diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-06-07 10:05:43 +0000 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-06-07 10:05:43 +0000 |
| commit | 802e1ede038010ddab31225f4b8a7e8d74f3b987 (patch) | |
| tree | f9f07d2fb57da9843ac6b79e06e9266301b7e8b7 | |
| parent | e0781d87ea58ff1ac1b6439d60510a8a26ea9f54 (diff) | |
| download | gnutls-802e1ede038010ddab31225f4b8a7e8d74f3b987.tar.gz | |
changed indentation to 4 spaces instead of tabs.
163 files changed, 43119 insertions, 41036 deletions
diff --git a/includes/gnutls/extra.h b/includes/gnutls/extra.h index 7df49b8d41..46283171de 100644 --- a/includes/gnutls/extra.h +++ b/includes/gnutls/extra.h @@ -40,13 +40,13 @@ int gnutls_srp_set_client_credentials( gnutls_srp_client_credentials res, char * void gnutls_srp_free_server_credentials( gnutls_srp_server_credentials sc); int gnutls_srp_allocate_server_credentials( gnutls_srp_server_credentials *sc); int gnutls_srp_set_server_credentials_file( gnutls_srp_server_credentials res, - const char *password_file, const char* password_conf_file); + const char *password_file, const char* password_conf_file); const char* gnutls_srp_server_get_username( gnutls_session state); int gnutls_srp_verifier( const char* username, const char* password, const gnutls_datum *salt, - const gnutls_datum* g, const gnutls_datum* n, - gnutls_datum * res); + const gnutls_datum* g, const gnutls_datum* n, + gnutls_datum * res); /* The static parameters defined in draft-ietf-tls-srp-05 * Those should be used as input to gnutls_srp_verifier(). @@ -61,46 +61,46 @@ extern const gnutls_datum gnutls_srp_1024_group_prime; extern const gnutls_datum gnutls_srp_1024_group_generator; typedef int gnutls_srp_server_credentials_function( - gnutls_session, - const char* username, gnutls_datum* salt, - gnutls_datum* verifier, gnutls_datum* generator, - gnutls_datum* prime + gnutls_session, + const char* username, gnutls_datum* salt, + gnutls_datum* verifier, gnutls_datum* generator, + gnutls_datum* prime ); void gnutls_srp_set_server_credentials_function( - gnutls_srp_server_credentials, - gnutls_srp_server_credentials_function *); + gnutls_srp_server_credentials, + gnutls_srp_server_credentials_function *); typedef int gnutls_srp_client_credentials_function(gnutls_session, unsigned int, - char **, char**); + char **, char**); void gnutls_srp_set_client_credentials_function( gnutls_srp_client_credentials, - gnutls_srp_client_credentials_function *); + gnutls_srp_client_credentials_function *); /* Openpgp certificate stuff */ typedef int (*gnutls_openpgp_recv_key_func)(gnutls_session, const unsigned char *keyfpr, - unsigned int keyfpr_length, gnutls_datum *key); + unsigned int keyfpr_length, gnutls_datum *key); void gnutls_openpgp_set_recv_key_function( gnutls_session, gnutls_openpgp_recv_key_func); int gnutls_certificate_set_openpgp_key_file( gnutls_certificate_credentials res, - const char *CERTFILE, const char* KEYFILE); + const char *CERTFILE, const char* KEYFILE); int gnutls_certificate_set_openpgp_key_mem( gnutls_certificate_credentials res, - const gnutls_datum* CERT, const gnutls_datum* KEY); + const gnutls_datum* CERT, const gnutls_datum* KEY); int gnutls_certificate_set_openpgp_keyserver(gnutls_certificate_credentials res, - const char* keyserver, int port); + const char* keyserver, int port); int gnutls_certificate_set_openpgp_trustdb(gnutls_certificate_credentials res, - const char* trustdb); + const char* trustdb); int gnutls_certificate_set_openpgp_keyring_mem( - gnutls_certificate_credentials c, - const unsigned char *data, size_t dlen ); + gnutls_certificate_credentials c, + const unsigned char *data, size_t dlen ); int gnutls_certificate_set_openpgp_keyring_file( gnutls_certificate_credentials res, - const char *name); + const char *name); int gnutls_global_init_extra(void); diff --git a/includes/gnutls/openpgp.h b/includes/gnutls/openpgp.h index 6960e1d957..d18a115a3b 100644 --- a/includes/gnutls/openpgp.h +++ b/includes/gnutls/openpgp.h @@ -43,20 +43,20 @@ int gnutls_openpgp_key_init( gnutls_openpgp_key* key); /* initializes the memory void gnutls_openpgp_key_deinit(gnutls_openpgp_key key); /* frees all memory */ int gnutls_openpgp_key_import(gnutls_openpgp_key key, - const gnutls_datum* data, gnutls_openpgp_key_fmt format); + const gnutls_datum* data, gnutls_openpgp_key_fmt format); int gnutls_openpgp_key_export(gnutls_openpgp_key key, - gnutls_openpgp_key_fmt format, void* output_data, - size_t* output_data_size); + gnutls_openpgp_key_fmt format, void* output_data, + size_t* output_data_size); /* The key_usage flags are defined in gnutls.h. They are * the GNUTLS_KEY_* definitions. */ int gnutls_openpgp_key_get_key_usage( gnutls_openpgp_key cert, unsigned int* key_usage); int gnutls_openpgp_key_get_fingerprint( gnutls_openpgp_key key, - void* result, size_t* result_size); - + void* result, size_t* result_size); + int gnutls_openpgp_key_get_name( gnutls_openpgp_key key, - int idx, char *buf, size_t *sizeof_buf); + int idx, char *buf, size_t *sizeof_buf); int gnutls_openpgp_key_get_pk_algorithm(gnutls_openpgp_key key, unsigned int *r_bits); @@ -71,7 +71,7 @@ int gnutls_openpgp_key_get_id( gnutls_openpgp_key key, unsigned char keyid[8]); int gnutls_openpgp_key_check_hostname( gnutls_openpgp_key key, const char *hostname); int gnutls_openpgp_key_to_xml( gnutls_openpgp_key key, gnutls_datum *xmlkey, - int ext); + int ext); /* privkey stuff. */ @@ -79,8 +79,8 @@ int gnutls_openpgp_privkey_init(gnutls_openpgp_privkey * key); void gnutls_openpgp_privkey_deinit(gnutls_openpgp_privkey key); int gnutls_openpgp_privkey_get_pk_algorithm( gnutls_openpgp_privkey key, unsigned int *bits); int gnutls_openpgp_privkey_import(gnutls_openpgp_privkey key, - const gnutls_datum * data, gnutls_openpgp_key_fmt format, - const char* pass, unsigned int flags); + const gnutls_datum * data, gnutls_openpgp_key_fmt format, + const char* pass, unsigned int flags); /* Keyring stuff. */ @@ -91,7 +91,7 @@ int gnutls_openpgp_keyring_init( gnutls_openpgp_keyring* ring); void gnutls_openpgp_keyring_deinit(gnutls_openpgp_keyring ring); int gnutls_openpgp_keyring_import(gnutls_openpgp_keyring ring, - const gnutls_datum* data, gnutls_openpgp_key_fmt format); + const gnutls_datum* data, gnutls_openpgp_key_fmt format); /* Trustdb functions. */ @@ -102,29 +102,29 @@ int gnutls_openpgp_trustdb_init( gnutls_openpgp_trustdb* db); void gnutls_openpgp_trustdb_deinit(gnutls_openpgp_trustdb db); int gnutls_openpgp_trustdb_import(gnutls_openpgp_trustdb db, - const char* file); + const char* file); int gnutls_openpgp_key_verify_ring( - gnutls_openpgp_key key, - gnutls_openpgp_keyring ring, - unsigned int flags, - unsigned int * verify /* the output of the verification */); + gnutls_openpgp_key key, + gnutls_openpgp_keyring ring, + unsigned int flags, + unsigned int * verify /* the output of the verification */); int gnutls_openpgp_key_verify_self( gnutls_openpgp_key key, unsigned int flags, unsigned int *verify); int gnutls_openpgp_key_verify_trustdb( - gnutls_openpgp_key key, - gnutls_openpgp_trustdb db, - unsigned int flags, - unsigned int * verify /* the output of the verification */); + gnutls_openpgp_key key, + gnutls_openpgp_trustdb db, + unsigned int flags, + unsigned int * verify /* the output of the verification */); /* certificate authentication stuff. */ int gnutls_certificate_set_openpgp_key(gnutls_certificate_credentials res, - gnutls_openpgp_key key, gnutls_openpgp_privkey pkey); + gnutls_openpgp_key key, gnutls_openpgp_privkey pkey); #ifdef __cplusplus } diff --git a/includes/gnutls/pkcs12.h b/includes/gnutls/pkcs12.h index 0a2503236d..05ef7fe211 100644 --- a/includes/gnutls/pkcs12.h +++ b/includes/gnutls/pkcs12.h @@ -39,12 +39,12 @@ typedef struct gnutls_pkcs12_bag_int* gnutls_pkcs12_bag; int gnutls_pkcs12_init(gnutls_pkcs12 * pkcs12); void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12); int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data, - gnutls_x509_crt_fmt format, unsigned int flags); + gnutls_x509_crt_fmt format, unsigned int flags); int gnutls_pkcs12_export( gnutls_pkcs12 pkcs12, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size); + gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size); int gnutls_pkcs12_get_bag(gnutls_pkcs12 pkcs12, - int indx, gnutls_pkcs12_bag bag); + int indx, gnutls_pkcs12_bag bag); int gnutls_pkcs12_set_bag(gnutls_pkcs12 pkcs12, gnutls_pkcs12_bag bag); int gnutls_pkcs12_generate_mac(gnutls_pkcs12 pkcs12, const char* pass); @@ -54,14 +54,14 @@ int gnutls_pkcs12_bag_decrypt(gnutls_pkcs12_bag bag, const char* pass); int gnutls_pkcs12_bag_encrypt(gnutls_pkcs12_bag bag, const char* pass, unsigned int flags); typedef enum gnutls_pkcs12_bag_type { - GNUTLS_BAG_EMPTY = 0, - - GNUTLS_BAG_PKCS8_ENCRYPTED_KEY=1, - GNUTLS_BAG_PKCS8_KEY, - GNUTLS_BAG_CERTIFICATE, - GNUTLS_BAG_CRL, - GNUTLS_BAG_ENCRYPTED=10, - GNUTLS_BAG_UNKNOWN=20 + GNUTLS_BAG_EMPTY = 0, + + GNUTLS_BAG_PKCS8_ENCRYPTED_KEY=1, + GNUTLS_BAG_PKCS8_KEY, + GNUTLS_BAG_CERTIFICATE, + GNUTLS_BAG_CRL, + GNUTLS_BAG_ENCRYPTED=10, + GNUTLS_BAG_UNKNOWN=20 } gnutls_pkcs12_bag_type; gnutls_pkcs12_bag_type gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag bag, int indx); @@ -76,14 +76,14 @@ void gnutls_pkcs12_bag_deinit(gnutls_pkcs12_bag bag); int gnutls_pkcs12_bag_get_count(gnutls_pkcs12_bag bag); int gnutls_pkcs12_bag_get_key_id(gnutls_pkcs12_bag bag, int indx, - gnutls_datum* id); + gnutls_datum* id); int gnutls_pkcs12_bag_set_key_id(gnutls_pkcs12_bag bag, int indx, - const gnutls_datum* id); + const gnutls_datum* id); int gnutls_pkcs12_bag_get_friendly_name(gnutls_pkcs12_bag bag, int indx, - char **name); + char **name); int gnutls_pkcs12_bag_set_friendly_name(gnutls_pkcs12_bag bag, int indx, - const char* name); + const char* name); #ifdef __cplusplus } diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h index 9b4c35690f..15a2a19683 100644 --- a/includes/gnutls/x509.h +++ b/includes/gnutls/x509.h @@ -80,34 +80,34 @@ extern "C" { int gnutls_x509_crt_init(gnutls_x509_crt * cert); void gnutls_x509_crt_deinit(gnutls_x509_crt cert); int gnutls_x509_crt_import(gnutls_x509_crt cert, const gnutls_datum * data, - gnutls_x509_crt_fmt format); + gnutls_x509_crt_fmt format); int gnutls_x509_crt_export( gnutls_x509_crt cert, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size); + gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size); int gnutls_x509_crt_get_issuer_dn(gnutls_x509_crt cert, char *buf, - size_t *sizeof_buf); + size_t *sizeof_buf); int gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt cert, - int indx, void *oid, size_t *sizeof_oid); + int indx, void *oid, size_t *sizeof_oid); int gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt cert, - const char* oid, int indx, unsigned int raw_flag, - void *buf, size_t *sizeof_buf); + const char* oid, int indx, unsigned int raw_flag, + void *buf, size_t *sizeof_buf); int gnutls_x509_crt_get_dn(gnutls_x509_crt cert, char *buf, - size_t *sizeof_buf); + size_t *sizeof_buf); int gnutls_x509_crt_get_dn_oid(gnutls_x509_crt cert, - int indx, void *oid, size_t *sizeof_oid); + int indx, void *oid, size_t *sizeof_oid); int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt cert, const char* oid, - int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf); + int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf); int gnutls_x509_crt_check_hostname(gnutls_x509_crt cert, const char *hostname); int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt cert); int gnutls_x509_crt_get_version(gnutls_x509_crt cert); int gnutls_x509_crt_get_key_id( gnutls_x509_crt crt, unsigned int flags, - unsigned char* output_data, size_t* output_data_size); + unsigned char* output_data, size_t* output_data_size); int gnutls_x509_crt_set_authority_key_id(gnutls_x509_crt cert, const void* id, - size_t id_size); + size_t id_size); int gnutls_x509_crt_get_authority_key_id(gnutls_x509_crt cert, void* ret, - size_t* ret_size, unsigned int* critical); + size_t* ret_size, unsigned int* critical); int gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt cert, void* ret, size_t* ret_size, unsigned int* critical); @@ -123,12 +123,12 @@ int gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt cert, void* ret, #define GNUTLS_CRL_REASON_AA_COMPROMISE 32768 int gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt cert, - unsigned int seq, void *ret, size_t *ret_size, unsigned int* reason_flags, - unsigned int *critical); + unsigned int seq, void *ret, size_t *ret_size, unsigned int* reason_flags, + unsigned int *critical); int gnutls_x509_crt_set_crl_dist_points(gnutls_x509_crt crt, gnutls_x509_subject_alt_name type, - const void* data_string, unsigned int reason_flags); + const void* data_string, unsigned int reason_flags); int gnutls_x509_crt_cpy_crl_dist_points(gnutls_x509_crt dst, - gnutls_x509_crt src); + gnutls_x509_crt src); time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt cert); time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt cert); @@ -136,29 +136,29 @@ int gnutls_x509_crt_get_serial(gnutls_x509_crt cert, void* result, size_t* resul int gnutls_x509_crt_get_pk_algorithm( gnutls_x509_crt cert, unsigned int* bits); int gnutls_x509_crt_get_pk_rsa_raw(gnutls_x509_crt crt, - gnutls_datum * m, gnutls_datum *e); + gnutls_datum * m, gnutls_datum *e); int gnutls_x509_crt_get_pk_dsa_raw(gnutls_x509_crt crt, - gnutls_datum * p, gnutls_datum *q, - gnutls_datum *g, gnutls_datum *y); + gnutls_datum * p, gnutls_datum *q, + gnutls_datum *g, gnutls_datum *y); int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt cert, - unsigned int seq, void *ret, size_t *ret_size, unsigned int* critical); + unsigned int seq, void *ret, size_t *ret_size, unsigned int* critical); int gnutls_x509_crt_get_ca_status(gnutls_x509_crt cert, unsigned int* critical); /* The key_usage flags are defined in gnutls.h. They are * the GNUTLS_KEY_* definitions. */ int gnutls_x509_crt_get_key_usage( gnutls_x509_crt cert, unsigned int* key_usage, - unsigned int* critical); + unsigned int* critical); int gnutls_x509_crt_set_key_usage(gnutls_x509_crt crt, unsigned int usage); int gnutls_x509_dn_oid_known(const char* oid); int gnutls_x509_crt_get_extension_oid(gnutls_x509_crt cert, int indx, - void* oid, size_t * sizeof_oid); + void* oid, size_t * sizeof_oid); int gnutls_x509_crt_get_extension_by_oid(gnutls_x509_crt cert, - const char* oid, int indx, - void* buf, size_t * sizeof_buf, unsigned int * critical); + const char* oid, int indx, + void* buf, size_t * sizeof_buf, unsigned int * critical); int gnutls_x509_crt_to_xml(gnutls_x509_crt cert, gnutls_datum* res, int detail); @@ -170,34 +170,34 @@ int gnutls_x509_crt_to_xml(gnutls_x509_crt cert, gnutls_datum* res, int detail); /* X.509 Certificate writing. */ int gnutls_x509_crt_set_dn_by_oid(gnutls_x509_crt crt, const char* oid, - unsigned int raw_flag, const void *name, unsigned int sizeof_name); + unsigned int raw_flag, const void *name, unsigned int sizeof_name); int gnutls_x509_crt_set_issuer_dn_by_oid(gnutls_x509_crt crt, const char* oid, - unsigned int raw_flag, const void *name, unsigned int sizeof_name); + unsigned int raw_flag, const void *name, unsigned int sizeof_name); int gnutls_x509_crt_set_version(gnutls_x509_crt crt, unsigned int version); int gnutls_x509_crt_set_key(gnutls_x509_crt crt, gnutls_x509_privkey key); int gnutls_x509_crt_set_ca_status(gnutls_x509_crt crt, unsigned int ca); int gnutls_x509_crt_set_subject_alternative_name(gnutls_x509_crt crt, gnutls_x509_subject_alt_name type, - const char* data_string); + const char* data_string); int gnutls_x509_crt_sign(gnutls_x509_crt crt, gnutls_x509_crt issuer, - gnutls_x509_privkey issuer_key); + gnutls_x509_privkey issuer_key); int gnutls_x509_crt_set_activation_time(gnutls_x509_crt cert, time_t act_time); int gnutls_x509_crt_set_expiration_time(gnutls_x509_crt cert, time_t exp_time); int gnutls_x509_crt_set_serial(gnutls_x509_crt cert, const void* serial, - size_t serial_size); + size_t serial_size); int gnutls_x509_crt_set_subject_key_id(gnutls_x509_crt cert, const void* id, - size_t id_size); + size_t id_size); /* RDN handling */ int gnutls_x509_rdn_get(const gnutls_datum * idn, - char *buf, size_t *sizeof_buf); + char *buf, size_t *sizeof_buf); int gnutls_x509_rdn_get_oid(const gnutls_datum * idn, - int indx, void *buf, size_t * sizeof_buf); + int indx, void *buf, size_t * sizeof_buf); int gnutls_x509_rdn_get_by_oid(const gnutls_datum * idn, const char* oid, - int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf); + int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf); /* CRL handling functions */ @@ -207,17 +207,17 @@ int gnutls_x509_crl_init(gnutls_x509_crl * crl); void gnutls_x509_crl_deinit(gnutls_x509_crl crl); int gnutls_x509_crl_import(gnutls_x509_crl crl, const gnutls_datum * data, - gnutls_x509_crt_fmt format); + gnutls_x509_crt_fmt format); int gnutls_x509_crl_export( gnutls_x509_crl crl, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size); + gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size); int gnutls_x509_crl_get_issuer_dn(const gnutls_x509_crl crl, - char *buf, size_t *sizeof_buf); + char *buf, size_t *sizeof_buf); int gnutls_x509_crl_get_issuer_dn_by_oid(gnutls_x509_crl crl, - const char* oid, int indx, - unsigned int raw_flag, void *buf, size_t *sizeof_buf); + const char* oid, int indx, + unsigned int raw_flag, void *buf, size_t *sizeof_buf); int gnutls_x509_crl_get_dn_oid(gnutls_x509_crl crl, - int indx, void *oid, size_t *sizeof_oid); + int indx, void *oid, size_t *sizeof_oid); int gnutls_x509_crl_get_signature_algorithm(gnutls_x509_crl crl); int gnutls_x509_crl_get_version(gnutls_x509_crl crl); @@ -232,19 +232,19 @@ int gnutls_x509_crl_get_crt_serial(gnutls_x509_crl crl, int index, unsigned char #define gnutls_x509_crl_get_certificate gnutls_x509_crl_get_crt_serial int gnutls_x509_crl_check_issuer( gnutls_x509_crl crl, - gnutls_x509_crt issuer); + gnutls_x509_crt issuer); /* CRL writing. */ int gnutls_x509_crl_set_version(gnutls_x509_crl crl, unsigned int version); int gnutls_x509_crl_sign(gnutls_x509_crl crl, gnutls_x509_crt issuer, - gnutls_x509_privkey issuer_key); + gnutls_x509_privkey issuer_key); int gnutls_x509_crl_set_this_update(gnutls_x509_crl crl, time_t act_time); int gnutls_x509_crl_set_next_update(gnutls_x509_crl crl, time_t exp_time); int gnutls_x509_crl_set_crt_serial(gnutls_x509_crl crl, const void* serial, - size_t serial_size, time_t revocation_time); + size_t serial_size, time_t revocation_time); int gnutls_x509_crl_set_crt(gnutls_x509_crl crl, gnutls_x509_crt crt, - time_t revocation_time); + time_t revocation_time); /* PKCS7 structures handling @@ -257,20 +257,20 @@ typedef struct gnutls_pkcs7_int* gnutls_pkcs7; int gnutls_pkcs7_init(gnutls_pkcs7 * pkcs7); void gnutls_pkcs7_deinit(gnutls_pkcs7 pkcs7); int gnutls_pkcs7_import(gnutls_pkcs7 pkcs7, const gnutls_datum * data, - gnutls_x509_crt_fmt format); + gnutls_x509_crt_fmt format); int gnutls_pkcs7_export( gnutls_pkcs7 pkcs7, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size); + gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size); int gnutls_pkcs7_get_crt_count( gnutls_pkcs7 pkcs7); int gnutls_pkcs7_get_crt_raw(gnutls_pkcs7 pkcs7, int indx, - void* certificate, size_t* certificate_size); + void* certificate, size_t* certificate_size); int gnutls_pkcs7_set_crt_raw(gnutls_pkcs7 pkcs7, const gnutls_datum* crt); int gnutls_pkcs7_set_crt(gnutls_pkcs7 pkcs7, gnutls_x509_crt crt); int gnutls_pkcs7_delete_crt(gnutls_pkcs7 pkcs7, int indx); int gnutls_pkcs7_get_crl_raw(gnutls_pkcs7 pkcs7, - int indx, void* crl, size_t* crl_size); + int indx, void* crl, size_t* crl_size); int gnutls_pkcs7_get_crl_count(gnutls_pkcs7 pkcs7); int gnutls_pkcs7_set_crl_raw(gnutls_pkcs7 pkcs7, const gnutls_datum* crt); @@ -281,42 +281,42 @@ int gnutls_pkcs7_delete_crl(gnutls_pkcs7 pkcs7, int indx); */ typedef enum gnutls_certificate_verify_flags { - GNUTLS_VERIFY_DISABLE_CA_SIGN=1, /* if set a signer does not have to be - * a certificate authority. - */ - GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT=2 /* Allow CA certificates that have version 1. - * This might be dangerous since those haven't - * the basicConstraints extension. - */ + GNUTLS_VERIFY_DISABLE_CA_SIGN=1, /* if set a signer does not have to be + * a certificate authority. + */ + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT=2 /* Allow CA certificates that have version 1. + * This might be dangerous since those haven't + * the basicConstraints extension. + */ } gnutls_certificate_verify_flags; int gnutls_x509_crt_check_issuer( gnutls_x509_crt cert, - gnutls_x509_crt issuer); + gnutls_x509_crt issuer); int gnutls_x509_crt_list_verify( gnutls_x509_crt* cert_list, int cert_list_length, - gnutls_x509_crt * CA_list, int CA_list_length, - gnutls_x509_crl* CRL_list, int CRL_list_length, - unsigned int flags, unsigned int *verify); + gnutls_x509_crt * CA_list, int CA_list_length, + gnutls_x509_crl* CRL_list, int CRL_list_length, + unsigned int flags, unsigned int *verify); int gnutls_x509_crt_verify( gnutls_x509_crt cert, - gnutls_x509_crt *CA_list, int CA_list_length, - unsigned int flags, unsigned int *verify); + gnutls_x509_crt *CA_list, int CA_list_length, + unsigned int flags, unsigned int *verify); int gnutls_x509_crl_verify( gnutls_x509_crl crl, - gnutls_x509_crt *CA_list, int CA_list_length, - unsigned int flags, unsigned int *verify); + gnutls_x509_crt *CA_list, int CA_list_length, + unsigned int flags, unsigned int *verify); int gnutls_x509_crt_check_revocation(gnutls_x509_crt cert, - gnutls_x509_crl * crl_list, - int crl_list_length); + gnutls_x509_crl * crl_list, + int crl_list_length); int gnutls_x509_crt_get_fingerprint(gnutls_x509_crt cert, - gnutls_digest_algorithm algo, void *buf, - size_t *sizeof_buf); + gnutls_digest_algorithm algo, void *buf, + size_t *sizeof_buf); int gnutls_x509_crt_get_key_purpose_oid(gnutls_x509_crt cert, - int indx, void *oid, size_t *sizeof_oid, unsigned int* critical); + int indx, void *oid, size_t *sizeof_oid, unsigned int* critical); int gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt cert, - const void *oid, unsigned int critical); + const void *oid, unsigned int critical); /* Private key handling */ @@ -324,13 +324,13 @@ int gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt cert, /* Flags for the gnutls_x509_privkey_export_pkcs8() function. */ typedef enum gnutls_pkcs_encrypt_flags { - GNUTLS_PKCS_PLAIN=1, /* if set the private key will not - * be encrypted. - */ - GNUTLS_PKCS_USE_PKCS12_3DES=2, - GNUTLS_PKCS_USE_PKCS12_ARCFOUR=4, - GNUTLS_PKCS_USE_PKCS12_RC2_40=8, - GNUTLS_PKCS_USE_PBES2_3DES=16 + GNUTLS_PKCS_PLAIN=1, /* if set the private key will not + * be encrypted. + */ + GNUTLS_PKCS_USE_PKCS12_3DES=2, + GNUTLS_PKCS_USE_PKCS12_ARCFOUR=4, + GNUTLS_PKCS_USE_PKCS12_RC2_40=8, + GNUTLS_PKCS_USE_PBES2_3DES=16 } gnutls_pkcs_encrypt_flags; #define GNUTLS_PKCS8_PLAIN GNUTLS_PKCS_PLAIN @@ -342,48 +342,48 @@ int gnutls_x509_privkey_init(gnutls_x509_privkey * key); void gnutls_x509_privkey_deinit(gnutls_x509_privkey key); int gnutls_x509_privkey_cpy(gnutls_x509_privkey dst, gnutls_x509_privkey src); int gnutls_x509_privkey_import(gnutls_x509_privkey key, const gnutls_datum * data, - gnutls_x509_crt_fmt format); + gnutls_x509_crt_fmt format); int gnutls_x509_privkey_import_pkcs8(gnutls_x509_privkey key, const gnutls_datum * data, - gnutls_x509_crt_fmt format, const char * pass, unsigned int flags); + gnutls_x509_crt_fmt format, const char * pass, unsigned int flags); int gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey privkey, - const gnutls_datum *m, const gnutls_datum *e, - const gnutls_datum *d, const gnutls_datum *p, const gnutls_datum *q, - const gnutls_datum *u); + const gnutls_datum *m, const gnutls_datum *e, + const gnutls_datum *d, const gnutls_datum *p, const gnutls_datum *q, + const gnutls_datum *u); int gnutls_x509_privkey_export_dsa_raw(gnutls_x509_privkey key, - gnutls_datum * p, gnutls_datum *q, - gnutls_datum *g, gnutls_datum *y, gnutls_datum* x); + gnutls_datum * p, gnutls_datum *q, + gnutls_datum *g, gnutls_datum *y, gnutls_datum* x); int gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey key, - const gnutls_datum* p, const gnutls_datum* q, - const gnutls_datum* g, const gnutls_datum* y, - const gnutls_datum* x); + const gnutls_datum* p, const gnutls_datum* q, + const gnutls_datum* g, const gnutls_datum* y, + const gnutls_datum* x); int gnutls_x509_privkey_get_pk_algorithm( gnutls_x509_privkey key); int gnutls_x509_privkey_get_key_id( gnutls_x509_privkey key, unsigned int flags, - unsigned char* output_data, size_t* output_data_size); + unsigned char* output_data, size_t* output_data_size); int gnutls_x509_privkey_generate( gnutls_x509_privkey key, gnutls_pk_algorithm algo, - unsigned int bits, unsigned int flags); + unsigned int bits, unsigned int flags); int gnutls_x509_privkey_export( gnutls_x509_privkey key, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size); + gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size); int gnutls_x509_privkey_export_pkcs8( gnutls_x509_privkey key, - gnutls_x509_crt_fmt format, const char* password, unsigned int flags, - void* output_data, size_t* output_data_size); + gnutls_x509_crt_fmt format, const char* password, unsigned int flags, + void* output_data, size_t* output_data_size); int gnutls_x509_privkey_export_rsa_raw(gnutls_x509_privkey key, - gnutls_datum * m, gnutls_datum *e, - gnutls_datum *d, gnutls_datum *p, gnutls_datum* q, - gnutls_datum* u); + gnutls_datum * m, gnutls_datum *e, + gnutls_datum *d, gnutls_datum *p, gnutls_datum* q, + gnutls_datum* u); /* signing stuff. */ int gnutls_x509_privkey_sign_data( gnutls_x509_privkey key, gnutls_digest_algorithm digest, - unsigned int flags, const gnutls_datum* data, - void* signature, size_t* signature_size); + unsigned int flags, const gnutls_datum* data, + void* signature, size_t* signature_size); int gnutls_x509_privkey_verify_data( gnutls_x509_privkey key, unsigned int flags, - const gnutls_datum* data, const gnutls_datum* signature); + const gnutls_datum* data, const gnutls_datum* signature); int gnutls_x509_crt_verify_data( gnutls_x509_crt crt, unsigned int flags, - const gnutls_datum* data, const gnutls_datum* signature); + const gnutls_datum* data, const gnutls_datum* signature); /* Certificate request stuff @@ -394,26 +394,26 @@ typedef struct gnutls_x509_crq_int* gnutls_x509_crq; int gnutls_x509_crq_init(gnutls_x509_crq * crq); void gnutls_x509_crq_deinit(gnutls_x509_crq crq); int gnutls_x509_crq_import(gnutls_x509_crq crq, const gnutls_datum * data, - gnutls_x509_crt_fmt format); + gnutls_x509_crt_fmt format); int gnutls_x509_crq_get_pk_algorithm( gnutls_x509_crq crq, unsigned int* bits); int gnutls_x509_crq_get_dn(gnutls_x509_crq crq, char *buf, - size_t *sizeof_buf); + size_t *sizeof_buf); int gnutls_x509_crq_get_dn_oid(gnutls_x509_crq crq, - int indx, void *oid, size_t *sizeof_oid); + int indx, void *oid, size_t *sizeof_oid); int gnutls_x509_crq_get_dn_by_oid(gnutls_x509_crq crq, const char* oid, - int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf); + int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf); int gnutls_x509_crq_set_dn_by_oid(gnutls_x509_crq crq, const char* oid, - unsigned int raw_flag, const void *name, unsigned int sizeof_name); + unsigned int raw_flag, const void *name, unsigned int sizeof_name); int gnutls_x509_crq_set_version(gnutls_x509_crq crq, unsigned int version); int gnutls_x509_crq_set_key(gnutls_x509_crq crq, gnutls_x509_privkey key); int gnutls_x509_crq_sign(gnutls_x509_crq crq, gnutls_x509_privkey key); int gnutls_x509_crq_set_challenge_password(gnutls_x509_crq crq, const char* pass); int gnutls_x509_crq_get_challenge_password(gnutls_x509_crq crq, - const char* pass, size_t* sizeof_pass); + const char* pass, size_t* sizeof_pass); int gnutls_x509_crq_export( gnutls_x509_crq crq, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size); + gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size); int gnutls_x509_crt_set_crq(gnutls_x509_crt crt, gnutls_x509_crq crq); diff --git a/lib/auth_anon.c b/lib/auth_anon.c index 4eb120307f..6d2feecd5b 100644 --- a/lib/auth_anon.c +++ b/lib/auth_anon.c @@ -38,118 +38,125 @@ #include <gnutls_state.h> #include <auth_dh_common.h> -static int gen_anon_server_kx( gnutls_session, opaque**); -static int proc_anon_client_kx( gnutls_session, opaque*, size_t); -static int proc_anon_server_kx( gnutls_session, opaque*, size_t); +static int gen_anon_server_kx(gnutls_session, opaque **); +static int proc_anon_client_kx(gnutls_session, opaque *, size_t); +static int proc_anon_server_kx(gnutls_session, opaque *, size_t); const mod_auth_st anon_auth_struct = { - "ANON", - NULL, - NULL, - gen_anon_server_kx, - _gnutls_gen_dh_common_client_kx, /* this can be shared */ - NULL, - NULL, - - NULL, - NULL, /* certificate */ - proc_anon_server_kx, - proc_anon_client_kx, - NULL, - NULL + "ANON", + NULL, + NULL, + gen_anon_server_kx, + _gnutls_gen_dh_common_client_kx, /* this can be shared */ + NULL, + NULL, + + NULL, + NULL, /* certificate */ + proc_anon_server_kx, + proc_anon_client_kx, + NULL, + NULL }; -static int gen_anon_server_kx( gnutls_session session, opaque** data) { - mpi_t g, p; - const mpi_t *mpis; - int ret; - gnutls_dh_params dh_params; - const gnutls_anon_server_credentials cred; - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_ANON, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - dh_params = _gnutls_anon_get_dh_params( cred, session); - mpis = _gnutls_get_dh_params( dh_params); - if (mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; - } - - p = mpis[0]; - g = mpis[1]; - - if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_ANON, sizeof( anon_server_auth_info_st), 1)) < 0) - { - gnutls_assert(); - return ret; - } - - _gnutls_dh_set_group( session, g, p); - - ret = _gnutls_dh_common_print_server_kx( session, g, p, data); - if (ret < 0) { - gnutls_assert(); - } - +static int gen_anon_server_kx(gnutls_session session, opaque ** data) +{ + mpi_t g, p; + const mpi_t *mpis; + int ret; + gnutls_dh_params dh_params; + const gnutls_anon_server_credentials cred; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_ANON, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + dh_params = _gnutls_anon_get_dh_params(cred, session); + mpis = _gnutls_get_dh_params(dh_params); + if (mpis == NULL) { + gnutls_assert(); + return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; + } + + p = mpis[0]; + g = mpis[1]; + + if ((ret = + _gnutls_auth_info_set(session, GNUTLS_CRD_ANON, + sizeof(anon_server_auth_info_st), 1)) < 0) { + gnutls_assert(); return ret; + } + + _gnutls_dh_set_group(session, g, p); + + ret = _gnutls_dh_common_print_server_kx(session, g, p, data); + if (ret < 0) { + gnutls_assert(); + } + + return ret; } -static int proc_anon_client_kx( gnutls_session session, opaque* data, size_t _data_size) +static int proc_anon_client_kx(gnutls_session session, opaque * data, + size_t _data_size) { -const gnutls_anon_server_credentials cred; -int bits; -int ret; -mpi_t p, g; -gnutls_dh_params dh_params; -const mpi_t *mpis; - - bits = _gnutls_dh_get_allowed_prime_bits( session); - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_ANON, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - dh_params = _gnutls_anon_get_dh_params( cred, session); - mpis = _gnutls_get_dh_params( dh_params); - if (mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; - } - - p = mpis[0]; - g = mpis[1]; - - ret = _gnutls_proc_dh_common_client_kx( session, data, _data_size, g, p); + const gnutls_anon_server_credentials cred; + int bits; + int ret; + mpi_t p, g; + gnutls_dh_params dh_params; + const mpi_t *mpis; - return ret; + bits = _gnutls_dh_get_allowed_prime_bits(session); + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_ANON, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + dh_params = _gnutls_anon_get_dh_params(cred, session); + mpis = _gnutls_get_dh_params(dh_params); + if (mpis == NULL) { + gnutls_assert(); + return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; + } + + p = mpis[0]; + g = mpis[1]; + + ret = + _gnutls_proc_dh_common_client_kx(session, data, _data_size, g, p); + + return ret; } -int proc_anon_server_kx( gnutls_session session, opaque* data, size_t _data_size) +int proc_anon_server_kx(gnutls_session session, opaque * data, + size_t _data_size) { -int ret; + int ret; - /* set auth_info */ - if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_ANON, sizeof( anon_client_auth_info_st), 1)) < 0) { - gnutls_assert(); - return ret; - } + /* set auth_info */ + if ((ret = + _gnutls_auth_info_set(session, GNUTLS_CRD_ANON, + sizeof(anon_client_auth_info_st), 1)) < 0) { + gnutls_assert(); + return ret; + } - ret = _gnutls_proc_dh_common_server_kx( session, data, _data_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_proc_dh_common_server_kx(session, data, _data_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } -#endif /* ENABLE_ANON */ +#endif /* ENABLE_ANON */ diff --git a/lib/auth_anon.h b/lib/auth_anon.h index 8173814be4..c722826663 100644 --- a/lib/auth_anon.h +++ b/lib/auth_anon.h @@ -3,18 +3,18 @@ #include <auth_dh_common.h> typedef struct { - gnutls_dh_params dh_params; - /* this callback is used to retrieve the DH or RSA - * parameters. - */ - gnutls_params_function * params_func; + gnutls_dh_params dh_params; + /* this callback is used to retrieve the DH or RSA + * parameters. + */ + gnutls_params_function *params_func; } anon_server_credentials_st; #define gnutls_anon_server_credentials anon_server_credentials_st* #define gnutls_anon_client_credentials void* typedef struct anon_client_auth_info_st { - dh_info_t dh; + dh_info_t dh; } *anon_client_auth_info_t; typedef anon_client_auth_info_t anon_server_auth_info_t; @@ -22,5 +22,6 @@ typedef anon_client_auth_info_t anon_server_auth_info_t; typedef struct anon_client_auth_info_st anon_client_auth_info_st; typedef anon_client_auth_info_st anon_server_auth_info_st; -gnutls_dh_params _gnutls_anon_get_dh_params(const gnutls_anon_server_credentials sc, - gnutls_session session); +gnutls_dh_params _gnutls_anon_get_dh_params(const + gnutls_anon_server_credentials + sc, gnutls_session session); diff --git a/lib/auth_cert.c b/lib/auth_cert.c index 9e67b1a791..57cfc4c62f 100644 --- a/lib/auth_cert.c +++ b/lib/auth_cert.c @@ -45,10 +45,12 @@ #include <gnutls_extra.h> #include "debug.h" -static gnutls_cert *alloc_and_load_x509_certs(gnutls_x509_crt * certs, uint); +static gnutls_cert *alloc_and_load_x509_certs(gnutls_x509_crt * certs, + uint); static gnutls_privkey *alloc_and_load_x509_key(gnutls_x509_privkey key); static gnutls_cert *alloc_and_load_pgp_certs(gnutls_openpgp_key cert); -static gnutls_privkey *alloc_and_load_pgp_key(const gnutls_openpgp_privkey key); +static gnutls_privkey *alloc_and_load_pgp_key(const gnutls_openpgp_privkey + key); /* Copies data from a internal certificate struct (gnutls_cert) to @@ -58,49 +60,48 @@ static int _gnutls_copy_certificate_auth_info(cert_auth_info_t info, gnutls_cert * cert, int ncerts) { - /* Copy peer's information to auth_info_t - */ - int ret, i, j; - - if (ncerts == 0) { - info->raw_certificate_list = NULL; - info->ncerts = 0; - return 0; - } + /* Copy peer's information to auth_info_t + */ + int ret, i, j; - info->raw_certificate_list = - gnutls_calloc(1, sizeof(gnutls_datum) * ncerts); - if (info->raw_certificate_list == NULL) { + if (ncerts == 0) { + info->raw_certificate_list = NULL; + info->ncerts = 0; + return 0; + } + + info->raw_certificate_list = + gnutls_calloc(1, sizeof(gnutls_datum) * ncerts); + if (info->raw_certificate_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + for (i = 0; i < ncerts; i++) { + if (cert->raw.size > 0) { + ret = + _gnutls_set_datum(&info-> + raw_certificate_list[i], + cert[i].raw.data, cert[i].raw.size); + if (ret < 0) { gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + goto clear; + } } + } + info->ncerts = ncerts; - for (i = 0; i < ncerts; i++) { - if (cert->raw.size > 0) { - ret = - _gnutls_set_datum(&info-> - raw_certificate_list[i], - cert[i].raw.data, - cert[i].raw.size); - if (ret < 0) { - gnutls_assert(); - goto clear; - } - } - } - info->ncerts = ncerts; + return 0; - return 0; + clear: - clear: + for (j = 0; j < i; j++) + _gnutls_free_datum(&info->raw_certificate_list[j]); - for (j = 0; j < i; j++) - _gnutls_free_datum(&info->raw_certificate_list[j]); - - gnutls_free(info->raw_certificate_list); - info->raw_certificate_list = NULL; + gnutls_free(info->raw_certificate_list); + info->raw_certificate_list = NULL; - return ret; + return ret; } @@ -110,60 +111,63 @@ int _gnutls_copy_certificate_auth_info(cert_auth_info_t info, * -1 otherwise. */ inline -static int _gnutls_check_pk_algo_in_list(const gnutls_pk_algorithm *pk_algos, - int pk_algos_length, gnutls_pk_algorithm algo_to_check) + static int _gnutls_check_pk_algo_in_list(const gnutls_pk_algorithm * + pk_algos, int pk_algos_length, + gnutls_pk_algorithm + algo_to_check) { - int i; - for (i = 0; i < pk_algos_length; i++) { - if (algo_to_check == pk_algos[i]) { - return 0; - } + int i; + for (i = 0; i < pk_algos_length; i++) { + if (algo_to_check == pk_algos[i]) { + return 0; } - return -1; + } + return -1; } /* Returns the issuer's Distinguished name in odn, of the certificate * specified in cert. */ -static int _gnutls_cert_get_issuer_dn(gnutls_cert * cert, gnutls_datum * odn) +static int _gnutls_cert_get_issuer_dn(gnutls_cert * cert, + gnutls_datum * odn) { - ASN1_TYPE dn; - int len, result; - int start, end; - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.Certificate", &dn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = asn1_der_decoding(&dn, cert->raw.data, cert->raw.size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); - } + ASN1_TYPE dn; + int len, result; + int start, end; + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.Certificate", &dn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&dn, cert->raw.data, cert->raw.size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); + asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding_startEnd(dn, cert->raw.data, cert->raw.size, + result = asn1_der_decoding_startEnd(dn, cert->raw.data, cert->raw.size, "tbsCertificate.issuer", &start, &end); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } + asn1_delete_structure(&dn); - len = end - start + 1; + len = end - start + 1; - odn->size = len; - odn->data = &cert->raw.data[start]; + odn->size = len; + odn->data = &cert->raw.data[start]; - return 0; + return 0; } @@ -178,64 +182,61 @@ static int _find_x509_cert(const gnutls_certificate_credentials cred, const gnutls_pk_algorithm * pk_algos, int pk_algos_length, int *indx) { - uint size; - gnutls_datum odn; - opaque *data = _data; - ssize_t data_size = _data_size; - uint i, j; - int result, cert_pk; + uint size; + gnutls_datum odn; + opaque *data = _data; + ssize_t data_size = _data_size; + uint i, j; + int result, cert_pk; - *indx = -1; + *indx = -1; - do { + do { - DECR_LENGTH_RET(data_size, 2, 0); - size = _gnutls_read_uint16(data); - DECR_LENGTH_RET(data_size, size, 0); - data += 2; - - for (i = 0; i < cred->ncerts; i++) { - for (j = 0; j < cred->cert_list_length[i]; j++) { - if ((result = - _gnutls_cert_get_issuer_dn(&cred-> - cert_list[i][j], - &odn)) < 0) { - gnutls_assert(); - return result; - } - - if (odn.size != size) - continue; - - /* If the DN matches and - * the *_SIGN algorithm matches - * the cert is our cert! - */ - cert_pk = - cred->cert_list[i][0]. - subject_pk_algorithm; - - if ((memcmp(odn.data, data, size) == 0) && - (_gnutls_check_pk_algo_in_list - (pk_algos, pk_algos_length, - cert_pk) == 0)) { - *indx = i; - break; - } - } - if (*indx != -1) - break; + DECR_LENGTH_RET(data_size, 2, 0); + size = _gnutls_read_uint16(data); + DECR_LENGTH_RET(data_size, size, 0); + data += 2; + + for (i = 0; i < cred->ncerts; i++) { + for (j = 0; j < cred->cert_list_length[i]; j++) { + if ((result = + _gnutls_cert_get_issuer_dn(&cred-> + cert_list[i][j], + &odn)) < 0) { + gnutls_assert(); + return result; } - if (*indx != -1) - break; + if (odn.size != size) + continue; - /* move to next record */ - data += size; + /* If the DN matches and + * the *_SIGN algorithm matches + * the cert is our cert! + */ + cert_pk = cred->cert_list[i][0].subject_pk_algorithm; - } while (1); + if ((memcmp(odn.data, data, size) == 0) && + (_gnutls_check_pk_algo_in_list + (pk_algos, pk_algos_length, cert_pk) == 0)) { + *indx = i; + break; + } + } + if (*indx != -1) + break; + } - return 0; + if (*indx != -1) + break; + + /* move to next record */ + data += size; + + } while (1); + + return 0; } @@ -245,114 +246,114 @@ static int _find_openpgp_cert(const gnutls_certificate_credentials cred, gnutls_pk_algorithm * pk_algos, int pk_algos_length, int *indx) { - uint i, j; + uint i, j; - *indx = -1; + *indx = -1; - for (i = 0; i < cred->ncerts; i++) { - for (j = 0; j < cred->cert_list_length[i]; j++) { - - /* If the *_SIGN algorithm matches - * the cert is our cert! - */ - if ((_gnutls_check_pk_algo_in_list - (pk_algos, pk_algos_length, - cred->cert_list[i][0]. - subject_pk_algorithm) == 0) - && (cred->cert_list[i][0].cert_type == - GNUTLS_CRT_OPENPGP)) { - *indx = i; - break; - } - } - if (*indx != -1) - break; + for (i = 0; i < cred->ncerts; i++) { + for (j = 0; j < cred->cert_list_length[i]; j++) { + + /* If the *_SIGN algorithm matches + * the cert is our cert! + */ + if ((_gnutls_check_pk_algo_in_list + (pk_algos, pk_algos_length, + cred->cert_list[i][0].subject_pk_algorithm) == 0) + && (cred->cert_list[i][0].cert_type == GNUTLS_CRT_OPENPGP)) { + *indx = i; + break; + } } + if (*indx != -1) + break; + } - return 0; + return 0; } /* Returns the number of issuers in the server's * certificate request packet. */ -static int get_issuers_num( gnutls_session session, opaque * data, ssize_t data_size) +static int get_issuers_num(gnutls_session session, opaque * data, + ssize_t data_size) { -int issuers_dn_len = 0, result; -uint size; + int issuers_dn_len = 0, result; + uint size; - /* Count the number of the given issuers; - * This is used to allocate the issuers_dn without - * using realloc(). - */ + /* Count the number of the given issuers; + * This is used to allocate the issuers_dn without + * using realloc(). + */ - if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) - return 0; + if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) + return 0; - if (data_size > 0) do { - /* This works like DECR_LEN() - */ - result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - DECR_LENGTH_COM(data_size, 2, goto error); - size = _gnutls_read_uint16(data); + if (data_size > 0) + do { + /* This works like DECR_LEN() + */ + result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + DECR_LENGTH_COM(data_size, 2, goto error); + size = _gnutls_read_uint16(data); - result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - DECR_LENGTH_COM(data_size, size, goto error); + result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + DECR_LENGTH_COM(data_size, size, goto error); - data += 2; + data += 2; - if (size > 0) { - issuers_dn_len++; - data += size; - } + if (size > 0) { + issuers_dn_len++; + data += size; + } - if (data_size == 0) - break; + if (data_size == 0) + break; } while (1); - return issuers_dn_len; - - error: - return result; + return issuers_dn_len; + + error: + return result; } /* Returns the issuers in the server's certificate request * packet. */ -static int get_issuers( gnutls_session session, - gnutls_datum* issuers_dn, int issuers_len, - opaque * data, size_t data_size) +static int get_issuers(gnutls_session session, + gnutls_datum * issuers_dn, int issuers_len, + opaque * data, size_t data_size) { -int i; -uint size; + int i; + uint size; - if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) - return 0; + if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) + return 0; - /* put the requested DNs to req_dn, only in case - * of X509 certificates. - */ - if (issuers_len > 0) { + /* put the requested DNs to req_dn, only in case + * of X509 certificates. + */ + if (issuers_len > 0) { - for (i = 0; i < issuers_len; i++) { - /* The checks here for the buffer boundaries - * are not needed since the buffer has been - * parsed above. - */ - data_size -= 2; + for (i = 0; i < issuers_len; i++) { + /* The checks here for the buffer boundaries + * are not needed since the buffer has been + * parsed above. + */ + data_size -= 2; - size = _gnutls_read_uint16(data); + size = _gnutls_read_uint16(data); - data += 2; + data += 2; - issuers_dn[i].data = data; - issuers_dn[i].size = size; + issuers_dn[i].data = data; + issuers_dn[i].size = size; - data += size; - } + data += size; } + } - return 0; + return 0; } @@ -361,100 +362,99 @@ OPENPGP_PRIVKEY_DEINIT _E_gnutls_openpgp_privkey_deinit; /* Calls the client get callback. */ -static int call_get_cert_callback( gnutls_session session, - gnutls_datum* issuers_dn, int issuers_dn_length, - gnutls_pk_algorithm* pk_algos, int pk_algos_length) +static int call_get_cert_callback(gnutls_session session, + gnutls_datum * issuers_dn, + int issuers_dn_length, + gnutls_pk_algorithm * pk_algos, + int pk_algos_length) { -uint i; -gnutls_cert *local_certs = NULL; -gnutls_privkey *local_key = NULL; -gnutls_retr_st st; -int ret; -gnutls_certificate_type type = - gnutls_certificate_type_get(session); -const gnutls_certificate_credentials cred; - - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - memset( &st, 0, sizeof(st)); - - if (session->security_parameters.entity == GNUTLS_SERVER) { - ret = - cred->server_get_cert_callback(session, &st); - } else { /* CLIENT */ - ret = - cred->client_get_cert_callback(session, - issuers_dn, issuers_dn_length, - pk_algos, pk_algos_length, - &st); - } - - if (ret < 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - if (st.ncerts == 0) - return 0; /* no certificate was selected */ - - if (type != st.type) { + uint i; + gnutls_cert *local_certs = NULL; + gnutls_privkey *local_key = NULL; + gnutls_retr_st st; + int ret; + gnutls_certificate_type type = gnutls_certificate_type_get(session); + const gnutls_certificate_credentials cred; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + memset(&st, 0, sizeof(st)); + + if (session->security_parameters.entity == GNUTLS_SERVER) { + ret = cred->server_get_cert_callback(session, &st); + } else { /* CLIENT */ + ret = + cred->client_get_cert_callback(session, + issuers_dn, issuers_dn_length, + pk_algos, pk_algos_length, &st); + } + + if (ret < 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (st.ncerts == 0) + return 0; /* no certificate was selected */ + + if (type != st.type) { + gnutls_assert(); + ret = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + if (type == GNUTLS_CRT_X509) { + local_certs = alloc_and_load_x509_certs(st.cert.x509, st.ncerts); + if (local_certs != NULL) + local_key = alloc_and_load_x509_key(st.key.x509); + + } else { /* PGP */ + if (st.ncerts > 1) { + gnutls_assert(); + ret = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + local_certs = alloc_and_load_pgp_certs(st.cert.pgp); + if (local_certs != NULL) + local_key = alloc_and_load_pgp_key(st.key.pgp); + + } + + _gnutls_selected_certs_set(session, local_certs, + (local_certs != NULL) ? st.ncerts : 0, + local_key, 1); + + ret = 0; + + cleanup: + + if (st.type == GNUTLS_CRT_X509) { + if (st.deinit_all) { + for (i = 0; i < st.ncerts; i++) { + gnutls_x509_crt_deinit(st.cert.x509[i]); + } + gnutls_free(st.cert.x509); + gnutls_x509_privkey_deinit(st.key.x509); + } + } else { + if (st.deinit_all) { + if (_E_gnutls_openpgp_key_deinit == NULL || + _E_gnutls_openpgp_privkey_deinit == NULL) { gnutls_assert(); - ret = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - if (type == GNUTLS_CRT_X509) { - local_certs = alloc_and_load_x509_certs(st.cert.x509, st.ncerts); - if (local_certs != NULL) - local_key = alloc_and_load_x509_key(st.key.x509); - - } else { /* PGP */ - if (st.ncerts > 1) { - gnutls_assert(); - ret = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - local_certs = alloc_and_load_pgp_certs(st.cert.pgp); - if (local_certs != NULL) - local_key = alloc_and_load_pgp_key(st.key.pgp); - - } - - _gnutls_selected_certs_set(session, local_certs, (local_certs!=NULL)?st.ncerts:0, - local_key, 1); - - ret = 0; - -cleanup: + return GNUTLS_E_INIT_LIBEXTRA; + } - if (st.type == GNUTLS_CRT_X509) { - if (st.deinit_all) { - for (i = 0; i < st.ncerts; i++) { - gnutls_x509_crt_deinit(st.cert.x509[i]); - } - gnutls_free( st.cert.x509); - gnutls_x509_privkey_deinit(st.key.x509); - } - } else { - if (st.deinit_all) { - if (_E_gnutls_openpgp_key_deinit == NULL || - _E_gnutls_openpgp_privkey_deinit == NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; - } - - _E_gnutls_openpgp_key_deinit(st.cert.pgp); - _E_gnutls_openpgp_privkey_deinit(st.key.pgp); - } + _E_gnutls_openpgp_key_deinit(st.cert.pgp); + _E_gnutls_openpgp_privkey_deinit(st.key.pgp); } + } - return ret; + return ret; } /* Finds the appropriate certificate depending on the cA Distinguished name @@ -469,92 +469,92 @@ static int _select_client_cert(gnutls_session session, gnutls_pk_algorithm * pk_algos, int pk_algos_length) { - int result; - int indx = -1; - const gnutls_certificate_credentials cred; - opaque *data = _data; - ssize_t data_size = _data_size; - int issuers_dn_length; - gnutls_datum * issuers_dn = NULL; - - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { + int result; + int indx = -1; + const gnutls_certificate_credentials cred; + opaque *data = _data; + ssize_t data_size = _data_size; + int issuers_dn_length; + gnutls_datum *issuers_dn = NULL; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (cred->client_get_cert_callback != NULL) { + + /* use a callback to get certificate + */ + if (session->security_parameters.cert_type != GNUTLS_CRT_X509) + issuers_dn_length = 0; + else { + issuers_dn_length = get_issuers_num(session, data, data_size); + if (issuers_dn_length < 0) { gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (cred->client_get_cert_callback != NULL) { + return issuers_dn_length; + } + + if (issuers_dn_length > 0) { + issuers_dn = + gnutls_malloc(sizeof(gnutls_datum) * + issuers_dn_length); + if (issuers_dn == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - /* use a callback to get certificate - */ - if (session->security_parameters.cert_type != GNUTLS_CRT_X509) - issuers_dn_length = 0; - else { - issuers_dn_length = get_issuers_num( session, data, data_size); - if (issuers_dn_length < 0) { - gnutls_assert(); - return issuers_dn_length; - } - - if (issuers_dn_length > 0) { - issuers_dn = gnutls_malloc( sizeof(gnutls_datum)*issuers_dn_length); - if (issuers_dn == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - result = get_issuers( session, issuers_dn, issuers_dn_length, data, data_size); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } + result = + get_issuers(session, issuers_dn, issuers_dn_length, + data, data_size); + if (result < 0) { + gnutls_assert(); + goto cleanup; } + } + } - result = call_get_cert_callback( session, issuers_dn, issuers_dn_length, - pk_algos, pk_algos_length); - goto cleanup; + result = + call_get_cert_callback(session, issuers_dn, issuers_dn_length, + pk_algos, pk_algos_length); + goto cleanup; - } else { - /* If we have no callbacks, try to guess. - */ - result = 0; - - if (session->security_parameters.cert_type == - GNUTLS_CRT_X509) - result = - _find_x509_cert(cred, _data, _data_size, - pk_algos, pk_algos_length, - &indx); + } else { + /* If we have no callbacks, try to guess. + */ + result = 0; - if (session->security_parameters.cert_type == - GNUTLS_CRT_OPENPGP) - result = - _find_openpgp_cert(cred, pk_algos, - pk_algos_length, &indx); + if (session->security_parameters.cert_type == GNUTLS_CRT_X509) + result = + _find_x509_cert(cred, _data, _data_size, + pk_algos, pk_algos_length, &indx); + if (session->security_parameters.cert_type == GNUTLS_CRT_OPENPGP) + result = + _find_openpgp_cert(cred, pk_algos, pk_algos_length, &indx); - if (result < 0) { - gnutls_assert(); - return result; - } - if (indx >= 0) { - _gnutls_selected_certs_set(session, - &cred->cert_list[indx][0], - cred->cert_list_length[indx], - &cred->pkey[indx], 0); - } else { - _gnutls_selected_certs_set(session, NULL, 0, NULL, 0); - } + if (result < 0) { + gnutls_assert(); + return result; + } - result = 0; + if (indx >= 0) { + _gnutls_selected_certs_set(session, + &cred->cert_list[indx][0], + cred->cert_list_length[indx], + &cred->pkey[indx], 0); + } else { + _gnutls_selected_certs_set(session, NULL, 0, NULL, 0); } -cleanup: - gnutls_free( issuers_dn); - return result; + result = 0; + } + + cleanup: + gnutls_free(issuers_dn); + return result; } @@ -563,100 +563,100 @@ cleanup: int _gnutls_gen_x509_crt(gnutls_session session, opaque ** data) { - int ret, i; - opaque *pdata; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length; - - /* find the appropriate certificate - */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } - - ret = 3; - for (i = 0; i < apr_cert_list_length; i++) { - ret += apr_cert_list[i].raw.size + 3; - /* hold size - * for uint24 */ - } - - /* if no certificates were found then send: - * 0B 00 00 03 00 00 00 // Certificate with no certs - * instead of: - * 0B 00 00 00 // empty certificate handshake - * - * ( the above is the whole handshake message, not - * the one produced here ) - */ - - (*data) = gnutls_malloc(ret); - pdata = (*data); - - if (pdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_write_uint24(ret - 3, pdata); - pdata += 3; - for (i = 0; i < apr_cert_list_length; i++) { - _gnutls_write_datum24(pdata, apr_cert_list[i].raw); - pdata += (3 + apr_cert_list[i].raw.size); - } - + int ret, i; + opaque *pdata; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + + /* find the appropriate certificate + */ + if ((ret = + _gnutls_get_selected_cert(session, &apr_cert_list, + &apr_cert_list_length, + &apr_pkey)) < 0) { + gnutls_assert(); return ret; + } + + ret = 3; + for (i = 0; i < apr_cert_list_length; i++) { + ret += apr_cert_list[i].raw.size + 3; + /* hold size + * for uint24 */ + } + + /* if no certificates were found then send: + * 0B 00 00 03 00 00 00 // Certificate with no certs + * instead of: + * 0B 00 00 00 // empty certificate handshake + * + * ( the above is the whole handshake message, not + * the one produced here ) + */ + + (*data) = gnutls_malloc(ret); + pdata = (*data); + + if (pdata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + _gnutls_write_uint24(ret - 3, pdata); + pdata += 3; + for (i = 0; i < apr_cert_list_length; i++) { + _gnutls_write_datum24(pdata, apr_cert_list[i].raw); + pdata += (3 + apr_cert_list[i].raw.size); + } + + return ret; } enum PGPKeyDescriptorType { PGP_KEY_FINGERPRINT, PGP_KEY }; int _gnutls_gen_openpgp_certificate(gnutls_session session, opaque ** data) { - int ret; - opaque *pdata; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length; - - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } + int ret; + opaque *pdata; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert(session, &apr_cert_list, + &apr_cert_list_length, + &apr_pkey)) < 0) { + gnutls_assert(); + return ret; + } - ret = 3 + 1 + 3; + ret = 3 + 1 + 3; - if (apr_cert_list_length > 0) - ret += apr_cert_list[0].raw.size; + if (apr_cert_list_length > 0) + ret += apr_cert_list[0].raw.size; - (*data) = gnutls_malloc(ret); - pdata = (*data); + (*data) = gnutls_malloc(ret); + pdata = (*data); - if (pdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (pdata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - _gnutls_write_uint24(ret - 3, pdata); - pdata += 3; + _gnutls_write_uint24(ret - 3, pdata); + pdata += 3; - *pdata = PGP_KEY; /* whole key */ - pdata++; + *pdata = PGP_KEY; /* whole key */ + pdata++; - if (apr_cert_list_length > 0) { - _gnutls_write_datum24(pdata, apr_cert_list[0].raw); - pdata += (3 + apr_cert_list[0].raw.size); - } else /* empty - no certificate */ - _gnutls_write_uint24(0, pdata); + if (apr_cert_list_length > 0) { + _gnutls_write_datum24(pdata, apr_cert_list[0].raw); + pdata += (3 + apr_cert_list[0].raw.size); + } else /* empty - no certificate */ + _gnutls_write_uint24(0, pdata); - return ret; + return ret; } OPENPGP_FINGERPRINT _E_gnutls_openpgp_fingerprint = NULL; @@ -666,63 +666,63 @@ extern OPENPGP_RAW_KEY_TO_GCERT _E_gnutls_openpgp_raw_key_to_gcert; int _gnutls_gen_openpgp_certificate_fpr(gnutls_session session, opaque ** data) { - int ret, packet_size; - size_t fpr_size; - opaque *pdata; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length; - - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } + int ret, packet_size; + size_t fpr_size; + opaque *pdata; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert(session, &apr_cert_list, + &apr_cert_list_length, + &apr_pkey)) < 0) { + gnutls_assert(); + return ret; + } - packet_size = 3 + 1; + packet_size = 3 + 1; - /* Only v4 fingerprints are sent - */ - if (apr_cert_list_length > 0 && apr_cert_list[0].version == 4) - packet_size += 20 + 1; - else /* empty certificate case */ - return _gnutls_gen_openpgp_certificate(session, data); + /* Only v4 fingerprints are sent + */ + if (apr_cert_list_length > 0 && apr_cert_list[0].version == 4) + packet_size += 20 + 1; + else /* empty certificate case */ + return _gnutls_gen_openpgp_certificate(session, data); - (*data) = gnutls_malloc(packet_size); - pdata = (*data); + (*data) = gnutls_malloc(packet_size); + pdata = (*data); - if (pdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (pdata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - _gnutls_write_uint24(packet_size - 3, pdata); - pdata += 3; + _gnutls_write_uint24(packet_size - 3, pdata); + pdata += 3; - *pdata = PGP_KEY_FINGERPRINT; /* key fingerprint */ - pdata++; + *pdata = PGP_KEY_FINGERPRINT; /* key fingerprint */ + pdata++; - *pdata = 20; - pdata++; + *pdata = 20; + pdata++; - fpr_size = 20; + fpr_size = 20; - if (_E_gnutls_openpgp_fingerprint == NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; - } + if (_E_gnutls_openpgp_fingerprint == NULL) { + gnutls_assert(); + return GNUTLS_E_INIT_LIBEXTRA; + } - if ((ret = - _E_gnutls_openpgp_fingerprint(&apr_cert_list[0].raw, pdata, - &fpr_size)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = + _E_gnutls_openpgp_fingerprint(&apr_cert_list[0].raw, pdata, + &fpr_size)) < 0) { + gnutls_assert(); + return ret; + } - return packet_size; + return packet_size; } @@ -730,37 +730,34 @@ int _gnutls_gen_openpgp_certificate_fpr(gnutls_session session, int _gnutls_gen_cert_client_certificate(gnutls_session session, opaque ** data) { - switch (session->security_parameters.cert_type) { - case GNUTLS_CRT_OPENPGP: - if (_gnutls_openpgp_send_fingerprint(session) == 0) - return - _gnutls_gen_openpgp_certificate(session, data); - else - return - _gnutls_gen_openpgp_certificate_fpr - (session, data); - - case GNUTLS_CRT_X509: - return _gnutls_gen_x509_crt(session, data); - - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + switch (session->security_parameters.cert_type) { + case GNUTLS_CRT_OPENPGP: + if (_gnutls_openpgp_send_fingerprint(session) == 0) + return _gnutls_gen_openpgp_certificate(session, data); + else + return _gnutls_gen_openpgp_certificate_fpr(session, data); + + case GNUTLS_CRT_X509: + return _gnutls_gen_x509_crt(session, data); + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } } int _gnutls_gen_cert_server_certificate(gnutls_session session, opaque ** data) { - switch (session->security_parameters.cert_type) { - case GNUTLS_CRT_OPENPGP: - return _gnutls_gen_openpgp_certificate(session, data); - case GNUTLS_CRT_X509: - return _gnutls_gen_x509_crt(session, data); - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + switch (session->security_parameters.cert_type) { + case GNUTLS_CRT_OPENPGP: + return _gnutls_gen_openpgp_certificate(session, data); + case GNUTLS_CRT_X509: + return _gnutls_gen_x509_crt(session, data); + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } } /* Process server certificate @@ -770,130 +767,126 @@ int _gnutls_gen_cert_server_certificate(gnutls_session session, int _gnutls_proc_x509_server_certificate(gnutls_session session, opaque * data, size_t data_size) { - int size, len, ret; - opaque *p = data; - cert_auth_info_t info; - const gnutls_certificate_credentials cred; - ssize_t dsize = data_size; - int i, j, x; - gnutls_cert *peer_certificate_list; - int peer_certificate_list_size = 0; - gnutls_datum tmp; - - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + int size, len, ret; + opaque *p = data; + cert_auth_info_t info; + const gnutls_certificate_credentials cred; + ssize_t dsize = data_size; + int i, j, x; + gnutls_cert *peer_certificate_list; + int peer_certificate_list_size = 0; + gnutls_datum tmp; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + + if ((ret = + _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, + sizeof(cert_auth_info_st), 1)) < 0) { + gnutls_assert(); + return ret; + } + info = _gnutls_get_auth_info(session); - if ((ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, - sizeof(cert_auth_info_st), 1)) < - 0) { - gnutls_assert(); - return ret; - } + if (data == NULL || data_size == 0) { + gnutls_assert(); + /* no certificate was sent */ + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } - info = _gnutls_get_auth_info(session); + DECR_LEN(dsize, 3); + size = _gnutls_read_uint24(p); + p += 3; - if (data == NULL || data_size == 0) { - gnutls_assert(); - /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } + if (size == 0) { + gnutls_assert(); + /* no certificate was sent */ + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + i = dsize; + while (i > 0) { DECR_LEN(dsize, 3); - size = _gnutls_read_uint24(p); + len = _gnutls_read_uint24(p); + p += 3; + DECR_LEN(dsize, len); + peer_certificate_list_size++; + p += len; + i -= len + 3; + } + + if (peer_certificate_list_size == 0) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + /* Ok we now allocate the memory to hold the + * certificate list + */ + + peer_certificate_list = + gnutls_malloc(sizeof(gnutls_cert) * (peer_certificate_list_size)); + + if (peer_certificate_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + memset(peer_certificate_list, 0, sizeof(gnutls_cert) * + peer_certificate_list_size); + + p = data + 3; + + /* Now we start parsing the list (again). + * We don't use DECR_LEN since the list has + * been parsed before. + */ + + for (j = 0; j < peer_certificate_list_size; j++) { + len = _gnutls_read_uint24(p); p += 3; - if (size == 0) { - gnutls_assert(); - /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - i = dsize; - while (i > 0) { - DECR_LEN(dsize, 3); - len = _gnutls_read_uint24(p); - p += 3; - DECR_LEN(dsize, len); - peer_certificate_list_size++; - p += len; - i -= len + 3; - } + tmp.size = len; + tmp.data = p; - if (peer_certificate_list_size == 0) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; + if ((ret = + _gnutls_x509_raw_cert_to_gcert(&peer_certificate_list + [j], &tmp, + CERT_ONLY_EXTENSIONS)) < 0) { + gnutls_assert(); + goto cleanup; } - /* Ok we now allocate the memory to hold the - * certificate list - */ + p += len; + } - peer_certificate_list = - gnutls_malloc(sizeof(gnutls_cert) * - (peer_certificate_list_size)); - if (peer_certificate_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - memset(peer_certificate_list, 0, sizeof(gnutls_cert) * - peer_certificate_list_size); + if ((ret = + _gnutls_copy_certificate_auth_info(info, + peer_certificate_list, + peer_certificate_list_size)) + < 0) { + gnutls_assert(); + goto cleanup; + } - p = data + 3; + if ((ret = + _gnutls_check_key_usage(&peer_certificate_list[0], + gnutls_kx_get(session))) < 0) { + gnutls_assert(); + goto cleanup; + } - /* Now we start parsing the list (again). - * We don't use DECR_LEN since the list has - * been parsed before. - */ + ret = 0; - for (j = 0; j < peer_certificate_list_size; j++) { - len = _gnutls_read_uint24(p); - p += 3; - - tmp.size = len; - tmp.data = p; - - if ((ret = - _gnutls_x509_raw_cert_to_gcert(&peer_certificate_list - [j], &tmp, - CERT_ONLY_EXTENSIONS)) < - 0) { - gnutls_assert(); - goto cleanup; - } - - p += len; - } - - - if ((ret = - _gnutls_copy_certificate_auth_info(info, - peer_certificate_list, - peer_certificate_list_size)) - < 0) { - gnutls_assert(); - goto cleanup; - } - - if ((ret = - _gnutls_check_key_usage(&peer_certificate_list[0], - gnutls_kx_get(session))) < 0) { - gnutls_assert(); - goto cleanup; - } - - ret = 0; - - cleanup: - CLEAR_CERTS; - gnutls_free(peer_certificate_list); - return ret; + cleanup: + CLEAR_CERTS; + gnutls_free(peer_certificate_list); + return ret; } @@ -902,181 +895,177 @@ int _gnutls_proc_openpgp_server_certificate(gnutls_session session, opaque * data, size_t data_size) { - int size, ret, len; - opaque *p = data; - cert_auth_info_t info; - const gnutls_certificate_credentials cred; - ssize_t dsize = data_size; - int i, x; - gnutls_cert *peer_certificate_list = NULL; - int peer_certificate_list_size = 0; - gnutls_datum tmp, akey = { NULL, 0 }; - - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + int size, ret, len; + opaque *p = data; + cert_auth_info_t info; + const gnutls_certificate_credentials cred; + ssize_t dsize = data_size; + int i, x; + gnutls_cert *peer_certificate_list = NULL; + int peer_certificate_list_size = 0; + gnutls_datum tmp, akey = { NULL, 0 }; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if ((ret = + _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, + sizeof(cert_auth_info_st), 1)) < 0) { + gnutls_assert(); + return ret; + } - if ((ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, - sizeof(cert_auth_info_st), 1)) < - 0) { - gnutls_assert(); - return ret; - } + info = _gnutls_get_auth_info(session); - info = _gnutls_get_auth_info(session); + if (data == NULL || data_size == 0) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } - if (data == NULL || data_size == 0) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } + DECR_LEN(dsize, 3); + size = _gnutls_read_uint24(p); + p += 3; - DECR_LEN(dsize, 3); - size = _gnutls_read_uint24(p); - p += 3; + if (size == 0) { + gnutls_assert(); + /* no certificate was sent */ + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + i = dsize; - if (size == 0) { - gnutls_assert(); - /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - i = dsize; + /* Read PGPKeyDescriptor */ + DECR_LEN(dsize, 1); + if (*p == PGP_KEY_FINGERPRINT) { /* the fingerprint */ + p++; - /* Read PGPKeyDescriptor */ DECR_LEN(dsize, 1); - if (*p == PGP_KEY_FINGERPRINT) { /* the fingerprint */ - p++; - - DECR_LEN(dsize, 1); - len = (uint8) * p; - p++; - - if (len != 20) { - gnutls_assert(); - return GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED; - } - - DECR_LEN(dsize, 20); - - /* request the actual key from our database, or - * a key server or anything. - */ - if (_E_gnutls_openpgp_request_key == NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; - } - if ((ret = - _E_gnutls_openpgp_request_key(session, &akey, cred, p, - 20)) < 0) { - gnutls_assert(); - return ret; - } - tmp = akey; - peer_certificate_list_size++; - - } else if (*p == PGP_KEY) { /* the whole key */ - - p++; - - /* Read the actual certificate */ - DECR_LEN(dsize, 3); - len = _gnutls_read_uint24(p); - p += 3; - - if (len == 0) { - gnutls_assert(); - /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - DECR_LEN(dsize, len); - peer_certificate_list_size++; - - tmp.size = len; - tmp.data = p; - - } else { - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; - } - - /* ok we now have the peer's key in tmp datum - */ - - if (peer_certificate_list_size == 0) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + len = (uint8) * p; + p++; - peer_certificate_list = - gnutls_alloca(sizeof(gnutls_cert) * - (peer_certificate_list_size)); - if (peer_certificate_list == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + if (len != 20) { + gnutls_assert(); + return GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED; } - memset(peer_certificate_list, 0, sizeof(gnutls_cert) * - peer_certificate_list_size); - if (_E_gnutls_openpgp_raw_key_to_gcert == NULL) { - gnutls_assert(); - ret = GNUTLS_E_INIT_LIBEXTRA; - goto cleanup; - } + DECR_LEN(dsize, 20); - if ((ret = - _E_gnutls_openpgp_raw_key_to_gcert(&peer_certificate_list[0], - &tmp)) < 0) { - gnutls_assert(); - goto cleanup; + /* request the actual key from our database, or + * a key server or anything. + */ + if (_E_gnutls_openpgp_request_key == NULL) { + gnutls_assert(); + return GNUTLS_E_INIT_LIBEXTRA; } - if ((ret = - _gnutls_copy_certificate_auth_info(info, - peer_certificate_list, - peer_certificate_list_size)) - < 0) { - gnutls_assert(); - goto cleanup; + _E_gnutls_openpgp_request_key(session, &akey, cred, p, + 20)) < 0) { + gnutls_assert(); + return ret; } + tmp = akey; + peer_certificate_list_size++; - if ((ret = - _gnutls_check_key_usage(&peer_certificate_list[0], - gnutls_kx_get(session))) < 0) { - gnutls_assert(); - goto cleanup; - } + } else if (*p == PGP_KEY) { /* the whole key */ - ret = 0; + p++; - cleanup: + /* Read the actual certificate */ + DECR_LEN(dsize, 3); + len = _gnutls_read_uint24(p); + p += 3; - _gnutls_free_datum(&akey); - CLEAR_CERTS; - gnutls_afree(peer_certificate_list); - return ret; + if (len == 0) { + gnutls_assert(); + /* no certificate was sent */ + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + DECR_LEN(dsize, len); + peer_certificate_list_size++; + + tmp.size = len; + tmp.data = p; + + } else { + gnutls_assert(); + return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + } + + /* ok we now have the peer's key in tmp datum + */ + + if (peer_certificate_list_size == 0) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + peer_certificate_list = + gnutls_alloca(sizeof(gnutls_cert) * (peer_certificate_list_size)); + if (peer_certificate_list == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + memset(peer_certificate_list, 0, sizeof(gnutls_cert) * + peer_certificate_list_size); + + if (_E_gnutls_openpgp_raw_key_to_gcert == NULL) { + gnutls_assert(); + ret = GNUTLS_E_INIT_LIBEXTRA; + goto cleanup; + } + + if ((ret = + _E_gnutls_openpgp_raw_key_to_gcert(&peer_certificate_list[0], + &tmp)) < 0) { + gnutls_assert(); + goto cleanup; + } + + if ((ret = + _gnutls_copy_certificate_auth_info(info, + peer_certificate_list, + peer_certificate_list_size)) + < 0) { + gnutls_assert(); + goto cleanup; + } + + if ((ret = + _gnutls_check_key_usage(&peer_certificate_list[0], + gnutls_kx_get(session))) < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = 0; + + cleanup: + + _gnutls_free_datum(&akey); + CLEAR_CERTS; + gnutls_afree(peer_certificate_list); + return ret; } int _gnutls_proc_cert_server_certificate(gnutls_session session, opaque * data, size_t data_size) { - switch (session->security_parameters.cert_type) { - case GNUTLS_CRT_OPENPGP: - return _gnutls_proc_openpgp_server_certificate(session, - data, - data_size); - case GNUTLS_CRT_X509: - return _gnutls_proc_x509_server_certificate(session, data, - data_size); - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + switch (session->security_parameters.cert_type) { + case GNUTLS_CRT_OPENPGP: + return _gnutls_proc_openpgp_server_certificate(session, + data, data_size); + case GNUTLS_CRT_X509: + return _gnutls_proc_x509_server_certificate(session, data, + data_size); + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } } #define MAX_SIGN_ALGOS 2 @@ -1090,238 +1079,235 @@ typedef enum CertificateSigType { RSA_SIGN = 1, DSA_SIGN inline static int _gnutls_check_supported_sign_algo(CertificateSigType algo) { - switch (algo) { - case RSA_SIGN: - return GNUTLS_PK_RSA; - case DSA_SIGN: - return GNUTLS_PK_DSA; - } - - return -1; + switch (algo) { + case RSA_SIGN: + return GNUTLS_PK_RSA; + case DSA_SIGN: + return GNUTLS_PK_DSA; + } + + return -1; } int _gnutls_proc_cert_cert_req(gnutls_session session, opaque * data, size_t data_size) { - int size, ret; - opaque *p; - const gnutls_certificate_credentials cred; - cert_auth_info_t info; - ssize_t dsize; - int i, j; - gnutls_pk_algorithm pk_algos[MAX_SIGN_ALGOS]; - int pk_algos_length; - - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if ((ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, - sizeof(cert_auth_info_st), 0)) < - 0) { - gnutls_assert(); - return ret; - } + int size, ret; + opaque *p; + const gnutls_certificate_credentials cred; + cert_auth_info_t info; + ssize_t dsize; + int i, j; + gnutls_pk_algorithm pk_algos[MAX_SIGN_ALGOS]; + int pk_algos_length; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if ((ret = + _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, + sizeof(cert_auth_info_st), 0)) < 0) { + gnutls_assert(); + return ret; + } - info = _gnutls_get_auth_info(session); + info = _gnutls_get_auth_info(session); - p = data; - dsize = data_size; + p = data; + dsize = data_size; + DECR_LEN(dsize, 1); + size = p[0]; + p++; + /* check if the sign algorithm is supported. + */ + pk_algos_length = j = 0; + for (i = 0; i < size; i++, p++) { DECR_LEN(dsize, 1); - size = p[0]; - p++; - /* check if the sign algorithm is supported. - */ - pk_algos_length = j = 0; - for (i = 0; i < size; i++, p++) { - DECR_LEN(dsize, 1); - if ((ret = _gnutls_check_supported_sign_algo(*p)) > 0) { - if (j < MAX_SIGN_ALGOS) { - pk_algos[j++] = ret; - pk_algos_length++; - } - } - } - - if (pk_algos_length == 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_PK_ALGORITHM; - } - - if (session->security_parameters.cert_type == GNUTLS_CRT_X509) { - DECR_LEN(dsize, 2); - size = _gnutls_read_uint16(p); - p += 2; - } else { - p = NULL; - size = 0; + if ((ret = _gnutls_check_supported_sign_algo(*p)) > 0) { + if (j < MAX_SIGN_ALGOS) { + pk_algos[j++] = ret; + pk_algos_length++; + } } + } - DECR_LEN(dsize, size); + if (pk_algos_length == 0) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_PK_ALGORITHM; + } - /* now we ask the user to tell which one - * he wants to use. - */ - if ((ret = - _select_client_cert(session, p, size, - pk_algos, pk_algos_length)) < 0) { - gnutls_assert(); - return ret; - } + if (session->security_parameters.cert_type == GNUTLS_CRT_X509) { + DECR_LEN(dsize, 2); + size = _gnutls_read_uint16(p); + p += 2; + } else { + p = NULL; + size = 0; + } + + DECR_LEN(dsize, size); + + /* now we ask the user to tell which one + * he wants to use. + */ + if ((ret = + _select_client_cert(session, p, size, + pk_algos, pk_algos_length)) < 0) { + gnutls_assert(); + return ret; + } - /* We should reply with a certificate message, - * even if we have no certificate to send. - */ - session->key->certificate_requested = 1; + /* We should reply with a certificate message, + * even if we have no certificate to send. + */ + session->key->certificate_requested = 1; - return 0; + return 0; } int _gnutls_gen_cert_client_cert_vrfy(gnutls_session session, opaque ** data) { - int ret; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length, size; - gnutls_datum signature; - - *data = NULL; + int ret; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length, size; + gnutls_datum signature; + + *data = NULL; + + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert(session, &apr_cert_list, + &apr_cert_list_length, + &apr_pkey)) < 0) { + gnutls_assert(); + return ret; + } - /* find the appropriate certificate */ + if (apr_pkey != NULL) { if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } - - if (apr_pkey != NULL) { - if ((ret = - _gnutls_tls_sign_hdata(session, - &apr_cert_list[0], - apr_pkey, &signature)) < 0) { - gnutls_assert(); - return ret; - } - } else { - return 0; + _gnutls_tls_sign_hdata(session, + &apr_cert_list[0], + apr_pkey, &signature)) < 0) { + gnutls_assert(); + return ret; } + } else { + return 0; + } - *data = gnutls_malloc(signature.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&signature); - return GNUTLS_E_MEMORY_ERROR; - } - size = signature.size; - _gnutls_write_uint16(size, *data); + *data = gnutls_malloc(signature.size + 2); + if (*data == NULL) { + _gnutls_free_datum(&signature); + return GNUTLS_E_MEMORY_ERROR; + } + size = signature.size; + _gnutls_write_uint16(size, *data); - memcpy(&(*data)[2], signature.data, size); + memcpy(&(*data)[2], signature.data, size); - _gnutls_free_datum(&signature); + _gnutls_free_datum(&signature); - return size + 2; + return size + 2; } int _gnutls_proc_cert_client_cert_vrfy(gnutls_session session, opaque * data, size_t data_size) { - int size, ret; - ssize_t dsize = data_size; - opaque *pdata = data; - gnutls_datum sig; - cert_auth_info_t info = _gnutls_get_auth_info(session); - gnutls_cert peer_cert; - - if (info == NULL || info->ncerts == 0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return GNUTLS_E_INTERNAL_ERROR; - } - - DECR_LEN(dsize, 2); - size = _gnutls_read_uint16(pdata); - pdata += 2; - - DECR_LEN(dsize, size); - - sig.data = pdata; - sig.size = size; - - ret = _gnutls_raw_cert_to_gcert( &peer_cert, - session->security_parameters.cert_type, - &info->raw_certificate_list[0], CERT_NO_COPY); - - if (ret < 0) { - gnutls_assert(); - return ret; - } + int size, ret; + ssize_t dsize = data_size; + opaque *pdata = data; + gnutls_datum sig; + cert_auth_info_t info = _gnutls_get_auth_info(session); + gnutls_cert peer_cert; + + if (info == NULL || info->ncerts == 0) { + gnutls_assert(); + /* we need this in order to get peer's certificate */ + return GNUTLS_E_INTERNAL_ERROR; + } + + DECR_LEN(dsize, 2); + size = _gnutls_read_uint16(pdata); + pdata += 2; + + DECR_LEN(dsize, size); + + sig.data = pdata; + sig.size = size; + + ret = _gnutls_raw_cert_to_gcert(&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_NO_COPY); + + if (ret < 0) { + gnutls_assert(); + return ret; + } - if ((ret = - _gnutls_verify_sig_hdata(session, &peer_cert, &sig)) < 0) { - gnutls_assert(); - _gnutls_gcert_deinit(&peer_cert); - return ret; - } + if ((ret = _gnutls_verify_sig_hdata(session, &peer_cert, &sig)) < 0) { + gnutls_assert(); _gnutls_gcert_deinit(&peer_cert); + return ret; + } + _gnutls_gcert_deinit(&peer_cert); - return 0; + return 0; } #define CERTTYPE_SIZE 3 int _gnutls_gen_cert_server_cert_req(gnutls_session session, opaque ** data) { - const gnutls_certificate_credentials cred; - int size; - opaque *pdata; - - /* Now we need to generate the RDN sequence. This is - * already in the CERTIFICATE_CRED structure, to improve - * performance. - */ - - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - size = CERTTYPE_SIZE + 2; /* 2 for gnutls_certificate_type + 2 for size of rdn_seq - */ + const gnutls_certificate_credentials cred; + int size; + opaque *pdata; + + /* Now we need to generate the RDN sequence. This is + * already in the CERTIFICATE_CRED structure, to improve + * performance. + */ + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + size = CERTTYPE_SIZE + 2; /* 2 for gnutls_certificate_type + 2 for size of rdn_seq + */ - if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && - session->internals.ignore_rdn_sequence == 0) - size += cred->x509_rdn_sequence.size; + if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && + session->internals.ignore_rdn_sequence == 0) + size += cred->x509_rdn_sequence.size; - (*data) = gnutls_malloc(size); - pdata = (*data); + (*data) = gnutls_malloc(size); + pdata = (*data); - if (pdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (pdata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - pdata[0] = CERTTYPE_SIZE - 1; + pdata[0] = CERTTYPE_SIZE - 1; - pdata[1] = RSA_SIGN; - pdata[2] = DSA_SIGN; /* only these for now */ - pdata += CERTTYPE_SIZE; + pdata[1] = RSA_SIGN; + pdata[2] = DSA_SIGN; /* only these for now */ + pdata += CERTTYPE_SIZE; - if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && - session->internals.ignore_rdn_sequence == 0) { - _gnutls_write_datum16(pdata, cred->x509_rdn_sequence); - /* pdata += cred->x509_rdn_sequence.size + 2; */ - } + if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && + session->internals.ignore_rdn_sequence == 0) { + _gnutls_write_datum16(pdata, cred->x509_rdn_sequence); + /* pdata += cred->x509_rdn_sequence.size + 2; */ + } - return size; + return size; } @@ -1337,73 +1323,73 @@ int _gnutls_get_selected_cert(gnutls_session session, int *apr_cert_list_length, gnutls_privkey ** apr_pkey) { - if (session->security_parameters.entity == GNUTLS_SERVER) { + if (session->security_parameters.entity == GNUTLS_SERVER) { - /* select_client_cert() has been called before. - */ + /* select_client_cert() has been called before. + */ - *apr_cert_list = session->internals.selected_cert_list; - *apr_pkey = session->internals.selected_key; - *apr_cert_list_length = - session->internals.selected_cert_list_length; + *apr_cert_list = session->internals.selected_cert_list; + *apr_pkey = session->internals.selected_key; + *apr_cert_list_length = + session->internals.selected_cert_list_length; - if (apr_cert_list_length == 0 || apr_pkey == NULL || - apr_cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + if (apr_cert_list_length == 0 || apr_pkey == NULL || + apr_cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } - } else { /* CLIENT SIDE + } else { /* CLIENT SIDE */ - /* we have already decided which certificate - * to send. - */ - *apr_cert_list = session->internals.selected_cert_list; - *apr_cert_list_length = - session->internals.selected_cert_list_length; - *apr_pkey = session->internals.selected_key; + /* we have already decided which certificate + * to send. + */ + *apr_cert_list = session->internals.selected_cert_list; + *apr_cert_list_length = + session->internals.selected_cert_list_length; + *apr_pkey = session->internals.selected_key; - } + } - return 0; + return 0; } /* converts the given x509 certificate to gnutls_cert* and allocates * space for them. */ static gnutls_cert *alloc_and_load_x509_certs(gnutls_x509_crt * certs, - uint ncerts) + uint ncerts) { - gnutls_cert *local_certs; - int ret = 0; - uint i, j; - - if (certs == NULL) return NULL; - - local_certs = gnutls_malloc(sizeof(gnutls_cert) * ncerts); - if (local_certs == NULL) { - gnutls_assert(); - return NULL; - } - - for (i = 0; i < ncerts; i++) { - ret = _gnutls_x509_crt_to_gcert(&local_certs[i], - certs[i], 0); - if (ret < 0) - break; - } - - if (ret < 0) { - gnutls_assert(); - for (j = 0; j < i; j++) { - _gnutls_gcert_deinit(&local_certs[j]); - } - gnutls_free(local_certs); - return NULL; - } - - return local_certs; + gnutls_cert *local_certs; + int ret = 0; + uint i, j; + + if (certs == NULL) + return NULL; + + local_certs = gnutls_malloc(sizeof(gnutls_cert) * ncerts); + if (local_certs == NULL) { + gnutls_assert(); + return NULL; + } + + for (i = 0; i < ncerts; i++) { + ret = _gnutls_x509_crt_to_gcert(&local_certs[i], certs[i], 0); + if (ret < 0) + break; + } + + if (ret < 0) { + gnutls_assert(); + for (j = 0; j < i; j++) { + _gnutls_gcert_deinit(&local_certs[j]); + } + gnutls_free(local_certs); + return NULL; + } + + return local_certs; } /* converts the given x509 key to gnutls_privkey* and allocates @@ -1411,25 +1397,25 @@ static gnutls_cert *alloc_and_load_x509_certs(gnutls_x509_crt * certs, */ static gnutls_privkey *alloc_and_load_x509_key(gnutls_x509_privkey key) { - gnutls_privkey *local_key; - int ret = 0; + gnutls_privkey *local_key; + int ret = 0; - if (key == NULL) return NULL; + if (key == NULL) + return NULL; - local_key = gnutls_malloc(sizeof(gnutls_privkey)); - if (local_key == NULL) { - gnutls_assert(); - return NULL; - } + local_key = gnutls_malloc(sizeof(gnutls_privkey)); + if (local_key == NULL) { + gnutls_assert(); + return NULL; + } - ret = - _gnutls_x509_privkey_to_gkey(local_key, key); - if (ret < 0) { - gnutls_assert(); - return NULL; - } + ret = _gnutls_x509_privkey_to_gkey(local_key, key); + if (ret < 0) { + gnutls_assert(); + return NULL; + } - return local_key; + return local_key; } @@ -1441,100 +1427,100 @@ OPENPGP_PRIVKEY_TO_GKEY _E_gnutls_openpgp_privkey_to_gkey; */ static gnutls_cert *alloc_and_load_pgp_certs(gnutls_openpgp_key cert) { - gnutls_cert *local_certs; - int ret = 0; - - if (cert == NULL) return NULL; - - local_certs = gnutls_malloc(sizeof(gnutls_cert)); - if (local_certs == NULL) { - gnutls_assert(); - return NULL; - } - - if (_E_gnutls_openpgp_key_to_gcert==NULL) { - gnutls_assert(); - return NULL; - } - - ret = _E_gnutls_openpgp_key_to_gcert(local_certs, cert); - if (ret < 0) { - gnutls_assert(); - return NULL; - } - - if (ret < 0) { - gnutls_assert(); - _gnutls_gcert_deinit(local_certs); - gnutls_free(local_certs); - return NULL; - } - - return local_certs; + gnutls_cert *local_certs; + int ret = 0; + + if (cert == NULL) + return NULL; + + local_certs = gnutls_malloc(sizeof(gnutls_cert)); + if (local_certs == NULL) { + gnutls_assert(); + return NULL; + } + + if (_E_gnutls_openpgp_key_to_gcert == NULL) { + gnutls_assert(); + return NULL; + } + + ret = _E_gnutls_openpgp_key_to_gcert(local_certs, cert); + if (ret < 0) { + gnutls_assert(); + return NULL; + } + + if (ret < 0) { + gnutls_assert(); + _gnutls_gcert_deinit(local_certs); + gnutls_free(local_certs); + return NULL; + } + + return local_certs; } /* converts the given raw key to gnutls_privkey* and allocates * space for it. */ -static gnutls_privkey *alloc_and_load_pgp_key(const gnutls_openpgp_privkey key) +static gnutls_privkey *alloc_and_load_pgp_key(const gnutls_openpgp_privkey + key) { - gnutls_privkey *local_key; - int ret = 0; - - if (key == NULL) return NULL; - - local_key = gnutls_malloc(sizeof(gnutls_privkey)); - if (local_key == NULL) { - gnutls_assert(); - return NULL; - } - - if (_E_gnutls_openpgp_privkey_to_gkey==NULL) { - gnutls_assert(); - return NULL; - } - - ret = - _E_gnutls_openpgp_privkey_to_gkey(local_key, key); - if (ret < 0) { - gnutls_assert(); - return NULL; - } - - return local_key; + gnutls_privkey *local_key; + int ret = 0; + + if (key == NULL) + return NULL; + + local_key = gnutls_malloc(sizeof(gnutls_privkey)); + if (local_key == NULL) { + gnutls_assert(); + return NULL; + } + + if (_E_gnutls_openpgp_privkey_to_gkey == NULL) { + gnutls_assert(); + return NULL; + } + + ret = _E_gnutls_openpgp_privkey_to_gkey(local_key, key); + if (ret < 0) { + gnutls_assert(); + return NULL; + } + + return local_key; } void _gnutls_selected_certs_deinit(gnutls_session session) { - if (session->internals.selected_need_free != 0) { - int i; - - for (i = 0; - i < session->internals.selected_cert_list_length; - i++) { - _gnutls_gcert_deinit(&session->internals. - selected_cert_list[i]); - } - session->internals.selected_cert_list = NULL; - session->internals.selected_cert_list_length = 0; + if (session->internals.selected_need_free != 0) { + int i; - _gnutls_gkey_deinit(session->internals.selected_key); + for (i = 0; i < session->internals.selected_cert_list_length; i++) { + _gnutls_gcert_deinit(&session->internals. + selected_cert_list[i]); } + session->internals.selected_cert_list = NULL; + session->internals.selected_cert_list_length = 0; - return; + _gnutls_gkey_deinit(session->internals.selected_key); + } + + return; } void _gnutls_selected_certs_set(gnutls_session session, gnutls_cert * certs, int ncerts, gnutls_privkey * key, int need_free) { - _gnutls_selected_certs_deinit(session); + _gnutls_selected_certs_deinit(session); - session->internals.selected_cert_list = certs; - session->internals.selected_cert_list_length = ncerts; - session->internals.selected_key = key; - session->internals.selected_need_free = need_free; + session->internals.selected_cert_list = certs; + session->internals.selected_cert_list_length = ncerts; + session->internals.selected_key = key; + session->internals.selected_need_free = need_free; } @@ -1552,54 +1538,52 @@ void _gnutls_selected_certs_set(gnutls_session session, int _gnutls_server_select_cert(gnutls_session session, gnutls_pk_algorithm requested_algo) { - uint i; - int index, ret; - const gnutls_certificate_credentials cred; + uint i; + int index, ret; + const gnutls_certificate_credentials cred; - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } - /* If the callback which retrieves certificate has been set, - * use it and leave. - */ - if (cred->server_get_cert_callback != NULL) - return call_get_cert_callback( session, NULL, 0, NULL, 0); + /* If the callback which retrieves certificate has been set, + * use it and leave. + */ + if (cred->server_get_cert_callback != NULL) + return call_get_cert_callback(session, NULL, 0, NULL, 0); - /* Otherwise... */ + /* Otherwise... */ - ret = 0; - index = -1; /* default is use no certificate */ - + ret = 0; + index = -1; /* default is use no certificate */ - for (i = 0; i < cred->ncerts; i++) { - /* find one compatible certificate - */ - if (requested_algo == GNUTLS_PK_ANY || - requested_algo == - cred->cert_list[i][0].subject_pk_algorithm) { - /* if cert type matches - */ - if (session->security_parameters.cert_type == - cred->cert_list[i][0].cert_type) { - index = i; - break; - } - } - } - - /* store the certificate pointer for future use, in the handshake. - * (This will allow not calling this callback again.) - */ - if (index >= 0 && ret == 0) { - _gnutls_selected_certs_set(session, - &cred->cert_list[index][0], - cred->cert_list_length[index], - &cred->pkey[index], 0); - } - return ret; + for (i = 0; i < cred->ncerts; i++) { + /* find one compatible certificate + */ + if (requested_algo == GNUTLS_PK_ANY || + requested_algo == cred->cert_list[i][0].subject_pk_algorithm) { + /* if cert type matches + */ + if (session->security_parameters.cert_type == + cred->cert_list[i][0].cert_type) { + index = i; + break; + } + } + } + + /* store the certificate pointer for future use, in the handshake. + * (This will allow not calling this callback again.) + */ + if (index >= 0 && ret == 0) { + _gnutls_selected_certs_set(session, + &cred->cert_list[index][0], + cred->cert_list_length[index], + &cred->pkey[index], 0); + } + + return ret; } diff --git a/lib/auth_cert.h b/lib/auth_cert.h index d024f16e4f..d7a0ebcb33 100644 --- a/lib/auth_cert.h +++ b/lib/auth_cert.h @@ -7,113 +7,121 @@ #include "../libextra/openpgp/openpgp.h" typedef struct retr_st { - gnutls_certificate_type type; - union cert { - gnutls_x509_crt* x509; - gnutls_openpgp_key pgp; - } cert; - uint ncerts; - - union key { - gnutls_x509_privkey x509; - gnutls_openpgp_privkey pgp; - } key; - - uint deinit_all; + gnutls_certificate_type type; + union cert { + gnutls_x509_crt *x509; + gnutls_openpgp_key pgp; + } cert; + uint ncerts; + + union key { + gnutls_x509_privkey x509; + gnutls_openpgp_privkey pgp; + } key; + + uint deinit_all; } gnutls_retr_st; typedef int gnutls_certificate_client_retrieve_function(gnutls_session, - const gnutls_datum* req_ca_rdn, int nreqs, - const gnutls_pk_algorithm* pk_algos, int pk_algos_length, - gnutls_retr_st *); - -typedef int gnutls_certificate_server_retrieve_function( - struct gnutls_session_int*, gnutls_retr_st*); + const gnutls_datum + * req_ca_rdn, + int nreqs, + const + gnutls_pk_algorithm + * pk_algos, + int + pk_algos_length, + gnutls_retr_st *); + +typedef int gnutls_certificate_server_retrieve_function(struct + gnutls_session_int + *, + gnutls_retr_st *); /* This structure may be complex, but it's the only way to * support a server that has multiple certificates */ typedef struct { - gnutls_dh_params dh_params; - gnutls_rsa_params rsa_params; - /* this callback is used to retrieve the DH or RSA - * parameters. - */ - gnutls_params_function * params_func; - - gnutls_cert ** cert_list; - /* contains a list of a list of certificates. - * eg (X509): [0] certificate1, certificate11, certificate111 - * (if more than one, one certificate certifies the one before) - * [1] certificate2, certificate22, ... - */ - uint * cert_list_length; - /* contains the number of the certificates in a - * row (should be 1 for OpenPGP keys). - */ - uint ncerts;/* contains the number of columns in cert_list. - * This is the same with the number of pkeys. - */ - - gnutls_privkey * pkey; - /* private keys. It contains ncerts private - * keys. pkey[i] corresponds to certificate in - * cert_list[i][0]. - */ - - /* OpenPGP specific stuff */ - - gnutls_datum keyring; - char * pgp_key_server; - int pgp_key_server_port; - - char * pgp_trustdb; - - /* X509 specific stuff */ - - gnutls_x509_crt * x509_ca_list; - uint x509_ncas; /* number of CAs in the ca_list - */ - - gnutls_x509_crl * x509_crl_list; - uint x509_ncrls;/* number of CRLs in the crl_list - */ - - unsigned int verify_flags; /* flags to be used at - * certificate verification. - */ - - /* holds a sequence of the - * RDNs of the CAs above. - * This is better than - * generating on every handshake. - */ - gnutls_datum x509_rdn_sequence; - - gnutls_certificate_client_retrieve_function* client_get_cert_callback; - gnutls_certificate_server_retrieve_function* server_get_cert_callback; + gnutls_dh_params dh_params; + gnutls_rsa_params rsa_params; + /* this callback is used to retrieve the DH or RSA + * parameters. + */ + gnutls_params_function *params_func; + + gnutls_cert **cert_list; + /* contains a list of a list of certificates. + * eg (X509): [0] certificate1, certificate11, certificate111 + * (if more than one, one certificate certifies the one before) + * [1] certificate2, certificate22, ... + */ + uint *cert_list_length; + /* contains the number of the certificates in a + * row (should be 1 for OpenPGP keys). + */ + uint ncerts; /* contains the number of columns in cert_list. + * This is the same with the number of pkeys. + */ + + gnutls_privkey *pkey; + /* private keys. It contains ncerts private + * keys. pkey[i] corresponds to certificate in + * cert_list[i][0]. + */ + + /* OpenPGP specific stuff */ + + gnutls_datum keyring; + char *pgp_key_server; + int pgp_key_server_port; + + char *pgp_trustdb; + + /* X509 specific stuff */ + + gnutls_x509_crt *x509_ca_list; + uint x509_ncas; /* number of CAs in the ca_list + */ + + gnutls_x509_crl *x509_crl_list; + uint x509_ncrls; /* number of CRLs in the crl_list + */ + + unsigned int verify_flags; /* flags to be used at + * certificate verification. + */ + + /* holds a sequence of the + * RDNs of the CAs above. + * This is better than + * generating on every handshake. + */ + gnutls_datum x509_rdn_sequence; + + gnutls_certificate_client_retrieve_function *client_get_cert_callback; + gnutls_certificate_server_retrieve_function *server_get_cert_callback; } certificate_credentials_st; #define gnutls_certificate_credentials certificate_credentials_st* typedef struct rsa_info_st { - opaque modulus[65]; - size_t modulus_size; - opaque exponent[65]; - size_t exponent_size; + opaque modulus[65]; + size_t modulus_size; + opaque exponent[65]; + size_t exponent_size; } rsa_info_t; typedef struct cert_auth_info_st { - int certificate_requested; /* if the peer requested certificate - * this is non zero; - */ - dh_info_t dh; - - rsa_info_t rsa_export; - gnutls_datum* raw_certificate_list; /* holds the raw certificate of the - * peer. - */ - unsigned int ncerts; /* holds the size of the list above */ + int certificate_requested; /* if the peer requested certificate + * this is non zero; + */ + dh_info_t dh; + + rsa_info_t rsa_export; + gnutls_datum *raw_certificate_list; /* holds the raw certificate of the + * peer. + */ + unsigned int ncerts; /* holds the size of the list above */ } *cert_auth_info_t; typedef struct cert_auth_info_st cert_auth_info_st; @@ -126,20 +134,28 @@ int _gnutls_gen_cert_server_cert_req(gnutls_session, opaque **); int _gnutls_proc_cert_cert_req(gnutls_session, opaque *, size_t); int _gnutls_proc_cert_client_cert_vrfy(gnutls_session, opaque *, size_t); int _gnutls_proc_cert_server_certificate(gnutls_session, opaque *, size_t); -int _gnutls_get_selected_cert( gnutls_session session, gnutls_cert** apr_cert_list, int *apr_cert_list_length, gnutls_privkey** apr_pkey); - -int _gnutls_server_select_cert( struct gnutls_session_int*, gnutls_pk_algorithm); -void _gnutls_selected_certs_deinit( gnutls_session session); -void _gnutls_selected_certs_set( gnutls_session session, - gnutls_cert* certs, int ncerts, gnutls_privkey* key, - int need_free); +int _gnutls_get_selected_cert(gnutls_session session, + gnutls_cert ** apr_cert_list, + int *apr_cert_list_length, + gnutls_privkey ** apr_pkey); + +int _gnutls_server_select_cert(struct gnutls_session_int *, + gnutls_pk_algorithm); +void _gnutls_selected_certs_deinit(gnutls_session session); +void _gnutls_selected_certs_set(gnutls_session session, + gnutls_cert * certs, int ncerts, + gnutls_privkey * key, int need_free); #define _gnutls_proc_cert_client_certificate _gnutls_proc_cert_server_certificate -gnutls_rsa_params _gnutls_certificate_get_rsa_params(const gnutls_certificate_credentials sc, - gnutls_session session); -gnutls_dh_params _gnutls_certificate_get_dh_params(const gnutls_certificate_credentials sc, - gnutls_session session); +gnutls_rsa_params _gnutls_certificate_get_rsa_params(const + gnutls_certificate_credentials + sc, + gnutls_session + session); +gnutls_dh_params _gnutls_certificate_get_dh_params(const + gnutls_certificate_credentials + sc, + gnutls_session session); #endif - diff --git a/lib/auth_dh_common.c b/lib/auth_dh_common.c index a4842710f3..3114435eeb 100644 --- a/lib/auth_dh_common.c +++ b/lib/auth_dh_common.c @@ -38,234 +38,237 @@ #include <auth_dh_common.h> int _gnutls_proc_dh_common_client_kx(gnutls_session session, opaque * data, - size_t _data_size, mpi_t g, mpi_t p) + size_t _data_size, mpi_t g, mpi_t p) { - uint16 n_Y; - size_t _n_Y; - int ret; - ssize_t data_size = _data_size; + uint16 n_Y; + size_t _n_Y; + int ret; + ssize_t data_size = _data_size; - DECR_LEN( data_size, 2); - n_Y = _gnutls_read_uint16(&data[0]); - _n_Y = n_Y; + DECR_LEN(data_size, 2); + n_Y = _gnutls_read_uint16(&data[0]); + _n_Y = n_Y; - DECR_LEN( data_size, n_Y); - if (_gnutls_mpi_scan(&session->key->client_Y, &data[2], &_n_Y)) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } + DECR_LEN(data_size, n_Y); + if (_gnutls_mpi_scan(&session->key->client_Y, &data[2], &_n_Y)) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } - _gnutls_dh_set_peer_public( session, session->key->client_Y); + _gnutls_dh_set_peer_public(session, session->key->client_Y); - session->key->KEY = - gnutls_calc_dh_key(session->key->client_Y, - session->key->dh_secret, p); + session->key->KEY = + gnutls_calc_dh_key(session->key->client_Y, + session->key->dh_secret, p); - if (session->key->KEY == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (session->key->KEY == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - _gnutls_mpi_release(&session->key->client_Y); - _gnutls_mpi_release(&session->key->dh_secret); + _gnutls_mpi_release(&session->key->client_Y); + _gnutls_mpi_release(&session->key->dh_secret); - ret = _gnutls_generate_session_key(session->key); - _gnutls_mpi_release(&session->key->KEY); + ret = _gnutls_generate_session_key(session->key); + _gnutls_mpi_release(&session->key->KEY); - if (ret < 0) { - return ret; - } + if (ret < 0) { + return ret; + } - return 0; + return 0; } int _gnutls_gen_dh_common_client_kx(gnutls_session session, opaque ** data) { - mpi_t x = NULL, X = NULL; - size_t n_X; - int ret; - - *data = NULL; - - X = gnutls_calc_dh_secret(&x, session->key->client_g, - session->key->client_p); - if (X == NULL || x == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - _gnutls_dh_set_secret_bits( session, _gnutls_mpi_get_nbits(x)); - - _gnutls_mpi_print( NULL, &n_X, X); - (*data) = gnutls_malloc(n_X + 2); - if (*data == NULL) { - ret = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - _gnutls_mpi_print( &(*data)[2], &n_X, X); - _gnutls_mpi_release(&X); - - _gnutls_write_uint16(n_X, &(*data)[0]); - - /* calculate the key after calculating the message */ - session->key->KEY = - gnutls_calc_dh_key(session->key->client_Y, x, - session->key->client_p); - - _gnutls_mpi_release(&x); - if (session->key->KEY == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - _gnutls_dh_set_peer_public( session, session->key->client_Y); - - /* THESE SHOULD BE DISCARDED */ - _gnutls_mpi_release(&session->key->client_Y); - _gnutls_mpi_release(&session->key->client_p); - _gnutls_mpi_release(&session->key->client_g); - - ret = _gnutls_generate_session_key(session->key); - _gnutls_mpi_release(&session->key->KEY); - - if (ret < 0) { - gnutls_assert(); - goto error; - } - - return n_X + 2; - -error: - _gnutls_mpi_release(&x); - _gnutls_mpi_release(&X); - gnutls_free(*data); *data = NULL; - return ret; + mpi_t x = NULL, X = NULL; + size_t n_X; + int ret; + + *data = NULL; + + X = gnutls_calc_dh_secret(&x, session->key->client_g, + session->key->client_p); + if (X == NULL || x == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + _gnutls_dh_set_secret_bits(session, _gnutls_mpi_get_nbits(x)); + + _gnutls_mpi_print(NULL, &n_X, X); + (*data) = gnutls_malloc(n_X + 2); + if (*data == NULL) { + ret = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + _gnutls_mpi_print(&(*data)[2], &n_X, X); + _gnutls_mpi_release(&X); + + _gnutls_write_uint16(n_X, &(*data)[0]); + + /* calculate the key after calculating the message */ + session->key->KEY = + gnutls_calc_dh_key(session->key->client_Y, x, + session->key->client_p); + + _gnutls_mpi_release(&x); + if (session->key->KEY == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + _gnutls_dh_set_peer_public(session, session->key->client_Y); + + /* THESE SHOULD BE DISCARDED */ + _gnutls_mpi_release(&session->key->client_Y); + _gnutls_mpi_release(&session->key->client_p); + _gnutls_mpi_release(&session->key->client_g); + + ret = _gnutls_generate_session_key(session->key); + _gnutls_mpi_release(&session->key->KEY); + + if (ret < 0) { + gnutls_assert(); + goto error; + } + + return n_X + 2; + + error: + _gnutls_mpi_release(&x); + _gnutls_mpi_release(&X); + gnutls_free(*data); + *data = NULL; + return ret; } -int _gnutls_proc_dh_common_server_kx( gnutls_session session, opaque* data, size_t _data_size) +int _gnutls_proc_dh_common_server_kx(gnutls_session session, opaque * data, + size_t _data_size) { - uint16 n_Y, n_g, n_p; - size_t _n_Y, _n_g, _n_p; - uint8 *data_p; - uint8 *data_g; - uint8 *data_Y; - int i, bits; - ssize_t data_size = _data_size; - - i = 0; - DECR_LEN( data_size, 2); - n_p = _gnutls_read_uint16( &data[i]); - i += 2; - - DECR_LEN( data_size, n_p); - data_p = &data[i]; - i += n_p; - if (i > data_size) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - DECR_LEN( data_size, 2); - n_g = _gnutls_read_uint16( &data[i]); - i += 2; - - DECR_LEN( data_size, n_g); - data_g = &data[i]; - i += n_g; - - DECR_LEN( data_size, 2); - n_Y = _gnutls_read_uint16( &data[i]); - i += 2; - - DECR_LEN( data_size, n_Y); - data_Y = &data[i]; - i += n_Y; - - _n_Y = n_Y; - _n_g = n_g; - _n_p = n_p; - - if (_gnutls_mpi_scan(&session->key->client_Y, data_Y, &_n_Y) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - if (_gnutls_mpi_scan(&session->key->client_g, data_g, &_n_g) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - if (_gnutls_mpi_scan(&session->key->client_p, data_p, &_n_p) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - bits = _gnutls_dh_get_allowed_prime_bits( session); - if (bits < 0) { - gnutls_assert(); - return bits; - } - - if ( _gnutls_mpi_get_nbits( session->key->client_p) < (size_t)bits) { - /* the prime used by the peer is not acceptable - */ - gnutls_assert(); - return GNUTLS_E_DH_PRIME_UNACCEPTABLE; - } - - _gnutls_dh_set_group( session, session->key->client_g, session->key->client_p); - _gnutls_dh_set_peer_public( session, session->key->client_Y); - - return n_Y + n_p + n_g + 6; + uint16 n_Y, n_g, n_p; + size_t _n_Y, _n_g, _n_p; + uint8 *data_p; + uint8 *data_g; + uint8 *data_Y; + int i, bits; + ssize_t data_size = _data_size; + + i = 0; + DECR_LEN(data_size, 2); + n_p = _gnutls_read_uint16(&data[i]); + i += 2; + + DECR_LEN(data_size, n_p); + data_p = &data[i]; + i += n_p; + if (i > data_size) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + DECR_LEN(data_size, 2); + n_g = _gnutls_read_uint16(&data[i]); + i += 2; + + DECR_LEN(data_size, n_g); + data_g = &data[i]; + i += n_g; + + DECR_LEN(data_size, 2); + n_Y = _gnutls_read_uint16(&data[i]); + i += 2; + + DECR_LEN(data_size, n_Y); + data_Y = &data[i]; + i += n_Y; + + _n_Y = n_Y; + _n_g = n_g; + _n_p = n_p; + + if (_gnutls_mpi_scan(&session->key->client_Y, data_Y, &_n_Y) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + if (_gnutls_mpi_scan(&session->key->client_g, data_g, &_n_g) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + if (_gnutls_mpi_scan(&session->key->client_p, data_p, &_n_p) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + bits = _gnutls_dh_get_allowed_prime_bits(session); + if (bits < 0) { + gnutls_assert(); + return bits; + } + + if (_gnutls_mpi_get_nbits(session->key->client_p) < (size_t) bits) { + /* the prime used by the peer is not acceptable + */ + gnutls_assert(); + return GNUTLS_E_DH_PRIME_UNACCEPTABLE; + } + + _gnutls_dh_set_group(session, session->key->client_g, + session->key->client_p); + _gnutls_dh_set_peer_public(session, session->key->client_Y); + + return n_Y + n_p + n_g + 6; } -int _gnutls_dh_common_print_server_kx( gnutls_session session, - mpi_t g, mpi_t p, opaque** data) +int _gnutls_dh_common_print_server_kx(gnutls_session session, + mpi_t g, mpi_t p, opaque ** data) { - mpi_t x, X; - size_t n_X, n_g, n_p; - int ret; - uint8 *data_p; - uint8 *data_g; - uint8 *data_X; - - X = gnutls_calc_dh_secret(&x, g, p); - if (X == NULL || x == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - session->key->dh_secret = x; - _gnutls_dh_set_secret_bits( session, _gnutls_mpi_get_nbits(x)); - - _gnutls_mpi_print( NULL, &n_g, g); - _gnutls_mpi_print( NULL, &n_p, p); - _gnutls_mpi_print( NULL, &n_X, X); - (*data) = gnutls_malloc(n_g + n_p + n_X + 6); - if (*data == NULL) { - _gnutls_mpi_release(&X); - return GNUTLS_E_MEMORY_ERROR; - } - - data_p = &(*data)[0]; - _gnutls_mpi_print( &data_p[2], &n_p, p); - - _gnutls_write_uint16(n_p, data_p); - - data_g = &data_p[2 + n_p]; - _gnutls_mpi_print( &data_g[2], &n_g, g); - - _gnutls_write_uint16(n_g, data_g); - - data_X = &data_g[2 + n_g]; - _gnutls_mpi_print( &data_X[2], &n_X, X); + mpi_t x, X; + size_t n_X, n_g, n_p; + int ret; + uint8 *data_p; + uint8 *data_g; + uint8 *data_X; + + X = gnutls_calc_dh_secret(&x, g, p); + if (X == NULL || x == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + session->key->dh_secret = x; + _gnutls_dh_set_secret_bits(session, _gnutls_mpi_get_nbits(x)); + + _gnutls_mpi_print(NULL, &n_g, g); + _gnutls_mpi_print(NULL, &n_p, p); + _gnutls_mpi_print(NULL, &n_X, X); + (*data) = gnutls_malloc(n_g + n_p + n_X + 6); + if (*data == NULL) { _gnutls_mpi_release(&X); + return GNUTLS_E_MEMORY_ERROR; + } - _gnutls_write_uint16(n_X, data_X); + data_p = &(*data)[0]; + _gnutls_mpi_print(&data_p[2], &n_p, p); - ret = n_p + n_g + n_X + 6; + _gnutls_write_uint16(n_p, data_p); - return ret; + data_g = &data_p[2 + n_p]; + _gnutls_mpi_print(&data_g[2], &n_g, g); + + _gnutls_write_uint16(n_g, data_g); + + data_X = &data_g[2 + n_g]; + _gnutls_mpi_print(&data_X[2], &n_X, X); + _gnutls_mpi_release(&X); + + _gnutls_write_uint16(n_X, data_X); + + ret = n_p + n_g + n_X + 6; + + return ret; } diff --git a/lib/auth_dh_common.h b/lib/auth_dh_common.h index 0da5c59f92..a1400cac2c 100644 --- a/lib/auth_dh_common.h +++ b/lib/auth_dh_common.h @@ -2,22 +2,22 @@ # define AUTH_DH_COMMON typedef struct dh_info_st { - int secret_bits; + int secret_bits; - opaque prime[1025]; - size_t prime_size; - opaque generator[16]; - size_t generator_size; - opaque public_key[1025]; - size_t public_key_size; + opaque prime[1025]; + size_t prime_size; + opaque generator[16]; + size_t generator_size; + opaque public_key[1025]; + size_t public_key_size; } dh_info_t; int _gnutls_gen_dh_common_client_kx(gnutls_session, opaque **); int _gnutls_proc_dh_common_client_kx(gnutls_session session, opaque * data, - size_t _data_size, mpi_t p, mpi_t g); -int _gnutls_dh_common_print_server_kx( gnutls_session, mpi_t g, - mpi_t p, opaque** data); -int _gnutls_proc_dh_common_server_kx( gnutls_session session, opaque* data, - size_t _data_size); + size_t _data_size, mpi_t p, mpi_t g); +int _gnutls_dh_common_print_server_kx(gnutls_session, mpi_t g, + mpi_t p, opaque ** data); +int _gnutls_proc_dh_common_server_kx(gnutls_session session, opaque * data, + size_t _data_size); #endif diff --git a/lib/auth_dhe.c b/lib/auth_dhe.c index 8025801a2e..386545eb13 100644 --- a/lib/auth_dhe.c +++ b/lib/auth_dhe.c @@ -43,214 +43,214 @@ static int proc_dhe_server_kx(gnutls_session, opaque *, size_t); static int proc_dhe_client_kx(gnutls_session, opaque *, size_t); const mod_auth_st dhe_rsa_auth_struct = { - "DHE_RSA", - _gnutls_gen_cert_server_certificate, - _gnutls_gen_cert_client_certificate, - gen_dhe_server_kx, - _gnutls_gen_dh_common_client_kx, - _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ - _gnutls_gen_cert_server_cert_req, /* server cert request */ - - _gnutls_proc_cert_server_certificate, - _gnutls_proc_cert_client_certificate, - proc_dhe_server_kx, - proc_dhe_client_kx, - _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ - _gnutls_proc_cert_cert_req /* proc server cert request */ + "DHE_RSA", + _gnutls_gen_cert_server_certificate, + _gnutls_gen_cert_client_certificate, + gen_dhe_server_kx, + _gnutls_gen_dh_common_client_kx, + _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ + _gnutls_gen_cert_server_cert_req, /* server cert request */ + + _gnutls_proc_cert_server_certificate, + _gnutls_proc_cert_client_certificate, + proc_dhe_server_kx, + proc_dhe_client_kx, + _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ + _gnutls_proc_cert_cert_req /* proc server cert request */ }; const mod_auth_st dhe_dss_auth_struct = { - "DHE_DSS", - _gnutls_gen_cert_server_certificate, - _gnutls_gen_cert_client_certificate, - gen_dhe_server_kx, - _gnutls_gen_dh_common_client_kx, - _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ - _gnutls_gen_cert_server_cert_req, /* server cert request */ - - _gnutls_proc_cert_server_certificate, - _gnutls_proc_cert_client_certificate, - proc_dhe_server_kx, - proc_dhe_client_kx, - _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ - _gnutls_proc_cert_cert_req /* proc server cert request */ + "DHE_DSS", + _gnutls_gen_cert_server_certificate, + _gnutls_gen_cert_client_certificate, + gen_dhe_server_kx, + _gnutls_gen_dh_common_client_kx, + _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ + _gnutls_gen_cert_server_cert_req, /* server cert request */ + + _gnutls_proc_cert_server_certificate, + _gnutls_proc_cert_client_certificate, + proc_dhe_server_kx, + proc_dhe_client_kx, + _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ + _gnutls_proc_cert_cert_req /* proc server cert request */ }; static int gen_dhe_server_kx(gnutls_session session, opaque ** data) { - mpi_t g, p; - const mpi_t *mpis; - int ret = 0, data_size; - int bits; - gnutls_cert *apr_cert_list; - gnutls_privkey* apr_pkey; - int apr_cert_list_length; - gnutls_datum signature, ddata; - const gnutls_certificate_credentials cred; - gnutls_dh_params dh_params; - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - bits = _gnutls_dh_get_allowed_prime_bits( session); - - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, + mpi_t g, p; + const mpi_t *mpis; + int ret = 0, data_size; + int bits; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + gnutls_datum signature, ddata; + const gnutls_certificate_credentials cred; + gnutls_dh_params dh_params; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + bits = _gnutls_dh_get_allowed_prime_bits(session); + + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert(session, &apr_cert_list, &apr_cert_list_length, &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } + gnutls_assert(); + return ret; + } - dh_params = _gnutls_certificate_get_dh_params( cred, session); - mpis = _gnutls_get_dh_params( dh_params); - if (mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; - } + dh_params = _gnutls_certificate_get_dh_params(cred, session); + mpis = _gnutls_get_dh_params(dh_params); + if (mpis == NULL) { + gnutls_assert(); + return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; + } - p = mpis[0]; - g = mpis[1]; + p = mpis[0]; + g = mpis[1]; - if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_CERTIFICATE, - sizeof( cert_auth_info_st), 0)) < 0) - { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, + sizeof(cert_auth_info_st), 0)) < 0) { + gnutls_assert(); + return ret; + } - _gnutls_dh_set_group( session, g, p); + _gnutls_dh_set_group(session, g, p); - ret = _gnutls_dh_common_print_server_kx( session, g, p, data); - if (ret < 0) { - gnutls_assert(); - return ret; - } - data_size = ret; - - /* Generate the signature. */ - - ddata.data = *data; - ddata.size = data_size; - - if (apr_pkey != NULL) { - if ((ret = - _gnutls_tls_sign_params(session, &apr_cert_list[0], - apr_pkey, &ddata, - &signature)) < 0) { - gnutls_assert(); - gnutls_free(*data); - return ret; - } - } else { - gnutls_assert(); - return data_size; /* do not put a signature - ILLEGAL! */ - } + ret = _gnutls_dh_common_print_server_kx(session, g, p, data); + if (ret < 0) { + gnutls_assert(); + return ret; + } + data_size = ret; - *data = gnutls_realloc_fast(*data, data_size + signature.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&signature); - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + /* Generate the signature. */ - _gnutls_write_datum16(&(*data)[data_size], signature); - data_size += signature.size + 2; + ddata.data = *data; + ddata.size = data_size; + if (apr_pkey != NULL) { + if ((ret = + _gnutls_tls_sign_params(session, &apr_cert_list[0], + apr_pkey, &ddata, &signature)) < 0) { + gnutls_assert(); + gnutls_free(*data); + return ret; + } + } else { + gnutls_assert(); + return data_size; /* do not put a signature - ILLEGAL! */ + } + + *data = gnutls_realloc_fast(*data, data_size + signature.size + 2); + if (*data == NULL) { _gnutls_free_datum(&signature); + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + _gnutls_write_datum16(&(*data)[data_size], signature); + data_size += signature.size + 2; - return data_size; + _gnutls_free_datum(&signature); + + return data_size; } static int proc_dhe_server_kx(gnutls_session session, opaque * data, - size_t _data_size) + size_t _data_size) { - int sigsize; - gnutls_datum vparams, signature; - int ret; - cert_auth_info_t info = _gnutls_get_auth_info( session); - ssize_t data_size = _data_size; - gnutls_cert peer_cert; - - if (info == NULL || info->ncerts==0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return GNUTLS_E_INTERNAL_ERROR; - } - - ret = _gnutls_proc_dh_common_server_kx( session, data, _data_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + int sigsize; + gnutls_datum vparams, signature; + int ret; + cert_auth_info_t info = _gnutls_get_auth_info(session); + ssize_t data_size = _data_size; + gnutls_cert peer_cert; + + if (info == NULL || info->ncerts == 0) { + gnutls_assert(); + /* we need this in order to get peer's certificate */ + return GNUTLS_E_INTERNAL_ERROR; + } + + ret = _gnutls_proc_dh_common_server_kx(session, data, _data_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* VERIFY SIGNATURE */ + /* VERIFY SIGNATURE */ - vparams.size = ret; - vparams.data = data; + vparams.size = ret; + vparams.data = data; - DECR_LEN( data_size, 2); - sigsize = _gnutls_read_uint16(&data[vparams.size]); + DECR_LEN(data_size, 2); + sigsize = _gnutls_read_uint16(&data[vparams.size]); - DECR_LEN( data_size, sigsize); - signature.data = &data[vparams.size + 2]; - signature.size = sigsize; + DECR_LEN(data_size, sigsize); + signature.data = &data[vparams.size + 2]; + signature.size = sigsize; - if ((ret = - _gnutls_raw_cert_to_gcert( &peer_cert, session->security_parameters.cert_type, - &info->raw_certificate_list[0], CERT_NO_COPY)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = + _gnutls_raw_cert_to_gcert(&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_NO_COPY)) < 0) { + gnutls_assert(); + return ret; + } - ret = - _gnutls_verify_sig_params(session, - &peer_cert, - &vparams, &signature); - - _gnutls_gcert_deinit( &peer_cert); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = + _gnutls_verify_sig_params(session, + &peer_cert, &vparams, &signature); + _gnutls_gcert_deinit(&peer_cert); + if (ret < 0) { + gnutls_assert(); return ret; + } + + return ret; } static int proc_dhe_client_kx(gnutls_session session, opaque * data, - size_t _data_size) + size_t _data_size) { -const gnutls_certificate_credentials cred; -int ret; -mpi_t p, g; -const mpi_t *mpis; -gnutls_dh_params dh_params; - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - dh_params = _gnutls_certificate_get_dh_params( cred, session); - mpis = _gnutls_get_dh_params( dh_params); - if (mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; - } - - p = mpis[0]; - g = mpis[1]; - - ret = _gnutls_proc_dh_common_client_kx( session, data, _data_size, g, p); - - return ret; + const gnutls_certificate_credentials cred; + int ret; + mpi_t p, g; + const mpi_t *mpis; + gnutls_dh_params dh_params; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + dh_params = _gnutls_certificate_get_dh_params(cred, session); + mpis = _gnutls_get_dh_params(dh_params); + if (mpis == NULL) { + gnutls_assert(); + return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; + } + + p = mpis[0]; + g = mpis[1]; + + ret = + _gnutls_proc_dh_common_client_kx(session, data, _data_size, g, p); + + return ret; } diff --git a/lib/auth_rsa.c b/lib/auth_rsa.c index 5e6f412b92..f62c7e5684 100644 --- a/lib/auth_rsa.c +++ b/lib/auth_rsa.c @@ -45,140 +45,146 @@ int _gnutls_gen_rsa_client_kx(gnutls_session, opaque **); int _gnutls_proc_rsa_client_kx(gnutls_session, opaque *, size_t); const mod_auth_st rsa_auth_struct = { - "RSA", - _gnutls_gen_cert_server_certificate, - _gnutls_gen_cert_client_certificate, - NULL, /* gen server kx */ - _gnutls_gen_rsa_client_kx, - _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ - _gnutls_gen_cert_server_cert_req, /* server cert request */ - - _gnutls_proc_cert_server_certificate, - _gnutls_proc_cert_client_certificate, - NULL, /* proc server kx */ - _gnutls_proc_rsa_client_kx, /* proc client kx */ - _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ - _gnutls_proc_cert_cert_req /* proc server cert request */ + "RSA", + _gnutls_gen_cert_server_certificate, + _gnutls_gen_cert_client_certificate, + NULL, /* gen server kx */ + _gnutls_gen_rsa_client_kx, + _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ + _gnutls_gen_cert_server_cert_req, /* server cert request */ + + _gnutls_proc_cert_server_certificate, + _gnutls_proc_cert_client_certificate, + NULL, /* proc server kx */ + _gnutls_proc_rsa_client_kx, /* proc client kx */ + _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ + _gnutls_proc_cert_cert_req /* proc server cert request */ }; /* This function reads the RSA parameters from peer's certificate; */ -int _gnutls_get_public_rsa_params(gnutls_session session, - mpi_t params[MAX_PUBLIC_PARAMS_SIZE], int* params_len) +int _gnutls_get_public_rsa_params(gnutls_session session, + mpi_t params[MAX_PUBLIC_PARAMS_SIZE], + int *params_len) { -int ret; -cert_auth_info_t info; -gnutls_cert peer_cert; -int i; + int ret; + cert_auth_info_t info; + gnutls_cert peer_cert; + int i; - /* normal non export case */ + /* normal non export case */ - info = _gnutls_get_auth_info( session); + info = _gnutls_get_auth_info(session); - if (info==NULL || info->ncerts==0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - ret = - _gnutls_raw_cert_to_gcert( &peer_cert, session->security_parameters.cert_type, - &info->raw_certificate_list[0], CERT_ONLY_PUBKEY|CERT_NO_COPY); - - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (info == NULL || info->ncerts == 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + ret = + _gnutls_raw_cert_to_gcert(&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_ONLY_PUBKEY | CERT_NO_COPY); - /* EXPORT case: */ - if ( _gnutls_cipher_suite_get_kx_algo(&session->security_parameters.current_cipher_suite) - == GNUTLS_KX_RSA_EXPORT && - _gnutls_mpi_get_nbits(peer_cert.params[0]) > 512) { + if (ret < 0) { + gnutls_assert(); + return ret; + } - _gnutls_gcert_deinit( &peer_cert); - if (session->key->rsa[0] == NULL || - session->key->rsa[1] == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + /* EXPORT case: */ + if (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters.current_cipher_suite) + == GNUTLS_KX_RSA_EXPORT + && _gnutls_mpi_get_nbits(peer_cert.params[0]) > 512) { - if (*params_len < 2) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - *params_len = 2; - for (i=0;i<*params_len;i++) { - params[i] = _gnutls_mpi_copy(session->key->rsa[i]); - } + _gnutls_gcert_deinit(&peer_cert); - return 0; + if (session->key->rsa[0] == NULL || session->key->rsa[1] == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - /* end of export case */ - - if (*params_len < peer_cert.params_size) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (*params_len < 2) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - *params_len = peer_cert.params_size; - - for (i=0;i<*params_len;i++) { - params[i] = _gnutls_mpi_copy(peer_cert.params[i]); + *params_len = 2; + for (i = 0; i < *params_len; i++) { + params[i] = _gnutls_mpi_copy(session->key->rsa[i]); } - _gnutls_gcert_deinit( &peer_cert); return 0; + } + + /* end of export case */ + + if (*params_len < peer_cert.params_size) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + *params_len = peer_cert.params_size; + + for (i = 0; i < *params_len; i++) { + params[i] = _gnutls_mpi_copy(peer_cert.params[i]); + } + _gnutls_gcert_deinit(&peer_cert); + + return 0; } /* This function reads the RSA parameters from the private key */ -int _gnutls_get_private_rsa_params(gnutls_session session, mpi_t **params, int* params_size) +int _gnutls_get_private_rsa_params(gnutls_session session, mpi_t ** params, + int *params_size) { -int bits; -const gnutls_certificate_credentials cred; -gnutls_rsa_params rsa_params; - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (session->internals.selected_cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + int bits; + const gnutls_certificate_credentials cred; + gnutls_rsa_params rsa_params; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (session->internals.selected_cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + bits = + _gnutls_mpi_get_nbits(session->internals.selected_cert_list[0]. + params[0]); + + if (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters.current_cipher_suite) + == GNUTLS_KX_RSA_EXPORT && bits > 512) { + + rsa_params = _gnutls_certificate_get_rsa_params(cred, session); + /* EXPORT case: */ + if (rsa_params == NULL) { + gnutls_assert(); + return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS; } - bits = _gnutls_mpi_get_nbits(session->internals.selected_cert_list[0].params[0]); + /* In the export case, we do use temporary RSA params + * of 512 bits size. The params in the certificate are + * used to sign this temporary stuff. + */ + *params_size = RSA_PRIVATE_PARAMS; + *params = rsa_params->params; - if ( _gnutls_cipher_suite_get_kx_algo(&session->security_parameters.current_cipher_suite) - == GNUTLS_KX_RSA_EXPORT && - bits > 512) { + return 0; + } - rsa_params = _gnutls_certificate_get_rsa_params( cred, session); - /* EXPORT case: */ - if (rsa_params == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS; - } - - /* In the export case, we do use temporary RSA params - * of 512 bits size. The params in the certificate are - * used to sign this temporary stuff. - */ - *params_size = RSA_PRIVATE_PARAMS; - *params = rsa_params->params; - - return 0; - } + /* non export cipher suites. */ - /* non export cipher suites. */ - - *params_size = session->internals.selected_key->params_size; - *params = session->internals.selected_key->params; + *params_size = session->internals.selected_key->params_size; + *params = session->internals.selected_key->params; - return 0; + return 0; } @@ -190,88 +196,88 @@ gnutls_rsa_params rsa_params; return GNUTLS_E_MEMORY_ERROR; \ } -int _gnutls_proc_rsa_client_kx(gnutls_session session, opaque * data, size_t _data_size) +int _gnutls_proc_rsa_client_kx(gnutls_session session, opaque * data, + size_t _data_size) { - gnutls_datum plaintext; - gnutls_datum ciphertext; - int ret, dsize; - mpi_t *params; - int params_len; - int randomize_key = 0; - ssize_t data_size = _data_size; - - if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { - /* SSL 3.0 - */ - ciphertext.data = data; - ciphertext.size = data_size; - } else { - /* TLS 1.0 - */ - DECR_LEN( data_size, 2); - ciphertext.data = &data[2]; - dsize = _gnutls_read_uint16(data); - - if (dsize != data_size) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - ciphertext.size = dsize; - } + gnutls_datum plaintext; + gnutls_datum ciphertext; + int ret, dsize; + mpi_t *params; + int params_len; + int randomize_key = 0; + ssize_t data_size = _data_size; + + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { + /* SSL 3.0 + */ + ciphertext.data = data; + ciphertext.size = data_size; + } else { + /* TLS 1.0 + */ + DECR_LEN(data_size, 2); + ciphertext.data = &data[2]; + dsize = _gnutls_read_uint16(data); - ret = _gnutls_get_private_rsa_params(session, ¶ms, ¶ms_len); - if (ret < 0) { - gnutls_assert(); - return ret; + if (dsize != data_size) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } + ciphertext.size = dsize; + } - ret = _gnutls_pkcs1_rsa_decrypt(&plaintext, &ciphertext, params, - params_len, 2); /* btype==2 */ - - if (ret < 0 || plaintext.size != TLS_MASTER_SIZE) { - /* In case decryption fails then don't inform - * the peer. Just use a random key. (in order to avoid - * attack against pkcs-1 formating). - */ - gnutls_assert(); - _gnutls_x509_log("auth_rsa: Possible PKCS #1 format attack\n"); - randomize_key = 1; - } else { - /* If the secret was properly formatted, then - * check the version number. - */ - if (_gnutls_get_adv_version_major(session) != plaintext.data[0] - || _gnutls_get_adv_version_minor(session) != plaintext.data[1]) - { - /* No error is returned here, if the version number check - * fails. We proceed normally. - * That is to defend against the attack described in the paper - * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima, - * Ondej Pokorny and Tomas Rosa. - */ - gnutls_assert(); - _gnutls_x509_log("auth_rsa: Possible PKCS #1 version check format attack\n"); - } - } + ret = _gnutls_get_private_rsa_params(session, ¶ms, ¶ms_len); + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (randomize_key != 0) { - /* we do not need strong random numbers here. - */ - RANDOMIZE_KEY(session->key->key, - gnutls_malloc, GNUTLS_WEAK_RANDOM); + ret = _gnutls_pkcs1_rsa_decrypt(&plaintext, &ciphertext, params, params_len, 2); /* btype==2 */ - } else { - session->key->key.data = plaintext.data; - session->key->key.size = plaintext.size; + if (ret < 0 || plaintext.size != TLS_MASTER_SIZE) { + /* In case decryption fails then don't inform + * the peer. Just use a random key. (in order to avoid + * attack against pkcs-1 formating). + */ + gnutls_assert(); + _gnutls_x509_log("auth_rsa: Possible PKCS #1 format attack\n"); + randomize_key = 1; + } else { + /* If the secret was properly formatted, then + * check the version number. + */ + if (_gnutls_get_adv_version_major(session) != plaintext.data[0] + || _gnutls_get_adv_version_minor(session) != plaintext.data[1]) { + /* No error is returned here, if the version number check + * fails. We proceed normally. + * That is to defend against the attack described in the paper + * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima, + * Ondej Pokorny and Tomas Rosa. + */ + gnutls_assert(); + _gnutls_x509_log + ("auth_rsa: Possible PKCS #1 version check format attack\n"); } + } - /* This is here to avoid the version check attack - * discussed above. + if (randomize_key != 0) { + /* we do not need strong random numbers here. */ - session->key->key.data[0] = _gnutls_get_adv_version_major(session); - session->key->key.data[1] = _gnutls_get_adv_version_minor(session); + RANDOMIZE_KEY(session->key->key, + gnutls_malloc, GNUTLS_WEAK_RANDOM); - return 0; + } else { + session->key->key.data = plaintext.data; + session->key->key.size = plaintext.size; + } + + /* This is here to avoid the version check attack + * discussed above. + */ + session->key->key.data[0] = _gnutls_get_adv_version_major(session); + session->key->key.data[1] = _gnutls_get_adv_version_minor(session); + + return 0; } @@ -280,64 +286,66 @@ int _gnutls_proc_rsa_client_kx(gnutls_session session, opaque * data, size_t _da */ int _gnutls_gen_rsa_client_kx(gnutls_session session, opaque ** data) { - cert_auth_info_t auth = session->key->auth_info; - gnutls_datum sdata; /* data to send */ - mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; - int params_len = MAX_PUBLIC_PARAMS_SIZE; - int ret, i; - gnutls_protocol_version ver; - - if (auth == NULL) { - /* this shouldn't have happened. The proc_certificate - * function should have detected that. - */ - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - RANDOMIZE_KEY(session->key->key, gnutls_secure_malloc, GNUTLS_STRONG_RANDOM); - - ver = _gnutls_get_adv_version(session); - - if (session->internals.rsa_pms_version[0] == 0) { - session->key->key.data[0] = _gnutls_version_get_major(ver); - session->key->key.data[1] = _gnutls_version_get_minor(ver); - } else { /* use the version provided */ - session->key->key.data[0] = session->internals.rsa_pms_version[0]; - session->key->key.data[1] = session->internals.rsa_pms_version[1]; - } - - /* move RSA parameters to key (session). + cert_auth_info_t auth = session->key->auth_info; + gnutls_datum sdata; /* data to send */ + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + int params_len = MAX_PUBLIC_PARAMS_SIZE; + int ret, i; + gnutls_protocol_version ver; + + if (auth == NULL) { + /* this shouldn't have happened. The proc_certificate + * function should have detected that. */ - if ((ret = - _gnutls_get_public_rsa_params(session, params, ¶ms_len)) < 0) { - gnutls_assert(); - return ret; - } - - if ((ret = - _gnutls_pkcs1_rsa_encrypt(&sdata, &session->key->key, - params, params_len, 2)) < 0) { - gnutls_assert(); - return ret; - } - - for (i=0;i<params_len;i++) - _gnutls_mpi_release( ¶ms[i]); - - if (gnutls_protocol_get_version( session) == GNUTLS_SSL3) { - /* SSL 3.0 */ - *data = sdata.data; - return sdata.size; - } else { /* TLS 1 */ - *data = gnutls_malloc(sdata.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&sdata); - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_write_datum16( *data, sdata); - ret = sdata.size + 2; - _gnutls_free_datum(&sdata); - return ret; + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + RANDOMIZE_KEY(session->key->key, gnutls_secure_malloc, + GNUTLS_STRONG_RANDOM); + + ver = _gnutls_get_adv_version(session); + + if (session->internals.rsa_pms_version[0] == 0) { + session->key->key.data[0] = _gnutls_version_get_major(ver); + session->key->key.data[1] = _gnutls_version_get_minor(ver); + } else { /* use the version provided */ + session->key->key.data[0] = session->internals.rsa_pms_version[0]; + session->key->key.data[1] = session->internals.rsa_pms_version[1]; + } + + /* move RSA parameters to key (session). + */ + if ((ret = + _gnutls_get_public_rsa_params(session, params, + ¶ms_len)) < 0) { + gnutls_assert(); + return ret; + } + + if ((ret = + _gnutls_pkcs1_rsa_encrypt(&sdata, &session->key->key, + params, params_len, 2)) < 0) { + gnutls_assert(); + return ret; + } + + for (i = 0; i < params_len; i++) + _gnutls_mpi_release(¶ms[i]); + + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { + /* SSL 3.0 */ + *data = sdata.data; + return sdata.size; + } else { /* TLS 1 */ + *data = gnutls_malloc(sdata.size + 2); + if (*data == NULL) { + _gnutls_free_datum(&sdata); + return GNUTLS_E_MEMORY_ERROR; } + _gnutls_write_datum16(*data, sdata); + ret = sdata.size + 2; + _gnutls_free_datum(&sdata); + return ret; + } } diff --git a/lib/auth_rsa_export.c b/lib/auth_rsa_export.c index fe952d8d40..3246eacb77 100644 --- a/lib/auth_rsa_export.c +++ b/lib/auth_rsa_export.c @@ -49,251 +49,255 @@ static int gen_rsa_export_server_kx(gnutls_session, opaque **); static int proc_rsa_export_server_kx(gnutls_session, opaque *, size_t); const mod_auth_st rsa_export_auth_struct = { - "RSA EXPORT", - _gnutls_gen_cert_server_certificate, - _gnutls_gen_cert_client_certificate, - gen_rsa_export_server_kx, - _gnutls_gen_rsa_client_kx, - _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ - _gnutls_gen_cert_server_cert_req, /* server cert request */ - - _gnutls_proc_cert_server_certificate, - _gnutls_proc_cert_client_certificate, - proc_rsa_export_server_kx, - _gnutls_proc_rsa_client_kx, /* proc client kx */ - _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ - _gnutls_proc_cert_cert_req /* proc server cert request */ + "RSA EXPORT", + _gnutls_gen_cert_server_certificate, + _gnutls_gen_cert_client_certificate, + gen_rsa_export_server_kx, + _gnutls_gen_rsa_client_kx, + _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ + _gnutls_gen_cert_server_cert_req, /* server cert request */ + + _gnutls_proc_cert_server_certificate, + _gnutls_proc_cert_client_certificate, + proc_rsa_export_server_kx, + _gnutls_proc_rsa_client_kx, /* proc client kx */ + _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ + _gnutls_proc_cert_cert_req /* proc server cert request */ }; static int gen_rsa_export_server_kx(gnutls_session session, opaque ** data) { - gnutls_rsa_params rsa_params; - const mpi_t *rsa_mpis; - size_t n_e, n_m; - uint8 *data_e, *data_m; - int ret = 0, data_size; - gnutls_cert *apr_cert_list; - gnutls_privkey* apr_pkey; - int apr_cert_list_length; - gnutls_datum signature, ddata; - cert_auth_info_t info; - const gnutls_certificate_credentials cred; - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, + gnutls_rsa_params rsa_params; + const mpi_t *rsa_mpis; + size_t n_e, n_m; + uint8 *data_e, *data_m; + int ret = 0, data_size; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + gnutls_datum signature, ddata; + cert_auth_info_t info; + const gnutls_certificate_credentials cred; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert(session, &apr_cert_list, &apr_cert_list_length, &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } - - /* abort sending this message if we have a certificate - * of 512 bits or less. - */ - if ( _gnutls_mpi_get_nbits( apr_pkey->params[0]) <= 512) { - gnutls_assert(); - return GNUTLS_E_INT_RET_0; - } - - rsa_params = _gnutls_certificate_get_rsa_params( cred, session); - rsa_mpis = _gnutls_get_rsa_params( rsa_params); - if (rsa_mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS; - } - - if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_CERTIFICATE, - sizeof( cert_auth_info_st), 0)) < 0) { - gnutls_assert(); - return ret; - } + gnutls_assert(); + return ret; + } + + /* abort sending this message if we have a certificate + * of 512 bits or less. + */ + if (_gnutls_mpi_get_nbits(apr_pkey->params[0]) <= 512) { + gnutls_assert(); + return GNUTLS_E_INT_RET_0; + } + + rsa_params = _gnutls_certificate_get_rsa_params(cred, session); + rsa_mpis = _gnutls_get_rsa_params(rsa_params); + if (rsa_mpis == NULL) { + gnutls_assert(); + return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS; + } + + if ((ret = _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, + sizeof(cert_auth_info_st), 0)) < 0) { + gnutls_assert(); + return ret; + } - info = _gnutls_get_auth_info( session); - _gnutls_rsa_export_set_pubkey( session, rsa_mpis[1], rsa_mpis[0]); + info = _gnutls_get_auth_info(session); + _gnutls_rsa_export_set_pubkey(session, rsa_mpis[1], rsa_mpis[0]); - _gnutls_mpi_print( NULL, &n_m, rsa_mpis[0]); - _gnutls_mpi_print( NULL, &n_e, rsa_mpis[1]); + _gnutls_mpi_print(NULL, &n_m, rsa_mpis[0]); + _gnutls_mpi_print(NULL, &n_e, rsa_mpis[1]); - (*data) = gnutls_malloc(n_e + n_m + 4); - if (*data == NULL) { - return GNUTLS_E_MEMORY_ERROR; - } + (*data) = gnutls_malloc(n_e + n_m + 4); + if (*data == NULL) { + return GNUTLS_E_MEMORY_ERROR; + } - data_m = &(*data)[0]; - _gnutls_mpi_print( &data_m[2], &n_m, rsa_mpis[0]); + data_m = &(*data)[0]; + _gnutls_mpi_print(&data_m[2], &n_m, rsa_mpis[0]); - _gnutls_write_uint16(n_m, data_m); + _gnutls_write_uint16(n_m, data_m); - data_e = &data_m[2 + n_m]; - _gnutls_mpi_print( &data_e[2], &n_e, rsa_mpis[1]); + data_e = &data_m[2 + n_m]; + _gnutls_mpi_print(&data_e[2], &n_e, rsa_mpis[1]); - _gnutls_write_uint16(n_e, data_e); + _gnutls_write_uint16(n_e, data_e); - data_size = n_m + n_e + 4; + data_size = n_m + n_e + 4; - /* Generate the signature. */ + /* Generate the signature. */ - ddata.data = *data; - ddata.size = data_size; + ddata.data = *data; + ddata.size = data_size; - if (apr_pkey != NULL) { - if ((ret = - _gnutls_tls_sign_params(session, &apr_cert_list[0], - apr_pkey, &ddata, - &signature)) < 0) { - gnutls_assert(); - gnutls_free(*data); *data = NULL; - return ret; - } - } else { - gnutls_assert(); - return data_size; /* do not put a signature - ILLEGAL! */ + if (apr_pkey != NULL) { + if ((ret = + _gnutls_tls_sign_params(session, &apr_cert_list[0], + apr_pkey, &ddata, &signature)) < 0) { + gnutls_assert(); + gnutls_free(*data); + *data = NULL; + return ret; } + } else { + gnutls_assert(); + return data_size; /* do not put a signature - ILLEGAL! */ + } - *data = gnutls_realloc_fast(*data, data_size + signature.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&signature); - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + *data = gnutls_realloc_fast(*data, data_size + signature.size + 2); + if (*data == NULL) { + _gnutls_free_datum(&signature); + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - _gnutls_write_datum16(&((*data)[data_size]), signature); - data_size += signature.size + 2; + _gnutls_write_datum16(&((*data)[data_size]), signature); + data_size += signature.size + 2; - _gnutls_free_datum(&signature); + _gnutls_free_datum(&signature); - return data_size; + return data_size; } /* if the peer's certificate is of 512 bits or less, returns non zero. */ -int _gnutls_peers_cert_less_512( gnutls_session session) +int _gnutls_peers_cert_less_512(gnutls_session session) { -gnutls_cert peer_cert; -int ret; -cert_auth_info_t info = _gnutls_get_auth_info( session); - - if (info == NULL || info->ncerts==0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return 0; - } - - if ((ret = - _gnutls_raw_cert_to_gcert( &peer_cert, session->security_parameters.cert_type, - &info->raw_certificate_list[0], CERT_NO_COPY)) < 0) { - gnutls_assert(); - return 0; - } - - if (peer_cert.subject_pk_algorithm != GNUTLS_PK_RSA) { - gnutls_assert(); - _gnutls_gcert_deinit( &peer_cert); - return 0; - } + gnutls_cert peer_cert; + int ret; + cert_auth_info_t info = _gnutls_get_auth_info(session); - if ( _gnutls_mpi_get_nbits( peer_cert.params[0]) - <= 512) { - _gnutls_gcert_deinit( &peer_cert); - return 1; - } - - _gnutls_gcert_deinit( &peer_cert); - + if (info == NULL || info->ncerts == 0) { + gnutls_assert(); + /* we need this in order to get peer's certificate */ return 0; -} - -static int proc_rsa_export_server_kx(gnutls_session session, opaque * data, - size_t _data_size) -{ - uint16 n_m, n_e; - size_t _n_m, _n_e; - uint8 *data_m; - uint8 *data_e; - int i, sigsize; - gnutls_datum vparams, signature; - int ret; - ssize_t data_size = _data_size; - cert_auth_info_t info; - gnutls_cert peer_cert; - - info = _gnutls_get_auth_info( session); - if (info == NULL || info->ncerts==0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return GNUTLS_E_INTERNAL_ERROR; - } - - - i = 0; - - DECR_LEN( data_size, 2); - n_m = _gnutls_read_uint16(&data[i]); - i += 2; - - DECR_LEN( data_size, n_m); - data_m = &data[i]; - i += n_m; - - DECR_LEN( data_size, 2); - n_e = _gnutls_read_uint16(&data[i]); - i += 2; - - DECR_LEN( data_size, n_e); - data_e = &data[i]; - i += n_e; - - _n_e = n_e; - _n_m = n_m; - - if (_gnutls_mpi_scan(&session->key->rsa[0], data_m, &_n_m) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - if (_gnutls_mpi_scan(&session->key->rsa[1], data_e, &_n_e) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } + } + + if ((ret = + _gnutls_raw_cert_to_gcert(&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_NO_COPY)) < 0) { + gnutls_assert(); + return 0; + } - _gnutls_rsa_export_set_pubkey( session, session->key->rsa[1], session->key->rsa[0]); + if (peer_cert.subject_pk_algorithm != GNUTLS_PK_RSA) { + gnutls_assert(); + _gnutls_gcert_deinit(&peer_cert); + return 0; + } - /* VERIFY SIGNATURE */ + if (_gnutls_mpi_get_nbits(peer_cert.params[0]) + <= 512) { + _gnutls_gcert_deinit(&peer_cert); + return 1; + } - vparams.size = n_m + n_e + 4; - vparams.data = data; + _gnutls_gcert_deinit(&peer_cert); - DECR_LEN( data_size, 2); - sigsize = _gnutls_read_uint16(&data[vparams.size]); + return 0; +} - DECR_LEN( data_size, sigsize); - signature.data = &data[vparams.size + 2]; - signature.size = sigsize; +static int proc_rsa_export_server_kx(gnutls_session session, opaque * data, + size_t _data_size) +{ + uint16 n_m, n_e; + size_t _n_m, _n_e; + uint8 *data_m; + uint8 *data_e; + int i, sigsize; + gnutls_datum vparams, signature; + int ret; + ssize_t data_size = _data_size; + cert_auth_info_t info; + gnutls_cert peer_cert; + + info = _gnutls_get_auth_info(session); + if (info == NULL || info->ncerts == 0) { + gnutls_assert(); + /* we need this in order to get peer's certificate */ + return GNUTLS_E_INTERNAL_ERROR; + } + + + i = 0; + + DECR_LEN(data_size, 2); + n_m = _gnutls_read_uint16(&data[i]); + i += 2; + + DECR_LEN(data_size, n_m); + data_m = &data[i]; + i += n_m; + + DECR_LEN(data_size, 2); + n_e = _gnutls_read_uint16(&data[i]); + i += 2; + + DECR_LEN(data_size, n_e); + data_e = &data[i]; + i += n_e; + + _n_e = n_e; + _n_m = n_m; + + if (_gnutls_mpi_scan(&session->key->rsa[0], data_m, &_n_m) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + if (_gnutls_mpi_scan(&session->key->rsa[1], data_e, &_n_e) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + _gnutls_rsa_export_set_pubkey(session, session->key->rsa[1], + session->key->rsa[0]); + + /* VERIFY SIGNATURE */ + + vparams.size = n_m + n_e + 4; + vparams.data = data; + + DECR_LEN(data_size, 2); + sigsize = _gnutls_read_uint16(&data[vparams.size]); + + DECR_LEN(data_size, sigsize); + signature.data = &data[vparams.size + 2]; + signature.size = sigsize; + + if ((ret = + _gnutls_raw_cert_to_gcert(&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_NO_COPY)) < 0) { + gnutls_assert(); + return ret; + } - if ((ret = - _gnutls_raw_cert_to_gcert( &peer_cert, session->security_parameters.cert_type, - &info->raw_certificate_list[0], CERT_NO_COPY)) < 0) { - gnutls_assert(); - return ret; - } + ret = + _gnutls_verify_sig_params(session, + &peer_cert, &vparams, &signature); - ret = - _gnutls_verify_sig_params(session, - &peer_cert, - &vparams, &signature); - - _gnutls_gcert_deinit( &peer_cert); - if (ret < 0) { - gnutls_assert(); - } + _gnutls_gcert_deinit(&peer_cert); + if (ret < 0) { + gnutls_assert(); + } - return ret; + return ret; } diff --git a/lib/debug.c b/lib/debug.c index bc02df8cec..1a9d519586 100644 --- a/lib/debug.c +++ b/lib/debug.c @@ -31,84 +31,87 @@ void _gnutls_print_state(gnutls_session session) { - _gnutls_debug_log( "GNUTLS State:\n"); - _gnutls_debug_log( "Connection End: %d\n", - session->security_parameters.entity); - _gnutls_debug_log( "Cipher Algorithm: %d\n", - session->security_parameters.read_bulk_cipher_algorithm); - _gnutls_debug_log( "MAC algorithm: %d\n", - session->security_parameters.read_mac_algorithm); - _gnutls_debug_log( "Compression Algorithm: %d\n", - session->security_parameters.read_compression_algorithm); - _gnutls_debug_log( "\n"); + _gnutls_debug_log("GNUTLS State:\n"); + _gnutls_debug_log("Connection End: %d\n", + session->security_parameters.entity); + _gnutls_debug_log("Cipher Algorithm: %d\n", + session->security_parameters. + read_bulk_cipher_algorithm); + _gnutls_debug_log("MAC algorithm: %d\n", + session->security_parameters.read_mac_algorithm); + _gnutls_debug_log("Compression Algorithm: %d\n", + session->security_parameters. + read_compression_algorithm); + _gnutls_debug_log("\n"); } #endif -const char* _gnutls_packet2str( content_type_t packet) +const char *_gnutls_packet2str(content_type_t packet) { - switch(packet) { - case GNUTLS_CHANGE_CIPHER_SPEC: - return "Change Cipher Spec"; - case GNUTLS_ALERT: - return "Alert"; - case GNUTLS_HANDSHAKE: - return "Handshake"; - case GNUTLS_APPLICATION_DATA: - return "Application Data"; + switch (packet) { + case GNUTLS_CHANGE_CIPHER_SPEC: + return "Change Cipher Spec"; + case GNUTLS_ALERT: + return "Alert"; + case GNUTLS_HANDSHAKE: + return "Handshake"; + case GNUTLS_APPLICATION_DATA: + return "Application Data"; - default: - return "Unknown Packet"; - } + default: + return "Unknown Packet"; + } } -const char* _gnutls_handshake2str( HandshakeType handshake) +const char *_gnutls_handshake2str(HandshakeType handshake) { - switch(handshake) { - case GNUTLS_HELLO_REQUEST: - return "HELLO REQUEST"; - break; - case GNUTLS_CLIENT_HELLO: - return "CLIENT HELLO"; - break; - case GNUTLS_SERVER_HELLO: - return "SERVER HELLO"; - break; - case GNUTLS_CERTIFICATE_PKT: - return "CERTIFICATE"; - break; - case GNUTLS_SERVER_KEY_EXCHANGE: - return "SERVER KEY EXCHANGE"; - break; - case GNUTLS_CERTIFICATE_REQUEST: - return "CERTIFICATE REQUEST"; - break; - case GNUTLS_SERVER_HELLO_DONE: - return "SERVER HELLO DONE"; - break; - case GNUTLS_CERTIFICATE_VERIFY: - return "CERTIFICATE VERIFY"; - break; - case GNUTLS_CLIENT_KEY_EXCHANGE: - return "CLIENT KEY EXCHANGE"; - break; - case GNUTLS_FINISHED: - return "FINISHED"; - break; - default: - return "Unknown Handshake packet"; - - } + switch (handshake) { + case GNUTLS_HELLO_REQUEST: + return "HELLO REQUEST"; + break; + case GNUTLS_CLIENT_HELLO: + return "CLIENT HELLO"; + break; + case GNUTLS_SERVER_HELLO: + return "SERVER HELLO"; + break; + case GNUTLS_CERTIFICATE_PKT: + return "CERTIFICATE"; + break; + case GNUTLS_SERVER_KEY_EXCHANGE: + return "SERVER KEY EXCHANGE"; + break; + case GNUTLS_CERTIFICATE_REQUEST: + return "CERTIFICATE REQUEST"; + break; + case GNUTLS_SERVER_HELLO_DONE: + return "SERVER HELLO DONE"; + break; + case GNUTLS_CERTIFICATE_VERIFY: + return "CERTIFICATE VERIFY"; + break; + case GNUTLS_CLIENT_KEY_EXCHANGE: + return "CLIENT KEY EXCHANGE"; + break; + case GNUTLS_FINISHED: + return "FINISHED"; + break; + default: + return "Unknown Handshake packet"; + + } } -void _gnutls_dump_mpi(const char* prefix, mpi_t a) +void _gnutls_dump_mpi(const char *prefix, mpi_t a) { - opaque buf[1024]; - size_t n = sizeof buf; - - if (gcry_mpi_print(GCRYMPI_FMT_HEX, buf, n, &n, a)) - strcpy(buf, "[can't print value]"); /* Flawfinder: ignore */ - _gnutls_hard_log( "MPI: length: %d\n\t%s%s\n", (n-1)/2, prefix, buf); + opaque buf[1024]; + size_t n = sizeof buf; + + if (gcry_mpi_print(GCRYMPI_FMT_HEX, buf, n, &n, a)) + strcpy(buf, "[can't print value]"); /* Flawfinder: ignore */ + _gnutls_hard_log("MPI: length: %d\n\t%s%s\n", (n - 1) / 2, prefix, + buf); } diff --git a/lib/debug.h b/lib/debug.h index c874abf4f3..e49190af01 100644 --- a/lib/debug.h +++ b/lib/debug.h @@ -21,6 +21,6 @@ #ifdef DEBUG void _gnutls_print_state(gnutls_session session); #endif -const char* _gnutls_packet2str( content_type_t packet); -const char* _gnutls_handshake2str( HandshakeType handshake); -void _gnutls_dump_mpi(const char* prefix, mpi_t a); +const char *_gnutls_packet2str(content_type_t packet); +const char *_gnutls_handshake2str(HandshakeType handshake); +void _gnutls_dump_mpi(const char *prefix, mpi_t a); diff --git a/lib/defines.h b/lib/defines.h index d5079c22e9..b87f0fe3c2 100644 --- a/lib/defines.h +++ b/lib/defines.h @@ -54,7 +54,8 @@ typedef long ptrdiff_t; #endif #ifndef HAVE_STRNSTR -char *strnstr(const char *haystack, const char *needle, size_t haystacklen); +char *strnstr(const char *haystack, const char *needle, + size_t haystacklen); #endif #ifdef HAVE_STDDEF_H @@ -99,7 +100,7 @@ typedef signed int sint; * it is not used. */ typedef struct { - unsigned char i[8]; + unsigned char i[8]; } uint64; #ifndef HAVE_ISASCII diff --git a/lib/ext_cert_type.c b/lib/ext_cert_type.c index 97e769d0e7..1f927654f3 100644 --- a/lib/ext_cert_type.c +++ b/lib/ext_cert_type.c @@ -31,8 +31,8 @@ #include <gnutls_state.h> #include <gnutls_num.h> -inline static int _gnutls_num2cert_type( int num); -inline static int _gnutls_cert_type2num( int record_size); +inline static int _gnutls_num2cert_type(int num); +inline static int _gnutls_cert_type2num(int record_size); /* * In case of a server: if a CERT_TYPE extension type is received then it stores @@ -43,160 +43,174 @@ inline static int _gnutls_cert_type2num( int record_size); * */ -int _gnutls_cert_type_recv_params( gnutls_session session, const opaque* data, size_t _data_size) +int _gnutls_cert_type_recv_params(gnutls_session session, + const opaque * data, size_t _data_size) { - int new_type = -1, ret, i; - ssize_t data_size = _data_size; - - if (session->security_parameters.entity == GNUTLS_CLIENT) { - if (data_size > 0) { - if ( data_size != 1) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - - new_type = _gnutls_num2cert_type(data[0]); - - if (new_type < 0) { - gnutls_assert(); - return new_type; - } - - /* Check if we support this cert_type */ - if ( (ret=_gnutls_session_cert_type_supported( session, new_type)) < 0) { - gnutls_assert(); - return ret; - } - - _gnutls_session_cert_type_set( session, new_type); - } - } else { /* SERVER SIDE - we must check if the sent cert type is the right one - */ - if (data_size > 1) { - uint8 len; - - len = data[0]; - DECR_LEN( data_size, len); - - for (i=0;i<len;i++) { - new_type = _gnutls_num2cert_type(data[i+1]); - - if (new_type < 0) continue; - - /* Check if we support this cert_type */ - if ( (ret=_gnutls_session_cert_type_supported( session, new_type)) < 0) { - gnutls_assert(); - continue; - } else break; - /* new_type is ok */ - } - - if (new_type < 0) { - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } - - if ( (ret=_gnutls_session_cert_type_supported( session, new_type)) < 0) { - gnutls_assert(); - /* The peer has requested unsupported certificate - * types. Instead of failing, procceed normally. - * (the ciphersuite selection would fail, or a - * non certificate ciphersuite will be selected). + int new_type = -1, ret, i; + ssize_t data_size = _data_size; + + if (session->security_parameters.entity == GNUTLS_CLIENT) { + if (data_size > 0) { + if (data_size != 1) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + new_type = _gnutls_num2cert_type(data[0]); + + if (new_type < 0) { + gnutls_assert(); + return new_type; + } + + /* Check if we support this cert_type */ + if ((ret = + _gnutls_session_cert_type_supported(session, + new_type)) < 0) { + gnutls_assert(); + return ret; + } + + _gnutls_session_cert_type_set(session, new_type); + } + } else { /* SERVER SIDE - we must check if the sent cert type is the right one */ - return 0; - } + if (data_size > 1) { + uint8 len; + + len = data[0]; + DECR_LEN(data_size, len); + + for (i = 0; i < len; i++) { + new_type = _gnutls_num2cert_type(data[i + 1]); + + if (new_type < 0) + continue; + + /* Check if we support this cert_type */ + if ((ret = + _gnutls_session_cert_type_supported(session, + new_type)) < 0) { + gnutls_assert(); + continue; + } else + break; + /* new_type is ok */ + } + + if (new_type < 0) { + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } + + if ((ret = + _gnutls_session_cert_type_supported(session, + new_type)) < 0) { + gnutls_assert(); + /* The peer has requested unsupported certificate + * types. Instead of failing, procceed normally. + * (the ciphersuite selection would fail, or a + * non certificate ciphersuite will be selected). + */ + return 0; + } - _gnutls_session_cert_type_set( session, new_type); - } - - + _gnutls_session_cert_type_set(session, new_type); } - - return 0; + + + } + + return 0; } /* returns data_size or a negative number on failure */ -int _gnutls_cert_type_send_params( gnutls_session session, opaque* data, size_t data_size) { - uint len, i; - - /* this function sends the client extension data (dnsname) */ - if (session->security_parameters.entity == GNUTLS_CLIENT) { - - if (session->internals.cert_type_priority.algorithms > 0) { - - len = session->internals.cert_type_priority.algorithms; - - if (len==1 && - session->internals.cert_type_priority.priority[0]==GNUTLS_CRT_X509) - { - /* We don't use this extension if X.509 certificates - * are used. - */ - return 0; - } - - if (data_size < len + 1) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - /* this is a vector! - */ - data[0] = (uint8) len; - - for (i=0;i<len;i++) { - data[i+1] = _gnutls_cert_type2num( session->internals. - cert_type_priority.priority[i]); - } - return len + 1; - } - - } else { /* server side */ - if ( session->security_parameters.cert_type != DEFAULT_CERT_TYPE) { - len = 1; - if (data_size < len) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - data[0] = _gnutls_cert_type2num( session->security_parameters.cert_type); - return len; - } - - +int _gnutls_cert_type_send_params(gnutls_session session, opaque * data, + size_t data_size) +{ + uint len, i; + + /* this function sends the client extension data (dnsname) */ + if (session->security_parameters.entity == GNUTLS_CLIENT) { + + if (session->internals.cert_type_priority.algorithms > 0) { + + len = session->internals.cert_type_priority.algorithms; + + if (len == 1 && + session->internals.cert_type_priority.priority[0] == + GNUTLS_CRT_X509) { + /* We don't use this extension if X.509 certificates + * are used. + */ + return 0; + } + + if (data_size < len + 1) { + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + /* this is a vector! + */ + data[0] = (uint8) len; + + for (i = 0; i < len; i++) { + data[i + 1] = _gnutls_cert_type2num(session->internals. + cert_type_priority. + priority[i]); + } + return len + 1; } - return 0; + } else { /* server side */ + if (session->security_parameters.cert_type != DEFAULT_CERT_TYPE) { + len = 1; + if (data_size < len) { + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + data[0] = + _gnutls_cert_type2num(session->security_parameters. + cert_type); + return len; + } + + + } + + return 0; } /* Maps numbers to record sizes according to the * extensions draft. */ -inline -static int _gnutls_num2cert_type( int num) { - switch( num) { - case 0: - return GNUTLS_CRT_X509; - case 1: - return GNUTLS_CRT_OPENPGP; - default: - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } +inline static int _gnutls_num2cert_type(int num) +{ + switch (num) { + case 0: + return GNUTLS_CRT_X509; + case 1: + return GNUTLS_CRT_OPENPGP; + default: + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } } /* Maps record size to numbers according to the * extensions draft. */ -inline -static int _gnutls_cert_type2num( int cert_type) { - switch(cert_type) { - case GNUTLS_CRT_X509: - return 0; - case GNUTLS_CRT_OPENPGP: - return 1; - default: - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } +inline static int _gnutls_cert_type2num(int cert_type) +{ + switch (cert_type) { + case GNUTLS_CRT_X509: + return 0; + case GNUTLS_CRT_OPENPGP: + return 1; + default: + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } } diff --git a/lib/ext_cert_type.h b/lib/ext_cert_type.h index c011befc19..287125da3f 100644 --- a/lib/ext_cert_type.h +++ b/lib/ext_cert_type.h @@ -1,5 +1,7 @@ /* Maps record size to numbers according to the * extensions draft. */ -int _gnutls_cert_type_recv_params( gnutls_session session, const opaque* data, size_t data_size); -int _gnutls_cert_type_send_params( gnutls_session session, opaque* data, size_t); +int _gnutls_cert_type_recv_params(gnutls_session session, + const opaque * data, size_t data_size); +int _gnutls_cert_type_send_params(gnutls_session session, opaque * data, + size_t); diff --git a/lib/ext_max_record.c b/lib/ext_max_record.c index c0ccff7f58..52e9a72876 100644 --- a/lib/ext_max_record.c +++ b/lib/ext_max_record.c @@ -38,124 +38,135 @@ * */ -int _gnutls_max_record_recv_params( gnutls_session session, const opaque* data, - size_t _data_size) +int _gnutls_max_record_recv_params(gnutls_session session, + const opaque * data, size_t _data_size) { - ssize_t new_size; - ssize_t data_size = _data_size; - - if (session->security_parameters.entity == GNUTLS_SERVER) { - if (data_size > 0) { - DECR_LEN( data_size, 1); - - new_size = _gnutls_mre_num2record(data[0]); - - if (new_size < 0) { - gnutls_assert(); - return new_size; - } - - session->security_parameters.max_record_send_size = new_size; - session->security_parameters.max_record_recv_size = new_size; - } - } else { /* CLIENT SIDE - we must check if the sent record size is the right one - */ - if (data_size > 0) { - - if ( data_size != 1) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - - new_size = _gnutls_mre_num2record(data[0]); - - if (new_size < 0 || new_size != session->internals.proposed_record_size) { - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } else { - session->security_parameters.max_record_recv_size = session->internals.proposed_record_size; - } - - } - - + ssize_t new_size; + ssize_t data_size = _data_size; + + if (session->security_parameters.entity == GNUTLS_SERVER) { + if (data_size > 0) { + DECR_LEN(data_size, 1); + + new_size = _gnutls_mre_num2record(data[0]); + + if (new_size < 0) { + gnutls_assert(); + return new_size; + } + + session->security_parameters.max_record_send_size = new_size; + session->security_parameters.max_record_recv_size = new_size; + } + } else { /* CLIENT SIDE - we must check if the sent record size is the right one + */ + if (data_size > 0) { + + if (data_size != 1) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + new_size = _gnutls_mre_num2record(data[0]); + + if (new_size < 0 + || new_size != session->internals.proposed_record_size) { + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } else { + session->security_parameters.max_record_recv_size = + session->internals.proposed_record_size; + } + } - - return 0; + + + } + + return 0; } /* returns data_size or a negative number on failure */ -int _gnutls_max_record_send_params( gnutls_session session, opaque* data, - size_t data_size) +int _gnutls_max_record_send_params(gnutls_session session, opaque * data, + size_t data_size) { - uint16 len; - /* this function sends the client extension data (dnsname) */ - if (session->security_parameters.entity == GNUTLS_CLIENT) { - - if (session->internals.proposed_record_size != DEFAULT_MAX_RECORD_SIZE) { - len = 1; - if (data_size < len) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - data[0] = (uint8) _gnutls_mre_record2num( session->internals.proposed_record_size); - return len; - } - - } else { /* server side */ - - if (session->security_parameters.max_record_recv_size != DEFAULT_MAX_RECORD_SIZE) { - len = 1; - if (data_size < len) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - data[0] = (uint8) _gnutls_mre_record2num( session->security_parameters.max_record_recv_size); - return len; - } - - + uint16 len; + /* this function sends the client extension data (dnsname) */ + if (session->security_parameters.entity == GNUTLS_CLIENT) { + + if (session->internals.proposed_record_size != + DEFAULT_MAX_RECORD_SIZE) { + len = 1; + if (data_size < len) { + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + data[0] = + (uint8) _gnutls_mre_record2num(session->internals. + proposed_record_size); + return len; + } + + } else { /* server side */ + + if (session->security_parameters.max_record_recv_size != + DEFAULT_MAX_RECORD_SIZE) { + len = 1; + if (data_size < len) { + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + data[0] = + (uint8) _gnutls_mre_record2num(session-> + security_parameters. + max_record_recv_size); + return len; } - return 0; + + } + + return 0; } /* Maps numbers to record sizes according to the * extensions draft. */ -int _gnutls_mre_num2record( int num) { - switch( num) { - case 1: - return 512; - case 2: - return 1024; - case 3: - return 2048; - case 4: - return 4096; - default: - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } +int _gnutls_mre_num2record(int num) +{ + switch (num) { + case 1: + return 512; + case 2: + return 1024; + case 3: + return 2048; + case 4: + return 4096; + default: + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } } /* Maps record size to numbers according to the * extensions draft. */ -int _gnutls_mre_record2num( uint16 record_size) { - switch(record_size) { - case 512: - return 1; - case 1024: - return 2; - case 2048: - return 3; - case 4096: - return 4; - default: - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } +int _gnutls_mre_record2num(uint16 record_size) +{ + switch (record_size) { + case 512: + return 1; + case 1024: + return 2; + case 2048: + return 3; + case 4096: + return 4; + default: + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } } diff --git a/lib/ext_max_record.h b/lib/ext_max_record.h index f804915ab3..b6f158f353 100644 --- a/lib/ext_max_record.h +++ b/lib/ext_max_record.h @@ -1,7 +1,9 @@ /* Maps record size to numbers according to the * extensions draft. */ -int _gnutls_mre_num2record( int num); -int _gnutls_mre_record2num( uint16 record_size); -int _gnutls_max_record_recv_params( gnutls_session session, const opaque* data, size_t data_size); -int _gnutls_max_record_send_params( gnutls_session session, opaque* data, size_t); +int _gnutls_mre_num2record(int num); +int _gnutls_mre_record2num(uint16 record_size); +int _gnutls_max_record_recv_params(gnutls_session session, + const opaque * data, size_t data_size); +int _gnutls_max_record_send_params(gnutls_session session, opaque * data, + size_t); diff --git a/lib/ext_server_name.c b/lib/ext_server_name.c index e0cd9d5ccb..7b83240f0e 100644 --- a/lib/ext_server_name.c +++ b/lib/ext_server_name.c @@ -38,77 +38,77 @@ int _gnutls_server_name_recv_params(gnutls_session session, const opaque * data, size_t _data_size) { - int i; - const unsigned char *p; - uint16 len, type; - ssize_t data_size = _data_size; - int server_names = 0; - - if (session->security_parameters.entity == GNUTLS_SERVER) { - DECR_LENGTH_RET(data_size, 2, 0); - len = _gnutls_read_uint16(data); - - if ( len != data_size) { - /* This is unexpected packet length, but - * just ignore it, for now. - */ - gnutls_assert(); - return 0; - } - - p = data + 2; - - /* Count all server_names in the packet. */ - while (data_size > 0) { - DECR_LENGTH_RET(data_size, 1, 0); - p++; - - DECR_LEN(data_size, 2); - len = _gnutls_read_uint16(p); - p += 2; - - DECR_LENGTH_RET(data_size, len, 0); - server_names++; - - p += len; - } - - session->security_parameters.extensions.server_names_size = - server_names; - if (server_names == 0) - return 0; /* no names found */ - - /* we cannot accept more server names. - */ - if ( server_names > MAX_SERVER_NAME_EXTENSIONS) - server_names = MAX_SERVER_NAME_EXTENSIONS; - - p = data + 2; - for (i = 0; i < server_names; i++) { - type = *p; - p++; - - len = _gnutls_read_uint16(p); - p += 2; - - switch (type) { - case 0: /* NAME_DNS */ - if (len <= MAX_SERVER_NAME_SIZE) { - memcpy(session->security_parameters.extensions. - server_names[i].name, p, len); - session->security_parameters.extensions.server_names[i]. - name_length = len; - session->security_parameters.extensions.server_names[i]. - type = GNUTLS_NAME_DNS; - break; + int i; + const unsigned char *p; + uint16 len, type; + ssize_t data_size = _data_size; + int server_names = 0; + + if (session->security_parameters.entity == GNUTLS_SERVER) { + DECR_LENGTH_RET(data_size, 2, 0); + len = _gnutls_read_uint16(data); + + if (len != data_size) { + /* This is unexpected packet length, but + * just ignore it, for now. + */ + gnutls_assert(); + return 0; + } + + p = data + 2; + + /* Count all server_names in the packet. */ + while (data_size > 0) { + DECR_LENGTH_RET(data_size, 1, 0); + p++; + + DECR_LEN(data_size, 2); + len = _gnutls_read_uint16(p); + p += 2; + + DECR_LENGTH_RET(data_size, len, 0); + server_names++; + + p += len; + } + + session->security_parameters.extensions.server_names_size = + server_names; + if (server_names == 0) + return 0; /* no names found */ + + /* we cannot accept more server names. + */ + if (server_names > MAX_SERVER_NAME_EXTENSIONS) + server_names = MAX_SERVER_NAME_EXTENSIONS; + + p = data + 2; + for (i = 0; i < server_names; i++) { + type = *p; + p++; + + len = _gnutls_read_uint16(p); + p += 2; + + switch (type) { + case 0: /* NAME_DNS */ + if (len <= MAX_SERVER_NAME_SIZE) { + memcpy(session->security_parameters.extensions. + server_names[i].name, p, len); + session->security_parameters.extensions. + server_names[i].name_length = len; + session->security_parameters.extensions. + server_names[i].type = GNUTLS_NAME_DNS; + break; + } } - } - /* move to next record */ - p += len; - } - } - return 0; + /* move to next record */ + p += len; + } + } + return 0; } /* returns data_size or a negative number on failure @@ -116,80 +116,84 @@ int _gnutls_server_name_recv_params(gnutls_session session, int _gnutls_server_name_send_params(gnutls_session session, opaque * data, size_t _data_size) { - uint16 len; - opaque *p; - uint i; - ssize_t data_size = _data_size; - int total_size = 0; - - /* this function sends the client extension data (dnsname) - */ - if (session->security_parameters.entity == GNUTLS_CLIENT) { - - if (session->security_parameters.extensions.server_names_size == 0) - return 0; - - /* uint16 - */ - total_size = 2; - for (i = 0; - i < session->security_parameters.extensions.server_names_size; - i++) - { - /* count the total size - */ - len = session->security_parameters.extensions.server_names[i].name_length; - - /* uint8 + uint16 + size - */ - total_size += 1 + 2 + len; - } - - p = data; - - /* UINT16: write total size of all names - */ - DECR_LENGTH_RET( data_size, 2, GNUTLS_E_SHORT_MEMORY_BUFFER); - _gnutls_write_uint16(total_size-2, p); - p += 2; - - for (i = 0; - i < session->security_parameters.extensions.server_names_size; - i++) - { - - switch (session->security_parameters.extensions.server_names[i]. - type) { - case GNUTLS_NAME_DNS: - - len = session->security_parameters.extensions.server_names[i].name_length; - if (len == 0) break; - - /* UINT8: type of this extension - * UINT16: size of the first name - * LEN: the actual server name. - */ - DECR_LENGTH_RET( data_size, len + 3, GNUTLS_E_SHORT_MEMORY_BUFFER); - - *p = 0; /* NAME_DNS type */ - p++; - - _gnutls_write_uint16(len, p); - p += 2; - - memcpy(p, - session->security_parameters.extensions. - server_names[0].name, len); - p += len; - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - } - } + uint16 len; + opaque *p; + uint i; + ssize_t data_size = _data_size; + int total_size = 0; + + /* this function sends the client extension data (dnsname) + */ + if (session->security_parameters.entity == GNUTLS_CLIENT) { + + if (session->security_parameters.extensions.server_names_size == 0) + return 0; + + /* uint16 + */ + total_size = 2; + for (i = 0; + i < session->security_parameters.extensions.server_names_size; + i++) { + /* count the total size + */ + len = + session->security_parameters.extensions.server_names[i]. + name_length; + + /* uint8 + uint16 + size + */ + total_size += 1 + 2 + len; + } + + p = data; + + /* UINT16: write total size of all names + */ + DECR_LENGTH_RET(data_size, 2, GNUTLS_E_SHORT_MEMORY_BUFFER); + _gnutls_write_uint16(total_size - 2, p); + p += 2; + + for (i = 0; + i < session->security_parameters.extensions.server_names_size; + i++) { + + switch (session->security_parameters.extensions. + server_names[i].type) { + case GNUTLS_NAME_DNS: + + len = + session->security_parameters.extensions. + server_names[i].name_length; + if (len == 0) + break; + + /* UINT8: type of this extension + * UINT16: size of the first name + * LEN: the actual server name. + */ + DECR_LENGTH_RET(data_size, len + 3, + GNUTLS_E_SHORT_MEMORY_BUFFER); + + *p = 0; /* NAME_DNS type */ + p++; + + _gnutls_write_uint16(len, p); + p += 2; + + memcpy(p, + session->security_parameters.extensions. + server_names[0].name, len); + p += len; + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + } + } - return total_size; + return total_size; } /** @@ -216,46 +220,45 @@ int _gnutls_server_name_send_params(gnutls_session session, opaque * data, * **/ int gnutls_server_name_get(gnutls_session session, void *data, - size_t *data_length, - unsigned int * type, - unsigned int indx) + size_t * data_length, + unsigned int *type, unsigned int indx) { - char *_data = data; - - if (session->security_parameters.entity == GNUTLS_CLIENT) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (indx+1 > - session->security_parameters.extensions.server_names_size) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - *type = - session->security_parameters.extensions.server_names[indx].type; - - if (*data_length > /* greater since we need one extra byte for the null */ - session->security_parameters.extensions.server_names[indx]. - name_length) { - *data_length = - session->security_parameters.extensions.server_names[indx]. - name_length; - memcpy(data, - session->security_parameters.extensions.server_names[indx]. - name, *data_length); - - if (*type == GNUTLS_NAME_DNS) /* null terminate */ - _data[(*data_length)] = 0; - - } else { - *data_length = - session->security_parameters.extensions.server_names[indx]. - name_length; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - return 0; + char *_data = data; + + if (session->security_parameters.entity == GNUTLS_CLIENT) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (indx + 1 > + session->security_parameters.extensions.server_names_size) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + *type = + session->security_parameters.extensions.server_names[indx].type; + + if (*data_length > /* greater since we need one extra byte for the null */ + session->security_parameters.extensions.server_names[indx]. + name_length) { + *data_length = + session->security_parameters.extensions.server_names[indx]. + name_length; + memcpy(data, + session->security_parameters.extensions.server_names[indx]. + name, *data_length); + + if (*type == GNUTLS_NAME_DNS) /* null terminate */ + _data[(*data_length)] = 0; + + } else { + *data_length = + session->security_parameters.extensions.server_names[indx]. + name_length; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + return 0; } /** @@ -279,31 +282,31 @@ int gnutls_server_name_set(gnutls_session session, gnutls_server_name_type type, const void *name, size_t name_length) { - int server_names; + int server_names; - if (session->security_parameters.entity == GNUTLS_SERVER) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (session->security_parameters.entity == GNUTLS_SERVER) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (name_length > MAX_SERVER_NAME_SIZE) - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (name_length > MAX_SERVER_NAME_SIZE) + return GNUTLS_E_SHORT_MEMORY_BUFFER; - server_names = - session->security_parameters.extensions.server_names_size + 1; + server_names = + session->security_parameters.extensions.server_names_size + 1; - if (server_names > MAX_SERVER_NAME_EXTENSIONS) - server_names = MAX_SERVER_NAME_EXTENSIONS; + if (server_names > MAX_SERVER_NAME_EXTENSIONS) + server_names = MAX_SERVER_NAME_EXTENSIONS; - session->security_parameters.extensions.server_names[server_names - - 1].type = type; - memcpy(session->security_parameters.extensions. - server_names[server_names - 1].name, name, name_length); - session->security_parameters.extensions.server_names[server_names - - 1].name_length = - name_length; + session->security_parameters.extensions.server_names[server_names - + 1].type = type; + memcpy(session->security_parameters.extensions. + server_names[server_names - 1].name, name, name_length); + session->security_parameters.extensions.server_names[server_names - + 1].name_length = + name_length; - session->security_parameters.extensions.server_names_size++; + session->security_parameters.extensions.server_names_size++; - return 0; + return 0; } diff --git a/lib/ext_server_name.h b/lib/ext_server_name.h index 69a62ba9bf..a6eb92d94d 100644 --- a/lib/ext_server_name.h +++ b/lib/ext_server_name.h @@ -1,10 +1,11 @@ -int _gnutls_server_name_recv_params( gnutls_session session, const opaque* data, size_t data_size); -int _gnutls_server_name_send_params( gnutls_session session, opaque* data, size_t); +int _gnutls_server_name_recv_params(gnutls_session session, + const opaque * data, size_t data_size); +int _gnutls_server_name_send_params(gnutls_session session, opaque * data, + size_t); -int gnutls_get_server_name(gnutls_session session, void* data, int* data_length, - int *type, int indx); +int gnutls_get_server_name(gnutls_session session, void *data, + int *data_length, int *type, int indx); int gnutls_set_server_name(gnutls_session session, - gnutls_server_name_type type, - const void *name, int name_length); - + gnutls_server_name_type type, + const void *name, int name_length); diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in index c83067fc8e..883c80f865 100644 --- a/lib/gnutls.h.in.in +++ b/lib/gnutls.h.in.in @@ -61,29 +61,29 @@ extern "C" { #define GNUTLS_CIPHER_ARCFOUR GNUTLS_CIPHER_ARCFOUR_128 typedef enum gnutls_cipher_algorithm { GNUTLS_CIPHER_NULL=1, - GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_ARCFOUR_40 + GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_ARCFOUR_40 } gnutls_cipher_algorithm; typedef enum gnutls_kx_algorithm { GNUTLS_KX_RSA=1, GNUTLS_KX_DHE_DSS, - GNUTLS_KX_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP, - GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS + GNUTLS_KX_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP, + GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS } gnutls_kx_algorithm; typedef enum gnutls_params_type { GNUTLS_PARAMS_RSA_EXPORT=1, - GNUTLS_PARAMS_DH + GNUTLS_PARAMS_DH } gnutls_params_type; typedef enum gnutls_credentials_type { GNUTLS_CRD_CERTIFICATE=1, GNUTLS_CRD_ANON, GNUTLS_CRD_SRP } gnutls_credentials_type; typedef enum gnutls_mac_algorithm { GNUTLS_MAC_NULL=1, - GNUTLS_MAC_MD5, GNUTLS_MAC_SHA, GNUTLS_MAC_RMD160 + GNUTLS_MAC_MD5, GNUTLS_MAC_SHA, GNUTLS_MAC_RMD160 } gnutls_mac_algorithm; /* The enumerations here should have the same value with gnutls_mac_algorithm. */ typedef enum gnutls_digest_algorithm { GNUTLS_DIG_NULL=1, GNUTLS_DIG_MD5, - GNUTLS_DIG_SHA, GNUTLS_DIG_RIPEMD160 + GNUTLS_DIG_SHA, GNUTLS_DIG_RIPEMD160 } gnutls_digest_algorithm; /* exported for other gnutls headers. This is the maximum number @@ -93,8 +93,8 @@ typedef enum gnutls_digest_algorithm { GNUTLS_DIG_NULL=1, GNUTLS_DIG_MD5, #define GNUTLS_COMP_ZLIB GNUTLS_COMP_DEFLATE typedef enum gnutls_compression_method { GNUTLS_COMP_NULL=1, - GNUTLS_COMP_DEFLATE, - GNUTLS_COMP_LZO /* only available if gnutls-extra has been initialized + GNUTLS_COMP_DEFLATE, + GNUTLS_COMP_LZO /* only available if gnutls-extra has been initialized */ } gnutls_compression_method; @@ -103,72 +103,72 @@ typedef enum gnutls_connection_end { GNUTLS_SERVER=1, GNUTLS_CLIENT } gnutls_con typedef enum gnutls_alert_level { GNUTLS_AL_WARNING=1, GNUTLS_AL_FATAL } gnutls_alert_level; typedef enum gnutls_alert_description { GNUTLS_A_CLOSE_NOTIFY, - GNUTLS_A_UNEXPECTED_MESSAGE=10, GNUTLS_A_BAD_RECORD_MAC=20, - GNUTLS_A_DECRYPTION_FAILED, GNUTLS_A_RECORD_OVERFLOW, GNUTLS_A_DECOMPRESSION_FAILURE=30, - GNUTLS_A_HANDSHAKE_FAILURE=40, GNUTLS_A_SSL3_NO_CERTIFICATE=41, - GNUTLS_A_BAD_CERTIFICATE=42, GNUTLS_A_UNSUPPORTED_CERTIFICATE, - GNUTLS_A_CERTIFICATE_REVOKED, GNUTLS_A_CERTIFICATE_EXPIRED, GNUTLS_A_CERTIFICATE_UNKNOWN, - GNUTLS_A_ILLEGAL_PARAMETER, GNUTLS_A_UNKNOWN_CA, GNUTLS_A_ACCESS_DENIED, GNUTLS_A_DECODE_ERROR=50, - GNUTLS_A_DECRYPT_ERROR, GNUTLS_A_EXPORT_RESTRICTION=60, GNUTLS_A_PROTOCOL_VERSION=70, - GNUTLS_A_INSUFFICIENT_SECURITY, GNUTLS_A_INTERNAL_ERROR=80, GNUTLS_A_USER_CANCELED=90, - GNUTLS_A_NO_RENEGOTIATION=100, GNUTLS_A_UNSUPPORTED_EXTENSION=110, - GNUTLS_A_CERTIFICATE_UNOBTAINABLE=111, GNUTLS_A_UNRECOGNIZED_NAME=112, - GNUTLS_A_UNKNOWN_SRP_USERNAME=120, GNUTLS_A_MISSING_SRP_USERNAME=121 + GNUTLS_A_UNEXPECTED_MESSAGE=10, GNUTLS_A_BAD_RECORD_MAC=20, + GNUTLS_A_DECRYPTION_FAILED, GNUTLS_A_RECORD_OVERFLOW, GNUTLS_A_DECOMPRESSION_FAILURE=30, + GNUTLS_A_HANDSHAKE_FAILURE=40, GNUTLS_A_SSL3_NO_CERTIFICATE=41, + GNUTLS_A_BAD_CERTIFICATE=42, GNUTLS_A_UNSUPPORTED_CERTIFICATE, + GNUTLS_A_CERTIFICATE_REVOKED, GNUTLS_A_CERTIFICATE_EXPIRED, GNUTLS_A_CERTIFICATE_UNKNOWN, + GNUTLS_A_ILLEGAL_PARAMETER, GNUTLS_A_UNKNOWN_CA, GNUTLS_A_ACCESS_DENIED, GNUTLS_A_DECODE_ERROR=50, + GNUTLS_A_DECRYPT_ERROR, GNUTLS_A_EXPORT_RESTRICTION=60, GNUTLS_A_PROTOCOL_VERSION=70, + GNUTLS_A_INSUFFICIENT_SECURITY, GNUTLS_A_INTERNAL_ERROR=80, GNUTLS_A_USER_CANCELED=90, + GNUTLS_A_NO_RENEGOTIATION=100, GNUTLS_A_UNSUPPORTED_EXTENSION=110, + GNUTLS_A_CERTIFICATE_UNOBTAINABLE=111, GNUTLS_A_UNRECOGNIZED_NAME=112, + GNUTLS_A_UNKNOWN_SRP_USERNAME=120, GNUTLS_A_MISSING_SRP_USERNAME=121 } gnutls_alert_description; typedef enum gnutls_handshake_description { GNUTLS_HANDSHAKE_HELLO_REQUEST, - GNUTLS_HANDSHAKE_CLIENT_HELLO, GNUTLS_HANDSHAKE_SERVER_HELLO, - GNUTLS_HANDSHAKE_CERTIFICATE_PKT=11, GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE, - GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST, GNUTLS_HANDSHAKE_SERVER_HELLO_DONE, - GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY, GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE, - GNUTLS_HANDSHAKE_FINISHED=20 + GNUTLS_HANDSHAKE_CLIENT_HELLO, GNUTLS_HANDSHAKE_SERVER_HELLO, + GNUTLS_HANDSHAKE_CERTIFICATE_PKT=11, GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE, + GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST, GNUTLS_HANDSHAKE_SERVER_HELLO_DONE, + GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY, GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE, + GNUTLS_HANDSHAKE_FINISHED=20 } gnutls_handshake_description; /* Note that the status bits have different meanings * in openpgp keys and x.509 certificate verification. */ typedef enum gnutls_certificate_status { - GNUTLS_CERT_INVALID=2, /* will be set if the certificate - * was not verified. - */ - GNUTLS_CERT_REVOKED=32, /* in X.509 this will be set only if CRLs are checked - */ - - /* Those are extra information about the verification - * process. Will be set only if the certificate was - * not verified. - */ - GNUTLS_CERT_SIGNER_NOT_FOUND=64, - GNUTLS_CERT_SIGNER_NOT_CA=128 + GNUTLS_CERT_INVALID=2, /* will be set if the certificate + * was not verified. + */ + GNUTLS_CERT_REVOKED=32, /* in X.509 this will be set only if CRLs are checked + */ + + /* Those are extra information about the verification + * process. Will be set only if the certificate was + * not verified. + */ + GNUTLS_CERT_SIGNER_NOT_FOUND=64, + GNUTLS_CERT_SIGNER_NOT_CA=128 } gnutls_certificate_status; typedef enum gnutls_certificate_request { GNUTLS_CERT_IGNORE, GNUTLS_CERT_REQUEST=1, GNUTLS_CERT_REQUIRE } gnutls_certificate_request; typedef enum gnutls_openpgp_key_status { GNUTLS_OPENPGP_KEY, - GNUTLS_OPENPGP_KEY_FINGERPRINT + GNUTLS_OPENPGP_KEY_FINGERPRINT } gnutls_openpgp_key_status; typedef enum gnutls_close_request { GNUTLS_SHUT_RDWR=0, GNUTLS_SHUT_WR=1 } gnutls_close_request; #define GNUTLS_TLS1 GNUTLS_TLS1_0 typedef enum gnutls_protocol_version { GNUTLS_SSL3=1, GNUTLS_TLS1_0, - GNUTLS_TLS1_1 } gnutls_protocol_version; + GNUTLS_TLS1_1 } gnutls_protocol_version; typedef enum gnutls_certificate_type { GNUTLS_CRT_X509=1, GNUTLS_CRT_OPENPGP } gnutls_certificate_type; typedef enum gnutls_x509_crt_fmt { GNUTLS_X509_FMT_DER, - GNUTLS_X509_FMT_PEM } gnutls_x509_crt_fmt; + GNUTLS_X509_FMT_PEM } gnutls_x509_crt_fmt; typedef enum gnutls_pk_algorithm { GNUTLS_PK_RSA = 1, GNUTLS_PK_DSA, - GNUTLS_PK_UNKNOWN = 0xff + GNUTLS_PK_UNKNOWN = 0xff } gnutls_pk_algorithm; const char *gnutls_pk_algorithm_get_name( gnutls_pk_algorithm algorithm); typedef enum gnutls_sign_algorithm { GNUTLS_SIGN_RSA_SHA = 1, GNUTLS_SIGN_DSA_SHA, - GNUTLS_SIGN_RSA_MD5, GNUTLS_SIGN_RSA_MD2, - GNUTLS_SIGN_UNKNOWN = 0xff + GNUTLS_SIGN_RSA_MD5, GNUTLS_SIGN_RSA_MD2, + GNUTLS_SIGN_UNKNOWN = 0xff } gnutls_sign_algorithm; const char *gnutls_sign_algorithm_get_name( gnutls_sign_algorithm algorithm); @@ -188,8 +188,8 @@ struct gnutls_rsa_params_int; typedef struct gnutls_rsa_params_int* gnutls_rsa_params; typedef struct { - unsigned char * data; - unsigned int size; + unsigned char * data; + unsigned int size; } gnutls_datum; @@ -205,16 +205,16 @@ int gnutls_handshake( gnutls_session session); int gnutls_rehandshake( gnutls_session session); gnutls_alert_description gnutls_alert_get( gnutls_session session); -int gnutls_alert_send( gnutls_session, gnutls_alert_level, gnutls_alert_description); -int gnutls_alert_send_appropriate( gnutls_session session, int err); -const char* gnutls_alert_get_name( gnutls_alert_description alert); +int gnutls_alert_send( gnutls_session, gnutls_alert_level, gnutls_alert_description); +int gnutls_alert_send_appropriate( gnutls_session session, int err); +const char* gnutls_alert_get_name( gnutls_alert_description alert); /* get information on the current session */ -gnutls_cipher_algorithm gnutls_cipher_get( gnutls_session session); -gnutls_kx_algorithm gnutls_kx_get( gnutls_session session); -gnutls_mac_algorithm gnutls_mac_get( gnutls_session session); -gnutls_compression_method gnutls_compression_get( gnutls_session session); -gnutls_certificate_type gnutls_certificate_type_get( gnutls_session session); +gnutls_cipher_algorithm gnutls_cipher_get( gnutls_session session); +gnutls_kx_algorithm gnutls_kx_get( gnutls_session session); +gnutls_mac_algorithm gnutls_mac_get( gnutls_session session); +gnutls_compression_method gnutls_compression_get( gnutls_session session); +gnutls_certificate_type gnutls_certificate_type_get( gnutls_session session); size_t gnutls_cipher_get_key_size( gnutls_cipher_algorithm algorithm); @@ -259,12 +259,12 @@ typedef enum gnutls_server_name_type { GNUTLS_NAME_DNS=1 } gnutls_server_name_type; int gnutls_server_name_set(gnutls_session session, - gnutls_server_name_type type, - const void *name, size_t name_length); + gnutls_server_name_type type, + const void *name, size_t name_length); int gnutls_server_name_get(gnutls_session session, - void *data, size_t *data_length, - unsigned int * type, int unsigned indx); + void *data, size_t *data_length, + unsigned int * type, int unsigned indx); /* functions to set priority of cipher suites */ @@ -282,7 +282,7 @@ int gnutls_set_default_export_priority(gnutls_session session); /* Returns the name of a cipher suite */ const char *gnutls_cipher_suite_get_name(gnutls_kx_algorithm kx_algorithm, - gnutls_cipher_algorithm cipher_algorithm, gnutls_mac_algorithm mac_algorithm); + gnutls_cipher_algorithm cipher_algorithm, gnutls_mac_algorithm mac_algorithm); /* get the currently used protocol version */ gnutls_protocol_version gnutls_protocol_get_version(gnutls_session session); @@ -366,20 +366,20 @@ void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials res, uns int gnutls_certificate_set_x509_trust_file( gnutls_certificate_credentials res, const char* CAFILE, - gnutls_x509_crt_fmt); + gnutls_x509_crt_fmt); int gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials res, - const gnutls_datum *CA, gnutls_x509_crt_fmt); + const gnutls_datum *CA, gnutls_x509_crt_fmt); int gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials res, - const char *crlfile, gnutls_x509_crt_fmt type); + const char *crlfile, gnutls_x509_crt_fmt type); int gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials res, - const gnutls_datum *CRL, gnutls_x509_crt_fmt type); + const gnutls_datum *CRL, gnutls_x509_crt_fmt type); int gnutls_certificate_set_x509_key_file( gnutls_certificate_credentials res, - const char *CERTFILE, const char* KEYFILE, gnutls_x509_crt_fmt); + const char *CERTFILE, const char* KEYFILE, gnutls_x509_crt_fmt); int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials res, - const gnutls_datum* CERT, const gnutls_datum* KEY, - gnutls_x509_crt_fmt); + const gnutls_datum* CERT, const gnutls_datum* KEY, + gnutls_x509_crt_fmt); /* New functions to allow setting already parsed X.509 stuff. @@ -394,12 +394,12 @@ struct gnutls_x509_crt_int; typedef struct gnutls_x509_crt_int* gnutls_x509_crt; int gnutls_certificate_set_x509_key(gnutls_certificate_credentials res, - gnutls_x509_crt *cert_list, int cert_list_size, - gnutls_x509_privkey key); + gnutls_x509_crt *cert_list, int cert_list_size, + gnutls_x509_privkey key); int gnutls_certificate_set_x509_trust(gnutls_certificate_credentials res, - gnutls_x509_crt * ca_list, int ca_list_size); + gnutls_x509_crt * ca_list, int ca_list_size); int gnutls_certificate_set_x509_crl(gnutls_certificate_credentials res, - gnutls_x509_crl* crl_list, int crl_list_size); + gnutls_x509_crl* crl_list, int crl_list_size); /* global state functions @@ -413,9 +413,9 @@ typedef void (*gnutls_free_function)(void*); typedef void* (*gnutls_realloc_function)(void*, size_t); void gnutls_global_set_mem_functions( - gnutls_alloc_function, gnutls_alloc_function, - int (*gnutls_is_secure_func)(const void*), gnutls_realloc_function, - gnutls_free_function); + gnutls_alloc_function, gnutls_alloc_function, + int (*gnutls_is_secure_func)(const void*), gnutls_realloc_function, + gnutls_free_function); /* For use in callbacks */ extern gnutls_alloc_function gnutls_malloc; @@ -432,14 +432,14 @@ void gnutls_global_set_log_level( int level); int gnutls_dh_params_init( gnutls_dh_params*); void gnutls_dh_params_deinit( gnutls_dh_params); int gnutls_dh_params_import_raw(gnutls_dh_params dh_params, const gnutls_datum *prime, - const gnutls_datum* generator); + const gnutls_datum* generator); int gnutls_dh_params_import_pkcs3(gnutls_dh_params params, - const gnutls_datum * pkcs3_params, gnutls_x509_crt_fmt format); + const gnutls_datum * pkcs3_params, gnutls_x509_crt_fmt format); int gnutls_dh_params_generate2(gnutls_dh_params params, int bits); int gnutls_dh_params_export_pkcs3( gnutls_dh_params params, - gnutls_x509_crt_fmt format, unsigned char* params_data, size_t* params_data_size); + gnutls_x509_crt_fmt format, unsigned char* params_data, size_t* params_data_size); int gnutls_dh_params_export_raw(gnutls_dh_params params, - gnutls_datum * prime, gnutls_datum * generator, unsigned int *bits); + gnutls_datum * prime, gnutls_datum * generator, unsigned int *bits); int gnutls_dh_params_cpy(gnutls_dh_params dst, gnutls_dh_params src); @@ -449,19 +449,19 @@ int gnutls_rsa_params_init(gnutls_rsa_params * rsa_params); void gnutls_rsa_params_deinit(gnutls_rsa_params rsa_params); int gnutls_rsa_params_cpy(gnutls_rsa_params dst, gnutls_rsa_params src); int gnutls_rsa_params_import_raw(gnutls_rsa_params rsa_params, - const gnutls_datum *m, const gnutls_datum *e, - const gnutls_datum *d, const gnutls_datum *p, - const gnutls_datum *q, const gnutls_datum *u); + const gnutls_datum *m, const gnutls_datum *e, + const gnutls_datum *d, const gnutls_datum *p, + const gnutls_datum *q, const gnutls_datum *u); int gnutls_rsa_params_generate2(gnutls_rsa_params params, int bits); int gnutls_rsa_params_export_raw(gnutls_rsa_params params, - gnutls_datum * m, gnutls_datum *e, - gnutls_datum *d, gnutls_datum *p, gnutls_datum* q, - gnutls_datum* u, unsigned int *bits); + gnutls_datum * m, gnutls_datum *e, + gnutls_datum *d, gnutls_datum *p, gnutls_datum* q, + gnutls_datum* u, unsigned int *bits); int gnutls_rsa_params_export_pkcs1( gnutls_rsa_params params, - gnutls_x509_crt_fmt format, unsigned char* params_data, - size_t* params_data_size); + gnutls_x509_crt_fmt format, unsigned char* params_data, + size_t* params_data_size); int gnutls_rsa_params_import_pkcs1(gnutls_rsa_params params, - const gnutls_datum * pkcs1_params, gnutls_x509_crt_fmt format); + const gnutls_datum * pkcs1_params, gnutls_x509_crt_fmt format); /* Session stuff */ @@ -469,12 +469,12 @@ typedef ssize_t (*gnutls_pull_func)(gnutls_transport_ptr, void*, size_t); typedef ssize_t (*gnutls_push_func)(gnutls_transport_ptr, const void*, size_t); void gnutls_transport_set_ptr(gnutls_session session, gnutls_transport_ptr ptr); void gnutls_transport_set_ptr2(gnutls_session session, gnutls_transport_ptr recv_ptr, - gnutls_transport_ptr send_ptr); + gnutls_transport_ptr send_ptr); gnutls_transport_ptr gnutls_transport_get_ptr(gnutls_session session); void gnutls_transport_get_ptr2(gnutls_session session, - gnutls_transport_ptr *recv_ptr, - gnutls_transport_ptr *send_ptr); + gnutls_transport_ptr *recv_ptr, + gnutls_transport_ptr *send_ptr); void gnutls_transport_set_lowat( gnutls_session session, int num); @@ -493,5 +493,5 @@ void gnutls_openpgp_send_key(gnutls_session session, gnutls_openpgp_key_status s * Actually this function returns the hash of the given data. */ int gnutls_fingerprint(gnutls_digest_algorithm algo, const gnutls_datum* data, - void* result, size_t* result_size); + void* result, size_t* result_size); diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c index 462bb795b6..3e70b46027 100644 --- a/lib/gnutls_alert.c +++ b/lib/gnutls_alert.c @@ -27,40 +27,42 @@ #include <debug.h> typedef struct { - gnutls_alert_description alert; - const char *desc; + gnutls_alert_description alert; + const char *desc; } gnutls_alert_entry; static const gnutls_alert_entry sup_alerts[] = { - { GNUTLS_A_CLOSE_NOTIFY, "Close notify" }, - { GNUTLS_A_UNEXPECTED_MESSAGE, "Unexpected message" }, - { GNUTLS_A_BAD_RECORD_MAC, "Bad record MAC" }, - { GNUTLS_A_DECRYPTION_FAILED, "Decryption failed" }, - { GNUTLS_A_RECORD_OVERFLOW, "Record overflow" }, - { GNUTLS_A_DECOMPRESSION_FAILURE, "Decompression failed" }, - { GNUTLS_A_HANDSHAKE_FAILURE, "Handshake failed" }, - { GNUTLS_A_BAD_CERTIFICATE, "Certificate is bad" }, - { GNUTLS_A_UNSUPPORTED_CERTIFICATE, "Certificate is not supported" }, - { GNUTLS_A_CERTIFICATE_REVOKED, "Certificate was revoked" }, - { GNUTLS_A_CERTIFICATE_EXPIRED, "Certificate is expired" }, - { GNUTLS_A_CERTIFICATE_UNKNOWN, "Unknown certificate" }, - { GNUTLS_A_ILLEGAL_PARAMETER, "Illegal parameter" }, - { GNUTLS_A_UNKNOWN_CA, "CA is unknown" }, - { GNUTLS_A_ACCESS_DENIED, "Access was denied" }, - { GNUTLS_A_DECODE_ERROR, "Decode error" }, - { GNUTLS_A_DECRYPT_ERROR, "Decrypt error" }, - { GNUTLS_A_EXPORT_RESTRICTION, "Export restriction" }, - { GNUTLS_A_PROTOCOL_VERSION, "Error in protocol version" }, - { GNUTLS_A_INSUFFICIENT_SECURITY,"Insufficient security" }, - { GNUTLS_A_USER_CANCELED, "User canceled" }, - { GNUTLS_A_INTERNAL_ERROR, "Internal error" }, - { GNUTLS_A_NO_RENEGOTIATION, "No renegotiation is allowed" }, - { GNUTLS_A_CERTIFICATE_UNOBTAINABLE, "Could not retrieve the specified certificate" }, - { GNUTLS_A_UNSUPPORTED_EXTENSION, "An unsupported extension was sent" }, - { GNUTLS_A_UNRECOGNIZED_NAME, "The server name sent was not recognized" }, - { GNUTLS_A_UNKNOWN_SRP_USERNAME, "The SRP username is not known" }, - { GNUTLS_A_MISSING_SRP_USERNAME, "The SRP username was not sent" }, - {0, NULL} + {GNUTLS_A_CLOSE_NOTIFY, "Close notify"}, + {GNUTLS_A_UNEXPECTED_MESSAGE, "Unexpected message"}, + {GNUTLS_A_BAD_RECORD_MAC, "Bad record MAC"}, + {GNUTLS_A_DECRYPTION_FAILED, "Decryption failed"}, + {GNUTLS_A_RECORD_OVERFLOW, "Record overflow"}, + {GNUTLS_A_DECOMPRESSION_FAILURE, "Decompression failed"}, + {GNUTLS_A_HANDSHAKE_FAILURE, "Handshake failed"}, + {GNUTLS_A_BAD_CERTIFICATE, "Certificate is bad"}, + {GNUTLS_A_UNSUPPORTED_CERTIFICATE, "Certificate is not supported"}, + {GNUTLS_A_CERTIFICATE_REVOKED, "Certificate was revoked"}, + {GNUTLS_A_CERTIFICATE_EXPIRED, "Certificate is expired"}, + {GNUTLS_A_CERTIFICATE_UNKNOWN, "Unknown certificate"}, + {GNUTLS_A_ILLEGAL_PARAMETER, "Illegal parameter"}, + {GNUTLS_A_UNKNOWN_CA, "CA is unknown"}, + {GNUTLS_A_ACCESS_DENIED, "Access was denied"}, + {GNUTLS_A_DECODE_ERROR, "Decode error"}, + {GNUTLS_A_DECRYPT_ERROR, "Decrypt error"}, + {GNUTLS_A_EXPORT_RESTRICTION, "Export restriction"}, + {GNUTLS_A_PROTOCOL_VERSION, "Error in protocol version"}, + {GNUTLS_A_INSUFFICIENT_SECURITY, "Insufficient security"}, + {GNUTLS_A_USER_CANCELED, "User canceled"}, + {GNUTLS_A_INTERNAL_ERROR, "Internal error"}, + {GNUTLS_A_NO_RENEGOTIATION, "No renegotiation is allowed"}, + {GNUTLS_A_CERTIFICATE_UNOBTAINABLE, + "Could not retrieve the specified certificate"}, + {GNUTLS_A_UNSUPPORTED_EXTENSION, "An unsupported extension was sent"}, + {GNUTLS_A_UNRECOGNIZED_NAME, + "The server name sent was not recognized"}, + {GNUTLS_A_UNKNOWN_SRP_USERNAME, "The SRP username is not known"}, + {GNUTLS_A_MISSING_SRP_USERNAME, "The SRP username was not sent"}, + {0, NULL} }; #define GNUTLS_ALERT_LOOP(b) \ @@ -79,13 +81,13 @@ static const gnutls_alert_entry sup_alerts[] = { * See gnutls_alert_get(). * **/ -const char* gnutls_alert_get_name( gnutls_alert_level alert) +const char *gnutls_alert_get_name(gnutls_alert_level alert) { -const char* ret = NULL; + const char *ret = NULL; - GNUTLS_ALERT_ID_LOOP( ret = p->desc); + GNUTLS_ALERT_ID_LOOP(ret = p->desc); - return ret; + return ret; } /** @@ -105,23 +107,26 @@ const char* ret = NULL; * Returns 0 on success. * **/ -int gnutls_alert_send( gnutls_session session, gnutls_alert_level level, gnutls_alert_description desc) +int gnutls_alert_send(gnutls_session session, gnutls_alert_level level, + gnutls_alert_description desc) { - uint8 data[2]; - int ret; - const char *name; + uint8 data[2]; + int ret; + const char *name; - data[0] = (uint8) level; - data[1] = (uint8) desc; + data[0] = (uint8) level; + data[1] = (uint8) desc; - name = gnutls_alert_get_name((int)data[1]); - if (name == NULL) name = "(unknown)"; - _gnutls_record_log( "REC: Sending Alert[%d|%d] - %s\n", data[0], data[1], name); + name = gnutls_alert_get_name((int) data[1]); + if (name == NULL) + name = "(unknown)"; + _gnutls_record_log("REC: Sending Alert[%d|%d] - %s\n", data[0], + data[1], name); - if ( (ret = _gnutls_send_int( session, GNUTLS_ALERT, -1, data, 2)) >= 0) - return 0; - else - return ret; + if ((ret = _gnutls_send_int(session, GNUTLS_ALERT, -1, data, 2)) >= 0) + return 0; + else + return ret; } /** @@ -139,100 +144,101 @@ int gnutls_alert_send( gnutls_session session, gnutls_alert_level level, gnutls_ * mapping to an alert. * **/ -int gnutls_error_to_alert( int err, int* level) +int gnutls_error_to_alert(int err, int *level) { -int ret = GNUTLS_E_INVALID_REQUEST; -int _level = -1; + int ret = GNUTLS_E_INVALID_REQUEST; + int _level = -1; - switch (err) { /* send appropriate alert */ - case GNUTLS_E_DECRYPTION_FAILED: - /* GNUTLS_A_DECRYPTION_FAILED is not sent, because - * it is not defined in SSL3. Note that we must - * not distinguish Decryption failures from mac - * check failures, due to the possibility of some - * attacks. - */ - ret = GNUTLS_A_BAD_RECORD_MAC; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_DECOMPRESSION_FAILED: - ret = GNUTLS_A_DECOMPRESSION_FAILURE; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER: - case GNUTLS_E_ILLEGAL_SRP_USERNAME: - ret = GNUTLS_A_ILLEGAL_PARAMETER; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_ASN1_ELEMENT_NOT_FOUND: - case GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND: - case GNUTLS_E_ASN1_DER_ERROR: - case GNUTLS_E_ASN1_VALUE_NOT_FOUND: - case GNUTLS_E_ASN1_GENERIC_ERROR: - case GNUTLS_E_ASN1_VALUE_NOT_VALID: - case GNUTLS_E_ASN1_TAG_ERROR: - case GNUTLS_E_ASN1_TAG_IMPLICIT: - case GNUTLS_E_ASN1_TYPE_ANY_ERROR: - case GNUTLS_E_ASN1_SYNTAX_ERROR: - case GNUTLS_E_ASN1_DER_OVERFLOW: - case GNUTLS_E_NO_CERTIFICATE_FOUND: - ret = GNUTLS_A_BAD_CERTIFICATE; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_UNKNOWN_CIPHER_SUITE: - case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM: - case GNUTLS_E_INSUFFICIENT_CREDENTIALS: - case GNUTLS_E_NO_CIPHER_SUITES: - case GNUTLS_E_NO_COMPRESSION_ALGORITHMS: - ret = GNUTLS_A_HANDSHAKE_FAILURE; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION: - ret = GNUTLS_A_UNSUPPORTED_EXTENSION; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_UNEXPECTED_PACKET: - ret = GNUTLS_A_UNEXPECTED_MESSAGE; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_REHANDSHAKE: - ret = GNUTLS_A_NO_RENEGOTIATION; - _level = GNUTLS_AL_WARNING; - break; - case GNUTLS_E_UNSUPPORTED_VERSION_PACKET: - ret = GNUTLS_A_PROTOCOL_VERSION; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE: - ret = GNUTLS_A_UNSUPPORTED_CERTIFICATE; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_UNEXPECTED_PACKET_LENGTH: - ret = GNUTLS_A_RECORD_OVERFLOW; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_INTERNAL_ERROR: - case GNUTLS_E_NO_TEMPORARY_DH_PARAMS: - case GNUTLS_E_NO_TEMPORARY_RSA_PARAMS: - ret = GNUTLS_A_INTERNAL_ERROR; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_OPENPGP_GETKEY_FAILED: - ret = GNUTLS_A_CERTIFICATE_UNOBTAINABLE; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_DH_PRIME_UNACCEPTABLE: - ret = GNUTLS_A_INSUFFICIENT_SECURITY; - _level = GNUTLS_AL_FATAL; - break; - } - - if (level != NULL) *level = _level; + switch (err) { /* send appropriate alert */ + case GNUTLS_E_DECRYPTION_FAILED: + /* GNUTLS_A_DECRYPTION_FAILED is not sent, because + * it is not defined in SSL3. Note that we must + * not distinguish Decryption failures from mac + * check failures, due to the possibility of some + * attacks. + */ + ret = GNUTLS_A_BAD_RECORD_MAC; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_DECOMPRESSION_FAILED: + ret = GNUTLS_A_DECOMPRESSION_FAILURE; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER: + case GNUTLS_E_ILLEGAL_SRP_USERNAME: + ret = GNUTLS_A_ILLEGAL_PARAMETER; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_ASN1_ELEMENT_NOT_FOUND: + case GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND: + case GNUTLS_E_ASN1_DER_ERROR: + case GNUTLS_E_ASN1_VALUE_NOT_FOUND: + case GNUTLS_E_ASN1_GENERIC_ERROR: + case GNUTLS_E_ASN1_VALUE_NOT_VALID: + case GNUTLS_E_ASN1_TAG_ERROR: + case GNUTLS_E_ASN1_TAG_IMPLICIT: + case GNUTLS_E_ASN1_TYPE_ANY_ERROR: + case GNUTLS_E_ASN1_SYNTAX_ERROR: + case GNUTLS_E_ASN1_DER_OVERFLOW: + case GNUTLS_E_NO_CERTIFICATE_FOUND: + ret = GNUTLS_A_BAD_CERTIFICATE; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_UNKNOWN_CIPHER_SUITE: + case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM: + case GNUTLS_E_INSUFFICIENT_CREDENTIALS: + case GNUTLS_E_NO_CIPHER_SUITES: + case GNUTLS_E_NO_COMPRESSION_ALGORITHMS: + ret = GNUTLS_A_HANDSHAKE_FAILURE; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION: + ret = GNUTLS_A_UNSUPPORTED_EXTENSION; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_UNEXPECTED_PACKET: + ret = GNUTLS_A_UNEXPECTED_MESSAGE; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_REHANDSHAKE: + ret = GNUTLS_A_NO_RENEGOTIATION; + _level = GNUTLS_AL_WARNING; + break; + case GNUTLS_E_UNSUPPORTED_VERSION_PACKET: + ret = GNUTLS_A_PROTOCOL_VERSION; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE: + ret = GNUTLS_A_UNSUPPORTED_CERTIFICATE; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_UNEXPECTED_PACKET_LENGTH: + ret = GNUTLS_A_RECORD_OVERFLOW; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_INTERNAL_ERROR: + case GNUTLS_E_NO_TEMPORARY_DH_PARAMS: + case GNUTLS_E_NO_TEMPORARY_RSA_PARAMS: + ret = GNUTLS_A_INTERNAL_ERROR; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_OPENPGP_GETKEY_FAILED: + ret = GNUTLS_A_CERTIFICATE_UNOBTAINABLE; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_DH_PRIME_UNACCEPTABLE: + ret = GNUTLS_A_INSUFFICIENT_SECURITY; + _level = GNUTLS_AL_FATAL; + break; + } - return ret; + if (level != NULL) + *level = _level; + + return ret; } - + /* Sends the appropriate alert, depending * on the error message. Deprecated. May be removed. */ @@ -251,16 +257,17 @@ int _level = -1; * been sent to the peer. * -*/ -int gnutls_alert_send_appropriate( gnutls_session session, int err) { -int alert; -int level; +int gnutls_alert_send_appropriate(gnutls_session session, int err) +{ + int alert; + int level; - alert = gnutls_error_to_alert( err, &level); - if (alert < 0) { - return alert; - } - - return gnutls_alert_send( session, level, alert); + alert = gnutls_error_to_alert(err, &level); + if (alert < 0) { + return alert; + } + + return gnutls_alert_send(session, level, alert); } /** @@ -273,6 +280,7 @@ int level; * The peer may send alerts if he thinks some things were not * right. Check gnutls.h for the available alert descriptions. **/ -gnutls_alert_description gnutls_alert_get( gnutls_session session) { - return session->internals.last_alert; +gnutls_alert_description gnutls_alert_get(gnutls_session session) +{ + return session->internals.last_alert; } diff --git a/lib/gnutls_alert.h b/lib/gnutls_alert.h index e877c9ab57..b042c5a85a 100644 --- a/lib/gnutls_alert.h +++ b/lib/gnutls_alert.h @@ -1,23 +1,27 @@ -typedef enum gnutls_alert_level { GNUTLS_AL_WARNING=1, GNUTLS_AL_FATAL +typedef enum gnutls_alert_level { GNUTLS_AL_WARNING = 1, GNUTLS_AL_FATAL } gnutls_alert_level; -typedef enum AlertDescription { - GNUTLS_A_CLOSE_NOTIFY, GNUTLS_A_UNEXPECTED_MESSAGE=10, - GNUTLS_A_BAD_RECORD_MAC=20, GNUTLS_A_DECRYPTION_FAILED, - GNUTLS_A_RECORD_OVERFLOW, GNUTLS_A_DECOMPRESSION_FAILURE=30, - GNUTLS_A_HANDSHAKE_FAILURE=40, GNUTLS_A_SSL3_NO_CERTIFICATE=41, - GNUTLS_A_BAD_CERTIFICATE=42, GNUTLS_A_UNSUPPORTED_CERTIFICATE, - GNUTLS_A_CERTIFICATE_REVOKED, GNUTLS_A_CERTIFICATE_EXPIRED, - GNUTLS_A_CERTIFICATE_UNKNOWN, GNUTLS_A_ILLEGAL_PARAMETER, - GNUTLS_A_UNKNOWN_CA, GNUTLS_A_ACCESS_DENIED, GNUTLS_A_DECODE_ERROR=50, - GNUTLS_A_DECRYPT_ERROR, GNUTLS_A_EXPORT_RESTRICTION=60, - GNUTLS_A_PROTOCOL_VERSION=70, GNUTLS_A_INSUFFICIENT_SECURITY, - GNUTLS_A_INTERNAL_ERROR=80, GNUTLS_A_USER_CANCELED=90, - GNUTLS_A_NO_RENEGOTIATION=100, GNUTLS_A_UNSUPPORTED_EXTENSION=110, - GNUTLS_A_CERTIFICATE_UNOBTAINABLE=111, GNUTLS_A_UNRECOGNIZED_NAME=112, - GNUTLS_A_UNKNOWN_SRP_USERNAME=120, GNUTLS_A_MISSING_SRP_USERNAME=121 +typedef enum AlertDescription { + GNUTLS_A_CLOSE_NOTIFY, GNUTLS_A_UNEXPECTED_MESSAGE = 10, + GNUTLS_A_BAD_RECORD_MAC = 20, GNUTLS_A_DECRYPTION_FAILED, + GNUTLS_A_RECORD_OVERFLOW, GNUTLS_A_DECOMPRESSION_FAILURE = 30, + GNUTLS_A_HANDSHAKE_FAILURE = 40, GNUTLS_A_SSL3_NO_CERTIFICATE = 41, + GNUTLS_A_BAD_CERTIFICATE = 42, GNUTLS_A_UNSUPPORTED_CERTIFICATE, + GNUTLS_A_CERTIFICATE_REVOKED, GNUTLS_A_CERTIFICATE_EXPIRED, + GNUTLS_A_CERTIFICATE_UNKNOWN, GNUTLS_A_ILLEGAL_PARAMETER, + GNUTLS_A_UNKNOWN_CA, GNUTLS_A_ACCESS_DENIED, GNUTLS_A_DECODE_ERROR = + 50, + GNUTLS_A_DECRYPT_ERROR, GNUTLS_A_EXPORT_RESTRICTION = 60, + GNUTLS_A_PROTOCOL_VERSION = 70, GNUTLS_A_INSUFFICIENT_SECURITY, + GNUTLS_A_INTERNAL_ERROR = 80, GNUTLS_A_USER_CANCELED = 90, + GNUTLS_A_NO_RENEGOTIATION = 100, GNUTLS_A_UNSUPPORTED_EXTENSION = 110, + GNUTLS_A_CERTIFICATE_UNOBTAINABLE = 111, GNUTLS_A_UNRECOGNIZED_NAME = + 112, + GNUTLS_A_UNKNOWN_SRP_USERNAME = 120, GNUTLS_A_MISSING_SRP_USERNAME = + 121 } gnutls_alert_description; -gnutls_alert_description gnutls_alert_get( gnutls_session session); -int gnutls_alert_send( gnutls_session session, gnutls_alert_level level, gnutls_alert_description desc); -const char* gnutls_alert_get_name( gnutls_alert_level alert); +gnutls_alert_description gnutls_alert_get(gnutls_session session); +int gnutls_alert_send(gnutls_session session, gnutls_alert_level level, + gnutls_alert_description desc); +const char *gnutls_alert_get_name(gnutls_alert_level alert); diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c index c79acf683c..d0d3d8384e 100644 --- a/lib/gnutls_algorithms.c +++ b/lib/gnutls_algorithms.c @@ -31,22 +31,22 @@ * more than one credentials type. */ typedef struct { - gnutls_kx_algorithm algorithm; - gnutls_credentials_type client_type; - gnutls_credentials_type server_type; /* The type of credentials a server - * needs to set */ + gnutls_kx_algorithm algorithm; + gnutls_credentials_type client_type; + gnutls_credentials_type server_type; /* The type of credentials a server + * needs to set */ } gnutls_cred_map; static const gnutls_cred_map cred_mappings[] = { - { GNUTLS_KX_ANON_DH, GNUTLS_CRD_ANON, GNUTLS_CRD_ANON }, - { GNUTLS_KX_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE }, - { GNUTLS_KX_RSA_EXPORT, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE }, - { GNUTLS_KX_DHE_DSS, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE }, - { GNUTLS_KX_DHE_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE }, - { GNUTLS_KX_SRP, GNUTLS_CRD_SRP, GNUTLS_CRD_SRP }, - { GNUTLS_KX_SRP_RSA, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE }, - { GNUTLS_KX_SRP_DSS, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE }, - { 0, 0, 0} + {GNUTLS_KX_ANON_DH, GNUTLS_CRD_ANON, GNUTLS_CRD_ANON}, + {GNUTLS_KX_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_RSA_EXPORT, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_DHE_DSS, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_DHE_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_SRP, GNUTLS_CRD_SRP, GNUTLS_CRD_SRP}, + {GNUTLS_KX_SRP_RSA, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_SRP_DSS, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE}, + {0, 0, 0} }; #define GNUTLS_KX_MAP_LOOP(b) \ @@ -61,15 +61,15 @@ static const gnutls_cred_map cred_mappings[] = { /* KX mappings to PK algorithms */ typedef struct { - gnutls_kx_algorithm kx_algorithm; - gnutls_pk_algorithm pk_algorithm; - enum encipher_type encipher_type; /* CIPHER_ENCRYPT if this algorithm is to be used - * for encryption, CIPHER_SIGN if signature only, - * CIPHER_IGN if this does not apply at all. - * - * This is useful to certificate cipher suites, which check - * against the certificate key usage bits. - */ + gnutls_kx_algorithm kx_algorithm; + gnutls_pk_algorithm pk_algorithm; + enum encipher_type encipher_type; /* CIPHER_ENCRYPT if this algorithm is to be used + * for encryption, CIPHER_SIGN if signature only, + * CIPHER_IGN if this does not apply at all. + * + * This is useful to certificate cipher suites, which check + * against the certificate key usage bits. + */ } gnutls_pk_map; /* This table maps the Key exchange algorithms to @@ -78,13 +78,13 @@ typedef struct { * use GNUTLS_KX_RSA or GNUTLS_KX_DHE_RSA. */ static const gnutls_pk_map pk_mappings[] = { - {GNUTLS_KX_RSA, GNUTLS_PK_RSA, CIPHER_ENCRYPT}, - {GNUTLS_KX_RSA_EXPORT, GNUTLS_PK_RSA, CIPHER_SIGN}, - {GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, - {GNUTLS_KX_SRP_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, - {GNUTLS_KX_DHE_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, - {GNUTLS_KX_SRP_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, - {0, 0, 0} + {GNUTLS_KX_RSA, GNUTLS_PK_RSA, CIPHER_ENCRYPT}, + {GNUTLS_KX_RSA_EXPORT, GNUTLS_PK_RSA, CIPHER_SIGN}, + {GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, + {GNUTLS_KX_SRP_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, + {GNUTLS_KX_DHE_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, + {GNUTLS_KX_SRP_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, + {0, 0, 0} }; #define GNUTLS_PK_MAP_LOOP(b) \ @@ -99,18 +99,18 @@ static const gnutls_pk_map pk_mappings[] = { /* TLS Versions */ typedef struct { - const char *name; - gnutls_protocol_version id; /* gnutls internal version number */ - int major; /* defined by the protocol */ - int minor; /* defined by the protocol */ - int supported; /* 0 not supported, > 0 is supported */ + const char *name; + gnutls_protocol_version id; /* gnutls internal version number */ + int major; /* defined by the protocol */ + int minor; /* defined by the protocol */ + int supported; /* 0 not supported, > 0 is supported */ } gnutls_version_entry; static const gnutls_version_entry sup_versions[] = { - {"SSL 3.0", GNUTLS_SSL3, 3, 0, 1}, - {"TLS 1.0", GNUTLS_TLS1, 3, 1, 1}, - {"TLS 1.1", GNUTLS_TLS1_1, 3, 2, 1}, - {0, 0, 0, 0, 0} + {"SSL 3.0", GNUTLS_SSL3, 3, 0, 1}, + {"TLS 1.0", GNUTLS_TLS1, 3, 1, 1}, + {"TLS 1.1", GNUTLS_TLS1_1, 3, 2, 1}, + {0, 0, 0, 0, 0} }; #define GNUTLS_VERSION_LOOP(b) \ @@ -122,13 +122,13 @@ static const gnutls_version_entry sup_versions[] = { struct gnutls_cipher_entry { - const char *name; - gnutls_cipher_algorithm id; - uint16 blocksize; - uint16 keysize; - cipher_type_t block; - uint16 iv; - int export_flag; /* 0 non export */ + const char *name; + gnutls_cipher_algorithm id; + uint16 blocksize; + uint16 keysize; + cipher_type_t block; + uint16 iv; + int export_flag; /* 0 non export */ }; typedef struct gnutls_cipher_entry gnutls_cipher_entry; @@ -138,15 +138,17 @@ typedef struct gnutls_cipher_entry gnutls_cipher_entry; * protecting communications" by Hugo Krawczyk - CRYPTO 2001 */ static const gnutls_cipher_entry algorithms[] = { - {"3DES 168 CBC", GNUTLS_CIPHER_3DES_CBC, 8, 24, CIPHER_BLOCK, 8, 0 }, - {"AES 128 CBC", GNUTLS_CIPHER_AES_128_CBC, 16, 16, CIPHER_BLOCK, 16, 0 }, - {"AES 256 CBC", GNUTLS_CIPHER_AES_256_CBC, 16, 32, CIPHER_BLOCK, 16, 0 }, - {"ARCFOUR 128", GNUTLS_CIPHER_ARCFOUR_128, 1, 16, CIPHER_STREAM, 0, 0 }, - {"ARCFOUR 40", GNUTLS_CIPHER_ARCFOUR_40, 1, 5, CIPHER_STREAM, 0, 1 }, - {"RC2 40", GNUTLS_CIPHER_RC2_40_CBC, 8, 5, CIPHER_BLOCK, 8, 1 }, - {"DES CBC", GNUTLS_CIPHER_DES_CBC, 8, 8, CIPHER_BLOCK, 8, 0 }, - {"NULL", GNUTLS_CIPHER_NULL, 1, 0, CIPHER_STREAM, 0, 0 }, - {0, 0, 0, 0, 0, 0, 0} + {"3DES 168 CBC", GNUTLS_CIPHER_3DES_CBC, 8, 24, CIPHER_BLOCK, 8, 0}, + {"AES 128 CBC", GNUTLS_CIPHER_AES_128_CBC, 16, 16, CIPHER_BLOCK, 16, + 0}, + {"AES 256 CBC", GNUTLS_CIPHER_AES_256_CBC, 16, 32, CIPHER_BLOCK, 16, + 0}, + {"ARCFOUR 128", GNUTLS_CIPHER_ARCFOUR_128, 1, 16, CIPHER_STREAM, 0, 0}, + {"ARCFOUR 40", GNUTLS_CIPHER_ARCFOUR_40, 1, 5, CIPHER_STREAM, 0, 1}, + {"RC2 40", GNUTLS_CIPHER_RC2_40_CBC, 8, 5, CIPHER_BLOCK, 8, 1}, + {"DES CBC", GNUTLS_CIPHER_DES_CBC, 8, 8, CIPHER_BLOCK, 8, 0}, + {"NULL", GNUTLS_CIPHER_NULL, 1, 0, CIPHER_STREAM, 0, 0}, + {0, 0, 0, 0, 0, 0, 0} }; #define GNUTLS_LOOP(b) \ @@ -158,17 +160,17 @@ static const gnutls_cipher_entry algorithms[] = { struct gnutls_hash_entry { - const char *name; - gnutls_mac_algorithm id; + const char *name; + gnutls_mac_algorithm id; }; typedef struct gnutls_hash_entry gnutls_hash_entry; static const gnutls_hash_entry hash_algorithms[] = { - {"SHA", GNUTLS_MAC_SHA}, - {"MD5", GNUTLS_MAC_MD5}, - {"RIPEMD160", GNUTLS_MAC_RMD160}, - {"NULL", GNUTLS_MAC_NULL}, - {0, 0} + {"SHA", GNUTLS_MAC_SHA}, + {"MD5", GNUTLS_MAC_MD5}, + {"RIPEMD160", GNUTLS_MAC_RMD160}, + {"NULL", GNUTLS_MAC_NULL}, + {0, 0} }; #define GNUTLS_HASH_LOOP(b) \ @@ -189,14 +191,13 @@ const int _gnutls_comp_algorithms_size = MAX_COMP_METHODS; /* the compression entry is defined in gnutls_algorithms.h */ -gnutls_compression_entry _gnutls_compression_algorithms[MAX_COMP_METHODS] = -{ - GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_NULL, 0x00, 0, 0, 0), +gnutls_compression_entry _gnutls_compression_algorithms[MAX_COMP_METHODS] = { + GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_NULL, 0x00, 0, 0, 0), #ifdef HAVE_LIBZ - /* draft-ietf-tls-compression-02 */ - GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_DEFLATE, 0x01, 15, 8, 3), + /* draft-ietf-tls-compression-02 */ + GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_DEFLATE, 0x01, 15, 8, 3), #endif - {0, 0, 0, 0, 0, 0} + {0, 0, 0, 0, 0, 0} }; #define GNUTLS_COMPRESSION_LOOP(b) \ @@ -223,16 +224,16 @@ const int _gnutls_kx_algorithms_size = MAX_KX_ALGOS; gnutls_kx_algo_entry _gnutls_kx_algorithms[MAX_KX_ALGOS] = { #ifdef ENABLE_ANON - { "Anon DH", GNUTLS_KX_ANON_DH, &anon_auth_struct, 1, 0 }, + {"Anon DH", GNUTLS_KX_ANON_DH, &anon_auth_struct, 1, 0}, #endif - { "RSA", GNUTLS_KX_RSA, &rsa_auth_struct, 0, 0 }, - { "RSA EXPORT", GNUTLS_KX_RSA_EXPORT, &rsa_export_auth_struct, 0, 1 }, - { "DHE RSA", GNUTLS_KX_DHE_RSA, &dhe_rsa_auth_struct, 1, 0 }, - { "DHE DSS", GNUTLS_KX_DHE_DSS, &dhe_dss_auth_struct, 1, 0 }, - /* other algorithms are appended here by gnutls-extra - * initialization function. - */ - {0, 0, 0, 0, 0} + {"RSA", GNUTLS_KX_RSA, &rsa_auth_struct, 0, 0}, + {"RSA EXPORT", GNUTLS_KX_RSA_EXPORT, &rsa_export_auth_struct, 0, 1}, + {"DHE RSA", GNUTLS_KX_DHE_RSA, &dhe_rsa_auth_struct, 1, 0}, + {"DHE DSS", GNUTLS_KX_DHE_DSS, &dhe_dss_auth_struct, 1, 0}, + /* other algorithms are appended here by gnutls-extra + * initialization function. + */ + {0, 0, 0, 0, 0} }; #define GNUTLS_KX_LOOP(b) \ @@ -249,14 +250,14 @@ gnutls_kx_algo_entry _gnutls_kx_algorithms[MAX_KX_ALGOS] = { { #name, {name}, block_algorithm, kx_algorithm, mac_algorithm, version } typedef struct { - const char *name; - cipher_suite_st id; - gnutls_cipher_algorithm block_algorithm; - gnutls_kx_algorithm kx_algorithm; - gnutls_mac_algorithm mac_algorithm; - gnutls_protocol_version version; /* this cipher suite is supported - * from 'version' and above; - */ + const char *name; + cipher_suite_st id; + gnutls_cipher_algorithm block_algorithm; + gnutls_kx_algorithm kx_algorithm; + gnutls_mac_algorithm mac_algorithm; + gnutls_protocol_version version; /* this cipher suite is supported + * from 'version' and above; + */ } gnutls_cipher_suite_entry; /** RSA with NULL cipher and MD5 MAC @@ -345,129 +346,132 @@ typedef struct { #define CIPHER_SUITES_COUNT sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry)-1 static const gnutls_cipher_suite_entry cs_algorithms[] = { - /* ANON_DH */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_ARCFOUR_MD5, - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_KX_ANON_DH, GNUTLS_MAC_MD5, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - /* SRP */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_DSS, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_RSA, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_DSS, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_RSA, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_DSS, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_RSA, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - /* DHE_DSS */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_ARCFOUR_SHA, - GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_RMD, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_RMD, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_RMD, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - /* DHE_RSA */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_RMD, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_RMD, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_RMD, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - /* RSA */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_NULL_MD5, - GNUTLS_CIPHER_NULL, - GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_EXPORT_ARCFOUR_40_MD5, - GNUTLS_CIPHER_ARCFOUR_40, - GNUTLS_KX_RSA_EXPORT, GNUTLS_MAC_MD5, GNUTLS_SSL3), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_ARCFOUR_SHA, - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_KX_RSA, GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_ARCFOUR_MD5, - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, - GNUTLS_KX_RSA, GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_3DES_EDE_CBC_RMD, - GNUTLS_CIPHER_3DES_CBC, - GNUTLS_KX_RSA, GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_128_CBC_RMD, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_256_CBC_RMD, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - {0, {{0,0}}, 0, 0, 0, 0} + /* ANON_DH */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_ARCFOUR_MD5, + GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_KX_ANON_DH, GNUTLS_MAC_MD5, + GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + /* SRP */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_DSS, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_RSA, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_DSS, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_RSA, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_DSS, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_RSA, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + /* DHE_DSS */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_ARCFOUR_SHA, + GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_RMD, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_RMD, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_RMD, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + /* DHE_RSA */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_RMD, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_RMD, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_RMD, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + /* RSA */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_NULL_MD5, + GNUTLS_CIPHER_NULL, + GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_EXPORT_ARCFOUR_40_MD5, + GNUTLS_CIPHER_ARCFOUR_40, + GNUTLS_KX_RSA_EXPORT, GNUTLS_MAC_MD5, + GNUTLS_SSL3), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_ARCFOUR_SHA, + GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_KX_RSA, GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_ARCFOUR_MD5, + GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_RSA, GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_3DES_EDE_CBC_RMD, + GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_RSA, GNUTLS_MAC_RMD160, + GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_128_CBC_RMD, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_256_CBC_RMD, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + {0, {{0, 0}}, 0, 0, 0, 0} }; #define GNUTLS_CIPHER_SUITE_LOOP(b) \ @@ -481,18 +485,17 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = { /* Generic Functions */ -inline int _gnutls_mac_priority(gnutls_session session, gnutls_mac_algorithm algorithm) +inline int _gnutls_mac_priority(gnutls_session session, + gnutls_mac_algorithm algorithm) { /* actually returns the priority */ - unsigned int i; - for (i = 0; - i < session->internals.mac_algorithm_priority.algorithms; - i++) { - if (session->internals. - mac_algorithm_priority.priority[i] == - algorithm) - return i; - } - return -1; + unsigned int i; + for (i = 0; + i < session->internals.mac_algorithm_priority.algorithms; i++) { + if (session->internals. + mac_algorithm_priority.priority[i] == algorithm) + return i; + } + return -1; } /** @@ -502,26 +505,25 @@ inline int _gnutls_mac_priority(gnutls_session session, gnutls_mac_algorithm alg * Returns a string that contains the name * of the specified MAC algorithm or NULL. **/ -const char *gnutls_mac_get_name( gnutls_mac_algorithm algorithm) +const char *gnutls_mac_get_name(gnutls_mac_algorithm algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_HASH_ALG_LOOP(ret = - p->name); + /* avoid prefix */ + GNUTLS_HASH_ALG_LOOP(ret = p->name); - return ret; + return ret; } int _gnutls_mac_is_ok(gnutls_mac_algorithm algorithm) { - ssize_t ret = -1; - GNUTLS_HASH_ALG_LOOP(ret = p->id); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; + ssize_t ret = -1; + GNUTLS_HASH_ALG_LOOP(ret = p->id); + if (ret >= 0) + ret = 0; + else + ret = 1; + return ret; } /* Compression Functions */ @@ -529,17 +531,15 @@ inline int _gnutls_compression_priority(gnutls_session session, gnutls_compression_method algorithm) { /* actually returns the priority */ - unsigned int i; - for (i = 0; - i < - session->internals.compression_method_priority.algorithms; - i++) { - if (session->internals. - compression_method_priority.priority[i] == - algorithm) - return i; - } - return -1; + unsigned int i; + for (i = 0; + i < + session->internals.compression_method_priority.algorithms; i++) { + if (session->internals. + compression_method_priority.priority[i] == algorithm) + return i; + } + return -1; } /** @@ -549,51 +549,51 @@ inline * Returns a pointer to a string that contains the name * of the specified compression algorithm or NULL. **/ -const char *gnutls_compression_get_name( gnutls_compression_method algorithm) +const char *gnutls_compression_get_name(gnutls_compression_method + algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = - p->name + sizeof("GNUTLS_COMP_") - - 1); + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP(ret = + p->name + sizeof("GNUTLS_COMP_") - 1); - return ret; + return ret; } /* return the tls number of the specified algorithm */ int _gnutls_compression_get_num(gnutls_compression_method algorithm) { - int ret = -1; + int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->num); + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP(ret = p->num); - return ret; + return ret; } int _gnutls_compression_get_wbits(gnutls_compression_method algorithm) { - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->window_bits); - return ret; + int ret = -1; + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP(ret = p->window_bits); + return ret; } int _gnutls_compression_get_mem_level(gnutls_compression_method algorithm) { - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->mem_level); - return ret; + int ret = -1; + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP(ret = p->mem_level); + return ret; } int _gnutls_compression_get_comp_level(gnutls_compression_method algorithm) { - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->comp_level); - return ret; + int ret = -1; + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP(ret = p->comp_level); + return ret; } /* returns the gnutls internal ID of the TLS compression @@ -601,23 +601,23 @@ int _gnutls_compression_get_comp_level(gnutls_compression_method algorithm) */ gnutls_compression_method _gnutls_compression_get_id(int num) { - gnutls_compression_method ret = -1; + gnutls_compression_method ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP_NUM(ret = p->id); + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP_NUM(ret = p->id); - return ret; + return ret; } int _gnutls_compression_is_ok(gnutls_compression_method algorithm) { - ssize_t ret = -1; - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->id); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; + ssize_t ret = -1; + GNUTLS_COMPRESSION_ALG_LOOP(ret = p->id); + if (ret >= 0) + ret = 0; + else + ret = 1; + return ret; } @@ -625,37 +625,36 @@ int _gnutls_compression_is_ok(gnutls_compression_method algorithm) /* CIPHER functions */ int _gnutls_cipher_get_block_size(gnutls_cipher_algorithm algorithm) { - size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->blocksize); - return ret; + size_t ret = 0; + GNUTLS_ALG_LOOP(ret = p->blocksize); + return ret; } /* returns the priority */ inline int -_gnutls_cipher_priority(gnutls_session session, gnutls_cipher_algorithm algorithm) +_gnutls_cipher_priority(gnutls_session session, + gnutls_cipher_algorithm algorithm) { - unsigned int i; - for (i = 0; - i < - session->internals. - cipher_algorithm_priority.algorithms; i++) { - if (session->internals. - cipher_algorithm_priority.priority[i] == - algorithm) - return i; - } - return -1; + unsigned int i; + for (i = 0; + i < + session->internals.cipher_algorithm_priority.algorithms; i++) { + if (session->internals. + cipher_algorithm_priority.priority[i] == algorithm) + return i; + } + return -1; } int _gnutls_cipher_is_block(gnutls_cipher_algorithm algorithm) { - size_t ret = 0; + size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->block); - return ret; + GNUTLS_ALG_LOOP(ret = p->block); + return ret; } @@ -667,27 +666,27 @@ int _gnutls_cipher_is_block(gnutls_cipher_algorithm algorithm) * Returns 0 if the given cipher is invalid. * **/ -size_t gnutls_cipher_get_key_size( gnutls_cipher_algorithm algorithm) +size_t gnutls_cipher_get_key_size(gnutls_cipher_algorithm algorithm) { /* In bytes */ - size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->keysize); - return ret; + size_t ret = 0; + GNUTLS_ALG_LOOP(ret = p->keysize); + return ret; } int _gnutls_cipher_get_iv_size(gnutls_cipher_algorithm algorithm) { /* In bytes */ - size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->iv); - return ret; + size_t ret = 0; + GNUTLS_ALG_LOOP(ret = p->iv); + return ret; } int _gnutls_cipher_get_export_flag(gnutls_cipher_algorithm algorithm) { /* In bytes */ - size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->export_flag); - return ret; + size_t ret = 0; + GNUTLS_ALG_LOOP(ret = p->export_flag); + return ret; } @@ -698,49 +697,49 @@ int _gnutls_cipher_get_export_flag(gnutls_cipher_algorithm algorithm) * Returns a pointer to a string that contains the name * of the specified cipher or NULL. **/ -const char *gnutls_cipher_get_name( gnutls_cipher_algorithm algorithm) +const char *gnutls_cipher_get_name(gnutls_cipher_algorithm algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_ALG_LOOP(ret = p->name); + /* avoid prefix */ + GNUTLS_ALG_LOOP(ret = p->name); - return ret; + return ret; } int _gnutls_cipher_is_ok(gnutls_cipher_algorithm algorithm) { - ssize_t ret = -1; - GNUTLS_ALG_LOOP(ret = p->id); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; + ssize_t ret = -1; + GNUTLS_ALG_LOOP(ret = p->id); + if (ret >= 0) + ret = 0; + else + ret = 1; + return ret; } /* Key EXCHANGE functions */ mod_auth_st *_gnutls_kx_auth_struct(gnutls_kx_algorithm algorithm) { - mod_auth_st *ret = NULL; - GNUTLS_KX_ALG_LOOP(ret = p->auth_struct); - return ret; + mod_auth_st *ret = NULL; + GNUTLS_KX_ALG_LOOP(ret = p->auth_struct); + return ret; } -inline int _gnutls_kx_priority(gnutls_session session, gnutls_kx_algorithm algorithm) +inline int _gnutls_kx_priority(gnutls_session session, + gnutls_kx_algorithm algorithm) { - unsigned int i; - for (i = 0; - i < session->internals.kx_algorithm_priority.algorithms; - i++) { - if (session->internals. - kx_algorithm_priority.priority[i] == algorithm) - return i; - } - return -1; + unsigned int i; + for (i = 0; + i < session->internals.kx_algorithm_priority.algorithms; i++) { + if (session->internals. + kx_algorithm_priority.priority[i] == algorithm) + return i; + } + return -1; } /** @@ -750,97 +749,96 @@ inline int _gnutls_kx_priority(gnutls_session session, gnutls_kx_algorithm algor * Returns a pointer to a string that contains the name * of the specified key exchange algorithm or NULL. **/ -const char *gnutls_kx_get_name( gnutls_kx_algorithm algorithm) +const char *gnutls_kx_get_name(gnutls_kx_algorithm algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_KX_ALG_LOOP(ret = p->name); + /* avoid prefix */ + GNUTLS_KX_ALG_LOOP(ret = p->name); - return ret; + return ret; } int _gnutls_kx_is_ok(gnutls_kx_algorithm algorithm) { - ssize_t ret = -1; - GNUTLS_KX_ALG_LOOP(ret = p->algorithm); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; + ssize_t ret = -1; + GNUTLS_KX_ALG_LOOP(ret = p->algorithm); + if (ret >= 0) + ret = 0; + else + ret = 1; + return ret; } int _gnutls_kx_needs_rsa_params(gnutls_kx_algorithm algorithm) { - ssize_t ret = 0; - GNUTLS_KX_ALG_LOOP(ret = p->needs_rsa_params); - return ret; + ssize_t ret = 0; + GNUTLS_KX_ALG_LOOP(ret = p->needs_rsa_params); + return ret; } int _gnutls_kx_needs_dh_params(gnutls_kx_algorithm algorithm) { - ssize_t ret = 0; - GNUTLS_KX_ALG_LOOP(ret = p->needs_dh_params); - return ret; + ssize_t ret = 0; + GNUTLS_KX_ALG_LOOP(ret = p->needs_dh_params); + return ret; } /* Version */ int _gnutls_version_priority(gnutls_session session, - gnutls_protocol_version version) + gnutls_protocol_version version) { /* actually returns the priority */ - unsigned int i; + unsigned int i; - if (session->internals.protocol_priority.priority==NULL) { - gnutls_assert(); - return -1; - } - - for (i = 0; - i < - session->internals.protocol_priority.algorithms; - i++) { - if (session->internals. - protocol_priority.priority[i] == - version) - return i; - } + if (session->internals.protocol_priority.priority == NULL) { + gnutls_assert(); return -1; + } + + for (i = 0; i < session->internals.protocol_priority.algorithms; i++) { + if (session->internals.protocol_priority.priority[i] == version) + return i; + } + return -1; } gnutls_protocol_version _gnutls_version_lowest(gnutls_session session) { /* returns the lowest version supported */ - unsigned int i, min = 0xff; - - if (session->internals.protocol_priority.priority==NULL) { - return GNUTLS_VERSION_UNKNOWN; - } else - for (i=0;i<session->internals.protocol_priority.algorithms;i++) { - if (session->internals.protocol_priority.priority[i] < min) - min = session->internals.protocol_priority.priority[i]; - } - - if (min==0xff) return GNUTLS_VERSION_UNKNOWN; /* unknown version */ - - return min; + unsigned int i, min = 0xff; + + if (session->internals.protocol_priority.priority == NULL) { + return GNUTLS_VERSION_UNKNOWN; + } else + for (i = 0; i < session->internals.protocol_priority.algorithms; + i++) { + if (session->internals.protocol_priority.priority[i] < min) + min = session->internals.protocol_priority.priority[i]; + } + + if (min == 0xff) + return GNUTLS_VERSION_UNKNOWN; /* unknown version */ + + return min; } gnutls_protocol_version _gnutls_version_max(gnutls_session session) { /* returns the maximum version supported */ - unsigned int i, max=0x00; - - if (session->internals.protocol_priority.priority==NULL) { - return GNUTLS_VERSION_UNKNOWN; - } else - for (i=0;i<session->internals.protocol_priority.algorithms;i++) { - if (session->internals.protocol_priority.priority[i] > max) - max = session->internals.protocol_priority.priority[i]; - } - - if (max==0x00) return GNUTLS_VERSION_UNKNOWN; /* unknown version */ - - return max; + unsigned int i, max = 0x00; + + if (session->internals.protocol_priority.priority == NULL) { + return GNUTLS_VERSION_UNKNOWN; + } else + for (i = 0; i < session->internals.protocol_priority.algorithms; + i++) { + if (session->internals.protocol_priority.priority[i] > max) + max = session->internals.protocol_priority.priority[i]; + } + + if (max == 0x00) + return GNUTLS_VERSION_UNKNOWN; /* unknown version */ + + return max; } @@ -851,39 +849,38 @@ gnutls_protocol_version _gnutls_version_max(gnutls_session session) * Returns a string that contains the name * of the specified TLS version or NULL. **/ -const char *gnutls_protocol_get_name( gnutls_protocol_version version) +const char *gnutls_protocol_get_name(gnutls_protocol_version version) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_VERSION_ALG_LOOP(ret = - p->name); - return ret; + /* avoid prefix */ + GNUTLS_VERSION_ALG_LOOP(ret = p->name); + return ret; } int _gnutls_version_get_minor(gnutls_protocol_version version) { - int ret = -1; + int ret = -1; - GNUTLS_VERSION_ALG_LOOP(ret = p->minor); - return ret; + GNUTLS_VERSION_ALG_LOOP(ret = p->minor); + return ret; } gnutls_protocol_version _gnutls_version_get(int major, int minor) { - int ret = -1; + int ret = -1; - GNUTLS_VERSION_LOOP(if ((p->major == major) && (p->minor == minor)) - ret = p->id); - return ret; + GNUTLS_VERSION_LOOP(if ((p->major == major) && (p->minor == minor)) + ret = p->id); + return ret; } int _gnutls_version_get_major(gnutls_protocol_version version) { - int ret = -1; + int ret = -1; - GNUTLS_VERSION_ALG_LOOP(ret = p->major); - return ret; + GNUTLS_VERSION_ALG_LOOP(ret = p->major); + return ret; } /* Version Functions */ @@ -892,89 +889,92 @@ int _gnutls_version_is_supported(gnutls_session session, const gnutls_protocol_version version) { -int ret=0; + int ret = 0; - GNUTLS_VERSION_ALG_LOOP(ret = p->supported); - if (ret == 0) return 0; + GNUTLS_VERSION_ALG_LOOP(ret = p->supported); + if (ret == 0) + return 0; - if (_gnutls_version_priority( session, version) < 0) - return 0; /* disabled by the user */ - else - return 1; + if (_gnutls_version_priority(session, version) < 0) + return 0; /* disabled by the user */ + else + return 1; } /* Type to KX mappings */ -gnutls_kx_algorithm _gnutls_map_kx_get_kx(gnutls_credentials_type type, int server) +gnutls_kx_algorithm _gnutls_map_kx_get_kx(gnutls_credentials_type type, + int server) { - gnutls_kx_algorithm ret = -1; - - if (server) { - GNUTLS_KX_MAP_ALG_LOOP_SERVER(ret = p->algorithm); - } else { - GNUTLS_KX_MAP_ALG_LOOP_SERVER(ret = p->algorithm); - } - return ret; + gnutls_kx_algorithm ret = -1; + + if (server) { + GNUTLS_KX_MAP_ALG_LOOP_SERVER(ret = p->algorithm); + } else { + GNUTLS_KX_MAP_ALG_LOOP_SERVER(ret = p->algorithm); + } + return ret; } -gnutls_credentials_type _gnutls_map_kx_get_cred(gnutls_kx_algorithm algorithm, int server) +gnutls_credentials_type _gnutls_map_kx_get_cred(gnutls_kx_algorithm + algorithm, int server) { - gnutls_credentials_type ret = -1; - if (server) { - GNUTLS_KX_MAP_LOOP(if (p->algorithm==algorithm) ret = p->server_type); - } else { - GNUTLS_KX_MAP_LOOP(if (p->algorithm==algorithm) ret = p->client_type); - } - - return ret; + gnutls_credentials_type ret = -1; + if (server) { + GNUTLS_KX_MAP_LOOP(if (p->algorithm == algorithm) ret = + p->server_type); + } else { + GNUTLS_KX_MAP_LOOP(if (p->algorithm == algorithm) ret = + p->client_type); + } + + return ret; } /* Cipher Suite's functions */ gnutls_cipher_algorithm -_gnutls_cipher_suite_get_cipher_algo(const cipher_suite_st* suite) +_gnutls_cipher_suite_get_cipher_algo(const cipher_suite_st * suite) { - int ret = 0; - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->block_algorithm); - return ret; + int ret = 0; + GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->block_algorithm); + return ret; } gnutls_protocol_version -_gnutls_cipher_suite_get_version(const cipher_suite_st* suite) +_gnutls_cipher_suite_get_version(const cipher_suite_st * suite) { - int ret = 0; - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->version); - return ret; + int ret = 0; + GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->version); + return ret; } -gnutls_kx_algorithm _gnutls_cipher_suite_get_kx_algo(const cipher_suite_st* - suite) +gnutls_kx_algorithm _gnutls_cipher_suite_get_kx_algo(const cipher_suite_st + * suite) { - int ret = 0; + int ret = 0; - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->kx_algorithm); - return ret; + GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->kx_algorithm); + return ret; } gnutls_mac_algorithm -_gnutls_cipher_suite_get_mac_algo(const cipher_suite_st *suite) +_gnutls_cipher_suite_get_mac_algo(const cipher_suite_st * suite) { /* In bytes */ - int ret = 0; - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->mac_algorithm); - return ret; + int ret = 0; + GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->mac_algorithm); + return ret; } -const char *_gnutls_cipher_suite_get_name(cipher_suite_st* suite) +const char *_gnutls_cipher_suite_get_name(cipher_suite_st * suite) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = - p->name + sizeof("GNUTLS_") - - 1); + /* avoid prefix */ + GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->name + sizeof("GNUTLS_") - 1); - return ret; + return ret; } /** @@ -991,32 +991,33 @@ const char *_gnutls_cipher_suite_get_name(cipher_suite_st* suite) * **/ const char *gnutls_cipher_suite_get_name(gnutls_kx_algorithm kx_algorithm, - gnutls_cipher_algorithm cipher_algorithm, gnutls_mac_algorithm mac_algorithm) + gnutls_cipher_algorithm + cipher_algorithm, + gnutls_mac_algorithm + mac_algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_CIPHER_SUITE_LOOP( - if (kx_algorithm == p->kx_algorithm && - cipher_algorithm == p->block_algorithm && - mac_algorithm == p->mac_algorithm) - ret = p->name + sizeof("GNUTLS_") - 1); + /* avoid prefix */ + GNUTLS_CIPHER_SUITE_LOOP(if (kx_algorithm == p->kx_algorithm && + cipher_algorithm == p->block_algorithm && + mac_algorithm == p->mac_algorithm) + ret = p->name + sizeof("GNUTLS_") - 1); - return ret; + return ret; } -inline -static int _gnutls_cipher_suite_is_ok(cipher_suite_st *suite) +inline static int _gnutls_cipher_suite_is_ok(cipher_suite_st * suite) { - size_t ret; - const char *name = NULL; - - GNUTLS_CIPHER_SUITE_ALG_LOOP(name = p->name); - if (name != NULL) - ret = 0; - else - ret = 1; - return ret; + size_t ret; + const char *name = NULL; + + GNUTLS_CIPHER_SUITE_ALG_LOOP(name = p->name); + if (name != NULL) + ret = 0; + else + ret = 1; + return ret; } @@ -1028,67 +1029,69 @@ static int _gnutls_cipher_suite_is_ok(cipher_suite_st *suite) inline static int _gnutls_partition(gnutls_session session, void *_base, size_t nmemb, size_t size, - int (*compar) (gnutls_session, const void *, + int (*compar) (gnutls_session, + const void *, const void *)) { - uint8 *base = _base; - uint8 tmp[MAX_ELEM_SIZE]; - uint8 ptmp[MAX_ELEM_SIZE]; - unsigned int pivot; - unsigned int i, j; - unsigned int full; - - i = pivot = 0; - j = full = (nmemb - 1) * size; - - memcpy(ptmp, &base[0], size); /* set pivot item */ - - while (i < j) { - while ((compar(session, &base[i], ptmp) <= 0) && (i < full)) { - i += size; - } - while ((compar(session, &base[j], ptmp) >= 0) && (j > 0)) - j -= size; - - if (i < j) { - SWAP(&base[j], &base[i]); - } + uint8 *base = _base; + uint8 tmp[MAX_ELEM_SIZE]; + uint8 ptmp[MAX_ELEM_SIZE]; + unsigned int pivot; + unsigned int i, j; + unsigned int full; + + i = pivot = 0; + j = full = (nmemb - 1) * size; + + memcpy(ptmp, &base[0], size); /* set pivot item */ + + while (i < j) { + while ((compar(session, &base[i], ptmp) <= 0) && (i < full)) { + i += size; } + while ((compar(session, &base[j], ptmp) >= 0) && (j > 0)) + j -= size; - if (j > pivot) { - SWAP(&base[pivot], &base[j]); - pivot = j; - } else if (i < pivot) { - SWAP(&base[pivot], &base[i]); - pivot = i; + if (i < j) { + SWAP(&base[j], &base[i]); } - return pivot / size; + } + + if (j > pivot) { + SWAP(&base[pivot], &base[j]); + pivot = j; + } else if (i < pivot) { + SWAP(&base[pivot], &base[i]); + pivot = i; + } + return pivot / size; } static void -_gnutls_qsort(gnutls_session session, void *_base, size_t nmemb, size_t size, - int (*compar) (gnutls_session, const void *, const void *)) +_gnutls_qsort(gnutls_session session, void *_base, size_t nmemb, + size_t size, int (*compar) (gnutls_session, const void *, + const void *)) { - unsigned int pivot; - char *base = _base; - size_t snmemb = nmemb; + unsigned int pivot; + char *base = _base; + size_t snmemb = nmemb; #ifdef DEBUG - if (size > MAX_ELEM_SIZE) { - gnutls_assert(); - _gnutls_debug_log( "QSORT BUG\n"); - exit(1); - } + if (size > MAX_ELEM_SIZE) { + gnutls_assert(); + _gnutls_debug_log("QSORT BUG\n"); + exit(1); + } #endif - if (snmemb <= 1) - return; - pivot = _gnutls_partition(session, _base, nmemb, size, compar); + if (snmemb <= 1) + return; + pivot = _gnutls_partition(session, _base, nmemb, size, compar); - _gnutls_qsort(session, base, pivot < nmemb ? pivot + 1 : pivot, size, - compar); - _gnutls_qsort(session, &base[(pivot + 1) * size], nmemb - pivot - 1, - size, compar); + _gnutls_qsort(session, base, pivot < nmemb ? pivot + 1 : pivot, size, + compar); + _gnutls_qsort(session, &base[(pivot + 1) * size], nmemb - pivot - 1, + size, compar); } @@ -1099,38 +1102,38 @@ static int _gnutls_compare_algo(gnutls_session session, const void *i_A1, const void *i_A2) { - gnutls_kx_algorithm kA1 = - _gnutls_cipher_suite_get_kx_algo((const cipher_suite_st *) i_A1); - gnutls_kx_algorithm kA2 = - _gnutls_cipher_suite_get_kx_algo((const cipher_suite_st *) i_A2); - gnutls_cipher_algorithm cA1 = - _gnutls_cipher_suite_get_cipher_algo((const cipher_suite_st *) - i_A1); - gnutls_cipher_algorithm cA2 = - _gnutls_cipher_suite_get_cipher_algo((const cipher_suite_st *) - i_A2); - gnutls_mac_algorithm mA1 = - _gnutls_cipher_suite_get_mac_algo((const cipher_suite_st *) - i_A1); - gnutls_mac_algorithm mA2 = - _gnutls_cipher_suite_get_mac_algo((const cipher_suite_st *) - i_A2); - - int p1 = (_gnutls_kx_priority(session, kA1) + 1) * 64; - int p2 = (_gnutls_kx_priority(session, kA2) + 1) * 64; - p1 += (_gnutls_cipher_priority(session, cA1) + 1) * 8; - p2 += (_gnutls_cipher_priority(session, cA2) + 1) * 8; - p1 += _gnutls_mac_priority(session, mA1); - p2 += _gnutls_mac_priority(session, mA2); - - if (p1 > p2) { - return 1; - } else { - if (p1 == p2) { - return 0; - } - return -1; + gnutls_kx_algorithm kA1 = + _gnutls_cipher_suite_get_kx_algo((const cipher_suite_st *) i_A1); + gnutls_kx_algorithm kA2 = + _gnutls_cipher_suite_get_kx_algo((const cipher_suite_st *) i_A2); + gnutls_cipher_algorithm cA1 = + _gnutls_cipher_suite_get_cipher_algo((const cipher_suite_st *) + i_A1); + gnutls_cipher_algorithm cA2 = + _gnutls_cipher_suite_get_cipher_algo((const cipher_suite_st *) + i_A2); + gnutls_mac_algorithm mA1 = + _gnutls_cipher_suite_get_mac_algo((const cipher_suite_st *) + i_A1); + gnutls_mac_algorithm mA2 = + _gnutls_cipher_suite_get_mac_algo((const cipher_suite_st *) + i_A2); + + int p1 = (_gnutls_kx_priority(session, kA1) + 1) * 64; + int p2 = (_gnutls_kx_priority(session, kA2) + 1) * 64; + p1 += (_gnutls_cipher_priority(session, cA1) + 1) * 8; + p2 += (_gnutls_cipher_priority(session, cA2) + 1) * 8; + p1 += _gnutls_mac_priority(session, mA1); + p2 += _gnutls_mac_priority(session, mA2); + + if (p1 > p2) { + return 1; + } else { + if (p1 == p2) { + return 0; } + return -1; + } } #ifdef SORT_DEBUG @@ -1139,18 +1142,18 @@ _gnutls_bsort(gnutls_session session, void *_base, size_t nmemb, size_t size, int (*compar) (gnutls_session, const void *, const void *)) { - unsigned int i, j; - int full = nmemb * size; - char *base = _base; - char tmp[MAX_ELEM_SIZE]; - - for (i = 0; i < full; i += size) { - for (j = 0; j < full; j += size) { - if (compar(session, &base[i], &base[j]) < 0) { - SWAP(&base[j], &base[i]); - } - } + unsigned int i, j; + int full = nmemb * size; + char *base = _base; + char tmp[MAX_ELEM_SIZE]; + + for (i = 0; i < full; i += size) { + for (j = 0; j < full; j += size) { + if (compar(session, &base[i], &base[j]) < 0) { + SWAP(&base[j], &base[i]); + } } + } } #endif @@ -1161,34 +1164,33 @@ _gnutls_supported_ciphersuites_sorted(gnutls_session session, { #ifdef SORT_DEBUG - unsigned int i; + unsigned int i; #endif - int count; - - count = _gnutls_supported_ciphersuites( session, ciphers); - if (count<=0) { - gnutls_assert(); - return count; - } + int count; + count = _gnutls_supported_ciphersuites(session, ciphers); + if (count <= 0) { + gnutls_assert(); + return count; + } #ifdef SORT_DEBUG - _gnutls_debug_log( "Unsorted: \n"); - for (i = 0; i < count; i++) - _gnutls_debug_log( "\t%d: %s\n", i, - _gnutls_cipher_suite_get_name((*ciphers)[i])); + _gnutls_debug_log("Unsorted: \n"); + for (i = 0; i < count; i++) + _gnutls_debug_log("\t%d: %s\n", i, + _gnutls_cipher_suite_get_name((*ciphers)[i])); #endif - _gnutls_qsort(session, *ciphers, count, - sizeof(cipher_suite_st), _gnutls_compare_algo); + _gnutls_qsort(session, *ciphers, count, + sizeof(cipher_suite_st), _gnutls_compare_algo); #ifdef SORT_DEBUG - _gnutls_debug_log( "Sorted: \n"); - for (i = 0; i < count; i++) - _gnutls_debug_log( "\t%d: %s\n", i, - _gnutls_cipher_suite_get_name((*ciphers)[i])); + _gnutls_debug_log("Sorted: \n"); + for (i = 0; i < count; i++) + _gnutls_debug_log("\t%d: %s\n", i, + _gnutls_cipher_suite_get_name((*ciphers)[i])); #endif - return count; + return count; } int @@ -1196,91 +1198,91 @@ _gnutls_supported_ciphersuites(gnutls_session session, cipher_suite_st ** _ciphers) { - unsigned int i, ret_count, j; - unsigned int count = CIPHER_SUITES_COUNT; - cipher_suite_st *tmp_ciphers; - cipher_suite_st* ciphers; - gnutls_protocol_version version; - - if (count == 0) { - return 0; - } + unsigned int i, ret_count, j; + unsigned int count = CIPHER_SUITES_COUNT; + cipher_suite_st *tmp_ciphers; + cipher_suite_st *ciphers; + gnutls_protocol_version version; - tmp_ciphers = gnutls_alloca(count * sizeof(cipher_suite_st)); - if ( tmp_ciphers==NULL) - return GNUTLS_E_MEMORY_ERROR; + if (count == 0) { + return 0; + } - ciphers = gnutls_malloc(count * sizeof(cipher_suite_st)); - if ( ciphers==NULL) { - gnutls_afree( tmp_ciphers); - return GNUTLS_E_MEMORY_ERROR; - } - - version = gnutls_protocol_get_version( session); + tmp_ciphers = gnutls_alloca(count * sizeof(cipher_suite_st)); + if (tmp_ciphers == NULL) + return GNUTLS_E_MEMORY_ERROR; - for (i = 0; i < count; i++) { - memcpy( &tmp_ciphers[i], &cs_algorithms[i].id, sizeof( cipher_suite_st)); - } + ciphers = gnutls_malloc(count * sizeof(cipher_suite_st)); + if (ciphers == NULL) { + gnutls_afree(tmp_ciphers); + return GNUTLS_E_MEMORY_ERROR; + } - for (i = j = 0; i < count; i++) { - /* remove private cipher suites, if requested. - */ - if ( tmp_ciphers[i].suite[0] == 0xFF && - session->internals.enable_private == 0) - continue; - - /* remove cipher suites which do not support the - * protocol version used. - */ - if ( _gnutls_cipher_suite_get_version(&tmp_ciphers[i]) > version) - continue; - - if (_gnutls_kx_priority - (session, - _gnutls_cipher_suite_get_kx_algo(&tmp_ciphers[i])) < 0) - continue; - if (_gnutls_mac_priority - (session, - _gnutls_cipher_suite_get_mac_algo(&tmp_ciphers[i])) < - 0) - continue; - if (_gnutls_cipher_priority - (session, - _gnutls_cipher_suite_get_cipher_algo(&tmp_ciphers[i])) - < 0) - continue; - - memcpy( &ciphers[j], &tmp_ciphers[i], sizeof( cipher_suite_st)); - j++; - } + version = gnutls_protocol_get_version(session); - ret_count = j; - -#if 0 /* expensive */ - if (ret_count > 0 && ret_count != count) { - ciphers = - gnutls_realloc_fast(ciphers, - ret_count * sizeof(cipher_suite_st)); - } else { - if (ret_count != count) { - gnutls_free(ciphers); - ciphers = NULL; - } - } -#endif + for (i = 0; i < count; i++) { + memcpy(&tmp_ciphers[i], &cs_algorithms[i].id, + sizeof(cipher_suite_st)); + } - gnutls_afree(tmp_ciphers); + for (i = j = 0; i < count; i++) { + /* remove private cipher suites, if requested. + */ + if (tmp_ciphers[i].suite[0] == 0xFF && + session->internals.enable_private == 0) + continue; - /* This function can no longer return 0 cipher suites. - * It returns an error code instead. + /* remove cipher suites which do not support the + * protocol version used. */ - if (ret_count == 0) { - gnutls_assert(); - gnutls_free(ciphers); - return GNUTLS_E_NO_CIPHER_SUITES; + if (_gnutls_cipher_suite_get_version(&tmp_ciphers[i]) > version) + continue; + + if (_gnutls_kx_priority + (session, + _gnutls_cipher_suite_get_kx_algo(&tmp_ciphers[i])) < 0) + continue; + if (_gnutls_mac_priority + (session, + _gnutls_cipher_suite_get_mac_algo(&tmp_ciphers[i])) < 0) + continue; + if (_gnutls_cipher_priority + (session, + _gnutls_cipher_suite_get_cipher_algo(&tmp_ciphers[i])) + < 0) + continue; + + memcpy(&ciphers[j], &tmp_ciphers[i], sizeof(cipher_suite_st)); + j++; + } + + ret_count = j; + +#if 0 /* expensive */ + if (ret_count > 0 && ret_count != count) { + ciphers = + gnutls_realloc_fast(ciphers, + ret_count * sizeof(cipher_suite_st)); + } else { + if (ret_count != count) { + gnutls_free(ciphers); + ciphers = NULL; } - *_ciphers = ciphers; - return ret_count; + } +#endif + + gnutls_afree(tmp_ciphers); + + /* This function can no longer return 0 cipher suites. + * It returns an error code instead. + */ + if (ret_count == 0) { + gnutls_assert(); + gnutls_free(ciphers); + return GNUTLS_E_NO_CIPHER_SUITES; + } + *_ciphers = ciphers; + return ret_count; } @@ -1292,37 +1294,39 @@ _gnutls_supported_ciphersuites(gnutls_session session, */ #define SUPPORTED_COMPRESSION_METHODS session->internals.compression_method_priority.algorithms int -_gnutls_supported_compression_methods(gnutls_session session, uint8 ** comp) +_gnutls_supported_compression_methods(gnutls_session session, + uint8 ** comp) { - unsigned int i, j; - - *comp = gnutls_malloc( sizeof(uint8) * SUPPORTED_COMPRESSION_METHODS); - if (*comp == NULL) - return GNUTLS_E_MEMORY_ERROR; - - for (i = j = 0; i < SUPPORTED_COMPRESSION_METHODS; i++) { - int tmp = _gnutls_compression_get_num(session->internals. - compression_method_priority. - priority[i]); - - /* remove private compression algorithms, if requested. - */ - if (tmp == -1 || (tmp >= MIN_PRIVATE_COMP_ALGO && - session->internals.enable_private == 0)) { - gnutls_assert(); - continue; - } - - (*comp)[j] = (uint8) tmp; - j++; - } + unsigned int i, j; + + *comp = gnutls_malloc(sizeof(uint8) * SUPPORTED_COMPRESSION_METHODS); + if (*comp == NULL) + return GNUTLS_E_MEMORY_ERROR; - if (j==0) { - gnutls_assert(); - gnutls_free( *comp); *comp = NULL; - return GNUTLS_E_NO_COMPRESSION_ALGORITHMS; + for (i = j = 0; i < SUPPORTED_COMPRESSION_METHODS; i++) { + int tmp = _gnutls_compression_get_num(session->internals. + compression_method_priority. + priority[i]); + + /* remove private compression algorithms, if requested. + */ + if (tmp == -1 || (tmp >= MIN_PRIVATE_COMP_ALGO && + session->internals.enable_private == 0)) { + gnutls_assert(); + continue; } - return j; + + (*comp)[j] = (uint8) tmp; + j++; + } + + if (j == 0) { + gnutls_assert(); + gnutls_free(*comp); + *comp = NULL; + return GNUTLS_E_NO_COMPRESSION_ALGORITHMS; + } + return j; } /** @@ -1332,14 +1336,16 @@ _gnutls_supported_compression_methods(gnutls_session session, uint8 ** comp) * Returns a string (or NULL) that contains the name * of the specified certificate type. **/ -const char *gnutls_certificate_type_get_name( gnutls_certificate_type type) +const char *gnutls_certificate_type_get_name(gnutls_certificate_type type) { - const char *ret = NULL; + const char *ret = NULL; - if (type==GNUTLS_CRT_X509) ret = "X.509"; - if (type==GNUTLS_CRT_OPENPGP) ret = "OPENPGP"; + if (type == GNUTLS_CRT_X509) + ret = "X.509"; + if (type == GNUTLS_CRT_OPENPGP) + ret = "OPENPGP"; - return ret; + return ret; } /* returns the gnutls_pk_algorithm which is compatible with @@ -1347,9 +1353,9 @@ const char *gnutls_certificate_type_get_name( gnutls_certificate_type type) */ gnutls_pk_algorithm _gnutls_map_pk_get_pk(gnutls_kx_algorithm kx_algorithm) { - gnutls_pk_algorithm ret = -1; + gnutls_pk_algorithm ret = -1; - GNUTLS_PK_MAP_ALG_LOOP(ret = p->pk_algorithm) + GNUTLS_PK_MAP_ALG_LOOP(ret = p->pk_algorithm) return ret; } @@ -1358,10 +1364,11 @@ gnutls_pk_algorithm _gnutls_map_pk_get_pk(gnutls_kx_algorithm kx_algorithm) * * ex. GNUTLS_KX_RSA requires a certificate able to encrypt... so returns CIPHER_ENCRYPT. */ -enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm kx_algorithm) +enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm + kx_algorithm) { - int ret = CIPHER_IGN; - GNUTLS_PK_MAP_ALG_LOOP(ret = p->encipher_type) + int ret = CIPHER_IGN; + GNUTLS_PK_MAP_ALG_LOOP(ret = p->encipher_type) return ret; } @@ -1369,17 +1376,17 @@ enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm kx_algorithm) /* signature algorithms; */ struct gnutls_sign_entry { - const char *name; - gnutls_sign_algorithm id; + const char *name; + gnutls_sign_algorithm id; }; typedef struct gnutls_sign_entry gnutls_sign_entry; static const gnutls_sign_entry sign_algorithms[] = { - {"RSA-SHA", GNUTLS_SIGN_RSA_SHA}, - {"DSA-SHA", GNUTLS_SIGN_DSA_SHA}, - {"RSA-MD5", GNUTLS_SIGN_RSA_MD5}, - {"RSA-MD2", GNUTLS_SIGN_RSA_MD2}, - {0, 0} + {"RSA-SHA", GNUTLS_SIGN_RSA_SHA}, + {"DSA-SHA", GNUTLS_SIGN_DSA_SHA}, + {"RSA-MD5", GNUTLS_SIGN_RSA_MD5}, + {"RSA-MD2", GNUTLS_SIGN_RSA_MD2}, + {0, 0} }; #define GNUTLS_SIGN_LOOP(b) \ @@ -1398,29 +1405,28 @@ static const gnutls_sign_entry sign_algorithms[] = { * Returns a string that contains the name * of the specified sign algorithm or NULL. **/ -const char *gnutls_sign_algorithm_get_name( gnutls_sign_algorithm algorithm) +const char *gnutls_sign_algorithm_get_name(gnutls_sign_algorithm algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_SIGN_ALG_LOOP(ret = - p->name); + /* avoid prefix */ + GNUTLS_SIGN_ALG_LOOP(ret = p->name); - return ret; + return ret; } /* pk algorithms; */ struct gnutls_pk_entry { - const char *name; - gnutls_pk_algorithm id; + const char *name; + gnutls_pk_algorithm id; }; typedef struct gnutls_pk_entry gnutls_pk_entry; static const gnutls_pk_entry pk_algorithms[] = { - {"RSA", GNUTLS_PK_RSA}, - {"DSA", GNUTLS_PK_DSA}, - {0, 0} + {"RSA", GNUTLS_PK_RSA}, + {"DSA", GNUTLS_PK_DSA}, + {0, 0} }; #define GNUTLS_PK_LOOP(b) \ @@ -1439,13 +1445,12 @@ static const gnutls_pk_entry pk_algorithms[] = { * Returns a string that contains the name * of the specified public key algorithm or NULL. **/ -const char *gnutls_pk_algorithm_get_name( gnutls_pk_algorithm algorithm) +const char *gnutls_pk_algorithm_get_name(gnutls_pk_algorithm algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_PK_ALG_LOOP(ret = - p->name); + /* avoid prefix */ + GNUTLS_PK_ALG_LOOP(ret = p->name); - return ret; + return ret; } diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h index 9962eb8a0d..b43398a10d 100644 --- a/lib/gnutls_algorithms.h +++ b/lib/gnutls_algorithms.h @@ -22,33 +22,48 @@ /* functions for version */ -gnutls_protocol_version _gnutls_version_lowest( gnutls_session session); -gnutls_protocol_version _gnutls_version_max( gnutls_session session); -int _gnutls_version_priority(gnutls_session session, gnutls_protocol_version version); -int _gnutls_version_is_supported(gnutls_session session, const gnutls_protocol_version version); -int _gnutls_version_get_major( gnutls_protocol_version ver); -int _gnutls_version_get_minor( gnutls_protocol_version ver); -gnutls_protocol_version _gnutls_version_get( int major, int minor); +gnutls_protocol_version _gnutls_version_lowest(gnutls_session session); +gnutls_protocol_version _gnutls_version_max(gnutls_session session); +int _gnutls_version_priority(gnutls_session session, + gnutls_protocol_version version); +int _gnutls_version_is_supported(gnutls_session session, + const gnutls_protocol_version version); +int _gnutls_version_get_major(gnutls_protocol_version ver); +int _gnutls_version_get_minor(gnutls_protocol_version ver); +gnutls_protocol_version _gnutls_version_get(int major, int minor); /* functions for macs */ -const char* gnutls_mac_get_name(gnutls_mac_algorithm algorithm); -int _gnutls_mac_is_ok(gnutls_mac_algorithm algorithm); -int _gnutls_mac_priority(gnutls_session session, gnutls_mac_algorithm algorithm); +const char *gnutls_mac_get_name(gnutls_mac_algorithm algorithm); +int _gnutls_mac_is_ok(gnutls_mac_algorithm algorithm); +int _gnutls_mac_priority(gnutls_session session, + gnutls_mac_algorithm algorithm); /* functions for cipher suites */ -int _gnutls_supported_ciphersuites(gnutls_session session, cipher_suite_st **ciphers); -int _gnutls_supported_ciphersuites_sorted(gnutls_session session, cipher_suite_st **ciphers); -int _gnutls_supported_compression_methods(gnutls_session session, uint8 **comp); - -const char* _gnutls_cipher_suite_get_name(cipher_suite_st *algorithm); -gnutls_cipher_algorithm _gnutls_cipher_suite_get_cipher_algo(const cipher_suite_st *algorithm); -gnutls_kx_algorithm _gnutls_cipher_suite_get_kx_algo(const cipher_suite_st *algorithm); -gnutls_mac_algorithm _gnutls_cipher_suite_get_mac_algo(const cipher_suite_st *algorithm); -gnutls_protocol_version _gnutls_cipher_suite_get_version(const cipher_suite_st *algorithm); -cipher_suite_st _gnutls_cipher_suite_get_suite_name(cipher_suite_st *algorithm); +int _gnutls_supported_ciphersuites(gnutls_session session, + cipher_suite_st ** ciphers); +int _gnutls_supported_ciphersuites_sorted(gnutls_session session, + cipher_suite_st ** ciphers); +int _gnutls_supported_compression_methods(gnutls_session session, + uint8 ** comp); + +const char *_gnutls_cipher_suite_get_name(cipher_suite_st * algorithm); +gnutls_cipher_algorithm _gnutls_cipher_suite_get_cipher_algo(const + cipher_suite_st + * algorithm); +gnutls_kx_algorithm _gnutls_cipher_suite_get_kx_algo(const cipher_suite_st + * algorithm); +gnutls_mac_algorithm _gnutls_cipher_suite_get_mac_algo(const + cipher_suite_st * + algorithm); +gnutls_protocol_version _gnutls_cipher_suite_get_version(const + cipher_suite_st * + algorithm); +cipher_suite_st _gnutls_cipher_suite_get_suite_name(cipher_suite_st * + algorithm); /* functions for ciphers */ -int _gnutls_cipher_priority(gnutls_session session, gnutls_cipher_algorithm algorithm); +int _gnutls_cipher_priority(gnutls_session session, + gnutls_cipher_algorithm algorithm); int _gnutls_cipher_get_block_size(gnutls_cipher_algorithm algorithm); int _gnutls_cipher_is_block(gnutls_cipher_algorithm algorithm); int _gnutls_cipher_is_ok(gnutls_cipher_algorithm algorithm); @@ -58,54 +73,61 @@ int _gnutls_cipher_get_export_flag(gnutls_cipher_algorithm algorithm); const char *gnutls_cipher_get_name(gnutls_cipher_algorithm algorithm); /* functions for key exchange */ -int _gnutls_kx_priority(gnutls_session session, gnutls_kx_algorithm algorithm); +int _gnutls_kx_priority(gnutls_session session, + gnutls_kx_algorithm algorithm); int _gnutls_kx_needs_dh_params(gnutls_kx_algorithm algorithm); int _gnutls_kx_needs_rsa_params(gnutls_kx_algorithm algorithm); -mod_auth_st * _gnutls_kx_auth_struct(gnutls_kx_algorithm algorithm); +mod_auth_st *_gnutls_kx_auth_struct(gnutls_kx_algorithm algorithm); const char *gnutls_kx_get_name(gnutls_kx_algorithm algorithm); int _gnutls_kx_is_ok(gnutls_kx_algorithm algorithm); /* functions for compression */ -int _gnutls_compression_priority(gnutls_session session, gnutls_compression_method algorithm); +int _gnutls_compression_priority(gnutls_session session, + gnutls_compression_method algorithm); int _gnutls_compression_is_ok(gnutls_compression_method algorithm); int _gnutls_compression_get_num(gnutls_compression_method algorithm); gnutls_compression_method _gnutls_compression_get_id(int num); -const char *gnutls_compression_get_name(gnutls_compression_method algorithm); +const char *gnutls_compression_get_name(gnutls_compression_method + algorithm); int _gnutls_compression_get_mem_level(gnutls_compression_method algorithm); -int _gnutls_compression_get_comp_level(gnutls_compression_method algorithm); +int _gnutls_compression_get_comp_level(gnutls_compression_method + algorithm); int _gnutls_compression_get_wbits(gnutls_compression_method algorithm); /* Type to KX mappings */ -gnutls_kx_algorithm _gnutls_map_kx_get_kx(gnutls_credentials_type type, int server); -gnutls_credentials_type _gnutls_map_kx_get_cred(gnutls_kx_algorithm algorithm, int server); +gnutls_kx_algorithm _gnutls_map_kx_get_kx(gnutls_credentials_type type, + int server); +gnutls_credentials_type _gnutls_map_kx_get_cred(gnutls_kx_algorithm + algorithm, int server); /* KX to PK mapping */ -gnutls_pk_algorithm _gnutls_map_pk_get_pk(gnutls_kx_algorithm kx_algorithm); +gnutls_pk_algorithm _gnutls_map_pk_get_pk(gnutls_kx_algorithm + kx_algorithm); -enum encipher_type { CIPHER_ENCRYPT=0, CIPHER_SIGN=1, CIPHER_IGN }; +enum encipher_type { CIPHER_ENCRYPT = 0, CIPHER_SIGN = 1, CIPHER_IGN }; enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm algorithm); struct gnutls_kx_algo_entry { - const char *name; - gnutls_kx_algorithm algorithm; - mod_auth_st *auth_struct; - int needs_dh_params; - int needs_rsa_params; + const char *name; + gnutls_kx_algorithm algorithm; + mod_auth_st *auth_struct; + int needs_dh_params; + int needs_rsa_params; }; typedef struct gnutls_kx_algo_entry gnutls_kx_algo_entry; struct gnutls_compression_entry { - const char *name; - gnutls_compression_method id; - int num; /* the number reserved in TLS for the specific compression method */ - - /* used in zlib compressor */ - int window_bits; - int mem_level; - int comp_level; + const char *name; + gnutls_compression_method id; + int num; /* the number reserved in TLS for the specific compression method */ + + /* used in zlib compressor */ + int window_bits; + int mem_level; + int comp_level; }; typedef struct gnutls_compression_entry gnutls_compression_entry; diff --git a/lib/gnutls_anon_cred.c b/lib/gnutls_anon_cred.c index 50da169d3d..55e088c06e 100644 --- a/lib/gnutls_anon_cred.c +++ b/lib/gnutls_anon_cred.c @@ -40,10 +40,10 @@ static const int anon_dummy; * This structure is complex enough to manipulate directly thus * this helper function is provided in order to free (deallocate) it. **/ -void gnutls_anon_free_server_credentials( gnutls_anon_server_credentials sc) +void gnutls_anon_free_server_credentials(gnutls_anon_server_credentials sc) { - gnutls_free( sc); + gnutls_free(sc); } /*- @@ -53,26 +53,27 @@ void gnutls_anon_free_server_credentials( gnutls_anon_server_credentials sc) * This function will return the dh parameters pointer. * -*/ -gnutls_dh_params _gnutls_anon_get_dh_params(const gnutls_anon_server_credentials sc, - gnutls_session session) +gnutls_dh_params _gnutls_anon_get_dh_params(const + gnutls_anon_server_credentials + sc, gnutls_session session) { -gnutls_params_st params; -int ret; - - if (session->internals.params.anon_dh_params) - return session->internals.params.anon_dh_params; - - if (sc->dh_params) { - session->internals.params.anon_dh_params = sc->dh_params; - } else if (sc->params_func) { - ret = sc->params_func( session, GNUTLS_PARAMS_DH, ¶ms); - if (ret == 0 && params.type == GNUTLS_PARAMS_DH) { - session->internals.params.anon_dh_params = params.params.dh; - session->internals.params.free_anon_dh_params = params.deinit; - } - } - + gnutls_params_st params; + int ret; + + if (session->internals.params.anon_dh_params) return session->internals.params.anon_dh_params; + + if (sc->dh_params) { + session->internals.params.anon_dh_params = sc->dh_params; + } else if (sc->params_func) { + ret = sc->params_func(session, GNUTLS_PARAMS_DH, ¶ms); + if (ret == 0 && params.type == GNUTLS_PARAMS_DH) { + session->internals.params.anon_dh_params = params.params.dh; + session->internals.params.free_anon_dh_params = params.deinit; + } + } + + return session->internals.params.anon_dh_params; } /** @@ -82,11 +83,13 @@ int ret; * This structure is complex enough to manipulate directly thus * this helper function is provided in order to allocate it. **/ -int gnutls_anon_allocate_server_credentials( gnutls_anon_server_credentials *sc) { +int gnutls_anon_allocate_server_credentials(gnutls_anon_server_credentials + * sc) +{ - *sc = gnutls_calloc( 1, sizeof(anon_server_credentials_st)); + *sc = gnutls_calloc(1, sizeof(anon_server_credentials_st)); - return 0; + return 0; } @@ -97,7 +100,8 @@ int gnutls_anon_allocate_server_credentials( gnutls_anon_server_credentials *sc) * This structure is complex enough to manipulate directly thus * this helper function is provided in order to free (deallocate) it. **/ -void gnutls_anon_free_client_credentials( gnutls_anon_client_credentials sc) { +void gnutls_anon_free_client_credentials(gnutls_anon_client_credentials sc) +{ } /** @@ -107,14 +111,15 @@ void gnutls_anon_free_client_credentials( gnutls_anon_client_credentials sc) { * This structure is complex enough to manipulate directly thus * this helper function is provided in order to allocate it. **/ -int gnutls_anon_allocate_client_credentials( gnutls_anon_client_credentials *sc) +int gnutls_anon_allocate_client_credentials(gnutls_anon_client_credentials + * sc) { - /* anon_dummy is only there for *sc not to be null. - * it is not used at all; - */ - *sc = (void*) &anon_dummy; - - return 0; + /* anon_dummy is only there for *sc not to be null. + * it is not used at all; + */ + *sc = (void *) &anon_dummy; + + return 0; } #endif diff --git a/lib/gnutls_asn1_tab.c b/lib/gnutls_asn1_tab.c index b7bfa2e03d..39c056c875 100644 --- a/lib/gnutls_asn1_tab.c +++ b/lib/gnutls_asn1_tab.c @@ -1,60 +1,60 @@ #include "libtasn1.h" -const ASN1_ARRAY_TYPE gnutls_asn1_tab[]={ - {"GNUTLS",536872976,0}, - {0,1073741836,0}, - {"RSAPublicKey",1610612741,0}, - {"modulus",1073741827,0}, - {"publicExponent",3,0}, - {"RSAPrivateKey",1610612741,0}, - {"version",1073741826,"Version"}, - {"modulus",1073741827,0}, - {"publicExponent",1073741827,0}, - {"privateExponent",1073741827,0}, - {"prime1",1073741827,0}, - {"prime2",1073741827,0}, - {"exponent1",1073741827,0}, - {"exponent2",1073741827,0}, - {"coefficient",1073741827,0}, - {"otherPrimeInfos",16386,"OtherPrimeInfos"}, - {"Version",1610874883,0}, - {"two-prime",1073741825,"0"}, - {"multi",1,"1"}, - {"OtherPrimeInfos",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"OtherPrimeInfo"}, - {"OtherPrimeInfo",1610612741,0}, - {"prime",1073741827,0}, - {"exponent",1073741827,0}, - {"coefficient",3,0}, - {"AlgorithmIdentifier",1610612741,0}, - {"algorithm",1073741836,0}, - {"parameters",541081613,0}, - {"algorithm",1,0}, - {"DigestInfo",1610612741,0}, - {"digestAlgorithm",1073741826,"DigestAlgorithmIdentifier"}, - {"digest",2,"Digest"}, - {"DigestAlgorithmIdentifier",1073741826,"AlgorithmIdentifier"}, - {"Digest",1073741831,0}, - {"DSAPublicKey",1073741827,0}, - {"DSAParameters",1610612741,0}, - {"p",1073741827,0}, - {"q",1073741827,0}, - {"g",3,0}, - {"DSASignatureValue",1610612741,0}, - {"r",1073741827,0}, - {"s",3,0}, - {"DSAPrivateKey",1610612741,0}, - {"version",1073741827,0}, - {"p",1073741827,0}, - {"q",1073741827,0}, - {"g",1073741827,0}, - {"Y",1073741827,0}, - {"priv",3,0}, - {"DHParameter",536870917,0}, - {"prime",1073741827,0}, - {"base",1073741827,0}, - {"privateValueLength",16387,0}, - {0,0,0} +const ASN1_ARRAY_TYPE gnutls_asn1_tab[] = { + {"GNUTLS", 536872976, 0}, + {0, 1073741836, 0}, + {"RSAPublicKey", 1610612741, 0}, + {"modulus", 1073741827, 0}, + {"publicExponent", 3, 0}, + {"RSAPrivateKey", 1610612741, 0}, + {"version", 1073741826, "Version"}, + {"modulus", 1073741827, 0}, + {"publicExponent", 1073741827, 0}, + {"privateExponent", 1073741827, 0}, + {"prime1", 1073741827, 0}, + {"prime2", 1073741827, 0}, + {"exponent1", 1073741827, 0}, + {"exponent2", 1073741827, 0}, + {"coefficient", 1073741827, 0}, + {"otherPrimeInfos", 16386, "OtherPrimeInfos"}, + {"Version", 1610874883, 0}, + {"two-prime", 1073741825, "0"}, + {"multi", 1, "1"}, + {"OtherPrimeInfos", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "OtherPrimeInfo"}, + {"OtherPrimeInfo", 1610612741, 0}, + {"prime", 1073741827, 0}, + {"exponent", 1073741827, 0}, + {"coefficient", 3, 0}, + {"AlgorithmIdentifier", 1610612741, 0}, + {"algorithm", 1073741836, 0}, + {"parameters", 541081613, 0}, + {"algorithm", 1, 0}, + {"DigestInfo", 1610612741, 0}, + {"digestAlgorithm", 1073741826, "DigestAlgorithmIdentifier"}, + {"digest", 2, "Digest"}, + {"DigestAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"}, + {"Digest", 1073741831, 0}, + {"DSAPublicKey", 1073741827, 0}, + {"DSAParameters", 1610612741, 0}, + {"p", 1073741827, 0}, + {"q", 1073741827, 0}, + {"g", 3, 0}, + {"DSASignatureValue", 1610612741, 0}, + {"r", 1073741827, 0}, + {"s", 3, 0}, + {"DSAPrivateKey", 1610612741, 0}, + {"version", 1073741827, 0}, + {"p", 1073741827, 0}, + {"q", 1073741827, 0}, + {"g", 1073741827, 0}, + {"Y", 1073741827, 0}, + {"priv", 3, 0}, + {"DHParameter", 536870917, 0}, + {"prime", 1073741827, 0}, + {"base", 1073741827, 0}, + {"privateValueLength", 16387, 0}, + {0, 0, 0} }; diff --git a/lib/gnutls_auth.c b/lib/gnutls_auth.c index a383ff1eaa..1819a6ab76 100644 --- a/lib/gnutls_auth.c +++ b/lib/gnutls_auth.c @@ -41,17 +41,18 @@ * Clears all the credentials previously set in this session. * **/ -void gnutls_credentials_clear( gnutls_session session) { - if (session->key && session->key->cred) { /* beginning of the list */ - auth_cred_st * ccred, *ncred; - ccred = session->key->cred; - while(ccred!=NULL) { - ncred = ccred->next; - gnutls_free(ccred); - ccred = ncred; - } - session->key->cred = NULL; +void gnutls_credentials_clear(gnutls_session session) +{ + if (session->key && session->key->cred) { /* beginning of the list */ + auth_cred_st *ccred, *ncred; + ccred = session->key->cred; + while (ccred != NULL) { + ncred = ccred->next; + gnutls_free(ccred); + ccred = ncred; } + session->key->cred = NULL; + } } /* @@ -83,51 +84,55 @@ void gnutls_credentials_clear( gnutls_session session) { * For GNUTLS_CRD_CERTIFICATE cred should be gnutls_certificate_credentials. * **/ -int gnutls_credentials_set( gnutls_session session, gnutls_credentials_type type, void* cred) { - auth_cred_st * ccred=NULL, *pcred=NULL; - int exists=0; - - if (session->key->cred==NULL) { /* beginning of the list */ - - session->key->cred = gnutls_malloc(sizeof(auth_cred_st)); - if (session->key->cred == NULL) return GNUTLS_E_MEMORY_ERROR; - - /* copy credentials locally */ - session->key->cred->credentials = cred; - - session->key->cred->next = NULL; - session->key->cred->algorithm = type; - } else { - ccred = session->key->cred; - while(ccred!=NULL) { - if (ccred->algorithm==type) { - exists=1; - break; - } - pcred = ccred; - ccred = ccred->next; - } - /* After this, pcred is not null. - */ - - if (exists==0) { /* new entry */ - pcred->next = gnutls_malloc(sizeof(auth_cred_st)); - if (pcred->next == NULL) return GNUTLS_E_MEMORY_ERROR; - - ccred = pcred->next; - - /* copy credentials locally */ - ccred->credentials = cred; - - ccred->next = NULL; - ccred->algorithm = type; - } else { /* modify existing entry */ - gnutls_free(ccred->credentials); - ccred->credentials = cred; - } +int gnutls_credentials_set(gnutls_session session, + gnutls_credentials_type type, void *cred) +{ + auth_cred_st *ccred = NULL, *pcred = NULL; + int exists = 0; + + if (session->key->cred == NULL) { /* beginning of the list */ + + session->key->cred = gnutls_malloc(sizeof(auth_cred_st)); + if (session->key->cred == NULL) + return GNUTLS_E_MEMORY_ERROR; + + /* copy credentials locally */ + session->key->cred->credentials = cred; + + session->key->cred->next = NULL; + session->key->cred->algorithm = type; + } else { + ccred = session->key->cred; + while (ccred != NULL) { + if (ccred->algorithm == type) { + exists = 1; + break; + } + pcred = ccred; + ccred = ccred->next; } + /* After this, pcred is not null. + */ + + if (exists == 0) { /* new entry */ + pcred->next = gnutls_malloc(sizeof(auth_cred_st)); + if (pcred->next == NULL) + return GNUTLS_E_MEMORY_ERROR; + + ccred = pcred->next; + + /* copy credentials locally */ + ccred->credentials = cred; - return 0; + ccred->next = NULL; + ccred->algorithm = type; + } else { /* modify existing entry */ + gnutls_free(ccred->credentials); + ccred->credentials = cred; + } + } + + return 0; } /** @@ -141,16 +146,18 @@ int gnutls_credentials_set( gnutls_session session, gnutls_credentials_type type * Eg. for CERTIFICATE ciphersuites (key exchange algorithms: KX_RSA, KX_DHE_RSA), * the same function are to be used to access the authentication data. **/ -gnutls_credentials_type gnutls_auth_get_type( gnutls_session session) +gnutls_credentials_type gnutls_auth_get_type(gnutls_session session) { /* This is not the credentials we must set, but the authentication data * we get by the peer, so it should be reversed. */ -int server = session->security_parameters.entity==GNUTLS_SERVER?0:1; + int server = + session->security_parameters.entity == GNUTLS_SERVER ? 0 : 1; - return _gnutls_map_kx_get_cred( - _gnutls_cipher_suite_get_kx_algo( - &session->security_parameters.current_cipher_suite), server); + return + _gnutls_map_kx_get_cred(_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite), server); } /** @@ -162,11 +169,12 @@ int server = session->security_parameters.entity==GNUTLS_SERVER?0:1; * to access authentication data. * **/ -gnutls_credentials_type gnutls_auth_server_get_type( gnutls_session session) +gnutls_credentials_type gnutls_auth_server_get_type(gnutls_session session) { - return _gnutls_map_kx_get_cred( - _gnutls_cipher_suite_get_kx_algo( - &session->security_parameters.current_cipher_suite), 1); + return + _gnutls_map_kx_get_cred(_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite), 1); } /** @@ -178,11 +186,12 @@ gnutls_credentials_type gnutls_auth_server_get_type( gnutls_session session) * to access authentication data. * **/ -gnutls_credentials_type gnutls_auth_client_get_type( gnutls_session session) +gnutls_credentials_type gnutls_auth_client_get_type(gnutls_session session) { - return _gnutls_map_kx_get_cred( - _gnutls_cipher_suite_get_kx_algo( - &session->security_parameters.current_cipher_suite), 0); + return + _gnutls_map_kx_get_cred(_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite), 0); } @@ -190,35 +199,43 @@ gnutls_credentials_type gnutls_auth_client_get_type( gnutls_session session) * This returns a pointer to the linked list. Don't * free that!!! */ -const void *_gnutls_get_kx_cred( gnutls_session session, gnutls_kx_algorithm algo, int *err) +const void *_gnutls_get_kx_cred(gnutls_session session, + gnutls_kx_algorithm algo, int *err) { -int server = session->security_parameters.entity==GNUTLS_SERVER?1:0; + int server = + session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0; - return _gnutls_get_cred( session->key, _gnutls_map_kx_get_cred(algo, server), err); + return _gnutls_get_cred(session->key, + _gnutls_map_kx_get_cred(algo, server), err); } -const void *_gnutls_get_cred( gnutls_key_st key, gnutls_credentials_type type, int *err) { - const void *retval = NULL; - int _err = -1; - auth_cred_st * ccred; +const void *_gnutls_get_cred(gnutls_key_st key, + gnutls_credentials_type type, int *err) +{ + const void *retval = NULL; + int _err = -1; + auth_cred_st *ccred; - if (key == NULL) goto out; + if (key == NULL) + goto out; - ccred = key->cred; - while(ccred!=NULL) { - if (ccred->algorithm==type) { - break; - } - ccred = ccred->next; + ccred = key->cred; + while (ccred != NULL) { + if (ccred->algorithm == type) { + break; } - if (ccred==NULL) goto out; + ccred = ccred->next; + } + if (ccred == NULL) + goto out; - _err = 0; - retval = ccred->credentials; + _err = 0; + retval = ccred->credentials; - out: - if (err!=NULL) *err=_err; - return retval; + out: + if (err != NULL) + *err = _err; + return retval; } /*- @@ -234,8 +251,9 @@ const void *_gnutls_get_cred( gnutls_key_st key, gnutls_credentials_type type, i * In case of GNUTLS_CRD_CERTIFICATE returns a type of &cert_auth_info_t; * In case of GNUTLS_CRD_SRP returns a type of &srp_(server/client)_auth_info_t; -*/ -void* _gnutls_get_auth_info( gnutls_session session) { - return session->key->auth_info; +void *_gnutls_get_auth_info(gnutls_session session) +{ + return session->key->auth_info; } /*- @@ -246,43 +264,44 @@ void* _gnutls_get_auth_info( gnutls_session session) { * null. It must be called since some structures contain malloced * elements. -*/ -void _gnutls_free_auth_info( gnutls_session session) { - if (session==NULL || session->key==NULL) { - gnutls_assert(); - return; - } - - switch ( session->key->auth_info_type) { - case GNUTLS_CRD_SRP: - case GNUTLS_CRD_ANON: - - break; - case GNUTLS_CRD_CERTIFICATE: { - unsigned int i; - cert_auth_info_t info = - _gnutls_get_auth_info(session); - - if (info==NULL) break; - for (i=0;i<info->ncerts;i++) { - _gnutls_free_datum( &info->raw_certificate_list[i]); - } - - gnutls_free( info->raw_certificate_list); - info->raw_certificate_list = NULL; - info->ncerts = 0; - } +void _gnutls_free_auth_info(gnutls_session session) +{ + if (session == NULL || session->key == NULL) { + gnutls_assert(); + return; + } + + switch (session->key->auth_info_type) { + case GNUTLS_CRD_SRP: + case GNUTLS_CRD_ANON: + break; + case GNUTLS_CRD_CERTIFICATE:{ + unsigned int i; + cert_auth_info_t info = _gnutls_get_auth_info(session); + if (info == NULL) break; - default: - return; + for (i = 0; i < info->ncerts; i++) { + _gnutls_free_datum(&info->raw_certificate_list[i]); + } + gnutls_free(info->raw_certificate_list); + info->raw_certificate_list = NULL; + info->ncerts = 0; } - gnutls_free( session->key->auth_info); - session->key->auth_info = NULL; - session->key->auth_info_size = 0; - session->key->auth_info_type = 0; + + break; + default: + return; + + } + + gnutls_free(session->key->auth_info); + session->key->auth_info = NULL; + session->key->auth_info_size = 0; + session->key->auth_info_type = 0; } @@ -291,65 +310,69 @@ void _gnutls_free_auth_info( gnutls_session session) { * If allow change is !=0 then this will allow changing the auth * info structure to a different type. */ -int _gnutls_auth_info_set( gnutls_session session, - gnutls_credentials_type type, int size, int allow_change) +int _gnutls_auth_info_set(gnutls_session session, + gnutls_credentials_type type, int size, + int allow_change) { - if ( session->key->auth_info == NULL) { - session->key->auth_info = gnutls_calloc( 1, size); + if (session->key->auth_info == NULL) { + session->key->auth_info = gnutls_calloc(1, size); + if (session->key->auth_info == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + session->key->auth_info_type = type; + session->key->auth_info_size = size; + } else { + if (allow_change == 0) { + /* If the credentials for the current authentication scheme, + * are not the one we want to set, then it's an error. + * This may happen if a rehandshake is performed an the + * ciphersuite which is negotiated has different authentication + * schema. + */ + if (gnutls_auth_get_type(session) != + session->key->auth_info_type) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + } else { + /* The new behaviour: Here we reallocate the auth info structure + * in order to be able to negotiate different authentication + * types. Ie. perform an auth_anon and then authenticate again using a + * certificate (in order to prevent revealing the certificate's contents, + * to passive eavesdropers. + */ + if (gnutls_auth_get_type(session) != + session->key->auth_info_type) { + session->key->auth_info = + gnutls_realloc_fast(session->key->auth_info, size); if (session->key->auth_info == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + memset(session->key->auth_info, 0, size); session->key->auth_info_type = type; session->key->auth_info_size = size; - } else { - if (allow_change==0) { - /* If the credentials for the current authentication scheme, - * are not the one we want to set, then it's an error. - * This may happen if a rehandshake is performed an the - * ciphersuite which is negotiated has different authentication - * schema. - */ - if ( gnutls_auth_get_type( session) != session->key->auth_info_type) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - } else { - /* The new behaviour: Here we reallocate the auth info structure - * in order to be able to negotiate different authentication - * types. Ie. perform an auth_anon and then authenticate again using a - * certificate (in order to prevent revealing the certificate's contents, - * to passive eavesdropers. - */ - if ( gnutls_auth_get_type( session) != session->key->auth_info_type) { - session->key->auth_info = gnutls_realloc_fast( - session->key->auth_info, size); - if (session->key->auth_info == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - memset( session->key->auth_info, 0, size); - session->key->auth_info_type = type; - session->key->auth_info_size = size; - } - } + } } - return 0; + } + return 0; } /* this function will copy an mpi_t key to * opaque data. */ -int _gnutls_generate_session_key(gnutls_key_st key) { -size_t tmp; +int _gnutls_generate_session_key(gnutls_key_st key) +{ + size_t tmp; - _gnutls_mpi_print( NULL, &tmp, key->KEY); - key->key.data = gnutls_secure_malloc( tmp); - if ( key->key.data==NULL) { - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_mpi_print( key->key.data, &tmp, key->KEY); - - key->key.size = tmp; - return 0; + _gnutls_mpi_print(NULL, &tmp, key->KEY); + key->key.data = gnutls_secure_malloc(tmp); + if (key->key.data == NULL) { + return GNUTLS_E_MEMORY_ERROR; + } + _gnutls_mpi_print(key->key.data, &tmp, key->KEY); + + key->key.size = tmp; + return 0; } diff --git a/lib/gnutls_auth.h b/lib/gnutls_auth.h index 23cb6d742e..1012ad0b0d 100644 --- a/lib/gnutls_auth.h +++ b/lib/gnutls_auth.h @@ -2,20 +2,25 @@ # define GNUTLS_AUTH_H typedef struct mod_auth_st_int { - const char* name; /* null terminated */ - int (*gnutls_generate_server_certificate)( gnutls_session, opaque**); - int (*gnutls_generate_client_certificate)( gnutls_session, opaque**); - int (*gnutls_generate_server_kx)( gnutls_session, opaque**); - int (*gnutls_generate_client_kx)( gnutls_session, opaque**); /* used in SRP */ - int (*gnutls_generate_client_cert_vrfy) ( gnutls_session, opaque**); - int (*gnutls_generate_server_certificate_request) ( gnutls_session, opaque**); - - int (*gnutls_process_server_certificate)( gnutls_session, opaque*, size_t); - int (*gnutls_process_client_certificate)( gnutls_session, opaque*, size_t); - int (*gnutls_process_server_kx)( gnutls_session, opaque*, size_t); - int (*gnutls_process_client_kx)( gnutls_session, opaque*, size_t); - int (*gnutls_process_client_cert_vrfy) ( gnutls_session, opaque*, size_t); - int (*gnutls_process_server_certificate_request) ( gnutls_session, opaque*, size_t); + const char *name; /* null terminated */ + int (*gnutls_generate_server_certificate) (gnutls_session, opaque **); + int (*gnutls_generate_client_certificate) (gnutls_session, opaque **); + int (*gnutls_generate_server_kx) (gnutls_session, opaque **); + int (*gnutls_generate_client_kx) (gnutls_session, opaque **); /* used in SRP */ + int (*gnutls_generate_client_cert_vrfy) (gnutls_session, opaque **); + int (*gnutls_generate_server_certificate_request) (gnutls_session, + opaque **); + + int (*gnutls_process_server_certificate) (gnutls_session, opaque *, + size_t); + int (*gnutls_process_client_certificate) (gnutls_session, opaque *, + size_t); + int (*gnutls_process_server_kx) (gnutls_session, opaque *, size_t); + int (*gnutls_process_client_kx) (gnutls_session, opaque *, size_t); + int (*gnutls_process_client_cert_vrfy) (gnutls_session, opaque *, + size_t); + int (*gnutls_process_server_certificate_request) (gnutls_session, + opaque *, size_t); } mod_auth_st; #endif diff --git a/lib/gnutls_auth_int.h b/lib/gnutls_auth_int.h index c8ee82e373..e0de2f440a 100644 --- a/lib/gnutls_auth_int.h +++ b/lib/gnutls_auth_int.h @@ -1,8 +1,13 @@ -void gnutls_credentials_clear( gnutls_session session); -int gnutls_credentials_set( gnutls_session session, gnutls_credentials_type type, void* cred); -const void *_gnutls_get_cred( gnutls_key_st key, gnutls_credentials_type kx, int* err); -const void *_gnutls_get_kx_cred( gnutls_session session, gnutls_kx_algorithm algo, int *err); +void gnutls_credentials_clear(gnutls_session session); +int gnutls_credentials_set(gnutls_session session, + gnutls_credentials_type type, void *cred); +const void *_gnutls_get_cred(gnutls_key_st key, gnutls_credentials_type kx, + int *err); +const void *_gnutls_get_kx_cred(gnutls_session session, + gnutls_kx_algorithm algo, int *err); int _gnutls_generate_session_key(gnutls_key_st key); -gnutls_credentials_type gnutls_auth_get_type( gnutls_session session); -void* _gnutls_get_auth_info( gnutls_session session); -int _gnutls_auth_info_set( gnutls_session session, gnutls_credentials_type type, int size, int allow_change); +gnutls_credentials_type gnutls_auth_get_type(gnutls_session session); +void *_gnutls_get_auth_info(gnutls_session session); +int _gnutls_auth_info_set(gnutls_session session, + gnutls_credentials_type type, int size, + int allow_change); diff --git a/lib/gnutls_buffer.h b/lib/gnutls_buffer.h index 58531d9383..8670d85ed8 100644 --- a/lib/gnutls_buffer.h +++ b/lib/gnutls_buffer.h @@ -5,4 +5,3 @@ typedef gnutls_string gnutls_buffer; #define _gnutls_buffer_init(buf) _gnutls_string_init(buf, gnutls_malloc, gnutls_realloc, gnutls_free); #define _gnutls_buffer_clear _gnutls_string_clear #define _gnutls_buffer_append _gnutls_string_append_data - diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c index aa31d7a70a..13fb79035f 100644 --- a/lib/gnutls_buffers.c +++ b/lib/gnutls_buffers.c @@ -63,10 +63,11 @@ # define EAGAIN EWOULDBLOCK #endif -inline -static int RET( int err) { - if (err==EAGAIN) return GNUTLS_E_AGAIN; - return GNUTLS_E_INTERRUPTED; +inline static int RET(int err) +{ + if (err == EAGAIN) + return GNUTLS_E_AGAIN; + return GNUTLS_E_INTERRUPTED; } #ifdef IO_DEBUG @@ -76,52 +77,59 @@ static int RET( int err) { /* Buffers received packets of type APPLICATION DATA and * HANDSHAKE DATA. */ -int _gnutls_record_buffer_put(content_type_t type, gnutls_session session, opaque *data, size_t length) +int _gnutls_record_buffer_put(content_type_t type, gnutls_session session, + opaque * data, size_t length) { - if (length==0) return 0; - switch( type) { - case GNUTLS_APPLICATION_DATA: - - if ( _gnutls_buffer_append( &session->internals.application_data_buffer, - data, length) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_buffers_log( "BUF[REC]: Inserted %d bytes of Data(%d)\n", length, type); + if (length == 0) + return 0; + switch (type) { + case GNUTLS_APPLICATION_DATA: + + if (_gnutls_buffer_append + (&session->internals.application_data_buffer, data, + length) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + _gnutls_buffers_log("BUF[REC]: Inserted %d bytes of Data(%d)\n", + length, type); + + break; + case GNUTLS_HANDSHAKE: + if (_gnutls_buffer_append + (&session->internals.handshake_data_buffer, data, + length) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - break; - case GNUTLS_HANDSHAKE: - if ( _gnutls_buffer_append( &session->internals.handshake_data_buffer, - data, length) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + _gnutls_buffers_log("BUF[HSK]: Inserted %d bytes of Data(%d)\n", + length, type); - _gnutls_buffers_log( "BUF[HSK]: Inserted %d bytes of Data(%d)\n", length, type); + break; - break; - - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return 0; + return 0; } -int _gnutls_record_buffer_get_size(content_type_t type, gnutls_session session) +int _gnutls_record_buffer_get_size(content_type_t type, + gnutls_session session) { - switch( type) { - case GNUTLS_APPLICATION_DATA: - return session->internals.application_data_buffer.length; - - case GNUTLS_HANDSHAKE: - return session->internals.handshake_data_buffer.length; - - default: - return GNUTLS_E_INVALID_REQUEST; - } + switch (type) { + case GNUTLS_APPLICATION_DATA: + return session->internals.application_data_buffer.length; + + case GNUTLS_HANDSHAKE: + return session->internals.handshake_data_buffer.length; + + default: + return GNUTLS_E_INVALID_REQUEST; + } } /** @@ -135,63 +143,70 @@ int _gnutls_record_buffer_get_size(content_type_t type, gnutls_session session) * (gnutls leaves some data in the tcp buffer in order for select * to work). **/ -size_t gnutls_record_check_pending(gnutls_session session) { - return _gnutls_record_buffer_get_size(GNUTLS_APPLICATION_DATA, session); +size_t gnutls_record_check_pending(gnutls_session session) +{ + return _gnutls_record_buffer_get_size(GNUTLS_APPLICATION_DATA, + session); } -int _gnutls_record_buffer_get(content_type_t type, gnutls_session session, opaque *data, size_t length) +int _gnutls_record_buffer_get(content_type_t type, gnutls_session session, + opaque * data, size_t length) { - if (length==0 || data==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (length == 0 || data == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + switch (type) { + case GNUTLS_APPLICATION_DATA: + + if (length > session->internals.application_data_buffer.length) { + length = session->internals.application_data_buffer.length; } - - switch(type) { - case GNUTLS_APPLICATION_DATA: - if (length > session->internals.application_data_buffer.length) { - length = session->internals.application_data_buffer.length; - } + _gnutls_buffers_log("BUFFER[REC][AD]: Read %d bytes of Data(%d)\n", + length, type); - _gnutls_buffers_log( "BUFFER[REC][AD]: Read %d bytes of Data(%d)\n", length, type); + session->internals.application_data_buffer.length -= length; + memcpy(data, session->internals.application_data_buffer.data, + length); - session->internals.application_data_buffer.length -= length; - memcpy(data, session->internals.application_data_buffer.data, length); + /* overwrite buffer */ + memmove(session->internals.application_data_buffer.data, + &session->internals.application_data_buffer.data[length], + session->internals.application_data_buffer.length); - /* overwrite buffer */ - memmove(session->internals.application_data_buffer.data, - &session->internals.application_data_buffer.data[length], - session->internals.application_data_buffer.length); + /* we do no longer realloc the application_data_buffer.data, + * since it serves no practical reason. It also decreases + * performance. + */ + break; - /* we do no longer realloc the application_data_buffer.data, - * since it serves no practical reason. It also decreases - * performance. - */ - break; - - case GNUTLS_HANDSHAKE: - if (length > session->internals.handshake_data_buffer.length) { - length = session->internals.handshake_data_buffer.length; - } + case GNUTLS_HANDSHAKE: + if (length > session->internals.handshake_data_buffer.length) { + length = session->internals.handshake_data_buffer.length; + } - _gnutls_buffers_log( "BUF[REC][HD]: Read %d bytes of Data(%d)\n", length, type); + _gnutls_buffers_log("BUF[REC][HD]: Read %d bytes of Data(%d)\n", + length, type); - session->internals.handshake_data_buffer.length -= length; - memcpy(data, session->internals.handshake_data_buffer.data, length); + session->internals.handshake_data_buffer.length -= length; + memcpy(data, session->internals.handshake_data_buffer.data, + length); - /* overwrite buffer */ - memmove(session->internals.handshake_data_buffer.data, - &session->internals.handshake_data_buffer.data[length], - session->internals.handshake_data_buffer.length); + /* overwrite buffer */ + memmove(session->internals.handshake_data_buffer.data, + &session->internals.handshake_data_buffer.data[length], + session->internals.handshake_data_buffer.length); - break; - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + break; + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return length; + return length; } @@ -200,124 +215,134 @@ int _gnutls_record_buffer_get(content_type_t type, gnutls_session session, opaqu * * Flags are only used if the default recv() function is being used. */ -static ssize_t _gnutls_read( gnutls_session session, void *iptr, size_t sizeOfPtr, int flags) +static ssize_t _gnutls_read(gnutls_session session, void *iptr, + size_t sizeOfPtr, int flags) { - size_t left; - ssize_t i=0; - char *ptr = iptr; - uint j,x, sum=0; - gnutls_transport_ptr fd = session->internals.transport_recv_ptr; - - session->internals.direction = 0; - - left = sizeOfPtr; - while (left > 0) { - - if (session->internals._gnutls_pull_func==NULL) - i = recv( (int)fd, &ptr[sizeOfPtr-left], left, flags); - else - i = session->internals._gnutls_pull_func(fd, &ptr[sizeOfPtr-left], left); - - if (i < 0) { - _gnutls_read_log( "READ: %d returned from %d, errno=%d\n", i, fd, errno); - - if (errno == EAGAIN || errno == EINTR) { - if (sizeOfPtr-left > 0) { - - _gnutls_read_log( "READ: returning %d bytes from %d\n", sizeOfPtr-left, fd); - - goto finish; - } - gnutls_assert(); - - return RET(errno); - } else { - gnutls_assert(); - return GNUTLS_E_PULL_ERROR; - } - } else { - - _gnutls_read_log( "READ: Got %d bytes from %d\n", i, fd); - - if (i == 0) - break; /* EOF */ + size_t left; + ssize_t i = 0; + char *ptr = iptr; + uint j, x, sum = 0; + gnutls_transport_ptr fd = session->internals.transport_recv_ptr; + + session->internals.direction = 0; + + left = sizeOfPtr; + while (left > 0) { + + if (session->internals._gnutls_pull_func == NULL) + i = recv((int) fd, &ptr[sizeOfPtr - left], left, flags); + else + i = session->internals._gnutls_pull_func(fd, + &ptr[sizeOfPtr - + left], left); + + if (i < 0) { + _gnutls_read_log("READ: %d returned from %d, errno=%d\n", i, + fd, errno); + + if (errno == EAGAIN || errno == EINTR) { + if (sizeOfPtr - left > 0) { + + _gnutls_read_log("READ: returning %d bytes from %d\n", + sizeOfPtr - left, fd); + + goto finish; } + gnutls_assert(); + + return RET(errno); + } else { + gnutls_assert(); + return GNUTLS_E_PULL_ERROR; + } + } else { - left -= i; + _gnutls_read_log("READ: Got %d bytes from %d\n", i, fd); + if (i == 0) + break; /* EOF */ } - finish: + left -= i; - if (_gnutls_log_level >= 7) { - char line[128]; - char tmp[16]; - - - _gnutls_read_log( "READ: read %d bytes from %d\n", (sizeOfPtr-left), fd); - - for (x=0;x<((sizeOfPtr-left)/16)+1;x++) { - line[0] = 0; - - sprintf( tmp, "%.4x - ",x); - _gnutls_str_cat( line, sizeof(line), tmp); - - for (j=0;j<16;j++) { - if (sum<(sizeOfPtr-left)) { - sprintf( tmp, "%.2x ", ((unsigned char*)ptr)[sum++]); - _gnutls_str_cat( line, sizeof(line), tmp); - } - } - _gnutls_read_log( "%s\n", line); + } + + finish: + + if (_gnutls_log_level >= 7) { + char line[128]; + char tmp[16]; + + + _gnutls_read_log("READ: read %d bytes from %d\n", + (sizeOfPtr - left), fd); + + for (x = 0; x < ((sizeOfPtr - left) / 16) + 1; x++) { + line[0] = 0; + + sprintf(tmp, "%.4x - ", x); + _gnutls_str_cat(line, sizeof(line), tmp); + + for (j = 0; j < 16; j++) { + if (sum < (sizeOfPtr - left)) { + sprintf(tmp, "%.2x ", ((unsigned char *) ptr)[sum++]); + _gnutls_str_cat(line, sizeof(line), tmp); } + } + _gnutls_read_log("%s\n", line); } + } - return (sizeOfPtr - left); + return (sizeOfPtr - left); } -#define RCVLOWAT session->internals.lowat +#define RCVLOWAT session->internals.lowat /* This function is only used with berkeley style sockets. * Clears the peeked data (read with MSG_PEEK). */ -int _gnutls_io_clear_peeked_data( gnutls_session session) { -char *peekdata; -int ret, sum; - - if (session->internals.have_peeked_data==0 || RCVLOWAT==0) - return 0; - - peekdata = gnutls_alloca( RCVLOWAT); - if (peekdata==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - /* this was already read by using MSG_PEEK - so it shouldn't fail */ - sum = 0; - do { /* we need this to finish now */ - ret = _gnutls_read( session, peekdata, RCVLOWAT-sum, 0); - if (ret > 0) sum+=ret; - } while( ret==GNUTLS_E_INTERRUPTED || ret==GNUTLS_E_AGAIN || sum < RCVLOWAT); - - gnutls_afree(peekdata); - - if (ret < 0) { - gnutls_assert(); - return ret; - } +int _gnutls_io_clear_peeked_data(gnutls_session session) +{ + char *peekdata; + int ret, sum; + + if (session->internals.have_peeked_data == 0 || RCVLOWAT == 0) + return 0; + + peekdata = gnutls_alloca(RCVLOWAT); + if (peekdata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + /* this was already read by using MSG_PEEK - so it shouldn't fail */ + sum = 0; + do { /* we need this to finish now */ + ret = _gnutls_read(session, peekdata, RCVLOWAT - sum, 0); + if (ret > 0) + sum += ret; + } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN + || sum < RCVLOWAT); - session->internals.have_peeked_data=0; + gnutls_afree(peekdata); - return 0; + if (ret < 0) { + gnutls_assert(); + return ret; + } + + session->internals.have_peeked_data = 0; + + return 0; } -void _gnutls_io_clear_read_buffer( gnutls_session session) { - session->internals.record_recv_buffer.length = 0; +void _gnutls_io_clear_read_buffer(gnutls_session session) +{ + session->internals.record_recv_buffer.length = 0; } - + /* This function is like recv(with MSG_PEEK). But it does not return -1 on error. * It does return gnutls_errno instead. * This function reads data from the socket and keeps them in a buffer, of up to @@ -327,152 +352,163 @@ void _gnutls_io_clear_read_buffer( gnutls_session session) { * which are stored in a local (in the session) buffer. A pointer (iptr) to this buffer is returned. * */ -ssize_t _gnutls_io_read_buffered( gnutls_session session, opaque **iptr, size_t sizeOfPtr, content_type_t recv_type) +ssize_t _gnutls_io_read_buffered(gnutls_session session, opaque ** iptr, + size_t sizeOfPtr, + content_type_t recv_type) { - ssize_t ret=0, ret2=0; - size_t min; - int buf_pos; - opaque *buf; - int recvlowat; - int recvdata, alloc_size; - - *iptr = session->internals.record_recv_buffer.data; - - if ( sizeOfPtr > MAX_RECV_SIZE || sizeOfPtr == 0) { - gnutls_assert(); /* internal error */ - return GNUTLS_E_INVALID_REQUEST; - } - - /* If an external pull function is used, then do not leave - * any data into the kernel buffer. - */ - if (session->internals._gnutls_pull_func != NULL) { - recvlowat = 0; - } else { - /* leave peeked data to the kernel space only if application data - * is received and we don't have any peeked - * data in gnutls session. - */ - if ( recv_type != GNUTLS_APPLICATION_DATA - && session->internals.have_peeked_data==0) - recvlowat = 0; - else recvlowat = RCVLOWAT; - } - + ssize_t ret = 0, ret2 = 0; + size_t min; + int buf_pos; + opaque *buf; + int recvlowat; + int recvdata, alloc_size; + + *iptr = session->internals.record_recv_buffer.data; + + if (sizeOfPtr > MAX_RECV_SIZE || sizeOfPtr == 0) { + gnutls_assert(); /* internal error */ + return GNUTLS_E_INVALID_REQUEST; + } - - /* calculate the actual size, ie. get the minimum of the - * buffered data and the requested data. + /* If an external pull function is used, then do not leave + * any data into the kernel buffer. + */ + if (session->internals._gnutls_pull_func != NULL) { + recvlowat = 0; + } else { + /* leave peeked data to the kernel space only if application data + * is received and we don't have any peeked + * data in gnutls session. */ - min = GMIN( session->internals.record_recv_buffer.length, sizeOfPtr); - if ( min > 0) { - /* if we have enough buffered data - * then just return them. - */ - if ( min == sizeOfPtr) { - return min; - } - } + if (recv_type != GNUTLS_APPLICATION_DATA + && session->internals.have_peeked_data == 0) + recvlowat = 0; + else + recvlowat = RCVLOWAT; + } - /* min is over zero. recvdata is the data we must - * receive in order to return the requested data. - */ - recvdata = sizeOfPtr - min; - /* Check if the previously read data plus the new data to - * receive are longer than the maximum receive buffer size. - */ - if ((session->internals.record_recv_buffer.length + recvdata) > MAX_RECV_SIZE) - { - gnutls_assert(); /* internal error */ - return GNUTLS_E_INVALID_REQUEST; - } - - /* Allocate the data required to store the new packet. + + /* calculate the actual size, ie. get the minimum of the + * buffered data and the requested data. + */ + min = GMIN(session->internals.record_recv_buffer.length, sizeOfPtr); + if (min > 0) { + /* if we have enough buffered data + * then just return them. */ - alloc_size = recvdata+session->internals.record_recv_buffer.length; - session->internals.record_recv_buffer.data = gnutls_realloc_fast( - session->internals.record_recv_buffer.data, alloc_size); - if ( session->internals.record_recv_buffer.data==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (min == sizeOfPtr) { + return min; } + } - buf_pos = session->internals.record_recv_buffer.length; - buf = session->internals.record_recv_buffer.data; - *iptr = buf; + /* min is over zero. recvdata is the data we must + * receive in order to return the requested data. + */ + recvdata = sizeOfPtr - min; + + /* Check if the previously read data plus the new data to + * receive are longer than the maximum receive buffer size. + */ + if ((session->internals.record_recv_buffer.length + recvdata) > + MAX_RECV_SIZE) { + gnutls_assert(); /* internal error */ + return GNUTLS_E_INVALID_REQUEST; + } - /* READ DATA - but leave RCVLOWAT bytes in the kernel buffer. - */ - if ( recvdata - recvlowat > 0) { - ret = _gnutls_read( session, &buf[buf_pos], recvdata - recvlowat, 0); - - /* return immediately if we got an interrupt or eagain - * error. - */ - if (ret < 0 && gnutls_error_is_fatal(ret)==0) { - return ret; - } - } + /* Allocate the data required to store the new packet. + */ + alloc_size = recvdata + session->internals.record_recv_buffer.length; + session->internals.record_recv_buffer.data = + gnutls_realloc_fast(session->internals.record_recv_buffer.data, + alloc_size); + if (session->internals.record_recv_buffer.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + buf_pos = session->internals.record_recv_buffer.length; + buf = session->internals.record_recv_buffer.data; + *iptr = buf; + + /* READ DATA - but leave RCVLOWAT bytes in the kernel buffer. + */ + if (recvdata - recvlowat > 0) { + ret = + _gnutls_read(session, &buf[buf_pos], recvdata - recvlowat, 0); - /* copy fresh data to our buffer. + /* return immediately if we got an interrupt or eagain + * error. */ - if (ret > 0) { - _gnutls_read_log("RB: Have %d bytes into buffer. Adding %d bytes.\n", session->internals.record_recv_buffer.length, ret); - _gnutls_read_log("RB: Requested %d bytes\n", sizeOfPtr); - session->internals.record_recv_buffer.length += ret; + if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { + return ret; } + } - buf_pos = session->internals.record_recv_buffer.length; - - /* This is hack in order for select to work. Just leave recvlowat data, - * into the kernel buffer (using a read with MSG_PEEK), thus making - * select think, that the socket is ready for reading. - * MSG_PEEK is only used with berkeley style sockets. - */ - if (ret == (recvdata - recvlowat) && recvlowat > 0) { - ret2 = _gnutls_read( session, &buf[buf_pos], recvlowat, MSG_PEEK); + /* copy fresh data to our buffer. + */ + if (ret > 0) { + _gnutls_read_log + ("RB: Have %d bytes into buffer. Adding %d bytes.\n", + session->internals.record_recv_buffer.length, ret); + _gnutls_read_log("RB: Requested %d bytes\n", sizeOfPtr); + session->internals.record_recv_buffer.length += ret; + } - if (ret2 < 0 && gnutls_error_is_fatal(ret2)==0) { - return ret2; - } + buf_pos = session->internals.record_recv_buffer.length; - if (ret2 > 0) { - _gnutls_read_log("RB-PEEK: Read %d bytes in PEEK MODE.\n", ret2); - _gnutls_read_log("RB-PEEK: Have %d bytes into buffer. Adding %d bytes.\nRB: Requested %d bytes\n", session->internals.record_recv_buffer.length, ret2, sizeOfPtr); - session->internals.have_peeked_data = 1; - session->internals.record_recv_buffer.length += ret2; + /* This is hack in order for select to work. Just leave recvlowat data, + * into the kernel buffer (using a read with MSG_PEEK), thus making + * select think, that the socket is ready for reading. + * MSG_PEEK is only used with berkeley style sockets. + */ + if (ret == (recvdata - recvlowat) && recvlowat > 0) { + ret2 = _gnutls_read(session, &buf[buf_pos], recvlowat, MSG_PEEK); - } + if (ret2 < 0 && gnutls_error_is_fatal(ret2) == 0) { + return ret2; } - if (ret < 0 || ret2 < 0) { - gnutls_assert(); - /* that's because they are initialized to 0 */ - return GMIN(ret, ret2); + if (ret2 > 0) { + _gnutls_read_log("RB-PEEK: Read %d bytes in PEEK MODE.\n", + ret2); + _gnutls_read_log + ("RB-PEEK: Have %d bytes into buffer. Adding %d bytes.\nRB: Requested %d bytes\n", + session->internals.record_recv_buffer.length, ret2, + sizeOfPtr); + session->internals.have_peeked_data = 1; + session->internals.record_recv_buffer.length += ret2; + } + } - ret += ret2; + if (ret < 0 || ret2 < 0) { + gnutls_assert(); + /* that's because they are initialized to 0 */ + return GMIN(ret, ret2); + } - if (ret > 0 && ret < recvlowat) { - gnutls_assert(); - return GNUTLS_E_AGAIN; - } - - if (ret==0) { /* EOF */ - gnutls_assert(); - return 0; - } + ret += ret2; - ret = session->internals.record_recv_buffer.length; + if (ret > 0 && ret < recvlowat) { + gnutls_assert(); + return GNUTLS_E_AGAIN; + } - if ((ret > 0) && ((size_t)ret < sizeOfPtr)) { - /* Short Read */ - gnutls_assert(); - return GNUTLS_E_AGAIN; - } else { - return ret; - } + if (ret == 0) { /* EOF */ + gnutls_assert(); + return 0; + } + + ret = session->internals.record_recv_buffer.length; + + if ((ret > 0) && ((size_t) ret < sizeOfPtr)) { + /* Short Read */ + gnutls_assert(); + return GNUTLS_E_AGAIN; + } else { + return ret; + } } @@ -480,48 +516,53 @@ ssize_t _gnutls_io_read_buffered( gnutls_session session, opaque **iptr, size_t * record protocol. The send buffer is kept if a send is interrupted and we need to keep * the data left to sent, in order to send them later. */ - + #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y)) inline -static int _gnutls_buffer_insert( gnutls_buffer * buffer, const opaque* _data, size_t data_size) + static int _gnutls_buffer_insert(gnutls_buffer * buffer, + const opaque * _data, + size_t data_size) { - if ( ( MEMSUB(_data, buffer->data) >= 0) && (MEMSUB(_data, buffer->data) < (ssize_t)buffer->length) ) { - /* the given _data is part of the buffer. - */ - if (data_size > buffer->length) { - gnutls_assert(); - /* this shouldn't have happened */ - return GNUTLS_E_INTERNAL_ERROR; - } - - if (_data==buffer->data) { /* then don't even memmove */ - buffer->length = data_size; - return 0; - } - - memmove( buffer->data, _data, data_size); - buffer->length = data_size; - - return 0; - + if ((MEMSUB(_data, buffer->data) >= 0) + && (MEMSUB(_data, buffer->data) < (ssize_t) buffer->length)) { + /* the given _data is part of the buffer. + */ + if (data_size > buffer->length) { + gnutls_assert(); + /* this shouldn't have happened */ + return GNUTLS_E_INTERNAL_ERROR; } - if (_gnutls_buffer_append( buffer, _data, data_size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (_data == buffer->data) { /* then don't even memmove */ + buffer->length = data_size; + return 0; } + memmove(buffer->data, _data, data_size); + buffer->length = data_size; + return 0; + + } + + if (_gnutls_buffer_append(buffer, _data, data_size) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + return 0; } inline -static int _gnutls_buffer_get( gnutls_buffer * buffer, const opaque ** ptr, size_t *ptr_size) { - *ptr_size = buffer->length; - *ptr = buffer->data; - - return 0; + static int _gnutls_buffer_get(gnutls_buffer * buffer, + const opaque ** ptr, size_t * ptr_size) +{ + *ptr_size = buffer->length; + *ptr = buffer->data; + + return 0; } @@ -536,138 +577,155 @@ static int _gnutls_buffer_get( gnutls_buffer * buffer, const opaque ** ptr, size * to decrypt and verify the integrity. * */ -ssize_t _gnutls_io_write_buffered( gnutls_session session, const void *iptr, size_t n) +ssize_t _gnutls_io_write_buffered(gnutls_session session, const void *iptr, + size_t n) { - size_t left; - uint j,x, sum=0; - ssize_t retval, i; - const opaque * ptr; - int ret; - gnutls_transport_ptr fd = session->internals.transport_send_ptr; - - /* to know where the procedure was interrupted. - */ - session->internals.direction = 1; - - ptr = iptr; + size_t left; + uint j, x, sum = 0; + ssize_t retval, i; + const opaque *ptr; + int ret; + gnutls_transport_ptr fd = session->internals.transport_send_ptr; + + /* to know where the procedure was interrupted. + */ + session->internals.direction = 1; + + ptr = iptr; + + /* In case the previous write was interrupted, check if the + * iptr != NULL and we have data in the buffer. + * If this is true then return an error. + */ + if (session->internals.record_send_buffer.length > 0 && iptr != NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* In case the previous write was interrupted, check if the - * iptr != NULL and we have data in the buffer. - * If this is true then return an error. - */ - if (session->internals.record_send_buffer.length > 0 && iptr != NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + /* If data in the buffer exist + */ + if (iptr == NULL) { + /* checking is handled above */ + ret = + _gnutls_buffer_get(&session->internals.record_send_buffer, + &ptr, &n); + if (ret < 0) { + gnutls_assert(); + return ret; } - /* If data in the buffer exist - */ - if (iptr == NULL) { - /* checking is handled above */ - ret = _gnutls_buffer_get( &session->internals.record_send_buffer, &ptr, &n); - if (ret < 0) { - gnutls_assert(); - return ret; + _gnutls_write_log + ("WRITE: Restoring old write. (%d bytes to send)\n", n); + } + + _gnutls_write_log("WRITE: Will write %d bytes to %d.\n", n, fd); + + i = 0; + left = n; + while (left > 0) { + + if (session->internals._gnutls_push_func == NULL) + i = send((int) fd, &ptr[n - left], left, 0); + else + i = session->internals._gnutls_push_func(fd, &ptr[n - left], + left); + + if (i == -1) { + if (errno == EAGAIN || errno == EINTR) { + session->internals.record_send_buffer_prev_size += + n - left; + + retval = + _gnutls_buffer_insert(&session->internals. + record_send_buffer, + &ptr[n - left], left); + if (retval < 0) { + gnutls_assert(); + return retval; } - _gnutls_write_log( "WRITE: Restoring old write. (%d bytes to send)\n", n); + _gnutls_write_log + ("WRITE: Interrupted. Stored %d bytes to buffer. Already sent %d bytes.\n", + left, n - left); + + retval = RET(errno); + + return retval; + } else { + gnutls_assert(); + return GNUTLS_E_PUSH_ERROR; + } } + left -= i; - _gnutls_write_log( "WRITE: Will write %d bytes to %d.\n", n, fd); - i = 0; - left = n; - while (left > 0) { - - if (session->internals._gnutls_push_func==NULL) - i = send( (int)fd, &ptr[n-left], left, 0); - else - i = session->internals._gnutls_push_func(fd, &ptr[n-left], left); + if (_gnutls_log_level >= 7) { + char line[128]; + char tmp[16]; - if (i == -1) { - if (errno == EAGAIN || errno == EINTR) { - session->internals.record_send_buffer_prev_size += n - left; - retval = _gnutls_buffer_insert( &session->internals.record_send_buffer, &ptr[n-left], left); - if (retval < 0) { - gnutls_assert(); - return retval; - } + _gnutls_write_log + ("WRITE: wrote %d bytes to %d. Left %d bytes. Total %d bytes.\n", + i, fd, left, n); + for (x = 0; x < (uint) ((i) / 16) + 1; x++) { + line[0] = 0; - _gnutls_write_log( "WRITE: Interrupted. Stored %d bytes to buffer. Already sent %d bytes.\n", left, n-left); + if (sum > n - left) + break; - retval = RET(errno); + sprintf(tmp, "%.4x - ", x); + _gnutls_str_cat(line, sizeof(line), tmp); - return retval; - } else { - gnutls_assert(); - return GNUTLS_E_PUSH_ERROR; - } - } - left -= i; - - - if (_gnutls_log_level >= 7) { - char line[128]; - char tmp[16]; - - - _gnutls_write_log( "WRITE: wrote %d bytes to %d. Left %d bytes. Total %d bytes.\n", i, fd, left, n); - for (x=0;x<(uint)((i)/16)+1;x++) { - line[0] = 0; - - if (sum>n-left) - break; - - sprintf( tmp, "%.4x - ",x); - _gnutls_str_cat( line, sizeof(line), tmp); - - for (j=0;j<16;j++) { - if (sum<n-left) { - sprintf( tmp, "%.2x ", ((unsigned char*)ptr)[sum++]); - _gnutls_str_cat( line, sizeof(line), tmp); - } else break; - } - _gnutls_write_log( "%s\n", line); - } + for (j = 0; j < 16; j++) { + if (sum < n - left) { + sprintf(tmp, "%.2x ", + ((unsigned char *) ptr)[sum++]); + _gnutls_str_cat(line, sizeof(line), tmp); + } else + break; } + _gnutls_write_log("%s\n", line); + } } + } - retval = n + session->internals.record_send_buffer_prev_size; + retval = n + session->internals.record_send_buffer_prev_size; - session->internals.record_send_buffer.length = 0; - session->internals.record_send_buffer_prev_size = 0; + session->internals.record_send_buffer.length = 0; + session->internals.record_send_buffer_prev_size = 0; - return retval; + return retval; } /* This is exactly like write_buffered, but will use two buffers to read * from. */ -ssize_t _gnutls_io_write_buffered2( gnutls_session session, const void *iptr, size_t n, const void* iptr2, size_t n2) +ssize_t _gnutls_io_write_buffered2(gnutls_session session, + const void *iptr, size_t n, + const void *iptr2, size_t n2) { - if (n==0) { - return _gnutls_io_write_buffered( session, iptr2, n2); - } else { - opaque* sptr; - ssize_t ret; + if (n == 0) { + return _gnutls_io_write_buffered(session, iptr2, n2); + } else { + opaque *sptr; + ssize_t ret; - sptr = gnutls_alloca( n+n2); - if (sptr==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy( sptr, iptr, n); - memcpy( &sptr[n], iptr2, n2); + sptr = gnutls_alloca(n + n2); + if (sptr == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - ret = _gnutls_io_write_buffered( session, sptr, n+n2); - gnutls_afree( sptr); + memcpy(sptr, iptr, n); + memcpy(&sptr[n], iptr2, n2); - return ret; - } + ret = _gnutls_io_write_buffered(session, sptr, n + n2); + gnutls_afree(sptr); + + return ret; + } } @@ -675,15 +733,16 @@ ssize_t _gnutls_io_write_buffered2( gnutls_session session, const void *iptr, si * TLS write buffer (ie. because the previous write was * interrupted. */ -ssize_t _gnutls_io_write_flush( gnutls_session session) +ssize_t _gnutls_io_write_flush(gnutls_session session) { ssize_t ret; if (session->internals.record_send_buffer.length == 0) - return 0; /* done */ + return 0; /* done */ - ret = _gnutls_io_write_buffered( session, NULL, 0); - _gnutls_write_log("WRITE FLUSH: %d [buffer: %d]\n", ret, session->internals.record_send_buffer.length); + ret = _gnutls_io_write_buffered(session, NULL, 0); + _gnutls_write_log("WRITE FLUSH: %d [buffer: %d]\n", ret, + session->internals.record_send_buffer.length); return ret; } @@ -692,19 +751,19 @@ ssize_t _gnutls_io_write_flush( gnutls_session session) * Handshake write buffer (ie. because the previous write was * interrupted. */ -ssize_t _gnutls_handshake_io_write_flush( gnutls_session session) +ssize_t _gnutls_handshake_io_write_flush(gnutls_session session) { ssize_t ret; - ret = _gnutls_handshake_io_send_int( session, 0, 0, NULL, 0); + ret = _gnutls_handshake_io_send_int(session, 0, 0, NULL, 0); if (ret < 0) { gnutls_assert(); - return ret; + return ret; } _gnutls_write_log("HANDSHAKE_FLUSH: written[1] %d bytes\n", ret); if (session->internals.handshake_send_buffer.length == 0) { - ret = session->internals.handshake_send_buffer_prev_size; /* done */ + ret = session->internals.handshake_send_buffer_prev_size; /* done */ session->internals.handshake_send_buffer_prev_size = 0; } @@ -715,276 +774,303 @@ ssize_t _gnutls_handshake_io_write_flush( gnutls_session session) /* This is a send function for the gnutls handshake * protocol. Just makes sure that all data have been sent. */ -ssize_t _gnutls_handshake_io_send_int( gnutls_session session, content_type_t type, HandshakeType htype, const void *iptr, size_t n) +ssize_t _gnutls_handshake_io_send_int(gnutls_session session, + content_type_t type, + HandshakeType htype, + const void *iptr, size_t n) { - size_t left; - ssize_t ret=0; - const opaque *ptr; - ssize_t retval = 0; - - ptr = iptr; - - if (session->internals.handshake_send_buffer.length > 0 && ptr==NULL && n == 0) { - /* resuming previously interrupted write - */ - gnutls_assert(); - ret = _gnutls_buffer_get( &session->internals.handshake_send_buffer, &ptr, &n); - if (ret < 0) { - gnutls_assert(); - return retval; - } + size_t left; + ssize_t ret = 0; + const opaque *ptr; + ssize_t retval = 0; - type = session->internals.handshake_send_buffer_type; - htype = session->internals.handshake_send_buffer_htype; + ptr = iptr; - } else if (session->internals.handshake_send_buffer.length > 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (session->internals.handshake_send_buffer.length > 0 && ptr == NULL + && n == 0) { + /* resuming previously interrupted write + */ + gnutls_assert(); + ret = + _gnutls_buffer_get(&session->internals.handshake_send_buffer, + &ptr, &n); + if (ret < 0) { + gnutls_assert(); + return retval; } + + type = session->internals.handshake_send_buffer_type; + htype = session->internals.handshake_send_buffer_htype; + + } else if (session->internals.handshake_send_buffer.length > 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } #ifdef WRITE_DEBUG - else { - size_t sum=0, x, j; - - _gnutls_write_log( "HWRITE: will write %d bytes to %d.\n", n, gnutls_transport_get_ptr(session)); - for (x=0;x<((n)/16)+1;x++) { - if (sum>n) - break; - - _gnutls_write_log( "%.4x - ",x); - for (j=0;j<16;j++) { - if (sum<n) { - _gnutls_write_log( "%.2x ", ((unsigned char*)ptr)[sum++]); - } else break; - } - _gnutls_write_log( "\n"); - } - _gnutls_write_log( "\n"); + else { + size_t sum = 0, x, j; + + _gnutls_write_log("HWRITE: will write %d bytes to %d.\n", n, + gnutls_transport_get_ptr(session)); + for (x = 0; x < ((n) / 16) + 1; x++) { + if (sum > n) + break; + + _gnutls_write_log("%.4x - ", x); + for (j = 0; j < 16; j++) { + if (sum < n) { + _gnutls_write_log("%.2x ", + ((unsigned char *) ptr)[sum++]); + } else + break; + } + _gnutls_write_log("\n"); } + _gnutls_write_log("\n"); + } #endif - if (n==0) { /* if we have no data to send */ - gnutls_assert(); - return 0; - } else if (ptr==NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - + if (n == 0) { /* if we have no data to send */ + gnutls_assert(); + return 0; + } else if (ptr == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - left = n; - while (left > 0) { - ret = _gnutls_send_int( session, type, htype, &ptr[n-left], left); - if (ret <= 0) { - if (ret==0) { - gnutls_assert(); - ret = GNUTLS_E_INTERNAL_ERROR; - } + left = n; + while (left > 0) { + ret = _gnutls_send_int(session, type, htype, &ptr[n - left], left); - if ( left > 0 && (ret==GNUTLS_E_INTERRUPTED || ret==GNUTLS_E_AGAIN)) { - gnutls_assert(); + if (ret <= 0) { + if (ret == 0) { + gnutls_assert(); + ret = GNUTLS_E_INTERNAL_ERROR; + } - retval = _gnutls_buffer_insert( &session->internals.handshake_send_buffer, &ptr[n-left], left); - if (retval < 0) { - gnutls_assert(); - return retval; - } + if (left > 0 + && (ret == GNUTLS_E_INTERRUPTED + || ret == GNUTLS_E_AGAIN)) { + gnutls_assert(); - session->internals.handshake_send_buffer_prev_size += n-left; + retval = + _gnutls_buffer_insert(&session->internals. + handshake_send_buffer, + &ptr[n - left], left); + if (retval < 0) { + gnutls_assert(); + return retval; + } - session->internals.handshake_send_buffer_type = type; - session->internals.handshake_send_buffer_htype = htype; + session->internals.handshake_send_buffer_prev_size += + n - left; - } else { - session->internals.handshake_send_buffer_prev_size = 0; - session->internals.handshake_send_buffer.length = 0; - } + session->internals.handshake_send_buffer_type = type; + session->internals.handshake_send_buffer_htype = htype; - gnutls_assert(); - return ret; - } - left -= ret; + } else { + session->internals.handshake_send_buffer_prev_size = 0; + session->internals.handshake_send_buffer.length = 0; + } + + gnutls_assert(); + return ret; } + left -= ret; + } - retval = n + session->internals.handshake_send_buffer_prev_size; + retval = n + session->internals.handshake_send_buffer_prev_size; - session->internals.handshake_send_buffer.length = 0; - session->internals.handshake_send_buffer_prev_size = 0; + session->internals.handshake_send_buffer.length = 0; + session->internals.handshake_send_buffer_prev_size = 0; - return retval; + return retval; } /* This is a receive function for the gnutls handshake * protocol. Makes sure that we have received all data. */ -ssize_t _gnutls_handshake_io_recv_int( gnutls_session session, - content_type_t type, HandshakeType htype, void *iptr, size_t sizeOfPtr) +ssize_t _gnutls_handshake_io_recv_int(gnutls_session session, + content_type_t type, + HandshakeType htype, void *iptr, + size_t sizeOfPtr) { - size_t left; - ssize_t i; - opaque *ptr; - size_t dsize; - - ptr = iptr; - left = sizeOfPtr; - - if (sizeOfPtr == 0 || iptr == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + size_t left; + ssize_t i; + opaque *ptr; + size_t dsize; + + ptr = iptr; + left = sizeOfPtr; + + if (sizeOfPtr == 0 || iptr == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (session->internals.handshake_recv_buffer.length > 0) { + /* if we have already received some data */ + if (sizeOfPtr <= session->internals.handshake_recv_buffer.length) { + /* if requested less data then return it. + */ + gnutls_assert(); + memcpy(iptr, session->internals.handshake_recv_buffer.data, + sizeOfPtr); + + session->internals.handshake_recv_buffer.length -= sizeOfPtr; + + memmove(session->internals.handshake_recv_buffer.data, + &session->internals.handshake_recv_buffer. + data[sizeOfPtr], + session->internals.handshake_recv_buffer.length); + + return sizeOfPtr; } + gnutls_assert(); + memcpy(iptr, session->internals.handshake_recv_buffer.data, + session->internals.handshake_recv_buffer.length); - if (session->internals.handshake_recv_buffer.length > 0) { - /* if we have already received some data */ - if (sizeOfPtr <= session->internals.handshake_recv_buffer.length) { - /* if requested less data then return it. - */ - gnutls_assert(); - memcpy( iptr, session->internals.handshake_recv_buffer.data, sizeOfPtr); - - session->internals.handshake_recv_buffer.length -= sizeOfPtr; - - memmove( session->internals.handshake_recv_buffer.data, - &session->internals.handshake_recv_buffer.data[sizeOfPtr], - session->internals.handshake_recv_buffer.length); - - return sizeOfPtr; - } + htype = session->internals.handshake_recv_buffer_htype; + type = session->internals.handshake_recv_buffer_type; + + left -= session->internals.handshake_recv_buffer.length; + + session->internals.handshake_recv_buffer.length = 0; + } + + while (left > 0) { + dsize = sizeOfPtr - left; + i = _gnutls_recv_int(session, type, htype, &ptr[dsize], left); + if (i < 0) { + + if (dsize > 0 + && (i == GNUTLS_E_INTERRUPTED || i == GNUTLS_E_AGAIN)) { gnutls_assert(); - memcpy( iptr, session->internals.handshake_recv_buffer.data, session->internals.handshake_recv_buffer.length); - htype = session->internals.handshake_recv_buffer_htype; - type = session->internals.handshake_recv_buffer_type; + session->internals.handshake_recv_buffer.data = + gnutls_realloc_fast(session->internals. + handshake_recv_buffer.data, dsize); + if (session->internals.handshake_recv_buffer.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + memcpy(session->internals.handshake_recv_buffer.data, iptr, + dsize); - left -= session->internals.handshake_recv_buffer.length; + session->internals.handshake_recv_buffer_htype = htype; + session->internals.handshake_recv_buffer_type = type; + session->internals.handshake_recv_buffer.length = dsize; + } else session->internals.handshake_recv_buffer.length = 0; - } - - while (left > 0) { - dsize = sizeOfPtr - left; - i = _gnutls_recv_int( session, type, htype, &ptr[dsize], left); - if (i < 0) { - - if (dsize > 0 && (i==GNUTLS_E_INTERRUPTED || i==GNUTLS_E_AGAIN)) { - gnutls_assert(); - - session->internals.handshake_recv_buffer.data = gnutls_realloc_fast( - session->internals.handshake_recv_buffer.data, dsize); - if (session->internals.handshake_recv_buffer.data==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy( session->internals.handshake_recv_buffer.data, iptr, dsize); - - session->internals.handshake_recv_buffer_htype = htype; - session->internals.handshake_recv_buffer_type = type; - - session->internals.handshake_recv_buffer.length = dsize; - } else - session->internals.handshake_recv_buffer.length = 0; - - gnutls_assert(); - - return i; - } else { - if (i == 0) - break; /* EOF */ - } - left -= i; + gnutls_assert(); + return i; + } else { + if (i == 0) + break; /* EOF */ } - session->internals.handshake_recv_buffer.length = 0; + left -= i; + + } + + session->internals.handshake_recv_buffer.length = 0; - return sizeOfPtr - left; + return sizeOfPtr - left; } /* Buffer for handshake packets. Keeps the packets in order * for finished messages to use them. Used in HMAC calculation * and finished messages. */ -int _gnutls_handshake_buffer_put( gnutls_session session, opaque *data, size_t length) +int _gnutls_handshake_buffer_put(gnutls_session session, opaque * data, + size_t length) { - if (length==0) return 0; + if (length == 0) + return 0; - if ( (session->internals.max_handshake_data_buffer_size > 0) && - ((length+session->internals.handshake_hash_buffer.length) > - session->internals.max_handshake_data_buffer_size)) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - _gnutls_buffers_log( "BUF[HSK]: Inserted %d bytes of Data\n", length); + if ((session->internals.max_handshake_data_buffer_size > 0) && + ((length + session->internals.handshake_hash_buffer.length) > + session->internals.max_handshake_data_buffer_size)) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - if ( _gnutls_buffer_append( &session->internals.handshake_hash_buffer, - data, length) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + _gnutls_buffers_log("BUF[HSK]: Inserted %d bytes of Data\n", length); - return 0; + if (_gnutls_buffer_append(&session->internals.handshake_hash_buffer, + data, length) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + return 0; } -int _gnutls_handshake_buffer_get_size( gnutls_session session) +int _gnutls_handshake_buffer_get_size(gnutls_session session) { - return session->internals.handshake_hash_buffer.length; + return session->internals.handshake_hash_buffer.length; } /* this function does not touch the buffer * and returns data from it (peek mode!) */ -int _gnutls_handshake_buffer_peek( gnutls_session session, opaque *data, size_t length) +int _gnutls_handshake_buffer_peek(gnutls_session session, opaque * data, + size_t length) { - if (length > session->internals.handshake_hash_buffer.length) { - length = session->internals.handshake_hash_buffer.length; - } + if (length > session->internals.handshake_hash_buffer.length) { + length = session->internals.handshake_hash_buffer.length; + } - _gnutls_buffers_log( "BUF[HSK]: Peeked %d bytes of Data\n", length); + _gnutls_buffers_log("BUF[HSK]: Peeked %d bytes of Data\n", length); - memcpy(data, session->internals.handshake_hash_buffer.data, length); - return length; + memcpy(data, session->internals.handshake_hash_buffer.data, length); + return length; } /* this function does not touch the buffer * and returns data from it (peek mode!) */ -int _gnutls_handshake_buffer_get_ptr( gnutls_session session, opaque **data_ptr, size_t *length) +int _gnutls_handshake_buffer_get_ptr(gnutls_session session, + opaque ** data_ptr, size_t * length) { - if (length!=NULL) - *length = session->internals.handshake_hash_buffer.length; + if (length != NULL) + *length = session->internals.handshake_hash_buffer.length; - _gnutls_buffers_log( "BUF[HSK]: Peeked %d bytes of Data\n", *length); + _gnutls_buffers_log("BUF[HSK]: Peeked %d bytes of Data\n", *length); - if (data_ptr!=NULL) - *data_ptr = session->internals.handshake_hash_buffer.data; + if (data_ptr != NULL) + *data_ptr = session->internals.handshake_hash_buffer.data; - return 0; + return 0; } /* Does not free the buffer */ -int _gnutls_handshake_buffer_empty( gnutls_session session) +int _gnutls_handshake_buffer_empty(gnutls_session session) { - _gnutls_buffers_log( "BUF[HSK]: Emptied buffer\n"); + _gnutls_buffers_log("BUF[HSK]: Emptied buffer\n"); - session->internals.handshake_hash_buffer.length = 0; - - return 0; + session->internals.handshake_hash_buffer.length = 0; + + return 0; } -int _gnutls_handshake_buffer_clear( gnutls_session session) +int _gnutls_handshake_buffer_clear(gnutls_session session) { - _gnutls_buffers_log( "BUF[HSK]: Cleared Data from buffer\n"); + _gnutls_buffers_log("BUF[HSK]: Cleared Data from buffer\n"); - _gnutls_buffer_clear( &session->internals.handshake_hash_buffer); - - return 0; + _gnutls_buffer_clear(&session->internals.handshake_hash_buffer); + + return 0; } diff --git a/lib/gnutls_buffers.h b/lib/gnutls_buffers.h index 8552377971..b858d10860 100644 --- a/lib/gnutls_buffers.h +++ b/lib/gnutls_buffers.h @@ -18,33 +18,42 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -int _gnutls_record_buffer_put(content_type_t type, gnutls_session session, opaque *data, size_t length); -int _gnutls_record_buffer_get_size(content_type_t type, gnutls_session session); -int _gnutls_record_buffer_get(content_type_t type, gnutls_session session, opaque *data, size_t length); -ssize_t _gnutls_io_read_buffered( gnutls_session, opaque **iptr, size_t n, content_type_t); -void _gnutls_io_clear_read_buffer( gnutls_session); -int _gnutls_io_clear_peeked_data( gnutls_session session); +int _gnutls_record_buffer_put(content_type_t type, gnutls_session session, + opaque * data, size_t length); +int _gnutls_record_buffer_get_size(content_type_t type, + gnutls_session session); +int _gnutls_record_buffer_get(content_type_t type, gnutls_session session, + opaque * data, size_t length); +ssize_t _gnutls_io_read_buffered(gnutls_session, opaque ** iptr, size_t n, + content_type_t); +void _gnutls_io_clear_read_buffer(gnutls_session); +int _gnutls_io_clear_peeked_data(gnutls_session session); -ssize_t _gnutls_io_write_buffered( gnutls_session, const void *iptr, size_t n ); -ssize_t _gnutls_io_write_buffered2( gnutls_session, const void *iptr, size_t n, - const void* iptr2, size_t n2); +ssize_t _gnutls_io_write_buffered(gnutls_session, const void *iptr, + size_t n); +ssize_t _gnutls_io_write_buffered2(gnutls_session, const void *iptr, + size_t n, const void *iptr2, size_t n2); -int _gnutls_handshake_buffer_get_size( gnutls_session session); -int _gnutls_handshake_buffer_peek( gnutls_session session, opaque *data, size_t length); -int _gnutls_handshake_buffer_put( gnutls_session session, opaque *data, size_t length); -int _gnutls_handshake_buffer_clear( gnutls_session session); -int _gnutls_handshake_buffer_empty( gnutls_session session); -int _gnutls_handshake_buffer_get_ptr( gnutls_session session, opaque **data_ptr, size_t *length); +int _gnutls_handshake_buffer_get_size(gnutls_session session); +int _gnutls_handshake_buffer_peek(gnutls_session session, opaque * data, + size_t length); +int _gnutls_handshake_buffer_put(gnutls_session session, opaque * data, + size_t length); +int _gnutls_handshake_buffer_clear(gnutls_session session); +int _gnutls_handshake_buffer_empty(gnutls_session session); +int _gnutls_handshake_buffer_get_ptr(gnutls_session session, + opaque ** data_ptr, size_t * length); #define _gnutls_handshake_io_buffer_clear( session) \ _gnutls_buffer_clear( &session->internals.handshake_send_buffer); \ _gnutls_buffer_clear( &session->internals.handshake_recv_buffer); \ session->internals.handshake_send_buffer_prev_size = 0 -ssize_t _gnutls_handshake_io_recv_int( gnutls_session, content_type_t, HandshakeType, void *, size_t); -ssize_t _gnutls_handshake_io_send_int( gnutls_session, content_type_t, HandshakeType, const void *, size_t); -ssize_t _gnutls_io_write_flush( gnutls_session session); -ssize_t _gnutls_handshake_io_write_flush( gnutls_session session); +ssize_t _gnutls_handshake_io_recv_int(gnutls_session, content_type_t, + HandshakeType, void *, size_t); +ssize_t _gnutls_handshake_io_send_int(gnutls_session, content_type_t, + HandshakeType, const void *, size_t); +ssize_t _gnutls_io_write_flush(gnutls_session session); +ssize_t _gnutls_handshake_io_write_flush(gnutls_session session); size_t gnutls_record_check_pending(gnutls_session session); - diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index ead9d09363..b2a9a942fe 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -56,29 +56,29 @@ void gnutls_certificate_free_crls(gnutls_certificate_credentials sc); **/ void gnutls_certificate_free_keys(gnutls_certificate_credentials sc) { - uint i, j; + uint i, j; - for (i = 0; i < sc->ncerts; i++) { - for (j = 0; j < sc->cert_list_length[i]; j++) { - _gnutls_gcert_deinit( &sc->cert_list[i][j]); - } - gnutls_free( sc->cert_list[i]); + for (i = 0; i < sc->ncerts; i++) { + for (j = 0; j < sc->cert_list_length[i]; j++) { + _gnutls_gcert_deinit(&sc->cert_list[i][j]); } + gnutls_free(sc->cert_list[i]); + } - gnutls_free(sc->cert_list_length); - sc->cert_list_length = NULL; + gnutls_free(sc->cert_list_length); + sc->cert_list_length = NULL; - gnutls_free(sc->cert_list); - sc->cert_list = NULL; + gnutls_free(sc->cert_list); + sc->cert_list = NULL; - for (i = 0; i < sc->ncerts; i++) { - _gnutls_gkey_deinit( &sc->pkey[i]); - } + for (i = 0; i < sc->ncerts; i++) { + _gnutls_gkey_deinit(&sc->pkey[i]); + } + + gnutls_free(sc->pkey); + sc->pkey = NULL; - gnutls_free( sc->pkey); - sc->pkey = NULL; - - sc->ncerts = 0; + sc->ncerts = 0; } @@ -94,16 +94,16 @@ void gnutls_certificate_free_keys(gnutls_certificate_credentials sc) **/ void gnutls_certificate_free_cas(gnutls_certificate_credentials sc) { - uint j; + uint j; + + for (j = 0; j < sc->x509_ncas; j++) { + gnutls_x509_crt_deinit(sc->x509_ca_list[j]); + } - for (j = 0; j < sc->x509_ncas; j++) { - gnutls_x509_crt_deinit( sc->x509_ca_list[j]); - } - - sc->x509_ncas = 0; + sc->x509_ncas = 0; - gnutls_free( sc->x509_ca_list); - sc->x509_ca_list = NULL; + gnutls_free(sc->x509_ca_list); + sc->x509_ca_list = NULL; } @@ -121,7 +121,7 @@ void gnutls_certificate_free_cas(gnutls_certificate_credentials sc) **/ void gnutls_certificate_free_ca_names(gnutls_certificate_credentials sc) { - _gnutls_free_datum( &sc->x509_rdn_sequence); + _gnutls_free_datum(&sc->x509_rdn_sequence); } /*- @@ -133,27 +133,29 @@ void gnutls_certificate_free_ca_names(gnutls_certificate_credentials sc) * calls would not examine the credentials (or call a callback). * -*/ -gnutls_dh_params _gnutls_certificate_get_dh_params(const gnutls_certificate_credentials sc, - gnutls_session session) +gnutls_dh_params _gnutls_certificate_get_dh_params(const + gnutls_certificate_credentials + sc, + gnutls_session session) { -gnutls_params_st params; -int ret; + gnutls_params_st params; + int ret; - if (session->internals.params.cert_dh_params) { - return session->internals.params.cert_dh_params; + if (session->internals.params.cert_dh_params) { + return session->internals.params.cert_dh_params; + } + + if (sc->dh_params) { + session->internals.params.cert_dh_params = sc->dh_params; + } else if (sc->params_func) { + ret = sc->params_func(session, GNUTLS_PARAMS_DH, ¶ms); + if (ret == 0 && params.type == GNUTLS_PARAMS_DH) { + session->internals.params.cert_dh_params = params.params.dh; + session->internals.params.free_cert_dh_params = params.deinit; } + } - if (sc->dh_params) { - session->internals.params.cert_dh_params = sc->dh_params; - } else if (sc->params_func) { - ret = sc->params_func( session, GNUTLS_PARAMS_DH, ¶ms); - if (ret == 0 && params.type == GNUTLS_PARAMS_DH) { - session->internals.params.cert_dh_params = params.params.dh; - session->internals.params.free_cert_dh_params = params.deinit; - } - } - - return session->internals.params.cert_dh_params; + return session->internals.params.cert_dh_params; } /*- @@ -163,27 +165,31 @@ int ret; * This function will return the rsa parameters pointer. * -*/ -gnutls_rsa_params _gnutls_certificate_get_rsa_params(const gnutls_certificate_credentials sc, - gnutls_session session) +gnutls_rsa_params _gnutls_certificate_get_rsa_params(const + gnutls_certificate_credentials + sc, + gnutls_session + session) { -gnutls_params_st params; -int ret; + gnutls_params_st params; + int ret; - if (session->internals.params.rsa_params) { - return session->internals.params.rsa_params; + if (session->internals.params.rsa_params) { + return session->internals.params.rsa_params; + } + + if (sc->rsa_params) { + session->internals.params.rsa_params = sc->rsa_params; + } else if (sc->params_func) { + ret = sc->params_func(session, GNUTLS_PARAMS_RSA_EXPORT, ¶ms); + if (ret == 0 && params.type == GNUTLS_PARAMS_RSA_EXPORT) { + session->internals.params.rsa_params = + params.params.rsa_export; + session->internals.params.free_rsa_params = params.deinit; } + } - if (sc->rsa_params) { - session->internals.params.rsa_params = sc->rsa_params; - } else if (sc->params_func) { - ret = sc->params_func( session, GNUTLS_PARAMS_RSA_EXPORT, ¶ms); - if (ret == 0 && params.type == GNUTLS_PARAMS_RSA_EXPORT) { - session->internals.params.rsa_params = params.params.rsa_export; - session->internals.params.free_rsa_params = params.deinit; - } - } - - return session->internals.params.rsa_params; + return session->internals.params.rsa_params; } @@ -200,15 +206,15 @@ int ret; **/ void gnutls_certificate_free_credentials(gnutls_certificate_credentials sc) { - gnutls_certificate_free_keys( sc); - gnutls_certificate_free_cas( sc); + gnutls_certificate_free_keys(sc); + gnutls_certificate_free_cas(sc); #ifdef ENABLE_PKI - gnutls_certificate_free_crls( sc); + gnutls_certificate_free_crls(sc); #endif - _gnutls_free_datum( &sc->keyring); + _gnutls_free_datum(&sc->keyring); - gnutls_free( sc); + gnutls_free(sc); } @@ -221,14 +227,15 @@ void gnutls_certificate_free_credentials(gnutls_certificate_credentials sc) * * Returns 0 on success. **/ -int gnutls_certificate_allocate_credentials(gnutls_certificate_credentials * res) +int gnutls_certificate_allocate_credentials(gnutls_certificate_credentials + * res) { - *res = gnutls_calloc(1, sizeof(certificate_credentials_st)); + *res = gnutls_calloc(1, sizeof(certificate_credentials_st)); - if (*res == NULL) - return GNUTLS_E_MEMORY_ERROR; + if (*res == NULL) + return GNUTLS_E_MEMORY_ERROR; - return 0; + return 0; } @@ -238,49 +245,50 @@ int gnutls_certificate_allocate_credentials(gnutls_certificate_credentials * res * This function also uses the KeyUsage field of the certificate * extensions in order to disable unneded algorithms. */ -int _gnutls_selected_cert_supported_kx( gnutls_session session, gnutls_kx_algorithm ** alg, - int *alg_size) +int _gnutls_selected_cert_supported_kx(gnutls_session session, + gnutls_kx_algorithm ** alg, + int *alg_size) { - gnutls_kx_algorithm kx; - gnutls_pk_algorithm pk; - gnutls_kx_algorithm kxlist[MAX_ALGOS]; - gnutls_cert * cert; - int i; - - if (session->internals.selected_cert_list_length == 0) { - *alg_size = 0; - *alg = NULL; - return 0; - } - - cert = &session->internals.selected_cert_list[0]; - i = 0; - - for (kx = 0; kx < MAX_ALGOS; kx++) { - pk = _gnutls_map_pk_get_pk(kx); - if (pk == cert->subject_pk_algorithm) { - /* then check key usage */ - if (_gnutls_check_key_usage(cert, kx) == 0) { - kxlist[i] = kx; - i++; - } - } + gnutls_kx_algorithm kx; + gnutls_pk_algorithm pk; + gnutls_kx_algorithm kxlist[MAX_ALGOS]; + gnutls_cert *cert; + int i; + + if (session->internals.selected_cert_list_length == 0) { + *alg_size = 0; + *alg = NULL; + return 0; + } + + cert = &session->internals.selected_cert_list[0]; + i = 0; + + for (kx = 0; kx < MAX_ALGOS; kx++) { + pk = _gnutls_map_pk_get_pk(kx); + if (pk == cert->subject_pk_algorithm) { + /* then check key usage */ + if (_gnutls_check_key_usage(cert, kx) == 0) { + kxlist[i] = kx; + i++; + } } + } - if (i==0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (i == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - *alg = gnutls_calloc(1, sizeof(gnutls_kx_algorithm) * i); - if (*alg == NULL) - return GNUTLS_E_MEMORY_ERROR; + *alg = gnutls_calloc(1, sizeof(gnutls_kx_algorithm) * i); + if (*alg == NULL) + return GNUTLS_E_MEMORY_ERROR; - *alg_size = i; + *alg_size = i; - memcpy(*alg, kxlist, i * sizeof(gnutls_kx_algorithm)); + memcpy(*alg, kxlist, i * sizeof(gnutls_kx_algorithm)); - return 0; + return 0; } @@ -297,9 +305,9 @@ int _gnutls_selected_cert_supported_kx( gnutls_session session, gnutls_kx_algori * send a certificate. **/ void gnutls_certificate_server_set_request(gnutls_session session, - gnutls_certificate_request req) + gnutls_certificate_request req) { - session->internals.send_cert_req = req; + session->internals.send_cert_req = req; } /** @@ -332,10 +340,10 @@ void gnutls_certificate_server_set_request(gnutls_session session, * should be set to zero. The value (-1) indicates error and the handshake * will be terminated. **/ -void gnutls_certificate_client_set_retrieve_function(gnutls_certificate_credentials cred, - gnutls_certificate_client_retrieve_function * func) -{ - cred->client_get_cert_callback = func; +void gnutls_certificate_client_set_retrieve_function + (gnutls_certificate_credentials cred, + gnutls_certificate_client_retrieve_function * func) { + cred->client_get_cert_callback = func; } /** @@ -358,18 +366,20 @@ void gnutls_certificate_client_set_retrieve_function(gnutls_certificate_credenti * return 0 on success. The value (-1) indicates error and the handshake * will be terminated. **/ -void gnutls_certificate_server_set_retrieve_function(gnutls_certificate_credentials cred, - gnutls_certificate_server_retrieve_function * func) -{ - cred->server_get_cert_callback = func; +void gnutls_certificate_server_set_retrieve_function + (gnutls_certificate_credentials cred, + gnutls_certificate_server_retrieve_function * func) { + cred->server_get_cert_callback = func; } /* These are set by the gnutls_extra library's initialization function. */ -OPENPGP_KEY_CREATION_TIME_FUNC _E_gnutls_openpgp_get_raw_key_creation_time = NULL; -OPENPGP_KEY_EXPIRATION_TIME_FUNC _E_gnutls_openpgp_get_raw_key_expiration_time = NULL; +OPENPGP_KEY_CREATION_TIME_FUNC _E_gnutls_openpgp_get_raw_key_creation_time + = NULL; +OPENPGP_KEY_EXPIRATION_TIME_FUNC + _E_gnutls_openpgp_get_raw_key_expiration_time = NULL; OPENPGP_VERIFY_KEY_FUNC _E_gnutls_openpgp_verify_key = NULL; /*- @@ -382,52 +392,54 @@ OPENPGP_VERIFY_KEY_FUNC _E_gnutls_openpgp_verify_key = NULL; -*/ int _gnutls_openpgp_cert_verify_peers(gnutls_session session) { - cert_auth_info_t info; - const gnutls_certificate_credentials cred; - int verify; - int peer_certificate_list_size; - - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INVALID_REQUEST; - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - /* generate a list of gnutls_certs based on the auth info - * raw certs. - */ - peer_certificate_list_size = info->ncerts; - - if (peer_certificate_list_size != 1) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* Verify certificate - */ - if (_E_gnutls_openpgp_verify_key==NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; - } - verify = _E_gnutls_openpgp_verify_key( cred->pgp_trustdb, &cred->keyring, &info->raw_certificate_list[0], - peer_certificate_list_size); - - if (verify < 0) { - gnutls_assert(); - } - - return verify; + cert_auth_info_t info; + const gnutls_certificate_credentials cred; + int verify; + int peer_certificate_list_size; + + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INVALID_REQUEST; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + /* generate a list of gnutls_certs based on the auth info + * raw certs. + */ + peer_certificate_list_size = info->ncerts; + + if (peer_certificate_list_size != 1) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* Verify certificate + */ + if (_E_gnutls_openpgp_verify_key == NULL) { + gnutls_assert(); + return GNUTLS_E_INIT_LIBEXTRA; + } + verify = + _E_gnutls_openpgp_verify_key(cred->pgp_trustdb, &cred->keyring, + &info->raw_certificate_list[0], + peer_certificate_list_size); + + if (verify < 0) { + gnutls_assert(); + } + + return verify; } /** @@ -446,26 +458,26 @@ int _gnutls_openpgp_cert_verify_peers(gnutls_session session) **/ int gnutls_certificate_verify_peers(gnutls_session session) { - cert_auth_info_t info; - - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(session); - if (info == NULL) { - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) - return GNUTLS_E_NO_CERTIFICATE_FOUND; - - switch( gnutls_certificate_type_get( session)) { - case GNUTLS_CRT_X509: - return _gnutls_x509_cert_verify_peers( session); - case GNUTLS_CRT_OPENPGP: - return _gnutls_openpgp_cert_verify_peers( session); - default: - return GNUTLS_E_INVALID_REQUEST; - } + cert_auth_info_t info; + + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(session); + if (info == NULL) { + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; + + switch (gnutls_certificate_type_get(session)) { + case GNUTLS_CRT_X509: + return _gnutls_x509_cert_verify_peers(session); + case GNUTLS_CRT_OPENPGP: + return _gnutls_openpgp_cert_verify_peers(session); + default: + return GNUTLS_E_INVALID_REQUEST; + } } /** @@ -479,32 +491,34 @@ int gnutls_certificate_verify_peers(gnutls_session session) **/ time_t gnutls_certificate_expiration_time_peers(gnutls_session session) { - cert_auth_info_t info; - - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(session); - if (info == NULL) { - return (time_t) -1; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) { - gnutls_assert(); - return (time_t) -1; - } - - switch( gnutls_certificate_type_get( session)) { - case GNUTLS_CRT_X509: - return _gnutls_x509_get_raw_crt_expiration_time( - &info->raw_certificate_list[0]); - case GNUTLS_CRT_OPENPGP: - if (_E_gnutls_openpgp_get_raw_key_expiration_time==NULL) - return (time_t)-1; - return _E_gnutls_openpgp_get_raw_key_expiration_time( - &info->raw_certificate_list[0]); - default: - return (time_t)-1; - } + cert_auth_info_t info; + + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(session); + if (info == NULL) { + return (time_t) - 1; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) { + gnutls_assert(); + return (time_t) - 1; + } + + switch (gnutls_certificate_type_get(session)) { + case GNUTLS_CRT_X509: + return _gnutls_x509_get_raw_crt_expiration_time(&info-> + raw_certificate_list + [0]); + case GNUTLS_CRT_OPENPGP: + if (_E_gnutls_openpgp_get_raw_key_expiration_time == NULL) + return (time_t) - 1; + return _E_gnutls_openpgp_get_raw_key_expiration_time(&info-> + raw_certificate_list + [0]); + default: + return (time_t) - 1; + } } /** @@ -519,76 +533,77 @@ time_t gnutls_certificate_expiration_time_peers(gnutls_session session) **/ time_t gnutls_certificate_activation_time_peers(gnutls_session session) { - cert_auth_info_t info; - - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(session); - if (info == NULL) { - return (time_t) -1; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) { - gnutls_assert(); - return (time_t) -1; - } - - switch( gnutls_certificate_type_get( session)) { - case GNUTLS_CRT_X509: - return _gnutls_x509_get_raw_crt_activation_time( - &info->raw_certificate_list[0]); - case GNUTLS_CRT_OPENPGP: - if (_E_gnutls_openpgp_get_raw_key_creation_time==NULL) - return (time_t)-1; - return _E_gnutls_openpgp_get_raw_key_creation_time( - &info->raw_certificate_list[0]); - default: - return (time_t)-1; - } + cert_auth_info_t info; + + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(session); + if (info == NULL) { + return (time_t) - 1; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) { + gnutls_assert(); + return (time_t) - 1; + } + + switch (gnutls_certificate_type_get(session)) { + case GNUTLS_CRT_X509: + return _gnutls_x509_get_raw_crt_activation_time(&info-> + raw_certificate_list + [0]); + case GNUTLS_CRT_OPENPGP: + if (_E_gnutls_openpgp_get_raw_key_creation_time == NULL) + return (time_t) - 1; + return _E_gnutls_openpgp_get_raw_key_creation_time(&info-> + raw_certificate_list + [0]); + default: + return (time_t) - 1; + } } OPENPGP_RAW_KEY_TO_GCERT _E_gnutls_openpgp_raw_key_to_gcert; OPENPGP_RAW_PRIVKEY_TO_GKEY _E_gnutls_openpgp_raw_privkey_to_gkey; -int _gnutls_raw_cert_to_gcert(gnutls_cert * gcert, gnutls_certificate_type type, - const gnutls_datum *raw_cert, int flags /* OR of ConvFlags */) +int _gnutls_raw_cert_to_gcert(gnutls_cert * gcert, + gnutls_certificate_type type, + const gnutls_datum * raw_cert, + int flags /* OR of ConvFlags */ ) { - switch( type) { - case GNUTLS_CRT_X509: - return _gnutls_x509_raw_cert_to_gcert( gcert, - raw_cert, flags); - case GNUTLS_CRT_OPENPGP: - if (_E_gnutls_openpgp_raw_key_to_gcert==NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; - } - return - _E_gnutls_openpgp_raw_key_to_gcert( gcert, - raw_cert); - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + switch (type) { + case GNUTLS_CRT_X509: + return _gnutls_x509_raw_cert_to_gcert(gcert, raw_cert, flags); + case GNUTLS_CRT_OPENPGP: + if (_E_gnutls_openpgp_raw_key_to_gcert == NULL) { + gnutls_assert(); + return GNUTLS_E_INIT_LIBEXTRA; } + return _E_gnutls_openpgp_raw_key_to_gcert(gcert, raw_cert); + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } } -int _gnutls_raw_privkey_to_gkey(gnutls_privkey * key, gnutls_certificate_type type, - const gnutls_datum *raw_key, int key_enc /* DER or PEM */) +int _gnutls_raw_privkey_to_gkey(gnutls_privkey * key, + gnutls_certificate_type type, + const gnutls_datum * raw_key, + int key_enc /* DER or PEM */ ) { - switch( type) { - case GNUTLS_CRT_X509: - return _gnutls_x509_raw_privkey_to_gkey( key, - raw_key, key_enc); - case GNUTLS_CRT_OPENPGP: - if (_E_gnutls_openpgp_raw_privkey_to_gkey==NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; - } - return - _E_gnutls_openpgp_raw_privkey_to_gkey( key, raw_key); - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + switch (type) { + case GNUTLS_CRT_X509: + return _gnutls_x509_raw_privkey_to_gkey(key, raw_key, key_enc); + case GNUTLS_CRT_OPENPGP: + if (_E_gnutls_openpgp_raw_privkey_to_gkey == NULL) { + gnutls_assert(); + return GNUTLS_E_INIT_LIBEXTRA; } + return _E_gnutls_openpgp_raw_privkey_to_gkey(key, raw_key); + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } } @@ -601,113 +616,121 @@ int _gnutls_raw_privkey_to_gkey(gnutls_privkey * key, gnutls_certificate_type ty * extensions found in the certificate are unsupported and critical. * The critical extensions will be catched by the verification functions. */ -int _gnutls_x509_raw_cert_to_gcert(gnutls_cert * gcert, const gnutls_datum *derCert, - int flags /* OR of ConvFlags */) +int _gnutls_x509_raw_cert_to_gcert(gnutls_cert * gcert, + const gnutls_datum * derCert, + int flags /* OR of ConvFlags */ ) { - int ret; - gnutls_x509_crt cert; - - ret = gnutls_x509_crt_init( &cert); - if ( ret < 0) { - gnutls_assert(); - return ret; - } + int ret; + gnutls_x509_crt cert; - ret = gnutls_x509_crt_import( cert, derCert, GNUTLS_X509_FMT_DER); - if ( ret < 0) { - gnutls_assert(); - gnutls_x509_crt_deinit( cert); - return ret; - } - - ret = _gnutls_x509_crt_to_gcert( gcert, cert, flags); - gnutls_x509_crt_deinit( cert); - + ret = gnutls_x509_crt_init(&cert); + if (ret < 0) { + gnutls_assert(); return ret; + } + + ret = gnutls_x509_crt_import(cert, derCert, GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_crt_deinit(cert); + return ret; + } + + ret = _gnutls_x509_crt_to_gcert(gcert, cert, flags); + gnutls_x509_crt_deinit(cert); + + return ret; } /* Like above but it accepts a parsed certificate instead. */ int _gnutls_x509_crt_to_gcert(gnutls_cert * gcert, gnutls_x509_crt cert, - unsigned int flags) + unsigned int flags) { - int ret = 0; - - memset(gcert, 0, sizeof(gnutls_cert)); - gcert->cert_type = GNUTLS_CRT_X509; - - if ( !(flags & CERT_NO_COPY)) { - #define SMALL_DER 512 - opaque* der; - size_t der_size = SMALL_DER; - - /* initially allocate a bogus size, just in case the certificate - * fits in it. That way we minimize the DER encodings performed. - */ - der = gnutls_malloc( SMALL_DER); - if (der == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = gnutls_x509_crt_export( cert, GNUTLS_X509_FMT_DER, der, &der_size); - if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - gnutls_free(der); - return ret; - } - - if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { - der = gnutls_realloc( der, der_size); - if (der == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = gnutls_x509_crt_export( cert, GNUTLS_X509_FMT_DER, der, &der_size); - if (ret < 0) { - gnutls_assert(); - gnutls_free(der); - return ret; - } - } - - gcert->raw.data = der; - gcert->raw.size = der_size; - } else - /* now we have 0 or a bitwise or of things to decode */ - flags ^= CERT_NO_COPY; - - - if (flags & CERT_ONLY_EXTENSIONS || flags == 0) { - gnutls_x509_crt_get_key_usage( cert, &gcert->keyUsage, NULL); - gcert->version = gnutls_x509_crt_get_version( cert); + int ret = 0; + + memset(gcert, 0, sizeof(gnutls_cert)); + gcert->cert_type = GNUTLS_CRT_X509; + + if (!(flags & CERT_NO_COPY)) { +#define SMALL_DER 512 + opaque *der; + size_t der_size = SMALL_DER; + + /* initially allocate a bogus size, just in case the certificate + * fits in it. That way we minimize the DER encodings performed. + */ + der = gnutls_malloc(SMALL_DER); + if (der == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } - gcert->subject_pk_algorithm = gnutls_x509_crt_get_pk_algorithm( cert, NULL); - - if (flags & CERT_ONLY_PUBKEY || flags == 0) { - gcert->params_size = MAX_PUBLIC_PARAMS_SIZE; - ret = _gnutls_x509_crt_get_mpis( cert, gcert->params, &gcert->params_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + + ret = + gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_DER, der, + &der_size); + if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + gnutls_free(der); + return ret; } - return 0; + if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { + der = gnutls_realloc(der, der_size); + if (der == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = + gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_DER, der, + &der_size); + if (ret < 0) { + gnutls_assert(); + gnutls_free(der); + return ret; + } + } + + gcert->raw.data = der; + gcert->raw.size = der_size; + } else + /* now we have 0 or a bitwise or of things to decode */ + flags ^= CERT_NO_COPY; + + + if (flags & CERT_ONLY_EXTENSIONS || flags == 0) { + gnutls_x509_crt_get_key_usage(cert, &gcert->keyUsage, NULL); + gcert->version = gnutls_x509_crt_get_version(cert); + } + gcert->subject_pk_algorithm = + gnutls_x509_crt_get_pk_algorithm(cert, NULL); + + if (flags & CERT_ONLY_PUBKEY || flags == 0) { + gcert->params_size = MAX_PUBLIC_PARAMS_SIZE; + ret = + _gnutls_x509_crt_get_mpis(cert, gcert->params, + &gcert->params_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } + + return 0; } -void _gnutls_gcert_deinit(gnutls_cert *cert) +void _gnutls_gcert_deinit(gnutls_cert * cert) { - int i; + int i; - if (cert == NULL) return; + if (cert == NULL) + return; - for (i = 0; i < cert->params_size; i++) { - _gnutls_mpi_release( &cert->params[i]); - } + for (i = 0; i < cert->params_size; i++) { + _gnutls_mpi_release(&cert->params[i]); + } - _gnutls_free_datum(&cert->raw); + _gnutls_free_datum(&cert->raw); } - diff --git a/lib/gnutls_cert.h b/lib/gnutls_cert.h index 66c66a829f..37e1a821f6 100644 --- a/lib/gnutls_cert.h +++ b/lib/gnutls_cert.h @@ -6,7 +6,7 @@ #include <gnutls_ui.h> #include "x509/x509.h" -#define MAX_PUBLIC_PARAMS_SIZE 4 /* ok for RSA and DSA */ +#define MAX_PUBLIC_PARAMS_SIZE 4 /* ok for RSA and DSA */ /* parameters should not be larger than this limit */ #define DSA_PUBLIC_PARAMS 4 @@ -26,75 +26,81 @@ #define KEY_DECIPHER_ONLY 32768 typedef struct gnutls_cert { - mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; /* the size of params depends on the public - * key algorithm - * RSA: [0] is modulus - * [1] is public exponent - * DSA: [0] is p - * [1] is q - * [2] is g - * [3] is public key + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; /* the size of params depends on the public + * key algorithm + * RSA: [0] is modulus + * [1] is public exponent + * DSA: [0] is p + * [1] is q + * [2] is g + * [3] is public key + */ + int params_size; /* holds the size of MPI params */ + + gnutls_pk_algorithm subject_pk_algorithm; + + unsigned int keyUsage; /* bits from KEY_* */ - int params_size; /* holds the size of MPI params */ - - gnutls_pk_algorithm subject_pk_algorithm; - - unsigned int keyUsage; /* bits from KEY_* - */ - - unsigned int version; - /* holds the type (PGP, X509) - */ - gnutls_certificate_type cert_type; - - gnutls_datum raw; - + + unsigned int version; + /* holds the type (PGP, X509) + */ + gnutls_certificate_type cert_type; + + gnutls_datum raw; + } gnutls_cert; typedef struct gnutls_privkey_int { - mpi_t params[MAX_PRIV_PARAMS_SIZE];/* the size of params depends on the public - * key algorithm - */ - /* - * RSA: [0] is modulus - * [1] is public exponent - * [2] is private exponent - * [3] is prime1 (p) - * [4] is prime2 (q) - * [5] is coefficient (u == inverse of p mod q) - * DSA: [0] is p - * [1] is q - * [2] is g - * [3] is y (public key) - * [4] is x (private key) - */ - int params_size; /* holds the number of params */ - - gnutls_pk_algorithm pk_algorithm; + mpi_t params[MAX_PRIV_PARAMS_SIZE]; /* the size of params depends on the public + * key algorithm + */ + /* + * RSA: [0] is modulus + * [1] is public exponent + * [2] is private exponent + * [3] is prime1 (p) + * [4] is prime2 (q) + * [5] is coefficient (u == inverse of p mod q) + * DSA: [0] is p + * [1] is q + * [2] is g + * [3] is y (public key) + * [4] is x (private key) + */ + int params_size; /* holds the number of params */ + + gnutls_pk_algorithm pk_algorithm; } gnutls_privkey; -struct gnutls_session_int; /* because gnutls_session is not defined when this file is included */ +struct gnutls_session_int; /* because gnutls_session is not defined when this file is included */ -typedef enum ConvFlags { - CERT_NO_COPY=2, - CERT_ONLY_PUBKEY=4, - CERT_ONLY_EXTENSIONS=16 +typedef enum ConvFlags { + CERT_NO_COPY = 2, + CERT_ONLY_PUBKEY = 4, + CERT_ONLY_EXTENSIONS = 16 } ConvFlags; -int _gnutls_x509_raw_cert_to_gcert(gnutls_cert * gcert, const gnutls_datum *derCert, - int flags); +int _gnutls_x509_raw_cert_to_gcert(gnutls_cert * gcert, + const gnutls_datum * derCert, + int flags); int _gnutls_x509_crt_to_gcert(gnutls_cert * gcert, gnutls_x509_crt cert, - unsigned int flags); - -void _gnutls_gkey_deinit(gnutls_privkey *key); -void _gnutls_gcert_deinit(gnutls_cert *cert); - -int _gnutls_selected_cert_supported_kx(struct gnutls_session_int* session, - gnutls_kx_algorithm ** alg, int *alg_size); - -int _gnutls_raw_cert_to_gcert(gnutls_cert * gcert, gnutls_certificate_type type, - const gnutls_datum *raw_cert, int flags /* OR of ConvFlags */); -int _gnutls_raw_privkey_to_gkey(gnutls_privkey * key, gnutls_certificate_type type, - const gnutls_datum *raw_key, int key_enc /* DER or PEM */); + unsigned int flags); + +void _gnutls_gkey_deinit(gnutls_privkey * key); +void _gnutls_gcert_deinit(gnutls_cert * cert); + +int _gnutls_selected_cert_supported_kx(struct gnutls_session_int *session, + gnutls_kx_algorithm ** alg, + int *alg_size); + +int _gnutls_raw_cert_to_gcert(gnutls_cert * gcert, + gnutls_certificate_type type, + const gnutls_datum * raw_cert, + int flags /* OR of ConvFlags */ ); +int _gnutls_raw_privkey_to_gkey(gnutls_privkey * key, + gnutls_certificate_type type, + const gnutls_datum * raw_key, + int key_enc /* DER or PEM */ ); #endif diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index c892624880..259a752abc 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -39,20 +39,22 @@ #include "gnutls_record.h" #include "gnutls_constate.h" -inline static int -is_write_comp_null( gnutls_session session) { - if (session->security_parameters.write_compression_algorithm == GNUTLS_COMP_NULL) - return 0; - - return 1; +inline static int is_write_comp_null(gnutls_session session) +{ + if (session->security_parameters.write_compression_algorithm == + GNUTLS_COMP_NULL) + return 0; + + return 1; } -inline static int -is_read_comp_null( gnutls_session session) { - if (session->security_parameters.read_compression_algorithm == GNUTLS_COMP_NULL) - return 0; - - return 1; +inline static int is_read_comp_null(gnutls_session session) +{ + if (session->security_parameters.read_compression_algorithm == + GNUTLS_COMP_NULL) + return 0; + + return 1; } @@ -61,188 +63,189 @@ is_read_comp_null( gnutls_session session) { * * If random pad != 0 then the random pad data will be appended. */ -int _gnutls_encrypt(gnutls_session session, const opaque* headers, size_t headers_size, - const opaque *data, size_t data_size, - opaque * ciphertext, size_t ciphertext_size, content_type_t type, int random_pad) +int _gnutls_encrypt(gnutls_session session, const opaque * headers, + size_t headers_size, const opaque * data, + size_t data_size, opaque * ciphertext, + size_t ciphertext_size, content_type_t type, + int random_pad) { - gnutls_datum plain; - gnutls_datum comp; - int ret; - int free_comp = 1; - - plain.data = (opaque*)data; - plain.size = data_size; - - if (plain.size == 0 || is_write_comp_null( session)==0) { - comp = plain; - free_comp = 0; - } else { - /* Here comp is allocated and must be - * freed. - */ - ret = _gnutls_m_plaintext2compressed(session, &comp, plain); - if (ret < 0) { - gnutls_assert(); - return ret; - } + gnutls_datum plain; + gnutls_datum comp; + int ret; + int free_comp = 1; + + plain.data = (opaque *) data; + plain.size = data_size; + + if (plain.size == 0 || is_write_comp_null(session) == 0) { + comp = plain; + free_comp = 0; + } else { + /* Here comp is allocated and must be + * freed. + */ + ret = _gnutls_m_plaintext2compressed(session, &comp, plain); + if (ret < 0) { + gnutls_assert(); + return ret; } + } - ret = _gnutls_compressed2ciphertext(session, &ciphertext[headers_size], - ciphertext_size - headers_size, comp, type, random_pad); + ret = _gnutls_compressed2ciphertext(session, &ciphertext[headers_size], + ciphertext_size - headers_size, + comp, type, random_pad); - if (free_comp) - _gnutls_free_datum(&comp); + if (free_comp) + _gnutls_free_datum(&comp); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* copy the headers */ - memcpy( ciphertext, headers, headers_size); - _gnutls_write_uint16( ret, &ciphertext[3]); + /* copy the headers */ + memcpy(ciphertext, headers, headers_size); + _gnutls_write_uint16(ret, &ciphertext[3]); - return ret+headers_size; + return ret + headers_size; } /* Decrypts the given data. * Returns the decrypted data length. */ -int _gnutls_decrypt(gnutls_session session, opaque *ciphertext, - size_t ciphertext_size, uint8 * data, size_t max_data_size, - content_type_t type) +int _gnutls_decrypt(gnutls_session session, opaque * ciphertext, + size_t ciphertext_size, uint8 * data, + size_t max_data_size, content_type_t type) { - gnutls_datum gtxt; - gnutls_datum gcipher; - int ret; + gnutls_datum gtxt; + gnutls_datum gcipher; + int ret; + + if (ciphertext_size == 0) + return 0; + + gcipher.size = ciphertext_size; + gcipher.data = ciphertext; + + ret = + _gnutls_ciphertext2compressed(session, data, max_data_size, + gcipher, type); + if (ret < 0) { + return ret; + } - if (ciphertext_size == 0) - return 0; + if (ret == 0 || is_read_comp_null(session) == 0) { + /* ret == ret */ - gcipher.size = ciphertext_size; - gcipher.data = ciphertext; + } else { + gnutls_datum gcomp; - ret = _gnutls_ciphertext2compressed(session, data, max_data_size, gcipher, type); + /* compression has this malloc overhead. + */ + + gcomp.data = data; + gcomp.size = ret; + ret = _gnutls_m_compressed2plaintext(session, >xt, gcomp); if (ret < 0) { - return ret; + return ret; } - if (ret==0 || is_read_comp_null( session)==0) { - /* ret == ret */ - - } else { - gnutls_datum gcomp; - - /* compression has this malloc overhead. - */ - - gcomp.data = data; - gcomp.size = ret; - ret = _gnutls_m_compressed2plaintext(session, >xt, gcomp); - if (ret < 0) { - return ret; - } - - if (gtxt.size > max_data_size) { - gnutls_assert(); - _gnutls_free_datum( >xt); - /* This shouldn't have happen and - * is a TLS fatal error. - */ - return GNUTLS_E_INTERNAL_ERROR; - } - - memcpy( data, gtxt.data, gtxt.size); - ret = gtxt.size; - - _gnutls_free_datum( >xt); + if (gtxt.size > max_data_size) { + gnutls_assert(); + _gnutls_free_datum(>xt); + /* This shouldn't have happen and + * is a TLS fatal error. + */ + return GNUTLS_E_INTERNAL_ERROR; } - - return ret; + + memcpy(data, gtxt.data, gtxt.size); + ret = gtxt.size; + + _gnutls_free_datum(>xt); + } + + return ret; } inline -static mac_hd_t -mac_init( gnutls_mac_algorithm mac, opaque* secret, int secret_size, int ver) + static mac_hd_t +mac_init(gnutls_mac_algorithm mac, opaque * secret, int secret_size, + int ver) { -mac_hd_t td; + mac_hd_t td; - if (mac == GNUTLS_MAC_NULL) return GNUTLS_MAC_FAILED; + if (mac == GNUTLS_MAC_NULL) + return GNUTLS_MAC_FAILED; - if ( ver == GNUTLS_SSL3) { /* SSL 3.0 */ - td = - _gnutls_mac_init_ssl3( mac, secret, - secret_size); - } else { /* TLS 1.x */ - td = - _gnutls_hmac_init( mac, secret, secret_size); - } - - return td; + if (ver == GNUTLS_SSL3) { /* SSL 3.0 */ + td = _gnutls_mac_init_ssl3(mac, secret, secret_size); + } else { /* TLS 1.x */ + td = _gnutls_hmac_init(mac, secret, secret_size); + } + + return td; } -inline -static void mac_deinit( mac_hd_t td, opaque* res, int ver) +inline static void mac_deinit(mac_hd_t td, opaque * res, int ver) { - if ( ver == GNUTLS_SSL3) { /* SSL 3.0 */ - _gnutls_mac_deinit_ssl3(td, res); - } else { - _gnutls_hmac_deinit(td, res); - } + if (ver == GNUTLS_SSL3) { /* SSL 3.0 */ + _gnutls_mac_deinit_ssl3(td, res); + } else { + _gnutls_hmac_deinit(td, res); + } } inline -static int calc_enc_length( - gnutls_session session, int data_size, int hash_size, uint8* pad, - int random_pad, cipher_type_t block_algo, uint16 blocksize) + static int calc_enc_length(gnutls_session session, int data_size, + int hash_size, uint8 * pad, int random_pad, + cipher_type_t block_algo, uint16 blocksize) { -uint8 rand; -int length; - - *pad = 0; - - switch ( block_algo) { - case CIPHER_STREAM: - length = - data_size + hash_size; - - break; - case CIPHER_BLOCK: - if (_gnutls_get_random(&rand, 1, GNUTLS_WEAK_RANDOM) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - /* make rand a multiple of blocksize */ - if ( session->security_parameters.version == GNUTLS_SSL3 || - random_pad==0) { - rand = 0; - } else { - rand = (rand / blocksize) * blocksize; - /* added to avoid the case of pad calculated 0 - * seen below for pad calculation. - */ - if (rand > blocksize) rand-=blocksize; - } - - length = - data_size + - hash_size; - - *pad = (uint8) (blocksize - (length % blocksize)) + rand; - - length += *pad; - if ( session->security_parameters.version >= GNUTLS_TLS1_1) - length += blocksize; /* for the IV */ - - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + uint8 rand; + int length; + + *pad = 0; + + switch (block_algo) { + case CIPHER_STREAM: + length = data_size + hash_size; + + break; + case CIPHER_BLOCK: + if (_gnutls_get_random(&rand, 1, GNUTLS_WEAK_RANDOM) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } - return length; + /* make rand a multiple of blocksize */ + if (session->security_parameters.version == GNUTLS_SSL3 || + random_pad == 0) { + rand = 0; + } else { + rand = (rand / blocksize) * blocksize; + /* added to avoid the case of pad calculated 0 + * seen below for pad calculation. + */ + if (rand > blocksize) + rand -= blocksize; + } + + length = data_size + hash_size; + + *pad = (uint8) (blocksize - (length % blocksize)) + rand; + + length += *pad; + if (session->security_parameters.version >= GNUTLS_TLS1_1) + length += blocksize; /* for the IV */ + + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + return length; } /* This is the actual encryption @@ -251,261 +254,276 @@ int length; * return the actual encrypted data length. */ int _gnutls_compressed2ciphertext(gnutls_session session, - opaque* cipher_data, int cipher_size, - gnutls_datum compressed, content_type_t _type, - int random_pad) + opaque * cipher_data, int cipher_size, + gnutls_datum compressed, + content_type_t _type, int random_pad) { - uint8 MAC[MAX_HASH_SIZE]; - uint16 c_length; - uint8 pad; - int length,ret; - mac_hd_t td; - uint8 type = _type; - uint8 major, minor; - int hash_size = _gnutls_hash_get_algo_len(session->security_parameters.write_mac_algorithm); - gnutls_protocol_version ver; - int blocksize = - _gnutls_cipher_get_block_size(session->security_parameters. - write_bulk_cipher_algorithm); - cipher_type_t block_algo = _gnutls_cipher_is_block(session->security_parameters.write_bulk_cipher_algorithm); - opaque* data_ptr; - - - ver = gnutls_protocol_get_version( session); - minor = _gnutls_version_get_minor( ver); - major = _gnutls_version_get_major( ver); - - - /* Initialize MAC */ - td = mac_init(session->security_parameters.write_mac_algorithm, + uint8 MAC[MAX_HASH_SIZE]; + uint16 c_length; + uint8 pad; + int length, ret; + mac_hd_t td; + uint8 type = _type; + uint8 major, minor; + int hash_size = + _gnutls_hash_get_algo_len(session->security_parameters. + write_mac_algorithm); + gnutls_protocol_version ver; + int blocksize = + _gnutls_cipher_get_block_size(session->security_parameters. + write_bulk_cipher_algorithm); + cipher_type_t block_algo = + _gnutls_cipher_is_block(session->security_parameters. + write_bulk_cipher_algorithm); + opaque *data_ptr; + + + ver = gnutls_protocol_get_version(session); + minor = _gnutls_version_get_minor(ver); + major = _gnutls_version_get_major(ver); + + + /* Initialize MAC */ + td = mac_init(session->security_parameters.write_mac_algorithm, session->connection_state.write_mac_secret.data, session->connection_state.write_mac_secret.size, ver); - if (td == GNUTLS_MAC_FAILED - && session->security_parameters.write_mac_algorithm != GNUTLS_MAC_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - c_length = _gnutls_conv_uint16(compressed.size); - - if (td != GNUTLS_MAC_FAILED) { /* actually when the algorithm in not the NULL one */ - _gnutls_hmac(td, UINT64DATA(session->connection_state.write_sequence_number), 8); - - _gnutls_hmac(td, &type, 1); - if ( ver >= GNUTLS_TLS1) { /* TLS 1.0 or higher */ - _gnutls_hmac(td, &major, 1); - _gnutls_hmac(td, &minor, 1); - } - _gnutls_hmac(td, &c_length, 2); - _gnutls_hmac(td, compressed.data, compressed.size); - mac_deinit( td, MAC, ver); - } + if (td == GNUTLS_MAC_FAILED + && session->security_parameters.write_mac_algorithm != + GNUTLS_MAC_NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + c_length = _gnutls_conv_uint16(compressed.size); - /* Calculate the encrypted length (padding etc.) - */ - length = calc_enc_length( session, compressed.size, hash_size, &pad, random_pad, block_algo, - blocksize); - if (length < 0) { - gnutls_assert(); - return length; - } + if (td != GNUTLS_MAC_FAILED) { /* actually when the algorithm in not the NULL one */ + _gnutls_hmac(td, + UINT64DATA(session->connection_state. + write_sequence_number), 8); - /* copy the encrypted data to cipher_data. - */ - if (cipher_size < length) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + _gnutls_hmac(td, &type, 1); + if (ver >= GNUTLS_TLS1) { /* TLS 1.0 or higher */ + _gnutls_hmac(td, &major, 1); + _gnutls_hmac(td, &minor, 1); } - - data_ptr = cipher_data; - if ( block_algo==CIPHER_BLOCK && - session->security_parameters.version >= GNUTLS_TLS1_1) - { - /* copy the random IV. - */ - if (_gnutls_get_random(data_ptr, blocksize, GNUTLS_WEAK_RANDOM) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - data_ptr += blocksize; - } - - memcpy(data_ptr, compressed.data, compressed.size); - data_ptr += compressed.size; - - if (hash_size > 0) { - memcpy(data_ptr, MAC, hash_size); - data_ptr += hash_size; - } - if (block_algo==CIPHER_BLOCK && pad > 0) { - memset(data_ptr, pad - 1, pad); - } - - - /* Actual encryption (inplace). + _gnutls_hmac(td, &c_length, 2); + _gnutls_hmac(td, compressed.data, compressed.size); + mac_deinit(td, MAC, ver); + } + + + /* Calculate the encrypted length (padding etc.) + */ + length = + calc_enc_length(session, compressed.size, hash_size, &pad, + random_pad, block_algo, blocksize); + if (length < 0) { + gnutls_assert(); + return length; + } + + /* copy the encrypted data to cipher_data. + */ + if (cipher_size < length) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + data_ptr = cipher_data; + if (block_algo == CIPHER_BLOCK && + session->security_parameters.version >= GNUTLS_TLS1_1) { + /* copy the random IV. */ - ret = _gnutls_cipher_encrypt(session->connection_state. - write_cipher_state, cipher_data, - length); - if (ret < 0) { - gnutls_assert(); - return ret; + if (_gnutls_get_random(data_ptr, blocksize, GNUTLS_WEAK_RANDOM) < + 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + data_ptr += blocksize; + } + + memcpy(data_ptr, compressed.data, compressed.size); + data_ptr += compressed.size; + + if (hash_size > 0) { + memcpy(data_ptr, MAC, hash_size); + data_ptr += hash_size; + } + if (block_algo == CIPHER_BLOCK && pad > 0) { + memset(data_ptr, pad - 1, pad); + } + + + /* Actual encryption (inplace). + */ + ret = _gnutls_cipher_encrypt(session->connection_state. + write_cipher_state, cipher_data, length); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return length; + return length; } /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size. * Returns the actual compressed packet size. */ int _gnutls_ciphertext2compressed(gnutls_session session, - opaque* compress_data, int compress_size, - gnutls_datum ciphertext, uint8 type) + opaque * compress_data, + int compress_size, + gnutls_datum ciphertext, uint8 type) { - uint8 MAC[MAX_HASH_SIZE]; - uint16 c_length; - uint8 pad; - int length; - mac_hd_t td; - uint16 blocksize; - int ret, i, pad_failed = 0; - uint8 major, minor; - gnutls_protocol_version ver; - int hash_size = _gnutls_hash_get_algo_len(session->security_parameters.read_mac_algorithm); - - ver = gnutls_protocol_get_version( session); - minor = _gnutls_version_get_minor(ver); - major = _gnutls_version_get_major(ver); - - blocksize = _gnutls_cipher_get_block_size(session->security_parameters. - read_bulk_cipher_algorithm); - - /* initialize MAC - */ - td = mac_init( session->security_parameters.read_mac_algorithm, - session->connection_state.read_mac_secret.data, - session->connection_state.read_mac_secret.size, ver); - - if (td == GNUTLS_MAC_FAILED - && session->security_parameters.read_mac_algorithm != GNUTLS_MAC_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + uint8 MAC[MAX_HASH_SIZE]; + uint16 c_length; + uint8 pad; + int length; + mac_hd_t td; + uint16 blocksize; + int ret, i, pad_failed = 0; + uint8 major, minor; + gnutls_protocol_version ver; + int hash_size = + _gnutls_hash_get_algo_len(session->security_parameters. + read_mac_algorithm); + + ver = gnutls_protocol_get_version(session); + minor = _gnutls_version_get_minor(ver); + major = _gnutls_version_get_major(ver); + + blocksize = _gnutls_cipher_get_block_size(session->security_parameters. + read_bulk_cipher_algorithm); + + /* initialize MAC + */ + td = mac_init(session->security_parameters.read_mac_algorithm, + session->connection_state.read_mac_secret.data, + session->connection_state.read_mac_secret.size, ver); + + if (td == GNUTLS_MAC_FAILED + && session->security_parameters.read_mac_algorithm != + GNUTLS_MAC_NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + + /* actual decryption (inplace) + */ + switch (_gnutls_cipher_is_block + (session->security_parameters.read_bulk_cipher_algorithm)) { + case CIPHER_STREAM: + if ((ret = _gnutls_cipher_decrypt(session->connection_state. + read_cipher_state, + ciphertext.data, + ciphertext.size)) < 0) { + gnutls_assert(); + return ret; } + length = ciphertext.size - hash_size; - /* actual decryption (inplace) - */ - switch (_gnutls_cipher_is_block(session->security_parameters.read_bulk_cipher_algorithm)) { - case CIPHER_STREAM: - if ( (ret = _gnutls_cipher_decrypt(session->connection_state. - read_cipher_state, ciphertext.data, - ciphertext.size)) < 0) { - gnutls_assert(); - return ret; - } - - length = - ciphertext.size - hash_size; - - break; - case CIPHER_BLOCK: - if ((ciphertext.size < blocksize) - || (ciphertext.size % blocksize != 0)) { - gnutls_assert(); - return GNUTLS_E_DECRYPTION_FAILED; - } - - if ( (ret = _gnutls_cipher_decrypt(session->connection_state. - read_cipher_state, ciphertext.data, - ciphertext.size)) < 0) { - gnutls_assert(); - return ret; - } - - /* ignore the IV in TLS 1.1. - */ - if (session->security_parameters.version >= GNUTLS_TLS1_1) { - ciphertext.size -= blocksize; - ciphertext.data += blocksize; - - if (ciphertext.size == 0) { - gnutls_assert(); - return GNUTLS_E_DECRYPTION_FAILED; - } - } - - pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ - - length = - ciphertext.size - hash_size - pad; - - if (pad > ciphertext.size - hash_size) { - gnutls_assert(); - /* We do not fail here. We check below for the - * the pad_failed. If zero means success. - */ - pad_failed = GNUTLS_E_DECRYPTION_FAILED; - } - - /* Check the pading bytes (TLS 1.x) - */ - if ( ver >= GNUTLS_TLS1) - for (i=2;i<pad;i++) { - if (ciphertext.data[ciphertext.size-i] != ciphertext.data[ciphertext.size - 1]) - pad_failed = GNUTLS_E_DECRYPTION_FAILED; - } - - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + break; + case CIPHER_BLOCK: + if ((ciphertext.size < blocksize) + || (ciphertext.size % blocksize != 0)) { + gnutls_assert(); + return GNUTLS_E_DECRYPTION_FAILED; } - if (length < 0) length = 0; - c_length = _gnutls_conv_uint16((uint16) length); - - /* Pass the type, version, length and compressed through - * MAC. - */ - if (td != GNUTLS_MAC_FAILED) { - _gnutls_hmac(td, UINT64DATA(session->connection_state.read_sequence_number), 8); - - _gnutls_hmac(td, &type, 1); - if ( ver >= GNUTLS_TLS1) { /* TLS 1.x */ - _gnutls_hmac(td, &major, 1); - _gnutls_hmac(td, &minor, 1); - } - _gnutls_hmac(td, &c_length, 2); - - if (length > 0) - _gnutls_hmac(td, ciphertext.data, length); - - mac_deinit( td, MAC, ver); + if ((ret = _gnutls_cipher_decrypt(session->connection_state. + read_cipher_state, + ciphertext.data, + ciphertext.size)) < 0) { + gnutls_assert(); + return ret; } - /* This one was introduced to avoid a timing attack against the TLS - * 1.0 protocol. + /* ignore the IV in TLS 1.1. */ - if (pad_failed != 0) return pad_failed; + if (session->security_parameters.version >= GNUTLS_TLS1_1) { + ciphertext.size -= blocksize; + ciphertext.data += blocksize; - /* HMAC was not the same. - */ - if (memcmp - (MAC, &ciphertext.data[length], hash_size) != 0) { + if (ciphertext.size == 0) { gnutls_assert(); return GNUTLS_E_DECRYPTION_FAILED; + } } - /* copy the decrypted stuff to compress_data. - */ - if (compress_size < length) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ + + length = ciphertext.size - hash_size - pad; + + if (pad > ciphertext.size - hash_size) { + gnutls_assert(); + /* We do not fail here. We check below for the + * the pad_failed. If zero means success. + */ + pad_failed = GNUTLS_E_DECRYPTION_FAILED; } - memcpy( compress_data, ciphertext.data, length); - return length; + /* Check the pading bytes (TLS 1.x) + */ + if (ver >= GNUTLS_TLS1) + for (i = 2; i < pad; i++) { + if (ciphertext.data[ciphertext.size - i] != + ciphertext.data[ciphertext.size - 1]) + pad_failed = GNUTLS_E_DECRYPTION_FAILED; + } + + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (length < 0) + length = 0; + c_length = _gnutls_conv_uint16((uint16) length); + + /* Pass the type, version, length and compressed through + * MAC. + */ + if (td != GNUTLS_MAC_FAILED) { + _gnutls_hmac(td, + UINT64DATA(session->connection_state. + read_sequence_number), 8); + + _gnutls_hmac(td, &type, 1); + if (ver >= GNUTLS_TLS1) { /* TLS 1.x */ + _gnutls_hmac(td, &major, 1); + _gnutls_hmac(td, &minor, 1); + } + _gnutls_hmac(td, &c_length, 2); + + if (length > 0) + _gnutls_hmac(td, ciphertext.data, length); + + mac_deinit(td, MAC, ver); + } + + /* This one was introduced to avoid a timing attack against the TLS + * 1.0 protocol. + */ + if (pad_failed != 0) + return pad_failed; + + /* HMAC was not the same. + */ + if (memcmp(MAC, &ciphertext.data[length], hash_size) != 0) { + gnutls_assert(); + return GNUTLS_E_DECRYPTION_FAILED; + } + + /* copy the decrypted stuff to compress_data. + */ + if (compress_size < length) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + memcpy(compress_data, ciphertext.data, length); + + return length; } - diff --git a/lib/gnutls_cipher.h b/lib/gnutls_cipher.h index bc89aad4ab..972c01cf87 100644 --- a/lib/gnutls_cipher.h +++ b/lib/gnutls_cipher.h @@ -18,13 +18,20 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -int _gnutls_encrypt( gnutls_session session, const opaque* headers, size_t headers_size, const opaque* data, size_t data_size, - opaque* ciphertext, size_t ciphertext_size, content_type_t type, int random_pad); +int _gnutls_encrypt(gnutls_session session, const opaque * headers, + size_t headers_size, const opaque * data, + size_t data_size, opaque * ciphertext, + size_t ciphertext_size, content_type_t type, + int random_pad); -int _gnutls_decrypt(gnutls_session session, opaque *ciphertext, +int _gnutls_decrypt(gnutls_session session, opaque * ciphertext, size_t ciphertext_size, uint8 * data, size_t data_size, content_type_t type); -int _gnutls_compressed2ciphertext(gnutls_session session, opaque* cipher_data, int cipher_size, gnutls_datum compressed, - content_type_t _type, int random_pad); -int _gnutls_ciphertext2compressed(gnutls_session session, opaque * compress_data, int compress_size, - gnutls_datum ciphertext, uint8 type); +int _gnutls_compressed2ciphertext(gnutls_session session, + opaque * cipher_data, int cipher_size, + gnutls_datum compressed, + content_type_t _type, int random_pad); +int _gnutls_ciphertext2compressed(gnutls_session session, + opaque * compress_data, + int compress_size, + gnutls_datum ciphertext, uint8 type); diff --git a/lib/gnutls_cipher_int.c b/lib/gnutls_cipher_int.c index c68a243736..24ff0370ee 100644 --- a/lib/gnutls_cipher_int.c +++ b/lib/gnutls_cipher_int.c @@ -25,75 +25,91 @@ #include <gnutls_cipher_int.h> #include <gnutls_datum.h> -cipher_hd_t _gnutls_cipher_init( gnutls_cipher_algorithm cipher, - const gnutls_datum *key, const gnutls_datum *iv) +cipher_hd_t _gnutls_cipher_init(gnutls_cipher_algorithm cipher, + const gnutls_datum * key, + const gnutls_datum * iv) { -cipher_hd_t ret = NULL; -gcry_error_t err = GPG_ERR_GENERAL; /* doesn't matter */ + cipher_hd_t ret = NULL; + gcry_error_t err = GPG_ERR_GENERAL; /* doesn't matter */ - switch (cipher) { - case GNUTLS_CIPHER_AES_128_CBC: - err = gcry_cipher_open(&ret, GCRY_CIPHER_RIJNDAEL, GCRY_CIPHER_MODE_CBC, 0); - break; - case GNUTLS_CIPHER_AES_256_CBC: - err = gcry_cipher_open(&ret, GCRY_CIPHER_RIJNDAEL256, GCRY_CIPHER_MODE_CBC, 0); - break; - case GNUTLS_CIPHER_3DES_CBC: - err = gcry_cipher_open(&ret, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_CBC, 0); - break; - case GNUTLS_CIPHER_DES_CBC: - err = gcry_cipher_open(&ret, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_CBC, 0); - break; - case GNUTLS_CIPHER_ARCFOUR_128: - case GNUTLS_CIPHER_ARCFOUR_40: - err = gcry_cipher_open(&ret, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0); - break; - case GNUTLS_CIPHER_RC2_40_CBC: - err = gcry_cipher_open(&ret, GCRY_CIPHER_RFC2268_40, GCRY_CIPHER_MODE_CBC, 0); - break; - default: - return NULL; - } + switch (cipher) { + case GNUTLS_CIPHER_AES_128_CBC: + err = + gcry_cipher_open(&ret, GCRY_CIPHER_RIJNDAEL, + GCRY_CIPHER_MODE_CBC, 0); + break; + case GNUTLS_CIPHER_AES_256_CBC: + err = + gcry_cipher_open(&ret, GCRY_CIPHER_RIJNDAEL256, + GCRY_CIPHER_MODE_CBC, 0); + break; + case GNUTLS_CIPHER_3DES_CBC: + err = + gcry_cipher_open(&ret, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_CBC, + 0); + break; + case GNUTLS_CIPHER_DES_CBC: + err = + gcry_cipher_open(&ret, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_CBC, + 0); + break; + case GNUTLS_CIPHER_ARCFOUR_128: + case GNUTLS_CIPHER_ARCFOUR_40: + err = + gcry_cipher_open(&ret, GCRY_CIPHER_ARCFOUR, + GCRY_CIPHER_MODE_STREAM, 0); + break; + case GNUTLS_CIPHER_RC2_40_CBC: + err = + gcry_cipher_open(&ret, GCRY_CIPHER_RFC2268_40, + GCRY_CIPHER_MODE_CBC, 0); + break; + default: + return NULL; + } - if (err == 0) { - gcry_cipher_setkey(ret, key->data, key->size); - if (iv->data!=NULL && iv->size>0) gcry_cipher_setiv(ret, iv->data, iv->size); - } else if (cipher != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - _gnutls_x509_log("Gcrypt cipher[%d] error: %s\n", cipher, gcry_strerror(err)); - } + if (err == 0) { + gcry_cipher_setkey(ret, key->data, key->size); + if (iv->data != NULL && iv->size > 0) + gcry_cipher_setiv(ret, iv->data, iv->size); + } else if (cipher != GNUTLS_CIPHER_NULL) { + gnutls_assert(); + _gnutls_x509_log("Gcrypt cipher[%d] error: %s\n", cipher, + gcry_strerror(err)); + } - return ret; + return ret; } -int _gnutls_cipher_encrypt(cipher_hd_t handle, void* text, - int textlen) +int _gnutls_cipher_encrypt(cipher_hd_t handle, void *text, int textlen) { - if (handle!=GNUTLS_CIPHER_FAILED) { - if (gcry_cipher_encrypt( handle, text, textlen, NULL, textlen)!=0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (handle != GNUTLS_CIPHER_FAILED) { + if (gcry_cipher_encrypt(handle, text, textlen, NULL, textlen) != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - return 0; + } + return 0; } -int _gnutls_cipher_decrypt(cipher_hd_t handle, void* ciphertext, - int ciphertextlen) +int _gnutls_cipher_decrypt(cipher_hd_t handle, void *ciphertext, + int ciphertextlen) { - if (handle!=GNUTLS_CIPHER_FAILED) { - if (gcry_cipher_decrypt( handle, ciphertext, ciphertextlen, NULL, ciphertextlen)!=0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (handle != GNUTLS_CIPHER_FAILED) { + if (gcry_cipher_decrypt + (handle, ciphertext, ciphertextlen, NULL, + ciphertextlen) != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - return 0; + } + return 0; } -void _gnutls_cipher_deinit(cipher_hd_t handle) +void _gnutls_cipher_deinit(cipher_hd_t handle) { - if (handle!=GNUTLS_CIPHER_FAILED) { - gcry_cipher_close(handle); - } + if (handle != GNUTLS_CIPHER_FAILED) { + gcry_cipher_close(handle); + } } diff --git a/lib/gnutls_cipher_int.h b/lib/gnutls_cipher_int.h index b1dc79569d..c27631a319 100644 --- a/lib/gnutls_cipher_int.h +++ b/lib/gnutls_cipher_int.h @@ -24,10 +24,12 @@ #define cipher_hd_t gcry_cipher_hd_t #define GNUTLS_CIPHER_FAILED NULL -cipher_hd_t _gnutls_cipher_init( gnutls_cipher_algorithm cipher, - const gnutls_datum *key, const gnutls_datum *iv); -int _gnutls_cipher_encrypt(cipher_hd_t handle, void* text, int textlen); -int _gnutls_cipher_decrypt(cipher_hd_t handle, void* ciphertext, int ciphertextlen); +cipher_hd_t _gnutls_cipher_init(gnutls_cipher_algorithm cipher, + const gnutls_datum * key, + const gnutls_datum * iv); +int _gnutls_cipher_encrypt(cipher_hd_t handle, void *text, int textlen); +int _gnutls_cipher_decrypt(cipher_hd_t handle, void *ciphertext, + int ciphertextlen); void _gnutls_cipher_deinit(cipher_hd_t handle); -#endif /* GNUTLS_CIPHER_INT */ +#endif /* GNUTLS_CIPHER_INT */ diff --git a/lib/gnutls_compress.c b/lib/gnutls_compress.c index 06d5ccdef9..80b3036110 100644 --- a/lib/gnutls_compress.c +++ b/lib/gnutls_compress.c @@ -32,41 +32,43 @@ /* These functions allocate the return value internally */ int _gnutls_m_plaintext2compressed(gnutls_session session, - gnutls_datum* - compress, - gnutls_datum plaintext) + gnutls_datum * + compress, gnutls_datum plaintext) { - int size; - opaque *data; - - size = _gnutls_compress( session->connection_state.write_compression_state, - plaintext.data, plaintext.size, &data, MAX_RECORD_SEND_SIZE+1024); - if (size < 0) { - gnutls_assert(); - return GNUTLS_E_COMPRESSION_FAILED; - } - compress->data = data; - compress->size = size; + int size; + opaque *data; - return 0; + size = + _gnutls_compress(session->connection_state.write_compression_state, + plaintext.data, plaintext.size, &data, + MAX_RECORD_SEND_SIZE + 1024); + if (size < 0) { + gnutls_assert(); + return GNUTLS_E_COMPRESSION_FAILED; + } + compress->data = data; + compress->size = size; + + return 0; } int _gnutls_m_compressed2plaintext(gnutls_session session, - gnutls_datum* plain, - gnutls_datum - compressed) + gnutls_datum * plain, + gnutls_datum compressed) { - int size; - opaque* data; + int size; + opaque *data; - size = _gnutls_decompress( session->connection_state.read_compression_state, - compressed.data, compressed.size, &data, MAX_RECORD_RECV_SIZE); - if (size < 0) { - gnutls_assert(); - return GNUTLS_E_DECOMPRESSION_FAILED; - } - plain->data = data; - plain->size = size; + size = + _gnutls_decompress(session->connection_state. + read_compression_state, compressed.data, + compressed.size, &data, MAX_RECORD_RECV_SIZE); + if (size < 0) { + gnutls_assert(); + return GNUTLS_E_DECOMPRESSION_FAILED; + } + plain->data = data; + plain->size = size; - return 0; + return 0; } diff --git a/lib/gnutls_compress.h b/lib/gnutls_compress.h index 47ba103804..865344b982 100644 --- a/lib/gnutls_compress.h +++ b/lib/gnutls_compress.h @@ -18,5 +18,9 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -int _gnutls_m_plaintext2compressed(gnutls_session session, gnutls_datum* compress, gnutls_datum plaintext); -int _gnutls_m_compressed2plaintext(gnutls_session session, gnutls_datum* plain, gnutls_datum compressed); +int _gnutls_m_plaintext2compressed(gnutls_session session, + gnutls_datum * compress, + gnutls_datum plaintext); +int _gnutls_m_compressed2plaintext(gnutls_session session, + gnutls_datum * plain, + gnutls_datum compressed); diff --git a/lib/gnutls_compress_int.c b/lib/gnutls_compress_int.c index b0c63ee551..bee6454f79 100644 --- a/lib/gnutls_compress_int.c +++ b/lib/gnutls_compress_int.c @@ -27,15 +27,15 @@ #ifdef USE_LZO # ifdef USE_MINILZO -# include "../libextra/minilzo.h" /* get the prototypes only. - * Since LZO is a GPLed library, the gnutls_global_init_extra() has - * to be called, before LZO compression can be used. - */ +# include "../libextra/minilzo.h" /* get the prototypes only. + * Since LZO is a GPLed library, the gnutls_global_init_extra() has + * to be called, before LZO compression can be used. + */ # else # include <lzo1x.h> # endif -typedef int (*LZO_FUNC)(); +typedef int (*LZO_FUNC) (); LZO_FUNC _gnutls_lzo1x_decompress_safe = NULL; LZO_FUNC _gnutls_lzo1x_1_compress = NULL; @@ -45,299 +45,314 @@ LZO_FUNC _gnutls_lzo1x_1_compress = NULL; /* The flag d is the direction (compress, decompress). Non zero is * decompress. */ -comp_hd_t _gnutls_comp_init( gnutls_compression_method method, int d) +comp_hd_t _gnutls_comp_init(gnutls_compression_method method, int d) { -comp_hd_t ret; -int err; + comp_hd_t ret; + int err; - ret = gnutls_malloc( sizeof( struct comp_hd_t_STRUCT)); - if (ret==NULL) { - gnutls_assert(); - return NULL; - } + ret = gnutls_malloc(sizeof(struct comp_hd_t_STRUCT)); + if (ret == NULL) { + gnutls_assert(); + return NULL; + } - ret->algo = method; - ret->handle = NULL; + ret->algo = method; + ret->handle = NULL; - switch( method) { + switch (method) { #ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: { - int window_bits, mem_level; - int comp_level; - z_stream* zhandle; - - window_bits = _gnutls_compression_get_wbits( method); - mem_level = _gnutls_compression_get_mem_level( method); - comp_level = _gnutls_compression_get_comp_level( method); - - ret->handle = gnutls_malloc( sizeof( z_stream)); - if (ret->handle==NULL) { - gnutls_assert(); - goto cleanup_ret; - } - - zhandle = ret->handle; - - zhandle->zalloc = (alloc_func)0; - zhandle->zfree = (free_func)0; - zhandle->opaque = (voidpf)0; - - if (d) - err = inflateInit2(zhandle, window_bits); - else { - err = deflateInit2(zhandle, - comp_level, Z_DEFLATED, - window_bits, mem_level, Z_DEFAULT_STRATEGY); - } - if (err!=Z_OK) { - gnutls_assert(); - gnutls_free( ret->handle); - goto cleanup_ret; - } - break; + case GNUTLS_COMP_DEFLATE:{ + int window_bits, mem_level; + int comp_level; + z_stream *zhandle; + + window_bits = _gnutls_compression_get_wbits(method); + mem_level = _gnutls_compression_get_mem_level(method); + comp_level = _gnutls_compression_get_comp_level(method); + + ret->handle = gnutls_malloc(sizeof(z_stream)); + if (ret->handle == NULL) { + gnutls_assert(); + goto cleanup_ret; + } + + zhandle = ret->handle; + + zhandle->zalloc = (alloc_func) 0; + zhandle->zfree = (free_func) 0; + zhandle->opaque = (voidpf) 0; + + if (d) + err = inflateInit2(zhandle, window_bits); + else { + err = deflateInit2(zhandle, + comp_level, Z_DEFLATED, + window_bits, mem_level, + Z_DEFAULT_STRATEGY); + } + if (err != Z_OK) { + gnutls_assert(); + gnutls_free(ret->handle); + goto cleanup_ret; } + break; + } #endif #ifdef USE_LZO - case GNUTLS_COMP_LZO: - if (d) /* LZO does not use memory on decompressor */ - { /* ret->handle = NULL; */ } - else { - ret->handle = gnutls_malloc( LZO1X_1_MEM_COMPRESS); - - if (ret->handle==NULL) { - gnutls_assert(); - cleanup_ret: - gnutls_free(ret); - return NULL; - } - } - - break; -#endif - case GNUTLS_COMP_NULL: - break; + case GNUTLS_COMP_LZO: + if (d) { /* LZO does not use memory on decompressor *//* ret->handle = NULL; */ + } else { + ret->handle = gnutls_malloc(LZO1X_1_MEM_COMPRESS); + + if (ret->handle == NULL) { + gnutls_assert(); + cleanup_ret: + gnutls_free(ret); + return NULL; + } } - return ret; + + break; +#endif + case GNUTLS_COMP_NULL: + break; + } + return ret; } -void _gnutls_comp_deinit(comp_hd_t handle, int d) { -int err; +void _gnutls_comp_deinit(comp_hd_t handle, int d) +{ + int err; - if (handle!=NULL) { - switch( handle->algo) { + if (handle != NULL) { + switch (handle->algo) { #ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: - if (d) - err = inflateEnd( handle->handle); - else - err = deflateEnd( handle->handle); - break; + case GNUTLS_COMP_DEFLATE: + if (d) + err = inflateEnd(handle->handle); + else + err = deflateEnd(handle->handle); + break; #endif - default: - break; - } - gnutls_free( handle->handle); - gnutls_free( handle); - + default: + break; } + gnutls_free(handle->handle); + gnutls_free(handle); + + } } /* These functions are memory consuming */ -int _gnutls_compress( comp_hd_t handle, const opaque* plain, size_t plain_size, - opaque** compressed, size_t max_comp_size) +int _gnutls_compress(comp_hd_t handle, const opaque * plain, + size_t plain_size, opaque ** compressed, + size_t max_comp_size) { -int compressed_size=GNUTLS_E_COMPRESSION_FAILED; -int err; + int compressed_size = GNUTLS_E_COMPRESSION_FAILED; + int err; - /* NULL compression is not handled here - */ - - switch( handle->algo) { + /* NULL compression is not handled here + */ + + switch (handle->algo) { #ifdef USE_LZO - case GNUTLS_COMP_LZO: { - lzo_uint out_len; - size_t size; - - if ( _gnutls_lzo1x_1_compress == NULL) - return GNUTLS_E_COMPRESSION_FAILED; - - size = plain_size + plain_size / 64 + 16 + 3; - *compressed = gnutls_malloc(size); - if (*compressed==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - err = _gnutls_lzo1x_1_compress( plain, plain_size, *compressed, - &out_len, handle->handle); - - if (err!=LZO_E_OK) { - gnutls_assert(); - gnutls_free( *compressed); *compressed = NULL; - return GNUTLS_E_COMPRESSION_FAILED; - } - - compressed_size = out_len; - break; - } + case GNUTLS_COMP_LZO:{ + lzo_uint out_len; + size_t size; + + if (_gnutls_lzo1x_1_compress == NULL) + return GNUTLS_E_COMPRESSION_FAILED; + + size = plain_size + plain_size / 64 + 16 + 3; + *compressed = gnutls_malloc(size); + if (*compressed == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + err = _gnutls_lzo1x_1_compress(plain, plain_size, *compressed, + &out_len, handle->handle); + + if (err != LZO_E_OK) { + gnutls_assert(); + gnutls_free(*compressed); + *compressed = NULL; + return GNUTLS_E_COMPRESSION_FAILED; + } + + compressed_size = out_len; + break; + } #endif #ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: { - uLongf size; - z_stream *zhandle; - - size = (plain_size+plain_size)+10; - *compressed = gnutls_malloc(size); - if (*compressed==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - zhandle = handle->handle; - - zhandle->next_in = (Bytef*) plain; - zhandle->avail_in = plain_size; - zhandle->next_out = (Bytef*) *compressed; - zhandle->avail_out = size; - - err = deflate( zhandle, Z_SYNC_FLUSH); - - if (err!=Z_OK || zhandle->avail_in != 0) { - gnutls_assert(); - gnutls_free( *compressed); *compressed = NULL; - return GNUTLS_E_COMPRESSION_FAILED; - } - - compressed_size = size - zhandle->avail_out; - break; - } + case GNUTLS_COMP_DEFLATE:{ + uLongf size; + z_stream *zhandle; + + size = (plain_size + plain_size) + 10; + *compressed = gnutls_malloc(size); + if (*compressed == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + zhandle = handle->handle; + + zhandle->next_in = (Bytef *) plain; + zhandle->avail_in = plain_size; + zhandle->next_out = (Bytef *) * compressed; + zhandle->avail_out = size; + + err = deflate(zhandle, Z_SYNC_FLUSH); + + if (err != Z_OK || zhandle->avail_in != 0) { + gnutls_assert(); + gnutls_free(*compressed); + *compressed = NULL; + return GNUTLS_E_COMPRESSION_FAILED; + } + + compressed_size = size - zhandle->avail_out; + break; + } #endif - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } /* switch */ + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } /* switch */ #ifdef COMPRESSION_DEBUG - _gnutls_debug_log("Compression ratio: %f\n", (float)((float)compressed_size / (float)plain_size)); + _gnutls_debug_log("Compression ratio: %f\n", + (float) ((float) compressed_size / + (float) plain_size)); #endif - if ((size_t)compressed_size > max_comp_size) { - gnutls_free(*compressed); *compressed = NULL; - return GNUTLS_E_COMPRESSION_FAILED; - } + if ((size_t) compressed_size > max_comp_size) { + gnutls_free(*compressed); + *compressed = NULL; + return GNUTLS_E_COMPRESSION_FAILED; + } - return compressed_size; + return compressed_size; } -int _gnutls_decompress( comp_hd_t handle, opaque* compressed, size_t compressed_size, - opaque** plain, size_t max_record_size) +int _gnutls_decompress(comp_hd_t handle, opaque * compressed, + size_t compressed_size, opaque ** plain, + size_t max_record_size) { -int plain_size=GNUTLS_E_DECOMPRESSION_FAILED, err; -int cur_pos; + int plain_size = GNUTLS_E_DECOMPRESSION_FAILED, err; + int cur_pos; - if (compressed_size > max_record_size+EXTRA_COMP_SIZE) { - gnutls_assert(); - return GNUTLS_E_DECOMPRESSION_FAILED; - } + if (compressed_size > max_record_size + EXTRA_COMP_SIZE) { + gnutls_assert(); + return GNUTLS_E_DECOMPRESSION_FAILED; + } + + /* NULL compression is not handled here + */ - /* NULL compression is not handled here - */ - - switch(handle->algo) { + switch (handle->algo) { #ifdef USE_LZO - case GNUTLS_COMP_LZO: { - lzo_uint out_size; - lzo_uint new_size; - - if (_gnutls_lzo1x_decompress_safe == NULL) - return GNUTLS_E_DECOMPRESSION_FAILED; - - *plain = NULL; - out_size = compressed_size + compressed_size; - plain_size = 0; - - do { - out_size += 512; - *plain = gnutls_realloc_fast( *plain, out_size); - if (*plain==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - new_size = out_size; - err = _gnutls_lzo1x_decompress_safe(compressed,compressed_size, - *plain, &new_size,NULL); - - } while( (err==LZO_E_OUTPUT_OVERRUN && out_size < max_record_size)); - - if (err!=LZO_E_OK) { - gnutls_assert(); - gnutls_free( *plain); *plain = NULL; - return GNUTLS_E_DECOMPRESSION_FAILED; - } - - plain_size = new_size; - break; + case GNUTLS_COMP_LZO:{ + lzo_uint out_size; + lzo_uint new_size; + + if (_gnutls_lzo1x_decompress_safe == NULL) + return GNUTLS_E_DECOMPRESSION_FAILED; + + *plain = NULL; + out_size = compressed_size + compressed_size; + plain_size = 0; + + do { + out_size += 512; + *plain = gnutls_realloc_fast(*plain, out_size); + if (*plain == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + + new_size = out_size; + err = + _gnutls_lzo1x_decompress_safe(compressed, + compressed_size, *plain, + &new_size, NULL); + + } while ((err == LZO_E_OUTPUT_OVERRUN + && out_size < max_record_size)); + + if (err != LZO_E_OK) { + gnutls_assert(); + gnutls_free(*plain); + *plain = NULL; + return GNUTLS_E_DECOMPRESSION_FAILED; + } + + plain_size = new_size; + break; + } #endif #ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: { - uLongf out_size; - z_stream* zhandle; - - *plain = NULL; - out_size = compressed_size + compressed_size; - plain_size = 0; - - zhandle = handle->handle; - - zhandle->next_in = (Bytef*) compressed; - zhandle->avail_in = compressed_size; - - cur_pos = 0; - - do { - out_size += 512; - *plain = gnutls_realloc_fast( *plain, out_size); - if (*plain==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - zhandle->next_out = (Bytef*) (*plain + cur_pos); - zhandle->avail_out = out_size - cur_pos; - - err = inflate( zhandle, Z_SYNC_FLUSH); - - cur_pos = out_size - zhandle->avail_out; - - } while( (err==Z_BUF_ERROR && zhandle->avail_out==0 && out_size < max_record_size) - || ( err==Z_OK && zhandle->avail_in != 0)); - - if (err!=Z_OK) { - gnutls_assert(); - gnutls_free( *plain); *plain = NULL; - return GNUTLS_E_DECOMPRESSION_FAILED; - } - - plain_size = out_size - zhandle->avail_out; - break; + case GNUTLS_COMP_DEFLATE:{ + uLongf out_size; + z_stream *zhandle; + + *plain = NULL; + out_size = compressed_size + compressed_size; + plain_size = 0; + + zhandle = handle->handle; + + zhandle->next_in = (Bytef *) compressed; + zhandle->avail_in = compressed_size; + + cur_pos = 0; + + do { + out_size += 512; + *plain = gnutls_realloc_fast(*plain, out_size); + if (*plain == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } -#endif - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } /* switch */ - if ((size_t)plain_size > max_record_size) { + zhandle->next_out = (Bytef *) (*plain + cur_pos); + zhandle->avail_out = out_size - cur_pos; + + err = inflate(zhandle, Z_SYNC_FLUSH); + + cur_pos = out_size - zhandle->avail_out; + + } while ((err == Z_BUF_ERROR && zhandle->avail_out == 0 + && out_size < max_record_size) + || (err == Z_OK && zhandle->avail_in != 0)); + + if (err != Z_OK) { gnutls_assert(); - gnutls_free( *plain); *plain = NULL; + gnutls_free(*plain); + *plain = NULL; return GNUTLS_E_DECOMPRESSION_FAILED; - } + } - return plain_size; + plain_size = out_size - zhandle->avail_out; + break; + } +#endif + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } /* switch */ + + if ((size_t) plain_size > max_record_size) { + gnutls_assert(); + gnutls_free(*plain); + *plain = NULL; + return GNUTLS_E_DECOMPRESSION_FAILED; + } + + return plain_size; } diff --git a/lib/gnutls_compress_int.h b/lib/gnutls_compress_int.h index 7c1bfd404a..f285ce828f 100644 --- a/lib/gnutls_compress_int.h +++ b/lib/gnutls_compress_int.h @@ -28,14 +28,17 @@ #define GNUTLS_COMP_FAILED NULL typedef struct comp_hd_t_STRUCT { - void* handle; - gnutls_compression_method algo; + void *handle; + gnutls_compression_method algo; } *comp_hd_t; -comp_hd_t _gnutls_comp_init( gnutls_compression_method, int d); +comp_hd_t _gnutls_comp_init(gnutls_compression_method, int d); void _gnutls_comp_deinit(comp_hd_t handle, int d); -int _gnutls_decompress( comp_hd_t handle, opaque* compressed, size_t compressed_size, opaque** plain, size_t max_record_size); -int _gnutls_compress( comp_hd_t, const opaque* plain, size_t plain_size, opaque** compressed, size_t max_comp_size); +int _gnutls_decompress(comp_hd_t handle, opaque * compressed, + size_t compressed_size, opaque ** plain, + size_t max_record_size); +int _gnutls_compress(comp_hd_t, const opaque * plain, size_t plain_size, + opaque ** compressed, size_t max_comp_size); #endif diff --git a/lib/gnutls_constate.c b/lib/gnutls_constate.c index 768a0b6c4d..78fee15e2b 100644 --- a/lib/gnutls_constate.c +++ b/lib/gnutls_constate.c @@ -58,337 +58,335 @@ int _gnutls_set_keys(gnutls_session session, int hash_size, int IV_size, /* FIXME: This function is too long */ - opaque *key_block; - opaque random[2 * TLS_RANDOM_SIZE]; - opaque rrandom[2 * TLS_RANDOM_SIZE]; - int pos, ret; - int block_size; - char buf[64]; - - if (session->cipher_specs.generated_keys != 0) { - /* keys have already been generated. - * reset generated_keys and exit normally. - */ - session->cipher_specs.generated_keys = 0; - return 0; + opaque *key_block; + opaque random[2 * TLS_RANDOM_SIZE]; + opaque rrandom[2 * TLS_RANDOM_SIZE]; + int pos, ret; + int block_size; + char buf[64]; + + if (session->cipher_specs.generated_keys != 0) { + /* keys have already been generated. + * reset generated_keys and exit normally. + */ + session->cipher_specs.generated_keys = 0; + return 0; + } + + block_size = 2 * hash_size + 2 * key_size; + if (export_flag == 0) + block_size += 2 * IV_size; + + key_block = gnutls_secure_malloc(block_size); + if (key_block == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + memcpy(random, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + memcpy(&random[TLS_RANDOM_SIZE], + session->security_parameters.client_random, TLS_RANDOM_SIZE); + + memcpy(rrandom, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + memcpy(&rrandom[TLS_RANDOM_SIZE], + session->security_parameters.server_random, TLS_RANDOM_SIZE); + + if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ + ret = + _gnutls_ssl3_generate_random(session-> + security_parameters. + master_secret, + TLS_MASTER_SIZE, random, + 2 * TLS_RANDOM_SIZE, + block_size, key_block); + } else { /* TLS 1.0 */ + ret = + _gnutls_PRF(session->security_parameters.master_secret, + TLS_MASTER_SIZE, keyexp, keyexp_length, + random, 2 * TLS_RANDOM_SIZE, block_size, + key_block); + } + + if (ret < 0) { + gnutls_assert(); + gnutls_free(key_block); + return ret; + } + + _gnutls_hard_log("INT: KEY BLOCK[%d]: %s\n", block_size, + _gnutls_bin2hex(key_block, block_size, buf, + sizeof(buf))); + + pos = 0; + if (hash_size > 0) { + if (_gnutls_sset_datum + (&session->cipher_specs.client_write_mac_secret, + &key_block[pos], hash_size) < 0) { + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; + } + pos += hash_size; + + if (_gnutls_sset_datum + (&session->cipher_specs.server_write_mac_secret, + &key_block[pos], hash_size) < 0) { + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; } + pos += hash_size; + } + + if (key_size > 0) { + opaque *client_write_key, *server_write_key; + int client_write_key_size, server_write_key_size; + int free_keys = 0; + + if (export_flag == 0) { + client_write_key = &key_block[pos]; + client_write_key_size = key_size; + + pos += key_size; - block_size = 2 * hash_size + 2 * key_size; - if (export_flag == 0) - block_size += 2 * IV_size; + server_write_key = &key_block[pos]; + server_write_key_size = key_size; - key_block = gnutls_secure_malloc(block_size); - if (key_block == NULL) { + pos += key_size; + + } else { /* export */ + free_keys = 1; + + client_write_key = gnutls_secure_malloc(EXPORT_FINAL_KEY_SIZE); + if (client_write_key == NULL) { gnutls_assert(); + gnutls_free(key_block); return GNUTLS_E_MEMORY_ERROR; - } + } - memcpy(random, session->security_parameters.server_random, - TLS_RANDOM_SIZE); - memcpy(&random[TLS_RANDOM_SIZE], - session->security_parameters.client_random, TLS_RANDOM_SIZE); + server_write_key = gnutls_secure_malloc(EXPORT_FINAL_KEY_SIZE); + if (server_write_key == NULL) { + gnutls_assert(); + gnutls_free(key_block); + gnutls_free(client_write_key); + return GNUTLS_E_MEMORY_ERROR; + } - memcpy(rrandom, session->security_parameters.client_random, - TLS_RANDOM_SIZE); - memcpy(&rrandom[TLS_RANDOM_SIZE], - session->security_parameters.server_random, TLS_RANDOM_SIZE); + /* generate the final keys */ - if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ + if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ ret = - _gnutls_ssl3_generate_random(session-> - security_parameters. - master_secret, - TLS_MASTER_SIZE, random, - 2 * TLS_RANDOM_SIZE, - block_size, key_block); - } else { /* TLS 1.0 */ + _gnutls_ssl3_hash_md5(&key_block[pos], + key_size, rrandom, + 2 * TLS_RANDOM_SIZE, + EXPORT_FINAL_KEY_SIZE, + client_write_key); + + } else { /* TLS 1.0 */ ret = - _gnutls_PRF(session->security_parameters.master_secret, - TLS_MASTER_SIZE, keyexp, keyexp_length, - random, 2 * TLS_RANDOM_SIZE, block_size, - key_block); - } + _gnutls_PRF(&key_block[pos], key_size, + cliwrite, cliwrite_length, + rrandom, + 2 * TLS_RANDOM_SIZE, + EXPORT_FINAL_KEY_SIZE, client_write_key); + } + + if (ret < 0) { + gnutls_assert(); + gnutls_free(key_block); + gnutls_free(server_write_key); + gnutls_free(client_write_key); + return ret; + } - if (ret < 0) { + client_write_key_size = EXPORT_FINAL_KEY_SIZE; + pos += key_size; + + if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ + ret = + _gnutls_ssl3_hash_md5(&key_block[pos], key_size, + random, 2 * TLS_RANDOM_SIZE, + EXPORT_FINAL_KEY_SIZE, + server_write_key); + } else { /* TLS 1.0 */ + ret = + _gnutls_PRF(&key_block[pos], key_size, + servwrite, servwrite_length, + rrandom, 2 * TLS_RANDOM_SIZE, + EXPORT_FINAL_KEY_SIZE, server_write_key); + } + + if (ret < 0) { gnutls_assert(); gnutls_free(key_block); + gnutls_free(server_write_key); + gnutls_free(client_write_key); return ret; + } + + server_write_key_size = EXPORT_FINAL_KEY_SIZE; + pos += key_size; } - _gnutls_hard_log("INT: KEY BLOCK[%d]: %s\n", block_size, - _gnutls_bin2hex(key_block, block_size, buf, sizeof(buf))); - - pos = 0; - if (hash_size > 0) { - if (_gnutls_sset_datum - (&session->cipher_specs.client_write_mac_secret, - &key_block[pos], hash_size) < 0) { - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - pos += hash_size; - - if (_gnutls_sset_datum - (&session->cipher_specs.server_write_mac_secret, - &key_block[pos], hash_size) < 0) { - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - pos += hash_size; + if (_gnutls_sset_datum + (&session->cipher_specs.client_write_key, + client_write_key, client_write_key_size) < 0) { + gnutls_free(key_block); + gnutls_free(server_write_key); + gnutls_free(client_write_key); + return GNUTLS_E_MEMORY_ERROR; } + _gnutls_hard_log("INT: CLIENT WRITE KEY [%d]: %s\n", + client_write_key_size, + _gnutls_bin2hex(client_write_key, + client_write_key_size, buf, + sizeof(buf))); + + if (_gnutls_sset_datum + (&session->cipher_specs.server_write_key, + server_write_key, server_write_key_size) < 0) { + gnutls_free(key_block); + gnutls_free(server_write_key); + gnutls_free(client_write_key); + return GNUTLS_E_MEMORY_ERROR; + } + + _gnutls_hard_log("INT: SERVER WRITE KEY [%d]: %s\n", + server_write_key_size, + _gnutls_bin2hex(server_write_key, + server_write_key_size, buf, + sizeof(buf))); - if (key_size > 0) { - opaque *client_write_key, *server_write_key; - int client_write_key_size, server_write_key_size; - int free_keys = 0; - - if (export_flag == 0) { - client_write_key = &key_block[pos]; - client_write_key_size = key_size; - - pos += key_size; - - server_write_key = &key_block[pos]; - server_write_key_size = key_size; - - pos += key_size; - - } else { /* export */ - free_keys = 1; - - client_write_key = - gnutls_secure_malloc(EXPORT_FINAL_KEY_SIZE); - if (client_write_key == NULL) { - gnutls_assert(); - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - - server_write_key = - gnutls_secure_malloc(EXPORT_FINAL_KEY_SIZE); - if (server_write_key == NULL) { - gnutls_assert(); - gnutls_free(key_block); - gnutls_free(client_write_key); - return GNUTLS_E_MEMORY_ERROR; - } - - /* generate the final keys */ - - if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ - ret = - _gnutls_ssl3_hash_md5(&key_block[pos], - key_size, rrandom, - 2 * TLS_RANDOM_SIZE, - EXPORT_FINAL_KEY_SIZE, - client_write_key); - - } else { /* TLS 1.0 */ - ret = - _gnutls_PRF(&key_block[pos], key_size, - cliwrite, cliwrite_length, - rrandom, - 2 * TLS_RANDOM_SIZE, - EXPORT_FINAL_KEY_SIZE, - client_write_key); - } - - if (ret < 0) { - gnutls_assert(); - gnutls_free(key_block); - gnutls_free(server_write_key); - gnutls_free(client_write_key); - return ret; - } - - client_write_key_size = EXPORT_FINAL_KEY_SIZE; - pos += key_size; - - if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ - ret = - _gnutls_ssl3_hash_md5(&key_block[pos], key_size, - random, 2 * TLS_RANDOM_SIZE, - EXPORT_FINAL_KEY_SIZE, - server_write_key); - } else { /* TLS 1.0 */ - ret = - _gnutls_PRF(&key_block[pos], key_size, - servwrite, servwrite_length, - rrandom, 2 * TLS_RANDOM_SIZE, - EXPORT_FINAL_KEY_SIZE, - server_write_key); - } - - if (ret < 0) { - gnutls_assert(); - gnutls_free(key_block); - gnutls_free(server_write_key); - gnutls_free(client_write_key); - return ret; - } - - server_write_key_size = EXPORT_FINAL_KEY_SIZE; - pos += key_size; - } - - if (_gnutls_sset_datum - (&session->cipher_specs.client_write_key, - client_write_key, client_write_key_size) < 0) { - gnutls_free(key_block); - gnutls_free(server_write_key); - gnutls_free(client_write_key); - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_hard_log("INT: CLIENT WRITE KEY [%d]: %s\n", - client_write_key_size, - _gnutls_bin2hex(client_write_key, - client_write_key_size, buf, sizeof(buf))); - - if (_gnutls_sset_datum - (&session->cipher_specs.server_write_key, - server_write_key, server_write_key_size) < 0) { - gnutls_free(key_block); - gnutls_free(server_write_key); - gnutls_free(client_write_key); - return GNUTLS_E_MEMORY_ERROR; - } - - _gnutls_hard_log("INT: SERVER WRITE KEY [%d]: %s\n", - server_write_key_size, - _gnutls_bin2hex(server_write_key, - server_write_key_size, buf, sizeof(buf))); - - if (free_keys != 0) { - gnutls_free(server_write_key); - gnutls_free(client_write_key); - } + if (free_keys != 0) { + gnutls_free(server_write_key); + gnutls_free(client_write_key); } + } - /* IV generation in export and non export ciphers. - */ - if (IV_size > 0 && export_flag == 0) { - if (_gnutls_sset_datum - (&session->cipher_specs.client_write_IV, &key_block[pos], - IV_size) < 0) { - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - pos += IV_size; - - if (_gnutls_sset_datum - (&session->cipher_specs.server_write_IV, &key_block[pos], - IV_size) < 0) { - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - pos += IV_size; - - } else if (IV_size > 0 && export_flag != 0) { - opaque *iv_block = gnutls_alloca(IV_size * 2); - if (iv_block == NULL) { - gnutls_assert(); - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - - if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ - ret = - _gnutls_ssl3_hash_md5( "", 0, - rrandom, TLS_RANDOM_SIZE*2, - IV_size, iv_block); - - if (ret < 0) { - gnutls_assert(); - gnutls_free(key_block); - gnutls_afree(iv_block); - return ret; - } - - ret = - _gnutls_ssl3_hash_md5( "", 0, random, - TLS_RANDOM_SIZE*2, - IV_size, &iv_block[IV_size]); - - } else { /* TLS 1.0 */ - ret = - _gnutls_PRF( "", 0, - ivblock, ivblock_length, rrandom, - 2 * TLS_RANDOM_SIZE, IV_size * 2, - iv_block); - } - - if (ret < 0) { - gnutls_assert(); - gnutls_afree(iv_block); - gnutls_free(key_block); - return ret; - } - - if (_gnutls_sset_datum - (&session->cipher_specs.client_write_IV, iv_block, - IV_size) < 0) { - gnutls_afree(iv_block); - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - - if (_gnutls_sset_datum - (&session->cipher_specs.server_write_IV, - &iv_block[IV_size], IV_size) < 0) { - gnutls_afree(iv_block); - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } + /* IV generation in export and non export ciphers. + */ + if (IV_size > 0 && export_flag == 0) { + if (_gnutls_sset_datum + (&session->cipher_specs.client_write_IV, &key_block[pos], + IV_size) < 0) { + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; + } + pos += IV_size; + + if (_gnutls_sset_datum + (&session->cipher_specs.server_write_IV, &key_block[pos], + IV_size) < 0) { + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; + } + pos += IV_size; + + } else if (IV_size > 0 && export_flag != 0) { + opaque *iv_block = gnutls_alloca(IV_size * 2); + if (iv_block == NULL) { + gnutls_assert(); + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; + } + if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ + ret = + _gnutls_ssl3_hash_md5("", 0, + rrandom, TLS_RANDOM_SIZE * 2, + IV_size, iv_block); + + if (ret < 0) { + gnutls_assert(); + gnutls_free(key_block); gnutls_afree(iv_block); + return ret; + } + + ret = + _gnutls_ssl3_hash_md5("", 0, random, + TLS_RANDOM_SIZE * 2, + IV_size, &iv_block[IV_size]); + + } else { /* TLS 1.0 */ + ret = + _gnutls_PRF("", 0, + ivblock, ivblock_length, rrandom, + 2 * TLS_RANDOM_SIZE, IV_size * 2, iv_block); } - gnutls_free(key_block); + if (ret < 0) { + gnutls_assert(); + gnutls_afree(iv_block); + gnutls_free(key_block); + return ret; + } - session->cipher_specs.generated_keys = 1; + if (_gnutls_sset_datum + (&session->cipher_specs.client_write_IV, iv_block, + IV_size) < 0) { + gnutls_afree(iv_block); + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; + } - return 0; + if (_gnutls_sset_datum + (&session->cipher_specs.server_write_IV, + &iv_block[IV_size], IV_size) < 0) { + gnutls_afree(iv_block); + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; + } + + gnutls_afree(iv_block); + } + + gnutls_free(key_block); + + session->cipher_specs.generated_keys = 1; + + return 0; } int _gnutls_set_read_keys(gnutls_session session) { - int hash_size; - int IV_size; - int key_size, export_flag; - gnutls_cipher_algorithm algo; - gnutls_mac_algorithm mac_algo; - - mac_algo = session->security_parameters.read_mac_algorithm; - algo = session->security_parameters.read_bulk_cipher_algorithm; - - hash_size = _gnutls_hash_get_algo_len(mac_algo); - IV_size = _gnutls_cipher_get_iv_size(algo); - key_size = gnutls_cipher_get_key_size(algo); - export_flag = _gnutls_cipher_get_export_flag(algo); - - return _gnutls_set_keys(session, hash_size, IV_size, key_size, - export_flag); + int hash_size; + int IV_size; + int key_size, export_flag; + gnutls_cipher_algorithm algo; + gnutls_mac_algorithm mac_algo; + + mac_algo = session->security_parameters.read_mac_algorithm; + algo = session->security_parameters.read_bulk_cipher_algorithm; + + hash_size = _gnutls_hash_get_algo_len(mac_algo); + IV_size = _gnutls_cipher_get_iv_size(algo); + key_size = gnutls_cipher_get_key_size(algo); + export_flag = _gnutls_cipher_get_export_flag(algo); + + return _gnutls_set_keys(session, hash_size, IV_size, key_size, + export_flag); } int _gnutls_set_write_keys(gnutls_session session) { - int hash_size; - int IV_size; - int key_size, export_flag; - gnutls_cipher_algorithm algo; - gnutls_mac_algorithm mac_algo; - - mac_algo = session->security_parameters.write_mac_algorithm; - algo = session->security_parameters.write_bulk_cipher_algorithm; - - hash_size = _gnutls_hash_get_algo_len(mac_algo); - IV_size = _gnutls_cipher_get_iv_size(algo); - key_size = gnutls_cipher_get_key_size(algo); - export_flag = _gnutls_cipher_get_export_flag(algo); - - return _gnutls_set_keys(session, hash_size, IV_size, key_size, - export_flag); + int hash_size; + int IV_size; + int key_size, export_flag; + gnutls_cipher_algorithm algo; + gnutls_mac_algorithm mac_algo; + + mac_algo = session->security_parameters.write_mac_algorithm; + algo = session->security_parameters.write_bulk_cipher_algorithm; + + hash_size = _gnutls_hash_get_algo_len(mac_algo); + IV_size = _gnutls_cipher_get_iv_size(algo); + key_size = gnutls_cipher_get_key_size(algo); + export_flag = _gnutls_cipher_get_export_flag(algo); + + return _gnutls_set_keys(session, hash_size, IV_size, key_size, + export_flag); } #define CPY_COMMON dst->entity = src->entity; \ @@ -406,26 +404,28 @@ int _gnutls_set_write_keys(gnutls_session session) dst->version = src->version; \ memcpy( &dst->extensions, &src->extensions, sizeof(tls_ext_st)); -static void _gnutls_cpy_read_security_parameters(security_parameters_st * dst, - security_parameters_st * src) +static void _gnutls_cpy_read_security_parameters(security_parameters_st * + dst, + security_parameters_st * + src) { - CPY_COMMON; + CPY_COMMON; - dst->read_bulk_cipher_algorithm = src->read_bulk_cipher_algorithm; - dst->read_mac_algorithm = src->read_mac_algorithm; - dst->read_compression_algorithm = src->read_compression_algorithm; + dst->read_bulk_cipher_algorithm = src->read_bulk_cipher_algorithm; + dst->read_mac_algorithm = src->read_mac_algorithm; + dst->read_compression_algorithm = src->read_compression_algorithm; } -static void _gnutls_cpy_write_security_parameters(security_parameters_st * dst, - security_parameters_st * src) +static void _gnutls_cpy_write_security_parameters(security_parameters_st * + dst, + security_parameters_st * + src) { - CPY_COMMON; + CPY_COMMON; - dst->write_bulk_cipher_algorithm = - src->write_bulk_cipher_algorithm; - dst->write_mac_algorithm = src->write_mac_algorithm; - dst->write_compression_algorithm = - src->write_compression_algorithm; + dst->write_bulk_cipher_algorithm = src->write_bulk_cipher_algorithm; + dst->write_mac_algorithm = src->write_mac_algorithm; + dst->write_compression_algorithm = src->write_compression_algorithm; } /* Sets the current connection session to conform with the @@ -436,17 +436,17 @@ static void _gnutls_cpy_write_security_parameters(security_parameters_st * dst, */ int _gnutls_connection_state_init(gnutls_session session) { - int ret; + int ret; /* Setup the master secret */ - if ((ret = _gnutls_generate_master(session, 0), 0) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_generate_master(session, 0), 0) < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } @@ -455,179 +455,176 @@ int _gnutls_connection_state_init(gnutls_session session) */ int _gnutls_read_connection_state_init(gnutls_session session) { - int mac_size; - int rc; + int mac_size; + int rc; - _gnutls_uint64zero(session->connection_state.read_sequence_number); + _gnutls_uint64zero(session->connection_state.read_sequence_number); /* Update internals from CipherSuite selected. * If we are resuming just copy the connection session */ - if (session->internals.resumed == RESUME_FALSE) { - rc = _gnutls_set_read_cipher(session, - _gnutls_cipher_suite_get_cipher_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - rc = _gnutls_set_read_mac(session, - _gnutls_cipher_suite_get_mac_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - - rc = _gnutls_set_kx(session, - _gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - - rc = _gnutls_set_read_compression(session, - session->internals. - compression_method); - if (rc < 0) - return rc; - } else { /* RESUME_TRUE */ - _gnutls_cpy_read_security_parameters(&session-> - security_parameters, - &session-> - internals. - resumed_security_parameters); - } - + if (session->internals.resumed == RESUME_FALSE) { + rc = _gnutls_set_read_cipher(session, + _gnutls_cipher_suite_get_cipher_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) + return rc; + rc = _gnutls_set_read_mac(session, + _gnutls_cipher_suite_get_mac_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) + return rc; - rc = _gnutls_set_read_keys(session); + rc = _gnutls_set_kx(session, + _gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); if (rc < 0) - return rc; + return rc; - _gnutls_handshake_log("HSK[%x]: Cipher Suite: %s\n", - session, _gnutls_cipher_suite_get_name(&session-> - security_parameters. - current_cipher_suite)); + rc = _gnutls_set_read_compression(session, + session->internals. + compression_method); + if (rc < 0) + return rc; + } else { /* RESUME_TRUE */ + _gnutls_cpy_read_security_parameters(&session-> + security_parameters, + &session-> + internals. + resumed_security_parameters); + } + + + rc = _gnutls_set_read_keys(session); + if (rc < 0) + return rc; + + _gnutls_handshake_log("HSK[%x]: Cipher Suite: %s\n", + session, _gnutls_cipher_suite_get_name(&session-> + security_parameters. + current_cipher_suite)); + + if (_gnutls_compression_is_ok + (session->security_parameters.read_compression_algorithm) != 0) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + + if (_gnutls_mac_is_ok + (session->security_parameters.read_mac_algorithm) != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* Free all the previous keys/ sessions etc. + */ + if (session->connection_state.read_mac_secret.data != NULL) + _gnutls_free_datum(&session->connection_state.read_mac_secret); + + if (session->connection_state.read_cipher_state != NULL) + _gnutls_cipher_deinit(session->connection_state.read_cipher_state); + + if (session->connection_state.read_compression_state != NULL) + _gnutls_comp_deinit(session->connection_state. + read_compression_state, 1); + + + mac_size = + _gnutls_hash_get_algo_len(session->security_parameters. + read_mac_algorithm); + + _gnutls_handshake_log + ("HSK[%x]: Initializing internal [read] cipher sessions\n", + session); + + switch (session->security_parameters.entity) { + case GNUTLS_SERVER: + /* initialize cipher session + */ + session->connection_state.read_cipher_state = + _gnutls_cipher_init(session->security_parameters. + read_bulk_cipher_algorithm, + &session->cipher_specs. + client_write_key, + &session->cipher_specs.client_write_IV); + if (session->connection_state.read_cipher_state == + GNUTLS_CIPHER_FAILED + && session->security_parameters. + read_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - if (_gnutls_compression_is_ok - (session->security_parameters.read_compression_algorithm) != 0) { + /* copy mac secrets from cipherspecs, to connection + * session. + */ + if (mac_size > 0) { + if (_gnutls_sset_datum(&session->connection_state. + read_mac_secret, + session->cipher_specs. + client_write_mac_secret.data, + session->cipher_specs. + client_write_mac_secret.size) < 0) { gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + return GNUTLS_E_MEMORY_ERROR; + } + } - if (_gnutls_mac_is_ok - (session->security_parameters.read_mac_algorithm) != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + break; + + case GNUTLS_CLIENT: + session->connection_state.read_cipher_state = + _gnutls_cipher_init(session->security_parameters. + read_bulk_cipher_algorithm, + &session->cipher_specs. + server_write_key, + &session->cipher_specs.server_write_IV); + + if (session->connection_state.read_cipher_state == + GNUTLS_CIPHER_FAILED + && session->security_parameters. + read_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - /* Free all the previous keys/ sessions etc. + + /* copy mac secret to connection session */ - if (session->connection_state.read_mac_secret.data != NULL) - _gnutls_free_datum(&session->connection_state. - read_mac_secret); - - if (session->connection_state.read_cipher_state != NULL) - _gnutls_cipher_deinit(session->connection_state. - read_cipher_state); - - if (session->connection_state.read_compression_state != NULL) - _gnutls_comp_deinit(session->connection_state. - read_compression_state, 1); - - - mac_size = - _gnutls_hash_get_algo_len(session->security_parameters. - read_mac_algorithm); - - _gnutls_handshake_log - ("HSK[%x]: Initializing internal [read] cipher sessions\n", session); - - switch (session->security_parameters.entity) { - case GNUTLS_SERVER: - /* initialize cipher session - */ - session->connection_state.read_cipher_state = - _gnutls_cipher_init(session->security_parameters. - read_bulk_cipher_algorithm, - &session->cipher_specs. - client_write_key, - &session->cipher_specs. - client_write_IV); - if (session->connection_state.read_cipher_state == - GNUTLS_CIPHER_FAILED - && session->security_parameters. - read_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* copy mac secrets from cipherspecs, to connection - * session. - */ - if (mac_size > 0) { - if (_gnutls_sset_datum(&session->connection_state. - read_mac_secret, - session->cipher_specs. - client_write_mac_secret.data, - session->cipher_specs. - client_write_mac_secret.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - } - - break; - - case GNUTLS_CLIENT: - session->connection_state.read_cipher_state = - _gnutls_cipher_init(session->security_parameters. - read_bulk_cipher_algorithm, - &session->cipher_specs. - server_write_key, - &session->cipher_specs. - server_write_IV); - - if (session->connection_state.read_cipher_state == - GNUTLS_CIPHER_FAILED - && session->security_parameters. - read_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - - /* copy mac secret to connection session - */ - if (mac_size > 0) { - if (_gnutls_sset_datum(&session->connection_state. - read_mac_secret, - session->cipher_specs. - server_write_mac_secret.data, - session->cipher_specs. - server_write_mac_secret.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - } - - break; - - default: /* this check is useless */ + if (mac_size > 0) { + if (_gnutls_sset_datum(&session->connection_state. + read_mac_secret, + session->cipher_specs. + server_write_mac_secret.data, + session->cipher_specs. + server_write_mac_secret.size) < 0) { gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + return GNUTLS_E_MEMORY_ERROR; + } } - session->connection_state.read_compression_state = - _gnutls_comp_init(session->security_parameters. - read_compression_algorithm, 1); + break; - if (session->connection_state.read_compression_state == - GNUTLS_COMP_FAILED) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } + default: /* this check is useless */ + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - return 0; + session->connection_state.read_compression_state = + _gnutls_comp_init(session->security_parameters. + read_compression_algorithm, 1); + + if (session->connection_state.read_compression_state == + GNUTLS_COMP_FAILED) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + + return 0; } @@ -637,226 +634,223 @@ int _gnutls_read_connection_state_init(gnutls_session session) */ int _gnutls_write_connection_state_init(gnutls_session session) { - int mac_size; - int rc; + int mac_size; + int rc; - _gnutls_uint64zero(session->connection_state.write_sequence_number); + _gnutls_uint64zero(session->connection_state.write_sequence_number); /* Update internals from CipherSuite selected. * If we are resuming just copy the connection session */ - if (session->internals.resumed == RESUME_FALSE) { - rc = _gnutls_set_write_cipher(session, - _gnutls_cipher_suite_get_cipher_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - rc = _gnutls_set_write_mac(session, - _gnutls_cipher_suite_get_mac_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - - rc = _gnutls_set_kx(session, - _gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - - rc = _gnutls_set_write_compression(session, - session->internals. - compression_method); - if (rc < 0) - return rc; - } else { /* RESUME_TRUE */ - _gnutls_cpy_write_security_parameters(&session-> - security_parameters, - &session-> - internals. - resumed_security_parameters); - } - - rc = _gnutls_set_write_keys(session); + if (session->internals.resumed == RESUME_FALSE) { + rc = _gnutls_set_write_cipher(session, + _gnutls_cipher_suite_get_cipher_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) + return rc; + rc = _gnutls_set_write_mac(session, + _gnutls_cipher_suite_get_mac_algo + (&session->security_parameters. + current_cipher_suite)); if (rc < 0) - return rc; + return rc; - _gnutls_handshake_log("HSK[%x]: Cipher Suite: %s\n", session, - _gnutls_cipher_suite_get_name(&session-> - security_parameters. - current_cipher_suite)); + rc = _gnutls_set_kx(session, + _gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) + return rc; - if (_gnutls_compression_is_ok - (session->security_parameters.write_compression_algorithm) != - 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + rc = _gnutls_set_write_compression(session, + session->internals. + compression_method); + if (rc < 0) + return rc; + } else { /* RESUME_TRUE */ + _gnutls_cpy_write_security_parameters(&session-> + security_parameters, + &session-> + internals. + resumed_security_parameters); + } + + rc = _gnutls_set_write_keys(session); + if (rc < 0) + return rc; + + _gnutls_handshake_log("HSK[%x]: Cipher Suite: %s\n", session, + _gnutls_cipher_suite_get_name(&session-> + security_parameters. + current_cipher_suite)); + + if (_gnutls_compression_is_ok + (session->security_parameters.write_compression_algorithm) != 0) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + + if (_gnutls_mac_is_ok + (session->security_parameters.write_mac_algorithm) != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + + + /* Free all the previous keys/ sessions etc. + */ + if (session->connection_state.write_mac_secret.data != NULL) + _gnutls_free_datum(&session->connection_state.write_mac_secret); + + if (session->connection_state.write_cipher_state != NULL) + _gnutls_cipher_deinit(session->connection_state. + write_cipher_state); + + if (session->connection_state.write_compression_state != NULL) + _gnutls_comp_deinit(session->connection_state. + write_compression_state, 0); + + mac_size = + _gnutls_hash_get_algo_len(session->security_parameters. + write_mac_algorithm); + + _gnutls_handshake_log + ("HSK[%x]: Initializing internal [write] cipher sessions\n", + session); + + switch (session->security_parameters.entity) { + case GNUTLS_SERVER: + /* initialize cipher session + */ + session->connection_state.write_cipher_state = + _gnutls_cipher_init(session->security_parameters. + write_bulk_cipher_algorithm, + &session->cipher_specs. + server_write_key, + &session->cipher_specs.server_write_IV); + + if (session->connection_state.write_cipher_state == + GNUTLS_CIPHER_FAILED + && session->security_parameters. + write_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - if (_gnutls_mac_is_ok - (session->security_parameters.write_mac_algorithm) != 0) { + + /* copy mac secrets from cipherspecs, to connection + * session. + */ + if (mac_size > 0) { + if (_gnutls_sset_datum(&session->connection_state. + write_mac_secret, + session->cipher_specs. + server_write_mac_secret.data, + session->cipher_specs. + server_write_mac_secret.size) < 0) { gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + return GNUTLS_E_MEMORY_ERROR; + } + } + break; - /* Free all the previous keys/ sessions etc. + case GNUTLS_CLIENT: + session->connection_state.write_cipher_state = + _gnutls_cipher_init(session->security_parameters. + write_bulk_cipher_algorithm, + &session->cipher_specs. + client_write_key, + &session->cipher_specs.client_write_IV); + + if (session->connection_state.write_cipher_state == + GNUTLS_CIPHER_FAILED + && session->security_parameters. + write_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* copy mac secret to connection session */ - if (session->connection_state.write_mac_secret.data != NULL) - _gnutls_free_datum(&session->connection_state. - write_mac_secret); - - if (session->connection_state.write_cipher_state != NULL) - _gnutls_cipher_deinit(session->connection_state. - write_cipher_state); - - if (session->connection_state.write_compression_state != NULL) - _gnutls_comp_deinit(session->connection_state. - write_compression_state, 0); - - mac_size = - _gnutls_hash_get_algo_len(session->security_parameters. - write_mac_algorithm); - - _gnutls_handshake_log - ("HSK[%x]: Initializing internal [write] cipher sessions\n", session); - - switch (session->security_parameters.entity) { - case GNUTLS_SERVER: - /* initialize cipher session - */ - session->connection_state.write_cipher_state = - _gnutls_cipher_init(session->security_parameters. - write_bulk_cipher_algorithm, - &session->cipher_specs. - server_write_key, - &session->cipher_specs. - server_write_IV); - - if (session->connection_state.write_cipher_state == - GNUTLS_CIPHER_FAILED - && session->security_parameters. - write_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - - /* copy mac secrets from cipherspecs, to connection - * session. - */ - if (mac_size > 0) { - if (_gnutls_sset_datum(&session->connection_state. - write_mac_secret, - session->cipher_specs. - server_write_mac_secret.data, - session->cipher_specs. - server_write_mac_secret.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - } - - - break; - - case GNUTLS_CLIENT: - session->connection_state.write_cipher_state = - _gnutls_cipher_init(session->security_parameters. - write_bulk_cipher_algorithm, - &session->cipher_specs. - client_write_key, - &session->cipher_specs. - client_write_IV); - - if (session->connection_state.write_cipher_state == - GNUTLS_CIPHER_FAILED - && session->security_parameters. - write_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* copy mac secret to connection session - */ - if (mac_size > 0) { - if (_gnutls_sset_datum(&session->connection_state. - write_mac_secret, - session->cipher_specs. - client_write_mac_secret.data, - session->cipher_specs. - client_write_mac_secret.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - } - - break; - - default: + if (mac_size > 0) { + if (_gnutls_sset_datum(&session->connection_state. + write_mac_secret, + session->cipher_specs. + client_write_mac_secret.data, + session->cipher_specs. + client_write_mac_secret.size) < 0) { gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + return GNUTLS_E_MEMORY_ERROR; + } } + break; - session->connection_state.write_compression_state = - _gnutls_comp_init(session->security_parameters. - write_compression_algorithm, 0); + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - if (session->connection_state.write_compression_state == - GNUTLS_COMP_FAILED) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } - return 0; + session->connection_state.write_compression_state = + _gnutls_comp_init(session->security_parameters. + write_compression_algorithm, 0); + + if (session->connection_state.write_compression_state == + GNUTLS_COMP_FAILED) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + + return 0; } /* Sets the specified cipher into the pending session */ -int _gnutls_set_read_cipher(gnutls_session session, gnutls_cipher_algorithm algo) +int _gnutls_set_read_cipher(gnutls_session session, + gnutls_cipher_algorithm algo) { - if (_gnutls_cipher_is_ok(algo) == 0) { - if (_gnutls_cipher_priority(session, algo) < 0) { - gnutls_assert(); - return GNUTLS_E_UNWANTED_ALGORITHM; - } + if (_gnutls_cipher_is_ok(algo) == 0) { + if (_gnutls_cipher_priority(session, algo) < 0) { + gnutls_assert(); + return GNUTLS_E_UNWANTED_ALGORITHM; + } - session->security_parameters.read_bulk_cipher_algorithm = - algo; + session->security_parameters.read_bulk_cipher_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + } else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - return 0; + return 0; } -int _gnutls_set_write_cipher(gnutls_session session, gnutls_cipher_algorithm algo) +int _gnutls_set_write_cipher(gnutls_session session, + gnutls_cipher_algorithm algo) { - if (_gnutls_cipher_is_ok(algo) == 0) { - if (_gnutls_cipher_priority(session, algo) < 0) { - gnutls_assert(); - return GNUTLS_E_UNWANTED_ALGORITHM; - } + if (_gnutls_cipher_is_ok(algo) == 0) { + if (_gnutls_cipher_priority(session, algo) < 0) { + gnutls_assert(); + return GNUTLS_E_UNWANTED_ALGORITHM; + } - session->security_parameters.write_bulk_cipher_algorithm = - algo; + session->security_parameters.write_bulk_cipher_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + } else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - return 0; + return 0; } @@ -867,14 +861,13 @@ int _gnutls_set_read_compression(gnutls_session session, gnutls_compression_method algo) { - if (_gnutls_compression_is_ok(algo) == 0) { - session->security_parameters.read_compression_algorithm = - algo; - } else { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } - return 0; + if (_gnutls_compression_is_ok(algo) == 0) { + session->security_parameters.read_compression_algorithm = algo; + } else { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + return 0; } @@ -882,14 +875,13 @@ int _gnutls_set_write_compression(gnutls_session session, gnutls_compression_method algo) { - if (_gnutls_compression_is_ok(algo) == 0) { - session->security_parameters.write_compression_algorithm = - algo; - } else { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } - return 0; + if (_gnutls_compression_is_ok(algo) == 0) { + session->security_parameters.write_compression_algorithm = algo; + } else { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + return 0; } @@ -898,19 +890,19 @@ int _gnutls_set_write_compression(gnutls_session session, int _gnutls_set_kx(gnutls_session session, gnutls_kx_algorithm algo) { - if (_gnutls_kx_is_ok(algo) == 0) { - session->security_parameters.kx_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - if (_gnutls_kx_priority(session, algo) < 0) { - gnutls_assert(); - /* we shouldn't get here */ - return GNUTLS_E_UNWANTED_ALGORITHM; - } + if (_gnutls_kx_is_ok(algo) == 0) { + session->security_parameters.kx_algorithm = algo; + } else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + if (_gnutls_kx_priority(session, algo) < 0) { + gnutls_assert(); + /* we shouldn't get here */ + return GNUTLS_E_UNWANTED_ALGORITHM; + } - return 0; + return 0; } @@ -918,37 +910,38 @@ int _gnutls_set_kx(gnutls_session session, gnutls_kx_algorithm algo) int _gnutls_set_read_mac(gnutls_session session, gnutls_mac_algorithm algo) { - if (_gnutls_mac_is_ok(algo) == 0) { - session->security_parameters.read_mac_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - if (_gnutls_mac_priority(session, algo) < 0) { - gnutls_assert(); - return GNUTLS_E_UNWANTED_ALGORITHM; - } + if (_gnutls_mac_is_ok(algo) == 0) { + session->security_parameters.read_mac_algorithm = algo; + } else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + if (_gnutls_mac_priority(session, algo) < 0) { + gnutls_assert(); + return GNUTLS_E_UNWANTED_ALGORITHM; + } - return 0; + return 0; } -int _gnutls_set_write_mac(gnutls_session session, gnutls_mac_algorithm algo) +int _gnutls_set_write_mac(gnutls_session session, + gnutls_mac_algorithm algo) { - if (_gnutls_mac_is_ok(algo) == 0) { - session->security_parameters.write_mac_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - if (_gnutls_mac_priority(session, algo) < 0) { - gnutls_assert(); - return GNUTLS_E_UNWANTED_ALGORITHM; - } + if (_gnutls_mac_is_ok(algo) == 0) { + session->security_parameters.write_mac_algorithm = algo; + } else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + if (_gnutls_mac_priority(session, algo) < 0) { + gnutls_assert(); + return GNUTLS_E_UNWANTED_ALGORITHM; + } - return 0; + return 0; } diff --git a/lib/gnutls_constate.h b/lib/gnutls_constate.h index a78afcd4ef..8a0e3deb70 100644 --- a/lib/gnutls_constate.h +++ b/lib/gnutls_constate.h @@ -1,10 +1,16 @@ int _gnutls_connection_state_init(gnutls_session session); int _gnutls_read_connection_state_init(gnutls_session session); int _gnutls_write_connection_state_init(gnutls_session session); -int _gnutls_set_write_cipher( gnutls_session session, gnutls_cipher_algorithm algo); -int _gnutls_set_write_mac( gnutls_session session, gnutls_mac_algorithm algo); -int _gnutls_set_read_cipher( gnutls_session session, gnutls_cipher_algorithm algo); -int _gnutls_set_read_mac( gnutls_session session, gnutls_mac_algorithm algo); -int _gnutls_set_read_compression( gnutls_session session, gnutls_compression_method algo); -int _gnutls_set_write_compression( gnutls_session session, gnutls_compression_method algo); +int _gnutls_set_write_cipher(gnutls_session session, + gnutls_cipher_algorithm algo); +int _gnutls_set_write_mac(gnutls_session session, + gnutls_mac_algorithm algo); +int _gnutls_set_read_cipher(gnutls_session session, + gnutls_cipher_algorithm algo); +int _gnutls_set_read_mac(gnutls_session session, + gnutls_mac_algorithm algo); +int _gnutls_set_read_compression(gnutls_session session, + gnutls_compression_method algo); +int _gnutls_set_write_compression(gnutls_session session, + gnutls_compression_method algo); int _gnutls_set_kx(gnutls_session session, gnutls_kx_algorithm algo); diff --git a/lib/gnutls_datum.c b/lib/gnutls_datum.c index edd71b2a47..667e88fbf4 100644 --- a/lib/gnutls_datum.c +++ b/lib/gnutls_datum.c @@ -31,59 +31,71 @@ #include <gnutls_errors.h> -void _gnutls_write_datum16( opaque* dest, gnutls_datum dat) { - _gnutls_write_uint16( dat.size, dest); - memcpy( &dest[2], dat.data, dat.size); +void _gnutls_write_datum16(opaque * dest, gnutls_datum dat) +{ + _gnutls_write_uint16(dat.size, dest); + memcpy(&dest[2], dat.data, dat.size); } -void _gnutls_write_datum24( opaque* dest, gnutls_datum dat) { - _gnutls_write_uint24( dat.size, dest); - memcpy( &dest[3], dat.data, dat.size); + +void _gnutls_write_datum24(opaque * dest, gnutls_datum dat) +{ + _gnutls_write_uint24(dat.size, dest); + memcpy(&dest[3], dat.data, dat.size); } -void _gnutls_write_datum32( opaque* dest, gnutls_datum dat) { - _gnutls_write_uint32( dat.size, dest); - memcpy( &dest[4], dat.data, dat.size); + +void _gnutls_write_datum32(opaque * dest, gnutls_datum dat) +{ + _gnutls_write_uint32(dat.size, dest); + memcpy(&dest[4], dat.data, dat.size); } -void _gnutls_write_datum8( opaque* dest, gnutls_datum dat) { - dest[0] = (uint8) dat.size; - memcpy( &dest[1], dat.data, dat.size); + +void _gnutls_write_datum8(opaque * dest, gnutls_datum dat) +{ + dest[0] = (uint8) dat.size; + memcpy(&dest[1], dat.data, dat.size); } -int _gnutls_set_datum_m( gnutls_datum* dat, const void* data, int data_size, - gnutls_alloc_function galloc_func) +int _gnutls_set_datum_m(gnutls_datum * dat, const void *data, + int data_size, gnutls_alloc_function galloc_func) { - if (data_size == 0) { - dat->data = NULL; - dat->size = 0; - return 0; - } - - dat->data = galloc_func(data_size); - if (dat->data==NULL) return GNUTLS_E_MEMORY_ERROR; - - dat->size = data_size; - memcpy( dat->data, data, data_size); - + if (data_size == 0) { + dat->data = NULL; + dat->size = 0; return 0; -} + } -int _gnutls_datum_append_m( gnutls_datum* dst, const void* data, int data_size, - gnutls_realloc_function grealloc_func) { + dat->data = galloc_func(data_size); + if (dat->data == NULL) + return GNUTLS_E_MEMORY_ERROR; - dst->data = grealloc_func(dst->data, data_size+dst->size); - if (dst->data==NULL) return GNUTLS_E_MEMORY_ERROR; - - memcpy( &dst->data[dst->size], data, data_size); - dst->size += data_size; + dat->size = data_size; + memcpy(dat->data, data, data_size); - return 0; + return 0; } -void _gnutls_free_datum_m( gnutls_datum* dat, gnutls_free_function gfree_func) { - if (dat->data!=NULL && dat->size!=0) - gfree_func( dat->data); +int _gnutls_datum_append_m(gnutls_datum * dst, const void *data, + int data_size, + gnutls_realloc_function grealloc_func) +{ - dat->data = NULL; - dat->size = 0; + dst->data = grealloc_func(dst->data, data_size + dst->size); + if (dst->data == NULL) + return GNUTLS_E_MEMORY_ERROR; + + memcpy(&dst->data[dst->size], data, data_size); + dst->size += data_size; + + return 0; } +void _gnutls_free_datum_m(gnutls_datum * dat, + gnutls_free_function gfree_func) +{ + if (dat->data != NULL && dat->size != 0) + gfree_func(dat->data); + + dat->data = NULL; + dat->size = 0; +} diff --git a/lib/gnutls_datum.h b/lib/gnutls_datum.h index f10026ffd7..8c6ee283de 100644 --- a/lib/gnutls_datum.h +++ b/lib/gnutls_datum.h @@ -1,17 +1,16 @@ -void _gnutls_write_datum16( opaque* dest, gnutls_datum dat); -void _gnutls_write_datum24( opaque* dest, gnutls_datum dat); -void _gnutls_write_datum32( opaque* dest, gnutls_datum dat); -void _gnutls_write_datum8( opaque* dest, gnutls_datum dat); +void _gnutls_write_datum16(opaque * dest, gnutls_datum dat); +void _gnutls_write_datum24(opaque * dest, gnutls_datum dat); +void _gnutls_write_datum32(opaque * dest, gnutls_datum dat); +void _gnutls_write_datum8(opaque * dest, gnutls_datum dat); -int _gnutls_set_datum_m( gnutls_datum* dat, const void* data, int data_size, - gnutls_alloc_function); +int _gnutls_set_datum_m(gnutls_datum * dat, const void *data, + int data_size, gnutls_alloc_function); #define _gnutls_set_datum( x, y, z) _gnutls_set_datum_m(x,y,z, gnutls_malloc) #define _gnutls_sset_datum( x, y, z) _gnutls_set_datum_m(x,y,z, gnutls_secure_malloc) -int _gnutls_datum_append_m( gnutls_datum* dat, const void* data, int data_size, - gnutls_realloc_function); +int _gnutls_datum_append_m(gnutls_datum * dat, const void *data, + int data_size, gnutls_realloc_function); #define _gnutls_datum_append(x,y,z) _gnutls_datum_append_m(x,y,z, gnutls_realloc) -void _gnutls_free_datum_m( gnutls_datum* dat, - gnutls_free_function); +void _gnutls_free_datum_m(gnutls_datum * dat, gnutls_free_function); #define _gnutls_free_datum(x) _gnutls_free_datum_m(x, gnutls_free) diff --git a/lib/gnutls_db.c b/lib/gnutls_db.c index a58c17b52e..ee90096491 100644 --- a/lib/gnutls_db.c +++ b/lib/gnutls_db.c @@ -47,8 +47,10 @@ * has been called. * **/ -void gnutls_db_set_retrieve_function( gnutls_session session, gnutls_db_retr_func retr_func) { - session->internals.db_retrieve_func = retr_func; +void gnutls_db_set_retrieve_function(gnutls_session session, + gnutls_db_retr_func retr_func) +{ + session->internals.db_retrieve_func = retr_func; } /** @@ -63,8 +65,10 @@ void gnutls_db_set_retrieve_function( gnutls_session session, gnutls_db_retr_fun * has been called. * **/ -void gnutls_db_set_remove_function( gnutls_session session, gnutls_db_remove_func rem_func) { - session->internals.db_remove_func = rem_func; +void gnutls_db_set_remove_function(gnutls_session session, + gnutls_db_remove_func rem_func) +{ + session->internals.db_remove_func = rem_func; } /** @@ -79,8 +83,10 @@ void gnutls_db_set_remove_function( gnutls_session session, gnutls_db_remove_fun * has been called. * **/ -void gnutls_db_set_store_function( gnutls_session session, gnutls_db_store_func store_func) { - session->internals.db_store_func = store_func; +void gnutls_db_set_store_function(gnutls_session session, + gnutls_db_store_func store_func) +{ + session->internals.db_store_func = store_func; } /** @@ -92,8 +98,9 @@ void gnutls_db_set_store_function( gnutls_session session, gnutls_db_store_func * the first argument. * **/ -void gnutls_db_set_ptr( gnutls_session session, void* ptr) { - session->internals.db_ptr = ptr; +void gnutls_db_set_ptr(gnutls_session session, void *ptr) +{ + session->internals.db_ptr = ptr; } /** @@ -104,8 +111,9 @@ void gnutls_db_set_ptr( gnutls_session session, void* ptr) { * the first argument. * **/ -void* gnutls_db_get_ptr( gnutls_session session) { - return session->internals.db_ptr; +void *gnutls_db_get_ptr(gnutls_session session) +{ + return session->internals.db_ptr; } /** @@ -116,8 +124,9 @@ void* gnutls_db_get_ptr( gnutls_session session) { * Sets the expiration time for resumed sessions. The default is 3600 (one hour) * at the time writing this. **/ -void gnutls_db_set_cache_expiration( gnutls_session session, int seconds) { - session->internals.expire_time = seconds; +void gnutls_db_set_cache_expiration(gnutls_session session, int seconds) +{ + session->internals.expire_time = seconds; } /** @@ -131,193 +140,215 @@ void gnutls_db_set_cache_expiration( gnutls_session session, int seconds) { * backend. * **/ -int gnutls_db_check_entry( gnutls_session session, gnutls_datum session_entry) { -time_t timestamp; +int gnutls_db_check_entry(gnutls_session session, + gnutls_datum session_entry) +{ + time_t timestamp; - timestamp = time(0); + timestamp = time(0); - if (session_entry.data != NULL) - if ( timestamp - ((security_parameters_st*)(session_entry.data))->timestamp <= session->internals.expire_time || ((security_parameters_st*)(session_entry.data))->timestamp > timestamp|| ((security_parameters_st*)(session_entry.data))->timestamp == 0) - return GNUTLS_E_EXPIRED; - - return 0; + if (session_entry.data != NULL) + if (timestamp - + ((security_parameters_st *) (session_entry.data))->timestamp <= + session->internals.expire_time + || ((security_parameters_st *) (session_entry.data))-> + timestamp > timestamp + || ((security_parameters_st *) (session_entry.data))-> + timestamp == 0) + return GNUTLS_E_EXPIRED; + + return 0; } /* The format of storing data is: * (forget it). Check gnutls_session_pack.c */ -int _gnutls_server_register_current_session( gnutls_session session) +int _gnutls_server_register_current_session(gnutls_session session) { -gnutls_datum key; -gnutls_datum content; -int ret = 0; - - key.data = session->security_parameters.session_id; - key.size = session->security_parameters.session_id_size; - - if (session->internals.resumable==RESUME_FALSE) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } - - if (session->security_parameters.session_id==NULL || session->security_parameters.session_id_size==0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } - + gnutls_datum key; + gnutls_datum content; + int ret = 0; + + key.data = session->security_parameters.session_id; + key.size = session->security_parameters.session_id_size; + + if (session->internals.resumable == RESUME_FALSE) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } + + if (session->security_parameters.session_id == NULL + || session->security_parameters.session_id_size == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } + /* allocate space for data */ - ret = _gnutls_session_size( session); - if (ret < 0) { - gnutls_assert(); - return ret; - } - content.size = ret; - - content.data = gnutls_malloc( content.size); - if (content.data==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - + ret = _gnutls_session_size(session); + if (ret < 0) { + gnutls_assert(); + return ret; + } + content.size = ret; + + content.data = gnutls_malloc(content.size); + if (content.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + /* copy data */ - ret = _gnutls_session_pack( session, &content); - if (ret < 0) { - gnutls_free( content.data); - gnutls_assert(); - return ret; - } + ret = _gnutls_session_pack(session, &content); + if (ret < 0) { + gnutls_free(content.data); + gnutls_assert(); + return ret; + } - ret = _gnutls_store_session( session, key, content); + ret = _gnutls_store_session(session, key, content); - gnutls_free( content.data); + gnutls_free(content.data); - return ret; + return ret; } /* Checks if both db_store and db_retrieve functions have * been set up. */ -static int _gnutls_db_func_is_ok( gnutls_session session) { - if (session->internals.db_store_func!=NULL && - session->internals.db_retrieve_func!=NULL && - session->internals.db_remove_func!=NULL) return 0; - else return GNUTLS_E_DB_ERROR; +static int _gnutls_db_func_is_ok(gnutls_session session) +{ + if (session->internals.db_store_func != NULL && + session->internals.db_retrieve_func != NULL && + session->internals.db_remove_func != NULL) + return 0; + else + return GNUTLS_E_DB_ERROR; } -int _gnutls_server_restore_session( gnutls_session session, uint8* session_id, int session_id_size) +int _gnutls_server_restore_session(gnutls_session session, + uint8 * session_id, int session_id_size) { -gnutls_datum data; -gnutls_datum key; -int ret; + gnutls_datum data; + gnutls_datum key; + int ret; - key.data = session_id; - key.size = session_id_size; + key.data = session_id; + key.size = session_id_size; - if (_gnutls_db_func_is_ok(session)!=0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } + if (_gnutls_db_func_is_ok(session) != 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } - data = _gnutls_retrieve_session( session, key); + data = _gnutls_retrieve_session(session, key); - if (data.data==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } + if (data.data == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } - /* expiration check is performed inside */ - ret = gnutls_session_set_data( session, data.data, data.size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + /* expiration check is performed inside */ + ret = gnutls_session_set_data(session, data.data, data.size); + if (ret < 0) { + gnutls_assert(); + return ret; + } - gnutls_free(data.data); + gnutls_free(data.data); - return 0; + return 0; } -int _gnutls_db_remove_session( gnutls_session session, uint8* session_id, int session_id_size) +int _gnutls_db_remove_session(gnutls_session session, uint8 * session_id, + int session_id_size) { -gnutls_datum key; + gnutls_datum key; - key.data = session_id; - key.size = session_id_size; + key.data = session_id; + key.size = session_id_size; - return _gnutls_remove_session( session, key); + return _gnutls_remove_session(session, key); } /* Stores session data to the db backend. */ -int _gnutls_store_session( gnutls_session session, gnutls_datum session_id, gnutls_datum session_data) +int _gnutls_store_session(gnutls_session session, gnutls_datum session_id, + gnutls_datum session_data) { -int ret = 0; - - if (session->internals.resumable==RESUME_FALSE) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } - - if (_gnutls_db_func_is_ok(session)!=0) { - return GNUTLS_E_DB_ERROR; - } - - if (session_id.data==NULL || session_id.size==0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } - - if (session_data.data==NULL || session_data.size==0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } - /* if we can't read why bother writing? */ - - if (session->internals.db_store_func!=NULL) - ret = session->internals.db_store_func( session->internals.db_ptr, session_id, session_data); - - return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); + int ret = 0; + + if (session->internals.resumable == RESUME_FALSE) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } + + if (_gnutls_db_func_is_ok(session) != 0) { + return GNUTLS_E_DB_ERROR; + } + + if (session_id.data == NULL || session_id.size == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } + + if (session_data.data == NULL || session_data.size == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } + /* if we can't read why bother writing? */ + + if (session->internals.db_store_func != NULL) + ret = + session->internals.db_store_func(session->internals.db_ptr, + session_id, session_data); + + return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); } /* Retrieves session data from the db backend. */ -gnutls_datum _gnutls_retrieve_session( gnutls_session session, gnutls_datum session_id) +gnutls_datum _gnutls_retrieve_session(gnutls_session session, + gnutls_datum session_id) { -gnutls_datum ret = { NULL, 0 }; - - if (session_id.data==NULL || session_id.size==0) { - gnutls_assert(); - return ret; - } - - if (session->internals.db_retrieve_func!=NULL) - ret = session->internals.db_retrieve_func( session->internals.db_ptr, session_id); + gnutls_datum ret = { NULL, 0 }; + if (session_id.data == NULL || session_id.size == 0) { + gnutls_assert(); return ret; + } + + if (session->internals.db_retrieve_func != NULL) + ret = + session->internals.db_retrieve_func(session->internals.db_ptr, + session_id); + + return ret; } /* Removes session data from the db backend. */ -int _gnutls_remove_session( gnutls_session session, gnutls_datum session_id) +int _gnutls_remove_session(gnutls_session session, gnutls_datum session_id) { -int ret = 0; + int ret = 0; - if (_gnutls_db_func_is_ok(session)!=0) { - return GNUTLS_E_DB_ERROR; - } - - if (session_id.data==NULL || session_id.size==0) - return GNUTLS_E_INVALID_SESSION; + if (_gnutls_db_func_is_ok(session) != 0) { + return GNUTLS_E_DB_ERROR; + } - /* if we can't read why bother writing? */ - if (session->internals.db_remove_func!=NULL) - ret = session->internals.db_remove_func( session->internals.db_ptr, session_id); + if (session_id.data == NULL || session_id.size == 0) + return GNUTLS_E_INVALID_SESSION; - return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); + /* if we can't read why bother writing? */ + if (session->internals.db_remove_func != NULL) + ret = + session->internals.db_remove_func(session->internals.db_ptr, + session_id); + + return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); } @@ -333,9 +364,13 @@ int ret = 0; * Normally gnutls_deinit() will remove abnormally terminated sessions. * **/ -void gnutls_db_remove_session(gnutls_session session) { - /* if the session has failed abnormally it has - * to be removed from the db - */ - _gnutls_db_remove_session( session, session->security_parameters.session_id, session->security_parameters.session_id_size); +void gnutls_db_remove_session(gnutls_session session) +{ + /* if the session has failed abnormally it has + * to be removed from the db + */ + _gnutls_db_remove_session(session, + session->security_parameters.session_id, + session->security_parameters. + session_id_size); } diff --git a/lib/gnutls_db.h b/lib/gnutls_db.h index a5cac00bd9..1d0f4a717c 100644 --- a/lib/gnutls_db.h +++ b/lib/gnutls_db.h @@ -18,13 +18,19 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -void gnutls_set_cache_expiration( gnutls_session session, int seconds); -int gnutls_db_set_name( gnutls_session session, const char* filename); -int _gnutls_server_register_current_session( gnutls_session session); -int _gnutls_server_restore_session( gnutls_session session, uint8* session_id, int session_id_size); -int gnutls_db_clean( gnutls_session session); -int _gnutls_db_remove_session( gnutls_session session, uint8* session_id, int session_id_size); +void gnutls_set_cache_expiration(gnutls_session session, int seconds); +int gnutls_db_set_name(gnutls_session session, const char *filename); +int _gnutls_server_register_current_session(gnutls_session session); +int _gnutls_server_restore_session(gnutls_session session, + uint8 * session_id, + int session_id_size); +int gnutls_db_clean(gnutls_session session); +int _gnutls_db_remove_session(gnutls_session session, uint8 * session_id, + int session_id_size); void gnutls_db_remove_session(gnutls_session session); -int _gnutls_store_session( gnutls_session session, gnutls_datum session_id, gnutls_datum session_data); -gnutls_datum _gnutls_retrieve_session( gnutls_session session, gnutls_datum session_id); -int _gnutls_remove_session( gnutls_session session, gnutls_datum session_id); +int _gnutls_store_session(gnutls_session session, gnutls_datum session_id, + gnutls_datum session_data); +gnutls_datum _gnutls_retrieve_session(gnutls_session session, + gnutls_datum session_id); +int _gnutls_remove_session(gnutls_session session, + gnutls_datum session_id); diff --git a/lib/gnutls_dh.c b/lib/gnutls_dh.c index 1358f0ddda..8980a4cf0f 100644 --- a/lib/gnutls_dh.c +++ b/lib/gnutls_dh.c @@ -47,66 +47,65 @@ */ mpi_t gnutls_calc_dh_secret(mpi_t * ret_x, mpi_t g, mpi_t prime) { - mpi_t e, x; - int x_size = _gnutls_mpi_get_nbits(prime) - 1; - /* The size of the secret key is less than - * prime/2 - */ - - if (x_size > MAX_BITS || x_size <= 0) { - gnutls_assert(); - return NULL; - } - - x = _gnutls_mpi_new(x_size); - if (x == NULL) { - gnutls_assert(); - if (ret_x) - *ret_x = NULL; - - return NULL; - } - - /* (x_size/8)*8 is there to overcome a bug in libgcrypt - * which does not really check the bits given but the bytes. - */ - _gnutls_mpi_randomize(x, (x_size/8)*8, GCRY_STRONG_RANDOM); - - e = _gnutls_mpi_alloc_like(prime); - if (e == NULL) { - gnutls_assert(); - if (ret_x) - *ret_x = NULL; - - _gnutls_mpi_release( &x); - return NULL; - } - - _gnutls_mpi_powm(e, g, x, prime); + mpi_t e, x; + int x_size = _gnutls_mpi_get_nbits(prime) - 1; + /* The size of the secret key is less than + * prime/2 + */ + + if (x_size > MAX_BITS || x_size <= 0) { + gnutls_assert(); + return NULL; + } + + x = _gnutls_mpi_new(x_size); + if (x == NULL) { + gnutls_assert(); + if (ret_x) + *ret_x = NULL; + + return NULL; + } + /* (x_size/8)*8 is there to overcome a bug in libgcrypt + * which does not really check the bits given but the bytes. + */ + _gnutls_mpi_randomize(x, (x_size / 8) * 8, GCRY_STRONG_RANDOM); + + e = _gnutls_mpi_alloc_like(prime); + if (e == NULL) { + gnutls_assert(); if (ret_x) - *ret_x = x; - else - _gnutls_mpi_release(&x); - return e; + *ret_x = NULL; + + _gnutls_mpi_release(&x); + return NULL; + } + + _gnutls_mpi_powm(e, g, x, prime); + + if (ret_x) + *ret_x = x; + else + _gnutls_mpi_release(&x); + return e; } mpi_t gnutls_calc_dh_key(mpi_t f, mpi_t x, mpi_t prime) { - mpi_t k; - int bits; - - bits = _gnutls_mpi_get_nbits(prime); - if (bits <= 0 || bits > MAX_BITS) { - gnutls_assert(); - return NULL; - } - - k = _gnutls_mpi_alloc_like(prime); - if (k == NULL) - return NULL; - _gnutls_mpi_powm(k, f, x, prime); - return k; + mpi_t k; + int bits; + + bits = _gnutls_mpi_get_nbits(prime); + if (bits <= 0 || bits > MAX_BITS) { + gnutls_assert(); + return NULL; + } + + k = _gnutls_mpi_alloc_like(prime); + if (k == NULL) + return NULL; + _gnutls_mpi_powm(k, f, x, prime); + return k; } - diff --git a/lib/gnutls_dh.h b/lib/gnutls_dh.h index 6b449ec72e..9336a31230 100644 --- a/lib/gnutls_dh.h +++ b/lib/gnutls_dh.h @@ -18,8 +18,8 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -const mpi_t* _gnutls_get_dh_params(gnutls_dh_params); -mpi_t gnutls_calc_dh_secret( mpi_t *ret_x, mpi_t g, mpi_t prime ); -mpi_t gnutls_calc_dh_key( mpi_t f, mpi_t x, mpi_t prime ); -int _gnutls_dh_generate_prime(mpi_t *ret_g, mpi_t* ret_n, uint bits); +const mpi_t *_gnutls_get_dh_params(gnutls_dh_params); +mpi_t gnutls_calc_dh_secret(mpi_t * ret_x, mpi_t g, mpi_t prime); +mpi_t gnutls_calc_dh_key(mpi_t f, mpi_t x, mpi_t prime); +int _gnutls_dh_generate_prime(mpi_t * ret_g, mpi_t * ret_n, uint bits); void gnutls_dh_params_deinit(gnutls_dh_params dh_params); diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c index 061868093a..e6da92c4ae 100644 --- a/lib/gnutls_dh_primes.c +++ b/lib/gnutls_dh_primes.c @@ -23,7 +23,7 @@ #include <gnutls_int.h> #include <gnutls_errors.h> #include <gnutls_datum.h> -#include <x509_b64.h> /* for PKCS3 PEM decoding */ +#include <x509_b64.h> /* for PKCS3 PEM decoding */ #include <gnutls_global.h> #include <gnutls_dh.h> #include <x509/mpi.h> @@ -32,95 +32,96 @@ /* returns the prime and the generator of DH params. */ -const mpi_t* _gnutls_get_dh_params(gnutls_dh_params dh_primes) +const mpi_t *_gnutls_get_dh_params(gnutls_dh_params dh_primes) { - if (dh_primes == NULL || dh_primes->params[1] == NULL || - dh_primes->params[0] == NULL) - { - return NULL; - } + if (dh_primes == NULL || dh_primes->params[1] == NULL || + dh_primes->params[0] == NULL) { + return NULL; + } - return dh_primes->params; + return dh_primes->params; } int _gnutls_dh_generate_prime(mpi_t * ret_g, mpi_t * ret_n, unsigned int bits) { - mpi_t g=NULL, prime=NULL; - gcry_error_t err; - int result, times = 0, qbits; - mpi_t *factors = NULL; - - /* Calculate the size of a prime factor of (prime-1)/2. - * This is a bad emulation of Michael Wiener's table - */ - if (bits < 256) qbits = bits/2; - else { - qbits = 120 + (((bits / 256) - 1) * 20); + mpi_t g = NULL, prime = NULL; + gcry_error_t err; + int result, times = 0, qbits; + mpi_t *factors = NULL; + + /* Calculate the size of a prime factor of (prime-1)/2. + * This is a bad emulation of Michael Wiener's table + */ + if (bits < 256) + qbits = bits / 2; + else { + qbits = 120 + (((bits / 256) - 1) * 20); + } + + if (qbits & 1) /* better have an even number */ + qbits++; + + /* find a prime number of size bits. + */ + do { + + if (times) { + _gnutls_mpi_release(&prime); + gcry_prime_release_factors(factors); } - if (qbits & 1) /* better have an even number */ - qbits++; - - /* find a prime number of size bits. - */ - do { - - if (times) { - _gnutls_mpi_release(&prime); - gcry_prime_release_factors (factors); - } - - err = gcry_prime_generate( &prime, bits, qbits, - &factors, NULL, NULL, GCRY_STRONG_RANDOM, - GCRY_PRIME_FLAG_SPECIAL_FACTOR); - - if (err != 0) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; - } - - err = gcry_prime_check( prime, 0); - - times++; - } while( err != 0 && times < 10); + err = gcry_prime_generate(&prime, bits, qbits, + &factors, NULL, NULL, GCRY_STRONG_RANDOM, + GCRY_PRIME_FLAG_SPECIAL_FACTOR); if (err != 0) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; } - /* generate the group generator. - */ - err = gcry_prime_group_generator (&g, prime, factors, NULL); - if (err != 0) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; - } + err = gcry_prime_check(prime, 0); + + times++; + } while (err != 0 && times < 10); + + if (err != 0) { + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; + } + + /* generate the group generator. + */ + err = gcry_prime_group_generator(&g, prime, factors, NULL); + if (err != 0) { + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; + } + + gcry_prime_release_factors(factors); + factors = NULL; + + if (ret_g) + *ret_g = g; + else + _gnutls_mpi_release(&g); + if (ret_n) + *ret_n = prime; + else + _gnutls_mpi_release(&prime); + + return 0; + + cleanup: + gcry_prime_release_factors(factors); + _gnutls_mpi_release(&g); + _gnutls_mpi_release(&prime); + + return result; - gcry_prime_release_factors (factors); factors = NULL; - - if (ret_g) - *ret_g = g; - else - _gnutls_mpi_release(&g); - if (ret_n) - *ret_n = prime; - else - _gnutls_mpi_release(&prime); - - return 0; - - cleanup: - gcry_prime_release_factors (factors); - _gnutls_mpi_release(&g); - _gnutls_mpi_release(&prime); - - return result; - } /* Replaces the prime in the static DH parameters, with a randomly @@ -137,31 +138,32 @@ int _gnutls_dh_generate_prime(mpi_t * ret_g, mpi_t * ret_n, * appropriate gnutls_datum. * **/ -int gnutls_dh_params_import_raw(gnutls_dh_params dh_params, const gnutls_datum *prime, - const gnutls_datum* generator) +int gnutls_dh_params_import_raw(gnutls_dh_params dh_params, + const gnutls_datum * prime, + const gnutls_datum * generator) { - mpi_t tmp_prime, tmp_g; - size_t siz; + mpi_t tmp_prime, tmp_g; + size_t siz; - siz = prime->size; - if (_gnutls_mpi_scan(&tmp_prime, prime->data, &siz)) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } + siz = prime->size; + if (_gnutls_mpi_scan(&tmp_prime, prime->data, &siz)) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } - siz = generator->size; - if (_gnutls_mpi_scan(&tmp_g, generator->data, &siz)) { - _gnutls_mpi_release(&tmp_prime); - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } + siz = generator->size; + if (_gnutls_mpi_scan(&tmp_g, generator->data, &siz)) { + _gnutls_mpi_release(&tmp_prime); + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } - /* store the generated values - */ - dh_params->params[0] = tmp_prime; - dh_params->params[1] = tmp_g; + /* store the generated values + */ + dh_params->params[0] = tmp_prime; + dh_params->params[1] = tmp_g; - return 0; + return 0; } @@ -175,13 +177,13 @@ int gnutls_dh_params_import_raw(gnutls_dh_params dh_params, const gnutls_datum * int gnutls_dh_params_init(gnutls_dh_params * dh_params) { - (*dh_params) = gnutls_calloc(1, sizeof(dh_params_st)); - if (*dh_params == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + (*dh_params) = gnutls_calloc(1, sizeof(dh_params_st)); + if (*dh_params == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - return 0; + return 0; } @@ -194,13 +196,13 @@ int gnutls_dh_params_init(gnutls_dh_params * dh_params) **/ void gnutls_dh_params_deinit(gnutls_dh_params dh_params) { - if (dh_params == NULL) - return; + if (dh_params == NULL) + return; - _gnutls_mpi_release(&dh_params->params[0]); - _gnutls_mpi_release(&dh_params->params[1]); + _gnutls_mpi_release(&dh_params->params[0]); + _gnutls_mpi_release(&dh_params->params[1]); - gnutls_free(dh_params); + gnutls_free(dh_params); } @@ -215,16 +217,16 @@ void gnutls_dh_params_deinit(gnutls_dh_params dh_params) **/ int gnutls_dh_params_cpy(gnutls_dh_params dst, gnutls_dh_params src) { - if (src == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (src == NULL) + return GNUTLS_E_INVALID_REQUEST; - dst->params[0] = _gnutls_mpi_copy(src->params[0]); - dst->params[1] = _gnutls_mpi_copy(src->params[1]); + dst->params[0] = _gnutls_mpi_copy(src->params[0]); + dst->params[1] = _gnutls_mpi_copy(src->params[1]); - if (dst->params[0]==NULL || dst->params[1] == NULL) - return GNUTLS_E_MEMORY_ERROR; + if (dst->params[0] == NULL || dst->params[1] == NULL) + return GNUTLS_E_MEMORY_ERROR; - return 0; + return 0; } @@ -246,16 +248,16 @@ int gnutls_dh_params_cpy(gnutls_dh_params dst, gnutls_dh_params src) **/ int gnutls_dh_params_generate2(gnutls_dh_params params, unsigned int bits) { -int ret; + int ret; - ret = _gnutls_dh_generate_prime(¶ms->params[1], - ¶ms->params[0], bits); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_dh_generate_prime(¶ms->params[1], + ¶ms->params[0], bits); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -274,84 +276,87 @@ int ret; * 0 on success. * **/ -int gnutls_dh_params_import_pkcs3(gnutls_dh_params params, - const gnutls_datum * pkcs3_params, gnutls_x509_crt_fmt format) +int gnutls_dh_params_import_pkcs3(gnutls_dh_params params, + const gnutls_datum * pkcs3_params, + gnutls_x509_crt_fmt format) { - ASN1_TYPE c2; - int result, need_free = 0; - gnutls_datum _params; - - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - result = _gnutls_fbase64_decode("DH PARAMETERS", - pkcs3_params->data, pkcs3_params->size, - &out); - - if (result <= 0) { - if (result==0) result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - - _params.data = out; - _params.size = result; - - need_free = 1; - - } else { - _params.data = pkcs3_params->data; - _params.size = pkcs3_params->size; - } + ASN1_TYPE c2; + int result, need_free = 0; + gnutls_datum _params; + + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; + + result = _gnutls_fbase64_decode("DH PARAMETERS", + pkcs3_params->data, + pkcs3_params->size, &out); - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2)) - != ASN1_SUCCESS) { - gnutls_assert(); - if (need_free != 0) { - gnutls_free( _params.data); _params.data = NULL; - } - return _gnutls_asn2err(result); + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert(); + return result; } - result = - asn1_der_decoding(&c2, _params.data, _params.size, NULL); - + _params.data = out; + _params.size = result; + + need_free = 1; + + } else { + _params.data = pkcs3_params->data; + _params.size = pkcs3_params->size; + } + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2)) + != ASN1_SUCCESS) { + gnutls_assert(); if (need_free != 0) { - gnutls_free( _params.data); _params.data = NULL; + gnutls_free(_params.data); + _params.data = NULL; } + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ + result = asn1_der_decoding(&c2, _params.data, _params.size, NULL); - _gnutls_x509_log("DHParams: Decoding error %d\n", result); - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + if (need_free != 0) { + gnutls_free(_params.data); + _params.data = NULL; + } - /* Read PRIME - */ - result = _gnutls_x509_read_int( c2, "prime", ¶ms->params[0]); - if ( result < 0) { - asn1_delete_structure(&c2); - gnutls_assert(); - return result; - } + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ - /* read the generator - */ - result = _gnutls_x509_read_int( c2, "base", ¶ms->params[1]); - if ( result < 0) { - asn1_delete_structure(&c2); - _gnutls_mpi_release( ¶ms->params[0]); - gnutls_assert(); - return result; - } + _gnutls_x509_log("DHParams: Decoding error %d\n", result); + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + /* Read PRIME + */ + result = _gnutls_x509_read_int(c2, "prime", ¶ms->params[0]); + if (result < 0) { asn1_delete_structure(&c2); + gnutls_assert(); + return result; + } + + /* read the generator + */ + result = _gnutls_x509_read_int(c2, "base", ¶ms->params[1]); + if (result < 0) { + asn1_delete_structure(&c2); + _gnutls_mpi_release(¶ms->params[0]); + gnutls_assert(); + return result; + } + + asn1_delete_structure(&c2); - return 0; + return 0; } /** @@ -373,147 +378,148 @@ int gnutls_dh_params_import_pkcs3(gnutls_dh_params params, * 0 on success. * **/ -int gnutls_dh_params_export_pkcs3( gnutls_dh_params params, - gnutls_x509_crt_fmt format, unsigned char* params_data, - size_t* params_data_size) +int gnutls_dh_params_export_pkcs3(gnutls_dh_params params, + gnutls_x509_crt_fmt format, + unsigned char *params_data, + size_t * params_data_size) { - ASN1_TYPE c2; - int result, _params_data_size; - size_t g_size, p_size; - opaque * p_data, *g_data; - opaque * all_data; - - _gnutls_mpi_print( NULL, &g_size, params->params[1]); - _gnutls_mpi_print( NULL, &p_size, params->params[0]); - - all_data = gnutls_malloc( g_size + p_size); - if (all_data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + ASN1_TYPE c2; + int result, _params_data_size; + size_t g_size, p_size; + opaque *p_data, *g_data; + opaque *all_data; + + _gnutls_mpi_print(NULL, &g_size, params->params[1]); + _gnutls_mpi_print(NULL, &p_size, params->params[0]); + + all_data = gnutls_malloc(g_size + p_size); + if (all_data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + p_data = &all_data[0]; + g_data = &all_data[p_size]; + + _gnutls_mpi_print(p_data, &p_size, params->params[0]); + _gnutls_mpi_print(g_data, &g_size, params->params[1]); + + /* Ok. Now we have the data. Create the asn1 structures + */ + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2)) + != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(all_data); + return _gnutls_asn2err(result); + } + + /* Write PRIME + */ + if ((result = asn1_write_value(c2, "prime", + p_data, p_size)) != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(all_data); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + /* Write the GENERATOR + */ + if ((result = asn1_write_value(c2, "base", + g_data, g_size)) != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(all_data); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + gnutls_free(all_data); + + if ((result = asn1_write_value(c2, "privateValueLength", + NULL, 0)) != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + if (format == GNUTLS_X509_FMT_DER) { + if (params_data == NULL) + *params_data_size = 0; + + _params_data_size = *params_data_size; + result = + asn1_der_coding(c2, "", params_data, &_params_data_size, NULL); + *params_data_size = _params_data_size; + asn1_delete_structure(&c2); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + if (result == ASN1_MEM_ERROR) + return GNUTLS_E_SHORT_MEMORY_BUFFER; + + return _gnutls_asn2err(result); } - - p_data = &all_data[0]; - g_data = &all_data[p_size]; - - _gnutls_mpi_print( p_data, &p_size, params->params[0]); - _gnutls_mpi_print( g_data, &g_size, params->params[1]); - - /* Ok. Now we have the data. Create the asn1 structures - */ - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2)) - != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(all_data); - return _gnutls_asn2err(result); + + } else { /* PEM */ + opaque *tmp; + opaque *out; + int len; + + len = 0; + asn1_der_coding(c2, "", NULL, &len, NULL); + + tmp = gnutls_malloc(len); + if (tmp == NULL) { + gnutls_assert(); + asn1_delete_structure(&c2); + return GNUTLS_E_MEMORY_ERROR; } - /* Write PRIME - */ - if ((result = asn1_write_value(c2, "prime", - p_data, p_size)) != ASN1_SUCCESS) - { - gnutls_assert(); - gnutls_free(all_data); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + if ((result = + asn1_der_coding(c2, "", tmp, &len, NULL)) != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(tmp); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); } - /* Write the GENERATOR - */ - if ((result = asn1_write_value(c2, "base", - g_data, g_size)) != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(all_data); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + asn1_delete_structure(&c2); + + result = _gnutls_fbase64_encode("DH PARAMETERS", tmp, len, &out); + + gnutls_free(tmp); + + if (result < 0) { + gnutls_assert(); + return result; } - gnutls_free(all_data); + if (result == 0) { /* oooops */ + gnutls_assert(); + gnutls_free(out); + return GNUTLS_E_INTERNAL_ERROR; + } - if ((result = asn1_write_value(c2, "privateValueLength", - NULL, 0)) != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + if ((uint) result + 1 > *params_data_size) { + gnutls_assert(); + gnutls_free(out); + *params_data_size = result + 1; + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - if (format == GNUTLS_X509_FMT_DER) { - if (params_data == NULL) *params_data_size = 0; - - _params_data_size = *params_data_size; - result=asn1_der_coding( c2, "", params_data, &_params_data_size, NULL); - *params_data_size = _params_data_size; - asn1_delete_structure(&c2); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - if (result == ASN1_MEM_ERROR) - return GNUTLS_E_SHORT_MEMORY_BUFFER; - - return _gnutls_asn2err(result); - } - - } else { /* PEM */ - opaque *tmp; - opaque *out; - int len; - - len = 0; - asn1_der_coding( c2, "", NULL, &len, NULL); - - tmp = gnutls_malloc( len); - if (tmp == NULL) { - gnutls_assert(); - asn1_delete_structure(&c2); - return GNUTLS_E_MEMORY_ERROR; - } - - if ((result=asn1_der_coding( c2, "", tmp, &len, NULL)) != ASN1_SUCCESS) - { - gnutls_assert(); - gnutls_free( tmp); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } - - asn1_delete_structure(&c2); - - result = _gnutls_fbase64_encode("DH PARAMETERS", - tmp, len, &out); - - gnutls_free( tmp); - - if (result < 0) { - gnutls_assert(); - return result; - } - - if (result == 0) { /* oooops */ - gnutls_assert(); - gnutls_free(out); - return GNUTLS_E_INTERNAL_ERROR; - } - - if ((uint)result + 1 > *params_data_size) { - gnutls_assert(); - gnutls_free(out); - *params_data_size = result + 1; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - *params_data_size = result; - - if (params_data) { - memcpy( params_data, out, result); - params_data[result] = 0; - } - gnutls_free( out); - + *params_data_size = result; + + if (params_data) { + memcpy(params_data, out, result); + params_data[result] = 0; } + gnutls_free(out); + + } - return 0; + return 0; } /** @@ -529,44 +535,45 @@ int gnutls_dh_params_export_pkcs3( gnutls_dh_params params, * **/ int gnutls_dh_params_export_raw(gnutls_dh_params params, - gnutls_datum * prime, gnutls_datum * generator, unsigned int *bits) + gnutls_datum * prime, + gnutls_datum * generator, + unsigned int *bits) { - size_t size; + size_t size; - if (params->params[1] == NULL || - params->params[0] == NULL) - { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - size = 0; - _gnutls_mpi_print(NULL, &size, params->params[1]); + if (params->params[1] == NULL || params->params[0] == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - generator->data = gnutls_malloc(size); - if (generator->data == NULL) { - return GNUTLS_E_MEMORY_ERROR; - } + size = 0; + _gnutls_mpi_print(NULL, &size, params->params[1]); - generator->size = size; - _gnutls_mpi_print(generator->data, &size, params->params[1]); + generator->data = gnutls_malloc(size); + if (generator->data == NULL) { + return GNUTLS_E_MEMORY_ERROR; + } + generator->size = size; + _gnutls_mpi_print(generator->data, &size, params->params[1]); - size = 0; - _gnutls_mpi_print(NULL, &size, params->params[0]); - prime->data = gnutls_malloc(size); - if (prime->data == NULL) { - gnutls_free(generator->data); generator->data = NULL; - return GNUTLS_E_MEMORY_ERROR; - } - prime->size = size; - _gnutls_mpi_print(prime->data, &size, params->params[0]); - - if (bits) - *bits = _gnutls_mpi_get_nbits( params->params[0]); + size = 0; + _gnutls_mpi_print(NULL, &size, params->params[0]); + + prime->data = gnutls_malloc(size); + if (prime->data == NULL) { + gnutls_free(generator->data); + generator->data = NULL; + return GNUTLS_E_MEMORY_ERROR; + } + prime->size = size; + _gnutls_mpi_print(prime->data, &size, params->params[0]); + + if (bits) + *bits = _gnutls_mpi_get_nbits(params->params[0]); - return 0; + return 0; } diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index c68239e28c..46e8cc3084 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c @@ -33,122 +33,201 @@ extern LOG_FUNC _gnutls_log_func; { desc, #name, name, fatal} struct gnutls_error_entry { - const char *desc; - const char *_name; - int number; - int fatal; + const char *desc; + const char *_name; + int number; + int fatal; }; typedef struct gnutls_error_entry gnutls_error_entry; static gnutls_error_entry error_algorithms[] = { - /* "Short Description", Error code define, critical (0,1) -- 1 in most cases */ - ERROR_ENTRY("Success.", GNUTLS_E_SUCCESS, 0 ), - ERROR_ENTRY("Could not negotiate a supported cipher suite.", GNUTLS_E_UNKNOWN_CIPHER_SUITE, 1 ), - ERROR_ENTRY("The cipher type is unsupported.", GNUTLS_E_UNKNOWN_CIPHER_TYPE, 1 ), - ERROR_ENTRY("The certificate and the given key do not match.", GNUTLS_E_CERTIFICATE_KEY_MISMATCH, 1 ), - ERROR_ENTRY("Could not negotiate a supported compression method.", GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM, 1 ), - ERROR_ENTRY("An unknown public key algorithm was encountered.", GNUTLS_E_UNKNOWN_PK_ALGORITHM, 1 ), - - ERROR_ENTRY("An algorithm that is not enabled was negotiated.", GNUTLS_E_UNWANTED_ALGORITHM, 1 ), - ERROR_ENTRY("A large TLS record packet was received.", GNUTLS_E_LARGE_PACKET, 1 ), - ERROR_ENTRY("A record packet with illegal version was received.", GNUTLS_E_UNSUPPORTED_VERSION_PACKET, 1 ), - ERROR_ENTRY("The Diffie Hellman prime sent by the server is not acceptable (not long enough).", GNUTLS_E_DH_PRIME_UNACCEPTABLE, 1 ), - ERROR_ENTRY("A TLS packet with unexpected length was received.", GNUTLS_E_UNEXPECTED_PACKET_LENGTH, 1 ), - ERROR_ENTRY("The specified session has been invalidated for some reason.", GNUTLS_E_INVALID_SESSION, 1 ), - - ERROR_ENTRY("GnuTLS internal error.", GNUTLS_E_INTERNAL_ERROR, 1 ), - ERROR_ENTRY("An illegal TLS extension was received.", GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION, 1 ), - ERROR_ENTRY("A TLS fatal alert has been received.", GNUTLS_E_FATAL_ALERT_RECEIVED ,1 ), - ERROR_ENTRY("An unexpected TLS packet was received.", GNUTLS_E_UNEXPECTED_PACKET, 1 ), - ERROR_ENTRY("A TLS warning alert has been received.", GNUTLS_E_WARNING_ALERT_RECEIVED, 0 ), - ERROR_ENTRY("An error was encountered at the TLS Finished packet calculation.", GNUTLS_E_ERROR_IN_FINISHED_PACKET, 1 ), - ERROR_ENTRY("The peer did not send any certificate.", GNUTLS_E_NO_CERTIFICATE_FOUND, 1 ), - - ERROR_ENTRY("No temporary RSA parameters were found.", GNUTLS_E_NO_TEMPORARY_RSA_PARAMS, 1 ), - ERROR_ENTRY("No temporary DH parameters were found.", GNUTLS_E_NO_TEMPORARY_DH_PARAMS, 1 ), - ERROR_ENTRY("An unexpected TLS handshake packet was received.", GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET, 1 ), - ERROR_ENTRY("The scanning of a large integer has failed.", GNUTLS_E_MPI_SCAN_FAILED, 1 ), - ERROR_ENTRY("Could not export a large integer.", GNUTLS_E_MPI_PRINT_FAILED, 1 ), - ERROR_ENTRY("Decryption has failed.", GNUTLS_E_DECRYPTION_FAILED, 1 ), - ERROR_ENTRY("Encryption has failed.", GNUTLS_E_ENCRYPTION_FAILED, 1 ), - ERROR_ENTRY("Public key decryption has failed.", GNUTLS_E_PK_DECRYPTION_FAILED, 1 ), - ERROR_ENTRY("Public key encryption has failed.", GNUTLS_E_PK_ENCRYPTION_FAILED, 1 ), - ERROR_ENTRY("Public key signing has failed.", GNUTLS_E_PK_SIGN_FAILED, 1 ), - ERROR_ENTRY("Public key signature verification has failed.", GNUTLS_E_PK_SIG_VERIFY_FAILED, 1 ), - ERROR_ENTRY("Decompression of the TLS record packet has failed.", GNUTLS_E_DECOMPRESSION_FAILED, 1 ), - ERROR_ENTRY("Compression of the TLS record packet has failed.", GNUTLS_E_COMPRESSION_FAILED, 1 ), - - ERROR_ENTRY("Internal error in memory allocation.", GNUTLS_E_MEMORY_ERROR, 1 ), - ERROR_ENTRY("An unimplemented or disabled feature has been requested.", GNUTLS_E_UNIMPLEMENTED_FEATURE, 1 ), - ERROR_ENTRY("Insufficient credentials for that request.", GNUTLS_E_INSUFFICIENT_CREDENTIALS, 1 ), - ERROR_ENTRY("Error in SRP password file.", GNUTLS_E_SRP_PWD_ERROR, 1 ), - ERROR_ENTRY("Wrong padding in PKCS1 packet.", GNUTLS_E_PKCS1_WRONG_PAD, 1 ), - ERROR_ENTRY("The requested session has expired.", GNUTLS_E_EXPIRED, 1 ), - ERROR_ENTRY("Hashing has failed.", GNUTLS_E_HASH_FAILED, 1 ), - ERROR_ENTRY("Base64 decoding error.", GNUTLS_E_BASE64_DECODING_ERROR, 1 ), - ERROR_ENTRY("Base64 encoding error.", GNUTLS_E_BASE64_ENCODING_ERROR, 1 ), - ERROR_ENTRY("Parsing error in SRP password file.", GNUTLS_E_SRP_PWD_PARSING_ERROR, 1 ), - ERROR_ENTRY("The requested data were not available.", GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, 0 ), - ERROR_ENTRY("Error in the pull function.", GNUTLS_E_PULL_ERROR, 1 ), - ERROR_ENTRY("Error in the push function.", GNUTLS_E_PUSH_ERROR, 1 ), - ERROR_ENTRY("The upper limit of record packet sequence numbers has been reached. Wow!", GNUTLS_E_RECORD_LIMIT_REACHED, 1 ), - ERROR_ENTRY("Error in the certificate.", GNUTLS_E_CERTIFICATE_ERROR, 1 ), - ERROR_ENTRY("Unknown Subject Alternative name in X.509 certificate.", GNUTLS_E_X509_UNKNOWN_SAN, 1 ), - - ERROR_ENTRY("Unsupported critical extension in X.509 certificate.", GNUTLS_E_X509_UNSUPPORTED_CRITICAL_EXTENSION, 1 ), - ERROR_ENTRY("Key usage violation in certificate has been detected.", GNUTLS_E_KEY_USAGE_VIOLATION, 1 ), - ERROR_ENTRY("Function was interrupted.", GNUTLS_E_AGAIN, 0 ), - ERROR_ENTRY("Function was interrupted.", GNUTLS_E_INTERRUPTED, 0 ), - ERROR_ENTRY("Rehandshake was requested by the peer.", GNUTLS_E_REHANDSHAKE, 0 ), - ERROR_ENTRY("TLS Application data were received, while expecting handshake data.", GNUTLS_E_GOT_APPLICATION_DATA, 1 ), - ERROR_ENTRY("Error in Database backend.", GNUTLS_E_DB_ERROR, 1 ), - ERROR_ENTRY("The certificate type is not supported.", GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE, 1 ), - ERROR_ENTRY("The given memory buffer is too short to hold parameters.", GNUTLS_E_SHORT_MEMORY_BUFFER, 1 ), - ERROR_ENTRY("The request is invalid.", GNUTLS_E_INVALID_REQUEST, 1 ), - ERROR_ENTRY("An illegal parameter has been received.", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1 ), - ERROR_ENTRY("Error while reading file.", GNUTLS_E_FILE_ERROR, 1 ), - - ERROR_ENTRY("ASN1 parser: Element was not found.", GNUTLS_E_ASN1_ELEMENT_NOT_FOUND, 1 ), - ERROR_ENTRY("ASN1 parser: Identifier was not found", GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND, 1 ), - ERROR_ENTRY("ASN1 parser: Error in DER parsing.", GNUTLS_E_ASN1_DER_ERROR, 1 ), - ERROR_ENTRY("ASN1 parser: Value was not found.", GNUTLS_E_ASN1_VALUE_NOT_FOUND, 1 ), - ERROR_ENTRY("ASN1 parser: Generic parsing error.", GNUTLS_E_ASN1_GENERIC_ERROR, 1 ), - ERROR_ENTRY("ASN1 parser: Value is not valid.", GNUTLS_E_ASN1_VALUE_NOT_VALID, 1 ), - ERROR_ENTRY("ASN1 parser: Error in TAG.", GNUTLS_E_ASN1_TAG_ERROR, 1 ), - ERROR_ENTRY("ASN1 parser: error in implicit tag", GNUTLS_E_ASN1_TAG_IMPLICIT, 1 ), - ERROR_ENTRY("ASN1 parser: Error in type 'ANY'.", GNUTLS_E_ASN1_TYPE_ANY_ERROR, 1 ), - ERROR_ENTRY("ASN1 parser: Syntax error.", GNUTLS_E_ASN1_SYNTAX_ERROR, 1 ), - ERROR_ENTRY("ASN1 parser: Overflow in DER parsing.", GNUTLS_E_ASN1_DER_OVERFLOW, 1 ), - - ERROR_ENTRY("Too many empty record packets have been received.", GNUTLS_E_TOO_MANY_EMPTY_PACKETS, 1 ), - ERROR_ENTRY("The initialization of GnuTLS-extra has failed.", GNUTLS_E_INIT_LIBEXTRA, 1 ), - ERROR_ENTRY("The GnuTLS library version does not match the GnuTLS-extra library version.", - GNUTLS_E_LIBRARY_VERSION_MISMATCH, 1 ), - ERROR_ENTRY("The gcrypt library version is too old.", - GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY, 1 ), - - ERROR_ENTRY("The tasn1 library version is too old.", - GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY, 1 ), - ERROR_ENTRY("The specified GnuPG TrustDB version is not supported. TrustDB v4 is supported.", - GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED, 1 ), - - ERROR_ENTRY("Error loading the keyring.", GNUTLS_E_OPENPGP_KEYRING_ERROR, 1 ), - ERROR_ENTRY("The initialization of LZO has failed.", GNUTLS_E_LZO_INIT_FAILED, 1 ), - ERROR_ENTRY("No supported compression algorithms have been found.", GNUTLS_E_NO_COMPRESSION_ALGORITHMS, 1 ), - ERROR_ENTRY("No supported cipher suites have been found.", GNUTLS_E_NO_CIPHER_SUITES, 1 ), - ERROR_ENTRY("Could not get OpenPGP key.", GNUTLS_E_OPENPGP_GETKEY_FAILED, 1), - - ERROR_ENTRY("The SRP username supplied is illegal.", GNUTLS_E_ILLEGAL_SRP_USERNAME, 1), - - ERROR_ENTRY("The OpenPGP fingerprint is not supported.", GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1), - ERROR_ENTRY("The certificate has unsupported attributes.", GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE, 1), - ERROR_ENTRY("The OID is not supported.", GNUTLS_E_X509_UNSUPPORTED_OID, 1), - ERROR_ENTRY("The hash algorithm is unknown.", GNUTLS_E_UNKNOWN_HASH_ALGORITHM, 1), - ERROR_ENTRY("The PKCS structure's content type is unknown.", GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE, 1), - ERROR_ENTRY("The PKCS structure's bag type is unknown.", GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE, 1), - ERROR_ENTRY("The given password contains invalid characters.", GNUTLS_E_INVALID_PASSWORD, 1), - ERROR_ENTRY("The Message Authentication Code verification failed.", GNUTLS_E_MAC_VERIFY_FAILED, 1), - {NULL, NULL, 0, 0} + /* "Short Description", Error code define, critical (0,1) -- 1 in most cases */ + ERROR_ENTRY("Success.", GNUTLS_E_SUCCESS, 0), + ERROR_ENTRY("Could not negotiate a supported cipher suite.", + GNUTLS_E_UNKNOWN_CIPHER_SUITE, 1), + ERROR_ENTRY("The cipher type is unsupported.", + GNUTLS_E_UNKNOWN_CIPHER_TYPE, 1), + ERROR_ENTRY("The certificate and the given key do not match.", + GNUTLS_E_CERTIFICATE_KEY_MISMATCH, 1), + ERROR_ENTRY("Could not negotiate a supported compression method.", + GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM, 1), + ERROR_ENTRY("An unknown public key algorithm was encountered.", + GNUTLS_E_UNKNOWN_PK_ALGORITHM, 1), + + ERROR_ENTRY("An algorithm that is not enabled was negotiated.", + GNUTLS_E_UNWANTED_ALGORITHM, 1), + ERROR_ENTRY("A large TLS record packet was received.", + GNUTLS_E_LARGE_PACKET, 1), + ERROR_ENTRY("A record packet with illegal version was received.", + GNUTLS_E_UNSUPPORTED_VERSION_PACKET, 1), + ERROR_ENTRY + ("The Diffie Hellman prime sent by the server is not acceptable (not long enough).", + GNUTLS_E_DH_PRIME_UNACCEPTABLE, 1), + ERROR_ENTRY("A TLS packet with unexpected length was received.", + GNUTLS_E_UNEXPECTED_PACKET_LENGTH, 1), + ERROR_ENTRY + ("The specified session has been invalidated for some reason.", + GNUTLS_E_INVALID_SESSION, 1), + + ERROR_ENTRY("GnuTLS internal error.", GNUTLS_E_INTERNAL_ERROR, 1), + ERROR_ENTRY("An illegal TLS extension was received.", + GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION, 1), + ERROR_ENTRY("A TLS fatal alert has been received.", + GNUTLS_E_FATAL_ALERT_RECEIVED, 1), + ERROR_ENTRY("An unexpected TLS packet was received.", + GNUTLS_E_UNEXPECTED_PACKET, 1), + ERROR_ENTRY("A TLS warning alert has been received.", + GNUTLS_E_WARNING_ALERT_RECEIVED, 0), + ERROR_ENTRY + ("An error was encountered at the TLS Finished packet calculation.", + GNUTLS_E_ERROR_IN_FINISHED_PACKET, 1), + ERROR_ENTRY("The peer did not send any certificate.", + GNUTLS_E_NO_CERTIFICATE_FOUND, 1), + + ERROR_ENTRY("No temporary RSA parameters were found.", + GNUTLS_E_NO_TEMPORARY_RSA_PARAMS, 1), + ERROR_ENTRY("No temporary DH parameters were found.", + GNUTLS_E_NO_TEMPORARY_DH_PARAMS, 1), + ERROR_ENTRY("An unexpected TLS handshake packet was received.", + GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET, 1), + ERROR_ENTRY("The scanning of a large integer has failed.", + GNUTLS_E_MPI_SCAN_FAILED, 1), + ERROR_ENTRY("Could not export a large integer.", + GNUTLS_E_MPI_PRINT_FAILED, 1), + ERROR_ENTRY("Decryption has failed.", GNUTLS_E_DECRYPTION_FAILED, 1), + ERROR_ENTRY("Encryption has failed.", GNUTLS_E_ENCRYPTION_FAILED, 1), + ERROR_ENTRY("Public key decryption has failed.", + GNUTLS_E_PK_DECRYPTION_FAILED, 1), + ERROR_ENTRY("Public key encryption has failed.", + GNUTLS_E_PK_ENCRYPTION_FAILED, 1), + ERROR_ENTRY("Public key signing has failed.", GNUTLS_E_PK_SIGN_FAILED, + 1), + ERROR_ENTRY("Public key signature verification has failed.", + GNUTLS_E_PK_SIG_VERIFY_FAILED, 1), + ERROR_ENTRY("Decompression of the TLS record packet has failed.", + GNUTLS_E_DECOMPRESSION_FAILED, 1), + ERROR_ENTRY("Compression of the TLS record packet has failed.", + GNUTLS_E_COMPRESSION_FAILED, 1), + + ERROR_ENTRY("Internal error in memory allocation.", + GNUTLS_E_MEMORY_ERROR, 1), + ERROR_ENTRY("An unimplemented or disabled feature has been requested.", + GNUTLS_E_UNIMPLEMENTED_FEATURE, 1), + ERROR_ENTRY("Insufficient credentials for that request.", + GNUTLS_E_INSUFFICIENT_CREDENTIALS, 1), + ERROR_ENTRY("Error in SRP password file.", GNUTLS_E_SRP_PWD_ERROR, 1), + ERROR_ENTRY("Wrong padding in PKCS1 packet.", GNUTLS_E_PKCS1_WRONG_PAD, + 1), + ERROR_ENTRY("The requested session has expired.", GNUTLS_E_EXPIRED, 1), + ERROR_ENTRY("Hashing has failed.", GNUTLS_E_HASH_FAILED, 1), + ERROR_ENTRY("Base64 decoding error.", GNUTLS_E_BASE64_DECODING_ERROR, + 1), + ERROR_ENTRY("Base64 encoding error.", GNUTLS_E_BASE64_ENCODING_ERROR, + 1), + ERROR_ENTRY("Parsing error in SRP password file.", + GNUTLS_E_SRP_PWD_PARSING_ERROR, 1), + ERROR_ENTRY("The requested data were not available.", + GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, 0), + ERROR_ENTRY("Error in the pull function.", GNUTLS_E_PULL_ERROR, 1), + ERROR_ENTRY("Error in the push function.", GNUTLS_E_PUSH_ERROR, 1), + ERROR_ENTRY + ("The upper limit of record packet sequence numbers has been reached. Wow!", + GNUTLS_E_RECORD_LIMIT_REACHED, 1), + ERROR_ENTRY("Error in the certificate.", GNUTLS_E_CERTIFICATE_ERROR, + 1), + ERROR_ENTRY("Unknown Subject Alternative name in X.509 certificate.", + GNUTLS_E_X509_UNKNOWN_SAN, 1), + + ERROR_ENTRY("Unsupported critical extension in X.509 certificate.", + GNUTLS_E_X509_UNSUPPORTED_CRITICAL_EXTENSION, 1), + ERROR_ENTRY("Key usage violation in certificate has been detected.", + GNUTLS_E_KEY_USAGE_VIOLATION, 1), + ERROR_ENTRY("Function was interrupted.", GNUTLS_E_AGAIN, 0), + ERROR_ENTRY("Function was interrupted.", GNUTLS_E_INTERRUPTED, 0), + ERROR_ENTRY("Rehandshake was requested by the peer.", + GNUTLS_E_REHANDSHAKE, 0), + ERROR_ENTRY + ("TLS Application data were received, while expecting handshake data.", + GNUTLS_E_GOT_APPLICATION_DATA, 1), + ERROR_ENTRY("Error in Database backend.", GNUTLS_E_DB_ERROR, 1), + ERROR_ENTRY("The certificate type is not supported.", + GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE, 1), + ERROR_ENTRY("The given memory buffer is too short to hold parameters.", + GNUTLS_E_SHORT_MEMORY_BUFFER, 1), + ERROR_ENTRY("The request is invalid.", GNUTLS_E_INVALID_REQUEST, 1), + ERROR_ENTRY("An illegal parameter has been received.", + GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1), + ERROR_ENTRY("Error while reading file.", GNUTLS_E_FILE_ERROR, 1), + + ERROR_ENTRY("ASN1 parser: Element was not found.", + GNUTLS_E_ASN1_ELEMENT_NOT_FOUND, 1), + ERROR_ENTRY("ASN1 parser: Identifier was not found", + GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND, 1), + ERROR_ENTRY("ASN1 parser: Error in DER parsing.", + GNUTLS_E_ASN1_DER_ERROR, 1), + ERROR_ENTRY("ASN1 parser: Value was not found.", + GNUTLS_E_ASN1_VALUE_NOT_FOUND, 1), + ERROR_ENTRY("ASN1 parser: Generic parsing error.", + GNUTLS_E_ASN1_GENERIC_ERROR, 1), + ERROR_ENTRY("ASN1 parser: Value is not valid.", + GNUTLS_E_ASN1_VALUE_NOT_VALID, 1), + ERROR_ENTRY("ASN1 parser: Error in TAG.", GNUTLS_E_ASN1_TAG_ERROR, 1), + ERROR_ENTRY("ASN1 parser: error in implicit tag", + GNUTLS_E_ASN1_TAG_IMPLICIT, 1), + ERROR_ENTRY("ASN1 parser: Error in type 'ANY'.", + GNUTLS_E_ASN1_TYPE_ANY_ERROR, 1), + ERROR_ENTRY("ASN1 parser: Syntax error.", GNUTLS_E_ASN1_SYNTAX_ERROR, + 1), + ERROR_ENTRY("ASN1 parser: Overflow in DER parsing.", + GNUTLS_E_ASN1_DER_OVERFLOW, 1), + + ERROR_ENTRY("Too many empty record packets have been received.", + GNUTLS_E_TOO_MANY_EMPTY_PACKETS, 1), + ERROR_ENTRY("The initialization of GnuTLS-extra has failed.", + GNUTLS_E_INIT_LIBEXTRA, 1), + ERROR_ENTRY + ("The GnuTLS library version does not match the GnuTLS-extra library version.", + GNUTLS_E_LIBRARY_VERSION_MISMATCH, 1), + ERROR_ENTRY("The gcrypt library version is too old.", + GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY, 1), + + ERROR_ENTRY("The tasn1 library version is too old.", + GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY, 1), + ERROR_ENTRY + ("The specified GnuPG TrustDB version is not supported. TrustDB v4 is supported.", + GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED, 1), + + ERROR_ENTRY("Error loading the keyring.", + GNUTLS_E_OPENPGP_KEYRING_ERROR, 1), + ERROR_ENTRY("The initialization of LZO has failed.", + GNUTLS_E_LZO_INIT_FAILED, 1), + ERROR_ENTRY("No supported compression algorithms have been found.", + GNUTLS_E_NO_COMPRESSION_ALGORITHMS, 1), + ERROR_ENTRY("No supported cipher suites have been found.", + GNUTLS_E_NO_CIPHER_SUITES, 1), + ERROR_ENTRY("Could not get OpenPGP key.", + GNUTLS_E_OPENPGP_GETKEY_FAILED, 1), + + ERROR_ENTRY("The SRP username supplied is illegal.", + GNUTLS_E_ILLEGAL_SRP_USERNAME, 1), + + ERROR_ENTRY("The OpenPGP fingerprint is not supported.", + GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1), + ERROR_ENTRY("The certificate has unsupported attributes.", + GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE, 1), + ERROR_ENTRY("The OID is not supported.", GNUTLS_E_X509_UNSUPPORTED_OID, + 1), + ERROR_ENTRY("The hash algorithm is unknown.", + GNUTLS_E_UNKNOWN_HASH_ALGORITHM, 1), + ERROR_ENTRY("The PKCS structure's content type is unknown.", + GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE, 1), + ERROR_ENTRY("The PKCS structure's bag type is unknown.", + GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE, 1), + ERROR_ENTRY("The given password contains invalid characters.", + GNUTLS_E_INVALID_PASSWORD, 1), + ERROR_ENTRY("The Message Authentication Code verification failed.", + GNUTLS_E_MAC_VERIFY_FAILED, 1), + {NULL, NULL, 0, 0} }; #define GNUTLS_ERROR_LOOP(b) \ @@ -176,10 +255,10 @@ static gnutls_error_entry error_algorithms[] = { **/ int gnutls_error_is_fatal(int error) { - int ret = 0; + int ret = 0; - GNUTLS_ERROR_ALG_LOOP(ret = p->fatal); - return ret; + GNUTLS_ERROR_ALG_LOOP(ret = p->fatal); + return ret; } /** @@ -191,12 +270,13 @@ int gnutls_error_is_fatal(int error) **/ void gnutls_perror(int error) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_ERROR_ALG_LOOP(ret = p->desc); - if (ret == NULL) ret = "(unknown)"; - fprintf(stderr, "GNUTLS ERROR: %s\n", ret); + /* avoid prefix */ + GNUTLS_ERROR_ALG_LOOP(ret = p->desc); + if (ret == NULL) + ret = "(unknown)"; + fprintf(stderr, "GNUTLS ERROR: %s\n", ret); } @@ -208,90 +288,96 @@ void gnutls_perror(int error) * number returned by a gnutls function; In case of an unknown error * a descriptive string is sent instead of NULL. **/ -const char* gnutls_strerror(int error) +const char *gnutls_strerror(int error) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_ERROR_ALG_LOOP(ret = - p->desc); - if (ret == NULL) return "(unknown error code)"; - return ret; + /* avoid prefix */ + GNUTLS_ERROR_ALG_LOOP(ret = p->desc); + if (ret == NULL) + return "(unknown error code)"; + return ret; } /* This will print the actual define of the * given error code. */ -const char* _gnutls_strerror(int error) +const char *_gnutls_strerror(int error) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_ERROR_ALG_LOOP(ret = - p->_name); + /* avoid prefix */ + GNUTLS_ERROR_ALG_LOOP(ret = p->_name); - return ret; + return ret; } -int _gnutls_asn2err( int asn_err) { - switch( asn_err) { - case ASN1_FILE_NOT_FOUND: - return GNUTLS_E_FILE_ERROR; - case ASN1_ELEMENT_NOT_FOUND: - return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; - case ASN1_IDENTIFIER_NOT_FOUND: - return GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND; - case ASN1_DER_ERROR: - return GNUTLS_E_ASN1_DER_ERROR; - case ASN1_VALUE_NOT_FOUND: - return GNUTLS_E_ASN1_VALUE_NOT_FOUND; - case ASN1_GENERIC_ERROR: - return GNUTLS_E_ASN1_GENERIC_ERROR; - case ASN1_VALUE_NOT_VALID: - return GNUTLS_E_ASN1_VALUE_NOT_VALID; - case ASN1_TAG_ERROR: - return GNUTLS_E_ASN1_TAG_ERROR; - case ASN1_TAG_IMPLICIT: - return GNUTLS_E_ASN1_TAG_IMPLICIT; - case ASN1_ERROR_TYPE_ANY: - return GNUTLS_E_ASN1_TYPE_ANY_ERROR; - case ASN1_SYNTAX_ERROR: - return GNUTLS_E_ASN1_SYNTAX_ERROR; - case ASN1_MEM_ERROR: - return GNUTLS_E_SHORT_MEMORY_BUFFER; - case ASN1_MEM_ALLOC_ERROR: - return GNUTLS_E_MEMORY_ERROR; - case ASN1_DER_OVERFLOW: - return GNUTLS_E_ASN1_DER_OVERFLOW; - default: - return GNUTLS_E_ASN1_GENERIC_ERROR; - } +int _gnutls_asn2err(int asn_err) +{ + switch (asn_err) { + case ASN1_FILE_NOT_FOUND: + return GNUTLS_E_FILE_ERROR; + case ASN1_ELEMENT_NOT_FOUND: + return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; + case ASN1_IDENTIFIER_NOT_FOUND: + return GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND; + case ASN1_DER_ERROR: + return GNUTLS_E_ASN1_DER_ERROR; + case ASN1_VALUE_NOT_FOUND: + return GNUTLS_E_ASN1_VALUE_NOT_FOUND; + case ASN1_GENERIC_ERROR: + return GNUTLS_E_ASN1_GENERIC_ERROR; + case ASN1_VALUE_NOT_VALID: + return GNUTLS_E_ASN1_VALUE_NOT_VALID; + case ASN1_TAG_ERROR: + return GNUTLS_E_ASN1_TAG_ERROR; + case ASN1_TAG_IMPLICIT: + return GNUTLS_E_ASN1_TAG_IMPLICIT; + case ASN1_ERROR_TYPE_ANY: + return GNUTLS_E_ASN1_TYPE_ANY_ERROR; + case ASN1_SYNTAX_ERROR: + return GNUTLS_E_ASN1_SYNTAX_ERROR; + case ASN1_MEM_ERROR: + return GNUTLS_E_SHORT_MEMORY_BUFFER; + case ASN1_MEM_ALLOC_ERROR: + return GNUTLS_E_MEMORY_ERROR; + case ASN1_DER_OVERFLOW: + return GNUTLS_E_ASN1_DER_OVERFLOW; + default: + return GNUTLS_E_ASN1_GENERIC_ERROR; + } } /* this function will output a message using the * caller provided function */ -void _gnutls_log( int level, const char *fmt, ...) { - va_list args; - char str[MAX_LOG_SIZE]; - void (*log_func)(int, const char*) = _gnutls_log_func; +void _gnutls_log(int level, const char *fmt, ...) +{ + va_list args; + char str[MAX_LOG_SIZE]; + void (*log_func) (int, const char *) = _gnutls_log_func; - if (_gnutls_log_func==NULL) return; + if (_gnutls_log_func == NULL) + return; - va_start(args,fmt); - vsnprintf( str, MAX_LOG_SIZE - 1, fmt, args); /* Flawfinder: ignore */ - va_end(args); + va_start(args, fmt); + vsnprintf(str, MAX_LOG_SIZE - 1, fmt, args); /* Flawfinder: ignore */ + va_end(args); - log_func( level, str); + log_func(level, str); } + #ifndef DEBUG # ifndef C99_MACROS /* Without C99 macros these functions have to * be called. This may affect performance. */ -void _gnutls_null_log( void* x, ...) { return; } +void _gnutls_null_log(void *x, ...) +{ + return; +} -# endif /* C99_MACROS */ -#endif /* DEBUG */ +# endif /* C99_MACROS */ +#endif /* DEBUG */ diff --git a/lib/gnutls_errors.h b/lib/gnutls_errors.h index 922447cfc1..a673852e39 100644 --- a/lib/gnutls_errors.h +++ b/lib/gnutls_errors.h @@ -25,18 +25,18 @@ # ifdef __LINE__ # define gnutls_assert() _gnutls_debug_log( "ASSERT: %s:%d\n", __FILE__,__LINE__); # else -# define gnutls_assert() +# define gnutls_assert() # endif -#else /* __FILE__ not defined */ -# define gnutls_assert() +#else /* __FILE__ not defined */ +# define gnutls_assert() #endif -int _gnutls_asn2err( int asn_err); -const char* gnutls_strerror(int error); +int _gnutls_asn2err(int asn_err); +const char *gnutls_strerror(int error); void gnutls_perror(int error); -int gnutls_error_is_fatal( int error); +int gnutls_error_is_fatal(int error); -void _gnutls_log( int, const char *fmt, ...); +void _gnutls_log(int, const char *fmt, ...); extern int _gnutls_log_level; @@ -67,7 +67,6 @@ extern int _gnutls_log_level; # define _gnutls_write_log _gnutls_null_log # define _gnutls_x509_log _gnutls_null_log -void _gnutls_null_log( void*, ...); - -#endif /* C99_MACROS */ +void _gnutls_null_log(void *, ...); +#endif /* C99_MACROS */ diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h index 3f64c626d7..19a0227f0d 100644 --- a/lib/gnutls_errors_int.h +++ b/lib/gnutls_errors_int.h @@ -10,35 +10,35 @@ #define GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM -3 #define GNUTLS_E_UNKNOWN_CIPHER_TYPE -6 #define GNUTLS_E_LARGE_PACKET -7 -#define GNUTLS_E_UNSUPPORTED_VERSION_PACKET -8 /* GNUTLS_A_PROTOCOL_VERSION */ -#define GNUTLS_E_UNEXPECTED_PACKET_LENGTH -9 /* GNUTLS_A_RECORD_OVERFLOW */ +#define GNUTLS_E_UNSUPPORTED_VERSION_PACKET -8 /* GNUTLS_A_PROTOCOL_VERSION */ +#define GNUTLS_E_UNEXPECTED_PACKET_LENGTH -9 /* GNUTLS_A_RECORD_OVERFLOW */ #define GNUTLS_E_INVALID_SESSION -10 #define GNUTLS_E_FATAL_ALERT_RECEIVED -12 -#define GNUTLS_E_UNEXPECTED_PACKET -15 /* GNUTLS_A_UNEXPECTED_MESSAGE */ +#define GNUTLS_E_UNEXPECTED_PACKET -15 /* GNUTLS_A_UNEXPECTED_MESSAGE */ #define GNUTLS_E_WARNING_ALERT_RECEIVED -16 #define GNUTLS_E_ERROR_IN_FINISHED_PACKET -18 #define GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET -19 -#define GNUTLS_E_UNKNOWN_CIPHER_SUITE -21 /* GNUTLS_A_HANDSHAKE_FAILURE */ +#define GNUTLS_E_UNKNOWN_CIPHER_SUITE -21 /* GNUTLS_A_HANDSHAKE_FAILURE */ #define GNUTLS_E_UNWANTED_ALGORITHM -22 #define GNUTLS_E_MPI_SCAN_FAILED -23 -#define GNUTLS_E_DECRYPTION_FAILED -24 /* GNUTLS_A_DECRYPTION_FAILED, GNUTLS_A_BAD_RECORD_MAC */ +#define GNUTLS_E_DECRYPTION_FAILED -24 /* GNUTLS_A_DECRYPTION_FAILED, GNUTLS_A_BAD_RECORD_MAC */ #define GNUTLS_E_MEMORY_ERROR -25 -#define GNUTLS_E_DECOMPRESSION_FAILED -26 /* GNUTLS_A_DECOMPRESSION_FAILURE */ +#define GNUTLS_E_DECOMPRESSION_FAILED -26 /* GNUTLS_A_DECOMPRESSION_FAILURE */ #define GNUTLS_E_COMPRESSION_FAILED -27 #define GNUTLS_E_AGAIN -28 #define GNUTLS_E_EXPIRED -29 #define GNUTLS_E_DB_ERROR -30 #define GNUTLS_E_SRP_PWD_ERROR -31 #define GNUTLS_E_INSUFFICIENT_CREDENTIALS -32 -#define GNUTLS_E_INSUFICIENT_CREDENTIALS GNUTLS_E_INSUFFICIENT_CREDENTIALS /* for backwards compatibility only */ +#define GNUTLS_E_INSUFICIENT_CREDENTIALS GNUTLS_E_INSUFFICIENT_CREDENTIALS /* for backwards compatibility only */ #define GNUTLS_E_INSUFFICIENT_CRED GNUTLS_E_INSUFFICIENT_CREDENTIALS -#define GNUTLS_E_INSUFICIENT_CRED GNUTLS_E_INSUFFICIENT_CREDENTIALS /* for backwards compatibility only */ +#define GNUTLS_E_INSUFICIENT_CRED GNUTLS_E_INSUFFICIENT_CREDENTIALS /* for backwards compatibility only */ #define GNUTLS_E_HASH_FAILED -33 #define GNUTLS_E_BASE64_DECODING_ERROR -34 #define GNUTLS_E_MPI_PRINT_FAILED -35 -#define GNUTLS_E_REHANDSHAKE -37 /* GNUTLS_A_NO_RENEGOTIATION */ +#define GNUTLS_E_REHANDSHAKE -37 /* GNUTLS_A_NO_RENEGOTIATION */ #define GNUTLS_E_GOT_APPLICATION_DATA -38 #define GNUTLS_E_RECORD_LIMIT_REACHED -39 #define GNUTLS_E_ENCRYPTION_FAILED -40 @@ -48,13 +48,13 @@ #define GNUTLS_E_PK_SIGN_FAILED -46 #define GNUTLS_E_X509_UNSUPPORTED_CRITICAL_EXTENSION -47 #define GNUTLS_E_KEY_USAGE_VIOLATION -48 -#define GNUTLS_E_NO_CERTIFICATE_FOUND -49 /* GNUTLS_A_BAD_CERTIFICATE */ +#define GNUTLS_E_NO_CERTIFICATE_FOUND -49 /* GNUTLS_A_BAD_CERTIFICATE */ #define GNUTLS_E_INVALID_REQUEST -50 #define GNUTLS_E_SHORT_MEMORY_BUFFER -51 #define GNUTLS_E_INTERRUPTED -52 #define GNUTLS_E_PUSH_ERROR -53 #define GNUTLS_E_PULL_ERROR -54 -#define GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER -55 /* GNUTLS_A_ILLEGAL_PARAMETER */ +#define GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER -55 /* GNUTLS_A_ILLEGAL_PARAMETER */ #define GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE -56 #define GNUTLS_E_PKCS1_WRONG_PAD -57 #define GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION -58 @@ -106,7 +106,7 @@ #define GNUTLS_E_CERTIFICATE_ERROR -43 #define GNUTLS_E_X509_CERTIFICATE_ERROR GNUTLS_E_CERTIFICATE_ERROR #define GNUTLS_E_CERTIFICATE_KEY_MISMATCH -60 -#define GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE -61 /* GNUTLS_A_UNSUPPORTED_CERTIFICATE */ +#define GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE -61 /* GNUTLS_A_UNSUPPORTED_CERTIFICATE */ #define GNUTLS_E_X509_UNKNOWN_SAN -62 #define GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED -94 #define GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE -95 @@ -114,7 +114,7 @@ #define GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE -97 #define GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE -98 #define GNUTLS_E_INVALID_PASSWORD -99 -#define GNUTLS_E_MAC_VERIFY_FAILED -100 /* for PKCS #12 MAC */ +#define GNUTLS_E_MAC_VERIFY_FAILED -100 /* for PKCS #12 MAC */ #define GNUTLS_E_BASE64_ENCODING_ERROR -201 #define GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY -202 @@ -130,4 +130,4 @@ #define GNUTLS_E_INT_RET_0 -1251 #define GNUTLS_E_INT_HANDSHAKE_AGAIN -1252 -#endif /* GNUTLS_ERRORS_IH */ +#endif /* GNUTLS_ERRORS_IH */ diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c index 515ecb7032..868cd9ca7c 100644 --- a/lib/gnutls_extensions.c +++ b/lib/gnutls_extensions.c @@ -42,10 +42,16 @@ const int _gnutls_extensions_size = MAX_EXT_SIZE; gnutls_extension_entry _gnutls_extensions[MAX_EXT_SIZE] = { - GNUTLS_EXTENSION_ENTRY( GNUTLS_EXTENSION_MAX_RECORD_SIZE, _gnutls_max_record_recv_params, _gnutls_max_record_send_params), - GNUTLS_EXTENSION_ENTRY( GNUTLS_EXTENSION_CERT_TYPE, _gnutls_cert_type_recv_params, _gnutls_cert_type_send_params), - GNUTLS_EXTENSION_ENTRY( GNUTLS_EXTENSION_SERVER_NAME, _gnutls_server_name_recv_params, _gnutls_server_name_send_params), - {0, 0, 0, 0} + GNUTLS_EXTENSION_ENTRY(GNUTLS_EXTENSION_MAX_RECORD_SIZE, + _gnutls_max_record_recv_params, + _gnutls_max_record_send_params), + GNUTLS_EXTENSION_ENTRY(GNUTLS_EXTENSION_CERT_TYPE, + _gnutls_cert_type_recv_params, + _gnutls_cert_type_send_params), + GNUTLS_EXTENSION_ENTRY(GNUTLS_EXTENSION_SERVER_NAME, + _gnutls_server_name_recv_params, + _gnutls_server_name_send_params), + {0, 0, 0, 0} }; #define GNUTLS_EXTENSION_LOOP2(b) \ @@ -60,101 +66,110 @@ gnutls_extension_entry _gnutls_extensions[MAX_EXT_SIZE] = { ext_recv_func _gnutls_ext_func_recv(uint16 type) { - ext_recv_func ret = NULL; - GNUTLS_EXTENSION_LOOP(ret = p->gnutls_ext_func_recv); - return ret; + ext_recv_func ret = NULL; + GNUTLS_EXTENSION_LOOP(ret = p->gnutls_ext_func_recv); + return ret; } ext_send_func _gnutls_ext_func_send(uint16 type) { - ext_send_func ret = NULL; - GNUTLS_EXTENSION_LOOP(ret = p->gnutls_ext_func_send); - return ret; + ext_send_func ret = NULL; + GNUTLS_EXTENSION_LOOP(ret = p->gnutls_ext_func_send); + return ret; } -const char* _gnutls_extension_get_name(uint16 type) +const char *_gnutls_extension_get_name(uint16 type) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_EXTENSION_LOOP(ret = p->name + sizeof("GNUTLS_EXTENSION_") - 1); + /* avoid prefix */ + GNUTLS_EXTENSION_LOOP(ret = p->name + sizeof("GNUTLS_EXTENSION_") - 1); - return ret; + return ret; } /* Checks if the extension we just received is one of the * requested ones. Otherwise it's a fatal error. */ -static int _gnutls_extension_list_check( gnutls_session session, uint16 type) { - if (session->security_parameters.entity==GNUTLS_CLIENT) { - int i; - for(i=0;i<session->internals.extensions_sent_size;i++) { - if (type==session->internals.extensions_sent[i]) - return 0; /* ok found */ - } - return GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION; +static int _gnutls_extension_list_check(gnutls_session session, + uint16 type) +{ + if (session->security_parameters.entity == GNUTLS_CLIENT) { + int i; + for (i = 0; i < session->internals.extensions_sent_size; i++) { + if (type == session->internals.extensions_sent[i]) + return 0; /* ok found */ } + return GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION; + } - return 0; + return 0; } -int _gnutls_parse_extensions( gnutls_session session, const opaque* data, int data_size) { -int next, ret; -int pos=0; -uint16 type; -const opaque* sdata; -ext_recv_func ext_recv; -uint16 size; +int _gnutls_parse_extensions(gnutls_session session, const opaque * data, + int data_size) +{ + int next, ret; + int pos = 0; + uint16 type; + const opaque *sdata; + ext_recv_func ext_recv; + uint16 size; #ifdef DEBUG -int i; - - if (session->security_parameters.entity==GNUTLS_CLIENT) - for (i=0;i<session->internals.extensions_sent_size;i++) { - _gnutls_debug_log("EXT[%d]: expecting extension '%s'\n", session, - _gnutls_extension_get_name(session->internals.extensions_sent[i])); - } + int i; + + if (session->security_parameters.entity == GNUTLS_CLIENT) + for (i = 0; i < session->internals.extensions_sent_size; i++) { + _gnutls_debug_log("EXT[%d]: expecting extension '%s'\n", + session, + _gnutls_extension_get_name(session-> + internals. + extensions_sent + [i])); + } #endif - DECR_LENGTH_RET( data_size, 2, 0); - next = _gnutls_read_uint16( data); - pos+=2; - - DECR_LENGTH_RET( data_size, next, 0); - - do { - DECR_LENGTH_RET( next, 2, 0); - type = _gnutls_read_uint16( &data[pos]); - pos+=2; - - _gnutls_debug_log("EXT[%x]: Received extension '%s'\n", session, - _gnutls_extension_get_name(type)); - - if ( (ret=_gnutls_extension_list_check( session, type)) < 0) { - gnutls_assert(); - return ret; - } - - DECR_LENGTH_RET( next, 2, 0); - size = _gnutls_read_uint16(&data[pos]); - pos+=2; - - DECR_LENGTH_RET( next, size, 0); - sdata = &data[pos]; - pos+=size; - - ext_recv = _gnutls_ext_func_recv(type); - if (ext_recv == NULL) continue; - if ( (ret=ext_recv( session, sdata, size)) < 0) { - gnutls_assert(); - return ret; - } - - } while(next > 2); - - return 0; + DECR_LENGTH_RET(data_size, 2, 0); + next = _gnutls_read_uint16(data); + pos += 2; + + DECR_LENGTH_RET(data_size, next, 0); + + do { + DECR_LENGTH_RET(next, 2, 0); + type = _gnutls_read_uint16(&data[pos]); + pos += 2; + + _gnutls_debug_log("EXT[%x]: Received extension '%s'\n", session, + _gnutls_extension_get_name(type)); + + if ((ret = _gnutls_extension_list_check(session, type)) < 0) { + gnutls_assert(); + return ret; + } + + DECR_LENGTH_RET(next, 2, 0); + size = _gnutls_read_uint16(&data[pos]); + pos += 2; + + DECR_LENGTH_RET(next, size, 0); + sdata = &data[pos]; + pos += size; + + ext_recv = _gnutls_ext_func_recv(type); + if (ext_recv == NULL) + continue; + if ((ret = ext_recv(session, sdata, size)) < 0) { + gnutls_assert(); + return ret; + } + + } while (next > 2); + + return 0; } @@ -162,91 +177,95 @@ int i; * This list is used to check whether the (later) received * extensions are the ones we requested. */ -static void _gnutls_extension_list_add( gnutls_session session, uint16 type) { - - if (session->security_parameters.entity==GNUTLS_CLIENT) { - if (session->internals.extensions_sent_size < MAX_EXT_TYPES) { - session->internals.extensions_sent[session->internals.extensions_sent_size] = type; - session->internals.extensions_sent_size++; - } else { - _gnutls_debug_log("extensions: Increase MAX_EXT_TYPES\n"); - } +static void _gnutls_extension_list_add(gnutls_session session, uint16 type) +{ + + if (session->security_parameters.entity == GNUTLS_CLIENT) { + if (session->internals.extensions_sent_size < MAX_EXT_TYPES) { + session->internals.extensions_sent[session->internals. + extensions_sent_size] = + type; + session->internals.extensions_sent_size++; + } else { + _gnutls_debug_log("extensions: Increase MAX_EXT_TYPES\n"); } + } } -int _gnutls_gen_extensions( gnutls_session session, opaque* data, size_t data_size) +int _gnutls_gen_extensions(gnutls_session session, opaque * data, + size_t data_size) { -int next, size; -uint16 pos=0; -opaque *sdata; -int sdata_size; -ext_send_func ext_send; - - - if (data_size < 2) { + int next, size; + uint16 pos = 0; + opaque *sdata; + int sdata_size; + ext_send_func ext_send; + + + if (data_size < 2) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* allocate enough data for each extension. + */ + sdata_size = data_size; + sdata = gnutls_malloc(sdata_size); + if (sdata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + pos += 2; + next = MAX_EXT_TYPES; /* maximum supported extensions */ + do { + next--; + ext_send = _gnutls_ext_func_send(next); + if (ext_send == NULL) + continue; + size = ext_send(session, sdata, sdata_size); + if (size > 0) { + if (data_size < pos + (size_t) size + 4) { gnutls_assert(); + gnutls_free(sdata); return GNUTLS_E_INTERNAL_ERROR; - } + } - /* allocate enough data for each extension. - */ - sdata_size = data_size; - sdata = gnutls_malloc( sdata_size); - if (sdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - pos+=2; - next = MAX_EXT_TYPES; /* maximum supported extensions */ - do { - next--; - ext_send = _gnutls_ext_func_send(next); - if (ext_send == NULL) continue; - size = ext_send( session, sdata, sdata_size); - if (size > 0) { - if (data_size < pos+(size_t)size+4) { - gnutls_assert(); - gnutls_free(sdata); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* write extension type */ - _gnutls_write_uint16( next, &data[pos]); - pos+=2; - - /* write size */ - _gnutls_write_uint16( size, &data[pos]); - pos+=2; - - memcpy( &data[pos], sdata, size); - pos+=size; - - /* add this extension to the extension list - */ - _gnutls_extension_list_add( session, next); - - _gnutls_debug_log("EXT[%x]: Sending extension %s\n", session, - _gnutls_extension_get_name(next)); - } else if (size < 0) { - gnutls_assert(); - gnutls_free(sdata); - return size; - } - - } while(next >= 0); - - size = pos; - pos-=2; /* remove the size of the size header! */ - - _gnutls_write_uint16( pos, data); - - if (size==2) { /* empty */ - size = 0; + /* write extension type */ + _gnutls_write_uint16(next, &data[pos]); + pos += 2; + + /* write size */ + _gnutls_write_uint16(size, &data[pos]); + pos += 2; + + memcpy(&data[pos], sdata, size); + pos += size; + + /* add this extension to the extension list + */ + _gnutls_extension_list_add(session, next); + + _gnutls_debug_log("EXT[%x]: Sending extension %s\n", session, + _gnutls_extension_get_name(next)); + } else if (size < 0) { + gnutls_assert(); + gnutls_free(sdata); + return size; } - - gnutls_free( sdata); - return size; -} + } while (next >= 0); + + size = pos; + pos -= 2; /* remove the size of the size header! */ + _gnutls_write_uint16(pos, data); + + if (size == 2) { /* empty */ + size = 0; + } + + gnutls_free(sdata); + return size; + +} diff --git a/lib/gnutls_extensions.h b/lib/gnutls_extensions.h index f87bc80cbd..288ec183be 100644 --- a/lib/gnutls_extensions.h +++ b/lib/gnutls_extensions.h @@ -21,18 +21,19 @@ #include <gnutls_int.h> const char *_gnutls_extension_get_name(uint16 type); -int _gnutls_parse_extensions( gnutls_session, const opaque*, int); -int _gnutls_gen_extensions( gnutls_session session, opaque* data, size_t data_size); +int _gnutls_parse_extensions(gnutls_session, const opaque *, int); +int _gnutls_gen_extensions(gnutls_session session, opaque * data, + size_t data_size); -typedef int (*ext_recv_func)( gnutls_session, const opaque*, size_t); /* recv data */ -typedef int (*ext_send_func)( gnutls_session, opaque*, size_t); /* send data */ +typedef int (*ext_recv_func) (gnutls_session, const opaque *, size_t); /* recv data */ +typedef int (*ext_send_func) (gnutls_session, opaque *, size_t); /* send data */ ext_send_func _gnutls_ext_func_send(uint16 type); ext_recv_func _gnutls_ext_func_recv(uint16 type); typedef struct { - const char *name; - uint16 type; - ext_recv_func gnutls_ext_func_recv; - ext_send_func gnutls_ext_func_send; + const char *name; + uint16 type; + ext_recv_func gnutls_ext_func_recv; + ext_send_func gnutls_ext_func_send; } gnutls_extension_entry; diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c index ccb37bafc1..c3bf7d334e 100644 --- a/lib/gnutls_global.c +++ b/lib/gnutls_global.c @@ -32,7 +32,7 @@ extern const ASN1_ARRAY_TYPE gnutls_asn1_tab[]; extern const ASN1_ARRAY_TYPE pkix_asn1_tab[]; LOG_FUNC _gnutls_log_func; -int _gnutls_log_level = 0; /* default log level */ +int _gnutls_log_level = 0; /* default log level */ ASN1_TYPE _gnutls_pkix1_asn; ASN1_TYPE _gnutls_gnutls_asn; @@ -49,9 +49,9 @@ ASN1_TYPE _gnutls_gnutls_asn; * gnutls_log_func is of the form, * void (*gnutls_log_func)( int level, const char*); **/ -void gnutls_global_set_log_function( gnutls_log_func log_func) +void gnutls_global_set_log_function(gnutls_log_func log_func) { - _gnutls_log_func = log_func; + _gnutls_log_func = log_func; } /** @@ -66,28 +66,29 @@ void gnutls_global_set_log_function( gnutls_log_func log_func) * Use a log level over 10 to enable all debugging options. * **/ -void gnutls_global_set_log_level( int level) +void gnutls_global_set_log_level(int level) { - _gnutls_log_level = level; + _gnutls_log_level = level; } #ifdef DEBUG /* default logging function */ -static void dlog( int level, const char* str) { - fputs( str, stderr); +static void dlog(int level, const char *str) +{ + fputs(str, stderr); } #endif extern gnutls_alloc_function gnutls_secure_malloc; extern gnutls_alloc_function gnutls_malloc; extern gnutls_free_function gnutls_free; -extern int (*_gnutls_is_secure_memory)(const void*); +extern int (*_gnutls_is_secure_memory) (const void *); extern gnutls_realloc_function gnutls_realloc; -extern char* (*gnutls_strdup)(const char*); -extern void* (*gnutls_calloc)(size_t, size_t); +extern char *(*gnutls_strdup) (const char *); +extern void *(*gnutls_calloc) (size_t, size_t); -int _gnutls_is_secure_mem_null( const void*); +int _gnutls_is_secure_mem_null(const void *); /** * gnutls_global_set_mem_functions - This function sets the memory allocation functions @@ -106,38 +107,41 @@ int _gnutls_is_secure_mem_null( const void*); * This function must be called before gnutls_global_init() is called. * **/ -void gnutls_global_set_mem_functions( - void *(*gnutls_alloc_func)(size_t), void* (*gnutls_secure_alloc_func)(size_t), - int (*gnutls_is_secure_func)(const void*), void *(*gnutls_realloc_func)(void *, size_t), - void (*gnutls_free_func)(void*)) +void gnutls_global_set_mem_functions(void *(*gnutls_alloc_func) (size_t), void + *(*gnutls_secure_alloc_func) (size_t), + int (*gnutls_is_secure_func) (const + void *), + void *(*gnutls_realloc_func) (void *, + size_t), + void (*gnutls_free_func) (void *)) { - gnutls_secure_malloc = gnutls_secure_alloc_func; - gnutls_malloc = gnutls_alloc_func; - gnutls_realloc = gnutls_realloc_func; - gnutls_free = gnutls_free_func; - - if (gnutls_is_secure_func!=NULL) - _gnutls_is_secure_memory = gnutls_is_secure_func; - else - _gnutls_is_secure_memory = _gnutls_is_secure_mem_null; - - /* if using the libc's default malloc - * use libc's calloc as well. - */ - if ( gnutls_malloc == malloc) { - gnutls_calloc = calloc; - } else { /* use the included ones */ - gnutls_calloc = _gnutls_calloc; - } - gnutls_strdup = _gnutls_strdup; + gnutls_secure_malloc = gnutls_secure_alloc_func; + gnutls_malloc = gnutls_alloc_func; + gnutls_realloc = gnutls_realloc_func; + gnutls_free = gnutls_free_func; + + if (gnutls_is_secure_func != NULL) + _gnutls_is_secure_memory = gnutls_is_secure_func; + else + _gnutls_is_secure_memory = _gnutls_is_secure_mem_null; + + /* if using the libc's default malloc + * use libc's calloc as well. + */ + if (gnutls_malloc == malloc) { + gnutls_calloc = calloc; + } else { /* use the included ones */ + gnutls_calloc = _gnutls_calloc; + } + gnutls_strdup = _gnutls_strdup; } #ifdef DEBUG -static void _gnutls_gcry_log_handler( void* dummy, int level, const char* fmt, - va_list list) +static void _gnutls_gcry_log_handler(void *dummy, int level, + const char *fmt, va_list list) { - _gnutls_log( fmt, list); + _gnutls_log(fmt, list); } #endif @@ -158,70 +162,74 @@ static int _gnutls_init = 0; * want to disable libgcrypt's internal lockings etc. * **/ -int gnutls_global_init( void) +int gnutls_global_init(void) { - int result = 0; - int res; - - if (_gnutls_init) goto out; - _gnutls_init++; + int result = 0; + int res; + + if (_gnutls_init) + goto out; + _gnutls_init++; + + if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0) { + const char *p; + p = strchr(GNUTLS_GCRYPT_VERSION, ':'); + if (p == NULL) + p = GNUTLS_GCRYPT_VERSION; + else + p++; - if (gcry_control( GCRYCTL_ANY_INITIALIZATION_P) == 0) { - const char* p; - p = strchr( GNUTLS_GCRYPT_VERSION, ':'); - if (p==NULL) p = GNUTLS_GCRYPT_VERSION; - else p++; + if (gcry_check_version(p) == NULL) { + gnutls_assert(); + _gnutls_debug_log("Checking for libgcrypt failed '%s'\n", p); + return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY; + } - if (gcry_check_version(p)==NULL) { - gnutls_assert(); - _gnutls_debug_log("Checking for libgcrypt failed '%s'\n", p); - return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY; - } + /* for gcrypt in order to be able to allocate memory */ + gcry_set_allocation_handler(gnutls_malloc, gnutls_secure_malloc, + _gnutls_is_secure_memory, + gnutls_realloc, gnutls_free); - /* for gcrypt in order to be able to allocate memory */ - gcry_set_allocation_handler(gnutls_malloc, gnutls_secure_malloc, _gnutls_is_secure_memory, gnutls_realloc, gnutls_free); - - /* gcry_control (GCRYCTL_DISABLE_INTERNAL_LOCKING, NULL, 0); */ + /* gcry_control (GCRYCTL_DISABLE_INTERNAL_LOCKING, NULL, 0); */ - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, NULL,0); + gcry_control(GCRYCTL_INITIALIZATION_FINISHED, NULL, 0); #ifdef DEBUG - /* applications may want to override that, so we only use - * it in debugging mode. - */ - gcry_set_log_handler( _gnutls_gcry_log_handler, NULL); + /* applications may want to override that, so we only use + * it in debugging mode. + */ + gcry_set_log_handler(_gnutls_gcry_log_handler, NULL); #endif - } - + } #ifdef DEBUG - gnutls_global_set_log_function( dlog); + gnutls_global_set_log_function(dlog); #endif - /* initialize parser - * This should not deal with files in the final - * version. - */ + /* initialize parser + * This should not deal with files in the final + * version. + */ - if (asn1_check_version(GNUTLS_LIBTASN1_VERSION)==NULL) { - gnutls_assert(); - return GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY; - } - - res=asn1_array2tree( pkix_asn1_tab, &_gnutls_pkix1_asn, NULL); - if (res != ASN1_SUCCESS) { - result = _gnutls_asn2err(res); - goto out; - } + if (asn1_check_version(GNUTLS_LIBTASN1_VERSION) == NULL) { + gnutls_assert(); + return GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY; + } - res=asn1_array2tree( gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL); - if (res != ASN1_SUCCESS) { - asn1_delete_structure(&_gnutls_pkix1_asn); - result = _gnutls_asn2err(res); - goto out; - } - - out: - return result; + res = asn1_array2tree(pkix_asn1_tab, &_gnutls_pkix1_asn, NULL); + if (res != ASN1_SUCCESS) { + result = _gnutls_asn2err(res); + goto out; + } + + res = asn1_array2tree(gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL); + if (res != ASN1_SUCCESS) { + asn1_delete_structure(&_gnutls_pkix1_asn); + result = _gnutls_asn2err(res); + goto out; + } + + out: + return result; } /** @@ -232,14 +240,15 @@ int gnutls_global_init( void) * **/ -void gnutls_global_deinit( void) { +void gnutls_global_deinit(void) +{ + + if (_gnutls_init == 1) { + _gnutls_init--; + asn1_delete_structure(&_gnutls_gnutls_asn); + asn1_delete_structure(&_gnutls_pkix1_asn); + } - if (_gnutls_init==1) { - _gnutls_init--; - asn1_delete_structure(&_gnutls_gnutls_asn); - asn1_delete_structure(&_gnutls_pkix1_asn); - } - } @@ -260,8 +269,10 @@ void gnutls_global_deinit( void) { * PULL_FUNC is of the form, * ssize_t (*gnutls_pull_func)(gnutls_transport_ptr, const void*, size_t); **/ -void gnutls_transport_set_pull_function( gnutls_session session, gnutls_pull_func pull_func) { - session->internals._gnutls_pull_func = pull_func; +void gnutls_transport_set_pull_function(gnutls_session session, + gnutls_pull_func pull_func) +{ + session->internals._gnutls_pull_func = pull_func; } /** @@ -279,46 +290,47 @@ void gnutls_transport_set_pull_function( gnutls_session session, gnutls_pull_fun * PUSH_FUNC is of the form, * ssize_t (*gnutls_push_func)(gnutls_transport_ptr, const void*, size_t); **/ -void gnutls_transport_set_push_function( gnutls_session session, gnutls_push_func push_func) { - session->internals._gnutls_push_func = push_func; +void gnutls_transport_set_push_function(gnutls_session session, + gnutls_push_func push_func) +{ + session->internals._gnutls_push_func = push_func; } /* Taken from libgcrypt. Needed to configure scripts. */ -static const char* -parse_version_number( const char *s, int *number ) +static const char *parse_version_number(const char *s, int *number) { int val = 0; - if( *s == '0' && isdigit(s[1]) ) - return NULL; /* leading zeros are not allowed */ - for ( ; isdigit(*s); s++ ) { + if (*s == '0' && isdigit(s[1])) + return NULL; /* leading zeros are not allowed */ + for (; isdigit(*s); s++) { val *= 10; val += *s - '0'; } *number = val; - return val < 0? NULL : s; + return val < 0 ? NULL : s; } /* The parse version functions were copied from libgcrypt. */ -static const char * -parse_version_string( const char *s, int *major, int *minor, int *micro ) +static const char *parse_version_string(const char *s, int *major, + int *minor, int *micro) { - s = parse_version_number( s, major ); - if( !s || *s != '.' ) + s = parse_version_number(s, major); + if (!s || *s != '.') return NULL; s++; - s = parse_version_number( s, minor ); - if( !s || *s != '.' ) + s = parse_version_number(s, minor); + if (!s || *s != '.') return NULL; s++; - s = parse_version_number( s, micro ); - if( !s ) + s = parse_version_number(s, micro); + if (!s) return NULL; - return s; /* patchlevel */ + return s; /* patchlevel */ } /** @@ -331,34 +343,31 @@ parse_version_string( const char *s, int *major, int *minor, int *micro ) * but the version string is simply returned. * **/ -const char * -gnutls_check_version( const char *req_version ) +const char *gnutls_check_version(const char *req_version) { const char *ver = GNUTLS_VERSION; int my_major, my_minor, my_micro; int rq_major, rq_minor, rq_micro; const char *my_plvl, *rq_plvl; - if ( !req_version ) + if (!req_version) return ver; - my_plvl = parse_version_string( ver, &my_major, &my_minor, &my_micro ); - if ( !my_plvl ) - return NULL; /* very strange our own version is bogus */ - rq_plvl = parse_version_string( req_version, &rq_major, &rq_minor, - &rq_micro ); - if ( !rq_plvl ) - return NULL; /* req version string is invalid */ + my_plvl = parse_version_string(ver, &my_major, &my_minor, &my_micro); + if (!my_plvl) + return NULL; /* very strange our own version is bogus */ + rq_plvl = parse_version_string(req_version, &rq_major, &rq_minor, + &rq_micro); + if (!rq_plvl) + return NULL; /* req version string is invalid */ - if ( my_major > rq_major + if (my_major > rq_major || (my_major == rq_major && my_minor > rq_minor) || (my_major == rq_major && my_minor == rq_minor - && my_micro > rq_micro) + && my_micro > rq_micro) || (my_major == rq_major && my_minor == rq_minor - && my_micro == rq_micro - && strcmp( my_plvl, rq_plvl ) >= 0) ) { + && my_micro == rq_micro && strcmp(my_plvl, rq_plvl) >= 0)) { return ver; } return NULL; } - diff --git a/lib/gnutls_global.h b/lib/gnutls_global.h index 55c0713872..f59fd3c7bf 100644 --- a/lib/gnutls_global.h +++ b/lib/gnutls_global.h @@ -3,8 +3,8 @@ #include <libtasn1.h> -int gnutls_global_init( void); -int gnutls_is_secure_memory(const void* mem); +int gnutls_global_init(void); +int gnutls_is_secure_memory(const void *mem); extern ASN1_TYPE _gnutls_pkix1_asn; extern ASN1_TYPE _gnutls_gnutls_asn; diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 150e1864d6..9dc66a99dd 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -47,8 +47,8 @@ #include <gnutls_alert.h> #include <gnutls_state.h> #include <ext_srp.h> -#include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */ -#include <auth_anon.h> /* for gnutls_anon_server_credentials */ +#include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */ +#include <auth_anon.h> /* for gnutls_anon_server_credentials */ #ifdef HANDSHAKE_DEBUG #define ERR(x, y) _gnutls_handshake_log( "HSK[%x]: %s (%d)\n", session, x,y) @@ -60,19 +60,19 @@ #define FALSE 0 int _gnutls_server_select_comp_method(gnutls_session session, - opaque * data, int datalen); + opaque * data, int datalen); /* Clears the handshake hash buffers and handles. */ inline static -void _gnutls_handshake_hash_buffers_clear( gnutls_session session) +void _gnutls_handshake_hash_buffers_clear(gnutls_session session) { - _gnutls_hash_deinit( session->internals.handshake_mac_handle_md5, NULL); - _gnutls_hash_deinit( session->internals.handshake_mac_handle_sha, NULL); - session->internals.handshake_mac_handle_md5 = NULL; - session->internals.handshake_mac_handle_sha = NULL; - _gnutls_handshake_buffer_clear( session); + _gnutls_hash_deinit(session->internals.handshake_mac_handle_md5, NULL); + _gnutls_hash_deinit(session->internals.handshake_mac_handle_sha, NULL); + session->internals.handshake_mac_handle_md5 = NULL; + session->internals.handshake_mac_handle_sha = NULL; + _gnutls_handshake_buffer_clear(session); } /* this will copy the required values for resuming to @@ -81,55 +81,57 @@ void _gnutls_handshake_hash_buffers_clear( gnutls_session session) */ static void resume_copy_required_values(gnutls_session session) { - /* get the new random values */ - memcpy(session->internals.resumed_security_parameters. - server_random, - session->security_parameters.server_random, TLS_RANDOM_SIZE); - memcpy(session->internals.resumed_security_parameters. - client_random, - session->security_parameters.client_random, TLS_RANDOM_SIZE); - - /* keep the ciphersuite and compression - * That is because the client must see these in our - * hello message. - */ - memcpy(session->security_parameters.current_cipher_suite. - suite, - session->internals.resumed_security_parameters. - current_cipher_suite.suite, 2); - - session->internals.compression_method = - session->internals.resumed_security_parameters.read_compression_algorithm; - /* or write_compression_algorithm - * they are the same - */ - - session->security_parameters.entity = - session->internals.resumed_security_parameters.entity; - - _gnutls_set_current_version( session, session->internals.resumed_security_parameters.version); - - session->security_parameters.cert_type = - session->internals.resumed_security_parameters.cert_type; - - memcpy(session->security_parameters.session_id, - session->internals.resumed_security_parameters. - session_id, sizeof(session->security_parameters.session_id)); - session->security_parameters.session_id_size = - session->internals.resumed_security_parameters. - session_id_size; + /* get the new random values */ + memcpy(session->internals.resumed_security_parameters. + server_random, + session->security_parameters.server_random, TLS_RANDOM_SIZE); + memcpy(session->internals.resumed_security_parameters. + client_random, + session->security_parameters.client_random, TLS_RANDOM_SIZE); + + /* keep the ciphersuite and compression + * That is because the client must see these in our + * hello message. + */ + memcpy(session->security_parameters.current_cipher_suite. + suite, + session->internals.resumed_security_parameters. + current_cipher_suite.suite, 2); + + session->internals.compression_method = + session->internals.resumed_security_parameters. + read_compression_algorithm; + /* or write_compression_algorithm + * they are the same + */ + + session->security_parameters.entity = + session->internals.resumed_security_parameters.entity; + + _gnutls_set_current_version(session, + session->internals. + resumed_security_parameters.version); + + session->security_parameters.cert_type = + session->internals.resumed_security_parameters.cert_type; + + memcpy(session->security_parameters.session_id, + session->internals.resumed_security_parameters. + session_id, sizeof(session->security_parameters.session_id)); + session->security_parameters.session_id_size = + session->internals.resumed_security_parameters.session_id_size; } void _gnutls_set_server_random(gnutls_session session, uint8 * random) { - memcpy(session->security_parameters.server_random, random, - TLS_RANDOM_SIZE); + memcpy(session->security_parameters.server_random, random, + TLS_RANDOM_SIZE); } void _gnutls_set_client_random(gnutls_session session, uint8 * random) { - memcpy(session->security_parameters.client_random, random, - TLS_RANDOM_SIZE); + memcpy(session->security_parameters.client_random, random, + TLS_RANDOM_SIZE); } /* Calculate The SSL3 Finished message @@ -137,39 +139,46 @@ void _gnutls_set_client_random(gnutls_session session, uint8 * random) #define SSL3_CLIENT_MSG "CLNT" #define SSL3_SERVER_MSG "SRVR" #define SSL_MSG_LEN 4 -static int _gnutls_ssl3_finished(gnutls_session session, int type, opaque * ret) +static int _gnutls_ssl3_finished(gnutls_session session, int type, + opaque * ret) { - const int siz = SSL_MSG_LEN; - mac_hd_t td_md5; - mac_hd_t td_sha; - const char *mesg; - - td_md5 = _gnutls_hash_copy( session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - td_sha = _gnutls_hash_copy( session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) { - gnutls_assert(); - _gnutls_hash_deinit( td_md5, NULL); - return GNUTLS_E_HASH_FAILED; - } - - if (type == GNUTLS_SERVER) { - mesg = SSL3_SERVER_MSG; - } else { - mesg = SSL3_CLIENT_MSG; - } - - _gnutls_hash(td_md5, mesg, siz); - _gnutls_hash(td_sha, mesg, siz); - - _gnutls_mac_deinit_ssl3_handshake(td_md5, ret, session->security_parameters.master_secret, TLS_MASTER_SIZE); - _gnutls_mac_deinit_ssl3_handshake(td_sha, &ret[16], session->security_parameters.master_secret, TLS_MASTER_SIZE); + const int siz = SSL_MSG_LEN; + mac_hd_t td_md5; + mac_hd_t td_sha; + const char *mesg; + + td_md5 = + _gnutls_hash_copy(session->internals.handshake_mac_handle_md5); + if (td_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - return 0; + td_sha = + _gnutls_hash_copy(session->internals.handshake_mac_handle_sha); + if (td_sha == NULL) { + gnutls_assert(); + _gnutls_hash_deinit(td_md5, NULL); + return GNUTLS_E_HASH_FAILED; + } + + if (type == GNUTLS_SERVER) { + mesg = SSL3_SERVER_MSG; + } else { + mesg = SSL3_CLIENT_MSG; + } + + _gnutls_hash(td_md5, mesg, siz); + _gnutls_hash(td_sha, mesg, siz); + + _gnutls_mac_deinit_ssl3_handshake(td_md5, ret, + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + _gnutls_mac_deinit_ssl3_handshake(td_sha, &ret[16], + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + + return 0; } /* Hash the handshake messages as required by TLS 1.0 @@ -179,39 +188,40 @@ static int _gnutls_ssl3_finished(gnutls_session session, int type, opaque * ret) #define TLS_MSG_LEN 15 int _gnutls_finished(gnutls_session session, int type, void *ret) { - const int siz = TLS_MSG_LEN; - opaque concat[36]; - const char *mesg; - mac_hd_t td_md5; - mac_hd_t td_sha; + const int siz = TLS_MSG_LEN; + opaque concat[36]; + const char *mesg; + mac_hd_t td_md5; + mac_hd_t td_sha; - td_md5 = _gnutls_hash_copy( session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } + td_md5 = + _gnutls_hash_copy(session->internals.handshake_mac_handle_md5); + if (td_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - td_sha = _gnutls_hash_copy( session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) { - gnutls_assert(); - _gnutls_hash_deinit( td_md5, NULL); - return GNUTLS_E_HASH_FAILED; - } + td_sha = + _gnutls_hash_copy(session->internals.handshake_mac_handle_sha); + if (td_sha == NULL) { + gnutls_assert(); + _gnutls_hash_deinit(td_md5, NULL); + return GNUTLS_E_HASH_FAILED; + } - _gnutls_hash_deinit(td_md5, concat); - _gnutls_hash_deinit(td_sha, &concat[16]); + _gnutls_hash_deinit(td_md5, concat); + _gnutls_hash_deinit(td_sha, &concat[16]); - if (type == GNUTLS_SERVER) { - mesg = SERVER_MSG; - } else { - mesg = CLIENT_MSG; - } + if (type == GNUTLS_SERVER) { + mesg = SERVER_MSG; + } else { + mesg = CLIENT_MSG; + } - return _gnutls_PRF(session->security_parameters.master_secret, - TLS_MASTER_SIZE, mesg, siz, concat, 36, - 12, ret); + return _gnutls_PRF(session->security_parameters.master_secret, + TLS_MASTER_SIZE, mesg, siz, concat, 36, 12, ret); } /* this function will produce TLS_RANDOM_SIZE==32 bytes of random data @@ -219,24 +229,24 @@ int _gnutls_finished(gnutls_session session, int type, void *ret) */ int _gnutls_tls_create_random(opaque * dst) { - uint32 tim; + uint32 tim; - /* Use weak random numbers for the most of the - * buffer except for the first 4 that are the - * system's time. - */ + /* Use weak random numbers for the most of the + * buffer except for the first 4 that are the + * system's time. + */ - tim = time(NULL); - /* generate server random value */ - _gnutls_write_uint32(tim, dst); + tim = time(NULL); + /* generate server random value */ + _gnutls_write_uint32(tim, dst); - if (_gnutls_get_random - (&dst[4], TLS_RANDOM_SIZE - 4, GNUTLS_WEAK_RANDOM) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (_gnutls_get_random + (&dst[4], TLS_RANDOM_SIZE - 4, GNUTLS_WEAK_RANDOM) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - return 0; + return 0; } @@ -248,154 +258,159 @@ int _gnutls_tls_create_random(opaque * dst) int _gnutls_read_client_hello(gnutls_session session, opaque * data, int datalen) { - uint8 session_id_len, z; - int pos = 0, ret; - uint16 suite_size; - gnutls_protocol_version version; - int len = datalen; - opaque random[TLS_RANDOM_SIZE], *suite_ptr; - gnutls_protocol_version ver; - - if (session->internals.v2_hello != 0) { /* version 2.0 */ - return _gnutls_read_client_hello_v2(session, data, datalen); - } - DECR_LEN(len, 2); - - _gnutls_handshake_log("HSK[%x]: Client's version: %d.%d\n", session, data[pos], data[pos + 1]); - - version = _gnutls_version_get(data[pos], data[pos + 1]); - set_adv_version(session, data[pos], data[pos + 1]); - pos += 2; - - /* if we do not support that version */ - if (_gnutls_version_is_supported(session, version) == 0) { - /* If he requested something we do not support - * then we send him the highest we support. - */ - ver = _gnutls_version_max(session); - if (ver==GNUTLS_VERSION_UNKNOWN) { - /* this check is not really needed. - */ - gnutls_assert(); - return GNUTLS_E_UNKNOWN_CIPHER_SUITE; - } - } else { - ver = version; - } - - _gnutls_set_current_version(session, ver); - - /* Read client random value. - */ - DECR_LEN(len, TLS_RANDOM_SIZE); - _gnutls_set_client_random(session, &data[pos]); - pos += TLS_RANDOM_SIZE; - - _gnutls_tls_create_random(random); - _gnutls_set_server_random(session, random); - - session->security_parameters.timestamp = time(NULL); - - DECR_LEN(len, 1); - session_id_len = data[pos++]; - - /* RESUME SESSION + uint8 session_id_len, z; + int pos = 0, ret; + uint16 suite_size; + gnutls_protocol_version version; + int len = datalen; + opaque random[TLS_RANDOM_SIZE], *suite_ptr; + gnutls_protocol_version ver; + + if (session->internals.v2_hello != 0) { /* version 2.0 */ + return _gnutls_read_client_hello_v2(session, data, datalen); + } + DECR_LEN(len, 2); + + _gnutls_handshake_log("HSK[%x]: Client's version: %d.%d\n", session, + data[pos], data[pos + 1]); + + version = _gnutls_version_get(data[pos], data[pos + 1]); + set_adv_version(session, data[pos], data[pos + 1]); + pos += 2; + + /* if we do not support that version */ + if (_gnutls_version_is_supported(session, version) == 0) { + /* If he requested something we do not support + * then we send him the highest we support. */ - if (session_id_len > TLS_MAX_SESSION_ID_SIZE) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + ver = _gnutls_version_max(session); + if (ver == GNUTLS_VERSION_UNKNOWN) { + /* this check is not really needed. + */ + gnutls_assert(); + return GNUTLS_E_UNKNOWN_CIPHER_SUITE; } - DECR_LEN(len, session_id_len); - ret = _gnutls_server_restore_session(session, &data[pos], session_id_len); - pos += session_id_len; + } else { + ver = version; + } - if (ret == 0) { /* resumed! */ - resume_copy_required_values(session); - session->internals.resumed = RESUME_TRUE; - return 0; - } else { - _gnutls_generate_session_id(session->security_parameters. - session_id, - &session->security_parameters. - session_id_size); + _gnutls_set_current_version(session, ver); - session->internals.resumed = RESUME_FALSE; - } + /* Read client random value. + */ + DECR_LEN(len, TLS_RANDOM_SIZE); + _gnutls_set_client_random(session, &data[pos]); + pos += TLS_RANDOM_SIZE; - /* Remember ciphersuites for later - */ - DECR_LEN(len, 2); - suite_size = _gnutls_read_uint16(&data[pos]); - pos += 2; + _gnutls_tls_create_random(random); + _gnutls_set_server_random(session, random); - DECR_LEN(len, suite_size); - suite_ptr = &data[pos]; - pos += suite_size; + session->security_parameters.timestamp = time(NULL); - /* Select an appropriate compression method - */ - DECR_LEN(len, 1); - z = data[pos++]; /* z is the number of compression methods */ + DECR_LEN(len, 1); + session_id_len = data[pos++]; - DECR_LEN(len, z); - ret = _gnutls_server_select_comp_method(session, &data[pos], z); - pos += z; + /* RESUME SESSION + */ + if (session_id_len > TLS_MAX_SESSION_ID_SIZE) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + DECR_LEN(len, session_id_len); + ret = + _gnutls_server_restore_session(session, &data[pos], + session_id_len); + pos += session_id_len; + + if (ret == 0) { /* resumed! */ + resume_copy_required_values(session); + session->internals.resumed = RESUME_TRUE; + return 0; + } else { + _gnutls_generate_session_id(session->security_parameters. + session_id, + &session->security_parameters. + session_id_size); + + session->internals.resumed = RESUME_FALSE; + } + + /* Remember ciphersuites for later + */ + DECR_LEN(len, 2); + suite_size = _gnutls_read_uint16(&data[pos]); + pos += 2; + + DECR_LEN(len, suite_size); + suite_ptr = &data[pos]; + pos += suite_size; + + /* Select an appropriate compression method + */ + DECR_LEN(len, 1); + z = data[pos++]; /* z is the number of compression methods */ + + DECR_LEN(len, z); + ret = _gnutls_server_select_comp_method(session, &data[pos], z); + pos += z; + + if (ret < 0) { + gnutls_assert(); + return ret; + } + /* Parse the extensions (if any) + */ + if (ver >= GNUTLS_TLS1) { + ret = _gnutls_parse_extensions(session, &data[pos], len); /* len is the rest of the parsed length */ if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* Parse the extensions (if any) - */ - if (ver >= GNUTLS_TLS1) { - ret = _gnutls_parse_extensions(session, &data[pos], len); /* len is the rest of the parsed length */ - if (ret < 0) { - gnutls_assert(); - return ret; - } - } - - /* select an appropriate cipher suite - */ - ret = _gnutls_server_select_suite(session, suite_ptr, suite_size); - if (ret < 0) { - gnutls_assert(); - return ret; + gnutls_assert(); + return ret; } + } - return 0; + /* select an appropriate cipher suite + */ + ret = _gnutls_server_select_suite(session, suite_ptr, suite_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } /* here we hash all pending data. */ -inline static int -_gnutls_handshake_hash_pending( gnutls_session session) { -size_t siz; -int ret; -opaque * data; - - if (session->internals.handshake_mac_handle_sha==NULL || - session->internals.handshake_mac_handle_md5==NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } +inline static int _gnutls_handshake_hash_pending(gnutls_session session) +{ + size_t siz; + int ret; + opaque *data; - /* We check if there are pending data to hash. - */ - if ((ret=_gnutls_handshake_buffer_get_ptr(session, &data, &siz)) < 0) { - gnutls_assert(); - return ret; - } + if (session->internals.handshake_mac_handle_sha == NULL || + session->internals.handshake_mac_handle_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - if (siz > 0) { - _gnutls_hash( session->internals.handshake_mac_handle_sha, data, siz); - _gnutls_hash( session->internals.handshake_mac_handle_md5, data, siz); - } - - _gnutls_handshake_buffer_empty( session); - - return 0; + /* We check if there are pending data to hash. + */ + if ((ret = _gnutls_handshake_buffer_get_ptr(session, &data, &siz)) < 0) { + gnutls_assert(); + return ret; + } + + if (siz > 0) { + _gnutls_hash(session->internals.handshake_mac_handle_sha, data, + siz); + _gnutls_hash(session->internals.handshake_mac_handle_md5, data, + siz); + } + + _gnutls_handshake_buffer_empty(session); + + return 0; } @@ -405,48 +420,46 @@ opaque * data; */ int _gnutls_send_finished(gnutls_session session, int again) { - uint8 data[36]; - int ret; - int data_size = 0; + uint8 data[36]; + int ret; + int data_size = 0; - if (again == 0) { - - /* This is needed in order to hash all the required - * messages. - */ - if ((ret=_gnutls_handshake_hash_pending(session)) < 0) { - gnutls_assert(); - return ret; - } + if (again == 0) { - if (gnutls_protocol_get_version( session) == GNUTLS_SSL3) { - ret = - _gnutls_ssl3_finished(session, - session-> - security_parameters. - entity, data); - data_size = 36; - } else { /* TLS 1.0 */ - ret = - _gnutls_finished(session, - session->security_parameters. - entity, data); - data_size = 12; - } + /* This is needed in order to hash all the required + * messages. + */ + if ((ret = _gnutls_handshake_hash_pending(session)) < 0) { + gnutls_assert(); + return ret; + } - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { + ret = + _gnutls_ssl3_finished(session, + session-> + security_parameters.entity, data); + data_size = 36; + } else { /* TLS 1.0 */ + ret = + _gnutls_finished(session, + session->security_parameters. + entity, data); + data_size = 12; + } + if (ret < 0) { + gnutls_assert(); + return ret; } - ret = - _gnutls_send_handshake(session, data, data_size, - GNUTLS_FINISHED); + } - return ret; + ret = + _gnutls_send_handshake(session, data, data_size, GNUTLS_FINISHED); + + return ret; } /* This is to be called after sending our finished message. If everything @@ -454,245 +467,256 @@ int _gnutls_send_finished(gnutls_session session, int again) */ int _gnutls_recv_finished(gnutls_session session) { - uint8 data[36], *vrfy; - int data_size; - int ret; - int vrfysize; - - ret = - _gnutls_recv_handshake(session, &vrfy, &vrfysize, - GNUTLS_FINISHED, MANDATORY_PACKET); - if (ret < 0) { - ERR("recv finished int", ret); - gnutls_assert(); - return ret; - } + uint8 data[36], *vrfy; + int data_size; + int ret; + int vrfysize; + + ret = + _gnutls_recv_handshake(session, &vrfy, &vrfysize, + GNUTLS_FINISHED, MANDATORY_PACKET); + if (ret < 0) { + ERR("recv finished int", ret); + gnutls_assert(); + return ret; + } - if ( gnutls_protocol_get_version( session) == GNUTLS_SSL3) { - data_size = 36; - } else { - data_size = 12; - } + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { + data_size = 36; + } else { + data_size = 12; + } - if (vrfysize != data_size) { - gnutls_assert(); - gnutls_free(vrfy); - return GNUTLS_E_ERROR_IN_FINISHED_PACKET; - } - - if (gnutls_protocol_get_version( session) == GNUTLS_SSL3) { - ret = - _gnutls_ssl3_finished(session, - (session->security_parameters. - entity + 1) % 2, data); - } else { /* TLS 1.0 */ - ret = - _gnutls_finished(session, - (session->security_parameters.entity + - 1) % 2, data); - } + if (vrfysize != data_size) { + gnutls_assert(); + gnutls_free(vrfy); + return GNUTLS_E_ERROR_IN_FINISHED_PACKET; + } - if (ret < 0) { - gnutls_assert(); - gnutls_free(vrfy); - return ret; - } + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { + ret = + _gnutls_ssl3_finished(session, + (session->security_parameters. + entity + 1) % 2, data); + } else { /* TLS 1.0 */ + ret = + _gnutls_finished(session, + (session->security_parameters.entity + + 1) % 2, data); + } - if (memcmp(vrfy, data, data_size) != 0) { - gnutls_assert(); - ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET; - } + if (ret < 0) { + gnutls_assert(); gnutls_free(vrfy); - return ret; + } + + if (memcmp(vrfy, data, data_size) != 0) { + gnutls_assert(); + ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET; + } + gnutls_free(vrfy); + + return ret; } /* returns PK_RSA if the given cipher suite list only supports, * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none. */ -static int _gnutls_server_find_pk_algos_in_ciphersuites( const opaque* data, int datalen) +static int _gnutls_server_find_pk_algos_in_ciphersuites(const opaque * + data, int datalen) { -int j; -gnutls_pk_algorithm algo=GNUTLS_PK_NONE, prev_algo = 0; -gnutls_kx_algorithm kx; -cipher_suite_st cs; + int j; + gnutls_pk_algorithm algo = GNUTLS_PK_NONE, prev_algo = 0; + gnutls_kx_algorithm kx; + cipher_suite_st cs; - if (datalen % 2 != 0) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + if (datalen % 2 != 0) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } - for (j = 0; j < datalen; j += 2) { - memcpy( &cs.suite, &data[j], 2); - kx = _gnutls_cipher_suite_get_kx_algo( &cs); - - if ( _gnutls_map_kx_get_cred( kx, 1) == GNUTLS_CRD_CERTIFICATE) { - algo = _gnutls_map_pk_get_pk( kx); - - if (algo!=prev_algo && prev_algo!=0) return GNUTLS_PK_ANY; - prev_algo = algo; - } + for (j = 0; j < datalen; j += 2) { + memcpy(&cs.suite, &data[j], 2); + kx = _gnutls_cipher_suite_get_kx_algo(&cs); + + if (_gnutls_map_kx_get_cred(kx, 1) == GNUTLS_CRD_CERTIFICATE) { + algo = _gnutls_map_pk_get_pk(kx); + + if (algo != prev_algo && prev_algo != 0) + return GNUTLS_PK_ANY; + prev_algo = algo; } + } - return algo; + return algo; } /* This selects the best supported ciphersuite from the given ones. Then * it adds the suite to the session and performs some checks. */ -int _gnutls_server_select_suite(gnutls_session session, opaque *data, int datalen) +int _gnutls_server_select_suite(gnutls_session session, opaque * data, + int datalen) { - int x, i, j; - cipher_suite_st *ciphers, cs; - int retval, err; - gnutls_pk_algorithm pk_algo; /* will hold the pk algorithms - * supported by the peer. - */ + int x, i, j; + cipher_suite_st *ciphers, cs; + int retval, err; + gnutls_pk_algorithm pk_algo; /* will hold the pk algorithms + * supported by the peer. + */ - pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites( data, datalen); - - x = _gnutls_supported_ciphersuites(session, &ciphers); - if (x < 0) { /* the case x==0 is handled within the function. */ - gnutls_assert(); - return x; - } - - /* Here we remove any ciphersuite that does not conform - * the certificate requested, or to the - * authentication requested (e.g. SRP). - */ - x = _gnutls_remove_unwanted_ciphersuites(session, &ciphers, x, pk_algo); - if (x<=0) { - gnutls_assert(); - gnutls_free(ciphers); - if (x<0) return x; - else return GNUTLS_E_UNKNOWN_CIPHER_SUITE; - } - - /* Data length should be zero mod 2 since - * every ciphersuite is 2 bytes. (this check is needed - * see below). - */ - if (datalen % 2 != 0) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites(data, datalen); + x = _gnutls_supported_ciphersuites(session, &ciphers); + if (x < 0) { /* the case x==0 is handled within the function. */ + gnutls_assert(); + return x; + } + + /* Here we remove any ciphersuite that does not conform + * the certificate requested, or to the + * authentication requested (e.g. SRP). + */ + x = _gnutls_remove_unwanted_ciphersuites(session, &ciphers, x, + pk_algo); + if (x <= 0) { + gnutls_assert(); + gnutls_free(ciphers); + if (x < 0) + return x; + else + return GNUTLS_E_UNKNOWN_CIPHER_SUITE; + } + + /* Data length should be zero mod 2 since + * every ciphersuite is 2 bytes. (this check is needed + * see below). + */ + if (datalen % 2 != 0) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } #ifdef HANDSHAKE_DEBUG - _gnutls_handshake_log("HSK[%x]: Requested cipher suites: \n", session); - for (j = 0; j < datalen; j += 2) { - memcpy( &cs.suite, &data[j], 2); - _gnutls_handshake_log("\t%s\n", - _gnutls_cipher_suite_get_name(&cs)); - } - _gnutls_handshake_log("HSK[%x]: Supported cipher suites: \n", session); - for (j = 0; j < x; j++) - _gnutls_handshake_log("\t%s\n", - _gnutls_cipher_suite_get_name(&ciphers[j])); + _gnutls_handshake_log("HSK[%x]: Requested cipher suites: \n", session); + for (j = 0; j < datalen; j += 2) { + memcpy(&cs.suite, &data[j], 2); + _gnutls_handshake_log("\t%s\n", + _gnutls_cipher_suite_get_name(&cs)); + } + _gnutls_handshake_log("HSK[%x]: Supported cipher suites: \n", session); + for (j = 0; j < x; j++) + _gnutls_handshake_log("\t%s\n", + _gnutls_cipher_suite_get_name(&ciphers[j])); #endif - memset(session->security_parameters.current_cipher_suite.suite, '\0', 2); - - retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE; - - for (j = 0; j < datalen; j += 2) { - for (i = 0; i < x; i++) { - if (memcmp(ciphers[i].suite, &data[j], 2) == - 0) { - memcpy( &cs.suite, &data[j], 2); - - _gnutls_handshake_log("HSK[%x]: Selected cipher suite: %s\n", - session, _gnutls_cipher_suite_get_name(&cs)); - memcpy(session->security_parameters.current_cipher_suite.suite, ciphers[i].suite, 2); - retval = 0; - goto finish; - } - } - } - - finish: - gnutls_free(ciphers); - - if (retval != 0) { - gnutls_assert(); - return retval; - } - - /* check if the credentials (username, public key etc.) are ok - */ - if (_gnutls_get_kx_cred - (session, _gnutls_cipher_suite_get_kx_algo(&session->security_parameters. - current_cipher_suite), - &err) == NULL && err != 0) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + memset(session->security_parameters.current_cipher_suite.suite, '\0', + 2); + retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE; - /* set the mod_auth_st to the appropriate struct - * according to the KX algorithm. This is needed since all the - * handshake functions are read from there; - */ - session->internals.auth_struct = - _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); - if (session->internals.auth_struct == NULL) { + for (j = 0; j < datalen; j += 2) { + for (i = 0; i < x; i++) { + if (memcmp(ciphers[i].suite, &data[j], 2) == 0) { + memcpy(&cs.suite, &data[j], 2); _gnutls_handshake_log - ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n", session); - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + ("HSK[%x]: Selected cipher suite: %s\n", session, + _gnutls_cipher_suite_get_name(&cs)); + memcpy(session->security_parameters.current_cipher_suite. + suite, ciphers[i].suite, 2); + retval = 0; + goto finish; + } } + } - return 0; + finish: + gnutls_free(ciphers); + + if (retval != 0) { + gnutls_assert(); + return retval; + } + + /* check if the credentials (username, public key etc.) are ok + */ + if (_gnutls_get_kx_cred + (session, + _gnutls_cipher_suite_get_kx_algo(&session->security_parameters. + current_cipher_suite), + &err) == NULL && err != 0) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + + /* set the mod_auth_st to the appropriate struct + * according to the KX algorithm. This is needed since all the + * handshake functions are read from there; + */ + session->internals.auth_struct = + _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); + if (session->internals.auth_struct == NULL) { + + _gnutls_handshake_log + ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n", + session); + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + return 0; } /* This selects the best supported compression method from the ones provided */ -int _gnutls_server_select_comp_method(gnutls_session session, opaque * data, - int datalen) +int _gnutls_server_select_comp_method(gnutls_session session, + opaque * data, int datalen) { - int x, i, j; - uint8 *comps; + int x, i, j; + uint8 *comps; - x = _gnutls_supported_compression_methods(session, &comps); - if (x < 0) { - gnutls_assert(); - return x; - } + x = _gnutls_supported_compression_methods(session, &comps); + if (x < 0) { + gnutls_assert(); + return x; + } - memset( &session->internals.compression_method, 0, sizeof(gnutls_compression_method)); + memset(&session->internals.compression_method, 0, + sizeof(gnutls_compression_method)); - for (j = 0; j < datalen; j++) { - for (i = 0; i < x; i++) { - if (comps[i] == data[j]) { - gnutls_compression_method method = - _gnutls_compression_get_id(comps[i]); + for (j = 0; j < datalen; j++) { + for (i = 0; i < x; i++) { + if (comps[i] == data[j]) { + gnutls_compression_method method = + _gnutls_compression_get_id(comps[i]); - session->internals.compression_method = method; - gnutls_free(comps); + session->internals.compression_method = method; + gnutls_free(comps); - _gnutls_handshake_log("HSK[%x]: Selected Compression Method: %s\n", - session, gnutls_compression_get_name(session->internals. - compression_method)); + _gnutls_handshake_log + ("HSK[%x]: Selected Compression Method: %s\n", session, + gnutls_compression_get_name(session->internals. + compression_method)); - return 0; - } - } + return 0; + } } + } - /* we were not able to find a compatible compression - * algorithm - */ - gnutls_free(comps); - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + /* we were not able to find a compatible compression + * algorithm + */ + gnutls_free(comps); + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; } @@ -701,39 +725,43 @@ int _gnutls_server_select_comp_method(gnutls_session session, opaque * data, * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again * (until it returns ok), with NULL parameters. */ -int _gnutls_send_empty_handshake(gnutls_session session, HandshakeType type, - int again) +int _gnutls_send_empty_handshake(gnutls_session session, + HandshakeType type, int again) { - opaque data = 0; - opaque *ptr; + opaque data = 0; + opaque *ptr; - if (again == 0) - ptr = &data; - else - ptr = NULL; + if (again == 0) + ptr = &data; + else + ptr = NULL; - return _gnutls_send_handshake(session, ptr, 0, type); + return _gnutls_send_handshake(session, ptr, 0, type); } /* This function will hash the handshake message we sent. */ static -int _gnutls_handshake_hash_add_sent( gnutls_session session, HandshakeType type, - opaque* dataptr, uint32 datalen) { -int ret; +int _gnutls_handshake_hash_add_sent(gnutls_session session, + HandshakeType type, opaque * dataptr, + uint32 datalen) +{ + int ret; - if ( (ret=_gnutls_handshake_hash_pending( session)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_handshake_hash_pending(session)) < 0) { + gnutls_assert(); + return ret; + } - if ( type != GNUTLS_HELLO_REQUEST) { - _gnutls_hash( session->internals.handshake_mac_handle_sha, dataptr, datalen); - _gnutls_hash( session->internals.handshake_mac_handle_md5, dataptr, datalen); - } + if (type != GNUTLS_HELLO_REQUEST) { + _gnutls_hash(session->internals.handshake_mac_handle_sha, dataptr, + datalen); + _gnutls_hash(session->internals.handshake_mac_handle_md5, dataptr, + datalen); + } - return 0; + return 0; } @@ -745,62 +773,64 @@ int ret; int _gnutls_send_handshake(gnutls_session session, void *i_data, uint32 i_datasize, HandshakeType type) { - int ret; - uint8 *data; - uint32 datasize; - int pos = 0; - - if (i_data == NULL && i_datasize == 0) { - /* we are resuming a previously interrupted - * send. - */ - ret = _gnutls_handshake_io_write_flush(session); - return ret; + int ret; + uint8 *data; + uint32 datasize; + int pos = 0; + + if (i_data == NULL && i_datasize == 0) { + /* we are resuming a previously interrupted + * send. + */ + ret = _gnutls_handshake_io_write_flush(session); + return ret; - } + } - if (i_data == NULL && i_datasize > 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (i_data == NULL && i_datasize > 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* first run */ - datasize = i_datasize + HANDSHAKE_HEADER_SIZE; - data = gnutls_alloca(datasize); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + /* first run */ + datasize = i_datasize + HANDSHAKE_HEADER_SIZE; + data = gnutls_alloca(datasize); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - data[pos++] = (uint8) type; - _gnutls_write_uint24(i_datasize, &data[pos]); - pos += 3; + data[pos++] = (uint8) type; + _gnutls_write_uint24(i_datasize, &data[pos]); + pos += 3; - if (i_datasize > 0) - memcpy(&data[pos], i_data, i_datasize); + if (i_datasize > 0) + memcpy(&data[pos], i_data, i_datasize); - _gnutls_handshake_log("HSK[%x]: %s was send [%ld bytes]\n", - session, _gnutls_handshake2str(type), datasize); + _gnutls_handshake_log("HSK[%x]: %s was send [%ld bytes]\n", + session, _gnutls_handshake2str(type), datasize); - /* Here we keep the handshake messages in order to hash them... - */ - if ( type != GNUTLS_HELLO_REQUEST) - if ( (ret= _gnutls_handshake_hash_add_sent( session, type, data, datasize)) < 0) { - gnutls_assert(); - gnutls_afree(data); - return ret; - } + /* Here we keep the handshake messages in order to hash them... + */ + if (type != GNUTLS_HELLO_REQUEST) + if ((ret = + _gnutls_handshake_hash_add_sent(session, type, data, + datasize)) < 0) { + gnutls_assert(); + gnutls_afree(data); + return ret; + } - session->internals.last_handshake_out = type; + session->internals.last_handshake_out = type; - ret = - _gnutls_handshake_io_send_int(session, GNUTLS_HANDSHAKE, type, - data, datasize); + ret = + _gnutls_handshake_io_send_int(session, GNUTLS_HANDSHAKE, type, + data, datasize); - gnutls_afree(data); + gnutls_afree(data); - return ret; + return ret; } /* This function will read the handshake header and return it to the caller. If the @@ -814,127 +844,117 @@ static int _gnutls_recv_handshake_header(gnutls_session session, HandshakeType type, HandshakeType * recv_type) { - int ret; - uint32 length32 = 0; - uint8 *dataptr = NULL; /* for realloc */ - size_t handshake_header_size = HANDSHAKE_HEADER_SIZE; - - /* if we have data into the buffer then return them, do not read the next packet. - * In order to return we need a full TLS handshake header, or in case of a version 2 - * packet, then we return the first byte. - */ - if (session->internals.handshake_header_buffer.header_size == - handshake_header_size || (session->internals.v2_hello != 0 - && type == GNUTLS_CLIENT_HELLO - && session->internals. - handshake_header_buffer. - packet_length > 0)) { - - *recv_type = - session->internals.handshake_header_buffer. - recv_type; - - return session->internals.handshake_header_buffer. - packet_length; - } - - /* Note: SSL2_HEADERS == 1 */ + int ret; + uint32 length32 = 0; + uint8 *dataptr = NULL; /* for realloc */ + size_t handshake_header_size = HANDSHAKE_HEADER_SIZE; + + /* if we have data into the buffer then return them, do not read the next packet. + * In order to return we need a full TLS handshake header, or in case of a version 2 + * packet, then we return the first byte. + */ + if (session->internals.handshake_header_buffer.header_size == + handshake_header_size || (session->internals.v2_hello != 0 + && type == GNUTLS_CLIENT_HELLO + && session->internals. + handshake_header_buffer. + packet_length > 0)) { + + *recv_type = session->internals.handshake_header_buffer.recv_type; + + return session->internals.handshake_header_buffer.packet_length; + } + + /* Note: SSL2_HEADERS == 1 */ + + dataptr = session->internals.handshake_header_buffer.header; + + /* If we haven't already read the handshake headers. + */ + if (session->internals.handshake_header_buffer.header_size < + SSL2_HEADERS) { + ret = + _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, + type, dataptr, SSL2_HEADERS); - dataptr = session->internals.handshake_header_buffer.header; + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* If we haven't already read the handshake headers. + /* The case ret==0 is caught here. */ - if (session->internals.handshake_header_buffer.header_size < - SSL2_HEADERS) { - ret = - _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, - type, dataptr, - SSL2_HEADERS); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* The case ret==0 is caught here. - */ - if (ret != SSL2_HEADERS) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - session->internals.handshake_header_buffer. - header_size = SSL2_HEADERS; + if (ret != SSL2_HEADERS) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } + session->internals.handshake_header_buffer. + header_size = SSL2_HEADERS; + } - if (session->internals.v2_hello == 0 - || type != GNUTLS_CLIENT_HELLO) { - ret = - _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, - type, - &dataptr[session-> - internals. - handshake_header_buffer. - header_size], - HANDSHAKE_HEADER_SIZE - - session->internals. - handshake_header_buffer. - header_size); - if (ret <= 0) { - gnutls_assert(); - return (ret < - 0) ? ret : - GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - if ((size_t)ret != - HANDSHAKE_HEADER_SIZE - - session->internals.handshake_header_buffer. - header_size) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - *recv_type = dataptr[0]; - - /* we do not use DECR_LEN because we know - * that the packet has enough data. - */ - length32 = _gnutls_read_uint24(&dataptr[1]); - handshake_header_size = HANDSHAKE_HEADER_SIZE; + if (session->internals.v2_hello == 0 || type != GNUTLS_CLIENT_HELLO) { + ret = + _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, + type, + &dataptr[session-> + internals. + handshake_header_buffer. + header_size], + HANDSHAKE_HEADER_SIZE - + session->internals. + handshake_header_buffer. + header_size); + if (ret <= 0) { + gnutls_assert(); + return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + if ((size_t) ret != + HANDSHAKE_HEADER_SIZE - + session->internals.handshake_header_buffer.header_size) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + *recv_type = dataptr[0]; + + /* we do not use DECR_LEN because we know + * that the packet has enough data. + */ + length32 = _gnutls_read_uint24(&dataptr[1]); + handshake_header_size = HANDSHAKE_HEADER_SIZE; - _gnutls_handshake_log("HSK[%x]: %s was received [%ld bytes]\n", - session, _gnutls_handshake2str(dataptr[0]), - length32 + HANDSHAKE_HEADER_SIZE); + _gnutls_handshake_log("HSK[%x]: %s was received [%ld bytes]\n", + session, _gnutls_handshake2str(dataptr[0]), + length32 + HANDSHAKE_HEADER_SIZE); - } else { /* v2 hello */ - length32 = session->internals.v2_hello - SSL2_HEADERS; /* we've read the first byte */ + } else { /* v2 hello */ + length32 = session->internals.v2_hello - SSL2_HEADERS; /* we've read the first byte */ - handshake_header_size = SSL2_HEADERS; /* we've already read one byte */ + handshake_header_size = SSL2_HEADERS; /* we've already read one byte */ - *recv_type = dataptr[0]; + *recv_type = dataptr[0]; - _gnutls_handshake_log("HSK[%x]: %s(v2) was received [%ld bytes]\n", - session, _gnutls_handshake2str(*recv_type), - length32 + handshake_header_size); + _gnutls_handshake_log("HSK[%x]: %s(v2) was received [%ld bytes]\n", + session, _gnutls_handshake2str(*recv_type), + length32 + handshake_header_size); - if (*recv_type != GNUTLS_CLIENT_HELLO) { /* it should be one or nothing */ - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; - } + if (*recv_type != GNUTLS_CLIENT_HELLO) { /* it should be one or nothing */ + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; } + } - /* put the packet into the buffer */ - session->internals.handshake_header_buffer.header_size = - handshake_header_size; - session->internals.handshake_header_buffer.packet_length = - length32; - session->internals.handshake_header_buffer.recv_type = - *recv_type; + /* put the packet into the buffer */ + session->internals.handshake_header_buffer.header_size = + handshake_header_size; + session->internals.handshake_header_buffer.packet_length = length32; + session->internals.handshake_header_buffer.recv_type = *recv_type; - if (*recv_type != type) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; - } + if (*recv_type != type) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; + } - return length32; + return length32; } #define _gnutls_handshake_header_buffer_clear( session) session->internals.handshake_header_buffer.header_size = 0 @@ -945,40 +965,43 @@ static int _gnutls_recv_handshake_header(gnutls_session session, * handshake data. */ static -int _gnutls_handshake_hash_add_recvd( gnutls_session session, HandshakeType recv_type, - opaque* header, uint16 header_size, opaque* dataptr, uint32 datalen) { -int ret; +int _gnutls_handshake_hash_add_recvd(gnutls_session session, + HandshakeType recv_type, + opaque * header, uint16 header_size, + opaque * dataptr, uint32 datalen) +{ + int ret; - /* The idea here is to hash the previous message we received, - * and add the one we just received into the handshake_hash_buffer. - */ - - if ( (ret=_gnutls_handshake_hash_pending( session)) < 0) { - gnutls_assert(); - return ret; + /* The idea here is to hash the previous message we received, + * and add the one we just received into the handshake_hash_buffer. + */ + + if ((ret = _gnutls_handshake_hash_pending(session)) < 0) { + gnutls_assert(); + return ret; + } + + /* here we buffer the handshake messages - needed at Finished message */ + if (recv_type != GNUTLS_HELLO_REQUEST) { + + if ((ret = + _gnutls_handshake_buffer_put(session, + header, header_size)) < 0) { + gnutls_assert(); + return ret; } - - /* here we buffer the handshake messages - needed at Finished message */ - if ( recv_type != GNUTLS_HELLO_REQUEST) { - - if ((ret = - _gnutls_handshake_buffer_put(session, - header, header_size)) < 0) { - gnutls_assert(); - return ret; - } - if ( datalen > 0) { - if ((ret = - _gnutls_handshake_buffer_put(session, dataptr, - datalen)) < 0) { - gnutls_assert(); - return ret; - } - } + if (datalen > 0) { + if ((ret = + _gnutls_handshake_buffer_put(session, dataptr, + datalen)) < 0) { + gnutls_assert(); + return ret; + } } + } - return 0; + return 0; } @@ -991,118 +1014,121 @@ int _gnutls_recv_handshake(gnutls_session session, uint8 ** data, int *datalen, HandshakeType type, Optional optional) { - int ret; - uint32 length32 = 0; - opaque *dataptr = NULL; - HandshakeType recv_type; - - ret = _gnutls_recv_handshake_header(session, type, &recv_type); - if (ret < 0) { + int ret; + uint32 length32 = 0; + opaque *dataptr = NULL; + HandshakeType recv_type; - /* In SRP when expecting the server hello we may receive - * an alert instead. Do as the draft demands. - */ - if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED && - gnutls_alert_get( session) == GNUTLS_A_MISSING_SRP_USERNAME && - type == GNUTLS_SERVER_HELLO) - { - gnutls_assert(); - return GNUTLS_E_INT_HANDSHAKE_AGAIN; - } - - if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET - && optional == OPTIONAL_PACKET) { - if (datalen != NULL) - *datalen = 0; - if (data != NULL) - *data = NULL; - return 0; /* ok just ignore the packet */ - } - - return ret; - } + ret = _gnutls_recv_handshake_header(session, type, &recv_type); + if (ret < 0) { - session->internals.last_handshake_in = recv_type; - - length32 = ret; - - if (length32 > 0) - dataptr = gnutls_malloc(length32); - else if (recv_type != GNUTLS_SERVER_HELLO_DONE) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + /* In SRP when expecting the server hello we may receive + * an alert instead. Do as the draft demands. + */ + if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED && + gnutls_alert_get(session) == GNUTLS_A_MISSING_SRP_USERNAME && + type == GNUTLS_SERVER_HELLO) { + gnutls_assert(); + return GNUTLS_E_INT_HANDSHAKE_AGAIN; } - if (dataptr == NULL && length32 > 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET + && optional == OPTIONAL_PACKET) { + if (datalen != NULL) + *datalen = 0; + if (data != NULL) + *data = NULL; + return 0; /* ok just ignore the packet */ } - if (datalen != NULL) - *datalen = length32; - - if (length32 > 0) { - ret = - _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, - type, dataptr, length32); - if (ret <= 0) { - gnutls_assert(); - gnutls_free(dataptr); - return (ret == - 0) ? GNUTLS_E_UNEXPECTED_PACKET_LENGTH : - ret; - } - } + return ret; + } - if (data != NULL && length32 > 0) - *data = dataptr; + session->internals.last_handshake_in = recv_type; + length32 = ret; - ret = _gnutls_handshake_hash_add_recvd( session, recv_type, - session->internals.handshake_header_buffer.header, - session->internals.handshake_header_buffer.header_size, - dataptr, length32); - if (ret < 0) { - gnutls_assert(); - _gnutls_handshake_header_buffer_clear(session); - return ret; - } + if (length32 > 0) + dataptr = gnutls_malloc(length32); + else if (recv_type != GNUTLS_SERVER_HELLO_DONE) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } - /* If we fail before this then we will reuse the handshake header - * have have received above. if we get here the we clear the handshake - * header we received. - */ - _gnutls_handshake_header_buffer_clear(session); + if (dataptr == NULL && length32 > 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - switch (recv_type) { - case GNUTLS_CLIENT_HELLO: - case GNUTLS_SERVER_HELLO: - ret = _gnutls_recv_hello(session, dataptr, length32); - /* dataptr is freed because the caller does not - * need it */ - gnutls_free(dataptr); - if (data!=NULL) *data = NULL; - break; - case GNUTLS_SERVER_HELLO_DONE: - if (length32==0) ret = 0; - else ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - break; - case GNUTLS_CERTIFICATE_PKT: - case GNUTLS_FINISHED: - case GNUTLS_SERVER_KEY_EXCHANGE: - case GNUTLS_CLIENT_KEY_EXCHANGE: - case GNUTLS_CERTIFICATE_REQUEST: - case GNUTLS_CERTIFICATE_VERIFY: - ret = length32; - break; - default: - gnutls_assert(); - gnutls_free(dataptr); - if (data!=NULL) *data = NULL; - ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; - } + if (datalen != NULL) + *datalen = length32; + if (length32 > 0) { + ret = + _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, + type, dataptr, length32); + if (ret <= 0) { + gnutls_assert(); + gnutls_free(dataptr); + return (ret == 0) ? GNUTLS_E_UNEXPECTED_PACKET_LENGTH : ret; + } + } + + if (data != NULL && length32 > 0) + *data = dataptr; + + + ret = _gnutls_handshake_hash_add_recvd(session, recv_type, + session->internals. + handshake_header_buffer.header, + session->internals. + handshake_header_buffer. + header_size, dataptr, length32); + if (ret < 0) { + gnutls_assert(); + _gnutls_handshake_header_buffer_clear(session); return ret; + } + + /* If we fail before this then we will reuse the handshake header + * have have received above. if we get here the we clear the handshake + * header we received. + */ + _gnutls_handshake_header_buffer_clear(session); + + switch (recv_type) { + case GNUTLS_CLIENT_HELLO: + case GNUTLS_SERVER_HELLO: + ret = _gnutls_recv_hello(session, dataptr, length32); + /* dataptr is freed because the caller does not + * need it */ + gnutls_free(dataptr); + if (data != NULL) + *data = NULL; + break; + case GNUTLS_SERVER_HELLO_DONE: + if (length32 == 0) + ret = 0; + else + ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + break; + case GNUTLS_CERTIFICATE_PKT: + case GNUTLS_FINISHED: + case GNUTLS_SERVER_KEY_EXCHANGE: + case GNUTLS_CLIENT_KEY_EXCHANGE: + case GNUTLS_CERTIFICATE_REQUEST: + case GNUTLS_CERTIFICATE_VERIFY: + ret = length32; + break; + default: + gnutls_assert(); + gnutls_free(dataptr); + if (data != NULL) + *data = NULL; + ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; + } + + return ret; } /* This function checks if the given cipher suite is supported, and sets it @@ -1111,72 +1137,75 @@ int _gnutls_recv_handshake(gnutls_session session, uint8 ** data, static int _gnutls_client_set_ciphersuite(gnutls_session session, opaque suite[2]) { - uint8 z; - cipher_suite_st *cipher_suites; - int cipher_suite_num; - int i, err; - - z = 1; - cipher_suite_num = _gnutls_supported_ciphersuites(session, &cipher_suites); - if (cipher_suite_num < 0) { - gnutls_assert(); - return cipher_suite_num; - } - - for (i = 0; i < cipher_suite_num; i++) { - if (memcmp(&cipher_suites[i], suite, 2) == 0) { - z = 0; break; - } - } - - gnutls_free(cipher_suites); + uint8 z; + cipher_suite_st *cipher_suites; + int cipher_suite_num; + int i, err; + + z = 1; + cipher_suite_num = + _gnutls_supported_ciphersuites(session, &cipher_suites); + if (cipher_suite_num < 0) { + gnutls_assert(); + return cipher_suite_num; + } - if (z != 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_CIPHER_SUITE; + for (i = 0; i < cipher_suite_num; i++) { + if (memcmp(&cipher_suites[i], suite, 2) == 0) { + z = 0; + break; } + } - memcpy(session->security_parameters. - current_cipher_suite.suite, suite, 2); - - _gnutls_handshake_log("HSK[%x]: Selected cipher suite: %s\n", session, - _gnutls_cipher_suite_get_name(&session-> - security_parameters. - current_cipher_suite)); + gnutls_free(cipher_suites); - - /* check if the credentials (username, public key etc.) are ok. - * Actually checks if they exist. - */ - if (_gnutls_get_kx_cred - (session, _gnutls_cipher_suite_get_kx_algo(&session-> - security_parameters. - current_cipher_suite), - &err) == NULL && err != 0) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + if (z != 0) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_CIPHER_SUITE; + } + + memcpy(session->security_parameters. + current_cipher_suite.suite, suite, 2); + + _gnutls_handshake_log("HSK[%x]: Selected cipher suite: %s\n", session, + _gnutls_cipher_suite_get_name(&session-> + security_parameters. + current_cipher_suite)); + + + /* check if the credentials (username, public key etc.) are ok. + * Actually checks if they exist. + */ + if (_gnutls_get_kx_cred + (session, _gnutls_cipher_suite_get_kx_algo(&session-> + security_parameters. + current_cipher_suite), + &err) == NULL && err != 0) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } - /* set the mod_auth_st to the appropriate struct - * according to the KX algorithm. This is needed since all the - * handshake functions are read from there; - */ - session->internals.auth_struct = - _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); + /* set the mod_auth_st to the appropriate struct + * according to the KX algorithm. This is needed since all the + * handshake functions are read from there; + */ + session->internals.auth_struct = + _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); - if (session->internals.auth_struct == NULL) { + if (session->internals.auth_struct == NULL) { - _gnutls_handshake_log - ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n", session); - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + _gnutls_handshake_log + ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n", + session); + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - return 0; + return 0; } /* This function sets the given comp method to the session. @@ -1184,35 +1213,36 @@ static int _gnutls_client_set_ciphersuite(gnutls_session session, static int _gnutls_client_set_comp_method(gnutls_session session, opaque comp_method) { - int comp_methods_num; - uint8 *compression_methods; - int i; + int comp_methods_num; + uint8 *compression_methods; + int i; - comp_methods_num = _gnutls_supported_compression_methods(session, - &compression_methods); - if ( comp_methods_num < 0) { - gnutls_assert(); - return comp_methods_num; - } - - for (i = 0; i < comp_methods_num; i++) { - if (compression_methods[i] == comp_method) { - comp_methods_num = 0; break; - } + comp_methods_num = _gnutls_supported_compression_methods(session, + &compression_methods); + if (comp_methods_num < 0) { + gnutls_assert(); + return comp_methods_num; + } + + for (i = 0; i < comp_methods_num; i++) { + if (compression_methods[i] == comp_method) { + comp_methods_num = 0; + break; } + } - gnutls_free(compression_methods); + gnutls_free(compression_methods); - if (comp_methods_num != 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } + if (comp_methods_num != 0) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } - session->internals.compression_method = - _gnutls_compression_get_id(comp_method); + session->internals.compression_method = + _gnutls_compression_get_id(comp_method); - return 0; + return 0; } /* This function returns 0 if we are resuming a session or -1 otherwise. @@ -1223,40 +1253,41 @@ static int _gnutls_client_check_if_resuming(gnutls_session session, opaque * session_id, int session_id_len) { -opaque buf[2*TLS_MAX_SESSION_ID_SIZE+1]; + opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1]; + + _gnutls_handshake_log("HSK[%x]: SessionID length: %d\n", session, + session_id_len); + _gnutls_handshake_log("HSK[%x]: SessionID: %s\n", session, + _gnutls_bin2hex(session_id, session_id_len, buf, + sizeof(buf))); + + if ((session->internals.resumed_security_parameters. + session_id_size > 0) + && memcmp(session_id, + session->internals. + resumed_security_parameters.session_id, + session_id_len) == 0) { + /* resume session */ + memcpy(session->internals. + resumed_security_parameters.server_random, + session->security_parameters.server_random, + TLS_RANDOM_SIZE); + memcpy(session->internals. + resumed_security_parameters.client_random, + session->security_parameters.client_random, + TLS_RANDOM_SIZE); + session->internals.resumed = RESUME_TRUE; /* we are resuming */ - _gnutls_handshake_log("HSK[%x]: SessionID length: %d\n", session, session_id_len); - _gnutls_handshake_log("HSK[%x]: SessionID: %s\n", session, - _gnutls_bin2hex(session_id, session_id_len, buf, sizeof(buf))); - - if ((session->internals.resumed_security_parameters. - session_id_size > 0) - && memcmp(session_id, - session->internals. - resumed_security_parameters.session_id, - session_id_len) == 0) { - /* resume session */ - memcpy(session->internals. - resumed_security_parameters.server_random, - session->security_parameters.server_random, - TLS_RANDOM_SIZE); - memcpy(session->internals. - resumed_security_parameters.client_random, - session->security_parameters.client_random, - TLS_RANDOM_SIZE); - session->internals.resumed = RESUME_TRUE; /* we are resuming */ + return 0; + } else { + /* keep the new session id */ + session->internals.resumed = RESUME_FALSE; /* we are not resuming */ + session->security_parameters.session_id_size = session_id_len; + memcpy(session->security_parameters.session_id, + session_id, session_id_len); - return 0; - } else { - /* keep the new session id */ - session->internals.resumed = RESUME_FALSE; /* we are not resuming */ - session->security_parameters.session_id_size = - session_id_len; - memcpy(session->security_parameters.session_id, - session_id, session_id_len); - - return -1; - } + return -1; + } } @@ -1264,94 +1295,94 @@ opaque buf[2*TLS_MAX_SESSION_ID_SIZE+1]; * This function also restores resumed parameters if we are resuming a * session. */ -static int _gnutls_read_server_hello(gnutls_session session, opaque *data, +static int _gnutls_read_server_hello(gnutls_session session, opaque * data, int datalen) { - uint8 session_id_len = 0; - int pos = 0; - int ret = 0; - gnutls_protocol_version version; - int len = datalen; + uint8 session_id_len = 0; + int pos = 0; + int ret = 0; + gnutls_protocol_version version; + int len = datalen; - if (datalen < 38) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + if (datalen < 38) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } - _gnutls_handshake_log("HSK[%x]: Server's version: %d.%d\n", - session, data[pos], data[pos + 1]); + _gnutls_handshake_log("HSK[%x]: Server's version: %d.%d\n", + session, data[pos], data[pos + 1]); - DECR_LEN(len, 2); - version = _gnutls_version_get(data[pos], data[pos + 1]); - if (_gnutls_version_is_supported(session, version) == 0) { - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; - } else { - _gnutls_set_current_version(session, version); - } + DECR_LEN(len, 2); + version = _gnutls_version_get(data[pos], data[pos + 1]); + if (_gnutls_version_is_supported(session, version) == 0) { + gnutls_assert(); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + } else { + _gnutls_set_current_version(session, version); + } - pos += 2; + pos += 2; - DECR_LEN(len, TLS_RANDOM_SIZE); - _gnutls_set_server_random(session, &data[pos]); - pos += TLS_RANDOM_SIZE; + DECR_LEN(len, TLS_RANDOM_SIZE); + _gnutls_set_server_random(session, &data[pos]); + pos += TLS_RANDOM_SIZE; - /* Read session ID - */ - DECR_LEN(len, 1); - session_id_len = data[pos++]; + /* Read session ID + */ + DECR_LEN(len, 1); + session_id_len = data[pos++]; - if (len < session_id_len) { - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; - } - DECR_LEN(len, session_id_len); + if (len < session_id_len) { + gnutls_assert(); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + } + DECR_LEN(len, session_id_len); - /* check if we are resuming and set the appropriate - * values; - */ - if (_gnutls_client_check_if_resuming - (session, &data[pos], session_id_len) == 0) - return 0; - pos += session_id_len; + /* check if we are resuming and set the appropriate + * values; + */ + if (_gnutls_client_check_if_resuming + (session, &data[pos], session_id_len) == 0) + return 0; + pos += session_id_len; - /* Check if the given cipher suite is supported and copy - * it to the session. - */ + /* Check if the given cipher suite is supported and copy + * it to the session. + */ - DECR_LEN(len, 2); - ret = _gnutls_client_set_ciphersuite(session, &data[pos]); - if (ret < 0) { - gnutls_assert(); - return ret; - } - pos += 2; + DECR_LEN(len, 2); + ret = _gnutls_client_set_ciphersuite(session, &data[pos]); + if (ret < 0) { + gnutls_assert(); + return ret; + } + pos += 2; - /* move to compression - */ - DECR_LEN(len, 1); + /* move to compression + */ + DECR_LEN(len, 1); - ret = _gnutls_client_set_comp_method(session, data[pos++]); - if (ret < 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } + ret = _gnutls_client_set_comp_method(session, data[pos++]); + if (ret < 0) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } - /* Parse extensions. - */ - if (version >= GNUTLS_TLS1) { - ret = _gnutls_parse_extensions(session, &data[pos], len); /* len is the rest of the parsed length */ - if (ret < 0) { - gnutls_assert(); - return ret; - } + /* Parse extensions. + */ + if (version >= GNUTLS_TLS1) { + ret = _gnutls_parse_extensions(session, &data[pos], len); /* len is the rest of the parsed length */ + if (ret < 0) { + gnutls_assert(); + return ret; } - return ret; + } + return ret; } @@ -1359,63 +1390,64 @@ static int _gnutls_read_server_hello(gnutls_session session, opaque *data, * Needed in client hello messages. Returns the new data length. */ static int _gnutls_copy_ciphersuites(gnutls_session session, - opaque * ret_data, size_t ret_data_size) + opaque * ret_data, + size_t ret_data_size) { - int ret, i; - cipher_suite_st *cipher_suites; - uint16 cipher_num; - int datalen, pos; + int ret, i; + cipher_suite_st *cipher_suites; + uint16 cipher_num; + int datalen, pos; - ret = _gnutls_supported_ciphersuites_sorted(session, &cipher_suites); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_supported_ciphersuites_sorted(session, &cipher_suites); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* Here we remove any ciphersuite that does not conform + * the certificate requested, or to the + * authentication requested (eg SRP). + */ + ret = + _gnutls_remove_unwanted_ciphersuites(session, &cipher_suites, + ret, -1); + if (ret < 0) { + gnutls_assert(); + gnutls_free(cipher_suites); + return ret; + } - /* Here we remove any ciphersuite that does not conform - * the certificate requested, or to the - * authentication requested (eg SRP). - */ - ret = - _gnutls_remove_unwanted_ciphersuites(session, &cipher_suites, - ret, -1); - if (ret < 0) { - gnutls_assert(); - gnutls_free(cipher_suites); - return ret; - } + /* If no cipher suites were enabled. + */ + if (ret == 0) { + gnutls_assert(); + gnutls_free(cipher_suites); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } - /* If no cipher suites were enabled. - */ - if (ret == 0) { - gnutls_assert(); - gnutls_free(cipher_suites); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + cipher_num = ret; - cipher_num = ret; - - cipher_num *= sizeof(uint16); /* in order to get bytes */ - - datalen = pos = 0; + cipher_num *= sizeof(uint16); /* in order to get bytes */ - datalen += sizeof(uint16) + cipher_num; + datalen = pos = 0; - if ((size_t)datalen > ret_data_size) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - _gnutls_write_uint16(cipher_num, ret_data); - pos += 2; + datalen += sizeof(uint16) + cipher_num; - for (i = 0; i < (cipher_num / 2); i++) { - memcpy( &ret_data[pos], cipher_suites[i].suite, 2); - pos += 2; - } - gnutls_free(cipher_suites); + if ((size_t) datalen > ret_data_size) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + _gnutls_write_uint16(cipher_num, ret_data); + pos += 2; + + for (i = 0; i < (cipher_num / 2); i++) { + memcpy(&ret_data[pos], cipher_suites[i].suite, 2); + pos += 2; + } + gnutls_free(cipher_suites); - return datalen; + return datalen; } @@ -1423,39 +1455,40 @@ static int _gnutls_copy_ciphersuites(gnutls_session session, * Needed in hello messages. Returns the new data length. */ static int _gnutls_copy_comp_methods(gnutls_session session, - opaque * ret_data, size_t ret_data_size) + opaque * ret_data, + size_t ret_data_size) { - int ret, i; - uint8 *compression_methods, comp_num; - int datalen, pos; - - ret = - _gnutls_supported_compression_methods(session, - &compression_methods); - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret, i; + uint8 *compression_methods, comp_num; + int datalen, pos; + + ret = + _gnutls_supported_compression_methods(session, + &compression_methods); + if (ret < 0) { + gnutls_assert(); + return ret; + } - comp_num = ret; + comp_num = ret; - datalen = pos = 0; - datalen += comp_num + 1; + datalen = pos = 0; + datalen += comp_num + 1; - if ((size_t)datalen > ret_data_size) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if ((size_t) datalen > ret_data_size) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - ret_data[pos++] = comp_num; /* put the number of compression methods */ + ret_data[pos++] = comp_num; /* put the number of compression methods */ - for (i = 0; i < comp_num; i++) { - ret_data[pos++] = compression_methods[i]; - } + for (i = 0; i < comp_num; i++) { + ret_data[pos++] = compression_methods[i]; + } - gnutls_free(compression_methods); + gnutls_free(compression_methods); - return datalen; + return datalen; } /* This should be sufficient by now. It should hold all the extensions @@ -1467,312 +1500,313 @@ static int _gnutls_copy_comp_methods(gnutls_session session, */ static int _gnutls_send_client_hello(gnutls_session session, int again) { - opaque *data = NULL; - int extdatalen; - int pos = 0; - int datalen = 0, ret = 0; - opaque random[TLS_RANDOM_SIZE]; - gnutls_protocol_version hver; - opaque extdata[MAX_EXT_DATA_LENGTH]; - - opaque *SessionID = - session->internals.resumed_security_parameters.session_id; - uint8 session_id_len = - session->internals.resumed_security_parameters. - session_id_size; - - if (SessionID == NULL) session_id_len = 0; - else if (session_id_len == 0) SessionID = NULL; - - if (again == 0) { - - datalen = 2 + (session_id_len + 1) + TLS_RANDOM_SIZE; - /* 2 for version, (4 for unix time + 28 for random bytes==TLS_RANDOM_SIZE) - */ - - data = gnutls_malloc(datalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + opaque *data = NULL; + int extdatalen; + int pos = 0; + int datalen = 0, ret = 0; + opaque random[TLS_RANDOM_SIZE]; + gnutls_protocol_version hver; + opaque extdata[MAX_EXT_DATA_LENGTH]; + + opaque *SessionID = + session->internals.resumed_security_parameters.session_id; + uint8 session_id_len = + session->internals.resumed_security_parameters.session_id_size; + + if (SessionID == NULL) + session_id_len = 0; + else if (session_id_len == 0) + SessionID = NULL; + + if (again == 0) { + + datalen = 2 + (session_id_len + 1) + TLS_RANDOM_SIZE; + /* 2 for version, (4 for unix time + 28 for random bytes==TLS_RANDOM_SIZE) + */ - /* if we are resuming a session then we set the - * version number to the previously established. - */ - if (SessionID == NULL) - hver = _gnutls_version_max(session); - else { /* we are resuming a session */ - hver = - session->internals. - resumed_security_parameters.version; - } + data = gnutls_malloc(datalen); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0) { - gnutls_assert(); - gnutls_free(data); - return GNUTLS_E_INTERNAL_ERROR; - } + /* if we are resuming a session then we set the + * version number to the previously established. + */ + if (SessionID == NULL) + hver = _gnutls_version_max(session); + else { /* we are resuming a session */ + hver = session->internals.resumed_security_parameters.version; + } - data[pos++] = _gnutls_version_get_major(hver); - data[pos++] = _gnutls_version_get_minor(hver); - - /* Set the version we advertized as maximum - * (RSA uses it). - */ - _gnutls_set_adv_version( session, hver); - - /* Some old implementations do not interoperate if we send a - * different version in the record layer. - * It seems they prefer to read the record's version - * as the one we actually requested. - * The proper behaviour is to use the one in the client hello - * handshake packet and ignore the one in the packet's record - * header. - */ - _gnutls_set_current_version(session, hver); - - /* In order to know when this session was initiated. - */ - session->security_parameters.timestamp = time(NULL); - - /* Generate random data - */ - _gnutls_tls_create_random(random); - _gnutls_set_client_random(session, random); - - memcpy(&data[pos], random, TLS_RANDOM_SIZE); - pos += TLS_RANDOM_SIZE; - - /* Copy the Session ID - */ - data[pos++] = session_id_len; - - if (session_id_len > 0) { - memcpy(&data[pos], SessionID, session_id_len); - pos += session_id_len; - } + if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0) { + gnutls_assert(); + gnutls_free(data); + return GNUTLS_E_INTERNAL_ERROR; + } + data[pos++] = _gnutls_version_get_major(hver); + data[pos++] = _gnutls_version_get_minor(hver); - /* Copy the ciphersuites. - */ - extdatalen = _gnutls_copy_ciphersuites(session, extdata, sizeof(extdata)); - if (extdatalen > 0) { - datalen += extdatalen; - data = gnutls_realloc_fast(data, datalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy(&data[pos], extdata, extdatalen); - pos += extdatalen; - - } else { - if (extdatalen == 0) - extdatalen = GNUTLS_E_INTERNAL_ERROR; - gnutls_free(data); - gnutls_assert(); - return extdatalen; - } + /* Set the version we advertized as maximum + * (RSA uses it). + */ + _gnutls_set_adv_version(session, hver); + + /* Some old implementations do not interoperate if we send a + * different version in the record layer. + * It seems they prefer to read the record's version + * as the one we actually requested. + * The proper behaviour is to use the one in the client hello + * handshake packet and ignore the one in the packet's record + * header. + */ + _gnutls_set_current_version(session, hver); + + /* In order to know when this session was initiated. + */ + session->security_parameters.timestamp = time(NULL); + /* Generate random data + */ + _gnutls_tls_create_random(random); + _gnutls_set_client_random(session, random); - /* Copy the compression methods. - */ - extdatalen = _gnutls_copy_comp_methods(session, extdata, sizeof(extdata)); - if (extdatalen > 0) { - datalen += extdatalen; - data = gnutls_realloc_fast(data, datalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy(&data[pos], extdata, extdatalen); - pos += extdatalen; - - } else { - if (extdatalen == 0) - extdatalen = GNUTLS_E_INTERNAL_ERROR; - gnutls_free(data); - gnutls_assert(); - return extdatalen; - } + memcpy(&data[pos], random, TLS_RANDOM_SIZE); + pos += TLS_RANDOM_SIZE; + + /* Copy the Session ID + */ + data[pos++] = session_id_len; + + if (session_id_len > 0) { + memcpy(&data[pos], SessionID, session_id_len); + pos += session_id_len; + } + + + /* Copy the ciphersuites. + */ + extdatalen = + _gnutls_copy_ciphersuites(session, extdata, sizeof(extdata)); + if (extdatalen > 0) { + datalen += extdatalen; + data = gnutls_realloc_fast(data, datalen); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + memcpy(&data[pos], extdata, extdatalen); + pos += extdatalen; + + } else { + if (extdatalen == 0) + extdatalen = GNUTLS_E_INTERNAL_ERROR; + gnutls_free(data); + gnutls_assert(); + return extdatalen; + } + + + /* Copy the compression methods. + */ + extdatalen = + _gnutls_copy_comp_methods(session, extdata, sizeof(extdata)); + if (extdatalen > 0) { + datalen += extdatalen; + data = gnutls_realloc_fast(data, datalen); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - /* Generate and copy TLS extensions. - */ - if (hver >= GNUTLS_TLS1) { - extdatalen = _gnutls_gen_extensions(session, extdata, sizeof(extdata)); - - if (extdatalen > 0) { - datalen += extdatalen; - data = gnutls_realloc_fast(data, datalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy(&data[pos], extdata, extdatalen); - } else if (extdatalen < 0) { - gnutls_assert(); - gnutls_free(data); - return extdatalen; - } + memcpy(&data[pos], extdata, extdatalen); + pos += extdatalen; + + } else { + if (extdatalen == 0) + extdatalen = GNUTLS_E_INTERNAL_ERROR; + gnutls_free(data); + gnutls_assert(); + return extdatalen; + } + + /* Generate and copy TLS extensions. + */ + if (hver >= GNUTLS_TLS1) { + extdatalen = + _gnutls_gen_extensions(session, extdata, sizeof(extdata)); + + if (extdatalen > 0) { + datalen += extdatalen; + data = gnutls_realloc_fast(data, datalen); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + + memcpy(&data[pos], extdata, extdatalen); + } else if (extdatalen < 0) { + gnutls_assert(); + gnutls_free(data); + return extdatalen; + } } + } - ret = - _gnutls_send_handshake(session, data, datalen, - GNUTLS_CLIENT_HELLO); - gnutls_free(data); + ret = + _gnutls_send_handshake(session, data, datalen, + GNUTLS_CLIENT_HELLO); + gnutls_free(data); - return ret; + return ret; } static int _gnutls_send_server_hello(gnutls_session session, int again) { - opaque *data = NULL; - opaque extdata[MAX_EXT_DATA_LENGTH]; - int extdatalen; - int pos = 0; - int datalen, ret = 0; - uint8 comp; - opaque *SessionID = session->security_parameters.session_id; - uint8 session_id_len = session->security_parameters.session_id_size; - opaque buf[2*TLS_MAX_SESSION_ID_SIZE+1]; + opaque *data = NULL; + opaque extdata[MAX_EXT_DATA_LENGTH]; + int extdatalen; + int pos = 0; + int datalen, ret = 0; + uint8 comp; + opaque *SessionID = session->security_parameters.session_id; + uint8 session_id_len = session->security_parameters.session_id_size; + opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1]; + + if (SessionID == NULL) + session_id_len = 0; + + datalen = 0; + + if (IS_SRP_KX + (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters.current_cipher_suite))) { + /* While resuming we cannot check the username extension since it is + * not available at this point. It will be copied on connection + * state activation. + */ + if (session->internals.resumed == RESUME_FALSE && + session->security_parameters.extensions.srp_username[0] == 0) { + /* The peer didn't send a valid SRP extension with the + * SRP username. The draft requires that we send an + * alert and start the handshake again. + */ + gnutls_assert(); + ret = gnutls_alert_send(session, GNUTLS_AL_WARNING, + GNUTLS_A_MISSING_SRP_USERNAME); + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (SessionID == NULL) - session_id_len = 0; - - datalen = 0; - - if (IS_SRP_KX( - _gnutls_cipher_suite_get_kx_algo( - &session->security_parameters.current_cipher_suite))) - { - /* While resuming we cannot check the username extension since it is - * not available at this point. It will be copied on connection - * state activation. - */ - if (session->internals.resumed == RESUME_FALSE && - session->security_parameters.extensions.srp_username[0] == 0) - { - /* The peer didn't send a valid SRP extension with the - * SRP username. The draft requires that we send an - * alert and start the handshake again. - */ - gnutls_assert(); - ret = gnutls_alert_send( session, GNUTLS_AL_WARNING, - GNUTLS_A_MISSING_SRP_USERNAME); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - return GNUTLS_E_INT_HANDSHAKE_AGAIN; - } + return GNUTLS_E_INT_HANDSHAKE_AGAIN; } + } - if (again == 0) { - datalen = 2 + session_id_len + 1 + TLS_RANDOM_SIZE + 3; - extdatalen = _gnutls_gen_extensions(session, extdata, sizeof(extdata)); + if (again == 0) { + datalen = 2 + session_id_len + 1 + TLS_RANDOM_SIZE + 3; + extdatalen = + _gnutls_gen_extensions(session, extdata, sizeof(extdata)); - if (extdatalen < 0) { - gnutls_assert(); - return extdatalen; - } + if (extdatalen < 0) { + gnutls_assert(); + return extdatalen; + } - data = gnutls_alloca(datalen + extdatalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + data = gnutls_alloca(datalen + extdatalen); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - data[pos++] = - _gnutls_version_get_major(session->security_parameters. - version); - data[pos++] = - _gnutls_version_get_minor(session->security_parameters. - version); - - memcpy(&data[pos], - session->security_parameters.server_random, - TLS_RANDOM_SIZE); - pos += TLS_RANDOM_SIZE; - - data[pos++] = session_id_len; - if (session_id_len > 0) { - memcpy(&data[pos], SessionID, session_id_len); - } - pos += session_id_len; + data[pos++] = + _gnutls_version_get_major(session->security_parameters. + version); + data[pos++] = + _gnutls_version_get_minor(session->security_parameters. + version); + + memcpy(&data[pos], + session->security_parameters.server_random, + TLS_RANDOM_SIZE); + pos += TLS_RANDOM_SIZE; + + data[pos++] = session_id_len; + if (session_id_len > 0) { + memcpy(&data[pos], SessionID, session_id_len); + } + pos += session_id_len; - _gnutls_handshake_log("HSK[%x]: SessionID: %s\n", session, - _gnutls_bin2hex(SessionID, session_id_len, buf, sizeof(buf))); + _gnutls_handshake_log("HSK[%x]: SessionID: %s\n", session, + _gnutls_bin2hex(SessionID, session_id_len, + buf, sizeof(buf))); - memcpy(&data[pos], - session->security_parameters. - current_cipher_suite.suite, 2); - pos += 2; + memcpy(&data[pos], + session->security_parameters.current_cipher_suite.suite, 2); + pos += 2; - comp = - (uint8) _gnutls_compression_get_num(session-> - internals. - compression_method); - data[pos++] = comp; + comp = + (uint8) _gnutls_compression_get_num(session-> + internals. + compression_method); + data[pos++] = comp; - if (extdatalen > 0) { - datalen += extdatalen; + if (extdatalen > 0) { + datalen += extdatalen; - memcpy(&data[pos], extdata, extdatalen); - } + memcpy(&data[pos], extdata, extdatalen); } + } - ret = - _gnutls_send_handshake(session, data, datalen, - GNUTLS_SERVER_HELLO); - gnutls_afree(data); + ret = + _gnutls_send_handshake(session, data, datalen, + GNUTLS_SERVER_HELLO); + gnutls_afree(data); - return ret; + return ret; } int _gnutls_send_hello(gnutls_session session, int again) { - int ret; + int ret; - if (session->security_parameters.entity == GNUTLS_CLIENT) { - ret = _gnutls_send_client_hello(session, again); + if (session->security_parameters.entity == GNUTLS_CLIENT) { + ret = _gnutls_send_client_hello(session, again); - } else { /* SERVER */ - ret = _gnutls_send_server_hello(session, again); - } + } else { /* SERVER */ + ret = _gnutls_send_server_hello(session, again); + } - return ret; + return ret; } /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a * hello message is expected. It uses the security_parameters.current_cipher_suite * and internals.compression_method. */ -int _gnutls_recv_hello(gnutls_session session, opaque *data, int datalen) +int _gnutls_recv_hello(gnutls_session session, opaque * data, int datalen) { - int ret; + int ret; - if (session->security_parameters.entity == GNUTLS_CLIENT) { - ret = _gnutls_read_server_hello(session, data, datalen); - if (ret < 0) { - gnutls_assert(); - return ret; - } - } else { /* Server side reading a client hello */ + if (session->security_parameters.entity == GNUTLS_CLIENT) { + ret = _gnutls_read_server_hello(session, data, datalen); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } else { /* Server side reading a client hello */ - ret = _gnutls_read_client_hello(session, data, datalen); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_read_client_hello(session, data, datalen); + if (ret < 0) { + gnutls_assert(); + return ret; } + } - return ret; + return ret; } /* The packets in gnutls_handshake (it's more broad than original TLS handshake) @@ -1821,64 +1855,67 @@ int _gnutls_recv_hello(gnutls_session session, opaque *data, int datalen) **/ int gnutls_rehandshake(gnutls_session session) { - int ret; + int ret; - /* only server sends that handshake packet */ - if (session->security_parameters.entity == GNUTLS_CLIENT) - return GNUTLS_E_INVALID_REQUEST; + /* only server sends that handshake packet */ + if (session->security_parameters.entity == GNUTLS_CLIENT) + return GNUTLS_E_INVALID_REQUEST; - ret = - _gnutls_send_empty_handshake(session, GNUTLS_HELLO_REQUEST, - AGAIN(STATE50)); - STATE = STATE50; + ret = + _gnutls_send_empty_handshake(session, GNUTLS_HELLO_REQUEST, + AGAIN(STATE50)); + STATE = STATE50; - if (ret < 0) { - gnutls_assert(); - return ret; - } - STATE = STATE0; + if (ret < 0) { + gnutls_assert(); + return ret; + } + STATE = STATE0; - return 0; + return 0; } -inline -static int _gnutls_abort_handshake( gnutls_session session, int ret) +inline static int _gnutls_abort_handshake(gnutls_session session, int ret) { - if ( ((ret==GNUTLS_E_WARNING_ALERT_RECEIVED) && - ( gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION)) - || ret==GNUTLS_E_GOT_APPLICATION_DATA) - return 0; + if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) && + (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION)) + || ret == GNUTLS_E_GOT_APPLICATION_DATA) + return 0; - /* this doesn't matter */ - return GNUTLS_E_INTERNAL_ERROR; + /* this doesn't matter */ + return GNUTLS_E_INTERNAL_ERROR; } /* This function initialized the handshake hash session. * required for finished messages. */ -inline -static int _gnutls_handshake_hash_init( gnutls_session session) { +inline static int _gnutls_handshake_hash_init(gnutls_session session) +{ - if ( session->internals.handshake_mac_handle_md5==NULL) { - session->internals.handshake_mac_handle_md5 = _gnutls_hash_init( GNUTLS_MAC_MD5); + if (session->internals.handshake_mac_handle_md5 == NULL) { + session->internals.handshake_mac_handle_md5 = + _gnutls_hash_init(GNUTLS_MAC_MD5); - if (session->internals.handshake_mac_handle_md5==GNUTLS_HASH_FAILED) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (session->internals.handshake_mac_handle_md5 == + GNUTLS_HASH_FAILED) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + } - if ( session->internals.handshake_mac_handle_sha==NULL) { - session->internals.handshake_mac_handle_sha = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (session->internals.handshake_mac_handle_sha==GNUTLS_HASH_FAILED) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (session->internals.handshake_mac_handle_sha == NULL) { + session->internals.handshake_mac_handle_sha = + _gnutls_hash_init(GNUTLS_MAC_SHA); + if (session->internals.handshake_mac_handle_sha == + GNUTLS_HASH_FAILED) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + } - return 0; -} + return 0; +} /** * gnutls_handshake - This is the main function in the handshake protocol. @@ -1906,43 +1943,43 @@ static int _gnutls_handshake_hash_init( gnutls_session session) { **/ int gnutls_handshake(gnutls_session session) { - int ret; + int ret; - if ( (ret=_gnutls_handshake_hash_init( session)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_handshake_hash_init(session)) < 0) { + gnutls_assert(); + return ret; + } + + if (session->security_parameters.entity == GNUTLS_CLIENT) { + ret = _gnutls_handshake_client(session); + } else { + ret = _gnutls_handshake_server(session); + } + if (ret < 0) { + /* In the case of a rehandshake abort + * we should reset the handshake's internal state. + */ + if (_gnutls_abort_handshake(session, ret) == 0) + STATE = STATE0; - if (session->security_parameters.entity == GNUTLS_CLIENT) { - ret = _gnutls_handshake_client(session); - } else { - ret = _gnutls_handshake_server(session); - } - if (ret < 0) { - /* In the case of a rehandshake abort - * we should reset the handshake's internal state. - */ - if (_gnutls_abort_handshake( session, ret) == 0) - STATE = STATE0; + return ret; + } - return ret; - } - - ret = _gnutls_handshake_common(session); + ret = _gnutls_handshake_common(session); - if (ret < 0) { - if (_gnutls_abort_handshake( session, ret) == 0) - STATE = STATE0; - - return ret; - } - - STATE = STATE0; + if (ret < 0) { + if (_gnutls_abort_handshake(session, ret) == 0) + STATE = STATE0; - _gnutls_handshake_io_buffer_clear(session); - _gnutls_handshake_internal_state_clear(session); + return ret; + } - return 0; + STATE = STATE0; + + _gnutls_handshake_io_buffer_clear(session); + _gnutls_handshake_internal_state_clear(session); + + return 0; } /* Here if GNUTLS_E_INT_HANDSHAKE_AGAIN is received we go to @@ -1975,162 +2012,154 @@ int gnutls_handshake(gnutls_session session) */ int _gnutls_handshake_client(gnutls_session session) { - int ret = 0; + int ret = 0; #ifdef HANDSHAKE_DEBUG - char buf[64]; - - if (session->internals.resumed_security_parameters. - session_id_size > 0) - _gnutls_handshake_log("HSK[%x]: Ask to resume: %s\n", session, - _gnutls_bin2hex(session->internals. - resumed_security_parameters. - session_id, - session->internals. - resumed_security_parameters. - session_id_size, buf, sizeof(buf))); + char buf[64]; + + if (session->internals.resumed_security_parameters.session_id_size > 0) + _gnutls_handshake_log("HSK[%x]: Ask to resume: %s\n", session, + _gnutls_bin2hex(session->internals. + resumed_security_parameters. + session_id, + session->internals. + resumed_security_parameters. + session_id_size, buf, + sizeof(buf))); #endif - restart: - - switch (STATE) { - case STATE0: - case STATE1: - ret = _gnutls_send_hello(session, AGAIN(STATE1)); - STATE = STATE1; - IMED_RET("send hello", ret); - - case STATE2: - /* receive the server hello */ - ret = - _gnutls_recv_handshake(session, NULL, NULL, - GNUTLS_SERVER_HELLO, - MANDATORY_PACKET); - STATE = STATE2; - IMED_RET("recv hello", ret); - - case STATE3: - /* RECV CERTIFICATE */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_server_certificate(session); - STATE = STATE3; - IMED_RET("recv server certificate", ret); - - case STATE4: - /* receive the server key exchange */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_server_kx_message(session); - STATE = STATE4; - IMED_RET("recv server kx message", ret); - - case STATE5: - /* receive the server certificate request - if any - */ - - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_recv_server_certificate_request(session); - STATE = STATE5; - IMED_RET("recv server certificate request message", ret); - - case STATE6: - /* receive the server hello done */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_recv_handshake(session, NULL, NULL, - GNUTLS_SERVER_HELLO_DONE, - MANDATORY_PACKET); - STATE = STATE6; - IMED_RET("recv server hello done", ret); - - case STATE7: - /* send our certificate - if any and if requested - */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_send_client_certificate(session, - AGAIN(STATE7)); - STATE = STATE7; - IMED_RET("send client certificate", ret); - - case STATE8: - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_send_client_kx_message(session, - AGAIN(STATE8)); - STATE = STATE8; - IMED_RET("send client kx", ret); - - case STATE9: - /* send client certificate verify */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_send_client_certificate_verify(session, - AGAIN - (STATE9)); - STATE = STATE9; - IMED_RET("send client certificate verify", ret); - - STATE = STATE0; - default: - break; - } + restart: + switch (STATE) { + case STATE0: + case STATE1: + ret = _gnutls_send_hello(session, AGAIN(STATE1)); + STATE = STATE1; + IMED_RET("send hello", ret); - return 0; + case STATE2: + /* receive the server hello */ + ret = + _gnutls_recv_handshake(session, NULL, NULL, + GNUTLS_SERVER_HELLO, MANDATORY_PACKET); + STATE = STATE2; + IMED_RET("recv hello", ret); + + case STATE3: + /* RECV CERTIFICATE */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_server_certificate(session); + STATE = STATE3; + IMED_RET("recv server certificate", ret); + + case STATE4: + /* receive the server key exchange */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_server_kx_message(session); + STATE = STATE4; + IMED_RET("recv server kx message", ret); + + case STATE5: + /* receive the server certificate request - if any + */ + + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_server_certificate_request(session); + STATE = STATE5; + IMED_RET("recv server certificate request message", ret); + + case STATE6: + /* receive the server hello done */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = + _gnutls_recv_handshake(session, NULL, NULL, + GNUTLS_SERVER_HELLO_DONE, + MANDATORY_PACKET); + STATE = STATE6; + IMED_RET("recv server hello done", ret); + + case STATE7: + /* send our certificate - if any and if requested + */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_send_client_certificate(session, AGAIN(STATE7)); + STATE = STATE7; + IMED_RET("send client certificate", ret); + + case STATE8: + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_send_client_kx_message(session, AGAIN(STATE8)); + STATE = STATE8; + IMED_RET("send client kx", ret); + + case STATE9: + /* send client certificate verify */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = + _gnutls_send_client_certificate_verify(session, + AGAIN(STATE9)); + STATE = STATE9; + IMED_RET("send client certificate verify", ret); + + STATE = STATE0; + default: + break; + } + + + return 0; } /* This function sends the final handshake packets and initializes connection */ static int _gnutls_send_handshake_final(gnutls_session session, int init) { - int ret = 0; - - /* Send the CHANGE CIPHER SPEC PACKET */ - - switch (STATE) { - case STATE0: - case STATE20: - ret = - _gnutls_send_change_cipher_spec(session, AGAIN(STATE20)); - STATE = STATE20; - if (ret < 0) { - ERR("send ChangeCipherSpec", ret); - gnutls_assert(); - return ret; - } + int ret = 0; - /* Initialize the connection session (start encryption) - in case of client - */ - if (init == TRUE) { - ret = _gnutls_connection_state_init(session); - if (ret < 0) { - gnutls_assert(); - return ret; - } - } + /* Send the CHANGE CIPHER SPEC PACKET */ - ret = _gnutls_write_connection_state_init(session); - if (ret < 0) { - gnutls_assert(); - return ret; - } + switch (STATE) { + case STATE0: + case STATE20: + ret = _gnutls_send_change_cipher_spec(session, AGAIN(STATE20)); + STATE = STATE20; + if (ret < 0) { + ERR("send ChangeCipherSpec", ret); + gnutls_assert(); + return ret; + } - case STATE21: - /* send the finished message */ - ret = _gnutls_send_finished(session, AGAIN(STATE21)); - STATE = STATE21; - if (ret < 0) { - ERR("send Finished", ret); - gnutls_assert(); - return ret; - } + /* Initialize the connection session (start encryption) - in case of client + */ + if (init == TRUE) { + ret = _gnutls_connection_state_init(session); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } - STATE = STATE0; - default: - break; + ret = _gnutls_write_connection_state_init(session); + if (ret < 0) { + gnutls_assert(); + return ret; } - return 0; + case STATE21: + /* send the finished message */ + ret = _gnutls_send_finished(session, AGAIN(STATE21)); + STATE = STATE21; + if (ret < 0) { + ERR("send Finished", ret); + gnutls_assert(); + return ret; + } + + STATE = STATE0; + default: + break; + } + + return 0; } /* This function receives the final handshake packets @@ -2139,54 +2168,52 @@ static int _gnutls_send_handshake_final(gnutls_session session, int init) */ static int _gnutls_recv_handshake_final(gnutls_session session, int init) { - int ret = 0; - uint8 ch; - - switch (STATE) { - case STATE0: - case STATE30: - ret = - _gnutls_recv_int(session, GNUTLS_CHANGE_CIPHER_SPEC, -1, - &ch, 1); - STATE = STATE30; - if (ret <= 0) { - ERR("recv ChangeCipherSpec", ret); - gnutls_assert(); - return (ret < - 0) ? ret : - GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + int ret = 0; + uint8 ch; - /* Initialize the connection session (start encryption) - in case of server */ - if (init == TRUE) { - ret = _gnutls_connection_state_init(session); - if (ret < 0) { - gnutls_assert(); - return ret; - } - } + switch (STATE) { + case STATE0: + case STATE30: + ret = + _gnutls_recv_int(session, GNUTLS_CHANGE_CIPHER_SPEC, -1, + &ch, 1); + STATE = STATE30; + if (ret <= 0) { + ERR("recv ChangeCipherSpec", ret); + gnutls_assert(); + return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + /* Initialize the connection session (start encryption) - in case of server */ + if (init == TRUE) { + ret = _gnutls_connection_state_init(session); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } - ret = _gnutls_read_connection_state_init(session); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_read_connection_state_init(session); + if (ret < 0) { + gnutls_assert(); + return ret; + } - case STATE31: - ret = _gnutls_recv_finished(session); - STATE = STATE31; - if (ret < 0) { - ERR("recv finished", ret); - gnutls_assert(); - return ret; - } - STATE = STATE0; - default: - break; + case STATE31: + ret = _gnutls_recv_finished(session); + STATE = STATE31; + if (ret < 0) { + ERR("recv finished", ret); + gnutls_assert(); + return ret; } + STATE = STATE0; + default: + break; + } - return 0; + return 0; } /* @@ -2196,236 +2223,231 @@ static int _gnutls_recv_handshake_final(gnutls_session session, int init) int _gnutls_handshake_server(gnutls_session session) { - int ret = 0; - - restart: - - switch (STATE) { - case STATE0: - case STATE1: - ret = - _gnutls_recv_handshake(session, NULL, NULL, - GNUTLS_CLIENT_HELLO, - MANDATORY_PACKET); - STATE = STATE1; - IMED_RET("recv hello", ret); - - case STATE2: - ret = _gnutls_send_hello(session, AGAIN(STATE2)); - STATE = STATE2; - IMED_RET("send hello", ret); - - /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */ - case STATE3: - /* NOTE: these should not be send if we are resuming */ - - if (session->internals.resumed == RESUME_FALSE) - ret = - _gnutls_send_server_certificate(session, - AGAIN(STATE3)); - STATE = STATE3; - IMED_RET("send server certificate", ret); - - case STATE4: - /* send server key exchange (A) */ - if (session->internals.resumed == RESUME_FALSE) - ret = - _gnutls_send_server_kx_message(session, - AGAIN(STATE4)); - STATE = STATE4; - IMED_RET("send server kx", ret); - - case STATE5: - /* Send certificate request - if requested to */ - if (session->internals.resumed == RESUME_FALSE) - ret = - _gnutls_send_server_certificate_request(session, - AGAIN - (STATE5)); - STATE = STATE5; - IMED_RET("send server cert request", ret); - - case STATE6: - /* send the server hello done */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_send_empty_handshake(session, - GNUTLS_SERVER_HELLO_DONE, - AGAIN(STATE6)); - STATE = STATE6; - IMED_RET("send server hello done", ret); - - - /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */ - case STATE7: - /* receive the client certificate message */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_client_certificate(session); - STATE = STATE7; - IMED_RET("recv client certificate", ret); - - case STATE8: - /* receive the client key exchange message */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_client_kx_message(session); - STATE = STATE8; - IMED_RET("recv client kx", ret); - - case STATE9: - /* receive the client certificate verify message */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_recv_client_certificate_verify_message - (session); - STATE = STATE9; - IMED_RET("recv client certificate verify", ret); - - STATE = STATE0; /* finished thus clear session */ - default: - break; - } + int ret = 0; - return 0; + restart: + + switch (STATE) { + case STATE0: + case STATE1: + ret = + _gnutls_recv_handshake(session, NULL, NULL, + GNUTLS_CLIENT_HELLO, MANDATORY_PACKET); + STATE = STATE1; + IMED_RET("recv hello", ret); + + case STATE2: + ret = _gnutls_send_hello(session, AGAIN(STATE2)); + STATE = STATE2; + IMED_RET("send hello", ret); + + /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */ + case STATE3: + /* NOTE: these should not be send if we are resuming */ + + if (session->internals.resumed == RESUME_FALSE) + ret = _gnutls_send_server_certificate(session, AGAIN(STATE3)); + STATE = STATE3; + IMED_RET("send server certificate", ret); + + case STATE4: + /* send server key exchange (A) */ + if (session->internals.resumed == RESUME_FALSE) + ret = _gnutls_send_server_kx_message(session, AGAIN(STATE4)); + STATE = STATE4; + IMED_RET("send server kx", ret); + + case STATE5: + /* Send certificate request - if requested to */ + if (session->internals.resumed == RESUME_FALSE) + ret = + _gnutls_send_server_certificate_request(session, + AGAIN(STATE5)); + STATE = STATE5; + IMED_RET("send server cert request", ret); + + case STATE6: + /* send the server hello done */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = + _gnutls_send_empty_handshake(session, + GNUTLS_SERVER_HELLO_DONE, + AGAIN(STATE6)); + STATE = STATE6; + IMED_RET("send server hello done", ret); + + + /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */ + case STATE7: + /* receive the client certificate message */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_client_certificate(session); + STATE = STATE7; + IMED_RET("recv client certificate", ret); + + case STATE8: + /* receive the client key exchange message */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_client_kx_message(session); + STATE = STATE8; + IMED_RET("recv client kx", ret); + + case STATE9: + /* receive the client certificate verify message */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_client_certificate_verify_message(session); + STATE = STATE9; + IMED_RET("recv client certificate verify", ret); + + STATE = STATE0; /* finished thus clear session */ + default: + break; + } + + return 0; } int _gnutls_handshake_common(gnutls_session session) { - int ret = 0; + int ret = 0; - restart: + restart: - /* send and recv the change cipher spec and finished messages */ - if ((session->internals.resumed == RESUME_TRUE - && session->security_parameters.entity == GNUTLS_CLIENT) - || (session->internals.resumed == RESUME_FALSE - && session->security_parameters.entity == GNUTLS_SERVER)) { - /* if we are a client resuming - or we are a server not resuming */ + /* send and recv the change cipher spec and finished messages */ + if ((session->internals.resumed == RESUME_TRUE + && session->security_parameters.entity == GNUTLS_CLIENT) + || (session->internals.resumed == RESUME_FALSE + && session->security_parameters.entity == GNUTLS_SERVER)) { + /* if we are a client resuming - or we are a server not resuming */ - ret = _gnutls_recv_handshake_final(session, TRUE); - IMED_RET("recv handshake final", ret); + ret = _gnutls_recv_handshake_final(session, TRUE); + IMED_RET("recv handshake final", ret); - ret = _gnutls_send_handshake_final(session, FALSE); - IMED_RET("send handshake final", ret); - } else { /* if we are a client not resuming - or we are a server resuming */ + ret = _gnutls_send_handshake_final(session, FALSE); + IMED_RET("send handshake final", ret); + } else { /* if we are a client not resuming - or we are a server resuming */ - ret = _gnutls_send_handshake_final(session, TRUE); - IMED_RET("send handshake final 2", ret); + ret = _gnutls_send_handshake_final(session, TRUE); + IMED_RET("send handshake final 2", ret); - ret = _gnutls_recv_handshake_final(session, FALSE); - IMED_RET("recv handshake final 2", ret); - } + ret = _gnutls_recv_handshake_final(session, FALSE); + IMED_RET("recv handshake final 2", ret); + } - if (session->security_parameters.entity == GNUTLS_SERVER) { - /* in order to support session resuming */ - _gnutls_server_register_current_session(session); - } + if (session->security_parameters.entity == GNUTLS_SERVER) { + /* in order to support session resuming */ + _gnutls_server_register_current_session(session); + } - /* clear handshake buffer */ - _gnutls_handshake_hash_buffers_clear(session); - return ret; + /* clear handshake buffer */ + _gnutls_handshake_hash_buffers_clear(session); + return ret; } -int _gnutls_generate_session_id(opaque *session_id, uint8 * len) +int _gnutls_generate_session_id(opaque * session_id, uint8 * len) { - *len = TLS_MAX_SESSION_ID_SIZE; + *len = TLS_MAX_SESSION_ID_SIZE; - if (_gnutls_get_random(session_id, *len, GNUTLS_WEAK_RANDOM) < - 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (_gnutls_get_random(session_id, *len, GNUTLS_WEAK_RANDOM) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - return 0; + return 0; } int _gnutls_recv_hello_request(gnutls_session session, void *data, uint32 data_size) { - uint8 type; + uint8 type; - if (session->security_parameters.entity == GNUTLS_SERVER) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET; - } - if (data_size < 1) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - type = ((uint8 *) data)[0]; - if (type == GNUTLS_HELLO_REQUEST) - return GNUTLS_E_REHANDSHAKE; - else { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET; - } + if (session->security_parameters.entity == GNUTLS_SERVER) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET; + } + if (data_size < 1) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + type = ((uint8 *) data)[0]; + if (type == GNUTLS_HELLO_REQUEST) + return GNUTLS_E_REHANDSHAKE; + else { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET; + } } /* Returns 1 if the given KX has not the corresponding parameters * (DH or RSA) set up. Otherwise returns 0. */ -inline static int check_server_params( gnutls_session session, gnutls_kx_algorithm kx, - gnutls_kx_algorithm* alg, int alg_size) +inline static int check_server_params(gnutls_session session, + gnutls_kx_algorithm kx, + gnutls_kx_algorithm * alg, + int alg_size) { - int cred_type; - const gnutls_certificate_credentials x509_cred; - const gnutls_anon_server_credentials anon_cred; - gnutls_dh_params dh_params = NULL; - gnutls_rsa_params rsa_params = NULL; - int j, remove; - - cred_type = _gnutls_map_kx_get_cred( kx, 1); - - if (cred_type == GNUTLS_CRD_CERTIFICATE) { - x509_cred = - _gnutls_get_cred(session->key, cred_type, NULL); - - if (x509_cred != NULL) { - dh_params = _gnutls_certificate_get_dh_params(x509_cred, session); - rsa_params = _gnutls_certificate_get_rsa_params(x509_cred, session); - } + int cred_type; + const gnutls_certificate_credentials x509_cred; + const gnutls_anon_server_credentials anon_cred; + gnutls_dh_params dh_params = NULL; + gnutls_rsa_params rsa_params = NULL; + int j, remove; - /* Check also if the certificate supports the - * KX method. - */ - remove = 1; - for (j = 0; j < alg_size; j++) { - if (alg[j] == kx) { - remove = 0; - break; - } - } - - if (remove == 1) return 1; + cred_type = _gnutls_map_kx_get_cred(kx, 1); -#ifdef ENABLE_ANON - } else if ( cred_type == GNUTLS_CRD_ANON) { - anon_cred = - _gnutls_get_cred(session->key, cred_type, NULL); - - if (anon_cred != NULL) { - dh_params = _gnutls_anon_get_dh_params(anon_cred, session); - } -#endif - } else return 0; /* no need for params */ + if (cred_type == GNUTLS_CRD_CERTIFICATE) { + x509_cred = _gnutls_get_cred(session->key, cred_type, NULL); + if (x509_cred != NULL) { + dh_params = + _gnutls_certificate_get_dh_params(x509_cred, session); + rsa_params = + _gnutls_certificate_get_rsa_params(x509_cred, session); + } - /* If the key exchange method needs RSA or DH params, - * but they are not set then remove it. + /* Check also if the certificate supports the + * KX method. */ - if (_gnutls_kx_needs_rsa_params( kx) != 0) { - /* needs rsa params. */ - if (_gnutls_get_rsa_params( rsa_params)==NULL) - return 1; - } - - if (_gnutls_kx_needs_dh_params( kx) != 0) { - /* needs DH params. */ - if (_gnutls_get_dh_params( dh_params)==NULL) - return 1; + remove = 1; + for (j = 0; j < alg_size; j++) { + if (alg[j] == kx) { + remove = 0; + break; + } } - return 0; + if (remove == 1) + return 1; + +#ifdef ENABLE_ANON + } else if (cred_type == GNUTLS_CRD_ANON) { + anon_cred = _gnutls_get_cred(session->key, cred_type, NULL); + + if (anon_cred != NULL) { + dh_params = _gnutls_anon_get_dh_params(anon_cred, session); + } +#endif + } else + return 0; /* no need for params */ + + + /* If the key exchange method needs RSA or DH params, + * but they are not set then remove it. + */ + if (_gnutls_kx_needs_rsa_params(kx) != 0) { + /* needs rsa params. */ + if (_gnutls_get_rsa_params(rsa_params) == NULL) + return 1; + } + + if (_gnutls_kx_needs_dh_params(kx) != 0) { + /* needs DH params. */ + if (_gnutls_get_dh_params(dh_params) == NULL) + return 1; + } + + return 0; } /* This function will remove algorithms that are not supported by @@ -2437,103 +2459,107 @@ inline static int check_server_params( gnutls_session session, gnutls_kx_algorit */ int _gnutls_remove_unwanted_ciphersuites(gnutls_session session, cipher_suite_st ** - cipherSuites, int numCipherSuites, - gnutls_pk_algorithm requested_pk_algo) + cipherSuites, int numCipherSuites, + gnutls_pk_algorithm + requested_pk_algo) { - int ret = 0; - cipher_suite_st *newSuite, cs; - int newSuiteSize = 0, i, remove; - const gnutls_certificate_credentials x509_cred; - gnutls_kx_algorithm kx; - int server = session->security_parameters.entity==GNUTLS_SERVER?1:0; - gnutls_kx_algorithm *alg; - int alg_size; - - /* if we should use a specific certificate, - * we should remove all algorithms that are not supported - * by that certificate and are on the same authentication - * method (CERTIFICATE). - */ + int ret = 0; + cipher_suite_st *newSuite, cs; + int newSuiteSize = 0, i, remove; + const gnutls_certificate_credentials x509_cred; + gnutls_kx_algorithm kx; + int server = + session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0; + gnutls_kx_algorithm *alg; + int alg_size; + + /* if we should use a specific certificate, + * we should remove all algorithms that are not supported + * by that certificate and are on the same authentication + * method (CERTIFICATE). + */ + + x509_cred = + _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + + /* if x509_cred==NULL we should remove all X509 ciphersuites + */ + + if (session->security_parameters.entity == GNUTLS_SERVER + && x509_cred != NULL) { + ret = _gnutls_server_select_cert(session, requested_pk_algo); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } - x509_cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + /* get all the key exchange algorithms that are + * supported by the X509 certificate parameters. + */ + if ((ret = + _gnutls_selected_cert_supported_kx(session, &alg, + &alg_size)) < 0) { + gnutls_assert(); + return ret; + } - /* if x509_cred==NULL we should remove all X509 ciphersuites + newSuite = gnutls_malloc(numCipherSuites * sizeof(cipher_suite_st)); + if (newSuite == NULL) { + gnutls_assert(); + gnutls_free(alg); + return GNUTLS_E_MEMORY_ERROR; + } + + /* now removes ciphersuites based on the KX algorithm + */ + for (i = 0; i < numCipherSuites; i++) { + /* finds the key exchange algorithm in + * the ciphersuite */ + kx = _gnutls_cipher_suite_get_kx_algo(&(*cipherSuites)[i]); + remove = 0; - if (session->security_parameters.entity == GNUTLS_SERVER && x509_cred != NULL) { - ret = _gnutls_server_select_cert(session, requested_pk_algo); - if (ret < 0) { - gnutls_assert(); - return ret; - } - } - - /* get all the key exchange algorithms that are - * supported by the X509 certificate parameters. + /* if it is defined but had no credentials */ - if ((ret = - _gnutls_selected_cert_supported_kx(session, &alg, - &alg_size)) < 0) { - gnutls_assert(); - return ret; - } + if (_gnutls_get_kx_cred(session, kx, NULL) == NULL) { + remove = 1; + } else { + remove = 0; - newSuite = - gnutls_malloc(numCipherSuites * sizeof(cipher_suite_st)); - if (newSuite == NULL) { - gnutls_assert(); - gnutls_free(alg); - return GNUTLS_E_MEMORY_ERROR; + if (server) + remove = check_server_params(session, kx, alg, alg_size); } - /* now removes ciphersuites based on the KX algorithm - */ - for (i = 0; i < numCipherSuites; i++) { - /* finds the key exchange algorithm in - * the ciphersuite - */ - kx = _gnutls_cipher_suite_get_kx_algo(&(*cipherSuites)[i]); - remove = 0; - /* if it is defined but had no credentials - */ - if (_gnutls_get_kx_cred(session, kx, NULL) == NULL) { - remove = 1; - } else { - remove = 0; - if (server) - remove = check_server_params( session, kx, alg, alg_size); - } - - - - memcpy( &cs.suite, &(*cipherSuites)[i].suite, 2); + memcpy(&cs.suite, &(*cipherSuites)[i].suite, 2); - if (remove == 0) { + if (remove == 0) { - _gnutls_handshake_log("HSK[%x]: Keeping ciphersuite: %s\n", session, - _gnutls_cipher_suite_get_name(&cs)); + _gnutls_handshake_log("HSK[%x]: Keeping ciphersuite: %s\n", + session, + _gnutls_cipher_suite_get_name(&cs)); - memcpy(newSuite[newSuiteSize].suite, - (*cipherSuites)[i].suite, 2); - newSuiteSize++; - } else { - _gnutls_handshake_log("HSK[%x]: Removing ciphersuite: %s\n", session, - _gnutls_cipher_suite_get_name(&cs)); + memcpy(newSuite[newSuiteSize].suite, + (*cipherSuites)[i].suite, 2); + newSuiteSize++; + } else { + _gnutls_handshake_log("HSK[%x]: Removing ciphersuite: %s\n", + session, + _gnutls_cipher_suite_get_name(&cs)); - } } + } - gnutls_free(alg); - gnutls_free(*cipherSuites); - *cipherSuites = newSuite; + gnutls_free(alg); + gnutls_free(*cipherSuites); + *cipherSuites = newSuite; - ret = newSuiteSize; + ret = newSuiteSize; - return ret; + return ret; } @@ -2548,18 +2574,23 @@ int _gnutls_remove_unwanted_ciphersuites(gnutls_session session, * to set an upper limit. * **/ -void gnutls_handshake_set_max_packet_length(gnutls_session session, int max) +void gnutls_handshake_set_max_packet_length(gnutls_session session, + int max) { - session->internals.max_handshake_data_buffer_size = max; + session->internals.max_handshake_data_buffer_size = max; } -void _gnutls_set_adv_version( gnutls_session session, gnutls_protocol_version ver) { - set_adv_version( session, _gnutls_version_get_major(ver), _gnutls_version_get_minor(ver)); +void _gnutls_set_adv_version(gnutls_session session, + gnutls_protocol_version ver) +{ + set_adv_version(session, _gnutls_version_get_major(ver), + _gnutls_version_get_minor(ver)); } -gnutls_protocol_version _gnutls_get_adv_version( gnutls_session session) { - return _gnutls_version_get( _gnutls_get_adv_version_major( session), - _gnutls_get_adv_version_minor( session)); +gnutls_protocol_version _gnutls_get_adv_version(gnutls_session session) +{ + return _gnutls_version_get(_gnutls_get_adv_version_major(session), + _gnutls_get_adv_version_minor(session)); } /** @@ -2572,9 +2603,10 @@ gnutls_protocol_version _gnutls_get_adv_version( gnutls_session session) { * * Check gnutls.h for the available handshake descriptions. **/ -gnutls_handshake_description gnutls_handshake_get_last_in( gnutls_session session) +gnutls_handshake_description gnutls_handshake_get_last_in(gnutls_session + session) { - return session->internals.last_handshake_in; + return session->internals.last_handshake_in; } /** @@ -2588,8 +2620,8 @@ gnutls_handshake_description gnutls_handshake_get_last_in( gnutls_session sessio * Check gnutls.h for the available handshake descriptions. * **/ -gnutls_handshake_description gnutls_handshake_get_last_out( gnutls_session session) +gnutls_handshake_description gnutls_handshake_get_last_out(gnutls_session + session) { - return session->internals.last_handshake_out; + return session->internals.last_handshake_out; } - diff --git a/lib/gnutls_handshake.h b/lib/gnutls_handshake.h index 5a86c9be74..52bb61dc9d 100644 --- a/lib/gnutls_handshake.h +++ b/lib/gnutls_handshake.h @@ -20,24 +20,32 @@ typedef enum Optional { OPTIONAL_PACKET, MANDATORY_PACKET } Optional; -int _gnutls_send_handshake( gnutls_session session, void* i_data, uint32 i_datasize, HandshakeType type); -int gnutls_send_hello_request( gnutls_session session); -int _gnutls_recv_hello_request( gnutls_session session, void* data, uint32 data_size); -int _gnutls_send_hello( gnutls_session session, int again); -int _gnutls_recv_hello( gnutls_session session, opaque* data, int datalen); -int gnutls_handshake( gnutls_session session); -int _gnutls_recv_handshake( gnutls_session session, uint8**, int*, HandshakeType, Optional optional); -int _gnutls_generate_session_id( opaque* session_id, uint8* len); -int _gnutls_handshake_common( gnutls_session session); -int _gnutls_handshake_client( gnutls_session session); -int _gnutls_handshake_server( gnutls_session session); -void _gnutls_set_server_random( gnutls_session session, uint8* random); -void _gnutls_set_client_random( gnutls_session session, uint8* random); -int _gnutls_tls_create_random( opaque* dst); -int _gnutls_remove_unwanted_ciphersuites( gnutls_session session, cipher_suite_st ** cipherSuites, int numCipherSuites, gnutls_pk_algorithm); -void gnutls_handshake_set_max_packet_length( gnutls_session session, int max); -int _gnutls_find_pk_algos_in_ciphersuites( opaque* data, int datalen); -int _gnutls_server_select_suite(gnutls_session session, opaque *data, int datalen); +int _gnutls_send_handshake(gnutls_session session, void *i_data, + uint32 i_datasize, HandshakeType type); +int gnutls_send_hello_request(gnutls_session session); +int _gnutls_recv_hello_request(gnutls_session session, void *data, + uint32 data_size); +int _gnutls_send_hello(gnutls_session session, int again); +int _gnutls_recv_hello(gnutls_session session, opaque * data, int datalen); +int gnutls_handshake(gnutls_session session); +int _gnutls_recv_handshake(gnutls_session session, uint8 **, int *, + HandshakeType, Optional optional); +int _gnutls_generate_session_id(opaque * session_id, uint8 * len); +int _gnutls_handshake_common(gnutls_session session); +int _gnutls_handshake_client(gnutls_session session); +int _gnutls_handshake_server(gnutls_session session); +void _gnutls_set_server_random(gnutls_session session, uint8 * random); +void _gnutls_set_client_random(gnutls_session session, uint8 * random); +int _gnutls_tls_create_random(opaque * dst); +int _gnutls_remove_unwanted_ciphersuites(gnutls_session session, + cipher_suite_st ** cipherSuites, + int numCipherSuites, + gnutls_pk_algorithm); +void gnutls_handshake_set_max_packet_length(gnutls_session session, + int max); +int _gnutls_find_pk_algos_in_ciphersuites(opaque * data, int datalen); +int _gnutls_server_select_suite(gnutls_session session, opaque * data, + int datalen); #define STATE session->internals.handshake_state /* This returns true if we have got there diff --git a/lib/gnutls_hash_int.c b/lib/gnutls_hash_int.c index 7cecfa705c..af09e431e1 100644 --- a/lib/gnutls_hash_int.c +++ b/lib/gnutls_hash_int.c @@ -31,360 +31,365 @@ GNUTLS_HASH_HANDLE _gnutls_hash_init(gnutls_mac_algorithm algorithm) { - mac_hd_t ret; - gcry_error_t result; - - ret = gnutls_malloc(sizeof(mac_hd_t_INT)); - if (ret == NULL) { - gnutls_assert(); - return GNUTLS_HASH_FAILED; - } - - ret->algorithm = algorithm; - - switch (algorithm) { - case GNUTLS_MAC_SHA: - result = gcry_md_open( &ret->handle, GCRY_MD_SHA1, 0); - break; - case GNUTLS_MAC_MD5: - result = gcry_md_open( &ret->handle, GCRY_MD_MD5, 0); - break; - case GNUTLS_MAC_RMD160: - result = gcry_md_open( &ret->handle, GCRY_MD_RMD160, 0); - break; - default: - gnutls_assert(); - result = -1; - } - - if (result) { - gnutls_assert(); - gnutls_free(ret); - ret = GNUTLS_HASH_FAILED; - } - - return ret; + mac_hd_t ret; + gcry_error_t result; + + ret = gnutls_malloc(sizeof(mac_hd_t_INT)); + if (ret == NULL) { + gnutls_assert(); + return GNUTLS_HASH_FAILED; + } + + ret->algorithm = algorithm; + + switch (algorithm) { + case GNUTLS_MAC_SHA: + result = gcry_md_open(&ret->handle, GCRY_MD_SHA1, 0); + break; + case GNUTLS_MAC_MD5: + result = gcry_md_open(&ret->handle, GCRY_MD_MD5, 0); + break; + case GNUTLS_MAC_RMD160: + result = gcry_md_open(&ret->handle, GCRY_MD_RMD160, 0); + break; + default: + gnutls_assert(); + result = -1; + } + + if (result) { + gnutls_assert(); + gnutls_free(ret); + ret = GNUTLS_HASH_FAILED; + } + + return ret; } int _gnutls_hash_get_algo_len(gnutls_mac_algorithm algorithm) { - int ret; - - switch (algorithm) { - case GNUTLS_MAC_SHA: - ret = gcry_md_get_algo_dlen(GCRY_MD_SHA1); - break; - case GNUTLS_MAC_MD5: - ret = gcry_md_get_algo_dlen(GCRY_MD_MD5); - break; - case GNUTLS_MAC_RMD160: - ret = gcry_md_get_algo_dlen(GCRY_MD_RMD160); - break; - default: - ret = 0; break; - } - - return ret; + int ret; + + switch (algorithm) { + case GNUTLS_MAC_SHA: + ret = gcry_md_get_algo_dlen(GCRY_MD_SHA1); + break; + case GNUTLS_MAC_MD5: + ret = gcry_md_get_algo_dlen(GCRY_MD_MD5); + break; + case GNUTLS_MAC_RMD160: + ret = gcry_md_get_algo_dlen(GCRY_MD_RMD160); + break; + default: + ret = 0; + break; + } + + return ret; } -int _gnutls_hash(GNUTLS_HASH_HANDLE handle, const void *text, size_t textlen) +int _gnutls_hash(GNUTLS_HASH_HANDLE handle, const void *text, + size_t textlen) { - if (textlen > 0) - gcry_md_write(handle->handle, text, textlen); - return 0; + if (textlen > 0) + gcry_md_write(handle->handle, text, textlen); + return 0; } GNUTLS_HASH_HANDLE _gnutls_hash_copy(GNUTLS_HASH_HANDLE handle) { - GNUTLS_HASH_HANDLE ret; - gcry_error_t result; + GNUTLS_HASH_HANDLE ret; + gcry_error_t result; - ret = gnutls_malloc(sizeof(mac_hd_t_INT)); + ret = gnutls_malloc(sizeof(mac_hd_t_INT)); - if (ret == NULL) - return GNUTLS_HASH_FAILED; + if (ret == NULL) + return GNUTLS_HASH_FAILED; - ret->algorithm = handle->algorithm; - ret->key = NULL; /* it's a hash anyway */ - ret->keysize = 0; + ret->algorithm = handle->algorithm; + ret->key = NULL; /* it's a hash anyway */ + ret->keysize = 0; - result = gcry_md_copy( &ret->handle, handle->handle); + result = gcry_md_copy(&ret->handle, handle->handle); - if (result) { - gnutls_free(ret); - return GNUTLS_HASH_FAILED; - } + if (result) { + gnutls_free(ret); + return GNUTLS_HASH_FAILED; + } - return ret; + return ret; } void _gnutls_hash_deinit(GNUTLS_HASH_HANDLE handle, void *digest) { - opaque *mac; - int maclen; + opaque *mac; + int maclen; - maclen = _gnutls_hash_get_algo_len( handle->algorithm); + maclen = _gnutls_hash_get_algo_len(handle->algorithm); - gcry_md_final(handle->handle); - mac = gcry_md_read(handle->handle, 0); - if (digest != NULL) - memcpy(digest, mac, maclen); + gcry_md_final(handle->handle); + mac = gcry_md_read(handle->handle, 0); + if (digest != NULL) + memcpy(digest, mac, maclen); - gcry_md_close(handle->handle); + gcry_md_close(handle->handle); - gnutls_free(handle); + gnutls_free(handle); } mac_hd_t _gnutls_hmac_init(gnutls_mac_algorithm algorithm, - const void *key, int keylen) + const void *key, int keylen) { - mac_hd_t ret; - gcry_error_t result; - - ret = gnutls_malloc(sizeof(mac_hd_t_INT)); - if (ret == NULL) - return GNUTLS_MAC_FAILED; - - switch (algorithm) { - case GNUTLS_MAC_SHA: - result = gcry_md_open(&ret->handle, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); - break; - case GNUTLS_MAC_MD5: - result = gcry_md_open(&ret->handle, GCRY_MD_MD5, GCRY_MD_FLAG_HMAC); - break; - case GNUTLS_MAC_RMD160: - result = gcry_md_open(&ret->handle, GCRY_MD_RMD160, GCRY_MD_FLAG_HMAC); - break; - default: - result = -1; - } - - if (result) { - gnutls_free(ret); - ret = GNUTLS_MAC_FAILED; - } - - if (ret != GNUTLS_MAC_FAILED) { - gcry_md_setkey(ret->handle, key, keylen); + mac_hd_t ret; + gcry_error_t result; + + ret = gnutls_malloc(sizeof(mac_hd_t_INT)); + if (ret == NULL) + return GNUTLS_MAC_FAILED; + + switch (algorithm) { + case GNUTLS_MAC_SHA: + result = + gcry_md_open(&ret->handle, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); + break; + case GNUTLS_MAC_MD5: + result = + gcry_md_open(&ret->handle, GCRY_MD_MD5, GCRY_MD_FLAG_HMAC); + break; + case GNUTLS_MAC_RMD160: + result = + gcry_md_open(&ret->handle, GCRY_MD_RMD160, GCRY_MD_FLAG_HMAC); + break; + default: + result = -1; + } + + if (result) { + gnutls_free(ret); + ret = GNUTLS_MAC_FAILED; + } + + if (ret != GNUTLS_MAC_FAILED) { + gcry_md_setkey(ret->handle, key, keylen); - ret->algorithm = algorithm; - ret->key = key; - ret->keysize = keylen; - } + ret->algorithm = algorithm; + ret->key = key; + ret->keysize = keylen; + } - return ret; + return ret; } void _gnutls_hmac_deinit(mac_hd_t handle, void *digest) { - opaque *mac; - int maclen; + opaque *mac; + int maclen; - maclen = _gnutls_hash_get_algo_len( handle->algorithm); + maclen = _gnutls_hash_get_algo_len(handle->algorithm); - gcry_md_final(handle->handle); - mac = gcry_md_read(handle->handle, 0); + gcry_md_final(handle->handle); + mac = gcry_md_read(handle->handle, 0); - if (digest != NULL) - memcpy(digest, mac, maclen); + if (digest != NULL) + memcpy(digest, mac, maclen); - gcry_md_close(handle->handle); + gcry_md_close(handle->handle); - gnutls_free(handle); + gnutls_free(handle); } -inline static int get_padsize( gnutls_mac_algorithm algorithm) +inline static int get_padsize(gnutls_mac_algorithm algorithm) { - switch (algorithm) { - case GNUTLS_MAC_MD5: - return 48; - case GNUTLS_MAC_SHA: - return 40; - default: - return 0; - } + switch (algorithm) { + case GNUTLS_MAC_MD5: + return 48; + case GNUTLS_MAC_SHA: + return 40; + default: + return 0; + } } mac_hd_t _gnutls_mac_init_ssl3(gnutls_mac_algorithm algorithm, void *key, - int keylen) + int keylen) { - mac_hd_t ret; - opaque ipad[48]; - int padsize; - - padsize = get_padsize( algorithm); - if (padsize == 0) { - gnutls_assert(); - return GNUTLS_MAC_FAILED; - } + mac_hd_t ret; + opaque ipad[48]; + int padsize; - memset(ipad, 0x36, padsize); + padsize = get_padsize(algorithm); + if (padsize == 0) { + gnutls_assert(); + return GNUTLS_MAC_FAILED; + } - ret = _gnutls_hash_init(algorithm); - if (ret != GNUTLS_HASH_FAILED) { - ret->key = key; - ret->keysize = keylen; + memset(ipad, 0x36, padsize); - if (keylen > 0) - _gnutls_hash(ret, key, keylen); - _gnutls_hash(ret, ipad, padsize); - } + ret = _gnutls_hash_init(algorithm); + if (ret != GNUTLS_HASH_FAILED) { + ret->key = key; + ret->keysize = keylen; - return ret; + if (keylen > 0) + _gnutls_hash(ret, key, keylen); + _gnutls_hash(ret, ipad, padsize); + } + + return ret; } void _gnutls_mac_deinit_ssl3(mac_hd_t handle, void *digest) { - opaque ret[MAX_HASH_SIZE]; - mac_hd_t td; - opaque opad[48]; - int padsize; - int block; - - padsize = get_padsize( handle->algorithm); - if (padsize == 0) { - gnutls_assert(); - return; - } - - memset(opad, 0x5C, padsize); - - td = _gnutls_hash_init(handle->algorithm); - if (td != GNUTLS_MAC_FAILED) { - if (handle->keysize > 0) - _gnutls_hash(td, handle->key, handle->keysize); + opaque ret[MAX_HASH_SIZE]; + mac_hd_t td; + opaque opad[48]; + int padsize; + int block; + + padsize = get_padsize(handle->algorithm); + if (padsize == 0) { + gnutls_assert(); + return; + } + + memset(opad, 0x5C, padsize); + + td = _gnutls_hash_init(handle->algorithm); + if (td != GNUTLS_MAC_FAILED) { + if (handle->keysize > 0) + _gnutls_hash(td, handle->key, handle->keysize); + + _gnutls_hash(td, opad, padsize); + block = _gnutls_hmac_get_algo_len(handle->algorithm); + _gnutls_hash_deinit(handle, ret); /* get the previous hash */ + _gnutls_hash(td, ret, block); - _gnutls_hash(td, opad, padsize); - block = _gnutls_hmac_get_algo_len(handle->algorithm); - _gnutls_hash_deinit(handle, ret); /* get the previous hash */ - _gnutls_hash(td, ret, block); - - _gnutls_hash_deinit(td, digest); - } + _gnutls_hash_deinit(td, digest); + } } void _gnutls_mac_deinit_ssl3_handshake(mac_hd_t handle, void *digest, opaque * key, uint32 key_size) { - opaque ret[MAX_HASH_SIZE]; - mac_hd_t td; - opaque opad[48]; - opaque ipad[48]; - int padsize; - int block; - - padsize = get_padsize( handle->algorithm); - if (padsize == 0) { - gnutls_assert(); - return; - } + opaque ret[MAX_HASH_SIZE]; + mac_hd_t td; + opaque opad[48]; + opaque ipad[48]; + int padsize; + int block; - memset(opad, 0x5C, padsize); - memset(ipad, 0x36, padsize); + padsize = get_padsize(handle->algorithm); + if (padsize == 0) { + gnutls_assert(); + return; + } - td = _gnutls_hash_init(handle->algorithm); - if (td != GNUTLS_HASH_FAILED) { - if (key_size > 0) - _gnutls_hash(td, key, key_size); + memset(opad, 0x5C, padsize); + memset(ipad, 0x36, padsize); - _gnutls_hash(td, opad, padsize); - block = _gnutls_hmac_get_algo_len(handle->algorithm); + td = _gnutls_hash_init(handle->algorithm); + if (td != GNUTLS_HASH_FAILED) { + if (key_size > 0) + _gnutls_hash(td, key, key_size); - if (key_size > 0) - _gnutls_hash(handle, key, key_size); - _gnutls_hash(handle, ipad, padsize); - _gnutls_hash_deinit(handle, ret); /* get the previous hash */ + _gnutls_hash(td, opad, padsize); + block = _gnutls_hmac_get_algo_len(handle->algorithm); - _gnutls_hash(td, ret, block); + if (key_size > 0) + _gnutls_hash(handle, key, key_size); + _gnutls_hash(handle, ipad, padsize); + _gnutls_hash_deinit(handle, ret); /* get the previous hash */ - _gnutls_hash_deinit(td, digest); - } + _gnutls_hash(td, ret, block); + + _gnutls_hash_deinit(td, digest); + } } -static int ssl3_sha(int i, opaque *secret, int secret_len, opaque *random, - int random_len, void *digest) +static int ssl3_sha(int i, opaque * secret, int secret_len, + opaque * random, int random_len, void *digest) { - int j; - opaque text1[26]; + int j; + opaque text1[26]; - GNUTLS_HASH_HANDLE td; + GNUTLS_HASH_HANDLE td; - for (j = 0; j < i + 1; j++) { - text1[j] = 65 + i; /* A==65 */ - } + for (j = 0; j < i + 1; j++) { + text1[j] = 65 + i; /* A==65 */ + } - td = _gnutls_hash_init(GNUTLS_MAC_SHA); - if (td == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } + td = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (td == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - _gnutls_hash(td, text1, i + 1); - _gnutls_hash(td, secret, secret_len); - _gnutls_hash(td, random, random_len); + _gnutls_hash(td, text1, i + 1); + _gnutls_hash(td, secret, secret_len); + _gnutls_hash(td, random, random_len); - _gnutls_hash_deinit(td, digest); - return 0; + _gnutls_hash_deinit(td, digest); + return 0; } -static int ssl3_md5(int i, opaque *secret, int secret_len, opaque *random, - int random_len, void *digest) +static int ssl3_md5(int i, opaque * secret, int secret_len, + opaque * random, int random_len, void *digest) { - opaque tmp[MAX_HASH_SIZE]; - mac_hd_t td; - int ret; - - td = _gnutls_hash_init(GNUTLS_MAC_MD5); - if (td == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } + opaque tmp[MAX_HASH_SIZE]; + mac_hd_t td; + int ret; - _gnutls_hash(td, secret, secret_len); + td = _gnutls_hash_init(GNUTLS_MAC_MD5); + if (td == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - ret = ssl3_sha(i, secret, secret_len, random, random_len, tmp); - if (ret < 0) { - gnutls_assert(); - _gnutls_hash_deinit(td, digest); - return ret; - } - - _gnutls_hash(td, tmp, _gnutls_hash_get_algo_len(GNUTLS_MAC_SHA)); + _gnutls_hash(td, secret, secret_len); + ret = ssl3_sha(i, secret, secret_len, random, random_len, tmp); + if (ret < 0) { + gnutls_assert(); _gnutls_hash_deinit(td, digest); - return 0; + return ret; + } + + _gnutls_hash(td, tmp, _gnutls_hash_get_algo_len(GNUTLS_MAC_SHA)); + + _gnutls_hash_deinit(td, digest); + return 0; } int _gnutls_ssl3_hash_md5(void *first, int first_len, void *second, int second_len, int ret_len, opaque * ret) { - opaque digest[MAX_HASH_SIZE]; - mac_hd_t td; - int block = _gnutls_hash_get_algo_len(GNUTLS_MAC_MD5); - - td = _gnutls_hash_init(GNUTLS_MAC_MD5); - if (td == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } + opaque digest[MAX_HASH_SIZE]; + mac_hd_t td; + int block = _gnutls_hash_get_algo_len(GNUTLS_MAC_MD5); - _gnutls_hash(td, first, first_len); - _gnutls_hash(td, second, second_len); + td = _gnutls_hash_init(GNUTLS_MAC_MD5); + if (td == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - _gnutls_hash_deinit(td, digest); + _gnutls_hash(td, first, first_len); + _gnutls_hash(td, second, second_len); - if (ret_len > block) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + _gnutls_hash_deinit(td, digest); - memcpy(ret, digest, ret_len); + if (ret_len > block) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - return 0; + memcpy(ret, digest, ret_len); + + return 0; } @@ -392,37 +397,35 @@ int _gnutls_ssl3_generate_random(void *secret, int secret_len, void *random, int random_len, int ret_bytes, opaque * ret) { - int i = 0, copy, output_bytes; - opaque digest[MAX_HASH_SIZE]; - int block = _gnutls_hash_get_algo_len(GNUTLS_MAC_MD5); - int result, times; - - output_bytes = 0; - do { - output_bytes += block; - } while (output_bytes < ret_bytes); - - times = output_bytes / block; - - for (i = 0; i < times; i++) { - - result = - ssl3_md5(i, secret, secret_len, random, random_len, - digest); - if (result < 0) { - gnutls_assert(); - return result; - } - - if ((1 + i) * block < ret_bytes) { - copy = block; - } else { - copy = ret_bytes - (i) * block; - } - - memcpy(&ret[i * block], digest, copy); + int i = 0, copy, output_bytes; + opaque digest[MAX_HASH_SIZE]; + int block = _gnutls_hash_get_algo_len(GNUTLS_MAC_MD5); + int result, times; + + output_bytes = 0; + do { + output_bytes += block; + } while (output_bytes < ret_bytes); + + times = output_bytes / block; + + for (i = 0; i < times; i++) { + + result = + ssl3_md5(i, secret, secret_len, random, random_len, digest); + if (result < 0) { + gnutls_assert(); + return result; } - return 0; -} + if ((1 + i) * block < ret_bytes) { + copy = block; + } else { + copy = ret_bytes - (i) * block; + } + memcpy(&ret[i * block], digest, copy); + } + + return 0; +} diff --git a/lib/gnutls_hash_int.h b/lib/gnutls_hash_int.h index 15c7e19514..2e626c9f8e 100644 --- a/lib/gnutls_hash_int.h +++ b/lib/gnutls_hash_int.h @@ -26,36 +26,42 @@ /* for message digests */ typedef struct { - gcry_md_hd_t handle; - gnutls_mac_algorithm algorithm; - const void* key; - int keysize; + gcry_md_hd_t handle; + gnutls_mac_algorithm algorithm; + const void *key; + int keysize; } mac_hd_t_INT; -typedef mac_hd_t_INT* mac_hd_t; +typedef mac_hd_t_INT *mac_hd_t; typedef mac_hd_t GNUTLS_HASH_HANDLE; #define GNUTLS_HASH_FAILED NULL #define GNUTLS_MAC_FAILED NULL -mac_hd_t _gnutls_hmac_init( gnutls_mac_algorithm algorithm, const void* key, int keylen); +mac_hd_t _gnutls_hmac_init(gnutls_mac_algorithm algorithm, const void *key, + int keylen); #define _gnutls_hmac_get_algo_len _gnutls_hash_get_algo_len #define _gnutls_hmac _gnutls_hash -void _gnutls_hmac_deinit( mac_hd_t handle, void* digest); +void _gnutls_hmac_deinit(mac_hd_t handle, void *digest); -mac_hd_t _gnutls_mac_init_ssl3( gnutls_mac_algorithm algorithm, void* key, int keylen); -void _gnutls_mac_deinit_ssl3( mac_hd_t handle, void* digest); +mac_hd_t _gnutls_mac_init_ssl3(gnutls_mac_algorithm algorithm, void *key, + int keylen); +void _gnutls_mac_deinit_ssl3(mac_hd_t handle, void *digest); GNUTLS_HASH_HANDLE _gnutls_hash_init(gnutls_mac_algorithm algorithm); int _gnutls_hash_get_algo_len(gnutls_mac_algorithm algorithm); -int _gnutls_hash(GNUTLS_HASH_HANDLE handle, const void* text, size_t textlen); -void _gnutls_hash_deinit(GNUTLS_HASH_HANDLE handle, void* digest); +int _gnutls_hash(GNUTLS_HASH_HANDLE handle, const void *text, + size_t textlen); +void _gnutls_hash_deinit(GNUTLS_HASH_HANDLE handle, void *digest); -int _gnutls_ssl3_generate_random(void *secret, int secret_len, void *random, int random_len, int bytes, opaque* ret); -int _gnutls_ssl3_hash_md5(void *first, int first_len, - void *second, int second_len, int ret_len, opaque* ret); +int _gnutls_ssl3_generate_random(void *secret, int secret_len, + void *random, int random_len, int bytes, + opaque * ret); +int _gnutls_ssl3_hash_md5(void *first, int first_len, void *second, + int second_len, int ret_len, opaque * ret); -void _gnutls_mac_deinit_ssl3_handshake(mac_hd_t handle, void* digest, opaque* key, uint32 key_size); +void _gnutls_mac_deinit_ssl3_handshake(mac_hd_t handle, void *digest, + opaque * key, uint32 key_size); GNUTLS_HASH_HANDLE _gnutls_hash_copy(GNUTLS_HASH_HANDLE handle); -#endif /* GNUTLS_HASH_INT_H */ +#endif /* GNUTLS_HASH_INT_H */ diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index b9415b9c12..8f7e13dbc5 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -41,7 +41,7 @@ /* It might be a good idea to replace int with void* * here. */ -typedef void * gnutls_transport_ptr; +typedef void *gnutls_transport_ptr; #define MAX32 4294967295 #define MAX24 16777215 @@ -60,7 +60,7 @@ typedef void * gnutls_transport_ptr; */ #define MAX_HASH_SIZE 20 -#define MAX_LOG_SIZE 1024 /* maximum size of log message */ +#define MAX_LOG_SIZE 1024 /* maximum size of log message */ #define MAX_SRP_USERNAME 128 #define MAX_SERVER_NAME_SIZE 128 @@ -100,49 +100,60 @@ typedef void * gnutls_transport_ptr; #define DECR_LENGTH_COM(len, x, COM) do { len-=x; if (len<0) {gnutls_assert(); COM;} } while (0) typedef unsigned char opaque; -typedef struct { opaque pint[3]; } uint24; +typedef struct { + opaque pint[3]; +} uint24; typedef struct { - opaque * data; - unsigned int size; + opaque *data; + unsigned int size; } gnutls_datum; #include <gnutls_mpi.h> -typedef enum ChangeCipherSpecType { GNUTLS_TYPE_CHANGE_CIPHER_SPEC=1 } ChangeCipherSpecType; +typedef enum ChangeCipherSpecType { GNUTLS_TYPE_CHANGE_CIPHER_SPEC = + 1 } ChangeCipherSpecType; -typedef enum gnutls_certificate_status { - GNUTLS_CERT_INVALID=2, /* will be set if the certificate - * was not verified. - */ - GNUTLS_CERT_REVOKED=32, /* in X.509 this will be set only if CRLs are checked +typedef enum gnutls_certificate_status { + GNUTLS_CERT_INVALID = 2, /* will be set if the certificate + * was not verified. + */ + GNUTLS_CERT_REVOKED = 32, /* in X.509 this will be set only if CRLs are checked */ - /* Those are extra information about the verification - * process. Will be set only if the certificate was - * not verified. - */ - GNUTLS_CERT_SIGNER_NOT_FOUND=64, - GNUTLS_CERT_SIGNER_NOT_CA=128 + /* Those are extra information about the verification + * process. Will be set only if the certificate was + * not verified. + */ + GNUTLS_CERT_SIGNER_NOT_FOUND = 64, + GNUTLS_CERT_SIGNER_NOT_CA = 128 } gnutls_certificate_status; -typedef enum gnutls_certificate_request { GNUTLS_CERT_IGNORE, GNUTLS_CERT_REQUEST=1, GNUTLS_CERT_REQUIRE } gnutls_certificate_request; +typedef enum gnutls_certificate_request { GNUTLS_CERT_IGNORE, + GNUTLS_CERT_REQUEST = + 1, GNUTLS_CERT_REQUIRE } gnutls_certificate_request; -typedef enum gnutls_openpgp_key_status { GNUTLS_OPENPGP_KEY, - GNUTLS_OPENPGP_KEY_FINGERPRINT +typedef enum gnutls_openpgp_key_status { GNUTLS_OPENPGP_KEY, + GNUTLS_OPENPGP_KEY_FINGERPRINT } gnutls_openpgp_key_status; -typedef enum gnutls_close_request { GNUTLS_SHUT_RDWR=0, GNUTLS_SHUT_WR=1 } gnutls_close_request; +typedef enum gnutls_close_request { + GNUTLS_SHUT_RDWR = 0, GNUTLS_SHUT_WR = 1 +} gnutls_close_request; -typedef enum HandshakeState { STATE0=0, STATE1, STATE2, STATE3, STATE4, STATE5, - STATE6, STATE7, STATE8, STATE9, STATE20=20, STATE21, - STATE30=30, STATE31, STATE50=50, STATE60=60, STATE61, STATE62 } HandshakeState; +typedef enum HandshakeState { STATE0 = 0, STATE1, STATE2, + STATE3, STATE4, STATE5, + STATE6, STATE7, STATE8, STATE9, STATE20 = 20, STATE21, + STATE30 = 30, STATE31, STATE50 = 50, STATE60 = 60, STATE61, STATE62 +} HandshakeState; -typedef enum HandshakeType { GNUTLS_HELLO_REQUEST, GNUTLS_CLIENT_HELLO, GNUTLS_SERVER_HELLO, - GNUTLS_CERTIFICATE_PKT=11, GNUTLS_SERVER_KEY_EXCHANGE, - GNUTLS_CERTIFICATE_REQUEST, GNUTLS_SERVER_HELLO_DONE, - GNUTLS_CERTIFICATE_VERIFY, GNUTLS_CLIENT_KEY_EXCHANGE, - GNUTLS_FINISHED=20 } HandshakeType; +typedef enum HandshakeType { GNUTLS_HELLO_REQUEST, + GNUTLS_CLIENT_HELLO, GNUTLS_SERVER_HELLO, + GNUTLS_CERTIFICATE_PKT = 11, GNUTLS_SERVER_KEY_EXCHANGE, + GNUTLS_CERTIFICATE_REQUEST, GNUTLS_SERVER_HELLO_DONE, + GNUTLS_CERTIFICATE_VERIFY, GNUTLS_CLIENT_KEY_EXCHANGE, + GNUTLS_FINISHED = 20 +} HandshakeType; typedef HandshakeType gnutls_handshake_description; @@ -157,41 +168,49 @@ typedef HandshakeType gnutls_handshake_description; /* STATE */ -typedef enum gnutls_cipher_algorithm { GNUTLS_CIPHER_NULL=1, - GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_ARCFOUR_40, - - GNUTLS_CIPHER_RC2_40_CBC=90, GNUTLS_CIPHER_DES_CBC +typedef enum gnutls_cipher_algorithm { GNUTLS_CIPHER_NULL = 1, + GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_3DES_CBC, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_CIPHER_ARCFOUR_40, + GNUTLS_CIPHER_RC2_40_CBC = 90, GNUTLS_CIPHER_DES_CBC } gnutls_cipher_algorithm; -typedef enum gnutls_kx_algorithm { GNUTLS_KX_RSA=1, GNUTLS_KX_DHE_DSS, - GNUTLS_KX_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP, - GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS +typedef enum gnutls_kx_algorithm { GNUTLS_KX_RSA = 1, GNUTLS_KX_DHE_DSS, + GNUTLS_KX_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP, + GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS } gnutls_kx_algorithm; -typedef enum gnutls_params_type { GNUTLS_PARAMS_RSA_EXPORT=1, - GNUTLS_PARAMS_DH +typedef enum gnutls_params_type { GNUTLS_PARAMS_RSA_EXPORT = 1, + GNUTLS_PARAMS_DH } gnutls_params_type; -typedef enum gnutls_mac_algorithm { GNUTLS_MAC_UNKNOWN=0, GNUTLS_MAC_NULL=1, -GNUTLS_MAC_MD5, GNUTLS_MAC_SHA, GNUTLS_MAC_RMD160 +typedef enum gnutls_mac_algorithm { GNUTLS_MAC_UNKNOWN = 0, + GNUTLS_MAC_NULL = 1, GNUTLS_MAC_MD5, GNUTLS_MAC_SHA, + GNUTLS_MAC_RMD160 } gnutls_mac_algorithm; typedef gnutls_mac_algorithm gnutls_digest_algorithm; -typedef enum gnutls_compression_method { GNUTLS_COMP_NULL=1, GNUTLS_COMP_DEFLATE, - GNUTLS_COMP_LZO +typedef enum gnutls_compression_method { + GNUTLS_COMP_NULL = 1, GNUTLS_COMP_DEFLATE, + GNUTLS_COMP_LZO } gnutls_compression_method; -typedef enum gnutls_connection_end { GNUTLS_SERVER=1, GNUTLS_CLIENT } gnutls_connection_end; +typedef enum gnutls_connection_end { + GNUTLS_SERVER = 1, GNUTLS_CLIENT +} gnutls_connection_end; -typedef enum extensions_t { GNUTLS_EXTENSION_SERVER_NAME=0, - GNUTLS_EXTENSION_MAX_RECORD_SIZE=1, GNUTLS_EXTENSION_SRP=6, - GNUTLS_EXTENSION_CERT_TYPE=7 +typedef enum extensions_t { GNUTLS_EXTENSION_SERVER_NAME = 0, + GNUTLS_EXTENSION_MAX_RECORD_SIZE = 1, GNUTLS_EXTENSION_SRP = 6, + GNUTLS_EXTENSION_CERT_TYPE = 7 } extensions_t; -typedef enum gnutls_credentials_type { GNUTLS_CRD_CERTIFICATE=1, GNUTLS_CRD_ANON, GNUTLS_CRD_SRP } gnutls_credentials_type; +typedef enum gnutls_credentials_type { + GNUTLS_CRD_CERTIFICATE = 1, GNUTLS_CRD_ANON, + GNUTLS_CRD_SRP +} gnutls_credentials_type; -typedef enum gnutls_certificate_type { GNUTLS_CRT_X509=1, GNUTLS_CRT_OPENPGP +typedef enum gnutls_certificate_type { + GNUTLS_CRT_X509 = 1, GNUTLS_CRT_OPENPGP } gnutls_certificate_type; typedef enum { CIPHER_STREAM, CIPHER_BLOCK } cipher_type_t; @@ -200,94 +219,102 @@ typedef enum valid_session_t { VALID_TRUE, VALID_FALSE } valid_session_t; typedef enum resumable_session_t { RESUME_TRUE, RESUME_FALSE } resumable_session_t; /* Record Protocol */ -typedef enum content_type_t { GNUTLS_CHANGE_CIPHER_SPEC=20, GNUTLS_ALERT, - GNUTLS_HANDSHAKE, GNUTLS_APPLICATION_DATA +typedef enum content_type_t { + GNUTLS_CHANGE_CIPHER_SPEC = 20, GNUTLS_ALERT, + GNUTLS_HANDSHAKE, GNUTLS_APPLICATION_DATA } content_type_t; -typedef enum gnutls_x509_crt_fmt { GNUTLS_X509_FMT_DER, - GNUTLS_X509_FMT_PEM } gnutls_x509_crt_fmt; +typedef enum gnutls_x509_crt_fmt { + GNUTLS_X509_FMT_DER, + GNUTLS_X509_FMT_PEM +} gnutls_x509_crt_fmt; -typedef enum gnutls_pk_algorithm { GNUTLS_PK_RSA = 1, GNUTLS_PK_DSA, - GNUTLS_PK_UNKNOWN = 0xff +typedef enum gnutls_pk_algorithm { + GNUTLS_PK_RSA = 1, GNUTLS_PK_DSA, + GNUTLS_PK_UNKNOWN = 0xff } gnutls_pk_algorithm; + #define GNUTLS_PK_ANY (gnutls_pk_algorithm)-1 #define GNUTLS_PK_NONE (gnutls_pk_algorithm)0 -typedef enum gnutls_sign_algorithm { GNUTLS_SIGN_RSA_SHA = 1, GNUTLS_SIGN_DSA_SHA, - GNUTLS_SIGN_RSA_MD5, GNUTLS_SIGN_RSA_MD2, - GNUTLS_SIGN_UNKNOWN = 0xff +typedef enum gnutls_sign_algorithm { + GNUTLS_SIGN_RSA_SHA = 1, GNUTLS_SIGN_DSA_SHA, + GNUTLS_SIGN_RSA_MD5, GNUTLS_SIGN_RSA_MD2, + GNUTLS_SIGN_UNKNOWN = 0xff } gnutls_sign_algorithm; /* STATE (stop) */ -typedef void (*LOG_FUNC)( int, const char*); +typedef void (*LOG_FUNC) (int, const char *); /* Pull & Push functions defines: */ -typedef ssize_t (*gnutls_pull_func)(gnutls_transport_ptr, void*, size_t); -typedef ssize_t (*gnutls_push_func)(gnutls_transport_ptr, const void*, size_t); +typedef ssize_t(*gnutls_pull_func) (gnutls_transport_ptr, void *, size_t); +typedef ssize_t(*gnutls_push_func) (gnutls_transport_ptr, const void *, + size_t); /* Store & Retrieve functions defines: */ -typedef int (*gnutls_db_store_func)(void*, gnutls_datum key, gnutls_datum data); -typedef int (*gnutls_db_remove_func)(void*, gnutls_datum key); -typedef gnutls_datum (*gnutls_db_retr_func)(void*, gnutls_datum key); +typedef int (*gnutls_db_store_func) (void *, gnutls_datum key, + gnutls_datum data); +typedef int (*gnutls_db_remove_func) (void *, gnutls_datum key); +typedef gnutls_datum(*gnutls_db_retr_func) (void *, gnutls_datum key); typedef struct auth_cred_st { - gnutls_credentials_type algorithm; + gnutls_credentials_type algorithm; - /* the type of credentials depends on algorithm - */ - void* credentials; - struct auth_cred_st* next; + /* the type of credentials depends on algorithm + */ + void *credentials; + struct auth_cred_st *next; } auth_cred_st; struct gnutls_key_st { - /* For DH KX */ - gnutls_datum key; - mpi_t KEY; - mpi_t client_Y; - mpi_t client_g; - mpi_t client_p; - mpi_t dh_secret; - /* for SRP */ - mpi_t A; - mpi_t B; - mpi_t u; - mpi_t b; - mpi_t a; - mpi_t x; - /* RSA: e, m - */ - mpi_t rsa[2]; - - /* this is used to hold the peers authentication data - */ - /* auth_info_t structures SHOULD NOT contain malloced - * elements. Check gnutls_session_pack.c, and gnutls_auth.c. - * Rememember that this should be calloced! - */ - void* auth_info; - gnutls_credentials_type auth_info_type; - int auth_info_size; /* needed in order to store to db for restoring - */ - uint8 crypt_algo; - - auth_cred_st* cred; /* used to specify keys/certificates etc */ - - int certificate_requested; - /* some ciphersuites use this - * to provide client authentication. - * 1 if client auth was requested - * by the peer, 0 otherwise - *** In case of a server this - * holds 1 if we should wait - * for a client certificate verify - */ + /* For DH KX */ + gnutls_datum key; + mpi_t KEY; + mpi_t client_Y; + mpi_t client_g; + mpi_t client_p; + mpi_t dh_secret; + /* for SRP */ + mpi_t A; + mpi_t B; + mpi_t u; + mpi_t b; + mpi_t a; + mpi_t x; + /* RSA: e, m + */ + mpi_t rsa[2]; + + /* this is used to hold the peers authentication data + */ + /* auth_info_t structures SHOULD NOT contain malloced + * elements. Check gnutls_session_pack.c, and gnutls_auth.c. + * Rememember that this should be calloced! + */ + void *auth_info; + gnutls_credentials_type auth_info_type; + int auth_info_size; /* needed in order to store to db for restoring + */ + uint8 crypt_algo; + + auth_cred_st *cred; /* used to specify keys/certificates etc */ + + int certificate_requested; + /* some ciphersuites use this + * to provide client authentication. + * 1 if client auth was requested + * by the peer, 0 otherwise + *** In case of a server this + * holds 1 if we should wait + * for a client certificate verify + */ }; -typedef struct gnutls_key_st* gnutls_key_st; +typedef struct gnutls_key_st *gnutls_key_st; /* STATE (cont) */ @@ -298,44 +325,45 @@ typedef struct gnutls_key_st* gnutls_key_st; #include <gnutls_cert.h> typedef struct { - uint8 suite[2]; + uint8 suite[2]; } cipher_suite_st; /* Versions should be in order of the oldest * (eg. SSL3 is before TLS1) */ #define GNUTLS_TLS1 GNUTLS_TLS1_0 -typedef enum gnutls_protocol_version { GNUTLS_SSL3=1, GNUTLS_TLS1_0, - GNUTLS_TLS1_1, GNUTLS_VERSION_UNKNOWN=0xff } -gnutls_protocol_version; +typedef enum gnutls_protocol_version { + GNUTLS_SSL3 = 1, GNUTLS_TLS1_0, + GNUTLS_TLS1_1, GNUTLS_VERSION_UNKNOWN = 0xff +} gnutls_protocol_version; /* This structure holds parameters got from TLS extension * mechanism. (some extensions may hold parameters in auth_info_t * structures also - see SRP). */ -typedef enum gnutls_server_name_type { GNUTLS_NAME_DNS=1 +typedef enum gnutls_server_name_type { GNUTLS_NAME_DNS = 1 } gnutls_server_name_type; typedef struct { - opaque name[MAX_SERVER_NAME_SIZE]; - uint name_length; - gnutls_server_name_type type; + opaque name[MAX_SERVER_NAME_SIZE]; + uint name_length; + gnutls_server_name_type type; } server_name_st; #define MAX_SERVER_NAME_EXTENSIONS 3 typedef struct { - server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS]; - /* limit server_name extensions */ - uint server_names_size; - opaque srp_username[MAX_SRP_USERNAME]; + server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS]; + /* limit server_name extensions */ + uint server_names_size; + opaque srp_username[MAX_SRP_USERNAME]; } tls_ext_st; /* auth_info_t structures now MAY contain malloced * elements. */ - + /* This structure and auth_info_t, are stored in the resume database, * and are restored, in case of resume. * Holds all the required parameters to resume the current @@ -351,82 +379,82 @@ typedef struct { * the handshake is in progress is the cipher suite value. */ typedef struct { - gnutls_connection_end entity; - gnutls_kx_algorithm kx_algorithm; - /* we've got separate write/read bulk/macs because - * there is a time in handshake where the peer has - * null cipher and we don't - */ - gnutls_cipher_algorithm read_bulk_cipher_algorithm; - gnutls_mac_algorithm read_mac_algorithm; - gnutls_compression_method read_compression_algorithm; - - gnutls_cipher_algorithm write_bulk_cipher_algorithm; - gnutls_mac_algorithm write_mac_algorithm; - gnutls_compression_method write_compression_algorithm; - - /* this is the ciphersuite we are going to use - * moved here from internals in order to be restored - * on resume; - */ - cipher_suite_st current_cipher_suite; - opaque master_secret[TLS_MASTER_SIZE]; - opaque client_random[TLS_RANDOM_SIZE]; - opaque server_random[TLS_RANDOM_SIZE]; - opaque session_id[TLS_MAX_SESSION_ID_SIZE]; - uint8 session_id_size; - time_t timestamp; - tls_ext_st extensions; - - /* The send size is the one requested by the programmer. - * The recv size is the one negotiated with the peer. - */ - uint16 max_record_send_size; - uint16 max_record_recv_size; - /* holds the negotiated certificate type */ - gnutls_certificate_type cert_type; - gnutls_protocol_version version; /* moved here */ + gnutls_connection_end entity; + gnutls_kx_algorithm kx_algorithm; + /* we've got separate write/read bulk/macs because + * there is a time in handshake where the peer has + * null cipher and we don't + */ + gnutls_cipher_algorithm read_bulk_cipher_algorithm; + gnutls_mac_algorithm read_mac_algorithm; + gnutls_compression_method read_compression_algorithm; + + gnutls_cipher_algorithm write_bulk_cipher_algorithm; + gnutls_mac_algorithm write_mac_algorithm; + gnutls_compression_method write_compression_algorithm; + + /* this is the ciphersuite we are going to use + * moved here from internals in order to be restored + * on resume; + */ + cipher_suite_st current_cipher_suite; + opaque master_secret[TLS_MASTER_SIZE]; + opaque client_random[TLS_RANDOM_SIZE]; + opaque server_random[TLS_RANDOM_SIZE]; + opaque session_id[TLS_MAX_SESSION_ID_SIZE]; + uint8 session_id_size; + time_t timestamp; + tls_ext_st extensions; + + /* The send size is the one requested by the programmer. + * The recv size is the one negotiated with the peer. + */ + uint16 max_record_send_size; + uint16 max_record_recv_size; + /* holds the negotiated certificate type */ + gnutls_certificate_type cert_type; + gnutls_protocol_version version; /* moved here */ } security_parameters_st; /* This structure holds the generated keys */ typedef struct { - gnutls_datum server_write_mac_secret; - gnutls_datum client_write_mac_secret; - gnutls_datum server_write_IV; - gnutls_datum client_write_IV; - gnutls_datum server_write_key; - gnutls_datum client_write_key; - int generated_keys; /* zero if keys have not - * been generated. Non zero - * otherwise. - */ + gnutls_datum server_write_mac_secret; + gnutls_datum client_write_mac_secret; + gnutls_datum server_write_IV; + gnutls_datum client_write_IV; + gnutls_datum server_write_key; + gnutls_datum client_write_key; + int generated_keys; /* zero if keys have not + * been generated. Non zero + * otherwise. + */ } cipher_specs_st; typedef struct { - cipher_hd_t write_cipher_state; - cipher_hd_t read_cipher_state; - comp_hd_t read_compression_state; - comp_hd_t write_compression_state; - gnutls_datum read_mac_secret; - gnutls_datum write_mac_secret; - uint64 read_sequence_number; - uint64 write_sequence_number; + cipher_hd_t write_cipher_state; + cipher_hd_t read_cipher_state; + comp_hd_t read_compression_state; + comp_hd_t write_compression_state; + gnutls_datum read_mac_secret; + gnutls_datum write_mac_secret; + uint64 read_sequence_number; + uint64 write_sequence_number; } conn_stat_st; typedef struct { - unsigned int priority[MAX_ALGOS]; - unsigned int algorithms; + unsigned int priority[MAX_ALGOS]; + unsigned int algorithms; } priority_st; /* DH and RSA parameters types. */ typedef struct { - /* [0] is the prime, [1] is the generator. - */ - mpi_t params[2]; + /* [0] is the prime, [1] is the generator. + */ + mpi_t params[2]; } dh_params_st; #define gnutls_dh_params dh_params_st* @@ -434,253 +462,255 @@ typedef struct { #define gnutls_rsa_params gnutls_x509_privkey typedef struct { - gnutls_dh_params anon_dh_params; - int free_anon_dh_params; - gnutls_dh_params cert_dh_params; - int free_cert_dh_params; - gnutls_rsa_params rsa_params; - int free_rsa_params; + gnutls_dh_params anon_dh_params; + int free_anon_dh_params; + gnutls_dh_params cert_dh_params; + int free_cert_dh_params; + gnutls_rsa_params rsa_params; + int free_rsa_params; } internal_params_st; typedef struct gnutls_params_st { - gnutls_params_type type; - union params { - gnutls_dh_params dh; - gnutls_rsa_params rsa_export; - } params; - int deinit; + gnutls_params_type type; + union params { + gnutls_dh_params dh; + gnutls_rsa_params rsa_export; + } params; + int deinit; } gnutls_params_st; typedef struct { - opaque header[HANDSHAKE_HEADER_SIZE]; - /* this holds the number of bytes in the handshake_header[] */ - size_t header_size; - /* this holds the length of the handshake packet */ - size_t packet_length; - HandshakeType recv_type; + opaque header[HANDSHAKE_HEADER_SIZE]; + /* this holds the number of bytes in the handshake_header[] */ + size_t header_size; + /* this holds the length of the handshake packet */ + size_t packet_length; + HandshakeType recv_type; } handshake_header_buffer_st; /* Openpgp key retrieval callback */ -typedef int (*gnutls_openpgp_recv_key_func)(struct gnutls_session_int*, - const unsigned char *keyfpr, unsigned int keyfpr_length, gnutls_datum *); +typedef int (*gnutls_openpgp_recv_key_func) (struct gnutls_session_int *, + const unsigned char *keyfpr, + unsigned int keyfpr_length, + gnutls_datum *); typedef struct { - gnutls_buffer application_data_buffer; /* holds data to be delivered to application layer */ - gnutls_buffer handshake_hash_buffer; /* used to keep the last received handshake - * message */ - mac_hd_t handshake_mac_handle_sha; /* hash of the handshake messages */ - mac_hd_t handshake_mac_handle_md5; /* hash of the handshake messages */ - - gnutls_buffer handshake_data_buffer; /* this is a buffer that holds the current handshake message */ - resumable_session_t resumable; /* TRUE or FALSE - if we can resume that session */ - HandshakeState handshake_state; /* holds - * a number which indicates where - * the handshake procedure has been - * interrupted. If it is 0 then - * no interruption has happened. - */ - - valid_session_t valid_connection; /* true or FALSE - if this session is valid */ - - int may_not_read; /* if it's 0 then we can read/write, otherwise it's forbiden to read/write - */ - int may_not_write; - int read_eof; /* non-zero if we have received a closure alert. */ - - int last_alert; /* last alert received */ - - /* The last handshake messages sent or received. - */ - int last_handshake_in; - int last_handshake_out; - - /* this is the compression method we are going to use */ - gnutls_compression_method compression_method; - /* priorities */ - priority_st cipher_algorithm_priority; - priority_st mac_algorithm_priority; - priority_st kx_algorithm_priority; - priority_st compression_method_priority; - priority_st protocol_priority; - priority_st cert_type_priority; - - /* resumed session */ - resumable_session_t resumed; /* RESUME_TRUE or FALSE - if we are resuming a session */ - security_parameters_st resumed_security_parameters; - - /* sockets internals */ - int lowat; - - /* These buffers are used in the handshake - * protocol only. freed using _gnutls_handshake_io_buffer_clear(); - */ - gnutls_buffer handshake_send_buffer; - size_t handshake_send_buffer_prev_size; - content_type_t handshake_send_buffer_type; - HandshakeType handshake_send_buffer_htype; - content_type_t handshake_recv_buffer_type; - HandshakeType handshake_recv_buffer_htype; - gnutls_buffer handshake_recv_buffer; - - /* this buffer holds a record packet -mostly used for - * non blocking IO. + gnutls_buffer application_data_buffer; /* holds data to be delivered to application layer */ + gnutls_buffer handshake_hash_buffer; /* used to keep the last received handshake + * message */ + mac_hd_t handshake_mac_handle_sha; /* hash of the handshake messages */ + mac_hd_t handshake_mac_handle_md5; /* hash of the handshake messages */ + + gnutls_buffer handshake_data_buffer; /* this is a buffer that holds the current handshake message */ + resumable_session_t resumable; /* TRUE or FALSE - if we can resume that session */ + HandshakeState handshake_state; /* holds + * a number which indicates where + * the handshake procedure has been + * interrupted. If it is 0 then + * no interruption has happened. */ - gnutls_buffer record_recv_buffer; - gnutls_buffer record_send_buffer; /* holds cached data - * for the gnutls_io_write_buffered() - * function. - */ - size_t record_send_buffer_prev_size; /* holds the - * data written in the previous runs. - */ - size_t record_send_buffer_user_size; /* holds the - * size of the user specified data to - * send. - */ - - /* 0 if no peeked data was kept, 1 otherwise. + + valid_session_t valid_connection; /* true or FALSE - if this session is valid */ + + int may_not_read; /* if it's 0 then we can read/write, otherwise it's forbiden to read/write + */ + int may_not_write; + int read_eof; /* non-zero if we have received a closure alert. */ + + int last_alert; /* last alert received */ + + /* The last handshake messages sent or received. + */ + int last_handshake_in; + int last_handshake_out; + + /* this is the compression method we are going to use */ + gnutls_compression_method compression_method; + /* priorities */ + priority_st cipher_algorithm_priority; + priority_st mac_algorithm_priority; + priority_st kx_algorithm_priority; + priority_st compression_method_priority; + priority_st protocol_priority; + priority_st cert_type_priority; + + /* resumed session */ + resumable_session_t resumed; /* RESUME_TRUE or FALSE - if we are resuming a session */ + security_parameters_st resumed_security_parameters; + + /* sockets internals */ + int lowat; + + /* These buffers are used in the handshake + * protocol only. freed using _gnutls_handshake_io_buffer_clear(); + */ + gnutls_buffer handshake_send_buffer; + size_t handshake_send_buffer_prev_size; + content_type_t handshake_send_buffer_type; + HandshakeType handshake_send_buffer_htype; + content_type_t handshake_recv_buffer_type; + HandshakeType handshake_recv_buffer_htype; + gnutls_buffer handshake_recv_buffer; + + /* this buffer holds a record packet -mostly used for + * non blocking IO. + */ + gnutls_buffer record_recv_buffer; + gnutls_buffer record_send_buffer; /* holds cached data + * for the gnutls_io_write_buffered() + * function. */ - int have_peeked_data; - - int expire_time; /* after expire_time seconds this session will expire */ - struct mod_auth_st_int* auth_struct; /* used in handshake packets and KX algorithms */ - int v2_hello; /* 0 if the client hello is v3+. - * non-zero if we got a v2 hello. - */ - /* keeps the headers of the handshake packet - */ - handshake_header_buffer_st handshake_header_buffer; - - /* this is the highest version available - * to the peer. (advertized version). - * This is obtained by the Handshake Client Hello - * message. (some implementations read the Record version) - */ - uint8 adv_version_major; - uint8 adv_version_minor; - - /* if this is non zero a certificate request message - * will be sent to the client. - only if the ciphersuite - * supports it. - */ - int send_cert_req; - - /* bits to use for DHE and DHA - * use _gnutls_dh_get_prime_bits() and gnutls_dh_set_prime_bits() - * to access it. - */ - uint16 dh_prime_bits; - - size_t max_handshake_data_buffer_size; - - /* PUSH & PULL functions. - */ - gnutls_pull_func _gnutls_pull_func; - gnutls_push_func _gnutls_push_func; - /* Holds the first argument of PUSH and PULL - * functions; - */ - gnutls_transport_ptr transport_recv_ptr; - gnutls_transport_ptr transport_send_ptr; - - /* STORE & RETRIEVE functions. Only used if other - * backend than gdbm is used. - */ - gnutls_db_store_func db_store_func; - gnutls_db_retr_func db_retrieve_func; - gnutls_db_remove_func db_remove_func; - void* db_ptr; - - /* Holds the record size requested by the - * user. - */ - uint16 proposed_record_size; - - /* holds the selected certificate and key. - * use _gnutls_selected_certs_deinit() and _gnutls_selected_certs_set() - * to change them. - */ - gnutls_cert* selected_cert_list; - int selected_cert_list_length; - gnutls_privkey* selected_key; - int selected_need_free; - - /* holds the extensions we sent to the peer - * (in case of a client) - */ - uint16 extensions_sent[MAX_EXT_TYPES]; - uint16 extensions_sent_size; - - /* is 0 if we are to send the whole PGP key, or non zero - * if the fingerprint is to be sent. - */ - int pgp_fingerprint; - - /* This holds the default version that our first - * record packet will have. */ - opaque default_record_version[2]; - - int cbc_protection_hack; - - void* user_ptr; - - int enable_private;/* non zero to - * enable cipher suites - * which have 0xFF status. - */ - - /* Holds 0 if the last called function was interrupted while - * receiving, and non zero otherwise. - */ - int direction; - - /* This callback will be used (if set) to receive an - * openpgp key. (if the peer sends a fingerprint) - */ - gnutls_openpgp_recv_key_func openpgp_recv_key_func; - - /* If non zero the server will not advertize the CA's he - * trusts (do not send an RDN sequence). - */ - int ignore_rdn_sequence; - - /* This is used to set an arbitary version in the RSA - * PMS secret. Can be used by clients to test whether the - * server checks that version. (** only used in gnutls-cli-debug) - */ - opaque rsa_pms_version[2]; - - char* srp_username; - char* srp_password; - - /* This is only set in SRP, when the handshake is - * restarted if an username is not found. - */ - int handshake_restarted; - - /* Here we cache the DH or RSA parameters got from the - * credentials structure, or from a callback. That is to - * minimize external calls. - */ - internal_params_st params; - - /* This buffer is used by the record recv functions, - * as a temporary store buffer. - */ - gnutls_datum recv_buffer; - - /* If you add anything here, check _gnutls_handshake_internal_state_clear(). - */ + size_t record_send_buffer_prev_size; /* holds the + * data written in the previous runs. + */ + size_t record_send_buffer_user_size; /* holds the + * size of the user specified data to + * send. + */ + + /* 0 if no peeked data was kept, 1 otherwise. + */ + int have_peeked_data; + + int expire_time; /* after expire_time seconds this session will expire */ + struct mod_auth_st_int *auth_struct; /* used in handshake packets and KX algorithms */ + int v2_hello; /* 0 if the client hello is v3+. + * non-zero if we got a v2 hello. + */ + /* keeps the headers of the handshake packet + */ + handshake_header_buffer_st handshake_header_buffer; + + /* this is the highest version available + * to the peer. (advertized version). + * This is obtained by the Handshake Client Hello + * message. (some implementations read the Record version) + */ + uint8 adv_version_major; + uint8 adv_version_minor; + + /* if this is non zero a certificate request message + * will be sent to the client. - only if the ciphersuite + * supports it. + */ + int send_cert_req; + + /* bits to use for DHE and DHA + * use _gnutls_dh_get_prime_bits() and gnutls_dh_set_prime_bits() + * to access it. + */ + uint16 dh_prime_bits; + + size_t max_handshake_data_buffer_size; + + /* PUSH & PULL functions. + */ + gnutls_pull_func _gnutls_pull_func; + gnutls_push_func _gnutls_push_func; + /* Holds the first argument of PUSH and PULL + * functions; + */ + gnutls_transport_ptr transport_recv_ptr; + gnutls_transport_ptr transport_send_ptr; + + /* STORE & RETRIEVE functions. Only used if other + * backend than gdbm is used. + */ + gnutls_db_store_func db_store_func; + gnutls_db_retr_func db_retrieve_func; + gnutls_db_remove_func db_remove_func; + void *db_ptr; + + /* Holds the record size requested by the + * user. + */ + uint16 proposed_record_size; + + /* holds the selected certificate and key. + * use _gnutls_selected_certs_deinit() and _gnutls_selected_certs_set() + * to change them. + */ + gnutls_cert *selected_cert_list; + int selected_cert_list_length; + gnutls_privkey *selected_key; + int selected_need_free; + + /* holds the extensions we sent to the peer + * (in case of a client) + */ + uint16 extensions_sent[MAX_EXT_TYPES]; + uint16 extensions_sent_size; + + /* is 0 if we are to send the whole PGP key, or non zero + * if the fingerprint is to be sent. + */ + int pgp_fingerprint; + + /* This holds the default version that our first + * record packet will have. */ + opaque default_record_version[2]; + + int cbc_protection_hack; + + void *user_ptr; + + int enable_private; /* non zero to + * enable cipher suites + * which have 0xFF status. + */ + + /* Holds 0 if the last called function was interrupted while + * receiving, and non zero otherwise. + */ + int direction; + + /* This callback will be used (if set) to receive an + * openpgp key. (if the peer sends a fingerprint) + */ + gnutls_openpgp_recv_key_func openpgp_recv_key_func; + + /* If non zero the server will not advertize the CA's he + * trusts (do not send an RDN sequence). + */ + int ignore_rdn_sequence; + + /* This is used to set an arbitary version in the RSA + * PMS secret. Can be used by clients to test whether the + * server checks that version. (** only used in gnutls-cli-debug) + */ + opaque rsa_pms_version[2]; + + char *srp_username; + char *srp_password; + + /* This is only set in SRP, when the handshake is + * restarted if an username is not found. + */ + int handshake_restarted; + + /* Here we cache the DH or RSA parameters got from the + * credentials structure, or from a callback. That is to + * minimize external calls. + */ + internal_params_st params; + + /* This buffer is used by the record recv functions, + * as a temporary store buffer. + */ + gnutls_datum recv_buffer; + + /* If you add anything here, check _gnutls_handshake_internal_state_clear(). + */ } internals_st; struct gnutls_session_int { - security_parameters_st security_parameters; - cipher_specs_st cipher_specs; - conn_stat_st connection_state; - internals_st internals; - gnutls_key_st key; + security_parameters_st security_parameters; + cipher_specs_st cipher_specs; + conn_stat_st connection_state; + internals_st internals; + gnutls_key_st key; }; typedef struct gnutls_session_int *gnutls_session; @@ -689,9 +719,11 @@ typedef struct gnutls_session_int *gnutls_session; /* functions */ -void _gnutls_set_current_version(gnutls_session session, gnutls_protocol_version version); -gnutls_protocol_version gnutls_protocol_get_version(gnutls_session session); -void _gnutls_free_auth_info( gnutls_session session); +void _gnutls_set_current_version(gnutls_session session, + gnutls_protocol_version version); +gnutls_protocol_version gnutls_protocol_get_version(gnutls_session + session); +void _gnutls_free_auth_info(gnutls_session session); /* These two macros return the advertized TLS version of * the peer. @@ -706,13 +738,14 @@ void _gnutls_free_auth_info( gnutls_session session); session->internals.adv_version_major = major; \ session->internals.adv_version_minor = minor -void _gnutls_set_adv_version( gnutls_session, gnutls_protocol_version); -gnutls_protocol_version _gnutls_get_adv_version( gnutls_session); +void _gnutls_set_adv_version(gnutls_session, gnutls_protocol_version); +gnutls_protocol_version _gnutls_get_adv_version(gnutls_session); -int gnutls_fingerprint(gnutls_digest_algorithm algo, const gnutls_datum* data, - void* result, size_t* result_size); +int gnutls_fingerprint(gnutls_digest_algorithm algo, + const gnutls_datum * data, void *result, + size_t * result_size); typedef int gnutls_params_function(gnutls_session, gnutls_params_type, - gnutls_params_st*); + gnutls_params_st *); -#endif /* GNUTLS_INT_H */ +#endif /* GNUTLS_INT_H */ diff --git a/lib/gnutls_int_compat.c b/lib/gnutls_int_compat.c index ffb367a6b3..39ee08c2cd 100644 --- a/lib/gnutls_int_compat.c +++ b/lib/gnutls_int_compat.c @@ -3,10 +3,10 @@ /* This file contains functions needed only for binary compatibility * with previous versions. */ -#define GNUTLS_BACKWARDS_COMPATIBLE +#define GNUTLS_BACKWARDS_COMPATIBLE #ifdef GNUTLS_BACKWARDS_COMPATIBLE /* removed everything for 0.9.0 release */ -#endif /* GNUTLS_BACKWARDS_COMPATIBLE */ +#endif /* GNUTLS_BACKWARDS_COMPATIBLE */ diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c index 59ae665333..0de4eaff99 100644 --- a/lib/gnutls_kx.c +++ b/lib/gnutls_kx.c @@ -41,52 +41,68 @@ */ #define MASTER_SECRET "master secret" -static int generate_normal_master( gnutls_session session, int); +static int generate_normal_master(gnutls_session session, int); -int _gnutls_generate_master( gnutls_session session, int keep_premaster) +int _gnutls_generate_master(gnutls_session session, int keep_premaster) { - if (session->internals.resumed==RESUME_FALSE) - return generate_normal_master(session, keep_premaster); - return 0; + if (session->internals.resumed == RESUME_FALSE) + return generate_normal_master(session, keep_premaster); + return 0; } /* here we generate the TLS Master secret. */ #define PREMASTER session->key->key -static int generate_normal_master( gnutls_session session, int keep_premaster) +static int generate_normal_master(gnutls_session session, + int keep_premaster) { -int ret = 0; -opaque random[2*TLS_RANDOM_SIZE]; -char buf[64]; - - memcpy(random, session->security_parameters.client_random, TLS_RANDOM_SIZE); - memcpy(&random[TLS_RANDOM_SIZE], session->security_parameters.server_random, TLS_RANDOM_SIZE); - - _gnutls_hard_log( "INT: PREMASTER SECRET[%d]: %s\n", PREMASTER.size, _gnutls_bin2hex(PREMASTER.data, PREMASTER.size, buf, sizeof(buf))); - _gnutls_hard_log( "INT: CLIENT RANDOM[%d]: %s\n", 32, _gnutls_bin2hex(session->security_parameters.client_random,32, buf, sizeof(buf))); - _gnutls_hard_log( "INT: SERVER RANDOM[%d]: %s\n", 32, _gnutls_bin2hex(session->security_parameters.server_random,32, buf, sizeof(buf))); - - if ( gnutls_protocol_get_version( session) == GNUTLS_SSL3) { - ret = - _gnutls_ssl3_generate_random( PREMASTER.data, PREMASTER.size, - random, 2*TLS_RANDOM_SIZE, TLS_MASTER_SIZE, - session->security_parameters.master_secret); - - } else { - ret = - _gnutls_PRF( PREMASTER.data, PREMASTER.size, - MASTER_SECRET, strlen(MASTER_SECRET), - random, 2*TLS_RANDOM_SIZE, TLS_MASTER_SIZE, - session->security_parameters.master_secret); - } - - if (!keep_premaster) _gnutls_free_datum(&PREMASTER); - - if (ret<0) return ret; + int ret = 0; + opaque random[2 * TLS_RANDOM_SIZE]; + char buf[64]; + + memcpy(random, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + memcpy(&random[TLS_RANDOM_SIZE], + session->security_parameters.server_random, TLS_RANDOM_SIZE); + + _gnutls_hard_log("INT: PREMASTER SECRET[%d]: %s\n", PREMASTER.size, + _gnutls_bin2hex(PREMASTER.data, PREMASTER.size, buf, + sizeof(buf))); + _gnutls_hard_log("INT: CLIENT RANDOM[%d]: %s\n", 32, + _gnutls_bin2hex(session->security_parameters. + client_random, 32, buf, sizeof(buf))); + _gnutls_hard_log("INT: SERVER RANDOM[%d]: %s\n", 32, + _gnutls_bin2hex(session->security_parameters. + server_random, 32, buf, sizeof(buf))); + + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { + ret = + _gnutls_ssl3_generate_random(PREMASTER.data, PREMASTER.size, + random, 2 * TLS_RANDOM_SIZE, + TLS_MASTER_SIZE, + session->security_parameters. + master_secret); + + } else { + ret = + _gnutls_PRF(PREMASTER.data, PREMASTER.size, + MASTER_SECRET, strlen(MASTER_SECRET), + random, 2 * TLS_RANDOM_SIZE, TLS_MASTER_SIZE, + session->security_parameters.master_secret); + } - _gnutls_hard_log( "INT: MASTER SECRET: %s\n", _gnutls_bin2hex(session->security_parameters.master_secret, TLS_MASTER_SIZE, buf, sizeof(buf))); + if (!keep_premaster) + _gnutls_free_datum(&PREMASTER); + if (ret < 0) return ret; + + _gnutls_hard_log("INT: MASTER SECRET: %s\n", + _gnutls_bin2hex(session->security_parameters. + master_secret, TLS_MASTER_SIZE, buf, + sizeof(buf))); + + return ret; } @@ -94,483 +110,537 @@ char buf[64]; * server. It does nothing if this type of message is not required * by the selected ciphersuite. */ -int _gnutls_send_server_kx_message( gnutls_session session, int again) +int _gnutls_send_server_kx_message(gnutls_session session, int again) { - uint8 *data = NULL; - int data_size = 0; - int ret = 0; + uint8 *data = NULL; + int data_size = 0; + int ret = 0; - if (session->internals.auth_struct->gnutls_generate_server_kx==NULL) - return 0; + if (session->internals.auth_struct->gnutls_generate_server_kx == NULL) + return 0; - data = NULL; - data_size = 0; - - if (again == 0) { - data_size = session->internals.auth_struct->gnutls_generate_server_kx( session, &data); - - if (data_size == GNUTLS_E_INT_RET_0) { - gnutls_assert(); - return 0; - } - - if (data_size < 0) { - gnutls_assert(); - return data_size; - } + data = NULL; + data_size = 0; + + if (again == 0) { + data_size = + session->internals.auth_struct-> + gnutls_generate_server_kx(session, &data); + + if (data_size == GNUTLS_E_INT_RET_0) { + gnutls_assert(); + return 0; } - - ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_SERVER_KEY_EXCHANGE); - gnutls_free(data); - if (ret < 0) { - gnutls_assert(); - return ret; + if (data_size < 0) { + gnutls_assert(); + return data_size; } - return data_size; + } + + ret = + _gnutls_send_handshake(session, data, data_size, + GNUTLS_SERVER_KEY_EXCHANGE); + gnutls_free(data); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + return data_size; } /* This function sends a certificate request message to the * client. */ -int _gnutls_send_server_certificate_request( gnutls_session session, int again) +int _gnutls_send_server_certificate_request(gnutls_session session, + int again) { - uint8 *data = NULL; - int data_size = 0; - int ret = 0; + uint8 *data = NULL; + int data_size = 0; + int ret = 0; - if (session->internals.auth_struct->gnutls_generate_server_certificate_request==NULL) - return 0; + if (session->internals.auth_struct-> + gnutls_generate_server_certificate_request == NULL) + return 0; - if (session->internals.send_cert_req <= 0) - return 0; - - data = NULL; - data_size = 0; + if (session->internals.send_cert_req <= 0) + return 0; - if (again == 0) { - data_size = session->internals.auth_struct->gnutls_generate_server_certificate_request( session, &data); + data = NULL; + data_size = 0; - if (data_size < 0) { - gnutls_assert(); - return data_size; - } - } - ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_CERTIFICATE_REQUEST); - gnutls_free(data); + if (again == 0) { + data_size = + session->internals.auth_struct-> + gnutls_generate_server_certificate_request(session, &data); - if (ret < 0) { - gnutls_assert(); - return ret; + if (data_size < 0) { + gnutls_assert(); + return data_size; } - return data_size; + } + ret = + _gnutls_send_handshake(session, data, data_size, + GNUTLS_CERTIFICATE_REQUEST); + gnutls_free(data); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + return data_size; } /* This is the function for the client to send the key * exchange message */ -int _gnutls_send_client_kx_message( gnutls_session session, int again) +int _gnutls_send_client_kx_message(gnutls_session session, int again) { - uint8 *data; - int data_size; - int ret = 0; - - if (session->internals.auth_struct->gnutls_generate_client_kx==NULL) - return 0; + uint8 *data; + int data_size; + int ret = 0; + if (session->internals.auth_struct->gnutls_generate_client_kx == NULL) + return 0; - data = NULL; - data_size = 0; - if (again == 0) { - data_size = session->internals.auth_struct->gnutls_generate_client_kx( session, &data); - if (data_size < 0) { - gnutls_assert(); - return data_size; - } - } - ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_CLIENT_KEY_EXCHANGE); - gnutls_free(data); + data = NULL; + data_size = 0; - if (ret<0) { - gnutls_assert(); - return ret; + if (again == 0) { + data_size = + session->internals.auth_struct-> + gnutls_generate_client_kx(session, &data); + if (data_size < 0) { + gnutls_assert(); + return data_size; } - + } + ret = + _gnutls_send_handshake(session, data, data_size, + GNUTLS_CLIENT_KEY_EXCHANGE); + gnutls_free(data); + + if (ret < 0) { + gnutls_assert(); return ret; + } + + return ret; } /* This is the function for the client to send the certificate * verify message */ -int _gnutls_send_client_certificate_verify( gnutls_session session, int again) +int _gnutls_send_client_certificate_verify(gnutls_session session, + int again) { - uint8 *data; - int ret = 0; - int data_size; + uint8 *data; + int ret = 0; + int data_size; - /* This is a packet that is only sent by the client - */ - if (session->security_parameters.entity==GNUTLS_SERVER) return 0; - - /* if certificate verify is not needed just exit - */ - if (session->key->certificate_requested==0) - return 0; + /* This is a packet that is only sent by the client + */ + if (session->security_parameters.entity == GNUTLS_SERVER) + return 0; - if (session->internals.auth_struct->gnutls_generate_client_cert_vrfy==NULL) { - gnutls_assert(); - return 0; /* this algorithm does not support cli_cert_vrfy - */ - } - - data = NULL; - data_size = 0; - - if (again == 0) { - data_size = session->internals.auth_struct->gnutls_generate_client_cert_vrfy( session, &data); - if (data_size < 0) { - gnutls_assert(); - return data_size; - } - if (data_size == 0) - return 0; + /* if certificate verify is not needed just exit + */ + if (session->key->certificate_requested == 0) + return 0; + if (session->internals.auth_struct->gnutls_generate_client_cert_vrfy == + NULL) { + gnutls_assert(); + return 0; /* this algorithm does not support cli_cert_vrfy + */ + } + + data = NULL; + data_size = 0; + + if (again == 0) { + data_size = + session->internals.auth_struct-> + gnutls_generate_client_cert_vrfy(session, &data); + if (data_size < 0) { + gnutls_assert(); + return data_size; } - ret = - _gnutls_send_handshake( session, data, - data_size, - GNUTLS_CERTIFICATE_VERIFY); - gnutls_free(data); + if (data_size == 0) + return 0; - return ret; + } + ret = + _gnutls_send_handshake(session, data, + data_size, GNUTLS_CERTIFICATE_VERIFY); + gnutls_free(data); + + return ret; } -int _gnutls_recv_server_kx_message( gnutls_session session) +int _gnutls_recv_server_kx_message(gnutls_session session) { - uint8 *data = NULL; - int datasize; - int ret = 0; + uint8 *data = NULL; + int datasize; + int ret = 0; - if (session->internals.auth_struct->gnutls_process_server_kx!=NULL) { + if (session->internals.auth_struct->gnutls_process_server_kx != NULL) { - /* EXCEPTION FOR RSA_EXPORT cipher suite - */ - if ( _gnutls_session_is_export( session) != 0 && - _gnutls_peers_cert_less_512(session) != 0) { - gnutls_assert(); - return 0; - } - - ret = - _gnutls_recv_handshake( session, &data, + /* EXCEPTION FOR RSA_EXPORT cipher suite + */ + if (_gnutls_session_is_export(session) != 0 && + _gnutls_peers_cert_less_512(session) != 0) { + gnutls_assert(); + return 0; + } + + ret = + _gnutls_recv_handshake(session, &data, &datasize, - GNUTLS_SERVER_KEY_EXCHANGE, MANDATORY_PACKET); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = session->internals.auth_struct->gnutls_process_server_kx( session, data, datasize); - gnutls_free(data); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - + GNUTLS_SERVER_KEY_EXCHANGE, + MANDATORY_PACKET); + if (ret < 0) { + gnutls_assert(); + return ret; } - return ret; + + ret = + session->internals.auth_struct-> + gnutls_process_server_kx(session, data, datasize); + gnutls_free(data); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + } + return ret; } -int _gnutls_recv_server_certificate_request( gnutls_session session) +int _gnutls_recv_server_certificate_request(gnutls_session session) { - uint8 *data; - int datasize; - int ret = 0; + uint8 *data; + int datasize; + int ret = 0; - if (session->internals.auth_struct->gnutls_process_server_certificate_request!=NULL) { + if (session->internals.auth_struct-> + gnutls_process_server_certificate_request != NULL) { - ret = - _gnutls_recv_handshake( session, &data, + ret = + _gnutls_recv_handshake(session, &data, &datasize, - GNUTLS_CERTIFICATE_REQUEST, OPTIONAL_PACKET); - if (ret < 0) - return ret; - - if (ret==0 && datasize == 0) - return 0; /* ignored */ - - ret = session->internals.auth_struct->gnutls_process_server_certificate_request( session, data, datasize); - gnutls_free(data); - if (ret < 0) - return ret; - - } - return ret; + GNUTLS_CERTIFICATE_REQUEST, + OPTIONAL_PACKET); + if (ret < 0) + return ret; + + if (ret == 0 && datasize == 0) + return 0; /* ignored */ + + ret = + session->internals.auth_struct-> + gnutls_process_server_certificate_request(session, data, + datasize); + gnutls_free(data); + if (ret < 0) + return ret; + + } + return ret; } -int _gnutls_recv_client_kx_message( gnutls_session session) +int _gnutls_recv_client_kx_message(gnutls_session session) { - uint8 *data; - int datasize; - int ret = 0; + uint8 *data; + int datasize; + int ret = 0; - /* Do key exchange only if the algorithm permits it */ - if (session->internals.auth_struct->gnutls_process_client_kx != NULL) { + /* Do key exchange only if the algorithm permits it */ + if (session->internals.auth_struct->gnutls_process_client_kx != NULL) { - ret = - _gnutls_recv_handshake( session, &data, - &datasize, - GNUTLS_CLIENT_KEY_EXCHANGE, MANDATORY_PACKET); - if (ret < 0) - return ret; + ret = + _gnutls_recv_handshake(session, &data, + &datasize, + GNUTLS_CLIENT_KEY_EXCHANGE, + MANDATORY_PACKET); + if (ret < 0) + return ret; - ret = session->internals.auth_struct->gnutls_process_client_kx( session, data, datasize); - gnutls_free(data); - if (ret < 0) - return ret; + ret = + session->internals.auth_struct-> + gnutls_process_client_kx(session, data, datasize); + gnutls_free(data); + if (ret < 0) + return ret; - } + } - return ret; + return ret; } /* This is called when we want send our certificate */ -int _gnutls_send_client_certificate( gnutls_session session, int again) +int _gnutls_send_client_certificate(gnutls_session session, int again) { - uint8 *data = NULL; - int data_size = 0; - int ret = 0; + uint8 *data = NULL; + int data_size = 0; + int ret = 0; - if (session->key->certificate_requested == 0) - return 0; + if (session->key->certificate_requested == 0) + return 0; - if (session->internals.auth_struct->gnutls_generate_client_certificate==NULL) - return 0; + if (session->internals.auth_struct-> + gnutls_generate_client_certificate == NULL) + return 0; - data = NULL; - data_size = 0; - - if (again == 0) { - if (gnutls_protocol_get_version( session) != GNUTLS_SSL3 || - session->internals.selected_cert_list_length > 0) { - /* TLS 1.0 or SSL 3.0 with a valid certificate - */ - data_size = session->internals.auth_struct->gnutls_generate_client_certificate( session, &data); - - if (data_size < 0) { - gnutls_assert(); - return data_size; - } - } - } + data = NULL; + data_size = 0; - /* In the SSL 3.0 protocol we need to send a - * no certificate alert instead of an - * empty certificate. - */ - if (gnutls_protocol_get_version( session) == GNUTLS_SSL3 && - session->internals.selected_cert_list_length == 0) - { - ret = gnutls_alert_send( session, GNUTLS_AL_WARNING, GNUTLS_A_SSL3_NO_CERTIFICATE); - - } else { /* TLS 1.0 or SSL 3.0 with a valid certificate - */ - ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_CERTIFICATE_PKT); - gnutls_free(data); - } + if (again == 0) { + if (gnutls_protocol_get_version(session) != GNUTLS_SSL3 || + session->internals.selected_cert_list_length > 0) { + /* TLS 1.0 or SSL 3.0 with a valid certificate + */ + data_size = + session->internals.auth_struct-> + gnutls_generate_client_certificate(session, &data); - if (ret < 0) { + if (data_size < 0) { gnutls_assert(); - return ret; + return data_size; + } } + } + + /* In the SSL 3.0 protocol we need to send a + * no certificate alert instead of an + * empty certificate. + */ + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3 && + session->internals.selected_cert_list_length == 0) { + ret = + gnutls_alert_send(session, GNUTLS_AL_WARNING, + GNUTLS_A_SSL3_NO_CERTIFICATE); + + } else { /* TLS 1.0 or SSL 3.0 with a valid certificate + */ + ret = + _gnutls_send_handshake(session, data, data_size, + GNUTLS_CERTIFICATE_PKT); + gnutls_free(data); + } + + if (ret < 0) { + gnutls_assert(); + return ret; + } - return data_size; + return data_size; } /* This is called when we want send our certificate */ -int _gnutls_send_server_certificate( gnutls_session session, int again) +int _gnutls_send_server_certificate(gnutls_session session, int again) { - uint8 *data = NULL; - int data_size = 0; - int ret = 0; + uint8 *data = NULL; + int data_size = 0; + int ret = 0; - if (session->internals.auth_struct->gnutls_generate_server_certificate==NULL) - return 0; + if (session->internals.auth_struct-> + gnutls_generate_server_certificate == NULL) + return 0; - data = NULL; - data_size = 0; + data = NULL; + data_size = 0; - if (again == 0) { - data_size = session->internals.auth_struct->gnutls_generate_server_certificate( session, &data); + if (again == 0) { + data_size = + session->internals.auth_struct-> + gnutls_generate_server_certificate(session, &data); - if (data_size < 0) { - gnutls_assert(); - return data_size; - } - } - ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_CERTIFICATE_PKT); - gnutls_free(data); - - if (ret < 0) { - gnutls_assert(); - return ret; + if (data_size < 0) { + gnutls_assert(); + return data_size; } + } + ret = + _gnutls_send_handshake(session, data, data_size, + GNUTLS_CERTIFICATE_PKT); + gnutls_free(data); + + if (ret < 0) { + gnutls_assert(); + return ret; + } - return data_size; + return data_size; } -int _gnutls_recv_client_certificate( gnutls_session session) +int _gnutls_recv_client_certificate(gnutls_session session) { - int datasize; - opaque * data; - int ret = 0; - int optional; + int datasize; + opaque *data; + int ret = 0; + int optional; - if (session->internals.auth_struct->gnutls_process_client_certificate!=NULL) { + if (session->internals.auth_struct-> + gnutls_process_client_certificate != NULL) { - /* if we have not requested a certificate then just return - */ - if ( session->internals.send_cert_req == 0) { - return 0; - } - - if ( session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) - optional = MANDATORY_PACKET; - else - optional = OPTIONAL_PACKET; - - ret = - _gnutls_recv_handshake( session, &data, - &datasize, - GNUTLS_CERTIFICATE_PKT, optional); - if (ret < 0) { - if (optional == OPTIONAL_PACKET && - ret==GNUTLS_E_WARNING_ALERT_RECEIVED && - gnutls_protocol_get_version(session) == GNUTLS_SSL3 && - gnutls_alert_get(session)==GNUTLS_A_SSL3_NO_CERTIFICATE) { - - /* SSL3 does not send an empty certificate, - * but this alert. So we just ignore it. - */ - gnutls_assert(); - return 0; - } - /* certificate was required */ - if (optional==MANDATORY_PACKET) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - return ret; - } - - if (ret == 0 && datasize == 0 && optional == OPTIONAL_PACKET) { - /* Client has not sent the certificate message. - * well I'm not sure we should accept this - * behaviour. - */ - gnutls_assert(); - return 0; - } - - - ret = session->internals.auth_struct->gnutls_process_client_certificate( session, data, datasize); - gnutls_free(data); - if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND) { - gnutls_assert(); - return ret; - } - - /* ok we should expect a certificate verify message now + /* if we have not requested a certificate then just return + */ + if (session->internals.send_cert_req == 0) { + return 0; + } + + if (session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) + optional = MANDATORY_PACKET; + else + optional = OPTIONAL_PACKET; + + ret = + _gnutls_recv_handshake(session, &data, + &datasize, + GNUTLS_CERTIFICATE_PKT, optional); + if (ret < 0) { + if (optional == OPTIONAL_PACKET && + ret == GNUTLS_E_WARNING_ALERT_RECEIVED && + gnutls_protocol_get_version(session) == GNUTLS_SSL3 && + gnutls_alert_get(session) == + GNUTLS_A_SSL3_NO_CERTIFICATE) { + + /* SSL3 does not send an empty certificate, + * but this alert. So we just ignore it. */ - if (ret==GNUTLS_E_NO_CERTIFICATE_FOUND && optional == OPTIONAL_PACKET) - ret = 0; - else - session->key->certificate_requested = 1; + gnutls_assert(); + return 0; + } + /* certificate was required */ + if (optional == MANDATORY_PACKET) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + return ret; } - return ret; + if (ret == 0 && datasize == 0 && optional == OPTIONAL_PACKET) { + /* Client has not sent the certificate message. + * well I'm not sure we should accept this + * behaviour. + */ + gnutls_assert(); + return 0; + } + + + ret = + session->internals.auth_struct-> + gnutls_process_client_certificate(session, data, datasize); + gnutls_free(data); + if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND) { + gnutls_assert(); + return ret; + } + + /* ok we should expect a certificate verify message now + */ + if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND + && optional == OPTIONAL_PACKET) + ret = 0; + else + session->key->certificate_requested = 1; + + } + + return ret; } -int _gnutls_recv_server_certificate( gnutls_session session) +int _gnutls_recv_server_certificate(gnutls_session session) { - int datasize; - opaque * data; - int ret = 0; - - if (session->internals.auth_struct->gnutls_process_server_certificate!=NULL) { - - ret = - _gnutls_recv_handshake( session, &data, - &datasize, - GNUTLS_CERTIFICATE_PKT, MANDATORY_PACKET); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = session->internals.auth_struct->gnutls_process_server_certificate( session, data, datasize); - gnutls_free(data); - if (ret < 0) { - gnutls_assert(); - return ret; - } + int datasize; + opaque *data; + int ret = 0; + + if (session->internals.auth_struct-> + gnutls_process_server_certificate != NULL) { + + ret = + _gnutls_recv_handshake(session, &data, + &datasize, + GNUTLS_CERTIFICATE_PKT, + MANDATORY_PACKET); + if (ret < 0) { + gnutls_assert(); + return ret; } - return ret; + ret = + session->internals.auth_struct-> + gnutls_process_server_certificate(session, data, datasize); + gnutls_free(data); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } + + return ret; } /* Recv the client certificate verify. This packet may not * arrive if the peer did not send us a certificate. */ -int _gnutls_recv_client_certificate_verify_message( gnutls_session session) +int _gnutls_recv_client_certificate_verify_message(gnutls_session session) { - uint8 *data; - int datasize; - int ret = 0; - - - if (session->internals.auth_struct->gnutls_process_client_cert_vrfy != NULL) { - - if ( session->internals.send_cert_req == 0 || - session->key->certificate_requested == 0) { - return 0; - } - - ret = - _gnutls_recv_handshake( session, &data, - &datasize, - GNUTLS_CERTIFICATE_VERIFY, OPTIONAL_PACKET); - if (ret < 0) - return ret; - - if (ret==0 && datasize == 0 && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) { - /* certificate was required */ - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - ret = session->internals.auth_struct->gnutls_process_client_cert_vrfy( session, data, datasize); - gnutls_free(data); - if (ret < 0) - return ret; + uint8 *data; + int datasize; + int ret = 0; + + if (session->internals.auth_struct->gnutls_process_client_cert_vrfy != + NULL) { + + if (session->internals.send_cert_req == 0 || + session->key->certificate_requested == 0) { + return 0; } - return ret; + ret = + _gnutls_recv_handshake(session, &data, + &datasize, + GNUTLS_CERTIFICATE_VERIFY, + OPTIONAL_PACKET); + if (ret < 0) + return ret; + + if (ret == 0 && datasize == 0 + && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) { + /* certificate was required */ + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + ret = + session->internals.auth_struct-> + gnutls_process_client_cert_vrfy(session, data, datasize); + gnutls_free(data); + if (ret < 0) + return ret; + + } + + return ret; } diff --git a/lib/gnutls_kx.h b/lib/gnutls_kx.h index a2d8eea197..41f9ad4506 100644 --- a/lib/gnutls_kx.h +++ b/lib/gnutls_kx.h @@ -18,17 +18,18 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -int _gnutls_send_server_kx_message( gnutls_session session, int again); -int _gnutls_send_client_kx_message( gnutls_session session, int again); -int _gnutls_recv_server_kx_message( gnutls_session session); -int _gnutls_recv_client_kx_message( gnutls_session session); -int _gnutls_send_client_certificate_verify( gnutls_session session, int again); -int _gnutls_send_server_certificate( gnutls_session session, int again); -int _gnutls_generate_master( gnutls_session session, int keep_premaster); -int _gnutls_recv_client_certificate( gnutls_session session); -int _gnutls_recv_server_certificate( gnutls_session session); -int _gnutls_send_client_certificate( gnutls_session session, int again); -int _gnutls_recv_server_certificate_request( gnutls_session session); -int _gnutls_send_server_certificate_request( gnutls_session session, int again); -int _gnutls_recv_client_certificate_verify_message( gnutls_session session); - +int _gnutls_send_server_kx_message(gnutls_session session, int again); +int _gnutls_send_client_kx_message(gnutls_session session, int again); +int _gnutls_recv_server_kx_message(gnutls_session session); +int _gnutls_recv_client_kx_message(gnutls_session session); +int _gnutls_send_client_certificate_verify(gnutls_session session, + int again); +int _gnutls_send_server_certificate(gnutls_session session, int again); +int _gnutls_generate_master(gnutls_session session, int keep_premaster); +int _gnutls_recv_client_certificate(gnutls_session session); +int _gnutls_recv_server_certificate(gnutls_session session); +int _gnutls_send_client_certificate(gnutls_session session, int again); +int _gnutls_recv_server_certificate_request(gnutls_session session); +int _gnutls_send_server_certificate_request(gnutls_session session, + int again); +int _gnutls_recv_client_certificate_verify_message(gnutls_session session); diff --git a/lib/gnutls_mem.c b/lib/gnutls_mem.c index 0762c6f1ae..2202e75e54 100644 --- a/lib/gnutls_mem.c +++ b/lib/gnutls_mem.c @@ -29,56 +29,65 @@ gnutls_alloc_function gnutls_malloc = malloc; gnutls_free_function gnutls_free = free; gnutls_realloc_function gnutls_realloc = realloc; -void* (*gnutls_calloc)(size_t, size_t) = calloc; -char* (*gnutls_strdup)(const char*) = _gnutls_strdup; +void *(*gnutls_calloc) (size_t, size_t) = calloc; +char *(*gnutls_strdup) (const char *) = _gnutls_strdup; -int _gnutls_is_secure_mem_null( const void* ign) { return 0; } +int _gnutls_is_secure_mem_null(const void *ign) +{ + return 0; +} -int (*_gnutls_is_secure_memory)(const void*) = _gnutls_is_secure_mem_null; +int (*_gnutls_is_secure_memory) (const void *) = + _gnutls_is_secure_mem_null; void *_gnutls_calloc(size_t nmemb, size_t size) { - void *ret; - size *= nmemb; - ret = gnutls_malloc(size); - if (ret != NULL) memset(ret, 0, size); - return ret; + void *ret; + size *= nmemb; + ret = gnutls_malloc(size); + if (ret != NULL) + memset(ret, 0, size); + return ret; } svoid *gnutls_secure_calloc(size_t nmemb, size_t size) { - svoid *ret; - size *= nmemb; - ret = gnutls_secure_malloc(size); - if (ret != NULL) memset(ret, 0, size); - return ret; + svoid *ret; + size *= nmemb; + ret = gnutls_secure_malloc(size); + if (ret != NULL) + memset(ret, 0, size); + return ret; } /* This realloc will free ptr in case realloc * fails. */ -void* gnutls_realloc_fast( void* ptr, size_t size) +void *gnutls_realloc_fast(void *ptr, size_t size) { -void *ret; + void *ret; - if (size == 0) return ptr; + if (size == 0) + return ptr; - ret = gnutls_realloc( ptr, size); - if ( ret == NULL) { - gnutls_free( ptr); - } + ret = gnutls_realloc(ptr, size); + if (ret == NULL) { + gnutls_free(ptr); + } - return ret; + return ret; } -char* _gnutls_strdup( const char* str) { -size_t siz = strlen( str) + 1; -char* ret; +char *_gnutls_strdup(const char *str) +{ + size_t siz = strlen(str) + 1; + char *ret; - ret = gnutls_malloc( siz); - if (ret != NULL) memcpy( ret, str, siz); - return ret; + ret = gnutls_malloc(siz); + if (ret != NULL) + memcpy(ret, str, siz); + return ret; } @@ -96,7 +105,7 @@ char* ret; * The allocation function used is the one set by gnutls_global_set_mem_functions(). * **/ -void* gnutls_malloc( size_t s) +void *gnutls_malloc(size_t s) { } @@ -109,9 +118,8 @@ void* gnutls_malloc( size_t s) * The deallocation function used is the one set by gnutls_global_set_mem_functions(). * **/ -void gnutls_free( void* ptr) +void gnutls_free(void *ptr) { } #endif - diff --git a/lib/gnutls_mem.h b/lib/gnutls_mem.h index 959757a27f..06bb2167e3 100644 --- a/lib/gnutls_mem.h +++ b/lib/gnutls_mem.h @@ -5,7 +5,7 @@ # include <dmalloc.h> #endif -typedef void svoid; /* for functions that allocate using gnutls_secure_malloc */ +typedef void svoid; /* for functions that allocate using gnutls_secure_malloc */ /* Use gnutls_afree() when calling alloca, or * memory leaks may occur in systems which do not @@ -29,30 +29,30 @@ typedef void svoid; /* for functions that allocate using gnutls_secure_malloc */ # define gnutls_alloca gnutls_malloc # define gnutls_afree gnutls_free # endif -#endif /* HAVE_ALLOCA */ +#endif /* HAVE_ALLOCA */ -typedef void* (*gnutls_alloc_function)(size_t); -typedef void (*gnutls_free_function)(void*); -typedef void* (*gnutls_realloc_function)(void*, size_t); +typedef void *(*gnutls_alloc_function) (size_t); +typedef void (*gnutls_free_function) (void *); +typedef void *(*gnutls_realloc_function) (void *, size_t); extern gnutls_alloc_function gnutls_secure_malloc; extern gnutls_alloc_function gnutls_malloc; extern gnutls_free_function gnutls_free; -extern int (*_gnutls_is_secure_memory)(const void*); +extern int (*_gnutls_is_secure_memory) (const void *); extern gnutls_realloc_function gnutls_realloc; -extern void* (*gnutls_calloc)(size_t, size_t); -extern char* (*gnutls_strdup)( const char*); +extern void *(*gnutls_calloc) (size_t, size_t); +extern char *(*gnutls_strdup) (const char *); /* this realloc function will return ptr if size==0, and * will free the ptr if the new allocation failed. */ -void* gnutls_realloc_fast( void* ptr, size_t size); +void *gnutls_realloc_fast(void *ptr, size_t size); -svoid* gnutls_secure_calloc( size_t nmemb, size_t size); -void* _gnutls_calloc( size_t nmemb, size_t size); +svoid *gnutls_secure_calloc(size_t nmemb, size_t size); +void *_gnutls_calloc(size_t nmemb, size_t size); -char* _gnutls_strdup( const char*); +char *_gnutls_strdup(const char *); -#endif /* GNUTLS_MEM_H */ +#endif /* GNUTLS_MEM_H */ diff --git a/lib/gnutls_mpi.c b/lib/gnutls_mpi.c index 9d135ae092..2ba9ac7713 100644 --- a/lib/gnutls_mpi.c +++ b/lib/gnutls_mpi.c @@ -31,97 +31,109 @@ /* Functions that refer to the libgcrypt library. */ - -void _gnutls_mpi_release( mpi_t* x) { - if (*x==NULL) return; - gcry_mpi_release(*x); - *x=NULL; + +void _gnutls_mpi_release(mpi_t * x) +{ + if (*x == NULL) + return; + gcry_mpi_release(*x); + *x = NULL; } /* returns zero on success */ -int _gnutls_mpi_scan( mpi_t *ret_mpi, const opaque *buffer, size_t *nbytes ) { - int ret; - - ret = gcry_mpi_scan( ret_mpi, GCRYMPI_FMT_USG, buffer, *nbytes, nbytes); - if (ret) return GNUTLS_E_MPI_SCAN_FAILED; - - /* MPIs with 0 bits are illegal - */ - if (_gnutls_mpi_get_nbits( *ret_mpi) == 0) { - _gnutls_mpi_release( ret_mpi); - return GNUTLS_E_MPI_SCAN_FAILED; - } +int _gnutls_mpi_scan(mpi_t * ret_mpi, const opaque * buffer, + size_t * nbytes) +{ + int ret; - return 0; -} + ret = gcry_mpi_scan(ret_mpi, GCRYMPI_FMT_USG, buffer, *nbytes, nbytes); + if (ret) + return GNUTLS_E_MPI_SCAN_FAILED; -int _gnutls_mpi_scan_pgp( mpi_t *ret_mpi, const opaque *buffer, size_t *nbytes) -{ -int ret; - ret = gcry_mpi_scan( ret_mpi, GCRYMPI_FMT_PGP, buffer, *nbytes, nbytes); - if (ret) return GNUTLS_E_MPI_SCAN_FAILED; + /* MPIs with 0 bits are illegal + */ + if (_gnutls_mpi_get_nbits(*ret_mpi) == 0) { + _gnutls_mpi_release(ret_mpi); + return GNUTLS_E_MPI_SCAN_FAILED; + } - /* MPIs with 0 bits are illegal - */ - if (_gnutls_mpi_get_nbits( *ret_mpi) == 0) { - _gnutls_mpi_release( ret_mpi); - return GNUTLS_E_MPI_SCAN_FAILED; - } + return 0; +} - return 0; +int _gnutls_mpi_scan_pgp(mpi_t * ret_mpi, const opaque * buffer, + size_t * nbytes) +{ + int ret; + ret = gcry_mpi_scan(ret_mpi, GCRYMPI_FMT_PGP, buffer, *nbytes, nbytes); + if (ret) + return GNUTLS_E_MPI_SCAN_FAILED; + + /* MPIs with 0 bits are illegal + */ + if (_gnutls_mpi_get_nbits(*ret_mpi) == 0) { + _gnutls_mpi_release(ret_mpi); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + return 0; } -int _gnutls_mpi_print( void *buffer, size_t *nbytes, const mpi_t a ) +int _gnutls_mpi_print(void *buffer, size_t * nbytes, const mpi_t a) { -int ret; + int ret; - if (nbytes == NULL || a == NULL) return GNUTLS_E_INVALID_REQUEST; + if (nbytes == NULL || a == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = gcry_mpi_print( GCRYMPI_FMT_USG, buffer, *nbytes, nbytes, a); - if (!ret) return 0; - - return GNUTLS_E_MPI_PRINT_FAILED; + ret = gcry_mpi_print(GCRYMPI_FMT_USG, buffer, *nbytes, nbytes, a); + if (!ret) + return 0; + + return GNUTLS_E_MPI_PRINT_FAILED; } /* Always has the first bit zero */ -int _gnutls_mpi_print_lz( void *buffer, size_t *nbytes, const mpi_t a ) +int _gnutls_mpi_print_lz(void *buffer, size_t * nbytes, const mpi_t a) { -int ret; + int ret; - if (nbytes == NULL || a == NULL) return GNUTLS_E_INVALID_REQUEST; + if (nbytes == NULL || a == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = gcry_mpi_print( GCRYMPI_FMT_STD, buffer, *nbytes, nbytes, a); - if (!ret) return 0; - - return GNUTLS_E_MPI_PRINT_FAILED; + ret = gcry_mpi_print(GCRYMPI_FMT_STD, buffer, *nbytes, nbytes, a); + if (!ret) + return 0; + + return GNUTLS_E_MPI_PRINT_FAILED; } /* Always has the first bit zero */ -int _gnutls_mpi_dprint_lz( gnutls_datum* dest, const mpi_t a ) +int _gnutls_mpi_dprint_lz(gnutls_datum * dest, const mpi_t a) { -int ret; -opaque* buf = NULL; -size_t bytes = 0; - - if (dest == NULL || a == NULL) return GNUTLS_E_INVALID_REQUEST; - - gcry_mpi_print( GCRYMPI_FMT_STD, NULL, 0, &bytes, a); - - if (bytes != 0) - buf = gnutls_malloc( bytes); - if (buf == NULL) - return GNUTLS_E_MEMORY_ERROR; - - ret = gcry_mpi_print( GCRYMPI_FMT_STD, buf, bytes, &bytes, a); - if (!ret) { - dest->data = buf; - dest->size = bytes; - return 0; - } - - gnutls_free(buf); - return GNUTLS_E_MPI_PRINT_FAILED; + int ret; + opaque *buf = NULL; + size_t bytes = 0; + + if (dest == NULL || a == NULL) + return GNUTLS_E_INVALID_REQUEST; + + gcry_mpi_print(GCRYMPI_FMT_STD, NULL, 0, &bytes, a); + + if (bytes != 0) + buf = gnutls_malloc(bytes); + if (buf == NULL) + return GNUTLS_E_MEMORY_ERROR; + + ret = gcry_mpi_print(GCRYMPI_FMT_STD, buf, bytes, &bytes, a); + if (!ret) { + dest->data = buf; + dest->size = bytes; + return 0; + } + + gnutls_free(buf); + return GNUTLS_E_MPI_PRINT_FAILED; } @@ -129,82 +141,86 @@ size_t bytes = 0; * from asn1 structs. Combines the read and mpi_scan * steps. */ -int _gnutls_x509_read_int( ASN1_TYPE node, const char* value, - mpi_t* ret_mpi) +int _gnutls_x509_read_int(ASN1_TYPE node, const char *value, + mpi_t * ret_mpi) { -int result; -size_t s_len; -opaque* tmpstr = NULL; -int tmpstr_size; - - tmpstr_size = 0; - result = asn1_read_value( node, value, NULL, &tmpstr_size); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - tmpstr = gnutls_alloca( tmpstr_size); - if (tmpstr == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - result = asn1_read_value( node, value, tmpstr, &tmpstr_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_afree( tmpstr); - return _gnutls_asn2err(result); - } - - s_len = tmpstr_size; - if (_gnutls_mpi_scan( ret_mpi, tmpstr, &s_len) != 0) { - gnutls_assert(); - gnutls_afree( tmpstr); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - gnutls_afree( tmpstr); - - return 0; + int result; + size_t s_len; + opaque *tmpstr = NULL; + int tmpstr_size; + + tmpstr_size = 0; + result = asn1_read_value(node, value, NULL, &tmpstr_size); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + tmpstr = gnutls_alloca(tmpstr_size); + if (tmpstr == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_read_value(node, value, tmpstr, &tmpstr_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_afree(tmpstr); + return _gnutls_asn2err(result); + } + + s_len = tmpstr_size; + if (_gnutls_mpi_scan(ret_mpi, tmpstr, &s_len) != 0) { + gnutls_assert(); + gnutls_afree(tmpstr); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + gnutls_afree(tmpstr); + + return 0; } /* Writes the specified integer into the specified node. */ -int _gnutls_x509_write_int( ASN1_TYPE node, const char* value, mpi_t mpi, int lz) +int _gnutls_x509_write_int(ASN1_TYPE node, const char *value, mpi_t mpi, + int lz) { -opaque *tmpstr; -size_t s_len; -int result; - - s_len = 0; - if (lz) result = _gnutls_mpi_print_lz( NULL, &s_len, mpi); - else result = _gnutls_mpi_print( NULL, &s_len, mpi); - - tmpstr = gnutls_alloca( s_len); - if (tmpstr == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - if (lz) result = _gnutls_mpi_print_lz( tmpstr, &s_len, mpi); - else result = _gnutls_mpi_print( tmpstr, &s_len, mpi); - - if (result != 0) { - gnutls_assert(); - gnutls_afree( tmpstr); - return GNUTLS_E_MPI_PRINT_FAILED; - } - - result = asn1_write_value( node, value, tmpstr, s_len); - - gnutls_afree( tmpstr); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + opaque *tmpstr; + size_t s_len; + int result; + + s_len = 0; + if (lz) + result = _gnutls_mpi_print_lz(NULL, &s_len, mpi); + else + result = _gnutls_mpi_print(NULL, &s_len, mpi); + + tmpstr = gnutls_alloca(s_len); + if (tmpstr == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + if (lz) + result = _gnutls_mpi_print_lz(tmpstr, &s_len, mpi); + else + result = _gnutls_mpi_print(tmpstr, &s_len, mpi); + + if (result != 0) { + gnutls_assert(); + gnutls_afree(tmpstr); + return GNUTLS_E_MPI_PRINT_FAILED; + } - return 0; -} + result = asn1_write_value(node, value, tmpstr, s_len); + gnutls_afree(tmpstr); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; +} diff --git a/lib/gnutls_mpi.h b/lib/gnutls_mpi.h index 350226691d..41a05bf7ee 100644 --- a/lib/gnutls_mpi.h +++ b/lib/gnutls_mpi.h @@ -31,18 +31,20 @@ typedef mpi_t GNUTLS_MPI; #define _gnutls_prime_check gcry_prime_check #define _gnutls_mpi_div gcry_mpi_div -# define _gnutls_mpi_alloc_like(x) _gnutls_mpi_new(_gnutls_mpi_get_nbits(x)) -# define _gnutls_mpi_salloc_like(x) _gnutls_mpi_snew(_gnutls_mpi_get_nbits(x)) +# define _gnutls_mpi_alloc_like(x) _gnutls_mpi_new(_gnutls_mpi_get_nbits(x)) +# define _gnutls_mpi_salloc_like(x) _gnutls_mpi_snew(_gnutls_mpi_get_nbits(x)) -void _gnutls_mpi_release( mpi_t* x); +void _gnutls_mpi_release(mpi_t * x); -int _gnutls_mpi_scan( mpi_t *ret_mpi, const opaque *buffer, size_t *nbytes ); -int _gnutls_mpi_scan_pgp( mpi_t *ret_mpi, const opaque *buffer, size_t *nbytes ); +int _gnutls_mpi_scan(mpi_t * ret_mpi, const opaque * buffer, + size_t * nbytes); +int _gnutls_mpi_scan_pgp(mpi_t * ret_mpi, const opaque * buffer, + size_t * nbytes); -int _gnutls_mpi_print( void *buffer, size_t *nbytes, const mpi_t a ); -int _gnutls_mpi_print_lz( void *buffer, size_t *nbytes, const mpi_t a ); +int _gnutls_mpi_print(void *buffer, size_t * nbytes, const mpi_t a); +int _gnutls_mpi_print_lz(void *buffer, size_t * nbytes, const mpi_t a); -int _gnutls_mpi_dprint_lz( gnutls_datum* dest, const mpi_t a ); +int _gnutls_mpi_dprint_lz(gnutls_datum * dest, const mpi_t a); #define _gnutls_mpi_dprint _gnutls_mpi_dprint_lz #endif diff --git a/lib/gnutls_num.c b/lib/gnutls_num.c index 8d9ed1c8c4..259e230f20 100644 --- a/lib/gnutls_num.c +++ b/lib/gnutls_num.c @@ -32,130 +32,144 @@ * Returns 0 on success, or -1 if the uint64 max limit * has been reached. */ -int _gnutls_uint64pp( uint64 *x) { -register int i, y=0; - - for (i=7;i>=0;i--) { - y = 0; - if ( x->i[i] == 0xff) { - x->i[i] = 0; - y = 1; - } else x->i[i]++; - - if (y==0) break; - } - if (y != 0) return -1; /* over 64 bits! WOW */ - - return 0; +int _gnutls_uint64pp(uint64 * x) +{ + register int i, y = 0; + + for (i = 7; i >= 0; i--) { + y = 0; + if (x->i[i] == 0xff) { + x->i[i] = 0; + y = 1; + } else + x->i[i]++; + + if (y == 0) + break; + } + if (y != 0) + return -1; /* over 64 bits! WOW */ + + return 0; } -uint32 _gnutls_uint24touint32( uint24 num) { -uint32 ret=0; +uint32 _gnutls_uint24touint32(uint24 num) +{ + uint32 ret = 0; - ((uint8*)&ret)[1] = num.pint[0]; - ((uint8*)&ret)[2] = num.pint[1]; - ((uint8*)&ret)[3] = num.pint[2]; - return ret; + ((uint8 *) & ret)[1] = num.pint[0]; + ((uint8 *) & ret)[2] = num.pint[1]; + ((uint8 *) & ret)[3] = num.pint[2]; + return ret; } -uint24 _gnutls_uint32touint24( uint32 num) { -uint24 ret; +uint24 _gnutls_uint32touint24(uint32 num) +{ + uint24 ret; - ret.pint[0] = ((uint8*)&num)[1]; - ret.pint[1] = ((uint8*)&num)[2]; - ret.pint[2] = ((uint8*)&num)[3]; - return ret; + ret.pint[0] = ((uint8 *) & num)[1]; + ret.pint[1] = ((uint8 *) & num)[2]; + ret.pint[2] = ((uint8 *) & num)[3]; + return ret; } /* data should be at least 3 bytes */ -uint32 _gnutls_read_uint24( const opaque* data) { -uint32 res; -uint24 num; - - num.pint[0] = data[0]; - num.pint[1] = data[1]; - num.pint[2] = data[2]; - - res = _gnutls_uint24touint32( num); +uint32 _gnutls_read_uint24(const opaque * data) +{ + uint32 res; + uint24 num; + + num.pint[0] = data[0]; + num.pint[1] = data[1]; + num.pint[2] = data[2]; + + res = _gnutls_uint24touint32(num); #ifndef WORDS_BIGENDIAN - res = byteswap32( res); + res = byteswap32(res); #endif -return res; + return res; } -void _gnutls_write_uint24( uint32 num, opaque* data) { -uint24 tmp; - +void _gnutls_write_uint24(uint32 num, opaque * data) +{ + uint24 tmp; + #ifndef WORDS_BIGENDIAN - num = byteswap32( num); + num = byteswap32(num); #endif - tmp = _gnutls_uint32touint24( num); + tmp = _gnutls_uint32touint24(num); - data[0] = tmp.pint[0]; - data[1] = tmp.pint[1]; - data[2] = tmp.pint[2]; + data[0] = tmp.pint[0]; + data[1] = tmp.pint[1]; + data[2] = tmp.pint[2]; } -uint32 _gnutls_read_uint32( const opaque* data) { -uint32 res; +uint32 _gnutls_read_uint32(const opaque * data) +{ + uint32 res; - memcpy( &res, data, sizeof(uint32)); + memcpy(&res, data, sizeof(uint32)); #ifndef WORDS_BIGENDIAN - res = byteswap32( res); + res = byteswap32(res); #endif -return res; + return res; } -void _gnutls_write_uint32( uint32 num, opaque* data) { +void _gnutls_write_uint32(uint32 num, opaque * data) +{ #ifndef WORDS_BIGENDIAN - num = byteswap32( num); + num = byteswap32(num); #endif - memcpy( data, &num, sizeof(uint32)); + memcpy(data, &num, sizeof(uint32)); } -uint16 _gnutls_read_uint16( const opaque* data) { -uint16 res; - memcpy( &res, data, sizeof(uint16)); +uint16 _gnutls_read_uint16(const opaque * data) +{ + uint16 res; + memcpy(&res, data, sizeof(uint16)); #ifndef WORDS_BIGENDIAN - res = byteswap16( res); + res = byteswap16(res); #endif -return res; + return res; } -void _gnutls_write_uint16( uint16 num, opaque* data) { +void _gnutls_write_uint16(uint16 num, opaque * data) +{ #ifndef WORDS_BIGENDIAN - num = byteswap16( num); + num = byteswap16(num); #endif - memcpy( data, &num, sizeof(uint16)); + memcpy(data, &num, sizeof(uint16)); } -uint32 _gnutls_conv_uint32( uint32 data) { +uint32 _gnutls_conv_uint32(uint32 data) +{ #ifndef WORDS_BIGENDIAN - return byteswap32( data); + return byteswap32(data); #else - return data; + return data; #endif } -uint16 _gnutls_conv_uint16( uint16 data) { +uint16 _gnutls_conv_uint16(uint16 data) +{ #ifndef WORDS_BIGENDIAN - return byteswap16( data); + return byteswap16(data); #else - return data; + return data; #endif } -uint32 _gnutls_uint64touint32( const uint64* num) { -uint32 ret; +uint32 _gnutls_uint64touint32(const uint64 * num) +{ + uint32 ret; - memcpy( &ret, &num->i[4], 4); + memcpy(&ret, &num->i[4], 4); #ifndef WORDS_BIGENDIAN - ret = byteswap32(ret); + ret = byteswap32(ret); #endif - return ret; + return ret; } - diff --git a/lib/gnutls_num.h b/lib/gnutls_num.h index 91a54a4073..2c49ddb50f 100644 --- a/lib/gnutls_num.h +++ b/lib/gnutls_num.h @@ -31,18 +31,18 @@ #define byteswap16(x) ((rotl16(x, 8) & 0x00ff) | (rotr16(x, 8) & 0xff00)) #define byteswap32(x) ((rotl32(x, 8) & 0x00ff00ffUL) | (rotr32(x, 8) & 0xff00ff00UL)) -uint32 _gnutls_uint24touint32( uint24 num); -uint24 _gnutls_uint32touint24( uint32 num); -uint32 _gnutls_read_uint32( const opaque* data); -uint16 _gnutls_read_uint16( const opaque* data); -uint32 _gnutls_conv_uint32( uint32 data); -uint16 _gnutls_conv_uint16( uint16 data); -uint32 _gnutls_read_uint24( const opaque* data); -void _gnutls_write_uint24( uint32 num, opaque* data); -void _gnutls_write_uint32( uint32 num, opaque* data); -void _gnutls_write_uint16( uint16 num, opaque* data); -uint32 _gnutls_uint64touint32( const uint64*); +uint32 _gnutls_uint24touint32(uint24 num); +uint24 _gnutls_uint32touint24(uint32 num); +uint32 _gnutls_read_uint32(const opaque * data); +uint16 _gnutls_read_uint16(const opaque * data); +uint32 _gnutls_conv_uint32(uint32 data); +uint16 _gnutls_conv_uint16(uint16 data); +uint32 _gnutls_read_uint24(const opaque * data); +void _gnutls_write_uint24(uint32 num, opaque * data); +void _gnutls_write_uint32(uint32 num, opaque * data); +void _gnutls_write_uint16(uint16 num, opaque * data); +uint32 _gnutls_uint64touint32(const uint64 *); -int _gnutls_uint64pp( uint64 *); +int _gnutls_uint64pp(uint64 *); # define _gnutls_uint64zero(x) x.i[0] = x.i[1] = x.i[2] = x.i[3] = x.i[4] = x.i[5] = x.i[6] = x.i[7] = 0 # define UINT64DATA(x) x.i diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c index fa49381d96..fce507b6de 100644 --- a/lib/gnutls_pk.c +++ b/lib/gnutls_pk.c @@ -36,162 +36,173 @@ #include <x509/mpi.h> #include <x509/common.h> -static int _gnutls_pk_encrypt(int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey, int pkey_len); -static int _gnutls_pk_sign(int algo, mpi_t* data, mpi_t hash, mpi_t * pkey, int); -static int _gnutls_pk_verify(int algo, mpi_t hash, mpi_t* data, mpi_t *pkey, int); -static int _gnutls_pk_decrypt(int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey, int); +static int _gnutls_pk_encrypt(int algo, mpi_t * resarr, mpi_t data, + mpi_t * pkey, int pkey_len); +static int _gnutls_pk_sign(int algo, mpi_t * data, mpi_t hash, + mpi_t * pkey, int); +static int _gnutls_pk_verify(int algo, mpi_t hash, mpi_t * data, + mpi_t * pkey, int); +static int _gnutls_pk_decrypt(int algo, mpi_t * resarr, mpi_t data, + mpi_t * pkey, int); /* Do PKCS-1 RSA encryption. * params is modulus, public exp. */ int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, - const gnutls_datum *plaintext, mpi_t* params, - uint params_len, - uint btype) + const gnutls_datum * plaintext, + mpi_t * params, uint params_len, uint btype) { - unsigned int i, pad; - int ret; - mpi_t m, res; - opaque *edata, *ps; - size_t k, psize; - size_t mod_bits; - - mod_bits = _gnutls_mpi_get_nbits(params[0]); - k = mod_bits / 8; - if ( mod_bits % 8 != 0) k++; - - if (plaintext->size > k - 11) { - gnutls_assert(); - return GNUTLS_E_PK_ENCRYPTION_FAILED; - } - - edata = gnutls_alloca(k); - if (edata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - /* EB = 00||BT||PS||00||D - * (use block type 'btype') - */ - - edata[0] = 0; - edata[1] = btype; - psize = k - 3 - plaintext->size; - - ps = &edata[2]; - switch (btype) { - case 2: - /* using public key */ - if (params_len < RSA_PUBLIC_PARAMS) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_INTERNAL_ERROR; - } - - if ( (ret=_gnutls_get_random(ps, psize, GNUTLS_STRONG_RANDOM)) < 0) { - gnutls_assert(); - gnutls_afree(edata); - return ret; - } - for (i = 0; i < psize; i++) { - opaque rnd[3]; - - /* Read three random bytes that will be - * used to replace the zeros. - */ - if ( (ret=_gnutls_get_random( rnd, 3, GNUTLS_STRONG_RANDOM)) < 0) { - gnutls_assert(); - gnutls_afree(edata); - return ret; - } - /* use non zero values for - * the first two. - */ - if (rnd[0]==0) rnd[0] = 0xaf; - if (rnd[1]==0) rnd[1] = 0xae; - - if (ps[i] == 0) { - /* If the first one is zero then set it to rnd[0]. - * If the second one is zero then set it to rnd[1]. - * Otherwise add (mod 256) the two previous ones plus rnd[3], or use - * rnd[1] if the value == 0. - */ - if (i<2) ps[i] = rnd[i]; - else ps[i] = GMAX( rnd[3] + ps[i-1] + ps[i-2], rnd[1]); - } - } - break; - case 1: - /* using private key */ - - if (params_len < RSA_PRIVATE_PARAMS) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_INTERNAL_ERROR; - } - - for (i = 0; i < psize; i++) - ps[i] = 0xff; - break; - default: - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_INTERNAL_ERROR; - } - - ps[psize] = 0; - memcpy(&ps[psize + 1], plaintext->data, plaintext->size); - - if (_gnutls_mpi_scan(&m, edata, &k) != 0) { + unsigned int i, pad; + int ret; + mpi_t m, res; + opaque *edata, *ps; + size_t k, psize; + size_t mod_bits; + + mod_bits = _gnutls_mpi_get_nbits(params[0]); + k = mod_bits / 8; + if (mod_bits % 8 != 0) + k++; + + if (plaintext->size > k - 11) { + gnutls_assert(); + return GNUTLS_E_PK_ENCRYPTION_FAILED; + } + + edata = gnutls_alloca(k); + if (edata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + /* EB = 00||BT||PS||00||D + * (use block type 'btype') + */ + + edata[0] = 0; + edata[1] = btype; + psize = k - 3 - plaintext->size; + + ps = &edata[2]; + switch (btype) { + case 2: + /* using public key */ + if (params_len < RSA_PUBLIC_PARAMS) { + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_INTERNAL_ERROR; + } + + if ((ret = + _gnutls_get_random(ps, psize, GNUTLS_STRONG_RANDOM)) < 0) { + gnutls_assert(); + gnutls_afree(edata); + return ret; + } + for (i = 0; i < psize; i++) { + opaque rnd[3]; + + /* Read three random bytes that will be + * used to replace the zeros. + */ + if ((ret = + _gnutls_get_random(rnd, 3, GNUTLS_STRONG_RANDOM)) < 0) { gnutls_assert(); gnutls_afree(edata); - return GNUTLS_E_MPI_SCAN_FAILED; - } - gnutls_afree(edata); - - if (btype==2) /* encrypt */ - ret = _gnutls_pk_encrypt(GCRY_PK_RSA, &res, m, params, params_len); - else /* sign */ - ret = _gnutls_pk_sign(GCRY_PK_RSA, &res, m, params, params_len); - - _gnutls_mpi_release(&m); - - if (ret < 0) { - gnutls_assert(); return ret; - } + } + /* use non zero values for + * the first two. + */ + if (rnd[0] == 0) + rnd[0] = 0xaf; + if (rnd[1] == 0) + rnd[1] = 0xae; + + if (ps[i] == 0) { + /* If the first one is zero then set it to rnd[0]. + * If the second one is zero then set it to rnd[1]. + * Otherwise add (mod 256) the two previous ones plus rnd[3], or use + * rnd[1] if the value == 0. + */ + if (i < 2) + ps[i] = rnd[i]; + else + ps[i] = GMAX(rnd[3] + ps[i - 1] + ps[i - 2], rnd[1]); + } + } + break; + case 1: + /* using private key */ + + if (params_len < RSA_PRIVATE_PARAMS) { + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_INTERNAL_ERROR; + } + + for (i = 0; i < psize; i++) + ps[i] = 0xff; + break; + default: + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_INTERNAL_ERROR; + } - _gnutls_mpi_print(NULL, &psize, res); + ps[psize] = 0; + memcpy(&ps[psize + 1], plaintext->data, plaintext->size); - if (psize < k) { - /* padding psize */ - pad = k - psize; - psize = k; - } else if (psize==k) { - pad = 0; - } else { /* psize > k !!! */ - /* This is an impossible situation */ - gnutls_assert(); - _gnutls_mpi_release(&res); - return GNUTLS_E_INTERNAL_ERROR; - } + if (_gnutls_mpi_scan(&m, edata, &k) != 0) { + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_MPI_SCAN_FAILED; + } + gnutls_afree(edata); + + if (btype == 2) /* encrypt */ + ret = _gnutls_pk_encrypt(GCRY_PK_RSA, &res, m, params, params_len); + else /* sign */ + ret = _gnutls_pk_sign(GCRY_PK_RSA, &res, m, params, params_len); + + _gnutls_mpi_release(&m); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + _gnutls_mpi_print(NULL, &psize, res); + + if (psize < k) { + /* padding psize */ + pad = k - psize; + psize = k; + } else if (psize == k) { + pad = 0; + } else { /* psize > k !!! */ + /* This is an impossible situation */ + gnutls_assert(); + _gnutls_mpi_release(&res); + return GNUTLS_E_INTERNAL_ERROR; + } - ciphertext->data = gnutls_malloc(psize); - if (ciphertext->data == NULL) { - gnutls_assert(); - _gnutls_mpi_release(&res); - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_mpi_print( &ciphertext->data[pad], &psize, res); - for (i=0;i<pad;i++) ciphertext->data[i] = 0; + ciphertext->data = gnutls_malloc(psize); + if (ciphertext->data == NULL) { + gnutls_assert(); + _gnutls_mpi_release(&res); + return GNUTLS_E_MEMORY_ERROR; + } + _gnutls_mpi_print(&ciphertext->data[pad], &psize, res); + for (i = 0; i < pad; i++) + ciphertext->data[i] = 0; - ciphertext->size = k; + ciphertext->size = k; - _gnutls_mpi_release(&res); + _gnutls_mpi_release(&res); - return 0; + return 0; } @@ -200,309 +211,322 @@ int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, * Can decrypt block type 1 and type 2 packets. */ int _gnutls_pkcs1_rsa_decrypt(gnutls_datum * plaintext, - const gnutls_datum *ciphertext, mpi_t* params, uint params_len, - uint btype) + const gnutls_datum * ciphertext, + mpi_t * params, uint params_len, uint btype) { - uint k, i; - int ret; - mpi_t c, res; - opaque *edata; - size_t esize, mod_bits; - - mod_bits = _gnutls_mpi_get_nbits(params[0]); - k = mod_bits / 8; - if ( mod_bits % 8 != 0) k++; - - esize = ciphertext->size; - - if (esize != k) { - gnutls_assert(); - return GNUTLS_E_PK_DECRYPTION_FAILED; - } - - if (_gnutls_mpi_scan(&c, ciphertext->data, &esize) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - /* we can use btype to see if the private key is - * available. - */ - if (btype==2) - ret = _gnutls_pk_decrypt(GCRY_PK_RSA, &res, c, params, params_len); - else { - ret = _gnutls_pk_encrypt(GCRY_PK_RSA, &res, c, params, params_len); - } - _gnutls_mpi_release(&c); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - - _gnutls_mpi_print(NULL, &esize, res); - edata = gnutls_alloca(esize + 1); - if (edata == NULL) { - gnutls_assert(); - _gnutls_mpi_release(&res); - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_mpi_print(&edata[1], &esize, res); - + uint k, i; + int ret; + mpi_t c, res; + opaque *edata; + size_t esize, mod_bits; + + mod_bits = _gnutls_mpi_get_nbits(params[0]); + k = mod_bits / 8; + if (mod_bits % 8 != 0) + k++; + + esize = ciphertext->size; + + if (esize != k) { + gnutls_assert(); + return GNUTLS_E_PK_DECRYPTION_FAILED; + } + + if (_gnutls_mpi_scan(&c, ciphertext->data, &esize) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + /* we can use btype to see if the private key is + * available. + */ + if (btype == 2) + ret = _gnutls_pk_decrypt(GCRY_PK_RSA, &res, c, params, params_len); + else { + ret = _gnutls_pk_encrypt(GCRY_PK_RSA, &res, c, params, params_len); + } + _gnutls_mpi_release(&c); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + _gnutls_mpi_print(NULL, &esize, res); + edata = gnutls_alloca(esize + 1); + if (edata == NULL) { + gnutls_assert(); _gnutls_mpi_release(&res); + return GNUTLS_E_MEMORY_ERROR; + } + _gnutls_mpi_print(&edata[1], &esize, res); - /* EB = 00||BT||PS||00||D - * (use block type 'btype') - */ + _gnutls_mpi_release(&res); + /* EB = 00||BT||PS||00||D + * (use block type 'btype') + */ - edata[0] = 0; - esize++; - if (edata[0] != 0 || edata[1] != btype) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_DECRYPTION_FAILED; - } + edata[0] = 0; + esize++; - ret = GNUTLS_E_DECRYPTION_FAILED; - switch (btype) { - case 2: - for (i = 2; i < esize; i++) { - if (edata[i] == 0) { - ret = 0; - break; - } - } - break; - case 1: - for (i = 2; i < esize; i++) { - if (edata[i] == 0 && i > 2) { - ret = 0; - break; - } - if (edata[i] != 0xff) { - _gnutls_handshake_log("PKCS #1 padding error"); - ret = GNUTLS_E_PKCS1_WRONG_PAD; - break; - } - } + if (edata[0] != 0 || edata[1] != btype) { + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_DECRYPTION_FAILED; + } + + ret = GNUTLS_E_DECRYPTION_FAILED; + switch (btype) { + case 2: + for (i = 2; i < esize; i++) { + if (edata[i] == 0) { + ret = 0; break; - default: - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_INTERNAL_ERROR; + } } - i++; - - if (ret < 0) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_DECRYPTION_FAILED; + break; + case 1: + for (i = 2; i < esize; i++) { + if (edata[i] == 0 && i > 2) { + ret = 0; + break; + } + if (edata[i] != 0xff) { + _gnutls_handshake_log("PKCS #1 padding error"); + ret = GNUTLS_E_PKCS1_WRONG_PAD; + break; + } } + break; + default: + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_INTERNAL_ERROR; + } + i++; - if (_gnutls_sset_datum(plaintext, &edata[i], esize - i) < 0) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_MEMORY_ERROR; - } + if (ret < 0) { + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_DECRYPTION_FAILED; + } + if (_gnutls_sset_datum(plaintext, &edata[i], esize - i) < 0) { + gnutls_assert(); gnutls_afree(edata); + return GNUTLS_E_MEMORY_ERROR; + } + + gnutls_afree(edata); - return 0; + return 0; } -int _gnutls_rsa_verify( const gnutls_datum* vdata, const gnutls_datum *ciphertext, - mpi_t *params, int params_len, int btype) { +int _gnutls_rsa_verify(const gnutls_datum * vdata, + const gnutls_datum * ciphertext, mpi_t * params, + int params_len, int btype) +{ - gnutls_datum plain; - int ret; + gnutls_datum plain; + int ret; - /* decrypt signature */ - if ( (ret=_gnutls_pkcs1_rsa_decrypt( &plain, ciphertext, params, params_len, btype)) < 0) { - gnutls_assert(); - return ret; - } + /* decrypt signature */ + if ((ret = + _gnutls_pkcs1_rsa_decrypt(&plain, ciphertext, params, params_len, + btype)) < 0) { + gnutls_assert(); + return ret; + } - if (plain.size != vdata->size) { - gnutls_assert(); - _gnutls_free_datum( &plain); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; - } + if (plain.size != vdata->size) { + gnutls_assert(); + _gnutls_free_datum(&plain); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; + } - if ( memcmp(plain.data, vdata->data, plain.size)!=0) { - gnutls_assert(); - _gnutls_free_datum( &plain); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; - } + if (memcmp(plain.data, vdata->data, plain.size) != 0) { + gnutls_assert(); + _gnutls_free_datum(&plain); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; + } - _gnutls_free_datum( &plain); + _gnutls_free_datum(&plain); - return 0; /* ok */ + return 0; /* ok */ } /* encodes the Dss-Sig-Value structure */ -static int encode_ber_rs( gnutls_datum* sig_value, mpi_t r, mpi_t s) { -ASN1_TYPE sig; -int result, tot_len; - - if ((result=asn1_create_element( _gnutls_get_gnutls_asn(), "GNUTLS.DSASignatureValue", - &sig))!=ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } +static int encode_ber_rs(gnutls_datum * sig_value, mpi_t r, mpi_t s) +{ + ASN1_TYPE sig; + int result, tot_len; + + if ((result = + asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.DSASignatureValue", + &sig)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_write_int(sig, "r", r, 1); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&sig); + return result; + } - result = _gnutls_x509_write_int( sig, "r", r, 1); - if ( result < 0) { - gnutls_assert(); - asn1_delete_structure(&sig); - return result; - } + result = _gnutls_x509_write_int(sig, "s", s, 1); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&sig); + return result; + } - result = _gnutls_x509_write_int( sig, "s", s, 1); - if (result < 0) { - gnutls_assert(); - asn1_delete_structure(&sig); - return result; - } + tot_len = 0; - tot_len = 0; - - result = _gnutls_x509_der_encode( sig, "", sig_value, 0); + result = _gnutls_x509_der_encode(sig, "", sig_value, 0); - asn1_delete_structure(&sig); + asn1_delete_structure(&sig); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /* Do DSA signature calculation. params is p, q, g, y, x in that order. */ -int _gnutls_dsa_sign(gnutls_datum * signature, const gnutls_datum *hash, +int _gnutls_dsa_sign(gnutls_datum * signature, const gnutls_datum * hash, mpi_t * params, uint params_len) { - mpi_t rs[2], mdata; - int ret; - size_t k; - - k = hash->size; - if (k!=20) { /* SHA only */ - gnutls_assert(); - return GNUTLS_E_PK_SIGN_FAILED; - } - - if (_gnutls_mpi_scan(&mdata, hash->data, &k) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - ret = _gnutls_pk_sign(GCRY_PK_DSA, rs, mdata, params, params_len); - /* rs[0], rs[1] now hold r,s */ - _gnutls_mpi_release(&mdata); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = encode_ber_rs( signature, rs[0], rs[1]); - - /* free r,s */ - _gnutls_mpi_release(&rs[0]); - _gnutls_mpi_release(&rs[1]); - - if (ret!=0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - return 0; + mpi_t rs[2], mdata; + int ret; + size_t k; + + k = hash->size; + if (k != 20) { /* SHA only */ + gnutls_assert(); + return GNUTLS_E_PK_SIGN_FAILED; + } + + if (_gnutls_mpi_scan(&mdata, hash->data, &k) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + ret = _gnutls_pk_sign(GCRY_PK_DSA, rs, mdata, params, params_len); + /* rs[0], rs[1] now hold r,s */ + _gnutls_mpi_release(&mdata); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = encode_ber_rs(signature, rs[0], rs[1]); + + /* free r,s */ + _gnutls_mpi_release(&rs[0]); + _gnutls_mpi_release(&rs[1]); + + if (ret != 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + return 0; } /* decodes the Dss-Sig-Value structure */ -static int decode_ber_rs( const gnutls_datum* sig_value, mpi_t* r, mpi_t* s) { -ASN1_TYPE sig; -int result; +static int decode_ber_rs(const gnutls_datum * sig_value, mpi_t * r, + mpi_t * s) +{ + ASN1_TYPE sig; + int result; + + if ((result = + asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.DSASignatureValue", + &sig)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding(&sig, sig_value->data, sig_value->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&sig); + return _gnutls_asn2err(result); + } - if ((result=asn1_create_element( _gnutls_get_gnutls_asn(), "GNUTLS.DSASignatureValue", &sig))!=ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = _gnutls_x509_read_int(sig, "r", r); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&sig); + return result; + } - result = asn1_der_decoding( &sig, sig_value->data, sig_value->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&sig); - return _gnutls_asn2err(result); - } - - result = - _gnutls_x509_read_int( sig, "r", r); - if (result < 0) { - gnutls_assert(); - asn1_delete_structure(&sig); - return result; - } + result = _gnutls_x509_read_int(sig, "s", s); + if (result < 0) { + gnutls_assert(); + _gnutls_mpi_release(s); + asn1_delete_structure(&sig); + return result; + } - result = - _gnutls_x509_read_int( sig, "s", s); - if (result < 0) { - gnutls_assert(); - _gnutls_mpi_release( s); - asn1_delete_structure(&sig); - return result; - } + asn1_delete_structure(&sig); - asn1_delete_structure(&sig); - - return 0; + return 0; } /* params is p, q, g, y in that order */ -int _gnutls_dsa_verify( const gnutls_datum* vdata, const gnutls_datum *sig_value, - mpi_t * params, int params_len) { - - mpi_t mdata; - int ret; - size_t k; - mpi_t rs[2]; - - if (vdata->size != 20) { /* sha-1 only */ - gnutls_assert(); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; - } - - if (decode_ber_rs( sig_value, &rs[0], &rs[1])!=0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - k = vdata->size; - if (_gnutls_mpi_scan(&mdata, vdata->data, &k) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - /* decrypt signature */ - ret=_gnutls_pk_verify( GCRY_PK_DSA, mdata, rs, params, - params_len); - _gnutls_mpi_release(&mdata); - - if (ret < 0) { - gnutls_assert(); - return ret; - } +int _gnutls_dsa_verify(const gnutls_datum * vdata, + const gnutls_datum * sig_value, mpi_t * params, + int params_len) +{ - return 0; /* ok */ + mpi_t mdata; + int ret; + size_t k; + mpi_t rs[2]; + + if (vdata->size != 20) { /* sha-1 only */ + gnutls_assert(); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; + } + + if (decode_ber_rs(sig_value, &rs[0], &rs[1]) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + k = vdata->size; + if (_gnutls_mpi_scan(&mdata, vdata->data, &k) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + /* decrypt signature */ + ret = _gnutls_pk_verify(GCRY_PK_DSA, mdata, rs, params, params_len); + _gnutls_mpi_release(&mdata); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; /* ok */ } @@ -513,295 +537,298 @@ int _gnutls_dsa_verify( const gnutls_datum* vdata, const gnutls_datum *sig_value * Emulate our old PK interface here - sometime in the future we might * change the internal design to directly fit to libgcrypt. */ -static int _gnutls_pk_encrypt(int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey, int pkey_len) +static int _gnutls_pk_encrypt(int algo, mpi_t * resarr, mpi_t data, + mpi_t * pkey, int pkey_len) { - gcry_sexp_t s_ciph, s_data, s_pkey; - int rc=-1; - - /* make a sexp from pkey */ - switch (algo) { - case GCRY_PK_RSA: - if (pkey_len >= 2) - rc = gcry_sexp_build(&s_pkey, NULL, - "(public-key(rsa(n%m)(e%m)))", - pkey[0], pkey[1]); - break; + gcry_sexp_t s_ciph, s_data, s_pkey; + int rc = -1; + + /* make a sexp from pkey */ + switch (algo) { + case GCRY_PK_RSA: + if (pkey_len >= 2) + rc = gcry_sexp_build(&s_pkey, NULL, + "(public-key(rsa(n%m)(e%m)))", + pkey[0], pkey[1]); + break; + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* put the data into a simple list */ + if (gcry_sexp_build(&s_data, NULL, "%m", data)) { + gnutls_assert(); + gcry_sexp_release(s_pkey); + return GNUTLS_E_INTERNAL_ERROR; + } - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + /* pass it to libgcrypt */ + rc = gcry_pk_encrypt(&s_ciph, s_data, s_pkey); + gcry_sexp_release(s_data); + gcry_sexp_release(s_pkey); - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_PK_ENCRYPTION_FAILED; - /* put the data into a simple list */ - if (gcry_sexp_build(&s_data, NULL, "%m", data)) { - gnutls_assert(); - gcry_sexp_release(s_pkey); - return GNUTLS_E_INTERNAL_ERROR; + } else { /* add better error handling or make gnupg use S-Exp directly */ + gcry_sexp_t list = gcry_sexp_find_token(s_ciph, "a", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(s_ciph); + return GNUTLS_E_INTERNAL_ERROR; } - /* pass it to libgcrypt */ - rc = gcry_pk_encrypt(&s_ciph, s_data, s_pkey); - gcry_sexp_release(s_data); - gcry_sexp_release(s_pkey); + resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_PK_ENCRYPTION_FAILED; - - } else { /* add better error handling or make gnupg use S-Exp directly */ - gcry_sexp_t list = gcry_sexp_find_token(s_ciph, "a", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(s_ciph); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - if (resarr[0] == NULL) { - gnutls_assert(); - gcry_sexp_release(s_ciph); - return GNUTLS_E_INTERNAL_ERROR; - } + if (resarr[0] == NULL) { + gnutls_assert(); + gcry_sexp_release(s_ciph); + return GNUTLS_E_INTERNAL_ERROR; } + } - gcry_sexp_release(s_ciph); - return rc; + gcry_sexp_release(s_ciph); + return rc; } -static -int _gnutls_pk_decrypt(int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey, int pkey_len) +static +int _gnutls_pk_decrypt(int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey, + int pkey_len) { - gcry_sexp_t s_plain, s_data, s_pkey; - int rc=-1; - - /* make a sexp from pkey */ - switch (algo) { - case GCRY_PK_RSA: - if (pkey_len >=6) - rc = gcry_sexp_build(&s_pkey, NULL, - "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))", - pkey[0], pkey[1], pkey[2], pkey[3], pkey[4], pkey[5]); - - break; - - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* put the data into a simple list */ - if (gcry_sexp_build(&s_data, NULL, "(enc-val(rsa(a%m)))", data)) { - gnutls_assert(); - gcry_sexp_release(s_pkey); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* pass it to libgcrypt */ - rc = gcry_pk_decrypt(&s_plain, s_data, s_pkey); - gcry_sexp_release(s_data); + gcry_sexp_t s_plain, s_data, s_pkey; + int rc = -1; + + /* make a sexp from pkey */ + switch (algo) { + case GCRY_PK_RSA: + if (pkey_len >= 6) + rc = gcry_sexp_build(&s_pkey, NULL, + "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))", + pkey[0], pkey[1], pkey[2], pkey[3], + pkey[4], pkey[5]); + + break; + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* put the data into a simple list */ + if (gcry_sexp_build(&s_data, NULL, "(enc-val(rsa(a%m)))", data)) { + gnutls_assert(); gcry_sexp_release(s_pkey); + return GNUTLS_E_INTERNAL_ERROR; + } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_PK_DECRYPTION_FAILED; + /* pass it to libgcrypt */ + rc = gcry_pk_decrypt(&s_plain, s_data, s_pkey); + gcry_sexp_release(s_data); + gcry_sexp_release(s_pkey); - } else { /* add better error handling or make gnupg use S-Exp directly */ - resarr[0] = gcry_sexp_nth_mpi(s_plain, 0, 0); + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_PK_DECRYPTION_FAILED; - if (resarr[0] == NULL) { - gnutls_assert(); - gcry_sexp_release(s_plain); - return GNUTLS_E_INTERNAL_ERROR; - } + } else { /* add better error handling or make gnupg use S-Exp directly */ + resarr[0] = gcry_sexp_nth_mpi(s_plain, 0, 0); + + if (resarr[0] == NULL) { + gnutls_assert(); + gcry_sexp_release(s_plain); + return GNUTLS_E_INTERNAL_ERROR; } + } - gcry_sexp_release(s_plain); - return rc; + gcry_sexp_release(s_plain); + return rc; } /* in case of DSA puts into data, r,s */ -static -int _gnutls_pk_sign(int algo, mpi_t* data, mpi_t hash, mpi_t * pkey, int pkey_len) +static +int _gnutls_pk_sign(int algo, mpi_t * data, mpi_t hash, mpi_t * pkey, + int pkey_len) { - gcry_sexp_t s_hash, s_key, s_sig; - int rc=-1; - - /* make a sexp from pkey */ - switch (algo) { - case GCRY_PK_DSA: - if (pkey_len >= 5) - rc = gcry_sexp_build(&s_key, NULL, - "(private-key(dsa(p%m)(q%m)(g%m)(y%m)(x%m)))", - pkey[0], pkey[1], pkey[2], - pkey[3], pkey[4]); - else { - gnutls_assert(); - } - - break; - case GCRY_PK_RSA: - if (pkey_len >=6) - rc = gcry_sexp_build(&s_key, NULL, - "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))", - pkey[0], pkey[1], pkey[2], pkey[3], pkey[4], pkey[5]); - else { - gnutls_assert(); - } - break; - - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gcry_sexp_t s_hash, s_key, s_sig; + int rc = -1; + + /* make a sexp from pkey */ + switch (algo) { + case GCRY_PK_DSA: + if (pkey_len >= 5) + rc = gcry_sexp_build(&s_key, NULL, + "(private-key(dsa(p%m)(q%m)(g%m)(y%m)(x%m)))", + pkey[0], pkey[1], pkey[2], + pkey[3], pkey[4]); + else { + gnutls_assert(); } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + break; + case GCRY_PK_RSA: + if (pkey_len >= 6) + rc = gcry_sexp_build(&s_key, NULL, + "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))", + pkey[0], pkey[1], pkey[2], pkey[3], + pkey[4], pkey[5]); + else { + gnutls_assert(); } + break; - /* put the data into a simple list */ - if (gcry_sexp_build(&s_hash, NULL, "%m", hash)) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - /* pass it to libgcrypt */ - rc = gcry_pk_sign(&s_sig, s_hash, s_key); - gcry_sexp_release(s_hash); - gcry_sexp_release(s_key); + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_PK_SIGN_FAILED; - - } else { - gcry_sexp_t list; - - if (algo==GCRY_PK_DSA) { - list = gcry_sexp_find_token( s_sig, "r" , 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(s_sig); - return GNUTLS_E_INTERNAL_ERROR; - } - - data[0] = gcry_sexp_nth_mpi( list, 1, 0 ); - gcry_sexp_release (list); - - list = gcry_sexp_find_token( s_sig, "s" , 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(s_sig); - return GNUTLS_E_INTERNAL_ERROR; - } - - data[1] = gcry_sexp_nth_mpi( list, 1, 0 ); - gcry_sexp_release (list); - } else { /* GCRY_PK_RSA */ - list = gcry_sexp_find_token( s_sig, "s" , 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(s_sig); - return GNUTLS_E_INTERNAL_ERROR; - } - - data[0] = gcry_sexp_nth_mpi( list, 1, 0 ); - gcry_sexp_release (list); - } - } + /* put the data into a simple list */ + if (gcry_sexp_build(&s_hash, NULL, "%m", hash)) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - gcry_sexp_release(s_sig); - return 0; -} + /* pass it to libgcrypt */ + rc = gcry_pk_sign(&s_sig, s_hash, s_key); + gcry_sexp_release(s_hash); + gcry_sexp_release(s_key); + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_PK_SIGN_FAILED; -static int _gnutls_pk_verify(int algo, mpi_t hash, mpi_t* data, mpi_t *pkey, int pkey_len) -{ - gcry_sexp_t s_sig, s_hash, s_pkey; - int rc=-1; - - /* make a sexp from pkey */ - switch (algo) { - case GCRY_PK_DSA: - if (pkey_len >= 4) - rc = gcry_sexp_build(&s_pkey, NULL, - "(public-key(dsa(p%m)(q%m)(g%m)(y%m)))", - pkey[0], pkey[1], pkey[2], pkey[3]); - break; - case GCRY_PK_RSA: - if (pkey_len >= 2) - rc = gcry_sexp_build(&s_pkey, NULL, - "(public-key(rsa(n%m)(e%m)))", - pkey[0], pkey[1]); - break; + } else { + gcry_sexp_t list; - default: + if (algo == GCRY_PK_DSA) { + list = gcry_sexp_find_token(s_sig, "r", 0); + if (list == NULL) { gnutls_assert(); + gcry_sexp_release(s_sig); return GNUTLS_E_INTERNAL_ERROR; - } + } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + data[0] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); - /* put the data into a simple list */ - if (gcry_sexp_build(&s_hash, NULL, "%m", hash)) { + list = gcry_sexp_find_token(s_sig, "s", 0); + if (list == NULL) { gnutls_assert(); - gcry_sexp_release(s_pkey); + gcry_sexp_release(s_sig); return GNUTLS_E_INTERNAL_ERROR; - } + } - switch (algo) { - case GCRY_PK_DSA: - rc = gcry_sexp_build(&s_sig, NULL, - "(sig-val(dsa(r%m)(s%m)))", - data[0], data[1]); - break; - case GCRY_PK_RSA: - rc = gcry_sexp_build(&s_sig, NULL, - "(sig-val(rsa(s%m)))", - data[0]); - break; - - default: + data[1] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + } else { /* GCRY_PK_RSA */ + list = gcry_sexp_find_token(s_sig, "s", 0); + if (list == NULL) { gnutls_assert(); - gcry_sexp_release(s_pkey); - gcry_sexp_release(s_hash); + gcry_sexp_release(s_sig); return GNUTLS_E_INTERNAL_ERROR; - } + } - if (rc != 0) { - gnutls_assert(); - gcry_sexp_release(s_pkey); - gcry_sexp_release(s_hash); - return GNUTLS_E_INTERNAL_ERROR; + data[0] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); } + } - rc = gcry_pk_verify( s_sig, s_hash, s_pkey); - - gcry_sexp_release(s_sig); + gcry_sexp_release(s_sig); + return 0; +} + + +static int _gnutls_pk_verify(int algo, mpi_t hash, mpi_t * data, + mpi_t * pkey, int pkey_len) +{ + gcry_sexp_t s_sig, s_hash, s_pkey; + int rc = -1; + + /* make a sexp from pkey */ + switch (algo) { + case GCRY_PK_DSA: + if (pkey_len >= 4) + rc = gcry_sexp_build(&s_pkey, NULL, + "(public-key(dsa(p%m)(q%m)(g%m)(y%m)))", + pkey[0], pkey[1], pkey[2], pkey[3]); + break; + case GCRY_PK_RSA: + if (pkey_len >= 2) + rc = gcry_sexp_build(&s_pkey, NULL, + "(public-key(rsa(n%m)(e%m)))", + pkey[0], pkey[1]); + break; + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* put the data into a simple list */ + if (gcry_sexp_build(&s_hash, NULL, "%m", hash)) { + gnutls_assert(); + gcry_sexp_release(s_pkey); + return GNUTLS_E_INTERNAL_ERROR; + } + + switch (algo) { + case GCRY_PK_DSA: + rc = gcry_sexp_build(&s_sig, NULL, + "(sig-val(dsa(r%m)(s%m)))", data[0], data[1]); + break; + case GCRY_PK_RSA: + rc = gcry_sexp_build(&s_sig, NULL, "(sig-val(rsa(s%m)))", data[0]); + break; + + default: + gnutls_assert(); + gcry_sexp_release(s_pkey); gcry_sexp_release(s_hash); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (rc != 0) { + gnutls_assert(); gcry_sexp_release(s_pkey); + gcry_sexp_release(s_hash); + return GNUTLS_E_INTERNAL_ERROR; + } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; - } + rc = gcry_pk_verify(s_sig, s_hash, s_pkey); + + gcry_sexp_release(s_sig); + gcry_sexp_release(s_hash); + gcry_sexp_release(s_pkey); + + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; + } - return 0; + return 0; } diff --git a/lib/gnutls_pk.h b/lib/gnutls_pk.h index 9838d6589b..9378706af0 100644 --- a/lib/gnutls_pk.h +++ b/lib/gnutls_pk.h @@ -1,15 +1,20 @@ #ifndef GNUTLS_PK_H # define GNUTLS_PK_H -int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, const gnutls_datum *plaintext, - mpi_t * params, uint params_len, uint btype); -int _gnutls_dsa_sign(gnutls_datum * signature, const gnutls_datum *plaintext, - mpi_t *params, uint params_len); -int _gnutls_pkcs1_rsa_decrypt(gnutls_datum * plaintext, const gnutls_datum* ciphertext, - mpi_t * params, uint params_len, uint btype); -int _gnutls_rsa_verify( const gnutls_datum* vdata, const gnutls_datum *ciphertext, - mpi_t* params, int params_len, int btype); -int _gnutls_dsa_verify( const gnutls_datum* vdata, const gnutls_datum *sig_value, - mpi_t * params, int params_len); +int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, + const gnutls_datum * plaintext, + mpi_t * params, uint params_len, uint btype); +int _gnutls_dsa_sign(gnutls_datum * signature, + const gnutls_datum * plaintext, mpi_t * params, + uint params_len); +int _gnutls_pkcs1_rsa_decrypt(gnutls_datum * plaintext, + const gnutls_datum * ciphertext, + mpi_t * params, uint params_len, uint btype); +int _gnutls_rsa_verify(const gnutls_datum * vdata, + const gnutls_datum * ciphertext, mpi_t * params, + int params_len, int btype); +int _gnutls_dsa_verify(const gnutls_datum * vdata, + const gnutls_datum * sig_value, mpi_t * params, + int params_len); -#endif /* GNUTLS_PK_H */ +#endif /* GNUTLS_PK_H */ diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index 7a39b827a1..e3fa10e409 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -42,18 +42,19 @@ **/ int gnutls_cipher_set_priority(gnutls_session session, const int *list) { - int num = 0, i; + int num = 0, i; - while (list[num] != 0) num++; - if (num > MAX_ALGOS) num = MAX_ALGOS; - session->internals.cipher_algorithm_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.cipher_algorithm_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.cipher_algorithm_priority.priority[i] = - list[i]; - } + for (i = 0; i < num; i++) { + session->internals.cipher_algorithm_priority.priority[i] = list[i]; + } - return 0; + return 0; } /** @@ -70,18 +71,19 @@ int gnutls_cipher_set_priority(gnutls_session session, const int *list) **/ int gnutls_kx_set_priority(gnutls_session session, const int *list) { - int num = 0, i; + int num = 0, i; - while (list[num] != 0) num++; - if (num > MAX_ALGOS) num = MAX_ALGOS; - session->internals.kx_algorithm_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.kx_algorithm_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.kx_algorithm_priority.priority[i] = - list[i]; - } + for (i = 0; i < num; i++) { + session->internals.kx_algorithm_priority.priority[i] = list[i]; + } - return 0; + return 0; } /** @@ -98,18 +100,19 @@ int gnutls_kx_set_priority(gnutls_session session, const int *list) **/ int gnutls_mac_set_priority(gnutls_session session, const int *list) { - int num = 0, i; + int num = 0, i; - while (list[num] != 0) num++; - if (num > MAX_ALGOS) num = MAX_ALGOS; - session->internals.mac_algorithm_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.mac_algorithm_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.mac_algorithm_priority.priority[i] = - list[i]; - } + for (i = 0; i < num; i++) { + session->internals.mac_algorithm_priority.priority[i] = list[i]; + } - return 0; + return 0; } /** @@ -132,17 +135,19 @@ int gnutls_mac_set_priority(gnutls_session session, const int *list) int gnutls_compression_set_priority(gnutls_session session, const int *list) { - int num = 0, i; - - while (list[num] != 0) num++; - if (num > MAX_ALGOS) num = MAX_ALGOS; - session->internals.compression_method_priority.algorithms = num; - - for (i = 0; i < num; i++) { - session->internals.compression_method_priority. - priority[i] = list[i]; - } - return 0; + int num = 0, i; + + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.compression_method_priority.algorithms = num; + + for (i = 0; i < num; i++) { + session->internals.compression_method_priority. + priority[i] = list[i]; + } + return 0; } /** @@ -157,23 +162,25 @@ int gnutls_compression_set_priority(gnutls_session session, **/ int gnutls_protocol_set_priority(gnutls_session session, const int *list) { - int num = 0, i; + int num = 0, i; - while (list[num] != 0) num++; - if (num > MAX_ALGOS) num = MAX_ALGOS; - session->internals.protocol_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.protocol_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.protocol_priority.priority[i] = list[i]; - } + for (i = 0; i < num; i++) { + session->internals.protocol_priority.priority[i] = list[i]; + } - /* set the current version to the first in the chain. - * This will be overridden later. - */ - if (num > 0) - _gnutls_set_current_version(session, list[0]); + /* set the current version to the first in the chain. + * This will be overridden later. + */ + if (num > 0) + _gnutls_set_current_version(session, list[0]); - return 0; + return 0; } /** @@ -193,22 +200,23 @@ int gnutls_certificate_type_set_priority(gnutls_session session, { #ifdef USE_OPENPGP - int num = 0, i; + int num = 0, i; - while (list[num] != 0) num++; - if (num > MAX_ALGOS) num = MAX_ALGOS; - session->internals.cert_type_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.cert_type_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.cert_type_priority.priority[i] = - list[i]; - } + for (i = 0; i < num; i++) { + session->internals.cert_type_priority.priority[i] = list[i]; + } - return 0; + return 0; #else - return GNUTLS_E_UNIMPLEMENTED_FEATURE; + return GNUTLS_E_UNIMPLEMENTED_FEATURE; #endif } @@ -231,25 +239,24 @@ int gnutls_certificate_type_set_priority(gnutls_session session, **/ int gnutls_set_default_priority(gnutls_session session) { - static const int protocol_priority[] = - { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; - static const int kx_priority[] = - { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, 0 }; - static const int cipher_priority[] = { - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, 0 - }; - static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; - static const int mac_priority[] = - { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; - - gnutls_cipher_set_priority(session, cipher_priority); - gnutls_compression_set_priority(session, comp_priority); - gnutls_kx_set_priority(session, kx_priority); - gnutls_protocol_set_priority(session, protocol_priority); - gnutls_mac_set_priority(session, mac_priority); - - return 0; + static const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; + static const int kx_priority[] = + { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, 0 }; + static const int cipher_priority[] = { + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, 0 + }; + static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; + static const int mac_priority[] = + { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; + + gnutls_cipher_set_priority(session, cipher_priority); + gnutls_compression_set_priority(session, comp_priority); + gnutls_kx_set_priority(session, kx_priority); + gnutls_protocol_set_priority(session, protocol_priority); + gnutls_mac_set_priority(session, mac_priority); + + return 0; } /** @@ -268,27 +275,27 @@ int gnutls_set_default_priority(gnutls_session session) **/ int gnutls_set_default_export_priority(gnutls_session session) { - static const int protocol_priority[] = { - GNUTLS_TLS1, GNUTLS_SSL3, 0 - }; - static const int kx_priority[] = { - GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, - GNUTLS_KX_RSA_EXPORT, 0 - }; - static const int cipher_priority[] = { - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_CIPHER_ARCFOUR_40, 0 - }; - static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; - static const int mac_priority[] = - { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; - - gnutls_cipher_set_priority(session, cipher_priority); - gnutls_compression_set_priority(session, comp_priority); - gnutls_kx_set_priority(session, kx_priority); - gnutls_protocol_set_priority(session, protocol_priority); - gnutls_mac_set_priority(session, mac_priority); - - return 0; + static const int protocol_priority[] = { + GNUTLS_TLS1, GNUTLS_SSL3, 0 + }; + static const int kx_priority[] = { + GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, + GNUTLS_KX_RSA_EXPORT, 0 + }; + static const int cipher_priority[] = { + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_CIPHER_ARCFOUR_40, 0 + }; + static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; + static const int mac_priority[] = + { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; + + gnutls_cipher_set_priority(session, cipher_priority); + gnutls_compression_set_priority(session, comp_priority); + gnutls_kx_set_priority(session, kx_priority); + gnutls_protocol_set_priority(session, protocol_priority); + gnutls_mac_set_priority(session, mac_priority); + + return 0; } diff --git a/lib/gnutls_priority.h b/lib/gnutls_priority.h index 43cee47ea9..45b84c35d1 100644 --- a/lib/gnutls_priority.h +++ b/lib/gnutls_priority.h @@ -18,9 +18,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -int gnutls_cipher_set_priority( gnutls_session session, const int*); -int gnutls_kx_set_priority( gnutls_session session, const int*); -int gnutls_mac_set_priority( gnutls_session session, const int*); -int gnutls_compression_set_priority( gnutls_session session, const int*); -int gnutls_protocol_set_priority( gnutls_session session, const int*); -int gnutls_certificate_type_set_priority( gnutls_session session, const int*); +int gnutls_cipher_set_priority(gnutls_session session, const int *); +int gnutls_kx_set_priority(gnutls_session session, const int *); +int gnutls_mac_set_priority(gnutls_session session, const int *); +int gnutls_compression_set_priority(gnutls_session session, const int *); +int gnutls_protocol_set_priority(gnutls_session session, const int *); +int gnutls_certificate_type_set_priority(gnutls_session session, + const int *); diff --git a/lib/gnutls_random.c b/lib/gnutls_random.c index 01e61d4c54..d8360e8e66 100644 --- a/lib/gnutls_random.c +++ b/lib/gnutls_random.c @@ -33,11 +33,11 @@ int _gnutls_get_random(opaque * res, int bytes, int level) { if (level == GNUTLS_WEAK_RANDOM) { - gcry_create_nonce( res, bytes); - return 0; + gcry_create_nonce(res, bytes); + return 0; } - gcry_randomize( res, bytes, level); + gcry_randomize(res, bytes, level); return 0; } diff --git a/lib/gnutls_random.h b/lib/gnutls_random.h index 790ed7d2c9..2cbde3cbf6 100644 --- a/lib/gnutls_random.h +++ b/lib/gnutls_random.h @@ -4,4 +4,4 @@ #define GNUTLS_STRONG_RANDOM GCRY_STRONG_RANDOM #define GNUTLS_VERY_STRONG_RANDOM GCRY_VERY_STRONG_RANDOM -int _gnutls_get_random(opaque* res, int bytes, int); +int _gnutls_get_random(opaque * res, int bytes, int); diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index f90d01a683..9cf774dfa4 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c @@ -51,14 +51,15 @@ * Returns the version of the currently used protocol. * **/ -gnutls_protocol_version gnutls_protocol_get_version(gnutls_session session) +gnutls_protocol_version gnutls_protocol_get_version(gnutls_session session) { - return session->security_parameters.version; + return session->security_parameters.version; } -void _gnutls_set_current_version(gnutls_session session, gnutls_protocol_version version) +void _gnutls_set_current_version(gnutls_session session, + gnutls_protocol_version version) { - session->security_parameters.version = version; + session->security_parameters.version = version; } /** @@ -74,9 +75,9 @@ void _gnutls_set_current_version(gnutls_session session, gnutls_protocol_version * Otherwise it must be called and set lowat to zero. * **/ -void gnutls_transport_set_lowat(gnutls_session session, int num) +void gnutls_transport_set_lowat(gnutls_session session, int num) { - session->internals.lowat = num; + session->internals.lowat = num; } /** @@ -89,10 +90,11 @@ void gnutls_transport_set_lowat(gnutls_session session, int num) * handle. * **/ -void gnutls_transport_set_ptr(gnutls_session session, gnutls_transport_ptr ptr) +void gnutls_transport_set_ptr(gnutls_session session, + gnutls_transport_ptr ptr) { - session->internals.transport_recv_ptr = ptr; - session->internals.transport_send_ptr = ptr; + session->internals.transport_recv_ptr = ptr; + session->internals.transport_send_ptr = ptr; } @@ -108,11 +110,12 @@ void gnutls_transport_set_ptr(gnutls_session session, gnutls_transport_ptr ptr) * receiving and sending. * **/ -void gnutls_transport_set_ptr2(gnutls_session session, gnutls_transport_ptr recv_ptr, - gnutls_transport_ptr send_ptr) +void gnutls_transport_set_ptr2(gnutls_session session, + gnutls_transport_ptr recv_ptr, + gnutls_transport_ptr send_ptr) { - session->internals.transport_send_ptr = send_ptr; - session->internals.transport_recv_ptr = recv_ptr; + session->internals.transport_send_ptr = send_ptr; + session->internals.transport_recv_ptr = recv_ptr; } /** @@ -123,9 +126,9 @@ void gnutls_transport_set_ptr2(gnutls_session session, gnutls_transport_ptr recv * PULL). This must have been set using gnutls_transport_set_ptr(). * **/ -gnutls_transport_ptr gnutls_transport_get_ptr(gnutls_session session) +gnutls_transport_ptr gnutls_transport_get_ptr(gnutls_session session) { - return session->internals.transport_recv_ptr; + return session->internals.transport_recv_ptr; } /** @@ -139,12 +142,12 @@ gnutls_transport_ptr gnutls_transport_get_ptr(gnutls_session session) * **/ void gnutls_transport_get_ptr2(gnutls_session session, - gnutls_transport_ptr *recv_ptr, - gnutls_transport_ptr *send_ptr) + gnutls_transport_ptr * recv_ptr, + gnutls_transport_ptr * send_ptr) { - - *recv_ptr = session->internals.transport_recv_ptr; - *send_ptr = session->internals.transport_send_ptr; + + *recv_ptr = session->internals.transport_recv_ptr; + *send_ptr = session->internals.transport_send_ptr; } /** @@ -171,92 +174,94 @@ void gnutls_transport_get_ptr2(gnutls_session session, * gnutls_record_get_direction(). * **/ -int gnutls_bye( gnutls_session session, gnutls_close_request how) +int gnutls_bye(gnutls_session session, gnutls_close_request how) { - int ret = 0; - - switch (STATE) { - case STATE0: - case STATE60: - ret = _gnutls_io_write_flush( session); - STATE = STATE60; - if (ret < 0) { - gnutls_assert(); - return ret; - } - - case STATE61: - ret = gnutls_alert_send( session, GNUTLS_AL_WARNING, GNUTLS_A_CLOSE_NOTIFY); - STATE = STATE61; - if (ret < 0) { - gnutls_assert(); - return ret; - } - - case STATE62: - if ( how == GNUTLS_SHUT_RDWR) { - ret = _gnutls_recv_int( session, GNUTLS_ALERT, -1, NULL, 0); - if (ret >= 0) session->internals.may_not_read = 1; - } - STATE = STATE62; - - if (ret < 0) { - gnutls_assert(); - return ret; - } - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + int ret = 0; + + switch (STATE) { + case STATE0: + case STATE60: + ret = _gnutls_io_write_flush(session); + STATE = STATE60; + if (ret < 0) { + gnutls_assert(); + return ret; } - STATE = STATE0; - - session->internals.may_not_write = 1; - return 0; + case STATE61: + ret = + gnutls_alert_send(session, GNUTLS_AL_WARNING, + GNUTLS_A_CLOSE_NOTIFY); + STATE = STATE61; + if (ret < 0) { + gnutls_assert(); + return ret; + } + + case STATE62: + if (how == GNUTLS_SHUT_RDWR) { + ret = _gnutls_recv_int(session, GNUTLS_ALERT, -1, NULL, 0); + if (ret >= 0) + session->internals.may_not_read = 1; + } + STATE = STATE62; + + if (ret < 0) { + gnutls_assert(); + return ret; + } + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + STATE = STATE0; + + session->internals.may_not_write = 1; + return 0; } -inline -static void session_invalidate( gnutls_session session) +inline static void session_invalidate(gnutls_session session) { - session->internals.valid_connection = VALID_FALSE; + session->internals.valid_connection = VALID_FALSE; } -inline -static void session_unresumable( gnutls_session session) +inline static void session_unresumable(gnutls_session session) { - session->internals.resumable = RESUME_FALSE; + session->internals.resumable = RESUME_FALSE; } /* returns 0 if session is valid */ -inline -static int session_is_valid( gnutls_session session) { - if (session->internals.valid_connection==VALID_FALSE) - return GNUTLS_E_INVALID_SESSION; - - return 0; +inline static int session_is_valid(gnutls_session session) +{ + if (session->internals.valid_connection == VALID_FALSE) + return GNUTLS_E_INVALID_SESSION; + + return 0; } /* Copies the record version into the headers. The * version must have 2 bytes at least. */ -inline static -void copy_record_version( gnutls_session session, HandshakeType htype, - opaque version[2]) +inline static +void copy_record_version(gnutls_session session, HandshakeType htype, + opaque version[2]) { -gnutls_protocol_version lver; - - if (htype != GNUTLS_CLIENT_HELLO || session->internals.default_record_version[0] == 0) { - lver = gnutls_protocol_get_version( session); - - version[0] = _gnutls_version_get_major( lver); - version[1] = _gnutls_version_get_minor( lver); - } else { - version[0] = session->internals.default_record_version[0]; - version[1] = session->internals.default_record_version[1]; - } + gnutls_protocol_version lver; + + if (htype != GNUTLS_CLIENT_HELLO + || session->internals.default_record_version[0] == 0) { + lver = gnutls_protocol_get_version(session); + + version[0] = _gnutls_version_get_major(lver); + version[1] = _gnutls_version_get_minor(lver); + } else { + version[0] = session->internals.default_record_version[0]; + version[1] = session->internals.default_record_version[1]; + } } /* This function behaves exactly like write(). The only difference is @@ -273,157 +278,174 @@ gnutls_protocol_version lver; * and only if the previous send was interrupted for some reason. * */ -ssize_t _gnutls_send_int( gnutls_session session, content_type_t type, - HandshakeType htype, const void *_data, size_t sizeofdata) +ssize_t _gnutls_send_int(gnutls_session session, content_type_t type, + HandshakeType htype, const void *_data, + size_t sizeofdata) { - uint8 *cipher; - int cipher_size; - int retval, ret; - int data2send_size; - uint8 headers[5]; - const uint8 *data=_data; - int erecord_size = 0; - opaque* erecord = NULL; - - /* Do not allow null pointer if the send buffer is empty. - * If the previous send was interrupted then a null pointer is - * ok, and means to resume. - */ - if (session->internals.record_send_buffer.length == 0 && - (sizeofdata == 0 || _data==NULL)) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + uint8 *cipher; + int cipher_size; + int retval, ret; + int data2send_size; + uint8 headers[5]; + const uint8 *data = _data; + int erecord_size = 0; + opaque *erecord = NULL; + + /* Do not allow null pointer if the send buffer is empty. + * If the previous send was interrupted then a null pointer is + * ok, and means to resume. + */ + if (session->internals.record_send_buffer.length == 0 && + (sizeofdata == 0 || _data == NULL)) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (type != GNUTLS_ALERT) /* alert messages are sent anyway */ + if (session_is_valid(session) + || session->internals.may_not_write != 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; } - if (type!=GNUTLS_ALERT) /* alert messages are sent anyway */ - if ( session_is_valid( session) || session->internals.may_not_write != 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } + headers[0] = type; - headers[0] = type; - - /* Use the default record version, if it is - * set. - */ - copy_record_version( session, htype, &headers[1]); + /* Use the default record version, if it is + * set. + */ + copy_record_version(session, htype, &headers[1]); - _gnutls_record_log( "REC[%x]: Sending Packet[%d] %s(%d) with length: %d\n", - session, (int) _gnutls_uint64touint32(&session->connection_state.write_sequence_number), _gnutls_packet2str(type), type, sizeofdata); + _gnutls_record_log + ("REC[%x]: Sending Packet[%d] %s(%d) with length: %d\n", session, + (int) _gnutls_uint64touint32(&session->connection_state. + write_sequence_number), + _gnutls_packet2str(type), type, sizeofdata); - if ( sizeofdata > MAX_RECORD_SEND_SIZE) - data2send_size = MAX_RECORD_SEND_SIZE; - else - data2send_size = sizeofdata; + if (sizeofdata > MAX_RECORD_SEND_SIZE) + data2send_size = MAX_RECORD_SEND_SIZE; + else + data2send_size = sizeofdata; - /* Only encrypt if we don't have data to send - * from the previous run. - probably interrupted. - */ - if (session->internals.record_send_buffer.length > 0) { - ret = _gnutls_io_write_flush( session); - if (ret > 0) cipher_size = ret; - else cipher_size = 0; - - cipher = NULL; + /* Only encrypt if we don't have data to send + * from the previous run. - probably interrupted. + */ + if (session->internals.record_send_buffer.length > 0) { + ret = _gnutls_io_write_flush(session); + if (ret > 0) + cipher_size = ret; + else + cipher_size = 0; - retval = session->internals.record_send_buffer_user_size; - } else { + cipher = NULL; - /* now proceed to packet encryption - */ - cipher_size = data2send_size + MAX_RECORD_OVERHEAD; - cipher = gnutls_malloc( cipher_size); - if (cipher==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + retval = session->internals.record_send_buffer_user_size; + } else { - cipher_size = _gnutls_encrypt( session, headers, RECORD_HEADER_SIZE, data, data2send_size, cipher, - cipher_size, type, 1); - if (cipher_size <= 0) { - gnutls_assert(); - if (cipher_size==0) cipher_size = GNUTLS_E_ENCRYPTION_FAILED; - gnutls_afree( erecord); - gnutls_free( cipher); - return cipher_size; /* error */ - } + /* now proceed to packet encryption + */ + cipher_size = data2send_size + MAX_RECORD_OVERHEAD; + cipher = gnutls_malloc(cipher_size); + if (cipher == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - retval = data2send_size; - session->internals.record_send_buffer_user_size = data2send_size; + cipher_size = + _gnutls_encrypt(session, headers, RECORD_HEADER_SIZE, data, + data2send_size, cipher, cipher_size, type, 1); + if (cipher_size <= 0) { + gnutls_assert(); + if (cipher_size == 0) + cipher_size = GNUTLS_E_ENCRYPTION_FAILED; + gnutls_afree(erecord); + gnutls_free(cipher); + return cipher_size; /* error */ + } - /* increase sequence number - */ - if (_gnutls_uint64pp( &session->connection_state.write_sequence_number) != 0) { - session_invalidate( session); - gnutls_assert(); - gnutls_afree( erecord); - gnutls_free( cipher); - return GNUTLS_E_RECORD_LIMIT_REACHED; - } + retval = data2send_size; + session->internals.record_send_buffer_user_size = data2send_size; - ret = _gnutls_io_write_buffered2( session, erecord, erecord_size, cipher, cipher_size); - gnutls_afree( erecord); - gnutls_free( cipher); + /* increase sequence number + */ + if (_gnutls_uint64pp + (&session->connection_state.write_sequence_number) != 0) { + session_invalidate(session); + gnutls_assert(); + gnutls_afree(erecord); + gnutls_free(cipher); + return GNUTLS_E_RECORD_LIMIT_REACHED; } - if ( ret != cipher_size + erecord_size) { - if ( ret < 0 && gnutls_error_is_fatal(ret)==0) { - /* If we have sent any data then just return - * the error value. Do not invalidate the session. - */ - gnutls_assert(); - return ret; - } - - if (ret > 0) { - gnutls_assert(); - ret = GNUTLS_E_INTERNAL_ERROR; - } - session_unresumable( session); - session_invalidate( session); - gnutls_assert(); - return ret; + ret = + _gnutls_io_write_buffered2(session, erecord, erecord_size, + cipher, cipher_size); + gnutls_afree(erecord); + gnutls_free(cipher); + } + + if (ret != cipher_size + erecord_size) { + if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { + /* If we have sent any data then just return + * the error value. Do not invalidate the session. + */ + gnutls_assert(); + return ret; + } + + if (ret > 0) { + gnutls_assert(); + ret = GNUTLS_E_INTERNAL_ERROR; } + session_unresumable(session); + session_invalidate(session); + gnutls_assert(); + return ret; + } - session->internals.record_send_buffer_user_size = 0; + session->internals.record_send_buffer_user_size = 0; - _gnutls_record_log( "REC[%x]: Sent Packet[%d] %s(%d) with length: %d\n", - session, (int) _gnutls_uint64touint32(&session->connection_state.write_sequence_number), _gnutls_packet2str(type), type, cipher_size); + _gnutls_record_log("REC[%x]: Sent Packet[%d] %s(%d) with length: %d\n", + session, + (int) _gnutls_uint64touint32(&session-> + connection_state. + write_sequence_number), + _gnutls_packet2str(type), type, cipher_size); - return retval; + return retval; } /* This function is to be called if the handshake was successfully * completed. This sends a Change Cipher Spec packet to the peer. */ -ssize_t _gnutls_send_change_cipher_spec( gnutls_session session, int again) +ssize_t _gnutls_send_change_cipher_spec(gnutls_session session, int again) { - static const opaque data[1] = { GNUTLS_TYPE_CHANGE_CIPHER_SPEC }; + static const opaque data[1] = { GNUTLS_TYPE_CHANGE_CIPHER_SPEC }; - _gnutls_handshake_log( "REC[%x]: Sent ChangeCipherSpec\n", session); + _gnutls_handshake_log("REC[%x]: Sent ChangeCipherSpec\n", session); - if (again==0) - return _gnutls_send_int( session, GNUTLS_CHANGE_CIPHER_SPEC, -1, data, 1); - else { - return _gnutls_io_write_flush( session); - } + if (again == 0) + return _gnutls_send_int(session, GNUTLS_CHANGE_CIPHER_SPEC, -1, + data, 1); + else { + return _gnutls_io_write_flush(session); + } } -static int check_recv_type( content_type_t recv_type) +static int check_recv_type(content_type_t recv_type) { - switch( recv_type) { - case GNUTLS_CHANGE_CIPHER_SPEC: - case GNUTLS_ALERT: - case GNUTLS_HANDSHAKE: - case GNUTLS_APPLICATION_DATA: - return 0; - default: - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; - } + switch (recv_type) { + case GNUTLS_CHANGE_CIPHER_SPEC: + case GNUTLS_ALERT: + case GNUTLS_HANDSHAKE: + case GNUTLS_APPLICATION_DATA: + return 0; + default: + gnutls_assert(); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + } } @@ -431,28 +453,30 @@ static int check_recv_type( content_type_t recv_type) /* Checks if there are pending data in the record buffers. If there are * then it copies the data. */ -static int check_buffers( gnutls_session session, content_type_t type, opaque* data, int sizeofdata) +static int check_buffers(gnutls_session session, content_type_t type, + opaque * data, int sizeofdata) { - if ( (type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE) && _gnutls_record_buffer_get_size(type, session) > 0) { - int ret, ret2; - ret = _gnutls_record_buffer_get(type, session, data, sizeofdata); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* if the buffer just got empty */ - if (_gnutls_record_buffer_get_size(type, session)==0) { - if ( (ret2=_gnutls_io_clear_peeked_data( session)) < 0) { - gnutls_assert(); - return ret2; - } - } + if ((type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE) + && _gnutls_record_buffer_get_size(type, session) > 0) { + int ret, ret2; + ret = _gnutls_record_buffer_get(type, session, data, sizeofdata); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return ret; + /* if the buffer just got empty */ + if (_gnutls_record_buffer_get_size(type, session) == 0) { + if ((ret2 = _gnutls_io_clear_peeked_data(session)) < 0) { + gnutls_assert(); + return ret2; + } } - - return 0; + + return ret; + } + + return 0; } @@ -461,50 +485,56 @@ static int check_buffers( gnutls_session session, content_type_t type, opaque* d /* Checks the record headers and returns the length, version and * content type. */ -static -int record_check_headers( gnutls_session session, uint8 headers[RECORD_HEADER_SIZE], content_type_t type, - HandshakeType htype, /*output*/ content_type_t *recv_type, opaque version[2], uint16 *length, uint16* header_size) +static +int record_check_headers(gnutls_session session, + uint8 headers[RECORD_HEADER_SIZE], + content_type_t type, HandshakeType htype, + /*output */ content_type_t * recv_type, + opaque version[2], uint16 * length, + uint16 * header_size) { - /* Read the first two bytes to determine if this is a - * version 2 message + /* Read the first two bytes to determine if this is a + * version 2 message + */ + + if (htype == GNUTLS_CLIENT_HELLO && type == GNUTLS_HANDSHAKE + && headers[0] > 127) { + + /* if msb set and expecting handshake message + * it should be SSL 2 hello */ + version[0] = 3; /* assume SSL 3.0 */ + version[1] = 0; - if ( htype == GNUTLS_CLIENT_HELLO && type==GNUTLS_HANDSHAKE && headers[0] > 127) { + *length = (((headers[0] & 0x7f) << 8)) | headers[1]; - /* if msb set and expecting handshake message - * it should be SSL 2 hello - */ - version[0] = 3; /* assume SSL 3.0 */ - version[1] = 0; - - *length = (((headers[0] & 0x7f) << 8)) | headers[1]; - - /* SSL 2.0 headers */ - *header_size = 2; - *recv_type = GNUTLS_HANDSHAKE; /* we accept only v2 client hello - */ - - /* in order to assist the handshake protocol. - * V2 compatibility is a mess. - */ - session->internals.v2_hello = *length; + /* SSL 2.0 headers */ + *header_size = 2; + *recv_type = GNUTLS_HANDSHAKE; /* we accept only v2 client hello + */ - _gnutls_record_log( "REC[%x]: V2 packet received. Length: %d\n", session, *length); + /* in order to assist the handshake protocol. + * V2 compatibility is a mess. + */ + session->internals.v2_hello = *length; - } else { - /* version 3.x - */ - *recv_type = headers[0]; - version[0] = headers[1]; - version[1] = headers[2]; + _gnutls_record_log("REC[%x]: V2 packet received. Length: %d\n", + session, *length); - /* No DECR_LEN, since headers has enough size. - */ - *length = _gnutls_read_uint16( &headers[3]); - } + } else { + /* version 3.x + */ + *recv_type = headers[0]; + version[0] = headers[1]; + version[1] = headers[2]; - return 0; + /* No DECR_LEN, since headers has enough size. + */ + *length = _gnutls_read_uint16(&headers[3]); + } + + return 0; } /* Here we check if the advertized version is the one we @@ -512,19 +542,21 @@ int record_check_headers( gnutls_session session, uint8 headers[RECORD_HEADER_SI */ #ifdef CHECK_RECORD_VERSION inline -static int record_check_version( gnutls_session session, HandshakeType htype, opaque version[2]) + static int record_check_version(gnutls_session session, + HandshakeType htype, opaque version[2]) { - if ( (htype!=GNUTLS_CLIENT_HELLO && htype!=GNUTLS_SERVER_HELLO) && - gnutls_protocol_get_version(session) != _gnutls_version_get( version[0], version[1])) { + if ((htype != GNUTLS_CLIENT_HELLO && htype != GNUTLS_SERVER_HELLO) && + gnutls_protocol_get_version(session) != + _gnutls_version_get(version[0], version[1])) { - gnutls_assert(); - _gnutls_record_log( "REC[%x]: INVALID VERSION PACKET: (%d) %d.%d\n", - session, htype, version[0], version[1]); + gnutls_assert(); + _gnutls_record_log("REC[%x]: INVALID VERSION PACKET: (%d) %d.%d\n", + session, htype, version[0], version[1]); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; - } + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + } - return 0; + return 0; } #else # define record_check_version(x,y,z) 0 @@ -533,104 +565,114 @@ static int record_check_version( gnutls_session session, HandshakeType htype, op /* This function will check if the received record type is * the one we actually expect. */ -static int record_check_type( gnutls_session session, content_type_t recv_type, - content_type_t type, HandshakeType htype, opaque* data, int data_size) +static int record_check_type(gnutls_session session, + content_type_t recv_type, content_type_t type, + HandshakeType htype, opaque * data, + int data_size) { - - int ret; - - if ( (recv_type == type) && (type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE)) { - _gnutls_record_buffer_put(type, session, (void *) data, data_size); - } else { - switch (recv_type) { - case GNUTLS_ALERT: - - _gnutls_record_log( "REC[%x]: Alert[%d|%d] - %s - was received\n", - session, data[0], data[1], gnutls_alert_get_name((int)data[1])); - - session->internals.last_alert = data[1]; - - /* if close notify is received and - * the alert is not fatal - */ - if (data[1] == GNUTLS_A_CLOSE_NOTIFY && data[0] != GNUTLS_AL_FATAL) { - /* If we have been expecting for an alert do - */ - session->internals.read_eof = 1; - return GNUTLS_E_INT_RET_0; /* EOF */ - } else { - - /* if the alert is FATAL or WARNING - * return the apropriate message - */ - - gnutls_assert(); - ret = GNUTLS_E_WARNING_ALERT_RECEIVED; - if (data[0] == GNUTLS_AL_FATAL) { - session_unresumable( session); - session_invalidate( session); - ret = GNUTLS_E_FATAL_ALERT_RECEIVED; - } - - return ret; - } - break; - - case GNUTLS_CHANGE_CIPHER_SPEC: - /* this packet is now handled in the recv_int() - * function - */ - gnutls_assert(); - - return GNUTLS_E_UNEXPECTED_PACKET; - - case GNUTLS_APPLICATION_DATA: - /* even if data is unexpected put it into the buffer */ - if ( (ret=_gnutls_record_buffer_put(recv_type, session, (void *) data, data_size)) < 0) { - gnutls_assert(); - return ret; - } - - gnutls_assert(); - - /* the got_application data is only returned - * if expecting client hello (for rehandshake - * reasons). Otherwise it is an unexpected packet - */ - if (htype == GNUTLS_CLIENT_HELLO && type==GNUTLS_HANDSHAKE) - return GNUTLS_E_GOT_APPLICATION_DATA; - else return GNUTLS_E_UNEXPECTED_PACKET; - - break; - case GNUTLS_HANDSHAKE: - /* This is legal if HELLO_REQUEST is received - and we are a client. - * If we are a server, a client may initiate a renegotiation at any time. - */ - if ( session->security_parameters.entity==GNUTLS_SERVER) { - gnutls_assert(); - return GNUTLS_E_REHANDSHAKE; - } - - /* If we are already in a handshake then a Hello - * Request is illegal. But here we don't really care - * since this message will never make it up here. - */ - - /* So we accept it */ - return _gnutls_recv_hello_request( session, data, data_size); - - break; - default: - - _gnutls_record_log( "REC[%x]: Received Unknown packet %d expecting %d\n", - session, recv_type, type); - - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + + int ret; + + if ((recv_type == type) + && (type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE)) { + _gnutls_record_buffer_put(type, session, (void *) data, data_size); + } else { + switch (recv_type) { + case GNUTLS_ALERT: + + _gnutls_record_log + ("REC[%x]: Alert[%d|%d] - %s - was received\n", session, + data[0], data[1], gnutls_alert_get_name((int) data[1])); + + session->internals.last_alert = data[1]; + + /* if close notify is received and + * the alert is not fatal + */ + if (data[1] == GNUTLS_A_CLOSE_NOTIFY + && data[0] != GNUTLS_AL_FATAL) { + /* If we have been expecting for an alert do + */ + session->internals.read_eof = 1; + return GNUTLS_E_INT_RET_0; /* EOF */ + } else { + + /* if the alert is FATAL or WARNING + * return the apropriate message + */ + + gnutls_assert(); + ret = GNUTLS_E_WARNING_ALERT_RECEIVED; + if (data[0] == GNUTLS_AL_FATAL) { + session_unresumable(session); + session_invalidate(session); + ret = GNUTLS_E_FATAL_ALERT_RECEIVED; } + + return ret; + } + break; + + case GNUTLS_CHANGE_CIPHER_SPEC: + /* this packet is now handled in the recv_int() + * function + */ + gnutls_assert(); + + return GNUTLS_E_UNEXPECTED_PACKET; + + case GNUTLS_APPLICATION_DATA: + /* even if data is unexpected put it into the buffer */ + if ((ret = + _gnutls_record_buffer_put(recv_type, session, + (void *) data, + data_size)) < 0) { + gnutls_assert(); + return ret; + } + + gnutls_assert(); + + /* the got_application data is only returned + * if expecting client hello (for rehandshake + * reasons). Otherwise it is an unexpected packet + */ + if (htype == GNUTLS_CLIENT_HELLO && type == GNUTLS_HANDSHAKE) + return GNUTLS_E_GOT_APPLICATION_DATA; + else + return GNUTLS_E_UNEXPECTED_PACKET; + + break; + case GNUTLS_HANDSHAKE: + /* This is legal if HELLO_REQUEST is received - and we are a client. + * If we are a server, a client may initiate a renegotiation at any time. + */ + if (session->security_parameters.entity == GNUTLS_SERVER) { + gnutls_assert(); + return GNUTLS_E_REHANDSHAKE; + } + + /* If we are already in a handshake then a Hello + * Request is illegal. But here we don't really care + * since this message will never make it up here. + */ + + /* So we accept it */ + return _gnutls_recv_hello_request(session, data, data_size); + + break; + default: + + _gnutls_record_log + ("REC[%x]: Received Unknown packet %d expecting %d\n", + session, recv_type, type); + + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - - return 0; + } + + return 0; } @@ -639,35 +681,37 @@ static int record_check_type( gnutls_session session, content_type_t recv_type, * recv buffer. If the buffer was not initialized before it will * also initialize it. */ -inline -static int get_temp_recv_buffer( gnutls_session session, gnutls_datum* tmp) +inline + static int get_temp_recv_buffer(gnutls_session session, + gnutls_datum * tmp) { - /* We allocate MAX_RECORD_RECV_SIZE length - * because we cannot predict the output data by the record - * packet length (due to compression). - */ + /* We allocate MAX_RECORD_RECV_SIZE length + * because we cannot predict the output data by the record + * packet length (due to compression). + */ - if (MAX_RECORD_RECV_SIZE > session->internals.recv_buffer.size || - session->internals.recv_buffer.data == NULL) { - - /* Initialize the internal buffer. - */ - session->internals.recv_buffer.data = gnutls_realloc( - session->internals.recv_buffer.data, MAX_RECORD_RECV_SIZE); + if (MAX_RECORD_RECV_SIZE > session->internals.recv_buffer.size || + session->internals.recv_buffer.data == NULL) { - if (session->internals.recv_buffer.data==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - session->internals.recv_buffer.size = MAX_RECORD_RECV_SIZE; + /* Initialize the internal buffer. + */ + session->internals.recv_buffer.data = + gnutls_realloc(session->internals.recv_buffer.data, + MAX_RECORD_RECV_SIZE); + + if (session->internals.recv_buffer.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } - tmp->data = session->internals.recv_buffer.data; - tmp->size = session->internals.recv_buffer.size; - - return 0; + session->internals.recv_buffer.size = MAX_RECORD_RECV_SIZE; + } + + tmp->data = session->internals.recv_buffer.data; + tmp->size = session->internals.recv_buffer.size; + + return 0; } @@ -680,195 +724,226 @@ static int get_temp_recv_buffer( gnutls_session session, gnutls_datum* tmp) * * The HandshakeType was introduced to support SSL V2.0 client hellos. */ -ssize_t _gnutls_recv_int( gnutls_session session, content_type_t type, - HandshakeType htype, opaque *data, size_t sizeofdata) +ssize_t _gnutls_recv_int(gnutls_session session, content_type_t type, + HandshakeType htype, opaque * data, + size_t sizeofdata) { - gnutls_datum tmp; - int decrypted_length; - opaque version[2]; - uint8 *headers; - content_type_t recv_type; - uint16 length; - uint8 *ciphertext; - uint8 *recv_data; - int ret, ret2; - uint16 header_size; - int empty_packet = 0; - - if (type != GNUTLS_ALERT && (sizeofdata == 0 || data == NULL)) { - return GNUTLS_E_INVALID_REQUEST; - } + gnutls_datum tmp; + int decrypted_length; + opaque version[2]; + uint8 *headers; + content_type_t recv_type; + uint16 length; + uint8 *ciphertext; + uint8 *recv_data; + int ret, ret2; + uint16 header_size; + int empty_packet = 0; + + if (type != GNUTLS_ALERT && (sizeofdata == 0 || data == NULL)) { + return GNUTLS_E_INVALID_REQUEST; + } + + begin: + + if (empty_packet > MAX_EMPTY_PACKETS_SEQUENCE) { + gnutls_assert(); + return GNUTLS_E_TOO_MANY_EMPTY_PACKETS; + } + + if (session->internals.read_eof != 0) { + /* if we have already read an EOF + */ + return 0; + } else if (session_is_valid(session) != 0 + || session->internals.may_not_read != 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } - begin: - - if (empty_packet > MAX_EMPTY_PACKETS_SEQUENCE) { - gnutls_assert(); - return GNUTLS_E_TOO_MANY_EMPTY_PACKETS; - } - - if (session->internals.read_eof != 0) { - /* if we have already read an EOF - */ - return 0; - } else if ( session_is_valid(session)!=0 || session->internals.may_not_read!=0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } - /* If we have enough data in the cache do not bother receiving * a new packet. (in order to flush the cache) */ - ret = check_buffers( session, type, data, sizeofdata); - if (ret != 0) - return ret; + ret = check_buffers(session, type, data, sizeofdata); + if (ret != 0) + return ret; /* default headers for TLS 1.0 */ - header_size = RECORD_HEADER_SIZE; - - if ( (ret = _gnutls_io_read_buffered( session, &headers, header_size, -1)) != header_size) { - if (ret < 0 && gnutls_error_is_fatal(ret)==0) return ret; - - session_invalidate( session); - if (type==GNUTLS_ALERT) { - gnutls_assert(); - return 0; /* we were expecting close notify */ - } - session_unresumable( session); - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - - if ( (ret=record_check_headers( session, headers, type, htype, &recv_type, version, &length, &header_size)) < 0) { - gnutls_assert(); - return ret; + header_size = RECORD_HEADER_SIZE; + + if ((ret = + _gnutls_io_read_buffered(session, &headers, header_size, + -1)) != header_size) { + if (ret < 0 && gnutls_error_is_fatal(ret) == 0) + return ret; + + session_invalidate(session); + if (type == GNUTLS_ALERT) { + gnutls_assert(); + return 0; /* we were expecting close notify */ } + session_unresumable(session); + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + if ((ret = + record_check_headers(session, headers, type, htype, &recv_type, + version, &length, &header_size)) < 0) { + gnutls_assert(); + return ret; + } /* Here we check if the Type of the received packet is * ok. */ - if ( (ret = check_recv_type( recv_type)) < 0) { - - gnutls_assert(); - return ret; - } + if ((ret = check_recv_type(recv_type)) < 0) { + + gnutls_assert(); + return ret; + } /* Here we check if the advertized version is the one we * negotiated in the handshake. */ - if ( (ret=record_check_version( session, htype, version)) < 0) { - gnutls_assert(); - session_invalidate( session); - return ret; - } - - _gnutls_record_log( "REC[%x]: Expected Packet[%d] %s(%d) with length: %d\n", - session, (int) _gnutls_uint64touint32(&session->connection_state.read_sequence_number), _gnutls_packet2str(type), type, sizeofdata); - _gnutls_record_log( "REC[%x]: Received Packet[%d] %s(%d) with length: %d\n", - session, (int) _gnutls_uint64touint32(&session->connection_state.read_sequence_number), _gnutls_packet2str(recv_type), recv_type, length); - - if (length > MAX_RECV_SIZE) { - - _gnutls_record_log( "REC[%x]: FATAL ERROR: Received packet with length: %d\n", session, length); - - session_unresumable( session); - session_invalidate( session); - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + if ((ret = record_check_version(session, htype, version)) < 0) { + gnutls_assert(); + session_invalidate(session); + return ret; + } + + _gnutls_record_log + ("REC[%x]: Expected Packet[%d] %s(%d) with length: %d\n", session, + (int) _gnutls_uint64touint32(&session->connection_state. + read_sequence_number), + _gnutls_packet2str(type), type, sizeofdata); + _gnutls_record_log + ("REC[%x]: Received Packet[%d] %s(%d) with length: %d\n", session, + (int) _gnutls_uint64touint32(&session->connection_state. + read_sequence_number), + _gnutls_packet2str(recv_type), recv_type, length); + + if (length > MAX_RECV_SIZE) { + + _gnutls_record_log + ("REC[%x]: FATAL ERROR: Received packet with length: %d\n", + session, length); + + session_unresumable(session); + session_invalidate(session); + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } /* check if we have that data into buffer. */ - if ( (ret = _gnutls_io_read_buffered( session, &recv_data, header_size+length, recv_type)) != header_size+length) { - if (ret<0 && gnutls_error_is_fatal(ret)==0) return ret; + if ((ret = + _gnutls_io_read_buffered(session, &recv_data, + header_size + length, + recv_type)) != header_size + length) { + if (ret < 0 && gnutls_error_is_fatal(ret) == 0) + return ret; + + session_unresumable(session); + session_invalidate(session); + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } - session_unresumable( session); - session_invalidate( session); - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - /* ok now we are sure that we can read all the data - so * move on ! */ - _gnutls_io_clear_read_buffer( session); - ciphertext = &recv_data[header_size]; - - ret = get_temp_recv_buffer( session, &tmp); - if (ret < 0) { - gnutls_assert(); - return ret; - } + _gnutls_io_clear_read_buffer(session); + ciphertext = &recv_data[header_size]; + + ret = get_temp_recv_buffer(session, &tmp); + if (ret < 0) { + gnutls_assert(); + return ret; + } /* decrypt the data we got. */ - ret = _gnutls_decrypt( session, ciphertext, length, tmp.data, tmp.size, recv_type); - if (ret < 0) { - session_unresumable( session); - session_invalidate( session); - gnutls_assert(); - return ret; - } - decrypted_length = ret; + ret = + _gnutls_decrypt(session, ciphertext, length, tmp.data, tmp.size, + recv_type); + if (ret < 0) { + session_unresumable(session); + session_invalidate(session); + gnutls_assert(); + return ret; + } + decrypted_length = ret; /* Check if this is a CHANGE_CIPHER_SPEC */ - if (type == GNUTLS_CHANGE_CIPHER_SPEC && recv_type == GNUTLS_CHANGE_CIPHER_SPEC) { - - _gnutls_record_log( "REC[%x]: ChangeCipherSpec Packet was received\n", session); + if (type == GNUTLS_CHANGE_CIPHER_SPEC + && recv_type == GNUTLS_CHANGE_CIPHER_SPEC) { - if ((size_t)ret!=sizeofdata) { /* sizeofdata should be 1 */ - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - memcpy( data, tmp.data, sizeofdata); + _gnutls_record_log + ("REC[%x]: ChangeCipherSpec Packet was received\n", session); - return ret; + if ((size_t) ret != sizeofdata) { /* sizeofdata should be 1 */ + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } + memcpy(data, tmp.data, sizeofdata); + + return ret; + } - _gnutls_record_log( "REC[%x]: Decrypted Packet[%d] %s(%d) with length: %d\n", - session, (int) _gnutls_uint64touint32(&session->connection_state.read_sequence_number), _gnutls_packet2str(recv_type), recv_type, decrypted_length); + _gnutls_record_log + ("REC[%x]: Decrypted Packet[%d] %s(%d) with length: %d\n", session, + (int) _gnutls_uint64touint32(&session->connection_state. + read_sequence_number), + _gnutls_packet2str(recv_type), recv_type, decrypted_length); /* increase sequence number */ - if (_gnutls_uint64pp( &session->connection_state.read_sequence_number)!=0) { - session_invalidate( session); - gnutls_assert(); - return GNUTLS_E_RECORD_LIMIT_REACHED; - } - - ret= record_check_type( session, recv_type, type, htype, tmp.data, decrypted_length); - if (ret < 0) { - if (ret==GNUTLS_E_INT_RET_0) return 0; - gnutls_assert(); - return ret; - } + if (_gnutls_uint64pp(&session->connection_state.read_sequence_number) + != 0) { + session_invalidate(session); + gnutls_assert(); + return GNUTLS_E_RECORD_LIMIT_REACHED; + } + + ret = + record_check_type(session, recv_type, type, htype, tmp.data, + decrypted_length); + if (ret < 0) { + if (ret == GNUTLS_E_INT_RET_0) + return 0; + gnutls_assert(); + return ret; + } /* Get Application data from buffer */ - if ((type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE) && (recv_type == type)) { + if ((type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE) + && (recv_type == type)) { - ret = _gnutls_record_buffer_get(type, session, data, sizeofdata); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_record_buffer_get(type, session, data, sizeofdata); + if (ret < 0) { + gnutls_assert(); + return ret; + } /* if the buffer just got empty - */ - if (_gnutls_record_buffer_get_size(type, session)==0) { - if ( (ret2 = _gnutls_io_clear_peeked_data( session)) < 0) { - gnutls_assert(); - return ret2; - } - } - } else { + */ + if (_gnutls_record_buffer_get_size(type, session) == 0) { + if ((ret2 = _gnutls_io_clear_peeked_data(session)) < 0) { gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET; + return ret2; + } + } + } else { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET; /* we didn't get what we wanted to */ - } + } /* (originally for) TLS 1.0 CBC protection. * Actually this code is called if we just received @@ -877,12 +952,12 @@ ssize_t _gnutls_recv_int( gnutls_session session, content_type_t type, * In that case we go to the beginning and start reading * the next packet. */ - if (ret==0) { - empty_packet++; - goto begin; - } - - return ret; + if (ret == 0) { + empty_packet++; + goto begin; + } + + return ret; } @@ -910,9 +985,11 @@ ssize_t _gnutls_recv_int( gnutls_session session, content_type_t type, * maximum record size. * **/ -ssize_t gnutls_record_send( gnutls_session session, const void *data, size_t sizeofdata) +ssize_t gnutls_record_send(gnutls_session session, const void *data, + size_t sizeofdata) { - return _gnutls_send_int( session, GNUTLS_APPLICATION_DATA, -1, data, sizeofdata); + return _gnutls_send_int(session, GNUTLS_APPLICATION_DATA, -1, data, + sizeofdata); } /** @@ -937,9 +1014,11 @@ ssize_t gnutls_record_send( gnutls_session session, const void *data, size_t siz * A negative error code is returned in case of an error. * **/ -ssize_t gnutls_record_recv( gnutls_session session, void *data, size_t sizeofdata) +ssize_t gnutls_record_recv(gnutls_session session, void *data, + size_t sizeofdata) { - return _gnutls_recv_int( session, GNUTLS_APPLICATION_DATA, -1, data, sizeofdata); + return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, -1, data, + sizeofdata); } /** @@ -951,12 +1030,12 @@ ssize_t gnutls_record_recv( gnutls_session session, void *data, size_t sizeofdat * first handshake message. * **/ -size_t gnutls_record_get_max_size( gnutls_session session) +size_t gnutls_record_get_max_size(gnutls_session session) { - /* Recv will hold the negotiated max record size - * always. - */ - return session->security_parameters.max_record_recv_size; + /* Recv will hold the negotiated max record size + * always. + */ + return session->security_parameters.max_record_recv_size; } @@ -978,23 +1057,23 @@ size_t gnutls_record_get_max_size( gnutls_session session) * Not all TLS implementations use or even understand this extension. * **/ -ssize_t gnutls_record_set_max_size( gnutls_session session, size_t size) +ssize_t gnutls_record_set_max_size(gnutls_session session, size_t size) { -ssize_t new_size; + ssize_t new_size; - if (session->security_parameters.entity==GNUTLS_SERVER) - return GNUTLS_E_INVALID_REQUEST; + if (session->security_parameters.entity == GNUTLS_SERVER) + return GNUTLS_E_INVALID_REQUEST; - new_size = _gnutls_mre_record2num( size); + new_size = _gnutls_mre_record2num(size); - if (new_size < 0) { - gnutls_assert(); - return new_size; - } - - session->security_parameters.max_record_send_size = size; + if (new_size < 0) { + gnutls_assert(); + return new_size; + } - session->internals.proposed_record_size = size; + session->security_parameters.max_record_send_size = size; - return 0; + session->internals.proposed_record_size = size; + + return 0; } diff --git a/lib/gnutls_record.h b/lib/gnutls_record.h index 2b4f5e4f92..1952f487da 100644 --- a/lib/gnutls_record.h +++ b/lib/gnutls_record.h @@ -1,6 +1,7 @@ -ssize_t _gnutls_send_int( gnutls_session session, content_type_t type, - HandshakeType htype, const void* data, size_t sizeofdata); -ssize_t _gnutls_recv_int( gnutls_session session, content_type_t type, - HandshakeType, opaque* data, size_t sizeofdata); -ssize_t _gnutls_send_change_cipher_spec( gnutls_session session, int again); +ssize_t _gnutls_send_int(gnutls_session session, content_type_t type, + HandshakeType htype, const void *data, + size_t sizeofdata); +ssize_t _gnutls_recv_int(gnutls_session session, content_type_t type, + HandshakeType, opaque * data, size_t sizeofdata); +ssize_t _gnutls_send_change_cipher_spec(gnutls_session session, int again); void gnutls_transport_set_lowat(gnutls_session session, int num); diff --git a/lib/gnutls_rsa_export.c b/lib/gnutls_rsa_export.c index 597a45145a..84d25436d9 100644 --- a/lib/gnutls_rsa_export.c +++ b/lib/gnutls_rsa_export.c @@ -23,7 +23,7 @@ /* This file contains code for RSA temporary keys. These keys are * only used in export cipher suites. */ - + #include <gnutls_int.h> #include <gnutls_errors.h> #include <gnutls_datum.h> @@ -42,114 +42,114 @@ /* returns e and m, depends on the requested bits. * We only support limited key sizes. */ -const mpi_t* _gnutls_get_rsa_params(gnutls_rsa_params rsa_params) +const mpi_t *_gnutls_get_rsa_params(gnutls_rsa_params rsa_params) { - if (rsa_params == NULL) { - return NULL; - } + if (rsa_params == NULL) { + return NULL; + } - return rsa_params->params; + return rsa_params->params; } /* resarr will contain: modulus(0), public exponent(1), private exponent(2), * prime1 - p (3), prime2 - q(4), u (5). */ -int _gnutls_rsa_generate_params(mpi_t* resarr, int* resarr_len, int bits) +int _gnutls_rsa_generate_params(mpi_t * resarr, int *resarr_len, int bits) { - int ret; - gcry_sexp_t parms, key, list; - - ret = gcry_sexp_build( &parms, NULL, "(genkey(rsa(nbits %d)))", bits); - if (ret != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* generate the RSA key */ - ret = gcry_pk_genkey( &key, parms); - gcry_sexp_release( parms); - - if (ret != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - list = gcry_sexp_find_token( key, "n", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - list = gcry_sexp_find_token( key, "e", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[1] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - list = gcry_sexp_find_token( key, "d", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[2] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - list = gcry_sexp_find_token( key, "p", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[3] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - - list = gcry_sexp_find_token( key, "q", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[4] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - - list = gcry_sexp_find_token( key, "u", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[5] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + int ret; + gcry_sexp_t parms, key, list; + + ret = gcry_sexp_build(&parms, NULL, "(genkey(rsa(nbits %d)))", bits); + if (ret != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* generate the RSA key */ + ret = gcry_pk_genkey(&key, parms); + gcry_sexp_release(parms); + + if (ret != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + list = gcry_sexp_find_token(key, "n", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + list = gcry_sexp_find_token(key, "e", 0); + if (list == NULL) { + gnutls_assert(); gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } - _gnutls_dump_mpi( "n: ", resarr[0]); - _gnutls_dump_mpi( "e: ", resarr[1]); - _gnutls_dump_mpi( "d: ", resarr[2]); - _gnutls_dump_mpi( "p: ", resarr[3]); - _gnutls_dump_mpi( "q: ", resarr[4]); - _gnutls_dump_mpi( "u: ", resarr[5]); - - *resarr_len = 6; + resarr[1] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); - return 0; + list = gcry_sexp_find_token(key, "d", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[2] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + + list = gcry_sexp_find_token(key, "p", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[3] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + + + list = gcry_sexp_find_token(key, "q", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[4] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + + + list = gcry_sexp_find_token(key, "u", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[5] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + + gcry_sexp_release(key); + + _gnutls_dump_mpi("n: ", resarr[0]); + _gnutls_dump_mpi("e: ", resarr[1]); + _gnutls_dump_mpi("d: ", resarr[2]); + _gnutls_dump_mpi("p: ", resarr[3]); + _gnutls_dump_mpi("q: ", resarr[4]); + _gnutls_dump_mpi("u: ", resarr[5]); + + *resarr_len = 6; + + return 0; } @@ -168,13 +168,16 @@ int _gnutls_rsa_generate_params(mpi_t* resarr, int* resarr_len, int bits) * The new parameters should be stored in the appropriate gnutls_datum. * **/ -int gnutls_rsa_params_import_raw(gnutls_rsa_params rsa_params, - const gnutls_datum *m, const gnutls_datum *e, - const gnutls_datum *d, const gnutls_datum *p, - const gnutls_datum *q, const gnutls_datum *u) +int gnutls_rsa_params_import_raw(gnutls_rsa_params rsa_params, + const gnutls_datum * m, + const gnutls_datum * e, + const gnutls_datum * d, + const gnutls_datum * p, + const gnutls_datum * q, + const gnutls_datum * u) { - return gnutls_x509_privkey_import_rsa_raw( rsa_params, - m, e, d, p, q, u); + return gnutls_x509_privkey_import_rsa_raw(rsa_params, + m, e, d, p, q, u); } /** @@ -186,17 +189,17 @@ int gnutls_rsa_params_import_raw(gnutls_rsa_params rsa_params, **/ int gnutls_rsa_params_init(gnutls_rsa_params * rsa_params) { -int ret; - - ret = gnutls_x509_privkey_init( rsa_params); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - (*rsa_params)->crippled = 1; - - return 0; + int ret; + + ret = gnutls_x509_privkey_init(rsa_params); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + (*rsa_params)->crippled = 1; + + return 0; } /** @@ -208,7 +211,7 @@ int ret; **/ void gnutls_rsa_params_deinit(gnutls_rsa_params rsa_params) { - gnutls_x509_privkey_deinit(rsa_params); + gnutls_x509_privkey_deinit(rsa_params); } /** @@ -222,7 +225,7 @@ void gnutls_rsa_params_deinit(gnutls_rsa_params rsa_params) **/ int gnutls_rsa_params_cpy(gnutls_rsa_params dst, gnutls_rsa_params src) { - return gnutls_x509_privkey_cpy( dst, src); + return gnutls_x509_privkey_cpy(dst, src); } /** @@ -240,9 +243,10 @@ int gnutls_rsa_params_cpy(gnutls_rsa_params dst, gnutls_rsa_params src) * no use calling this in client side. * **/ -int gnutls_rsa_params_generate2(gnutls_rsa_params params, unsigned int bits) +int gnutls_rsa_params_generate2(gnutls_rsa_params params, + unsigned int bits) { - return gnutls_x509_privkey_generate( params, GNUTLS_PK_RSA, bits, 0); + return gnutls_x509_privkey_generate(params, GNUTLS_PK_RSA, bits, 0); } /** @@ -261,11 +265,11 @@ int gnutls_rsa_params_generate2(gnutls_rsa_params params, unsigned int bits) * 0 on success. * **/ -int gnutls_rsa_params_import_pkcs1(gnutls_rsa_params params, - const gnutls_datum * pkcs1_params, gnutls_x509_crt_fmt format) +int gnutls_rsa_params_import_pkcs1(gnutls_rsa_params params, + const gnutls_datum * pkcs1_params, + gnutls_x509_crt_fmt format) { - return gnutls_x509_privkey_import( params, pkcs1_params, - format); + return gnutls_x509_privkey_import(params, pkcs1_params, format); } @@ -287,12 +291,13 @@ int gnutls_rsa_params_import_pkcs1(gnutls_rsa_params params, * 0 on success. * **/ -int gnutls_rsa_params_export_pkcs1( gnutls_rsa_params params, - gnutls_x509_crt_fmt format, unsigned char* params_data, - size_t* params_data_size) +int gnutls_rsa_params_export_pkcs1(gnutls_rsa_params params, + gnutls_x509_crt_fmt format, + unsigned char *params_data, + size_t * params_data_size) { - return gnutls_x509_privkey_export( params, format, - params_data, params_data_size); + return gnutls_x509_privkey_export(params, format, + params_data, params_data_size); } @@ -313,21 +318,22 @@ int gnutls_rsa_params_export_pkcs1( gnutls_rsa_params params, * **/ int gnutls_rsa_params_export_raw(gnutls_rsa_params params, - gnutls_datum * m, gnutls_datum *e, - gnutls_datum *d, gnutls_datum *p, gnutls_datum* q, - gnutls_datum* u, unsigned int *bits) + gnutls_datum * m, gnutls_datum * e, + gnutls_datum * d, gnutls_datum * p, + gnutls_datum * q, gnutls_datum * u, + unsigned int *bits) { -int ret; + int ret; - ret = gnutls_x509_privkey_export_rsa_raw( params, m, e, d, p, q, u); - if ( ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_x509_privkey_export_rsa_raw(params, m, e, d, p, q, u); + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (bits) - *bits = _gnutls_mpi_get_nbits(params->params[3]); + if (bits) + *bits = _gnutls_mpi_get_nbits(params->params[3]); - return 0; + return 0; } diff --git a/lib/gnutls_rsa_export.h b/lib/gnutls_rsa_export.h index ce2c70e4f0..0d18464982 100644 --- a/lib/gnutls_rsa_export.h +++ b/lib/gnutls_rsa_export.h @@ -18,8 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -const mpi_t* _gnutls_get_rsa_params(gnutls_rsa_params); -int _gnutls_peers_cert_less_512( gnutls_session session); -int _gnutls_rsa_generate_params(mpi_t* resarr, int* resarr_len, int bits); +const mpi_t *_gnutls_get_rsa_params(gnutls_rsa_params); +int _gnutls_peers_cert_less_512(gnutls_session session); +int _gnutls_rsa_generate_params(mpi_t * resarr, int *resarr_len, int bits); void gnutls_rsa_params_deinit(gnutls_rsa_params rsa_params); - diff --git a/lib/gnutls_session.c b/lib/gnutls_session.c index ca043c5b21..9eabfa043f 100644 --- a/lib/gnutls_session.c +++ b/lib/gnutls_session.c @@ -39,34 +39,35 @@ * * Resuming sessions is really useful and speedups connections after a succesful one. **/ -int gnutls_session_get_data( gnutls_session session, - void* session_data, size_t *session_data_size) +int gnutls_session_get_data(gnutls_session session, + void *session_data, size_t * session_data_size) { - gnutls_datum psession; - int ret; - - if (*session_data_size < SESSION_SIZE || session_data==NULL) { - *session_data_size = SESSION_SIZE; - session_data = NULL; /* return with the new session_data_size value */ - } - - if (session->internals.resumable==RESUME_FALSE) return GNUTLS_E_INVALID_SESSION; - /* just return the session size */ - if (session_data==NULL) { - return 0; - } - - psession.data = session_data; - - ret = _gnutls_session_pack( session, &psession); - if (ret< 0) { - gnutls_assert(); - return ret; - } - *session_data_size = psession.size; + gnutls_datum psession; + int ret; + if (*session_data_size < SESSION_SIZE || session_data == NULL) { + *session_data_size = SESSION_SIZE; + session_data = NULL; /* return with the new session_data_size value */ + } + + if (session->internals.resumable == RESUME_FALSE) + return GNUTLS_E_INVALID_SESSION; + /* just return the session size */ + if (session_data == NULL) { return 0; + } + + psession.data = session_data; + + ret = _gnutls_session_pack(session, &psession); + if (ret < 0) { + gnutls_assert(); + return ret; + } + *session_data_size = psession.size; + + return 0; } @@ -84,19 +85,20 @@ int gnutls_session_get_data( gnutls_session session, * Session id is some data set by the server, that identify the current session. * In TLS 1.0 and SSL 3.0 session id is always less than 32 bytes. **/ -int gnutls_session_get_id( gnutls_session session, - void* session_id, size_t *session_id_size) +int gnutls_session_get_id(gnutls_session session, + void *session_id, size_t * session_id_size) { - *session_id_size = session->security_parameters.session_id_size; - - /* just return the session size */ - if (session_id==NULL) { - return 0; - } - memcpy( session_id, &session->security_parameters.session_id, *session_id_size); - + *session_id_size = session->security_parameters.session_id_size; + + /* just return the session size */ + if (session_id == NULL) { return 0; + } + memcpy(session_id, &session->security_parameters.session_id, + *session_id_size); + + return 0; } /** @@ -116,24 +118,25 @@ int gnutls_session_get_id( gnutls_session session, * Returns a negative value on error. * **/ -int gnutls_session_set_data( gnutls_session session, const void* session_data, - size_t session_data_size) +int gnutls_session_set_data(gnutls_session session, + const void *session_data, + size_t session_data_size) { - int ret; - gnutls_datum psession; - - psession.data = (opaque*)session_data; - psession.size = session_data_size; - - if (session_data==NULL || session_data_size == 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - ret = _gnutls_session_unpack( session, &psession); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - return 0; + int ret; + gnutls_datum psession; + + psession.data = (opaque *) session_data; + psession.size = session_data_size; + + if (session_data == NULL || session_data_size == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + ret = _gnutls_session_unpack(session, &psession); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } diff --git a/lib/gnutls_session.h b/lib/gnutls_session.h index c9c25b4fa4..882d56fed0 100644 --- a/lib/gnutls_session.h +++ b/lib/gnutls_session.h @@ -18,5 +18,8 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -int gnutls_session_set_data( gnutls_session session, const opaque* session_data, int session_data_size); -int gnutls_session_get_data( gnutls_session session, opaque* session_data, int *session_data_size); +int gnutls_session_set_data(gnutls_session session, + const opaque * session_data, + int session_data_size); +int gnutls_session_get_data(gnutls_session session, opaque * session_data, + int *session_data_size); diff --git a/lib/gnutls_session_pack.c b/lib/gnutls_session_pack.c index 3fff4977fb..ff0c990621 100644 --- a/lib/gnutls_session_pack.c +++ b/lib/gnutls_session_pack.c @@ -19,7 +19,7 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * */ - + /* Contains functions that are supposed to pack and unpack session data, * before and after they are sent to the database backend. */ @@ -35,382 +35,391 @@ #include <gnutls_num.h> #define PACK_HEADER_SIZE 1 -int _gnutls_pack_certificate_auth_info( cert_auth_info_t info, - gnutls_datum * packed_session); +int _gnutls_pack_certificate_auth_info(cert_auth_info_t info, + gnutls_datum * packed_session); int _gnutls_unpack_certificate_auth_info(cert_auth_info_t info, - const gnutls_datum * packed_session); -static int _gnutls_pack_certificate_auth_info_size( cert_auth_info_t info); + const gnutls_datum * + packed_session); +static int _gnutls_pack_certificate_auth_info_size(cert_auth_info_t info); /* Since auth_info structures contain malloced data, this function * is required in order to pack these structures in a vector in * order to store them to the DB. */ -int _gnutls_session_pack(gnutls_session session, gnutls_datum * packed_session) +int _gnutls_session_pack(gnutls_session session, + gnutls_datum * packed_session) { - uint32 pack_size; - int ret; + uint32 pack_size; + int ret; - if (packed_session==NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (packed_session == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - switch (gnutls_auth_get_type(session)) { + switch (gnutls_auth_get_type(session)) { #ifdef ENABLE_SRP - case GNUTLS_CRD_SRP:{ - srp_server_auth_info_t info = - _gnutls_get_auth_info(session); - - - if (info == NULL && session->key->auth_info_size!=0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - pack_size = session->key->auth_info_size; - packed_session->size = - PACK_HEADER_SIZE + pack_size + sizeof(uint32); - - packed_session->data[0] = GNUTLS_CRD_SRP; - _gnutls_write_uint32(pack_size, - &packed_session-> - data[PACK_HEADER_SIZE]); - - if (session->key->auth_info_size > 0) - memcpy(&packed_session-> - data[PACK_HEADER_SIZE + sizeof(uint32)], - info, session->key->auth_info_size); + case GNUTLS_CRD_SRP:{ + srp_server_auth_info_t info = _gnutls_get_auth_info(session); - } - break; -#endif - case GNUTLS_CRD_ANON:{ - anon_client_auth_info_t info = - _gnutls_get_auth_info(session); - if (info == NULL && session->key->auth_info_size!=0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - packed_session->size = - PACK_HEADER_SIZE + session->key->auth_info_size + sizeof(uint32); - - packed_session->data[0] = GNUTLS_CRD_ANON; - _gnutls_write_uint32(session->key->auth_info_size, - &packed_session-> - data[PACK_HEADER_SIZE]); - - if (session->key->auth_info_size > 0) - memcpy(&packed_session-> - data[PACK_HEADER_SIZE + sizeof(uint32)], - info, session->key->auth_info_size); - - } - break; - case GNUTLS_CRD_CERTIFICATE:{ - cert_auth_info_t info = - _gnutls_get_auth_info(session); - if (info == NULL && session->key->auth_info_size!=0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = - _gnutls_pack_certificate_auth_info(info, - packed_session); - if (ret < 0) { - gnutls_assert(); - return ret; - } - } - break; - default: - return GNUTLS_E_INTERNAL_ERROR; + if (info == NULL && session->key->auth_info_size != 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + pack_size = session->key->auth_info_size; + packed_session->size = + PACK_HEADER_SIZE + pack_size + sizeof(uint32); + + packed_session->data[0] = GNUTLS_CRD_SRP; + _gnutls_write_uint32(pack_size, + &packed_session->data[PACK_HEADER_SIZE]); + + if (session->key->auth_info_size > 0) + memcpy(&packed_session-> + data[PACK_HEADER_SIZE + sizeof(uint32)], + info, session->key->auth_info_size); } - /* Auth_info structures copied. Now copy security_parameters_st. - */ - packed_session->size += sizeof(security_parameters_st)+sizeof(uint32); + break; +#endif + case GNUTLS_CRD_ANON:{ + anon_client_auth_info_t info = _gnutls_get_auth_info(session); + if (info == NULL && session->key->auth_info_size != 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + packed_session->size = + PACK_HEADER_SIZE + session->key->auth_info_size + + sizeof(uint32); + + packed_session->data[0] = GNUTLS_CRD_ANON; + _gnutls_write_uint32(session->key->auth_info_size, + &packed_session->data[PACK_HEADER_SIZE]); + + if (session->key->auth_info_size > 0) + memcpy(&packed_session-> + data[PACK_HEADER_SIZE + sizeof(uint32)], + info, session->key->auth_info_size); - _gnutls_write_uint32( sizeof(security_parameters_st), &packed_session->data[packed_session->size - sizeof(security_parameters_st) - sizeof(uint32)]); - memcpy(&packed_session-> - data[packed_session->size - sizeof(security_parameters_st)], - &session->security_parameters, sizeof(security_parameters_st)); + } + break; + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info = _gnutls_get_auth_info(session); + if (info == NULL && session->key->auth_info_size != 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return 0; + ret = _gnutls_pack_certificate_auth_info(info, packed_session); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } + break; + default: + return GNUTLS_E_INTERNAL_ERROR; + + } + + /* Auth_info structures copied. Now copy security_parameters_st. + */ + packed_session->size += + sizeof(security_parameters_st) + sizeof(uint32); + + _gnutls_write_uint32(sizeof(security_parameters_st), + &packed_session->data[packed_session->size - + sizeof + (security_parameters_st) - + sizeof(uint32)]); + memcpy(&packed_session-> + data[packed_session->size - sizeof(security_parameters_st)], + &session->security_parameters, sizeof(security_parameters_st)); + + return 0; } /* Returns the size needed to hold the current session. */ -uint _gnutls_session_size( gnutls_session session) +uint _gnutls_session_size(gnutls_session session) { - uint32 pack_size; + uint32 pack_size; - pack_size = PACK_HEADER_SIZE + sizeof(uint32); + pack_size = PACK_HEADER_SIZE + sizeof(uint32); - switch ( gnutls_auth_get_type(session)) { - case GNUTLS_CRD_SRP: - case GNUTLS_CRD_ANON: - pack_size += session->key->auth_info_size; - break; - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info = - _gnutls_get_auth_info(session); - - pack_size += _gnutls_pack_certificate_auth_info_size( info); - } - break; + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_SRP: + case GNUTLS_CRD_ANON: + pack_size += session->key->auth_info_size; + break; + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info = _gnutls_get_auth_info(session); + + pack_size += _gnutls_pack_certificate_auth_info_size(info); } + break; + } - /* Auth_info structures copied. Now copy security_parameters_st. - */ - pack_size += sizeof(security_parameters_st) + sizeof(uint32); + /* Auth_info structures copied. Now copy security_parameters_st. + */ + pack_size += sizeof(security_parameters_st) + sizeof(uint32); - return pack_size; + return pack_size; } int _gnutls_session_unpack(gnutls_session session, const gnutls_datum * packed_session) { - uint32 pack_size; - int ret; - time_t timestamp = time(0); - security_parameters_st sp; + uint32 pack_size; + int ret; + time_t timestamp = time(0); + security_parameters_st sp; - if (packed_session==NULL || packed_session->size == 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (packed_session == NULL || packed_session->size == 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - if (session->key->auth_info != NULL) { - _gnutls_free_auth_info( session); - } - - switch ( packed_session->data[0]) { + if (session->key->auth_info != NULL) { + _gnutls_free_auth_info(session); + } + + switch (packed_session->data[0]) { #ifdef ENABLE_SRP - case GNUTLS_CRD_SRP:{ - - pack_size = - _gnutls_read_uint32(&packed_session-> - data[PACK_HEADER_SIZE]); - - if (pack_size == 0) break; - if (pack_size != sizeof(srp_server_auth_info_st)) { - gnutls_assert(); - return GNUTLS_E_DB_ERROR; - } - - session->key->auth_info = - gnutls_malloc( pack_size); - - if (session->key->auth_info == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - session->key->auth_info_size = - sizeof(srp_server_auth_info_st); - - - memcpy(session->key->auth_info, - &packed_session->data[PACK_HEADER_SIZE + - sizeof(uint32)], - pack_size); - } - break; -#endif - case GNUTLS_CRD_ANON:{ - pack_size = - _gnutls_read_uint32(&packed_session-> - data[PACK_HEADER_SIZE]); - - if (pack_size == 0) break; - - if (pack_size != sizeof(anon_client_auth_info_st)) { - gnutls_assert(); - return GNUTLS_E_DB_ERROR; - } - - session->key->auth_info = - gnutls_malloc( pack_size); - - if (session->key->auth_info == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - session->key->auth_info_size = pack_size; - - memcpy(session->key->auth_info, - &packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], - pack_size); - } - break; - case GNUTLS_CRD_CERTIFICATE:{ - pack_size = - _gnutls_read_uint32(&packed_session-> - data[PACK_HEADER_SIZE]); - - if (pack_size == 0) { - session->key->auth_info = NULL; - session->key->auth_info_size = 0; - break; - } - if (pack_size < sizeof(cert_auth_info_st)) { - gnutls_assert(); - return GNUTLS_E_DB_ERROR; - } - - session->key->auth_info = - gnutls_malloc( sizeof(cert_auth_info_st)); - - if (session->key->auth_info == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - session->key->auth_info_size = - sizeof(cert_auth_info_st); - - ret = - _gnutls_unpack_certificate_auth_info(session-> - key-> - auth_info, - packed_session); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - } + case GNUTLS_CRD_SRP:{ + + pack_size = + _gnutls_read_uint32(&packed_session-> + data[PACK_HEADER_SIZE]); + + if (pack_size == 0) break; - default: + if (pack_size != sizeof(srp_server_auth_info_st)) { gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + return GNUTLS_E_DB_ERROR; + } - } + session->key->auth_info = gnutls_malloc(pack_size); - session->key->auth_info_type = packed_session->data[0]; + if (session->key->auth_info == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + session->key->auth_info_size = sizeof(srp_server_auth_info_st); - /* Auth_info structures copied. Now copy security_parameters_st. - */ - ret = - _gnutls_read_uint32(&packed_session-> - data[PACK_HEADER_SIZE + sizeof(uint32) + - pack_size]); - if (ret != sizeof(security_parameters_st)) { - gnutls_assert(); - return GNUTLS_E_DB_ERROR; + memcpy(session->key->auth_info, + &packed_session->data[PACK_HEADER_SIZE + + sizeof(uint32)], pack_size); } - memcpy(&sp, &packed_session->data[PACK_HEADER_SIZE + - 2 * sizeof(uint32) + pack_size], - sizeof(security_parameters_st)); + break; +#endif + case GNUTLS_CRD_ANON:{ + pack_size = + _gnutls_read_uint32(&packed_session-> + data[PACK_HEADER_SIZE]); - if ( timestamp - sp.timestamp <= session->internals.expire_time - && sp.timestamp <= timestamp) { + if (pack_size == 0) + break; - memcpy( &session->internals.resumed_security_parameters, &sp, sizeof(security_parameters_st)); - } else { - _gnutls_free_auth_info( session); + if (pack_size != sizeof(anon_client_auth_info_st)) { gnutls_assert(); - return GNUTLS_E_EXPIRED; - } + return GNUTLS_E_DB_ERROR; + } + session->key->auth_info = gnutls_malloc(pack_size); - return 0; -} + if (session->key->auth_info == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + session->key->auth_info_size = pack_size; -int _gnutls_pack_certificate_auth_info( cert_auth_info_t info, - gnutls_datum * packed_session) -{ - unsigned int pos, i; - int info_size; + memcpy(session->key->auth_info, + &packed_session->data[PACK_HEADER_SIZE + + sizeof(uint32)], pack_size); + } + break; + case GNUTLS_CRD_CERTIFICATE:{ + pack_size = + _gnutls_read_uint32(&packed_session-> + data[PACK_HEADER_SIZE]); - packed_session->size = _gnutls_pack_certificate_auth_info_size( info); + if (pack_size == 0) { + session->key->auth_info = NULL; + session->key->auth_info_size = 0; + break; + } + if (pack_size < sizeof(cert_auth_info_st)) { + gnutls_assert(); + return GNUTLS_E_DB_ERROR; + } - if (info==NULL) info_size = 0; - else info_size = sizeof(cert_auth_info_st); + session->key->auth_info = + gnutls_malloc(sizeof(cert_auth_info_st)); - packed_session->data[0] = GNUTLS_CRD_CERTIFICATE; - _gnutls_write_uint32( packed_session->size-PACK_HEADER_SIZE-sizeof(uint32), &packed_session->data[PACK_HEADER_SIZE]); + if (session->key->auth_info == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + session->key->auth_info_size = sizeof(cert_auth_info_st); + + ret = + _gnutls_unpack_certificate_auth_info(session-> + key-> + auth_info, + packed_session); + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (info!=NULL) { - memcpy(&packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], - info, sizeof(cert_auth_info_st)); } + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + + } + + session->key->auth_info_type = packed_session->data[0]; + + /* Auth_info structures copied. Now copy security_parameters_st. + */ + ret = + _gnutls_read_uint32(&packed_session-> + data[PACK_HEADER_SIZE + sizeof(uint32) + + pack_size]); + + if (ret != sizeof(security_parameters_st)) { + gnutls_assert(); + return GNUTLS_E_DB_ERROR; + } + memcpy(&sp, &packed_session->data[PACK_HEADER_SIZE + + 2 * sizeof(uint32) + pack_size], + sizeof(security_parameters_st)); + + if (timestamp - sp.timestamp <= session->internals.expire_time + && sp.timestamp <= timestamp) { + + memcpy(&session->internals.resumed_security_parameters, &sp, + sizeof(security_parameters_st)); + } else { + _gnutls_free_auth_info(session); + gnutls_assert(); + return GNUTLS_E_EXPIRED; + } + + + return 0; +} - pos = PACK_HEADER_SIZE + sizeof(uint32) + info_size; - - if (info!=NULL) { - for (i=0;i<info->ncerts;i++) { - _gnutls_write_uint32( info->raw_certificate_list[i].size, &packed_session->data[pos]); - pos += sizeof(uint32); - - memcpy(&packed_session->data[pos], info->raw_certificate_list[i].data, info->raw_certificate_list[i].size); - pos += info->raw_certificate_list[i].size; - } +int _gnutls_pack_certificate_auth_info(cert_auth_info_t info, + gnutls_datum * packed_session) +{ + unsigned int pos, i; + int info_size; + + packed_session->size = _gnutls_pack_certificate_auth_info_size(info); + + if (info == NULL) + info_size = 0; + else + info_size = sizeof(cert_auth_info_st); + + packed_session->data[0] = GNUTLS_CRD_CERTIFICATE; + _gnutls_write_uint32(packed_session->size - PACK_HEADER_SIZE - + sizeof(uint32), + &packed_session->data[PACK_HEADER_SIZE]); + + if (info != NULL) { + memcpy(&packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], + info, sizeof(cert_auth_info_st)); + } + + pos = PACK_HEADER_SIZE + sizeof(uint32) + info_size; + + if (info != NULL) { + for (i = 0; i < info->ncerts; i++) { + _gnutls_write_uint32(info->raw_certificate_list[i].size, + &packed_session->data[pos]); + pos += sizeof(uint32); + + memcpy(&packed_session->data[pos], + info->raw_certificate_list[i].data, + info->raw_certificate_list[i].size); + pos += info->raw_certificate_list[i].size; } - - return 0; + } + + return 0; } -static int _gnutls_pack_certificate_auth_info_size( cert_auth_info_t info) +static int _gnutls_pack_certificate_auth_info_size(cert_auth_info_t info) { - uint32 pack_size = sizeof(cert_auth_info_st); - unsigned int i; + uint32 pack_size = sizeof(cert_auth_info_st); + unsigned int i; - if (info == NULL) - return sizeof(uint32) + PACK_HEADER_SIZE; + if (info == NULL) + return sizeof(uint32) + PACK_HEADER_SIZE; - for (i=0;i<info->ncerts;i++) { - pack_size += sizeof(uint32) + info->raw_certificate_list[i].size; - } + for (i = 0; i < info->ncerts; i++) { + pack_size += sizeof(uint32) + info->raw_certificate_list[i].size; + } - return pack_size + PACK_HEADER_SIZE + sizeof(uint32); + return pack_size + PACK_HEADER_SIZE + sizeof(uint32); } int _gnutls_unpack_certificate_auth_info(cert_auth_info_t info, - const gnutls_datum * packed_session) + const gnutls_datum * + packed_session) { -unsigned int i,j, pos; -int ret; -uint32 size; - - memcpy(info, - &packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], - sizeof(cert_auth_info_st)); - - pos = PACK_HEADER_SIZE + sizeof(uint32) + sizeof(cert_auth_info_st); - if (info->ncerts > 0) { - info->raw_certificate_list = gnutls_calloc( 1, info->ncerts * sizeof( gnutls_datum)); - if (info->raw_certificate_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - for (i=0;i<info->ncerts;i++) { - size = _gnutls_read_uint32( &packed_session->data[ pos]); - pos += sizeof(uint32); - - ret = _gnutls_set_datum( &info->raw_certificate_list[i], &packed_session->data[ pos], size); - pos += size; - - if (ret < 0) { - gnutls_assert(); - goto clear; - } - } + unsigned int i, j, pos; + int ret; + uint32 size; + + memcpy(info, + &packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], + sizeof(cert_auth_info_st)); + + pos = PACK_HEADER_SIZE + sizeof(uint32) + sizeof(cert_auth_info_st); + if (info->ncerts > 0) { + info->raw_certificate_list = + gnutls_calloc(1, info->ncerts * sizeof(gnutls_datum)); + if (info->raw_certificate_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } - return 0; - - clear: - for (j=0;j<i;j++) - _gnutls_free_datum( &info->raw_certificate_list[j]); - gnutls_free( info->raw_certificate_list); - return GNUTLS_E_MEMORY_ERROR; - + for (i = 0; i < info->ncerts; i++) { + size = _gnutls_read_uint32(&packed_session->data[pos]); + pos += sizeof(uint32); + + ret = + _gnutls_set_datum(&info->raw_certificate_list[i], + &packed_session->data[pos], size); + pos += size; + + if (ret < 0) { + gnutls_assert(); + goto clear; + } + } + } + return 0; + + clear: + for (j = 0; j < i; j++) + _gnutls_free_datum(&info->raw_certificate_list[j]); + + gnutls_free(info->raw_certificate_list); + return GNUTLS_E_MEMORY_ERROR; + } diff --git a/lib/gnutls_session_pack.h b/lib/gnutls_session_pack.h index 8602d9f976..0956beb758 100644 --- a/lib/gnutls_session_pack.h +++ b/lib/gnutls_session_pack.h @@ -1,3 +1,5 @@ -int _gnutls_session_pack( gnutls_session session, gnutls_datum* packed_session); -int _gnutls_session_unpack( gnutls_session session, const gnutls_datum* packed_session); +int _gnutls_session_pack(gnutls_session session, + gnutls_datum * packed_session); +int _gnutls_session_unpack(gnutls_session session, + const gnutls_datum * packed_session); uint _gnutls_session_size(gnutls_session session); diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c index 045f2f33f7..e84508b3a9 100644 --- a/lib/gnutls_sig.c +++ b/lib/gnutls_sig.c @@ -36,129 +36,145 @@ #include <gnutls_kx.h> static -int _gnutls_tls_sign( gnutls_cert* cert, gnutls_privkey* pkey, const gnutls_datum* hash_concat, gnutls_datum *signature); +int _gnutls_tls_sign(gnutls_cert * cert, gnutls_privkey * pkey, + const gnutls_datum * hash_concat, + gnutls_datum * signature); /* Generates a signature of all the previous sent packets in the * handshake procedure. (20040227: now it works for SSL 3.0 as well) */ -int _gnutls_tls_sign_hdata( gnutls_session session, - gnutls_cert* cert, gnutls_privkey* pkey, gnutls_datum *signature) +int _gnutls_tls_sign_hdata(gnutls_session session, + gnutls_cert * cert, gnutls_privkey * pkey, + gnutls_datum * signature) { -gnutls_datum dconcat; -int ret; -opaque concat[36]; -mac_hd_t td_md5; -mac_hd_t td_sha; -gnutls_protocol_version ver = gnutls_protocol_get_version( session); - - td_sha = _gnutls_hash_copy( session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + gnutls_datum dconcat; + int ret; + opaque concat[36]; + mac_hd_t td_md5; + mac_hd_t td_sha; + gnutls_protocol_version ver = gnutls_protocol_get_version(session); + + td_sha = + _gnutls_hash_copy(session->internals.handshake_mac_handle_sha); + if (td_sha == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + if (ver == GNUTLS_SSL3) { + ret = _gnutls_generate_master(session, 1); + if (ret < 0) { + gnutls_assert(); + return ret; } - if (ver == GNUTLS_SSL3) { - ret = _gnutls_generate_master( session, 1); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - _gnutls_mac_deinit_ssl3_handshake( td_sha, &concat[16], session->security_parameters.master_secret, TLS_MASTER_SIZE); - } else - _gnutls_hash_deinit(td_sha, &concat[16]); - - switch (cert->subject_pk_algorithm) { - case GNUTLS_PK_RSA: - td_md5 = _gnutls_hash_copy( session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - if (ver == GNUTLS_SSL3) - _gnutls_mac_deinit_ssl3_handshake( td_md5, concat, session->security_parameters.master_secret, TLS_MASTER_SIZE); - else - _gnutls_hash_deinit(td_md5, concat); - - dconcat.data = concat; - dconcat.size = 36; - break; - case GNUTLS_PK_DSA: - dconcat.data = &concat[16]; - dconcat.size = 20; - break; - - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - ret = _gnutls_tls_sign( cert, pkey, &dconcat, signature); - if (ret < 0) { - gnutls_assert(); + _gnutls_mac_deinit_ssl3_handshake(td_sha, &concat[16], + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + } else + _gnutls_hash_deinit(td_sha, &concat[16]); + + switch (cert->subject_pk_algorithm) { + case GNUTLS_PK_RSA: + td_md5 = + _gnutls_hash_copy(session->internals.handshake_mac_handle_md5); + if (td_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; } - - return ret; + + if (ver == GNUTLS_SSL3) + _gnutls_mac_deinit_ssl3_handshake(td_md5, concat, + session->security_parameters. + master_secret, + TLS_MASTER_SIZE); + else + _gnutls_hash_deinit(td_md5, concat); + + dconcat.data = concat; + dconcat.size = 36; + break; + case GNUTLS_PK_DSA: + dconcat.data = &concat[16]; + dconcat.size = 20; + break; + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + ret = _gnutls_tls_sign(cert, pkey, &dconcat, signature); + if (ret < 0) { + gnutls_assert(); + } + + return ret; } /* Generates a signature of all the random data and the parameters. * Used in DHE_* ciphersuites. */ -int _gnutls_tls_sign_params( gnutls_session session, gnutls_cert* cert, gnutls_privkey* pkey, gnutls_datum* params, gnutls_datum *signature) +int _gnutls_tls_sign_params(gnutls_session session, gnutls_cert * cert, + gnutls_privkey * pkey, gnutls_datum * params, + gnutls_datum * signature) { -gnutls_datum dconcat; -int ret; -mac_hd_t td_md5; -mac_hd_t td_sha; -opaque concat[36]; - - - td_sha = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (td_sha == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + gnutls_datum dconcat; + int ret; + mac_hd_t td_md5; + mac_hd_t td_sha; + opaque concat[36]; + + + td_sha = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (td_sha == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + _gnutls_hash(td_sha, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_sha, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_sha, params->data, params->size); + + _gnutls_hash_deinit(td_sha, &concat[16]); + + switch (cert->subject_pk_algorithm) { + case GNUTLS_PK_RSA: + td_md5 = _gnutls_hash_init(GNUTLS_MAC_MD5); + if (td_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; } - _gnutls_hash( td_sha, session->security_parameters.client_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_sha, session->security_parameters.server_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_sha, params->data, params->size); + _gnutls_hash(td_md5, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_md5, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_md5, params->data, params->size); - _gnutls_hash_deinit(td_sha, &concat[16]); + _gnutls_hash_deinit(td_md5, concat); - switch (cert->subject_pk_algorithm) { - case GNUTLS_PK_RSA: - td_md5 = _gnutls_hash_init( GNUTLS_MAC_MD5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - _gnutls_hash( td_md5, session->security_parameters.client_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_md5, session->security_parameters.server_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_md5, params->data, params->size); - - _gnutls_hash_deinit(td_md5, concat); - - dconcat.data = concat; - dconcat.size = 36; - break; - case GNUTLS_PK_DSA: - dconcat.data = &concat[16]; - dconcat.size = 20; - break; - - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - ret = _gnutls_tls_sign( cert, pkey, &dconcat, signature); - if (ret < 0) { - gnutls_assert(); - } - - return ret; + dconcat.data = concat; + dconcat.size = 36; + break; + case GNUTLS_PK_DSA: + dconcat.data = &concat[16]; + dconcat.size = 20; + break; + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + ret = _gnutls_tls_sign(cert, pkey, &dconcat, signature); + if (ret < 0) { + gnutls_assert(); + } + + return ret; } @@ -166,36 +182,36 @@ opaque concat[36]; /* This will create a PKCS1 or DSA signature, using the given parameters, and the * given data. The output will be allocated and be put in signature. */ -int _gnutls_sign( gnutls_pk_algorithm algo, mpi_t* params, int params_size, - const gnutls_datum* data, gnutls_datum *signature) +int _gnutls_sign(gnutls_pk_algorithm algo, mpi_t * params, int params_size, + const gnutls_datum * data, gnutls_datum * signature) { -int ret; - - switch(algo) { - case GNUTLS_PK_RSA: - /* encrypt */ - if ((ret=_gnutls_pkcs1_rsa_encrypt( signature, data, params, - params_size, 1)) < 0) { - gnutls_assert(); - return ret; - } - - break; - case GNUTLS_PK_DSA: - /* sign */ - if ((ret=_gnutls_dsa_sign( signature, data, params, - params_size)) < 0) { - gnutls_assert(); - return ret; - } - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - break; + int ret; + + switch (algo) { + case GNUTLS_PK_RSA: + /* encrypt */ + if ((ret = _gnutls_pkcs1_rsa_encrypt(signature, data, params, + params_size, 1)) < 0) { + gnutls_assert(); + return ret; } - return 0; + break; + case GNUTLS_PK_DSA: + /* sign */ + if ((ret = _gnutls_dsa_sign(signature, data, params, + params_size)) < 0) { + gnutls_assert(); + return ret; + } + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + break; + } + + return 0; } /* This will create a PKCS1 or DSA signature, as defined in the TLS protocol. @@ -203,185 +219,199 @@ int ret; * it supports signing. */ static -int _gnutls_tls_sign( gnutls_cert* cert, gnutls_privkey* pkey, - const gnutls_datum* hash_concat, gnutls_datum *signature) +int _gnutls_tls_sign(gnutls_cert * cert, gnutls_privkey * pkey, + const gnutls_datum * hash_concat, + gnutls_datum * signature) { - /* If our certificate supports signing - */ + /* If our certificate supports signing + */ + + if (cert != NULL) + if (cert->keyUsage != 0) + if (!(cert->keyUsage & KEY_DIGITAL_SIGNATURE)) { + gnutls_assert(); + return GNUTLS_E_KEY_USAGE_VIOLATION; + } - if ( cert != NULL) - if ( cert->keyUsage != 0) - if ( !(cert->keyUsage & KEY_DIGITAL_SIGNATURE)) { - gnutls_assert(); - return GNUTLS_E_KEY_USAGE_VIOLATION; - } + return _gnutls_sign(pkey->pk_algorithm, pkey->params, + pkey->params_size, hash_concat, signature); - return _gnutls_sign( pkey->pk_algorithm, pkey->params, pkey->params_size, - hash_concat, signature); - } static -int _gnutls_pkcs1_rsa_verify_sig( gnutls_cert *cert, const gnutls_datum *hash_concat, - gnutls_datum *signature) +int _gnutls_pkcs1_rsa_verify_sig(gnutls_cert * cert, + const gnutls_datum * hash_concat, + gnutls_datum * signature) { - int ret; - gnutls_datum vdata; - - if (cert->version == 0 || cert==NULL) { /* this is the only way to check - * if it is initialized - */ + int ret; + gnutls_datum vdata; + + if (cert->version == 0 || cert == NULL) { /* this is the only way to check + * if it is initialized + */ + gnutls_assert(); + return GNUTLS_E_CERTIFICATE_ERROR; + } + + /* If the certificate supports signing continue. + */ + if (cert != NULL) + if (cert->keyUsage != 0) + if (!(cert->keyUsage & KEY_DIGITAL_SIGNATURE)) { gnutls_assert(); - return GNUTLS_E_CERTIFICATE_ERROR; + return GNUTLS_E_KEY_USAGE_VIOLATION; + } + + switch (cert->subject_pk_algorithm) { + case GNUTLS_PK_RSA: + + vdata.data = hash_concat->data; + vdata.size = hash_concat->size; + + /* verify signature */ + if ((ret = _gnutls_rsa_verify(&vdata, signature, cert->params, + cert->params_size, 1)) < 0) { + gnutls_assert(); + return ret; } - /* If the certificate supports signing continue. - */ - if ( cert != NULL) - if ( cert->keyUsage != 0) - if ( !(cert->keyUsage & KEY_DIGITAL_SIGNATURE)) { - gnutls_assert(); - return GNUTLS_E_KEY_USAGE_VIOLATION; - } - - switch(cert->subject_pk_algorithm) { - case GNUTLS_PK_RSA: - - vdata.data = hash_concat->data; - vdata.size = hash_concat->size; - - /* verify signature */ - if ( (ret=_gnutls_rsa_verify( &vdata, signature, cert->params, - cert->params_size, 1)) < 0) { - gnutls_assert(); - return ret; - } - - break; - case GNUTLS_PK_DSA: - - vdata.data = &hash_concat->data[16]; - vdata.size = 20; /* sha1 */ - - /* verify signature */ - if ( (ret=_gnutls_dsa_verify( &vdata, signature, cert->params, - cert->params_size)) < 0) { - gnutls_assert(); - return ret; - } - - break; - - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + break; + case GNUTLS_PK_DSA: + + vdata.data = &hash_concat->data[16]; + vdata.size = 20; /* sha1 */ + + /* verify signature */ + if ((ret = _gnutls_dsa_verify(&vdata, signature, cert->params, + cert->params_size)) < 0) { + gnutls_assert(); + return ret; } - + + break; + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + - return 0; + return 0; } /* Verifies a TLS signature (like the one in the client certificate * verify message). */ -int _gnutls_verify_sig_hdata( gnutls_session session, gnutls_cert *cert, gnutls_datum* signature) +int _gnutls_verify_sig_hdata(gnutls_session session, gnutls_cert * cert, + gnutls_datum * signature) { -int ret; -opaque concat[36]; -mac_hd_t td_md5; -mac_hd_t td_sha; -gnutls_datum dconcat; -gnutls_protocol_version ver = gnutls_protocol_get_version( session); - - td_md5 = _gnutls_hash_copy( session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - td_sha = _gnutls_hash_copy( session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) { - gnutls_assert(); - _gnutls_hash_deinit( td_md5, NULL); - return GNUTLS_E_HASH_FAILED; - } - - if (ver == GNUTLS_SSL3) { - ret = _gnutls_generate_master( session, 1); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - _gnutls_mac_deinit_ssl3_handshake( td_md5, concat, session->security_parameters.master_secret, TLS_MASTER_SIZE); - _gnutls_mac_deinit_ssl3_handshake( td_sha, &concat[16], session->security_parameters.master_secret, TLS_MASTER_SIZE); - } else { - _gnutls_hash_deinit(td_md5, concat); - _gnutls_hash_deinit(td_sha, &concat[16]); + int ret; + opaque concat[36]; + mac_hd_t td_md5; + mac_hd_t td_sha; + gnutls_datum dconcat; + gnutls_protocol_version ver = gnutls_protocol_get_version(session); + + td_md5 = + _gnutls_hash_copy(session->internals.handshake_mac_handle_md5); + if (td_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + td_sha = + _gnutls_hash_copy(session->internals.handshake_mac_handle_sha); + if (td_sha == NULL) { + gnutls_assert(); + _gnutls_hash_deinit(td_md5, NULL); + return GNUTLS_E_HASH_FAILED; + } + + if (ver == GNUTLS_SSL3) { + ret = _gnutls_generate_master(session, 1); + if (ret < 0) { + gnutls_assert(); + return ret; } - dconcat.data = concat; - dconcat.size = 20+16; /* md5+ sha */ + _gnutls_mac_deinit_ssl3_handshake(td_md5, concat, + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + _gnutls_mac_deinit_ssl3_handshake(td_sha, &concat[16], + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + } else { + _gnutls_hash_deinit(td_md5, concat); + _gnutls_hash_deinit(td_sha, &concat[16]); + } - ret = _gnutls_pkcs1_rsa_verify_sig( cert, &dconcat, signature); - if (ret < 0) { - gnutls_assert(); - return ret; - } + dconcat.data = concat; + dconcat.size = 20 + 16; /* md5+ sha */ + ret = _gnutls_pkcs1_rsa_verify_sig(cert, &dconcat, signature); + if (ret < 0) { + gnutls_assert(); return ret; + } + + return ret; } /* Generates a signature of all the random data and the parameters. * Used in DHE_* ciphersuites. */ -int _gnutls_verify_sig_params( gnutls_session session, gnutls_cert *cert, const gnutls_datum* params, gnutls_datum *signature) +int _gnutls_verify_sig_params(gnutls_session session, gnutls_cert * cert, + const gnutls_datum * params, + gnutls_datum * signature) { -gnutls_datum dconcat; -int ret; -mac_hd_t td_md5; -mac_hd_t td_sha; -opaque concat[36]; - - td_md5 = _gnutls_hash_init( GNUTLS_MAC_MD5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - td_sha = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (td_sha == NULL) { - gnutls_assert(); - _gnutls_hash_deinit( td_md5, NULL); - return GNUTLS_E_HASH_FAILED; - } - - _gnutls_hash( td_md5, session->security_parameters.client_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_md5, session->security_parameters.server_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_md5, params->data, params->size); - - _gnutls_hash( td_sha, session->security_parameters.client_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_sha, session->security_parameters.server_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_sha, params->data, params->size); - - _gnutls_hash_deinit(td_md5, concat); - _gnutls_hash_deinit(td_sha, &concat[16]); - - dconcat.data = concat; - dconcat.size = 36; - - ret = _gnutls_pkcs1_rsa_verify_sig( cert, &dconcat, signature); - if (ret < 0) { - gnutls_assert(); - return ret; - } - + gnutls_datum dconcat; + int ret; + mac_hd_t td_md5; + mac_hd_t td_sha; + opaque concat[36]; + + td_md5 = _gnutls_hash_init(GNUTLS_MAC_MD5); + if (td_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + td_sha = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (td_sha == NULL) { + gnutls_assert(); + _gnutls_hash_deinit(td_md5, NULL); + return GNUTLS_E_HASH_FAILED; + } + + _gnutls_hash(td_md5, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_md5, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_md5, params->data, params->size); + + _gnutls_hash(td_sha, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_sha, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_sha, params->data, params->size); + + _gnutls_hash_deinit(td_md5, concat); + _gnutls_hash_deinit(td_sha, &concat[16]); + + dconcat.data = concat; + dconcat.size = 36; + + ret = _gnutls_pkcs1_rsa_verify_sig(cert, &dconcat, signature); + if (ret < 0) { + gnutls_assert(); return ret; + } -} + return ret; +} diff --git a/lib/gnutls_sig.h b/lib/gnutls_sig.h index eb832e30e9..4cc217fb77 100644 --- a/lib/gnutls_sig.h +++ b/lib/gnutls_sig.h @@ -2,12 +2,21 @@ # define GNUTLS_SIG_H # include <auth_cert.h> -gnutls_certificate_status gnutls_x509_verify_signature(gnutls_cert* cert, gnutls_cert* issuer); -int _gnutls_tls_sign_hdata( gnutls_session session, gnutls_cert* cert, gnutls_privkey *pkey, gnutls_datum *signature); -int _gnutls_tls_sign_params( gnutls_session session, gnutls_cert* cert, gnutls_privkey *pkey, gnutls_datum* params, gnutls_datum *signature); -int _gnutls_verify_sig_hdata( gnutls_session session, gnutls_cert *cert, gnutls_datum* signature); -int _gnutls_verify_sig_params( gnutls_session session, gnutls_cert *cert, const gnutls_datum* params, gnutls_datum* signature); -int _gnutls_sign( gnutls_pk_algorithm algo, mpi_t* params, int params_size, - const gnutls_datum* data, gnutls_datum *signature); +gnutls_certificate_status gnutls_x509_verify_signature(gnutls_cert * cert, + gnutls_cert * + issuer); +int _gnutls_tls_sign_hdata(gnutls_session session, gnutls_cert * cert, + gnutls_privkey * pkey, + gnutls_datum * signature); +int _gnutls_tls_sign_params(gnutls_session session, gnutls_cert * cert, + gnutls_privkey * pkey, gnutls_datum * params, + gnutls_datum * signature); +int _gnutls_verify_sig_hdata(gnutls_session session, gnutls_cert * cert, + gnutls_datum * signature); +int _gnutls_verify_sig_params(gnutls_session session, gnutls_cert * cert, + const gnutls_datum * params, + gnutls_datum * signature); +int _gnutls_sign(gnutls_pk_algorithm algo, mpi_t * params, int params_size, + const gnutls_datum * data, gnutls_datum * signature); #endif diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c index 7f3d89bf5a..65e8848a2a 100644 --- a/lib/gnutls_state.c +++ b/lib/gnutls_state.c @@ -47,9 +47,10 @@ return ret; \ } -void _gnutls_session_cert_type_set( gnutls_session session, gnutls_certificate_type ct) +void _gnutls_session_cert_type_set(gnutls_session session, + gnutls_certificate_type ct) { - session->security_parameters.cert_type = ct; + session->security_parameters.cert_type = ct; } /** @@ -58,8 +59,9 @@ void _gnutls_session_cert_type_set( gnutls_session session, gnutls_certificate_t * * Returns the currently used cipher. **/ -gnutls_cipher_algorithm gnutls_cipher_get( gnutls_session session) { - return session->security_parameters.read_bulk_cipher_algorithm; +gnutls_cipher_algorithm gnutls_cipher_get(gnutls_session session) +{ + return session->security_parameters.read_bulk_cipher_algorithm; } /** @@ -70,9 +72,9 @@ gnutls_cipher_algorithm gnutls_cipher_get( gnutls_session session) { * is by default X.509, unless it is negotiated as a TLS extension. * **/ -gnutls_certificate_type gnutls_certificate_type_get( gnutls_session session) +gnutls_certificate_type gnutls_certificate_type_get(gnutls_session session) { - return session->security_parameters.cert_type; + return session->security_parameters.cert_type; } /** @@ -81,9 +83,9 @@ gnutls_certificate_type gnutls_certificate_type_get( gnutls_session session) * * Returns the key exchange algorithm used in the last handshake. **/ -gnutls_kx_algorithm gnutls_kx_get( gnutls_session session) +gnutls_kx_algorithm gnutls_kx_get(gnutls_session session) { - return session->security_parameters.kx_algorithm; + return session->security_parameters.kx_algorithm; } /** @@ -92,9 +94,9 @@ gnutls_kx_algorithm gnutls_kx_get( gnutls_session session) * * Returns the currently used mac algorithm. **/ -gnutls_mac_algorithm gnutls_mac_get( gnutls_session session) +gnutls_mac_algorithm gnutls_mac_get(gnutls_session session) { - return session->security_parameters.read_mac_algorithm; + return session->security_parameters.read_mac_algorithm; } /** @@ -103,104 +105,105 @@ gnutls_mac_algorithm gnutls_mac_get( gnutls_session session) * * Returns the currently used compression method. **/ -gnutls_compression_method gnutls_compression_get( gnutls_session session) +gnutls_compression_method gnutls_compression_get(gnutls_session session) { - return session->security_parameters.read_compression_algorithm; + return session->security_parameters.read_compression_algorithm; } /* Check if the given certificate type is supported. * This means that it is enabled by the priority functions, * and a matching certificate exists. */ -int _gnutls_session_cert_type_supported( gnutls_session session, - gnutls_certificate_type cert_type) -{ -uint i; -uint cert_found = 0; -const gnutls_certificate_credentials cred; - - if (session->security_parameters.entity==GNUTLS_SERVER) { - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - - if (cred == NULL) - return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; - - for (i = 0; i < cred->ncerts; i++) { - if (cred->cert_list[i][0].cert_type == cert_type) { - cert_found = 1; - break; - } - } - if (cert_found == 0) - /* no certificate is of that type. - */ - return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; +int _gnutls_session_cert_type_supported(gnutls_session session, + gnutls_certificate_type cert_type) +{ + uint i; + uint cert_found = 0; + const gnutls_certificate_credentials cred; + + if (session->security_parameters.entity == GNUTLS_SERVER) { + cred = + _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + + if (cred == NULL) + return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + + for (i = 0; i < cred->ncerts; i++) { + if (cred->cert_list[i][0].cert_type == cert_type) { + cert_found = 1; + break; + } } - + if (cert_found == 0) + /* no certificate is of that type. + */ + return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + } - if (session->internals.cert_type_priority.algorithms==0 && cert_type == - DEFAULT_CERT_TYPE) return 0; - for (i=0;i<session->internals.cert_type_priority.algorithms;i++) { - if (session->internals.cert_type_priority.priority[i] - == cert_type) { - return 0; /* ok */ - } + if (session->internals.cert_type_priority.algorithms == 0 + && cert_type == DEFAULT_CERT_TYPE) + return 0; + + for (i = 0; i < session->internals.cert_type_priority.algorithms; i++) { + if (session->internals.cert_type_priority.priority[i] + == cert_type) { + return 0; /* ok */ } + } - return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; } /* this function deinitializes all the internal parameters stored * in a session struct. */ -inline -static void deinit_internal_params( gnutls_session session) +inline static void deinit_internal_params(gnutls_session session) { - if (session->internals.params.free_anon_dh_params) - gnutls_dh_params_deinit( session->internals.params.anon_dh_params); + if (session->internals.params.free_anon_dh_params) + gnutls_dh_params_deinit(session->internals.params.anon_dh_params); + + if (session->internals.params.free_cert_dh_params) + gnutls_dh_params_deinit(session->internals.params.cert_dh_params); - if (session->internals.params.free_cert_dh_params) - gnutls_dh_params_deinit( session->internals.params.cert_dh_params); + if (session->internals.params.free_rsa_params) + gnutls_rsa_params_deinit(session->internals.params.rsa_params); - if (session->internals.params.free_rsa_params) - gnutls_rsa_params_deinit( session->internals.params.rsa_params); - - memset( &session->internals.params, 0, sizeof( session->internals.params)); + memset(&session->internals.params, 0, + sizeof(session->internals.params)); } /* This function will clear all the variables in internals * structure within the session, which depend on the current handshake. * This is used to allow further handshakes. */ -void _gnutls_handshake_internal_state_clear( gnutls_session session) +void _gnutls_handshake_internal_state_clear(gnutls_session session) { - session->internals.extensions_sent_size = 0; + session->internals.extensions_sent_size = 0; - /* by default no selected certificate */ - session->internals.proposed_record_size = DEFAULT_MAX_RECORD_SIZE; - session->internals.adv_version_major = 0; - session->internals.adv_version_minor = 0; - session->internals.v2_hello = 0; - memset( &session->internals.handshake_header_buffer, 0, - sizeof(handshake_header_buffer_st)); - session->internals.adv_version_minor = 0; - session->internals.adv_version_minor = 0; - session->internals.direction = 0; + /* by default no selected certificate */ + session->internals.proposed_record_size = DEFAULT_MAX_RECORD_SIZE; + session->internals.adv_version_major = 0; + session->internals.adv_version_minor = 0; + session->internals.v2_hello = 0; + memset(&session->internals.handshake_header_buffer, 0, + sizeof(handshake_header_buffer_st)); + session->internals.adv_version_minor = 0; + session->internals.adv_version_minor = 0; + session->internals.direction = 0; - /* use out of band data for the last - * handshake messages received. - */ - session->internals.last_handshake_in = -1; - session->internals.last_handshake_out = -1; + /* use out of band data for the last + * handshake messages received. + */ + session->internals.last_handshake_in = -1; + session->internals.last_handshake_out = -1; - session->internals.handshake_restarted = 0; + session->internals.handshake_restarted = 0; - session->internals.resumable = RESUME_TRUE; - _gnutls_free_datum( &session->internals.recv_buffer); + session->internals.resumable = RESUME_TRUE; + _gnutls_free_datum(&session->internals.recv_buffer); - deinit_internal_params( session); + deinit_internal_params(session); } @@ -218,86 +221,96 @@ void _gnutls_handshake_internal_state_clear( gnutls_session session) **/ int gnutls_init(gnutls_session * session, gnutls_connection_end con_end) { - *session = gnutls_calloc(1, sizeof(struct gnutls_session_int)); - if (*session==NULL) return GNUTLS_E_MEMORY_ERROR; - - (*session)->security_parameters.entity = con_end; + *session = gnutls_calloc(1, sizeof(struct gnutls_session_int)); + if (*session == NULL) + return GNUTLS_E_MEMORY_ERROR; - /* the default certificate type for TLS */ - (*session)->security_parameters.cert_type = DEFAULT_CERT_TYPE; + (*session)->security_parameters.entity = con_end; + + /* the default certificate type for TLS */ + (*session)->security_parameters.cert_type = DEFAULT_CERT_TYPE; /* Set the defaults for initial handshake */ - (*session)->security_parameters.read_bulk_cipher_algorithm = - (*session)->security_parameters.write_bulk_cipher_algorithm = GNUTLS_CIPHER_NULL; + (*session)->security_parameters.read_bulk_cipher_algorithm = + (*session)->security_parameters.write_bulk_cipher_algorithm = + GNUTLS_CIPHER_NULL; - (*session)->security_parameters.read_mac_algorithm = - (*session)->security_parameters.write_mac_algorithm = GNUTLS_MAC_NULL; + (*session)->security_parameters.read_mac_algorithm = + (*session)->security_parameters.write_mac_algorithm = + GNUTLS_MAC_NULL; - (*session)->security_parameters.read_compression_algorithm = GNUTLS_COMP_NULL; - (*session)->security_parameters.write_compression_algorithm = GNUTLS_COMP_NULL; + (*session)->security_parameters.read_compression_algorithm = + GNUTLS_COMP_NULL; + (*session)->security_parameters.write_compression_algorithm = + GNUTLS_COMP_NULL; - (*session)->internals.enable_private = 0; - - /* Initialize buffers */ - _gnutls_buffer_init( &(*session)->internals.application_data_buffer); - _gnutls_buffer_init( &(*session)->internals.handshake_data_buffer); - _gnutls_buffer_init( &(*session)->internals.handshake_hash_buffer); + (*session)->internals.enable_private = 0; - _gnutls_buffer_init( &(*session)->internals.record_send_buffer); - _gnutls_buffer_init( &(*session)->internals.record_recv_buffer); + /* Initialize buffers */ + _gnutls_buffer_init(&(*session)->internals.application_data_buffer); + _gnutls_buffer_init(&(*session)->internals.handshake_data_buffer); + _gnutls_buffer_init(&(*session)->internals.handshake_hash_buffer); - _gnutls_buffer_init( &(*session)->internals.handshake_send_buffer); - _gnutls_buffer_init( &(*session)->internals.handshake_recv_buffer); + _gnutls_buffer_init(&(*session)->internals.record_send_buffer); + _gnutls_buffer_init(&(*session)->internals.record_recv_buffer); - (*session)->key = gnutls_calloc(1, sizeof(struct gnutls_key_st)); - if ( (*session)->key == NULL) { - cleanup_session: - gnutls_free( *session); *session = NULL; - return GNUTLS_E_MEMORY_ERROR; - } + _gnutls_buffer_init(&(*session)->internals.handshake_send_buffer); + _gnutls_buffer_init(&(*session)->internals.handshake_recv_buffer); - (*session)->internals.expire_time = DEFAULT_EXPIRE_TIME; /* one hour default */ + (*session)->key = gnutls_calloc(1, sizeof(struct gnutls_key_st)); + if ((*session)->key == NULL) { + cleanup_session: + gnutls_free(*session); + *session = NULL; + return GNUTLS_E_MEMORY_ERROR; + } - gnutls_dh_set_prime_bits( (*session), MIN_DH_BITS); + (*session)->internals.expire_time = DEFAULT_EXPIRE_TIME; /* one hour default */ - gnutls_transport_set_lowat((*session), DEFAULT_LOWAT); /* the default for tcp */ + gnutls_dh_set_prime_bits((*session), MIN_DH_BITS); - gnutls_handshake_set_max_packet_length( (*session), MAX_HANDSHAKE_PACKET_SIZE); + gnutls_transport_set_lowat((*session), DEFAULT_LOWAT); /* the default for tcp */ - /* Allocate a minimum size for recv_data - * This is allocated in order to avoid small messages, making - * the receive procedure slow. - */ - (*session)->internals.record_recv_buffer.data = gnutls_malloc(INITIAL_RECV_BUFFER_SIZE); - if ( (*session)->internals.record_recv_buffer.data == NULL) { - gnutls_free((*session)->key); - goto cleanup_session; - } + gnutls_handshake_set_max_packet_length((*session), + MAX_HANDSHAKE_PACKET_SIZE); - /* set the socket pointers to -1; - */ - (*session)->internals.transport_recv_ptr = (gnutls_transport_ptr)-1; - (*session)->internals.transport_send_ptr = (gnutls_transport_ptr)-1; - - /* set the default maximum record size for TLS - */ - (*session)->security_parameters.max_record_recv_size = DEFAULT_MAX_RECORD_SIZE; - (*session)->security_parameters.max_record_send_size = DEFAULT_MAX_RECORD_SIZE; + /* Allocate a minimum size for recv_data + * This is allocated in order to avoid small messages, making + * the receive procedure slow. + */ + (*session)->internals.record_recv_buffer.data = + gnutls_malloc(INITIAL_RECV_BUFFER_SIZE); + if ((*session)->internals.record_recv_buffer.data == NULL) { + gnutls_free((*session)->key); + goto cleanup_session; + } - /* everything else not initialized here is initialized - * as NULL or 0. This is why calloc is used. - */ + /* set the socket pointers to -1; + */ + (*session)->internals.transport_recv_ptr = (gnutls_transport_ptr) - 1; + (*session)->internals.transport_send_ptr = (gnutls_transport_ptr) - 1; - _gnutls_handshake_internal_state_clear( *session); + /* set the default maximum record size for TLS + */ + (*session)->security_parameters.max_record_recv_size = + DEFAULT_MAX_RECORD_SIZE; + (*session)->security_parameters.max_record_send_size = + DEFAULT_MAX_RECORD_SIZE; - return 0; + /* everything else not initialized here is initialized + * as NULL or 0. This is why calloc is used. + */ + + _gnutls_handshake_internal_state_clear(*session); + + return 0; } /* returns RESUME_FALSE or RESUME_TRUE. */ -int _gnutls_session_is_resumable( gnutls_session session) +int _gnutls_session_is_resumable(gnutls_session session) { - return session->internals.resumable; + return session->internals.resumable; } @@ -313,238 +326,248 @@ int _gnutls_session_is_resumable( gnutls_session session) void gnutls_deinit(gnutls_session session) { - if (session==NULL) return; + if (session == NULL) + return; - /* remove auth info firstly */ - _gnutls_free_auth_info(session ); + /* remove auth info firstly */ + _gnutls_free_auth_info(session); - _gnutls_handshake_internal_state_clear( session); - _gnutls_handshake_io_buffer_clear( session); + _gnutls_handshake_internal_state_clear(session); + _gnutls_handshake_io_buffer_clear(session); - _gnutls_free_datum(&session->connection_state.read_mac_secret); - _gnutls_free_datum(&session->connection_state.write_mac_secret); + _gnutls_free_datum(&session->connection_state.read_mac_secret); + _gnutls_free_datum(&session->connection_state.write_mac_secret); - _gnutls_buffer_clear( &session->internals.handshake_hash_buffer); - _gnutls_buffer_clear( &session->internals.handshake_data_buffer); - _gnutls_buffer_clear( &session->internals.application_data_buffer); - _gnutls_buffer_clear( &session->internals.record_recv_buffer); - _gnutls_buffer_clear( &session->internals.record_send_buffer); + _gnutls_buffer_clear(&session->internals.handshake_hash_buffer); + _gnutls_buffer_clear(&session->internals.handshake_data_buffer); + _gnutls_buffer_clear(&session->internals.application_data_buffer); + _gnutls_buffer_clear(&session->internals.record_recv_buffer); + _gnutls_buffer_clear(&session->internals.record_send_buffer); - gnutls_credentials_clear( session); - _gnutls_selected_certs_deinit( session); + gnutls_credentials_clear(session); + _gnutls_selected_certs_deinit(session); - if (session->connection_state.read_cipher_state != NULL) - _gnutls_cipher_deinit(session->connection_state.read_cipher_state); - if (session->connection_state.write_cipher_state != NULL) - _gnutls_cipher_deinit(session->connection_state.write_cipher_state); + if (session->connection_state.read_cipher_state != NULL) + _gnutls_cipher_deinit(session->connection_state.read_cipher_state); + if (session->connection_state.write_cipher_state != NULL) + _gnutls_cipher_deinit(session->connection_state. + write_cipher_state); - if (session->connection_state.read_compression_state != NULL) - _gnutls_comp_deinit(session->connection_state.read_compression_state, 1); - if (session->connection_state.write_compression_state != NULL) - _gnutls_comp_deinit(session->connection_state.write_compression_state, 0); + if (session->connection_state.read_compression_state != NULL) + _gnutls_comp_deinit(session->connection_state. + read_compression_state, 1); + if (session->connection_state.write_compression_state != NULL) + _gnutls_comp_deinit(session->connection_state. + write_compression_state, 0); - _gnutls_free_datum( &session->cipher_specs.server_write_mac_secret); - _gnutls_free_datum( &session->cipher_specs.client_write_mac_secret); - _gnutls_free_datum( &session->cipher_specs.server_write_IV); - _gnutls_free_datum( &session->cipher_specs.client_write_IV); - _gnutls_free_datum( &session->cipher_specs.server_write_key); - _gnutls_free_datum( &session->cipher_specs.client_write_key); + _gnutls_free_datum(&session->cipher_specs.server_write_mac_secret); + _gnutls_free_datum(&session->cipher_specs.client_write_mac_secret); + _gnutls_free_datum(&session->cipher_specs.server_write_IV); + _gnutls_free_datum(&session->cipher_specs.client_write_IV); + _gnutls_free_datum(&session->cipher_specs.server_write_key); + _gnutls_free_datum(&session->cipher_specs.client_write_key); - if (session->key != NULL) { - _gnutls_mpi_release(&session->key->KEY); - _gnutls_mpi_release(&session->key->client_Y); - _gnutls_mpi_release(&session->key->client_p); - _gnutls_mpi_release(&session->key->client_g); + if (session->key != NULL) { + _gnutls_mpi_release(&session->key->KEY); + _gnutls_mpi_release(&session->key->client_Y); + _gnutls_mpi_release(&session->key->client_p); + _gnutls_mpi_release(&session->key->client_g); - _gnutls_mpi_release(&session->key->u); - _gnutls_mpi_release(&session->key->a); - _gnutls_mpi_release(&session->key->x); - _gnutls_mpi_release(&session->key->A); - _gnutls_mpi_release(&session->key->B); - _gnutls_mpi_release(&session->key->b); + _gnutls_mpi_release(&session->key->u); + _gnutls_mpi_release(&session->key->a); + _gnutls_mpi_release(&session->key->x); + _gnutls_mpi_release(&session->key->A); + _gnutls_mpi_release(&session->key->B); + _gnutls_mpi_release(&session->key->b); - /* RSA */ - _gnutls_mpi_release(&session->key->rsa[0]); - _gnutls_mpi_release(&session->key->rsa[1]); + /* RSA */ + _gnutls_mpi_release(&session->key->rsa[0]); + _gnutls_mpi_release(&session->key->rsa[1]); - _gnutls_mpi_release(&session->key->dh_secret); - gnutls_free(session->key); + _gnutls_mpi_release(&session->key->dh_secret); + gnutls_free(session->key); - session->key = NULL; - } + session->key = NULL; + } - gnutls_free( session->internals.srp_username); + gnutls_free(session->internals.srp_username); - if (session->internals.srp_password) { - memset( session->internals.srp_password, 0, - strlen(session->internals.srp_password)); - gnutls_free( session->internals.srp_password); - } + if (session->internals.srp_password) { + memset(session->internals.srp_password, 0, + strlen(session->internals.srp_password)); + gnutls_free(session->internals.srp_password); + } - memset( session, 0, sizeof(struct gnutls_session_int)); - gnutls_free(session); + memset(session, 0, sizeof(struct gnutls_session_int)); + gnutls_free(session); } /* Returns the minimum prime bits that are acceptable. */ -int _gnutls_dh_get_allowed_prime_bits( gnutls_session session) +int _gnutls_dh_get_allowed_prime_bits(gnutls_session session) { - return session->internals.dh_prime_bits; + return session->internals.dh_prime_bits; } -int _gnutls_dh_set_peer_public( gnutls_session session, mpi_t public) +int _gnutls_dh_set_peer_public(gnutls_session session, mpi_t public) { -dh_info_t * dh; -int ret; - - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_server_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + dh_info_t *dh; + int ret; + + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_server_auth_info_t info; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - dh = &info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info; + dh = &info->dh; + break; + } + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - dh = &info->dh; - break; - } - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + dh = &info->dh; + break; } + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - dh->public_key_size = sizeof( dh->public_key); - ret = _gnutls_mpi_print_lz( dh->public_key, &dh->public_key_size, public); - if (ret < 0) { - gnutls_assert(); - dh->public_key_size = 0; - return ret; - } + dh->public_key_size = sizeof(dh->public_key); + ret = + _gnutls_mpi_print_lz(dh->public_key, &dh->public_key_size, public); + if (ret < 0) { + gnutls_assert(); + dh->public_key_size = 0; + return ret; + } - return 0; + return 0; } -int _gnutls_dh_set_secret_bits( gnutls_session session, uint bits) -{ - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_server_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - info->dh.secret_bits = bits; - break; - } - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - info->dh.secret_bits = bits; - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } +int _gnutls_dh_set_secret_bits(gnutls_session session, uint bits) +{ + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_server_auth_info_t info; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + info->dh.secret_bits = bits; + break; } + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info; - return 0; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + info->dh.secret_bits = bits; + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + } + + return 0; } /* This function will set in the auth info structure the * RSA exponent and the modulus. */ -int _gnutls_rsa_export_set_pubkey( gnutls_session session, mpi_t exp, mpi_t mod) +int _gnutls_rsa_export_set_pubkey(gnutls_session session, mpi_t exp, + mpi_t mod) { - cert_auth_info_t info; - int ret; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + cert_auth_info_t info; + int ret; - info->rsa_export.modulus_size = sizeof( info->rsa_export.modulus); + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - ret = _gnutls_mpi_print_lz( info->rsa_export.modulus, &info->rsa_export.modulus_size, mod); - if (ret < 0) { - gnutls_assert(); - info->rsa_export.modulus_size = 0; - return ret; - } + info->rsa_export.modulus_size = sizeof(info->rsa_export.modulus); - info->rsa_export.exponent_size = sizeof( info->rsa_export.exponent); - ret = _gnutls_mpi_print_lz( info->rsa_export.exponent, &info->rsa_export.exponent_size, exp); - if (ret < 0) { - gnutls_assert(); - info->rsa_export.exponent_size = 0; - return ret; - } + ret = + _gnutls_mpi_print_lz(info->rsa_export.modulus, + &info->rsa_export.modulus_size, mod); + if (ret < 0) { + gnutls_assert(); + info->rsa_export.modulus_size = 0; + return ret; + } - return 0; + info->rsa_export.exponent_size = sizeof(info->rsa_export.exponent); + ret = + _gnutls_mpi_print_lz(info->rsa_export.exponent, + &info->rsa_export.exponent_size, exp); + if (ret < 0) { + gnutls_assert(); + info->rsa_export.exponent_size = 0; + return ret; + } + + return 0; } /* Sets the prime and the generator in the auth info structure. */ -int _gnutls_dh_set_group( gnutls_session session, mpi_t gen, mpi_t prime) -{ -dh_info_t* dh; -int ret; - - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_server_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - dh = &info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - dh = &info->dh; - break; - } - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } +int _gnutls_dh_set_group(gnutls_session session, mpi_t gen, mpi_t prime) +{ + dh_info_t *dh; + int ret; + + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_server_auth_info_t info; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - dh->prime_size = sizeof( dh->prime); - ret = _gnutls_mpi_print_lz( dh->prime, &dh->prime_size, prime); - if (ret < 0) { - gnutls_assert(); - dh->prime_size = 0; - return ret; + dh = &info->dh; + break; } + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info; - dh->generator_size = sizeof( dh->generator); - ret = _gnutls_mpi_print_lz( dh->generator, &dh->generator_size, gen); - if (ret < 0) { - gnutls_assert(); - dh->generator_size = 0; - return ret; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + dh = &info->dh; + break; } + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - - return 0; + dh->prime_size = sizeof(dh->prime); + ret = _gnutls_mpi_print_lz(dh->prime, &dh->prime_size, prime); + if (ret < 0) { + gnutls_assert(); + dh->prime_size = 0; + return ret; + } + + dh->generator_size = sizeof(dh->generator); + ret = _gnutls_mpi_print_lz(dh->generator, &dh->generator_size, gen); + if (ret < 0) { + gnutls_assert(); + dh->generator_size = 0; + return ret; + } + + + return 0; } /** @@ -558,9 +581,10 @@ int ret; * server can obtain the client's key. * **/ -void gnutls_openpgp_send_key(gnutls_session session, gnutls_openpgp_key_status status) +void gnutls_openpgp_send_key(gnutls_session session, + gnutls_openpgp_key_status status) { - session->internals.pgp_fingerprint = status; + session->internals.pgp_fingerprint = status; } /** @@ -577,14 +601,15 @@ void gnutls_openpgp_send_key(gnutls_session session, gnutls_openpgp_key_status s * certificate with X.509 certificates. * **/ -void gnutls_certificate_send_x509_rdn_sequence(gnutls_session session, int status) +void gnutls_certificate_send_x509_rdn_sequence(gnutls_session session, + int status) { - session->internals.ignore_rdn_sequence = status; + session->internals.ignore_rdn_sequence = status; } -int _gnutls_openpgp_send_fingerprint(gnutls_session session) +int _gnutls_openpgp_send_fingerprint(gnutls_session session) { - return session->internals.pgp_fingerprint; + return session->internals.pgp_fingerprint; } /*- @@ -599,10 +624,11 @@ int _gnutls_openpgp_send_fingerprint(gnutls_session session) * -*/ void _gnutls_record_set_default_version(gnutls_session session, - unsigned char major, unsigned char minor) + unsigned char major, + unsigned char minor) { - session->internals.default_record_version[0] = major; - session->internals.default_record_version[1] = minor; + session->internals.default_record_version[0] = major; + session->internals.default_record_version[1] = minor; } /** @@ -623,26 +649,30 @@ void _gnutls_record_set_default_version(gnutls_session session, * servers and clients may cause interoperability problems. * **/ -void gnutls_handshake_set_private_extensions(gnutls_session session, int allow) +void gnutls_handshake_set_private_extensions(gnutls_session session, + int allow) { - session->internals.enable_private = allow; + session->internals.enable_private = allow; } inline -static int _gnutls_cal_PRF_A( gnutls_mac_algorithm algorithm, const void *secret, int secret_size, const void *seed, int seed_size, void* result) + static int _gnutls_cal_PRF_A(gnutls_mac_algorithm algorithm, + const void *secret, int secret_size, + const void *seed, int seed_size, + void *result) { - mac_hd_t td1; + mac_hd_t td1; - td1 = _gnutls_hmac_init(algorithm, secret, secret_size); - if (td1 == GNUTLS_MAC_FAILED) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + td1 = _gnutls_hmac_init(algorithm, secret, secret_size); + if (td1 == GNUTLS_MAC_FAILED) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - _gnutls_hmac(td1, seed, seed_size); - _gnutls_hmac_deinit(td1, result); - - return 0; + _gnutls_hmac(td1, seed, seed_size); + _gnutls_hmac_deinit(td1, result); + + return 0; } #define MAX_SEED_SIZE 200 @@ -650,75 +680,81 @@ static int _gnutls_cal_PRF_A( gnutls_mac_algorithm algorithm, const void *secret /* Produces "total_bytes" bytes using the hash algorithm specified. * (used in the PRF function) */ -static int _gnutls_P_hash( gnutls_mac_algorithm algorithm, const opaque * secret, int secret_size, const opaque * seed, int seed_size, int total_bytes, opaque* ret) +static int _gnutls_P_hash(gnutls_mac_algorithm algorithm, + const opaque * secret, int secret_size, + const opaque * seed, int seed_size, + int total_bytes, opaque * ret) { - mac_hd_t td2; - int i, times, how, blocksize, A_size; - opaque final[20], Atmp[MAX_SEED_SIZE]; - int output_bytes, result; + mac_hd_t td2; + int i, times, how, blocksize, A_size; + opaque final[20], Atmp[MAX_SEED_SIZE]; + int output_bytes, result; - if (seed_size > MAX_SEED_SIZE || total_bytes<=0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (seed_size > MAX_SEED_SIZE || total_bytes <= 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + blocksize = _gnutls_hmac_get_algo_len(algorithm); + + output_bytes = 0; + do { + output_bytes += blocksize; + } while (output_bytes < total_bytes); + + /* calculate A(0) */ + + memcpy(Atmp, seed, seed_size); + A_size = seed_size; + + times = output_bytes / blocksize; + + for (i = 0; i < times; i++) { + td2 = _gnutls_hmac_init(algorithm, secret, secret_size); + if (td2 == GNUTLS_MAC_FAILED) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - - blocksize = _gnutls_hmac_get_algo_len(algorithm); - - output_bytes = 0; - do { - output_bytes += blocksize; - } while (output_bytes < total_bytes); - - /* calculate A(0) */ - - memcpy( Atmp, seed, seed_size); - A_size = seed_size; - - times = output_bytes / blocksize; - - for (i = 0; i < times; i++) { - td2 = _gnutls_hmac_init(algorithm, secret, secret_size); - if (td2 == GNUTLS_MAC_FAILED) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* here we calculate A(i+1) */ - if ((result=_gnutls_cal_PRF_A( algorithm, secret, secret_size, Atmp, A_size, Atmp)) < 0) { - gnutls_assert(); - _gnutls_hmac_deinit(td2, final); - return result; - } - - A_size = blocksize; - - _gnutls_hmac(td2, Atmp, A_size); - _gnutls_hmac(td2, seed, seed_size); - _gnutls_hmac_deinit(td2, final); - - if ( (1+i) * blocksize < total_bytes) { - how = blocksize; - } else { - how = total_bytes - (i) * blocksize; - } - - if (how > 0) { - memcpy(&ret[i * blocksize], final, how); - } + + /* here we calculate A(i+1) */ + if ((result = + _gnutls_cal_PRF_A(algorithm, secret, secret_size, Atmp, + A_size, Atmp)) < 0) { + gnutls_assert(); + _gnutls_hmac_deinit(td2, final); + return result; } - - return 0; + + A_size = blocksize; + + _gnutls_hmac(td2, Atmp, A_size); + _gnutls_hmac(td2, seed, seed_size); + _gnutls_hmac_deinit(td2, final); + + if ((1 + i) * blocksize < total_bytes) { + how = blocksize; + } else { + how = total_bytes - (i) * blocksize; + } + + if (how > 0) { + memcpy(&ret[i * blocksize], final, how); + } + } + + return 0; } /* Xor's two buffers and puts the output in the first one. */ inline static -void _gnutls_xor(opaque* o1, opaque* o2, int length) { -int i; - for (i = 0; i < length; i++) { - o1[i] ^= o2[i]; - } +void _gnutls_xor(opaque * o1, opaque * o2, int length) +{ + int i; + for (i = 0; i < length; i++) { + o1[i] ^= o2[i]; + } } @@ -729,56 +765,61 @@ int i; * needed by the TLS specification. ret must have a least total_bytes * available. */ -int _gnutls_PRF( const opaque * secret, int secret_size, const char * label, int label_size, - opaque * seed, int seed_size, int total_bytes, void* ret) +int _gnutls_PRF(const opaque * secret, int secret_size, const char *label, + int label_size, opaque * seed, int seed_size, + int total_bytes, void *ret) { - int l_s, s_seed_size; - const opaque *s1, *s2; - opaque s_seed[MAX_SEED_SIZE]; - opaque o1[MAX_PRF_BYTES], o2[MAX_PRF_BYTES]; - int result; + int l_s, s_seed_size; + const opaque *s1, *s2; + opaque s_seed[MAX_SEED_SIZE]; + opaque o1[MAX_PRF_BYTES], o2[MAX_PRF_BYTES]; + int result; - if (total_bytes > MAX_PRF_BYTES) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - /* label+seed = s_seed */ - s_seed_size = seed_size + label_size; + if (total_bytes > MAX_PRF_BYTES) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + /* label+seed = s_seed */ + s_seed_size = seed_size + label_size; - if (s_seed_size > MAX_SEED_SIZE) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (s_seed_size > MAX_SEED_SIZE) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - memcpy(s_seed, label, label_size); - memcpy(&s_seed[label_size], seed, seed_size); + memcpy(s_seed, label, label_size); + memcpy(&s_seed[label_size], seed, seed_size); - l_s = secret_size / 2; - - s1 = &secret[0]; - s2 = &secret[l_s]; + l_s = secret_size / 2; - if (secret_size % 2 != 0) { - l_s++; - } + s1 = &secret[0]; + s2 = &secret[l_s]; - result = _gnutls_P_hash( GNUTLS_MAC_MD5, s1, l_s, s_seed, s_seed_size, total_bytes, o1); - if (result<0) { - gnutls_assert(); - return result; - } + if (secret_size % 2 != 0) { + l_s++; + } - result = _gnutls_P_hash( GNUTLS_MAC_SHA, s2, l_s, s_seed, s_seed_size, total_bytes, o2); - if (result<0) { - gnutls_assert(); - return result; - } + result = + _gnutls_P_hash(GNUTLS_MAC_MD5, s1, l_s, s_seed, s_seed_size, + total_bytes, o1); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_P_hash(GNUTLS_MAC_SHA, s2, l_s, s_seed, s_seed_size, + total_bytes, o2); + if (result < 0) { + gnutls_assert(); + return result; + } - _gnutls_xor(o1, o2, total_bytes); + _gnutls_xor(o1, o2, total_bytes); - memcpy( ret, o1, total_bytes); + memcpy(ret, o1, total_bytes); - return 0; /* ok */ + return 0; /* ok */ } @@ -792,17 +833,18 @@ int _gnutls_PRF( const opaque * secret, int secret_size, const char * label, int **/ int gnutls_session_is_resumed(gnutls_session session) { - if (session->security_parameters.entity==GNUTLS_CLIENT) { - if (memcmp( session->security_parameters.session_id, - session->internals.resumed_security_parameters.session_id, - session->security_parameters.session_id_size)==0) - return 1; - } else { - if (session->internals.resumed==RESUME_TRUE) - return 1; - } + if (session->security_parameters.entity == GNUTLS_CLIENT) { + if (memcmp(session->security_parameters.session_id, + session->internals.resumed_security_parameters. + session_id, + session->security_parameters.session_id_size) == 0) + return 1; + } else { + if (session->internals.resumed == RESUME_TRUE) + return 1; + } - return 0; + return 0; } /*- @@ -814,14 +856,16 @@ int gnutls_session_is_resumed(gnutls_session session) -*/ int _gnutls_session_is_export(gnutls_session session) { - gnutls_cipher_algorithm cipher; - - cipher = _gnutls_cipher_suite_get_cipher_algo( &session->security_parameters.current_cipher_suite); - - if (_gnutls_cipher_get_export_flag( cipher) != 0) - return 1; + gnutls_cipher_algorithm cipher; - return 0; + cipher = + _gnutls_cipher_suite_get_cipher_algo(&session->security_parameters. + current_cipher_suite); + + if (_gnutls_cipher_get_export_flag(cipher) != 0) + return 1; + + return 0; } /** @@ -832,9 +876,9 @@ int _gnutls_session_is_export(gnutls_session session) * This is the pointer set with gnutls_session_set_ptr(). * **/ -void* gnutls_session_get_ptr(gnutls_session session) +void *gnutls_session_get_ptr(gnutls_session session) { - return session->internals.user_ptr; + return session->internals.user_ptr; } /** @@ -846,9 +890,9 @@ void* gnutls_session_get_ptr(gnutls_session session) * This is pointer can be accessed with gnutls_session_get_ptr(). * **/ -void gnutls_session_set_ptr(gnutls_session session, void* ptr) +void gnutls_session_set_ptr(gnutls_session session, void *ptr) { - session->internals.user_ptr = ptr; + session->internals.user_ptr = ptr; } @@ -867,8 +911,9 @@ void gnutls_session_set_ptr(gnutls_session session, void* ptr) * write data. * **/ -int gnutls_record_get_direction(gnutls_session session) { - return session->internals.direction; +int gnutls_record_get_direction(gnutls_session session) +{ + return session->internals.direction; } /*- @@ -882,9 +927,9 @@ int gnutls_record_get_direction(gnutls_session session) { * test server's capabilities. * -*/ -void _gnutls_rsa_pms_set_version(gnutls_session session, unsigned char major, - unsigned char minor) +void _gnutls_rsa_pms_set_version(gnutls_session session, + unsigned char major, unsigned char minor) { - session->internals.rsa_pms_version[0] = major; - session->internals.rsa_pms_version[1] = minor; + session->internals.rsa_pms_version[0] = major; + session->internals.rsa_pms_version[1] = minor; } diff --git a/lib/gnutls_state.h b/lib/gnutls_state.h index 41b8b178ad..19433fef05 100644 --- a/lib/gnutls_state.h +++ b/lib/gnutls_state.h @@ -3,10 +3,12 @@ #include <gnutls_int.h> -void _gnutls_session_cert_type_set( gnutls_session session, gnutls_certificate_type); -gnutls_kx_algorithm gnutls_kx_get( gnutls_session session); -gnutls_cipher_algorithm gnutls_cipher_get( gnutls_session session); -gnutls_certificate_type gnutls_certificate_type_get( gnutls_session session); +void _gnutls_session_cert_type_set(gnutls_session session, + gnutls_certificate_type); +gnutls_kx_algorithm gnutls_kx_get(gnutls_session session); +gnutls_cipher_algorithm gnutls_cipher_get(gnutls_session session); +gnutls_certificate_type gnutls_certificate_type_get(gnutls_session + session); #include <gnutls_auth_int.h> @@ -17,25 +19,28 @@ gnutls_certificate_type gnutls_certificate_type_get( gnutls_session session); #endif -int _gnutls_session_cert_type_supported( gnutls_session, gnutls_certificate_type); +int _gnutls_session_cert_type_supported(gnutls_session, + gnutls_certificate_type); -int _gnutls_dh_set_secret_bits( gnutls_session session, uint bits); +int _gnutls_dh_set_secret_bits(gnutls_session session, uint bits); -int _gnutls_dh_set_peer_public( gnutls_session session, mpi_t public); -int _gnutls_dh_set_group( gnutls_session session, mpi_t gen, mpi_t prime); +int _gnutls_dh_set_peer_public(gnutls_session session, mpi_t public); +int _gnutls_dh_set_group(gnutls_session session, mpi_t gen, mpi_t prime); -int _gnutls_dh_get_allowed_prime_bits( gnutls_session session); -void gnutls_dh_set_prime_bits( gnutls_session session, unsigned int bits); -void _gnutls_handshake_internal_state_clear( gnutls_session); +int _gnutls_dh_get_allowed_prime_bits(gnutls_session session); +void gnutls_dh_set_prime_bits(gnutls_session session, unsigned int bits); +void _gnutls_handshake_internal_state_clear(gnutls_session); -int _gnutls_rsa_export_set_pubkey( gnutls_session session, mpi_t exp, mpi_t mod); +int _gnutls_rsa_export_set_pubkey(gnutls_session session, mpi_t exp, + mpi_t mod); -int _gnutls_session_is_resumable( gnutls_session session); -int _gnutls_session_is_export( gnutls_session session); +int _gnutls_session_is_resumable(gnutls_session session); +int _gnutls_session_is_export(gnutls_session session); -int _gnutls_openpgp_send_fingerprint( gnutls_session session); +int _gnutls_openpgp_send_fingerprint(gnutls_session session); -int _gnutls_PRF( const opaque * secret, int secret_size, const char * label, - int label_size, opaque * seed, int seed_size, int total_bytes, void* ret); +int _gnutls_PRF(const opaque * secret, int secret_size, const char *label, + int label_size, opaque * seed, int seed_size, + int total_bytes, void *ret); #define DEFAULT_CERT_TYPE GNUTLS_CRT_X509 diff --git a/lib/gnutls_str.c b/lib/gnutls_str.c index 10911bedfd..0e55c35d9a 100644 --- a/lib/gnutls_str.c +++ b/lib/gnutls_str.c @@ -31,157 +31,166 @@ * * They should be used only with null terminated strings. */ -void _gnutls_str_cat( char* dest, size_t dest_tot_size, const char* src) { -size_t str_size = strlen(src); -size_t dest_size = strlen(dest); - - if ( dest_tot_size - dest_size > str_size) { - strcat( dest, src); - } else { - if ( dest_tot_size - dest_size > 0) { - strncat( dest, src, (dest_tot_size - dest_size) -1); - dest[dest_tot_size-1] = 0; - } +void _gnutls_str_cat(char *dest, size_t dest_tot_size, const char *src) +{ + size_t str_size = strlen(src); + size_t dest_size = strlen(dest); + + if (dest_tot_size - dest_size > str_size) { + strcat(dest, src); + } else { + if (dest_tot_size - dest_size > 0) { + strncat(dest, src, (dest_tot_size - dest_size) - 1); + dest[dest_tot_size - 1] = 0; } + } } -void _gnutls_str_cpy( char* dest, size_t dest_tot_size, const char* src) { -size_t str_size = strlen(src); - - if ( dest_tot_size > str_size) { - strcpy( dest, src); - } else { - if ( dest_tot_size > 0) { - strncpy( dest, src, (dest_tot_size) -1); - dest[dest_tot_size-1] = 0; - } +void _gnutls_str_cpy(char *dest, size_t dest_tot_size, const char *src) +{ + size_t str_size = strlen(src); + + if (dest_tot_size > str_size) { + strcpy(dest, src); + } else { + if (dest_tot_size > 0) { + strncpy(dest, src, (dest_tot_size) - 1); + dest[dest_tot_size - 1] = 0; } + } } -void _gnutls_mem_cpy( char* dest, size_t dest_tot_size, const char* src, size_t src_size) +void _gnutls_mem_cpy(char *dest, size_t dest_tot_size, const char *src, + size_t src_size) { - if ( dest_tot_size >= src_size) { - memcpy( dest, src, src_size); - } else { - if ( dest_tot_size > 0) { - memcpy( dest, src, dest_tot_size); - } + if (dest_tot_size >= src_size) { + memcpy(dest, src, src_size); + } else { + if (dest_tot_size > 0) { + memcpy(dest, src, dest_tot_size); } + } } -void _gnutls_string_init( gnutls_string* str, gnutls_alloc_function alloc_func, - gnutls_realloc_function realloc_func, - gnutls_free_function free_func) +void _gnutls_string_init(gnutls_string * str, + gnutls_alloc_function alloc_func, + gnutls_realloc_function realloc_func, + gnutls_free_function free_func) { - str->data = NULL; - str->max_length = 0; - str->length = 0; - - str->alloc_func = alloc_func; - str->free_func = free_func; - str->realloc_func = realloc_func; + str->data = NULL; + str->max_length = 0; + str->length = 0; + + str->alloc_func = alloc_func; + str->free_func = free_func; + str->realloc_func = realloc_func; } -void _gnutls_string_clear( gnutls_string* str) +void _gnutls_string_clear(gnutls_string * str) { - if (str==NULL || str->data == NULL) return; - str->free_func( str->data); - - str->data = NULL; - str->max_length = 0; - str->length = 0; + if (str == NULL || str->data == NULL) + return; + str->free_func(str->data); + + str->data = NULL; + str->max_length = 0; + str->length = 0; } /* This one does not copy the string. */ -gnutls_datum _gnutls_string2datum( gnutls_string* str) +gnutls_datum _gnutls_string2datum(gnutls_string * str) { - gnutls_datum ret; - - ret.data = str->data; - ret.size = str->length; - - return ret; + gnutls_datum ret; + + ret.data = str->data; + ret.size = str->length; + + return ret; } #define MIN_CHUNK 256 -int _gnutls_string_copy_str( gnutls_string* dest, const char * src) +int _gnutls_string_copy_str(gnutls_string * dest, const char *src) { - size_t src_len = strlen( src); - - if (dest->max_length >= src_len) { - memcpy( dest->data, src, src_len); - dest->length = src_len; - - return src_len; - } else { - dest->data = dest->realloc_func( dest->data, GMAX(src_len, MIN_CHUNK)); - if (dest->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - dest->max_length = GMAX( MIN_CHUNK, src_len); - - memcpy( dest->data, src, src_len); - dest->length = src_len; - - return src_len; + size_t src_len = strlen(src); + + if (dest->max_length >= src_len) { + memcpy(dest->data, src, src_len); + dest->length = src_len; + + return src_len; + } else { + dest->data = + dest->realloc_func(dest->data, GMAX(src_len, MIN_CHUNK)); + if (dest->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + dest->max_length = GMAX(MIN_CHUNK, src_len); + + memcpy(dest->data, src, src_len); + dest->length = src_len; + + return src_len; + } } -int _gnutls_string_append_str( gnutls_string* dest, const char * src) +int _gnutls_string_append_str(gnutls_string * dest, const char *src) { - size_t src_len = strlen( src); - size_t tot_len = src_len + dest->length; - - if (dest->max_length >= tot_len) { - memcpy( &dest->data[dest->length], src, src_len); - dest->length = tot_len; - - return tot_len; - } else { - size_t new_len = GMAX( src_len, MIN_CHUNK) + GMAX( dest->max_length, MIN_CHUNK); - - dest->data = dest->realloc_func( dest->data, new_len); - if (dest->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - dest->max_length = new_len; - - memcpy( &dest->data[dest->length], src, src_len); - dest->length = tot_len; - - return tot_len; + size_t src_len = strlen(src); + size_t tot_len = src_len + dest->length; + + if (dest->max_length >= tot_len) { + memcpy(&dest->data[dest->length], src, src_len); + dest->length = tot_len; + + return tot_len; + } else { + size_t new_len = + GMAX(src_len, MIN_CHUNK) + GMAX(dest->max_length, MIN_CHUNK); + + dest->data = dest->realloc_func(dest->data, new_len); + if (dest->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + dest->max_length = new_len; + + memcpy(&dest->data[dest->length], src, src_len); + dest->length = tot_len; + + return tot_len; + } } -int _gnutls_string_append_data( gnutls_string* dest, const void * data, size_t data_size) +int _gnutls_string_append_data(gnutls_string * dest, const void *data, + size_t data_size) { - size_t tot_len = data_size + dest->length; - - if (dest->max_length >= tot_len) { - memcpy( &dest->data[dest->length], data, data_size); - dest->length = tot_len; - - return tot_len; - } else { - size_t new_len = GMAX( data_size, MIN_CHUNK) + GMAX(dest->max_length, MIN_CHUNK); - - dest->data = dest->realloc_func( dest->data, new_len); - if (dest->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - dest->max_length = new_len; - - memcpy( &dest->data[dest->length], data, data_size); - dest->length = tot_len; - - return tot_len; + size_t tot_len = data_size + dest->length; + + if (dest->max_length >= tot_len) { + memcpy(&dest->data[dest->length], data, data_size); + dest->length = tot_len; + + return tot_len; + } else { + size_t new_len = + GMAX(data_size, MIN_CHUNK) + GMAX(dest->max_length, MIN_CHUNK); + + dest->data = dest->realloc_func(dest->data, new_len); + if (dest->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + dest->max_length = new_len; + + memcpy(&dest->data[dest->length], data, data_size); + dest->length = tot_len; + + return tot_len; + } } /* Converts the given string (old) to hex. A buffer must be provided @@ -190,18 +199,19 @@ int _gnutls_string_append_data( gnutls_string* dest, const void * data, size_t d * NULL. */ char *_gnutls_bin2hex(const void *_old, size_t oldlen, - char *buffer, size_t buffer_size) + char *buffer, size_t buffer_size) { - unsigned int i, j; - const opaque *old = _old; + unsigned int i, j; + const opaque *old = _old; - if ((oldlen * 2) + 1 > buffer_size) return NULL; + if ((oldlen * 2) + 1 > buffer_size) + return NULL; - for (i = j = 0; i < oldlen; j+=2) { - sprintf(&buffer[j], "%.2x", old[i]); - i++; - } - buffer[j] = '\0'; + for (i = j = 0; i < oldlen; j += 2) { + sprintf(&buffer[j], "%.2x", old[i]); + i++; + } + buffer[j] = '\0'; - return buffer; + return buffer; } diff --git a/lib/gnutls_str.h b/lib/gnutls_str.h index 97007fffa6..ec94878593 100644 --- a/lib/gnutls_str.h +++ b/lib/gnutls_str.h @@ -3,32 +3,35 @@ #include <gnutls_int.h> -void _gnutls_str_cpy( char* dest, size_t dest_tot_size, const char* src); -void _gnutls_mem_cpy( char* dest, size_t dest_tot_size, const char* src, size_t src_size); -void _gnutls_str_cat( char* dest, size_t dest_tot_size, const char* src); +void _gnutls_str_cpy(char *dest, size_t dest_tot_size, const char *src); +void _gnutls_mem_cpy(char *dest, size_t dest_tot_size, const char *src, + size_t src_size); +void _gnutls_str_cat(char *dest, size_t dest_tot_size, const char *src); typedef struct { - opaque * data; - size_t max_length; - size_t length; - gnutls_realloc_function realloc_func; - gnutls_alloc_function alloc_func; - gnutls_free_function free_func; + opaque *data; + size_t max_length; + size_t length; + gnutls_realloc_function realloc_func; + gnutls_alloc_function alloc_func; + gnutls_free_function free_func; } gnutls_string; -void _gnutls_string_init( gnutls_string*, gnutls_alloc_function, gnutls_realloc_function, gnutls_free_function); -void _gnutls_string_clear( gnutls_string*); +void _gnutls_string_init(gnutls_string *, gnutls_alloc_function, + gnutls_realloc_function, gnutls_free_function); +void _gnutls_string_clear(gnutls_string *); /* Beware, do not clear the string, after calling this * function */ -gnutls_datum _gnutls_string2datum( gnutls_string* str); +gnutls_datum _gnutls_string2datum(gnutls_string * str); -int _gnutls_string_copy_str( gnutls_string* dest, const char* src); -int _gnutls_string_append_str( gnutls_string*, const char* str); -int _gnutls_string_append_data( gnutls_string*, const void* data, size_t data_size); +int _gnutls_string_copy_str(gnutls_string * dest, const char *src); +int _gnutls_string_append_str(gnutls_string *, const char *str); +int _gnutls_string_append_data(gnutls_string *, const void *data, + size_t data_size); -char * _gnutls_bin2hex(const void *old, size_t oldlen, char* buffer, - size_t buffer_size); +char *_gnutls_bin2hex(const void *old, size_t oldlen, char *buffer, + size_t buffer_size); #endif diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index 6871f38f5c..462aec6de3 100644 --- a/lib/gnutls_ui.c +++ b/lib/gnutls_ui.c @@ -53,7 +53,7 @@ **/ void gnutls_dh_set_prime_bits(gnutls_session session, unsigned int bits) { - session->internals.dh_prime_bits = bits; + session->internals.dh_prime_bits = bits; } @@ -71,46 +71,46 @@ void gnutls_dh_set_prime_bits(gnutls_session session, unsigned int bits) * Returns a negative value in case of an error. * **/ -int gnutls_dh_get_group(gnutls_session session, - gnutls_datum* raw_gen, gnutls_datum* raw_prime) +int gnutls_dh_get_group(gnutls_session session, + gnutls_datum * raw_gen, gnutls_datum * raw_prime) { -dh_info_t *dh; -int ret; -anon_server_auth_info_t anon_info; -cert_auth_info_t cert_info; - - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: - anon_info = _gnutls_get_auth_info(session); - if (anon_info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &anon_info->dh; - break; - case GNUTLS_CRD_CERTIFICATE: - cert_info = _gnutls_get_auth_info(session); - if (cert_info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &cert_info->dh; - break; - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_set_datum( raw_prime, dh->prime, dh->prime_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = _gnutls_set_datum( raw_gen, dh->generator, dh->generator_size); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum( raw_prime); - return ret; - } - - return 0; + dh_info_t *dh; + int ret; + anon_server_auth_info_t anon_info; + cert_auth_info_t cert_info; + + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON: + anon_info = _gnutls_get_auth_info(session); + if (anon_info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &anon_info->dh; + break; + case GNUTLS_CRD_CERTIFICATE: + cert_info = _gnutls_get_auth_info(session); + if (cert_info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &cert_info->dh; + break; + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_set_datum(raw_prime, dh->prime, dh->prime_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = _gnutls_set_datum(raw_gen, dh->generator, dh->generator_size); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(raw_prime); + return ret; + } + + return 0; } /** @@ -125,34 +125,34 @@ cert_auth_info_t cert_info; * Returns a negative value in case of an error. * **/ -int gnutls_dh_get_pubkey(gnutls_session session, gnutls_datum* raw_key) +int gnutls_dh_get_pubkey(gnutls_session session, gnutls_datum * raw_key) { -dh_info_t* dh; -anon_server_auth_info_t anon_info; -cert_auth_info_t cert_info; - - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_info = _gnutls_get_auth_info(session); - if (anon_info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &anon_info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE: { - - cert_info = _gnutls_get_auth_info(session); - if (cert_info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &cert_info->dh; - break; - } - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + dh_info_t *dh; + anon_server_auth_info_t anon_info; + cert_auth_info_t cert_info; + + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_info = _gnutls_get_auth_info(session); + if (anon_info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &anon_info->dh; + break; + } + case GNUTLS_CRD_CERTIFICATE:{ + + cert_info = _gnutls_get_auth_info(session); + if (cert_info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &cert_info->dh; + break; } + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_set_datum( raw_key, dh->public_key, dh->public_key_size); + return _gnutls_set_datum(raw_key, dh->public_key, dh->public_key_size); } /** @@ -167,35 +167,36 @@ cert_auth_info_t cert_info; * Returns a negative value in case of an error. * **/ -int gnutls_rsa_export_get_pubkey(gnutls_session session, gnutls_datum* exp, gnutls_datum* mod) +int gnutls_rsa_export_get_pubkey(gnutls_session session, + gnutls_datum * exp, gnutls_datum * mod) { -cert_auth_info_t info; -int ret; - - if ( gnutls_auth_get_type( session) == GNUTLS_CRD_CERTIFICATE) { - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - ret = _gnutls_set_datum( mod, info->rsa_export.modulus, - info->rsa_export.modulus_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = _gnutls_set_datum( exp, info->rsa_export.exponent, - info->rsa_export.exponent_size); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum( mod); - return ret; - } - - return 0; + cert_auth_info_t info; + int ret; + + if (gnutls_auth_get_type(session) == GNUTLS_CRD_CERTIFICATE) { + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + ret = _gnutls_set_datum(mod, info->rsa_export.modulus, + info->rsa_export.modulus_size); + if (ret < 0) { + gnutls_assert(); + return ret; } - return GNUTLS_E_INVALID_REQUEST; + ret = _gnutls_set_datum(exp, info->rsa_export.exponent, + info->rsa_export.exponent_size); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(mod); + return ret; + } + + return 0; + } + + return GNUTLS_E_INVALID_REQUEST; } @@ -210,28 +211,28 @@ int ret; **/ int gnutls_dh_get_secret_bits(gnutls_session session) { - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_server_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - return info->dh.secret_bits; - } - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - return info->dh.secret_bits; - } - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_server_auth_info_t info; + + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + return info->dh.secret_bits; + } + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info; + + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + return info->dh.secret_bits; } + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } } @@ -246,34 +247,34 @@ int gnutls_dh_get_secret_bits(gnutls_session session) **/ int gnutls_dh_get_prime_bits(gnutls_session session) { -dh_info_t *dh; - - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_server_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - dh = &info->dh; - break; - } - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + dh_info_t *dh; + + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_server_auth_info_t info; + + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &info->dh; + break; } + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info; - return (dh->prime_size)*8; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + dh = &info->dh; + break; + } + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return (dh->prime_size) * 8; } @@ -288,13 +289,13 @@ dh_info_t *dh; **/ int gnutls_rsa_export_get_modulus_bits(gnutls_session session) { -cert_auth_info_t info; + cert_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - return info->rsa_export.modulus_size*8; + return info->rsa_export.modulus_size * 8; } /** @@ -308,35 +309,35 @@ cert_auth_info_t info; **/ int gnutls_dh_get_peers_public_bits(gnutls_session session) { -dh_info_t * dh; - - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_server_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - dh = &info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - dh = &info->dh; - break; - } - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + dh_info_t *dh; + + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_server_auth_info_t info; + + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + dh = &info->dh; + break; } + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info; - return dh->public_key_size*8; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + dh = &info->dh; + break; + } + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return dh->public_key_size * 8; } @@ -355,20 +356,20 @@ dh_info_t * dh; **/ const gnutls_datum *gnutls_certificate_get_ours(gnutls_session session) { - const gnutls_certificate_credentials cred; + const gnutls_certificate_credentials cred; - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL); + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL); - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL || cred->cert_list == NULL) { - gnutls_assert(); - return NULL; - } + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL || cred->cert_list == NULL) { + gnutls_assert(); + return NULL; + } - if (session->internals.selected_cert_list == NULL) - return NULL; + if (session->internals.selected_cert_list == NULL) + return NULL; - return &session->internals.selected_cert_list[0].raw; + return &session->internals.selected_cert_list[0].raw; } /** @@ -385,19 +386,19 @@ const gnutls_datum *gnutls_certificate_get_ours(gnutls_session session) * Returns NULL in case of an error, or if no certificate was sent. * **/ -const gnutls_datum *gnutls_certificate_get_peers(gnutls_session session, - unsigned int *list_size) +const gnutls_datum *gnutls_certificate_get_peers(gnutls_session session, + unsigned int *list_size) { - cert_auth_info_t info; + cert_auth_info_t info; - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL); + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL); - info = _gnutls_get_auth_info(session); - if (info == NULL) - return NULL; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return NULL; - *list_size = info->ncerts; - return info->raw_certificate_list; + *list_size = info->ncerts; + return info->raw_certificate_list; } @@ -412,14 +413,14 @@ const gnutls_datum *gnutls_certificate_get_peers(gnutls_session session, **/ int gnutls_certificate_client_get_request_status(gnutls_session session) { - cert_auth_info_t info; + cert_auth_info_t info; - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, 0); + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, 0); - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - return info->certificate_requested; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + return info->certificate_requested; } /** @@ -442,30 +443,30 @@ int gnutls_certificate_client_get_request_status(gnutls_session session) * Returns a negative value in case of an error. * **/ -int gnutls_fingerprint(gnutls_digest_algorithm algo, const gnutls_datum* data, - void* result, size_t* result_size) +int gnutls_fingerprint(gnutls_digest_algorithm algo, + const gnutls_datum * data, void *result, + size_t * result_size) { - GNUTLS_HASH_HANDLE td; - int hash_len = _gnutls_hash_get_algo_len(algo); - - if (hash_len < 0 || (uint)hash_len > *result_size || - result==NULL) - { - *result_size = hash_len; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } + GNUTLS_HASH_HANDLE td; + int hash_len = _gnutls_hash_get_algo_len(algo); + + if (hash_len < 0 || (uint) hash_len > *result_size || result == NULL) { *result_size = hash_len; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + *result_size = hash_len; - if (result) { - td = _gnutls_hash_init( algo); - if (td==NULL) return GNUTLS_E_HASH_FAILED; - - _gnutls_hash( td, data->data, data->size); - - _gnutls_hash_deinit( td, result); - } - - return 0; + if (result) { + td = _gnutls_hash_init(algo); + if (td == NULL) + return GNUTLS_E_HASH_FAILED; + + _gnutls_hash(td, data->data, data->size); + + _gnutls_hash_deinit(td, result); + } + + return 0; } /** @@ -478,9 +479,10 @@ int gnutls_fingerprint(gnutls_digest_algorithm algo, const gnutls_datum* data, * cipher suites. * **/ -void gnutls_anon_set_server_dh_params( gnutls_anon_server_credentials res, gnutls_dh_params dh_params) +void gnutls_anon_set_server_dh_params(gnutls_anon_server_credentials res, + gnutls_dh_params dh_params) { - res->dh_params = dh_params; + res->dh_params = dh_params; } /** @@ -493,9 +495,10 @@ void gnutls_anon_set_server_dh_params( gnutls_anon_server_credentials res, gnutl * cipher suites. * **/ -void gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_dh_params dh_params) +void gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, + gnutls_dh_params dh_params) { - res->dh_params = dh_params; + res->dh_params = dh_params; } /** @@ -508,10 +511,11 @@ void gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls * should return zero on success. * **/ -void gnutls_certificate_set_params_function(gnutls_certificate_credentials res, - gnutls_params_function* func) +void gnutls_certificate_set_params_function(gnutls_certificate_credentials + res, + gnutls_params_function * func) { - res->params_func = func; + res->params_func = func; } /** @@ -524,10 +528,10 @@ void gnutls_certificate_set_params_function(gnutls_certificate_credentials res, * return zero on success. * **/ -void gnutls_anon_set_params_function(gnutls_anon_server_credentials res, - gnutls_params_function* func) +void gnutls_anon_set_params_function(gnutls_anon_server_credentials res, + gnutls_params_function * func) { - res->params_func = func; + res->params_func = func; } @@ -540,9 +544,10 @@ void gnutls_anon_set_params_function(gnutls_anon_server_credentials res, * Flags must be OR of the gnutls_certificate_verify_flags enumerations. * **/ -void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials res, unsigned int flags) +void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials + res, unsigned int flags) { - res->verify_flags = flags; + res->verify_flags = flags; } /** @@ -555,7 +560,9 @@ void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials res, uns * cipher suites. * **/ -void gnutls_certificate_set_rsa_export_params(gnutls_certificate_credentials res, gnutls_rsa_params rsa_params) +void +gnutls_certificate_set_rsa_export_params(gnutls_certificate_credentials + res, gnutls_rsa_params rsa_params) { - res->rsa_params = rsa_params; + res->rsa_params = rsa_params; } diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h index 29093fa989..29f6baa8b3 100644 --- a/lib/gnutls_ui.h +++ b/lib/gnutls_ui.h @@ -2,8 +2,8 @@ # define GNUTLS_UI_H typedef enum gnutls_x509_subject_alt_name { - GNUTLS_SAN_DNSNAME = 1, GNUTLS_SAN_RFC822NAME, - GNUTLS_SAN_URI, GNUTLS_SAN_IPADDRESS + GNUTLS_SAN_DNSNAME = 1, GNUTLS_SAN_RFC822NAME, + GNUTLS_SAN_URI, GNUTLS_SAN_IPADDRESS } gnutls_x509_subject_alt_name; # ifdef LIBGNUTLS_VERSION /* These are defined only in gnutls.h */ @@ -15,35 +15,43 @@ struct gnutls_openpgp_privkey_int; typedef struct gnutls_openpgp_privkey_int *gnutls_openpgp_privkey; typedef struct gnutls_retr_st { - gnutls_certificate_type type; - union cert { - gnutls_x509_crt *x509; - gnutls_openpgp_key pgp; - } cert; - unsigned int ncerts; /* one for pgp keys */ - - union key { - gnutls_x509_privkey x509; - gnutls_openpgp_privkey pgp; - } key; - - unsigned int deinit_all; /* if non zero all keys will be deinited */ + gnutls_certificate_type type; + union cert { + gnutls_x509_crt *x509; + gnutls_openpgp_key pgp; + } cert; + unsigned int ncerts; /* one for pgp keys */ + + union key { + gnutls_x509_privkey x509; + gnutls_openpgp_privkey pgp; + } key; + + unsigned int deinit_all; /* if non zero all keys will be deinited */ } gnutls_retr_st; typedef int gnutls_certificate_client_retrieve_function(gnutls_session, - const gnutls_datum* req_ca_rdn, int nreqs, - const gnutls_pk_algorithm* pk_algos, int pk_algos_length, - gnutls_retr_st *); + const gnutls_datum + * req_ca_rdn, + int nreqs, + const + gnutls_pk_algorithm + * pk_algos, + int + pk_algos_length, + gnutls_retr_st *); typedef int gnutls_certificate_server_retrieve_function(gnutls_session, - gnutls_retr_st *); + gnutls_retr_st *); /* Functions that allow auth_info_t structures handling */ gnutls_credentials_type gnutls_auth_get_type(gnutls_session session); -gnutls_credentials_type gnutls_auth_server_get_type(gnutls_session session); -gnutls_credentials_type gnutls_auth_client_get_type(gnutls_session session); +gnutls_credentials_type gnutls_auth_server_get_type(gnutls_session + session); +gnutls_credentials_type gnutls_auth_client_get_type(gnutls_session + session); /* DH */ @@ -52,39 +60,49 @@ int gnutls_dh_get_secret_bits(gnutls_session); int gnutls_dh_get_peers_public_bits(gnutls_session); int gnutls_dh_get_prime_bits(gnutls_session); -int gnutls_dh_get_group(gnutls_session, gnutls_datum* gen, gnutls_datum* prime); -int gnutls_dh_get_pubkey(gnutls_session, gnutls_datum* pub); +int gnutls_dh_get_group(gnutls_session, gnutls_datum * gen, + gnutls_datum * prime); +int gnutls_dh_get_pubkey(gnutls_session, gnutls_datum * pub); /* RSA */ -int gnutls_rsa_export_get_pubkey(gnutls_session session, gnutls_datum* exp, gnutls_datum* mod); +int gnutls_rsa_export_get_pubkey(gnutls_session session, + gnutls_datum * exp, gnutls_datum * mod); int gnutls_rsa_export_get_modulus_bits(gnutls_session session); /* X509PKI */ /* These are set on the credentials structure. */ -void gnutls_certificate_client_set_retrieve_function(gnutls_certificate_client_credentials, - gnutls_certificate_client_retrieve_function *); -void gnutls_certificate_server_set_retrieve_function(gnutls_certificate_server_credentials, - gnutls_certificate_server_retrieve_function *); +void +gnutls_certificate_client_set_retrieve_function +(gnutls_certificate_client_credentials, +gnutls_certificate_client_retrieve_function *); +void +gnutls_certificate_server_set_retrieve_function +(gnutls_certificate_server_credentials, +gnutls_certificate_server_retrieve_function *); void gnutls_certificate_server_set_request(gnutls_session, - gnutls_certificate_request); + gnutls_certificate_request); /* X.509 certificate handling functions */ int gnutls_pkcs3_extract_dh_params(const gnutls_datum * params, - gnutls_x509_crt_fmt format, gnutls_datum * prime, - gnutls_datum * generator, int *prime_bits); + gnutls_x509_crt_fmt format, + gnutls_datum * prime, + gnutls_datum * generator, + int *prime_bits); int gnutls_pkcs3_export_dh_params(const gnutls_datum * prime, - const gnutls_datum * generator, gnutls_x509_crt_fmt format, - unsigned char *params_data, int *params_data_size); + const gnutls_datum * generator, + gnutls_x509_crt_fmt format, + unsigned char *params_data, + int *params_data_size); /* get data from the session */ const gnutls_datum *gnutls_certificate_get_peers(gnutls_session, - unsigned int *list_size); + unsigned int *list_size); const gnutls_datum *gnutls_certificate_get_ours(gnutls_session session); time_t gnutls_certificate_activation_time_peers(gnutls_session session); @@ -94,15 +112,17 @@ int gnutls_certificate_client_get_request_status(gnutls_session); int gnutls_certificate_verify_peers(gnutls_session); int gnutls_pem_base64_encode(const char *header, const gnutls_datum * data, - char *result, size_t * result_size); + char *result, size_t * result_size); int gnutls_pem_base64_decode(const char *header, - const gnutls_datum * b64_data, - unsigned char *result, size_t * result_size); + const gnutls_datum * b64_data, + unsigned char *result, size_t * result_size); int gnutls_pem_base64_encode_alloc(const char *header, - const gnutls_datum * data, gnutls_datum * result); + const gnutls_datum * data, + gnutls_datum * result); int gnutls_pem_base64_decode_alloc(const char *header, - const gnutls_datum * b64_data, gnutls_datum * result); + const gnutls_datum * b64_data, + gnutls_datum * result); /* key_usage will be an OR of the following values: */ @@ -121,21 +141,22 @@ int gnutls_pem_base64_decode_alloc(const char *header, #define GNUTLS_KEY_DECIPHER_ONLY 32768 typedef struct gnutls_params_st { - gnutls_params_type type; - union params { - gnutls_dh_params dh; - gnutls_rsa_params rsa_export; - } params; - int deinit; + gnutls_params_type type; + union params { + gnutls_dh_params dh; + gnutls_rsa_params rsa_export; + } params; + int deinit; } gnutls_params_st; typedef int gnutls_params_function(gnutls_session, gnutls_params_type, - gnutls_params_st*); + gnutls_params_st *); -void gnutls_certificate_set_params_function(gnutls_certificate_credentials res, - gnutls_params_function* func); -void gnutls_anon_set_params_function(gnutls_certificate_credentials res, - gnutls_params_function* func); +void gnutls_certificate_set_params_function(gnutls_certificate_credentials + res, + gnutls_params_function * func); +void gnutls_anon_set_params_function(gnutls_certificate_credentials res, + gnutls_params_function * func); diff --git a/lib/gnutls_v2_compat.c b/lib/gnutls_v2_compat.c index 7e19848582..0cda405a00 100644 --- a/lib/gnutls_v2_compat.c +++ b/lib/gnutls_v2_compat.c @@ -41,38 +41,40 @@ #include "gnutls_auth_int.h" /* This selects the best supported ciphersuite from the ones provided */ -static int _gnutls_handshake_select_v2_suite(gnutls_session session, opaque *data, int datalen) +static int _gnutls_handshake_select_v2_suite(gnutls_session session, + opaque * data, int datalen) { - int i, j, ret; - opaque* _data; - int _datalen; - - _gnutls_handshake_log( "HSK[%x]: Parsing a version 2.0 client hello.\n", session); - - _data = gnutls_malloc( datalen); - if (_data==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + int i, j, ret; + opaque *_data; + int _datalen; + + _gnutls_handshake_log("HSK[%x]: Parsing a version 2.0 client hello.\n", + session); + + _data = gnutls_malloc(datalen); + if (_data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + if (datalen % 3 != 0) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + i = _datalen = 0; + for (j = 0; j < datalen; j += 3) { + if (data[j] == 0) { + memcpy(&_data[i], &data[j + 1], 2); + i += 2; + _datalen += 2; } + } - if (datalen % 3 != 0) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - - i = _datalen = 0; - for (j = 0; j < datalen; j += 3) { - if (data[j] == 0) { - memcpy( &_data[i], &data[j+1], 2); - i+=2; - _datalen+=2; - } - } + ret = _gnutls_server_select_suite(session, _data, _datalen); + gnutls_free(_data); - ret = _gnutls_server_select_suite( session, _data, _datalen); - gnutls_free(_data); - - return ret; + return ret; } @@ -81,152 +83,162 @@ static int _gnutls_handshake_select_v2_suite(gnutls_session session, opaque *dat * However they set their version to 3.0 or 3.1. */ int _gnutls_read_client_hello_v2(gnutls_session session, opaque * data, - int datalen) + int datalen) { - uint16 session_id_len = 0; - int pos = 0; - int ret = 0; - uint16 sizeOfSuites; - gnutls_protocol_version version; - opaque random[TLS_RANDOM_SIZE]; - int len = datalen; - int err; - uint16 challenge; - opaque session_id[TLS_MAX_SESSION_ID_SIZE]; - gnutls_protocol_version ver; - - /* we only want to get here once - only in client hello */ - session->internals.v2_hello = 0; - - DECR_LEN(len, 2); - - _gnutls_handshake_log( "HSK[%x]: SSL 2.0 Hello: Client's version: %d.%d\n", - session, data[pos], data[pos + 1]); - - set_adv_version( session, data[pos], data[pos+1]); - - version = _gnutls_version_get(data[pos], data[pos + 1]); - - /* if we do not support that version - */ - if (_gnutls_version_is_supported(session, version) == 0) { - ver = _gnutls_version_lowest( session); - } else { - ver = version; - } - - _gnutls_set_current_version(session, ver); - - pos += 2; - - - /* Read uint16 cipher_spec_length */ - DECR_LEN(len, 2); - sizeOfSuites = _gnutls_read_uint16( &data[pos]); - pos += 2; - - /* read session id length */ - DECR_LEN(len, 2); - session_id_len = _gnutls_read_uint16( &data[pos]); - pos += 2; + uint16 session_id_len = 0; + int pos = 0; + int ret = 0; + uint16 sizeOfSuites; + gnutls_protocol_version version; + opaque random[TLS_RANDOM_SIZE]; + int len = datalen; + int err; + uint16 challenge; + opaque session_id[TLS_MAX_SESSION_ID_SIZE]; + gnutls_protocol_version ver; + + /* we only want to get here once - only in client hello */ + session->internals.v2_hello = 0; + + DECR_LEN(len, 2); + + _gnutls_handshake_log + ("HSK[%x]: SSL 2.0 Hello: Client's version: %d.%d\n", session, + data[pos], data[pos + 1]); + + set_adv_version(session, data[pos], data[pos + 1]); + + version = _gnutls_version_get(data[pos], data[pos + 1]); + + /* if we do not support that version + */ + if (_gnutls_version_is_supported(session, version) == 0) { + ver = _gnutls_version_lowest(session); + } else { + ver = version; + } + + _gnutls_set_current_version(session, ver); + + pos += 2; + + + /* Read uint16 cipher_spec_length */ + DECR_LEN(len, 2); + sizeOfSuites = _gnutls_read_uint16(&data[pos]); + pos += 2; + + /* read session id length */ + DECR_LEN(len, 2); + session_id_len = _gnutls_read_uint16(&data[pos]); + pos += 2; + + if (session_id_len > TLS_MAX_SESSION_ID_SIZE) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + /* read challenge length */ + DECR_LEN(len, 2); + challenge = _gnutls_read_uint16(&data[pos]); + pos += 2; + + if (challenge < 16 || challenge > TLS_RANDOM_SIZE) { + gnutls_assert(); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + } + + /* find an appropriate cipher suite */ + + DECR_LEN(len, sizeOfSuites); + ret = + _gnutls_handshake_select_v2_suite(session, &data[pos], + sizeOfSuites); + + pos += sizeOfSuites; + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (session_id_len > TLS_MAX_SESSION_ID_SIZE) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + /* check if the credentials (username, public key etc.) are ok + */ + if (_gnutls_get_kx_cred + (session, + _gnutls_cipher_suite_get_kx_algo(&session->security_parameters. + current_cipher_suite), + &err) == NULL && err != 0) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } - /* read challenge length */ - DECR_LEN(len, 2); - challenge = _gnutls_read_uint16( &data[pos]); - pos += 2; + /* set the mod_auth_st to the appropriate struct + * according to the KX algorithm. This is needed since all the + * handshake functions are read from there; + */ + session->internals.auth_struct = + _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); + if (session->internals.auth_struct == NULL) { - if ( challenge < 16 || challenge > TLS_RANDOM_SIZE) { - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; - } + _gnutls_handshake_log + ("HSK[%x]: SSL 2.0 Hello: Cannot find the appropriate handler for the KX algorithm\n", + session); - /* find an appropriate cipher suite */ + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - DECR_LEN(len, sizeOfSuites); - ret = _gnutls_handshake_select_v2_suite(session, &data[pos], sizeOfSuites); - pos += sizeOfSuites; - if (ret < 0) { - gnutls_assert(); - return ret; - } - /* check if the credentials (username, public key etc.) are ok - */ - if (_gnutls_get_kx_cred( session, _gnutls_cipher_suite_get_kx_algo( - &session->security_parameters.current_cipher_suite), &err) == NULL && err != 0) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + /* read random new values -skip session id for now */ + DECR_LEN(len, session_id_len); /* skip session id for now */ + memcpy(session_id, &data[pos], session_id_len); + pos += session_id_len; - /* set the mod_auth_st to the appropriate struct - * according to the KX algorithm. This is needed since all the - * handshake functions are read from there; - */ - session->internals.auth_struct = - _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); - if (session->internals.auth_struct == NULL) { - - _gnutls_handshake_log( - "HSK[%x]: SSL 2.0 Hello: Cannot find the appropriate handler for the KX algorithm\n", - session); - - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + DECR_LEN(len, challenge); + memset(random, 0, TLS_RANDOM_SIZE); - + memcpy(&random[TLS_RANDOM_SIZE - challenge], &data[pos], challenge); - /* read random new values -skip session id for now */ - DECR_LEN(len, session_id_len); /* skip session id for now */ - memcpy( session_id, &data[pos], session_id_len); - pos += session_id_len; - - DECR_LEN(len, challenge); - memset( random, 0, TLS_RANDOM_SIZE); - - memcpy( &random[TLS_RANDOM_SIZE-challenge], &data[pos], challenge); + _gnutls_set_client_random(session, random); - _gnutls_set_client_random( session, random); + /* generate server random value */ - /* generate server random value */ + _gnutls_tls_create_random(random); + _gnutls_set_server_random(session, random); - _gnutls_tls_create_random( random); - _gnutls_set_server_random( session, random); - - session->security_parameters.timestamp = time(NULL); + session->security_parameters.timestamp = time(NULL); - /* RESUME SESSION */ + /* RESUME SESSION */ - DECR_LEN(len, session_id_len); - ret = _gnutls_server_restore_session(session, session_id, session_id_len); + DECR_LEN(len, session_id_len); + ret = + _gnutls_server_restore_session(session, session_id, + session_id_len); - if (ret == 0) { /* resumed! */ - /* get the new random values */ - memcpy(session->internals.resumed_security_parameters.server_random, - session->security_parameters.server_random, TLS_RANDOM_SIZE); - memcpy(session->internals.resumed_security_parameters.client_random, - session->security_parameters.client_random, TLS_RANDOM_SIZE); + if (ret == 0) { /* resumed! */ + /* get the new random values */ + memcpy(session->internals.resumed_security_parameters. + server_random, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + memcpy(session->internals.resumed_security_parameters. + client_random, session->security_parameters.client_random, + TLS_RANDOM_SIZE); - session->internals.resumed = RESUME_TRUE; - return 0; - } else { - _gnutls_generate_session_id(session->security_parameters. - session_id, - &session->security_parameters. - session_id_size); - session->internals.resumed = RESUME_FALSE; - } + session->internals.resumed = RESUME_TRUE; + return 0; + } else { + _gnutls_generate_session_id(session->security_parameters. + session_id, + &session->security_parameters. + session_id_size); + session->internals.resumed = RESUME_FALSE; + } - session->internals.compression_method = GNUTLS_COMP_NULL; + session->internals.compression_method = GNUTLS_COMP_NULL; - return 0; + return 0; } diff --git a/lib/gnutls_v2_compat.h b/lib/gnutls_v2_compat.h index 77297cac3d..ce935d5782 100644 --- a/lib/gnutls_v2_compat.h +++ b/lib/gnutls_v2_compat.h @@ -1 +1,2 @@ -int _gnutls_read_client_hello_v2(gnutls_session session, opaque * data, int datalen); +int _gnutls_read_client_hello_v2(gnutls_session session, opaque * data, + int datalen); diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index 705b56a230..6e6ca037c5 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c @@ -71,78 +71,79 @@ -*/ int _gnutls_x509_cert_verify_peers(gnutls_session session) { - cert_auth_info_t info; - const gnutls_certificate_credentials cred; - unsigned int verify; - gnutls_x509_crt *peer_certificate_list; - int peer_certificate_list_size, i, x, ret; - - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(session); - if (info == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) - return GNUTLS_E_NO_CERTIFICATE_FOUND; - - /* generate a list of gnutls_certs based on the auth info - * raw certs. - */ - peer_certificate_list_size = info->ncerts; - peer_certificate_list = - gnutls_calloc(1, - peer_certificate_list_size * - sizeof(gnutls_x509_crt)); - if (peer_certificate_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + cert_auth_info_t info; + const gnutls_certificate_credentials cred; + unsigned int verify; + gnutls_x509_crt *peer_certificate_list; + int peer_certificate_list_size, i, x, ret; + + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(session); + if (info == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; + + /* generate a list of gnutls_certs based on the auth info + * raw certs. + */ + peer_certificate_list_size = info->ncerts; + peer_certificate_list = + gnutls_calloc(1, + peer_certificate_list_size * + sizeof(gnutls_x509_crt)); + if (peer_certificate_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + for (i = 0; i < peer_certificate_list_size; i++) { + ret = gnutls_x509_crt_init(&peer_certificate_list[i]); + if (ret < 0) { + gnutls_assert(); + CLEAR_CERTS; + return ret; } - for (i = 0; i < peer_certificate_list_size; i++) { - ret = gnutls_x509_crt_init( &peer_certificate_list[i]); - if (ret < 0) { - gnutls_assert(); - CLEAR_CERTS; - return ret; - } - - ret = - gnutls_x509_crt_import(peer_certificate_list[i], - &info-> - raw_certificate_list[i], GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - CLEAR_CERTS; - return ret; - } + ret = + gnutls_x509_crt_import(peer_certificate_list[i], + &info-> + raw_certificate_list[i], + GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + CLEAR_CERTS; + return ret; } + } - /* Verify certificate - */ - ret = - gnutls_x509_crt_list_verify(peer_certificate_list, - peer_certificate_list_size, - cred->x509_ca_list, cred->x509_ncas, - cred->x509_crl_list, cred->x509_ncrls, - cred->verify_flags, &verify); + /* Verify certificate + */ + ret = + gnutls_x509_crt_list_verify(peer_certificate_list, + peer_certificate_list_size, + cred->x509_ca_list, cred->x509_ncas, + cred->x509_crl_list, cred->x509_ncrls, + cred->verify_flags, &verify); - CLEAR_CERTS; + CLEAR_CERTS; - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - return verify; + return verify; } /* @@ -152,118 +153,123 @@ int _gnutls_x509_cert_verify_peers(gnutls_session session) /* returns error if the certificate has different algorithm than * the given key parameters. */ -static int _gnutls_check_key_cert_match( gnutls_certificate_credentials res) +static int _gnutls_check_key_cert_match(gnutls_certificate_credentials res) { -gnutls_datum cid; -gnutls_datum kid; -uint pk = res->cert_list[res->ncerts-1][0].subject_pk_algorithm; - - if (res->pkey[res->ncerts-1].pk_algorithm != pk) - { - gnutls_assert(); - return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; - } - - if (pk == GNUTLS_PK_RSA) { - _gnutls_x509_write_rsa_params( res->pkey[res->ncerts-1].params, - res->pkey[res->ncerts-1].params_size, &kid); - - - _gnutls_x509_write_rsa_params( res->cert_list[res->ncerts-1][0].params, - res->cert_list[res->ncerts-1][0].params_size, &cid); - } else if ( pk == GNUTLS_PK_DSA) { - - _gnutls_x509_write_dsa_params( res->pkey[res->ncerts-1].params, - res->pkey[res->ncerts-1].params_size, &kid); - - _gnutls_x509_write_dsa_params( res->cert_list[res->ncerts-1][0].params, - res->cert_list[res->ncerts-1][0].params_size, &cid); - } - - if (cid.size != kid.size) { - gnutls_assert(); - _gnutls_free_datum( &kid); - _gnutls_free_datum( &cid); - return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; - } - - if (memcmp( kid.data, cid.data, kid.size) != 0) { - gnutls_assert(); - _gnutls_free_datum( &kid); - _gnutls_free_datum( &cid); - return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; - } - - _gnutls_free_datum( &kid); - _gnutls_free_datum( &cid); - return 0; + gnutls_datum cid; + gnutls_datum kid; + uint pk = res->cert_list[res->ncerts - 1][0].subject_pk_algorithm; + + if (res->pkey[res->ncerts - 1].pk_algorithm != pk) { + gnutls_assert(); + return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; + } + + if (pk == GNUTLS_PK_RSA) { + _gnutls_x509_write_rsa_params(res->pkey[res->ncerts - 1].params, + res->pkey[res->ncerts - + 1].params_size, &kid); + + + _gnutls_x509_write_rsa_params(res->cert_list[res->ncerts - 1][0]. + params, + res->cert_list[res->ncerts - + 1][0].params_size, + &cid); + } else if (pk == GNUTLS_PK_DSA) { + + _gnutls_x509_write_dsa_params(res->pkey[res->ncerts - 1].params, + res->pkey[res->ncerts - + 1].params_size, &kid); + + _gnutls_x509_write_dsa_params(res->cert_list[res->ncerts - 1][0]. + params, + res->cert_list[res->ncerts - + 1][0].params_size, + &cid); + } + + if (cid.size != kid.size) { + gnutls_assert(); + _gnutls_free_datum(&kid); + _gnutls_free_datum(&cid); + return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; + } + + if (memcmp(kid.data, cid.data, kid.size) != 0) { + gnutls_assert(); + _gnutls_free_datum(&kid); + _gnutls_free_datum(&cid); + return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; + } + + _gnutls_free_datum(&kid); + _gnutls_free_datum(&cid); + return 0; } /* Reads a DER encoded certificate list from memory and stores it to * a gnutls_cert structure. This is only called if PKCS7 read fails. * returns the number of certificates parsed (1) */ -static int parse_crt_mem( gnutls_cert** cert_list, uint* ncerts, - gnutls_x509_crt cert) +static int parse_crt_mem(gnutls_cert ** cert_list, uint * ncerts, + gnutls_x509_crt cert) { - int i; - int ret; + int i; + int ret; - i = *ncerts + 1; + i = *ncerts + 1; - *cert_list = - (gnutls_cert *) gnutls_realloc_fast( *cert_list, - i * - sizeof(gnutls_cert)); + *cert_list = + (gnutls_cert *) gnutls_realloc_fast(*cert_list, + i * sizeof(gnutls_cert)); - if ( *cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (*cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - ret = _gnutls_x509_crt_to_gcert( - &cert_list[0][i-1], cert, 0); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - - *ncerts = i; + ret = _gnutls_x509_crt_to_gcert(&cert_list[0][i - 1], cert, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 1; /* one certificate parsed */ + *ncerts = i; + + return 1; /* one certificate parsed */ } /* Reads a DER encoded certificate list from memory and stores it to * a gnutls_cert structure. This is only called if PKCS7 read fails. * returns the number of certificates parsed (1) */ -static int parse_der_cert_mem( gnutls_cert** cert_list, uint* ncerts, - const void *input_cert, int input_cert_size) +static int parse_der_cert_mem(gnutls_cert ** cert_list, uint * ncerts, + const void *input_cert, int input_cert_size) { - gnutls_datum tmp; - gnutls_x509_crt cert; - int ret; - - ret = gnutls_x509_crt_init( &cert); - if ( ret < 0) { - gnutls_assert(); - return ret; - } + gnutls_datum tmp; + gnutls_x509_crt cert; + int ret; - tmp.data = (opaque*)input_cert; - tmp.size = input_cert_size; + ret = gnutls_x509_crt_init(&cert); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_x509_crt_import( cert, &tmp, GNUTLS_X509_FMT_DER); - if ( ret < 0) { - gnutls_assert(); - gnutls_x509_crt_deinit( cert); - return ret; - } + tmp.data = (opaque *) input_cert; + tmp.size = input_cert_size; - ret = parse_crt_mem( cert_list, ncerts, cert); - gnutls_x509_crt_deinit( cert); - + ret = gnutls_x509_crt_import(cert, &tmp, GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_crt_deinit(cert); return ret; + } + + ret = parse_crt_mem(cert_list, ncerts, cert); + gnutls_x509_crt_deinit(cert); + + return ret; } #define CERT_PEM 1 @@ -273,350 +279,369 @@ static int parse_der_cert_mem( gnutls_cert** cert_list, uint* ncerts, * a gnutls_cert structure. * returns the number of certificate parsed */ -static int parse_pkcs7_cert_mem( gnutls_cert** cert_list, uint* ncerts, const - void *input_cert, int input_cert_size, int flags) +static int parse_pkcs7_cert_mem(gnutls_cert ** cert_list, uint * ncerts, const + void *input_cert, int input_cert_size, + int flags) { #ifdef ENABLE_PKI - int i, j, count; - gnutls_datum tmp, tmp2; - int ret; - opaque *pcert = NULL; - size_t pcert_size; - gnutls_pkcs7 pkcs7; - - ret = gnutls_pkcs7_init( &pkcs7); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - if (flags & CERT_PEM) - ret = gnutls_pkcs7_import( pkcs7, &tmp, GNUTLS_X509_FMT_PEM); - else - ret = gnutls_pkcs7_import( pkcs7, &tmp, GNUTLS_X509_FMT_DER); - if (ret < 0) { - /* if we failed to read the structure, - * then just try to decode a plain DER - * certificate. - */ - gnutls_assert(); - gnutls_pkcs7_deinit(pkcs7); + int i, j, count; + gnutls_datum tmp, tmp2; + int ret; + opaque *pcert = NULL; + size_t pcert_size; + gnutls_pkcs7 pkcs7; + + ret = gnutls_pkcs7_init(&pkcs7); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + if (flags & CERT_PEM) + ret = gnutls_pkcs7_import(pkcs7, &tmp, GNUTLS_X509_FMT_PEM); + else + ret = gnutls_pkcs7_import(pkcs7, &tmp, GNUTLS_X509_FMT_DER); + if (ret < 0) { + /* if we failed to read the structure, + * then just try to decode a plain DER + * certificate. + */ + gnutls_assert(); + gnutls_pkcs7_deinit(pkcs7); #endif - return parse_der_cert_mem( cert_list, ncerts, - input_cert, input_cert_size); + return parse_der_cert_mem(cert_list, ncerts, + input_cert, input_cert_size); #ifdef ENABLE_PKI + } + + i = *ncerts + 1; + + /* tmp now contains the decoded certificate list */ + tmp.data = (opaque *) input_cert; + tmp.size = input_cert_size; + + ret = gnutls_pkcs7_get_crt_count(pkcs7); + + if (ret < 0) { + gnutls_assert(); + gnutls_pkcs7_deinit(pkcs7); + return ret; + } + count = ret; + + j = count - 1; + do { + pcert_size = 0; + ret = gnutls_pkcs7_get_crt_raw(pkcs7, j, NULL, &pcert_size); + if (ret != GNUTLS_E_MEMORY_ERROR) { + count--; + continue; + } + + pcert = gnutls_malloc(pcert_size); + if (ret == GNUTLS_E_MEMORY_ERROR) { + gnutls_assert(); + count--; + continue; } - i = *ncerts + 1; + /* read the certificate + */ + ret = gnutls_pkcs7_get_crt_raw(pkcs7, j, pcert, &pcert_size); - /* tmp now contains the decoded certificate list */ - tmp.data = (opaque*)input_cert; - tmp.size = input_cert_size; + j--; - ret = gnutls_pkcs7_get_crt_count( pkcs7); + if (ret >= 0) { + *cert_list = + (gnutls_cert *) gnutls_realloc_fast(*cert_list, + i * + sizeof(gnutls_cert)); - if (ret < 0) { + if (*cert_list == NULL) { + gnutls_assert(); + gnutls_free(pcert); + return GNUTLS_E_MEMORY_ERROR; + } + + tmp2.data = pcert; + tmp2.size = pcert_size; + + ret = + _gnutls_x509_raw_cert_to_gcert(&cert_list[0][i - 1], &tmp2, + 0); + + if (ret < 0) { gnutls_assert(); gnutls_pkcs7_deinit(pkcs7); + gnutls_free(pcert); return ret; + } + + i++; } - count = ret; - - j = count - 1; - do { - pcert_size = 0; - ret = gnutls_pkcs7_get_crt_raw( pkcs7, j, NULL, &pcert_size); - if (ret!=GNUTLS_E_MEMORY_ERROR) { - count--; - continue; - } - - pcert = gnutls_malloc( pcert_size); - if (ret==GNUTLS_E_MEMORY_ERROR) { - gnutls_assert(); - count--; - continue; - } - /* read the certificate - */ - ret = gnutls_pkcs7_get_crt_raw( pkcs7, j, pcert, &pcert_size); - - j--; - - if (ret >= 0) { - *cert_list = - (gnutls_cert *) gnutls_realloc_fast( *cert_list, - i * sizeof(gnutls_cert)); - - if ( *cert_list == NULL) { - gnutls_assert(); - gnutls_free( pcert); - return GNUTLS_E_MEMORY_ERROR; - } - - tmp2.data = pcert; - tmp2.size = pcert_size; - - ret = _gnutls_x509_raw_cert_to_gcert( - &cert_list[0][i - 1], &tmp2, 0); - - if ( ret < 0) { - gnutls_assert(); - gnutls_pkcs7_deinit(pkcs7); - gnutls_free( pcert); - return ret; - } - - i++; - } - - gnutls_free( pcert); + gnutls_free(pcert); - } while (ret >= 0 && j >= 0); + } while (ret >= 0 && j >= 0); - *ncerts = i - 1; + *ncerts = i - 1; - gnutls_pkcs7_deinit(pkcs7); - return count; + gnutls_pkcs7_deinit(pkcs7); + return count; #endif } /* Reads a base64 encoded certificate list from memory and stores it to * a gnutls_cert structure. Returns the number of certificate parsed. */ -static int parse_pem_cert_mem( gnutls_cert** cert_list, uint* ncerts, - const char *input_cert, int input_cert_size) +static int parse_pem_cert_mem(gnutls_cert ** cert_list, uint * ncerts, + const char *input_cert, int input_cert_size) { - int size, siz2, i; - const char *ptr; - opaque *ptr2; - gnutls_datum tmp; - int ret, count; + int size, siz2, i; + const char *ptr; + opaque *ptr2; + gnutls_datum tmp; + int ret, count; #ifdef ENABLE_PKI - if ( (ptr = strnstr( input_cert, PEM_PKCS7_SEP, input_cert_size)) != NULL) - { - size = strlen( ptr); + if ((ptr = + strnstr(input_cert, PEM_PKCS7_SEP, input_cert_size)) != NULL) { + size = strlen(ptr); - ret = parse_pkcs7_cert_mem( cert_list, ncerts, ptr, - size, CERT_PEM); + ret = parse_pkcs7_cert_mem(cert_list, ncerts, ptr, size, CERT_PEM); - return ret; - } + return ret; + } #endif - /* move to the certificate - */ - ptr = strnstr( input_cert, PEM_CERT_SEP, input_cert_size); - if (ptr == NULL) ptr = strnstr( input_cert, PEM_CERT_SEP2, input_cert_size); + /* move to the certificate + */ + ptr = strnstr(input_cert, PEM_CERT_SEP, input_cert_size); + if (ptr == NULL) + ptr = strnstr(input_cert, PEM_CERT_SEP2, input_cert_size); - if (ptr == NULL) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; + if (ptr == NULL) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + size = input_cert_size - (ptr - input_cert); + + i = *ncerts + 1; + count = 0; + + do { + + siz2 = _gnutls_fbase64_decode(NULL, ptr, size, &ptr2); + + if (siz2 < 0) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; } - size = input_cert_size - (ptr - input_cert); - i = *ncerts + 1; - count = 0; + *cert_list = + (gnutls_cert *) gnutls_realloc_fast(*cert_list, + i * sizeof(gnutls_cert)); - do { + if (*cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - siz2 = _gnutls_fbase64_decode(NULL, ptr, size, &ptr2); + tmp.data = ptr2; + tmp.size = siz2; - if (siz2 < 0) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } + ret = + _gnutls_x509_raw_cert_to_gcert(&cert_list[0][i - 1], &tmp, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - *cert_list = - (gnutls_cert *) gnutls_realloc_fast( *cert_list, - i * - sizeof(gnutls_cert)); + /* now we move ptr after the pem header + */ + ptr++; + /* find the next certificate (if any) + */ + size = input_cert_size - (ptr - input_cert); - if ( *cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (size > 0) { + char *ptr2; - tmp.data = ptr2; - tmp.size = siz2; + ptr2 = strnstr(ptr, PEM_CERT_SEP, size); + if (ptr2 == NULL) + ptr2 = strnstr(ptr, PEM_CERT_SEP2, size); - ret = _gnutls_x509_raw_cert_to_gcert( - &cert_list[0][i - 1], &tmp, 0); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - - /* now we move ptr after the pem header - */ - ptr++; - /* find the next certificate (if any) - */ - size = input_cert_size - (ptr - input_cert); - - if (size > 0) { - char* ptr2; - - ptr2 = strnstr(ptr, PEM_CERT_SEP, size); - if (ptr2 == NULL) ptr2 = strnstr( ptr, PEM_CERT_SEP2, size); - - ptr = ptr2; - } else ptr = NULL; + ptr = ptr2; + } else + ptr = NULL; - i++; - count++; + i++; + count++; - } while ( ptr != NULL); + } while (ptr != NULL); - *ncerts = i - 1; + *ncerts = i - 1; - return count; + return count; } /* Reads a DER or PEM certificate from memory */ -static -int read_cert_mem(gnutls_certificate_credentials res, const void *cert, int cert_size, - gnutls_x509_crt_fmt type) +static +int read_cert_mem(gnutls_certificate_credentials res, const void *cert, + int cert_size, gnutls_x509_crt_fmt type) { - int ret; - - /* allocate space for the certificate to add - */ - res->cert_list = gnutls_realloc_fast( res->cert_list, - (1+ res->ncerts)*sizeof(gnutls_cert*)); - if ( res->cert_list==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - res->cert_list_length = gnutls_realloc_fast( res->cert_list_length, - (1+ res->ncerts)*sizeof(int)); - if (res->cert_list_length==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - res->cert_list[res->ncerts] = NULL; /* for realloc */ - res->cert_list_length[res->ncerts] = 0; - - if (type==GNUTLS_X509_FMT_DER) - ret = parse_pkcs7_cert_mem( &res->cert_list[res->ncerts], - &res->cert_list_length[res->ncerts], cert, cert_size, 0); - else - ret = parse_pem_cert_mem( &res->cert_list[res->ncerts], &res->cert_list_length[res->ncerts], - cert, cert_size); - - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret; + + /* allocate space for the certificate to add + */ + res->cert_list = gnutls_realloc_fast(res->cert_list, + (1 + + res->ncerts) * + sizeof(gnutls_cert *)); + if (res->cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + res->cert_list_length = gnutls_realloc_fast(res->cert_list_length, + (1 + + res->ncerts) * + sizeof(int)); + if (res->cert_list_length == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + res->cert_list[res->ncerts] = NULL; /* for realloc */ + res->cert_list_length[res->ncerts] = 0; + + if (type == GNUTLS_X509_FMT_DER) + ret = parse_pkcs7_cert_mem(&res->cert_list[res->ncerts], + &res->cert_list_length[res->ncerts], + cert, cert_size, 0); + else + ret = + parse_pem_cert_mem(&res->cert_list[res->ncerts], + &res->cert_list_length[res->ncerts], cert, + cert_size); + if (ret < 0) { + gnutls_assert(); return ret; + } + + return ret; } -int _gnutls_x509_privkey_to_gkey( gnutls_privkey* dest, gnutls_x509_privkey src) +int _gnutls_x509_privkey_to_gkey(gnutls_privkey * dest, + gnutls_x509_privkey src) { -int i, ret; + int i, ret; - memset( dest, 0, sizeof(gnutls_privkey)); + memset(dest, 0, sizeof(gnutls_privkey)); - for(i=0;i<src->params_size;i++) { - dest->params[i] = _gnutls_mpi_copy( src->params[i]); - if (dest->params[i] == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } + for (i = 0; i < src->params_size; i++) { + dest->params[i] = _gnutls_mpi_copy(src->params[i]); + if (dest->params[i] == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; } + } - dest->pk_algorithm = src->pk_algorithm; - dest->params_size = src->params_size; + dest->pk_algorithm = src->pk_algorithm; + dest->params_size = src->params_size; - return 0; + return 0; - cleanup: - - for (i=0;i<src->params_size;i++) { - _gnutls_mpi_release( &dest->params[i]); - } - return ret; + cleanup: + + for (i = 0; i < src->params_size; i++) { + _gnutls_mpi_release(&dest->params[i]); + } + return ret; } -void _gnutls_gkey_deinit(gnutls_privkey *key) +void _gnutls_gkey_deinit(gnutls_privkey * key) { -int i; - if (key == NULL) return; + int i; + if (key == NULL) + return; - for (i = 0; i < key->params_size; i++) { - _gnutls_mpi_release( &key->params[i]); - } + for (i = 0; i < key->params_size; i++) { + _gnutls_mpi_release(&key->params[i]); + } } -int _gnutls_x509_raw_privkey_to_gkey( gnutls_privkey* privkey, const gnutls_datum* raw_key, - gnutls_x509_crt_fmt type) +int _gnutls_x509_raw_privkey_to_gkey(gnutls_privkey * privkey, + const gnutls_datum * raw_key, + gnutls_x509_crt_fmt type) { -gnutls_x509_privkey tmpkey; -int ret; + gnutls_x509_privkey tmpkey; + int ret; - ret = gnutls_x509_privkey_init( &tmpkey); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_x509_privkey_init(&tmpkey); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_x509_privkey_import( tmpkey, raw_key, type); - if (ret < 0) { - gnutls_assert(); - gnutls_x509_privkey_deinit( tmpkey); - return ret; - } + ret = gnutls_x509_privkey_import(tmpkey, raw_key, type); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_privkey_deinit(tmpkey); + return ret; + } - ret = _gnutls_x509_privkey_to_gkey( privkey, tmpkey); - if (ret < 0) { - gnutls_assert(); - gnutls_x509_privkey_deinit( tmpkey); - return ret; - } + ret = _gnutls_x509_privkey_to_gkey(privkey, tmpkey); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_privkey_deinit(tmpkey); + return ret; + } + + gnutls_x509_privkey_deinit(tmpkey); - gnutls_x509_privkey_deinit( tmpkey); - - return 0; + return 0; } /* Reads a PEM encoded PKCS-1 RSA private key from memory * 2002-01-26: Added ability to read DSA keys. * type indicates the certificate format. */ -static int read_key_mem(gnutls_certificate_credentials res, const void *key, int key_size, - gnutls_x509_crt_fmt type) +static int read_key_mem(gnutls_certificate_credentials res, + const void *key, int key_size, + gnutls_x509_crt_fmt type) { - int ret; - gnutls_datum tmp; - - /* allocate space for the pkey list - */ - res->pkey = gnutls_realloc_fast( res->pkey, (res->ncerts+1)*sizeof(gnutls_privkey)); - if (res->pkey==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - tmp.data = (opaque*)key; - tmp.size = key_size; - - ret = _gnutls_x509_raw_privkey_to_gkey( &res->pkey[res->ncerts], &tmp, type); - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret; + gnutls_datum tmp; + + /* allocate space for the pkey list + */ + res->pkey = + gnutls_realloc_fast(res->pkey, + (res->ncerts + 1) * sizeof(gnutls_privkey)); + if (res->pkey == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + tmp.data = (opaque *) key; + tmp.size = key_size; + + ret = + _gnutls_x509_raw_privkey_to_gkey(&res->pkey[res->ncerts], &tmp, + type); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /* Opens a file reads its contents and stores it @@ -634,113 +659,115 @@ static int read_key_mem(gnutls_certificate_credentials res, const void *key, int #include <strfile.h> -void _gnutls_strfile_free( strfile *x) +void _gnutls_strfile_free(strfile * x) { #ifdef HAVE_MMAP - if (x->mmaped) { - munmap( x->data, x->size); - return; - } + if (x->mmaped) { + munmap(x->data, x->size); + return; + } #endif - gnutls_free( x->data); - x->data = NULL; + gnutls_free(x->data); + x->data = NULL; } -strfile _gnutls_file_to_str( const char * file) +strfile _gnutls_file_to_str(const char *file) { - int fd1 = -1; - struct stat stat_st; - size_t tot_size; - size_t left; - opaque* tmp; - ssize_t i = 0; - strfile null = { NULL, 0, 0 }; - strfile ret = { NULL, 0, 0 }; - - fd1 = open( file, 0); - if (fd1==-1) { - gnutls_assert(); - return null; - } - - if (fstat( fd1, &stat_st) == -1) { - gnutls_assert(); - goto error; - } - - tot_size = stat_st.st_size; - if (tot_size == 0) { - gnutls_assert(); - goto error; - } - + int fd1 = -1; + struct stat stat_st; + size_t tot_size; + size_t left; + opaque *tmp; + ssize_t i = 0; + strfile null = { NULL, 0, 0 }; + strfile ret = { NULL, 0, 0 }; + + fd1 = open(file, 0); + if (fd1 == -1) { + gnutls_assert(); + return null; + } + + if (fstat(fd1, &stat_st) == -1) { + gnutls_assert(); + goto error; + } + + tot_size = stat_st.st_size; + if (tot_size == 0) { + gnutls_assert(); + goto error; + } #ifdef HAVE_MMAP - if ((tmp=mmap( NULL, tot_size, PROT_READ, MAP_SHARED, fd1, 0)) != MAP_FAILED) { - ret.mmaped = 1; - ret.data = tmp; - ret.size = tot_size; - - close(fd1); - return ret; - } + if ((tmp = + mmap(NULL, tot_size, PROT_READ, MAP_SHARED, fd1, + 0)) != MAP_FAILED) { + ret.mmaped = 1; + ret.data = tmp; + ret.size = tot_size; + + close(fd1); + return ret; + } #endif - ret.data = gnutls_malloc( tot_size); - if (ret.data == NULL) { + ret.data = gnutls_malloc(tot_size); + if (ret.data == NULL) { + gnutls_assert(); + goto error; + } + + left = tot_size; + while (left > 0) { + i = read(fd1, &ret.data[tot_size - left], left); + if (i == -1) { + if (errno == EAGAIN || errno == EINTR) + continue; + else { gnutls_assert(); goto error; - } - - left = tot_size; - while (left > 0) { - i = read( fd1, &ret.data[tot_size - left], left); - if (i == -1) { - if (errno == EAGAIN || errno == EINTR) - continue; - else { - gnutls_assert(); - goto error; - } - } else if (i==0) break; - - left -= i; - } + } + } else if (i == 0) + break; - ret.size = tot_size - left; + left -= i; + } - ret.mmaped = 0; + ret.size = tot_size - left; - close(fd1); + ret.mmaped = 0; - return ret; - - error: - - if (!ret.mmaped) - gnutls_free( ret.data); - close(fd1); - return null; + close(fd1); + + return ret; + + error: + + if (!ret.mmaped) + gnutls_free(ret.data); + close(fd1); + return null; } /* Reads a certificate file */ -static int read_cert_file(gnutls_certificate_credentials res, const char *certfile, - gnutls_x509_crt_fmt type) +static int read_cert_file(gnutls_certificate_credentials res, + const char *certfile, gnutls_x509_crt_fmt type) { - int ret; - strfile x; + int ret; + strfile x; - x = _gnutls_file_to_str( certfile); - if (x.data == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; - } + x = _gnutls_file_to_str(certfile); + if (x.data == NULL) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } - ret = read_cert_mem( res, x.data, x.size, type); - _gnutls_strfile_free(&x); - - return ret; + ret = read_cert_mem(res, x.data, x.size, type); + _gnutls_strfile_free(&x); + + return ret; } @@ -749,22 +776,22 @@ static int read_cert_file(gnutls_certificate_credentials res, const char *certfi /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl * stores it). */ -static int read_key_file(gnutls_certificate_credentials res, const char *keyfile, - gnutls_x509_crt_fmt type) +static int read_key_file(gnutls_certificate_credentials res, + const char *keyfile, gnutls_x509_crt_fmt type) { - int ret; - strfile x; + int ret; + strfile x; - x = _gnutls_file_to_str( keyfile); - if (x.data == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; - } + x = _gnutls_file_to_str(keyfile); + if (x.data == NULL) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } - ret = read_key_mem( res, x.data, x.size, type); - _gnutls_strfile_free(&x); - - return ret; + ret = read_key_mem(res, x.data, x.size, type); + _gnutls_strfile_free(&x); + + return ret; } /** @@ -793,27 +820,29 @@ static int read_key_file(gnutls_certificate_credentials res, const char *keyfile * then the strings that hold their values must be null terminated. * **/ -int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials res, const gnutls_datum* cert, - const gnutls_datum* key, gnutls_x509_crt_fmt type) +int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials res, + const gnutls_datum * cert, + const gnutls_datum * key, + gnutls_x509_crt_fmt type) { - int ret; + int ret; - /* this should be first - */ - if ((ret = read_key_mem( res, key->data, key->size, type)) < 0) - return ret; + /* this should be first + */ + if ((ret = read_key_mem(res, key->data, key->size, type)) < 0) + return ret; - if ((ret = read_cert_mem( res, cert->data, cert->size, type)) < 0) - return ret; + if ((ret = read_cert_mem(res, cert->data, cert->size, type)) < 0) + return ret; - res->ncerts++; + res->ncerts++; - if ((ret=_gnutls_check_key_cert_match( res)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_check_key_cert_match(res)) < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -829,61 +858,69 @@ int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials res, cons * server). * **/ -int gnutls_certificate_set_x509_key(gnutls_certificate_credentials res, - gnutls_x509_crt *cert_list, int cert_list_size, - gnutls_x509_privkey key) +int gnutls_certificate_set_x509_key(gnutls_certificate_credentials res, + gnutls_x509_crt * cert_list, + int cert_list_size, + gnutls_x509_privkey key) { - int ret, i; - - /* this should be first - */ - - res->pkey = gnutls_realloc_fast( res->pkey, (res->ncerts+1)*sizeof(gnutls_privkey)); - if (res->pkey==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = _gnutls_x509_privkey_to_gkey( &res->pkey[res->ncerts], key); + int ret, i; + + /* this should be first + */ + + res->pkey = + gnutls_realloc_fast(res->pkey, + (res->ncerts + 1) * sizeof(gnutls_privkey)); + if (res->pkey == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = _gnutls_x509_privkey_to_gkey(&res->pkey[res->ncerts], key); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + res->cert_list = gnutls_realloc_fast(res->cert_list, + (1 + + res->ncerts) * + sizeof(gnutls_cert *)); + if (res->cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + res->cert_list_length = gnutls_realloc_fast(res->cert_list_length, + (1 + + res->ncerts) * + sizeof(int)); + if (res->cert_list_length == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + res->cert_list[res->ncerts] = NULL; /* for realloc */ + res->cert_list_length[res->ncerts] = 0; + + + for (i = 0; i < cert_list_size; i++) { + ret = parse_crt_mem(&res->cert_list[res->ncerts], + &res->cert_list_length[res->ncerts], + cert_list[i]); if (ret < 0) { - gnutls_assert(); - return ret; - } - - res->cert_list = gnutls_realloc_fast( res->cert_list, - (1+ res->ncerts)*sizeof(gnutls_cert*)); - if ( res->cert_list==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - res->cert_list_length = gnutls_realloc_fast( res->cert_list_length, - (1+ res->ncerts)*sizeof(int)); - if (res->cert_list_length==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - res->cert_list[res->ncerts] = NULL; /* for realloc */ - res->cert_list_length[res->ncerts] = 0; - - - for (i=0;i<cert_list_size;i++) { - ret = parse_crt_mem( &res->cert_list[res->ncerts], - &res->cert_list_length[res->ncerts], cert_list[i]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } + gnutls_assert(); + return ret; } - res->ncerts++; + } + res->ncerts++; - if ((ret=_gnutls_check_key_cert_match( res)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_check_key_cert_match(res)) < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -903,87 +940,91 @@ int gnutls_certificate_set_x509_key(gnutls_certificate_credentials res, * this function. * **/ -int gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials res, const char *CERTFILE, - const char *KEYFILE, gnutls_x509_crt_fmt type) +int gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials + res, const char *CERTFILE, + const char *KEYFILE, + gnutls_x509_crt_fmt type) { - int ret; + int ret; - /* this should be first - */ - if ((ret = read_key_file(res, KEYFILE, type)) < 0) - return ret; + /* this should be first + */ + if ((ret = read_key_file(res, KEYFILE, type)) < 0) + return ret; - if ((ret = read_cert_file(res, CERTFILE, type)) < 0) - return ret; + if ((ret = read_cert_file(res, CERTFILE, type)) < 0) + return ret; - res->ncerts++; + res->ncerts++; - if ((ret=_gnutls_check_key_cert_match( res)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_check_key_cert_match(res)) < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } -static int generate_rdn_seq( gnutls_certificate_credentials res) +static int generate_rdn_seq(gnutls_certificate_credentials res) { -gnutls_datum tmp; -gnutls_datum _tmp; -int ret; -uint size, i; -opaque *pdata; - - /* Generate the RDN sequence - * This will be sent to clients when a certificate - * request message is sent. - */ - - /* FIXME: in case of a client it is not needed - * to do that. This would save time and memory. - * However we don't have that information available - * here. - */ - - size = 0; - for (i = 0; i < res->x509_ncas; i++) { - if ((ret = _gnutls_x509_crt_get_raw_issuer_dn( - res->x509_ca_list[i], &tmp)) < 0) { - gnutls_assert(); - return ret; - } - size += (2 + tmp.size); - } - - if (res->x509_rdn_sequence.data != NULL) - gnutls_free( res->x509_rdn_sequence.data); - - res->x509_rdn_sequence.data = gnutls_malloc(size); - if (res->x509_rdn_sequence.data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - res->x509_rdn_sequence.size = size; - - pdata = res->x509_rdn_sequence.data; - - for (i = 0; i < res->x509_ncas; i++) { - if ((ret = _gnutls_x509_crt_get_raw_issuer_dn( - res->x509_ca_list[i], &tmp)) < 0) { - gnutls_free(res->x509_rdn_sequence.data); - res->x509_rdn_sequence.size = 0; - res->x509_rdn_sequence.data = NULL; - gnutls_assert(); - return ret; - } - - _tmp.data = (opaque*) tmp.data; - _tmp.size = tmp.size; - _gnutls_write_datum16(pdata, _tmp); - pdata += (2 + tmp.size); - } - - return 0; + gnutls_datum tmp; + gnutls_datum _tmp; + int ret; + uint size, i; + opaque *pdata; + + /* Generate the RDN sequence + * This will be sent to clients when a certificate + * request message is sent. + */ + + /* FIXME: in case of a client it is not needed + * to do that. This would save time and memory. + * However we don't have that information available + * here. + */ + + size = 0; + for (i = 0; i < res->x509_ncas; i++) { + if ((ret = + _gnutls_x509_crt_get_raw_issuer_dn(res->x509_ca_list[i], + &tmp)) < 0) { + gnutls_assert(); + return ret; + } + size += (2 + tmp.size); + } + + if (res->x509_rdn_sequence.data != NULL) + gnutls_free(res->x509_rdn_sequence.data); + + res->x509_rdn_sequence.data = gnutls_malloc(size); + if (res->x509_rdn_sequence.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + res->x509_rdn_sequence.size = size; + + pdata = res->x509_rdn_sequence.data; + + for (i = 0; i < res->x509_ncas; i++) { + if ((ret = + _gnutls_x509_crt_get_raw_issuer_dn(res->x509_ca_list[i], + &tmp)) < 0) { + gnutls_free(res->x509_rdn_sequence.data); + res->x509_rdn_sequence.size = 0; + res->x509_rdn_sequence.data = NULL; + gnutls_assert(); + return ret; + } + + _tmp.data = (opaque *) tmp.data; + _tmp.size = tmp.size; + _gnutls_write_datum16(pdata, _tmp); + pdata += (2 + tmp.size); + } + + return 0; } @@ -992,180 +1033,179 @@ opaque *pdata; /* Returns 0 if it's ok to use the gnutls_kx_algorithm with this * certificate (uses the KeyUsage field). */ -int _gnutls_check_key_usage( const gnutls_cert* cert, - gnutls_kx_algorithm alg) +int _gnutls_check_key_usage(const gnutls_cert * cert, + gnutls_kx_algorithm alg) { - unsigned int keyUsage = 0; - int encipher_type; + unsigned int keyUsage = 0; + int encipher_type; - if ( cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - if (_gnutls_map_kx_get_cred(alg, 1) == GNUTLS_CRD_CERTIFICATE || - _gnutls_map_kx_get_cred(alg, 0) == GNUTLS_CRD_CERTIFICATE) - { - - keyUsage = cert->keyUsage; - - encipher_type = _gnutls_kx_encipher_type( alg); - - if (keyUsage != 0 && encipher_type != CIPHER_IGN) { - /* If keyUsage has been set in the certificate - */ - - if ( encipher_type == CIPHER_ENCRYPT) { - /* If the key exchange method requires an encipher - * type algorithm, and key's usage does not permit - * encipherment, then fail. - */ - if (!(keyUsage & KEY_KEY_ENCIPHERMENT)) { - gnutls_assert(); - return - GNUTLS_E_KEY_USAGE_VIOLATION; - } - } - - if ( encipher_type == CIPHER_SIGN) { - /* The same as above, but for sign only keys - */ - if (!(keyUsage & KEY_DIGITAL_SIGNATURE)) { - gnutls_assert(); - return - GNUTLS_E_KEY_USAGE_VIOLATION; - } - } + if (_gnutls_map_kx_get_cred(alg, 1) == GNUTLS_CRD_CERTIFICATE || + _gnutls_map_kx_get_cred(alg, 0) == GNUTLS_CRD_CERTIFICATE) { + + keyUsage = cert->keyUsage; + + encipher_type = _gnutls_kx_encipher_type(alg); + + if (keyUsage != 0 && encipher_type != CIPHER_IGN) { + /* If keyUsage has been set in the certificate + */ + + if (encipher_type == CIPHER_ENCRYPT) { + /* If the key exchange method requires an encipher + * type algorithm, and key's usage does not permit + * encipherment, then fail. + */ + if (!(keyUsage & KEY_KEY_ENCIPHERMENT)) { + gnutls_assert(); + return GNUTLS_E_KEY_USAGE_VIOLATION; } + } + + if (encipher_type == CIPHER_SIGN) { + /* The same as above, but for sign only keys + */ + if (!(keyUsage & KEY_DIGITAL_SIGNATURE)) { + gnutls_assert(); + return GNUTLS_E_KEY_USAGE_VIOLATION; + } + } } - return 0; + } + return 0; } -static int parse_pem_ca_mem( gnutls_x509_crt** cert_list, uint* ncerts, - const opaque *input_cert, int input_cert_size) +static int parse_pem_ca_mem(gnutls_x509_crt ** cert_list, uint * ncerts, + const opaque * input_cert, int input_cert_size) { - int i, size; - const opaque *ptr; - gnutls_datum tmp; - int ret, count; + int i, size; + const opaque *ptr; + gnutls_datum tmp; + int ret, count; - /* move to the certificate - */ - ptr = strnstr( input_cert, PEM_CERT_SEP, input_cert_size); - if (ptr == NULL) ptr = strnstr( input_cert, PEM_CERT_SEP2, input_cert_size); + /* move to the certificate + */ + ptr = strnstr(input_cert, PEM_CERT_SEP, input_cert_size); + if (ptr == NULL) + ptr = strnstr(input_cert, PEM_CERT_SEP2, input_cert_size); - if (ptr == NULL) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; + if (ptr == NULL) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + size = input_cert_size - (ptr - input_cert); + + i = *ncerts + 1; + count = 0; + + do { + + *cert_list = + (gnutls_x509_crt *) gnutls_realloc_fast(*cert_list, + i * + sizeof + (gnutls_x509_crt)); + + if (*cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = gnutls_x509_crt_init(&cert_list[0][i - 1]); + if (ret < 0) { + gnutls_assert(); + return ret; } - size = input_cert_size - (ptr - input_cert); - i = *ncerts + 1; - count = 0; + tmp.data = (opaque *) ptr; + tmp.size = size; - do { + ret = + gnutls_x509_crt_import(cert_list[0][i - 1], + &tmp, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + gnutls_assert(); + return ret; + } - *cert_list = - (gnutls_x509_crt *) gnutls_realloc_fast( *cert_list, - i * - sizeof(gnutls_x509_crt)); + /* now we move ptr after the pem header + */ + ptr++; + /* find the next certificate (if any) + */ - if ( *cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + size = input_cert_size - (ptr - input_cert); - ret = gnutls_x509_crt_init( &cert_list[0][i - 1]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - - tmp.data = (opaque*)ptr; - tmp.size = size; - - ret = - gnutls_x509_crt_import( - cert_list[0][i - 1], - &tmp, GNUTLS_X509_FMT_PEM); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (size > 0) { + char *ptr2; - /* now we move ptr after the pem header - */ - ptr++; - /* find the next certificate (if any) - */ + ptr2 = strnstr(ptr, PEM_CERT_SEP, size); + if (ptr2 == NULL) + ptr = strnstr(ptr, PEM_CERT_SEP2, size); - size = input_cert_size - (ptr - input_cert); - - if (size > 0) { - char* ptr2; - - ptr2 = strnstr(ptr, PEM_CERT_SEP, size); - if (ptr2 == NULL) ptr = strnstr( ptr, PEM_CERT_SEP2, size); - - ptr = ptr2; - } else ptr = NULL; + ptr = ptr2; + } else + ptr = NULL; - i++; - count++; + i++; + count++; - } while ( ptr != NULL); + } while (ptr != NULL); - *ncerts = i - 1; + *ncerts = i - 1; - return count; + return count; } /* Reads a DER encoded certificate list from memory and stores it to * a gnutls_cert structure. This is only called if PKCS7 read fails. * returns the number of certificates parsed (1) */ -static int parse_der_ca_mem( gnutls_x509_crt** cert_list, uint* ncerts, - const void *input_cert, int input_cert_size) +static int parse_der_ca_mem(gnutls_x509_crt ** cert_list, uint * ncerts, + const void *input_cert, int input_cert_size) { - int i; - gnutls_datum tmp; - int ret; + int i; + gnutls_datum tmp; + int ret; - i = *ncerts + 1; + i = *ncerts + 1; - *cert_list = - (gnutls_x509_crt *) gnutls_realloc_fast( *cert_list, - i * - sizeof(gnutls_x509_crt)); + *cert_list = + (gnutls_x509_crt *) gnutls_realloc_fast(*cert_list, + i * + sizeof(gnutls_x509_crt)); - if ( *cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (*cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - tmp.data = (opaque*)input_cert; - tmp.size = input_cert_size; + tmp.data = (opaque *) input_cert; + tmp.size = input_cert_size; - ret = gnutls_x509_crt_init( &cert_list[0][i - 1]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - - ret = - gnutls_x509_crt_import( - cert_list[0][i - 1], - &tmp, GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - *ncerts = i; + ret = gnutls_x509_crt_init(&cert_list[0][i - 1]); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 1; /* one certificate parsed */ + ret = + gnutls_x509_crt_import(cert_list[0][i - 1], + &tmp, GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + *ncerts = i; + + return 1; /* one certificate parsed */ } /** @@ -1188,22 +1228,23 @@ static int parse_der_ca_mem( gnutls_x509_crt** cert_list, uint* ncerts, * value on error. * **/ -int gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials res, - const gnutls_datum *ca, gnutls_x509_crt_fmt type) +int gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials + res, const gnutls_datum * ca, + gnutls_x509_crt_fmt type) { - int ret, ret2; + int ret, ret2; - if (type==GNUTLS_X509_FMT_DER) - return parse_der_ca_mem( &res->x509_ca_list, &res->x509_ncas, - ca->data, ca->size); - else - return parse_pem_ca_mem( &res->x509_ca_list, &res->x509_ncas, - ca->data, ca->size); + if (type == GNUTLS_X509_FMT_DER) + return parse_der_ca_mem(&res->x509_ca_list, &res->x509_ncas, + ca->data, ca->size); + else + return parse_pem_ca_mem(&res->x509_ca_list, &res->x509_ncas, + ca->data, ca->size); - if ((ret2 = generate_rdn_seq(res)) < 0) - return ret2; + if ((ret2 = generate_rdn_seq(res)) < 0) + return ret2; - return ret; + return ret; } /** @@ -1225,32 +1266,35 @@ int gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials res, * Returns 0 on success. * **/ -int gnutls_certificate_set_x509_trust(gnutls_certificate_credentials res, - gnutls_x509_crt * ca_list, int ca_list_size) +int gnutls_certificate_set_x509_trust(gnutls_certificate_credentials res, + gnutls_x509_crt * ca_list, + int ca_list_size) { - int ret, i, ret2; - - res->x509_ca_list = gnutls_realloc_fast( res->x509_ca_list, - (ca_list_size + res->x509_ncas)*sizeof(gnutls_x509_crt)); - if ( res->x509_ca_list==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - for (i=0;i<ca_list_size;i++) { - ret = _gnutls_x509_crt_cpy( res->x509_ca_list[i+res->x509_ncas], - ca_list[i]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - res->x509_ncas++; + int ret, i, ret2; + + res->x509_ca_list = gnutls_realloc_fast(res->x509_ca_list, + (ca_list_size + + res->x509_ncas) * + sizeof(gnutls_x509_crt)); + if (res->x509_ca_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + for (i = 0; i < ca_list_size; i++) { + ret = _gnutls_x509_crt_cpy(res->x509_ca_list[i + res->x509_ncas], + ca_list[i]); + if (ret < 0) { + gnutls_assert(); + return ret; } + res->x509_ncas++; + } - if ((ret2 = generate_rdn_seq(res)) < 0) - return ret2; + if ((ret2 = generate_rdn_seq(res)) < 0) + return ret2; - return 0; + return 0; } /** @@ -1273,189 +1317,192 @@ int gnutls_certificate_set_x509_trust(gnutls_certificate_credentials res, * value on error. * **/ -int gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials res, - const char *cafile, gnutls_x509_crt_fmt type) +int gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials + res, const char *cafile, + gnutls_x509_crt_fmt type) { - int ret, ret2; - strfile x; - - x = _gnutls_file_to_str( cafile); - if (x.data == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; - } - - if (type==GNUTLS_X509_FMT_DER) - ret = parse_der_ca_mem( &res->x509_ca_list, &res->x509_ncas, - x.data, x.size); - else - ret = parse_pem_ca_mem( &res->x509_ca_list, &res->x509_ncas, - x.data, x.size); - - _gnutls_strfile_free(&x); - - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret, ret2; + strfile x; + + x = _gnutls_file_to_str(cafile); + if (x.data == NULL) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } + + if (type == GNUTLS_X509_FMT_DER) + ret = parse_der_ca_mem(&res->x509_ca_list, &res->x509_ncas, + x.data, x.size); + else + ret = parse_pem_ca_mem(&res->x509_ca_list, &res->x509_ncas, + x.data, x.size); + + _gnutls_strfile_free(&x); + + if (ret < 0) { + gnutls_assert(); + return ret; + } - if ((ret2 = generate_rdn_seq(res)) < 0) - return ret2; + if ((ret2 = generate_rdn_seq(res)) < 0) + return ret2; - return ret; + return ret; } #ifdef ENABLE_PKI -static int parse_pem_crl_mem( gnutls_x509_crl** crl_list, uint* ncrls, - const opaque *input_crl, int input_crl_size) +static int parse_pem_crl_mem(gnutls_x509_crl ** crl_list, uint * ncrls, + const opaque * input_crl, int input_crl_size) { - int size, i; - const opaque *ptr; - gnutls_datum tmp; - int ret, count; + int size, i; + const opaque *ptr; + gnutls_datum tmp; + int ret, count; - /* move to the certificate - */ - ptr = strnstr( input_crl, PEM_CRL_SEP, input_crl_size); - if (ptr == NULL) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } + /* move to the certificate + */ + ptr = strnstr(input_crl, PEM_CRL_SEP, input_crl_size); + if (ptr == NULL) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } - size = input_crl_size - (ptr - input_crl); + size = input_crl_size - (ptr - input_crl); - i = *ncrls + 1; - count = 0; + i = *ncrls + 1; + count = 0; - do { + do { - *crl_list = - (gnutls_x509_crl *) gnutls_realloc_fast( *crl_list, - i * - sizeof(gnutls_x509_crl)); + *crl_list = + (gnutls_x509_crl *) gnutls_realloc_fast(*crl_list, + i * + sizeof + (gnutls_x509_crl)); - if ( *crl_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (*crl_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - ret = gnutls_x509_crl_init( &crl_list[0][i - 1]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - - tmp.data = (char*)ptr; - tmp.size = size; - - ret = - gnutls_x509_crl_import( - crl_list[0][i - 1], - &tmp, GNUTLS_X509_FMT_PEM); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_x509_crl_init(&crl_list[0][i - 1]); + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* now we move ptr after the pem header - */ - ptr++; - /* find the next certificate (if any) - */ + tmp.data = (char *) ptr; + tmp.size = size; - size = input_crl_size - (ptr - input_crl); + ret = + gnutls_x509_crl_import(crl_list[0][i - 1], + &tmp, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* now we move ptr after the pem header + */ + ptr++; + /* find the next certificate (if any) + */ + + size = input_crl_size - (ptr - input_crl); - if (size > 0) - ptr = strnstr(ptr, PEM_CRL_SEP, size); - else ptr = NULL; - i++; - count++; + if (size > 0) + ptr = strnstr(ptr, PEM_CRL_SEP, size); + else + ptr = NULL; + i++; + count++; - } while ( ptr != NULL); + } while (ptr != NULL); - *ncrls = i - 1; + *ncrls = i - 1; - return count; + return count; } /* Reads a DER encoded certificate list from memory and stores it to * a gnutls_cert structure. This is only called if PKCS7 read fails. * returns the number of certificates parsed (1) */ -static int parse_der_crl_mem( gnutls_x509_crl** crl_list, uint* ncrls, - const void *input_crl, int input_crl_size) +static int parse_der_crl_mem(gnutls_x509_crl ** crl_list, uint * ncrls, + const void *input_crl, int input_crl_size) { - int i; - gnutls_datum tmp; - int ret; + int i; + gnutls_datum tmp; + int ret; - i = *ncrls + 1; + i = *ncrls + 1; - *crl_list = - (gnutls_x509_crl *) gnutls_realloc_fast( *crl_list, - i * - sizeof(gnutls_x509_crl)); + *crl_list = + (gnutls_x509_crl *) gnutls_realloc_fast(*crl_list, + i * + sizeof(gnutls_x509_crl)); - if ( *crl_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (*crl_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - tmp.data = (opaque*)input_crl; - tmp.size = input_crl_size; + tmp.data = (opaque *) input_crl; + tmp.size = input_crl_size; - ret = gnutls_x509_crl_init( &crl_list[0][i - 1]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - - ret = - gnutls_x509_crl_import( - crl_list[0][i - 1], - &tmp, GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - *ncrls = i; + ret = gnutls_x509_crl_init(&crl_list[0][i - 1]); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + gnutls_x509_crl_import(crl_list[0][i - 1], + &tmp, GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + *ncrls = i; - return 1; /* one certificate parsed */ + return 1; /* one certificate parsed */ } /* Reads a DER or PEM CRL from memory */ -static -int read_crl_mem(gnutls_certificate_credentials res, const void *crl, int crl_size, - gnutls_x509_crt_fmt type) +static +int read_crl_mem(gnutls_certificate_credentials res, const void *crl, + int crl_size, gnutls_x509_crt_fmt type) { - int ret; - - /* allocate space for the certificate to add - */ - res->x509_crl_list = gnutls_realloc_fast( res->x509_crl_list, - (1+ res->x509_ncrls)*sizeof(gnutls_x509_crl)); - if ( res->x509_crl_list==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - if (type==GNUTLS_X509_FMT_DER) - ret = parse_der_crl_mem( &res->x509_crl_list, - &res->x509_ncrls, crl, crl_size); - else - ret = parse_pem_crl_mem( &res->x509_crl_list, - &res->x509_ncrls, crl, crl_size); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - + int ret; + + /* allocate space for the certificate to add + */ + res->x509_crl_list = gnutls_realloc_fast(res->x509_crl_list, + (1 + + res->x509_ncrls) * + sizeof(gnutls_x509_crl)); + if (res->x509_crl_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + if (type == GNUTLS_X509_FMT_DER) + ret = parse_der_crl_mem(&res->x509_crl_list, + &res->x509_ncrls, crl, crl_size); + else + ret = parse_pem_crl_mem(&res->x509_crl_list, + &res->x509_ncrls, crl, crl_size); + + if (ret < 0) { + gnutls_assert(); return ret; + } + + return ret; } /** @@ -1474,15 +1521,16 @@ int read_crl_mem(gnutls_certificate_credentials res, const void *crl, int crl_si * on error. * **/ -int gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials res, - const gnutls_datum *CRL, gnutls_x509_crt_fmt type) +int gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials res, + const gnutls_datum * CRL, + gnutls_x509_crt_fmt type) { - int ret; - - if ((ret = read_crl_mem(res, CRL->data, CRL->size, type)) < 0) - return ret; + int ret; + if ((ret = read_crl_mem(res, CRL->data, CRL->size, type)) < 0) return ret; + + return ret; } /** @@ -1500,29 +1548,32 @@ int gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials res, * Returns 0 on success. * **/ -int gnutls_certificate_set_x509_crl(gnutls_certificate_credentials res, - gnutls_x509_crl* crl_list, int crl_list_size) +int gnutls_certificate_set_x509_crl(gnutls_certificate_credentials res, + gnutls_x509_crl * crl_list, + int crl_list_size) { - int ret, i; - - res->x509_crl_list = gnutls_realloc_fast( res->x509_crl_list, - (crl_list_size + res->x509_ncrls)*sizeof(gnutls_x509_crl)); - if ( res->x509_crl_list==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - for (i=0;i<crl_list_size;i++) { - ret = _gnutls_x509_crl_cpy( res->x509_crl_list[i+res->x509_ncrls], - crl_list[i]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - res->x509_ncrls++; + int ret, i; + + res->x509_crl_list = gnutls_realloc_fast(res->x509_crl_list, + (crl_list_size + + res->x509_ncrls) * + sizeof(gnutls_x509_crl)); + if (res->x509_crl_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + for (i = 0; i < crl_list_size; i++) { + ret = _gnutls_x509_crl_cpy(res->x509_crl_list[i + res->x509_ncrls], + crl_list[i]); + if (ret < 0) { + gnutls_assert(); + return ret; } + res->x509_ncrls++; + } - return 0; + return 0; } /** @@ -1541,33 +1592,34 @@ int gnutls_certificate_set_x509_crl(gnutls_certificate_credentials res, * on error. * **/ -int gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials res, - const char *crlfile, gnutls_x509_crt_fmt type) +int gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials + res, const char *crlfile, + gnutls_x509_crt_fmt type) { - int ret; - strfile x; - - x = _gnutls_file_to_str( crlfile); - if (x.data == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; - } - - if (type==GNUTLS_X509_FMT_DER) - ret = parse_der_crl_mem( &res->x509_crl_list, &res->x509_ncrls, - x.data, x.size); - else - ret = parse_pem_crl_mem( &res->x509_crl_list, &res->x509_ncrls, - x.data, x.size); - - _gnutls_strfile_free(&x); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - + int ret; + strfile x; + + x = _gnutls_file_to_str(crlfile); + if (x.data == NULL) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } + + if (type == GNUTLS_X509_FMT_DER) + ret = parse_der_crl_mem(&res->x509_crl_list, &res->x509_ncrls, + x.data, x.size); + else + ret = parse_pem_crl_mem(&res->x509_crl_list, &res->x509_ncrls, + x.data, x.size); + + _gnutls_strfile_free(&x); + + if (ret < 0) { + gnutls_assert(); return ret; + } + + return ret; } @@ -1581,16 +1633,16 @@ int gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials res, **/ void gnutls_certificate_free_crls(gnutls_certificate_credentials sc) { - uint j; + uint j; + + for (j = 0; j < sc->x509_ncrls; j++) { + gnutls_x509_crl_deinit(sc->x509_crl_list[j]); + } - for (j = 0; j < sc->x509_ncrls; j++) { - gnutls_x509_crl_deinit( sc->x509_crl_list[j]); - } - - sc->x509_ncrls = 0; + sc->x509_ncrls = 0; - gnutls_free( sc->x509_crl_list); - sc->x509_crl_list = NULL; + gnutls_free(sc->x509_crl_list); + sc->x509_crl_list = NULL; } #endif diff --git a/lib/gnutls_x509.h b/lib/gnutls_x509.h index f6ff1e32ac..ed29e3534a 100644 --- a/lib/gnutls_x509.h +++ b/lib/gnutls_x509.h @@ -11,11 +11,16 @@ int _gnutls_x509_cert_verify_peers(gnutls_session session); #define PEM_KEY_RSA_SEP "-----BEGIN RSA" #define PEM_KEY_DSA_SEP "-----BEGIN DSA" -int _gnutls_check_key_usage( const gnutls_cert* cert, gnutls_kx_algorithm alg); +int _gnutls_check_key_usage(const gnutls_cert * cert, + gnutls_kx_algorithm alg); -int _gnutls_x509_read_rsa_params(opaque * der, int dersize, mpi_t * params); -int _gnutls_x509_read_dsa_pubkey(opaque * der, int dersize, mpi_t * params); +int _gnutls_x509_read_rsa_params(opaque * der, int dersize, + mpi_t * params); +int _gnutls_x509_read_dsa_pubkey(opaque * der, int dersize, + mpi_t * params); -int _gnutls_x509_raw_privkey_to_gkey( gnutls_privkey* privkey, const gnutls_datum* raw_key, - gnutls_x509_crt_fmt type); -int _gnutls_x509_privkey_to_gkey( gnutls_privkey* privkey, gnutls_x509_privkey); +int _gnutls_x509_raw_privkey_to_gkey(gnutls_privkey * privkey, + const gnutls_datum * raw_key, + gnutls_x509_crt_fmt type); +int _gnutls_x509_privkey_to_gkey(gnutls_privkey * privkey, + gnutls_x509_privkey); diff --git a/lib/io_debug.h b/lib/io_debug.h index 2c3e2ff8ab..85c499fcd1 100644 --- a/lib/io_debug.h +++ b/lib/io_debug.h @@ -15,7 +15,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ - + /* This debug file was contributed by * Paul Sheer <psheer@icon.co.za>. Some changes were made by nmav. * Its purpose is to debug non blocking behaviour of gnutls. The included @@ -27,7 +27,7 @@ #include <gnutls_int.h> -#define EDUNNO EAGAIN /* EAGAIN */ +#define EDUNNO EAGAIN /* EAGAIN */ extern int errno; static int initialized_rand = 0; @@ -36,32 +36,32 @@ static int initialized_rand = 0; srand(time(0)); \ initialized_rand = 1; \ } -static int recv_debug (int fd, char *buf, int len, int flags) +static int recv_debug(int fd, char *buf, int len, int flags) { INITIALIZE_RAND; - + if (!(rand() % IO_DEBUG)) { errno = EDUNNO; return -1; } if (len > 1) len = 1; - return recv (fd, buf, len, flags); + return recv(fd, buf, len, flags); } #define recv recv_debug -static int send_debug (int fd, const char *buf, int len, int flags) +static int send_debug(int fd, const char *buf, int len, int flags) { INITIALIZE_RAND; - + if (!(rand() % IO_DEBUG)) { errno = EDUNNO; return -1; } if (len > 10) len = 10; - return send (fd, buf, len, flags); + return send(fd, buf, len, flags); } #define send send_debug diff --git a/lib/pkix_asn1_tab.c b/lib/pkix_asn1_tab.c index c31c516258..0e2ec9bba7 100644 --- a/lib/pkix_asn1_tab.c +++ b/lib/pkix_asn1_tab.c @@ -1,1095 +1,1103 @@ #include "libtasn1.h" -const ASN1_ARRAY_TYPE pkix_asn1_tab[]={ - {"PKIX1",536875024,0}, - {0,1073741836,0}, - {"id-ce",1879048204,0}, - {"joint-iso-ccitt",1073741825,"2"}, - {"ds",1073741825,"5"}, - {0,1,"29"}, - {"id-ce-authorityKeyIdentifier",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"35"}, - {"AuthorityKeyIdentifier",1610612741,0}, - {"keyIdentifier",1610637314,"KeyIdentifier"}, - {0,4104,"0"}, - {"authorityCertIssuer",1610637314,"GeneralNames"}, - {0,4104,"1"}, - {"authorityCertSerialNumber",536895490,"CertificateSerialNumber"}, - {0,4104,"2"}, - {"KeyIdentifier",1073741831,0}, - {"id-ce-subjectKeyIdentifier",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"14"}, - {"SubjectKeyIdentifier",1073741826,"KeyIdentifier"}, - {"id-ce-keyUsage",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"15"}, - {"KeyUsage",1610874886,0}, - {"digitalSignature",1073741825,"0"}, - {"nonRepudiation",1073741825,"1"}, - {"keyEncipherment",1073741825,"2"}, - {"dataEncipherment",1073741825,"3"}, - {"keyAgreement",1073741825,"4"}, - {"keyCertSign",1073741825,"5"}, - {"cRLSign",1073741825,"6"}, - {"encipherOnly",1073741825,"7"}, - {"decipherOnly",1,"8"}, - {"id-ce-privateKeyUsagePeriod",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"16"}, - {"PrivateKeyUsagePeriod",1610612741,0}, - {"notBefore",1619025937,0}, - {0,4104,"0"}, - {"notAfter",545284113,0}, - {0,4104,"1"}, - {"id-ce-certificatePolicies",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"32"}, - {"CertificatePolicies",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"PolicyInformation"}, - {"PolicyInformation",1610612741,0}, - {"policyIdentifier",1073741826,"CertPolicyId"}, - {"policyQualifiers",538984459,0}, - {"MAX",1074266122,"1"}, - {0,2,"PolicyQualifierInfo"}, - {"CertPolicyId",1073741836,0}, - {"PolicyQualifierInfo",1610612741,0}, - {"policyQualifierId",1073741826,"PolicyQualifierId"}, - {"qualifier",541065229,0}, - {"policyQualifierId",1,0}, - {"PolicyQualifierId",1073741836,0}, - {"CPSuri",1073741826,"IA5String"}, - {"UserNotice",1610612741,0}, - {"noticeRef",1073758210,"NoticeReference"}, - {"explicitText",16386,"DisplayText"}, - {"NoticeReference",1610612741,0}, - {"organization",1073741826,"DisplayText"}, - {"noticeNumbers",536870923,0}, - {0,3,0}, - {"DisplayText",1610612754,0}, - {"visibleString",1612709890,"VisibleString"}, - {"200",524298,"1"}, - {"bmpString",1612709890,"BMPString"}, - {"200",524298,"1"}, - {"utf8String",538968066,"UTF8String"}, - {"200",524298,"1"}, - {"id-ce-policyMappings",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"33"}, - {"PolicyMappings",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,536870917,0}, - {"issuerDomainPolicy",1073741826,"CertPolicyId"}, - {"subjectDomainPolicy",2,"CertPolicyId"}, - {"DirectoryString",1610612754,0}, - {"teletexString",1612709890,"TeletexString"}, - {"MAX",524298,"1"}, - {"printableString",1612709890,"PrintableString"}, - {"MAX",524298,"1"}, - {"universalString",1612709890,"UniversalString"}, - {"MAX",524298,"1"}, - {"utf8String",1612709890,"UTF8String"}, - {"MAX",524298,"1"}, - {"bmpString",538968066,"BMPString"}, - {"MAX",524298,"1"}, - {"id-ce-subjectAltName",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"17"}, - {"SubjectAltName",1073741826,"GeneralNames"}, - {"GeneralNames",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"GeneralName"}, - {"GeneralName",1610612754,0}, - {"otherName",1610620930,"AnotherName"}, - {0,4104,"0"}, - {"rfc822Name",1610620930,"IA5String"}, - {0,4104,"1"}, - {"dNSName",1610620930,"IA5String"}, - {0,4104,"2"}, - {"x400Address",1610620930,"ORAddress"}, - {0,4104,"3"}, - {"directoryName",1610620930,"Name"}, - {0,4104,"4"}, - {"ediPartyName",1610620930,"EDIPartyName"}, - {0,4104,"5"}, - {"uniformResourceIdentifier",1610620930,"IA5String"}, - {0,4104,"6"}, - {"iPAddress",1610620935,0}, - {0,4104,"7"}, - {"registeredID",536879116,0}, - {0,4104,"8"}, - {"AnotherName",1610612741,0}, - {"type-id",1073741836,0}, - {"value",541073421,0}, - {0,1073743880,"0"}, - {"type-id",1,0}, - {"EDIPartyName",1610612741,0}, - {"nameAssigner",1610637314,"DirectoryString"}, - {0,4104,"0"}, - {"partyName",536879106,"DirectoryString"}, - {0,4104,"1"}, - {"id-ce-issuerAltName",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"18"}, - {"IssuerAltName",1073741826,"GeneralNames"}, - {"id-ce-subjectDirectoryAttributes",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"9"}, - {"SubjectDirectoryAttributes",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"Attribute"}, - {"id-ce-basicConstraints",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"19"}, - {"BasicConstraints",1610612741,0}, - {"cA",1610645508,0}, - {0,131081,0}, - {"pathLenConstraint",537411587,0}, - {"0",10,"MAX"}, - {"id-ce-nameConstraints",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"30"}, - {"NameConstraints",1610612741,0}, - {"permittedSubtrees",1610637314,"GeneralSubtrees"}, - {0,4104,"0"}, - {"excludedSubtrees",536895490,"GeneralSubtrees"}, - {0,4104,"1"}, - {"GeneralSubtrees",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"GeneralSubtree"}, - {"GeneralSubtree",1610612741,0}, - {"base",1073741826,"GeneralName"}, - {"minimum",1610653698,"BaseDistance"}, - {0,1073741833,"0"}, - {0,4104,"0"}, - {"maximum",536895490,"BaseDistance"}, - {0,4104,"1"}, - {"BaseDistance",1611137027,0}, - {"0",10,"MAX"}, - {"id-ce-policyConstraints",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"36"}, - {"PolicyConstraints",1610612741,0}, - {"requireExplicitPolicy",1610637314,"SkipCerts"}, - {0,4104,"0"}, - {"inhibitPolicyMapping",536895490,"SkipCerts"}, - {0,4104,"1"}, - {"SkipCerts",1611137027,0}, - {"0",10,"MAX"}, - {"id-ce-cRLDistributionPoints",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"31"}, - {"CRLDistributionPoints",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"DistributionPoint"}, - {"DistributionPoint",1610612741,0}, - {"distributionPoint",1610637314,"DistributionPointName"}, - {0,2056,"0"}, - {"reasons",1610637314,"ReasonFlags"}, - {0,4104,"1"}, - {"cRLIssuer",536895490,"GeneralNames"}, - {0,4104,"2"}, - {"DistributionPointName",1610612754,0}, - {"fullName",1610620930,"GeneralNames"}, - {0,4104,"0"}, - {"nameRelativeToCRLIssuer",536879106,"RelativeDistinguishedName"}, - {0,4104,"1"}, - {"ReasonFlags",1610874886,0}, - {"unused",1073741825,"0"}, - {"keyCompromise",1073741825,"1"}, - {"cACompromise",1073741825,"2"}, - {"affiliationChanged",1073741825,"3"}, - {"superseded",1073741825,"4"}, - {"cessationOfOperation",1073741825,"5"}, - {"certificateHold",1073741825,"6"}, - {"privilegeWithdrawn",1073741825,"7"}, - {"aACompromise",1,"8"}, - {"id-ce-extKeyUsage",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"37"}, - {"ExtKeyUsageSyntax",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"KeyPurposeId"}, - {"KeyPurposeId",1073741836,0}, - {"id-kp-serverAuth",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"1"}, - {"id-kp-clientAuth",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"2"}, - {"id-kp-codeSigning",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"3"}, - {"id-kp-emailProtection",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"4"}, - {"id-kp-ipsecEndSystem",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"5"}, - {"id-kp-ipsecTunnel",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"6"}, - {"id-kp-ipsecUser",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"7"}, - {"id-kp-timeStamping",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"8"}, - {"id-pe-authorityInfoAccess",1879048204,0}, - {0,1073741825,"id-pe"}, - {0,1,"1"}, - {"AuthorityInfoAccessSyntax",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"AccessDescription"}, - {"AccessDescription",1610612741,0}, - {"accessMethod",1073741836,0}, - {"accessLocation",2,"GeneralName"}, - {"id-ce-cRLNumber",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"20"}, - {"CRLNumber",1611137027,0}, - {"0",10,"MAX"}, - {"id-ce-issuingDistributionPoint",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"28"}, - {"IssuingDistributionPoint",1610612741,0}, - {"distributionPoint",1610637314,"DistributionPointName"}, - {0,4104,"0"}, - {"onlyContainsUserCerts",1610653700,0}, - {0,1073872905,0}, - {0,4104,"1"}, - {"onlyContainsCACerts",1610653700,0}, - {0,1073872905,0}, - {0,4104,"2"}, - {"onlySomeReasons",1610637314,"ReasonFlags"}, - {0,4104,"3"}, - {"indirectCRL",536911876,0}, - {0,1073872905,0}, - {0,4104,"4"}, - {"id-ce-deltaCRLIndicator",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"27"}, - {"BaseCRLNumber",1073741826,"CRLNumber"}, - {"id-ce-cRLReasons",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"21"}, - {"CRLReason",1610874901,0}, - {"unspecified",1073741825,"0"}, - {"keyCompromise",1073741825,"1"}, - {"cACompromise",1073741825,"2"}, - {"affiliationChanged",1073741825,"3"}, - {"superseded",1073741825,"4"}, - {"cessationOfOperation",1073741825,"5"}, - {"certificateHold",1073741825,"6"}, - {"removeFromCRL",1,"8"}, - {"id-ce-certificateIssuer",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"29"}, - {"CertificateIssuer",1073741826,"GeneralNames"}, - {"id-ce-holdInstructionCode",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"23"}, - {"HoldInstructionCode",1073741836,0}, - {"holdInstruction",1879048204,0}, - {"joint-iso-itu-t",1073741825,"2"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"x9cm",1073741825,"10040"}, - {0,1,"2"}, - {"id-holdinstruction-none",1879048204,0}, - {0,1073741825,"holdInstruction"}, - {0,1,"1"}, - {"id-holdinstruction-callissuer",1879048204,0}, - {0,1073741825,"holdInstruction"}, - {0,1,"2"}, - {"id-holdinstruction-reject",1879048204,0}, - {0,1073741825,"holdInstruction"}, - {0,1,"3"}, - {"id-ce-invalidityDate",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"24"}, - {"InvalidityDate",1082130449,0}, - {"VisibleString",1610620935,0}, - {0,4360,"26"}, - {"NumericString",1610620935,0}, - {0,4360,"18"}, - {"IA5String",1610620935,0}, - {0,4360,"22"}, - {"TeletexString",1610620935,0}, - {0,4360,"20"}, - {"PrintableString",1610620935,0}, - {0,4360,"19"}, - {"UniversalString",1610620935,0}, - {0,4360,"28"}, - {"BMPString",1610620935,0}, - {0,4360,"30"}, - {"UTF8String",1610620935,0}, - {0,4360,"12"}, - {"id-pkix",1879048204,0}, - {"iso",1073741825,"1"}, - {"identified-organization",1073741825,"3"}, - {"dod",1073741825,"6"}, - {"internet",1073741825,"1"}, - {"security",1073741825,"5"}, - {"mechanisms",1073741825,"5"}, - {"pkix",1,"7"}, - {"id-pe",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"1"}, - {"id-qt",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"2"}, - {"id-kp",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"3"}, - {"id-ad",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"48"}, - {"id-qt-cps",1879048204,0}, - {0,1073741825,"id-qt"}, - {0,1,"1"}, - {"id-qt-unotice",1879048204,0}, - {0,1073741825,"id-qt"}, - {0,1,"2"}, - {"id-ad-ocsp",1879048204,0}, - {0,1073741825,"id-ad"}, - {0,1,"1"}, - {"id-ad-caIssuers",1879048204,0}, - {0,1073741825,"id-ad"}, - {0,1,"2"}, - {"Attribute",1610612741,0}, - {"type",1073741826,"AttributeType"}, - {"values",536870927,0}, - {0,2,"AttributeValue"}, - {"AttributeType",1073741836,0}, - {"AttributeValue",1614807053,0}, - {"type",1,0}, - {"AttributeTypeAndValue",1610612741,0}, - {"type",1073741826,"AttributeType"}, - {"value",2,"AttributeValue"}, - {"id-at",1879048204,0}, - {"joint-iso-ccitt",1073741825,"2"}, - {"ds",1073741825,"5"}, - {0,1,"4"}, - {"id-at-initials",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"43"}, - {"X520initials",1073741826,"DirectoryString"}, - {"id-at-generationQualifier",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"44"}, - {"X520generationQualifier",1073741826,"DirectoryString"}, - {"id-at-surname",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"4"}, - {"X520surName",1073741826,"DirectoryString"}, - {"id-at-givenName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"42"}, - {"X520givenName",1073741826,"DirectoryString"}, - {"id-at-name",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"41"}, - {"X520name",1073741826,"DirectoryString"}, - {"id-at-commonName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"3"}, - {"X520CommonName",1073741826,"DirectoryString"}, - {"id-at-localityName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"7"}, - {"X520LocalityName",1073741826,"DirectoryString"}, - {"id-at-stateOrProvinceName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"8"}, - {"X520StateOrProvinceName",1073741826,"DirectoryString"}, - {"id-at-organizationName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"10"}, - {"X520OrganizationName",1073741826,"DirectoryString"}, - {"id-at-organizationalUnitName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"11"}, - {"X520OrganizationalUnitName",1073741826,"DirectoryString"}, - {"id-at-title",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"12"}, - {"X520Title",1073741826,"DirectoryString"}, - {"id-at-description",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"13"}, - {"X520Description",1073741826,"DirectoryString"}, - {"id-at-dnQualifier",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"46"}, - {"X520dnQualifier",1073741826,"PrintableString"}, - {"id-at-countryName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"6"}, - {"X520countryName",1612709890,"PrintableString"}, - {0,1048586,"2"}, - {"id-at-serialNumber",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"5"}, - {"X520serialNumber",1073741826,"PrintableString"}, - {"id-at-telephoneNumber",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"20"}, - {"X520telephoneNumber",1073741826,"PrintableString"}, - {"id-at-facsimileTelephoneNumber",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"23"}, - {"X520facsimileTelephoneNumber",1073741826,"PrintableString"}, - {"id-at-pseudonym",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"65"}, - {"X520pseudonym",1073741826,"DirectoryString"}, - {"id-at-name",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"41"}, - {"X520name",1073741826,"DirectoryString"}, - {"id-at-streetAddress",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"9"}, - {"X520streetAddress",1073741826,"DirectoryString"}, - {"id-at-postalAddress",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"16"}, - {"X520postalAddress",1073741826,"PostalAddress"}, - {"PostalAddress",1610612747,0}, - {0,2,"DirectoryString"}, - {"pkcs",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"rsadsi",1073741825,"113549"}, - {"pkcs",1,"1"}, - {"pkcs-9",1879048204,0}, - {0,1073741825,"pkcs"}, - {0,1,"9"}, - {"emailAddress",1880096780,"AttributeType"}, - {0,1073741825,"pkcs-9"}, - {0,1,"1"}, - {"Pkcs9email",1612709890,"IA5String"}, - {"ub-emailaddress-length",524298,"1"}, - {"Name",1610612754,0}, - {"rdnSequence",2,"RDNSequence"}, - {"RDNSequence",1610612747,0}, - {0,2,"RelativeDistinguishedName"}, - {"DistinguishedName",1073741826,"RDNSequence"}, - {"RelativeDistinguishedName",1612709903,0}, - {"MAX",1074266122,"1"}, - {0,2,"AttributeTypeAndValue"}, - {"Certificate",1610612741,0}, - {"tbsCertificate",1073741826,"TBSCertificate"}, - {"signatureAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"signature",6,0}, - {"TBSCertificate",1610612741,0}, - {"version",1610653698,"Version"}, - {0,1073741833,"v1"}, - {0,2056,"0"}, - {"serialNumber",1073741826,"CertificateSerialNumber"}, - {"signature",1073741826,"AlgorithmIdentifier"}, - {"issuer",1073741826,"Name"}, - {"validity",1073741826,"Validity"}, - {"subject",1073741826,"Name"}, - {"subjectPublicKeyInfo",1073741826,"SubjectPublicKeyInfo"}, - {"issuerUniqueID",1610637314,"UniqueIdentifier"}, - {0,4104,"1"}, - {"subjectUniqueID",1610637314,"UniqueIdentifier"}, - {0,4104,"2"}, - {"extensions",536895490,"Extensions"}, - {0,2056,"3"}, - {"Version",1610874883,0}, - {"v1",1073741825,"0"}, - {"v2",1073741825,"1"}, - {"v3",1,"2"}, - {"CertificateSerialNumber",1073741827,0}, - {"Validity",1610612741,0}, - {"notBefore",1073741826,"Time"}, - {"notAfter",2,"Time"}, - {"Time",1610612754,0}, - {"utcTime",1090519057,0}, - {"generalTime",8388625,0}, - {"UniqueIdentifier",1073741830,0}, - {"SubjectPublicKeyInfo",1610612741,0}, - {"algorithm",1073741826,"AlgorithmIdentifier"}, - {"subjectPublicKey",6,0}, - {"Extensions",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"Extension"}, - {"Extension",1610612741,0}, - {"extnID",1073741836,0}, - {"critical",1610645508,0}, - {0,131081,0}, - {"extnValue",7,0}, - {"CertificateList",1610612741,0}, - {"tbsCertList",1073741826,"TBSCertList"}, - {"signatureAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"signature",6,0}, - {"TBSCertList",1610612741,0}, - {"version",1073758210,"Version"}, - {"signature",1073741826,"AlgorithmIdentifier"}, - {"issuer",1073741826,"Name"}, - {"thisUpdate",1073741826,"Time"}, - {"nextUpdate",1073758210,"Time"}, - {"revokedCertificates",1610629131,0}, - {0,536870917,0}, - {"userCertificate",1073741826,"CertificateSerialNumber"}, - {"revocationDate",1073741826,"Time"}, - {"crlEntryExtensions",16386,"Extensions"}, - {"crlExtensions",536895490,"Extensions"}, - {0,2056,"0"}, - {"AlgorithmIdentifier",1610612741,0}, - {"algorithm",1073741836,0}, - {"parameters",541081613,0}, - {"algorithm",1,0}, - {"pkcs-1",1879048204,0}, - {0,1073741825,"pkcs"}, - {0,1,"1"}, - {"rsaEncryption",1879048204,0}, - {0,1073741825,"pkcs-1"}, - {0,1,"1"}, - {"md2WithRSAEncryption",1879048204,0}, - {0,1073741825,"pkcs-1"}, - {0,1,"2"}, - {"md5WithRSAEncryption",1879048204,0}, - {0,1073741825,"pkcs-1"}, - {0,1,"4"}, - {"sha1WithRSAEncryption",1879048204,0}, - {0,1073741825,"pkcs-1"}, - {0,1,"5"}, - {"id-dsa-with-sha1",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"x9-57",1073741825,"10040"}, - {"x9algorithm",1073741825,"4"}, - {0,1,"3"}, - {"Dss-Sig-Value",1610612741,0}, - {"r",1073741827,0}, - {"s",3,0}, - {"dhpublicnumber",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"ansi-x942",1073741825,"10046"}, - {"number-type",1073741825,"2"}, - {0,1,"1"}, - {"DomainParameters",1610612741,0}, - {"p",1073741827,0}, - {"g",1073741827,0}, - {"q",1073741827,0}, - {"j",1073758211,0}, - {"validationParms",16386,"ValidationParms"}, - {"ValidationParms",1610612741,0}, - {"seed",1073741830,0}, - {"pgenCounter",3,0}, - {"id-dsa",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"x9-57",1073741825,"10040"}, - {"x9algorithm",1073741825,"4"}, - {0,1,"1"}, - {"Dss-Parms",1610612741,0}, - {"p",1073741827,0}, - {"q",1073741827,0}, - {"g",3,0}, - {"ORAddress",1610612741,0}, - {"built-in-standard-attributes",1073741826,"BuiltInStandardAttributes"}, - {"built-in-domain-defined-attributes",1073758210,"BuiltInDomainDefinedAttributes"}, - {"extension-attributes",16386,"ExtensionAttributes"}, - {"BuiltInStandardAttributes",1610612741,0}, - {"country-name",1073758210,"CountryName"}, - {"administration-domain-name",1073758210,"AdministrationDomainName"}, - {"network-address",1610637314,"NetworkAddress"}, - {0,2056,"0"}, - {"terminal-identifier",1610637314,"TerminalIdentifier"}, - {0,2056,"1"}, - {"private-domain-name",1610637314,"PrivateDomainName"}, - {0,2056,"2"}, - {"organization-name",1610637314,"OrganizationName"}, - {0,2056,"3"}, - {"numeric-user-identifier",1610637314,"NumericUserIdentifier"}, - {0,2056,"4"}, - {"personal-name",1610637314,"PersonalName"}, - {0,2056,"5"}, - {"organizational-unit-names",536895490,"OrganizationalUnitNames"}, - {0,2056,"6"}, - {"CountryName",1610620946,0}, - {0,1073746952,"1"}, - {"x121-dcc-code",1612709890,"NumericString"}, - {0,1048586,"ub-country-name-numeric-length"}, - {"iso-3166-alpha2-code",538968066,"PrintableString"}, - {0,1048586,"ub-country-name-alpha-length"}, - {"AdministrationDomainName",1610620946,0}, - {0,1073744904,"2"}, - {"numeric",1612709890,"NumericString"}, - {"ub-domain-name-length",524298,"0"}, - {"printable",538968066,"PrintableString"}, - {"ub-domain-name-length",524298,"0"}, - {"NetworkAddress",1073741826,"X121Address"}, - {"X121Address",1612709890,"NumericString"}, - {"ub-x121-address-length",524298,"1"}, - {"TerminalIdentifier",1612709890,"PrintableString"}, - {"ub-terminal-id-length",524298,"1"}, - {"PrivateDomainName",1610612754,0}, - {"numeric",1612709890,"NumericString"}, - {"ub-domain-name-length",524298,"1"}, - {"printable",538968066,"PrintableString"}, - {"ub-domain-name-length",524298,"1"}, - {"OrganizationName",1612709890,"PrintableString"}, - {"ub-organization-name-length",524298,"1"}, - {"NumericUserIdentifier",1612709890,"NumericString"}, - {"ub-numeric-user-id-length",524298,"1"}, - {"PersonalName",1610612750,0}, - {"surname",1814044674,"PrintableString"}, - {0,1073745928,"0"}, - {"ub-surname-length",524298,"1"}, - {"given-name",1814061058,"PrintableString"}, - {0,1073745928,"1"}, - {"ub-given-name-length",524298,"1"}, - {"initials",1814061058,"PrintableString"}, - {0,1073745928,"2"}, - {"ub-initials-length",524298,"1"}, - {"generation-qualifier",740319234,"PrintableString"}, - {0,1073745928,"3"}, - {"ub-generation-qualifier-length",524298,"1"}, - {"OrganizationalUnitNames",1612709899,0}, - {"ub-organizational-units",1074266122,"1"}, - {0,2,"OrganizationalUnitName"}, - {"OrganizationalUnitName",1612709890,"PrintableString"}, - {"ub-organizational-unit-name-length",524298,"1"}, - {"BuiltInDomainDefinedAttributes",1612709899,0}, - {"ub-domain-defined-attributes",1074266122,"1"}, - {0,2,"BuiltInDomainDefinedAttribute"}, - {"BuiltInDomainDefinedAttribute",1610612741,0}, - {"type",1612709890,"PrintableString"}, - {"ub-domain-defined-attribute-type-length",524298,"1"}, - {"value",538968066,"PrintableString"}, - {"ub-domain-defined-attribute-value-length",524298,"1"}, - {"ExtensionAttributes",1612709903,0}, - {"ub-extension-attributes",1074266122,"1"}, - {0,2,"ExtensionAttribute"}, - {"ExtensionAttribute",1610612741,0}, - {"extension-attribute-type",1611145219,0}, - {0,1073743880,"0"}, - {"0",10,"ub-extension-attributes"}, - {"extension-attribute-value",541073421,0}, - {0,1073743880,"1"}, - {"extension-attribute-type",1,0}, - {"common-name",1342177283,"1"}, - {"CommonName",1612709890,"PrintableString"}, - {"ub-common-name-length",524298,"1"}, - {"teletex-common-name",1342177283,"2"}, - {"TeletexCommonName",1612709890,"TeletexString"}, - {"ub-common-name-length",524298,"1"}, - {"teletex-organization-name",1342177283,"3"}, - {"TeletexOrganizationName",1612709890,"TeletexString"}, - {"ub-organization-name-length",524298,"1"}, - {"teletex-personal-name",1342177283,"4"}, - {"TeletexPersonalName",1610612750,0}, - {"surname",1814044674,"TeletexString"}, - {0,1073743880,"0"}, - {"ub-surname-length",524298,"1"}, - {"given-name",1814061058,"TeletexString"}, - {0,1073743880,"1"}, - {"ub-given-name-length",524298,"1"}, - {"initials",1814061058,"TeletexString"}, - {0,1073743880,"2"}, - {"ub-initials-length",524298,"1"}, - {"generation-qualifier",740319234,"TeletexString"}, - {0,1073743880,"3"}, - {"ub-generation-qualifier-length",524298,"1"}, - {"teletex-organizational-unit-names",1342177283,"5"}, - {"TeletexOrganizationalUnitNames",1612709899,0}, - {"ub-organizational-units",1074266122,"1"}, - {0,2,"TeletexOrganizationalUnitName"}, - {"TeletexOrganizationalUnitName",1612709890,"TeletexString"}, - {"ub-organizational-unit-name-length",524298,"1"}, - {"pds-name",1342177283,"7"}, - {"PDSName",1612709890,"PrintableString"}, - {"ub-pds-name-length",524298,"1"}, - {"physical-delivery-country-name",1342177283,"8"}, - {"PhysicalDeliveryCountryName",1610612754,0}, - {"x121-dcc-code",1612709890,"NumericString"}, - {0,1048586,"ub-country-name-numeric-length"}, - {"iso-3166-alpha2-code",538968066,"PrintableString"}, - {0,1048586,"ub-country-name-alpha-length"}, - {"postal-code",1342177283,"9"}, - {"PostalCode",1610612754,0}, - {"numeric-code",1612709890,"NumericString"}, - {"ub-postal-code-length",524298,"1"}, - {"printable-code",538968066,"PrintableString"}, - {"ub-postal-code-length",524298,"1"}, - {"physical-delivery-office-name",1342177283,"10"}, - {"PhysicalDeliveryOfficeName",1073741826,"PDSParameter"}, - {"physical-delivery-office-number",1342177283,"11"}, - {"PhysicalDeliveryOfficeNumber",1073741826,"PDSParameter"}, - {"extension-OR-address-components",1342177283,"12"}, - {"ExtensionORAddressComponents",1073741826,"PDSParameter"}, - {"physical-delivery-personal-name",1342177283,"13"}, - {"PhysicalDeliveryPersonalName",1073741826,"PDSParameter"}, - {"physical-delivery-organization-name",1342177283,"14"}, - {"PhysicalDeliveryOrganizationName",1073741826,"PDSParameter"}, - {"extension-physical-delivery-address-components",1342177283,"15"}, - {"ExtensionPhysicalDeliveryAddressComponents",1073741826,"PDSParameter"}, - {"unformatted-postal-address",1342177283,"16"}, - {"UnformattedPostalAddress",1610612750,0}, - {"printable-address",1814052875,0}, - {"ub-pds-physical-address-lines",1074266122,"1"}, - {0,538968066,"PrintableString"}, - {"ub-pds-parameter-length",524298,"1"}, - {"teletex-string",740311042,"TeletexString"}, - {"ub-unformatted-address-length",524298,"1"}, - {"street-address",1342177283,"17"}, - {"StreetAddress",1073741826,"PDSParameter"}, - {"post-office-box-address",1342177283,"18"}, - {"PostOfficeBoxAddress",1073741826,"PDSParameter"}, - {"poste-restante-address",1342177283,"19"}, - {"PosteRestanteAddress",1073741826,"PDSParameter"}, - {"unique-postal-name",1342177283,"20"}, - {"UniquePostalName",1073741826,"PDSParameter"}, - {"local-postal-attributes",1342177283,"21"}, - {"LocalPostalAttributes",1073741826,"PDSParameter"}, - {"PDSParameter",1610612750,0}, - {"printable-string",1814052866,"PrintableString"}, - {"ub-pds-parameter-length",524298,"1"}, - {"teletex-string",740311042,"TeletexString"}, - {"ub-pds-parameter-length",524298,"1"}, - {"extended-network-address",1342177283,"22"}, - {"ExtendedNetworkAddress",1610612754,0}, - {"e163-4-address",1610612741,0}, - {"number",1612718082,"NumericString"}, - {0,1073743880,"0"}, - {"ub-e163-4-number-length",524298,"1"}, - {"sub-address",538992642,"NumericString"}, - {0,1073743880,"1"}, - {"ub-e163-4-sub-address-length",524298,"1"}, - {"psap-address",536879106,"PresentationAddress"}, - {0,2056,"0"}, - {"PresentationAddress",1610612741,0}, - {"pSelector",1610637319,0}, - {0,2056,"0"}, - {"sSelector",1610637319,0}, - {0,2056,"1"}, - {"tSelector",1610637319,0}, - {0,2056,"2"}, - {"nAddresses",538976271,0}, - {0,1073743880,"3"}, - {"MAX",1074266122,"1"}, - {0,7,0}, - {"terminal-type",1342177283,"23"}, - {"TerminalType",1610874883,0}, - {"telex",1073741825,"3"}, - {"teletex",1073741825,"4"}, - {"g3-facsimile",1073741825,"5"}, - {"g4-facsimile",1073741825,"6"}, - {"ia5-terminal",1073741825,"7"}, - {"videotex",1,"8"}, - {"teletex-domain-defined-attributes",1342177283,"6"}, - {"TeletexDomainDefinedAttributes",1612709899,0}, - {"ub-domain-defined-attributes",1074266122,"1"}, - {0,2,"TeletexDomainDefinedAttribute"}, - {"TeletexDomainDefinedAttribute",1610612741,0}, - {"type",1612709890,"TeletexString"}, - {"ub-domain-defined-attribute-type-length",524298,"1"}, - {"value",538968066,"TeletexString"}, - {"ub-domain-defined-attribute-value-length",524298,"1"}, - {"ub-name",1342177283,"32768"}, - {"ub-common-name",1342177283,"64"}, - {"ub-locality-name",1342177283,"128"}, - {"ub-state-name",1342177283,"128"}, - {"ub-organization-name",1342177283,"64"}, - {"ub-organizational-unit-name",1342177283,"64"}, - {"ub-title",1342177283,"64"}, - {"ub-match",1342177283,"128"}, - {"ub-emailaddress-length",1342177283,"128"}, - {"ub-common-name-length",1342177283,"64"}, - {"ub-country-name-alpha-length",1342177283,"2"}, - {"ub-country-name-numeric-length",1342177283,"3"}, - {"ub-domain-defined-attributes",1342177283,"4"}, - {"ub-domain-defined-attribute-type-length",1342177283,"8"}, - {"ub-domain-defined-attribute-value-length",1342177283,"128"}, - {"ub-domain-name-length",1342177283,"16"}, - {"ub-extension-attributes",1342177283,"256"}, - {"ub-e163-4-number-length",1342177283,"15"}, - {"ub-e163-4-sub-address-length",1342177283,"40"}, - {"ub-generation-qualifier-length",1342177283,"3"}, - {"ub-given-name-length",1342177283,"16"}, - {"ub-initials-length",1342177283,"5"}, - {"ub-integer-options",1342177283,"256"}, - {"ub-numeric-user-id-length",1342177283,"32"}, - {"ub-organization-name-length",1342177283,"64"}, - {"ub-organizational-unit-name-length",1342177283,"32"}, - {"ub-organizational-units",1342177283,"4"}, - {"ub-pds-name-length",1342177283,"16"}, - {"ub-pds-parameter-length",1342177283,"30"}, - {"ub-pds-physical-address-lines",1342177283,"6"}, - {"ub-postal-code-length",1342177283,"16"}, - {"ub-surname-length",1342177283,"40"}, - {"ub-terminal-id-length",1342177283,"24"}, - {"ub-unformatted-address-length",1342177283,"180"}, - {"ub-x121-address-length",1342177283,"16"}, - {"pkcs-7-ContentInfo",1610612741,0}, - {"contentType",1073741826,"pkcs-7-ContentType"}, - {"content",541073421,0}, - {0,1073743880,"0"}, - {"contentType",1,0}, - {"pkcs-7-DigestInfo",1610612741,0}, - {"digestAlgorithm",1073741826,"pkcs-7-DigestAlgorithmIdentifier"}, - {"digest",2,"pkcs-7-Digest"}, - {"pkcs-7-Digest",1073741831,0}, - {"pkcs-7-ContentType",1073741836,0}, - {"pkcs-7-SignedData",1610612741,0}, - {"version",1073741826,"pkcs-7-CMSVersion"}, - {"digestAlgorithms",1073741826,"pkcs-7-DigestAlgorithmIdentifiers"}, - {"encapContentInfo",1073741826,"pkcs-7-EncapsulatedContentInfo"}, - {"certificates",1610637314,"pkcs-7-CertificateSet"}, - {0,4104,"0"}, - {"crls",1610637314,"pkcs-7-CertificateRevocationLists"}, - {0,4104,"1"}, - {"signerInfos",2,"pkcs-7-SignerInfos"}, - {"pkcs-7-CMSVersion",1610874883,0}, - {"v0",1073741825,"0"}, - {"v1",1073741825,"1"}, - {"v2",1073741825,"2"}, - {"v3",1073741825,"3"}, - {"v4",1,"4"}, - {"pkcs-7-DigestAlgorithmIdentifiers",1610612751,0}, - {0,2,"pkcs-7-DigestAlgorithmIdentifier"}, - {"pkcs-7-DigestAlgorithmIdentifier",1073741826,"AlgorithmIdentifier"}, - {"pkcs-7-EncapsulatedContentInfo",1610612741,0}, - {"eContentType",1073741826,"pkcs-7-ContentType"}, - {"eContent",536895495,0}, - {0,2056,"0"}, - {"pkcs-7-CertificateRevocationLists",1610612751,0}, - {0,13,0}, - {"pkcs-7-CertificateChoices",1610612754,0}, - {"certificate",13,0}, - {"pkcs-7-CertificateSet",1610612751,0}, - {0,2,"pkcs-7-CertificateChoices"}, - {"pkcs-7-SignerInfos",1610612751,0}, - {0,13,0}, - {"pkcs-10-CertificationRequestInfo",1610612741,0}, - {"version",1610874883,0}, - {"v1",1,"0"}, - {"subject",1073741826,"Name"}, - {"subjectPKInfo",1073741826,"SubjectPublicKeyInfo"}, - {"attributes",536879106,"Attributes"}, - {0,4104,"0"}, - {"Attributes",1610612751,0}, - {0,2,"Attribute"}, - {"pkcs-10-CertificationRequest",1610612741,0}, - {"certificationRequestInfo",1073741826,"pkcs-10-CertificationRequestInfo"}, - {"signatureAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"signature",6,0}, - {"pkcs-9-ub-challengePassword",1342177283,"255"}, - {"pkcs-9-certTypes",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"22"}, - {"pkcs-9-crlTypes",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"23"}, - {"pkcs-9-at-challengePassword",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"7"}, - {"pkcs-9-challengePassword",1610612754,0}, - {"printableString",1612709890,"PrintableString"}, - {"pkcs-9-ub-challengePassword",524298,"1"}, - {"utf8String",538968066,"UTF8String"}, - {"pkcs-9-ub-challengePassword",524298,"1"}, - {"pkcs-9-at-localKeyId",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"21"}, - {"pkcs-9-localKeyId",1073741831,0}, - {"pkcs-9-at-friendlyName",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"20"}, - {"pkcs-9-friendlyName",1612709890,"BMPString"}, - {"255",524298,"1"}, - {"pkcs-8-PrivateKeyInfo",1610612741,0}, - {"version",1073741826,"pkcs-8-Version"}, - {"privateKeyAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"privateKey",1073741826,"pkcs-8-PrivateKey"}, - {"attributes",536895490,"Attributes"}, - {0,4104,"0"}, - {"pkcs-8-Version",1610874883,0}, - {"v1",1,"0"}, - {"pkcs-8-PrivateKey",1073741831,0}, - {"pkcs-8-Attributes",1610612751,0}, - {0,2,"Attribute"}, - {"pkcs-8-EncryptedPrivateKeyInfo",1610612741,0}, - {"encryptionAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"encryptedData",2,"pkcs-8-EncryptedData"}, - {"pkcs-8-EncryptedData",1073741831,0}, - {"pkcs-5",1879048204,0}, - {0,1073741825,"pkcs"}, - {0,1,"5"}, - {"pkcs-5-encryptionAlgorithm",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"rsadsi",1073741825,"113549"}, - {0,1,"3"}, - {"pkcs-5-des-EDE3-CBC",1879048204,0}, - {0,1073741825,"pkcs-5-encryptionAlgorithm"}, - {0,1,"7"}, - {"pkcs-5-des-EDE3-CBC-params",1612709895,0}, - {0,1048586,"8"}, - {"pkcs-5-id-PBES2",1879048204,0}, - {0,1073741825,"pkcs-5"}, - {0,1,"13"}, - {"pkcs-5-PBES2-params",1610612741,0}, - {"keyDerivationFunc",1073741826,"AlgorithmIdentifier"}, - {"encryptionScheme",2,"AlgorithmIdentifier"}, - {"pkcs-5-id-PBKDF2",1879048204,0}, - {0,1073741825,"pkcs-5"}, - {0,1,"12"}, - {"pkcs-5-PBKDF2-params",1610612741,0}, - {"salt",1610612754,0}, - {"specified",1073741831,0}, - {"otherSource",2,"AlgorithmIdentifier"}, - {"iterationCount",1611137027,0}, - {"1",10,"MAX"}, - {"keyLength",1611153411,0}, - {"1",10,"MAX"}, - {"prf",16386,"AlgorithmIdentifier"}, - {"pkcs-12",1879048204,0}, - {0,1073741825,"pkcs"}, - {0,1,"12"}, - {"pkcs-12-PFX",1610612741,0}, - {"version",1610874883,0}, - {"v3",1,"3"}, - {"authSafe",1073741826,"pkcs-7-ContentInfo"}, - {"macData",16386,"pkcs-12-MacData"}, - {"pkcs-12-PbeParams",1610612741,0}, - {"salt",1073741831,0}, - {"iterations",3,0}, - {"pkcs-12-MacData",1610612741,0}, - {"mac",1073741826,"pkcs-7-DigestInfo"}, - {"macSalt",1073741831,0}, - {"iterations",536903683,0}, - {0,9,"1"}, - {"pkcs-12-AuthenticatedSafe",1610612747,0}, - {0,2,"pkcs-7-ContentInfo"}, - {"pkcs-12-SafeContents",1610612747,0}, - {0,2,"pkcs-12-SafeBag"}, - {"pkcs-12-SafeBag",1610612741,0}, - {"bagId",1073741836,0}, - {"bagValue",1614815245,0}, - {0,1073743880,"0"}, - {"badId",1,0}, - {"bagAttributes",536887311,0}, - {0,2,"pkcs-12-PKCS12Attribute"}, - {"pkcs-12-bagtypes",1879048204,0}, - {0,1073741825,"pkcs-12"}, - {0,1073741825,"10"}, - {0,1,"1"}, - {"pkcs-12-keyBag",1879048204,0}, - {0,1073741825,"pkcs-12-bagtypes"}, - {0,1,"1"}, - {"pkcs-12-pkcs8ShroudedKeyBag",1879048204,0}, - {0,1073741825,"pkcs-12-bagtypes"}, - {0,1,"2"}, - {"pkcs-12-certBag",1879048204,0}, - {0,1073741825,"pkcs-12-bagtypes"}, - {0,1,"3"}, - {"pkcs-12-crlBag",1879048204,0}, - {0,1073741825,"pkcs-12-bagtypes"}, - {0,1,"4"}, - {"pkcs-12-KeyBag",1073741826,"pkcs-8-PrivateKeyInfo"}, - {"pkcs-12-PKCS8ShroudedKeyBag",1073741826,"pkcs-8-EncryptedPrivateKeyInfo"}, - {"pkcs-12-CertBag",1610612741,0}, - {"certId",1073741836,0}, - {"certValue",541073421,0}, - {0,1073743880,"0"}, - {"certId",1,0}, - {"pkcs-12-CRLBag",1610612741,0}, - {"crlId",1073741836,0}, - {"crlValue",541073421,0}, - {0,1073743880,"0"}, - {"crlId",1,0}, - {"pkcs-12-PKCS12Attribute",1073741826,"Attribute"}, - {"pkcs-7-data",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"rsadsi",1073741825,"113549"}, - {"pkcs",1073741825,"1"}, - {"pkcs7",1073741825,"7"}, - {0,1,"1"}, - {"pkcs-7-encryptedData",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"rsadsi",1073741825,"113549"}, - {"pkcs",1073741825,"1"}, - {"pkcs7",1073741825,"7"}, - {0,1,"6"}, - {"pkcs-7-Data",1073741831,0}, - {"pkcs-7-EncryptedData",1610612741,0}, - {"version",1073741826,"pkcs-7-CMSVersion"}, - {"encryptedContentInfo",1073741826,"pkcs-7-EncryptedContentInfo"}, - {"unprotectedAttrs",536895490,"pkcs-7-UnprotectedAttributes"}, - {0,4104,"1"}, - {"pkcs-7-EncryptedContentInfo",1610612741,0}, - {"contentType",1073741826,"pkcs-7-ContentType"}, - {"contentEncryptionAlgorithm",1073741826,"pkcs-7-ContentEncryptionAlgorithmIdentifier"}, - {"encryptedContent",536895490,"pkcs-7-EncryptedContent"}, - {0,4104,"0"}, - {"pkcs-7-ContentEncryptionAlgorithmIdentifier",1073741826,"AlgorithmIdentifier"}, - {"pkcs-7-EncryptedContent",1073741831,0}, - {"pkcs-7-UnprotectedAttributes",1612709903,0}, - {"MAX",1074266122,"1"}, - {0,2,"Attribute"}, - {"id-at-ldap-DC",1880096780,"AttributeType"}, - {0,1073741825,"0"}, - {0,1073741825,"9"}, - {0,1073741825,"2342"}, - {0,1073741825,"19200300"}, - {0,1073741825,"100"}, - {0,1073741825,"1"}, - {0,1,"25"}, - {"ldap-DC",1073741826,"IA5String"}, - {"id-at-ldap-UID",1880096780,"AttributeType"}, - {0,1073741825,"0"}, - {0,1073741825,"9"}, - {0,1073741825,"2342"}, - {0,1073741825,"19200300"}, - {0,1073741825,"100"}, - {0,1073741825,"1"}, - {0,1,"1"}, - {"ldap-UID",1073741826,"IA5String"}, - {"id-pda",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"9"}, - {"id-pda-dateOfBirth",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"1"}, - {"DateOfBirth",1082130449,0}, - {"id-pda-placeOfBirth",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"2"}, - {"PlaceOfBirth",1073741826,"DirectoryString"}, - {"id-pda-gender",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"3"}, - {"Gender",1612709890,"PrintableString"}, - {0,1048586,"1"}, - {"id-pda-countryOfCitizenship",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"4"}, - {"CountryOfCitizenship",1612709890,"PrintableString"}, - {0,1048586,"2"}, - {"id-pda-countryOfResidence",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"5"}, - {"CountryOfResidence",538968066,"PrintableString"}, - {0,1048586,"2"}, - {0,0,0} +const ASN1_ARRAY_TYPE pkix_asn1_tab[] = { + {"PKIX1", 536875024, 0}, + {0, 1073741836, 0}, + {"id-ce", 1879048204, 0}, + {"joint-iso-ccitt", 1073741825, "2"}, + {"ds", 1073741825, "5"}, + {0, 1, "29"}, + {"id-ce-authorityKeyIdentifier", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "35"}, + {"AuthorityKeyIdentifier", 1610612741, 0}, + {"keyIdentifier", 1610637314, "KeyIdentifier"}, + {0, 4104, "0"}, + {"authorityCertIssuer", 1610637314, "GeneralNames"}, + {0, 4104, "1"}, + {"authorityCertSerialNumber", 536895490, "CertificateSerialNumber"}, + {0, 4104, "2"}, + {"KeyIdentifier", 1073741831, 0}, + {"id-ce-subjectKeyIdentifier", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "14"}, + {"SubjectKeyIdentifier", 1073741826, "KeyIdentifier"}, + {"id-ce-keyUsage", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "15"}, + {"KeyUsage", 1610874886, 0}, + {"digitalSignature", 1073741825, "0"}, + {"nonRepudiation", 1073741825, "1"}, + {"keyEncipherment", 1073741825, "2"}, + {"dataEncipherment", 1073741825, "3"}, + {"keyAgreement", 1073741825, "4"}, + {"keyCertSign", 1073741825, "5"}, + {"cRLSign", 1073741825, "6"}, + {"encipherOnly", 1073741825, "7"}, + {"decipherOnly", 1, "8"}, + {"id-ce-privateKeyUsagePeriod", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "16"}, + {"PrivateKeyUsagePeriod", 1610612741, 0}, + {"notBefore", 1619025937, 0}, + {0, 4104, "0"}, + {"notAfter", 545284113, 0}, + {0, 4104, "1"}, + {"id-ce-certificatePolicies", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "32"}, + {"CertificatePolicies", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "PolicyInformation"}, + {"PolicyInformation", 1610612741, 0}, + {"policyIdentifier", 1073741826, "CertPolicyId"}, + {"policyQualifiers", 538984459, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "PolicyQualifierInfo"}, + {"CertPolicyId", 1073741836, 0}, + {"PolicyQualifierInfo", 1610612741, 0}, + {"policyQualifierId", 1073741826, "PolicyQualifierId"}, + {"qualifier", 541065229, 0}, + {"policyQualifierId", 1, 0}, + {"PolicyQualifierId", 1073741836, 0}, + {"CPSuri", 1073741826, "IA5String"}, + {"UserNotice", 1610612741, 0}, + {"noticeRef", 1073758210, "NoticeReference"}, + {"explicitText", 16386, "DisplayText"}, + {"NoticeReference", 1610612741, 0}, + {"organization", 1073741826, "DisplayText"}, + {"noticeNumbers", 536870923, 0}, + {0, 3, 0}, + {"DisplayText", 1610612754, 0}, + {"visibleString", 1612709890, "VisibleString"}, + {"200", 524298, "1"}, + {"bmpString", 1612709890, "BMPString"}, + {"200", 524298, "1"}, + {"utf8String", 538968066, "UTF8String"}, + {"200", 524298, "1"}, + {"id-ce-policyMappings", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "33"}, + {"PolicyMappings", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 536870917, 0}, + {"issuerDomainPolicy", 1073741826, "CertPolicyId"}, + {"subjectDomainPolicy", 2, "CertPolicyId"}, + {"DirectoryString", 1610612754, 0}, + {"teletexString", 1612709890, "TeletexString"}, + {"MAX", 524298, "1"}, + {"printableString", 1612709890, "PrintableString"}, + {"MAX", 524298, "1"}, + {"universalString", 1612709890, "UniversalString"}, + {"MAX", 524298, "1"}, + {"utf8String", 1612709890, "UTF8String"}, + {"MAX", 524298, "1"}, + {"bmpString", 538968066, "BMPString"}, + {"MAX", 524298, "1"}, + {"id-ce-subjectAltName", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "17"}, + {"SubjectAltName", 1073741826, "GeneralNames"}, + {"GeneralNames", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "GeneralName"}, + {"GeneralName", 1610612754, 0}, + {"otherName", 1610620930, "AnotherName"}, + {0, 4104, "0"}, + {"rfc822Name", 1610620930, "IA5String"}, + {0, 4104, "1"}, + {"dNSName", 1610620930, "IA5String"}, + {0, 4104, "2"}, + {"x400Address", 1610620930, "ORAddress"}, + {0, 4104, "3"}, + {"directoryName", 1610620930, "Name"}, + {0, 4104, "4"}, + {"ediPartyName", 1610620930, "EDIPartyName"}, + {0, 4104, "5"}, + {"uniformResourceIdentifier", 1610620930, "IA5String"}, + {0, 4104, "6"}, + {"iPAddress", 1610620935, 0}, + {0, 4104, "7"}, + {"registeredID", 536879116, 0}, + {0, 4104, "8"}, + {"AnotherName", 1610612741, 0}, + {"type-id", 1073741836, 0}, + {"value", 541073421, 0}, + {0, 1073743880, "0"}, + {"type-id", 1, 0}, + {"EDIPartyName", 1610612741, 0}, + {"nameAssigner", 1610637314, "DirectoryString"}, + {0, 4104, "0"}, + {"partyName", 536879106, "DirectoryString"}, + {0, 4104, "1"}, + {"id-ce-issuerAltName", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "18"}, + {"IssuerAltName", 1073741826, "GeneralNames"}, + {"id-ce-subjectDirectoryAttributes", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "9"}, + {"SubjectDirectoryAttributes", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "Attribute"}, + {"id-ce-basicConstraints", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "19"}, + {"BasicConstraints", 1610612741, 0}, + {"cA", 1610645508, 0}, + {0, 131081, 0}, + {"pathLenConstraint", 537411587, 0}, + {"0", 10, "MAX"}, + {"id-ce-nameConstraints", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "30"}, + {"NameConstraints", 1610612741, 0}, + {"permittedSubtrees", 1610637314, "GeneralSubtrees"}, + {0, 4104, "0"}, + {"excludedSubtrees", 536895490, "GeneralSubtrees"}, + {0, 4104, "1"}, + {"GeneralSubtrees", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "GeneralSubtree"}, + {"GeneralSubtree", 1610612741, 0}, + {"base", 1073741826, "GeneralName"}, + {"minimum", 1610653698, "BaseDistance"}, + {0, 1073741833, "0"}, + {0, 4104, "0"}, + {"maximum", 536895490, "BaseDistance"}, + {0, 4104, "1"}, + {"BaseDistance", 1611137027, 0}, + {"0", 10, "MAX"}, + {"id-ce-policyConstraints", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "36"}, + {"PolicyConstraints", 1610612741, 0}, + {"requireExplicitPolicy", 1610637314, "SkipCerts"}, + {0, 4104, "0"}, + {"inhibitPolicyMapping", 536895490, "SkipCerts"}, + {0, 4104, "1"}, + {"SkipCerts", 1611137027, 0}, + {"0", 10, "MAX"}, + {"id-ce-cRLDistributionPoints", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "31"}, + {"CRLDistributionPoints", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "DistributionPoint"}, + {"DistributionPoint", 1610612741, 0}, + {"distributionPoint", 1610637314, "DistributionPointName"}, + {0, 2056, "0"}, + {"reasons", 1610637314, "ReasonFlags"}, + {0, 4104, "1"}, + {"cRLIssuer", 536895490, "GeneralNames"}, + {0, 4104, "2"}, + {"DistributionPointName", 1610612754, 0}, + {"fullName", 1610620930, "GeneralNames"}, + {0, 4104, "0"}, + {"nameRelativeToCRLIssuer", 536879106, "RelativeDistinguishedName"}, + {0, 4104, "1"}, + {"ReasonFlags", 1610874886, 0}, + {"unused", 1073741825, "0"}, + {"keyCompromise", 1073741825, "1"}, + {"cACompromise", 1073741825, "2"}, + {"affiliationChanged", 1073741825, "3"}, + {"superseded", 1073741825, "4"}, + {"cessationOfOperation", 1073741825, "5"}, + {"certificateHold", 1073741825, "6"}, + {"privilegeWithdrawn", 1073741825, "7"}, + {"aACompromise", 1, "8"}, + {"id-ce-extKeyUsage", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "37"}, + {"ExtKeyUsageSyntax", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "KeyPurposeId"}, + {"KeyPurposeId", 1073741836, 0}, + {"id-kp-serverAuth", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "1"}, + {"id-kp-clientAuth", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "2"}, + {"id-kp-codeSigning", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "3"}, + {"id-kp-emailProtection", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "4"}, + {"id-kp-ipsecEndSystem", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "5"}, + {"id-kp-ipsecTunnel", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "6"}, + {"id-kp-ipsecUser", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "7"}, + {"id-kp-timeStamping", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "8"}, + {"id-pe-authorityInfoAccess", 1879048204, 0}, + {0, 1073741825, "id-pe"}, + {0, 1, "1"}, + {"AuthorityInfoAccessSyntax", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "AccessDescription"}, + {"AccessDescription", 1610612741, 0}, + {"accessMethod", 1073741836, 0}, + {"accessLocation", 2, "GeneralName"}, + {"id-ce-cRLNumber", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "20"}, + {"CRLNumber", 1611137027, 0}, + {"0", 10, "MAX"}, + {"id-ce-issuingDistributionPoint", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "28"}, + {"IssuingDistributionPoint", 1610612741, 0}, + {"distributionPoint", 1610637314, "DistributionPointName"}, + {0, 4104, "0"}, + {"onlyContainsUserCerts", 1610653700, 0}, + {0, 1073872905, 0}, + {0, 4104, "1"}, + {"onlyContainsCACerts", 1610653700, 0}, + {0, 1073872905, 0}, + {0, 4104, "2"}, + {"onlySomeReasons", 1610637314, "ReasonFlags"}, + {0, 4104, "3"}, + {"indirectCRL", 536911876, 0}, + {0, 1073872905, 0}, + {0, 4104, "4"}, + {"id-ce-deltaCRLIndicator", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "27"}, + {"BaseCRLNumber", 1073741826, "CRLNumber"}, + {"id-ce-cRLReasons", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "21"}, + {"CRLReason", 1610874901, 0}, + {"unspecified", 1073741825, "0"}, + {"keyCompromise", 1073741825, "1"}, + {"cACompromise", 1073741825, "2"}, + {"affiliationChanged", 1073741825, "3"}, + {"superseded", 1073741825, "4"}, + {"cessationOfOperation", 1073741825, "5"}, + {"certificateHold", 1073741825, "6"}, + {"removeFromCRL", 1, "8"}, + {"id-ce-certificateIssuer", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "29"}, + {"CertificateIssuer", 1073741826, "GeneralNames"}, + {"id-ce-holdInstructionCode", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "23"}, + {"HoldInstructionCode", 1073741836, 0}, + {"holdInstruction", 1879048204, 0}, + {"joint-iso-itu-t", 1073741825, "2"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"x9cm", 1073741825, "10040"}, + {0, 1, "2"}, + {"id-holdinstruction-none", 1879048204, 0}, + {0, 1073741825, "holdInstruction"}, + {0, 1, "1"}, + {"id-holdinstruction-callissuer", 1879048204, 0}, + {0, 1073741825, "holdInstruction"}, + {0, 1, "2"}, + {"id-holdinstruction-reject", 1879048204, 0}, + {0, 1073741825, "holdInstruction"}, + {0, 1, "3"}, + {"id-ce-invalidityDate", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "24"}, + {"InvalidityDate", 1082130449, 0}, + {"VisibleString", 1610620935, 0}, + {0, 4360, "26"}, + {"NumericString", 1610620935, 0}, + {0, 4360, "18"}, + {"IA5String", 1610620935, 0}, + {0, 4360, "22"}, + {"TeletexString", 1610620935, 0}, + {0, 4360, "20"}, + {"PrintableString", 1610620935, 0}, + {0, 4360, "19"}, + {"UniversalString", 1610620935, 0}, + {0, 4360, "28"}, + {"BMPString", 1610620935, 0}, + {0, 4360, "30"}, + {"UTF8String", 1610620935, 0}, + {0, 4360, "12"}, + {"id-pkix", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"identified-organization", 1073741825, "3"}, + {"dod", 1073741825, "6"}, + {"internet", 1073741825, "1"}, + {"security", 1073741825, "5"}, + {"mechanisms", 1073741825, "5"}, + {"pkix", 1, "7"}, + {"id-pe", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "1"}, + {"id-qt", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "2"}, + {"id-kp", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "3"}, + {"id-ad", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "48"}, + {"id-qt-cps", 1879048204, 0}, + {0, 1073741825, "id-qt"}, + {0, 1, "1"}, + {"id-qt-unotice", 1879048204, 0}, + {0, 1073741825, "id-qt"}, + {0, 1, "2"}, + {"id-ad-ocsp", 1879048204, 0}, + {0, 1073741825, "id-ad"}, + {0, 1, "1"}, + {"id-ad-caIssuers", 1879048204, 0}, + {0, 1073741825, "id-ad"}, + {0, 1, "2"}, + {"Attribute", 1610612741, 0}, + {"type", 1073741826, "AttributeType"}, + {"values", 536870927, 0}, + {0, 2, "AttributeValue"}, + {"AttributeType", 1073741836, 0}, + {"AttributeValue", 1614807053, 0}, + {"type", 1, 0}, + {"AttributeTypeAndValue", 1610612741, 0}, + {"type", 1073741826, "AttributeType"}, + {"value", 2, "AttributeValue"}, + {"id-at", 1879048204, 0}, + {"joint-iso-ccitt", 1073741825, "2"}, + {"ds", 1073741825, "5"}, + {0, 1, "4"}, + {"id-at-initials", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "43"}, + {"X520initials", 1073741826, "DirectoryString"}, + {"id-at-generationQualifier", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "44"}, + {"X520generationQualifier", 1073741826, "DirectoryString"}, + {"id-at-surname", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "4"}, + {"X520surName", 1073741826, "DirectoryString"}, + {"id-at-givenName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "42"}, + {"X520givenName", 1073741826, "DirectoryString"}, + {"id-at-name", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "41"}, + {"X520name", 1073741826, "DirectoryString"}, + {"id-at-commonName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "3"}, + {"X520CommonName", 1073741826, "DirectoryString"}, + {"id-at-localityName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "7"}, + {"X520LocalityName", 1073741826, "DirectoryString"}, + {"id-at-stateOrProvinceName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "8"}, + {"X520StateOrProvinceName", 1073741826, "DirectoryString"}, + {"id-at-organizationName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "10"}, + {"X520OrganizationName", 1073741826, "DirectoryString"}, + {"id-at-organizationalUnitName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "11"}, + {"X520OrganizationalUnitName", 1073741826, "DirectoryString"}, + {"id-at-title", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "12"}, + {"X520Title", 1073741826, "DirectoryString"}, + {"id-at-description", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "13"}, + {"X520Description", 1073741826, "DirectoryString"}, + {"id-at-dnQualifier", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "46"}, + {"X520dnQualifier", 1073741826, "PrintableString"}, + {"id-at-countryName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "6"}, + {"X520countryName", 1612709890, "PrintableString"}, + {0, 1048586, "2"}, + {"id-at-serialNumber", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "5"}, + {"X520serialNumber", 1073741826, "PrintableString"}, + {"id-at-telephoneNumber", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "20"}, + {"X520telephoneNumber", 1073741826, "PrintableString"}, + {"id-at-facsimileTelephoneNumber", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "23"}, + {"X520facsimileTelephoneNumber", 1073741826, "PrintableString"}, + {"id-at-pseudonym", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "65"}, + {"X520pseudonym", 1073741826, "DirectoryString"}, + {"id-at-name", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "41"}, + {"X520name", 1073741826, "DirectoryString"}, + {"id-at-streetAddress", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "9"}, + {"X520streetAddress", 1073741826, "DirectoryString"}, + {"id-at-postalAddress", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "16"}, + {"X520postalAddress", 1073741826, "PostalAddress"}, + {"PostalAddress", 1610612747, 0}, + {0, 2, "DirectoryString"}, + {"pkcs", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"rsadsi", 1073741825, "113549"}, + {"pkcs", 1, "1"}, + {"pkcs-9", 1879048204, 0}, + {0, 1073741825, "pkcs"}, + {0, 1, "9"}, + {"emailAddress", 1880096780, "AttributeType"}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "1"}, + {"Pkcs9email", 1612709890, "IA5String"}, + {"ub-emailaddress-length", 524298, "1"}, + {"Name", 1610612754, 0}, + {"rdnSequence", 2, "RDNSequence"}, + {"RDNSequence", 1610612747, 0}, + {0, 2, "RelativeDistinguishedName"}, + {"DistinguishedName", 1073741826, "RDNSequence"}, + {"RelativeDistinguishedName", 1612709903, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "AttributeTypeAndValue"}, + {"Certificate", 1610612741, 0}, + {"tbsCertificate", 1073741826, "TBSCertificate"}, + {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"signature", 6, 0}, + {"TBSCertificate", 1610612741, 0}, + {"version", 1610653698, "Version"}, + {0, 1073741833, "v1"}, + {0, 2056, "0"}, + {"serialNumber", 1073741826, "CertificateSerialNumber"}, + {"signature", 1073741826, "AlgorithmIdentifier"}, + {"issuer", 1073741826, "Name"}, + {"validity", 1073741826, "Validity"}, + {"subject", 1073741826, "Name"}, + {"subjectPublicKeyInfo", 1073741826, "SubjectPublicKeyInfo"}, + {"issuerUniqueID", 1610637314, "UniqueIdentifier"}, + {0, 4104, "1"}, + {"subjectUniqueID", 1610637314, "UniqueIdentifier"}, + {0, 4104, "2"}, + {"extensions", 536895490, "Extensions"}, + {0, 2056, "3"}, + {"Version", 1610874883, 0}, + {"v1", 1073741825, "0"}, + {"v2", 1073741825, "1"}, + {"v3", 1, "2"}, + {"CertificateSerialNumber", 1073741827, 0}, + {"Validity", 1610612741, 0}, + {"notBefore", 1073741826, "Time"}, + {"notAfter", 2, "Time"}, + {"Time", 1610612754, 0}, + {"utcTime", 1090519057, 0}, + {"generalTime", 8388625, 0}, + {"UniqueIdentifier", 1073741830, 0}, + {"SubjectPublicKeyInfo", 1610612741, 0}, + {"algorithm", 1073741826, "AlgorithmIdentifier"}, + {"subjectPublicKey", 6, 0}, + {"Extensions", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "Extension"}, + {"Extension", 1610612741, 0}, + {"extnID", 1073741836, 0}, + {"critical", 1610645508, 0}, + {0, 131081, 0}, + {"extnValue", 7, 0}, + {"CertificateList", 1610612741, 0}, + {"tbsCertList", 1073741826, "TBSCertList"}, + {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"signature", 6, 0}, + {"TBSCertList", 1610612741, 0}, + {"version", 1073758210, "Version"}, + {"signature", 1073741826, "AlgorithmIdentifier"}, + {"issuer", 1073741826, "Name"}, + {"thisUpdate", 1073741826, "Time"}, + {"nextUpdate", 1073758210, "Time"}, + {"revokedCertificates", 1610629131, 0}, + {0, 536870917, 0}, + {"userCertificate", 1073741826, "CertificateSerialNumber"}, + {"revocationDate", 1073741826, "Time"}, + {"crlEntryExtensions", 16386, "Extensions"}, + {"crlExtensions", 536895490, "Extensions"}, + {0, 2056, "0"}, + {"AlgorithmIdentifier", 1610612741, 0}, + {"algorithm", 1073741836, 0}, + {"parameters", 541081613, 0}, + {"algorithm", 1, 0}, + {"pkcs-1", 1879048204, 0}, + {0, 1073741825, "pkcs"}, + {0, 1, "1"}, + {"rsaEncryption", 1879048204, 0}, + {0, 1073741825, "pkcs-1"}, + {0, 1, "1"}, + {"md2WithRSAEncryption", 1879048204, 0}, + {0, 1073741825, "pkcs-1"}, + {0, 1, "2"}, + {"md5WithRSAEncryption", 1879048204, 0}, + {0, 1073741825, "pkcs-1"}, + {0, 1, "4"}, + {"sha1WithRSAEncryption", 1879048204, 0}, + {0, 1073741825, "pkcs-1"}, + {0, 1, "5"}, + {"id-dsa-with-sha1", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"x9-57", 1073741825, "10040"}, + {"x9algorithm", 1073741825, "4"}, + {0, 1, "3"}, + {"Dss-Sig-Value", 1610612741, 0}, + {"r", 1073741827, 0}, + {"s", 3, 0}, + {"dhpublicnumber", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"ansi-x942", 1073741825, "10046"}, + {"number-type", 1073741825, "2"}, + {0, 1, "1"}, + {"DomainParameters", 1610612741, 0}, + {"p", 1073741827, 0}, + {"g", 1073741827, 0}, + {"q", 1073741827, 0}, + {"j", 1073758211, 0}, + {"validationParms", 16386, "ValidationParms"}, + {"ValidationParms", 1610612741, 0}, + {"seed", 1073741830, 0}, + {"pgenCounter", 3, 0}, + {"id-dsa", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"x9-57", 1073741825, "10040"}, + {"x9algorithm", 1073741825, "4"}, + {0, 1, "1"}, + {"Dss-Parms", 1610612741, 0}, + {"p", 1073741827, 0}, + {"q", 1073741827, 0}, + {"g", 3, 0}, + {"ORAddress", 1610612741, 0}, + {"built-in-standard-attributes", 1073741826, + "BuiltInStandardAttributes"}, + {"built-in-domain-defined-attributes", 1073758210, + "BuiltInDomainDefinedAttributes"}, + {"extension-attributes", 16386, "ExtensionAttributes"}, + {"BuiltInStandardAttributes", 1610612741, 0}, + {"country-name", 1073758210, "CountryName"}, + {"administration-domain-name", 1073758210, "AdministrationDomainName"}, + {"network-address", 1610637314, "NetworkAddress"}, + {0, 2056, "0"}, + {"terminal-identifier", 1610637314, "TerminalIdentifier"}, + {0, 2056, "1"}, + {"private-domain-name", 1610637314, "PrivateDomainName"}, + {0, 2056, "2"}, + {"organization-name", 1610637314, "OrganizationName"}, + {0, 2056, "3"}, + {"numeric-user-identifier", 1610637314, "NumericUserIdentifier"}, + {0, 2056, "4"}, + {"personal-name", 1610637314, "PersonalName"}, + {0, 2056, "5"}, + {"organizational-unit-names", 536895490, "OrganizationalUnitNames"}, + {0, 2056, "6"}, + {"CountryName", 1610620946, 0}, + {0, 1073746952, "1"}, + {"x121-dcc-code", 1612709890, "NumericString"}, + {0, 1048586, "ub-country-name-numeric-length"}, + {"iso-3166-alpha2-code", 538968066, "PrintableString"}, + {0, 1048586, "ub-country-name-alpha-length"}, + {"AdministrationDomainName", 1610620946, 0}, + {0, 1073744904, "2"}, + {"numeric", 1612709890, "NumericString"}, + {"ub-domain-name-length", 524298, "0"}, + {"printable", 538968066, "PrintableString"}, + {"ub-domain-name-length", 524298, "0"}, + {"NetworkAddress", 1073741826, "X121Address"}, + {"X121Address", 1612709890, "NumericString"}, + {"ub-x121-address-length", 524298, "1"}, + {"TerminalIdentifier", 1612709890, "PrintableString"}, + {"ub-terminal-id-length", 524298, "1"}, + {"PrivateDomainName", 1610612754, 0}, + {"numeric", 1612709890, "NumericString"}, + {"ub-domain-name-length", 524298, "1"}, + {"printable", 538968066, "PrintableString"}, + {"ub-domain-name-length", 524298, "1"}, + {"OrganizationName", 1612709890, "PrintableString"}, + {"ub-organization-name-length", 524298, "1"}, + {"NumericUserIdentifier", 1612709890, "NumericString"}, + {"ub-numeric-user-id-length", 524298, "1"}, + {"PersonalName", 1610612750, 0}, + {"surname", 1814044674, "PrintableString"}, + {0, 1073745928, "0"}, + {"ub-surname-length", 524298, "1"}, + {"given-name", 1814061058, "PrintableString"}, + {0, 1073745928, "1"}, + {"ub-given-name-length", 524298, "1"}, + {"initials", 1814061058, "PrintableString"}, + {0, 1073745928, "2"}, + {"ub-initials-length", 524298, "1"}, + {"generation-qualifier", 740319234, "PrintableString"}, + {0, 1073745928, "3"}, + {"ub-generation-qualifier-length", 524298, "1"}, + {"OrganizationalUnitNames", 1612709899, 0}, + {"ub-organizational-units", 1074266122, "1"}, + {0, 2, "OrganizationalUnitName"}, + {"OrganizationalUnitName", 1612709890, "PrintableString"}, + {"ub-organizational-unit-name-length", 524298, "1"}, + {"BuiltInDomainDefinedAttributes", 1612709899, 0}, + {"ub-domain-defined-attributes", 1074266122, "1"}, + {0, 2, "BuiltInDomainDefinedAttribute"}, + {"BuiltInDomainDefinedAttribute", 1610612741, 0}, + {"type", 1612709890, "PrintableString"}, + {"ub-domain-defined-attribute-type-length", 524298, "1"}, + {"value", 538968066, "PrintableString"}, + {"ub-domain-defined-attribute-value-length", 524298, "1"}, + {"ExtensionAttributes", 1612709903, 0}, + {"ub-extension-attributes", 1074266122, "1"}, + {0, 2, "ExtensionAttribute"}, + {"ExtensionAttribute", 1610612741, 0}, + {"extension-attribute-type", 1611145219, 0}, + {0, 1073743880, "0"}, + {"0", 10, "ub-extension-attributes"}, + {"extension-attribute-value", 541073421, 0}, + {0, 1073743880, "1"}, + {"extension-attribute-type", 1, 0}, + {"common-name", 1342177283, "1"}, + {"CommonName", 1612709890, "PrintableString"}, + {"ub-common-name-length", 524298, "1"}, + {"teletex-common-name", 1342177283, "2"}, + {"TeletexCommonName", 1612709890, "TeletexString"}, + {"ub-common-name-length", 524298, "1"}, + {"teletex-organization-name", 1342177283, "3"}, + {"TeletexOrganizationName", 1612709890, "TeletexString"}, + {"ub-organization-name-length", 524298, "1"}, + {"teletex-personal-name", 1342177283, "4"}, + {"TeletexPersonalName", 1610612750, 0}, + {"surname", 1814044674, "TeletexString"}, + {0, 1073743880, "0"}, + {"ub-surname-length", 524298, "1"}, + {"given-name", 1814061058, "TeletexString"}, + {0, 1073743880, "1"}, + {"ub-given-name-length", 524298, "1"}, + {"initials", 1814061058, "TeletexString"}, + {0, 1073743880, "2"}, + {"ub-initials-length", 524298, "1"}, + {"generation-qualifier", 740319234, "TeletexString"}, + {0, 1073743880, "3"}, + {"ub-generation-qualifier-length", 524298, "1"}, + {"teletex-organizational-unit-names", 1342177283, "5"}, + {"TeletexOrganizationalUnitNames", 1612709899, 0}, + {"ub-organizational-units", 1074266122, "1"}, + {0, 2, "TeletexOrganizationalUnitName"}, + {"TeletexOrganizationalUnitName", 1612709890, "TeletexString"}, + {"ub-organizational-unit-name-length", 524298, "1"}, + {"pds-name", 1342177283, "7"}, + {"PDSName", 1612709890, "PrintableString"}, + {"ub-pds-name-length", 524298, "1"}, + {"physical-delivery-country-name", 1342177283, "8"}, + {"PhysicalDeliveryCountryName", 1610612754, 0}, + {"x121-dcc-code", 1612709890, "NumericString"}, + {0, 1048586, "ub-country-name-numeric-length"}, + {"iso-3166-alpha2-code", 538968066, "PrintableString"}, + {0, 1048586, "ub-country-name-alpha-length"}, + {"postal-code", 1342177283, "9"}, + {"PostalCode", 1610612754, 0}, + {"numeric-code", 1612709890, "NumericString"}, + {"ub-postal-code-length", 524298, "1"}, + {"printable-code", 538968066, "PrintableString"}, + {"ub-postal-code-length", 524298, "1"}, + {"physical-delivery-office-name", 1342177283, "10"}, + {"PhysicalDeliveryOfficeName", 1073741826, "PDSParameter"}, + {"physical-delivery-office-number", 1342177283, "11"}, + {"PhysicalDeliveryOfficeNumber", 1073741826, "PDSParameter"}, + {"extension-OR-address-components", 1342177283, "12"}, + {"ExtensionORAddressComponents", 1073741826, "PDSParameter"}, + {"physical-delivery-personal-name", 1342177283, "13"}, + {"PhysicalDeliveryPersonalName", 1073741826, "PDSParameter"}, + {"physical-delivery-organization-name", 1342177283, "14"}, + {"PhysicalDeliveryOrganizationName", 1073741826, "PDSParameter"}, + {"extension-physical-delivery-address-components", 1342177283, "15"}, + {"ExtensionPhysicalDeliveryAddressComponents", 1073741826, + "PDSParameter"}, + {"unformatted-postal-address", 1342177283, "16"}, + {"UnformattedPostalAddress", 1610612750, 0}, + {"printable-address", 1814052875, 0}, + {"ub-pds-physical-address-lines", 1074266122, "1"}, + {0, 538968066, "PrintableString"}, + {"ub-pds-parameter-length", 524298, "1"}, + {"teletex-string", 740311042, "TeletexString"}, + {"ub-unformatted-address-length", 524298, "1"}, + {"street-address", 1342177283, "17"}, + {"StreetAddress", 1073741826, "PDSParameter"}, + {"post-office-box-address", 1342177283, "18"}, + {"PostOfficeBoxAddress", 1073741826, "PDSParameter"}, + {"poste-restante-address", 1342177283, "19"}, + {"PosteRestanteAddress", 1073741826, "PDSParameter"}, + {"unique-postal-name", 1342177283, "20"}, + {"UniquePostalName", 1073741826, "PDSParameter"}, + {"local-postal-attributes", 1342177283, "21"}, + {"LocalPostalAttributes", 1073741826, "PDSParameter"}, + {"PDSParameter", 1610612750, 0}, + {"printable-string", 1814052866, "PrintableString"}, + {"ub-pds-parameter-length", 524298, "1"}, + {"teletex-string", 740311042, "TeletexString"}, + {"ub-pds-parameter-length", 524298, "1"}, + {"extended-network-address", 1342177283, "22"}, + {"ExtendedNetworkAddress", 1610612754, 0}, + {"e163-4-address", 1610612741, 0}, + {"number", 1612718082, "NumericString"}, + {0, 1073743880, "0"}, + {"ub-e163-4-number-length", 524298, "1"}, + {"sub-address", 538992642, "NumericString"}, + {0, 1073743880, "1"}, + {"ub-e163-4-sub-address-length", 524298, "1"}, + {"psap-address", 536879106, "PresentationAddress"}, + {0, 2056, "0"}, + {"PresentationAddress", 1610612741, 0}, + {"pSelector", 1610637319, 0}, + {0, 2056, "0"}, + {"sSelector", 1610637319, 0}, + {0, 2056, "1"}, + {"tSelector", 1610637319, 0}, + {0, 2056, "2"}, + {"nAddresses", 538976271, 0}, + {0, 1073743880, "3"}, + {"MAX", 1074266122, "1"}, + {0, 7, 0}, + {"terminal-type", 1342177283, "23"}, + {"TerminalType", 1610874883, 0}, + {"telex", 1073741825, "3"}, + {"teletex", 1073741825, "4"}, + {"g3-facsimile", 1073741825, "5"}, + {"g4-facsimile", 1073741825, "6"}, + {"ia5-terminal", 1073741825, "7"}, + {"videotex", 1, "8"}, + {"teletex-domain-defined-attributes", 1342177283, "6"}, + {"TeletexDomainDefinedAttributes", 1612709899, 0}, + {"ub-domain-defined-attributes", 1074266122, "1"}, + {0, 2, "TeletexDomainDefinedAttribute"}, + {"TeletexDomainDefinedAttribute", 1610612741, 0}, + {"type", 1612709890, "TeletexString"}, + {"ub-domain-defined-attribute-type-length", 524298, "1"}, + {"value", 538968066, "TeletexString"}, + {"ub-domain-defined-attribute-value-length", 524298, "1"}, + {"ub-name", 1342177283, "32768"}, + {"ub-common-name", 1342177283, "64"}, + {"ub-locality-name", 1342177283, "128"}, + {"ub-state-name", 1342177283, "128"}, + {"ub-organization-name", 1342177283, "64"}, + {"ub-organizational-unit-name", 1342177283, "64"}, + {"ub-title", 1342177283, "64"}, + {"ub-match", 1342177283, "128"}, + {"ub-emailaddress-length", 1342177283, "128"}, + {"ub-common-name-length", 1342177283, "64"}, + {"ub-country-name-alpha-length", 1342177283, "2"}, + {"ub-country-name-numeric-length", 1342177283, "3"}, + {"ub-domain-defined-attributes", 1342177283, "4"}, + {"ub-domain-defined-attribute-type-length", 1342177283, "8"}, + {"ub-domain-defined-attribute-value-length", 1342177283, "128"}, + {"ub-domain-name-length", 1342177283, "16"}, + {"ub-extension-attributes", 1342177283, "256"}, + {"ub-e163-4-number-length", 1342177283, "15"}, + {"ub-e163-4-sub-address-length", 1342177283, "40"}, + {"ub-generation-qualifier-length", 1342177283, "3"}, + {"ub-given-name-length", 1342177283, "16"}, + {"ub-initials-length", 1342177283, "5"}, + {"ub-integer-options", 1342177283, "256"}, + {"ub-numeric-user-id-length", 1342177283, "32"}, + {"ub-organization-name-length", 1342177283, "64"}, + {"ub-organizational-unit-name-length", 1342177283, "32"}, + {"ub-organizational-units", 1342177283, "4"}, + {"ub-pds-name-length", 1342177283, "16"}, + {"ub-pds-parameter-length", 1342177283, "30"}, + {"ub-pds-physical-address-lines", 1342177283, "6"}, + {"ub-postal-code-length", 1342177283, "16"}, + {"ub-surname-length", 1342177283, "40"}, + {"ub-terminal-id-length", 1342177283, "24"}, + {"ub-unformatted-address-length", 1342177283, "180"}, + {"ub-x121-address-length", 1342177283, "16"}, + {"pkcs-7-ContentInfo", 1610612741, 0}, + {"contentType", 1073741826, "pkcs-7-ContentType"}, + {"content", 541073421, 0}, + {0, 1073743880, "0"}, + {"contentType", 1, 0}, + {"pkcs-7-DigestInfo", 1610612741, 0}, + {"digestAlgorithm", 1073741826, "pkcs-7-DigestAlgorithmIdentifier"}, + {"digest", 2, "pkcs-7-Digest"}, + {"pkcs-7-Digest", 1073741831, 0}, + {"pkcs-7-ContentType", 1073741836, 0}, + {"pkcs-7-SignedData", 1610612741, 0}, + {"version", 1073741826, "pkcs-7-CMSVersion"}, + {"digestAlgorithms", 1073741826, "pkcs-7-DigestAlgorithmIdentifiers"}, + {"encapContentInfo", 1073741826, "pkcs-7-EncapsulatedContentInfo"}, + {"certificates", 1610637314, "pkcs-7-CertificateSet"}, + {0, 4104, "0"}, + {"crls", 1610637314, "pkcs-7-CertificateRevocationLists"}, + {0, 4104, "1"}, + {"signerInfos", 2, "pkcs-7-SignerInfos"}, + {"pkcs-7-CMSVersion", 1610874883, 0}, + {"v0", 1073741825, "0"}, + {"v1", 1073741825, "1"}, + {"v2", 1073741825, "2"}, + {"v3", 1073741825, "3"}, + {"v4", 1, "4"}, + {"pkcs-7-DigestAlgorithmIdentifiers", 1610612751, 0}, + {0, 2, "pkcs-7-DigestAlgorithmIdentifier"}, + {"pkcs-7-DigestAlgorithmIdentifier", 1073741826, + "AlgorithmIdentifier"}, + {"pkcs-7-EncapsulatedContentInfo", 1610612741, 0}, + {"eContentType", 1073741826, "pkcs-7-ContentType"}, + {"eContent", 536895495, 0}, + {0, 2056, "0"}, + {"pkcs-7-CertificateRevocationLists", 1610612751, 0}, + {0, 13, 0}, + {"pkcs-7-CertificateChoices", 1610612754, 0}, + {"certificate", 13, 0}, + {"pkcs-7-CertificateSet", 1610612751, 0}, + {0, 2, "pkcs-7-CertificateChoices"}, + {"pkcs-7-SignerInfos", 1610612751, 0}, + {0, 13, 0}, + {"pkcs-10-CertificationRequestInfo", 1610612741, 0}, + {"version", 1610874883, 0}, + {"v1", 1, "0"}, + {"subject", 1073741826, "Name"}, + {"subjectPKInfo", 1073741826, "SubjectPublicKeyInfo"}, + {"attributes", 536879106, "Attributes"}, + {0, 4104, "0"}, + {"Attributes", 1610612751, 0}, + {0, 2, "Attribute"}, + {"pkcs-10-CertificationRequest", 1610612741, 0}, + {"certificationRequestInfo", 1073741826, + "pkcs-10-CertificationRequestInfo"}, + {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"signature", 6, 0}, + {"pkcs-9-ub-challengePassword", 1342177283, "255"}, + {"pkcs-9-certTypes", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "22"}, + {"pkcs-9-crlTypes", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "23"}, + {"pkcs-9-at-challengePassword", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "7"}, + {"pkcs-9-challengePassword", 1610612754, 0}, + {"printableString", 1612709890, "PrintableString"}, + {"pkcs-9-ub-challengePassword", 524298, "1"}, + {"utf8String", 538968066, "UTF8String"}, + {"pkcs-9-ub-challengePassword", 524298, "1"}, + {"pkcs-9-at-localKeyId", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "21"}, + {"pkcs-9-localKeyId", 1073741831, 0}, + {"pkcs-9-at-friendlyName", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "20"}, + {"pkcs-9-friendlyName", 1612709890, "BMPString"}, + {"255", 524298, "1"}, + {"pkcs-8-PrivateKeyInfo", 1610612741, 0}, + {"version", 1073741826, "pkcs-8-Version"}, + {"privateKeyAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"privateKey", 1073741826, "pkcs-8-PrivateKey"}, + {"attributes", 536895490, "Attributes"}, + {0, 4104, "0"}, + {"pkcs-8-Version", 1610874883, 0}, + {"v1", 1, "0"}, + {"pkcs-8-PrivateKey", 1073741831, 0}, + {"pkcs-8-Attributes", 1610612751, 0}, + {0, 2, "Attribute"}, + {"pkcs-8-EncryptedPrivateKeyInfo", 1610612741, 0}, + {"encryptionAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"encryptedData", 2, "pkcs-8-EncryptedData"}, + {"pkcs-8-EncryptedData", 1073741831, 0}, + {"pkcs-5", 1879048204, 0}, + {0, 1073741825, "pkcs"}, + {0, 1, "5"}, + {"pkcs-5-encryptionAlgorithm", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"rsadsi", 1073741825, "113549"}, + {0, 1, "3"}, + {"pkcs-5-des-EDE3-CBC", 1879048204, 0}, + {0, 1073741825, "pkcs-5-encryptionAlgorithm"}, + {0, 1, "7"}, + {"pkcs-5-des-EDE3-CBC-params", 1612709895, 0}, + {0, 1048586, "8"}, + {"pkcs-5-id-PBES2", 1879048204, 0}, + {0, 1073741825, "pkcs-5"}, + {0, 1, "13"}, + {"pkcs-5-PBES2-params", 1610612741, 0}, + {"keyDerivationFunc", 1073741826, "AlgorithmIdentifier"}, + {"encryptionScheme", 2, "AlgorithmIdentifier"}, + {"pkcs-5-id-PBKDF2", 1879048204, 0}, + {0, 1073741825, "pkcs-5"}, + {0, 1, "12"}, + {"pkcs-5-PBKDF2-params", 1610612741, 0}, + {"salt", 1610612754, 0}, + {"specified", 1073741831, 0}, + {"otherSource", 2, "AlgorithmIdentifier"}, + {"iterationCount", 1611137027, 0}, + {"1", 10, "MAX"}, + {"keyLength", 1611153411, 0}, + {"1", 10, "MAX"}, + {"prf", 16386, "AlgorithmIdentifier"}, + {"pkcs-12", 1879048204, 0}, + {0, 1073741825, "pkcs"}, + {0, 1, "12"}, + {"pkcs-12-PFX", 1610612741, 0}, + {"version", 1610874883, 0}, + {"v3", 1, "3"}, + {"authSafe", 1073741826, "pkcs-7-ContentInfo"}, + {"macData", 16386, "pkcs-12-MacData"}, + {"pkcs-12-PbeParams", 1610612741, 0}, + {"salt", 1073741831, 0}, + {"iterations", 3, 0}, + {"pkcs-12-MacData", 1610612741, 0}, + {"mac", 1073741826, "pkcs-7-DigestInfo"}, + {"macSalt", 1073741831, 0}, + {"iterations", 536903683, 0}, + {0, 9, "1"}, + {"pkcs-12-AuthenticatedSafe", 1610612747, 0}, + {0, 2, "pkcs-7-ContentInfo"}, + {"pkcs-12-SafeContents", 1610612747, 0}, + {0, 2, "pkcs-12-SafeBag"}, + {"pkcs-12-SafeBag", 1610612741, 0}, + {"bagId", 1073741836, 0}, + {"bagValue", 1614815245, 0}, + {0, 1073743880, "0"}, + {"badId", 1, 0}, + {"bagAttributes", 536887311, 0}, + {0, 2, "pkcs-12-PKCS12Attribute"}, + {"pkcs-12-bagtypes", 1879048204, 0}, + {0, 1073741825, "pkcs-12"}, + {0, 1073741825, "10"}, + {0, 1, "1"}, + {"pkcs-12-keyBag", 1879048204, 0}, + {0, 1073741825, "pkcs-12-bagtypes"}, + {0, 1, "1"}, + {"pkcs-12-pkcs8ShroudedKeyBag", 1879048204, 0}, + {0, 1073741825, "pkcs-12-bagtypes"}, + {0, 1, "2"}, + {"pkcs-12-certBag", 1879048204, 0}, + {0, 1073741825, "pkcs-12-bagtypes"}, + {0, 1, "3"}, + {"pkcs-12-crlBag", 1879048204, 0}, + {0, 1073741825, "pkcs-12-bagtypes"}, + {0, 1, "4"}, + {"pkcs-12-KeyBag", 1073741826, "pkcs-8-PrivateKeyInfo"}, + {"pkcs-12-PKCS8ShroudedKeyBag", 1073741826, + "pkcs-8-EncryptedPrivateKeyInfo"}, + {"pkcs-12-CertBag", 1610612741, 0}, + {"certId", 1073741836, 0}, + {"certValue", 541073421, 0}, + {0, 1073743880, "0"}, + {"certId", 1, 0}, + {"pkcs-12-CRLBag", 1610612741, 0}, + {"crlId", 1073741836, 0}, + {"crlValue", 541073421, 0}, + {0, 1073743880, "0"}, + {"crlId", 1, 0}, + {"pkcs-12-PKCS12Attribute", 1073741826, "Attribute"}, + {"pkcs-7-data", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"rsadsi", 1073741825, "113549"}, + {"pkcs", 1073741825, "1"}, + {"pkcs7", 1073741825, "7"}, + {0, 1, "1"}, + {"pkcs-7-encryptedData", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"rsadsi", 1073741825, "113549"}, + {"pkcs", 1073741825, "1"}, + {"pkcs7", 1073741825, "7"}, + {0, 1, "6"}, + {"pkcs-7-Data", 1073741831, 0}, + {"pkcs-7-EncryptedData", 1610612741, 0}, + {"version", 1073741826, "pkcs-7-CMSVersion"}, + {"encryptedContentInfo", 1073741826, "pkcs-7-EncryptedContentInfo"}, + {"unprotectedAttrs", 536895490, "pkcs-7-UnprotectedAttributes"}, + {0, 4104, "1"}, + {"pkcs-7-EncryptedContentInfo", 1610612741, 0}, + {"contentType", 1073741826, "pkcs-7-ContentType"}, + {"contentEncryptionAlgorithm", 1073741826, + "pkcs-7-ContentEncryptionAlgorithmIdentifier"}, + {"encryptedContent", 536895490, "pkcs-7-EncryptedContent"}, + {0, 4104, "0"}, + {"pkcs-7-ContentEncryptionAlgorithmIdentifier", 1073741826, + "AlgorithmIdentifier"}, + {"pkcs-7-EncryptedContent", 1073741831, 0}, + {"pkcs-7-UnprotectedAttributes", 1612709903, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "Attribute"}, + {"id-at-ldap-DC", 1880096780, "AttributeType"}, + {0, 1073741825, "0"}, + {0, 1073741825, "9"}, + {0, 1073741825, "2342"}, + {0, 1073741825, "19200300"}, + {0, 1073741825, "100"}, + {0, 1073741825, "1"}, + {0, 1, "25"}, + {"ldap-DC", 1073741826, "IA5String"}, + {"id-at-ldap-UID", 1880096780, "AttributeType"}, + {0, 1073741825, "0"}, + {0, 1073741825, "9"}, + {0, 1073741825, "2342"}, + {0, 1073741825, "19200300"}, + {0, 1073741825, "100"}, + {0, 1073741825, "1"}, + {0, 1, "1"}, + {"ldap-UID", 1073741826, "IA5String"}, + {"id-pda", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "9"}, + {"id-pda-dateOfBirth", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "1"}, + {"DateOfBirth", 1082130449, 0}, + {"id-pda-placeOfBirth", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "2"}, + {"PlaceOfBirth", 1073741826, "DirectoryString"}, + {"id-pda-gender", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "3"}, + {"Gender", 1612709890, "PrintableString"}, + {0, 1048586, "1"}, + {"id-pda-countryOfCitizenship", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "4"}, + {"CountryOfCitizenship", 1612709890, "PrintableString"}, + {0, 1048586, "2"}, + {"id-pda-countryOfResidence", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "5"}, + {"CountryOfResidence", 538968066, "PrintableString"}, + {0, 1048586, "2"}, + {0, 0, 0} }; diff --git a/lib/strfile.h b/lib/strfile.h index 56ed41fed1..8afa7efcfe 100644 --- a/lib/strfile.h +++ b/lib/strfile.h @@ -1,8 +1,8 @@ typedef struct { - opaque * data; - size_t size; - int mmaped; + opaque *data; + size_t size; + int mmaped; } strfile; -void _gnutls_strfile_free( strfile *x); -strfile _gnutls_file_to_str( const char * file); +void _gnutls_strfile_free(strfile * x); +strfile _gnutls_file_to_str(const char *file); diff --git a/lib/strnstr.c b/lib/strnstr.c index 7eaa9d0dac..d664384ee7 100644 --- a/lib/strnstr.c +++ b/lib/strnstr.c @@ -26,23 +26,25 @@ char *strnstr(const char *haystack, const char *needle, size_t haystacklen) { - char *p; - ssize_t plen; - ssize_t len = strlen(needle); + char *p; + ssize_t plen; + ssize_t len = strlen(needle); - if (*needle == '\0') /* everything matches empty string */ - return (char*) haystack; + if (*needle == '\0') /* everything matches empty string */ + return (char *) haystack; - plen = haystacklen; - for (p = (char*) haystack; p != NULL; p = memchr(p + 1, *needle, plen-1)) { - plen = haystacklen - (p - haystack); + plen = haystacklen; + for (p = (char *) haystack; p != NULL; + p = memchr(p + 1, *needle, plen - 1)) { + plen = haystacklen - (p - haystack); - if (plen < len) return NULL; + if (plen < len) + return NULL; - if (strncmp(p, needle, len) == 0) - return (p); - } - return NULL; + if (strncmp(p, needle, len) == 0) + return (p); + } + return NULL; } #endif diff --git a/lib/x509/common.c b/lib/x509/common.c index 2cd9149917..9b281dfe4d 100644 --- a/lib/x509/common.c +++ b/lib/x509/common.c @@ -34,64 +34,65 @@ #include <time.h> typedef struct _oid2string { - const char * oid; - const char * ldap_desc; - int choice; /* of type DirectoryString */ - int printable; + const char *oid; + const char *ldap_desc; + int choice; /* of type DirectoryString */ + int printable; } oid2string; /* This list contains all the OIDs that may be * contained in a rdnSequence and are printable. */ static const oid2string _oid2str[] = { - /* PKIX - */ - {"1.3.6.1.5.5.7.9.1", "dateOfBirth", 0, 1}, - {"1.3.6.1.5.5.7.9.2", "placeOfBirth", 0, 1}, - {"1.3.6.1.5.5.7.9.3", "gender", 0, 1}, - {"1.3.6.1.5.5.7.9.4", "countryOfCitizenship", 0, 1}, - {"1.3.6.1.5.5.7.9.5", "countryOfResidence", 0, 1}, - - {"2.5.4.6", "C", 0, 1}, - {"2.5.4.9", "STREET", 1, 1}, - {"2.5.4.12", "T", 1, 1}, - {"2.5.4.10", "O", 1, 1}, - {"2.5.4.11", "OU", 1, 1}, - {"2.5.4.3", "CN", 1, 1}, - {"2.5.4.7", "L", 1, 1}, - {"2.5.4.8", "ST", 1, 1}, - - {"2.5.4.5", "serialNumber", 0, 1}, - {"2.5.4.20", "telephoneNumber", 0, 1}, - {"2.5.4.4", "surName", 1, 1}, - {"2.5.4.43", "initials", 1, 1}, - {"2.5.4.44", "generationQualifier", 1, 1}, - {"2.5.4.42", "givenName", 1, 1}, - {"2.5.4.65", "pseudonym", 1, 1}, - {"2.5.4.46", "dnQualifier", 0, 1}, - - {"0.9.2342.19200300.100.1.25", "DC", 0, 1}, - {"0.9.2342.19200300.100.1.1", "UID", 0, 1}, - {"1.2.840.113549.1.9.1", "EMAIL", 0, 1}, - {"1.2.840.113549.1.9.7", NULL, 1, 1}, - - /* friendly name */ - {"1.2.840.113549.1.9.20", NULL, 0, 1}, - {NULL, NULL, 0, 0} + /* PKIX + */ + {"1.3.6.1.5.5.7.9.1", "dateOfBirth", 0, 1}, + {"1.3.6.1.5.5.7.9.2", "placeOfBirth", 0, 1}, + {"1.3.6.1.5.5.7.9.3", "gender", 0, 1}, + {"1.3.6.1.5.5.7.9.4", "countryOfCitizenship", 0, 1}, + {"1.3.6.1.5.5.7.9.5", "countryOfResidence", 0, 1}, + + {"2.5.4.6", "C", 0, 1}, + {"2.5.4.9", "STREET", 1, 1}, + {"2.5.4.12", "T", 1, 1}, + {"2.5.4.10", "O", 1, 1}, + {"2.5.4.11", "OU", 1, 1}, + {"2.5.4.3", "CN", 1, 1}, + {"2.5.4.7", "L", 1, 1}, + {"2.5.4.8", "ST", 1, 1}, + + {"2.5.4.5", "serialNumber", 0, 1}, + {"2.5.4.20", "telephoneNumber", 0, 1}, + {"2.5.4.4", "surName", 1, 1}, + {"2.5.4.43", "initials", 1, 1}, + {"2.5.4.44", "generationQualifier", 1, 1}, + {"2.5.4.42", "givenName", 1, 1}, + {"2.5.4.65", "pseudonym", 1, 1}, + {"2.5.4.46", "dnQualifier", 0, 1}, + + {"0.9.2342.19200300.100.1.25", "DC", 0, 1}, + {"0.9.2342.19200300.100.1.1", "UID", 0, 1}, + {"1.2.840.113549.1.9.1", "EMAIL", 0, 1}, + {"1.2.840.113549.1.9.7", NULL, 1, 1}, + + /* friendly name */ + {"1.2.840.113549.1.9.20", NULL, 0, 1}, + {NULL, NULL, 0, 0} }; /* Returns 1 if the data defined by the OID are printable. */ -int _gnutls_x509_oid_data_printable( const char* oid) { -int i = 0; +int _gnutls_x509_oid_data_printable(const char *oid) +{ + int i = 0; - do { - if ( strcmp(_oid2str[i].oid, oid)==0) - return _oid2str[i].printable; - i++; - } while( _oid2str[i].oid != NULL); + do { + if (strcmp(_oid2str[i].oid, oid) == 0) + return _oid2str[i].printable; + i++; + } while (_oid2str[i].oid != NULL); - return 0; + return 0; } /** @@ -108,44 +109,46 @@ int i = 0; * Returns 1 on known OIDs and 0 otherwise. * **/ -int gnutls_x509_dn_oid_known( const char* oid) +int gnutls_x509_dn_oid_known(const char *oid) { -int i = 0; + int i = 0; - do { - if ( strcmp(_oid2str[i].oid, oid)==0) - return 1; - i++; - } while( _oid2str[i].oid != NULL); + do { + if (strcmp(_oid2str[i].oid, oid) == 0) + return 1; + i++; + } while (_oid2str[i].oid != NULL); - return 0; + return 0; } /* Returns 1 if the data defined by the OID are of a choice * type. */ -int _gnutls_x509_oid_data_choice( const char* oid) { -int i = 0; +int _gnutls_x509_oid_data_choice(const char *oid) +{ + int i = 0; - do { - if ( strcmp(_oid2str[i].oid, oid)==0) - return _oid2str[i].choice; - i++; - } while( _oid2str[i].oid != NULL); + do { + if (strcmp(_oid2str[i].oid, oid) == 0) + return _oid2str[i].choice; + i++; + } while (_oid2str[i].oid != NULL); - return 0; + return 0; } -const char* _gnutls_x509_oid2ldap_string( const char* oid) { -int i = 0; +const char *_gnutls_x509_oid2ldap_string(const char *oid) +{ + int i = 0; - do { - if ( strcmp(_oid2str[i].oid, oid)==0) - return _oid2str[i].ldap_desc; - i++; - } while( _oid2str[i].oid != NULL); + do { + if (strcmp(_oid2str[i].oid, oid) == 0) + return _oid2str[i].ldap_desc; + i++; + } while (_oid2str[i].oid != NULL); - return NULL; + return NULL; } /* This function will convert an attribute value, specified by the OID, @@ -154,84 +157,87 @@ int i = 0; * res may be null. This will just return the res_size, needed to * hold the string. */ -int _gnutls_x509_oid_data2string( const char* oid, void* value, - int value_size, char * res, size_t *res_size) +int _gnutls_x509_oid_data2string(const char *oid, void *value, + int value_size, char *res, + size_t * res_size) { -char str[1024], tmpname[128]; -const char* ANAME = NULL; -int CHOICE = -1, len = -1, result; -ASN1_TYPE tmpasn = ASN1_TYPE_EMPTY; - - if (value==NULL || value_size <=0 || res_size == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if ( _gnutls_x509_oid_data_printable( oid) == 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - ANAME = asn1_find_structure_from_oid( _gnutls_get_pkix(), oid); - CHOICE = _gnutls_x509_oid_data_choice( oid); + char str[1024], tmpname[128]; + const char *ANAME = NULL; + int CHOICE = -1, len = -1, result; + ASN1_TYPE tmpasn = ASN1_TYPE_EMPTY; + + if (value == NULL || value_size <= 0 || res_size == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (_gnutls_x509_oid_data_printable(oid) == 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + ANAME = asn1_find_structure_from_oid(_gnutls_get_pkix(), oid); + CHOICE = _gnutls_x509_oid_data_choice(oid); + + if (ANAME == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + _gnutls_str_cpy(str, sizeof(str), "PKIX1."); + _gnutls_str_cat(str, sizeof(str), ANAME); + + if ((result = + asn1_create_element(_gnutls_get_pkix(), str, + &tmpasn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if ((result = + asn1_der_decoding(&tmpasn, value, value_size, + NULL)) != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&tmpasn); + return _gnutls_asn2err(result); + } + + /* If this is a choice then we read the choice. Otherwise it + * is the value; + */ + len = sizeof(str) - 1; + if ((result = asn1_read_value(tmpasn, "", str, &len)) != ASN1_SUCCESS) { /* CHOICE */ + gnutls_assert(); + asn1_delete_structure(&tmpasn); + return _gnutls_asn2err(result); + } - if (ANAME==NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (CHOICE == 0) { + str[len] = 0; + if (res) + _gnutls_str_cpy(res, *res_size, str); + *res_size = len; - _gnutls_str_cpy(str, sizeof(str), "PKIX1."); - _gnutls_str_cat(str, sizeof(str), ANAME); + } else { /* CHOICE */ + str[len] = 0; + _gnutls_str_cpy(tmpname, sizeof(tmpname), str); + len = sizeof(str) - 1; if ((result = - asn1_create_element(_gnutls_get_pkix(), str, - &tmpasn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if ((result = asn1_der_decoding(&tmpasn, value, value_size, NULL)) != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&tmpasn); - return _gnutls_asn2err(result); + asn1_read_value(tmpasn, tmpname, str, + &len)) != ASN1_SUCCESS) { + asn1_delete_structure(&tmpasn); + return _gnutls_asn2err(result); } + str[len] = 0; - /* If this is a choice then we read the choice. Otherwise it - * is the value; - */ - len = sizeof( str) - 1; - if ((result = asn1_read_value(tmpasn, "", str, &len)) != ASN1_SUCCESS) { /* CHOICE */ - gnutls_assert(); - asn1_delete_structure(&tmpasn); - return _gnutls_asn2err(result); - } + if (res) + _gnutls_str_cpy(res, *res_size, str); + *res_size = len; + } + asn1_delete_structure(&tmpasn); - if (CHOICE == 0) { - str[len] = 0; - if (res) - _gnutls_str_cpy(res, *res_size, str); - *res_size = len; - - } else { /* CHOICE */ - str[len] = 0; - _gnutls_str_cpy( tmpname, sizeof(tmpname), str); - - len = sizeof(str) - 1; - if ((result = - asn1_read_value(tmpasn, tmpname, str, - &len)) != ASN1_SUCCESS) { - asn1_delete_structure(&tmpasn); - return _gnutls_asn2err(result); - } - str[len] = 0; - - if (res) - _gnutls_str_cpy(res, *res_size, str); - *res_size = len; - } - asn1_delete_structure(&tmpasn); - - return 0; + return 0; } @@ -242,92 +248,105 @@ ASN1_TYPE tmpasn = ASN1_TYPE_EMPTY; */ void _gnutls_int2str(unsigned int k, char *data) { - if (k > 999) - sprintf(data, "%d", 999); - else - sprintf(data, "%d", k); + if (k > 999) + sprintf(data, "%d", 999); + else + sprintf(data, "%d", k); } -gnutls_pk_algorithm _gnutls_x509_oid2pk_algorithm( const char* oid) +gnutls_pk_algorithm _gnutls_x509_oid2pk_algorithm(const char *oid) { - if (strcmp( oid, PKIX1_RSA_OID) == 0) /* pkix-1 1 - RSA */ - return GNUTLS_PK_RSA; - else if (strcmp( oid, DSA_OID) == 0) - return GNUTLS_PK_DSA; + if (strcmp(oid, PKIX1_RSA_OID) == 0) /* pkix-1 1 - RSA */ + return GNUTLS_PK_RSA; + else if (strcmp(oid, DSA_OID) == 0) + return GNUTLS_PK_DSA; - _gnutls_x509_log("Unknown PK OID: '%s'\n", oid); + _gnutls_x509_log("Unknown PK OID: '%s'\n", oid); - return GNUTLS_PK_UNKNOWN; + return GNUTLS_PK_UNKNOWN; } -gnutls_sign_algorithm _gnutls_x509_oid2sign_algorithm( const char* oid) +gnutls_sign_algorithm _gnutls_x509_oid2sign_algorithm(const char *oid) { - if (strcmp( oid, RSA_MD5_OID) == 0) { - return GNUTLS_SIGN_RSA_MD5; - } else if (strcmp( oid, RSA_SHA1_OID) == 0) { - return GNUTLS_SIGN_RSA_SHA; - } else if (strcmp( oid, RSA_MD2_OID) == 0) { - return GNUTLS_SIGN_RSA_MD2; - } else if (strcmp( oid, DSA_SHA1_OID) == 0) { - return GNUTLS_SIGN_DSA_SHA; - } - - _gnutls_x509_log("Unknown SIGN OID: '%s'\n", oid); - - return GNUTLS_SIGN_UNKNOWN; + if (strcmp(oid, RSA_MD5_OID) == 0) { + return GNUTLS_SIGN_RSA_MD5; + } else if (strcmp(oid, RSA_SHA1_OID) == 0) { + return GNUTLS_SIGN_RSA_SHA; + } else if (strcmp(oid, RSA_MD2_OID) == 0) { + return GNUTLS_SIGN_RSA_MD2; + } else if (strcmp(oid, DSA_SHA1_OID) == 0) { + return GNUTLS_SIGN_DSA_SHA; + } + + _gnutls_x509_log("Unknown SIGN OID: '%s'\n", oid); + + return GNUTLS_SIGN_UNKNOWN; } /* returns -1 on error */ -gnutls_mac_algorithm _gnutls_x509_oid2mac_algorithm( const char* oid) +gnutls_mac_algorithm _gnutls_x509_oid2mac_algorithm(const char *oid) { - if (strcmp( oid, OID_SHA1) == 0) - return GNUTLS_MAC_SHA; - else if (strcmp( oid, OID_MD5) == 0) - return GNUTLS_MAC_MD5; + if (strcmp(oid, OID_SHA1) == 0) + return GNUTLS_MAC_SHA; + else if (strcmp(oid, OID_MD5) == 0) + return GNUTLS_MAC_MD5; - return GNUTLS_MAC_UNKNOWN; + return GNUTLS_MAC_UNKNOWN; } -const char* _gnutls_x509_mac_to_oid( gnutls_mac_algorithm mac) +const char *_gnutls_x509_mac_to_oid(gnutls_mac_algorithm mac) { - if (mac == GNUTLS_MAC_SHA) return OID_SHA1; - else if (mac == GNUTLS_MAC_MD5) return OID_MD5; - else return NULL; + if (mac == GNUTLS_MAC_SHA) + return OID_SHA1; + else if (mac == GNUTLS_MAC_MD5) + return OID_MD5; + else + return NULL; } -const char* _gnutls_x509_pk_to_oid( gnutls_pk_algorithm pk) +const char *_gnutls_x509_pk_to_oid(gnutls_pk_algorithm pk) { - if (pk == GNUTLS_PK_RSA) return PKIX1_RSA_OID; - else if (pk == GNUTLS_PK_DSA) return DSA_OID; - else return NULL; + if (pk == GNUTLS_PK_RSA) + return PKIX1_RSA_OID; + else if (pk == GNUTLS_PK_DSA) + return DSA_OID; + else + return NULL; } -gnutls_sign_algorithm _gnutls_x509_pk_to_sign( - gnutls_pk_algorithm pk, gnutls_mac_algorithm mac) +gnutls_sign_algorithm _gnutls_x509_pk_to_sign(gnutls_pk_algorithm pk, + gnutls_mac_algorithm mac) { - if (pk == GNUTLS_PK_RSA) { - if (mac == GNUTLS_MAC_SHA) return GNUTLS_SIGN_RSA_SHA; - else if (mac == GNUTLS_MAC_MD5) return GNUTLS_SIGN_RSA_MD5; - } else if (pk == GNUTLS_PK_DSA) { - if (mac == GNUTLS_MAC_SHA) return GNUTLS_SIGN_DSA_SHA; - } - return GNUTLS_SIGN_UNKNOWN; + if (pk == GNUTLS_PK_RSA) { + if (mac == GNUTLS_MAC_SHA) + return GNUTLS_SIGN_RSA_SHA; + else if (mac == GNUTLS_MAC_MD5) + return GNUTLS_SIGN_RSA_MD5; + } else if (pk == GNUTLS_PK_DSA) { + if (mac == GNUTLS_MAC_SHA) + return GNUTLS_SIGN_DSA_SHA; + } + return GNUTLS_SIGN_UNKNOWN; } -const char* _gnutls_x509_sign_to_oid( gnutls_pk_algorithm pk, gnutls_mac_algorithm mac) +const char *_gnutls_x509_sign_to_oid(gnutls_pk_algorithm pk, + gnutls_mac_algorithm mac) { -gnutls_sign_algorithm sign; + gnutls_sign_algorithm sign; - sign = _gnutls_x509_pk_to_sign( pk, mac); + sign = _gnutls_x509_pk_to_sign(pk, mac); - if (sign == GNUTLS_SIGN_RSA_SHA) return RSA_SHA1_OID; - else if (sign == GNUTLS_SIGN_RSA_MD5) return RSA_MD5_OID; - else if (sign == GNUTLS_SIGN_DSA_SHA) return DSA_SHA1_OID; - - return NULL; + if (sign == GNUTLS_SIGN_RSA_SHA) + return RSA_SHA1_OID; + else if (sign == GNUTLS_SIGN_RSA_MD5) + return RSA_MD5_OID; + else if (sign == GNUTLS_SIGN_DSA_SHA) + return DSA_SHA1_OID; + + return NULL; } @@ -341,22 +360,22 @@ gnutls_sign_algorithm sign; * depend on the libc structure. */ typedef struct fake_tm { - int tm_mon; - int tm_year; /* FULL year - ie 1971 */ - int tm_mday; - int tm_hour; - int tm_min; - int tm_sec; + int tm_mon; + int tm_year; /* FULL year - ie 1971 */ + int tm_mday; + int tm_hour; + int tm_min; + int tm_sec; } fake_tm; /* The mktime_utc function is due to Russ Allbery (rra@stanford.edu), * who placed it under public domain: */ - + /* The number of days in each month. */ static const int MONTHDAYS[] = { - 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 + 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 }; /* Whether a given year is a leap year. */ @@ -371,29 +390,29 @@ static const int MONTHDAYS[] = { */ static time_t mktime_utc(const struct fake_tm *tm) { - time_t result = 0; - int i; + time_t result = 0; + int i; /* We do allow some ill-formed dates, but we don't do anything special * with them and our callers really shouldn't pass them to us. Do * explicitly disallow the ones that would cause invalid array accesses * or other algorithm problems. */ - if (tm->tm_mon < 0 || tm->tm_mon > 11 || tm->tm_year < 1970) - return (time_t) - 1; + if (tm->tm_mon < 0 || tm->tm_mon > 11 || tm->tm_year < 1970) + return (time_t) - 1; /* Convert to a time_t. */ - for (i = 1970; i < tm->tm_year; i++) - result += 365 + ISLEAP(i); - for (i = 0; i < tm->tm_mon; i++) - result += MONTHDAYS[i]; - if (tm->tm_mon > 1 && ISLEAP(tm->tm_year)) - result++; - result = 24 * (result + tm->tm_mday - 1) + tm->tm_hour; - result = 60 * result + tm->tm_min; - result = 60 * result + tm->tm_sec; - return result; + for (i = 1970; i < tm->tm_year; i++) + result += 365 + ISLEAP(i); + for (i = 0; i < tm->tm_mon; i++) + result += MONTHDAYS[i]; + if (tm->tm_mon > 1 && ISLEAP(tm->tm_year)) + result++; + result = 24 * (result + tm->tm_mday - 1) + tm->tm_hour; + result = 60 * result + tm->tm_min; + result = 60 * result + tm->tm_sec; + return result; } @@ -403,54 +422,54 @@ static time_t mktime_utc(const struct fake_tm *tm) */ time_t _gnutls_x509_time2gtime(const char *ttime, int year) { - char xx[3]; - struct fake_tm etime; - time_t ret; + char xx[3]; + struct fake_tm etime; + time_t ret; - if (strlen( ttime) < 8) { - gnutls_assert(); - return (time_t) -1; - } + if (strlen(ttime) < 8) { + gnutls_assert(); + return (time_t) - 1; + } - etime.tm_year = year; + etime.tm_year = year; - /* In order to work with 32 bit - * time_t. - */ - if (sizeof (time_t) <= 4 && etime.tm_year >= 2038) - return (time_t)2145914603; /* 2037-12-31 23:23:23 */ + /* In order to work with 32 bit + * time_t. + */ + if (sizeof(time_t) <= 4 && etime.tm_year >= 2038) + return (time_t) 2145914603; /* 2037-12-31 23:23:23 */ - xx[2] = 0; + xx[2] = 0; /* get the month */ - memcpy(xx, ttime, 2); /* month */ - etime.tm_mon = atoi(xx) - 1; - ttime += 2; + memcpy(xx, ttime, 2); /* month */ + etime.tm_mon = atoi(xx) - 1; + ttime += 2; /* get the day */ - memcpy(xx, ttime, 2); /* day */ - etime.tm_mday = atoi(xx); - ttime += 2; + memcpy(xx, ttime, 2); /* day */ + etime.tm_mday = atoi(xx); + ttime += 2; /* get the hour */ - memcpy(xx, ttime, 2); /* hour */ - etime.tm_hour = atoi(xx); - ttime += 2; + memcpy(xx, ttime, 2); /* hour */ + etime.tm_hour = atoi(xx); + ttime += 2; /* get the minutes */ - memcpy(xx, ttime, 2); /* minutes */ - etime.tm_min = atoi(xx); - ttime += 2; + memcpy(xx, ttime, 2); /* minutes */ + etime.tm_min = atoi(xx); + ttime += 2; - etime.tm_sec = 0; + etime.tm_sec = 0; - ret = mktime_utc(&etime); + ret = mktime_utc(&etime); - return ret; + return ret; } @@ -460,57 +479,58 @@ time_t _gnutls_x509_time2gtime(const char *ttime, int year) */ time_t _gnutls_x509_utcTime2gtime(const char *ttime) { - char xx[3]; - int year; - - if (strlen( ttime) < 10) { - gnutls_assert(); - return (time_t) -1; - } - xx[2] = 0; + char xx[3]; + int year; + + if (strlen(ttime) < 10) { + gnutls_assert(); + return (time_t) - 1; + } + xx[2] = 0; /* get the year */ - memcpy(xx, ttime, 2); /* year */ - year = atoi(xx); - ttime += 2; + memcpy(xx, ttime, 2); /* year */ + year = atoi(xx); + ttime += 2; - if (year > 49) - year += 1900; - else - year += 2000; + if (year > 49) + year += 1900; + else + year += 2000; - return _gnutls_x509_time2gtime( ttime, year); + return _gnutls_x509_time2gtime(ttime, year); } /* returns a time value that contains the given time. * The given time is expressed as: * YEAR(2)|MONTH(2)|DAY(2)|HOUR(2)|MIN(2) */ -int _gnutls_x509_gtime2utcTime(time_t gtime, char *str_time, int str_time_size) +int _gnutls_x509_gtime2utcTime(time_t gtime, char *str_time, + int str_time_size) { -size_t ret; + size_t ret; #ifdef HAVE_GMTIME_R -struct tm _tm; + struct tm _tm; - gmtime_r( >ime, &_tm); + gmtime_r(>ime, &_tm); - ret = strftime( str_time, str_time_size, "%y%m%d%H%M00Z", &_tm); + ret = strftime(str_time, str_time_size, "%y%m%d%H%M00Z", &_tm); #else -struct tm* _tm; - - _tm = gmtime( >ime); - - ret = strftime( str_time, str_time_size, "%y%m%d%H%M00Z", _tm); + struct tm *_tm; + + _tm = gmtime(>ime); + + ret = strftime(str_time, str_time_size, "%y%m%d%H%M00Z", _tm); #endif - - if (!ret) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - return 0; - + + if (!ret) { + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + return 0; + } /* returns a time_t value that contains the given time. @@ -519,29 +539,29 @@ struct tm* _tm; */ time_t _gnutls_x509_generalTime2gtime(const char *ttime) { - char xx[5]; - int year; + char xx[5]; + int year; - if (strlen( ttime) < 12) { - gnutls_assert(); - return (time_t) -1; - } + if (strlen(ttime) < 12) { + gnutls_assert(); + return (time_t) - 1; + } - if (strchr(ttime, 'Z') == 0) { - gnutls_assert(); - /* sorry we don't support it yet - */ - return (time_t)-1; - } - xx[4] = 0; + if (strchr(ttime, 'Z') == 0) { + gnutls_assert(); + /* sorry we don't support it yet + */ + return (time_t) - 1; + } + xx[4] = 0; /* get the year */ - memcpy(xx, ttime, 4); /* year */ - year = atoi(xx); - ttime += 4; + memcpy(xx, ttime, 4); /* year */ + year = atoi(xx); + ttime += 4; - return _gnutls_x509_time2gtime( ttime, year); + return _gnutls_x509_time2gtime(ttime, year); } @@ -551,45 +571,45 @@ time_t _gnutls_x509_generalTime2gtime(const char *ttime) #define MAX_TIME 1024 time_t _gnutls_x509_get_time(ASN1_TYPE c2, const char *when) { - char ttime[MAX_TIME]; - char name[1024]; - time_t ctime = (time_t)-1; - int len, result; + char ttime[MAX_TIME]; + char name[1024]; + time_t ctime = (time_t) - 1; + int len, result; - _gnutls_str_cpy(name, sizeof(name), when); + _gnutls_str_cpy(name, sizeof(name), when); - len = sizeof(ttime) - 1; - if ((result = asn1_read_value(c2, name, ttime, &len)) < 0) { - gnutls_assert(); - return (time_t) (-1); - } + len = sizeof(ttime) - 1; + if ((result = asn1_read_value(c2, name, ttime, &len)) < 0) { + gnutls_assert(); + return (time_t) (-1); + } - /* CHOICE */ - if (strcmp(ttime, "GeneralizedTime") == 0) { - - _gnutls_str_cat(name, sizeof(name), ".generalTime"); - len = sizeof(ttime) - 1; - result = asn1_read_value(c2, name, ttime, &len); - if (result == ASN1_SUCCESS) - ctime = _gnutls_x509_generalTime2gtime(ttime); - } else { /* UTCTIME */ - - _gnutls_str_cat(name, sizeof(name), ".utcTime"); - len = sizeof(ttime) - 1; - result = asn1_read_value(c2, name, ttime, &len); - if (result == ASN1_SUCCESS) - ctime = _gnutls_x509_utcTime2gtime(ttime); - } + /* CHOICE */ + if (strcmp(ttime, "GeneralizedTime") == 0) { - /* We cannot handle dates after 2031 in 32 bit machines. - * a time_t of 64bits has to be used. - */ - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return (time_t) (-1); - } - return ctime; + _gnutls_str_cat(name, sizeof(name), ".generalTime"); + len = sizeof(ttime) - 1; + result = asn1_read_value(c2, name, ttime, &len); + if (result == ASN1_SUCCESS) + ctime = _gnutls_x509_generalTime2gtime(ttime); + } else { /* UTCTIME */ + + _gnutls_str_cat(name, sizeof(name), ".utcTime"); + len = sizeof(ttime) - 1; + result = asn1_read_value(c2, name, ttime, &len); + if (result == ASN1_SUCCESS) + ctime = _gnutls_x509_utcTime2gtime(ttime); + } + + /* We cannot handle dates after 2031 in 32 bit machines. + * a time_t of 64bits has to be used. + */ + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return (time_t) (-1); + } + return ctime; } /* Sets the time in time_t in the ASN1_TYPE given. Where should @@ -597,129 +617,138 @@ time_t _gnutls_x509_get_time(ASN1_TYPE c2, const char *when) */ int _gnutls_x509_set_time(ASN1_TYPE c2, const char *where, time_t tim) { - char str_time[MAX_TIME]; - char name[1024]; - int result, len; + char str_time[MAX_TIME]; + char name[1024]; + int result, len; - _gnutls_str_cpy(name, sizeof(name), where); + _gnutls_str_cpy(name, sizeof(name), where); - if ((result = asn1_write_value(c2, name, "utcTime", 1)) < 0) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if ((result = asn1_write_value(c2, name, "utcTime", 1)) < 0) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = _gnutls_x509_gtime2utcTime( tim, str_time, sizeof(str_time)); - if (result < 0) { - gnutls_assert(); - return result; - } + result = _gnutls_x509_gtime2utcTime(tim, str_time, sizeof(str_time)); + if (result < 0) { + gnutls_assert(); + return result; + } - _gnutls_str_cat(name, sizeof(name), ".utcTime"); + _gnutls_str_cat(name, sizeof(name), ".utcTime"); - result = asn1_write_value(c2, name, str_time, len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = asn1_write_value(c2, name, str_time, len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } -gnutls_x509_subject_alt_name _gnutls_x509_san_find_type( char* str_type) +gnutls_x509_subject_alt_name _gnutls_x509_san_find_type(char *str_type) { - if (strcmp( str_type, "dNSName")==0) return GNUTLS_SAN_DNSNAME; - if (strcmp( str_type, "rfc822Name")==0) return GNUTLS_SAN_RFC822NAME; - if (strcmp( str_type, "uniformResourceIdentifier")==0) return GNUTLS_SAN_URI; - if (strcmp( str_type, "iPAddress")==0) return GNUTLS_SAN_IPADDRESS; - return (gnutls_x509_subject_alt_name)-1; + if (strcmp(str_type, "dNSName") == 0) + return GNUTLS_SAN_DNSNAME; + if (strcmp(str_type, "rfc822Name") == 0) + return GNUTLS_SAN_RFC822NAME; + if (strcmp(str_type, "uniformResourceIdentifier") == 0) + return GNUTLS_SAN_URI; + if (strcmp(str_type, "iPAddress") == 0) + return GNUTLS_SAN_IPADDRESS; + return (gnutls_x509_subject_alt_name) - 1; } /* A generic export function. Will export the given ASN.1 encoded data * to PEM or DER raw data. */ -int _gnutls_x509_export_int( ASN1_TYPE asn1_data, - gnutls_x509_crt_fmt format, char* pem_header, - int tmp_buf_size, unsigned char* output_data, size_t* output_data_size) +int _gnutls_x509_export_int(ASN1_TYPE asn1_data, + gnutls_x509_crt_fmt format, char *pem_header, + int tmp_buf_size, unsigned char *output_data, + size_t * output_data_size) { - int result, len; - if (tmp_buf_size == 0) tmp_buf_size = 16*1024; - - if (format == GNUTLS_X509_FMT_DER) { - - if (output_data == NULL) *output_data_size = 0; - - len = *output_data_size; - - if ((result=asn1_der_coding( asn1_data, "", output_data, &len, NULL)) != ASN1_SUCCESS) - { - *output_data_size = len; - if (result == ASN1_MEM_ERROR) { - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - gnutls_assert(); - return _gnutls_asn2err(result); - } - - *output_data_size = len; - - } else { /* PEM */ - opaque *tmp; - opaque *out; - - len = tmp_buf_size; - - tmp = gnutls_alloca( len); - if (tmp == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - if ((result=asn1_der_coding( asn1_data, "", tmp, &len, NULL)) != ASN1_SUCCESS) { - gnutls_assert(); - if (result == ASN1_MEM_ERROR) { - *output_data_size = B64FSIZE(strlen(pem_header),len) + 1; - } - gnutls_afree(tmp); - return _gnutls_asn2err(result); - } - - result = _gnutls_fbase64_encode( pem_header, - tmp, len, &out); - - gnutls_afree(tmp); - - if (result < 0) { - gnutls_assert(); - return result; - } - - if (result == 0) { /* oooops */ - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - if ((uint)result > *output_data_size) { - gnutls_assert(); - gnutls_free(out); - *output_data_size = result; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - *output_data_size = result; - - if (output_data) { - memcpy( output_data, out, result); - - /* do not include the null character into output size. - */ - *output_data_size = result - 1; - } - gnutls_free( out); - + int result, len; + if (tmp_buf_size == 0) + tmp_buf_size = 16 * 1024; + + if (format == GNUTLS_X509_FMT_DER) { + + if (output_data == NULL) + *output_data_size = 0; + + len = *output_data_size; + + if ((result = + asn1_der_coding(asn1_data, "", output_data, &len, + NULL)) != ASN1_SUCCESS) { + *output_data_size = len; + if (result == ASN1_MEM_ERROR) { + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + gnutls_assert(); + return _gnutls_asn2err(result); + } + + *output_data_size = len; + + } else { /* PEM */ + opaque *tmp; + opaque *out; + + len = tmp_buf_size; + + tmp = gnutls_alloca(len); + if (tmp == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + if ((result = + asn1_der_coding(asn1_data, "", tmp, &len, + NULL)) != ASN1_SUCCESS) { + gnutls_assert(); + if (result == ASN1_MEM_ERROR) { + *output_data_size = B64FSIZE(strlen(pem_header), len) + 1; + } + gnutls_afree(tmp); + return _gnutls_asn2err(result); + } + + result = _gnutls_fbase64_encode(pem_header, tmp, len, &out); + + gnutls_afree(tmp); + + if (result < 0) { + gnutls_assert(); + return result; + } + + if (result == 0) { /* oooops */ + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - return 0; + if ((uint) result > *output_data_size) { + gnutls_assert(); + gnutls_free(out); + *output_data_size = result; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + *output_data_size = result; + + if (output_data) { + memcpy(output_data, out, result); + + /* do not include the null character into output size. + */ + *output_data_size = result - 1; + } + gnutls_free(out); + + } + + return 0; } @@ -728,71 +757,74 @@ int _gnutls_x509_export_int( ASN1_TYPE asn1_data, * If str is non zero, then the output will be treated as * an octet string. */ -int _gnutls_x509_read_value( ASN1_TYPE c, const char* root, gnutls_datum *ret, int str) +int _gnutls_x509_read_value(ASN1_TYPE c, const char *root, + gnutls_datum * ret, int str) { -int len = 0, result; -opaque* tmp = NULL; -ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - result = asn1_read_value(c, root, NULL, &len); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - return result; + int len = 0, result; + opaque *tmp = NULL; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + result = asn1_read_value(c, root, NULL, &len); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + return result; + } + + tmp = gnutls_malloc(len); + if (tmp == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + result = asn1_read_value(c, root, tmp, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Extract the OCTET STRING. + */ + + if (str) { + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - tmp = gnutls_malloc(len); - if (tmp == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - result = asn1_read_value(c, root, tmp, &len); + result = asn1_der_decoding(&c2, tmp, len, NULL); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - /* Extract the OCTET STRING. - */ - - if (str) { - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - result = asn1_der_decoding(&c2, tmp, len, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + result = asn1_read_value(c2, "", tmp, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + } - result = asn1_read_value(c2, "", tmp, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + ret->data = tmp; + ret->size = len; - } - - ret->data = tmp; - ret->size = len; - - return 0; + return 0; - cleanup: - if (c2) asn1_delete_structure(&c2); - gnutls_free(tmp); - return result; + cleanup: + if (c2) + asn1_delete_structure(&c2); + gnutls_free(tmp); + return result; } @@ -800,78 +832,80 @@ ASN1_TYPE c2 = ASN1_TYPE_EMPTY; * the given datum. If str is non null then the data are encoded as * an OCTET STRING. */ -int _gnutls_x509_der_encode( ASN1_TYPE src, const char* src_name, - gnutls_datum *res, int str) +int _gnutls_x509_der_encode(ASN1_TYPE src, const char *src_name, + gnutls_datum * res, int str) { -int size, result; -int asize; -opaque *data = NULL; -ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - size = 0; - result = asn1_der_coding( src, src_name, NULL, &size, NULL); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + int size, result; + int asize; + opaque *data = NULL; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + size = 0; + result = asn1_der_coding(src, src_name, NULL, &size, NULL); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* allocate data for the der + */ + + if (str) + size += 16; /* for later to include the octet tags */ + asize = size; + + data = gnutls_malloc(size); + if (data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + result = asn1_der_coding(src, src_name, data, &size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (str) { + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - /* allocate data for the der - */ - - if (str) size += 16; /* for later to include the octet tags */ - asize = size; - - data = gnutls_malloc( size); - if (data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + result = asn1_write_value(c2, "", data, size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - result = asn1_der_coding( src, src_name, data, &size, NULL); + result = asn1_der_coding(c2, "", data, &asize, NULL); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - if (str) { - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value(c2, "", data, size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_der_coding(c2, "", data, &asize, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - size = asize; - - asn1_delete_structure( &c2); - } + size = asize; + + asn1_delete_structure(&c2); + } - res->data = data; - res->size = size; - return 0; + res->data = data; + res->size = size; + return 0; - cleanup: - gnutls_free(data); - asn1_delete_structure( &c2); - return result; + cleanup: + gnutls_free(data); + asn1_delete_structure(&c2); + return result; } @@ -880,431 +914,438 @@ ASN1_TYPE c2 = ASN1_TYPE_EMPTY; * as OCTET. If str is non null then the data are encoded as * an OCTET STRING. */ -int _gnutls_x509_der_encode_and_copy( ASN1_TYPE src, const char* src_name, - ASN1_TYPE dest, const char* dest_name, int str) +int _gnutls_x509_der_encode_and_copy(ASN1_TYPE src, const char *src_name, + ASN1_TYPE dest, const char *dest_name, + int str) { -int result; -gnutls_datum encoded; + int result; + gnutls_datum encoded; - result = _gnutls_x509_der_encode( src, src_name, &encoded, str); + result = _gnutls_x509_der_encode(src, src_name, &encoded, str); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - /* Write the data. - */ - result = asn1_write_value( dest, dest_name, encoded.data, encoded.size); + /* Write the data. + */ + result = asn1_write_value(dest, dest_name, encoded.data, encoded.size); - _gnutls_free_datum(&encoded); + _gnutls_free_datum(&encoded); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /* Writes the value of the datum in the given ASN1_TYPE. If str is non * zero it encodes it as OCTET STRING. */ -int _gnutls_x509_write_value( ASN1_TYPE c, const char* root, - const gnutls_datum *data, int str) +int _gnutls_x509_write_value(ASN1_TYPE c, const char *root, + const gnutls_datum * data, int str) { -int result; -int asize; -ASN1_TYPE c2 = ASN1_TYPE_EMPTY; -gnutls_datum val; - - asize = data->size + 16; - - val.data = gnutls_malloc( asize); - if (val.data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + int result; + int asize; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + gnutls_datum val; + + asize = data->size + 16; + + val.data = gnutls_malloc(asize); + if (val.data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + if (str) { + /* Convert it to OCTET STRING + */ + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - if (str) { - /* Convert it to OCTET STRING - */ - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value(c2, "", data->data, data->size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = _gnutls_x509_der_encode( c2, "", &val, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - } else { - val.data = data->data; - val.size = data->size; + result = asn1_write_value(c2, "", data->data, data->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - /* Write the data. - */ - result = asn1_write_value( c, root, val.data, val.size); + result = _gnutls_x509_der_encode(c2, "", &val, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - if (val.data != data->data) - _gnutls_free_datum(&val); + } else { + val.data = data->data; + val.size = data->size; + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + /* Write the data. + */ + result = asn1_write_value(c, root, val.data, val.size); - return 0; - - cleanup: - if (val.data != data->data) _gnutls_free_datum( &val); - return result; + if (val.data != data->data) + _gnutls_free_datum(&val); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; + + cleanup: + if (val.data != data->data) + _gnutls_free_datum(&val); + return result; } /* Encodes and copies the private key parameters into a * subjectPublicKeyInfo structure. * */ -int _gnutls_x509_encode_and_copy_PKI_params( ASN1_TYPE dst, const char* dst_name, - gnutls_pk_algorithm pk_algorithm, mpi_t* params, int params_size) +int _gnutls_x509_encode_and_copy_PKI_params(ASN1_TYPE dst, + const char *dst_name, + gnutls_pk_algorithm + pk_algorithm, mpi_t * params, + int params_size) { -const char* pk; -gnutls_datum der = {NULL, 0}; -int result; -char name[128]; - - pk = _gnutls_x509_pk_to_oid( pk_algorithm); - if (pk == NULL) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_PK_ALGORITHM; - } - - /* write the OID + const char *pk; + gnutls_datum der = { NULL, 0 }; + int result; + char name[128]; + + pk = _gnutls_x509_pk_to_oid(pk_algorithm); + if (pk == NULL) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_PK_ALGORITHM; + } + + /* write the OID + */ + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".algorithm.algorithm"); + result = asn1_write_value(dst, name, pk, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (pk_algorithm == GNUTLS_PK_RSA) { + /* disable parameters, which are not used in RSA. */ - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".algorithm.algorithm"); - result = asn1_write_value( dst, name, pk, 1); + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".algorithm.parameters"); + result = asn1_write_value(dst, name, NULL, 0); if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + gnutls_assert(); + return _gnutls_asn2err(result); } - if (pk_algorithm == GNUTLS_PK_RSA) { - /* disable parameters, which are not used in RSA. - */ - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".algorithm.parameters"); - result = asn1_write_value( dst, name, NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_write_rsa_params( params, params_size, &der); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Write the DER parameters. (in bits) - */ - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".subjectPublicKey"); - result = asn1_write_value( dst, name, der.data, der.size*8); - - _gnutls_free_datum(&der); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - } else if (pk_algorithm == GNUTLS_PK_DSA) { - - result = _gnutls_x509_write_dsa_params( params, params_size, &der); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Write the DER parameters. - */ - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".algorithm.parameters"); - result = asn1_write_value( dst, name, der.data, der.size); - - _gnutls_free_datum(&der); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_write_dsa_public_key( params, params_size, &der); - if (result < 0) { - gnutls_assert(); - return result; - } - - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".subjectPublicKey"); - result = asn1_write_value( dst, name, der.data, der.size*8); - - _gnutls_free_datum(&der); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - } else return GNUTLS_E_UNIMPLEMENTED_FEATURE; - - return 0; -} + result = _gnutls_x509_write_rsa_params(params, params_size, &der); + if (result < 0) { + gnutls_assert(); + return result; + } -/* Reads and returns the PK algorithm of the given certificate-like - * ASN.1 structure. src_name should be something like "tbsCertificate.subjectPublicKeyInfo". - */ -int _gnutls_x509_get_pk_algorithm( ASN1_TYPE src, const char* src_name, unsigned int* bits) -{ -int result; -opaque *str = NULL; -int algo; -char oid[64]; -int len; -mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; -char name[128]; - - _gnutls_str_cpy( name, sizeof(name), src_name); - _gnutls_str_cat( name, sizeof(name), ".algorithm.algorithm"); - - len = sizeof(oid); - result = - asn1_read_value(src, name, oid, &len); + /* Write the DER parameters. (in bits) + */ + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".subjectPublicKey"); + result = asn1_write_value(dst, name, der.data, der.size * 8); + + _gnutls_free_datum(&der); if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + gnutls_assert(); + return _gnutls_asn2err(result); } + } else if (pk_algorithm == GNUTLS_PK_DSA) { - algo = _gnutls_x509_oid2pk_algorithm( oid); - - if ( bits==NULL) { - gnutls_free(str); - return algo; + result = _gnutls_x509_write_dsa_params(params, params_size, &der); + if (result < 0) { + gnutls_assert(); + return result; } - /* Now read the parameters' bits + /* Write the DER parameters. */ - _gnutls_str_cpy( name, sizeof(name), src_name); - _gnutls_str_cat( name, sizeof(name), ".subjectPublicKey"); - - len = 0; - result = asn1_read_value( src, name, NULL, &len); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".algorithm.parameters"); + result = asn1_write_value(dst, name, der.data, der.size); - if (len % 8 != 0) { - gnutls_assert(); - return GNUTLS_E_CERTIFICATE_ERROR; + _gnutls_free_datum(&der); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); } - - len /= 8; - - str = gnutls_malloc( len); - if (str == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + + result = + _gnutls_x509_write_dsa_public_key(params, params_size, &der); + if (result < 0) { + gnutls_assert(); + return result; } - _gnutls_str_cpy( name, sizeof(name), src_name); - _gnutls_str_cat( name, sizeof(name), ".subjectPublicKey"); + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".subjectPublicKey"); + result = asn1_write_value(dst, name, der.data, der.size * 8); + + _gnutls_free_datum(&der); - result = asn1_read_value(src, name, str, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(str); - return _gnutls_asn2err(result); + gnutls_assert(); + return _gnutls_asn2err(result); } - len /= 8; + } else + return GNUTLS_E_UNIMPLEMENTED_FEATURE; - if (algo==GNUTLS_PK_RSA) { - if ((result=_gnutls_x509_read_rsa_params( str, len, params)) < 0) { - gnutls_assert(); - return result; - } + return 0; +} - bits[0] = _gnutls_mpi_get_nbits( params[0]); - - _gnutls_mpi_release( ¶ms[0]); - _gnutls_mpi_release( ¶ms[1]); - } +/* Reads and returns the PK algorithm of the given certificate-like + * ASN.1 structure. src_name should be something like "tbsCertificate.subjectPublicKeyInfo". + */ +int _gnutls_x509_get_pk_algorithm(ASN1_TYPE src, const char *src_name, + unsigned int *bits) +{ + int result; + opaque *str = NULL; + int algo; + char oid[64]; + int len; + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + char name[128]; - if (algo==GNUTLS_PK_DSA) { + _gnutls_str_cpy(name, sizeof(name), src_name); + _gnutls_str_cat(name, sizeof(name), ".algorithm.algorithm"); - if ((result = - _gnutls_x509_read_dsa_pubkey(str, len, params)) < 0) { - gnutls_assert(); - return result; - } + len = sizeof(oid); + result = asn1_read_value(src, name, oid, &len); - bits[0] = _gnutls_mpi_get_nbits( params[3]); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - _gnutls_mpi_release( ¶ms[3]); - } + algo = _gnutls_x509_oid2pk_algorithm(oid); + if (bits == NULL) { gnutls_free(str); return algo; -} + } -ASN1_TYPE _asn1_find_node(ASN1_TYPE pointer,const char *name); + /* Now read the parameters' bits + */ + _gnutls_str_cpy(name, sizeof(name), src_name); + _gnutls_str_cat(name, sizeof(name), ".subjectPublicKey"); -int _gnutls_asn1_copy_node( ASN1_TYPE *dst, const char* dst_name, - ASN1_TYPE src, const char* src_name) -{ + len = 0; + result = asn1_read_value(src, name, NULL, &len); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - int result; - gnutls_datum der; - ASN1_TYPE dst_node; + if (len % 8 != 0) { + gnutls_assert(); + return GNUTLS_E_CERTIFICATE_ERROR; + } - result = _gnutls_x509_der_encode( src, src_name, &der, 0); - if (result < 0) { - gnutls_assert(); - return result; + len /= 8; + + str = gnutls_malloc(len); + if (str == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + _gnutls_str_cpy(name, sizeof(name), src_name); + _gnutls_str_cat(name, sizeof(name), ".subjectPublicKey"); + + result = asn1_read_value(src, name, str, &len); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(str); + return _gnutls_asn2err(result); + } + + len /= 8; + + if (algo == GNUTLS_PK_RSA) { + if ((result = _gnutls_x509_read_rsa_params(str, len, params)) < 0) { + gnutls_assert(); + return result; } - dst_node=_asn1_find_node(*dst, dst_name); - if(dst_node==NULL) { - gnutls_assert(); - return _gnutls_asn2err(ASN1_ELEMENT_NOT_FOUND); + bits[0] = _gnutls_mpi_get_nbits(params[0]); + + _gnutls_mpi_release(¶ms[0]); + _gnutls_mpi_release(¶ms[1]); + } + + if (algo == GNUTLS_PK_DSA) { + + if ((result = _gnutls_x509_read_dsa_pubkey(str, len, params)) < 0) { + gnutls_assert(); + return result; } - result = asn1_der_decoding( &dst_node, der.data, der.size, NULL); - + bits[0] = _gnutls_mpi_get_nbits(params[3]); + + _gnutls_mpi_release(¶ms[3]); + } + + gnutls_free(str); + return algo; +} + +ASN1_TYPE _asn1_find_node(ASN1_TYPE pointer, const char *name); + +int _gnutls_asn1_copy_node(ASN1_TYPE * dst, const char *dst_name, + ASN1_TYPE src, const char *src_name) +{ + + int result; + gnutls_datum der; + ASN1_TYPE dst_node; + + result = _gnutls_x509_der_encode(src, src_name, &der, 0); + if (result < 0) { + gnutls_assert(); + return result; + } + + dst_node = _asn1_find_node(*dst, dst_name); + if (dst_node == NULL) { + gnutls_assert(); + return _gnutls_asn2err(ASN1_ELEMENT_NOT_FOUND); + } + + result = asn1_der_decoding(&dst_node, der.data, der.size, NULL); + #if 0 - result = asn1_der_decoding_element( dst, dst_name, der.data, - der.size, NULL); + result = asn1_der_decoding_element(dst, dst_name, der.data, + der.size, NULL); #endif - _gnutls_free_datum( &der); + _gnutls_free_datum(&der); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - return 0; + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /* Reads the DER signed data from the certificate and allocates space and * returns them into signed_data. */ -int _gnutls_x509_get_signed_data( ASN1_TYPE src, const char* src_name, gnutls_datum * signed_data) +int _gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name, + gnutls_datum * signed_data) { -gnutls_datum der; -int start, end, result; + gnutls_datum der; + int start, end, result; - result = _gnutls_x509_der_encode( src, "", &der, 0); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Get the signed data - */ - result = asn1_der_decoding_startEnd( src, der.data, der.size, - src_name, &start, - &end); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; - } + result = _gnutls_x509_der_encode(src, "", &der, 0); + if (result < 0) { + gnutls_assert(); + return result; + } - result = - _gnutls_set_datum( signed_data, &der.data[start], end - start + 1); + /* Get the signed data + */ + result = asn1_der_decoding_startEnd(src, der.data, der.size, + src_name, &start, &end); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + result = + _gnutls_set_datum(signed_data, &der.data[start], end - start + 1); - result = 0; + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - cleanup: - _gnutls_free_datum(&der); + result = 0; - return result; -} + cleanup: + _gnutls_free_datum(&der); + + return result; +} /* Reads the DER signature from the certificate and allocates space and * returns them into signed_data. */ -int _gnutls_x509_get_signature( ASN1_TYPE src, const char* src_name, gnutls_datum * signature) +int _gnutls_x509_get_signature(ASN1_TYPE src, const char *src_name, + gnutls_datum * signature) { -int bits, result, len; - - signature->data = NULL; - signature->size = 0; - - /* Read the signature - */ - bits = 0; - result = asn1_read_value( src, src_name, NULL, &bits); - - if (result != ASN1_MEM_ERROR) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; - } - - if (bits % 8 != 0) { - gnutls_assert(); - result = GNUTLS_E_CERTIFICATE_ERROR; - goto cleanup; - } + int bits, result, len; + + signature->data = NULL; + signature->size = 0; + + /* Read the signature + */ + bits = 0; + result = asn1_read_value(src, src_name, NULL, &bits); + + if (result != ASN1_MEM_ERROR) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + if (bits % 8 != 0) { + gnutls_assert(); + result = GNUTLS_E_CERTIFICATE_ERROR; + goto cleanup; + } + + len = bits / 8; + + signature->data = gnutls_malloc(len); + if (signature->data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + return result; + } - len = bits/8; + /* read the bit string of the signature + */ + bits = len; + result = asn1_read_value(src, src_name, signature->data, &bits); - signature->data = gnutls_malloc( len); - if (signature->data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - return result; - } - - /* read the bit string of the signature - */ - bits = len; - result = asn1_read_value( src, src_name, signature->data, - &bits); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; - } - - signature->size = len; + signature->size = len; - return 0; + return 0; - cleanup: - return result; + cleanup: + return result; } diff --git a/lib/x509/compat.c b/lib/x509/compat.c index 00fcd4629a..90aae9e60a 100644 --- a/lib/x509/compat.c +++ b/lib/x509/compat.c @@ -27,7 +27,7 @@ #include <gnutls_global.h> #include <gnutls_errors.h> -#include <string.h> /* memset */ +#include <string.h> /* memset */ #include <dn.h> #include <libtasn1.h> #include <gnutls/x509.h> @@ -41,27 +41,26 @@ * Returns a (time_t) -1 in case of an error. * **/ -time_t _gnutls_x509_get_raw_crt_activation_time(const - gnutls_datum * - cert) +time_t _gnutls_x509_get_raw_crt_activation_time(const gnutls_datum * cert) { - gnutls_x509_crt xcert; - time_t result; + gnutls_x509_crt xcert; + time_t result; - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_activation_time( xcert); - - gnutls_x509_crt_deinit( xcert); - + result = gnutls_x509_crt_init(&xcert); + if (result < 0) return result; + + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); + return result; + } + + result = gnutls_x509_crt_get_activation_time(xcert); + + gnutls_x509_crt_deinit(xcert); + + return result; } /** @@ -73,26 +72,24 @@ time_t _gnutls_x509_get_raw_crt_activation_time(const * Returns a (time_t) -1 in case of an error. * **/ -time_t _gnutls_x509_get_raw_crt_expiration_time(const - gnutls_datum * - cert) +time_t _gnutls_x509_get_raw_crt_expiration_time(const gnutls_datum * cert) { - gnutls_x509_crt xcert; - time_t result; + gnutls_x509_crt xcert; + time_t result; - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_expiration_time( xcert); - - gnutls_x509_crt_deinit( xcert); - + result = gnutls_x509_crt_init(&xcert); + if (result < 0) return result; -} + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); + return result; + } + + result = gnutls_x509_crt_get_expiration_time(xcert); + + gnutls_x509_crt_deinit(xcert); + + return result; +} diff --git a/lib/x509/crl.c b/lib/x509/crl.c index 3ae42dced9..3a6673b76d 100644 --- a/lib/x509/crl.c +++ b/lib/x509/crl.c @@ -48,20 +48,20 @@ **/ int gnutls_x509_crl_init(gnutls_x509_crl * crl) { - *crl = gnutls_calloc(1, sizeof(gnutls_x509_crl_int)); - - if (*crl) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.CertificateList", - &(*crl)->crl); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free( *crl); - return _gnutls_asn2err(result); - } - return 0; /* success */ + *crl = gnutls_calloc(1, sizeof(gnutls_x509_crl_int)); + + if (*crl) { + int result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.CertificateList", + &(*crl)->crl); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*crl); + return _gnutls_asn2err(result); } - return GNUTLS_E_MEMORY_ERROR; + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -73,12 +73,13 @@ int gnutls_x509_crl_init(gnutls_x509_crl * crl) **/ void gnutls_x509_crl_deinit(gnutls_x509_crl crl) { - if (!crl) return; + if (!crl) + return; - if (crl->crl) - asn1_delete_structure(&crl->crl); + if (crl->crl) + asn1_delete_structure(&crl->crl); - gnutls_free(crl); + gnutls_free(crl); } /** @@ -98,57 +99,55 @@ void gnutls_x509_crl_deinit(gnutls_x509_crl crl) int gnutls_x509_crl_import(gnutls_x509_crl crl, const gnutls_datum * data, gnutls_x509_crt_fmt format) { - int result = 0, need_free = 0; - gnutls_datum _data; - - _data.data = data->data; - _data.size = data->size; - - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int result = 0, need_free = 0; + gnutls_datum _data; - /* If the CRL is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; + _data.data = data->data; + _data.size = data->size; - result = - _gnutls_fbase64_decode(PEM_CRL, data->data, data->size, - &out); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (result <= 0) { - if (result == 0) - result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } + /* If the CRL is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; - _data.data = out; - _data.size = result; + result = + _gnutls_fbase64_decode(PEM_CRL, data->data, data->size, &out); - need_free = 1; + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert(); + return result; } + _data.data = out; + _data.size = result; - result = - asn1_der_decoding(&crl->crl, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; - } + need_free = 1; + } - if (need_free) - _gnutls_free_datum(&_data); - return 0; + result = asn1_der_decoding(&crl->crl, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } - cleanup: - if (need_free) - _gnutls_free_datum(&_data); - return result; + if (need_free) + _gnutls_free_datum(&_data); + + return 0; + + cleanup: + if (need_free) + _gnutls_free_datum(&_data); + return result; } @@ -170,16 +169,16 @@ int gnutls_x509_crl_import(gnutls_x509_crl crl, const gnutls_datum * data, * **/ int gnutls_x509_crl_get_issuer_dn(gnutls_x509_crl crl, char *buf, - size_t *sizeof_buf) + size_t * sizeof_buf) { - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_parse_dn(crl->crl, - "tbsCertList.issuer.rdnSequence", - buf, sizeof_buf); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_parse_dn(crl->crl, + "tbsCertList.issuer.rdnSequence", + buf, sizeof_buf); } /** @@ -208,17 +207,18 @@ int gnutls_x509_crl_get_issuer_dn(gnutls_x509_crl crl, char *buf, * **/ int gnutls_x509_crl_get_issuer_dn_by_oid(gnutls_x509_crl crl, - const char *oid, int indx, unsigned int raw_flag, - void *buf, size_t *sizeof_buf) + const char *oid, int indx, + unsigned int raw_flag, void *buf, + size_t * sizeof_buf) { - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_parse_dn_oid(crl->crl, - "tbsCertList.issuer.rdnSequence", - oid, indx, raw_flag, buf, sizeof_buf); + return _gnutls_x509_parse_dn_oid(crl->crl, + "tbsCertList.issuer.rdnSequence", + oid, indx, raw_flag, buf, sizeof_buf); } /** @@ -238,16 +238,17 @@ int gnutls_x509_crl_get_issuer_dn_by_oid(gnutls_x509_crl crl, * On success 0 is returned. * **/ -int gnutls_x509_crl_get_dn_oid(gnutls_x509_crl crl, - int indx, void *oid, size_t *sizeof_oid) +int gnutls_x509_crl_get_dn_oid(gnutls_x509_crl crl, + int indx, void *oid, size_t * sizeof_oid) { - if (crl==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_get_dn_oid( crl->crl, - "tbsCertList.issuer.rdnSequence", indx, oid, sizeof_oid); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_get_dn_oid(crl->crl, + "tbsCertList.issuer.rdnSequence", indx, + oid, sizeof_oid); } @@ -263,30 +264,32 @@ int gnutls_x509_crl_get_dn_oid(gnutls_x509_crl crl, **/ int gnutls_x509_crl_get_signature_algorithm(gnutls_x509_crl crl) { - int result; - gnutls_datum sa; + int result; + gnutls_datum sa; - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* Read the signature algorithm. Note that parameters are not - * read. They will be read from the issuer's certificate if needed. - */ - - result = _gnutls_x509_read_value( crl->crl, "signatureAlgorithm.algorithm", &sa, 0); - - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_oid2sign_algorithm( (const char*)sa.data); + /* Read the signature algorithm. Note that parameters are not + * read. They will be read from the issuer's certificate if needed. + */ - _gnutls_free_datum( &sa); + result = + _gnutls_x509_read_value(crl->crl, "signatureAlgorithm.algorithm", + &sa, 0); + if (result < 0) { + gnutls_assert(); return result; + } + + result = _gnutls_x509_oid2sign_algorithm((const char *) sa.data); + + _gnutls_free_datum(&sa); + + return result; } /** @@ -300,23 +303,23 @@ int gnutls_x509_crl_get_signature_algorithm(gnutls_x509_crl crl) **/ int gnutls_x509_crl_get_version(gnutls_x509_crl crl) { - opaque version[5]; - int len, result; - - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - len = sizeof(version); - if ((result = - asn1_read_value(crl->crl, "tbsCertList.version", version, - &len)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - return (int) version[0] + 1; + opaque version[5]; + int len, result; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + len = sizeof(version); + if ((result = + asn1_read_value(crl->crl, "tbsCertList.version", version, + &len)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return (int) version[0] + 1; } /** @@ -330,13 +333,12 @@ int gnutls_x509_crl_get_version(gnutls_x509_crl crl) **/ time_t gnutls_x509_crl_get_this_update(gnutls_x509_crl crl) { - if (crl == NULL) { - gnutls_assert(); - return (time_t)-1; - } + if (crl == NULL) { + gnutls_assert(); + return (time_t) - 1; + } - return _gnutls_x509_get_time(crl->crl, - "tbsCertList.thisUpdate"); + return _gnutls_x509_get_time(crl->crl, "tbsCertList.thisUpdate"); } /** @@ -352,13 +354,12 @@ time_t gnutls_x509_crl_get_this_update(gnutls_x509_crl crl) **/ time_t gnutls_x509_crl_get_next_update(gnutls_x509_crl crl) { - if (crl == NULL) { - gnutls_assert(); - return (time_t)-1; - } + if (crl == NULL) { + gnutls_assert(); + return (time_t) - 1; + } - return _gnutls_x509_get_time(crl->crl, - "tbsCertList.nextUpdate"); + return _gnutls_x509_get_time(crl->crl, "tbsCertList.nextUpdate"); } /** @@ -374,24 +375,23 @@ time_t gnutls_x509_crl_get_next_update(gnutls_x509_crl crl) int gnutls_x509_crl_get_crt_count(gnutls_x509_crl crl) { - int count, result; + int count, result; - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = - asn1_number_of_elements(crl->crl, - "tbsCertList.revokedCertificates", - &count); + result = + asn1_number_of_elements(crl->crl, + "tbsCertList.revokedCertificates", &count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return 0; /* no certificates */ - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return 0; /* no certificates */ + } - return count; + return count; } /** @@ -409,50 +409,47 @@ int gnutls_x509_crl_get_crt_count(gnutls_x509_crl crl) * **/ int gnutls_x509_crl_get_crt_serial(gnutls_x509_crl crl, int index, - unsigned char *serial, - size_t *serial_size, time_t * time) + unsigned char *serial, + size_t * serial_size, time_t * time) { - int result, _serial_size; - char str_index[MAX_INT_DIGITS]; - char serial_name[64]; - char date_name[64]; - - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - _gnutls_int2str(index + 1, str_index); - _gnutls_str_cpy(serial_name, sizeof(serial_name), - "tbsCertList.revokedCertificates.?"); - _gnutls_str_cat(serial_name, sizeof(serial_name), str_index); - _gnutls_str_cat(serial_name, sizeof(serial_name), - ".userCertificate"); - - _gnutls_str_cpy(date_name, sizeof(date_name), - "tbsCertList.revokedCertificates.?"); - _gnutls_str_cat(date_name, sizeof(date_name), str_index); - _gnutls_str_cat(date_name, sizeof(date_name), ".revocationDate"); - - _serial_size = *serial_size; - result = - asn1_read_value(crl->crl, serial_name, serial, - &_serial_size); - - *serial_size = _serial_size; - if (result != ASN1_SUCCESS) { - gnutls_assert(); - if (result == ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - return _gnutls_asn2err(result); - } - - if (time) { - *time = _gnutls_x509_get_time(crl->crl, date_name); - } - - return 0; + int result, _serial_size; + char str_index[MAX_INT_DIGITS]; + char serial_name[64]; + char date_name[64]; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + _gnutls_int2str(index + 1, str_index); + _gnutls_str_cpy(serial_name, sizeof(serial_name), + "tbsCertList.revokedCertificates.?"); + _gnutls_str_cat(serial_name, sizeof(serial_name), str_index); + _gnutls_str_cat(serial_name, sizeof(serial_name), ".userCertificate"); + + _gnutls_str_cpy(date_name, sizeof(date_name), + "tbsCertList.revokedCertificates.?"); + _gnutls_str_cat(date_name, sizeof(date_name), str_index); + _gnutls_str_cat(date_name, sizeof(date_name), ".revocationDate"); + + _serial_size = *serial_size; + result = asn1_read_value(crl->crl, serial_name, serial, &_serial_size); + + *serial_size = _serial_size; + if (result != ASN1_SUCCESS) { + gnutls_assert(); + if (result == ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + return _gnutls_asn2err(result); + } + + if (time) { + *time = _gnutls_x509_get_time(crl->crl, date_name); + } + + return 0; } /*- @@ -469,63 +466,65 @@ int gnutls_x509_crl_get_crt_serial(gnutls_x509_crl crl, int index, int _gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl crl, gnutls_datum * dn) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len1; - int start1, end1; - gnutls_datum crl_signed_data; - - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* get the issuer of 'crl' - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), "PKIX1.TBSCertList", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_get_signed_data( crl->crl, "tbsCertList", &crl_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = - asn1_der_decoding(&c2, crl_signed_data.data, - crl_signed_data.size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&c2); - result = _gnutls_asn2err(result); - goto cleanup; - } + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len1; + int start1, end1; + gnutls_datum crl_signed_data; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* get the issuer of 'crl' + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.TBSCertList", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + _gnutls_x509_get_signed_data(crl->crl, "tbsCertList", + &crl_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + asn1_der_decoding(&c2, crl_signed_data.data, + crl_signed_data.size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); + asn1_delete_structure(&c2); + result = _gnutls_asn2err(result); + goto cleanup; + } - result = - asn1_der_decoding_startEnd(c2, crl_signed_data.data, - crl_signed_data.size, "issuer", - &start1, &end1); + result = + asn1_der_decoding_startEnd(c2, crl_signed_data.data, + crl_signed_data.size, "issuer", + &start1, &end1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - len1 = end1 - start1 + 1; + len1 = end1 - start1 + 1; - _gnutls_set_datum( dn, &crl_signed_data.data[start1], len1); + _gnutls_set_datum(dn, &crl_signed_data.data[start1], len1); - result = 0; + result = 0; -cleanup: - asn1_delete_structure(&c2); - _gnutls_free_datum( &crl_signed_data); - return result; + cleanup: + asn1_delete_structure(&c2); + _gnutls_free_datum(&crl_signed_data); + return result; } /** @@ -546,16 +545,18 @@ cleanup: * Returns 0 on success, and a negative value on failure. * **/ -int gnutls_x509_crl_export( gnutls_x509_crl crl, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size) +int gnutls_x509_crl_export(gnutls_x509_crl crl, + gnutls_x509_crt_fmt format, void *output_data, + size_t * output_data_size) { - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_export_int( crl->crl, format, PEM_CRL, *output_data_size, - output_data, output_data_size); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_export_int(crl->crl, format, PEM_CRL, + *output_data_size, output_data, + output_data_size); } /*- @@ -570,42 +571,43 @@ int gnutls_x509_crl_export( gnutls_x509_crl crl, -*/ int _gnutls_x509_crl_cpy(gnutls_x509_crl dest, gnutls_x509_crl src) { -int ret; -size_t der_size; -opaque * der; -gnutls_datum tmp; - - ret = gnutls_x509_crl_export( src, GNUTLS_X509_FMT_DER, NULL, &der_size); - if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - return ret; - } - - der = gnutls_alloca( der_size); - if (der == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + int ret; + size_t der_size; + opaque *der; + gnutls_datum tmp; + + ret = + gnutls_x509_crl_export(src, GNUTLS_X509_FMT_DER, NULL, &der_size); + if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + return ret; + } + + der = gnutls_alloca(der_size); + if (der == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - ret = gnutls_x509_crl_export( src, GNUTLS_X509_FMT_DER, der, &der_size); - if (ret < 0) { - gnutls_assert(); - gnutls_afree( der); - return ret; - } + ret = gnutls_x509_crl_export(src, GNUTLS_X509_FMT_DER, der, &der_size); + if (ret < 0) { + gnutls_assert(); + gnutls_afree(der); + return ret; + } - tmp.data = der; - tmp.size = der_size; - ret = gnutls_x509_crl_import( dest, &tmp, GNUTLS_X509_FMT_DER); + tmp.data = der; + tmp.size = der_size; + ret = gnutls_x509_crl_import(dest, &tmp, GNUTLS_X509_FMT_DER); - gnutls_afree( der); + gnutls_afree(der); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } diff --git a/lib/x509/crl_write.c b/lib/x509/crl_write.c index 7545f2c6a8..c68889cf52 100644 --- a/lib/x509/crl_write.c +++ b/lib/x509/crl_write.c @@ -41,7 +41,7 @@ #include <libtasn1.h> #include <gnutls_ui.h> -static void disable_optional_stuff( gnutls_x509_crl crl); +static void disable_optional_stuff(gnutls_x509_crl crl); /** * gnutls_x509_crl_set_version - This function will set the CRL version @@ -57,24 +57,25 @@ static void disable_optional_stuff( gnutls_x509_crl crl); **/ int gnutls_x509_crl_set_version(gnutls_x509_crl crl, unsigned int version) { -int result; -char null = version; + int result; + char null = version; - if (crl==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - null -= 1; - if (null < 0) null = 0; + null -= 1; + if (null < 0) + null = 0; - result = asn1_write_value( crl->crl, "tbsCertList.version", &null, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = asn1_write_value(crl->crl, "tbsCertList.version", &null, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /** @@ -92,28 +93,28 @@ char null = version; * Returns 0 on success. * **/ -int gnutls_x509_crl_sign(gnutls_x509_crl crl, gnutls_x509_crt issuer, - gnutls_x509_privkey issuer_key) +int gnutls_x509_crl_sign(gnutls_x509_crl crl, gnutls_x509_crt issuer, + gnutls_x509_privkey issuer_key) { -int result; - - if (crl==NULL || issuer == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* disable all the unneeded OPTIONAL fields. - */ - disable_optional_stuff( crl); - - result = _gnutls_x509_pkix_sign( crl->crl, "tbsCertList", issuer, - issuer_key); - if (result < 0) { - gnutls_assert(); - return result; - } - - return 0; + int result; + + if (crl == NULL || issuer == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* disable all the unneeded OPTIONAL fields. + */ + disable_optional_stuff(crl); + + result = _gnutls_x509_pkix_sign(crl->crl, "tbsCertList", issuer, + issuer_key); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /** @@ -128,12 +129,13 @@ int result; **/ int gnutls_x509_crl_set_this_update(gnutls_x509_crl crl, time_t act_time) { - if (crl==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_set_time( crl->crl, "tbsCertList.thisUpdate", act_time); + return _gnutls_x509_set_time(crl->crl, "tbsCertList.thisUpdate", + act_time); } /** @@ -148,11 +150,12 @@ int gnutls_x509_crl_set_this_update(gnutls_x509_crl crl, time_t act_time) **/ int gnutls_x509_crl_set_next_update(gnutls_x509_crl crl, time_t exp_time) { - if (crl==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - return _gnutls_x509_set_time( crl->crl, "tbsCertList.nextUpdate", exp_time); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + return _gnutls_x509_set_time(crl->crl, "tbsCertList.nextUpdate", + exp_time); } /** @@ -167,42 +170,53 @@ int gnutls_x509_crl_set_next_update(gnutls_x509_crl crl, time_t exp_time) * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crl_set_crt_serial(gnutls_x509_crl crl, const void* serial, - size_t serial_size, time_t revocation_time) +int gnutls_x509_crl_set_crt_serial(gnutls_x509_crl crl, const void *serial, + size_t serial_size, + time_t revocation_time) { - int ret; - - if (crl==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = asn1_write_value(crl->crl, "tbsCertList.revokedCertificates", "NEW", 1); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(ret); - } - - ret = asn1_write_value(crl->crl, "tbsCertList.revokedCertificates.?LAST.userCertificate", serial, serial_size); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(ret); - } - - ret = _gnutls_x509_set_time( crl->crl, "tbsCertList.revokedCertificates.?LAST.revocationDate", - revocation_time); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = asn1_write_value(crl->crl, "tbsCertList.revokedCertificates.?LAST.crlEntryExtensions", NULL, 0); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(ret); - } - - return 0; + int ret; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = + asn1_write_value(crl->crl, "tbsCertList.revokedCertificates", + "NEW", 1); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + ret = + asn1_write_value(crl->crl, + "tbsCertList.revokedCertificates.?LAST.userCertificate", + serial, serial_size); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + ret = + _gnutls_x509_set_time(crl->crl, + "tbsCertList.revokedCertificates.?LAST.revocationDate", + revocation_time); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + asn1_write_value(crl->crl, + "tbsCertList.revokedCertificates.?LAST.crlEntryExtensions", + NULL, 0); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + return 0; } /** @@ -217,43 +231,45 @@ int gnutls_x509_crl_set_crt_serial(gnutls_x509_crl crl, const void* serial, * **/ int gnutls_x509_crl_set_crt(gnutls_x509_crl crl, gnutls_x509_crt crt, - time_t revocation_time) + time_t revocation_time) { - int ret; - opaque serial[128]; - size_t serial_size; - - if (crl==NULL || crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - serial_size = sizeof(serial); - ret = gnutls_x509_crt_get_serial(crt, serial, &serial_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = gnutls_x509_crl_set_crt_serial( crl, serial, serial_size, revocation_time); - if (ret < 0) { - gnutls_assert(); - return _gnutls_asn2err(ret); - } - - return 0; + int ret; + opaque serial[128]; + size_t serial_size; + + if (crl == NULL || crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + serial_size = sizeof(serial); + ret = gnutls_x509_crt_get_serial(crt, serial, &serial_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + gnutls_x509_crl_set_crt_serial(crl, serial, serial_size, + revocation_time); + if (ret < 0) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + return 0; } /* If OPTIONAL fields have not been initialized then * disable them. */ -static void disable_optional_stuff( gnutls_x509_crl crl) +static void disable_optional_stuff(gnutls_x509_crl crl) { - asn1_write_value( crl->crl, "tbsCertList.crlExtensions", NULL, 0); + asn1_write_value(crl->crl, "tbsCertList.crlExtensions", NULL, 0); - return; + return; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/crq.c b/lib/x509/crq.c index e6d4d1669c..0bbf0b903b 100644 --- a/lib/x509/crq.c +++ b/lib/x509/crq.c @@ -52,20 +52,20 @@ **/ int gnutls_x509_crq_init(gnutls_x509_crq * crq) { - *crq = gnutls_calloc( 1, sizeof(gnutls_x509_crq_int)); - - if (*crq) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-10-CertificationRequest", - &((*crq)->crq)); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free( *crq); - return _gnutls_asn2err(result); - } - return 0; /* success */ + *crq = gnutls_calloc(1, sizeof(gnutls_x509_crq_int)); + + if (*crq) { + int result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-10-CertificationRequest", + &((*crq)->crq)); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*crq); + return _gnutls_asn2err(result); } - return GNUTLS_E_MEMORY_ERROR; + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -77,12 +77,13 @@ int gnutls_x509_crq_init(gnutls_x509_crq * crq) **/ void gnutls_x509_crq_deinit(gnutls_x509_crq crq) { - if (!crq) return; + if (!crq) + return; - if (crq->crq) - asn1_delete_structure(&crq->crq); + if (crq->crq) + asn1_delete_structure(&crq->crq); - gnutls_free(crq); + gnutls_free(crq); } #define PEM_CRQ "NEW CERTIFICATE REQUEST" @@ -103,56 +104,59 @@ void gnutls_x509_crq_deinit(gnutls_x509_crq crq) * **/ int gnutls_x509_crq_import(gnutls_x509_crq crq, const gnutls_datum * data, - gnutls_x509_crt_fmt format) + gnutls_x509_crt_fmt format) { - int result = 0, need_free = 0; - gnutls_datum _data; + int result = 0, need_free = 0; + gnutls_datum _data; - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + _data.data = data->data; + _data.size = data->size; + + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; + + /* Try the first header */ + result = _gnutls_fbase64_decode(PEM_CRQ, data->data, data->size, + &out); + + if (result <= 0) /* Go for the second header */ + result = + _gnutls_fbase64_decode(PEM_CRQ2, data->data, data->size, + &out); + + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert(); + return result; } - - _data.data = data->data; - _data.size = data->size; - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - /* Try the first header */ - result = _gnutls_fbase64_decode(PEM_CRQ, data->data, data->size, - &out); - - if (result <= 0) /* Go for the second header */ - result = _gnutls_fbase64_decode(PEM_CRQ2, data->data, data->size, - &out); - - if (result <= 0) { - if (result==0) result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - - _data.data = out; - _data.size = result; - - need_free = 1; - } + _data.data = out; + _data.size = result; - result = asn1_der_decoding(&crq->crq, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; - } + need_free = 1; + } - result = 0; + result = asn1_der_decoding(&crq->crq, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } - cleanup: - if (need_free) _gnutls_free_datum( &_data); - return result; + result = 0; + + cleanup: + if (need_free) + _gnutls_free_datum(&_data); + return result; } @@ -175,15 +179,16 @@ int gnutls_x509_crq_import(gnutls_x509_crq crq, const gnutls_datum * data, * **/ int gnutls_x509_crq_get_dn(gnutls_x509_crq crq, char *buf, - size_t *sizeof_buf) + size_t * sizeof_buf) { - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_parse_dn( crq->crq, "certificationRequestInfo.subject.rdnSequence", - buf, sizeof_buf); + return _gnutls_x509_parse_dn(crq->crq, + "certificationRequestInfo.subject.rdnSequence", + buf, sizeof_buf); } /** @@ -211,16 +216,18 @@ int gnutls_x509_crq_get_dn(gnutls_x509_crq crq, char *buf, * On success 0 is returned. * **/ -int gnutls_x509_crq_get_dn_by_oid(gnutls_x509_crq crq, const char* oid, - int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf) +int gnutls_x509_crq_get_dn_by_oid(gnutls_x509_crq crq, const char *oid, + int indx, unsigned int raw_flag, + void *buf, size_t * sizeof_buf) { - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_parse_dn_oid( crq->crq, "certificationRequestInfo.subject.rdnSequence", - oid, indx, raw_flag, buf, sizeof_buf); + return _gnutls_x509_parse_dn_oid(crq->crq, + "certificationRequestInfo.subject.rdnSequence", + oid, indx, raw_flag, buf, sizeof_buf); } /** @@ -241,15 +248,16 @@ int gnutls_x509_crq_get_dn_by_oid(gnutls_x509_crq crq, const char* oid, * **/ int gnutls_x509_crq_get_dn_oid(gnutls_x509_crq crq, - int indx, void *oid, size_t *sizeof_oid) + int indx, void *oid, size_t * sizeof_oid) { - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_get_dn_oid( crq->crq, "certificationRequestInfo.subject.rdnSequence", - indx, oid, sizeof_oid); + return _gnutls_x509_get_dn_oid(crq->crq, + "certificationRequestInfo.subject.rdnSequence", + indx, oid, sizeof_oid); } /* Parses an Attribute list in the asn1_struct, and searches for the @@ -261,134 +269,117 @@ int gnutls_x509_crq_get_dn_oid(gnutls_x509_crq crq, * */ static int parse_attribute(ASN1_TYPE asn1_struct, - const char *attr_name, - const char *given_oid, int indx, - char *buf, size_t *sizeof_buf) + const char *attr_name, + const char *given_oid, int indx, + char *buf, size_t * sizeof_buf) { - int k1, result; - char tmpbuffer1[64]; - char tmpbuffer3[64]; - char counter[MAX_INT_DIGITS]; - char value[200]; - char oid[128]; - int len, printable; - - if (*sizeof_buf == 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + int k1, result; + char tmpbuffer1[64]; + char tmpbuffer3[64]; + char counter[MAX_INT_DIGITS]; + char value[200]; + char oid[128]; + int len, printable; + + if (*sizeof_buf == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + buf[0] = 0; + + k1 = 0; + do { + + k1++; + /* create a string like "attribute.?1" + */ + _gnutls_int2str(k1, counter); + _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), attr_name); + + if (strlen(tmpbuffer1) > 0) + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); + + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; } - buf[0] = 0; + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - k1 = 0; - do { + /* Move to the attibute type and values + */ + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer1); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".type"); + + len = sizeof(oid) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer3, oid, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - k1++; - /* create a string like "attribute.?1" - */ - _gnutls_int2str(k1, counter); - _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), - attr_name); + if (strcmp(oid, given_oid) == 0) { /* Found the OID */ - if (strlen( tmpbuffer1) > 0) - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); + /* Read the Value + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer1); - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + _gnutls_int2str(indx + 1, counter); + + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".values.?"); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), counter); + + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer3, value, &len); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + printable = _gnutls_x509_oid_data_printable(oid); + + if (printable == 1) { + if ((result = + _gnutls_x509_oid_data2string + (oid, value, len, buf, sizeof_buf)) < 0) { + gnutls_assert(); + goto cleanup; } - /* Move to the attibute type and values - */ - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), - tmpbuffer1); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), - ".type"); - - len = sizeof(oid) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer3, oid, - &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (strcmp(oid, given_oid) == 0) { /* Found the OID */ - - /* Read the Value - */ - _gnutls_str_cpy(tmpbuffer3, - sizeof(tmpbuffer3), - tmpbuffer1); - - _gnutls_int2str(indx + 1, counter); - - _gnutls_str_cat(tmpbuffer3, - sizeof(tmpbuffer3), - ".values.?"); - _gnutls_str_cat(tmpbuffer3, - sizeof(tmpbuffer3), - counter); - - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, - tmpbuffer3, value, - &len); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - - printable = - _gnutls_x509_oid_data_printable(oid); - - if (printable == 1) { - if ((result = - _gnutls_x509_oid_data2string - (oid, value, len, buf, - sizeof_buf)) < 0) { - gnutls_assert(); - goto cleanup; - } - - return 0; - } else { - gnutls_assert(); - return GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE; - } - } - - } while (1); + return 0; + } else { + gnutls_assert(); + return GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE; + } + } - gnutls_assert(); + } while (1); - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + gnutls_assert(); - cleanup: - return result; + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + + cleanup: + return result; } /** @@ -403,16 +394,17 @@ static int parse_attribute(ASN1_TYPE asn1_struct, * Returns 0 on success. * **/ -int gnutls_x509_crq_get_challenge_password(gnutls_x509_crq crq, - char* pass, size_t* sizeof_pass) +int gnutls_x509_crq_get_challenge_password(gnutls_x509_crq crq, + char *pass, + size_t * sizeof_pass) { - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return parse_attribute( crq->crq, "certificationRequestInfo.attributes", - "1.2.840.113549.1.9.7", 0, pass, sizeof_pass); + return parse_attribute(crq->crq, "certificationRequestInfo.attributes", + "1.2.840.113549.1.9.7", 0, pass, sizeof_pass); } /** @@ -435,15 +427,17 @@ int gnutls_x509_crq_get_challenge_password(gnutls_x509_crq crq, * Returns 0 on success. * **/ -int gnutls_x509_crq_set_dn_by_oid(gnutls_x509_crq crq, const char* oid, - unsigned int raw_flag, const void *data, unsigned int sizeof_data) +int gnutls_x509_crq_set_dn_by_oid(gnutls_x509_crq crq, const char *oid, + unsigned int raw_flag, const void *data, + unsigned int sizeof_data) { - if (sizeof_data == 0 || data == NULL || crq == NULL) { - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_set_dn_oid( crq->crq, "certificationRequestInfo.subject", - oid, raw_flag, data, sizeof_data); + if (sizeof_data == 0 || data == NULL || crq == NULL) { + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_set_dn_oid(crq->crq, + "certificationRequestInfo.subject", oid, + raw_flag, data, sizeof_data); } /** @@ -459,23 +453,26 @@ int gnutls_x509_crq_set_dn_by_oid(gnutls_x509_crq crq, const char* oid, **/ int gnutls_x509_crq_set_version(gnutls_x509_crq crq, unsigned int version) { -int result; -unsigned char null = version; + int result; + unsigned char null = version; - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (null > 0) null--; - - result = asn1_write_value( crq->crq, "certificationRequestInfo.version", &null, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (null > 0) + null--; + + result = + asn1_write_value(crq->crq, "certificationRequestInfo.version", + &null, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /** @@ -489,24 +486,26 @@ unsigned char null = version; **/ int gnutls_x509_crq_get_version(gnutls_x509_crq crq) { - opaque version[5]; - int len, result; + opaque version[5]; + int len, result; - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - len = sizeof(version); - if ((result = asn1_read_value(crq->crq, "certificationRequestInfo.version", version, &len)) != - ASN1_SUCCESS) { - - if (result == ASN1_ELEMENT_NOT_FOUND) return 1; /* the DEFAULT version */ - gnutls_assert(); - return _gnutls_asn2err(result); - } + len = sizeof(version); + if ((result = + asn1_read_value(crq->crq, "certificationRequestInfo.version", + version, &len)) != ASN1_SUCCESS) { + + if (result == ASN1_ELEMENT_NOT_FOUND) + return 1; /* the DEFAULT version */ + gnutls_assert(); + return _gnutls_asn2err(result); + } - return (int) version[0] + 1; + return (int) version[0] + 1; } /** @@ -522,23 +521,25 @@ int gnutls_x509_crq_get_version(gnutls_x509_crq crq) **/ int gnutls_x509_crq_set_key(gnutls_x509_crq crq, gnutls_x509_privkey key) { -int result; + int result; - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_encode_and_copy_PKI_params( crq->crq, - "certificationRequestInfo.subjectPKInfo", key->pk_algorithm, - key->params, key->params_size); + result = _gnutls_x509_encode_and_copy_PKI_params(crq->crq, + "certificationRequestInfo.subjectPKInfo", + key->pk_algorithm, + key->params, + key->params_size); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /** @@ -551,32 +552,38 @@ int result; * Returns 0 on success. * **/ -int gnutls_x509_crq_set_challenge_password(gnutls_x509_crq crq, const char* pass) +int gnutls_x509_crq_set_challenge_password(gnutls_x509_crq crq, + const char *pass) { -int result; - - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int result; - /* Add the attribute. - */ - result = asn1_write_value( crq->crq, "certificationRequestInfo.attributes", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Add the attribute. + */ + result = + asn1_write_value(crq->crq, "certificationRequestInfo.attributes", + "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = _gnutls_x509_encode_and_write_attribute( "1.2.840.113549.1.9.7", crq->crq, - "certificationRequestInfo.attributes.?LAST", pass, strlen(pass), 1); + result = + _gnutls_x509_encode_and_write_attribute("1.2.840.113549.1.9.7", + crq->crq, + "certificationRequestInfo.attributes.?LAST", + pass, strlen(pass), 1); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /** @@ -596,45 +603,49 @@ int result; **/ int gnutls_x509_crq_sign(gnutls_x509_crq crq, gnutls_x509_privkey key) { -int result; -gnutls_datum signature; + int result; + gnutls_datum signature; - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* Step 1. Self sign the request. - */ - result = _gnutls_x509_sign_tbs( crq->crq, "certificationRequestInfo", GNUTLS_MAC_SHA, - key, &signature); - - if (result < 0) { - gnutls_assert(); - return result; - } + /* Step 1. Self sign the request. + */ + result = + _gnutls_x509_sign_tbs(crq->crq, "certificationRequestInfo", + GNUTLS_MAC_SHA, key, &signature); - /* Step 2. write the signature (bits) - */ - result = asn1_write_value( crq->crq, "signature", signature.data, signature.size*8); + if (result < 0) { + gnutls_assert(); + return result; + } - _gnutls_free_datum( &signature); + /* Step 2. write the signature (bits) + */ + result = + asn1_write_value(crq->crq, "signature", signature.data, + signature.size * 8); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + _gnutls_free_datum(&signature); - /* Step 3. Write the signatureAlgorithm field. - */ - result = _gnutls_x509_write_sig_params( crq->crq, "signatureAlgorithm", - key->pk_algorithm, key->params, key->params_size); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Step 3. Write the signatureAlgorithm field. + */ + result = _gnutls_x509_write_sig_params(crq->crq, "signatureAlgorithm", + key->pk_algorithm, key->params, + key->params_size); + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /** @@ -656,16 +667,18 @@ gnutls_datum signature; * 0 on success. * **/ -int gnutls_x509_crq_export( gnutls_x509_crq crq, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size) +int gnutls_x509_crq_export(gnutls_x509_crq crq, + gnutls_x509_crt_fmt format, void *output_data, + size_t * output_data_size) { - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_export_int( crq->crq, format, PEM_CRQ, *output_data_size, - output_data, output_data_size); + return _gnutls_x509_export_int(crq->crq, format, PEM_CRQ, + *output_data_size, output_data, + output_data_size); } /** @@ -685,22 +698,25 @@ int gnutls_x509_crq_export( gnutls_x509_crq crq, * or a negative value on error. * **/ -int gnutls_x509_crq_get_pk_algorithm( gnutls_x509_crq crq, unsigned int* bits) +int gnutls_x509_crq_get_pk_algorithm(gnutls_x509_crq crq, + unsigned int *bits) { -int result; + int result; - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = + _gnutls_x509_get_pk_algorithm(crq->crq, + "certificationRequestInfo.subjectPKInfo", + bits); + if (result < 0) { + gnutls_assert(); + } - result = _gnutls_x509_get_pk_algorithm( crq->crq, "certificationRequestInfo.subjectPKInfo", - bits); - if (result < 0) { - gnutls_assert(); - } - - return result; + return result; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/dn.c b/lib/x509/dn.c index ef0e6401cc..aa626c8a4a 100644 --- a/lib/x509/dn.c +++ b/lib/x509/dn.c @@ -39,40 +39,40 @@ */ static const char *oid2ldap_string(const char *oid) { - const char *ret; + const char *ret; - ret = _gnutls_x509_oid2ldap_string(oid); - if (ret) - return ret; + ret = _gnutls_x509_oid2ldap_string(oid); + if (ret) + return ret; - /* else return the OID in dotted format */ - return oid; + /* else return the OID in dotted format */ + return oid; } /* Escapes a string following the rules from RFC2253. */ static char *str_escape(char *str, char *buffer, unsigned int buffer_size) { - int str_length, j, i; + int str_length, j, i; - if (str == NULL || buffer == NULL) - return NULL; + if (str == NULL || buffer == NULL) + return NULL; - str_length = GMIN(strlen(str), buffer_size - 1); + str_length = GMIN(strlen(str), buffer_size - 1); - for (i = j = 0; i < str_length; i++) { - if (str[i] == ',' || str[i] == '+' || str[i] == '"' - || str[i] == '\\' || str[i] == '<' || str[i] == '>' - || str[i] == ';') - buffer[j++] = '\\'; + for (i = j = 0; i < str_length; i++) { + if (str[i] == ',' || str[i] == '+' || str[i] == '"' + || str[i] == '\\' || str[i] == '<' || str[i] == '>' + || str[i] == ';') + buffer[j++] = '\\'; - buffer[j++] = str[i]; - } + buffer[j++] = str[i]; + } - /* null terminate the string */ - buffer[j] = 0; + /* null terminate the string */ + buffer[j] = 0; - return buffer; + return buffer; } /* Parses an X509 DN in the asn1_struct, and puts the output into @@ -85,251 +85,233 @@ int _gnutls_x509_parse_dn(ASN1_TYPE asn1_struct, const char *asn1_rdn_name, char *buf, size_t * sizeof_buf) { - gnutls_string out_str; - int k2, k1, result; - char tmpbuffer1[64]; - char tmpbuffer2[64]; - char tmpbuffer3[64]; - char counter[MAX_INT_DIGITS]; - opaque value[256], *value2 = NULL; - char *escaped = NULL; - const char *ldap_desc; - char oid[128]; - int len, printable; - char* string = NULL; - size_t sizeof_string ,sizeof_escaped; - - if (sizeof_buf == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_string out_str; + int k2, k1, result; + char tmpbuffer1[64]; + char tmpbuffer2[64]; + char tmpbuffer3[64]; + char counter[MAX_INT_DIGITS]; + opaque value[256], *value2 = NULL; + char *escaped = NULL; + const char *ldap_desc; + char oid[128]; + int len, printable; + char *string = NULL; + size_t sizeof_string, sizeof_escaped; + + if (sizeof_buf == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (buf) + buf[0] = 0; + else + *sizeof_buf = 0; + + _gnutls_string_init(&out_str, gnutls_malloc, gnutls_realloc, + gnutls_free); + + k1 = 0; + do { + + k1++; + /* create a string like "tbsCertList.issuer.rdnSequence.?1" + */ + _gnutls_int2str(k1, counter); + _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), asn1_rdn_name); + if (strlen(tmpbuffer1) > 0) + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); + + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; } - if (buf) - buf[0] = 0; - else - *sizeof_buf = 0; + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - _gnutls_string_init(&out_str, gnutls_malloc, gnutls_realloc, - gnutls_free); + k2 = 0; - k1 = 0; - do { + do { /* Move to the attibute type and values + */ + k2++; - k1++; - /* create a string like "tbsCertList.issuer.rdnSequence.?1" - */ - _gnutls_int2str(k1, counter); - _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), - asn1_rdn_name); - if (strlen(tmpbuffer1) > 0) - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), - "."); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); - - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + _gnutls_int2str(k2, counter); + _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), tmpbuffer1); + if (strlen(tmpbuffer2) > 0) + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "."); + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "?"); + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), counter); - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; - } + /* Try to read the RelativeDistinguishedName attributes. + */ - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer2, value, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - k2 = 0; + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".type"); - do { /* Move to the attibute type and values - */ - k2++; - - _gnutls_int2str(k2, counter); - _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), - tmpbuffer1); - if (strlen(tmpbuffer2) > 0) - _gnutls_str_cat(tmpbuffer2, - sizeof(tmpbuffer2), "."); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), - "?"); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), - counter); - - /* Try to read the RelativeDistinguishedName attributes. - */ - - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer2, value, - &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + len = sizeof(oid) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer3, oid, &len); - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), - tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), - ".type"); + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - len = sizeof(oid) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer3, oid, - &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + /* Read the Value + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".value"); - /* Read the Value - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), - tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), - ".value"); + len = 0; + result = asn1_read_value(asn1_struct, tmpbuffer3, NULL, &len); - len = 0; - result = - asn1_read_value(asn1_struct, tmpbuffer3, NULL, - &len); - - value2 = gnutls_malloc( len); - if (value2 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } + value2 = gnutls_malloc(len); + if (value2 == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } - result = - asn1_read_value(asn1_struct, tmpbuffer3, value2, - &len); + result = + asn1_read_value(asn1_struct, tmpbuffer3, value2, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } #define STR_APPEND(y) if ((result=_gnutls_string_append_str( &out_str, y)) < 0) { \ gnutls_assert(); \ goto cleanup; \ } - /* The encodings of adjoining RelativeDistinguishedNames are separated - * by a comma character (',' ASCII 44). - */ - - /* Where there is a multi-valued RDN, the outputs from adjoining - * AttributeTypeAndValues are separated by a plus ('+' ASCII 43) - * character. - */ - if (k1 != 1) { /* the first time do not append a comma */ - if (k2 != 1) { /* adjoining multi-value RDN */ - STR_APPEND("+"); - } else { - STR_APPEND(","); - } - } + /* The encodings of adjoining RelativeDistinguishedNames are separated + * by a comma character (',' ASCII 44). + */ + + /* Where there is a multi-valued RDN, the outputs from adjoining + * AttributeTypeAndValues are separated by a plus ('+' ASCII 43) + * character. + */ + if (k1 != 1) { /* the first time do not append a comma */ + if (k2 != 1) { /* adjoining multi-value RDN */ + STR_APPEND("+"); + } else { + STR_APPEND(","); + } + } - ldap_desc = oid2ldap_string(oid); - printable = _gnutls_x509_oid_data_printable(oid); + ldap_desc = oid2ldap_string(oid); + printable = _gnutls_x509_oid_data_printable(oid); - sizeof_escaped = 2*len + 1; + sizeof_escaped = 2 * len + 1; - escaped = gnutls_malloc( sizeof_escaped); - if (escaped == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } + escaped = gnutls_malloc(sizeof_escaped); + if (escaped == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } - if (printable == 1) { - sizeof_string = len; - - string = gnutls_malloc( sizeof_string); - if (string == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - - STR_APPEND(ldap_desc); - STR_APPEND("="); - result = - _gnutls_x509_oid_data2string(oid, - value2, - len, - string, - &sizeof_string); - - if (result < 0) { - gnutls_assert(); - _gnutls_x509_log - ("Found OID: '%s' with value '%s'\n", - oid, _gnutls_bin2hex(value2, - len, - escaped, - sizeof_escaped)); - goto cleanup; - } - STR_APPEND(str_escape(string, escaped, sizeof_escaped)); - gnutls_free(string); string = NULL; - } else { - char *res; - - res = - _gnutls_bin2hex(value2, len, escaped, - sizeof_escaped); - - STR_APPEND(ldap_desc); - STR_APPEND("=#"); - if (res) { - STR_APPEND(res); - } else { - STR_APPEND("(null)"); - } - } - - gnutls_free( escaped); escaped = NULL; - gnutls_free( value2); value2 = NULL; + if (printable == 1) { + sizeof_string = len; - } while (1); + string = gnutls_malloc(sizeof_string); + if (string == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } - } while (1); - if (out_str.length >= (unsigned int) *sizeof_buf) { - gnutls_assert(); - *sizeof_buf = out_str.length; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto cleanup; - } + STR_APPEND(ldap_desc); + STR_APPEND("="); + result = + _gnutls_x509_oid_data2string(oid, + value2, + len, + string, &sizeof_string); + + if (result < 0) { + gnutls_assert(); + _gnutls_x509_log + ("Found OID: '%s' with value '%s'\n", + oid, _gnutls_bin2hex(value2, + len, + escaped, sizeof_escaped)); + goto cleanup; + } + STR_APPEND(str_escape(string, escaped, sizeof_escaped)); + gnutls_free(string); + string = NULL; + } else { + char *res; + + res = + _gnutls_bin2hex(value2, len, escaped, sizeof_escaped); + + STR_APPEND(ldap_desc); + STR_APPEND("=#"); + if (res) { + STR_APPEND(res); + } else { + STR_APPEND("(null)"); + } + } - if (buf) { - memcpy(buf, out_str.data, out_str.length); - buf[out_str.length] = 0; - } - *sizeof_buf = out_str.length; + gnutls_free(escaped); + escaped = NULL; + gnutls_free(value2); + value2 = NULL; + + } while (1); - result = 0; + } while (1); - cleanup: - gnutls_free( value2); - gnutls_free( string); - gnutls_free( escaped); - _gnutls_string_clear(&out_str); - return result; + if (out_str.length >= (unsigned int) *sizeof_buf) { + gnutls_assert(); + *sizeof_buf = out_str.length; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto cleanup; + } + + if (buf) { + memcpy(buf, out_str.data, out_str.length); + buf[out_str.length] = 0; + } + *sizeof_buf = out_str.length; + + result = 0; + + cleanup: + gnutls_free(value2); + gnutls_free(string); + gnutls_free(escaped); + _gnutls_string_clear(&out_str); + return result; } /* Parses an X509 DN in the asn1_struct, and searches for the @@ -346,210 +328,177 @@ int _gnutls_x509_parse_dn(ASN1_TYPE asn1_struct, */ int _gnutls_x509_parse_dn_oid(ASN1_TYPE asn1_struct, const char *asn1_rdn_name, - const char *given_oid, int indx, + const char *given_oid, int indx, unsigned int raw_flag, void *buf, size_t * sizeof_buf) { - int k2, k1, result; - char tmpbuffer1[64]; - char tmpbuffer2[64]; - char tmpbuffer3[64]; - char counter[MAX_INT_DIGITS]; - opaque value[256]; - char escaped[256]; - char oid[128]; - int len, printable; - int i = 0; - char * cbuf = buf; - - if (cbuf == NULL) - *sizeof_buf = 0; - else - cbuf[0] = 0; - - k1 = 0; - do { - - k1++; - /* create a string like "tbsCertList.issuer.rdnSequence.?1" - */ - _gnutls_int2str(k1, counter); - _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), - asn1_rdn_name); + int k2, k1, result; + char tmpbuffer1[64]; + char tmpbuffer2[64]; + char tmpbuffer3[64]; + char counter[MAX_INT_DIGITS]; + opaque value[256]; + char escaped[256]; + char oid[128]; + int len, printable; + int i = 0; + char *cbuf = buf; + + if (cbuf == NULL) + *sizeof_buf = 0; + else + cbuf[0] = 0; + + k1 = 0; + do { + + k1++; + /* create a string like "tbsCertList.issuer.rdnSequence.?1" + */ + _gnutls_int2str(k1, counter); + _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), asn1_rdn_name); - if (strlen(tmpbuffer1) > 0) - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), - "."); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); + if (strlen(tmpbuffer1) > 0) + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer1, value, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - k2 = 0; + k2 = 0; - do { /* Move to the attibute type and values + do { /* Move to the attibute type and values */ - k2++; + k2++; - _gnutls_int2str(k2, counter); - _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), - tmpbuffer1); + _gnutls_int2str(k2, counter); + _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), tmpbuffer1); - if (strlen(tmpbuffer2) > 0) - _gnutls_str_cat(tmpbuffer2, - sizeof(tmpbuffer2), "."); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), - "?"); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), - counter); + if (strlen(tmpbuffer2) > 0) + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "."); + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "?"); + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), counter); - /* Try to read the RelativeDistinguishedName attributes. - */ + /* Try to read the RelativeDistinguishedName attributes. + */ - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer2, value, - &len); + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer2, value, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; - } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), - tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), - ".type"); + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".type"); - len = sizeof(oid) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer3, oid, - &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + len = sizeof(oid) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer3, oid, &len); - if (strcmp(oid, given_oid) == 0 && indx == i++) { /* Found the OID */ + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - /* Read the Value - */ - _gnutls_str_cpy(tmpbuffer3, - sizeof(tmpbuffer3), - tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, - sizeof(tmpbuffer3), - ".value"); - - len = *sizeof_buf; - result = - asn1_read_value(asn1_struct, - tmpbuffer3, buf, - &len); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (raw_flag != 0) { - if ((uint)len > *sizeof_buf) { - *sizeof_buf = len; - return - GNUTLS_E_SHORT_MEMORY_BUFFER; - } - *sizeof_buf = len; - - return 0; - - } else { /* parse data. raw_flag == 0 */ - printable = - _gnutls_x509_oid_data_printable - (oid); - - if (printable == 1) { - result = - _gnutls_x509_oid_data2string - (oid, buf, len, cbuf, - sizeof_buf); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - return 0; - } else { - char *res; - - res = - _gnutls_bin2hex(cbuf, - len, - escaped, - sizeof - (escaped)); - if (res) { - unsigned int size = - strlen(res) + - 1; - if (size + 1 > - *sizeof_buf) { - *sizeof_buf - = size; - return - GNUTLS_E_SHORT_MEMORY_BUFFER; - } - *sizeof_buf = size; /* -1 for the null +1 for the '#' */ - - if (buf) { - strcpy(cbuf, - "#"); - strcat(cbuf, - res); - } - - return 0; - } else { - gnutls_assert(); - return - GNUTLS_E_INTERNAL_ERROR; - } - } - } /* raw_flag == 0 */ + if (strcmp(oid, given_oid) == 0 && indx == i++) { /* Found the OID */ + + /* Read the Value + */ + _gnutls_str_cpy(tmpbuffer3, + sizeof(tmpbuffer3), tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".value"); + + len = *sizeof_buf; + result = + asn1_read_value(asn1_struct, tmpbuffer3, buf, &len); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (raw_flag != 0) { + if ((uint) len > *sizeof_buf) { + *sizeof_buf = len; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + *sizeof_buf = len; + + return 0; + + } else { /* parse data. raw_flag == 0 */ + printable = _gnutls_x509_oid_data_printable(oid); + + if (printable == 1) { + result = + _gnutls_x509_oid_data2string + (oid, buf, len, cbuf, sizeof_buf); + if (result < 0) { + gnutls_assert(); + goto cleanup; } - } while (1); + return 0; + } else { + char *res; + + res = + _gnutls_bin2hex(cbuf, + len, escaped, sizeof(escaped)); + if (res) { + unsigned int size = strlen(res) + 1; + if (size + 1 > *sizeof_buf) { + *sizeof_buf = size; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + *sizeof_buf = size; /* -1 for the null +1 for the '#' */ + + if (buf) { + strcpy(cbuf, "#"); + strcat(cbuf, res); + } + + return 0; + } else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + } + } /* raw_flag == 0 */ + } } while (1); - gnutls_assert(); + } while (1); - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + gnutls_assert(); - cleanup: - return result; + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + + cleanup: + return result; } /* Parses an X509 DN in the asn1_struct, and returns the requested @@ -562,130 +511,117 @@ int _gnutls_x509_parse_dn_oid(ASN1_TYPE asn1_struct, * OID found, 1 the second etc. */ int _gnutls_x509_get_dn_oid(ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, - int indx, void *_oid, size_t * sizeof_oid) + const char *asn1_rdn_name, + int indx, void *_oid, size_t * sizeof_oid) { - int k2, k1, result; - char tmpbuffer1[64]; - char tmpbuffer2[64]; - char tmpbuffer3[64]; - char counter[MAX_INT_DIGITS]; - char value[256]; - char oid[128]; - int len; - int i = 0; - - k1 = 0; - do { - - k1++; - /* create a string like "tbsCertList.issuer.rdnSequence.?1" - */ - _gnutls_int2str(k1, counter); - _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), - asn1_rdn_name); + int k2, k1, result; + char tmpbuffer1[64]; + char tmpbuffer2[64]; + char tmpbuffer3[64]; + char counter[MAX_INT_DIGITS]; + char value[256]; + char oid[128]; + int len; + int i = 0; + + k1 = 0; + do { + + k1++; + /* create a string like "tbsCertList.issuer.rdnSequence.?1" + */ + _gnutls_int2str(k1, counter); + _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), asn1_rdn_name); - if (strlen(tmpbuffer1) > 0) - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), - "."); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); + if (strlen(tmpbuffer1) > 0) + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer1, value, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - k2 = 0; + k2 = 0; - do { /* Move to the attibute type and values + do { /* Move to the attibute type and values */ - k2++; + k2++; - _gnutls_int2str(k2, counter); - _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), - tmpbuffer1); + _gnutls_int2str(k2, counter); + _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), tmpbuffer1); - if (strlen(tmpbuffer2) > 0) - _gnutls_str_cat(tmpbuffer2, - sizeof(tmpbuffer2), "."); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), - "?"); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), - counter); + if (strlen(tmpbuffer2) > 0) + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "."); + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "?"); + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), counter); - /* Try to read the RelativeDistinguishedName attributes. - */ + /* Try to read the RelativeDistinguishedName attributes. + */ - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer2, value, - &len); + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer2, value, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; - } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), - tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), - ".type"); + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".type"); - len = sizeof(oid) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer3, oid, - &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + len = sizeof(oid) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer3, oid, &len); - if ( indx == i++) { /* Found the OID */ + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - len = strlen( oid) + 1; + if (indx == i++) { /* Found the OID */ - if ( *sizeof_oid < (uint)len) { - *sizeof_oid = len; - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - memcpy( oid, _oid, len); - *sizeof_oid = len - 1; + len = strlen(oid) + 1; - return 0; - } - } while (1); + if (*sizeof_oid < (uint) len) { + *sizeof_oid = len; + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + memcpy(oid, _oid, len); + *sizeof_oid = len - 1; + + return 0; + } } while (1); - gnutls_assert(); + } while (1); - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + gnutls_assert(); - cleanup: - return result; + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + + cleanup: + return result; } /* This will encode and write the AttributeTypeAndValue field. @@ -698,108 +634,106 @@ int _gnutls_x509_encode_and_write_attribute(const char *given_oid, const void *_data, int sizeof_data, int multi) { - const char *val_name; - const opaque *data = _data; - char tmp[128]; - ASN1_TYPE c2; - int result; - - - /* Find how to encode the data. - */ - val_name = - asn1_find_structure_from_oid(_gnutls_get_pkix(), given_oid); - if (val_name == NULL) { - gnutls_assert(); - return GNUTLS_E_X509_UNSUPPORTED_OID; - } + const char *val_name; + const opaque *data = _data; + char tmp[128]; + ASN1_TYPE c2; + int result; - _gnutls_str_cpy(tmp, sizeof(tmp), "PKIX1."); - _gnutls_str_cat(tmp, sizeof(tmp), val_name); - result = asn1_create_element(_gnutls_get_pkix(), tmp, &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + /* Find how to encode the data. + */ + val_name = asn1_find_structure_from_oid(_gnutls_get_pkix(), given_oid); + if (val_name == NULL) { + gnutls_assert(); + return GNUTLS_E_X509_UNSUPPORTED_OID; + } - tmp[0] = 0; + _gnutls_str_cpy(tmp, sizeof(tmp), "PKIX1."); + _gnutls_str_cat(tmp, sizeof(tmp), val_name); - if ((result = _gnutls_x509_oid_data_choice(given_oid)) > 0) { - char *string_type; - int i; + result = asn1_create_element(_gnutls_get_pkix(), tmp, &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - string_type = "printableString"; + tmp[0] = 0; - /* Check if the data is plain ascii, and use - * the UTF8 string type if not. - */ - for (i = 0; i < sizeof_data; i++) { - if (!isascii(data[i])) { - string_type = "utf8String"; - break; - } - } + if ((result = _gnutls_x509_oid_data_choice(given_oid)) > 0) { + char *string_type; + int i; - /* if the type is a CHOICE then write the - * type we'll use. - */ - result = asn1_write_value(c2, "", string_type, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + string_type = "printableString"; - _gnutls_str_cpy(tmp, sizeof(tmp), string_type); + /* Check if the data is plain ascii, and use + * the UTF8 string type if not. + */ + for (i = 0; i < sizeof_data; i++) { + if (!isascii(data[i])) { + string_type = "utf8String"; + break; + } } - result = asn1_write_value(c2, tmp, data, sizeof_data); + /* if the type is a CHOICE then write the + * type we'll use. + */ + result = asn1_write_value(c2, "", string_type, 1); if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); } + _gnutls_str_cpy(tmp, sizeof(tmp), string_type); + } - /* write the data (value) - */ + result = asn1_write_value(c2, tmp, data, sizeof_data); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - _gnutls_str_cpy(tmp, sizeof(tmp), where); - _gnutls_str_cat(tmp, sizeof(tmp), ".value"); - if (multi != 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ - _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ + /* write the data (value) + */ - result = asn1_write_value(asn1_struct, tmp, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + _gnutls_str_cpy(tmp, sizeof(tmp), where); + _gnutls_str_cat(tmp, sizeof(tmp), ".value"); - _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); + if (multi != 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ + _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ + result = asn1_write_value(asn1_struct, tmp, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); } - result = - _gnutls_x509_der_encode_and_copy(c2, "", asn1_struct, tmp, 0); - if (result < 0) { - gnutls_assert(); - return result; - } + _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); - /* write the type - */ - _gnutls_str_cpy(tmp, sizeof(tmp), where); - _gnutls_str_cat(tmp, sizeof(tmp), ".type"); + } - result = asn1_write_value(asn1_struct, tmp, given_oid, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = _gnutls_x509_der_encode_and_copy(c2, "", asn1_struct, tmp, 0); + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + /* write the type + */ + _gnutls_str_cpy(tmp, sizeof(tmp), where); + _gnutls_str_cat(tmp, sizeof(tmp), ".type"); + + result = asn1_write_value(asn1_struct, tmp, given_oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /* This will write the AttributeTypeAndValue field. The data must be already DER encoded. @@ -811,46 +745,46 @@ int _gnutls_x509_write_attribute(const char *given_oid, const void *_data, int sizeof_data, int multi) { - char tmp[128]; - int result; + char tmp[128]; + int result; - /* write the data (value) - */ + /* write the data (value) + */ - _gnutls_str_cpy(tmp, sizeof(tmp), where); - _gnutls_str_cat(tmp, sizeof(tmp), ".value"); + _gnutls_str_cpy(tmp, sizeof(tmp), where); + _gnutls_str_cat(tmp, sizeof(tmp), ".value"); - if (multi != 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ - _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ + if (multi != 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ + _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ - result = asn1_write_value(asn1_struct, tmp, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = asn1_write_value(asn1_struct, tmp, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); + _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); - } + } - result = asn1_write_value(asn1_struct, tmp, _data, sizeof_data); - if (result < 0) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = asn1_write_value(asn1_struct, tmp, _data, sizeof_data); + if (result < 0) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - /* write the type - */ - _gnutls_str_cpy(tmp, sizeof(tmp), where); - _gnutls_str_cat(tmp, sizeof(tmp), ".type"); + /* write the type + */ + _gnutls_str_cpy(tmp, sizeof(tmp), where); + _gnutls_str_cat(tmp, sizeof(tmp), ".type"); - result = asn1_write_value(asn1_struct, tmp, given_oid, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = asn1_write_value(asn1_struct, tmp, given_oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } @@ -862,39 +796,39 @@ int _gnutls_x509_decode_and_read_attribute(ASN1_TYPE asn1_struct, int oid_size, gnutls_datum * value, int multi) { - char tmpbuffer[128]; - int len, result; + char tmpbuffer[128]; + int len, result; - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer, sizeof(tmpbuffer), where); - _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), ".type"); + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer, sizeof(tmpbuffer), where); + _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), ".type"); - len = oid_size - 1; - result = asn1_read_value(asn1_struct, tmpbuffer, oid, &len); + len = oid_size - 1; + result = asn1_read_value(asn1_struct, tmpbuffer, oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - return result; - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + return result; + } - /* Read the Value - */ + /* Read the Value + */ - _gnutls_str_cpy(tmpbuffer, sizeof(tmpbuffer), where); - _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), ".value"); + _gnutls_str_cpy(tmpbuffer, sizeof(tmpbuffer), where); + _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), ".value"); - if (multi) - _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), "s.?1"); /* .values.?1 */ + if (multi) + _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), "s.?1"); /* .values.?1 */ - result = _gnutls_x509_read_value(asn1_struct, tmpbuffer, value, 0); - if (result < 0) { - gnutls_assert(); - return result; - } + result = _gnutls_x509_read_value(asn1_struct, tmpbuffer, value, 0); + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } @@ -910,72 +844,68 @@ int _gnutls_x509_set_dn_oid(ASN1_TYPE asn1_struct, int raw_flag, const char *name, int sizeof_name) { - int result; - char tmp[64], asn1_rdn_name[64]; + int result; + char tmp[64], asn1_rdn_name[64]; - if (sizeof_name == 0 || name == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (sizeof_name == 0 || name == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* create the rdnSequence - */ - result = - asn1_write_value(asn1_struct, asn1_name, "rdnSequence", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + /* create the rdnSequence + */ + result = asn1_write_value(asn1_struct, asn1_name, "rdnSequence", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - _gnutls_str_cpy(asn1_rdn_name, sizeof(asn1_rdn_name), asn1_name); - _gnutls_str_cat(asn1_rdn_name, sizeof(asn1_rdn_name), - ".rdnSequence"); + _gnutls_str_cpy(asn1_rdn_name, sizeof(asn1_rdn_name), asn1_name); + _gnutls_str_cat(asn1_rdn_name, sizeof(asn1_rdn_name), ".rdnSequence"); - /* create a new element - */ - result = asn1_write_value(asn1_struct, asn1_rdn_name, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + /* create a new element + */ + result = asn1_write_value(asn1_struct, asn1_rdn_name, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - _gnutls_str_cpy(tmp, sizeof(tmp), asn1_rdn_name); - _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); + _gnutls_str_cpy(tmp, sizeof(tmp), asn1_rdn_name); + _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); - /* create the set with only one element - */ - result = asn1_write_value(asn1_struct, tmp, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + /* create the set with only one element + */ + result = asn1_write_value(asn1_struct, tmp, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - /* Encode and write the data - */ - _gnutls_str_cpy(tmp, sizeof(tmp), asn1_rdn_name); - _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST.?LAST"); + /* Encode and write the data + */ + _gnutls_str_cpy(tmp, sizeof(tmp), asn1_rdn_name); + _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST.?LAST"); - if (!raw_flag) { - result = - _gnutls_x509_encode_and_write_attribute(given_oid, - asn1_struct, - tmp, name, - sizeof_name, - 0); - } else { - result = - _gnutls_x509_write_attribute(given_oid, asn1_struct, - tmp, name, sizeof_name, - 0); - } + if (!raw_flag) { + result = + _gnutls_x509_encode_and_write_attribute(given_oid, + asn1_struct, + tmp, name, + sizeof_name, 0); + } else { + result = + _gnutls_x509_write_attribute(given_oid, asn1_struct, + tmp, name, sizeof_name, 0); + } - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } @@ -996,37 +926,37 @@ int _gnutls_x509_set_dn_oid(ASN1_TYPE asn1_struct, int gnutls_x509_rdn_get(const gnutls_datum * idn, char *buf, size_t * sizeof_buf) { - int result; - ASN1_TYPE dn = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; - if (sizeof_buf == 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (sizeof_buf == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (buf) - buf[0] = 0; + if (buf) + buf[0] = 0; - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Name", &dn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); + asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } - result = _gnutls_x509_parse_dn(dn, "rdnSequence", buf, sizeof_buf); + result = _gnutls_x509_parse_dn(dn, "rdnSequence", buf, sizeof_buf); - asn1_delete_structure(&dn); - return result; + asn1_delete_structure(&dn); + return result; } @@ -1048,37 +978,37 @@ int gnutls_x509_rdn_get(const gnutls_datum * idn, * **/ int gnutls_x509_rdn_get_by_oid(const gnutls_datum * idn, const char *oid, - int indx, unsigned int raw_flag, - void *buf, size_t * sizeof_buf) + int indx, unsigned int raw_flag, + void *buf, size_t * sizeof_buf) { - int result; - ASN1_TYPE dn = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; - if (sizeof_buf == 0) { - return GNUTLS_E_INVALID_REQUEST; - } + if (sizeof_buf == 0) { + return GNUTLS_E_INVALID_REQUEST; + } - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Name", &dn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); + asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } - result = - _gnutls_x509_parse_dn_oid(dn, "rdnSequence", oid, indx, - raw_flag, buf, sizeof_buf); + result = + _gnutls_x509_parse_dn_oid(dn, "rdnSequence", oid, indx, + raw_flag, buf, sizeof_buf); - asn1_delete_structure(&dn); - return result; + asn1_delete_structure(&dn); + return result; } @@ -1096,37 +1026,36 @@ int gnutls_x509_rdn_get_by_oid(const gnutls_datum * idn, const char *oid, * and 0 on success. * **/ -int gnutls_x509_rdn_get_oid(const gnutls_datum * idn, - int indx, void *buf, size_t * sizeof_buf) +int gnutls_x509_rdn_get_oid(const gnutls_datum * idn, + int indx, void *buf, size_t * sizeof_buf) { - int result; - ASN1_TYPE dn = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; - if (sizeof_buf == 0) { - return GNUTLS_E_INVALID_REQUEST; - } + if (sizeof_buf == 0) { + return GNUTLS_E_INVALID_REQUEST; + } - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Name", &dn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); + asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } - result = - _gnutls_x509_get_dn_oid(dn, "rdnSequence", indx, - buf, sizeof_buf); + result = + _gnutls_x509_get_dn_oid(dn, "rdnSequence", indx, buf, sizeof_buf); - asn1_delete_structure(&dn); - return result; + asn1_delete_structure(&dn); + return result; } @@ -1142,13 +1071,13 @@ int _gnutls_x509_compare_raw_dn(const gnutls_datum * dn1, const gnutls_datum * dn2) { - if (dn1->size != dn2->size) { - gnutls_assert(); - return 0; - } - if (memcmp(dn1->data, dn2->data, dn2->size) != 0) { - gnutls_assert(); - return 0; - } - return 1; /* they match */ + if (dn1->size != dn2->size) { + gnutls_assert(); + return 0; + } + if (memcmp(dn1->data, dn2->data, dn2->size) != 0) { + gnutls_assert(); + return 0; + } + return 1; /* they match */ } diff --git a/lib/x509/dsa.c b/lib/x509/dsa.c index 1a2d593fc0..e4ac45bb07 100644 --- a/lib/x509/dsa.c +++ b/lib/x509/dsa.c @@ -22,7 +22,7 @@ /* This file contains code for DSA keys. */ - + #include <gnutls_int.h> #include <gnutls_errors.h> #include <gnutls_datum.h> @@ -30,96 +30,95 @@ /* resarr will contain: p(0), q(1), g(2), y(3), x(4). */ -int _gnutls_dsa_generate_params(mpi_t* resarr, int* resarr_len, int bits) +int _gnutls_dsa_generate_params(mpi_t * resarr, int *resarr_len, int bits) { - int ret; - gcry_sexp_t parms, key, list; - - if (bits > 1024) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = gcry_sexp_build( &parms, NULL, "(genkey(dsa(nbits %d)))", bits); - if (ret != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* generate the DSA key - */ - ret = gcry_pk_genkey( &key, parms); - gcry_sexp_release( parms); - - if (ret != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - list = gcry_sexp_find_token( key, "p", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - list = gcry_sexp_find_token( key, "q", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[1] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - list = gcry_sexp_find_token( key, "g", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[2] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - list = gcry_sexp_find_token( key, "y", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[3] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - - list = gcry_sexp_find_token( key, "x", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[4] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + int ret; + gcry_sexp_t parms, key, list; + + if (bits > 1024) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = gcry_sexp_build(&parms, NULL, "(genkey(dsa(nbits %d)))", bits); + if (ret != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* generate the DSA key + */ + ret = gcry_pk_genkey(&key, parms); + gcry_sexp_release(parms); + + if (ret != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + list = gcry_sexp_find_token(key, "p", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + list = gcry_sexp_find_token(key, "q", 0); + if (list == NULL) { + gnutls_assert(); gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } - _gnutls_dump_mpi( "p: ", resarr[0]); - _gnutls_dump_mpi( "q: ", resarr[1]); - _gnutls_dump_mpi( "g: ", resarr[2]); - _gnutls_dump_mpi( "y: ", resarr[3]); - _gnutls_dump_mpi( "x: ", resarr[4]); + resarr[1] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); - *resarr_len = 5; + list = gcry_sexp_find_token(key, "g", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } - return 0; + resarr[2] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); -} + list = gcry_sexp_find_token(key, "y", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[3] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + + + list = gcry_sexp_find_token(key, "x", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[4] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + + + gcry_sexp_release(key); + _gnutls_dump_mpi("p: ", resarr[0]); + _gnutls_dump_mpi("q: ", resarr[1]); + _gnutls_dump_mpi("g: ", resarr[2]); + _gnutls_dump_mpi("y: ", resarr[3]); + _gnutls_dump_mpi("x: ", resarr[4]); + + *resarr_len = 5; + + return 0; + +} diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c index 21bc965c3d..1d499f6abf 100644 --- a/lib/x509/extensions.c +++ b/lib/x509/extensions.c @@ -41,114 +41,117 @@ * If the extension does not exist, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will * be returned. */ -int _gnutls_x509_crt_get_extension( gnutls_x509_crt cert, const char* extension_id, - int indx, gnutls_datum* ret, unsigned int * _critical) +int _gnutls_x509_crt_get_extension(gnutls_x509_crt cert, + const char *extension_id, int indx, + gnutls_datum * ret, + unsigned int *_critical) { - int k, result, len; - char name[128], name2[128], counter[MAX_INT_DIGITS]; - char str[1024]; - char str_critical[10]; - int critical = 0; - char extnID[128]; - gnutls_datum value; - int indx_counter = 0; - - ret->data = NULL; - ret->size = 0; - - k = 0; + int k, result, len; + char name[128], name2[128], counter[MAX_INT_DIGITS]; + char str[1024]; + char str_critical[10]; + int critical = 0; + char extnID[128]; + gnutls_datum value; + int indx_counter = 0; + + ret->data = NULL; + ret->size = 0; + + k = 0; + do { + k++; + + _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); + _gnutls_int2str(k, counter); + _gnutls_str_cat(name, sizeof(name), counter); + + len = sizeof(str) - 1; + result = asn1_read_value(cert->cert, name, str, &len); + + /* move to next + */ + + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } + do { - k++; - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(k, counter); - _gnutls_str_cat(name, sizeof(name), counter); + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnID"); - len = sizeof(str) - 1; - result = asn1_read_value(cert->cert, name, str, &len); + len = sizeof(extnID) - 1; + result = asn1_read_value(cert->cert, name2, extnID, &len); - /* move to next + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Handle Extension + */ + if (strcmp(extnID, extension_id) == 0 + && indx == indx_counter++) { + /* extension was found + */ + + /* read the critical status. */ + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".critical"); + + len = sizeof(str_critical); + result = + asn1_read_value(cert->cert, name2, str_critical, &len); if (result == ASN1_ELEMENT_NOT_FOUND) { - break; + gnutls_assert(); + break; + } else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); } - do { - - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnID"); - - len = sizeof(extnID) - 1; - result = - asn1_read_value(cert->cert, name2, extnID, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* Handle Extension - */ - if ( strcmp(extnID, extension_id)==0 && indx == indx_counter++) { - /* extension was found - */ - - /* read the critical status. - */ - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".critical"); - - len = sizeof(str_critical); - result = - asn1_read_value(cert->cert, name2, str_critical, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if (str_critical[0] == 'T') - critical = 1; - else critical = 0; - - /* read the value. - */ - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnValue"); - - result = _gnutls_x509_read_value( cert->cert, name2, - &value, 0); - if (result < 0) { - gnutls_assert(); - return result; - } - - ret->data = value.data; - ret->size = value.size; - - if (_critical) - *_critical = critical; - - return 0; - } - - - } while (0); - } while (1); + if (str_critical[0] == 'T') + critical = 1; + else + critical = 0; - if (result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } else { - gnutls_assert(); - return _gnutls_asn2err(result); - } + /* read the value. + */ + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnValue"); + + result = _gnutls_x509_read_value(cert->cert, name2, + &value, 0); + if (result < 0) { + gnutls_assert(); + return result; + } + + ret->data = value.data; + ret->size = value.size; + + if (_critical) + *_critical = critical; + + return 0; + } + + + } while (0); + } while (1); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } else { + gnutls_assert(); + return _gnutls_asn2err(result); + } } /* This function will attempt to return the requested extension OID found in @@ -157,77 +160,77 @@ int _gnutls_x509_crt_get_extension( gnutls_x509_crt cert, const char* extension_ * If you have passed the last extension, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will * be returned. */ -int _gnutls_x509_crt_get_extension_oid( gnutls_x509_crt cert, - int indx, void* oid, size_t* sizeof_oid) +int _gnutls_x509_crt_get_extension_oid(gnutls_x509_crt cert, + int indx, void *oid, + size_t * sizeof_oid) { - int k, result, len; - char name[128], name2[128], counter[MAX_INT_DIGITS]; - char str[1024]; - char extnID[128]; - int indx_counter = 0; + int k, result, len; + char name[128], name2[128], counter[MAX_INT_DIGITS]; + char str[1024]; + char extnID[128]; + int indx_counter = 0; - k = 0; - do { - k++; + k = 0; + do { + k++; - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(k, counter); - _gnutls_str_cat(name, sizeof(name), counter); + _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); + _gnutls_int2str(k, counter); + _gnutls_str_cat(name, sizeof(name), counter); - len = sizeof(str) - 1; - result = asn1_read_value(cert->cert, name, str, &len); + len = sizeof(str) - 1; + result = asn1_read_value(cert->cert, name, str, &len); - /* move to next - */ + /* move to next + */ - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } - do { + do { - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnID"); + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnID"); - len = sizeof(extnID) - 1; - result = - asn1_read_value(cert->cert, name2, extnID, &len); + len = sizeof(extnID) - 1; + result = asn1_read_value(cert->cert, name2, extnID, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - /* Handle Extension - */ - if ( indx == indx_counter++) { - len = strlen( extnID) + 1; + /* Handle Extension + */ + if (indx == indx_counter++) { + len = strlen(extnID) + 1; - if ( *sizeof_oid < (uint)len) { - *sizeof_oid = len; - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - memcpy( oid, extnID, len); - *sizeof_oid = len - 1; + if (*sizeof_oid < (uint) len) { + *sizeof_oid = len; + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - return 0; - } + memcpy(oid, extnID, len); + *sizeof_oid = len - 1; + return 0; + } - } while (0); - } while (1); - if (result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } else { - gnutls_assert(); - return _gnutls_asn2err(result); - } + } while (0); + } while (1); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } else { + gnutls_assert(); + return _gnutls_asn2err(result); + } } /* This function will attempt to set the requested extension in @@ -235,82 +238,94 @@ int _gnutls_x509_crt_get_extension_oid( gnutls_x509_crt cert, * * Critical will be either 0 or 1. */ -static int set_extension( ASN1_TYPE asn, const char* extension_id, - const gnutls_datum* ext_data, unsigned int critical) +static int set_extension(ASN1_TYPE asn, const char *extension_id, + const gnutls_datum * ext_data, + unsigned int critical) { - int result; - const char *str; - - /* Add a new extension in the list. - */ - result = asn1_write_value(asn, "tbsCertificate.extensions", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = asn1_write_value(asn, "tbsCertificate.extensions.?LAST.extnID", extension_id, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if (critical==0) str = "FALSE"; - else str = "TRUE"; - - - result = asn1_write_value(asn, "tbsCertificate.extensions.?LAST.critical", str, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + int result; + const char *str; + + /* Add a new extension in the list. + */ + result = asn1_write_value(asn, "tbsCertificate.extensions", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + asn1_write_value(asn, "tbsCertificate.extensions.?LAST.extnID", + extension_id, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (critical == 0) + str = "FALSE"; + else + str = "TRUE"; + + + result = + asn1_write_value(asn, "tbsCertificate.extensions.?LAST.critical", + str, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + _gnutls_x509_write_value(asn, + "tbsCertificate.extensions.?LAST.extnValue", + ext_data, 0); + if (result < 0) { + gnutls_assert(); + return result; + } - result = _gnutls_x509_write_value( asn, "tbsCertificate.extensions.?LAST.extnValue", - ext_data, 0); - if (result < 0) { - gnutls_assert(); - return result; - } - - return 0; + return 0; } /* Overwrite the given extension (using the index) * index here starts from one. */ -static int overwrite_extension( ASN1_TYPE asn, unsigned int indx, - const gnutls_datum *ext_data, unsigned int critical) +static int overwrite_extension(ASN1_TYPE asn, unsigned int indx, + const gnutls_datum * ext_data, + unsigned int critical) { -char name[128], name2[128], counter[MAX_INT_DIGITS]; -const char* str; -int result; - - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(indx, counter); - _gnutls_str_cat(name, sizeof(name), counter); - - if (critical==0) str = "FALSE"; - else str = "TRUE"; - - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".critical"); - - result = asn1_write_value(asn, name2, str, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnValue"); + char name[128], name2[128], counter[MAX_INT_DIGITS]; + const char *str; + int result; + + _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); + _gnutls_int2str(indx, counter); + _gnutls_str_cat(name, sizeof(name), counter); + + if (critical == 0) + str = "FALSE"; + else + str = "TRUE"; + + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".critical"); + + result = asn1_write_value(asn, name2, str, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnValue"); + + result = _gnutls_x509_write_value(asn, name2, ext_data, 0); + if (result < 0) { + gnutls_assert(); + return result; + } - result = _gnutls_x509_write_value( asn, name2, ext_data, 0); - if (result < 0) { - gnutls_assert(); - return result; - } - - return 0; + return 0; } /* This function will attempt to overwrite the requested extension with @@ -318,396 +333,412 @@ int result; * * Critical will be either 0 or 1. */ -int _gnutls_x509_crt_set_extension( gnutls_x509_crt cert, const char* ext_id, - const gnutls_datum* ext_data, unsigned int critical) +int _gnutls_x509_crt_set_extension(gnutls_x509_crt cert, + const char *ext_id, + const gnutls_datum * ext_data, + unsigned int critical) { - int result; - int k, len; - char name[128], name2[128], counter[MAX_INT_DIGITS]; - char extnID[128]; + int result; + int k, len; + char name[128], name2[128], counter[MAX_INT_DIGITS]; + char extnID[128]; - /* Find the index of the given extension. - */ - k = 0; - do { - k++; + /* Find the index of the given extension. + */ + k = 0; + do { + k++; - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(k, counter); - _gnutls_str_cat(name, sizeof(name), counter); + _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); + _gnutls_int2str(k, counter); + _gnutls_str_cat(name, sizeof(name), counter); - len = sizeof(extnID) - 1; - result = asn1_read_value(cert->cert, name, extnID, &len); + len = sizeof(extnID) - 1; + result = asn1_read_value(cert->cert, name, extnID, &len); - /* move to next - */ + /* move to next + */ - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } - do { + do { - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnID"); + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnID"); - len = sizeof(extnID) - 1; - result = - asn1_read_value(cert->cert, name2, extnID, &len); + len = sizeof(extnID) - 1; + result = asn1_read_value(cert->cert, name2, extnID, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - /* Handle Extension - */ - if ( strcmp(extnID, ext_id)==0) { - /* extension was found - */ - return overwrite_extension( cert->cert, k, ext_data, critical); - } + /* Handle Extension + */ + if (strcmp(extnID, ext_id) == 0) { + /* extension was found + */ + return overwrite_extension(cert->cert, k, ext_data, + critical); + } - } while (0); - } while (1); + } while (0); + } while (1); - if (result == ASN1_ELEMENT_NOT_FOUND) { - return set_extension( cert->cert, ext_id, ext_data, critical); - } else { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + return set_extension(cert->cert, ext_id, ext_data, critical); + } else { + gnutls_assert(); + return _gnutls_asn2err(result); + } - - return 0; + + return 0; } /* Here we only extract the KeyUsage field, from the DER encoded * extension. */ -int _gnutls_x509_ext_extract_keyUsage(uint16 *keyUsage, opaque * extnValue, - int extnValueLen) +int _gnutls_x509_ext_extract_keyUsage(uint16 * keyUsage, + opaque * extnValue, int extnValueLen) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int len, result; - uint8 str[2]; - - str[0] = str[1] = 0; - *keyUsage = 0; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int len, result; + uint8 str[2]; - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.KeyUsage", &ext - )) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + str[0] = str[1] = 0; + *keyUsage = 0; - result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.KeyUsage", &ext)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } - - len = sizeof(str); - result = asn1_read_value(ext, "", str, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return 0; - } - - *keyUsage = str[0] | (str[1] << 8); + result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + len = sizeof(str); + result = asn1_read_value(ext, "", str, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); return 0; + } + + *keyUsage = str[0] | (str[1] << 8); + + asn1_delete_structure(&ext); + + return 0; } /* extract the basicConstraints from the DER encoded extension */ int _gnutls_x509_ext_extract_basicConstraints(int *CA, opaque * extnValue, - int extnValueLen) + int extnValueLen) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - char str[128]; - int len, result; - - *CA = 0; - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.BasicConstraints", &ext - )) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + char str[128]; + int len, result; - result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + *CA = 0; - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.BasicConstraints", + &ext)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - len = sizeof(str) - 1; - /* the default value of cA is false. - */ - result = asn1_read_value(ext, "cA", str, &len); - if (result != ASN1_SUCCESS) { - asn1_delete_structure(&ext); - return 0; - } + result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + len = sizeof(str) - 1; + /* the default value of cA is false. + */ + result = asn1_read_value(ext, "cA", str, &len); + if (result != ASN1_SUCCESS) { + asn1_delete_structure(&ext); + return 0; + } - if (strcmp(str, "TRUE") == 0) - *CA = 1; - else - *CA = 0; + asn1_delete_structure(&ext); + if (strcmp(str, "TRUE") == 0) + *CA = 1; + else + *CA = 0; - return 0; + + return 0; } /* generate the basicConstraints in a DER encoded extension * Use 0 or 1 (TRUE) for CA. */ -int _gnutls_x509_ext_gen_basicConstraints(int CA, gnutls_datum* der_ext) +int _gnutls_x509_ext_gen_basicConstraints(int CA, gnutls_datum * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - const char *str; - int result; - - if (CA == 0) str = "FALSE"; - else str = "TRUE"; - - result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.BasicConstraints", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + const char *str; + int result; + + if (CA == 0) + str = "FALSE"; + else + str = "TRUE"; + + result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.BasicConstraints", + &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(ext, "cA", str, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } - result = asn1_write_value(ext, "cA", str, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } + asn1_write_value(ext, "pathLenConstraint", NULL, 0); - asn1_write_value(ext, "pathLenConstraint", NULL, 0); - - result = _gnutls_x509_der_encode( ext, "", der_ext, 0); + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure(&ext); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /* generate the keyUsage in a DER encoded extension * Use an ORed SEQUENCE of GNUTLS_KEY_* for usage. */ -int _gnutls_x509_ext_gen_keyUsage(uint16 usage, gnutls_datum* der_ext) +int _gnutls_x509_ext_gen_keyUsage(uint16 usage, gnutls_datum * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - uint8 str[2]; - - result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.KeyUsage", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - str[0] = usage & 0xff; - str[1] = usage >> 8; - - result = asn1_write_value(ext, "", str, 9); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + uint8 str[2]; + + result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.KeyUsage", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + str[0] = usage & 0xff; + str[1] = usage >> 8; + + result = asn1_write_value(ext, "", str, 9); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } - result = _gnutls_x509_der_encode( ext, "", der_ext, 0); + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure(&ext); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } -static int write_new_general_name( ASN1_TYPE ext, const char* ext_name, - gnutls_x509_subject_alt_name type, const char* data_string) +static int write_new_general_name(ASN1_TYPE ext, const char *ext_name, + gnutls_x509_subject_alt_name type, + const char *data_string) { -const char* str; -int result; -char name[128]; - - result = asn1_write_value( ext, ext_name, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - switch(type) { - case GNUTLS_SAN_DNSNAME: - str = "dNSName"; - break; - case GNUTLS_SAN_RFC822NAME: - str = "rfc822Name"; - break; - case GNUTLS_SAN_URI: - str = "uniformResourceIdentifier"; - break; - case GNUTLS_SAN_IPADDRESS: - str = "iPAddress"; - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - if (ext_name[0] == 0) { /* no dot */ - _gnutls_str_cpy( name, sizeof(name), "?LAST"); - } else { - _gnutls_str_cpy( name, sizeof(name), ext_name); - _gnutls_str_cat( name, sizeof(name), ".?LAST"); - } - - result = asn1_write_value( ext, name, str, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - _gnutls_str_cat( name, sizeof(name), "."); - _gnutls_str_cat( name, sizeof(name), str); - - result = asn1_write_value(ext, name, data_string, strlen(data_string)); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } + const char *str; + int result; + char name[128]; + + result = asn1_write_value(ext, ext_name, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + switch (type) { + case GNUTLS_SAN_DNSNAME: + str = "dNSName"; + break; + case GNUTLS_SAN_RFC822NAME: + str = "rfc822Name"; + break; + case GNUTLS_SAN_URI: + str = "uniformResourceIdentifier"; + break; + case GNUTLS_SAN_IPADDRESS: + str = "iPAddress"; + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (ext_name[0] == 0) { /* no dot */ + _gnutls_str_cpy(name, sizeof(name), "?LAST"); + } else { + _gnutls_str_cpy(name, sizeof(name), ext_name); + _gnutls_str_cat(name, sizeof(name), ".?LAST"); + } + + result = asn1_write_value(ext, name, str, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + _gnutls_str_cat(name, sizeof(name), "."); + _gnutls_str_cat(name, sizeof(name), str); + + result = asn1_write_value(ext, name, data_string, strlen(data_string)); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /* Convert the given name to GeneralNames in a DER encoded extension. * This is the same as subject alternative name. */ -int _gnutls_x509_ext_gen_subject_alt_name(gnutls_x509_subject_alt_name type, - const char* data_string, gnutls_datum* der_ext) +int _gnutls_x509_ext_gen_subject_alt_name(gnutls_x509_subject_alt_name + type, const char *data_string, + gnutls_datum * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - - result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.GeneralNames", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = write_new_general_name(ext, "", type, data_string); - if (result < 0) { - gnutls_assert(); - asn1_delete_structure(&ext); - return result; - } + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + + result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.GeneralNames", + &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = write_new_general_name(ext, "", type, data_string); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&ext); + return result; + } - result = _gnutls_x509_der_encode( ext, "", der_ext, 0); + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure(&ext); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /* generate the SubjectKeyID in a DER encoded extension */ -int _gnutls_x509_ext_gen_key_id(const void* id, size_t id_size, gnutls_datum* der_ext) +int _gnutls_x509_ext_gen_key_id(const void *id, size_t id_size, + gnutls_datum * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - - result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.SubjectKeyIdentifier", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = asn1_write_value(ext, "", id, id_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.SubjectKeyIdentifier", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(ext, "", id, id_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } - result = _gnutls_x509_der_encode( ext, "", der_ext, 0); + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure(&ext); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /* generate the AuthorityKeyID in a DER encoded extension */ -int _gnutls_x509_ext_gen_auth_key_id(const void* id, size_t id_size, gnutls_datum* der_ext) +int _gnutls_x509_ext_gen_auth_key_id(const void *id, size_t id_size, + gnutls_datum * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - - result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.AuthorityKeyIdentifier", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = asn1_write_value(ext, "keyIdentifier", id, id_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.AuthorityKeyIdentifier", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(ext, "keyIdentifier", id, id_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } - asn1_write_value(ext, "authorityCertIssuer", NULL, 0); - asn1_write_value(ext, "authorityCertSerialNumber", NULL, 0); + asn1_write_value(ext, "authorityCertIssuer", NULL, 0); + asn1_write_value(ext, "authorityCertSerialNumber", NULL, 0); - result = _gnutls_x509_der_encode( ext, "", der_ext, 0); + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure(&ext); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } @@ -716,85 +747,93 @@ int _gnutls_x509_ext_gen_auth_key_id(const void* id, size_t id_size, gnutls_datu * reason_flags should be an or'ed sequence of GNUTLS_CRL_REASON_*. * */ -int _gnutls_x509_ext_gen_crl_dist_points(gnutls_x509_subject_alt_name type, - const void* data_string, unsigned int reason_flags, gnutls_datum* der_ext) +int _gnutls_x509_ext_gen_crl_dist_points(gnutls_x509_subject_alt_name type, + const void *data_string, + unsigned int reason_flags, + gnutls_datum * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - gnutls_datum gnames = {NULL, 0}; - int result; - uint8 reasons[2]; - - reasons[0] = reason_flags & 0xff; - reasons[1] = reason_flags >> 8; - - result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value( ext, "", "NEW", 1); + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + gnutls_datum gnames = { NULL, 0 }; + int result; + uint8 reasons[2]; + + reasons[0] = reason_flags & 0xff; + reasons[1] = reason_flags >> 8; + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.CRLDistributionPoints", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_write_value(ext, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (reason_flags) { + result = asn1_write_value(ext, "?LAST.reasons", reasons, 9); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (reason_flags) { - result = asn1_write_value( ext, "?LAST.reasons", reasons, 9); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - } else { - result = asn1_write_value( ext, "?LAST.reasons", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - - result = asn1_write_value( ext, "?LAST.cRLIssuer", NULL, 0); + } else { + result = asn1_write_value(ext, "?LAST.reasons", NULL, 0); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + } + + result = asn1_write_value(ext, "?LAST.cRLIssuer", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } #if 0 - /* When used as type CHOICE. - */ - result = asn1_write_value( ext, "?LAST.distributionPoint", "fullName", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + /* When used as type CHOICE. + */ + result = + asn1_write_value(ext, "?LAST.distributionPoint", "fullName", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } #endif - asn1_write_value( ext, "?LAST.distributionPoint.nameRelativeToCRLIssuer", NULL, 0); + asn1_write_value(ext, + "?LAST.distributionPoint.nameRelativeToCRLIssuer", + NULL, 0); - result = write_new_general_name(ext, "?LAST.distributionPoint.fullName", type, data_string); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + result = + write_new_general_name(ext, "?LAST.distributionPoint.fullName", + type, data_string); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = _gnutls_x509_der_encode( ext, "", der_ext, 0); + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = 0; + result = 0; -cleanup: - _gnutls_free_datum( &gnames); - asn1_delete_structure(&ext); + cleanup: + _gnutls_free_datum(&gnames); + asn1_delete_structure(&ext); - return result; + return result; } diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c index 7a0604ccd3..f7ea8ac213 100644 --- a/lib/x509/mpi.c +++ b/lib/x509/mpi.c @@ -37,43 +37,42 @@ */ int _gnutls_x509_read_rsa_params(opaque * der, int dersize, mpi_t * params) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - if ((result=asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk)) - != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; - result = asn1_der_decoding(&spk, der, dersize, NULL); + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&spk); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&spk, der, dersize, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&spk); + return _gnutls_asn2err(result); + } - if ( (result=_gnutls_x509_read_int( spk, "modulus", - ¶ms[0])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } - if ( (result=_gnutls_x509_read_int( spk, "publicExponent", - ¶ms[1])) < 0) { - gnutls_assert(); - _gnutls_mpi_release(¶ms[0]); - asn1_delete_structure(&spk); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } + if ((result = _gnutls_x509_read_int(spk, "modulus", ¶ms[0])) < 0) { + gnutls_assert(); + asn1_delete_structure(&spk); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } + if ((result = _gnutls_x509_read_int(spk, "publicExponent", + ¶ms[1])) < 0) { + gnutls_assert(); + _gnutls_mpi_release(¶ms[0]); asn1_delete_structure(&spk); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } - return 0; + asn1_delete_structure(&spk); + + return 0; } @@ -84,59 +83,58 @@ int _gnutls_x509_read_rsa_params(opaque * der, int dersize, mpi_t * params) */ int _gnutls_x509_read_dsa_params(opaque * der, int dersize, mpi_t * params) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.Dss-Parms", &spk - )) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; - result = asn1_der_decoding(&spk, der, dersize, NULL); + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.Dss-Parms", &spk)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&spk); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&spk, der, dersize, NULL); - /* FIXME: If the parameters are not included in the certificate - * then the issuer's parameters should be used. This is not - * done yet. - */ + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&spk); + return _gnutls_asn2err(result); + } - /* Read p */ + /* FIXME: If the parameters are not included in the certificate + * then the issuer's parameters should be used. This is not + * done yet. + */ - if ( (result=_gnutls_x509_read_int( spk, "p", ¶ms[0])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } + /* Read p */ - /* Read q */ + if ((result = _gnutls_x509_read_int(spk, "p", ¶ms[0])) < 0) { + gnutls_assert(); + asn1_delete_structure(&spk); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } - if ( (result=_gnutls_x509_read_int( spk, "q", ¶ms[1])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - _gnutls_mpi_release(¶ms[0]); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } + /* Read q */ - /* Read g */ - - if ( (result=_gnutls_x509_read_int( spk, "g", ¶ms[2])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - _gnutls_mpi_release(¶ms[0]); - _gnutls_mpi_release(¶ms[1]); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } + if ((result = _gnutls_x509_read_int(spk, "q", ¶ms[1])) < 0) { + gnutls_assert(); + asn1_delete_structure(&spk); + _gnutls_mpi_release(¶ms[0]); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } + /* Read g */ + + if ((result = _gnutls_x509_read_int(spk, "g", ¶ms[2])) < 0) { + gnutls_assert(); asn1_delete_structure(&spk); + _gnutls_mpi_release(¶ms[0]); + _gnutls_mpi_release(¶ms[1]); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } - return 0; + asn1_delete_structure(&spk); + + return 0; } @@ -146,133 +144,132 @@ int _gnutls_x509_read_dsa_params(opaque * der, int dersize, mpi_t * params) */ int _gnutls_x509_read_dsa_pubkey(opaque * der, int dersize, mpi_t * params) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - if ( (result=asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", &spk - )) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; - result = asn1_der_decoding(&spk, der, dersize, NULL); + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", + &spk)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&spk); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&spk, der, dersize, NULL); - /* Read Y */ + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&spk); + return _gnutls_asn2err(result); + } - if ( (result=_gnutls_x509_read_int( spk, "", ¶ms[3])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - return _gnutls_asn2err(result); - } + /* Read Y */ + if ((result = _gnutls_x509_read_int(spk, "", ¶ms[3])) < 0) { + gnutls_assert(); asn1_delete_structure(&spk); + return _gnutls_asn2err(result); + } - return 0; + asn1_delete_structure(&spk); + + return 0; } /* Extracts DSA and RSA parameters from a certificate. */ -int _gnutls_x509_crt_get_mpis( gnutls_x509_crt cert, - mpi_t* params, int *params_size) +int _gnutls_x509_crt_get_mpis(gnutls_x509_crt cert, + mpi_t * params, int *params_size) { -int len, result; -opaque str[5*1024]; -int pk_algorithm; + int len, result; + opaque str[5 * 1024]; + int pk_algorithm; + + /* Read the algorithm's OID + */ + pk_algorithm = gnutls_x509_crt_get_pk_algorithm(cert, NULL); + + /* Read the algorithm's parameters + */ + len = sizeof(str); + result = asn1_read_value(cert->cert, + "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey", + str, &len); + len /= 8; + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + switch (pk_algorithm) { + case GNUTLS_PK_RSA: + /* params[0] is the modulus, + * params[1] is the exponent + */ + if (*params_size < RSA_PUBLIC_PARAMS) { + gnutls_assert(); + /* internal error. Increase the mpi_ts in params */ + return GNUTLS_E_INTERNAL_ERROR; + } + + if ((result = _gnutls_x509_read_rsa_params(str, len, params)) < 0) { + gnutls_assert(); + return result; + } + *params_size = RSA_PUBLIC_PARAMS; - /* Read the algorithm's OID + return 0; + break; + case GNUTLS_PK_DSA: + /* params[0] is p, + * params[1] is q, + * params[2] is q, + * params[3] is pub. */ - pk_algorithm = gnutls_x509_crt_get_pk_algorithm(cert, NULL); - /* Read the algorithm's parameters + if (*params_size < DSA_PUBLIC_PARAMS) { + gnutls_assert(); + /* internal error. Increase the mpi_ts in params */ + return GNUTLS_E_INTERNAL_ERROR; + } + + if ((result = _gnutls_x509_read_dsa_pubkey(str, len, params)) < 0) { + gnutls_assert(); + return result; + } + + /* Now read the parameters */ + len = sizeof(str); - result = asn1_read_value(cert->cert, - "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey", str, &len); - len /= 8; + result = asn1_read_value(cert->cert, + "tbsCertificate.subjectPublicKeyInfo.algorithm.parameters", + str, &len); if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + gnutls_assert(); + return _gnutls_asn2err(result); } - switch( pk_algorithm) { - case GNUTLS_PK_RSA: - /* params[0] is the modulus, - * params[1] is the exponent - */ - if ( *params_size < RSA_PUBLIC_PARAMS) { - gnutls_assert(); - /* internal error. Increase the mpi_ts in params */ - return GNUTLS_E_INTERNAL_ERROR; - } - - if ((result = - _gnutls_x509_read_rsa_params( str, len, params)) < 0) { - gnutls_assert(); - return result; - } - *params_size = RSA_PUBLIC_PARAMS; - - return 0; - break; - case GNUTLS_PK_DSA: - /* params[0] is p, - * params[1] is q, - * params[2] is q, - * params[3] is pub. - */ - - if ( *params_size < DSA_PUBLIC_PARAMS) { - gnutls_assert(); - /* internal error. Increase the mpi_ts in params */ - return GNUTLS_E_INTERNAL_ERROR; - } - - if ((result = - _gnutls_x509_read_dsa_pubkey( str, len, params)) < 0) { - gnutls_assert(); - return result; - } - - /* Now read the parameters - */ - - len = sizeof(str); - result = asn1_read_value(cert->cert, - "tbsCertificate.subjectPublicKeyInfo.algorithm.parameters", str, &len); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if ((result = - _gnutls_x509_read_dsa_params(str, len, params)) < 0) { - gnutls_assert(); - return result; - } - *params_size = DSA_PUBLIC_PARAMS; - - return 0; - break; - - default: - /* other types like DH - * currently not supported - */ - gnutls_assert(); - - return GNUTLS_E_X509_CERTIFICATE_ERROR; + if ((result = _gnutls_x509_read_dsa_params(str, len, params)) < 0) { + gnutls_assert(); + return result; } + *params_size = DSA_PUBLIC_PARAMS; + + return 0; + break; + + default: + /* other types like DH + * currently not supported + */ + gnutls_assert(); + + return GNUTLS_E_X509_CERTIFICATE_ERROR; + } } /* @@ -282,115 +279,116 @@ int pk_algorithm; * * Allocates the space used to store the DER data. */ -int _gnutls_x509_write_rsa_params( mpi_t * params, int params_size, - gnutls_datum* der) +int _gnutls_x509_write_rsa_params(mpi_t * params, int params_size, + gnutls_datum * der) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - der->data = NULL; - der->size = 0; - - if (params_size < 2) { - gnutls_assert(); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - if ((result=asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk)) - != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_write_int( spk, "modulus", params[0], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_write_int( spk, "publicExponent", params[1], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_der_encode( spk, "", der, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - asn1_delete_structure(&spk); - return 0; - -cleanup: - asn1_delete_structure(&spk); - - return result; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + + der->data = NULL; + der->size = 0; + + if (params_size < 2) { + gnutls_assert(); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_write_int(spk, "modulus", params[0], 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_write_int(spk, "publicExponent", params[1], 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_der_encode(spk, "", der, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&spk); + return 0; + + cleanup: + asn1_delete_structure(&spk); + + return result; } /* * This function writes and encodes the parameters for DSS or RSA keys. * This is the "signatureAlgorithm" fields. */ -int _gnutls_x509_write_sig_params( ASN1_TYPE dst, const char* dst_name, - gnutls_pk_algorithm pk_algorithm, mpi_t * params, int params_size) +int _gnutls_x509_write_sig_params(ASN1_TYPE dst, const char *dst_name, + gnutls_pk_algorithm pk_algorithm, + mpi_t * params, int params_size) { -gnutls_datum der; -int result; -char name[128]; -const char* pk; - - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".algorithm"); - - pk = _gnutls_x509_sign_to_oid( pk_algorithm, GNUTLS_MAC_SHA); - if (pk == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_datum der; + int result; + char name[128]; + const char *pk; + + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".algorithm"); + + pk = _gnutls_x509_sign_to_oid(pk_algorithm, GNUTLS_MAC_SHA); + if (pk == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* write the OID. + */ + result = asn1_write_value(dst, name, pk, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".parameters"); + + if (pk_algorithm == GNUTLS_PK_DSA) { + result = _gnutls_x509_write_dsa_params(params, params_size, &der); + if (result < 0) { + gnutls_assert(); + return result; } - - /* write the OID. - */ - result = asn1_write_value( dst, name, pk, 1); + + result = asn1_write_value(dst, name, der.data, der.size); + _gnutls_free_datum(&der); + if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + gnutls_assert(); + return _gnutls_asn2err(result); } + } else { /* RSA */ + result = asn1_write_value(dst, name, NULL, 0); - - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".parameters"); - - if (pk_algorithm == GNUTLS_PK_DSA) { - result = _gnutls_x509_write_dsa_params( params, params_size, &der); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = asn1_write_value( dst, name, der.data, der.size); - _gnutls_free_datum( &der); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - } else { /* RSA */ - result = asn1_write_value( dst, name, NULL, 0); - - if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { - /* Here we ignore the element not found error, since this - * may have been disabled before. - */ - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { + /* Here we ignore the element not found error, since this + * may have been disabled before. + */ + gnutls_assert(); + return _gnutls_asn2err(result); } + } - return 0; + return 0; } /* @@ -399,58 +397,58 @@ const char* pk; * * Allocates the space used to store the DER data. */ -int _gnutls_x509_write_dsa_params( mpi_t * params, int params_size, - gnutls_datum* der) +int _gnutls_x509_write_dsa_params(mpi_t * params, int params_size, + gnutls_datum * der) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - der->data = NULL; - der->size = 0; - - if (params_size < 3) { - gnutls_assert(); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - if ((result=asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DSAParameters", &spk)) - != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_write_int( spk, "p", params[0], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_write_int( spk, "q", params[1], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_write_int( spk, "g", params[2], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_der_encode( spk, "", der, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - asn1_delete_structure(&spk); - return 0; - -cleanup: - asn1_delete_structure(&spk); - return result; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + + der->data = NULL; + der->size = 0; + + if (params_size < 3) { + gnutls_assert(); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DSAParameters", &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_write_int(spk, "p", params[0], 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_write_int(spk, "q", params[1], 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_write_int(spk, "g", params[2], 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_der_encode(spk, "", der, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&spk); + return 0; + + cleanup: + asn1_delete_structure(&spk); + return result; } /* @@ -459,46 +457,46 @@ cleanup: * * Allocates the space used to store the DER data. */ -int _gnutls_x509_write_dsa_public_key( mpi_t * params, int params_size, - gnutls_datum* der) +int _gnutls_x509_write_dsa_public_key(mpi_t * params, int params_size, + gnutls_datum * der) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - der->data = NULL; - der->size = 0; - - if (params_size < 3) { - gnutls_assert(); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - if ((result=asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", &spk)) - != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_write_int( spk, "", params[3], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_der_encode( spk, "", der, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - asn1_delete_structure(&spk); - return 0; - -cleanup: - asn1_delete_structure(&spk); - return result; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + + der->data = NULL; + der->size = 0; + + if (params_size < 3) { + gnutls_assert(); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_write_int(spk, "", params[3], 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_der_encode(spk, "", der, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&spk); + return 0; + + cleanup: + asn1_delete_structure(&spk); + return result; } @@ -506,66 +504,66 @@ cleanup: * from asn1 structs. Combines the read and the convertion * steps. */ -int _gnutls_x509_read_uint( ASN1_TYPE node, const char* value, - unsigned int* ret) +int _gnutls_x509_read_uint(ASN1_TYPE node, const char *value, + unsigned int *ret) { -int len, result; -opaque* tmpstr; - - len = 0; - result = asn1_read_value( node, value, NULL, &len); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - tmpstr = gnutls_alloca( len); - if (tmpstr==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - result = asn1_read_value( node, value, tmpstr, &len); - - gnutls_afree( tmpstr); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if (len == 1) - *ret = tmpstr[0]; - else if (len == 2) - *ret = _gnutls_read_uint16(tmpstr); - else if (len == 3) - *ret = _gnutls_read_uint24(tmpstr); - else if (len == 4) - *ret = _gnutls_read_uint32(tmpstr); - else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - return 0; + int len, result; + opaque *tmpstr; + + len = 0; + result = asn1_read_value(node, value, NULL, &len); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + tmpstr = gnutls_alloca(len); + if (tmpstr == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_read_value(node, value, tmpstr, &len); + + gnutls_afree(tmpstr); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (len == 1) + *ret = tmpstr[0]; + else if (len == 2) + *ret = _gnutls_read_uint16(tmpstr); + else if (len == 3) + *ret = _gnutls_read_uint24(tmpstr); + else if (len == 4) + *ret = _gnutls_read_uint32(tmpstr); + else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + return 0; } /* Writes the specified integer into the specified node. */ -int _gnutls_x509_write_uint32( ASN1_TYPE node, const char* value, uint32 num) +int _gnutls_x509_write_uint32(ASN1_TYPE node, const char *value, + uint32 num) { -opaque tmpstr[4]; -int result; + opaque tmpstr[4]; + int result; - _gnutls_write_uint32(num, tmpstr); + _gnutls_write_uint32(num, tmpstr); - result = asn1_write_value( node, value, tmpstr, 4); + result = asn1_write_value(node, value, tmpstr, 4); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } - diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c index 0b9c0253c9..ee48262401 100644 --- a/lib/x509/pkcs12.c +++ b/lib/x509/pkcs12.c @@ -44,69 +44,73 @@ * which holds them. Returns an ASN1_TYPE of authenticatedSafe. */ static -int _decode_pkcs12_auth_safe( ASN1_TYPE pkcs12, ASN1_TYPE * authen_safe, gnutls_datum* raw) +int _decode_pkcs12_auth_safe(ASN1_TYPE pkcs12, ASN1_TYPE * authen_safe, + gnutls_datum * raw) { -char oid[128]; -ASN1_TYPE c2 = ASN1_TYPE_EMPTY; -gnutls_datum auth_safe = { NULL, 0 }; -int tmp_size, len, result; - - len = sizeof(oid) - 1; - result = asn1_read_value(pkcs12, "authSafe.contentType", oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if ( strcmp( oid, DATA_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log( "Unknown PKCS12 Content OID '%s'\n", oid); - return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; - } - - /* Step 1. Read the content data - */ - - tmp_size = 0; - result = _gnutls_x509_read_value(pkcs12, "authSafe.content", &auth_safe, 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - /* Step 2. Extract the authenticatedSafe. - */ - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-12-AuthenticatedSafe", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_der_decoding(&c2, auth_safe.data, auth_safe.size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (raw == NULL) { - _gnutls_free_datum(&auth_safe); - } else { - raw->data = auth_safe.data; - raw->size = auth_safe.size; - } - - if (authen_safe) - *authen_safe = c2; - - return 0; - - cleanup: - if (c2) asn1_delete_structure(&c2); - _gnutls_free_datum( &auth_safe); - return result; + char oid[128]; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + gnutls_datum auth_safe = { NULL, 0 }; + int tmp_size, len, result; + + len = sizeof(oid) - 1; + result = asn1_read_value(pkcs12, "authSafe.contentType", oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (strcmp(oid, DATA_OID) != 0) { + gnutls_assert(); + _gnutls_x509_log("Unknown PKCS12 Content OID '%s'\n", oid); + return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; + } + + /* Step 1. Read the content data + */ + + tmp_size = 0; + result = + _gnutls_x509_read_value(pkcs12, "authSafe.content", &auth_safe, 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* Step 2. Extract the authenticatedSafe. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-12-AuthenticatedSafe", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_der_decoding(&c2, auth_safe.data, auth_safe.size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (raw == NULL) { + _gnutls_free_datum(&auth_safe); + } else { + raw->data = auth_safe.data; + raw->size = auth_safe.size; + } + + if (authen_safe) + *authen_safe = c2; + + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + _gnutls_free_datum(&auth_safe); + return result; } /** @@ -122,20 +126,20 @@ int tmp_size, len, result; **/ int gnutls_pkcs12_init(gnutls_pkcs12 * pkcs12) { - *pkcs12 = gnutls_calloc( 1, sizeof(gnutls_pkcs12_int)); - - if (*pkcs12) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-PFX", - &(*pkcs12)->pkcs12); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free( *pkcs12); - return _gnutls_asn2err(result); - } - return 0; /* success */ + *pkcs12 = gnutls_calloc(1, sizeof(gnutls_pkcs12_int)); + + if (*pkcs12) { + int result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-PFX", + &(*pkcs12)->pkcs12); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*pkcs12); + return _gnutls_asn2err(result); } - return GNUTLS_E_MEMORY_ERROR; + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -147,12 +151,13 @@ int gnutls_pkcs12_init(gnutls_pkcs12 * pkcs12) **/ void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12) { - if (!pkcs12) return; + if (!pkcs12) + return; - if (pkcs12->pkcs12) - asn1_delete_structure(&pkcs12->pkcs12); + if (pkcs12->pkcs12) + asn1_delete_structure(&pkcs12->pkcs12); - gnutls_free(pkcs12); + gnutls_free(pkcs12); } /** @@ -171,53 +176,57 @@ void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12) * **/ int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data, - gnutls_x509_crt_fmt format, unsigned int flags) + gnutls_x509_crt_fmt format, unsigned int flags) { - int result = 0, need_free = 0; - gnutls_datum _data; - - _data.data = data->data; - _data.size = data->size; + int result = 0, need_free = 0; + gnutls_datum _data; - if (pkcs12==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + _data.data = data->data; + _data.size = data->size; - /* If the PKCS12 is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - result = _gnutls_fbase64_decode(PEM_PKCS12, data->data, data->size, - &out); - - if (result <= 0) { - if (result==0) result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - - _data.data = out; - _data.size = result; - - need_free = 1; - } + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = asn1_der_decoding(&pkcs12->pkcs12, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; + /* If the PKCS12 is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; + + result = _gnutls_fbase64_decode(PEM_PKCS12, data->data, data->size, + &out); + + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert(); + return result; } - if (need_free) _gnutls_free_datum( &_data); + _data.data = out; + _data.size = result; - return 0; + need_free = 1; + } - cleanup: - if (need_free) _gnutls_free_datum( &_data); - return result; + result = + asn1_der_decoding(&pkcs12->pkcs12, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + if (need_free) + _gnutls_free_datum(&_data); + + return 0; + + cleanup: + if (need_free) + _gnutls_free_datum(&_data); + return result; } @@ -240,240 +249,254 @@ int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data, * 0 on success. * **/ -int gnutls_pkcs12_export( gnutls_pkcs12 pkcs12, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size) +int gnutls_pkcs12_export(gnutls_pkcs12 pkcs12, + gnutls_x509_crt_fmt format, void *output_data, + size_t * output_data_size) { - if (pkcs12==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_export_int( pkcs12->pkcs12, format, PEM_PKCS12, *output_data_size, - output_data, output_data_size); + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12, + *output_data_size, output_data, + output_data_size); } -static int oid2bag( const char* oid) +static int oid2bag(const char *oid) { - if (strcmp(oid, BAG_PKCS8_KEY)==0) - return GNUTLS_BAG_PKCS8_KEY; - if (strcmp(oid, BAG_PKCS8_ENCRYPTED_KEY)==0) - return GNUTLS_BAG_PKCS8_ENCRYPTED_KEY; - if (strcmp(oid, BAG_CERTIFICATE)==0) - return GNUTLS_BAG_CERTIFICATE; - if (strcmp(oid, BAG_CRL)==0) - return GNUTLS_BAG_CRL; - - return GNUTLS_BAG_UNKNOWN; + if (strcmp(oid, BAG_PKCS8_KEY) == 0) + return GNUTLS_BAG_PKCS8_KEY; + if (strcmp(oid, BAG_PKCS8_ENCRYPTED_KEY) == 0) + return GNUTLS_BAG_PKCS8_ENCRYPTED_KEY; + if (strcmp(oid, BAG_CERTIFICATE) == 0) + return GNUTLS_BAG_CERTIFICATE; + if (strcmp(oid, BAG_CRL) == 0) + return GNUTLS_BAG_CRL; + + return GNUTLS_BAG_UNKNOWN; } -static const char* bag_to_oid( int bag) +static const char *bag_to_oid(int bag) { - switch (bag) { - case GNUTLS_BAG_PKCS8_KEY: - return BAG_PKCS8_KEY; - case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: - return BAG_PKCS8_ENCRYPTED_KEY; - case GNUTLS_BAG_CERTIFICATE: - return BAG_CERTIFICATE; - case GNUTLS_BAG_CRL: - return BAG_CRL; - } - return NULL; + switch (bag) { + case GNUTLS_BAG_PKCS8_KEY: + return BAG_PKCS8_KEY; + case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: + return BAG_PKCS8_ENCRYPTED_KEY; + case GNUTLS_BAG_CERTIFICATE: + return BAG_CERTIFICATE; + case GNUTLS_BAG_CRL: + return BAG_CRL; + } + return NULL; } -static inline -char* ucs2_to_ascii( char* data, int size) { -int i; +static inline char *ucs2_to_ascii(char *data, int size) +{ + int i; + + for (i = 0; i < size / 2; i++) + data[i] = data[i * 2 + 1]; + data[i] = 0; - for (i=0;i<size/2;i++) - data[i] = data[i*2 + 1]; - data[i] = 0; - - return data; + return data; } /* Decodes the SafeContents, and puts the output in * the given bag. */ int -_pkcs12_decode_safe_contents( const gnutls_datum* content, gnutls_pkcs12_bag bag) +_pkcs12_decode_safe_contents(const gnutls_datum * content, + gnutls_pkcs12_bag bag) { -char oid[128], root[128]; -ASN1_TYPE c2 = ASN1_TYPE_EMPTY; -int len, result; -int bag_type; -gnutls_datum attr_val; -int count = 0, i, attributes, j; -char counter[MAX_INT_DIGITS]; - - /* Step 1. Extract the SEQUENCE. - */ - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-12-SafeContents", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + char oid[128], root[128]; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int len, result; + int bag_type; + gnutls_datum attr_val; + int count = 0, i, attributes, j; + char counter[MAX_INT_DIGITS]; + + /* Step 1. Extract the SEQUENCE. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-12-SafeContents", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_der_decoding(&c2, content->data, content->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Count the number of bags + */ + result = asn1_number_of_elements(c2, "", &count); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + bag->bag_elements = GMIN(MAX_BAG_ELEMENTS, count); + + for (i = 0; i < bag->bag_elements; i++) { + + _gnutls_str_cpy(root, sizeof(root), "?"); + _gnutls_int2str(i + 1, counter); + _gnutls_str_cat(root, sizeof(root), counter); + _gnutls_str_cat(root, sizeof(root), ".bagId"); + + len = sizeof(oid); + result = asn1_read_value(c2, root, oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - result = asn1_der_decoding(&c2, content->data, content->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* Read the Bag type + */ + bag_type = oid2bag(oid); + + if (bag_type < 0) { + gnutls_assert(); + goto cleanup; } - /* Count the number of bags + /* Read the Bag Value */ - result = asn1_number_of_elements( c2, "", &count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + + _gnutls_str_cpy(root, sizeof(root), "?"); + _gnutls_int2str(i + 1, counter); + _gnutls_str_cat(root, sizeof(root), counter); + _gnutls_str_cat(root, sizeof(root), ".bagValue"); + + result = + _gnutls_x509_read_value(c2, root, &bag->element[i].data, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; } - bag->bag_elements = GMIN(MAX_BAG_ELEMENTS, count); + if (bag_type == GNUTLS_BAG_CERTIFICATE || + bag_type == GNUTLS_BAG_CRL) { + gnutls_datum tmp = bag->element[i].data; - for (i=0;i<bag->bag_elements;i++) { + result = + _pkcs12_decode_crt_bag(bag_type, &tmp, + &bag->element[i].data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - _gnutls_str_cpy( root, sizeof(root), "?"); - _gnutls_int2str( i+1, counter); - _gnutls_str_cat( root, sizeof(root), counter); - _gnutls_str_cat( root, sizeof(root), ".bagId"); + _gnutls_free_datum(&tmp); + } - len = sizeof(oid); - result = asn1_read_value(c2, root, oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + /* read the bag attributes + */ + _gnutls_str_cpy(root, sizeof(root), "?"); + _gnutls_int2str(i + 1, counter); + _gnutls_str_cat(root, sizeof(root), counter); + _gnutls_str_cat(root, sizeof(root), ".bagAttributes"); + + result = asn1_number_of_elements(c2, root, &attributes); + if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - /* Read the Bag type - */ - bag_type = oid2bag( oid); - - if (bag_type < 0) { - gnutls_assert(); - goto cleanup; - } + if (attributes < 0) + attributes = 1; + + if (result != ASN1_ELEMENT_NOT_FOUND) + for (j = 0; j < attributes; j++) { - /* Read the Bag Value - */ + _gnutls_str_cpy(root, sizeof(root), "?"); + _gnutls_int2str(i + 1, counter); + _gnutls_str_cat(root, sizeof(root), counter); + _gnutls_str_cat(root, sizeof(root), ".bagAttributes.?"); + _gnutls_int2str(j + 1, counter); + _gnutls_str_cat(root, sizeof(root), counter); - _gnutls_str_cpy( root, sizeof(root), "?"); - _gnutls_int2str( i+1, counter); - _gnutls_str_cat( root, sizeof(root), counter); - _gnutls_str_cat( root, sizeof(root), ".bagValue"); + result = + _gnutls_x509_decode_and_read_attribute(c2, root, oid, + sizeof(oid), + &attr_val, 1); - result = _gnutls_x509_read_value( c2, root, &bag->element[i].data, 0); if (result < 0) { - gnutls_assert(); - goto cleanup; + gnutls_assert(); + goto cleanup; } - if (bag_type == GNUTLS_BAG_CERTIFICATE || - bag_type == GNUTLS_BAG_CRL) { - gnutls_datum tmp = bag->element[i].data; - - result = _pkcs12_decode_crt_bag( bag_type, &tmp, &bag->element[i].data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - _gnutls_free_datum( &tmp); - } - /* read the bag attributes - */ - _gnutls_str_cpy( root, sizeof(root), "?"); - _gnutls_int2str( i+1, counter); - _gnutls_str_cat( root, sizeof(root), counter); - _gnutls_str_cat( root, sizeof(root), ".bagAttributes"); - - result = asn1_number_of_elements( c2, root, &attributes); - if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (strcmp(oid, KEY_ID_OID) == 0) + bag->element[i].local_key_id = attr_val; + else if (strcmp(oid, FRIENDLY_NAME_OID) == 0) + bag->element[i].friendly_name = + ucs2_to_ascii(attr_val.data, attr_val.size); + else { + _gnutls_x509_log + ("Unknown PKCS12 Bag Attribute OID '%s'\n", oid); } + } - if (attributes < 0) attributes = 1; - - if (result != ASN1_ELEMENT_NOT_FOUND) - for (j=0;j<attributes;j++) { - - _gnutls_str_cpy( root, sizeof(root), "?"); - _gnutls_int2str( i+1, counter); - _gnutls_str_cat( root, sizeof(root), counter); - _gnutls_str_cat( root, sizeof(root), ".bagAttributes.?"); - _gnutls_int2str( j+1, counter); - _gnutls_str_cat( root, sizeof(root), counter); - - result = _gnutls_x509_decode_and_read_attribute( - c2, root, oid, sizeof(oid), &attr_val, 1); - - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - - if (strcmp( oid, KEY_ID_OID)==0) - bag->element[i].local_key_id = attr_val; - else if (strcmp( oid, FRIENDLY_NAME_OID)==0) - bag->element[i].friendly_name = ucs2_to_ascii( attr_val.data, attr_val.size); - else { - _gnutls_x509_log( "Unknown PKCS12 Bag Attribute OID '%s'\n", oid); - } - } - - bag->element[i].type = bag_type; - - } + bag->element[i].type = bag_type; - asn1_delete_structure(&c2); + } + asn1_delete_structure(&c2); - return 0; - cleanup: - if (c2) asn1_delete_structure(&c2); - return result; + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + return result; } static -int _parse_safe_contents( ASN1_TYPE sc, const char* sc_name, gnutls_pkcs12_bag bag) +int _parse_safe_contents(ASN1_TYPE sc, const char *sc_name, + gnutls_pkcs12_bag bag) { -gnutls_datum content = { NULL, 0 }; -int result; + gnutls_datum content = { NULL, 0 }; + int result; - /* Step 1. Extract the content. - */ + /* Step 1. Extract the content. + */ - result = _gnutls_x509_read_value(sc, sc_name, &content, 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + result = _gnutls_x509_read_value(sc, sc_name, &content, 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = _pkcs12_decode_safe_contents( &content, bag); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + result = _pkcs12_decode_safe_contents(&content, bag); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - _gnutls_free_datum( &content); + _gnutls_free_datum(&content); - return 0; - - cleanup: - _gnutls_free_datum( &content); - return result; + return 0; + + cleanup: + _gnutls_free_datum(&content); + return result; } @@ -490,133 +513,137 @@ int result; * will be returned. * **/ -int gnutls_pkcs12_get_bag(gnutls_pkcs12 pkcs12, - int indx, gnutls_pkcs12_bag bag) +int gnutls_pkcs12_get_bag(gnutls_pkcs12 pkcs12, + int indx, gnutls_pkcs12_bag bag) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len; - char root2[64]; - char oid[128]; - char counter[MAX_INT_DIGITS]; - gnutls_datum tmp = {NULL, 0}; - - if (pkcs12==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len; + char root2[64]; + char oid[128]; + char counter[MAX_INT_DIGITS]; + gnutls_datum tmp = { NULL, 0 }; + + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Step 1. decode the data. + */ + result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } - /* Step 1. decode the data. - */ - result = _decode_pkcs12_auth_safe( pkcs12->pkcs12, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 2. Parse the AuthenticatedSafe - */ - - _gnutls_str_cpy( root2, sizeof(root2), "?"); - _gnutls_int2str( indx+1, counter); - _gnutls_str_cat( root2, sizeof(root2), counter); - _gnutls_str_cat( root2, sizeof(root2), ".contentType"); + /* Step 2. Parse the AuthenticatedSafe + */ - len = sizeof(oid) - 1; + _gnutls_str_cpy(root2, sizeof(root2), "?"); + _gnutls_int2str(indx + 1, counter); + _gnutls_str_cat(root2, sizeof(root2), counter); + _gnutls_str_cat(root2, sizeof(root2), ".contentType"); - result = asn1_read_value(c2, root2, oid, &len); + len = sizeof(oid) - 1; - if (result == ASN1_ELEMENT_NOT_FOUND) { - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - goto cleanup; - } + result = asn1_read_value(c2, root2, oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + goto cleanup; + } - /* Not encrypted Bag - */ + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - _gnutls_str_cpy( root2, sizeof(root2), "?"); - _gnutls_int2str( indx+1, counter); - _gnutls_str_cat( root2, sizeof(root2), counter); - _gnutls_str_cat( root2, sizeof(root2), ".content"); + /* Not encrypted Bag + */ - if (strcmp( oid, DATA_OID) == 0) { - result = _parse_safe_contents( c2, root2, bag); - goto cleanup; - } - - /* ENC_DATA_OID needs decryption */ + _gnutls_str_cpy(root2, sizeof(root2), "?"); + _gnutls_int2str(indx + 1, counter); + _gnutls_str_cat(root2, sizeof(root2), counter); + _gnutls_str_cat(root2, sizeof(root2), ".content"); - bag->element[0].type = GNUTLS_BAG_ENCRYPTED; - bag->bag_elements = 1; + if (strcmp(oid, DATA_OID) == 0) { + result = _parse_safe_contents(c2, root2, bag); + goto cleanup; + } - result = _gnutls_x509_read_value( c2, root2, &bag->element[0].data, 0); - if (result < 0) { - gnutls_assert(); - return result; - } + /* ENC_DATA_OID needs decryption */ - return 0; + bag->element[0].type = GNUTLS_BAG_ENCRYPTED; + bag->bag_elements = 1; + + result = _gnutls_x509_read_value(c2, root2, &bag->element[0].data, 0); + if (result < 0) { + gnutls_assert(); + return result; + } - cleanup: - _gnutls_free_datum( &tmp); - if (c2) asn1_delete_structure(&c2); - return result; + return 0; + + cleanup: + _gnutls_free_datum(&tmp); + if (c2) + asn1_delete_structure(&c2); + return result; } /* Creates an empty PFX structure for the PKCS12 structure. */ static int create_empty_pfx(ASN1_TYPE pkcs12) { - uint8 three = 3; - int result; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - /* Use version 3 - */ - result = asn1_write_value( pkcs12, "version", &three, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Write the content type of the data - */ - result = asn1_write_value(pkcs12, "authSafe.contentType", DATA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Check if the authenticatedSafe content is empty, and encode a - * null one in that case. - */ - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-12-AuthenticatedSafe", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = _gnutls_x509_der_encode_and_copy( c2, "", pkcs12, "authSafe.content", 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - asn1_delete_structure( &c2); - - return 0; - - cleanup: - asn1_delete_structure( &c2); - return result; + uint8 three = 3; + int result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + /* Use version 3 + */ + result = asn1_write_value(pkcs12, "version", &three, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Write the content type of the data + */ + result = asn1_write_value(pkcs12, "authSafe.contentType", DATA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Check if the authenticatedSafe content is empty, and encode a + * null one in that case. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-12-AuthenticatedSafe", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs12, + "authSafe.content", 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + asn1_delete_structure(&c2); + + return 0; + + cleanup: + asn1_delete_structure(&c2); + return result; } @@ -631,103 +658,112 @@ static int create_empty_pfx(ASN1_TYPE pkcs12) **/ int gnutls_pkcs12_set_bag(gnutls_pkcs12 pkcs12, gnutls_pkcs12_bag bag) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; - int result; - int enc = 0, dum = 1; - char null; - - if (pkcs12==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Step 1. Check if the pkcs12 structure is empty. In that - * case generate an empty PFX. - */ - result = asn1_read_value(pkcs12->pkcs12, "authSafe.content", &null, &dum); - if (result == ASN1_VALUE_NOT_FOUND) { - result = create_empty_pfx( pkcs12->pkcs12); - if (result < 0) { - gnutls_assert(); - return result; - } - } - - /* Step 2. decode the authenticatedSafe. - */ - result = _decode_pkcs12_auth_safe( pkcs12->pkcs12, &c2, NULL); + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; + int result; + int enc = 0, dum = 1; + char null; + + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Step 1. Check if the pkcs12 structure is empty. In that + * case generate an empty PFX. + */ + result = + asn1_read_value(pkcs12->pkcs12, "authSafe.content", &null, &dum); + if (result == ASN1_VALUE_NOT_FOUND) { + result = create_empty_pfx(pkcs12->pkcs12); if (result < 0) { - gnutls_assert(); - return result; + gnutls_assert(); + return result; } + } - /* Step 3. Encode the bag elements into a SafeContents - * structure. - */ - result = _pkcs12_encode_safe_contents( bag, &safe_cont, &enc); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 4. Insert the encoded SafeContents into the AuthenticatedSafe - * structure. + /* Step 2. decode the authenticatedSafe. + */ + result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 3. Encode the bag elements into a SafeContents + * structure. + */ + result = _pkcs12_encode_safe_contents(bag, &safe_cont, &enc); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 4. Insert the encoded SafeContents into the AuthenticatedSafe + * structure. + */ + result = asn1_write_value(c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (enc) + result = + asn1_write_value(c2, "?LAST.contentType", ENC_DATA_OID, 1); + else + result = asn1_write_value(c2, "?LAST.contentType", DATA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (enc) { + /* Encrypted packets are written directly. */ - result = asn1_write_value(c2, "", "NEW", 1); + result = + asn1_write_value(c2, "?LAST.content", + bag->element[0].data.data, + bag->element[0].data.size); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - - if (enc) - result = asn1_write_value(c2, "?LAST.contentType", ENC_DATA_OID, 1); - else - result = asn1_write_value(c2, "?LAST.contentType", DATA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + } else { + result = + _gnutls_x509_der_encode_and_copy(safe_cont, "", c2, + "?LAST.content", 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; } + } - if (enc) { - /* Encrypted packets are written directly. - */ - result = asn1_write_value( c2, "?LAST.content", bag->element[0].data.data, bag->element[0].data.size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - } else { - result = _gnutls_x509_der_encode_and_copy( safe_cont, "", c2, "?LAST.content", 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } + asn1_delete_structure(&safe_cont); - asn1_delete_structure(&safe_cont); - - /* Step 5. Reencode and copy the AuthenticatedSafe into the pkcs12 - * structure. - */ - result = _gnutls_x509_der_encode_and_copy( c2, "", pkcs12->pkcs12, "authSafe.content", 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + /* Step 5. Reencode and copy the AuthenticatedSafe into the pkcs12 + * structure. + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs12->pkcs12, + "authSafe.content", 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - asn1_delete_structure(&c2); + asn1_delete_structure(&c2); - return 0; + return 0; - cleanup: - asn1_delete_structure(&c2); - asn1_delete_structure(&safe_cont); - return result; + cleanup: + asn1_delete_structure(&c2); + asn1_delete_structure(&safe_cont); + return result; } /** @@ -739,102 +775,114 @@ int gnutls_pkcs12_set_bag(gnutls_pkcs12 pkcs12, gnutls_pkcs12_bag bag) * Returns 0 on success. * **/ -int gnutls_pkcs12_generate_mac(gnutls_pkcs12 pkcs12, const char* pass) +int gnutls_pkcs12_generate_mac(gnutls_pkcs12 pkcs12, const char *pass) { - opaque salt[8], key[20]; - int result; - const int iter = 1; - mac_hd_t td1 = NULL; - gnutls_datum tmp = {NULL, 0}; - opaque sha_mac[20]; - - if (pkcs12==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Generate the salt. - */ - _gnutls_get_random(salt, sizeof(salt), GNUTLS_WEAK_RANDOM); - - /* Write the salt into the structure. - */ - result = asn1_write_value(pkcs12->pkcs12, "macData.macSalt", salt, sizeof(salt)); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* write the iterations - */ - - if (iter > 1) { - result = _gnutls_x509_write_uint32( pkcs12->pkcs12, "macData.iterations", iter); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } - - /* Generate the key. - */ - result = _pkcs12_string_to_key( 3/*MAC*/, salt, sizeof(salt), - iter, pass, sizeof(key), key); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - /* Get the data to be MACed - */ - result = _decode_pkcs12_auth_safe( pkcs12->pkcs12, NULL, &tmp); + opaque salt[8], key[20]; + int result; + const int iter = 1; + mac_hd_t td1 = NULL; + gnutls_datum tmp = { NULL, 0 }; + opaque sha_mac[20]; + + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Generate the salt. + */ + _gnutls_get_random(salt, sizeof(salt), GNUTLS_WEAK_RANDOM); + + /* Write the salt into the structure. + */ + result = + asn1_write_value(pkcs12->pkcs12, "macData.macSalt", salt, + sizeof(salt)); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* write the iterations + */ + + if (iter > 1) { + result = + _gnutls_x509_write_uint32(pkcs12->pkcs12, "macData.iterations", + iter); if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - /* MAC the data - */ - td1 = _gnutls_hmac_init(GNUTLS_MAC_SHA, key, sizeof(key)); - if (td1 == GNUTLS_MAC_FAILED) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; - } - - _gnutls_hmac(td1, tmp.data, tmp.size); - _gnutls_free_datum( &tmp); - - _gnutls_hmac_deinit(td1, sha_mac); - - - result = asn1_write_value(pkcs12->pkcs12, "macData.mac.digest", sha_mac, sizeof(sha_mac)); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value(pkcs12->pkcs12, "macData.mac.digestAlgorithm.parameters", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + gnutls_assert(); + goto cleanup; } - - result = asn1_write_value(pkcs12->pkcs12, "macData.mac.digestAlgorithm.algorithm", OID_SHA1, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - return 0; - - cleanup: - _gnutls_free_datum( &tmp); - return result; + } + + /* Generate the key. + */ + result = _pkcs12_string_to_key(3 /*MAC*/, salt, sizeof(salt), + iter, pass, sizeof(key), key); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* Get the data to be MACed + */ + result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, NULL, &tmp); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* MAC the data + */ + td1 = _gnutls_hmac_init(GNUTLS_MAC_SHA, key, sizeof(key)); + if (td1 == GNUTLS_MAC_FAILED) { + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; + } + + _gnutls_hmac(td1, tmp.data, tmp.size); + _gnutls_free_datum(&tmp); + + _gnutls_hmac_deinit(td1, sha_mac); + + + result = + asn1_write_value(pkcs12->pkcs12, "macData.mac.digest", sha_mac, + sizeof(sha_mac)); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(pkcs12->pkcs12, + "macData.mac.digestAlgorithm.parameters", NULL, + 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(pkcs12->pkcs12, + "macData.mac.digestAlgorithm.algorithm", OID_SHA1, + 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + return 0; + + cleanup: + _gnutls_free_datum(&tmp); + return result; } /** @@ -846,181 +894,194 @@ int gnutls_pkcs12_generate_mac(gnutls_pkcs12 pkcs12, const char* pass) * Returns 0 on success. * **/ -int gnutls_pkcs12_verify_mac(gnutls_pkcs12 pkcs12, const char* pass) +int gnutls_pkcs12_verify_mac(gnutls_pkcs12 pkcs12, const char *pass) { - opaque key[20]; - int result; - unsigned int iter, len; - mac_hd_t td1 = NULL; - gnutls_datum tmp = {NULL, 0}, salt = {NULL, 0}; - opaque sha_mac[20]; - opaque sha_mac_orig[20]; - - if (pkcs12==NULL || pass == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* read the iterations - */ - - result = _gnutls_x509_read_uint( pkcs12->pkcs12, "macData.iterations", &iter); - if (result < 0) { - iter = 1; /* the default */ - } + opaque key[20]; + int result; + unsigned int iter, len; + mac_hd_t td1 = NULL; + gnutls_datum tmp = { NULL, 0 }, salt = { + NULL, 0}; + opaque sha_mac[20]; + opaque sha_mac_orig[20]; + + if (pkcs12 == NULL || pass == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* read the iterations + */ + + result = + _gnutls_x509_read_uint(pkcs12->pkcs12, "macData.iterations", + &iter); + if (result < 0) { + iter = 1; /* the default */ + } + + + /* Read the salt from the structure. + */ + result = + _gnutls_x509_read_value(pkcs12->pkcs12, "macData.macSalt", &salt, + 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Generate the key. + */ + result = _pkcs12_string_to_key(3 /*MAC*/, salt.data, salt.size, + iter, pass, sizeof(key), key); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + _gnutls_free_datum(&salt); + + /* Get the data to be MACed + */ + result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, NULL, &tmp); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* MAC the data + */ + td1 = _gnutls_hmac_init(GNUTLS_MAC_SHA, key, sizeof(key)); + if (td1 == GNUTLS_MAC_FAILED) { + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; + } + + _gnutls_hmac(td1, tmp.data, tmp.size); + _gnutls_free_datum(&tmp); + + _gnutls_hmac_deinit(td1, sha_mac); + + len = sizeof(sha_mac_orig); + result = + asn1_read_value(pkcs12->pkcs12, "macData.mac.digest", sha_mac_orig, + &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (memcmp(sha_mac_orig, sha_mac, sizeof(sha_mac)) != 0) { + gnutls_assert(); + return GNUTLS_E_MAC_VERIFY_FAILED; + } + + return 0; + + cleanup: + _gnutls_free_datum(&tmp); + _gnutls_free_datum(&salt); + return result; +} - /* Read the salt from the structure. +static int write_attributes(gnutls_pkcs12_bag bag, int elem, ASN1_TYPE c2, + const char *where) +{ + int result; + char root[128]; + + /* If the bag attributes are empty, then write + * nothing to the attribute field. + */ + if (bag->element[elem].friendly_name == NULL && + bag->element[elem].local_key_id.data == NULL) { + /* no attributes */ - result = _gnutls_x509_read_value(pkcs12->pkcs12, "macData.macSalt", &salt, 0); + result = asn1_write_value(c2, where, NULL, 0); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + gnutls_assert(); + return _gnutls_asn2err(result); } - /* Generate the key. + return 0; + } + + if (bag->element[elem].local_key_id.data != NULL) { + + /* Add a new Attribute */ - result = _pkcs12_string_to_key( 3/*MAC*/, salt.data, salt.size, - iter, pass, sizeof(key), key); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = asn1_write_value(c2, where, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); } - _gnutls_free_datum( &salt); + _gnutls_str_cpy(root, sizeof(root), where); + _gnutls_str_cat(root, sizeof(root), ".?LAST"); - /* Get the data to be MACed - */ - result = _decode_pkcs12_auth_safe( pkcs12->pkcs12, NULL, &tmp); + result = + _gnutls_x509_encode_and_write_attribute(KEY_ID_OID, c2, root, + bag->element[elem]. + local_key_id.data, + bag->element[elem]. + local_key_id.size, 1); if (result < 0) { - gnutls_assert(); - goto cleanup; + gnutls_assert(); + return result; } + } + + if (bag->element[elem].friendly_name != NULL) { + opaque *name; + int size, i; + const char *p; - /* MAC the data + /* Add a new Attribute */ - td1 = _gnutls_hmac_init(GNUTLS_MAC_SHA, key, sizeof(key)); - if (td1 == GNUTLS_MAC_FAILED) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; - } - - _gnutls_hmac(td1, tmp.data, tmp.size); - _gnutls_free_datum( &tmp); - - _gnutls_hmac_deinit(td1, sha_mac); - - len = sizeof(sha_mac_orig); - result = asn1_read_value(pkcs12->pkcs12, "macData.mac.digest", sha_mac_orig, &len); + result = asn1_write_value(c2, where, "NEW", 1); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (memcmp( sha_mac_orig, sha_mac, sizeof(sha_mac)) != 0) { - gnutls_assert(); - return GNUTLS_E_MAC_VERIFY_FAILED; + gnutls_assert(); + return _gnutls_asn2err(result); } - return 0; - - cleanup: - _gnutls_free_datum( &tmp); - _gnutls_free_datum( &salt); - return result; -} - - -static int write_attributes( gnutls_pkcs12_bag bag, int elem, ASN1_TYPE c2, const char* where) { -int result; -char root[128]; - - /* If the bag attributes are empty, then write - * nothing to the attribute field. + /* convert name to BMPString */ - if (bag->element[elem].friendly_name == NULL && - bag->element[elem].local_key_id.data == NULL) { - /* no attributes - */ - result = asn1_write_value(c2, where, NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + size = strlen(bag->element[elem].friendly_name) * 2; + name = gnutls_malloc(size); - return 0; + if (name == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } - if (bag->element[elem].local_key_id.data != NULL) { - - /* Add a new Attribute - */ - result = asn1_write_value(c2, where, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - _gnutls_str_cpy( root, sizeof(root), where); - _gnutls_str_cat( root, sizeof(root), ".?LAST"); - - result = _gnutls_x509_encode_and_write_attribute( - KEY_ID_OID, c2, root, bag->element[elem].local_key_id.data, - bag->element[elem].local_key_id.size, 1); - if (result < 0) { - gnutls_assert(); - return result; - } + p = bag->element[elem].friendly_name; + for (i = 0; i < size; i += 2) { + name[i] = 0; + name[i + 1] = *p; + p++; } - if (bag->element[elem].friendly_name != NULL) { - opaque* name; - int size, i; - const char* p; - - /* Add a new Attribute - */ - result = asn1_write_value(c2, where, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* convert name to BMPString - */ - size = strlen(bag->element[elem].friendly_name)*2; - name = gnutls_malloc(size); - - if (name == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - p = bag->element[elem].friendly_name; - for (i=0;i<size;i+=2) { - name[i] = 0; - name[i+1] = *p; - p++; - } + _gnutls_str_cpy(root, sizeof(root), where); + _gnutls_str_cat(root, sizeof(root), ".?LAST"); - _gnutls_str_cpy( root, sizeof(root), where); - _gnutls_str_cat( root, sizeof(root), ".?LAST"); - - result = _gnutls_x509_encode_and_write_attribute( - FRIENDLY_NAME_OID, c2, root, name, size, 1); + result = + _gnutls_x509_encode_and_write_attribute(FRIENDLY_NAME_OID, c2, + root, name, size, 1); - gnutls_free(name); + gnutls_free(name); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; } + } - return 0; + return 0; } @@ -1028,108 +1089,114 @@ char root[128]; * the given datum. Enc is set to non zero if the data are encrypted; */ int -_pkcs12_encode_safe_contents( gnutls_pkcs12_bag bag, ASN1_TYPE* contents, int *enc) +_pkcs12_encode_safe_contents(gnutls_pkcs12_bag bag, ASN1_TYPE * contents, + int *enc) { -ASN1_TYPE c2 = ASN1_TYPE_EMPTY; -int result; -int i; -const char* oid; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + int i; + const char *oid; + + if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED && enc) { + *enc = 1; + return 0; /* ENCRYPTED BAG, do nothing. */ + } else if (enc) + *enc = 0; + + /* Step 1. Create the SEQUENCE. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-12-SafeContents", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + for (i = 0; i < bag->bag_elements; i++) { + + oid = bag_to_oid(bag->element[i].type); + if (oid == NULL) { + gnutls_assert(); + continue; + } - if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED && enc) { - *enc = 1; - return 0; /* ENCRYPTED BAG, do nothing. */ - } else if (enc) *enc = 0; + result = asn1_write_value(c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - /* Step 1. Create the SEQUENCE. + /* Copy the bag type. */ - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-12-SafeContents", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_write_value(c2, "?LAST.bagId", oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - for (i=0;i<bag->bag_elements;i++) { - - oid = bag_to_oid( bag->element[i].type); - if (oid==NULL) { - gnutls_assert(); - continue; - } - - result = asn1_write_value(c2, "", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + /* Set empty attributes + */ + result = write_attributes(bag, i, c2, "?LAST.bagAttributes"); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - /* Copy the bag type. - */ - result = asn1_write_value(c2, "?LAST.bagId", oid, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - /* Set empty attributes - */ - result = write_attributes(bag, i, c2, "?LAST.bagAttributes"); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + /* Copy the Bag Value + */ + if (bag->element[i].type == GNUTLS_BAG_CERTIFICATE || + bag->element[i].type == GNUTLS_BAG_CRL) { + gnutls_datum tmp; - /* Copy the Bag Value - */ + /* in that case encode it to a CertBag or + * a CrlBag. + */ - if (bag->element[i].type == GNUTLS_BAG_CERTIFICATE || - bag->element[i].type == GNUTLS_BAG_CRL) { - gnutls_datum tmp; + result = + _pkcs12_encode_crt_bag(bag->element[i].type, + &bag->element[i].data, &tmp); - /* in that case encode it to a CertBag or - * a CrlBag. - */ + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = _pkcs12_encode_crt_bag( bag->element[i].type, &bag->element[i].data, &tmp); + result = _gnutls_x509_write_value(c2, "?LAST.bagValue", + &tmp, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + _gnutls_free_datum(&tmp); - result = _gnutls_x509_write_value( c2, "?LAST.bagValue", - &tmp, 0); - - _gnutls_free_datum( &tmp); + } else { - } else { + result = _gnutls_x509_write_value(c2, "?LAST.bagValue", + &bag->element[i].data, 0); + } - result = _gnutls_x509_write_value( c2, "?LAST.bagValue", - &bag->element[i].data, 0); - } + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + } - } - - /* Encode the data and copy them into the datum - */ - *contents = c2; + /* Encode the data and copy them into the datum + */ + *contents = c2; - return 0; + return 0; - cleanup: - if (c2) asn1_delete_structure(&c2); - return result; + cleanup: + if (c2) + asn1_delete_structure(&c2); + return result; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c index e27504bb01..352ddb279a 100644 --- a/lib/x509/pkcs12_bag.c +++ b/lib/x509/pkcs12_bag.c @@ -47,26 +47,25 @@ **/ int gnutls_pkcs12_bag_init(gnutls_pkcs12_bag * bag) { - *bag = gnutls_calloc( 1, sizeof(gnutls_pkcs12_bag_int)); + *bag = gnutls_calloc(1, sizeof(gnutls_pkcs12_bag_int)); - if (*bag) { - return 0; /* success */ - } - return GNUTLS_E_MEMORY_ERROR; + if (*bag) { + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } -static inline -void _pkcs12_bag_free_data( gnutls_pkcs12_bag bag) +static inline void _pkcs12_bag_free_data(gnutls_pkcs12_bag bag) { -int i; - - for (i=0;i<bag->bag_elements;i++) { - _gnutls_free_datum( &bag->element[i].data); - _gnutls_free_datum( &bag->element[i].local_key_id); - gnutls_free( bag->element[i].friendly_name); - bag->element[i].friendly_name = NULL; - bag->element[i].type = 0; - } + int i; + + for (i = 0; i < bag->bag_elements; i++) { + _gnutls_free_datum(&bag->element[i].data); + _gnutls_free_datum(&bag->element[i].local_key_id); + gnutls_free(bag->element[i].friendly_name); + bag->element[i].friendly_name = NULL; + bag->element[i].type = 0; + } } @@ -80,11 +79,12 @@ int i; **/ void gnutls_pkcs12_bag_deinit(gnutls_pkcs12_bag bag) { - if (!bag) return; + if (!bag) + return; - _pkcs12_bag_free_data( bag); + _pkcs12_bag_free_data(bag); - gnutls_free(bag); + gnutls_free(bag); } /** @@ -96,16 +96,17 @@ void gnutls_pkcs12_bag_deinit(gnutls_pkcs12_bag bag) * enumerations. * **/ -gnutls_pkcs12_bag_type gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag bag, int indx) +gnutls_pkcs12_bag_type gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag bag, + int indx) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (indx >= bag->bag_elements) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - return bag->element[indx].type; + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (indx >= bag->bag_elements) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + return bag->element[indx].type; } /** @@ -117,12 +118,12 @@ gnutls_pkcs12_bag_type gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag bag, int ind **/ int gnutls_pkcs12_bag_get_count(gnutls_pkcs12_bag bag) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return bag->bag_elements; + return bag->bag_elements; } /** @@ -138,151 +139,156 @@ int gnutls_pkcs12_bag_get_count(gnutls_pkcs12_bag bag) * Returns 0 on success and a negative error code on error. * **/ -int gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag bag, int indx, gnutls_datum * data) +int gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag bag, int indx, + gnutls_datum * data) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (indx >= bag->bag_elements) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (indx >= bag->bag_elements) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - data->data = bag->element[indx].data.data; - data->size = bag->element[indx].data.size; + data->data = bag->element[indx].data.data; + data->size = bag->element[indx].data.size; - return 0; + return 0; } #define X509_CERT_OID "1.2.840.113549.1.9.22.1" #define X509_CRL_OID "1.2.840.113549.1.9.23.1" -int _pkcs12_decode_crt_bag( gnutls_pkcs12_bag_type type, const gnutls_datum* in, - gnutls_datum* out) +int _pkcs12_decode_crt_bag(gnutls_pkcs12_bag_type type, + const gnutls_datum * in, gnutls_datum * out) { - int ret; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (type == GNUTLS_BAG_CERTIFICATE) { - if ((ret=asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-CertBag", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = asn1_der_decoding( &c2, in->data, in->size, NULL); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = _gnutls_x509_read_value( c2, "certValue", out, 1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - - } else { /* CRL */ - if ((ret=asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-CRLBag", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = asn1_der_decoding( &c2, in->data, in->size, NULL); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = _gnutls_x509_read_value( c2, "crlValue", out, 1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } + int ret; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (type == GNUTLS_BAG_CERTIFICATE) { + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-CertBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; } - asn1_delete_structure( &c2); + ret = asn1_der_decoding(&c2, in->data, in->size, NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } - return 0; - + ret = _gnutls_x509_read_value(c2, "certValue", out, 1); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } - cleanup: + } else { /* CRL */ + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-CRLBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } - asn1_delete_structure( &c2); - return ret; + ret = asn1_der_decoding(&c2, in->data, in->size, NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = _gnutls_x509_read_value(c2, "crlValue", out, 1); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + } + + asn1_delete_structure(&c2); + + return 0; + + + cleanup: + + asn1_delete_structure(&c2); + return ret; } -int _pkcs12_encode_crt_bag( gnutls_pkcs12_bag_type type, const gnutls_datum* raw, - gnutls_datum* out) +int _pkcs12_encode_crt_bag(gnutls_pkcs12_bag_type type, + const gnutls_datum * raw, gnutls_datum * out) { - int ret; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (type == GNUTLS_BAG_CERTIFICATE) { - if ((ret=asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-CertBag", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = asn1_write_value( c2, "certId", X509_CERT_OID, 1); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = _gnutls_x509_write_value( c2, "certValue", raw, 1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - - } else { /* CRL */ - if ((ret=asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-CRLBag", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = asn1_write_value( c2, "crlId", X509_CRL_OID, 1); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = _gnutls_x509_write_value( c2, "crlValue", raw, 1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } + int ret; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (type == GNUTLS_BAG_CERTIFICATE) { + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-CertBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; } - ret = _gnutls_x509_der_encode( c2, "", out, 0); + ret = asn1_write_value(c2, "certId", X509_CERT_OID, 1); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + ret = _gnutls_x509_write_value(c2, "certValue", raw, 1); if (ret < 0) { - gnutls_assert(); - goto cleanup; + gnutls_assert(); + goto cleanup; } - - asn1_delete_structure( &c2); - return 0; - + } else { /* CRL */ + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-CRLBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } - cleanup: + ret = asn1_write_value(c2, "crlId", X509_CRL_OID, 1); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } - asn1_delete_structure( &c2); - return ret; + ret = _gnutls_x509_write_value(c2, "crlValue", raw, 1); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + } + + ret = _gnutls_x509_der_encode(c2, "", out, 0); + + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + + cleanup: + + asn1_delete_structure(&c2); + return ret; } @@ -299,46 +305,49 @@ int _pkcs12_encode_crt_bag( gnutls_pkcs12_bag_type type, const gnutls_datum* raw * value on error. * **/ -int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag bag, gnutls_pkcs12_bag_type type, - const gnutls_datum* data) +int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag bag, + gnutls_pkcs12_bag_type type, + const gnutls_datum * data) { -int ret; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int ret; + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (bag->bag_elements == MAX_BAG_ELEMENTS - 1) { + gnutls_assert(); + /* bag is full */ + return GNUTLS_E_MEMORY_ERROR; + } - if (bag->bag_elements == MAX_BAG_ELEMENTS-1) { - gnutls_assert(); - /* bag is full */ - return GNUTLS_E_MEMORY_ERROR; - } + if (bag->bag_elements == 1) { + /* A bag with a key or an encrypted bag, must have + * only one element. + */ - if (bag->bag_elements == 1) { - /* A bag with a key or an encrypted bag, must have - * only one element. - */ - - if (bag->element[0].type == GNUTLS_BAG_PKCS8_KEY || - bag->element[0].type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY || - bag->element[0].type == GNUTLS_BAG_ENCRYPTED) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag->element[0].type == GNUTLS_BAG_PKCS8_KEY || + bag->element[0].type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY || + bag->element[0].type == GNUTLS_BAG_ENCRYPTED) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } + } - ret = _gnutls_set_datum( &bag->element[bag->bag_elements].data, data->data, data->size); + ret = + _gnutls_set_datum(&bag->element[bag->bag_elements].data, + data->data, data->size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - bag->element[bag->bag_elements].type = type; + bag->element[bag->bag_elements].type = type; - bag->bag_elements++; + bag->bag_elements++; - return bag->bag_elements-1; + return bag->bag_elements - 1; } /** @@ -355,25 +364,25 @@ int ret; **/ int gnutls_pkcs12_bag_set_crt(gnutls_pkcs12_bag bag, gnutls_x509_crt crt) { -int ret; -gnutls_datum data; + int ret; + gnutls_datum data; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = _gnutls_x509_der_encode( crt->cert, "", &data, 0); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = gnutls_pkcs12_bag_set_data( bag, GNUTLS_BAG_CERTIFICATE, &data); - - _gnutls_free_datum( &data); - + ret = _gnutls_x509_der_encode(crt->cert, "", &data, 0); + if (ret < 0) { + gnutls_assert(); return ret; + } + + ret = gnutls_pkcs12_bag_set_data(bag, GNUTLS_BAG_CERTIFICATE, &data); + + _gnutls_free_datum(&data); + + return ret; } /** @@ -390,26 +399,26 @@ gnutls_datum data; **/ int gnutls_pkcs12_bag_set_crl(gnutls_pkcs12_bag bag, gnutls_x509_crl crl) { -int ret; -gnutls_datum data; + int ret; + gnutls_datum data; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = _gnutls_x509_der_encode( crl->crl, "", &data, 0); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = gnutls_pkcs12_bag_set_data( bag, GNUTLS_BAG_CRL, &data); - - _gnutls_free_datum( &data); - + ret = _gnutls_x509_der_encode(crl->crl, "", &data, 0); + if (ret < 0) { + gnutls_assert(); return ret; + } + + ret = gnutls_pkcs12_bag_set_data(bag, GNUTLS_BAG_CRL, &data); + + _gnutls_free_datum(&data); + + return ret; } /** @@ -425,31 +434,31 @@ gnutls_datum data; * Returns 0 on success, or a negative value on error. * **/ -int gnutls_pkcs12_bag_set_key_id(gnutls_pkcs12_bag bag, int indx, - const gnutls_datum* id) +int gnutls_pkcs12_bag_set_key_id(gnutls_pkcs12_bag bag, int indx, + const gnutls_datum * id) { -int ret; + int ret; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (indx > bag->bag_elements-1) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (indx > bag->bag_elements - 1) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = _gnutls_set_datum( &bag->element[indx].local_key_id, - id->data, id->size); + ret = _gnutls_set_datum(&bag->element[indx].local_key_id, + id->data, id->size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -464,23 +473,23 @@ int ret; * Returns 0 on success, or a negative value on error. * **/ -int gnutls_pkcs12_bag_get_key_id(gnutls_pkcs12_bag bag, int indx, - gnutls_datum* id) +int gnutls_pkcs12_bag_get_key_id(gnutls_pkcs12_bag bag, int indx, + gnutls_datum * id) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (indx > bag->bag_elements-1) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (indx > bag->bag_elements - 1) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - id->data = bag->element[indx].local_key_id.data; - id->size = bag->element[indx].local_key_id.size; + id->data = bag->element[indx].local_key_id.data; + id->size = bag->element[indx].local_key_id.size; - return 0; + return 0; } /** @@ -495,22 +504,22 @@ int gnutls_pkcs12_bag_get_key_id(gnutls_pkcs12_bag bag, int indx, * Returns 0 on success, or a negative value on error. * **/ -int gnutls_pkcs12_bag_get_friendly_name(gnutls_pkcs12_bag bag, int indx, - char **name) +int gnutls_pkcs12_bag_get_friendly_name(gnutls_pkcs12_bag bag, int indx, + char **name) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (indx > bag->bag_elements-1) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (indx > bag->bag_elements - 1) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - *name = bag->element[indx].friendly_name; + *name = bag->element[indx].friendly_name; - return 0; + return 0; } @@ -527,27 +536,27 @@ int gnutls_pkcs12_bag_get_friendly_name(gnutls_pkcs12_bag bag, int indx, * Returns 0 on success, or a negative value on error. * **/ -int gnutls_pkcs12_bag_set_friendly_name(gnutls_pkcs12_bag bag, int indx, - const char* name) +int gnutls_pkcs12_bag_set_friendly_name(gnutls_pkcs12_bag bag, int indx, + const char *name) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (indx > bag->bag_elements-1) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (indx > bag->bag_elements - 1) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - bag->element[indx].friendly_name = gnutls_strdup(name); + bag->element[indx].friendly_name = gnutls_strdup(name); - if (name == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (name == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - return 0; + return 0; } @@ -559,45 +568,44 @@ int gnutls_pkcs12_bag_set_friendly_name(gnutls_pkcs12_bag bag, int indx, * This function will decrypt the given encrypted bag and return 0 on success. * **/ -int gnutls_pkcs12_bag_decrypt(gnutls_pkcs12_bag bag, const char* pass) +int gnutls_pkcs12_bag_decrypt(gnutls_pkcs12_bag bag, const char *pass) { -int ret; -gnutls_datum dec; + int ret; + gnutls_datum dec; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (bag->element[0].type != GNUTLS_BAG_ENCRYPTED) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_pkcs7_decrypt_data( - &bag->element[0].data, pass, &dec); + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (bag->element[0].type != GNUTLS_BAG_ENCRYPTED) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_pkcs7_decrypt_data(&bag->element[0].data, pass, &dec); - /* decryption succeeded. Now decode the SafeContents - * stuff, and parse it. - */ + if (ret < 0) { + gnutls_assert(); + return ret; + } - _gnutls_free_datum( &bag->element[0].data); + /* decryption succeeded. Now decode the SafeContents + * stuff, and parse it. + */ - ret = _pkcs12_decode_safe_contents( &dec, bag); + _gnutls_free_datum(&bag->element[0].data); - _gnutls_free_datum( &dec); + ret = _pkcs12_decode_safe_contents(&dec, bag); - if (ret < 0) { - gnutls_assert(); - return ret; - } + _gnutls_free_datum(&dec); - return 0; + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } /** @@ -609,78 +617,83 @@ gnutls_datum dec; * This function will encrypt the given bag and return 0 on success. * **/ -int gnutls_pkcs12_bag_encrypt(gnutls_pkcs12_bag bag, const char* pass, unsigned int flags) +int gnutls_pkcs12_bag_encrypt(gnutls_pkcs12_bag bag, const char *pass, + unsigned int flags) { -int ret; -ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; -gnutls_datum der = {NULL, 0}; -gnutls_datum enc = {NULL, 0}; -schema_id id; - - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Encode the whole bag to a safe contents - * structure. - */ - ret = _pkcs12_encode_safe_contents( bag, &safe_cont, NULL); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* DER encode the SafeContents. - */ - ret = _gnutls_x509_der_encode( safe_cont, "", &der, 0); - - asn1_delete_structure( &safe_cont); - - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret; + ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; + gnutls_datum der = { NULL, 0 }; + gnutls_datum enc = { NULL, 0 }; + schema_id id; + + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Encode the whole bag to a safe contents + * structure. + */ + ret = _pkcs12_encode_safe_contents(bag, &safe_cont, NULL); + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (flags & GNUTLS_PKCS_PLAIN) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) id = PKCS12_ARCFOUR_SHA1; - else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) id = PKCS12_RC2_40_SHA1; - else if (flags & GNUTLS_PKCS_USE_PBES2_3DES) id = PBES2; - else id = PKCS12_3DES_SHA1; + /* DER encode the SafeContents. + */ + ret = _gnutls_x509_der_encode(safe_cont, "", &der, 0); - /* Now encrypt them. - */ - ret = _gnutls_pkcs7_encrypt_data( id, &der, pass, &enc); + asn1_delete_structure(&safe_cont); - _gnutls_free_datum( &der); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + if (flags & GNUTLS_PKCS_PLAIN) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) + id = PKCS12_ARCFOUR_SHA1; + else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) + id = PKCS12_RC2_40_SHA1; + else if (flags & GNUTLS_PKCS_USE_PBES2_3DES) + id = PBES2; + else + id = PKCS12_3DES_SHA1; + + /* Now encrypt them. + */ + ret = _gnutls_pkcs7_encrypt_data(id, &der, pass, &enc); + + _gnutls_free_datum(&der); + + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (ret < 0) { - gnutls_assert(); - return ret; - } + /* encryption succeeded. + */ - /* encryption succeeded. - */ + _pkcs12_bag_free_data(bag); - _pkcs12_bag_free_data( bag); + bag->element[0].type = GNUTLS_BAG_ENCRYPTED; + bag->element[0].data = enc; - bag->element[0].type = GNUTLS_BAG_ENCRYPTED; - bag->element[0].data = enc; - - bag->bag_elements = 1; + bag->bag_elements = 1; - return 0; + return 0; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c index 3225fa88d6..4ea40de2c7 100644 --- a/lib/x509/pkcs12_encr.c +++ b/lib/x509/pkcs12_encr.c @@ -30,17 +30,18 @@ /* Returns 0 if the password is ok, or a negative error * code instead. */ -static int _pkcs12_check_pass( const char* pass, size_t plen) +static int _pkcs12_check_pass(const char *pass, size_t plen) { -const unsigned char* p = pass; -unsigned int i; + const unsigned char *p = pass; + unsigned int i; - for (i=0;i<plen;i++) { - if ( isascii(p[i])) continue; - return GNUTLS_E_INVALID_PASSWORD; - } - - return 0; + for (i = 0; i < plen; i++) { + if (isascii(p[i])) + continue; + return GNUTLS_E_INVALID_PASSWORD; + } + + return 0; } /* ID should be: @@ -48,103 +49,96 @@ unsigned int i; * 2 for IV * 1 for encryption key */ -int -_pkcs12_string_to_key (unsigned int id, const opaque *salt, unsigned int salt_size, - unsigned int iter, const char *pw, - unsigned int req_keylen, opaque *keybuf) +int +_pkcs12_string_to_key(unsigned int id, const opaque * salt, + unsigned int salt_size, unsigned int iter, + const char *pw, unsigned int req_keylen, + opaque * keybuf) { - int rc; - gcry_error_t err; - unsigned int i, j; - gcry_md_hd_t md; - mpi_t num_b1 = NULL; - unsigned int pwlen; - opaque hash[20], buf_b[64], buf_i[128], *p; - size_t cur_keylen; - size_t n; + int rc; + gcry_error_t err; + unsigned int i, j; + gcry_md_hd_t md; + mpi_t num_b1 = NULL; + unsigned int pwlen; + opaque hash[20], buf_b[64], buf_i[128], *p; + size_t cur_keylen; + size_t n; - cur_keylen = 0; - pwlen = strlen (pw); - if (pwlen > 63/2) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + cur_keylen = 0; + pwlen = strlen(pw); + if (pwlen > 63 / 2) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if ((rc=_pkcs12_check_pass( pw, pwlen)) < 0) { - gnutls_assert(); - return rc; - } + if ((rc = _pkcs12_check_pass(pw, pwlen)) < 0) { + gnutls_assert(); + return rc; + } - /* Store salt and password in BUF_I */ - p = buf_i; - for(i=0; i < 64; i++) - *p++ = salt [i % salt_size]; - for(i=j=0; i < 64; i += 2) - { - *p++ = 0; - *p++ = pw[j]; - if (++j > pwlen) /* Note, that we include the trailing zero */ - j = 0; + /* Store salt and password in BUF_I */ + p = buf_i; + for (i = 0; i < 64; i++) + *p++ = salt[i % salt_size]; + for (i = j = 0; i < 64; i += 2) { + *p++ = 0; + *p++ = pw[j]; + if (++j > pwlen) /* Note, that we include the trailing zero */ + j = 0; } - for (;;) - { - err = gcry_md_open (&md, GCRY_MD_SHA1, 0); - if (err) - { - gnutls_assert(); - return GNUTLS_E_DECRYPTION_FAILED; - } - for(i=0; i < 64; i++) - gcry_md_putc (md, id); - gcry_md_write (md, buf_i, 128); - memcpy (hash, gcry_md_read (md, 0), 20); - gcry_md_close (md); - for (i=1; i < iter; i++) - gcry_md_hash_buffer (GCRY_MD_SHA1, hash, hash, 20); + for (;;) { + err = gcry_md_open(&md, GCRY_MD_SHA1, 0); + if (err) { + gnutls_assert(); + return GNUTLS_E_DECRYPTION_FAILED; + } + for (i = 0; i < 64; i++) + gcry_md_putc(md, id); + gcry_md_write(md, buf_i, 128); + memcpy(hash, gcry_md_read(md, 0), 20); + gcry_md_close(md); + for (i = 1; i < iter; i++) + gcry_md_hash_buffer(GCRY_MD_SHA1, hash, hash, 20); - for (i=0; i < 20 && cur_keylen < req_keylen; i++) - keybuf[cur_keylen++] = hash[i]; - if (cur_keylen == req_keylen) - { - gcry_mpi_release (num_b1); - return 0; /* ready */ - } - - /* need more bytes. */ - for(i=0; i < 64; i++) - buf_b[i] = hash[i % 20]; - n = 64; - rc = _gnutls_mpi_scan(&num_b1, buf_b, &n); - if (rc < 0) - { - gnutls_assert(); - return rc; - } - gcry_mpi_add_ui (num_b1, num_b1, 1); - for (i=0; i < 128; i += 64) - { - mpi_t num_ij; + for (i = 0; i < 20 && cur_keylen < req_keylen; i++) + keybuf[cur_keylen++] = hash[i]; + if (cur_keylen == req_keylen) { + gcry_mpi_release(num_b1); + return 0; /* ready */ + } - n = 64; - rc = _gnutls_mpi_scan (&num_ij, buf_i + i, &n); - if (rc < 0) - { - gnutls_assert(); - return rc; - } - gcry_mpi_add (num_ij, num_ij, num_b1); - gcry_mpi_clear_highbit (num_ij, 64*8); - n = 64; - rc = _gnutls_mpi_print( buf_i + i, &n, num_ij); - if (rc < 0) - { - gnutls_assert(); - return rc; - } - gcry_mpi_release (num_ij); - } + /* need more bytes. */ + for (i = 0; i < 64; i++) + buf_b[i] = hash[i % 20]; + n = 64; + rc = _gnutls_mpi_scan(&num_b1, buf_b, &n); + if (rc < 0) { + gnutls_assert(); + return rc; + } + gcry_mpi_add_ui(num_b1, num_b1, 1); + for (i = 0; i < 128; i += 64) { + mpi_t num_ij; + + n = 64; + rc = _gnutls_mpi_scan(&num_ij, buf_i + i, &n); + if (rc < 0) { + gnutls_assert(); + return rc; + } + gcry_mpi_add(num_ij, num_ij, num_b1); + gcry_mpi_clear_highbit(num_ij, 64 * 8); + n = 64; + rc = _gnutls_mpi_print(buf_i + i, &n, num_ij); + if (rc < 0) { + gnutls_assert(); + return rc; + } + gcry_mpi_release(num_ij); + } } } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/pkcs5.c b/lib/x509/pkcs5.c index c1c745b71e..183b6fc5a2 100644 --- a/lib/x509/pkcs5.c +++ b/lib/x509/pkcs5.c @@ -55,159 +55,155 @@ #define MAX_PRF_BLOCK_LEN 80 int -_gnutls_pkcs5_pbkdf2 (int PRF, - const char *P, - size_t Plen, - const unsigned char *S, - size_t Slen, unsigned int c, unsigned int dkLen, char *DK) +_gnutls_pkcs5_pbkdf2(int PRF, + const char *P, + size_t Plen, + const unsigned char *S, + size_t Slen, unsigned int c, unsigned int dkLen, + char *DK) { - gcry_md_hd_t prf; - gcry_error_t err; - char U[MAX_PRF_BLOCK_LEN]; - char T[MAX_PRF_BLOCK_LEN]; - unsigned int u; - unsigned int hLen = gcry_md_get_algo_dlen (PRF); - unsigned int l; - unsigned int r; - int rc; - unsigned char *p; - int i; - int k; - - if (hLen == 0 || hLen > MAX_PRF_BLOCK_LEN) - return PKCS5_INVALID_PRF; - - if (c == 0) - return PKCS5_INVALID_ITERATION_COUNT; - - if (dkLen == 0) - return PKCS5_INVALID_DERIVED_KEY_LENGTH; - - /* - * - * Steps: - * - * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and - * stop. - */ - - if (dkLen > 4294967295U) - return PKCS5_DERIVED_KEY_TOO_LONG; - - /* - * 2. Let l be the number of hLen-octet blocks in the derived key, - * rounding up, and let r be the number of octets in the last - * block: - * - * l = CEIL (dkLen / hLen) , - * r = dkLen - (l - 1) * hLen . - * - * Here, CEIL (x) is the "ceiling" function, i.e. the smallest - * integer greater than, or equal to, x. - */ - - l = dkLen / hLen; - if (dkLen % hLen) - l++; - r = dkLen - (l - 1) * hLen; - - /* - * 3. For each block of the derived key apply the function F defined - * below to the password P, the salt S, the iteration count c, and - * the block index to compute the block: - * - * T_1 = F (P, S, c, 1) , - * T_2 = F (P, S, c, 2) , - * ... - * T_l = F (P, S, c, l) , - * - * where the function F is defined as the exclusive-or sum of the - * first c iterates of the underlying pseudorandom function PRF - * applied to the password P and the concatenation of the salt S - * and the block index i: - * - * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c - * - * where - * - * U_1 = PRF (P, S || INT (i)) , - * U_2 = PRF (P, U_1) , - * ... - * U_c = PRF (P, U_{c-1}) . - * - * Here, INT (i) is a four-octet encoding of the integer i, most - * significant octet first. - * - * 4. Concatenate the blocks and extract the first dkLen octets to - * produce a derived key DK: - * - * DK = T_1 || T_2 || ... || T_l<0..r-1> - * - * 5. Output the derived key DK. - * - * Note. The construction of the function F follows a "belt-and- - * suspenders" approach. The iterates U_i are computed recursively to - * remove a degree of parallelism from an opponent; they are exclusive- - * ored together to reduce concerns about the recursion degenerating - * into a small set of values. - * - */ - - err = gcry_md_open ( &prf, PRF, GCRY_MD_FLAG_HMAC); - if (err) - return PKCS5_INVALID_PRF; - - for (i = 1; (uint)i <= l; i++) - { - memset (T, 0, hLen); - - for (u = 1; u <= c; u++) - { - gcry_md_reset (prf); - - rc = gcry_md_setkey (prf, P, Plen); - if (rc) - return PKCS5_INVALID_PRF; - - if (u == 1) - { - char *tmp; - size_t tmplen = Slen + 4; - - tmp = gnutls_alloca( tmplen); - if (tmp == NULL) - return PKCS5_INVALID_PRF; - - memcpy (tmp, S, Slen); - tmp[Slen + 0] = (i & 0xff000000) >> 24; - tmp[Slen + 1] = (i & 0x00ff0000) >> 16; - tmp[Slen + 2] = (i & 0x0000ff00) >> 8; - tmp[Slen + 3] = (i & 0x000000ff) >> 0; - - gcry_md_write (prf, tmp, tmplen); - gnutls_afree(tmp); - } - else - { - gcry_md_write (prf, U, hLen); + gcry_md_hd_t prf; + gcry_error_t err; + char U[MAX_PRF_BLOCK_LEN]; + char T[MAX_PRF_BLOCK_LEN]; + unsigned int u; + unsigned int hLen = gcry_md_get_algo_dlen(PRF); + unsigned int l; + unsigned int r; + int rc; + unsigned char *p; + int i; + int k; + + if (hLen == 0 || hLen > MAX_PRF_BLOCK_LEN) + return PKCS5_INVALID_PRF; + + if (c == 0) + return PKCS5_INVALID_ITERATION_COUNT; + + if (dkLen == 0) + return PKCS5_INVALID_DERIVED_KEY_LENGTH; + + /* + * + * Steps: + * + * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and + * stop. + */ + + if (dkLen > 4294967295U) + return PKCS5_DERIVED_KEY_TOO_LONG; + + /* + * 2. Let l be the number of hLen-octet blocks in the derived key, + * rounding up, and let r be the number of octets in the last + * block: + * + * l = CEIL (dkLen / hLen) , + * r = dkLen - (l - 1) * hLen . + * + * Here, CEIL (x) is the "ceiling" function, i.e. the smallest + * integer greater than, or equal to, x. + */ + + l = dkLen / hLen; + if (dkLen % hLen) + l++; + r = dkLen - (l - 1) * hLen; + + /* + * 3. For each block of the derived key apply the function F defined + * below to the password P, the salt S, the iteration count c, and + * the block index to compute the block: + * + * T_1 = F (P, S, c, 1) , + * T_2 = F (P, S, c, 2) , + * ... + * T_l = F (P, S, c, l) , + * + * where the function F is defined as the exclusive-or sum of the + * first c iterates of the underlying pseudorandom function PRF + * applied to the password P and the concatenation of the salt S + * and the block index i: + * + * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c + * + * where + * + * U_1 = PRF (P, S || INT (i)) , + * U_2 = PRF (P, U_1) , + * ... + * U_c = PRF (P, U_{c-1}) . + * + * Here, INT (i) is a four-octet encoding of the integer i, most + * significant octet first. + * + * 4. Concatenate the blocks and extract the first dkLen octets to + * produce a derived key DK: + * + * DK = T_1 || T_2 || ... || T_l<0..r-1> + * + * 5. Output the derived key DK. + * + * Note. The construction of the function F follows a "belt-and- + * suspenders" approach. The iterates U_i are computed recursively to + * remove a degree of parallelism from an opponent; they are exclusive- + * ored together to reduce concerns about the recursion degenerating + * into a small set of values. + * + */ + + err = gcry_md_open(&prf, PRF, GCRY_MD_FLAG_HMAC); + if (err) + return PKCS5_INVALID_PRF; + + for (i = 1; (uint) i <= l; i++) { + memset(T, 0, hLen); + + for (u = 1; u <= c; u++) { + gcry_md_reset(prf); + + rc = gcry_md_setkey(prf, P, Plen); + if (rc) + return PKCS5_INVALID_PRF; + + if (u == 1) { + char *tmp; + size_t tmplen = Slen + 4; + + tmp = gnutls_alloca(tmplen); + if (tmp == NULL) + return PKCS5_INVALID_PRF; + + memcpy(tmp, S, Slen); + tmp[Slen + 0] = (i & 0xff000000) >> 24; + tmp[Slen + 1] = (i & 0x00ff0000) >> 16; + tmp[Slen + 2] = (i & 0x0000ff00) >> 8; + tmp[Slen + 3] = (i & 0x000000ff) >> 0; + + gcry_md_write(prf, tmp, tmplen); + gnutls_afree(tmp); + } else { + gcry_md_write(prf, U, hLen); } - p = gcry_md_read (prf, PRF); - if (p == NULL) - return PKCS5_INVALID_PRF; + p = gcry_md_read(prf, PRF); + if (p == NULL) + return PKCS5_INVALID_PRF; - memcpy (U, p, hLen); + memcpy(U, p, hLen); - for (k = 0; (uint)k < hLen; k++) - T[k] ^= U[k]; + for (k = 0; (uint) k < hLen; k++) + T[k] ^= U[k]; } - memcpy (DK + (i - 1) * hLen, T, (uint)i == l ? r : hLen); + memcpy(DK + (i - 1) * hLen, T, (uint) i == l ? r : hLen); } - gcry_md_close (prf); + gcry_md_close(prf); - return PKCS5_OK; + return PKCS5_OK; } #endif diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c index 3b969f32fb..ce301fda7d 100644 --- a/lib/x509/pkcs7.c +++ b/lib/x509/pkcs7.c @@ -43,86 +43,89 @@ * data are copied (they are locally allocated) there. */ static -int _decode_pkcs7_signed_data( ASN1_TYPE pkcs7, ASN1_TYPE * sdata, gnutls_datum* raw) +int _decode_pkcs7_signed_data(ASN1_TYPE pkcs7, ASN1_TYPE * sdata, + gnutls_datum * raw) { -char oid[128]; -ASN1_TYPE c2; -opaque *tmp = NULL; -int tmp_size, len, result; - - len = sizeof(oid) - 1; - result = asn1_read_value(pkcs7, "contentType", oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if ( strcmp( oid, SIGNED_DATA_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log( "Unknown PKCS7 Content OID '%s'\n", oid); - return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; - } - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-SignedData", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* the Signed-data has been created, so - * decode them. - */ - tmp_size = 0; - result = asn1_read_value(pkcs7, "content", NULL, &tmp_size); - if (result!=ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - tmp = gnutls_malloc(tmp_size); - if (tmp==NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - result = asn1_read_value(pkcs7, "content", tmp, &tmp_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* tmp, tmp_size hold the data and the size of the CertificateSet structure - * actually the ANY stuff. - */ - - /* Step 1. In case of a signed structure extract certificate set. - */ - - result = asn1_der_decoding(&c2, tmp, tmp_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (raw == NULL) { - gnutls_free(tmp); - } else { - raw->data = tmp; - raw->size = tmp_size; - } - - *sdata = c2; - - return 0; - - cleanup: - if (c2) asn1_delete_structure(&c2); - gnutls_free(tmp); - return result; + char oid[128]; + ASN1_TYPE c2; + opaque *tmp = NULL; + int tmp_size, len, result; + + len = sizeof(oid) - 1; + result = asn1_read_value(pkcs7, "contentType", oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (strcmp(oid, SIGNED_DATA_OID) != 0) { + gnutls_assert(); + _gnutls_x509_log("Unknown PKCS7 Content OID '%s'\n", oid); + return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; + } + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-7-SignedData", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* the Signed-data has been created, so + * decode them. + */ + tmp_size = 0; + result = asn1_read_value(pkcs7, "content", NULL, &tmp_size); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + tmp = gnutls_malloc(tmp_size); + if (tmp == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + result = asn1_read_value(pkcs7, "content", tmp, &tmp_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* tmp, tmp_size hold the data and the size of the CertificateSet structure + * actually the ANY stuff. + */ + + /* Step 1. In case of a signed structure extract certificate set. + */ + + result = asn1_der_decoding(&c2, tmp, tmp_size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (raw == NULL) { + gnutls_free(tmp); + } else { + raw->data = tmp; + raw->size = tmp_size; + } + + *sdata = c2; + + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + gnutls_free(tmp); + return result; } /** @@ -138,20 +141,20 @@ int tmp_size, len, result; **/ int gnutls_pkcs7_init(gnutls_pkcs7 * pkcs7) { - *pkcs7 = gnutls_calloc( 1, sizeof(gnutls_pkcs7_int)); - - if (*pkcs7) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-7-ContentInfo", - &(*pkcs7)->pkcs7); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free( *pkcs7); - return _gnutls_asn2err(result); - } - return 0; /* success */ + *pkcs7 = gnutls_calloc(1, sizeof(gnutls_pkcs7_int)); + + if (*pkcs7) { + int result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-7-ContentInfo", + &(*pkcs7)->pkcs7); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*pkcs7); + return _gnutls_asn2err(result); } - return GNUTLS_E_MEMORY_ERROR; + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -163,12 +166,13 @@ int gnutls_pkcs7_init(gnutls_pkcs7 * pkcs7) **/ void gnutls_pkcs7_deinit(gnutls_pkcs7 pkcs7) { - if (!pkcs7) return; + if (!pkcs7) + return; - if (pkcs7->pkcs7) - asn1_delete_structure(&pkcs7->pkcs7); + if (pkcs7->pkcs7) + asn1_delete_structure(&pkcs7->pkcs7); - gnutls_free(pkcs7); + gnutls_free(pkcs7); } /** @@ -186,52 +190,56 @@ void gnutls_pkcs7_deinit(gnutls_pkcs7 pkcs7) * **/ int gnutls_pkcs7_import(gnutls_pkcs7 pkcs7, const gnutls_datum * data, - gnutls_x509_crt_fmt format) + gnutls_x509_crt_fmt format) { - int result = 0, need_free = 0; - gnutls_datum _data; + int result = 0, need_free = 0; + gnutls_datum _data; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - _data.data = data->data; - _data.size = data->size; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - /* If the PKCS7 is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - result = _gnutls_fbase64_decode(PEM_PKCS7, data->data, data->size, - &out); - - if (result <= 0) { - if (result==0) result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - - _data.data = out; - _data.size = result; - - need_free = 1; - } + _data.data = data->data; + _data.size = data->size; + /* If the PKCS7 is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; - result = asn1_der_decoding(&pkcs7->pkcs7, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; + result = _gnutls_fbase64_decode(PEM_PKCS7, data->data, data->size, + &out); + + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert(); + return result; } - if (need_free) _gnutls_free_datum( &_data); + _data.data = out; + _data.size = result; - return 0; + need_free = 1; + } - cleanup: - if (need_free) _gnutls_free_datum( &_data); - return result; + + result = + asn1_der_decoding(&pkcs7->pkcs7, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + if (need_free) + _gnutls_free_datum(&_data); + + return 0; + + cleanup: + if (need_free) + _gnutls_free_datum(&_data); + return result; } /** @@ -249,86 +257,88 @@ int gnutls_pkcs7_import(gnutls_pkcs7 pkcs7, const gnutls_datum * data, * will be returned. * **/ -int gnutls_pkcs7_get_crt_raw(gnutls_pkcs7 pkcs7, - int indx, void* certificate, size_t* certificate_size) +int gnutls_pkcs7_get_crt_raw(gnutls_pkcs7 pkcs7, + int indx, void *certificate, + size_t * certificate_size) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len; - char root2[64]; - char oid[128]; - char counter[MAX_INT_DIGITS]; - gnutls_datum tmp = {NULL, 0}; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len; + char root2[64]; + char oid[128]; + char counter[MAX_INT_DIGITS]; + gnutls_datum tmp = { NULL, 0 }; + + if (certificate_size == NULL || pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, &tmp); + if (result < 0) { + gnutls_assert(); + return result; + } - if (certificate_size == NULL || pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + /* Step 2. Parse the CertificateSet + */ - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, &tmp); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 2. Parse the CertificateSet - */ - - _gnutls_str_cpy( root2, sizeof(root2), "certificates.?"); - _gnutls_int2str( indx+1, counter); - _gnutls_str_cat( root2, sizeof(root2), counter); + _gnutls_str_cpy(root2, sizeof(root2), "certificates.?"); + _gnutls_int2str(indx + 1, counter); + _gnutls_str_cat(root2, sizeof(root2), counter); - len = sizeof(oid) - 1; + len = sizeof(oid) - 1; - result = asn1_read_value(c2, root2, oid, &len); + result = asn1_read_value(c2, root2, oid, &len); + + if (result == ASN1_VALUE_NOT_FOUND) { + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + goto cleanup; + } + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* if 'Certificate' is the choice found: + */ + if (strcmp(oid, "certificate") == 0) { + int start, end; + + result = asn1_der_decoding_startEnd(c2, tmp.data, tmp.size, + root2, &start, &end); - if (result == ASN1_VALUE_NOT_FOUND) { - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - goto cleanup; - } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - /* if 'Certificate' is the choice found: - */ - if (strcmp( oid, "certificate") == 0) { - int start, end; - - result = asn1_der_decoding_startEnd(c2, tmp.data, tmp.size, - root2, &start, &end); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - end = end-start+1; - - if ( (uint)end > *certificate_size) { - *certificate_size = end; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto cleanup; - } - - if (certificate) - memcpy( certificate, &tmp.data[start], end); - - *certificate_size = end; - - result = 0; - - } else { - result = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + end = end - start + 1; + + if ((uint) end > *certificate_size) { + *certificate_size = end; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto cleanup; } - cleanup: - _gnutls_free_datum( &tmp); - if (c2) asn1_delete_structure(&c2); - return result; + if (certificate) + memcpy(certificate, &tmp.data[start], end); + + *certificate_size = end; + + result = 0; + + } else { + result = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + } + + cleanup: + _gnutls_free_datum(&tmp); + if (c2) + asn1_delete_structure(&c2); + return result; } /** @@ -343,33 +353,33 @@ int gnutls_pkcs7_get_crt_raw(gnutls_pkcs7 pkcs7, **/ int gnutls_pkcs7_get_crt_count(gnutls_pkcs7 pkcs7) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, count; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, count; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; - } + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } - /* Step 2. Count the CertificateSet */ - - result = asn1_number_of_elements( c2, "certificates", &count); + /* Step 2. Count the CertificateSet */ - asn1_delete_structure(&c2); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return 0; /* no certificates */ - } + result = asn1_number_of_elements(c2, "certificates", &count); + + asn1_delete_structure(&c2); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return 0; /* no certificates */ + } + + return count; - return count; - } /** @@ -391,14 +401,16 @@ int gnutls_pkcs7_get_crt_count(gnutls_pkcs7 pkcs7) * 0 on success. * **/ -int gnutls_pkcs7_export( gnutls_pkcs7 pkcs7, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size) +int gnutls_pkcs7_export(gnutls_pkcs7 pkcs7, + gnutls_x509_crt_fmt format, void *output_data, + size_t * output_data_size) { - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - return _gnutls_x509_export_int( pkcs7->pkcs7, format, PEM_PKCS7, *output_data_size, - output_data, output_data_size); + return _gnutls_x509_export_int(pkcs7->pkcs7, format, PEM_PKCS7, + *output_data_size, output_data, + output_data_size); } /* Creates an empty signed data structure in the pkcs7 @@ -406,68 +418,72 @@ int gnutls_pkcs7_export( gnutls_pkcs7 pkcs7, */ static int create_empty_signed_data(ASN1_TYPE pkcs7, ASN1_TYPE * sdata) { - uint8 one = 1; - int result; - - *sdata = ASN1_TYPE_EMPTY; - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-SignedData", sdata)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Use version 1 - */ - result = asn1_write_value( *sdata, "version", &one, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Use no digest algorithms - */ - - /* id-data */ - result = asn1_write_value( *sdata, "encapContentInfo.eContentType", "1.2.840.113549.1.7.5", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value( *sdata, "encapContentInfo.eContent", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Add no certificates. - */ - - /* Add no crls. - */ - - /* Add no signerInfos. - */ - - /* Write the content type of the signed data - */ - result = asn1_write_value(pkcs7, "contentType", SIGNED_DATA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - return 0; - - cleanup: - asn1_delete_structure( sdata); - return result; + uint8 one = 1; + int result; + + *sdata = ASN1_TYPE_EMPTY; + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-7-SignedData", + sdata)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Use version 1 + */ + result = asn1_write_value(*sdata, "version", &one, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Use no digest algorithms + */ + + /* id-data */ + result = + asn1_write_value(*sdata, "encapContentInfo.eContentType", + "1.2.840.113549.1.7.5", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(*sdata, "encapContentInfo.eContent", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Add no certificates. + */ + + /* Add no crls. + */ + + /* Add no signerInfos. + */ + + /* Write the content type of the signed data + */ + result = asn1_write_value(pkcs7, "contentType", SIGNED_DATA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + return 0; + + cleanup: + asn1_delete_structure(sdata); + return result; } @@ -480,76 +496,80 @@ static int create_empty_signed_data(ASN1_TYPE pkcs7, ASN1_TYPE * sdata) * Returns 0 on success. * **/ -int gnutls_pkcs7_set_crt_raw(gnutls_pkcs7 pkcs7, - const gnutls_datum* crt) +int gnutls_pkcs7_set_crt_raw(gnutls_pkcs7 pkcs7, const gnutls_datum * crt) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, NULL); - if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - return result; - } - - /* If the signed data are uninitialized - * then create them. - */ - if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) { - /* The pkcs7 structure is new, so create the - * signedData. - */ - result = create_empty_signed_data( pkcs7->pkcs7, &c2); - if (result < 0) { - gnutls_assert(); - return result; - } - } - - /* Step 2. Append the new certificate. - */ + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; - result = asn1_write_value(c2, "certificates", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value(c2, "certificates.?LAST", "certificate", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - result = asn1_write_value(c2, "certificates.?LAST.certificate", crt->data, crt->size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + return result; + } - /* Step 3. Replace the old content with the new + /* If the signed data are uninitialized + * then create them. + */ + if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) { + /* The pkcs7 structure is new, so create the + * signedData. */ - result = _gnutls_x509_der_encode_and_copy( c2, "", pkcs7->pkcs7, "content", 0); + result = create_empty_signed_data(pkcs7->pkcs7, &c2); if (result < 0) { - gnutls_assert(); - goto cleanup; - } - + gnutls_assert(); + return result; + } + } + + /* Step 2. Append the new certificate. + */ + + result = asn1_write_value(c2, "certificates", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_write_value(c2, "certificates.?LAST", "certificate", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(c2, "certificates.?LAST.certificate", crt->data, + crt->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, "content", + 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + cleanup: + if (c2) asn1_delete_structure(&c2); - - return 0; - - cleanup: - if (c2) asn1_delete_structure(&c2); - return result; + return result; } /** @@ -563,31 +583,30 @@ int gnutls_pkcs7_set_crt_raw(gnutls_pkcs7 pkcs7, * Returns 0 on success. * **/ -int gnutls_pkcs7_set_crt(gnutls_pkcs7 pkcs7, - gnutls_x509_crt crt) +int gnutls_pkcs7_set_crt(gnutls_pkcs7 pkcs7, gnutls_x509_crt crt) { - int ret; - gnutls_datum data; + int ret; + gnutls_datum data; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = _gnutls_x509_der_encode( crt->cert, "", &data, 0); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = gnutls_pkcs7_set_crt_raw( pkcs7, &data); + ret = _gnutls_x509_der_encode(crt->cert, "", &data, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - _gnutls_free_datum( &data); + ret = gnutls_pkcs7_set_crt_raw(pkcs7, &data); - if (ret < 0) { - gnutls_assert(); - return ret; - } + _gnutls_free_datum(&data); - return 0; + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } @@ -602,51 +621,54 @@ int gnutls_pkcs7_set_crt(gnutls_pkcs7 pkcs7, **/ int gnutls_pkcs7_delete_crt(gnutls_pkcs7 pkcs7, int indx) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - char counter[MAX_INT_DIGITS]; - char root2[64]; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. Decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 2. Delete the certificate. - */ - - _gnutls_str_cpy( root2, sizeof(root2), "certificates.?"); - _gnutls_int2str( indx+1, counter); - _gnutls_str_cat( root2, sizeof(root2), counter); - - result = asn1_write_value(c2, root2, NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Step 3. Replace the old content with the new - */ - result = _gnutls_x509_der_encode_and_copy( c2, "", pkcs7->pkcs7, "content", 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + char counter[MAX_INT_DIGITS]; + char root2[64]; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. Decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 2. Delete the certificate. + */ + + _gnutls_str_cpy(root2, sizeof(root2), "certificates.?"); + _gnutls_int2str(indx + 1, counter); + _gnutls_str_cat(root2, sizeof(root2), counter); + + result = asn1_write_value(c2, root2, NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, "content", + 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + cleanup: + if (c2) asn1_delete_structure(&c2); - - return 0; - - cleanup: - if (c2) asn1_delete_structure(&c2); - return result; + return result; } /* Read and write CRLs @@ -667,65 +689,66 @@ int gnutls_pkcs7_delete_crt(gnutls_pkcs7 pkcs7, int indx) * will be returned. * **/ -int gnutls_pkcs7_get_crl_raw(gnutls_pkcs7 pkcs7, - int indx, void* crl, size_t* crl_size) +int gnutls_pkcs7_get_crl_raw(gnutls_pkcs7 pkcs7, + int indx, void *crl, size_t * crl_size) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - char root2[64]; - char counter[MAX_INT_DIGITS]; - gnutls_datum tmp = {NULL, 0}; - int start, end; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + char root2[64]; + char counter[MAX_INT_DIGITS]; + gnutls_datum tmp = { NULL, 0 }; + int start, end; + + if (pkcs7 == NULL || crl_size == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, &tmp); + if (result < 0) { + gnutls_assert(); + return result; + } - if (pkcs7==NULL || crl_size == NULL) - return GNUTLS_E_INVALID_REQUEST; + /* Step 2. Parse the CertificateSet + */ - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, &tmp); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 2. Parse the CertificateSet - */ - - _gnutls_str_cpy( root2, sizeof(root2), "crls.?"); - _gnutls_int2str( indx+1, counter); - _gnutls_str_cat( root2, sizeof(root2), counter); + _gnutls_str_cpy(root2, sizeof(root2), "crls.?"); + _gnutls_int2str(indx + 1, counter); + _gnutls_str_cat(root2, sizeof(root2), counter); - /* Get the raw CRL - */ - result = asn1_der_decoding_startEnd(c2, tmp.data, tmp.size, - root2, &start, &end); + /* Get the raw CRL + */ + result = asn1_der_decoding_startEnd(c2, tmp.data, tmp.size, + root2, &start, &end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - end = end-start+1; - - if ( (uint)end > *crl_size) { - *crl_size = end; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto cleanup; - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - if (crl) - memcpy( crl, &tmp.data[start], end); + end = end - start + 1; + if ((uint) end > *crl_size) { *crl_size = end; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto cleanup; + } - result = 0; + if (crl) + memcpy(crl, &tmp.data[start], end); - cleanup: - _gnutls_free_datum( &tmp); - if (c2) asn1_delete_structure(&c2); - return result; + *crl_size = end; + + result = 0; + + cleanup: + _gnutls_free_datum(&tmp); + if (c2) + asn1_delete_structure(&c2); + return result; } /** @@ -740,33 +763,33 @@ int gnutls_pkcs7_get_crl_raw(gnutls_pkcs7 pkcs7, **/ int gnutls_pkcs7_get_crl_count(gnutls_pkcs7 pkcs7) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, count; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, count; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; - } + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } - /* Step 2. Count the CertificateSet */ - - result = asn1_number_of_elements( c2, "crls", &count); + /* Step 2. Count the CertificateSet */ - asn1_delete_structure(&c2); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return 0; /* no crls */ - } + result = asn1_number_of_elements(c2, "crls", &count); + + asn1_delete_structure(&c2); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return 0; /* no crls */ + } + + return count; - return count; - } /** @@ -778,69 +801,71 @@ int gnutls_pkcs7_get_crl_count(gnutls_pkcs7 pkcs7) * Returns 0 on success. * **/ -int gnutls_pkcs7_set_crl_raw(gnutls_pkcs7 pkcs7, - const gnutls_datum* crl) +int gnutls_pkcs7_set_crl_raw(gnutls_pkcs7 pkcs7, const gnutls_datum * crl) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, NULL); - if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - return result; - } + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - /* If the signed data are uninitialized - * then create them. - */ - if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) { - /* The pkcs7 structure is new, so create the - * signedData. - */ - result = create_empty_signed_data( pkcs7->pkcs7, &c2); - if (result < 0) { - gnutls_assert(); - return result; - } - } - - /* Step 2. Append the new crl. - */ - - result = asn1_write_value(c2, "crls", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value(c2, "crls.?LAST", crl->data, crl->size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + return result; + } - /* Step 3. Replace the old content with the new + /* If the signed data are uninitialized + * then create them. + */ + if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) { + /* The pkcs7 structure is new, so create the + * signedData. */ - result = _gnutls_x509_der_encode_and_copy( c2, "", pkcs7->pkcs7, "content", 0); + result = create_empty_signed_data(pkcs7->pkcs7, &c2); if (result < 0) { - gnutls_assert(); - goto cleanup; - } - + gnutls_assert(); + return result; + } + } + + /* Step 2. Append the new crl. + */ + + result = asn1_write_value(c2, "crls", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_write_value(c2, "crls.?LAST", crl->data, crl->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, "content", + 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + cleanup: + if (c2) asn1_delete_structure(&c2); - - return 0; - - cleanup: - if (c2) asn1_delete_structure(&c2); - return result; + return result; } /** @@ -854,28 +879,28 @@ int gnutls_pkcs7_set_crl_raw(gnutls_pkcs7 pkcs7, **/ int gnutls_pkcs7_set_crl(gnutls_pkcs7 pkcs7, gnutls_x509_crl crl) { - int ret; - gnutls_datum data; + int ret; + gnutls_datum data; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = _gnutls_x509_der_encode( crl->crl, "", &data, 0); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_x509_der_encode(crl->crl, "", &data, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_pkcs7_set_crl_raw( pkcs7, &data); - - _gnutls_free_datum( &data); - - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_pkcs7_set_crl_raw(pkcs7, &data); - return 0; + _gnutls_free_datum(&data); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } /** @@ -889,51 +914,54 @@ int gnutls_pkcs7_set_crl(gnutls_pkcs7 pkcs7, gnutls_x509_crl crl) **/ int gnutls_pkcs7_delete_crl(gnutls_pkcs7 pkcs7, int indx) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - char counter[MAX_INT_DIGITS]; - char root2[64]; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. Decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 2. Delete the crl. - */ - - _gnutls_str_cpy( root2, sizeof(root2), "crls.?"); - _gnutls_int2str( indx+1, counter); - _gnutls_str_cat( root2, sizeof(root2), counter); - - result = asn1_write_value(c2, root2, NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Step 3. Replace the old content with the new - */ - result = _gnutls_x509_der_encode_and_copy( c2, "", pkcs7->pkcs7, "content", 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + char counter[MAX_INT_DIGITS]; + char root2[64]; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. Decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 2. Delete the crl. + */ + + _gnutls_str_cpy(root2, sizeof(root2), "crls.?"); + _gnutls_int2str(indx + 1, counter); + _gnutls_str_cat(root2, sizeof(root2), counter); + + result = asn1_write_value(c2, root2, NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, "content", + 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + cleanup: + if (c2) asn1_delete_structure(&c2); - - return 0; - - cleanup: - if (c2) asn1_delete_structure(&c2); - return result; + return result; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index 74a2eb23ec..73d7d69863 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -36,8 +36,8 @@ #include <dsa.h> #include <verify.h> -static int _encode_rsa( ASN1_TYPE* c2, mpi_t* params); -static int _encode_dsa( ASN1_TYPE* c2, mpi_t* params); +static int _encode_rsa(ASN1_TYPE * c2, mpi_t * params); +static int _encode_dsa(ASN1_TYPE * c2, mpi_t * params); /** * gnutls_x509_privkey_init - This function initializes a gnutls_crl structure @@ -50,15 +50,15 @@ static int _encode_dsa( ASN1_TYPE* c2, mpi_t* params); **/ int gnutls_x509_privkey_init(gnutls_x509_privkey * key) { - *key = gnutls_calloc( 1, sizeof(gnutls_x509_privkey_int)); + *key = gnutls_calloc(1, sizeof(gnutls_x509_privkey_int)); - if (*key) { - (*key)->key = ASN1_TYPE_EMPTY; - (*key)->pk_algorithm = GNUTLS_PK_UNKNOWN; - return 0; /* success */ - } + if (*key) { + (*key)->key = ASN1_TYPE_EMPTY; + (*key)->pk_algorithm = GNUTLS_PK_UNKNOWN; + return 0; /* success */ + } - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_MEMORY_ERROR; } /** @@ -70,16 +70,17 @@ int gnutls_x509_privkey_init(gnutls_x509_privkey * key) **/ void gnutls_x509_privkey_deinit(gnutls_x509_privkey key) { -int i; + int i; - if (!key) return; + if (!key) + return; - for (i = 0; i < key->params_size; i++) { - _gnutls_mpi_release( &key->params[i]); - } + for (i = 0; i < key->params_size; i++) { + _gnutls_mpi_release(&key->params[i]); + } - asn1_delete_structure(&key->key); - gnutls_free(key); + asn1_delete_structure(&key->key); + gnutls_free(key); } /** @@ -90,211 +91,216 @@ int i; * This function will copy a private key from source to destination key. * **/ -int gnutls_x509_privkey_cpy(gnutls_x509_privkey dst, gnutls_x509_privkey src) +int gnutls_x509_privkey_cpy(gnutls_x509_privkey dst, + gnutls_x509_privkey src) { -int i, ret; + int i, ret; - if (!src || !dst) return GNUTLS_E_INVALID_REQUEST; + if (!src || !dst) + return GNUTLS_E_INVALID_REQUEST; - for (i = 0; i < src->params_size; i++) { - dst->params[i] = _gnutls_mpi_copy( src->params[i]); - if (dst->params[i] == NULL) return GNUTLS_E_MEMORY_ERROR; - } + for (i = 0; i < src->params_size; i++) { + dst->params[i] = _gnutls_mpi_copy(src->params[i]); + if (dst->params[i] == NULL) + return GNUTLS_E_MEMORY_ERROR; + } - dst->params_size = src->params_size; - dst->pk_algorithm = src->pk_algorithm; - dst->crippled = src->crippled; - - if (!src->crippled) { - switch( dst->pk_algorithm) { - case GNUTLS_PK_DSA: - ret = _encode_dsa( &dst->key, dst->params); - if (ret < 0) { - gnutls_assert(); - return ret; - } - break; - case GNUTLS_PK_RSA: - ret = _encode_rsa( &dst->key, dst->params); - if (ret < 0) { - gnutls_assert(); - return ret; - } - break; - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + dst->params_size = src->params_size; + dst->pk_algorithm = src->pk_algorithm; + dst->crippled = src->crippled; + + if (!src->crippled) { + switch (dst->pk_algorithm) { + case GNUTLS_PK_DSA: + ret = _encode_dsa(&dst->key, dst->params); + if (ret < 0) { + gnutls_assert(); + return ret; + } + break; + case GNUTLS_PK_RSA: + ret = _encode_rsa(&dst->key, dst->params); + if (ret < 0) { + gnutls_assert(); + return ret; + } + break; + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } + } - return 0; + return 0; } /* Converts an RSA PKCS#1 key to * an internal structure (gnutls_private_key) */ -ASN1_TYPE _gnutls_privkey_decode_pkcs1_rsa_key( const gnutls_datum *raw_key, - gnutls_x509_privkey pkey) +ASN1_TYPE _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum * + raw_key, + gnutls_x509_privkey pkey) { - int result; - ASN1_TYPE pkey_asn; - - if ((result = - asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.RSAPrivateKey", &pkey_asn - )) != ASN1_SUCCESS) { - gnutls_assert(); - return NULL; - } - - if ((sizeof(pkey->params) / sizeof(mpi_t)) < RSA_PRIVATE_PARAMS) { - gnutls_assert(); - /* internal error. Increase the mpi_ts in params */ - return NULL; - } - - result = asn1_der_decoding(&pkey_asn, raw_key->data, raw_key->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(pkey_asn, "modulus", - &pkey->params[0])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = - _gnutls_x509_read_int(pkey_asn, "publicExponent", - &pkey->params[1])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = - _gnutls_x509_read_int(pkey_asn, "privateExponent", - &pkey->params[2])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(pkey_asn, "prime1", - &pkey->params[3])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(pkey_asn, "prime2", - &pkey->params[4])) < 0) { - gnutls_assert(); - goto error; - } - + int result; + ASN1_TYPE pkey_asn; + + if ((result = + asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.RSAPrivateKey", + &pkey_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return NULL; + } + + if ((sizeof(pkey->params) / sizeof(mpi_t)) < RSA_PRIVATE_PARAMS) { + gnutls_assert(); + /* internal error. Increase the mpi_ts in params */ + return NULL; + } + + result = + asn1_der_decoding(&pkey_asn, raw_key->data, raw_key->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(pkey_asn, "modulus", + &pkey->params[0])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = + _gnutls_x509_read_int(pkey_asn, "publicExponent", + &pkey->params[1])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = + _gnutls_x509_read_int(pkey_asn, "privateExponent", + &pkey->params[2])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(pkey_asn, "prime1", + &pkey->params[3])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(pkey_asn, "prime2", + &pkey->params[4])) < 0) { + gnutls_assert(); + goto error; + } #if 1 - /* Calculate the coefficient. This is because the gcrypt - * library is uses the p,q in the reverse order. - */ - pkey->params[5] = - _gnutls_mpi_snew(_gnutls_mpi_get_nbits(pkey->params[0])); - - if (pkey->params[5] == NULL) { - gnutls_assert(); - goto error; - } - - _gnutls_mpi_invm(pkey->params[5], pkey->params[3], pkey->params[4]); - /* p, q */ + /* Calculate the coefficient. This is because the gcrypt + * library is uses the p,q in the reverse order. + */ + pkey->params[5] = + _gnutls_mpi_snew(_gnutls_mpi_get_nbits(pkey->params[0])); + + if (pkey->params[5] == NULL) { + gnutls_assert(); + goto error; + } + + _gnutls_mpi_invm(pkey->params[5], pkey->params[3], pkey->params[4]); + /* p, q */ #else - if ( (result=_gnutls_x509_read_int( pkey_asn, "coefficient", - &pkey->params[5])) < 0) { - gnutls_assert(); - goto error; - } + if ((result = _gnutls_x509_read_int(pkey_asn, "coefficient", + &pkey->params[5])) < 0) { + gnutls_assert(); + goto error; + } #endif - pkey->params_size = 6; + pkey->params_size = 6; - return pkey_asn; + return pkey_asn; - error: - asn1_delete_structure(&pkey_asn); - _gnutls_mpi_release(&pkey->params[0]); - _gnutls_mpi_release(&pkey->params[1]); - _gnutls_mpi_release(&pkey->params[2]); - _gnutls_mpi_release(&pkey->params[3]); - _gnutls_mpi_release(&pkey->params[4]); - _gnutls_mpi_release(&pkey->params[5]); - return NULL; + error: + asn1_delete_structure(&pkey_asn); + _gnutls_mpi_release(&pkey->params[0]); + _gnutls_mpi_release(&pkey->params[1]); + _gnutls_mpi_release(&pkey->params[2]); + _gnutls_mpi_release(&pkey->params[3]); + _gnutls_mpi_release(&pkey->params[4]); + _gnutls_mpi_release(&pkey->params[5]); + return NULL; } -static ASN1_TYPE decode_dsa_key( const gnutls_datum* raw_key, - gnutls_x509_privkey pkey) +static ASN1_TYPE decode_dsa_key(const gnutls_datum * raw_key, + gnutls_x509_privkey pkey) { - int result; - ASN1_TYPE dsa_asn; - - if ((result = - asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.DSAPrivateKey", &dsa_asn - )) != ASN1_SUCCESS) { - gnutls_assert(); - return NULL; - } - - if ((sizeof(pkey->params) / sizeof(mpi_t)) < DSA_PRIVATE_PARAMS) { - gnutls_assert(); - /* internal error. Increase the mpi_ts in params */ - return NULL; - } - - result = asn1_der_decoding(&dsa_asn, raw_key->data, raw_key->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(dsa_asn, "p", - &pkey->params[0])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(dsa_asn, "q", - &pkey->params[1])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(dsa_asn, "g", - &pkey->params[2])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(dsa_asn, "Y", - &pkey->params[3])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(dsa_asn, "priv", - &pkey->params[4])) < 0) { - gnutls_assert(); - goto error; - } - pkey->params_size = 5; - - return dsa_asn; - - error: - asn1_delete_structure(&dsa_asn); - _gnutls_mpi_release(&pkey->params[0]); - _gnutls_mpi_release(&pkey->params[1]); - _gnutls_mpi_release(&pkey->params[2]); - _gnutls_mpi_release(&pkey->params[3]); - _gnutls_mpi_release(&pkey->params[4]); - return NULL; + int result; + ASN1_TYPE dsa_asn; + + if ((result = + asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.DSAPrivateKey", + &dsa_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return NULL; + } + + if ((sizeof(pkey->params) / sizeof(mpi_t)) < DSA_PRIVATE_PARAMS) { + gnutls_assert(); + /* internal error. Increase the mpi_ts in params */ + return NULL; + } + + result = + asn1_der_decoding(&dsa_asn, raw_key->data, raw_key->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(dsa_asn, "p", + &pkey->params[0])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(dsa_asn, "q", + &pkey->params[1])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(dsa_asn, "g", + &pkey->params[2])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(dsa_asn, "Y", + &pkey->params[3])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(dsa_asn, "priv", + &pkey->params[4])) < 0) { + gnutls_assert(); + goto error; + } + pkey->params_size = 5; + + return dsa_asn; + + error: + asn1_delete_structure(&dsa_asn); + _gnutls_mpi_release(&pkey->params[0]); + _gnutls_mpi_release(&pkey->params[1]); + _gnutls_mpi_release(&pkey->params[2]); + _gnutls_mpi_release(&pkey->params[3]); + _gnutls_mpi_release(&pkey->params[4]); + return NULL; } @@ -317,94 +323,100 @@ static ASN1_TYPE decode_dsa_key( const gnutls_datum* raw_key, * Returns 0 on success. * **/ -int gnutls_x509_privkey_import(gnutls_x509_privkey key, const gnutls_datum * data, - gnutls_x509_crt_fmt format) +int gnutls_x509_privkey_import(gnutls_x509_privkey key, + const gnutls_datum * data, + gnutls_x509_crt_fmt format) { - int result = 0, need_free = 0; - gnutls_datum _data; + int result = 0, need_free = 0; + gnutls_datum _data; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + _data.data = data->data; + _data.size = data->size; + + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; - if (key == NULL) { + /* Try the first header */ + result = + _gnutls_fbase64_decode(PEM_KEY_RSA, data->data, data->size, + &out); + key->pk_algorithm = GNUTLS_PK_RSA; + + if (result <= 0) { + /* try for the second header */ + result = + _gnutls_fbase64_decode(PEM_KEY_DSA, data->data, data->size, + &out); + key->pk_algorithm = GNUTLS_PK_DSA; + + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + return result; + } } - - _data.data = data->data; - _data.size = data->size; - key->pk_algorithm = GNUTLS_PK_UNKNOWN; + _data.data = out; + _data.size = result; - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - /* Try the first header */ - result = _gnutls_fbase64_decode(PEM_KEY_RSA, data->data, data->size, - &out); - key->pk_algorithm = GNUTLS_PK_RSA; - - if (result <= 0) { - /* try for the second header */ - result = _gnutls_fbase64_decode(PEM_KEY_DSA, data->data, data->size, - &out); - key->pk_algorithm = GNUTLS_PK_DSA; - - if (result <= 0) { - if (result==0) result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - } - - _data.data = out; - _data.size = result; - - need_free = 1; + need_free = 1; + } + + if (key->pk_algorithm == GNUTLS_PK_RSA) { + key->key = _gnutls_privkey_decode_pkcs1_rsa_key(&_data, key); + if (key->key == NULL) { + gnutls_assert(); + result = GNUTLS_E_ASN1_DER_ERROR; + goto cleanup; } + } else if (key->pk_algorithm == GNUTLS_PK_DSA) { + key->key = decode_dsa_key(&_data, key); + if (key->key == NULL) { + gnutls_assert(); + result = GNUTLS_E_ASN1_DER_ERROR; + goto cleanup; + } + } else { + /* Try decoding with both, and accept the one that + * succeeds. + */ + key->pk_algorithm = GNUTLS_PK_DSA; + key->key = decode_dsa_key(&_data, key); - if (key->pk_algorithm == GNUTLS_PK_RSA) { - key->key = _gnutls_privkey_decode_pkcs1_rsa_key( &_data, key); - if (key->key == NULL) { - gnutls_assert(); - result = GNUTLS_E_ASN1_DER_ERROR; - goto cleanup; - } - } else if (key->pk_algorithm == GNUTLS_PK_DSA) { - key->key = decode_dsa_key( &_data, key); - if (key->key == NULL) { - gnutls_assert(); - result = GNUTLS_E_ASN1_DER_ERROR; - goto cleanup; - } - } else { - /* Try decoding with both, and accept the one that - * succeeds. - */ - key->pk_algorithm = GNUTLS_PK_DSA; - key->key = decode_dsa_key( &_data, key); - - if (key->key == NULL) { - key->pk_algorithm = GNUTLS_PK_RSA; - key->key = _gnutls_privkey_decode_pkcs1_rsa_key( &_data, key); - if (key->key == NULL) { - gnutls_assert(); - result = GNUTLS_E_ASN1_DER_ERROR; - goto cleanup; - } - } + if (key->key == NULL) { + key->pk_algorithm = GNUTLS_PK_RSA; + key->key = _gnutls_privkey_decode_pkcs1_rsa_key(&_data, key); + if (key->key == NULL) { + gnutls_assert(); + result = GNUTLS_E_ASN1_DER_ERROR; + goto cleanup; + } } + } - if (need_free) _gnutls_free_datum( &_data); + if (need_free) + _gnutls_free_datum(&_data); - /* The key has now been decoded. - */ + /* The key has now been decoded. + */ - return 0; + return 0; - cleanup: - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - if (need_free) _gnutls_free_datum( &_data); - return result; + cleanup: + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + if (need_free) + _gnutls_free_datum(&_data); + return result; } #define FREE_RSA_PRIVATE_PARAMS for (i=0;i<RSA_PRIVATE_PARAMS;i++) \ @@ -426,74 +438,77 @@ int gnutls_x509_privkey_import(gnutls_x509_privkey key, const gnutls_datum * dat * to the native gnutls_x509_privkey format. The output will be stored in @key. * **/ -int gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey key, - const gnutls_datum* m, const gnutls_datum* e, - const gnutls_datum* d, const gnutls_datum* p, - const gnutls_datum* q, const gnutls_datum* u) +int gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey key, + const gnutls_datum * m, + const gnutls_datum * e, + const gnutls_datum * d, + const gnutls_datum * p, + const gnutls_datum * q, + const gnutls_datum * u) { - int i = 0, ret; - size_t siz = 0; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - siz = m->size; - if (_gnutls_mpi_scan(&key->params[0], m->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = e->size; - if (_gnutls_mpi_scan(&key->params[1], e->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = d->size; - if (_gnutls_mpi_scan(&key->params[2], d->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = p->size; - if (_gnutls_mpi_scan(&key->params[3], p->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = q->size; - if (_gnutls_mpi_scan(&key->params[4], q->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = u->size; - if (_gnutls_mpi_scan(&key->params[5], u->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - if (!key->crippled) { - ret = _encode_rsa( &key->key, key->params); - if (ret < 0) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return ret; - } + int i = 0, ret; + size_t siz = 0; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + siz = m->size; + if (_gnutls_mpi_scan(&key->params[0], m->data, &siz)) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = e->size; + if (_gnutls_mpi_scan(&key->params[1], e->data, &siz)) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = d->size; + if (_gnutls_mpi_scan(&key->params[2], d->data, &siz)) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = p->size; + if (_gnutls_mpi_scan(&key->params[3], p->data, &siz)) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = q->size; + if (_gnutls_mpi_scan(&key->params[4], q->data, &siz)) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = u->size; + if (_gnutls_mpi_scan(&key->params[5], u->data, &siz)) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + if (!key->crippled) { + ret = _encode_rsa(&key->key, key->params); + if (ret < 0) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return ret; } + } - key->params_size = RSA_PRIVATE_PARAMS; - key->pk_algorithm = GNUTLS_PK_RSA; + key->params_size = RSA_PRIVATE_PARAMS; + key->pk_algorithm = GNUTLS_PK_RSA; - return 0; + return 0; } @@ -510,67 +525,69 @@ int gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey key, * to the native gnutls_x509_privkey format. The output will be stored in @key. * **/ -int gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey key, - const gnutls_datum* p, const gnutls_datum* q, - const gnutls_datum* g, const gnutls_datum* y, - const gnutls_datum* x) +int gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey key, + const gnutls_datum * p, + const gnutls_datum * q, + const gnutls_datum * g, + const gnutls_datum * y, + const gnutls_datum * x) { - int i = 0, ret; - size_t siz = 0; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - siz = p->size; - if (_gnutls_mpi_scan(&key->params[0], p->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = q->size; - if (_gnutls_mpi_scan(&key->params[1], q->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = g->size; - if (_gnutls_mpi_scan(&key->params[2], g->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = y->size; - if (_gnutls_mpi_scan(&key->params[3], y->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = x->size; - if (_gnutls_mpi_scan(&key->params[4], x->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - if (!key->crippled) { - ret = _encode_dsa( &key->key, key->params); - if (ret < 0) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return ret; - } + int i = 0, ret; + size_t siz = 0; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + siz = p->size; + if (_gnutls_mpi_scan(&key->params[0], p->data, &siz)) { + gnutls_assert(); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = q->size; + if (_gnutls_mpi_scan(&key->params[1], q->data, &siz)) { + gnutls_assert(); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = g->size; + if (_gnutls_mpi_scan(&key->params[2], g->data, &siz)) { + gnutls_assert(); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = y->size; + if (_gnutls_mpi_scan(&key->params[3], y->data, &siz)) { + gnutls_assert(); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = x->size; + if (_gnutls_mpi_scan(&key->params[4], x->data, &siz)) { + gnutls_assert(); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + if (!key->crippled) { + ret = _encode_dsa(&key->key, key->params); + if (ret < 0) { + gnutls_assert(); + FREE_DSA_PRIVATE_PARAMS; + return ret; } + } - key->params_size = DSA_PRIVATE_PARAMS; - key->pk_algorithm = GNUTLS_PK_DSA; + key->params_size = DSA_PRIVATE_PARAMS; + key->pk_algorithm = GNUTLS_PK_DSA; - return 0; + return 0; } @@ -586,14 +603,14 @@ int gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey key, * or a negative value on error. * **/ -int gnutls_x509_privkey_get_pk_algorithm( gnutls_x509_privkey key) +int gnutls_x509_privkey_get_pk_algorithm(gnutls_x509_privkey key) { - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return key->pk_algorithm; + return key->pk_algorithm; } @@ -618,48 +635,52 @@ int gnutls_x509_privkey_get_pk_algorithm( gnutls_x509_privkey key) * 0 on success. * **/ -int gnutls_x509_privkey_export( gnutls_x509_privkey key, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size) +int gnutls_x509_privkey_export(gnutls_x509_privkey key, + gnutls_x509_crt_fmt format, + void *output_data, + size_t * output_data_size) { - char * msg; - int ret; - - if (key == NULL) { + char *msg; + int ret; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (key->pk_algorithm == GNUTLS_PK_RSA) + msg = PEM_KEY_RSA; + else if (key->pk_algorithm == GNUTLS_PK_DSA) + msg = PEM_KEY_DSA; + else + msg = NULL; + + if (key->crippled) { /* encode the parameters on the fly. + */ + switch (key->pk_algorithm) { + case GNUTLS_PK_DSA: + ret = _encode_dsa(&key->key, key->params); + if (ret < 0) { gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (key->pk_algorithm == GNUTLS_PK_RSA) - msg = PEM_KEY_RSA; - else if (key->pk_algorithm == GNUTLS_PK_DSA) - msg = PEM_KEY_DSA; - else msg = NULL; - - if (key->crippled) { /* encode the parameters on the fly. - */ - switch( key->pk_algorithm) { - case GNUTLS_PK_DSA: - ret = _encode_dsa( &key->key, key->params); - if (ret < 0) { - gnutls_assert(); - return ret; - } - break; - case GNUTLS_PK_RSA: - ret = _encode_rsa( &key->key, key->params); - if (ret < 0) { - gnutls_assert(); - return ret; - } - break; - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + return ret; + } + break; + case GNUTLS_PK_RSA: + ret = _encode_rsa(&key->key, key->params); + if (ret < 0) { + gnutls_assert(); + return ret; + } + break; + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } + } - return _gnutls_x509_export_int( key->key, format, msg, *output_data_size, - output_data, output_data_size); + return _gnutls_x509_export_int(key->key, format, msg, + *output_data_size, output_data, + output_data_size); } /** @@ -678,74 +699,74 @@ int gnutls_x509_privkey_export( gnutls_x509_privkey key, * **/ int gnutls_x509_privkey_export_rsa_raw(gnutls_x509_privkey key, - gnutls_datum * m, gnutls_datum *e, - gnutls_datum *d, gnutls_datum *p, gnutls_datum* q, - gnutls_datum* u) + gnutls_datum * m, gnutls_datum * e, + gnutls_datum * d, gnutls_datum * p, + gnutls_datum * q, gnutls_datum * u) { -int ret; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_mpi_dprint(m, key->params[0]); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* E */ - ret = _gnutls_mpi_dprint(e, key->params[1]); - if (ret < 0) { - _gnutls_free_datum( m); - gnutls_assert(); - return ret; - } - - /* D */ - ret = _gnutls_mpi_dprint(d, key->params[2]); - if (ret < 0) { - _gnutls_free_datum( m); - _gnutls_free_datum( e); - gnutls_assert(); - return ret; - } - - /* P */ - ret = _gnutls_mpi_dprint(p, key->params[3]); - if (ret < 0) { - _gnutls_free_datum( m); - _gnutls_free_datum( d); - _gnutls_free_datum( e); - gnutls_assert(); - return ret; - } - - /* Q */ - ret = _gnutls_mpi_dprint(q, key->params[4]); - if (ret < 0) { - _gnutls_free_datum( m); - _gnutls_free_datum( d); - _gnutls_free_datum( e); - _gnutls_free_datum( p); - gnutls_assert(); - return ret; - } - - /* U */ - ret = _gnutls_mpi_dprint(u, key->params[5]); - if (ret < 0) { - _gnutls_free_datum( m); - _gnutls_free_datum( d); - _gnutls_free_datum( e); - _gnutls_free_datum( p); - _gnutls_free_datum( q); - gnutls_assert(); - return ret; - } - - return 0; + int ret; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_mpi_dprint(m, key->params[0]); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* E */ + ret = _gnutls_mpi_dprint(e, key->params[1]); + if (ret < 0) { + _gnutls_free_datum(m); + gnutls_assert(); + return ret; + } + + /* D */ + ret = _gnutls_mpi_dprint(d, key->params[2]); + if (ret < 0) { + _gnutls_free_datum(m); + _gnutls_free_datum(e); + gnutls_assert(); + return ret; + } + + /* P */ + ret = _gnutls_mpi_dprint(p, key->params[3]); + if (ret < 0) { + _gnutls_free_datum(m); + _gnutls_free_datum(d); + _gnutls_free_datum(e); + gnutls_assert(); + return ret; + } + + /* Q */ + ret = _gnutls_mpi_dprint(q, key->params[4]); + if (ret < 0) { + _gnutls_free_datum(m); + _gnutls_free_datum(d); + _gnutls_free_datum(e); + _gnutls_free_datum(p); + gnutls_assert(); + return ret; + } + + /* U */ + ret = _gnutls_mpi_dprint(u, key->params[5]); + if (ret < 0) { + _gnutls_free_datum(m); + _gnutls_free_datum(d); + _gnutls_free_datum(e); + _gnutls_free_datum(p); + _gnutls_free_datum(q); + gnutls_assert(); + return ret; + } + + return 0; } /** @@ -763,374 +784,373 @@ int ret; * **/ int gnutls_x509_privkey_export_dsa_raw(gnutls_x509_privkey key, - gnutls_datum * p, gnutls_datum *q, - gnutls_datum *g, gnutls_datum *y, gnutls_datum* x) + gnutls_datum * p, gnutls_datum * q, + gnutls_datum * g, gnutls_datum * y, + gnutls_datum * x) { -int ret; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* P */ - ret = _gnutls_mpi_dprint(p, key->params[0]); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* Q */ - ret = _gnutls_mpi_dprint(q, key->params[1]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - return ret; - } - - - /* G */ - ret = _gnutls_mpi_dprint(g, key->params[2]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - _gnutls_free_datum(q); - return ret; - } - - - /* Y */ - ret = _gnutls_mpi_dprint(y, key->params[3]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - _gnutls_free_datum(g); - _gnutls_free_datum(q); - return ret; - } - - /* X */ - ret = _gnutls_mpi_dprint(x, key->params[4]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(y); - _gnutls_free_datum(p); - _gnutls_free_datum(g); - _gnutls_free_datum(q); - return ret; - } - - return 0; + int ret; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* P */ + ret = _gnutls_mpi_dprint(p, key->params[0]); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* Q */ + ret = _gnutls_mpi_dprint(q, key->params[1]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + return ret; + } + + + /* G */ + ret = _gnutls_mpi_dprint(g, key->params[2]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + _gnutls_free_datum(q); + return ret; + } + + + /* Y */ + ret = _gnutls_mpi_dprint(y, key->params[3]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + _gnutls_free_datum(g); + _gnutls_free_datum(q); + return ret; + } + + /* X */ + ret = _gnutls_mpi_dprint(x, key->params[4]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(y); + _gnutls_free_datum(p); + _gnutls_free_datum(g); + _gnutls_free_datum(q); + return ret; + } + + return 0; } /* Encodes the RSA parameters into an ASN.1 RSA private key structure. */ -static int _encode_rsa( ASN1_TYPE* c2, mpi_t* params) +static int _encode_rsa(ASN1_TYPE * c2, mpi_t * params) { - int result, i; - size_t size[8], total; - opaque * m_data, *pube_data, *prie_data; - opaque* p1_data, *p2_data, *u_data, *exp1_data, *exp2_data; - opaque * all_data = NULL, *p; - mpi_t exp1 = NULL, exp2 = NULL, q1 = NULL, p1 = NULL; - opaque null = '\0'; - - /* Read all the sizes */ - total = 0; - for (i=0;i<6;i++) { - _gnutls_mpi_print_lz( NULL, &size[i], params[i]); - total += size[i]; - } - - /* Now generate exp1 and exp2 - */ - exp1 = _gnutls_mpi_salloc_like( params[0]); /* like modulus */ - if (exp1 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - exp2 = _gnutls_mpi_salloc_like( params[0]); - if (exp2 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - q1 = _gnutls_mpi_salloc_like( params[4]); - if (q1 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - p1 = _gnutls_mpi_salloc_like( params[3]); - if (p1 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - _gnutls_mpi_add_ui( p1, params[3], -1); - _gnutls_mpi_add_ui( q1, params[4], -1); - - _gnutls_mpi_mod( exp1, params[2], p1); - _gnutls_mpi_mod( exp2, params[2], q1); - - - /* calculate exp's size */ - _gnutls_mpi_print_lz( NULL, &size[6], exp1); - total += size[6]; - - _gnutls_mpi_print_lz( NULL, &size[7], exp2); - total += size[7]; - - /* Encoding phase. - * allocate data enough to hold everything - */ - all_data = gnutls_secure_malloc( total); - if (all_data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - p = all_data; - m_data = p; p+= size[0]; - pube_data = p; p+= size[1]; - prie_data = p; p+= size[2]; - p1_data = p; p+= size[3]; - p2_data = p; p+= size[4]; - u_data = p; p+= size[5]; - exp1_data = p; p+= size[6]; - exp2_data = p; - - _gnutls_mpi_print_lz( m_data, &size[0], params[0]); - _gnutls_mpi_print_lz( pube_data, &size[1], params[1]); - _gnutls_mpi_print_lz( prie_data, &size[2], params[2]); - _gnutls_mpi_print_lz( p1_data, &size[3], params[3]); - _gnutls_mpi_print_lz( p2_data, &size[4], params[4]); - _gnutls_mpi_print_lz( u_data, &size[5], params[5]); - _gnutls_mpi_print_lz( exp1_data, &size[6], exp1); - _gnutls_mpi_print_lz( exp2_data, &size[7], exp2); - - /* Ok. Now we have the data. Create the asn1 structures - */ - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPrivateKey", c2)) - != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Write PRIME - */ - if ((result = asn1_write_value(*c2, "modulus", - m_data, size[0])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "publicExponent", - pube_data, size[1])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "privateExponent", - prie_data, size[2])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "prime1", - p1_data, size[3])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "prime2", - p2_data, size[4])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "exponent1", - exp1_data, size[6])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "exponent2", - exp2_data, size[7])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "coefficient", - u_data, size[5])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - gnutls_free(all_data); - - if ((result = asn1_write_value(*c2, "otherPrimeInfos", - NULL, 0)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "version", - &null, 1)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - return 0; - - cleanup: - _gnutls_mpi_release( &exp1); - _gnutls_mpi_release( &exp2); - _gnutls_mpi_release( &q1); - _gnutls_mpi_release( &p1); - asn1_delete_structure(c2); - gnutls_free( all_data); - - return result; + int result, i; + size_t size[8], total; + opaque *m_data, *pube_data, *prie_data; + opaque *p1_data, *p2_data, *u_data, *exp1_data, *exp2_data; + opaque *all_data = NULL, *p; + mpi_t exp1 = NULL, exp2 = NULL, q1 = NULL, p1 = NULL; + opaque null = '\0'; + + /* Read all the sizes */ + total = 0; + for (i = 0; i < 6; i++) { + _gnutls_mpi_print_lz(NULL, &size[i], params[i]); + total += size[i]; + } + + /* Now generate exp1 and exp2 + */ + exp1 = _gnutls_mpi_salloc_like(params[0]); /* like modulus */ + if (exp1 == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + exp2 = _gnutls_mpi_salloc_like(params[0]); + if (exp2 == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + q1 = _gnutls_mpi_salloc_like(params[4]); + if (q1 == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + p1 = _gnutls_mpi_salloc_like(params[3]); + if (p1 == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + _gnutls_mpi_add_ui(p1, params[3], -1); + _gnutls_mpi_add_ui(q1, params[4], -1); + + _gnutls_mpi_mod(exp1, params[2], p1); + _gnutls_mpi_mod(exp2, params[2], q1); + + + /* calculate exp's size */ + _gnutls_mpi_print_lz(NULL, &size[6], exp1); + total += size[6]; + + _gnutls_mpi_print_lz(NULL, &size[7], exp2); + total += size[7]; + + /* Encoding phase. + * allocate data enough to hold everything + */ + all_data = gnutls_secure_malloc(total); + if (all_data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + p = all_data; + m_data = p; + p += size[0]; + pube_data = p; + p += size[1]; + prie_data = p; + p += size[2]; + p1_data = p; + p += size[3]; + p2_data = p; + p += size[4]; + u_data = p; + p += size[5]; + exp1_data = p; + p += size[6]; + exp2_data = p; + + _gnutls_mpi_print_lz(m_data, &size[0], params[0]); + _gnutls_mpi_print_lz(pube_data, &size[1], params[1]); + _gnutls_mpi_print_lz(prie_data, &size[2], params[2]); + _gnutls_mpi_print_lz(p1_data, &size[3], params[3]); + _gnutls_mpi_print_lz(p2_data, &size[4], params[4]); + _gnutls_mpi_print_lz(u_data, &size[5], params[5]); + _gnutls_mpi_print_lz(exp1_data, &size[6], exp1); + _gnutls_mpi_print_lz(exp2_data, &size[7], exp2); + + /* Ok. Now we have the data. Create the asn1 structures + */ + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPrivateKey", c2)) + != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Write PRIME + */ + if ((result = asn1_write_value(*c2, "modulus", + m_data, size[0])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "publicExponent", + pube_data, size[1])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "privateExponent", + prie_data, size[2])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "prime1", + p1_data, size[3])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "prime2", + p2_data, size[4])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "exponent1", + exp1_data, size[6])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "exponent2", + exp2_data, size[7])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "coefficient", + u_data, size[5])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + gnutls_free(all_data); + + if ((result = asn1_write_value(*c2, "otherPrimeInfos", + NULL, 0)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "version", + &null, 1)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + return 0; + + cleanup: + _gnutls_mpi_release(&exp1); + _gnutls_mpi_release(&exp2); + _gnutls_mpi_release(&q1); + _gnutls_mpi_release(&p1); + asn1_delete_structure(c2); + gnutls_free(all_data); + + return result; } /* Encodes the DSA parameters into an ASN.1 DSAPrivateKey structure. */ -static int _encode_dsa( ASN1_TYPE* c2, mpi_t* params) +static int _encode_dsa(ASN1_TYPE * c2, mpi_t * params) { - int result, i; - size_t size[DSA_PRIVATE_PARAMS], total; - opaque* p_data, *q_data, *g_data, *x_data, *y_data; - opaque * all_data = NULL, *p; - opaque null = '\0'; - - /* Read all the sizes */ - total = 0; - for (i=0;i<DSA_PRIVATE_PARAMS;i++) { - _gnutls_mpi_print_lz( NULL, &size[i], params[i]); - total += size[i]; - } - - /* Encoding phase. - * allocate data enough to hold everything - */ - all_data = gnutls_secure_malloc( total); - if (all_data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - p = all_data; - p_data = p; p += size[0]; - q_data = p; p += size[1]; - g_data = p; p += size[2]; - y_data = p; p += size[3]; - x_data = p; - - _gnutls_mpi_print_lz( p_data, &size[0], params[0]); - _gnutls_mpi_print_lz( q_data, &size[1], params[1]); - _gnutls_mpi_print_lz( g_data, &size[2], params[2]); - _gnutls_mpi_print_lz( y_data, &size[3], params[3]); - _gnutls_mpi_print_lz( x_data, &size[4], params[4]); - - /* Ok. Now we have the data. Create the asn1 structures - */ - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPrivateKey", c2)) - != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Write PRIME - */ - if ((result = asn1_write_value(*c2, "p", - p_data, size[0])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "q", - q_data, size[1])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "g", - g_data, size[2])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "Y", - y_data, size[3])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "priv", - x_data, size[4])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - gnutls_free(all_data); - - if ((result = asn1_write_value(*c2, "version", - &null, 1)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - return 0; - - cleanup: - asn1_delete_structure(c2); - gnutls_free( all_data); - - return result; + int result, i; + size_t size[DSA_PRIVATE_PARAMS], total; + opaque *p_data, *q_data, *g_data, *x_data, *y_data; + opaque *all_data = NULL, *p; + opaque null = '\0'; + + /* Read all the sizes */ + total = 0; + for (i = 0; i < DSA_PRIVATE_PARAMS; i++) { + _gnutls_mpi_print_lz(NULL, &size[i], params[i]); + total += size[i]; + } + + /* Encoding phase. + * allocate data enough to hold everything + */ + all_data = gnutls_secure_malloc(total); + if (all_data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + p = all_data; + p_data = p; + p += size[0]; + q_data = p; + p += size[1]; + g_data = p; + p += size[2]; + y_data = p; + p += size[3]; + x_data = p; + + _gnutls_mpi_print_lz(p_data, &size[0], params[0]); + _gnutls_mpi_print_lz(q_data, &size[1], params[1]); + _gnutls_mpi_print_lz(g_data, &size[2], params[2]); + _gnutls_mpi_print_lz(y_data, &size[3], params[3]); + _gnutls_mpi_print_lz(x_data, &size[4], params[4]); + + /* Ok. Now we have the data. Create the asn1 structures + */ + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPrivateKey", c2)) + != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Write PRIME + */ + if ((result = asn1_write_value(*c2, "p", + p_data, size[0])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "q", + q_data, size[1])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "g", + g_data, size[2])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "Y", + y_data, size[3])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "priv", + x_data, size[4])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + gnutls_free(all_data); + + if ((result = asn1_write_value(*c2, "version", + &null, 1)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + return 0; + + cleanup: + asn1_delete_structure(c2); + gnutls_free(all_data); + + return result; } @@ -1147,69 +1167,70 @@ static int _encode_dsa( ASN1_TYPE* c2, mpi_t* params) * Returns 0 on success or a negative value on error. * **/ -int gnutls_x509_privkey_generate( gnutls_x509_privkey key, gnutls_pk_algorithm algo, - unsigned int bits, unsigned int flags) +int gnutls_x509_privkey_generate(gnutls_x509_privkey key, + gnutls_pk_algorithm algo, + unsigned int bits, unsigned int flags) { -int ret, params_len; -int i; + int ret, params_len; + int i; - if (key == NULL) { + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + switch (algo) { + case GNUTLS_PK_DSA: + ret = _gnutls_dsa_generate_params(key->params, ¶ms_len, bits); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + if (!key->crippled) { + ret = _encode_dsa(&key->key, key->params); + if (ret < 0) { gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + } + key->params_size = params_len; + key->pk_algorithm = GNUTLS_PK_DSA; + + break; + case GNUTLS_PK_RSA: + ret = _gnutls_rsa_generate_params(key->params, ¶ms_len, bits); + if (ret < 0) { + gnutls_assert(); + return ret; } - switch( algo) { - case GNUTLS_PK_DSA: - ret = _gnutls_dsa_generate_params( key->params, ¶ms_len, bits); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - if (!key->crippled) { - ret = _encode_dsa( &key->key, key->params); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - } - key->params_size = params_len; - key->pk_algorithm = GNUTLS_PK_DSA; - - break; - case GNUTLS_PK_RSA: - ret = _gnutls_rsa_generate_params( key->params, ¶ms_len, bits); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - if (!key->crippled) { - ret = _encode_rsa( &key->key, key->params); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - } - - key->params_size = params_len; - key->pk_algorithm = GNUTLS_PK_RSA; - - break; - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (!key->crippled) { + ret = _encode_rsa(&key->key, key->params); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } } - - return 0; - cleanup: - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - key->params_size = 0; - for (i=0;i<params_len;i++) - _gnutls_mpi_release(&key->params[i]); + key->params_size = params_len; + key->pk_algorithm = GNUTLS_PK_RSA; - return ret; + break; + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return 0; + + cleanup: + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + key->params_size = 0; + for (i = 0; i < params_len; i++) + _gnutls_mpi_release(&key->params[i]); + + return ret; } /** @@ -1231,56 +1252,63 @@ int i; * 0 on success. * **/ -int gnutls_x509_privkey_get_key_id( gnutls_x509_privkey key, unsigned int flags, - unsigned char* output_data, size_t* output_data_size) +int gnutls_x509_privkey_get_key_id(gnutls_x509_privkey key, + unsigned int flags, + unsigned char *output_data, + size_t * output_data_size) { -int result; -GNUTLS_HASH_HANDLE hd; -gnutls_datum der = { NULL, 0 }; + int result; + GNUTLS_HASH_HANDLE hd; + gnutls_datum der = { NULL, 0 }; - if (key == NULL || key->crippled) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL || key->crippled) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (*output_data_size < 20) { - gnutls_assert(); - *output_data_size = 20; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } + if (*output_data_size < 20) { + gnutls_assert(); + *output_data_size = 20; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - if (key->pk_algorithm == GNUTLS_PK_RSA) { - result = _gnutls_x509_write_rsa_params( key->params, key->params_size, &der); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } else if (key->pk_algorithm == GNUTLS_PK_DSA) { - result = _gnutls_x509_write_dsa_public_key( key->params, key->params_size, &der); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } else return GNUTLS_E_INTERNAL_ERROR; - - hd = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (hd == GNUTLS_HASH_FAILED) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; + if (key->pk_algorithm == GNUTLS_PK_RSA) { + result = + _gnutls_x509_write_rsa_params(key->params, key->params_size, + &der); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + } else if (key->pk_algorithm == GNUTLS_PK_DSA) { + result = + _gnutls_x509_write_dsa_public_key(key->params, + key->params_size, &der); + if (result < 0) { + gnutls_assert(); + goto cleanup; } - - _gnutls_hash( hd, der.data, der.size); + } else + return GNUTLS_E_INTERNAL_ERROR; - _gnutls_hash_deinit( hd, output_data); - *output_data_size = 20; + hd = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (hd == GNUTLS_HASH_FAILED) { + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; + } - result = 0; + _gnutls_hash(hd, der.data, der.size); -cleanup: - - _gnutls_free_datum( &der); - return result; + _gnutls_hash_deinit(hd, output_data); + *output_data_size = 20; + + result = 0; + + cleanup: + + _gnutls_free_datum(&der); + return result; } #ifdef ENABLE_PKI @@ -1306,36 +1334,38 @@ cleanup: * 0 on success. * **/ -int gnutls_x509_privkey_sign_data( gnutls_x509_privkey key, gnutls_digest_algorithm digest, - unsigned int flags, const gnutls_datum* data, - void* signature, size_t* signature_size) +int gnutls_x509_privkey_sign_data(gnutls_x509_privkey key, + gnutls_digest_algorithm digest, + unsigned int flags, + const gnutls_datum * data, + void *signature, size_t * signature_size) { -int result; -gnutls_datum sig = { NULL, 0 }; + int result; + gnutls_datum sig = { NULL, 0 }; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_sign( data, digest, key, &sig); - if (result < 0) { - gnutls_assert(); - return result; - } - - if (*signature_size < sig.size) { - *signature_size = sig.size; - _gnutls_free_datum( &sig); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - + result = _gnutls_x509_sign(data, digest, key, &sig); + if (result < 0) { + gnutls_assert(); + return result; + } + + if (*signature_size < sig.size) { *signature_size = sig.size; - memcpy( signature, sig.data, sig.size); - - _gnutls_free_datum( &sig); + _gnutls_free_datum(&sig); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - return 0; + *signature_size = sig.size; + memcpy(signature, sig.data, sig.size); + + _gnutls_free_datum(&sig); + + return 0; } /** @@ -1352,24 +1382,25 @@ gnutls_datum sig = { NULL, 0 }; * 1 on success. * **/ -int gnutls_x509_privkey_verify_data( gnutls_x509_privkey key, unsigned int flags, - const gnutls_datum* data, const gnutls_datum* signature) +int gnutls_x509_privkey_verify_data(gnutls_x509_privkey key, + unsigned int flags, + const gnutls_datum * data, + const gnutls_datum * signature) { -int result; + int result; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_privkey_verify_signature( data, signature, key); - if (result < 0) { - gnutls_assert(); - return 0; - } - - return result; + result = _gnutls_x509_privkey_verify_signature(data, signature, key); + if (result < 0) { + gnutls_assert(); + return 0; + } + + return result; } #endif - diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index 894be9f1b7..c0fe3fd663 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -54,16 +54,16 @@ #define PKCS12_PBE_RC2_40_SHA1_OID "1.2.840.113549.1.12.1.6" struct pbkdf2_params { - opaque salt[32]; - int salt_size; - unsigned int iter_count; - int key_size; + opaque salt[32]; + int salt_size; + unsigned int iter_count; + int key_size; }; struct pbe_enc_params { - gnutls_cipher_algorithm cipher; - opaque iv[8]; - int iv_size; + gnutls_cipher_algorithm cipher; + opaque iv[8]; + int iv_size; }; static int generate_key(schema_id schema, const char *password, @@ -82,18 +82,20 @@ static int decrypt_data(schema_id, ASN1_TYPE pkcs8_asn, const char *root, const struct pbe_enc_params *enc_params, gnutls_datum * decrypted_data); static int decode_private_key_info(const gnutls_datum * der, - gnutls_x509_privkey pkey, ASN1_TYPE* out); -static int write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, const char* where, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params); + gnutls_x509_privkey pkey, + ASN1_TYPE * out); +static int write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, + const char *where, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params); static int encrypt_data(const gnutls_datum * plain, const struct pbe_enc_params *enc_params, gnutls_datum * key, gnutls_datum * encrypted); static int read_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - struct pbkdf2_params *params); + struct pbkdf2_params *params); static int write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - const struct pbkdf2_params *params); + const struct pbkdf2_params *params); #define PEM_PKCS8 "ENCRYPTED PRIVATE KEY" #define PEM_UNENCRYPTED_PKCS8 "PRIVATE KEY" @@ -104,21 +106,22 @@ static int write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, inline static int check_schema(const char *oid) { - if (strcmp(oid, PBES2_OID) == 0) - return PBES2; + if (strcmp(oid, PBES2_OID) == 0) + return PBES2; - if (strcmp(oid, PKCS12_PBE_3DES_SHA1_OID) == 0) - return PKCS12_3DES_SHA1; + if (strcmp(oid, PKCS12_PBE_3DES_SHA1_OID) == 0) + return PKCS12_3DES_SHA1; - if (strcmp(oid, PKCS12_PBE_ARCFOUR_SHA1_OID) == 0) - return PKCS12_ARCFOUR_SHA1; + if (strcmp(oid, PKCS12_PBE_ARCFOUR_SHA1_OID) == 0) + return PKCS12_ARCFOUR_SHA1; - if (strcmp(oid, PKCS12_PBE_RC2_40_SHA1_OID) == 0) - return PKCS12_RC2_40_SHA1; + if (strcmp(oid, PKCS12_PBE_RC2_40_SHA1_OID) == 0) + return PKCS12_RC2_40_SHA1; - _gnutls_x509_log("PKCS encryption schema OID '%s' is unsupported.\n", oid); + _gnutls_x509_log("PKCS encryption schema OID '%s' is unsupported.\n", + oid); - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; } /* @@ -130,244 +133,243 @@ static int encode_to_private_key_info(gnutls_x509_privkey pkey, gnutls_datum * der, ASN1_TYPE * pkey_info) { - int result; - size_t size; - opaque *data = NULL; - opaque null = 0; - - if (pkey->pk_algorithm != GNUTLS_PK_RSA) { - gnutls_assert(); - return GNUTLS_E_UNIMPLEMENTED_FEATURE; - } - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-PrivateKeyInfo", - pkey_info)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the version. - */ - result = asn1_write_value(*pkey_info, "version", &null, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* write the privateKeyAlgorithm - * fields. (OID+NULL data) - */ - result = - asn1_write_value(*pkey_info, "privateKeyAlgorithm.algorithm", - PKIX1_RSA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = - asn1_write_value(*pkey_info, "privateKeyAlgorithm.parameters", - NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the raw private key - */ - size = 0; - result = - gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, NULL, - &size); - if (result != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - goto error; - } - - data = gnutls_alloca(size); - if (data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - - result = - gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, data, - &size); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = asn1_write_value(*pkey_info, "privateKey", data, size); - + int result; + size_t size; + opaque *data = NULL; + opaque null = 0; + + if (pkey->pk_algorithm != GNUTLS_PK_RSA) { + gnutls_assert(); + return GNUTLS_E_UNIMPLEMENTED_FEATURE; + } + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-8-PrivateKeyInfo", + pkey_info)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Write the version. + */ + result = asn1_write_value(*pkey_info, "version", &null, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* write the privateKeyAlgorithm + * fields. (OID+NULL data) + */ + result = + asn1_write_value(*pkey_info, "privateKeyAlgorithm.algorithm", + PKIX1_RSA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = + asn1_write_value(*pkey_info, "privateKeyAlgorithm.parameters", + NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Write the raw private key + */ + size = 0; + result = + gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, NULL, &size); + if (result != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + goto error; + } + + data = gnutls_alloca(size); + if (data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + + result = + gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, data, &size); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = asn1_write_value(*pkey_info, "privateKey", data, size); + + gnutls_afree(data); + data = NULL; + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Append an empty Attributes field. + */ + result = asn1_write_value(*pkey_info, "attributes", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* DER Encode the generated private key info. + */ + size = 0; + result = asn1_der_coding(*pkey_info, "", NULL, &size, NULL); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* allocate data for the der + */ + der->size = size; + der->data = gnutls_malloc(size); + if (der->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_der_coding(*pkey_info, "", der->data, &size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + return 0; + + error: + asn1_delete_structure(pkey_info); + if (data != NULL) { gnutls_afree(data); - data = NULL; - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Append an empty Attributes field. - */ - result = asn1_write_value(*pkey_info, "attributes", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* DER Encode the generated private key info. - */ - size = 0; - result = asn1_der_coding(*pkey_info, "", NULL, &size, NULL); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* allocate data for the der - */ - der->size = size; - der->data = gnutls_malloc(size); - if (der->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - result = asn1_der_coding(*pkey_info, "", der->data, &size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - return 0; - - error: - asn1_delete_structure(pkey_info); - if (data != NULL) { - gnutls_afree(data); - } - return result; + } + return result; } /* Converts a PKCS #8 private key info to * a PKCS #8 EncryptedPrivateKeyInfo. */ -static -int encode_to_pkcs8_key( schema_id schema, const gnutls_datum * der_key, - const char *password, ASN1_TYPE* out) +static +int encode_to_pkcs8_key(schema_id schema, const gnutls_datum * der_key, + const char *password, ASN1_TYPE * out) { - int result; - gnutls_datum key = { NULL, 0 }; - gnutls_datum tmp = { NULL, 0 }; - ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the encryption schema OID - */ - switch (schema) { - case PBES2: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PBES2_OID, 1); - break; - case PKCS12_3DES_SHA1: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PKCS12_PBE_3DES_SHA1_OID, 1); - break; - case PKCS12_ARCFOUR_SHA1: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PKCS12_PBE_ARCFOUR_SHA1_OID, 1); - break; - case PKCS12_RC2_40_SHA1: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PKCS12_PBE_RC2_40_SHA1_OID, 1); - break; - - } - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Generate a symmetric key. - */ - + int result; + gnutls_datum key = { NULL, 0 }; + gnutls_datum tmp = { NULL, 0 }; + ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Write the encryption schema OID + */ + switch (schema) { + case PBES2: result = - generate_key(schema, password, &kdf_params, &enc_params, &key); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = write_schema_params(schema, pkcs8_asn, "encryptionAlgorithm.parameters", - &kdf_params, &enc_params); - if (result < 0) { - gnutls_assert(); - goto error; - } - - /* Parameters have been encoded. Now - * encrypt the Data. - */ - result = encrypt_data( der_key, &enc_params, &key, &tmp); - if (result < 0) { - gnutls_assert(); - goto error; - } - - /* write the encrypted data. - */ + asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", + PBES2_OID, 1); + break; + case PKCS12_3DES_SHA1: result = - asn1_write_value(pkcs8_asn, "encryptedData", tmp.data, - tmp.size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - _gnutls_free_datum(&tmp); - _gnutls_free_datum(&key); - - *out = pkcs8_asn; - - return 0; - - error: - _gnutls_free_datum(&key); - _gnutls_free_datum(&tmp); - asn1_delete_structure(&pkcs8_asn); - return result; + asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", + PKCS12_PBE_3DES_SHA1_OID, 1); + break; + case PKCS12_ARCFOUR_SHA1: + result = + asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", + PKCS12_PBE_ARCFOUR_SHA1_OID, 1); + break; + case PKCS12_RC2_40_SHA1: + result = + asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", + PKCS12_PBE_RC2_40_SHA1_OID, 1); + break; + + } + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Generate a symmetric key. + */ + + result = + generate_key(schema, password, &kdf_params, &enc_params, &key); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = + write_schema_params(schema, pkcs8_asn, + "encryptionAlgorithm.parameters", &kdf_params, + &enc_params); + if (result < 0) { + gnutls_assert(); + goto error; + } + + /* Parameters have been encoded. Now + * encrypt the Data. + */ + result = encrypt_data(der_key, &enc_params, &key, &tmp); + if (result < 0) { + gnutls_assert(); + goto error; + } + + /* write the encrypted data. + */ + result = + asn1_write_value(pkcs8_asn, "encryptedData", tmp.data, tmp.size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + _gnutls_free_datum(&tmp); + _gnutls_free_datum(&key); + + *out = pkcs8_asn; + + return 0; + + error: + _gnutls_free_datum(&key); + _gnutls_free_datum(&tmp); + asn1_delete_structure(&pkcs8_asn); + return result; } @@ -404,68 +406,67 @@ int gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey key, const char *password, unsigned int flags, void *output_data, - size_t *output_data_size) + size_t * output_data_size) { - ASN1_TYPE pkcs8_asn, pkey_info; - int ret; - gnutls_datum tmp; - schema_id schema; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Get the private key info - * tmp holds the DER encoding. - */ - ret = encode_to_private_key_info(key, &tmp, &pkey_info); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ASN1_TYPE pkcs8_asn, pkey_info; + int ret; + gnutls_datum tmp; + schema_id schema; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Get the private key info + * tmp holds the DER encoding. + */ + ret = encode_to_private_key_info(key, &tmp, &pkey_info); + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (flags & GNUTLS_PKCS_USE_PKCS12_3DES) - schema = PKCS12_3DES_SHA1; - else if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) - schema = PKCS12_ARCFOUR_SHA1; - else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) - schema = PKCS12_RC2_40_SHA1; - else - schema = PBES2; + if (flags & GNUTLS_PKCS_USE_PKCS12_3DES) + schema = PKCS12_3DES_SHA1; + else if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) + schema = PKCS12_ARCFOUR_SHA1; + else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) + schema = PKCS12_RC2_40_SHA1; + else + schema = PBES2; - if ((flags & GNUTLS_PKCS_PLAIN) || password == NULL) - { - _gnutls_free_datum(&tmp); + if ((flags & GNUTLS_PKCS_PLAIN) || password == NULL) { + _gnutls_free_datum(&tmp); - ret = - _gnutls_x509_export_int(pkey_info, format, - PEM_UNENCRYPTED_PKCS8, - *output_data_size, output_data, - output_data_size); + ret = + _gnutls_x509_export_int(pkey_info, format, + PEM_UNENCRYPTED_PKCS8, + *output_data_size, output_data, + output_data_size); - asn1_delete_structure(&pkey_info); - } else { - asn1_delete_structure(&pkey_info); /* we don't need it */ + asn1_delete_structure(&pkey_info); + } else { + asn1_delete_structure(&pkey_info); /* we don't need it */ - ret = encode_to_pkcs8_key(schema, &tmp, password, &pkcs8_asn); - _gnutls_free_datum(&tmp); + ret = encode_to_pkcs8_key(schema, &tmp, password, &pkcs8_asn); + _gnutls_free_datum(&tmp); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = - _gnutls_x509_export_int(pkcs8_asn, format, PEM_PKCS8, - *output_data_size, output_data, - output_data_size); + ret = + _gnutls_x509_export_int(pkcs8_asn, format, PEM_PKCS8, + *output_data_size, output_data, + output_data_size); - asn1_delete_structure(&pkcs8_asn); - } + asn1_delete_structure(&pkcs8_asn); + } - return ret; + return ret; } @@ -473,333 +474,328 @@ int gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey key, * schema ID. */ static -int read_pkcs_schema_params(schema_id schema, const char* password, - const opaque * data, int data_size, +int read_pkcs_schema_params(schema_id schema, const char *password, + const opaque * data, int data_size, struct pbkdf2_params *kdf_params, struct pbe_enc_params *enc_params) { - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; - int result; - gnutls_datum tmp; - - switch (schema) { - - case PBES2: - - /* Now check the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBES2-params", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Decode the parameters. - */ - result = - asn1_der_decoding(&pbes2_asn, - data, data_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - tmp.data = (opaque*)data; - tmp.size = data_size; - - result = read_pbkdf2_params(pbes2_asn, &tmp, kdf_params); - if (result < 0) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = read_pbe_enc_params(pbes2_asn, &tmp, enc_params); - if (result < 0) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - asn1_delete_structure(&pbes2_asn); - return 0; - break; - - case PKCS12_3DES_SHA1: - case PKCS12_ARCFOUR_SHA1: - case PKCS12_RC2_40_SHA1: - - if ((schema) == PKCS12_3DES_SHA1) { - enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; - enc_params->iv_size = 8; - } else if ((schema) == PKCS12_ARCFOUR_SHA1) { - enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; - enc_params->iv_size = 0; - } else if ((schema) == PKCS12_RC2_40_SHA1) { - enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; - enc_params->iv_size = 8; - } - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-PbeParams", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Decode the parameters. - */ - result = - asn1_der_decoding(&pbes2_asn, - data, data_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = read_pkcs12_kdf_params(pbes2_asn, kdf_params); - if (result < 0) { - gnutls_assert(); - goto error; - } - - if (enc_params->iv_size) { - result = _pkcs12_string_to_key( 2/*IV*/, kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, password, enc_params->iv_size, enc_params->iv); - if (result < 0) { - gnutls_assert(); - goto error; - } - - } - - asn1_delete_structure(&pbes2_asn); - - return 0; - break; - - } /* switch */ - - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; - - error: - asn1_delete_structure(&pbes2_asn); - return result; -} + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; + int result; + gnutls_datum tmp; + switch (schema) { -/* Converts a PKCS #8 key to - * an internal structure (gnutls_private_key) - * (normally a PKCS #1 encoded RSA key) - */ -static -int decode_pkcs8_key(const gnutls_datum * raw_key, - const char *password, - gnutls_x509_privkey pkey, ASN1_TYPE* out) -{ - int result, len; - char enc_oid[64]; - gnutls_datum tmp; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs8_asn = ASN1_TYPE_EMPTY; - ASN1_TYPE ret_asn; - int params_start, params_end, params_len; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - schema_id schema; + case PBES2: + /* Now check the key derivation and the encryption + * functions. + */ if ((result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = - asn1_der_decoding(&pkcs8_asn, raw_key->data, raw_key->size, - NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Check the encryption schema OID - */ - len = sizeof(enc_oid); - result = - asn1_read_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - enc_oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; + "PKIX1.pkcs-5-PBES2-params", + &pbes2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - if ((result = check_schema(enc_oid)) < 0) { - gnutls_assert(); - goto error; - } - - schema = result; - - /* Get the DER encoding of the parameters. + /* Decode the parameters. */ - result = - asn1_der_decoding_startEnd(pkcs8_asn, raw_key->data, - raw_key->size, - "encryptionAlgorithm.parameters", - ¶ms_start, ¶ms_end); + result = asn1_der_decoding(&pbes2_asn, data, data_size, NULL); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - params_len = params_end - params_start + 1; - - result = - read_pkcs_schema_params(schema, password, - &raw_key->data[params_start], - params_len, &kdf_params, &enc_params); + tmp.data = (opaque *) data; + tmp.size = data_size; - /* Parameters have been decoded. Now - * decrypt the EncryptedData. - */ - result = - decrypt_data(schema, pkcs8_asn, "encryptedData", password, &kdf_params, - &enc_params, &tmp); + result = read_pbkdf2_params(pbes2_asn, &tmp, kdf_params); if (result < 0) { - gnutls_assert(); - goto error; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - asn1_delete_structure(&pkcs8_asn); - - result = decode_private_key_info(&tmp, pkey, &ret_asn); - _gnutls_free_datum(&tmp); - + result = read_pbe_enc_params(pbes2_asn, &tmp, enc_params); if (result < 0) { - gnutls_assert(); - goto error; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - *out = ret_asn; - - return 0; - - error: asn1_delete_structure(&pbes2_asn); - asn1_delete_structure(&pkcs8_asn); - return result; -} + return 0; + break; -static -int decode_private_key_info(const gnutls_datum * der, - gnutls_x509_privkey pkey, ASN1_TYPE* out) -{ - int result, len; - opaque oid[64], *data = NULL; - gnutls_datum tmp; - ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; - ASN1_TYPE ret_asn; - int data_size; + case PKCS12_3DES_SHA1: + case PKCS12_ARCFOUR_SHA1: + case PKCS12_RC2_40_SHA1: + if ((schema) == PKCS12_3DES_SHA1) { + enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; + enc_params->iv_size = 8; + } else if ((schema) == PKCS12_ARCFOUR_SHA1) { + enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; + enc_params->iv_size = 0; + } else if ((schema) == PKCS12_RC2_40_SHA1) { + enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; + enc_params->iv_size = 8; + } if ((result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-PrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = asn1_der_decoding(&pkcs8_asn, der->data, der->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; + "PKIX1.pkcs-12-PbeParams", + &pbes2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - /* Check the private key algorithm OID + /* Decode the parameters. */ - len = sizeof(oid); - result = - asn1_read_value(pkcs8_asn, "privateKeyAlgorithm.algorithm", - oid, &len); + result = asn1_der_decoding(&pbes2_asn, data, data_size, NULL); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - /* we only support RSA private keys. - */ - if (strcmp(oid, PKIX1_RSA_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log - ("PKCS #8 private key OID '%s' is unsupported.\n", - oid); - result = GNUTLS_E_UNKNOWN_PK_ALGORITHM; - goto error; + result = read_pkcs12_kdf_params(pbes2_asn, kdf_params); + if (result < 0) { + gnutls_assert(); + goto error; } - /* Get the DER encoding of the actual private key. - */ - data_size = 0; - result = - asn1_read_value(pkcs8_asn, "privateKey", NULL, &data_size); - if (result != ASN1_MEM_ERROR) { + if (enc_params->iv_size) { + result = + _pkcs12_string_to_key(2 /*IV*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + enc_params->iv_size, enc_params->iv); + if (result < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto error; - } + } - data = gnutls_alloca(data_size); - if (data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto error; } - result = - asn1_read_value(pkcs8_asn, "privateKey", data, &data_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } + asn1_delete_structure(&pbes2_asn); - asn1_delete_structure(&pkcs8_asn); + return 0; + break; - tmp.data = data; - tmp.size = data_size; + } /* switch */ - pkey->pk_algorithm = GNUTLS_PK_RSA; + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; - ret_asn = _gnutls_privkey_decode_pkcs1_rsa_key(&tmp, pkey); - if (ret_asn == NULL) { - gnutls_assert(); - } + error: + asn1_delete_structure(&pbes2_asn); + return result; +} - *out = ret_asn; - return 0; +/* Converts a PKCS #8 key to + * an internal structure (gnutls_private_key) + * (normally a PKCS #1 encoded RSA key) + */ +static +int decode_pkcs8_key(const gnutls_datum * raw_key, + const char *password, + gnutls_x509_privkey pkey, ASN1_TYPE * out) +{ + int result, len; + char enc_oid[64]; + gnutls_datum tmp; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs8_asn = ASN1_TYPE_EMPTY; + ASN1_TYPE ret_asn; + int params_start, params_end, params_len; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + schema_id schema; + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = + asn1_der_decoding(&pkcs8_asn, raw_key->data, raw_key->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Check the encryption schema OID + */ + len = sizeof(enc_oid); + result = + asn1_read_value(pkcs8_asn, "encryptionAlgorithm.algorithm", + enc_oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + + if ((result = check_schema(enc_oid)) < 0) { + gnutls_assert(); + goto error; + } + + schema = result; + + /* Get the DER encoding of the parameters. + */ + result = + asn1_der_decoding_startEnd(pkcs8_asn, raw_key->data, + raw_key->size, + "encryptionAlgorithm.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + params_len = params_end - params_start + 1; + + result = + read_pkcs_schema_params(schema, password, + &raw_key->data[params_start], + params_len, &kdf_params, &enc_params); + + + /* Parameters have been decoded. Now + * decrypt the EncryptedData. + */ + result = + decrypt_data(schema, pkcs8_asn, "encryptedData", password, + &kdf_params, &enc_params, &tmp); + if (result < 0) { + gnutls_assert(); + goto error; + } + + asn1_delete_structure(&pkcs8_asn); + + result = decode_private_key_info(&tmp, pkey, &ret_asn); + _gnutls_free_datum(&tmp); + + if (result < 0) { + gnutls_assert(); + goto error; + } + + *out = ret_asn; + + return 0; + + error: + asn1_delete_structure(&pbes2_asn); + asn1_delete_structure(&pkcs8_asn); + return result; +} - error: - asn1_delete_structure(&pkcs8_asn); - if (data != NULL) { - gnutls_afree(data); - } - return result; +static +int decode_private_key_info(const gnutls_datum * der, + gnutls_x509_privkey pkey, ASN1_TYPE * out) +{ + int result, len; + opaque oid[64], *data = NULL; + gnutls_datum tmp; + ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; + ASN1_TYPE ret_asn; + int data_size; + + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-8-PrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = asn1_der_decoding(&pkcs8_asn, der->data, der->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + + /* Check the private key algorithm OID + */ + len = sizeof(oid); + result = + asn1_read_value(pkcs8_asn, "privateKeyAlgorithm.algorithm", + oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* we only support RSA private keys. + */ + if (strcmp(oid, PKIX1_RSA_OID) != 0) { + gnutls_assert(); + _gnutls_x509_log + ("PKCS #8 private key OID '%s' is unsupported.\n", oid); + result = GNUTLS_E_UNKNOWN_PK_ALGORITHM; + goto error; + } + + /* Get the DER encoding of the actual private key. + */ + data_size = 0; + result = asn1_read_value(pkcs8_asn, "privateKey", NULL, &data_size); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + data = gnutls_alloca(data_size); + if (data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + result = asn1_read_value(pkcs8_asn, "privateKey", data, &data_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + asn1_delete_structure(&pkcs8_asn); + + tmp.data = data; + tmp.size = data_size; + + pkey->pk_algorithm = GNUTLS_PK_RSA; + + ret_asn = _gnutls_privkey_decode_pkcs1_rsa_key(&tmp, pkey); + if (ret_asn == NULL) { + gnutls_assert(); + } + + *out = ret_asn; + + return 0; + + error: + asn1_delete_structure(&pkcs8_asn); + if (data != NULL) { + gnutls_afree(data); + } + return result; } @@ -832,78 +828,78 @@ int gnutls_x509_privkey_import_pkcs8(gnutls_x509_privkey key, const char *password, unsigned int flags) { - int result = 0, need_free = 0; - gnutls_datum _data; - int encrypted; + int result = 0, need_free = 0; + gnutls_datum _data; + int encrypted; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - _data.data = data->data; - _data.size = data->size; + _data.data = data->data; + _data.size = data->size; - key->pk_algorithm = GNUTLS_PK_UNKNOWN; + key->pk_algorithm = GNUTLS_PK_UNKNOWN; - /* If the Certificate is in PEM format then decode it + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; + + /* Try the first header */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - /* Try the first header - */ - result = - _gnutls_fbase64_decode(PEM_UNENCRYPTED_PKCS8, - data->data, data->size, &out); - encrypted = 0; - - if (result < 0) { /* Try the encrypted header - */ - result = - _gnutls_fbase64_decode(PEM_PKCS8, data->data, - data->size, &out); - - if (result <= 0) { - if (result == 0) - result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - - encrypted = 1; - } - - _data.data = out; - _data.size = result; - - need_free = 1; - } + result = + _gnutls_fbase64_decode(PEM_UNENCRYPTED_PKCS8, + data->data, data->size, &out); + encrypted = 0; - if (flags & GNUTLS_PKCS_PLAIN || password == NULL) { - result = decode_private_key_info(&_data, key, &key->key); - } else { /* encrypted. */ - result = decode_pkcs8_key(&_data, password, key, &key->key); - } + if (result < 0) { /* Try the encrypted header + */ + result = + _gnutls_fbase64_decode(PEM_PKCS8, data->data, + data->size, &out); - if (result < 0) { + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; gnutls_assert(); - goto cleanup; + return result; + } + + encrypted = 1; } - if (need_free) - _gnutls_free_datum(&_data); + _data.data = out; + _data.size = result; - /* The key has now been decoded. - */ + need_free = 1; + } - return 0; + if (flags & GNUTLS_PKCS_PLAIN || password == NULL) { + result = decode_private_key_info(&_data, key, &key->key); + } else { /* encrypted. */ + result = decode_pkcs8_key(&_data, password, key, &key->key); + } - cleanup: - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - if (need_free) - _gnutls_free_datum(&_data); - return result; + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + if (need_free) + _gnutls_free_datum(&_data); + + /* The key has now been decoded. + */ + + return 0; + + cleanup: + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + if (need_free) + _gnutls_free_datum(&_data); + return result; } /* Reads the PBKDF2 parameters. @@ -912,181 +908,180 @@ static int read_pbkdf2_params(ASN1_TYPE pbes2_asn, const gnutls_datum * der, struct pbkdf2_params *params) { - int params_start, params_end; - int params_len, len, result; - ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; - char oid[64]; - - memset(params, 0, sizeof(params)); - - /* Check the key derivation algorithm - */ - len = sizeof(oid); - result = - asn1_read_value(pbes2_asn, "keyDerivationFunc.algorithm", oid, - &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - _gnutls_hard_log("keyDerivationFunc.algorithm: %s\n", oid); - - if (strcmp(oid, PBKDF2_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log - ("PKCS #8 key derivation OID '%s' is unsupported.\n", - oid); - return _gnutls_asn2err(result); - } - - result = - asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, - "keyDerivationFunc.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - params_len = params_end - params_start + 1; - - /* Now check the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBKDF2-params", - &pbkdf2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = - asn1_der_decoding(&pbkdf2_asn, &der->data[params_start], - params_len, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* read the salt */ - params->salt_size = sizeof(params->salt); - result = - asn1_read_value(pbkdf2_asn, "salt.specified", params->salt, - ¶ms->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.specified.size: %d\n", params->salt_size); - - /* read the iteration count - */ - result = - _gnutls_x509_read_uint(pbkdf2_asn, "iterationCount", - ¶ms->iter_count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", params->iter_count); - - /* read the keylength, if it is set. - */ - result = - _gnutls_x509_read_uint(pbkdf2_asn, "keyLength", - ¶ms->key_size); - if (result < 0) { - params->key_size = 0; - } - _gnutls_hard_log("keyLength: %d\n", params->key_size); + int params_start, params_end; + int params_len, len, result; + ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; + char oid[64]; + + memset(params, 0, sizeof(params)); + + /* Check the key derivation algorithm + */ + len = sizeof(oid); + result = + asn1_read_value(pbes2_asn, "keyDerivationFunc.algorithm", oid, + &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + _gnutls_hard_log("keyDerivationFunc.algorithm: %s\n", oid); + + if (strcmp(oid, PBKDF2_OID) != 0) { + gnutls_assert(); + _gnutls_x509_log + ("PKCS #8 key derivation OID '%s' is unsupported.\n", oid); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, + "keyDerivationFunc.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + params_len = params_end - params_start + 1; + + /* Now check the key derivation and the encryption + * functions. + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-5-PBKDF2-params", + &pbkdf2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding(&pbkdf2_asn, &der->data[params_start], + params_len, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* read the salt */ + params->salt_size = sizeof(params->salt); + result = + asn1_read_value(pbkdf2_asn, "salt.specified", params->salt, + ¶ms->salt_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("salt.specified.size: %d\n", params->salt_size); + + /* read the iteration count + */ + result = + _gnutls_x509_read_uint(pbkdf2_asn, "iterationCount", + ¶ms->iter_count); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("iterationCount: %d\n", params->iter_count); + + /* read the keylength, if it is set. + */ + result = + _gnutls_x509_read_uint(pbkdf2_asn, "keyLength", ¶ms->key_size); + if (result < 0) { + params->key_size = 0; + } + _gnutls_hard_log("keyLength: %d\n", params->key_size); - /* We don't read the PRF. We only use the default. - */ + /* We don't read the PRF. We only use the default. + */ - return 0; + return 0; - error: - asn1_delete_structure(&pbkdf2_asn); - return result; + error: + asn1_delete_structure(&pbkdf2_asn); + return result; } /* Reads the PBE parameters from PKCS-12 schemas (*&#%*&#% RSA). */ static int read_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - struct pbkdf2_params *params) + struct pbkdf2_params *params) { - int result; - - memset(params, 0, sizeof(params)); - - /* read the salt */ - params->salt_size = sizeof(params->salt); - result = - asn1_read_value(pbes2_asn, "salt", params->salt, - ¶ms->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.size: %d\n", params->salt_size); - - /* read the iteration count - */ - result = - _gnutls_x509_read_uint(pbes2_asn, "iterations", - ¶ms->iter_count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", params->iter_count); - - params->key_size = 0; - - return 0; - - error: - return result; + int result; + + memset(params, 0, sizeof(params)); + + /* read the salt */ + params->salt_size = sizeof(params->salt); + result = + asn1_read_value(pbes2_asn, "salt", params->salt, + ¶ms->salt_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("salt.size: %d\n", params->salt_size); + + /* read the iteration count + */ + result = + _gnutls_x509_read_uint(pbes2_asn, "iterations", + ¶ms->iter_count); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("iterationCount: %d\n", params->iter_count); + + params->key_size = 0; + + return 0; + + error: + return result; } /* Writes the PBE parameters for PKCS-12 schemas. */ static int write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - const struct pbkdf2_params *kdf_params) + const struct pbkdf2_params *kdf_params) { - int result; - - /* write the salt - */ - result = - asn1_write_value(pbes2_asn, "salt", - kdf_params->salt, kdf_params->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.size: %d\n", - kdf_params->salt_size); - - /* write the iteration count - */ - result = _gnutls_x509_write_uint32( pbes2_asn, "iterations", kdf_params->iter_count); - if (result < 0) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); - - return 0; - - error: - return result; + int result; + + /* write the salt + */ + result = + asn1_write_value(pbes2_asn, "salt", + kdf_params->salt, kdf_params->salt_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("salt.size: %d\n", kdf_params->salt_size); + + /* write the iteration count + */ + result = + _gnutls_x509_write_uint32(pbes2_asn, "iterations", + kdf_params->iter_count); + if (result < 0) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); + + return 0; + + error: + return result; } @@ -1097,21 +1092,20 @@ inline static int oid2cipher(const char *oid, gnutls_cipher_algorithm * algo) { - *algo = 0; + *algo = 0; - if (strcmp(oid, DES_EDE3_CBC_OID) == 0) { - *algo = GNUTLS_CIPHER_3DES_CBC; - return 0; - } + if (strcmp(oid, DES_EDE3_CBC_OID) == 0) { + *algo = GNUTLS_CIPHER_3DES_CBC; + return 0; + } - if (strcmp(oid, DES_CBC_OID) == 0) { - *algo = GNUTLS_CIPHER_DES_CBC; - return 0; - } + if (strcmp(oid, DES_CBC_OID) == 0) { + *algo = GNUTLS_CIPHER_DES_CBC; + return 0; + } - _gnutls_x509_log("PKCS #8 encryption OID '%s' is unsupported.\n", - oid); - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + _gnutls_x509_log("PKCS #8 encryption OID '%s' is unsupported.\n", oid); + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; } @@ -1119,189 +1113,190 @@ static int read_pbe_enc_params(ASN1_TYPE pbes2_asn, const gnutls_datum * der, struct pbe_enc_params *params) { - int params_start, params_end; - int params_len, len, result; - ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; - char oid[64]; - - memset(params, 0, sizeof(params)); - - /* Check the encryption algorithm - */ - len = sizeof(oid); - result = - asn1_read_value(pbes2_asn, "encryptionScheme.algorithm", oid, - &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("encryptionScheme.algorithm: %s\n", oid); - - if ((result = oid2cipher(oid, ¶ms->cipher)) < 0) { - gnutls_assert(); - goto error; - } - - result = - asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, - "encryptionScheme.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - params_len = params_end - params_start + 1; - - /* Now check the encryption parameters. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-des-EDE3-CBC-params", - &pbe_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = - asn1_der_decoding(&pbe_asn, &der->data[params_start], - params_len, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* read the IV */ - params->iv_size = sizeof(params->iv); - result = - asn1_read_value(pbe_asn, "", params->iv, ¶ms->iv_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("IV.size: %d\n", params->iv_size); - - return 0; - - error: - asn1_delete_structure(&pbe_asn); - return result; + int params_start, params_end; + int params_len, len, result; + ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; + char oid[64]; + + memset(params, 0, sizeof(params)); + + /* Check the encryption algorithm + */ + len = sizeof(oid); + result = + asn1_read_value(pbes2_asn, "encryptionScheme.algorithm", oid, + &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("encryptionScheme.algorithm: %s\n", oid); + + if ((result = oid2cipher(oid, ¶ms->cipher)) < 0) { + gnutls_assert(); + goto error; + } + + result = + asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, + "encryptionScheme.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + params_len = params_end - params_start + 1; + + /* Now check the encryption parameters. + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-5-des-EDE3-CBC-params", + &pbe_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding(&pbe_asn, &der->data[params_start], + params_len, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* read the IV */ + params->iv_size = sizeof(params->iv); + result = asn1_read_value(pbe_asn, "", params->iv, ¶ms->iv_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("IV.size: %d\n", params->iv_size); + + return 0; + + error: + asn1_delete_structure(&pbe_asn); + return result; } -static int decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn, const char *root, - const char *password, +static int decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn, + const char *root, const char *password, const struct pbkdf2_params *kdf_params, const struct pbe_enc_params *enc_params, gnutls_datum * decrypted_data) { - int result; - int data_size; - opaque *data = NULL, *key = NULL; - gnutls_datum dkey, div; - cipher_hd_t ch = NULL; - int key_size; - - data_size = 0; - result = asn1_read_value(pkcs8_asn, root, NULL, &data_size); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + int result; + int data_size; + opaque *data = NULL, *key = NULL; + gnutls_datum dkey, div; + cipher_hd_t ch = NULL; + int key_size; + + data_size = 0; + result = asn1_read_value(pkcs8_asn, root, NULL, &data_size); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + data = gnutls_malloc(data_size); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_read_value(pkcs8_asn, root, data, &data_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + if (kdf_params->key_size == 0) { + key_size = gnutls_cipher_get_key_size(enc_params->cipher); + } else + key_size = kdf_params->key_size; + + key = gnutls_alloca(key_size); + if (key == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + /* generate the key + */ + if (schema == PBES2) { + result = + _gnutls_pkcs5_pbkdf2(PKCS5_PRF_SHA1, password, + strlen(password), kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, key_size, key); - data = gnutls_malloc(data_size); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (result != PKCS5_OK) { + gnutls_assert(); + result = GNUTLS_E_DECRYPTION_FAILED; + goto error; } + } else { + result = + _pkcs12_string_to_key(1 /*KEY*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + key_size, key); - result = asn1_read_value(pkcs8_asn, root, data, &data_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if (result < 0) { + gnutls_assert(); + goto error; } + } - if (kdf_params->key_size == 0) { - key_size = gnutls_cipher_get_key_size(enc_params->cipher); - } else - key_size = kdf_params->key_size; + /* do the decryption. + */ + dkey.data = key; + dkey.size = key_size; - key = gnutls_alloca(key_size); - if (key == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto error; - } + div.data = (opaque *) enc_params->iv; + div.size = enc_params->iv_size; + ch = _gnutls_cipher_init(enc_params->cipher, &dkey, &div); - /* generate the key - */ - if (schema == PBES2) { - result = - _gnutls_pkcs5_pbkdf2(PKCS5_PRF_SHA1, password, - strlen(password), kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, key_size, key); - - if (result != PKCS5_OK) { - gnutls_assert(); - result = GNUTLS_E_DECRYPTION_FAILED; - goto error; - } - } else { - result = - _pkcs12_string_to_key( 1/*KEY*/, kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, password, key_size, key); - - if (result < 0) { - gnutls_assert(); - goto error; - } - } + gnutls_afree(key); + key = NULL; - /* do the decryption. - */ - dkey.data = key; - dkey.size = key_size; + if (ch == NULL) { + gnutls_assert(); + result = GNUTLS_E_DECRYPTION_FAILED; + goto error; + } - div.data = (opaque *) enc_params->iv; - div.size = enc_params->iv_size; - ch = _gnutls_cipher_init(enc_params->cipher, &dkey, &div); + result = _gnutls_cipher_decrypt(ch, data, data_size); + if (result < 0) { + gnutls_assert(); + goto error; + } - gnutls_afree(key); - key = NULL; + decrypted_data->data = data; - if (ch == NULL) { - gnutls_assert(); - result = GNUTLS_E_DECRYPTION_FAILED; - goto error; - } - - result = _gnutls_cipher_decrypt(ch, data, data_size); - if (result < 0) { - gnutls_assert(); - goto error; - } + if (_gnutls_cipher_get_block_size(enc_params->cipher) != 1) + decrypted_data->size = data_size - data[data_size - 1]; + else + decrypted_data->size = data_size; - decrypted_data->data = data; + _gnutls_cipher_deinit(ch); - if ( _gnutls_cipher_get_block_size(enc_params->cipher) != 1) - decrypted_data->size = data_size - data[data_size - 1]; - else - decrypted_data->size = data_size; + return 0; + error: + gnutls_free(data); + gnutls_afree(key); + if (ch != NULL) _gnutls_cipher_deinit(ch); - - return 0; - - error: - gnutls_free(data); - gnutls_afree(key); - if (ch != NULL) - _gnutls_cipher_deinit(ch); - return result; + return result; } @@ -1310,629 +1305,634 @@ static int decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn, const char *root, static int write_pbkdf2_params(ASN1_TYPE pbes2_asn, const struct pbkdf2_params *kdf_params) { - int result; - ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; - opaque tmp[64]; - - /* Write the key derivation algorithm - */ - result = - asn1_write_value(pbes2_asn, "keyDerivationFunc.algorithm", - PBKDF2_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* Now write the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBKDF2-params", - &pbkdf2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = asn1_write_value(pbkdf2_asn, "salt", "specified", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* write the salt - */ - result = - asn1_write_value(pbkdf2_asn, "salt.specified", - kdf_params->salt, kdf_params->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.specified.size: %d\n", - kdf_params->salt_size); - - /* write the iteration count - */ - _gnutls_write_uint32(kdf_params->iter_count, tmp); - - result = asn1_write_value(pbkdf2_asn, "iterationCount", tmp, 4); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); - - /* write the keylength, if it is set. - */ - result = asn1_write_value(pbkdf2_asn, "keyLength", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* We write an emptry prf. - */ - result = asn1_write_value(pbkdf2_asn, "prf", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* now encode them an put the DER output - * in the keyDerivationFunc.parameters - */ - result = _gnutls_x509_der_encode_and_copy(pbkdf2_asn, "", - pbes2_asn, - "keyDerivationFunc.parameters", 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - - return 0; - - error: - asn1_delete_structure(&pbkdf2_asn); - return result; + int result; + ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; + opaque tmp[64]; + + /* Write the key derivation algorithm + */ + result = + asn1_write_value(pbes2_asn, "keyDerivationFunc.algorithm", + PBKDF2_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Now write the key derivation and the encryption + * functions. + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-5-PBKDF2-params", + &pbkdf2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(pbkdf2_asn, "salt", "specified", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* write the salt + */ + result = + asn1_write_value(pbkdf2_asn, "salt.specified", + kdf_params->salt, kdf_params->salt_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("salt.specified.size: %d\n", kdf_params->salt_size); + + /* write the iteration count + */ + _gnutls_write_uint32(kdf_params->iter_count, tmp); + + result = asn1_write_value(pbkdf2_asn, "iterationCount", tmp, 4); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); + + /* write the keylength, if it is set. + */ + result = asn1_write_value(pbkdf2_asn, "keyLength", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* We write an emptry prf. + */ + result = asn1_write_value(pbkdf2_asn, "prf", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* now encode them an put the DER output + * in the keyDerivationFunc.parameters + */ + result = _gnutls_x509_der_encode_and_copy(pbkdf2_asn, "", + pbes2_asn, + "keyDerivationFunc.parameters", + 0); + if (result < 0) { + gnutls_assert(); + goto error; + } + + return 0; + + error: + asn1_delete_structure(&pbkdf2_asn); + return result; } static int write_pbe_enc_params(ASN1_TYPE pbes2_asn, const struct pbe_enc_params *params) { - int result; - ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; - - /* Write the encryption algorithm - */ - result = - asn1_write_value(pbes2_asn, "encryptionScheme.algorithm", - DES_EDE3_CBC_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("encryptionScheme.algorithm: %s\n", - DES_EDE3_CBC_OID); - - /* Now check the encryption parameters. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-des-EDE3-CBC-params", - &pbe_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* read the salt */ - result = - asn1_write_value(pbe_asn, "", params->iv, params->iv_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("IV.size: %d\n", params->iv_size); - - /* now encode them an put the DER output - * in the encryptionScheme.parameters - */ - result = _gnutls_x509_der_encode_and_copy(pbe_asn, "", - pbes2_asn, - "encryptionScheme.parameters", 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - - return 0; - - error: - asn1_delete_structure(&pbe_asn); - return result; + int result; + ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; + + /* Write the encryption algorithm + */ + result = + asn1_write_value(pbes2_asn, "encryptionScheme.algorithm", + DES_EDE3_CBC_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("encryptionScheme.algorithm: %s\n", DES_EDE3_CBC_OID); + + /* Now check the encryption parameters. + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-5-des-EDE3-CBC-params", + &pbe_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* read the salt */ + result = asn1_write_value(pbe_asn, "", params->iv, params->iv_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("IV.size: %d\n", params->iv_size); + + /* now encode them an put the DER output + * in the encryptionScheme.parameters + */ + result = _gnutls_x509_der_encode_and_copy(pbe_asn, "", + pbes2_asn, + "encryptionScheme.parameters", + 0); + if (result < 0) { + gnutls_assert(); + goto error; + } + + return 0; + + error: + asn1_delete_structure(&pbe_asn); + return result; } /* Generates a key and also stores the key parameters. */ -static int generate_key( schema_id schema, - const char *password, +static int generate_key(schema_id schema, + const char *password, struct pbkdf2_params *kdf_params, struct pbe_enc_params *enc_params, gnutls_datum * key) { - opaque rnd[2]; - int ret; + opaque rnd[2]; + int ret; - /* We should use the flags here to use different - * encryption algorithms etc. - */ + /* We should use the flags here to use different + * encryption algorithms etc. + */ - if (schema == PKCS12_ARCFOUR_SHA1) - enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; - else if (schema == PKCS12_3DES_SHA1) - enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; - else if (schema == PKCS12_RC2_40_SHA1) - enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; + if (schema == PKCS12_ARCFOUR_SHA1) + enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; + else if (schema == PKCS12_3DES_SHA1) + enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; + else if (schema == PKCS12_RC2_40_SHA1) + enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; - _gnutls_get_random(rnd, 2, GNUTLS_STRONG_RANDOM); + _gnutls_get_random(rnd, 2, GNUTLS_STRONG_RANDOM); - /* generate salt */ - - if (schema==PBES2) - kdf_params->salt_size = - GMIN(sizeof(kdf_params->salt), (uint) (10 + (rnd[1] % 10))); - else - kdf_params->salt_size = 8; + /* generate salt */ - _gnutls_get_random(kdf_params->salt, kdf_params->salt_size, - GNUTLS_STRONG_RANDOM); + if (schema == PBES2) + kdf_params->salt_size = + GMIN(sizeof(kdf_params->salt), (uint) (10 + (rnd[1] % 10))); + else + kdf_params->salt_size = 8; - kdf_params->iter_count = 256 + rnd[0]; - key->size = kdf_params->key_size = - gnutls_cipher_get_key_size(enc_params->cipher); + _gnutls_get_random(kdf_params->salt, kdf_params->salt_size, + GNUTLS_STRONG_RANDOM); - enc_params->iv_size = - _gnutls_cipher_get_iv_size(enc_params->cipher); + kdf_params->iter_count = 256 + rnd[0]; + key->size = kdf_params->key_size = + gnutls_cipher_get_key_size(enc_params->cipher); - key->data = gnutls_secure_malloc(key->size); - if (key->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + enc_params->iv_size = _gnutls_cipher_get_iv_size(enc_params->cipher); - /* now generate the key. - */ + key->data = gnutls_secure_malloc(key->size); + if (key->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + /* now generate the key. + */ - if (schema == PBES2) { + if (schema == PBES2) { - ret = _gnutls_pkcs5_pbkdf2(PKCS5_PRF_SHA1, password, + ret = _gnutls_pkcs5_pbkdf2(PKCS5_PRF_SHA1, password, strlen(password), kdf_params->salt, kdf_params->salt_size, kdf_params->iter_count, kdf_params->key_size, key->data); - if (ret != PKCS5_OK) { - gnutls_assert(); - return GNUTLS_E_ENCRYPTION_FAILED; - } - - if (enc_params->iv_size) - _gnutls_get_random(enc_params->iv, enc_params->iv_size, - GNUTLS_WEAK_RANDOM); - - } else { /* PKCS12 schemas */ - ret = - _pkcs12_string_to_key( 1/*KEY*/, kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, password, kdf_params->key_size, key->data); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* Now generate the IV - */ - if (enc_params->iv_size) { - ret = _pkcs12_string_to_key( 2/*IV*/, kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, password, enc_params->iv_size, enc_params->iv); - if (ret < 0) { - gnutls_assert(); - return ret; - } - } - } - - - return 0; -} - - -/* Encodes the parameters to be written in the encryptionAlgorithm.parameters - * part. - */ -static int write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, - const char * where, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params) -{ - int result; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; - - if (schema == PBES2) { - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBES2-params", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = write_pbkdf2_params(pbes2_asn, kdf_params); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = write_pbe_enc_params(pbes2_asn, enc_params); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", - pkcs8_asn, - where, 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - - asn1_delete_structure(&pbes2_asn); - } else { /* PKCS12 schemas */ - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-PbeParams", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = write_pkcs12_kdf_params(pbes2_asn, kdf_params); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", - pkcs8_asn, - where, 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - - asn1_delete_structure(&pbes2_asn); - - } - - return 0; - - error: - asn1_delete_structure(&pbes2_asn); - return result; - -} - -static int encrypt_data( const gnutls_datum * plain, - const struct pbe_enc_params *enc_params, - gnutls_datum * key, gnutls_datum * encrypted) -{ - int result; - int data_size; - opaque *data = NULL; - gnutls_datum div; - cipher_hd_t ch = NULL; - opaque pad, pad_size; - - pad_size = _gnutls_cipher_get_block_size(enc_params->cipher); - - if (pad_size == 1) /* stream */ pad_size = 0; - - data = gnutls_malloc(plain->size + pad_size); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (ret != PKCS5_OK) { + gnutls_assert(); + return GNUTLS_E_ENCRYPTION_FAILED; } - memcpy(data, plain->data, plain->size); - - if (pad_size > 0) { - pad = pad_size - (plain->size % pad_size); - if (pad == 0) - pad = pad_size; - memset(&data[plain->size], pad, pad); - } else pad = 0; + if (enc_params->iv_size) + _gnutls_get_random(enc_params->iv, enc_params->iv_size, + GNUTLS_WEAK_RANDOM); - data_size = plain->size + pad; - - div.data = (opaque *) enc_params->iv; - div.size = enc_params->iv_size; - ch = _gnutls_cipher_init(enc_params->cipher, key, &div); - - if (ch == GNUTLS_CIPHER_FAILED) { - gnutls_assert(); - result = GNUTLS_E_ENCRYPTION_FAILED; - goto error; + } else { /* PKCS12 schemas */ + ret = + _pkcs12_string_to_key(1 /*KEY*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + kdf_params->key_size, key->data); + if (ret < 0) { + gnutls_assert(); + return ret; } - result = _gnutls_cipher_encrypt(ch, data, data_size); - if (result < 0) { + /* Now generate the IV + */ + if (enc_params->iv_size) { + ret = + _pkcs12_string_to_key(2 /*IV*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + enc_params->iv_size, enc_params->iv); + if (ret < 0) { gnutls_assert(); - goto error; + return ret; + } } + } - encrypted->data = data; - encrypted->size = data_size; - - _gnutls_cipher_deinit(ch); - - return 0; - error: - gnutls_free(data); - if (ch != NULL) - _gnutls_cipher_deinit(ch); - return result; + return 0; } -/* Decrypts a PKCS #7 encryptedData. The output is allocated - * and stored in dec. + +/* Encodes the parameters to be written in the encryptionAlgorithm.parameters + * part. */ -int _gnutls_pkcs7_decrypt_data(const gnutls_datum * data, - const char *password, - gnutls_datum * dec) +static int write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, + const char *where, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params) { - int result, len; - char enc_oid[64]; - gnutls_datum tmp; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs7_asn = ASN1_TYPE_EMPTY; - int params_start, params_end, params_len; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - schema_id schema; + int result; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; + if (schema == PBES2) { if ((result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-7-EncryptedData", - &pkcs7_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + "PKIX1.pkcs-5-PBES2-params", + &pbes2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); } - result = - asn1_der_decoding(&pkcs7_asn, data->data, data->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = write_pbkdf2_params(pbes2_asn, kdf_params); + if (result < 0) { + gnutls_assert(); + goto error; } - /* Check the encryption schema OID - */ - len = sizeof(enc_oid); - result = - asn1_read_value(pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - enc_oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = write_pbe_enc_params(pbes2_asn, enc_params); + if (result < 0) { + gnutls_assert(); + goto error; } - if ((result = check_schema(enc_oid)) < 0) { - gnutls_assert(); - goto error; + result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", + pkcs8_asn, where, 0); + if (result < 0) { + gnutls_assert(); + goto error; } - schema = result; - /* Get the DER encoding of the parameters. - */ - result = - asn1_der_decoding_startEnd(pkcs7_asn, data->data, data->size, - "encryptedContentInfo.contentEncryptionAlgorithm.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - params_len = params_end - params_start + 1; + asn1_delete_structure(&pbes2_asn); + } else { /* PKCS12 schemas */ - result = - read_pkcs_schema_params(schema, password, - &data->data[params_start], - params_len, &kdf_params, &enc_params); - if (result < ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-PbeParams", + &pbes2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - /* Parameters have been decoded. Now - * decrypt the EncryptedData. - */ + result = write_pkcs12_kdf_params(pbes2_asn, kdf_params); + if (result < 0) { + gnutls_assert(); + goto error; + } - result = - decrypt_data(schema, pkcs7_asn, - "encryptedContentInfo.encryptedContent", password, - &kdf_params, &enc_params, &tmp); + result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", + pkcs8_asn, where, 0); if (result < 0) { - gnutls_assert(); - goto error; + gnutls_assert(); + goto error; } - asn1_delete_structure(&pkcs7_asn); + asn1_delete_structure(&pbes2_asn); - *dec = tmp; + } - return 0; + return 0; + + error: + asn1_delete_structure(&pbes2_asn); + return result; - error: - asn1_delete_structure(&pbes2_asn); - asn1_delete_structure(&pkcs7_asn); - return result; +} + +static int encrypt_data(const gnutls_datum * plain, + const struct pbe_enc_params *enc_params, + gnutls_datum * key, gnutls_datum * encrypted) +{ + int result; + int data_size; + opaque *data = NULL; + gnutls_datum div; + cipher_hd_t ch = NULL; + opaque pad, pad_size; + + pad_size = _gnutls_cipher_get_block_size(enc_params->cipher); + + if (pad_size == 1) /* stream */ + pad_size = 0; + + data = gnutls_malloc(plain->size + pad_size); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + memcpy(data, plain->data, plain->size); + + if (pad_size > 0) { + pad = pad_size - (plain->size % pad_size); + if (pad == 0) + pad = pad_size; + memset(&data[plain->size], pad, pad); + } else + pad = 0; + + data_size = plain->size + pad; + + div.data = (opaque *) enc_params->iv; + div.size = enc_params->iv_size; + ch = _gnutls_cipher_init(enc_params->cipher, key, &div); + + if (ch == GNUTLS_CIPHER_FAILED) { + gnutls_assert(); + result = GNUTLS_E_ENCRYPTION_FAILED; + goto error; + } + + result = _gnutls_cipher_encrypt(ch, data, data_size); + if (result < 0) { + gnutls_assert(); + goto error; + } + + encrypted->data = data; + encrypted->size = data_size; + + _gnutls_cipher_deinit(ch); + + return 0; + + error: + gnutls_free(data); + if (ch != NULL) + _gnutls_cipher_deinit(ch); + return result; +} + +/* Decrypts a PKCS #7 encryptedData. The output is allocated + * and stored in dec. + */ +int _gnutls_pkcs7_decrypt_data(const gnutls_datum * data, + const char *password, gnutls_datum * dec) +{ + int result, len; + char enc_oid[64]; + gnutls_datum tmp; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs7_asn = ASN1_TYPE_EMPTY; + int params_start, params_end, params_len; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + schema_id schema; + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-7-EncryptedData", + &pkcs7_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = asn1_der_decoding(&pkcs7_asn, data->data, data->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Check the encryption schema OID + */ + len = sizeof(enc_oid); + result = + asn1_read_value(pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + enc_oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + if ((result = check_schema(enc_oid)) < 0) { + gnutls_assert(); + goto error; + } + schema = result; + + /* Get the DER encoding of the parameters. + */ + result = + asn1_der_decoding_startEnd(pkcs7_asn, data->data, data->size, + "encryptedContentInfo.contentEncryptionAlgorithm.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + params_len = params_end - params_start + 1; + + result = + read_pkcs_schema_params(schema, password, + &data->data[params_start], + params_len, &kdf_params, &enc_params); + if (result < ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Parameters have been decoded. Now + * decrypt the EncryptedData. + */ + + result = + decrypt_data(schema, pkcs7_asn, + "encryptedContentInfo.encryptedContent", password, + &kdf_params, &enc_params, &tmp); + if (result < 0) { + gnutls_assert(); + goto error; + } + + asn1_delete_structure(&pkcs7_asn); + + *dec = tmp; + + return 0; + + error: + asn1_delete_structure(&pbes2_asn); + asn1_delete_structure(&pkcs7_asn); + return result; } /* Encrypts to a PKCS #7 encryptedData. The output is allocated * and stored in enc. */ int _gnutls_pkcs7_encrypt_data(schema_id schema, const gnutls_datum * data, - const char *password, - gnutls_datum * enc) + const char *password, gnutls_datum * enc) { - int result; - gnutls_datum key = { NULL, 0 }; - gnutls_datum tmp = { NULL, 0 }; - ASN1_TYPE pkcs7_asn = ASN1_TYPE_EMPTY; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-7-EncryptedData", - &pkcs7_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the encryption schema OID - */ - switch (schema) { - case PBES2: - result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PBES2_OID, 1); - break; - case PKCS12_3DES_SHA1: - result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PKCS12_PBE_3DES_SHA1_OID, 1); - break; - case PKCS12_ARCFOUR_SHA1: - result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PKCS12_PBE_ARCFOUR_SHA1_OID, 1); - break; - case PKCS12_RC2_40_SHA1: - result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PKCS12_PBE_RC2_40_SHA1_OID, 1); - break; - - } - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Generate a symmetric key. - */ - + int result; + gnutls_datum key = { NULL, 0 }; + gnutls_datum tmp = { NULL, 0 }; + ASN1_TYPE pkcs7_asn = ASN1_TYPE_EMPTY; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-7-EncryptedData", + &pkcs7_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Write the encryption schema OID + */ + switch (schema) { + case PBES2: result = - generate_key(schema, password, &kdf_params, &enc_params, &key); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = write_schema_params(schema, pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.parameters", - &kdf_params, &enc_params); - if (result < 0) { - gnutls_assert(); - goto error; - } - - /* Parameters have been encoded. Now - * encrypt the Data. - */ - result = encrypt_data( data, &enc_params, &key, &tmp); - if (result < 0) { - gnutls_assert(); - goto error; - } - - /* write the encrypted data. - */ + asn1_write_value(pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PBES2_OID, 1); + break; + case PKCS12_3DES_SHA1: result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.encryptedContent", tmp.data, - tmp.size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - _gnutls_free_datum(&tmp); - _gnutls_free_datum(&key); - - /* Now write the rest of the pkcs-7 stuff. - */ - - result = _gnutls_x509_write_uint32( pkcs7_asn, "version", 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - + asn1_write_value(pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PKCS12_PBE_3DES_SHA1_OID, 1); + break; + case PKCS12_ARCFOUR_SHA1: result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentType", DATA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - + asn1_write_value(pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PKCS12_PBE_ARCFOUR_SHA1_OID, 1); + break; + case PKCS12_RC2_40_SHA1: result = - asn1_write_value(pkcs7_asn, "unprotectedAttrs", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Now encode and copy the DER stuff. - */ - result = _gnutls_x509_der_encode( pkcs7_asn, "", enc, 0); - - asn1_delete_structure(&pkcs7_asn); - - if (result < 0) { - gnutls_assert(); - goto error; - } - - - error: - _gnutls_free_datum(&key); - _gnutls_free_datum(&tmp); - asn1_delete_structure(&pkcs7_asn); - return result; + asn1_write_value(pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PKCS12_PBE_RC2_40_SHA1_OID, 1); + break; + + } + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Generate a symmetric key. + */ + + result = + generate_key(schema, password, &kdf_params, &enc_params, &key); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = write_schema_params(schema, pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.parameters", + &kdf_params, &enc_params); + if (result < 0) { + gnutls_assert(); + goto error; + } + + /* Parameters have been encoded. Now + * encrypt the Data. + */ + result = encrypt_data(data, &enc_params, &key, &tmp); + if (result < 0) { + gnutls_assert(); + goto error; + } + + /* write the encrypted data. + */ + result = + asn1_write_value(pkcs7_asn, + "encryptedContentInfo.encryptedContent", tmp.data, + tmp.size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + _gnutls_free_datum(&tmp); + _gnutls_free_datum(&key); + + /* Now write the rest of the pkcs-7 stuff. + */ + + result = _gnutls_x509_write_uint32(pkcs7_asn, "version", 0); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = + asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentType", + DATA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = asn1_write_value(pkcs7_asn, "unprotectedAttrs", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Now encode and copy the DER stuff. + */ + result = _gnutls_x509_der_encode(pkcs7_asn, "", enc, 0); + + asn1_delete_structure(&pkcs7_asn); + + if (result < 0) { + gnutls_assert(); + goto error; + } + + + error: + _gnutls_free_datum(&key); + _gnutls_free_datum(&tmp); + asn1_delete_structure(&pkcs7_asn); + return result; } diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c index b6229719c2..a1a7e1b82d 100644 --- a/lib/x509/rfc2818_hostname.c +++ b/lib/x509/rfc2818_hostname.c @@ -34,36 +34,36 @@ */ int _gnutls_hostname_compare(const char *certname, const char *hostname) { - const char *cmpstr1, *cmpstr2; + const char *cmpstr1, *cmpstr2; - if (strlen(certname) == 0 || strlen(hostname) == 0) - return 0; + if (strlen(certname) == 0 || strlen(hostname) == 0) + return 0; - if (strlen(certname) > 2 && strncmp(certname, "*.", 2) == 0) { - /* a wildcard certificate */ + if (strlen(certname) > 2 && strncmp(certname, "*.", 2) == 0) { + /* a wildcard certificate */ - cmpstr1 = certname + 1; + cmpstr1 = certname + 1; - /* find the first dot in hostname, compare from there on */ - cmpstr2 = strchr(hostname, '.'); + /* find the first dot in hostname, compare from there on */ + cmpstr2 = strchr(hostname, '.'); - if (cmpstr2 == NULL) { - /* error, the hostname we're connecting to is only a local part */ - return 0; - } + if (cmpstr2 == NULL) { + /* error, the hostname we're connecting to is only a local part */ + return 0; + } - if (strcasecmp(cmpstr1, cmpstr2) == 0) { - return 1; - } + if (strcasecmp(cmpstr1, cmpstr2) == 0) { + return 1; + } - return 0; - } + return 0; + } - if (strcasecmp(certname, hostname) == 0) { - return 1; - } + if (strcasecmp(certname, hostname) == 0) { + return 1; + } - return 0; + return 0; } /** @@ -80,63 +80,63 @@ int _gnutls_hostname_compare(const char *certname, const char *hostname) * **/ int gnutls_x509_crt_check_hostname(gnutls_x509_crt cert, - const char *hostname) + const char *hostname) { - char dnsname[MAX_CN]; - size_t dnsnamesize; - int found_dnsname = 0; - int ret = 0; - int i = 0; - - /* try matching against: - * 1) a DNS name as an alternative name (subjectAltName) extension - * in the certificate - * 2) the common name (CN) in the certificate - * - * either of these may be of the form: *.domain.tld - * - * only try (2) if there is no subjectAltName extension of - * type dNSName - */ - - /* Check through all included subjectAltName extensions, comparing - * against all those of type dNSName. - */ - for (i = 0; !(ret < 0); i++) { - - dnsnamesize = sizeof(dnsname); - ret = - gnutls_x509_crt_get_subject_alt_name(cert, i, - dnsname, &dnsnamesize, NULL); - - if (ret == GNUTLS_SAN_DNSNAME) { - found_dnsname = 1; - if (_gnutls_hostname_compare(dnsname, hostname)) { - return 1; - } - } - - } - - if (!found_dnsname) { - /* not got the necessary extension, use CN instead - */ - dnsnamesize = sizeof(dnsname); - if (gnutls_x509_crt_get_dn_by_oid(cert, OID_X520_COMMON_NAME, 0, - 0, dnsname, &dnsnamesize) < 0) { - /* got an error, can't find a name - */ - return 1; - } - - if (_gnutls_hostname_compare(dnsname, hostname)) { - return 1; - } - } - - /* not found a matching name - */ - return 0; + char dnsname[MAX_CN]; + size_t dnsnamesize; + int found_dnsname = 0; + int ret = 0; + int i = 0; + + /* try matching against: + * 1) a DNS name as an alternative name (subjectAltName) extension + * in the certificate + * 2) the common name (CN) in the certificate + * + * either of these may be of the form: *.domain.tld + * + * only try (2) if there is no subjectAltName extension of + * type dNSName + */ + + /* Check through all included subjectAltName extensions, comparing + * against all those of type dNSName. + */ + for (i = 0; !(ret < 0); i++) { + + dnsnamesize = sizeof(dnsname); + ret = + gnutls_x509_crt_get_subject_alt_name(cert, i, + dnsname, &dnsnamesize, + NULL); + + if (ret == GNUTLS_SAN_DNSNAME) { + found_dnsname = 1; + if (_gnutls_hostname_compare(dnsname, hostname)) { + return 1; + } + } + + } + + if (!found_dnsname) { + /* not got the necessary extension, use CN instead + */ + dnsnamesize = sizeof(dnsname); + if (gnutls_x509_crt_get_dn_by_oid(cert, OID_X520_COMMON_NAME, 0, + 0, dnsname, &dnsnamesize) < 0) { + /* got an error, can't find a name + */ + return 1; + } + + if (_gnutls_hostname_compare(dnsname, hostname)) { + return 1; + } + } + + /* not found a matching name + */ + return 0; } - diff --git a/lib/x509/sign.c b/lib/x509/sign.c index 35e8ba8fa3..8586bd86b7 100644 --- a/lib/x509/sign.c +++ b/lib/x509/sign.c @@ -46,69 +46,69 @@ /* Writes the digest information and the digest in a DER encoded * structure. The digest info is allocated and stored into the info structure. */ -static int encode_ber_digest_info( gnutls_mac_algorithm hash, - const gnutls_datum* digest, gnutls_datum *info) +static int encode_ber_digest_info(gnutls_mac_algorithm hash, + const gnutls_datum * digest, + gnutls_datum * info) { -ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; -int result; -const char* algo; - - algo = _gnutls_x509_mac_to_oid( hash); - if (algo == NULL) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_PK_ALGORITHM; - } + ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; + int result; + const char *algo; + + algo = _gnutls_x509_mac_to_oid(hash); + if (algo == NULL) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_PK_ALGORITHM; + } + + if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.DigestInfo", + &dinfo)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(dinfo, "digestAlgorithm.algorithm", algo, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } - if ((result=asn1_create_element( _gnutls_get_gnutls_asn(), - "GNUTLS.DigestInfo", &dinfo))!=ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = - asn1_write_value( dinfo, "digestAlgorithm.algorithm", algo, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } + result = + asn1_write_value(dinfo, "digestAlgorithm.parameters", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } - result = - asn1_write_value( dinfo, "digestAlgorithm.parameters", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } + result = asn1_write_value(dinfo, "digest", digest->data, digest->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } - result = - asn1_write_value( dinfo, "digest", digest->data, digest->size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } + info->size = 0; + asn1_der_coding(dinfo, "", NULL, &info->size, NULL); - info->size = 0; - asn1_der_coding( dinfo, "", NULL, &info->size, NULL); + info->data = gnutls_malloc(info->size); + if (info->data == NULL) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return GNUTLS_E_MEMORY_ERROR; + } - info->data = gnutls_malloc( info->size); - if (info->data == NULL) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return GNUTLS_E_MEMORY_ERROR; - } + result = asn1_der_coding(dinfo, "", info->data, &info->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } - result = asn1_der_coding( dinfo, "", info->data, &info->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } + asn1_delete_structure(&dinfo); - asn1_delete_structure(&dinfo); - - return 0; + return 0; } /* if hash==MD5 then we do RSA-MD5 @@ -117,71 +117,75 @@ const char* algo; * params[1] is public key */ static int -pkcs1_rsa_sign( gnutls_mac_algorithm hash, const gnutls_datum* text, - mpi_t *params, int params_len, gnutls_datum* signature) +pkcs1_rsa_sign(gnutls_mac_algorithm hash, const gnutls_datum * text, + mpi_t * params, int params_len, gnutls_datum * signature) { - int ret; - opaque _digest[MAX_HASH_SIZE]; - GNUTLS_HASH_HANDLE hd; - gnutls_datum digest, info; - - hd = _gnutls_hash_init( hash); - if (hd == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - _gnutls_hash( hd, text->data, text->size); - _gnutls_hash_deinit( hd, _digest); - - digest.data = _digest; - digest.size = _gnutls_hash_get_algo_len(hash); - - /* Encode the digest as a DigestInfo - */ - if ( (ret = encode_ber_digest_info( hash, &digest, &info)) != 0) { - gnutls_assert(); - return ret; - } - - if ( (ret=_gnutls_sign( GNUTLS_PK_RSA, params, params_len, &info, signature)) < 0) { - gnutls_assert(); - _gnutls_free_datum( &info); - return ret; - } - - _gnutls_free_datum( &info); - - return 0; + int ret; + opaque _digest[MAX_HASH_SIZE]; + GNUTLS_HASH_HANDLE hd; + gnutls_datum digest, info; + + hd = _gnutls_hash_init(hash); + if (hd == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + _gnutls_hash(hd, text->data, text->size); + _gnutls_hash_deinit(hd, _digest); + + digest.data = _digest; + digest.size = _gnutls_hash_get_algo_len(hash); + + /* Encode the digest as a DigestInfo + */ + if ((ret = encode_ber_digest_info(hash, &digest, &info)) != 0) { + gnutls_assert(); + return ret; + } + + if ((ret = + _gnutls_sign(GNUTLS_PK_RSA, params, params_len, &info, + signature)) < 0) { + gnutls_assert(); + _gnutls_free_datum(&info); + return ret; + } + + _gnutls_free_datum(&info); + + return 0; } static int -dsa_sign( const gnutls_datum* text, - mpi_t *params, int params_len, gnutls_datum* signature) +dsa_sign(const gnutls_datum * text, + mpi_t * params, int params_len, gnutls_datum * signature) { - int ret; - opaque _digest[MAX_HASH_SIZE]; - GNUTLS_HASH_HANDLE hd; - gnutls_datum digest; - - hd = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (hd == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - _gnutls_hash( hd, text->data, text->size); - _gnutls_hash_deinit( hd, _digest); - - digest.data = _digest; - digest.size = 20; - - if ( (ret=_gnutls_sign( GNUTLS_PK_DSA, params, params_len, &digest, signature)) < 0) { - gnutls_assert(); - return ret; - } - - return 0; + int ret; + opaque _digest[MAX_HASH_SIZE]; + GNUTLS_HASH_HANDLE hd; + gnutls_datum digest; + + hd = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (hd == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + _gnutls_hash(hd, text->data, text->size); + _gnutls_hash_deinit(hd, _digest); + + digest.data = _digest; + digest.size = 20; + + if ((ret = + _gnutls_sign(GNUTLS_PK_DSA, params, params_len, &digest, + signature)) < 0) { + gnutls_assert(); + return ret; + } + + return 0; } /* Signs the given data using the parameters from the signer's @@ -193,74 +197,77 @@ dsa_sign( const gnutls_datum* text, * 'signature' will hold the signature! * 'hash' is only used in PKCS1 RSA signing. */ -int _gnutls_x509_sign( const gnutls_datum* tbs, gnutls_mac_algorithm hash, - gnutls_x509_privkey signer, gnutls_datum* signature) +int _gnutls_x509_sign(const gnutls_datum * tbs, gnutls_mac_algorithm hash, + gnutls_x509_privkey signer, gnutls_datum * signature) { -int ret; - - switch( signer->pk_algorithm) - { - case GNUTLS_PK_RSA: - ret = pkcs1_rsa_sign( hash, tbs, signer->params, signer->params_size, - signature); - if (ret < 0) { - gnutls_assert(); - return ret; - } - return 0; - break; - case GNUTLS_PK_DSA: - ret = dsa_sign( tbs, signer->params, signer->params_size, signature); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - return 0; - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + int ret; + + switch (signer->pk_algorithm) { + case GNUTLS_PK_RSA: + ret = + pkcs1_rsa_sign(hash, tbs, signer->params, signer->params_size, + signature); + if (ret < 0) { + gnutls_assert(); + return ret; + } + return 0; + break; + case GNUTLS_PK_DSA: + ret = + dsa_sign(tbs, signer->params, signer->params_size, signature); + if (ret < 0) { + gnutls_assert(); + return ret; } + return 0; + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + } /* This is the same as the _gnutls_x509_sign, but this one will decode * the ASN1_TYPE given, and sign the DER data. Actually used to get the DER * of the TBS and sign it on the fly. */ -int _gnutls_x509_sign_tbs( ASN1_TYPE cert, const char* tbs_name, - gnutls_mac_algorithm hash, gnutls_x509_privkey signer, gnutls_datum* signature) +int _gnutls_x509_sign_tbs(ASN1_TYPE cert, const char *tbs_name, + gnutls_mac_algorithm hash, + gnutls_x509_privkey signer, + gnutls_datum * signature) { -int result; -opaque *buf; -int buf_size; -gnutls_datum tbs; - - buf_size = 0; - asn1_der_coding( cert, tbs_name, NULL, &buf_size, NULL); - - buf = gnutls_alloca( buf_size); - if (buf == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + int result; + opaque *buf; + int buf_size; + gnutls_datum tbs; - result = asn1_der_coding( cert, tbs_name, buf, &buf_size, NULL); + buf_size = 0; + asn1_der_coding(cert, tbs_name, NULL, &buf_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_afree(buf); - return _gnutls_asn2err(result); - } + buf = gnutls_alloca(buf_size); + if (buf == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_der_coding(cert, tbs_name, buf, &buf_size, NULL); - tbs.data = buf; - tbs.size = buf_size; - - result = _gnutls_x509_sign( &tbs, hash, signer, signature); + if (result != ASN1_SUCCESS) { + gnutls_assert(); gnutls_afree(buf); - - return result; + return _gnutls_asn2err(result); + } + + tbs.data = buf; + tbs.size = buf_size; + + result = _gnutls_x509_sign(&tbs, hash, signer, signature); + gnutls_afree(buf); + + return result; } /*- @@ -275,70 +282,78 @@ gnutls_datum tbs; * Returns 0 on success. * -*/ -int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char* src_name, - gnutls_x509_crt issuer, gnutls_x509_privkey issuer_key) +int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, + gnutls_x509_crt issuer, + gnutls_x509_privkey issuer_key) { -int result; -gnutls_datum signature; -char name[128]; - - /* Step 1. Copy the issuer's name into the certificate. - */ - _gnutls_str_cpy( name, sizeof(name), src_name); - _gnutls_str_cat( name, sizeof(name), ".issuer"); - - result = _gnutls_asn1_copy_node( &src, name, - issuer->cert, "tbsCertificate.subject"); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 1.5. Write the signature stuff in the tbsCertificate. - */ - _gnutls_str_cpy( name, sizeof(name), src_name); - _gnutls_str_cat( name, sizeof(name), ".signature"); - - result = _gnutls_x509_write_sig_params( src, name, - issuer_key->pk_algorithm, issuer_key->params, issuer_key->params_size); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 2. Sign the certificate. - */ - result = _gnutls_x509_sign_tbs( src, src_name, GNUTLS_MAC_SHA, - issuer_key, &signature); - - if (result < 0) { - gnutls_assert(); - return result; - } - - /* write the signature (bits) - */ - result = asn1_write_value( src, "signature", signature.data, signature.size*8); - - _gnutls_free_datum( &signature); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + int result; + gnutls_datum signature; + char name[128]; + + /* Step 1. Copy the issuer's name into the certificate. + */ + _gnutls_str_cpy(name, sizeof(name), src_name); + _gnutls_str_cat(name, sizeof(name), ".issuer"); + + result = _gnutls_asn1_copy_node(&src, name, + issuer->cert, + "tbsCertificate.subject"); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 1.5. Write the signature stuff in the tbsCertificate. + */ + _gnutls_str_cpy(name, sizeof(name), src_name); + _gnutls_str_cat(name, sizeof(name), ".signature"); + + result = _gnutls_x509_write_sig_params(src, name, + issuer_key->pk_algorithm, + issuer_key->params, + issuer_key->params_size); + if (result < 0) { + gnutls_assert(); + return result; + } - /* Step 3. Move up and write the AlgorithmIdentifier, which is also - * the same. - */ + /* Step 2. Sign the certificate. + */ + result = _gnutls_x509_sign_tbs(src, src_name, GNUTLS_MAC_SHA, + issuer_key, &signature); - result = _gnutls_x509_write_sig_params( src, "signatureAlgorithm", - issuer_key->pk_algorithm, issuer_key->params, issuer_key->params_size); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } + + /* write the signature (bits) + */ + result = + asn1_write_value(src, "signature", signature.data, + signature.size * 8); + + _gnutls_free_datum(&signature); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Step 3. Move up and write the AlgorithmIdentifier, which is also + * the same. + */ + + result = _gnutls_x509_write_sig_params(src, "signatureAlgorithm", + issuer_key->pk_algorithm, + issuer_key->params, + issuer_key->params_size); + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } #endif diff --git a/lib/x509/verify.c b/lib/x509/verify.c index f5d1a910d4..15bb97bf58 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -40,15 +40,18 @@ #include <verify.h> static int _gnutls_verify_certificate2(gnutls_x509_crt cert, - gnutls_x509_crt *trusted_cas, int tcas_size, - unsigned int flags, unsigned int* output); -int _gnutls_x509_verify_signature(const gnutls_datum* signed_data, - const gnutls_datum* signature, gnutls_x509_crt issuer); + gnutls_x509_crt * trusted_cas, + int tcas_size, unsigned int flags, + unsigned int *output); +int _gnutls_x509_verify_signature(const gnutls_datum * signed_data, + const gnutls_datum * signature, + gnutls_x509_crt issuer); static int is_crl_issuer(gnutls_x509_crl crl, gnutls_x509_crt issuer_cert); static int _gnutls_verify_crl2(gnutls_x509_crl crl, - gnutls_x509_crt *trusted_cas, int tcas_size, - unsigned int flags, unsigned int *output); + gnutls_x509_crt * trusted_cas, + int tcas_size, unsigned int flags, + unsigned int *output); /* Checks if the issuer of a certificate is a @@ -60,67 +63,74 @@ static int _gnutls_verify_crl2(gnutls_x509_crl crl, */ static int check_if_ca(gnutls_x509_crt cert, gnutls_x509_crt issuer) { -gnutls_datum cert_signed_data = { NULL, 0 }; -gnutls_datum issuer_signed_data = { NULL, 0 }; -gnutls_datum cert_signature = { NULL, 0 }; -gnutls_datum issuer_signature = { NULL, 0 }; -int result; - - /* Check if the issuer is the same with the - * certificate. This is added in order for trusted - * certificates to be able to verify themselves. - */ - - result = _gnutls_x509_get_signed_data( issuer->cert, "tbsCertificate", &issuer_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_get_signed_data( cert->cert, "tbsCertificate", &cert_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_get_signature( issuer->cert, "signature", &issuer_signature); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_get_signature( cert->cert, "signature", &cert_signature); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + gnutls_datum cert_signed_data = { NULL, 0 }; + gnutls_datum issuer_signed_data = { NULL, 0 }; + gnutls_datum cert_signature = { NULL, 0 }; + gnutls_datum issuer_signature = { NULL, 0 }; + int result; + + /* Check if the issuer is the same with the + * certificate. This is added in order for trusted + * certificates to be able to verify themselves. + */ + + result = + _gnutls_x509_get_signed_data(issuer->cert, "tbsCertificate", + &issuer_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - if (cert_signed_data.size == issuer_signed_data.size) { - if ( - (memcmp(cert_signed_data.data, issuer_signed_data.data, - cert_signed_data.size) == 0) && - (cert_signature.size == issuer_signature.size) && - (memcmp(cert_signature.data, issuer_signature.data, - cert_signature.size) == 0)) + result = + _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate", + &cert_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = 1; - goto cleanup; - } + result = + _gnutls_x509_get_signature(issuer->cert, "signature", + &issuer_signature); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - if (gnutls_x509_crt_get_ca_status(issuer, NULL) == 1) { - result = 1; - goto cleanup; - } else - gnutls_assert(); + result = + _gnutls_x509_get_signature(cert->cert, "signature", + &cert_signature); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + if (cert_signed_data.size == issuer_signed_data.size) { + if ((memcmp(cert_signed_data.data, issuer_signed_data.data, + cert_signed_data.size) == 0) && + (cert_signature.size == issuer_signature.size) && + (memcmp(cert_signature.data, issuer_signature.data, + cert_signature.size) == 0)) + + result = 1; + goto cleanup; + } + + if (gnutls_x509_crt_get_ca_status(issuer, NULL) == 1) { + result = 1; + goto cleanup; + } else + gnutls_assert(); - result = 0; + result = 0; -cleanup: - _gnutls_free_datum( &cert_signed_data); - _gnutls_free_datum( &issuer_signed_data); - _gnutls_free_datum( &cert_signature); - _gnutls_free_datum( &issuer_signature); - return result; + cleanup: + _gnutls_free_datum(&cert_signed_data); + _gnutls_free_datum(&issuer_signed_data); + _gnutls_free_datum(&cert_signature); + _gnutls_free_datum(&issuer_signature); + return result; } @@ -134,47 +144,49 @@ cleanup: static int is_issuer(gnutls_x509_crt cert, gnutls_x509_crt issuer_cert) { - gnutls_datum dn1 = {NULL, 0}, dn2 = { NULL, 0 }; - int ret; + gnutls_datum dn1 = { NULL, 0 }, dn2 = { + NULL, 0}; + int ret; - ret = _gnutls_x509_crt_get_raw_issuer_dn( cert, &dn1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } + ret = _gnutls_x509_crt_get_raw_issuer_dn(cert, &dn1); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } - ret = _gnutls_x509_crt_get_raw_dn( issuer_cert, &dn2); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } + ret = _gnutls_x509_crt_get_raw_dn(issuer_cert, &dn2); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } - ret = _gnutls_x509_compare_raw_dn( &dn1, &dn2); - -cleanup: - _gnutls_free_datum(&dn1); - _gnutls_free_datum(&dn2); - return ret; + ret = _gnutls_x509_compare_raw_dn(&dn1, &dn2); + + cleanup: + _gnutls_free_datum(&dn1); + _gnutls_free_datum(&dn2); + return ret; } static inline -gnutls_x509_crt find_issuer(gnutls_x509_crt cert, - gnutls_x509_crt * trusted_cas, int tcas_size) + gnutls_x509_crt find_issuer(gnutls_x509_crt cert, + gnutls_x509_crt * trusted_cas, + int tcas_size) { - int i; + int i; - /* this is serial search. - */ + /* this is serial search. + */ - for (i = 0; i < tcas_size; i++) { - if (is_issuer(cert, trusted_cas[i]) == 1) - return trusted_cas[i]; - } + for (i = 0; i < tcas_size; i++) { + if (is_issuer(cert, trusted_cas[i]) == 1) + return trusted_cas[i]; + } - gnutls_assert(); - return NULL; + gnutls_assert(); + return NULL; } @@ -189,78 +201,91 @@ gnutls_x509_crt find_issuer(gnutls_x509_crt cert, * procedure. */ static int _gnutls_verify_certificate2(gnutls_x509_crt cert, - gnutls_x509_crt *trusted_cas, int tcas_size, - unsigned int flags, unsigned int *output) + gnutls_x509_crt * trusted_cas, + int tcas_size, unsigned int flags, + unsigned int *output) { -gnutls_datum cert_signed_data = { NULL, 0 }; -gnutls_datum cert_signature = { NULL, 0 }; -gnutls_x509_crt issuer; -int ret, issuer_version, result; - - if (output) *output = 0; - - if (tcas_size >= 1) - issuer = find_issuer(cert, trusted_cas, tcas_size); - else { - gnutls_assert(); - if (output) *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - return 0; - } + gnutls_datum cert_signed_data = { NULL, 0 }; + gnutls_datum cert_signature = { NULL, 0 }; + gnutls_x509_crt issuer; + int ret, issuer_version, result; - /* issuer is not in trusted certificate - * authorities. - */ - if (issuer == NULL) { - if (output) *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - gnutls_assert(); - return 0; - } + if (output) + *output = 0; - issuer_version = gnutls_x509_crt_get_version( issuer); - if (issuer_version < 0) { - gnutls_assert(); - return issuer_version; - } + if (tcas_size >= 1) + issuer = find_issuer(cert, trusted_cas, tcas_size); + else { + gnutls_assert(); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; + return 0; + } + + /* issuer is not in trusted certificate + * authorities. + */ + if (issuer == NULL) { + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; + gnutls_assert(); + return 0; + } - if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && - !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1)) { - if (check_if_ca(cert, issuer)==0) { - gnutls_assert(); - if (output) *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; - return 0; - } + issuer_version = gnutls_x509_crt_get_version(issuer); + if (issuer_version < 0) { + gnutls_assert(); + return issuer_version; + } + + if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && + !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) + && issuer_version == 1)) { + if (check_if_ca(cert, issuer) == 0) { + gnutls_assert(); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; + return 0; } + } - result = _gnutls_x509_get_signed_data( cert->cert, "tbsCertificate", &cert_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + result = + _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate", + &cert_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = _gnutls_x509_get_signature( cert->cert, "signature", &cert_signature); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + result = + _gnutls_x509_get_signature(cert->cert, "signature", + &cert_signature); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - ret = _gnutls_x509_verify_signature(&cert_signed_data, &cert_signature, issuer); - if (ret < 0) { - gnutls_assert(); - } else if (ret == 0) { - gnutls_assert(); - /* error. ignore it */ - if (output) *output |= GNUTLS_CERT_INVALID; - ret = 0; - } + ret = + _gnutls_x509_verify_signature(&cert_signed_data, &cert_signature, + issuer); + if (ret < 0) { + gnutls_assert(); + } else if (ret == 0) { + gnutls_assert(); + /* error. ignore it */ + if (output) + *output |= GNUTLS_CERT_INVALID; + ret = 0; + } + + result = ret; - result = ret; - -cleanup: - _gnutls_free_datum( &cert_signed_data); - _gnutls_free_datum( &cert_signature); - - return result; + cleanup: + _gnutls_free_datum(&cert_signed_data); + _gnutls_free_datum(&cert_signature); + + return result; } @@ -278,72 +303,75 @@ cleanup: * lead to a trusted CA in order to be trusted. */ static -unsigned int _gnutls_x509_verify_certificate(gnutls_x509_crt * certificate_list, - int clist_size, - gnutls_x509_crt * trusted_cas, - int tcas_size, gnutls_x509_crl *CRLs, - int crls_size, unsigned int flags) +unsigned int _gnutls_x509_verify_certificate(gnutls_x509_crt * + certificate_list, + int clist_size, + gnutls_x509_crt * trusted_cas, + int tcas_size, + gnutls_x509_crl * CRLs, + int crls_size, + unsigned int flags) { - int i = 0, ret; - unsigned int status = 0, output; + int i = 0, ret; + unsigned int status = 0, output; - /* Check for revoked certificates in the chain - */ + /* Check for revoked certificates in the chain + */ #ifdef ENABLE_PKI - for (i = 0; i < clist_size; i++) { - ret = gnutls_x509_crt_check_revocation( certificate_list[i], - CRLs, crls_size); - if (ret == 1) { /* revoked */ - status |= GNUTLS_CERT_REVOKED; - } + for (i = 0; i < clist_size; i++) { + ret = gnutls_x509_crt_check_revocation(certificate_list[i], + CRLs, crls_size); + if (ret == 1) { /* revoked */ + status |= GNUTLS_CERT_REVOKED; } + } #endif - /* Verify the certificate path - */ - for (i = 0; i < clist_size; i++) { - if (i + 1 >= clist_size) - break; - - if ((ret = - _gnutls_verify_certificate2(certificate_list[i], - &certificate_list[i + 1], 1, flags, NULL)) != 1) - { - status |= GNUTLS_CERT_INVALID; - } - } + /* Verify the certificate path + */ + for (i = 0; i < clist_size; i++) { + if (i + 1 >= clist_size) + break; - if (status != 0) { - /* If there is any problem in the - * certificate chain then mark as not trusted - * and return immediately. - */ - gnutls_assert(); - return (0 | GNUTLS_CERT_INVALID); + if ((ret = + _gnutls_verify_certificate2(certificate_list[i], + &certificate_list[i + 1], 1, + flags, NULL)) != 1) { + status |= GNUTLS_CERT_INVALID; } - - /* Now verify the last certificate in the certificate path - * against the trusted CA certificate list. - * - * If no CAs are present returns NOT_TRUSTED. Thus works - * in self signed etc certificates. + } + + if (status != 0) { + /* If there is any problem in the + * certificate chain then mark as not trusted + * and return immediately. */ - ret = - _gnutls_verify_certificate2(certificate_list[i], trusted_cas, - tcas_size, flags, &output); - - if (ret == 0) { - /* if the last certificate in the certificate - * list is invalid, then the certificate is not - * trusted. - */ - gnutls_assert(); - status |= output; - - status |= GNUTLS_CERT_INVALID; - } + gnutls_assert(); + return (0 | GNUTLS_CERT_INVALID); + } + + /* Now verify the last certificate in the certificate path + * against the trusted CA certificate list. + * + * If no CAs are present returns NOT_TRUSTED. Thus works + * in self signed etc certificates. + */ + ret = + _gnutls_verify_certificate2(certificate_list[i], trusted_cas, + tcas_size, flags, &output); + + if (ret == 0) { + /* if the last certificate in the certificate + * list is invalid, then the certificate is not + * trusted. + */ + gnutls_assert(); + status |= output; - return status; + status |= GNUTLS_CERT_INVALID; + } + + return status; } @@ -351,58 +379,59 @@ unsigned int _gnutls_x509_verify_certificate(gnutls_x509_crt * certificate_list, * we use DER here, although we should use BER. It works fine * anyway. */ -static int decode_ber_digest_info( const gnutls_datum *info, gnutls_mac_algorithm *hash, - opaque* digest, int *digest_size) +static int decode_ber_digest_info(const gnutls_datum * info, + gnutls_mac_algorithm * hash, + opaque * digest, int *digest_size) { -ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; -int result; -char str[1024]; -int len; - - if ((result=asn1_create_element( _gnutls_get_gnutls_asn(), - "GNUTLS.DigestInfo", &dinfo))!=ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; + int result; + char str[1024]; + int len; + + if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.DigestInfo", + &dinfo)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding( &dinfo, info->data, info->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } - - len = sizeof(str)-1; - result = - asn1_read_value( dinfo, "digestAlgorithm.algorithm", str, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&dinfo, info->data, info->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } - *hash = _gnutls_x509_oid2mac_algorithm( str); + len = sizeof(str) - 1; + result = + asn1_read_value(dinfo, "digestAlgorithm.algorithm", str, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } - if (*hash==GNUTLS_MAC_UNKNOWN) { + *hash = _gnutls_x509_oid2mac_algorithm(str); - _gnutls_x509_log( "verify.c: HASH OID: %s\n", str); + if (*hash == GNUTLS_MAC_UNKNOWN) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return GNUTLS_E_UNKNOWN_HASH_ALGORITHM; - } - - result = - asn1_read_value( dinfo, "digest", digest, digest_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } + _gnutls_x509_log("verify.c: HASH OID: %s\n", str); + gnutls_assert(); asn1_delete_structure(&dinfo); - - return 0; + return GNUTLS_E_UNKNOWN_HASH_ALGORITHM; + } + + result = asn1_read_value(dinfo, "digest", digest, digest_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } + + asn1_delete_structure(&dinfo); + + return 0; } /* if hash==MD5 then we do RSA-MD5 @@ -411,116 +440,124 @@ int len; * params[1] is public key */ static int -_pkcs1_rsa_verify_sig( const gnutls_datum* text, const gnutls_datum* signature, - mpi_t *params, int params_len) +_pkcs1_rsa_verify_sig(const gnutls_datum * text, + const gnutls_datum * signature, mpi_t * params, + int params_len) { - gnutls_mac_algorithm hash; - int ret; - opaque digest[MAX_HASH_SIZE], md[MAX_HASH_SIZE]; - int digest_size; - GNUTLS_HASH_HANDLE hd; - gnutls_datum decrypted; - - ret=_gnutls_pkcs1_rsa_decrypt( &decrypted, signature, params, params_len, 1); - if (ret < 0) { - gnutls_assert(); - return ret; - } + gnutls_mac_algorithm hash; + int ret; + opaque digest[MAX_HASH_SIZE], md[MAX_HASH_SIZE]; + int digest_size; + GNUTLS_HASH_HANDLE hd; + gnutls_datum decrypted; + + ret = + _gnutls_pkcs1_rsa_decrypt(&decrypted, signature, params, + params_len, 1); + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* decrypted is a BER encoded data of type DigestInfo - */ + /* decrypted is a BER encoded data of type DigestInfo + */ - digest_size = sizeof(digest); - if ( (ret = decode_ber_digest_info( &decrypted, &hash, digest, &digest_size)) != 0) { - gnutls_assert(); - _gnutls_free_datum( &decrypted); - return ret; - } + digest_size = sizeof(digest); + if ((ret = + decode_ber_digest_info(&decrypted, &hash, digest, + &digest_size)) != 0) { + gnutls_assert(); + _gnutls_free_datum(&decrypted); + return ret; + } - _gnutls_free_datum( &decrypted); + _gnutls_free_datum(&decrypted); - if (digest_size != _gnutls_hash_get_algo_len(hash)) { - gnutls_assert(); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } + if (digest_size != _gnutls_hash_get_algo_len(hash)) { + gnutls_assert(); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } - hd = _gnutls_hash_init( hash); - if (hd == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } + hd = _gnutls_hash_init(hash); + if (hd == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - _gnutls_hash( hd, text->data, text->size); - _gnutls_hash_deinit( hd, md); + _gnutls_hash(hd, text->data, text->size); + _gnutls_hash_deinit(hd, md); - if (memcmp( md, digest, digest_size)!=0) { - gnutls_assert(); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; - } + if (memcmp(md, digest, digest_size) != 0) { + gnutls_assert(); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; + } - return 0; + return 0; } /* Hashes input data and verifies a DSA signature. */ static int -dsa_verify_sig( const gnutls_datum* text, const gnutls_datum* signature, - mpi_t *params, int params_len) +dsa_verify_sig(const gnutls_datum * text, const gnutls_datum * signature, + mpi_t * params, int params_len) { - int ret; - opaque _digest[MAX_HASH_SIZE]; - gnutls_datum digest; - GNUTLS_HASH_HANDLE hd; - - hd = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (hd == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - _gnutls_hash( hd, text->data, text->size); - _gnutls_hash_deinit( hd, _digest); + int ret; + opaque _digest[MAX_HASH_SIZE]; + gnutls_datum digest; + GNUTLS_HASH_HANDLE hd; - digest.data = _digest; - digest.size = 20; + hd = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (hd == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - ret = _gnutls_dsa_verify( &digest, signature, params, params_len); + _gnutls_hash(hd, text->data, text->size); + _gnutls_hash_deinit(hd, _digest); - return ret; + digest.data = _digest; + digest.size = 20; + + ret = _gnutls_dsa_verify(&digest, signature, params, params_len); + + return ret; } /* Verifies the signature data, and returns 0 if not verified, * or 1 otherwise. */ -static int verify_sig( const gnutls_datum* tbs, const gnutls_datum* signature, - gnutls_pk_algorithm pk, mpi_t* issuer_params, int issuer_params_size) +static int verify_sig(const gnutls_datum * tbs, + const gnutls_datum * signature, + gnutls_pk_algorithm pk, mpi_t * issuer_params, + int issuer_params_size) { - switch( pk ) - { - case GNUTLS_PK_RSA: + switch (pk) { + case GNUTLS_PK_RSA: - if (_pkcs1_rsa_verify_sig( tbs, signature, issuer_params, issuer_params_size)!=0) { - gnutls_assert(); - return 0; - } + if (_pkcs1_rsa_verify_sig + (tbs, signature, issuer_params, issuer_params_size) != 0) { + gnutls_assert(); + return 0; + } - return 1; - break; + return 1; + break; - case GNUTLS_PK_DSA: - if (dsa_verify_sig( tbs, signature, issuer_params, issuer_params_size)!=0) { - gnutls_assert(); - return 0; - } + case GNUTLS_PK_DSA: + if (dsa_verify_sig + (tbs, signature, issuer_params, issuer_params_size) != 0) { + gnutls_assert(); + return 0; + } - return 1; - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + return 1; + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; - } + } } /* verifies if the certificate is properly signed. @@ -529,34 +566,39 @@ static int verify_sig( const gnutls_datum* tbs, const gnutls_datum* signature, * 'tbs' is the signed data * 'signature' is the signature! */ -int _gnutls_x509_verify_signature( const gnutls_datum* tbs, - const gnutls_datum* signature, gnutls_x509_crt issuer) +int _gnutls_x509_verify_signature(const gnutls_datum * tbs, + const gnutls_datum * signature, + gnutls_x509_crt issuer) { -mpi_t issuer_params[MAX_PUBLIC_PARAMS_SIZE]; -int ret, issuer_params_size, i; - - /* Read the MPI parameters from the issuer's certificate. - */ - issuer_params_size = MAX_PUBLIC_PARAMS_SIZE; - ret = _gnutls_x509_crt_get_mpis(issuer, issuer_params, &issuer_params_size); - if ( ret < 0) { - gnutls_assert(); - return ret; - } + mpi_t issuer_params[MAX_PUBLIC_PARAMS_SIZE]; + int ret, issuer_params_size, i; + + /* Read the MPI parameters from the issuer's certificate. + */ + issuer_params_size = MAX_PUBLIC_PARAMS_SIZE; + ret = + _gnutls_x509_crt_get_mpis(issuer, issuer_params, + &issuer_params_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = verify_sig( tbs, signature, gnutls_x509_crt_get_pk_algorithm(issuer, NULL), - issuer_params, issuer_params_size); - if ( ret < 0) { - gnutls_assert(); - } + ret = + verify_sig(tbs, signature, + gnutls_x509_crt_get_pk_algorithm(issuer, NULL), + issuer_params, issuer_params_size); + if (ret < 0) { + gnutls_assert(); + } - /* release all allocated MPIs - */ - for (i = 0; i < issuer_params_size; i++) { - _gnutls_mpi_release( &issuer_params[i]); - } + /* release all allocated MPIs + */ + for (i = 0; i < issuer_params_size; i++) { + _gnutls_mpi_release(&issuer_params[i]); + } - return ret; + return ret; } /* verifies if the certificate is properly signed. @@ -565,18 +607,19 @@ int ret, issuer_params_size, i; * 'tbs' is the signed data * 'signature' is the signature! */ -int _gnutls_x509_privkey_verify_signature( const gnutls_datum* tbs, - const gnutls_datum* signature, gnutls_x509_privkey issuer) +int _gnutls_x509_privkey_verify_signature(const gnutls_datum * tbs, + const gnutls_datum * signature, + gnutls_x509_privkey issuer) { - int ret; - - ret = verify_sig( tbs, signature, issuer->pk_algorithm, - issuer->params, issuer->params_size); - if ( ret < 0) { - gnutls_assert(); - } + int ret; - return ret; + ret = verify_sig(tbs, signature, issuer->pk_algorithm, + issuer->params, issuer->params_size); + if (ret < 0) { + gnutls_assert(); + } + + return ret; } /** @@ -613,21 +656,25 @@ int _gnutls_x509_privkey_verify_signature( const gnutls_datum* tbs, * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_list_verify( gnutls_x509_crt* cert_list, int cert_list_length, - gnutls_x509_crt * CA_list, int CA_list_length, - gnutls_x509_crl* CRL_list, int CRL_list_length, - unsigned int flags, unsigned int *verify) +int gnutls_x509_crt_list_verify(gnutls_x509_crt * cert_list, + int cert_list_length, + gnutls_x509_crt * CA_list, + int CA_list_length, + gnutls_x509_crl * CRL_list, + int CRL_list_length, unsigned int flags, + unsigned int *verify) { - if (cert_list == NULL || cert_list_length == 0) - return GNUTLS_E_NO_CERTIFICATE_FOUND; + if (cert_list == NULL || cert_list_length == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; - /* Verify certificate - */ - *verify = - _gnutls_x509_verify_certificate( cert_list, cert_list_length, - CA_list, CA_list_length, CRL_list, CRL_list_length, flags); + /* Verify certificate + */ + *verify = + _gnutls_x509_verify_certificate(cert_list, cert_list_length, + CA_list, CA_list_length, CRL_list, + CRL_list_length, flags); - return 0; + return 0; } /** @@ -644,20 +691,22 @@ int gnutls_x509_crt_list_verify( gnutls_x509_crt* cert_list, int cert_list_lengt * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_verify( gnutls_x509_crt cert, - gnutls_x509_crt *CA_list, int CA_list_length, - unsigned int flags, unsigned int *verify) +int gnutls_x509_crt_verify(gnutls_x509_crt cert, + gnutls_x509_crt * CA_list, int CA_list_length, + unsigned int flags, unsigned int *verify) { -int ret; - /* Verify certificate - */ - ret = _gnutls_verify_certificate2( cert, CA_list, CA_list_length, flags, verify); - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret; + /* Verify certificate + */ + ret = + _gnutls_verify_certificate2(cert, CA_list, CA_list_length, flags, + verify); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -672,10 +721,10 @@ int ret; * A negative value is returned in case of an error. * **/ -int gnutls_x509_crt_check_issuer( gnutls_x509_crt cert, - gnutls_x509_crt issuer) +int gnutls_x509_crt_check_issuer(gnutls_x509_crt cert, + gnutls_x509_crt issuer) { - return is_issuer(cert, issuer); + return is_issuer(cert, issuer); } @@ -693,10 +742,10 @@ int gnutls_x509_crt_check_issuer( gnutls_x509_crt cert, * A negative value is returned in case of an error. * **/ -int gnutls_x509_crl_check_issuer( gnutls_x509_crl cert, - gnutls_x509_crt issuer) +int gnutls_x509_crl_check_issuer(gnutls_x509_crl cert, + gnutls_x509_crt issuer) { - return is_crl_issuer(cert, issuer); + return is_crl_issuer(cert, issuer); } /** @@ -714,20 +763,20 @@ int gnutls_x509_crl_check_issuer( gnutls_x509_crl cert, * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crl_verify( gnutls_x509_crl crl, - gnutls_x509_crt *CA_list, int CA_list_length, - unsigned int flags, unsigned int *verify) +int gnutls_x509_crl_verify(gnutls_x509_crl crl, + gnutls_x509_crt * CA_list, int CA_list_length, + unsigned int flags, unsigned int *verify) { -int ret; - /* Verify crl - */ - ret = _gnutls_verify_crl2( crl, CA_list, CA_list_length, flags, verify); - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret; + /* Verify crl + */ + ret = _gnutls_verify_crl2(crl, CA_list, CA_list_length, flags, verify); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } @@ -736,46 +785,48 @@ int ret; static int is_crl_issuer(gnutls_x509_crl crl, gnutls_x509_crt issuer_cert) { - gnutls_datum dn1 = {NULL, 0}, dn2 = {NULL, 0}; - int ret; + gnutls_datum dn1 = { NULL, 0 }, dn2 = { + NULL, 0}; + int ret; - ret = _gnutls_x509_crl_get_raw_issuer_dn( crl, &dn1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - - ret = _gnutls_x509_crt_get_raw_dn( issuer_cert, &dn2); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_x509_crl_get_raw_issuer_dn(crl, &dn1); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } - ret = _gnutls_x509_compare_raw_dn( &dn1, &dn2); - -cleanup: - _gnutls_free_datum( &dn1); - _gnutls_free_datum( &dn2); - + ret = _gnutls_x509_crt_get_raw_dn(issuer_cert, &dn2); + if (ret < 0) { + gnutls_assert(); return ret; + } + + ret = _gnutls_x509_compare_raw_dn(&dn1, &dn2); + + cleanup: + _gnutls_free_datum(&dn1); + _gnutls_free_datum(&dn2); + + return ret; } static inline -gnutls_x509_crt find_crl_issuer(gnutls_x509_crl crl, - gnutls_x509_crt * trusted_cas, int tcas_size) + gnutls_x509_crt find_crl_issuer(gnutls_x509_crl crl, + gnutls_x509_crt * trusted_cas, + int tcas_size) { - int i; + int i; - /* this is serial search. - */ + /* this is serial search. + */ - for (i = 0; i < tcas_size; i++) { - if (is_crl_issuer(crl, trusted_cas[i]) == 1) - return trusted_cas[i]; - } + for (i = 0; i < tcas_size; i++) { + if (is_crl_issuer(crl, trusted_cas[i]) == 1) + return trusted_cas[i]; + } - gnutls_assert(); - return NULL; + gnutls_assert(); + return NULL; } /* @@ -788,72 +839,82 @@ gnutls_x509_crt find_crl_issuer(gnutls_x509_crl crl, * procedure. */ static int _gnutls_verify_crl2(gnutls_x509_crl crl, - gnutls_x509_crt *trusted_cas, int tcas_size, - unsigned int flags, unsigned int* output) + gnutls_x509_crt * trusted_cas, + int tcas_size, unsigned int flags, + unsigned int *output) { /* CRL is ignored for now */ -gnutls_datum crl_signed_data = { NULL, 0 }; -gnutls_datum crl_signature = { NULL, 0 }; -gnutls_x509_crt issuer; -int ret, result; - - if (output) *output = 0; - - if (tcas_size >= 1) - issuer = find_crl_issuer(crl, trusted_cas, tcas_size); - else { - gnutls_assert(); - if (output) *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - return 0; - } + gnutls_datum crl_signed_data = { NULL, 0 }; + gnutls_datum crl_signature = { NULL, 0 }; + gnutls_x509_crt issuer; + int ret, result; - /* issuer is not in trusted certificate - * authorities. - */ - if (issuer == NULL) { - gnutls_assert(); - if (output) *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - return 0; - } + if (output) + *output = 0; - if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN)) { - if (gnutls_x509_crt_get_ca_status(issuer, NULL) != 1) - { - gnutls_assert(); - if (output) *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; - return 0; - } - } + if (tcas_size >= 1) + issuer = find_crl_issuer(crl, trusted_cas, tcas_size); + else { + gnutls_assert(); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; + return 0; + } - result = _gnutls_x509_get_signed_data( crl->crl, "tbsCertList", &crl_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + /* issuer is not in trusted certificate + * authorities. + */ + if (issuer == NULL) { + gnutls_assert(); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; + return 0; + } - result = _gnutls_x509_get_signature( crl->crl, "signature", &crl_signature); - if (result < 0) { - gnutls_assert(); - goto cleanup; + if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN)) { + if (gnutls_x509_crt_get_ca_status(issuer, NULL) != 1) { + gnutls_assert(); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; + return 0; } + } - ret = _gnutls_x509_verify_signature(&crl_signed_data, &crl_signature, issuer); - if (ret < 0) { - gnutls_assert(); - } else if (ret == 0) { - gnutls_assert(); - /* error. ignore it */ - if (output) *output |= GNUTLS_CERT_INVALID; - ret = 0; - } + result = + _gnutls_x509_get_signed_data(crl->crl, "tbsCertList", + &crl_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + _gnutls_x509_get_signature(crl->crl, "signature", &crl_signature); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = + _gnutls_x509_verify_signature(&crl_signed_data, &crl_signature, + issuer); + if (ret < 0) { + gnutls_assert(); + } else if (ret == 0) { + gnutls_assert(); + /* error. ignore it */ + if (output) + *output |= GNUTLS_CERT_INVALID; + ret = 0; + } + + result = ret; + + cleanup: + _gnutls_free_datum(&crl_signed_data); + _gnutls_free_datum(&crl_signature); - result = ret; - -cleanup: - _gnutls_free_datum( &crl_signed_data); - _gnutls_free_datum( &crl_signature); - - return result; + return result; } #endif diff --git a/lib/x509/x509.c b/lib/x509/x509.c index 1692d3b2c5..afdadaf398 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -50,20 +50,20 @@ **/ int gnutls_x509_crt_init(gnutls_x509_crt * cert) { - *cert = gnutls_calloc( 1, sizeof(gnutls_x509_crt_int)); - - if (*cert) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Certificate", - &(*cert)->cert); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free( *cert); - return _gnutls_asn2err(result); - } - return 0; /* success */ + *cert = gnutls_calloc(1, sizeof(gnutls_x509_crt_int)); + + if (*cert) { + int result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Certificate", + &(*cert)->cert); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*cert); + return _gnutls_asn2err(result); } - return GNUTLS_E_MEMORY_ERROR; + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /*- @@ -78,42 +78,43 @@ int gnutls_x509_crt_init(gnutls_x509_crt * cert) -*/ int _gnutls_x509_crt_cpy(gnutls_x509_crt dest, gnutls_x509_crt src) { -int ret; -size_t der_size; -opaque * der; -gnutls_datum tmp; - - ret = gnutls_x509_crt_export( src, GNUTLS_X509_FMT_DER, NULL, &der_size); - if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - return ret; - } + int ret; + size_t der_size; + opaque *der; + gnutls_datum tmp; + + ret = + gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, NULL, &der_size); + if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + return ret; + } - der = gnutls_alloca( der_size); - if (der == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + der = gnutls_alloca(der_size); + if (der == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - ret = gnutls_x509_crt_export( src, GNUTLS_X509_FMT_DER, der, &der_size); - if (ret < 0) { - gnutls_assert(); - gnutls_afree( der); - return ret; - } + ret = gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, der, &der_size); + if (ret < 0) { + gnutls_assert(); + gnutls_afree(der); + return ret; + } - tmp.data = der; - tmp.size = der_size; - ret = gnutls_x509_crt_import( dest, &tmp, GNUTLS_X509_FMT_DER); + tmp.data = der; + tmp.size = der_size; + ret = gnutls_x509_crt_import(dest, &tmp, GNUTLS_X509_FMT_DER); - gnutls_afree( der); + gnutls_afree(der); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } @@ -126,12 +127,13 @@ gnutls_datum tmp; **/ void gnutls_x509_crt_deinit(gnutls_x509_crt cert) { - if (!cert) return; + if (!cert) + return; - if (cert->cert) - asn1_delete_structure(&cert->cert); + if (cert->cert) + asn1_delete_structure(&cert->cert); - gnutls_free(cert); + gnutls_free(cert); } /** @@ -150,65 +152,70 @@ void gnutls_x509_crt_deinit(gnutls_x509_crt cert) * **/ int gnutls_x509_crt_import(gnutls_x509_crt cert, const gnutls_datum * data, - gnutls_x509_crt_fmt format) + gnutls_x509_crt_fmt format) { - int result = 0, need_free = 0; - gnutls_datum _data; - opaque *signature = NULL; + int result = 0, need_free = 0; + gnutls_datum _data; + opaque *signature = NULL; - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - _data.data = data->data; - _data.size = data->size; + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - /* Try the first header */ - result = _gnutls_fbase64_decode(PEM_X509_CERT2, data->data, data->size, - &out); - - if (result <= 0) { - /* try for the second header */ - result = _gnutls_fbase64_decode(PEM_X509_CERT, data->data, data->size, - &out); - - if (result <= 0) { - if (result==0) result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - } - - _data.data = out; - _data.size = result; - - need_free = 1; - } + _data.data = data->data; + _data.size = data->size; - result = asn1_der_decoding(&cert->cert, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; + + /* Try the first header */ + result = + _gnutls_fbase64_decode(PEM_X509_CERT2, data->data, data->size, + &out); + + if (result <= 0) { + /* try for the second header */ + result = + _gnutls_fbase64_decode(PEM_X509_CERT, data->data, + data->size, &out); + + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; gnutls_assert(); - goto cleanup; + return result; + } } - /* Since we do not want to disable any extension - */ - cert->use_extensions = 1; - if (need_free) _gnutls_free_datum( &_data); + _data.data = out; + _data.size = result; - return 0; + need_free = 1; + } - cleanup: - gnutls_free( signature); - if (need_free) _gnutls_free_datum( &_data); - return result; + result = asn1_der_decoding(&cert->cert, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + /* Since we do not want to disable any extension + */ + cert->use_extensions = 1; + if (need_free) + _gnutls_free_datum(&_data); + + return 0; + + cleanup: + gnutls_free(signature); + if (need_free) + _gnutls_free_datum(&_data); + return result; } @@ -230,15 +237,16 @@ int gnutls_x509_crt_import(gnutls_x509_crt cert, const gnutls_datum * data, * **/ int gnutls_x509_crt_get_issuer_dn(gnutls_x509_crt cert, char *buf, - size_t *sizeof_buf) + size_t * sizeof_buf) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_parse_dn( cert->cert, "tbsCertificate.issuer.rdnSequence", - buf, sizeof_buf); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_parse_dn(cert->cert, + "tbsCertificate.issuer.rdnSequence", buf, + sizeof_buf); } /** @@ -266,16 +274,19 @@ int gnutls_x509_crt_get_issuer_dn(gnutls_x509_crt cert, char *buf, * On success 0 is returned. * **/ -int gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt cert, const char* oid, - int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf) +int gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt cert, + const char *oid, int indx, + unsigned int raw_flag, void *buf, + size_t * sizeof_buf) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_parse_dn_oid( cert->cert, "tbsCertificate.issuer.rdnSequence", oid, - indx, raw_flag, buf, sizeof_buf); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_parse_dn_oid(cert->cert, + "tbsCertificate.issuer.rdnSequence", + oid, indx, raw_flag, buf, sizeof_buf); } /** @@ -295,16 +306,18 @@ int gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt cert, const char* oid, * On success 0 is returned. * **/ -int gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt cert, - int indx, void *oid, size_t *sizeof_oid) +int gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt cert, + int indx, void *oid, + size_t * sizeof_oid) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_get_dn_oid( cert->cert, "tbsCertificate.issuer.rdnSequence", - indx, oid, sizeof_oid); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_get_dn_oid(cert->cert, + "tbsCertificate.issuer.rdnSequence", + indx, oid, sizeof_oid); } /** @@ -325,15 +338,16 @@ int gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt cert, * **/ int gnutls_x509_crt_get_dn(gnutls_x509_crt cert, char *buf, - size_t *sizeof_buf) + size_t * sizeof_buf) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_parse_dn( cert->cert, "tbsCertificate.subject.rdnSequence", - buf, sizeof_buf); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_parse_dn(cert->cert, + "tbsCertificate.subject.rdnSequence", buf, + sizeof_buf); } /** @@ -361,16 +375,18 @@ int gnutls_x509_crt_get_dn(gnutls_x509_crt cert, char *buf, * On success 0 is returned. * **/ -int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt cert, const char* oid, - int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf) +int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt cert, const char *oid, + int indx, unsigned int raw_flag, + void *buf, size_t * sizeof_buf) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_parse_dn_oid( cert->cert, "tbsCertificate.subject.rdnSequence", oid, - indx, raw_flag, buf, sizeof_buf); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_parse_dn_oid(cert->cert, + "tbsCertificate.subject.rdnSequence", + oid, indx, raw_flag, buf, sizeof_buf); } /** @@ -390,16 +406,17 @@ int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt cert, const char* oid, * On success 0 is returned. * **/ -int gnutls_x509_crt_get_dn_oid(gnutls_x509_crt cert, - int indx, void *oid, size_t *sizeof_oid) +int gnutls_x509_crt_get_dn_oid(gnutls_x509_crt cert, + int indx, void *oid, size_t * sizeof_oid) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_get_dn_oid( cert->cert, "tbsCertificate.subject.rdnSequence", - indx, oid, sizeof_oid); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_get_dn_oid(cert->cert, + "tbsCertificate.subject.rdnSequence", + indx, oid, sizeof_oid); } /** @@ -414,29 +431,31 @@ int gnutls_x509_crt_get_dn_oid(gnutls_x509_crt cert, **/ int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt cert) { - int result; - gnutls_datum sa; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Read the signature algorithm. Note that parameters are not - * read. They will be read from the issuer's certificate if needed. - */ - result = _gnutls_x509_read_value( cert->cert, "signatureAlgorithm.algorithm", &sa, 0); + int result; + gnutls_datum sa; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Read the signature algorithm. Note that parameters are not + * read. They will be read from the issuer's certificate if needed. + */ + result = + _gnutls_x509_read_value(cert->cert, "signatureAlgorithm.algorithm", + &sa, 0); + + if (result < 0) { + gnutls_assert(); + return result; + } - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_oid2sign_algorithm( sa.data); + result = _gnutls_x509_oid2sign_algorithm(sa.data); - _gnutls_free_datum( &sa); + _gnutls_free_datum(&sa); - return result; + return result; } /** @@ -450,24 +469,26 @@ int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt cert) **/ int gnutls_x509_crt_get_version(gnutls_x509_crt cert) { - opaque version[5]; - int len, result; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - len = sizeof(version); - if ((result = asn1_read_value(cert->cert, "tbsCertificate.version", version, &len)) != - ASN1_SUCCESS) { - - if (result == ASN1_ELEMENT_NOT_FOUND) return 1; /* the DEFAULT version */ - gnutls_assert(); - return _gnutls_asn2err(result); - } - - return (int) version[0] + 1; + opaque version[5]; + int len, result; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + len = sizeof(version); + if ((result = + asn1_read_value(cert->cert, "tbsCertificate.version", version, + &len)) != ASN1_SUCCESS) { + + if (result == ASN1_ELEMENT_NOT_FOUND) + return 1; /* the DEFAULT version */ + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return (int) version[0] + 1; } /** @@ -481,12 +502,13 @@ int gnutls_x509_crt_get_version(gnutls_x509_crt cert) **/ time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt cert) { - if (cert==NULL) { - gnutls_assert(); - return (time_t)-1; - } + if (cert == NULL) { + gnutls_assert(); + return (time_t) - 1; + } - return _gnutls_x509_get_time( cert->cert, "tbsCertificate.validity.notBefore"); + return _gnutls_x509_get_time(cert->cert, + "tbsCertificate.validity.notBefore"); } /** @@ -500,12 +522,13 @@ time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt cert) **/ time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt cert) { - if (cert==NULL) { - gnutls_assert(); - return (time_t)-1; - } + if (cert == NULL) { + gnutls_assert(); + return (time_t) - 1; + } - return _gnutls_x509_get_time( cert->cert, "tbsCertificate.validity.notAfter"); + return _gnutls_x509_get_time(cert->cert, + "tbsCertificate.validity.notAfter"); } /** @@ -523,22 +546,24 @@ time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt cert) * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_get_serial(gnutls_x509_crt cert, void* result, - size_t* result_size) +int gnutls_x509_crt_get_serial(gnutls_x509_crt cert, void *result, + size_t * result_size) { - int ret; + int ret; - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if ((ret = asn1_read_value(cert->cert, "tbsCertificate.serialNumber", result, result_size)) < 0) { - gnutls_assert(); - return _gnutls_asn2err(ret); - } + if ((ret = + asn1_read_value(cert->cert, "tbsCertificate.serialNumber", result, + result_size)) < 0) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } - return 0; + return 0; } /** @@ -555,66 +580,69 @@ int gnutls_x509_crt_get_serial(gnutls_x509_crt cert, void* result, * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt cert, void* ret, - size_t* ret_size, unsigned int* critical) +int gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt cert, void *ret, + size_t * ret_size, + unsigned int *critical) { - int result, len; - gnutls_datum id; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - - if (ret) memset(ret, 0, *ret_size); - else *ret_size = 0; - - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.14", 0, &id, critical)) < 0) { - return result; - } + int result, len; + gnutls_datum id; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - if (id.size == 0 || id.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.SubjectKeyIdentifier", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum( &id); - return _gnutls_asn2err(result); - } - result = asn1_der_decoding(&c2, id.data, id.size, NULL); - _gnutls_free_datum( &id); + if (ret) + memset(ret, 0, *ret_size); + else + *ret_size = 0; - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.14", 0, &id, + critical)) < 0) { + return result; + } + + if (id.size == 0 || id.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.SubjectKeyIdentifier", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&id); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, id.data, id.size, NULL); + _gnutls_free_datum(&id); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - len = *ret_size; - result = - asn1_read_value(c2, "", ret, &len); + len = *ret_size; + result = asn1_read_value(c2, "", ret, &len); - *ret_size = len; - asn1_delete_structure(&c2); + *ret_size = len; + asn1_delete_structure(&c2); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /** @@ -632,66 +660,69 @@ int gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt cert, void* ret, * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_get_authority_key_id(gnutls_x509_crt cert, void* ret, - size_t* ret_size, unsigned int* critical) +int gnutls_x509_crt_get_authority_key_id(gnutls_x509_crt cert, void *ret, + size_t * ret_size, + unsigned int *critical) { - int result, len; - gnutls_datum id; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int result, len; + gnutls_datum id; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (ret) memset(ret, 0, *ret_size); - else *ret_size = 0; - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.35", 0, &id, critical)) < 0) { - return result; - } + if (ret) + memset(ret, 0, *ret_size); + else + *ret_size = 0; - if (id.size == 0 || id.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.AuthorityKeyIdentifier", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum( &id); - return _gnutls_asn2err(result); - } + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.35", 0, &id, + critical)) < 0) { + return result; + } + + if (id.size == 0 || id.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.AuthorityKeyIdentifier", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&id); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, id.data, id.size, NULL); + _gnutls_free_datum(&id); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding(&c2, id.data, id.size, NULL); - _gnutls_free_datum( &id); + len = *ret_size; + result = asn1_read_value(c2, "keyIdentifier", ret, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + *ret_size = len; + asn1_delete_structure(&c2); - len = *ret_size; - result = - asn1_read_value(c2, "keyIdentifier", ret, &len); - - *ret_size = len; - asn1_delete_structure(&c2); + if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - return 0; + return 0; } /** @@ -711,85 +742,87 @@ int gnutls_x509_crt_get_authority_key_id(gnutls_x509_crt cert, void* ret, * or a negative value on error. * **/ -int gnutls_x509_crt_get_pk_algorithm( gnutls_x509_crt cert, unsigned int* bits) +int gnutls_x509_crt_get_pk_algorithm(gnutls_x509_crt cert, + unsigned int *bits) { - int result; + int result; - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_get_pk_algorithm( cert->cert, "tbsCertificate.subjectPublicKeyInfo", - bits); - - if (result < 0) { - gnutls_assert(); - return result; - } + result = + _gnutls_x509_get_pk_algorithm(cert->cert, + "tbsCertificate.subjectPublicKeyInfo", + bits); + if (result < 0) { + gnutls_assert(); return result; + } + + return result; } /* returns the type and the name. */ -static int parse_general_name( ASN1_TYPE src, const char* src_name, - int seq, void* name, size_t *name_size) +static int parse_general_name(ASN1_TYPE src, const char *src_name, + int seq, void *name, size_t * name_size) { -int len; -char num[MAX_INT_DIGITS]; -char nptr[128]; -int result; -opaque choice_type[128]; -gnutls_x509_subject_alt_name type; + int len; + char num[MAX_INT_DIGITS]; + char nptr[128]; + int result; + opaque choice_type[128]; + gnutls_x509_subject_alt_name type; - seq++; /* 0->1, 1->2 etc */ - _gnutls_int2str( seq, num); + seq++; /* 0->1, 1->2 etc */ + _gnutls_int2str(seq, num); - _gnutls_str_cpy( nptr, sizeof(nptr), src_name); - if (src_name[0] != 0) _gnutls_str_cat( nptr, sizeof(nptr), "."); + _gnutls_str_cpy(nptr, sizeof(nptr), src_name); + if (src_name[0] != 0) + _gnutls_str_cat(nptr, sizeof(nptr), "."); - _gnutls_str_cat( nptr, sizeof(nptr), "?"); - _gnutls_str_cat( nptr, sizeof(nptr), num); + _gnutls_str_cat(nptr, sizeof(nptr), "?"); + _gnutls_str_cat(nptr, sizeof(nptr), num); - len = sizeof(choice_type); - result = - asn1_read_value(src, nptr, choice_type, &len); + len = sizeof(choice_type); + result = asn1_read_value(src, nptr, choice_type, &len); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - type = _gnutls_x509_san_find_type( choice_type); - if (type == (gnutls_x509_subject_alt_name)-1) { - gnutls_assert(); - return GNUTLS_E_X509_UNKNOWN_SAN; - } + type = _gnutls_x509_san_find_type(choice_type); + if (type == (gnutls_x509_subject_alt_name) - 1) { + gnutls_assert(); + return GNUTLS_E_X509_UNKNOWN_SAN; + } - _gnutls_str_cat( nptr, sizeof(nptr), "."); - _gnutls_str_cat( nptr, sizeof(nptr), choice_type); + _gnutls_str_cat(nptr, sizeof(nptr), "."); + _gnutls_str_cat(nptr, sizeof(nptr), choice_type); - len = *name_size; - result = - asn1_read_value(src, nptr, name, &len); - *name_size = len; + len = *name_size; + result = asn1_read_value(src, nptr, name, &len); + *name_size = len; - if (result==ASN1_MEM_ERROR) - return GNUTLS_E_SHORT_MEMORY_BUFFER; - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result == ASN1_MEM_ERROR) + return GNUTLS_E_SHORT_MEMORY_BUFFER; + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return type; + return type; } /** @@ -815,60 +848,65 @@ gnutls_x509_subject_alt_name type; * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; * **/ -int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt cert, - unsigned int seq, void *ret, size_t *ret_size, unsigned int *critical) +int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt cert, + unsigned int seq, void *ret, + size_t * ret_size, + unsigned int *critical) { - int result; - gnutls_datum dnsname; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - gnutls_x509_subject_alt_name type; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (ret) memset(ret, 0, *ret_size); - else *ret_size = 0; - - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.17", 0, &dnsname, critical)) < 0) { - return result; - } - - if (dnsname.size == 0 || dnsname.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.SubjectAltName", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum( &dnsname); - return _gnutls_asn2err(result); - } - - result = asn1_der_decoding(&c2, dnsname.data, dnsname.size, NULL); - _gnutls_free_datum( &dnsname); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + int result; + gnutls_datum dnsname; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + gnutls_x509_subject_alt_name type; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (ret) + memset(ret, 0, *ret_size); + else + *ret_size = 0; + + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.17", 0, &dnsname, + critical)) < 0) { + return result; + } + + if (dnsname.size == 0 || dnsname.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.SubjectAltName", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&dnsname); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, dnsname.data, dnsname.size, NULL); + _gnutls_free_datum(&dnsname); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - result = parse_general_name( c2, "", seq, ret, ret_size); + result = parse_general_name(c2, "", seq, ret, ret_size); - asn1_delete_structure(&c2); + asn1_delete_structure(&c2); - if (result < 0) { - return result; - } + if (result < 0) { + return result; + } - type = result; + type = result; - return type; + return type; } /** @@ -886,38 +924,43 @@ int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt cert, * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. * **/ -int gnutls_x509_crt_get_ca_status(gnutls_x509_crt cert, unsigned int* critical) +int gnutls_x509_crt_get_ca_status(gnutls_x509_crt cert, + unsigned int *critical) { - int result; - gnutls_datum basicConstraints; - int ca; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int result; + gnutls_datum basicConstraints; + int ca; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.19", 0, + &basicConstraints, + critical)) < 0) { + gnutls_assert(); + return result; + } - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.19", 0, &basicConstraints, critical)) < 0) { - gnutls_assert(); - return result; - } + if (basicConstraints.size == 0 || basicConstraints.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if (basicConstraints.size == 0 || basicConstraints.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - result = _gnutls_x509_ext_extract_basicConstraints( &ca, basicConstraints.data, - basicConstraints.size); - _gnutls_free_datum( &basicConstraints); + result = + _gnutls_x509_ext_extract_basicConstraints(&ca, + basicConstraints.data, + basicConstraints.size); + _gnutls_free_datum(&basicConstraints); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return ca; + return ca; } /** @@ -939,40 +982,42 @@ int gnutls_x509_crt_get_ca_status(gnutls_x509_crt cert, unsigned int* critical) * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. * **/ -int gnutls_x509_crt_get_key_usage(gnutls_x509_crt cert, unsigned int *key_usage, - unsigned int *critical) +int gnutls_x509_crt_get_key_usage(gnutls_x509_crt cert, + unsigned int *key_usage, + unsigned int *critical) { - int result; - gnutls_datum keyUsage; - uint16 _usage; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int result; + gnutls_datum keyUsage; + uint16 _usage; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.15", 0, &keyUsage, + critical)) < 0) { + return result; + } - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.15", 0, &keyUsage, critical)) < 0) { - return result; - } + if (keyUsage.size == 0 || keyUsage.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if (keyUsage.size == 0 || keyUsage.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + result = _gnutls_x509_ext_extract_keyUsage(&_usage, keyUsage.data, + keyUsage.size); + _gnutls_free_datum(&keyUsage); - result = _gnutls_x509_ext_extract_keyUsage( &_usage, keyUsage.data, - keyUsage.size); - _gnutls_free_datum( &keyUsage); - - *key_usage = _usage; + *key_usage = _usage; - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /** @@ -993,43 +1038,46 @@ int gnutls_x509_crt_get_key_usage(gnutls_x509_crt cert, unsigned int *key_usage, * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. * **/ -int gnutls_x509_crt_get_extension_by_oid(gnutls_x509_crt cert, const char* oid, - int indx, void* buf, size_t * sizeof_buf, unsigned int * critical) +int gnutls_x509_crt_get_extension_by_oid(gnutls_x509_crt cert, + const char *oid, int indx, + void *buf, size_t * sizeof_buf, + unsigned int *critical) { - int result; - gnutls_datum output; + int result; + gnutls_datum output; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if ((result = + _gnutls_x509_crt_get_extension(cert, oid, indx, &output, + critical)) < 0) { + gnutls_assert(); + return result; + } - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (output.size == 0 || output.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if ((result = - _gnutls_x509_crt_get_extension(cert, oid, indx, &output, critical)) < 0) { - gnutls_assert(); - return result; - } + if (output.size > (unsigned int) *sizeof_buf) { + *sizeof_buf = output.size; + _gnutls_free_datum(&output); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - if (output.size == 0 || output.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + *sizeof_buf = output.size; - if (output.size > (unsigned int)*sizeof_buf) { - *sizeof_buf = output.size; - _gnutls_free_datum( &output); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } + if (buf) + memcpy(buf, output.data, output.size); - *sizeof_buf = output.size; - - if (buf) - memcpy( buf, output.data, output.size); + _gnutls_free_datum(&output); + + return 0; - _gnutls_free_datum( &output); - - return 0; - } /** @@ -1047,79 +1095,82 @@ int gnutls_x509_crt_get_extension_by_oid(gnutls_x509_crt cert, const char* oid, * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. * **/ -int gnutls_x509_crt_get_extension_oid(gnutls_x509_crt cert, int indx, - void* oid, size_t * sizeof_oid) +int gnutls_x509_crt_get_extension_oid(gnutls_x509_crt cert, int indx, + void *oid, size_t * sizeof_oid) { - int result; + int result; - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = - _gnutls_x509_crt_get_extension_oid(cert, indx, oid, sizeof_oid); - if (result < 0) { - return result; - } + result = + _gnutls_x509_crt_get_extension_oid(cert, indx, oid, sizeof_oid); + if (result < 0) { + return result; + } + + return 0; - return 0; - } static -int _gnutls_x509_crt_get_raw_dn2( gnutls_x509_crt cert, - const char* whom, gnutls_datum* start) +int _gnutls_x509_crt_get_raw_dn2(gnutls_x509_crt cert, + const char *whom, gnutls_datum * start) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len1; - int start1, end1; - gnutls_datum signed_data; - - /* get the issuer of 'cert' - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), "PKIX1.TBSCertificate", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_get_signed_data( cert->cert, "tbsCertificate", &signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len1; + int start1, end1; + gnutls_datum signed_data; + + /* get the issuer of 'cert' + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.TBSCertificate", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate", + &signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + asn1_der_decoding(&c2, signed_data.data, signed_data.size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + result = _gnutls_asn2err(result); + goto cleanup; + } - result = asn1_der_decoding(&c2, signed_data.data, signed_data.size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - result = _gnutls_asn2err(result); - goto cleanup; - } + result = + asn1_der_decoding_startEnd(c2, signed_data.data, signed_data.size, + whom, &start1, &end1); - result = - asn1_der_decoding_startEnd(c2, signed_data.data, signed_data.size, - whom, &start1, &end1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - len1 = end1 - start1 + 1; + len1 = end1 - start1 + 1; - _gnutls_set_datum( start, &signed_data.data[start1], len1); + _gnutls_set_datum(start, &signed_data.data[start1], len1); - result = 0; + result = 0; -cleanup: - asn1_delete_structure(&c2); - _gnutls_free_datum( &signed_data); - return result; + cleanup: + asn1_delete_structure(&c2); + _gnutls_free_datum(&signed_data); + return result; } /*- @@ -1133,10 +1184,10 @@ cleanup: * Returns 0 on success or a negative value on error. * -*/ -int _gnutls_x509_crt_get_raw_issuer_dn( gnutls_x509_crt cert, - gnutls_datum* start) +int _gnutls_x509_crt_get_raw_issuer_dn(gnutls_x509_crt cert, + gnutls_datum * start) { - return _gnutls_x509_crt_get_raw_dn2( cert, "issuer", start); + return _gnutls_x509_crt_get_raw_dn2(cert, "issuer", start); } /*- @@ -1150,10 +1201,9 @@ int _gnutls_x509_crt_get_raw_issuer_dn( gnutls_x509_crt cert, * Returns 0 on success, or a negative value on error. * -*/ -int _gnutls_x509_crt_get_raw_dn( gnutls_x509_crt cert, - gnutls_datum * start) +int _gnutls_x509_crt_get_raw_dn(gnutls_x509_crt cert, gnutls_datum * start) { - return _gnutls_x509_crt_get_raw_dn2( cert, "subject", start); + return _gnutls_x509_crt_get_raw_dn2(cert, "subject", start); } @@ -1174,44 +1224,44 @@ int _gnutls_x509_crt_get_raw_dn( gnutls_x509_crt cert, * On success 0 is returned. * **/ -int gnutls_x509_crt_get_fingerprint(gnutls_x509_crt cert, - gnutls_digest_algorithm algo, void *buf, - size_t *sizeof_buf) +int gnutls_x509_crt_get_fingerprint(gnutls_x509_crt cert, + gnutls_digest_algorithm algo, + void *buf, size_t * sizeof_buf) { -opaque *cert_buf; -int cert_buf_size; -int result; -gnutls_datum tmp; + opaque *cert_buf; + int cert_buf_size; + int result; + gnutls_datum tmp; - if (sizeof_buf == 0 || cert == NULL) { - return GNUTLS_E_INVALID_REQUEST; - } + if (sizeof_buf == 0 || cert == NULL) { + return GNUTLS_E_INVALID_REQUEST; + } - cert_buf_size = 0; - asn1_der_coding( cert->cert, "", NULL, &cert_buf_size, NULL); + cert_buf_size = 0; + asn1_der_coding(cert->cert, "", NULL, &cert_buf_size, NULL); - cert_buf = gnutls_alloca( cert_buf_size); - if (cert_buf == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + cert_buf = gnutls_alloca(cert_buf_size); + if (cert_buf == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - result = asn1_der_coding( cert->cert, "", - cert_buf, &cert_buf_size, NULL); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_afree( cert_buf); - return _gnutls_asn2err(result); - } - - tmp.data = cert_buf; - tmp.size = cert_buf_size; + result = asn1_der_coding(cert->cert, "", + cert_buf, &cert_buf_size, NULL); - result = gnutls_fingerprint( algo, &tmp, buf, sizeof_buf); - gnutls_afree( cert_buf); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_afree(cert_buf); + return _gnutls_asn2err(result); + } - return result; + tmp.data = cert_buf; + tmp.size = cert_buf_size; + + result = gnutls_fingerprint(algo, &tmp, buf, sizeof_buf); + gnutls_afree(cert_buf); + + return result; } /** @@ -1233,16 +1283,18 @@ gnutls_datum tmp; * 0 on success. * **/ -int gnutls_x509_crt_export( gnutls_x509_crt cert, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size) +int gnutls_x509_crt_export(gnutls_x509_crt cert, + gnutls_x509_crt_fmt format, void *output_data, + size_t * output_data_size) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_export_int( cert->cert, format, "CERTIFICATE", *output_data_size, - output_data, output_data_size); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_export_int(cert->cert, format, "CERTIFICATE", + *output_data_size, output_data, + output_data_size); } @@ -1265,78 +1317,81 @@ int gnutls_x509_crt_export( gnutls_x509_crt cert, * 0 on success. * **/ -int gnutls_x509_crt_get_key_id( gnutls_x509_crt crt, unsigned int flags, - unsigned char* output_data, size_t* output_data_size) +int gnutls_x509_crt_get_key_id(gnutls_x509_crt crt, unsigned int flags, + unsigned char *output_data, + size_t * output_data_size) { -mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; -int params_size = MAX_PUBLIC_PARAMS_SIZE; -int i, pk, result = 0; -gnutls_datum der = { NULL, 0 }; -GNUTLS_HASH_HANDLE hd; + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + int params_size = MAX_PUBLIC_PARAMS_SIZE; + int i, pk, result = 0; + gnutls_datum der = { NULL, 0 }; + GNUTLS_HASH_HANDLE hd; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (*output_data_size < 20) { + gnutls_assert(); + *output_data_size = 20; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + pk = gnutls_x509_crt_get_pk_algorithm(crt, NULL); - if (*output_data_size < 20) { - gnutls_assert(); - *output_data_size = 20; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } + if (pk < 0) { + gnutls_assert(); + return pk; + } - pk = gnutls_x509_crt_get_pk_algorithm( crt, NULL); - - if ( pk < 0) { - gnutls_assert(); - return pk; - } + result = _gnutls_x509_crt_get_mpis(crt, params, ¶ms_size); - result = _gnutls_x509_crt_get_mpis( crt, params, ¶ms_size); - + if (result < 0) { + gnutls_assert(); + return result; + } + + if (pk == GNUTLS_PK_RSA) { + result = _gnutls_x509_write_rsa_params(params, params_size, &der); if (result < 0) { - gnutls_assert(); - return result; + gnutls_assert(); + goto cleanup; } - - if (pk == GNUTLS_PK_RSA) { - result = _gnutls_x509_write_rsa_params( params, params_size, &der); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } else if (pk == GNUTLS_PK_DSA) { - result = _gnutls_x509_write_dsa_public_key( params, params_size, &der); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } else return GNUTLS_E_INTERNAL_ERROR; - - hd = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (hd == GNUTLS_HASH_FAILED) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; + } else if (pk == GNUTLS_PK_DSA) { + result = + _gnutls_x509_write_dsa_public_key(params, params_size, &der); + if (result < 0) { + gnutls_assert(); + goto cleanup; } - - _gnutls_hash( hd, der.data, der.size); + } else + return GNUTLS_E_INTERNAL_ERROR; - _gnutls_hash_deinit( hd, output_data); - *output_data_size = 20; + hd = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (hd == GNUTLS_HASH_FAILED) { + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; + } - result = 0; + _gnutls_hash(hd, der.data, der.size); - cleanup: - - _gnutls_free_datum( &der); + _gnutls_hash_deinit(hd, output_data); + *output_data_size = 20; - /* release all allocated MPIs - */ - for (i = 0; i < params_size; i++) { - _gnutls_mpi_release( ¶ms[i]); - } - return result; + result = 0; + + cleanup: + + _gnutls_free_datum(&der); + + /* release all allocated MPIs + */ + for (i = 0; i < params_size; i++) { + _gnutls_mpi_release(¶ms[i]); + } + return result; } @@ -1356,90 +1411,86 @@ GNUTLS_HASH_HANDLE hd; * **/ int gnutls_x509_crt_check_revocation(gnutls_x509_crt cert, - gnutls_x509_crl * crl_list, - int crl_list_length) + gnutls_x509_crl * crl_list, + int crl_list_length) { - opaque serial[64]; - opaque cert_serial[64]; - size_t serial_size, cert_serial_size; - int ncerts, ret, i, j; - gnutls_datum dn1, dn2; + opaque serial[64]; + opaque cert_serial[64]; + size_t serial_size, cert_serial_size; + int ncerts, ret, i, j; + gnutls_datum dn1, dn2; - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + for (j = 0; j < crl_list_length; j++) { /* do for all the crls */ + + /* Step 1. check if issuer's DN match + */ + ret = _gnutls_x509_crl_get_raw_issuer_dn(crl_list[j], &dn1); + if (ret < 0) { + gnutls_assert(); + return ret; } - for (j = 0; j < crl_list_length; j++) { /* do for all the crls */ + ret = _gnutls_x509_crt_get_raw_issuer_dn(cert, &dn2); + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* Step 1. check if issuer's DN match - */ - ret = _gnutls_x509_crl_get_raw_issuer_dn(crl_list[j], &dn1); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_x509_compare_raw_dn(&dn1, &dn2); + if (ret == 0) { + /* issuers do not match so don't even + * bother checking. + */ + continue; + } - ret = - _gnutls_x509_crt_get_raw_issuer_dn(cert, &dn2); - if (ret < 0) { - gnutls_assert(); - return ret; - } + /* Step 2. Read the certificate's serial number + */ + cert_serial_size = sizeof(cert_serial); + ret = + gnutls_x509_crt_get_serial(cert, cert_serial, + &cert_serial_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = _gnutls_x509_compare_raw_dn(&dn1, &dn2); - if (ret == 0) { - /* issuers do not match so don't even - * bother checking. - */ - continue; - } + /* Step 3. cycle through the CRL serials and compare with + * certificate serial we have. + */ - /* Step 2. Read the certificate's serial number - */ - cert_serial_size = sizeof(cert_serial); - ret = - gnutls_x509_crt_get_serial(cert, cert_serial, - &cert_serial_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ncerts = gnutls_x509_crl_get_crt_count(crl_list[j]); + if (ncerts < 0) { + gnutls_assert(); + return ncerts; + } - /* Step 3. cycle through the CRL serials and compare with - * certificate serial we have. - */ + for (i = 0; i < ncerts; i++) { + serial_size = sizeof(serial); + ret = + gnutls_x509_crl_get_crt_serial(crl_list[j], i, serial, + &serial_size, NULL); - ncerts = gnutls_x509_crl_get_crt_count(crl_list[j]); - if (ncerts < 0) { - gnutls_assert(); - return ncerts; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - for (i = 0; i < ncerts; i++) { - serial_size = sizeof(serial); - ret = - gnutls_x509_crl_get_crt_serial(crl_list[j], i, serial, - &serial_size, - NULL); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - - if (serial_size == cert_serial_size) { - if (memcmp - (serial, cert_serial, - serial_size) == 0) { - /* serials match */ - return 1; /* revoked! */ - } - } + if (serial_size == cert_serial_size) { + if (memcmp(serial, cert_serial, serial_size) == 0) { + /* serials match */ + return 1; /* revoked! */ } - + } } - return 0; /* not revoked. */ + + } + return 0; /* not revoked. */ } /** @@ -1456,23 +1507,24 @@ int gnutls_x509_crt_check_revocation(gnutls_x509_crt cert, * 1 on success. * **/ -int gnutls_x509_crt_verify_data( gnutls_x509_crt crt, unsigned int flags, - const gnutls_datum* data, const gnutls_datum* signature) +int gnutls_x509_crt_verify_data(gnutls_x509_crt crt, unsigned int flags, + const gnutls_datum * data, + const gnutls_datum * signature) { -int result; + int result; - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_verify_signature( data, signature, crt); - if (result < 0) { - gnutls_assert(); - return 0; - } - - return result; + result = _gnutls_x509_verify_signature(data, signature, crt); + if (result < 0) { + gnutls_assert(); + return 0; + } + + return result; } /** @@ -1505,92 +1557,98 @@ int result; * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; * **/ -int gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt cert, - unsigned int seq, void *ret, size_t *ret_size, - unsigned int* reason_flags, unsigned int *critical) +int gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt cert, + unsigned int seq, void *ret, + size_t * ret_size, + unsigned int *reason_flags, + unsigned int *critical) { - int result; - gnutls_datum dist_points = {NULL, 0}; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - char name[128]; - int len; - char num[MAX_INT_DIGITS]; - gnutls_x509_subject_alt_name type; - uint8 reasons[2]; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int result; + gnutls_datum dist_points = { NULL, 0 }; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + char name[128]; + int len; + char num[MAX_INT_DIGITS]; + gnutls_x509_subject_alt_name type; + uint8 reasons[2]; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (ret) + memset(ret, 0, *ret_size); + else + *ret_size = 0; + + if (reason_flags) + *reason_flags = 0; + + result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.31", 0, &dist_points, + critical); + if (result < 0) { + return result; + } + + if (dist_points.size == 0 || dist_points.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&dist_points); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding(&c2, dist_points.data, dist_points.size, NULL); + _gnutls_free_datum(&dist_points); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - if (ret) memset(ret, 0, *ret_size); - else *ret_size = 0; - - if (reason_flags) *reason_flags = 0; + /* Return the different names from the first CRLDistr. point. + * The whole thing is a mess. + */ + _gnutls_str_cpy(name, sizeof(name), "?1.distributionPoint.fullName"); - result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.31", 0, &dist_points, critical); - if (result < 0) { - return result; - } - - if (dist_points.size == 0 || dist_points.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + result = parse_general_name(c2, name, seq, ret, ret_size); + if (result < 0) { + asn1_delete_structure(&c2); + return result; + } - result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum( &dist_points); - return _gnutls_asn2err(result); - } + type = result; - result = asn1_der_decoding(&c2, dist_points.data, dist_points.size, NULL); - _gnutls_free_datum( &dist_points); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + /* Read the CRL reasons. + */ + if (reason_flags) { + _gnutls_str_cpy(name, sizeof(name), "?"); + _gnutls_str_cat(name, sizeof(name), num); + _gnutls_str_cat(name, sizeof(name), ".reasons"); - /* Return the different names from the first CRLDistr. point. - * The whole thing is a mess. - */ - _gnutls_str_cpy( name, sizeof(name), "?1.distributionPoint.fullName"); + len = sizeof(reasons); + result = asn1_read_value(c2, name, reasons, &len); - result = parse_general_name( c2, name, seq, ret, ret_size); - if (result < 0) { - asn1_delete_structure(&c2); - return result; + if (result != ASN1_VALUE_NOT_FOUND && result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); } - - type = result; - - /* Read the CRL reasons. - */ - if (reason_flags) { - _gnutls_str_cpy( name, sizeof(name), "?"); - _gnutls_str_cat( name, sizeof(name), num); - _gnutls_str_cat( name, sizeof(name), ".reasons"); - - len = sizeof(reasons); - result = - asn1_read_value(c2, name, reasons, &len); - - if (result != ASN1_VALUE_NOT_FOUND && result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } - - *reason_flags = reasons[0] | (reasons[1] << 8); - } + *reason_flags = reasons[0] | (reasons[1] << 8); + } - return type; + return type; } /** @@ -1611,74 +1669,78 @@ int gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt cert, * On success 0 is returned. * **/ -int gnutls_x509_crt_get_key_purpose_oid(gnutls_x509_crt cert, - int indx, void *oid, size_t *sizeof_oid, unsigned int* critical) +int gnutls_x509_crt_get_key_purpose_oid(gnutls_x509_crt cert, + int indx, void *oid, + size_t * sizeof_oid, + unsigned int *critical) { - char counter[MAX_INT_DIGITS]; - char tmpstr[64]; - int result, len; - gnutls_datum id; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (oid) memset(oid, 0, *sizeof_oid); - else *sizeof_oid = 0; - - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.37", 0, &id, critical)) < 0) { - return result; - } - - if (id.size == 0 || id.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum( &id); - return _gnutls_asn2err(result); - } - - result = asn1_der_decoding(&c2, id.data, id.size, NULL); - _gnutls_free_datum( &id); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + char counter[MAX_INT_DIGITS]; + char tmpstr[64]; + int result, len; + gnutls_datum id; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (oid) + memset(oid, 0, *sizeof_oid); + else + *sizeof_oid = 0; + + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.37", 0, &id, + critical)) < 0) { + return result; + } + + if (id.size == 0 || id.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&id); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, id.data, id.size, NULL); + _gnutls_free_datum(&id); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - indx++; - /* create a string like "?1" - */ - _gnutls_int2str(indx, counter); - _gnutls_str_cpy(tmpstr, sizeof(tmpstr), "?"); - _gnutls_str_cat(tmpstr, sizeof(tmpstr), counter); + indx++; + /* create a string like "?1" + */ + _gnutls_int2str(indx, counter); + _gnutls_str_cpy(tmpstr, sizeof(tmpstr), "?"); + _gnutls_str_cat(tmpstr, sizeof(tmpstr), counter); - len = *sizeof_oid; - result = - asn1_read_value(c2, tmpstr, oid, &len); + len = *sizeof_oid; + result = asn1_read_value(c2, tmpstr, oid, &len); - *sizeof_oid = len; - asn1_delete_structure(&c2); + *sizeof_oid = len; + asn1_delete_structure(&c2); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } @@ -1694,44 +1756,50 @@ int gnutls_x509_crt_get_key_purpose_oid(gnutls_x509_crt cert, * **/ int gnutls_x509_crt_get_pk_rsa_raw(gnutls_x509_crt crt, - gnutls_datum * m, gnutls_datum *e) + gnutls_datum * m, gnutls_datum * e) { -int ret; -mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; -int params_size = MAX_PUBLIC_PARAMS_SIZE; -int i; - - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_x509_crt_get_mpis( crt, params, ¶ms_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = _gnutls_mpi_dprint(m, params[0]); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - - ret = _gnutls_mpi_dprint(e, params[1]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(m); - goto cleanup; - } - - ret = 0; - -cleanup: - for (i = 0; i < params_size; i++) { - _gnutls_mpi_release( ¶ms[i]); - } + int ret; + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + int params_size = MAX_PUBLIC_PARAMS_SIZE; + int i; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = gnutls_x509_crt_get_pk_algorithm(crt, NULL); + if (ret != GNUTLS_PK_RSA) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_x509_crt_get_mpis(crt, params, ¶ms_size); + if (ret < 0) { + gnutls_assert(); return ret; + } + + ret = _gnutls_mpi_dprint(m, params[0]); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = _gnutls_mpi_dprint(e, params[1]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(m); + goto cleanup; + } + + ret = 0; + + cleanup: + for (i = 0; i < params_size; i++) { + _gnutls_mpi_release(¶ms[i]); + } + return ret; } /** @@ -1748,69 +1816,75 @@ cleanup: * **/ int gnutls_x509_crt_get_pk_dsa_raw(gnutls_x509_crt crt, - gnutls_datum * p, gnutls_datum *q, - gnutls_datum *g, gnutls_datum *y) + gnutls_datum * p, gnutls_datum * q, + gnutls_datum * g, gnutls_datum * y) { -int ret; -mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; -int params_size = MAX_PUBLIC_PARAMS_SIZE; -int i; - - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_x509_crt_get_mpis( crt, params, ¶ms_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - - /* P */ - ret = _gnutls_mpi_dprint(p, params[0]); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - - /* Q */ - ret = _gnutls_mpi_dprint(q, params[1]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - goto cleanup; - } - - - /* G */ - ret = _gnutls_mpi_dprint(g, params[2]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - _gnutls_free_datum(q); - goto cleanup; - } - - - /* Y */ - ret = _gnutls_mpi_dprint(y, params[3]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - _gnutls_free_datum(g); - _gnutls_free_datum(q); - goto cleanup; - } - - ret = 0; - -cleanup: - for (i = 0; i < params_size; i++) { - _gnutls_mpi_release( ¶ms[i]); - } + int ret; + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + int params_size = MAX_PUBLIC_PARAMS_SIZE; + int i; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = gnutls_x509_crt_get_pk_algorithm(crt, NULL); + if (ret != GNUTLS_PK_DSA) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_x509_crt_get_mpis(crt, params, ¶ms_size); + if (ret < 0) { + gnutls_assert(); return ret; + } + + + /* P */ + ret = _gnutls_mpi_dprint(p, params[0]); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + /* Q */ + ret = _gnutls_mpi_dprint(q, params[1]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + goto cleanup; + } + + + /* G */ + ret = _gnutls_mpi_dprint(g, params[2]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + _gnutls_free_datum(q); + goto cleanup; + } + + + /* Y */ + ret = _gnutls_mpi_dprint(y, params[3]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + _gnutls_free_datum(g); + _gnutls_free_datum(q); + goto cleanup; + } + + ret = 0; + + cleanup: + for (i = 0; i < params_size; i++) { + _gnutls_mpi_release(¶ms[i]); + } + return ret; } diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c index 32f5ea3001..0fbe906c19 100644 --- a/lib/x509/x509_write.c +++ b/lib/x509/x509_write.c @@ -41,7 +41,7 @@ #include <libtasn1.h> #include <gnutls_ui.h> -static void disable_optional_stuff( gnutls_x509_crt cert); +static void disable_optional_stuff(gnutls_x509_crt cert); /** * gnutls_x509_crt_set_dn_by_oid - This function will set the Certificate request subject's distinguished name @@ -63,15 +63,16 @@ static void disable_optional_stuff( gnutls_x509_crt cert); * Returns 0 on success. * **/ -int gnutls_x509_crt_set_dn_by_oid(gnutls_x509_crt crt, const char* oid, - unsigned int raw_flag, const void *name, unsigned int sizeof_name) +int gnutls_x509_crt_set_dn_by_oid(gnutls_x509_crt crt, const char *oid, + unsigned int raw_flag, const void *name, + unsigned int sizeof_name) { - if (sizeof_name == 0 || name == NULL || crt == NULL) { - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_set_dn_oid( crt->cert, "tbsCertificate.subject", oid, - raw_flag, name, sizeof_name); + if (sizeof_name == 0 || name == NULL || crt == NULL) { + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_set_dn_oid(crt->cert, "tbsCertificate.subject", + oid, raw_flag, name, sizeof_name); } /** @@ -97,15 +98,18 @@ int gnutls_x509_crt_set_dn_by_oid(gnutls_x509_crt crt, const char* oid, * Returns 0 on success. * **/ -int gnutls_x509_crt_set_issuer_dn_by_oid(gnutls_x509_crt crt, const char* oid, - unsigned int raw_flag, const void *name, unsigned int sizeof_name) +int gnutls_x509_crt_set_issuer_dn_by_oid(gnutls_x509_crt crt, + const char *oid, + unsigned int raw_flag, + const void *name, + unsigned int sizeof_name) { - if (sizeof_name == 0 || name == NULL || crt == NULL) { - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_set_dn_oid( crt->cert, "tbsCertificate.issuer", oid, - raw_flag, name, sizeof_name); + if (sizeof_name == 0 || name == NULL || crt == NULL) { + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_set_dn_oid(crt->cert, "tbsCertificate.issuer", oid, + raw_flag, name, sizeof_name); } /** @@ -122,23 +126,25 @@ int gnutls_x509_crt_set_issuer_dn_by_oid(gnutls_x509_crt crt, const char* oid, **/ int gnutls_x509_crt_set_version(gnutls_x509_crt crt, unsigned int version) { -int result; -unsigned char null = version; + int result; + unsigned char null = version; - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (null > 0) null--; + if (null > 0) + null--; - result = asn1_write_value( crt->cert, "tbsCertificate.version", &null, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = + asn1_write_value(crt->cert, "tbsCertificate.version", &null, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /** @@ -154,23 +160,25 @@ unsigned char null = version; **/ int gnutls_x509_crt_set_key(gnutls_x509_crt crt, gnutls_x509_privkey key) { -int result; + int result; - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_encode_and_copy_PKI_params( crt->cert, - "tbsCertificate.subjectPublicKeyInfo", key->pk_algorithm, - key->params, key->params_size); + result = _gnutls_x509_encode_and_copy_PKI_params(crt->cert, + "tbsCertificate.subjectPublicKeyInfo", + key->pk_algorithm, + key->params, + key->params_size); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /** @@ -186,31 +194,35 @@ int result; **/ int gnutls_x509_crt_set_crq(gnutls_x509_crt crt, gnutls_x509_crq crq) { -int result; -int pk_algorithm; - - if (crt==NULL || crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - pk_algorithm = gnutls_x509_crq_get_pk_algorithm( crq, NULL); - - result = _gnutls_asn1_copy_node( &crt->cert, "tbsCertificate.subject", - crq->crq, "certificationRequestInfo.subject"); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_asn1_copy_node( &crt->cert, "tbsCertificate.subjectPublicKeyInfo", - crq->crq, "certificationRequestInfo.subjectPKInfo"); - if (result < 0) { - gnutls_assert(); - return result; - } - - return 0; + int result; + int pk_algorithm; + + if (crt == NULL || crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + pk_algorithm = gnutls_x509_crq_get_pk_algorithm(crq, NULL); + + result = _gnutls_asn1_copy_node(&crt->cert, "tbsCertificate.subject", + crq->crq, + "certificationRequestInfo.subject"); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_asn1_copy_node(&crt->cert, + "tbsCertificate.subjectPublicKeyInfo", + crq->crq, + "certificationRequestInfo.subjectPKInfo"); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } @@ -226,34 +238,35 @@ int pk_algorithm; **/ int gnutls_x509_crt_set_ca_status(gnutls_x509_crt crt, unsigned int ca) { -int result; -gnutls_datum der_data; + int result; + gnutls_datum der_data; - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_basicConstraints( ca, &der_data); - if (result < 0) { - gnutls_assert(); - return result; - } + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_basicConstraints(ca, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } - result = _gnutls_x509_crt_set_extension( crt, "2.5.29.19", &der_data, 1); + result = + _gnutls_x509_crt_set_extension(crt, "2.5.29.19", &der_data, 1); - _gnutls_free_datum( &der_data); + _gnutls_free_datum(&der_data); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - crt->use_extensions = 1; + crt->use_extensions = 1; - return 0; + return 0; } /** @@ -268,34 +281,35 @@ gnutls_datum der_data; **/ int gnutls_x509_crt_set_key_usage(gnutls_x509_crt crt, unsigned int usage) { -int result; -gnutls_datum der_data; + int result; + gnutls_datum der_data; - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_keyUsage( (uint16)usage, &der_data); - if (result < 0) { - gnutls_assert(); - return result; - } + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_keyUsage((uint16) usage, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } - result = _gnutls_x509_crt_set_extension( crt, "2.5.29.15", &der_data, 1); + result = + _gnutls_x509_crt_set_extension(crt, "2.5.29.15", &der_data, 1); - _gnutls_free_datum( &der_data); + _gnutls_free_datum(&der_data); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - crt->use_extensions = 1; + crt->use_extensions = 1; - return 0; + return 0; } /** @@ -309,49 +323,57 @@ gnutls_datum der_data; * Returns 0 on success. * **/ -int gnutls_x509_crt_set_subject_alternative_name(gnutls_x509_crt crt, gnutls_x509_subject_alt_name type, - const char* data_string) +int gnutls_x509_crt_set_subject_alternative_name(gnutls_x509_crt crt, + gnutls_x509_subject_alt_name + type, + const char *data_string) { -int result; -gnutls_datum der_data; -gnutls_datum dnsname; -unsigned int critical; - - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = _gnutls_x509_crt_get_extension(crt, "2.5.29.17", 0, &dnsname, &critical); - - if (result >= 0) _gnutls_free_datum( &dnsname); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_subject_alt_name( type, data_string, &der_data); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_crt_set_extension( crt, "2.5.29.17", &der_data, 0); - - _gnutls_free_datum( &der_data); - - if (result < 0) { - gnutls_assert(); - return result; - } - - crt->use_extensions = 1; - - return 0; + int result; + gnutls_datum der_data; + gnutls_datum dnsname; + unsigned int critical; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(crt, "2.5.29.17", 0, &dnsname, + &critical); + + if (result >= 0) + _gnutls_free_datum(&dnsname); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = + _gnutls_x509_ext_gen_subject_alt_name(type, data_string, + &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(crt, "2.5.29.17", &der_data, 0); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + crt->use_extensions = 1; + + return 0; } /** @@ -369,28 +391,28 @@ unsigned int critical; * Returns 0 on success. * **/ -int gnutls_x509_crt_sign(gnutls_x509_crt crt, gnutls_x509_crt issuer, - gnutls_x509_privkey issuer_key) +int gnutls_x509_crt_sign(gnutls_x509_crt crt, gnutls_x509_crt issuer, + gnutls_x509_privkey issuer_key) { -int result; + int result; - if (crt==NULL || issuer == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL || issuer == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* disable all the unneeded OPTIONAL fields. - */ - disable_optional_stuff( crt); + /* disable all the unneeded OPTIONAL fields. + */ + disable_optional_stuff(crt); - result = _gnutls_x509_pkix_sign( crt->cert, "tbsCertificate", issuer, - issuer_key); - if (result < 0) { - gnutls_assert(); - return result; - } - - return 0; + result = _gnutls_x509_pkix_sign(crt->cert, "tbsCertificate", issuer, + issuer_key); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /** @@ -403,14 +425,17 @@ int result; * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_activation_time(gnutls_x509_crt cert, time_t act_time) +int gnutls_x509_crt_set_activation_time(gnutls_x509_crt cert, + time_t act_time) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_set_time( cert->cert, "tbsCertificate.validity.notBefore", act_time); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_set_time(cert->cert, + "tbsCertificate.validity.notBefore", + act_time); } /** @@ -423,13 +448,16 @@ int gnutls_x509_crt_set_activation_time(gnutls_x509_crt cert, time_t act_time) * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_expiration_time(gnutls_x509_crt cert, time_t exp_time) +int gnutls_x509_crt_set_expiration_time(gnutls_x509_crt cert, + time_t exp_time) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - return _gnutls_x509_set_time( cert->cert, "tbsCertificate.validity.notAfter", exp_time); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + return _gnutls_x509_set_time(cert->cert, + "tbsCertificate.validity.notAfter", + exp_time); } /** @@ -446,42 +474,45 @@ int gnutls_x509_crt_set_expiration_time(gnutls_x509_crt cert, time_t exp_time) * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_serial(gnutls_x509_crt cert, const void* serial, - size_t serial_size) +int gnutls_x509_crt_set_serial(gnutls_x509_crt cert, const void *serial, + size_t serial_size) { - int ret; + int ret; - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = asn1_write_value(cert->cert, "tbsCertificate.serialNumber", serial, serial_size); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(ret); - } + ret = + asn1_write_value(cert->cert, "tbsCertificate.serialNumber", serial, + serial_size); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } - return 0; + return 0; } /* If OPTIONAL fields have not been initialized then * disable them. */ -static void disable_optional_stuff( gnutls_x509_crt cert) +static void disable_optional_stuff(gnutls_x509_crt cert) { - asn1_write_value( cert->cert, "tbsCertificate.issuerUniqueID", NULL, 0); + asn1_write_value(cert->cert, "tbsCertificate.issuerUniqueID", NULL, 0); - asn1_write_value( cert->cert, "tbsCertificate.subjectUniqueID", NULL, 0); + asn1_write_value(cert->cert, "tbsCertificate.subjectUniqueID", NULL, + 0); - if (cert->use_extensions == 0) { - _gnutls_x509_log( "Disabling X.509 extensions.\n"); - asn1_write_value( cert->cert, "tbsCertificate.extensions", NULL, 0); - } + if (cert->use_extensions == 0) { + _gnutls_x509_log("Disabling X.509 extensions.\n"); + asn1_write_value(cert->cert, "tbsCertificate.extensions", NULL, 0); + } - return; + return; } /** @@ -496,49 +527,57 @@ static void disable_optional_stuff( gnutls_x509_crt cert) * Returns 0 on success. * **/ -int gnutls_x509_crt_set_crl_dist_points(gnutls_x509_crt crt, gnutls_x509_subject_alt_name type, - const void* data_string, unsigned int reason_flags) +int gnutls_x509_crt_set_crl_dist_points(gnutls_x509_crt crt, + gnutls_x509_subject_alt_name type, + const void *data_string, + unsigned int reason_flags) { -int result; -gnutls_datum der_data; -gnutls_datum oldname; -unsigned int critical; - - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = _gnutls_x509_crt_get_extension(crt, "2.5.29.31", 0, &oldname, &critical); - - if (result >= 0) _gnutls_free_datum( &oldname); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_crl_dist_points( type, data_string, reason_flags, &der_data); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_crt_set_extension( crt, "2.5.29.31", &der_data, 0); - - _gnutls_free_datum( &der_data); - - if (result < 0) { - gnutls_assert(); - return result; - } - - crt->use_extensions = 1; - - return 0; + int result; + gnutls_datum der_data; + gnutls_datum oldname; + unsigned int critical; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(crt, "2.5.29.31", 0, &oldname, + &critical); + + if (result >= 0) + _gnutls_free_datum(&oldname); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = + _gnutls_x509_ext_gen_crl_dist_points(type, data_string, + reason_flags, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(crt, "2.5.29.31", &der_data, 0); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + crt->use_extensions = 1; + + return 0; } /** @@ -553,37 +592,41 @@ unsigned int critical; * Returns 0 on success. * **/ -int gnutls_x509_crt_cpy_crl_dist_points(gnutls_x509_crt dst, - gnutls_x509_crt src) +int gnutls_x509_crt_cpy_crl_dist_points(gnutls_x509_crt dst, + gnutls_x509_crt src) { -int result; -gnutls_datum der_data; -unsigned int critical; - - if (dst==NULL || src == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = _gnutls_x509_crt_get_extension(src, "2.5.29.31", 0, &der_data, &critical); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_crt_set_extension( dst, "2.5.29.31", &der_data, critical); - _gnutls_free_datum( &der_data); - - if (result < 0) { - gnutls_assert(); - return result; - } - - dst->use_extensions = 1; - - return 0; + int result; + gnutls_datum der_data; + unsigned int critical; + + if (dst == NULL || src == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(src, "2.5.29.31", 0, &der_data, + &critical); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(dst, "2.5.29.31", &der_data, + critical); + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + dst->use_extensions = 1; + + return 0; } /** @@ -597,48 +640,52 @@ unsigned int critical; * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_subject_key_id(gnutls_x509_crt cert, const void* id, - size_t id_size) +int gnutls_x509_crt_set_subject_key_id(gnutls_x509_crt cert, + const void *id, size_t id_size) { - int result; - gnutls_datum old_id, der_data; - unsigned int critical; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = _gnutls_x509_crt_get_extension(cert, "2.5.29.14", 0, &old_id, &critical); - - if (result >= 0) _gnutls_free_datum( &old_id); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_key_id( id, id_size, &der_data); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_crt_set_extension( cert, "2.5.29.14", &der_data, 0); - - _gnutls_free_datum( &der_data); - - if (result < 0) { - gnutls_assert(); - return result; - } - - cert->use_extensions = 1; - - return 0; + int result; + gnutls_datum old_id, der_data; + unsigned int critical; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.14", 0, &old_id, + &critical); + + if (result >= 0) + _gnutls_free_datum(&old_id); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_key_id(id, id_size, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(cert, "2.5.29.14", &der_data, 0); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + cert->use_extensions = 1; + + return 0; } /** @@ -653,48 +700,52 @@ int gnutls_x509_crt_set_subject_key_id(gnutls_x509_crt cert, const void* id, * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_authority_key_id(gnutls_x509_crt cert, const void* id, - size_t id_size) +int gnutls_x509_crt_set_authority_key_id(gnutls_x509_crt cert, + const void *id, size_t id_size) { - int result; - gnutls_datum old_id, der_data; - unsigned int critical; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = _gnutls_x509_crt_get_extension(cert, "2.5.29.35", 0, &old_id, &critical); - - if (result >= 0) _gnutls_free_datum( &old_id); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_auth_key_id( id, id_size, &der_data); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_crt_set_extension( cert, "2.5.29.35", &der_data, 0); - - _gnutls_free_datum( &der_data); - - if (result < 0) { - gnutls_assert(); - return result; - } - - cert->use_extensions = 1; - - return 0; + int result; + gnutls_datum old_id, der_data; + unsigned int critical; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.35", 0, &old_id, + &critical); + + if (result >= 0) + _gnutls_free_datum(&old_id); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_auth_key_id(id, id_size, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(cert, "2.5.29.35", &der_data, 0); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + cert->use_extensions = 1; + + return 0; } /** @@ -712,85 +763,88 @@ int gnutls_x509_crt_set_authority_key_id(gnutls_x509_crt cert, const void* id, * On success 0 is returned. * **/ -int gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt cert, - const void *oid, unsigned int critical) +int gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt cert, + const void *oid, + unsigned int critical) { - int result; - gnutls_datum old_id, der_data; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* Check if the extension already exists. + int result; + gnutls_datum old_id, der_data; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.37", 0, &old_id, + NULL); + + if (result >= 0) { + /* decode it. */ - result = _gnutls_x509_crt_get_extension(cert, "2.5.29.37", 0, &old_id, NULL); - - if (result >= 0) { - /* decode it. - */ - result = asn1_der_decoding(&c2, old_id.data, old_id.size, NULL); - _gnutls_free_datum( &old_id); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } - - } + result = asn1_der_decoding(&c2, old_id.data, old_id.size, NULL); + _gnutls_free_datum(&old_id); - /* generate the extension. - */ - /* 1. create a new element. - */ - result = asn1_write_value( c2, "", "NEW", 1); if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); } - /* 2. Add the OID. - */ - result = asn1_write_value(c2, "?LAST", oid, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + } - result = _gnutls_x509_der_encode( c2, "", &der_data, 0); + /* generate the extension. + */ + /* 1. create a new element. + */ + result = asn1_write_value(c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + /* 2. Add the OID. + */ + result = asn1_write_value(c2, "?LAST", oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = _gnutls_x509_der_encode(c2, "", &der_data, 0); + asn1_delete_structure(&c2); - result = _gnutls_x509_crt_set_extension( cert, "2.5.29.37", - &der_data, critical); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - _gnutls_free_datum( &der_data); + result = _gnutls_x509_crt_set_extension(cert, "2.5.29.37", + &der_data, critical); - if (result < 0) { - gnutls_assert(); - return result; - } + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } - cert->use_extensions = 1; + cert->use_extensions = 1; - return 0; + return 0; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/xml.c b/lib/x509/xml.c index 4cac03abe4..e5b1350f34 100644 --- a/lib/x509/xml.c +++ b/lib/x509/xml.c @@ -33,10 +33,10 @@ #include <structure.h> #include <parser_aux.h> #include <der.h> -#define LIBASN1_H /* we use this since this file uses - * libtasn1 internals, and we don't want the - * exported API. - */ +#define LIBASN1_H /* we use this since this file uses + * libtasn1 internals, and we don't want the + * exported API. + */ #include <gnutls_int.h> #include <gnutls_datum.h> #include <gnutls_global.h> @@ -46,58 +46,58 @@ #include <x509.h> #include <common.h> -const char* asn1_find_structure_from_oid(ASN1_TYPE definitions, - const char *oidValue); +const char *asn1_find_structure_from_oid(ASN1_TYPE definitions, + const char *oidValue); -static int _gnutls_x509_expand_extensions(ASN1_TYPE* rasn); +static int _gnutls_x509_expand_extensions(ASN1_TYPE * rasn); static const void *find_default_value(ASN1_TYPE x) { - ASN1_TYPE p = x; - - if (x->value == NULL && x->type & CONST_DEFAULT) { - if (x->down) { - x = x->down; - do { - if (type_field(x->type) == TYPE_DEFAULT) { - if (type_field(p->type) == - TYPE_BOOLEAN) { - if (x->type & CONST_TRUE) - return "TRUE"; - else - return "FALSE"; - } else - return x->value; - } - x = x->right; - } while (x != NULL); - + ASN1_TYPE p = x; + + if (x->value == NULL && x->type & CONST_DEFAULT) { + if (x->down) { + x = x->down; + do { + if (type_field(x->type) == TYPE_DEFAULT) { + if (type_field(p->type) == TYPE_BOOLEAN) { + if (x->type & CONST_TRUE) + return "TRUE"; + else + return "FALSE"; + } else + return x->value; } + x = x->right; + } while (x != NULL); + } - return NULL; + } + return NULL; } static int is_node_printable(ASN1_TYPE x) { - switch (type_field(x->type)) { - case TYPE_TAG: - case TYPE_SIZE: - case TYPE_DEFAULT: + switch (type_field(x->type)) { + case TYPE_TAG: + case TYPE_SIZE: + case TYPE_DEFAULT: + return 0; + case TYPE_CONSTANT:{ + ASN1_TYPE up = _asn1_find_up(x); + + if (up != NULL && type_field(up->type) != TYPE_ANY && + up->value != NULL) return 0; - case TYPE_CONSTANT: { - ASN1_TYPE up = _asn1_find_up( x); - - if (up!=NULL && type_field(up->type)!= TYPE_ANY && - up->value!=NULL) return 0; - } - return 1; } - if (x->name == NULL && _asn1_find_up( x) != NULL) - return 0; - if (x->value == NULL && x->down == NULL) - return 0; return 1; + } + if (x->name == NULL && _asn1_find_up(x) != NULL) + return 0; + if (x->value == NULL && x->down == NULL) + return 0; + return 1; } /* returns true if the node is the only one printable in @@ -105,24 +105,24 @@ static int is_node_printable(ASN1_TYPE x) */ static int is_leaf(ASN1_TYPE p) { - ASN1_TYPE x; + ASN1_TYPE x; - if (p == NULL) - return 1; - if (p->down == NULL) - return 1; + if (p == NULL) + return 1; + if (p->down == NULL) + return 1; - x = p->down; + x = p->down; - while (x != NULL) { - if (is_node_printable(x)) - return 0; - if (is_leaf(x) == 0) - return 0; - x = x->right; - } + while (x != NULL) { + if (is_node_printable(x)) + return 0; + if (is_leaf(x) == 0) + return 0; + x = x->right; + } - return 1; + return 1; } @@ -141,52 +141,57 @@ static int is_leaf(ASN1_TYPE p) #define ROOT "certificate" /* This function removes the '?' character from ASN.1 names */ -static int normalize_name( ASN1_TYPE p, char* output, int output_size) +static int normalize_name(ASN1_TYPE p, char *output, int output_size) { -const char* name; - - if (output_size > 0) - output[0] = 0; - else return GNUTLS_E_INTERNAL_ERROR; - - if (p==NULL) return GNUTLS_E_INTERNAL_ERROR; - - name = p->name; - if (name == NULL) name = ROOT; - - if ( type_field(p->type)==TYPE_CONSTANT) { - ASN1_TYPE up = _asn1_find_up(p); - const char * tmp; - - if ( up && type_field(up->type)==TYPE_ANY && - up->left && up->left->value && - up->type & CONST_DEFINED_BY && - type_field(up->left->type)==TYPE_OBJECT_ID) { - - tmp = asn1_find_structure_from_oid( _gnutls_get_pkix(), up->left->value); - if ( tmp != NULL) - _gnutls_str_cpy( output, output_size, tmp); - else { - _gnutls_str_cpy( output, output_size, "DEFINED_BY_"); - _gnutls_str_cat( output, output_size, name); - } - } else { - _gnutls_str_cpy( output, output_size, "DEFINED_BY_"); - _gnutls_str_cat( output, output_size, name); - } - - - return 0; - } - - if ( name[0]=='?') { - _gnutls_str_cpy( output, output_size, UNNAMED); - if (strlen(name) > 1) - _gnutls_str_cat( output, output_size, &name[1]); + const char *name; + + if (output_size > 0) + output[0] = 0; + else + return GNUTLS_E_INTERNAL_ERROR; + + if (p == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + name = p->name; + if (name == NULL) + name = ROOT; + + if (type_field(p->type) == TYPE_CONSTANT) { + ASN1_TYPE up = _asn1_find_up(p); + const char *tmp; + + if (up && type_field(up->type) == TYPE_ANY && + up->left && up->left->value && + up->type & CONST_DEFINED_BY && + type_field(up->left->type) == TYPE_OBJECT_ID) { + + tmp = + asn1_find_structure_from_oid(_gnutls_get_pkix(), + up->left->value); + if (tmp != NULL) + _gnutls_str_cpy(output, output_size, tmp); + else { + _gnutls_str_cpy(output, output_size, "DEFINED_BY_"); + _gnutls_str_cat(output, output_size, name); + } } else { - _gnutls_str_cpy( output, output_size, name); + _gnutls_str_cpy(output, output_size, "DEFINED_BY_"); + _gnutls_str_cat(output, output_size, name); } + + return 0; + } + + if (name[0] == '?') { + _gnutls_str_cpy(output, output_size, UNNAMED); + if (strlen(name) > 1) + _gnutls_str_cat(output, output_size, &name[1]); + } else { + _gnutls_str_cpy(output, output_size, name); + } + return 0; } #define XML_HEADER "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n" \ @@ -195,406 +200,388 @@ const char* name; #define XML_FOOTER "</gnutls:x509:certificate>\n" static int -_gnutls_asn1_get_structure_xml(ASN1_TYPE structure, - gnutls_datum * res, int detail) +_gnutls_asn1_get_structure_xml(ASN1_TYPE structure, + gnutls_datum * res, int detail) { - node_asn *p, *root; - int k, indent = 0, len, len2, len3; - opaque tmp[1024]; - char nname[256]; - int ret; - gnutls_string str; - - if (res == NULL || structure == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + node_asn *p, *root; + int k, indent = 0, len, len2, len3; + opaque tmp[1024]; + char nname[256]; + int ret; + gnutls_string str; + + if (res == NULL || structure == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + _gnutls_string_init(&str, malloc, realloc, free); + + STR_APPEND(XML_HEADER); + indent = 1; + + root = _asn1_find_node(structure, ""); + + if (root == NULL) { + gnutls_assert(); + _gnutls_string_clear(&str); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (detail == GNUTLS_XML_SHOW_ALL) + ret = asn1_expand_any_defined_by(_gnutls_get_pkix(), &structure); + /* we don't need to check the error value + * here. + */ + + if (detail == GNUTLS_XML_SHOW_ALL) { + ret = _gnutls_x509_expand_extensions(&structure); + if (ret < 0) { + gnutls_assert(); + return ret; } - - _gnutls_string_init( &str, malloc, realloc, free); + } - STR_APPEND(XML_HEADER); - indent = 1; + p = root; + while (p) { + if (is_node_printable(p)) { + for (k = 0; k < indent; k++) + APPEND(" ", 1); - root = _asn1_find_node(structure, ""); - - if (root == NULL) { + if ((ret = normalize_name(p, nname, sizeof(nname))) < 0) { + _gnutls_string_clear(&str); gnutls_assert(); - _gnutls_string_clear( &str); - return GNUTLS_E_INTERNAL_ERROR; - } + return ret; + } - if (detail == GNUTLS_XML_SHOW_ALL) - ret = asn1_expand_any_defined_by( _gnutls_get_pkix(), - &structure); - /* we don't need to check the error value - * here. - */ - - if (detail == GNUTLS_XML_SHOW_ALL) { - ret = _gnutls_x509_expand_extensions( &structure); - if (ret < 0) { - gnutls_assert(); - return ret; - } + APPEND("<", 1); + STR_APPEND(nname); } - p = root; - while (p) { - if (is_node_printable(p)) { - for (k = 0; k < indent; k++) - APPEND(" ", 1); + if (is_node_printable(p)) { + switch (type_field(p->type)) { + case TYPE_DEFAULT: + STR_APPEND(" type=\"DEFAULT\""); + break; + case TYPE_NULL: + STR_APPEND(" type=\"NULL\""); + break; + case TYPE_IDENTIFIER: + STR_APPEND(" type=\"IDENTIFIER\""); + break; + case TYPE_INTEGER: + STR_APPEND(" type=\"INTEGER\""); + STR_APPEND(" encoding=\"HEX\""); + break; + case TYPE_ENUMERATED: + STR_APPEND(" type=\"ENUMERATED\""); + STR_APPEND(" encoding=\"HEX\""); + break; + case TYPE_TIME: + STR_APPEND(" type=\"TIME\""); + break; + case TYPE_BOOLEAN: + STR_APPEND(" type=\"BOOLEAN\""); + break; + case TYPE_SEQUENCE: + STR_APPEND(" type=\"SEQUENCE\""); + break; + case TYPE_BIT_STRING: + STR_APPEND(" type=\"BIT STRING\""); + STR_APPEND(" encoding=\"HEX\""); + break; + case TYPE_OCTET_STRING: + STR_APPEND(" type=\"OCTET STRING\""); + STR_APPEND(" encoding=\"HEX\""); + break; + case TYPE_SEQUENCE_OF: + STR_APPEND(" type=\"SEQUENCE OF\""); + break; + case TYPE_OBJECT_ID: + STR_APPEND(" type=\"OBJECT ID\""); + break; + case TYPE_ANY: + STR_APPEND(" type=\"ANY\""); + if (!p->down) + STR_APPEND(" encoding=\"HEX\""); + break; + case TYPE_CONSTANT:{ + ASN1_TYPE up = _asn1_find_up(p); + + if (up && type_field(up->type) == TYPE_ANY && + up->left && up->left->value && + up->type & CONST_DEFINED_BY && + type_field(up->left->type) == TYPE_OBJECT_ID) { - if ((ret=normalize_name( p, nname, sizeof(nname))) < 0) { - _gnutls_string_clear( &str); - gnutls_assert(); - return ret; + if (_gnutls_x509_oid_data_printable + (up->left->value) == 0) { + STR_APPEND(" encoding=\"HEX\""); } - APPEND("<", 1); - STR_APPEND(nname); + } } + break; + case TYPE_SET: + STR_APPEND(" type=\"SET\""); + break; + case TYPE_SET_OF: + STR_APPEND(" type=\"SET OF\""); + break; + case TYPE_CHOICE: + STR_APPEND(" type=\"CHOICE\""); + break; + case TYPE_DEFINITIONS: + STR_APPEND(" type=\"DEFINITIONS\""); + break; + default: + break; + } + } - if (is_node_printable(p)) { - switch (type_field(p->type)) { - case TYPE_DEFAULT: - STR_APPEND(" type=\"DEFAULT\""); - break; - case TYPE_NULL: - STR_APPEND(" type=\"NULL\""); - break; - case TYPE_IDENTIFIER: - STR_APPEND(" type=\"IDENTIFIER\""); - break; - case TYPE_INTEGER: - STR_APPEND(" type=\"INTEGER\""); - STR_APPEND(" encoding=\"HEX\""); - break; - case TYPE_ENUMERATED: - STR_APPEND(" type=\"ENUMERATED\""); - STR_APPEND(" encoding=\"HEX\""); - break; - case TYPE_TIME: - STR_APPEND(" type=\"TIME\""); - break; - case TYPE_BOOLEAN: - STR_APPEND(" type=\"BOOLEAN\""); - break; - case TYPE_SEQUENCE: - STR_APPEND(" type=\"SEQUENCE\""); - break; - case TYPE_BIT_STRING: - STR_APPEND(" type=\"BIT STRING\""); - STR_APPEND(" encoding=\"HEX\""); - break; - case TYPE_OCTET_STRING: - STR_APPEND(" type=\"OCTET STRING\""); - STR_APPEND(" encoding=\"HEX\""); - break; - case TYPE_SEQUENCE_OF: - STR_APPEND(" type=\"SEQUENCE OF\""); - break; - case TYPE_OBJECT_ID: - STR_APPEND(" type=\"OBJECT ID\""); - break; - case TYPE_ANY: - STR_APPEND(" type=\"ANY\""); - if (!p->down) STR_APPEND(" encoding=\"HEX\""); - break; - case TYPE_CONSTANT: { - ASN1_TYPE up = _asn1_find_up(p); - - if ( up && type_field(up->type)==TYPE_ANY && - up->left && up->left->value && - up->type & CONST_DEFINED_BY && - type_field(up->left->type)==TYPE_OBJECT_ID) { - - if (_gnutls_x509_oid_data_printable( up->left->value)==0) { - STR_APPEND(" encoding=\"HEX\""); - } - - } - } - break; - case TYPE_SET: - STR_APPEND(" type=\"SET\""); - break; - case TYPE_SET_OF: - STR_APPEND(" type=\"SET OF\""); - break; - case TYPE_CHOICE: - STR_APPEND(" type=\"CHOICE\""); - break; - case TYPE_DEFINITIONS: - STR_APPEND(" type=\"DEFINITIONS\""); - break; - default: - break; - } - } + if (p->type == TYPE_BIT_STRING) { + len2 = -1; + len = _asn1_get_length_der(p->value, &len2); + snprintf(tmp, sizeof(tmp), " length=\"%i\"", + (len - 1) * 8 - (p->value[len2])); + STR_APPEND(tmp); + } - if (p->type == TYPE_BIT_STRING) { - len2 = -1; - len = _asn1_get_length_der(p->value, &len2); - snprintf(tmp, sizeof(tmp), " length=\"%i\"", - (len - 1) * 8 - (p->value[len2])); + if (is_node_printable(p)) + STR_APPEND(">"); + + if (is_node_printable(p)) { + const unsigned char *value; + + if (p->value == NULL) + value = find_default_value(p); + else + value = p->value; + + switch (type_field(p->type)) { + + case TYPE_DEFAULT: + if (value) + STR_APPEND(value); + break; + case TYPE_IDENTIFIER: + if (value) + STR_APPEND(value); + break; + case TYPE_INTEGER: + if (value) { + len2 = -1; + len = _asn1_get_length_der(value, &len2); + + for (k = 0; k < len; k++) { + snprintf(tmp, sizeof(tmp), + "%02X", (value)[k + len2]); STR_APPEND(tmp); - } + } - if (is_node_printable(p)) - STR_APPEND( ">"); + } + break; + case TYPE_ENUMERATED: + if (value) { + len2 = -1; + len = _asn1_get_length_der(value, &len2); + + for (k = 0; k < len; k++) { + snprintf(tmp, sizeof(tmp), + "%02X", (value)[k + len2]); + STR_APPEND(tmp); + } + } + break; + case TYPE_TIME: + if (value) + STR_APPEND(value); + break; + case TYPE_BOOLEAN: + if (value) { + if (value[0] == 'T') { + STR_APPEND("TRUE"); + } else if (value[0] == 'F') { + STR_APPEND("FALSE"); + } + } + break; + case TYPE_BIT_STRING: + if (value) { + len2 = -1; + len = _asn1_get_length_der(value, &len2); + + for (k = 1; k < len; k++) { + snprintf(tmp, sizeof(tmp), + "%02X", (value)[k + len2]); + STR_APPEND(tmp); + } + } + break; + case TYPE_OCTET_STRING: + if (value) { + len2 = -1; + len = _asn1_get_length_der(value, &len2); + for (k = 0; k < len; k++) { + snprintf(tmp, sizeof(tmp), + "%02X", (value)[k + len2]); + STR_APPEND(tmp); + } + } + break; + case TYPE_OBJECT_ID: + if (value) + STR_APPEND(value); + break; + case TYPE_ANY: + if (!p->down) { + if (value) { + len3 = -1; + len2 = _asn1_get_length_der(value, &len3); + for (k = 0; k < len2; k++) { + snprintf(tmp, sizeof(tmp), + "%02X", (value)[k + len3]); + STR_APPEND(tmp); + } + } + } + break; + case TYPE_CONSTANT:{ + ASN1_TYPE up = _asn1_find_up(p); - if (is_node_printable(p)) { - const unsigned char *value; + if (up && type_field(up->type) == TYPE_ANY && + up->left && up->left->value && + up->type & CONST_DEFINED_BY && + type_field(up->left->type) == TYPE_OBJECT_ID) { + + len2 = _asn1_get_length_der(up->value, &len3); + + if (len2 > 0 && strcmp(p->name, "type") == 0) { + int len = sizeof(tmp); + ret = + _gnutls_x509_oid_data2string(up->left-> + value, + up->value + + len3, len2, + tmp, &len); + + if (ret >= 0) { + STR_APPEND(tmp); + } + } else { + for (k = 0; k < len2; k++) { + snprintf(tmp, sizeof(tmp), + "%02X", (up->value)[k + len3]); + STR_APPEND(tmp); + } - if (p->value == NULL) - value = find_default_value(p); - else - value = p->value; - - switch (type_field(p->type)) { - - case TYPE_DEFAULT: - if (value) - STR_APPEND(value); - break; - case TYPE_IDENTIFIER: - if (value) - STR_APPEND(value); - break; - case TYPE_INTEGER: - if (value) { - len2 = -1; - len = - _asn1_get_length_der(value, - &len2); - - for (k = 0; k < len; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", - (value)[k + - len2]); - STR_APPEND(tmp); - } - - } - break; - case TYPE_ENUMERATED: - if (value) { - len2 = -1; - len = - _asn1_get_length_der(value, - &len2); - - for (k = 0; k < len; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", - (value)[k + - len2]); - STR_APPEND(tmp); - } - } - break; - case TYPE_TIME: - if (value) - STR_APPEND(value); - break; - case TYPE_BOOLEAN: - if (value) { - if (value[0] == 'T') { - STR_APPEND("TRUE"); - } else if (value[0] == 'F') { - STR_APPEND("FALSE"); - } - } - break; - case TYPE_BIT_STRING: - if (value) { - len2 = -1; - len = - _asn1_get_length_der(value, - &len2); - - for (k = 1; k < len; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", - (value)[k + - len2]); - STR_APPEND(tmp); - } - } - break; - case TYPE_OCTET_STRING: - if (value) { - len2 = -1; - len = - _asn1_get_length_der(value, - &len2); - for (k = 0; k < len; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", - (value)[k + - len2]); - STR_APPEND(tmp); - } - } - break; - case TYPE_OBJECT_ID: - if (value) - STR_APPEND(value); - break; - case TYPE_ANY: - if (!p->down) { - if (value) { - len3 = -1; - len2 = - _asn1_get_length_der(value, - &len3); - for (k = 0; k < len2; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", - (value)[k + - len3]); - STR_APPEND(tmp); - } - } - } - break; - case TYPE_CONSTANT: { - ASN1_TYPE up = _asn1_find_up(p); - - if ( up && type_field(up->type)==TYPE_ANY && - up->left && up->left->value && - up->type & CONST_DEFINED_BY && - type_field(up->left->type)==TYPE_OBJECT_ID) { - - len2 = - _asn1_get_length_der(up->value, - &len3); - - if (len2 > 0 && strcmp( p->name, "type")==0) { - int len = sizeof(tmp); - ret = _gnutls_x509_oid_data2string( up->left->value, up->value+len3, len2, tmp, &len); - - if (ret >= 0) { - STR_APPEND( tmp); - } - } else { - for (k = 0; k < len2; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", - (up->value)[k + - len3]); - STR_APPEND(tmp); - } - - } - } else { - if (value) - STR_APPEND(value); - } - - } - break; - case TYPE_SET: - case TYPE_SET_OF: - case TYPE_CHOICE: - case TYPE_DEFINITIONS: - case TYPE_SEQUENCE_OF: - case TYPE_SEQUENCE: - case TYPE_NULL: - break; - default: - break; } + } else { + if (value) + STR_APPEND(value); + } + } + break; + case TYPE_SET: + case TYPE_SET_OF: + case TYPE_CHOICE: + case TYPE_DEFINITIONS: + case TYPE_SEQUENCE_OF: + case TYPE_SEQUENCE: + case TYPE_NULL: + break; + default: + break; + } + } - if (p->down && is_node_printable(p)) { - ASN1_TYPE x; - p = p->down; - indent += 2; - x = p; - do { - if (is_node_printable(x)) { - STR_APPEND("\n"); - break; - } - x = x->right; - } while (x != NULL); - } else if (p == root) { - if (is_node_printable(p)) { - if ((ret=normalize_name( p, nname, sizeof(nname))) < 0) { - _gnutls_string_clear( &str); - gnutls_assert(); - return ret; - } - - APPEND("</", 2); - STR_APPEND(nname); - APPEND(">\n", 2); + if (p->down && is_node_printable(p)) { + ASN1_TYPE x; + p = p->down; + indent += 2; + x = p; + do { + if (is_node_printable(x)) { + STR_APPEND("\n"); + break; + } + x = x->right; + } while (x != NULL); + } else if (p == root) { + if (is_node_printable(p)) { + if ((ret = normalize_name(p, nname, sizeof(nname))) < 0) { + _gnutls_string_clear(&str); + gnutls_assert(); + return ret; + } + + APPEND("</", 2); + STR_APPEND(nname); + APPEND(">\n", 2); + } + p = NULL; + break; + } else { + if (is_node_printable(p)) { + if ((ret = normalize_name(p, nname, sizeof(nname))) < 0) { + _gnutls_string_clear(&str); + gnutls_assert(); + return ret; + } + + APPEND("</", 2); + STR_APPEND(nname); + APPEND(">\n", 2); + } + if (p->right) + p = p->right; + else { + while (1) { + ASN1_TYPE old_p; + + old_p = p; + + p = _asn1_find_up(p); + indent -= 2; + if (is_node_printable(p)) { + if (!is_leaf(p)) /* XXX */ + for (k = 0; k < indent; k++) + STR_APPEND(" "); + + if ((ret = + normalize_name(p, nname, + sizeof(nname))) < 0) { + _gnutls_string_clear(&str); + gnutls_assert(); + return ret; } + + APPEND("</", 2); + STR_APPEND(nname); + APPEND(">\n", 2); + } + if (p == root) { p = NULL; break; - } else { - if (is_node_printable(p)) { - if ((ret=normalize_name( p, nname, sizeof(nname))) < 0) { - _gnutls_string_clear( &str); - gnutls_assert(); - return ret; - } - - APPEND("</", 2); - STR_APPEND(nname); - APPEND(">\n", 2); - } - if (p->right) - p = p->right; - else { - while (1) { - ASN1_TYPE old_p; - - old_p = p; - - p = _asn1_find_up(p); - indent -= 2; - if (is_node_printable(p)) { - if (!is_leaf(p)) /* XXX */ - for (k = 0; - k < indent; - k++) - STR_APPEND(" "); - - if ((ret=normalize_name( p, nname, sizeof(nname))) < 0) { - _gnutls_string_clear( &str); - gnutls_assert(); - return ret; - } - - APPEND("</", 2); - STR_APPEND(nname); - APPEND(">\n", 2); - } - if (p == root) { - p = NULL; - break; - } - - if (p->right) { - p = p->right; - break; - } - } - } + } + + if (p->right) { + p = p->right; + break; + } } + } } - - STR_APPEND(XML_FOOTER); - APPEND( "\n\0", 2); + } - *res = _gnutls_string2datum( &str); - res->size -= 1; /* null is not included in size */ - - return 0; + STR_APPEND(XML_FOOTER); + APPEND("\n\0", 2); + + *res = _gnutls_string2datum(&str); + res->size -= 1; /* null is not included in size */ + + return 0; } /** @@ -608,20 +595,21 @@ _gnutls_asn1_get_structure_xml(ASN1_TYPE structure, * Returns a negative error code in case of an error. * **/ -int gnutls_x509_crt_to_xml(gnutls_x509_crt cert, gnutls_datum* res, int detail) +int gnutls_x509_crt_to_xml(gnutls_x509_crt cert, gnutls_datum * res, + int detail) { - int result; + int result; - res->data = NULL; - res->size = 0; - - result = _gnutls_asn1_get_structure_xml( cert->cert, res, detail); - if (result < 0) { - gnutls_assert(); - return result; - } + res->data = NULL; + res->size = 0; - return 0; + result = _gnutls_asn1_get_structure_xml(cert->cert, res, detail); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /* This function will attempt to parse Extensions in @@ -630,45 +618,45 @@ int gnutls_x509_crt_to_xml(gnutls_x509_crt cert, gnutls_datum* res, int detail) * If no_critical_ext is non zero, then unsupported critical extensions * do not lead into a fatal error. */ -static int _gnutls_x509_expand_extensions(ASN1_TYPE* rasn) +static int _gnutls_x509_expand_extensions(ASN1_TYPE * rasn) { - int k, result, len; - char name[128], name2[128], counter[MAX_INT_DIGITS]; - char name1[128]; - char extnID[128]; + int k, result, len; + char name[128], name2[128], counter[MAX_INT_DIGITS]; + char name1[128]; + char extnID[128]; - k = 0; - do { - k++; + k = 0; + do { + k++; - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(k, counter); - _gnutls_str_cat(name, sizeof(name), counter); + _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); + _gnutls_int2str(k, counter); + _gnutls_str_cat(name, sizeof(name), counter); - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnID"); + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnID"); - _gnutls_str_cpy(name1, sizeof(name1), name); - _gnutls_str_cat(name1, sizeof(name1), ".extnValue"); + _gnutls_str_cpy(name1, sizeof(name1), name); + _gnutls_str_cat(name1, sizeof(name1), ".extnValue"); - len = sizeof(extnID) - 1; + len = sizeof(extnID) - 1; - result = asn1_expand_octet_string( _gnutls_get_pkix(), - rasn, name1, name2); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - } while (1); + result = asn1_expand_octet_string(_gnutls_get_pkix(), + rasn, name1, name2); if (result == ASN1_ELEMENT_NOT_FOUND) - return 0; - else - return _gnutls_asn2err(result); + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + } while (1); + + if (result == ASN1_ELEMENT_NOT_FOUND) + return 0; + else + return _gnutls_asn2err(result); } #endif diff --git a/lib/x509_b64.c b/lib/x509_b64.c index 234ca13c1a..dcdb9dbade 100644 --- a/lib/x509_b64.c +++ b/lib/x509_b64.c @@ -32,71 +32,69 @@ static const uint8 b64table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; static const uint8 asciitable[128] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0x3e, 0xff, 0xff, 0xff, 0x3f, - 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, - 0x3a, 0x3b, 0x3c, 0x3d, 0xff, 0xff, - 0xff, 0xf1, 0xff, 0xff, 0xff, 0x00, /* 0xf1 for '=' */ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, - 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, - 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, - 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, - 0x19, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, - 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, - 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, - 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, - 0x31, 0x32, 0x33, 0xff, 0xff, 0xff, - 0xff, 0xff + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0x3e, 0xff, 0xff, 0xff, 0x3f, + 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, + 0x3a, 0x3b, 0x3c, 0x3d, 0xff, 0xff, + 0xff, 0xf1, 0xff, 0xff, 0xff, 0x00, /* 0xf1 for '=' */ + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, + 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, + 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, + 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, + 0x19, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, + 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, + 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, + 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, + 0x31, 0x32, 0x33, 0xff, 0xff, 0xff, + 0xff, 0xff }; -inline static int encode(char * result, const uint8 * data, int left) +inline static int encode(char *result, const uint8 * data, int left) { - int data_len; - - if (left > 3) - data_len = 3; - else - data_len = left; - - switch (data_len) { - case 3: - result[0] = b64table[(data[0] >> 2)]; - result[1] = - b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | - (data[1] >> 4))]; - result[2] = - b64table[((((data[1] & 0x0f) << 2) & 0xff) | - (data[2] >> 6))]; - result[3] = b64table[(((data[2] << 2) & 0xff) >> 2)]; - break; - case 2: - result[0] = b64table[(data[0] >> 2)]; - result[1] = - b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | - (data[1] >> 4))]; - result[2] = b64table[(((data[1] << 4) & 0xff) >> 2)]; - result[3] = '='; - break; - case 1: - result[0] = b64table[(data[0] >> 2)]; - result[1] = - b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff))]; - result[2] = '='; - result[3] = '='; - break; - default: - return -1; - } - - return 4; + int data_len; + + if (left > 3) + data_len = 3; + else + data_len = left; + + switch (data_len) { + case 3: + result[0] = b64table[(data[0] >> 2)]; + result[1] = + b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | + (data[1] >> 4))]; + result[2] = + b64table[((((data[1] & 0x0f) << 2) & 0xff) | (data[2] >> 6))]; + result[3] = b64table[(((data[2] << 2) & 0xff) >> 2)]; + break; + case 2: + result[0] = b64table[(data[0] >> 2)]; + result[1] = + b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | + (data[1] >> 4))]; + result[2] = b64table[(((data[1] << 4) & 0xff) >> 2)]; + result[3] = '='; + break; + case 1: + result[0] = b64table[(data[0] >> 2)]; + result[1] = b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff))]; + result[2] = '='; + result[3] = '='; + break; + default: + return -1; + } + + return 4; } @@ -106,61 +104,62 @@ inline static int encode(char * result, const uint8 * data, int left) #define TOASCII(c) (c < 127 ? asciitable[c] : 0xff) inline static int decode(uint8 * result, const opaque * data) { - uint8 a1, a2; - int ret = 3; - - a1 = TOASCII(data[0]); - a2 = TOASCII(data[1]); - if (a1 == 0xff || a2 == 0xff) - return -1; - result[0] = ((a1 << 2) & 0xff) | ((a2 >> 4) & 0xff); - - a1 = a2; - a2 = TOASCII(data[2]); - if (a2 == 0xff) - return -1; - result[1] = ((a1 << 4) & 0xff) | ((a2 >> 2) & 0xff); - - a1 = a2; - a2 = TOASCII(data[3]); - if (a2 == 0xff) - return -1; - result[2] = ((a1 << 6) & 0xff) | (a2 & 0xff); - - if (data[2] == '=') - ret--; - - if (data[3] == '=') - ret--; - return ret; + uint8 a1, a2; + int ret = 3; + + a1 = TOASCII(data[0]); + a2 = TOASCII(data[1]); + if (a1 == 0xff || a2 == 0xff) + return -1; + result[0] = ((a1 << 2) & 0xff) | ((a2 >> 4) & 0xff); + + a1 = a2; + a2 = TOASCII(data[2]); + if (a2 == 0xff) + return -1; + result[1] = ((a1 << 4) & 0xff) | ((a2 >> 2) & 0xff); + + a1 = a2; + a2 = TOASCII(data[3]); + if (a2 == 0xff) + return -1; + result[2] = ((a1 << 6) & 0xff) | (a2 & 0xff); + + if (data[2] == '=') + ret--; + + if (data[3] == '=') + ret--; + return ret; } /* encodes data and puts the result into result (locally allocated) * The result_size is the return value */ -int _gnutls_base64_encode(const uint8 * data, size_t data_size, uint8 ** result) +int _gnutls_base64_encode(const uint8 * data, size_t data_size, + uint8 ** result) { - unsigned int i, j; - int ret, tmp; - char tmpres[4]; - - ret = B64SIZE( data_size); - - (*result) = gnutls_malloc(ret + 1); - if ((*result) == NULL) - return GNUTLS_E_MEMORY_ERROR; - - for (i = j = 0; i < data_size; i += 3, j += 4) { - tmp = encode(tmpres, &data[i], data_size - i); - if (tmp == -1) { - gnutls_free( (*result)); - return GNUTLS_E_MEMORY_ERROR; - } - memcpy(&(*result)[j], tmpres, tmp); + unsigned int i, j; + int ret, tmp; + char tmpres[4]; + + ret = B64SIZE(data_size); + + (*result) = gnutls_malloc(ret + 1); + if ((*result) == NULL) + return GNUTLS_E_MEMORY_ERROR; + + for (i = j = 0; i < data_size; i += 3, j += 4) { + tmp = encode(tmpres, &data[i], data_size - i); + if (tmp == -1) { + gnutls_free((*result)); + return GNUTLS_E_MEMORY_ERROR; } - (*result)[ret] = 0; /* null terminated */ + memcpy(&(*result)[j], tmpres, tmp); + } + (*result)[ret] = 0; /* null terminated */ - return ret; + return ret; } #define INCR(what, size) \ @@ -171,102 +170,103 @@ int _gnutls_base64_encode(const uint8 * data, size_t data_size, uint8 ** result) gnutls_free( (*result)); *result = NULL; \ return GNUTLS_E_INTERNAL_ERROR; \ } \ - } while(0) + } while(0) /* encodes data and puts the result into result (locally allocated) * The result_size (including the null terminator) is the return value. */ -int _gnutls_fbase64_encode(const char *msg, const uint8 * data, int data_size, - uint8 ** result) +int _gnutls_fbase64_encode(const char *msg, const uint8 * data, + int data_size, uint8 ** result) { - int i, ret, tmp, j; - char tmpres[4]; - uint8 *ptr; - uint8 top[80]; - uint8 bottom[80]; - int pos, bytes, top_len, bottom_len; - size_t msglen = strlen(msg); - - if (msglen > 50) { - gnutls_assert(); - return GNUTLS_E_BASE64_ENCODING_ERROR; + int i, ret, tmp, j; + char tmpres[4]; + uint8 *ptr; + uint8 top[80]; + uint8 bottom[80]; + int pos, bytes, top_len, bottom_len; + size_t msglen = strlen(msg); + + if (msglen > 50) { + gnutls_assert(); + return GNUTLS_E_BASE64_ENCODING_ERROR; + } + + memset(bottom, 0, sizeof(bottom)); + memset(top, 0, sizeof(top)); + + strcat(top, "-----BEGIN "); /* Flawfinder: ignore */ + strcat(top, msg); /* Flawfinder: ignore */ + strcat(top, "-----"); /* Flawfinder: ignore */ + + strcat(bottom, "\n-----END "); /* Flawfinder: ignore */ + strcat(bottom, msg); /* Flawfinder: ignore */ + strcat(bottom, "-----\n"); /* Flawfinder: ignore */ + + top_len = strlen(top); + bottom_len = strlen(bottom); + + ret = B64FSIZE(msglen, data_size); + + (*result) = gnutls_calloc(1, ret + 1); + if ((*result) == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + bytes = pos = 0; + INCR(bytes, top_len); + pos = top_len; + + strcpy(*result, top); /* Flawfinder: ignore */ + + for (i = j = 0; i < data_size; i += 3, j += 4) { + + tmp = encode(tmpres, &data[i], data_size - i); + if (tmp == -1) { + gnutls_assert(); + gnutls_free((*result)); + *result = NULL; + return GNUTLS_E_BASE64_ENCODING_ERROR; } - memset(bottom, 0, sizeof(bottom)); - memset(top, 0, sizeof(top)); + INCR(bytes, 4); + ptr = &(*result)[j + pos]; - strcat(top, "-----BEGIN "); /* Flawfinder: ignore */ - strcat(top, msg); /* Flawfinder: ignore */ - strcat(top, "-----"); /* Flawfinder: ignore */ - - strcat(bottom, "\n-----END "); /* Flawfinder: ignore */ - strcat(bottom, msg); /* Flawfinder: ignore */ - strcat(bottom, "-----\n"); /* Flawfinder: ignore */ - - top_len = strlen(top); - bottom_len = strlen(bottom); + if ((j) % 64 == 0) { + INCR(bytes, 1); + pos++; + *ptr++ = '\n'; + } + *ptr++ = tmpres[0]; - ret = B64FSIZE( msglen, data_size); + if ((j + 1) % 64 == 0) { + INCR(bytes, 1); + pos++; + *ptr++ = '\n'; + } + *ptr++ = tmpres[1]; - (*result) = gnutls_calloc(1, ret + 1); - if ((*result) == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if ((j + 2) % 64 == 0) { + INCR(bytes, 1); + pos++; + *ptr++ = '\n'; } + *ptr++ = tmpres[2]; - bytes = pos = 0; - INCR( bytes, top_len); - pos = top_len; - - strcpy(*result, top); /* Flawfinder: ignore */ - - for (i = j = 0; i < data_size; i += 3, j += 4) { - - tmp = encode(tmpres, &data[i], data_size - i); - if (tmp == -1) { - gnutls_assert(); - gnutls_free( (*result)); *result = NULL; - return GNUTLS_E_BASE64_ENCODING_ERROR; - } - - INCR(bytes, 4); - ptr = &(*result)[j + pos]; - - if ((j) % 64 == 0) { - INCR(bytes, 1); - pos++; - *ptr++ = '\n'; - } - *ptr++ = tmpres[0]; - - if ((j + 1) % 64 == 0) { - INCR(bytes, 1); - pos++; - *ptr++ = '\n'; - } - *ptr++ = tmpres[1]; - - if ((j + 2) % 64 == 0) { - INCR(bytes, 1); - pos++; - *ptr++ = '\n'; - } - *ptr++ = tmpres[2]; - - if ((j + 3) % 64 == 0) { - INCR(bytes, 1); - pos++; - *ptr++ = '\n'; - } - *ptr++ = tmpres[3]; + if ((j + 3) % 64 == 0) { + INCR(bytes, 1); + pos++; + *ptr++ = '\n'; } + *ptr++ = tmpres[3]; + } - INCR( bytes, bottom_len); + INCR(bytes, bottom_len); - memcpy( &(*result)[ bytes-bottom_len], bottom, bottom_len); - (*result)[ bytes] = 0; + memcpy(&(*result)[bytes - bottom_len], bottom, bottom_len); + (*result)[bytes] = 0; - return ret + 1; + return ret + 1; } /** @@ -284,26 +284,27 @@ int _gnutls_fbase64_encode(const char *msg, const uint8 * data, int data_size, * the terminating null. * **/ -int gnutls_pem_base64_encode( const char* msg, const gnutls_datum *data, char* result, - size_t* result_size) { -opaque* ret; -int size; - - size = _gnutls_fbase64_encode( msg, data->data, data->size, &ret); - if (size < 0) - return size; - - if (result==NULL || *result_size < (uint)size) { - gnutls_free(ret); - *result_size = size; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } else { - memcpy( result, ret, size); - gnutls_free(ret); - *result_size = size - 1; - } - - return 0; +int gnutls_pem_base64_encode(const char *msg, const gnutls_datum * data, + char *result, size_t * result_size) +{ + opaque *ret; + int size; + + size = _gnutls_fbase64_encode(msg, data->data, data->size, &ret); + if (size < 0) + return size; + + if (result == NULL || *result_size < (uint) size) { + gnutls_free(ret); + *result_size = size; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } else { + memcpy(result, ret, size); + gnutls_free(ret); + *result_size = size - 1; + } + + return 0; } /** @@ -319,69 +320,74 @@ int size; * You should use gnutls_free() to free the returned data. * **/ -int gnutls_pem_base64_encode_alloc( const char* msg, const gnutls_datum *data, - gnutls_datum* result) +int gnutls_pem_base64_encode_alloc(const char *msg, + const gnutls_datum * data, + gnutls_datum * result) { -opaque* ret; -int size; + opaque *ret; + int size; - if (result==NULL) return GNUTLS_E_INVALID_REQUEST; + if (result == NULL) + return GNUTLS_E_INVALID_REQUEST; - size = _gnutls_fbase64_encode( msg, data->data, data->size, &ret); - if (size < 0) - return size; + size = _gnutls_fbase64_encode(msg, data->data, data->size, &ret); + if (size < 0) + return size; - result->data = ret; - result->size = size - 1; - return 0; + result->data = ret; + result->size = size - 1; + return 0; } /* decodes data and puts the result into result (locally allocated) * The result_size is the return value */ -int _gnutls_base64_decode(const uint8 * data, size_t data_size, uint8 ** result) +int _gnutls_base64_decode(const uint8 * data, size_t data_size, + uint8 ** result) { - unsigned int i, j; - int ret, tmp, est; - uint8 tmpres[3]; - - est = ((data_size * 3) / 4) + 1; - (*result) = gnutls_malloc(est); - if ((*result) == NULL) - return GNUTLS_E_MEMORY_ERROR; - - ret = 0; - for (i = j = 0; i < data_size; i += 4, j += 3) { - tmp = decode(tmpres, &data[i]); - if (tmp < 0) { - gnutls_free( *result); *result = NULL; - return tmp; - } - memcpy(&(*result)[j], tmpres, tmp); - ret += tmp; + unsigned int i, j; + int ret, tmp, est; + uint8 tmpres[3]; + + est = ((data_size * 3) / 4) + 1; + (*result) = gnutls_malloc(est); + if ((*result) == NULL) + return GNUTLS_E_MEMORY_ERROR; + + ret = 0; + for (i = j = 0; i < data_size; i += 4, j += 3) { + tmp = decode(tmpres, &data[i]); + if (tmp < 0) { + gnutls_free(*result); + *result = NULL; + return tmp; } - return ret; + memcpy(&(*result)[j], tmpres, tmp); + ret += tmp; + } + return ret; } /* copies data to result but removes newlines and <CR> * returns the size of the data copied. */ -inline static int cpydata(const uint8 * data, int data_size, uint8 ** result) +inline static int cpydata(const uint8 * data, int data_size, + uint8 ** result) { - int i, j; - - (*result) = gnutls_malloc(data_size); - if (*result == NULL) - return GNUTLS_E_MEMORY_ERROR; - - for (j = i = 0; i < data_size; i++) { - if (data[i] == '\n' || data[i] == '\r') - continue; - (*result)[j] = data[i]; - j++; - } - return j; + int i, j; + + (*result) = gnutls_malloc(data_size); + if (*result == NULL) + return GNUTLS_E_MEMORY_ERROR; + + for (j = i = 0; i < data_size; i++) { + if (data[i] == '\n' || data[i] == '\r') + continue; + (*result)[j] = data[i]; + j++; + } + return j; } /* Searches the given string for ONE PEM encoded certificate, and @@ -391,90 +397,91 @@ inline static int cpydata(const uint8 * data, int data_size, uint8 ** result) */ #define ENDSTR "-----\n" #define ENDSTR2 "-----\r" -int _gnutls_fbase64_decode( const char* header, const opaque * data, size_t data_size, - uint8 ** result) +int _gnutls_fbase64_decode(const char *header, const opaque * data, + size_t data_size, uint8 ** result) { - int ret; - static const char top[] = "-----BEGIN "; - static const char bottom[] = "\n-----END "; - uint8 *rdata; - int rdata_size; - uint8 *kdata; - int kdata_size; - char pem_header[128]; - - _gnutls_str_cpy( pem_header, sizeof(pem_header), top); - if (header != NULL) - _gnutls_str_cat( pem_header, sizeof(pem_header), header); - - rdata = strnstr( data, pem_header, data_size); - - if (rdata==NULL) { - gnutls_assert(); - _gnutls_debug_log( "Could not find '%s'\n", pem_header); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - - data_size -= (unsigned long int)rdata-(unsigned long int)data; - - if (data_size < 4 + strlen(bottom)) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - - kdata = strnstr( rdata, ENDSTR, data_size); - /* allow CR as well. - */ - if (kdata==NULL) kdata = strnstr( rdata, ENDSTR2, data_size); - - if (kdata==NULL) { - gnutls_assert(); - _gnutls_x509_log( "Could not find '%s'\n", ENDSTR); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - data_size -= strlen(ENDSTR); - data_size -= (unsigned long int)kdata-(unsigned long int)rdata; - - rdata = kdata + strlen(ENDSTR); - - /* position is now after the ---BEGIN--- headers */ - - kdata = strnstr( rdata, bottom, data_size); - if (kdata==NULL) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - - /* position of kdata is before the ----END--- footer - */ - rdata_size = (unsigned long int)kdata-(unsigned long int)rdata; - - if (rdata_size < 4) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - - kdata_size = cpydata(rdata, rdata_size, &kdata); - - if (kdata_size < 0) { - gnutls_assert(); - return kdata_size; - } - - if (kdata_size < 4) { - gnutls_assert(); - gnutls_free(kdata); - return GNUTLS_E_BASE64_DECODING_ERROR; - } + int ret; + static const char top[] = "-----BEGIN "; + static const char bottom[] = "\n-----END "; + uint8 *rdata; + int rdata_size; + uint8 *kdata; + int kdata_size; + char pem_header[128]; + + _gnutls_str_cpy(pem_header, sizeof(pem_header), top); + if (header != NULL) + _gnutls_str_cat(pem_header, sizeof(pem_header), header); + + rdata = strnstr(data, pem_header, data_size); + + if (rdata == NULL) { + gnutls_assert(); + _gnutls_debug_log("Could not find '%s'\n", pem_header); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + + data_size -= (unsigned long int) rdata - (unsigned long int) data; + + if (data_size < 4 + strlen(bottom)) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + + kdata = strnstr(rdata, ENDSTR, data_size); + /* allow CR as well. + */ + if (kdata == NULL) + kdata = strnstr(rdata, ENDSTR2, data_size); + + if (kdata == NULL) { + gnutls_assert(); + _gnutls_x509_log("Could not find '%s'\n", ENDSTR); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + data_size -= strlen(ENDSTR); + data_size -= (unsigned long int) kdata - (unsigned long int) rdata; + + rdata = kdata + strlen(ENDSTR); + + /* position is now after the ---BEGIN--- headers */ + + kdata = strnstr(rdata, bottom, data_size); + if (kdata == NULL) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + + /* position of kdata is before the ----END--- footer + */ + rdata_size = (unsigned long int) kdata - (unsigned long int) rdata; + + if (rdata_size < 4) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + + kdata_size = cpydata(rdata, rdata_size, &kdata); + + if (kdata_size < 0) { + gnutls_assert(); + return kdata_size; + } + + if (kdata_size < 4) { + gnutls_assert(); + gnutls_free(kdata); + return GNUTLS_E_BASE64_DECODING_ERROR; + } - if ((ret = _gnutls_base64_decode( kdata, kdata_size, result)) < 0) { - gnutls_free(kdata); - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } + if ((ret = _gnutls_base64_decode(kdata, kdata_size, result)) < 0) { gnutls_free(kdata); - - return ret; + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + gnutls_free(kdata); + + return ret; } /** @@ -491,27 +498,30 @@ int _gnutls_fbase64_decode( const char* header, const opaque * data, size_t data * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the buffer given is not long enough, * or 0 on success. **/ -int gnutls_pem_base64_decode( const char* header, const gnutls_datum *b64_data, - unsigned char* result, size_t* result_size) +int gnutls_pem_base64_decode(const char *header, + const gnutls_datum * b64_data, + unsigned char *result, size_t * result_size) { -opaque* ret; -int size; - - size = _gnutls_fbase64_decode( header, b64_data->data, b64_data->size, &ret); - if (size < 0) - return size; - - if (result==NULL || *result_size < (uint)size) { - gnutls_free(ret); - *result_size = size; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } else { - memcpy( result, ret, size); - gnutls_free(ret); - *result_size = size; - } - - return 0; + opaque *ret; + int size; + + size = + _gnutls_fbase64_decode(header, b64_data->data, b64_data->size, + &ret); + if (size < 0) + return size; + + if (result == NULL || *result_size < (uint) size) { + gnutls_free(ret); + *result_size = size; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } else { + memcpy(result, ret, size); + gnutls_free(ret); + *result_size = size; + } + + return 0; } /** @@ -529,19 +539,23 @@ int size; * You should use gnutls_free() to free the returned data. * **/ -int gnutls_pem_base64_decode_alloc( const char* header, const gnutls_datum *b64_data, - gnutls_datum* result) +int gnutls_pem_base64_decode_alloc(const char *header, + const gnutls_datum * b64_data, + gnutls_datum * result) { -opaque* ret; -int size; + opaque *ret; + int size; - if (result==NULL) return GNUTLS_E_INVALID_REQUEST; + if (result == NULL) + return GNUTLS_E_INVALID_REQUEST; - size = _gnutls_fbase64_decode( header, b64_data->data, b64_data->size, &ret); - if (size < 0) - return size; + size = + _gnutls_fbase64_decode(header, b64_data->data, b64_data->size, + &ret); + if (size < 0) + return size; - result->data = ret; - result->size = size; - return 0; + result->data = ret; + result->size = size; + return 0; } diff --git a/lib/x509_b64.h b/lib/x509_b64.h index ada3333742..11ce26eeb0 100644 --- a/lib/x509_b64.h +++ b/lib/x509_b64.h @@ -1,15 +1,17 @@ -int _gnutls_base64_encode(const uint8 * data, size_t data_size, uint8 ** result); -int _gnutls_fbase64_encode(const char *msg, const uint8 * data, int data_size, - uint8 ** result); -int _gnutls_base64_decode(const uint8 * data, size_t data_size, uint8 ** result); -int _gnutls_fbase64_decode( const char* header, const uint8 * data, size_t data_size, - uint8 ** result); +int _gnutls_base64_encode(const uint8 * data, size_t data_size, + uint8 ** result); +int _gnutls_fbase64_encode(const char *msg, const uint8 * data, + int data_size, uint8 ** result); +int _gnutls_base64_decode(const uint8 * data, size_t data_size, + uint8 ** result); +int _gnutls_fbase64_decode(const char *header, const uint8 * data, + size_t data_size, uint8 ** result); #define B64SIZE( data_size) ((data_size%3==0)?((data_size*4)/3):(4+((data_size/3)*4))) /* The size for B64 encoding + newlines plus header */ - + #define HEADSIZE( hsize) \ sizeof("-----BEGIN ")-1+sizeof("-----")-1+ \ sizeof("\n-----END ")-1+sizeof("-----\n")-1+hsize+hsize @@ -17,4 +19,3 @@ int _gnutls_fbase64_decode( const char* header, const uint8 * data, size_t data_ #define B64FSIZE( hsize, dsize) \ (B64SIZE(dsize) + HEADSIZE(hsize) + /*newlines*/ \ B64SIZE(dsize)/64 + (((B64SIZE(dsize) % 64) > 0) ? 1 : 0)) - diff --git a/libextra/auth_srp.c b/libextra/auth_srp.c index cbeb134210..306d49a5b2 100644 --- a/libextra/auth_srp.c +++ b/libextra/auth_srp.c @@ -42,20 +42,20 @@ int _gnutls_proc_srp_server_kx(gnutls_session, opaque *, size_t); int _gnutls_proc_srp_client_kx(gnutls_session, opaque *, size_t); const mod_auth_st srp_auth_struct = { - "SRP", - NULL, - NULL, - _gnutls_gen_srp_server_kx, - _gnutls_gen_srp_client_kx, - NULL, - NULL, - - NULL, - NULL, /* certificate */ - _gnutls_proc_srp_server_kx, - _gnutls_proc_srp_client_kx, - NULL, - NULL + "SRP", + NULL, + NULL, + _gnutls_gen_srp_server_kx, + _gnutls_gen_srp_client_kx, + NULL, + NULL, + + NULL, + NULL, /* certificate */ + _gnutls_proc_srp_server_kx, + _gnutls_proc_srp_client_kx, + NULL, + NULL }; @@ -72,56 +72,54 @@ const mod_auth_st srp_auth_struct = { * Returns a proper error code in that case, and 0 when * all are ok. */ -inline -static int check_b_mod_n( GNUTLS_MPI b, GNUTLS_MPI n) +inline static int check_b_mod_n(GNUTLS_MPI b, GNUTLS_MPI n) { -int ret; -GNUTLS_MPI r = _gnutls_mpi_alloc_like(b); + int ret; + GNUTLS_MPI r = _gnutls_mpi_alloc_like(b); - if (r == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (r == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - _gnutls_mpi_mod( r, b, n); - ret = _gnutls_mpi_cmp_ui(r, 0); - - _gnutls_mpi_release( &r); + _gnutls_mpi_mod(r, b, n); + ret = _gnutls_mpi_cmp_ui(r, 0); - if (ret == 0) { - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } - - return 0; + _gnutls_mpi_release(&r); + + if (ret == 0) { + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } + + return 0; } /* Checks if a%n==0,+1,-1%n which is a fatal srp error. * Returns a proper error code in that case, and 0 when * all are ok. */ -inline -static int check_a_mod_n( GNUTLS_MPI a, GNUTLS_MPI n) +inline static int check_a_mod_n(GNUTLS_MPI a, GNUTLS_MPI n) { -int ret; -GNUTLS_MPI r = _gnutls_mpi_alloc_like(a); + int ret; + GNUTLS_MPI r = _gnutls_mpi_alloc_like(a); - if (r == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (r == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - _gnutls_mpi_mod( r, a, n); - ret = _gnutls_mpi_cmp_ui(r, 0); - - _gnutls_mpi_release( &r); + _gnutls_mpi_mod(r, a, n); + ret = _gnutls_mpi_cmp_ui(r, 0); - if (ret == 0) { - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } - - return 0; + _gnutls_mpi_release(&r); + + if (ret == 0) { + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } + + return 0; } @@ -130,275 +128,281 @@ GNUTLS_MPI r = _gnutls_mpi_alloc_like(a); */ int _gnutls_gen_srp_server_kx(gnutls_session session, opaque ** data) { - int ret; - uint8 *data_n, *data_s; - uint8 *data_g; - char *username; - SRP_PWD_ENTRY *pwd_entry; - srp_server_auth_info_t info; - ssize_t data_size; - size_t n_b, tmp_size; - char buf[64]; - uint8 *data_b; - - if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_SRP, sizeof( srp_server_auth_info_st), 1)) < 0) { - gnutls_assert(); - return ret; - } + int ret; + uint8 *data_n, *data_s; + uint8 *data_g; + char *username; + SRP_PWD_ENTRY *pwd_entry; + srp_server_auth_info_t info; + ssize_t data_size; + size_t n_b, tmp_size; + char buf[64]; + uint8 *data_b; + + if ((ret = + _gnutls_auth_info_set(session, GNUTLS_CRD_SRP, + sizeof(srp_server_auth_info_st), 1)) < 0) { + gnutls_assert(); + return ret; + } - info = _gnutls_get_auth_info( session); - username = info->username; + info = _gnutls_get_auth_info(session); + username = info->username; - _gnutls_str_cpy( username, MAX_SRP_USERNAME, session->security_parameters.extensions.srp_username); + _gnutls_str_cpy(username, MAX_SRP_USERNAME, + session->security_parameters.extensions.srp_username); - ret = _gnutls_srp_pwd_read_entry( session, username, &pwd_entry); + ret = _gnutls_srp_pwd_read_entry(session, username, &pwd_entry); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* copy from pwd_entry to local variables (actually in session) */ - if (_gnutls_mpi_scan( &G, pwd_entry->g.data, &pwd_entry->g.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } + /* copy from pwd_entry to local variables (actually in session) */ + if (_gnutls_mpi_scan(&G, pwd_entry->g.data, &pwd_entry->g.size) < 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } - tmp_size = pwd_entry->n.size; - if (_gnutls_mpi_scan( &N, pwd_entry->n.data, &tmp_size) < 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } + tmp_size = pwd_entry->n.size; + if (_gnutls_mpi_scan(&N, pwd_entry->n.data, &tmp_size) < 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } - tmp_size = pwd_entry->v.size; - if (_gnutls_mpi_scan( &V, pwd_entry->v.data, &tmp_size) < 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } + tmp_size = pwd_entry->v.size; + if (_gnutls_mpi_scan(&V, pwd_entry->v.data, &tmp_size) < 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } - /* Calculate: B = (k*v + g^b) % N - */ - B = _gnutls_calc_srp_B( &_b, G, N, V); - if (B==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + /* Calculate: B = (k*v + g^b) % N + */ + B = _gnutls_calc_srp_B(&_b, G, N, V); + if (B == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - if (_gnutls_mpi_print( NULL, &n_b, B)!=0) { - gnutls_assert(); - return GNUTLS_E_MPI_PRINT_FAILED; - } + if (_gnutls_mpi_print(NULL, &n_b, B) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_PRINT_FAILED; + } - /* Allocate size to hold the N, g, s, B - */ + /* Allocate size to hold the N, g, s, B + */ - data_size = (pwd_entry->n.size + 2 + pwd_entry->g.size + 2 + - pwd_entry->salt.size + 1) + (n_b + 2); + data_size = (pwd_entry->n.size + 2 + pwd_entry->g.size + 2 + + pwd_entry->salt.size + 1) + (n_b + 2); - (*data) = gnutls_malloc( data_size); - if ( (*data) == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + (*data) = gnutls_malloc(data_size); + if ((*data) == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - /* copy N (mod n) - */ - data_n = *data; - _gnutls_write_datum16( data_n, pwd_entry->n); + /* copy N (mod n) + */ + data_n = *data; + _gnutls_write_datum16(data_n, pwd_entry->n); - /* copy G (generator) to data - */ - data_g = &data_n[2 + pwd_entry->n.size]; - _gnutls_write_datum16( data_g, pwd_entry->g); + /* copy G (generator) to data + */ + data_g = &data_n[2 + pwd_entry->n.size]; + _gnutls_write_datum16(data_g, pwd_entry->g); - /* copy the salt - */ - data_s = &data_g[2 + pwd_entry->g.size]; - _gnutls_write_datum8( data_s, pwd_entry->salt); + /* copy the salt + */ + data_s = &data_g[2 + pwd_entry->g.size]; + _gnutls_write_datum8(data_s, pwd_entry->salt); - /* Copy the B value - */ + /* Copy the B value + */ - data_b = &data_s[1+pwd_entry->salt.size]; - if (_gnutls_mpi_print( &data_b[2], &n_b, B)!=0) - return GNUTLS_E_MPI_PRINT_FAILED; - _gnutls_write_uint16( n_b, data_b); + data_b = &data_s[1 + pwd_entry->salt.size]; + if (_gnutls_mpi_print(&data_b[2], &n_b, B) != 0) + return GNUTLS_E_MPI_PRINT_FAILED; + _gnutls_write_uint16(n_b, data_b); - _gnutls_hard_log( "INT: SRP B[%d]: %s\n", n_b, _gnutls_bin2hex(&data_b[2], n_b, buf, sizeof(buf))); + _gnutls_hard_log("INT: SRP B[%d]: %s\n", n_b, + _gnutls_bin2hex(&data_b[2], n_b, buf, sizeof(buf))); - _gnutls_srp_entry_free( pwd_entry); + _gnutls_srp_entry_free(pwd_entry); - return data_size; + return data_size; } /* return A = g^a % N */ int _gnutls_gen_srp_client_kx(gnutls_session session, opaque ** data) { - size_t n_a; - int ret; - uint8 *data_a; - char *username; - char buf[64]; - char *password; - const gnutls_srp_client_credentials cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_SRP, NULL); - - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (session->internals.srp_username == NULL) { - username = cred->username; - password = cred->password; - } else { - username = session->internals.srp_username; - password = session->internals.srp_password; - } - - if (username == NULL || password == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - /* calc A = g^a % N - */ - if (G == NULL || N == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - A = _gnutls_calc_srp_A( &_a, G, N); - if (A==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - /* Rest of SRP calculations - */ - - /* calculate u */ - session->key->u = _gnutls_calc_srp_u(A, B); - if ( session->key->u == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - _gnutls_dump_mpi( "SRP U: ", session->key->u); - - /* S = (B - g^x) ^ (a + u * x) % N */ - S = _gnutls_calc_srp_S2( B, G, session->key->x, _a, session->key->u, N); - if (S==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - _gnutls_dump_mpi( "SRP B: ", B); - - _gnutls_mpi_release(&_b); - _gnutls_mpi_release(&V); - _gnutls_mpi_release(&session->key->u); - _gnutls_mpi_release(&B); - - ret = _gnutls_generate_session_key( session->key); - _gnutls_mpi_release(&S); - - if (ret < 0) - return ret; + size_t n_a; + int ret; + uint8 *data_a; + char *username; + char buf[64]; + char *password; + const gnutls_srp_client_credentials cred = + _gnutls_get_cred(session->key, GNUTLS_CRD_SRP, NULL); + + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (session->internals.srp_username == NULL) { + username = cred->username; + password = cred->password; + } else { + username = session->internals.srp_username; + password = session->internals.srp_password; + } + + if (username == NULL || password == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + /* calc A = g^a % N + */ + if (G == NULL || N == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + A = _gnutls_calc_srp_A(&_a, G, N); + if (A == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + /* Rest of SRP calculations + */ + + /* calculate u */ + session->key->u = _gnutls_calc_srp_u(A, B); + if (session->key->u == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + _gnutls_dump_mpi("SRP U: ", session->key->u); + + /* S = (B - g^x) ^ (a + u * x) % N */ + S = _gnutls_calc_srp_S2(B, G, session->key->x, _a, session->key->u, N); + if (S == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + _gnutls_dump_mpi("SRP B: ", B); + + _gnutls_mpi_release(&_b); + _gnutls_mpi_release(&V); + _gnutls_mpi_release(&session->key->u); + _gnutls_mpi_release(&B); + + ret = _gnutls_generate_session_key(session->key); + _gnutls_mpi_release(&S); + + if (ret < 0) + return ret; - if (_gnutls_mpi_print( NULL, &n_a, A)!=0) { - gnutls_assert(); - return GNUTLS_E_MPI_PRINT_FAILED; - } + if (_gnutls_mpi_print(NULL, &n_a, A) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_PRINT_FAILED; + } - (*data) = gnutls_malloc(n_a + 2); - if ( (*data) == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + (*data) = gnutls_malloc(n_a + 2); + if ((*data) == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - /* copy A */ - data_a = (*data); - if (_gnutls_mpi_print( &data_a[2], &n_a, A)!=0) { - gnutls_free( *data); - return GNUTLS_E_MPI_PRINT_FAILED; - } - _gnutls_hard_log( "INT: SRP A[%d]: %s\n", n_a, _gnutls_bin2hex(&data_a[2], n_a, buf, sizeof(buf))); + /* copy A */ + data_a = (*data); + if (_gnutls_mpi_print(&data_a[2], &n_a, A) != 0) { + gnutls_free(*data); + return GNUTLS_E_MPI_PRINT_FAILED; + } + _gnutls_hard_log("INT: SRP A[%d]: %s\n", n_a, + _gnutls_bin2hex(&data_a[2], n_a, buf, sizeof(buf))); - _gnutls_mpi_release(&A); + _gnutls_mpi_release(&A); - _gnutls_write_uint16( n_a, data_a); + _gnutls_write_uint16(n_a, data_a); - return n_a + 2; + return n_a + 2; } /* just read A and put it to session */ -int _gnutls_proc_srp_client_kx(gnutls_session session, opaque * data, size_t _data_size) +int _gnutls_proc_srp_client_kx(gnutls_session session, opaque * data, + size_t _data_size) { - size_t _n_A; - ssize_t data_size = _data_size; - int ret; - - DECR_LEN( data_size, 2); - _n_A = _gnutls_read_uint16( &data[0]); - - DECR_LEN( data_size, _n_A); - if (_gnutls_mpi_scan(&A, &data[2], &_n_A) || A == NULL) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - _gnutls_dump_mpi( "SRP A: ", A); - _gnutls_dump_mpi( "SRP B: ", B); - - /* Checks if A % n == 0. - */ - if ( (ret = check_a_mod_n( A, N)) < 0) { - gnutls_assert(); - return ret; - } - - /* Start the SRP calculations. - * - Calculate u - */ - session->key->u = _gnutls_calc_srp_u(A, B); - if (session->key->u==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - _gnutls_dump_mpi( "SRP U: ", session->key->u); - - /* S = (A * v^u) ^ b % N - */ - S = _gnutls_calc_srp_S1( A, _b, session->key->u, V, N); - if ( S==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - _gnutls_dump_mpi( "SRP S: ", S); - - _gnutls_mpi_release(&A); - _gnutls_mpi_release(&_b); - _gnutls_mpi_release(&V); - _gnutls_mpi_release(&session->key->u); - _gnutls_mpi_release(&B); - - ret = _gnutls_generate_session_key( session->key); - _gnutls_mpi_release( &S); - - if (ret < 0) { - gnutls_assert(); - return ret; - } + size_t _n_A; + ssize_t data_size = _data_size; + int ret; + + DECR_LEN(data_size, 2); + _n_A = _gnutls_read_uint16(&data[0]); + + DECR_LEN(data_size, _n_A); + if (_gnutls_mpi_scan(&A, &data[2], &_n_A) || A == NULL) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + _gnutls_dump_mpi("SRP A: ", A); + _gnutls_dump_mpi("SRP B: ", B); + + /* Checks if A % n == 0. + */ + if ((ret = check_a_mod_n(A, N)) < 0) { + gnutls_assert(); + return ret; + } + + /* Start the SRP calculations. + * - Calculate u + */ + session->key->u = _gnutls_calc_srp_u(A, B); + if (session->key->u == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + _gnutls_dump_mpi("SRP U: ", session->key->u); + + /* S = (A * v^u) ^ b % N + */ + S = _gnutls_calc_srp_S1(A, _b, session->key->u, V, N); + if (S == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + _gnutls_dump_mpi("SRP S: ", S); + + _gnutls_mpi_release(&A); + _gnutls_mpi_release(&_b); + _gnutls_mpi_release(&V); + _gnutls_mpi_release(&session->key->u); + _gnutls_mpi_release(&B); + + ret = _gnutls_generate_session_key(session->key); + _gnutls_mpi_release(&S); + + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } @@ -406,354 +410,363 @@ int _gnutls_proc_srp_client_kx(gnutls_session session, opaque * data, size_t _da /* Static parameters according to draft-ietf-tls-srp-05 */ static const unsigned char srp_params_1024[] = { - 0xEE, 0xAF, 0x0A, 0xB9, 0xAD, 0xB3, 0x8D, 0xD6, - 0x9C, 0x33, 0xF8, 0x0A, 0xFA, 0x8F, 0xC5, 0xE8, - 0x60, 0x72, 0x61, 0x87, 0x75, 0xFF, 0x3C, 0x0B, - 0x9E, 0xA2, 0x31, 0x4C, 0x9C, 0x25, 0x65, 0x76, - 0xD6, 0x74, 0xDF, 0x74, 0x96, 0xEA, 0x81, 0xD3, - 0x38, 0x3B, 0x48, 0x13, 0xD6, 0x92, 0xC6, 0xE0, - 0xE0, 0xD5, 0xD8, 0xE2, 0x50, 0xB9, 0x8B, 0xE4, - 0x8E, 0x49, 0x5C, 0x1D, 0x60, 0x89, 0xDA, 0xD1, - 0x5D, 0xC7, 0xD7, 0xB4, 0x61, 0x54, 0xD6, 0xB6, - 0xCE, 0x8E, 0xF4, 0xAD, 0x69, 0xB1, 0x5D, 0x49, - 0x82, 0x55, 0x9B, 0x29, 0x7B, 0xCF, 0x18, 0x85, - 0xC5, 0x29, 0xF5, 0x66, 0x66, 0x0E, 0x57, 0xEC, - 0x68, 0xED, 0xBC, 0x3C, 0x05, 0x72, 0x6C, 0xC0, - 0x2F, 0xD4, 0xCB, 0xF4, 0x97, 0x6E, 0xAA, 0x9A, - 0xFD, 0x51, 0x38, 0xFE, 0x83, 0x76, 0x43, 0x5B, - 0x9F, 0xC6, 0x1D, 0x2F, 0xC0, 0xEB, 0x06, 0xE3 + 0xEE, 0xAF, 0x0A, 0xB9, 0xAD, 0xB3, 0x8D, 0xD6, + 0x9C, 0x33, 0xF8, 0x0A, 0xFA, 0x8F, 0xC5, 0xE8, + 0x60, 0x72, 0x61, 0x87, 0x75, 0xFF, 0x3C, 0x0B, + 0x9E, 0xA2, 0x31, 0x4C, 0x9C, 0x25, 0x65, 0x76, + 0xD6, 0x74, 0xDF, 0x74, 0x96, 0xEA, 0x81, 0xD3, + 0x38, 0x3B, 0x48, 0x13, 0xD6, 0x92, 0xC6, 0xE0, + 0xE0, 0xD5, 0xD8, 0xE2, 0x50, 0xB9, 0x8B, 0xE4, + 0x8E, 0x49, 0x5C, 0x1D, 0x60, 0x89, 0xDA, 0xD1, + 0x5D, 0xC7, 0xD7, 0xB4, 0x61, 0x54, 0xD6, 0xB6, + 0xCE, 0x8E, 0xF4, 0xAD, 0x69, 0xB1, 0x5D, 0x49, + 0x82, 0x55, 0x9B, 0x29, 0x7B, 0xCF, 0x18, 0x85, + 0xC5, 0x29, 0xF5, 0x66, 0x66, 0x0E, 0x57, 0xEC, + 0x68, 0xED, 0xBC, 0x3C, 0x05, 0x72, 0x6C, 0xC0, + 0x2F, 0xD4, 0xCB, 0xF4, 0x97, 0x6E, 0xAA, 0x9A, + 0xFD, 0x51, 0x38, 0xFE, 0x83, 0x76, 0x43, 0x5B, + 0x9F, 0xC6, 0x1D, 0x2F, 0xC0, 0xEB, 0x06, 0xE3 }; static const unsigned char srp_generator = 0x02; const gnutls_datum gnutls_srp_1024_group_prime = { - (void*)srp_params_1024, sizeof(srp_params_1024) }; + (void *) srp_params_1024, sizeof(srp_params_1024) +}; const gnutls_datum gnutls_srp_1024_group_generator = { - (void*)&srp_generator, sizeof(srp_generator) }; + (void *) &srp_generator, sizeof(srp_generator) +}; static const unsigned char srp_params_1536[] = { - 0x9D, 0xEF, 0x3C, 0xAF, 0xB9, 0x39, 0x27, 0x7A, 0xB1, - 0xF1, 0x2A, 0x86, 0x17, 0xA4, 0x7B, 0xBB, 0xDB, 0xA5, - 0x1D, 0xF4, 0x99, 0xAC, 0x4C, 0x80, 0xBE, 0xEE, 0xA9, - 0x61, 0x4B, 0x19, 0xCC, 0x4D, 0x5F, 0x4F, 0x5F, 0x55, - 0x6E, 0x27, 0xCB, 0xDE, 0x51, 0xC6, 0xA9, 0x4B, 0xE4, - 0x60, 0x7A, 0x29, 0x15, 0x58, 0x90, 0x3B, 0xA0, 0xD0, - 0xF8, 0x43, 0x80, 0xB6, 0x55, 0xBB, 0x9A, 0x22, 0xE8, - 0xDC, 0xDF, 0x02, 0x8A, 0x7C, 0xEC, 0x67, 0xF0, 0xD0, - 0x81, 0x34, 0xB1, 0xC8, 0xB9, 0x79, 0x89, 0x14, 0x9B, - 0x60, 0x9E, 0x0B, 0xE3, 0xBA, 0xB6, 0x3D, 0x47, 0x54, - 0x83, 0x81, 0xDB, 0xC5, 0xB1, 0xFC, 0x76, 0x4E, 0x3F, - 0x4B, 0x53, 0xDD, 0x9D, 0xA1, 0x15, 0x8B, 0xFD, 0x3E, - 0x2B, 0x9C, 0x8C, 0xF5, 0x6E, 0xDF, 0x01, 0x95, 0x39, - 0x34, 0x96, 0x27, 0xDB, 0x2F, 0xD5, 0x3D, 0x24, 0xB7, - 0xC4, 0x86, 0x65, 0x77, 0x2E, 0x43, 0x7D, 0x6C, 0x7F, - 0x8C, 0xE4, 0x42, 0x73, 0x4A, 0xF7, 0xCC, 0xB7, 0xAE, - 0x83, 0x7C, 0x26, 0x4A, 0xE3, 0xA9, 0xBE, 0xB8, 0x7F, - 0x8A, 0x2F, 0xE9, 0xB8, 0xB5, 0x29, 0x2E, 0x5A, 0x02, - 0x1F, 0xFF, 0x5E, 0x91, 0x47, 0x9E, 0x8C, 0xE7, 0xA2, - 0x8C, 0x24, 0x42, 0xC6, 0xF3, 0x15, 0x18, 0x0F, 0x93, - 0x49, 0x9A, 0x23, 0x4D, 0xCF, 0x76, 0xE3, 0xFE, 0xD1, - 0x35, 0xF9, 0xBB + 0x9D, 0xEF, 0x3C, 0xAF, 0xB9, 0x39, 0x27, 0x7A, 0xB1, + 0xF1, 0x2A, 0x86, 0x17, 0xA4, 0x7B, 0xBB, 0xDB, 0xA5, + 0x1D, 0xF4, 0x99, 0xAC, 0x4C, 0x80, 0xBE, 0xEE, 0xA9, + 0x61, 0x4B, 0x19, 0xCC, 0x4D, 0x5F, 0x4F, 0x5F, 0x55, + 0x6E, 0x27, 0xCB, 0xDE, 0x51, 0xC6, 0xA9, 0x4B, 0xE4, + 0x60, 0x7A, 0x29, 0x15, 0x58, 0x90, 0x3B, 0xA0, 0xD0, + 0xF8, 0x43, 0x80, 0xB6, 0x55, 0xBB, 0x9A, 0x22, 0xE8, + 0xDC, 0xDF, 0x02, 0x8A, 0x7C, 0xEC, 0x67, 0xF0, 0xD0, + 0x81, 0x34, 0xB1, 0xC8, 0xB9, 0x79, 0x89, 0x14, 0x9B, + 0x60, 0x9E, 0x0B, 0xE3, 0xBA, 0xB6, 0x3D, 0x47, 0x54, + 0x83, 0x81, 0xDB, 0xC5, 0xB1, 0xFC, 0x76, 0x4E, 0x3F, + 0x4B, 0x53, 0xDD, 0x9D, 0xA1, 0x15, 0x8B, 0xFD, 0x3E, + 0x2B, 0x9C, 0x8C, 0xF5, 0x6E, 0xDF, 0x01, 0x95, 0x39, + 0x34, 0x96, 0x27, 0xDB, 0x2F, 0xD5, 0x3D, 0x24, 0xB7, + 0xC4, 0x86, 0x65, 0x77, 0x2E, 0x43, 0x7D, 0x6C, 0x7F, + 0x8C, 0xE4, 0x42, 0x73, 0x4A, 0xF7, 0xCC, 0xB7, 0xAE, + 0x83, 0x7C, 0x26, 0x4A, 0xE3, 0xA9, 0xBE, 0xB8, 0x7F, + 0x8A, 0x2F, 0xE9, 0xB8, 0xB5, 0x29, 0x2E, 0x5A, 0x02, + 0x1F, 0xFF, 0x5E, 0x91, 0x47, 0x9E, 0x8C, 0xE7, 0xA2, + 0x8C, 0x24, 0x42, 0xC6, 0xF3, 0x15, 0x18, 0x0F, 0x93, + 0x49, 0x9A, 0x23, 0x4D, 0xCF, 0x76, 0xE3, 0xFE, 0xD1, + 0x35, 0xF9, 0xBB }; const gnutls_datum gnutls_srp_1536_group_prime = { - (void*)srp_params_1536, sizeof(srp_params_1536) }; + (void *) srp_params_1536, sizeof(srp_params_1536) +}; const gnutls_datum gnutls_srp_1536_group_generator = { - (void*)&srp_generator, sizeof(srp_generator) }; + (void *) &srp_generator, sizeof(srp_generator) +}; static const unsigned char srp_params_2048[] = { - 0xAC, 0x6B, 0xDB, 0x41, 0x32, 0x4A, 0x9A, 0x9B, 0xF1, - 0x66, 0xDE, 0x5E, 0x13, 0x89, 0x58, 0x2F, 0xAF, 0x72, - 0xB6, 0x65, 0x19, 0x87, 0xEE, 0x07, 0xFC, 0x31, 0x92, - 0x94, 0x3D, 0xB5, 0x60, 0x50, 0xA3, 0x73, 0x29, 0xCB, - 0xB4, 0xA0, 0x99, 0xED, 0x81, 0x93, 0xE0, 0x75, 0x77, - 0x67, 0xA1, 0x3D, 0xD5, 0x23, 0x12, 0xAB, 0x4B, 0x03, - 0x31, 0x0D, 0xCD, 0x7F, 0x48, 0xA9, 0xDA, 0x04, 0xFD, - 0x50, 0xE8, 0x08, 0x39, 0x69, 0xED, 0xB7, 0x67, 0xB0, - 0xCF, 0x60, 0x95, 0x17, 0x9A, 0x16, 0x3A, 0xB3, 0x66, - 0x1A, 0x05, 0xFB, 0xD5, 0xFA, 0xAA, 0xE8, 0x29, 0x18, - 0xA9, 0x96, 0x2F, 0x0B, 0x93, 0xB8, 0x55, 0xF9, 0x79, - 0x93, 0xEC, 0x97, 0x5E, 0xEA, 0xA8, 0x0D, 0x74, 0x0A, - 0xDB, 0xF4, 0xFF, 0x74, 0x73, 0x59, 0xD0, 0x41, 0xD5, - 0xC3, 0x3E, 0xA7, 0x1D, 0x28, 0x1E, 0x44, 0x6B, 0x14, - 0x77, 0x3B, 0xCA, 0x97, 0xB4, 0x3A, 0x23, 0xFB, 0x80, - 0x16, 0x76, 0xBD, 0x20, 0x7A, 0x43, 0x6C, 0x64, 0x81, - 0xF1, 0xD2, 0xB9, 0x07, 0x87, 0x17, 0x46, 0x1A, 0x5B, - 0x9D, 0x32, 0xE6, 0x88, 0xF8, 0x77, 0x48, 0x54, 0x45, - 0x23, 0xB5, 0x24, 0xB0, 0xD5, 0x7D, 0x5E, 0xA7, 0x7A, - 0x27, 0x75, 0xD2, 0xEC, 0xFA, 0x03, 0x2C, 0xFB, 0xDB, - 0xF5, 0x2F, 0xB3, 0x78, 0x61, 0x60, 0x27, 0x90, 0x04, - 0xE5, 0x7A, 0xE6, 0xAF, 0x87, 0x4E, 0x73, 0x03, 0xCE, - 0x53, 0x29, 0x9C, 0xCC, 0x04, 0x1C, 0x7B, 0xC3, 0x08, - 0xD8, 0x2A, 0x56, 0x98, 0xF3, 0xA8, 0xD0, 0xC3, 0x82, - 0x71, 0xAE, 0x35, 0xF8, 0xE9, 0xDB, 0xFB, 0xB6, 0x94, - 0xB5, 0xC8, 0x03, 0xD8, 0x9F, 0x7A, 0xE4, 0x35, 0xDE, - 0x23, 0x6D, 0x52, 0x5F, 0x54, 0x75, 0x9B, 0x65, 0xE3, - 0x72, 0xFC, 0xD6, 0x8E, 0xF2, 0x0F, 0xA7, 0x11, 0x1F, - 0x9E, 0x4A, 0xFF, 0x73 + 0xAC, 0x6B, 0xDB, 0x41, 0x32, 0x4A, 0x9A, 0x9B, 0xF1, + 0x66, 0xDE, 0x5E, 0x13, 0x89, 0x58, 0x2F, 0xAF, 0x72, + 0xB6, 0x65, 0x19, 0x87, 0xEE, 0x07, 0xFC, 0x31, 0x92, + 0x94, 0x3D, 0xB5, 0x60, 0x50, 0xA3, 0x73, 0x29, 0xCB, + 0xB4, 0xA0, 0x99, 0xED, 0x81, 0x93, 0xE0, 0x75, 0x77, + 0x67, 0xA1, 0x3D, 0xD5, 0x23, 0x12, 0xAB, 0x4B, 0x03, + 0x31, 0x0D, 0xCD, 0x7F, 0x48, 0xA9, 0xDA, 0x04, 0xFD, + 0x50, 0xE8, 0x08, 0x39, 0x69, 0xED, 0xB7, 0x67, 0xB0, + 0xCF, 0x60, 0x95, 0x17, 0x9A, 0x16, 0x3A, 0xB3, 0x66, + 0x1A, 0x05, 0xFB, 0xD5, 0xFA, 0xAA, 0xE8, 0x29, 0x18, + 0xA9, 0x96, 0x2F, 0x0B, 0x93, 0xB8, 0x55, 0xF9, 0x79, + 0x93, 0xEC, 0x97, 0x5E, 0xEA, 0xA8, 0x0D, 0x74, 0x0A, + 0xDB, 0xF4, 0xFF, 0x74, 0x73, 0x59, 0xD0, 0x41, 0xD5, + 0xC3, 0x3E, 0xA7, 0x1D, 0x28, 0x1E, 0x44, 0x6B, 0x14, + 0x77, 0x3B, 0xCA, 0x97, 0xB4, 0x3A, 0x23, 0xFB, 0x80, + 0x16, 0x76, 0xBD, 0x20, 0x7A, 0x43, 0x6C, 0x64, 0x81, + 0xF1, 0xD2, 0xB9, 0x07, 0x87, 0x17, 0x46, 0x1A, 0x5B, + 0x9D, 0x32, 0xE6, 0x88, 0xF8, 0x77, 0x48, 0x54, 0x45, + 0x23, 0xB5, 0x24, 0xB0, 0xD5, 0x7D, 0x5E, 0xA7, 0x7A, + 0x27, 0x75, 0xD2, 0xEC, 0xFA, 0x03, 0x2C, 0xFB, 0xDB, + 0xF5, 0x2F, 0xB3, 0x78, 0x61, 0x60, 0x27, 0x90, 0x04, + 0xE5, 0x7A, 0xE6, 0xAF, 0x87, 0x4E, 0x73, 0x03, 0xCE, + 0x53, 0x29, 0x9C, 0xCC, 0x04, 0x1C, 0x7B, 0xC3, 0x08, + 0xD8, 0x2A, 0x56, 0x98, 0xF3, 0xA8, 0xD0, 0xC3, 0x82, + 0x71, 0xAE, 0x35, 0xF8, 0xE9, 0xDB, 0xFB, 0xB6, 0x94, + 0xB5, 0xC8, 0x03, 0xD8, 0x9F, 0x7A, 0xE4, 0x35, 0xDE, + 0x23, 0x6D, 0x52, 0x5F, 0x54, 0x75, 0x9B, 0x65, 0xE3, + 0x72, 0xFC, 0xD6, 0x8E, 0xF2, 0x0F, 0xA7, 0x11, 0x1F, + 0x9E, 0x4A, 0xFF, 0x73 }; const gnutls_datum gnutls_srp_2048_group_prime = { - (void*)srp_params_2048, sizeof(srp_params_2048) }; + (void *) srp_params_2048, sizeof(srp_params_2048) +}; const gnutls_datum gnutls_srp_2048_group_generator = { - (void*)&srp_generator, sizeof(srp_generator) }; + (void *) &srp_generator, sizeof(srp_generator) +}; /* Check if G and N are parameters from the SRP draft. */ -static int check_g_n( const opaque* g, size_t n_g, - const opaque* n, size_t n_n) +static int check_g_n(const opaque * g, size_t n_g, + const opaque * n, size_t n_n) { - if (n_g != 1 || g[0] != srp_generator) - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + if (n_g != 1 || g[0] != srp_generator) + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - if (n_n == sizeof(srp_params_1024) && - memcmp( srp_params_1024, n, n_n)==0) { - return 0; - } + if (n_n == sizeof(srp_params_1024) && + memcmp(srp_params_1024, n, n_n) == 0) { + return 0; + } - if (n_n == sizeof(srp_params_1536) && - memcmp( srp_params_1536, n, n_n)==0) { - return 0; - } + if (n_n == sizeof(srp_params_1536) && + memcmp(srp_params_1536, n, n_n) == 0) { + return 0; + } - if (n_n == sizeof(srp_params_2048) && - memcmp( srp_params_2048, n, n_n)==0) { - return 0; - } + if (n_n == sizeof(srp_params_2048) && + memcmp(srp_params_2048, n, n_n) == 0) { + return 0; + } - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } /* Check if N is a prime and G a generator of the * group. */ -static int group_check_g_n( GNUTLS_MPI g, GNUTLS_MPI n) +static int group_check_g_n(GNUTLS_MPI g, GNUTLS_MPI n) { -GNUTLS_MPI q = NULL, two = NULL, w = NULL; -int ret; - - /* N must be of the form N=2q+1 - * where q is also a prime. - */ - if (_gnutls_prime_check( n, 0) != 0) { - _gnutls_dump_mpi( "no prime N: ", n); - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } - - two = _gnutls_mpi_new( 4); - if (two == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - q = _gnutls_mpi_alloc_like( n); - if (q==NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - /* q = n-1 - */ - _gnutls_mpi_sub_ui( q, n, 1); - - /* q = q/2, remember that q is divisible by 2 (prime - 1) - */ - _gnutls_mpi_set_ui( two, 2); - _gnutls_mpi_div( q, NULL, q, two, 0); - - if (_gnutls_prime_check( q, 0) != 0) { - /* N was not on the form N=2q+1, where q = prime - */ - _gnutls_dump_mpi( "no prime Q: ", q); - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } - - /* We also check whether g is a generator, - */ - - /* check if g < q < N - */ - if (_gnutls_mpi_cmp( g, q) >= 0) { - gnutls_assert(); - ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - goto error; - } - - w = _gnutls_mpi_alloc_like( q); - if (w==NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - /* check if g^q mod N == N-1 - * w = g^q mod N - */ - _gnutls_mpi_powm( w, g, q, n); - - /* w++ + GNUTLS_MPI q = NULL, two = NULL, w = NULL; + int ret; + + /* N must be of the form N=2q+1 + * where q is also a prime. + */ + if (_gnutls_prime_check(n, 0) != 0) { + _gnutls_dump_mpi("no prime N: ", n); + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } + + two = _gnutls_mpi_new(4); + if (two == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + q = _gnutls_mpi_alloc_like(n); + if (q == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + /* q = n-1 + */ + _gnutls_mpi_sub_ui(q, n, 1); + + /* q = q/2, remember that q is divisible by 2 (prime - 1) + */ + _gnutls_mpi_set_ui(two, 2); + _gnutls_mpi_div(q, NULL, q, two, 0); + + if (_gnutls_prime_check(q, 0) != 0) { + /* N was not on the form N=2q+1, where q = prime */ - _gnutls_mpi_add_ui( w, w, 1); - - if (_gnutls_mpi_cmp( w, n)!=0) { - gnutls_assert(); - ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - goto error; - } - - ret = 0; + _gnutls_dump_mpi("no prime Q: ", q); + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } + + /* We also check whether g is a generator, + */ + + /* check if g < q < N + */ + if (_gnutls_mpi_cmp(g, q) >= 0) { + gnutls_assert(); + ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + goto error; + } + + w = _gnutls_mpi_alloc_like(q); + if (w == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + /* check if g^q mod N == N-1 + * w = g^q mod N + */ + _gnutls_mpi_powm(w, g, q, n); + + /* w++ + */ + _gnutls_mpi_add_ui(w, w, 1); + + if (_gnutls_mpi_cmp(w, n) != 0) { + gnutls_assert(); + ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + goto error; + } + + ret = 0; + + error: + _gnutls_mpi_release(&q); + _gnutls_mpi_release(&two); + _gnutls_mpi_release(&w); + + return ret; -error: - _gnutls_mpi_release( &q); - _gnutls_mpi_release( &two); - _gnutls_mpi_release( &w); - - return ret; - } /* receive the key exchange message ( n, g, s, B) */ -int _gnutls_proc_srp_server_kx(gnutls_session session, opaque * data, size_t _data_size) +int _gnutls_proc_srp_server_kx(gnutls_session session, opaque * data, + size_t _data_size) { - uint8 n_s; - uint16 n_g, n_n, n_b; - size_t _n_s, _n_g, _n_n, _n_b; - const uint8 *data_n; - const uint8 *data_g; - const uint8 *data_s; - const uint8 *data_b; - int i, ret; - opaque hd[SRP_MAX_HASH_SIZE]; - char *username, *password; - ssize_t data_size = _data_size; - - const gnutls_srp_client_credentials cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_SRP, NULL); - - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (session->internals.srp_username == NULL) { - username = cred->username; - password = cred->password; - } else { - username = session->internals.srp_username; - password = session->internals.srp_password; - } - - if (username == NULL || password == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - i = 0; - - /* Read N - */ - DECR_LEN( data_size, 2); - n_n = _gnutls_read_uint16( &data[i]); - i += 2; - - DECR_LEN( data_size, n_n); - data_n = &data[i]; - i += n_n; - - /* Read G - */ - DECR_LEN( data_size, 2); - n_g = _gnutls_read_uint16( &data[i]); - i += 2; - - DECR_LEN( data_size, n_g); - data_g = &data[i]; - i += n_g; - - /* Read salt - */ - DECR_LEN( data_size, 1); - n_s = data[i]; - i += 1; - - DECR_LEN( data_size, n_s); - data_s = &data[i]; - i += n_s; - - /* Read B - */ - DECR_LEN( data_size, 2); - n_b = _gnutls_read_uint16( &data[i]); - i += 2; - - DECR_LEN( data_size, n_b); - data_b = &data[i]; - i += n_b; - - _n_s = n_s; - _n_g = n_g; - _n_n = n_n; - _n_b = n_b; - - if (_gnutls_mpi_scan(&N, data_n, &_n_n) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - if (_gnutls_mpi_scan(&G, data_g, &_n_g) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - if (_gnutls_mpi_scan(&B, data_b, &_n_b) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - - /* Check if the g and n are from the SRP - * draft. Otherwise check if N is a prime and G - * a generator. - */ - if ( (ret = check_g_n( data_g, _n_g, data_n, _n_n)) < 0) { - _gnutls_x509_log("Checking the SRP group parameters.\n"); - if ( (ret = group_check_g_n( G, N)) < 0) { - gnutls_assert(); - return ret; - } - } + uint8 n_s; + uint16 n_g, n_n, n_b; + size_t _n_s, _n_g, _n_n, _n_b; + const uint8 *data_n; + const uint8 *data_g; + const uint8 *data_s; + const uint8 *data_b; + int i, ret; + opaque hd[SRP_MAX_HASH_SIZE]; + char *username, *password; + ssize_t data_size = _data_size; + + const gnutls_srp_client_credentials cred = + _gnutls_get_cred(session->key, GNUTLS_CRD_SRP, NULL); + + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (session->internals.srp_username == NULL) { + username = cred->username; + password = cred->password; + } else { + username = session->internals.srp_username; + password = session->internals.srp_password; + } + + if (username == NULL || password == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + i = 0; + + /* Read N + */ + DECR_LEN(data_size, 2); + n_n = _gnutls_read_uint16(&data[i]); + i += 2; + + DECR_LEN(data_size, n_n); + data_n = &data[i]; + i += n_n; + + /* Read G + */ + DECR_LEN(data_size, 2); + n_g = _gnutls_read_uint16(&data[i]); + i += 2; + + DECR_LEN(data_size, n_g); + data_g = &data[i]; + i += n_g; + + /* Read salt + */ + DECR_LEN(data_size, 1); + n_s = data[i]; + i += 1; + + DECR_LEN(data_size, n_s); + data_s = &data[i]; + i += n_s; + + /* Read B + */ + DECR_LEN(data_size, 2); + n_b = _gnutls_read_uint16(&data[i]); + i += 2; + + DECR_LEN(data_size, n_b); + data_b = &data[i]; + i += n_b; + + _n_s = n_s; + _n_g = n_g; + _n_n = n_n; + _n_b = n_b; + + if (_gnutls_mpi_scan(&N, data_n, &_n_n) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + if (_gnutls_mpi_scan(&G, data_g, &_n_g) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + if (_gnutls_mpi_scan(&B, data_b, &_n_b) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + + /* Check if the g and n are from the SRP + * draft. Otherwise check if N is a prime and G + * a generator. + */ + if ((ret = check_g_n(data_g, _n_g, data_n, _n_n)) < 0) { + _gnutls_x509_log("Checking the SRP group parameters.\n"); + if ((ret = group_check_g_n(G, N)) < 0) { + gnutls_assert(); + return ret; + } + } + + /* Checks if b % n == 0 + */ + if ((ret = check_b_mod_n(B, N)) < 0) { + gnutls_assert(); + return ret; + } - /* Checks if b % n == 0 - */ - if ( (ret = check_b_mod_n( B, N)) < 0) { - gnutls_assert(); - return ret; - } + /* generate x = SHA(s | SHA(U | ":" | p)) + * (or the equivalent using bcrypt) + */ + if ((ret = + _gnutls_calc_srp_x(username, password, (opaque *) data_s, n_s, + &_n_g, hd)) < 0) { + gnutls_assert(); + return ret; + } - /* generate x = SHA(s | SHA(U | ":" | p)) - * (or the equivalent using bcrypt) - */ - if ( ( ret =_gnutls_calc_srp_x( username, password, (opaque*)data_s, n_s, &_n_g, hd)) < 0) { - gnutls_assert(); - return ret; - } + if (_gnutls_mpi_scan(&session->key->x, hd, &_n_g) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } - if (_gnutls_mpi_scan(&session->key->x, hd, &_n_g) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - return i; /* return the processed data - * needed in auth_srp_rsa. - */ + return i; /* return the processed data + * needed in auth_srp_rsa. + */ } -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/libextra/auth_srp_passwd.c b/libextra/auth_srp_passwd.c index 6b71962cfe..981dd8e4f6 100644 --- a/libextra/auth_srp_passwd.c +++ b/libextra/auth_srp_passwd.c @@ -38,302 +38,307 @@ #include <gnutls_datum.h> #include <gnutls_num.h> -static int _randomize_pwd_entry(SRP_PWD_ENTRY* entry); +static int _randomize_pwd_entry(SRP_PWD_ENTRY * entry); /* this function parses tpasswd.conf file. Format is: * string(username):base64(v):base64(salt):int(index) */ -static int pwd_put_values( SRP_PWD_ENTRY *entry, char *str) { -char * p; -int len, ret; -opaque *verifier; -size_t verifier_size; -int indx; - - p = strrchr( str, ':'); /* we have index */ - if (p==NULL) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; - } - - *p='\0'; - p++; +static int pwd_put_values(SRP_PWD_ENTRY * entry, char *str) +{ + char *p; + int len, ret; + opaque *verifier; + size_t verifier_size; + int indx; + + p = strrchr(str, ':'); /* we have index */ + if (p == NULL) { + gnutls_assert(); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; + } - len = strlen(p); - indx = atoi(p); - if (indx==0) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; - } - - /* now go for salt */ - p = strrchr( str, ':'); /* we have salt */ - if (p==NULL) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; - } - - *p='\0'; - p++; - - len = strlen(p); + *p = '\0'; + p++; - entry->salt.size = _gnutls_sbase64_decode( p, len, &entry->salt.data); + len = strlen(p); + indx = atoi(p); + if (indx == 0) { + gnutls_assert(); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; + } - if (entry->salt.size <= 0) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; - } + /* now go for salt */ + p = strrchr(str, ':'); /* we have salt */ + if (p == NULL) { + gnutls_assert(); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; + } - /* now go for verifier */ - p = strrchr( str, ':'); /* we have verifier */ - if (p==NULL) { - _gnutls_free_datum(&entry->salt); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; - } - - *p='\0'; - p++; + *p = '\0'; + p++; - len = strlen(p); - ret = _gnutls_sbase64_decode( p, len, &verifier); - if (ret <= 0) { - gnutls_assert(); - _gnutls_free_datum(&entry->salt); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; - } + len = strlen(p); - verifier_size = ret; - entry->v.data = verifier; - entry->v.size = verifier_size; + entry->salt.size = _gnutls_sbase64_decode(p, len, &entry->salt.data); - /* now go for username */ - *p='\0'; + if (entry->salt.size <= 0) { + gnutls_assert(); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; + } - entry->username = gnutls_strdup(str); - if (entry->username==NULL) { - _gnutls_free_datum( &entry->salt); - _gnutls_free_datum( &entry->v); - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + /* now go for verifier */ + p = strrchr(str, ':'); /* we have verifier */ + if (p == NULL) { + _gnutls_free_datum(&entry->salt); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; + } + + *p = '\0'; + p++; + + len = strlen(p); + ret = _gnutls_sbase64_decode(p, len, &verifier); + if (ret <= 0) { + gnutls_assert(); + _gnutls_free_datum(&entry->salt); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; + } + + verifier_size = ret; + entry->v.data = verifier; + entry->v.size = verifier_size; + + /* now go for username */ + *p = '\0'; + + entry->username = gnutls_strdup(str); + if (entry->username == NULL) { + _gnutls_free_datum(&entry->salt); + _gnutls_free_datum(&entry->v); + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - return indx; + return indx; } /* this function parses tpasswd.conf file. Format is: * int(index):base64(n):int(g) */ -static int pwd_put_values2( SRP_PWD_ENTRY *entry, char *str) +static int pwd_put_values2(SRP_PWD_ENTRY * entry, char *str) { -char * p; -int len; -opaque * tmp; -int ret; + char *p; + int len; + opaque *tmp; + int ret; + + p = strrchr(str, ':'); /* we have g */ + if (p == NULL) { + gnutls_assert(); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; + } - p = strrchr( str, ':'); /* we have g */ - if (p==NULL) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; - } - - *p='\0'; - p++; - - /* read the generator */ - len = strlen(p); - if (p[len-1]=='\n' || p[len-1]==' ') len--; - ret = _gnutls_sbase64_decode( p, len, &tmp); + *p = '\0'; + p++; - if (ret < 0) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; - } + /* read the generator */ + len = strlen(p); + if (p[len - 1] == '\n' || p[len - 1] == ' ') + len--; + ret = _gnutls_sbase64_decode(p, len, &tmp); - entry->g.data = tmp; - entry->g.size = ret; + if (ret < 0) { + gnutls_assert(); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; + } - /* now go for n - modulo */ - p = strrchr( str, ':'); /* we have n */ - if (p==NULL) { - _gnutls_free_datum( &entry->g); - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; - } - - *p='\0'; - p++; - - len = strlen(p); - ret = _gnutls_sbase64_decode( p, len, &tmp); + entry->g.data = tmp; + entry->g.size = ret; - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum( &entry->g); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; - } - - entry->n.data = tmp; - entry->n.size = ret; + /* now go for n - modulo */ + p = strrchr(str, ':'); /* we have n */ + if (p == NULL) { + _gnutls_free_datum(&entry->g); + gnutls_assert(); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; + } - return 0; + *p = '\0'; + p++; + + len = strlen(p); + ret = _gnutls_sbase64_decode(p, len, &tmp); + + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(&entry->g); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; + } + + entry->n.data = tmp; + entry->n.size = ret; + + return 0; } /* this function opens the tpasswd.conf file and reads the g and n * values. They are put in the entry. */ -static int pwd_read_conf( const char* pconf_file, SRP_PWD_ENTRY* entry, int index) { - FILE * fd; - char line[2*1024]; - uint i, len; - char indexstr[10]; +static int pwd_read_conf(const char *pconf_file, SRP_PWD_ENTRY * entry, + int index) +{ + FILE *fd; + char line[2 * 1024]; + uint i, len; + char indexstr[10]; - sprintf( indexstr, "%d", index); /* Flawfinder: ignore */ + sprintf(indexstr, "%d", index); /* Flawfinder: ignore */ - fd = fopen( pconf_file, "r"); - if (fd==NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; - } + fd = fopen(pconf_file, "r"); + if (fd == NULL) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } - len = strlen(indexstr); - while( fgets( line, sizeof(line), fd) != NULL) { - /* move to first ':' */ - i=0; - while( (line[i]!=':') && (line[i]!='\0') && (i < sizeof(line)) ) { - i++; - } - if (strncmp( indexstr, line, GMAX(i,len)) == 0) { - if ((index = pwd_put_values2( entry, line)) >= 0) - return 0; - else { - return GNUTLS_E_SRP_PWD_ERROR; - } + len = strlen(indexstr); + while (fgets(line, sizeof(line), fd) != NULL) { + /* move to first ':' */ + i = 0; + while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof(line))) { + i++; + } + if (strncmp(indexstr, line, GMAX(i, len)) == 0) { + if ((index = pwd_put_values2(entry, line)) >= 0) + return 0; + else { + return GNUTLS_E_SRP_PWD_ERROR; } + } } return GNUTLS_E_SRP_PWD_ERROR; - + } -int _gnutls_srp_pwd_read_entry( gnutls_session state, char* username, - SRP_PWD_ENTRY** _entry) +int _gnutls_srp_pwd_read_entry(gnutls_session state, char *username, + SRP_PWD_ENTRY ** _entry) { - const gnutls_srp_server_credentials cred; - FILE * fd; - char line[2*1024]; - uint i, len; - int ret; - int index, last_index; - SRP_PWD_ENTRY* entry; - - *_entry = gnutls_calloc(1, sizeof(SRP_PWD_ENTRY)); - if (*_entry==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - entry = *_entry; + const gnutls_srp_server_credentials cred; + FILE *fd; + char line[2 * 1024]; + uint i, len; + int ret; + int index, last_index; + SRP_PWD_ENTRY *entry; + + *_entry = gnutls_calloc(1, sizeof(SRP_PWD_ENTRY)); + if (*_entry == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + entry = *_entry; - cred = _gnutls_get_cred( state->key, GNUTLS_CRD_SRP, NULL); - if (cred==NULL) { - gnutls_assert(); - _gnutls_srp_entry_free(entry); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + cred = _gnutls_get_cred(state->key, GNUTLS_CRD_SRP, NULL); + if (cred == NULL) { + gnutls_assert(); + _gnutls_srp_entry_free(entry); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } - /* if the callback which sends the parameters is - * set, use it. - */ - if (cred->pwd_callback != NULL) { - ret = cred->pwd_callback( state, username, &entry->salt, - &entry->v, &entry->g, &entry->n); - - if (ret==1) { /* the user does not exist */ - if (entry->g.size!=0 && entry->n.size!=0) { - ret = _randomize_pwd_entry( entry); - if (ret < 0) { - _gnutls_srp_entry_free(entry); - return ret; - } - return 0; - } else { - gnutls_assert(); - ret = -1; /* error in the callback */ - } - } - + /* if the callback which sends the parameters is + * set, use it. + */ + if (cred->pwd_callback != NULL) { + ret = cred->pwd_callback(state, username, &entry->salt, + &entry->v, &entry->g, &entry->n); + + if (ret == 1) { /* the user does not exist */ + if (entry->g.size != 0 && entry->n.size != 0) { + ret = _randomize_pwd_entry(entry); if (ret < 0) { - gnutls_assert(); - _gnutls_srp_entry_free(entry); - return GNUTLS_E_SRP_PWD_ERROR; + _gnutls_srp_entry_free(entry); + return ret; } - return 0; + } else { + gnutls_assert(); + ret = -1; /* error in the callback */ + } } - - /* The callback was not set. Proceed. - */ - if (cred->password_file==NULL) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_ERROR; + if (ret < 0) { + gnutls_assert(); + _gnutls_srp_entry_free(entry); + return GNUTLS_E_SRP_PWD_ERROR; + } + + return 0; + } + + /* The callback was not set. Proceed. + */ + + if (cred->password_file == NULL) { + gnutls_assert(); + return GNUTLS_E_SRP_PWD_ERROR; + } + + /* Open the selected password file. + */ + fd = fopen(cred->password_file, "r"); + if (fd == NULL) { + gnutls_assert(); + _gnutls_srp_entry_free(entry); + return GNUTLS_E_SRP_PWD_ERROR; + } + + last_index = 1; /* a default value */ + + len = strlen(username); + while (fgets(line, sizeof(line), fd) != NULL) { + /* move to first ':' */ + i = 0; + while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof(line))) { + i++; } - - /* Open the selected password file. - */ - fd = fopen( cred->password_file, "r"); - if (fd==NULL) { + + if (strncmp(username, line, GMAX(i, len)) == 0) { + if ((index = pwd_put_values(entry, line)) >= 0) { + /* Keep the last index in memory, so we can retrieve fake parameters (g,n) + * when the user does not exist. + */ + last_index = index; + if (pwd_read_conf(cred->password_conf_file, entry, index) + == 0) { + return 0; + } else { + gnutls_assert(); + _gnutls_srp_entry_free(entry); + return GNUTLS_E_SRP_PWD_ERROR; + } + } else { gnutls_assert(); _gnutls_srp_entry_free(entry); return GNUTLS_E_SRP_PWD_ERROR; - } - - last_index = 1; /* a default value */ - - len = strlen(username); - while( fgets( line, sizeof(line), fd) != NULL) { - /* move to first ':' */ - i=0; - while( (line[i]!=':') && (line[i]!='\0') && (i < sizeof(line)) ) { - i++; - } - - if (strncmp( username, line, GMAX(i,len)) == 0) { - if ((index = pwd_put_values( entry, line)) >= 0) { - /* Keep the last index in memory, so we can retrieve fake parameters (g,n) - * when the user does not exist. - */ - last_index = index; - if (pwd_read_conf( cred->password_conf_file, entry, index)==0) { - return 0; - } else { - gnutls_assert(); - _gnutls_srp_entry_free(entry); - return GNUTLS_E_SRP_PWD_ERROR; - } - } else { - gnutls_assert(); - _gnutls_srp_entry_free(entry); - return GNUTLS_E_SRP_PWD_ERROR; - } } + } } /* user was not found. Fake him. Actually read the g,n values from * the last index found and randomize the entry. */ - if (pwd_read_conf( cred->password_conf_file, entry, last_index)==0) { - ret = _randomize_pwd_entry( entry); + if (pwd_read_conf(cred->password_conf_file, entry, last_index) == 0) { + ret = _randomize_pwd_entry(entry); if (ret < 0) { - gnutls_assert(); - _gnutls_srp_entry_free(entry); - return ret; + gnutls_assert(); + _gnutls_srp_entry_free(entry); + return ret; } - + return 0; } - + gnutls_assert(); _gnutls_srp_entry_free(entry); return GNUTLS_E_SRP_PWD_ERROR; @@ -343,50 +348,52 @@ int _gnutls_srp_pwd_read_entry( gnutls_session state, char* username, /* Randomizes the given password entry. It actually sets the verifier * and the salt. Returns 0 on success. */ -static int _randomize_pwd_entry(SRP_PWD_ENTRY* entry) +static int _randomize_pwd_entry(SRP_PWD_ENTRY * entry) { -unsigned char rnd; + unsigned char rnd; - if (entry->g.size == 0 || entry->n.size == 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - _gnutls_get_random( &rnd, 1, GNUTLS_WEAK_RANDOM); - entry->salt.size = (rnd % 10) + 9; + if (entry->g.size == 0 || entry->n.size == 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - entry->v.data = gnutls_malloc(20); - entry->v.size = 20; - if (entry->v.data==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + _gnutls_get_random(&rnd, 1, GNUTLS_WEAK_RANDOM); + entry->salt.size = (rnd % 10) + 9; - _gnutls_get_random( entry->v.data, 20, GNUTLS_WEAK_RANDOM); + entry->v.data = gnutls_malloc(20); + entry->v.size = 20; + if (entry->v.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - entry->salt.data = gnutls_malloc( entry->salt.size); - if (entry->salt.data==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - if (_gnutls_get_random(entry->salt.data, entry->salt.size, GNUTLS_WEAK_RANDOM) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + _gnutls_get_random(entry->v.data, 20, GNUTLS_WEAK_RANDOM); - return 0; + entry->salt.data = gnutls_malloc(entry->salt.size); + if (entry->salt.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + if (_gnutls_get_random + (entry->salt.data, entry->salt.size, GNUTLS_WEAK_RANDOM) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + return 0; } -void _gnutls_srp_entry_free( SRP_PWD_ENTRY * entry) { - _gnutls_free_datum(&entry->v); - _gnutls_free_datum(&entry->g); - _gnutls_free_datum(&entry->n); - _gnutls_free_datum(&entry->salt); +void _gnutls_srp_entry_free(SRP_PWD_ENTRY * entry) +{ + _gnutls_free_datum(&entry->v); + _gnutls_free_datum(&entry->g); + _gnutls_free_datum(&entry->n); + _gnutls_free_datum(&entry->salt); - gnutls_free(entry->username); - gnutls_free(entry); + gnutls_free(entry->username); + gnutls_free(entry); } -#endif /* ENABLE SRP */ +#endif /* ENABLE SRP */ diff --git a/libextra/auth_srp_rsa.c b/libextra/auth_srp_rsa.c index f28a3771b0..aec03b17c6 100644 --- a/libextra/auth_srp_rsa.c +++ b/libextra/auth_srp_rsa.c @@ -43,153 +43,157 @@ static int gen_srp_cert_server_kx(gnutls_session, opaque **); static int proc_srp_cert_server_kx(gnutls_session, opaque *, size_t); const mod_auth_st srp_rsa_auth_struct = { - "SRP", - _gnutls_gen_cert_server_certificate, - NULL, - gen_srp_cert_server_kx, - _gnutls_gen_srp_client_kx, - NULL, - NULL, - - _gnutls_proc_cert_server_certificate, - NULL, /* certificate */ - proc_srp_cert_server_kx, - _gnutls_proc_srp_client_kx, - NULL, - NULL + "SRP", + _gnutls_gen_cert_server_certificate, + NULL, + gen_srp_cert_server_kx, + _gnutls_gen_srp_client_kx, + NULL, + NULL, + + _gnutls_proc_cert_server_certificate, + NULL, /* certificate */ + proc_srp_cert_server_kx, + _gnutls_proc_srp_client_kx, + NULL, + NULL }; const mod_auth_st srp_dss_auth_struct = { - "SRP", - _gnutls_gen_cert_server_certificate, - NULL, - gen_srp_cert_server_kx, - _gnutls_gen_srp_client_kx, - NULL, - NULL, - - _gnutls_proc_cert_server_certificate, - NULL, /* certificate */ - proc_srp_cert_server_kx, - _gnutls_proc_srp_client_kx, - NULL, - NULL + "SRP", + _gnutls_gen_cert_server_certificate, + NULL, + gen_srp_cert_server_kx, + _gnutls_gen_srp_client_kx, + NULL, + NULL, + + _gnutls_proc_cert_server_certificate, + NULL, /* certificate */ + proc_srp_cert_server_kx, + _gnutls_proc_srp_client_kx, + NULL, + NULL }; static int gen_srp_cert_server_kx(gnutls_session session, opaque ** data) { -ssize_t ret, data_size; -gnutls_datum signature, ddata; -const gnutls_certificate_credentials cred; -gnutls_cert *apr_cert_list; -gnutls_privkey *apr_pkey; -int apr_cert_list_length; - - ret = _gnutls_gen_srp_server_kx( session, data); - - if (ret < 0) return ret; - - data_size = ret; - ddata.data = *data; - ddata.size = data_size; - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, + ssize_t ret, data_size; + gnutls_datum signature, ddata; + const gnutls_certificate_credentials cred; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + + ret = _gnutls_gen_srp_server_kx(session, data); + + if (ret < 0) + return ret; + + data_size = ret; + ddata.data = *data; + ddata.size = data_size; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert(session, &apr_cert_list, &apr_cert_list_length, &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } - - if ((ret = - _gnutls_tls_sign_params(session, &apr_cert_list[0], - apr_pkey, &ddata, &signature)) < 0) - { - gnutls_assert(); - gnutls_free(*data); - return ret; - } - - *data = gnutls_realloc_fast(*data, data_size + signature.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&signature); - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - _gnutls_write_datum16(&(*data)[data_size], signature); - data_size += signature.size + 2; - + gnutls_assert(); + return ret; + } + + if ((ret = + _gnutls_tls_sign_params(session, &apr_cert_list[0], + apr_pkey, &ddata, &signature)) < 0) { + gnutls_assert(); + gnutls_free(*data); + return ret; + } + + *data = gnutls_realloc_fast(*data, data_size + signature.size + 2); + if (*data == NULL) { _gnutls_free_datum(&signature); + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + _gnutls_write_datum16(&(*data)[data_size], signature); + data_size += signature.size + 2; + + _gnutls_free_datum(&signature); - return data_size; + return data_size; } -static int proc_srp_cert_server_kx(gnutls_session session, opaque * data, size_t _data_size) +static int proc_srp_cert_server_kx(gnutls_session session, opaque * data, + size_t _data_size) { -ssize_t ret; -int sigsize; -gnutls_datum vparams, signature; -ssize_t data_size; -cert_auth_info_t info; -gnutls_cert peer_cert; -opaque* p; - - ret = _gnutls_proc_srp_server_kx( session, data, _data_size); - if (ret < 0) return ret; - - data_size = _data_size - ret; - - info = _gnutls_get_auth_info( session); - if (info == NULL || info->ncerts==0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return GNUTLS_E_INTERNAL_ERROR; - } - - /* VERIFY SIGNATURE */ - - vparams.size = ret; /* all the data minus the signature */ - vparams.data = data; - - p = &data[vparams.size]; - - DECR_LEN( data_size, 2); - sigsize = _gnutls_read_uint16( p); - - DECR_LEN( data_size, sigsize); - signature.data = &p[2]; - signature.size = sigsize; - - ret = _gnutls_raw_cert_to_gcert( &peer_cert, session->security_parameters.cert_type, - &info->raw_certificate_list[0], CERT_NO_COPY); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = - _gnutls_verify_sig_params(session, - &peer_cert, - &vparams, &signature); - - _gnutls_gcert_deinit( &peer_cert); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - return 0; + ssize_t ret; + int sigsize; + gnutls_datum vparams, signature; + ssize_t data_size; + cert_auth_info_t info; + gnutls_cert peer_cert; + opaque *p; + + ret = _gnutls_proc_srp_server_kx(session, data, _data_size); + if (ret < 0) + return ret; + + data_size = _data_size - ret; + + info = _gnutls_get_auth_info(session); + if (info == NULL || info->ncerts == 0) { + gnutls_assert(); + /* we need this in order to get peer's certificate */ + return GNUTLS_E_INTERNAL_ERROR; + } + + /* VERIFY SIGNATURE */ + + vparams.size = ret; /* all the data minus the signature */ + vparams.data = data; + + p = &data[vparams.size]; + + DECR_LEN(data_size, 2); + sigsize = _gnutls_read_uint16(p); + + DECR_LEN(data_size, sigsize); + signature.data = &p[2]; + signature.size = sigsize; + + ret = + _gnutls_raw_cert_to_gcert(&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_NO_COPY); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + _gnutls_verify_sig_params(session, + &peer_cert, &vparams, &signature); + + _gnutls_gcert_deinit(&peer_cert); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/libextra/auth_srp_sb64.c b/libextra/auth_srp_sb64.c index db8edb65b7..9b0eb65979 100644 --- a/libextra/auth_srp_sb64.c +++ b/libextra/auth_srp_sb64.c @@ -32,103 +32,102 @@ static const uint8 b64table[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./"; static const uint8 asciitable[128] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0x3e, 0x3f, - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, - 0x06, 0x07, 0x08, 0x09, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0x0a, - 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, - 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, - 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, - 0x23, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0x24, 0x25, 0x26, 0x27, 0x28, - 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, - 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, - 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, - 0x3b, 0x3c, 0x3d, 0xff, 0xff, 0xff, - 0xff, 0xff + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0x3e, 0x3f, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, + 0x06, 0x07, 0x08, 0x09, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0x0a, + 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, + 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, + 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, + 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, + 0x23, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0x24, 0x25, 0x26, 0x27, 0x28, + 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, + 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, + 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, + 0x3b, 0x3c, 0x3d, 0xff, 0xff, 0xff, + 0xff, 0xff }; inline static int encode(uint8 * result, const uint8 * rdata, int left) { - int data_len; - int c, ret = 4; - uint8 data[3]; - - if (left > 3) - data_len = 3; - else - data_len = left; - - data[0] = data[1] = data[2] = 0; - memcpy(data, rdata, data_len); - - switch (data_len) { - case 3: - result[0] = b64table[((data[0] & 0xfc) >> 2)]; - result[1] = - b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | - ((data[1] & 0xf0) >> 4))]; - result[2] = - b64table[((((data[1] & 0x0f) << 2) & 0xff) | - ((data[2] & 0xc0) >> 6))]; - result[3] = b64table[(data[2] & 0x3f) & 0xff]; - break; - case 2: - if ((c = ((data[0] & 0xf0) >> 4)) != 0) { - result[0] = b64table[c]; - result[1] = - b64table[((((data[0] & 0x0f) << 2) & 0xff) | - ((data[1] & 0xc0) >> 6))]; - result[2] = b64table[(data[1] & 0x3f) & 0xff]; - result[3] = '\0'; - ret -= 1; - } else { - if ((c = - ((data[0] & 0x0f) << 2) | ((data[1] & 0xc0) >> - 6)) != 0) { - result[0] = b64table[c]; - result[1] = b64table[data[1] & 0x3f]; - result[2] = '\0'; - result[3] = '\0'; - ret -= 2; - } else { - result[0] = b64table[data[0] & 0x3f]; - result[1] = '\0'; - result[2] = '\0'; - result[3] = '\0'; - ret -= 3; - } - } - break; - case 1: - if ((c = ((data[0] & 0xc0) >> 6)) != 0) { - result[0] = b64table[c]; - result[1] = b64table[(data[0] & 0x3f) & 0xff]; - result[2] = '\0'; - result[3] = '\0'; - ret -= 2; - } else { - result[0] = b64table[(data[0] & 0x3f) & 0xff]; - result[1] = '\0'; - result[2] = '\0'; - result[3] = '\0'; - ret -= 3; - } - break; - default: - return -1; + int data_len; + int c, ret = 4; + uint8 data[3]; + + if (left > 3) + data_len = 3; + else + data_len = left; + + data[0] = data[1] = data[2] = 0; + memcpy(data, rdata, data_len); + + switch (data_len) { + case 3: + result[0] = b64table[((data[0] & 0xfc) >> 2)]; + result[1] = + b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | + ((data[1] & 0xf0) >> 4))]; + result[2] = + b64table[((((data[1] & 0x0f) << 2) & 0xff) | + ((data[2] & 0xc0) >> 6))]; + result[3] = b64table[(data[2] & 0x3f) & 0xff]; + break; + case 2: + if ((c = ((data[0] & 0xf0) >> 4)) != 0) { + result[0] = b64table[c]; + result[1] = + b64table[((((data[0] & 0x0f) << 2) & 0xff) | + ((data[1] & 0xc0) >> 6))]; + result[2] = b64table[(data[1] & 0x3f) & 0xff]; + result[3] = '\0'; + ret -= 1; + } else { + if ((c = + ((data[0] & 0x0f) << 2) | ((data[1] & 0xc0) >> 6)) != 0) { + result[0] = b64table[c]; + result[1] = b64table[data[1] & 0x3f]; + result[2] = '\0'; + result[3] = '\0'; + ret -= 2; + } else { + result[0] = b64table[data[0] & 0x3f]; + result[1] = '\0'; + result[2] = '\0'; + result[3] = '\0'; + ret -= 3; + } + } + break; + case 1: + if ((c = ((data[0] & 0xc0) >> 6)) != 0) { + result[0] = b64table[c]; + result[1] = b64table[(data[0] & 0x3f) & 0xff]; + result[2] = '\0'; + result[3] = '\0'; + ret -= 2; + } else { + result[0] = b64table[(data[0] & 0x3f) & 0xff]; + result[1] = '\0'; + result[2] = '\0'; + result[3] = '\0'; + ret -= 3; } + break; + default: + return -1; + } - return ret; + return ret; } @@ -137,50 +136,50 @@ inline static int encode(uint8 * result, const uint8 * rdata, int left) */ int _gnutls_sbase64_encode(uint8 * data, size_t data_size, uint8 ** result) { - uint i,j; - int ret, tmp; - opaque tmpres[4]; - int mod = data_size % 3; + uint i, j; + int ret, tmp; + opaque tmpres[4]; + int mod = data_size % 3; - ret = mod; - if (ret != 0) - ret = 4; - else - ret = 0; + ret = mod; + if (ret != 0) + ret = 4; + else + ret = 0; - ret += (data_size * 4) / 3; + ret += (data_size * 4) / 3; - (*result) = gnutls_calloc( 1, ret + 1); - if ((*result) == NULL) - return -1; + (*result) = gnutls_calloc(1, ret + 1); + if ((*result) == NULL) + return -1; - i = j = 0; + i = j = 0; /* encode the bytes that are not a multiple of 3 */ - if (mod > 0) { - tmp = encode(tmpres, &data[0], mod); - if (tmp < 0) { - gnutls_free( (*result)); - return tmp; - } + if (mod > 0) { + tmp = encode(tmpres, &data[0], mod); + if (tmp < 0) { + gnutls_free((*result)); + return tmp; + } - memcpy(&(*result)[0], tmpres, tmp); - i = mod; - j = tmp; + memcpy(&(*result)[0], tmpres, tmp); + i = mod; + j = tmp; - } + } /* encode the rest */ - for (; i < data_size; i += 3, j += 4) { - tmp = encode(tmpres, &data[i], data_size - i); - if (tmp < 0) { - gnutls_free( (*result)); - return tmp; - } - memcpy(&(*result)[j], tmpres, tmp); + for (; i < data_size; i += 3, j += 4) { + tmp = encode(tmpres, &data[i], data_size - i); + if (tmp < 0) { + gnutls_free((*result)); + return tmp; } + memcpy(&(*result)[j], tmpres, tmp); + } - return strlen(*result); + return strlen(*result); } @@ -190,30 +189,39 @@ int _gnutls_sbase64_encode(uint8 * data, size_t data_size, uint8 ** result) #define TOASCII(c) (c < 127 ? asciitable[c] : 0xff) inline static int decode(uint8 * result, const uint8 * data) { - uint8 a1, a2; - int ret = 3; - - memset( result, 0, 3); - - a1 = TOASCII(data[3]); - a2 = TOASCII(data[2]); - if (a1 != 0xff) result[2] = a1 & 0xff; - else return -1; - if (a2 != 0xff) result[2] |= ((a2 & 0x03) << 6) & 0xff; - - a1 = a2; - a2 = TOASCII(data[1]); - if (a1 != 0xff) result[1] = ((a1 & 0x3c) >> 2); - if (a2 != 0xff) result[1] |= ((a2 & 0x0f) << 4); - else if (a1==0xff || result[1] == 0) ret--; - - a1 = a2; - a2 = TOASCII(data[0]); - if (a1 != 0xff) result[0] = (((a1 & 0x30) >> 4) & 0xff); - if (a2 != 0xff) result[0] |= ((a2 << 2) & 0xff); - else if (a1==0xff || result[0] == 0) ret--; - - return ret; + uint8 a1, a2; + int ret = 3; + + memset(result, 0, 3); + + a1 = TOASCII(data[3]); + a2 = TOASCII(data[2]); + if (a1 != 0xff) + result[2] = a1 & 0xff; + else + return -1; + if (a2 != 0xff) + result[2] |= ((a2 & 0x03) << 6) & 0xff; + + a1 = a2; + a2 = TOASCII(data[1]); + if (a1 != 0xff) + result[1] = ((a1 & 0x3c) >> 2); + if (a2 != 0xff) + result[1] |= ((a2 & 0x0f) << 4); + else if (a1 == 0xff || result[1] == 0) + ret--; + + a1 = a2; + a2 = TOASCII(data[0]); + if (a1 != 0xff) + result[0] = (((a1 & 0x30) >> 4) & 0xff); + if (a2 != 0xff) + result[0] |= ((a2 << 2) & 0xff); + else if (a1 == 0xff || result[0] == 0) + ret--; + + return ret; } /* decodes data and puts the result into result (locally allocated) @@ -221,57 +229,60 @@ inline static int decode(uint8 * result, const uint8 * data) * That function does not ignore newlines tabs etc. You should remove them * before calling it. */ -int _gnutls_sbase64_decode(uint8 * data, size_t idata_size, uint8 ** result) +int _gnutls_sbase64_decode(uint8 * data, size_t idata_size, + uint8 ** result) { - uint i,j; - int ret, left; - int data_size, tmp; - uint8 datrev[4]; - uint8 tmpres[3]; - - data_size = (idata_size/4)*4; - left = idata_size % 4; - - ret = (data_size / 4) * 3; - - if (left > 0) - ret += 3; - - (*result) = gnutls_malloc(ret+1); - if ((*result) == NULL) - return -1; - - /* the first "block" is treated with special care */ - tmp = 0; - if (left > 0) { - memset( datrev, 0, 4); - memcpy( &datrev[4-left], data, left); - - tmp = decode( tmpres, datrev); - if (tmp < 0) { - gnutls_free( (*result)); *result = NULL; - return tmp; - } - - memcpy( *result, &tmpres[3-tmp], tmp); - if (tmp < 3) - ret -= (3 - tmp); + uint i, j; + int ret, left; + int data_size, tmp; + uint8 datrev[4]; + uint8 tmpres[3]; + + data_size = (idata_size / 4) * 4; + left = idata_size % 4; + + ret = (data_size / 4) * 3; + + if (left > 0) + ret += 3; + + (*result) = gnutls_malloc(ret + 1); + if ((*result) == NULL) + return -1; + + /* the first "block" is treated with special care */ + tmp = 0; + if (left > 0) { + memset(datrev, 0, 4); + memcpy(&datrev[4 - left], data, left); + + tmp = decode(tmpres, datrev); + if (tmp < 0) { + gnutls_free((*result)); + *result = NULL; + return tmp; } - /* rest data */ - for (i = left, j = tmp; i < idata_size; i += 4) { - tmp = decode(tmpres, &data[i]); - if (tmp < 0) { - gnutls_free( (*result)); *result = NULL; - return tmp; - } - memcpy(&(*result)[j], tmpres, tmp); - if (tmp < 3) - ret -= (3 - tmp); - j += 3; + memcpy(*result, &tmpres[3 - tmp], tmp); + if (tmp < 3) + ret -= (3 - tmp); + } + + /* rest data */ + for (i = left, j = tmp; i < idata_size; i += 4) { + tmp = decode(tmpres, &data[i]); + if (tmp < 0) { + gnutls_free((*result)); + *result = NULL; + return tmp; } + memcpy(&(*result)[j], tmpres, tmp); + if (tmp < 3) + ret -= (3 - tmp); + j += 3; + } - return ret; + return ret; } /** @@ -285,26 +296,27 @@ int _gnutls_sbase64_decode(uint8 * data, size_t idata_size, uint8 ** result) * If the provided buffer is not long enough GNUTLS_E_SHORT_MEMORY_BUFFER is returned. * **/ -int gnutls_srp_base64_encode( const gnutls_datum *data, char* result, int* result_size) +int gnutls_srp_base64_encode(const gnutls_datum * data, char *result, + int *result_size) { -opaque* ret; -int size; - - size = _gnutls_sbase64_encode( data->data, data->size, &ret); - if (size < 0) - return size; - - if (result==NULL || *result_size < size) { - gnutls_free(ret); - *result_size = size; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } else { - memcpy( result, ret, size); - gnutls_free(ret); - *result_size = size; - } - - return 0; + opaque *ret; + int size; + + size = _gnutls_sbase64_encode(data->data, data->size, &ret); + if (size < 0) + return size; + + if (result == NULL || *result_size < size) { + gnutls_free(ret); + *result_size = size; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } else { + memcpy(result, ret, size); + gnutls_free(ret); + *result_size = size; + } + + return 0; } /** @@ -319,25 +331,25 @@ int size; * You should use gnutls_free() to free the returned data. * **/ -int gnutls_srp_base64_encode_alloc( const gnutls_datum *data, - gnutls_datum* result) +int gnutls_srp_base64_encode_alloc(const gnutls_datum * data, + gnutls_datum * result) { -opaque* ret; -int size; - - size = _gnutls_sbase64_encode( data->data, data->size, &ret); - if (size < 0) - return size; - - if (result==NULL) { - gnutls_free(ret); - return GNUTLS_E_INVALID_REQUEST; - } else { - result->data = ret; - result->size = size; - } - - return 0; + opaque *ret; + int size; + + size = _gnutls_sbase64_encode(data->data, data->size, &ret); + if (size < 0) + return size; + + if (result == NULL) { + gnutls_free(ret); + return GNUTLS_E_INVALID_REQUEST; + } else { + result->data = ret; + result->size = size; + } + + return 0; } /** @@ -354,26 +366,27 @@ int size; * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the buffer given is not long enough, * or 0 on success. **/ -int gnutls_srp_base64_decode( const gnutls_datum *b64_data, char* result, int* result_size) +int gnutls_srp_base64_decode(const gnutls_datum * b64_data, char *result, + int *result_size) { -opaque* ret; -int size; - - size = _gnutls_sbase64_decode( b64_data->data, b64_data->size, &ret); - if (size < 0) - return size; - - if (result==NULL || *result_size < size) { - gnutls_free(ret); - *result_size = size; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } else { - memcpy( result, ret, size); - gnutls_free(ret); - *result_size = size; - } - - return 0; + opaque *ret; + int size; + + size = _gnutls_sbase64_decode(b64_data->data, b64_data->size, &ret); + if (size < 0) + return size; + + if (result == NULL || *result_size < size) { + gnutls_free(ret); + *result_size = size; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } else { + memcpy(result, ret, size); + gnutls_free(ret); + *result_size = size; + } + + return 0; } /** @@ -388,25 +401,25 @@ int size; * You should use gnutls_free() to free the returned data. * **/ -int gnutls_srp_base64_decode_alloc( const gnutls_datum *b64_data, - gnutls_datum* result) +int gnutls_srp_base64_decode_alloc(const gnutls_datum * b64_data, + gnutls_datum * result) { -opaque* ret; -int size; - - size = _gnutls_sbase64_decode( b64_data->data, b64_data->size, &ret); - if (size < 0) - return size; - - if (result==NULL) { - gnutls_free(ret); - return GNUTLS_E_INVALID_REQUEST; - } else { - result->data = ret; - result->size = size; - } - - return 0; + opaque *ret; + int size; + + size = _gnutls_sbase64_decode(b64_data->data, b64_data->size, &ret); + if (size < 0) + return size; + + if (result == NULL) { + gnutls_free(ret); + return GNUTLS_E_INVALID_REQUEST; + } else { + result->data = ret; + result->size = size; + } + + return 0; } -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/libextra/ext_srp.c b/libextra/ext_srp.c index c279f87b8e..d148094d40 100644 --- a/libextra/ext_srp.c +++ b/libextra/ext_srp.c @@ -30,112 +30,122 @@ #include "gnutls_algorithms.h" #include <gnutls_num.h> -int _gnutls_srp_recv_params( gnutls_session session, const opaque* data, size_t _data_size) { - uint8 len; - ssize_t data_size = _data_size; - - if (_gnutls_kx_priority( session, GNUTLS_KX_SRP) < 0 && - _gnutls_kx_priority( session, GNUTLS_KX_SRP_DSS) < 0 && - _gnutls_kx_priority( session, GNUTLS_KX_SRP_RSA) < 0) { - /* algorithm was not allowed in this session - */ - return 0; - } - - if (session->security_parameters.entity == GNUTLS_SERVER) { - if (data_size > 0) { - len = data[0]; - DECR_LEN( data_size, len); - - if ( sizeof( session->security_parameters.extensions.srp_username) <= len) { - gnutls_assert(); - return GNUTLS_E_ILLEGAL_SRP_USERNAME; - } - memcpy( session->security_parameters.extensions.srp_username, &data[1], len); - session->security_parameters.extensions.srp_username[len]=0; /* null terminated */ - } - } +int _gnutls_srp_recv_params(gnutls_session session, const opaque * data, + size_t _data_size) +{ + uint8 len; + ssize_t data_size = _data_size; + + if (_gnutls_kx_priority(session, GNUTLS_KX_SRP) < 0 && + _gnutls_kx_priority(session, GNUTLS_KX_SRP_DSS) < 0 && + _gnutls_kx_priority(session, GNUTLS_KX_SRP_RSA) < 0) { + /* algorithm was not allowed in this session + */ return 0; + } + + if (session->security_parameters.entity == GNUTLS_SERVER) { + if (data_size > 0) { + len = data[0]; + DECR_LEN(data_size, len); + + if (sizeof + (session->security_parameters.extensions.srp_username) <= + len) { + gnutls_assert(); + return GNUTLS_E_ILLEGAL_SRP_USERNAME; + } + memcpy(session->security_parameters.extensions.srp_username, + &data[1], len); + session->security_parameters.extensions.srp_username[len] = 0; /* null terminated */ + } + } + return 0; } /* Checks if the given cipher suite is an SRP one */ -inline static int is_srp( cipher_suite_st suite) +inline static int is_srp(cipher_suite_st suite) { - int kx = _gnutls_cipher_suite_get_kx_algo( &suite); - - if (IS_SRP_KX(kx)) return 1; - return 0; + int kx = _gnutls_cipher_suite_get_kx_algo(&suite); + + if (IS_SRP_KX(kx)) + return 1; + return 0; } /* returns data_size or a negative number on failure * data is allocated locally */ -int _gnutls_srp_send_params( gnutls_session session, opaque* data, size_t data_size) { - uint len; - - if (_gnutls_kx_priority( session, GNUTLS_KX_SRP) < 0 && - _gnutls_kx_priority( session, GNUTLS_KX_SRP_DSS) < 0 && - _gnutls_kx_priority( session, GNUTLS_KX_SRP_RSA) < 0) { - /* algorithm was not allowed in this session - */ - return 0; - } +int _gnutls_srp_send_params(gnutls_session session, opaque * data, + size_t data_size) +{ + uint len; - /* this function sends the client extension data (username) */ - if (session->security_parameters.entity == GNUTLS_CLIENT) { - const gnutls_srp_client_credentials cred = - _gnutls_get_cred( session->key, GNUTLS_CRD_SRP, NULL); - - if (cred==NULL) return 0; - - if (cred->username!=NULL) { /* send username */ - len = GMIN( strlen(cred->username), 255); - - if (data_size < len+1) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - data[0] = (uint8) len; - memcpy( &data[1], cred->username, len); - return len + 1; - } else if (cred->get_function != NULL) { - /* Try the callback - */ - char* username = NULL, *password = NULL; - - if (cred->get_function( session, session->internals.handshake_restarted, - &username, &password) < 0 || username == NULL || - password == NULL) - { - - if (session->internals.handshake_restarted) { - gnutls_assert(); - return GNUTLS_E_ILLEGAL_SRP_USERNAME; - } - - return 0; - } - - len = GMIN( strlen(username), 255); - - if (data_size < len+1) { - gnutls_free( username); - gnutls_free( password); - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - session->internals.srp_username = username; - session->internals.srp_password = password; - - data[0] = (uint8) len; - memcpy( &data[1], username, len); - return len + 1; + if (_gnutls_kx_priority(session, GNUTLS_KX_SRP) < 0 && + _gnutls_kx_priority(session, GNUTLS_KX_SRP_DSS) < 0 && + _gnutls_kx_priority(session, GNUTLS_KX_SRP_RSA) < 0) { + /* algorithm was not allowed in this session + */ + return 0; + } + + /* this function sends the client extension data (username) */ + if (session->security_parameters.entity == GNUTLS_CLIENT) { + const gnutls_srp_client_credentials cred = + _gnutls_get_cred(session->key, GNUTLS_CRD_SRP, NULL); + + if (cred == NULL) + return 0; + + if (cred->username != NULL) { /* send username */ + len = GMIN(strlen(cred->username), 255); + + if (data_size < len + 1) { + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + data[0] = (uint8) len; + memcpy(&data[1], cred->username, len); + return len + 1; + } else if (cred->get_function != NULL) { + /* Try the callback + */ + char *username = NULL, *password = NULL; + + if (cred-> + get_function(session, + session->internals.handshake_restarted, + &username, &password) < 0 || username == NULL + || password == NULL) { + + if (session->internals.handshake_restarted) { + gnutls_assert(); + return GNUTLS_E_ILLEGAL_SRP_USERNAME; } + + return 0; + } + + len = GMIN(strlen(username), 255); + + if (data_size < len + 1) { + gnutls_free(username); + gnutls_free(password); + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + session->internals.srp_username = username; + session->internals.srp_password = password; + + data[0] = (uint8) len; + memcpy(&data[1], username, len); + return len + 1; } - return 0; + } + return 0; } -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/libextra/gnutls_extra.c b/libextra/gnutls_extra.c index d32ba12264..4c44e91e4c 100644 --- a/libextra/gnutls_extra.c +++ b/libextra/gnutls_extra.c @@ -39,26 +39,31 @@ extern gnutls_kx_algo_entry _gnutls_kx_algorithms[]; #define TOSTR(x) #x #ifdef ENABLE_SRP -static int _gnutls_add_srp_extension(void) { -int i; - - /* find the last element */ - for(i=0;i<_gnutls_extensions_size;i++) { - if (_gnutls_extensions[i].name==NULL) break; - } - - if (_gnutls_extensions[i].name==NULL && (i < _gnutls_extensions_size-1)) { - _gnutls_extensions[i].name = TOSTR(GNUTLS_EXTENSION_SRP); - _gnutls_extensions[i].type = GNUTLS_EXTENSION_SRP; - _gnutls_extensions[i].gnutls_ext_func_recv = _gnutls_srp_recv_params; - _gnutls_extensions[i].gnutls_ext_func_send = _gnutls_srp_send_params; - - _gnutls_extensions[i+1].name = 0; - - return 0; /* ok */ - } - - return GNUTLS_E_MEMORY_ERROR; +static int _gnutls_add_srp_extension(void) +{ + int i; + + /* find the last element */ + for (i = 0; i < _gnutls_extensions_size; i++) { + if (_gnutls_extensions[i].name == NULL) + break; + } + + if (_gnutls_extensions[i].name == NULL + && (i < _gnutls_extensions_size - 1)) { + _gnutls_extensions[i].name = TOSTR(GNUTLS_EXTENSION_SRP); + _gnutls_extensions[i].type = GNUTLS_EXTENSION_SRP; + _gnutls_extensions[i].gnutls_ext_func_recv = + _gnutls_srp_recv_params; + _gnutls_extensions[i].gnutls_ext_func_send = + _gnutls_srp_send_params; + + _gnutls_extensions[i + 1].name = 0; + + return 0; /* ok */ + } + + return GNUTLS_E_MEMORY_ERROR; } extern mod_auth_st srp_auth_struct; @@ -66,46 +71,51 @@ extern mod_auth_st srp_rsa_auth_struct; extern mod_auth_st srp_dss_auth_struct; -static int _gnutls_add_srp_auth_struct(void) { -int i; - - /* find the last element */ - for(i=0;i<_gnutls_kx_algorithms_size;i++) { - if (_gnutls_kx_algorithms[i].name==NULL) break; - } - - if (_gnutls_kx_algorithms[i].name==NULL && (i < _gnutls_kx_algorithms_size-1)) { - _gnutls_kx_algorithms[i].name = "SRP"; - _gnutls_kx_algorithms[i].algorithm = GNUTLS_KX_SRP; - _gnutls_kx_algorithms[i].auth_struct = &srp_auth_struct; - _gnutls_kx_algorithms[i].needs_dh_params = 0; - _gnutls_kx_algorithms[i].needs_rsa_params = 0; - _gnutls_kx_algorithms[i+1].name = 0; - } - i++; - - if (_gnutls_kx_algorithms[i].name==NULL && (i < _gnutls_kx_algorithms_size-1)) { - _gnutls_kx_algorithms[i].name = "SRP RSA"; - _gnutls_kx_algorithms[i].algorithm = GNUTLS_KX_SRP_RSA; - _gnutls_kx_algorithms[i].auth_struct = &srp_rsa_auth_struct; - _gnutls_kx_algorithms[i].needs_dh_params = 0; - _gnutls_kx_algorithms[i].needs_rsa_params = 0; - _gnutls_kx_algorithms[i+1].name = 0; - } - i++; - - if (_gnutls_kx_algorithms[i].name==NULL && (i < _gnutls_kx_algorithms_size-1)) { - _gnutls_kx_algorithms[i].name = "SRP DSS"; - _gnutls_kx_algorithms[i].algorithm = GNUTLS_KX_SRP_DSS; - _gnutls_kx_algorithms[i].auth_struct = &srp_dss_auth_struct; - _gnutls_kx_algorithms[i].needs_dh_params = 0; - _gnutls_kx_algorithms[i].needs_rsa_params = 0; - _gnutls_kx_algorithms[i+1].name = 0; - - return 0; /* ok */ - } - - return GNUTLS_E_MEMORY_ERROR; +static int _gnutls_add_srp_auth_struct(void) +{ + int i; + + /* find the last element */ + for (i = 0; i < _gnutls_kx_algorithms_size; i++) { + if (_gnutls_kx_algorithms[i].name == NULL) + break; + } + + if (_gnutls_kx_algorithms[i].name == NULL + && (i < _gnutls_kx_algorithms_size - 1)) { + _gnutls_kx_algorithms[i].name = "SRP"; + _gnutls_kx_algorithms[i].algorithm = GNUTLS_KX_SRP; + _gnutls_kx_algorithms[i].auth_struct = &srp_auth_struct; + _gnutls_kx_algorithms[i].needs_dh_params = 0; + _gnutls_kx_algorithms[i].needs_rsa_params = 0; + _gnutls_kx_algorithms[i + 1].name = 0; + } + i++; + + if (_gnutls_kx_algorithms[i].name == NULL + && (i < _gnutls_kx_algorithms_size - 1)) { + _gnutls_kx_algorithms[i].name = "SRP RSA"; + _gnutls_kx_algorithms[i].algorithm = GNUTLS_KX_SRP_RSA; + _gnutls_kx_algorithms[i].auth_struct = &srp_rsa_auth_struct; + _gnutls_kx_algorithms[i].needs_dh_params = 0; + _gnutls_kx_algorithms[i].needs_rsa_params = 0; + _gnutls_kx_algorithms[i + 1].name = 0; + } + i++; + + if (_gnutls_kx_algorithms[i].name == NULL + && (i < _gnutls_kx_algorithms_size - 1)) { + _gnutls_kx_algorithms[i].name = "SRP DSS"; + _gnutls_kx_algorithms[i].algorithm = GNUTLS_KX_SRP_DSS; + _gnutls_kx_algorithms[i].auth_struct = &srp_dss_auth_struct; + _gnutls_kx_algorithms[i].needs_dh_params = 0; + _gnutls_kx_algorithms[i].needs_rsa_params = 0; + _gnutls_kx_algorithms[i + 1].name = 0; + + return 0; /* ok */ + } + + return GNUTLS_E_MEMORY_ERROR; } #endif @@ -119,42 +129,46 @@ extern int _gnutls_comp_algorithms_size; /* Functions in gnutls that have not been initialized. */ #ifdef USE_LZO -typedef int (*LZO_FUNC)(); +typedef int (*LZO_FUNC) (); extern LZO_FUNC _gnutls_lzo1x_decompress_safe; extern LZO_FUNC _gnutls_lzo1x_1_compress; extern gnutls_compression_entry _gnutls_compression_algorithms[]; -static int _gnutls_add_lzo_comp(void) +static int _gnutls_add_lzo_comp(void) { -int i; + int i; + + /* find the last element */ + for (i = 0; i < _gnutls_comp_algorithms_size; i++) { + if (_gnutls_compression_algorithms[i].name == NULL) + break; + } - /* find the last element */ - for(i=0;i<_gnutls_comp_algorithms_size;i++) { - if (_gnutls_compression_algorithms[i].name==NULL) break; - } + if (_gnutls_compression_algorithms[i].name == NULL + && (i < _gnutls_comp_algorithms_size - 1)) { + _gnutls_compression_algorithms[i].name = "GNUTLS_COMP_LZO"; + _gnutls_compression_algorithms[i].id = GNUTLS_COMP_LZO; + _gnutls_compression_algorithms[i].num = 0xf2; - if (_gnutls_compression_algorithms[i].name==NULL && (i < _gnutls_comp_algorithms_size-1)) { - _gnutls_compression_algorithms[i].name = "GNUTLS_COMP_LZO"; - _gnutls_compression_algorithms[i].id = GNUTLS_COMP_LZO; - _gnutls_compression_algorithms[i].num = 0xf2; + _gnutls_compression_algorithms[i + 1].name = 0; - _gnutls_compression_algorithms[i+1].name = 0; + /* Now enable the lzo functions: */ + _gnutls_lzo1x_decompress_safe = lzo1x_decompress_safe; + _gnutls_lzo1x_1_compress = lzo1x_1_compress; + + return 0; /* ok */ + } - /* Now enable the lzo functions: */ - _gnutls_lzo1x_decompress_safe = lzo1x_decompress_safe; - _gnutls_lzo1x_1_compress = lzo1x_1_compress; - - return 0; /* ok */ - } - - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_MEMORY_ERROR; } #endif -extern OPENPGP_KEY_CREATION_TIME_FUNC _E_gnutls_openpgp_get_raw_key_creation_time; -extern OPENPGP_KEY_EXPIRATION_TIME_FUNC _E_gnutls_openpgp_get_raw_key_expiration_time; +extern OPENPGP_KEY_CREATION_TIME_FUNC + _E_gnutls_openpgp_get_raw_key_creation_time; +extern OPENPGP_KEY_EXPIRATION_TIME_FUNC + _E_gnutls_openpgp_get_raw_key_expiration_time; extern OPENPGP_VERIFY_KEY_FUNC _E_gnutls_openpgp_verify_key; extern OPENPGP_FINGERPRINT _E_gnutls_openpgp_fingerprint; extern OPENPGP_KEY_REQUEST _E_gnutls_openpgp_request_key; @@ -167,25 +181,29 @@ extern OPENPGP_PRIVKEY_TO_GKEY _E_gnutls_openpgp_privkey_to_gkey; extern OPENPGP_KEY_DEINIT _E_gnutls_openpgp_key_deinit; extern OPENPGP_PRIVKEY_DEINIT _E_gnutls_openpgp_privkey_deinit; -static void _gnutls_add_openpgp_functions(void) { +static void _gnutls_add_openpgp_functions(void) +{ #ifdef USE_OPENPGP - _E_gnutls_openpgp_verify_key = _gnutls_openpgp_verify_key; - _E_gnutls_openpgp_get_raw_key_expiration_time = _gnutls_openpgp_get_raw_key_expiration_time; - _E_gnutls_openpgp_get_raw_key_creation_time = _gnutls_openpgp_get_raw_key_creation_time; - _E_gnutls_openpgp_fingerprint = _gnutls_openpgp_fingerprint; - _E_gnutls_openpgp_request_key = _gnutls_openpgp_request_key; - - _E_gnutls_openpgp_raw_key_to_gcert = _gnutls_openpgp_raw_key_to_gcert; - _E_gnutls_openpgp_raw_privkey_to_gkey = _gnutls_openpgp_raw_privkey_to_gkey; - - _E_gnutls_openpgp_key_to_gcert = _gnutls_openpgp_key_to_gcert; - _E_gnutls_openpgp_privkey_to_gkey = _gnutls_openpgp_privkey_to_gkey; - _E_gnutls_openpgp_key_deinit = gnutls_openpgp_key_deinit; - _E_gnutls_openpgp_privkey_deinit = gnutls_openpgp_privkey_deinit; + _E_gnutls_openpgp_verify_key = _gnutls_openpgp_verify_key; + _E_gnutls_openpgp_get_raw_key_expiration_time = + _gnutls_openpgp_get_raw_key_expiration_time; + _E_gnutls_openpgp_get_raw_key_creation_time = + _gnutls_openpgp_get_raw_key_creation_time; + _E_gnutls_openpgp_fingerprint = _gnutls_openpgp_fingerprint; + _E_gnutls_openpgp_request_key = _gnutls_openpgp_request_key; + + _E_gnutls_openpgp_raw_key_to_gcert = _gnutls_openpgp_raw_key_to_gcert; + _E_gnutls_openpgp_raw_privkey_to_gkey = + _gnutls_openpgp_raw_privkey_to_gkey; + + _E_gnutls_openpgp_key_to_gcert = _gnutls_openpgp_key_to_gcert; + _E_gnutls_openpgp_privkey_to_gkey = _gnutls_openpgp_privkey_to_gkey; + _E_gnutls_openpgp_key_deinit = gnutls_openpgp_key_deinit; + _E_gnutls_openpgp_privkey_deinit = gnutls_openpgp_privkey_deinit; #endif } -extern const char* gnutls_check_version( const char*); +extern const char *gnutls_check_version(const char *); static int _gnutls_init_extra = 0; /** @@ -199,102 +217,102 @@ static int _gnutls_init_extra = 0; * be usable. * **/ -int gnutls_global_init_extra(void) { -int ret; - - /* If the version of libgnutls != version of - * libextra, then do not initialize the library. - * This is because it may break things. - */ - if (strcmp( gnutls_check_version(NULL), GNUTLS_VERSION)!=0) { - return GNUTLS_E_LIBRARY_VERSION_MISMATCH; - } - - _gnutls_init_extra++; - - if (_gnutls_init_extra!=1) { - return 0; - } - - /* Initialize the LZO library - */ +int gnutls_global_init_extra(void) +{ + int ret; + + /* If the version of libgnutls != version of + * libextra, then do not initialize the library. + * This is because it may break things. + */ + if (strcmp(gnutls_check_version(NULL), GNUTLS_VERSION) != 0) { + return GNUTLS_E_LIBRARY_VERSION_MISMATCH; + } + + _gnutls_init_extra++; + + if (_gnutls_init_extra != 1) { + return 0; + } + + /* Initialize the LZO library + */ #ifdef USE_LZO - if (lzo_init() != LZO_E_OK) { - return GNUTLS_E_LZO_INIT_FAILED; - } - - /* Add the LZO compression method in the list of compression - * methods. - */ - ret = _gnutls_add_lzo_comp(); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (lzo_init() != LZO_E_OK) { + return GNUTLS_E_LZO_INIT_FAILED; + } + + /* Add the LZO compression method in the list of compression + * methods. + */ + ret = _gnutls_add_lzo_comp(); + if (ret < 0) { + gnutls_assert(); + return ret; + } #endif #ifdef ENABLE_SRP - /* Add the SRP authentication to the list of authentication - * methods. - */ - ret = _gnutls_add_srp_auth_struct(); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* Do the same of the extension - */ - ret = _gnutls_add_srp_extension(); - if (ret < 0) { - gnutls_assert(); - return ret; - } + /* Add the SRP authentication to the list of authentication + * methods. + */ + ret = _gnutls_add_srp_auth_struct(); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* Do the same of the extension + */ + ret = _gnutls_add_srp_extension(); + if (ret < 0) { + gnutls_assert(); + return ret; + } #endif - /* Register the openpgp functions. This is because some - * of them are defined to be NULL in the main library. - */ - _gnutls_add_openpgp_functions(); + /* Register the openpgp functions. This is because some + * of them are defined to be NULL in the main library. + */ + _gnutls_add_openpgp_functions(); - return 0; + return 0; } /* Taken from libgcrypt. Needed to configure scripts. */ -static const char* -parse_version_number( const char *s, int *number ) +static const char *parse_version_number(const char *s, int *number) { int val = 0; - if( *s == '0' && isdigit(s[1]) ) - return NULL; /* leading zeros are not allowed */ - for ( ; isdigit(*s); s++ ) { + if (*s == '0' && isdigit(s[1])) + return NULL; /* leading zeros are not allowed */ + for (; isdigit(*s); s++) { val *= 10; val += *s - '0'; } *number = val; - return val < 0? NULL : s; + return val < 0 ? NULL : s; } /* The parse version functions were copied from libgcrypt. */ -static const char * -parse_version_string( const char *s, int *major, int *minor, int *micro ) +static const char *parse_version_string(const char *s, int *major, + int *minor, int *micro) { - s = parse_version_number( s, major ); - if( !s || *s != '.' ) + s = parse_version_number(s, major); + if (!s || *s != '.') return NULL; s++; - s = parse_version_number( s, minor ); - if( !s || *s != '.' ) + s = parse_version_number(s, minor); + if (!s || *s != '.') return NULL; s++; - s = parse_version_number( s, micro ); - if( !s ) + s = parse_version_number(s, micro); + if (!s) return NULL; - return s; /* patchlevel */ + return s; /* patchlevel */ } /**************** @@ -303,34 +321,31 @@ parse_version_string( const char *s, int *major, int *minor, int *micro ) * satisfied. If a NULL is passed to this function, no check is done, * but the version string is simply returned. */ -const char * -gnutls_extra_check_version( const char *req_version ) +const char *gnutls_extra_check_version(const char *req_version) { const char *ver = GNUTLS_VERSION; int my_major, my_minor, my_micro; int rq_major, rq_minor, rq_micro; const char *my_plvl, *rq_plvl; - if ( !req_version ) + if (!req_version) return ver; - my_plvl = parse_version_string( ver, &my_major, &my_minor, &my_micro ); - if ( !my_plvl ) - return NULL; /* very strange our own version is bogus */ - rq_plvl = parse_version_string( req_version, &rq_major, &rq_minor, - &rq_micro ); - if ( !rq_plvl ) - return NULL; /* req version string is invalid */ + my_plvl = parse_version_string(ver, &my_major, &my_minor, &my_micro); + if (!my_plvl) + return NULL; /* very strange our own version is bogus */ + rq_plvl = parse_version_string(req_version, &rq_major, &rq_minor, + &rq_micro); + if (!rq_plvl) + return NULL; /* req version string is invalid */ - if ( my_major > rq_major + if (my_major > rq_major || (my_major == rq_major && my_minor > rq_minor) || (my_major == rq_major && my_minor == rq_minor - && my_micro > rq_micro) + && my_micro > rq_micro) || (my_major == rq_major && my_minor == rq_minor - && my_micro == rq_micro - && strcmp( my_plvl, rq_plvl ) >= 0) ) { + && my_micro == rq_micro && strcmp(my_plvl, rq_plvl) >= 0)) { return ver; } return NULL; } - diff --git a/libextra/gnutls_openpgp.c b/libextra/gnutls_openpgp.c index 64aa0ccb21..c861e4dd48 100644 --- a/libextra/gnutls_openpgp.c +++ b/libextra/gnutls_openpgp.c @@ -40,144 +40,149 @@ -static void -release_mpi_array( GNUTLS_MPI *arr, size_t n ) +static void release_mpi_array(GNUTLS_MPI * arr, size_t n) { GNUTLS_MPI x; - - while( arr && n-- ) { - x = *arr; - _gnutls_mpi_release( &x ); - *arr = NULL; arr++; + + while (arr && n--) { + x = *arr; + _gnutls_mpi_release(&x); + *arr = NULL; + arr++; } } -int -_gnutls_map_cdk_rc( int rc ) +int _gnutls_map_cdk_rc(int rc) { - switch( rc ) { - case CDK_Success: return 0; - case CDK_Too_Short: return GNUTLS_E_SHORT_MEMORY_BUFFER; - case CDK_General_Error: return GNUTLS_E_INTERNAL_ERROR; - case CDK_File_Error: return GNUTLS_E_FILE_ERROR; - case CDK_MPI_Error: return GNUTLS_E_MPI_SCAN_FAILED; - case CDK_Error_No_Key: return GNUTLS_E_OPENPGP_GETKEY_FAILED; - case CDK_Wrong_Format: return GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED; - case CDK_Armor_Error: return GNUTLS_E_BASE64_DECODING_ERROR; - case CDK_Inv_Value: return GNUTLS_E_INVALID_REQUEST; - default: return GNUTLS_E_INTERNAL_ERROR; + switch (rc) { + case CDK_Success: + return 0; + case CDK_Too_Short: + return GNUTLS_E_SHORT_MEMORY_BUFFER; + case CDK_General_Error: + return GNUTLS_E_INTERNAL_ERROR; + case CDK_File_Error: + return GNUTLS_E_FILE_ERROR; + case CDK_MPI_Error: + return GNUTLS_E_MPI_SCAN_FAILED; + case CDK_Error_No_Key: + return GNUTLS_E_OPENPGP_GETKEY_FAILED; + case CDK_Wrong_Format: + return GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED; + case CDK_Armor_Error: + return GNUTLS_E_BASE64_DECODING_ERROR; + case CDK_Inv_Value: + return GNUTLS_E_INVALID_REQUEST; + default: + return GNUTLS_E_INTERNAL_ERROR; } } -static unsigned long -buftou32( const uint8 *buf ) +static unsigned long buftou32(const uint8 * buf) { unsigned a; - a = buf[0] << 24; + a = buf[0] << 24; a |= buf[1] << 16; - a |= buf[2] << 8; + a |= buf[2] << 8; a |= buf[3]; return a; } -static int -kbx_blob_new( keybox_blob **r_ctx ) +static int kbx_blob_new(keybox_blob ** r_ctx) { keybox_blob *c; - - if( !r_ctx ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + + if (!r_ctx) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - - c = cdk_calloc( 1, sizeof * c ); - if( !c ) { - gnutls_assert( ); - return GNUTLS_E_MEMORY_ERROR; + + c = cdk_calloc(1, sizeof *c); + if (!c) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } *r_ctx = c; - + return 0; } -void -kbx_blob_release( keybox_blob *ctx ) +void kbx_blob_release(keybox_blob * ctx) { - if( ctx ) { - cdk_free( ctx->data ); - cdk_free( ctx ); + if (ctx) { + cdk_free(ctx->data); + cdk_free(ctx); } } -cdk_keydb_hd_t -kbx_to_keydb( keybox_blob *blob ) +cdk_keydb_hd_t kbx_to_keydb(keybox_blob * blob) { cdk_keydb_hd_t hd; int rc; - if( !blob ) { - gnutls_assert( ); - return NULL; + if (!blob) { + gnutls_assert(); + return NULL; } - - switch( blob->type ) { + + switch (blob->type) { case KBX_BLOB_FILE: - rc = cdk_keydb_new( &hd, CDK_DBTYPE_PK_KEYRING, blob->data, blob->size ); - break; - + rc = cdk_keydb_new(&hd, CDK_DBTYPE_PK_KEYRING, blob->data, + blob->size); + break; + case KBX_BLOB_DATA: - rc = cdk_keydb_new( &hd, CDK_DBTYPE_DATA, blob->data, blob->size ); - break; + rc = cdk_keydb_new(&hd, CDK_DBTYPE_DATA, blob->data, blob->size); + break; default: - rc = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert( ); - break; + rc = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert(); + break; } - if( rc ) - hd = NULL; + if (rc) + hd = NULL; return hd; } /* Extract a keybox blob from the given position. */ -keybox_blob* -kbx_read_blob( const gnutls_datum* keyring, size_t pos ) +keybox_blob *kbx_read_blob(const gnutls_datum * keyring, size_t pos) { keybox_blob *blob = NULL; int rc; - - if( !keyring || !keyring->data || pos > keyring->size ) { - gnutls_assert( ); - return NULL; - } - - rc = kbx_blob_new( &blob ); - if( rc ) - return NULL; - + + if (!keyring || !keyring->data || pos > keyring->size) { + gnutls_assert(); + return NULL; + } + + rc = kbx_blob_new(&blob); + if (rc) + return NULL; + blob->type = keyring->data[pos]; - if( blob->type != KBX_BLOB_FILE && blob->type != KBX_BLOB_DATA ) { - kbx_blob_release( blob ); - return NULL; + if (blob->type != KBX_BLOB_FILE && blob->type != KBX_BLOB_DATA) { + kbx_blob_release(blob); + return NULL; } blob->armored = keyring->data[pos + 1]; - blob->size = buftou32( keyring->data + pos + 2 ); - if( !blob->size ) { - kbx_blob_release( blob ); - return NULL; - } - blob->data = cdk_calloc( 1, blob->size + 1 ); - if( !blob->data ) - return NULL; - memcpy( blob->data, keyring->data + (pos + 6), blob->size ); + blob->size = buftou32(keyring->data + pos + 2); + if (!blob->size) { + kbx_blob_release(blob); + return NULL; + } + blob->data = cdk_calloc(1, blob->size + 1); + if (!blob->data) + return NULL; + memcpy(blob->data, keyring->data + (pos + 6), blob->size); blob->data[blob->size] = '\0'; - + return blob; } @@ -190,91 +195,89 @@ kbx_read_blob( const gnutls_datum* keyring, size_t pos ) * 4 octet size of blob * n octets data */ -static uint8* -kbx_data_to_keyring( int type, int enc, const char *data, - size_t size, size_t *r_size ) +static uint8 *kbx_data_to_keyring(int type, int enc, const char *data, + size_t size, size_t * r_size) { uint8 *p = NULL; - if( !data ) - return NULL; - - p = gnutls_malloc( 1+4+size ); - if( !p ) - return NULL; - p[0] = type; /* type: {keyring,name} */ - p[1] = enc; /* encoded: {plain, armored} */ + if (!data) + return NULL; + + p = gnutls_malloc(1 + 4 + size); + if (!p) + return NULL; + p[0] = type; /* type: {keyring,name} */ + p[1] = enc; /* encoded: {plain, armored} */ p[2] = size >> 24; p[3] = size >> 16; - p[4] = size >> 8; - p[5] = size ; - memcpy( p + 6, data, size ); - if( r_size ) - *r_size = 6 + size; + p[4] = size >> 8; + p[5] = size; + memcpy(p + 6, data, size); + if (r_size) + *r_size = 6 + size; return p; } -cdk_packet_t search_packet( const gnutls_datum *buf, int pkttype ) +cdk_packet_t search_packet(const gnutls_datum * buf, int pkttype) { static cdk_kbnode_t knode = NULL; cdk_packet_t pkt; - if( !buf && !pkttype ) { - cdk_kbnode_release( knode ); - knode = NULL; - return NULL; + if (!buf && !pkttype) { + cdk_kbnode_release(knode); + knode = NULL; + return NULL; } - if( cdk_kbnode_read_from_mem( &knode, buf->data, buf->size ) ) - return NULL; - pkt = cdk_kbnode_find_packet( knode, pkttype ); + if (cdk_kbnode_read_from_mem(&knode, buf->data, buf->size)) + return NULL; + pkt = cdk_kbnode_find_packet(knode, pkttype); return pkt; } static int -openpgp_pk_to_gnutls_cert( gnutls_cert *cert, cdk_pkt_pubkey_t pk ) +openpgp_pk_to_gnutls_cert(gnutls_cert * cert, cdk_pkt_pubkey_t pk) { uint8 buf[512]; size_t nbytes = 0; int algo, i; int rc = 0; - - if( !cert || !pk ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + + if (!cert || !pk) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } /* GnuTLS OpenPGP doesn't support ELG keys */ - if( is_ELG(pk->pubkey_algo) ) - return GNUTLS_E_UNWANTED_ALGORITHM; + if (is_ELG(pk->pubkey_algo)) + return GNUTLS_E_UNWANTED_ALGORITHM; - algo = is_DSA( pk->pubkey_algo )? GNUTLS_PK_DSA : GNUTLS_PK_RSA; + algo = is_DSA(pk->pubkey_algo) ? GNUTLS_PK_DSA : GNUTLS_PK_RSA; cert->subject_pk_algorithm = algo; cert->version = pk->version; cert->cert_type = GNUTLS_CRT_OPENPGP; - if( is_DSA(pk->pubkey_algo) || pk->pubkey_algo == GCRY_PK_RSA_S ) - cert->keyUsage = KEY_DIGITAL_SIGNATURE; - else if( pk->pubkey_algo == GCRY_PK_RSA_E ) - cert->keyUsage = KEY_KEY_ENCIPHERMENT; - else if( pk->pubkey_algo == GCRY_PK_RSA ) - cert->keyUsage = KEY_DIGITAL_SIGNATURE - | KEY_KEY_ENCIPHERMENT; - - cert->params_size = cdk_pk_get_npkey( pk->pubkey_algo ); - for( i = 0; i < cert->params_size; i++ ) { - nbytes = sizeof buf-1; - cdk_pk_get_mpi( pk, i, buf, &nbytes, NULL ); - rc = _gnutls_mpi_scan_pgp( &cert->params[i], buf, &nbytes ); - if( rc ) { - rc = GNUTLS_E_MPI_SCAN_FAILED; - break; - } - } - - if( rc ) - release_mpi_array( cert->params, i-1 ); + if (is_DSA(pk->pubkey_algo) || pk->pubkey_algo == GCRY_PK_RSA_S) + cert->keyUsage = KEY_DIGITAL_SIGNATURE; + else if (pk->pubkey_algo == GCRY_PK_RSA_E) + cert->keyUsage = KEY_KEY_ENCIPHERMENT; + else if (pk->pubkey_algo == GCRY_PK_RSA) + cert->keyUsage = KEY_DIGITAL_SIGNATURE | KEY_KEY_ENCIPHERMENT; + + cert->params_size = cdk_pk_get_npkey(pk->pubkey_algo); + for (i = 0; i < cert->params_size; i++) { + nbytes = sizeof buf - 1; + cdk_pk_get_mpi(pk, i, buf, &nbytes, NULL); + rc = _gnutls_mpi_scan_pgp(&cert->params[i], buf, &nbytes); + if (rc) { + rc = GNUTLS_E_MPI_SCAN_FAILED; + break; + } + } + + if (rc) + release_mpi_array(cert->params, i - 1); return rc; } @@ -289,8 +292,8 @@ openpgp_pk_to_gnutls_cert( gnutls_cert *cert, cdk_pkt_pubkey_t pk ) * This function can read both BASE64 and RAW keys. -*/ int -_gnutls_openpgp_raw_privkey_to_gkey( gnutls_privkey *pkey, - const gnutls_datum *raw_key) +_gnutls_openpgp_raw_privkey_to_gkey(gnutls_privkey * pkey, + const gnutls_datum * raw_key) { cdk_kbnode_t snode; cdk_packet_t pkt; @@ -301,64 +304,64 @@ _gnutls_openpgp_raw_privkey_to_gkey( gnutls_privkey *pkey, uint8 buf[512]; int rc = 0; - if( !pkey || raw_key->size <= 0 ) { - gnutls_assert( ); - return GNUTLS_E_CERTIFICATE_ERROR; + if (!pkey || raw_key->size <= 0) { + gnutls_assert(); + return GNUTLS_E_CERTIFICATE_ERROR; } - out = cdk_stream_tmp( ); - if( !out ) - return GNUTLS_E_CERTIFICATE_ERROR; + out = cdk_stream_tmp(); + if (!out) + return GNUTLS_E_CERTIFICATE_ERROR; - cdk_stream_write( out, raw_key->data, raw_key->size ); - cdk_stream_seek( out, 0 ); + cdk_stream_write(out, raw_key->data, raw_key->size); + cdk_stream_seek(out, 0); - cdk_keydb_get_keyblock( out, &snode ); - if( !snode ) { - rc = GNUTLS_E_OPENPGP_GETKEY_FAILED; - goto leave; + cdk_keydb_get_keyblock(out, &snode); + if (!snode) { + rc = GNUTLS_E_OPENPGP_GETKEY_FAILED; + goto leave; } - pkt = cdk_kbnode_find_packet( snode, CDK_PKT_SECRET_KEY ); - if( !pkt ) { - rc = GNUTLS_E_OPENPGP_GETKEY_FAILED; - goto leave; + pkt = cdk_kbnode_find_packet(snode, CDK_PKT_SECRET_KEY); + if (!pkt) { + rc = GNUTLS_E_OPENPGP_GETKEY_FAILED; + goto leave; } sk = pkt->pkt.secret_key; pke_algo = sk->pk->pubkey_algo; - pkey->params_size = cdk_pk_get_npkey( pke_algo ); - for( i = 0; i < pkey->params_size; i++ ) { - nbytes = sizeof buf -1; - cdk_pk_get_mpi( sk->pk, i, buf, &nbytes, NULL ); - rc = _gnutls_mpi_scan_pgp( &pkey->params[i], buf, &nbytes ); - if( rc ) { - rc = GNUTLS_E_MPI_SCAN_FAILED; - release_mpi_array( pkey->params, i-1 ); - goto leave; - } - } - pkey->params_size += cdk_pk_get_nskey( pke_algo ); - for( j = 0; j < cdk_pk_get_nskey( pke_algo ); j++, i++ ) { - nbytes = sizeof buf-1; - cdk_sk_get_mpi( sk, j, buf, &nbytes, NULL ); - rc = _gnutls_mpi_scan_pgp( &pkey->params[i], buf, &nbytes ); - if ( rc ) { - rc = GNUTLS_E_MPI_SCAN_FAILED; - release_mpi_array( pkey->params, i-1 ); - goto leave; - } - } - - if( is_ELG(pke_algo) ) - return GNUTLS_E_UNWANTED_ALGORITHM; - else if( is_DSA(pke_algo) ) - pkey->pk_algorithm = GNUTLS_PK_DSA; - else if( is_RSA(pke_algo) ) - pkey->pk_algorithm = GNUTLS_PK_RSA; - -leave: - cdk_stream_close( out ); - cdk_kbnode_release( snode ); + pkey->params_size = cdk_pk_get_npkey(pke_algo); + for (i = 0; i < pkey->params_size; i++) { + nbytes = sizeof buf - 1; + cdk_pk_get_mpi(sk->pk, i, buf, &nbytes, NULL); + rc = _gnutls_mpi_scan_pgp(&pkey->params[i], buf, &nbytes); + if (rc) { + rc = GNUTLS_E_MPI_SCAN_FAILED; + release_mpi_array(pkey->params, i - 1); + goto leave; + } + } + pkey->params_size += cdk_pk_get_nskey(pke_algo); + for (j = 0; j < cdk_pk_get_nskey(pke_algo); j++, i++) { + nbytes = sizeof buf - 1; + cdk_sk_get_mpi(sk, j, buf, &nbytes, NULL); + rc = _gnutls_mpi_scan_pgp(&pkey->params[i], buf, &nbytes); + if (rc) { + rc = GNUTLS_E_MPI_SCAN_FAILED; + release_mpi_array(pkey->params, i - 1); + goto leave; + } + } + + if (is_ELG(pke_algo)) + return GNUTLS_E_UNWANTED_ALGORITHM; + else if (is_DSA(pke_algo)) + pkey->pk_algorithm = GNUTLS_PK_DSA; + else if (is_RSA(pke_algo)) + pkey->pk_algorithm = GNUTLS_PK_RSA; + + leave: + cdk_stream_close(out); + cdk_kbnode_release(snode); return rc; } @@ -372,32 +375,33 @@ leave: * specific certificate. -*/ int -_gnutls_openpgp_raw_key_to_gcert( gnutls_cert *cert, const gnutls_datum *raw ) +_gnutls_openpgp_raw_key_to_gcert(gnutls_cert * cert, + const gnutls_datum * raw) { cdk_kbnode_t knode = NULL; cdk_packet_t pkt = NULL; int rc; - - if( !cert ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + + if (!cert) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - memset( cert, 0, sizeof *cert ); + memset(cert, 0, sizeof *cert); - rc = cdk_kbnode_read_from_mem( &knode, raw->data, raw->size ); - if( !(rc = _gnutls_map_cdk_rc( rc )) ) - pkt = cdk_kbnode_find_packet( knode, CDK_PKT_PUBLIC_KEY ); - if( !pkt ) { - gnutls_assert(); - rc = _gnutls_map_cdk_rc( rc); + rc = cdk_kbnode_read_from_mem(&knode, raw->data, raw->size); + if (!(rc = _gnutls_map_cdk_rc(rc))) + pkt = cdk_kbnode_find_packet(knode, CDK_PKT_PUBLIC_KEY); + if (!pkt) { + gnutls_assert(); + rc = _gnutls_map_cdk_rc(rc); } - if( !rc ) - rc = _gnutls_set_datum( &cert->raw, raw->data, raw->size ); - if( !rc ) - rc = openpgp_pk_to_gnutls_cert( cert, pkt->pkt.public_key ); + if (!rc) + rc = _gnutls_set_datum(&cert->raw, raw->data, raw->size); + if (!rc) + rc = openpgp_pk_to_gnutls_cert(cert, pkt->pkt.public_key); - cdk_kbnode_release( knode ); + cdk_kbnode_release(knode); return rc; } @@ -413,93 +417,90 @@ _gnutls_openpgp_raw_key_to_gcert( gnutls_cert *cert, const gnutls_datum *raw ) * from a binary or a file keyring. -*/ int -gnutls_openpgp_get_key( gnutls_datum *key, const gnutls_datum *keyring, - key_attr_t by, opaque *pattern ) +gnutls_openpgp_get_key(gnutls_datum * key, const gnutls_datum * keyring, + key_attr_t by, opaque * pattern) { keybox_blob *blob = NULL; cdk_keydb_hd_t hd = NULL; cdk_kbnode_t knode = NULL; unsigned long keyid[2]; unsigned char *buf; - void * desc; + void *desc; size_t len; int rc = 0; - - if( !key || !keyring || by == KEY_ATTR_NONE ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; - } - memset( key, 0, sizeof *key ); - blob = kbx_read_blob( keyring, 0 ); - if( !blob ) - return GNUTLS_E_MEMORY_ERROR; - hd = kbx_to_keydb( blob ); - - if( by == KEY_ATTR_SHORT_KEYID ) { - keyid[0] = buftou32( pattern ); - desc = keyid; + if (!key || !keyring || by == KEY_ATTR_NONE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - else if( by == KEY_ATTR_KEYID ) { - keyid[0] = buftou32( pattern ); - keyid[1] = buftou32( pattern + 4 ); - desc = keyid; + + memset(key, 0, sizeof *key); + blob = kbx_read_blob(keyring, 0); + if (!blob) + return GNUTLS_E_MEMORY_ERROR; + hd = kbx_to_keydb(blob); + + if (by == KEY_ATTR_SHORT_KEYID) { + keyid[0] = buftou32(pattern); + desc = keyid; + } else if (by == KEY_ATTR_KEYID) { + keyid[0] = buftou32(pattern); + keyid[1] = buftou32(pattern + 4); + desc = keyid; + } else + desc = pattern; + rc = cdk_keydb_search_start(hd, by, desc); + if (rc) { + rc = _gnutls_map_cdk_rc(rc); + goto leave; } - else - desc = pattern; - rc = cdk_keydb_search_start( hd, by, desc ); - if( rc ) { - rc = _gnutls_map_cdk_rc( rc ); - goto leave; + + rc = cdk_keydb_search(hd, &knode); + if (rc) { + rc = _gnutls_map_cdk_rc(rc); + goto leave; } - - rc = cdk_keydb_search( hd, &knode ); - if( rc ) { - rc = _gnutls_map_cdk_rc( rc ); - goto leave; - } - if( !cdk_kbnode_find( knode, CDK_PKT_PUBLIC_KEY ) ) { - rc = GNUTLS_E_OPENPGP_GETKEY_FAILED; - goto leave; + if (!cdk_kbnode_find(knode, CDK_PKT_PUBLIC_KEY)) { + rc = GNUTLS_E_OPENPGP_GETKEY_FAILED; + goto leave; } len = 20000; - buf = cdk_calloc (1, len + 1); - rc = cdk_kbnode_write_to_mem( knode, buf, &len ); - if( !rc ) - datum_append( key, buf, len ); - cdk_free( buf ); - -leave: - cdk_free( hd ); - cdk_kbnode_release( knode ); - kbx_blob_release( blob ); + buf = cdk_calloc(1, len + 1); + rc = cdk_kbnode_write_to_mem(knode, buf, &len); + if (!rc) + datum_append(key, buf, len); + cdk_free(buf); + + leave: + cdk_free(hd); + cdk_kbnode_release(knode); + kbx_blob_release(blob); return rc; } -static int -stream_to_datum( cdk_stream_t inp, gnutls_datum *raw ) +static int stream_to_datum(cdk_stream_t inp, gnutls_datum * raw) { uint8 buf[4096]; int rc = 0, nread, nbytes = 0; - - if( !buf || !raw ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + + if (!buf || !raw) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - cdk_stream_seek( inp, 0 ); - while( !cdk_stream_eof( inp ) ) { - nread = cdk_stream_read( inp, buf, sizeof buf-1 ); - if( nread == EOF ) - break; - datum_append( raw, buf, nread ); - nbytes += nread; + cdk_stream_seek(inp, 0); + while (!cdk_stream_eof(inp)) { + nread = cdk_stream_read(inp, buf, sizeof buf - 1); + if (nread == EOF) + break; + datum_append(raw, buf, nread); + nbytes += nread; } - cdk_stream_seek( inp, 0 ); - if( !nbytes ) - rc = GNUTLS_E_INTERNAL_ERROR; + cdk_stream_seek(inp, 0); + if (!nbytes) + rc = GNUTLS_E_INTERNAL_ERROR; return rc; } @@ -517,8 +518,9 @@ stream_to_datum( cdk_stream_t inp, gnutls_datum *raw ) * should only contain one key which should not be encrypted. **/ int -gnutls_certificate_set_openpgp_key_mem( gnutls_certificate_credentials res, - const gnutls_datum *cert, const gnutls_datum *key ) +gnutls_certificate_set_openpgp_key_mem(gnutls_certificate_credentials res, + const gnutls_datum * cert, + const gnutls_datum * key) { gnutls_datum raw; cdk_kbnode_t knode = NULL, ctx = NULL, p; @@ -526,115 +528,121 @@ gnutls_certificate_set_openpgp_key_mem( gnutls_certificate_credentials res, int i = 0; int rc = 0; cdk_stream_t inp = NULL; - - if ( !res || !key || !cert ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + + if (!res || !key || !cert) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - inp = cdk_stream_tmp_from_mem( cert->data, cert->size); + inp = cdk_stream_tmp_from_mem(cert->data, cert->size); if (inp == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - - if( cdk_armor_filter_use( inp ) ) { - cdk_stream_set_armor_flag( inp, 0 ); + + if (cdk_armor_filter_use(inp)) { + cdk_stream_set_armor_flag(inp, 0); } res->cert_list = gnutls_realloc_fast(res->cert_list, - (1+res->ncerts)*sizeof(gnutls_cert*)); + (1 + + res->ncerts) * + sizeof(gnutls_cert *)); if (res->cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } res->cert_list_length = gnutls_realloc_fast(res->cert_list_length, - (1+res->ncerts)*sizeof(int)); + (1 + + res->ncerts) * + sizeof(int)); if (res->cert_list_length == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } res->cert_list[res->ncerts] = gnutls_calloc(1, sizeof(gnutls_cert)); if (res->cert_list[res->ncerts] == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } i = 1; - rc = cdk_keydb_get_keyblock( inp, &knode ); - - while( knode && (p = cdk_kbnode_walk( knode, &ctx, 0 )) ) { - pkt = cdk_kbnode_get_packet( p ); - if( i > MAX_PUBLIC_PARAMS_SIZE ) { - gnutls_assert(); - break; - } - if( pkt->pkttype == CDK_PKT_PUBLIC_KEY ) { - int n = res->ncerts; - - cdk_pkt_pubkey_t pk = pkt->pkt.public_key; - res->cert_list_length[n] = 1; - - if (stream_to_datum( inp, &res->cert_list[n][0].raw )) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - openpgp_pk_to_gnutls_cert( &res->cert_list[n][0], pk ); - i++; - } - } - - if( rc == CDK_EOF && i > 1) - rc = 0; - - cdk_stream_close( inp ); - + rc = cdk_keydb_get_keyblock(inp, &knode); + + while (knode && (p = cdk_kbnode_walk(knode, &ctx, 0))) { + pkt = cdk_kbnode_get_packet(p); + if (i > MAX_PUBLIC_PARAMS_SIZE) { + gnutls_assert(); + break; + } + if (pkt->pkttype == CDK_PKT_PUBLIC_KEY) { + int n = res->ncerts; + + cdk_pkt_pubkey_t pk = pkt->pkt.public_key; + res->cert_list_length[n] = 1; + + if (stream_to_datum(inp, &res->cert_list[n][0].raw)) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + openpgp_pk_to_gnutls_cert(&res->cert_list[n][0], pk); + i++; + } + } + + if (rc == CDK_EOF && i > 1) + rc = 0; + + cdk_stream_close(inp); + if (rc) { - cdk_kbnode_release( knode ); - gnutls_assert(); - rc = _gnutls_map_cdk_rc( rc ); - goto leave; - } - + cdk_kbnode_release(knode); + gnutls_assert(); + rc = _gnutls_map_cdk_rc(rc); + goto leave; + } + res->ncerts++; res->pkey = gnutls_realloc_fast(res->pkey, - (res->ncerts)*sizeof(gnutls_privkey)); - if( !res->pkey ) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + (res->ncerts) * + sizeof(gnutls_privkey)); + if (!res->pkey) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } /* ncerts has been incremented before */ - inp = cdk_stream_tmp_from_mem( key->data, key->size); + inp = cdk_stream_tmp_from_mem(key->data, key->size); if (inp == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - if( cdk_armor_filter_use( inp ) ) - cdk_stream_set_armor_flag( inp, 0 ); - - memset( &raw, 0, sizeof raw ); - - if (stream_to_datum( inp, &raw )) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - cdk_stream_close( inp ); - - rc = _gnutls_openpgp_raw_privkey_to_gkey( &res->pkey[res->ncerts-1], &raw); + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (cdk_armor_filter_use(inp)) + cdk_stream_set_armor_flag(inp, 0); + + memset(&raw, 0, sizeof raw); + + if (stream_to_datum(inp, &raw)) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + cdk_stream_close(inp); + + rc = _gnutls_openpgp_raw_privkey_to_gkey(&res->pkey[res->ncerts - 1], + &raw); if (rc) { - gnutls_assert(); + gnutls_assert(); } _gnutls_free_datum(&raw); -leave: - cdk_kbnode_release( knode ); - + leave: + cdk_kbnode_release(knode); + return rc; } @@ -650,80 +658,78 @@ leave: * should only contain one key which should not be encrypted. **/ int -gnutls_certificate_set_openpgp_key_file( gnutls_certificate_credentials res, - const char* certfile, - const char* keyfile ) +gnutls_certificate_set_openpgp_key_file(gnutls_certificate_credentials res, + const char *certfile, + const char *keyfile) { struct stat statbuf; int rc = 0; gnutls_datum key, cert; strfile xcert, xkey; - if( !res || !keyfile || !certfile ) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (!res || !keyfile || !certfile) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - if( stat( certfile, &statbuf ) || stat( keyfile, &statbuf ) ) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; + if (stat(certfile, &statbuf) || stat(keyfile, &statbuf)) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; } - xcert = _gnutls_file_to_str( certfile); + xcert = _gnutls_file_to_str(certfile); if (xcert.data == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; } - xkey = _gnutls_file_to_str( keyfile); + xkey = _gnutls_file_to_str(keyfile); if (xkey.data == NULL) { - gnutls_assert(); - _gnutls_strfile_free(&xcert); - return GNUTLS_E_FILE_ERROR; + gnutls_assert(); + _gnutls_strfile_free(&xcert); + return GNUTLS_E_FILE_ERROR; } - + key.data = xkey.data; key.size = xkey.size; - + cert.data = xcert.data; cert.size = xcert.size; - rc = gnutls_certificate_set_openpgp_key_mem( res, - &cert, &key); + rc = gnutls_certificate_set_openpgp_key_mem(res, &cert, &key); _gnutls_strfile_free(&xcert); _gnutls_strfile_free(&xkey); - + if (rc < 0) { - gnutls_assert(); - return rc; + gnutls_assert(); + return rc; } return 0; } -int -gnutls_openpgp_count_key_names( const gnutls_datum *cert ) +int gnutls_openpgp_count_key_names(const gnutls_datum * cert) { cdk_kbnode_t knode, p, ctx = NULL; cdk_packet_t pkt; int nuids = 0; - if( cert == NULL ) { - gnutls_assert(); - return 0; + if (cert == NULL) { + gnutls_assert(); + return 0; } - if( cdk_kbnode_read_from_mem( &knode, cert->data, cert->size ) ) { - gnutls_assert(); - return 0; + if (cdk_kbnode_read_from_mem(&knode, cert->data, cert->size)) { + gnutls_assert(); + return 0; } - while( (p = cdk_kbnode_walk( knode, &ctx, 0 )) ) { - pkt = cdk_kbnode_get_packet( p ); - if( pkt->pkttype == CDK_PKT_USER_ID ) - nuids++; + while ((p = cdk_kbnode_walk(knode, &ctx, 0))) { + pkt = cdk_kbnode_get_packet(p); + if (pkt->pkttype == CDK_PKT_USER_ID) + nuids++; } - + return nuids; } @@ -741,33 +747,33 @@ gnutls_openpgp_count_key_names( const gnutls_datum *cert ) * is needed for an operations. -*/ int -gnutls_openpgp_add_keyring_file(gnutls_datum *keyring, const char *name) +gnutls_openpgp_add_keyring_file(gnutls_datum * keyring, const char *name) { cdk_stream_t inp = NULL; uint8 *blob; size_t nbytes; int enc = 0; int rc = 0; - - if( !keyring || !name ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; - } - - rc = cdk_stream_open( name, &inp ); - if( rc ) - return _gnutls_map_cdk_rc( rc ); - enc = cdk_armor_filter_use( inp ); - cdk_stream_close( inp ); - - blob = kbx_data_to_keyring( KBX_BLOB_FILE, enc, name, - strlen( name ), &nbytes); - if( blob && nbytes ) { - if ( datum_append( keyring, blob, nbytes ) < 0 ) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - gnutls_free( blob ); + + if (!keyring || !name) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + rc = cdk_stream_open(name, &inp); + if (rc) + return _gnutls_map_cdk_rc(rc); + enc = cdk_armor_filter_use(inp); + cdk_stream_close(inp); + + blob = kbx_data_to_keyring(KBX_BLOB_FILE, enc, name, + strlen(name), &nbytes); + if (blob && nbytes) { + if (datum_append(keyring, blob, nbytes) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + gnutls_free(blob); } return 0; } @@ -783,26 +789,26 @@ gnutls_openpgp_add_keyring_file(gnutls_datum *keyring, const char *name) * data instead of the filename. -*/ int -gnutls_openpgp_add_keyring_mem(gnutls_datum *keyring, - const void *data, size_t len) +gnutls_openpgp_add_keyring_mem(gnutls_datum * keyring, + const void *data, size_t len) { uint8 *blob; size_t nbytes = 0; - - if( !keyring || !data || !len ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; - } - - blob = kbx_data_to_keyring( KBX_BLOB_DATA, 0, data, len, &nbytes ); - if( blob && nbytes ) { - if ( datum_append( keyring, blob, nbytes ) < 0 ) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - gnutls_free( blob ); - } - + + if (!keyring || !data || !len) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + blob = kbx_data_to_keyring(KBX_BLOB_DATA, 0, data, len, &nbytes); + if (blob && nbytes) { + if (datum_append(keyring, blob, nbytes) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + gnutls_free(blob); + } + return 0; } @@ -818,60 +824,61 @@ gnutls_openpgp_add_keyring_mem(gnutls_datum *keyring, * **/ int -gnutls_certificate_set_openpgp_keyring_file( gnutls_certificate_credentials c, - const char *file ) +gnutls_certificate_set_openpgp_keyring_file(gnutls_certificate_credentials + c, const char *file) { struct stat statbuf; - - if( !c || !file ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + + if (!c || !file) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - if( stat( file, &statbuf ) ) - return GNUTLS_E_FILE_ERROR; + if (stat(file, &statbuf)) + return GNUTLS_E_FILE_ERROR; - return gnutls_openpgp_add_keyring_file( &c->keyring, file ); + return gnutls_openpgp_add_keyring_file(&c->keyring, file); } int -gnutls_certificate_set_openpgp_keyring_mem( gnutls_certificate_credentials c, - const opaque *data, size_t dlen ) +gnutls_certificate_set_openpgp_keyring_mem(gnutls_certificate_credentials + c, const opaque * data, + size_t dlen) { cdk_stream_t inp; size_t count; uint8 *buf; int rc = 0; - - if( !c || !data || !dlen ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + + if (!c || !data || !dlen) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - inp = cdk_stream_tmp_from_mem( data, dlen ); - if( !inp ) - return GNUTLS_E_FILE_ERROR; - + inp = cdk_stream_tmp_from_mem(data, dlen); + if (!inp) + return GNUTLS_E_FILE_ERROR; + /* Maybe it's a little confusing that we check the output.. but it's possible, that the data we want to add, is armored and we only want to store plaintext keyring data. */ - if( cdk_armor_filter_use( inp ) ) - cdk_stream_set_armor_flag( inp, 0 ); + if (cdk_armor_filter_use(inp)) + cdk_stream_set_armor_flag(inp, 0); /* fixme: this is possible the armored length. */ - count = cdk_stream_get_length( inp ); - buf = gnutls_malloc( count + 1 ); - if( !buf ) { - gnutls_assert(); - cdk_stream_close( inp ); - return GNUTLS_E_MEMORY_ERROR; + count = cdk_stream_get_length(inp); + buf = gnutls_malloc(count + 1); + if (!buf) { + gnutls_assert(); + cdk_stream_close(inp); + return GNUTLS_E_MEMORY_ERROR; } - count = cdk_stream_read( inp, buf, count ); - buf[count] = '\0'; - rc = gnutls_openpgp_add_keyring_mem( &c->keyring, buf, count ); - cdk_stream_close( inp ); + count = cdk_stream_read(inp, buf, count); + buf[count] = '\0'; + rc = gnutls_openpgp_add_keyring_mem(&c->keyring, buf, count); + cdk_stream_close(inp); return rc; } @@ -888,36 +895,36 @@ gnutls_certificate_set_openpgp_keyring_mem( gnutls_certificate_credentials c, * -*/ int -_gnutls_openpgp_request_key( gnutls_session session, gnutls_datum* ret, - const gnutls_certificate_credentials cred, - opaque* key_fpr, - int key_fpr_size) +_gnutls_openpgp_request_key(gnutls_session session, gnutls_datum * ret, + const gnutls_certificate_credentials cred, + opaque * key_fpr, int key_fpr_size) { int rc = 0; - if( !ret || !cred || !key_fpr ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!ret || !cred || !key_fpr) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - - if( key_fpr_size != 16 && key_fpr_size != 20 ) - return GNUTLS_E_HASH_FAILED; /* only MD5 and SHA1 are supported */ - - rc = gnutls_openpgp_get_key( ret, &cred->keyring, KEY_ATTR_FPR, key_fpr ); - if( rc >= 0 ) /* key was found */ - return rc; - else rc = GNUTLS_E_OPENPGP_GETKEY_FAILED; + + if (key_fpr_size != 16 && key_fpr_size != 20) + return GNUTLS_E_HASH_FAILED; /* only MD5 and SHA1 are supported */ + + rc = gnutls_openpgp_get_key(ret, &cred->keyring, KEY_ATTR_FPR, + key_fpr); + if (rc >= 0) /* key was found */ + return rc; + else + rc = GNUTLS_E_OPENPGP_GETKEY_FAILED; /* If the callback function was set, then try this one. */ - if( session->internals.openpgp_recv_key_func != NULL ) { - rc = session->internals.openpgp_recv_key_func( session, - key_fpr, - key_fpr_size, - ret); - if( rc < 0 ) { - gnutls_assert(); - return GNUTLS_E_OPENPGP_GETKEY_FAILED; + if (session->internals.openpgp_recv_key_func != NULL) { + rc = session->internals.openpgp_recv_key_func(session, + key_fpr, + key_fpr_size, ret); + if (rc < 0) { + gnutls_assert(); + return GNUTLS_E_OPENPGP_GETKEY_FAILED; } } @@ -938,25 +945,25 @@ _gnutls_openpgp_request_key( gnutls_session session, gnutls_datum* ret, * **/ int -gnutls_certificate_set_openpgp_keyserver(gnutls_certificate_credentials res, - const char* keyserver, - int port) +gnutls_certificate_set_openpgp_keyserver(gnutls_certificate_credentials + res, const char *keyserver, + int port) { - if( !res || !keyserver ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; - } - - if( !port ) - port = 11371; - - gnutls_free( res->pgp_key_server); - res->pgp_key_server = gnutls_strdup( keyserver ); - if( !res->pgp_key_server ) - return GNUTLS_E_MEMORY_ERROR; + if (!res || !keyserver) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (!port) + port = 11371; + + gnutls_free(res->pgp_key_server); + res->pgp_key_server = gnutls_strdup(keyserver); + if (!res->pgp_key_server) + return GNUTLS_E_MEMORY_ERROR; res->pgp_key_server_port = port; - return 0; + return 0; } @@ -970,24 +977,24 @@ gnutls_certificate_set_openpgp_keyserver(gnutls_certificate_credentials res, * **/ int -gnutls_certificate_set_openpgp_trustdb( gnutls_certificate_credentials res, - const char* trustdb ) +gnutls_certificate_set_openpgp_trustdb(gnutls_certificate_credentials res, + const char *trustdb) { - if( !res || !trustdb ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!res || !trustdb) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } /* the old v2 format was used with 1.0.6, do we still need to check it now because GPG 1.0.7, 1.2.0, 1.2.1 and even 1.3.0 is out? */ - - gnutls_free( res->pgp_trustdb); - res->pgp_trustdb = gnutls_strdup( trustdb ); - if( res->pgp_trustdb==NULL ) - return GNUTLS_E_MEMORY_ERROR; - + + gnutls_free(res->pgp_trustdb); + res->pgp_trustdb = gnutls_strdup(trustdb); + if (res->pgp_trustdb == NULL) + return GNUTLS_E_MEMORY_ERROR; + return 0; -} +} /** * gnutls_openpgp_set_recv_key_function - Used to set a key retrieval callback for PGP keys @@ -999,81 +1006,88 @@ gnutls_certificate_set_openpgp_trustdb( gnutls_certificate_credentials res, * sent a key fingerprint instead of a full key. * **/ -void gnutls_openpgp_set_recv_key_function( gnutls_session session, - gnutls_openpgp_recv_key_func func ) +void gnutls_openpgp_set_recv_key_function(gnutls_session session, + gnutls_openpgp_recv_key_func + func) { session->internals.openpgp_recv_key_func = func; } /* Copies a gnutls_openpgp_privkey to a gnutls_privkey structure. */ -int _gnutls_openpgp_privkey_to_gkey( gnutls_privkey* dest, gnutls_openpgp_privkey src) +int _gnutls_openpgp_privkey_to_gkey(gnutls_privkey * dest, + gnutls_openpgp_privkey src) { -int i, ret; + int i, ret; - memset( dest, 0, sizeof(gnutls_privkey)); + memset(dest, 0, sizeof(gnutls_privkey)); - for(i=0;i<src->pkey.params_size;i++) { - dest->params[i] = _gnutls_mpi_copy( src->pkey.params[i]); - if (dest->params[i] == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } + for (i = 0; i < src->pkey.params_size; i++) { + dest->params[i] = _gnutls_mpi_copy(src->pkey.params[i]); + if (dest->params[i] == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; } - - dest->pk_algorithm = src->pkey.pk_algorithm; - dest->params_size = src->pkey.params_size; + } - return 0; - -cleanup: - for (i=0;i<src->pkey.params_size;i++) { - _gnutls_mpi_release( &dest->params[i]); - } - return ret; + dest->pk_algorithm = src->pkey.pk_algorithm; + dest->params_size = src->pkey.params_size; + + return 0; + + cleanup: + for (i = 0; i < src->pkey.params_size; i++) { + _gnutls_mpi_release(&dest->params[i]); + } + return ret; } /* Converts a parsed gnutls_openpgp_key to a gnutls_cert structure. */ -int _gnutls_openpgp_key_to_gcert(gnutls_cert * gcert, gnutls_openpgp_key cert) +int _gnutls_openpgp_key_to_gcert(gnutls_cert * gcert, + gnutls_openpgp_key cert) { - int ret = 0; - opaque* der; - size_t der_size = 0; - gnutls_datum raw; - - memset(gcert, 0, sizeof(gnutls_cert)); - gcert->cert_type = GNUTLS_CRT_OPENPGP; - - - ret = gnutls_openpgp_key_export( cert, GNUTLS_OPENPGP_FMT_RAW, NULL, &der_size); - if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - return ret; - } - - der = gnutls_malloc( der_size); - if (der == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + int ret = 0; + opaque *der; + size_t der_size = 0; + gnutls_datum raw; - ret = gnutls_openpgp_key_export( cert, GNUTLS_OPENPGP_FMT_RAW, der, &der_size); - if (ret < 0) { - gnutls_assert(); - gnutls_free(der); - return ret; - } + memset(gcert, 0, sizeof(gnutls_cert)); + gcert->cert_type = GNUTLS_CRT_OPENPGP; - raw.data = der; - raw.size = der_size; - ret = _gnutls_openpgp_raw_key_to_gcert( gcert, &raw); - + ret = + gnutls_openpgp_key_export(cert, GNUTLS_OPENPGP_FMT_RAW, NULL, + &der_size); + if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + return ret; + } + + der = gnutls_malloc(der_size); + if (der == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = + gnutls_openpgp_key_export(cert, GNUTLS_OPENPGP_FMT_RAW, der, + &der_size); + if (ret < 0) { + gnutls_assert(); gnutls_free(der); - - return 0; + return ret; + } + + raw.data = der; + raw.size = der_size; + + ret = _gnutls_openpgp_raw_key_to_gcert(gcert, &raw); + + gnutls_free(der); + + return 0; } @@ -1089,56 +1103,60 @@ int _gnutls_openpgp_key_to_gcert(gnutls_cert * gcert, gnutls_openpgp_key cert) * server). * **/ -int gnutls_certificate_set_openpgp_key(gnutls_certificate_credentials res, - gnutls_openpgp_key key, - gnutls_openpgp_privkey pkey) +int gnutls_certificate_set_openpgp_key(gnutls_certificate_credentials res, + gnutls_openpgp_key key, + gnutls_openpgp_privkey pkey) { - int ret; + int ret; - /* this should be first - */ - - res->pkey = gnutls_realloc_fast( res->pkey, (res->ncerts+1)*sizeof(gnutls_privkey)); - if (res->pkey==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + /* this should be first + */ - ret = _gnutls_openpgp_privkey_to_gkey( &res->pkey[res->ncerts], pkey); - if (ret < 0) { - gnutls_assert(); - return ret; - } + res->pkey = + gnutls_realloc_fast(res->pkey, + (res->ncerts + 1) * sizeof(gnutls_privkey)); + if (res->pkey == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - res->cert_list = gnutls_realloc_fast( res->cert_list, - (1+ res->ncerts)*sizeof(gnutls_cert*)); - if ( res->cert_list==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + ret = _gnutls_openpgp_privkey_to_gkey(&res->pkey[res->ncerts], pkey); + if (ret < 0) { + gnutls_assert(); + return ret; + } - res->cert_list_length = gnutls_realloc_fast( res->cert_list_length, - (1+ res->ncerts)*sizeof(int)); - if (res->cert_list_length==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + res->cert_list = gnutls_realloc_fast(res->cert_list, + (1 + + res->ncerts) * + sizeof(gnutls_cert *)); + if (res->cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - res->cert_list[res->ncerts] = NULL; /* for realloc */ - res->cert_list_length[res->ncerts] = 1; + res->cert_list_length = gnutls_realloc_fast(res->cert_list_length, + (1 + + res->ncerts) * + sizeof(int)); + if (res->cert_list_length == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - ret = _gnutls_openpgp_key_to_gcert( res->cert_list[res->ncerts], key); - if ( ret < 0) { - gnutls_assert(); - return ret; - } + res->cert_list[res->ncerts] = NULL; /* for realloc */ + res->cert_list_length[res->ncerts] = 1; - res->ncerts++; - - /* FIXME: Check if the keys match. - */ + ret = _gnutls_openpgp_key_to_gcert(res->cert_list[res->ncerts], key); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; -} + res->ncerts++; + /* FIXME: Check if the keys match. + */ + return 0; +} diff --git a/libextra/gnutls_openssl.c b/libextra/gnutls_openssl.c index 31155e18eb..2270b95b93 100644 --- a/libextra/gnutls_openssl.c +++ b/libextra/gnutls_openssl.c @@ -48,32 +48,33 @@ void OpenSSL_add_all_algorithms(void) /* SSL_CTX structure handling */ -SSL_CTX *SSL_CTX_new(SSL_METHOD *method) +SSL_CTX *SSL_CTX_new(SSL_METHOD * method) { SSL_CTX *ctx; - - ctx = (SSL_CTX *)calloc(1, sizeof(SSL_CTX)); + + ctx = (SSL_CTX *) calloc(1, sizeof(SSL_CTX)); ctx->method = method; return ctx; } -void SSL_CTX_free(SSL_CTX *ctx) +void SSL_CTX_free(SSL_CTX * ctx) { free(ctx->method); free(ctx); } -int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) +int SSL_CTX_set_default_verify_paths(SSL_CTX * ctx) { return 0; } -int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *certfile, int type) +int SSL_CTX_use_certificate_file(SSL_CTX * ctx, const char *certfile, + int type) { - ctx->certfile = (char *)calloc(1, strlen(certfile)+1); + ctx->certfile = (char *) calloc(1, strlen(certfile) + 1); if (!ctx->certfile) - return -1; + return -1; memcpy(ctx->certfile, certfile, strlen(certfile)); ctx->certfile_type = type; @@ -81,11 +82,12 @@ int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *certfile, int type) return 1; } -int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *keyfile, int type) +int SSL_CTX_use_PrivateKey_file(SSL_CTX * ctx, const char *keyfile, + int type) { - ctx->keyfile = (char *)calloc(1, strlen(keyfile)+1); + ctx->keyfile = (char *) calloc(1, strlen(keyfile) + 1); if (!ctx->keyfile) - return -1; + return -1; memcpy(ctx->keyfile, keyfile, strlen(keyfile)); ctx->keyfile_type = type; @@ -94,24 +96,24 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *keyfile, int type) } -void SSL_CTX_set_verify(SSL_CTX *ctx, int verify_mode, - int (*verify_callback)(int, X509_STORE_CTX *)) +void SSL_CTX_set_verify(SSL_CTX * ctx, int verify_mode, + int (*verify_callback) (int, X509_STORE_CTX *)) { ctx->verify_mode = verify_mode; ctx->verify_callback = verify_callback; } -unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long options) +unsigned long SSL_CTX_set_options(SSL_CTX * ctx, unsigned long options) { return (ctx->options |= options); } -long SSL_CTX_set_mode(SSL_CTX *ctx, long mode) +long SSL_CTX_set_mode(SSL_CTX * ctx, long mode) { return 0; } -int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *list) +int SSL_CTX_set_cipher_list(SSL_CTX * ctx, const char *list) { /* FIXME: ignore this for the moment */ /* We're going to have to parse the "list" string to do this */ @@ -125,52 +127,52 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *list) /* SSL_CTX statistics */ -long SSL_CTX_sess_number(SSL_CTX *ctx) +long SSL_CTX_sess_number(SSL_CTX * ctx) { return 0; } -long SSL_CTX_sess_connect(SSL_CTX *ctx) +long SSL_CTX_sess_connect(SSL_CTX * ctx) { return 0; } -long SSL_CTX_sess_connect_good(SSL_CTX *ctx) +long SSL_CTX_sess_connect_good(SSL_CTX * ctx) { return 0; } -long SSL_CTX_sess_connect_renegotiate(SSL_CTX *ctx) +long SSL_CTX_sess_connect_renegotiate(SSL_CTX * ctx) { return 0; } -long SSL_CTX_sess_accept(SSL_CTX *ctx) +long SSL_CTX_sess_accept(SSL_CTX * ctx) { return 0; } -long SSL_CTX_sess_accept_good(SSL_CTX *ctx) +long SSL_CTX_sess_accept_good(SSL_CTX * ctx) { return 0; } -long SSL_CTX_sess_accept_renegotiate(SSL_CTX *ctx) +long SSL_CTX_sess_accept_renegotiate(SSL_CTX * ctx) { return 0; } -long SSL_CTX_sess_hits(SSL_CTX *ctx) +long SSL_CTX_sess_hits(SSL_CTX * ctx) { return 0; } -long SSL_CTX_sess_misses(SSL_CTX *ctx) +long SSL_CTX_sess_misses(SSL_CTX * ctx) { return 0; } -long SSL_CTX_sess_timeouts(SSL_CTX *ctx) +long SSL_CTX_sess_timeouts(SSL_CTX * ctx) { return 0; } @@ -179,51 +181,56 @@ long SSL_CTX_sess_timeouts(SSL_CTX *ctx) /* SSL structure handling */ -SSL *SSL_new(SSL_CTX *ctx) +SSL *SSL_new(SSL_CTX * ctx) { SSL *ssl; int err; - ssl = (SSL *)calloc(1, sizeof(SSL)); + ssl = (SSL *) calloc(1, sizeof(SSL)); if (!ssl) - return NULL; + return NULL; err = gnutls_certificate_allocate_credentials(&ssl->gnutls_cred); - if (err < 0) - { - last_error = err; - free(ssl); - return NULL; + if (err < 0) { + last_error = err; + free(ssl); + return NULL; } gnutls_init(&ssl->gnutls_state, ctx->method->connend); - gnutls_protocol_set_priority (ssl->gnutls_state, ctx->method->protocol_priority); - gnutls_cipher_set_priority (ssl->gnutls_state, ctx->method->cipher_priority); - gnutls_compression_set_priority (ssl->gnutls_state, ctx->method->comp_priority); - gnutls_kx_set_priority (ssl->gnutls_state, ctx->method->kx_priority); - gnutls_mac_set_priority (ssl->gnutls_state, ctx->method->mac_priority); - - gnutls_credentials_set (ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE, ssl->gnutls_cred); + gnutls_protocol_set_priority(ssl->gnutls_state, + ctx->method->protocol_priority); + gnutls_cipher_set_priority(ssl->gnutls_state, + ctx->method->cipher_priority); + gnutls_compression_set_priority(ssl->gnutls_state, + ctx->method->comp_priority); + gnutls_kx_set_priority(ssl->gnutls_state, ctx->method->kx_priority); + gnutls_mac_set_priority(ssl->gnutls_state, ctx->method->mac_priority); + + gnutls_credentials_set(ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE, + ssl->gnutls_cred); if (ctx->certfile) - gnutls_certificate_set_x509_trust_file(ssl->gnutls_cred, ctx->certfile, - ctx->certfile_type); + gnutls_certificate_set_x509_trust_file(ssl->gnutls_cred, + ctx->certfile, + ctx->certfile_type); if (ctx->keyfile) - gnutls_certificate_set_x509_key_file(ssl->gnutls_cred, ctx->certfile, - ctx->keyfile, ctx->keyfile_type); + gnutls_certificate_set_x509_key_file(ssl->gnutls_cred, + ctx->certfile, ctx->keyfile, + ctx->keyfile_type); ssl->ctx = ctx; ssl->verify_mode = ctx->verify_mode; ssl->verify_callback = ctx->verify_callback; ssl->options = ctx->options; - ssl->rfd = (gnutls_transport_ptr)-1; - ssl->wfd = (gnutls_transport_ptr)-1; + ssl->rfd = (gnutls_transport_ptr) - 1; + ssl->wfd = (gnutls_transport_ptr) - 1; return ssl; } -void SSL_free(SSL *ssl) +void SSL_free(SSL * ssl) { gnutls_certificate_free_credentials(ssl->gnutls_cred); gnutls_deinit(ssl->gnutls_state); @@ -234,76 +241,76 @@ void SSL_load_error_strings(void) { } -int SSL_get_error(SSL *ssl, int ret) +int SSL_get_error(SSL * ssl, int ret) { if (ret > 0) - return SSL_ERROR_NONE; + return SSL_ERROR_NONE; return SSL_ERROR_ZERO_RETURN; } -int SSL_set_fd(SSL *ssl, int fd) +int SSL_set_fd(SSL * ssl, int fd) { - gnutls_transport_set_ptr (ssl->gnutls_state, (gnutls_transport_ptr)fd); + gnutls_transport_set_ptr(ssl->gnutls_state, (gnutls_transport_ptr) fd); return 1; } -int SSL_set_rfd(SSL *ssl, int fd) +int SSL_set_rfd(SSL * ssl, int fd) { - ssl->rfd = (gnutls_transport_ptr)fd; - - if (ssl->wfd != (gnutls_transport_ptr)-1) - gnutls_transport_set_ptr2(ssl->gnutls_state, ssl->rfd, ssl->wfd); + ssl->rfd = (gnutls_transport_ptr) fd; + + if (ssl->wfd != (gnutls_transport_ptr) - 1) + gnutls_transport_set_ptr2(ssl->gnutls_state, ssl->rfd, ssl->wfd); return 1; } -int SSL_set_wfd(SSL *ssl, int fd) +int SSL_set_wfd(SSL * ssl, int fd) { - ssl->wfd = (gnutls_transport_ptr)fd; - - if (ssl->rfd != (gnutls_transport_ptr)-1) - gnutls_transport_set_ptr2(ssl->gnutls_state, ssl->rfd, ssl->wfd); + ssl->wfd = (gnutls_transport_ptr) fd; + + if (ssl->rfd != (gnutls_transport_ptr) - 1) + gnutls_transport_set_ptr2(ssl->gnutls_state, ssl->rfd, ssl->wfd); return 1; } -void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) +void SSL_set_bio(SSL * ssl, BIO * rbio, BIO * wbio) { - gnutls_transport_set_ptr2 (ssl->gnutls_state, rbio->fd, wbio->fd); + gnutls_transport_set_ptr2(ssl->gnutls_state, rbio->fd, wbio->fd); /* free(BIO); ? */ } -void SSL_set_connect_state(SSL *ssl) +void SSL_set_connect_state(SSL * ssl) { } -int SSL_pending(SSL *ssl) +int SSL_pending(SSL * ssl) { return gnutls_record_check_pending(ssl->gnutls_state); } -void SSL_set_verify(SSL *ssl, int verify_mode, - int (*verify_callback)(int, X509_STORE_CTX *)) +void SSL_set_verify(SSL * ssl, int verify_mode, + int (*verify_callback) (int, X509_STORE_CTX *)) { ssl->verify_mode = verify_mode; ssl->verify_callback = verify_callback; } -const X509 *SSL_get_peer_certificate(SSL *ssl) +const X509 *SSL_get_peer_certificate(SSL * ssl) { const gnutls_datum *cert_list; int cert_list_size = 0; cert_list = gnutls_certificate_get_peers(ssl->gnutls_state, - &cert_list_size); + &cert_list_size); return cert_list; } /* SSL connection open/close/read/write functions */ -int SSL_connect(SSL *ssl) +int SSL_connect(SSL * ssl) { X509_STORE_CTX *store; int cert_list_size = 0; @@ -312,40 +319,36 @@ int SSL_connect(SSL *ssl) int x_priority[GNUTLS_MAX_ALGORITHM_NUM]; /* take options into account before connecting */ - if (ssl->options & SSL_OP_NO_TLSv1) - { - for (i=0, j=0; - i < GNUTLS_MAX_ALGORITHM_NUM && x_priority[i] != 0; - i++, j++) - { - if (ssl->ctx->method->protocol_priority[j] == GNUTLS_TLS1) - j++; - else - x_priority[i] = ssl->ctx->method->protocol_priority[j]; - } - if (i < GNUTLS_MAX_ALGORITHM_NUM) - x_priority[i] = 0; - gnutls_protocol_set_priority (ssl->gnutls_state, - ssl->ctx->method->protocol_priority); + if (ssl->options & SSL_OP_NO_TLSv1) { + for (i = 0, j = 0; + i < GNUTLS_MAX_ALGORITHM_NUM && x_priority[i] != 0; + i++, j++) { + if (ssl->ctx->method->protocol_priority[j] == GNUTLS_TLS1) + j++; + else + x_priority[i] = ssl->ctx->method->protocol_priority[j]; + } + if (i < GNUTLS_MAX_ALGORITHM_NUM) + x_priority[i] = 0; + gnutls_protocol_set_priority(ssl->gnutls_state, + ssl->ctx->method->protocol_priority); } err = gnutls_handshake(ssl->gnutls_state); ssl->last_error = err; - if (err < 0) - { - last_error = err; - return 0; + if (err < 0) { + last_error = err; + return 0; } - store = (X509_STORE_CTX *)calloc(1, sizeof(X509_STORE_CTX)); + store = (X509_STORE_CTX *) calloc(1, sizeof(X509_STORE_CTX)); store->ssl = ssl; store->cert_list = gnutls_certificate_get_peers(ssl->gnutls_state, - &cert_list_size); + &cert_list_size); - if (ssl->verify_callback) - { - ssl->verify_callback(1 /*FIXME*/, store); + if (ssl->verify_callback) { + ssl->verify_callback(1 /*FIXME*/, store); } ssl->state = SSL_ST_OK; @@ -357,7 +360,7 @@ int SSL_connect(SSL *ssl) return 1; } -int SSL_accept(SSL *ssl) +int SSL_accept(SSL * ssl) { X509_STORE_CTX *store; int cert_list_size = 0; @@ -366,21 +369,19 @@ int SSL_accept(SSL *ssl) int x_priority[GNUTLS_MAX_ALGORITHM_NUM]; /* take options into account before accepting */ - if (ssl->options & SSL_OP_NO_TLSv1) - { - for (i=0, j=0; - i < GNUTLS_MAX_ALGORITHM_NUM && x_priority[i] != 0; - i++, j++) - { - if (ssl->ctx->method->protocol_priority[j] == GNUTLS_TLS1) - j++; - else - x_priority[i] = ssl->ctx->method->protocol_priority[j]; - } - if (i < GNUTLS_MAX_ALGORITHM_NUM) - x_priority[i] = 0; - gnutls_protocol_set_priority (ssl->gnutls_state, - ssl->ctx->method->protocol_priority); + if (ssl->options & SSL_OP_NO_TLSv1) { + for (i = 0, j = 0; + i < GNUTLS_MAX_ALGORITHM_NUM && x_priority[i] != 0; + i++, j++) { + if (ssl->ctx->method->protocol_priority[j] == GNUTLS_TLS1) + j++; + else + x_priority[i] = ssl->ctx->method->protocol_priority[j]; + } + if (i < GNUTLS_MAX_ALGORITHM_NUM) + x_priority[i] = 0; + gnutls_protocol_set_priority(ssl->gnutls_state, + ssl->ctx->method->protocol_priority); } /* FIXME: dh params, do we want client cert? */ @@ -388,20 +389,18 @@ int SSL_accept(SSL *ssl) err = gnutls_handshake(ssl->gnutls_state); ssl->last_error = err; - if (err < 0) - { - last_error = err; - return 0; + if (err < 0) { + last_error = err; + return 0; } - store = (X509_STORE_CTX *)calloc(1, sizeof(X509_STORE_CTX)); + store = (X509_STORE_CTX *) calloc(1, sizeof(X509_STORE_CTX)); store->ssl = ssl; store->cert_list = gnutls_certificate_get_peers(ssl->gnutls_state, - &cert_list_size); + &cert_list_size); - if (ssl->verify_callback) - { - ssl->verify_callback(1 /*FIXME*/, store); + if (ssl->verify_callback) { + ssl->verify_callback(1 /*FIXME*/, store); } ssl->state = SSL_ST_OK; @@ -413,56 +412,51 @@ int SSL_accept(SSL *ssl) return 1; } -int SSL_shutdown(SSL *ssl) +int SSL_shutdown(SSL * ssl) { - if (!ssl->shutdown) - { - gnutls_bye(ssl->gnutls_state, GNUTLS_SHUT_WR); - ssl->shutdown++; - } - else - { - gnutls_bye(ssl->gnutls_state, GNUTLS_SHUT_RDWR); - ssl->shutdown++; + if (!ssl->shutdown) { + gnutls_bye(ssl->gnutls_state, GNUTLS_SHUT_WR); + ssl->shutdown++; + } else { + gnutls_bye(ssl->gnutls_state, GNUTLS_SHUT_RDWR); + ssl->shutdown++; } /* FIXME */ return 1; } -int SSL_read(SSL *ssl, void *buf, int len) +int SSL_read(SSL * ssl, void *buf, int len) { int ret; ret = gnutls_record_recv(ssl->gnutls_state, buf, len); ssl->last_error = ret; - if (ret < 0) - { - last_error = ret; - return 0; + if (ret < 0) { + last_error = ret; + return 0; } return ret; } -int SSL_write(SSL *ssl, const void *buf, int len) +int SSL_write(SSL * ssl, const void *buf, int len) { int ret; ret = gnutls_record_send(ssl->gnutls_state, buf, len); ssl->last_error = ret; - if (ret < 0) - { - last_error = ret; - return 0; + if (ret < 0) { + last_error = ret; + return 0; } return ret; } -int SSL_want(SSL *ssl) +int SSL_want(SSL * ssl) { return SSL_NOTHING; } @@ -473,9 +467,9 @@ int SSL_want(SSL *ssl) SSL_METHOD *SSLv23_client_method(void) { SSL_METHOD *m; - m = (SSL_METHOD *)calloc(1, sizeof(SSL_METHOD)); + m = (SSL_METHOD *) calloc(1, sizeof(SSL_METHOD)); if (!m) - return NULL; + return NULL; m->protocol_priority[0] = GNUTLS_TLS1; m->protocol_priority[1] = GNUTLS_SSL3; @@ -508,9 +502,9 @@ SSL_METHOD *SSLv23_client_method(void) SSL_METHOD *SSLv23_server_method(void) { SSL_METHOD *m; - m = (SSL_METHOD *)calloc(1, sizeof(SSL_METHOD)); + m = (SSL_METHOD *) calloc(1, sizeof(SSL_METHOD)); if (!m) - return NULL; + return NULL; m->protocol_priority[0] = GNUTLS_TLS1; m->protocol_priority[1] = GNUTLS_SSL3; @@ -543,9 +537,9 @@ SSL_METHOD *SSLv23_server_method(void) SSL_METHOD *SSLv3_client_method(void) { SSL_METHOD *m; - m = (SSL_METHOD *)calloc(1, sizeof(SSL_METHOD)); + m = (SSL_METHOD *) calloc(1, sizeof(SSL_METHOD)); if (!m) - return NULL; + return NULL; m->protocol_priority[0] = GNUTLS_SSL3; m->protocol_priority[2] = 0; @@ -575,9 +569,9 @@ SSL_METHOD *SSLv3_client_method(void) SSL_METHOD *SSLv3_server_method(void) { SSL_METHOD *m; - m = (SSL_METHOD *)calloc(1, sizeof(SSL_METHOD)); + m = (SSL_METHOD *) calloc(1, sizeof(SSL_METHOD)); if (!m) - return NULL; + return NULL; m->protocol_priority[0] = GNUTLS_SSL3; m->protocol_priority[2] = 0; @@ -607,9 +601,9 @@ SSL_METHOD *SSLv3_server_method(void) SSL_METHOD *TLSv1_client_method(void) { SSL_METHOD *m; - m = (SSL_METHOD *)calloc(1, sizeof(SSL_METHOD)); + m = (SSL_METHOD *) calloc(1, sizeof(SSL_METHOD)); if (!m) - return NULL; + return NULL; m->protocol_priority[0] = GNUTLS_TLS1; m->protocol_priority[1] = 0; @@ -641,9 +635,9 @@ SSL_METHOD *TLSv1_client_method(void) SSL_METHOD *TLSv1_server_method(void) { SSL_METHOD *m; - m = (SSL_METHOD *)calloc(1, sizeof(SSL_METHOD)); + m = (SSL_METHOD *) calloc(1, sizeof(SSL_METHOD)); if (!m) - return NULL; + return NULL; m->protocol_priority[0] = GNUTLS_TLS1; m->protocol_priority[1] = 0; @@ -675,88 +669,85 @@ SSL_METHOD *TLSv1_server_method(void) /* SSL_CIPHER functions */ -SSL_CIPHER *SSL_get_current_cipher(SSL *ssl) +SSL_CIPHER *SSL_get_current_cipher(SSL * ssl) { if (!ssl) - return NULL; + return NULL; - ssl->ciphersuite.version = gnutls_protocol_get_version(ssl->gnutls_state); + ssl->ciphersuite.version = + gnutls_protocol_get_version(ssl->gnutls_state); ssl->ciphersuite.cipher = gnutls_cipher_get(ssl->gnutls_state); ssl->ciphersuite.kx = gnutls_kx_get(ssl->gnutls_state); ssl->ciphersuite.mac = gnutls_mac_get(ssl->gnutls_state); - ssl->ciphersuite.compression = gnutls_compression_get(ssl->gnutls_state); + ssl->ciphersuite.compression = + gnutls_compression_get(ssl->gnutls_state); ssl->ciphersuite.cert = gnutls_certificate_type_get(ssl->gnutls_state); return &(ssl->ciphersuite); } -const char *SSL_CIPHER_get_name(SSL_CIPHER *cipher) +const char *SSL_CIPHER_get_name(SSL_CIPHER * cipher) { if (!cipher) - return ("NONE"); + return ("NONE"); return gnutls_cipher_suite_get_name(cipher->kx, - cipher->cipher, - cipher->mac); + cipher->cipher, cipher->mac); } -int SSL_CIPHER_get_bits(SSL_CIPHER *cipher, int *bits) +int SSL_CIPHER_get_bits(SSL_CIPHER * cipher, int *bits) { int bit_result; if (!cipher) - return 0; + return 0; bit_result = (8 * gnutls_cipher_get_key_size(cipher->cipher)); if (bits) - *bits = bit_result; + *bits = bit_result; return bit_result; } -const char *SSL_CIPHER_get_version(SSL_CIPHER *cipher) +const char *SSL_CIPHER_get_version(SSL_CIPHER * cipher) { const char *ret; if (!cipher) - return ("(NONE)"); + return ("(NONE)"); ret = gnutls_protocol_get_name(cipher->version); if (ret) - return ret; + return ret; return ("unknown"); } -char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size) +char *SSL_CIPHER_description(SSL_CIPHER * cipher, char *buf, int size) { char *tmpbuf; int tmpsize; int local_alloc; - if (buf) - { - tmpbuf = buf; - tmpsize = size; - local_alloc = 0; - } - else - { - tmpbuf = (char *)malloc(128); - tmpsize = 128; - local_alloc = 1; + if (buf) { + tmpbuf = buf; + tmpsize = size; + local_alloc = 0; + } else { + tmpbuf = (char *) malloc(128); + tmpsize = 128; + local_alloc = 1; } if (snprintf(tmpbuf, tmpsize, "%s %s %s %s", - gnutls_protocol_get_name(cipher->version), - gnutls_kx_get_name(cipher->kx), - gnutls_cipher_get_name(cipher->cipher), - gnutls_mac_get_name(cipher->mac)) == -1) - { - if (local_alloc) - free(tmpbuf); - return "Buffer too small"; + gnutls_protocol_get_name(cipher->version), + gnutls_kx_get_name(cipher->kx), + gnutls_cipher_get_name(cipher->cipher), + gnutls_mac_get_name(cipher->mac)) == -1) { + if (local_alloc) + free(tmpbuf); + return "Buffer too small"; } return tmpbuf; @@ -765,45 +756,44 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size) /* X509 functions */ -X509_NAME *X509_get_subject_name(const X509 *cert) +X509_NAME *X509_get_subject_name(const X509 * cert) { gnutls_x509_dn *dn; - dn = (gnutls_x509_dn *)calloc(1, sizeof(gnutls_x509_dn)); - if (gnutls_x509_extract_certificate_dn(&cert[0], dn) < 0) - { - free(dn); - return NULL; + dn = (gnutls_x509_dn *) calloc(1, sizeof(gnutls_x509_dn)); + if (gnutls_x509_extract_certificate_dn(&cert[0], dn) < 0) { + free(dn); + return NULL; } return dn; } -X509_NAME *X509_get_issuer_name(const X509 *cert) +X509_NAME *X509_get_issuer_name(const X509 * cert) { gnutls_x509_dn *dn; - dn = (gnutls_x509_dn *)calloc(1, sizeof(gnutls_x509_dn)); - if (gnutls_x509_extract_certificate_dn(&cert[1], dn) < 0) - { - free(dn); - return NULL; + dn = (gnutls_x509_dn *) calloc(1, sizeof(gnutls_x509_dn)); + if (gnutls_x509_extract_certificate_dn(&cert[1], dn) < 0) { + free(dn); + return NULL; } return dn; } -char *X509_NAME_oneline(gnutls_x509_dn *name, char *buf, int len) +char *X509_NAME_oneline(gnutls_x509_dn * name, char *buf, int len) { memset(buf, 0, len); if (!buf) - return NULL; - - snprintf(buf, len-1, "C=%s, ST=%s, L=%s, O=%s, OU=%s, CN=%s/Email=%s", - name->country, name->state_or_province_name, - name->locality_name, name->organization, - name->organizational_unit_name, - name->common_name, name->email); + return NULL; + + snprintf(buf, len - 1, + "C=%s, ST=%s, L=%s, O=%s, OU=%s, CN=%s/Email=%s", + name->country, name->state_or_province_name, + name->locality_name, name->organization, + name->organizational_unit_name, name->common_name, + name->email); return buf; } -void X509_free(const X509 *cert) +void X509_free(const X509 * cert) { /* only get certificates as const items */ } @@ -813,18 +803,18 @@ void X509_free(const X509 *cert) void BIO_get_fd(gnutls_session gnutls_state, int *fd) { - *fd = (int)gnutls_transport_get_ptr(gnutls_state); + *fd = (int) gnutls_transport_get_ptr(gnutls_state); } BIO *BIO_new_socket(int sock, int close_flag) { BIO *bio; - bio = (BIO *)malloc(sizeof(BIO)); + bio = (BIO *) malloc(sizeof(BIO)); if (!bio) - return NULL; + return NULL; - bio->fd = (gnutls_transport_ptr)sock; + bio->fd = (gnutls_transport_ptr) sock; return bio; } @@ -889,84 +879,83 @@ int RAND_egd_bytes(const char *path, int bytes) /* message digest functions */ -void MD5_Init(MD5_CTX *ctx) +void MD5_Init(MD5_CTX * ctx) { gcry_md_open(&ctx->handle, GCRY_MD_MD5, 0); } -void MD5_Update(MD5_CTX *ctx, const void *buf, int len) +void MD5_Update(MD5_CTX * ctx, const void *buf, int len) { gcry_md_write(ctx->handle, buf, len); } -void MD5_Final(unsigned char *md, MD5_CTX *ctx) +void MD5_Final(unsigned char *md, MD5_CTX * ctx) { unsigned char *local_md; gcry_md_final(ctx->handle); local_md = gcry_md_read(ctx->handle, 0); if (md) - memcpy(md, local_md, gcry_md_get_algo_dlen(GCRY_MD_MD5)); + memcpy(md, local_md, gcry_md_get_algo_dlen(GCRY_MD_MD5)); gcry_md_close(ctx->handle); } unsigned char *MD5(const unsigned char *buf, unsigned long len, - unsigned char *md) + unsigned char *md) { unsigned char *local_md; if (!md) - return NULL; + return NULL; local_md = malloc(gcry_md_get_algo_dlen(GCRY_MD_MD5)); if (!local_md) - return NULL; + return NULL; gcry_md_hash_buffer(GCRY_MD_MD5, local_md, buf, len); memcpy(md, local_md, gcry_md_get_algo_dlen(GCRY_MD_MD5)); - free( local_md); - + free(local_md); + return md; } -void RIPEMD160_Init(RIPEMD160_CTX *ctx) +void RIPEMD160_Init(RIPEMD160_CTX * ctx) { gcry_md_open(&ctx->handle, GCRY_MD_RMD160, 0); } -void RIPEMD160_Update(RIPEMD160_CTX *ctx, const void *buf, int len) +void RIPEMD160_Update(RIPEMD160_CTX * ctx, const void *buf, int len) { gcry_md_write(ctx->handle, buf, len); } -void RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *ctx) +void RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX * ctx) { unsigned char *local_md; gcry_md_final(ctx->handle); local_md = gcry_md_read(ctx->handle, 0); if (md) - memcpy(md, local_md, gcry_md_get_algo_dlen(GCRY_MD_RMD160)); + memcpy(md, local_md, gcry_md_get_algo_dlen(GCRY_MD_RMD160)); gcry_md_close(ctx->handle); } unsigned char *RIPEMD160(const unsigned char *buf, unsigned long len, - unsigned char *md) + unsigned char *md) { unsigned char *local_md; if (!md) - return NULL; + return NULL; local_md = malloc(gcry_md_get_algo_dlen(GCRY_MD_RMD160)); if (!local_md) - return NULL; + return NULL; gcry_md_hash_buffer(GCRY_MD_RMD160, local_md, buf, len); memcpy(md, local_md, gcry_md_get_algo_dlen(GCRY_MD_RMD160)); - free( local_md); - + free(local_md); + return md; } - diff --git a/libextra/gnutls_srp.c b/libextra/gnutls_srp.c index 4ab3d29e61..3439da1c2f 100644 --- a/libextra/gnutls_srp.c +++ b/libextra/gnutls_srp.c @@ -36,39 +36,41 @@ /* Here functions for SRP (like g^x mod n) are defined */ -int _gnutls_srp_gx(opaque * text, size_t textsize, opaque ** result, GNUTLS_MPI g, - GNUTLS_MPI prime, gnutls_alloc_function galloc_func) +int _gnutls_srp_gx(opaque * text, size_t textsize, opaque ** result, + GNUTLS_MPI g, GNUTLS_MPI prime, + gnutls_alloc_function galloc_func) { - GNUTLS_MPI x, e; - size_t result_size; - - if (_gnutls_mpi_scan(&x, text, &textsize)) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - e = _gnutls_mpi_alloc_like(prime); - if (e==NULL) { - gnutls_assert(); - _gnutls_mpi_release(&x); - return GNUTLS_E_MEMORY_ERROR; - } - - /* e = g^x mod prime (n) */ - _gnutls_mpi_powm(e, g, x, prime); + GNUTLS_MPI x, e; + size_t result_size; + + if (_gnutls_mpi_scan(&x, text, &textsize)) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + e = _gnutls_mpi_alloc_like(prime); + if (e == NULL) { + gnutls_assert(); _gnutls_mpi_release(&x); + return GNUTLS_E_MEMORY_ERROR; + } + + /* e = g^x mod prime (n) */ + _gnutls_mpi_powm(e, g, x, prime); + _gnutls_mpi_release(&x); - _gnutls_mpi_print( NULL, &result_size, e); - if (result != NULL) { - *result = galloc_func(result_size); - if ((*result)==NULL) return GNUTLS_E_MEMORY_ERROR; + _gnutls_mpi_print(NULL, &result_size, e); + if (result != NULL) { + *result = galloc_func(result_size); + if ((*result) == NULL) + return GNUTLS_E_MEMORY_ERROR; - _gnutls_mpi_print( *result, &result_size, e); - } + _gnutls_mpi_print(*result, &result_size, e); + } - _gnutls_mpi_release(&e); + _gnutls_mpi_release(&e); - return result_size; + return result_size; } @@ -78,150 +80,153 @@ int _gnutls_srp_gx(opaque * text, size_t textsize, opaque ** result, GNUTLS_MPI * where k == SHA1(N|g) * Return: B and if ret_b is not NULL b. */ -GNUTLS_MPI _gnutls_calc_srp_B(GNUTLS_MPI * ret_b, GNUTLS_MPI g, GNUTLS_MPI n, GNUTLS_MPI v) +GNUTLS_MPI _gnutls_calc_srp_B(GNUTLS_MPI * ret_b, GNUTLS_MPI g, + GNUTLS_MPI n, GNUTLS_MPI v) { - GNUTLS_MPI tmpB = NULL, tmpV = NULL; - GNUTLS_MPI b = NULL, B = NULL, k = NULL; - int bits; - - /* calculate: B = (k*v + g^b) % N - */ - bits = _gnutls_mpi_get_nbits(n); - b = _gnutls_mpi_snew(bits); - if (b==NULL) { - gnutls_assert(); - return NULL; - } - - tmpV = _gnutls_mpi_alloc_like(n); - - if (tmpV == NULL) { - gnutls_assert(); - goto error; - } - - _gnutls_mpi_randomize(b, bits, GCRY_STRONG_RANDOM); - - tmpB = _gnutls_mpi_snew(bits); - if (tmpB==NULL) { - gnutls_assert(); - goto error; - } - - B = _gnutls_mpi_snew(bits); - if (B==NULL) { - gnutls_assert(); - goto error; - } - - k = _gnutls_calc_srp_u( n, g); - if (k == NULL) { - gnutls_assert(); - goto error; - } - - _gnutls_mpi_mulm(tmpV, k, v, n); - _gnutls_mpi_powm(tmpB, g, b, n); - - _gnutls_mpi_addm(B, tmpV, tmpB, n); - - _gnutls_mpi_release( &k); - _gnutls_mpi_release(&tmpB); - _gnutls_mpi_release(&tmpV); - - if (ret_b) - *ret_b = b; - else - _gnutls_mpi_release(&b); - - return B; - -error: - _gnutls_mpi_release( &b); - _gnutls_mpi_release( &B); - _gnutls_mpi_release( &k); - _gnutls_mpi_release( &tmpB); - _gnutls_mpi_release(&tmpV); + GNUTLS_MPI tmpB = NULL, tmpV = NULL; + GNUTLS_MPI b = NULL, B = NULL, k = NULL; + int bits; + + /* calculate: B = (k*v + g^b) % N + */ + bits = _gnutls_mpi_get_nbits(n); + b = _gnutls_mpi_snew(bits); + if (b == NULL) { + gnutls_assert(); return NULL; - + } + + tmpV = _gnutls_mpi_alloc_like(n); + + if (tmpV == NULL) { + gnutls_assert(); + goto error; + } + + _gnutls_mpi_randomize(b, bits, GCRY_STRONG_RANDOM); + + tmpB = _gnutls_mpi_snew(bits); + if (tmpB == NULL) { + gnutls_assert(); + goto error; + } + + B = _gnutls_mpi_snew(bits); + if (B == NULL) { + gnutls_assert(); + goto error; + } + + k = _gnutls_calc_srp_u(n, g); + if (k == NULL) { + gnutls_assert(); + goto error; + } + + _gnutls_mpi_mulm(tmpV, k, v, n); + _gnutls_mpi_powm(tmpB, g, b, n); + + _gnutls_mpi_addm(B, tmpV, tmpB, n); + + _gnutls_mpi_release(&k); + _gnutls_mpi_release(&tmpB); + _gnutls_mpi_release(&tmpV); + + if (ret_b) + *ret_b = b; + else + _gnutls_mpi_release(&b); + + return B; + + error: + _gnutls_mpi_release(&b); + _gnutls_mpi_release(&B); + _gnutls_mpi_release(&k); + _gnutls_mpi_release(&tmpB); + _gnutls_mpi_release(&tmpV); + return NULL; + } /* This calculates the SHA1(A | B) */ GNUTLS_MPI _gnutls_calc_srp_u(GNUTLS_MPI A, GNUTLS_MPI B) { - size_t b_size, a_size; - opaque *holder, hd[MAX_HASH_SIZE]; - size_t holder_size, hash_size; - GNUTLS_HASH_HANDLE td; - int ret; - GNUTLS_MPI res; - - _gnutls_mpi_print( NULL, &a_size, A); - _gnutls_mpi_print( NULL, &b_size, B); - - holder_size = a_size + b_size; - - holder = gnutls_alloca(holder_size); - if (holder==NULL) return NULL; - - _gnutls_mpi_print( holder, &a_size, A); - _gnutls_mpi_print( &holder[a_size], &b_size, B); - - td = _gnutls_hash_init(GNUTLS_MAC_SHA); - if (td==NULL) { - gnutls_afree(holder); - gnutls_assert(); - return NULL; - } - _gnutls_hash(td, holder, holder_size); - _gnutls_hash_deinit(td, hd); - - /* convert the bytes of hd to integer - */ - hash_size = 20; /* SHA */ - ret = _gnutls_mpi_scan( &res, hd, &hash_size); - gnutls_afree(holder); + size_t b_size, a_size; + opaque *holder, hd[MAX_HASH_SIZE]; + size_t holder_size, hash_size; + GNUTLS_HASH_HANDLE td; + int ret; + GNUTLS_MPI res; + + _gnutls_mpi_print(NULL, &a_size, A); + _gnutls_mpi_print(NULL, &b_size, B); - if (ret < 0) { - gnutls_assert(); - return NULL; - } + holder_size = a_size + b_size; + + holder = gnutls_alloca(holder_size); + if (holder == NULL) + return NULL; + + _gnutls_mpi_print(holder, &a_size, A); + _gnutls_mpi_print(&holder[a_size], &b_size, B); + + td = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (td == NULL) { + gnutls_afree(holder); + gnutls_assert(); + return NULL; + } + _gnutls_hash(td, holder, holder_size); + _gnutls_hash_deinit(td, hd); + + /* convert the bytes of hd to integer + */ + hash_size = 20; /* SHA */ + ret = _gnutls_mpi_scan(&res, hd, &hash_size); + gnutls_afree(holder); + + if (ret < 0) { + gnutls_assert(); + return NULL; + } - return res; + return res; } /* S = (A * v^u) ^ b % N * this is our shared key (server premaster secret) */ -GNUTLS_MPI _gnutls_calc_srp_S1(GNUTLS_MPI A, GNUTLS_MPI b, GNUTLS_MPI u, GNUTLS_MPI v, GNUTLS_MPI n) +GNUTLS_MPI _gnutls_calc_srp_S1(GNUTLS_MPI A, GNUTLS_MPI b, GNUTLS_MPI u, + GNUTLS_MPI v, GNUTLS_MPI n) { - GNUTLS_MPI tmp1=NULL, tmp2 = NULL; - GNUTLS_MPI S = NULL; + GNUTLS_MPI tmp1 = NULL, tmp2 = NULL; + GNUTLS_MPI S = NULL; - S = _gnutls_mpi_alloc_like(n); - if (S==NULL) - return NULL; + S = _gnutls_mpi_alloc_like(n); + if (S == NULL) + return NULL; - tmp1 = _gnutls_mpi_alloc_like(n); - tmp2 = _gnutls_mpi_alloc_like(n); + tmp1 = _gnutls_mpi_alloc_like(n); + tmp2 = _gnutls_mpi_alloc_like(n); - if (tmp1 == NULL || tmp2 == NULL) - goto freeall; + if (tmp1 == NULL || tmp2 == NULL) + goto freeall; - _gnutls_mpi_powm(tmp1, v, u, n); - _gnutls_mpi_mulm(tmp2, A, tmp1, n); - _gnutls_mpi_powm(S, tmp2, b, n); + _gnutls_mpi_powm(tmp1, v, u, n); + _gnutls_mpi_mulm(tmp2, A, tmp1, n); + _gnutls_mpi_powm(S, tmp2, b, n); - _gnutls_mpi_release(&tmp1); - _gnutls_mpi_release(&tmp2); + _gnutls_mpi_release(&tmp1); + _gnutls_mpi_release(&tmp2); - return S; + return S; - freeall: - _gnutls_mpi_release(&tmp1); - _gnutls_mpi_release(&tmp2); - return NULL; + freeall: + _gnutls_mpi_release(&tmp1); + _gnutls_mpi_release(&tmp2); + return NULL; } /* A = g^a % N @@ -229,131 +234,133 @@ GNUTLS_MPI _gnutls_calc_srp_S1(GNUTLS_MPI A, GNUTLS_MPI b, GNUTLS_MPI u, GNUTLS_ */ GNUTLS_MPI _gnutls_calc_srp_A(GNUTLS_MPI * a, GNUTLS_MPI g, GNUTLS_MPI n) { - GNUTLS_MPI tmpa; - GNUTLS_MPI A; - int bits; - - bits = _gnutls_mpi_get_nbits(n); - tmpa = _gnutls_mpi_snew(bits); - if (tmpa==NULL) { - gnutls_assert(); - return NULL; - } - - _gnutls_mpi_randomize(tmpa, bits, GCRY_STRONG_RANDOM); - - A = _gnutls_mpi_snew(bits); - if (A==NULL) { - gnutls_assert(); - _gnutls_mpi_release( &tmpa); - return NULL; - } - _gnutls_mpi_powm(A, g, tmpa, n); - - if (a != NULL) - *a = tmpa; - else - _gnutls_mpi_release(&tmpa); - - return A; + GNUTLS_MPI tmpa; + GNUTLS_MPI A; + int bits; + + bits = _gnutls_mpi_get_nbits(n); + tmpa = _gnutls_mpi_snew(bits); + if (tmpa == NULL) { + gnutls_assert(); + return NULL; + } + + _gnutls_mpi_randomize(tmpa, bits, GCRY_STRONG_RANDOM); + + A = _gnutls_mpi_snew(bits); + if (A == NULL) { + gnutls_assert(); + _gnutls_mpi_release(&tmpa); + return NULL; + } + _gnutls_mpi_powm(A, g, tmpa, n); + + if (a != NULL) + *a = tmpa; + else + _gnutls_mpi_release(&tmpa); + + return A; } /* generate x = SHA(s | SHA(U | ":" | p)) * The output is exactly 20 bytes */ -int _gnutls_calc_srp_sha(const char *username, const char *password, opaque * salt, - int salt_size, size_t *size, void* digest) +int _gnutls_calc_srp_sha(const char *username, const char *password, + opaque * salt, int salt_size, size_t * size, + void *digest) { - GNUTLS_HASH_HANDLE td; - opaque res[MAX_HASH_SIZE]; + GNUTLS_HASH_HANDLE td; + opaque res[MAX_HASH_SIZE]; - *size = 20; + *size = 20; - td = _gnutls_hash_init(GNUTLS_MAC_SHA); - if (td==NULL) { - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_hash(td, username, strlen(username)); - _gnutls_hash(td, ":", 1); - _gnutls_hash(td, password, strlen(password)); - - _gnutls_hash_deinit(td, res); + td = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (td == NULL) { + return GNUTLS_E_MEMORY_ERROR; + } + _gnutls_hash(td, username, strlen(username)); + _gnutls_hash(td, ":", 1); + _gnutls_hash(td, password, strlen(password)); - td = _gnutls_hash_init(GNUTLS_MAC_SHA); - if (td==NULL) { - return GNUTLS_E_MEMORY_ERROR; - } + _gnutls_hash_deinit(td, res); - _gnutls_hash(td, salt, salt_size); - _gnutls_hash(td, res, 20); /* 20 bytes is the output of sha1 */ + td = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (td == NULL) { + return GNUTLS_E_MEMORY_ERROR; + } - _gnutls_hash_deinit(td, digest); + _gnutls_hash(td, salt, salt_size); + _gnutls_hash(td, res, 20); /* 20 bytes is the output of sha1 */ - return 0; + _gnutls_hash_deinit(td, digest); + + return 0; } int _gnutls_calc_srp_x(char *username, char *password, opaque * salt, - size_t salt_size, size_t *size, void* digest) + size_t salt_size, size_t * size, void *digest) { - return _gnutls_calc_srp_sha(username, password, salt, - salt_size, size, digest); + return _gnutls_calc_srp_sha(username, password, salt, + salt_size, size, digest); } /* S = (B - k*g^x) ^ (a + u * x) % N * this is our shared key (client premaster secret) */ -GNUTLS_MPI _gnutls_calc_srp_S2(GNUTLS_MPI B, GNUTLS_MPI g, GNUTLS_MPI x, GNUTLS_MPI a, GNUTLS_MPI u, GNUTLS_MPI n) +GNUTLS_MPI _gnutls_calc_srp_S2(GNUTLS_MPI B, GNUTLS_MPI g, GNUTLS_MPI x, + GNUTLS_MPI a, GNUTLS_MPI u, GNUTLS_MPI n) { - GNUTLS_MPI S=NULL, tmp1=NULL, tmp2=NULL; - GNUTLS_MPI tmp4=NULL, tmp3=NULL, k = NULL; - - S = _gnutls_mpi_alloc_like(n); - if (S==NULL) - return NULL; - - tmp1 = _gnutls_mpi_alloc_like(n); - tmp2 = _gnutls_mpi_alloc_like(n); - tmp3 = _gnutls_mpi_alloc_like(n); - if (tmp1 == NULL || tmp2 == NULL || tmp3 == NULL) { - goto freeall; - } - - k = _gnutls_calc_srp_u( n, g); - if (k == NULL) { - gnutls_assert(); - goto freeall; - } - - _gnutls_mpi_powm(tmp1, g, x, n); /* g^x */ - _gnutls_mpi_mulm(tmp3, tmp1, k, n); /* k*g^x mod n */ - _gnutls_mpi_subm(tmp2, B, tmp3, n); - - tmp4 = _gnutls_mpi_alloc_like(n); - if (tmp4==NULL) - goto freeall; - - _gnutls_mpi_mul(tmp1, u, x); - _gnutls_mpi_add(tmp4, a, tmp1); - _gnutls_mpi_powm(S, tmp2, tmp4, n); - - _gnutls_mpi_release(&tmp1); - _gnutls_mpi_release(&tmp2); - _gnutls_mpi_release(&tmp3); - _gnutls_mpi_release(&tmp4); - _gnutls_mpi_release(&k); - - return S; - - freeall: - _gnutls_mpi_release(&k); - _gnutls_mpi_release(&tmp1); - _gnutls_mpi_release(&tmp2); - _gnutls_mpi_release(&tmp3); - _gnutls_mpi_release(&tmp4); - _gnutls_mpi_release(&S); - return NULL; + GNUTLS_MPI S = NULL, tmp1 = NULL, tmp2 = NULL; + GNUTLS_MPI tmp4 = NULL, tmp3 = NULL, k = NULL; + + S = _gnutls_mpi_alloc_like(n); + if (S == NULL) + return NULL; + + tmp1 = _gnutls_mpi_alloc_like(n); + tmp2 = _gnutls_mpi_alloc_like(n); + tmp3 = _gnutls_mpi_alloc_like(n); + if (tmp1 == NULL || tmp2 == NULL || tmp3 == NULL) { + goto freeall; + } + + k = _gnutls_calc_srp_u(n, g); + if (k == NULL) { + gnutls_assert(); + goto freeall; + } + + _gnutls_mpi_powm(tmp1, g, x, n); /* g^x */ + _gnutls_mpi_mulm(tmp3, tmp1, k, n); /* k*g^x mod n */ + _gnutls_mpi_subm(tmp2, B, tmp3, n); + + tmp4 = _gnutls_mpi_alloc_like(n); + if (tmp4 == NULL) + goto freeall; + + _gnutls_mpi_mul(tmp1, u, x); + _gnutls_mpi_add(tmp4, a, tmp1); + _gnutls_mpi_powm(S, tmp2, tmp4, n); + + _gnutls_mpi_release(&tmp1); + _gnutls_mpi_release(&tmp2); + _gnutls_mpi_release(&tmp3); + _gnutls_mpi_release(&tmp4); + _gnutls_mpi_release(&k); + + return S; + + freeall: + _gnutls_mpi_release(&k); + _gnutls_mpi_release(&tmp1); + _gnutls_mpi_release(&tmp2); + _gnutls_mpi_release(&tmp3); + _gnutls_mpi_release(&tmp4); + _gnutls_mpi_release(&S); + return NULL; } /** @@ -364,10 +371,11 @@ GNUTLS_MPI _gnutls_calc_srp_S2(GNUTLS_MPI B, GNUTLS_MPI g, GNUTLS_MPI x, GNUTLS_ * this helper function is provided in order to free (deallocate) it. * **/ -void gnutls_srp_free_client_credentials( gnutls_srp_client_credentials sc) { - gnutls_free( sc->username); - gnutls_free( sc->password); - gnutls_free( sc); +void gnutls_srp_free_client_credentials(gnutls_srp_client_credentials sc) +{ + gnutls_free(sc->username); + gnutls_free(sc->password); + gnutls_free(sc); } /** @@ -379,12 +387,15 @@ void gnutls_srp_free_client_credentials( gnutls_srp_client_credentials sc) { * * Returns 0 on success. **/ -int gnutls_srp_allocate_client_credentials( gnutls_srp_client_credentials *sc) { - *sc = gnutls_calloc( 1, sizeof(srp_client_credentials_st)); - - if (*sc==NULL) return GNUTLS_E_MEMORY_ERROR; +int gnutls_srp_allocate_client_credentials(gnutls_srp_client_credentials * + sc) +{ + *sc = gnutls_calloc(1, sizeof(srp_client_credentials_st)); - return 0; + if (*sc == NULL) + return GNUTLS_E_MEMORY_ERROR; + + return 0; } /** @@ -399,24 +410,26 @@ int gnutls_srp_allocate_client_credentials( gnutls_srp_client_credentials *sc) { * * Returns 0 on success. **/ -int gnutls_srp_set_client_credentials( gnutls_srp_client_credentials res, char *username, char * password) +int gnutls_srp_set_client_credentials(gnutls_srp_client_credentials res, + char *username, char *password) { - if (username==NULL || password == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (username == NULL || password == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - res->username = gnutls_strdup( username); - if (res->username == NULL) return GNUTLS_E_MEMORY_ERROR; + res->username = gnutls_strdup(username); + if (res->username == NULL) + return GNUTLS_E_MEMORY_ERROR; - res->password = gnutls_strdup( password); - if (res->password==NULL) { - gnutls_free(res->username); - return GNUTLS_E_MEMORY_ERROR; - } + res->password = gnutls_strdup(password); + if (res->password == NULL) { + gnutls_free(res->username); + return GNUTLS_E_MEMORY_ERROR; + } - return 0; + return 0; } /** @@ -427,11 +440,12 @@ int gnutls_srp_set_client_credentials( gnutls_srp_client_credentials res, char * * this helper function is provided in order to free (deallocate) it. * **/ -void gnutls_srp_free_server_credentials( gnutls_srp_server_credentials sc) { - gnutls_free( sc->password_file); - gnutls_free( sc->password_conf_file); +void gnutls_srp_free_server_credentials(gnutls_srp_server_credentials sc) +{ + gnutls_free(sc->password_file); + gnutls_free(sc->password_conf_file); - gnutls_free(sc); + gnutls_free(sc); } /** @@ -443,23 +457,27 @@ void gnutls_srp_free_server_credentials( gnutls_srp_server_credentials sc) { * * Returns 0 on success. **/ -int gnutls_srp_allocate_server_credentials( gnutls_srp_server_credentials *sc) { - *sc = gnutls_calloc( 1, sizeof(srp_server_cred_st)); - - if (*sc==NULL) return GNUTLS_E_MEMORY_ERROR; - - return 0; +int gnutls_srp_allocate_server_credentials(gnutls_srp_server_credentials * + sc) +{ + *sc = gnutls_calloc(1, sizeof(srp_server_cred_st)); + + if (*sc == NULL) + return GNUTLS_E_MEMORY_ERROR; + + return 0; } -inline -static int file_exists( const char* file) { -FILE* fd; +inline static int file_exists(const char *file) +{ + FILE *fd; - fd = fopen( file, "r"); - if (fd==NULL) return -1; + fd = fopen(file, "r"); + if (fd == NULL) + return -1; - fclose(fd); - return 0; + fclose(fd); + return 0; } /** @@ -474,41 +492,42 @@ FILE* fd; * Returns 0 on success. * **/ -int gnutls_srp_set_server_credentials_file( gnutls_srp_server_credentials res, - const char *password_file, const char * password_conf_file) +int gnutls_srp_set_server_credentials_file(gnutls_srp_server_credentials + res, const char *password_file, + const char *password_conf_file) { - - if (password_file==NULL || password_conf_file==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the files can be opened */ - if (file_exists( password_file)!=0) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; - } - - if (file_exists( password_conf_file)!=0) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; - } - - res->password_file = gnutls_strdup( password_file); - if (res->password_file==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - res->password_conf_file = gnutls_strdup( password_conf_file); - if (res->password_conf_file==NULL) { - gnutls_assert(); - gnutls_free(res->password_file); - res->password_file = NULL; - return GNUTLS_E_MEMORY_ERROR; - } - - return 0; + + if (password_file == NULL || password_conf_file == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the files can be opened */ + if (file_exists(password_file) != 0) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } + + if (file_exists(password_conf_file) != 0) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } + + res->password_file = gnutls_strdup(password_file); + if (res->password_file == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + res->password_conf_file = gnutls_strdup(password_conf_file); + if (res->password_conf_file == NULL) { + gnutls_assert(); + gnutls_free(res->password_file); + res->password_file = NULL; + return GNUTLS_E_MEMORY_ERROR; + } + + return 0; } @@ -540,11 +559,13 @@ int gnutls_srp_set_server_credentials_file( gnutls_srp_server_credentials res, * -1 indicates an error. * **/ -void gnutls_srp_set_server_credentials_function( - gnutls_srp_server_credentials cred, - gnutls_srp_server_credentials_function * func) +void +gnutls_srp_set_server_credentials_function(gnutls_srp_server_credentials + cred, + gnutls_srp_server_credentials_function + * func) { - cred->pwd_callback = func; + cred->pwd_callback = func; } /** @@ -578,11 +599,13 @@ void gnutls_srp_set_server_credentials_function( * -1 indicates an error. * **/ -void gnutls_srp_set_client_credentials_function( - gnutls_srp_client_credentials cred, - gnutls_srp_client_credentials_function * func) +void +gnutls_srp_set_client_credentials_function(gnutls_srp_client_credentials + cred, + gnutls_srp_client_credentials_function + * func) { - cred->get_function = func; + cred->get_function = func; } @@ -597,14 +620,14 @@ void gnutls_srp_set_client_credentials_function( **/ const char *gnutls_srp_server_get_username(gnutls_session session) { - srp_server_auth_info_t info; + srp_server_auth_info_t info; - CHECK_AUTH(GNUTLS_CRD_SRP, NULL); + CHECK_AUTH(GNUTLS_CRD_SRP, NULL); - info = _gnutls_get_auth_info(session); - if (info == NULL) - return NULL; - return info->username; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return NULL; + return info->username; } /** @@ -624,43 +647,43 @@ const char *gnutls_srp_server_get_username(gnutls_session session) * binary format. * **/ -int gnutls_srp_verifier( const char* username, const char* password, - const gnutls_datum *salt, - const gnutls_datum* generator, const gnutls_datum* prime, - gnutls_datum * res) +int gnutls_srp_verifier(const char *username, const char *password, + const gnutls_datum * salt, + const gnutls_datum * generator, + const gnutls_datum * prime, gnutls_datum * res) { -GNUTLS_MPI _n, _g; -int ret; -size_t digest_size = 20, size; -opaque digest[20]; - - ret = _gnutls_calc_srp_sha( username, password, salt->data, - salt->size, &digest_size, digest); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - size = prime->size; - if (_gnutls_mpi_scan(&_n, prime->data, &size)) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - size = generator->size; - if (_gnutls_mpi_scan(&_g, generator->data, &size)) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - ret = _gnutls_srp_gx( digest, 20, &res->data, _g, _n, malloc); - if (ret < 0) { - gnutls_assert(); - return ret; - } - res->size = ret; - - return 0; + GNUTLS_MPI _n, _g; + int ret; + size_t digest_size = 20, size; + opaque digest[20]; + + ret = _gnutls_calc_srp_sha(username, password, salt->data, + salt->size, &digest_size, digest); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + size = prime->size; + if (_gnutls_mpi_scan(&_n, prime->data, &size)) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + size = generator->size; + if (_gnutls_mpi_scan(&_g, generator->data, &size)) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + ret = _gnutls_srp_gx(digest, 20, &res->data, _g, _n, malloc); + if (ret < 0) { + gnutls_assert(); + return ret; + } + res->size = ret; + + return 0; } -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/libextra/minilzo.c b/libextra/minilzo.c index 85771eb479..1790c0716a 100644 --- a/libextra/minilzo.c +++ b/libextra/minilzo.c @@ -331,10 +331,10 @@ extern "C" { # include <dos.h> # if 1 && defined(__WATCOMC__) # include <i86.h> - __LZO_EXTERN_C unsigned char _HShift; + __LZO_EXTERN_C unsigned char _HShift; # define __LZO_HShift _HShift # elif 1 && defined(_MSC_VER) - __LZO_EXTERN_C unsigned short __near _AHSHIFT; + __LZO_EXTERN_C unsigned short __near _AHSHIFT; # define __LZO_HShift ((unsigned) &_AHSHIFT) # elif defined(__LZO_WIN16) # define __LZO_HShift 3 @@ -351,9 +351,9 @@ extern "C" { #if !defined(lzo_ptrdiff_t) # if (UINT_MAX >= LZO_0xffffffffL) - typedef ptrdiff_t lzo_ptrdiff_t; + typedef ptrdiff_t lzo_ptrdiff_t; # else - typedef long lzo_ptrdiff_t; + typedef long lzo_ptrdiff_t; # endif #endif @@ -365,8 +365,8 @@ extern "C" { #if !defined(__LZO_HAVE_PTR_T) # if defined(SIZEOF_CHAR_P) && defined(SIZEOF_UNSIGNED_LONG) # if (SIZEOF_CHAR_P == SIZEOF_UNSIGNED_LONG) - typedef unsigned long lzo_ptr_t; - typedef long lzo_sptr_t; + typedef unsigned long lzo_ptr_t; + typedef long lzo_sptr_t; # define __LZO_HAVE_PTR_T # endif # endif @@ -374,8 +374,8 @@ extern "C" { #if !defined(__LZO_HAVE_PTR_T) # if defined(SIZEOF_CHAR_P) && defined(SIZEOF_UNSIGNED) # if (SIZEOF_CHAR_P == SIZEOF_UNSIGNED) - typedef unsigned int lzo_ptr_t; - typedef int lzo_sptr_t; + typedef unsigned int lzo_ptr_t; + typedef int lzo_sptr_t; # define __LZO_HAVE_PTR_T # endif # endif @@ -383,8 +383,8 @@ extern "C" { #if !defined(__LZO_HAVE_PTR_T) # if defined(SIZEOF_CHAR_P) && defined(SIZEOF_UNSIGNED_SHORT) # if (SIZEOF_CHAR_P == SIZEOF_UNSIGNED_SHORT) - typedef unsigned short lzo_ptr_t; - typedef short lzo_sptr_t; + typedef unsigned short lzo_ptr_t; + typedef short lzo_sptr_t; # define __LZO_HAVE_PTR_T # endif # endif @@ -393,8 +393,8 @@ extern "C" { # if defined(LZO_HAVE_CONFIG_H) || defined(SIZEOF_CHAR_P) # error "no suitable type for lzo_ptr_t" # else - typedef unsigned long lzo_ptr_t; - typedef long lzo_sptr_t; + typedef unsigned long lzo_ptr_t; + typedef long lzo_sptr_t; # define __LZO_HAVE_PTR_T # endif #endif @@ -417,52 +417,45 @@ extern "C" { #define PTR_DIFF(a,b) ((lzo_ptrdiff_t) (PTR(a) - PTR(b))) #define pd(a,b) ((lzo_uint) ((a)-(b))) -LZO_EXTERN(lzo_ptr_t) -__lzo_ptr_linear(const lzo_voidp ptr); - -typedef union -{ - char a_char; - unsigned char a_uchar; - short a_short; - unsigned short a_ushort; - int a_int; - unsigned int a_uint; - long a_long; - unsigned long a_ulong; - lzo_int a_lzo_int; - lzo_uint a_lzo_uint; - lzo_int32 a_lzo_int32; - lzo_uint32 a_lzo_uint32; - ptrdiff_t a_ptrdiff_t; - lzo_ptrdiff_t a_lzo_ptrdiff_t; - lzo_ptr_t a_lzo_ptr_t; - lzo_voidp a_lzo_voidp; - void * a_void_p; - lzo_bytep a_lzo_bytep; - lzo_bytepp a_lzo_bytepp; - lzo_uintp a_lzo_uintp; - lzo_uint * a_lzo_uint_p; - lzo_uint32p a_lzo_uint32p; - lzo_uint32 * a_lzo_uint32_p; - unsigned char * a_uchar_p; - char * a_char_p; -} -lzo_full_align_t; + LZO_EXTERN(lzo_ptr_t) __lzo_ptr_linear(const lzo_voidp ptr); + + typedef union { + char a_char; + unsigned char a_uchar; + short a_short; + unsigned short a_ushort; + int a_int; + unsigned int a_uint; + long a_long; + unsigned long a_ulong; + lzo_int a_lzo_int; + lzo_uint a_lzo_uint; + lzo_int32 a_lzo_int32; + lzo_uint32 a_lzo_uint32; + ptrdiff_t a_ptrdiff_t; + lzo_ptrdiff_t a_lzo_ptrdiff_t; + lzo_ptr_t a_lzo_ptr_t; + lzo_voidp a_lzo_voidp; + void *a_void_p; + lzo_bytep a_lzo_bytep; + lzo_bytepp a_lzo_bytepp; + lzo_uintp a_lzo_uintp; + lzo_uint *a_lzo_uint_p; + lzo_uint32p a_lzo_uint32p; + lzo_uint32 *a_lzo_uint32_p; + unsigned char *a_uchar_p; + char *a_char_p; + } lzo_full_align_t; #ifdef __cplusplus } #endif - #endif - #define LZO_DETERMINISTIC - #define LZO_DICT_USE_PTR #if defined(__LZO_DOS16) || defined(__LZO_WIN16) || defined(__LZO_STRICT_16BIT) # undef LZO_DICT_USE_PTR #endif - #if defined(LZO_DICT_USE_PTR) # define lzo_dict_t const lzo_bytep # define lzo_dict_p lzo_dict_t __LZO_MMODEL * @@ -470,20 +463,17 @@ lzo_full_align_t; # define lzo_dict_t lzo_uint # define lzo_dict_p lzo_dict_t __LZO_MMODEL * #endif - #if !defined(lzo_moff_t) #define lzo_moff_t lzo_uint #endif - #endif - -LZO_PUBLIC(lzo_ptr_t) -__lzo_ptr_linear(const lzo_voidp ptr) +LZO_PUBLIC(lzo_ptr_t) __lzo_ptr_linear(const lzo_voidp ptr) { lzo_ptr_t p; #if defined(__LZO_DOS16) || defined(__LZO_WIN16) - p = (((lzo_ptr_t)(_FP_SEG(ptr))) << (16 - __LZO_HShift)) + (_FP_OFF(ptr)); + p = (((lzo_ptr_t) (_FP_SEG(ptr))) << (16 - __LZO_HShift)) + + (_FP_OFF(ptr)); #else p = PTR_LINEAR(ptr); #endif @@ -492,7 +482,7 @@ __lzo_ptr_linear(const lzo_voidp ptr) } LZO_PUBLIC(unsigned) -__lzo_align_gap(const lzo_voidp ptr, lzo_uint size) + __lzo_align_gap(const lzo_voidp ptr, lzo_uint size) { lzo_ptr_t p, s, n; @@ -507,10 +497,10 @@ __lzo_align_gap(const lzo_voidp ptr, lzo_uint size) n = (((p + s) / size) * size) - p; #endif - assert((long)n >= 0); + assert((long) n >= 0); assert(n <= s); - return (unsigned)n; + return (unsigned) n; } #ifndef __LZO_UTIL_H @@ -609,25 +599,25 @@ __asm__ __volatile__( \ #if 0 #if defined(__GNUC__) && defined(__i386__) -unsigned char lzo_rotr8(unsigned char value, int shift); -extern __inline__ unsigned char lzo_rotr8(unsigned char value, int shift) -{ - unsigned char result; - - __asm__ __volatile__ ("movb %b1, %b0; rorb %b2, %b0" - : "=a"(result) : "g"(value), "c"(shift)); - return result; -} - -unsigned short lzo_rotr16(unsigned short value, int shift); -extern __inline__ unsigned short lzo_rotr16(unsigned short value, int shift) -{ - unsigned short result; - - __asm__ __volatile__ ("movw %b1, %b0; rorw %b2, %b0" - : "=a"(result) : "g"(value), "c"(shift)); - return result; -} + unsigned char lzo_rotr8(unsigned char value, int shift); + extern __inline__ unsigned char lzo_rotr8(unsigned char value, + int shift) { + unsigned char result; + + __asm__ + __volatile__("movb %b1, %b0; rorb %b2, %b0":"=a"(result):"g" + (value), "c"(shift)); + return result; + } unsigned short lzo_rotr16(unsigned short value, int shift); + extern __inline__ unsigned short lzo_rotr16(unsigned short value, + int shift) { + unsigned short result; + + __asm__ + __volatile__("movw %b1, %b0; rorw %b2, %b0":"=a"(result):"g" + (value), "c"(shift)); + return result; + } #endif #endif @@ -639,7 +629,7 @@ extern __inline__ unsigned short lzo_rotr16(unsigned short value, int shift) #endif LZO_PUBLIC(lzo_bool) -lzo_assert(int expr) + lzo_assert(int expr) { return (expr) ? 1 : 0; } @@ -705,8 +695,7 @@ const lzo_byte __lzo_copyright[] = #if defined(__LZO_IN_MINILZO) " __LZO_IN_MINILZO\n" #endif - "\n\n" - "$Id: LZO " LZO_VERSION_STRING " built " __DATE__ " " __TIME__ + "\n\n" "$Id: LZO " LZO_VERSION_STRING " built " __DATE__ " " __TIME__ #if defined(__GNUC__) && defined(__VERSION__) " by gcc " __VERSION__ #elif defined(__BORLANDC__) @@ -726,38 +715,37 @@ const lzo_byte __lzo_copyright[] = "$Copyright: LZO (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002 Markus Franz Xaver Johannes Oberhumer $\n"; #endif -LZO_PUBLIC(const lzo_byte *) -lzo_copyright(void) +LZO_PUBLIC(const lzo_byte *) lzo_copyright(void) { return __lzo_copyright; } LZO_PUBLIC(unsigned) -lzo_version(void) + lzo_version(void) { return LZO_VERSION; } LZO_PUBLIC(const char *) -lzo_version_string(void) + lzo_version_string(void) { return LZO_VERSION_STRING; } LZO_PUBLIC(const char *) -lzo_version_date(void) + lzo_version_date(void) { return LZO_VERSION_DATE; } LZO_PUBLIC(const lzo_charp) -_lzo_version_string(void) + _lzo_version_string(void) { return LZO_VERSION_STRING; } LZO_PUBLIC(const lzo_charp) -_lzo_version_date(void) + _lzo_version_date(void) { return LZO_VERSION_DATE; } @@ -772,7 +760,7 @@ _lzo_version_date(void) #define LZO_DO16(buf,i) LZO_DO8(buf,i); LZO_DO8(buf,i+8); LZO_PUBLIC(lzo_uint32) -lzo_adler32(lzo_uint32 adler, const lzo_byte *buf, lzo_uint len) + lzo_adler32(lzo_uint32 adler, const lzo_byte * buf, lzo_uint len) { lzo_uint32 s1 = adler & 0xffff; lzo_uint32 s2 = (adler >> 16) & 0xffff; @@ -781,21 +769,20 @@ lzo_adler32(lzo_uint32 adler, const lzo_byte *buf, lzo_uint len) if (buf == NULL) return 1; - while (len > 0) - { + while (len > 0) { k = len < LZO_NMAX ? (int) len : LZO_NMAX; len -= k; - if (k >= 16) do - { - LZO_DO16(buf,0); - buf += 16; - k -= 16; - } while (k >= 16); - if (k != 0) do - { - s1 += *buf++; - s2 += s1; - } while (--k > 0); + if (k >= 16) + do { + LZO_DO16(buf, 0); + buf += 16; + k -= 16; + } while (k >= 16); + if (k != 0) + do { + s1 += *buf++; + s2 += s1; + } while (--k > 0); s1 %= LZO_BASE; s2 %= LZO_BASE; } @@ -803,33 +790,33 @@ lzo_adler32(lzo_uint32 adler, const lzo_byte *buf, lzo_uint len) } LZO_PUBLIC(int) -lzo_memcmp(const lzo_voidp s1, const lzo_voidp s2, lzo_uint len) + lzo_memcmp(const lzo_voidp s1, const lzo_voidp s2, lzo_uint len) { #if (LZO_UINT_MAX <= SIZE_T_MAX) && defined(HAVE_MEMCMP) - return memcmp(s1,s2,len); + return memcmp(s1, s2, len); #else const lzo_byte *p1 = (const lzo_byte *) s1; const lzo_byte *p2 = (const lzo_byte *) s2; int d; - if (len > 0) do - { - d = *p1 - *p2; - if (d != 0) - return d; - p1++; - p2++; - } - while (--len > 0); + if (len > 0) + do { + d = *p1 - *p2; + if (d != 0) + return d; + p1++; + p2++; + } + while (--len > 0); return 0; #endif } LZO_PUBLIC(lzo_voidp) -lzo_memcpy(lzo_voidp dest, const lzo_voidp src, lzo_uint len) + lzo_memcpy(lzo_voidp dest, const lzo_voidp src, lzo_uint len) { #if (LZO_UINT_MAX <= SIZE_T_MAX) && defined(HAVE_MEMCPY) - return memcpy(dest,src,len); + return memcpy(dest, src, len); #else lzo_byte *p1 = (lzo_byte *) dest; const lzo_byte *p2 = (const lzo_byte *) src; @@ -844,10 +831,10 @@ lzo_memcpy(lzo_voidp dest, const lzo_voidp src, lzo_uint len) } LZO_PUBLIC(lzo_voidp) -lzo_memmove(lzo_voidp dest, const lzo_voidp src, lzo_uint len) + lzo_memmove(lzo_voidp dest, const lzo_voidp src, lzo_uint len) { #if (LZO_UINT_MAX <= SIZE_T_MAX) && defined(HAVE_MEMMOVE) - return memmove(dest,src,len); + return memmove(dest, src, len); #else lzo_byte *p1 = (lzo_byte *) dest; const lzo_byte *p2 = (const lzo_byte *) src; @@ -855,14 +842,11 @@ lzo_memmove(lzo_voidp dest, const lzo_voidp src, lzo_uint len) if (len <= 0 || p1 == p2) return dest; - if (p1 < p2) - { + if (p1 < p2) { do *p1++ = *p2++; while (--len > 0); - } - else - { + } else { p1 += len; p2 += len; do @@ -874,16 +858,17 @@ lzo_memmove(lzo_voidp dest, const lzo_voidp src, lzo_uint len) } LZO_PUBLIC(lzo_voidp) -lzo_memset(lzo_voidp s, int c, lzo_uint len) + lzo_memset(lzo_voidp s, int c, lzo_uint len) { #if (LZO_UINT_MAX <= SIZE_T_MAX) && defined(HAVE_MEMSET) - return memset(s,c,len); + return memset(s, c, len); #else lzo_byte *p = (lzo_byte *) s; - if (len > 0) do - *p++ = LZO_BYTE(c); - while (--len > 0); + if (len > 0) + do + *p++ = LZO_BYTE(c); + while (--len > 0); return s; #endif } @@ -906,12 +891,13 @@ static lzo_bool strength_reduce_bug(int *); static lzo_bool __lzo_assert_fail(const char *s, unsigned line) { #if defined(__palmos__) - printf("LZO assertion failed in line %u: '%s'\n",line,s); + printf("LZO assertion failed in line %u: '%s'\n", line, s); #else - fprintf(stderr,"LZO assertion failed in line %u: '%s'\n",line,s); + fprintf(stderr, "LZO assertion failed in line %u: '%s'\n", line, s); #endif return 0; } + # define __lzo_assert(x) ((x) ? 1 : __lzo_assert_fail(#x,__LINE__)) #else # define __lzo_assert(x) ((x) ? 1 : 0) @@ -997,16 +983,18 @@ static lzo_bool basic_integral_check(void) COMPILE_TIME_ASSERT(IS_SIGNED(lzo_int32)); COMPILE_TIME_ASSERT(IS_SIGNED(lzo_int)); - COMPILE_TIME_ASSERT(INT_MAX == LZO_STYPE_MAX(sizeof(int))); - COMPILE_TIME_ASSERT(UINT_MAX == LZO_UTYPE_MAX(sizeof(unsigned))); - COMPILE_TIME_ASSERT(LONG_MAX == LZO_STYPE_MAX(sizeof(long))); - COMPILE_TIME_ASSERT(ULONG_MAX == LZO_UTYPE_MAX(sizeof(unsigned long))); - COMPILE_TIME_ASSERT(SHRT_MAX == LZO_STYPE_MAX(sizeof(short))); - COMPILE_TIME_ASSERT(USHRT_MAX == LZO_UTYPE_MAX(sizeof(unsigned short))); - COMPILE_TIME_ASSERT(LZO_UINT32_MAX == LZO_UTYPE_MAX(sizeof(lzo_uint32))); - COMPILE_TIME_ASSERT(LZO_UINT_MAX == LZO_UTYPE_MAX(sizeof(lzo_uint))); + COMPILE_TIME_ASSERT(INT_MAX == LZO_STYPE_MAX(sizeof(int))); + COMPILE_TIME_ASSERT(UINT_MAX == LZO_UTYPE_MAX(sizeof(unsigned))); + COMPILE_TIME_ASSERT(LONG_MAX == LZO_STYPE_MAX(sizeof(long))); + COMPILE_TIME_ASSERT(ULONG_MAX == LZO_UTYPE_MAX(sizeof(unsigned long))); + COMPILE_TIME_ASSERT(SHRT_MAX == LZO_STYPE_MAX(sizeof(short))); + COMPILE_TIME_ASSERT(USHRT_MAX == + LZO_UTYPE_MAX(sizeof(unsigned short))); + COMPILE_TIME_ASSERT(LZO_UINT32_MAX == + LZO_UTYPE_MAX(sizeof(lzo_uint32))); + COMPILE_TIME_ASSERT(LZO_UINT_MAX == LZO_UTYPE_MAX(sizeof(lzo_uint))); #if !defined(__LZO_IN_MINILZO) - COMPILE_TIME_ASSERT(SIZE_T_MAX == LZO_UTYPE_MAX(sizeof(size_t))); + COMPILE_TIME_ASSERT(SIZE_T_MAX == LZO_UTYPE_MAX(sizeof(size_t))); #endif r &= __lzo_assert(LZO_BYTE(257) == 1); @@ -1068,85 +1056,86 @@ static lzo_bool ptr_check(void) for (i = 0; i < (int) sizeof(x); i++) x[i] = LZO_BYTE(i); - wrkmem = LZO_PTR_ALIGN_UP((lzo_byte *)_wrkmem,sizeof(lzo_full_align_t)); + wrkmem = + LZO_PTR_ALIGN_UP((lzo_byte *) _wrkmem, sizeof(lzo_full_align_t)); #if 0 dict = (lzo_bytepp) wrkmem; #else - u.a_lzo_bytep = wrkmem; dict = u.a_lzo_bytepp; + u.a_lzo_bytep = wrkmem; + dict = u.a_lzo_bytepp; #endif d = (long) ((const lzo_bytep) dict - (const lzo_bytep) _wrkmem); r &= __lzo_assert(d >= 0); r &= __lzo_assert(d < (long) sizeof(lzo_full_align_t)); - memset(&a,0,sizeof(a)); + memset(&a, 0, sizeof(a)); r &= __lzo_assert(a.a_lzo_voidp == NULL); - memset(&a,0xff,sizeof(a)); + memset(&a, 0xff, sizeof(a)); r &= __lzo_assert(a.a_ushort == USHRT_MAX); r &= __lzo_assert(a.a_uint == UINT_MAX); r &= __lzo_assert(a.a_ulong == ULONG_MAX); r &= __lzo_assert(a.a_lzo_uint == LZO_UINT_MAX); r &= __lzo_assert(a.a_lzo_uint32 == LZO_UINT32_MAX); - if (r == 1) - { + if (r == 1) { for (i = 0; i < 8; i++) - r &= __lzo_assert((const lzo_voidp) (&dict[i]) == (const lzo_voidp) (&wrkmem[i * sizeof(lzo_byte *)])); + r &= __lzo_assert((const lzo_voidp) (&dict[i]) == + (const + lzo_voidp) (&wrkmem[i * + sizeof(lzo_byte *)])); } - memset(&a,0,sizeof(a)); + memset(&a, 0, sizeof(a)); r &= __lzo_assert(a.a_char_p == NULL); r &= __lzo_assert(a.a_lzo_bytep == NULL); - r &= __lzo_assert(NULL == (void *)0); - if (r == 1) - { + r &= __lzo_assert(NULL == (void *) 0); + if (r == 1) { for (i = 0; i < 10; i++) dict[i] = wrkmem; - BZERO8_PTR(dict+1,sizeof(dict[0]),8); + BZERO8_PTR(dict + 1, sizeof(dict[0]), 8); r &= __lzo_assert(dict[0] == wrkmem); for (i = 1; i < 9; i++) r &= __lzo_assert(dict[i] == NULL); r &= __lzo_assert(dict[9] == wrkmem); } - if (r == 1) - { + if (r == 1) { unsigned k = 1; const unsigned n = (unsigned) sizeof(lzo_uint32); lzo_byte *p0; lzo_byte *p1; - k += __lzo_align_gap(&x[k],n); - p0 = (lzo_bytep) &x[k]; + k += __lzo_align_gap(&x[k], n); + p0 = (lzo_bytep) & x[k]; #if defined(PTR_LINEAR) - r &= __lzo_assert((PTR_LINEAR(p0) & (n-1)) == 0); + r &= __lzo_assert((PTR_LINEAR(p0) & (n - 1)) == 0); #else r &= __lzo_assert(n == 4); r &= __lzo_assert(PTR_ALIGNED_4(p0)); #endif r &= __lzo_assert(k >= 1); - p1 = (lzo_bytep) &x[1]; - r &= __lzo_assert(PTR_GE(p0,p1)); + p1 = (lzo_bytep) & x[1]; + r &= __lzo_assert(PTR_GE(p0, p1)); - r &= __lzo_assert(k < 1+n); - p1 = (lzo_bytep) &x[1+n]; - r &= __lzo_assert(PTR_LT(p0,p1)); + r &= __lzo_assert(k < 1 + n); + p1 = (lzo_bytep) & x[1 + n]; + r &= __lzo_assert(PTR_LT(p0, p1)); - if (r == 1) - { + if (r == 1) { lzo_uint32 v0, v1; #if 0 - v0 = * (lzo_uint32 *) &x[k]; - v1 = * (lzo_uint32 *) &x[k+n]; + v0 = *(lzo_uint32 *) & x[k]; + v1 = *(lzo_uint32 *) & x[k + n]; #else u.a_uchar_p = &x[k]; v0 = *u.a_lzo_uint32_p; - u.a_uchar_p = &x[k+n]; + u.a_uchar_p = &x[k + n]; v1 = *u.a_lzo_uint32_p; #endif r &= __lzo_assert(v0 > 0); @@ -1158,7 +1147,7 @@ static lzo_bool ptr_check(void) } LZO_PUBLIC(int) -_lzo_config_check(void) + _lzo_config_check(void) { lzo_bool r = 1; int i; @@ -1166,17 +1155,19 @@ _lzo_config_check(void) lzo_uint32 a; unsigned short b; lzo_uint32 aa[4]; - unsigned char x[4*sizeof(lzo_full_align_t)]; - } u; + unsigned char x[4 * sizeof(lzo_full_align_t)]; + } + u; - COMPILE_TIME_ASSERT( (int) ((unsigned char) ((signed char) -1)) == 255); - COMPILE_TIME_ASSERT( (((unsigned char)128) << (int)(8*sizeof(int)-8)) < 0); + COMPILE_TIME_ASSERT((int) ((unsigned char) ((signed char) -1)) == 255); + COMPILE_TIME_ASSERT((((unsigned char) 128) << + (int) (8 * sizeof(int) - 8)) < 0); #if 0 - r &= __lzo_assert((const void *)&u == (const void *)&u.a); - r &= __lzo_assert((const void *)&u == (const void *)&u.b); - r &= __lzo_assert((const void *)&u == (const void *)&u.x[0]); - r &= __lzo_assert((const void *)&u == (const void *)&u.aa[0]); + r &= __lzo_assert((const void *) &u == (const void *) &u.a); + r &= __lzo_assert((const void *) &u == (const void *) &u.b); + r &= __lzo_assert((const void *) &u == (const void *) &u.x[0]); + r &= __lzo_assert((const void *) &u == (const void *) &u.aa[0]); #endif r &= basic_integral_check(); @@ -1184,13 +1175,13 @@ _lzo_config_check(void) if (r != 1) return LZO_E_ERROR; - u.a = 0; u.b = 0; + u.a = 0; + u.b = 0; for (i = 0; i < (int) sizeof(u.x); i++) u.x[i] = LZO_BYTE(i); #if defined(LZO_BYTE_ORDER) - if (r == 1) - { + if (r == 1) { # if (LZO_BYTE_ORDER == LZO_LITTLE_ENDIAN) lzo_uint32 a = (lzo_uint32) (u.a & LZO_0xffffffffL); unsigned short b = (unsigned short) (u.b & 0xffff); @@ -1209,12 +1200,11 @@ _lzo_config_check(void) #if defined(LZO_UNALIGNED_OK_2) COMPILE_TIME_ASSERT(sizeof(short) == 2); - if (r == 1) - { + if (r == 1) { unsigned short b[4]; for (i = 0; i < 4; i++) - b[i] = * (const unsigned short *) &u.x[i]; + b[i] = *(const unsigned short *) &u.x[i]; # if (LZO_BYTE_ORDER == LZO_LITTLE_ENDIAN) r &= __lzo_assert(b[0] == 0x0100); @@ -1232,12 +1222,11 @@ _lzo_config_check(void) #if defined(LZO_UNALIGNED_OK_4) COMPILE_TIME_ASSERT(sizeof(lzo_uint32) == 4); - if (r == 1) - { + if (r == 1) { lzo_uint32 a[4]; for (i = 0; i < 4; i++) - a[i] = * (const lzo_uint32 *) &u.x[i]; + a[i] = *(const lzo_uint32 *) &u.x[i]; # if (LZO_BYTE_ORDER == LZO_LITTLE_ENDIAN) r &= __lzo_assert(a[0] == 0x03020100L); @@ -1260,8 +1249,7 @@ _lzo_config_check(void) COMPILE_TIME_ASSERT(lzo_sizeof_dict_t == sizeof(lzo_dict_t)); #if defined(__LZO_IN_MINLZO) - if (r == 1) - { + if (r == 1) { lzo_uint32 adler; adler = lzo_adler32(0, NULL, 0); adler = lzo_adler32(adler, lzo_copyright(), 200); @@ -1269,24 +1257,21 @@ _lzo_config_check(void) } #endif - if (r == 1) - { + if (r == 1) { r &= __lzo_assert(!schedule_insns_bug()); } - if (r == 1) - { + if (r == 1) { static int x[3]; static unsigned xn = 3; register unsigned j; for (j = 0; j < xn; j++) - x[j] = (int)j - 3; + x[j] = (int) j - 3; r &= __lzo_assert(!strength_reduce_bug(x)); } - if (r == 1) - { + if (r == 1) { r &= ptr_check(); } @@ -1298,7 +1283,7 @@ static lzo_bool schedule_insns_bug(void) #if defined(__LZO_CHECKER) return 0; #else - const int clone[] = {1, 2, 0}; + const int clone[] = { 1, 2, 0 }; const int *q; q = clone; return (*q) ? 0 : 1; @@ -1316,7 +1301,7 @@ int __lzo_init_done = 0; LZO_PUBLIC(int) __lzo_init2(unsigned v, int s1, int s2, int s3, int s4, int s5, - int s6, int s7, int s8, int s9) + int s6, int s7, int s8, int s9) { int r; @@ -1347,14 +1332,16 @@ __lzo_init2(unsigned v, int s1, int s2, int s3, int s4, int s5, #if !defined(__LZO_IN_MINILZO) LZO_EXTERN(int) -__lzo_init(unsigned v,int s1,int s2,int s3,int s4,int s5,int s6,int s7); + __lzo_init(unsigned v, int s1, int s2, int s3, int s4, int s5, int s6, + int s7); LZO_PUBLIC(int) -__lzo_init(unsigned v,int s1,int s2,int s3,int s4,int s5,int s6,int s7) +__lzo_init(unsigned v, int s1, int s2, int s3, int s4, int s5, int s6, + int s7) { if (v == 0 || v > 0x1010) return LZO_E_ERROR; - return __lzo_init2(v,s1,s2,s3,s4,s5,-1,-1,s6,s7); + return __lzo_init2(v, s1, s2, s3, s4, s5, -1, -1, s6, s7); } #endif @@ -1561,12 +1548,11 @@ extern "C" { #if !defined(DVAL_ASSERT) #if defined(__LZO_HASH_INCREMENTAL) && !defined(NDEBUG) -static void DVAL_ASSERT(lzo_uint32 dv, const lzo_byte *p) -{ - lzo_uint32 df; - DVAL_FIRST(df,(p)); - assert(DINDEX(dv,p) == DINDEX(df,p)); -} + static void DVAL_ASSERT(lzo_uint32 dv, const lzo_byte * p) { + lzo_uint32 df; + DVAL_FIRST(df, (p)); + assert(DINDEX(dv, p) == DINDEX(df, p)); + } #else # define DVAL_ASSERT(dv,p) ((void) 0) #endif @@ -1631,19 +1617,13 @@ static void DVAL_ASSERT(lzo_uint32 dv, const lzo_byte *p) #ifdef __cplusplus } #endif - #endif - #endif - #endif - #define DO_COMPRESS lzo1x_1_compress - static -lzo_uint do_compress ( const lzo_byte *in , lzo_uint in_len, - lzo_byte *out, lzo_uintp out_len, - lzo_voidp wrkmem ) +lzo_uint do_compress(const lzo_byte * in, lzo_uint in_len, + lzo_byte * out, lzo_uintp out_len, lzo_voidp wrkmem) { #if 0 && defined(__GNUC__) && defined(__i386__) register const lzo_byte *ip __asm__("%esi"); @@ -1651,8 +1631,8 @@ lzo_uint do_compress ( const lzo_byte *in , lzo_uint in_len, register const lzo_byte *ip; #endif lzo_byte *op; - const lzo_byte * const in_end = in + in_len; - const lzo_byte * const ip_end = in + in_len - M2_MAX_LEN - 5; + const lzo_byte *const in_end = in + in_len; + const lzo_byte *const ip_end = in + in_len - M2_MAX_LEN - 5; const lzo_byte *ii; lzo_dict_p const dict = (lzo_dict_p) wrkmem; @@ -1661,8 +1641,7 @@ lzo_uint do_compress ( const lzo_byte *in , lzo_uint in_len, ii = ip; ip += 4; - for (;;) - { + for (;;) { #if 0 && defined(__GNUC__) && defined(__i386__) register const lzo_byte *m_pos __asm__("%edi"); #else @@ -1672,51 +1651,48 @@ lzo_uint do_compress ( const lzo_byte *in , lzo_uint in_len, lzo_uint m_len; lzo_uint dindex; - DINDEX1(dindex,ip); - GINDEX(m_pos,m_off,dict,dindex,in); - if (LZO_CHECK_MPOS_NON_DET(m_pos,m_off,in,ip,M4_MAX_OFFSET)) + DINDEX1(dindex, ip); + GINDEX(m_pos, m_off, dict, dindex, in); + if (LZO_CHECK_MPOS_NON_DET(m_pos, m_off, in, ip, M4_MAX_OFFSET)) goto literal; #if 1 if (m_off <= M2_MAX_OFFSET || m_pos[3] == ip[3]) goto try_match; - DINDEX2(dindex,ip); + DINDEX2(dindex, ip); #endif - GINDEX(m_pos,m_off,dict,dindex,in); - if (LZO_CHECK_MPOS_NON_DET(m_pos,m_off,in,ip,M4_MAX_OFFSET)) + GINDEX(m_pos, m_off, dict, dindex, in); + if (LZO_CHECK_MPOS_NON_DET(m_pos, m_off, in, ip, M4_MAX_OFFSET)) goto literal; if (m_off <= M2_MAX_OFFSET || m_pos[3] == ip[3]) goto try_match; goto literal; -try_match: + try_match: #if 1 && defined(LZO_UNALIGNED_OK_2) - if (* (const lzo_ushortp) m_pos != * (const lzo_ushortp) ip) + if (*(const lzo_ushortp) m_pos != *(const lzo_ushortp) ip) #else if (m_pos[0] != ip[0] || m_pos[1] != ip[1]) #endif { - } - else - { - if (m_pos[2] == ip[2]) - { + } else { + if (m_pos[2] == ip[2]) { #if 0 if (m_off <= M2_MAX_OFFSET) goto match; if (lit <= 3) goto match; - if (lit == 3) - { - assert(op - 2 > out); op[-2] |= LZO_BYTE(3); - *op++ = *ii++; *op++ = *ii++; *op++ = *ii++; + if (lit == 3) { + assert(op - 2 > out); + op[-2] |= LZO_BYTE(3); + *op++ = *ii++; + *op++ = *ii++; + *op++ = *ii++; goto code_match; } if (m_pos[3] == ip[3]) #endif goto match; - } - else - { + } else { #if 0 #if 0 if (m_off <= M1_MAX_OFFSET && lit > 0 && lit <= 3) @@ -1727,8 +1703,11 @@ try_match: register lzo_uint t; t = lit; - assert(op - 2 > out); op[-2] |= LZO_BYTE(t); - do *op++ = *ii++; while (--t > 0); + assert(op - 2 > out); + op[-2] |= LZO_BYTE(t); + do + *op++ = *ii++; + while (--t > 0); assert(ii == ip); m_off -= 1; *op++ = LZO_BYTE(M1_MARKER | ((m_off & 3) << 2)); @@ -1740,40 +1719,37 @@ try_match: } } -literal: - UPDATE_I(dict,0,dindex,ip,in); + literal: + UPDATE_I(dict, 0, dindex, ip, in); ++ip; if (ip >= ip_end) break; continue; -match: - UPDATE_I(dict,0,dindex,ip,in); - if (pd(ip,ii) > 0) - { - register lzo_uint t = pd(ip,ii); + match: + UPDATE_I(dict, 0, dindex, ip, in); + if (pd(ip, ii) > 0) { + register lzo_uint t = pd(ip, ii); - if (t <= 3) - { + if (t <= 3) { assert(op - 2 > out); op[-2] |= LZO_BYTE(t); - } - else if (t <= 18) + } else if (t <= 18) *op++ = LZO_BYTE(t - 3); - else - { + else { register lzo_uint tt = t - 18; *op++ = 0; - while (tt > 255) - { + while (tt > 255) { tt -= 255; *op++ = 0; } assert(tt > 0); *op++ = LZO_BYTE(tt); } - do *op++ = *ii++; while (--t > 0); + do + *op++ = *ii++; + while (--t > 0); } assert(ii == ip); @@ -1781,17 +1757,17 @@ match: if (m_pos[3] != *ip++ || m_pos[4] != *ip++ || m_pos[5] != *ip++ || m_pos[6] != *ip++ || m_pos[7] != *ip++ || m_pos[8] != *ip++ #ifdef LZO1Y - || m_pos[ 9] != *ip++ || m_pos[10] != *ip++ || m_pos[11] != *ip++ - || m_pos[12] != *ip++ || m_pos[13] != *ip++ || m_pos[14] != *ip++ + || m_pos[9] != *ip++ || m_pos[10] != *ip++ + || m_pos[11] != *ip++ || m_pos[12] != *ip++ + || m_pos[13] != *ip++ || m_pos[14] != *ip++ #endif - ) - { + ) { --ip; m_len = ip - ii; - assert(m_len >= 3); assert(m_len <= M2_MAX_LEN); + assert(m_len >= 3); + assert(m_len <= M2_MAX_LEN); - if (m_off <= M2_MAX_OFFSET) - { + if (m_off <= M2_MAX_OFFSET) { m_off -= 1; #if defined(LZO1X) *op++ = LZO_BYTE(((m_len - 1) << 5) | ((m_off & 7) << 2)); @@ -1800,18 +1776,16 @@ match: *op++ = LZO_BYTE(((m_len + 1) << 4) | ((m_off & 3) << 2)); *op++ = LZO_BYTE(m_off >> 2); #endif - } - else if (m_off <= M3_MAX_OFFSET) - { + } else if (m_off <= M3_MAX_OFFSET) { m_off -= 1; *op++ = LZO_BYTE(M3_MARKER | (m_len - 2)); goto m3_m4_offset; - } - else + } else #if defined(LZO1X) { m_off -= 0x4000; - assert(m_off > 0); assert(m_off <= 0x7fff); + assert(m_off > 0); + assert(m_off <= 0x7fff); *op++ = LZO_BYTE(M4_MARKER | ((m_off & 0x4000) >> 11) | (m_len - 2)); goto m3_m4_offset; @@ -1819,9 +1793,7 @@ match: #elif defined(LZO1Y) goto m4_match; #endif - } - else - { + } else { { const lzo_byte *end = in_end; const lzo_byte *m = m_pos + M2_MAX_LEN + 1; @@ -1831,35 +1803,31 @@ match: } assert(m_len > M2_MAX_LEN); - if (m_off <= M3_MAX_OFFSET) - { + if (m_off <= M3_MAX_OFFSET) { m_off -= 1; if (m_len <= 33) *op++ = LZO_BYTE(M3_MARKER | (m_len - 2)); - else - { + else { m_len -= 33; *op++ = M3_MARKER | 0; goto m3_m4_len; } - } - else - { + } else { #if defined(LZO1Y) -m4_match: + m4_match: #endif m_off -= 0x4000; - assert(m_off > 0); assert(m_off <= 0x7fff); + assert(m_off > 0); + assert(m_off <= 0x7fff); if (m_len <= M4_MAX_LEN) *op++ = LZO_BYTE(M4_MARKER | - ((m_off & 0x4000) >> 11) | (m_len - 2)); - else - { + ((m_off & 0x4000) >> 11) | (m_len - + 2)); + else { m_len -= M4_MAX_LEN; *op++ = LZO_BYTE(M4_MARKER | ((m_off & 0x4000) >> 11)); -m3_m4_len: - while (m_len > 255) - { + m3_m4_len: + while (m_len > 255) { m_len -= 255; *op++ = 0; } @@ -1868,13 +1836,13 @@ m3_m4_len: } } -m3_m4_offset: + m3_m4_offset: *op++ = LZO_BYTE((m_off & 63) << 2); *op++ = LZO_BYTE(m_off >> 6); } #if 0 -match_done: + match_done: #endif ii = ip; if (ip >= ip_end) @@ -1882,32 +1850,30 @@ match_done: } *out_len = op - out; - return pd(in_end,ii); + return pd(in_end, ii); } LZO_PUBLIC(int) -DO_COMPRESS ( const lzo_byte *in , lzo_uint in_len, - lzo_byte *out, lzo_uintp out_len, - lzo_voidp wrkmem ) + DO_COMPRESS(const lzo_byte * in, lzo_uint in_len, + lzo_byte * out, lzo_uintp out_len, lzo_voidp wrkmem) { lzo_byte *op = out; lzo_uint t; #if defined(__LZO_QUERY_COMPRESS) - if (__LZO_IS_COMPRESS_QUERY(in,in_len,out,out_len,wrkmem)) - return __LZO_QUERY_COMPRESS(in,in_len,out,out_len,wrkmem,D_SIZE,lzo_sizeof(lzo_dict_t)); + if (__LZO_IS_COMPRESS_QUERY(in, in_len, out, out_len, wrkmem)) + return __LZO_QUERY_COMPRESS(in, in_len, out, out_len, wrkmem, + D_SIZE, lzo_sizeof(lzo_dict_t)); #endif if (in_len <= M2_MAX_LEN + 5) t = in_len; - else - { - t = do_compress(in,in_len,op,out_len,wrkmem); + else { + t = do_compress(in, in_len, op, out_len, wrkmem); op += *out_len; } - if (t > 0) - { + if (t > 0) { const lzo_byte *ii = in + in_len - t; if (op == out && t <= 238) @@ -1916,20 +1882,20 @@ DO_COMPRESS ( const lzo_byte *in , lzo_uint in_len, op[-2] |= LZO_BYTE(t); else if (t <= 18) *op++ = LZO_BYTE(t - 3); - else - { + else { lzo_uint tt = t - 18; *op++ = 0; - while (tt > 255) - { + while (tt > 255) { tt -= 255; *op++ = 0; } assert(tt > 0); *op++ = LZO_BYTE(tt); } - do *op++ = *ii++; while (--t > 0); + do + *op++ = *ii++; + while (--t > 0); } *op++ = M4_MARKER | 1; @@ -2047,9 +2013,8 @@ DO_COMPRESS ( const lzo_byte *in , lzo_uint in_len, #if defined(DO_DECOMPRESS) LZO_PUBLIC(int) -DO_DECOMPRESS ( const lzo_byte *in , lzo_uint in_len, - lzo_byte *out, lzo_uintp out_len, - lzo_voidp wrkmem ) + DO_DECOMPRESS(const lzo_byte * in, lzo_uint in_len, + lzo_byte * out, lzo_uintp out_len, lzo_voidp wrkmem) #endif { register lzo_byte *op; @@ -2062,9 +2027,9 @@ DO_DECOMPRESS ( const lzo_byte *in , lzo_uint in_len, register const lzo_byte *m_pos; #endif - const lzo_byte * const ip_end = in + in_len; + const lzo_byte *const ip_end = in + in_len; #if defined(HAVE_ANY_OP) - lzo_byte * const op_end = out + *out_len; + lzo_byte *const op_end = out + *out_len; #endif #if defined(LZO1Z) lzo_uint last_m_off = 0; @@ -2073,22 +2038,19 @@ DO_DECOMPRESS ( const lzo_byte *in , lzo_uint in_len, LZO_UNUSED(wrkmem); #if defined(__LZO_QUERY_DECOMPRESS) - if (__LZO_IS_DECOMPRESS_QUERY(in,in_len,out,out_len,wrkmem)) - return __LZO_QUERY_DECOMPRESS(in,in_len,out,out_len,wrkmem,0,0); + if (__LZO_IS_DECOMPRESS_QUERY(in, in_len, out, out_len, wrkmem)) + return __LZO_QUERY_DECOMPRESS(in, in_len, out, out_len, wrkmem, 0, + 0); #endif #if defined(COPY_DICT) - if (dict) - { - if (dict_len > M4_MAX_OFFSET) - { + if (dict) { + if (dict_len > M4_MAX_OFFSET) { dict += dict_len - M4_MAX_OFFSET; dict_len = M4_MAX_OFFSET; } dict_end = dict + dict_len; - } - else - { + } else { dict_len = 0; dict_end = NULL; } @@ -2099,66 +2061,75 @@ DO_DECOMPRESS ( const lzo_byte *in , lzo_uint in_len, op = out; ip = in; - if (*ip > 17) - { + if (*ip > 17) { t = *ip++ - 17; if (t < 4) goto match_next; - assert(t > 0); NEED_OP(t); NEED_IP(t+1); - do *op++ = *ip++; while (--t > 0); + assert(t > 0); + NEED_OP(t); + NEED_IP(t + 1); + do + *op++ = *ip++; + while (--t > 0); goto first_literal_run; } - while (TEST_IP && TEST_OP) - { + while (TEST_IP && TEST_OP) { t = *ip++; if (t >= 16) goto match; - if (t == 0) - { + if (t == 0) { NEED_IP(1); - while (*ip == 0) - { + while (*ip == 0) { t += 255; ip++; NEED_IP(1); } t += 15 + *ip++; } - assert(t > 0); NEED_OP(t+3); NEED_IP(t+4); + assert(t > 0); + NEED_OP(t + 3); + NEED_IP(t + 4); #if defined(LZO_UNALIGNED_OK_4) || defined(LZO_ALIGNED_OK_4) #if !defined(LZO_UNALIGNED_OK_4) - if (PTR_ALIGNED2_4(op,ip)) - { -#endif - COPY4(op,ip); - op += 4; ip += 4; - if (--t > 0) - { - if (t >= 4) - { - do { - COPY4(op,ip); - op += 4; ip += 4; t -= 4; - } while (t >= 4); - if (t > 0) do *op++ = *ip++; while (--t > 0); + if (PTR_ALIGNED2_4(op, ip)) { +#endif + COPY4(op, ip); + op += 4; + ip += 4; + if (--t > 0) { + if (t >= 4) { + do { + COPY4(op, ip); + op += 4; + ip += 4; + t -= 4; + } while (t >= 4); + if (t > 0) + do + *op++ = *ip++; + while (--t > 0); + } else + do + *op++ = *ip++; + while (--t > 0); } - else - do *op++ = *ip++; while (--t > 0); - } #if !defined(LZO_UNALIGNED_OK_4) - } - else + } else #endif #endif #if !defined(LZO_UNALIGNED_OK_4) { - *op++ = *ip++; *op++ = *ip++; *op++ = *ip++; - do *op++ = *ip++; while (--t > 0); + *op++ = *ip++; + *op++ = *ip++; + *op++ = *ip++; + do + *op++ = *ip++; + while (--t > 0); } #endif -first_literal_run: + first_literal_run: t = *ip++; if (t >= 16) @@ -2171,7 +2142,8 @@ first_literal_run: m_off = (1 + M2_MAX_OFFSET) + (t >> 2) + (*ip++ << 2); #endif NEED_OP(3); - t = 3; COPY_DICT(t,m_off) + t = 3; + COPY_DICT(t, m_off) #else #if defined(LZO1Z) t = (1 + M2_MAX_OFFSET) + (t << 6) + (*ip++ >> 2); @@ -2182,16 +2154,17 @@ first_literal_run: m_pos -= t >> 2; m_pos -= *ip++ << 2; #endif - TEST_LOOKBEHIND(m_pos,out); NEED_OP(3); - *op++ = *m_pos++; *op++ = *m_pos++; *op++ = *m_pos; + TEST_LOOKBEHIND(m_pos, out); + NEED_OP(3); + *op++ = *m_pos++; + *op++ = *m_pos++; + *op++ = *m_pos; #endif goto match_done; - while (TEST_IP && TEST_OP) - { -match: - if (t >= 64) - { + while (TEST_IP && TEST_OP) { + match: + if (t >= 64) { #if defined(COPY_DICT) #if defined(LZO1X) m_off = 1 + ((t >> 2) & 7) + (*ip++ << 3); @@ -2203,8 +2176,7 @@ match: m_off = t & 0x1f; if (m_off >= 0x1c) m_off = last_m_off; - else - { + else { m_off = 1 + (m_off << 6) + (*ip++ >> 2); last_m_off = m_off; } @@ -2225,13 +2197,10 @@ match: { lzo_uint off = t & 0x1f; m_pos = op; - if (off >= 0x1c) - { + if (off >= 0x1c) { assert(last_m_off > 0); m_pos -= last_m_off; - } - else - { + } else { off = 1 + (off << 6) + (*ip++ >> 2); m_pos -= off; last_m_off = off; @@ -2239,18 +2208,16 @@ match: } t = (t >> 5) - 1; #endif - TEST_LOOKBEHIND(m_pos,out); assert(t > 0); NEED_OP(t+3-1); + TEST_LOOKBEHIND(m_pos, out); + assert(t > 0); + NEED_OP(t + 3 - 1); goto copy_match; #endif - } - else if (t >= 32) - { + } else if (t >= 32) { t &= 31; - if (t == 0) - { + if (t == 0) { NEED_IP(1); - while (*ip == 0) - { + while (*ip == 0) { t += 255; ip++; NEED_IP(1); @@ -2273,16 +2240,14 @@ match: } #elif defined(LZO_UNALIGNED_OK_2) && (LZO_BYTE_ORDER == LZO_LITTLE_ENDIAN) m_pos = op - 1; - m_pos -= (* (const lzo_ushortp) ip) >> 2; + m_pos -= (*(const lzo_ushortp) ip) >> 2; #else m_pos = op - 1; m_pos -= (ip[0] >> 2) + (ip[1] << 6); #endif #endif ip += 2; - } - else if (t >= 16) - { + } else if (t >= 16) { #if defined(COPY_DICT) m_off = (t & 8) << 11; #else @@ -2290,11 +2255,9 @@ match: m_pos -= (t & 8) << 11; #endif t &= 7; - if (t == 0) - { + if (t == 0) { NEED_IP(1); - while (*ip == 0) - { + while (*ip == 0) { t += 255; ip++; NEED_IP(1); @@ -2318,7 +2281,7 @@ match: #if defined(LZO1Z) m_pos -= (ip[0] << 6) + (ip[1] >> 2); #elif defined(LZO_UNALIGNED_OK_2) && (LZO_BYTE_ORDER == LZO_LITTLE_ENDIAN) - m_pos -= (* (const lzo_ushortp) ip) >> 2; + m_pos -= (*(const lzo_ushortp) ip) >> 2; #else m_pos -= (ip[0] >> 2) + (ip[1] << 6); #endif @@ -2330,9 +2293,7 @@ match: last_m_off = op - m_pos; #endif #endif - } - else - { + } else { #if defined(COPY_DICT) #if defined(LZO1Z) m_off = 1 + (t << 6) + (*ip++ >> 2); @@ -2341,7 +2302,8 @@ match: m_off = 1 + (t >> 2) + (*ip++ << 2); #endif NEED_OP(2); - t = 2; COPY_DICT(t,m_off) + t = 2; + COPY_DICT(t, m_off) #else #if defined(LZO1Z) t = 1 + (t << 6) + (*ip++ >> 2); @@ -2352,48 +2314,59 @@ match: m_pos -= t >> 2; m_pos -= *ip++ << 2; #endif - TEST_LOOKBEHIND(m_pos,out); NEED_OP(2); - *op++ = *m_pos++; *op++ = *m_pos; + TEST_LOOKBEHIND(m_pos, out); + NEED_OP(2); + *op++ = *m_pos++; + *op++ = *m_pos; #endif goto match_done; } #if defined(COPY_DICT) - NEED_OP(t+3-1); - t += 3-1; COPY_DICT(t,m_off) - + NEED_OP(t + 3 - 1); + t += 3 - 1; + COPY_DICT(t, m_off) #else - TEST_LOOKBEHIND(m_pos,out); assert(t > 0); NEED_OP(t+3-1); + TEST_LOOKBEHIND(m_pos, out); + assert(t > 0); + NEED_OP(t + 3 - 1); #if defined(LZO_UNALIGNED_OK_4) || defined(LZO_ALIGNED_OK_4) #if !defined(LZO_UNALIGNED_OK_4) - if (t >= 2 * 4 - (3 - 1) && PTR_ALIGNED2_4(op,m_pos)) - { + if (t >= 2 * 4 - (3 - 1) && PTR_ALIGNED2_4(op, m_pos)) { assert((op - m_pos) >= 4); #else - if (t >= 2 * 4 - (3 - 1) && (op - m_pos) >= 4) - { + if (t >= 2 * 4 - (3 - 1) && (op - m_pos) >= 4) { #endif - COPY4(op,m_pos); - op += 4; m_pos += 4; t -= 4 - (3 - 1); + COPY4(op, m_pos); + op += 4; + m_pos += 4; + t -= 4 - (3 - 1); do { - COPY4(op,m_pos); - op += 4; m_pos += 4; t -= 4; + COPY4(op, m_pos); + op += 4; + m_pos += 4; + t -= 4; } while (t >= 4); - if (t > 0) do *op++ = *m_pos++; while (--t > 0); - } - else + if (t > 0) + do + *op++ = *m_pos++; + while (--t > 0); + } else #endif { -copy_match: - *op++ = *m_pos++; *op++ = *m_pos++; - do *op++ = *m_pos++; while (--t > 0); + copy_match: + *op++ = *m_pos++; + *op++ = *m_pos++; + do + *op++ = *m_pos++; + while (--t > 0); } #endif -match_done: + match_done: #if defined(LZO1Z) t = ip[-1] & 3; #else @@ -2402,9 +2375,13 @@ match_done: if (t == 0) break; -match_next: - assert(t > 0); NEED_OP(t); NEED_IP(t+1); - do *op++ = *ip++; while (--t > 0); + match_next: + assert(t > 0); + NEED_OP(t); + NEED_IP(t + 1); + do + *op++ = *ip++; + while (--t > 0); t = *ip++; } } @@ -2414,26 +2391,27 @@ match_next: return LZO_E_EOF_NOT_FOUND; #endif -eof_found: + eof_found: assert(t == 1); *out_len = op - out; return (ip == ip_end ? LZO_E_OK : - (ip < ip_end ? LZO_E_INPUT_NOT_CONSUMED : LZO_E_INPUT_OVERRUN)); + (ip < + ip_end ? LZO_E_INPUT_NOT_CONSUMED : LZO_E_INPUT_OVERRUN)); #if defined(HAVE_NEED_IP) -input_overrun: + input_overrun: *out_len = op - out; return LZO_E_INPUT_OVERRUN; #endif #if defined(HAVE_NEED_OP) -output_overrun: + output_overrun: *out_len = op - out; return LZO_E_OUTPUT_OVERRUN; #endif #if defined(LZO_TEST_DECOMPRESS_OVERRUN_LOOKBEHIND) -lookbehind_overrun: + lookbehind_overrun: *out_len = op - out; return LZO_E_LOOKBEHIND_OVERRUN; #endif @@ -2539,9 +2517,8 @@ lookbehind_overrun: #if defined(DO_DECOMPRESS) LZO_PUBLIC(int) -DO_DECOMPRESS ( const lzo_byte *in , lzo_uint in_len, - lzo_byte *out, lzo_uintp out_len, - lzo_voidp wrkmem ) + DO_DECOMPRESS(const lzo_byte * in, lzo_uint in_len, + lzo_byte * out, lzo_uintp out_len, lzo_voidp wrkmem) #endif { register lzo_byte *op; @@ -2554,9 +2531,9 @@ DO_DECOMPRESS ( const lzo_byte *in , lzo_uint in_len, register const lzo_byte *m_pos; #endif - const lzo_byte * const ip_end = in + in_len; + const lzo_byte *const ip_end = in + in_len; #if defined(HAVE_ANY_OP) - lzo_byte * const op_end = out + *out_len; + lzo_byte *const op_end = out + *out_len; #endif #if defined(LZO1Z) lzo_uint last_m_off = 0; @@ -2565,22 +2542,19 @@ DO_DECOMPRESS ( const lzo_byte *in , lzo_uint in_len, LZO_UNUSED(wrkmem); #if defined(__LZO_QUERY_DECOMPRESS) - if (__LZO_IS_DECOMPRESS_QUERY(in,in_len,out,out_len,wrkmem)) - return __LZO_QUERY_DECOMPRESS(in,in_len,out,out_len,wrkmem,0,0); + if (__LZO_IS_DECOMPRESS_QUERY(in, in_len, out, out_len, wrkmem)) + return __LZO_QUERY_DECOMPRESS(in, in_len, out, out_len, wrkmem, 0, + 0); #endif #if defined(COPY_DICT) - if (dict) - { - if (dict_len > M4_MAX_OFFSET) - { + if (dict) { + if (dict_len > M4_MAX_OFFSET) { dict += dict_len - M4_MAX_OFFSET; dict_len = M4_MAX_OFFSET; } dict_end = dict + dict_len; - } - else - { + } else { dict_len = 0; dict_end = NULL; } @@ -2591,66 +2565,75 @@ DO_DECOMPRESS ( const lzo_byte *in , lzo_uint in_len, op = out; ip = in; - if (*ip > 17) - { + if (*ip > 17) { t = *ip++ - 17; if (t < 4) goto match_next; - assert(t > 0); NEED_OP(t); NEED_IP(t+1); - do *op++ = *ip++; while (--t > 0); + assert(t > 0); + NEED_OP(t); + NEED_IP(t + 1); + do + *op++ = *ip++; + while (--t > 0); goto first_literal_run; } - while (TEST_IP && TEST_OP) - { + while (TEST_IP && TEST_OP) { t = *ip++; if (t >= 16) goto match; - if (t == 0) - { + if (t == 0) { NEED_IP(1); - while (*ip == 0) - { + while (*ip == 0) { t += 255; ip++; NEED_IP(1); } t += 15 + *ip++; } - assert(t > 0); NEED_OP(t+3); NEED_IP(t+4); + assert(t > 0); + NEED_OP(t + 3); + NEED_IP(t + 4); #if defined(LZO_UNALIGNED_OK_4) || defined(LZO_ALIGNED_OK_4) #if !defined(LZO_UNALIGNED_OK_4) - if (PTR_ALIGNED2_4(op,ip)) - { -#endif - COPY4(op,ip); - op += 4; ip += 4; - if (--t > 0) - { - if (t >= 4) - { - do { - COPY4(op,ip); - op += 4; ip += 4; t -= 4; - } while (t >= 4); - if (t > 0) do *op++ = *ip++; while (--t > 0); + if (PTR_ALIGNED2_4(op, ip)) { +#endif + COPY4(op, ip); + op += 4; + ip += 4; + if (--t > 0) { + if (t >= 4) { + do { + COPY4(op, ip); + op += 4; + ip += 4; + t -= 4; + } while (t >= 4); + if (t > 0) + do + *op++ = *ip++; + while (--t > 0); + } else + do + *op++ = *ip++; + while (--t > 0); } - else - do *op++ = *ip++; while (--t > 0); - } #if !defined(LZO_UNALIGNED_OK_4) - } - else + } else #endif #endif #if !defined(LZO_UNALIGNED_OK_4) { - *op++ = *ip++; *op++ = *ip++; *op++ = *ip++; - do *op++ = *ip++; while (--t > 0); + *op++ = *ip++; + *op++ = *ip++; + *op++ = *ip++; + do + *op++ = *ip++; + while (--t > 0); } #endif -first_literal_run: + first_literal_run: t = *ip++; if (t >= 16) @@ -2663,7 +2646,8 @@ first_literal_run: m_off = (1 + M2_MAX_OFFSET) + (t >> 2) + (*ip++ << 2); #endif NEED_OP(3); - t = 3; COPY_DICT(t,m_off) + t = 3; + COPY_DICT(t, m_off) #else #if defined(LZO1Z) t = (1 + M2_MAX_OFFSET) + (t << 6) + (*ip++ >> 2); @@ -2674,16 +2658,17 @@ first_literal_run: m_pos -= t >> 2; m_pos -= *ip++ << 2; #endif - TEST_LOOKBEHIND(m_pos,out); NEED_OP(3); - *op++ = *m_pos++; *op++ = *m_pos++; *op++ = *m_pos; + TEST_LOOKBEHIND(m_pos, out); + NEED_OP(3); + *op++ = *m_pos++; + *op++ = *m_pos++; + *op++ = *m_pos; #endif goto match_done; - while (TEST_IP && TEST_OP) - { -match: - if (t >= 64) - { + while (TEST_IP && TEST_OP) { + match: + if (t >= 64) { #if defined(COPY_DICT) #if defined(LZO1X) m_off = 1 + ((t >> 2) & 7) + (*ip++ << 3); @@ -2695,8 +2680,7 @@ match: m_off = t & 0x1f; if (m_off >= 0x1c) m_off = last_m_off; - else - { + else { m_off = 1 + (m_off << 6) + (*ip++ >> 2); last_m_off = m_off; } @@ -2717,13 +2701,10 @@ match: { lzo_uint off = t & 0x1f; m_pos = op; - if (off >= 0x1c) - { + if (off >= 0x1c) { assert(last_m_off > 0); m_pos -= last_m_off; - } - else - { + } else { off = 1 + (off << 6) + (*ip++ >> 2); m_pos -= off; last_m_off = off; @@ -2731,18 +2712,16 @@ match: } t = (t >> 5) - 1; #endif - TEST_LOOKBEHIND(m_pos,out); assert(t > 0); NEED_OP(t+3-1); + TEST_LOOKBEHIND(m_pos, out); + assert(t > 0); + NEED_OP(t + 3 - 1); goto copy_match; #endif - } - else if (t >= 32) - { + } else if (t >= 32) { t &= 31; - if (t == 0) - { + if (t == 0) { NEED_IP(1); - while (*ip == 0) - { + while (*ip == 0) { t += 255; ip++; NEED_IP(1); @@ -2765,16 +2744,14 @@ match: } #elif defined(LZO_UNALIGNED_OK_2) && (LZO_BYTE_ORDER == LZO_LITTLE_ENDIAN) m_pos = op - 1; - m_pos -= (* (const lzo_ushortp) ip) >> 2; + m_pos -= (*(const lzo_ushortp) ip) >> 2; #else m_pos = op - 1; m_pos -= (ip[0] >> 2) + (ip[1] << 6); #endif #endif ip += 2; - } - else if (t >= 16) - { + } else if (t >= 16) { #if defined(COPY_DICT) m_off = (t & 8) << 11; #else @@ -2782,11 +2759,9 @@ match: m_pos -= (t & 8) << 11; #endif t &= 7; - if (t == 0) - { + if (t == 0) { NEED_IP(1); - while (*ip == 0) - { + while (*ip == 0) { t += 255; ip++; NEED_IP(1); @@ -2810,7 +2785,7 @@ match: #if defined(LZO1Z) m_pos -= (ip[0] << 6) + (ip[1] >> 2); #elif defined(LZO_UNALIGNED_OK_2) && (LZO_BYTE_ORDER == LZO_LITTLE_ENDIAN) - m_pos -= (* (const lzo_ushortp) ip) >> 2; + m_pos -= (*(const lzo_ushortp) ip) >> 2; #else m_pos -= (ip[0] >> 2) + (ip[1] << 6); #endif @@ -2822,9 +2797,7 @@ match: last_m_off = op - m_pos; #endif #endif - } - else - { + } else { #if defined(COPY_DICT) #if defined(LZO1Z) m_off = 1 + (t << 6) + (*ip++ >> 2); @@ -2833,7 +2806,8 @@ match: m_off = 1 + (t >> 2) + (*ip++ << 2); #endif NEED_OP(2); - t = 2; COPY_DICT(t,m_off) + t = 2; + COPY_DICT(t, m_off) #else #if defined(LZO1Z) t = 1 + (t << 6) + (*ip++ >> 2); @@ -2844,48 +2818,59 @@ match: m_pos -= t >> 2; m_pos -= *ip++ << 2; #endif - TEST_LOOKBEHIND(m_pos,out); NEED_OP(2); - *op++ = *m_pos++; *op++ = *m_pos; + TEST_LOOKBEHIND(m_pos, out); + NEED_OP(2); + *op++ = *m_pos++; + *op++ = *m_pos; #endif goto match_done; } #if defined(COPY_DICT) - NEED_OP(t+3-1); - t += 3-1; COPY_DICT(t,m_off) - + NEED_OP(t + 3 - 1); + t += 3 - 1; + COPY_DICT(t, m_off) #else - TEST_LOOKBEHIND(m_pos,out); assert(t > 0); NEED_OP(t+3-1); + TEST_LOOKBEHIND(m_pos, out); + assert(t > 0); + NEED_OP(t + 3 - 1); #if defined(LZO_UNALIGNED_OK_4) || defined(LZO_ALIGNED_OK_4) #if !defined(LZO_UNALIGNED_OK_4) - if (t >= 2 * 4 - (3 - 1) && PTR_ALIGNED2_4(op,m_pos)) - { + if (t >= 2 * 4 - (3 - 1) && PTR_ALIGNED2_4(op, m_pos)) { assert((op - m_pos) >= 4); #else - if (t >= 2 * 4 - (3 - 1) && (op - m_pos) >= 4) - { + if (t >= 2 * 4 - (3 - 1) && (op - m_pos) >= 4) { #endif - COPY4(op,m_pos); - op += 4; m_pos += 4; t -= 4 - (3 - 1); + COPY4(op, m_pos); + op += 4; + m_pos += 4; + t -= 4 - (3 - 1); do { - COPY4(op,m_pos); - op += 4; m_pos += 4; t -= 4; + COPY4(op, m_pos); + op += 4; + m_pos += 4; + t -= 4; } while (t >= 4); - if (t > 0) do *op++ = *m_pos++; while (--t > 0); - } - else + if (t > 0) + do + *op++ = *m_pos++; + while (--t > 0); + } else #endif { -copy_match: - *op++ = *m_pos++; *op++ = *m_pos++; - do *op++ = *m_pos++; while (--t > 0); + copy_match: + *op++ = *m_pos++; + *op++ = *m_pos++; + do + *op++ = *m_pos++; + while (--t > 0); } #endif -match_done: + match_done: #if defined(LZO1Z) t = ip[-1] & 3; #else @@ -2894,9 +2879,13 @@ match_done: if (t == 0) break; -match_next: - assert(t > 0); NEED_OP(t); NEED_IP(t+1); - do *op++ = *ip++; while (--t > 0); + match_next: + assert(t > 0); + NEED_OP(t); + NEED_IP(t + 1); + do + *op++ = *ip++; + while (--t > 0); t = *ip++; } } @@ -2906,30 +2895,30 @@ match_next: return LZO_E_EOF_NOT_FOUND; #endif -eof_found: + eof_found: assert(t == 1); *out_len = op - out; return (ip == ip_end ? LZO_E_OK : - (ip < ip_end ? LZO_E_INPUT_NOT_CONSUMED : LZO_E_INPUT_OVERRUN)); + (ip < + ip_end ? LZO_E_INPUT_NOT_CONSUMED : LZO_E_INPUT_OVERRUN)); #if defined(HAVE_NEED_IP) -input_overrun: + input_overrun: *out_len = op - out; return LZO_E_INPUT_OVERRUN; #endif #if defined(HAVE_NEED_OP) -output_overrun: + output_overrun: *out_len = op - out; return LZO_E_OUTPUT_OVERRUN; #endif #if defined(LZO_TEST_DECOMPRESS_OVERRUN_LOOKBEHIND) -lookbehind_overrun: + lookbehind_overrun: *out_len = op - out; return LZO_E_LOOKBEHIND_OVERRUN; #endif } /***** End of minilzo.c *****/ - diff --git a/libextra/openpgp/compat.c b/libextra/openpgp/compat.c index 6f7f6052df..c54a1972a5 100644 --- a/libextra/openpgp/compat.c +++ b/libextra/openpgp/compat.c @@ -48,92 +48,92 @@ * may use GnuPG for that purpose, or any other external PGP application. -*/ int _gnutls_openpgp_verify_key(const char *trustdb, - const gnutls_datum * keyring, - const gnutls_datum * cert_list, - int cert_list_length) + const gnutls_datum * keyring, + const gnutls_datum * cert_list, + int cert_list_length) { - int ret = 0; - gnutls_openpgp_key key = NULL; - gnutls_openpgp_keyring ring = NULL; - gnutls_openpgp_trustdb tdb = NULL; - unsigned int verify_ring = 0, verify_db = 0, verify_self = 0; - - if (!cert_list || cert_list_length != 1) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } + int ret = 0; + gnutls_openpgp_key key = NULL; + gnutls_openpgp_keyring ring = NULL; + gnutls_openpgp_trustdb tdb = NULL; + unsigned int verify_ring = 0, verify_db = 0, verify_self = 0; + + if (!cert_list || cert_list_length != 1) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + ret = gnutls_openpgp_key_init(&key); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = gnutls_openpgp_key_import(key, &cert_list[0], 0); + if (ret < 0) { + gnutls_assert(); + goto leave; + } - ret = gnutls_openpgp_key_init( &key); + if (keyring && keyring->data && keyring->size != 0) { + + /* use the keyring + */ + ret = gnutls_openpgp_keyring_init(&ring); if (ret < 0) { - gnutls_assert(); - return ret; + gnutls_assert(); + goto leave; } - ret = gnutls_openpgp_key_import( key, &cert_list[0], 0); + ret = gnutls_openpgp_keyring_import(ring, keyring, 0); if (ret < 0) { - gnutls_assert(); - goto leave; + gnutls_assert(); + goto leave; } - if (keyring && keyring->data && keyring->size != 0) { - - /* use the keyring - */ - ret = gnutls_openpgp_keyring_init( &ring); - if (ret < 0) { - gnutls_assert(); - goto leave; - } - - ret = gnutls_openpgp_keyring_import( ring, keyring, 0); - if (ret < 0) { - gnutls_assert(); - goto leave; - } - - ret = gnutls_openpgp_key_verify_ring( key, ring, 0, &verify_ring); - if (ret < 0) { - gnutls_assert(); - goto leave; - } + ret = gnutls_openpgp_key_verify_ring(key, ring, 0, &verify_ring); + if (ret < 0) { + gnutls_assert(); + goto leave; } + } - if (trustdb) { /* Use the trustDB */ - ret = gnutls_openpgp_trustdb_init( &tdb); - if (ret < 0) { - gnutls_assert(); - goto leave; - } - - ret = gnutls_openpgp_trustdb_import_file( tdb, trustdb); - if (ret < 0) { - gnutls_assert(); - goto leave; - } - - ret = gnutls_openpgp_key_verify_trustdb( key, tdb, 0, &verify_db); + if (trustdb) { /* Use the trustDB */ + ret = gnutls_openpgp_trustdb_init(&tdb); + if (ret < 0) { + gnutls_assert(); + goto leave; } - /* now try the self signature. - */ - ret = gnutls_openpgp_key_verify_self( key, 0, &verify_self); + ret = gnutls_openpgp_trustdb_import_file(tdb, trustdb); if (ret < 0) { - gnutls_assert(); - goto leave; + gnutls_assert(); + goto leave; } - ret = verify_self | verify_ring | verify_db; + ret = gnutls_openpgp_key_verify_trustdb(key, tdb, 0, &verify_db); + } - /* If we only checked the self signature. - */ - if (!trustdb && (!keyring || !keyring->data)) - ret |= GNUTLS_CERT_SIGNER_NOT_FOUND; + /* now try the self signature. + */ + ret = gnutls_openpgp_key_verify_self(key, 0, &verify_self); + if (ret < 0) { + gnutls_assert(); + goto leave; + } -leave: - gnutls_openpgp_key_deinit( key); - gnutls_openpgp_trustdb_deinit( tdb); - gnutls_openpgp_keyring_deinit( ring); - return ret; + ret = verify_self | verify_ring | verify_db; + + /* If we only checked the self signature. + */ + if (!trustdb && (!keyring || !keyring->data)) + ret |= GNUTLS_CERT_SIGNER_NOT_FOUND; + + leave: + gnutls_openpgp_key_deinit(key); + gnutls_openpgp_trustdb_deinit(tdb); + gnutls_openpgp_keyring_deinit(ring); + return ret; } @@ -147,32 +147,32 @@ leave: * the fingerprint can be 16 or 20 bytes. -*/ int _gnutls_openpgp_fingerprint(const gnutls_datum * cert, - unsigned char *fpr, size_t * fprlen) + unsigned char *fpr, size_t * fprlen) { - gnutls_openpgp_key key; - int ret; + gnutls_openpgp_key key; + int ret; - ret = gnutls_openpgp_key_init( &key); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_openpgp_key_init(&key); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_openpgp_key_import( key, cert, 0); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_openpgp_key_import(key, cert, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_openpgp_key_get_fingerprint( key, fpr, fprlen); - - gnutls_openpgp_key_deinit( key); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - return 0; + ret = gnutls_openpgp_key_get_fingerprint(key, fpr, fprlen); + + gnutls_openpgp_key_deinit(key); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } /*- @@ -183,27 +183,27 @@ int _gnutls_openpgp_fingerprint(const gnutls_datum * cert, -*/ time_t _gnutls_openpgp_get_raw_key_creation_time(const gnutls_datum * cert) { - gnutls_openpgp_key key; - int ret; - time_t tim; + gnutls_openpgp_key key; + int ret; + time_t tim; - ret = gnutls_openpgp_key_init( &key); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_openpgp_key_init(&key); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_openpgp_key_import( key, cert, 0); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_openpgp_key_import(key, cert, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + tim = gnutls_openpgp_key_get_creation_time(key); - tim = gnutls_openpgp_key_get_creation_time( key); - - gnutls_openpgp_key_deinit( key); - - return tim; + gnutls_openpgp_key_deinit(key); + + return tim; } @@ -214,28 +214,28 @@ time_t _gnutls_openpgp_get_raw_key_creation_time(const gnutls_datum * cert) * Returns the time when the OpenPGP key expires. A value of '0' means * that the key doesn't expire at all. -*/ -time_t _gnutls_openpgp_get_raw_key_expiration_time(const gnutls_datum * cert) +time_t _gnutls_openpgp_get_raw_key_expiration_time(const gnutls_datum * + cert) { - gnutls_openpgp_key key; - int ret; - time_t tim; + gnutls_openpgp_key key; + int ret; + time_t tim; - ret = gnutls_openpgp_key_init( &key); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_openpgp_key_init(&key); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_openpgp_key_import( key, cert, 0); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_openpgp_key_import(key, cert, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - tim = gnutls_openpgp_key_get_expiration_time( key); - - gnutls_openpgp_key_deinit( key); - - return tim; -} + tim = gnutls_openpgp_key_get_expiration_time(key); + gnutls_openpgp_key_deinit(key); + + return tim; +} diff --git a/libextra/openpgp/extras.c b/libextra/openpgp/extras.c index f3a099ca78..41defd6678 100644 --- a/libextra/openpgp/extras.c +++ b/libextra/openpgp/extras.c @@ -45,12 +45,12 @@ **/ int gnutls_openpgp_keyring_init(gnutls_openpgp_keyring * keyring) { - *keyring = gnutls_calloc( 1, sizeof(gnutls_openpgp_keyring_int)); + *keyring = gnutls_calloc(1, sizeof(gnutls_openpgp_keyring_int)); - if (*keyring) { - return 0; /* success */ - } - return GNUTLS_E_MEMORY_ERROR; + if (*keyring) { + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -62,14 +62,15 @@ int gnutls_openpgp_keyring_init(gnutls_openpgp_keyring * keyring) **/ void gnutls_openpgp_keyring_deinit(gnutls_openpgp_keyring keyring) { - if (!keyring) return; - - if (keyring->hd) { - cdk_free( keyring->hd); - keyring->hd = NULL; - } - - gnutls_free(keyring); + if (!keyring) + return; + + if (keyring->hd) { + cdk_free(keyring->hd); + keyring->hd = NULL; + } + + gnutls_free(keyring); } /** @@ -84,32 +85,32 @@ void gnutls_openpgp_keyring_deinit(gnutls_openpgp_keyring keyring) * Returns 0 on success. * **/ -int gnutls_openpgp_keyring_import(gnutls_openpgp_keyring keyring, - const gnutls_datum * data, - gnutls_openpgp_key_fmt format) +int gnutls_openpgp_keyring_import(gnutls_openpgp_keyring keyring, + const gnutls_datum * data, + gnutls_openpgp_key_fmt format) { -int rc; -keybox_blob *blob = NULL; - - - blob = kbx_read_blob( data, 0); - if( !blob ) { - gnutls_assert(); - return GNUTLS_E_OPENPGP_KEYRING_ERROR; - } - - keyring->hd = kbx_to_keydb( blob); - if( !keyring->hd ) { - gnutls_assert(); - rc = GNUTLS_E_OPENPGP_KEYRING_ERROR; - goto leave; - } - - rc = 0; - - leave: - kbx_blob_release( blob ); - return rc; + int rc; + keybox_blob *blob = NULL; + + + blob = kbx_read_blob(data, 0); + if (!blob) { + gnutls_assert(); + return GNUTLS_E_OPENPGP_KEYRING_ERROR; + } + + keyring->hd = kbx_to_keydb(blob); + if (!keyring->hd) { + gnutls_assert(); + rc = GNUTLS_E_OPENPGP_KEYRING_ERROR; + goto leave; + } + + rc = 0; + + leave: + kbx_blob_release(blob); + return rc; } @@ -127,12 +128,12 @@ keybox_blob *blob = NULL; **/ int gnutls_openpgp_trustdb_init(gnutls_openpgp_trustdb * trustdb) { - *trustdb = gnutls_calloc( 1, sizeof(gnutls_openpgp_trustdb_int)); + *trustdb = gnutls_calloc(1, sizeof(gnutls_openpgp_trustdb_int)); - if (*trustdb) { - return 0; /* success */ - } - return GNUTLS_E_MEMORY_ERROR; + if (*trustdb) { + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -144,14 +145,15 @@ int gnutls_openpgp_trustdb_init(gnutls_openpgp_trustdb * trustdb) **/ void gnutls_openpgp_trustdb_deinit(gnutls_openpgp_trustdb trustdb) { - if (!trustdb) return; - - if (trustdb->st) { - cdk_stream_close( trustdb->st); - trustdb->st = NULL; - } - - gnutls_free(trustdb); + if (!trustdb) + return; + + if (trustdb->st) { + cdk_stream_close(trustdb->st); + trustdb->st = NULL; + } + + gnutls_free(trustdb); } /** @@ -165,18 +167,17 @@ void gnutls_openpgp_trustdb_deinit(gnutls_openpgp_trustdb trustdb) * Returns 0 on success. * **/ -int gnutls_openpgp_trustdb_import_file(gnutls_openpgp_trustdb trustdb, - const char * file) +int gnutls_openpgp_trustdb_import_file(gnutls_openpgp_trustdb trustdb, + const char *file) { -int rc; - - rc = cdk_stream_open( file, &trustdb->st); - if( rc ) { - rc = _gnutls_map_cdk_rc( rc ); - gnutls_assert(); - return rc; - } - - return 0; -} + int rc; + + rc = cdk_stream_open(file, &trustdb->st); + if (rc) { + rc = _gnutls_map_cdk_rc(rc); + gnutls_assert(); + return rc; + } + return 0; +} diff --git a/libextra/openpgp/openpgp.c b/libextra/openpgp/openpgp.c index f4e0134710..8857c400a6 100644 --- a/libextra/openpgp/openpgp.c +++ b/libextra/openpgp/openpgp.c @@ -42,12 +42,12 @@ **/ int gnutls_openpgp_key_init(gnutls_openpgp_key * key) { - *key = gnutls_calloc( 1, sizeof(gnutls_openpgp_key_int)); + *key = gnutls_calloc(1, sizeof(gnutls_openpgp_key_int)); - if (*key) { - return 0; /* success */ - } - return GNUTLS_E_MEMORY_ERROR; + if (*key) { + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -59,15 +59,17 @@ int gnutls_openpgp_key_init(gnutls_openpgp_key * key) **/ void gnutls_openpgp_key_deinit(gnutls_openpgp_key key) { - if (!key) return; + if (!key) + return; - if (key->knode) { - cdk_kbnode_release( key->knode); - key->knode = NULL; - } - if (key->inp) cdk_stream_close( key->inp); - - gnutls_free(key); + if (key->knode) { + cdk_kbnode_release(key->knode); + key->knode = NULL; + } + if (key->inp) + cdk_stream_close(key->inp); + + gnutls_free(key); } /** @@ -82,41 +84,42 @@ void gnutls_openpgp_key_deinit(gnutls_openpgp_key key) * Returns 0 on success. * **/ -int gnutls_openpgp_key_import(gnutls_openpgp_key key, - const gnutls_datum * data, gnutls_openpgp_key_fmt format) +int gnutls_openpgp_key_import(gnutls_openpgp_key key, + const gnutls_datum * data, + gnutls_openpgp_key_fmt format) { -int rc; - - if (format == GNUTLS_OPENPGP_FMT_RAW) { - rc = cdk_kbnode_read_from_mem( &key->knode, data->data, data->size); - if( rc) { - rc = _gnutls_map_cdk_rc( rc); - gnutls_assert(); - return rc; - } - } else { /* base64 */ - key->inp = cdk_stream_tmp_from_mem( data->data, data->size); - if (key->inp == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - rc = cdk_stream_set_armor_flag( key->inp, 0); - if (rc) { - rc = _gnutls_map_cdk_rc( rc); - gnutls_assert(); - return rc; - } - - rc = cdk_keydb_get_keyblock( key->inp, &key->knode ); - if( rc) { - rc = _gnutls_map_cdk_rc( rc); - gnutls_assert(); - return rc; - } + int rc; + + if (format == GNUTLS_OPENPGP_FMT_RAW) { + rc = cdk_kbnode_read_from_mem(&key->knode, data->data, data->size); + if (rc) { + rc = _gnutls_map_cdk_rc(rc); + gnutls_assert(); + return rc; } - - return 0; + } else { /* base64 */ + key->inp = cdk_stream_tmp_from_mem(data->data, data->size); + if (key->inp == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + rc = cdk_stream_set_armor_flag(key->inp, 0); + if (rc) { + rc = _gnutls_map_cdk_rc(rc); + gnutls_assert(); + return rc; + } + + rc = cdk_keydb_get_keyblock(key->inp, &key->knode); + if (rc) { + rc = _gnutls_map_cdk_rc(rc); + gnutls_assert(); + return rc; + } + } + + return 0; } /** @@ -133,61 +136,61 @@ int rc; * Returns 0 on success. * **/ -int gnutls_openpgp_key_export(gnutls_openpgp_key key, - gnutls_openpgp_key_fmt format, void* output_data, - size_t* output_data_size) +int gnutls_openpgp_key_export(gnutls_openpgp_key key, + gnutls_openpgp_key_fmt format, + void *output_data, size_t * output_data_size) { -int rc; -size_t input_data_size = *output_data_size; - - rc = cdk_kbnode_write_to_mem( key->knode, - output_data, output_data_size); - if( rc) { - rc = _gnutls_map_cdk_rc( rc); - gnutls_assert(); - return rc; + int rc; + size_t input_data_size = *output_data_size; + + rc = cdk_kbnode_write_to_mem(key->knode, + output_data, output_data_size); + if (rc) { + rc = _gnutls_map_cdk_rc(rc); + gnutls_assert(); + return rc; + } + + if (format == GNUTLS_OPENPGP_FMT_BASE64) { + cdk_stream_t s; + + s = cdk_stream_tmp_from_mem(output_data, *output_data_size); + if (s == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } - if (format == GNUTLS_OPENPGP_FMT_BASE64) { - cdk_stream_t s; - - s = cdk_stream_tmp_from_mem( output_data, *output_data_size); - if (s == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - cdk_stream_tmp_set_mode( s, 1); - rc = cdk_stream_set_armor_flag( s, CDK_ARMOR_PUBKEY); - if (rc) { - rc = _gnutls_map_cdk_rc( rc); - gnutls_assert(); - cdk_stream_close(s); - return rc; - } - - - *output_data_size = input_data_size; - - rc = cdk_stream_read( s, output_data, *output_data_size); - if (rc==EOF) { - gnutls_assert(); - cdk_stream_close(s); - return GNUTLS_E_INTERNAL_ERROR; - } - - *output_data_size = rc; - if (*output_data_size != cdk_stream_get_length(s)) { - *output_data_size = cdk_stream_get_length(s); - cdk_stream_close(s); - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - cdk_stream_close(s); + cdk_stream_tmp_set_mode(s, 1); + rc = cdk_stream_set_armor_flag(s, CDK_ARMOR_PUBKEY); + if (rc) { + rc = _gnutls_map_cdk_rc(rc); + gnutls_assert(); + cdk_stream_close(s); + return rc; } - return 0; + + *output_data_size = input_data_size; + + rc = cdk_stream_read(s, output_data, *output_data_size); + if (rc == EOF) { + gnutls_assert(); + cdk_stream_close(s); + return GNUTLS_E_INTERNAL_ERROR; + } + + *output_data_size = rc; + if (*output_data_size != cdk_stream_get_length(s)) { + *output_data_size = cdk_stream_get_length(s); + cdk_stream_close(s); + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + cdk_stream_close(s); + } + + return 0; } @@ -201,50 +204,49 @@ size_t input_data_size = *output_data_size; * the fingerprint can be 16 or 20 bytes. **/ int -gnutls_openpgp_key_get_fingerprint( gnutls_openpgp_key key, - void *fpr, size_t *fprlen ) +gnutls_openpgp_key_get_fingerprint(gnutls_openpgp_key key, + void *fpr, size_t * fprlen) { cdk_packet_t pkt; cdk_pkt_pubkey_t pk = NULL; - if( !fpr || !fprlen ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!fpr || !fprlen) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } *fprlen = 0; - pkt = cdk_kbnode_find_packet( key->knode, CDK_PKT_PUBLIC_KEY); - if( !pkt ) - return GNUTLS_E_OPENPGP_GETKEY_FAILED; - + pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY); + if (!pkt) + return GNUTLS_E_OPENPGP_GETKEY_FAILED; + pk = pkt->pkt.public_key; *fprlen = 20; - if ( is_RSA(pk->pubkey_algo) && pk->version < 4 ) - *fprlen = 16; - cdk_pk_get_fingerprint( pk, fpr); - + if (is_RSA(pk->pubkey_algo) && pk->version < 4) + *fprlen = 16; + cdk_pk_get_fingerprint(pk, fpr); + return 0; } -int -_gnutls_openpgp_count_key_names( gnutls_openpgp_key key) +int _gnutls_openpgp_count_key_names(gnutls_openpgp_key key) { cdk_kbnode_t p, ctx = NULL; cdk_packet_t pkt; int nuids = 0; - if( key == NULL ) { - gnutls_assert(); - return 0; + if (key == NULL) { + gnutls_assert(); + return 0; } - while( (p = cdk_kbnode_walk( key->knode, &ctx, 0 )) ) { - pkt = cdk_kbnode_get_packet( p); - if( pkt->pkttype == CDK_PKT_USER_ID) - nuids++; + while ((p = cdk_kbnode_walk(key->knode, &ctx, 0))) { + pkt = cdk_kbnode_get_packet(p); + if (pkt->pkttype == CDK_PKT_USER_ID) + nuids++; } - + return nuids; } @@ -263,9 +265,8 @@ _gnutls_openpgp_count_key_names( gnutls_openpgp_key key) * **/ int -gnutls_openpgp_key_get_name( gnutls_openpgp_key key, - int idx, - char *buf, size_t *sizeof_buf) +gnutls_openpgp_key_get_name(gnutls_openpgp_key key, + int idx, char *buf, size_t * sizeof_buf) { cdk_kbnode_t ctx = NULL, p; cdk_packet_t pkt = NULL; @@ -274,51 +275,51 @@ gnutls_openpgp_key_get_name( gnutls_openpgp_key key, size_t size = 0; int rc = 0; - if( !key || !buf ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!key || !buf) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - - if( idx < 0 || idx > _gnutls_openpgp_count_key_names( key) ) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + + if (idx < 0 || idx > _gnutls_openpgp_count_key_names(key)) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - if( !idx ) - pkt = cdk_kbnode_find_packet( key->knode, CDK_PKT_USER_ID ); + if (!idx) + pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_USER_ID); else { - pos = 0; - while( (p = cdk_kbnode_walk( key->knode, &ctx, 0 )) ) { - pkt = cdk_kbnode_get_packet( p ); - if( pkt->pkttype == CDK_PKT_USER_ID && ++pos == idx ) - break; - } + pos = 0; + while ((p = cdk_kbnode_walk(key->knode, &ctx, 0))) { + pkt = cdk_kbnode_get_packet(p); + if (pkt->pkttype == CDK_PKT_USER_ID && ++pos == idx) + break; + } } - if( !pkt ) { - rc = GNUTLS_E_INTERNAL_ERROR; - goto leave; + if (!pkt) { + rc = GNUTLS_E_INTERNAL_ERROR; + goto leave; } - + uid = pkt->pkt.user_id; - + if (uid->len >= *sizeof_buf) { - gnutls_assert(); - *sizeof_buf = uid->len + 1; - rc = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto leave; + gnutls_assert(); + *sizeof_buf = uid->len + 1; + rc = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto leave; } - size = uid->len < *sizeof_buf? uid->len : *sizeof_buf-1; - memcpy( buf, uid->name, size); + size = uid->len < *sizeof_buf ? uid->len : *sizeof_buf - 1; + memcpy(buf, uid->name, size); - buf[size] = '\0'; /* make sure it's a string */ + buf[size] = '\0'; /* make sure it's a string */ - if( uid->is_revoked ) { - rc = GNUTLS_E_OPENPGP_UID_REVOKED; - goto leave; + if (uid->is_revoked) { + rc = GNUTLS_E_OPENPGP_UID_REVOKED; + goto leave; } - -leave: + + leave: return rc; } @@ -339,30 +340,31 @@ leave: * **/ int -gnutls_openpgp_key_get_pk_algorithm( gnutls_openpgp_key key, unsigned int *bits) +gnutls_openpgp_key_get_pk_algorithm(gnutls_openpgp_key key, + unsigned int *bits) { cdk_packet_t pkt; int algo = 0; - - if( !key ) - return GNUTLS_E_INVALID_REQUEST; - - pkt = cdk_kbnode_find_packet( key->knode, CDK_PKT_PUBLIC_KEY ); - if( pkt && pkt->pkttype == CDK_PKT_PUBLIC_KEY ) { - if( bits ) - *bits = cdk_pk_get_nbits( pkt->pkt.public_key ); - algo = pkt->pkt.public_key->pubkey_algo; - if( is_RSA( algo ) ) - algo = GNUTLS_PK_RSA; - else if( is_DSA( algo ) ) - algo = GNUTLS_PK_DSA; - else - algo = GNUTLS_E_UNKNOWN_PK_ALGORITHM; + + if (!key) + return GNUTLS_E_INVALID_REQUEST; + + pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY); + if (pkt && pkt->pkttype == CDK_PKT_PUBLIC_KEY) { + if (bits) + *bits = cdk_pk_get_nbits(pkt->pkt.public_key); + algo = pkt->pkt.public_key->pubkey_algo; + if (is_RSA(algo)) + algo = GNUTLS_PK_RSA; + else if (is_DSA(algo)) + algo = GNUTLS_PK_DSA; + else + algo = GNUTLS_E_UNKNOWN_PK_ALGORITHM; } return algo; } - + /** * gnutls_openpgp_key_get_version - Extracts the version of the key. @@ -370,18 +372,17 @@ gnutls_openpgp_key_get_pk_algorithm( gnutls_openpgp_key key, unsigned int *bits) * * Extract the version of the OpenPGP key. **/ -int -gnutls_openpgp_key_get_version( gnutls_openpgp_key key) +int gnutls_openpgp_key_get_version(gnutls_openpgp_key key) { cdk_packet_t pkt; int version = 0; - if( !key) - return -1; + if (!key) + return -1; - pkt = cdk_kbnode_find_packet( key->knode, CDK_PKT_PUBLIC_KEY ); - if( pkt ) - version = pkt->pkt.public_key->version; + pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY); + if (pkt) + version = pkt->pkt.public_key->version; return version; } @@ -393,19 +394,18 @@ gnutls_openpgp_key_get_version( gnutls_openpgp_key key) * * Returns the timestamp when the OpenPGP key was created. **/ -time_t -gnutls_openpgp_key_get_creation_time( gnutls_openpgp_key key) +time_t gnutls_openpgp_key_get_creation_time(gnutls_openpgp_key key) { cdk_packet_t pkt; time_t timestamp = 0; - if( !key) - return (time_t)-1; + if (!key) + return (time_t) - 1; + + pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY); + if (pkt) + timestamp = pkt->pkt.public_key->timestamp; - pkt = cdk_kbnode_find_packet( key->knode, CDK_PKT_PUBLIC_KEY ); - if( pkt ) - timestamp = pkt->pkt.public_key->timestamp; - return timestamp; } @@ -417,19 +417,18 @@ gnutls_openpgp_key_get_creation_time( gnutls_openpgp_key key) * Returns the time when the OpenPGP key expires. A value of '0' means * that the key doesn't expire at all. **/ -time_t -gnutls_openpgp_key_get_expiration_time( gnutls_openpgp_key key) +time_t gnutls_openpgp_key_get_expiration_time(gnutls_openpgp_key key) { cdk_packet_t pkt; time_t expiredate = 0; - if( !key) - return (time_t)-1; - - pkt = cdk_kbnode_find_packet( key->knode, CDK_PKT_PUBLIC_KEY ); - if( pkt ) - expiredate = pkt->pkt.public_key->expiredate; - + if (!key) + return (time_t) - 1; + + pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY); + if (pkt) + expiredate = pkt->pkt.public_key->expiredate; + return expiredate; } @@ -441,33 +440,32 @@ gnutls_openpgp_key_get_expiration_time( gnutls_openpgp_key key) * Returns the 64-bit keyID of the OpenPGP key. **/ int -gnutls_openpgp_key_get_id( gnutls_openpgp_key key, - unsigned char keyid[8]) +gnutls_openpgp_key_get_id(gnutls_openpgp_key key, unsigned char keyid[8]) { cdk_packet_t pkt; cdk_pkt_pubkey_t pk = NULL; unsigned int kid[2]; - - if( !key || !keyid ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + + if (!key || !keyid) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - pkt = cdk_kbnode_find_packet( key->knode, CDK_PKT_PUBLIC_KEY); - if( !pkt ) - return GNUTLS_E_OPENPGP_GETKEY_FAILED; - + pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY); + if (!pkt) + return GNUTLS_E_OPENPGP_GETKEY_FAILED; + pk = pkt->pkt.public_key; - cdk_pk_get_keyid( pk, kid ); + cdk_pk_get_keyid(pk, kid); keyid[0] = kid[0] >> 24; keyid[1] = kid[0] >> 16; - keyid[2] = kid[0] >> 8; + keyid[2] = kid[0] >> 8; keyid[3] = kid[0]; keyid[4] = kid[1] >> 24; keyid[5] = kid[1] >> 16; - keyid[6] = kid[1] >> 8; + keyid[6] = kid[1] >> 8; keyid[7] = kid[1]; - + return 0; } @@ -484,31 +482,29 @@ gnutls_openpgp_key_get_id( gnutls_openpgp_key key, * **/ int gnutls_openpgp_key_check_hostname(gnutls_openpgp_key key, - const char *hostname) + const char *hostname) { - char dnsname[MAX_CN]; - size_t dnsnamesize; - int ret = 0; - int i = 0; + char dnsname[MAX_CN]; + size_t dnsnamesize; + int ret = 0; + int i = 0; - /* Check through all included names. - */ - for (i = 0; !(ret < 0); i++) { + /* Check through all included names. + */ + for (i = 0; !(ret < 0); i++) { - dnsnamesize = sizeof(dnsname); - ret = - gnutls_openpgp_key_get_name(key, i, - dnsname, &dnsnamesize); + dnsnamesize = sizeof(dnsname); + ret = gnutls_openpgp_key_get_name(key, i, dnsname, &dnsnamesize); - if (_gnutls_hostname_compare(dnsname, hostname)) { - return 1; - } - } + if (_gnutls_hostname_compare(dnsname, hostname)) { + return 1; + } + } - /* not found a matching name - */ - return 0; + /* not found a matching name + */ + return 0; } /** @@ -523,28 +519,28 @@ int gnutls_openpgp_key_check_hostname(gnutls_openpgp_key key, * A negative value may be returned in case of parsing error. * **/ -int gnutls_openpgp_key_get_key_usage(gnutls_openpgp_key key, unsigned int *key_usage) +int gnutls_openpgp_key_get_key_usage(gnutls_openpgp_key key, + unsigned int *key_usage) { -cdk_packet_t pkt; -int algo = 0; - - if( !key ) - return GNUTLS_E_INVALID_REQUEST; - - *key_usage = 0; - - pkt = cdk_kbnode_find_packet( key->knode, CDK_PKT_PUBLIC_KEY); - if( pkt && pkt->pkttype == CDK_PKT_PUBLIC_KEY ) { - algo = pkt->pkt.public_key->pubkey_algo; - - if( is_DSA(algo) || algo == GCRY_PK_RSA_S ) - *key_usage |= KEY_DIGITAL_SIGNATURE; - else if( algo == GCRY_PK_RSA_E ) - *key_usage |= KEY_KEY_ENCIPHERMENT; - else if( algo == GCRY_PK_RSA ) - *key_usage |= KEY_DIGITAL_SIGNATURE | KEY_KEY_ENCIPHERMENT; - } + cdk_packet_t pkt; + int algo = 0; - return 0; -} + if (!key) + return GNUTLS_E_INVALID_REQUEST; + + *key_usage = 0; + pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY); + if (pkt && pkt->pkttype == CDK_PKT_PUBLIC_KEY) { + algo = pkt->pkt.public_key->pubkey_algo; + + if (is_DSA(algo) || algo == GCRY_PK_RSA_S) + *key_usage |= KEY_DIGITAL_SIGNATURE; + else if (algo == GCRY_PK_RSA_E) + *key_usage |= KEY_KEY_ENCIPHERMENT; + else if (algo == GCRY_PK_RSA) + *key_usage |= KEY_DIGITAL_SIGNATURE | KEY_KEY_ENCIPHERMENT; + } + + return 0; +} diff --git a/libextra/openpgp/openpgp.h b/libextra/openpgp/openpgp.h index 1dbaa8498f..403cea6370 100644 --- a/libextra/openpgp/openpgp.h +++ b/libextra/openpgp/openpgp.h @@ -3,8 +3,9 @@ #include <config.h> -typedef enum gnutls_openpgp_key_fmt { GNUTLS_OPENPGP_FMT_RAW, - GNUTLS_OPENPGP_FMT_BASE64 } gnutls_openpgp_key_fmt; +typedef enum gnutls_openpgp_key_fmt { + GNUTLS_OPENPGP_FMT_RAW, GNUTLS_OPENPGP_FMT_BASE64 +} gnutls_openpgp_key_fmt; #ifdef USE_OPENPGP @@ -12,20 +13,20 @@ typedef enum gnutls_openpgp_key_fmt { GNUTLS_OPENPGP_FMT_RAW, #include <opencdk.h> typedef struct gnutls_openpgp_key_int { - cdk_kbnode_t knode; - cdk_stream_t inp; + cdk_kbnode_t knode; + cdk_stream_t inp; } gnutls_openpgp_key_int; typedef struct gnutls_openpgp_privkey_int { - gnutls_privkey pkey; + gnutls_privkey pkey; } gnutls_openpgp_privkey_int; typedef struct gnutls_openpgp_keyring_int { - cdk_keydb_hd_t hd; + cdk_keydb_hd_t hd; } gnutls_openpgp_keyring_int; typedef struct gnutls_openpgp_trustdb_int { - cdk_stream_t st; + cdk_stream_t st; } gnutls_openpgp_trustdb_int; typedef struct gnutls_openpgp_key_int *gnutls_openpgp_key; @@ -33,64 +34,65 @@ typedef struct gnutls_openpgp_privkey_int *gnutls_openpgp_privkey; typedef struct gnutls_openpgp_keyring_int *gnutls_openpgp_keyring; typedef struct gnutls_openpgp_trustdb_int *gnutls_openpgp_trustdb; +int _gnutls_map_cdk_rc(int rc); int -_gnutls_map_cdk_rc( int rc); -int -gnutls_openpgp_key_get_name( gnutls_openpgp_key key, - int idx, - char *buf, size_t *sizeof_buf); -int gnutls_openpgp_key_get_fingerprint( gnutls_openpgp_key key, - void *fpr, size_t *fprlen); -int gnutls_openpgp_key_get_pk_algorithm( gnutls_openpgp_key key, unsigned int *bits); -int gnutls_openpgp_key_get_version( gnutls_openpgp_key key); -time_t gnutls_openpgp_key_get_creation_time( gnutls_openpgp_key key); -time_t gnutls_openpgp_key_get_expiration_time( gnutls_openpgp_key key); -int gnutls_openpgp_key_get_id( gnutls_openpgp_key key, - unsigned char keyid[8]); +gnutls_openpgp_key_get_name(gnutls_openpgp_key key, + int idx, char *buf, size_t * sizeof_buf); +int gnutls_openpgp_key_get_fingerprint(gnutls_openpgp_key key, + void *fpr, size_t * fprlen); +int gnutls_openpgp_key_get_pk_algorithm(gnutls_openpgp_key key, + unsigned int *bits); +int gnutls_openpgp_key_get_version(gnutls_openpgp_key key); +time_t gnutls_openpgp_key_get_creation_time(gnutls_openpgp_key key); +time_t gnutls_openpgp_key_get_expiration_time(gnutls_openpgp_key key); +int gnutls_openpgp_key_get_id(gnutls_openpgp_key key, + unsigned char keyid[8]); int gnutls_openpgp_key_init(gnutls_openpgp_key * key); void gnutls_openpgp_key_deinit(gnutls_openpgp_key key); -int gnutls_openpgp_key_import(gnutls_openpgp_key key, - const gnutls_datum * data, gnutls_openpgp_key_fmt format); -int gnutls_openpgp_key_export(gnutls_openpgp_key key, - gnutls_openpgp_key_fmt format, void* output_data, - size_t* output_data_size); +int gnutls_openpgp_key_import(gnutls_openpgp_key key, + const gnutls_datum * data, + gnutls_openpgp_key_fmt format); +int gnutls_openpgp_key_export(gnutls_openpgp_key key, + gnutls_openpgp_key_fmt format, void *output_data, + size_t * output_data_size); void gnutls_openpgp_keyring_deinit(gnutls_openpgp_keyring keyring); int gnutls_openpgp_keyring_init(gnutls_openpgp_keyring * keyring); -int gnutls_openpgp_keyring_import(gnutls_openpgp_keyring keyring, - const gnutls_datum * data, - gnutls_openpgp_key_fmt format); +int gnutls_openpgp_keyring_import(gnutls_openpgp_keyring keyring, + const gnutls_datum * data, gnutls_openpgp_key_fmt format); void gnutls_openpgp_trustdb_deinit(gnutls_openpgp_trustdb trustdb); int gnutls_openpgp_trustdb_init(gnutls_openpgp_trustdb * trustdb); -int gnutls_openpgp_trustdb_import_file(gnutls_openpgp_trustdb trustdb, - const char * file); +int gnutls_openpgp_trustdb_import_file(gnutls_openpgp_trustdb trustdb, + const char *file); -int gnutls_openpgp_key_verify_ring( gnutls_openpgp_key key, - gnutls_openpgp_keyring keyring, - unsigned int flags, unsigned int *verify); +int gnutls_openpgp_key_verify_ring(gnutls_openpgp_key key, + gnutls_openpgp_keyring keyring, unsigned int flags, + unsigned int *verify); -int gnutls_openpgp_key_verify_trustdb( gnutls_openpgp_key key, - gnutls_openpgp_trustdb trustdb, - unsigned int flags, unsigned int *verify); +int gnutls_openpgp_key_verify_trustdb(gnutls_openpgp_key key, + gnutls_openpgp_trustdb trustdb, unsigned int flags, + unsigned int *verify); -int gnutls_openpgp_key_verify_self( gnutls_openpgp_key key, - unsigned int flags, unsigned int *verify); +int gnutls_openpgp_key_verify_self(gnutls_openpgp_key key, + unsigned int flags, unsigned int *verify); -int _gnutls_openpgp_key_to_gcert(gnutls_cert * gcert, gnutls_openpgp_key cert); -int _gnutls_openpgp_privkey_to_gkey( gnutls_privkey* dest, gnutls_openpgp_privkey src); +int _gnutls_openpgp_key_to_gcert(gnutls_cert * gcert, + gnutls_openpgp_key cert); +int _gnutls_openpgp_privkey_to_gkey(gnutls_privkey * dest, + gnutls_openpgp_privkey src); void gnutls_openpgp_privkey_deinit(gnutls_openpgp_privkey key); -#else /* no opencdk */ +#else /* no opencdk */ typedef void *gnutls_openpgp_key; typedef void *gnutls_openpgp_privkey; typedef void *gnutls_openpgp_keyring; typedef void *gnutls_openpgp_trustdb; -#endif /* USE_OPENPGP */ +#endif /* USE_OPENPGP */ -#endif /* OPENPGP_H */ +#endif /* OPENPGP_H */ diff --git a/libextra/openpgp/privkey.c b/libextra/openpgp/privkey.c index ff72e7d569..4dba0e043d 100644 --- a/libextra/openpgp/privkey.c +++ b/libextra/openpgp/privkey.c @@ -43,12 +43,12 @@ **/ int gnutls_openpgp_privkey_init(gnutls_openpgp_privkey * key) { - *key = gnutls_calloc( 1, sizeof(gnutls_openpgp_privkey_int)); + *key = gnutls_calloc(1, sizeof(gnutls_openpgp_privkey_int)); - if (*key) { - return 0; /* success */ - } - return GNUTLS_E_MEMORY_ERROR; + if (*key) { + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -60,10 +60,11 @@ int gnutls_openpgp_privkey_init(gnutls_openpgp_privkey * key) **/ void gnutls_openpgp_privkey_deinit(gnutls_openpgp_privkey key) { - if (!key) return; + if (!key) + return; - _gnutls_gkey_deinit( &key->pkey); - gnutls_free(key); + _gnutls_gkey_deinit(&key->pkey); + gnutls_free(key); } /** @@ -80,19 +81,20 @@ void gnutls_openpgp_privkey_deinit(gnutls_openpgp_privkey key) * Returns 0 on success. * **/ -int gnutls_openpgp_privkey_import(gnutls_openpgp_privkey key, - const gnutls_datum * data, gnutls_openpgp_key_fmt format, - const char* pass, unsigned int flags) +int gnutls_openpgp_privkey_import(gnutls_openpgp_privkey key, + const gnutls_datum * data, + gnutls_openpgp_key_fmt format, + const char *pass, unsigned int flags) { -int rc; + int rc; - rc = _gnutls_openpgp_raw_privkey_to_gkey( &key->pkey, data); - if( rc) { - gnutls_assert(); - return rc; - } - - return 0; + rc = _gnutls_openpgp_raw_privkey_to_gkey(&key->pkey, data); + if (rc) { + gnutls_assert(); + return rc; + } + + return 0; } /** @@ -112,18 +114,17 @@ int rc; * **/ int -gnutls_openpgp_privkey_get_pk_algorithm( gnutls_openpgp_privkey key, unsigned int *bits) +gnutls_openpgp_privkey_get_pk_algorithm(gnutls_openpgp_privkey key, + unsigned int *bits) { - int pk = key->pkey.pk_algorithm; + int pk = key->pkey.pk_algorithm; - if (bits) { - *bits = 0; - if (pk == GNUTLS_PK_RSA) - *bits = _gnutls_mpi_get_nbits( key->pkey.params[0]); - if (pk == GNUTLS_PK_DSA) - *bits = _gnutls_mpi_get_nbits( key->pkey.params[3]); - } - return pk; + if (bits) { + *bits = 0; + if (pk == GNUTLS_PK_RSA) + *bits = _gnutls_mpi_get_nbits(key->pkey.params[0]); + if (pk == GNUTLS_PK_DSA) + *bits = _gnutls_mpi_get_nbits(key->pkey.params[3]); + } + return pk; } - - diff --git a/libextra/openpgp/verify.c b/libextra/openpgp/verify.c index 9c54e77c95..5e141e8b5d 100644 --- a/libextra/openpgp/verify.c +++ b/libextra/openpgp/verify.c @@ -30,47 +30,47 @@ #include <openpgp.h> static int -openpgp_get_key_trust( gnutls_openpgp_trustdb trustdb, - gnutls_openpgp_key key, unsigned int *r_trustval ) +openpgp_get_key_trust(gnutls_openpgp_trustdb trustdb, + gnutls_openpgp_key key, unsigned int *r_trustval) { cdk_packet_t pkt; cdk_pkt_pubkey_t pk = NULL; int flags = 0, ot = 0; int rc = 0; - if( !trustdb || !key || !r_trustval ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!trustdb || !key || !r_trustval) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } *r_trustval = 0; - pkt = cdk_kbnode_find_packet( key->knode, CDK_PKT_PUBLIC_KEY ); - if( !pkt ) { - rc = GNUTLS_E_NO_CERTIFICATE_FOUND; - goto leave; + pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY); + if (!pkt) { + rc = GNUTLS_E_NO_CERTIFICATE_FOUND; + goto leave; } pk = pkt->pkt.public_key; - rc = cdk_trustdb_get_ownertrust( trustdb->st, pk, &ot, &flags ); + rc = cdk_trustdb_get_ownertrust(trustdb->st, pk, &ot, &flags); - if ( rc ) { /* no ownertrust record was found */ - rc = 0; - goto leave; + if (rc) { /* no ownertrust record was found */ + rc = 0; + goto leave; } - if( flags & CDK_TFLAG_DISABLED ) { - *r_trustval |= GNUTLS_CERT_INVALID; - goto leave; + if (flags & CDK_TFLAG_DISABLED) { + *r_trustval |= GNUTLS_CERT_INVALID; + goto leave; } - - if( flags & CDK_TFLAG_REVOKED ) { - *r_trustval |= GNUTLS_CERT_REVOKED; + + if (flags & CDK_TFLAG_REVOKED) { + *r_trustval |= GNUTLS_CERT_REVOKED; } - + rc = 0; -leave: + leave: return rc; } @@ -96,45 +96,49 @@ leave: * * Returns 0 on success. **/ -int gnutls_openpgp_key_verify_ring( gnutls_openpgp_key key, - gnutls_openpgp_keyring keyring, - unsigned int flags, unsigned int *verify) +int gnutls_openpgp_key_verify_ring(gnutls_openpgp_key key, + gnutls_openpgp_keyring keyring, + unsigned int flags, + unsigned int *verify) { int rc = 0; int status = 0; - - if( !key || !keyring ) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; + + if (!key || !keyring) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; } - + *verify = 0; - rc = cdk_pk_check_sigs( key->knode, keyring->hd, &status ); - if( rc == CDK_Error_No_Key ) { - rc = GNUTLS_E_NO_CERTIFICATE_FOUND; - gnutls_assert(); - return rc; + rc = cdk_pk_check_sigs(key->knode, keyring->hd, &status); + if (rc == CDK_Error_No_Key) { + rc = GNUTLS_E_NO_CERTIFICATE_FOUND; + gnutls_assert(); + return rc; } - if( rc) { - rc = _gnutls_map_cdk_rc(rc); - gnutls_assert(); - return rc; + if (rc) { + rc = _gnutls_map_cdk_rc(rc); + gnutls_assert(); + return rc; } - if (status & CDK_KEY_INVALID) *verify |= GNUTLS_CERT_INVALID; - if (status & CDK_KEY_REVOKED) *verify |= GNUTLS_CERT_REVOKED; - if (status & CDK_KEY_NOSIGNER) *verify |= GNUTLS_CERT_SIGNER_NOT_FOUND; + if (status & CDK_KEY_INVALID) + *verify |= GNUTLS_CERT_INVALID; + if (status & CDK_KEY_REVOKED) + *verify |= GNUTLS_CERT_REVOKED; + if (status & CDK_KEY_NOSIGNER) + *verify |= GNUTLS_CERT_SIGNER_NOT_FOUND; return 0; } -int _cdk_sig_check( cdk_pkt_pubkey_t pk, cdk_pkt_signature_t sig, - cdk_md_hd_t digest, int * r_expired ); -cdk_md_hd_t cdk_md_open( int algo, unsigned int flags ); -void cdk_md_close( cdk_md_hd_t hd ); +int _cdk_sig_check(cdk_pkt_pubkey_t pk, cdk_pkt_signature_t sig, + cdk_md_hd_t digest, int *r_expired); +cdk_md_hd_t cdk_md_open(int algo, unsigned int flags); +void cdk_md_close(cdk_md_hd_t hd); /** * gnutls_openpgp_key_verify_self - Verify the self signature on the key @@ -150,8 +154,9 @@ void cdk_md_close( cdk_md_hd_t hd ); * * Returns 0 on success. **/ -int gnutls_openpgp_key_verify_self( gnutls_openpgp_key key, - unsigned int flags, unsigned int *verify) +int gnutls_openpgp_key_verify_self(gnutls_openpgp_key key, + unsigned int flags, + unsigned int *verify) { opaque key_id[8]; cdk_kbnode_t k; @@ -161,63 +166,63 @@ int gnutls_openpgp_key_verify_self( gnutls_openpgp_key key, cdk_packet_t pk = NULL; *verify = 0; - - pk = cdk_kbnode_get_packet( key->knode); + + pk = cdk_kbnode_get_packet(key->knode); if (!pk) { gnutls_assert(); return GNUTLS_E_INTERNAL_ERROR; } - rc = gnutls_openpgp_key_get_id( key, key_id); + rc = gnutls_openpgp_key_get_id(key, key_id); if (rc < 0) { - gnutls_assert(); - goto leave; + gnutls_assert(); + goto leave; } k = key->knode; - while( (k = cdk_kbnode_find_next( k, CDK_PKT_SIGNATURE)) != NULL) { + while ((k = cdk_kbnode_find_next(k, CDK_PKT_SIGNATURE)) != NULL) { + + packet = cdk_kbnode_get_packet(k); + if (!packet) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - packet = cdk_kbnode_get_packet( k); - if (!packet) { + if (memcmp(key_id, packet->pkt.signature->keyid, 8) == 0) { + /* found the self signature. + */ + md = cdk_md_open(packet->pkt.signature->digest_algo, 0); + if (!md) { gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - if (memcmp( key_id, packet->pkt.signature->keyid, 8)==0) { - /* found the self signature. - */ - md = cdk_md_open( packet->pkt.signature->digest_algo, 0); - if (!md) { - gnutls_assert(); - rc = GNUTLS_E_INTERNAL_ERROR; - goto leave; - } - - cdk_kbnode_hash( key->knode, md, 0, 0, 0 ); - - rc = _cdk_sig_check( pk->pkt.public_key, packet->pkt.signature, - md, &expired); - - if (rc != 0) { - *verify |= GNUTLS_CERT_INVALID; - } - - break; + rc = GNUTLS_E_INTERNAL_ERROR; + goto leave; + } + + cdk_kbnode_hash(key->knode, md, 0, 0, 0); + + rc = _cdk_sig_check(pk->pkt.public_key, packet->pkt.signature, + md, &expired); + + if (rc != 0) { + *verify |= GNUTLS_CERT_INVALID; } - - cdk_pkt_free( packet); - packet = NULL; + + break; + } + + cdk_pkt_free(packet); + packet = NULL; } rc = 0; - leave: - - cdk_pkt_free( packet); - cdk_pkt_free( pk); - cdk_md_close( md ); + leave: + + cdk_pkt_free(packet); + cdk_pkt_free(pk); + cdk_md_close(md); return rc; } @@ -241,32 +246,32 @@ int gnutls_openpgp_key_verify_self( gnutls_openpgp_key key, * * Returns 0 on success. **/ -int gnutls_openpgp_key_verify_trustdb( gnutls_openpgp_key key, - gnutls_openpgp_trustdb trustdb, - unsigned int flags, unsigned int *verify) +int gnutls_openpgp_key_verify_trustdb(gnutls_openpgp_key key, + gnutls_openpgp_trustdb trustdb, + unsigned int flags, + unsigned int *verify) { int rc = 0; - - if( !key) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; + + if (!key) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; } - if( !trustdb) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!trustdb) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - rc = openpgp_get_key_trust( trustdb, key, verify); - if( rc) - goto leave; + rc = openpgp_get_key_trust(trustdb, key, verify); + if (rc) + goto leave; rc = 0; - -leave: - if( rc ) { - gnutls_assert(); + + leave: + if (rc) { + gnutls_assert(); } return rc; } - diff --git a/libextra/openpgp/xml.c b/libextra/openpgp/xml.c index a67fa9cff7..f726acd7ea 100644 --- a/libextra/openpgp/xml.c +++ b/libextra/openpgp/xml.c @@ -25,114 +25,110 @@ #include <gnutls_errors.h> #include <opencdk.h> #include <openpgp.h> -#include <x509/rfc2818.h> /* for MAX_CN */ +#include <x509/rfc2818.h> /* for MAX_CN */ static int -xml_add_tag( gnutls_string *xmlkey, const char *tag, const char *val ) +xml_add_tag(gnutls_string * xmlkey, const char *tag, const char *val) { - if( !xmlkey || !tag || !val ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!xmlkey || !tag || !val) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - - _gnutls_string_append_str( xmlkey, " <" ); - _gnutls_string_append_str( xmlkey, tag ); - _gnutls_string_append_str( xmlkey, ">" ); - _gnutls_string_append_str( xmlkey, val ); - _gnutls_string_append_str( xmlkey, "</" ); - _gnutls_string_append_str( xmlkey, tag ); - _gnutls_string_append_str( xmlkey, ">\n" ); + + _gnutls_string_append_str(xmlkey, " <"); + _gnutls_string_append_str(xmlkey, tag); + _gnutls_string_append_str(xmlkey, ">"); + _gnutls_string_append_str(xmlkey, val); + _gnutls_string_append_str(xmlkey, "</"); + _gnutls_string_append_str(xmlkey, tag); + _gnutls_string_append_str(xmlkey, ">\n"); return 0; } static int -xml_add_mpi2( gnutls_string *xmlkey, const uint8 *data, size_t count, - const char *tag ) +xml_add_mpi2(gnutls_string * xmlkey, const uint8 * data, size_t count, + const char *tag) { char *p = NULL; size_t i; int rc = 0; - if( !xmlkey || !data || !tag ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!xmlkey || !data || !tag) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - p = gnutls_calloc( 1, 2 * ( count + 3 ) ); - if( !p ) { - gnutls_assert( ); - return GNUTLS_E_MEMORY_ERROR; + p = gnutls_calloc(1, 2 * (count + 3)); + if (!p) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } - for( i = 0; i < count; i++ ) - sprintf( p + 2 * i, "%02X", data[i] ); + for (i = 0; i < count; i++) + sprintf(p + 2 * i, "%02X", data[i]); p[2 * count] = '\0'; - - rc = xml_add_tag( xmlkey, tag, p ); - gnutls_free( p ); - + + rc = xml_add_tag(xmlkey, tag, p); + gnutls_free(p); + return rc; } static int -xml_add_mpi( gnutls_string *xmlkey, cdk_pkt_pubkey_t pk, int idx, - const char *tag ) +xml_add_mpi(gnutls_string * xmlkey, cdk_pkt_pubkey_t pk, int idx, + const char *tag) { uint8 buf[4096]; size_t nbytes; - - nbytes = sizeof buf-1; - cdk_pk_get_mpi( pk, idx, buf, &nbytes, NULL ); - return xml_add_mpi2( xmlkey, buf, nbytes, tag ); + + nbytes = sizeof buf - 1; + cdk_pk_get_mpi(pk, idx, buf, &nbytes, NULL); + return xml_add_mpi2(xmlkey, buf, nbytes, tag); } - -static int -xml_add_key_mpi( gnutls_string *xmlkey, cdk_pkt_pubkey_t pk ) + +static int xml_add_key_mpi(gnutls_string * xmlkey, cdk_pkt_pubkey_t pk) { const char *s = " <KEY ENCODING=\"HEX\"/>\n"; int rc = 0; - if( !xmlkey || !pk ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!xmlkey || !pk) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - - _gnutls_string_append_str( xmlkey, s ); - - if( is_RSA( pk->pubkey_algo ) ) { - rc = xml_add_mpi( xmlkey, pk, 0, "RSA-N" ); - if( !rc ) - rc = xml_add_mpi( xmlkey, pk, 1, "RSA-E" ); - } - else if( is_DSA( pk->pubkey_algo ) ) { - rc = xml_add_mpi( xmlkey, pk, 0, "DSA-P" ); - if( !rc ) - rc = xml_add_mpi( xmlkey, pk, 1, "DSA-Q" ); - if( !rc ) - rc = xml_add_mpi( xmlkey, pk, 2, "DSA-G" ); - if( !rc ) - rc = xml_add_mpi( xmlkey, pk, 3, "DSA-Y" ); - } - else if( is_ELG( pk->pubkey_algo ) ) { - rc = xml_add_mpi( xmlkey, pk, 0, "ELG-P" ); - if( !rc ) - rc = xml_add_mpi( xmlkey, pk, 1, "ELG-G" ); - if( !rc ) - rc = xml_add_mpi( xmlkey, pk, 2, "ELG-Y" ); - } - else - return GNUTLS_E_UNWANTED_ALGORITHM; - + + _gnutls_string_append_str(xmlkey, s); + + if (is_RSA(pk->pubkey_algo)) { + rc = xml_add_mpi(xmlkey, pk, 0, "RSA-N"); + if (!rc) + rc = xml_add_mpi(xmlkey, pk, 1, "RSA-E"); + } else if (is_DSA(pk->pubkey_algo)) { + rc = xml_add_mpi(xmlkey, pk, 0, "DSA-P"); + if (!rc) + rc = xml_add_mpi(xmlkey, pk, 1, "DSA-Q"); + if (!rc) + rc = xml_add_mpi(xmlkey, pk, 2, "DSA-G"); + if (!rc) + rc = xml_add_mpi(xmlkey, pk, 3, "DSA-Y"); + } else if (is_ELG(pk->pubkey_algo)) { + rc = xml_add_mpi(xmlkey, pk, 0, "ELG-P"); + if (!rc) + rc = xml_add_mpi(xmlkey, pk, 1, "ELG-G"); + if (!rc) + rc = xml_add_mpi(xmlkey, pk, 2, "ELG-Y"); + } else + return GNUTLS_E_UNWANTED_ALGORITHM; + return 0; } static int -xml_add_key( gnutls_string *xmlkey, int ext, cdk_pkt_pubkey_t pk, int sub ) +xml_add_key(gnutls_string * xmlkey, int ext, cdk_pkt_pubkey_t pk, int sub) { const char *algo, *s; char keyid[16], fpr[41], tmp[32]; @@ -140,183 +136,198 @@ xml_add_key( gnutls_string *xmlkey, int ext, cdk_pkt_pubkey_t pk, int sub ) unsigned int kid[2]; int i = 0, rc = 0; - if( !xmlkey || !pk ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!xmlkey || !pk) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - - s = sub? " <SUBKEY>\n" : " <MAINKEY>\n"; - _gnutls_string_append_str( xmlkey, s ); - - cdk_pk_get_keyid( pk, kid ); - snprintf( keyid, 16, "%08lX%08lX", kid[0], kid[1] ); - rc = xml_add_tag( xmlkey, "KEYID", keyid ); - if( rc ) - return rc; - - cdk_pk_get_fingerprint( pk, fingerpr ); - for ( i = 0; i < 20; i++ ) - sprintf( fpr + 2 * i, "%02X", fingerpr[i] ); + + s = sub ? " <SUBKEY>\n" : " <MAINKEY>\n"; + _gnutls_string_append_str(xmlkey, s); + + cdk_pk_get_keyid(pk, kid); + snprintf(keyid, 16, "%08lX%08lX", kid[0], kid[1]); + rc = xml_add_tag(xmlkey, "KEYID", keyid); + if (rc) + return rc; + + cdk_pk_get_fingerprint(pk, fingerpr); + for (i = 0; i < 20; i++) + sprintf(fpr + 2 * i, "%02X", fingerpr[i]); fpr[40] = '\0'; - rc = xml_add_tag( xmlkey, "FINGERPRINT", fpr ); - if( rc ) - return rc; - - if( is_DSA( pk->pubkey_algo ) ) - algo = "DSA"; - else if( is_RSA( pk->pubkey_algo ) ) - algo = "RSA"; - else if( is_ELG( pk->pubkey_algo ) ) - algo = "ELG"; - else algo = "???"; - rc = xml_add_tag( xmlkey, "PKALGO", algo ); - if( rc ) - return rc; - - sprintf( tmp, "%d", cdk_pk_get_nbits( pk ) ); - rc = xml_add_tag( xmlkey, "KEYLEN", tmp ); - if( rc ) - return rc; - - sprintf( tmp, "%lu", pk->timestamp ); - rc = xml_add_tag( xmlkey, "CREATED", tmp ); - if( rc ) - return rc; - - if( pk->expiredate > 0 ) { - sprintf( tmp, "%lu", (unsigned long)pk->expiredate ); - rc = xml_add_tag( xmlkey, "EXPIREDATE", tmp ); - if( rc ) - return rc; + rc = xml_add_tag(xmlkey, "FINGERPRINT", fpr); + if (rc) + return rc; + + if (is_DSA(pk->pubkey_algo)) + algo = "DSA"; + else if (is_RSA(pk->pubkey_algo)) + algo = "RSA"; + else if (is_ELG(pk->pubkey_algo)) + algo = "ELG"; + else + algo = "???"; + rc = xml_add_tag(xmlkey, "PKALGO", algo); + if (rc) + return rc; + + sprintf(tmp, "%d", cdk_pk_get_nbits(pk)); + rc = xml_add_tag(xmlkey, "KEYLEN", tmp); + if (rc) + return rc; + + sprintf(tmp, "%lu", pk->timestamp); + rc = xml_add_tag(xmlkey, "CREATED", tmp); + if (rc) + return rc; + + if (pk->expiredate > 0) { + sprintf(tmp, "%lu", (unsigned long) pk->expiredate); + rc = xml_add_tag(xmlkey, "EXPIREDATE", tmp); + if (rc) + return rc; } - sprintf( tmp, "%d", pk->is_revoked ); - rc = xml_add_tag( xmlkey, "REVOKED", tmp ); - if( rc ) - return rc; + sprintf(tmp, "%d", pk->is_revoked); + rc = xml_add_tag(xmlkey, "REVOKED", tmp); + if (rc) + return rc; - if( ext ) { - rc = xml_add_key_mpi( xmlkey, pk ); - if( rc ) - return rc; + if (ext) { + rc = xml_add_key_mpi(xmlkey, pk); + if (rc) + return rc; } - - s = sub? " </SUBKEY>\n" : " </MAINKEY>\n"; - _gnutls_string_append_str( xmlkey, s ); + + s = sub ? " </SUBKEY>\n" : " </MAINKEY>\n"; + _gnutls_string_append_str(xmlkey, s); return 0; } static int -xml_add_userid( gnutls_string *xmlkey, int ext, - const char* dn, cdk_pkt_userid_t id) +xml_add_userid(gnutls_string * xmlkey, int ext, + const char *dn, cdk_pkt_userid_t id) { const char *s; char tmp[32]; int rc = 0; - if( !xmlkey || !dn || !id ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!xmlkey || !dn || !id) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } s = " <USERID>\n"; - _gnutls_string_append_str( xmlkey, s ); - - rc = xml_add_tag( xmlkey, "NAME", dn); - if( rc ) - return rc; - - if ( ext ) { - sprintf( tmp, "%d", id->is_primary ); - rc = xml_add_tag( xmlkey, "PRIMARY", tmp ); - if( rc ) - return rc; - sprintf( tmp, "%d", id->is_revoked ); - rc = xml_add_tag( xmlkey, "REVOKED", tmp ); - if( rc ) - return rc; + _gnutls_string_append_str(xmlkey, s); + + rc = xml_add_tag(xmlkey, "NAME", dn); + if (rc) + return rc; + + if (ext) { + sprintf(tmp, "%d", id->is_primary); + rc = xml_add_tag(xmlkey, "PRIMARY", tmp); + if (rc) + return rc; + sprintf(tmp, "%d", id->is_revoked); + rc = xml_add_tag(xmlkey, "REVOKED", tmp); + if (rc) + return rc; } s = " </USERID>\n"; - _gnutls_string_append_str( xmlkey, s ); - + _gnutls_string_append_str(xmlkey, s); + return 0; } static int -xml_add_sig( gnutls_string *xmlkey, int ext, cdk_pkt_signature_t sig ) +xml_add_sig(gnutls_string * xmlkey, int ext, cdk_pkt_signature_t sig) { const char *algo, *s; char tmp[32], keyid[16]; unsigned int kid[2]; int rc = 0; - if( !xmlkey || !sig ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!xmlkey || !sig) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } s = " <SIGNATURE>\n"; - _gnutls_string_append_str( xmlkey, s ); - - sprintf( tmp, "%d", sig->version ); - rc = xml_add_tag( xmlkey, "VERSION", tmp ); - if( rc ) - return rc; - - if( ext ) { - sprintf( tmp, "%d", sig->sig_class ); - rc = xml_add_tag( xmlkey, "SIGCLASS", tmp ); - if( rc ) - return rc; + _gnutls_string_append_str(xmlkey, s); + + sprintf(tmp, "%d", sig->version); + rc = xml_add_tag(xmlkey, "VERSION", tmp); + if (rc) + return rc; + + if (ext) { + sprintf(tmp, "%d", sig->sig_class); + rc = xml_add_tag(xmlkey, "SIGCLASS", tmp); + if (rc) + return rc; } - - sprintf( tmp, "%d", sig->flags.expired ); - rc = xml_add_tag( xmlkey, "EXPIRED", tmp ); - if( rc ) - return rc; - - if ( ext ) { - switch( sig->pubkey_algo ) { - case GCRY_PK_DSA : algo = "DSA"; break; - case GCRY_PK_ELG : - case GCRY_PK_ELG_E: algo = "ELG"; break; - case GCRY_PK_RSA : - case GCRY_PK_RSA_E: - case GCRY_PK_RSA_S: algo = "RSA"; break; - default : algo = "???"; /* unknown algorithm */ - } - rc = xml_add_tag( xmlkey, "PKALGO", algo ); - if( rc ) - return rc; - - switch( sig->digest_algo ) { - case GCRY_MD_SHA1 : algo = "SHA1"; break; - case GCRY_MD_RMD160: algo = "RMD160"; break; - case GCRY_MD_MD5 : algo = "MD5"; break; - default : algo = "???"; - } - rc = xml_add_tag( xmlkey, "MDALGO", algo ); - if( rc ) - return rc; - } - - sprintf( tmp, "%lu", sig->timestamp ); - rc = xml_add_tag( xmlkey, "CREATED", tmp ); - if( rc ) - return rc; - - cdk_sig_get_keyid( sig, kid ); - snprintf( keyid, 16, "%08lX%08lX", kid[0], kid[1] ); - rc = xml_add_tag( xmlkey, "KEYID", keyid ); - if( rc ) - return rc; + + sprintf(tmp, "%d", sig->flags.expired); + rc = xml_add_tag(xmlkey, "EXPIRED", tmp); + if (rc) + return rc; + + if (ext) { + switch (sig->pubkey_algo) { + case GCRY_PK_DSA: + algo = "DSA"; + break; + case GCRY_PK_ELG: + case GCRY_PK_ELG_E: + algo = "ELG"; + break; + case GCRY_PK_RSA: + case GCRY_PK_RSA_E: + case GCRY_PK_RSA_S: + algo = "RSA"; + break; + default: + algo = "???"; /* unknown algorithm */ + } + rc = xml_add_tag(xmlkey, "PKALGO", algo); + if (rc) + return rc; + + switch (sig->digest_algo) { + case GCRY_MD_SHA1: + algo = "SHA1"; + break; + case GCRY_MD_RMD160: + algo = "RMD160"; + break; + case GCRY_MD_MD5: + algo = "MD5"; + break; + default: + algo = "???"; + } + rc = xml_add_tag(xmlkey, "MDALGO", algo); + if (rc) + return rc; + } + + sprintf(tmp, "%lu", sig->timestamp); + rc = xml_add_tag(xmlkey, "CREATED", tmp); + if (rc) + return rc; + + cdk_sig_get_keyid(sig, kid); + snprintf(keyid, 16, "%08lX%08lX", kid[0], kid[1]); + rc = xml_add_tag(xmlkey, "KEYID", keyid); + if (rc) + return rc; s = " </SIGNATURE>\n"; - _gnutls_string_append_str( xmlkey, s ); + _gnutls_string_append_str(xmlkey, s); return 0; } @@ -332,8 +343,8 @@ xml_add_sig( gnutls_string *xmlkey, int ext, cdk_pkt_signature_t sig ) * a XML string. **/ int -gnutls_openpgp_key_to_xml( gnutls_openpgp_key key, - gnutls_datum *xmlkey, int ext ) +gnutls_openpgp_key_to_xml(gnutls_openpgp_key key, + gnutls_datum * xmlkey, int ext) { cdk_kbnode_t node, ctx = NULL; cdk_packet_t pkt; @@ -343,61 +354,61 @@ gnutls_openpgp_key_to_xml( gnutls_openpgp_key key, int idx = 0, rc = 0; gnutls_string string_xml_key; - if( !key || !xmlkey ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!key || !xmlkey) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - _gnutls_string_init( &string_xml_key, malloc, realloc, free ); - memset( xmlkey, 0, sizeof *xmlkey ); + _gnutls_string_init(&string_xml_key, malloc, realloc, free); + memset(xmlkey, 0, sizeof *xmlkey); s = "<?xml version=\"1.0\"?>\n\n"; - _gnutls_string_append_str( &string_xml_key, s ); + _gnutls_string_append_str(&string_xml_key, s); s = "<gnutls:openpgp:key version=\"1.0\">\n"; - _gnutls_string_append_str( &string_xml_key, s ); - + _gnutls_string_append_str(&string_xml_key, s); + s = " <OPENPGPKEY>\n"; - _gnutls_string_append_str( &string_xml_key, s ); + _gnutls_string_append_str(&string_xml_key, s); idx = 1; - while( (node = cdk_kbnode_walk( key->knode, &ctx, 0 )) ) { - pkt = cdk_kbnode_get_packet( node ); - switch ( pkt->pkttype ) { - case CDK_PKT_PUBLIC_KEY: - rc = xml_add_key( &string_xml_key, ext, pkt->pkt.public_key, 0 ); - break; - - case CDK_PKT_PUBLIC_SUBKEY: - rc = xml_add_key( &string_xml_key, ext, pkt->pkt.public_key, 1 ); - break; - - case CDK_PKT_USER_ID: - name_len = sizeof(name); - gnutls_openpgp_key_get_name( key, idx, name, &name_len); - rc = xml_add_userid( &string_xml_key, ext, name, pkt->pkt.user_id ); - idx++; - break; - - case CDK_PKT_SIGNATURE: - rc = xml_add_sig( &string_xml_key, ext, pkt->pkt.signature ); - break; - - default: - break; - } + while ((node = cdk_kbnode_walk(key->knode, &ctx, 0))) { + pkt = cdk_kbnode_get_packet(node); + switch (pkt->pkttype) { + case CDK_PKT_PUBLIC_KEY: + rc = xml_add_key(&string_xml_key, ext, pkt->pkt.public_key, 0); + break; + + case CDK_PKT_PUBLIC_SUBKEY: + rc = xml_add_key(&string_xml_key, ext, pkt->pkt.public_key, 1); + break; + + case CDK_PKT_USER_ID: + name_len = sizeof(name); + gnutls_openpgp_key_get_name(key, idx, name, &name_len); + rc = xml_add_userid(&string_xml_key, ext, name, + pkt->pkt.user_id); + idx++; + break; + + case CDK_PKT_SIGNATURE: + rc = xml_add_sig(&string_xml_key, ext, pkt->pkt.signature); + break; + + default: + break; + } } - if( !rc ) { - s = " </OPENPGPKEY>\n"; - _gnutls_string_append_str( &string_xml_key, s ); + if (!rc) { + s = " </OPENPGPKEY>\n"; + _gnutls_string_append_str(&string_xml_key, s); } s = "</gnutls:openpgp:key>\n"; - _gnutls_string_append_str( &string_xml_key, s ); - _gnutls_string_append_data( &string_xml_key, "\n\0", 2 ); + _gnutls_string_append_str(&string_xml_key, s); + _gnutls_string_append_data(&string_xml_key, "\n\0", 2); - *xmlkey = _gnutls_string2datum( &string_xml_key ); + *xmlkey = _gnutls_string2datum(&string_xml_key); xmlkey->size--; return rc; } - diff --git a/libextra/openssl_compat.c b/libextra/openssl_compat.c index 247cad1bdf..2752d5cb84 100644 --- a/libextra/openssl_compat.c +++ b/libextra/openssl_compat.c @@ -27,7 +27,7 @@ #include <gnutls_global.h> #include <gnutls_errors.h> -#include <string.h> /* memset */ +#include <string.h> /* memset */ #include <x509/dn.h> #include <libtasn1.h> #include <gnutls/x509.h> @@ -45,50 +45,58 @@ **/ int gnutls_x509_extract_dn(const gnutls_datum * idn, gnutls_x509_dn * rdn) { - ASN1_TYPE dn = ASN1_TYPE_EMPTY; - int result; - size_t len; - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Name", &dn - )) != ASN1_SUCCESS) { - return _gnutls_asn2err(result); - } - - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); - } + ASN1_TYPE dn = ASN1_TYPE_EMPTY; + int result; + size_t len; + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) { + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } - memset( rdn, 0, sizeof(gnutls_x509_dn)); + memset(rdn, 0, sizeof(gnutls_x509_dn)); - len = sizeof(rdn->country); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, rdn->country, &len); + len = sizeof(rdn->country); + _gnutls_x509_parse_dn_oid(dn, "", GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, + rdn->country, &len); - len = sizeof(rdn->organization); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, rdn->organization, &len); + len = sizeof(rdn->organization); + _gnutls_x509_parse_dn_oid(dn, "", GNUTLS_OID_X520_ORGANIZATION_NAME, 0, + 0, rdn->organization, &len); - len = sizeof(rdn->organizational_unit_name); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0, rdn->organizational_unit_name, &len); + len = sizeof(rdn->organizational_unit_name); + _gnutls_x509_parse_dn_oid(dn, "", + GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, + 0, rdn->organizational_unit_name, &len); - len = sizeof(rdn->common_name); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_COMMON_NAME, 0, 0, rdn->common_name, &len); + len = sizeof(rdn->common_name); + _gnutls_x509_parse_dn_oid(dn, "", GNUTLS_OID_X520_COMMON_NAME, 0, 0, + rdn->common_name, &len); - len = sizeof(rdn->locality_name); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, rdn->locality_name, &len); + len = sizeof(rdn->locality_name); + _gnutls_x509_parse_dn_oid(dn, "", GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, + rdn->locality_name, &len); - len = sizeof(rdn->state_or_province_name); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0, rdn->state_or_province_name, &len); + len = sizeof(rdn->state_or_province_name); + _gnutls_x509_parse_dn_oid(dn, "", + GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0, + rdn->state_or_province_name, &len); - len = sizeof(rdn->email); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_PKCS9_EMAIL, 0, 0, rdn->email, &len); + len = sizeof(rdn->email); + _gnutls_x509_parse_dn_oid(dn, "", GNUTLS_OID_PKCS9_EMAIL, 0, 0, + rdn->email, &len); - asn1_delete_structure(&dn); + asn1_delete_structure(&dn); - return 0; + return 0; } /** @@ -103,52 +111,56 @@ int gnutls_x509_extract_dn(const gnutls_datum * idn, gnutls_x509_dn * rdn) * **/ int gnutls_x509_extract_certificate_dn(const gnutls_datum * cert, - gnutls_x509_dn * ret) + gnutls_x509_dn * ret) { - gnutls_x509_crt xcert; - int result; - size_t len; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } + gnutls_x509_crt xcert; + int result; + size_t len; - len = sizeof( ret->country); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, - ret->country, &len); + result = gnutls_x509_crt_init(&xcert); + if (result < 0) + return result; - len = sizeof( ret->organization); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, - ret->organization, &len); + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); + return result; + } - len = sizeof( ret->organizational_unit_name); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0, - ret->organizational_unit_name, &len); + len = sizeof(ret->country); + gnutls_x509_crt_get_dn_by_oid(xcert, GNUTLS_OID_X520_COUNTRY_NAME, 0, + 0, ret->country, &len); - len = sizeof( ret->common_name); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, - ret->common_name, &len); + len = sizeof(ret->organization); + gnutls_x509_crt_get_dn_by_oid(xcert, GNUTLS_OID_X520_ORGANIZATION_NAME, + 0, 0, ret->organization, &len); - len = sizeof( ret->locality_name); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, - ret->locality_name, &len); + len = sizeof(ret->organizational_unit_name); + gnutls_x509_crt_get_dn_by_oid(xcert, + GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, + 0, 0, ret->organizational_unit_name, + &len); - len = sizeof( ret->state_or_province_name); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0, - ret->state_or_province_name, &len); + len = sizeof(ret->common_name); + gnutls_x509_crt_get_dn_by_oid(xcert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, + ret->common_name, &len); - len = sizeof( ret->email); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_PKCS9_EMAIL, 0, 0, - ret->email, &len); + len = sizeof(ret->locality_name); + gnutls_x509_crt_get_dn_by_oid(xcert, GNUTLS_OID_X520_LOCALITY_NAME, 0, + 0, ret->locality_name, &len); - gnutls_x509_crt_deinit( xcert); + len = sizeof(ret->state_or_province_name); + gnutls_x509_crt_get_dn_by_oid(xcert, + GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, + 0, 0, ret->state_or_province_name, &len); - return 0; + len = sizeof(ret->email); + gnutls_x509_crt_get_dn_by_oid(xcert, GNUTLS_OID_PKCS9_EMAIL, 0, 0, + ret->email, &len); + + gnutls_x509_crt_deinit(xcert); + + return 0; } /** @@ -163,52 +175,62 @@ int gnutls_x509_extract_certificate_dn(const gnutls_datum * cert, * **/ int gnutls_x509_extract_certificate_issuer_dn(const gnutls_datum * cert, - gnutls_x509_dn * ret) + gnutls_x509_dn * ret) { - gnutls_x509_crt xcert; - int result; - size_t len; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - len = sizeof( ret->country); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, - ret->country, &len); - - len = sizeof( ret->organization); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, - ret->organization, &len); - - len = sizeof( ret->organizational_unit_name); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0, - ret->organizational_unit_name, &len); - - len = sizeof( ret->common_name); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, - ret->common_name, &len); + gnutls_x509_crt xcert; + int result; + size_t len; - len = sizeof( ret->locality_name); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, - ret->locality_name, &len); - - len = sizeof( ret->state_or_province_name); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0, - ret->state_or_province_name, &len); - - len = sizeof( ret->email); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_PKCS9_EMAIL, 0, 0, - ret->email, &len); - - gnutls_x509_crt_deinit( xcert); + result = gnutls_x509_crt_init(&xcert); + if (result < 0) + return result; - return 0; + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); + return result; + } + + len = sizeof(ret->country); + gnutls_x509_crt_get_issuer_dn_by_oid(xcert, + GNUTLS_OID_X520_COUNTRY_NAME, 0, + 0, ret->country, &len); + + len = sizeof(ret->organization); + gnutls_x509_crt_get_issuer_dn_by_oid(xcert, + GNUTLS_OID_X520_ORGANIZATION_NAME, + 0, 0, ret->organization, &len); + + len = sizeof(ret->organizational_unit_name); + gnutls_x509_crt_get_issuer_dn_by_oid(xcert, + GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, + 0, 0, + ret->organizational_unit_name, + &len); + + len = sizeof(ret->common_name); + gnutls_x509_crt_get_issuer_dn_by_oid(xcert, + GNUTLS_OID_X520_COMMON_NAME, 0, 0, + ret->common_name, &len); + + len = sizeof(ret->locality_name); + gnutls_x509_crt_get_issuer_dn_by_oid(xcert, + GNUTLS_OID_X520_LOCALITY_NAME, 0, + 0, ret->locality_name, &len); + + len = sizeof(ret->state_or_province_name); + gnutls_x509_crt_get_issuer_dn_by_oid(xcert, + GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, + 0, 0, ret->state_or_province_name, + &len); + + len = sizeof(ret->email); + gnutls_x509_crt_get_issuer_dn_by_oid(xcert, GNUTLS_OID_PKCS9_EMAIL, 0, + 0, ret->email, &len); + + gnutls_x509_crt_deinit(xcert); + + return 0; } @@ -233,27 +255,32 @@ int gnutls_x509_extract_certificate_issuer_dn(const gnutls_datum * cert, * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; * **/ -int gnutls_x509_extract_certificate_subject_alt_name(const gnutls_datum * cert, int seq, char *ret, int *ret_size) +int gnutls_x509_extract_certificate_subject_alt_name(const gnutls_datum * + cert, int seq, + char *ret, + int *ret_size) { - gnutls_x509_crt xcert; - int result; - size_t size = *ret_size; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_subject_alt_name( xcert, seq, ret, &size, NULL); - *ret_size = size; - - gnutls_x509_crt_deinit( xcert); - + gnutls_x509_crt xcert; + int result; + size_t size = *ret_size; + + result = gnutls_x509_crt_init(&xcert); + if (result < 0) return result; + + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); + return result; + } + + result = + gnutls_x509_crt_get_subject_alt_name(xcert, seq, ret, &size, NULL); + *ret_size = size; + + gnutls_x509_crt_deinit(xcert); + + return result; } /** @@ -272,23 +299,24 @@ int gnutls_x509_extract_certificate_subject_alt_name(const gnutls_datum * cert, **/ int gnutls_x509_extract_certificate_ca_status(const gnutls_datum * cert) { - gnutls_x509_crt xcert; - int result; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_ca_status( xcert, NULL); - - gnutls_x509_crt_deinit( xcert); - + gnutls_x509_crt xcert; + int result; + + result = gnutls_x509_crt_init(&xcert); + if (result < 0) return result; + + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); + return result; + } + + result = gnutls_x509_crt_get_ca_status(xcert, NULL); + + gnutls_x509_crt_deinit(xcert); + + return result; } /** @@ -301,26 +329,26 @@ int gnutls_x509_extract_certificate_ca_status(const gnutls_datum * cert) * **/ time_t gnutls_x509_extract_certificate_activation_time(const - gnutls_datum * - cert) + gnutls_datum * cert) { - gnutls_x509_crt xcert; - time_t result; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_activation_time( xcert); - - gnutls_x509_crt_deinit( xcert); - + gnutls_x509_crt xcert; + time_t result; + + result = gnutls_x509_crt_init(&xcert); + if (result < 0) + return result; + + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); return result; + } + + result = gnutls_x509_crt_get_activation_time(xcert); + + gnutls_x509_crt_deinit(xcert); + + return result; } /** @@ -333,26 +361,26 @@ time_t gnutls_x509_extract_certificate_activation_time(const * **/ time_t gnutls_x509_extract_certificate_expiration_time(const - gnutls_datum * - cert) + gnutls_datum * cert) { - gnutls_x509_crt xcert; - time_t result; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_expiration_time( xcert); - - gnutls_x509_crt_deinit( xcert); - + gnutls_x509_crt xcert; + time_t result; + + result = gnutls_x509_crt_init(&xcert); + if (result < 0) + return result; + + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); return result; + } + + result = gnutls_x509_crt_get_expiration_time(xcert); + + gnutls_x509_crt_deinit(xcert); + + return result; } /** @@ -365,23 +393,24 @@ time_t gnutls_x509_extract_certificate_expiration_time(const **/ int gnutls_x509_extract_certificate_version(const gnutls_datum * cert) { - gnutls_x509_crt xcert; - int result; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_version( xcert); - - gnutls_x509_crt_deinit( xcert); - + gnutls_x509_crt xcert; + int result; + + result = gnutls_x509_crt_init(&xcert); + if (result < 0) + return result; + + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); return result; + } + + result = gnutls_x509_crt_get_version(xcert); + + gnutls_x509_crt_deinit(xcert); + + return result; } @@ -399,27 +428,29 @@ int gnutls_x509_extract_certificate_version(const gnutls_datum * cert) * Returns a negative value in case of an error. * **/ -int gnutls_x509_extract_certificate_serial(const gnutls_datum * cert, char* result, int* result_size) +int gnutls_x509_extract_certificate_serial(const gnutls_datum * cert, + char *result, int *result_size) { - gnutls_x509_crt xcert; - size_t size = *result_size; - int ret; - - ret = gnutls_x509_crt_init( &xcert); - if (ret < 0) return ret; - - ret = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_x509_crt_deinit( xcert); - return ret; - } - - ret = gnutls_x509_crt_get_serial( xcert, result, &size); - *result_size = size; - - gnutls_x509_crt_deinit( xcert); - + gnutls_x509_crt xcert; + size_t size = *result_size; + int ret; + + ret = gnutls_x509_crt_init(&xcert); + if (ret < 0) + return ret; + + ret = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_x509_crt_deinit(xcert); return ret; + } + + ret = gnutls_x509_crt_get_serial(xcert, result, &size); + *result_size = size; + + gnutls_x509_crt_deinit(xcert); + + return ret; } @@ -440,25 +471,27 @@ int gnutls_x509_extract_certificate_serial(const gnutls_datum * cert, char* resu * or a negative value on error. * **/ -int gnutls_x509_extract_certificate_pk_algorithm( const gnutls_datum * cert, int* bits) +int gnutls_x509_extract_certificate_pk_algorithm(const gnutls_datum * cert, + int *bits) { - gnutls_x509_crt xcert; - int result; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_pk_algorithm( xcert, bits); - - gnutls_x509_crt_deinit( xcert); - + gnutls_x509_crt xcert; + int result; + + result = gnutls_x509_crt_init(&xcert); + if (result < 0) + return result; + + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); return result; + } + + result = gnutls_x509_crt_get_pk_algorithm(xcert, bits); + + gnutls_x509_crt_deinit(xcert); + + return result; } @@ -476,29 +509,32 @@ int gnutls_x509_extract_certificate_pk_algorithm( const gnutls_datum * cert, int * and 0 on success. * **/ -int gnutls_x509_extract_certificate_dn_string(char *buf, unsigned int sizeof_buf, - const gnutls_datum * cert, int issuer) +int gnutls_x509_extract_certificate_dn_string(char *buf, + unsigned int sizeof_buf, + const gnutls_datum * cert, + int issuer) { - gnutls_x509_crt xcert; - int result; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - if (!issuer) - result = gnutls_x509_crt_get_dn( xcert, buf, &sizeof_buf); - else - result = gnutls_x509_crt_get_issuer_dn( xcert, buf, &sizeof_buf); - - gnutls_x509_crt_deinit( xcert); - + gnutls_x509_crt xcert; + int result; + + result = gnutls_x509_crt_init(&xcert); + if (result < 0) + return result; + + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); return result; + } + + if (!issuer) + result = gnutls_x509_crt_get_dn(xcert, buf, &sizeof_buf); + else + result = gnutls_x509_crt_get_issuer_dn(xcert, buf, &sizeof_buf); + + gnutls_x509_crt_deinit(xcert); + + return result; } /** @@ -534,157 +570,156 @@ int gnutls_x509_extract_certificate_dn_string(char *buf, unsigned int sizeof_buf * * **/ -int gnutls_x509_verify_certificate( const gnutls_datum* cert_list, int cert_list_length, - const gnutls_datum * CA_list, int CA_list_length, - const gnutls_datum* CRL_list, int CRL_list_length) +int gnutls_x509_verify_certificate(const gnutls_datum * cert_list, + int cert_list_length, + const gnutls_datum * CA_list, + int CA_list_length, + const gnutls_datum * CRL_list, + int CRL_list_length) { - unsigned int verify; - gnutls_x509_crt *peer_certificate_list = NULL; - gnutls_x509_crt *ca_certificate_list = NULL; - gnutls_x509_crl *crl_list = NULL; - int peer_certificate_list_size=0, i, x, ret; - int ca_certificate_list_size=0, crl_list_size=0; - - if (cert_list == NULL || cert_list_length == 0) - return GNUTLS_E_NO_CERTIFICATE_FOUND; - - /* generate a list of gnutls_certs based on the auth info - * raw certs. - */ - peer_certificate_list_size = cert_list_length; - peer_certificate_list = - gnutls_calloc(1, - peer_certificate_list_size * - sizeof(gnutls_x509_crt)); - if (peer_certificate_list == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - ca_certificate_list_size = CA_list_length; - ca_certificate_list = - gnutls_calloc(1, - ca_certificate_list_size * - sizeof(gnutls_x509_crt)); - if (ca_certificate_list == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + unsigned int verify; + gnutls_x509_crt *peer_certificate_list = NULL; + gnutls_x509_crt *ca_certificate_list = NULL; + gnutls_x509_crl *crl_list = NULL; + int peer_certificate_list_size = 0, i, x, ret; + int ca_certificate_list_size = 0, crl_list_size = 0; + + if (cert_list == NULL || cert_list_length == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; + + /* generate a list of gnutls_certs based on the auth info + * raw certs. + */ + peer_certificate_list_size = cert_list_length; + peer_certificate_list = + gnutls_calloc(1, + peer_certificate_list_size * + sizeof(gnutls_x509_crt)); + if (peer_certificate_list == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + ca_certificate_list_size = CA_list_length; + ca_certificate_list = + gnutls_calloc(1, + ca_certificate_list_size * sizeof(gnutls_x509_crt)); + if (ca_certificate_list == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + /* allocate memory for CRL + */ + crl_list_size = CRL_list_length; + crl_list = gnutls_calloc(1, crl_list_size * sizeof(gnutls_x509_crl)); + if (crl_list == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + /* convert certA_list to gnutls_cert* list + */ + for (i = 0; i < peer_certificate_list_size; i++) { + ret = gnutls_x509_crt_init(&peer_certificate_list[i]); + if (ret < 0) { + gnutls_assert(); + goto cleanup; } - /* allocate memory for CRL - */ - crl_list_size = CRL_list_length; - crl_list = - gnutls_calloc(1, - crl_list_size * - sizeof(gnutls_x509_crl)); - if (crl_list == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + ret = + gnutls_x509_crt_import(peer_certificate_list[i], + &cert_list[i], GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + goto cleanup; } + } - /* convert certA_list to gnutls_cert* list - */ - for (i = 0; i < peer_certificate_list_size; i++) { - ret = gnutls_x509_crt_init( &peer_certificate_list[i]); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - - ret = - gnutls_x509_crt_import(peer_certificate_list[i], - &cert_list[i], GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } + /* convert CA_list to gnutls_x509_cert* list + */ + for (i = 0; i < ca_certificate_list_size; i++) { + ret = gnutls_x509_crt_init(&ca_certificate_list[i]); + if (ret < 0) { + gnutls_assert(); + goto cleanup; } - /* convert CA_list to gnutls_x509_cert* list - */ - for (i = 0; i < ca_certificate_list_size; i++) { - ret = gnutls_x509_crt_init(&ca_certificate_list[i]); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - - ret = - gnutls_x509_crt_import(ca_certificate_list[i], - &CA_list[i], GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } + ret = + gnutls_x509_crt_import(ca_certificate_list[i], + &CA_list[i], GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + goto cleanup; } + } #ifdef ENABLE_PKI - /* convert CRL_list to gnutls_x509_crl* list - */ - for (i = 0; i < crl_list_size; i++) { - ret = gnutls_x509_crl_init( &crl_list[i]); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - - ret = - gnutls_x509_crl_import(crl_list[i], - &CRL_list[i], GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } + /* convert CRL_list to gnutls_x509_crl* list + */ + for (i = 0; i < crl_list_size; i++) { + ret = gnutls_x509_crl_init(&crl_list[i]); + if (ret < 0) { + gnutls_assert(); + goto cleanup; } -#endif - /* Verify certificate - */ ret = - gnutls_x509_crt_list_verify(peer_certificate_list, - peer_certificate_list_size, - ca_certificate_list, ca_certificate_list_size, - crl_list, crl_list_size, 0, &verify); - + gnutls_x509_crl_import(crl_list[i], + &CRL_list[i], GNUTLS_X509_FMT_DER); if (ret < 0) { - gnutls_assert(); - goto cleanup; + gnutls_assert(); + goto cleanup; } - - ret = verify; + } +#endif - cleanup: + /* Verify certificate + */ + ret = + gnutls_x509_crt_list_verify(peer_certificate_list, + peer_certificate_list_size, + ca_certificate_list, + ca_certificate_list_size, crl_list, + crl_list_size, 0, &verify); - if (peer_certificate_list != NULL) - for(x=0;x<peer_certificate_list_size;x++) { - if (peer_certificate_list[x] != NULL) - gnutls_x509_crt_deinit(peer_certificate_list[x]); - } + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } - if (ca_certificate_list != NULL) - for(x=0;x<ca_certificate_list_size;x++) { - if (ca_certificate_list[x] != NULL) - gnutls_x509_crt_deinit(ca_certificate_list[x]); - } + ret = verify; + cleanup: + + if (peer_certificate_list != NULL) + for (x = 0; x < peer_certificate_list_size; x++) { + if (peer_certificate_list[x] != NULL) + gnutls_x509_crt_deinit(peer_certificate_list[x]); + } + + if (ca_certificate_list != NULL) + for (x = 0; x < ca_certificate_list_size; x++) { + if (ca_certificate_list[x] != NULL) + gnutls_x509_crt_deinit(ca_certificate_list[x]); + } #ifdef ENABLE_PKI - if (crl_list != NULL) - for(x=0;x<crl_list_size;x++) { - if (crl_list[x] != NULL) - gnutls_x509_crl_deinit(crl_list[x]); - } - - gnutls_free( crl_list); + if (crl_list != NULL) + for (x = 0; x < crl_list_size; x++) { + if (crl_list[x] != NULL) + gnutls_x509_crl_deinit(crl_list[x]); + } + + gnutls_free(crl_list); #endif - gnutls_free( ca_certificate_list); - gnutls_free( peer_certificate_list); + gnutls_free(ca_certificate_list); + gnutls_free(peer_certificate_list); - return ret; + return ret; } /** @@ -698,27 +733,27 @@ int gnutls_x509_verify_certificate( const gnutls_datum* cert_list, int cert_list * or GNUTLS_E_UNKNOWN_PK_ALGORITHM on error. * **/ -int gnutls_x509_extract_key_pk_algorithm( const gnutls_datum * key) +int gnutls_x509_extract_key_pk_algorithm(const gnutls_datum * key) { - gnutls_x509_privkey pkey; - int ret, pk; - - ret = gnutls_x509_privkey_init( &pkey); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = gnutls_x509_privkey_import( pkey, key, GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - return ret; - } + gnutls_x509_privkey pkey; + int ret, pk; + + ret = gnutls_x509_privkey_init(&pkey); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = gnutls_x509_privkey_import(pkey, key, GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + return ret; + } - pk = gnutls_x509_privkey_get_pk_algorithm( pkey); - - gnutls_x509_privkey_deinit( pkey); - return pk; + pk = gnutls_x509_privkey_get_pk_algorithm(pkey); + + gnutls_x509_privkey_deinit(pkey); + return pk; } #ifdef ENABLE_PKI @@ -738,27 +773,31 @@ int gnutls_x509_extract_key_pk_algorithm( const gnutls_datum * key) * will be returned. * **/ -int gnutls_x509_pkcs7_extract_certificate(const gnutls_datum * pkcs7_struct, int indx, char* certificate, int* certificate_size) +int gnutls_x509_pkcs7_extract_certificate(const gnutls_datum * + pkcs7_struct, int indx, + char *certificate, + int *certificate_size) { - gnutls_pkcs7 pkcs7; - int result; - size_t size = *certificate_size; - - result = gnutls_pkcs7_init( &pkcs7); - if (result < 0) return result; - - result = gnutls_pkcs7_import( pkcs7, pkcs7_struct, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_pkcs7_deinit( pkcs7); - return result; - } - - result = gnutls_pkcs7_get_crt_raw( pkcs7, indx, certificate, &size); - *certificate_size = size; + gnutls_pkcs7 pkcs7; + int result; + size_t size = *certificate_size; + + result = gnutls_pkcs7_init(&pkcs7); + if (result < 0) + return result; - gnutls_pkcs7_deinit( pkcs7); - + result = gnutls_pkcs7_import(pkcs7, pkcs7_struct, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_pkcs7_deinit(pkcs7); return result; + } + + result = gnutls_pkcs7_get_crt_raw(pkcs7, indx, certificate, &size); + *certificate_size = size; + + gnutls_pkcs7_deinit(pkcs7); + + return result; } @@ -772,25 +811,27 @@ int gnutls_x509_pkcs7_extract_certificate(const gnutls_datum * pkcs7_struct, int * Returns a negative value on failure. * **/ -int gnutls_x509_pkcs7_extract_certificate_count(const gnutls_datum * pkcs7_struct) +int gnutls_x509_pkcs7_extract_certificate_count(const gnutls_datum * + pkcs7_struct) { - gnutls_pkcs7 pkcs7; - int result; - - result = gnutls_pkcs7_init( &pkcs7); - if (result < 0) return result; - - result = gnutls_pkcs7_import( pkcs7, pkcs7_struct, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_pkcs7_deinit( pkcs7); - return result; - } - - result = gnutls_pkcs7_get_crt_count( pkcs7); - - gnutls_pkcs7_deinit( pkcs7); - + gnutls_pkcs7 pkcs7; + int result; + + result = gnutls_pkcs7_init(&pkcs7); + if (result < 0) + return result; + + result = gnutls_pkcs7_import(pkcs7, pkcs7_struct, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_pkcs7_deinit(pkcs7); return result; + } + + result = gnutls_pkcs7_get_crt_count(pkcs7); + + gnutls_pkcs7_deinit(pkcs7); + + return result; } #endif diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c index cb9ad0e44e..8dc61858c0 100644 --- a/src/certtool-cfg.c +++ b/src/certtool-cfg.c @@ -32,721 +32,843 @@ extern int batch; -typedef struct _cfg_ctx -{ - char *organization; - char *unit; - char *locality; - char *state; - char *cn; - char *uid; - char *challenge_password; - char *pkcs9_email; - char *country; - char *dns_name; - char* ip_addr; - char *email; - char **dn_oid; - char *crl_dist_points; - char *password; - char *pkcs12_key_name; - int serial; - int expiration_days; - int ca; - int tls_www_client; - int tls_www_server; - int signing_key; - int encryption_key; - int cert_sign_key; - int crl_sign_key; - int code_sign_key; - int ocsp_sign_key; - int time_stamping_key; - int crl_next_update; +typedef struct _cfg_ctx { + char *organization; + char *unit; + char *locality; + char *state; + char *cn; + char *uid; + char *challenge_password; + char *pkcs9_email; + char *country; + char *dns_name; + char *ip_addr; + char *email; + char **dn_oid; + char *crl_dist_points; + char *password; + char *pkcs12_key_name; + int serial; + int expiration_days; + int ca; + int tls_www_client; + int tls_www_server; + int signing_key; + int encryption_key; + int cert_sign_key; + int crl_sign_key; + int code_sign_key; + int ocsp_sign_key; + int time_stamping_key; + int crl_next_update; } cfg_ctx; cfg_ctx cfg; void cfg_init(void) { - memset( &cfg, 0, sizeof(cfg)); + memset(&cfg, 0, sizeof(cfg)); } int template_parse(const char *template) { - /* libcfg+ parsing context */ - CFG_CONTEXT con; - - /* Parsing return code */ - register int ret; - - /* Option variables */ - - /* Option set */ - struct cfg_option options[] = { - {NULL, '\0', "organization", CFG_STR, (void *) &cfg.organization, 0}, - {NULL, '\0', "unit", CFG_STR, (void *) &cfg.unit, 0}, - {NULL, '\0', "locality", CFG_STR, (void *) &cfg.locality, 0}, - {NULL, '\0', "state", CFG_STR, (void *) &cfg.state, 0}, - {NULL, '\0', "cn", CFG_STR, (void *) &cfg.cn, 0}, - {NULL, '\0', "uid", CFG_STR, (void *) &cfg.uid, 0}, - {NULL, '\0', "challenge_password", CFG_STR, (void *) &cfg.challenge_password, 0}, - {NULL, '\0', "password", CFG_STR, (void *) &cfg.password, 0}, - {NULL, '\0', "pkcs9_email", CFG_STR, (void *) &cfg.pkcs9_email, 0}, - {NULL, '\0', "country", CFG_STR, (void *) &cfg.country, 0}, - {NULL, '\0', "dns_name", CFG_STR, (void *) &cfg.dns_name, 0}, - {NULL, '\0', "ip_address", CFG_STR, (void *) &cfg.ip_addr, 0}, - {NULL, '\0', "email", CFG_STR, (void *) &cfg.email, 0}, - - {NULL, '\0', "dn_oid", CFG_STR+CFG_MULTI_SEPARATED, (void *) &cfg.dn_oid, 0}, - - {NULL, '\0', "crl_dist_points", CFG_STR, (void *) &cfg.crl_dist_points, 0}, - {NULL, '\0', "pkcs12_key_name", CFG_STR, (void *) &cfg.pkcs12_key_name, 0}, - - {NULL, '\0', "serial", CFG_INT, (void *) &cfg.serial, 0}, - {NULL, '\0', "expiration_days", CFG_INT, (void *) &cfg.expiration_days, 0}, - - {NULL, '\0', "crl_next_update", CFG_INT, (void *) &cfg.crl_next_update, 0}, - - {NULL, '\0', "ca", CFG_BOOL, (void *) &cfg.ca, 0}, - {NULL, '\0', "tls_www_client", CFG_BOOL, (void *) &cfg.tls_www_client, 0}, - {NULL, '\0', "tls_www_server", CFG_BOOL, (void *) &cfg.tls_www_server, 0}, - {NULL, '\0', "signing_key", CFG_BOOL, (void *) &cfg.signing_key, 0}, - {NULL, '\0', "encryption_key", CFG_BOOL, (void *) &cfg.encryption_key, 0}, - {NULL, '\0', "cert_signing_key", CFG_BOOL, (void *) &cfg.cert_sign_key, 0}, - {NULL, '\0', "crl_signing_key", CFG_BOOL, (void *) &cfg.crl_sign_key, 0}, - {NULL, '\0', "code_signing_key", CFG_BOOL, (void *) &cfg.code_sign_key, 0}, - {NULL, '\0', "ocsp_signing_key", CFG_BOOL, (void *) &cfg.ocsp_sign_key, 0}, - {NULL, '\0', "time_stamping_key", CFG_BOOL, (void *) &cfg.time_stamping_key, 0}, - CFG_END_OF_LIST - }; - - /* Creating context */ - con = cfg_get_context(options); - if (con == NULL) { - puts("Not enough memory"); - exit(1); - } - - cfg_set_cfgfile_context(con, 0, -1, (char*)template); - - /* Parsing command line */ - ret = cfg_parse(con); - - if (ret != CFG_OK) { - printf("error parsing command line: %s: ", template); - cfg_fprint_error(con, stdout); - putchar('\n'); - exit( ret < 0 ? -ret : ret); - } - - return 0; + /* libcfg+ parsing context */ + CFG_CONTEXT con; + + /* Parsing return code */ + register int ret; + + /* Option variables */ + + /* Option set */ + struct cfg_option options[] = { + {NULL, '\0', "organization", CFG_STR, (void *) &cfg.organization, + 0}, + {NULL, '\0', "unit", CFG_STR, (void *) &cfg.unit, 0}, + {NULL, '\0', "locality", CFG_STR, (void *) &cfg.locality, 0}, + {NULL, '\0', "state", CFG_STR, (void *) &cfg.state, 0}, + {NULL, '\0', "cn", CFG_STR, (void *) &cfg.cn, 0}, + {NULL, '\0', "uid", CFG_STR, (void *) &cfg.uid, 0}, + {NULL, '\0', "challenge_password", CFG_STR, + (void *) &cfg.challenge_password, 0}, + {NULL, '\0', "password", CFG_STR, (void *) &cfg.password, 0}, + {NULL, '\0', "pkcs9_email", CFG_STR, (void *) &cfg.pkcs9_email, 0}, + {NULL, '\0', "country", CFG_STR, (void *) &cfg.country, 0}, + {NULL, '\0', "dns_name", CFG_STR, (void *) &cfg.dns_name, 0}, + {NULL, '\0', "ip_address", CFG_STR, (void *) &cfg.ip_addr, 0}, + {NULL, '\0', "email", CFG_STR, (void *) &cfg.email, 0}, + + {NULL, '\0', "dn_oid", CFG_STR + CFG_MULTI_SEPARATED, + (void *) &cfg.dn_oid, 0}, + + {NULL, '\0', "crl_dist_points", CFG_STR, + (void *) &cfg.crl_dist_points, 0}, + {NULL, '\0', "pkcs12_key_name", CFG_STR, + (void *) &cfg.pkcs12_key_name, 0}, + + {NULL, '\0', "serial", CFG_INT, (void *) &cfg.serial, 0}, + {NULL, '\0', "expiration_days", CFG_INT, + (void *) &cfg.expiration_days, 0}, + + {NULL, '\0', "crl_next_update", CFG_INT, + (void *) &cfg.crl_next_update, 0}, + + {NULL, '\0', "ca", CFG_BOOL, (void *) &cfg.ca, 0}, + {NULL, '\0', "tls_www_client", CFG_BOOL, + (void *) &cfg.tls_www_client, 0}, + {NULL, '\0', "tls_www_server", CFG_BOOL, + (void *) &cfg.tls_www_server, 0}, + {NULL, '\0', "signing_key", CFG_BOOL, (void *) &cfg.signing_key, + 0}, + {NULL, '\0', "encryption_key", CFG_BOOL, + (void *) &cfg.encryption_key, 0}, + {NULL, '\0', "cert_signing_key", CFG_BOOL, + (void *) &cfg.cert_sign_key, 0}, + {NULL, '\0', "crl_signing_key", CFG_BOOL, + (void *) &cfg.crl_sign_key, 0}, + {NULL, '\0', "code_signing_key", CFG_BOOL, + (void *) &cfg.code_sign_key, 0}, + {NULL, '\0', "ocsp_signing_key", CFG_BOOL, + (void *) &cfg.ocsp_sign_key, 0}, + {NULL, '\0', "time_stamping_key", CFG_BOOL, + (void *) &cfg.time_stamping_key, 0}, + CFG_END_OF_LIST + }; + + /* Creating context */ + con = cfg_get_context(options); + if (con == NULL) { + puts("Not enough memory"); + exit(1); + } + + cfg_set_cfgfile_context(con, 0, -1, (char *) template); + + /* Parsing command line */ + ret = cfg_parse(con); + + if (ret != CFG_OK) { + printf("error parsing command line: %s: ", template); + cfg_fprint_error(con, stdout); + putchar('\n'); + exit(ret < 0 ? -ret : ret); + } + + return 0; +} + +void read_crt_set(gnutls_x509_crt crt, const char *input_str, + const char *oid) +{ + char input[128]; + int ret; + + fputs(input_str, stderr); + fgets(input, sizeof(input), stdin); + + if (strlen(input) == 1) /* only newline */ + return; + + ret = + gnutls_x509_crt_set_dn_by_oid(crt, oid, 0, input, + strlen(input) - 1); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); + } +} + +void read_crq_set(gnutls_x509_crq crq, const char *input_str, + const char *oid) +{ + char input[128]; + int ret; + + fputs(input_str, stderr); + fgets(input, sizeof(input), stdin); + + if (strlen(input) == 1) /* only newline */ + return; + + ret = + gnutls_x509_crq_set_dn_by_oid(crq, oid, 0, input, + strlen(input) - 1); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); + } } - -void read_crt_set( gnutls_x509_crt crt, const char* input_str, const char* oid) + +int read_int(const char *input_str) { -char input[128]; -int ret; + char input[128]; + + fputs(input_str, stderr); + fgets(input, sizeof(input), stdin); - fputs( input_str, stderr); - fgets( input, sizeof(input), stdin); - - if (strlen(input)==1) /* only newline */ return; + if (strlen(input) == 1) /* only newline */ + return 0; - ret = gnutls_x509_crt_set_dn_by_oid(crt, oid, 0, input, strlen(input)-1); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } + return atoi(input); } -void read_crq_set( gnutls_x509_crq crq, const char* input_str, const char* oid) +const char *read_str(const char *input_str) { -char input[128]; -int ret; + static char input[128]; + int len; - fputs( input_str, stderr); - fgets( input, sizeof(input), stdin); - - if (strlen(input)==1) /* only newline */ return; + fputs(input_str, stderr); + if (fgets(input, sizeof(input), stdin) == NULL) + return NULL; - ret = gnutls_x509_crq_set_dn_by_oid(crq, oid, 0, input, strlen(input)-1); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } -} + len = strlen(input); + if ((len > 0) && (input[len - 1] == '\n')) + input[len - 1] = 0; + if (input[0] == 0) + return NULL; -int read_int( const char* input_str) -{ -char input[128]; - - fputs( input_str, stderr); - fgets( input, sizeof(input), stdin); - - if (strlen(input)==1) /* only newline */ return 0; - - return atoi(input); + return input; } -const char* read_str( const char* input_str) +int read_yesno(const char *input_str) { -static char input[128]; -int len; + char input[128]; - fputs( input_str, stderr); - if (fgets( input, sizeof(input), stdin) == NULL) return NULL; - - len = strlen(input); - if ( (len > 0) && (input[len-1] == '\n') ) input[len-1] = 0; - if (input[0] == 0) return NULL; + fputs(input_str, stderr); + fgets(input, sizeof(input), stdin); - return input; -} - -int read_yesno( const char* input_str) -{ -char input[128]; + if (strlen(input) == 1) /* only newline */ + return 0; - fputs( input_str, stderr); - fgets( input, sizeof(input), stdin); - - if (strlen(input)==1) /* only newline */ return 0; + if (input[0] == 'y' || input[0] == 'Y') + return 1; - if (input[0] == 'y' || input[0] == 'Y') return 1; - - return 0; + return 0; } /* Wrapper functions for non-interactive mode. */ -const char* get_pass(void) +const char *get_pass(void) { - if (batch) - return cfg.password; - else - return read_pass("Enter password: "); + if (batch) + return cfg.password; + else + return read_pass("Enter password: "); } -const char* get_challenge_pass(void) +const char *get_challenge_pass(void) { - if (batch) - return cfg.challenge_password; - else - return read_pass("Enter a challenge password: "); + if (batch) + return cfg.challenge_password; + else + return read_pass("Enter a challenge password: "); } -const char* get_crl_dist_point_url(void) +const char *get_crl_dist_point_url(void) { - if (batch) - return cfg.crl_dist_points; - else - return read_str( "Enter the URI of the CRL distribution point: "); + if (batch) + return cfg.crl_dist_points; + else + return read_str("Enter the URI of the CRL distribution point: "); } -void get_country_crt_set( gnutls_x509_crt crt) +void get_country_crt_set(gnutls_x509_crt crt) { -int ret; + int ret; - if (batch) { - if (!cfg.country) return; - ret = gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0, - cfg.country, strlen(cfg.country)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crt_set( crt, "Country name (2 chars): ", GNUTLS_OID_X520_COUNTRY_NAME); + if (batch) { + if (!cfg.country) + return; + ret = + gnutls_x509_crt_set_dn_by_oid(crt, + GNUTLS_OID_X520_COUNTRY_NAME, 0, + cfg.country, + strlen(cfg.country)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crt_set(crt, "Country name (2 chars): ", + GNUTLS_OID_X520_COUNTRY_NAME); + } } -void get_organization_crt_set( gnutls_x509_crt crt) +void get_organization_crt_set(gnutls_x509_crt crt) { -int ret; + int ret; - if (batch) { - if (!cfg.organization) return; + if (batch) { + if (!cfg.organization) + return; - ret = gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, - cfg.organization, strlen(cfg.organization)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crt_set( crt, "Organization name: ", GNUTLS_OID_X520_ORGANIZATION_NAME); + ret = + gnutls_x509_crt_set_dn_by_oid(crt, + GNUTLS_OID_X520_ORGANIZATION_NAME, + 0, cfg.organization, + strlen(cfg.organization)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crt_set(crt, "Organization name: ", + GNUTLS_OID_X520_ORGANIZATION_NAME); + } } -void get_unit_crt_set( gnutls_x509_crt crt) +void get_unit_crt_set(gnutls_x509_crt crt) { -int ret; + int ret; + + if (batch) { + if (!cfg.unit) + return; - if (batch) { - if (!cfg.unit) return; - - ret = gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, - cfg.unit, strlen(cfg.unit)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crt_set( crt, "Organizational unit name: ", GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME); + ret = + gnutls_x509_crt_set_dn_by_oid(crt, + GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, + 0, cfg.unit, strlen(cfg.unit)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crt_set(crt, "Organizational unit name: ", + GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME); + } } -void get_state_crt_set( gnutls_x509_crt crt) +void get_state_crt_set(gnutls_x509_crt crt) { -int ret; + int ret; - if (batch) { - if (!cfg.state) return; - ret = gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, - cfg.state, strlen(cfg.state)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crt_set( crt, "State or province name: ", GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME); + if (batch) { + if (!cfg.state) + return; + ret = + gnutls_x509_crt_set_dn_by_oid(crt, + GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, + 0, cfg.state, strlen(cfg.state)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crt_set(crt, "State or province name: ", + GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME); + } } -void get_locality_crt_set( gnutls_x509_crt crt) +void get_locality_crt_set(gnutls_x509_crt crt) { -int ret; + int ret; - if (batch) { - if (!cfg.locality) return; - ret = gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_LOCALITY_NAME, 0, - cfg.locality, strlen(cfg.locality)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crt_set( crt, "Locality name: ", GNUTLS_OID_X520_LOCALITY_NAME); + if (batch) { + if (!cfg.locality) + return; + ret = + gnutls_x509_crt_set_dn_by_oid(crt, + GNUTLS_OID_X520_LOCALITY_NAME, 0, + cfg.locality, + strlen(cfg.locality)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crt_set(crt, "Locality name: ", + GNUTLS_OID_X520_LOCALITY_NAME); + } } -void get_cn_crt_set( gnutls_x509_crt crt) +void get_cn_crt_set(gnutls_x509_crt crt) { -int ret; + int ret; - if (batch) { - if (!cfg.cn) return; - ret = gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0, - cfg.cn, strlen(cfg.cn)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crt_set( crt, "Common name: ", GNUTLS_OID_X520_COMMON_NAME); + if (batch) { + if (!cfg.cn) + return; + ret = + gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, + 0, cfg.cn, strlen(cfg.cn)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crt_set(crt, "Common name: ", GNUTLS_OID_X520_COMMON_NAME); + } } -void get_uid_crt_set( gnutls_x509_crt crt) +void get_uid_crt_set(gnutls_x509_crt crt) { -int ret; + int ret; - if (batch) { - if (!cfg.uid) return; - ret = gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_LDAP_UID, 0, - cfg.uid, strlen(cfg.uid)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crt_set( crt, "UID: ", GNUTLS_OID_LDAP_UID); + if (batch) { + if (!cfg.uid) + return; + ret = gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_LDAP_UID, 0, + cfg.uid, strlen(cfg.uid)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crt_set(crt, "UID: ", GNUTLS_OID_LDAP_UID); + } } -void get_oid_crt_set( gnutls_x509_crt crt) +void get_oid_crt_set(gnutls_x509_crt crt) { -int ret, i; + int ret, i; - if (batch) { - if (!cfg.dn_oid) return; - for( i = 0; cfg.dn_oid[i] != NULL; i+=2) { - if (cfg.dn_oid[i+1]==NULL) { - fprintf(stderr, "dn_oid: %s does not have an argument.\n", - cfg.dn_oid[i]); - exit(1); - } - ret = gnutls_x509_crt_set_dn_by_oid(crt, cfg.dn_oid[i], 0, - cfg.dn_oid[i+1], strlen(cfg.dn_oid[i+1])); + if (batch) { + if (!cfg.dn_oid) + return; + for (i = 0; cfg.dn_oid[i] != NULL; i += 2) { + if (cfg.dn_oid[i + 1] == NULL) { + fprintf(stderr, "dn_oid: %s does not have an argument.\n", + cfg.dn_oid[i]); + exit(1); + } + ret = gnutls_x509_crt_set_dn_by_oid(crt, cfg.dn_oid[i], 0, + cfg.dn_oid[i + 1], + strlen(cfg.dn_oid[i + 1])); - if (ret < 0) { - fprintf(stderr, "set_dn_oid: %s\n", gnutls_strerror(ret)); - exit(1); - } - } + if (ret < 0) { + fprintf(stderr, "set_dn_oid: %s\n", gnutls_strerror(ret)); + exit(1); + } } + } } -void get_pkcs9_email_crt_set( gnutls_x509_crt crt) +void get_pkcs9_email_crt_set(gnutls_x509_crt crt) { -int ret; + int ret; - if (batch) { - if (!cfg.pkcs9_email) return; - ret = gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_PKCS9_EMAIL, 0, - cfg.pkcs9_email, strlen(cfg.pkcs9_email)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crt_set( crt, "E-mail: ", GNUTLS_OID_PKCS9_EMAIL); + if (batch) { + if (!cfg.pkcs9_email) + return; + ret = gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_PKCS9_EMAIL, 0, + cfg.pkcs9_email, + strlen(cfg.pkcs9_email)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crt_set(crt, "E-mail: ", GNUTLS_OID_PKCS9_EMAIL); + } } -int get_serial( void) +int get_serial(void) { - if (batch) { - if (cfg.serial < 0) return 0; - return cfg.serial; - } else { - return read_int( "Enter the certificate's serial number (decimal): "); - } + if (batch) { + if (cfg.serial < 0) + return 0; + return cfg.serial; + } else { + return + read_int("Enter the certificate's serial number (decimal): "); + } } -int get_days( void) +int get_days(void) { -int days; + int days; - if (batch) { - if (cfg.expiration_days <= 0) return 365; - else return cfg.expiration_days; - } else { - do { - days = read_int( "The certificate will expire in (days): "); - } while( days==0); - return days; - } + if (batch) { + if (cfg.expiration_days <= 0) + return 365; + else + return cfg.expiration_days; + } else { + do { + days = read_int("The certificate will expire in (days): "); + } while (days == 0); + return days; + } } -int get_ca_status( void) +int get_ca_status(void) { - if (batch) { - return cfg.ca; - } else { - return read_yesno( "Does the certificate belong to an authority? (Y/N): "); - } + if (batch) { + return cfg.ca; + } else { + return + read_yesno + ("Does the certificate belong to an authority? (Y/N): "); + } } -const char* get_pkcs12_key_name( void) +const char *get_pkcs12_key_name(void) { -const char* name; + const char *name; - if (batch) { - if (!cfg.pkcs12_key_name) return "Anonymous"; - return cfg.pkcs12_key_name; - } else { - do { - name = read_str("Enter a name for the key: "); - } while( name == NULL); - } - return name; + if (batch) { + if (!cfg.pkcs12_key_name) + return "Anonymous"; + return cfg.pkcs12_key_name; + } else { + do { + name = read_str("Enter a name for the key: "); + } while (name == NULL); + } + return name; } -int get_tls_client_status( void) +int get_tls_client_status(void) { - if (batch) { - return cfg.tls_www_client; - } else { - return read_yesno( "Is this a TLS web client certificate? (Y/N): "); - } + if (batch) { + return cfg.tls_www_client; + } else { + return read_yesno("Is this a TLS web client certificate? (Y/N): "); + } } -int get_tls_server_status( void) +int get_tls_server_status(void) { - if (batch) { - return cfg.tls_www_server; - } else { - return read_yesno( "Is this also a TLS web server certificate? (Y/N): "); - } + if (batch) { + return cfg.tls_www_server; + } else { + return + read_yesno + ("Is this also a TLS web server certificate? (Y/N): "); + } } -const char* get_dns_name( void) +const char *get_dns_name(void) { - if (batch) { - return cfg.dns_name; - } else { - return read_str( "Enter the dnsName of the subject of the certificate: "); - } + if (batch) { + return cfg.dns_name; + } else { + return + read_str + ("Enter the dnsName of the subject of the certificate: "); + } } -const char* get_ip_addr( void) +const char *get_ip_addr(void) { - if (batch) { - return cfg.ip_addr; - } else { - return read_str( "Enter the IP address of the subject of the certificate: "); - } + if (batch) { + return cfg.ip_addr; + } else { + return + read_str + ("Enter the IP address of the subject of the certificate: "); + } } -const char* get_email( void) +const char *get_email(void) { - if (batch) { - return cfg.email; - } else { - return read_str( "Enter the e-mail of the subject of the certificate: "); - } + if (batch) { + return cfg.email; + } else { + return + read_str + ("Enter the e-mail of the subject of the certificate: "); + } } -int get_sign_status( int server) +int get_sign_status(int server) { -const char* msg; + const char *msg; - if (batch) { - return cfg.signing_key; - } else { - if (server) msg = "Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/N): "; - else msg = "Will the certificate be used for signing (required for TLS)? (Y/N): "; - return read_yesno( msg); - } + if (batch) { + return cfg.signing_key; + } else { + if (server) + msg = + "Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/N): "; + else + msg = + "Will the certificate be used for signing (required for TLS)? (Y/N): "; + return read_yesno(msg); + } } -int get_encrypt_status( int server) +int get_encrypt_status(int server) { -const char* msg; + const char *msg; - if (batch) { - return cfg.encryption_key; - } else { - if (server) msg = "Will the certificate be used for encryption (RSA ciphersuites)? (Y/N): "; - else msg = "Will the certificate be used for encryption (not required for TLS)? (Y/N): "; - return read_yesno( msg); - } + if (batch) { + return cfg.encryption_key; + } else { + if (server) + msg = + "Will the certificate be used for encryption (RSA ciphersuites)? (Y/N): "; + else + msg = + "Will the certificate be used for encryption (not required for TLS)? (Y/N): "; + return read_yesno(msg); + } } int get_cert_sign_status(void) { - if (batch) { - return cfg.cert_sign_key; - } else { - return read_yesno( "Will the certificate be used to sign other certificates? (Y/N): "); - } + if (batch) { + return cfg.cert_sign_key; + } else { + return + read_yesno + ("Will the certificate be used to sign other certificates? (Y/N): "); + } } int get_crl_sign_status(void) { - if (batch) { - return cfg.crl_sign_key; - } else { - return read_yesno( "Will the certificate be used to sign CRLs? (Y/N): "); - } + if (batch) { + return cfg.crl_sign_key; + } else { + return + read_yesno + ("Will the certificate be used to sign CRLs? (Y/N): "); + } } int get_code_sign_status(void) { - if (batch) { - return cfg.code_sign_key; - } else { - return read_yesno( "Will the certificate be used to sign code? (Y/N): "); - } + if (batch) { + return cfg.code_sign_key; + } else { + return + read_yesno + ("Will the certificate be used to sign code? (Y/N): "); + } } int get_ocsp_sign_status(void) { - if (batch) { - return cfg.ocsp_sign_key; - } else { - return read_yesno( "Will the certificate be used to sign OCSP requests? (Y/N): "); - } + if (batch) { + return cfg.ocsp_sign_key; + } else { + return + read_yesno + ("Will the certificate be used to sign OCSP requests? (Y/N): "); + } } -int get_time_stamp_status( void) +int get_time_stamp_status(void) { - if (batch) { - return cfg.time_stamping_key; - } else { - return read_yesno( "Will the certificate be used for time stamping? (Y/N): "); - } + if (batch) { + return cfg.time_stamping_key; + } else { + return + read_yesno + ("Will the certificate be used for time stamping? (Y/N): "); + } } -int get_crl_next_update( void) +int get_crl_next_update(void) { -int days; + int days; - if (batch) { - if (cfg.crl_next_update <= 0) return 365; - else return cfg.crl_next_update; - } else { - do { - days = read_int( "The next CRL will be issued in (days): "); - } while( days==0); - return days; - } + if (batch) { + if (cfg.crl_next_update <= 0) + return 365; + else + return cfg.crl_next_update; + } else { + do { + days = read_int("The next CRL will be issued in (days): "); + } while (days == 0); + return days; + } } /* CRQ stuff. */ -void get_country_crq_set( gnutls_x509_crq crq) -{ -int ret; - - if (batch) { - if (!cfg.country) return; - ret = gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_X520_COUNTRY_NAME, 0, - cfg.country, strlen(cfg.country)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crq_set( crq, "Country name (2 chars): ", GNUTLS_OID_X520_COUNTRY_NAME); +void get_country_crq_set(gnutls_x509_crq crq) +{ + int ret; + + if (batch) { + if (!cfg.country) + return; + ret = + gnutls_x509_crq_set_dn_by_oid(crq, + GNUTLS_OID_X520_COUNTRY_NAME, 0, + cfg.country, + strlen(cfg.country)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crq_set(crq, "Country name (2 chars): ", + GNUTLS_OID_X520_COUNTRY_NAME); + } } -void get_organization_crq_set( gnutls_x509_crq crq) +void get_organization_crq_set(gnutls_x509_crq crq) { -int ret; + int ret; - if (batch) { - if (!cfg.organization) return; + if (batch) { + if (!cfg.organization) + return; - ret = gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, - cfg.organization, strlen(cfg.organization)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crq_set( crq, "Organization name: ", GNUTLS_OID_X520_ORGANIZATION_NAME); + ret = + gnutls_x509_crq_set_dn_by_oid(crq, + GNUTLS_OID_X520_ORGANIZATION_NAME, + 0, cfg.organization, + strlen(cfg.organization)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crq_set(crq, "Organization name: ", + GNUTLS_OID_X520_ORGANIZATION_NAME); + } } -void get_unit_crq_set( gnutls_x509_crq crq) +void get_unit_crq_set(gnutls_x509_crq crq) { -int ret; + int ret; - if (batch) { - if (!cfg.unit) return; - - ret = gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, - cfg.unit, strlen(cfg.unit)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crq_set( crq, "Organizational unit name: ", GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME); + if (batch) { + if (!cfg.unit) + return; + + ret = + gnutls_x509_crq_set_dn_by_oid(crq, + GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, + 0, cfg.unit, strlen(cfg.unit)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crq_set(crq, "Organizational unit name: ", + GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME); + } } -void get_state_crq_set( gnutls_x509_crq crq) +void get_state_crq_set(gnutls_x509_crq crq) { -int ret; + int ret; - if (batch) { - if (!cfg.state) return; - ret = gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, - cfg.state, strlen(cfg.state)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crq_set( crq, "State or province name: ", GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME); + if (batch) { + if (!cfg.state) + return; + ret = + gnutls_x509_crq_set_dn_by_oid(crq, + GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, + 0, cfg.state, strlen(cfg.state)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crq_set(crq, "State or province name: ", + GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME); + } } -void get_locality_crq_set( gnutls_x509_crq crq) +void get_locality_crq_set(gnutls_x509_crq crq) { -int ret; + int ret; - if (batch) { - if (!cfg.locality) return; - ret = gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_X520_LOCALITY_NAME, 0, - cfg.locality, strlen(cfg.locality)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crq_set( crq, "Locality name: ", GNUTLS_OID_X520_LOCALITY_NAME); + if (batch) { + if (!cfg.locality) + return; + ret = + gnutls_x509_crq_set_dn_by_oid(crq, + GNUTLS_OID_X520_LOCALITY_NAME, 0, + cfg.locality, + strlen(cfg.locality)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crq_set(crq, "Locality name: ", + GNUTLS_OID_X520_LOCALITY_NAME); + } } -void get_cn_crq_set( gnutls_x509_crq crq) +void get_cn_crq_set(gnutls_x509_crq crq) { -int ret; + int ret; - if (batch) { - if (!cfg.cn) return; - ret = gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_X520_COMMON_NAME, 0, - cfg.cn, strlen(cfg.cn)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crq_set( crq, "Common name: ", GNUTLS_OID_X520_COMMON_NAME); + if (batch) { + if (!cfg.cn) + return; + ret = + gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_X520_COMMON_NAME, + 0, cfg.cn, strlen(cfg.cn)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crq_set(crq, "Common name: ", GNUTLS_OID_X520_COMMON_NAME); + } } -void get_uid_crq_set( gnutls_x509_crq crq) +void get_uid_crq_set(gnutls_x509_crq crq) { -int ret; + int ret; - if (batch) { - if (!cfg.uid) return; - ret = gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_LDAP_UID, 0, - cfg.uid, strlen(cfg.uid)); - if (ret < 0) { - fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - read_crq_set( crq, "UID: ", GNUTLS_OID_LDAP_UID); + if (batch) { + if (!cfg.uid) + return; + ret = gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_LDAP_UID, 0, + cfg.uid, strlen(cfg.uid)); + if (ret < 0) { + fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret)); + exit(1); } + } else { + read_crq_set(crq, "UID: ", GNUTLS_OID_LDAP_UID); + } } -void get_oid_crq_set( gnutls_x509_crq crq) +void get_oid_crq_set(gnutls_x509_crq crq) { -int ret, i; + int ret, i; - if (batch) { - if (!cfg.dn_oid) return; - for( i = 0; cfg.dn_oid[i] != NULL; i+=2) { - if (cfg.dn_oid[i+1]==NULL) { - fprintf(stderr, "dn_oid: %s does not have an argument.\n", - cfg.dn_oid[i]); - exit(1); - } - ret = gnutls_x509_crq_set_dn_by_oid(crq, cfg.dn_oid[i], 0, - cfg.dn_oid[i+1], strlen(cfg.dn_oid[i+1])); + if (batch) { + if (!cfg.dn_oid) + return; + for (i = 0; cfg.dn_oid[i] != NULL; i += 2) { + if (cfg.dn_oid[i + 1] == NULL) { + fprintf(stderr, "dn_oid: %s does not have an argument.\n", + cfg.dn_oid[i]); + exit(1); + } + ret = gnutls_x509_crq_set_dn_by_oid(crq, cfg.dn_oid[i], 0, + cfg.dn_oid[i + 1], + strlen(cfg.dn_oid[i + 1])); - if (ret < 0) { - fprintf(stderr, "set_dn_oid: %s\n", gnutls_strerror(ret)); - exit(1); - } - } + if (ret < 0) { + fprintf(stderr, "set_dn_oid: %s\n", gnutls_strerror(ret)); + exit(1); + } } + } } diff --git a/src/certtool-gaa.c b/src/certtool-gaa.c index 8fddbd654c..030d2d39cf 100644 --- a/src/certtool-gaa.c +++ b/src/certtool-gaa.c @@ -24,150 +24,161 @@ void certtool_version(void); #endif #endif -static void* gaa_malloc( size_t size) { -void* ret; - ret = malloc(size); - if (ret==NULL) { - fprintf(stderr, "gaa: could not allocate memory"); - exit(1); - } - return ret; +static void *gaa_malloc(size_t size) +{ + void *ret; + ret = malloc(size); + if (ret == NULL) { + fprintf(stderr, "gaa: could not allocate memory"); + exit(1); + } + return ret; } -static void __gaa_helpsingle(char short_name, char *name, - char *arg_desc, char *opt_help) +static void __gaa_helpsingle(char short_name, char *name, + char *arg_desc, char *opt_help) { - int col1, col3, col4, tabsize = 3, curr; - int i; - - col1 = 5; /* Default values */ - col3 = 30; - col4 = 70; - - curr = 0; - for(i = 0; i < col1; i++) - { - printf(" "); - curr++; - } - if(short_name) - { - if(name && *name) - { - printf("-%c, ", short_name); - curr += 4; - } - else - { - printf("-%c ", short_name); - curr += 3; - } - } - if(name && *name) - { - printf("--%s ", name); - curr += 3 + strlen(name); - } - if(arg_desc && *arg_desc) - { - printf("%s ", arg_desc); - curr += 1 + strlen(arg_desc); - } - if(curr >= col3) - { - printf("\n"); - curr = 0; - } - if(opt_help) /* let's print the option's help body */ - { - const char *str = opt_help; - while(*str) - { - while(curr < col3) - { - printf(" "); - curr++; - } - switch(*str) - { - case '\n': - printf("\n"); - curr = 0; - break; - case '\t': - do - { - printf(" "); - curr++; - } - while((curr - col3) % tabsize != 0 && curr < col4); - case ' ': - if(*str == ' ') - { - curr++; - printf(" "); - } - for(i = 1; str[i] && str[i] != ' ' && str[i] != '\n' - && str[i] != '\t'; i++); - if(curr + i - 1 >= col4) - curr = col4; - break; - default: - printf("%c", *str); - curr++; - } - if(curr >= col4) - { - printf("\n"); - curr = 0; - } - str++; - } - } - printf("\n"); + int col1, col3, col4, tabsize = 3, curr; + int i; + + col1 = 5; /* Default values */ + col3 = 30; + col4 = 70; + + curr = 0; + for (i = 0; i < col1; i++) { + printf(" "); + curr++; + } + if (short_name) { + if (name && *name) { + printf("-%c, ", short_name); + curr += 4; + } else { + printf("-%c ", short_name); + curr += 3; + } + } + if (name && *name) { + printf("--%s ", name); + curr += 3 + strlen(name); + } + if (arg_desc && *arg_desc) { + printf("%s ", arg_desc); + curr += 1 + strlen(arg_desc); + } + if (curr >= col3) { + printf("\n"); + curr = 0; + } + if (opt_help) { /* let's print the option's help body */ + const char *str = opt_help; + while (*str) { + while (curr < col3) { + printf(" "); + curr++; + } + switch (*str) { + case '\n': + printf("\n"); + curr = 0; + break; + case '\t': + do { + printf(" "); + curr++; + } + while ((curr - col3) % tabsize != 0 && curr < col4); + case ' ': + if (*str == ' ') { + curr++; + printf(" "); + } + for (i = 1; str[i] && str[i] != ' ' && str[i] != '\n' + && str[i] != '\t'; i++); + if (curr + i - 1 >= col4) + curr = col4; + break; + default: + printf("%c", *str); + curr++; + } + if (curr >= col4) { + printf("\n"); + curr = 0; + } + str++; + } + } + printf("\n"); } void gaa_help(void) { - printf("Certtool help\nUsage: certtool [options]\n"); - __gaa_helpsingle('s', "generate-self-signed", "", "Generate a self-signed certificate."); - __gaa_helpsingle('c', "generate-certificate", "", "Generate a signed certificate."); - __gaa_helpsingle(0, "generate-crl", "", "Generate a CRL."); - __gaa_helpsingle('u', "update-certificate", "", "Update a signed certificate."); - __gaa_helpsingle('p', "generate-privkey", "", "Generate a private key."); - __gaa_helpsingle('q', "generate-request", "", "Generate a PKCS #10 certificate request."); - __gaa_helpsingle('e', "verify-chain", "", "Verify a PEM encoded certificate chain. The last certificate in the chain must be a self signed one."); - __gaa_helpsingle(0, "verify-crl", "", "Verify a CRL."); - __gaa_helpsingle(0, "generate-dh-params", "", "Generate PKCS #3 encoded Diffie Hellman parameters."); - __gaa_helpsingle(0, "load-privkey", "FILE ", "Private key file to use."); - __gaa_helpsingle(0, "load-request", "FILE ", "Certificate request file to use."); - __gaa_helpsingle(0, "load-certificate", "FILE ", "Certificate file to use."); - __gaa_helpsingle(0, "load-ca-privkey", "FILE ", "Certificate authority's private key file to use."); - __gaa_helpsingle(0, "load-ca-certificate", "FILE ", "Certificate authority's certificate file to use."); - __gaa_helpsingle(0, "password", "PASSWORD ", "Password to use."); - __gaa_helpsingle('i', "certificate-info", "", "Print information on a certificate."); - __gaa_helpsingle('l', "crl-info", "", "Print information on a CRL."); - __gaa_helpsingle(0, "p12-info", "", "Print information on a PKCS #12 structure."); - __gaa_helpsingle(0, "p7-info", "", "Print information on a PKCS #7 structure."); - __gaa_helpsingle('k', "key-info", "", "Print information on a private key."); - __gaa_helpsingle(0, "to-p12", "", "Generate a PKCS #12 structure."); - __gaa_helpsingle('8', "pkcs8", "", "Use PKCS #8 format for private keys."); - __gaa_helpsingle(0, "dsa", "", "Use DSA keys."); - __gaa_helpsingle(0, "export-ciphers", "", "Use weak encryption algorithms."); - __gaa_helpsingle(0, "inder", "", "Use DER format for input certificates and private keys."); - __gaa_helpsingle(0, "xml", "", "Use XML format for output certificates."); - __gaa_helpsingle(0, "outder", "", "Use DER format for output certificates and private keys."); - __gaa_helpsingle(0, "bits", "BITS ", "specify the number of bits for key generation."); - __gaa_helpsingle(0, "outfile", "FILE ", "Output file."); - __gaa_helpsingle(0, "infile", "FILE ", "Output file."); - __gaa_helpsingle(0, "template", "FILE ", "Template file to use for non interactive operation."); - __gaa_helpsingle('d', "debug", "LEVEL ", "specify the debug level. Default is 1."); - __gaa_helpsingle('h', "help", "", "shows this help text"); - __gaa_helpsingle('v', "version", "", "shows the program's version"); - __gaa_helpsingle(0, "copyright", "", "shows the program's license"); + printf("Certtool help\nUsage: certtool [options]\n"); + __gaa_helpsingle('s', "generate-self-signed", "", + "Generate a self-signed certificate."); + __gaa_helpsingle('c', "generate-certificate", "", + "Generate a signed certificate."); + __gaa_helpsingle(0, "generate-crl", "", "Generate a CRL."); + __gaa_helpsingle('u', "update-certificate", "", + "Update a signed certificate."); + __gaa_helpsingle('p', "generate-privkey", "", + "Generate a private key."); + __gaa_helpsingle('q', "generate-request", "", + "Generate a PKCS #10 certificate request."); + __gaa_helpsingle('e', "verify-chain", "", + "Verify a PEM encoded certificate chain. The last certificate in the chain must be a self signed one."); + __gaa_helpsingle(0, "verify-crl", "", "Verify a CRL."); + __gaa_helpsingle(0, "generate-dh-params", "", + "Generate PKCS #3 encoded Diffie Hellman parameters."); + __gaa_helpsingle(0, "load-privkey", "FILE ", + "Private key file to use."); + __gaa_helpsingle(0, "load-request", "FILE ", + "Certificate request file to use."); + __gaa_helpsingle(0, "load-certificate", "FILE ", + "Certificate file to use."); + __gaa_helpsingle(0, "load-ca-privkey", "FILE ", + "Certificate authority's private key file to use."); + __gaa_helpsingle(0, "load-ca-certificate", "FILE ", + "Certificate authority's certificate file to use."); + __gaa_helpsingle(0, "password", "PASSWORD ", "Password to use."); + __gaa_helpsingle('i', "certificate-info", "", + "Print information on a certificate."); + __gaa_helpsingle('l', "crl-info", "", "Print information on a CRL."); + __gaa_helpsingle(0, "p12-info", "", + "Print information on a PKCS #12 structure."); + __gaa_helpsingle(0, "p7-info", "", + "Print information on a PKCS #7 structure."); + __gaa_helpsingle('k', "key-info", "", + "Print information on a private key."); + __gaa_helpsingle(0, "to-p12", "", "Generate a PKCS #12 structure."); + __gaa_helpsingle('8', "pkcs8", "", + "Use PKCS #8 format for private keys."); + __gaa_helpsingle(0, "dsa", "", "Use DSA keys."); + __gaa_helpsingle(0, "export-ciphers", "", + "Use weak encryption algorithms."); + __gaa_helpsingle(0, "inder", "", + "Use DER format for input certificates and private keys."); + __gaa_helpsingle(0, "xml", "", + "Use XML format for output certificates."); + __gaa_helpsingle(0, "outder", "", + "Use DER format for output certificates and private keys."); + __gaa_helpsingle(0, "bits", "BITS ", + "specify the number of bits for key generation."); + __gaa_helpsingle(0, "outfile", "FILE ", "Output file."); + __gaa_helpsingle(0, "infile", "FILE ", "Output file."); + __gaa_helpsingle(0, "template", "FILE ", + "Template file to use for non interactive operation."); + __gaa_helpsingle('d', "debug", "LEVEL ", + "specify the debug level. Default is 1."); + __gaa_helpsingle('h', "help", "", "shows this help text"); + __gaa_helpsingle('v', "version", "", "shows the program's version"); + __gaa_helpsingle(0, "copyright", "", "shows the program's license"); #line 100 "gaa.skel" } + /* Copy of C area */ #line 104 "gaa.skel" @@ -177,76 +188,68 @@ void gaa_help(void) typedef struct _gaainfo gaainfo; -struct _gaainfo -{ +struct _gaainfo { #line 97 "certtool.gaa" - int debug; + int debug; #line 93 "certtool.gaa" - char *template; + char *template; #line 90 "certtool.gaa" - char *infile; + char *infile; #line 87 "certtool.gaa" - char *outfile; + char *outfile; #line 84 "certtool.gaa" - int bits; + int bits; #line 81 "certtool.gaa" - int outcert_format; + int outcert_format; #line 78 "certtool.gaa" - int xml; + int xml; #line 75 "certtool.gaa" - int incert_format; + int incert_format; #line 72 "certtool.gaa" - int export; + int export; #line 69 "certtool.gaa" - int dsa; + int dsa; #line 66 "certtool.gaa" - int pkcs8; + int pkcs8; #line 51 "certtool.gaa" - char *pass; + char *pass; #line 48 "certtool.gaa" - char *ca; + char *ca; #line 45 "certtool.gaa" - char *ca_privkey; + char *ca_privkey; #line 42 "certtool.gaa" - char *cert; + char *cert; #line 39 "certtool.gaa" - char *request; + char *request; #line 36 "certtool.gaa" - char *privkey; + char *privkey; #line 17 "certtool.gaa" - int action; + int action; #line 114 "gaa.skel" }; #ifdef __cplusplus -extern "C" -{ +extern "C" { #endif - int gaa(int argc, char *argv[], gaainfo *gaaval); + int gaa(int argc, char *argv[], gaainfo * gaaval); void gaa_help(void); - - int gaa_file(const char *name, gaainfo *gaaval); - + + int gaa_file(const char *name, gaainfo * gaaval); + #ifdef __cplusplus } #endif - - #endif - #line 135 "gaa.skel" - /* C declarations */ - #define GAAERROR(x) \ { \ gaa_error = 1; \ return x; \ } - static char *gaa_current_option; static int gaa_error = 0; @@ -347,7 +350,7 @@ if(gaa_error == 1) \ { \ gaa_error = 0; \ return GAA_ERROR_INVALID_ARG; \ -} +} @@ -425,7 +428,7 @@ if(k == 0) \ printf("You must give at least one option of '%s'\n", str); \ return 0; \ } - + #define GAA_INCOMP(str) \ k = 0; \ for(i = 0; i < strlen(str); i++) \ @@ -444,7 +447,7 @@ if(k > 1) \ printf("The options '%s' are incompatible\n", str); \ return 0; \ } - + static char **GAAargv; static int GAAargc; @@ -456,25 +459,25 @@ static int gaa_getint(char *arg) { int tmp; char a; - if(sscanf(arg, "%d%c", &tmp, &a) < 1) - { - printf("Option %s: '%s' isn't an integer\n", gaa_current_option, arg); - GAAERROR(-1); + if (sscanf(arg, "%d%c", &tmp, &a) < 1) { + printf("Option %s: '%s' isn't an integer\n", gaa_current_option, + arg); + GAAERROR(-1); } return tmp; } static char gaa_getchar(char *arg) { - if(strlen(arg) != 1) - { - printf("Option %s: '%s' isn't an character\n", gaa_current_option, arg); - GAAERROR(-1); + if (strlen(arg) != 1) { + printf("Option %s: '%s' isn't an character\n", gaa_current_option, + arg); + GAAERROR(-1); } return arg[0]; } -static char* gaa_getstr(char *arg) +static char *gaa_getstr(char *arg) { return arg; } @@ -482,209 +485,201 @@ static float gaa_getfloat(char *arg) { float tmp; char a; - if(sscanf(arg, "%f%c", &tmp, &a) < 1) - { - printf("Option %s: '%s' isn't a float number\n", gaa_current_option, arg); - GAAERROR(-1); + if (sscanf(arg, "%f%c", &tmp, &a) < 1) { + printf("Option %s: '%s' isn't a float number\n", + gaa_current_option, arg); + GAAERROR(-1); } return tmp; } + /* option structures */ -struct GAAOPTION_debug -{ - int arg1; - int size1; +struct GAAOPTION_debug { + int arg1; + int size1; }; -struct GAAOPTION_template -{ - char* arg1; - int size1; +struct GAAOPTION_template { + char *arg1; + int size1; }; -struct GAAOPTION_infile -{ - char* arg1; - int size1; +struct GAAOPTION_infile { + char *arg1; + int size1; }; -struct GAAOPTION_outfile -{ - char* arg1; - int size1; +struct GAAOPTION_outfile { + char *arg1; + int size1; }; -struct GAAOPTION_bits -{ - int arg1; - int size1; +struct GAAOPTION_bits { + int arg1; + int size1; }; -struct GAAOPTION_password -{ - char* arg1; - int size1; +struct GAAOPTION_password { + char *arg1; + int size1; }; -struct GAAOPTION_load_ca_certificate -{ - char* arg1; - int size1; +struct GAAOPTION_load_ca_certificate { + char *arg1; + int size1; }; -struct GAAOPTION_load_ca_privkey -{ - char* arg1; - int size1; +struct GAAOPTION_load_ca_privkey { + char *arg1; + int size1; }; -struct GAAOPTION_load_certificate -{ - char* arg1; - int size1; +struct GAAOPTION_load_certificate { + char *arg1; + int size1; }; -struct GAAOPTION_load_request -{ - char* arg1; - int size1; +struct GAAOPTION_load_request { + char *arg1; + int size1; }; -struct GAAOPTION_load_privkey -{ - char* arg1; - int size1; +struct GAAOPTION_load_privkey { + char *arg1; + int size1; }; - + #line 349 "gaa.skel" static int gaa_is_an_argument(char *str) { #ifdef GAA_WIN32 - if(str[0] == '/' && str[1] != 0) + if (str[0] == '/' && str[1] != 0) return GAA_MULTIPLE_OPTION; #endif - if(str[0] != '-') - return GAA_NOT_AN_OPTION; - if(str[1] == 0) - return GAA_NOT_AN_OPTION; - if(str[1] == '-') - { - if(str[2] != 0) - return GAA_WORD_OPTION; - else - return GAA_NOT_AN_OPTION; + if (str[0] != '-') + return GAA_NOT_AN_OPTION; + if (str[1] == 0) + return GAA_NOT_AN_OPTION; + if (str[1] == '-') { + if (str[2] != 0) + return GAA_WORD_OPTION; + else + return GAA_NOT_AN_OPTION; } - if(str[2] == 0) - return GAA_LETTER_OPTION; + if (str[2] == 0) + return GAA_LETTER_OPTION; else - return GAA_MULTIPLE_OPTION; + return GAA_MULTIPLE_OPTION; } static int gaa_get_option_num(char *str, int status) { - switch(status) - { - case GAA_LETTER_OPTION: - GAA_CHECK1STR("d", GAAOPTID_debug); - GAA_CHECK1STR("", GAAOPTID_template); - GAA_CHECK1STR("", GAAOPTID_infile); - GAA_CHECK1STR("", GAAOPTID_outfile); - GAA_CHECK1STR("", GAAOPTID_bits); - GAA_CHECK1STR("", GAAOPTID_password); - GAA_CHECK1STR("", GAAOPTID_load_ca_certificate); - GAA_CHECK1STR("", GAAOPTID_load_ca_privkey); - GAA_CHECK1STR("", GAAOPTID_load_certificate); - GAA_CHECK1STR("", GAAOPTID_load_request); - GAA_CHECK1STR("", GAAOPTID_load_privkey); - case GAA_MULTIPLE_OPTION: + switch (status) { + case GAA_LETTER_OPTION: + GAA_CHECK1STR("d", GAAOPTID_debug); + GAA_CHECK1STR("", GAAOPTID_template); + GAA_CHECK1STR("", GAAOPTID_infile); + GAA_CHECK1STR("", GAAOPTID_outfile); + GAA_CHECK1STR("", GAAOPTID_bits); + GAA_CHECK1STR("", GAAOPTID_password); + GAA_CHECK1STR("", GAAOPTID_load_ca_certificate); + GAA_CHECK1STR("", GAAOPTID_load_ca_privkey); + GAA_CHECK1STR("", GAAOPTID_load_certificate); + GAA_CHECK1STR("", GAAOPTID_load_request); + GAA_CHECK1STR("", GAAOPTID_load_privkey); + case GAA_MULTIPLE_OPTION: #line 375 "gaa.skel" - GAA_CHECK1STR("", GAAOPTID_copyright); - GAA_CHECK1STR("v", GAAOPTID_version); - GAA_CHECK1STR("h", GAAOPTID_help); - GAA_CHECK1STR("", GAAOPTID_outder); - GAA_CHECK1STR("", GAAOPTID_xml); - GAA_CHECK1STR("", GAAOPTID_inder); - GAA_CHECK1STR("", GAAOPTID_export_ciphers); - GAA_CHECK1STR("", GAAOPTID_dsa); - GAA_CHECK1STR("8", GAAOPTID_pkcs8); - GAA_CHECK1STR("", GAAOPTID_to_p12); - GAA_CHECK1STR("k", GAAOPTID_key_info); - GAA_CHECK1STR("", GAAOPTID_p7_info); - GAA_CHECK1STR("", GAAOPTID_p12_info); - GAA_CHECK1STR("l", GAAOPTID_crl_info); - GAA_CHECK1STR("i", GAAOPTID_certificate_info); - GAA_CHECK1STR("", GAAOPTID_generate_dh_params); - GAA_CHECK1STR("", GAAOPTID_verify_crl); - GAA_CHECK1STR("e", GAAOPTID_verify_chain); - GAA_CHECK1STR("q", GAAOPTID_generate_request); - GAA_CHECK1STR("p", GAAOPTID_generate_privkey); - GAA_CHECK1STR("u", GAAOPTID_update_certificate); - GAA_CHECK1STR("", GAAOPTID_generate_crl); - GAA_CHECK1STR("c", GAAOPTID_generate_certificate); - GAA_CHECK1STR("s", GAAOPTID_generate_self_signed); + GAA_CHECK1STR("", GAAOPTID_copyright); + GAA_CHECK1STR("v", GAAOPTID_version); + GAA_CHECK1STR("h", GAAOPTID_help); + GAA_CHECK1STR("", GAAOPTID_outder); + GAA_CHECK1STR("", GAAOPTID_xml); + GAA_CHECK1STR("", GAAOPTID_inder); + GAA_CHECK1STR("", GAAOPTID_export_ciphers); + GAA_CHECK1STR("", GAAOPTID_dsa); + GAA_CHECK1STR("8", GAAOPTID_pkcs8); + GAA_CHECK1STR("", GAAOPTID_to_p12); + GAA_CHECK1STR("k", GAAOPTID_key_info); + GAA_CHECK1STR("", GAAOPTID_p7_info); + GAA_CHECK1STR("", GAAOPTID_p12_info); + GAA_CHECK1STR("l", GAAOPTID_crl_info); + GAA_CHECK1STR("i", GAAOPTID_certificate_info); + GAA_CHECK1STR("", GAAOPTID_generate_dh_params); + GAA_CHECK1STR("", GAAOPTID_verify_crl); + GAA_CHECK1STR("e", GAAOPTID_verify_chain); + GAA_CHECK1STR("q", GAAOPTID_generate_request); + GAA_CHECK1STR("p", GAAOPTID_generate_privkey); + GAA_CHECK1STR("u", GAAOPTID_update_certificate); + GAA_CHECK1STR("", GAAOPTID_generate_crl); + GAA_CHECK1STR("c", GAAOPTID_generate_certificate); + GAA_CHECK1STR("s", GAAOPTID_generate_self_signed); #line 277 "gaa.skel" - break; - case GAA_WORD_OPTION: - GAA_CHECKSTR("copyright", GAAOPTID_copyright); - GAA_CHECKSTR("version", GAAOPTID_version); - GAA_CHECKSTR("help", GAAOPTID_help); - GAA_CHECKSTR("debug", GAAOPTID_debug); - GAA_CHECKSTR("template", GAAOPTID_template); - GAA_CHECKSTR("infile", GAAOPTID_infile); - GAA_CHECKSTR("outfile", GAAOPTID_outfile); - GAA_CHECKSTR("bits", GAAOPTID_bits); - GAA_CHECKSTR("outder", GAAOPTID_outder); - GAA_CHECKSTR("xml", GAAOPTID_xml); - GAA_CHECKSTR("inder", GAAOPTID_inder); - GAA_CHECKSTR("export-ciphers", GAAOPTID_export_ciphers); - GAA_CHECKSTR("dsa", GAAOPTID_dsa); - GAA_CHECKSTR("pkcs8", GAAOPTID_pkcs8); - GAA_CHECKSTR("to-p12", GAAOPTID_to_p12); - GAA_CHECKSTR("key-info", GAAOPTID_key_info); - GAA_CHECKSTR("p7-info", GAAOPTID_p7_info); - GAA_CHECKSTR("p12-info", GAAOPTID_p12_info); - GAA_CHECKSTR("crl-info", GAAOPTID_crl_info); - GAA_CHECKSTR("certificate-info", GAAOPTID_certificate_info); - GAA_CHECKSTR("password", GAAOPTID_password); - GAA_CHECKSTR("load-ca-certificate", GAAOPTID_load_ca_certificate); - GAA_CHECKSTR("load-ca-privkey", GAAOPTID_load_ca_privkey); - GAA_CHECKSTR("load-certificate", GAAOPTID_load_certificate); - GAA_CHECKSTR("load-request", GAAOPTID_load_request); - GAA_CHECKSTR("load-privkey", GAAOPTID_load_privkey); - GAA_CHECKSTR("generate-dh-params", GAAOPTID_generate_dh_params); - GAA_CHECKSTR("verify-crl", GAAOPTID_verify_crl); - GAA_CHECKSTR("verify-chain", GAAOPTID_verify_chain); - GAA_CHECKSTR("generate-request", GAAOPTID_generate_request); - GAA_CHECKSTR("generate-privkey", GAAOPTID_generate_privkey); - GAA_CHECKSTR("update-certificate", GAAOPTID_update_certificate); - GAA_CHECKSTR("generate-crl", GAAOPTID_generate_crl); - GAA_CHECKSTR("generate-certificate", GAAOPTID_generate_certificate); - GAA_CHECKSTR("generate-self-signed", GAAOPTID_generate_self_signed); + break; + case GAA_WORD_OPTION: + GAA_CHECKSTR("copyright", GAAOPTID_copyright); + GAA_CHECKSTR("version", GAAOPTID_version); + GAA_CHECKSTR("help", GAAOPTID_help); + GAA_CHECKSTR("debug", GAAOPTID_debug); + GAA_CHECKSTR("template", GAAOPTID_template); + GAA_CHECKSTR("infile", GAAOPTID_infile); + GAA_CHECKSTR("outfile", GAAOPTID_outfile); + GAA_CHECKSTR("bits", GAAOPTID_bits); + GAA_CHECKSTR("outder", GAAOPTID_outder); + GAA_CHECKSTR("xml", GAAOPTID_xml); + GAA_CHECKSTR("inder", GAAOPTID_inder); + GAA_CHECKSTR("export-ciphers", GAAOPTID_export_ciphers); + GAA_CHECKSTR("dsa", GAAOPTID_dsa); + GAA_CHECKSTR("pkcs8", GAAOPTID_pkcs8); + GAA_CHECKSTR("to-p12", GAAOPTID_to_p12); + GAA_CHECKSTR("key-info", GAAOPTID_key_info); + GAA_CHECKSTR("p7-info", GAAOPTID_p7_info); + GAA_CHECKSTR("p12-info", GAAOPTID_p12_info); + GAA_CHECKSTR("crl-info", GAAOPTID_crl_info); + GAA_CHECKSTR("certificate-info", GAAOPTID_certificate_info); + GAA_CHECKSTR("password", GAAOPTID_password); + GAA_CHECKSTR("load-ca-certificate", GAAOPTID_load_ca_certificate); + GAA_CHECKSTR("load-ca-privkey", GAAOPTID_load_ca_privkey); + GAA_CHECKSTR("load-certificate", GAAOPTID_load_certificate); + GAA_CHECKSTR("load-request", GAAOPTID_load_request); + GAA_CHECKSTR("load-privkey", GAAOPTID_load_privkey); + GAA_CHECKSTR("generate-dh-params", GAAOPTID_generate_dh_params); + GAA_CHECKSTR("verify-crl", GAAOPTID_verify_crl); + GAA_CHECKSTR("verify-chain", GAAOPTID_verify_chain); + GAA_CHECKSTR("generate-request", GAAOPTID_generate_request); + GAA_CHECKSTR("generate-privkey", GAAOPTID_generate_privkey); + GAA_CHECKSTR("update-certificate", GAAOPTID_update_certificate); + GAA_CHECKSTR("generate-crl", GAAOPTID_generate_crl); + GAA_CHECKSTR("generate-certificate", + GAAOPTID_generate_certificate); + GAA_CHECKSTR("generate-self-signed", + GAAOPTID_generate_self_signed); #line 281 "gaa.skel" break; - default: break; - } + default: + break; + } return GAA_ERROR_NOMATCH; } -static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) +static int gaa_try(int gaa_num, int gaa_index, gaainfo * gaaval, + char *opt_list) { int OK = 0; int gaa_last_non_option; - struct GAAOPTION_debug GAATMP_debug; - struct GAAOPTION_template GAATMP_template; - struct GAAOPTION_infile GAATMP_infile; - struct GAAOPTION_outfile GAATMP_outfile; - struct GAAOPTION_bits GAATMP_bits; - struct GAAOPTION_password GAATMP_password; - struct GAAOPTION_load_ca_certificate GAATMP_load_ca_certificate; - struct GAAOPTION_load_ca_privkey GAATMP_load_ca_privkey; - struct GAAOPTION_load_certificate GAATMP_load_certificate; - struct GAAOPTION_load_request GAATMP_load_request; - struct GAAOPTION_load_privkey GAATMP_load_privkey; + struct GAAOPTION_debug GAATMP_debug; + struct GAAOPTION_template GAATMP_template; + struct GAAOPTION_infile GAATMP_infile; + struct GAAOPTION_outfile GAATMP_outfile; + struct GAAOPTION_bits GAATMP_bits; + struct GAAOPTION_password GAATMP_password; + struct GAAOPTION_load_ca_certificate GAATMP_load_ca_certificate; + struct GAAOPTION_load_ca_privkey GAATMP_load_ca_privkey; + struct GAAOPTION_load_certificate GAATMP_load_certificate; + struct GAAOPTION_load_request GAATMP_load_request; + struct GAAOPTION_load_privkey GAATMP_load_privkey; #line 393 "gaa.skel" #ifdef GAA_REST_EXISTS @@ -692,305 +687,383 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) #endif opt_list[gaa_num] = 1; - - for(gaa_last_non_option = gaa_index; - (gaa_last_non_option != GAAargc) && (gaa_is_an_argument(GAAargv[gaa_last_non_option]) == GAA_NOT_AN_OPTION); - gaa_last_non_option++); - - if(gaa_num == GAA_REST) - { - gaa_index = 1; - gaa_last_non_option = GAAargc; + + for (gaa_last_non_option = gaa_index; + (gaa_last_non_option != GAAargc) + && (gaa_is_an_argument(GAAargv[gaa_last_non_option]) == + GAA_NOT_AN_OPTION); gaa_last_non_option++); + + if (gaa_num == GAA_REST) { + gaa_index = 1; + gaa_last_non_option = GAAargc; } - - switch(gaa_num) - { - case GAAOPTID_copyright: + + switch (gaa_num) { + case GAAOPTID_copyright: OK = 0; #line 103 "certtool.gaa" -{ print_license(); exit(0); ;}; + { + print_license(); + exit(0);; + }; - return GAA_OK; - break; - case GAAOPTID_version: + return GAA_OK; + break; + case GAAOPTID_version: OK = 0; #line 102 "certtool.gaa" -{ certtool_version(); exit(0); ;}; + { + certtool_version(); + exit(0);; + }; - return GAA_OK; - break; - case GAAOPTID_help: + return GAA_OK; + break; + case GAAOPTID_help: OK = 0; #line 100 "certtool.gaa" -{ gaa_help(); exit(0); ;}; + { + gaa_help(); + exit(0);; + }; - return GAA_OK; - break; - case GAAOPTID_debug: + return GAA_OK; + break; + case GAAOPTID_debug: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1); + gaa_index++; #line 98 "certtool.gaa" -{ gaaval->debug = GAATMP_debug.arg1 ;}; + { + gaaval->debug = GAATMP_debug.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_template: + return GAA_OK; + break; + case GAAOPTID_template: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_template.arg1, gaa_getstr, GAATMP_template.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_template.arg1, gaa_getstr, GAATMP_template.size1); + gaa_index++; #line 94 "certtool.gaa" -{ gaaval->template = GAATMP_template.arg1 ;}; + { + gaaval->template = GAATMP_template.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_infile: + return GAA_OK; + break; + case GAAOPTID_infile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_infile.arg1, gaa_getstr, GAATMP_infile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_infile.arg1, gaa_getstr, GAATMP_infile.size1); + gaa_index++; #line 91 "certtool.gaa" -{ gaaval->infile = GAATMP_infile.arg1 ;}; + { + gaaval->infile = GAATMP_infile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_outfile: + return GAA_OK; + break; + case GAAOPTID_outfile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_outfile.arg1, gaa_getstr, GAATMP_outfile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_outfile.arg1, gaa_getstr, GAATMP_outfile.size1); + gaa_index++; #line 88 "certtool.gaa" -{ gaaval->outfile = GAATMP_outfile.arg1 ;}; + { + gaaval->outfile = GAATMP_outfile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_bits: + return GAA_OK; + break; + case GAAOPTID_bits: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_bits.arg1, gaa_getint, GAATMP_bits.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_bits.arg1, gaa_getint, GAATMP_bits.size1); + gaa_index++; #line 85 "certtool.gaa" -{ gaaval->bits = GAATMP_bits.arg1 ;}; + { + gaaval->bits = GAATMP_bits.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_outder: + return GAA_OK; + break; + case GAAOPTID_outder: OK = 0; #line 82 "certtool.gaa" -{ gaaval->outcert_format=1 ;}; + { + gaaval->outcert_format = 1; + }; - return GAA_OK; - break; - case GAAOPTID_xml: + return GAA_OK; + break; + case GAAOPTID_xml: OK = 0; #line 79 "certtool.gaa" -{ gaaval->xml=1 ;}; + { + gaaval->xml = 1; + }; - return GAA_OK; - break; - case GAAOPTID_inder: + return GAA_OK; + break; + case GAAOPTID_inder: OK = 0; #line 76 "certtool.gaa" -{ gaaval->incert_format=1 ;}; + { + gaaval->incert_format = 1; + }; - return GAA_OK; - break; - case GAAOPTID_export_ciphers: + return GAA_OK; + break; + case GAAOPTID_export_ciphers: OK = 0; #line 73 "certtool.gaa" -{ gaaval->export=1 ;}; + { + gaaval->export = 1; + }; - return GAA_OK; - break; - case GAAOPTID_dsa: + return GAA_OK; + break; + case GAAOPTID_dsa: OK = 0; #line 70 "certtool.gaa" -{ gaaval->dsa=1 ;}; + { + gaaval->dsa = 1; + }; - return GAA_OK; - break; - case GAAOPTID_pkcs8: + return GAA_OK; + break; + case GAAOPTID_pkcs8: OK = 0; #line 67 "certtool.gaa" -{ gaaval->pkcs8=1 ;}; + { + gaaval->pkcs8 = 1; + }; - return GAA_OK; - break; - case GAAOPTID_to_p12: + return GAA_OK; + break; + case GAAOPTID_to_p12: OK = 0; #line 64 "certtool.gaa" -{ gaaval->action = 8; ;}; + { + gaaval->action = 8;; + }; - return GAA_OK; - break; - case GAAOPTID_key_info: + return GAA_OK; + break; + case GAAOPTID_key_info: OK = 0; #line 62 "certtool.gaa" -{ gaaval->action = 6; ;}; + { + gaaval->action = 6;; + }; - return GAA_OK; - break; - case GAAOPTID_p7_info: + return GAA_OK; + break; + case GAAOPTID_p7_info: OK = 0; #line 60 "certtool.gaa" -{ gaaval->action = 12; ;}; + { + gaaval->action = 12;; + }; - return GAA_OK; - break; - case GAAOPTID_p12_info: + return GAA_OK; + break; + case GAAOPTID_p12_info: OK = 0; #line 58 "certtool.gaa" -{ gaaval->action = 9; ;}; + { + gaaval->action = 9;; + }; - return GAA_OK; - break; - case GAAOPTID_crl_info: + return GAA_OK; + break; + case GAAOPTID_crl_info: OK = 0; #line 56 "certtool.gaa" -{ gaaval->action = 11; ;}; + { + gaaval->action = 11;; + }; - return GAA_OK; - break; - case GAAOPTID_certificate_info: + return GAA_OK; + break; + case GAAOPTID_certificate_info: OK = 0; #line 54 "certtool.gaa" -{ gaaval->action = 2; ;}; + { + gaaval->action = 2;; + }; - return GAA_OK; - break; - case GAAOPTID_password: + return GAA_OK; + break; + case GAAOPTID_password: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_password.arg1, gaa_getstr, GAATMP_password.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_password.arg1, gaa_getstr, GAATMP_password.size1); + gaa_index++; #line 52 "certtool.gaa" -{ gaaval->pass = GAATMP_password.arg1 ;}; + { + gaaval->pass = GAATMP_password.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_load_ca_certificate: + return GAA_OK; + break; + case GAAOPTID_load_ca_certificate: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_load_ca_certificate.arg1, gaa_getstr, GAATMP_load_ca_certificate.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_load_ca_certificate.arg1, gaa_getstr, + GAATMP_load_ca_certificate.size1); + gaa_index++; #line 49 "certtool.gaa" -{ gaaval->ca = GAATMP_load_ca_certificate.arg1 ;}; + { + gaaval->ca = GAATMP_load_ca_certificate.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_load_ca_privkey: + return GAA_OK; + break; + case GAAOPTID_load_ca_privkey: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_load_ca_privkey.arg1, gaa_getstr, GAATMP_load_ca_privkey.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_load_ca_privkey.arg1, gaa_getstr, + GAATMP_load_ca_privkey.size1); + gaa_index++; #line 46 "certtool.gaa" -{ gaaval->ca_privkey = GAATMP_load_ca_privkey.arg1 ;}; + { + gaaval->ca_privkey = GAATMP_load_ca_privkey.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_load_certificate: + return GAA_OK; + break; + case GAAOPTID_load_certificate: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_load_certificate.arg1, gaa_getstr, GAATMP_load_certificate.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_load_certificate.arg1, gaa_getstr, + GAATMP_load_certificate.size1); + gaa_index++; #line 43 "certtool.gaa" -{ gaaval->cert = GAATMP_load_certificate.arg1 ;}; + { + gaaval->cert = GAATMP_load_certificate.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_load_request: + return GAA_OK; + break; + case GAAOPTID_load_request: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_load_request.arg1, gaa_getstr, GAATMP_load_request.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_load_request.arg1, gaa_getstr, + GAATMP_load_request.size1); + gaa_index++; #line 40 "certtool.gaa" -{ gaaval->request = GAATMP_load_request.arg1 ;}; + { + gaaval->request = GAATMP_load_request.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_load_privkey: + return GAA_OK; + break; + case GAAOPTID_load_privkey: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_load_privkey.arg1, gaa_getstr, GAATMP_load_privkey.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_load_privkey.arg1, gaa_getstr, + GAATMP_load_privkey.size1); + gaa_index++; #line 37 "certtool.gaa" -{ gaaval->privkey = GAATMP_load_privkey.arg1 ;}; + { + gaaval->privkey = GAATMP_load_privkey.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_generate_dh_params: + return GAA_OK; + break; + case GAAOPTID_generate_dh_params: OK = 0; #line 34 "certtool.gaa" -{ gaaval->action=10; ;}; + { + gaaval->action = 10;; + }; - return GAA_OK; - break; - case GAAOPTID_verify_crl: + return GAA_OK; + break; + case GAAOPTID_verify_crl: OK = 0; #line 32 "certtool.gaa" -{ gaaval->action=14; ;}; + { + gaaval->action = 14;; + }; - return GAA_OK; - break; - case GAAOPTID_verify_chain: + return GAA_OK; + break; + case GAAOPTID_verify_chain: OK = 0; #line 30 "certtool.gaa" -{ gaaval->action=5; ;}; + { + gaaval->action = 5;; + }; - return GAA_OK; - break; - case GAAOPTID_generate_request: + return GAA_OK; + break; + case GAAOPTID_generate_request: OK = 0; #line 28 "certtool.gaa" -{ gaaval->action=3; ;}; + { + gaaval->action = 3;; + }; - return GAA_OK; - break; - case GAAOPTID_generate_privkey: + return GAA_OK; + break; + case GAAOPTID_generate_privkey: OK = 0; #line 26 "certtool.gaa" -{ gaaval->action=1; ;}; + { + gaaval->action = 1;; + }; - return GAA_OK; - break; - case GAAOPTID_update_certificate: + return GAA_OK; + break; + case GAAOPTID_update_certificate: OK = 0; #line 24 "certtool.gaa" -{ gaaval->action=7; ;}; + { + gaaval->action = 7;; + }; - return GAA_OK; - break; - case GAAOPTID_generate_crl: + return GAA_OK; + break; + case GAAOPTID_generate_crl: OK = 0; #line 22 "certtool.gaa" -{ gaaval->action=13; ;}; + { + gaaval->action = 13;; + }; - return GAA_OK; - break; - case GAAOPTID_generate_certificate: + return GAA_OK; + break; + case GAAOPTID_generate_certificate: OK = 0; #line 20 "certtool.gaa" -{ gaaval->action=4; ;}; + { + gaaval->action = 4;; + }; - return GAA_OK; - break; - case GAAOPTID_generate_self_signed: + return GAA_OK; + break; + case GAAOPTID_generate_self_signed: OK = 0; #line 18 "certtool.gaa" -{ gaaval->action=0; ;}; + { + gaaval->action = 0;; + }; - return GAA_OK; - break; + return GAA_OK; + break; #line 413 "gaa.skel" - default: break; + default: + break; } return GAA_ERROR_UNKNOWN; } -int gaa(int argc, char **argv, gaainfo *gaaval) +int gaa(int argc, char **argv, gaainfo * gaaval) { int tmp1, tmp2; int i, j; @@ -999,19 +1072,33 @@ int gaa(int argc, char **argv, gaainfo *gaaval) GAAargv = argv; GAAargc = argc; - opt_list = (char*) gaa_malloc(GAA_NB_OPTION + 1); + opt_list = (char *) gaa_malloc(GAA_NB_OPTION + 1); - for(i = 0; i < GAA_NB_OPTION + 1; i++) - opt_list[i] = 0; + for (i = 0; i < GAA_NB_OPTION + 1; i++) + opt_list[i] = 0; /* initialization */ - if(inited == 0) - { + if (inited == 0) { #line 105 "certtool.gaa" -{ gaaval->bits = 1024; gaaval->pkcs8 = 0; gaaval->privkey = NULL; gaaval->ca=NULL; gaaval->ca_privkey = NULL; - gaaval->debug=1; gaaval->request = NULL; gaaval->infile = NULL; gaaval->outfile = NULL; gaaval->cert = NULL; - gaaval->incert_format = 0; gaaval->outcert_format = 0; gaaval->action=-1; gaaval->pass = NULL; - gaaval->export = 0; gaaval->template = NULL; gaaval->xml = 0;;}; + { + gaaval->bits = 1024; + gaaval->pkcs8 = 0; + gaaval->privkey = NULL; + gaaval->ca = NULL; + gaaval->ca_privkey = NULL; + gaaval->debug = 1; + gaaval->request = NULL; + gaaval->infile = NULL; + gaaval->outfile = NULL; + gaaval->cert = NULL; + gaaval->incert_format = 0; + gaaval->outcert_format = 0; + gaaval->action = -1; + gaaval->pass = NULL; + gaaval->export = 0; + gaaval->template = NULL; + gaaval->xml = 0;; + }; } inited = 1; @@ -1019,186 +1106,173 @@ int gaa(int argc, char **argv, gaainfo *gaaval) gaa_arg_used = NULL; if (argc > 0) { - gaa_arg_used = gaa_malloc(argc * sizeof(char)); + gaa_arg_used = gaa_malloc(argc * sizeof(char)); } - for(i = 1; i < argc; i++) - gaa_arg_used[i] = 0; - for(i = 1; i < argc; i++) - { - if(gaa_arg_used[i] == 0) - { - j = 0; - tmp1 = gaa_is_an_argument(GAAargv[i]); - switch(tmp1) - { - case GAA_WORD_OPTION: - j++; - case GAA_LETTER_OPTION: - j++; - tmp2 = gaa_get_option_num(argv[i]+j, tmp1); - if(tmp2 == GAA_ERROR_NOMATCH) - { - printf("Invalid option '%s'\n", argv[i]+j); - return 0; - } - switch(gaa_try(tmp2, i+1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("'%s': not enough arguments\n",gaa_current_option); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } - gaa_arg_used[i] = 1; - break; - case GAA_MULTIPLE_OPTION: - for(j = 1; j < strlen(argv[i]); j++) - { - tmp2 = gaa_get_option_num(argv[i]+j, tmp1); - if(tmp2 == GAA_ERROR_NOMATCH) - { - printf("Invalid option '%c'\n", *(argv[i]+j)); - return 0; - } - switch(gaa_try(tmp2, i+1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("'%s': not enough arguments\n",gaa_current_option); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } - } - gaa_arg_used[i] = 1; - break; - default: break; - } - } + for (i = 1; i < argc; i++) + gaa_arg_used[i] = 0; + for (i = 1; i < argc; i++) { + if (gaa_arg_used[i] == 0) { + j = 0; + tmp1 = gaa_is_an_argument(GAAargv[i]); + switch (tmp1) { + case GAA_WORD_OPTION: + j++; + case GAA_LETTER_OPTION: + j++; + tmp2 = gaa_get_option_num(argv[i] + j, tmp1); + if (tmp2 == GAA_ERROR_NOMATCH) { + printf("Invalid option '%s'\n", argv[i] + j); + return 0; + } + switch (gaa_try(tmp2, i + 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("'%s': not enough arguments\n", + gaa_current_option); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } + gaa_arg_used[i] = 1; + break; + case GAA_MULTIPLE_OPTION: + for (j = 1; j < strlen(argv[i]); j++) { + tmp2 = gaa_get_option_num(argv[i] + j, tmp1); + if (tmp2 == GAA_ERROR_NOMATCH) { + printf("Invalid option '%c'\n", *(argv[i] + j)); + return 0; + } + switch (gaa_try(tmp2, i + 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("'%s': not enough arguments\n", + gaa_current_option); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } + } + gaa_arg_used[i] = 1; + break; + default: + break; + } + } } -if(gaa_processing_file == 0) -{ + if (gaa_processing_file == 0) { #line 507 "gaa.skel" #ifdef GAA_REST_EXISTS - switch(gaa_try(GAA_REST, 1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("Rest: not enough arguments\n"); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } + switch (gaa_try(GAA_REST, 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("Rest: not enough arguments\n"); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } #endif -} - for(i = 1; i < argc; i++) - { - if(gaa_arg_used[i] == 0) - { - printf("Too many arguments\n"); - return 0; - } + } + for (i = 1; i < argc; i++) { + if (gaa_arg_used[i] == 0) { + printf("Too many arguments\n"); + return 0; + } } free(gaa_arg_used); free(opt_list); return -1; } -struct gaastrnode -{ +struct gaastrnode { char *str; struct gaastrnode *next; }; typedef struct gaastrnode gaa_str_node; -static int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc) +static int gaa_internal_get_next_str(FILE * file, gaa_str_node * tmp_str, + int argc) { int pos_ini; int a; int i = 0, len = 0, newline = 0; - if(argc == 1) { - newline = 1; - len = 2; + if (argc == 1) { + newline = 1; + len = 2; } - - a = fgetc( file); - if (a == EOF) return 0; - - while(a == ' ' || a == 9 || a == '\n') - { - if(a == '\n') - { - newline=1; - len = 2; - } - a = fgetc( file); - if (a == EOF) return 0; + + a = fgetc(file); + if (a == EOF) + return 0; + + while (a == ' ' || a == 9 || a == '\n') { + if (a == '\n') { + newline = 1; + len = 2; + } + a = fgetc(file); + if (a == EOF) + return 0; } pos_ini = ftell(file) - 1; - while(a != ' ' && a != 9 && a != '\n') - { + while (a != ' ' && a != 9 && a != '\n') { - len++; - a = fgetc( file); - if(a==EOF) return 0; //a = ' '; + len++; + a = fgetc(file); + if (a == EOF) + return 0; //a = ' '; } len += 1; tmp_str->str = gaa_malloc((len) * sizeof(char)); - if(newline == 1) - { - tmp_str->str[0] = '-'; - tmp_str->str[1] = '-'; - i = 2; - } - else - { - i = 0; + if (newline == 1) { + tmp_str->str[0] = '-'; + tmp_str->str[1] = '-'; + i = 2; + } else { + i = 0; } - fseek(file,pos_ini, SEEK_SET); - do - { - a = fgetc( file); - - if (a == EOF) { - i+=2; - break; - } - tmp_str->str[i] = a; - i++; + fseek(file, pos_ini, SEEK_SET); + do { + a = fgetc(file); + + if (a == EOF) { + i += 2; + break; + } + tmp_str->str[i] = a; + i++; } - while(a != ' ' && a != 9 && a != '\n' && i < len); + while (a != ' ' && a != 9 && a != '\n' && i < len); tmp_str->str[i - 1] = 0; - fseek(file,- 1, SEEK_CUR); + fseek(file, -1, SEEK_CUR); /* printf("%d\n", ftell(file)); */ - + return -1; } -int gaa_file(const char *name, gaainfo *gaaval) +int gaa_file(const char *name, gaainfo * gaaval) { gaa_str_node *first_str, **tmp_str, *tmp_str2; int rval, i; @@ -1207,38 +1281,36 @@ int gaa_file(const char *name, gaainfo *gaaval) FILE *file; gaa_processing_file = 1; - - if((file = fopen(name, "r")) == NULL) - { - printf("Couldn't open '%s' configuration file for reading\n", name); - return 1; + + if ((file = fopen(name, "r")) == NULL) { + printf("Couldn't open '%s' configuration file for reading\n", + name); + return 1; } - + tmp_str = &first_str; - do - { - argc++; - *tmp_str = gaa_malloc(sizeof(gaa_str_node)); + do { + argc++; + *tmp_str = gaa_malloc(sizeof(gaa_str_node)); - (*tmp_str)->str = NULL; - (*tmp_str)->next = NULL; + (*tmp_str)->str = NULL; + (*tmp_str)->next = NULL; - rval = gaa_internal_get_next_str(file, *tmp_str, argc); - tmp_str = &((*tmp_str)->next); + rval = gaa_internal_get_next_str(file, *tmp_str, argc); + tmp_str = &((*tmp_str)->next); } - while(rval == -1); - - if(rval == 1) - return 0; - - argv = gaa_malloc((1 + argc) * sizeof(char*)); + while (rval == -1); + + if (rval == 1) + return 0; + + argv = gaa_malloc((1 + argc) * sizeof(char *)); tmp_str2 = first_str; argv[0] = "cfg"; - for(i = 1; i < argc; i++) - { - argv[i] = tmp_str2->str; - tmp_str2 = tmp_str2->next; + for (i = 1; i < argc; i++) { + argv[i] = tmp_str2->str; + tmp_str2 = tmp_str2->next; } rval = gaa(argc, argv, gaaval); diff --git a/src/certtool.c b/src/certtool.c index 620ddcf73f..d830216925 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -35,11 +35,11 @@ #include <getpass.h> #include <certtool-cfg.h> -static void print_crl_info( gnutls_x509_crl crl, FILE* out, int all); +static void print_crl_info(gnutls_x509_crl crl, FILE * out, int all); int generate_prime(int bits); -void pkcs7_info( void); -void pkcs12_info( void); -void generate_pkcs12( void); +void pkcs7_info(void); +void pkcs12_info(void); +void generate_pkcs12(void); void verify_chain(void); void verify_crl(void); gnutls_x509_privkey load_private_key(int mand); @@ -47,18 +47,19 @@ gnutls_x509_crq load_request(void); gnutls_x509_privkey load_ca_private_key(void); gnutls_x509_crt load_ca_cert(void); gnutls_x509_crt load_cert(int mand); -void certificate_info( void); -void crl_info( void); -void privkey_info( void); -static void print_certificate_info( gnutls_x509_crt crt, FILE* out, unsigned int); +void certificate_info(void); +void crl_info(void); +void privkey_info(void); +static void print_certificate_info(gnutls_x509_crt crt, FILE * out, + unsigned int); static void gaa_parser(int argc, char **argv); -void generate_self_signed( void); +void generate_self_signed(void); void generate_request(void); -gnutls_x509_crt* load_cert_list(int mand, int *size); +gnutls_x509_crt *load_cert_list(int mand, int *size); static gaainfo info; -FILE* outfile; -FILE* infile; +FILE *outfile; +FILE *infile; static int in_cert_format; static int out_cert_format; @@ -68,1472 +69,1581 @@ static int out_cert_format; */ int batch; -unsigned char buffer[50*1024]; +unsigned char buffer[50 * 1024]; const int buffer_size = sizeof(buffer); -static void tls_log_func( int level, const char* str) +static void tls_log_func(int level, const char *str) { - fprintf(stderr, "|<%d>| %s", level, str); + fprintf(stderr, "|<%d>| %s", level, str); } -int main(int argc, char** argv) +int main(int argc, char **argv) { - cfg_init(); - gaa_parser(argc, argv); + cfg_init(); + gaa_parser(argc, argv); - return 0; + return 0; } -static gnutls_x509_privkey generate_private_key_int( void) +static gnutls_x509_privkey generate_private_key_int(void) { -gnutls_x509_privkey key; -int ret, key_type; -const char* msg; - - if (info.dsa) { - msg = "DSA"; - key_type = GNUTLS_PK_DSA; - - if (info.bits > 1024) { - fprintf(stderr, "The DSA algorithm cannot be used with primes over 1024 bits.\n"); - exit(1); - } - } else { - msg = "RSA"; - key_type = GNUTLS_PK_RSA; - } + gnutls_x509_privkey key; + int ret, key_type; + const char *msg; - if (info.privkey) - return load_private_key(1); + if (info.dsa) { + msg = "DSA"; + key_type = GNUTLS_PK_DSA; - ret = gnutls_x509_privkey_init(&key); - if (ret < 0) { - fprintf(stderr, "privkey_init: %s\n", gnutls_strerror(ret)); - exit(1); + if (info.bits > 1024) { + fprintf(stderr, + "The DSA algorithm cannot be used with primes over 1024 bits.\n"); + exit(1); } + } else { + msg = "RSA"; + key_type = GNUTLS_PK_RSA; + } - fprintf(stderr, "Generating a %d bit %s private key...\n", info.bits, msg); + if (info.privkey) + return load_private_key(1); - ret = gnutls_x509_privkey_generate( key, key_type, info.bits, 0); - if (ret < 0) { - fprintf(stderr, "privkey_generate: %s\n", gnutls_strerror(ret)); - exit(1); - } + ret = gnutls_x509_privkey_init(&key); + if (ret < 0) { + fprintf(stderr, "privkey_init: %s\n", gnutls_strerror(ret)); + exit(1); + } + + fprintf(stderr, "Generating a %d bit %s private key...\n", info.bits, + msg); - return key; + ret = gnutls_x509_privkey_generate(key, key_type, info.bits, 0); + if (ret < 0) { + fprintf(stderr, "privkey_generate: %s\n", gnutls_strerror(ret)); + exit(1); + } + + return key; } -static void print_key_usage( unsigned int x, FILE* out) +static void print_key_usage(unsigned int x, FILE * out) { - if (x&GNUTLS_KEY_DIGITAL_SIGNATURE) - fprintf(out,"\t\tDigital signature.\n"); - if (x&GNUTLS_KEY_NON_REPUDIATION) - fprintf(out,"\t\tNon repudiation.\n"); - if (x&GNUTLS_KEY_KEY_ENCIPHERMENT) - fprintf(out,"\t\tKey encipherment.\n"); - if (x&GNUTLS_KEY_DATA_ENCIPHERMENT) - fprintf(out,"\t\tData encipherment.\n"); - if (x&GNUTLS_KEY_KEY_AGREEMENT) - fprintf(out,"\t\tKey agreement.\n"); - if (x&GNUTLS_KEY_KEY_CERT_SIGN) - fprintf(out,"\t\tCertificate signing.\n"); - if (x&GNUTLS_KEY_CRL_SIGN) - fprintf(out,"\t\tCRL signing.\n"); - if (x&GNUTLS_KEY_ENCIPHER_ONLY) - fprintf(out,"\t\tKey encipher only.\n"); - if (x&GNUTLS_KEY_DECIPHER_ONLY) - fprintf(out,"\t\tKey decipher only.\n"); + if (x & GNUTLS_KEY_DIGITAL_SIGNATURE) + fprintf(out, "\t\tDigital signature.\n"); + if (x & GNUTLS_KEY_NON_REPUDIATION) + fprintf(out, "\t\tNon repudiation.\n"); + if (x & GNUTLS_KEY_KEY_ENCIPHERMENT) + fprintf(out, "\t\tKey encipherment.\n"); + if (x & GNUTLS_KEY_DATA_ENCIPHERMENT) + fprintf(out, "\t\tData encipherment.\n"); + if (x & GNUTLS_KEY_KEY_AGREEMENT) + fprintf(out, "\t\tKey agreement.\n"); + if (x & GNUTLS_KEY_KEY_CERT_SIGN) + fprintf(out, "\t\tCertificate signing.\n"); + if (x & GNUTLS_KEY_CRL_SIGN) + fprintf(out, "\t\tCRL signing.\n"); + if (x & GNUTLS_KEY_ENCIPHER_ONLY) + fprintf(out, "\t\tKey encipher only.\n"); + if (x & GNUTLS_KEY_DECIPHER_ONLY) + fprintf(out, "\t\tKey decipher only.\n"); } -static void print_key_purpose( const char* x, FILE* out) +static void print_key_purpose(const char *x, FILE * out) { - if (strcasecmp( x, GNUTLS_KP_TLS_WWW_SERVER)==0) - fprintf(out,"\t\tTLS WWW Server.\n"); - else if (strcasecmp( x, GNUTLS_KP_TLS_WWW_CLIENT)==0) - fprintf(out,"\t\tTLS WWW Client.\n"); - else if (strcasecmp( x, GNUTLS_KP_CODE_SIGNING)==0) - fprintf(out,"\t\tCode signing.\n"); - else if (strcasecmp( x, GNUTLS_KP_EMAIL_PROTECTION)==0) - fprintf(out,"\t\tEmail protection.\n"); - else if (strcasecmp( x, GNUTLS_KP_TIME_STAMPING)==0) - fprintf(out,"\t\tTime stamping.\n"); - else if (strcasecmp( x, GNUTLS_KP_OCSP_SIGNING)==0) - fprintf(out,"\t\tOCSP signing.\n"); - else if (strcasecmp( x, GNUTLS_KP_ANY)==0) - fprintf(out,"\t\tAny purpose.\n"); - else fprintf(out,"\t\t%s\n", x); + if (strcasecmp(x, GNUTLS_KP_TLS_WWW_SERVER) == 0) + fprintf(out, "\t\tTLS WWW Server.\n"); + else if (strcasecmp(x, GNUTLS_KP_TLS_WWW_CLIENT) == 0) + fprintf(out, "\t\tTLS WWW Client.\n"); + else if (strcasecmp(x, GNUTLS_KP_CODE_SIGNING) == 0) + fprintf(out, "\t\tCode signing.\n"); + else if (strcasecmp(x, GNUTLS_KP_EMAIL_PROTECTION) == 0) + fprintf(out, "\t\tEmail protection.\n"); + else if (strcasecmp(x, GNUTLS_KP_TIME_STAMPING) == 0) + fprintf(out, "\t\tTime stamping.\n"); + else if (strcasecmp(x, GNUTLS_KP_OCSP_SIGNING) == 0) + fprintf(out, "\t\tOCSP signing.\n"); + else if (strcasecmp(x, GNUTLS_KP_ANY) == 0) + fprintf(out, "\t\tAny purpose.\n"); + else + fprintf(out, "\t\t%s\n", x); } -static void print_private_key( gnutls_x509_privkey key) +static void print_private_key(gnutls_x509_privkey key) { -int ret; -size_t size; + int ret; + size_t size; - if (!key) return; + if (!key) + return; - if (!info.pkcs8) { - size = sizeof(buffer); - ret = gnutls_x509_privkey_export( key, out_cert_format, buffer, &size); - if (ret < 0) { - fprintf(stderr, "privkey_export: %s\n", gnutls_strerror(ret)); - exit(1); - } - } else { - unsigned int flags; - const char* pass; - - if (info.export) flags = GNUTLS_PKCS_USE_PKCS12_RC2_40; - else flags = GNUTLS_PKCS_USE_PKCS12_3DES; - if ((pass=get_pass()) == NULL) flags = GNUTLS_PKCS_PLAIN; - - size = sizeof(buffer); - ret = gnutls_x509_privkey_export_pkcs8( key, out_cert_format, pass, flags, buffer, &size); - if (ret < 0) { - fprintf(stderr, "privkey_export_pkcs8: %s\n", gnutls_strerror(ret)); - exit(1); - } + if (!info.pkcs8) { + size = sizeof(buffer); + ret = + gnutls_x509_privkey_export(key, out_cert_format, buffer, + &size); + if (ret < 0) { + fprintf(stderr, "privkey_export: %s\n", gnutls_strerror(ret)); + exit(1); + } + } else { + unsigned int flags; + const char *pass; + + if (info.export) + flags = GNUTLS_PKCS_USE_PKCS12_RC2_40; + else + flags = GNUTLS_PKCS_USE_PKCS12_3DES; + if ((pass = get_pass()) == NULL) + flags = GNUTLS_PKCS_PLAIN; + + size = sizeof(buffer); + ret = + gnutls_x509_privkey_export_pkcs8(key, out_cert_format, pass, + flags, buffer, &size); + if (ret < 0) { + fprintf(stderr, "privkey_export_pkcs8: %s\n", + gnutls_strerror(ret)); + exit(1); } + } - fwrite(buffer, 1, size, outfile); + fwrite(buffer, 1, size, outfile); } -void generate_private_key( void) +void generate_private_key(void) { -gnutls_x509_privkey key; - - fprintf(stderr, "Generating a private key...\n"); - - key = generate_private_key_int(); - - print_private_key( key); - - gnutls_x509_privkey_deinit(key); -} + gnutls_x509_privkey key; + fprintf(stderr, "Generating a private key...\n"); -gnutls_x509_crt generate_certificate( gnutls_x509_privkey *ret_key, - gnutls_x509_crt ca_crt) -{ - gnutls_x509_crt crt; - gnutls_x509_privkey key = NULL; - int size, serial, client; - int days, result, ca_status; - const char* str; - int vers = 3; /* the default version in the certificate - */ - unsigned int usage = 0, server; - gnutls_x509_crq crq; /* request */ - - size = gnutls_x509_crt_init(&crt); - if (size < 0) { - fprintf(stderr, "crt_init: %s\n", gnutls_strerror(size)); - exit(1); - } + key = generate_private_key_int(); + print_private_key(key); - crq = load_request(); + gnutls_x509_privkey_deinit(key); +} - if (crq == NULL) { - key = load_private_key(1); +gnutls_x509_crt generate_certificate(gnutls_x509_privkey * ret_key, + gnutls_x509_crt ca_crt) +{ + gnutls_x509_crt crt; + gnutls_x509_privkey key = NULL; + int size, serial, client; + int days, result, ca_status; + const char *str; + int vers = 3; /* the default version in the certificate + */ + unsigned int usage = 0, server; + gnutls_x509_crq crq; /* request */ - if (!batch) - fprintf(stderr, "Please enter the details of the certificate's distinguished name. " - "Just press enter to ignore a field.\n"); + size = gnutls_x509_crt_init(&crt); + if (size < 0) { + fprintf(stderr, "crt_init: %s\n", gnutls_strerror(size)); + exit(1); + } - /* set the DN. - */ - get_country_crt_set( crt); - get_organization_crt_set(crt); - get_unit_crt_set( crt); - get_locality_crt_set( crt); - get_state_crt_set( crt); - get_cn_crt_set( crt); - get_uid_crt_set( crt); - get_oid_crt_set( crt); - - if (!batch) fprintf(stderr, "This field should not be used in new certificates.\n"); - get_pkcs9_email_crt_set( crt); + crq = load_request(); - result = gnutls_x509_crt_set_key( crt, key); - if (result < 0) { - fprintf(stderr, "set_key: %s\n", gnutls_strerror(result)); - exit(1); - } + if (crq == NULL) { - } else { - result = gnutls_x509_crt_set_crq( crt, crq); - if (result < 0) { - fprintf(stderr, "set_crq: %s\n", gnutls_strerror(result)); - exit(1); - } - } + key = load_private_key(1); + if (!batch) + fprintf(stderr, + "Please enter the details of the certificate's distinguished name. " + "Just press enter to ignore a field.\n"); - serial = get_serial(); - buffer[3] = serial & 0xff; - buffer[2] = (serial >> 8) & 0xff; - buffer[1] = (serial >> 16) & 0xff; - buffer[0] = 0; + /* set the DN. + */ + get_country_crt_set(crt); + get_organization_crt_set(crt); + get_unit_crt_set(crt); + get_locality_crt_set(crt); + get_state_crt_set(crt); + get_cn_crt_set(crt); + get_uid_crt_set(crt); + get_oid_crt_set(crt); + + if (!batch) + fprintf(stderr, + "This field should not be used in new certificates.\n"); + + get_pkcs9_email_crt_set(crt); + + result = gnutls_x509_crt_set_key(crt, key); + if (result < 0) { + fprintf(stderr, "set_key: %s\n", gnutls_strerror(result)); + exit(1); + } - result = gnutls_x509_crt_set_serial( crt, buffer, 4); + } else { + result = gnutls_x509_crt_set_crq(crt, crq); if (result < 0) { - fprintf(stderr, "serial: %s\n", gnutls_strerror(result)); - exit(1); + fprintf(stderr, "set_crq: %s\n", gnutls_strerror(result)); + exit(1); } + } + + + serial = get_serial(); + buffer[3] = serial & 0xff; + buffer[2] = (serial >> 8) & 0xff; + buffer[1] = (serial >> 16) & 0xff; + buffer[0] = 0; + + result = gnutls_x509_crt_set_serial(crt, buffer, 4); + if (result < 0) { + fprintf(stderr, "serial: %s\n", gnutls_strerror(result)); + exit(1); + } + + + if (!batch) + fprintf(stderr, "\n\nActivation/Expiration time.\n"); + + gnutls_x509_crt_set_activation_time(crt, time(NULL)); + + days = get_days(); + + result = + gnutls_x509_crt_set_expiration_time(crt, + time(NULL) + + days * 24 * 60 * 60); + if (result < 0) { + fprintf(stderr, "serial: %s\n", gnutls_strerror(result)); + exit(1); + } - if (!batch) fprintf(stderr, "\n\nActivation/Expiration time.\n"); + if (!batch) + fprintf(stderr, "\n\nExtensions.\n"); - gnutls_x509_crt_set_activation_time( crt, time(NULL)); + ca_status = get_ca_status(); - days = get_days(); - - result = gnutls_x509_crt_set_expiration_time( crt, time(NULL)+days*24*60*60); + result = gnutls_x509_crt_set_ca_status(crt, ca_status); + if (result < 0) { + fprintf(stderr, "ca_status: %s\n", gnutls_strerror(result)); + exit(1); + } + + client = get_tls_client_status(); + if (client != 0) { + result = + gnutls_x509_crt_set_key_purpose_oid(crt, + GNUTLS_KP_TLS_WWW_CLIENT, + 0); if (result < 0) { - fprintf(stderr, "serial: %s\n", gnutls_strerror(result)); - exit(1); + fprintf(stderr, "key_kp: %s\n", gnutls_strerror(result)); + exit(1); } - + } - if (!batch) fprintf(stderr, "\n\nExtensions.\n"); + server = get_tls_server_status(); + if (server != 0) { + result = 0; - ca_status = get_ca_status(); + str = get_dns_name(); + if (str != NULL) { + result = + gnutls_x509_crt_set_subject_alternative_name(crt, + GNUTLS_SAN_DNSNAME, + str); + } else { + str = get_ip_addr(); + if (str != NULL) { + result = + gnutls_x509_crt_set_subject_alternative_name(crt, + GNUTLS_SAN_IPADDRESS, + str); + } + } - result = gnutls_x509_crt_set_ca_status( crt, ca_status); if (result < 0) { - fprintf(stderr, "ca_status: %s\n", gnutls_strerror(result)); - exit(1); + fprintf(stderr, "subject_alt_name: %s\n", + gnutls_strerror(result)); + exit(1); } - client = get_tls_client_status(); - if (client != 0) { - result = gnutls_x509_crt_set_key_purpose_oid( crt, GNUTLS_KP_TLS_WWW_CLIENT, 0); - if (result < 0) { - fprintf(stderr, "key_kp: %s\n", gnutls_strerror(result)); - exit(1); - } + result = + gnutls_x509_crt_set_key_purpose_oid(crt, + GNUTLS_KP_TLS_WWW_SERVER, + 0); + if (result < 0) { + fprintf(stderr, "key_kp: %s\n", gnutls_strerror(result)); + exit(1); } - server = get_tls_server_status(); - if (server != 0) { - result = 0; - - str = get_dns_name(); - if (str != NULL) { - result = gnutls_x509_crt_set_subject_alternative_name( crt, GNUTLS_SAN_DNSNAME, str); - } else { - str = get_ip_addr(); - if (str != NULL) { - result = gnutls_x509_crt_set_subject_alternative_name( crt, GNUTLS_SAN_IPADDRESS, str); - } - } + } else { - if (result < 0) { - fprintf(stderr, "subject_alt_name: %s\n", gnutls_strerror(result)); - exit(1); - } + str = get_email(); - result = gnutls_x509_crt_set_key_purpose_oid( crt, GNUTLS_KP_TLS_WWW_SERVER, 0); - if (result < 0) { - fprintf(stderr, "key_kp: %s\n", gnutls_strerror(result)); - exit(1); - } - - } else { - - str = get_email(); - - if (str != NULL) { - result = gnutls_x509_crt_set_subject_alternative_name( crt, GNUTLS_SAN_RFC822NAME, str); - if (result < 0) { - fprintf(stderr, "subject_alt_name: %s\n", gnutls_strerror(result)); - exit(1); - } - } + if (str != NULL) { + result = + gnutls_x509_crt_set_subject_alternative_name(crt, + GNUTLS_SAN_RFC822NAME, + str); + if (result < 0) { + fprintf(stderr, "subject_alt_name: %s\n", + gnutls_strerror(result)); + exit(1); + } } + } - if (!ca_status || server) { - int pk; + if (!ca_status || server) { + int pk; - pk = gnutls_x509_crt_get_pk_algorithm( crt, NULL); + pk = gnutls_x509_crt_get_pk_algorithm(crt, NULL); - if (pk != GNUTLS_PK_DSA) { /* DSA keys can only sign. - */ - result = get_sign_status(server); - if (result) usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; - - result = get_encrypt_status( server); - if (result) usage |= GNUTLS_KEY_KEY_ENCIPHERMENT; - } else usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; - } + if (pk != GNUTLS_PK_DSA) { /* DSA keys can only sign. + */ + result = get_sign_status(server); + if (result) + usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; + result = get_encrypt_status(server); + if (result) + usage |= GNUTLS_KEY_KEY_ENCIPHERMENT; + } else + usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; + } - if (ca_status) { - result = get_cert_sign_status(); - if (result) usage |= GNUTLS_KEY_KEY_CERT_SIGN; - result = get_crl_sign_status(); - if (result) usage |= GNUTLS_KEY_CRL_SIGN; + if (ca_status) { + result = get_cert_sign_status(); + if (result) + usage |= GNUTLS_KEY_KEY_CERT_SIGN; - result = get_code_sign_status(); - if (result) { - result = gnutls_x509_crt_set_key_purpose_oid( crt, GNUTLS_KP_CODE_SIGNING, 0); - if (result < 0) { - fprintf(stderr, "key_kp: %s\n", gnutls_strerror(result)); - exit(1); - } - } + result = get_crl_sign_status(); + if (result) + usage |= GNUTLS_KEY_CRL_SIGN; - result = get_ocsp_sign_status(); - if (result) { - result = gnutls_x509_crt_set_key_purpose_oid( crt, GNUTLS_KP_OCSP_SIGNING, 0); - if (result < 0) { - fprintf(stderr, "key_kp: %s\n", gnutls_strerror(result)); - exit(1); - } - } + result = get_code_sign_status(); + if (result) { + result = + gnutls_x509_crt_set_key_purpose_oid(crt, + GNUTLS_KP_CODE_SIGNING, + 0); + if (result < 0) { + fprintf(stderr, "key_kp: %s\n", gnutls_strerror(result)); + exit(1); + } + } - result = get_time_stamp_status(); - if (result) { - result = gnutls_x509_crt_set_key_purpose_oid( crt, GNUTLS_KP_TIME_STAMPING, 0); - if (result < 0) { - fprintf(stderr, "key_kp: %s\n", gnutls_strerror(result)); - exit(1); - } - } + result = get_ocsp_sign_status(); + if (result) { + result = + gnutls_x509_crt_set_key_purpose_oid(crt, + GNUTLS_KP_OCSP_SIGNING, + 0); + if (result < 0) { + fprintf(stderr, "key_kp: %s\n", gnutls_strerror(result)); + exit(1); + } } - if (usage != 0) { - result = gnutls_x509_crt_set_key_usage( crt, usage); - if (result < 0) { - fprintf(stderr, "key_usage: %s\n", gnutls_strerror(result)); - exit(1); - } + result = get_time_stamp_status(); + if (result) { + result = + gnutls_x509_crt_set_key_purpose_oid(crt, + GNUTLS_KP_TIME_STAMPING, + 0); + if (result < 0) { + fprintf(stderr, "key_kp: %s\n", gnutls_strerror(result)); + exit(1); + } } + } - /* Version. - */ - result = gnutls_x509_crt_set_version( crt, vers); + if (usage != 0) { + result = gnutls_x509_crt_set_key_usage(crt, usage); if (result < 0) { - fprintf(stderr, "set_version: %s\n", gnutls_strerror(result)); - exit(1); + fprintf(stderr, "key_usage: %s\n", gnutls_strerror(result)); + exit(1); + } + } + + /* Version. + */ + result = gnutls_x509_crt_set_version(crt, vers); + if (result < 0) { + fprintf(stderr, "set_version: %s\n", gnutls_strerror(result)); + exit(1); + } + + /* Subject Key ID. + */ + size = sizeof(buffer); + result = gnutls_x509_crt_get_key_id(crt, 0, buffer, &size); + if (result >= 0) { + result = gnutls_x509_crt_set_subject_key_id(crt, buffer, size); + if (result < 0) { + fprintf(stderr, "set_subject_key_id: %s\n", + gnutls_strerror(result)); + exit(1); } - - /* Subject Key ID. - */ + } + + /* Authority Key ID. + */ + if (ca_crt != NULL) { size = sizeof(buffer); - result = gnutls_x509_crt_get_key_id(crt, 0, buffer, &size); + result = gnutls_x509_crt_get_key_id(ca_crt, 0, buffer, &size); if (result >= 0) { - result = gnutls_x509_crt_set_subject_key_id( crt, buffer, size); - if (result < 0) { - fprintf(stderr, "set_subject_key_id: %s\n", gnutls_strerror(result)); - exit(1); - } - } - - /* Authority Key ID. - */ - if (ca_crt != NULL) { - size = sizeof(buffer); - result = gnutls_x509_crt_get_key_id(ca_crt, 0, buffer, &size); - if (result >= 0) { - result = gnutls_x509_crt_set_authority_key_id( crt, buffer, size); - if (result < 0) { - fprintf(stderr, "set_authority_key_id: %s\n", gnutls_strerror(result)); - exit(1); - } - } + result = + gnutls_x509_crt_set_authority_key_id(crt, buffer, size); + if (result < 0) { + fprintf(stderr, "set_authority_key_id: %s\n", + gnutls_strerror(result)); + exit(1); + } } + } - *ret_key = key; - return crt; + *ret_key = key; + return crt; } -gnutls_x509_crl generate_crl( void) +gnutls_x509_crl generate_crl(void) { - gnutls_x509_crl crl; - gnutls_x509_crt * crts; - int size; - int days, result, i; - int vers = 2; /* the default version in the CRL - */ - - result = gnutls_x509_crl_init(&crl); - if (result < 0) { - fprintf(stderr, "crl_init: %s\n", gnutls_strerror(result)); - exit(1); - } + gnutls_x509_crl crl; + gnutls_x509_crt *crts; + int size; + int days, result, i; + int vers = 2; /* the default version in the CRL + */ - crts = load_cert_list(1, &size); + result = gnutls_x509_crl_init(&crl); + if (result < 0) { + fprintf(stderr, "crl_init: %s\n", gnutls_strerror(result)); + exit(1); + } - for (i=0;i<size;i++) { - - result = gnutls_x509_crl_set_crt( crl, crts[i], time(0)); - if (result < 0) { - fprintf(stderr, "serial: %s\n", gnutls_strerror(result)); - exit(1); - } - } + crts = load_cert_list(1, &size); - fprintf(stderr, "\n\nthisUpdate/nextUpdate time.\n"); - gnutls_x509_crl_set_this_update( crl, time(NULL)); + for (i = 0; i < size; i++) { - days = get_crl_next_update(); - - result = gnutls_x509_crl_set_next_update( crl, time(NULL)+days*24*60*60); + result = gnutls_x509_crl_set_crt(crl, crts[i], time(0)); if (result < 0) { - fprintf(stderr, "next_update: %s\n", gnutls_strerror(result)); - exit(1); + fprintf(stderr, "serial: %s\n", gnutls_strerror(result)); + exit(1); } - - /* Version. - */ - result = gnutls_x509_crl_set_version( crl, vers); - if (result < 0) { - fprintf(stderr, "set_version: %s\n", gnutls_strerror(result)); - exit(1); - } - - return crl; + } + + fprintf(stderr, "\n\nthisUpdate/nextUpdate time.\n"); + gnutls_x509_crl_set_this_update(crl, time(NULL)); + + days = get_crl_next_update(); + + result = + gnutls_x509_crl_set_next_update(crl, + time(NULL) + days * 24 * 60 * 60); + if (result < 0) { + fprintf(stderr, "next_update: %s\n", gnutls_strerror(result)); + exit(1); + } + + /* Version. + */ + result = gnutls_x509_crl_set_version(crl, vers); + if (result < 0) { + fprintf(stderr, "set_version: %s\n", gnutls_strerror(result)); + exit(1); + } + + return crl; } -gnutls_x509_crt update_certificate( void) +gnutls_x509_crt update_certificate(void) { - gnutls_x509_crt crt; - int size; - int days, result; + gnutls_x509_crt crt; + int size; + int days, result; - size = gnutls_x509_crt_init(&crt); - if (size < 0) { - fprintf(stderr, "crt_init: %s\n", gnutls_strerror(size)); - exit(1); - } + size = gnutls_x509_crt_init(&crt); + if (size < 0) { + fprintf(stderr, "crt_init: %s\n", gnutls_strerror(size)); + exit(1); + } - crt = load_cert(1); + crt = load_cert(1); - fprintf(stderr, "Activation/Expiration time.\n"); - gnutls_x509_crt_set_activation_time( crt, time(NULL)); - - days = get_days(); - - result = gnutls_x509_crt_set_expiration_time( crt, time(NULL)+days*24*60*60); - if (result < 0) { - fprintf(stderr, "serial: %s\n", gnutls_strerror(result)); - exit(1); - } + fprintf(stderr, "Activation/Expiration time.\n"); + gnutls_x509_crt_set_activation_time(crt, time(NULL)); + + days = get_days(); + + result = + gnutls_x509_crt_set_expiration_time(crt, + time(NULL) + + days * 24 * 60 * 60); + if (result < 0) { + fprintf(stderr, "serial: %s\n", gnutls_strerror(result)); + exit(1); + } - return crt; + return crt; } -void generate_self_signed( void) +void generate_self_signed(void) { - gnutls_x509_crt crt; - gnutls_x509_privkey key; - size_t size; - int result; - const char *uri; - - fprintf(stderr, "Generating a self signed certificate...\n"); - - crt = generate_certificate( &key, NULL); - - uri = get_crl_dist_point_url(); - if (uri) { - result = gnutls_x509_crt_set_crl_dist_points( crt, GNUTLS_SAN_URI, - uri, 0 /* all reasons */); - if (result < 0) { - fprintf(stderr, "crl_dist_points: %s\n", gnutls_strerror(result)); - exit(1); - } - } + gnutls_x509_crt crt; + gnutls_x509_privkey key; + size_t size; + int result; + const char *uri; - print_certificate_info( crt, stderr, 0); + fprintf(stderr, "Generating a self signed certificate...\n"); - fprintf(stderr, "\n\nSigning certificate...\n"); + crt = generate_certificate(&key, NULL); - result = gnutls_x509_crt_sign( crt, crt, key); + uri = get_crl_dist_point_url(); + if (uri) { + result = gnutls_x509_crt_set_crl_dist_points(crt, GNUTLS_SAN_URI, + uri, + 0 /* all reasons */ ); if (result < 0) { - fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result)); - exit(1); + fprintf(stderr, "crl_dist_points: %s\n", + gnutls_strerror(result)); + exit(1); } + } - size = sizeof(buffer); - result = gnutls_x509_crt_export( crt, out_cert_format, buffer, &size); - if (result < 0) { - fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result)); - exit(1); - } + print_certificate_info(crt, stderr, 0); + + fprintf(stderr, "\n\nSigning certificate...\n"); + + result = gnutls_x509_crt_sign(crt, crt, key); + if (result < 0) { + fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result)); + exit(1); + } - fwrite( buffer, 1, size, outfile); + size = sizeof(buffer); + result = gnutls_x509_crt_export(crt, out_cert_format, buffer, &size); + if (result < 0) { + fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result)); + exit(1); + } - gnutls_x509_crt_deinit(crt); - gnutls_x509_privkey_deinit(key); + fwrite(buffer, 1, size, outfile); + + gnutls_x509_crt_deinit(crt); + gnutls_x509_privkey_deinit(key); } -void generate_signed_certificate( void) +void generate_signed_certificate(void) { - gnutls_x509_crt crt; - gnutls_x509_privkey key; - size_t size; - int result; - gnutls_x509_privkey ca_key; - gnutls_x509_crt ca_crt; + gnutls_x509_crt crt; + gnutls_x509_privkey key; + size_t size; + int result; + gnutls_x509_privkey ca_key; + gnutls_x509_crt ca_crt; - fprintf(stderr, "Generating a signed certificate...\n"); + fprintf(stderr, "Generating a signed certificate...\n"); - ca_key = load_ca_private_key(); - ca_crt = load_ca_cert(); + ca_key = load_ca_private_key(); + ca_crt = load_ca_cert(); - crt = generate_certificate( &key, ca_crt); - - /* Copy the CRL distribution points. - */ - gnutls_x509_crt_cpy_crl_dist_points( crt, ca_crt); - /* it doesn't matter if we couldn't copy the CRL dist points. - */ + crt = generate_certificate(&key, ca_crt); - print_certificate_info( crt, stderr, 0); - - fprintf(stderr, "\n\nSigning certificate...\n"); + /* Copy the CRL distribution points. + */ + gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt); + /* it doesn't matter if we couldn't copy the CRL dist points. + */ - result = gnutls_x509_crt_sign( crt, ca_crt, ca_key); - if (result < 0) { - fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result)); - exit(1); - } + print_certificate_info(crt, stderr, 0); - size = sizeof(buffer); - result = gnutls_x509_crt_export( crt, out_cert_format, buffer, &size); - if (result < 0) { - fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result)); - exit(1); - } + fprintf(stderr, "\n\nSigning certificate...\n"); + + result = gnutls_x509_crt_sign(crt, ca_crt, ca_key); + if (result < 0) { + fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result)); + exit(1); + } - fwrite( buffer, 1, size, outfile); + size = sizeof(buffer); + result = gnutls_x509_crt_export(crt, out_cert_format, buffer, &size); + if (result < 0) { + fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result)); + exit(1); + } - gnutls_x509_crt_deinit(crt); - gnutls_x509_privkey_deinit(key); + fwrite(buffer, 1, size, outfile); + + gnutls_x509_crt_deinit(crt); + gnutls_x509_privkey_deinit(key); } -void generate_signed_crl( void) +void generate_signed_crl(void) { - gnutls_x509_crl crl; - size_t size; - int result; - gnutls_x509_privkey ca_key; - gnutls_x509_crt ca_crt; + gnutls_x509_crl crl; + size_t size; + int result; + gnutls_x509_privkey ca_key; + gnutls_x509_crt ca_crt; - fprintf(stderr, "Generating a signed CRL...\n"); + fprintf(stderr, "Generating a signed CRL...\n"); - ca_key = load_ca_private_key(); - ca_crt = load_ca_cert(); + ca_key = load_ca_private_key(); + ca_crt = load_ca_cert(); - crl = generate_crl(); + crl = generate_crl(); - print_crl_info( crl, stderr, 0); - - fprintf(stderr, "\n\nSigning CRL...\n"); + print_crl_info(crl, stderr, 0); - result = gnutls_x509_crl_sign( crl, ca_crt, ca_key); - if (result < 0) { - fprintf(stderr, "crl_sign: %s\n", gnutls_strerror(result)); - exit(1); - } + fprintf(stderr, "\n\nSigning CRL...\n"); - size = sizeof(buffer); - result = gnutls_x509_crl_export( crl, out_cert_format, buffer, &size); - if (result < 0) { - fprintf(stderr, "crl_export: %s\n", gnutls_strerror(result)); - exit(1); - } + result = gnutls_x509_crl_sign(crl, ca_crt, ca_key); + if (result < 0) { + fprintf(stderr, "crl_sign: %s\n", gnutls_strerror(result)); + exit(1); + } + + size = sizeof(buffer); + result = gnutls_x509_crl_export(crl, out_cert_format, buffer, &size); + if (result < 0) { + fprintf(stderr, "crl_export: %s\n", gnutls_strerror(result)); + exit(1); + } - fwrite( buffer, 1, size, outfile); + fwrite(buffer, 1, size, outfile); - gnutls_x509_crl_deinit(crl); + gnutls_x509_crl_deinit(crl); } -void update_signed_certificate( void) +void update_signed_certificate(void) { - gnutls_x509_crt crt; - size_t size; - int result; - gnutls_x509_privkey ca_key; - gnutls_x509_crt ca_crt; + gnutls_x509_crt crt; + size_t size; + int result; + gnutls_x509_privkey ca_key; + gnutls_x509_crt ca_crt; - fprintf(stderr, "Generating a signed certificate...\n"); + fprintf(stderr, "Generating a signed certificate...\n"); - ca_key = load_ca_private_key(); - ca_crt = load_ca_cert(); + ca_key = load_ca_private_key(); + ca_crt = load_ca_cert(); - crt = update_certificate(); - - fprintf(stderr, "\n\nSigning certificate...\n"); + crt = update_certificate(); - result = gnutls_x509_crt_sign( crt, ca_crt, ca_key); - if (result < 0) { - fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result)); - exit(1); - } + fprintf(stderr, "\n\nSigning certificate...\n"); - size = sizeof(buffer); - result = gnutls_x509_crt_export( crt, out_cert_format, buffer, &size); - if (result < 0) { - fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result)); - exit(1); - } + result = gnutls_x509_crt_sign(crt, ca_crt, ca_key); + if (result < 0) { + fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result)); + exit(1); + } + + size = sizeof(buffer); + result = gnutls_x509_crt_export(crt, out_cert_format, buffer, &size); + if (result < 0) { + fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result)); + exit(1); + } - fwrite( buffer, 1, size, outfile); + fwrite(buffer, 1, size, outfile); - gnutls_x509_crt_deinit(crt); + gnutls_x509_crt_deinit(crt); } void gaa_parser(int argc, char **argv) { -int ret; - - if (gaa(argc, argv, &info) != -1) { - fprintf(stderr, - "Error in the arguments. Use the --help or -h parameters to get more information.\n"); - exit(1); - } - - if (info.outfile) { - outfile = fopen(info.outfile, "wb"); - if (outfile == NULL) { - fprintf(stderr, "error: could not open '%s'.\n", info.outfile); - exit(1); - } - } else outfile = stdout; - - if (info.infile) { - infile = fopen(info.infile, "rb"); - if (infile == NULL) { - fprintf(stderr, "error: could not open '%s'.\n", info.infile); - exit(1); - } - } else infile = stdin; - - if (info.incert_format) in_cert_format = GNUTLS_X509_FMT_DER; - else in_cert_format = GNUTLS_X509_FMT_PEM; - - if (info.outcert_format) out_cert_format = GNUTLS_X509_FMT_DER; - else out_cert_format = GNUTLS_X509_FMT_PEM; - - batch = 0; - if (info.template) { - batch = 1; - template_parse( info.template); - } - - gnutls_global_set_log_function( tls_log_func); - gnutls_global_set_log_level(info.debug); - - if ((ret=gnutls_global_init()) < 0) { - fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret)); - exit(1); - } - - switch( info.action) { - case 0: - generate_self_signed(); - break; - case 1: - generate_private_key(); - break; - case 2: - certificate_info(); - break; - case 3: - generate_request(); - break; - case 4: - generate_signed_certificate(); - break; - case 5: - verify_chain(); - break; - case 6: - privkey_info(); - break; - case 7: - update_signed_certificate(); - break; - case 8: - generate_pkcs12(); - break; - case 9: - pkcs12_info(); - break; - case 10: - generate_prime( info.bits); - break; - case 11: - crl_info(); - break; - case 12: - pkcs7_info(); - break; - case 13: - generate_signed_crl(); - break; - case 14: - verify_crl(); - break; - default: - fprintf(stderr, "GnuTLS' certtool utility.\n"); - fprintf(stderr, "Please use the --help to get help on this program.\n"); - exit(0); - } - fclose(outfile); + int ret; + + if (gaa(argc, argv, &info) != -1) { + fprintf(stderr, + "Error in the arguments. Use the --help or -h parameters to get more information.\n"); + exit(1); + } + + if (info.outfile) { + outfile = fopen(info.outfile, "wb"); + if (outfile == NULL) { + fprintf(stderr, "error: could not open '%s'.\n", info.outfile); + exit(1); + } + } else + outfile = stdout; + + if (info.infile) { + infile = fopen(info.infile, "rb"); + if (infile == NULL) { + fprintf(stderr, "error: could not open '%s'.\n", info.infile); + exit(1); + } + } else + infile = stdin; + + if (info.incert_format) + in_cert_format = GNUTLS_X509_FMT_DER; + else + in_cert_format = GNUTLS_X509_FMT_PEM; + + if (info.outcert_format) + out_cert_format = GNUTLS_X509_FMT_DER; + else + out_cert_format = GNUTLS_X509_FMT_PEM; + + batch = 0; + if (info.template) { + batch = 1; + template_parse(info.template); + } + + gnutls_global_set_log_function(tls_log_func); + gnutls_global_set_log_level(info.debug); + + if ((ret = gnutls_global_init()) < 0) { + fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret)); + exit(1); + } + + switch (info.action) { + case 0: + generate_self_signed(); + break; + case 1: + generate_private_key(); + break; + case 2: + certificate_info(); + break; + case 3: + generate_request(); + break; + case 4: + generate_signed_certificate(); + break; + case 5: + verify_chain(); + break; + case 6: + privkey_info(); + break; + case 7: + update_signed_certificate(); + break; + case 8: + generate_pkcs12(); + break; + case 9: + pkcs12_info(); + break; + case 10: + generate_prime(info.bits); + break; + case 11: + crl_info(); + break; + case 12: + pkcs7_info(); + break; + case 13: + generate_signed_crl(); + break; + case 14: + verify_crl(); + break; + default: + fprintf(stderr, "GnuTLS' certtool utility.\n"); + fprintf(stderr, + "Please use the --help to get help on this program.\n"); + exit(0); + } + fclose(outfile); } /* OIDs that are handled by the gnutls' functions. */ -static inline int known_oid( const char* oid) +static inline int known_oid(const char *oid) { - if (strcmp(oid, "2.5.29.17") == 0 || - strcmp( oid, "2.5.29.19") == 0 || - strcmp( oid, "2.5.29.31") == 0 || - strcmp( oid, "2.5.29.37") == 0 || - strcmp( oid, "2.5.29.14") == 0 || - strcmp( oid, "2.5.29.35") == 0 || - strcmp( oid, "2.5.29.15") == 0) - return 1; - - return 0; + if (strcmp(oid, "2.5.29.17") == 0 || + strcmp(oid, "2.5.29.19") == 0 || + strcmp(oid, "2.5.29.31") == 0 || + strcmp(oid, "2.5.29.37") == 0 || + strcmp(oid, "2.5.29.14") == 0 || + strcmp(oid, "2.5.29.35") == 0 || strcmp(oid, "2.5.29.15") == 0) + return 1; + + return 0; } -void certificate_info( void) +void certificate_info(void) { - gnutls_x509_crt crt; - size_t size; - int ret; - gnutls_datum pem; - - size = fread( buffer, 1, sizeof(buffer)-1, infile); - buffer[size] = 0; - - gnutls_x509_crt_init(&crt); - - pem.data = buffer; - pem.size = size; - - ret = gnutls_x509_crt_import(crt, &pem, in_cert_format); + gnutls_x509_crt crt; + size_t size; + int ret; + gnutls_datum pem; + + size = fread(buffer, 1, sizeof(buffer) - 1, infile); + buffer[size] = 0; + + gnutls_x509_crt_init(&crt); + + pem.data = buffer; + pem.size = size; + + ret = gnutls_x509_crt_import(crt, &pem, in_cert_format); + if (ret < 0) { + fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret)); + exit(1); + } + + print_certificate_info(crt, outfile, 1); + + if (!info.xml) { + size = sizeof(buffer); + ret = + gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buffer, + &size); if (ret < 0) { - fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret)); - exit(1); + fprintf(stderr, "Encoding error: %s\n", gnutls_strerror(ret)); + exit(1); } - - print_certificate_info( crt, outfile, 1); - - if (!info.xml) { - size = sizeof(buffer); - ret = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buffer, &size); - if (ret < 0) { - fprintf(stderr, "Encoding error: %s\n", gnutls_strerror(ret)); - exit(1); - } - fprintf(outfile, "\n%s\n", buffer); - - } else { - gnutls_datum xml; + fprintf(outfile, "\n%s\n", buffer); - ret = gnutls_x509_crt_to_xml( crt, &xml, GNUTLS_XML_SHOW_ALL); - if (ret < 0) { - fprintf(stderr, "XML encoding error: %s\n", gnutls_strerror(ret)); - exit(1); - } + } else { + gnutls_datum xml; - fprintf(outfile, "\n%s\n", xml.data); - gnutls_free( xml.data); + ret = gnutls_x509_crt_to_xml(crt, &xml, GNUTLS_XML_SHOW_ALL); + if (ret < 0) { + fprintf(stderr, "XML encoding error: %s\n", + gnutls_strerror(ret)); + exit(1); } - + + fprintf(outfile, "\n%s\n", xml.data); + gnutls_free(xml.data); + } + } -static void print_certificate_info( gnutls_x509_crt crt, FILE* out, unsigned int all) +static void print_certificate_info(gnutls_x509_crt crt, FILE * out, + unsigned int all) { - int ret; - unsigned int i, indx, j, version; - unsigned int critical, key_usage; - time_t tim; - char serial[40]; - size_t serial_size = sizeof(serial), dn_size, size; - char printable[256]; - char *print; - const char* cprint; - char dn[256]; - char oid[128] = ""; - char old_oid[128] = ""; - - fprintf( out, "\n\nX.509 certificate info:\n\n"); - - version = gnutls_x509_crt_get_version(crt); - fprintf(out, "Version: %d\n", version); - - /* serial number - */ - if (gnutls_x509_crt_get_serial(crt, serial, &serial_size) >= 0) { - print = printable; - for (i = 0; i < serial_size; i++) { - sprintf(print, "%.2x ", - (unsigned char) serial[i]); - print += 3; - } - fprintf(out, "Serial Number (hex): %s\n", printable); - } - - /* Subject - */ + int ret; + unsigned int i, indx, j, version; + unsigned int critical, key_usage; + time_t tim; + char serial[40]; + size_t serial_size = sizeof(serial), dn_size, size; + char printable[256]; + char *print; + const char *cprint; + char dn[256]; + char oid[128] = ""; + char old_oid[128] = ""; + + fprintf(out, "\n\nX.509 certificate info:\n\n"); + + version = gnutls_x509_crt_get_version(crt); + fprintf(out, "Version: %d\n", version); + + /* serial number + */ + if (gnutls_x509_crt_get_serial(crt, serial, &serial_size) >= 0) { + print = printable; + for (i = 0; i < serial_size; i++) { + sprintf(print, "%.2x ", (unsigned char) serial[i]); + print += 3; + } + fprintf(out, "Serial Number (hex): %s\n", printable); + } + + /* Subject + */ + dn_size = sizeof(dn); + ret = gnutls_x509_crt_get_dn(crt, dn, &dn_size); + if (ret >= 0) + fprintf(out, "Subject: %s\n", dn); + else + fprintf(stderr, "get_issuer_dn: %s\n", gnutls_strerror(ret)); + + /* Issuer + */ + if (all) { dn_size = sizeof(dn); - ret = gnutls_x509_crt_get_dn(crt, dn, &dn_size); + ret = gnutls_x509_crt_get_issuer_dn(crt, dn, &dn_size); if (ret >= 0) - fprintf(out, "Subject: %s\n", dn); + fprintf(out, "Issuer: %s\n", dn); else - fprintf(stderr, "get_issuer_dn: %s\n", gnutls_strerror(ret)); + fprintf(stderr, "get_issuer_dn: %s\n", gnutls_strerror(ret)); - /* Issuer + + /* signature algorithm */ - if (all) { - dn_size = sizeof(dn); - ret = gnutls_x509_crt_get_issuer_dn(crt, dn, &dn_size); - if (ret >= 0) - fprintf(out, "Issuer: %s\n", dn); - else - fprintf(stderr, "get_issuer_dn: %s\n", gnutls_strerror(ret)); + fprintf(out, "Signature Algorithm: "); + ret = gnutls_x509_crt_get_signature_algorithm(crt); + cprint = gnutls_sign_algorithm_get_name(ret); + if (cprint == NULL) + cprint = UNKNOWN; + fprintf(out, "%s\n", cprint); + } - /* signature algorithm - */ - fprintf(out, "Signature Algorithm: "); - ret = gnutls_x509_crt_get_signature_algorithm(crt); - - cprint = gnutls_sign_algorithm_get_name( ret); - if (cprint == NULL) cprint = UNKNOWN; - fprintf(out, "%s\n", cprint); - } + /* Validity + */ + fprintf(out, "Validity:\n"); - /* Validity - */ - fprintf(out, "Validity:\n"); + tim = gnutls_x509_crt_get_activation_time(crt); + fprintf(out, "\tNot Before: %s", ctime(&tim)); - tim = gnutls_x509_crt_get_activation_time(crt); - fprintf(out, "\tNot Before: %s", ctime(&tim)); + tim = gnutls_x509_crt_get_expiration_time(crt); + fprintf(out, "\tNot After: %s", ctime(&tim)); - tim = gnutls_x509_crt_get_expiration_time(crt); - fprintf(out, "\tNot After: %s", ctime(&tim)); + /* Public key algorithm + */ + fprintf(out, "Subject Public Key Info:\n"); + ret = gnutls_x509_crt_get_pk_algorithm(crt, NULL); + fprintf(out, "\tPublic Key Algorithm: "); - /* Public key algorithm - */ - fprintf(out, "Subject Public Key Info:\n"); - ret = gnutls_x509_crt_get_pk_algorithm(crt, NULL); - fprintf(out, "\tPublic Key Algorithm: "); + cprint = gnutls_pk_algorithm_get_name(ret); + if (cprint == NULL) + cprint = UNKNOWN; + fprintf(out, "%s\n", cprint); - cprint = gnutls_pk_algorithm_get_name( ret); - if (cprint == NULL) cprint = UNKNOWN; - fprintf(out, "%s\n", cprint); + if (version >= 3) + fprintf(out, "\nX.509 Extensions:\n"); - if (version >= 3) - fprintf(out, "\nX.509 Extensions:\n"); - - /* subject alternative name - */ - for (i = 0; !(ret < 0); i++) { - size = sizeof(buffer); - ret = gnutls_x509_crt_get_subject_alt_name(crt, i, buffer, &size, &critical); - - if (i==0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - fprintf(out, "\tSubject Alternative name:"); - if (critical) fprintf(out, " (critical)"); - fprintf(out, "\n"); - } - - if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - fprintf(out, "\t\tFound unsupported alternative name.\n"); - } else switch (ret) { - case GNUTLS_SAN_DNSNAME: - fprintf(out, "\t\tDNSname: %s\n", buffer); - break; - case GNUTLS_SAN_RFC822NAME: - fprintf(out, "\t\tRFC822name: %s\n", buffer); - break; - case GNUTLS_SAN_URI: - fprintf(out, "\t\tURI: %s\n", buffer); - break; - case GNUTLS_SAN_IPADDRESS: - fprintf(out, "\t\tIPAddress: %s\n", buffer); - break; - } - } - - /* CRL dist points. - */ - ret = 0; - for (i = 0; !(ret < 0); i++) { - size = sizeof(buffer); - ret = gnutls_x509_crt_get_crl_dist_points(crt, i, buffer, &size, NULL, &critical); - - if (i==0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - fprintf(out, "\tCRL Distribution points:"); - if (critical) fprintf(out, " (critical)"); - fprintf(out, "\n"); - } - - if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - fprintf(out, "\t\tError decoding: %s\n", gnutls_strerror(ret)); - } else switch (ret) { - case GNUTLS_SAN_DNSNAME: - fprintf(out, "\t\tDNSname: %s\n", buffer); - break; - case GNUTLS_SAN_RFC822NAME: - fprintf(out, "\t\tRFC822name: %s\n", buffer); - break; - case GNUTLS_SAN_URI: - fprintf(out, "\t\tURI: %s\n", buffer); - break; - case GNUTLS_SAN_IPADDRESS: - fprintf(out, "\t\tIPAddress: %s\n", buffer); - break; - } - } - - /* check for basicConstraints - */ - ret = gnutls_x509_crt_get_ca_status( crt, &critical); - - if (ret >= 0) { - fprintf(out, "\tBasic Constraints:"); - if (critical) fprintf(out, " (critical)"); - fprintf(out, "\n"); + /* subject alternative name + */ + for (i = 0; !(ret < 0); i++) { + size = sizeof(buffer); + ret = + gnutls_x509_crt_get_subject_alt_name(crt, i, buffer, &size, + &critical); + + if (i == 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + fprintf(out, "\tSubject Alternative name:"); + if (critical) + fprintf(out, " (critical)"); + fprintf(out, "\n"); + } + + if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + fprintf(out, "\t\tFound unsupported alternative name.\n"); + } else + switch (ret) { + case GNUTLS_SAN_DNSNAME: + fprintf(out, "\t\tDNSname: %s\n", buffer); + break; + case GNUTLS_SAN_RFC822NAME: + fprintf(out, "\t\tRFC822name: %s\n", buffer); + break; + case GNUTLS_SAN_URI: + fprintf(out, "\t\tURI: %s\n", buffer); + break; + case GNUTLS_SAN_IPADDRESS: + fprintf(out, "\t\tIPAddress: %s\n", buffer); + break; + } + } + + /* CRL dist points. + */ + ret = 0; + for (i = 0; !(ret < 0); i++) { + size = sizeof(buffer); + ret = + gnutls_x509_crt_get_crl_dist_points(crt, i, buffer, &size, + NULL, &critical); + + if (i == 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + fprintf(out, "\tCRL Distribution points:"); + if (critical) + fprintf(out, " (critical)"); + fprintf(out, "\n"); + } + + if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + fprintf(out, "\t\tError decoding: %s\n", gnutls_strerror(ret)); + } else + switch (ret) { + case GNUTLS_SAN_DNSNAME: + fprintf(out, "\t\tDNSname: %s\n", buffer); + break; + case GNUTLS_SAN_RFC822NAME: + fprintf(out, "\t\tRFC822name: %s\n", buffer); + break; + case GNUTLS_SAN_URI: + fprintf(out, "\t\tURI: %s\n", buffer); + break; + case GNUTLS_SAN_IPADDRESS: + fprintf(out, "\t\tIPAddress: %s\n", buffer); + break; + } + } + + /* check for basicConstraints + */ + ret = gnutls_x509_crt_get_ca_status(crt, &critical); + + if (ret >= 0) { + fprintf(out, "\tBasic Constraints:"); + if (critical) + fprintf(out, " (critical)"); + fprintf(out, "\n"); - if (ret==0) fprintf(out, "\t\tCA:FALSE\n"); - else fprintf(out, "\t\tCA:TRUE\n"); - - } + if (ret == 0) + fprintf(out, "\t\tCA:FALSE\n"); + else + fprintf(out, "\t\tCA:TRUE\n"); - /* Key Usage. - */ - ret = gnutls_x509_crt_get_key_usage( crt, &key_usage, &critical); - - if (ret >= 0) { - fprintf(out, "\tKey usage: %s\n", critical?"(critical)":""); - print_key_usage(key_usage, out); - } + } - /* Key Purpose identifiers. - */ - i = 0; - - size = sizeof(buffer); - if ((ret=gnutls_x509_crt_get_key_purpose_oid( crt, 0, buffer, &size, &critical)) >= 0) { - fprintf(out, "\tKey purpose OIDs: %s\n", critical?"(critical)":""); - do { - size = sizeof(buffer); - ret = gnutls_x509_crt_get_key_purpose_oid( crt, i, buffer, &size, &critical); - - if (ret >= 0) { - print_key_purpose(buffer, out); - } - i++; - } while(ret >= 0); - } + /* Key Usage. + */ + ret = gnutls_x509_crt_get_key_usage(crt, &key_usage, &critical); - /* Subject Key ID - */ - size = sizeof(buffer); - ret = gnutls_x509_crt_get_subject_key_id(crt, buffer, &size, &critical); + if (ret >= 0) { + fprintf(out, "\tKey usage: %s\n", critical ? "(critical)" : ""); + print_key_usage(key_usage, out); + } - if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - { - fprintf(out, "Error getting subject key id: %s\n", gnutls_strerror(ret)); - } - - if (ret >= 0) { - print = printable; - for (i = 0; i < size; i++) { - sprintf(print, "%.2x ", (unsigned char) buffer[i]); - print += 3; - } - fprintf(out, "\tSubject Key ID: %s\n\t\t%s\n", critical?"(critical)":"", printable); - } + /* Key Purpose identifiers. + */ + i = 0; - /* Authority Key ID - */ - size = sizeof(buffer); - ret = gnutls_x509_crt_get_authority_key_id(crt, buffer, &size, &critical); + size = sizeof(buffer); + if ((ret = + gnutls_x509_crt_get_key_purpose_oid(crt, 0, buffer, &size, + &critical)) >= 0) { + fprintf(out, "\tKey purpose OIDs: %s\n", + critical ? "(critical)" : ""); + do { + size = sizeof(buffer); + ret = + gnutls_x509_crt_get_key_purpose_oid(crt, i, buffer, &size, + &critical); + + if (ret >= 0) { + print_key_purpose(buffer, out); + } + i++; + } while (ret >= 0); + } + + /* Subject Key ID + */ + size = sizeof(buffer); + ret = + gnutls_x509_crt_get_subject_key_id(crt, buffer, &size, &critical); + + if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + fprintf(out, "Error getting subject key id: %s\n", + gnutls_strerror(ret)); + } + + if (ret >= 0) { + print = printable; + for (i = 0; i < size; i++) { + sprintf(print, "%.2x ", (unsigned char) buffer[i]); + print += 3; + } + fprintf(out, "\tSubject Key ID: %s\n\t\t%s\n", + critical ? "(critical)" : "", printable); + } + + /* Authority Key ID + */ + size = sizeof(buffer); + ret = + gnutls_x509_crt_get_authority_key_id(crt, buffer, &size, + &critical); + + if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + fprintf(out, "Error getting authority key id: %s\n", + gnutls_strerror(ret)); + } + + if (ret >= 0) { + print = printable; + for (i = 0; i < size; i++) { + sprintf(print, "%.2x ", (unsigned char) buffer[i]); + print += 3; + } + fprintf(out, "\tAuthority Key ID: %s\n\t\t%s\n", + critical ? "(critical)" : "", printable); + } + + /* other extensions: + */ + indx = 0; + ret = 0; + for (i = 0; !(ret < 0); i++) { + + size = sizeof(oid); + ret = gnutls_x509_crt_get_extension_oid(crt, i, oid, &size); - if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - { - fprintf(out, "Error getting authority key id: %s\n", gnutls_strerror(ret)); - } - if (ret >= 0) { + if (known_oid(oid)) + continue; + + if (strcmp(oid, old_oid) == 0) { + indx++; + } else { + indx = 0; + } + + fprintf(out, "\t%s: ", oid); + + size = sizeof(buffer); + ret = + gnutls_x509_crt_get_extension_by_oid(crt, oid, indx, + buffer, &size, + &critical); + + if (ret >= 0) { + if (critical) + fprintf(out, "(critical)\n"); + else + fprintf(out, "\n"); + print = printable; - for (i = 0; i < size; i++) { - sprintf(print, "%.2x ", (unsigned char) buffer[i]); - print += 3; + for (j = 0; j < size; j++) { + sprintf(print, "%.2x", (unsigned char) buffer[j]); + print += 2; } - fprintf(out, "\tAuthority Key ID: %s\n\t\t%s\n", critical?"(critical)":"", printable); - } + fprintf(out, "\t\tDER Data: %s\n", printable); - /* other extensions: - */ - indx = 0; - ret = 0; - for (i = 0; !(ret < 0); i++) { - - size = sizeof(oid); - ret = gnutls_x509_crt_get_extension_oid( crt, i, oid, &size); - - if (ret >= 0) { - if (known_oid( oid)) continue; - - if (strcmp( oid, old_oid) == 0) { - indx++; - } else { - indx = 0; - } - - fprintf( out, "\t%s: ", oid); - - size = sizeof(buffer); - ret = gnutls_x509_crt_get_extension_by_oid( crt, oid, indx, buffer, &size, &critical); - - if (ret >= 0) { - if (critical) - fprintf(out, "(critical)\n"); - else - fprintf(out, "\n"); - - print = printable; - for (j = 0; j < size; j++) { - sprintf(print, "%.2x", (unsigned char) buffer[j]); - print += 2; - } - fprintf(out, "\t\tDER Data: %s\n", printable); - - } - - ret = 0; - strcpy( old_oid, oid); - } - } + } + ret = 0; + strcpy(old_oid, oid); + } + } - /* fingerprint - */ - fprintf( out, "\nOther information:\n"); - if (all) { - size = sizeof(buffer); - if ((ret=gnutls_x509_crt_get_fingerprint(crt, GNUTLS_DIG_MD5, buffer, &size)) < 0) - { - fprintf(out, "Error in fingerprint calculation: %s\n", gnutls_strerror(ret)); - } else { - print = printable; - for (i = 0; i < size; i++) { - sprintf(print, "%.2x ", (unsigned char) buffer[i]); - print += 3; - } - fprintf(out, "\tFingerprint: %s\n", printable); - } - } + /* fingerprint + */ + fprintf(out, "\nOther information:\n"); + if (all) { size = sizeof(buffer); - if ((ret=gnutls_x509_crt_get_key_id(crt, 0, buffer, &size)) < 0) - { - fprintf(out, "Error in key id calculation: %s\n", gnutls_strerror(ret)); + if ((ret = + gnutls_x509_crt_get_fingerprint(crt, GNUTLS_DIG_MD5, buffer, + &size)) < 0) { + fprintf(out, "Error in fingerprint calculation: %s\n", + gnutls_strerror(ret)); } else { - print = printable; - for (i = 0; i < size; i++) { - sprintf(print, "%.2x ", (unsigned char) buffer[i]); - print += 3; - } - fprintf(out, "\tPublic Key ID: %s\n", printable); - } - - fprintf(out, "\n"); - - if (out==stderr && batch == 0) /* interactive */ - if (read_yesno( "Is the above information ok? (Y/N): ")==0) { - exit(1); + print = printable; + for (i = 0; i < size; i++) { + sprintf(print, "%.2x ", (unsigned char) buffer[i]); + print += 3; + } + fprintf(out, "\tFingerprint: %s\n", printable); + } + } + + size = sizeof(buffer); + if ((ret = gnutls_x509_crt_get_key_id(crt, 0, buffer, &size)) < 0) { + fprintf(out, "Error in key id calculation: %s\n", + gnutls_strerror(ret)); + } else { + print = printable; + for (i = 0; i < size; i++) { + sprintf(print, "%.2x ", (unsigned char) buffer[i]); + print += 3; + } + fprintf(out, "\tPublic Key ID: %s\n", printable); + } + + fprintf(out, "\n"); + + if (out == stderr && batch == 0) /* interactive */ + if (read_yesno("Is the above information ok? (Y/N): ") == 0) { + exit(1); } } -static void print_crl_info( gnutls_x509_crl crl, FILE* out, int all) +static void print_crl_info(gnutls_x509_crl crl, FILE * out, int all) { - int ret, rc; - time_t tim; - unsigned int i, j; - char serial[128]; - size_t serial_size = sizeof(serial), dn_size; - char printable[256]; - char *print, dn[256]; - const char* cprint; - - fprintf(out, "CRL information:\n"); - fprintf(out, "Version: %d\n", gnutls_x509_crl_get_version(crl)); - - /* Issuer - */ - if (all) { - dn_size = sizeof(dn); + int ret, rc; + time_t tim; + unsigned int i, j; + char serial[128]; + size_t serial_size = sizeof(serial), dn_size; + char printable[256]; + char *print, dn[256]; + const char *cprint; + + fprintf(out, "CRL information:\n"); + fprintf(out, "Version: %d\n", gnutls_x509_crl_get_version(crl)); + + /* Issuer + */ + if (all) { + dn_size = sizeof(dn); - ret = gnutls_x509_crl_get_issuer_dn(crl, dn, &dn_size); - if (ret >= 0) - fprintf(out, "Issuer: %s\n", dn); + ret = gnutls_x509_crl_get_issuer_dn(crl, dn, &dn_size); + if (ret >= 0) + fprintf(out, "Issuer: %s\n", dn); - fprintf(out, "Signature Algorithm: "); - ret = gnutls_x509_crl_get_signature_algorithm(crl); + fprintf(out, "Signature Algorithm: "); + ret = gnutls_x509_crl_get_signature_algorithm(crl); - cprint = gnutls_sign_algorithm_get_name( ret); - if (cprint == NULL) cprint = UNKNOWN; - fprintf(out, "%s\n", cprint); - } + cprint = gnutls_sign_algorithm_get_name(ret); + if (cprint == NULL) + cprint = UNKNOWN; + fprintf(out, "%s\n", cprint); + } - /* Validity - */ - fprintf(out, "Update dates:\n"); + /* Validity + */ + fprintf(out, "Update dates:\n"); - tim = gnutls_x509_crl_get_this_update(crl); - fprintf(out, "\tIssued at: %s", ctime(&tim)); + tim = gnutls_x509_crl_get_this_update(crl); + fprintf(out, "\tIssued at: %s", ctime(&tim)); - tim = gnutls_x509_crl_get_next_update(crl); - fprintf(out, "\tNext at: %s", ctime(&tim)); + tim = gnutls_x509_crl_get_next_update(crl); + fprintf(out, "\tNext at: %s", ctime(&tim)); - fprintf(out, "\n"); - - /* Count the certificates. + fprintf(out, "\n"); + + /* Count the certificates. + */ + + rc = gnutls_x509_crl_get_crt_count(crl); + fprintf(out, "Revoked certificates: %d\n", rc); + + for (j = 0; j < (unsigned int) rc; j++) { + /* serial number */ - - rc = gnutls_x509_crl_get_crt_count( crl); - fprintf(out, "Revoked certificates: %d\n", rc); - - for (j=0;j<(unsigned int)rc;j++) { - /* serial number - */ - serial_size = sizeof(serial); - ret = gnutls_x509_crl_get_crt_serial(crl, j, serial, &serial_size, &tim); - - if (ret < 0) { - fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); - } else { - print = printable; - for (i = 0; i < serial_size; i++) { - sprintf(print, "%.2x ", - (unsigned char) serial[i]); - print += 3; - } - fprintf(out, "\tCertificate SN: %s\n", printable); - fprintf(out, "\tRevoked at: %s\n", ctime( &tim)); - } + serial_size = sizeof(serial); + ret = + gnutls_x509_crl_get_crt_serial(crl, j, serial, &serial_size, + &tim); + + if (ret < 0) { + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); + } else { + print = printable; + for (i = 0; i < serial_size; i++) { + sprintf(print, "%.2x ", (unsigned char) serial[i]); + print += 3; + } + fprintf(out, "\tCertificate SN: %s\n", printable); + fprintf(out, "\tRevoked at: %s\n", ctime(&tim)); } + } } void crl_info() { - gnutls_x509_crl crl; - int ret; - size_t size; - gnutls_datum pem; - - size = fread( buffer, 1, sizeof(buffer)-1, infile); - buffer[size] = 0; - - gnutls_x509_crl_init(&crl); - - pem.data = buffer; - pem.size = size; - - ret = gnutls_x509_crl_import(crl, &pem, in_cert_format); - if (ret < 0) { - fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret)); - exit(1); - } - - print_crl_info( crl, outfile, 1); + gnutls_x509_crl crl; + int ret; + size_t size; + gnutls_datum pem; - size = sizeof(buffer); - ret = gnutls_x509_crl_export(crl, GNUTLS_X509_FMT_PEM, buffer, &size); - if (ret < 0) { - fprintf(stderr, "Encoding error: %s\n", gnutls_strerror(ret)); - exit(1); - } - - fprintf(outfile, "\n%s\n", buffer); - -} + size = fread(buffer, 1, sizeof(buffer) - 1, infile); + buffer[size] = 0; -void privkey_info( void) -{ - gnutls_x509_privkey key; - size_t size; - int ret; - unsigned int i; - gnutls_datum pem; - char printable[256]; - char *print; - const char* cprint; - const char* pass; - - size = fread( buffer, 1, sizeof(buffer)-1, infile); - buffer[size] = 0; - - gnutls_x509_privkey_init(&key); - - pem.data = buffer; - pem.size = size; - - - if (!info.pkcs8) { - ret = gnutls_x509_privkey_import(key, &pem, in_cert_format); - } else { - pass = get_pass(); - ret = gnutls_x509_privkey_import_pkcs8(key, &pem, in_cert_format, pass, 0); - } + gnutls_x509_crl_init(&crl); - if (ret < 0) { - fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret)); - exit(1); - } - - /* Public key algorithm - */ - fprintf(outfile, "Public Key Info:\n"); - ret = gnutls_x509_privkey_get_pk_algorithm(key); - fprintf(outfile, "\tPublic Key Algorithm: "); + pem.data = buffer; + pem.size = size; - cprint = gnutls_pk_algorithm_get_name( ret); - if (cprint == NULL) cprint = UNKNOWN; - fprintf(outfile, "%s\n", cprint); + ret = gnutls_x509_crl_import(crl, &pem, in_cert_format); + if (ret < 0) { + fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret)); + exit(1); + } + print_crl_info(crl, outfile, 1); - size = sizeof(buffer); - if ((ret=gnutls_x509_privkey_get_key_id(key, 0, buffer, &size)) < 0) - { - fprintf(stderr, "Error in key id calculation: %s\n", gnutls_strerror(ret)); - } else { - print = printable; - for (i = 0; i < size; i++) { - sprintf(print, "%.2x ", (unsigned char) buffer[i]); - print += 3; - } - fprintf(outfile, "Public Key ID: %s\n", printable); - } + size = sizeof(buffer); + ret = gnutls_x509_crl_export(crl, GNUTLS_X509_FMT_PEM, buffer, &size); + if (ret < 0) { + fprintf(stderr, "Encoding error: %s\n", gnutls_strerror(ret)); + exit(1); + } + + fprintf(outfile, "\n%s\n", buffer); - size = sizeof(buffer); - ret = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buffer, &size); - if (ret < 0) { - fprintf(stderr, "Encoding error: %s\n", gnutls_strerror(ret)); - exit(1); - } - fprintf(outfile, "\n%s\n", buffer); +} + +void privkey_info(void) +{ + gnutls_x509_privkey key; + size_t size; + int ret; + unsigned int i; + gnutls_datum pem; + char printable[256]; + char *print; + const char *cprint; + const char *pass; + + size = fread(buffer, 1, sizeof(buffer) - 1, infile); + buffer[size] = 0; + + gnutls_x509_privkey_init(&key); + + pem.data = buffer; + pem.size = size; + + + if (!info.pkcs8) { + ret = gnutls_x509_privkey_import(key, &pem, in_cert_format); + } else { + pass = get_pass(); + ret = + gnutls_x509_privkey_import_pkcs8(key, &pem, in_cert_format, + pass, 0); + } + + if (ret < 0) { + fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret)); + exit(1); + } + + /* Public key algorithm + */ + fprintf(outfile, "Public Key Info:\n"); + ret = gnutls_x509_privkey_get_pk_algorithm(key); + fprintf(outfile, "\tPublic Key Algorithm: "); + + cprint = gnutls_pk_algorithm_get_name(ret); + if (cprint == NULL) + cprint = UNKNOWN; + fprintf(outfile, "%s\n", cprint); + + + size = sizeof(buffer); + if ((ret = gnutls_x509_privkey_get_key_id(key, 0, buffer, &size)) < 0) { + fprintf(stderr, "Error in key id calculation: %s\n", + gnutls_strerror(ret)); + } else { + print = printable; + for (i = 0; i < size; i++) { + sprintf(print, "%.2x ", (unsigned char) buffer[i]); + print += 3; + } + fprintf(outfile, "Public Key ID: %s\n", printable); + } + + size = sizeof(buffer); + ret = + gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buffer, + &size); + if (ret < 0) { + fprintf(stderr, "Encoding error: %s\n", gnutls_strerror(ret)); + exit(1); + } + fprintf(outfile, "\n%s\n", buffer); } /* mand should be non zero if it is required to read a private key. */ gnutls_x509_privkey load_private_key(int mand) { -FILE* fd; -gnutls_x509_privkey key; -int ret; -gnutls_datum dat; -size_t size; -const char* pass; - - if (!info.privkey && !mand) return NULL; - - if (!info.privkey) { - fprintf(stderr, "error: a private key was not specified\n"); - exit(1); - } - - fd = fopen(info.privkey, "r"); - if (fd == NULL) { - fprintf(stderr, "error: could not load key file '%s'.\n", info.privkey); - exit(1); - } - - size = fread(buffer, 1, sizeof(buffer)-1, fd); - buffer[size] = 0; - - fclose(fd); - - ret = gnutls_x509_privkey_init(&key); - if (ret < 0) { - fprintf(stderr, "privkey_init: %s\n", gnutls_strerror(ret)); - exit(1); - } - - dat.data = buffer; - dat.size = size; - - if (!info.pkcs8) - ret = gnutls_x509_privkey_import( key, &dat, in_cert_format); - else { - pass = get_pass(); - ret = gnutls_x509_privkey_import_pkcs8( key, &dat, in_cert_format, - pass, 0); - } - - if (ret < 0) { - fprintf(stderr, "privkey_import: %s\n", gnutls_strerror(ret)); - exit(1); - } - - return key; + FILE *fd; + gnutls_x509_privkey key; + int ret; + gnutls_datum dat; + size_t size; + const char *pass; + + if (!info.privkey && !mand) + return NULL; + + if (!info.privkey) { + fprintf(stderr, "error: a private key was not specified\n"); + exit(1); + } + + fd = fopen(info.privkey, "r"); + if (fd == NULL) { + fprintf(stderr, "error: could not load key file '%s'.\n", + info.privkey); + exit(1); + } + + size = fread(buffer, 1, sizeof(buffer) - 1, fd); + buffer[size] = 0; + + fclose(fd); + + ret = gnutls_x509_privkey_init(&key); + if (ret < 0) { + fprintf(stderr, "privkey_init: %s\n", gnutls_strerror(ret)); + exit(1); + } + + dat.data = buffer; + dat.size = size; + + if (!info.pkcs8) + ret = gnutls_x509_privkey_import(key, &dat, in_cert_format); + else { + pass = get_pass(); + ret = gnutls_x509_privkey_import_pkcs8(key, &dat, in_cert_format, + pass, 0); + } + + if (ret < 0) { + fprintf(stderr, "privkey_import: %s\n", gnutls_strerror(ret)); + exit(1); + } + + return key; } gnutls_x509_crq load_request() { -FILE* fd; -gnutls_x509_crq crq; -int ret; -gnutls_datum dat; -size_t size; - - if (!info.request) return NULL; + FILE *fd; + gnutls_x509_crq crq; + int ret; + gnutls_datum dat; + size_t size; - fd = fopen(info.request, "r"); - if (fd == NULL) { - fprintf(stderr, "File %s does not exist.\n", info.request); - exit(1); - } - - size = fread(buffer, 1, sizeof(buffer)-1, fd); - buffer[size] = 0; - - fclose(fd); - - ret = gnutls_x509_crq_init(&crq); - if (ret < 0) { - fprintf(stderr, "crq_init: %s\n", gnutls_strerror(ret)); - exit(1); - } - - dat.data = buffer; - dat.size = size; - - ret = gnutls_x509_crq_import( crq, &dat, in_cert_format); - - if (ret < 0) { - fprintf(stderr, "crq_import: %s\n", gnutls_strerror(ret)); - exit(1); - } + if (!info.request) + return NULL; - return crq; -} + fd = fopen(info.request, "r"); + if (fd == NULL) { + fprintf(stderr, "File %s does not exist.\n", info.request); + exit(1); + } -gnutls_x509_privkey load_ca_private_key() -{ -FILE* fd; -gnutls_x509_privkey key; -int ret; -const char* pass; -gnutls_datum dat; -size_t size; + size = fread(buffer, 1, sizeof(buffer) - 1, fd); + buffer[size] = 0; - fprintf(stderr, "Loading CA's private key...\n"); + fclose(fd); - if (info.ca_privkey==NULL) { - fprintf(stderr, "You must specify a private key of the CA.\n"); - exit(1); - } + ret = gnutls_x509_crq_init(&crq); + if (ret < 0) { + fprintf(stderr, "crq_init: %s\n", gnutls_strerror(ret)); + exit(1); + } - fd = fopen(info.ca_privkey, "r"); - if (fd == NULL) { - fprintf(stderr, "File %s does not exist.\n", info.ca_privkey); - exit(1); - } + dat.data = buffer; + dat.size = size; - size = fread(buffer, 1, sizeof(buffer)-1, fd); - buffer[size] = 0; + ret = gnutls_x509_crq_import(crq, &dat, in_cert_format); - fclose(fd); + if (ret < 0) { + fprintf(stderr, "crq_import: %s\n", gnutls_strerror(ret)); + exit(1); + } - ret = gnutls_x509_privkey_init(&key); - if (ret < 0) { - fprintf(stderr, "privkey_init: %s\n", gnutls_strerror(ret)); - exit(1); - } - - dat.data = buffer; - dat.size = size; - - if (!info.pkcs8) - ret = gnutls_x509_privkey_import( key, &dat, in_cert_format); - else { - pass = get_pass(); - ret = gnutls_x509_privkey_import_pkcs8( key, &dat, in_cert_format, - pass, 0); - } - - if (ret < 0) { - fprintf(stderr, "privkey_import: %s\n", gnutls_strerror(ret)); - exit(1); - } + return crq; +} - return key; +gnutls_x509_privkey load_ca_private_key() +{ + FILE *fd; + gnutls_x509_privkey key; + int ret; + const char *pass; + gnutls_datum dat; + size_t size; + + fprintf(stderr, "Loading CA's private key...\n"); + + if (info.ca_privkey == NULL) { + fprintf(stderr, "You must specify a private key of the CA.\n"); + exit(1); + } + + fd = fopen(info.ca_privkey, "r"); + if (fd == NULL) { + fprintf(stderr, "File %s does not exist.\n", info.ca_privkey); + exit(1); + } + + size = fread(buffer, 1, sizeof(buffer) - 1, fd); + buffer[size] = 0; + + fclose(fd); + + ret = gnutls_x509_privkey_init(&key); + if (ret < 0) { + fprintf(stderr, "privkey_init: %s\n", gnutls_strerror(ret)); + exit(1); + } + + dat.data = buffer; + dat.size = size; + + if (!info.pkcs8) + ret = gnutls_x509_privkey_import(key, &dat, in_cert_format); + else { + pass = get_pass(); + ret = gnutls_x509_privkey_import_pkcs8(key, &dat, in_cert_format, + pass, 0); + } + + if (ret < 0) { + fprintf(stderr, "privkey_import: %s\n", gnutls_strerror(ret)); + exit(1); + } + + return key; } /* Loads the CA's certificate */ gnutls_x509_crt load_ca_cert() { -FILE* fd; -gnutls_x509_crt crt; -int ret; -gnutls_datum dat; -size_t size; - - fprintf(stderr, "Loading CA's certificate...\n"); - - if (info.ca==NULL) { - fprintf(stderr, "You must specify a certificate of the CA.\n"); - exit(1); - } - - fd = fopen(info.ca, "r"); - if (fd == NULL) { - fprintf(stderr, "File %s does not exist.\n", info.ca); - exit(1); - } - - size = fread(buffer, 1, sizeof(buffer)-1, fd); - buffer[size] = 0; - - fclose(fd); - - ret = gnutls_x509_crt_init(&crt); - if (ret < 0) { - fprintf(stderr, "crt_init: %s\n", gnutls_strerror(ret)); - exit(1); - } - - dat.data = buffer; - dat.size = size; - - ret = gnutls_x509_crt_import( crt, &dat, in_cert_format); - if (ret < 0) { - fprintf(stderr, "crt_import: %s\n", gnutls_strerror(ret)); - exit(1); - } - - return crt; + FILE *fd; + gnutls_x509_crt crt; + int ret; + gnutls_datum dat; + size_t size; + + fprintf(stderr, "Loading CA's certificate...\n"); + + if (info.ca == NULL) { + fprintf(stderr, "You must specify a certificate of the CA.\n"); + exit(1); + } + + fd = fopen(info.ca, "r"); + if (fd == NULL) { + fprintf(stderr, "File %s does not exist.\n", info.ca); + exit(1); + } + + size = fread(buffer, 1, sizeof(buffer) - 1, fd); + buffer[size] = 0; + + fclose(fd); + + ret = gnutls_x509_crt_init(&crt); + if (ret < 0) { + fprintf(stderr, "crt_init: %s\n", gnutls_strerror(ret)); + exit(1); + } + + dat.data = buffer; + dat.size = size; + + ret = gnutls_x509_crt_import(crt, &dat, in_cert_format); + if (ret < 0) { + fprintf(stderr, "crt_import: %s\n", gnutls_strerror(ret)); + exit(1); + } + + return crt; } /* Loads the certificate @@ -1542,82 +1652,89 @@ size_t size; */ gnutls_x509_crt load_cert(int mand) { -gnutls_x509_crt *crt; -int size; + gnutls_x509_crt *crt; + int size; - crt = load_cert_list( mand, &size); + crt = load_cert_list(mand, &size); - return crt[0]; + return crt[0]; } #define MAX_CERTS 256 /* Loads a certificate list */ -gnutls_x509_crt* load_cert_list(int mand, int *crt_size) +gnutls_x509_crt *load_cert_list(int mand, int *crt_size) { -FILE* fd; -static gnutls_x509_crt crt[MAX_CERTS]; -char* ptr; -int ret, i; -gnutls_datum dat; -size_t size; -int ptr_size; - - *crt_size = 0; - fprintf(stderr, "Loading certificate list...\n"); - - if (info.cert==NULL) { - fprintf(stderr, "You must specify a certificate.\n"); - if (mand) exit(1); - else return NULL; - } + FILE *fd; + static gnutls_x509_crt crt[MAX_CERTS]; + char *ptr; + int ret, i; + gnutls_datum dat; + size_t size; + int ptr_size; + + *crt_size = 0; + fprintf(stderr, "Loading certificate list...\n"); + + if (info.cert == NULL) { + fprintf(stderr, "You must specify a certificate.\n"); + if (mand) + exit(1); + else + return NULL; + } - fd = fopen(info.cert, "r"); - if (fd == NULL) { - fprintf(stderr, "File %s does not exist.\n", info.cert); - exit(1); - } + fd = fopen(info.cert, "r"); + if (fd == NULL) { + fprintf(stderr, "File %s does not exist.\n", info.cert); + exit(1); + } - size = fread(buffer, 1, sizeof(buffer)-1, fd); - buffer[size] = 0; + size = fread(buffer, 1, sizeof(buffer) - 1, fd); + buffer[size] = 0; - fclose(fd); + fclose(fd); - ptr = buffer; - ptr_size = size; + ptr = buffer; + ptr_size = size; - for (i=0;i<MAX_CERTS;i++) { - ret = gnutls_x509_crt_init(&crt[i]); - if (ret < 0) { - fprintf(stderr, "crt_init: %s\n", gnutls_strerror(ret)); - exit(1); - } - - dat.data = ptr; - dat.size = ptr_size; - - ret = gnutls_x509_crt_import( crt[i], &dat, in_cert_format); - if (ret < 0 && *crt_size > 0) break; - if (ret < 0) { - fprintf(stderr, "crt_import: %s\n", gnutls_strerror(ret)); - exit(1); - } - - ptr = strstr( ptr, "---END"); - if (ptr==NULL) break; - ptr++; + for (i = 0; i < MAX_CERTS; i++) { + ret = gnutls_x509_crt_init(&crt[i]); + if (ret < 0) { + fprintf(stderr, "crt_init: %s\n", gnutls_strerror(ret)); + exit(1); + } - ptr_size = size; - ptr_size -= (unsigned int)((unsigned char*)ptr - (unsigned char*)buffer); - - if (ptr_size < 0) break; + dat.data = ptr; + dat.size = ptr_size; - (*crt_size)++; + ret = gnutls_x509_crt_import(crt[i], &dat, in_cert_format); + if (ret < 0 && *crt_size > 0) + break; + if (ret < 0) { + fprintf(stderr, "crt_import: %s\n", gnutls_strerror(ret)); + exit(1); } - fprintf(stderr, "Loaded %d certificates.\n", *crt_size); - return crt; + ptr = strstr(ptr, "---END"); + if (ptr == NULL) + break; + ptr++; + + ptr_size = size; + ptr_size -= + (unsigned int) ((unsigned char *) ptr - + (unsigned char *) buffer); + + if (ptr_size < 0) + break; + + (*crt_size)++; + } + fprintf(stderr, "Loaded %d certificates.\n", *crt_size); + + return crt; } @@ -1625,873 +1742,927 @@ int ptr_size; */ void generate_request(void) { - gnutls_x509_crq crq; - gnutls_x509_privkey key; - int ret; - const char* pass; - size_t size; - - fprintf(stderr, "Generating a PKCS #10 certificate request...\n"); - - ret = gnutls_x509_crq_init(&crq); + gnutls_x509_crq crq; + gnutls_x509_privkey key; + int ret; + const char *pass; + size_t size; + + fprintf(stderr, "Generating a PKCS #10 certificate request...\n"); + + ret = gnutls_x509_crq_init(&crq); + if (ret < 0) { + fprintf(stderr, "crq_init: %s\n", gnutls_strerror(ret)); + exit(1); + } + + /* Load the private key. + */ + key = generate_private_key_int(); + + /* Set the DN. + */ + get_country_crq_set(crq); + get_organization_crq_set(crq); + get_unit_crq_set(crq); + get_locality_crq_set(crq); + get_state_crq_set(crq); + get_cn_crq_set(crq); + get_uid_crq_set(crq); + get_oid_crq_set(crq); + + ret = gnutls_x509_crq_set_version(crq, 1); + if (ret < 0) { + fprintf(stderr, "set_version: %s\n", gnutls_strerror(ret)); + exit(1); + } + + pass = get_challenge_pass(); + + if (pass != NULL) { + ret = gnutls_x509_crq_set_challenge_password(crq, pass); if (ret < 0) { - fprintf(stderr, "crq_init: %s\n", gnutls_strerror(ret)); - exit(1); + fprintf(stderr, "set_pass: %s\n", gnutls_strerror(ret)); + exit(1); } - - /* Load the private key. - */ - key = generate_private_key_int(); + } - /* Set the DN. - */ - get_country_crq_set( crq); - get_organization_crq_set(crq); - get_unit_crq_set( crq); - get_locality_crq_set( crq); - get_state_crq_set( crq); - get_cn_crq_set( crq); - get_uid_crq_set( crq); - get_oid_crq_set( crq); - - ret = gnutls_x509_crq_set_version( crq, 1); - if (ret < 0) { - fprintf(stderr, "set_version: %s\n", gnutls_strerror(ret)); - exit(1); - } + ret = gnutls_x509_crq_set_key(crq, key); + if (ret < 0) { + fprintf(stderr, "set_key: %s\n", gnutls_strerror(ret)); + exit(1); + } - pass = get_challenge_pass(); - - if (pass != NULL) { - ret = gnutls_x509_crq_set_challenge_password( crq, pass); - if (ret < 0) { - fprintf(stderr, "set_pass: %s\n", gnutls_strerror(ret)); - exit(1); - } - } + ret = gnutls_x509_crq_sign(crq, key); + if (ret < 0) { + fprintf(stderr, "sign: %s\n", gnutls_strerror(ret)); + exit(1); + } - ret = gnutls_x509_crq_set_key( crq, key); - if (ret < 0) { - fprintf(stderr, "set_key: %s\n", gnutls_strerror(ret)); - exit(1); - } + size = sizeof(buffer); + ret = gnutls_x509_crq_export(crq, out_cert_format, buffer, &size); + if (ret < 0) { + fprintf(stderr, "export: %s\n", gnutls_strerror(ret)); + exit(1); + } - ret = gnutls_x509_crq_sign( crq, key); - if (ret < 0) { - fprintf(stderr, "sign: %s\n", gnutls_strerror(ret)); - exit(1); - } + fwrite(buffer, 1, size, outfile); - size = sizeof(buffer); - ret = gnutls_x509_crq_export( crq, out_cert_format, buffer, &size); - if (ret < 0) { - fprintf(stderr, "export: %s\n", gnutls_strerror(ret)); - exit(1); - } - - fwrite( buffer, 1, size, outfile); - - gnutls_x509_crq_deinit(crq); - gnutls_x509_privkey_deinit(key); + gnutls_x509_crq_deinit(crq); + gnutls_x509_privkey_deinit(key); } -static void print_verification_res( gnutls_x509_crt crt, gnutls_x509_crt issuer, - gnutls_x509_crl *crl_list, int crl_list_size); +static void print_verification_res(gnutls_x509_crt crt, + gnutls_x509_crt issuer, + gnutls_x509_crl * crl_list, + int crl_list_size); #define CERT_SEP "-----BEGIN CERT" #define CRL_SEP "-----BEGIN X509 CRL" -int _verify_x509_mem( const void* cert, int cert_size) +int _verify_x509_mem(const void *cert, int cert_size) { - int siz, i; - const char *ptr; - int ret; - unsigned int output; - char name[256]; - char issuer_name[256]; - size_t name_size; - size_t issuer_name_size; - gnutls_datum tmp; - gnutls_x509_crt *x509_cert_list = NULL; - gnutls_x509_crl *x509_crl_list = NULL; - int x509_ncerts, x509_ncrls; - - - /* Decode the CA certificate - */ - - /* Decode the CRL list - */ - siz = cert_size; - ptr = cert; - - i = 1; - - if (strstr(ptr, CRL_SEP)!=NULL) /* if CRLs exist */ + int siz, i; + const char *ptr; + int ret; + unsigned int output; + char name[256]; + char issuer_name[256]; + size_t name_size; + size_t issuer_name_size; + gnutls_datum tmp; + gnutls_x509_crt *x509_cert_list = NULL; + gnutls_x509_crl *x509_crl_list = NULL; + int x509_ncerts, x509_ncrls; + + + /* Decode the CA certificate + */ + + /* Decode the CRL list + */ + siz = cert_size; + ptr = cert; + + i = 1; + + if (strstr(ptr, CRL_SEP) != NULL) /* if CRLs exist */ do { - x509_crl_list = - (gnutls_x509_crl *) realloc( x509_crl_list, - i * - sizeof(gnutls_x509_crl)); - if (x509_crl_list == NULL) { - fprintf(stderr, "memory error\n"); - exit(1); - } - - tmp.data = (char*)ptr; - tmp.size = siz; - - ret = gnutls_x509_crl_init( &x509_crl_list[i-1]); - if (ret < 0) { - fprintf(stderr, "Error parsing the CRL[%d]: %s\n", i, gnutls_strerror(ret)); - exit(1); - } - - ret = gnutls_x509_crl_import( x509_crl_list[i-1], &tmp, GNUTLS_X509_FMT_PEM); - if (ret < 0) { - fprintf(stderr, "Error parsing the CRL[%d]: %s\n", i, gnutls_strerror(ret)); - exit(1); - } - - /* now we move ptr after the pem header */ - ptr = strstr(ptr, CRL_SEP); - if (ptr!=NULL) - ptr++; - - i++; - } while ((ptr = strstr(ptr, CRL_SEP)) != NULL); - - x509_ncrls = i - 1; + x509_crl_list = + (gnutls_x509_crl *) realloc(x509_crl_list, + i * sizeof(gnutls_x509_crl)); + if (x509_crl_list == NULL) { + fprintf(stderr, "memory error\n"); + exit(1); + } + tmp.data = (char *) ptr; + tmp.size = siz; - /* Decode the certificate chain. - */ - siz = cert_size; - ptr = cert; + ret = gnutls_x509_crl_init(&x509_crl_list[i - 1]); + if (ret < 0) { + fprintf(stderr, "Error parsing the CRL[%d]: %s\n", i, + gnutls_strerror(ret)); + exit(1); + } - i = 1; + ret = + gnutls_x509_crl_import(x509_crl_list[i - 1], &tmp, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fprintf(stderr, "Error parsing the CRL[%d]: %s\n", i, + gnutls_strerror(ret)); + exit(1); + } - do { - x509_cert_list = - (gnutls_x509_crt *) realloc( x509_cert_list, - i * - sizeof(gnutls_x509_crt)); - if (x509_cert_list == NULL) { - fprintf(stderr, "memory error\n"); - exit(1); - } + /* now we move ptr after the pem header */ + ptr = strstr(ptr, CRL_SEP); + if (ptr != NULL) + ptr++; - tmp.data = (char*)ptr; - tmp.size = siz; + i++; + } while ((ptr = strstr(ptr, CRL_SEP)) != NULL); - ret = gnutls_x509_crt_init( &x509_cert_list[i-1]); - if (ret < 0) { - fprintf(stderr, "Error parsing the certificate[%d]: %s\n", i, gnutls_strerror(ret)); - exit(1); - } - - ret = gnutls_x509_crt_import( x509_cert_list[i-1], &tmp, GNUTLS_X509_FMT_PEM); - if (ret < 0) { - fprintf(stderr, "Error parsing the certificate[%d]: %s\n", i, gnutls_strerror(ret)); - exit(1); - } - - - if (i-1 != 0) { - /* verify the previous certificate using this one - * as CA. - */ - - name_size = sizeof(name); - ret = gnutls_x509_crt_get_dn( x509_cert_list[i-2], name, &name_size); - if (ret < 0) { - fprintf(stderr, "Error in get_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - - fprintf( outfile, "Certificate[%d]: %s\n", i-2, name); - - /* print issuer - */ - issuer_name_size = sizeof(issuer_name); - ret = gnutls_x509_crt_get_issuer_dn( x509_cert_list[i-2], issuer_name, &issuer_name_size); - if (ret < 0) { - fprintf(stderr, "Error in get_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - - fprintf( outfile, "\tIssued by: %s\n", name); - - /* Get the Issuer's name - */ - name_size = sizeof(name); - ret = gnutls_x509_crt_get_dn( x509_cert_list[i-1], name, &name_size); - if (ret < 0) { - fprintf(stderr, "Error in get_dn: %s\n", gnutls_strerror(ret)); - exit(1); - } - - fprintf( outfile, "\tVerifying against certificate[%d].\n", i-1); - - if (strcmp( issuer_name, name) != 0) { - fprintf(stderr, "Error: Issuer's name: %s\n", name); - fprintf(stderr, "Error: Issuer's name does not match the next certificate.\n"); - exit(1); - } - - fprintf( outfile, "\tVerification output: "); - print_verification_res( x509_cert_list[i-2], x509_cert_list[i-1], - x509_crl_list, x509_ncrls); - fprintf( outfile, ".\n\n"); + x509_ncrls = i - 1; - } + /* Decode the certificate chain. + */ + siz = cert_size; + ptr = cert; - /* now we move ptr after the pem header - */ - ptr = strstr(ptr, CERT_SEP); - if (ptr!=NULL) - ptr++; + i = 1; - i++; - } while ((ptr = strstr(ptr, CERT_SEP)) != NULL); + do { + x509_cert_list = + (gnutls_x509_crt *) realloc(x509_cert_list, + i * sizeof(gnutls_x509_crt)); + if (x509_cert_list == NULL) { + fprintf(stderr, "memory error\n"); + exit(1); + } - x509_ncerts = i - 1; + tmp.data = (char *) ptr; + tmp.size = siz; - /* The last certificate in the list will be used as - * a CA (should be self signed). - */ - name_size = sizeof(name); - ret = gnutls_x509_crt_get_dn( x509_cert_list[x509_ncerts-1], name, &name_size); + ret = gnutls_x509_crt_init(&x509_cert_list[i - 1]); if (ret < 0) { - fprintf(stderr, "Error in get_dn: %s\n", gnutls_strerror(ret)); - exit(1); + fprintf(stderr, "Error parsing the certificate[%d]: %s\n", i, + gnutls_strerror(ret)); + exit(1); } - fprintf( outfile, "Certificate[%d]: %s\n", x509_ncerts-1, name); - - /* print issuer - */ - issuer_name_size = sizeof(issuer_name); - ret = gnutls_x509_crt_get_issuer_dn( x509_cert_list[x509_ncerts-1], issuer_name, &issuer_name_size); + ret = + gnutls_x509_crt_import(x509_cert_list[i - 1], &tmp, + GNUTLS_X509_FMT_PEM); if (ret < 0) { - fprintf(stderr, "Error in get_dn: %s\n", gnutls_strerror(ret)); - exit(1); + fprintf(stderr, "Error parsing the certificate[%d]: %s\n", i, + gnutls_strerror(ret)); + exit(1); } - fprintf( outfile, "\tIssued by: %s\n", name); - - if (strcmp( issuer_name, name) != 0) { - fprintf(stderr, "Error: The last certificate is not self signed.\n"); - exit(1); - } - fprintf( outfile, "\tVerification output: "); - print_verification_res( x509_cert_list[x509_ncerts-1], x509_cert_list[x509_ncerts-1], - x509_crl_list, x509_ncrls); + if (i - 1 != 0) { + /* verify the previous certificate using this one + * as CA. + */ - fprintf( outfile, ".\n\n"); + name_size = sizeof(name); + ret = + gnutls_x509_crt_get_dn(x509_cert_list[i - 2], name, + &name_size); + if (ret < 0) { + fprintf(stderr, "Error in get_dn: %s\n", + gnutls_strerror(ret)); + exit(1); + } - for (i=0;i<x509_ncerts;i++) { - gnutls_x509_crt_deinit( x509_cert_list[i]); - } + fprintf(outfile, "Certificate[%d]: %s\n", i - 2, name); - for (i=0;i<x509_ncrls;i++) { - gnutls_x509_crl_deinit( x509_crl_list[i]); - } + /* print issuer + */ + issuer_name_size = sizeof(issuer_name); + ret = + gnutls_x509_crt_get_issuer_dn(x509_cert_list[i - 2], + issuer_name, + &issuer_name_size); + if (ret < 0) { + fprintf(stderr, "Error in get_dn: %s\n", + gnutls_strerror(ret)); + exit(1); + } - free( x509_cert_list); - free( x509_crl_list); + fprintf(outfile, "\tIssued by: %s\n", name); - if ( ret < 0) { - fprintf(stderr, "Error in verification: %s\n", gnutls_strerror(ret)); + /* Get the Issuer's name + */ + name_size = sizeof(name); + ret = + gnutls_x509_crt_get_dn(x509_cert_list[i - 1], name, + &name_size); + if (ret < 0) { + fprintf(stderr, "Error in get_dn: %s\n", + gnutls_strerror(ret)); exit(1); - } + } - return output; -} - -static void print_verification_res( gnutls_x509_crt crt, gnutls_x509_crt issuer, - gnutls_x509_crl *crl_list, int crl_list_size) -{ -unsigned int output; -int comma=0; -int ret; -time_t now = time(0); + fprintf(outfile, "\tVerifying against certificate[%d].\n", + i - 1); - ret = gnutls_x509_crt_verify( crt, &issuer, 1, 0, &output); - if (ret < 0) { - fprintf(stderr, "Error in verification: %s\n", gnutls_strerror(ret)); + if (strcmp(issuer_name, name) != 0) { + fprintf(stderr, "Error: Issuer's name: %s\n", name); + fprintf(stderr, + "Error: Issuer's name does not match the next certificate.\n"); exit(1); - } + } - if (output&GNUTLS_CERT_INVALID) { - fprintf(outfile, "Not verified"); - comma = 1; - } else { - fprintf(outfile, "Verified"); - comma = 1; - } + fprintf(outfile, "\tVerification output: "); + print_verification_res(x509_cert_list[i - 2], + x509_cert_list[i - 1], x509_crl_list, + x509_ncrls); + fprintf(outfile, ".\n\n"); - if (output&GNUTLS_CERT_SIGNER_NOT_CA) { - if (comma) fprintf(outfile, ", "); - fprintf(outfile, "Issuer is not a CA"); - comma = 1; } - /* Check expiration dates. + + /* now we move ptr after the pem header */ - - if (gnutls_x509_crt_get_activation_time(crt) > now) { - if (comma) fprintf(outfile, ", "); - comma = 1; - fprintf(outfile, "Not activated"); - } - - if (gnutls_x509_crt_get_expiration_time(crt) < now) { - if (comma) fprintf(outfile, ", "); - comma = 1; - fprintf(outfile, "Expired"); - } - - ret = gnutls_x509_crt_check_revocation( crt, crl_list, crl_list_size); - if (ret < 0) { - fprintf(stderr, "Error in verification: %s\n", gnutls_strerror(ret)); - exit(1); - } - - if (ret == 1) { /* revoked */ - if (comma) fprintf(outfile, ", "); - comma = 1; - fprintf(outfile, "Revoked"); - } + ptr = strstr(ptr, CERT_SEP); + if (ptr != NULL) + ptr++; + + i++; + } while ((ptr = strstr(ptr, CERT_SEP)) != NULL); + + x509_ncerts = i - 1; + + /* The last certificate in the list will be used as + * a CA (should be self signed). + */ + name_size = sizeof(name); + ret = + gnutls_x509_crt_get_dn(x509_cert_list[x509_ncerts - 1], name, + &name_size); + if (ret < 0) { + fprintf(stderr, "Error in get_dn: %s\n", gnutls_strerror(ret)); + exit(1); + } + + fprintf(outfile, "Certificate[%d]: %s\n", x509_ncerts - 1, name); + + /* print issuer + */ + issuer_name_size = sizeof(issuer_name); + ret = + gnutls_x509_crt_get_issuer_dn(x509_cert_list[x509_ncerts - 1], + issuer_name, &issuer_name_size); + if (ret < 0) { + fprintf(stderr, "Error in get_dn: %s\n", gnutls_strerror(ret)); + exit(1); + } + + fprintf(outfile, "\tIssued by: %s\n", name); + + if (strcmp(issuer_name, name) != 0) { + fprintf(stderr, + "Error: The last certificate is not self signed.\n"); + exit(1); + } + + fprintf(outfile, "\tVerification output: "); + print_verification_res(x509_cert_list[x509_ncerts - 1], + x509_cert_list[x509_ncerts - 1], x509_crl_list, + x509_ncrls); + + fprintf(outfile, ".\n\n"); + + for (i = 0; i < x509_ncerts; i++) { + gnutls_x509_crt_deinit(x509_cert_list[i]); + } + + for (i = 0; i < x509_ncrls; i++) { + gnutls_x509_crl_deinit(x509_crl_list[i]); + } + + free(x509_cert_list); + free(x509_crl_list); + + if (ret < 0) { + fprintf(stderr, "Error in verification: %s\n", + gnutls_strerror(ret)); + exit(1); + } + + return output; } -void verify_chain( void) +static void print_verification_res(gnutls_x509_crt crt, + gnutls_x509_crt issuer, + gnutls_x509_crl * crl_list, + int crl_list_size) { -size_t size; - - size = fread( buffer, 1, sizeof(buffer)-1, infile); - buffer[size] = 0; - - _verify_x509_mem( buffer, size); - + unsigned int output; + int comma = 0; + int ret; + time_t now = time(0); + + ret = gnutls_x509_crt_verify(crt, &issuer, 1, 0, &output); + if (ret < 0) { + fprintf(stderr, "Error in verification: %s\n", + gnutls_strerror(ret)); + exit(1); + } + + if (output & GNUTLS_CERT_INVALID) { + fprintf(outfile, "Not verified"); + comma = 1; + } else { + fprintf(outfile, "Verified"); + comma = 1; + } + + if (output & GNUTLS_CERT_SIGNER_NOT_CA) { + if (comma) + fprintf(outfile, ", "); + fprintf(outfile, "Issuer is not a CA"); + comma = 1; + } + + /* Check expiration dates. + */ + + if (gnutls_x509_crt_get_activation_time(crt) > now) { + if (comma) + fprintf(outfile, ", "); + comma = 1; + fprintf(outfile, "Not activated"); + } + + if (gnutls_x509_crt_get_expiration_time(crt) < now) { + if (comma) + fprintf(outfile, ", "); + comma = 1; + fprintf(outfile, "Expired"); + } + + ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); + if (ret < 0) { + fprintf(stderr, "Error in verification: %s\n", + gnutls_strerror(ret)); + exit(1); + } + + if (ret == 1) { /* revoked */ + if (comma) + fprintf(outfile, ", "); + comma = 1; + fprintf(outfile, "Revoked"); + } } -void verify_crl( void) +void verify_chain(void) { -size_t size, dn_size; -char dn[128]; -unsigned int output; -int comma=0; -int ret; -gnutls_datum pem; -gnutls_x509_crl crl; -time_t now = time(0); -gnutls_x509_crt issuer; - - issuer = load_ca_cert(); - - fprintf(outfile, "\nCA certificate:\n"); - dn_size = sizeof(dn); - ret = gnutls_x509_crt_get_dn(issuer, dn, &dn_size); - if (ret >= 0) - fprintf(outfile, "\tSubject: %s\n\n", dn); - - size = fread( buffer, 1, sizeof(buffer)-1, infile); - buffer[size] = 0; - - pem.data = buffer; - pem.size = size; + size_t size; - gnutls_x509_crl_init( &crl); + size = fread(buffer, 1, sizeof(buffer) - 1, infile); + buffer[size] = 0; - ret = gnutls_x509_crl_import(crl, &pem, in_cert_format); - if (ret < 0) { - fprintf(stderr, "CRL decoding error: %s\n", gnutls_strerror(ret)); - exit(1); - } - - print_crl_info( crl, outfile, 1); - - - fprintf(outfile, "Verification output: "); - ret = gnutls_x509_crl_verify( crl, &issuer, 1, 0, &output); - if (ret < 0) { - fprintf(stderr, "Error in verification: %s\n", gnutls_strerror(ret)); - exit(1); - } + _verify_x509_mem(buffer, size); - if (output&GNUTLS_CERT_INVALID) { - fprintf(outfile, "Not verified"); - comma = 1; - } else { - fprintf(outfile, "Verified"); - comma = 1; - } +} - if (output&GNUTLS_CERT_SIGNER_NOT_CA) { - if (comma) fprintf(outfile, ", "); - fprintf(outfile, "Issuer is not a CA"); - comma = 1; - } +void verify_crl(void) +{ + size_t size, dn_size; + char dn[128]; + unsigned int output; + int comma = 0; + int ret; + gnutls_datum pem; + gnutls_x509_crl crl; + time_t now = time(0); + gnutls_x509_crt issuer; + + issuer = load_ca_cert(); + + fprintf(outfile, "\nCA certificate:\n"); + dn_size = sizeof(dn); + ret = gnutls_x509_crt_get_dn(issuer, dn, &dn_size); + if (ret >= 0) + fprintf(outfile, "\tSubject: %s\n\n", dn); + + size = fread(buffer, 1, sizeof(buffer) - 1, infile); + buffer[size] = 0; + + pem.data = buffer; + pem.size = size; + + gnutls_x509_crl_init(&crl); + + ret = gnutls_x509_crl_import(crl, &pem, in_cert_format); + if (ret < 0) { + fprintf(stderr, "CRL decoding error: %s\n", gnutls_strerror(ret)); + exit(1); + } + + print_crl_info(crl, outfile, 1); + + + fprintf(outfile, "Verification output: "); + ret = gnutls_x509_crl_verify(crl, &issuer, 1, 0, &output); + if (ret < 0) { + fprintf(stderr, "Error in verification: %s\n", + gnutls_strerror(ret)); + exit(1); + } + + if (output & GNUTLS_CERT_INVALID) { + fprintf(outfile, "Not verified"); + comma = 1; + } else { + fprintf(outfile, "Verified"); + comma = 1; + } + + if (output & GNUTLS_CERT_SIGNER_NOT_CA) { + if (comma) + fprintf(outfile, ", "); + fprintf(outfile, "Issuer is not a CA"); + comma = 1; + } + + /* Check expiration dates. + */ + + if (gnutls_x509_crl_get_this_update(crl) > now) { + if (comma) + fprintf(outfile, ", "); + comma = 1; + fprintf(outfile, "Issued in the future!"); + } + + if (gnutls_x509_crl_get_next_update(crl) < now) { + if (comma) + fprintf(outfile, ", "); + comma = 1; + fprintf(outfile, "CRL is not up to date"); + } + + fprintf(outfile, "\n"); - /* Check expiration dates. - */ - - if (gnutls_x509_crl_get_this_update(crl) > now) { - if (comma) fprintf(outfile, ", "); - comma = 1; - fprintf(outfile, "Issued in the future!"); - } - - if (gnutls_x509_crl_get_next_update(crl) < now) { - if (comma) fprintf(outfile, ", "); - comma = 1; - fprintf(outfile, "CRL is not up to date"); - } - - fprintf(outfile, "\n"); - } #include <gnutls/pkcs12.h> #include <unistd.h> -void generate_pkcs12( void) +void generate_pkcs12(void) { - gnutls_pkcs12 pkcs12; - gnutls_pkcs12_bag bag, kbag; - gnutls_x509_crt crt; - gnutls_x509_privkey key; - int result; - size_t size; - gnutls_datum data; - const char* password; - const char* name; - unsigned int flags; - gnutls_datum key_id; - unsigned char _key_id[20]; - int index; - - fprintf(stderr, "Generating a PKCS #12 structure...\n"); - - key = load_private_key(1); - crt = load_cert(0); - - name = get_pkcs12_key_name(); + gnutls_pkcs12 pkcs12; + gnutls_pkcs12_bag bag, kbag; + gnutls_x509_crt crt; + gnutls_x509_privkey key; + int result; + size_t size; + gnutls_datum data; + const char *password; + const char *name; + unsigned int flags; + gnutls_datum key_id; + unsigned char _key_id[20]; + int index; + + fprintf(stderr, "Generating a PKCS #12 structure...\n"); + + key = load_private_key(1); + crt = load_cert(0); + + name = get_pkcs12_key_name(); + + password = get_pass(); + + result = gnutls_pkcs12_bag_init(&bag); + if (result < 0) { + fprintf(stderr, "bag_init: %s\n", gnutls_strerror(result)); + exit(1); + } + + size = sizeof(_key_id); + result = gnutls_x509_privkey_get_key_id(key, 0, _key_id, &size); + if (result < 0) { + fprintf(stderr, "key_id: %s\n", gnutls_strerror(result)); + exit(1); + } + + key_id.data = _key_id; + key_id.size = size; + + if (crt) { /* add the certificate only if it was specified. + */ + result = gnutls_pkcs12_bag_set_crt(bag, crt); + if (result < 0) { + fprintf(stderr, "set_crt: %s\n", gnutls_strerror(result)); + exit(1); + } - password = get_pass(); + index = result; - result = gnutls_pkcs12_bag_init( &bag); + result = gnutls_pkcs12_bag_set_friendly_name(bag, index, name); if (result < 0) { - fprintf(stderr, "bag_init: %s\n", gnutls_strerror(result)); - exit(1); + fprintf(stderr, "bag_set_key_id: %s\n", + gnutls_strerror(result)); + exit(1); } - size = sizeof(_key_id); - result = gnutls_x509_privkey_get_key_id( key, 0, _key_id, &size); + + result = gnutls_pkcs12_bag_set_key_id(bag, index, &key_id); if (result < 0) { - fprintf(stderr, "key_id: %s\n", gnutls_strerror(result)); - exit(1); + fprintf(stderr, "bag_set_key_id: %s\n", + gnutls_strerror(result)); + exit(1); } - - key_id.data = _key_id; - key_id.size = size; - - if (crt) { /* add the certificate only if it was specified. - */ - result = gnutls_pkcs12_bag_set_crt( bag, crt); - if (result < 0) { - fprintf(stderr, "set_crt: %s\n", gnutls_strerror(result)); - exit(1); - } - index = result; + if (info.export) + flags = GNUTLS_PKCS_USE_PKCS12_RC2_40; + else + flags = GNUTLS_PKCS8_USE_PKCS12_3DES; - result = gnutls_pkcs12_bag_set_friendly_name( bag, index, name); - if (result < 0) { - fprintf(stderr, "bag_set_key_id: %s\n", gnutls_strerror(result)); - exit(1); - } - + result = gnutls_pkcs12_bag_encrypt(bag, password, flags); + if (result < 0) { + fprintf(stderr, "bag_encrypt: %s\n", gnutls_strerror(result)); + exit(1); + } + } + + /* Key BAG */ + + result = gnutls_pkcs12_bag_init(&kbag); + if (result < 0) { + fprintf(stderr, "bag_init: %s\n", gnutls_strerror(result)); + exit(1); + } + + if (info.export) + flags = GNUTLS_PKCS_USE_PKCS12_RC2_40; + else + flags = GNUTLS_PKCS_USE_PKCS12_3DES; + + size = sizeof(buffer); + result = + gnutls_x509_privkey_export_pkcs8(key, GNUTLS_X509_FMT_DER, + password, flags, buffer, &size); + if (result < 0) { + fprintf(stderr, "key_export: %s\n", gnutls_strerror(result)); + exit(1); + } + + data.data = buffer; + data.size = size; + result = + gnutls_pkcs12_bag_set_data(kbag, GNUTLS_BAG_PKCS8_ENCRYPTED_KEY, + &data); + if (result < 0) { + fprintf(stderr, "bag_set_data: %s\n", gnutls_strerror(result)); + exit(1); + } + + index = result; + + result = gnutls_pkcs12_bag_set_friendly_name(kbag, index, name); + if (result < 0) { + fprintf(stderr, "bag_set_key_id: %s\n", gnutls_strerror(result)); + exit(1); + } + + result = gnutls_pkcs12_bag_set_key_id(kbag, result, &key_id); + if (result < 0) { + fprintf(stderr, "bag_set_key_id: %s\n", gnutls_strerror(result)); + exit(1); + } + + /* write the PKCS #12 structure. + */ + result = gnutls_pkcs12_init(&pkcs12); + if (result < 0) { + fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result)); + exit(1); + } + + if (crt) { + result = gnutls_pkcs12_set_bag(pkcs12, bag); + if (result < 0) { + fprintf(stderr, "set_bag: %s\n", gnutls_strerror(result)); + exit(1); + } + } - result = gnutls_pkcs12_bag_set_key_id( bag, index, &key_id); - if (result < 0) { - fprintf(stderr, "bag_set_key_id: %s\n", gnutls_strerror(result)); - exit(1); - } + result = gnutls_pkcs12_set_bag(pkcs12, kbag); + if (result < 0) { + fprintf(stderr, "set_bag: %s\n", gnutls_strerror(result)); + exit(1); + } - if (info.export) flags = GNUTLS_PKCS_USE_PKCS12_RC2_40; - else flags = GNUTLS_PKCS8_USE_PKCS12_3DES; + result = gnutls_pkcs12_generate_mac(pkcs12, password); + if (result < 0) { + fprintf(stderr, "generate_mac: %s\n", gnutls_strerror(result)); + exit(1); + } - result = gnutls_pkcs12_bag_encrypt( bag, password, flags); - if (result < 0) { - fprintf(stderr, "bag_encrypt: %s\n", gnutls_strerror(result)); - exit(1); - } - } - - /* Key BAG */ + size = sizeof(buffer); + result = gnutls_pkcs12_export(pkcs12, out_cert_format, buffer, &size); + if (result < 0) { + fprintf(stderr, "pkcs12_export: %s\n", gnutls_strerror(result)); + exit(1); + } - result = gnutls_pkcs12_bag_init( &kbag); - if (result < 0) { - fprintf(stderr, "bag_init: %s\n", gnutls_strerror(result)); - exit(1); - } + fwrite(buffer, 1, size, outfile); - if (info.export) flags = GNUTLS_PKCS_USE_PKCS12_RC2_40; - else flags = GNUTLS_PKCS_USE_PKCS12_3DES; +} - size = sizeof(buffer); - result = gnutls_x509_privkey_export_pkcs8( key, GNUTLS_X509_FMT_DER, password, - flags, buffer, &size); - if (result < 0) { - fprintf(stderr, "key_export: %s\n", gnutls_strerror(result)); - exit(1); - } +const char *BAGTYPE(gnutls_pkcs12_bag_type x) +{ + switch (x) { + case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: + return "PKCS #8 Encrypted key"; + case GNUTLS_BAG_EMPTY: + return "Empty"; + case GNUTLS_BAG_PKCS8_KEY: + return "PKCS #8 Key"; + case GNUTLS_BAG_CERTIFICATE: + return "Certificate"; + case GNUTLS_BAG_ENCRYPTED: + return "Encrypted"; + case GNUTLS_BAG_CRL: + return "CRL"; + default: + return "Unknown"; + } +} - data.data = buffer; - data.size = size; - result = gnutls_pkcs12_bag_set_data( kbag, GNUTLS_BAG_PKCS8_ENCRYPTED_KEY, &data); - if (result < 0) { - fprintf(stderr, "bag_set_data: %s\n", gnutls_strerror(result)); - exit(1); - } +void print_bag_data(gnutls_pkcs12_bag bag) +{ + int result; + int count, i, type; + gnutls_datum cdata; + const char *str; + gnutls_datum out; - index = result; + count = gnutls_pkcs12_bag_get_count(bag); + if (count < 0) { + fprintf(stderr, "get_count: %s\n", gnutls_strerror(count)); + exit(1); + } - result = gnutls_pkcs12_bag_set_friendly_name( kbag, index, name); - if (result < 0) { - fprintf(stderr, "bag_set_key_id: %s\n", gnutls_strerror(result)); - exit(1); - } + fprintf(outfile, "\tElements: %d\n", count); - result = gnutls_pkcs12_bag_set_key_id( kbag, result, &key_id); - if (result < 0) { - fprintf(stderr, "bag_set_key_id: %s\n", gnutls_strerror(result)); - exit(1); + for (i = 0; i < count; i++) { + type = gnutls_pkcs12_bag_get_type(bag, i); + if (type < 0) { + fprintf(stderr, "get_type: %s\n", gnutls_strerror(type)); + exit(1); } - /* write the PKCS #12 structure. - */ - result = gnutls_pkcs12_init(&pkcs12); + fprintf(outfile, "\tType: %s\n", BAGTYPE(type)); + + result = gnutls_pkcs12_bag_get_data(bag, i, &cdata); if (result < 0) { - fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result)); - exit(1); + fprintf(stderr, "get_data: %s\n", gnutls_strerror(result)); + exit(1); } - if (crt) { - result = gnutls_pkcs12_set_bag( pkcs12, bag); - if (result < 0) { - fprintf(stderr, "set_bag: %s\n", gnutls_strerror(result)); - exit(1); - } + switch (type) { + case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: + str = "ENCRYPTED PRIVATE KEY"; + break; + case GNUTLS_BAG_PKCS8_KEY: + str = "PRIVATE KEY"; + break; + case GNUTLS_BAG_CERTIFICATE: + str = "CERTIFICATE"; + break; + case GNUTLS_BAG_CRL: + str = "CRL"; + break; + case GNUTLS_BAG_ENCRYPTED: + case GNUTLS_BAG_EMPTY: + default: + str = NULL; } - result = gnutls_pkcs12_set_bag( pkcs12, kbag); - if (result < 0) { - fprintf(stderr, "set_bag: %s\n", gnutls_strerror(result)); - exit(1); - } + if (str != NULL) { + gnutls_pem_base64_encode_alloc(str, &cdata, &out); + fprintf(outfile, "%s\n", out.data); - result = gnutls_pkcs12_generate_mac( pkcs12, password); - if (result < 0) { - fprintf(stderr, "generate_mac: %s\n", gnutls_strerror(result)); - exit(1); + gnutls_free(out.data); } - size = sizeof(buffer); - result = gnutls_pkcs12_export( pkcs12, out_cert_format, buffer, &size); - if (result < 0) { - fprintf(stderr, "pkcs12_export: %s\n", gnutls_strerror(result)); - exit(1); - } - - fwrite( buffer, 1, size, outfile); - + } } -const char* BAGTYPE( gnutls_pkcs12_bag_type x) +void pkcs12_info(void) { - switch (x) { - case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: - return "PKCS #8 Encrypted key"; - case GNUTLS_BAG_EMPTY: - return "Empty"; - case GNUTLS_BAG_PKCS8_KEY: - return "PKCS #8 Key"; - case GNUTLS_BAG_CERTIFICATE: - return "Certificate"; - case GNUTLS_BAG_ENCRYPTED: - return "Encrypted"; - case GNUTLS_BAG_CRL: - return "CRL"; - default: - return "Unknown"; - } -} + gnutls_pkcs12 pkcs12; + gnutls_pkcs12_bag bag; + int result, ret; + size_t size; + gnutls_datum data; + const char *password; + int index; -void print_bag_data(gnutls_pkcs12_bag bag) -{ -int result; -int count, i, type; -gnutls_datum cdata; -const char* str; -gnutls_datum out; - - count = gnutls_pkcs12_bag_get_count( bag); - if (count < 0) { - fprintf(stderr, "get_count: %s\n", gnutls_strerror(count)); - exit(1); - } + size = fread(buffer, 1, sizeof(buffer) - 1, infile); + buffer[size] = 0; - fprintf( outfile, "\tElements: %d\n", count); - - for (i=0;i<count;i++) { - type = gnutls_pkcs12_bag_get_type( bag, i); - if (type < 0) { - fprintf(stderr, "get_type: %s\n", gnutls_strerror(type)); - exit(1); - } + data.data = buffer; + data.size = size; - fprintf( outfile, "\tType: %s\n", BAGTYPE( type)); - - result = gnutls_pkcs12_bag_get_data( bag, i, &cdata); - if (result < 0) { - fprintf(stderr, "get_data: %s\n", gnutls_strerror(result)); - exit(1); - } - - switch (type) { - case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: - str = "ENCRYPTED PRIVATE KEY"; - break; - case GNUTLS_BAG_PKCS8_KEY: - str = "PRIVATE KEY"; - break; - case GNUTLS_BAG_CERTIFICATE: - str = "CERTIFICATE"; - break; - case GNUTLS_BAG_CRL: - str = "CRL"; - break; - case GNUTLS_BAG_ENCRYPTED: - case GNUTLS_BAG_EMPTY: - default: - str = NULL; - } - - if (str != NULL) { - gnutls_pem_base64_encode_alloc( str, &cdata, &out); - fprintf( outfile, "%s\n", out.data); - - gnutls_free(out.data); - } - - } -} + password = get_pass(); + + result = gnutls_pkcs12_init(&pkcs12); + if (result < 0) { + fprintf(stderr, "p12_init: %s\n", gnutls_strerror(result)); + exit(1); + } + + result = gnutls_pkcs12_import(pkcs12, &data, in_cert_format, 0); + if (result < 0) { + fprintf(stderr, "p12_import: %s\n", gnutls_strerror(result)); + exit(1); + } + + result = gnutls_pkcs12_verify_mac(pkcs12, password); + if (result < 0) { + fprintf(stderr, "verify_mac: %s\n", gnutls_strerror(result)); + exit(1); + } -void pkcs12_info( void) -{ - gnutls_pkcs12 pkcs12; - gnutls_pkcs12_bag bag; - int result, ret; - size_t size; - gnutls_datum data; - const char* password; - int index; - - size = fread( buffer, 1, sizeof(buffer)-1, infile); - buffer[size] = 0; - - data.data = buffer; - data.size = size; - password = get_pass(); - - result = gnutls_pkcs12_init(&pkcs12); + + index = 0; + + do { + result = gnutls_pkcs12_bag_init(&bag); if (result < 0) { - fprintf(stderr, "p12_init: %s\n", gnutls_strerror(result)); - exit(1); + fprintf(stderr, "bag_init: %s\n", gnutls_strerror(result)); + exit(1); + } + + ret = gnutls_pkcs12_get_bag(pkcs12, index, bag); + if (ret < 0) { + break; } - result = gnutls_pkcs12_import( pkcs12, &data, in_cert_format, 0); + result = gnutls_pkcs12_bag_get_count(bag); if (result < 0) { - fprintf(stderr, "p12_import: %s\n", gnutls_strerror(result)); - exit(1); + fprintf(stderr, "bag_init: %s\n", gnutls_strerror(result)); + exit(1); } - result = gnutls_pkcs12_verify_mac( pkcs12, password); + fprintf(outfile, "BAG #%d\n", index); + + result = gnutls_pkcs12_bag_get_type(bag, 0); if (result < 0) { - fprintf(stderr, "verify_mac: %s\n", gnutls_strerror(result)); - exit(1); + fprintf(stderr, "bag_init: %s\n", gnutls_strerror(result)); + exit(1); } + if (result == GNUTLS_BAG_ENCRYPTED) { + fprintf(stderr, "\tType: %s\n", BAGTYPE(result)); + fprintf(stderr, "\n\tDecrypting...\n"); - index = 0; + result = gnutls_pkcs12_bag_decrypt(bag, password); - do { - result = gnutls_pkcs12_bag_init( &bag); - if (result < 0) { - fprintf(stderr, "bag_init: %s\n", gnutls_strerror(result)); - exit(1); - } + if (result < 0) { + fprintf(stderr, "bag_decrypt: %s\n", + gnutls_strerror(result)); + exit(1); + } - ret = gnutls_pkcs12_get_bag( pkcs12, index, bag); - if (ret < 0) { - break; - } - - result = gnutls_pkcs12_bag_get_count( bag); - if (result < 0) { - fprintf(stderr, "bag_init: %s\n", gnutls_strerror(result)); - exit(1); - } - - fprintf( outfile, "BAG #%d\n", index); - - result = gnutls_pkcs12_bag_get_type( bag, 0); - if (result < 0) { - fprintf(stderr, "bag_init: %s\n", gnutls_strerror(result)); - exit(1); - } + result = gnutls_pkcs12_bag_get_count(bag); + if (result < 0) { + fprintf(stderr, "get_count: %s\n", + gnutls_strerror(result)); + exit(1); + } - - if (result == GNUTLS_BAG_ENCRYPTED) { - fprintf( stderr, "\tType: %s\n", BAGTYPE( result)); - fprintf( stderr, "\n\tDecrypting...\n"); + } - result = gnutls_pkcs12_bag_decrypt( bag, password); + print_bag_data(bag); - if (result < 0) { - fprintf(stderr, "bag_decrypt: %s\n", gnutls_strerror(result)); - exit(1); - } + gnutls_pkcs12_bag_deinit(bag); - result = gnutls_pkcs12_bag_get_count( bag); - if (result < 0) { - fprintf(stderr, "get_count: %s\n", gnutls_strerror(result)); - exit(1); - } - - } + index++; + } while (ret == 0); - print_bag_data( bag); - - gnutls_pkcs12_bag_deinit(bag); - - index++; - } while( ret == 0); - } -void pkcs7_info( void) +void pkcs7_info(void) { - gnutls_pkcs7 pkcs7; - int result; - size_t size; - gnutls_datum data, b64; - int index, count; - - size = fread( buffer, 1, sizeof(buffer)-1, infile); - buffer[size] = 0; - + gnutls_pkcs7 pkcs7; + int result; + size_t size; + gnutls_datum data, b64; + int index, count; + + size = fread(buffer, 1, sizeof(buffer) - 1, infile); + buffer[size] = 0; + + data.data = buffer; + data.size = size; + + result = gnutls_pkcs7_init(&pkcs7); + if (result < 0) { + fprintf(stderr, "p7_init: %s\n", gnutls_strerror(result)); + exit(1); + } + + result = gnutls_pkcs7_import(pkcs7, &data, in_cert_format); + if (result < 0) { + fprintf(stderr, "p7_import: %s\n", gnutls_strerror(result)); + exit(1); + } + + /* Read and print the certificates. + */ + result = gnutls_pkcs7_get_crt_count(pkcs7); + if (result < 0) { + fprintf(stderr, "p7_count: %s\n", gnutls_strerror(result)); + exit(1); + } + + count = result; + + if (count > 0) + fprintf(outfile, "Certificates: %u\n", count); + + for (index = 0; index < count; index++) { + size = sizeof(buffer); + result = gnutls_pkcs7_get_crt_raw(pkcs7, index, buffer, &size); + if (result < 0) { + break; + } + data.data = buffer; data.size = size; - result = gnutls_pkcs7_init(&pkcs7); + result = + gnutls_pem_base64_encode_alloc("CERTIFICATE", &data, &b64); if (result < 0) { - fprintf(stderr, "p7_init: %s\n", gnutls_strerror(result)); - exit(1); + fprintf(stderr, "error encoding: %s\n", + gnutls_strerror(result)); + exit(1); } - result = gnutls_pkcs7_import( pkcs7, &data, in_cert_format); - if (result < 0) { - fprintf(stderr, "p7_import: %s\n", gnutls_strerror(result)); - exit(1); - } + fputs(b64.data, outfile); + fputs("\n", outfile); + gnutls_free(b64.data); + } - /* Read and print the certificates. - */ - result = gnutls_pkcs7_get_crt_count( pkcs7); - if (result < 0) { - fprintf(stderr, "p7_count: %s\n", gnutls_strerror(result)); - exit(1); - } - - count = result; - - if (count > 0) - fprintf(outfile, "Certificates: %u\n", count); - - for (index = 0;index < count;index++) { - size = sizeof(buffer); - result = gnutls_pkcs7_get_crt_raw( pkcs7, index, buffer, &size); - if (result < 0) { - break; - } + /* Read the CRLs now. + */ + result = gnutls_pkcs7_get_crl_count(pkcs7); + if (result < 0) { + fprintf(stderr, "p7_count: %s\n", gnutls_strerror(result)); + exit(1); + } - data.data = buffer; - data.size = size; + count = result; - result = gnutls_pem_base64_encode_alloc( "CERTIFICATE", &data, &b64); - if (result < 0) { - fprintf(stderr, "error encoding: %s\n", gnutls_strerror(result)); - exit(1); - } - - fputs( b64.data, outfile); - fputs( "\n", outfile); - gnutls_free( b64.data); - } + if (count > 0) + fprintf(outfile, "\nCRLs: %u\n", count); - /* Read the CRLs now. - */ - result = gnutls_pkcs7_get_crl_count( pkcs7); + for (index = 0; index < count; index++) { + size = sizeof(buffer); + result = gnutls_pkcs7_get_crl_raw(pkcs7, index, buffer, &size); if (result < 0) { - fprintf(stderr, "p7_count: %s\n", gnutls_strerror(result)); - exit(1); + break; } - - count = result; - - if (count > 0) - fprintf(outfile, "\nCRLs: %u\n", count); - - for (index = 0;index < count;index++) { - size = sizeof(buffer); - result = gnutls_pkcs7_get_crl_raw( pkcs7, index, buffer, &size); - if (result < 0) { - break; - } - data.data = buffer; - data.size = size; + data.data = buffer; + data.size = size; - result = gnutls_pem_base64_encode_alloc( "X509 CRL", &data, &b64); - if (result < 0) { - fprintf(stderr, "error encoding: %s\n", gnutls_strerror(result)); - exit(1); - } - - fputs( b64.data, outfile); - fputs( "\n", outfile); - gnutls_free( b64.data); + result = gnutls_pem_base64_encode_alloc("X509 CRL", &data, &b64); + if (result < 0) { + fprintf(stderr, "error encoding: %s\n", + gnutls_strerror(result)); + exit(1); } - + fputs(b64.data, outfile); + fputs("\n", outfile); + gnutls_free(b64.data); + } + + } -#else /* ENABLE_PKI */ +#else /* ENABLE_PKI */ #include <stdio.h> -int main (int argc, char **argv) +int main(int argc, char **argv) { - printf ("\nX.509 PKI not supported. This program is a dummy.\n\n"); + printf("\nX.509 PKI not supported. This program is a dummy.\n\n"); return 1; }; @@ -2499,23 +2670,24 @@ int main (int argc, char **argv) void certtool_version(void) { - fprintf(stderr, "certtool, "); - fprintf(stderr, "version %s. Libgnutls %s.\n", LIBGNUTLS_VERSION, - gnutls_check_version(NULL)); + fprintf(stderr, "certtool, "); + fprintf(stderr, "version %s. Libgnutls %s.\n", LIBGNUTLS_VERSION, + gnutls_check_version(NULL)); } void print_license(void) { - fputs( "\nCopyright (C) 2004 Free Software Foundation\n" - "This program is free software; you can redistribute it and/or modify \n" - "it under the terms of the GNU General Public License as published by \n" - "the Free Software Foundation; either version 2 of the License, or \n" - "(at your option) any later version. \n" "\n" - "This program is distributed in the hope that it will be useful, \n" - "but WITHOUT ANY WARRANTY; without even the implied warranty of \n" - "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \n" - "GNU General Public License for more details. \n" "\n" - "You should have received a copy of the GNU General Public License \n" - "along with this program; if not, write to the Free Software \n" - "Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.\n\n", stdout); + fputs("\nCopyright (C) 2004 Free Software Foundation\n" + "This program is free software; you can redistribute it and/or modify \n" + "it under the terms of the GNU General Public License as published by \n" + "the Free Software Foundation; either version 2 of the License, or \n" + "(at your option) any later version. \n" "\n" + "This program is distributed in the hope that it will be useful, \n" + "but WITHOUT ANY WARRANTY; without even the implied warranty of \n" + "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \n" + "GNU General Public License for more details. \n" "\n" + "You should have received a copy of the GNU General Public License \n" + "along with this program; if not, write to the Free Software \n" + "Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.\n\n", + stdout); } diff --git a/src/cli-gaa.c b/src/cli-gaa.c index 2b93916c42..efa88ebae3 100644 --- a/src/cli-gaa.c +++ b/src/cli-gaa.c @@ -21,147 +21,153 @@ void cli_version(void); #endif #endif -static void* gaa_malloc( size_t size) { -void* ret; - ret = malloc(size); - if (ret==NULL) { - fprintf(stderr, "gaa: could not allocate memory"); - exit(1); - } - return ret; +static void *gaa_malloc(size_t size) +{ + void *ret; + ret = malloc(size); + if (ret == NULL) { + fprintf(stderr, "gaa: could not allocate memory"); + exit(1); + } + return ret; } -static void __gaa_helpsingle(char short_name, char *name, - char *arg_desc, char *opt_help) +static void __gaa_helpsingle(char short_name, char *name, + char *arg_desc, char *opt_help) { - int col1, col3, col4, tabsize = 3, curr; - int i; - - col1 = 5; /* Default values */ - col3 = 30; - col4 = 70; - - curr = 0; - for(i = 0; i < col1; i++) - { - printf(" "); - curr++; - } - if(short_name) - { - if(name && *name) - { - printf("-%c, ", short_name); - curr += 4; - } - else - { - printf("-%c ", short_name); - curr += 3; - } - } - if(name && *name) - { - printf("--%s ", name); - curr += 3 + strlen(name); - } - if(arg_desc && *arg_desc) - { - printf("%s ", arg_desc); - curr += 1 + strlen(arg_desc); - } - if(curr >= col3) - { - printf("\n"); - curr = 0; - } - if(opt_help) /* let's print the option's help body */ - { - const char *str = opt_help; - while(*str) - { - while(curr < col3) - { - printf(" "); - curr++; - } - switch(*str) - { - case '\n': - printf("\n"); - curr = 0; - break; - case '\t': - do - { - printf(" "); - curr++; - } - while((curr - col3) % tabsize != 0 && curr < col4); - case ' ': - if(*str == ' ') - { - curr++; - printf(" "); - } - for(i = 1; str[i] && str[i] != ' ' && str[i] != '\n' - && str[i] != '\t'; i++); - if(curr + i - 1 >= col4) - curr = col4; - break; - default: - printf("%c", *str); - curr++; - } - if(curr >= col4) - { - printf("\n"); - curr = 0; - } - str++; - } - } - printf("\n"); + int col1, col3, col4, tabsize = 3, curr; + int i; + + col1 = 5; /* Default values */ + col3 = 30; + col4 = 70; + + curr = 0; + for (i = 0; i < col1; i++) { + printf(" "); + curr++; + } + if (short_name) { + if (name && *name) { + printf("-%c, ", short_name); + curr += 4; + } else { + printf("-%c ", short_name); + curr += 3; + } + } + if (name && *name) { + printf("--%s ", name); + curr += 3 + strlen(name); + } + if (arg_desc && *arg_desc) { + printf("%s ", arg_desc); + curr += 1 + strlen(arg_desc); + } + if (curr >= col3) { + printf("\n"); + curr = 0; + } + if (opt_help) { /* let's print the option's help body */ + const char *str = opt_help; + while (*str) { + while (curr < col3) { + printf(" "); + curr++; + } + switch (*str) { + case '\n': + printf("\n"); + curr = 0; + break; + case '\t': + do { + printf(" "); + curr++; + } + while ((curr - col3) % tabsize != 0 && curr < col4); + case ' ': + if (*str == ' ') { + curr++; + printf(" "); + } + for (i = 1; str[i] && str[i] != ' ' && str[i] != '\n' + && str[i] != '\t'; i++); + if (curr + i - 1 >= col4) + curr = col4; + break; + default: + printf("%c", *str); + curr++; + } + if (curr >= col4) { + printf("\n"); + curr = 0; + } + str++; + } + } + printf("\n"); } void gaa_help(void) { - printf("GNU TLS test client\nUsage: gnutls-cli [options] hostname\n\n\n"); - __gaa_helpsingle('d', "debug", "integer ", "Enable debugging"); - __gaa_helpsingle('r', "resume", "", "Connect, establish a session. Connect again and resume this session."); - __gaa_helpsingle('s', "starttls", "", "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received."); - __gaa_helpsingle(0, "crlf", "", "Send CR LF instead of LF."); - __gaa_helpsingle(0, "x509fmtder", "", "Use DER format for certificates to read from."); - __gaa_helpsingle('f', "fingerprint", "", "Send the openpgp fingerprint, instead of the key."); - __gaa_helpsingle(0, "disable-extensions", "", "Disable all the TLS extensions."); - __gaa_helpsingle(0, "xml", "", "Print the certificate information in XML format."); - __gaa_helpsingle(0, "print-cert", "", "Print the certificate in PEM format."); - __gaa_helpsingle('p', "port", "integer ", "The port to connect to."); - __gaa_helpsingle(0, "recordsize", "integer ", "The maximum record size to advertize."); - __gaa_helpsingle('V', "verbose", "", "More verbose output."); - __gaa_helpsingle(0, "ciphers", "cipher1 cipher2... ", "Ciphers to enable."); - __gaa_helpsingle(0, "protocols", "protocol1 protocol2... ", "Protocols to enable."); - __gaa_helpsingle(0, "comp", "comp1 comp2... ", "Compression methods to enable."); - __gaa_helpsingle(0, "macs", "mac1 mac2... ", "MACs to enable."); - __gaa_helpsingle(0, "kx", "kx1 kx2... ", "Key exchange methods to enable."); - __gaa_helpsingle(0, "ctypes", "certType1 certType2... ", "Certificate types to enable."); - __gaa_helpsingle(0, "x509cafile", "FILE ", "Certificate file to use."); - __gaa_helpsingle(0, "x509crlfile", "FILE ", "CRL file to use."); - __gaa_helpsingle(0, "pgpkeyfile", "FILE ", "PGP Key file to use."); - __gaa_helpsingle(0, "pgpkeyring", "FILE ", "PGP Key ring file to use."); - __gaa_helpsingle(0, "pgptrustdb", "FILE ", "PGP trustdb file to use."); - __gaa_helpsingle(0, "pgpcertfile", "FILE ", "PGP Public Key (certificate) file to use."); - __gaa_helpsingle(0, "x509keyfile", "FILE ", "X.509 key file to use."); - __gaa_helpsingle(0, "x509certfile", "FILE ", "X.509 Certificate file to use."); - __gaa_helpsingle(0, "srpusername", "NAME ", "SRP username to use."); - __gaa_helpsingle(0, "srppasswd", "PASSWD ", "SRP password to use."); - __gaa_helpsingle('l', "list", "", "Print a list of the supported algorithms and modes."); - __gaa_helpsingle('h', "help", "", "prints this help"); - __gaa_helpsingle('v', "version", "", "prints the program's version number"); - __gaa_helpsingle(0, "copyright", "", "prints the program's license"); + printf + ("GNU TLS test client\nUsage: gnutls-cli [options] hostname\n\n\n"); + __gaa_helpsingle('d', "debug", "integer ", "Enable debugging"); + __gaa_helpsingle('r', "resume", "", + "Connect, establish a session. Connect again and resume this session."); + __gaa_helpsingle('s', "starttls", "", + "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received."); + __gaa_helpsingle(0, "crlf", "", "Send CR LF instead of LF."); + __gaa_helpsingle(0, "x509fmtder", "", + "Use DER format for certificates to read from."); + __gaa_helpsingle('f', "fingerprint", "", + "Send the openpgp fingerprint, instead of the key."); + __gaa_helpsingle(0, "disable-extensions", "", + "Disable all the TLS extensions."); + __gaa_helpsingle(0, "xml", "", + "Print the certificate information in XML format."); + __gaa_helpsingle(0, "print-cert", "", + "Print the certificate in PEM format."); + __gaa_helpsingle('p', "port", "integer ", "The port to connect to."); + __gaa_helpsingle(0, "recordsize", "integer ", + "The maximum record size to advertize."); + __gaa_helpsingle('V', "verbose", "", "More verbose output."); + __gaa_helpsingle(0, "ciphers", "cipher1 cipher2... ", + "Ciphers to enable."); + __gaa_helpsingle(0, "protocols", "protocol1 protocol2... ", + "Protocols to enable."); + __gaa_helpsingle(0, "comp", "comp1 comp2... ", + "Compression methods to enable."); + __gaa_helpsingle(0, "macs", "mac1 mac2... ", "MACs to enable."); + __gaa_helpsingle(0, "kx", "kx1 kx2... ", + "Key exchange methods to enable."); + __gaa_helpsingle(0, "ctypes", "certType1 certType2... ", + "Certificate types to enable."); + __gaa_helpsingle(0, "x509cafile", "FILE ", "Certificate file to use."); + __gaa_helpsingle(0, "x509crlfile", "FILE ", "CRL file to use."); + __gaa_helpsingle(0, "pgpkeyfile", "FILE ", "PGP Key file to use."); + __gaa_helpsingle(0, "pgpkeyring", "FILE ", + "PGP Key ring file to use."); + __gaa_helpsingle(0, "pgptrustdb", "FILE ", "PGP trustdb file to use."); + __gaa_helpsingle(0, "pgpcertfile", "FILE ", + "PGP Public Key (certificate) file to use."); + __gaa_helpsingle(0, "x509keyfile", "FILE ", "X.509 key file to use."); + __gaa_helpsingle(0, "x509certfile", "FILE ", + "X.509 Certificate file to use."); + __gaa_helpsingle(0, "srpusername", "NAME ", "SRP username to use."); + __gaa_helpsingle(0, "srppasswd", "PASSWD ", "SRP password to use."); + __gaa_helpsingle('l', "list", "", + "Print a list of the supported algorithms and modes."); + __gaa_helpsingle('h', "help", "", "prints this help"); + __gaa_helpsingle('v', "version", "", + "prints the program's version number"); + __gaa_helpsingle(0, "copyright", "", "prints the program's license"); #line 100 "gaa.skel" } + /* Copy of C area */ #line 104 "gaa.skel" @@ -171,110 +177,102 @@ void gaa_help(void) typedef struct _gaainfo gaainfo; -struct _gaainfo -{ +struct _gaainfo { #line 111 "cli.gaa" - char *rest_args; + char *rest_args; #line 101 "cli.gaa" - char *srp_passwd; + char *srp_passwd; #line 98 "cli.gaa" - char *srp_username; + char *srp_username; #line 95 "cli.gaa" - char *x509_certfile; + char *x509_certfile; #line 92 "cli.gaa" - char *x509_keyfile; + char *x509_keyfile; #line 89 "cli.gaa" - char *pgp_certfile; + char *pgp_certfile; #line 86 "cli.gaa" - char *pgp_trustdb; + char *pgp_trustdb; #line 83 "cli.gaa" - char *pgp_keyring; + char *pgp_keyring; #line 80 "cli.gaa" - char *pgp_keyfile; + char *pgp_keyfile; #line 77 "cli.gaa" - char *x509_crlfile; + char *x509_crlfile; #line 74 "cli.gaa" - char *x509_cafile; + char *x509_cafile; #line 71 "cli.gaa" - char **ctype; + char **ctype; #line 70 "cli.gaa" - int nctype; + int nctype; #line 67 "cli.gaa" - char **kx; + char **kx; #line 66 "cli.gaa" - int nkx; + int nkx; #line 63 "cli.gaa" - char **macs; + char **macs; #line 62 "cli.gaa" - int nmacs; + int nmacs; #line 59 "cli.gaa" - char **comp; + char **comp; #line 58 "cli.gaa" - int ncomp; + int ncomp; #line 55 "cli.gaa" - char **proto; + char **proto; #line 54 "cli.gaa" - int nproto; + int nproto; #line 51 "cli.gaa" - char **ciphers; + char **ciphers; #line 50 "cli.gaa" - int nciphers; + int nciphers; #line 47 "cli.gaa" - int verbose; + int verbose; #line 44 "cli.gaa" - int record_size; + int record_size; #line 41 "cli.gaa" - int port; + int port; #line 38 "cli.gaa" - int print_cert; + int print_cert; #line 35 "cli.gaa" - int xml; + int xml; #line 32 "cli.gaa" - int disable_extensions; + int disable_extensions; #line 29 "cli.gaa" - int fingerprint; + int fingerprint; #line 26 "cli.gaa" - int fmtder; + int fmtder; #line 23 "cli.gaa" - int crlf; + int crlf; #line 20 "cli.gaa" - int starttls; + int starttls; #line 17 "cli.gaa" - int resume; + int resume; #line 14 "cli.gaa" - int debug; + int debug; #line 114 "gaa.skel" }; #ifdef __cplusplus -extern "C" -{ +extern "C" { #endif - int gaa(int argc, char *argv[], gaainfo *gaaval); + int gaa(int argc, char *argv[], gaainfo * gaaval); void gaa_help(void); - - int gaa_file(const char *name, gaainfo *gaaval); - + + int gaa_file(const char *name, gaainfo * gaaval); + #ifdef __cplusplus } #endif - - #endif - #line 135 "gaa.skel" - /* C declarations */ - #define GAAERROR(x) \ { \ gaa_error = 1; \ return x; \ } - static char *gaa_current_option; static int gaa_error = 0; @@ -372,7 +370,7 @@ if(gaa_error == 1) \ { \ gaa_error = 0; \ return GAA_ERROR_INVALID_ARG; \ -} +} @@ -450,7 +448,7 @@ if(k == 0) \ printf("You must give at least one option of '%s'\n", str); \ return 0; \ } - + #define GAA_INCOMP(str) \ k = 0; \ for(i = 0; i < strlen(str); i++) \ @@ -469,7 +467,7 @@ if(k > 1) \ printf("The options '%s' are incompatible\n", str); \ return 0; \ } - + static char **GAAargv; static int GAAargc; @@ -481,25 +479,25 @@ static int gaa_getint(char *arg) { int tmp; char a; - if(sscanf(arg, "%d%c", &tmp, &a) < 1) - { - printf("Option %s: '%s' isn't an integer\n", gaa_current_option, arg); - GAAERROR(-1); + if (sscanf(arg, "%d%c", &tmp, &a) < 1) { + printf("Option %s: '%s' isn't an integer\n", gaa_current_option, + arg); + GAAERROR(-1); } return tmp; } static char gaa_getchar(char *arg) { - if(strlen(arg) != 1) - { - printf("Option %s: '%s' isn't an character\n", gaa_current_option, arg); - GAAERROR(-1); + if (strlen(arg) != 1) { + printf("Option %s: '%s' isn't an character\n", gaa_current_option, + arg); + GAAERROR(-1); } return arg[0]; } -static char* gaa_getstr(char *arg) +static char *gaa_getstr(char *arg) { return arg; } @@ -507,266 +505,247 @@ static float gaa_getfloat(char *arg) { float tmp; char a; - if(sscanf(arg, "%f%c", &tmp, &a) < 1) - { - printf("Option %s: '%s' isn't a float number\n", gaa_current_option, arg); - GAAERROR(-1); + if (sscanf(arg, "%f%c", &tmp, &a) < 1) { + printf("Option %s: '%s' isn't a float number\n", + gaa_current_option, arg); + GAAERROR(-1); } return tmp; } + /* option structures */ -struct GAAOPTION_srppasswd -{ - char* arg1; - int size1; +struct GAAOPTION_srppasswd { + char *arg1; + int size1; }; -struct GAAOPTION_srpusername -{ - char* arg1; - int size1; +struct GAAOPTION_srpusername { + char *arg1; + int size1; }; -struct GAAOPTION_x509certfile -{ - char* arg1; - int size1; +struct GAAOPTION_x509certfile { + char *arg1; + int size1; }; -struct GAAOPTION_x509keyfile -{ - char* arg1; - int size1; +struct GAAOPTION_x509keyfile { + char *arg1; + int size1; }; -struct GAAOPTION_pgpcertfile -{ - char* arg1; - int size1; +struct GAAOPTION_pgpcertfile { + char *arg1; + int size1; }; -struct GAAOPTION_pgptrustdb -{ - char* arg1; - int size1; +struct GAAOPTION_pgptrustdb { + char *arg1; + int size1; }; -struct GAAOPTION_pgpkeyring -{ - char* arg1; - int size1; +struct GAAOPTION_pgpkeyring { + char *arg1; + int size1; }; -struct GAAOPTION_pgpkeyfile -{ - char* arg1; - int size1; +struct GAAOPTION_pgpkeyfile { + char *arg1; + int size1; }; -struct GAAOPTION_x509crlfile -{ - char* arg1; - int size1; +struct GAAOPTION_x509crlfile { + char *arg1; + int size1; }; -struct GAAOPTION_x509cafile -{ - char* arg1; - int size1; +struct GAAOPTION_x509cafile { + char *arg1; + int size1; }; -struct GAAOPTION_ctypes -{ - char** arg1; - int size1; +struct GAAOPTION_ctypes { + char **arg1; + int size1; }; -struct GAAOPTION_kx -{ - char** arg1; - int size1; +struct GAAOPTION_kx { + char **arg1; + int size1; }; -struct GAAOPTION_macs -{ - char** arg1; - int size1; +struct GAAOPTION_macs { + char **arg1; + int size1; }; -struct GAAOPTION_comp -{ - char** arg1; - int size1; +struct GAAOPTION_comp { + char **arg1; + int size1; }; -struct GAAOPTION_protocols -{ - char** arg1; - int size1; +struct GAAOPTION_protocols { + char **arg1; + int size1; }; -struct GAAOPTION_ciphers -{ - char** arg1; - int size1; +struct GAAOPTION_ciphers { + char **arg1; + int size1; }; -struct GAAOPTION_recordsize -{ - int arg1; - int size1; +struct GAAOPTION_recordsize { + int arg1; + int size1; }; -struct GAAOPTION_port -{ - int arg1; - int size1; +struct GAAOPTION_port { + int arg1; + int size1; }; -struct GAAOPTION_debug -{ - int arg1; - int size1; +struct GAAOPTION_debug { + int arg1; + int size1; }; #define GAA_REST_EXISTS -struct GAAREST -{ - char* arg1; - int size1; +struct GAAREST { + char *arg1; + int size1; }; - + #line 349 "gaa.skel" static int gaa_is_an_argument(char *str) { #ifdef GAA_WIN32 - if(str[0] == '/' && str[1] != 0) + if (str[0] == '/' && str[1] != 0) return GAA_MULTIPLE_OPTION; #endif - if(str[0] != '-') - return GAA_NOT_AN_OPTION; - if(str[1] == 0) - return GAA_NOT_AN_OPTION; - if(str[1] == '-') - { - if(str[2] != 0) - return GAA_WORD_OPTION; - else - return GAA_NOT_AN_OPTION; + if (str[0] != '-') + return GAA_NOT_AN_OPTION; + if (str[1] == 0) + return GAA_NOT_AN_OPTION; + if (str[1] == '-') { + if (str[2] != 0) + return GAA_WORD_OPTION; + else + return GAA_NOT_AN_OPTION; } - if(str[2] == 0) - return GAA_LETTER_OPTION; + if (str[2] == 0) + return GAA_LETTER_OPTION; else - return GAA_MULTIPLE_OPTION; + return GAA_MULTIPLE_OPTION; } static int gaa_get_option_num(char *str, int status) { - switch(status) - { - case GAA_LETTER_OPTION: - GAA_CHECK1STR("", GAAOPTID_srppasswd); - GAA_CHECK1STR("", GAAOPTID_srpusername); - GAA_CHECK1STR("", GAAOPTID_x509certfile); - GAA_CHECK1STR("", GAAOPTID_x509keyfile); - GAA_CHECK1STR("", GAAOPTID_pgpcertfile); - GAA_CHECK1STR("", GAAOPTID_pgptrustdb); - GAA_CHECK1STR("", GAAOPTID_pgpkeyring); - GAA_CHECK1STR("", GAAOPTID_pgpkeyfile); - GAA_CHECK1STR("", GAAOPTID_x509crlfile); - GAA_CHECK1STR("", GAAOPTID_x509cafile); - GAA_CHECK1STR("", GAAOPTID_ctypes); - GAA_CHECK1STR("", GAAOPTID_kx); - GAA_CHECK1STR("", GAAOPTID_macs); - GAA_CHECK1STR("", GAAOPTID_comp); - GAA_CHECK1STR("", GAAOPTID_protocols); - GAA_CHECK1STR("", GAAOPTID_ciphers); - GAA_CHECK1STR("", GAAOPTID_recordsize); - GAA_CHECK1STR("p", GAAOPTID_port); - GAA_CHECK1STR("d", GAAOPTID_debug); - case GAA_MULTIPLE_OPTION: + switch (status) { + case GAA_LETTER_OPTION: + GAA_CHECK1STR("", GAAOPTID_srppasswd); + GAA_CHECK1STR("", GAAOPTID_srpusername); + GAA_CHECK1STR("", GAAOPTID_x509certfile); + GAA_CHECK1STR("", GAAOPTID_x509keyfile); + GAA_CHECK1STR("", GAAOPTID_pgpcertfile); + GAA_CHECK1STR("", GAAOPTID_pgptrustdb); + GAA_CHECK1STR("", GAAOPTID_pgpkeyring); + GAA_CHECK1STR("", GAAOPTID_pgpkeyfile); + GAA_CHECK1STR("", GAAOPTID_x509crlfile); + GAA_CHECK1STR("", GAAOPTID_x509cafile); + GAA_CHECK1STR("", GAAOPTID_ctypes); + GAA_CHECK1STR("", GAAOPTID_kx); + GAA_CHECK1STR("", GAAOPTID_macs); + GAA_CHECK1STR("", GAAOPTID_comp); + GAA_CHECK1STR("", GAAOPTID_protocols); + GAA_CHECK1STR("", GAAOPTID_ciphers); + GAA_CHECK1STR("", GAAOPTID_recordsize); + GAA_CHECK1STR("p", GAAOPTID_port); + GAA_CHECK1STR("d", GAAOPTID_debug); + case GAA_MULTIPLE_OPTION: #line 375 "gaa.skel" - GAA_CHECK1STR("", GAAOPTID_copyright); - GAA_CHECK1STR("v", GAAOPTID_version); - GAA_CHECK1STR("h", GAAOPTID_help); - GAA_CHECK1STR("l", GAAOPTID_list); - GAA_CHECK1STR("V", GAAOPTID_verbose); - GAA_CHECK1STR("", GAAOPTID_print_cert); - GAA_CHECK1STR("", GAAOPTID_xml); - GAA_CHECK1STR("", GAAOPTID_disable_extensions); - GAA_CHECK1STR("f", GAAOPTID_fingerprint); - GAA_CHECK1STR("", GAAOPTID_x509fmtder); - GAA_CHECK1STR("", GAAOPTID_crlf); - GAA_CHECK1STR("s", GAAOPTID_starttls); - GAA_CHECK1STR("r", GAAOPTID_resume); + GAA_CHECK1STR("", GAAOPTID_copyright); + GAA_CHECK1STR("v", GAAOPTID_version); + GAA_CHECK1STR("h", GAAOPTID_help); + GAA_CHECK1STR("l", GAAOPTID_list); + GAA_CHECK1STR("V", GAAOPTID_verbose); + GAA_CHECK1STR("", GAAOPTID_print_cert); + GAA_CHECK1STR("", GAAOPTID_xml); + GAA_CHECK1STR("", GAAOPTID_disable_extensions); + GAA_CHECK1STR("f", GAAOPTID_fingerprint); + GAA_CHECK1STR("", GAAOPTID_x509fmtder); + GAA_CHECK1STR("", GAAOPTID_crlf); + GAA_CHECK1STR("s", GAAOPTID_starttls); + GAA_CHECK1STR("r", GAAOPTID_resume); #line 277 "gaa.skel" - break; - case GAA_WORD_OPTION: - GAA_CHECKSTR("copyright", GAAOPTID_copyright); - GAA_CHECKSTR("version", GAAOPTID_version); - GAA_CHECKSTR("help", GAAOPTID_help); - GAA_CHECKSTR("list", GAAOPTID_list); - GAA_CHECKSTR("srppasswd", GAAOPTID_srppasswd); - GAA_CHECKSTR("srpusername", GAAOPTID_srpusername); - GAA_CHECKSTR("x509certfile", GAAOPTID_x509certfile); - GAA_CHECKSTR("x509keyfile", GAAOPTID_x509keyfile); - GAA_CHECKSTR("pgpcertfile", GAAOPTID_pgpcertfile); - GAA_CHECKSTR("pgptrustdb", GAAOPTID_pgptrustdb); - GAA_CHECKSTR("pgpkeyring", GAAOPTID_pgpkeyring); - GAA_CHECKSTR("pgpkeyfile", GAAOPTID_pgpkeyfile); - GAA_CHECKSTR("x509crlfile", GAAOPTID_x509crlfile); - GAA_CHECKSTR("x509cafile", GAAOPTID_x509cafile); - GAA_CHECKSTR("ctypes", GAAOPTID_ctypes); - GAA_CHECKSTR("kx", GAAOPTID_kx); - GAA_CHECKSTR("macs", GAAOPTID_macs); - GAA_CHECKSTR("comp", GAAOPTID_comp); - GAA_CHECKSTR("protocols", GAAOPTID_protocols); - GAA_CHECKSTR("ciphers", GAAOPTID_ciphers); - GAA_CHECKSTR("verbose", GAAOPTID_verbose); - GAA_CHECKSTR("recordsize", GAAOPTID_recordsize); - GAA_CHECKSTR("port", GAAOPTID_port); - GAA_CHECKSTR("print-cert", GAAOPTID_print_cert); - GAA_CHECKSTR("xml", GAAOPTID_xml); - GAA_CHECKSTR("disable-extensions", GAAOPTID_disable_extensions); - GAA_CHECKSTR("fingerprint", GAAOPTID_fingerprint); - GAA_CHECKSTR("x509fmtder", GAAOPTID_x509fmtder); - GAA_CHECKSTR("crlf", GAAOPTID_crlf); - GAA_CHECKSTR("starttls", GAAOPTID_starttls); - GAA_CHECKSTR("resume", GAAOPTID_resume); - GAA_CHECKSTR("debug", GAAOPTID_debug); + break; + case GAA_WORD_OPTION: + GAA_CHECKSTR("copyright", GAAOPTID_copyright); + GAA_CHECKSTR("version", GAAOPTID_version); + GAA_CHECKSTR("help", GAAOPTID_help); + GAA_CHECKSTR("list", GAAOPTID_list); + GAA_CHECKSTR("srppasswd", GAAOPTID_srppasswd); + GAA_CHECKSTR("srpusername", GAAOPTID_srpusername); + GAA_CHECKSTR("x509certfile", GAAOPTID_x509certfile); + GAA_CHECKSTR("x509keyfile", GAAOPTID_x509keyfile); + GAA_CHECKSTR("pgpcertfile", GAAOPTID_pgpcertfile); + GAA_CHECKSTR("pgptrustdb", GAAOPTID_pgptrustdb); + GAA_CHECKSTR("pgpkeyring", GAAOPTID_pgpkeyring); + GAA_CHECKSTR("pgpkeyfile", GAAOPTID_pgpkeyfile); + GAA_CHECKSTR("x509crlfile", GAAOPTID_x509crlfile); + GAA_CHECKSTR("x509cafile", GAAOPTID_x509cafile); + GAA_CHECKSTR("ctypes", GAAOPTID_ctypes); + GAA_CHECKSTR("kx", GAAOPTID_kx); + GAA_CHECKSTR("macs", GAAOPTID_macs); + GAA_CHECKSTR("comp", GAAOPTID_comp); + GAA_CHECKSTR("protocols", GAAOPTID_protocols); + GAA_CHECKSTR("ciphers", GAAOPTID_ciphers); + GAA_CHECKSTR("verbose", GAAOPTID_verbose); + GAA_CHECKSTR("recordsize", GAAOPTID_recordsize); + GAA_CHECKSTR("port", GAAOPTID_port); + GAA_CHECKSTR("print-cert", GAAOPTID_print_cert); + GAA_CHECKSTR("xml", GAAOPTID_xml); + GAA_CHECKSTR("disable-extensions", GAAOPTID_disable_extensions); + GAA_CHECKSTR("fingerprint", GAAOPTID_fingerprint); + GAA_CHECKSTR("x509fmtder", GAAOPTID_x509fmtder); + GAA_CHECKSTR("crlf", GAAOPTID_crlf); + GAA_CHECKSTR("starttls", GAAOPTID_starttls); + GAA_CHECKSTR("resume", GAAOPTID_resume); + GAA_CHECKSTR("debug", GAAOPTID_debug); #line 281 "gaa.skel" break; - default: break; - } + default: + break; + } return GAA_ERROR_NOMATCH; } -static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) +static int gaa_try(int gaa_num, int gaa_index, gaainfo * gaaval, + char *opt_list) { int OK = 0; int gaa_last_non_option; - struct GAAOPTION_srppasswd GAATMP_srppasswd; - struct GAAOPTION_srpusername GAATMP_srpusername; - struct GAAOPTION_x509certfile GAATMP_x509certfile; - struct GAAOPTION_x509keyfile GAATMP_x509keyfile; - struct GAAOPTION_pgpcertfile GAATMP_pgpcertfile; - struct GAAOPTION_pgptrustdb GAATMP_pgptrustdb; - struct GAAOPTION_pgpkeyring GAATMP_pgpkeyring; - struct GAAOPTION_pgpkeyfile GAATMP_pgpkeyfile; - struct GAAOPTION_x509crlfile GAATMP_x509crlfile; - struct GAAOPTION_x509cafile GAATMP_x509cafile; - struct GAAOPTION_ctypes GAATMP_ctypes; - struct GAAOPTION_kx GAATMP_kx; - struct GAAOPTION_macs GAATMP_macs; - struct GAAOPTION_comp GAATMP_comp; - struct GAAOPTION_protocols GAATMP_protocols; - struct GAAOPTION_ciphers GAATMP_ciphers; - struct GAAOPTION_recordsize GAATMP_recordsize; - struct GAAOPTION_port GAATMP_port; - struct GAAOPTION_debug GAATMP_debug; + struct GAAOPTION_srppasswd GAATMP_srppasswd; + struct GAAOPTION_srpusername GAATMP_srpusername; + struct GAAOPTION_x509certfile GAATMP_x509certfile; + struct GAAOPTION_x509keyfile GAATMP_x509keyfile; + struct GAAOPTION_pgpcertfile GAATMP_pgpcertfile; + struct GAAOPTION_pgptrustdb GAATMP_pgptrustdb; + struct GAAOPTION_pgpkeyring GAATMP_pgpkeyring; + struct GAAOPTION_pgpkeyfile GAATMP_pgpkeyfile; + struct GAAOPTION_x509crlfile GAATMP_x509crlfile; + struct GAAOPTION_x509cafile GAATMP_x509cafile; + struct GAAOPTION_ctypes GAATMP_ctypes; + struct GAAOPTION_kx GAATMP_kx; + struct GAAOPTION_macs GAATMP_macs; + struct GAAOPTION_comp GAATMP_comp; + struct GAAOPTION_protocols GAATMP_protocols; + struct GAAOPTION_ciphers GAATMP_ciphers; + struct GAAOPTION_recordsize GAATMP_recordsize; + struct GAAOPTION_port GAATMP_port; + struct GAAOPTION_debug GAATMP_debug; #line 393 "gaa.skel" #ifdef GAA_REST_EXISTS @@ -774,305 +753,397 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) #endif opt_list[gaa_num] = 1; - - for(gaa_last_non_option = gaa_index; - (gaa_last_non_option != GAAargc) && (gaa_is_an_argument(GAAargv[gaa_last_non_option]) == GAA_NOT_AN_OPTION); - gaa_last_non_option++); - - if(gaa_num == GAA_REST) - { - gaa_index = 1; - gaa_last_non_option = GAAargc; + + for (gaa_last_non_option = gaa_index; + (gaa_last_non_option != GAAargc) + && (gaa_is_an_argument(GAAargv[gaa_last_non_option]) == + GAA_NOT_AN_OPTION); gaa_last_non_option++); + + if (gaa_num == GAA_REST) { + gaa_index = 1; + gaa_last_non_option = GAAargc; } - - switch(gaa_num) - { - case GAAOPTID_copyright: + + switch (gaa_num) { + case GAAOPTID_copyright: OK = 0; #line 109 "cli.gaa" -{ print_license(); exit(0); ;}; + { + print_license(); + exit(0);; + }; - return GAA_OK; - break; - case GAAOPTID_version: + return GAA_OK; + break; + case GAAOPTID_version: OK = 0; #line 108 "cli.gaa" -{ cli_version(); exit(0); ;}; + { + cli_version(); + exit(0);; + }; - return GAA_OK; - break; - case GAAOPTID_help: + return GAA_OK; + break; + case GAAOPTID_help: OK = 0; #line 106 "cli.gaa" -{ gaa_help(); exit(0); ;}; + { + gaa_help(); + exit(0);; + }; - return GAA_OK; - break; - case GAAOPTID_list: + return GAA_OK; + break; + case GAAOPTID_list: OK = 0; #line 105 "cli.gaa" -{ print_list(); exit(0); ;}; + { + print_list(); + exit(0);; + }; - return GAA_OK; - break; - case GAAOPTID_srppasswd: + return GAA_OK; + break; + case GAAOPTID_srppasswd: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_srppasswd.arg1, gaa_getstr, GAATMP_srppasswd.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_srppasswd.arg1, gaa_getstr, + GAATMP_srppasswd.size1); + gaa_index++; #line 102 "cli.gaa" -{ gaaval->srp_passwd = GAATMP_srppasswd.arg1 ;}; + { + gaaval->srp_passwd = GAATMP_srppasswd.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_srpusername: + return GAA_OK; + break; + case GAAOPTID_srpusername: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_srpusername.arg1, gaa_getstr, GAATMP_srpusername.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_srpusername.arg1, gaa_getstr, + GAATMP_srpusername.size1); + gaa_index++; #line 99 "cli.gaa" -{ gaaval->srp_username = GAATMP_srpusername.arg1 ;}; + { + gaaval->srp_username = GAATMP_srpusername.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_x509certfile: + return GAA_OK; + break; + case GAAOPTID_x509certfile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_x509certfile.arg1, gaa_getstr, GAATMP_x509certfile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509certfile.arg1, gaa_getstr, + GAATMP_x509certfile.size1); + gaa_index++; #line 96 "cli.gaa" -{ gaaval->x509_certfile = GAATMP_x509certfile.arg1 ;}; + { + gaaval->x509_certfile = GAATMP_x509certfile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_x509keyfile: + return GAA_OK; + break; + case GAAOPTID_x509keyfile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_x509keyfile.arg1, gaa_getstr, GAATMP_x509keyfile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509keyfile.arg1, gaa_getstr, + GAATMP_x509keyfile.size1); + gaa_index++; #line 93 "cli.gaa" -{ gaaval->x509_keyfile = GAATMP_x509keyfile.arg1 ;}; + { + gaaval->x509_keyfile = GAATMP_x509keyfile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_pgpcertfile: + return GAA_OK; + break; + case GAAOPTID_pgpcertfile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_pgpcertfile.arg1, gaa_getstr, GAATMP_pgpcertfile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgpcertfile.arg1, gaa_getstr, + GAATMP_pgpcertfile.size1); + gaa_index++; #line 90 "cli.gaa" -{ gaaval->pgp_certfile = GAATMP_pgpcertfile.arg1 ;}; + { + gaaval->pgp_certfile = GAATMP_pgpcertfile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_pgptrustdb: + return GAA_OK; + break; + case GAAOPTID_pgptrustdb: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_pgptrustdb.arg1, gaa_getstr, GAATMP_pgptrustdb.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgptrustdb.arg1, gaa_getstr, + GAATMP_pgptrustdb.size1); + gaa_index++; #line 87 "cli.gaa" -{ gaaval->pgp_trustdb = GAATMP_pgptrustdb.arg1 ;}; + { + gaaval->pgp_trustdb = GAATMP_pgptrustdb.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_pgpkeyring: + return GAA_OK; + break; + case GAAOPTID_pgpkeyring: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_pgpkeyring.arg1, gaa_getstr, GAATMP_pgpkeyring.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgpkeyring.arg1, gaa_getstr, + GAATMP_pgpkeyring.size1); + gaa_index++; #line 84 "cli.gaa" -{ gaaval->pgp_keyring = GAATMP_pgpkeyring.arg1 ;}; + { + gaaval->pgp_keyring = GAATMP_pgpkeyring.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_pgpkeyfile: + return GAA_OK; + break; + case GAAOPTID_pgpkeyfile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_pgpkeyfile.arg1, gaa_getstr, GAATMP_pgpkeyfile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgpkeyfile.arg1, gaa_getstr, + GAATMP_pgpkeyfile.size1); + gaa_index++; #line 81 "cli.gaa" -{ gaaval->pgp_keyfile = GAATMP_pgpkeyfile.arg1 ;}; + { + gaaval->pgp_keyfile = GAATMP_pgpkeyfile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_x509crlfile: + return GAA_OK; + break; + case GAAOPTID_x509crlfile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_x509crlfile.arg1, gaa_getstr, GAATMP_x509crlfile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509crlfile.arg1, gaa_getstr, + GAATMP_x509crlfile.size1); + gaa_index++; #line 78 "cli.gaa" -{ gaaval->x509_crlfile = GAATMP_x509crlfile.arg1 ;}; + { + gaaval->x509_crlfile = GAATMP_x509crlfile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_x509cafile: + return GAA_OK; + break; + case GAAOPTID_x509cafile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_x509cafile.arg1, gaa_getstr, GAATMP_x509cafile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509cafile.arg1, gaa_getstr, + GAATMP_x509cafile.size1); + gaa_index++; #line 75 "cli.gaa" -{ gaaval->x509_cafile = GAATMP_x509cafile.arg1 ;}; + { + gaaval->x509_cafile = GAATMP_x509cafile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_ctypes: + return GAA_OK; + break; + case GAAOPTID_ctypes: OK = 0; - GAA_LIST_FILL(GAATMP_ctypes.arg1, gaa_getstr, char*, GAATMP_ctypes.size1); + GAA_LIST_FILL(GAATMP_ctypes.arg1, gaa_getstr, char *, + GAATMP_ctypes.size1); #line 72 "cli.gaa" -{ gaaval->ctype = GAATMP_ctypes.arg1; gaaval->nctype = GAATMP_ctypes.size1 ;}; + { + gaaval->ctype = GAATMP_ctypes.arg1; + gaaval->nctype = GAATMP_ctypes.size1; + }; - return GAA_OK; - break; - case GAAOPTID_kx: + return GAA_OK; + break; + case GAAOPTID_kx: OK = 0; - GAA_LIST_FILL(GAATMP_kx.arg1, gaa_getstr, char*, GAATMP_kx.size1); + GAA_LIST_FILL(GAATMP_kx.arg1, gaa_getstr, char *, GAATMP_kx.size1); #line 68 "cli.gaa" -{ gaaval->kx = GAATMP_kx.arg1; gaaval->nkx = GAATMP_kx.size1 ;}; + { + gaaval->kx = GAATMP_kx.arg1; + gaaval->nkx = GAATMP_kx.size1; + }; - return GAA_OK; - break; - case GAAOPTID_macs: + return GAA_OK; + break; + case GAAOPTID_macs: OK = 0; - GAA_LIST_FILL(GAATMP_macs.arg1, gaa_getstr, char*, GAATMP_macs.size1); + GAA_LIST_FILL(GAATMP_macs.arg1, gaa_getstr, char *, + GAATMP_macs.size1); #line 64 "cli.gaa" -{ gaaval->macs = GAATMP_macs.arg1; gaaval->nmacs = GAATMP_macs.size1 ;}; + { + gaaval->macs = GAATMP_macs.arg1; + gaaval->nmacs = GAATMP_macs.size1; + }; - return GAA_OK; - break; - case GAAOPTID_comp: + return GAA_OK; + break; + case GAAOPTID_comp: OK = 0; - GAA_LIST_FILL(GAATMP_comp.arg1, gaa_getstr, char*, GAATMP_comp.size1); + GAA_LIST_FILL(GAATMP_comp.arg1, gaa_getstr, char *, + GAATMP_comp.size1); #line 60 "cli.gaa" -{ gaaval->comp = GAATMP_comp.arg1; gaaval->ncomp = GAATMP_comp.size1 ;}; + { + gaaval->comp = GAATMP_comp.arg1; + gaaval->ncomp = GAATMP_comp.size1; + }; - return GAA_OK; - break; - case GAAOPTID_protocols: + return GAA_OK; + break; + case GAAOPTID_protocols: OK = 0; - GAA_LIST_FILL(GAATMP_protocols.arg1, gaa_getstr, char*, GAATMP_protocols.size1); + GAA_LIST_FILL(GAATMP_protocols.arg1, gaa_getstr, char *, + GAATMP_protocols.size1); #line 56 "cli.gaa" -{ gaaval->proto = GAATMP_protocols.arg1; gaaval->nproto = GAATMP_protocols.size1 ;}; + { + gaaval->proto = GAATMP_protocols.arg1; + gaaval->nproto = GAATMP_protocols.size1; + }; - return GAA_OK; - break; - case GAAOPTID_ciphers: + return GAA_OK; + break; + case GAAOPTID_ciphers: OK = 0; - GAA_LIST_FILL(GAATMP_ciphers.arg1, gaa_getstr, char*, GAATMP_ciphers.size1); + GAA_LIST_FILL(GAATMP_ciphers.arg1, gaa_getstr, char *, + GAATMP_ciphers.size1); #line 52 "cli.gaa" -{ gaaval->ciphers = GAATMP_ciphers.arg1; gaaval->nciphers = GAATMP_ciphers.size1 ;}; + { + gaaval->ciphers = GAATMP_ciphers.arg1; + gaaval->nciphers = GAATMP_ciphers.size1; + }; - return GAA_OK; - break; - case GAAOPTID_verbose: + return GAA_OK; + break; + case GAAOPTID_verbose: OK = 0; #line 48 "cli.gaa" -{ gaaval->verbose = 1 ;}; + { + gaaval->verbose = 1; + }; - return GAA_OK; - break; - case GAAOPTID_recordsize: + return GAA_OK; + break; + case GAAOPTID_recordsize: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_recordsize.arg1, gaa_getint, GAATMP_recordsize.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_recordsize.arg1, gaa_getint, + GAATMP_recordsize.size1); + gaa_index++; #line 45 "cli.gaa" -{ gaaval->record_size = GAATMP_recordsize.arg1 ;}; + { + gaaval->record_size = GAATMP_recordsize.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_port: + return GAA_OK; + break; + case GAAOPTID_port: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_port.arg1, gaa_getint, GAATMP_port.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_port.arg1, gaa_getint, GAATMP_port.size1); + gaa_index++; #line 42 "cli.gaa" -{ gaaval->port = GAATMP_port.arg1 ;}; + { + gaaval->port = GAATMP_port.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_print_cert: + return GAA_OK; + break; + case GAAOPTID_print_cert: OK = 0; #line 39 "cli.gaa" -{ gaaval->print_cert = 1 ;}; + { + gaaval->print_cert = 1; + }; - return GAA_OK; - break; - case GAAOPTID_xml: + return GAA_OK; + break; + case GAAOPTID_xml: OK = 0; #line 36 "cli.gaa" -{ gaaval->xml = 1 ;}; + { + gaaval->xml = 1; + }; - return GAA_OK; - break; - case GAAOPTID_disable_extensions: + return GAA_OK; + break; + case GAAOPTID_disable_extensions: OK = 0; #line 33 "cli.gaa" -{ gaaval->disable_extensions = 1 ;}; + { + gaaval->disable_extensions = 1; + }; - return GAA_OK; - break; - case GAAOPTID_fingerprint: + return GAA_OK; + break; + case GAAOPTID_fingerprint: OK = 0; #line 30 "cli.gaa" -{ gaaval->fingerprint = 1 ;}; + { + gaaval->fingerprint = 1; + }; - return GAA_OK; - break; - case GAAOPTID_x509fmtder: + return GAA_OK; + break; + case GAAOPTID_x509fmtder: OK = 0; #line 27 "cli.gaa" -{ gaaval->fmtder = 1 ;}; + { + gaaval->fmtder = 1; + }; - return GAA_OK; - break; - case GAAOPTID_crlf: + return GAA_OK; + break; + case GAAOPTID_crlf: OK = 0; #line 24 "cli.gaa" -{ gaaval->crlf = 1 ;}; + { + gaaval->crlf = 1; + }; - return GAA_OK; - break; - case GAAOPTID_starttls: + return GAA_OK; + break; + case GAAOPTID_starttls: OK = 0; #line 21 "cli.gaa" -{ gaaval->starttls = 1 ;}; + { + gaaval->starttls = 1; + }; - return GAA_OK; - break; - case GAAOPTID_resume: + return GAA_OK; + break; + case GAAOPTID_resume: OK = 0; #line 18 "cli.gaa" -{ gaaval->resume = 1 ;}; + { + gaaval->resume = 1; + }; - return GAA_OK; - break; - case GAAOPTID_debug: + return GAA_OK; + break; + case GAAOPTID_debug: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1); + gaa_index++; #line 15 "cli.gaa" -{ gaaval->debug = GAATMP_debug.arg1 ;}; + { + gaaval->debug = GAATMP_debug.arg1; + }; - return GAA_OK; - break; - case GAA_REST: - GAA_TESTMOREARGS; - GAA_FILL(GAAREST_tmp.arg1, gaa_getstr, GAAREST_tmp.size1); - gaa_index++; + return GAA_OK; + break; + case GAA_REST: + GAA_TESTMOREARGS; + GAA_FILL(GAAREST_tmp.arg1, gaa_getstr, GAAREST_tmp.size1); + gaa_index++; #line 112 "cli.gaa" -{ gaaval->rest_args = GAAREST_tmp.arg1; ;}; + { + gaaval->rest_args = GAAREST_tmp.arg1;; + }; - return GAA_OK; - break; + return GAA_OK; + break; #line 413 "gaa.skel" - default: break; + default: + break; } return GAA_ERROR_UNKNOWN; } -int gaa(int argc, char **argv, gaainfo *gaaval) +int gaa(int argc, char **argv, gaainfo * gaaval) { int tmp1, tmp2; int i, j; @@ -1081,23 +1152,49 @@ int gaa(int argc, char **argv, gaainfo *gaaval) GAAargv = argv; GAAargc = argc; - opt_list = (char*) gaa_malloc(GAA_NB_OPTION + 1); + opt_list = (char *) gaa_malloc(GAA_NB_OPTION + 1); - for(i = 0; i < GAA_NB_OPTION + 1; i++) - opt_list[i] = 0; + for (i = 0; i < GAA_NB_OPTION + 1; i++) + opt_list[i] = 0; /* initialization */ - if(inited == 0) - { + if (inited == 0) { #line 114 "cli.gaa" -{ gaaval->resume=0; gaaval->port=443; gaaval->rest_args=NULL; gaaval->ciphers=NULL; - gaaval->kx=NULL; gaaval->comp=NULL; gaaval->macs=NULL; gaaval->ctype=NULL; gaaval->nciphers=0; - gaaval->nkx=0; gaaval->ncomp=0; gaaval->nmacs=0; gaaval->nctype = 0; gaaval->record_size=0; - gaaval->fingerprint=0; gaaval->pgp_trustdb=NULL; gaaval->pgp_keyring=NULL; gaaval->x509_crlfile = NULL; - gaaval->x509_cafile = NULL; gaaval->pgp_keyfile=NULL; gaaval->pgp_certfile=NULL; gaaval->disable_extensions = 0; - gaaval->x509_keyfile=NULL; gaaval->x509_certfile=NULL; gaaval->crlf = 0; gaaval->xml = 0; - gaaval->srp_username=NULL; gaaval->srp_passwd=NULL; gaaval->fmtder = 0; gaaval->starttls =0; - gaaval->debug = 0; gaaval->print_cert = 0; gaaval->verbose = 0; ;}; + { + gaaval->resume = 0; + gaaval->port = 443; + gaaval->rest_args = NULL; + gaaval->ciphers = NULL; + gaaval->kx = NULL; + gaaval->comp = NULL; + gaaval->macs = NULL; + gaaval->ctype = NULL; + gaaval->nciphers = 0; + gaaval->nkx = 0; + gaaval->ncomp = 0; + gaaval->nmacs = 0; + gaaval->nctype = 0; + gaaval->record_size = 0; + gaaval->fingerprint = 0; + gaaval->pgp_trustdb = NULL; + gaaval->pgp_keyring = NULL; + gaaval->x509_crlfile = NULL; + gaaval->x509_cafile = NULL; + gaaval->pgp_keyfile = NULL; + gaaval->pgp_certfile = NULL; + gaaval->disable_extensions = 0; + gaaval->x509_keyfile = NULL; + gaaval->x509_certfile = NULL; + gaaval->crlf = 0; + gaaval->xml = 0; + gaaval->srp_username = NULL; + gaaval->srp_passwd = NULL; + gaaval->fmtder = 0; + gaaval->starttls = 0; + gaaval->debug = 0; + gaaval->print_cert = 0; + gaaval->verbose = 0;; + }; } inited = 1; @@ -1105,186 +1202,173 @@ int gaa(int argc, char **argv, gaainfo *gaaval) gaa_arg_used = NULL; if (argc > 0) { - gaa_arg_used = gaa_malloc(argc * sizeof(char)); + gaa_arg_used = gaa_malloc(argc * sizeof(char)); } - for(i = 1; i < argc; i++) - gaa_arg_used[i] = 0; - for(i = 1; i < argc; i++) - { - if(gaa_arg_used[i] == 0) - { - j = 0; - tmp1 = gaa_is_an_argument(GAAargv[i]); - switch(tmp1) - { - case GAA_WORD_OPTION: - j++; - case GAA_LETTER_OPTION: - j++; - tmp2 = gaa_get_option_num(argv[i]+j, tmp1); - if(tmp2 == GAA_ERROR_NOMATCH) - { - printf("Invalid option '%s'\n", argv[i]+j); - return 0; - } - switch(gaa_try(tmp2, i+1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("'%s': not enough arguments\n",gaa_current_option); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } - gaa_arg_used[i] = 1; - break; - case GAA_MULTIPLE_OPTION: - for(j = 1; j < strlen(argv[i]); j++) - { - tmp2 = gaa_get_option_num(argv[i]+j, tmp1); - if(tmp2 == GAA_ERROR_NOMATCH) - { - printf("Invalid option '%c'\n", *(argv[i]+j)); - return 0; - } - switch(gaa_try(tmp2, i+1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("'%s': not enough arguments\n",gaa_current_option); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } - } - gaa_arg_used[i] = 1; - break; - default: break; - } - } + for (i = 1; i < argc; i++) + gaa_arg_used[i] = 0; + for (i = 1; i < argc; i++) { + if (gaa_arg_used[i] == 0) { + j = 0; + tmp1 = gaa_is_an_argument(GAAargv[i]); + switch (tmp1) { + case GAA_WORD_OPTION: + j++; + case GAA_LETTER_OPTION: + j++; + tmp2 = gaa_get_option_num(argv[i] + j, tmp1); + if (tmp2 == GAA_ERROR_NOMATCH) { + printf("Invalid option '%s'\n", argv[i] + j); + return 0; + } + switch (gaa_try(tmp2, i + 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("'%s': not enough arguments\n", + gaa_current_option); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } + gaa_arg_used[i] = 1; + break; + case GAA_MULTIPLE_OPTION: + for (j = 1; j < strlen(argv[i]); j++) { + tmp2 = gaa_get_option_num(argv[i] + j, tmp1); + if (tmp2 == GAA_ERROR_NOMATCH) { + printf("Invalid option '%c'\n", *(argv[i] + j)); + return 0; + } + switch (gaa_try(tmp2, i + 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("'%s': not enough arguments\n", + gaa_current_option); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } + } + gaa_arg_used[i] = 1; + break; + default: + break; + } + } } -if(gaa_processing_file == 0) -{ + if (gaa_processing_file == 0) { #line 507 "gaa.skel" #ifdef GAA_REST_EXISTS - switch(gaa_try(GAA_REST, 1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("Rest: not enough arguments\n"); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } + switch (gaa_try(GAA_REST, 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("Rest: not enough arguments\n"); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } #endif -} - for(i = 1; i < argc; i++) - { - if(gaa_arg_used[i] == 0) - { - printf("Too many arguments\n"); - return 0; - } + } + for (i = 1; i < argc; i++) { + if (gaa_arg_used[i] == 0) { + printf("Too many arguments\n"); + return 0; + } } free(gaa_arg_used); free(opt_list); return -1; } -struct gaastrnode -{ +struct gaastrnode { char *str; struct gaastrnode *next; }; typedef struct gaastrnode gaa_str_node; -static int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc) +static int gaa_internal_get_next_str(FILE * file, gaa_str_node * tmp_str, + int argc) { int pos_ini; int a; int i = 0, len = 0, newline = 0; - if(argc == 1) { - newline = 1; - len = 2; + if (argc == 1) { + newline = 1; + len = 2; } - - a = fgetc( file); - if (a == EOF) return 0; - - while(a == ' ' || a == 9 || a == '\n') - { - if(a == '\n') - { - newline=1; - len = 2; - } - a = fgetc( file); - if (a == EOF) return 0; + + a = fgetc(file); + if (a == EOF) + return 0; + + while (a == ' ' || a == 9 || a == '\n') { + if (a == '\n') { + newline = 1; + len = 2; + } + a = fgetc(file); + if (a == EOF) + return 0; } pos_ini = ftell(file) - 1; - while(a != ' ' && a != 9 && a != '\n') - { + while (a != ' ' && a != 9 && a != '\n') { - len++; - a = fgetc( file); - if(a==EOF) return 0; //a = ' '; + len++; + a = fgetc(file); + if (a == EOF) + return 0; //a = ' '; } len += 1; tmp_str->str = gaa_malloc((len) * sizeof(char)); - if(newline == 1) - { - tmp_str->str[0] = '-'; - tmp_str->str[1] = '-'; - i = 2; - } - else - { - i = 0; + if (newline == 1) { + tmp_str->str[0] = '-'; + tmp_str->str[1] = '-'; + i = 2; + } else { + i = 0; } - fseek(file,pos_ini, SEEK_SET); - do - { - a = fgetc( file); - - if (a == EOF) { - i+=2; - break; - } - tmp_str->str[i] = a; - i++; + fseek(file, pos_ini, SEEK_SET); + do { + a = fgetc(file); + + if (a == EOF) { + i += 2; + break; + } + tmp_str->str[i] = a; + i++; } - while(a != ' ' && a != 9 && a != '\n' && i < len); + while (a != ' ' && a != 9 && a != '\n' && i < len); tmp_str->str[i - 1] = 0; - fseek(file,- 1, SEEK_CUR); + fseek(file, -1, SEEK_CUR); /* printf("%d\n", ftell(file)); */ - + return -1; } -int gaa_file(const char *name, gaainfo *gaaval) +int gaa_file(const char *name, gaainfo * gaaval) { gaa_str_node *first_str, **tmp_str, *tmp_str2; int rval, i; @@ -1293,38 +1377,36 @@ int gaa_file(const char *name, gaainfo *gaaval) FILE *file; gaa_processing_file = 1; - - if((file = fopen(name, "r")) == NULL) - { - printf("Couldn't open '%s' configuration file for reading\n", name); - return 1; + + if ((file = fopen(name, "r")) == NULL) { + printf("Couldn't open '%s' configuration file for reading\n", + name); + return 1; } - + tmp_str = &first_str; - do - { - argc++; - *tmp_str = gaa_malloc(sizeof(gaa_str_node)); + do { + argc++; + *tmp_str = gaa_malloc(sizeof(gaa_str_node)); - (*tmp_str)->str = NULL; - (*tmp_str)->next = NULL; + (*tmp_str)->str = NULL; + (*tmp_str)->next = NULL; - rval = gaa_internal_get_next_str(file, *tmp_str, argc); - tmp_str = &((*tmp_str)->next); + rval = gaa_internal_get_next_str(file, *tmp_str, argc); + tmp_str = &((*tmp_str)->next); } - while(rval == -1); - - if(rval == 1) - return 0; - - argv = gaa_malloc((1 + argc) * sizeof(char*)); + while (rval == -1); + + if (rval == 1) + return 0; + + argv = gaa_malloc((1 + argc) * sizeof(char *)); tmp_str2 = first_str; argv[0] = "cfg"; - for(i = 1; i < argc; i++) - { - argv[i] = tmp_str2->str; - tmp_str2 = tmp_str2->next; + for (i = 1; i < argc; i++) { + argv[i] = tmp_str2->str; + tmp_str2 = tmp_str2->next; } rval = gaa(argc, argv, gaaval); @@ -86,14 +86,14 @@ int protocol_priority[PRI_MAX] = { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; int kx_priority[PRI_MAX] = { GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, - GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP, - /* Do not use anonymous authentication, unless you know what that means */ - GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_ANON_DH, 0 + GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP, + /* Do not use anonymous authentication, unless you know what that means */ + GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_ANON_DH, 0 }; int cipher_priority[PRI_MAX] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_CIPHER_ARCFOUR_40, 0 + GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_CIPHER_ARCFOUR_40, 0 }; int comp_priority[PRI_MAX] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; int mac_priority[PRI_MAX] = @@ -105,10 +105,10 @@ int cert_type_priority[PRI_MAX] = /* prototypes */ typedef struct { - int fd; - gnutls_session session; - int secure; - const char *hostname; + int fd; + gnutls_session session; + int secure; + const char *hostname; } socket_st; ssize_t socket_recv(socket_st socket, void *buffer, int buffer_size); @@ -128,31 +128,31 @@ static void init_global_tls_stuff(void); */ static gnutls_datum mmap_file(const char *file) { - int fd; - gnutls_datum mmaped_file = { NULL, 0 }; - struct stat stat_st; - void *ptr; + int fd; + gnutls_datum mmaped_file = { NULL, 0 }; + struct stat stat_st; + void *ptr; - fd = open(file, 0); - if (fd == -1) - return mmaped_file; + fd = open(file, 0); + if (fd == -1) + return mmaped_file; - fstat(fd, &stat_st); + fstat(fd, &stat_st); - if ((ptr = - mmap(NULL, stat_st.st_size, PROT_READ, MAP_SHARED, fd, - 0)) == MAP_FAILED) - return mmaped_file; + if ((ptr = + mmap(NULL, stat_st.st_size, PROT_READ, MAP_SHARED, fd, + 0)) == MAP_FAILED) + return mmaped_file; - mmaped_file.data = ptr; - mmaped_file.size = stat_st.st_size; + mmaped_file.data = ptr; + mmaped_file.size = stat_st.st_size; - return mmaped_file; + return mmaped_file; } static void munmap_file(gnutls_datum data) { - munmap(data.data, data.size); + munmap(data.data, data.size); } static gnutls_x509_crt x509_crt = NULL; @@ -165,92 +165,88 @@ static gnutls_openpgp_privkey pgp_key = NULL; */ static void load_keys(void) { - int ret; - gnutls_datum data; - - if (x509_certfile != NULL && x509_keyfile != NULL) { - data = mmap_file(x509_certfile); - if (data.data == NULL) { - fprintf(stderr, "*** Error loading cert file.\n"); - exit(1); - } - gnutls_x509_crt_init(&x509_crt); - - ret = - gnutls_x509_crt_import(x509_crt, &data, - GNUTLS_X509_FMT_PEM); - if (ret < 0) { - fprintf(stderr, - "*** Error loading cert file: %s\n", - gnutls_strerror(ret)); - exit(1); - } - - munmap_file(data); + int ret; + gnutls_datum data; + + if (x509_certfile != NULL && x509_keyfile != NULL) { + data = mmap_file(x509_certfile); + if (data.data == NULL) { + fprintf(stderr, "*** Error loading cert file.\n"); + exit(1); + } + gnutls_x509_crt_init(&x509_crt); + + ret = gnutls_x509_crt_import(x509_crt, &data, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fprintf(stderr, + "*** Error loading cert file: %s\n", + gnutls_strerror(ret)); + exit(1); + } - data = mmap_file(x509_keyfile); - if (data.data == NULL) { - fprintf(stderr, "*** Error loading key file.\n"); - exit(1); - } + munmap_file(data); - gnutls_x509_privkey_init(&x509_key); + data = mmap_file(x509_keyfile); + if (data.data == NULL) { + fprintf(stderr, "*** Error loading key file.\n"); + exit(1); + } - ret = - gnutls_x509_privkey_import(x509_key, &data, - GNUTLS_X509_FMT_PEM); - if (ret < 0) { - fprintf(stderr, "*** Error loading key file: %s\n", - gnutls_strerror(ret)); - exit(1); - } + gnutls_x509_privkey_init(&x509_key); - munmap_file(data); + ret = + gnutls_x509_privkey_import(x509_key, &data, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fprintf(stderr, "*** Error loading key file: %s\n", + gnutls_strerror(ret)); + exit(1); } -#ifdef USE_OPENPGP - if (pgp_certfile != NULL && pgp_keyfile != NULL) { - data = mmap_file(pgp_certfile); - if (data.data == NULL) { - fprintf(stderr, - "*** Error loading PGP cert file.\n"); - exit(1); - } - gnutls_openpgp_key_init(&pgp_crt); - - ret = - gnutls_openpgp_key_import(pgp_crt, &data, - GNUTLS_OPENPGP_FMT_BASE64); - if (ret < 0) { - fprintf(stderr, - "*** Error loading PGP cert file: %s\n", - gnutls_strerror(ret)); - exit(1); - } - munmap_file(data); + munmap_file(data); + } +#ifdef USE_OPENPGP + if (pgp_certfile != NULL && pgp_keyfile != NULL) { + data = mmap_file(pgp_certfile); + if (data.data == NULL) { + fprintf(stderr, "*** Error loading PGP cert file.\n"); + exit(1); + } + gnutls_openpgp_key_init(&pgp_crt); + + ret = + gnutls_openpgp_key_import(pgp_crt, &data, + GNUTLS_OPENPGP_FMT_BASE64); + if (ret < 0) { + fprintf(stderr, + "*** Error loading PGP cert file: %s\n", + gnutls_strerror(ret)); + exit(1); + } - data = mmap_file(x509_keyfile); - if (data.data == NULL) { - fprintf(stderr, - "*** Error loading PGP key file.\n"); - exit(1); - } + munmap_file(data); - gnutls_openpgp_privkey_init(&pgp_key); - - ret = - gnutls_openpgp_privkey_import(pgp_key, &data, - GNUTLS_OPENPGP_FMT_BASE64, - NULL, 0); - if (ret < 0) { - fprintf(stderr, - "*** Error loading PGP key file: %s\n", - gnutls_strerror(ret)); - exit(1); - } + data = mmap_file(x509_keyfile); + if (data.data == NULL) { + fprintf(stderr, "*** Error loading PGP key file.\n"); + exit(1); + } - munmap_file(data); + gnutls_openpgp_privkey_init(&pgp_key); + + ret = + gnutls_openpgp_privkey_import(pgp_key, &data, + GNUTLS_OPENPGP_FMT_BASE64, + NULL, 0); + if (ret < 0) { + fprintf(stderr, + "*** Error loading PGP key file: %s\n", + gnutls_strerror(ret)); + exit(1); } + + munmap_file(data); + } #endif } @@ -267,67 +263,65 @@ static int cert_callback(gnutls_session session, const gnutls_pk_algorithm * sign_algos, int sign_algos_length, gnutls_retr_st * st) { - char issuer_dn[256]; - int i, ret; - size_t len; - gnutls_certificate_type type; - - if (verbose) { - - /* Print the server's trusted CAs - */ - if (nreqs > 0) - printf("- Server's trusted authorities:\n"); - else - printf - ("- Server did not send us any trusted authorities names.\n"); - - /* print the names (if any) */ - for (i = 0; i < nreqs; i++) { - len = sizeof(issuer_dn); - ret = - gnutls_x509_rdn_get(&req_ca_rdn[i], issuer_dn, - &len); - if (ret >= 0) { - printf(" [%d]: ", i); - printf("%s\n", issuer_dn); - } - } - } + char issuer_dn[256]; + int i, ret; + size_t len; + gnutls_certificate_type type; - /* Select a certificate and return it. - * The certificate must be of any of the "sign algorithms" - * supported by the server. + if (verbose) { + + /* Print the server's trusted CAs */ - st->type = type; - st->ncerts = 0; + if (nreqs > 0) + printf("- Server's trusted authorities:\n"); + else + printf + ("- Server did not send us any trusted authorities names.\n"); + + /* print the names (if any) */ + for (i = 0; i < nreqs; i++) { + len = sizeof(issuer_dn); + ret = gnutls_x509_rdn_get(&req_ca_rdn[i], issuer_dn, &len); + if (ret >= 0) { + printf(" [%d]: ", i); + printf("%s\n", issuer_dn); + } + } + } - type = gnutls_certificate_type_get(session); - if (type == GNUTLS_CRT_X509) { - if (x509_crt != NULL && x509_key != NULL) { - st->ncerts = 1; + /* Select a certificate and return it. + * The certificate must be of any of the "sign algorithms" + * supported by the server. + */ + st->type = type; + st->ncerts = 0; - st->cert.x509 = &x509_crt; - st->key.x509 = x509_key; + type = gnutls_certificate_type_get(session); + if (type == GNUTLS_CRT_X509) { + if (x509_crt != NULL && x509_key != NULL) { + st->ncerts = 1; - st->deinit_all = 0; + st->cert.x509 = &x509_crt; + st->key.x509 = x509_key; - return 0; - } - } else if (type == GNUTLS_CRT_OPENPGP) { - if (pgp_key != NULL && pgp_crt != NULL) { - st->ncerts = 1; + st->deinit_all = 0; - st->cert.pgp = pgp_crt; - st->key.pgp = pgp_key; + return 0; + } + } else if (type == GNUTLS_CRT_OPENPGP) { + if (pgp_key != NULL && pgp_crt != NULL) { + st->ncerts = 1; - st->deinit_all = 0; + st->cert.pgp = pgp_crt; + st->key.pgp = pgp_key; - return 0; - } + st->deinit_all = 0; + + return 0; } + } - return 0; + return 0; } @@ -337,55 +331,50 @@ static int cert_callback(gnutls_session session, */ static gnutls_session init_tls_session(const char *hostname) { - gnutls_session session; - - gnutls_init(&session, GNUTLS_CLIENT); - - /* allow the use of private ciphersuites. - */ - if (disable_extensions == 0) { - gnutls_handshake_set_private_extensions(session, 1); - gnutls_server_name_set(session, GNUTLS_NAME_DNS, hostname, - strlen(hostname)); - gnutls_certificate_type_set_priority(session, - cert_type_priority); + gnutls_session session; + + gnutls_init(&session, GNUTLS_CLIENT); + + /* allow the use of private ciphersuites. + */ + if (disable_extensions == 0) { + gnutls_handshake_set_private_extensions(session, 1); + gnutls_server_name_set(session, GNUTLS_NAME_DNS, hostname, + strlen(hostname)); + gnutls_certificate_type_set_priority(session, cert_type_priority); + } + + gnutls_cipher_set_priority(session, cipher_priority); + gnutls_compression_set_priority(session, comp_priority); + gnutls_kx_set_priority(session, kx_priority); + gnutls_protocol_set_priority(session, protocol_priority); + gnutls_mac_set_priority(session, mac_priority); + + + gnutls_dh_set_prime_bits(session, 512); + + gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred); + gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + gnutls_certificate_client_set_retrieve_function(xcred, cert_callback); + + /* send the fingerprint */ + if (fingerprint != 0) + gnutls_openpgp_send_key(session, GNUTLS_OPENPGP_KEY_FINGERPRINT); + + /* use the max record size extension */ + if (record_max_size > 0 && disable_extensions == 0) { + if (gnutls_record_set_max_size(session, record_max_size) < 0) { + fprintf(stderr, + "Cannot set the maximum record size to %d.\n", + record_max_size); + fprintf(stderr, "Possible values: 512, 1024, 2048, 4096.\n"); + exit(1); } + } - gnutls_cipher_set_priority(session, cipher_priority); - gnutls_compression_set_priority(session, comp_priority); - gnutls_kx_set_priority(session, kx_priority); - gnutls_protocol_set_priority(session, protocol_priority); - gnutls_mac_set_priority(session, mac_priority); - - - gnutls_dh_set_prime_bits(session, 512); - - gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred); - gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - gnutls_certificate_client_set_retrieve_function(xcred, - cert_callback); - - /* send the fingerprint */ - if (fingerprint != 0) - gnutls_openpgp_send_key(session, - GNUTLS_OPENPGP_KEY_FINGERPRINT); - - /* use the max record size extension */ - if (record_max_size > 0 && disable_extensions == 0) { - if (gnutls_record_set_max_size(session, record_max_size) < - 0) { - fprintf(stderr, - "Cannot set the maximum record size to %d.\n", - record_max_size); - fprintf(stderr, - "Possible values: 512, 1024, 2048, 4096.\n"); - exit(1); - } - } - - return session; + return session; } static void gaa_parser(int argc, char **argv); @@ -394,361 +383,353 @@ static void gaa_parser(int argc, char **argv); */ static int handle_error(socket_st hd, int err) { - int alert, ret; - const char *err_type, *str; - - if (err >= 0) - return 0; + int alert, ret; + const char *err_type, *str; - if (gnutls_error_is_fatal(err) == 0) { - ret = 0; - err_type = "Non fatal"; - } else { - ret = err; - err_type = "Fatal"; - } + if (err >= 0) + return 0; - str = gnutls_strerror(err); + if (gnutls_error_is_fatal(err) == 0) { + ret = 0; + err_type = "Non fatal"; + } else { + ret = err; + err_type = "Fatal"; + } + + str = gnutls_strerror(err); + if (str == NULL) + str = str_unknown; + fprintf(stderr, "*** %s error: %s\n", err_type, str); + + if (err == GNUTLS_E_WARNING_ALERT_RECEIVED + || err == GNUTLS_E_FATAL_ALERT_RECEIVED) { + alert = gnutls_alert_get(hd.session); + str = gnutls_alert_get_name(alert); if (str == NULL) - str = str_unknown; - fprintf(stderr, "*** %s error: %s\n", err_type, str); - - if (err == GNUTLS_E_WARNING_ALERT_RECEIVED - || err == GNUTLS_E_FATAL_ALERT_RECEIVED) { - alert = gnutls_alert_get(hd.session); - str = gnutls_alert_get_name(alert); - if (str == NULL) - str = str_unknown; - printf("*** Received alert [%d]: %s\n", alert, str); - - /* In SRP if the alert is MISSING_SRP_USERNAME, - * we should read the username/password and - * call gnutls_handshake(). This is not implemented - * here. - */ - } + str = str_unknown; + printf("*** Received alert [%d]: %s\n", alert, str); + + /* In SRP if the alert is MISSING_SRP_USERNAME, + * we should read the username/password and + * call gnutls_handshake(). This is not implemented + * here. + */ + } - check_rehandshake(hd, ret); + check_rehandshake(hd, ret); - return ret; + return ret; } int starttls_alarmed = 0; void starttls_alarm(int signum) { - starttls_alarmed = 1; + starttls_alarmed = 1; } int main(int argc, char **argv) { - int err, ret; - int sd, ii, i; - struct sockaddr_in sa; - char buffer[MAX_BUF + 1]; - char *session_data = NULL; - char *session_id = NULL; - int session_data_size; - int session_id_size; - fd_set rset; - int maxfd; - struct timeval tv; - int user_term = 0; - struct hostent *server_host; - socket_st hd; - - gaa_parser(argc, argv); - if (hostname == NULL) { - fprintf(stderr, "No hostname given\n"); - exit(1); - } - - sockets_init(); + int err, ret; + int sd, ii, i; + struct sockaddr_in sa; + char buffer[MAX_BUF + 1]; + char *session_data = NULL; + char *session_id = NULL; + int session_data_size; + int session_id_size; + fd_set rset; + int maxfd; + struct timeval tv; + int user_term = 0; + struct hostent *server_host; + socket_st hd; + + gaa_parser(argc, argv); + if (hostname == NULL) { + fprintf(stderr, "No hostname given\n"); + exit(1); + } + + sockets_init(); #ifndef _WIN32 - signal(SIGPIPE, SIG_IGN); + signal(SIGPIPE, SIG_IGN); #endif - init_global_tls_stuff(); + init_global_tls_stuff(); - printf("Resolving '%s'...\n", hostname); - /* get server name */ - server_host = gethostbyname(hostname); - if (server_host == NULL) { - fprintf(stderr, "Cannot resolve %s\n", hostname); - exit(1); - } + printf("Resolving '%s'...\n", hostname); + /* get server name */ + server_host = gethostbyname(hostname); + if (server_host == NULL) { + fprintf(stderr, "Cannot resolve %s\n", hostname); + exit(1); + } - sd = socket(AF_INET, SOCK_STREAM, 0); - ERR(sd, "socket"); + sd = socket(AF_INET, SOCK_STREAM, 0); + ERR(sd, "socket"); - memset(&sa, '\0', sizeof(sa)); - sa.sin_family = AF_INET; - sa.sin_port = htons(port); + memset(&sa, '\0', sizeof(sa)); + sa.sin_family = AF_INET; + sa.sin_port = htons(port); - sa.sin_addr.s_addr = *((unsigned int *) server_host->h_addr); + sa.sin_addr.s_addr = *((unsigned int *) server_host->h_addr); - if (inet_ntop(AF_INET, &sa.sin_addr, buffer, MAX_BUF) == NULL) { - perror("inet_ntop()"); - return (1); - } - fprintf(stderr, "Connecting to '%s:%d'...\n", buffer, port); + if (inet_ntop(AF_INET, &sa.sin_addr, buffer, MAX_BUF) == NULL) { + perror("inet_ntop()"); + return (1); + } + fprintf(stderr, "Connecting to '%s:%d'...\n", buffer, port); - err = connect(sd, (SA *) & sa, sizeof(sa)); - ERR(err, "connect"); + err = connect(sd, (SA *) & sa, sizeof(sa)); + ERR(err, "connect"); - hd.secure = 0; - hd.fd = sd; - hd.hostname = hostname; + hd.secure = 0; + hd.fd = sd; + hd.hostname = hostname; - hd.session = init_tls_session(hostname); - if (starttls) - goto after_handshake; + hd.session = init_tls_session(hostname); + if (starttls) + goto after_handshake; - for (i = 0; i < 2; i++) { + for (i = 0; i < 2; i++) { - if (i == 1) { - hd.session = init_tls_session(hostname); - gnutls_session_set_data(hd.session, session_data, - session_data_size); - free(session_data); - } + if (i == 1) { + hd.session = init_tls_session(hostname); + gnutls_session_set_data(hd.session, session_data, + session_data_size); + free(session_data); + } - ret = do_handshake(&hd); + ret = do_handshake(&hd); - if (ret < 0) { - fprintf(stderr, "*** Handshake has failed\n"); - gnutls_perror(ret); - gnutls_deinit(hd.session); - return 1; - } else { - printf("- Handshake was completed\n"); - if (gnutls_session_is_resumed(hd.session) != 0) - printf("*** This is a resumed session\n"); - } + if (ret < 0) { + fprintf(stderr, "*** Handshake has failed\n"); + gnutls_perror(ret); + gnutls_deinit(hd.session); + return 1; + } else { + printf("- Handshake was completed\n"); + if (gnutls_session_is_resumed(hd.session) != 0) + printf("*** This is a resumed session\n"); + } - if (resume != 0 && i == 0) { + if (resume != 0 && i == 0) { - gnutls_session_get_data(hd.session, NULL, - &session_data_size); - session_data = malloc(session_data_size); + gnutls_session_get_data(hd.session, NULL, &session_data_size); + session_data = malloc(session_data_size); - gnutls_session_get_data(hd.session, session_data, - &session_data_size); + gnutls_session_get_data(hd.session, session_data, + &session_data_size); - gnutls_session_get_id(hd.session, NULL, - &session_id_size); - session_id = malloc(session_id_size); - gnutls_session_get_id(hd.session, session_id, - &session_id_size); + gnutls_session_get_id(hd.session, NULL, &session_id_size); + session_id = malloc(session_id_size); + gnutls_session_get_id(hd.session, session_id, + &session_id_size); - /* print some information */ - print_info(hd.session, hostname); + /* print some information */ + print_info(hd.session, hostname); - printf("- Disconnecting\n"); - socket_bye(&hd); + printf("- Disconnecting\n"); + socket_bye(&hd); - printf - ("\n\n- Connecting again- trying to resume previous session\n"); - sd = socket(AF_INET, SOCK_STREAM, 0); - ERR(sd, "socket"); + printf + ("\n\n- Connecting again- trying to resume previous session\n"); + sd = socket(AF_INET, SOCK_STREAM, 0); + ERR(sd, "socket"); - err = connect(sd, (SA *) & sa, sizeof(sa)); - ERR(err, "connect"); + err = connect(sd, (SA *) & sa, sizeof(sa)); + ERR(err, "connect"); - hd.fd = sd; - hd.secure = 0; - } else { - break; - } + hd.fd = sd; + hd.secure = 0; + } else { + break; } + } - after_handshake: + after_handshake: - printf("\n- Simple Client Mode:\n\n"); + printf("\n- Simple Client Mode:\n\n"); #ifndef _WIN32 - signal(SIGALRM, &starttls_alarm); + signal(SIGALRM, &starttls_alarm); #endif - /* do not buffer */ - setbuf(stdin, NULL); - setbuf(stdout, NULL); - setbuf(stderr, NULL); - - for (;;) { - FD_ZERO(&rset); - FD_SET(fileno(stdin), &rset); - FD_SET(sd, &rset); - - maxfd = MAX(fileno(stdin), sd); - tv.tv_sec = 3; - tv.tv_usec = 0; - err = select(maxfd + 1, &rset, NULL, NULL, &tv); - - if (err < 0) { - if (errno == EINTR && starttls_alarmed) { - if (hd.secure == 0) { - fprintf(stderr, - "*** Starting TLS handshake\n"); - ret = do_handshake(&hd); - if (ret < 0) { - fprintf(stderr, - "*** Handshake has failed\n"); - socket_bye(&hd); - user_term = 1; - } - } else { - user_term = 1; - } - } - continue; + /* do not buffer */ + setbuf(stdin, NULL); + setbuf(stdout, NULL); + setbuf(stderr, NULL); + + for (;;) { + FD_ZERO(&rset); + FD_SET(fileno(stdin), &rset); + FD_SET(sd, &rset); + + maxfd = MAX(fileno(stdin), sd); + tv.tv_sec = 3; + tv.tv_usec = 0; + err = select(maxfd + 1, &rset, NULL, NULL, &tv); + + if (err < 0) { + if (errno == EINTR && starttls_alarmed) { + if (hd.secure == 0) { + fprintf(stderr, "*** Starting TLS handshake\n"); + ret = do_handshake(&hd); + if (ret < 0) { + fprintf(stderr, "*** Handshake has failed\n"); + socket_bye(&hd); + user_term = 1; + } + } else { + user_term = 1; } + } + continue; + } - if (FD_ISSET(sd, &rset)) { - memset(buffer, 0, MAX_BUF + 1); - ret = socket_recv(hd, buffer, MAX_BUF); - - if (ret == 0) { - printf - ("- Peer has closed the GNUTLS connection\n"); - break; - } else if (handle_error(hd, ret) < 0 - && user_term == 0) { - fprintf(stderr, - "*** Server has terminated the connection abnormally.\n"); - break; - } else if (ret > 0) { - if (verbose != 0) - printf("- Received[%d]: ", ret); - for (ii = 0; ii < ret; ii++) { - fputc(buffer[ii], stdout); - } - fflush(stdout); - } - - if (user_term != 0) - break; + if (FD_ISSET(sd, &rset)) { + memset(buffer, 0, MAX_BUF + 1); + ret = socket_recv(hd, buffer, MAX_BUF); + + if (ret == 0) { + printf("- Peer has closed the GNUTLS connection\n"); + break; + } else if (handle_error(hd, ret) < 0 && user_term == 0) { + fprintf(stderr, + "*** Server has terminated the connection abnormally.\n"); + break; + } else if (ret > 0) { + if (verbose != 0) + printf("- Received[%d]: ", ret); + for (ii = 0; ii < ret; ii++) { + fputc(buffer[ii], stdout); } + fflush(stdout); + } - if (FD_ISSET(fileno(stdin), &rset)) { - if (fgets(buffer, MAX_BUF, stdin) == NULL) { - if (hd.secure == 0) { - fprintf(stderr, - "*** Starting TLS handshake\n"); - ret = do_handshake(&hd); - if (ret < 0) { - fprintf(stderr, - "*** Handshake has failed\n"); - socket_bye(&hd); - user_term = 1; - } - } else { - user_term = 1; - } - continue; - } - - if (crlf != 0) { - char *b = strchr(buffer, '\n'); - if (b != NULL) - strcpy(b, "\r\n"); - } - - ret = socket_send(hd, buffer, strlen(buffer)); - - if (ret > 0) { - if (verbose != 0) - printf("- Sent: %d bytes\n", ret); - } else - handle_error(hd, ret); + if (user_term != 0) + break; + } + if (FD_ISSET(fileno(stdin), &rset)) { + if (fgets(buffer, MAX_BUF, stdin) == NULL) { + if (hd.secure == 0) { + fprintf(stderr, "*** Starting TLS handshake\n"); + ret = do_handshake(&hd); + if (ret < 0) { + fprintf(stderr, "*** Handshake has failed\n"); + socket_bye(&hd); + user_term = 1; + } + } else { + user_term = 1; } + continue; + } + + if (crlf != 0) { + char *b = strchr(buffer, '\n'); + if (b != NULL) + strcpy(b, "\r\n"); + } + + ret = socket_send(hd, buffer, strlen(buffer)); + + if (ret > 0) { + if (verbose != 0) + printf("- Sent: %d bytes\n", ret); + } else + handle_error(hd, ret); + } + } - if (user_term != 0) - socket_bye(&hd); + if (user_term != 0) + socket_bye(&hd); #ifdef ENABLE_SRP - gnutls_srp_free_client_credentials(srp_cred); + gnutls_srp_free_client_credentials(srp_cred); #endif - gnutls_certificate_free_credentials(xcred); + gnutls_certificate_free_credentials(xcred); #ifdef ENABLE_ANON - gnutls_anon_free_client_credentials(anon_cred); + gnutls_anon_free_client_credentials(anon_cred); #endif - gnutls_global_deinit(); + gnutls_global_deinit(); - return 0; + return 0; } static gaainfo info; void gaa_parser(int argc, char **argv) { - if (gaa(argc, argv, &info) != -1) { - fprintf(stderr, - "Error in the arguments. Use the --help or -h parameters to get more information.\n"); - exit(1); - } - - debug = info.debug; - verbose = info.verbose; - disable_extensions = info.disable_extensions; - xml = info.xml; - print_cert = info.print_cert; - starttls = info.starttls; - resume = info.resume; - port = info.port; - record_max_size = info.record_size; - fingerprint = info.fingerprint; - - if (info.fmtder == 0) - x509ctype = GNUTLS_X509_FMT_PEM; - else - x509ctype = GNUTLS_X509_FMT_DER; - - srp_username = info.srp_username; - srp_passwd = info.srp_passwd; - x509_cafile = info.x509_cafile; - x509_crlfile = info.x509_crlfile; - x509_keyfile = info.x509_keyfile; - x509_certfile = info.x509_certfile; - pgp_keyfile = info.pgp_keyfile; - pgp_certfile = info.pgp_certfile; - - pgp_keyring = info.pgp_keyring; - pgp_trustdb = info.pgp_trustdb; - - crlf = info.crlf; - - if (info.rest_args == NULL) - hostname = "localhost"; - else - hostname = info.rest_args; - - parse_protocols(info.proto, info.nproto, protocol_priority); - parse_ciphers(info.ciphers, info.nciphers, cipher_priority); - parse_macs(info.macs, info.nmacs, mac_priority); - parse_ctypes(info.ctype, info.nctype, cert_type_priority); - parse_kx(info.kx, info.nkx, kx_priority); - parse_comp(info.comp, info.ncomp, comp_priority); + if (gaa(argc, argv, &info) != -1) { + fprintf(stderr, + "Error in the arguments. Use the --help or -h parameters to get more information.\n"); + exit(1); + } + + debug = info.debug; + verbose = info.verbose; + disable_extensions = info.disable_extensions; + xml = info.xml; + print_cert = info.print_cert; + starttls = info.starttls; + resume = info.resume; + port = info.port; + record_max_size = info.record_size; + fingerprint = info.fingerprint; + + if (info.fmtder == 0) + x509ctype = GNUTLS_X509_FMT_PEM; + else + x509ctype = GNUTLS_X509_FMT_DER; + + srp_username = info.srp_username; + srp_passwd = info.srp_passwd; + x509_cafile = info.x509_cafile; + x509_crlfile = info.x509_crlfile; + x509_keyfile = info.x509_keyfile; + x509_certfile = info.x509_certfile; + pgp_keyfile = info.pgp_keyfile; + pgp_certfile = info.pgp_certfile; + + pgp_keyring = info.pgp_keyring; + pgp_trustdb = info.pgp_trustdb; + + crlf = info.crlf; + + if (info.rest_args == NULL) + hostname = "localhost"; + else + hostname = info.rest_args; + + parse_protocols(info.proto, info.nproto, protocol_priority); + parse_ciphers(info.ciphers, info.nciphers, cipher_priority); + parse_macs(info.macs, info.nmacs, mac_priority); + parse_ctypes(info.ctype, info.nctype, cert_type_priority); + parse_kx(info.kx, info.nkx, kx_priority); + parse_comp(info.comp, info.ncomp, comp_priority); } void cli_version(void) { - fprintf(stderr, "GNU TLS test client, "); - fprintf(stderr, "version %s. Libgnutls %s.\n", LIBGNUTLS_VERSION, - gnutls_check_version(NULL)); + fprintf(stderr, "GNU TLS test client, "); + fprintf(stderr, "version %s. Libgnutls %s.\n", LIBGNUTLS_VERSION, + gnutls_check_version(NULL)); } @@ -758,250 +739,232 @@ void cli_version(void) ssize_t socket_recv(socket_st socket, void *buffer, int buffer_size) { - int ret; - - if (socket.secure) - do { - ret = - gnutls_record_recv(socket.session, buffer, - buffer_size); - } while (ret == GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - else - do { - ret = recv(socket.fd, buffer, buffer_size, 0); - } while (ret == -1 && errno == EINTR); + int ret; + + if (socket.secure) + do { + ret = gnutls_record_recv(socket.session, buffer, buffer_size); + } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + else + do { + ret = recv(socket.fd, buffer, buffer_size, 0); + } while (ret == -1 && errno == EINTR); - return ret; + return ret; } ssize_t socket_send(socket_st socket, const void *buffer, int buffer_size) { - int ret; - - if (socket.secure) - do { - ret = - gnutls_record_send(socket.session, buffer, - buffer_size); - } while (ret == GNUTLS_E_AGAIN - || ret == GNUTLS_E_INTERRUPTED); - else - do { - ret = send(socket.fd, buffer, buffer_size, 0); - } while (ret == -1 && errno == EINTR); + int ret; - if (ret > 0 && ret != buffer_size && verbose) - fprintf(stderr, - "*** Only sent %d bytes instead of %d.\n", ret, - buffer_size); + if (socket.secure) + do { + ret = gnutls_record_send(socket.session, buffer, buffer_size); + } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + else + do { + ret = send(socket.fd, buffer, buffer_size, 0); + } while (ret == -1 && errno == EINTR); + + if (ret > 0 && ret != buffer_size && verbose) + fprintf(stderr, + "*** Only sent %d bytes instead of %d.\n", ret, + buffer_size); - return ret; + return ret; } void socket_bye(socket_st * socket) { - int ret; - if (socket->secure) { - do - ret = - gnutls_bye(socket->session, GNUTLS_SHUT_RDWR); - while (ret == GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - if (ret < 0) - fprintf(stderr, "*** gnutls_bye() error: %s\n", - gnutls_strerror(ret)); - gnutls_deinit(socket->session); - socket->session = NULL; - } - - shutdown(socket->fd, SHUT_RDWR); /* no more receptions */ - close(socket->fd); - - socket->fd = -1; - socket->secure = 0; + int ret; + if (socket->secure) { + do + ret = gnutls_bye(socket->session, GNUTLS_SHUT_RDWR); + while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + if (ret < 0) + fprintf(stderr, "*** gnutls_bye() error: %s\n", + gnutls_strerror(ret)); + gnutls_deinit(socket->session); + socket->session = NULL; + } + + shutdown(socket->fd, SHUT_RDWR); /* no more receptions */ + close(socket->fd); + + socket->fd = -1; + socket->secure = 0; } static void check_rehandshake(socket_st socket, int ret) { - if (socket.secure && ret == GNUTLS_E_REHANDSHAKE) { - /* There is a race condition here. If application - * data is sent after the rehandshake request, - * the server thinks we ignored his request. - * This is a bad design of this client. - */ - printf("*** Received rehandshake request\n"); - /* gnutls_alert_send( session, GNUTLS_AL_WARNING, GNUTLS_A_NO_RENEGOTIATION); */ - - ret = do_handshake(&socket); - - if (ret == 0) { - printf("*** Rehandshake was performed.\n"); - } else { - printf("*** Rehandshake Failed.\n"); - } + if (socket.secure && ret == GNUTLS_E_REHANDSHAKE) { + /* There is a race condition here. If application + * data is sent after the rehandshake request, + * the server thinks we ignored his request. + * This is a bad design of this client. + */ + printf("*** Received rehandshake request\n"); + /* gnutls_alert_send( session, GNUTLS_AL_WARNING, GNUTLS_A_NO_RENEGOTIATION); */ + + ret = do_handshake(&socket); + + if (ret == 0) { + printf("*** Rehandshake was performed.\n"); + } else { + printf("*** Rehandshake Failed.\n"); } + } } static int do_handshake(socket_st * socket) { - int ret; - gnutls_transport_set_ptr(socket->session, - (gnutls_transport_ptr) socket->fd); - do { - ret = gnutls_handshake(socket->session); - - if (ret < 0) { - handle_error(*socket, ret); - } - } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); - - if (ret == 0) { - socket->secure = 1; - /* print some information */ - print_info(socket->session, socket->hostname); + int ret; + gnutls_transport_set_ptr(socket->session, + (gnutls_transport_ptr) socket->fd); + do { + ret = gnutls_handshake(socket->session); + + if (ret < 0) { + handle_error(*socket, ret); } - return ret; + } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); + + if (ret == 0) { + socket->secure = 1; + /* print some information */ + print_info(socket->session, socket->hostname); + } + return ret; } static int srp_username_callback(gnutls_session session, unsigned int times, char **username, char **password) { - if (srp_username == NULL || srp_passwd == NULL) { - return -1; - } + if (srp_username == NULL || srp_passwd == NULL) { + return -1; + } - /* We should ask here the user for his SRP username - * and password. + /* We should ask here the user for his SRP username + * and password. + */ + if (times == 1) { + *username = gnutls_strdup(srp_username); + *password = gnutls_strdup(srp_passwd); + + return 0; + } else + /* At the first time return username and password, if + * the kx_priority[0] is an SRP method. */ - if (times == 1) { - *username = gnutls_strdup(srp_username); - *password = gnutls_strdup(srp_passwd); - - return 0; - } else - /* At the first time return username and password, if - * the kx_priority[0] is an SRP method. - */ - if (times == 0 && (kx_priority[0] == GNUTLS_KX_SRP || - kx_priority[0] == - GNUTLS_KX_SRP_RSA - || kx_priority[0] == - GNUTLS_KX_SRP_DSS)) { - - *username = gnutls_strdup(srp_username); - *password = gnutls_strdup(srp_passwd); - - return 0; - } + if (times == 0 && (kx_priority[0] == GNUTLS_KX_SRP || + kx_priority[0] == + GNUTLS_KX_SRP_RSA + || kx_priority[0] == GNUTLS_KX_SRP_DSS)) { - return -1; + *username = gnutls_strdup(srp_username); + *password = gnutls_strdup(srp_passwd); + + return 0; + } + + return -1; } static void tls_log_func(int level, const char *str) { - fprintf(stderr, "|<%d>| %s", level, str); + fprintf(stderr, "|<%d>| %s", level, str); } static void init_global_tls_stuff(void) { - int ret; - - if ((ret = gnutls_global_init()) < 0) { - fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret)); - exit(1); - } - - gnutls_global_set_log_function(tls_log_func); - gnutls_global_set_log_level(debug); - - if ((ret = gnutls_global_init_extra()) < 0) { - fprintf(stderr, - "global_init_extra: %s\n", gnutls_strerror(ret)); - exit(1); - } - - /* X509 stuff */ - if (gnutls_certificate_allocate_credentials(&xcred) < 0) { - fprintf(stderr, "Certificate allocation memory error\n"); - exit(1); - } - - /* there are some intermediate CAs that have a v1 certificate *%&@#*%& - */ - gnutls_certificate_set_verify_flags(xcred, - GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); - - if (x509_cafile != NULL) { - ret = - gnutls_certificate_set_x509_trust_file(xcred, - x509_cafile, - x509ctype); - if (ret < 0) { - fprintf(stderr, - "Error setting the x509 trust file\n"); - } else { - printf("Processed %d CA certificate(s).\n", ret); - } + int ret; + + if ((ret = gnutls_global_init()) < 0) { + fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret)); + exit(1); + } + + gnutls_global_set_log_function(tls_log_func); + gnutls_global_set_log_level(debug); + + if ((ret = gnutls_global_init_extra()) < 0) { + fprintf(stderr, "global_init_extra: %s\n", gnutls_strerror(ret)); + exit(1); + } + + /* X509 stuff */ + if (gnutls_certificate_allocate_credentials(&xcred) < 0) { + fprintf(stderr, "Certificate allocation memory error\n"); + exit(1); + } + + /* there are some intermediate CAs that have a v1 certificate *%&@#*%& + */ + gnutls_certificate_set_verify_flags(xcred, + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); + + if (x509_cafile != NULL) { + ret = + gnutls_certificate_set_x509_trust_file(xcred, + x509_cafile, x509ctype); + if (ret < 0) { + fprintf(stderr, "Error setting the x509 trust file\n"); + } else { + printf("Processed %d CA certificate(s).\n", ret); } + } #ifdef ENABLE_PKI - if (x509_crlfile != NULL) { - ret = - gnutls_certificate_set_x509_crl_file(xcred, - x509_crlfile, - x509ctype); - if (ret < 0) { - fprintf(stderr, - "Error setting the x509 CRL file\n"); - } else { - printf("Processed %d CRL(s).\n", ret); - } + if (x509_crlfile != NULL) { + ret = + gnutls_certificate_set_x509_crl_file(xcred, + x509_crlfile, x509ctype); + if (ret < 0) { + fprintf(stderr, "Error setting the x509 CRL file\n"); + } else { + printf("Processed %d CRL(s).\n", ret); } + } #endif - load_keys(); + load_keys(); #ifdef USE_OPENPGP - if (pgp_keyring != NULL) { - ret = - gnutls_certificate_set_openpgp_keyring_file(xcred, - pgp_keyring); - if (ret < 0) { - fprintf(stderr, - "Error setting the OpenPGP keyring file\n"); - } + if (pgp_keyring != NULL) { + ret = + gnutls_certificate_set_openpgp_keyring_file(xcred, + pgp_keyring); + if (ret < 0) { + fprintf(stderr, "Error setting the OpenPGP keyring file\n"); } + } - if (pgp_trustdb != NULL) { - ret = - gnutls_certificate_set_openpgp_trustdb(xcred, - pgp_trustdb); - if (ret < 0) { - fprintf(stderr, - "Error setting the OpenPGP trustdb file\n"); - } + if (pgp_trustdb != NULL) { + ret = gnutls_certificate_set_openpgp_trustdb(xcred, pgp_trustdb); + if (ret < 0) { + fprintf(stderr, "Error setting the OpenPGP trustdb file\n"); } + } #endif #ifdef ENABLE_SRP - /* SRP stuff */ - if (gnutls_srp_allocate_client_credentials(&srp_cred) < 0) { - fprintf(stderr, "SRP authentication error\n"); - } + /* SRP stuff */ + if (gnutls_srp_allocate_client_credentials(&srp_cred) < 0) { + fprintf(stderr, "SRP authentication error\n"); + } - gnutls_srp_set_client_credentials_function(srp_cred, - srp_username_callback); + gnutls_srp_set_client_credentials_function(srp_cred, + srp_username_callback); #endif #ifdef ENABLE_ANON - /* ANON stuff */ - if (gnutls_anon_allocate_client_credentials(&anon_cred) < 0) { - fprintf(stderr, "Anonymous authentication error\n"); - } + /* ANON stuff */ + if (gnutls_anon_allocate_client_credentials(&anon_cred) < 0) { + fprintf(stderr, "Anonymous authentication error\n"); + } #endif } diff --git a/src/common.c b/src/common.c index ba73386e6b..8d071dbefb 100644 --- a/src/common.c +++ b/src/common.c @@ -49,266 +49,235 @@ const char str_unknown[] = "(unknown)"; */ const char *raw_to_string(const unsigned char *raw, size_t raw_size) { - static char buf[1024]; - size_t i; - if (raw_size == 0) - return NULL; + static char buf[1024]; + size_t i; + if (raw_size == 0) + return NULL; - if (raw_size * 3 + 1 >= sizeof(buf)) - return NULL; + if (raw_size * 3 + 1 >= sizeof(buf)) + return NULL; - for (i = 0; i < raw_size; i++) { - sprintf(&(buf[i * 3]), "%02X%s", raw[i], - (i == raw_size - 1) ? "" : ":"); - } - buf[sizeof(buf) - 1] = '\0'; + for (i = 0; i < raw_size; i++) { + sprintf(&(buf[i * 3]), "%02X%s", raw[i], + (i == raw_size - 1) ? "" : ":"); + } + buf[sizeof(buf) - 1] = '\0'; - return buf; + return buf; } static const char *my_ctime(const time_t * tv) { - static char buf[256]; - struct tm *tp; + static char buf[256]; + struct tm *tp; - if (((tp = localtime(tv)) == NULL) || - (!strftime(buf, sizeof buf, "%a %b %e %H:%M:%S %Z %Y\n", tp))) - strcpy(buf, str_unknown); /* make sure buf text isn't garbage */ + if (((tp = localtime(tv)) == NULL) || + (!strftime(buf, sizeof buf, "%a %b %e %H:%M:%S %Z %Y\n", tp))) + strcpy(buf, str_unknown); /* make sure buf text isn't garbage */ - return buf; + return buf; } void print_x509_info(gnutls_session session, const char *hostname) { - gnutls_x509_crt crt; - const gnutls_datum *cert_list; - int cert_list_size = 0, ret; - char digest[20]; - char serial[40]; - char dn[256]; - size_t dn_size; - size_t digest_size = sizeof(digest); - unsigned int j; - size_t serial_size = sizeof(serial); - const char *print; - const char *cstr; - unsigned int bits, algo; - time_t expiret, activet; - - cert_list = gnutls_certificate_get_peers(session, &cert_list_size); - - - if (cert_list_size == 0) { - fprintf(stderr, "No certificates found!\n"); - return; + gnutls_x509_crt crt; + const gnutls_datum *cert_list; + int cert_list_size = 0, ret; + char digest[20]; + char serial[40]; + char dn[256]; + size_t dn_size; + size_t digest_size = sizeof(digest); + unsigned int j; + size_t serial_size = sizeof(serial); + const char *print; + const char *cstr; + unsigned int bits, algo; + time_t expiret, activet; + + cert_list = gnutls_certificate_get_peers(session, &cert_list_size); + + + if (cert_list_size == 0) { + fprintf(stderr, "No certificates found!\n"); + return; + } + + printf(" - Got a certificate list of %d certificates.\n\n", + cert_list_size); + + for (j = 0; j < (unsigned int) cert_list_size; j++) { + + gnutls_x509_crt_init(&crt); + ret = + gnutls_x509_crt_import(crt, &cert_list[j], + GNUTLS_X509_FMT_DER); + if (ret < 0) { + fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret)); + return; } - printf(" - Got a certificate list of %d certificates.\n\n", - cert_list_size); + printf(" - Certificate[%d] info:\n", j); - for (j = 0; j < (unsigned int) cert_list_size; j++) { + if (print_cert) { + size_t size; - gnutls_x509_crt_init(&crt); - ret = - gnutls_x509_crt_import(crt, &cert_list[j], - GNUTLS_X509_FMT_DER); - if (ret < 0) { - fprintf(stderr, "Decoding error: %s\n", - gnutls_strerror(ret)); - return; - } + size = sizeof(buffer); - printf(" - Certificate[%d] info:\n", j); - - if (print_cert) { - size_t size; - - size = sizeof(buffer); - - ret = - gnutls_x509_crt_export(crt, - GNUTLS_X509_FMT_PEM, - buffer, &size); - if (ret < 0) { - fprintf(stderr, "Encoding error: %s\n", - gnutls_strerror(ret)); - return; - } - fputs("\n", stdout); - fputs(buffer, stdout); - fputs("\n", stdout); - } + ret = + gnutls_x509_crt_export(crt, + GNUTLS_X509_FMT_PEM, buffer, &size); + if (ret < 0) { + fprintf(stderr, "Encoding error: %s\n", + gnutls_strerror(ret)); + return; + } + fputs("\n", stdout); + fputs(buffer, stdout); + fputs("\n", stdout); + } - if (j == 0 && hostname != NULL) { /* Check the hostname of the first certificate - * if it matches the name of the host we - * connected to. - */ - if (gnutls_x509_crt_check_hostname(crt, hostname) - == 0) { - printf - (" # The hostname in the certificate does NOT match '%s'.\n", - hostname); - } else { - printf - (" # The hostname in the certificate matches '%s'.\n", - hostname); - } - } + if (j == 0 && hostname != NULL) { /* Check the hostname of the first certificate + * if it matches the name of the host we + * connected to. + */ + if (gnutls_x509_crt_check_hostname(crt, hostname) + == 0) { + printf + (" # The hostname in the certificate does NOT match '%s'.\n", + hostname); + } else { + printf + (" # The hostname in the certificate matches '%s'.\n", + hostname); + } + } - if (xml) { + if (xml) { #ifdef ENABLE_PKI - gnutls_datum xml_data; + gnutls_datum xml_data; - ret = gnutls_x509_crt_to_xml(crt, &xml_data, 0); - if (ret < 0) { - fprintf(stderr, "XML encoding error: %s\n", - gnutls_strerror(ret)); - return; - } + ret = gnutls_x509_crt_to_xml(crt, &xml_data, 0); + if (ret < 0) { + fprintf(stderr, "XML encoding error: %s\n", + gnutls_strerror(ret)); + return; + } - printf("%s", xml_data.data); - gnutls_free(xml_data.data); + printf("%s", xml_data.data); + gnutls_free(xml_data.data); #endif - } else { - - expiret = gnutls_x509_crt_get_expiration_time(crt); - activet = gnutls_x509_crt_get_activation_time(crt); - - printf(" # valid since: %s", my_ctime(&activet)); - printf(" # expires at: %s", my_ctime(&expiret)); - - - /* Print the serial number of the certificate. - */ - if (verbose - && gnutls_x509_crt_get_serial(crt, serial, - &serial_size) - >= 0) { - print = raw_to_string(serial, serial_size); - if (print != NULL) - printf(" # serial number: %s\n", - print); - } - - /* Print the fingerprint of the certificate - */ - digest_size = sizeof(digest); - if ((ret = - gnutls_x509_crt_get_fingerprint(crt, - GNUTLS_DIG_MD5, - digest, - &digest_size)) - < 0) { - fprintf(stderr, - "Error in fingerprint calculation: %s\n", - gnutls_strerror(ret)); - } else { - print = raw_to_string(digest, digest_size); - if (print != NULL) - printf(" # fingerprint: %s\n", - print); - } - - /* Print the version of the X.509 - * certificate. - */ - if (verbose) { - printf(" # version: #%d\n", - gnutls_x509_crt_get_version(crt)); - - bits = 0; - algo = - gnutls_x509_crt_get_pk_algorithm(crt, - &bits); - printf(" # public key algorithm: "); - - cstr = - SU(gnutls_pk_algorithm_get_name(algo)); - printf("%s (%d bits)\n", cstr, bits); - - if (algo == GNUTLS_PK_RSA) { - gnutls_datum e, m; - - ret = - gnutls_x509_crt_get_pk_rsa_raw - (crt, &m, &e); - if (ret >= 0) { - print = - SU(raw_to_string - (e.data, e.size)); - printf(" # e [%d bits]: %s\n", - e.size*8, print); - - print = - SU(raw_to_string - (m.data, m.size)); - printf(" # m [%d bits]: %s\n", - m.size*8, print); - - gnutls_free(e.data); - gnutls_free(m.data); - } - } else if (algo == GNUTLS_PK_DSA) { - gnutls_datum p, q, g, y; - - ret = - gnutls_x509_crt_get_pk_dsa_raw - (crt, &p, &q, &g, &y); - if (ret >= 0) { - print = - SU(raw_to_string - (p.data, p.size)); - printf(" # p [%d bits]: %s\n", - p.size*8, print); - - print = - SU(raw_to_string - (q.data, q.size)); - printf(" # q [%d bits]: %s\n", - q.size*8, print); - - print = - SU(raw_to_string - (g.data, g.size)); - printf(" # g [%d bits]: %s\n", - g.size*8, print); - - print = - SU(raw_to_string - (y.data, y.size)); - printf(" # y [%d bits]: %s\n", - y.size*8, print); - - gnutls_free(p.data); - gnutls_free(q.data); - gnutls_free(g.data); - gnutls_free(y.data); - } - } - } - - dn_size = sizeof(dn); - ret = gnutls_x509_crt_get_dn(crt, dn, &dn_size); - if (ret >= 0) - printf(" # Subject's DN: %s\n", dn); - - dn_size = sizeof(dn); - ret = - gnutls_x509_crt_get_issuer_dn(crt, dn, - &dn_size); - if (ret >= 0) - printf(" # Issuer's DN: %s\n", dn); - } + } else { - gnutls_x509_crt_deinit(crt); + expiret = gnutls_x509_crt_get_expiration_time(crt); + activet = gnutls_x509_crt_get_activation_time(crt); + + printf(" # valid since: %s", my_ctime(&activet)); + printf(" # expires at: %s", my_ctime(&expiret)); + + + /* Print the serial number of the certificate. + */ + if (verbose + && gnutls_x509_crt_get_serial(crt, serial, &serial_size) + >= 0) { + print = raw_to_string(serial, serial_size); + if (print != NULL) + printf(" # serial number: %s\n", print); + } + + /* Print the fingerprint of the certificate + */ + digest_size = sizeof(digest); + if ((ret = + gnutls_x509_crt_get_fingerprint(crt, + GNUTLS_DIG_MD5, + digest, &digest_size)) + < 0) { + fprintf(stderr, + "Error in fingerprint calculation: %s\n", + gnutls_strerror(ret)); + } else { + print = raw_to_string(digest, digest_size); + if (print != NULL) + printf(" # fingerprint: %s\n", print); + } + + /* Print the version of the X.509 + * certificate. + */ + if (verbose) { + printf(" # version: #%d\n", + gnutls_x509_crt_get_version(crt)); + + bits = 0; + algo = gnutls_x509_crt_get_pk_algorithm(crt, &bits); + printf(" # public key algorithm: "); + + cstr = SU(gnutls_pk_algorithm_get_name(algo)); + printf("%s (%d bits)\n", cstr, bits); + + if (algo == GNUTLS_PK_RSA) { + gnutls_datum e, m; + + ret = gnutls_x509_crt_get_pk_rsa_raw(crt, &m, &e); + if (ret >= 0) { + print = SU(raw_to_string(e.data, e.size)); + printf(" # e [%d bits]: %s\n", e.size * 8, print); + + print = SU(raw_to_string(m.data, m.size)); + printf(" # m [%d bits]: %s\n", m.size * 8, print); + + gnutls_free(e.data); + gnutls_free(m.data); + } + } else if (algo == GNUTLS_PK_DSA) { + gnutls_datum p, q, g, y; + + ret = + gnutls_x509_crt_get_pk_dsa_raw + (crt, &p, &q, &g, &y); + if (ret >= 0) { + print = SU(raw_to_string(p.data, p.size)); + printf(" # p [%d bits]: %s\n", p.size * 8, print); + + print = SU(raw_to_string(q.data, q.size)); + printf(" # q [%d bits]: %s\n", q.size * 8, print); + + print = SU(raw_to_string(g.data, g.size)); + printf(" # g [%d bits]: %s\n", g.size * 8, print); + + print = SU(raw_to_string(y.data, y.size)); + printf(" # y [%d bits]: %s\n", y.size * 8, print); + + gnutls_free(p.data); + gnutls_free(q.data); + gnutls_free(g.data); + gnutls_free(y.data); + } + } + } - printf("\n"); + dn_size = sizeof(dn); + ret = gnutls_x509_crt_get_dn(crt, dn, &dn_size); + if (ret >= 0) + printf(" # Subject's DN: %s\n", dn); + dn_size = sizeof(dn); + ret = gnutls_x509_crt_get_issuer_dn(crt, dn, &dn_size); + if (ret >= 0) + printf(" # Issuer's DN: %s\n", dn); } + gnutls_x509_crt_deinit(crt); + + printf("\n"); + + } + } #ifdef USE_OPENPGP @@ -316,129 +285,122 @@ void print_x509_info(gnutls_session session, const char *hostname) void print_openpgp_info(gnutls_session session, const char *hostname) { - char digest[20]; - size_t digest_size = sizeof(digest); - int ret; - const char *print; - const char *cstr; - char name[256]; - size_t name_len = sizeof(name); - gnutls_openpgp_key crt; - const gnutls_datum *cert_list; - int cert_list_size = 0; - time_t expiret; - time_t activet; - - cert_list = gnutls_certificate_get_peers(session, &cert_list_size); - - if (cert_list_size > 0) { - unsigned int algo, bits; - - gnutls_openpgp_key_init(&crt); - ret = - gnutls_openpgp_key_import(crt, &cert_list[0], - GNUTLS_OPENPGP_FMT_RAW); - if (ret < 0) { - fprintf(stderr, "Decoding error: %s\n", - gnutls_strerror(ret)); - return; - } + char digest[20]; + size_t digest_size = sizeof(digest); + int ret; + const char *print; + const char *cstr; + char name[256]; + size_t name_len = sizeof(name); + gnutls_openpgp_key crt; + const gnutls_datum *cert_list; + int cert_list_size = 0; + time_t expiret; + time_t activet; + + cert_list = gnutls_certificate_get_peers(session, &cert_list_size); + + if (cert_list_size > 0) { + unsigned int algo, bits; + + gnutls_openpgp_key_init(&crt); + ret = + gnutls_openpgp_key_import(crt, &cert_list[0], + GNUTLS_OPENPGP_FMT_RAW); + if (ret < 0) { + fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret)); + return; + } - if (print_cert) { - size_t size; - - size = sizeof(buffer); - - ret = - gnutls_openpgp_key_export(crt, - GNUTLS_OPENPGP_FMT_BASE64, - buffer, &size); - if (ret < 0) { - fprintf(stderr, "Encoding error: %s\n", - gnutls_strerror(ret)); - return; - } - fputs("\n", stdout); - fputs(buffer, stdout); - fputs("\n", stdout); - } + if (print_cert) { + size_t size; - if (hostname != NULL) { /* Check the hostname of the first certificate - * if it matches the name of the host we - * connected to. - */ - if (gnutls_openpgp_key_check_hostname - (crt, hostname) == 0) { - printf - (" # The hostname in the key does NOT match '%s'.\n", - hostname); - } else { - printf - (" # The hostname in the key matches '%s'.\n", - hostname); - } - } + size = sizeof(buffer); - if (xml) { - gnutls_datum xml_data; + ret = + gnutls_openpgp_key_export(crt, + GNUTLS_OPENPGP_FMT_BASE64, + buffer, &size); + if (ret < 0) { + fprintf(stderr, "Encoding error: %s\n", + gnutls_strerror(ret)); + return; + } + fputs("\n", stdout); + fputs(buffer, stdout); + fputs("\n", stdout); + } - ret = gnutls_openpgp_key_to_xml(crt, &xml_data, 0); - if (ret < 0) { - fprintf(stderr, "XML encoding error: %s\n", - gnutls_strerror(ret)); - return; - } + if (hostname != NULL) { /* Check the hostname of the first certificate + * if it matches the name of the host we + * connected to. + */ + if (gnutls_openpgp_key_check_hostname(crt, hostname) == 0) { + printf + (" # The hostname in the key does NOT match '%s'.\n", + hostname); + } else { + printf + (" # The hostname in the key matches '%s'.\n", + hostname); + } + } - printf("%s", xml_data.data); - gnutls_free(xml_data.data); + if (xml) { + gnutls_datum xml_data; - return; - } + ret = gnutls_openpgp_key_to_xml(crt, &xml_data, 0); + if (ret < 0) { + fprintf(stderr, "XML encoding error: %s\n", + gnutls_strerror(ret)); + return; + } - activet = gnutls_openpgp_key_get_creation_time(crt); - expiret = gnutls_openpgp_key_get_expiration_time(crt); - - printf(" # Key was created at: %s", my_ctime(&activet)); - printf(" # Key expires: "); - if (expiret != 0) - printf("%s", my_ctime(&expiret)); - else - printf("Never\n"); - - if (gnutls_openpgp_key_get_fingerprint - (crt, digest, &digest_size) >= 0) { - print = raw_to_string(digest, digest_size); - - printf(" # PGP Key version: %d\n", - gnutls_openpgp_key_get_version(crt)); - - bits = 0; - algo = - gnutls_openpgp_key_get_pk_algorithm(crt, - &bits); - - printf(" # PGP Key public key algorithm: "); - cstr = SU(gnutls_pk_algorithm_get_name(algo)); - printf("%s (%d bits)\n", cstr, bits); - - if (print != NULL) - printf(" # PGP Key fingerprint: %s\n", - print); - - name_len = sizeof(name); - if (gnutls_openpgp_key_get_name - (crt, 0, name, &name_len) < 0) { - fprintf(stderr, - "Could not extract name\n"); - } else { - PRINT_PGP_NAME(name); - } + printf("%s", xml_data.data); + gnutls_free(xml_data.data); - } + return; + } + + activet = gnutls_openpgp_key_get_creation_time(crt); + expiret = gnutls_openpgp_key_get_expiration_time(crt); + + printf(" # Key was created at: %s", my_ctime(&activet)); + printf(" # Key expires: "); + if (expiret != 0) + printf("%s", my_ctime(&expiret)); + else + printf("Never\n"); + + if (gnutls_openpgp_key_get_fingerprint + (crt, digest, &digest_size) >= 0) { + print = raw_to_string(digest, digest_size); + + printf(" # PGP Key version: %d\n", + gnutls_openpgp_key_get_version(crt)); - gnutls_openpgp_key_deinit(crt); + bits = 0; + algo = gnutls_openpgp_key_get_pk_algorithm(crt, &bits); + + printf(" # PGP Key public key algorithm: "); + cstr = SU(gnutls_pk_algorithm_get_name(algo)); + printf("%s (%d bits)\n", cstr, bits); + + if (print != NULL) + printf(" # PGP Key fingerprint: %s\n", print); + + name_len = sizeof(name); + if (gnutls_openpgp_key_get_name(crt, 0, name, &name_len) < 0) { + fprintf(stderr, "Could not extract name\n"); + } else { + PRINT_PGP_NAME(name); + } } + + gnutls_openpgp_key_deinit(crt); + + } } #endif @@ -446,330 +408,311 @@ void print_openpgp_info(gnutls_session session, const char *hostname) void print_cert_vrfy(gnutls_session session) { - int status; - status = gnutls_certificate_verify_peers(session); - printf("\n"); - - if (status == GNUTLS_E_NO_CERTIFICATE_FOUND) { - printf("- Peer did not send any certificate.\n"); - return; - } - if (status < 0) { - printf("- Could not verify certificate (err: %s)\n", - gnutls_strerror(status)); - return; - } - - if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) { - if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) - printf("- Peer's certificate issuer is unknown\n"); - if (status & GNUTLS_CERT_INVALID) - printf("- Peer's certificate is NOT trusted\n"); - else - printf("- Peer's certificate is trusted\n"); - } else { - if (status & GNUTLS_CERT_INVALID) - printf("- Peer's key is invalid\n"); - else - printf("- Peer's key is valid\n"); - if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) - printf - ("- Could not find a signer of the peer's key\n"); - } + int status; + status = gnutls_certificate_verify_peers(session); + printf("\n"); + + if (status == GNUTLS_E_NO_CERTIFICATE_FOUND) { + printf("- Peer did not send any certificate.\n"); + return; + } + if (status < 0) { + printf("- Could not verify certificate (err: %s)\n", + gnutls_strerror(status)); + return; + } + + if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) { + if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) + printf("- Peer's certificate issuer is unknown\n"); + if (status & GNUTLS_CERT_INVALID) + printf("- Peer's certificate is NOT trusted\n"); + else + printf("- Peer's certificate is trusted\n"); + } else { + if (status & GNUTLS_CERT_INVALID) + printf("- Peer's key is invalid\n"); + else + printf("- Peer's key is valid\n"); + if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) + printf("- Could not find a signer of the peer's key\n"); + } } int print_info(gnutls_session session, const char *hostname) { - const char *tmp; - gnutls_credentials_type cred; - gnutls_kx_algorithm kx; + const char *tmp; + gnutls_credentials_type cred; + gnutls_kx_algorithm kx; - /* print the key exchange's algorithm name - */ - kx = gnutls_kx_get(session); + /* print the key exchange's algorithm name + */ + kx = gnutls_kx_get(session); - cred = gnutls_auth_get_type(session); - switch (cred) { + cred = gnutls_auth_get_type(session); + switch (cred) { #ifdef ENABLE_ANON - case GNUTLS_CRD_ANON: - printf("- Anonymous DH using prime of %d bits, secret key " - "of %d bits, and peer's public key is %d bits.\n", - gnutls_dh_get_prime_bits(session), - gnutls_dh_get_secret_bits(session), - gnutls_dh_get_peers_public_bits(session)); - break; + case GNUTLS_CRD_ANON: + printf("- Anonymous DH using prime of %d bits, secret key " + "of %d bits, and peer's public key is %d bits.\n", + gnutls_dh_get_prime_bits(session), + gnutls_dh_get_secret_bits(session), + gnutls_dh_get_peers_public_bits(session)); + break; #endif #ifdef ENABLE_SRP - case GNUTLS_CRD_SRP: - /* This should be only called in server - * side. - */ - if (gnutls_srp_server_get_username(session) != NULL) - printf("- SRP authentication. Connected as '%s'\n", - gnutls_srp_server_get_username(session)); - break; + case GNUTLS_CRD_SRP: + /* This should be only called in server + * side. + */ + if (gnutls_srp_server_get_username(session) != NULL) + printf("- SRP authentication. Connected as '%s'\n", + gnutls_srp_server_get_username(session)); + break; #endif - case GNUTLS_CRD_CERTIFICATE: - { - char dns[256]; - size_t dns_size = sizeof(dns); - unsigned int type; - - /* This fails in client side */ - if (gnutls_server_name_get - (session, dns, &dns_size, &type, 0) == 0) { - printf("- Given server name[%d]: %s\n", - type, dns); - } - } + case GNUTLS_CRD_CERTIFICATE: + { + char dns[256]; + size_t dns_size = sizeof(dns); + unsigned int type; + + /* This fails in client side */ + if (gnutls_server_name_get + (session, dns, &dns_size, &type, 0) == 0) { + printf("- Given server name[%d]: %s\n", type, dns); + } + } - print_cert_info(session, hostname); + print_cert_info(session, hostname); - print_cert_vrfy(session); + print_cert_vrfy(session); - } + } - tmp = - SU(gnutls_protocol_get_name - (gnutls_protocol_get_version(session))); - printf("- Version: %s\n", tmp); + tmp = + SU(gnutls_protocol_get_name(gnutls_protocol_get_version(session))); + printf("- Version: %s\n", tmp); - tmp = SU(gnutls_kx_get_name(kx)); - printf("- Key Exchange: %s\n", tmp); + tmp = SU(gnutls_kx_get_name(kx)); + printf("- Key Exchange: %s\n", tmp); - tmp = SU(gnutls_cipher_get_name(gnutls_cipher_get(session))); - printf("- Cipher: %s\n", tmp); + tmp = SU(gnutls_cipher_get_name(gnutls_cipher_get(session))); + printf("- Cipher: %s\n", tmp); - tmp = SU(gnutls_mac_get_name(gnutls_mac_get(session))); - printf("- MAC: %s\n", tmp); + tmp = SU(gnutls_mac_get_name(gnutls_mac_get(session))); + printf("- MAC: %s\n", tmp); - tmp = - SU(gnutls_compression_get_name - (gnutls_compression_get(session))); - printf("- Compression: %s\n", tmp); + tmp = SU(gnutls_compression_get_name(gnutls_compression_get(session))); + printf("- Compression: %s\n", tmp); - fflush(stdout); + fflush(stdout); - return 0; + return 0; } void print_cert_info(gnutls_session session, const char *hostname) { - printf("- Certificate type: "); - switch (gnutls_certificate_type_get(session)) { - case GNUTLS_CRT_X509: - printf("X.509\n"); - print_x509_info(session, hostname); - break; + printf("- Certificate type: "); + switch (gnutls_certificate_type_get(session)) { + case GNUTLS_CRT_X509: + printf("X.509\n"); + print_x509_info(session, hostname); + break; #ifdef USE_OPENPGP - case GNUTLS_CRT_OPENPGP: - printf("OpenPGP\n"); - print_openpgp_info(session, hostname); - break; + case GNUTLS_CRT_OPENPGP: + printf("OpenPGP\n"); + print_openpgp_info(session, hostname); + break; #endif - } + } } void print_list(void) { - /* FIXME: This is hard coded. Make it print all the supported - * algorithms. - */ - printf("\n"); - printf("Certificate types:"); - printf(" X.509"); - printf(", OPENPGP\n"); - - printf("Protocols:"); - printf(" TLS1.0"); - printf(", TLS1.1"); - printf(", SSL3.0\n"); - - printf("Ciphers:"); - printf(" AES-128-CBC"); - printf(", 3DES-CBC"); - printf(", ARCFOUR"); - printf(", ARCFOUR-40\n"); - - printf("MACs:"); - printf(" MD5"); - printf(", RMD160"); - printf(", SHA1\n"); - - printf("Key exchange algorithms:"); - printf(" RSA"); - printf(", RSA-EXPORT"); - printf(", DHE-DSS"); - printf(", DHE-RSA"); - printf(", SRP"); - printf(", SRP-RSA"); - printf(", SRP-DSS"); - printf(", ANON-DH\n"); - - printf("Compression methods:"); - printf(" DEFLATE"); - printf(", LZO"); - printf(", NULL\n"); + /* FIXME: This is hard coded. Make it print all the supported + * algorithms. + */ + printf("\n"); + printf("Certificate types:"); + printf(" X.509"); + printf(", OPENPGP\n"); + + printf("Protocols:"); + printf(" TLS1.0"); + printf(", TLS1.1"); + printf(", SSL3.0\n"); + + printf("Ciphers:"); + printf(" AES-128-CBC"); + printf(", 3DES-CBC"); + printf(", ARCFOUR"); + printf(", ARCFOUR-40\n"); + + printf("MACs:"); + printf(" MD5"); + printf(", RMD160"); + printf(", SHA1\n"); + + printf("Key exchange algorithms:"); + printf(" RSA"); + printf(", RSA-EXPORT"); + printf(", DHE-DSS"); + printf(", DHE-RSA"); + printf(", SRP"); + printf(", SRP-RSA"); + printf(", SRP-DSS"); + printf(", ANON-DH\n"); + + printf("Compression methods:"); + printf(" DEFLATE"); + printf(", LZO"); + printf(", NULL\n"); } void print_license(void) { - fputs("\nCopyright (C) 2004 Free Software Foundation\n" - "This program is free software; you can redistribute it and/or modify \n" - "it under the terms of the GNU General Public License as published by \n" - "the Free Software Foundation; either version 2 of the License, or \n" - "(at your option) any later version. \n" "\n" - "This program is distributed in the hope that it will be useful, \n" - "but WITHOUT ANY WARRANTY; without even the implied warranty of \n" - "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \n" - "GNU General Public License for more details. \n" "\n" - "You should have received a copy of the GNU General Public License \n" - "along with this program; if not, write to the Free Software \n" - "Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.\n\n", - stdout); + fputs("\nCopyright (C) 2004 Free Software Foundation\n" + "This program is free software; you can redistribute it and/or modify \n" + "it under the terms of the GNU General Public License as published by \n" + "the Free Software Foundation; either version 2 of the License, or \n" + "(at your option) any later version. \n" "\n" + "This program is distributed in the hope that it will be useful, \n" + "but WITHOUT ANY WARRANTY; without even the implied warranty of \n" + "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \n" + "GNU General Public License for more details. \n" "\n" + "You should have received a copy of the GNU General Public License \n" + "along with this program; if not, write to the Free Software \n" + "Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.\n\n", + stdout); } void parse_protocols(char **protocols, int protocols_size, int *protocol_priority) { - int i, j; - - if (protocols != NULL && protocols_size > 0) { - for (j = i = 0; i < protocols_size; i++) { - if (strncasecmp(protocols[i], "SSL", 3) == 0) - protocol_priority[j++] = GNUTLS_SSL3; - else if (strncasecmp(protocols[i], "TLS1.1", 6) == - 0) - protocol_priority[j++] = GNUTLS_TLS1_1; - else if (strncasecmp(protocols[i], "TLS", 3) == 0) - protocol_priority[j++] = GNUTLS_TLS1_0; - else - fprintf(stderr, "Unknown protocol: '%s'\n", - protocols[i]); - } - protocol_priority[j] = 0; + int i, j; + + if (protocols != NULL && protocols_size > 0) { + for (j = i = 0; i < protocols_size; i++) { + if (strncasecmp(protocols[i], "SSL", 3) == 0) + protocol_priority[j++] = GNUTLS_SSL3; + else if (strncasecmp(protocols[i], "TLS1.1", 6) == 0) + protocol_priority[j++] = GNUTLS_TLS1_1; + else if (strncasecmp(protocols[i], "TLS", 3) == 0) + protocol_priority[j++] = GNUTLS_TLS1_0; + else + fprintf(stderr, "Unknown protocol: '%s'\n", protocols[i]); } + protocol_priority[j] = 0; + } } void parse_ciphers(char **ciphers, int nciphers, int *cipher_priority) { - int j, i; - - if (ciphers != NULL && nciphers > 0) { - for (j = i = 0; i < nciphers; i++) { - if (strncasecmp(ciphers[i], "AES", 3) == 0) - cipher_priority[j++] = - GNUTLS_CIPHER_AES_128_CBC; - else if (strncasecmp(ciphers[i], "3DE", 3) == 0) - cipher_priority[j++] = - GNUTLS_CIPHER_3DES_CBC; - else if (strcasecmp(ciphers[i], "ARCFOUR-40") == 0) - cipher_priority[j++] = - GNUTLS_CIPHER_ARCFOUR_40; - else if (strcasecmp(ciphers[i], "ARCFOUR") == 0) - cipher_priority[j++] = - GNUTLS_CIPHER_ARCFOUR_128; - else if (strncasecmp(ciphers[i], "NUL", 3) == 0) - cipher_priority[j++] = GNUTLS_CIPHER_NULL; - else - fprintf(stderr, "Unknown cipher: '%s'\n", - ciphers[i]); - } - cipher_priority[j] = 0; + int j, i; + + if (ciphers != NULL && nciphers > 0) { + for (j = i = 0; i < nciphers; i++) { + if (strncasecmp(ciphers[i], "AES", 3) == 0) + cipher_priority[j++] = GNUTLS_CIPHER_AES_128_CBC; + else if (strncasecmp(ciphers[i], "3DE", 3) == 0) + cipher_priority[j++] = GNUTLS_CIPHER_3DES_CBC; + else if (strcasecmp(ciphers[i], "ARCFOUR-40") == 0) + cipher_priority[j++] = GNUTLS_CIPHER_ARCFOUR_40; + else if (strcasecmp(ciphers[i], "ARCFOUR") == 0) + cipher_priority[j++] = GNUTLS_CIPHER_ARCFOUR_128; + else if (strncasecmp(ciphers[i], "NUL", 3) == 0) + cipher_priority[j++] = GNUTLS_CIPHER_NULL; + else + fprintf(stderr, "Unknown cipher: '%s'\n", ciphers[i]); } + cipher_priority[j] = 0; + } } void parse_macs(char **macs, int nmacs, int *mac_priority) { - int i, j; - if (macs != NULL && nmacs > 0) { - for (j = i = 0; i < nmacs; i++) { - if (strncasecmp(macs[i], "MD5", 3) == 0) - mac_priority[j++] = GNUTLS_MAC_MD5; - else if (strncasecmp(macs[i], "RMD", 3) == 0) - mac_priority[j++] = GNUTLS_MAC_RMD160; - else if (strncasecmp(macs[i], "SHA", 3) == 0) - mac_priority[j++] = GNUTLS_MAC_SHA; - else - fprintf(stderr, "Unknown MAC: '%s'\n", - macs[i]); - } - mac_priority[j] = 0; + int i, j; + if (macs != NULL && nmacs > 0) { + for (j = i = 0; i < nmacs; i++) { + if (strncasecmp(macs[i], "MD5", 3) == 0) + mac_priority[j++] = GNUTLS_MAC_MD5; + else if (strncasecmp(macs[i], "RMD", 3) == 0) + mac_priority[j++] = GNUTLS_MAC_RMD160; + else if (strncasecmp(macs[i], "SHA", 3) == 0) + mac_priority[j++] = GNUTLS_MAC_SHA; + else + fprintf(stderr, "Unknown MAC: '%s'\n", macs[i]); } + mac_priority[j] = 0; + } } void parse_ctypes(char **ctype, int nctype, int *cert_type_priority) { - int i, j; - if (ctype != NULL && nctype > 0) { - for (j = i = 0; i < nctype; i++) { - if (strncasecmp(ctype[i], "OPE", 3) == 0) - cert_type_priority[j++] = - GNUTLS_CRT_OPENPGP; - else if (strncasecmp(ctype[i], "X", 1) == 0) - cert_type_priority[j++] = GNUTLS_CRT_X509; - else - fprintf(stderr, - "Unknown certificate type: '%s'\n", - ctype[i]); - } - cert_type_priority[j] = 0; + int i, j; + if (ctype != NULL && nctype > 0) { + for (j = i = 0; i < nctype; i++) { + if (strncasecmp(ctype[i], "OPE", 3) == 0) + cert_type_priority[j++] = GNUTLS_CRT_OPENPGP; + else if (strncasecmp(ctype[i], "X", 1) == 0) + cert_type_priority[j++] = GNUTLS_CRT_X509; + else + fprintf(stderr, + "Unknown certificate type: '%s'\n", ctype[i]); } + cert_type_priority[j] = 0; + } } void parse_kx(char **kx, int nkx, int *kx_priority) { - int i, j; - if (kx != NULL && nkx > 0) { - for (j = i = 0; i < nkx; i++) { - if (strcasecmp(kx[i], "SRP") == 0) - kx_priority[j++] = GNUTLS_KX_SRP; - else if (strcasecmp(kx[i], "SRP-RSA") == 0) - kx_priority[j++] = GNUTLS_KX_SRP_RSA; - else if (strcasecmp(kx[i], "SRP-DSS") == 0) - kx_priority[j++] = GNUTLS_KX_SRP_DSS; - else if (strcasecmp(kx[i], "RSA") == 0) - kx_priority[j++] = GNUTLS_KX_RSA; - else if (strcasecmp(kx[i], "RSA-EXPORT") == 0) - kx_priority[j++] = GNUTLS_KX_RSA_EXPORT; - else if (strncasecmp(kx[i], "DHE-RSA", 7) == 0) - kx_priority[j++] = GNUTLS_KX_DHE_RSA; - else if (strncasecmp(kx[i], "DHE-DSS", 7) == 0) - kx_priority[j++] = GNUTLS_KX_DHE_DSS; - else if (strncasecmp(kx[i], "ANON", 4) == 0) - kx_priority[j++] = GNUTLS_KX_ANON_DH; - else - fprintf(stderr, - "Unknown key exchange: '%s'\n", - kx[i]); - } - kx_priority[j] = 0; + int i, j; + if (kx != NULL && nkx > 0) { + for (j = i = 0; i < nkx; i++) { + if (strcasecmp(kx[i], "SRP") == 0) + kx_priority[j++] = GNUTLS_KX_SRP; + else if (strcasecmp(kx[i], "SRP-RSA") == 0) + kx_priority[j++] = GNUTLS_KX_SRP_RSA; + else if (strcasecmp(kx[i], "SRP-DSS") == 0) + kx_priority[j++] = GNUTLS_KX_SRP_DSS; + else if (strcasecmp(kx[i], "RSA") == 0) + kx_priority[j++] = GNUTLS_KX_RSA; + else if (strcasecmp(kx[i], "RSA-EXPORT") == 0) + kx_priority[j++] = GNUTLS_KX_RSA_EXPORT; + else if (strncasecmp(kx[i], "DHE-RSA", 7) == 0) + kx_priority[j++] = GNUTLS_KX_DHE_RSA; + else if (strncasecmp(kx[i], "DHE-DSS", 7) == 0) + kx_priority[j++] = GNUTLS_KX_DHE_DSS; + else if (strncasecmp(kx[i], "ANON", 4) == 0) + kx_priority[j++] = GNUTLS_KX_ANON_DH; + else + fprintf(stderr, "Unknown key exchange: '%s'\n", kx[i]); } + kx_priority[j] = 0; + } } void parse_comp(char **comp, int ncomp, int *comp_priority) { - int i, j; - if (comp != NULL && ncomp > 0) { - for (j = i = 0; i < ncomp; i++) { - if (strncasecmp(comp[i], "NUL", 3) == 0) - comp_priority[j++] = GNUTLS_COMP_NULL; - else if (strncasecmp(comp[i], "ZLI", 3) == 0) - comp_priority[j++] = GNUTLS_COMP_DEFLATE; - else if (strncasecmp(comp[i], "DEF", 3) == 0) - comp_priority[j++] = GNUTLS_COMP_DEFLATE; - else if (strncasecmp(comp[i], "LZO", 3) == 0) - comp_priority[j++] = GNUTLS_COMP_LZO; - else - fprintf(stderr, - "Unknown compression: '%s'\n", - comp[i]); - } - comp_priority[j] = 0; + int i, j; + if (comp != NULL && ncomp > 0) { + for (j = i = 0; i < ncomp; i++) { + if (strncasecmp(comp[i], "NUL", 3) == 0) + comp_priority[j++] = GNUTLS_COMP_NULL; + else if (strncasecmp(comp[i], "ZLI", 3) == 0) + comp_priority[j++] = GNUTLS_COMP_DEFLATE; + else if (strncasecmp(comp[i], "DEF", 3) == 0) + comp_priority[j++] = GNUTLS_COMP_DEFLATE; + else if (strncasecmp(comp[i], "LZO", 3) == 0) + comp_priority[j++] = GNUTLS_COMP_LZO; + else + fprintf(stderr, "Unknown compression: '%s'\n", comp[i]); } + comp_priority[j] = 0; + } } @@ -785,28 +728,28 @@ void parse_comp(char **comp, int ncomp, int *comp_priority) const char *inet_ntop(int af, const void *src, char *dst, size_t cnt) { - char *ret; + char *ret; - ret = inet_ntoa(*((struct in_addr *) src)); + ret = inet_ntoa(*((struct in_addr *) src)); - if (ret == NULL || strlen(ret) > cnt) { - return NULL; - } - strcpy(dst, ret); + if (ret == NULL || strlen(ret) > cnt) { + return NULL; + } + strcpy(dst, ret); - return dst; + return dst; } #endif void sockets_init(void) { #ifdef _WIN32 - WORD wVersionRequested; - WSADATA wsaData; + WORD wVersionRequested; + WSADATA wsaData; - wVersionRequested = MAKEWORD(1, 1); - if (WSAStartup(wVersionRequested, &wsaData) != 0) { - perror("WSA_STARTUP_ERROR"); - } + wVersionRequested = MAKEWORD(1, 1); + if (WSAStartup(wVersionRequested, &wsaData) != 0) { + perror("WSA_STARTUP_ERROR"); + } #endif } diff --git a/src/crypt-gaa.c b/src/crypt-gaa.c index 3f055a4e83..0f71f3c1d7 100644 --- a/src/crypt-gaa.c +++ b/src/crypt-gaa.c @@ -21,123 +21,114 @@ #endif #endif -static void* gaa_malloc( size_t size) { -void* ret; - ret = malloc(size); - if (ret==NULL) { - fprintf(stderr, "gaa: could not allocate memory"); - exit(1); - } - return ret; +static void *gaa_malloc(size_t size) +{ + void *ret; + ret = malloc(size); + if (ret == NULL) { + fprintf(stderr, "gaa: could not allocate memory"); + exit(1); + } + return ret; } -static void __gaa_helpsingle(char short_name, char *name, - char *arg_desc, char *opt_help) +static void __gaa_helpsingle(char short_name, char *name, + char *arg_desc, char *opt_help) { - int col1, col3, col4, tabsize = 3, curr; - int i; - - col1 = 5; /* Default values */ - col3 = 30; - col4 = 70; - - curr = 0; - for(i = 0; i < col1; i++) - { - printf(" "); - curr++; - } - if(short_name) - { - if(name && *name) - { - printf("-%c, ", short_name); - curr += 4; - } - else - { - printf("-%c ", short_name); - curr += 3; - } - } - if(name && *name) - { - printf("--%s ", name); - curr += 3 + strlen(name); - } - if(arg_desc && *arg_desc) - { - printf("%s ", arg_desc); - curr += 1 + strlen(arg_desc); - } - if(curr >= col3) - { - printf("\n"); - curr = 0; - } - if(opt_help) /* let's print the option's help body */ - { - const char *str = opt_help; - while(*str) - { - while(curr < col3) - { - printf(" "); - curr++; - } - switch(*str) - { - case '\n': - printf("\n"); - curr = 0; - break; - case '\t': - do - { - printf(" "); - curr++; - } - while((curr - col3) % tabsize != 0 && curr < col4); - case ' ': - if(*str == ' ') - { - curr++; - printf(" "); - } - for(i = 1; str[i] && str[i] != ' ' && str[i] != '\n' - && str[i] != '\t'; i++); - if(curr + i - 1 >= col4) - curr = col4; - break; - default: - printf("%c", *str); - curr++; - } - if(curr >= col4) - { - printf("\n"); - curr = 0; - } - str++; - } - } - printf("\n"); + int col1, col3, col4, tabsize = 3, curr; + int i; + + col1 = 5; /* Default values */ + col3 = 30; + col4 = 70; + + curr = 0; + for (i = 0; i < col1; i++) { + printf(" "); + curr++; + } + if (short_name) { + if (name && *name) { + printf("-%c, ", short_name); + curr += 4; + } else { + printf("-%c ", short_name); + curr += 3; + } + } + if (name && *name) { + printf("--%s ", name); + curr += 3 + strlen(name); + } + if (arg_desc && *arg_desc) { + printf("%s ", arg_desc); + curr += 1 + strlen(arg_desc); + } + if (curr >= col3) { + printf("\n"); + curr = 0; + } + if (opt_help) { /* let's print the option's help body */ + const char *str = opt_help; + while (*str) { + while (curr < col3) { + printf(" "); + curr++; + } + switch (*str) { + case '\n': + printf("\n"); + curr = 0; + break; + case '\t': + do { + printf(" "); + curr++; + } + while ((curr - col3) % tabsize != 0 && curr < col4); + case ' ': + if (*str == ' ') { + curr++; + printf(" "); + } + for (i = 1; str[i] && str[i] != ' ' && str[i] != '\n' + && str[i] != '\t'; i++); + if (curr + i - 1 >= col4) + curr = col4; + break; + default: + printf("%c", *str); + curr++; + } + if (curr >= col4) { + printf("\n"); + curr = 0; + } + str++; + } + } + printf("\n"); } void gaa_help(void) { - printf("Srptool help\nUsage : srptool [options]\n"); - __gaa_helpsingle('u', "username", "username ", "specify username."); - __gaa_helpsingle('p', "passwd", "FILE ", "specify a password file."); - __gaa_helpsingle('i', "index", "INDEX ", "specify the index of the parameters in tpasswd.conf to use."); - __gaa_helpsingle('s', "salt", "SALT ", "specify salt size for crypt algorithm."); - __gaa_helpsingle(0, "verify", "", "just verify password."); - __gaa_helpsingle('c', "passwd-conf", "FILE ", "specify a password conf file."); - __gaa_helpsingle(0, "create-conf", "FILE ", "Generate a tpasswd.conf file."); - __gaa_helpsingle('h', "help", "", "shows this help text"); + printf("Srptool help\nUsage : srptool [options]\n"); + __gaa_helpsingle('u', "username", "username ", "specify username."); + __gaa_helpsingle('p', "passwd", "FILE ", "specify a password file."); + __gaa_helpsingle('i', "index", "INDEX ", + "specify the index of the parameters in tpasswd.conf to use."); + __gaa_helpsingle('s', "salt", "SALT ", + "specify salt size for crypt algorithm."); + __gaa_helpsingle(0, "verify", "", "just verify password."); + __gaa_helpsingle('c', "passwd-conf", "FILE ", + "specify a password conf file."); + __gaa_helpsingle(0, "create-conf", "FILE ", + "Generate a tpasswd.conf file."); + __gaa_helpsingle('h', "help", "", "shows this help text"); #line 100 "gaa.skel" } + /* Copy of C area */ #line 104 "gaa.skel" @@ -147,54 +138,46 @@ void gaa_help(void) typedef struct _gaainfo gaainfo; -struct _gaainfo -{ +struct _gaainfo { #line 32 "crypt.gaa" - char *create_conf; + char *create_conf; #line 29 "crypt.gaa" - char *passwd_conf; + char *passwd_conf; #line 26 "crypt.gaa" - int verify; + int verify; #line 23 "crypt.gaa" - int salt; + int salt; #line 20 "crypt.gaa" - int index; + int index; #line 17 "crypt.gaa" - char *passwd; + char *passwd; #line 14 "crypt.gaa" - char *username; + char *username; #line 114 "gaa.skel" }; #ifdef __cplusplus -extern "C" -{ +extern "C" { #endif - int gaa(int argc, char *argv[], gaainfo *gaaval); + int gaa(int argc, char *argv[], gaainfo * gaaval); void gaa_help(void); - - int gaa_file(const char *name, gaainfo *gaaval); - + + int gaa_file(const char *name, gaainfo * gaaval); + #ifdef __cplusplus } #endif - - #endif - #line 135 "gaa.skel" - /* C declarations */ - #define GAAERROR(x) \ { \ gaa_error = 1; \ return x; \ } - static char *gaa_current_option; static int gaa_error = 0; @@ -268,7 +251,7 @@ if(gaa_error == 1) \ { \ gaa_error = 0; \ return GAA_ERROR_INVALID_ARG; \ -} +} @@ -346,7 +329,7 @@ if(k == 0) \ printf("You must give at least one option of '%s'\n", str); \ return 0; \ } - + #define GAA_INCOMP(str) \ k = 0; \ for(i = 0; i < strlen(str); i++) \ @@ -365,7 +348,7 @@ if(k > 1) \ printf("The options '%s' are incompatible\n", str); \ return 0; \ } - + static char **GAAargv; static int GAAargc; @@ -377,25 +360,25 @@ static int gaa_getint(char *arg) { int tmp; char a; - if(sscanf(arg, "%d%c", &tmp, &a) < 1) - { - printf("Option %s: '%s' isn't an integer\n", gaa_current_option, arg); - GAAERROR(-1); + if (sscanf(arg, "%d%c", &tmp, &a) < 1) { + printf("Option %s: '%s' isn't an integer\n", gaa_current_option, + arg); + GAAERROR(-1); } return tmp; } static char gaa_getchar(char *arg) { - if(strlen(arg) != 1) - { - printf("Option %s: '%s' isn't an character\n", gaa_current_option, arg); - GAAERROR(-1); + if (strlen(arg) != 1) { + printf("Option %s: '%s' isn't an character\n", gaa_current_option, + arg); + GAAERROR(-1); } return arg[0]; } -static char* gaa_getstr(char *arg) +static char *gaa_getstr(char *arg) { return arg; } @@ -403,120 +386,115 @@ static float gaa_getfloat(char *arg) { float tmp; char a; - if(sscanf(arg, "%f%c", &tmp, &a) < 1) - { - printf("Option %s: '%s' isn't a float number\n", gaa_current_option, arg); - GAAERROR(-1); + if (sscanf(arg, "%f%c", &tmp, &a) < 1) { + printf("Option %s: '%s' isn't a float number\n", + gaa_current_option, arg); + GAAERROR(-1); } return tmp; } + /* option structures */ -struct GAAOPTION_create_conf -{ - char* arg1; - int size1; +struct GAAOPTION_create_conf { + char *arg1; + int size1; }; -struct GAAOPTION_passwd_conf -{ - char* arg1; - int size1; +struct GAAOPTION_passwd_conf { + char *arg1; + int size1; }; -struct GAAOPTION_salt -{ - int arg1; - int size1; +struct GAAOPTION_salt { + int arg1; + int size1; }; -struct GAAOPTION_index -{ - int arg1; - int size1; +struct GAAOPTION_index { + int arg1; + int size1; }; -struct GAAOPTION_passwd -{ - char* arg1; - int size1; +struct GAAOPTION_passwd { + char *arg1; + int size1; }; -struct GAAOPTION_username -{ - char* arg1; - int size1; +struct GAAOPTION_username { + char *arg1; + int size1; }; - + #line 349 "gaa.skel" static int gaa_is_an_argument(char *str) { #ifdef GAA_WIN32 - if(str[0] == '/' && str[1] != 0) + if (str[0] == '/' && str[1] != 0) return GAA_MULTIPLE_OPTION; #endif - if(str[0] != '-') - return GAA_NOT_AN_OPTION; - if(str[1] == 0) - return GAA_NOT_AN_OPTION; - if(str[1] == '-') - { - if(str[2] != 0) - return GAA_WORD_OPTION; - else - return GAA_NOT_AN_OPTION; + if (str[0] != '-') + return GAA_NOT_AN_OPTION; + if (str[1] == 0) + return GAA_NOT_AN_OPTION; + if (str[1] == '-') { + if (str[2] != 0) + return GAA_WORD_OPTION; + else + return GAA_NOT_AN_OPTION; } - if(str[2] == 0) - return GAA_LETTER_OPTION; + if (str[2] == 0) + return GAA_LETTER_OPTION; else - return GAA_MULTIPLE_OPTION; + return GAA_MULTIPLE_OPTION; } static int gaa_get_option_num(char *str, int status) { - switch(status) - { - case GAA_LETTER_OPTION: - GAA_CHECK1STR("", GAAOPTID_create_conf); - GAA_CHECK1STR("c", GAAOPTID_passwd_conf); - GAA_CHECK1STR("s", GAAOPTID_salt); - GAA_CHECK1STR("i", GAAOPTID_index); - GAA_CHECK1STR("p", GAAOPTID_passwd); - GAA_CHECK1STR("u", GAAOPTID_username); - case GAA_MULTIPLE_OPTION: + switch (status) { + case GAA_LETTER_OPTION: + GAA_CHECK1STR("", GAAOPTID_create_conf); + GAA_CHECK1STR("c", GAAOPTID_passwd_conf); + GAA_CHECK1STR("s", GAAOPTID_salt); + GAA_CHECK1STR("i", GAAOPTID_index); + GAA_CHECK1STR("p", GAAOPTID_passwd); + GAA_CHECK1STR("u", GAAOPTID_username); + case GAA_MULTIPLE_OPTION: #line 375 "gaa.skel" - GAA_CHECK1STR("h", GAAOPTID_help); - GAA_CHECK1STR("", GAAOPTID_verify); + GAA_CHECK1STR("h", GAAOPTID_help); + GAA_CHECK1STR("", GAAOPTID_verify); #line 277 "gaa.skel" - break; - case GAA_WORD_OPTION: - GAA_CHECKSTR("help", GAAOPTID_help); - GAA_CHECKSTR("create-conf", GAAOPTID_create_conf); - GAA_CHECKSTR("passwd-conf", GAAOPTID_passwd_conf); - GAA_CHECKSTR("verify", GAAOPTID_verify); - GAA_CHECKSTR("salt", GAAOPTID_salt); - GAA_CHECKSTR("index", GAAOPTID_index); - GAA_CHECKSTR("passwd", GAAOPTID_passwd); - GAA_CHECKSTR("username", GAAOPTID_username); + break; + case GAA_WORD_OPTION: + GAA_CHECKSTR("help", GAAOPTID_help); + GAA_CHECKSTR("create-conf", GAAOPTID_create_conf); + GAA_CHECKSTR("passwd-conf", GAAOPTID_passwd_conf); + GAA_CHECKSTR("verify", GAAOPTID_verify); + GAA_CHECKSTR("salt", GAAOPTID_salt); + GAA_CHECKSTR("index", GAAOPTID_index); + GAA_CHECKSTR("passwd", GAAOPTID_passwd); + GAA_CHECKSTR("username", GAAOPTID_username); #line 281 "gaa.skel" break; - default: break; - } + default: + break; + } return GAA_ERROR_NOMATCH; } -static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) +static int gaa_try(int gaa_num, int gaa_index, gaainfo * gaaval, + char *opt_list) { int OK = 0; int gaa_last_non_option; - struct GAAOPTION_create_conf GAATMP_create_conf; - struct GAAOPTION_passwd_conf GAATMP_passwd_conf; - struct GAAOPTION_salt GAATMP_salt; - struct GAAOPTION_index GAATMP_index; - struct GAAOPTION_passwd GAATMP_passwd; - struct GAAOPTION_username GAATMP_username; + struct GAAOPTION_create_conf GAATMP_create_conf; + struct GAAOPTION_passwd_conf GAATMP_passwd_conf; + struct GAAOPTION_salt GAATMP_salt; + struct GAAOPTION_index GAATMP_index; + struct GAAOPTION_passwd GAATMP_passwd; + struct GAAOPTION_username GAATMP_username; #line 393 "gaa.skel" #ifdef GAA_REST_EXISTS @@ -524,101 +502,120 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) #endif opt_list[gaa_num] = 1; - - for(gaa_last_non_option = gaa_index; - (gaa_last_non_option != GAAargc) && (gaa_is_an_argument(GAAargv[gaa_last_non_option]) == GAA_NOT_AN_OPTION); - gaa_last_non_option++); - - if(gaa_num == GAA_REST) - { - gaa_index = 1; - gaa_last_non_option = GAAargc; + + for (gaa_last_non_option = gaa_index; + (gaa_last_non_option != GAAargc) + && (gaa_is_an_argument(GAAargv[gaa_last_non_option]) == + GAA_NOT_AN_OPTION); gaa_last_non_option++); + + if (gaa_num == GAA_REST) { + gaa_index = 1; + gaa_last_non_option = GAAargc; } - - switch(gaa_num) - { - case GAAOPTID_help: + + switch (gaa_num) { + case GAAOPTID_help: OK = 0; #line 35 "crypt.gaa" -{ gaa_help(); exit(0); ;}; + { + gaa_help(); + exit(0);; + }; - return GAA_OK; - break; - case GAAOPTID_create_conf: + return GAA_OK; + break; + case GAAOPTID_create_conf: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_create_conf.arg1, gaa_getstr, GAATMP_create_conf.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_create_conf.arg1, gaa_getstr, + GAATMP_create_conf.size1); + gaa_index++; #line 33 "crypt.gaa" -{ gaaval->create_conf = GAATMP_create_conf.arg1 ;}; + { + gaaval->create_conf = GAATMP_create_conf.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_passwd_conf: + return GAA_OK; + break; + case GAAOPTID_passwd_conf: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_passwd_conf.arg1, gaa_getstr, GAATMP_passwd_conf.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_passwd_conf.arg1, gaa_getstr, + GAATMP_passwd_conf.size1); + gaa_index++; #line 30 "crypt.gaa" -{ gaaval->passwd_conf = GAATMP_passwd_conf.arg1 ;}; + { + gaaval->passwd_conf = GAATMP_passwd_conf.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_verify: + return GAA_OK; + break; + case GAAOPTID_verify: OK = 0; #line 27 "crypt.gaa" -{ gaaval->verify = 1 ;}; + { + gaaval->verify = 1; + }; - return GAA_OK; - break; - case GAAOPTID_salt: + return GAA_OK; + break; + case GAAOPTID_salt: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_salt.arg1, gaa_getint, GAATMP_salt.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_salt.arg1, gaa_getint, GAATMP_salt.size1); + gaa_index++; #line 24 "crypt.gaa" -{ gaaval->salt = GAATMP_salt.arg1 ;}; + { + gaaval->salt = GAATMP_salt.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_index: + return GAA_OK; + break; + case GAAOPTID_index: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_index.arg1, gaa_getint, GAATMP_index.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_index.arg1, gaa_getint, GAATMP_index.size1); + gaa_index++; #line 21 "crypt.gaa" -{ gaaval->index = GAATMP_index.arg1 ;}; + { + gaaval->index = GAATMP_index.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_passwd: + return GAA_OK; + break; + case GAAOPTID_passwd: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_passwd.arg1, gaa_getstr, GAATMP_passwd.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_passwd.arg1, gaa_getstr, GAATMP_passwd.size1); + gaa_index++; #line 18 "crypt.gaa" -{ gaaval->passwd = GAATMP_passwd.arg1 ;}; + { + gaaval->passwd = GAATMP_passwd.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_username: + return GAA_OK; + break; + case GAAOPTID_username: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_username.arg1, gaa_getstr, GAATMP_username.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_username.arg1, gaa_getstr, GAATMP_username.size1); + gaa_index++; #line 15 "crypt.gaa" -{ gaaval->username = GAATMP_username.arg1 ;}; + { + gaaval->username = GAATMP_username.arg1; + }; - return GAA_OK; - break; + return GAA_OK; + break; #line 413 "gaa.skel" - default: break; + default: + break; } return GAA_ERROR_UNKNOWN; } -int gaa(int argc, char **argv, gaainfo *gaaval) +int gaa(int argc, char **argv, gaainfo * gaaval) { int tmp1, tmp2; int i, j; @@ -627,18 +624,23 @@ int gaa(int argc, char **argv, gaainfo *gaaval) GAAargv = argv; GAAargc = argc; - opt_list = (char*) gaa_malloc(GAA_NB_OPTION + 1); + opt_list = (char *) gaa_malloc(GAA_NB_OPTION + 1); - for(i = 0; i < GAA_NB_OPTION + 1; i++) - opt_list[i] = 0; + for (i = 0; i < GAA_NB_OPTION + 1; i++) + opt_list[i] = 0; /* initialization */ - if(inited == 0) - { + if (inited == 0) { #line 37 "crypt.gaa" -{ gaaval->username=NULL; gaaval->passwd=NULL; gaaval->salt=0; - gaaval->create_conf=NULL; gaaval->passwd_conf=NULL; gaaval->verify = 0; - gaaval->index = 1; ;}; + { + gaaval->username = NULL; + gaaval->passwd = NULL; + gaaval->salt = 0; + gaaval->create_conf = NULL; + gaaval->passwd_conf = NULL; + gaaval->verify = 0; + gaaval->index = 1;; + }; } inited = 1; @@ -646,186 +648,173 @@ int gaa(int argc, char **argv, gaainfo *gaaval) gaa_arg_used = NULL; if (argc > 0) { - gaa_arg_used = gaa_malloc(argc * sizeof(char)); + gaa_arg_used = gaa_malloc(argc * sizeof(char)); } - for(i = 1; i < argc; i++) - gaa_arg_used[i] = 0; - for(i = 1; i < argc; i++) - { - if(gaa_arg_used[i] == 0) - { - j = 0; - tmp1 = gaa_is_an_argument(GAAargv[i]); - switch(tmp1) - { - case GAA_WORD_OPTION: - j++; - case GAA_LETTER_OPTION: - j++; - tmp2 = gaa_get_option_num(argv[i]+j, tmp1); - if(tmp2 == GAA_ERROR_NOMATCH) - { - printf("Invalid option '%s'\n", argv[i]+j); - return 0; - } - switch(gaa_try(tmp2, i+1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("'%s': not enough arguments\n",gaa_current_option); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } - gaa_arg_used[i] = 1; - break; - case GAA_MULTIPLE_OPTION: - for(j = 1; j < strlen(argv[i]); j++) - { - tmp2 = gaa_get_option_num(argv[i]+j, tmp1); - if(tmp2 == GAA_ERROR_NOMATCH) - { - printf("Invalid option '%c'\n", *(argv[i]+j)); - return 0; - } - switch(gaa_try(tmp2, i+1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("'%s': not enough arguments\n",gaa_current_option); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } - } - gaa_arg_used[i] = 1; - break; - default: break; - } - } + for (i = 1; i < argc; i++) + gaa_arg_used[i] = 0; + for (i = 1; i < argc; i++) { + if (gaa_arg_used[i] == 0) { + j = 0; + tmp1 = gaa_is_an_argument(GAAargv[i]); + switch (tmp1) { + case GAA_WORD_OPTION: + j++; + case GAA_LETTER_OPTION: + j++; + tmp2 = gaa_get_option_num(argv[i] + j, tmp1); + if (tmp2 == GAA_ERROR_NOMATCH) { + printf("Invalid option '%s'\n", argv[i] + j); + return 0; + } + switch (gaa_try(tmp2, i + 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("'%s': not enough arguments\n", + gaa_current_option); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } + gaa_arg_used[i] = 1; + break; + case GAA_MULTIPLE_OPTION: + for (j = 1; j < strlen(argv[i]); j++) { + tmp2 = gaa_get_option_num(argv[i] + j, tmp1); + if (tmp2 == GAA_ERROR_NOMATCH) { + printf("Invalid option '%c'\n", *(argv[i] + j)); + return 0; + } + switch (gaa_try(tmp2, i + 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("'%s': not enough arguments\n", + gaa_current_option); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } + } + gaa_arg_used[i] = 1; + break; + default: + break; + } + } } -if(gaa_processing_file == 0) -{ + if (gaa_processing_file == 0) { #line 507 "gaa.skel" #ifdef GAA_REST_EXISTS - switch(gaa_try(GAA_REST, 1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("Rest: not enough arguments\n"); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } + switch (gaa_try(GAA_REST, 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("Rest: not enough arguments\n"); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } #endif -} - for(i = 1; i < argc; i++) - { - if(gaa_arg_used[i] == 0) - { - printf("Too many arguments\n"); - return 0; - } + } + for (i = 1; i < argc; i++) { + if (gaa_arg_used[i] == 0) { + printf("Too many arguments\n"); + return 0; + } } free(gaa_arg_used); free(opt_list); return -1; } -struct gaastrnode -{ +struct gaastrnode { char *str; struct gaastrnode *next; }; typedef struct gaastrnode gaa_str_node; -static int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc) +static int gaa_internal_get_next_str(FILE * file, gaa_str_node * tmp_str, + int argc) { int pos_ini; int a; int i = 0, len = 0, newline = 0; - if(argc == 1) { - newline = 1; - len = 2; + if (argc == 1) { + newline = 1; + len = 2; } - - a = fgetc( file); - if (a == EOF) return 0; - - while(a == ' ' || a == 9 || a == '\n') - { - if(a == '\n') - { - newline=1; - len = 2; - } - a = fgetc( file); - if (a == EOF) return 0; + + a = fgetc(file); + if (a == EOF) + return 0; + + while (a == ' ' || a == 9 || a == '\n') { + if (a == '\n') { + newline = 1; + len = 2; + } + a = fgetc(file); + if (a == EOF) + return 0; } pos_ini = ftell(file) - 1; - while(a != ' ' && a != 9 && a != '\n') - { + while (a != ' ' && a != 9 && a != '\n') { - len++; - a = fgetc( file); - if(a==EOF) return 0; //a = ' '; + len++; + a = fgetc(file); + if (a == EOF) + return 0; //a = ' '; } len += 1; tmp_str->str = gaa_malloc((len) * sizeof(char)); - if(newline == 1) - { - tmp_str->str[0] = '-'; - tmp_str->str[1] = '-'; - i = 2; - } - else - { - i = 0; + if (newline == 1) { + tmp_str->str[0] = '-'; + tmp_str->str[1] = '-'; + i = 2; + } else { + i = 0; } - fseek(file,pos_ini, SEEK_SET); - do - { - a = fgetc( file); - - if (a == EOF) { - i+=2; - break; - } - tmp_str->str[i] = a; - i++; + fseek(file, pos_ini, SEEK_SET); + do { + a = fgetc(file); + + if (a == EOF) { + i += 2; + break; + } + tmp_str->str[i] = a; + i++; } - while(a != ' ' && a != 9 && a != '\n' && i < len); + while (a != ' ' && a != 9 && a != '\n' && i < len); tmp_str->str[i - 1] = 0; - fseek(file,- 1, SEEK_CUR); + fseek(file, -1, SEEK_CUR); /* printf("%d\n", ftell(file)); */ - + return -1; } -int gaa_file(const char *name, gaainfo *gaaval) +int gaa_file(const char *name, gaainfo * gaaval) { gaa_str_node *first_str, **tmp_str, *tmp_str2; int rval, i; @@ -834,38 +823,36 @@ int gaa_file(const char *name, gaainfo *gaaval) FILE *file; gaa_processing_file = 1; - - if((file = fopen(name, "r")) == NULL) - { - printf("Couldn't open '%s' configuration file for reading\n", name); - return 1; + + if ((file = fopen(name, "r")) == NULL) { + printf("Couldn't open '%s' configuration file for reading\n", + name); + return 1; } - + tmp_str = &first_str; - do - { - argc++; - *tmp_str = gaa_malloc(sizeof(gaa_str_node)); + do { + argc++; + *tmp_str = gaa_malloc(sizeof(gaa_str_node)); - (*tmp_str)->str = NULL; - (*tmp_str)->next = NULL; + (*tmp_str)->str = NULL; + (*tmp_str)->next = NULL; - rval = gaa_internal_get_next_str(file, *tmp_str, argc); - tmp_str = &((*tmp_str)->next); + rval = gaa_internal_get_next_str(file, *tmp_str, argc); + tmp_str = &((*tmp_str)->next); } - while(rval == -1); - - if(rval == 1) - return 0; - - argv = gaa_malloc((1 + argc) * sizeof(char*)); + while (rval == -1); + + if (rval == 1) + return 0; + + argv = gaa_malloc((1 + argc) * sizeof(char *)); tmp_str2 = first_str; argv[0] = "cfg"; - for(i = 1; i < argc; i++) - { - argv[i] = tmp_str2->str; - tmp_str2 = tmp_str2->next; + for (i = 1; i < argc; i++) { + argv[i] = tmp_str2->str; + tmp_str2 = tmp_str2->next; } rval = gaa(argc, argv, gaaval); diff --git a/src/crypt.c b/src/crypt.c index 0d36a3b668..b3f7a7cce1 100644 --- a/src/crypt.c +++ b/src/crypt.c @@ -25,9 +25,9 @@ #include <stdio.h> -int main (int argc, char **argv) +int main(int argc, char **argv) { - printf ("\nSRP not supported. This program is a dummy.\n\n"); + printf("\nSRP not supported. This program is a dummy.\n\n"); return 1; }; @@ -38,7 +38,7 @@ int main (int argc, char **argv) #include <stdlib.h> #include <gnutls/gnutls.h> #include <gnutls/extra.h> -#include <gcrypt.h> /* for randomize */ +#include <gcrypt.h> /* for randomize */ #include <crypt-gaa.h> #include <getpass.h> @@ -61,78 +61,82 @@ int main (int argc, char **argv) int crypt_int(const char *username, const char *passwd, int salt, char *tpasswd_conf, char *tpasswd, int uindex); static int read_conf_values(gnutls_datum * g, gnutls_datum * n, char *str); -static int _verify_passwd_int(const char* username, const char* passwd, char* verifier, char* salt, - const gnutls_datum* g, const gnutls_datum* n); +static int _verify_passwd_int(const char *username, const char *passwd, + char *verifier, char *salt, + const gnutls_datum * g, + const gnutls_datum * n); -static void print_num( const char* msg, const gnutls_datum * num) +static void print_num(const char *msg, const gnutls_datum * num) { -unsigned int i; + unsigned int i; - printf( "%s:\t", msg); + printf("%s:\t", msg); - for (i=0;i<num->size;i++) { - if (i!=0 && i%12==0) printf("\n\t"); - else if (i!=0 && i!=num->size) printf( ":"); - printf( "%.2x", num->data[i]); - } - printf("\n\n"); + for (i = 0; i < num->size; i++) { + if (i != 0 && i % 12 == 0) + printf("\n\t"); + else if (i != 0 && i != num->size) + printf(":"); + printf("%.2x", num->data[i]); + } + printf("\n\n"); } int generate_create_conf(char *tpasswd_conf) { - FILE *fd; - char line[5 * 1024]; - int index = 1; - gnutls_datum g, n; - gnutls_datum str_g, str_n; + FILE *fd; + char line[5 * 1024]; + int index = 1; + gnutls_datum g, n; + gnutls_datum str_g, str_n; + + fd = fopen(tpasswd_conf, "w"); + if (fd == NULL) { + fprintf(stderr, "Cannot open file '%s'\n", tpasswd_conf); + return -1; + } - fd = fopen(tpasswd_conf, "w"); - if (fd == NULL) { - fprintf(stderr, "Cannot open file '%s'\n", tpasswd_conf); - return -1; + for (index = 1; index <= 3; index++) { + + if (index == 1) { + n = gnutls_srp_1024_group_prime; + g = gnutls_srp_1024_group_generator; + } else if (index == 2) { + n = gnutls_srp_1536_group_prime; + g = gnutls_srp_1536_group_generator; + } else { + n = gnutls_srp_2048_group_prime; + g = gnutls_srp_2048_group_generator; } - for (index = 1; index <= 3; index++) { - - if (index == 1) { - n = gnutls_srp_1024_group_prime; - g = gnutls_srp_1024_group_generator; - } else if (index==2) { - n = gnutls_srp_1536_group_prime; - g = gnutls_srp_1536_group_generator; - } else { - n = gnutls_srp_2048_group_prime; - g = gnutls_srp_2048_group_generator; - } - - printf("\nGroup %d, of %d bits:\n", index, n.size*8); - print_num("Generator", &g); - print_num("Prime", &n); - - if (gnutls_srp_base64_encode_alloc( &n, &str_n) < 0) { - fprintf(stderr, "Could not encode\n"); - return -1; - } - - if (gnutls_srp_base64_encode_alloc( &g, &str_g) < 0) { - fprintf(stderr, "Could not encode\n"); - return -1; - } - - sprintf(line, "%d:%s:%s\n", index, str_n.data, str_g.data); - - gnutls_free( str_n.data); - gnutls_free( str_g.data); - - fwrite(line, 1, strlen(line), fd); + printf("\nGroup %d, of %d bits:\n", index, n.size * 8); + print_num("Generator", &g); + print_num("Prime", &n); + if (gnutls_srp_base64_encode_alloc(&n, &str_n) < 0) { + fprintf(stderr, "Could not encode\n"); + return -1; } - fclose(fd); - - return 0; + if (gnutls_srp_base64_encode_alloc(&g, &str_g) < 0) { + fprintf(stderr, "Could not encode\n"); + return -1; + } + + sprintf(line, "%d:%s:%s\n", index, str_n.data, str_g.data); + + gnutls_free(str_n.data); + gnutls_free(str_g.data); + + fwrite(line, 1, strlen(line), fd); + + } + + fclose(fd); + + return 0; } @@ -141,207 +145,213 @@ int generate_create_conf(char *tpasswd_conf) * * index is the index of the prime-generator pair in tpasswd.conf */ -static int _verify_passwd_int(const char* username, const char* passwd, char* verifier, - char* salt, const gnutls_datum* g, const gnutls_datum* n) +static int _verify_passwd_int(const char *username, const char *passwd, + char *verifier, char *salt, + const gnutls_datum * g, + const gnutls_datum * n) { -char _salt[1024]; -gnutls_datum tmp, raw_salt, new_verifier; -int salt_size; -char *pos; + char _salt[1024]; + gnutls_datum tmp, raw_salt, new_verifier; + int salt_size; + char *pos; + + if (salt == NULL || verifier == NULL) + return -1; - if (salt==NULL || verifier==NULL) return -1; + /* copy salt, and null terminate after the ':' */ + strcpy(_salt, salt); + pos = strchr(_salt, ':'); + if (pos != NULL) + *pos = 0; - /* copy salt, and null terminate after the ':' */ - strcpy( _salt, salt); - pos = strchr(_salt, ':'); - if (pos!=NULL) *pos = 0; + /* convert salt to binary. */ + tmp.data = _salt; + tmp.size = strlen(_salt); - /* convert salt to binary. */ - tmp.data = _salt; - tmp.size = strlen(_salt); + if (gnutls_srp_base64_decode_alloc(&tmp, &raw_salt) < 0) { + fprintf(stderr, "Could not decode salt.\n"); + return -1; + } - if (gnutls_srp_base64_decode_alloc( &tmp, &raw_salt) < 0) { - fprintf(stderr, "Could not decode salt.\n"); - return -1; - } + if (gnutls_srp_verifier + (username, passwd, &raw_salt, g, n, &new_verifier) < 0) { + fprintf(stderr, "Could not make the verifier\n"); + return -1; + } - if (gnutls_srp_verifier( username, passwd, &raw_salt, g, n, &new_verifier) < 0) - { - fprintf(stderr, "Could not make the verifier\n"); - return -1; - } - - free( raw_salt.data); - - /* encode the verifier into _salt */ - salt_size = sizeof(_salt); - if (gnutls_srp_base64_encode( &new_verifier, _salt, &salt_size) < 0) { - fprintf(stderr, "Encoding error\n"); - return -1; - } - - free( new_verifier.data); + free(raw_salt.data); - if (strncmp( verifier, _salt, strlen(_salt))==0) { - fprintf(stderr, "Password verified\n"); - return 0; - } else { - fprintf(stderr, - "Password does NOT match\n"); - } + /* encode the verifier into _salt */ + salt_size = sizeof(_salt); + if (gnutls_srp_base64_encode(&new_verifier, _salt, &salt_size) < 0) { + fprintf(stderr, "Encoding error\n"); return -1; -} + } -static int filecopy( char* src, char* dst) { -FILE *fd, *fd2; -char line[5*1024]; -char *p; - - fd = fopen(dst, "w"); - if (fd == NULL) { - fprintf(stderr, "Cannot open '%s' for write\n", - dst); - return -1; - } - - fd2 = fopen(src, "r"); - if (fd2 == NULL) { - /* empty file */ - fclose(fd); - return 0; - } - - line[sizeof(line)-1] = 0; - do { - p = fgets( line, sizeof(line)-1, fd2); - if (p==NULL) break; - - fputs( line, fd); - } while(1); - - fclose(fd); - fclose(fd2); - - return 0; -} + free(new_verifier.data); -/* accepts password file */ -static int find_strchr(char* username, char* file) { -FILE * fd; -char *pos; -char line[5*1024]; -unsigned int i; + if (strncmp(verifier, _salt, strlen(_salt)) == 0) { + fprintf(stderr, "Password verified\n"); + return 0; + } else { + fprintf(stderr, "Password does NOT match\n"); + } + return -1; +} - fd = fopen(file, "r"); - if (fd == NULL) { - fprintf(stderr, "Cannot open file '%s'\n", file); - return -1; - } +static int filecopy(char *src, char *dst) +{ + FILE *fd, *fd2; + char line[5 * 1024]; + char *p; - while (fgets(line, sizeof(line), fd) != NULL) { - /* move to first ':' */ - i = 0; - while ((line[i] != ':') && (line[i] != '\0') - && (i < sizeof(line))) { - i++; - } - if (strncmp(username, line, _MAX(i,strlen(username)) ) == 0) { - /* find the index */ - pos = strrchr(line, ':'); - pos++; - fclose(fd); - return atoi(pos); - } - } + fd = fopen(dst, "w"); + if (fd == NULL) { + fprintf(stderr, "Cannot open '%s' for write\n", dst); + return -1; + } + fd2 = fopen(src, "r"); + if (fd2 == NULL) { + /* empty file */ fclose(fd); + return 0; + } + + line[sizeof(line) - 1] = 0; + do { + p = fgets(line, sizeof(line) - 1, fd2); + if (p == NULL) + break; + + fputs(line, fd); + } while (1); + + fclose(fd); + fclose(fd2); + + return 0; +} + +/* accepts password file */ +static int find_strchr(char *username, char *file) +{ + FILE *fd; + char *pos; + char line[5 * 1024]; + unsigned int i; + + fd = fopen(file, "r"); + if (fd == NULL) { + fprintf(stderr, "Cannot open file '%s'\n", file); return -1; + } + + while (fgets(line, sizeof(line), fd) != NULL) { + /* move to first ':' */ + i = 0; + while ((line[i] != ':') && (line[i] != '\0') + && (i < sizeof(line))) { + i++; + } + if (strncmp(username, line, _MAX(i, strlen(username))) == 0) { + /* find the index */ + pos = strrchr(line, ':'); + pos++; + fclose(fd); + return atoi(pos); + } + } + + fclose(fd); + return -1; } /* Parses the tpasswd files, in order to verify the given * username/password pair. */ -int verify_passwd(char *conffile, char *tpasswd, char *username, const char *passwd) +int verify_passwd(char *conffile, char *tpasswd, char *username, + const char *passwd) { - FILE *fd; - char line[5 * 1024]; - unsigned int i; - gnutls_datum g, n; - int iindex; - char *p, *pos; - - iindex = find_strchr( username, tpasswd); - if (iindex==-1) { - fprintf(stderr, "Cannot find '%s' in %s\n", username, tpasswd); - return -1; - } - - fd = fopen(conffile, "r"); - if (fd == NULL) { - fprintf(stderr, "Cannot find %s\n", conffile); - return -1; - } + FILE *fd; + char line[5 * 1024]; + unsigned int i; + gnutls_datum g, n; + int iindex; + char *p, *pos; + + iindex = find_strchr(username, tpasswd); + if (iindex == -1) { + fprintf(stderr, "Cannot find '%s' in %s\n", username, tpasswd); + return -1; + } - do { - p = fgets(line, sizeof(line) - 1, fd); - } while(p!=NULL && atoi(p)!=iindex); - - if (p == NULL) { - fprintf(stderr, "Cannot find entry in %s\n", conffile); - return -1; - } - line[sizeof(line) - 1] = 0; + fd = fopen(conffile, "r"); + if (fd == NULL) { + fprintf(stderr, "Cannot find %s\n", conffile); + return -1; + } - fclose(fd); + do { + p = fgets(line, sizeof(line) - 1, fd); + } while (p != NULL && atoi(p) != iindex); - if ((iindex = read_conf_values(&g, &n, line)) < 0) { + if (p == NULL) { + fprintf(stderr, "Cannot find entry in %s\n", conffile); + return -1; + } + line[sizeof(line) - 1] = 0; + + fclose(fd); + + if ((iindex = read_conf_values(&g, &n, line)) < 0) { + fprintf(stderr, "Cannot parse conf file '%s'\n", conffile); + return -1; + } + + fd = fopen(tpasswd, "r"); + if (fd == NULL) { + fprintf(stderr, "Cannot open file '%s'\n", tpasswd); + return -1; + } + + while (fgets(line, sizeof(line), fd) != NULL) { + /* move to first ':' + * This is the actual verifier. + */ + i = 0; + while ((line[i] != ':') && (line[i] != '\0') + && (i < sizeof(line))) { + i++; + } + if (strncmp(username, line, _MAX(i, strlen(username))) == 0) { + char *verifier_pos, *salt_pos; + + pos = strchr(line, ':'); + fclose(fd); + if (pos == NULL) { fprintf(stderr, "Cannot parse conf file '%s'\n", conffile); return -1; - } + } + pos++; + verifier_pos = pos; - fd = fopen(tpasswd, "r"); - if (fd == NULL) { - fprintf(stderr, "Cannot open file '%s'\n", tpasswd); + /* Move to the salt */ + pos = strchr(pos, ':'); + if (pos == NULL) { + fprintf(stderr, "Cannot parse conf file '%s'\n", conffile); return -1; - } + } + pos++; + salt_pos = pos; - while (fgets(line, sizeof(line), fd) != NULL) { - /* move to first ':' - * This is the actual verifier. - */ - i = 0; - while ((line[i] != ':') && (line[i] != '\0') - && (i < sizeof(line))) { - i++; - } - if (strncmp(username, line, _MAX(i,strlen(username)) ) == 0) { - char* verifier_pos, *salt_pos; - - pos = strchr(line, ':'); - fclose(fd); - if (pos==NULL) { - fprintf(stderr, "Cannot parse conf file '%s'\n", conffile); - return -1; - } - pos++; - verifier_pos = pos; - - /* Move to the salt */ - pos = strchr(pos, ':'); - if (pos==NULL) { - fprintf(stderr, "Cannot parse conf file '%s'\n", conffile); - return -1; - } - pos++; - salt_pos = pos; - - return _verify_passwd_int( username, passwd, - verifier_pos, salt_pos, &g, &n); - } + return _verify_passwd_int(username, passwd, + verifier_pos, salt_pos, &g, &n); } + } - fclose(fd); - return -1; + fclose(fd); + return -1; } @@ -350,228 +360,229 @@ int verify_passwd(char *conffile, char *tpasswd, char *username, const char *pas int main(int argc, char **argv) { - gaainfo info; - const char *passwd; - int salt, ret; - struct passwd *pwd; - - if ((ret=gnutls_global_init()) < 0) { - fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret)); - exit(1); - } - - if ((ret=gnutls_global_init_extra()) < 0) { - fprintf(stderr, - "global_init_extra: %s\n", gnutls_strerror(ret)); - exit(1); - } - - if (gaa(argc, argv, &info) != -1) { - fprintf(stderr, "Error in the arguments.\n"); - return -1; - } + gaainfo info; + const char *passwd; + int salt, ret; + struct passwd *pwd; + + if ((ret = gnutls_global_init()) < 0) { + fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret)); + exit(1); + } + + if ((ret = gnutls_global_init_extra()) < 0) { + fprintf(stderr, "global_init_extra: %s\n", gnutls_strerror(ret)); + exit(1); + } + + if (gaa(argc, argv, &info) != -1) { + fprintf(stderr, "Error in the arguments.\n"); + return -1; + } - salt = info.salt; + salt = info.salt; - if (info.create_conf != NULL) { - return generate_create_conf(info.create_conf); - } + if (info.create_conf != NULL) { + return generate_create_conf(info.create_conf); + } - if (info.passwd == NULL) - info.passwd = KPASSWD; - if (info.passwd_conf == NULL) - info.passwd_conf = KPASSWD_CONF; + if (info.passwd == NULL) + info.passwd = KPASSWD; + if (info.passwd_conf == NULL) + info.passwd_conf = KPASSWD_CONF; - if (info.username == NULL) { + if (info.username == NULL) { #ifndef _WIN32 - pwd = getpwuid(getuid()); + pwd = getpwuid(getuid()); - if (pwd == NULL) { - fprintf(stderr, "No such user\n"); - return -1; - } + if (pwd == NULL) { + fprintf(stderr, "No such user\n"); + return -1; + } - info.username = pwd->pw_name; + info.username = pwd->pw_name; #else - fprintf(stderr, "Please specify a user\n"); - return -1; + fprintf(stderr, "Please specify a user\n"); + return -1; #endif - } + } - salt = 16; + salt = 16; - passwd = read_pass("Enter password: "); + passwd = read_pass("Enter password: "); /* not ready yet */ - if (info.verify != 0) { - return verify_passwd(info.passwd_conf, info.passwd, - info.username, passwd); - } + if (info.verify != 0) { + return verify_passwd(info.passwd_conf, info.passwd, + info.username, passwd); + } - return crypt_int(info.username, passwd, salt, - info.passwd_conf, info.passwd, info.index); + return crypt_int(info.username, passwd, salt, + info.passwd_conf, info.passwd, info.index); } -char* _srp_crypt( const char* username, const char* passwd, int salt_size, - const gnutls_datum* g, const gnutls_datum* n) +char *_srp_crypt(const char *username, const char *passwd, int salt_size, + const gnutls_datum * g, const gnutls_datum * n) { -char salt[128]; -static char result[1024]; -gnutls_datum dat_salt, txt_salt; -gnutls_datum verifier, txt_verifier; + char salt[128]; + static char result[1024]; + gnutls_datum dat_salt, txt_salt; + gnutls_datum verifier, txt_verifier; - if ((unsigned)salt_size > sizeof(salt)) - return NULL; + if ((unsigned) salt_size > sizeof(salt)) + return NULL; - /* generate the salt - */ + /* generate the salt + */ #ifdef HAVE_GCRY_CREATE_NONCE - gcry_create_nonce( salt, salt_size); + gcry_create_nonce(salt, salt_size); #else - gcry_randomize( salt, salt_size, GCRY_WEAK_RANDOM); + gcry_randomize(salt, salt_size, GCRY_WEAK_RANDOM); #endif - dat_salt.data = salt; - dat_salt.size = salt_size; + dat_salt.data = salt; + dat_salt.size = salt_size; - if (gnutls_srp_verifier( username, passwd, &dat_salt, g, n, &verifier) < 0) { - fprintf(stderr, "Error getting verifier\n"); - return NULL; - } - - /* base64 encode the verifier */ - if (gnutls_srp_base64_encode_alloc( &verifier, &txt_verifier) < 0) { - fprintf(stderr, "Error encoding\n"); - free( verifier.data); - return NULL; - } + if (gnutls_srp_verifier(username, passwd, &dat_salt, g, n, &verifier) < + 0) { + fprintf(stderr, "Error getting verifier\n"); + return NULL; + } - free( verifier.data); + /* base64 encode the verifier */ + if (gnutls_srp_base64_encode_alloc(&verifier, &txt_verifier) < 0) { + fprintf(stderr, "Error encoding\n"); + free(verifier.data); + return NULL; + } - if (gnutls_srp_base64_encode_alloc( &dat_salt, &txt_salt) < 0) { - fprintf(stderr, "Error encoding\n"); - return NULL; - } + free(verifier.data); + + if (gnutls_srp_base64_encode_alloc(&dat_salt, &txt_salt) < 0) { + fprintf(stderr, "Error encoding\n"); + return NULL; + } + + sprintf(result, "%s:%s", txt_verifier.data, txt_salt.data); + free(txt_salt.data); + free(txt_verifier.data); + + return result; - sprintf( result, "%s:%s", txt_verifier.data, txt_salt.data); - free(txt_salt.data); - free(txt_verifier.data); - - return result; - } int crypt_int(const char *username, const char *passwd, int salt_size, char *tpasswd_conf, char *tpasswd, int uindex) { - FILE *fd; - char *cr; - gnutls_datum g, n; - char line[5 * 1024]; - char *p, *pp; - int iindex; - char tmpname[1024]; - - fd = fopen(tpasswd_conf, "r"); - if (fd == NULL) { - fprintf(stderr, "Cannot find %s\n", tpasswd_conf); - return -1; + FILE *fd; + char *cr; + gnutls_datum g, n; + char line[5 * 1024]; + char *p, *pp; + int iindex; + char tmpname[1024]; + + fd = fopen(tpasswd_conf, "r"); + if (fd == NULL) { + fprintf(stderr, "Cannot find %s\n", tpasswd_conf); + return -1; + } + + do { /* find the specified uindex in file */ + p = fgets(line, sizeof(line) - 1, fd); + iindex = atoi(p); + } while (p != NULL && iindex != uindex); + + if (p == NULL) { + fprintf(stderr, "Cannot find entry in %s\n", tpasswd_conf); + return -1; + } + line[sizeof(line) - 1] = 0; + + fclose(fd); + if ((iindex = read_conf_values(&g, &n, line)) < 0) { + fprintf(stderr, "Cannot parse conf file '%s'\n", tpasswd_conf); + return -1; + } + + cr = _srp_crypt(username, passwd, salt_size, &g, &n); + if (cr == NULL) { + fprintf(stderr, "Cannot _srp_crypt()...\n"); + return -1; + } else { + /* delete previous entry */ + struct stat st; + FILE *fd2; + int put; + + if (strlen(tpasswd) > sizeof(tmpname) + 5) { + fprintf(stderr, "file '%s' is tooooo long\n", tpasswd); + return -1; } + strcpy(tmpname, tpasswd); + strcat(tmpname, ".tmp"); - do { /* find the specified uindex in file */ - p = fgets(line, sizeof(line) - 1, fd); - iindex = atoi(p); - } while( p!=NULL && iindex!=uindex); + if (stat(tmpname, &st) != -1) { + fprintf(stderr, "file '%s' is locked\n", tpasswd); + return -1; + } - if (p == NULL) { - fprintf(stderr, "Cannot find entry in %s\n", tpasswd_conf); - return -1; + if (filecopy(tpasswd, tmpname) != 0) { + fprintf(stderr, "Cannot copy '%s' to '%s'\n", + tpasswd, tmpname); + return -1; } - line[sizeof(line) - 1] = 0; - fclose(fd); - if ((iindex = read_conf_values(&g, &n, line)) < 0) { - fprintf(stderr, "Cannot parse conf file '%s'\n", - tpasswd_conf); - return -1; + fd = fopen(tpasswd, "w"); + if (fd == NULL) { + fprintf(stderr, "Cannot open '%s' for write\n", tpasswd); + remove(tmpname); + return -1; } - cr = _srp_crypt(username, passwd, salt_size, &g, &n); - if (cr == NULL) { - fprintf(stderr, "Cannot _srp_crypt()...\n"); - return -1; - } else { - /* delete previous entry */ - struct stat st; - FILE * fd2; - int put; - - if (strlen(tpasswd) > sizeof(tmpname)+5) { - fprintf(stderr, "file '%s' is tooooo long\n", tpasswd); - return -1; - } - strcpy( tmpname, tpasswd); - strcat( tmpname, ".tmp"); - - if ( stat( tmpname, &st) != -1) { - fprintf(stderr, "file '%s' is locked\n", tpasswd); - return -1; - } - - if (filecopy( tpasswd, tmpname)!=0) { - fprintf(stderr, "Cannot copy '%s' to '%s'\n", - tpasswd, tmpname); - return -1; - } - - fd = fopen(tpasswd, "w"); - if (fd == NULL) { - fprintf(stderr, "Cannot open '%s' for write\n", - tpasswd); - remove(tmpname); - return -1; - } - - fd2 = fopen(tmpname, "r"); - if (fd2 == NULL) { - fprintf(stderr, "Cannot open '%s' for read\n", - tmpname); - remove(tmpname); - return -1; - } - - put = 0; - do { - p = fgets( line, sizeof(line)-1, fd2); - if (p==NULL) break; - - pp = strchr( line, ':'); - if (pp==NULL) continue; - - if ( strncmp( p, username, _MAX(strlen(username), (unsigned int)(pp-p)) ) == 0 ) { - put = 1; - fprintf(fd, "%s:%s:%u\n", username, cr, iindex); - } else { - fputs( line, fd); - } - } while(1); - - if (put==0) { - fprintf(fd, "%s:%s:%u\n", username, cr, iindex); - } - - fclose(fd); - fclose(fd2); - - remove(tmpname); + fd2 = fopen(tmpname, "r"); + if (fd2 == NULL) { + fprintf(stderr, "Cannot open '%s' for read\n", tmpname); + remove(tmpname); + return -1; + } + + put = 0; + do { + p = fgets(line, sizeof(line) - 1, fd2); + if (p == NULL) + break; + pp = strchr(line, ':'); + if (pp == NULL) + continue; + + if (strncmp + (p, username, + _MAX(strlen(username), (unsigned int) (pp - p))) == 0) { + put = 1; + fprintf(fd, "%s:%s:%u\n", username, cr, iindex); + } else { + fputs(line, fd); + } + } while (1); + + if (put == 0) { + fprintf(fd, "%s:%s:%u\n", username, cr, iindex); } + fclose(fd); + fclose(fd2); - return 0; + remove(tmpname); + + } + + + return 0; } @@ -581,55 +592,56 @@ int crypt_int(const char *username, const char *passwd, int salt_size, */ static int read_conf_values(gnutls_datum * g, gnutls_datum * n, char *str) { - char *p; - int len; - int index, ret; - gnutls_datum dat; + char *p; + int len; + int index, ret; + gnutls_datum dat; - index = atoi(str); + index = atoi(str); - p = strrchr(str, ':'); /* we have g */ - if (p == NULL) { - return -1; - } + p = strrchr(str, ':'); /* we have g */ + if (p == NULL) { + return -1; + } - *p = '\0'; - p++; + *p = '\0'; + p++; - /* read the generator */ - len = strlen(p); - if (p[len-1]=='\n') len--; - - dat.data = p; - dat.size = len; - ret = gnutls_srp_base64_decode_alloc(&dat, g); + /* read the generator */ + len = strlen(p); + if (p[len - 1] == '\n') + len--; - if (ret < 0) { - fprintf(stderr, "Decoding error\n"); - return -1; - } + dat.data = p; + dat.size = len; + ret = gnutls_srp_base64_decode_alloc(&dat, g); - /* now go for n - modulo */ - p = strrchr(str, ':'); /* we have n */ - if (p == NULL) { - return -1; - } + if (ret < 0) { + fprintf(stderr, "Decoding error\n"); + return -1; + } + + /* now go for n - modulo */ + p = strrchr(str, ':'); /* we have n */ + if (p == NULL) { + return -1; + } - *p = '\0'; - p++; + *p = '\0'; + p++; - dat.data = p; - dat.size = strlen(p); + dat.data = p; + dat.size = strlen(p); - ret = gnutls_srp_base64_decode_alloc(&dat, n); + ret = gnutls_srp_base64_decode_alloc(&dat, n); - if (ret < 0) { - fprintf(stderr, "Decoding error\n"); - free(g->data); - return -1; - } + if (ret < 0) { + fprintf(stderr, "Decoding error\n"); + free(g->data); + return -1; + } - return index; + return index; } -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/src/getpass.c b/src/getpass.c index 21827072bf..1a73b7ae0a 100644 --- a/src/getpass.c +++ b/src/getpass.c @@ -12,41 +12,41 @@ const char *read_pass(const char *msg) { #ifndef _WIN32 - struct termios old, new; + struct termios old, new; #endif - static char input[128]; - char *p; + static char input[128]; + char *p; - fputs(msg, stderr); + fputs(msg, stderr); #ifndef _WIN32 - /* Turn echoing off and fail if we can't. */ - if (tcgetattr(fileno(OUT_STREAM), &old) != 0) { - perror("tcgetattr"); - exit(1); - } - - new = old; - new.c_lflag &= ~ECHO; - if (tcsetattr(fileno(OUT_STREAM), TCSAFLUSH, &new) != 0) { - perror("tcsetattr"); - exit(1); - } + /* Turn echoing off and fail if we can't. */ + if (tcgetattr(fileno(OUT_STREAM), &old) != 0) { + perror("tcgetattr"); + exit(1); + } + + new = old; + new.c_lflag &= ~ECHO; + if (tcsetattr(fileno(OUT_STREAM), TCSAFLUSH, &new) != 0) { + perror("tcsetattr"); + exit(1); + } #endif - /* Read the password. */ - p = fgets(input, sizeof(input), stdin); + /* Read the password. */ + p = fgets(input, sizeof(input), stdin); #ifndef _WIN32 - /* Restore terminal. */ - (void) tcsetattr(fileno(OUT_STREAM), TCSAFLUSH, &old); + /* Restore terminal. */ + (void) tcsetattr(fileno(OUT_STREAM), TCSAFLUSH, &old); #endif - if (p == NULL || strlen(p) == 0 || p[0] == '\n') - return NULL; + if (p == NULL || strlen(p) == 0 || p[0] == '\n') + return NULL; - /* overwrite the newline */ - input[strlen(p) - 1] = 0; + /* overwrite the newline */ + input[strlen(p) - 1] = 0; - return p; + return p; } diff --git a/src/prime.c b/src/prime.c index 13c078027c..098b68952e 100644 --- a/src/prime.c +++ b/src/prime.c @@ -33,8 +33,8 @@ * of the group). Exports them in PKCS #3 format. Used by certtool. */ -extern FILE* outfile; -extern FILE* infile; +extern FILE *outfile; +extern FILE *infile; extern unsigned char buffer[]; extern const int buffer_size; @@ -42,97 +42,105 @@ static int cparams = 0; int generate_prime(int bits) { - unsigned int i; - int ret; - gnutls_dh_params dh_params; - gnutls_datum p, g; - - gnutls_dh_params_init( &dh_params); - - fprintf(stderr, "Generating DH parameters..."); - - ret = gnutls_dh_params_generate2( dh_params, bits); - if (ret < 0) { - fprintf(stderr, "Error generating parameters: %s\n", - gnutls_strerror(ret)); - exit(1); + unsigned int i; + int ret; + gnutls_dh_params dh_params; + gnutls_datum p, g; + + gnutls_dh_params_init(&dh_params); + + fprintf(stderr, "Generating DH parameters..."); + + ret = gnutls_dh_params_generate2(dh_params, bits); + if (ret < 0) { + fprintf(stderr, "Error generating parameters: %s\n", + gnutls_strerror(ret)); + exit(1); + } + + ret = gnutls_dh_params_export_raw(dh_params, &p, &g, NULL); + if (ret < 0) { + fprintf(stderr, "Error exporting parameters: %s\n", + gnutls_strerror(ret)); + exit(1); + } + + if (cparams) { + + fprintf(outfile, "/* generator */\n"); + fprintf(outfile, "\nconst uint8 g[%d] = { ", g.size); + + for (i = 0; i < g.size; i++) { + if (i % 7 == 0) + fprintf(outfile, "\n\t"); + fprintf(outfile, "0x%.2x", g.data[i]); + if (i != g.size - 1) + fprintf(outfile, ", "); } - ret = gnutls_dh_params_export_raw( dh_params, &p, &g, NULL); - if (ret < 0) { - fprintf(stderr, "Error exporting parameters: %s\n", - gnutls_strerror(ret)); - exit(1); - } + fprintf(outfile, "\n};\n\n"); + } else { + fprintf(outfile, "\nGenerator: "); + + for (i = 0; i < g.size; i++) { + if (i != 0 && i % 12 == 0) + fprintf(outfile, "\n\t"); + else if (i != 0 && i != g.size) + fprintf(outfile, ":"); - if (cparams) { + fprintf(outfile, "%.2x", g.data[i]); + } - fprintf( outfile, "/* generator */\n"); - fprintf( outfile, "\nconst uint8 g[%d] = { ", g.size); - - for (i=0;i<g.size;i++) { - if (i%7==0) fprintf(outfile, "\n\t"); - fprintf(outfile, "0x%.2x", g.data[i]); - if (i!=g.size-1) fprintf(outfile, ", "); - } + fprintf(outfile, "\n\n"); + } - fprintf(outfile, "\n};\n\n"); - } else { - fprintf( outfile, "\nGenerator: "); - - for (i=0;i<g.size;i++) { - if (i!=0 && i%12==0) fprintf( outfile,"\n\t"); - else if (i!=0 && i!=g.size) fprintf( outfile, ":"); + /* print prime */ - fprintf( outfile, "%.2x", g.data[i]); - } + if (cparams) { + fprintf(outfile, "/* prime - %d bits */\n", p.size * 8); + fprintf(outfile, "\nconst uint8 prime[%d] = { ", p.size); - fprintf( outfile,"\n\n"); + for (i = 0; i < p.size; i++) { + if (i % 7 == 0) + fprintf(outfile, "\n\t"); + fprintf(outfile, "0x%.2x", p.data[i]); + if (i != p.size - 1) + fprintf(outfile, ", "); } - /* print prime */ + fprintf(outfile, "\n};\n"); + } else { + fprintf(outfile, "Prime: "); - if (cparams) { - fprintf( outfile, "/* prime - %d bits */\n", p.size*8); - fprintf( outfile, "\nconst uint8 prime[%d] = { ", p.size); - - for (i=0;i<p.size;i++) { - if (i%7==0) fprintf( outfile,"\n\t"); - fprintf( outfile, "0x%.2x", p.data[i]); - if (i!=p.size-1) fprintf( outfile, ", "); - } + for (i = 0; i < p.size; i++) { + if (i != 0 && i % 12 == 0) + fprintf(outfile, "\n\t"); + else if (i != 0 && i != p.size) + fprintf(outfile, ":"); + fprintf(outfile, "%.2x", p.data[i]); + } - fprintf( outfile,"\n};\n"); - } else { - fprintf( outfile, "Prime: "); + fprintf(outfile, "\n\n"); - for (i=0;i<p.size;i++) { - if (i!=0 && i%12==0) fprintf( outfile,"\n\t"); - else if (i!=0 && i!=p.size) fprintf( outfile, ":"); - fprintf( outfile, "%.2x", p.data[i]); - } + } - fprintf( outfile,"\n\n"); + if (!cparams) { /* generate a PKCS#3 structure */ - } + int ret; + size_t len = buffer_size; - if (!cparams) { /* generate a PKCS#3 structure */ - - int ret; - size_t len = buffer_size; - - ret = gnutls_dh_params_export_pkcs3( dh_params, GNUTLS_X509_FMT_PEM, - buffer, &len); - - if (ret == 0) { - fprintf( outfile,"\n%s", buffer); - } else { - fprintf(stderr, "Error: %s\n", gnutls_strerror(ret)); - } + ret = gnutls_dh_params_export_pkcs3(dh_params, GNUTLS_X509_FMT_PEM, + buffer, &len); + if (ret == 0) { + fprintf(outfile, "\n%s", buffer); + } else { + fprintf(stderr, "Error: %s\n", gnutls_strerror(ret)); } - return 0; + } + + return 0; } #endif diff --git a/src/retcodes.c b/src/retcodes.c index 141ffb6980..2bd27039cb 100644 --- a/src/retcodes.c +++ b/src/retcodes.c @@ -3,104 +3,106 @@ #include <string.h> #include <gnutls/gnutls.h> -const char* _gnutls_strerror(int); +const char *_gnutls_strerror(int); static const char headers[] = "\\tablefirsthead{%\n" - "\\hline\n" - "\\multicolumn{1}{|c}{Error code} &\n" - "\\multicolumn{1}{c|}{Description} \\\\\n" - "\\hline}\n" - "\\tablehead{%\n" - "\\hline\n" - "\\multicolumn{2}{|l|}{\\small\\sl continued from previous page}\\\\\n" - "\\hline\n" - "\\multicolumn{1}{|c}{Error code} &\n" - "\\multicolumn{1}{c|}{Description} \\\\\n" - "\\hline}\n" - "\\tabletail{%\n" - "\\hline\n" - "\\multicolumn{2}{|r|}{\\small\\sl continued on next page}\\\\\n" - "\\hline}\n" - "\\tablelasttail{\\hline}\n" - "\\bottomcaption{The error codes table}\n\n"; + "\\hline\n" + "\\multicolumn{1}{|c}{Error code} &\n" + "\\multicolumn{1}{c|}{Description} \\\\\n" + "\\hline}\n" + "\\tablehead{%\n" + "\\hline\n" + "\\multicolumn{2}{|l|}{\\small\\sl continued from previous page}\\\\\n" + "\\hline\n" + "\\multicolumn{1}{|c}{Error code} &\n" + "\\multicolumn{1}{c|}{Description} \\\\\n" + "\\hline}\n" + "\\tabletail{%\n" + "\\hline\n" + "\\multicolumn{2}{|r|}{\\small\\sl continued on next page}\\\\\n" + "\\hline}\n" + "\\tablelasttail{\\hline}\n" + "\\bottomcaption{The error codes table}\n\n"; typedef struct { - char name[128]; - int error_index; + char name[128]; + int error_index; } error_name; -static int compar( const void* _n1, const void* _n2) -{ const error_name* n1 = (const error_name*) _n1, - * n2 = (const error_name*) _n2; - return strcmp( n1->name, n2->name); +static int compar(const void *_n1, const void *_n2) +{ + const error_name *n1 = (const error_name *) _n1, + *n2 = (const error_name *) _n2; + return strcmp(n1->name, n2->name); } -static char* escape_string( const char* str) +static char *escape_string(const char *str) { -static char buffer[500]; -unsigned int i = 0, j = 0; + static char buffer[500]; + unsigned int i = 0, j = 0; -while( str[i] != 0 && j < sizeof(buffer) - 1) { - if (str[i]=='_') { - buffer[j++] = '\\'; - buffer[j++] = '_'; - } else { - buffer[j++] = str[i]; - } - i++; -}; + while (str[i] != 0 && j < sizeof(buffer) - 1) { + if (str[i] == '_') { + buffer[j++] = '\\'; + buffer[j++] = '_'; + } else { + buffer[j++] = str[i]; + } + i++; + }; -buffer[j] = 0; + buffer[j] = 0; -return buffer; + return buffer; } int main() { -int i, j; -const char* desc; -const char* _name; -error_name names_to_sort[400]; /* up to 400 names */ + int i, j; + const char *desc; + const char *_name; + error_name names_to_sort[400]; /* up to 400 names */ -printf("\\chapter{Error codes and descriptions\\index{Error codes}}\\label{ap:error_codes}\n"); + printf + ("\\chapter{Error codes and descriptions\\index{Error codes}}\\label{ap:error_codes}\n"); -printf("\\begin{center}\n"); + printf("\\begin{center}\n"); -puts( headers); + puts(headers); -printf("\\begin{supertabular}{|l|p{6cm}|}\n"); + printf("\\begin{supertabular}{|l|p{6cm}|}\n"); -memset( names_to_sort, 0, sizeof(names_to_sort)); -j=0; -for (i=0;i>-400;i--) -{ - _name = _gnutls_strerror(i); - if ( _name == NULL) continue; + memset(names_to_sort, 0, sizeof(names_to_sort)); + j = 0; + for (i = 0; i > -400; i--) { + _name = _gnutls_strerror(i); + if (_name == NULL) + continue; - strcpy( names_to_sort[j].name, _name); - names_to_sort[j].error_index = i; - j++; -} + strcpy(names_to_sort[j].name, _name); + names_to_sort[j].error_index = i; + j++; + } -qsort( names_to_sort, j, sizeof(error_name), compar); + qsort(names_to_sort, j, sizeof(error_name), compar); -for (i=0;i<j;i++) -{ - _name = names_to_sort[i].name; - desc = gnutls_strerror( names_to_sort[i].error_index); - if (desc == NULL || _name == NULL) continue; + for (i = 0; i < j; i++) { + _name = names_to_sort[i].name; + desc = gnutls_strerror(names_to_sort[i].error_index); + if (desc == NULL || _name == NULL) + continue; - printf( "{\\tiny{%s}} & %s", escape_string(_name), desc); - printf( "\\\\\n"); -} + printf("{\\tiny{%s}} & %s", escape_string(_name), desc); + printf("\\\\\n"); + } -printf("\\end{supertabular}\n\n"); + printf("\\end{supertabular}\n\n"); -printf("\\end{center}\n"); + printf("\\end{center}\n"); -return 0; + return 0; } diff --git a/src/serv-gaa.c b/src/serv-gaa.c index 8cbda15bab..8c7972cf5f 100644 --- a/src/serv-gaa.c +++ b/src/serv-gaa.c @@ -19,146 +19,148 @@ void serv_version(void); #endif #endif -static void* gaa_malloc( size_t size) { -void* ret; - ret = malloc(size); - if (ret==NULL) { - fprintf(stderr, "gaa: could not allocate memory"); - exit(1); - } - return ret; +static void *gaa_malloc(size_t size) +{ + void *ret; + ret = malloc(size); + if (ret == NULL) { + fprintf(stderr, "gaa: could not allocate memory"); + exit(1); + } + return ret; } -static void __gaa_helpsingle(char short_name, char *name, - char *arg_desc, char *opt_help) +static void __gaa_helpsingle(char short_name, char *name, + char *arg_desc, char *opt_help) { - int col1, col3, col4, tabsize = 3, curr; - int i; - - col1 = 5; /* Default values */ - col3 = 30; - col4 = 70; - - curr = 0; - for(i = 0; i < col1; i++) - { - printf(" "); - curr++; - } - if(short_name) - { - if(name && *name) - { - printf("-%c, ", short_name); - curr += 4; - } - else - { - printf("-%c ", short_name); - curr += 3; - } - } - if(name && *name) - { - printf("--%s ", name); - curr += 3 + strlen(name); - } - if(arg_desc && *arg_desc) - { - printf("%s ", arg_desc); - curr += 1 + strlen(arg_desc); - } - if(curr >= col3) - { - printf("\n"); - curr = 0; - } - if(opt_help) /* let's print the option's help body */ - { - const char *str = opt_help; - while(*str) - { - while(curr < col3) - { - printf(" "); - curr++; - } - switch(*str) - { - case '\n': - printf("\n"); - curr = 0; - break; - case '\t': - do - { - printf(" "); - curr++; - } - while((curr - col3) % tabsize != 0 && curr < col4); - case ' ': - if(*str == ' ') - { - curr++; - printf(" "); - } - for(i = 1; str[i] && str[i] != ' ' && str[i] != '\n' - && str[i] != '\t'; i++); - if(curr + i - 1 >= col4) - curr = col4; - break; - default: - printf("%c", *str); - curr++; - } - if(curr >= col4) - { - printf("\n"); - curr = 0; - } - str++; - } - } - printf("\n"); + int col1, col3, col4, tabsize = 3, curr; + int i; + + col1 = 5; /* Default values */ + col3 = 30; + col4 = 70; + + curr = 0; + for (i = 0; i < col1; i++) { + printf(" "); + curr++; + } + if (short_name) { + if (name && *name) { + printf("-%c, ", short_name); + curr += 4; + } else { + printf("-%c ", short_name); + curr += 3; + } + } + if (name && *name) { + printf("--%s ", name); + curr += 3 + strlen(name); + } + if (arg_desc && *arg_desc) { + printf("%s ", arg_desc); + curr += 1 + strlen(arg_desc); + } + if (curr >= col3) { + printf("\n"); + curr = 0; + } + if (opt_help) { /* let's print the option's help body */ + const char *str = opt_help; + while (*str) { + while (curr < col3) { + printf(" "); + curr++; + } + switch (*str) { + case '\n': + printf("\n"); + curr = 0; + break; + case '\t': + do { + printf(" "); + curr++; + } + while ((curr - col3) % tabsize != 0 && curr < col4); + case ' ': + if (*str == ' ') { + curr++; + printf(" "); + } + for (i = 1; str[i] && str[i] != ' ' && str[i] != '\n' + && str[i] != '\t'; i++); + if (curr + i - 1 >= col4) + curr = col4; + break; + default: + printf("%c", *str); + curr++; + } + if (curr >= col4) { + printf("\n"); + curr = 0; + } + str++; + } + } + printf("\n"); } void gaa_help(void) { - printf("GNU TLS test server\nUsage: gnutls-serv [options]\n\n\n"); - __gaa_helpsingle('d', "debug", "integer ", "Enable debugging"); - __gaa_helpsingle('g', "generate", "", "Generate Diffie Hellman Parameters."); - __gaa_helpsingle('p', "port", "integer ", "The port to connect to."); - __gaa_helpsingle('q', "quiet", "", "Suppress some messages."); - __gaa_helpsingle(0, "nodb", "", "Does not use the resume database."); - __gaa_helpsingle(0, "http", "", "Act as an HTTP Server."); - __gaa_helpsingle(0, "echo", "", "Act as an Echo Server."); - __gaa_helpsingle(0, "dhparams", "FILE ", "DH params file to use."); - __gaa_helpsingle(0, "x509fmtder", "", "Use DER format for certificates"); - __gaa_helpsingle(0, "x509cafile", "FILE ", "Certificate file to use."); - __gaa_helpsingle(0, "x509crlfile", "FILE ", "CRL file to use."); - __gaa_helpsingle(0, "pgpkeyring", "FILE ", "PGP Key ring file to use."); - __gaa_helpsingle(0, "pgptrustdb", "FILE ", "PGP trustdb file to use."); - __gaa_helpsingle(0, "pgpkeyfile", "FILE ", "PGP Key file to use."); - __gaa_helpsingle(0, "pgpcertfile", "FILE ", "PGP Public Key (certificate) file to use."); - __gaa_helpsingle(0, "x509keyfile", "FILE ", "X.509 key file to use."); - __gaa_helpsingle(0, "x509certfile", "FILE ", "X.509 Certificate file to use."); - __gaa_helpsingle(0, "x509dsakeyfile", "FILE ", "Alternative X.509 key file to use."); - __gaa_helpsingle(0, "x509dsacertfile", "FILE ", "Alternative X.509 certificate file to use."); - __gaa_helpsingle(0, "srppasswd", "FILE ", "SRP password file to use."); - __gaa_helpsingle(0, "srppasswdconf", "FILE ", "SRP password conf file to use."); - __gaa_helpsingle(0, "ciphers", "cipher1 cipher2... ", "Ciphers to enable."); - __gaa_helpsingle(0, "protocols", "protocol1 protocol2... ", "Protocols to enable."); - __gaa_helpsingle(0, "comp", "comp1 comp2... ", "Compression methods to enable."); - __gaa_helpsingle(0, "macs", "mac1 mac2... ", "MACs to enable."); - __gaa_helpsingle(0, "kx", "kx1 kx2... ", "Key exchange methods to enable."); - __gaa_helpsingle(0, "ctypes", "certType1 certType2... ", "Certificate types to enable."); - __gaa_helpsingle('l', "list", "", "Print a list of the supported algorithms and modes."); - __gaa_helpsingle('h', "help", "", "prints this help"); - __gaa_helpsingle('v', "version", "", "prints the program's version number"); - __gaa_helpsingle(0, "copyright", "", "prints the program's license"); + printf("GNU TLS test server\nUsage: gnutls-serv [options]\n\n\n"); + __gaa_helpsingle('d', "debug", "integer ", "Enable debugging"); + __gaa_helpsingle('g', "generate", "", + "Generate Diffie Hellman Parameters."); + __gaa_helpsingle('p', "port", "integer ", "The port to connect to."); + __gaa_helpsingle('q', "quiet", "", "Suppress some messages."); + __gaa_helpsingle(0, "nodb", "", "Does not use the resume database."); + __gaa_helpsingle(0, "http", "", "Act as an HTTP Server."); + __gaa_helpsingle(0, "echo", "", "Act as an Echo Server."); + __gaa_helpsingle(0, "dhparams", "FILE ", "DH params file to use."); + __gaa_helpsingle(0, "x509fmtder", "", + "Use DER format for certificates"); + __gaa_helpsingle(0, "x509cafile", "FILE ", "Certificate file to use."); + __gaa_helpsingle(0, "x509crlfile", "FILE ", "CRL file to use."); + __gaa_helpsingle(0, "pgpkeyring", "FILE ", + "PGP Key ring file to use."); + __gaa_helpsingle(0, "pgptrustdb", "FILE ", "PGP trustdb file to use."); + __gaa_helpsingle(0, "pgpkeyfile", "FILE ", "PGP Key file to use."); + __gaa_helpsingle(0, "pgpcertfile", "FILE ", + "PGP Public Key (certificate) file to use."); + __gaa_helpsingle(0, "x509keyfile", "FILE ", "X.509 key file to use."); + __gaa_helpsingle(0, "x509certfile", "FILE ", + "X.509 Certificate file to use."); + __gaa_helpsingle(0, "x509dsakeyfile", "FILE ", + "Alternative X.509 key file to use."); + __gaa_helpsingle(0, "x509dsacertfile", "FILE ", + "Alternative X.509 certificate file to use."); + __gaa_helpsingle(0, "srppasswd", "FILE ", "SRP password file to use."); + __gaa_helpsingle(0, "srppasswdconf", "FILE ", + "SRP password conf file to use."); + __gaa_helpsingle(0, "ciphers", "cipher1 cipher2... ", + "Ciphers to enable."); + __gaa_helpsingle(0, "protocols", "protocol1 protocol2... ", + "Protocols to enable."); + __gaa_helpsingle(0, "comp", "comp1 comp2... ", + "Compression methods to enable."); + __gaa_helpsingle(0, "macs", "mac1 mac2... ", "MACs to enable."); + __gaa_helpsingle(0, "kx", "kx1 kx2... ", + "Key exchange methods to enable."); + __gaa_helpsingle(0, "ctypes", "certType1 certType2... ", + "Certificate types to enable."); + __gaa_helpsingle('l', "list", "", + "Print a list of the supported algorithms and modes."); + __gaa_helpsingle('h', "help", "", "prints this help"); + __gaa_helpsingle('v', "version", "", + "prints the program's version number"); + __gaa_helpsingle(0, "copyright", "", "prints the program's license"); #line 100 "gaa.skel" } + /* Copy of C area */ #line 104 "gaa.skel" @@ -168,104 +170,96 @@ void gaa_help(void) typedef struct _gaainfo gaainfo; -struct _gaainfo -{ +struct _gaainfo { #line 95 "serv.gaa" - char **ctype; + char **ctype; #line 94 "serv.gaa" - int nctype; + int nctype; #line 91 "serv.gaa" - char **kx; + char **kx; #line 90 "serv.gaa" - int nkx; + int nkx; #line 87 "serv.gaa" - char **macs; + char **macs; #line 86 "serv.gaa" - int nmacs; + int nmacs; #line 83 "serv.gaa" - char **comp; + char **comp; #line 82 "serv.gaa" - int ncomp; + int ncomp; #line 79 "serv.gaa" - char **proto; + char **proto; #line 78 "serv.gaa" - int nproto; + int nproto; #line 75 "serv.gaa" - char **ciphers; + char **ciphers; #line 74 "serv.gaa" - int nciphers; + int nciphers; #line 70 "serv.gaa" - char *srp_passwd_conf; + char *srp_passwd_conf; #line 67 "serv.gaa" - char *srp_passwd; + char *srp_passwd; #line 64 "serv.gaa" - char *x509_dsacertfile; + char *x509_dsacertfile; #line 61 "serv.gaa" - char *x509_dsakeyfile; + char *x509_dsakeyfile; #line 58 "serv.gaa" - char *x509_certfile; + char *x509_certfile; #line 55 "serv.gaa" - char *x509_keyfile; + char *x509_keyfile; #line 52 "serv.gaa" - char *pgp_certfile; + char *pgp_certfile; #line 49 "serv.gaa" - char *pgp_keyfile; + char *pgp_keyfile; #line 46 "serv.gaa" - char *pgp_trustdb; + char *pgp_trustdb; #line 43 "serv.gaa" - char *pgp_keyring; + char *pgp_keyring; #line 40 "serv.gaa" - char *x509_crlfile; + char *x509_crlfile; #line 37 "serv.gaa" - char *x509_cafile; + char *x509_cafile; #line 34 "serv.gaa" - int fmtder; + int fmtder; #line 31 "serv.gaa" - char *dh_params_file; + char *dh_params_file; #line 27 "serv.gaa" - int http; + int http; #line 24 "serv.gaa" - int nodb; + int nodb; #line 21 "serv.gaa" - int quiet; + int quiet; #line 18 "serv.gaa" - int port; + int port; #line 15 "serv.gaa" - int generate; + int generate; #line 12 "serv.gaa" - int debug; + int debug; #line 114 "gaa.skel" }; #ifdef __cplusplus -extern "C" -{ +extern "C" { #endif - int gaa(int argc, char *argv[], gaainfo *gaaval); + int gaa(int argc, char *argv[], gaainfo * gaaval); void gaa_help(void); - - int gaa_file(const char *name, gaainfo *gaaval); - + + int gaa_file(const char *name, gaainfo * gaaval); + #ifdef __cplusplus } #endif - - #endif - #line 135 "gaa.skel" - /* C declarations */ - #define GAAERROR(x) \ { \ gaa_error = 1; \ return x; \ } - static char *gaa_current_option; static int gaa_error = 0; @@ -362,7 +356,7 @@ if(gaa_error == 1) \ { \ gaa_error = 0; \ return GAA_ERROR_INVALID_ARG; \ -} +} @@ -440,7 +434,7 @@ if(k == 0) \ printf("You must give at least one option of '%s'\n", str); \ return 0; \ } - + #define GAA_INCOMP(str) \ k = 0; \ for(i = 0; i < strlen(str); i++) \ @@ -459,7 +453,7 @@ if(k > 1) \ printf("The options '%s' are incompatible\n", str); \ return 0; \ } - + static char **GAAargv; static int GAAargc; @@ -471,25 +465,25 @@ static int gaa_getint(char *arg) { int tmp; char a; - if(sscanf(arg, "%d%c", &tmp, &a) < 1) - { - printf("Option %s: '%s' isn't an integer\n", gaa_current_option, arg); - GAAERROR(-1); + if (sscanf(arg, "%d%c", &tmp, &a) < 1) { + printf("Option %s: '%s' isn't an integer\n", gaa_current_option, + arg); + GAAERROR(-1); } return tmp; } static char gaa_getchar(char *arg) { - if(strlen(arg) != 1) - { - printf("Option %s: '%s' isn't an character\n", gaa_current_option, arg); - GAAERROR(-1); + if (strlen(arg) != 1) { + printf("Option %s: '%s' isn't an character\n", gaa_current_option, + arg); + GAAERROR(-1); } return arg[0]; } -static char* gaa_getstr(char *arg) +static char *gaa_getstr(char *arg) { return arg; } @@ -497,271 +491,251 @@ static float gaa_getfloat(char *arg) { float tmp; char a; - if(sscanf(arg, "%f%c", &tmp, &a) < 1) - { - printf("Option %s: '%s' isn't a float number\n", gaa_current_option, arg); - GAAERROR(-1); + if (sscanf(arg, "%f%c", &tmp, &a) < 1) { + printf("Option %s: '%s' isn't a float number\n", + gaa_current_option, arg); + GAAERROR(-1); } return tmp; } + /* option structures */ -struct GAAOPTION_ctypes -{ - char** arg1; - int size1; +struct GAAOPTION_ctypes { + char **arg1; + int size1; }; -struct GAAOPTION_kx -{ - char** arg1; - int size1; +struct GAAOPTION_kx { + char **arg1; + int size1; }; -struct GAAOPTION_macs -{ - char** arg1; - int size1; +struct GAAOPTION_macs { + char **arg1; + int size1; }; -struct GAAOPTION_comp -{ - char** arg1; - int size1; +struct GAAOPTION_comp { + char **arg1; + int size1; }; -struct GAAOPTION_protocols -{ - char** arg1; - int size1; +struct GAAOPTION_protocols { + char **arg1; + int size1; }; -struct GAAOPTION_ciphers -{ - char** arg1; - int size1; +struct GAAOPTION_ciphers { + char **arg1; + int size1; }; -struct GAAOPTION_srppasswdconf -{ - char* arg1; - int size1; +struct GAAOPTION_srppasswdconf { + char *arg1; + int size1; }; -struct GAAOPTION_srppasswd -{ - char* arg1; - int size1; +struct GAAOPTION_srppasswd { + char *arg1; + int size1; }; -struct GAAOPTION_x509dsacertfile -{ - char* arg1; - int size1; +struct GAAOPTION_x509dsacertfile { + char *arg1; + int size1; }; -struct GAAOPTION_x509dsakeyfile -{ - char* arg1; - int size1; +struct GAAOPTION_x509dsakeyfile { + char *arg1; + int size1; }; -struct GAAOPTION_x509certfile -{ - char* arg1; - int size1; +struct GAAOPTION_x509certfile { + char *arg1; + int size1; }; -struct GAAOPTION_x509keyfile -{ - char* arg1; - int size1; +struct GAAOPTION_x509keyfile { + char *arg1; + int size1; }; -struct GAAOPTION_pgpcertfile -{ - char* arg1; - int size1; +struct GAAOPTION_pgpcertfile { + char *arg1; + int size1; }; -struct GAAOPTION_pgpkeyfile -{ - char* arg1; - int size1; +struct GAAOPTION_pgpkeyfile { + char *arg1; + int size1; }; -struct GAAOPTION_pgptrustdb -{ - char* arg1; - int size1; +struct GAAOPTION_pgptrustdb { + char *arg1; + int size1; }; -struct GAAOPTION_pgpkeyring -{ - char* arg1; - int size1; +struct GAAOPTION_pgpkeyring { + char *arg1; + int size1; }; -struct GAAOPTION_x509crlfile -{ - char* arg1; - int size1; +struct GAAOPTION_x509crlfile { + char *arg1; + int size1; }; -struct GAAOPTION_x509cafile -{ - char* arg1; - int size1; +struct GAAOPTION_x509cafile { + char *arg1; + int size1; }; -struct GAAOPTION_dhparams -{ - char* arg1; - int size1; +struct GAAOPTION_dhparams { + char *arg1; + int size1; }; -struct GAAOPTION_port -{ - int arg1; - int size1; +struct GAAOPTION_port { + int arg1; + int size1; }; -struct GAAOPTION_debug -{ - int arg1; - int size1; +struct GAAOPTION_debug { + int arg1; + int size1; }; - + #line 349 "gaa.skel" static int gaa_is_an_argument(char *str) { #ifdef GAA_WIN32 - if(str[0] == '/' && str[1] != 0) + if (str[0] == '/' && str[1] != 0) return GAA_MULTIPLE_OPTION; #endif - if(str[0] != '-') - return GAA_NOT_AN_OPTION; - if(str[1] == 0) - return GAA_NOT_AN_OPTION; - if(str[1] == '-') - { - if(str[2] != 0) - return GAA_WORD_OPTION; - else - return GAA_NOT_AN_OPTION; + if (str[0] != '-') + return GAA_NOT_AN_OPTION; + if (str[1] == 0) + return GAA_NOT_AN_OPTION; + if (str[1] == '-') { + if (str[2] != 0) + return GAA_WORD_OPTION; + else + return GAA_NOT_AN_OPTION; } - if(str[2] == 0) - return GAA_LETTER_OPTION; + if (str[2] == 0) + return GAA_LETTER_OPTION; else - return GAA_MULTIPLE_OPTION; + return GAA_MULTIPLE_OPTION; } static int gaa_get_option_num(char *str, int status) { - switch(status) - { - case GAA_LETTER_OPTION: - GAA_CHECK1STR("", GAAOPTID_ctypes); - GAA_CHECK1STR("", GAAOPTID_kx); - GAA_CHECK1STR("", GAAOPTID_macs); - GAA_CHECK1STR("", GAAOPTID_comp); - GAA_CHECK1STR("", GAAOPTID_protocols); - GAA_CHECK1STR("", GAAOPTID_ciphers); - GAA_CHECK1STR("", GAAOPTID_srppasswdconf); - GAA_CHECK1STR("", GAAOPTID_srppasswd); - GAA_CHECK1STR("", GAAOPTID_x509dsacertfile); - GAA_CHECK1STR("", GAAOPTID_x509dsakeyfile); - GAA_CHECK1STR("", GAAOPTID_x509certfile); - GAA_CHECK1STR("", GAAOPTID_x509keyfile); - GAA_CHECK1STR("", GAAOPTID_pgpcertfile); - GAA_CHECK1STR("", GAAOPTID_pgpkeyfile); - GAA_CHECK1STR("", GAAOPTID_pgptrustdb); - GAA_CHECK1STR("", GAAOPTID_pgpkeyring); - GAA_CHECK1STR("", GAAOPTID_x509crlfile); - GAA_CHECK1STR("", GAAOPTID_x509cafile); - GAA_CHECK1STR("", GAAOPTID_dhparams); - GAA_CHECK1STR("p", GAAOPTID_port); - GAA_CHECK1STR("d", GAAOPTID_debug); - case GAA_MULTIPLE_OPTION: + switch (status) { + case GAA_LETTER_OPTION: + GAA_CHECK1STR("", GAAOPTID_ctypes); + GAA_CHECK1STR("", GAAOPTID_kx); + GAA_CHECK1STR("", GAAOPTID_macs); + GAA_CHECK1STR("", GAAOPTID_comp); + GAA_CHECK1STR("", GAAOPTID_protocols); + GAA_CHECK1STR("", GAAOPTID_ciphers); + GAA_CHECK1STR("", GAAOPTID_srppasswdconf); + GAA_CHECK1STR("", GAAOPTID_srppasswd); + GAA_CHECK1STR("", GAAOPTID_x509dsacertfile); + GAA_CHECK1STR("", GAAOPTID_x509dsakeyfile); + GAA_CHECK1STR("", GAAOPTID_x509certfile); + GAA_CHECK1STR("", GAAOPTID_x509keyfile); + GAA_CHECK1STR("", GAAOPTID_pgpcertfile); + GAA_CHECK1STR("", GAAOPTID_pgpkeyfile); + GAA_CHECK1STR("", GAAOPTID_pgptrustdb); + GAA_CHECK1STR("", GAAOPTID_pgpkeyring); + GAA_CHECK1STR("", GAAOPTID_x509crlfile); + GAA_CHECK1STR("", GAAOPTID_x509cafile); + GAA_CHECK1STR("", GAAOPTID_dhparams); + GAA_CHECK1STR("p", GAAOPTID_port); + GAA_CHECK1STR("d", GAAOPTID_debug); + case GAA_MULTIPLE_OPTION: #line 375 "gaa.skel" - GAA_CHECK1STR("", GAAOPTID_copyright); - GAA_CHECK1STR("v", GAAOPTID_version); - GAA_CHECK1STR("h", GAAOPTID_help); - GAA_CHECK1STR("l", GAAOPTID_list); - GAA_CHECK1STR("", GAAOPTID_x509fmtder); - GAA_CHECK1STR("", GAAOPTID_echo); - GAA_CHECK1STR("", GAAOPTID_http); - GAA_CHECK1STR("", GAAOPTID_nodb); - GAA_CHECK1STR("q", GAAOPTID_quiet); - GAA_CHECK1STR("g", GAAOPTID_generate); + GAA_CHECK1STR("", GAAOPTID_copyright); + GAA_CHECK1STR("v", GAAOPTID_version); + GAA_CHECK1STR("h", GAAOPTID_help); + GAA_CHECK1STR("l", GAAOPTID_list); + GAA_CHECK1STR("", GAAOPTID_x509fmtder); + GAA_CHECK1STR("", GAAOPTID_echo); + GAA_CHECK1STR("", GAAOPTID_http); + GAA_CHECK1STR("", GAAOPTID_nodb); + GAA_CHECK1STR("q", GAAOPTID_quiet); + GAA_CHECK1STR("g", GAAOPTID_generate); #line 277 "gaa.skel" - break; - case GAA_WORD_OPTION: - GAA_CHECKSTR("copyright", GAAOPTID_copyright); - GAA_CHECKSTR("version", GAAOPTID_version); - GAA_CHECKSTR("help", GAAOPTID_help); - GAA_CHECKSTR("list", GAAOPTID_list); - GAA_CHECKSTR("ctypes", GAAOPTID_ctypes); - GAA_CHECKSTR("kx", GAAOPTID_kx); - GAA_CHECKSTR("macs", GAAOPTID_macs); - GAA_CHECKSTR("comp", GAAOPTID_comp); - GAA_CHECKSTR("protocols", GAAOPTID_protocols); - GAA_CHECKSTR("ciphers", GAAOPTID_ciphers); - GAA_CHECKSTR("srppasswdconf", GAAOPTID_srppasswdconf); - GAA_CHECKSTR("srppasswd", GAAOPTID_srppasswd); - GAA_CHECKSTR("x509dsacertfile", GAAOPTID_x509dsacertfile); - GAA_CHECKSTR("x509dsakeyfile", GAAOPTID_x509dsakeyfile); - GAA_CHECKSTR("x509certfile", GAAOPTID_x509certfile); - GAA_CHECKSTR("x509keyfile", GAAOPTID_x509keyfile); - GAA_CHECKSTR("pgpcertfile", GAAOPTID_pgpcertfile); - GAA_CHECKSTR("pgpkeyfile", GAAOPTID_pgpkeyfile); - GAA_CHECKSTR("pgptrustdb", GAAOPTID_pgptrustdb); - GAA_CHECKSTR("pgpkeyring", GAAOPTID_pgpkeyring); - GAA_CHECKSTR("x509crlfile", GAAOPTID_x509crlfile); - GAA_CHECKSTR("x509cafile", GAAOPTID_x509cafile); - GAA_CHECKSTR("x509fmtder", GAAOPTID_x509fmtder); - GAA_CHECKSTR("dhparams", GAAOPTID_dhparams); - GAA_CHECKSTR("echo", GAAOPTID_echo); - GAA_CHECKSTR("http", GAAOPTID_http); - GAA_CHECKSTR("nodb", GAAOPTID_nodb); - GAA_CHECKSTR("quiet", GAAOPTID_quiet); - GAA_CHECKSTR("port", GAAOPTID_port); - GAA_CHECKSTR("generate", GAAOPTID_generate); - GAA_CHECKSTR("debug", GAAOPTID_debug); + break; + case GAA_WORD_OPTION: + GAA_CHECKSTR("copyright", GAAOPTID_copyright); + GAA_CHECKSTR("version", GAAOPTID_version); + GAA_CHECKSTR("help", GAAOPTID_help); + GAA_CHECKSTR("list", GAAOPTID_list); + GAA_CHECKSTR("ctypes", GAAOPTID_ctypes); + GAA_CHECKSTR("kx", GAAOPTID_kx); + GAA_CHECKSTR("macs", GAAOPTID_macs); + GAA_CHECKSTR("comp", GAAOPTID_comp); + GAA_CHECKSTR("protocols", GAAOPTID_protocols); + GAA_CHECKSTR("ciphers", GAAOPTID_ciphers); + GAA_CHECKSTR("srppasswdconf", GAAOPTID_srppasswdconf); + GAA_CHECKSTR("srppasswd", GAAOPTID_srppasswd); + GAA_CHECKSTR("x509dsacertfile", GAAOPTID_x509dsacertfile); + GAA_CHECKSTR("x509dsakeyfile", GAAOPTID_x509dsakeyfile); + GAA_CHECKSTR("x509certfile", GAAOPTID_x509certfile); + GAA_CHECKSTR("x509keyfile", GAAOPTID_x509keyfile); + GAA_CHECKSTR("pgpcertfile", GAAOPTID_pgpcertfile); + GAA_CHECKSTR("pgpkeyfile", GAAOPTID_pgpkeyfile); + GAA_CHECKSTR("pgptrustdb", GAAOPTID_pgptrustdb); + GAA_CHECKSTR("pgpkeyring", GAAOPTID_pgpkeyring); + GAA_CHECKSTR("x509crlfile", GAAOPTID_x509crlfile); + GAA_CHECKSTR("x509cafile", GAAOPTID_x509cafile); + GAA_CHECKSTR("x509fmtder", GAAOPTID_x509fmtder); + GAA_CHECKSTR("dhparams", GAAOPTID_dhparams); + GAA_CHECKSTR("echo", GAAOPTID_echo); + GAA_CHECKSTR("http", GAAOPTID_http); + GAA_CHECKSTR("nodb", GAAOPTID_nodb); + GAA_CHECKSTR("quiet", GAAOPTID_quiet); + GAA_CHECKSTR("port", GAAOPTID_port); + GAA_CHECKSTR("generate", GAAOPTID_generate); + GAA_CHECKSTR("debug", GAAOPTID_debug); #line 281 "gaa.skel" break; - default: break; - } + default: + break; + } return GAA_ERROR_NOMATCH; } -static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) +static int gaa_try(int gaa_num, int gaa_index, gaainfo * gaaval, + char *opt_list) { int OK = 0; int gaa_last_non_option; - struct GAAOPTION_ctypes GAATMP_ctypes; - struct GAAOPTION_kx GAATMP_kx; - struct GAAOPTION_macs GAATMP_macs; - struct GAAOPTION_comp GAATMP_comp; - struct GAAOPTION_protocols GAATMP_protocols; - struct GAAOPTION_ciphers GAATMP_ciphers; - struct GAAOPTION_srppasswdconf GAATMP_srppasswdconf; - struct GAAOPTION_srppasswd GAATMP_srppasswd; - struct GAAOPTION_x509dsacertfile GAATMP_x509dsacertfile; - struct GAAOPTION_x509dsakeyfile GAATMP_x509dsakeyfile; - struct GAAOPTION_x509certfile GAATMP_x509certfile; - struct GAAOPTION_x509keyfile GAATMP_x509keyfile; - struct GAAOPTION_pgpcertfile GAATMP_pgpcertfile; - struct GAAOPTION_pgpkeyfile GAATMP_pgpkeyfile; - struct GAAOPTION_pgptrustdb GAATMP_pgptrustdb; - struct GAAOPTION_pgpkeyring GAATMP_pgpkeyring; - struct GAAOPTION_x509crlfile GAATMP_x509crlfile; - struct GAAOPTION_x509cafile GAATMP_x509cafile; - struct GAAOPTION_dhparams GAATMP_dhparams; - struct GAAOPTION_port GAATMP_port; - struct GAAOPTION_debug GAATMP_debug; + struct GAAOPTION_ctypes GAATMP_ctypes; + struct GAAOPTION_kx GAATMP_kx; + struct GAAOPTION_macs GAATMP_macs; + struct GAAOPTION_comp GAATMP_comp; + struct GAAOPTION_protocols GAATMP_protocols; + struct GAAOPTION_ciphers GAATMP_ciphers; + struct GAAOPTION_srppasswdconf GAATMP_srppasswdconf; + struct GAAOPTION_srppasswd GAATMP_srppasswd; + struct GAAOPTION_x509dsacertfile GAATMP_x509dsacertfile; + struct GAAOPTION_x509dsakeyfile GAATMP_x509dsakeyfile; + struct GAAOPTION_x509certfile GAATMP_x509certfile; + struct GAAOPTION_x509keyfile GAATMP_x509keyfile; + struct GAAOPTION_pgpcertfile GAATMP_pgpcertfile; + struct GAAOPTION_pgpkeyfile GAATMP_pgpkeyfile; + struct GAAOPTION_pgptrustdb GAATMP_pgptrustdb; + struct GAAOPTION_pgpkeyring GAATMP_pgpkeyring; + struct GAAOPTION_x509crlfile GAATMP_x509crlfile; + struct GAAOPTION_x509cafile GAATMP_x509cafile; + struct GAAOPTION_dhparams GAATMP_dhparams; + struct GAAOPTION_port GAATMP_port; + struct GAAOPTION_debug GAATMP_debug; #line 393 "gaa.skel" #ifdef GAA_REST_EXISTS @@ -769,295 +743,384 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) #endif opt_list[gaa_num] = 1; - - for(gaa_last_non_option = gaa_index; - (gaa_last_non_option != GAAargc) && (gaa_is_an_argument(GAAargv[gaa_last_non_option]) == GAA_NOT_AN_OPTION); - gaa_last_non_option++); - - if(gaa_num == GAA_REST) - { - gaa_index = 1; - gaa_last_non_option = GAAargc; + + for (gaa_last_non_option = gaa_index; + (gaa_last_non_option != GAAargc) + && (gaa_is_an_argument(GAAargv[gaa_last_non_option]) == + GAA_NOT_AN_OPTION); gaa_last_non_option++); + + if (gaa_num == GAA_REST) { + gaa_index = 1; + gaa_last_non_option = GAAargc; } - - switch(gaa_num) - { - case GAAOPTID_copyright: + + switch (gaa_num) { + case GAAOPTID_copyright: OK = 0; #line 103 "serv.gaa" -{ print_serv_license(); exit(0); ;}; + { + print_serv_license(); + exit(0);; + }; - return GAA_OK; - break; - case GAAOPTID_version: + return GAA_OK; + break; + case GAAOPTID_version: OK = 0; #line 102 "serv.gaa" -{ serv_version(); exit(0); ;}; + { + serv_version(); + exit(0);; + }; - return GAA_OK; - break; - case GAAOPTID_help: + return GAA_OK; + break; + case GAAOPTID_help: OK = 0; #line 100 "serv.gaa" -{ gaa_help(); exit(0); ;}; + { + gaa_help(); + exit(0);; + }; - return GAA_OK; - break; - case GAAOPTID_list: + return GAA_OK; + break; + case GAAOPTID_list: OK = 0; #line 99 "serv.gaa" -{ print_list(); exit(0); ;}; + { + print_list(); + exit(0);; + }; - return GAA_OK; - break; - case GAAOPTID_ctypes: + return GAA_OK; + break; + case GAAOPTID_ctypes: OK = 0; - GAA_LIST_FILL(GAATMP_ctypes.arg1, gaa_getstr, char*, GAATMP_ctypes.size1); + GAA_LIST_FILL(GAATMP_ctypes.arg1, gaa_getstr, char *, + GAATMP_ctypes.size1); #line 96 "serv.gaa" -{ gaaval->ctype = GAATMP_ctypes.arg1; gaaval->nctype = GAATMP_ctypes.size1 ;}; + { + gaaval->ctype = GAATMP_ctypes.arg1; + gaaval->nctype = GAATMP_ctypes.size1; + }; - return GAA_OK; - break; - case GAAOPTID_kx: + return GAA_OK; + break; + case GAAOPTID_kx: OK = 0; - GAA_LIST_FILL(GAATMP_kx.arg1, gaa_getstr, char*, GAATMP_kx.size1); + GAA_LIST_FILL(GAATMP_kx.arg1, gaa_getstr, char *, GAATMP_kx.size1); #line 92 "serv.gaa" -{ gaaval->kx = GAATMP_kx.arg1; gaaval->nkx = GAATMP_kx.size1 ;}; + { + gaaval->kx = GAATMP_kx.arg1; + gaaval->nkx = GAATMP_kx.size1; + }; - return GAA_OK; - break; - case GAAOPTID_macs: + return GAA_OK; + break; + case GAAOPTID_macs: OK = 0; - GAA_LIST_FILL(GAATMP_macs.arg1, gaa_getstr, char*, GAATMP_macs.size1); + GAA_LIST_FILL(GAATMP_macs.arg1, gaa_getstr, char *, + GAATMP_macs.size1); #line 88 "serv.gaa" -{ gaaval->macs = GAATMP_macs.arg1; gaaval->nmacs = GAATMP_macs.size1 ;}; + { + gaaval->macs = GAATMP_macs.arg1; + gaaval->nmacs = GAATMP_macs.size1; + }; - return GAA_OK; - break; - case GAAOPTID_comp: + return GAA_OK; + break; + case GAAOPTID_comp: OK = 0; - GAA_LIST_FILL(GAATMP_comp.arg1, gaa_getstr, char*, GAATMP_comp.size1); + GAA_LIST_FILL(GAATMP_comp.arg1, gaa_getstr, char *, + GAATMP_comp.size1); #line 84 "serv.gaa" -{ gaaval->comp = GAATMP_comp.arg1; gaaval->ncomp = GAATMP_comp.size1 ;}; + { + gaaval->comp = GAATMP_comp.arg1; + gaaval->ncomp = GAATMP_comp.size1; + }; - return GAA_OK; - break; - case GAAOPTID_protocols: + return GAA_OK; + break; + case GAAOPTID_protocols: OK = 0; - GAA_LIST_FILL(GAATMP_protocols.arg1, gaa_getstr, char*, GAATMP_protocols.size1); + GAA_LIST_FILL(GAATMP_protocols.arg1, gaa_getstr, char *, + GAATMP_protocols.size1); #line 80 "serv.gaa" -{ gaaval->proto = GAATMP_protocols.arg1; gaaval->nproto = GAATMP_protocols.size1 ;}; + { + gaaval->proto = GAATMP_protocols.arg1; + gaaval->nproto = GAATMP_protocols.size1; + }; - return GAA_OK; - break; - case GAAOPTID_ciphers: + return GAA_OK; + break; + case GAAOPTID_ciphers: OK = 0; - GAA_LIST_FILL(GAATMP_ciphers.arg1, gaa_getstr, char*, GAATMP_ciphers.size1); + GAA_LIST_FILL(GAATMP_ciphers.arg1, gaa_getstr, char *, + GAATMP_ciphers.size1); #line 76 "serv.gaa" -{ gaaval->ciphers = GAATMP_ciphers.arg1; gaaval->nciphers = GAATMP_ciphers.size1 ;}; + { + gaaval->ciphers = GAATMP_ciphers.arg1; + gaaval->nciphers = GAATMP_ciphers.size1; + }; - return GAA_OK; - break; - case GAAOPTID_srppasswdconf: + return GAA_OK; + break; + case GAAOPTID_srppasswdconf: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_srppasswdconf.arg1, gaa_getstr, GAATMP_srppasswdconf.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_srppasswdconf.arg1, gaa_getstr, + GAATMP_srppasswdconf.size1); + gaa_index++; #line 71 "serv.gaa" -{ gaaval->srp_passwd_conf = GAATMP_srppasswdconf.arg1 ;}; + { + gaaval->srp_passwd_conf = GAATMP_srppasswdconf.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_srppasswd: + return GAA_OK; + break; + case GAAOPTID_srppasswd: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_srppasswd.arg1, gaa_getstr, GAATMP_srppasswd.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_srppasswd.arg1, gaa_getstr, + GAATMP_srppasswd.size1); + gaa_index++; #line 68 "serv.gaa" -{ gaaval->srp_passwd = GAATMP_srppasswd.arg1 ;}; + { + gaaval->srp_passwd = GAATMP_srppasswd.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_x509dsacertfile: + return GAA_OK; + break; + case GAAOPTID_x509dsacertfile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_x509dsacertfile.arg1, gaa_getstr, GAATMP_x509dsacertfile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509dsacertfile.arg1, gaa_getstr, + GAATMP_x509dsacertfile.size1); + gaa_index++; #line 65 "serv.gaa" -{ gaaval->x509_dsacertfile = GAATMP_x509dsacertfile.arg1 ;}; + { + gaaval->x509_dsacertfile = GAATMP_x509dsacertfile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_x509dsakeyfile: + return GAA_OK; + break; + case GAAOPTID_x509dsakeyfile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_x509dsakeyfile.arg1, gaa_getstr, GAATMP_x509dsakeyfile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509dsakeyfile.arg1, gaa_getstr, + GAATMP_x509dsakeyfile.size1); + gaa_index++; #line 62 "serv.gaa" -{ gaaval->x509_dsakeyfile = GAATMP_x509dsakeyfile.arg1 ;}; + { + gaaval->x509_dsakeyfile = GAATMP_x509dsakeyfile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_x509certfile: + return GAA_OK; + break; + case GAAOPTID_x509certfile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_x509certfile.arg1, gaa_getstr, GAATMP_x509certfile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509certfile.arg1, gaa_getstr, + GAATMP_x509certfile.size1); + gaa_index++; #line 59 "serv.gaa" -{ gaaval->x509_certfile = GAATMP_x509certfile.arg1 ;}; + { + gaaval->x509_certfile = GAATMP_x509certfile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_x509keyfile: + return GAA_OK; + break; + case GAAOPTID_x509keyfile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_x509keyfile.arg1, gaa_getstr, GAATMP_x509keyfile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509keyfile.arg1, gaa_getstr, + GAATMP_x509keyfile.size1); + gaa_index++; #line 56 "serv.gaa" -{ gaaval->x509_keyfile = GAATMP_x509keyfile.arg1 ;}; + { + gaaval->x509_keyfile = GAATMP_x509keyfile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_pgpcertfile: + return GAA_OK; + break; + case GAAOPTID_pgpcertfile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_pgpcertfile.arg1, gaa_getstr, GAATMP_pgpcertfile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgpcertfile.arg1, gaa_getstr, + GAATMP_pgpcertfile.size1); + gaa_index++; #line 53 "serv.gaa" -{ gaaval->pgp_certfile = GAATMP_pgpcertfile.arg1 ;}; + { + gaaval->pgp_certfile = GAATMP_pgpcertfile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_pgpkeyfile: + return GAA_OK; + break; + case GAAOPTID_pgpkeyfile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_pgpkeyfile.arg1, gaa_getstr, GAATMP_pgpkeyfile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgpkeyfile.arg1, gaa_getstr, + GAATMP_pgpkeyfile.size1); + gaa_index++; #line 50 "serv.gaa" -{ gaaval->pgp_keyfile = GAATMP_pgpkeyfile.arg1 ;}; + { + gaaval->pgp_keyfile = GAATMP_pgpkeyfile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_pgptrustdb: + return GAA_OK; + break; + case GAAOPTID_pgptrustdb: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_pgptrustdb.arg1, gaa_getstr, GAATMP_pgptrustdb.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgptrustdb.arg1, gaa_getstr, + GAATMP_pgptrustdb.size1); + gaa_index++; #line 47 "serv.gaa" -{ gaaval->pgp_trustdb = GAATMP_pgptrustdb.arg1 ;}; + { + gaaval->pgp_trustdb = GAATMP_pgptrustdb.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_pgpkeyring: + return GAA_OK; + break; + case GAAOPTID_pgpkeyring: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_pgpkeyring.arg1, gaa_getstr, GAATMP_pgpkeyring.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgpkeyring.arg1, gaa_getstr, + GAATMP_pgpkeyring.size1); + gaa_index++; #line 44 "serv.gaa" -{ gaaval->pgp_keyring = GAATMP_pgpkeyring.arg1 ;}; + { + gaaval->pgp_keyring = GAATMP_pgpkeyring.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_x509crlfile: + return GAA_OK; + break; + case GAAOPTID_x509crlfile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_x509crlfile.arg1, gaa_getstr, GAATMP_x509crlfile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509crlfile.arg1, gaa_getstr, + GAATMP_x509crlfile.size1); + gaa_index++; #line 41 "serv.gaa" -{ gaaval->x509_crlfile = GAATMP_x509crlfile.arg1 ;}; + { + gaaval->x509_crlfile = GAATMP_x509crlfile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_x509cafile: + return GAA_OK; + break; + case GAAOPTID_x509cafile: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_x509cafile.arg1, gaa_getstr, GAATMP_x509cafile.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509cafile.arg1, gaa_getstr, + GAATMP_x509cafile.size1); + gaa_index++; #line 38 "serv.gaa" -{ gaaval->x509_cafile = GAATMP_x509cafile.arg1 ;}; + { + gaaval->x509_cafile = GAATMP_x509cafile.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_x509fmtder: + return GAA_OK; + break; + case GAAOPTID_x509fmtder: OK = 0; #line 35 "serv.gaa" -{ gaaval->fmtder = 1 ;}; + { + gaaval->fmtder = 1; + }; - return GAA_OK; - break; - case GAAOPTID_dhparams: + return GAA_OK; + break; + case GAAOPTID_dhparams: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_dhparams.arg1, gaa_getstr, GAATMP_dhparams.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_dhparams.arg1, gaa_getstr, GAATMP_dhparams.size1); + gaa_index++; #line 32 "serv.gaa" -{ gaaval->dh_params_file = GAATMP_dhparams.arg1 ;}; + { + gaaval->dh_params_file = GAATMP_dhparams.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_echo: + return GAA_OK; + break; + case GAAOPTID_echo: OK = 0; #line 29 "serv.gaa" -{ gaaval->http = 0 ;}; + { + gaaval->http = 0; + }; - return GAA_OK; - break; - case GAAOPTID_http: + return GAA_OK; + break; + case GAAOPTID_http: OK = 0; #line 28 "serv.gaa" -{ gaaval->http = 1 ;}; + { + gaaval->http = 1; + }; - return GAA_OK; - break; - case GAAOPTID_nodb: + return GAA_OK; + break; + case GAAOPTID_nodb: OK = 0; #line 25 "serv.gaa" -{ gaaval->nodb = 1 ;}; + { + gaaval->nodb = 1; + }; - return GAA_OK; - break; - case GAAOPTID_quiet: + return GAA_OK; + break; + case GAAOPTID_quiet: OK = 0; #line 22 "serv.gaa" -{ gaaval->quiet = 1 ;}; + { + gaaval->quiet = 1; + }; - return GAA_OK; - break; - case GAAOPTID_port: + return GAA_OK; + break; + case GAAOPTID_port: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_port.arg1, gaa_getint, GAATMP_port.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_port.arg1, gaa_getint, GAATMP_port.size1); + gaa_index++; #line 19 "serv.gaa" -{ gaaval->port = GAATMP_port.arg1 ;}; + { + gaaval->port = GAATMP_port.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_generate: + return GAA_OK; + break; + case GAAOPTID_generate: OK = 0; #line 16 "serv.gaa" -{ gaaval->generate = 1 ;}; + { + gaaval->generate = 1; + }; - return GAA_OK; - break; - case GAAOPTID_debug: + return GAA_OK; + break; + case GAAOPTID_debug: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1); + gaa_index++; #line 13 "serv.gaa" -{ gaaval->debug = GAATMP_debug.arg1 ;}; + { + gaaval->debug = GAATMP_debug.arg1; + }; - return GAA_OK; - break; + return GAA_OK; + break; #line 413 "gaa.skel" - default: break; + default: + break; } return GAA_ERROR_UNKNOWN; } -int gaa(int argc, char **argv, gaainfo *gaaval) +int gaa(int argc, char **argv, gaainfo * gaaval) { int tmp1, tmp2; int i, j; @@ -1066,24 +1129,46 @@ int gaa(int argc, char **argv, gaainfo *gaaval) GAAargv = argv; GAAargc = argc; - opt_list = (char*) gaa_malloc(GAA_NB_OPTION + 1); + opt_list = (char *) gaa_malloc(GAA_NB_OPTION + 1); - for(i = 0; i < GAA_NB_OPTION + 1; i++) - opt_list[i] = 0; + for (i = 0; i < GAA_NB_OPTION + 1; i++) + opt_list[i] = 0; /* initialization */ - if(inited == 0) - { + if (inited == 0) { #line 106 "serv.gaa" -{ gaaval->generate=0; gaaval->port=5556; gaaval->http=0; gaaval->ciphers=NULL; - gaaval->kx=NULL; gaaval->comp=NULL; gaaval->macs=NULL; gaaval->ctype=NULL; gaaval->nciphers=0; - gaaval->nkx=0; gaaval->ncomp=0; gaaval->nmacs=0; gaaval->nctype = 0; gaaval->nodb = 0; - gaaval->x509_cafile = NULL; gaaval->pgp_keyfile=NULL; gaaval->pgp_certfile=NULL; - gaaval->x509_keyfile=NULL; gaaval->x509_certfile=NULL; gaaval->x509_crlfile = NULL; - gaaval->x509_dsakeyfile=NULL; gaaval->x509_dsacertfile=NULL; - gaaval->srp_passwd=NULL; gaaval->srp_passwd_conf=NULL; gaaval->quiet = 0; - gaaval->pgp_trustdb=NULL; gaaval->pgp_keyring=NULL; gaaval->fmtder = 0; - gaaval->dh_params_file=NULL; gaaval->debug=0; ;}; + { + gaaval->generate = 0; + gaaval->port = 5556; + gaaval->http = 0; + gaaval->ciphers = NULL; + gaaval->kx = NULL; + gaaval->comp = NULL; + gaaval->macs = NULL; + gaaval->ctype = NULL; + gaaval->nciphers = 0; + gaaval->nkx = 0; + gaaval->ncomp = 0; + gaaval->nmacs = 0; + gaaval->nctype = 0; + gaaval->nodb = 0; + gaaval->x509_cafile = NULL; + gaaval->pgp_keyfile = NULL; + gaaval->pgp_certfile = NULL; + gaaval->x509_keyfile = NULL; + gaaval->x509_certfile = NULL; + gaaval->x509_crlfile = NULL; + gaaval->x509_dsakeyfile = NULL; + gaaval->x509_dsacertfile = NULL; + gaaval->srp_passwd = NULL; + gaaval->srp_passwd_conf = NULL; + gaaval->quiet = 0; + gaaval->pgp_trustdb = NULL; + gaaval->pgp_keyring = NULL; + gaaval->fmtder = 0; + gaaval->dh_params_file = NULL; + gaaval->debug = 0;; + }; } inited = 1; @@ -1091,186 +1176,173 @@ int gaa(int argc, char **argv, gaainfo *gaaval) gaa_arg_used = NULL; if (argc > 0) { - gaa_arg_used = gaa_malloc(argc * sizeof(char)); + gaa_arg_used = gaa_malloc(argc * sizeof(char)); } - for(i = 1; i < argc; i++) - gaa_arg_used[i] = 0; - for(i = 1; i < argc; i++) - { - if(gaa_arg_used[i] == 0) - { - j = 0; - tmp1 = gaa_is_an_argument(GAAargv[i]); - switch(tmp1) - { - case GAA_WORD_OPTION: - j++; - case GAA_LETTER_OPTION: - j++; - tmp2 = gaa_get_option_num(argv[i]+j, tmp1); - if(tmp2 == GAA_ERROR_NOMATCH) - { - printf("Invalid option '%s'\n", argv[i]+j); - return 0; - } - switch(gaa_try(tmp2, i+1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("'%s': not enough arguments\n",gaa_current_option); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } - gaa_arg_used[i] = 1; - break; - case GAA_MULTIPLE_OPTION: - for(j = 1; j < strlen(argv[i]); j++) - { - tmp2 = gaa_get_option_num(argv[i]+j, tmp1); - if(tmp2 == GAA_ERROR_NOMATCH) - { - printf("Invalid option '%c'\n", *(argv[i]+j)); - return 0; - } - switch(gaa_try(tmp2, i+1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("'%s': not enough arguments\n",gaa_current_option); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } - } - gaa_arg_used[i] = 1; - break; - default: break; - } - } + for (i = 1; i < argc; i++) + gaa_arg_used[i] = 0; + for (i = 1; i < argc; i++) { + if (gaa_arg_used[i] == 0) { + j = 0; + tmp1 = gaa_is_an_argument(GAAargv[i]); + switch (tmp1) { + case GAA_WORD_OPTION: + j++; + case GAA_LETTER_OPTION: + j++; + tmp2 = gaa_get_option_num(argv[i] + j, tmp1); + if (tmp2 == GAA_ERROR_NOMATCH) { + printf("Invalid option '%s'\n", argv[i] + j); + return 0; + } + switch (gaa_try(tmp2, i + 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("'%s': not enough arguments\n", + gaa_current_option); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } + gaa_arg_used[i] = 1; + break; + case GAA_MULTIPLE_OPTION: + for (j = 1; j < strlen(argv[i]); j++) { + tmp2 = gaa_get_option_num(argv[i] + j, tmp1); + if (tmp2 == GAA_ERROR_NOMATCH) { + printf("Invalid option '%c'\n", *(argv[i] + j)); + return 0; + } + switch (gaa_try(tmp2, i + 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("'%s': not enough arguments\n", + gaa_current_option); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } + } + gaa_arg_used[i] = 1; + break; + default: + break; + } + } } -if(gaa_processing_file == 0) -{ + if (gaa_processing_file == 0) { #line 507 "gaa.skel" #ifdef GAA_REST_EXISTS - switch(gaa_try(GAA_REST, 1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("Rest: not enough arguments\n"); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } + switch (gaa_try(GAA_REST, 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("Rest: not enough arguments\n"); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } #endif -} - for(i = 1; i < argc; i++) - { - if(gaa_arg_used[i] == 0) - { - printf("Too many arguments\n"); - return 0; - } + } + for (i = 1; i < argc; i++) { + if (gaa_arg_used[i] == 0) { + printf("Too many arguments\n"); + return 0; + } } free(gaa_arg_used); free(opt_list); return -1; } -struct gaastrnode -{ +struct gaastrnode { char *str; struct gaastrnode *next; }; typedef struct gaastrnode gaa_str_node; -static int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc) +static int gaa_internal_get_next_str(FILE * file, gaa_str_node * tmp_str, + int argc) { int pos_ini; int a; int i = 0, len = 0, newline = 0; - if(argc == 1) { - newline = 1; - len = 2; + if (argc == 1) { + newline = 1; + len = 2; } - - a = fgetc( file); - if (a == EOF) return 0; - - while(a == ' ' || a == 9 || a == '\n') - { - if(a == '\n') - { - newline=1; - len = 2; - } - a = fgetc( file); - if (a == EOF) return 0; + + a = fgetc(file); + if (a == EOF) + return 0; + + while (a == ' ' || a == 9 || a == '\n') { + if (a == '\n') { + newline = 1; + len = 2; + } + a = fgetc(file); + if (a == EOF) + return 0; } pos_ini = ftell(file) - 1; - while(a != ' ' && a != 9 && a != '\n') - { + while (a != ' ' && a != 9 && a != '\n') { - len++; - a = fgetc( file); - if(a==EOF) return 0; //a = ' '; + len++; + a = fgetc(file); + if (a == EOF) + return 0; //a = ' '; } len += 1; tmp_str->str = gaa_malloc((len) * sizeof(char)); - if(newline == 1) - { - tmp_str->str[0] = '-'; - tmp_str->str[1] = '-'; - i = 2; - } - else - { - i = 0; + if (newline == 1) { + tmp_str->str[0] = '-'; + tmp_str->str[1] = '-'; + i = 2; + } else { + i = 0; } - fseek(file,pos_ini, SEEK_SET); - do - { - a = fgetc( file); - - if (a == EOF) { - i+=2; - break; - } - tmp_str->str[i] = a; - i++; + fseek(file, pos_ini, SEEK_SET); + do { + a = fgetc(file); + + if (a == EOF) { + i += 2; + break; + } + tmp_str->str[i] = a; + i++; } - while(a != ' ' && a != 9 && a != '\n' && i < len); + while (a != ' ' && a != 9 && a != '\n' && i < len); tmp_str->str[i - 1] = 0; - fseek(file,- 1, SEEK_CUR); + fseek(file, -1, SEEK_CUR); /* printf("%d\n", ftell(file)); */ - + return -1; } -int gaa_file(const char *name, gaainfo *gaaval) +int gaa_file(const char *name, gaainfo * gaaval) { gaa_str_node *first_str, **tmp_str, *tmp_str2; int rval, i; @@ -1279,38 +1351,36 @@ int gaa_file(const char *name, gaainfo *gaaval) FILE *file; gaa_processing_file = 1; - - if((file = fopen(name, "r")) == NULL) - { - printf("Couldn't open '%s' configuration file for reading\n", name); - return 1; + + if ((file = fopen(name, "r")) == NULL) { + printf("Couldn't open '%s' configuration file for reading\n", + name); + return 1; } - + tmp_str = &first_str; - do - { - argc++; - *tmp_str = gaa_malloc(sizeof(gaa_str_node)); + do { + argc++; + *tmp_str = gaa_malloc(sizeof(gaa_str_node)); - (*tmp_str)->str = NULL; - (*tmp_str)->next = NULL; + (*tmp_str)->str = NULL; + (*tmp_str)->next = NULL; - rval = gaa_internal_get_next_str(file, *tmp_str, argc); - tmp_str = &((*tmp_str)->next); + rval = gaa_internal_get_next_str(file, *tmp_str, argc); + tmp_str = &((*tmp_str)->next); } - while(rval == -1); - - if(rval == 1) - return 0; - - argv = gaa_malloc((1 + argc) * sizeof(char*)); + while (rval == -1); + + if (rval == 1) + return 0; + + argv = gaa_malloc((1 + argc) * sizeof(char *)); tmp_str2 = first_str; argv[0] = "cfg"; - for(i = 1; i < argc; i++) - { - argv[i] = tmp_str2->str; - tmp_str2 = tmp_str2->next; + for (i = 1; i < argc; i++) { + argv[i] = tmp_str2->str; + tmp_str2 = tmp_str2->next; } rval = gaa(argc, argv, gaaval); diff --git a/src/serv.c b/src/serv.c index a08ea06ab9..daf66fdf24 100644 --- a/src/serv.c +++ b/src/serv.c @@ -116,32 +116,35 @@ static int wrap_db_delete(void *dbf, gnutls_datum key); #define HTTP_STATE_RESPONSE 2 #define HTTP_STATE_CLOSING 3 -LIST_TYPE_DECLARE(listener_item, char *http_request; - char *http_response; int request_length; +LIST_TYPE_DECLARE(listener_item, char *http_request; char *http_response; + int request_length; int response_length; - int response_written; - int http_state; - int fd; gnutls_session tls_session; int handshake_ok;); + int response_written; int http_state; int fd; + gnutls_session tls_session; + int handshake_ok; + ); static const char *safe_strerror(int value) -{ const char *ret = gnutls_strerror(value); - if (ret == NULL) ret = str_unknown; - return ret; +{ + const char *ret = gnutls_strerror(value); + if (ret == NULL) + ret = str_unknown; + return ret; } static void listener_free(listener_item * j) { - if (j->http_request) - free(j->http_request); - if (j->http_response) - free(j->http_response); - if (j->fd >= 0) { - gnutls_bye(j->tls_session, GNUTLS_SHUT_WR); - shutdown(j->fd, 2); - close(j->fd); - gnutls_deinit(j->tls_session); - } + if (j->http_request) + free(j->http_request); + if (j->http_response) + free(j->http_response); + if (j->fd >= 0) { + gnutls_bye(j->tls_session, GNUTLS_SHUT_WR); + shutdown(j->fd, 2); + close(j->fd); + gnutls_deinit(j->tls_session); + } } @@ -154,165 +157,171 @@ gnutls_rsa_params rsa_params = NULL; static int generate_dh_primes(void) { - int prime_bits = 768; - - if (gnutls_dh_params_init(&dh_params) < 0) { - fprintf(stderr, "Error in dh parameter initialization\n"); - exit(1); - } - - /* Generate Diffie Hellman parameters - for use with DHE - * kx algorithms. These should be discarded and regenerated - * once a day, once a week or once a month. Depends on the - * security requirements. - */ - printf - ("Generating Diffie Hellman parameters [%d]. Please wait...\n", - prime_bits); - fflush(stdout); - - if (gnutls_dh_params_generate2( dh_params, prime_bits) < 0) { - fprintf(stderr, "Error in prime generation\n"); - exit(1); - } - - return 0; + int prime_bits = 768; + + if (gnutls_dh_params_init(&dh_params) < 0) { + fprintf(stderr, "Error in dh parameter initialization\n"); + exit(1); + } + + /* Generate Diffie Hellman parameters - for use with DHE + * kx algorithms. These should be discarded and regenerated + * once a day, once a week or once a month. Depends on the + * security requirements. + */ + printf + ("Generating Diffie Hellman parameters [%d]. Please wait...\n", + prime_bits); + fflush(stdout); + + if (gnutls_dh_params_generate2(dh_params, prime_bits) < 0) { + fprintf(stderr, "Error in prime generation\n"); + exit(1); + } + + return 0; } static void read_dh_params(void) { - char tmpdata[2048]; - int size; - gnutls_datum params; - FILE* fd; - - if (gnutls_dh_params_init(&dh_params) < 0) { - fprintf(stderr, "Error in dh parameter initialization\n"); - exit(1); - } - - /* read the params file - */ - fd = fopen(dh_params_file, "r"); - if (fd==NULL) { - fprintf(stderr, "Could not open %s\n", dh_params_file); - exit(1); - } - - size = fread( tmpdata, 1, sizeof(tmpdata)-1, fd); - tmpdata[size] = 0; - fclose(fd); - - params.data = tmpdata; - params.size = size; - - size = gnutls_dh_params_import_pkcs3( dh_params, ¶ms, GNUTLS_X509_FMT_PEM); - - if (size < 0) { - fprintf(stderr, "Error parsing dh params: %s\n", safe_strerror(size)); - exit(1); - } - - printf("Read Diffie Hellman parameters.\n"); - fflush(stdout); - + char tmpdata[2048]; + int size; + gnutls_datum params; + FILE *fd; + + if (gnutls_dh_params_init(&dh_params) < 0) { + fprintf(stderr, "Error in dh parameter initialization\n"); + exit(1); + } + + /* read the params file + */ + fd = fopen(dh_params_file, "r"); + if (fd == NULL) { + fprintf(stderr, "Could not open %s\n", dh_params_file); + exit(1); + } + + size = fread(tmpdata, 1, sizeof(tmpdata) - 1, fd); + tmpdata[size] = 0; + fclose(fd); + + params.data = tmpdata; + params.size = size; + + size = + gnutls_dh_params_import_pkcs3(dh_params, ¶ms, + GNUTLS_X509_FMT_PEM); + + if (size < 0) { + fprintf(stderr, "Error parsing dh params: %s\n", + safe_strerror(size)); + exit(1); + } + + printf("Read Diffie Hellman parameters.\n"); + fflush(stdout); + } -static int get_params( gnutls_session session, gnutls_params_type type, - gnutls_params_st *st) +static int get_params(gnutls_session session, gnutls_params_type type, + gnutls_params_st * st) { - - if (type == GNUTLS_PARAMS_RSA_EXPORT) - st->params.rsa_export = rsa_params; - else if (type == GNUTLS_PARAMS_DH) - st->params.dh = dh_params; - else return -1; - st->type = type; - st->deinit = 0; + if (type == GNUTLS_PARAMS_RSA_EXPORT) + st->params.rsa_export = rsa_params; + else if (type == GNUTLS_PARAMS_DH) + st->params.dh = dh_params; + else + return -1; - return 0; + st->type = type; + st->deinit = 0; + + return 0; } static int generate_rsa_params(void) { - if (gnutls_rsa_params_init(&rsa_params) < 0) { - fprintf(stderr, "Error in rsa parameter initialization\n"); - exit(1); - } - - /* Generate RSA parameters - for use with RSA-export - * cipher suites. These should be discarded and regenerated - * once a day, once every 500 transactions etc. Depends on the - * security requirements. - */ - printf("Generating temporary RSA parameters. Please wait...\n"); - fflush(stdout); - - if (gnutls_rsa_params_generate2( rsa_params, 512) < 0) { - fprintf(stderr, "Error in rsa parameter generation\n"); - exit(1); - } - - return 0; + if (gnutls_rsa_params_init(&rsa_params) < 0) { + fprintf(stderr, "Error in rsa parameter initialization\n"); + exit(1); + } + + /* Generate RSA parameters - for use with RSA-export + * cipher suites. These should be discarded and regenerated + * once a day, once every 500 transactions etc. Depends on the + * security requirements. + */ + printf("Generating temporary RSA parameters. Please wait...\n"); + fflush(stdout); + + if (gnutls_rsa_params_generate2(rsa_params, 512) < 0) { + fprintf(stderr, "Error in rsa parameter generation\n"); + exit(1); + } + + return 0; } -int protocol_priority[PRI_MAX] = { GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3, 0 }; +int protocol_priority[PRI_MAX] = + { GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3, 0 }; int kx_priority[PRI_MAX] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, - /* Do not use anonymous authentication, unless you know what that means */ - GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP_RSA, GNUTLS_KX_ANON_DH, - GNUTLS_KX_RSA_EXPORT, 0 + /* Do not use anonymous authentication, unless you know what that means */ + GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP_RSA, GNUTLS_KX_ANON_DH, + GNUTLS_KX_RSA_EXPORT, 0 }; int cipher_priority[PRI_MAX] = { GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, - GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_ARCFOUR_40, 0 + GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_ARCFOUR_40, 0 }; int comp_priority[PRI_MAX] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_LZO, GNUTLS_COMP_NULL, 0 }; -int mac_priority[PRI_MAX] = - { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; -int cert_type_priority[PRI_MAX] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 }; +int mac_priority[PRI_MAX] = + { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; +int cert_type_priority[PRI_MAX] = + { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 }; LIST_DECLARE_INIT(listener_list, listener_item, listener_free); gnutls_session initialize_session(void) { - gnutls_session session; + gnutls_session session; - gnutls_init(&session, GNUTLS_SERVER); + gnutls_init(&session, GNUTLS_SERVER); - /* allow the use of private ciphersuites. - */ - gnutls_handshake_set_private_extensions(session, 1); + /* allow the use of private ciphersuites. + */ + gnutls_handshake_set_private_extensions(session, 1); - if (nodb == 0) { - gnutls_db_set_retrieve_function(session, wrap_db_fetch); - gnutls_db_set_remove_function(session, wrap_db_delete); - gnutls_db_set_store_function(session, wrap_db_store); - gnutls_db_set_ptr(session, NULL); - } + if (nodb == 0) { + gnutls_db_set_retrieve_function(session, wrap_db_fetch); + gnutls_db_set_remove_function(session, wrap_db_delete); + gnutls_db_set_store_function(session, wrap_db_store); + gnutls_db_set_ptr(session, NULL); + } /* gnutls_dh_set_prime_bits( session, prime_bits); */ - gnutls_cipher_set_priority(session, cipher_priority); - gnutls_compression_set_priority(session, comp_priority); - gnutls_kx_set_priority(session, kx_priority); - gnutls_protocol_set_priority(session, protocol_priority); - gnutls_mac_set_priority(session, mac_priority); - gnutls_certificate_type_set_priority(session, cert_type_priority); + gnutls_cipher_set_priority(session, cipher_priority); + gnutls_compression_set_priority(session, comp_priority); + gnutls_kx_set_priority(session, kx_priority); + gnutls_protocol_set_priority(session, protocol_priority); + gnutls_mac_set_priority(session, mac_priority); + gnutls_certificate_type_set_priority(session, cert_type_priority); - gnutls_credentials_set(session, GNUTLS_CRD_ANON, dh_cred); + gnutls_credentials_set(session, GNUTLS_CRD_ANON, dh_cred); - if (srp_cred != NULL) - gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred); + if (srp_cred != NULL) + gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred); - if (cert_cred != NULL) - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred); + if (cert_cred != NULL) + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred); - gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST); + gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST); - return session; + return session; } static const char DEFAULT_DATA[] = "This is the default message reported " @@ -325,474 +334,485 @@ static const char DEFAULT_DATA[] = "This is the default message reported " char *peer_print_info(gnutls_session session, int *ret_length, const char *header) { - const char *tmp; - unsigned char sesid[32]; - int sesid_size, i; - char *http_buffer = malloc(5 * 1024 + strlen(header)); - gnutls_kx_algorithm kx_alg; - - if (http_buffer == NULL) - return NULL; - if (verbose != 0) { - - strcpy(http_buffer, HTTP_BEGIN); - strcpy(&http_buffer[sizeof(HTTP_BEGIN) - 1], DEFAULT_DATA); - strcpy(&http_buffer[sizeof(HTTP_BEGIN) + sizeof(DEFAULT_DATA) - 2], - HTTP_END); - *ret_length = - sizeof(DEFAULT_DATA) + sizeof(HTTP_BEGIN) + sizeof(HTTP_END) - 3; - return http_buffer; - - } - - strcpy(http_buffer, HTTP_BEGIN); - - /* print session_id */ - gnutls_session_get_id(session, sesid, &sesid_size); - sprintf(tmp2, "\n<p>Session ID: <i>"); - for (i = 0; i < sesid_size; i++) - sprintf(tmp2, "%.2X", sesid[i]); - sprintf(tmp2, "</i></p>\n"); - sprintf(tmp2, - "<h5>If your browser supports session resuming, then you should see the " - "same session ID, when you press the <b>reload</b> button.</h5>\n"); - - /* Here unlike print_info() we use the kx algorithm to distinguish - * the functions to call. - */ - { - char dns[256]; - size_t dns_size = sizeof(dns); - unsigned int type; - - if (gnutls_server_name_get(session, dns, &dns_size, &type, 0) == 0) { - sprintf(tmp2, "\n<p>Server Name: %s</p>\n", dns); - } - - } - - kx_alg = gnutls_kx_get(session); - - /* print srp specific data */ + const char *tmp; + unsigned char sesid[32]; + int sesid_size, i; + char *http_buffer = malloc(5 * 1024 + strlen(header)); + gnutls_kx_algorithm kx_alg; + + if (http_buffer == NULL) + return NULL; + if (verbose != 0) { + + strcpy(http_buffer, HTTP_BEGIN); + strcpy(&http_buffer[sizeof(HTTP_BEGIN) - 1], DEFAULT_DATA); + strcpy(&http_buffer[sizeof(HTTP_BEGIN) + sizeof(DEFAULT_DATA) - 2], + HTTP_END); + *ret_length = + sizeof(DEFAULT_DATA) + sizeof(HTTP_BEGIN) + sizeof(HTTP_END) - + 3; + return http_buffer; + + } + + strcpy(http_buffer, HTTP_BEGIN); + + /* print session_id */ + gnutls_session_get_id(session, sesid, &sesid_size); + sprintf(tmp2, "\n<p>Session ID: <i>"); + for (i = 0; i < sesid_size; i++) + sprintf(tmp2, "%.2X", sesid[i]); + sprintf(tmp2, "</i></p>\n"); + sprintf(tmp2, + "<h5>If your browser supports session resuming, then you should see the " + "same session ID, when you press the <b>reload</b> button.</h5>\n"); + + /* Here unlike print_info() we use the kx algorithm to distinguish + * the functions to call. + */ + { + char dns[256]; + size_t dns_size = sizeof(dns); + unsigned int type; + + if (gnutls_server_name_get(session, dns, &dns_size, &type, 0) == 0) { + sprintf(tmp2, "\n<p>Server Name: %s</p>\n", dns); + } + + } + + kx_alg = gnutls_kx_get(session); + + /* print srp specific data */ #ifdef ENABLE_SRP - if (kx_alg == GNUTLS_KX_SRP) { - sprintf(tmp2, "<p>Connected as user '%s'.</p>\n", - gnutls_srp_server_get_username(session)); - } + if (kx_alg == GNUTLS_KX_SRP) { + sprintf(tmp2, "<p>Connected as user '%s'.</p>\n", + gnutls_srp_server_get_username(session)); + } #endif #ifdef ENABLE_ANON - if (kx_alg == GNUTLS_KX_ANON_DH) { - sprintf(tmp2, - "<p> Connect using anonymous DH (prime of %d bits)</p>\n", - gnutls_dh_get_prime_bits(session)); - } + if (kx_alg == GNUTLS_KX_ANON_DH) { + sprintf(tmp2, + "<p> Connect using anonymous DH (prime of %d bits)</p>\n", + gnutls_dh_get_prime_bits(session)); + } #endif - if (kx_alg == GNUTLS_KX_DHE_RSA || kx_alg == GNUTLS_KX_DHE_DSS) { - sprintf(tmp2, - "Ephemeral DH using prime of <b>%d</b> bits.<br>\n", - gnutls_dh_get_prime_bits(session)); - } - - /* print session information */ - strcat(http_buffer, "<P>\n"); - - tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(session)); - if (tmp == NULL) tmp = str_unknown; - sprintf(tmp2, - "<TABLE border=1><TR><TD>Protocol version:</TD><TD>%s</TD></TR>\n", - tmp); - - if (gnutls_auth_get_type(session) == GNUTLS_CRD_CERTIFICATE) { - tmp = - gnutls_certificate_type_get_name(gnutls_certificate_type_get - (session)); - if (tmp == NULL) tmp = str_unknown; - sprintf(tmp2, "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", - tmp); - } - - tmp = gnutls_kx_get_name(kx_alg); - if (tmp == NULL) tmp = str_unknown; - sprintf(tmp2, "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp); - - tmp = gnutls_compression_get_name(gnutls_compression_get(session)); - if (tmp == NULL) tmp = str_unknown; - sprintf(tmp2, "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp); - - tmp = gnutls_cipher_get_name(gnutls_cipher_get(session)); - if (tmp == NULL) tmp = str_unknown; - sprintf(tmp2, "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp); - - tmp = gnutls_mac_get_name(gnutls_mac_get(session)); - if (tmp == NULL) tmp = str_unknown; - sprintf(tmp2, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n", tmp); - - tmp = gnutls_cipher_suite_get_name(kx_alg, - gnutls_cipher_get(session), - gnutls_mac_get(session)); - if (tmp == NULL) tmp = str_unknown; - sprintf(tmp2, "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n", - tmp); - - strcat(http_buffer, "<hr><P>Your header was:<PRE>"); - strcat(http_buffer, header); - strcat(http_buffer, "</PRE></P>"); - - strcat(http_buffer, "\n" HTTP_END); - - *ret_length = strlen(http_buffer); - - return http_buffer; + if (kx_alg == GNUTLS_KX_DHE_RSA || kx_alg == GNUTLS_KX_DHE_DSS) { + sprintf(tmp2, + "Ephemeral DH using prime of <b>%d</b> bits.<br>\n", + gnutls_dh_get_prime_bits(session)); + } + + /* print session information */ + strcat(http_buffer, "<P>\n"); + + tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(session)); + if (tmp == NULL) + tmp = str_unknown; + sprintf(tmp2, + "<TABLE border=1><TR><TD>Protocol version:</TD><TD>%s</TD></TR>\n", + tmp); + + if (gnutls_auth_get_type(session) == GNUTLS_CRD_CERTIFICATE) { + tmp = + gnutls_certificate_type_get_name(gnutls_certificate_type_get + (session)); + if (tmp == NULL) + tmp = str_unknown; + sprintf(tmp2, "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", + tmp); + } + + tmp = gnutls_kx_get_name(kx_alg); + if (tmp == NULL) + tmp = str_unknown; + sprintf(tmp2, "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp); + + tmp = gnutls_compression_get_name(gnutls_compression_get(session)); + if (tmp == NULL) + tmp = str_unknown; + sprintf(tmp2, "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp); + + tmp = gnutls_cipher_get_name(gnutls_cipher_get(session)); + if (tmp == NULL) + tmp = str_unknown; + sprintf(tmp2, "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp); + + tmp = gnutls_mac_get_name(gnutls_mac_get(session)); + if (tmp == NULL) + tmp = str_unknown; + sprintf(tmp2, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n", tmp); + + tmp = gnutls_cipher_suite_get_name(kx_alg, + gnutls_cipher_get(session), + gnutls_mac_get(session)); + if (tmp == NULL) + tmp = str_unknown; + sprintf(tmp2, "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n", + tmp); + + strcat(http_buffer, "<hr><P>Your header was:<PRE>"); + strcat(http_buffer, header); + strcat(http_buffer, "</PRE></P>"); + + strcat(http_buffer, "\n" HTTP_END); + + *ret_length = strlen(http_buffer); + + return http_buffer; } static int listen_socket(const char *name, int listen_port) { - struct sockaddr_in a; - int s; - int yes; - - if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) { - perror("socket() failed"); - return -1; - } - yes = 1; - - if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (const void *)&yes, sizeof(yes)) - < 0) { - perror("setsockopt() failed"); + struct sockaddr_in a; + int s; + int yes; + + if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) { + perror("socket() failed"); + return -1; + } + yes = 1; + + if (setsockopt + (s, SOL_SOCKET, SO_REUSEADDR, (const void *) &yes, sizeof(yes)) + < 0) { + perror("setsockopt() failed"); failed: - close(s); - return -1; - } - memset(&a, 0, sizeof(a)); - a.sin_port = htons(listen_port); - a.sin_family = AF_INET; - if (bind(s, (struct sockaddr *) &a, sizeof(a)) < 0) { - perror("bind() failed"); - goto failed; - } - - if (listen(s, 10) < 0) { - perror("listen() failed"); - goto failed; - } - - printf("%s ready. Listening to port '%d'.\n\n", name, listen_port); - return s; + close(s); + return -1; + } + memset(&a, 0, sizeof(a)); + a.sin_port = htons(listen_port); + a.sin_family = AF_INET; + if (bind(s, (struct sockaddr *) &a, sizeof(a)) < 0) { + perror("bind() failed"); + goto failed; + } + + if (listen(s, 10) < 0) { + perror("listen() failed"); + goto failed; + } + + printf("%s ready. Listening to port '%d'.\n\n", name, listen_port); + return s; } static void get_response(gnutls_session session, char *request, char **response, int *response_length) { - char *p, *h; + char *p, *h; - if (http != 0) { - if (strncmp(request, "GET ", 4)) - goto unimplemented; + if (http != 0) { + if (strncmp(request, "GET ", 4)) + goto unimplemented; - if (!(h = strchr(request, '\n'))) - goto unimplemented; + if (!(h = strchr(request, '\n'))) + goto unimplemented; - *h++ = '\0'; - while (*h == '\r' || *h == '\n') - h++; + *h++ = '\0'; + while (*h == '\r' || *h == '\n') + h++; - if (!(p = strchr(request + 4, ' '))) - goto unimplemented; - *p = '\0'; - } + if (!(p = strchr(request + 4, ' '))) + goto unimplemented; + *p = '\0'; + } /* *response = peer_print_info(session, request+4, h, response_length); */ - if (http != 0) { - *response = peer_print_info(session, response_length, h); - } else { - *response = strdup(request); - *response_length = ( (*response) ? strlen(*response) : 0 ); - } - - return; - - unimplemented: - *response = strdup(HTTP_UNIMPLEMENTED); - *response_length = ( (*response) ? strlen(*response) : 0 ); + if (http != 0) { + *response = peer_print_info(session, response_length, h); + } else { + *response = strdup(request); + *response_length = ((*response) ? strlen(*response) : 0); + } + + return; + + unimplemented: + *response = strdup(HTTP_UNIMPLEMENTED); + *response_length = ((*response) ? strlen(*response) : 0); } void terminate(int sig) { - fprintf(stderr, "Exiting via signal %d\n", sig); - exit(1); + fprintf(stderr, "Exiting via signal %d\n", sig); + exit(1); } static void check_alert(gnutls_session session, int ret) { - if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED - || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { - int last_alert = gnutls_alert_get(session); - if (last_alert == GNUTLS_A_NO_RENEGOTIATION && - ret == GNUTLS_E_WARNING_ALERT_RECEIVED) - printf - ("* Received NO_RENEGOTIATION alert. Client does not support renegotiation.\n"); - else - printf("* Received alert '%d': %s.\n", last_alert, - gnutls_alert_get_name(last_alert)); - } + if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED + || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { + int last_alert = gnutls_alert_get(session); + if (last_alert == GNUTLS_A_NO_RENEGOTIATION && + ret == GNUTLS_E_WARNING_ALERT_RECEIVED) + printf + ("* Received NO_RENEGOTIATION alert. Client does not support renegotiation.\n"); + else + printf("* Received alert '%d': %s.\n", last_alert, + gnutls_alert_get_name(last_alert)); + } } -static void tls_log_func( int level, const char* str) +static void tls_log_func(int level, const char *str) { - fprintf(stderr, "|<%d>| %s", level, str); + fprintf(stderr, "|<%d>| %s", level, str); } static void gaa_parser(int argc, char **argv); int main(int argc, char **argv) { - int ret, n, h; - char topbuf[512]; - char name[256]; - int accept_fd; - struct sockaddr_in client_address; + int ret, n, h; + char topbuf[512]; + char name[256]; + int accept_fd; + struct sockaddr_in client_address; #ifndef _WIN32 - signal(SIGPIPE, SIG_IGN); - signal(SIGHUP, SIG_IGN); - signal(SIGTERM, terminate); - if (signal(SIGINT, terminate) == SIG_IGN) - signal(SIGINT, SIG_IGN); /* e.g. background process */ + signal(SIGPIPE, SIG_IGN); + signal(SIGHUP, SIG_IGN); + signal(SIGTERM, terminate); + if (signal(SIGINT, terminate) == SIG_IGN) + signal(SIGINT, SIG_IGN); /* e.g. background process */ #endif - sockets_init(); + sockets_init(); - gaa_parser(argc, argv); + gaa_parser(argc, argv); - if (nodb == 0) - wrap_db_init(); + if (nodb == 0) + wrap_db_init(); - if (http == 1) { - strcpy(name, "HTTP Server"); - } else { - strcpy(name, "Echo Server"); - } + if (http == 1) { + strcpy(name, "HTTP Server"); + } else { + strcpy(name, "Echo Server"); + } - if ((ret=gnutls_global_init()) < 0) { + if ((ret = gnutls_global_init()) < 0) { fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret)); exit(1); - } - gnutls_global_set_log_function( tls_log_func); - gnutls_global_set_log_level(debug); + } + gnutls_global_set_log_function(tls_log_func); + gnutls_global_set_log_level(debug); - if ((ret=gnutls_global_init_extra()) < 0) { - fprintf(stderr, - "global_init_extra: %s\n", gnutls_strerror(ret)); - exit(1); - } - - /* Note that servers must generate parameters for - * Diffie Hellman. See gnutls_dh_params_generate(), and - * gnutls_dh_params_set(). - */ - if (generate != 0) { - generate_rsa_params(); - generate_dh_primes(); - } - - if (dh_params_file) { - read_dh_params(); - } - - if (gnutls_certificate_allocate_credentials(&cert_cred) < 0) { - fprintf(stderr, "memory error\n"); - exit(1); - } - - if (x509_cafile != NULL) { - if ((ret = gnutls_certificate_set_x509_trust_file - (cert_cred, x509_cafile, x509ctype)) < 0) { - fprintf(stderr, "Error reading '%s'\n", x509_cafile); - GERR(ret); - exit(1); - } else { - printf("Processed %d CA certificate(s).\n", ret); - } - } + if ((ret = gnutls_global_init_extra()) < 0) { + fprintf(stderr, "global_init_extra: %s\n", gnutls_strerror(ret)); + exit(1); + } + + /* Note that servers must generate parameters for + * Diffie Hellman. See gnutls_dh_params_generate(), and + * gnutls_dh_params_set(). + */ + if (generate != 0) { + generate_rsa_params(); + generate_dh_primes(); + } + + if (dh_params_file) { + read_dh_params(); + } + + if (gnutls_certificate_allocate_credentials(&cert_cred) < 0) { + fprintf(stderr, "memory error\n"); + exit(1); + } + if (x509_cafile != NULL) { + if ((ret = gnutls_certificate_set_x509_trust_file + (cert_cred, x509_cafile, x509ctype)) < 0) { + fprintf(stderr, "Error reading '%s'\n", x509_cafile); + GERR(ret); + exit(1); + } else { + printf("Processed %d CA certificate(s).\n", ret); + } + } #ifdef ENABLE_PKI - if (x509_crlfile != NULL) { - if ((ret = gnutls_certificate_set_x509_crl_file - (cert_cred, x509_crlfile, x509ctype)) < 0) { - fprintf(stderr, "Error reading '%s'\n", x509_crlfile); - GERR(ret); - exit(1); - } else { - printf("Processed %d CRL(s).\n", ret); - } - } + if (x509_crlfile != NULL) { + if ((ret = gnutls_certificate_set_x509_crl_file + (cert_cred, x509_crlfile, x509ctype)) < 0) { + fprintf(stderr, "Error reading '%s'\n", x509_crlfile); + GERR(ret); + exit(1); + } else { + printf("Processed %d CRL(s).\n", ret); + } + } #endif #ifdef USE_OPENPGP - if (pgp_keyring != NULL) { - ret = - gnutls_certificate_set_openpgp_keyring_file(cert_cred, - pgp_keyring); - if (ret < 0) { - fprintf(stderr, "Error setting the OpenPGP keyring file\n"); - GERR(ret); - } - } - - if (pgp_trustdb != NULL) { - ret = gnutls_certificate_set_openpgp_trustdb(cert_cred, pgp_trustdb); - if (ret < 0) { - fprintf(stderr, "Error setting the OpenPGP trustdb file\n"); - GERR(ret); - } - } - - if (pgp_certfile != NULL) - if ((ret = gnutls_certificate_set_openpgp_key_file - (cert_cred, pgp_certfile, pgp_keyfile)) < 0) { - fprintf(stderr, - "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n", - ret, pgp_certfile, pgp_keyfile); - GERR(ret); - } + if (pgp_keyring != NULL) { + ret = + gnutls_certificate_set_openpgp_keyring_file(cert_cred, + pgp_keyring); + if (ret < 0) { + fprintf(stderr, "Error setting the OpenPGP keyring file\n"); + GERR(ret); + } + } + + if (pgp_trustdb != NULL) { + ret = + gnutls_certificate_set_openpgp_trustdb(cert_cred, pgp_trustdb); + if (ret < 0) { + fprintf(stderr, "Error setting the OpenPGP trustdb file\n"); + GERR(ret); + } + } + + if (pgp_certfile != NULL) + if ((ret = gnutls_certificate_set_openpgp_key_file + (cert_cred, pgp_certfile, pgp_keyfile)) < 0) { + fprintf(stderr, + "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n", + ret, pgp_certfile, pgp_keyfile); + GERR(ret); + } #endif - if (x509_certfile != NULL) - if ((ret = gnutls_certificate_set_x509_key_file - (cert_cred, x509_certfile, x509_keyfile, x509ctype)) < 0) { - fprintf(stderr, - "Error reading '%s' or '%s'\n", x509_certfile, - x509_keyfile); - GERR(ret); - exit(1); - } - - if (x509_dsacertfile != NULL) - if ((ret = gnutls_certificate_set_x509_key_file - (cert_cred, x509_dsacertfile, x509_dsakeyfile, x509ctype)) < 0) { - fprintf(stderr, - "Error reading '%s' or '%s'\n", x509_dsacertfile, - x509_dsakeyfile); - GERR(ret); - exit(1); - } - - if (generate != 0 || read_dh_params != NULL) { - gnutls_certificate_set_params_function( cert_cred, get_params); + if (x509_certfile != NULL) + if ((ret = gnutls_certificate_set_x509_key_file + (cert_cred, x509_certfile, x509_keyfile, x509ctype)) < 0) { + fprintf(stderr, + "Error reading '%s' or '%s'\n", x509_certfile, + x509_keyfile); + GERR(ret); + exit(1); + } + + if (x509_dsacertfile != NULL) + if ((ret = gnutls_certificate_set_x509_key_file + (cert_cred, x509_dsacertfile, x509_dsakeyfile, + x509ctype)) < 0) { + fprintf(stderr, "Error reading '%s' or '%s'\n", + x509_dsacertfile, x509_dsakeyfile); + GERR(ret); + exit(1); + } + + if (generate != 0 || read_dh_params != NULL) { + gnutls_certificate_set_params_function(cert_cred, get_params); /* gnutls_certificate_set_dh_params(cert_cred, dh_params); * gnutls_certificate_set_rsa_export_params(cert_cred, rsa_params); */ - } + } - /* this is a password file (created with the included srpcrypt utility) - * Read README.crypt prior to using SRP. - */ + /* this is a password file (created with the included srpcrypt utility) + * Read README.crypt prior to using SRP. + */ #ifdef ENABLE_SRP - if (srp_passwd != NULL) { - gnutls_srp_allocate_server_credentials(&srp_cred); - - if ((ret = - gnutls_srp_set_server_credentials_file(srp_cred, srp_passwd, - srp_passwd_conf)) < 0) { - /* only exit is this function is not disabled - */ - fprintf(stderr, "Error while setting SRP parameters\n"); - GERR(ret); - } - } + if (srp_passwd != NULL) { + gnutls_srp_allocate_server_credentials(&srp_cred); + + if ((ret = + gnutls_srp_set_server_credentials_file(srp_cred, srp_passwd, + srp_passwd_conf)) < + 0) { + /* only exit is this function is not disabled + */ + fprintf(stderr, "Error while setting SRP parameters\n"); + GERR(ret); + } + } #endif #ifdef ENABLE_ANON - gnutls_anon_allocate_server_credentials(&dh_cred); - if (generate != 0) - gnutls_anon_set_params_function( dh_cred, get_params); + gnutls_anon_allocate_server_credentials(&dh_cred); + if (generate != 0) + gnutls_anon_set_params_function(dh_cred, get_params); /* gnutls_anon_set_server_dh_params(dh_cred, dh_params); */ #endif - h = listen_socket(name, port); - if (h < 0) - exit(1); + h = listen_socket(name, port); + if (h < 0) + exit(1); - for (;;) { - listener_item *j; - fd_set rd, wr; - int val; + for (;;) { + listener_item *j; + fd_set rd, wr; + int val; - FD_ZERO(&rd); - FD_ZERO(&wr); - n = 0; + FD_ZERO(&rd); + FD_ZERO(&wr); + n = 0; /* check for new incoming connections */ - FD_SET(h, &rd); - n = max(n, h); + FD_SET(h, &rd); + n = max(n, h); /* flag which connections we are reading or writing to within the fd sets */ - lloopstart(listener_list, j) { + lloopstart(listener_list, j) { #ifndef _WIN32 - val = fcntl(j->fd, F_GETFL, 0); - if ( (val == -1) || (fcntl(j->fd, F_SETFL, val | O_NONBLOCK) < 0) ) { - perror("fcntl()"); - exit(1); - } + val = fcntl(j->fd, F_GETFL, 0); + if ((val == -1) + || (fcntl(j->fd, F_SETFL, val | O_NONBLOCK) < 0)) { + perror("fcntl()"); + exit(1); + } #endif - if (j->http_state == HTTP_STATE_REQUEST) { - FD_SET(j->fd, &rd); - n = max(n, j->fd); - } - if (j->http_state == HTTP_STATE_RESPONSE) { - FD_SET(j->fd, &wr); - n = max(n, j->fd); - } - } - lloopend(listener_list, j); + if (j->http_state == HTTP_STATE_REQUEST) { + FD_SET(j->fd, &rd); + n = max(n, j->fd); + } + if (j->http_state == HTTP_STATE_RESPONSE) { + FD_SET(j->fd, &wr); + n = max(n, j->fd); + } + } + lloopend(listener_list, j); /* core operation */ - n = select(n + 1, &rd, &wr, NULL, NULL); - if (n == -1 && errno == EINTR) - continue; - if (n < 0) { - perror("select()"); - exit(1); - } + n = select(n + 1, &rd, &wr, NULL, NULL); + if (n == -1 && errno == EINTR) + continue; + if (n < 0) { + perror("select()"); + exit(1); + } /* a new connection has arrived */ - if (FD_ISSET(h, &rd)) { - unsigned int l; - gnutls_session tls_session; + if (FD_ISSET(h, &rd)) { + unsigned int l; + gnutls_session tls_session; - tls_session = initialize_session(); + tls_session = initialize_session(); - l = sizeof(client_address); - memset(&client_address, 0, l); - accept_fd = accept(h, (struct sockaddr *) &client_address, &l); + l = sizeof(client_address); + memset(&client_address, 0, l); + accept_fd = accept(h, (struct sockaddr *) &client_address, &l); - if (accept_fd < 0) { - perror("accept()"); - } else { - time_t tt; - char *ctt; + if (accept_fd < 0) { + perror("accept()"); + } else { + time_t tt; + char *ctt; /* new list entry for the connection */ - lappend(listener_list); - j = listener_list.tail; - j->http_request = (char *) strdup(""); - j->http_state = HTTP_STATE_REQUEST; - j->fd = accept_fd; - - j->tls_session = tls_session; - gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)accept_fd); - j->handshake_ok = 0; - - if (verbose == 0) { - tt = time(0); - ctt = ctime(&tt); - ctt[strlen(ctt) - 1] = 0; + lappend(listener_list); + j = listener_list.tail; + j->http_request = (char *) strdup(""); + j->http_state = HTTP_STATE_REQUEST; + j->fd = accept_fd; + + j->tls_session = tls_session; + gnutls_transport_set_ptr(tls_session, + (gnutls_transport_ptr) accept_fd); + j->handshake_ok = 0; + + if (verbose == 0) { + tt = time(0); + ctt = ctime(&tt); + ctt[strlen(ctt) - 1] = 0; /* printf("\n* connection from %s, port %d\n", @@ -800,254 +820,266 @@ int main(int argc, char **argv) sizeof(topbuf)), ntohs(client_address.sin_port)); */ + } } - } - } + } /* read or write to each connection as indicated by select()'s return argument */ - lloopstart(listener_list, j) { - if (FD_ISSET(j->fd, &rd)) { + lloopstart(listener_list, j) { + if (FD_ISSET(j->fd, &rd)) { /* read partial GET request */ - char buf[1024]; - int r, ret; - - if (j->handshake_ok == 0) { - r = gnutls_handshake(j->tls_session); - if (r < 0 && gnutls_error_is_fatal(r) == 0) { - check_alert(j->tls_session, r); - /* nothing */ - } else if (r < 0 && gnutls_error_is_fatal(r) == 1) { - fprintf(stderr, "Error in handshake\n"); - GERR(r); - - do { - ret = - gnutls_alert_send_appropriate(j->tls_session, r); - } while (ret == GNUTLS_E_AGAIN); - j->http_state = HTTP_STATE_CLOSING; - } else if (r == 0) { - if (gnutls_session_is_resumed(j->tls_session) != 0 - && verbose == 0) - printf("*** This is a resumed session\n"); - - if (verbose == 0) { - printf("\n* connection from %s, port %d\n", - inet_ntop(AF_INET, &client_address.sin_addr, - topbuf, sizeof(topbuf)), - ntohs(client_address.sin_port)); - print_info(j->tls_session, NULL); - } - j->handshake_ok = 1; - } - } - - if (j->handshake_ok == 1) { - r = gnutls_record_recv(j->tls_session, buf, - min(1024, SMALL_READ_TEST)); - if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN) { - /* do nothing */ - } else if (r <= 0) { - j->http_state = HTTP_STATE_CLOSING; - if (r < 0 && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH) { - check_alert(j->tls_session, r); - fprintf(stderr, "Error while receiving data\n"); - GERR(r); - } - - } else { - j->http_request = - realloc(j->http_request, j->request_length + r + 1); - if (j->http_request != NULL) { - memcpy(j->http_request + j->request_length, buf, r); - j->request_length += r; - j->http_request[j->request_length] = '\0'; - } else - j->http_state = HTTP_STATE_CLOSING; - - } + char buf[1024]; + int r, ret; + + if (j->handshake_ok == 0) { + r = gnutls_handshake(j->tls_session); + if (r < 0 && gnutls_error_is_fatal(r) == 0) { + check_alert(j->tls_session, r); + /* nothing */ + } else if (r < 0 && gnutls_error_is_fatal(r) == 1) { + fprintf(stderr, "Error in handshake\n"); + GERR(r); + + do { + ret = + gnutls_alert_send_appropriate(j-> + tls_session, + r); + } while (ret == GNUTLS_E_AGAIN); + j->http_state = HTTP_STATE_CLOSING; + } else if (r == 0) { + if (gnutls_session_is_resumed(j->tls_session) != 0 + && verbose == 0) + printf("*** This is a resumed session\n"); + + if (verbose == 0) { + printf("\n* connection from %s, port %d\n", + inet_ntop(AF_INET, + &client_address.sin_addr, + topbuf, sizeof(topbuf)), + ntohs(client_address.sin_port)); + print_info(j->tls_session, NULL); + } + j->handshake_ok = 1; + } + } + + if (j->handshake_ok == 1) { + r = gnutls_record_recv(j->tls_session, buf, + min(1024, SMALL_READ_TEST)); + if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN) { + /* do nothing */ + } else if (r <= 0) { + j->http_state = HTTP_STATE_CLOSING; + if (r < 0 + && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH) { + check_alert(j->tls_session, r); + fprintf(stderr, + "Error while receiving data\n"); + GERR(r); + } + + } else { + j->http_request = + realloc(j->http_request, + j->request_length + r + 1); + if (j->http_request != NULL) { + memcpy(j->http_request + j->request_length, + buf, r); + j->request_length += r; + j->http_request[j->request_length] = '\0'; + } else + j->http_state = HTTP_STATE_CLOSING; + + } /* check if we have a full HTTP header */ - j->http_response = NULL; - if (j->http_request != NULL) { - if ((http == 0 && strchr(j->http_request, '\n')) - || strstr(j->http_request, "\r\n\r\n") - || strstr(j->http_request, "\n\n")) { - get_response(j->tls_session, j->http_request, - &j->http_response, &j->response_length); - j->http_state = HTTP_STATE_RESPONSE; - j->response_written = 0; - } - } + j->http_response = NULL; + if (j->http_request != NULL) { + if ((http == 0 && strchr(j->http_request, '\n')) + || strstr(j->http_request, "\r\n\r\n") + || strstr(j->http_request, "\n\n")) { + get_response(j->tls_session, j->http_request, + &j->http_response, + &j->response_length); + j->http_state = HTTP_STATE_RESPONSE; + j->response_written = 0; + } + } + } } - } - if (FD_ISSET(j->fd, &wr)) { + if (FD_ISSET(j->fd, &wr)) { /* write partial response request */ - int r; - - if (j->handshake_ok == 0) { - r = gnutls_handshake(j->tls_session); - if (r < 0 && gnutls_error_is_fatal(r) == 0) { - check_alert(j->tls_session, r); - /* nothing */ - } else if (r < 0 && gnutls_error_is_fatal(r) == 1) { - int ret; - - j->http_state = HTTP_STATE_CLOSING; - fprintf(stderr, "Error in handshake\n"); - GERR(r); - - do { - ret = - gnutls_alert_send_appropriate(j->tls_session, r); - } while (ret == GNUTLS_E_AGAIN); - } else if (r == 0) { - if (gnutls_session_is_resumed(j->tls_session) != 0 - && verbose == 0) - printf("*** This is a resumed session\n"); - if (verbose == 0) { - printf("- connection from %s, port %d\n", - inet_ntop(AF_INET, &client_address.sin_addr, - topbuf, sizeof(topbuf)), - ntohs(client_address.sin_port)); - - print_info(j->tls_session, NULL); - } - j->handshake_ok = 1; - } - } + int r; + + if (j->handshake_ok == 0) { + r = gnutls_handshake(j->tls_session); + if (r < 0 && gnutls_error_is_fatal(r) == 0) { + check_alert(j->tls_session, r); + /* nothing */ + } else if (r < 0 && gnutls_error_is_fatal(r) == 1) { + int ret; - if (j->handshake_ok == 1) { - /* FIXME if j->http_response == NULL? */ - r = gnutls_record_send(j->tls_session, - j->http_response + - j->response_written, - min(j->response_length - - j->response_written, - SMALL_READ_TEST)); - if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN) { - /* do nothing */ - } else if (r <= 0) { - if (http != 0) - j->http_state = HTTP_STATE_CLOSING; - else { - j->http_state = HTTP_STATE_REQUEST; - free(j->http_response); - j->response_length = 0; - j->request_length = 0; - j->http_request[0] = 0; - } - - if (r < 0) { - fprintf(stderr, "Error while sending data\n"); - GERR(r); - } - check_alert(j->tls_session, r); - } else { - j->response_written += r; -/* check if we have written a complete response */ - if (j->response_written == j->response_length) { - if (http != 0) j->http_state = HTTP_STATE_CLOSING; - else { - j->http_state = HTTP_STATE_REQUEST; - free(j->http_response); - j->response_length = 0; - j->request_length = 0; - j->http_request[0] = 0; - } - } - } + fprintf(stderr, "Error in handshake\n"); + GERR(r); + + do { + ret = + gnutls_alert_send_appropriate(j-> + tls_session, + r); + } while (ret == GNUTLS_E_AGAIN); + } else if (r == 0) { + if (gnutls_session_is_resumed(j->tls_session) != 0 + && verbose == 0) + printf("*** This is a resumed session\n"); + if (verbose == 0) { + printf("- connection from %s, port %d\n", + inet_ntop(AF_INET, + &client_address.sin_addr, + topbuf, sizeof(topbuf)), + ntohs(client_address.sin_port)); + + print_info(j->tls_session, NULL); + } + j->handshake_ok = 1; + } + } + + if (j->handshake_ok == 1) { + /* FIXME if j->http_response == NULL? */ + r = gnutls_record_send(j->tls_session, + j->http_response + + j->response_written, + min(j->response_length - + j->response_written, + SMALL_READ_TEST)); + if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN) { + /* do nothing */ + } else if (r <= 0) { + if (http != 0) + j->http_state = HTTP_STATE_CLOSING; + else { + j->http_state = HTTP_STATE_REQUEST; + free(j->http_response); + j->response_length = 0; + j->request_length = 0; + j->http_request[0] = 0; + } + + if (r < 0) { + fprintf(stderr, "Error while sending data\n"); + GERR(r); + } + check_alert(j->tls_session, r); + } else { + j->response_written += r; +/* check if we have written a complete response */ + if (j->response_written == j->response_length) { + if (http != 0) + j->http_state = HTTP_STATE_CLOSING; + else { + j->http_state = HTTP_STATE_REQUEST; + free(j->http_response); + j->response_length = 0; + j->request_length = 0; + j->http_request[0] = 0; + } + } + } + } } - } - } - lloopend(listener_list, j); + } + lloopend(listener_list, j); /* loop through all connections, closing those that are in error */ - lloopstart(listener_list, j) { - if (j->http_state == HTTP_STATE_CLOSING) { - ldeleteinc(listener_list, j); - } - } - lloopend(listener_list, j); - } + lloopstart(listener_list, j) { + if (j->http_state == HTTP_STATE_CLOSING) { + ldeleteinc(listener_list, j); + } + } + lloopend(listener_list, j); + } - gnutls_certificate_free_credentials(cert_cred); + gnutls_certificate_free_credentials(cert_cred); #ifdef ENABLE_SRP - gnutls_srp_free_server_credentials(srp_cred); + gnutls_srp_free_server_credentials(srp_cred); #endif #ifdef ENABLE_ANON - gnutls_anon_free_server_credentials(dh_cred); + gnutls_anon_free_server_credentials(dh_cred); #endif - if (nodb == 0) - wrap_db_deinit(); - gnutls_global_deinit(); + if (nodb == 0) + wrap_db_deinit(); + gnutls_global_deinit(); - return 0; + return 0; } static gaainfo info; void gaa_parser(int argc, char **argv) { - if (gaa(argc, argv, &info) != -1) { - fprintf(stderr, - "Error in the arguments. Use the --help or -h parameters to get more information.\n"); - exit(1); - } - - debug = info.debug; - verbose = info.quiet; - nodb = info.nodb; - - if (info.http == 0) - http = 0; - else - http = 1; - - if (info.fmtder == 0) - x509ctype = GNUTLS_X509_FMT_PEM; - else - x509ctype = GNUTLS_X509_FMT_DER; - - if (info.generate == 0) - generate = 0; - else - generate = 1; - - dh_params_file = info.dh_params_file; - - port = info.port; - - x509_certfile = info.x509_certfile; - x509_keyfile = info.x509_keyfile; - x509_dsacertfile = info.x509_dsacertfile; - x509_dsakeyfile = info.x509_dsakeyfile; - x509_cafile = info.x509_cafile; - x509_crlfile = info.x509_crlfile; - pgp_certfile = info.pgp_certfile; - pgp_keyfile = info.pgp_keyfile; - srp_passwd = info.srp_passwd; - srp_passwd_conf = info.srp_passwd_conf; - - pgp_keyring = info.pgp_keyring; - pgp_trustdb = info.pgp_trustdb; - - parse_protocols(info.proto, info.nproto, protocol_priority); - parse_ciphers(info.ciphers, info.nciphers, cipher_priority); - parse_macs(info.macs, info.nmacs, mac_priority); - parse_ctypes(info.ctype, info.nctype, cert_type_priority); - parse_kx(info.kx, info.nkx, kx_priority); - parse_comp(info.comp, info.ncomp, comp_priority); + if (gaa(argc, argv, &info) != -1) { + fprintf(stderr, + "Error in the arguments. Use the --help or -h parameters to get more information.\n"); + exit(1); + } + + debug = info.debug; + verbose = info.quiet; + nodb = info.nodb; + + if (info.http == 0) + http = 0; + else + http = 1; + + if (info.fmtder == 0) + x509ctype = GNUTLS_X509_FMT_PEM; + else + x509ctype = GNUTLS_X509_FMT_DER; + + if (info.generate == 0) + generate = 0; + else + generate = 1; + + dh_params_file = info.dh_params_file; + + port = info.port; + + x509_certfile = info.x509_certfile; + x509_keyfile = info.x509_keyfile; + x509_dsacertfile = info.x509_dsacertfile; + x509_dsakeyfile = info.x509_dsakeyfile; + x509_cafile = info.x509_cafile; + x509_crlfile = info.x509_crlfile; + pgp_certfile = info.pgp_certfile; + pgp_keyfile = info.pgp_keyfile; + srp_passwd = info.srp_passwd; + srp_passwd_conf = info.srp_passwd_conf; + + pgp_keyring = info.pgp_keyring; + pgp_trustdb = info.pgp_trustdb; + + parse_protocols(info.proto, info.nproto, protocol_priority); + parse_ciphers(info.ciphers, info.nciphers, cipher_priority); + parse_macs(info.macs, info.nmacs, mac_priority); + parse_ctypes(info.ctype, info.nctype, cert_type_priority); + parse_kx(info.kx, info.nkx, kx_priority); + parse_comp(info.comp, info.ncomp, comp_priority); } void serv_version(void) { - fprintf(stderr, "GNU TLS test server, "); - fprintf(stderr, "version %s. Libgnutls %s.\n", LIBGNUTLS_VERSION, gnutls_check_version(NULL)); + fprintf(stderr, "GNU TLS test server, "); + fprintf(stderr, "version %s. Libgnutls %s.\n", LIBGNUTLS_VERSION, + gnutls_check_version(NULL)); } /* session resuming support */ @@ -1056,11 +1088,11 @@ void serv_version(void) #define SESSION_DATA_SIZE 3*1024 typedef struct { - char session_id[SESSION_ID_SIZE]; - unsigned int session_id_size; + char session_id[SESSION_ID_SIZE]; + unsigned int session_id_size; - char session_data[SESSION_DATA_SIZE]; - unsigned int session_data_size; + char session_data[SESSION_DATA_SIZE]; + unsigned int session_data_size; } CACHE; static CACHE *cache_db; @@ -1069,8 +1101,8 @@ int cache_db_ptr = 0; static void wrap_db_init(void) { - /* allocate cache_db */ - cache_db = calloc(1, ssl_session_cache * sizeof(CACHE)); + /* allocate cache_db */ + cache_db = calloc(1, ssl_session_cache * sizeof(CACHE)); } static void wrap_db_deinit(void) @@ -1080,89 +1112,89 @@ static void wrap_db_deinit(void) static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data) { - if (cache_db == NULL) - return -1; + if (cache_db == NULL) + return -1; - if (key.size > SESSION_ID_SIZE) - return -1; - if (data.size > SESSION_DATA_SIZE) - return -1; + if (key.size > SESSION_ID_SIZE) + return -1; + if (data.size > SESSION_DATA_SIZE) + return -1; - memcpy(cache_db[cache_db_ptr].session_id, key.data, key.size); - cache_db[cache_db_ptr].session_id_size = key.size; + memcpy(cache_db[cache_db_ptr].session_id, key.data, key.size); + cache_db[cache_db_ptr].session_id_size = key.size; - memcpy(cache_db[cache_db_ptr].session_data, data.data, data.size); - cache_db[cache_db_ptr].session_data_size = data.size; + memcpy(cache_db[cache_db_ptr].session_data, data.data, data.size); + cache_db[cache_db_ptr].session_data_size = data.size; - cache_db_ptr++; - cache_db_ptr %= ssl_session_cache; + cache_db_ptr++; + cache_db_ptr %= ssl_session_cache; - return 0; + return 0; } static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key) { - gnutls_datum res = { NULL, 0 }; - int i; + gnutls_datum res = { NULL, 0 }; + int i; - if (cache_db == NULL) - return res; + if (cache_db == NULL) + return res; - for (i = 0; i < ssl_session_cache; i++) { - if (key.size == cache_db[i].session_id_size && - memcmp(key.data, cache_db[i].session_id, key.size) == 0) { + for (i = 0; i < ssl_session_cache; i++) { + if (key.size == cache_db[i].session_id_size && + memcmp(key.data, cache_db[i].session_id, key.size) == 0) { - res.size = cache_db[i].session_data_size; + res.size = cache_db[i].session_data_size; - res.data = gnutls_malloc(res.size); - if (res.data == NULL) - return res; + res.data = gnutls_malloc(res.size); + if (res.data == NULL) + return res; - memcpy(res.data, cache_db[i].session_data, res.size); + memcpy(res.data, cache_db[i].session_data, res.size); - return res; - } - } - return res; + return res; + } + } + return res; } static int wrap_db_delete(void *dbf, gnutls_datum key) { - int i; + int i; - if (cache_db == NULL) - return -1; + if (cache_db == NULL) + return -1; - for (i = 0; i < ssl_session_cache; i++) { - if (key.size == (unsigned int)cache_db[i].session_id_size && - memcmp(key.data, cache_db[i].session_id, key.size) == 0) { + for (i = 0; i < ssl_session_cache; i++) { + if (key.size == (unsigned int) cache_db[i].session_id_size && + memcmp(key.data, cache_db[i].session_id, key.size) == 0) { - cache_db[i].session_id_size = 0; - cache_db[i].session_data_size = 0; + cache_db[i].session_id_size = 0; + cache_db[i].session_data_size = 0; - return 0; - } - } + return 0; + } + } - return -1; + return -1; } void print_serv_license(void) { - fputs( "\nCopyright (C) 2001-2003 Paul Sheer, Nikos Mavroyanopoulos\n" - "\nCopyright (C) 2004 Free Software Foundation\n" - "This program is free software; you can redistribute it and/or modify \n" - "it under the terms of the GNU General Public License as published by \n" - "the Free Software Foundation; either version 2 of the License, or \n" - "(at your option) any later version. \n" "\n" - "This program is distributed in the hope that it will be useful, \n" - "but WITHOUT ANY WARRANTY; without even the implied warranty of \n" - "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \n" - "GNU General Public License for more details. \n" "\n" - "You should have received a copy of the GNU General Public License \n" - "along with this program; if not, write to the Free Software \n" - "Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.\n\n", stdout); + fputs("\nCopyright (C) 2001-2003 Paul Sheer, Nikos Mavroyanopoulos\n" + "\nCopyright (C) 2004 Free Software Foundation\n" + "This program is free software; you can redistribute it and/or modify \n" + "it under the terms of the GNU General Public License as published by \n" + "the Free Software Foundation; either version 2 of the License, or \n" + "(at your option) any later version. \n" "\n" + "This program is distributed in the hope that it will be useful, \n" + "but WITHOUT ANY WARRANTY; without even the implied warranty of \n" + "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \n" + "GNU General Public License for more details. \n" "\n" + "You should have received a copy of the GNU General Public License \n" + "along with this program; if not, write to the Free Software \n" + "Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.\n\n", + stdout); } - diff --git a/src/tests.c b/src/tests.c index 547ab392fe..87bcc4d861 100644 --- a/src/tests.c +++ b/src/tests.c @@ -50,58 +50,62 @@ int tls1_1_ok = 0; /* keep session info */ static char *session_data = NULL; static char session_id[32]; -static int session_data_size=0, session_id_size=0; -static int sfree=0; +static int session_data_size = 0, session_id_size = 0; +static int sfree = 0; static int handshake_output = 0; -int do_handshake( gnutls_session session) { -int ret, alert; - - do { - ret = gnutls_handshake(session); - } while (ret == GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - - handshake_output = ret; - - if (ret < 0 && verbose > 1) { - if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED - || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { - alert = gnutls_alert_get( session); - printf("\n"); - printf("*** Received alert [%d]: %s\n", - alert, gnutls_alert_get_name( alert)); - } - } - - if (ret < 0) return TEST_FAILED; - - gnutls_session_get_data(session, NULL, &session_data_size); - - if (sfree!=0) { - free(session_data); - sfree=0; - } - session_data = malloc(session_data_size); - sfree = 1; - if (session_data==NULL) { - fprintf(stderr, "Memory error\n"); - exit(1); - } - gnutls_session_get_data(session, session_data, &session_data_size); - - session_id_size = sizeof( session_id); - gnutls_session_get_id(session, session_id, &session_id_size); - - return TEST_SUCCEED; +int do_handshake(gnutls_session session) +{ + int ret, alert; + + do { + ret = gnutls_handshake(session); + } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + + handshake_output = ret; + + if (ret < 0 && verbose > 1) { + if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED + || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { + alert = gnutls_alert_get(session); + printf("\n"); + printf("*** Received alert [%d]: %s\n", + alert, gnutls_alert_get_name(alert)); + } + } + + if (ret < 0) + return TEST_FAILED; + + gnutls_session_get_data(session, NULL, &session_data_size); + + if (sfree != 0) { + free(session_data); + sfree = 0; + } + session_data = malloc(session_data_size); + sfree = 1; + if (session_data == NULL) { + fprintf(stderr, "Memory error\n"); + exit(1); + } + gnutls_session_get_data(session, session_data, &session_data_size); + + session_id_size = sizeof(session_id); + gnutls_session_get_id(session, session_id, &session_id_size); + + return TEST_SUCCEED; } static int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; static const int kx_priority[16] = - { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, GNUTLS_KX_ANON_DH, - GNUTLS_KX_RSA_EXPORT, 0 }; + { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, +GNUTLS_KX_ANON_DH, + GNUTLS_KX_RSA_EXPORT, 0 +}; static const int cipher_priority[16] = - { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_ARCFOUR_40, 0 }; + { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, +GNUTLS_CIPHER_ARCFOUR_40, 0 }; static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 }; static const int mac_priority[16] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 }; @@ -113,803 +117,858 @@ static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 }; #define ADD_ALL_PROTOCOLS(session) gnutls_protocol_set_priority(session, protocol_priority) #define ADD_ALL_CERTTYPES(session) gnutls_certificate_type_set_priority(session, cert_type_priority) -static void ADD_KX(gnutls_session session, int kx) { - static int _kx_priority[] = { 0, 0 }; - _kx_priority[0] = kx; +static void ADD_KX(gnutls_session session, int kx) +{ + static int _kx_priority[] = { 0, 0 }; + _kx_priority[0] = kx; - gnutls_kx_set_priority(session, _kx_priority); + gnutls_kx_set_priority(session, _kx_priority); } -static void ADD_KX2(gnutls_session session, int kx1, int kx2) { - static int _kx_priority[] = { 0, 0, 0 }; - _kx_priority[0] = kx1; - _kx_priority[1] = kx2; +static void ADD_KX2(gnutls_session session, int kx1, int kx2) +{ + static int _kx_priority[] = { 0, 0, 0 }; + _kx_priority[0] = kx1; + _kx_priority[1] = kx2; - gnutls_kx_set_priority(session, _kx_priority); + gnutls_kx_set_priority(session, _kx_priority); } -static void ADD_CIPHER(gnutls_session session, int cipher) { - static int _cipher_priority[] = { 0, 0 }; - _cipher_priority[0] = cipher; +static void ADD_CIPHER(gnutls_session session, int cipher) +{ + static int _cipher_priority[] = { 0, 0 }; + _cipher_priority[0] = cipher; - gnutls_cipher_set_priority(session, _cipher_priority); + gnutls_cipher_set_priority(session, _cipher_priority); } -static void ADD_CIPHER3(gnutls_session session, int cipher1, int cipher2, int cipher3) { - static int _cipher_priority[] = { 0, 0, 0, 0 }; - _cipher_priority[0] = cipher1; - _cipher_priority[1] = cipher2; - _cipher_priority[2] = cipher3; +static void ADD_CIPHER3(gnutls_session session, int cipher1, int cipher2, + int cipher3) +{ + static int _cipher_priority[] = { 0, 0, 0, 0 }; + _cipher_priority[0] = cipher1; + _cipher_priority[1] = cipher2; + _cipher_priority[2] = cipher3; - gnutls_cipher_set_priority(session, _cipher_priority); + gnutls_cipher_set_priority(session, _cipher_priority); } -static void ADD_MAC(gnutls_session session, int mac) { - static int _mac_priority[] = { 0, 0 }; - _mac_priority[0] = mac; +static void ADD_MAC(gnutls_session session, int mac) +{ + static int _mac_priority[] = { 0, 0 }; + _mac_priority[0] = mac; - gnutls_mac_set_priority(session, _mac_priority); + gnutls_mac_set_priority(session, _mac_priority); } -static void ADD_COMP(gnutls_session session, int c) { - static int _comp_priority[] = { 0, 0 }; - _comp_priority[0] = c; +static void ADD_COMP(gnutls_session session, int c) +{ + static int _comp_priority[] = { 0, 0 }; + _comp_priority[0] = c; - gnutls_compression_set_priority(session, _comp_priority); + gnutls_compression_set_priority(session, _comp_priority); } -static void ADD_CERTTYPE(gnutls_session session, int ctype) { - static int _ct_priority[] = { 0, 0 }; - _ct_priority[0] = ctype; +static void ADD_CERTTYPE(gnutls_session session, int ctype) +{ + static int _ct_priority[] = { 0, 0 }; + _ct_priority[0] = ctype; - gnutls_certificate_type_set_priority(session, _ct_priority); + gnutls_certificate_type_set_priority(session, _ct_priority); } -static void ADD_PROTOCOL(gnutls_session session, int protocol) +static void ADD_PROTOCOL(gnutls_session session, int protocol) { - static int _proto_priority[] = { 0, 0 }; - _proto_priority[0] = protocol; + static int _proto_priority[] = { 0, 0 }; + _proto_priority[0] = protocol; - gnutls_protocol_set_priority(session, _proto_priority); + gnutls_protocol_set_priority(session, _proto_priority); } static void ADD_PROTOCOL3(gnutls_session session, int p1, int p2, int p3) { - static int _proto_priority[] = { 0, 0, 0, 0 }; - _proto_priority[0] = p1; - _proto_priority[1] = p2; - _proto_priority[2] = p3; + static int _proto_priority[] = { 0, 0, 0, 0 }; + _proto_priority[0] = p1; + _proto_priority[1] = p2; + _proto_priority[2] = p3; - gnutls_protocol_set_priority(session, _proto_priority); + gnutls_protocol_set_priority(session, _proto_priority); } #ifdef ENABLE_SRP static int srp_detected; -int _test_srp_username_callback( gnutls_session session, unsigned int times, - char** username, char** password) +int _test_srp_username_callback(gnutls_session session, unsigned int times, + char **username, char **password) { - if (times == 1) { - srp_detected = 1; - } + if (times == 1) { + srp_detected = 1; + } - return -1; + return -1; } -test_code_t test_srp( gnutls_session session) { -int ret; +test_code_t test_srp(gnutls_session session) +{ + int ret; + + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + + ADD_KX(session, GNUTLS_KX_SRP); + srp_detected = 0; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); + gnutls_srp_set_client_credentials_function(srp_cred, + _test_srp_username_callback); - ADD_KX(session, GNUTLS_KX_SRP); - srp_detected = 0; - - gnutls_srp_set_client_credentials_function(srp_cred, - _test_srp_username_callback); + gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred); - gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred); + ret = do_handshake(session); - ret = do_handshake( session); - - gnutls_srp_set_client_credentials_function(srp_cred, NULL); - - if (srp_detected != 0) return TEST_SUCCEED; - else return TEST_FAILED; + gnutls_srp_set_client_credentials_function(srp_cred, NULL); + + if (srp_detected != 0) + return TEST_SUCCEED; + else + return TEST_FAILED; } #endif static int export_true = 0; -static gnutls_datum exp = { NULL, 0 }, mod = {NULL, 0}; +static gnutls_datum exp = { NULL, 0 }, mod = { +NULL, 0}; -test_code_t test_export( gnutls_session session) +test_code_t test_export(gnutls_session session) { -int ret; + int ret; - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); - ADD_KX(session, GNUTLS_KX_RSA_EXPORT); - ADD_CIPHER(session, GNUTLS_CIPHER_ARCFOUR_40); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + ADD_KX(session, GNUTLS_KX_RSA_EXPORT); + ADD_CIPHER(session, GNUTLS_CIPHER_ARCFOUR_40); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - ret = do_handshake( session); - - if (ret == TEST_SUCCEED) { - export_true = 1; - gnutls_rsa_export_get_pubkey( session, &exp, &mod); - } - - return ret; + ret = do_handshake(session); + + if (ret == TEST_SUCCEED) { + export_true = 1; + gnutls_rsa_export_get_pubkey(session, &exp, &mod); + } + + return ret; } -test_code_t test_export_info( gnutls_session session) -{ -int ret2, ret; -gnutls_datum exp2, mod2; -const char* print; - - if (verbose == 0 || export_true==0) return TEST_IGNORE; - - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - - ADD_KX(session, GNUTLS_KX_RSA_EXPORT); - ADD_CIPHER(session, GNUTLS_CIPHER_ARCFOUR_40); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - - if (ret == TEST_SUCCEED) { - ret2 = gnutls_rsa_export_get_pubkey( session, &exp2, &mod2); - if (ret2 >= 0) { - printf("\n"); - - print = raw_to_string( exp2.data, exp2.size); - if (print) - printf(" Exponent [%d bits]: %s\n", exp2.size*8, print); - - print = raw_to_string( mod2.data, mod2.size); - if (print) - printf(" Modulus [%d bits]: %s\n", mod2.size*8, print); - - if (mod2.size != mod.size || exp2.size != exp.size || - memcmp( mod2.data, mod.data, mod.size) != 0 || - memcmp( exp2.data, exp.data, exp.size) != 0) { - printf(" (server uses different public keys per connection)\n"); - } - } +test_code_t test_export_info(gnutls_session session) +{ + int ret2, ret; + gnutls_datum exp2, mod2; + const char *print; + + if (verbose == 0 || export_true == 0) + return TEST_IGNORE; + + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + + ADD_KX(session, GNUTLS_KX_RSA_EXPORT); + ADD_CIPHER(session, GNUTLS_CIPHER_ARCFOUR_40); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + + if (ret == TEST_SUCCEED) { + ret2 = gnutls_rsa_export_get_pubkey(session, &exp2, &mod2); + if (ret2 >= 0) { + printf("\n"); + + print = raw_to_string(exp2.data, exp2.size); + if (print) + printf(" Exponent [%d bits]: %s\n", exp2.size * 8, print); + + print = raw_to_string(mod2.data, mod2.size); + if (print) + printf(" Modulus [%d bits]: %s\n", mod2.size * 8, print); + + if (mod2.size != mod.size || exp2.size != exp.size || + memcmp(mod2.data, mod.data, mod.size) != 0 || + memcmp(exp2.data, exp.data, exp.size) != 0) { + printf + (" (server uses different public keys per connection)\n"); + } } - - return ret; - + } + + return ret; + } -static gnutls_datum pubkey = { NULL , 0 }; +static gnutls_datum pubkey = { NULL, 0 }; -test_code_t test_dhe( gnutls_session session) +test_code_t test_dhe(gnutls_session session) { -int ret; + int ret; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); - ADD_KX2(session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + ADD_KX2(session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - ret = do_handshake( session); - - gnutls_dh_get_pubkey( session, &pubkey); + ret = do_handshake(session); - return ret; + gnutls_dh_get_pubkey(session, &pubkey); + + return ret; } -test_code_t test_dhe_group( gnutls_session session) +test_code_t test_dhe_group(gnutls_session session) { -int ret, ret2; -gnutls_datum gen, prime, pubkey2; -const char* print; + int ret, ret2; + gnutls_datum gen, prime, pubkey2; + const char *print; - if (verbose == 0 || pubkey.data==NULL) return TEST_IGNORE; + if (verbose == 0 || pubkey.data == NULL) + return TEST_IGNORE; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); - ADD_KX2(session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + ADD_KX2(session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - ret = do_handshake( session); - - ret2 = gnutls_dh_get_group( session, &gen, &prime); - if (ret2 >= 0) { - printf("\n"); + ret = do_handshake(session); + + ret2 = gnutls_dh_get_group(session, &gen, &prime); + if (ret2 >= 0) { + printf("\n"); - print = raw_to_string( gen.data, gen.size); - if (print) - printf(" Generator [%d bits]: %s\n", gen.size*8, print); + print = raw_to_string(gen.data, gen.size); + if (print) + printf(" Generator [%d bits]: %s\n", gen.size * 8, print); - print = raw_to_string( prime.data, prime.size); - if (print) - printf(" Prime [%d bits]: %s\n", prime.size*8, print); + print = raw_to_string(prime.data, prime.size); + if (print) + printf(" Prime [%d bits]: %s\n", prime.size * 8, print); - gnutls_dh_get_pubkey( session, &pubkey2); - print = raw_to_string( pubkey2.data, pubkey2.size); - if (print) - printf(" Pubkey [%d bits]: %s\n", pubkey2.size*8, print); + gnutls_dh_get_pubkey(session, &pubkey2); + print = raw_to_string(pubkey2.data, pubkey2.size); + if (print) + printf(" Pubkey [%d bits]: %s\n", pubkey2.size * 8, print); - if (pubkey2.data && pubkey2.size == pubkey.size && - memcmp( pubkey.data, pubkey2.data, pubkey.size)==0) { - printf(" (public key seems to be static among sessions)\n"); - } + if (pubkey2.data && pubkey2.size == pubkey.size && + memcmp(pubkey.data, pubkey2.data, pubkey.size) == 0) { + printf(" (public key seems to be static among sessions)\n"); } - return ret; + } + return ret; } -test_code_t test_ssl3( gnutls_session session) +test_code_t test_ssl3(gnutls_session session) { -int ret; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_PROTOCOL(session, GNUTLS_SSL3); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - if (ret==TEST_SUCCEED) ssl3_ok = 1; - - return ret; + int ret; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_PROTOCOL(session, GNUTLS_SSL3); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + if (ret == TEST_SUCCEED) + ssl3_ok = 1; + + return ret; } -static int alrm=0; -void got_alarm(int k) +static int alrm = 0; +void got_alarm(int k) { - alrm = 1; + alrm = 1; } - -test_code_t test_bye( gnutls_session session) { -int ret; -char data[20]; -int old, secs = 6; + +test_code_t test_bye(gnutls_session session) +{ + int ret; + char data[20]; + int old, secs = 6; #ifndef _WIN32 - signal( SIGALRM, got_alarm); + signal(SIGALRM, got_alarm); #endif - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - if (ret==TEST_FAILED) return ret; - - ret = gnutls_bye( session, GNUTLS_SHUT_WR); - if (ret<0) return TEST_FAILED; - + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + if (ret == TEST_FAILED) + return ret; + + ret = gnutls_bye(session, GNUTLS_SHUT_WR); + if (ret < 0) + return TEST_FAILED; + #ifndef _WIN32 - old = siginterrupt( SIGALRM, 1); - alarm(secs); + old = siginterrupt(SIGALRM, 1); + alarm(secs); #else - setsockopt( gnutls_transport_get_ptr(session), SOL_SOCKET, SO_RCVTIMEO, (char*) &secs, sizeof(int)); + setsockopt(gnutls_transport_get_ptr(session), SOL_SOCKET, SO_RCVTIMEO, + (char *) &secs, sizeof(int)); #endif - - do { - ret = gnutls_record_recv( session, data, sizeof(data)); - } while( ret > 0); + + do { + ret = gnutls_record_recv(session, data, sizeof(data)); + } while (ret > 0); #ifndef _WIN32 - siginterrupt( SIGALRM, old); + siginterrupt(SIGALRM, old); #else - if (WSAGetLastError()==WSAETIMEDOUT || - WSAGetLastError() == WSAECONNABORTED) - alrm = 1; + if (WSAGetLastError() == WSAETIMEDOUT || + WSAGetLastError() == WSAECONNABORTED) + alrm = 1; #endif - if (ret==0) return TEST_SUCCEED; + if (ret == 0) + return TEST_SUCCEED; - if (alrm == 0) return TEST_UNSURE; - - return TEST_FAILED; -} + if (alrm == 0) + return TEST_UNSURE; + return TEST_FAILED; +} -test_code_t test_aes( gnutls_session session) { -int ret; - ADD_CIPHER(session, GNUTLS_CIPHER_AES_128_CBC); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - ret = do_handshake( session); - return ret; +test_code_t test_aes(gnutls_session session) +{ + int ret; + ADD_CIPHER(session, GNUTLS_CIPHER_AES_128_CBC); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + return ret; } -test_code_t test_openpgp1( gnutls_session session) { -int ret; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_CERTTYPE(session, GNUTLS_CRT_OPENPGP); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - if (ret==TEST_FAILED) return ret; +test_code_t test_openpgp1(gnutls_session session) +{ + int ret; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_CERTTYPE(session, GNUTLS_CRT_OPENPGP); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + if (ret == TEST_FAILED) + return ret; - if ( gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP) - return TEST_SUCCEED; + if (gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP) + return TEST_SUCCEED; - return TEST_FAILED; + return TEST_FAILED; } -test_code_t test_unknown_ciphersuites( gnutls_session session) { -int ret; - ADD_CIPHER3(session, GNUTLS_CIPHER_AES_128_CBC, +test_code_t test_unknown_ciphersuites(gnutls_session session) +{ + int ret; + ADD_CIPHER3(session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - return ret; + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + return ret; } -test_code_t test_md5( gnutls_session session) { -int ret; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_MAC(session, GNUTLS_MAC_MD5); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - return ret; +test_code_t test_md5(gnutls_session session) +{ + int ret; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_MAC(session, GNUTLS_MAC_MD5); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + return ret; } #ifdef HAVE_LIBZ -test_code_t test_zlib( gnutls_session session) { -int ret; - ADD_ALL_CIPHERS(session); - ADD_COMP(session, GNUTLS_COMP_ZLIB); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - return ret; +test_code_t test_zlib(gnutls_session session) +{ + int ret; + ADD_ALL_CIPHERS(session); + ADD_COMP(session, GNUTLS_COMP_ZLIB); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + return ret; } #endif -test_code_t test_lzo( gnutls_session session) { -int ret; - gnutls_handshake_set_private_extensions( session, 1); +test_code_t test_lzo(gnutls_session session) +{ + int ret; + gnutls_handshake_set_private_extensions(session, 1); - ADD_ALL_CIPHERS(session); - ADD_COMP(session, GNUTLS_COMP_LZO); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + ADD_ALL_CIPHERS(session); + ADD_COMP(session, GNUTLS_COMP_LZO); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - ret = do_handshake( session); + ret = do_handshake(session); - return ret; + return ret; } -test_code_t test_sha( gnutls_session session) +test_code_t test_sha(gnutls_session session) { -int ret; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_MAC(session, GNUTLS_MAC_SHA); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - return ret; + int ret; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_MAC(session, GNUTLS_MAC_SHA); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + return ret; } -test_code_t test_rmd( gnutls_session session) +test_code_t test_rmd(gnutls_session session) { -int ret; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_MAC(session, GNUTLS_MAC_RMD160); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - return ret; + int ret; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_MAC(session, GNUTLS_MAC_RMD160); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + return ret; } -test_code_t test_3des( gnutls_session session) +test_code_t test_3des(gnutls_session session) { -int ret; - ADD_CIPHER(session, GNUTLS_CIPHER_3DES_CBC); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - return ret; + int ret; + ADD_CIPHER(session, GNUTLS_CIPHER_3DES_CBC); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + return ret; } -test_code_t test_arcfour( gnutls_session session) { -int ret; - ADD_CIPHER(session, GNUTLS_CIPHER_ARCFOUR_128); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - return ret; +test_code_t test_arcfour(gnutls_session session) +{ + int ret; + ADD_CIPHER(session, GNUTLS_CIPHER_ARCFOUR_128); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + return ret; } -test_code_t test_arcfour_40( gnutls_session session) { -int ret; - ADD_CIPHER(session, GNUTLS_CIPHER_ARCFOUR_40); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - return ret; +test_code_t test_arcfour_40(gnutls_session session) +{ + int ret; + ADD_CIPHER(session, GNUTLS_CIPHER_ARCFOUR_40); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + return ret; } -test_code_t test_tls1( gnutls_session session) +test_code_t test_tls1(gnutls_session session) { -int ret; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_PROTOCOL(session, GNUTLS_TLS1); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + int ret; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_PROTOCOL(session, GNUTLS_TLS1); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - ret = do_handshake( session); - if (ret==TEST_SUCCEED) tls1_ok = 1; + ret = do_handshake(session); + if (ret == TEST_SUCCEED) + tls1_ok = 1; - return ret; + return ret; } -test_code_t test_tls1_1( gnutls_session session) +test_code_t test_tls1_1(gnutls_session session) { -int ret; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_PROTOCOL(session, GNUTLS_TLS1_1); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + int ret; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_PROTOCOL(session, GNUTLS_TLS1_1); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - ret = do_handshake( session); - if (ret==TEST_SUCCEED) tls1_1_ok = 1; + ret = do_handshake(session); + if (ret == TEST_SUCCEED) + tls1_1_ok = 1; - return ret; + return ret; } -test_code_t test_tls1_1_fallback( gnutls_session session) +test_code_t test_tls1_1_fallback(gnutls_session session) { -int ret; - if (tls1_1_ok) return TEST_IGNORE; - - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_PROTOCOL3(session, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + int ret; + if (tls1_1_ok) + return TEST_IGNORE; + + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_PROTOCOL3(session, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + if (ret != TEST_SUCCEED) + return TEST_FAILED; - ret = do_handshake( session); - if (ret!=TEST_SUCCEED) return TEST_FAILED; + if (gnutls_protocol_get_version(session) == GNUTLS_TLS1) + return TEST_SUCCEED; + else if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) + return TEST_UNSURE; - if (gnutls_protocol_get_version( session)==GNUTLS_TLS1) - return TEST_SUCCEED; - else if (gnutls_protocol_get_version( session)==GNUTLS_SSL3) - return TEST_UNSURE; - - return TEST_FAILED; + return TEST_FAILED; } /* Advertize both TLS 1.0 and SSL 3.0. If the connection fails, * but the previous SSL 3.0 test succeeded then disable TLS 1.0. */ -test_code_t test_tls_disable( gnutls_session session) { -int ret; - if (tls1_ok!=0) return TEST_IGNORE; - - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - if (ret==TEST_FAILED) { - /* disable TLS 1.0 */ - if (ssl3_ok!=0) { - protocol_priority[0] = GNUTLS_SSL3; - protocol_priority[1] = 0; - } +test_code_t test_tls_disable(gnutls_session session) +{ + int ret; + if (tls1_ok != 0) + return TEST_IGNORE; + + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + if (ret == TEST_FAILED) { + /* disable TLS 1.0 */ + if (ssl3_ok != 0) { + protocol_priority[0] = GNUTLS_SSL3; + protocol_priority[1] = 0; } - return ret; + } + return ret; } -test_code_t test_rsa_pms( gnutls_session session) { -int ret; - - /* here we enable both SSL 3.0 and TLS 1.0 - * and try to connect and use rsa authentication. - * If the server is old, buggy and only supports - * SSL 3.0 then the handshake will fail. - */ - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_KX(session, GNUTLS_KX_RSA); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake( session); - if (ret == TEST_FAILED) return TEST_FAILED; +test_code_t test_rsa_pms(gnutls_session session) +{ + int ret; + + /* here we enable both SSL 3.0 and TLS 1.0 + * and try to connect and use rsa authentication. + * If the server is old, buggy and only supports + * SSL 3.0 then the handshake will fail. + */ + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_KX(session, GNUTLS_KX_RSA); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + if (ret == TEST_FAILED) + return TEST_FAILED; - if (gnutls_protocol_get_version(session)==GNUTLS_TLS1) return TEST_SUCCEED; - return TEST_UNSURE; + if (gnutls_protocol_get_version(session) == GNUTLS_TLS1) + return TEST_SUCCEED; + return TEST_UNSURE; } -test_code_t test_max_record_size( gnutls_session session) { -int ret; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - gnutls_record_set_max_size( session, 512); +test_code_t test_max_record_size(gnutls_session session) +{ + int ret; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_record_set_max_size(session, 512); + + ret = do_handshake(session); + if (ret == TEST_FAILED) + return ret; - ret = do_handshake( session); - if (ret == TEST_FAILED) return ret; + ret = gnutls_record_get_max_size(session); + if (ret == 512) + return TEST_SUCCEED; - ret = gnutls_record_get_max_size(session); - if (ret==512) return TEST_SUCCEED; - - return TEST_FAILED; + return TEST_FAILED; } -test_code_t test_hello_extension( gnutls_session session) { -int ret; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - gnutls_record_set_max_size( session, 512); +test_code_t test_hello_extension(gnutls_session session) +{ + int ret; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_record_set_max_size(session, 512); + + ret = do_handshake(session); + return ret; +} - ret = do_handshake( session); +void _gnutls_record_set_default_version(gnutls_session session, + unsigned char major, + unsigned char minor); + +test_code_t test_version_rollback(gnutls_session session) +{ + int ret; + if (tls1_ok == 0) + return TEST_IGNORE; + + /* here we enable both SSL 3.0 and TLS 1.0 + * and we connect using a 3.1 client hello version, + * and a 3.0 record version. Some implementations + * are buggy (and vulnerable to man in the middle + * attacks which allow a version downgrade) and this + * connection will fail. + */ + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + _gnutls_record_set_default_version(session, 3, 0); + + ret = do_handshake(session); + if (ret != TEST_SUCCEED) return ret; -} -void _gnutls_record_set_default_version(gnutls_session session, unsigned char major, - unsigned char minor); - -test_code_t test_version_rollback( gnutls_session session) -{ -int ret; - if (tls1_ok==0) return TEST_IGNORE; - - /* here we enable both SSL 3.0 and TLS 1.0 - * and we connect using a 3.1 client hello version, - * and a 3.0 record version. Some implementations - * are buggy (and vulnerable to man in the middle - * attacks which allow a version downgrade) and this - * connection will fail. - */ - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - _gnutls_record_set_default_version( session, 3, 0); - - ret = do_handshake( session); - if (ret!=TEST_SUCCEED) return ret; - - if (tls1_ok!=0 && gnutls_protocol_get_version( session)==GNUTLS_SSL3) - return TEST_FAILED; - - return TEST_SUCCEED; + if (tls1_ok != 0 + && gnutls_protocol_get_version(session) == GNUTLS_SSL3) + return TEST_FAILED; + + return TEST_SUCCEED; } /* See if the server tolerates out of bounds * record layer versions in the first client hello * message. */ -test_code_t test_version_oob( gnutls_session session) { -int ret; - /* here we enable both SSL 3.0 and TLS 1.0 - * and we connect using a 5.5 record version. - */ - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - _gnutls_record_set_default_version( session, 5, 5); - - ret = do_handshake( session); - return ret; +test_code_t test_version_oob(gnutls_session session) +{ + int ret; + /* here we enable both SSL 3.0 and TLS 1.0 + * and we connect using a 5.5 record version. + */ + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + _gnutls_record_set_default_version(session, 5, 5); + + ret = do_handshake(session); + return ret; } -void _gnutls_rsa_pms_set_version(gnutls_session session, unsigned char major, - unsigned char minor); +void _gnutls_rsa_pms_set_version(gnutls_session session, + unsigned char major, unsigned char minor); -test_code_t test_rsa_pms_version_check( gnutls_session session) +test_code_t test_rsa_pms_version_check(gnutls_session session) { -int ret; - /* here we use an arbitary version in the RSA PMS - * to see whether to server will check this version. - * - * A normal server would abort this handshake. - */ - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - _gnutls_rsa_pms_set_version( session, 5, 5); /* use SSL 5.5 version */ - - ret = do_handshake( session); - return ret; + int ret; + /* here we use an arbitary version in the RSA PMS + * to see whether to server will check this version. + * + * A normal server would abort this handshake. + */ + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + _gnutls_rsa_pms_set_version(session, 5, 5); /* use SSL 5.5 version */ + + ret = do_handshake(session); + return ret; } #ifdef ENABLE_ANON -test_code_t test_anonymous( gnutls_session session) { -int ret; +test_code_t test_anonymous(gnutls_session session) +{ + int ret; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_KX(session, GNUTLS_KX_ANON_DH); - gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred); + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_KX(session, GNUTLS_KX_ANON_DH); + gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred); - ret = do_handshake( session); + ret = do_handshake(session); - if (ret == TEST_SUCCEED) - gnutls_dh_get_pubkey( session, &pubkey); + if (ret == TEST_SUCCEED) + gnutls_dh_get_pubkey(session, &pubkey); - return ret; + return ret; } #endif -test_code_t test_session_resume2( gnutls_session session) +test_code_t test_session_resume2(gnutls_session session) { -int ret; -char tmp_session_id[32]; -int tmp_session_id_size; + int ret; + char tmp_session_id[32]; + int tmp_session_id_size; - if (session == NULL) return TEST_IGNORE; - - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); + if (session == NULL) + return TEST_IGNORE; - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred); + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); - gnutls_session_set_data(session, session_data, session_data_size); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred); - memcpy( tmp_session_id, session_id, session_id_size); - tmp_session_id_size = session_id_size; + gnutls_session_set_data(session, session_data, session_data_size); - ret = do_handshake( session); - if (ret == TEST_FAILED) return ret; + memcpy(tmp_session_id, session_id, session_id_size); + tmp_session_id_size = session_id_size; - /* check if we actually resumed the previous session */ + ret = do_handshake(session); + if (ret == TEST_FAILED) + return ret; - session_id_size = sizeof(session_id); - gnutls_session_get_id(session, session_id, &session_id_size); + /* check if we actually resumed the previous session */ - if (gnutls_session_is_resumed( session)) return TEST_SUCCEED; + session_id_size = sizeof(session_id); + gnutls_session_get_id(session, session_id, &session_id_size); - if (memcmp(tmp_session_id, session_id, tmp_session_id_size) == 0) - return TEST_SUCCEED; - else - return TEST_FAILED; + if (gnutls_session_is_resumed(session)) + return TEST_SUCCEED; + + if (memcmp(tmp_session_id, session_id, tmp_session_id_size) == 0) + return TEST_SUCCEED; + else + return TEST_FAILED; } -extern char* hostname; +extern char *hostname; -test_code_t test_certificate( gnutls_session session) +test_code_t test_certificate(gnutls_session session) { -int ret; + int ret; - if (verbose == 0) return TEST_IGNORE; + if (verbose == 0) + return TEST_IGNORE; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - ret = do_handshake( session); - if (ret == TEST_FAILED) return ret; + ret = do_handshake(session); + if (ret == TEST_FAILED) + return ret; - printf("\n"); - print_cert_info( session, hostname); + printf("\n"); + print_cert_info(session, hostname); - return TEST_SUCCEED; + return TEST_SUCCEED; } /* A callback function to be used at the certificate selection time. @@ -919,59 +978,60 @@ static int cert_callback(gnutls_session session, const gnutls_pk_algorithm * sign_algos, int sign_algos_length, gnutls_retr_st * st) { -char issuer_dn[256]; -int i, ret; -size_t len; + char issuer_dn[256]; + int i, ret; + size_t len; - if (verbose == 0) return -1; + if (verbose == 0) + return -1; - /* Print the server's trusted CAs - */ - printf("\n"); - if (nreqs > 0) - printf("- Server's trusted authorities:\n"); - else - printf("- Server did not send us any trusted authorities names.\n"); - - /* print the names (if any) */ - for (i=0;i<nreqs;i++) { - len = sizeof(issuer_dn); - ret = gnutls_x509_rdn_get( &req_ca_rdn[i], issuer_dn, &len); - if ( ret >= 0) { - printf(" [%d]: ", i); - printf("%s\n", issuer_dn); - } + /* Print the server's trusted CAs + */ + printf("\n"); + if (nreqs > 0) + printf("- Server's trusted authorities:\n"); + else + printf + ("- Server did not send us any trusted authorities names.\n"); + + /* print the names (if any) */ + for (i = 0; i < nreqs; i++) { + len = sizeof(issuer_dn); + ret = gnutls_x509_rdn_get(&req_ca_rdn[i], issuer_dn, &len); + if (ret >= 0) { + printf(" [%d]: ", i); + printf("%s\n", issuer_dn); } + } - return -1; + return -1; } /* Prints the trusted server's CAs. This is only * if the server sends a certificate request packet. */ -test_code_t test_server_cas( gnutls_session session) +test_code_t test_server_cas(gnutls_session session) { -int ret; + int ret; - if (verbose == 0) return TEST_IGNORE; + if (verbose == 0) + return TEST_IGNORE; - ADD_ALL_CIPHERS(session); - ADD_ALL_COMP(session); - ADD_ALL_CERTTYPES(session); - ADD_ALL_PROTOCOLS(session); - ADD_ALL_MACS(session); - ADD_ALL_KX(session); + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - gnutls_certificate_client_set_retrieve_function( xcred, cert_callback); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_certificate_client_set_retrieve_function(xcred, cert_callback); - ret = do_handshake( session); - gnutls_certificate_client_set_retrieve_function( xcred, NULL); + ret = do_handshake(session); + gnutls_certificate_client_set_retrieve_function(xcred, NULL); - if (ret ==TEST_FAILED) return ret; - return TEST_SUCCEED; + if (ret == TEST_FAILED) + return ret; + return TEST_SUCCEED; } - - - diff --git a/src/tls_test-gaa.c b/src/tls_test-gaa.c index 2bf9b9737e..a097e46ba1 100644 --- a/src/tls_test-gaa.c +++ b/src/tls_test-gaa.c @@ -21,119 +21,107 @@ #endif #endif -static void* gaa_malloc( size_t size) { -void* ret; - ret = malloc(size); - if (ret==NULL) { - fprintf(stderr, "gaa: could not allocate memory"); - exit(1); - } - return ret; +static void *gaa_malloc(size_t size) +{ + void *ret; + ret = malloc(size); + if (ret == NULL) { + fprintf(stderr, "gaa: could not allocate memory"); + exit(1); + } + return ret; } -static void __gaa_helpsingle(char short_name, char *name, - char *arg_desc, char *opt_help) +static void __gaa_helpsingle(char short_name, char *name, + char *arg_desc, char *opt_help) { - int col1, col3, col4, tabsize = 3, curr; - int i; - - col1 = 5; /* Default values */ - col3 = 30; - col4 = 70; - - curr = 0; - for(i = 0; i < col1; i++) - { - printf(" "); - curr++; - } - if(short_name) - { - if(name && *name) - { - printf("-%c, ", short_name); - curr += 4; - } - else - { - printf("-%c ", short_name); - curr += 3; - } - } - if(name && *name) - { - printf("--%s ", name); - curr += 3 + strlen(name); - } - if(arg_desc && *arg_desc) - { - printf("%s ", arg_desc); - curr += 1 + strlen(arg_desc); - } - if(curr >= col3) - { - printf("\n"); - curr = 0; - } - if(opt_help) /* let's print the option's help body */ - { - const char *str = opt_help; - while(*str) - { - while(curr < col3) - { - printf(" "); - curr++; - } - switch(*str) - { - case '\n': - printf("\n"); - curr = 0; - break; - case '\t': - do - { - printf(" "); - curr++; - } - while((curr - col3) % tabsize != 0 && curr < col4); - case ' ': - if(*str == ' ') - { - curr++; - printf(" "); - } - for(i = 1; str[i] && str[i] != ' ' && str[i] != '\n' - && str[i] != '\t'; i++); - if(curr + i - 1 >= col4) - curr = col4; - break; - default: - printf("%c", *str); - curr++; - } - if(curr >= col4) - { - printf("\n"); - curr = 0; - } - str++; - } - } - printf("\n"); + int col1, col3, col4, tabsize = 3, curr; + int i; + + col1 = 5; /* Default values */ + col3 = 30; + col4 = 70; + + curr = 0; + for (i = 0; i < col1; i++) { + printf(" "); + curr++; + } + if (short_name) { + if (name && *name) { + printf("-%c, ", short_name); + curr += 4; + } else { + printf("-%c ", short_name); + curr += 3; + } + } + if (name && *name) { + printf("--%s ", name); + curr += 3 + strlen(name); + } + if (arg_desc && *arg_desc) { + printf("%s ", arg_desc); + curr += 1 + strlen(arg_desc); + } + if (curr >= col3) { + printf("\n"); + curr = 0; + } + if (opt_help) { /* let's print the option's help body */ + const char *str = opt_help; + while (*str) { + while (curr < col3) { + printf(" "); + curr++; + } + switch (*str) { + case '\n': + printf("\n"); + curr = 0; + break; + case '\t': + do { + printf(" "); + curr++; + } + while ((curr - col3) % tabsize != 0 && curr < col4); + case ' ': + if (*str == ' ') { + curr++; + printf(" "); + } + for (i = 1; str[i] && str[i] != ' ' && str[i] != '\n' + && str[i] != '\t'; i++); + if (curr + i - 1 >= col4) + curr = col4; + break; + default: + printf("%c", *str); + curr++; + } + if (curr >= col4) { + printf("\n"); + curr = 0; + } + str++; + } + } + printf("\n"); } void gaa_help(void) { - printf("GNU TLS debug client\nUsage: gnutls-cli-debug [options] hostname\n\n\n"); - __gaa_helpsingle('p', "port", "integer ", "The port to connect to."); - __gaa_helpsingle('d', "debug", "integer ", "Enable debugging"); - __gaa_helpsingle('v', "verbose", "", "More verbose output"); - __gaa_helpsingle('h', "help", "", "prints this help"); + printf + ("GNU TLS debug client\nUsage: gnutls-cli-debug [options] hostname\n\n\n"); + __gaa_helpsingle('p', "port", "integer ", "The port to connect to."); + __gaa_helpsingle('d', "debug", "integer ", "Enable debugging"); + __gaa_helpsingle('v', "verbose", "", "More verbose output"); + __gaa_helpsingle('h', "help", "", "prints this help"); #line 100 "gaa.skel" } + /* Copy of C area */ #line 104 "gaa.skel" @@ -143,48 +131,40 @@ void gaa_help(void) typedef struct _gaainfo gaainfo; -struct _gaainfo -{ +struct _gaainfo { #line 26 "tls_test.gaa" - char *rest_args; + char *rest_args; #line 20 "tls_test.gaa" - int more_info; + int more_info; #line 17 "tls_test.gaa" - int debug; + int debug; #line 14 "tls_test.gaa" - int pp; + int pp; #line 114 "gaa.skel" }; #ifdef __cplusplus -extern "C" -{ +extern "C" { #endif - int gaa(int argc, char *argv[], gaainfo *gaaval); + int gaa(int argc, char *argv[], gaainfo * gaaval); void gaa_help(void); - - int gaa_file(const char *name, gaainfo *gaaval); - + + int gaa_file(const char *name, gaainfo * gaaval); + #ifdef __cplusplus } #endif - - #endif - #line 135 "gaa.skel" - /* C declarations */ - #define GAAERROR(x) \ { \ gaa_error = 1; \ return x; \ } - static char *gaa_current_option; static int gaa_error = 0; @@ -254,7 +234,7 @@ if(gaa_error == 1) \ { \ gaa_error = 0; \ return GAA_ERROR_INVALID_ARG; \ -} +} @@ -332,7 +312,7 @@ if(k == 0) \ printf("You must give at least one option of '%s'\n", str); \ return 0; \ } - + #define GAA_INCOMP(str) \ k = 0; \ for(i = 0; i < strlen(str); i++) \ @@ -351,7 +331,7 @@ if(k > 1) \ printf("The options '%s' are incompatible\n", str); \ return 0; \ } - + static char **GAAargv; static int GAAargc; @@ -363,25 +343,25 @@ static int gaa_getint(char *arg) { int tmp; char a; - if(sscanf(arg, "%d%c", &tmp, &a) < 1) - { - printf("Option %s: '%s' isn't an integer\n", gaa_current_option, arg); - GAAERROR(-1); + if (sscanf(arg, "%d%c", &tmp, &a) < 1) { + printf("Option %s: '%s' isn't an integer\n", gaa_current_option, + arg); + GAAERROR(-1); } return tmp; } static char gaa_getchar(char *arg) { - if(strlen(arg) != 1) - { - printf("Option %s: '%s' isn't an character\n", gaa_current_option, arg); - GAAERROR(-1); + if (strlen(arg) != 1) { + printf("Option %s: '%s' isn't an character\n", gaa_current_option, + arg); + GAAERROR(-1); } return arg[0]; } -static char* gaa_getstr(char *arg) +static char *gaa_getstr(char *arg) { return arg; } @@ -389,91 +369,89 @@ static float gaa_getfloat(char *arg) { float tmp; char a; - if(sscanf(arg, "%f%c", &tmp, &a) < 1) - { - printf("Option %s: '%s' isn't a float number\n", gaa_current_option, arg); - GAAERROR(-1); + if (sscanf(arg, "%f%c", &tmp, &a) < 1) { + printf("Option %s: '%s' isn't a float number\n", + gaa_current_option, arg); + GAAERROR(-1); } return tmp; } + /* option structures */ -struct GAAOPTION_debug -{ - int arg1; - int size1; +struct GAAOPTION_debug { + int arg1; + int size1; }; -struct GAAOPTION_port -{ - int arg1; - int size1; +struct GAAOPTION_port { + int arg1; + int size1; }; #define GAA_REST_EXISTS -struct GAAREST -{ - char* arg1; - int size1; +struct GAAREST { + char *arg1; + int size1; }; - + #line 349 "gaa.skel" static int gaa_is_an_argument(char *str) { #ifdef GAA_WIN32 - if(str[0] == '/' && str[1] != 0) + if (str[0] == '/' && str[1] != 0) return GAA_MULTIPLE_OPTION; #endif - if(str[0] != '-') - return GAA_NOT_AN_OPTION; - if(str[1] == 0) - return GAA_NOT_AN_OPTION; - if(str[1] == '-') - { - if(str[2] != 0) - return GAA_WORD_OPTION; - else - return GAA_NOT_AN_OPTION; + if (str[0] != '-') + return GAA_NOT_AN_OPTION; + if (str[1] == 0) + return GAA_NOT_AN_OPTION; + if (str[1] == '-') { + if (str[2] != 0) + return GAA_WORD_OPTION; + else + return GAA_NOT_AN_OPTION; } - if(str[2] == 0) - return GAA_LETTER_OPTION; + if (str[2] == 0) + return GAA_LETTER_OPTION; else - return GAA_MULTIPLE_OPTION; + return GAA_MULTIPLE_OPTION; } static int gaa_get_option_num(char *str, int status) { - switch(status) - { - case GAA_LETTER_OPTION: - GAA_CHECK1STR("d", GAAOPTID_debug); - GAA_CHECK1STR("p", GAAOPTID_port); - case GAA_MULTIPLE_OPTION: + switch (status) { + case GAA_LETTER_OPTION: + GAA_CHECK1STR("d", GAAOPTID_debug); + GAA_CHECK1STR("p", GAAOPTID_port); + case GAA_MULTIPLE_OPTION: #line 375 "gaa.skel" - GAA_CHECK1STR("h", GAAOPTID_help); - GAA_CHECK1STR("v", GAAOPTID_verbose); + GAA_CHECK1STR("h", GAAOPTID_help); + GAA_CHECK1STR("v", GAAOPTID_verbose); #line 277 "gaa.skel" - break; - case GAA_WORD_OPTION: - GAA_CHECKSTR("help", GAAOPTID_help); - GAA_CHECKSTR("verbose", GAAOPTID_verbose); - GAA_CHECKSTR("debug", GAAOPTID_debug); - GAA_CHECKSTR("port", GAAOPTID_port); + break; + case GAA_WORD_OPTION: + GAA_CHECKSTR("help", GAAOPTID_help); + GAA_CHECKSTR("verbose", GAAOPTID_verbose); + GAA_CHECKSTR("debug", GAAOPTID_debug); + GAA_CHECKSTR("port", GAAOPTID_port); #line 281 "gaa.skel" break; - default: break; - } + default: + break; + } return GAA_ERROR_NOMATCH; } -static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) +static int gaa_try(int gaa_num, int gaa_index, gaainfo * gaaval, + char *opt_list) { int OK = 0; int gaa_last_non_option; - struct GAAOPTION_debug GAATMP_debug; - struct GAAOPTION_port GAATMP_port; + struct GAAOPTION_debug GAATMP_debug; + struct GAAOPTION_port GAATMP_port; #line 393 "gaa.skel" #ifdef GAA_REST_EXISTS @@ -481,70 +459,81 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) #endif opt_list[gaa_num] = 1; - - for(gaa_last_non_option = gaa_index; - (gaa_last_non_option != GAAargc) && (gaa_is_an_argument(GAAargv[gaa_last_non_option]) == GAA_NOT_AN_OPTION); - gaa_last_non_option++); - - if(gaa_num == GAA_REST) - { - gaa_index = 1; - gaa_last_non_option = GAAargc; + + for (gaa_last_non_option = gaa_index; + (gaa_last_non_option != GAAargc) + && (gaa_is_an_argument(GAAargv[gaa_last_non_option]) == + GAA_NOT_AN_OPTION); gaa_last_non_option++); + + if (gaa_num == GAA_REST) { + gaa_index = 1; + gaa_last_non_option = GAAargc; } - - switch(gaa_num) - { - case GAAOPTID_help: + + switch (gaa_num) { + case GAAOPTID_help: OK = 0; #line 23 "tls_test.gaa" -{ gaa_help(); exit(0); ;}; + { + gaa_help(); + exit(0);; + }; - return GAA_OK; - break; - case GAAOPTID_verbose: + return GAA_OK; + break; + case GAAOPTID_verbose: OK = 0; #line 21 "tls_test.gaa" -{ gaaval->more_info += 1 ;}; + { + gaaval->more_info += 1; + }; - return GAA_OK; - break; - case GAAOPTID_debug: + return GAA_OK; + break; + case GAAOPTID_debug: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1); + gaa_index++; #line 18 "tls_test.gaa" -{ gaaval->debug = GAATMP_debug.arg1 ;}; + { + gaaval->debug = GAATMP_debug.arg1; + }; - return GAA_OK; - break; - case GAAOPTID_port: + return GAA_OK; + break; + case GAAOPTID_port: OK = 0; - GAA_TESTMOREARGS; - GAA_FILL(GAATMP_port.arg1, gaa_getint, GAATMP_port.size1); - gaa_index++; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_port.arg1, gaa_getint, GAATMP_port.size1); + gaa_index++; #line 15 "tls_test.gaa" -{ gaaval->pp = GAATMP_port.arg1 ;}; + { + gaaval->pp = GAATMP_port.arg1; + }; - return GAA_OK; - break; - case GAA_REST: - GAA_TESTMOREARGS; - GAA_FILL(GAAREST_tmp.arg1, gaa_getstr, GAAREST_tmp.size1); - gaa_index++; + return GAA_OK; + break; + case GAA_REST: + GAA_TESTMOREARGS; + GAA_FILL(GAAREST_tmp.arg1, gaa_getstr, GAAREST_tmp.size1); + gaa_index++; #line 27 "tls_test.gaa" -{ gaaval->rest_args = GAAREST_tmp.arg1; ;}; + { + gaaval->rest_args = GAAREST_tmp.arg1;; + }; - return GAA_OK; - break; + return GAA_OK; + break; #line 413 "gaa.skel" - default: break; + default: + break; } return GAA_ERROR_UNKNOWN; } -int gaa(int argc, char **argv, gaainfo *gaaval) +int gaa(int argc, char **argv, gaainfo * gaaval) { int tmp1, tmp2; int i, j; @@ -553,16 +542,19 @@ int gaa(int argc, char **argv, gaainfo *gaaval) GAAargv = argv; GAAargc = argc; - opt_list = (char*) gaa_malloc(GAA_NB_OPTION + 1); + opt_list = (char *) gaa_malloc(GAA_NB_OPTION + 1); - for(i = 0; i < GAA_NB_OPTION + 1; i++) - opt_list[i] = 0; + for (i = 0; i < GAA_NB_OPTION + 1; i++) + opt_list[i] = 0; /* initialization */ - if(inited == 0) - { + if (inited == 0) { #line 29 "tls_test.gaa" -{ gaaval->rest_args=NULL; gaaval->pp = 443; gaaval->more_info = 0; ;}; + { + gaaval->rest_args = NULL; + gaaval->pp = 443; + gaaval->more_info = 0;; + }; } inited = 1; @@ -570,186 +562,173 @@ int gaa(int argc, char **argv, gaainfo *gaaval) gaa_arg_used = NULL; if (argc > 0) { - gaa_arg_used = gaa_malloc(argc * sizeof(char)); + gaa_arg_used = gaa_malloc(argc * sizeof(char)); } - for(i = 1; i < argc; i++) - gaa_arg_used[i] = 0; - for(i = 1; i < argc; i++) - { - if(gaa_arg_used[i] == 0) - { - j = 0; - tmp1 = gaa_is_an_argument(GAAargv[i]); - switch(tmp1) - { - case GAA_WORD_OPTION: - j++; - case GAA_LETTER_OPTION: - j++; - tmp2 = gaa_get_option_num(argv[i]+j, tmp1); - if(tmp2 == GAA_ERROR_NOMATCH) - { - printf("Invalid option '%s'\n", argv[i]+j); - return 0; - } - switch(gaa_try(tmp2, i+1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("'%s': not enough arguments\n",gaa_current_option); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } - gaa_arg_used[i] = 1; - break; - case GAA_MULTIPLE_OPTION: - for(j = 1; j < strlen(argv[i]); j++) - { - tmp2 = gaa_get_option_num(argv[i]+j, tmp1); - if(tmp2 == GAA_ERROR_NOMATCH) - { - printf("Invalid option '%c'\n", *(argv[i]+j)); - return 0; - } - switch(gaa_try(tmp2, i+1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("'%s': not enough arguments\n",gaa_current_option); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } - } - gaa_arg_used[i] = 1; - break; - default: break; - } - } + for (i = 1; i < argc; i++) + gaa_arg_used[i] = 0; + for (i = 1; i < argc; i++) { + if (gaa_arg_used[i] == 0) { + j = 0; + tmp1 = gaa_is_an_argument(GAAargv[i]); + switch (tmp1) { + case GAA_WORD_OPTION: + j++; + case GAA_LETTER_OPTION: + j++; + tmp2 = gaa_get_option_num(argv[i] + j, tmp1); + if (tmp2 == GAA_ERROR_NOMATCH) { + printf("Invalid option '%s'\n", argv[i] + j); + return 0; + } + switch (gaa_try(tmp2, i + 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("'%s': not enough arguments\n", + gaa_current_option); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } + gaa_arg_used[i] = 1; + break; + case GAA_MULTIPLE_OPTION: + for (j = 1; j < strlen(argv[i]); j++) { + tmp2 = gaa_get_option_num(argv[i] + j, tmp1); + if (tmp2 == GAA_ERROR_NOMATCH) { + printf("Invalid option '%c'\n", *(argv[i] + j)); + return 0; + } + switch (gaa_try(tmp2, i + 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("'%s': not enough arguments\n", + gaa_current_option); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } + } + gaa_arg_used[i] = 1; + break; + default: + break; + } + } } -if(gaa_processing_file == 0) -{ + if (gaa_processing_file == 0) { #line 507 "gaa.skel" #ifdef GAA_REST_EXISTS - switch(gaa_try(GAA_REST, 1, gaaval, opt_list)) - { - case GAA_ERROR_NOTENOUGH_ARGS: - printf("Rest: not enough arguments\n"); - return 0; - case GAA_ERROR_INVALID_ARG: - printf("Invalid arguments\n"); - return 0; - case GAA_OK: - break; - default: - printf("Unknown error\n"); - } + switch (gaa_try(GAA_REST, 1, gaaval, opt_list)) { + case GAA_ERROR_NOTENOUGH_ARGS: + printf("Rest: not enough arguments\n"); + return 0; + case GAA_ERROR_INVALID_ARG: + printf("Invalid arguments\n"); + return 0; + case GAA_OK: + break; + default: + printf("Unknown error\n"); + } #endif -} - for(i = 1; i < argc; i++) - { - if(gaa_arg_used[i] == 0) - { - printf("Too many arguments\n"); - return 0; - } + } + for (i = 1; i < argc; i++) { + if (gaa_arg_used[i] == 0) { + printf("Too many arguments\n"); + return 0; + } } free(gaa_arg_used); free(opt_list); return -1; } -struct gaastrnode -{ +struct gaastrnode { char *str; struct gaastrnode *next; }; typedef struct gaastrnode gaa_str_node; -static int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc) +static int gaa_internal_get_next_str(FILE * file, gaa_str_node * tmp_str, + int argc) { int pos_ini; int a; int i = 0, len = 0, newline = 0; - if(argc == 1) { - newline = 1; - len = 2; + if (argc == 1) { + newline = 1; + len = 2; } - - a = fgetc( file); - if (a == EOF) return 0; - - while(a == ' ' || a == 9 || a == '\n') - { - if(a == '\n') - { - newline=1; - len = 2; - } - a = fgetc( file); - if (a == EOF) return 0; + + a = fgetc(file); + if (a == EOF) + return 0; + + while (a == ' ' || a == 9 || a == '\n') { + if (a == '\n') { + newline = 1; + len = 2; + } + a = fgetc(file); + if (a == EOF) + return 0; } pos_ini = ftell(file) - 1; - while(a != ' ' && a != 9 && a != '\n') - { + while (a != ' ' && a != 9 && a != '\n') { - len++; - a = fgetc( file); - if(a==EOF) return 0; //a = ' '; + len++; + a = fgetc(file); + if (a == EOF) + return 0; //a = ' '; } len += 1; tmp_str->str = gaa_malloc((len) * sizeof(char)); - if(newline == 1) - { - tmp_str->str[0] = '-'; - tmp_str->str[1] = '-'; - i = 2; - } - else - { - i = 0; + if (newline == 1) { + tmp_str->str[0] = '-'; + tmp_str->str[1] = '-'; + i = 2; + } else { + i = 0; } - fseek(file,pos_ini, SEEK_SET); - do - { - a = fgetc( file); - - if (a == EOF) { - i+=2; - break; - } - tmp_str->str[i] = a; - i++; + fseek(file, pos_ini, SEEK_SET); + do { + a = fgetc(file); + + if (a == EOF) { + i += 2; + break; + } + tmp_str->str[i] = a; + i++; } - while(a != ' ' && a != 9 && a != '\n' && i < len); + while (a != ' ' && a != 9 && a != '\n' && i < len); tmp_str->str[i - 1] = 0; - fseek(file,- 1, SEEK_CUR); + fseek(file, -1, SEEK_CUR); /* printf("%d\n", ftell(file)); */ - + return -1; } -int gaa_file(const char *name, gaainfo *gaaval) +int gaa_file(const char *name, gaainfo * gaaval) { gaa_str_node *first_str, **tmp_str, *tmp_str2; int rval, i; @@ -758,38 +737,36 @@ int gaa_file(const char *name, gaainfo *gaaval) FILE *file; gaa_processing_file = 1; - - if((file = fopen(name, "r")) == NULL) - { - printf("Couldn't open '%s' configuration file for reading\n", name); - return 1; + + if ((file = fopen(name, "r")) == NULL) { + printf("Couldn't open '%s' configuration file for reading\n", + name); + return 1; } - + tmp_str = &first_str; - do - { - argc++; - *tmp_str = gaa_malloc(sizeof(gaa_str_node)); + do { + argc++; + *tmp_str = gaa_malloc(sizeof(gaa_str_node)); - (*tmp_str)->str = NULL; - (*tmp_str)->next = NULL; + (*tmp_str)->str = NULL; + (*tmp_str)->next = NULL; - rval = gaa_internal_get_next_str(file, *tmp_str, argc); - tmp_str = &((*tmp_str)->next); + rval = gaa_internal_get_next_str(file, *tmp_str, argc); + tmp_str = &((*tmp_str)->next); } - while(rval == -1); - - if(rval == 1) - return 0; - - argv = gaa_malloc((1 + argc) * sizeof(char*)); + while (rval == -1); + + if (rval == 1) + return 0; + + argv = gaa_malloc((1 + argc) * sizeof(char *)); tmp_str2 = first_str; argv[0] = "cfg"; - for(i = 1; i < argc; i++) - { - argv[i] = tmp_str2->str; - tmp_str2 = tmp_str2->next; + for (i = 1; i < argc; i++) { + argv[i] = tmp_str2->str; + tmp_str2 = tmp_str2->next; } rval = gaa(argc, argv, gaaval); diff --git a/src/tls_test.c b/src/tls_test.c index 9ef546630b..18655e9b1c 100644 --- a/src/tls_test.c +++ b/src/tls_test.c @@ -46,7 +46,7 @@ /* global stuff here */ int resume; -char *hostname=NULL; +char *hostname = NULL; int port; int record_max_size; int fingerprint; @@ -65,72 +65,94 @@ extern int tls1_ok; extern int tls1_1_ok; extern int ssl3_ok; -static void tls_log_func( int level, const char* str) +static void tls_log_func(int level, const char *str) { - fprintf(stderr, "|<%d>| %s", level, str); + fprintf(stderr, "|<%d>| %s", level, str); } -typedef test_code_t (*TEST_FUNC)( gnutls_session); +typedef test_code_t(*TEST_FUNC) (gnutls_session); typedef struct { - char* test_name; - TEST_FUNC func; - char* suc_str; - char* fail_str; - char* unsure_str; + char *test_name; + TEST_FUNC func; + char *suc_str; + char *fail_str; + char *unsure_str; } TLS_TEST; static const TLS_TEST tls_tests[] = { - { "for TLS 1.1 support", test_tls1_1, "yes", "no", "dunno" }, - { "fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "", "SSL 3.0" }, - { "for TLS 1.0 support", test_tls1, "yes", "no", "dunno" }, - { "for SSL 3.0 support", test_ssl3, "yes", "no", "dunno" }, - { "for version rollback bug in RSA PMS", test_rsa_pms, "no", "yes", "dunno" }, - { "for version rollback bug in Client Hello", test_version_rollback, "no", "yes", "dunno" }, - - /* this test will disable TLS 1.0 if the server is - * buggy */ - { "whether we need to disable TLS 1.0", test_tls_disable, "no", "yes", "dunno" }, - - { "whether the server ignores the RSA PMS version", test_rsa_pms_version_check, "yes", "no", "dunno"}, - { "whether the server can accept Hello Extensions", test_hello_extension, "yes", "no", "dunno"}, - { "whether the server can accept cipher suites not in SSL 3.0 spec", test_unknown_ciphersuites, "yes", "no", "dunno"}, - { "whether the server can accept a bogus TLS record version in the client hello", test_version_oob, "yes", "no", "dunno"}, - { "for certificate information", test_certificate, "", "", "" }, - { "for trusted CAs", test_server_cas, "", "", "" }, - { "whether the server understands TLS closure alerts", test_bye, "yes", "no", "partially"}, - /* the fact that is after the closure alert test does matter. - */ - { "whether the server supports session resumption", test_session_resume2, "yes", "no", "dunno"}, - { "for export-grade ciphersuite support", test_export, "yes", "no", "dunno" }, - { "RSA-export ciphersuite info", test_export_info, "", "N/A", "N/A" }, + {"for TLS 1.1 support", test_tls1_1, "yes", "no", "dunno"}, + {"fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "", + "SSL 3.0"}, + {"for TLS 1.0 support", test_tls1, "yes", "no", "dunno"}, + {"for SSL 3.0 support", test_ssl3, "yes", "no", "dunno"}, + {"for version rollback bug in RSA PMS", test_rsa_pms, "no", "yes", + "dunno"}, + {"for version rollback bug in Client Hello", test_version_rollback, + "no", "yes", "dunno"}, + + /* this test will disable TLS 1.0 if the server is + * buggy */ + {"whether we need to disable TLS 1.0", test_tls_disable, "no", "yes", + "dunno"}, + + {"whether the server ignores the RSA PMS version", + test_rsa_pms_version_check, "yes", "no", "dunno"}, + {"whether the server can accept Hello Extensions", + test_hello_extension, "yes", "no", "dunno"}, + {"whether the server can accept cipher suites not in SSL 3.0 spec", + test_unknown_ciphersuites, "yes", "no", "dunno"}, + {"whether the server can accept a bogus TLS record version in the client hello", test_version_oob, "yes", "no", "dunno"}, + {"for certificate information", test_certificate, "", "", ""}, + {"for trusted CAs", test_server_cas, "", "", ""}, + {"whether the server understands TLS closure alerts", test_bye, "yes", + "no", "partially"}, + /* the fact that is after the closure alert test does matter. + */ + {"whether the server supports session resumption", + test_session_resume2, "yes", "no", "dunno"}, + {"for export-grade ciphersuite support", test_export, "yes", "no", + "dunno"}, + {"RSA-export ciphersuite info", test_export_info, "", "N/A", "N/A"}, #ifdef ENABLE_ANON - { "for anonymous authentication support", test_anonymous, "yes", "no", "dunno"}, - { "anonymous Diffie Hellman group info", test_dhe_group, "", "N/A", "N/A" }, + {"for anonymous authentication support", test_anonymous, "yes", "no", + "dunno"}, + {"anonymous Diffie Hellman group info", test_dhe_group, "", "N/A", + "N/A"}, #endif - { "for ephemeral Diffie Hellman support", test_dhe, "yes", "no", "dunno" }, - { "ephemeral Diffie Hellman group info", test_dhe_group, "", "N/A", "N/A" }, - { "for AES cipher support (TLS extension)", test_aes, "yes", "no", "dunno"}, - { "for 3DES cipher support", test_3des, "yes", "no", "dunno"}, - { "for ARCFOUR 128 cipher support", test_arcfour, "yes", "no", "dunno"}, - { "for ARCFOUR 40 cipher support", test_arcfour_40, "yes", "no", "dunno"}, - { "for MD5 MAC support", test_md5, "yes", "no", "dunno"}, - { "for SHA1 MAC support", test_sha, "yes", "no", "dunno"}, - { "for RIPEMD160 MAC support (TLS extension)", test_rmd, "yes", "no", "dunno"}, + {"for ephemeral Diffie Hellman support", test_dhe, "yes", "no", + "dunno"}, + {"ephemeral Diffie Hellman group info", test_dhe_group, "", "N/A", + "N/A"}, + {"for AES cipher support (TLS extension)", test_aes, "yes", "no", + "dunno"}, + {"for 3DES cipher support", test_3des, "yes", "no", "dunno"}, + {"for ARCFOUR 128 cipher support", test_arcfour, "yes", "no", "dunno"}, + {"for ARCFOUR 40 cipher support", test_arcfour_40, "yes", "no", + "dunno"}, + {"for MD5 MAC support", test_md5, "yes", "no", "dunno"}, + {"for SHA1 MAC support", test_sha, "yes", "no", "dunno"}, + {"for RIPEMD160 MAC support (TLS extension)", test_rmd, "yes", "no", + "dunno"}, #ifdef HAVE_LIBZ - { "for ZLIB compression support (TLS extension)", test_zlib, "yes", "no", "dunno"}, + {"for ZLIB compression support (TLS extension)", test_zlib, "yes", + "no", "dunno"}, #endif - { "for LZO compression support (GnuTLS extension)", test_lzo, "yes", "no", "dunno"}, - { "for max record size (TLS extension)", test_max_record_size, "yes", "no", "dunno" }, + {"for LZO compression support (GnuTLS extension)", test_lzo, "yes", + "no", "dunno"}, + {"for max record size (TLS extension)", test_max_record_size, "yes", + "no", "dunno"}, #ifdef ENABLE_SRP - { "for SRP authentication support (TLS extension)", test_srp, "yes", "no", "dunno" }, + {"for SRP authentication support (TLS extension)", test_srp, "yes", + "no", "dunno"}, #endif - { "for OpenPGP authentication support (TLS extension)", test_openpgp1, "yes", "no", "dunno" }, - { NULL, NULL, NULL, NULL, NULL } + {"for OpenPGP authentication support (TLS extension)", test_openpgp1, + "yes", "no", "dunno"}, + {NULL, NULL, NULL, NULL, NULL} }; static int tt = 0; -const char* ip; +const char *ip; #define CONNECT() \ sd = socket(AF_INET, SOCK_STREAM, 0); \ @@ -148,132 +170,137 @@ static void gaa_parser(int argc, char **argv); int main(int argc, char **argv) { - int err, ret; - int sd, i; - struct sockaddr_in sa; - gnutls_session state; - char buffer[MAX_BUF + 1]; - struct hostent *server_host; + int err, ret; + int sd, i; + struct sockaddr_in sa; + gnutls_session state; + char buffer[MAX_BUF + 1]; + struct hostent *server_host; - gaa_parser(argc, argv); + gaa_parser(argc, argv); #ifndef _WIN32 - signal(SIGPIPE, SIG_IGN); + signal(SIGPIPE, SIG_IGN); #endif - sockets_init(); + sockets_init(); - if (gnutls_global_init() < 0) { - fprintf(stderr, "global state initialization error\n"); - exit(1); - } + if (gnutls_global_init() < 0) { + fprintf(stderr, "global state initialization error\n"); + exit(1); + } - gnutls_global_set_log_function( tls_log_func); - gnutls_global_set_log_level(debug); + gnutls_global_set_log_function(tls_log_func); + gnutls_global_set_log_level(debug); - if (gnutls_global_init_extra() < 0) { - fprintf(stderr, "global state initialization error\n"); - exit(1); - } + if (gnutls_global_init_extra() < 0) { + fprintf(stderr, "global state initialization error\n"); + exit(1); + } - printf("Resolving '%s'...\n", hostname); - /* get server name */ - server_host = gethostbyname(hostname); - if (server_host == NULL) { - fprintf(stderr, "Cannot resolve %s\n", hostname); - exit(1); - } + printf("Resolving '%s'...\n", hostname); + /* get server name */ + server_host = gethostbyname(hostname); + if (server_host == NULL) { + fprintf(stderr, "Cannot resolve %s\n", hostname); + exit(1); + } - /* X509 stuff */ - if (gnutls_certificate_allocate_credentials(&xcred) < 0) { /* space for 2 certificates */ - fprintf(stderr, "memory error\n"); - exit(1); - } + /* X509 stuff */ + if (gnutls_certificate_allocate_credentials(&xcred) < 0) { /* space for 2 certificates */ + fprintf(stderr, "memory error\n"); + exit(1); + } - /* SRP stuff */ + /* SRP stuff */ #ifdef ENABLE_SRP - if (gnutls_srp_allocate_client_credentials(&srp_cred) < 0) { - fprintf(stderr, "memory error\n"); - exit(1); - } + if (gnutls_srp_allocate_client_credentials(&srp_cred) < 0) { + fprintf(stderr, "memory error\n"); + exit(1); + } #endif #ifdef ENABLE_ANON - /* ANON stuff */ - if (gnutls_anon_allocate_client_credentials(&anon_cred) < 0) { - fprintf(stderr, "memory error\n"); - exit(1); - } + /* ANON stuff */ + if (gnutls_anon_allocate_client_credentials(&anon_cred) < 0) { + fprintf(stderr, "memory error\n"); + exit(1); + } #endif - i = 0; - - do { - - if (tls_tests[i].test_name==NULL) break; /* finished */ + i = 0; - /* if neither of SSL3 and TLSv1 are supported, exit - */ - if (i > 3 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0) { - fprintf(stderr, "\nServer does not support none of SSL 3.0, TLS 1.0 and TLS 1.1\n"); - break; - } + do { - CONNECT(); - gnutls_init(&state, GNUTLS_CLIENT); - gnutls_transport_set_ptr(state, (gnutls_transport_ptr)sd); + if (tls_tests[i].test_name == NULL) + break; /* finished */ - do { - printf("Checking %s...", tls_tests[i].test_name); + /* if neither of SSL3 and TLSv1 are supported, exit + */ + if (i > 3 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0) { + fprintf(stderr, + "\nServer does not support none of SSL 3.0, TLS 1.0 and TLS 1.1\n"); + break; + } - ret = tls_tests[i].func( state); + CONNECT(); + gnutls_init(&state, GNUTLS_CLIENT); + gnutls_transport_set_ptr(state, (gnutls_transport_ptr) sd); - if (ret == TEST_SUCCEED) - printf(" %s\n", tls_tests[i].suc_str); - else if (ret==TEST_FAILED) - printf(" %s\n", tls_tests[i].fail_str); - else if (ret == TEST_UNSURE) printf(" %s\n", tls_tests[i].unsure_str); - else if (ret == TEST_IGNORE) { - printf(" N/A\n"); - i++; - } - } while( ret == TEST_IGNORE && tls_tests[i].test_name != NULL); + do { + printf("Checking %s...", tls_tests[i].test_name); + + ret = tls_tests[i].func(state); + + if (ret == TEST_SUCCEED) + printf(" %s\n", tls_tests[i].suc_str); + else if (ret == TEST_FAILED) + printf(" %s\n", tls_tests[i].fail_str); + else if (ret == TEST_UNSURE) + printf(" %s\n", tls_tests[i].unsure_str); + else if (ret == TEST_IGNORE) { + printf(" N/A\n"); + i++; + } + } while (ret == TEST_IGNORE && tls_tests[i].test_name != NULL); - gnutls_deinit(state); + gnutls_deinit(state); - shutdown(sd, SHUT_RDWR); /* no more receptions */ - close(sd); + shutdown(sd, SHUT_RDWR); /* no more receptions */ + close(sd); - i++; - } while(1); + i++; + } while (1); #ifdef ENABLE_SRP - gnutls_srp_free_client_credentials(srp_cred); + gnutls_srp_free_client_credentials(srp_cred); #endif - gnutls_certificate_free_credentials(xcred); + gnutls_certificate_free_credentials(xcred); #ifdef ENABLE_ANON - gnutls_anon_free_client_credentials(anon_cred); + gnutls_anon_free_client_credentials(anon_cred); #endif - gnutls_global_deinit(); + gnutls_global_deinit(); - return 0; + return 0; } static gaainfo info; void gaa_parser(int argc, char **argv) { - if (gaa(argc, argv, &info) != -1) { - fprintf(stderr, "Error in the arguments. Use the -h or --help parameters to get more info.\n"); - exit(1); - } + if (gaa(argc, argv, &info) != -1) { + fprintf(stderr, + "Error in the arguments. Use the -h or --help parameters to get more info.\n"); + exit(1); + } - port = info.pp; - if (info.rest_args==NULL) hostname="localhost"; - else hostname = info.rest_args; + port = info.pp; + if (info.rest_args == NULL) + hostname = "localhost"; + else + hostname = info.rest_args; - debug = info.debug; + debug = info.debug; - verbose = info.more_info; - -} + verbose = info.more_info; +} |