authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-06-16 11:44:24 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-06-16 16:52:32 +0200
commit77c58a3f62c474d1c05809683d33f4b03e33bdf5 (patch)
tree27a139f0aff0f68d0d890fc490ea74358be5629b
parente798c51c992e0d780e000354c6c33fb7f3dea9b2 (diff)
Removed all references to certificate types (branch: tmp-remove-cert-type-refs)
This removes all code related to certificate type selection and use. It should be merged if we do not add other certificate types in the future.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/auth/cert.c164
-rw-r--r--lib/auth/cert.h3
-rw-r--r--lib/auth/rsa.c5
-rw-r--r--lib/auth/srp_rsa.c5
-rw-r--r--lib/constate.c1
-rw-r--r--lib/gnutls_int.h4
-rw-r--r--lib/handshake.c3
-rw-r--r--lib/pcert.c19
-rw-r--r--lib/priority.c13
-rw-r--r--lib/session_pack.c6
-rw-r--r--lib/state.c5
11 files changed, 57 insertions, 171 deletions
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 2b635d0975..77aadac5ce 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -111,7 +111,6 @@ static int copy_certificate_auth_info(cert_auth_info_t info, gnutls_pcert_st * c
}
}
info->ncerts = ncerts;
- info->cert_type = certs[0].type;
return 0;
@@ -329,9 +328,6 @@ get_issuers(gnutls_session_t session,
int i;
unsigned size;
- if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509)
- return 0;
-
/* put the requested DNs to req_dn, only in case
* of X509 certificates.
*/
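Review bot: The context comment `/* put the requested DNs to req_dn, only in case of X509 certificates. */` now describes a guard that this hunk deletes, so on the new side it is stale. Rewording it to `/* put the requested DNs to req_dn */` keeps it accurate, since get_issuers no longer inspects the certificate type at all. The body of get_issuers continues past the end of the hunk.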
@@ -370,7 +366,6 @@ call_get_cert_callback(gnutls_session_t session,
gnutls_pcert_st *local_certs = NULL;
gnutls_privkey_t local_key = NULL;
int ret = GNUTLS_E_INTERNAL_ERROR;
- gnutls_certificate_type_t type = gnutls_certificate_type_get(session);
gnutls_certificate_credentials_t cred;
gnutls_retr2_st st2;
gnutls_pcert_st *pcert = NULL;
@@ -395,9 +390,6 @@ call_get_cert_callback(gnutls_session_t session,
if (ret < 0)
return gnutls_assert_val(GNUTLS_E_USER_ERROR);
- if (pcert_length > 0 && type != pcert[0].type)
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-
if (pcert_length == 0) {
pcert = NULL;
local_key = NULL;
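Review bot: With the `type != pcert[0].type` comparison gone, the pcert array returned by the application's callback is accepted without any confirmation that it holds X.509 certificates, even though everything downstream (gen_x509_crt, the cleanup path) treats it as X.509. The retr2 path in the next hunk has the same gap: `st2.cert.x509` is read, and in the cleanup hunk after it deinitialised, regardless of the `cert_type` the application filled in, and judging by the removed PGP branch `st2.cert` is a union keyed by that field, so a caller that still sets another type gets its pointer interpreted as an x509 handle. Pinning the validation to the one supported type keeps the simplification intact: `if (pcert_length > 0 && pcert[0].type != GNUTLS_CRT_X509) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` here, and `if (st2.cert_type != GNUTLS_CRT_X509) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` right after the `st2.ncerts == 0` return, before cleanup could touch the union. call_get_cert_callback starts and ends outside this hunk.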
@@ -427,20 +419,8 @@ call_get_cert_callback(gnutls_session_t session,
if (st2.ncerts == 0)
return 0; /* no certificate was selected */
- if (type != st2.cert_type) {
- gnutls_assert();
- ret = GNUTLS_E_INVALID_REQUEST;
- goto cleanup;
- }
-
- if (type == GNUTLS_CRT_X509) {
- local_certs =
- alloc_and_load_x509_certs(st2.cert.x509, st2.ncerts);
- } else { /* PGP */
- ret = GNUTLS_E_UNIMPLEMENTED_FEATURE;
- goto cleanup;
- }
-
+ local_certs =
+ alloc_and_load_x509_certs(st2.cert.x509, st2.ncerts);
if (local_certs == NULL) {
gnutls_assert();
ret = GNUTLS_E_MEMORY_ERROR;
@@ -488,13 +468,11 @@ call_get_cert_callback(gnutls_session_t session,
cleanup:
- if (st2.cert_type == GNUTLS_CRT_X509) {
- if (st2.deinit_all) {
- for (i = 0; i < st2.ncerts; i++) {
- gnutls_x509_crt_deinit(st2.cert.x509[i]);
- }
- gnutls_free(st2.cert.x509);
+ if (st2.deinit_all) {
+ for (i = 0; i < st2.ncerts; i++) {
+ gnutls_x509_crt_deinit(st2.cert.x509[i]);
}
+ gnutls_free(st2.cert.x509);
}
return ret;
@@ -532,34 +510,30 @@ select_client_cert(gnutls_session_t session,
/* use a callback to get certificate
*/
- if (session->security_parameters.cert_type == GNUTLS_CRT_X509) {
- issuers_dn_length =
- get_issuers_num(session, data, data_size);
- if (issuers_dn_length < 0) {
+ issuers_dn_length =
+ get_issuers_num(session, data, data_size);
+ if (issuers_dn_length < 0) {
+ gnutls_assert();
+ return issuers_dn_length;
+ }
+
+ if (issuers_dn_length > 0) {
+ issuers_dn =
+ gnutls_malloc(sizeof(gnutls_datum_t) *
+ issuers_dn_length);
+ if (issuers_dn == NULL) {
gnutls_assert();
- return issuers_dn_length;
+ return GNUTLS_E_MEMORY_ERROR;
}
- if (issuers_dn_length > 0) {
- issuers_dn =
- gnutls_malloc(sizeof(gnutls_datum_t) *
- issuers_dn_length);
- if (issuers_dn == NULL) {
- gnutls_assert();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- result =
- get_issuers(session, issuers_dn,
- issuers_dn_length, data,
- data_size);
- if (result < 0) {
- gnutls_assert();
- goto cleanup;
- }
+ result =
+ get_issuers(session, issuers_dn,
+ issuers_dn_length, data,
+ data_size);
+ if (result < 0) {
+ gnutls_assert();
+ goto cleanup;
}
- } else {
- issuers_dn_length = 0;
}
result =
@@ -571,13 +545,9 @@ select_client_cert(gnutls_session_t session,
} else {
/* If we have no callbacks, try to guess.
*/
- if (session->security_parameters.cert_type == GNUTLS_CRT_X509) {
- result =
- find_x509_client_cert(session, cred, _data, _data_size,
- pk_algos, pk_algos_length, &indx);
- } else {
- result = GNUTLS_E_UNIMPLEMENTED_FEATURE;
- }
+ result =
+ find_x509_client_cert(session, cred, _data, _data_size,
+ pk_algos, pk_algos_length, &indx);
if (result < 0) {
gnutls_assert();
return result;
@@ -660,25 +630,13 @@ static int gen_x509_crt(gnutls_session_t session, gnutls_buffer_st * data)
int
_gnutls_gen_cert_client_crt(gnutls_session_t session, gnutls_buffer_st * data)
{
- switch (session->security_parameters.cert_type) {
- case GNUTLS_CRT_X509:
- return gen_x509_crt(session, data);
- default:
- gnutls_assert();
- return GNUTLS_E_INTERNAL_ERROR;
- }
+ return gen_x509_crt(session, data);
}
int
_gnutls_gen_cert_server_crt(gnutls_session_t session, gnutls_buffer_st * data)
{
- switch (session->security_parameters.cert_type) {
- case GNUTLS_CRT_X509:
- return gen_x509_crt(session, data);
- default:
- gnutls_assert();
- return GNUTLS_E_INTERNAL_ERROR;
- }
+ return gen_x509_crt(session, data);
}
static
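Review bot: `_gnutls_gen_cert_client_crt` and `_gnutls_gen_cert_server_crt` are now byte-identical forwarders to gen_x509_crt, and nothing in the hunk says why two entry points survive. If they stay because each is wired into a separate handshake dispatch (inferred from the names; not visible here), a one-line comment above the first one such as `/* client and server paths are identical now that only X.509 is supported; kept as separate entry points for the handshake dispatch */` would stop the next reader from folding them together.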
@@ -850,7 +808,6 @@ _gnutls_proc_x509_server_crt(gnutls_session_t session,
int _gnutls_proc_crt(gnutls_session_t session, uint8_t * data, size_t data_size)
{
- int ret;
gnutls_certificate_credentials_t cred;
cred =
@@ -861,16 +818,7 @@ int _gnutls_proc_crt(gnutls_session_t session, uint8_t * data, size_t data_size)
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
- switch (session->security_parameters.cert_type) {
- case GNUTLS_CRT_X509:
- ret = _gnutls_proc_x509_server_crt(session, data, data_size);
- break;
- default:
- gnutls_assert();
- return GNUTLS_E_INTERNAL_ERROR;
- }
-
- return ret;
+ return _gnutls_proc_x509_server_crt(session, data, data_size);
}
/* Checks if we support the given signature algorithm
@@ -1113,10 +1061,7 @@ _gnutls_proc_cert_client_crt_vrfy(gnutls_session_t session,
sig.data = pdata;
sig.size = size;
- ret = _gnutls_get_auth_info_pcert(&peer_cert,
- session->security_parameters.
- cert_type, info);
-
+ ret = _gnutls_get_auth_info_pcert(&peer_cert, info);
if (ret < 0) {
gnutls_assert();
return ret;
@@ -1183,8 +1128,7 @@ _gnutls_gen_cert_server_cert_req(gnutls_session_t session,
return gnutls_assert_val(ret);
}
- if (session->security_parameters.cert_type == GNUTLS_CRT_X509 &&
- session->internals.ignore_rdn_sequence == 0) {
+ if (session->internals.ignore_rdn_sequence == 0) {
ret =
_gnutls_buffer_append_data_prefix(data, 16,
@@ -1479,19 +1423,14 @@ _gnutls_server_select_cert(gnutls_session_t session,
NULL);
_gnutls_handshake_log
- ("HSK[%p]: Requested server name: '%s', ctype: %s (%d)\n",
- session, server_name,
- gnutls_certificate_type_get_name
- (session->security_parameters.cert_type),
- session->security_parameters.cert_type);
-
- if (session->security_parameters.cert_type ==
- cred->certs[i].cert_list[0].type) {
- for (j = 0; j < pk_algos_size; j++)
- if (pk_algos[j] == pk) {
- idx = i;
- goto finished;
- }
+ ("HSK[%p]: Requested server name: '%s'\n",
+ session, server_name);
+
+ for (j = 0; j < pk_algos_size; j++) {
+ if (pk_algos[j] == pk) {
+ idx = i;
+ goto finished;
+ }
}
}
}
@@ -1499,11 +1438,8 @@ _gnutls_server_select_cert(gnutls_session_t session,
for (j = 0; j < pk_algos_size; j++) {
_gnutls_handshake_log
- ("HSK[%p]: Requested PK algorithm: %s (%d) -- ctype: %s (%d)\n",
- session, gnutls_pk_get_name(pk_algos[j]), pk_algos[j],
- gnutls_certificate_type_get_name
- (session->security_parameters.cert_type),
- session->security_parameters.cert_type);
+ ("HSK[%p]: Requested PK algorithm: %s (%d)\n",
+ session, gnutls_pk_get_name(pk_algos[j]), pk_algos[j]);
for (i = 0; i < cred->ncerts; i++) {
gnutls_pk_algorithm_t pk =
@@ -1521,15 +1457,8 @@ _gnutls_server_select_cert(gnutls_session_t session,
cred->certs[i].cert_list[0].type);
if (pk_algos[j] == pk) {
- /* if cert type matches
- */
- /* *INDENT-OFF* */
- if (session->security_parameters.cert_type == cred->certs[i].cert_list[0].type)
- {
- idx = i;
- goto finished;
- }
- /* *INDENT-ON* */
+ idx = i;
+ goto finished;
}
}
}
@@ -1700,7 +1629,6 @@ _gnutls_proc_dhe_signature(gnutls_session_t session, uint8_t * data,
if ((ret =
_gnutls_get_auth_info_pcert(&peer_cert,
- session->security_parameters.cert_type,
info)) < 0) {
gnutls_assert();
return ret;
diff --git a/lib/auth/cert.h b/lib/auth/cert.h
index 262c2773ab..848c8b1110 100644
--- a/lib/auth/cert.h
+++ b/lib/auth/cert.h
@@ -103,8 +103,6 @@ typedef struct cert_auth_info_st {
* peer.
*/
unsigned int ncerts; /* holds the size of the list above */
-
- gnutls_certificate_type_t cert_type;
} *cert_auth_info_t;
typedef struct cert_auth_info_st cert_auth_info_st;
@@ -129,7 +127,6 @@ int _gnutls_server_select_cert(struct gnutls_session_int *,
void _gnutls_selected_certs_deinit(gnutls_session_t session);
int _gnutls_get_auth_info_pcert(gnutls_pcert_st * gcert,
- gnutls_certificate_type_t type,
cert_auth_info_t info);
int certificate_credential_append_crt_list(gnutls_certificate_credentials_t
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
index 6f75bb5327..664395bc4d 100644
--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
@@ -102,10 +102,7 @@ _gnutls_get_public_rsa_params(gnutls_session_t session,
}
ret =
- _gnutls_get_auth_info_pcert(&peer_cert,
- session->security_parameters.
- cert_type, info);
-
+ _gnutls_get_auth_info_pcert(&peer_cert, info);
if (ret < 0) {
gnutls_assert();
return ret;
diff --git a/lib/auth/srp_rsa.c b/lib/auth/srp_rsa.c
index f7e9cccf02..e348a8d53e 100644
--- a/lib/auth/srp_rsa.c
+++ b/lib/auth/srp_rsa.c
@@ -237,10 +237,7 @@ proc_srp_cert_server_kx(gnutls_session_t session, uint8_t * data,
signature.size = sigsize;
ret =
- _gnutls_get_auth_info_pcert(&peer_cert,
- session->security_parameters.
- cert_type, info);
-
+ _gnutls_get_auth_info_pcert(&peer_cert, info);
if (ret < 0) {
gnutls_assert();
return ret;
diff --git a/lib/constate.c b/lib/constate.c
index 81cbeff462..bdbefca1ae 100644
--- a/lib/constate.c
+++ b/lib/constate.c
@@ -407,7 +407,6 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch)
memcpy( dst->server_random, src->server_random, GNUTLS_RANDOM_SIZE); \
memcpy( dst->session_id, src->session_id, GNUTLS_MAX_SESSION_ID_SIZE); \
dst->session_id_size = src->session_id_size; \
- dst->cert_type = src->cert_type; \
dst->compression_method = src->compression_method; \
dst->timestamp = src->timestamp; \
dst->ext_master_secret = src->ext_master_secret; \
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index b7f491c52c..3a08b99cb3 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -566,8 +566,7 @@ typedef struct {
*/
uint16_t max_record_send_size;
uint16_t max_record_recv_size;
- /* holds the negotiated certificate type */
- gnutls_certificate_type_t cert_type;
+
gnutls_ecc_curve_t ecc_curve; /* holds the first supported ECC curve requested by client */
/* Holds the signature algorithm used in this session - If any */
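Review bot: The replacement leaves a bare added empty line where the comment and the `cert_type` field were, so the new struct carries a double blank line between `max_record_recv_size` and `ecc_curve`. Dropping the added empty line keeps the field list as tight as it was before; the same commit removes `priority_st cert_type` in the next hunk without leaving such a gap.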
@@ -655,7 +654,6 @@ struct gnutls_priority_st {
priority_st kx;
priority_st compression;
priority_st protocol;
- priority_st cert_type;
priority_st sign_algo;
priority_st supported_ecc;
diff --git a/lib/handshake.c b/lib/handshake.c
index d62fd5b89c..76f8816838 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -167,9 +167,6 @@ static int resume_copy_required_values(gnutls_session_t session)
id) < 0)
return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
- session->security_parameters.cert_type =
- session->internals.resumed_security_parameters.cert_type;
-
memcpy(session->security_parameters.session_id,
session->internals.resumed_security_parameters.session_id,
sizeof(session->security_parameters.session_id));
diff --git a/lib/pcert.c b/lib/pcert.c
index 56322e124c..a6fef9d6cf 100644
--- a/lib/pcert.c
+++ b/lib/pcert.c
@@ -327,19 +327,12 @@ void gnutls_pcert_deinit(gnutls_pcert_st * pcert)
*/
int
_gnutls_get_auth_info_pcert(gnutls_pcert_st * pcert,
- gnutls_certificate_type_t type,
cert_auth_info_t info)
{
- switch (type) {
- case GNUTLS_CRT_X509:
- return gnutls_pcert_import_x509_raw(pcert,
- &info->
- raw_certificate_list
- [0],
- GNUTLS_X509_FMT_DER,
- GNUTLS_PCERT_NO_CERT);
- default:
- gnutls_assert();
- return GNUTLS_E_INTERNAL_ERROR;
- }
+ return gnutls_pcert_import_x509_raw(pcert,
+ &info->
+ raw_certificate_list
+ [0],
+ GNUTLS_X509_FMT_DER,
+ GNUTLS_PCERT_NO_CERT);
}
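Review bot: The rewritten body still reads `info->raw_certificate_list[0]` without checking that the peer actually supplied a certificate, and with the `switch` gone the function is now a single unguarded import. A guard ahead of the call, `if (info->ncerts == 0) return gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND);`, makes the function safe for a session whose peer sent an empty certificate list, which the callers in cert.c, rsa.c and srp_rsa.c do not appear to check in the visible hunks. The doc comment that ends at the top of this hunk presumably still describes the removed `type` parameter and should be updated in the same change.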
diff --git a/lib/priority.c b/lib/priority.c
index b19981b4b8..42cd50aaed 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -483,11 +483,6 @@ static const int _mac_priority_secure192[] = {
};
static const int* mac_priority_secure192 = _mac_priority_secure192;
-static const int cert_type_priority_default[] = {
- GNUTLS_CRT_X509,
- 0
-};
-
typedef void (rmadd_func) (priority_st * priority_list, unsigned int alg);
static void prio_remove(priority_st * priority_list, unsigned int algo)
@@ -1264,8 +1259,6 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
protocol_priority);
_set_priority(&(*priority_cache)->compression,
comp_priority);
- _set_priority(&(*priority_cache)->cert_type,
- cert_type_priority_default);
_set_priority(&(*priority_cache)->sign_algo,
sign_priority_default);
_set_priority(&(*priority_cache)->supported_ecc,
@@ -1725,11 +1718,7 @@ int
gnutls_priority_certificate_type_list(gnutls_priority_t pcache,
const unsigned int **list)
{
- if (pcache->cert_type.algorithms == 0)
- return 0;
-
- *list = pcache->cert_type.priority;
- return pcache->cert_type.algorithms;
+ return 0;
}
/**
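Review bot: `gnutls_priority_certificate_type_list` is a public function and now reports zero supported certificate types without ever writing `*list`, while the state.c hunk makes `gnutls_certificate_type_get` answer GNUTLS_CRT_X509 for every session, so the two public answers contradict each other. Returning the one type that is still supported keeps callers that enumerate the list working: `static const unsigned int cert_types[] = { GNUTLS_CRT_X509 }; *list = cert_types; return 1;`. Either way, the API doc comment above the function (outside the hunk) needs to say that the result is no longer derived from `pcache`, which the new body ignores entirely.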
diff --git a/lib/session_pack.c b/lib/session_pack.c
index 39f0737042..b30e317b31 100644
--- a/lib/session_pack.c
+++ b/lib/session_pack.c
@@ -749,7 +749,6 @@ pack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps)
BUFFER_APPEND(ps, session->security_parameters.cipher_suite, 2);
BUFFER_APPEND_NUM(ps,
session->security_parameters.compression_method);
- BUFFER_APPEND_NUM(ps, session->security_parameters.cert_type);
BUFFER_APPEND_NUM(ps, session->security_parameters.pversion->id);
BUFFER_APPEND(ps, session->security_parameters.master_secret,
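Review bot: Dropping `BUFFER_APPEND_NUM(ps, session->security_parameters.cert_type)` here and the matching `BUFFER_POP_NUM` in the next hunk changes the layout of packed session data, so a blob written by a build without this change is unpacked one field out of step (the stored cert_type lands in `version`). That is harmless only if the packed format carries a version or magic tied to the library build, which is not visible in these hunks; if it does not, unpack should keep reading and discarding the field, or the format marker should be bumped. A sentence about this in the commit message would help, since session DB entries and tickets outlive a library upgrade.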
@@ -821,9 +820,6 @@ unpack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps)
BUFFER_POP_NUM(ps,
session->internals.resumed_security_parameters.
compression_method);
- BUFFER_POP_NUM(ps,
- session->internals.resumed_security_parameters.
- cert_type);
BUFFER_POP_NUM(ps, version);
session->internals.resumed_security_parameters.pversion =
version_to_entry(version);
@@ -944,8 +940,6 @@ gnutls_session_set_premaster(gnutls_session_t session, unsigned int entity,
session->internals.resumed_security_parameters.compression_method =
comp;
- session->internals.resumed_security_parameters.cert_type =
- DEFAULT_CERT_TYPE;
session->internals.resumed_security_parameters.pversion =
version_to_entry(version);
diff --git a/lib/state.c b/lib/state.c
index 27c4adb3b8..12f13acd80 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -102,7 +102,7 @@ gnutls_cipher_algorithm_t gnutls_cipher_get(gnutls_session_t session)
gnutls_certificate_type_t
gnutls_certificate_type_get(gnutls_session_t session)
{
- return session->security_parameters.cert_type;
+ return GNUTLS_CRT_X509;
}
/**
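Review bot: `gnutls_certificate_type_get` now returns `GNUTLS_CRT_X509` unconditionally and no longer reads `session`, so the public doc comment above it (outside the hunk) should say so rather than describe a negotiated value. A short comment on the return line, `/* only X.509 is supported; independent of session state */`, would make that clear to readers of the source as well. The now-unused `session` parameter will also warn under -Wunused-parameter if the project's build enables it.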
@@ -297,9 +297,6 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
(*session)->security_parameters.entity =
(flags & GNUTLS_SERVER ? GNUTLS_SERVER : GNUTLS_CLIENT);
- /* the default certificate type for TLS */
- (*session)->security_parameters.cert_type = DEFAULT_CERT_TYPE;
-
/* Initialize buffers */
_gnutls_buffer_init(&(*session)->internals.handshake_hash_buffer);
_gnutls_buffer_init(&(*session)->internals.hb_remote_data);