diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-06-20 14:11:16 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-06-20 14:11:16 +0000 |
commit | 06ee26c4753c4e399741f1710f6f0dd526130776 (patch) | |
tree | a9814eef9d9407da33afee0f419f94bc07db6f99 | |
parent | e9d5f40989e5bc54010753e9ce160d0e5ea5bd54 (diff) | |
download | gnutls-06ee26c4753c4e399741f1710f6f0dd526130776.tar.gz |
client side RSA works (no certificate checking)
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | doc/TODO | 7 | ||||
-rw-r--r-- | lib/auth_rsa.c | 236 | ||||
-rwxr-xr-x | lib/cert_asn1.c | 1 | ||||
-rw-r--r-- | lib/cert_der.c | 6 | ||||
-rw-r--r-- | lib/gnutls_datum.c | 10 | ||||
-rw-r--r-- | lib/gnutls_datum.h | 2 | ||||
-rw-r--r-- | lib/gnutls_errors.c | 5 | ||||
-rw-r--r-- | lib/gnutls_errors_int.h | 8 | ||||
-rw-r--r-- | lib/gnutls_int.h | 4 | ||||
-rw-r--r-- | lib/gnutls_kx.c | 65 | ||||
-rw-r--r-- | lib/gnutls_pk.c | 9 | ||||
-rw-r--r-- | src/pkix.asn | 4 |
13 files changed, 155 insertions, 204 deletions
@@ -1,7 +1,7 @@ Version 0.1.4 - Corrected (srp) base64 encoding. - Changed bcrypt algorithm to include username. -- Added RSA Ciphersuites (server side only). +- Added RSA Ciphersuites (no certificate checking). - Fixes in SSL 2.0 client hello parsing. - Added ASN.1 and DER parsers. - Bugfixes in session resuming @@ -8,6 +8,7 @@ only one parse of the der structures. * Create global variables that hold read/write and initialize the ASN.1 parser's structures. -* Create certificate verify function(s) -* Add client side of RSA auth. - +* Create certificate verification function(s) +* Make the selection of the proper ciphersuite to depend on + the certificate/credentials. +* Modify SRP to conform the newest draft diff --git a/lib/auth_rsa.c b/lib/auth_rsa.c index 59a3219240..f40b2d690e 100644 --- a/lib/auth_rsa.c +++ b/lib/auth_rsa.c @@ -31,10 +31,8 @@ #include <gnutls_random.h> #include <gnutls_pk.h> #include <gnutls_algorithms.h> +#include "debug.h" -#if 0 -int gen_rsa_server_kx(GNUTLS_KEY, opaque **); -#endif int gen_rsa_certificate(GNUTLS_KEY, opaque **); int gen_rsa_client_kx(GNUTLS_KEY, opaque **); int proc_rsa_client_kx( GNUTLS_KEY, opaque*, int); @@ -63,55 +61,6 @@ typedef struct { gnutls_datum rsa_exponent; } RSA_Params; -#if 0 -/* This function will calculate the SHA/MD5 signature in server kx. - * This is needed by the protocol. - */ -int _gnutls_calc_rsa_signature( GNUTLS_KEY key, const opaque* data, int data_size, opaque* dst) { - void* md5; - void* sha; - int ret = 0; - GNUTLS_MAC_HANDLE td; - - td = gnutls_hash_init(GNUTLS_MAC_MD5); - if (td==GNUTLS_HASH_FAILED) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - gnutls_hash( td, key->client_random, TLS_RANDOM_SIZE); - gnutls_hash( td, key->server_random, TLS_RANDOM_SIZE); - gnutls_hash( td, data, data_size); - - md5 = gnutls_hash_deinit(td); - if (md5==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - memcpy( dst, md5, 16); - gnutls_free(md5); - - - td = gnutls_hash_init(GNUTLS_MAC_SHA); - if (td==GNUTLS_HASH_FAILED) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - gnutls_hash( td, key->client_random, TLS_RANDOM_SIZE); - gnutls_hash( td, key->server_random, TLS_RANDOM_SIZE); - gnutls_hash( td, data, data_size); - - sha = gnutls_hash_deinit(td); - if (sha==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy( &dst[16], sha, 20); - gnutls_free(sha); - - return ret; -} -#endif /* This function extracts the RSA parameters from the given(?) certificate. */ @@ -123,81 +72,83 @@ static int _gnutls_get_rsa_params( GNUTLS_KEY key, RSA_Params * params, MPI* mod if (create_structure("rsa_params", "PKIX1Explicit88.Certificate")!=ASN_OK) { gnutls_assert(); - return GNUTLS_E_PARSING_ERROR; + return GNUTLS_E_ASN1_ERROR; } result = get_der("rsa_params", cert.data, cert.size); if (result != ASN_OK) { /* couldn't decode DER */ gnutls_assert(); - return GNUTLS_E_PARSING_ERROR; + return GNUTLS_E_ASN1_PARSING_ERROR; } + len = sizeof(str); result = - read_value("rsa_params.tbsCertificate.subjectPublicKeyInfo.algorithm", str, &len); + read_value("rsa_params.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm", str, &len); + if (result != ASN_OK) { -fprintf(stderr, "resut: %d\n", result); gnutls_assert(); delete_structure("rsa_params"); - return GNUTLS_E_PARSING_ERROR; + return GNUTLS_E_ASN1_PARSING_ERROR; } if (!strcmp(str, "1 2 840 113549 1 1 1")) { /* pkix-1 1 - RSA */ len = sizeof(str); result = - read_value("rsa_params.tbsCertificate.subjectPublicKeyInfo.parameters", str, &len); + read_value("rsa_params.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey", str, &len); delete_structure("rsa_params"); if (result != ASN_OK) { gnutls_assert(); - delete_structure("rsa_params"); - return GNUTLS_E_PARSING_ERROR; + return GNUTLS_E_ASN1_PARSING_ERROR; } - if (create_structure("rsapublickey", "PKIX1Explicit88.RSAPublicKey")!=ASN_OK) { + if (create_structure("rsa_public_key", "PKIX1Explicit88.RSAPublicKey")!=ASN_OK) { gnutls_assert(); - return GNUTLS_E_PARSING_ERROR; + return GNUTLS_E_ASN1_ERROR; } - - result = get_der("rsapublickey", str, len); + + result = get_der("rsa_public_key", str, len/8); + if (result != ASN_OK) { gnutls_assert(); - delete_structure("rsapublickey"); - return GNUTLS_E_PARSING_ERROR; + delete_structure("rsa_public_key"); + return GNUTLS_E_ASN1_PARSING_ERROR; } + len = sizeof(str); result = - read_value("rsapublickey.modulus", str, &len); + read_value("rsa_public_key.modulus", str, &len); if (result != ASN_OK) { gnutls_assert(); - delete_structure("rsapublickey"); - return GNUTLS_E_PARSING_ERROR; + delete_structure("rsa_public_key"); + return GNUTLS_E_ASN1_PARSING_ERROR; } if (gcry_mpi_scan(mod, GCRYMPI_FMT_USG, str, &len) != 0) { gnutls_assert(); - delete_structure("rsapublickey"); + delete_structure("rsa_public_key"); return GNUTLS_E_MPI_SCAN_FAILED; } if (params!=NULL) if (gnutls_set_datum(¶ms->rsa_modulus, str, len) < 0) { gnutls_assert(); - delete_structure("rsapublickey"); + delete_structure("rsa_public_key"); return GNUTLS_E_MEMORY_ERROR; } len = sizeof(str); result = - read_value("rsapublickey.publicExponent", str, &len); + read_value("rsa_public_key.publicExponent", str, &len); if (result != ASN_OK) { gnutls_assert(); - delete_structure("rsapublickey"); + delete_structure("rsa_public_key"); if (params!=NULL) gnutls_free_datum(¶ms->rsa_modulus); _gnutls_mpi_release(mod); - return GNUTLS_E_PARSING_ERROR; + return GNUTLS_E_ASN1_PARSING_ERROR; } if (gcry_mpi_scan(exp, @@ -205,22 +156,32 @@ fprintf(stderr, "resut: %d\n", result); gnutls_assert(); _gnutls_mpi_release(mod); if (params!=NULL) gnutls_free_datum(¶ms->rsa_modulus); - delete_structure("rsapublickey"); + delete_structure("rsa_public_key"); return GNUTLS_E_MPI_SCAN_FAILED; } - if (gnutls_set_datum(¶ms->rsa_exponent, str, len) < 0) { - _gnutls_mpi_release(mod); - _gnutls_mpi_release(exp); - if (params!=NULL) gnutls_free_datum(¶ms->rsa_modulus); - delete_structure("rsapublickey"); - return GNUTLS_E_MEMORY_ERROR; - } + if (params !=NULL) + if (gnutls_set_datum(¶ms->rsa_exponent, str, len) < 0) { + _gnutls_mpi_release(mod); + _gnutls_mpi_release(exp); + if (params!=NULL) gnutls_free_datum(¶ms->rsa_modulus); + delete_structure("rsa_public_key"); + return GNUTLS_E_MEMORY_ERROR; + } - delete_structure("rsapublickey"); + delete_structure("rsa_public_key"); + + ret = 0; + + } else { + /* The certificate that was sent was not + * supported by the ciphersuite + */ + gnutls_assert(); + ret = GNUTLS_E_X509_CERTIFICATE_ERROR; + delete_structure("rsa_params"); } - delete_structure("rsa_params"); return ret; } @@ -237,21 +198,22 @@ static int _gnutls_get_private_rsa_params( GNUTLS_KEY key, gnutls_datum cert) if (create_structure("rsakey", "PKCS-1.RSAPrivateKey")!=ASN_OK) { gnutls_assert(); - return GNUTLS_E_PARSING_ERROR; + return GNUTLS_E_ASN1_ERROR; } result = get_der("rsakey", cert.data, cert.size); if (result != ASN_OK) { gnutls_assert(); - return GNUTLS_E_PARSING_ERROR; + return GNUTLS_E_ASN1_PARSING_ERROR; } + len = sizeof(str); result = read_value("rsakey.privateExponent", str, &len); if (result != ASN_OK) { gnutls_assert(); delete_structure("rsakey"); - return GNUTLS_E_PARSING_ERROR; + return GNUTLS_E_ASN1_PARSING_ERROR; } if (gcry_mpi_scan(&key->u, GCRYMPI_FMT_USG, str, &len) != 0) { @@ -268,7 +230,7 @@ static int _gnutls_get_private_rsa_params( GNUTLS_KEY key, gnutls_datum cert) gnutls_assert(); delete_structure("rsakey"); _gnutls_mpi_release(&key->u); - return GNUTLS_E_PARSING_ERROR; + return GNUTLS_E_ASN1_PARSING_ERROR; } if (gcry_mpi_scan(&key->A, @@ -284,54 +246,6 @@ static int _gnutls_get_private_rsa_params( GNUTLS_KEY key, gnutls_datum cert) return ret; } -#if 0 /* wow ... this was not needed ! */ -int gen_rsa_server_kx(GNUTLS_KEY key, opaque ** data) -{ - RSA_Params params; - const X509PKI_SERVER_CREDENTIALS *cred; - int ret; - opaque* pdata; - - cred = _gnutls_get_cred(key, GNUTLS_X509PKI, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFICIENT_CRED; - } - - ret = - _gnutls_get_rsa_params(key, ¶ms, cred->pkey); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = params.rsa_modulus.size + - params.rsa_modulus.size + 16 + 20 + 4; - (*data) = gnutls_malloc( ret); - - pdata = (*data); - if (pdata == NULL) return GNUTLS_E_MEMORY_ERROR; - - WRITEdatum16(pdata, params.rsa_modulus); - pdata += params.rsa_modulus.size; - - WRITEdatum16(pdata, params.rsa_exponent); - pdata += params.rsa_exponent.size; - - gnutls_free_datum(¶ms.rsa_modulus); - gnutls_free_datum(¶ms.rsa_modulus); - - ret = _gnutls_calc_rsa_signature( key, (*data), ret-20-16, pdata); - if (ret< 0) { - gnutls_free((*data)); - gnutls_assert(); - return ret; - } - - return ret; -} -#endif int gen_rsa_certificate(GNUTLS_KEY key, opaque ** data) { @@ -396,9 +310,9 @@ int gen_rsa_certificate(GNUTLS_KEY key, opaque ** data) return pdatasize; } -#define RANDOMIZE_X(x) x.size=TLS_MASTER_SIZE; x.data=gnutls_malloc(x.size); \ +#define RANDOMIZE_KEY(x, galloc) x.size=TLS_MASTER_SIZE; x.data=galloc(x.size); \ if (x.data==NULL) return GNUTLS_E_MEMORY_ERROR; \ - if (_gnutls_get_random( key->key.data, key->key.size, GNUTLS_WEAK_RANDOM) < 0) { \ + if (_gnutls_get_random( x.data, x.size, GNUTLS_WEAK_RANDOM) < 0) { \ return GNUTLS_E_MEMORY_ERROR; \ } @@ -424,11 +338,11 @@ int proc_rsa_client_kx( GNUTLS_KEY key, opaque* data, int data_size) { * attack against pkcs-1 formating). */ gnutls_assert(); - RANDOMIZE_X(key->key); + RANDOMIZE_KEY(key->key, secure_malloc); } else { ret = 0; if (plaintext.size != TLS_MASTER_SIZE) { /* WOW */ - RANDOMIZE_X(key->key); + RANDOMIZE_KEY(key->key, secure_malloc); } else { if (key->version.major != plaintext.data[0]) ret = GNUTLS_E_DECRYPTION_FAILED; if (key->version.minor != plaintext.data[1]) ret = GNUTLS_E_DECRYPTION_FAILED; @@ -535,10 +449,9 @@ int gen_rsa_client_kx(GNUTLS_KEY key, opaque ** data) X509PKI_AUTH_INFO *auth = key->auth_info; svoid *rand; gnutls_datum sdata; /* data to send */ - gnutls_datum edata; /* data to encrypt */ MPI pkey, n; int ret; - + if (auth == NULL) { /* this shouldn't have happened. The proc_certificate * function should have detected that. @@ -550,26 +463,41 @@ int gen_rsa_client_kx(GNUTLS_KEY key, opaque ** data) rand = secure_malloc( TLS_MASTER_SIZE); if (rand==NULL) return GNUTLS_E_MEMORY_ERROR; - - _gnutls_get_random( rand, TLS_MASTER_SIZE, GNUTLS_STRONG_RANDOM); - - key->key.data = rand; - key->key.size = TLS_MASTER_SIZE; - edata.data = rand; - edata.size = TLS_MASTER_SIZE; + RANDOMIZE_KEY( key->key, secure_malloc); + key->key.data[0] = key->version.major; + key->key.data[1] = key->version.minor; if ( (ret=_gnutls_get_rsa_params( key, NULL, &n, &pkey, auth->peer_certificate_list[0])) < 0 ) { gnutls_assert(); return ret; } - _gnutls_pkcs1_rsa_encrypt( &sdata, edata, pkey, n); + if ( (ret=_gnutls_pkcs1_rsa_encrypt( &sdata, key->key, pkey, n)) < 0 ) { + gnutls_assert(); + _gnutls_mpi_release(&pkey); + _gnutls_mpi_release(&n); + return ret; + } - secure_free(rand); _gnutls_mpi_release(&pkey); _gnutls_mpi_release(&n); - - *data = sdata.data; - return sdata.size; + + if ( _gnutls_version_ssl3(_gnutls_version_get(key->version.major, key->version.minor)) == 0 ) { + /* SSL 3.0 */ + *data = sdata.data; + return sdata.size; + } else { /* TLS 1 */ + *data = gnutls_malloc(sdata.size+2); + if (*data==NULL) { + gnutls_free_datum(&sdata); + return GNUTLS_E_MEMORY_ERROR; + } + WRITEuint16(sdata.size, *data); + memcpy( &(*data)[2], sdata.data, sdata.size); + ret = sdata.size + 2; + gnutls_free_datum(&sdata); + return ret; + } + } diff --git a/lib/cert_asn1.c b/lib/cert_asn1.c index b8a12ff87a..1040a6eca0 100755 --- a/lib/cert_asn1.c +++ b/lib/cert_asn1.c @@ -4,6 +4,7 @@ /*****************************************************/ #include <defines.h> +#include <gnutls_int.h> #include <cert_asn1.h> #include <cert_der.h> diff --git a/lib/cert_der.c b/lib/cert_der.c index 7699543e67..780e6ccec1 100644 --- a/lib/cert_der.c +++ b/lib/cert_der.c @@ -3,10 +3,8 @@ /* Description: Functions to manage DER encoding */ /*****************************************************/ -#include <stdio.h> -#include <string.h> -#include <stdlib.h> - +#include <defines.h> +#include <gnutls_int.h> #include <cert_der.h> #include <cert_asn1.h> diff --git a/lib/gnutls_datum.c b/lib/gnutls_datum.c index b152c19c40..cf31a02990 100644 --- a/lib/gnutls_datum.c +++ b/lib/gnutls_datum.c @@ -51,6 +51,16 @@ int gnutls_set_datum( gnutls_datum* dat, const void* data, int data_size) { return 0; } +int gnutls_sset_datum( gnutls_datum* dat, const void* data, int data_size) { + dat->data = secure_malloc(data_size); + if (dat->data==NULL) return GNUTLS_E_MEMORY_ERROR; + + dat->size = data_size; + memcpy( dat->data, data, data_size); + + return 0; +} + void gnutls_free_datum( gnutls_datum* dat) { if (dat->data!=NULL && dat->size!=0) gnutls_free( dat->data); diff --git a/lib/gnutls_datum.h b/lib/gnutls_datum.h index 0fa057dd20..9ecf461bcf 100644 --- a/lib/gnutls_datum.h +++ b/lib/gnutls_datum.h @@ -4,4 +4,6 @@ void WRITEdatum32( opaque* dest, gnutls_datum dat); void WRITEdatum8( opaque* dest, gnutls_datum dat); int gnutls_set_datum( gnutls_datum* dat, const void* data, int data_size); +/* uses secure_malloc */ +int gnutls_sset_datum( gnutls_datum* dat, const void* data, int data_size); void gnutls_free_datum( gnutls_datum* dat); diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index 7f92b2c45a..517a22aad9 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c @@ -60,6 +60,8 @@ static gnutls_error_entry error_algorithms[] = { GNUTLS_ERROR_ENTRY( GNUTLS_E_MPI_PRINT_FAILED, 1), GNUTLS_ERROR_ENTRY( GNUTLS_E_DECRYPTION_FAILED, 1), GNUTLS_ERROR_ENTRY( GNUTLS_E_ENCRYPTION_FAILED, 1), + GNUTLS_ERROR_ENTRY( GNUTLS_E_PK_DECRYPTION_FAILED, 1), + GNUTLS_ERROR_ENTRY( GNUTLS_E_PK_ENCRYPTION_FAILED, 1), GNUTLS_ERROR_ENTRY( GNUTLS_E_DECOMPRESSION_FAILED, 1), GNUTLS_ERROR_ENTRY( GNUTLS_E_COMPRESSION_FAILED, 1), GNUTLS_ERROR_ENTRY( GNUTLS_E_MEMORY_ERROR, 1), @@ -71,6 +73,9 @@ static gnutls_error_entry error_algorithms[] = { GNUTLS_ERROR_ENTRY( GNUTLS_E_PARSING_ERROR, 1), GNUTLS_ERROR_ENTRY( GNUTLS_E_AUTH_FAILED, 1), GNUTLS_ERROR_ENTRY( GNUTLS_E_RECORD_LIMIT_REACHED, 1), + GNUTLS_ERROR_ENTRY( GNUTLS_E_ASN1_PARSING_ERROR, 1), + GNUTLS_ERROR_ENTRY( GNUTLS_E_ASN1_ERROR, 1), + GNUTLS_ERROR_ENTRY( GNUTLS_E_X509_CERTIFICATE_ERROR, 1), GNUTLS_ERROR_ENTRY( GNUTLS_E_AGAIN, 0), GNUTLS_ERROR_ENTRY( GNUTLS_E_GOT_HELLO_REQUEST, 0), GNUTLS_ERROR_ENTRY( GNUTLS_E_GOT_APPLICATION_DATA, 0), diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h index ed98646485..3b04dea8fc 100644 --- a/lib/gnutls_errors_int.h +++ b/lib/gnutls_errors_int.h @@ -38,4 +38,10 @@ #define GNUTLS_E_GOT_APPLICATION_DATA -38 #define GNUTLS_E_RECORD_LIMIT_REACHED -39 #define GNUTLS_E_ENCRYPTION_FAILED -40 -#define GNUTLS_E_UNIMPLEMENTED_FEATURE -50 +#define GNUTLS_E_ASN1_ERROR -41 +#define GNUTLS_E_ASN1_PARSING_ERROR -42 +#define GNUTLS_E_X509_CERTIFICATE_ERROR -43 +#define GNUTLS_E_PK_ENCRYPTION_FAILED -44 +#define GNUTLS_E_PK_DECRYPTION_FAILED -45 + +#define GNUTLS_E_UNIMPLEMENTED_FEATURE -250 diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index b1e24ac9ad..3843eb3164 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -28,10 +28,10 @@ #define WRITE_DEBUG #define BUFFERS_DEBUG #define RECORD_DEBUG -#define HARD_DEBUG #define HANDSHAKE_DEBUG -*/ +#define HARD_DEBUG #define DEBUG +*/ #define SOCKET int #define LIST ... diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c index 406075302f..444184bbb0 100644 --- a/lib/gnutls_kx.c +++ b/lib/gnutls_kx.c @@ -95,14 +95,14 @@ int _gnutls_send_server_kx_message(SOCKET cd, GNUTLS_STATE state) int data_size = 0; int ret = 0; -#ifdef HARD_DEBUG + if (state->gnutls_internals.auth_struct->gnutls_generate_server_kx==NULL) + return 0; + +#ifdef HANDSHAKE_DEBUG fprintf(stderr, "Sending server KX message\n"); #endif - if (state->gnutls_internals.auth_struct->gnutls_generate_server_kx==NULL) - return 0; - data_size = state->gnutls_internals.auth_struct->gnutls_generate_server_kx( state->gnutls_key, &data); if (data_size < 0) { @@ -130,7 +130,7 @@ int _gnutls_send_server_kx_message2(SOCKET cd, GNUTLS_STATE state) if (state->gnutls_internals.auth_struct->gnutls_generate_server_kx2 != NULL) { data_size = state->gnutls_internals.auth_struct->gnutls_generate_server_kx2( state->gnutls_key, &data); -#ifdef HARD_DEBUG +#ifdef HANDSHAKE_DEBUG fprintf(stderr, "Sending server KX message2\n"); #endif @@ -162,11 +162,8 @@ int _gnutls_send_client_kx_message(SOCKET cd, GNUTLS_STATE state) if (state->gnutls_internals.auth_struct->gnutls_generate_client_kx==NULL) return 0; -#ifdef HARD_DEBUG - { - int i; +#ifdef HANDSHAKE_DEBUG fprintf(stderr, "Sending client KX message\n"); - } #endif data_size = state->gnutls_internals.auth_struct->gnutls_generate_client_kx( state->gnutls_key, &data); @@ -197,11 +194,8 @@ int _gnutls_send_client_kx_message0(SOCKET cd, GNUTLS_STATE state) if ( state->gnutls_internals.auth_struct->gnutls_generate_client_kx0 == NULL) return 0; -#ifdef HARD_DEBUG - { - int i; +#ifdef HANDSHAKE_DEBUG fprintf(stderr, "Sending client KX message0\n"); - } #endif data_size = state->gnutls_internals.auth_struct->gnutls_generate_client_kx0( state->gnutls_key, &data); @@ -235,7 +229,7 @@ int _gnutls_send_client_certificate_verify(SOCKET cd, GNUTLS_STATE state) return 0; /* this algorithm does not support cli_cert_vrfy */ } -#ifdef HARD_DEBUG +#ifdef HANDSHAKE_DEBUG fprintf(stderr, "Sending client certificate verify message\n"); #endif data_size = state->gnutls_internals.auth_struct->gnutls_generate_client_cert_vrfy( state->gnutls_key, &data); @@ -257,11 +251,12 @@ int _gnutls_recv_server_kx_message(SOCKET cd, GNUTLS_STATE state) int datasize; int ret = 0; -#ifdef HARD_DEBUG - fprintf(stderr, "Receiving Server KX message\n"); + if (state->gnutls_internals.auth_struct->gnutls_process_server_kx!=NULL) { + +#ifdef HANDSHAKE_DEBUG + fprintf(stderr, "Receiving Server KX message\n"); #endif - if (state->gnutls_internals.auth_struct->gnutls_process_server_kx!=NULL) { ret = _gnutls_recv_handshake(cd, state, &data, &datasize, @@ -285,11 +280,13 @@ int _gnutls_recv_server_kx_message2(SOCKET cd, GNUTLS_STATE state) int datasize; int ret = 0; -#ifdef HARD_DEBUG - fprintf(stderr, "Receiving Server KX message2\n"); -#endif if (state->gnutls_internals.auth_struct->gnutls_process_server_kx2 != NULL) { + +#ifdef HANDSHAKE_DEBUG + fprintf(stderr, "Receiving Server KX message2\n"); +#endif + ret = _gnutls_recv_handshake(cd, state, &data, &datasize, @@ -310,19 +307,20 @@ int _gnutls_recv_server_kx_message2(SOCKET cd, GNUTLS_STATE state) int _gnutls_recv_client_kx_message(SOCKET cd, GNUTLS_STATE state) { uint8 *data; -#ifdef HARD_DEBUG +#ifdef HANDSHAKE_DEBUG int i; #endif int datasize; int ret = 0; -#ifdef HARD_DEBUG - fprintf(stderr, "Receiving client KX message\n"); -#endif /* Do key exchange only if the algorithm permits it */ if (state->gnutls_internals.auth_struct->gnutls_process_client_kx != NULL) { +#ifdef HANDSHAKE_DEBUG + fprintf(stderr, "Receiving client KX message\n"); +#endif + ret = _gnutls_recv_handshake(cd, state, &data, &datasize, @@ -344,19 +342,19 @@ int _gnutls_recv_client_kx_message(SOCKET cd, GNUTLS_STATE state) int _gnutls_recv_client_kx_message0(SOCKET cd, GNUTLS_STATE state) { uint8 *data; -#ifdef HARD_DEBUG +#ifdef HANDSHAKE_DEBUG int i; #endif int datasize; int ret = 0; -#ifdef HARD_DEBUG - fprintf(stderr, "Receiving client KX message0\n"); -#endif - /* Do key exchange only if the algorithm permits it */ if (state->gnutls_internals.auth_struct->gnutls_process_client_kx0 != NULL) { +#ifdef HANDSHAKE_DEBUG + fprintf(stderr, "Receiving client KX message0\n"); +#endif + ret = _gnutls_recv_handshake(cd, state, &data, &datasize, @@ -381,14 +379,15 @@ int _gnutls_send_certificate(SOCKET cd, GNUTLS_STATE state) int data_size = 0; int ret = 0; -#ifdef HARD_DEBUG - fprintf(stderr, "Sending certificate message\n"); -#endif - if (state->gnutls_internals.auth_struct->gnutls_generate_certificate==NULL) return 0; +#ifdef HANDSHAKE_DEBUG + fprintf(stderr, "Sending certificate message\n"); +#endif + + data_size = state->gnutls_internals.auth_struct->gnutls_generate_certificate( state->gnutls_key, &data); if (data_size < 0) { diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c index 5573385c28..3fa188b1b8 100644 --- a/lib/gnutls_pk.c +++ b/lib/gnutls_pk.c @@ -46,7 +46,7 @@ int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, gnutls_datum plaintext, if (plaintext.size > k - 11) { gnutls_assert(); - return GNUTLS_E_ENCRYPTION_FAILED; + return GNUTLS_E_PK_ENCRYPTION_FAILED; } edata = gnutls_malloc(k); @@ -82,7 +82,7 @@ int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, gnutls_datum plaintext, _pkey[0] = &n; _pkey[1] = &pkey; ret = _gnutls_pk_encrypt(GCRY_PK_RSA, &res, m, _pkey); - gcry_mpi_release(m); + _gnutls_mpi_release(&m); if (ret < 0) { gnutls_assert(); @@ -90,6 +90,7 @@ int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, gnutls_datum plaintext, } gcry_mpi_print(GCRYMPI_FMT_USG, NULL, &psize, res); + ciphertext->data = gnutls_malloc(psize); if (ciphertext->data == NULL) { gnutls_assert(); @@ -122,7 +123,7 @@ int _gnutls_pkcs1_rsa_decrypt(gnutls_datum * plaintext, gnutls_datum ciphertext, if (esize!=k) { gnutls_assert(); - return GNUTLS_E_DECRYPTION_FAILED; + return GNUTLS_E_PK_DECRYPTION_FAILED; } if (gcry_mpi_scan(&c, GCRYMPI_FMT_USG, ciphertext.data, &esize) != 0) { @@ -180,7 +181,7 @@ int _gnutls_pkcs1_rsa_decrypt(gnutls_datum * plaintext, gnutls_datum ciphertext, return GNUTLS_E_DECRYPTION_FAILED; } - if (gnutls_set_datum( plaintext, &edata[i], esize - i) < 0) { + if (gnutls_sset_datum( plaintext, &edata[i], esize - i) < 0) { gnutls_assert(); gnutls_free(edata); return GNUTLS_E_MEMORY_ERROR; diff --git a/src/pkix.asn b/src/pkix.asn index 34f6f84bff..aef812c57a 100644 --- a/src/pkix.asn +++ b/src/pkix.asn @@ -309,8 +309,8 @@ md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 } sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 } RSAPublicKey ::= SEQUENCE { - modulus INTEGER, -- n - publicExponent INTEGER -- e + modulus INTEGER, + publicExponent INTEGER } id-dsa-with-sha1 OBJECT IDENTIFIER ::= { |