author | Simon Josefsson <simon@josefsson.org> | 2007-10-17 15:43:15 +0200 |
---|---|---|
committer | Simon Josefsson <simon@josefsson.org> | 2007-10-17 15:43:15 +0200 |
commit | e81f0d050af347e7cf514e1ff2edfbf7b795cd9e (patch) | |
tree | 830a1176c189b83e30a39cee67486124c137e586 | |
parent | a9e6cd38295bede500d1912ba0c7656c29a16314 (diff) | |
download | gnutls-e81f0d050af347e7cf514e1ff2edfbf7b795cd9e.tar.gz |
Remove TLS authorization support.
-rw-r--r-- | NEWS | 7 | ||||
-rw-r--r-- | configure.in | 14 | ||||
-rw-r--r-- | doc/examples/Makefile.am | 4 | ||||
-rw-r--r-- | doc/examples/ex-client-authz.c | 185 | ||||
-rw-r--r-- | doc/examples/ex-serv-authz.c | 267 | ||||
-rw-r--r-- | doc/gnutls.texi | 27 | ||||
-rw-r--r-- | doc/reference/Makefile.am | 2 | ||||
-rw-r--r-- | includes/gnutls/compat.h | 39 | ||||
-rw-r--r-- | includes/gnutls/gnutls.h.in | 45 | ||||
-rw-r--r-- | lib/Makefile.am | 2 | ||||
-rw-r--r-- | lib/ext_authz.c | 614 | ||||
-rw-r--r-- | lib/ext_authz.h | 42 | ||||
-rw-r--r-- | lib/gnutls_extensions.c | 9 | ||||
-rw-r--r-- | lib/gnutls_int.h | 11 | ||||
-rw-r--r-- | lib/gnutls_supplemental.c | 5 | ||||
-rw-r--r-- | src/cli.c | 106 | ||||
-rw-r--r-- | src/cli.gaa | 6 | ||||
-rw-r--r-- | src/serv.c | 112 | ||||
-rw-r--r-- | src/serv.gaa | 6 |
19 files changed, 67 insertions, 1436 deletions
@@ -5,6 +5,13 @@ See the end for copying conditions. * Version 2.0.2 (unreleased) +** TLS authorization support removed. +This technique may be patented in the future, and it is not of crucial +importance for the Internet community. After deliberation we have +concluded that the best thing we can do in this situation is to +encourage society not to adopt this technique. We have decided to +lead the way with our own actions. + ** certtool: Fixed data corruption when using --outder. ** Fix configure-time Guile detection. diff --git a/configure.in b/configure.in index 3828ef1f2e..8142838028 100644 --- a/configure.in +++ b/configure.in @@ -409,20 +409,6 @@ else fi AM_CONDITIONAL(ENABLE_ANON, test "$ac_enable_anon" != "no") -AC_MSG_CHECKING([whether to disable authorization (tls-authz) support]) -AC_ARG_ENABLE(tls-authorization, - AS_HELP_STRING([--disable-tls-authorization], - [disable tls authorization support]), - ac_enable_authz=no) -if test x$ac_enable_authz != xno; then - AC_MSG_RESULT(no) - AC_DEFINE(ENABLE_AUTHZ, 1, [enable tls authorization]) -else - ac_full=0 - AC_MSG_RESULT(yes) -fi -AM_CONDITIONAL(ENABLE_AUTHZ, test "$ac_enable_authz" != "no") - AC_MSG_CHECKING([whether to disable extra PKI stuff]) AC_ARG_ENABLE(extra-pki, AS_HELP_STRING([--disable-extra-pki], diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am index 3d2b6223d3..cc61db0a11 100644 --- a/doc/examples/Makefile.am +++ b/doc/examples/Makefile.am @@ -43,10 +43,6 @@ if ENABLE_SRP noinst_PROGRAMS += ex-client-srp ex-serv-srp endif -if ENABLE_AUTHZ -noinst_PROGRAMS += ex-serv-authz ex-client-authz -endif - noinst_LTLIBRARIES = libexamples.la libexamples_la_SOURCES = ex-alert.c ex-pkcs12.c ex-rfc2818.c \ diff --git a/doc/examples/ex-client-authz.c b/doc/examples/ex-client-authz.c deleted file mode 100644 index 02e383164d..0000000000 --- a/doc/examples/ex-client-authz.c +++ /dev/null 
@@ -1,185 +0,0 @@ -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <arpa/inet.h> -#include <unistd.h> -#include <gnutls/gnutls.h> - -/* A basic TLS client, with X.509 authentication, and support for - the authorization extension. - */ - -#define MAX_BUF 1024 -#define CAFILE "ca.pem" -#define MSG "GET / HTTP/1.0\r\n\r\n" - -extern int tcp_connect (void); -extern void tcp_close (int sd); - -int server_authorized_p = 0; - -int -authz_recv_callback (gnutls_session_t session, - const int *authz_formats, - gnutls_datum_t *infos, - const int *hashtypes, - gnutls_datum_t *hash) -{ - size_t i, j; - - /* This function receives authorization data. */ - - for (i = 0; authz_formats[i]; i++) - { - printf ("- Received authorization data, format %02x of %d bytes\n", - authz_formats[i], infos[i].size); - - printf (" data: "); - for (j = 0; j < infos[i].size; j++) - printf ("%02x", infos[i].data[j]); - printf ("\n"); - - if (hash[i].size > 0) - { - printf (" hash: "); - for (j = 0; j < hash[i].size; j++) - printf ("%02x", hash[i].data[j]); - printf (" type %02x\n", hashtypes[i]); - } - } - - /* You would typically actually _validate_ the data here... if you - need access to authentication details, store the authorization - data and do the validation inside main(). */ - - server_authorized_p = 1; - - return 0; -} - -int -authz_send_callback (gnutls_session_t session, - const int *client_formats, - const int *server_formats) -{ - const char *str = "saml assertion"; - /* Send the authorization data here. client_formats and - server_formats contains a list of negotiated authorization - formats. 
*/ - return gnutls_authz_send_saml_assertion (session, str, sizeof (str)); -} - -int -main (void) -{ - int ret, sd, ii; - gnutls_session_t session; - char buffer[MAX_BUF + 1]; - gnutls_certificate_credentials_t xcred; - const int authz_client_formats[] = { - GNUTLS_AUTHZ_SAML_ASSERTION, - }; - const int authz_server_formats[] = { - GNUTLS_AUTHZ_X509_ATTR_CERT, - GNUTLS_AUTHZ_SAML_ASSERTION, - GNUTLS_AUTHZ_X509_ATTR_CERT_URL, - GNUTLS_AUTHZ_SAML_ASSERTION_URL - }; - - gnutls_global_init (); - - /* X509 stuff */ - gnutls_certificate_allocate_credentials (&xcred); - - /* sets the trusted cas file - */ - gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM); - - /* Initialize TLS session - */ - gnutls_init (&session, GNUTLS_CLIENT); - - /* Use default priorities */ - gnutls_set_default_priority (session); - - /* put the x509 credentials to the current session - */ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - /* connect to the peer - */ - sd = tcp_connect (); - - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); - - gnutls_authz_enable (session, authz_client_formats, authz_server_formats, - authz_recv_callback, authz_send_callback); - - /* Perform the TLS handshake - */ - ret = gnutls_handshake (session); - - if (ret < 0) - { - fprintf (stderr, "*** Handshake failed\n"); - gnutls_perror (ret); - goto end; - } - else - { - printf ("- Handshake was completed\n"); - } - - if (!server_authorized_p) - { - fprintf (stderr, "*** Not authorized, giving up...\n"); - ret = gnutls_alert_send (session, GNUTLS_AL_FATAL, - GNUTLS_A_ACCESS_DENIED); - if (ret < 0) - { - gnutls_perror (ret); - goto end; - } - } - - gnutls_record_send (session, MSG, strlen (MSG)); - - ret = gnutls_record_recv (session, buffer, MAX_BUF); - if (ret == 0) - { - printf ("- Peer has closed the TLS connection\n"); - goto end; - } - else if (ret < 0) - { - fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret)); - goto end; - } - - printf ("- 
Received %d bytes: ", ret); - for (ii = 0; ii < ret; ii++) - { - fputc (buffer[ii], stdout); - } - fputs ("\n", stdout); - - gnutls_bye (session, GNUTLS_SHUT_RDWR); - -end: - - tcp_close (sd); - - gnutls_deinit (session); - - gnutls_certificate_free_credentials (xcred); - - gnutls_global_deinit (); - - return 0; -} diff --git a/doc/examples/ex-serv-authz.c b/doc/examples/ex-serv-authz.c deleted file mode 100644 index 1e72010754..0000000000 --- a/doc/examples/ex-serv-authz.c +++ /dev/null 
@@ -1,267 +0,0 @@ -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <errno.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <arpa/inet.h> -#include <netinet/in.h> -#include <string.h> -#include <unistd.h> -#include <gnutls/gnutls.h> - -#define KEYFILE "key.pem" -#define CERTFILE "cert.pem" -#define CAFILE "ca.pem" -#define CRLFILE "crl.pem" - -/* This is a sample TLS 1.0 echo server, using X.509 authentication. - */ - - -#define SA struct sockaddr -#define SOCKET_ERR(err,s) if(err==-1) {perror(s);return(1);} -#define MAX_BUF 1024 -#define PORT 5556 /* listen to 5556 port */ -#define DH_BITS 1024 - -/* These are global */ -gnutls_certificate_credentials_t x509_cred; - -gnutls_session_t -initialize_tls_session (void) -{ - gnutls_session_t session; - - gnutls_init (&session, GNUTLS_SERVER); - - /* avoid calling all the priority functions, since the defaults - * are adequate. - */ - gnutls_set_default_priority (session); - - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred); - - /* request client certificate if any. - */ - gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); - - gnutls_dh_set_prime_bits (session, DH_BITS); - - return session; -} - -static gnutls_dh_params_t dh_params; - -static int -generate_dh_params (void) -{ - - /* Generate Diffie Hellman parameters - for use with DHE - * kx algorithms. These should be discarded and regenerated - * once a day, once a week or once a month. Depending on the - * security requirements. - */ - gnutls_dh_params_init (&dh_params); - gnutls_dh_params_generate2 (dh_params, DH_BITS); - - return 0; -} - -int server_authorized_p = 0; - -int -authz_recv_callback (gnutls_session_t session, - const int *authz_formats, - gnutls_datum_t *infos, - const int *hashtypes, - gnutls_datum_t *hash) -{ - size_t i, j; - - /* This function receives authorization data. 
*/ - - for (i = 0; authz_formats[i]; i++) - { - printf ("- Received authorization data, format %02x of %d bytes\n", - authz_formats[i], infos[i].size); - - printf (" data: "); - for (j = 0; j < infos[i].size; j++) - printf ("%02x", infos[i].data[j]); - printf ("\n"); - - if (hash[i].size > 0) - { - printf (" hash: "); - for (j = 0; j < hash[i].size; j++) - printf ("%02x", hash[i].data[j]); - printf (" type %02x\n", hashtypes[i]); - } - } - - /* You would typically actually _validate_ the data here... if you - need access to authentication details, store the authorization - data and do the validation inside main(). */ - - server_authorized_p = 1; - - return 0; -} - -int -authz_send_callback (gnutls_session_t session, - const int *client_formats, - const int *server_formats) -{ - const char *str = "saml assertion"; - /* Send the authorization data here. client_formats and - server_formats contains a list of negotiated authorization - formats. */ - return gnutls_authz_send_saml_assertion (session, str, sizeof (str)); -} - -int -main (void) -{ - int err, listen_sd, i; - int sd, ret; - struct sockaddr_in sa_serv; - struct sockaddr_in sa_cli; - int client_len; - char topbuf[512]; - gnutls_session_t session; - char buffer[MAX_BUF + 1]; - int optval = 1; - const int authz_server_formats[] = { - GNUTLS_AUTHZ_SAML_ASSERTION, - }; - const int authz_client_formats[] = { - GNUTLS_AUTHZ_X509_ATTR_CERT, - GNUTLS_AUTHZ_SAML_ASSERTION, - GNUTLS_AUTHZ_X509_ATTR_CERT_URL, - GNUTLS_AUTHZ_SAML_ASSERTION_URL - }; - - /* this must be called once in the program - */ - gnutls_global_init (); - - gnutls_certificate_allocate_credentials (&x509_cred); - gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE, - GNUTLS_X509_FMT_PEM); - - gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE, - GNUTLS_X509_FMT_PEM); - - gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE, - GNUTLS_X509_FMT_PEM); - - generate_dh_params (); - - gnutls_certificate_set_dh_params (x509_cred, 
dh_params); - - /* Socket operations - */ - listen_sd = socket (AF_INET, SOCK_STREAM, 0); - SOCKET_ERR (listen_sd, "socket"); - - memset (&sa_serv, '\0', sizeof (sa_serv)); - sa_serv.sin_family = AF_INET; - sa_serv.sin_addr.s_addr = INADDR_ANY; - sa_serv.sin_port = htons (PORT); /* Server Port number */ - - setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int)); - - err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); - SOCKET_ERR (err, "bind"); - err = listen (listen_sd, 1024); - SOCKET_ERR (err, "listen"); - - printf ("Server ready. Listening to port '%d'.\n\n", PORT); - - client_len = sizeof (sa_cli); - for (;;) - { - session = initialize_tls_session (); - - sd = accept (listen_sd, (SA *) & sa_cli, &client_len); - - printf ("- connection from %s, port %d\n", - inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, - sizeof (topbuf)), ntohs (sa_cli.sin_port)); - - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); - - gnutls_authz_enable (session, authz_client_formats, authz_server_formats, - authz_recv_callback, authz_send_callback); - - ret = gnutls_handshake (session); - if (ret < 0) - { - close (sd); - gnutls_deinit (session); - fprintf (stderr, "*** Handshake has failed (%s)\n\n", - gnutls_strerror (ret)); - continue; - } - - if (!server_authorized_p) - { - fprintf (stderr, "*** Not authorized, giving up...\n"); - ret = gnutls_alert_send (session, GNUTLS_AL_FATAL, - GNUTLS_A_ACCESS_DENIED); - if (ret < 0) - continue; - } - - printf ("- Handshake was completed\n"); - - /* see the Getting peer's information example */ - /* print_info(session); */ - - i = 0; - for (;;) - { - memset (buffer, 0, MAX_BUF + 1); - ret = gnutls_record_recv (session, buffer, MAX_BUF); - - if (ret == 0) - { - printf ("\n- Peer has closed the GNUTLS connection\n"); - break; - } - else if (ret < 0) - { - fprintf (stderr, "\n*** Received corrupted " - "data(%d). 
Closing the connection.\n\n", ret); - break; - } - else if (ret > 0) - { - /* echo data back to the client - */ - gnutls_record_send (session, buffer, strlen (buffer)); - } - } - printf ("\n"); - /* do not wait for the peer to close the connection. - */ - gnutls_bye (session, GNUTLS_SHUT_WR); - - close (sd); - gnutls_deinit (session); - - } - close (listen_sd); - - gnutls_certificate_free_credentials (x509_cred); - - gnutls_global_deinit (); - - return 0; - -} diff --git a/doc/gnutls.texi b/doc/gnutls.texi index f9755e9ba7..4c453ec47c 100644 --- a/doc/gnutls.texi +++ b/doc/gnutls.texi @@ -2243,15 +2243,6 @@ The following client is a simple client which uses the @verbatiminclude examples/ex-client-tlsia.c -@node Simple client example with authorization support -@subsection Simple Client Example with Authorization Support - -The following client require that the server sends authorization data, -and the client will send authorization data to the server as well. -For authentication, X.509 is used. - -@verbatiminclude examples/ex-client-authz.c - @node Helper function for TCP connections @subsection Helper Function for TCP Connections @@ -2321,14 +2312,6 @@ used to serve the example client for anonymous authentication. @verbatiminclude examples/ex-serv-anon.c -@node Echo Server with authorization support -@subsection Echo Server with Authorization Support - -This example server support authorization data, and can be used to -serve the example client with authorization support. - -@verbatiminclude examples/ex-serv-authz.c - @node Miscellaneous examples @section Miscellaneous Examples 
@@ -3714,8 +3697,8 @@ consider adding support for the hypothetical TLS extension @item Modify @code{configure.in} to add @code{--enable-foobar} or @code{--disable-foobar}. Which to chose depends on whether you intend to make the extension be -enabled by default. Look at existing checks (i.e., SRP, authz) for -how to model the code. +enabled by default. Look at existing checks (i.e., SRP) for how to +model the code. @item Add IANA extension value to @code{extensions_t} in @code{gnutls_int.h}. @@ -3820,9 +3803,9 @@ When adding the files, you'll need to add them to @code{Makefile.am} as well, for example: @example -if ENABLE_AUTHZ -COBJECTS += ext_authz.c -HFILES += ext_authz.h +if ENABLE_FOOBAR +COBJECTS += ext_foobar.c +HFILES += ext_foobar.h endif @end example diff --git a/doc/reference/Makefile.am b/doc/reference/Makefile.am index 20e5ae3eaf..ee51df269d 100644 --- a/doc/reference/Makefile.am +++ b/doc/reference/Makefile.am @@ -77,7 +77,7 @@ IGNORE_HFILES=debug.h gnutls_compress.h defines.h gnutls_cipher.h \ stream.h types.h \ \ gnutls_openpgp.h gnutlsxx.h gnutls_extra_hooks.h \ - gnutls_supplemental.h ext_authz.h + gnutls_supplemental.h # Images to copy into HTML directory. # e.g. HTML_IMAGES=$(top_srcdir)/gtk/stock-icons/stock_about_24.png diff --git a/includes/gnutls/compat.h b/includes/gnutls/compat.h index eab5442262..68d961efbd 100644 --- a/includes/gnutls/compat.h +++ b/includes/gnutls/compat.h 
@@ -54,4 +54,43 @@ #define gnutls_datum gnutls_datum_t #define gnutls_transport_ptr gnutls_transport_ptr_t +/* Prototypes for removed tls-authz code. */ +#define GNUTLS_SUPPLEMENTAL_AUTHZ_DATA 1 +typedef enum + { + GNUTLS_AUTHZ_X509_ATTR_CERT = 1, + GNUTLS_AUTHZ_SAML_ASSERTION = 2, + GNUTLS_AUTHZ_X509_ATTR_CERT_URL = 3, + GNUTLS_AUTHZ_SAML_ASSERTION_URL = 4 + } gnutls_authz_data_format_type_t; +typedef int (*gnutls_authz_recv_callback_func) (gnutls_session_t session, + const int *authz_formats, + gnutls_datum_t *infos, + const int *hashtypes, + gnutls_datum_t *hash); +typedef int (*gnutls_authz_send_callback_func) (gnutls_session_t session, + const int *client_formats, + const int *server_formats); +void gnutls_authz_enable (gnutls_session_t session, + const int *client_formats, + const int *server_formats, + gnutls_authz_recv_callback_func recv_callback, + gnutls_authz_send_callback_func send_callback); +int gnutls_authz_send_x509_attr_cert (gnutls_session_t session, + const char *data, + size_t len); +int gnutls_authz_send_saml_assertion (gnutls_session_t session, + const char *data, + size_t len); +int gnutls_authz_send_x509_attr_cert_url (gnutls_session_t session, + const char *url, + size_t urllen, + gnutls_mac_algorithm_t hash_type, + const char *hash); +int gnutls_authz_send_saml_assertion_url (gnutls_session_t session, + const char *url, + size_t urllen, + gnutls_mac_algorithm_t hash_type, + const char *hash); + #endif /* GCOMPAT_H */ diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in index e448a03ebd..72c90b59de 100644 --- a/includes/gnutls/gnutls.h.in +++ b/includes/gnutls/gnutls.h.in 
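Review bot: The prototypes added to compat.h carry only the heading `/* Prototypes for removed tls-authz code. */`, which does not tell a caller that the functions are now inert; the definitions of the four `gnutls_authz_send_*` functions visible in lib/ext_authz.c in this commit return GNUTLS_E_UNIMPLEMENTED_FEATURE unconditionally, and gnutls_authz_enable's new body is not on this page. An application built against this header can still compile and link a flow that assumes authorization data was exchanged, so the contract belongs next to the declarations: `/* TLS-authz was removed.  The gnutls_authz_send_* functions always return GNUTLS_E_UNIMPLEMENTED_FEATURE; callers must check the return value rather than assume data was sent. */`, extended with a sentence on gnutls_authz_enable once its new behaviour is confirmed. Separately, `GNUTLS_SUPPLEMENTAL_AUTHZ_DATA` is now a bare macro rather than a `gnutls_supplemental_data_format_type_t` enumerator, so passing it to gnutls_supplemental_get_name is no longer type-checked; a short note that it is kept for source compatibility only would help readers.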
@@ -451,55 +451,12 @@ extern "C" /* Supplemental data, RFC 4680. */ typedef enum { - GNUTLS_SUPPLEMENTAL_AUTHZ_DATA = 1 + GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA = 0 } gnutls_supplemental_data_format_type_t; const char *gnutls_supplemental_get_name (gnutls_supplemental_data_format_type_t type); - /* Authorization extensions, RFC xxxx. */ - typedef enum - { - /* Values incremented by one compared to the protocol, to be - able to use zero-terminated format lists. */ - GNUTLS_AUTHZ_X509_ATTR_CERT = 1, - GNUTLS_AUTHZ_SAML_ASSERTION = 2, - GNUTLS_AUTHZ_X509_ATTR_CERT_URL = 3, - GNUTLS_AUTHZ_SAML_ASSERTION_URL = 4 - } gnutls_authz_data_format_type_t; - - typedef int (*gnutls_authz_recv_callback_func) (gnutls_session_t session, - const int *authz_formats, - gnutls_datum_t *infos, - const int *hashtypes, - gnutls_datum_t *hash); - typedef int (*gnutls_authz_send_callback_func) (gnutls_session_t session, - const int *client_formats, - const int *server_formats); - - void gnutls_authz_enable (gnutls_session_t session, - const int *client_formats, - const int *server_formats, - gnutls_authz_recv_callback_func recv_callback, - gnutls_authz_send_callback_func send_callback); - - int gnutls_authz_send_x509_attr_cert (gnutls_session_t session, - const char *data, - size_t len); - int gnutls_authz_send_saml_assertion (gnutls_session_t session, - const char *data, - size_t len); - int gnutls_authz_send_x509_attr_cert_url (gnutls_session_t session, - const char *url, - size_t urllen, - gnutls_mac_algorithm_t hash_type, - const char *hash); - int gnutls_authz_send_saml_assertion_url (gnutls_session_t session, - const char *url, - size_t urllen, - gnutls_mac_algorithm_t hash_type, - const char *hash); - /* functions to set priority of cipher suites */ int gnutls_cipher_set_priority (gnutls_session_t session, const int *list); diff --git a/lib/Makefile.am b/lib/Makefile.am index b20abb621d..3fb50be657 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am 
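Review bot: The replacement enumerator `GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA = 0` has no comment saying what it is, and nothing in this commit implements it, so a reader cannot tell whether it is a supported type or a placeholder; the comment above it still reads `/* Supplemental data, RFC 4680. */`, which covers only the envelope. Suggest `GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA = 0 /* user_mapping_data(0), RFC 4681 */` so the value's origin is recorded. The value that used to live in this enum survives as the macro GNUTLS_SUPPLEMENTAL_AUTHZ_DATA (value 1) in compat.h, so gnutls_supplemental_get_name, changed in lib/gnutls_supplemental.c but not shown here, presumably needs to keep handling that input.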
@@ -95,7 +95,7 @@ HFILES = debug.h gnutls_compress.h defines.h gnutls_cipher.h \ ext_srp.h gnutls_srp.h auth_srp.h auth_srp_passwd.h \ gnutls_helper.h auth_psk.h auth_psk_passwd.h \ ext_inner_application.h gnutls_extra_hooks.h \ - gnutls_supplemental.h ext_authz.h + gnutls_supplemental.h # Separate so we can create the documentation diff --git a/lib/ext_authz.c b/lib/ext_authz.c index 30e1058116..0c2e606aed 100644 --- a/lib/ext_authz.c +++ b/lib/ext_authz.c 
@@ -22,504 +22,34 @@ */ /* - * This file implements the authz extensions in - * draft-housley-tls-authz-extns-07 using the supplemental handshake - * record type, which see RFC 4680 and gnutls_supplemental.c. + * This file used to implement TLS-authz as specified in + * draft-housley-tls-authz-extns-07. This technique may be patented + * in the future, and it is not of crucial importance for the Internet + * community. After deliberation we have concluded that the best + * thing we can do in this situation is to encourage society not to + * adopt this technique. We have decided to lead the way with our own + * actions. * - * There are three parts of this file. The first is the client hello - * and server hello extensions, which are used to negotiate use of - * supplemental authz data. If they successfully negotiate that the - * client will send some format(s) and/or the server will send some - * format(s), this will request that gnutls_handshake() invoke a - * supplemental phase in the corresponding direction. - * - * It may be possible that client authz data format type negotiation - * fails, but server authz data format type negotiation succeeds. In - * that case, only the server will send supplemental data, and the - * client will only expect to receive supplemental data. - * - * The second part is parsing and generating the authz supplemental - * data itself, by using the callbacks. - * - * The third part is the public APIs for use in the callbacks, and of - * course gnutls_authz_enable() to request that authz should be used. 
- */ +*/ #include "gnutls_int.h" -#include "gnutls_auth_int.h" -#include "gnutls_errors.h" -#include "gnutls_num.h" -#include <ext_authz.h> - -static int -format_in_list_p (unsigned char format, - const unsigned char *data, - size_t data_size) -{ - size_t i; - for (i = 0; i < data_size; i++) - if (format == data[i]) - return 1; - return 0; -} - -static int -recv_extension (gnutls_session_t session, - const opaque * data, - size_t data_size, - int *formats) -{ - size_t total_size; - const int *in = formats; - int *out = formats; - - if (data_size == 0) - { - gnutls_assert (); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } - - total_size = *data++; - data_size--; - - if (data_size != total_size) - { - gnutls_assert (); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } - - while (*in) - if (format_in_list_p (*in - 1, data, data_size)) - { - _gnutls_debug_log ("EXT[%x]: Keeping authz format %02x\n", - session, *in); - *out++ = *in++; - } - else - { - _gnutls_debug_log ("EXT[%x]: Disabling authz format %02x\n", - session, *in); - in++; - } - *out = 0; - - return 0; -} - -static int -send_extension (gnutls_session_t session, - opaque * data, - size_t _data_size, - int *authz_formats) -{ - ssize_t data_size = _data_size; - size_t total_size; - opaque *sizepos; - - if (!authz_formats[0]) - return 0; - - /* Make room for size. 
*/ - DECR_LENGTH_RET (data_size, 1, GNUTLS_E_SHORT_MEMORY_BUFFER); - sizepos = data++; - - for (total_size = 0; authz_formats[total_size]; total_size++) - { - _gnutls_debug_log ("EXT[%x]: Sending authz format %02x\n", - session, authz_formats[total_size]); - DECR_LENGTH_RET (data_size, 1, GNUTLS_E_SHORT_MEMORY_BUFFER); - *data++ = authz_formats[total_size] - 1; - } - - *sizepos = total_size; - - return 1 + total_size; -} - -int -_gnutls_authz_ext_client_recv_params (gnutls_session_t session, - const opaque * data, - size_t data_size) -{ - int *client_formats = - session->security_parameters.extensions.authz_client_formats; - int ret; - - ret = recv_extension (session, data, data_size, client_formats); - if (ret < 0) - return ret; - - if (*client_formats) - { - if (session->security_parameters.entity == GNUTLS_CLIENT) - { - _gnutls_debug_log ("EXT[%x]: Will send supplemental data\n", - session); - session->security_parameters.extensions.do_send_supplemental = 1; - } - else - session->security_parameters.extensions.authz_recvd_client = 1; - } - - return 0; -} int -_gnutls_authz_ext_client_send_params (gnutls_session_t session, - opaque * data, - size_t _data_size) -{ - int *client_formats = - session->security_parameters.extensions.authz_client_formats; - int ret; - - /* Should we be sending this? 
*/ - if (session->security_parameters.entity == GNUTLS_SERVER - && !session->security_parameters.extensions.authz_recvd_client) - { - gnutls_assert (); - return 0; - } - - ret = send_extension (session, data, _data_size, client_formats); - - if (session->security_parameters.entity == GNUTLS_SERVER && ret > 0) - { - _gnutls_debug_log ("EXT[%x]: Will expect supplemental data\n", - session); - session->security_parameters.extensions.do_recv_supplemental = 1; - } - - return ret; -} - -int -_gnutls_authz_ext_server_recv_params (gnutls_session_t session, - const opaque * data, - size_t data_size) -{ - int *server_formats = - session->security_parameters.extensions.authz_server_formats; - int ret; - - ret = recv_extension (session, data, data_size, server_formats); - if (ret < 0) - return ret; - - if (*server_formats) - { - if (session->security_parameters.entity == GNUTLS_CLIENT) - { - _gnutls_debug_log ("EXT[%x]: Will expect supplemental data\n", - session); - session->security_parameters.extensions.do_recv_supplemental = 1; - } - else - session->security_parameters.extensions.authz_recvd_server = 1; - } - - return 0; -} - -int -_gnutls_authz_ext_server_send_params (gnutls_session_t session, - opaque * data, - size_t _data_size) -{ - int *server_formats = - session->security_parameters.extensions.authz_server_formats; - int ret; - - /* Should we be sending this? 
*/ - if (session->security_parameters.entity == GNUTLS_SERVER - && !session->security_parameters.extensions.authz_recvd_server) - { - gnutls_assert (); - return 0; - } - - ret = send_extension (session, data, _data_size, server_formats); - - if (session->security_parameters.entity == GNUTLS_SERVER && ret > 0) - { - _gnutls_debug_log ("EXT[%x]: Will send supplemental data\n", - session); - session->security_parameters.extensions.do_send_supplemental = 1; - } - - return ret; -} - -int -_gnutls_authz_supp_recv_params (gnutls_session_t session, - const opaque * data, - size_t data_size) -{ - int authz_formats[MAX_AUTHZ_FORMATS + 1]; - gnutls_datum_t info[MAX_AUTHZ_FORMATS]; - gnutls_datum_t hash[MAX_AUTHZ_FORMATS]; - int hashtype[MAX_AUTHZ_FORMATS]; - ssize_t dsize = data_size; - const opaque *p = data; - size_t i; - gnutls_authz_recv_callback_func callback = - session->security_parameters.extensions.authz_recv_callback; - - if (!callback) - { - gnutls_assert (); - return 0; - } - - /* XXX Will there be more than one data item for each authz format? - If so, we can't know the maximum size of the list of authz data, - so replace the static arrays with dynamically allocated lists. - Let's worry about that when someone reports it. 
*/ - - i = 0; - do - { - DECR_LEN (dsize, 2); - authz_formats[i] = _gnutls_read_uint16 (p) + 1; - p += 2; - - _gnutls_debug_log ("EXT[%x]: authz_format[%d]=%02x\n", - session, i, authz_formats[i]); - - DECR_LEN (dsize, 2); - info[i].size = _gnutls_read_uint16 (p); - p += 2; - - _gnutls_debug_log ("EXT[%x]: data[%d]=%d bytes\n", - session, i, info[i].size); - - info[i].data = p; - - DECR_LEN (dsize, info[i].size); - p += info[i].size; - - if (authz_formats[i] == GNUTLS_AUTHZ_X509_ATTR_CERT_URL - || authz_formats[i] == GNUTLS_AUTHZ_SAML_ASSERTION_URL) - { - DECR_LEN (dsize, 1); - _gnutls_debug_log ("EXT[%x]: hashtype[%d]=%02x\n", - session, i, *p); - if (*p == '\x00') - hashtype[i] = GNUTLS_MAC_SHA1; - else if (*p == '\x01') - hashtype[i] = GNUTLS_MAC_SHA256; - else - { - gnutls_assert (); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } - p++; - - hash[i].data = p; - hash[i].size = _gnutls_hash_get_algo_len (hashtype[i]); - - _gnutls_debug_log ("EXT[%x]: hash[%d]=%d\n", - session, i, hash[i].size); - - DECR_LEN (dsize, hash[i].size); - p += hash[i].size; - } - else - { - hashtype[i] = 0; - hash[i].data = NULL; - hash[i].size = 0; - } - - i++; - - if (i == MAX_AUTHZ_FORMATS) - { - gnutls_assert (); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - } - while (dsize > 0); - - authz_formats[i] = 0; - - return callback (session, authz_formats, info, hashtype, hash); -} - -int -_gnutls_authz_supp_send_params (gnutls_session_t session, - gnutls_buffer *buf) -{ - int *server_formats = - session->security_parameters.extensions.authz_server_formats; - int *client_formats = - session->security_parameters.extensions.authz_client_formats; - gnutls_authz_send_callback_func callback = - session->security_parameters.extensions.authz_send_callback; - gnutls_buffer *authz_buf = - &session->security_parameters.extensions.authz_data; - int ret; - - if (!callback) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - _gnutls_buffer_init (authz_buf); - - ret = callback (session, 
client_formats, server_formats); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_buffer_append (buf, authz_buf->data, authz_buf->length); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - _gnutls_buffer_clear (authz_buf); - - return ret; -} - -static int -add_data (gnutls_session_t session, - const char *data, - size_t len, - gnutls_authz_data_format_type_t format, - gnutls_mac_algorithm_t hash_type, - const char *hash) -{ - gnutls_buffer *buffer = &session->security_parameters.extensions.authz_data; - size_t hash_len = hash ? _gnutls_hash_get_algo_len (hash_type) : 0; - unsigned char str[4]; - int ret; - - if (len + 4 > 0xFFFF) - { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (hash && hash_type != GNUTLS_MAC_SHA256 && hash_type != GNUTLS_MAC_SHA1) - { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - str[0] = '\x00'; - str[1] = format - 1; - - str[2] = (len >> 8) & 0xFF; - str[3] = len & 0xFF; - - ret = _gnutls_buffer_append (buffer, str, 4); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_buffer_append (buffer, data, len); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - if (hash) - { - if (hash_type == GNUTLS_MAC_SHA1) - str[0] = '\x00'; - else if (hash_type == GNUTLS_MAC_SHA256) - str[0] = '\x01'; - - ret = _gnutls_buffer_append (buffer, str, 1); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_buffer_append (buffer, hash, hash_len); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - } - - return 0; -} - -/** - * gnutls_authz_send_x509_attr_cert: - * @session: is a #gnutls_session_t structure. - * @data: buffer with a X.509 attribute certificate. - * @len: length of buffer. - * - * Send a X.509 attribute certificate as authorization data. This - * function may only be called inside a @send_callback set by - * gnutls_authz_enable(). - * - * Returns: Returns 0 on success, or an error code on failures. 
If - * the supplied data was too long (the authorization extension only - * support 64kb large attribute certificates), - * %GNUTLS_E_INVALID_REQUEST is returned. - **/ -int gnutls_authz_send_x509_attr_cert (gnutls_session_t session, const char *data, size_t len) { - return add_data (session, data, len, GNUTLS_AUTHZ_X509_ATTR_CERT, 0, NULL); + return GNUTLS_E_UNIMPLEMENTED_FEATURE; } -/** - * gnutls_authz_send_saml_assertion: - * @session: is a #gnutls_session_t structure. - * @data: buffer with a SAML assertion. - * @len: length of buffer. - * - * Send a SAML assertion as authorization data. This function may - * only be called inside a @send_callback set by - * gnutls_authz_enable(). - * - * Returns: Returns 0 on success, or an error code on failures. If - * the supplied data was too long (the authorization extension only - * support 64kb large SAML assertions), %GNUTLS_E_INVALID_REQUEST is - * returned. - **/ int gnutls_authz_send_saml_assertion (gnutls_session_t session, const char *data, size_t len) { - return add_data (session, data, len, GNUTLS_AUTHZ_SAML_ASSERTION, 0, NULL); + return GNUTLS_E_UNIMPLEMENTED_FEATURE; } -/** - * gnutls_authz_send_x509_attr_cert_url: - * @session: is a #gnutls_session_t structure. - * @url: buffer with a URL pointing to X.509 attribute certificate. - * @urllen: length of buffer. - * @hash_type: type of hash in @hash. - * @hash: buffer with hash of URL target. - * - * Send a URL to an X.509 attribute certificate as authorization data, - * including a hash used to make sure the retrieved data was the - * intended data. This function may only be called inside a - * @send_callback set by gnutls_authz_enable(). - * - * Returns: Returns 0 on success, or an error code on failures. If - * the supplied data was too long (the authorization extension only - * support 64kb large URLs), %GNUTLS_E_INVALID_REQUEST is returned. - **/ int gnutls_authz_send_x509_attr_cert_url (gnutls_session_t session, const char *url, 
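Review bot: The stubbed bodies of gnutls_authz_send_x509_attr_cert and gnutls_authz_send_saml_assertion (and the two `_url` variants in the next two hunks) return GNUTLS_E_UNIMPLEMENTED_FEATURE with no comment, and the old Doxygen blocks were deleted rather than updated, so the only explanation of why four exported functions do nothing is the new file-header comment, which states policy but not the contract. A one-line comment above each would do: `/* TLS-authz was removed; kept only so existing callers still link.  Always fails. */`. The remaining `#include "gnutls_int.h"` is the only include left; if it does not reach <gnutls/compat.h>, where the prototypes now live, these definitions compile without a prototype in scope and a signature drift against compat.h would go unnoticed — worth confirming, or including compat.h here directly. gnutls_authz_enable's new body lies outside the visible hunks.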
@@ -527,27 +57,9 @@ gnutls_authz_send_x509_attr_cert_url (gnutls_session_t session, gnutls_mac_algorithm_t hash_type, const char *hash) { - return add_data (session, url, urllen, GNUTLS_AUTHZ_X509_ATTR_CERT_URL, - hash_type, hash); + return GNUTLS_E_UNIMPLEMENTED_FEATURE; } -/** - * gnutls_authz_send_saml_assertion_url: - * @session: is a #gnutls_session_t structure. - * @url: buffer with a URL pointing to a SAML assertion. - * @urllen: length of buffer. - * @hash_type: type of hash in @hash. - * @hash: buffer with hash of URL target. - * - * Send a URL to a SAML assertion as authorization data, including a - * hash used to make sure the retrieved data was the intended data. - * This function may only be called inside a @send_callback set by - * gnutls_authz_enable(). - * - * Returns: Returns 0 on success, or an error code on failures. If - * the supplied data was too long (the authorization extension only - * support 64kb large URLs), %GNUTLS_E_INVALID_REQUEST is returned. - **/ int gnutls_authz_send_saml_assertion_url (gnutls_session_t session, const char *url, 
@@ -555,83 +67,9 @@ gnutls_authz_send_saml_assertion_url (gnutls_session_t session, gnutls_mac_algorithm_t hash_type, const char *hash) { - return add_data (session, url, urllen, GNUTLS_AUTHZ_X509_ATTR_CERT_URL, - hash_type, hash); + return GNUTLS_E_UNIMPLEMENTED_FEATURE; } -/** - * gnutls_authz_enable: - * @session: is a #gnutls_session_t structure. - * @client_formats: zero-terminated list of - * #gnutls_authz_data_format_type_t elements with authorization - * data formats. - * @server_formats: zero-terminated list of - * #gnutls_authz_data_format_type_t elements with authorization - * data formats. - * @recv_callback: your callback function which will receive - * authz information when it is received. - * @send_callback: your callback function which is responsible for - * generating authorization data to send. - * - * Indicate willingness to send and receive authorization data, and - * which formats. - * - * For clients, @client_formats indicate which formats the client is - * willing to send, and @server_formats indicate which formats the - * client can receive. - * - * For servers, @client_formats indicate which formats the server is - * willing to accept from the client, and @server_formats indicate - * which formats the server is willing to send. Before the list is - * sent to the client, the formats which the client do not support are - * removed. If no supported formats remains, either or both of the - * extensions will not be sent. - * - * The @send_callback is invoked during the handshake if negotiation - * of the authorization extension was successful. The function - * prototype is: - * - * int (*gnutls_authz_send_callback_func) (gnutls_session_t @session, - * const int *@client_formats, const int *@server_formats); - * - * The @client_format contains a list of successfully negotiated - * formats which the client may send data for to the server. 
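Review bot: gnutls_authz_send_x509_attr_cert_url stays an exported function but loses its gtk-doc block together with its body, so the stub that now returns GNUTLS_E_UNIMPLEMENTED_FEATURE carries no statement that it is a deliberate no-op, and the reference manual (doc/reference is touched by this commit) presumably loses the entry as well. I would keep a comment above the function: `/* Compatibility stub: TLS authorization support has been removed. Nothing is sent; always returns GNUTLS_E_UNIMPLEMENTED_FEATURE. */`. All five parameters are now unused, so a `(void) session; (void) url; (void) urllen; (void) hash_type; (void) hash;` line keeps -Wunused-parameter builds quiet. The function's signature begins before this hunk's header.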
The - * @server_formats contains a list of successfully neogitated formats - * which the server may send data for to the client. The callback is - * supposed to invoke gnutls_authz_send_x509_attr_cert(), - * gnutls_authz_send_saml_assertion(), - * gnutls_authz_send_x509_attr_cert_url(), or - * gnutls_authz_send_saml_assertion_url() for the data it wishes to - * send, passing along the @session parameter, and the data. The - * @client_format function should return 0 on success, or an error - * code, which may be used to abort the handshake on failures. - * - * The @recv_callback is invoked during the handshake when - * authorization data is received. The prototype of the callback - * should be: - * - * int (*gnutls_authz_recv_callback_func) (gnutls_session_t session, - * const char *authz_formats, gnutls_datum_t *datums); - * - * The @authz_formats contains a list of formats for which data where - * received. The data for each format is stored in the @datums array, - * where the data associated with the @authz_formats[0] format is - * stored in @datums[0]. The function should return 0 on success, but - * may return an error, which may cause the handshake to abort. - * - * Note that there is no guarantee that @send_callback or - * @recv_callback is invoked just because gnutls_authz_enable was - * invoked. Whether the callbacks are invoked depend on whether - * negotiation of the extension succeeds. Therefor, if verification - * of authorization data is done by the @recv_callback, care should be - * made that if the callback is never invoked, it is not interpretetd - * as successful authorization verification. It is suggested to add - * some logic check whether authorization data was successfully - * verified after the call to gnutls_handshake(). That logic could - * shut down the connection if the authorization data is insufficient. - * - * This function have no effect if it is called during a handshake. 
- **/ void gnutls_authz_enable (gnutls_session_t session, const int *client_formats, @@ -639,31 +77,5 @@ gnutls_authz_enable (gnutls_session_t session, gnutls_authz_recv_callback_func recv_callback, gnutls_authz_send_callback_func send_callback) { - int *session_client_formats = - session->security_parameters.extensions.authz_client_formats; - int *session_server_formats = - session->security_parameters.extensions.authz_server_formats; - size_t i; - - if (session->internals.handshake_state != STATE0) - return; - - for (i = 0; client_formats[i]; i++) - if (i < MAX_AUTHZ_FORMATS) - session_client_formats[i] = client_formats[i]; - if (i < MAX_AUTHZ_FORMATS) - session_client_formats[i] = 0; - else - session_client_formats[MAX_AUTHZ_FORMATS] = 0; - - for (i = 0; server_formats[i]; i++) - if (i < MAX_AUTHZ_FORMATS) - session_server_formats[i] = server_formats[i]; - if (i < MAX_AUTHZ_FORMATS) - session_server_formats[i] = 0; - else - session_server_formats[MAX_AUTHZ_FORMATS] = 0; - - session->security_parameters.extensions.authz_recv_callback = recv_callback; - session->security_parameters.extensions.authz_send_callback = send_callback; + return GNUTLS_E_UNIMPLEMENTED_FEATURE; } diff --git a/lib/ext_authz.h b/lib/ext_authz.h deleted file mode 100644 index 95624f539d..0000000000 --- a/lib/ext_authz.h +++ /dev/null 
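Review bot: The deleted gnutls_authz_enable documentation was the only place warning that a never-invoked recv_callback must not be read as successful authorization, and with the stubbed implementation that situation is now the only one that can occur, yet the surviving `void gnutls_authz_enable (` context line in this hunk gets no replacement comment. An application written against the old API that relies on recv_callback to verify authorization data will have it silently never called; I would add above the declaration: `/* Compatibility stub: TLS authorization support has been removed. The callbacks are never invoked and no authz extension is negotiated; callers must not treat a silent handshake as verified authorization. */`. The gnutls_authz_send_saml_assertion_url stub in this hunk likewise has no comment stating that url, hash_type and hash are ignored; its signature begins before the hunk header.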
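Review bot: `return GNUTLS_E_UNIMPLEMENTED_FEATURE;` is placed in gnutls_authz_enable, which the context lines at the top of this hunk show is declared `void`; a return with a value in a void function is a C constraint violation, gcc reports "'return' with a value, in function returning void" and any -Werror build of lib/ext_authz.c fails. Either make the stub `return;`, or, if callers should be able to detect that the feature is gone, change the declaration to return `int` in includes/gnutls/gnutls.h.in (outside this hunk) so the error code is actually observable. With a void stub the only signal an application gets is that its recv/send callbacks are never called, which is exactly the case the removed documentation warned must not be mistaken for successful authorization.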
@@ -1,42 +0,0 @@ -/* - * Copyright (C) 2007 Free Software Foundation - * Author: Simon Josefsson - * - * This file is part of GNUTLS. - * - * The GNUTLS library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public License - * as published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, - * USA - * - */ - -int _gnutls_authz_ext_client_recv_params (gnutls_session_t session, - const opaque * data, - size_t _data_size); -int _gnutls_authz_ext_client_send_params (gnutls_session_t session, - opaque * data, - size_t _data_size); - -int _gnutls_authz_ext_server_recv_params (gnutls_session_t session, - const opaque * data, - size_t _data_size); -int _gnutls_authz_ext_server_send_params (gnutls_session_t session, - opaque * data, - size_t _data_size); - -int _gnutls_authz_supp_recv_params (gnutls_session_t session, - const opaque * data, - size_t data_size); -int _gnutls_authz_supp_send_params (gnutls_session_t session, - gnutls_buffer *buf); diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c index bb6a64d49a..4eebabecb3 100644 --- a/lib/gnutls_extensions.c +++ b/lib/gnutls_extensions.c @@ -35,7 +35,6 @@ #include <ext_server_name.h> #include <ext_srp.h> #include <ext_inner_application.h> -#include <ext_authz.h> #include <gnutls_num.h> /* Key Exchange Section */ 
@@ -50,14 +49,6 @@ gnutls_extension_entry _gnutls_extensions[MAX_EXT_SIZE] = { GNUTLS_EXTENSION_ENTRY (GNUTLS_EXTENSION_MAX_RECORD_SIZE, _gnutls_max_record_recv_params, _gnutls_max_record_send_params), -#ifdef ENABLE_AUTHZ - GNUTLS_EXTENSION_ENTRY (GNUTLS_EXTENSION_AUTHZ_CLIENT, - _gnutls_authz_ext_client_recv_params, - _gnutls_authz_ext_client_send_params), - GNUTLS_EXTENSION_ENTRY (GNUTLS_EXTENSION_AUTHZ_SERVER, - _gnutls_authz_ext_server_recv_params, - _gnutls_authz_ext_server_send_params), -#endif GNUTLS_EXTENSION_ENTRY (GNUTLS_EXTENSION_CERT_TYPE, _gnutls_cert_type_recv_params, _gnutls_cert_type_send_params), diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 3e6ef39575..69156c0161 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -141,8 +141,6 @@ typedef enum handshake_state_t typedef enum extensions_t { GNUTLS_EXTENSION_SERVER_NAME = 0, GNUTLS_EXTENSION_MAX_RECORD_SIZE = 1, - GNUTLS_EXTENSION_AUTHZ_CLIENT = 7, - GNUTLS_EXTENSION_AUTHZ_SERVER = 8, GNUTLS_EXTENSION_CERT_TYPE = 9, GNUTLS_EXTENSION_SRP = 12, GNUTLS_EXTENSION_INNER_APPLICATION = 37703 @@ -260,7 +258,6 @@ typedef struct } server_name_st; #define MAX_SERVER_NAME_EXTENSIONS 3 -#define MAX_AUTHZ_FORMATS 5 typedef struct { @@ -276,14 +273,6 @@ typedef struct /* Used by extensions that enable supplemental data. */ int do_recv_supplemental, do_send_supplemental; - - /* Authz extension data. */ - int authz_recvd_client, authz_recvd_server; - int authz_client_formats[MAX_AUTHZ_FORMATS + 1]; - int authz_server_formats[MAX_AUTHZ_FORMATS + 1]; - gnutls_authz_recv_callback_func authz_recv_callback; - gnutls_authz_send_callback_func authz_send_callback; - gnutls_buffer authz_data; } tls_ext_st; /* auth_info_t structures now MAY contain malloced diff --git a/lib/gnutls_supplemental.c b/lib/gnutls_supplemental.c index 13ae5bf7da..945582759f 100644 --- a/lib/gnutls_supplemental.c +++ b/lib/gnutls_supplemental.c 
@@ -49,7 +49,6 @@ #include "gnutls_supplemental.h" #include "gnutls_errors.h" #include "gnutls_num.h" -#include "ext_authz.h" typedef int (*supp_recv_func) (gnutls_session_t session, const opaque *data, @@ -66,10 +65,6 @@ typedef struct } gnutls_supplemental_entry; gnutls_supplemental_entry _gnutls_supplemental[] = { - { "authz_data", - GNUTLS_SUPPLEMENTAL_AUTHZ_DATA, - _gnutls_authz_supp_recv_params, - _gnutls_authz_supp_send_params }, { 0, 0, 0, 0 } }; @@ -99,19 +99,6 @@ static int comp_priority[PRI_MAX]; static int mac_priority[PRI_MAX]; static int cert_type_priority[PRI_MAX]; -#ifdef ENABLE_AUTHZ - -static int authz_client_formats[PRI_MAX]; -static int authz_server_formats[PRI_MAX] = { - GNUTLS_AUTHZ_X509_ATTR_CERT, - GNUTLS_AUTHZ_X509_ATTR_CERT_URL, - GNUTLS_AUTHZ_SAML_ASSERTION, - GNUTLS_AUTHZ_SAML_ASSERTION_URL, - 0 -}; - -#endif - /* end of global stuff */ /* prototypes */ 
@@ -382,94 +369,6 @@ cert_callback (gnutls_session_t session, } -#ifdef ENABLE_AUTHZ - -int -authz_send_callback (gnutls_session_t session, - const int *client_formats, - const int *server_formats) -{ - size_t i; - int ret; - - printf ("- Server authorization formats: "); - for (i = 0; server_formats[i]; i++) - printf ("%d ", server_formats[i]); - printf ("\n"); - - for (i = 0; client_formats[i]; i++) - { - if (client_formats[i] == GNUTLS_AUTHZ_X509_ATTR_CERT - && info.authz_x509_attr_cert) - { - size_t x509ac_len; - const char *x509ac = read_binary_file (info.authz_x509_attr_cert, - &x509ac_len); - if (!x509ac) - error (EXIT_FAILURE, errno, "%s", info.authz_x509_attr_cert); - - printf (" Sending X.509 Attribute Certificate\n"); - - ret = gnutls_authz_send_x509_attr_cert (session, - x509ac, x509ac_len); - if (ret < 0) - return ret; - } - - if (client_formats[i] == GNUTLS_AUTHZ_SAML_ASSERTION - && info.authz_saml_assertion) - { - size_t samlass_len; - const char *samlass = read_binary_file (info.authz_saml_assertion, - &samlass_len); - if (!samlass) - error (EXIT_FAILURE, errno, "%s", info.authz_saml_assertion); - - printf (" Sending SAML assertion\n"); - - ret = gnutls_authz_send_saml_assertion (session, - samlass, samlass_len); - if (ret < 0) - return ret; - } - } - - return 0; -} - -int -authz_recv_callback (gnutls_session_t session, - const int *authz_formats, - gnutls_datum_t *infos, - const int *hashtypes, - gnutls_datum_t *hash) -{ - size_t i, j; - - for (i = 0; authz_formats[i]; i++) - { - printf ("- Received authorization data, format %02x of %d bytes\n", - authz_formats[i], infos[i].size); - - printf (" data: "); - for (j = 0; j < infos[i].size; j++) - printf ("%02x", infos[i].data[j]); - printf ("\n"); - - if (hash[i].size > 0) - { - printf (" hash: "); - for (j = 0; j < hash[i].size; j++) - printf ("%02x", hash[i].data[j]); - printf (" type %02x\n", hashtypes[i]); - } - } - - return 0; -} - -#endif - /* initializes a gnutls_session_t with some defaults. 
*/ static gnutls_session_t @@ -531,11 +430,6 @@ init_tls_session (const char *hostname) } } -#ifdef ENABLE_AUTHZ - gnutls_authz_enable (session, authz_client_formats, authz_server_formats, - authz_recv_callback, authz_send_callback); -#endif - return session; } diff --git a/src/cli.gaa b/src/cli.gaa index 64b5394fef..80ab0bbe5c 100644 --- a/src/cli.gaa +++ b/src/cli.gaa @@ -104,12 +104,6 @@ option (pskusername) STR "NAME" { $psk_username = $1 } "PSK username to use." #char *psk_key; option (pskkey) STR "KEY" { $psk_key = $1 } "PSK key (in hex) to use." -#char *authz_x509_attr_cert; -option (authz-x509-attr-cert) STR "FILE" { $authz_x509_attr_cert = $1 } "Use X.509 Attribute Certificate in FILE as authorization data." - -#char *authz_saml_assertion; -option (authz-saml-assertion) STR "FILE" { $authz_saml_assertion = $1 } "Use SAML Assertion in FILE as authorization data." - #char *port; option (p, port) STR "PORT" { $port = $1 } "The port to connect to." diff --git a/src/serv.c b/src/serv.c index 96bce50df9..9e746cc772 100644 --- a/src/serv.c +++ b/src/serv.c 
@@ -337,103 +337,6 @@ static int comp_priority[PRI_MAX]; static int mac_priority[PRI_MAX]; static int cert_type_priority[PRI_MAX]; -#ifdef ENABLE_AUTHZ -static int authz_server_formats[PRI_MAX] = { - 0 -}; -static int authz_client_formats[PRI_MAX] = { - GNUTLS_AUTHZ_X509_ATTR_CERT, - GNUTLS_AUTHZ_SAML_ASSERTION, - GNUTLS_AUTHZ_X509_ATTR_CERT_URL, - GNUTLS_AUTHZ_SAML_ASSERTION_URL, - 0 -}; - -int -authz_send_callback (gnutls_session_t session, - const int *client_formats, - const int *server_formats) -{ - size_t i; - int ret; - - printf ("- Client authorization formats: "); - for (i = 0; client_formats[i]; i++) - printf ("%d ", client_formats[i]); - printf ("\n"); - - for (i = 0; server_formats[i]; i++) - { - if (server_formats[i] == GNUTLS_AUTHZ_X509_ATTR_CERT - && info.authz_x509_attr_cert) - { - size_t x509ac_len; - const char *x509ac = read_binary_file (info.authz_x509_attr_cert, - &x509ac_len); - if (!x509ac) - error (EXIT_FAILURE, errno, "%s", info.authz_x509_attr_cert); - - printf (" Sending X.509 Attribute Certificate\n"); - - ret = gnutls_authz_send_x509_attr_cert (session, - x509ac, x509ac_len); - if (ret < 0) - return ret; - } - - if (server_formats[i] == GNUTLS_AUTHZ_SAML_ASSERTION - && info.authz_saml_assertion) - { - size_t samlass_len; - const char *samlass = read_binary_file (info.authz_saml_assertion, - &samlass_len); - if (!samlass) - error (EXIT_FAILURE, errno, "%s", info.authz_saml_assertion); - - printf (" Sending SAML assertion\n"); - - ret = gnutls_authz_send_saml_assertion (session, - samlass, samlass_len); - if (ret < 0) - return ret; - } - } - - return 0; -} - -int -authz_recv_callback (gnutls_session_t session, - const int *authz_formats, - gnutls_datum_t *infos, - const int *hashtypes, - gnutls_datum_t *hash) -{ - size_t i, j; - - for (i = 0; authz_formats[i]; i++) - { - printf ("- Received authorization data, format %02x of %d bytes\n", - authz_formats[i], infos[i].size); - - printf (" data: "); - for (j = 0; j < infos[i].size; j++) - 
printf ("%02x", infos[i].data[j]); - printf ("\n"); - - if (hash[i].size > 0) - { - printf (" hash: "); - for (j = 0; j < hash[i].size; j++) - printf ("%02x", hash[i].data[j]); - printf (" type %02x\n", hashtypes[i]); - } - } - - return 0; -} -#endif - gnutls_session_t initialize_session (void) { @@ -488,11 +391,6 @@ initialize_session (void) gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); } -#ifdef ENABLE_AUTHZ - gnutls_authz_enable (session, authz_client_formats, authz_server_formats, - authz_recv_callback, authz_send_callback); -#endif - return session; } @@ -1462,16 +1360,6 @@ gaa_parser (int argc, char **argv) parse_ctypes (info.ctype, info.nctype, cert_type_priority); parse_kx (info.kx, info.nkx, kx_priority); parse_comp (info.comp, info.ncomp, comp_priority); - -#ifdef ENABLE_AUTHZ - { - size_t authz_idx = 0; - if (info.authz_x509_attr_cert) - authz_server_formats[authz_idx++] = GNUTLS_AUTHZ_X509_ATTR_CERT; - if (info.authz_saml_assertion) - authz_server_formats[authz_idx++] = GNUTLS_AUTHZ_SAML_ASSERTION; - } -#endif } void diff --git a/src/serv.gaa b/src/serv.gaa index 6d7dd5610a..b1a39595d2 100644 --- a/src/serv.gaa +++ b/src/serv.gaa @@ -79,12 +79,6 @@ option (srppasswd) STR "FILE" { $srp_passwd = $1 } "SRP password file to use." #char *srp_passwd_conf; option (srppasswdconf) STR "FILE" { $srp_passwd_conf = $1 } "SRP password conf file to use." -#char *authz_x509_attr_cert; -option (authz-x509-attr-cert) STR "FILE" { $authz_x509_attr_cert = $1 } "Use X.509 Attribute Certificate in FILE as authorization data." - -#char *authz_saml_assertion; -option (authz-saml-assertion) STR "FILE" { $authz_saml_assertion = $1 } "Use SAML Assertion in FILE as authorization data." - #int nciphers; #char **ciphers; option (ciphers) *STR "cipher1 cipher2..." { $ciphers = $1; $nciphers = @1 } "Ciphers to enable." |