authorNikos Mavrogiannopoulos <nmav@gnutls.org>2002-11-19 13:07:21 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2002-11-19 13:07:21 +0000
commitb58a168e293155fe11deada650d28fb6ac865781 (patch)
treed4653c8fa152da2edcc5bf1d655552ecddc76f01 /lib
parentfe1b1d18fa42e2162cc58da5bcc262d07dfb9b9b (diff)
downloadgnutls-b58a168e293155fe11deada650d28fb6ac865781.tar.gz
Added support for the DSS certificate SRP authenticated cipher suites (currently only with 3DES cipher). Cleaned up the client and server code, which was duplicated.
Diffstat (limited to 'lib')
-rw-r--r--lib/gnutls.h.in.in4
-rw-r--r--lib/gnutls_alert.c3
-rw-r--r--lib/gnutls_algorithms.c6
-rw-r--r--lib/gnutls_cert.c1
-rw-r--r--lib/gnutls_handshake.c9
-rw-r--r--lib/gnutls_int.h8
-rw-r--r--lib/gnutls_x509.c1
7 files changed, 24 insertions, 8 deletions
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index 97e7b5644f..04efa1d676 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -44,7 +44,7 @@ typedef enum gnutls_cipher_algorithm { GNUTLS_CIPHER_NULL=1,
typedef enum gnutls_kx_algorithm { GNUTLS_KX_RSA=1, GNUTLS_KX_DHE_DSS,
GNUTLS_KX_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP,
- GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_SRP_RSA
+ GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS
} gnutls_kx_algorithm;
typedef enum gnutls_credentials_type { GNUTLS_CRD_CERTIFICATE=1, GNUTLS_CRD_ANON, GNUTLS_CRD_SRP } gnutls_credentials_type;
@@ -58,7 +58,7 @@ typedef enum gnutls_digest_algorithm { GNUTLS_DIG_NULL=1, GNUTLS_DIG_MD5, GNUTLS
/* exported for other gnutls headers. This is the maximum number
* of algorithms (ciphers, kx or macs).
*/
-#define GNUTLS_MAX_ALGORITHM_NUM 8
+#define GNUTLS_MAX_ALGORITHM_NUM 10
typedef enum gnutls_compression_method { GNUTLS_COMP_NULL=1,
GNUTLS_COMP_ZLIB,
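Review bot: The new limit of 10 is a bare number that has to be raised by hand in two headers, here and `MAX_ALGOS` in lib/gnutls_int.h (changed later in this commit), and nothing ties it to the size of the algorithm enums it bounds. With `GNUTLS_KX_SRP_DSS` the kx enum reaches eight entries, which was the old limit, so the bump matters if any list sized by this macro also needs a terminator slot; that sizing is not visible in this hunk. I would extend the existing comment with the invariant, for example `* It must stay larger than the number of entries in the biggest algorithm enum.`, so the next suite addition does not quietly overrun a fixed-size priority list. Because the macro is exported, the change presumably also alters the size of anything applications declare with it, which deserves a line in the release notes.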
diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c
index e40bda5d31..3a6207548b 100644
--- a/lib/gnutls_alert.c
+++ b/lib/gnutls_alert.c
@@ -166,6 +166,9 @@ int _level = -1;
case GNUTLS_E_UNKNOWN_CIPHER_SUITE:
case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM:
case GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION:
+ case GNUTLS_E_INSUFICIENT_CREDENTIALS:
+ case GNUTLS_E_NO_CIPHER_SUITES:
+ case GNUTLS_E_NO_COMPRESSION_ALGORITHMS:
ret = GNUTLS_A_HANDSHAKE_FAILURE;
_level = GNUTLS_AL_FATAL;
break;
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index f05a3cb4c2..873d35b918 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -41,6 +41,7 @@ static const gnutls_cred_map cred_mappings[] = {
{ GNUTLS_KX_DHE_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE },
{ GNUTLS_KX_SRP, GNUTLS_CRD_SRP, GNUTLS_CRD_SRP },
{ GNUTLS_KX_SRP_RSA, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE },
+ { GNUTLS_KX_SRP_DSS, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE },
{ 0 }
};
@@ -241,6 +242,7 @@ typedef struct {
#define GNUTLS_SRP_SHA_RIJNDAEL_256_CBC_SHA { 0x00, 0x56 }
#define GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA { 0x00, 0x51 }
+#define GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA { 0x00, 0x52 }
/** RSA
**/
@@ -323,6 +325,10 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = {
GNUTLS_CIPHER_RIJNDAEL_256_CBC, GNUTLS_KX_SRP,
GNUTLS_MAC_SHA, GNUTLS_TLS1),
+ GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA,
+ GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_DSS,
+ GNUTLS_MAC_SHA, GNUTLS_TLS1),
+
GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA,
GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_RSA,
GNUTLS_MAC_SHA, GNUTLS_TLS1),
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 2ddf17b937..caa8acc11b 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -59,6 +59,7 @@ static const gnutls_pk_map pk_mappings[] = {
{GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA},
{GNUTLS_KX_SRP_RSA, GNUTLS_PK_RSA},
{GNUTLS_KX_DHE_DSS, GNUTLS_PK_DSA},
+ {GNUTLS_KX_SRP_DSS, GNUTLS_PK_DSA},
{0}
};
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 6771fcb8a7..00dfd2a5c2 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -553,7 +553,7 @@ int _gnutls_server_select_suite(gnutls_session session, opaque *data, int datale
if (x<=0) {
gnutls_assert();
if (x<0) return x;
- else return GNUTLS_E_INSUFICIENT_CREDENTIALS;
+ else return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
}
#ifdef HANDSHAKE_DEBUG
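Review bot: Returning `GNUTLS_E_UNKNOWN_CIPHER_SUITE` in the `x == 0` branch makes what was previously reported as missing credentials indistinguishable, for the caller and in logs, from a peer offering suites the library does not know. Both codes end up as a fatal handshake_failure alert after the gnutls_alert.c change in this commit, so the wire behaviour is the same and only the local diagnostic is lost. If the change is intentional, a comment on the `else` line such as `/* no suite left after filtering; reported as unknown suite */` would record why. How `x` is computed lies outside the hunk, so its exact meaning is inferred from the old return value.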
@@ -2389,6 +2389,7 @@ int _gnutls_remove_unwanted_ciphersuites(gnutls_session session,
/* if it is defined but had no credentials
*/
if (_gnutls_get_kx_cred(session, kx, NULL) == NULL) {
+fprintf(stderr, "HERE\n");
keep = 1;
} else
/* If there was no credentials to use with the specified
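Review bot: The added `fprintf(stderr, "HERE\n");` is an unconditional debug print in library code that runs during cipher-suite filtering, and the next hunk has the same problem with `fprintf(stderr, "THERE %d\n", kx);` and `fprintf(stderr, "ALG %d\n", alg[j]);`. A TLS library should not write to the host application's stderr, and these lines expose which key-exchange algorithms the session considered to anyone who can read that stream. Either drop the three calls before release or wrap them in `#ifdef HANDSHAKE_DEBUG` / `#endif`, the guard this file already uses. The function body starts and ends outside both hunks.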
@@ -2396,14 +2397,16 @@ int _gnutls_remove_unwanted_ciphersuites(gnutls_session session,
*/
if (_gnutls_map_kx_get_cred(kx, server) == GNUTLS_CRD_CERTIFICATE) {
keep = 1; /* do not keep */
+
+fprintf(stderr, "THERE %d\n", kx);
if (x509_cred != NULL) {
if (server) {
/* here we check if the KX algorithm
* is compatible with the certificate.
*/
-fprintf(stderr, "KX: %d\n", kx);
for (j = 0; j < alg_size; j++) {
-fprintf(stderr, "ALG: %d\n", alg[j]);
+fprintf(stderr, "ALG %d\n", alg[j]);
+
if (alg[j] == kx) {
keep = 0;
break;
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 281ba655c8..80426c1cb1 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -35,8 +35,10 @@
#define X509_DEBUG
#define RECORD_DEBUG
#define COMPRESSION_DEBUG
-#define DEBUG
*/
+#define HANDSHAKE_DEBUG
+#define DEBUG
+
/* It might be a good idea to replace int with void*
* here.
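Review bot: `#define HANDSHAKE_DEBUG` and `#define DEBUG` now sit outside the comment block, so every build of the library compiles in its debug paths. What those paths print is not visible in this hunk, but handshake tracing in a TLS library can expose negotiation details to whoever can read the process output. This looks like a local debugging setting committed together with the feature. I would move both lines back inside the comment, or leave them to be defined by the build system with the default off.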
@@ -145,7 +147,7 @@ typedef gnutls_datum gnutls_sdatum;
/* This is the maximum number of algorithms (ciphers or macs etc).
* keep it synced with GNUTLS_MAX_ALGORITHM_NUM in gnutls.h
*/
-#define MAX_ALGOS 8
+#define MAX_ALGOS 10
#define MAX_CIPHERSUITES 256
@@ -159,7 +161,7 @@ typedef enum gnutls_cipher_algorithm { GNUTLS_CIPHER_NULL=1,
typedef enum gnutls_kx_algorithm { GNUTLS_KX_RSA=1, GNUTLS_KX_DHE_DSS,
GNUTLS_KX_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP,
- GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_SRP_RSA
+ GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS
} gnutls_kx_algorithm;
typedef enum gnutls_mac_algorithm { GNUTLS_MAC_NULL=1, GNUTLS_MAC_MD5, GNUTLS_MAC_SHA } gnutls_mac_algorithm;
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 59f46a47ee..8d27ccb60c 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -2233,6 +2233,7 @@ int _gnutls_check_x509_key_usage( const gnutls_cert * cert,
}
return 0;
case GNUTLS_KX_SRP_RSA:
+ case GNUTLS_KX_SRP_DSS:
case GNUTLS_KX_DHE_RSA:
case GNUTLS_KX_DHE_DSS:
case GNUTLS_KX_RSA_EXPORT: