author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-01-19 18:23:27 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-01-19 18:23:27 +0000 |
commit | 5fe0a8400c1989c8d8700567f49687603508d3e5 (patch) | |
tree | 582f8f85c721c76bc58eb5320c21d35c0ee50313 /lib | |
parent | d42caa832f73b00c39fbd59093e19fb3db144261 (diff) | |
download | gnutls-5fe0a8400c1989c8d8700567f49687603508d3e5.tar.gz |
gnutls_x509pki_set_trust_(file/mem) can now be called multiple times
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gnutls_cert.c | 150 |
1 files changed, 55 insertions, 95 deletions
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 2370a7a7e0..9ec5aaac78 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -220,10 +220,8 @@ static int read_ca_mem(GNUTLS_X509PKI_CREDENTIALS res, const char *ca, int ca_si
 	siz = ca_size;
 	ptr = ca;
-	res->ncas = 0;
-	i = 1;
-	res->ca_list = NULL;
+	i = res->ncas + 1;
 	do {
 		siz2 = _gnutls_fbase64_decode(ptr, siz, &b64);
@@ -446,24 +444,10 @@ int gnutls_x509pki_set_key_file(GNUTLS_X509PKI_CREDENTIALS res, char *CERTFILE,
 	return 0;
 }
-/**
- * gnutls_x509pki_set_trust_file - Used to set trusted CAs in a GNUTLS_X509PKI_CREDENTIALS structure
- * @res: is an &GNUTLS_X509PKI_CREDENTIALS structure.
- * @CAFILE: is a PEM encoded file containing trusted CAs
- * @CRLFILE: is a PEM encoded file containing CRLs (ignored for now)
- *
- * This function sets the trusted CAs in order to verify client
- * certificates.
- **/
-int gnutls_x509pki_set_trust_file(GNUTLS_X509PKI_CREDENTIALS res, char *CAFILE,
-	char *CRLFILE)
-{
-	int ret, size, i;
-	opaque *pdata;
-	gnutls_datum tmp;
-
-	if ((ret = read_ca_file(res, CAFILE)) < 0)
-		return ret;
+static int generate_rdn_seq( GNUTLS_X509PKI_CREDENTIALS res) {
+gnutls_datum tmp;
+int ret, size, i;
+opaque *pdata;
 	/* Generate the RDN sequence
 	 * This will be sent to clients when a certificate
@@ -485,6 +469,9 @@ int gnutls_x509pki_set_trust_file(GNUTLS_X509PKI_CREDENTIALS res, char *CAFILE,
 		size += (2 + tmp.size);
 	}
+	if (res->rdn_sequence.data != NULL)
+		gnutls_free( res->rdn_sequence.data);
+
 	res->rdn_sequence.data = gnutls_malloc(size);
 	if (res->rdn_sequence.data == NULL) {
 		gnutls_assert();
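Review bot: `i = res->ncas + 1;` turns read_ca_mem into an append, so the function now silently depends on res->ncas and res->ca_list being zeroed when the credentials structure is allocated — the unconditional reset it replaces used to guarantee that, and nothing in this hunk does. If the allocator does not clear the structure, the first call will grow a garbage list pointer; a one-line comment above the assignment, `/* append: ca_list/ncas must already be valid (zeroed by the allocator) */`, would record the new precondition. It is also not visible here how ncas is updated if a decode fails part-way through the loop, which matters more now that callers may call this repeatedly. read_ca_mem's body continues outside the hunk.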
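Review bot: The new static helper generate_rdn_seq is laid out differently from every other function in this diff: its opening brace sits on the signature line and its three local declarations are at column 0, whereas the surrounding functions put `{` on its own line and indent locals with a tab. It also carries no header comment, although the file documents each of its functions; something like `/* Rebuild res->rdn_sequence from every CA currently in res->ca_list, replacing any previous sequence. */` would state the contract the multi-call API relies on. The helper's body continues outside the hunk.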
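Review bot: Freeing the old sequence immediately before `gnutls_malloc(size)` leaves `res->rdn_sequence` inconsistent when the allocation fails: `data` becomes NULL while `size` still holds the previous length, because (judging from the removed copy of this code later in the diff) `size` is only assigned after the malloc succeeds. Before this commit the function ran once on a fresh structure so the case could not arise; with repeated calls a later failure leaves a NULL/non-zero datum for the certificate-request code to read. Resetting the datum as part of the free, `res->rdn_sequence.data = NULL; res->rdn_sequence.size = 0;`, closes the gap, and the `!= NULL` guard can stay unless gnutls_free is known to accept NULL. The enclosing generate_rdn_seq starts and ends outside this hunk.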
@@ -510,114 +497,87 @@ int gnutls_x509pki_set_trust_file(GNUTLS_X509PKI_CREDENTIALS res, char *CAFILE,
 }
 /**
- * gnutls_x509pki_set_key_mem - Used to set keys in a GNUTLS_X509PKI_CREDENTIALS structure
+ * gnutls_x509pki_set_trust_mem - Used to add trusted CAs in a GNUTLS_X509PKI_CREDENTIALS structure
  * @res: is an &GNUTLS_X509PKI_CREDENTIALS structure.
- * @CERT: contains a PEM encoded certificate list (path) for
- * the specified private key
- * @KEY: is a PEM encoded private key
- *
- * This function sets a certificate/private key pair in the
- * GNUTLS_X509PKI_CREDENTIALS structure. This function may be called
- * more than once (in case multiple keys/certificates exist for the
- * server).
+ * @CA: is a PEM encoded list of trusted CAs
+ * @CRL: is a PEM encoded list of CRLs (ignored for now)
  *
- * Currently only PKCS-1 PEM encoded RSA private keys are accepted by
- * this function.
+ * This function adds the trusted CAs in order to verify client
+ * certificates. This function may be called multiple times.
  *
  **/
-int gnutls_x509pki_set_key_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum* CERT,
-	const gnutls_datum* KEY)
+int gnutls_x509pki_set_trust_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum *CA,
+	const gnutls_datum *CRL)
 {
 	int ret;
-	/* this should be first
-	 */
-	if ((ret = read_key_mem( res, KEY->data, KEY->size)) < 0)
+	if ((ret = read_ca_mem(res, CA->data, CA->size)) < 0)
 		return ret;
-	if ((ret = read_cert_mem( res, CERT->data, CERT->size)) < 0)
+	if ((ret = generate_rdn_seq(res)) < 0)
 		return ret;
 	return 0;
 }
 /**
- * gnutls_x509pki_set_trust_mem - Used to set trusted CAs in a GNUTLS_X509PKI_CREDENTIALS structure
+ * gnutls_x509pki_set_trust_file - Used to add trusted CAs in a GNUTLS_X509PKI_CREDENTIALS structure
  * @res: is an &GNUTLS_X509PKI_CREDENTIALS structure.
- * @CA: is a PEM encoded list of trusted CAs
- * @CRL: is a PEM encoded list of CRLs (ignored for now)
+ * @CAFILE: is a PEM encoded file containing trusted CAs
+ * @CRLFILE: is a PEM encoded file containing CRLs (ignored for now)
  *
  * This function sets the trusted CAs in order to verify client
- * certificates.
+ * certificates. This function may be called multiple times.
+ *
  **/
-int gnutls_x509pki_set_trust_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum *CA,
-	const gnutls_datum *CRL)
+int gnutls_x509pki_set_trust_file(GNUTLS_X509PKI_CREDENTIALS res, char *CAFILE,
+	char *CRLFILE)
 {
-	int ret, size, i;
-	opaque *pdata;
-	gnutls_datum tmp;
+	int ret;
-	if ((ret = read_ca_mem(res, CA->data, CA->size)) < 0)
+	if ((ret = read_ca_file(res, CAFILE)) < 0)
 		return ret;
-	/* Generate the RDN sequence
-	 * This will be sent to clients when a certificate
-	 * request message is sent.
-	 */
-
-	/* FIXME: in case of a client it is not needed
-	 * to do that. This would save time and memory.
-	 * However we don't have that information available
-	 * here.
-	 */
-
-	size = 0;
-	for (i = 0; i < res->ncas; i++) {
-		if ((ret = _gnutls_find_dn(&tmp, &res->ca_list[i])) < 0) {
-			gnutls_assert();
-			return ret;
-		}
-		size += (2 + tmp.size);
-	}
-
-	res->rdn_sequence.data = gnutls_malloc(size);
-	if (res->rdn_sequence.data == NULL) {
-		gnutls_assert();
-		return GNUTLS_E_MEMORY_ERROR;
-	}
-	res->rdn_sequence.size = size;
-
-	pdata = res->rdn_sequence.data;
-
-	for (i = 0; i < res->ncas; i++) {
-		if ((ret = _gnutls_find_dn(&tmp, &res->ca_list[i])) < 0) {
-			gnutls_free(res->rdn_sequence.data);
-			res->rdn_sequence.size = 0;
-			res->rdn_sequence.data = NULL;
-			gnutls_assert();
-			return ret;
-		}
-		WRITEdatum16(pdata, tmp);
-		pdata += (2 + tmp.size);
-	}
+	if ((ret = generate_rdn_seq(res)) < 0)
+		return ret;
 	return 0;
 }
+
 /**
- * gnutls_dh_set_dhe_bits - Used to set the bits for a DHE_* ciphersuite
- * @state: is a &GNUTLS_STATE structure.
- * @bits: is the number of bits
+ * gnutls_x509pki_set_key_mem - Used to set keys in a GNUTLS_X509PKI_CREDENTIALS structure
+ * @res: is an &GNUTLS_X509PKI_CREDENTIALS structure.
+ * @CERT: contains a PEM encoded certificate list (path) for
+ * the specified private key
+ * @KEY: is a PEM encoded private key
  *
- * This function sets the number of bits, for use in a Diffie Hellman key exchange.
- * This value will only be used in case of DHE ciphersuite.
+ * This function sets a certificate/private key pair in the
+ * GNUTLS_X509PKI_CREDENTIALS structure. This function may be called
+ * more than once (in case multiple keys/certificates exist for the
+ * server).
+ *
+ * Currently only PKCS-1 PEM encoded RSA private keys are accepted by
+ * this function.
  *
  **/
-void gnutls_dh_set_dhe_bits(GNUTLS_STATE state, int bits)
+int gnutls_x509pki_set_key_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum* CERT,
+	const gnutls_datum* KEY)
 {
-	state->gnutls_internals.dhe_bits = bits;
+	int ret;
+
+	/* this should be first
+	 */
+	if ((ret = read_key_mem( res, KEY->data, KEY->size)) < 0)
+		return ret;
+
+	if ((ret = read_cert_mem( res, CERT->data, CERT->size)) < 0)
+		return ret;
+
+	return 0;
 }
+
 static int _read_rsa_params(opaque * der, int dersize, MPI * params)
 {
 	opaque str[MAX_X509_CERT_SIZE]; |
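Review bot: In both gnutls_x509pki_set_trust_mem and gnutls_x509pki_set_trust_file, a failure from generate_rdn_seq is returned only after read_ca_mem/read_ca_file has already appended to res->ca_list, so on that path the credentials hold more CAs than the RDN sequence describes and the caller cannot tell; the header comments should say that a failed call leaves the structure in an unspecified state, or the functions should restore ncas before returning. Separately, gnutls_dh_set_dhe_bits is deleted from this file and the diffstat lists no other file under lib, so unless it was moved in a hunk outside this page a public symbol disappears without mention in the commit message. Minor: the set_trust_file comment still reads `This function sets the trusted CAs` while set_trust_mem was changed to `adds`; make the two agree.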