diff options
| author | Simon Josefsson <simon@josefsson.org> | 2005-11-07 23:27:56 +0000 |
|---|---|---|
| committer | Simon Josefsson <simon@josefsson.org> | 2005-11-07 23:27:56 +0000 |
| commit | a5891d75997c9529b9fc5c273df8bd0df4093cd0 (patch) | |
| tree | fd6eec448a88c5eb891cc145921c5793662da604 /lib | |
| parent | af21484a8daf15da48f7d00c4fe632708a757a64 (diff) | |
| download | gnutls-a5891d75997c9529b9fc5c273df8bd0df4093cd0.tar.gz | |
Use GNU coding style.
Diffstat (limited to 'lib')
145 files changed, 32002 insertions, 28272 deletions
diff --git a/lib/auth_anon.c b/lib/auth_anon.c index 7aed922152..c94da0ffb1 100644 --- a/lib/auth_anon.c +++ b/lib/auth_anon.c @@ -40,127 +40,137 @@ #include <gnutls_state.h> #include <auth_dh_common.h> -static int gen_anon_server_kx(gnutls_session_t, opaque **); -static int proc_anon_client_kx(gnutls_session_t, opaque *, size_t); -static int proc_anon_server_kx(gnutls_session_t, opaque *, size_t); +static int gen_anon_server_kx (gnutls_session_t, opaque **); +static int proc_anon_client_kx (gnutls_session_t, opaque *, size_t); +static int proc_anon_server_kx (gnutls_session_t, opaque *, size_t); const mod_auth_st anon_auth_struct = { - "ANON", - NULL, - NULL, - gen_anon_server_kx, - _gnutls_gen_dh_common_client_kx, /* this can be shared */ - NULL, - NULL, - - NULL, - NULL, /* certificate */ - proc_anon_server_kx, - proc_anon_client_kx, - NULL, - NULL + "ANON", + NULL, + NULL, + gen_anon_server_kx, + _gnutls_gen_dh_common_client_kx, /* this can be shared */ + NULL, + NULL, + + NULL, + NULL, /* certificate */ + proc_anon_server_kx, + proc_anon_client_kx, + NULL, + NULL }; -static int gen_anon_server_kx(gnutls_session_t session, opaque ** data) +static int +gen_anon_server_kx (gnutls_session_t session, opaque ** data) { - mpi_t g, p; - const mpi_t *mpis; - int ret; - gnutls_dh_params_t dh_params; - gnutls_anon_server_credentials_t cred; - - cred = (gnutls_anon_server_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_ANON, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + mpi_t g, p; + const mpi_t *mpis; + int ret; + gnutls_dh_params_t dh_params; + gnutls_anon_server_credentials_t cred; + + cred = (gnutls_anon_server_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_ANON, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - dh_params = _gnutls_anon_get_dh_params(cred, session); - mpis = _gnutls_get_dh_params(dh_params); - if (mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; + dh_params = _gnutls_anon_get_dh_params (cred, session); + mpis = _gnutls_get_dh_params (dh_params); + if (mpis == NULL) + { + gnutls_assert (); + return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; } - p = mpis[0]; - g = mpis[1]; + p = mpis[0]; + g = mpis[1]; - if ((ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_ANON, - sizeof(anon_server_auth_info_st), 1)) < 0) { - gnutls_assert(); - return ret; + if ((ret = + _gnutls_auth_info_set (session, GNUTLS_CRD_ANON, + sizeof (anon_server_auth_info_st), 1)) < 0) + { + gnutls_assert (); + return ret; } - _gnutls_dh_set_group(session, g, p); + _gnutls_dh_set_group (session, g, p); - ret = _gnutls_dh_common_print_server_kx(session, g, p, data); - if (ret < 0) { - gnutls_assert(); + ret = _gnutls_dh_common_print_server_kx (session, g, p, data); + if (ret < 0) + { + gnutls_assert (); } - return ret; + return ret; } -static int proc_anon_client_kx(gnutls_session_t session, opaque * data, - size_t _data_size) +static int +proc_anon_client_kx (gnutls_session_t session, opaque * data, + size_t _data_size) { - gnutls_anon_server_credentials_t cred; - int bits; - int ret; - mpi_t p, g; - gnutls_dh_params_t dh_params; - const mpi_t *mpis; - - bits = _gnutls_dh_get_allowed_prime_bits(session); - - cred = (gnutls_anon_server_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_ANON, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + gnutls_anon_server_credentials_t cred; + int bits; + int ret; + mpi_t p, g; + gnutls_dh_params_t dh_params; + const mpi_t *mpis; + + bits = _gnutls_dh_get_allowed_prime_bits (session); + + cred = (gnutls_anon_server_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_ANON, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - dh_params = _gnutls_anon_get_dh_params(cred, session); - mpis = _gnutls_get_dh_params(dh_params); - if (mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; + dh_params = _gnutls_anon_get_dh_params (cred, session); + mpis = _gnutls_get_dh_params (dh_params); + if (mpis == NULL) + { + gnutls_assert (); + return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; } - p = mpis[0]; - g = mpis[1]; + p = mpis[0]; + g = mpis[1]; - ret = - _gnutls_proc_dh_common_client_kx(session, data, _data_size, g, p); + ret = _gnutls_proc_dh_common_client_kx (session, data, _data_size, g, p); - return ret; + return ret; } -int proc_anon_server_kx(gnutls_session_t session, opaque * data, - size_t _data_size) +int +proc_anon_server_kx (gnutls_session_t session, opaque * data, + size_t _data_size) { - int ret; + int ret; - /* set auth_info */ - if ((ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_ANON, - sizeof(anon_client_auth_info_st), 1)) < 0) { - gnutls_assert(); - return ret; + /* set auth_info */ + if ((ret = + _gnutls_auth_info_set (session, GNUTLS_CRD_ANON, + sizeof (anon_client_auth_info_st), 1)) < 0) + { + gnutls_assert (); + return ret; } - ret = _gnutls_proc_dh_common_server_kx(session, data, _data_size); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_proc_dh_common_server_kx (session, data, _data_size); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } -#endif /* ENABLE_ANON */ +#endif /* ENABLE_ANON */ diff --git a/lib/auth_anon.h b/lib/auth_anon.h index a447134029..1f7ae397ae 100644 --- a/lib/auth_anon.h +++ b/lib/auth_anon.h @@ -26,20 +26,23 @@ #include <gnutls_auth.h> #include <auth_dh_common.h> -typedef struct gnutls_anon_server_credentials_st { - gnutls_dh_params_t dh_params; - /* this callback is used to retrieve the DH or RSA - * parameters. - */ - gnutls_params_function *params_func; +typedef struct gnutls_anon_server_credentials_st +{ + gnutls_dh_params_t dh_params; + /* this callback is used to retrieve the DH or RSA + * parameters. + */ + gnutls_params_function *params_func; } anon_server_credentials_st; -typedef struct gnutls_anon_client_credentials_st { +typedef struct gnutls_anon_client_credentials_st +{ int dummy; } anon_client_credentials_st; -typedef struct anon_client_auth_info_st { - dh_info_st dh; +typedef struct anon_client_auth_info_st +{ + dh_info_st dh; } *anon_client_auth_info_t; typedef anon_client_auth_info_t anon_server_auth_info_t; @@ -48,7 +51,6 @@ typedef anon_client_auth_info_t anon_auth_info_t; typedef struct anon_client_auth_info_st anon_client_auth_info_st; typedef anon_client_auth_info_st anon_server_auth_info_st; -gnutls_dh_params_t _gnutls_anon_get_dh_params(const - gnutls_anon_server_credentials_t - sc, - gnutls_session_t session); +gnutls_dh_params_t _gnutls_anon_get_dh_params (const + gnutls_anon_server_credentials_t + sc, gnutls_session_t session); diff --git a/lib/auth_cert.c b/lib/auth_cert.c index 8480b710bd..c458ff987a 100644 --- a/lib/auth_cert.c +++ b/lib/auth_cert.c @@ -46,63 +46,68 @@ #include <gnutls_extra.h> #include "debug.h" -static gnutls_cert *alloc_and_load_x509_certs( - gnutls_x509_crt_t * certs, uint); -static gnutls_privkey *alloc_and_load_x509_key(gnutls_x509_privkey_t key); -static gnutls_cert *alloc_and_load_pgp_certs(gnutls_openpgp_key_t cert); -static gnutls_privkey *alloc_and_load_pgp_key( - const gnutls_openpgp_privkey_t key); +static gnutls_cert *alloc_and_load_x509_certs (gnutls_x509_crt_t * certs, + uint); +static gnutls_privkey *alloc_and_load_x509_key (gnutls_x509_privkey_t key); +static gnutls_cert *alloc_and_load_pgp_certs (gnutls_openpgp_key_t cert); +static gnutls_privkey *alloc_and_load_pgp_key (const gnutls_openpgp_privkey_t + key); /* Copies data from a internal certificate struct (gnutls_cert) to * exported certificate struct (cert_auth_info_t) */ -static -int _gnutls_copy_certificate_auth_info(cert_auth_info_t info, - gnutls_cert * cert, int ncerts) +static int +_gnutls_copy_certificate_auth_info (cert_auth_info_t info, + gnutls_cert * cert, int ncerts) { - /* Copy peer's information to auth_info_t - */ - int ret, i, j; - - if (ncerts == 0) { - info->raw_certificate_list = NULL; - info->ncerts = 0; - return 0; - } - - info->raw_certificate_list = - gnutls_calloc(1, sizeof(gnutls_datum_t) * ncerts); - if (info->raw_certificate_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - for (i = 0; i < ncerts; i++) { - if (cert->raw.size > 0) { - ret = - _gnutls_set_datum(&info-> - raw_certificate_list[i], - cert[i].raw.data, cert[i].raw.size); - if (ret < 0) { - gnutls_assert(); - goto clear; + /* Copy peer's information to auth_info_t + */ + int ret, i, j; + + if (ncerts == 0) + { + info->raw_certificate_list = NULL; + info->ncerts = 0; + return 0; + } + + info->raw_certificate_list = + gnutls_calloc (1, sizeof (gnutls_datum_t) * ncerts); + if (info->raw_certificate_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + for (i = 0; i < ncerts; i++) + { + if (cert->raw.size > 0) + { + ret = + _gnutls_set_datum (&info-> + raw_certificate_list[i], + cert[i].raw.data, cert[i].raw.size); + if (ret < 0) + { + gnutls_assert (); + goto clear; } } } - info->ncerts = ncerts; + info->ncerts = ncerts; - return 0; + return 0; - clear: +clear: - for (j = 0; j < i; j++) - _gnutls_free_datum(&info->raw_certificate_list[j]); + for (j = 0; j < i; j++) + _gnutls_free_datum (&info->raw_certificate_list[j]); - gnutls_free(info->raw_certificate_list); - info->raw_certificate_list = NULL; + gnutls_free (info->raw_certificate_list); + info->raw_certificate_list = NULL; - return ret; + return ret; } @@ -111,64 +116,67 @@ int _gnutls_copy_certificate_auth_info(cert_auth_info_t info, /* returns 0 if the algo_to-check exists in the pk_algos list, * -1 otherwise. */ -inline - static int _gnutls_check_pk_algo_in_list(const gnutls_pk_algorithm_t * - pk_algos, int pk_algos_length, - gnutls_pk_algorithm_t - algo_to_check) +inline static int +_gnutls_check_pk_algo_in_list (const gnutls_pk_algorithm_t * + pk_algos, int pk_algos_length, + gnutls_pk_algorithm_t algo_to_check) { - int i; - for (i = 0; i < pk_algos_length; i++) { - if (algo_to_check == pk_algos[i]) { - return 0; + int i; + for (i = 0; i < pk_algos_length; i++) + { + if (algo_to_check == pk_algos[i]) + { + return 0; } } - return -1; + return -1; } /* Returns the issuer's Distinguished name in odn, of the certificate * specified in cert. */ -static int _gnutls_cert_get_issuer_dn(gnutls_cert * cert, - gnutls_datum_t * odn) +static int +_gnutls_cert_get_issuer_dn (gnutls_cert * cert, gnutls_datum_t * odn) { - ASN1_TYPE dn; - int len, result; - int start, end; + ASN1_TYPE dn; + int len, result; + int start, end; - if ((result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.Certificate", &dn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.Certificate", &dn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&dn, cert->raw.data, cert->raw.size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); + result = asn1_der_decoding (&dn, cert->raw.data, cert->raw.size, NULL); + if (result != ASN1_SUCCESS) + { + /* couldn't decode DER */ + gnutls_assert (); + asn1_delete_structure (&dn); + return _gnutls_asn2err (result); } - result = asn1_der_decoding_startEnd(dn, cert->raw.data, cert->raw.size, - "tbsCertificate.issuer", &start, - &end); + result = asn1_der_decoding_startEnd (dn, cert->raw.data, cert->raw.size, + "tbsCertificate.issuer", &start, &end); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + /* couldn't decode DER */ + gnutls_assert (); + asn1_delete_structure (&dn); + return _gnutls_asn2err (result); } - asn1_delete_structure(&dn); + asn1_delete_structure (&dn); - len = end - start + 1; + len = end - start + 1; - odn->size = len; - odn->data = &cert->raw.data[start]; + odn->size = len; + odn->data = &cert->raw.data[start]; - return 0; + return 0; } @@ -178,183 +186,199 @@ static int _gnutls_cert_get_issuer_dn(gnutls_cert * cert, * That is to guess which certificate to use, based on the * CAs and sign algorithms supported by the peer server. */ -static int _find_x509_cert(const gnutls_certificate_credentials_t cred, - opaque * _data, size_t _data_size, - const gnutls_pk_algorithm_t * pk_algos, - int pk_algos_length, int *indx) +static int +_find_x509_cert (const gnutls_certificate_credentials_t cred, + opaque * _data, size_t _data_size, + const gnutls_pk_algorithm_t * pk_algos, + int pk_algos_length, int *indx) { - uint size; - gnutls_datum_t odn; - opaque *data = _data; - ssize_t data_size = _data_size; - uint i, j; - int result, cert_pk; - - *indx = -1; - - do { - - DECR_LENGTH_RET(data_size, 2, 0); - size = _gnutls_read_uint16(data); - DECR_LENGTH_RET(data_size, size, 0); - data += 2; - - for (i = 0; i < cred->ncerts; i++) { - for (j = 0; j < cred->cert_list_length[i]; j++) { - if ((result = - _gnutls_cert_get_issuer_dn(&cred-> - cert_list[i][j], - &odn)) < 0) { - gnutls_assert(); - return result; + uint size; + gnutls_datum_t odn; + opaque *data = _data; + ssize_t data_size = _data_size; + uint i, j; + int result, cert_pk; + + *indx = -1; + + do + { + + DECR_LENGTH_RET (data_size, 2, 0); + size = _gnutls_read_uint16 (data); + DECR_LENGTH_RET (data_size, size, 0); + data += 2; + + for (i = 0; i < cred->ncerts; i++) + { + for (j = 0; j < cred->cert_list_length[i]; j++) + { + if ((result = + _gnutls_cert_get_issuer_dn (&cred-> + cert_list[i][j], &odn)) < 0) + { + gnutls_assert (); + return result; } - if (odn.size != size) - continue; - - /* If the DN matches and - * the *_SIGN algorithm matches - * the cert is our cert! - */ - cert_pk = cred->cert_list[i][0].subject_pk_algorithm; - - if ((memcmp(odn.data, data, size) == 0) && - (_gnutls_check_pk_algo_in_list - (pk_algos, pk_algos_length, cert_pk) == 0)) { - *indx = i; - break; + if (odn.size != size) + continue; + + /* If the DN matches and + * the *_SIGN algorithm matches + * the cert is our cert! + */ + cert_pk = cred->cert_list[i][0].subject_pk_algorithm; + + if ((memcmp (odn.data, data, size) == 0) && + (_gnutls_check_pk_algo_in_list + (pk_algos, pk_algos_length, cert_pk) == 0)) + { + *indx = i; + break; } } - if (*indx != -1) - break; + if (*indx != -1) + break; } - if (*indx != -1) - break; + if (*indx != -1) + break; - /* move to next record */ - data += size; + /* move to next record */ + data += size; - } while (1); + } + while (1); - return 0; + return 0; } /* Locates the most appropriate openpgp cert */ -static int _find_openpgp_cert(const gnutls_certificate_credentials_t cred, - gnutls_pk_algorithm_t * pk_algos, - int pk_algos_length, int *indx) +static int +_find_openpgp_cert (const gnutls_certificate_credentials_t cred, + gnutls_pk_algorithm_t * pk_algos, + int pk_algos_length, int *indx) { - uint i, j; - - *indx = -1; - - for (i = 0; i < cred->ncerts; i++) { - for (j = 0; j < cred->cert_list_length[i]; j++) { - - /* If the *_SIGN algorithm matches - * the cert is our cert! - */ - if ((_gnutls_check_pk_algo_in_list - (pk_algos, pk_algos_length, - cred->cert_list[i][0].subject_pk_algorithm) == 0) - && (cred->cert_list[i][0].cert_type == GNUTLS_CRT_OPENPGP)) { - *indx = i; - break; + uint i, j; + + *indx = -1; + + for (i = 0; i < cred->ncerts; i++) + { + for (j = 0; j < cred->cert_list_length[i]; j++) + { + + /* If the *_SIGN algorithm matches + * the cert is our cert! + */ + if ((_gnutls_check_pk_algo_in_list + (pk_algos, pk_algos_length, + cred->cert_list[i][0].subject_pk_algorithm) == 0) + && (cred->cert_list[i][0].cert_type == GNUTLS_CRT_OPENPGP)) + { + *indx = i; + break; } } - if (*indx != -1) - break; + if (*indx != -1) + break; } - return 0; + return 0; } /* Returns the number of issuers in the server's * certificate request packet. */ -static int get_issuers_num(gnutls_session_t session, opaque * data, - ssize_t data_size) +static int +get_issuers_num (gnutls_session_t session, opaque * data, ssize_t data_size) { - int issuers_dn_len = 0, result; - uint size; + int issuers_dn_len = 0, result; + uint size; - /* Count the number of the given issuers; - * This is used to allocate the issuers_dn without - * using realloc(). - */ + /* Count the number of the given issuers; + * This is used to allocate the issuers_dn without + * using realloc(). + */ - if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) - return 0; + if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) + return 0; - if (data_size > 0) - do { - /* This works like DECR_LEN() - */ - result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - DECR_LENGTH_COM(data_size, 2, goto error); - size = _gnutls_read_uint16(data); + if (data_size > 0) + do + { + /* This works like DECR_LEN() + */ + result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + DECR_LENGTH_COM (data_size, 2, goto error); + size = _gnutls_read_uint16 (data); - result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - DECR_LENGTH_COM(data_size, size, goto error); + result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + DECR_LENGTH_COM (data_size, size, goto error); - data += 2; + data += 2; - if (size > 0) { - issuers_dn_len++; - data += size; - } + if (size > 0) + { + issuers_dn_len++; + data += size; + } - if (data_size == 0) - break; + if (data_size == 0) + break; - } while (1); + } + while (1); - return issuers_dn_len; + return issuers_dn_len; - error: - return result; +error: + return result; } /* Returns the issuers in the server's certificate request * packet. */ -static int get_issuers(gnutls_session_t session, - gnutls_datum_t * issuers_dn, int issuers_len, - opaque * data, size_t data_size) +static int +get_issuers (gnutls_session_t session, + gnutls_datum_t * issuers_dn, int issuers_len, + opaque * data, size_t data_size) { - int i; - uint size; + int i; + uint size; - if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) - return 0; + if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) + return 0; - /* put the requested DNs to req_dn, only in case - * of X509 certificates. - */ - if (issuers_len > 0) { + /* put the requested DNs to req_dn, only in case + * of X509 certificates. + */ + if (issuers_len > 0) + { - for (i = 0; i < issuers_len; i++) { - /* The checks here for the buffer boundaries - * are not needed since the buffer has been - * parsed above. - */ - data_size -= 2; + for (i = 0; i < issuers_len; i++) + { + /* The checks here for the buffer boundaries + * are not needed since the buffer has been + * parsed above. + */ + data_size -= 2; - size = _gnutls_read_uint16(data); + size = _gnutls_read_uint16 (data); - data += 2; + data += 2; - issuers_dn[i].data = data; - issuers_dn[i].size = size; + issuers_dn[i].data = data; + issuers_dn[i].size = size; - data += size; + data += size; } } - return 0; + return 0; } @@ -363,100 +387,117 @@ OPENPGP_PRIVKEY_DEINIT _E_gnutls_openpgp_privkey_deinit; /* Calls the client get callback. */ -static int call_get_cert_callback(gnutls_session_t session, - gnutls_datum_t * issuers_dn, - int issuers_dn_length, - gnutls_pk_algorithm_t * pk_algos, - int pk_algos_length) +static int +call_get_cert_callback (gnutls_session_t session, + gnutls_datum_t * issuers_dn, + int issuers_dn_length, + gnutls_pk_algorithm_t * pk_algos, int pk_algos_length) { - uint i; - gnutls_cert *local_certs = NULL; - gnutls_privkey *local_key = NULL; - gnutls_retr_st st; - int ret; - gnutls_certificate_type_t type = gnutls_certificate_type_get(session); - gnutls_certificate_credentials_t cred; - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - memset(&st, 0, sizeof(st)); - - if (session->security_parameters.entity == GNUTLS_SERVER) { - ret = cred->server_get_cert_callback(session, &st); - } else { /* CLIENT */ - ret = - cred->client_get_cert_callback(session, - issuers_dn, issuers_dn_length, - pk_algos, pk_algos_length, &st); - } - - if (ret < 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - if (st.ncerts == 0) - return 0; /* no certificate was selected */ - - if (type != st.type) { - gnutls_assert(); - ret = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - if (type == GNUTLS_CRT_X509) { - local_certs = alloc_and_load_x509_certs(st.cert.x509, st.ncerts); - if (local_certs != NULL) - local_key = alloc_and_load_x509_key(st.key.x509); - - } else { /* PGP */ - if (st.ncerts > 1) { - gnutls_assert(); - ret = GNUTLS_E_INVALID_REQUEST; - goto cleanup; + uint i; + gnutls_cert *local_certs = NULL; + gnutls_privkey *local_key = NULL; + gnutls_retr_st st; + int ret; + gnutls_certificate_type_t type = gnutls_certificate_type_get (session); + gnutls_certificate_credentials_t cred; + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + memset (&st, 0, sizeof (st)); + + if (session->security_parameters.entity == GNUTLS_SERVER) + { + ret = cred->server_get_cert_callback (session, &st); + } + else + { /* CLIENT */ + ret = + cred->client_get_cert_callback (session, + issuers_dn, issuers_dn_length, + pk_algos, pk_algos_length, &st); + } + + if (ret < 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (st.ncerts == 0) + return 0; /* no certificate was selected */ + + if (type != st.type) + { + gnutls_assert (); + ret = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + if (type == GNUTLS_CRT_X509) + { + local_certs = alloc_and_load_x509_certs (st.cert.x509, st.ncerts); + if (local_certs != NULL) + local_key = alloc_and_load_x509_key (st.key.x509); + + } + else + { /* PGP */ + if (st.ncerts > 1) + { + gnutls_assert (); + ret = GNUTLS_E_INVALID_REQUEST; + goto cleanup; } - local_certs = alloc_and_load_pgp_certs(st.cert.pgp); - if (local_certs != NULL) - local_key = alloc_and_load_pgp_key(st.key.pgp); + local_certs = alloc_and_load_pgp_certs (st.cert.pgp); + if (local_certs != NULL) + local_key = alloc_and_load_pgp_key (st.key.pgp); } - _gnutls_selected_certs_set(session, local_certs, - (local_certs != NULL) ? st.ncerts : 0, - local_key, 1); + _gnutls_selected_certs_set (session, local_certs, + (local_certs != NULL) ? st.ncerts : 0, + local_key, 1); - ret = 0; + ret = 0; - cleanup: +cleanup: - if (st.type == GNUTLS_CRT_X509) { - if (st.deinit_all) { - for (i = 0; i < st.ncerts; i++) { - gnutls_x509_crt_deinit(st.cert.x509[i]); + if (st.type == GNUTLS_CRT_X509) + { + if (st.deinit_all) + { + for (i = 0; i < st.ncerts; i++) + { + gnutls_x509_crt_deinit (st.cert.x509[i]); } - gnutls_free(st.cert.x509); - gnutls_x509_privkey_deinit(st.key.x509); + gnutls_free (st.cert.x509); + gnutls_x509_privkey_deinit (st.key.x509); } - } else { - if (st.deinit_all) { - if (_E_gnutls_openpgp_key_deinit == NULL || - _E_gnutls_openpgp_privkey_deinit == NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; + } + else + { + if (st.deinit_all) + { + if (_E_gnutls_openpgp_key_deinit == NULL || + _E_gnutls_openpgp_privkey_deinit == NULL) + { + gnutls_assert (); + return GNUTLS_E_INIT_LIBEXTRA; } - _E_gnutls_openpgp_key_deinit(st.cert.pgp); - _E_gnutls_openpgp_privkey_deinit(st.key.pgp); + _E_gnutls_openpgp_key_deinit (st.cert.pgp); + _E_gnutls_openpgp_privkey_deinit (st.key.pgp); } } - return ret; + return ret; } /* Finds the appropriate certificate depending on the cA Distinguished name @@ -466,301 +507,325 @@ static int call_get_cert_callback(gnutls_session_t session, * 20020128: added ability to select a certificate depending on the SIGN * algorithm (only in automatic mode). */ -static int _select_client_cert(gnutls_session_t session, - opaque * _data, size_t _data_size, - gnutls_pk_algorithm_t * pk_algos, - int pk_algos_length) +static int +_select_client_cert (gnutls_session_t session, + opaque * _data, size_t _data_size, + gnutls_pk_algorithm_t * pk_algos, int pk_algos_length) { - int result; - int indx = -1; - gnutls_certificate_credentials_t cred; - opaque *data = _data; - ssize_t data_size = _data_size; - int issuers_dn_length; - gnutls_datum_t *issuers_dn = NULL; - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (cred->client_get_cert_callback != NULL) { - - /* use a callback to get certificate - */ - if (session->security_parameters.cert_type != GNUTLS_CRT_X509) - issuers_dn_length = 0; - else { - issuers_dn_length = get_issuers_num(session, data, data_size); - if (issuers_dn_length < 0) { - gnutls_assert(); - return issuers_dn_length; + int result; + int indx = -1; + gnutls_certificate_credentials_t cred; + opaque *data = _data; + ssize_t data_size = _data_size; + int issuers_dn_length; + gnutls_datum_t *issuers_dn = NULL; + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (cred->client_get_cert_callback != NULL) + { + + /* use a callback to get certificate + */ + if (session->security_parameters.cert_type != GNUTLS_CRT_X509) + issuers_dn_length = 0; + else + { + issuers_dn_length = get_issuers_num (session, data, data_size); + if (issuers_dn_length < 0) + { + gnutls_assert (); + return issuers_dn_length; } - if (issuers_dn_length > 0) { - issuers_dn = - gnutls_malloc(sizeof(gnutls_datum_t) * - issuers_dn_length); - if (issuers_dn == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (issuers_dn_length > 0) + { + issuers_dn = + gnutls_malloc (sizeof (gnutls_datum_t) * issuers_dn_length); + if (issuers_dn == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - result = - get_issuers(session, issuers_dn, issuers_dn_length, - data, data_size); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = + get_issuers (session, issuers_dn, issuers_dn_length, + data, data_size); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } } } - result = - call_get_cert_callback(session, issuers_dn, issuers_dn_length, - pk_algos, pk_algos_length); - goto cleanup; + result = + call_get_cert_callback (session, issuers_dn, issuers_dn_length, + pk_algos, pk_algos_length); + goto cleanup; - } else { - /* If we have no callbacks, try to guess. - */ - result = 0; + } + else + { + /* If we have no callbacks, try to guess. + */ + result = 0; - if (session->security_parameters.cert_type == GNUTLS_CRT_X509) - result = - _find_x509_cert(cred, _data, _data_size, - pk_algos, pk_algos_length, &indx); + if (session->security_parameters.cert_type == GNUTLS_CRT_X509) + result = + _find_x509_cert (cred, _data, _data_size, + pk_algos, pk_algos_length, &indx); - if (session->security_parameters.cert_type == GNUTLS_CRT_OPENPGP) - result = - _find_openpgp_cert(cred, pk_algos, pk_algos_length, &indx); + if (session->security_parameters.cert_type == GNUTLS_CRT_OPENPGP) + result = _find_openpgp_cert (cred, pk_algos, pk_algos_length, &indx); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - if (indx >= 0) { - _gnutls_selected_certs_set(session, - &cred->cert_list[indx][0], - cred->cert_list_length[indx], - &cred->pkey[indx], 0); - } else { - _gnutls_selected_certs_set(session, NULL, 0, NULL, 0); + if (indx >= 0) + { + _gnutls_selected_certs_set (session, + &cred->cert_list[indx][0], + cred->cert_list_length[indx], + &cred->pkey[indx], 0); + } + else + { + _gnutls_selected_certs_set (session, NULL, 0, NULL, 0); } - result = 0; + result = 0; } - cleanup: - gnutls_free(issuers_dn); - return result; +cleanup: + gnutls_free (issuers_dn); + return result; } /* Generate client certificate */ -int _gnutls_gen_x509_crt(gnutls_session_t session, opaque ** data) +int +_gnutls_gen_x509_crt (gnutls_session_t session, opaque ** data) { - int ret, i; - opaque *pdata; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length; - - /* find the appropriate certificate - */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } - - ret = 3; - for (i = 0; i < apr_cert_list_length; i++) { - ret += apr_cert_list[i].raw.size + 3; - /* hold size - * for uint24 */ - } - - /* if no certificates were found then send: - * 0B 00 00 03 00 00 00 // Certificate with no certs - * instead of: - * 0B 00 00 00 // empty certificate handshake - * - * ( the above is the whole handshake message, not - * the one produced here ) - */ - - (*data) = gnutls_malloc(ret); - pdata = (*data); - - if (pdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_write_uint24(ret - 3, pdata); - pdata += 3; - for (i = 0; i < apr_cert_list_length; i++) { - _gnutls_write_datum24(pdata, apr_cert_list[i].raw); - pdata += (3 + apr_cert_list[i].raw.size); - } - - return ret; + int ret, i; + opaque *pdata; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + + /* find the appropriate certificate + */ + if ((ret = + _gnutls_get_selected_cert (session, &apr_cert_list, + &apr_cert_list_length, &apr_pkey)) < 0) + { + gnutls_assert (); + return ret; + } + + ret = 3; + for (i = 0; i < apr_cert_list_length; i++) + { + ret += apr_cert_list[i].raw.size + 3; + /* hold size + * for uint24 */ + } + + /* if no certificates were found then send: + * 0B 00 00 03 00 00 00 // Certificate with no certs + * instead of: + * 0B 00 00 00 // empty certificate handshake + * + * ( the above is the whole handshake message, not + * the one produced here ) + */ + + (*data) = gnutls_malloc (ret); + pdata = (*data); + + if (pdata == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + _gnutls_write_uint24 (ret - 3, pdata); + pdata += 3; + for (i = 0; i < apr_cert_list_length; i++) + { + _gnutls_write_datum24 (pdata, apr_cert_list[i].raw); + pdata += (3 + apr_cert_list[i].raw.size); + } + + return ret; } -enum PGPKeyDescriptorType { PGP_KEY_FINGERPRINT, PGP_KEY }; +enum PGPKeyDescriptorType +{ PGP_KEY_FINGERPRINT, PGP_KEY }; -int _gnutls_gen_openpgp_certificate(gnutls_session_t session, - opaque ** data) +int +_gnutls_gen_openpgp_certificate (gnutls_session_t session, opaque ** data) { - int ret; - opaque *pdata; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length; + int ret; + opaque *pdata; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert (session, &apr_cert_list, + &apr_cert_list_length, &apr_pkey)) < 0) + { + gnutls_assert (); + return ret; } - ret = 3 + 1 + 3; + ret = 3 + 1 + 3; - if (apr_cert_list_length > 0) - ret += apr_cert_list[0].raw.size; + if (apr_cert_list_length > 0) + ret += apr_cert_list[0].raw.size; - (*data) = gnutls_malloc(ret); - pdata = (*data); + (*data) = gnutls_malloc (ret); + pdata = (*data); - if (pdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (pdata == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_write_uint24(ret - 3, pdata); - pdata += 3; + _gnutls_write_uint24 (ret - 3, pdata); + pdata += 3; - *pdata = PGP_KEY; /* whole key */ - pdata++; + *pdata = PGP_KEY; /* whole key */ + pdata++; - if (apr_cert_list_length > 0) { - _gnutls_write_datum24(pdata, apr_cert_list[0].raw); - pdata += (3 + apr_cert_list[0].raw.size); - } else /* empty - no certificate */ - _gnutls_write_uint24(0, pdata); + if (apr_cert_list_length > 0) + { + _gnutls_write_datum24 (pdata, apr_cert_list[0].raw); + pdata += (3 + apr_cert_list[0].raw.size); + } + else /* empty - no certificate */ + _gnutls_write_uint24 (0, pdata); - return ret; + return ret; } OPENPGP_FINGERPRINT _E_gnutls_openpgp_fingerprint = NULL; OPENPGP_KEY_REQUEST _E_gnutls_openpgp_request_key = NULL; extern OPENPGP_RAW_KEY_TO_GCERT _E_gnutls_openpgp_raw_key_to_gcert; -int _gnutls_gen_openpgp_certificate_fpr(gnutls_session_t session, - opaque ** data) +int +_gnutls_gen_openpgp_certificate_fpr (gnutls_session_t session, opaque ** data) { - int ret, packet_size; - size_t fpr_size; - opaque *pdata; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length; + int ret, packet_size; + size_t fpr_size; + opaque *pdata; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert (session, &apr_cert_list, + &apr_cert_list_length, &apr_pkey)) < 0) + { + gnutls_assert (); + return ret; } - packet_size = 3 + 1; + packet_size = 3 + 1; - /* Only v4 fingerprints are sent - */ - if (apr_cert_list_length > 0 && apr_cert_list[0].version == 4) - packet_size += 20 + 1; - else /* empty certificate case */ - return _gnutls_gen_openpgp_certificate(session, data); + /* Only v4 fingerprints are sent + */ + if (apr_cert_list_length > 0 && apr_cert_list[0].version == 4) + packet_size += 20 + 1; + else /* empty certificate case */ + return _gnutls_gen_openpgp_certificate (session, data); - (*data) = gnutls_malloc(packet_size); - pdata = (*data); + (*data) = gnutls_malloc (packet_size); + pdata = (*data); - if (pdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (pdata == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_write_uint24(packet_size - 3, pdata); - pdata += 3; + _gnutls_write_uint24 (packet_size - 3, pdata); + pdata += 3; - *pdata = PGP_KEY_FINGERPRINT; /* key fingerprint */ - pdata++; + *pdata = PGP_KEY_FINGERPRINT; /* key fingerprint */ + pdata++; - *pdata = 20; - pdata++; + *pdata = 20; + pdata++; - fpr_size = 20; + fpr_size = 20; - if (_E_gnutls_openpgp_fingerprint == NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; + if (_E_gnutls_openpgp_fingerprint == NULL) + { + gnutls_assert (); + return GNUTLS_E_INIT_LIBEXTRA; } - if ((ret = - _E_gnutls_openpgp_fingerprint(&apr_cert_list[0].raw, pdata, - &fpr_size)) < 0) { - gnutls_assert(); - return ret; + if ((ret = + _E_gnutls_openpgp_fingerprint (&apr_cert_list[0].raw, pdata, + &fpr_size)) < 0) + { + gnutls_assert (); + return ret; } - return packet_size; + return packet_size; } -int _gnutls_gen_cert_client_certificate(gnutls_session_t session, - opaque ** data) +int +_gnutls_gen_cert_client_certificate (gnutls_session_t session, opaque ** data) { - switch (session->security_parameters.cert_type) { + switch (session->security_parameters.cert_type) + { case GNUTLS_CRT_OPENPGP: - if (_gnutls_openpgp_send_fingerprint(session) == 0) - return _gnutls_gen_openpgp_certificate(session, data); - else - return _gnutls_gen_openpgp_certificate_fpr(session, data); + if (_gnutls_openpgp_send_fingerprint (session) == 0) + return _gnutls_gen_openpgp_certificate (session, data); + else + return _gnutls_gen_openpgp_certificate_fpr (session, data); case GNUTLS_CRT_X509: - return _gnutls_gen_x509_crt(session, data); + return _gnutls_gen_x509_crt (session, data); default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } } -int _gnutls_gen_cert_server_certificate(gnutls_session_t session, - opaque ** data) +int +_gnutls_gen_cert_server_certificate (gnutls_session_t session, opaque ** data) { - switch (session->security_parameters.cert_type) { + switch (session->security_parameters.cert_type) + { case GNUTLS_CRT_OPENPGP: - return _gnutls_gen_openpgp_certificate(session, data); + return _gnutls_gen_openpgp_certificate (session, data); case GNUTLS_CRT_X509: - return _gnutls_gen_x509_crt(session, data); + return _gnutls_gen_x509_crt (session, data); default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } } @@ -768,554 +833,607 @@ int _gnutls_gen_cert_server_certificate(gnutls_session_t session, */ #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) _gnutls_gcert_deinit(&peer_certificate_list[x]) -int _gnutls_proc_x509_server_certificate(gnutls_session_t session, - opaque * data, size_t data_size) +int +_gnutls_proc_x509_server_certificate (gnutls_session_t session, + opaque * data, size_t data_size) { - int size, len, ret; - opaque *p = data; - cert_auth_info_t info; - gnutls_certificate_credentials_t cred; - ssize_t dsize = data_size; - int i, j, x; - gnutls_cert *peer_certificate_list; - int peer_certificate_list_size = 0; - gnutls_datum_t tmp; - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - - if ((ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, - sizeof(cert_auth_info_st), 1)) < 0) { - gnutls_assert(); - return ret; - } - - info = _gnutls_get_auth_info(session); - - if (data == NULL || data_size == 0) { - gnutls_assert(); - /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - DECR_LEN(dsize, 3); - size = _gnutls_read_uint24(p); - p += 3; - - if (size == 0) { - gnutls_assert(); - /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - i = dsize; - while (i > 0) { - DECR_LEN(dsize, 3); - len = _gnutls_read_uint24(p); - p += 3; - DECR_LEN(dsize, len); - peer_certificate_list_size++; - p += len; - i -= len + 3; - } - - if (peer_certificate_list_size == 0) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - /* Ok we now allocate the memory to hold the - * certificate list - */ - - peer_certificate_list = - gnutls_malloc(sizeof(gnutls_cert) * (peer_certificate_list_size)); - - if (peer_certificate_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - memset(peer_certificate_list, 0, sizeof(gnutls_cert) * - peer_certificate_list_size); - - p = data + 3; - - /* Now we start parsing the list (again). - * We don't use DECR_LEN since the list has - * been parsed before. - */ - - for (j = 0; j < peer_certificate_list_size; j++) { - len = _gnutls_read_uint24(p); - p += 3; - - tmp.size = len; - tmp.data = p; - - if ((ret = - _gnutls_x509_raw_cert_to_gcert(&peer_certificate_list - [j], &tmp, - CERT_ONLY_EXTENSIONS)) < 0) { - gnutls_assert(); - goto cleanup; + int size, len, ret; + opaque *p = data; + cert_auth_info_t info; + gnutls_certificate_credentials_t cred; + ssize_t dsize = data_size; + int i, j, x; + gnutls_cert *peer_certificate_list; + int peer_certificate_list_size = 0; + gnutls_datum_t tmp; + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + + if ((ret = + _gnutls_auth_info_set (session, GNUTLS_CRD_CERTIFICATE, + sizeof (cert_auth_info_st), 1)) < 0) + { + gnutls_assert (); + return ret; + } + + info = _gnutls_get_auth_info (session); + + if (data == NULL || data_size == 0) + { + gnutls_assert (); + /* no certificate was sent */ + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + DECR_LEN (dsize, 3); + size = _gnutls_read_uint24 (p); + p += 3; + + if (size == 0) + { + gnutls_assert (); + /* no certificate was sent */ + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + i = dsize; + while (i > 0) + { + DECR_LEN (dsize, 3); + len = _gnutls_read_uint24 (p); + p += 3; + DECR_LEN (dsize, len); + peer_certificate_list_size++; + p += len; + i -= len + 3; + } + + if (peer_certificate_list_size == 0) + { + gnutls_assert (); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + /* Ok we now allocate the memory to hold the + * certificate list + */ + + peer_certificate_list = + gnutls_malloc (sizeof (gnutls_cert) * (peer_certificate_list_size)); + + if (peer_certificate_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + memset (peer_certificate_list, 0, sizeof (gnutls_cert) * + peer_certificate_list_size); + + p = data + 3; + + /* Now we start parsing the list (again). + * We don't use DECR_LEN since the list has + * been parsed before. + */ + + for (j = 0; j < peer_certificate_list_size; j++) + { + len = _gnutls_read_uint24 (p); + p += 3; + + tmp.size = len; + tmp.data = p; + + if ((ret = + _gnutls_x509_raw_cert_to_gcert (&peer_certificate_list + [j], &tmp, + CERT_ONLY_EXTENSIONS)) < 0) + { + gnutls_assert (); + goto cleanup; } - p += len; + p += len; } - if ((ret = - _gnutls_copy_certificate_auth_info(info, - peer_certificate_list, - peer_certificate_list_size)) - < 0) { - gnutls_assert(); - goto cleanup; + if ((ret = + _gnutls_copy_certificate_auth_info (info, + peer_certificate_list, + peer_certificate_list_size)) < 0) + { + gnutls_assert (); + goto cleanup; } - if ((ret = - _gnutls_check_key_usage(&peer_certificate_list[0], - gnutls_kx_get(session))) < 0) { - gnutls_assert(); - goto cleanup; + if ((ret = + _gnutls_check_key_usage (&peer_certificate_list[0], + gnutls_kx_get (session))) < 0) + { + gnutls_assert (); + goto cleanup; } - ret = 0; + ret = 0; - cleanup: - CLEAR_CERTS; - gnutls_free(peer_certificate_list); - return ret; +cleanup: + CLEAR_CERTS; + gnutls_free (peer_certificate_list); + return ret; } #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) _gnutls_gcert_deinit(&peer_certificate_list[x]) -int _gnutls_proc_openpgp_server_certificate(gnutls_session_t session, - opaque * data, - size_t data_size) +int +_gnutls_proc_openpgp_server_certificate (gnutls_session_t session, + opaque * data, size_t data_size) { - int size, ret, len; - opaque *p = data; - cert_auth_info_t info; - gnutls_certificate_credentials_t cred; - ssize_t dsize = data_size; - int i, x; - gnutls_cert *peer_certificate_list = NULL; - int peer_certificate_list_size = 0; - gnutls_datum_t tmp, akey = { NULL, 0 }; - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if ((ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, - sizeof(cert_auth_info_st), 1)) < 0) { - gnutls_assert(); - return ret; - } - - info = _gnutls_get_auth_info(session); - - if (data == NULL || data_size == 0) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - DECR_LEN(dsize, 3); - size = _gnutls_read_uint24(p); - p += 3; - - if (size == 0) { - gnutls_assert(); - /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - i = dsize; - - /* Read PGPKeyDescriptor */ - DECR_LEN(dsize, 1); - if (*p == PGP_KEY_FINGERPRINT) { /* the fingerprint */ - p++; - - DECR_LEN(dsize, 1); - len = (uint8) * p; - p++; - - if (len != 20) { - gnutls_assert(); - return GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED; + int size, ret, len; + opaque *p = data; + cert_auth_info_t info; + gnutls_certificate_credentials_t cred; + ssize_t dsize = data_size; + int i, x; + gnutls_cert *peer_certificate_list = NULL; + int peer_certificate_list_size = 0; + gnutls_datum_t tmp, akey = { NULL, 0 }; + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if ((ret = + _gnutls_auth_info_set (session, GNUTLS_CRD_CERTIFICATE, + sizeof (cert_auth_info_st), 1)) < 0) + { + gnutls_assert (); + return ret; + } + + info = _gnutls_get_auth_info (session); + + if (data == NULL || data_size == 0) + { + gnutls_assert (); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + DECR_LEN (dsize, 3); + size = _gnutls_read_uint24 (p); + p += 3; + + if (size == 0) + { + gnutls_assert (); + /* no certificate was sent */ + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + i = dsize; + + /* Read PGPKeyDescriptor */ + DECR_LEN (dsize, 1); + if (*p == PGP_KEY_FINGERPRINT) + { /* the fingerprint */ + p++; + + DECR_LEN (dsize, 1); + len = (uint8) * p; + p++; + + if (len != 20) + { + gnutls_assert (); + return GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED; } - DECR_LEN(dsize, 20); + DECR_LEN (dsize, 20); - /* request the actual key from our database, or - * a key server or anything. - */ - if (_E_gnutls_openpgp_request_key == NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; + /* request the actual key from our database, or + * a key server or anything. + */ + if (_E_gnutls_openpgp_request_key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INIT_LIBEXTRA; } - if ((ret = - _E_gnutls_openpgp_request_key(session, &akey, cred, p, - 20)) < 0) { - gnutls_assert(); - return ret; + if ((ret = + _E_gnutls_openpgp_request_key (session, &akey, cred, p, 20)) < 0) + { + gnutls_assert (); + return ret; } - tmp = akey; - peer_certificate_list_size++; + tmp = akey; + peer_certificate_list_size++; - } else if (*p == PGP_KEY) { /* the whole key */ + } + else if (*p == PGP_KEY) + { /* the whole key */ - p++; + p++; - /* Read the actual certificate */ - DECR_LEN(dsize, 3); - len = _gnutls_read_uint24(p); - p += 3; + /* Read the actual certificate */ + DECR_LEN (dsize, 3); + len = _gnutls_read_uint24 (p); + p += 3; - if (len == 0) { - gnutls_assert(); - /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; + if (len == 0) + { + gnutls_assert (); + /* no certificate was sent */ + return GNUTLS_E_NO_CERTIFICATE_FOUND; } - DECR_LEN(dsize, len); - peer_certificate_list_size++; + DECR_LEN (dsize, len); + peer_certificate_list_size++; - tmp.size = len; - tmp.data = p; + tmp.size = len; + tmp.data = p; - } else { - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + } + else + { + gnutls_assert (); + return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; } - /* ok we now have the peer's key in tmp datum - */ + /* ok we now have the peer's key in tmp datum + */ - if (peer_certificate_list_size == 0) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + if (peer_certificate_list_size == 0) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - peer_certificate_list = - gnutls_alloca(sizeof(gnutls_cert) * (peer_certificate_list_size)); - if (peer_certificate_list == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + peer_certificate_list = + gnutls_alloca (sizeof (gnutls_cert) * (peer_certificate_list_size)); + if (peer_certificate_list == NULL) + { + gnutls_assert (); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; } - memset(peer_certificate_list, 0, sizeof(gnutls_cert) * - peer_certificate_list_size); + memset (peer_certificate_list, 0, sizeof (gnutls_cert) * + peer_certificate_list_size); - if (_E_gnutls_openpgp_raw_key_to_gcert == NULL) { - gnutls_assert(); - ret = GNUTLS_E_INIT_LIBEXTRA; - goto cleanup; + if (_E_gnutls_openpgp_raw_key_to_gcert == NULL) + { + gnutls_assert (); + ret = GNUTLS_E_INIT_LIBEXTRA; + goto cleanup; } - if ((ret = - _E_gnutls_openpgp_raw_key_to_gcert(&peer_certificate_list[0], - &tmp)) < 0) { - gnutls_assert(); - goto cleanup; + if ((ret = + _E_gnutls_openpgp_raw_key_to_gcert (&peer_certificate_list[0], + &tmp)) < 0) + { + gnutls_assert (); + goto cleanup; } - if ((ret = - _gnutls_copy_certificate_auth_info(info, - peer_certificate_list, - peer_certificate_list_size)) - < 0) { - gnutls_assert(); - goto cleanup; + if ((ret = + _gnutls_copy_certificate_auth_info (info, + peer_certificate_list, + peer_certificate_list_size)) < 0) + { + gnutls_assert (); + goto cleanup; } - if ((ret = - _gnutls_check_key_usage(&peer_certificate_list[0], - gnutls_kx_get(session))) < 0) { - gnutls_assert(); - goto cleanup; + if ((ret = + _gnutls_check_key_usage (&peer_certificate_list[0], + gnutls_kx_get (session))) < 0) + { + gnutls_assert (); + goto cleanup; } - ret = 0; + ret = 0; - cleanup: +cleanup: - _gnutls_free_datum(&akey); - CLEAR_CERTS; - gnutls_afree(peer_certificate_list); - return ret; + _gnutls_free_datum (&akey); + CLEAR_CERTS; + gnutls_afree (peer_certificate_list); + return ret; } -int _gnutls_proc_cert_server_certificate(gnutls_session_t session, - opaque * data, size_t data_size) +int +_gnutls_proc_cert_server_certificate (gnutls_session_t session, + opaque * data, size_t data_size) { - switch (session->security_parameters.cert_type) { + switch (session->security_parameters.cert_type) + { case GNUTLS_CRT_OPENPGP: - return _gnutls_proc_openpgp_server_certificate(session, - data, data_size); + return _gnutls_proc_openpgp_server_certificate (session, + data, data_size); case GNUTLS_CRT_X509: - return _gnutls_proc_x509_server_certificate(session, data, - data_size); + return _gnutls_proc_x509_server_certificate (session, data, data_size); default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } } #define MAX_SIGN_ALGOS 2 -typedef enum CertificateSigType { RSA_SIGN = 1, DSA_SIGN +typedef enum CertificateSigType +{ RSA_SIGN = 1, DSA_SIGN } CertificateSigType; /* Checks if we support the given signature algorithm * (RSA or DSA). Returns the corresponding gnutls_pk_algorithm_t * if true; */ -inline static -int _gnutls_check_supported_sign_algo(CertificateSigType algo) +inline static int +_gnutls_check_supported_sign_algo (CertificateSigType algo) { - switch (algo) { + switch (algo) + { case RSA_SIGN: - return GNUTLS_PK_RSA; + return GNUTLS_PK_RSA; case DSA_SIGN: - return GNUTLS_PK_DSA; + return GNUTLS_PK_DSA; } - return -1; + return -1; } -int _gnutls_proc_cert_cert_req(gnutls_session_t session, opaque * data, - size_t data_size) +int +_gnutls_proc_cert_cert_req (gnutls_session_t session, opaque * data, + size_t data_size) { - int size, ret; - opaque *p; - gnutls_certificate_credentials_t cred; - cert_auth_info_t info; - ssize_t dsize; - int i, j; - gnutls_pk_algorithm_t pk_algos[MAX_SIGN_ALGOS]; - int pk_algos_length; - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if ((ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, - sizeof(cert_auth_info_st), 0)) < 0) { - gnutls_assert(); - return ret; - } - - info = _gnutls_get_auth_info(session); - - p = data; - dsize = data_size; - - DECR_LEN(dsize, 1); - size = p[0]; - p++; - /* check if the sign algorithm is supported. - */ - pk_algos_length = j = 0; - for (i = 0; i < size; i++, p++) { - DECR_LEN(dsize, 1); - if ((ret = _gnutls_check_supported_sign_algo(*p)) > 0) { - if (j < MAX_SIGN_ALGOS) { - pk_algos[j++] = ret; - pk_algos_length++; + int size, ret; + opaque *p; + gnutls_certificate_credentials_t cred; + cert_auth_info_t info; + ssize_t dsize; + int i, j; + gnutls_pk_algorithm_t pk_algos[MAX_SIGN_ALGOS]; + int pk_algos_length; + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if ((ret = + _gnutls_auth_info_set (session, GNUTLS_CRD_CERTIFICATE, + sizeof (cert_auth_info_st), 0)) < 0) + { + gnutls_assert (); + return ret; + } + + info = _gnutls_get_auth_info (session); + + p = data; + dsize = data_size; + + DECR_LEN (dsize, 1); + size = p[0]; + p++; + /* check if the sign algorithm is supported. + */ + pk_algos_length = j = 0; + for (i = 0; i < size; i++, p++) + { + DECR_LEN (dsize, 1); + if ((ret = _gnutls_check_supported_sign_algo (*p)) > 0) + { + if (j < MAX_SIGN_ALGOS) + { + pk_algos[j++] = ret; + pk_algos_length++; } } } - if (pk_algos_length == 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_PK_ALGORITHM; + if (pk_algos_length == 0) + { + gnutls_assert (); + return GNUTLS_E_UNKNOWN_PK_ALGORITHM; } - if (session->security_parameters.cert_type == GNUTLS_CRT_X509) { - DECR_LEN(dsize, 2); - size = _gnutls_read_uint16(p); - p += 2; - } else { - p = NULL; - size = 0; + if (session->security_parameters.cert_type == GNUTLS_CRT_X509) + { + DECR_LEN (dsize, 2); + size = _gnutls_read_uint16 (p); + p += 2; + } + else + { + p = NULL; + size = 0; } - DECR_LEN(dsize, size); + DECR_LEN (dsize, size); - /* now we ask the user to tell which one - * he wants to use. - */ - if ((ret = - _select_client_cert(session, p, size, - pk_algos, pk_algos_length)) < 0) { - gnutls_assert(); - return ret; + /* now we ask the user to tell which one + * he wants to use. + */ + if ((ret = + _select_client_cert (session, p, size, pk_algos, pk_algos_length)) < 0) + { + gnutls_assert (); + return ret; } - /* We should reply with a certificate message, - * even if we have no certificate to send. - */ - session->key->certificate_requested = 1; + /* We should reply with a certificate message, + * even if we have no certificate to send. + */ + session->key->certificate_requested = 1; - return 0; + return 0; } -int _gnutls_gen_cert_client_cert_vrfy(gnutls_session_t session, - opaque ** data) +int +_gnutls_gen_cert_client_cert_vrfy (gnutls_session_t session, opaque ** data) { - int ret; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length, size; - gnutls_datum_t signature; - - *data = NULL; - - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } - - if (apr_pkey != NULL) { - if ((ret = - _gnutls_tls_sign_hdata(session, - &apr_cert_list[0], - apr_pkey, &signature)) < 0) { - gnutls_assert(); - return ret; + int ret; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length, size; + gnutls_datum_t signature; + + *data = NULL; + + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert (session, &apr_cert_list, + &apr_cert_list_length, &apr_pkey)) < 0) + { + gnutls_assert (); + return ret; + } + + if (apr_pkey != NULL) + { + if ((ret = + _gnutls_tls_sign_hdata (session, + &apr_cert_list[0], + apr_pkey, &signature)) < 0) + { + gnutls_assert (); + return ret; } - } else { - return 0; + } + else + { + return 0; } - *data = gnutls_malloc(signature.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&signature); - return GNUTLS_E_MEMORY_ERROR; + *data = gnutls_malloc (signature.size + 2); + if (*data == NULL) + { + _gnutls_free_datum (&signature); + return GNUTLS_E_MEMORY_ERROR; } - size = signature.size; - _gnutls_write_uint16(size, *data); + size = signature.size; + _gnutls_write_uint16 (size, *data); - memcpy(&(*data)[2], signature.data, size); + memcpy (&(*data)[2], signature.data, size); - _gnutls_free_datum(&signature); + _gnutls_free_datum (&signature); - return size + 2; + return size + 2; } -int _gnutls_proc_cert_client_cert_vrfy(gnutls_session_t session, - opaque * data, size_t data_size) +int +_gnutls_proc_cert_client_cert_vrfy (gnutls_session_t session, + opaque * data, size_t data_size) { - int size, ret; - ssize_t dsize = data_size; - opaque *pdata = data; - gnutls_datum_t sig; - cert_auth_info_t info = _gnutls_get_auth_info(session); - gnutls_cert peer_cert; + int size, ret; + ssize_t dsize = data_size; + opaque *pdata = data; + gnutls_datum_t sig; + cert_auth_info_t info = _gnutls_get_auth_info (session); + gnutls_cert peer_cert; - if (info == NULL || info->ncerts == 0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return GNUTLS_E_INTERNAL_ERROR; + if (info == NULL || info->ncerts == 0) + { + gnutls_assert (); + /* we need this in order to get peer's certificate */ + return GNUTLS_E_INTERNAL_ERROR; } - DECR_LEN(dsize, 2); - size = _gnutls_read_uint16(pdata); - pdata += 2; + DECR_LEN (dsize, 2); + size = _gnutls_read_uint16 (pdata); + pdata += 2; - DECR_LEN(dsize, size); + DECR_LEN (dsize, size); - sig.data = pdata; - sig.size = size; + sig.data = pdata; + sig.size = size; - ret = _gnutls_raw_cert_to_gcert(&peer_cert, - session->security_parameters.cert_type, - &info->raw_certificate_list[0], - CERT_NO_COPY); + ret = _gnutls_raw_cert_to_gcert (&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_NO_COPY); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - if ((ret = _gnutls_verify_sig_hdata(session, &peer_cert, &sig)) < 0) { - gnutls_assert(); - _gnutls_gcert_deinit(&peer_cert); - return ret; + if ((ret = _gnutls_verify_sig_hdata (session, &peer_cert, &sig)) < 0) + { + gnutls_assert (); + _gnutls_gcert_deinit (&peer_cert); + return ret; } - _gnutls_gcert_deinit(&peer_cert); + _gnutls_gcert_deinit (&peer_cert); - return 0; + return 0; } #define CERTTYPE_SIZE 3 -int _gnutls_gen_cert_server_cert_req(gnutls_session_t session, - opaque ** data) +int +_gnutls_gen_cert_server_cert_req (gnutls_session_t session, opaque ** data) { - gnutls_certificate_credentials_t cred; - int size; - opaque *pdata; + gnutls_certificate_credentials_t cred; + int size; + opaque *pdata; - /* Now we need to generate the RDN sequence. This is - * already in the CERTIFICATE_CRED structure, to improve - * performance. - */ + /* Now we need to generate the RDN sequence. This is + * already in the CERTIFICATE_CRED structure, to improve + * performance. + */ - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - size = CERTTYPE_SIZE + 2; /* 2 for gnutls_certificate_type_t + 2 for size of rdn_seq + size = CERTTYPE_SIZE + 2; /* 2 for gnutls_certificate_type_t + 2 for size of rdn_seq */ - if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && - session->internals.ignore_rdn_sequence == 0) - size += cred->x509_rdn_sequence.size; + if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && + session->internals.ignore_rdn_sequence == 0) + size += cred->x509_rdn_sequence.size; - (*data) = gnutls_malloc(size); - pdata = (*data); + (*data) = gnutls_malloc (size); + pdata = (*data); - if (pdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (pdata == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - pdata[0] = CERTTYPE_SIZE - 1; + pdata[0] = CERTTYPE_SIZE - 1; - pdata[1] = RSA_SIGN; - pdata[2] = DSA_SIGN; /* only these for now */ - pdata += CERTTYPE_SIZE; + pdata[1] = RSA_SIGN; + pdata[2] = DSA_SIGN; /* only these for now */ + pdata += CERTTYPE_SIZE; - if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && - session->internals.ignore_rdn_sequence == 0) { - _gnutls_write_datum16(pdata, cred->x509_rdn_sequence); - /* pdata += cred->x509_rdn_sequence.size + 2; */ + if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && + session->internals.ignore_rdn_sequence == 0) + { + _gnutls_write_datum16 (pdata, cred->x509_rdn_sequence); + /* pdata += cred->x509_rdn_sequence.size + 2; */ } - return size; + return size; } @@ -1326,104 +1444,114 @@ int _gnutls_gen_cert_server_cert_req(gnutls_session_t session, * It is normal to return 0 with no certificates in client side. * */ -int _gnutls_get_selected_cert(gnutls_session_t session, - gnutls_cert ** apr_cert_list, - int *apr_cert_list_length, - gnutls_privkey ** apr_pkey) +int +_gnutls_get_selected_cert (gnutls_session_t session, + gnutls_cert ** apr_cert_list, + int *apr_cert_list_length, + gnutls_privkey ** apr_pkey) { - if (session->security_parameters.entity == GNUTLS_SERVER) { + if (session->security_parameters.entity == GNUTLS_SERVER) + { - /* select_client_cert() has been called before. - */ + /* select_client_cert() has been called before. + */ - *apr_cert_list = session->internals.selected_cert_list; - *apr_pkey = session->internals.selected_key; - *apr_cert_list_length = - session->internals.selected_cert_list_length; + *apr_cert_list = session->internals.selected_cert_list; + *apr_pkey = session->internals.selected_key; + *apr_cert_list_length = session->internals.selected_cert_list_length; - if (apr_cert_list_length == 0 || apr_pkey == NULL || - apr_cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + if (apr_cert_list_length == 0 || apr_pkey == NULL || + apr_cert_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - } else { /* CLIENT SIDE + } + else + { /* CLIENT SIDE */ - /* we have already decided which certificate - * to send. - */ - *apr_cert_list = session->internals.selected_cert_list; - *apr_cert_list_length = - session->internals.selected_cert_list_length; - *apr_pkey = session->internals.selected_key; + /* we have already decided which certificate + * to send. + */ + *apr_cert_list = session->internals.selected_cert_list; + *apr_cert_list_length = session->internals.selected_cert_list_length; + *apr_pkey = session->internals.selected_key; } - return 0; + return 0; } /* converts the given x509 certificate to gnutls_cert* and allocates * space for them. */ -static gnutls_cert *alloc_and_load_x509_certs(gnutls_x509_crt_t * certs, - uint ncerts) +static gnutls_cert * +alloc_and_load_x509_certs (gnutls_x509_crt_t * certs, uint ncerts) { - gnutls_cert *local_certs; - int ret = 0; - uint i, j; + gnutls_cert *local_certs; + int ret = 0; + uint i, j; - if (certs == NULL) - return NULL; + if (certs == NULL) + return NULL; - local_certs = gnutls_malloc(sizeof(gnutls_cert) * ncerts); - if (local_certs == NULL) { - gnutls_assert(); - return NULL; + local_certs = gnutls_malloc (sizeof (gnutls_cert) * ncerts); + if (local_certs == NULL) + { + gnutls_assert (); + return NULL; } - for (i = 0; i < ncerts; i++) { - ret = _gnutls_x509_crt_to_gcert(&local_certs[i], certs[i], 0); - if (ret < 0) - break; + for (i = 0; i < ncerts; i++) + { + ret = _gnutls_x509_crt_to_gcert (&local_certs[i], certs[i], 0); + if (ret < 0) + break; } - if (ret < 0) { - gnutls_assert(); - for (j = 0; j < i; j++) { - _gnutls_gcert_deinit(&local_certs[j]); + if (ret < 0) + { + gnutls_assert (); + for (j = 0; j < i; j++) + { + _gnutls_gcert_deinit (&local_certs[j]); } - gnutls_free(local_certs); - return NULL; + gnutls_free (local_certs); + return NULL; } - return local_certs; + return local_certs; } /* converts the given x509 key to gnutls_privkey* and allocates * space for it. */ -static gnutls_privkey *alloc_and_load_x509_key(gnutls_x509_privkey_t key) +static gnutls_privkey * +alloc_and_load_x509_key (gnutls_x509_privkey_t key) { - gnutls_privkey *local_key; - int ret = 0; + gnutls_privkey *local_key; + int ret = 0; - if (key == NULL) - return NULL; + if (key == NULL) + return NULL; - local_key = gnutls_malloc(sizeof(gnutls_privkey)); - if (local_key == NULL) { - gnutls_assert(); - return NULL; + local_key = gnutls_malloc (sizeof (gnutls_privkey)); + if (local_key == NULL) + { + gnutls_assert (); + return NULL; } - ret = _gnutls_x509_privkey_to_gkey(local_key, key); - if (ret < 0) { - gnutls_assert(); - return NULL; + ret = _gnutls_x509_privkey_to_gkey (local_key, key); + if (ret < 0) + { + gnutls_assert (); + return NULL; } - return local_key; + return local_key; } @@ -1433,102 +1561,113 @@ OPENPGP_PRIVKEY_TO_GKEY _E_gnutls_openpgp_privkey_to_gkey; /* converts the given pgp certificate to gnutls_cert* and allocates * space for them. */ -static gnutls_cert *alloc_and_load_pgp_certs(gnutls_openpgp_key_t cert) +static gnutls_cert * +alloc_and_load_pgp_certs (gnutls_openpgp_key_t cert) { - gnutls_cert *local_certs; - int ret = 0; + gnutls_cert *local_certs; + int ret = 0; - if (cert == NULL) - return NULL; + if (cert == NULL) + return NULL; - local_certs = gnutls_malloc(sizeof(gnutls_cert)); - if (local_certs == NULL) { - gnutls_assert(); - return NULL; + local_certs = gnutls_malloc (sizeof (gnutls_cert)); + if (local_certs == NULL) + { + gnutls_assert (); + return NULL; } - if (_E_gnutls_openpgp_key_to_gcert == NULL) { - gnutls_assert(); - return NULL; + if (_E_gnutls_openpgp_key_to_gcert == NULL) + { + gnutls_assert (); + return NULL; } - ret = _E_gnutls_openpgp_key_to_gcert(local_certs, cert); - if (ret < 0) { - gnutls_assert(); - return NULL; + ret = _E_gnutls_openpgp_key_to_gcert (local_certs, cert); + if (ret < 0) + { + gnutls_assert (); + return NULL; } - if (ret < 0) { - gnutls_assert(); - _gnutls_gcert_deinit(local_certs); - gnutls_free(local_certs); - return NULL; + if (ret < 0) + { + gnutls_assert (); + _gnutls_gcert_deinit (local_certs); + gnutls_free (local_certs); + return NULL; } - return local_certs; + return local_certs; } /* converts the given raw key to gnutls_privkey* and allocates * space for it. */ -static gnutls_privkey *alloc_and_load_pgp_key(const - gnutls_openpgp_privkey_t key) +static gnutls_privkey * +alloc_and_load_pgp_key (const gnutls_openpgp_privkey_t key) { - gnutls_privkey *local_key; - int ret = 0; + gnutls_privkey *local_key; + int ret = 0; - if (key == NULL) - return NULL; + if (key == NULL) + return NULL; - local_key = gnutls_malloc(sizeof(gnutls_privkey)); - if (local_key == NULL) { - gnutls_assert(); - return NULL; + local_key = gnutls_malloc (sizeof (gnutls_privkey)); + if (local_key == NULL) + { + gnutls_assert (); + return NULL; } - if (_E_gnutls_openpgp_privkey_to_gkey == NULL) { - gnutls_assert(); - return NULL; + if (_E_gnutls_openpgp_privkey_to_gkey == NULL) + { + gnutls_assert (); + return NULL; } - ret = _E_gnutls_openpgp_privkey_to_gkey(local_key, key); - if (ret < 0) { - gnutls_assert(); - return NULL; + ret = _E_gnutls_openpgp_privkey_to_gkey (local_key, key); + if (ret < 0) + { + gnutls_assert (); + return NULL; } - return local_key; + return local_key; } -void _gnutls_selected_certs_deinit(gnutls_session_t session) +void +_gnutls_selected_certs_deinit (gnutls_session_t session) { - if (session->internals.selected_need_free != 0) { - int i; + if (session->internals.selected_need_free != 0) + { + int i; - for (i = 0; i < session->internals.selected_cert_list_length; i++) { - _gnutls_gcert_deinit(&session->internals. - selected_cert_list[i]); + for (i = 0; i < session->internals.selected_cert_list_length; i++) + { + _gnutls_gcert_deinit (&session->internals.selected_cert_list[i]); } - session->internals.selected_cert_list = NULL; - session->internals.selected_cert_list_length = 0; + session->internals.selected_cert_list = NULL; + session->internals.selected_cert_list_length = 0; - _gnutls_gkey_deinit(session->internals.selected_key); + _gnutls_gkey_deinit (session->internals.selected_key); } - return; + return; } -void _gnutls_selected_certs_set(gnutls_session_t session, - gnutls_cert * certs, int ncerts, - gnutls_privkey * key, int need_free) +void +_gnutls_selected_certs_set (gnutls_session_t session, + gnutls_cert * certs, int ncerts, + gnutls_privkey * key, int need_free) { - _gnutls_selected_certs_deinit(session); + _gnutls_selected_certs_deinit (session); - session->internals.selected_cert_list = certs; - session->internals.selected_cert_list_length = ncerts; - session->internals.selected_key = key; - session->internals.selected_need_free = need_free; + session->internals.selected_cert_list = certs; + session->internals.selected_cert_list_length = ncerts; + session->internals.selected_key = key; + session->internals.selected_need_free = need_free; } @@ -1543,64 +1682,71 @@ void _gnutls_selected_certs_set(gnutls_session_t session, * selected certificate will be in session->internals.selected_*. * */ -int _gnutls_server_select_cert(gnutls_session_t session, - gnutls_pk_algorithm_t requested_algo) +int +_gnutls_server_select_cert (gnutls_session_t session, + gnutls_pk_algorithm_t requested_algo) { - uint i; - int idx, ret; - gnutls_certificate_credentials_t cred; - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - /* If the callback which retrieves certificate has been set, - * use it and leave. - */ - if (cred->server_get_cert_callback != NULL) - return call_get_cert_callback(session, NULL, 0, NULL, 0); - - /* Otherwise... */ - - ret = 0; - idx = -1; /* default is use no certificate */ - - - for (i = 0; i < cred->ncerts; i++) { - /* find one compatible certificate - */ - if (requested_algo == GNUTLS_PK_ANY || - requested_algo == cred->cert_list[i][0].subject_pk_algorithm) { - /* if cert type matches - */ - if (session->security_parameters.cert_type == - cred->cert_list[i][0].cert_type) { - idx = i; - break; + uint i; + int idx, ret; + gnutls_certificate_credentials_t cred; + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + /* If the callback which retrieves certificate has been set, + * use it and leave. + */ + if (cred->server_get_cert_callback != NULL) + return call_get_cert_callback (session, NULL, 0, NULL, 0); + + /* Otherwise... */ + + ret = 0; + idx = -1; /* default is use no certificate */ + + + for (i = 0; i < cred->ncerts; i++) + { + /* find one compatible certificate + */ + if (requested_algo == GNUTLS_PK_ANY || + requested_algo == cred->cert_list[i][0].subject_pk_algorithm) + { + /* if cert type matches + */ + if (session->security_parameters.cert_type == + cred->cert_list[i][0].cert_type) + { + idx = i; + break; } } } - /* store the certificate pointer for future use, in the handshake. - * (This will allow not calling this callback again.) - */ - if (idx >= 0 && ret == 0) { - _gnutls_selected_certs_set(session, - &cred->cert_list[idx][0], cred->cert_list_length[idx], - &cred->pkey[idx], 0); + /* store the certificate pointer for future use, in the handshake. + * (This will allow not calling this callback again.) + */ + if (idx >= 0 && ret == 0) + { + _gnutls_selected_certs_set (session, + &cred->cert_list[idx][0], + cred->cert_list_length[idx], + &cred->pkey[idx], 0); } - return ret; + return ret; } /* Frees the rsa_info_st structure. */ -void _gnutls_free_rsa_info( rsa_info_st* rsa) +void +_gnutls_free_rsa_info (rsa_info_st * rsa) { - _gnutls_free_datum( &rsa->modulus); - _gnutls_free_datum( &rsa->exponent); + _gnutls_free_datum (&rsa->modulus); + _gnutls_free_datum (&rsa->exponent); } - diff --git a/lib/auth_cert.h b/lib/auth_cert.h index 05d3890cad..dadd2d7d7e 100644 --- a/lib/auth_cert.h +++ b/lib/auth_cert.h @@ -33,126 +33,127 @@ /* This structure may be complex, but it's the only way to * support a server that has multiple certificates */ -typedef struct gnutls_certificate_credentials_st { - gnutls_dh_params_t dh_params; - gnutls_rsa_params_t rsa_params; - /* this callback is used to retrieve the DH or RSA - * parameters. - */ - gnutls_params_function *params_func; - - gnutls_cert **cert_list; - /* contains a list of a list of certificates. - * eg (X509): [0] certificate1, certificate11, certificate111 - * (if more than one, one certificate certifies the one before) - * [1] certificate2, certificate22, ... - */ - uint *cert_list_length; - /* contains the number of the certificates in a - * row (should be 1 for OpenPGP keys). - */ - uint ncerts; /* contains the number of columns in cert_list. +typedef struct gnutls_certificate_credentials_st +{ + gnutls_dh_params_t dh_params; + gnutls_rsa_params_t rsa_params; + /* this callback is used to retrieve the DH or RSA + * parameters. + */ + gnutls_params_function *params_func; + + gnutls_cert **cert_list; + /* contains a list of a list of certificates. + * eg (X509): [0] certificate1, certificate11, certificate111 + * (if more than one, one certificate certifies the one before) + * [1] certificate2, certificate22, ... + */ + uint *cert_list_length; + /* contains the number of the certificates in a + * row (should be 1 for OpenPGP keys). + */ + uint ncerts; /* contains the number of columns in cert_list. * This is the same with the number of pkeys. */ - gnutls_privkey *pkey; - /* private keys. It contains ncerts private - * keys. pkey[i] corresponds to certificate in - * cert_list[i][0]. - */ + gnutls_privkey *pkey; + /* private keys. It contains ncerts private + * keys. pkey[i] corresponds to certificate in + * cert_list[i][0]. + */ - /* OpenPGP specific stuff */ + /* OpenPGP specific stuff */ - gnutls_datum_t keyring; - char *pgp_key_server; - int pgp_key_server_port; + gnutls_datum_t keyring; + char *pgp_key_server; + int pgp_key_server_port; - char *pgp_trustdb; + char *pgp_trustdb; - /* X509 specific stuff */ + /* X509 specific stuff */ - gnutls_x509_crt_t *x509_ca_list; - uint x509_ncas; /* number of CAs in the ca_list + gnutls_x509_crt_t *x509_ca_list; + uint x509_ncas; /* number of CAs in the ca_list */ - gnutls_x509_crl_t *x509_crl_list; - uint x509_ncrls; /* number of CRLs in the crl_list + gnutls_x509_crl_t *x509_crl_list; + uint x509_ncrls; /* number of CRLs in the crl_list */ - unsigned int verify_flags; /* flags to be used at + unsigned int verify_flags; /* flags to be used at * certificate verification. */ - unsigned int verify_depth; - unsigned int verify_bits; - - /* holds a sequence of the - * RDNs of the CAs above. - * This is better than - * generating on every handshake. - */ - gnutls_datum_t x509_rdn_sequence; - - gnutls_certificate_client_retrieve_function *client_get_cert_callback; - gnutls_certificate_server_retrieve_function *server_get_cert_callback; + unsigned int verify_depth; + unsigned int verify_bits; + + /* holds a sequence of the + * RDNs of the CAs above. + * This is better than + * generating on every handshake. + */ + gnutls_datum_t x509_rdn_sequence; + + gnutls_certificate_client_retrieve_function *client_get_cert_callback; + gnutls_certificate_server_retrieve_function *server_get_cert_callback; } certificate_credentials_st; -typedef struct rsa_info_st { - gnutls_datum_t modulus; - gnutls_datum_t exponent; +typedef struct rsa_info_st +{ + gnutls_datum_t modulus; + gnutls_datum_t exponent; } rsa_info_st; -typedef struct cert_auth_info_st { - int certificate_requested; /* if the peer requested certificate +typedef struct cert_auth_info_st +{ + int certificate_requested; /* if the peer requested certificate * this is non zero; */ - /* These (dh/rsa) are just copies from the credentials_t structure. - * They must be freed. - */ - dh_info_st dh; - rsa_info_st rsa_export; + /* These (dh/rsa) are just copies from the credentials_t structure. + * They must be freed. + */ + dh_info_st dh; + rsa_info_st rsa_export; - gnutls_datum_t *raw_certificate_list; /* holds the raw certificate of the - * peer. - */ - unsigned int ncerts; /* holds the size of the list above */ + gnutls_datum_t *raw_certificate_list; /* holds the raw certificate of the + * peer. + */ + unsigned int ncerts; /* holds the size of the list above */ } *cert_auth_info_t; typedef struct cert_auth_info_st cert_auth_info_st; -void _gnutls_free_rsa_info( rsa_info_st* rsa); +void _gnutls_free_rsa_info (rsa_info_st * rsa); /* AUTH X509 functions */ -int _gnutls_gen_cert_server_certificate(gnutls_session_t, opaque **); -int _gnutls_gen_cert_client_certificate(gnutls_session_t, opaque **); -int _gnutls_gen_cert_client_cert_vrfy(gnutls_session_t, opaque **); -int _gnutls_gen_cert_server_cert_req(gnutls_session_t, opaque **); -int _gnutls_proc_cert_cert_req(gnutls_session_t, opaque *, size_t); -int _gnutls_proc_cert_client_cert_vrfy(gnutls_session_t, opaque *, size_t); -int _gnutls_proc_cert_server_certificate(gnutls_session_t, opaque *, - size_t); -int _gnutls_get_selected_cert(gnutls_session_t session, - gnutls_cert ** apr_cert_list, - int *apr_cert_list_length, - gnutls_privkey ** apr_pkey); - -int _gnutls_server_select_cert(struct gnutls_session_int *, - gnutls_pk_algorithm_t); -void _gnutls_selected_certs_deinit(gnutls_session_t session); -void _gnutls_selected_certs_set(gnutls_session_t session, - gnutls_cert * certs, int ncerts, - gnutls_privkey * key, int need_free); +int _gnutls_gen_cert_server_certificate (gnutls_session_t, opaque **); +int _gnutls_gen_cert_client_certificate (gnutls_session_t, opaque **); +int _gnutls_gen_cert_client_cert_vrfy (gnutls_session_t, opaque **); +int _gnutls_gen_cert_server_cert_req (gnutls_session_t, opaque **); +int _gnutls_proc_cert_cert_req (gnutls_session_t, opaque *, size_t); +int _gnutls_proc_cert_client_cert_vrfy (gnutls_session_t, opaque *, size_t); +int _gnutls_proc_cert_server_certificate (gnutls_session_t, opaque *, size_t); +int _gnutls_get_selected_cert (gnutls_session_t session, + gnutls_cert ** apr_cert_list, + int *apr_cert_list_length, + gnutls_privkey ** apr_pkey); + +int _gnutls_server_select_cert (struct gnutls_session_int *, + gnutls_pk_algorithm_t); +void _gnutls_selected_certs_deinit (gnutls_session_t session); +void _gnutls_selected_certs_set (gnutls_session_t session, + gnutls_cert * certs, int ncerts, + gnutls_privkey * key, int need_free); #define _gnutls_proc_cert_client_certificate _gnutls_proc_cert_server_certificate -gnutls_rsa_params_t _gnutls_certificate_get_rsa_params(const - gnutls_certificate_credentials_t - sc, - gnutls_session_t); -gnutls_dh_params_t _gnutls_certificate_get_dh_params(const - gnutls_certificate_credentials_t - sc, - gnutls_session_t - session); +gnutls_rsa_params_t _gnutls_certificate_get_rsa_params (const + gnutls_certificate_credentials_t + sc, gnutls_session_t); +gnutls_dh_params_t _gnutls_certificate_get_dh_params (const + gnutls_certificate_credentials_t + sc, + gnutls_session_t + session); #endif diff --git a/lib/auth_dh_common.c b/lib/auth_dh_common.c index f6c88015a2..a56f9a9890 100644 --- a/lib/auth_dh_common.c +++ b/lib/auth_dh_common.c @@ -41,248 +41,265 @@ /* Frees the dh_info_st structure. */ -void _gnutls_free_dh_info( dh_info_st* dh) +void +_gnutls_free_dh_info (dh_info_st * dh) { - dh->secret_bits = 0; - _gnutls_free_datum( &dh->prime); - _gnutls_free_datum( &dh->generator); - _gnutls_free_datum( &dh->public_key); + dh->secret_bits = 0; + _gnutls_free_datum (&dh->prime); + _gnutls_free_datum (&dh->generator); + _gnutls_free_datum (&dh->public_key); } -int _gnutls_proc_dh_common_client_kx(gnutls_session_t session, - opaque * data, size_t _data_size, - mpi_t g, mpi_t p) +int +_gnutls_proc_dh_common_client_kx (gnutls_session_t session, + opaque * data, size_t _data_size, + mpi_t g, mpi_t p) { - uint16 n_Y; - size_t _n_Y; - int ret; - ssize_t data_size = _data_size; + uint16 n_Y; + size_t _n_Y; + int ret; + ssize_t data_size = _data_size; - DECR_LEN(data_size, 2); - n_Y = _gnutls_read_uint16(&data[0]); - _n_Y = n_Y; + DECR_LEN (data_size, 2); + n_Y = _gnutls_read_uint16 (&data[0]); + _n_Y = n_Y; - DECR_LEN(data_size, n_Y); - if (_gnutls_mpi_scan_nz(&session->key->client_Y, &data[2], &_n_Y)) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + DECR_LEN (data_size, n_Y); + if (_gnutls_mpi_scan_nz (&session->key->client_Y, &data[2], &_n_Y)) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - _gnutls_dh_set_peer_public(session, session->key->client_Y); + _gnutls_dh_set_peer_public (session, session->key->client_Y); - session->key->KEY = - gnutls_calc_dh_key(session->key->client_Y, - session->key->dh_secret, p); + session->key->KEY = + gnutls_calc_dh_key (session->key->client_Y, session->key->dh_secret, p); - if (session->key->KEY == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (session->key->KEY == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_mpi_release(&session->key->client_Y); - _gnutls_mpi_release(&session->key->dh_secret); + _gnutls_mpi_release (&session->key->client_Y); + _gnutls_mpi_release (&session->key->dh_secret); - ret = _gnutls_generate_session_key(session->key); - _gnutls_mpi_release(&session->key->KEY); + ret = _gnutls_generate_session_key (session->key); + _gnutls_mpi_release (&session->key->KEY); - if (ret < 0) { - return ret; + if (ret < 0) + { + return ret; } - return 0; + return 0; } -int _gnutls_gen_dh_common_client_kx(gnutls_session_t session, - opaque ** data) +int +_gnutls_gen_dh_common_client_kx (gnutls_session_t session, opaque ** data) { - mpi_t x = NULL, X = NULL; - size_t n_X; - int ret; - - *data = NULL; - - X = gnutls_calc_dh_secret(&x, session->key->client_g, - session->key->client_p); - if (X == NULL || x == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; + mpi_t x = NULL, X = NULL; + size_t n_X; + int ret; + + *data = NULL; + + X = gnutls_calc_dh_secret (&x, session->key->client_g, + session->key->client_p); + if (X == NULL || x == NULL) + { + gnutls_assert (); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; } - _gnutls_dh_set_secret_bits(session, _gnutls_mpi_get_nbits(x)); + _gnutls_dh_set_secret_bits (session, _gnutls_mpi_get_nbits (x)); - _gnutls_mpi_print(NULL, &n_X, X); - (*data) = gnutls_malloc(n_X + 2); - if (*data == NULL) { - ret = GNUTLS_E_MEMORY_ERROR; - goto error; + _gnutls_mpi_print (NULL, &n_X, X); + (*data) = gnutls_malloc (n_X + 2); + if (*data == NULL) + { + ret = GNUTLS_E_MEMORY_ERROR; + goto error; } - _gnutls_mpi_print(&(*data)[2], &n_X, X); - _gnutls_mpi_release(&X); + _gnutls_mpi_print (&(*data)[2], &n_X, X); + _gnutls_mpi_release (&X); - _gnutls_write_uint16(n_X, &(*data)[0]); + _gnutls_write_uint16 (n_X, &(*data)[0]); - /* calculate the key after calculating the message */ - session->key->KEY = - gnutls_calc_dh_key(session->key->client_Y, x, - session->key->client_p); + /* calculate the key after calculating the message */ + session->key->KEY = + gnutls_calc_dh_key (session->key->client_Y, x, session->key->client_p); - _gnutls_mpi_release(&x); - if (session->key->KEY == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; + _gnutls_mpi_release (&x); + if (session->key->KEY == NULL) + { + gnutls_assert (); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; } - _gnutls_dh_set_peer_public(session, session->key->client_Y); + _gnutls_dh_set_peer_public (session, session->key->client_Y); - /* THESE SHOULD BE DISCARDED */ - _gnutls_mpi_release(&session->key->client_Y); - _gnutls_mpi_release(&session->key->client_p); - _gnutls_mpi_release(&session->key->client_g); + /* THESE SHOULD BE DISCARDED */ + _gnutls_mpi_release (&session->key->client_Y); + _gnutls_mpi_release (&session->key->client_p); + _gnutls_mpi_release (&session->key->client_g); - ret = _gnutls_generate_session_key(session->key); - _gnutls_mpi_release(&session->key->KEY); + ret = _gnutls_generate_session_key (session->key); + _gnutls_mpi_release (&session->key->KEY); - if (ret < 0) { - gnutls_assert(); - goto error; + if (ret < 0) + { + gnutls_assert (); + goto error; } - return n_X + 2; + return n_X + 2; - error: - _gnutls_mpi_release(&x); - _gnutls_mpi_release(&X); - gnutls_free(*data); - *data = NULL; - return ret; +error: + _gnutls_mpi_release (&x); + _gnutls_mpi_release (&X); + gnutls_free (*data); + *data = NULL; + return ret; } -int _gnutls_proc_dh_common_server_kx(gnutls_session_t session, - opaque * data, size_t _data_size) +int +_gnutls_proc_dh_common_server_kx (gnutls_session_t session, + opaque * data, size_t _data_size) { - uint16 n_Y, n_g, n_p; - size_t _n_Y, _n_g, _n_p; - uint8 *data_p; - uint8 *data_g; - uint8 *data_Y; - int i, bits; - ssize_t data_size = _data_size; - - i = 0; - DECR_LEN(data_size, 2); - n_p = _gnutls_read_uint16(&data[i]); - i += 2; - - DECR_LEN(data_size, n_p); - data_p = &data[i]; - i += n_p; - if (i > data_size) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + uint16 n_Y, n_g, n_p; + size_t _n_Y, _n_g, _n_p; + uint8 *data_p; + uint8 *data_g; + uint8 *data_Y; + int i, bits; + ssize_t data_size = _data_size; + + i = 0; + DECR_LEN (data_size, 2); + n_p = _gnutls_read_uint16 (&data[i]); + i += 2; + + DECR_LEN (data_size, n_p); + data_p = &data[i]; + i += n_p; + if (i > data_size) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - DECR_LEN(data_size, 2); - n_g = _gnutls_read_uint16(&data[i]); - i += 2; - - DECR_LEN(data_size, n_g); - data_g = &data[i]; - i += n_g; - - DECR_LEN(data_size, 2); - n_Y = _gnutls_read_uint16(&data[i]); - i += 2; - - DECR_LEN(data_size, n_Y); - data_Y = &data[i]; - i += n_Y; - - _n_Y = n_Y; - _n_g = n_g; - _n_p = n_p; - - if (_gnutls_mpi_scan_nz(&session->key->client_Y, data_Y, &_n_Y) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + DECR_LEN (data_size, 2); + n_g = _gnutls_read_uint16 (&data[i]); + i += 2; + + DECR_LEN (data_size, n_g); + data_g = &data[i]; + i += n_g; + + DECR_LEN (data_size, 2); + n_Y = _gnutls_read_uint16 (&data[i]); + i += 2; + + DECR_LEN (data_size, n_Y); + data_Y = &data[i]; + i += n_Y; + + _n_Y = n_Y; + _n_g = n_g; + _n_p = n_p; + + if (_gnutls_mpi_scan_nz (&session->key->client_Y, data_Y, &_n_Y) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - if (_gnutls_mpi_scan_nz(&session->key->client_g, data_g, &_n_g) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + if (_gnutls_mpi_scan_nz (&session->key->client_g, data_g, &_n_g) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - if (_gnutls_mpi_scan_nz(&session->key->client_p, data_p, &_n_p) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + if (_gnutls_mpi_scan_nz (&session->key->client_p, data_p, &_n_p) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - bits = _gnutls_dh_get_allowed_prime_bits(session); - if (bits < 0) { - gnutls_assert(); - return bits; + bits = _gnutls_dh_get_allowed_prime_bits (session); + if (bits < 0) + { + gnutls_assert (); + return bits; } - if (_gnutls_mpi_get_nbits(session->key->client_p) < (size_t) bits) { - /* the prime used by the peer is not acceptable - */ - gnutls_assert(); - return GNUTLS_E_DH_PRIME_UNACCEPTABLE; + if (_gnutls_mpi_get_nbits (session->key->client_p) < (size_t) bits) + { + /* the prime used by the peer is not acceptable + */ + gnutls_assert (); + return GNUTLS_E_DH_PRIME_UNACCEPTABLE; } - _gnutls_dh_set_group(session, session->key->client_g, - session->key->client_p); - _gnutls_dh_set_peer_public(session, session->key->client_Y); + _gnutls_dh_set_group (session, session->key->client_g, + session->key->client_p); + _gnutls_dh_set_peer_public (session, session->key->client_Y); - return n_Y + n_p + n_g + 6; + return n_Y + n_p + n_g + 6; } -int _gnutls_dh_common_print_server_kx(gnutls_session_t session, - mpi_t g, mpi_t p, opaque ** data) +int +_gnutls_dh_common_print_server_kx (gnutls_session_t session, + mpi_t g, mpi_t p, opaque ** data) { - mpi_t x, X; - size_t n_X, n_g, n_p; - int ret; - uint8 *data_p; - uint8 *data_g; - uint8 *data_X; - - X = gnutls_calc_dh_secret(&x, g, p); - if (X == NULL || x == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + mpi_t x, X; + size_t n_X, n_g, n_p; + int ret; + uint8 *data_p; + uint8 *data_g; + uint8 *data_X; + + X = gnutls_calc_dh_secret (&x, g, p); + if (X == NULL || x == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - session->key->dh_secret = x; - _gnutls_dh_set_secret_bits(session, _gnutls_mpi_get_nbits(x)); - - _gnutls_mpi_print(NULL, &n_g, g); - _gnutls_mpi_print(NULL, &n_p, p); - _gnutls_mpi_print(NULL, &n_X, X); - (*data) = gnutls_malloc(n_g + n_p + n_X + 6); - if (*data == NULL) { - _gnutls_mpi_release(&X); - return GNUTLS_E_MEMORY_ERROR; + session->key->dh_secret = x; + _gnutls_dh_set_secret_bits (session, _gnutls_mpi_get_nbits (x)); + + _gnutls_mpi_print (NULL, &n_g, g); + _gnutls_mpi_print (NULL, &n_p, p); + _gnutls_mpi_print (NULL, &n_X, X); + (*data) = gnutls_malloc (n_g + n_p + n_X + 6); + if (*data == NULL) + { + _gnutls_mpi_release (&X); + return GNUTLS_E_MEMORY_ERROR; } - data_p = &(*data)[0]; - _gnutls_mpi_print(&data_p[2], &n_p, p); + data_p = &(*data)[0]; + _gnutls_mpi_print (&data_p[2], &n_p, p); - _gnutls_write_uint16(n_p, data_p); + _gnutls_write_uint16 (n_p, data_p); - data_g = &data_p[2 + n_p]; - _gnutls_mpi_print(&data_g[2], &n_g, g); + data_g = &data_p[2 + n_p]; + _gnutls_mpi_print (&data_g[2], &n_g, g); - _gnutls_write_uint16(n_g, data_g); + _gnutls_write_uint16 (n_g, data_g); - data_X = &data_g[2 + n_g]; - _gnutls_mpi_print(&data_X[2], &n_X, X); - _gnutls_mpi_release(&X); + data_X = &data_g[2 + n_g]; + _gnutls_mpi_print (&data_X[2], &n_X, X); + _gnutls_mpi_release (&X); - _gnutls_write_uint16(n_X, data_X); + _gnutls_write_uint16 (n_X, data_X); - ret = n_p + n_g + n_X + 6; + ret = n_p + n_g + n_X + 6; - return ret; + return ret; } diff --git a/lib/auth_dh_common.h b/lib/auth_dh_common.h index c283f1f562..3665248a40 100644 --- a/lib/auth_dh_common.h +++ b/lib/auth_dh_common.h @@ -25,22 +25,23 @@ #ifndef AUTH_DH_COMMON # define AUTH_DH_COMMON -typedef struct { - int secret_bits; +typedef struct +{ + int secret_bits; - gnutls_datum_t prime; - gnutls_datum_t generator; - gnutls_datum_t public_key; + gnutls_datum_t prime; + gnutls_datum_t generator; + gnutls_datum_t public_key; } dh_info_st; -void _gnutls_free_dh_info( dh_info_st* dh); -int _gnutls_gen_dh_common_client_kx(gnutls_session_t, opaque **); -int _gnutls_proc_dh_common_client_kx(gnutls_session_t session, - opaque * data, size_t _data_size, - mpi_t p, mpi_t g); -int _gnutls_dh_common_print_server_kx(gnutls_session_t, mpi_t g, mpi_t p, - opaque ** data); -int _gnutls_proc_dh_common_server_kx(gnutls_session_t session, - opaque * data, size_t _data_size); +void _gnutls_free_dh_info (dh_info_st * dh); +int _gnutls_gen_dh_common_client_kx (gnutls_session_t, opaque **); +int _gnutls_proc_dh_common_client_kx (gnutls_session_t session, + opaque * data, size_t _data_size, + mpi_t p, mpi_t g); +int _gnutls_dh_common_print_server_kx (gnutls_session_t, mpi_t g, mpi_t p, + opaque ** data); +int _gnutls_proc_dh_common_server_kx (gnutls_session_t session, + opaque * data, size_t _data_size); #endif diff --git a/lib/auth_dhe.c b/lib/auth_dhe.c index 049cc35d1c..f3952a3e3a 100644 --- a/lib/auth_dhe.c +++ b/lib/auth_dhe.c @@ -40,221 +40,236 @@ #include <gnutls_state.h> #include <auth_dh_common.h> -static int gen_dhe_server_kx(gnutls_session_t, opaque **); -static int proc_dhe_server_kx(gnutls_session_t, opaque *, size_t); -static int proc_dhe_client_kx(gnutls_session_t, opaque *, size_t); +static int gen_dhe_server_kx (gnutls_session_t, opaque **); +static int proc_dhe_server_kx (gnutls_session_t, opaque *, size_t); +static int proc_dhe_client_kx (gnutls_session_t, opaque *, size_t); const mod_auth_st dhe_rsa_auth_struct = { - "DHE_RSA", - _gnutls_gen_cert_server_certificate, - _gnutls_gen_cert_client_certificate, - gen_dhe_server_kx, - _gnutls_gen_dh_common_client_kx, - _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ - _gnutls_gen_cert_server_cert_req, /* server cert request */ - - _gnutls_proc_cert_server_certificate, - _gnutls_proc_cert_client_certificate, - proc_dhe_server_kx, - proc_dhe_client_kx, - _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ - _gnutls_proc_cert_cert_req /* proc server cert request */ + "DHE_RSA", + _gnutls_gen_cert_server_certificate, + _gnutls_gen_cert_client_certificate, + gen_dhe_server_kx, + _gnutls_gen_dh_common_client_kx, + _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ + _gnutls_gen_cert_server_cert_req, /* server cert request */ + + _gnutls_proc_cert_server_certificate, + _gnutls_proc_cert_client_certificate, + proc_dhe_server_kx, + proc_dhe_client_kx, + _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ + _gnutls_proc_cert_cert_req /* proc server cert request */ }; const mod_auth_st dhe_dss_auth_struct = { - "DHE_DSS", - _gnutls_gen_cert_server_certificate, - _gnutls_gen_cert_client_certificate, - gen_dhe_server_kx, - _gnutls_gen_dh_common_client_kx, - _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ - _gnutls_gen_cert_server_cert_req, /* server cert request */ - - _gnutls_proc_cert_server_certificate, - _gnutls_proc_cert_client_certificate, - proc_dhe_server_kx, - proc_dhe_client_kx, - _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ - _gnutls_proc_cert_cert_req /* proc server cert request */ + "DHE_DSS", + _gnutls_gen_cert_server_certificate, + _gnutls_gen_cert_client_certificate, + gen_dhe_server_kx, + _gnutls_gen_dh_common_client_kx, + _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ + _gnutls_gen_cert_server_cert_req, /* server cert request */ + + _gnutls_proc_cert_server_certificate, + _gnutls_proc_cert_client_certificate, + proc_dhe_server_kx, + proc_dhe_client_kx, + _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ + _gnutls_proc_cert_cert_req /* proc server cert request */ }; -static int gen_dhe_server_kx(gnutls_session_t session, opaque ** data) +static int +gen_dhe_server_kx (gnutls_session_t session, opaque ** data) { - mpi_t g, p; - const mpi_t *mpis; - int ret = 0, data_size; - int bits; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length; - gnutls_datum_t signature, ddata; - gnutls_certificate_credentials_t cred; - gnutls_dh_params_t dh_params; - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + mpi_t g, p; + const mpi_t *mpis; + int ret = 0, data_size; + int bits; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + gnutls_datum_t signature, ddata; + gnutls_certificate_credentials_t cred; + gnutls_dh_params_t dh_params; + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - bits = _gnutls_dh_get_allowed_prime_bits(session); + bits = _gnutls_dh_get_allowed_prime_bits (session); - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert (session, &apr_cert_list, + &apr_cert_list_length, &apr_pkey)) < 0) + { + gnutls_assert (); + return ret; } - dh_params = _gnutls_certificate_get_dh_params(cred, session); - mpis = _gnutls_get_dh_params(dh_params); - if (mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; + dh_params = _gnutls_certificate_get_dh_params (cred, session); + mpis = _gnutls_get_dh_params (dh_params); + if (mpis == NULL) + { + gnutls_assert (); + return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; } - p = mpis[0]; - g = mpis[1]; + p = mpis[0]; + g = mpis[1]; - if ((ret = _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, - sizeof(cert_auth_info_st), 0)) < 0) { - gnutls_assert(); - return ret; + if ((ret = _gnutls_auth_info_set (session, GNUTLS_CRD_CERTIFICATE, + sizeof (cert_auth_info_st), 0)) < 0) + { + gnutls_assert (); + return ret; } - _gnutls_dh_set_group(session, g, p); + _gnutls_dh_set_group (session, g, p); - ret = _gnutls_dh_common_print_server_kx(session, g, p, data); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_dh_common_print_server_kx (session, g, p, data); + if (ret < 0) + { + gnutls_assert (); + return ret; } - data_size = ret; - - /* Generate the signature. */ - - ddata.data = *data; - ddata.size = data_size; - - if (apr_pkey != NULL) { - if ((ret = - _gnutls_tls_sign_params(session, &apr_cert_list[0], - apr_pkey, &ddata, &signature)) < 0) { - gnutls_assert(); - gnutls_free(*data); - return ret; + data_size = ret; + + /* Generate the signature. */ + + ddata.data = *data; + ddata.size = data_size; + + if (apr_pkey != NULL) + { + if ((ret = + _gnutls_tls_sign_params (session, &apr_cert_list[0], + apr_pkey, &ddata, &signature)) < 0) + { + gnutls_assert (); + gnutls_free (*data); + return ret; } - } else { - gnutls_assert(); - return data_size; /* do not put a signature - ILLEGAL! */ + } + else + { + gnutls_assert (); + return data_size; /* do not put a signature - ILLEGAL! */ } - *data = gnutls_realloc_fast(*data, data_size + signature.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&signature); - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + *data = gnutls_realloc_fast (*data, data_size + signature.size + 2); + if (*data == NULL) + { + _gnutls_free_datum (&signature); + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_write_datum16(&(*data)[data_size], signature); - data_size += signature.size + 2; + _gnutls_write_datum16 (&(*data)[data_size], signature); + data_size += signature.size + 2; - _gnutls_free_datum(&signature); + _gnutls_free_datum (&signature); - return data_size; + return data_size; } -static int proc_dhe_server_kx(gnutls_session_t session, opaque * data, - size_t _data_size) +static int +proc_dhe_server_kx (gnutls_session_t session, opaque * data, + size_t _data_size) { - int sigsize; - gnutls_datum_t vparams, signature; - int ret; - cert_auth_info_t info = _gnutls_get_auth_info(session); - ssize_t data_size = _data_size; - gnutls_cert peer_cert; - - if (info == NULL || info->ncerts == 0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return GNUTLS_E_INTERNAL_ERROR; + int sigsize; + gnutls_datum_t vparams, signature; + int ret; + cert_auth_info_t info = _gnutls_get_auth_info (session); + ssize_t data_size = _data_size; + gnutls_cert peer_cert; + + if (info == NULL || info->ncerts == 0) + { + gnutls_assert (); + /* we need this in order to get peer's certificate */ + return GNUTLS_E_INTERNAL_ERROR; } - ret = _gnutls_proc_dh_common_server_kx(session, data, _data_size); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_proc_dh_common_server_kx (session, data, _data_size); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* VERIFY SIGNATURE */ + /* VERIFY SIGNATURE */ - vparams.size = ret; - vparams.data = data; + vparams.size = ret; + vparams.data = data; - DECR_LEN(data_size, 2); - sigsize = _gnutls_read_uint16(&data[vparams.size]); + DECR_LEN (data_size, 2); + sigsize = _gnutls_read_uint16 (&data[vparams.size]); - DECR_LEN(data_size, sigsize); - signature.data = &data[vparams.size + 2]; - signature.size = sigsize; + DECR_LEN (data_size, sigsize); + signature.data = &data[vparams.size + 2]; + signature.size = sigsize; - if ((ret = - _gnutls_raw_cert_to_gcert(&peer_cert, - session->security_parameters.cert_type, - &info->raw_certificate_list[0], - CERT_NO_COPY)) < 0) { - gnutls_assert(); - return ret; + if ((ret = + _gnutls_raw_cert_to_gcert (&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_NO_COPY)) < 0) + { + gnutls_assert (); + return ret; } - ret = - _gnutls_verify_sig_params(session, - &peer_cert, &vparams, &signature); + ret = _gnutls_verify_sig_params (session, &peer_cert, &vparams, &signature); - _gnutls_gcert_deinit(&peer_cert); - if (ret < 0) { - gnutls_assert(); - return ret; + _gnutls_gcert_deinit (&peer_cert); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return ret; + return ret; } -static int proc_dhe_client_kx(gnutls_session_t session, opaque * data, - size_t _data_size) +static int +proc_dhe_client_kx (gnutls_session_t session, opaque * data, + size_t _data_size) { - gnutls_certificate_credentials_t cred; - int ret; - mpi_t p, g; - const mpi_t *mpis; - gnutls_dh_params_t dh_params; - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + gnutls_certificate_credentials_t cred; + int ret; + mpi_t p, g; + const mpi_t *mpis; + gnutls_dh_params_t dh_params; + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - dh_params = _gnutls_certificate_get_dh_params(cred, session); - mpis = _gnutls_get_dh_params(dh_params); - if (mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; + dh_params = _gnutls_certificate_get_dh_params (cred, session); + mpis = _gnutls_get_dh_params (dh_params); + if (mpis == NULL) + { + gnutls_assert (); + return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; } - p = mpis[0]; - g = mpis[1]; + p = mpis[0]; + g = mpis[1]; - ret = - _gnutls_proc_dh_common_client_kx(session, data, _data_size, g, p); + ret = _gnutls_proc_dh_common_client_kx (session, data, _data_size, g, p); - return ret; + return ret; } diff --git a/lib/auth_psk.c b/lib/auth_psk.c index ff0fed0831..dd4bf39b06 100644 --- a/lib/auth_psk.c +++ b/lib/auth_psk.c @@ -36,51 +36,53 @@ #include <gnutls_str.h> #include <gnutls_datum.h> -int _gnutls_gen_psk_client_kx(gnutls_session_t, opaque **); +int _gnutls_gen_psk_client_kx (gnutls_session_t, opaque **); -int _gnutls_proc_psk_client_kx(gnutls_session_t, opaque *, size_t); +int _gnutls_proc_psk_client_kx (gnutls_session_t, opaque *, size_t); const mod_auth_st psk_auth_struct = { - "PSK", - NULL, - NULL, - NULL, - _gnutls_gen_psk_client_kx, - NULL, - NULL, - - NULL, - NULL, /* certificate */ - NULL, - _gnutls_proc_psk_client_kx, - NULL, - NULL + "PSK", + NULL, + NULL, + NULL, + _gnutls_gen_psk_client_kx, + NULL, + NULL, + + NULL, + NULL, /* certificate */ + NULL, + _gnutls_proc_psk_client_kx, + NULL, + NULL }; /* Set the PSK premaster secret. */ -static int set_psk_session_key( gnutls_session_t session, gnutls_datum* psk) +static int +set_psk_session_key (gnutls_session_t session, gnutls_datum * psk) { - /* set the session key - */ - session->key->key.size = 4 + psk->size + psk->size; - session->key->key.data = gnutls_malloc( session->key->key.size); - if (session->key->key.data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* set the session key + */ + session->key->key.size = 4 + psk->size + psk->size; + session->key->key.data = gnutls_malloc (session->key->key.size); + if (session->key->key.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - /* format of the premaster secret: - * (uint16) psk_size - * psk_size bytes of zeros - * (uint16) psk_size - * the psk - */ - _gnutls_write_uint16( psk->size, session->key->key.data); - memset( &session->key->key.data[2], 0, psk->size); - _gnutls_write_datum16( &session->key->key.data[psk->size + 2], *psk); - - return 0; + /* format of the premaster secret: + * (uint16) psk_size + * psk_size bytes of zeros + * (uint16) psk_size + * the psk + */ + _gnutls_write_uint16 (psk->size, session->key->key.data); + memset (&session->key->key.data[2], 0, psk->size); + _gnutls_write_datum16 (&session->key->key.data[psk->size + 2], *psk); + + return 0; } @@ -94,112 +96,123 @@ static int set_psk_session_key( gnutls_session_t session, gnutls_datum* psk) * } ClientKeyExchange; * */ -int _gnutls_gen_psk_client_kx(gnutls_session_t session, opaque ** data) +int +_gnutls_gen_psk_client_kx (gnutls_session_t session, opaque ** data) { - int ret; - gnutls_psk_client_credentials_t cred; - gnutls_datum *psk; - - cred = (gnutls_psk_client_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_PSK, NULL); - - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + int ret; + gnutls_psk_client_credentials_t cred; + gnutls_datum *psk; + + cred = (gnutls_psk_client_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL); + + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - psk = &cred->key; + psk = &cred->key; - if (cred->username.data == NULL || psk == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + if (cred->username.data == NULL || psk == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - ret = set_psk_session_key( session, psk); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = set_psk_session_key (session, psk); + if (ret < 0) + { + gnutls_assert (); + return ret; } - (*data) = gnutls_malloc( 2 + cred->username.size); - if ((*data) == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + (*data) = gnutls_malloc (2 + cred->username.size); + if ((*data) == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_write_datum16( *data, cred->username); + _gnutls_write_datum16 (*data, cred->username); - return (cred->username.size + 2); + return (cred->username.size + 2); } /* just read the username from the client key exchange. */ -int _gnutls_proc_psk_client_kx(gnutls_session_t session, opaque * data, - size_t _data_size) +int +_gnutls_proc_psk_client_kx (gnutls_session_t session, opaque * data, + size_t _data_size) { - ssize_t data_size = _data_size; - int ret; - gnutls_datum username; - gnutls_psk_client_credentials_t cred; - gnutls_datum psk; - psk_server_auth_info_t info; - - cred = (gnutls_psk_client_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_PSK, NULL); - - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + ssize_t data_size = _data_size; + int ret; + gnutls_datum username; + gnutls_psk_client_credentials_t cred; + gnutls_datum psk; + psk_server_auth_info_t info; + + cred = (gnutls_psk_client_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL); + + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - if ((ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_PSK, - sizeof(psk_server_auth_info_st), 1)) < 0) { - gnutls_assert(); - return ret; + if ((ret = + _gnutls_auth_info_set (session, GNUTLS_CRD_PSK, + sizeof (psk_server_auth_info_st), 1)) < 0) + { + gnutls_assert (); + return ret; } - DECR_LEN(data_size, 2); - username.size = _gnutls_read_uint16(&data[0]); + DECR_LEN (data_size, 2); + username.size = _gnutls_read_uint16 (&data[0]); - DECR_LEN(data_size, username.size); + DECR_LEN (data_size, username.size); - username.data = &data[2]; + username.data = &data[2]; - /* copy the username to the auth info structures - */ - info = _gnutls_get_auth_info(session); + /* copy the username to the auth info structures + */ + info = _gnutls_get_auth_info (session); - if (username.size > MAX_SRP_USERNAME) { - gnutls_assert(); - return GNUTLS_E_ILLEGAL_SRP_USERNAME; + if (username.size > MAX_SRP_USERNAME) + { + gnutls_assert (); + return GNUTLS_E_ILLEGAL_SRP_USERNAME; } - memcpy(info->username, username.data, username.size); - info->username[ username.size] = 0; + memcpy (info->username, username.data, username.size); + info->username[username.size] = 0; - /* find the key of this username - */ - ret = _gnutls_psk_pwd_find_entry( session, info->username, &psk); - if (ret < 0) { - gnutls_assert(); - return ret; + /* find the key of this username + */ + ret = _gnutls_psk_pwd_find_entry (session, info->username, &psk); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = set_psk_session_key( session, &psk); - if (ret < 0) { - gnutls_assert(); - goto error; + ret = set_psk_session_key (session, &psk); + if (ret < 0) + { + gnutls_assert (); + goto error; } - return 0; + return 0; error: - _gnutls_free_datum( &psk); - return ret; + _gnutls_free_datum (&psk); + return ret; } -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/lib/auth_psk.h b/lib/auth_psk.h index 59b49abc1e..432515eb08 100644 --- a/lib/auth_psk.h +++ b/lib/auth_psk.h @@ -27,23 +27,26 @@ #include <gnutls_auth.h> -typedef struct gnutls_psk_client_credentials_st { - gnutls_datum username; - gnutls_datum key; - gnutls_psk_client_credentials_function *get_function; +typedef struct gnutls_psk_client_credentials_st +{ + gnutls_datum username; + gnutls_datum key; + gnutls_psk_client_credentials_function *get_function; } psk_client_credentials_st; -typedef struct gnutls_psk_server_credentials_st { - char *password_file; - /* callback function, instead of reading the - * password files. - */ - gnutls_psk_server_credentials_function *pwd_callback; +typedef struct gnutls_psk_server_credentials_st +{ + char *password_file; + /* callback function, instead of reading the + * password files. + */ + gnutls_psk_server_credentials_function *pwd_callback; } psk_server_cred_st; /* these structures should not use allocated data */ -typedef struct psk_server_auth_info_st { - char username[MAX_SRP_USERNAME+1]; +typedef struct psk_server_auth_info_st +{ + char username[MAX_SRP_USERNAME + 1]; } *psk_server_auth_info_t; @@ -51,6 +54,6 @@ typedef struct psk_server_auth_info_st { typedef struct psk_server_auth_info_st psk_server_auth_info_st; -#endif /* ENABLE_PSK */ +#endif /* ENABLE_PSK */ #endif diff --git a/lib/auth_psk_passwd.c b/lib/auth_psk_passwd.c index 76a2d597d1..237a1d015e 100644 --- a/lib/auth_psk_passwd.c +++ b/lib/auth_psk_passwd.c @@ -43,44 +43,48 @@ /* this function parses passwd.psk file. Format is: * string(username):hex(passwd) */ -static int pwd_put_values(gnutls_datum* psk, char *str) +static int +pwd_put_values (gnutls_datum * psk, char *str) { - char *p; - int len, ret; - - p = strchr(str, ':'); - if (p == NULL) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; + char *p; + int len, ret; + + p = strchr (str, ':'); + if (p == NULL) + { + gnutls_assert (); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; } - *p = '\0'; - p++; + *p = '\0'; + p++; - /* skip username - */ + /* skip username + */ - /* read the key - */ - len = strlen(p); - if (p[len - 1] == '\n' || p[len - 1] == ' ') - len--; + /* read the key + */ + len = strlen (p); + if (p[len - 1] == '\n' || p[len - 1] == ' ') + len--; - psk->size = len / 2; - psk->data = gnutls_malloc( psk->size); - if (psk->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + psk->size = len / 2; + psk->data = gnutls_malloc (psk->size); + if (psk->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - ret = _gnutls_hex2bin( (opaque*)p, len, psk->data, &psk->size); - if ( ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_hex2bin ((opaque *) p, len, psk->data, &psk->size); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } @@ -88,110 +92,126 @@ static int pwd_put_values(gnutls_datum* psk, char *str) /* Randomizes the given password entry. It actually sets a random password. * Returns 0 on success. */ -static int _randomize_psk(gnutls_datum * psk) +static int +_randomize_psk (gnutls_datum * psk) { - psk->data = gnutls_malloc(16); - if (psk->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + psk->data = gnutls_malloc (16); + if (psk->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - psk->size = 16; - if (gc_nonce ((char*)psk->data, 16) != GC_OK) { - gnutls_assert(); - return GNUTLS_E_RANDOM_FAILED; + psk->size = 16; + if (gc_nonce ((char *) psk->data, 16) != GC_OK) + { + gnutls_assert (); + return GNUTLS_E_RANDOM_FAILED; } - return 0; + return 0; } /* Returns the PSK key of the given user. * If the user doesn't exist a random password is returned instead. */ -int _gnutls_psk_pwd_find_entry(gnutls_session_t session, char *username, - gnutls_datum* psk) +int +_gnutls_psk_pwd_find_entry (gnutls_session_t session, char *username, + gnutls_datum * psk) { - gnutls_psk_server_credentials_t cred; - FILE *fd; - char line[2 * 1024]; - uint i, len; - int ret; - - cred = (gnutls_psk_server_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_PSK, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + gnutls_psk_server_credentials_t cred; + FILE *fd; + char line[2 * 1024]; + uint i, len; + int ret; + + cred = (gnutls_psk_server_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - /* if the callback which sends the parameters is - * set, use it. - */ - if (cred->pwd_callback != NULL) { - ret = cred->pwd_callback(session, username, psk); - - if (ret == 1) { /* the user does not exist */ - ret = _randomize_psk(psk); - if (ret < 0) { - gnutls_assert(); - return ret; - } - return 0; + /* if the callback which sends the parameters is + * set, use it. + */ + if (cred->pwd_callback != NULL) + { + ret = cred->pwd_callback (session, username, psk); + + if (ret == 1) + { /* the user does not exist */ + ret = _randomize_psk (psk); + if (ret < 0) + { + gnutls_assert (); + return ret; + } + return 0; } - if (ret < 0) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_ERROR; + if (ret < 0) + { + gnutls_assert (); + return GNUTLS_E_SRP_PWD_ERROR; } - return 0; + return 0; } - /* The callback was not set. Proceed. - */ - if (cred->password_file == NULL) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_ERROR; + /* The callback was not set. Proceed. + */ + if (cred->password_file == NULL) + { + gnutls_assert (); + return GNUTLS_E_SRP_PWD_ERROR; } - /* Open the selected password file. - */ - fd = fopen(cred->password_file, "r"); - if (fd == NULL) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_ERROR; + /* Open the selected password file. + */ + fd = fopen (cred->password_file, "r"); + if (fd == NULL) + { + gnutls_assert (); + return GNUTLS_E_SRP_PWD_ERROR; } - len = strlen(username); - while (fgets(line, sizeof(line), fd) != NULL) { - /* move to first ':' */ - i = 0; - while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof(line))) { - i++; + len = strlen (username); + while (fgets (line, sizeof (line), fd) != NULL) + { + /* move to first ':' */ + i = 0; + while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof (line))) + { + i++; } - if (strncmp(username, line, MAX(i, len)) == 0) { - ret = pwd_put_values(psk, line); - if (ret < 0) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_ERROR; - } - return 0; + if (strncmp (username, line, MAX (i, len)) == 0) + { + ret = pwd_put_values (psk, line); + if (ret < 0) + { + gnutls_assert (); + return GNUTLS_E_SRP_PWD_ERROR; + } + return 0; } } - /* user was not found. Fake him. - * the last index found and randomize the entry. - */ - ret = _randomize_psk(psk); - if (ret < 0) { - gnutls_assert(); - return ret; + /* user was not found. Fake him. + * the last index found and randomize the entry. + */ + ret = _randomize_psk (psk); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } -#endif /* ENABLE PSK */ +#endif /* ENABLE PSK */ diff --git a/lib/auth_psk_passwd.h b/lib/auth_psk_passwd.h index 41d54bc5fa..fe1726dbab 100644 --- a/lib/auth_psk_passwd.h +++ b/lib/auth_psk_passwd.h @@ -25,7 +25,7 @@ #ifdef ENABLE_PSK /* this is locally allocated. It should be freed using the provided function */ -int _gnutls_psk_pwd_find_entry(gnutls_session_t, char *username, - gnutls_datum* key); +int _gnutls_psk_pwd_find_entry (gnutls_session_t, char *username, + gnutls_datum * key); -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/lib/auth_rsa.c b/lib/auth_rsa.c index 07e4072c7b..e1f5e34005 100644 --- a/lib/auth_rsa.c +++ b/lib/auth_rsa.c @@ -43,326 +43,365 @@ #include <gnutls_extra.h> #include <gc.h> -int _gnutls_gen_rsa_client_kx(gnutls_session_t, opaque **); -int _gnutls_proc_rsa_client_kx(gnutls_session_t, opaque *, size_t); +int _gnutls_gen_rsa_client_kx (gnutls_session_t, opaque **); +int _gnutls_proc_rsa_client_kx (gnutls_session_t, opaque *, size_t); const mod_auth_st rsa_auth_struct = { - "RSA", - _gnutls_gen_cert_server_certificate, - _gnutls_gen_cert_client_certificate, - NULL, /* gen server kx */ - _gnutls_gen_rsa_client_kx, - _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ - _gnutls_gen_cert_server_cert_req, /* server cert request */ - - _gnutls_proc_cert_server_certificate, - _gnutls_proc_cert_client_certificate, - NULL, /* proc server kx */ - _gnutls_proc_rsa_client_kx, /* proc client kx */ - _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ - _gnutls_proc_cert_cert_req /* proc server cert request */ + "RSA", + _gnutls_gen_cert_server_certificate, + _gnutls_gen_cert_client_certificate, + NULL, /* gen server kx */ + _gnutls_gen_rsa_client_kx, + _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ + _gnutls_gen_cert_server_cert_req, /* server cert request */ + + _gnutls_proc_cert_server_certificate, + _gnutls_proc_cert_client_certificate, + NULL, /* proc server kx */ + _gnutls_proc_rsa_client_kx, /* proc client kx */ + _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ + _gnutls_proc_cert_cert_req /* proc server cert request */ }; /* This function reads the RSA parameters from peer's certificate; */ -int _gnutls_get_public_rsa_params(gnutls_session_t session, - mpi_t params[MAX_PUBLIC_PARAMS_SIZE], - int *params_len) +int +_gnutls_get_public_rsa_params (gnutls_session_t session, + mpi_t params[MAX_PUBLIC_PARAMS_SIZE], + int *params_len) { - int ret; - cert_auth_info_t info; - gnutls_cert peer_cert; - int i; + int ret; + cert_auth_info_t info; + gnutls_cert peer_cert; + int i; - /* normal non export case */ + /* normal non export case */ - info = _gnutls_get_auth_info(session); + info = _gnutls_get_auth_info (session); - if (info == NULL || info->ncerts == 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (info == NULL || info->ncerts == 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - ret = - _gnutls_raw_cert_to_gcert(&peer_cert, - session->security_parameters.cert_type, - &info->raw_certificate_list[0], - CERT_ONLY_PUBKEY | CERT_NO_COPY); + ret = + _gnutls_raw_cert_to_gcert (&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_ONLY_PUBKEY | CERT_NO_COPY); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* EXPORT case: */ - if (_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters.current_cipher_suite) - == GNUTLS_KX_RSA_EXPORT - && _gnutls_mpi_get_nbits(peer_cert.params[0]) > 512) { + /* EXPORT case: */ + if (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters.current_cipher_suite) + == GNUTLS_KX_RSA_EXPORT + && _gnutls_mpi_get_nbits (peer_cert.params[0]) > 512) + { - _gnutls_gcert_deinit(&peer_cert); + _gnutls_gcert_deinit (&peer_cert); - if (session->key->rsa[0] == NULL || session->key->rsa[1] == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (session->key->rsa[0] == NULL || session->key->rsa[1] == NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - if (*params_len < 2) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (*params_len < 2) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - *params_len = 2; - for (i = 0; i < *params_len; i++) { - params[i] = _gnutls_mpi_copy(session->key->rsa[i]); + *params_len = 2; + for (i = 0; i < *params_len; i++) + { + params[i] = _gnutls_mpi_copy (session->key->rsa[i]); } - return 0; + return 0; } - /* end of export case */ + /* end of export case */ - if (*params_len < peer_cert.params_size) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (*params_len < peer_cert.params_size) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - *params_len = peer_cert.params_size; + *params_len = peer_cert.params_size; - for (i = 0; i < *params_len; i++) { - params[i] = _gnutls_mpi_copy(peer_cert.params[i]); + for (i = 0; i < *params_len; i++) + { + params[i] = _gnutls_mpi_copy (peer_cert.params[i]); } - _gnutls_gcert_deinit(&peer_cert); + _gnutls_gcert_deinit (&peer_cert); - return 0; + return 0; } /* This function reads the RSA parameters from the private key */ -int _gnutls_get_private_rsa_params(gnutls_session_t session, - mpi_t ** params, int *params_size) +int +_gnutls_get_private_rsa_params (gnutls_session_t session, + mpi_t ** params, int *params_size) { - int bits; - gnutls_certificate_credentials_t cred; - gnutls_rsa_params_t rsa_params; - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + int bits; + gnutls_certificate_credentials_t cred; + gnutls_rsa_params_t rsa_params; + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - if (session->internals.selected_cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + if (session->internals.selected_cert_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - bits = - _gnutls_mpi_get_nbits(session->internals.selected_cert_list[0]. - params[0]); + bits = + _gnutls_mpi_get_nbits (session->internals.selected_cert_list[0]. + params[0]); - if (_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters.current_cipher_suite) - == GNUTLS_KX_RSA_EXPORT && bits > 512) { + if (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters.current_cipher_suite) + == GNUTLS_KX_RSA_EXPORT && bits > 512) + { - rsa_params = _gnutls_certificate_get_rsa_params(cred, session); - /* EXPORT case: */ - if (rsa_params == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS; + rsa_params = _gnutls_certificate_get_rsa_params (cred, session); + /* EXPORT case: */ + if (rsa_params == NULL) + { + gnutls_assert (); + return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS; } - /* In the export case, we do use temporary RSA params - * of 512 bits size. The params in the certificate are - * used to sign this temporary stuff. - */ - *params_size = RSA_PRIVATE_PARAMS; - *params = rsa_params->params; + /* In the export case, we do use temporary RSA params + * of 512 bits size. The params in the certificate are + * used to sign this temporary stuff. + */ + *params_size = RSA_PRIVATE_PARAMS; + *params = rsa_params->params; - return 0; + return 0; } - /* non export cipher suites. */ + /* non export cipher suites. */ - *params_size = session->internals.selected_key->params_size; - *params = session->internals.selected_key->params; + *params_size = session->internals.selected_key->params_size; + *params = session->internals.selected_key->params; - return 0; + return 0; } -int _gnutls_proc_rsa_client_kx(gnutls_session_t session, opaque * data, - size_t _data_size) +int +_gnutls_proc_rsa_client_kx (gnutls_session_t session, opaque * data, + size_t _data_size) { - gnutls_datum_t plaintext; - gnutls_datum_t ciphertext; - int ret, dsize; - mpi_t *params; - int params_len; - int randomize_key = 0; - ssize_t data_size = _data_size; - - if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { - /* SSL 3.0 - */ - ciphertext.data = data; - ciphertext.size = data_size; - } else { - /* TLS 1.0 - */ - DECR_LEN(data_size, 2); - ciphertext.data = &data[2]; - dsize = _gnutls_read_uint16(data); - - if (dsize != data_size) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + gnutls_datum_t plaintext; + gnutls_datum_t ciphertext; + int ret, dsize; + mpi_t *params; + int params_len; + int randomize_key = 0; + ssize_t data_size = _data_size; + + if (gnutls_protocol_get_version (session) == GNUTLS_SSL3) + { + /* SSL 3.0 + */ + ciphertext.data = data; + ciphertext.size = data_size; + } + else + { + /* TLS 1.0 + */ + DECR_LEN (data_size, 2); + ciphertext.data = &data[2]; + dsize = _gnutls_read_uint16 (data); + + if (dsize != data_size) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - ciphertext.size = dsize; + ciphertext.size = dsize; } - ret = _gnutls_get_private_rsa_params(session, ¶ms, ¶ms_len); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_get_private_rsa_params (session, ¶ms, ¶ms_len); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = _gnutls_pkcs1_rsa_decrypt(&plaintext, &ciphertext, params, params_len, 2); /* btype==2 */ - - if (ret < 0 || plaintext.size != TLS_MASTER_SIZE) { - /* In case decryption fails then don't inform - * the peer. Just use a random key. (in order to avoid - * attack against pkcs-1 formating). - */ - gnutls_assert(); - _gnutls_x509_log("auth_rsa: Possible PKCS #1 format attack\n"); - randomize_key = 1; - } else { - /* If the secret was properly formatted, then - * check the version number. - */ - if (_gnutls_get_adv_version_major(session) != plaintext.data[0] - || _gnutls_get_adv_version_minor(session) != plaintext.data[1]) { - /* No error is returned here, if the version number check - * fails. We proceed normally. - * That is to defend against the attack described in the paper - * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima, - * Ondej Pokorny and Tomas Rosa. - */ - gnutls_assert(); - _gnutls_x509_log - ("auth_rsa: Possible PKCS #1 version check format attack\n"); + ret = _gnutls_pkcs1_rsa_decrypt (&plaintext, &ciphertext, params, params_len, 2); /* btype==2 */ + + if (ret < 0 || plaintext.size != TLS_MASTER_SIZE) + { + /* In case decryption fails then don't inform + * the peer. Just use a random key. (in order to avoid + * attack against pkcs-1 formating). + */ + gnutls_assert (); + _gnutls_x509_log ("auth_rsa: Possible PKCS #1 format attack\n"); + randomize_key = 1; + } + else + { + /* If the secret was properly formatted, then + * check the version number. + */ + if (_gnutls_get_adv_version_major (session) != plaintext.data[0] + || _gnutls_get_adv_version_minor (session) != plaintext.data[1]) + { + /* No error is returned here, if the version number check + * fails. We proceed normally. + * That is to defend against the attack described in the paper + * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima, + * Ondej Pokorny and Tomas Rosa. + */ + gnutls_assert (); + _gnutls_x509_log + ("auth_rsa: Possible PKCS #1 version check format attack\n"); } } - if (randomize_key != 0) { + if (randomize_key != 0) + { session->key->key.size = TLS_MASTER_SIZE; session->key->key.data = gnutls_malloc (session->key->key.size); if (session->key->key.data == NULL) { - gnutls_assert(); + gnutls_assert (); return GNUTLS_E_MEMORY_ERROR; } /* we do not need strong random numbers here. */ - if (gc_nonce(session->key->key.data, session->key->key.size) != GC_OK) { - gnutls_assert(); - return GNUTLS_E_RANDOM_FAILED; - } - - } else { - session->key->key.data = plaintext.data; - session->key->key.size = plaintext.size; + if (gc_nonce (session->key->key.data, session->key->key.size) != GC_OK) + { + gnutls_assert (); + return GNUTLS_E_RANDOM_FAILED; + } + + } + else + { + session->key->key.data = plaintext.data; + session->key->key.size = plaintext.size; } - /* This is here to avoid the version check attack - * discussed above. - */ - session->key->key.data[0] = _gnutls_get_adv_version_major(session); - session->key->key.data[1] = _gnutls_get_adv_version_minor(session); + /* This is here to avoid the version check attack + * discussed above. + */ + session->key->key.data[0] = _gnutls_get_adv_version_major (session); + session->key->key.data[1] = _gnutls_get_adv_version_minor (session); - return 0; + return 0; } /* return RSA(random) using the peers public key */ -int _gnutls_gen_rsa_client_kx(gnutls_session_t session, opaque ** data) +int +_gnutls_gen_rsa_client_kx (gnutls_session_t session, opaque ** data) { - cert_auth_info_t auth = session->key->auth_info; - gnutls_datum_t sdata; /* data to send */ - mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; - int params_len = MAX_PUBLIC_PARAMS_SIZE; - int ret, i; - gnutls_protocol_t ver; - - if (auth == NULL) { - /* this shouldn't have happened. The proc_certificate - * function should have detected that. - */ - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + cert_auth_info_t auth = session->key->auth_info; + gnutls_datum_t sdata; /* data to send */ + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + int params_len = MAX_PUBLIC_PARAMS_SIZE; + int ret, i; + gnutls_protocol_t ver; + + if (auth == NULL) + { + /* this shouldn't have happened. The proc_certificate + * function should have detected that. + */ + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - session->key->key.size = TLS_MASTER_SIZE; - session->key->key.data = gnutls_secure_malloc(session->key->key.size); + session->key->key.size = TLS_MASTER_SIZE; + session->key->key.data = gnutls_secure_malloc (session->key->key.size); - if (session->key->key.data == NULL) - { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (session->key->key.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } - if (gc_pseudo_random(session->key->key.data, - session->key->key.size) != GC_OK) { - gnutls_assert(); + if (gc_pseudo_random (session->key->key.data, + session->key->key.size) != GC_OK) + { + gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; } - ver = _gnutls_get_adv_version(session); + ver = _gnutls_get_adv_version (session); - if (session->internals.rsa_pms_version[0] == 0) { - session->key->key.data[0] = _gnutls_version_get_major(ver); - session->key->key.data[1] = _gnutls_version_get_minor(ver); - } else { /* use the version provided */ - session->key->key.data[0] = session->internals.rsa_pms_version[0]; - session->key->key.data[1] = session->internals.rsa_pms_version[1]; + if (session->internals.rsa_pms_version[0] == 0) + { + session->key->key.data[0] = _gnutls_version_get_major (ver); + session->key->key.data[1] = _gnutls_version_get_minor (ver); + } + else + { /* use the version provided */ + session->key->key.data[0] = session->internals.rsa_pms_version[0]; + session->key->key.data[1] = session->internals.rsa_pms_version[1]; } - /* move RSA parameters to key (session). - */ - if ((ret = - _gnutls_get_public_rsa_params(session, params, - ¶ms_len)) < 0) { - gnutls_assert(); - return ret; + /* move RSA parameters to key (session). + */ + if ((ret = + _gnutls_get_public_rsa_params (session, params, ¶ms_len)) < 0) + { + gnutls_assert (); + return ret; } - if ((ret = - _gnutls_pkcs1_rsa_encrypt(&sdata, &session->key->key, - params, params_len, 2)) < 0) { - gnutls_assert(); - return ret; + if ((ret = + _gnutls_pkcs1_rsa_encrypt (&sdata, &session->key->key, + params, params_len, 2)) < 0) + { + gnutls_assert (); + return ret; } - for (i = 0; i < params_len; i++) - _gnutls_mpi_release(¶ms[i]); - - if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { - /* SSL 3.0 */ - *data = sdata.data; - return sdata.size; - } else { /* TLS 1 */ - *data = gnutls_malloc(sdata.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&sdata); - return GNUTLS_E_MEMORY_ERROR; + for (i = 0; i < params_len; i++) + _gnutls_mpi_release (¶ms[i]); + + if (gnutls_protocol_get_version (session) == GNUTLS_SSL3) + { + /* SSL 3.0 */ + *data = sdata.data; + return sdata.size; + } + else + { /* TLS 1 */ + *data = gnutls_malloc (sdata.size + 2); + if (*data == NULL) + { + _gnutls_free_datum (&sdata); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_write_datum16(*data, sdata); - ret = sdata.size + 2; - _gnutls_free_datum(&sdata); - return ret; + _gnutls_write_datum16 (*data, sdata); + ret = sdata.size + 2; + _gnutls_free_datum (&sdata); + return ret; } } diff --git a/lib/auth_rsa_export.c b/lib/auth_rsa_export.c index f45eb99283..8f240eac54 100644 --- a/lib/auth_rsa_export.c +++ b/lib/auth_rsa_export.c @@ -44,263 +44,281 @@ #include <gnutls_rsa_export.h> #include <gnutls_state.h> -int _gnutls_gen_rsa_client_kx(gnutls_session_t, opaque **); -int _gnutls_proc_rsa_client_kx(gnutls_session_t, opaque *, size_t); -static int gen_rsa_export_server_kx(gnutls_session_t, opaque **); -static int proc_rsa_export_server_kx(gnutls_session_t, opaque *, size_t); +int _gnutls_gen_rsa_client_kx (gnutls_session_t, opaque **); +int _gnutls_proc_rsa_client_kx (gnutls_session_t, opaque *, size_t); +static int gen_rsa_export_server_kx (gnutls_session_t, opaque **); +static int proc_rsa_export_server_kx (gnutls_session_t, opaque *, size_t); const mod_auth_st rsa_export_auth_struct = { - "RSA EXPORT", - _gnutls_gen_cert_server_certificate, - _gnutls_gen_cert_client_certificate, - gen_rsa_export_server_kx, - _gnutls_gen_rsa_client_kx, - _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ - _gnutls_gen_cert_server_cert_req, /* server cert request */ - - _gnutls_proc_cert_server_certificate, - _gnutls_proc_cert_client_certificate, - proc_rsa_export_server_kx, - _gnutls_proc_rsa_client_kx, /* proc client kx */ - _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ - _gnutls_proc_cert_cert_req /* proc server cert request */ + "RSA EXPORT", + _gnutls_gen_cert_server_certificate, + _gnutls_gen_cert_client_certificate, + gen_rsa_export_server_kx, + _gnutls_gen_rsa_client_kx, + _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ + _gnutls_gen_cert_server_cert_req, /* server cert request */ + + _gnutls_proc_cert_server_certificate, + _gnutls_proc_cert_client_certificate, + proc_rsa_export_server_kx, + _gnutls_proc_rsa_client_kx, /* proc client kx */ + _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ + _gnutls_proc_cert_cert_req /* proc server cert request */ }; -static int gen_rsa_export_server_kx(gnutls_session_t session, - opaque ** data) +static int +gen_rsa_export_server_kx (gnutls_session_t session, opaque ** data) { - gnutls_rsa_params_t rsa_params; - const mpi_t *rsa_mpis; - size_t n_e, n_m; - uint8 *data_e, *data_m; - int ret = 0, data_size; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length; - gnutls_datum_t signature, ddata; - cert_auth_info_t info; - gnutls_certificate_credentials_t cred; - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + gnutls_rsa_params_t rsa_params; + const mpi_t *rsa_mpis; + size_t n_e, n_m; + uint8 *data_e, *data_m; + int ret = 0, data_size; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + gnutls_datum_t signature, ddata; + cert_auth_info_t info; + gnutls_certificate_credentials_t cred; + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert (session, &apr_cert_list, + &apr_cert_list_length, &apr_pkey)) < 0) + { + gnutls_assert (); + return ret; } - /* abort sending this message if we have a certificate - * of 512 bits or less. - */ - if (_gnutls_mpi_get_nbits(apr_pkey->params[0]) <= 512) { - gnutls_assert(); - return GNUTLS_E_INT_RET_0; + /* abort sending this message if we have a certificate + * of 512 bits or less. + */ + if (_gnutls_mpi_get_nbits (apr_pkey->params[0]) <= 512) + { + gnutls_assert (); + return GNUTLS_E_INT_RET_0; } - rsa_params = _gnutls_certificate_get_rsa_params(cred, session); - rsa_mpis = _gnutls_get_rsa_params(rsa_params); - if (rsa_mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS; + rsa_params = _gnutls_certificate_get_rsa_params (cred, session); + rsa_mpis = _gnutls_get_rsa_params (rsa_params); + if (rsa_mpis == NULL) + { + gnutls_assert (); + return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS; } - if ((ret = _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, - sizeof(cert_auth_info_st), 0)) < 0) { - gnutls_assert(); - return ret; + if ((ret = _gnutls_auth_info_set (session, GNUTLS_CRD_CERTIFICATE, + sizeof (cert_auth_info_st), 0)) < 0) + { + gnutls_assert (); + return ret; } - info = _gnutls_get_auth_info(session); - _gnutls_rsa_export_set_pubkey(session, rsa_mpis[1], rsa_mpis[0]); + info = _gnutls_get_auth_info (session); + _gnutls_rsa_export_set_pubkey (session, rsa_mpis[1], rsa_mpis[0]); - _gnutls_mpi_print(NULL, &n_m, rsa_mpis[0]); - _gnutls_mpi_print(NULL, &n_e, rsa_mpis[1]); + _gnutls_mpi_print (NULL, &n_m, rsa_mpis[0]); + _gnutls_mpi_print (NULL, &n_e, rsa_mpis[1]); - (*data) = gnutls_malloc(n_e + n_m + 4); - if (*data == NULL) { - return GNUTLS_E_MEMORY_ERROR; + (*data) = gnutls_malloc (n_e + n_m + 4); + if (*data == NULL) + { + return GNUTLS_E_MEMORY_ERROR; } - data_m = &(*data)[0]; - _gnutls_mpi_print(&data_m[2], &n_m, rsa_mpis[0]); + data_m = &(*data)[0]; + _gnutls_mpi_print (&data_m[2], &n_m, rsa_mpis[0]); - _gnutls_write_uint16(n_m, data_m); + _gnutls_write_uint16 (n_m, data_m); - data_e = &data_m[2 + n_m]; - _gnutls_mpi_print(&data_e[2], &n_e, rsa_mpis[1]); + data_e = &data_m[2 + n_m]; + _gnutls_mpi_print (&data_e[2], &n_e, rsa_mpis[1]); - _gnutls_write_uint16(n_e, data_e); + _gnutls_write_uint16 (n_e, data_e); - data_size = n_m + n_e + 4; + data_size = n_m + n_e + 4; - /* Generate the signature. */ + /* Generate the signature. */ - ddata.data = *data; - ddata.size = data_size; + ddata.data = *data; + ddata.size = data_size; - if (apr_pkey != NULL) { - if ((ret = - _gnutls_tls_sign_params(session, &apr_cert_list[0], - apr_pkey, &ddata, &signature)) < 0) { - gnutls_assert(); - gnutls_free(*data); - *data = NULL; - return ret; + if (apr_pkey != NULL) + { + if ((ret = + _gnutls_tls_sign_params (session, &apr_cert_list[0], + apr_pkey, &ddata, &signature)) < 0) + { + gnutls_assert (); + gnutls_free (*data); + *data = NULL; + return ret; } - } else { - gnutls_assert(); - return data_size; /* do not put a signature - ILLEGAL! */ + } + else + { + gnutls_assert (); + return data_size; /* do not put a signature - ILLEGAL! */ } - *data = gnutls_realloc_fast(*data, data_size + signature.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&signature); - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + *data = gnutls_realloc_fast (*data, data_size + signature.size + 2); + if (*data == NULL) + { + _gnutls_free_datum (&signature); + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_write_datum16(&((*data)[data_size]), signature); - data_size += signature.size + 2; + _gnutls_write_datum16 (&((*data)[data_size]), signature); + data_size += signature.size + 2; - _gnutls_free_datum(&signature); + _gnutls_free_datum (&signature); - return data_size; + return data_size; } /* if the peer's certificate is of 512 bits or less, returns non zero. */ -int _gnutls_peers_cert_less_512(gnutls_session_t session) +int +_gnutls_peers_cert_less_512 (gnutls_session_t session) { - gnutls_cert peer_cert; - int ret; - cert_auth_info_t info = _gnutls_get_auth_info(session); - - if (info == NULL || info->ncerts == 0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return 0; + gnutls_cert peer_cert; + int ret; + cert_auth_info_t info = _gnutls_get_auth_info (session); + + if (info == NULL || info->ncerts == 0) + { + gnutls_assert (); + /* we need this in order to get peer's certificate */ + return 0; } - if ((ret = - _gnutls_raw_cert_to_gcert(&peer_cert, - session->security_parameters.cert_type, - &info->raw_certificate_list[0], - CERT_NO_COPY)) < 0) { - gnutls_assert(); - return 0; + if ((ret = + _gnutls_raw_cert_to_gcert (&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_NO_COPY)) < 0) + { + gnutls_assert (); + return 0; } - if (peer_cert.subject_pk_algorithm != GNUTLS_PK_RSA) { - gnutls_assert(); - _gnutls_gcert_deinit(&peer_cert); - return 0; + if (peer_cert.subject_pk_algorithm != GNUTLS_PK_RSA) + { + gnutls_assert (); + _gnutls_gcert_deinit (&peer_cert); + return 0; } - if (_gnutls_mpi_get_nbits(peer_cert.params[0]) - <= 512) { - _gnutls_gcert_deinit(&peer_cert); - return 1; + if (_gnutls_mpi_get_nbits (peer_cert.params[0]) <= 512) + { + _gnutls_gcert_deinit (&peer_cert); + return 1; } - _gnutls_gcert_deinit(&peer_cert); + _gnutls_gcert_deinit (&peer_cert); - return 0; + return 0; } -static int proc_rsa_export_server_kx(gnutls_session_t session, - opaque * data, size_t _data_size) +static int +proc_rsa_export_server_kx (gnutls_session_t session, + opaque * data, size_t _data_size) { - uint16 n_m, n_e; - size_t _n_m, _n_e; - uint8 *data_m; - uint8 *data_e; - int i, sigsize; - gnutls_datum_t vparams, signature; - int ret; - ssize_t data_size = _data_size; - cert_auth_info_t info; - gnutls_cert peer_cert; - - info = _gnutls_get_auth_info(session); - if (info == NULL || info->ncerts == 0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return GNUTLS_E_INTERNAL_ERROR; + uint16 n_m, n_e; + size_t _n_m, _n_e; + uint8 *data_m; + uint8 *data_e; + int i, sigsize; + gnutls_datum_t vparams, signature; + int ret; + ssize_t data_size = _data_size; + cert_auth_info_t info; + gnutls_cert peer_cert; + + info = _gnutls_get_auth_info (session); + if (info == NULL || info->ncerts == 0) + { + gnutls_assert (); + /* we need this in order to get peer's certificate */ + return GNUTLS_E_INTERNAL_ERROR; } - i = 0; + i = 0; - DECR_LEN(data_size, 2); - n_m = _gnutls_read_uint16(&data[i]); - i += 2; + DECR_LEN (data_size, 2); + n_m = _gnutls_read_uint16 (&data[i]); + i += 2; - DECR_LEN(data_size, n_m); - data_m = &data[i]; - i += n_m; + DECR_LEN (data_size, n_m); + data_m = &data[i]; + i += n_m; - DECR_LEN(data_size, 2); - n_e = _gnutls_read_uint16(&data[i]); - i += 2; + DECR_LEN (data_size, 2); + n_e = _gnutls_read_uint16 (&data[i]); + i += 2; - DECR_LEN(data_size, n_e); - data_e = &data[i]; - i += n_e; + DECR_LEN (data_size, n_e); + data_e = &data[i]; + i += n_e; - _n_e = n_e; - _n_m = n_m; + _n_e = n_e; + _n_m = n_m; - if (_gnutls_mpi_scan_nz(&session->key->rsa[0], data_m, &_n_m) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + if (_gnutls_mpi_scan_nz (&session->key->rsa[0], data_m, &_n_m) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - if (_gnutls_mpi_scan_nz(&session->key->rsa[1], data_e, &_n_e) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + if (_gnutls_mpi_scan_nz (&session->key->rsa[1], data_e, &_n_e) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - _gnutls_rsa_export_set_pubkey(session, session->key->rsa[1], - session->key->rsa[0]); + _gnutls_rsa_export_set_pubkey (session, session->key->rsa[1], + session->key->rsa[0]); - /* VERIFY SIGNATURE */ + /* VERIFY SIGNATURE */ - vparams.size = n_m + n_e + 4; - vparams.data = data; + vparams.size = n_m + n_e + 4; + vparams.data = data; - DECR_LEN(data_size, 2); - sigsize = _gnutls_read_uint16(&data[vparams.size]); + DECR_LEN (data_size, 2); + sigsize = _gnutls_read_uint16 (&data[vparams.size]); - DECR_LEN(data_size, sigsize); - signature.data = &data[vparams.size + 2]; - signature.size = sigsize; + DECR_LEN (data_size, sigsize); + signature.data = &data[vparams.size + 2]; + signature.size = sigsize; - if ((ret = - _gnutls_raw_cert_to_gcert(&peer_cert, - session->security_parameters.cert_type, - &info->raw_certificate_list[0], - CERT_NO_COPY)) < 0) { - gnutls_assert(); - return ret; + if ((ret = + _gnutls_raw_cert_to_gcert (&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_NO_COPY)) < 0) + { + gnutls_assert (); + return ret; } - ret = - _gnutls_verify_sig_params(session, - &peer_cert, &vparams, &signature); + ret = _gnutls_verify_sig_params (session, &peer_cert, &vparams, &signature); - _gnutls_gcert_deinit(&peer_cert); - if (ret < 0) { - gnutls_assert(); + _gnutls_gcert_deinit (&peer_cert); + if (ret < 0) + { + gnutls_assert (); } - return ret; + return ret; } diff --git a/lib/auth_srp.c b/lib/auth_srp.c index f5aa740a5f..d6c0264147 100644 --- a/lib/auth_srp.c +++ b/lib/auth_srp.c @@ -37,27 +37,27 @@ #include <gnutls_str.h> #include <gnutls_datum.h> -int _gnutls_gen_srp_server_kx(gnutls_session_t, opaque **); -int _gnutls_gen_srp_client_kx(gnutls_session_t, opaque **); +int _gnutls_gen_srp_server_kx (gnutls_session_t, opaque **); +int _gnutls_gen_srp_client_kx (gnutls_session_t, opaque **); -int _gnutls_proc_srp_server_kx(gnutls_session_t, opaque *, size_t); -int _gnutls_proc_srp_client_kx(gnutls_session_t, opaque *, size_t); +int _gnutls_proc_srp_server_kx (gnutls_session_t, opaque *, size_t); +int _gnutls_proc_srp_client_kx (gnutls_session_t, opaque *, size_t); const mod_auth_st srp_auth_struct = { - "SRP", - NULL, - NULL, - _gnutls_gen_srp_server_kx, - _gnutls_gen_srp_client_kx, - NULL, - NULL, - - NULL, - NULL, /* certificate */ - _gnutls_proc_srp_server_kx, - _gnutls_proc_srp_client_kx, - NULL, - NULL + "SRP", + NULL, + NULL, + _gnutls_gen_srp_server_kx, + _gnutls_gen_srp_client_kx, + NULL, + NULL, + + NULL, + NULL, /* certificate */ + _gnutls_proc_srp_server_kx, + _gnutls_proc_srp_client_kx, + NULL, + NULL }; @@ -74,339 +74,373 @@ const mod_auth_st srp_auth_struct = { * Returns a proper error code in that case, and 0 when * all are ok. */ -inline static int check_b_mod_n(mpi_t b, mpi_t n) +inline static int +check_b_mod_n (mpi_t b, mpi_t n) { - int ret; - mpi_t r = _gnutls_mpi_alloc_like(b); + int ret; + mpi_t r = _gnutls_mpi_alloc_like (b); - if (r == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (r == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_mpi_mod(r, b, n); - ret = _gnutls_mpi_cmp_ui(r, 0); + _gnutls_mpi_mod (r, b, n); + ret = _gnutls_mpi_cmp_ui (r, 0); - _gnutls_mpi_release(&r); + _gnutls_mpi_release (&r); - if (ret == 0) { - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + if (ret == 0) + { + gnutls_assert (); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } - return 0; + return 0; } /* Checks if a%n==0,+1,-1%n which is a fatal srp error. * Returns a proper error code in that case, and 0 when * all are ok. */ -inline static int check_a_mod_n(mpi_t a, mpi_t n) +inline static int +check_a_mod_n (mpi_t a, mpi_t n) { - int ret; - mpi_t r = _gnutls_mpi_alloc_like(a); + int ret; + mpi_t r = _gnutls_mpi_alloc_like (a); - if (r == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (r == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_mpi_mod(r, a, n); - ret = _gnutls_mpi_cmp_ui(r, 0); + _gnutls_mpi_mod (r, a, n); + ret = _gnutls_mpi_cmp_ui (r, 0); - _gnutls_mpi_release(&r); + _gnutls_mpi_release (&r); - if (ret == 0) { - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + if (ret == 0) + { + gnutls_assert (); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } - return 0; + return 0; } /* Send the first key exchange message ( g, n, s) and append the verifier algorithm number * Data is allocated by the caller, and should have data_size size. */ -int _gnutls_gen_srp_server_kx(gnutls_session_t session, opaque ** data) +int +_gnutls_gen_srp_server_kx (gnutls_session_t session, opaque ** data) { - int ret; - uint8 *data_n, *data_s; - uint8 *data_g; - char *username; - SRP_PWD_ENTRY *pwd_entry; - srp_server_auth_info_t info; - ssize_t data_size; - size_t n_b, tmp_size; - char buf[64]; - uint8 *data_b; + int ret; + uint8 *data_n, *data_s; + uint8 *data_g; + char *username; + SRP_PWD_ENTRY *pwd_entry; + srp_server_auth_info_t info; + ssize_t data_size; + size_t n_b, tmp_size; + char buf[64]; + uint8 *data_b; - if ((ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_SRP, - sizeof(srp_server_auth_info_st), 1)) < 0) { - gnutls_assert(); - return ret; + if ((ret = + _gnutls_auth_info_set (session, GNUTLS_CRD_SRP, + sizeof (srp_server_auth_info_st), 1)) < 0) + { + gnutls_assert (); + return ret; } - info = _gnutls_get_auth_info(session); - username = info->username; + info = _gnutls_get_auth_info (session); + username = info->username; - _gnutls_str_cpy(username, MAX_SRP_USERNAME, - session->security_parameters.extensions.srp_username); + _gnutls_str_cpy (username, MAX_SRP_USERNAME, + session->security_parameters.extensions.srp_username); - ret = _gnutls_srp_pwd_read_entry(session, username, &pwd_entry); + ret = _gnutls_srp_pwd_read_entry (session, username, &pwd_entry); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* copy from pwd_entry to local variables (actually in session) */ - if (_gnutls_mpi_scan_nz(&G, pwd_entry->g.data, &pwd_entry->g.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + /* copy from pwd_entry to local variables (actually in session) */ + if (_gnutls_mpi_scan_nz (&G, pwd_entry->g.data, &pwd_entry->g.size) < 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - tmp_size = pwd_entry->n.size; - if (_gnutls_mpi_scan_nz(&N, pwd_entry->n.data, &tmp_size) < 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + tmp_size = pwd_entry->n.size; + if (_gnutls_mpi_scan_nz (&N, pwd_entry->n.data, &tmp_size) < 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - tmp_size = pwd_entry->v.size; - if (_gnutls_mpi_scan_nz(&V, pwd_entry->v.data, &tmp_size) < 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + tmp_size = pwd_entry->v.size; + if (_gnutls_mpi_scan_nz (&V, pwd_entry->v.data, &tmp_size) < 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - /* Calculate: B = (k*v + g^b) % N - */ - B = _gnutls_calc_srp_B(&_b, G, N, V); - if (B == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* Calculate: B = (k*v + g^b) % N + */ + B = _gnutls_calc_srp_B (&_b, G, N, V); + if (B == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - if (_gnutls_mpi_print(NULL, &n_b, B) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_PRINT_FAILED; + if (_gnutls_mpi_print (NULL, &n_b, B) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_PRINT_FAILED; } - /* Allocate size to hold the N, g, s, B - */ + /* Allocate size to hold the N, g, s, B + */ - data_size = (pwd_entry->n.size + 2 + pwd_entry->g.size + 2 + - pwd_entry->salt.size + 1) + (n_b + 2); + data_size = (pwd_entry->n.size + 2 + pwd_entry->g.size + 2 + + pwd_entry->salt.size + 1) + (n_b + 2); - (*data) = gnutls_malloc(data_size); - if ((*data) == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + (*data) = gnutls_malloc (data_size); + if ((*data) == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - /* copy N (mod n) - */ - data_n = *data; - _gnutls_write_datum16(data_n, pwd_entry->n); + /* copy N (mod n) + */ + data_n = *data; + _gnutls_write_datum16 (data_n, pwd_entry->n); - /* copy G (generator) to data - */ - data_g = &data_n[2 + pwd_entry->n.size]; - _gnutls_write_datum16(data_g, pwd_entry->g); + /* copy G (generator) to data + */ + data_g = &data_n[2 + pwd_entry->n.size]; + _gnutls_write_datum16 (data_g, pwd_entry->g); - /* copy the salt - */ - data_s = &data_g[2 + pwd_entry->g.size]; - _gnutls_write_datum8(data_s, pwd_entry->salt); + /* copy the salt + */ + data_s = &data_g[2 + pwd_entry->g.size]; + _gnutls_write_datum8 (data_s, pwd_entry->salt); - /* Copy the B value - */ + /* Copy the B value + */ - data_b = &data_s[1 + pwd_entry->salt.size]; - if (_gnutls_mpi_print(&data_b[2], &n_b, B) != 0) - return GNUTLS_E_MPI_PRINT_FAILED; - _gnutls_write_uint16(n_b, data_b); + data_b = &data_s[1 + pwd_entry->salt.size]; + if (_gnutls_mpi_print (&data_b[2], &n_b, B) != 0) + return GNUTLS_E_MPI_PRINT_FAILED; + _gnutls_write_uint16 (n_b, data_b); - _gnutls_hard_log("INT: SRP B[%d]: %s\n", n_b, - _gnutls_bin2hex(&data_b[2], n_b, buf, sizeof(buf))); + _gnutls_hard_log ("INT: SRP B[%d]: %s\n", n_b, + _gnutls_bin2hex (&data_b[2], n_b, buf, sizeof (buf))); - _gnutls_srp_entry_free(pwd_entry); + _gnutls_srp_entry_free (pwd_entry); - return data_size; + return data_size; } /* return A = g^a % N */ -int _gnutls_gen_srp_client_kx(gnutls_session_t session, opaque ** data) +int +_gnutls_gen_srp_client_kx (gnutls_session_t session, opaque ** data) { - size_t n_a; - int ret; - uint8 *data_a; - char *username, *password; - char buf[64]; - gnutls_srp_client_credentials_t cred; - - - cred = (gnutls_srp_client_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_SRP, NULL); + size_t n_a; + int ret; + uint8 *data_a; + char *username, *password; + char buf[64]; + gnutls_srp_client_credentials_t cred; - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + + cred = (gnutls_srp_client_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_SRP, NULL); + + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - if (session->internals.srp_username == NULL) { - username = cred->username; - password = cred->password; - } else { - username = session->internals.srp_username; - password = session->internals.srp_password; + if (session->internals.srp_username == NULL) + { + username = cred->username; + password = cred->password; + } + else + { + username = session->internals.srp_username; + password = session->internals.srp_password; } - if (username == NULL || password == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + if (username == NULL || password == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - /* calc A = g^a % N - */ - if (G == NULL || N == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + /* calc A = g^a % N + */ + if (G == NULL || N == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - A = _gnutls_calc_srp_A(&_a, G, N); - if (A == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + A = _gnutls_calc_srp_A (&_a, G, N); + if (A == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - /* Rest of SRP calculations - */ + /* Rest of SRP calculations + */ - /* calculate u */ - session->key->u = _gnutls_calc_srp_u(A, B, N); - if (session->key->u == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* calculate u */ + session->key->u = _gnutls_calc_srp_u (A, B, N); + if (session->key->u == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_dump_mpi("SRP U: ", session->key->u); + _gnutls_dump_mpi ("SRP U: ", session->key->u); - /* S = (B - g^x) ^ (a + u * x) % N */ - S = _gnutls_calc_srp_S2(B, G, session->key->x, _a, session->key->u, N); - if (S == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* S = (B - g^x) ^ (a + u * x) % N */ + S = _gnutls_calc_srp_S2 (B, G, session->key->x, _a, session->key->u, N); + if (S == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_dump_mpi("SRP B: ", B); + _gnutls_dump_mpi ("SRP B: ", B); - _gnutls_mpi_release(&_b); - _gnutls_mpi_release(&V); - _gnutls_mpi_release(&session->key->u); - _gnutls_mpi_release(&B); + _gnutls_mpi_release (&_b); + _gnutls_mpi_release (&V); + _gnutls_mpi_release (&session->key->u); + _gnutls_mpi_release (&B); - ret = _gnutls_generate_session_key(session->key); - _gnutls_mpi_release(&S); + ret = _gnutls_generate_session_key (session->key); + _gnutls_mpi_release (&S); - if (ret < 0) - return ret; + if (ret < 0) + return ret; - if (_gnutls_mpi_print(NULL, &n_a, A) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_PRINT_FAILED; + if (_gnutls_mpi_print (NULL, &n_a, A) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_PRINT_FAILED; } - (*data) = gnutls_malloc(n_a + 2); - if ((*data) == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + (*data) = gnutls_malloc (n_a + 2); + if ((*data) == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - /* copy A */ - data_a = (*data); - if (_gnutls_mpi_print(&data_a[2], &n_a, A) != 0) { - gnutls_free(*data); - return GNUTLS_E_MPI_PRINT_FAILED; + /* copy A */ + data_a = (*data); + if (_gnutls_mpi_print (&data_a[2], &n_a, A) != 0) + { + gnutls_free (*data); + return GNUTLS_E_MPI_PRINT_FAILED; } - _gnutls_hard_log("INT: SRP A[%d]: %s\n", n_a, - _gnutls_bin2hex(&data_a[2], n_a, buf, sizeof(buf))); + _gnutls_hard_log ("INT: SRP A[%d]: %s\n", n_a, + _gnutls_bin2hex (&data_a[2], n_a, buf, sizeof (buf))); - _gnutls_mpi_release(&A); + _gnutls_mpi_release (&A); - _gnutls_write_uint16(n_a, data_a); + _gnutls_write_uint16 (n_a, data_a); - return n_a + 2; + return n_a + 2; } /* just read A and put it to session */ -int _gnutls_proc_srp_client_kx(gnutls_session_t session, opaque * data, - size_t _data_size) +int +_gnutls_proc_srp_client_kx (gnutls_session_t session, opaque * data, + size_t _data_size) { - size_t _n_A; - ssize_t data_size = _data_size; - int ret; + size_t _n_A; + ssize_t data_size = _data_size; + int ret; - DECR_LEN(data_size, 2); - _n_A = _gnutls_read_uint16(&data[0]); + DECR_LEN (data_size, 2); + _n_A = _gnutls_read_uint16 (&data[0]); - DECR_LEN(data_size, _n_A); - if (_gnutls_mpi_scan_nz(&A, &data[2], &_n_A) || A == NULL) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + DECR_LEN (data_size, _n_A); + if (_gnutls_mpi_scan_nz (&A, &data[2], &_n_A) || A == NULL) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - _gnutls_dump_mpi("SRP A: ", A); - _gnutls_dump_mpi("SRP B: ", B); + _gnutls_dump_mpi ("SRP A: ", A); + _gnutls_dump_mpi ("SRP B: ", B); - /* Checks if A % n == 0. - */ - if ((ret = check_a_mod_n(A, N)) < 0) { - gnutls_assert(); - return ret; + /* Checks if A % n == 0. + */ + if ((ret = check_a_mod_n (A, N)) < 0) + { + gnutls_assert (); + return ret; } - /* Start the SRP calculations. - * - Calculate u - */ - session->key->u = _gnutls_calc_srp_u(A, B, N); - if (session->key->u == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* Start the SRP calculations. + * - Calculate u + */ + session->key->u = _gnutls_calc_srp_u (A, B, N); + if (session->key->u == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_dump_mpi("SRP U: ", session->key->u); + _gnutls_dump_mpi ("SRP U: ", session->key->u); - /* S = (A * v^u) ^ b % N - */ - S = _gnutls_calc_srp_S1(A, _b, session->key->u, V, N); - if (S == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* S = (A * v^u) ^ b % N + */ + S = _gnutls_calc_srp_S1 (A, _b, session->key->u, V, N); + if (S == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_dump_mpi("SRP S: ", S); + _gnutls_dump_mpi ("SRP S: ", S); - _gnutls_mpi_release(&A); - _gnutls_mpi_release(&_b); - _gnutls_mpi_release(&V); - _gnutls_mpi_release(&session->key->u); - _gnutls_mpi_release(&B); + _gnutls_mpi_release (&A); + _gnutls_mpi_release (&_b); + _gnutls_mpi_release (&V); + _gnutls_mpi_release (&session->key->u); + _gnutls_mpi_release (&B); - ret = _gnutls_generate_session_key(session->key); - _gnutls_mpi_release(&S); + ret = _gnutls_generate_session_key (session->key); + _gnutls_mpi_release (&S); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } @@ -416,370 +450,396 @@ int _gnutls_proc_srp_client_kx(gnutls_session_t session, opaque * data, * and _gnutls_srp_entry_free() should be changed. */ static const unsigned char srp_params_1024[] = { - 0xEE, 0xAF, 0x0A, 0xB9, 0xAD, 0xB3, 0x8D, 0xD6, - 0x9C, 0x33, 0xF8, 0x0A, 0xFA, 0x8F, 0xC5, 0xE8, - 0x60, 0x72, 0x61, 0x87, 0x75, 0xFF, 0x3C, 0x0B, - 0x9E, 0xA2, 0x31, 0x4C, 0x9C, 0x25, 0x65, 0x76, - 0xD6, 0x74, 0xDF, 0x74, 0x96, 0xEA, 0x81, 0xD3, - 0x38, 0x3B, 0x48, 0x13, 0xD6, 0x92, 0xC6, 0xE0, - 0xE0, 0xD5, 0xD8, 0xE2, 0x50, 0xB9, 0x8B, 0xE4, - 0x8E, 0x49, 0x5C, 0x1D, 0x60, 0x89, 0xDA, 0xD1, - 0x5D, 0xC7, 0xD7, 0xB4, 0x61, 0x54, 0xD6, 0xB6, - 0xCE, 0x8E, 0xF4, 0xAD, 0x69, 0xB1, 0x5D, 0x49, - 0x82, 0x55, 0x9B, 0x29, 0x7B, 0xCF, 0x18, 0x85, - 0xC5, 0x29, 0xF5, 0x66, 0x66, 0x0E, 0x57, 0xEC, - 0x68, 0xED, 0xBC, 0x3C, 0x05, 0x72, 0x6C, 0xC0, - 0x2F, 0xD4, 0xCB, 0xF4, 0x97, 0x6E, 0xAA, 0x9A, - 0xFD, 0x51, 0x38, 0xFE, 0x83, 0x76, 0x43, 0x5B, - 0x9F, 0xC6, 0x1D, 0x2F, 0xC0, 0xEB, 0x06, 0xE3 + 0xEE, 0xAF, 0x0A, 0xB9, 0xAD, 0xB3, 0x8D, 0xD6, + 0x9C, 0x33, 0xF8, 0x0A, 0xFA, 0x8F, 0xC5, 0xE8, + 0x60, 0x72, 0x61, 0x87, 0x75, 0xFF, 0x3C, 0x0B, + 0x9E, 0xA2, 0x31, 0x4C, 0x9C, 0x25, 0x65, 0x76, + 0xD6, 0x74, 0xDF, 0x74, 0x96, 0xEA, 0x81, 0xD3, + 0x38, 0x3B, 0x48, 0x13, 0xD6, 0x92, 0xC6, 0xE0, + 0xE0, 0xD5, 0xD8, 0xE2, 0x50, 0xB9, 0x8B, 0xE4, + 0x8E, 0x49, 0x5C, 0x1D, 0x60, 0x89, 0xDA, 0xD1, + 0x5D, 0xC7, 0xD7, 0xB4, 0x61, 0x54, 0xD6, 0xB6, + 0xCE, 0x8E, 0xF4, 0xAD, 0x69, 0xB1, 0x5D, 0x49, + 0x82, 0x55, 0x9B, 0x29, 0x7B, 0xCF, 0x18, 0x85, + 0xC5, 0x29, 0xF5, 0x66, 0x66, 0x0E, 0x57, 0xEC, + 0x68, 0xED, 0xBC, 0x3C, 0x05, 0x72, 0x6C, 0xC0, + 0x2F, 0xD4, 0xCB, 0xF4, 0x97, 0x6E, 0xAA, 0x9A, + 0xFD, 0x51, 0x38, 0xFE, 0x83, 0x76, 0x43, 0x5B, + 0x9F, 0xC6, 0x1D, 0x2F, 0xC0, 0xEB, 0x06, 0xE3 }; static const unsigned char srp_generator = 0x02; const gnutls_datum_t gnutls_srp_1024_group_prime = { - (void *) srp_params_1024, sizeof(srp_params_1024) + (void *) srp_params_1024, sizeof (srp_params_1024) }; const gnutls_datum_t gnutls_srp_1024_group_generator = { - (void *) &srp_generator, sizeof(srp_generator) + (void *) &srp_generator, sizeof (srp_generator) }; static const unsigned char srp_params_1536[] = { - 0x9D, 0xEF, 0x3C, 0xAF, 0xB9, 0x39, 0x27, 0x7A, 0xB1, - 0xF1, 0x2A, 0x86, 0x17, 0xA4, 0x7B, 0xBB, 0xDB, 0xA5, - 0x1D, 0xF4, 0x99, 0xAC, 0x4C, 0x80, 0xBE, 0xEE, 0xA9, - 0x61, 0x4B, 0x19, 0xCC, 0x4D, 0x5F, 0x4F, 0x5F, 0x55, - 0x6E, 0x27, 0xCB, 0xDE, 0x51, 0xC6, 0xA9, 0x4B, 0xE4, - 0x60, 0x7A, 0x29, 0x15, 0x58, 0x90, 0x3B, 0xA0, 0xD0, - 0xF8, 0x43, 0x80, 0xB6, 0x55, 0xBB, 0x9A, 0x22, 0xE8, - 0xDC, 0xDF, 0x02, 0x8A, 0x7C, 0xEC, 0x67, 0xF0, 0xD0, - 0x81, 0x34, 0xB1, 0xC8, 0xB9, 0x79, 0x89, 0x14, 0x9B, - 0x60, 0x9E, 0x0B, 0xE3, 0xBA, 0xB6, 0x3D, 0x47, 0x54, - 0x83, 0x81, 0xDB, 0xC5, 0xB1, 0xFC, 0x76, 0x4E, 0x3F, - 0x4B, 0x53, 0xDD, 0x9D, 0xA1, 0x15, 0x8B, 0xFD, 0x3E, - 0x2B, 0x9C, 0x8C, 0xF5, 0x6E, 0xDF, 0x01, 0x95, 0x39, - 0x34, 0x96, 0x27, 0xDB, 0x2F, 0xD5, 0x3D, 0x24, 0xB7, - 0xC4, 0x86, 0x65, 0x77, 0x2E, 0x43, 0x7D, 0x6C, 0x7F, - 0x8C, 0xE4, 0x42, 0x73, 0x4A, 0xF7, 0xCC, 0xB7, 0xAE, - 0x83, 0x7C, 0x26, 0x4A, 0xE3, 0xA9, 0xBE, 0xB8, 0x7F, - 0x8A, 0x2F, 0xE9, 0xB8, 0xB5, 0x29, 0x2E, 0x5A, 0x02, - 0x1F, 0xFF, 0x5E, 0x91, 0x47, 0x9E, 0x8C, 0xE7, 0xA2, - 0x8C, 0x24, 0x42, 0xC6, 0xF3, 0x15, 0x18, 0x0F, 0x93, - 0x49, 0x9A, 0x23, 0x4D, 0xCF, 0x76, 0xE3, 0xFE, 0xD1, - 0x35, 0xF9, 0xBB + 0x9D, 0xEF, 0x3C, 0xAF, 0xB9, 0x39, 0x27, 0x7A, 0xB1, + 0xF1, 0x2A, 0x86, 0x17, 0xA4, 0x7B, 0xBB, 0xDB, 0xA5, + 0x1D, 0xF4, 0x99, 0xAC, 0x4C, 0x80, 0xBE, 0xEE, 0xA9, + 0x61, 0x4B, 0x19, 0xCC, 0x4D, 0x5F, 0x4F, 0x5F, 0x55, + 0x6E, 0x27, 0xCB, 0xDE, 0x51, 0xC6, 0xA9, 0x4B, 0xE4, + 0x60, 0x7A, 0x29, 0x15, 0x58, 0x90, 0x3B, 0xA0, 0xD0, + 0xF8, 0x43, 0x80, 0xB6, 0x55, 0xBB, 0x9A, 0x22, 0xE8, + 0xDC, 0xDF, 0x02, 0x8A, 0x7C, 0xEC, 0x67, 0xF0, 0xD0, + 0x81, 0x34, 0xB1, 0xC8, 0xB9, 0x79, 0x89, 0x14, 0x9B, + 0x60, 0x9E, 0x0B, 0xE3, 0xBA, 0xB6, 0x3D, 0x47, 0x54, + 0x83, 0x81, 0xDB, 0xC5, 0xB1, 0xFC, 0x76, 0x4E, 0x3F, + 0x4B, 0x53, 0xDD, 0x9D, 0xA1, 0x15, 0x8B, 0xFD, 0x3E, + 0x2B, 0x9C, 0x8C, 0xF5, 0x6E, 0xDF, 0x01, 0x95, 0x39, + 0x34, 0x96, 0x27, 0xDB, 0x2F, 0xD5, 0x3D, 0x24, 0xB7, + 0xC4, 0x86, 0x65, 0x77, 0x2E, 0x43, 0x7D, 0x6C, 0x7F, + 0x8C, 0xE4, 0x42, 0x73, 0x4A, 0xF7, 0xCC, 0xB7, 0xAE, + 0x83, 0x7C, 0x26, 0x4A, 0xE3, 0xA9, 0xBE, 0xB8, 0x7F, + 0x8A, 0x2F, 0xE9, 0xB8, 0xB5, 0x29, 0x2E, 0x5A, 0x02, + 0x1F, 0xFF, 0x5E, 0x91, 0x47, 0x9E, 0x8C, 0xE7, 0xA2, + 0x8C, 0x24, 0x42, 0xC6, 0xF3, 0x15, 0x18, 0x0F, 0x93, + 0x49, 0x9A, 0x23, 0x4D, 0xCF, 0x76, 0xE3, 0xFE, 0xD1, + 0x35, 0xF9, 0xBB }; const gnutls_datum_t gnutls_srp_1536_group_prime = { - (void *) srp_params_1536, sizeof(srp_params_1536) + (void *) srp_params_1536, sizeof (srp_params_1536) }; const gnutls_datum_t gnutls_srp_1536_group_generator = { - (void *) &srp_generator, sizeof(srp_generator) + (void *) &srp_generator, sizeof (srp_generator) }; static const unsigned char srp_params_2048[] = { - 0xAC, 0x6B, 0xDB, 0x41, 0x32, 0x4A, 0x9A, 0x9B, 0xF1, - 0x66, 0xDE, 0x5E, 0x13, 0x89, 0x58, 0x2F, 0xAF, 0x72, - 0xB6, 0x65, 0x19, 0x87, 0xEE, 0x07, 0xFC, 0x31, 0x92, - 0x94, 0x3D, 0xB5, 0x60, 0x50, 0xA3, 0x73, 0x29, 0xCB, - 0xB4, 0xA0, 0x99, 0xED, 0x81, 0x93, 0xE0, 0x75, 0x77, - 0x67, 0xA1, 0x3D, 0xD5, 0x23, 0x12, 0xAB, 0x4B, 0x03, - 0x31, 0x0D, 0xCD, 0x7F, 0x48, 0xA9, 0xDA, 0x04, 0xFD, - 0x50, 0xE8, 0x08, 0x39, 0x69, 0xED, 0xB7, 0x67, 0xB0, - 0xCF, 0x60, 0x95, 0x17, 0x9A, 0x16, 0x3A, 0xB3, 0x66, - 0x1A, 0x05, 0xFB, 0xD5, 0xFA, 0xAA, 0xE8, 0x29, 0x18, - 0xA9, 0x96, 0x2F, 0x0B, 0x93, 0xB8, 0x55, 0xF9, 0x79, - 0x93, 0xEC, 0x97, 0x5E, 0xEA, 0xA8, 0x0D, 0x74, 0x0A, - 0xDB, 0xF4, 0xFF, 0x74, 0x73, 0x59, 0xD0, 0x41, 0xD5, - 0xC3, 0x3E, 0xA7, 0x1D, 0x28, 0x1E, 0x44, 0x6B, 0x14, - 0x77, 0x3B, 0xCA, 0x97, 0xB4, 0x3A, 0x23, 0xFB, 0x80, - 0x16, 0x76, 0xBD, 0x20, 0x7A, 0x43, 0x6C, 0x64, 0x81, - 0xF1, 0xD2, 0xB9, 0x07, 0x87, 0x17, 0x46, 0x1A, 0x5B, - 0x9D, 0x32, 0xE6, 0x88, 0xF8, 0x77, 0x48, 0x54, 0x45, - 0x23, 0xB5, 0x24, 0xB0, 0xD5, 0x7D, 0x5E, 0xA7, 0x7A, - 0x27, 0x75, 0xD2, 0xEC, 0xFA, 0x03, 0x2C, 0xFB, 0xDB, - 0xF5, 0x2F, 0xB3, 0x78, 0x61, 0x60, 0x27, 0x90, 0x04, - 0xE5, 0x7A, 0xE6, 0xAF, 0x87, 0x4E, 0x73, 0x03, 0xCE, - 0x53, 0x29, 0x9C, 0xCC, 0x04, 0x1C, 0x7B, 0xC3, 0x08, - 0xD8, 0x2A, 0x56, 0x98, 0xF3, 0xA8, 0xD0, 0xC3, 0x82, - 0x71, 0xAE, 0x35, 0xF8, 0xE9, 0xDB, 0xFB, 0xB6, 0x94, - 0xB5, 0xC8, 0x03, 0xD8, 0x9F, 0x7A, 0xE4, 0x35, 0xDE, - 0x23, 0x6D, 0x52, 0x5F, 0x54, 0x75, 0x9B, 0x65, 0xE3, - 0x72, 0xFC, 0xD6, 0x8E, 0xF2, 0x0F, 0xA7, 0x11, 0x1F, - 0x9E, 0x4A, 0xFF, 0x73 + 0xAC, 0x6B, 0xDB, 0x41, 0x32, 0x4A, 0x9A, 0x9B, 0xF1, + 0x66, 0xDE, 0x5E, 0x13, 0x89, 0x58, 0x2F, 0xAF, 0x72, + 0xB6, 0x65, 0x19, 0x87, 0xEE, 0x07, 0xFC, 0x31, 0x92, + 0x94, 0x3D, 0xB5, 0x60, 0x50, 0xA3, 0x73, 0x29, 0xCB, + 0xB4, 0xA0, 0x99, 0xED, 0x81, 0x93, 0xE0, 0x75, 0x77, + 0x67, 0xA1, 0x3D, 0xD5, 0x23, 0x12, 0xAB, 0x4B, 0x03, + 0x31, 0x0D, 0xCD, 0x7F, 0x48, 0xA9, 0xDA, 0x04, 0xFD, + 0x50, 0xE8, 0x08, 0x39, 0x69, 0xED, 0xB7, 0x67, 0xB0, + 0xCF, 0x60, 0x95, 0x17, 0x9A, 0x16, 0x3A, 0xB3, 0x66, + 0x1A, 0x05, 0xFB, 0xD5, 0xFA, 0xAA, 0xE8, 0x29, 0x18, + 0xA9, 0x96, 0x2F, 0x0B, 0x93, 0xB8, 0x55, 0xF9, 0x79, + 0x93, 0xEC, 0x97, 0x5E, 0xEA, 0xA8, 0x0D, 0x74, 0x0A, + 0xDB, 0xF4, 0xFF, 0x74, 0x73, 0x59, 0xD0, 0x41, 0xD5, + 0xC3, 0x3E, 0xA7, 0x1D, 0x28, 0x1E, 0x44, 0x6B, 0x14, + 0x77, 0x3B, 0xCA, 0x97, 0xB4, 0x3A, 0x23, 0xFB, 0x80, + 0x16, 0x76, 0xBD, 0x20, 0x7A, 0x43, 0x6C, 0x64, 0x81, + 0xF1, 0xD2, 0xB9, 0x07, 0x87, 0x17, 0x46, 0x1A, 0x5B, + 0x9D, 0x32, 0xE6, 0x88, 0xF8, 0x77, 0x48, 0x54, 0x45, + 0x23, 0xB5, 0x24, 0xB0, 0xD5, 0x7D, 0x5E, 0xA7, 0x7A, + 0x27, 0x75, 0xD2, 0xEC, 0xFA, 0x03, 0x2C, 0xFB, 0xDB, + 0xF5, 0x2F, 0xB3, 0x78, 0x61, 0x60, 0x27, 0x90, 0x04, + 0xE5, 0x7A, 0xE6, 0xAF, 0x87, 0x4E, 0x73, 0x03, 0xCE, + 0x53, 0x29, 0x9C, 0xCC, 0x04, 0x1C, 0x7B, 0xC3, 0x08, + 0xD8, 0x2A, 0x56, 0x98, 0xF3, 0xA8, 0xD0, 0xC3, 0x82, + 0x71, 0xAE, 0x35, 0xF8, 0xE9, 0xDB, 0xFB, 0xB6, 0x94, + 0xB5, 0xC8, 0x03, 0xD8, 0x9F, 0x7A, 0xE4, 0x35, 0xDE, + 0x23, 0x6D, 0x52, 0x5F, 0x54, 0x75, 0x9B, 0x65, 0xE3, + 0x72, 0xFC, 0xD6, 0x8E, 0xF2, 0x0F, 0xA7, 0x11, 0x1F, + 0x9E, 0x4A, 0xFF, 0x73 }; const gnutls_datum_t gnutls_srp_2048_group_prime = { - (void *) srp_params_2048, sizeof(srp_params_2048) + (void *) srp_params_2048, sizeof (srp_params_2048) }; const gnutls_datum_t gnutls_srp_2048_group_generator = { - (void *) &srp_generator, sizeof(srp_generator) + (void *) &srp_generator, sizeof (srp_generator) }; /* Check if G and N are parameters from the SRP draft. */ -static int check_g_n(const opaque * g, size_t n_g, - const opaque * n, size_t n_n) +static int +check_g_n (const opaque * g, size_t n_g, const opaque * n, size_t n_n) { - if (n_g != 1 || g[0] != srp_generator) - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + if (n_g != 1 || g[0] != srp_generator) + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - if (n_n == sizeof(srp_params_1024) && - memcmp(srp_params_1024, n, n_n) == 0) { - return 0; + if (n_n == sizeof (srp_params_1024) && + memcmp (srp_params_1024, n, n_n) == 0) + { + return 0; } - if (n_n == sizeof(srp_params_1536) && - memcmp(srp_params_1536, n, n_n) == 0) { - return 0; + if (n_n == sizeof (srp_params_1536) && + memcmp (srp_params_1536, n, n_n) == 0) + { + return 0; } - if (n_n == sizeof(srp_params_2048) && - memcmp(srp_params_2048, n, n_n) == 0) { - return 0; + if (n_n == sizeof (srp_params_2048) && + memcmp (srp_params_2048, n, n_n) == 0) + { + return 0; } - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } /* Check if N is a prime and G a generator of the * group. This is check only done if N is big enough. * Otherwise only the included parameters must be used. */ -static int group_check_g_n(mpi_t g, mpi_t n) +static int +group_check_g_n (mpi_t g, mpi_t n) { - mpi_t q = NULL, two = NULL, w = NULL; - int ret; + mpi_t q = NULL, two = NULL, w = NULL; + int ret; - if (_gnutls_mpi_get_nbits(n) < 2048) { - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + if (_gnutls_mpi_get_nbits (n) < 2048) + { + gnutls_assert (); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } - /* N must be of the form N=2q+1 - * where q is also a prime. - */ - if (_gnutls_prime_check(n, 0) != 0) { - _gnutls_dump_mpi("no prime N: ", n); - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + /* N must be of the form N=2q+1 + * where q is also a prime. + */ + if (_gnutls_prime_check (n, 0) != 0) + { + _gnutls_dump_mpi ("no prime N: ", n); + gnutls_assert (); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } - two = _gnutls_mpi_new(4); - if (two == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + two = _gnutls_mpi_new (4); + if (two == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - q = _gnutls_mpi_alloc_like(n); - if (q == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; + q = _gnutls_mpi_alloc_like (n); + if (q == NULL) + { + gnutls_assert (); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; } - /* q = n-1 - */ - _gnutls_mpi_sub_ui(q, n, 1); + /* q = n-1 + */ + _gnutls_mpi_sub_ui (q, n, 1); - /* q = q/2, remember that q is divisible by 2 (prime - 1) - */ - _gnutls_mpi_set_ui(two, 2); - _gnutls_mpi_div(q, NULL, q, two, 0); + /* q = q/2, remember that q is divisible by 2 (prime - 1) + */ + _gnutls_mpi_set_ui (two, 2); + _gnutls_mpi_div (q, NULL, q, two, 0); - if (_gnutls_prime_check(q, 0) != 0) { - /* N was not on the form N=2q+1, where q = prime - */ - _gnutls_dump_mpi("no prime Q: ", q); - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + if (_gnutls_prime_check (q, 0) != 0) + { + /* N was not on the form N=2q+1, where q = prime + */ + _gnutls_dump_mpi ("no prime Q: ", q); + gnutls_assert (); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } - /* We also check whether g is a generator, - */ + /* We also check whether g is a generator, + */ - /* check if g < q < N - */ - if (_gnutls_mpi_cmp(g, q) >= 0) { - gnutls_assert(); - ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - goto error; + /* check if g < q < N + */ + if (_gnutls_mpi_cmp (g, q) >= 0) + { + gnutls_assert (); + ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + goto error; } - w = _gnutls_mpi_alloc_like(q); - if (w == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; + w = _gnutls_mpi_alloc_like (q); + if (w == NULL) + { + gnutls_assert (); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; } - /* check if g^q mod N == N-1 - * w = g^q mod N - */ - _gnutls_mpi_powm(w, g, q, n); + /* check if g^q mod N == N-1 + * w = g^q mod N + */ + _gnutls_mpi_powm (w, g, q, n); - /* w++ - */ - _gnutls_mpi_add_ui(w, w, 1); + /* w++ + */ + _gnutls_mpi_add_ui (w, w, 1); - if (_gnutls_mpi_cmp(w, n) != 0) { - gnutls_assert(); - ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - goto error; + if (_gnutls_mpi_cmp (w, n) != 0) + { + gnutls_assert (); + ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + goto error; } - ret = 0; + ret = 0; - error: - _gnutls_mpi_release(&q); - _gnutls_mpi_release(&two); - _gnutls_mpi_release(&w); +error: + _gnutls_mpi_release (&q); + _gnutls_mpi_release (&two); + _gnutls_mpi_release (&w); - return ret; + return ret; } /* receive the key exchange message ( n, g, s, B) */ -int _gnutls_proc_srp_server_kx(gnutls_session_t session, opaque * data, - size_t _data_size) +int +_gnutls_proc_srp_server_kx (gnutls_session_t session, opaque * data, + size_t _data_size) { - uint8 n_s; - uint16 n_g, n_n, n_b; - size_t _n_s, _n_g, _n_n, _n_b; - const uint8 *data_n; - const uint8 *data_g; - const uint8 *data_s; - const uint8 *data_b; - int i, ret; - opaque hd[SRP_MAX_HASH_SIZE]; - char *username, *password; - ssize_t data_size = _data_size; - gnutls_srp_client_credentials_t cred; - - cred = (gnutls_srp_client_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_SRP, NULL); - - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (session->internals.srp_username == NULL) { - username = cred->username; - password = cred->password; - } else { - username = session->internals.srp_username; - password = session->internals.srp_password; - } - - if (username == NULL || password == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - i = 0; - - /* Read N - */ - DECR_LEN(data_size, 2); - n_n = _gnutls_read_uint16(&data[i]); - i += 2; - - DECR_LEN(data_size, n_n); - data_n = &data[i]; - i += n_n; - - /* Read G - */ - DECR_LEN(data_size, 2); - n_g = _gnutls_read_uint16(&data[i]); - i += 2; - - DECR_LEN(data_size, n_g); - data_g = &data[i]; - i += n_g; - - /* Read salt - */ - DECR_LEN(data_size, 1); - n_s = data[i]; - i += 1; - - DECR_LEN(data_size, n_s); - data_s = &data[i]; - i += n_s; - - /* Read B - */ - DECR_LEN(data_size, 2); - n_b = _gnutls_read_uint16(&data[i]); - i += 2; - - DECR_LEN(data_size, n_b); - data_b = &data[i]; - i += n_b; - - _n_s = n_s; - _n_g = n_g; - _n_n = n_n; - _n_b = n_b; - - if (_gnutls_mpi_scan_nz(&N, data_n, &_n_n) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - if (_gnutls_mpi_scan_nz(&G, data_g, &_n_g) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - if (_gnutls_mpi_scan_nz(&B, data_b, &_n_b) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - - /* Check if the g and n are from the SRP - * draft. Otherwise check if N is a prime and G - * a generator. - */ - if ((ret = check_g_n(data_g, _n_g, data_n, _n_n)) < 0) { - _gnutls_x509_log("Checking the SRP group parameters.\n"); - if ((ret = group_check_g_n(G, N)) < 0) { - gnutls_assert(); - return ret; + uint8 n_s; + uint16 n_g, n_n, n_b; + size_t _n_s, _n_g, _n_n, _n_b; + const uint8 *data_n; + const uint8 *data_g; + const uint8 *data_s; + const uint8 *data_b; + int i, ret; + opaque hd[SRP_MAX_HASH_SIZE]; + char *username, *password; + ssize_t data_size = _data_size; + gnutls_srp_client_credentials_t cred; + + cred = (gnutls_srp_client_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_SRP, NULL); + + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (session->internals.srp_username == NULL) + { + username = cred->username; + password = cred->password; + } + else + { + username = session->internals.srp_username; + password = session->internals.srp_password; + } + + if (username == NULL || password == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + i = 0; + + /* Read N + */ + DECR_LEN (data_size, 2); + n_n = _gnutls_read_uint16 (&data[i]); + i += 2; + + DECR_LEN (data_size, n_n); + data_n = &data[i]; + i += n_n; + + /* Read G + */ + DECR_LEN (data_size, 2); + n_g = _gnutls_read_uint16 (&data[i]); + i += 2; + + DECR_LEN (data_size, n_g); + data_g = &data[i]; + i += n_g; + + /* Read salt + */ + DECR_LEN (data_size, 1); + n_s = data[i]; + i += 1; + + DECR_LEN (data_size, n_s); + data_s = &data[i]; + i += n_s; + + /* Read B + */ + DECR_LEN (data_size, 2); + n_b = _gnutls_read_uint16 (&data[i]); + i += 2; + + DECR_LEN (data_size, n_b); + data_b = &data[i]; + i += n_b; + + _n_s = n_s; + _n_g = n_g; + _n_n = n_n; + _n_b = n_b; + + if (_gnutls_mpi_scan_nz (&N, data_n, &_n_n) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + if (_gnutls_mpi_scan_nz (&G, data_g, &_n_g) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + if (_gnutls_mpi_scan_nz (&B, data_b, &_n_b) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + + /* Check if the g and n are from the SRP + * draft. Otherwise check if N is a prime and G + * a generator. + */ + if ((ret = check_g_n (data_g, _n_g, data_n, _n_n)) < 0) + { + _gnutls_x509_log ("Checking the SRP group parameters.\n"); + if ((ret = group_check_g_n (G, N)) < 0) + { + gnutls_assert (); + return ret; } } - /* Checks if b % n == 0 - */ - if ((ret = check_b_mod_n(B, N)) < 0) { - gnutls_assert(); - return ret; + /* Checks if b % n == 0 + */ + if ((ret = check_b_mod_n (B, N)) < 0) + { + gnutls_assert (); + return ret; } - /* generate x = SHA(s | SHA(U | ":" | p)) - * (or the equivalent using bcrypt) - */ - if ((ret = - _gnutls_calc_srp_x(username, password, (opaque *) data_s, n_s, - &_n_g, hd)) < 0) { - gnutls_assert(); - return ret; + /* generate x = SHA(s | SHA(U | ":" | p)) + * (or the equivalent using bcrypt) + */ + if ((ret = + _gnutls_calc_srp_x (username, password, (opaque *) data_s, n_s, + &_n_g, hd)) < 0) + { + gnutls_assert (); + return ret; } - if (_gnutls_mpi_scan_nz(&session->key->x, hd, &_n_g) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + if (_gnutls_mpi_scan_nz (&session->key->x, hd, &_n_g) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - return i; /* return the processed data + return i; /* return the processed data * needed in auth_srp_rsa. */ } -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/lib/auth_srp.h b/lib/auth_srp.h index b23a7369c1..3caa389640 100644 --- a/lib/auth_srp.h +++ b/lib/auth_srp.h @@ -27,24 +27,27 @@ #include <gnutls_auth.h> -typedef struct gnutls_srp_client_credentials_st { - char *username; - char *password; - gnutls_srp_client_credentials_function *get_function; +typedef struct gnutls_srp_client_credentials_st +{ + char *username; + char *password; + gnutls_srp_client_credentials_function *get_function; } srp_client_credentials_st; -typedef struct gnutls_srp_server_credentials_st { - char *password_file; - char *password_conf_file; - /* callback function, instead of reading the - * password files. - */ - gnutls_srp_server_credentials_function *pwd_callback; +typedef struct gnutls_srp_server_credentials_st +{ + char *password_file; + char *password_conf_file; + /* callback function, instead of reading the + * password files. + */ + gnutls_srp_server_credentials_function *pwd_callback; } srp_server_cred_st; /* these structures should not use allocated data */ -typedef struct srp_server_auth_info_st { - char username[MAX_SRP_USERNAME+1]; +typedef struct srp_server_auth_info_st +{ + char username[MAX_SRP_USERNAME + 1]; } *srp_server_auth_info_t; extern const gnutls_datum_t gnutls_srp_1024_group_prime; @@ -57,19 +60,19 @@ extern const gnutls_datum_t gnutls_srp_2048_group_generator; #ifdef ENABLE_SRP -int _gnutls_proc_srp_server_hello(gnutls_session_t state, - const opaque * data, size_t data_size); -int _gnutls_gen_srp_server_hello(gnutls_session_t state, opaque * data, - size_t data_size); +int _gnutls_proc_srp_server_hello (gnutls_session_t state, + const opaque * data, size_t data_size); +int _gnutls_gen_srp_server_hello (gnutls_session_t state, opaque * data, + size_t data_size); -int _gnutls_gen_srp_server_kx(gnutls_session_t, opaque **); -int _gnutls_gen_srp_client_kx(gnutls_session_t, opaque **); +int _gnutls_gen_srp_server_kx (gnutls_session_t, opaque **); +int _gnutls_gen_srp_client_kx (gnutls_session_t, opaque **); -int _gnutls_proc_srp_server_kx(gnutls_session_t, opaque *, size_t); -int _gnutls_proc_srp_client_kx(gnutls_session_t, opaque *, size_t); +int _gnutls_proc_srp_server_kx (gnutls_session_t, opaque *, size_t); +int _gnutls_proc_srp_client_kx (gnutls_session_t, opaque *, size_t); typedef struct srp_server_auth_info_st srp_server_auth_info_st; -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ #endif diff --git a/lib/auth_srp_passwd.c b/lib/auth_srp_passwd.c index edaaa1de66..35be3f8a73 100644 --- a/lib/auth_srp_passwd.c +++ b/lib/auth_srp_passwd.c @@ -41,377 +41,425 @@ #include <gnutls_num.h> #include <gc.h> -static int _randomize_pwd_entry(SRP_PWD_ENTRY * entry); +static int _randomize_pwd_entry (SRP_PWD_ENTRY * entry); /* this function parses tpasswd.conf file. Format is: * string(username):base64(v):base64(salt):int(index) */ -static int pwd_put_values(SRP_PWD_ENTRY * entry, char *str) +static int +pwd_put_values (SRP_PWD_ENTRY * entry, char *str) { - char *p; - int len, ret; - opaque *verifier; - size_t verifier_size; - int indx; - - p = strrchr(str, ':'); /* we have index */ - if (p == NULL) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; + char *p; + int len, ret; + opaque *verifier; + size_t verifier_size; + int indx; + + p = strrchr (str, ':'); /* we have index */ + if (p == NULL) + { + gnutls_assert (); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; } - *p = '\0'; - p++; + *p = '\0'; + p++; - len = strlen(p); - indx = atoi(p); - if (indx == 0) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; + len = strlen (p); + indx = atoi (p); + if (indx == 0) + { + gnutls_assert (); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; } - /* now go for salt */ - p = strrchr(str, ':'); /* we have salt */ - if (p == NULL) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; + /* now go for salt */ + p = strrchr (str, ':'); /* we have salt */ + if (p == NULL) + { + gnutls_assert (); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; } - *p = '\0'; - p++; + *p = '\0'; + p++; - len = strlen(p); + len = strlen (p); - entry->salt.size = _gnutls_sbase64_decode(p, len, &entry->salt.data); + entry->salt.size = _gnutls_sbase64_decode (p, len, &entry->salt.data); - if (entry->salt.size <= 0) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; + if (entry->salt.size <= 0) + { + gnutls_assert (); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; } - /* now go for verifier */ - p = strrchr(str, ':'); /* we have verifier */ - if (p == NULL) { - _gnutls_free_datum(&entry->salt); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; + /* now go for verifier */ + p = strrchr (str, ':'); /* we have verifier */ + if (p == NULL) + { + _gnutls_free_datum (&entry->salt); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; } - *p = '\0'; - p++; + *p = '\0'; + p++; - len = strlen(p); - ret = _gnutls_sbase64_decode(p, len, &verifier); - if (ret <= 0) { - gnutls_assert(); - _gnutls_free_datum(&entry->salt); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; + len = strlen (p); + ret = _gnutls_sbase64_decode (p, len, &verifier); + if (ret <= 0) + { + gnutls_assert (); + _gnutls_free_datum (&entry->salt); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; } - verifier_size = ret; - entry->v.data = verifier; - entry->v.size = verifier_size; + verifier_size = ret; + entry->v.data = verifier; + entry->v.size = verifier_size; - /* now go for username */ - *p = '\0'; + /* now go for username */ + *p = '\0'; - entry->username = gnutls_strdup(str); - if (entry->username == NULL) { - _gnutls_free_datum(&entry->salt); - _gnutls_free_datum(&entry->v); - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + entry->username = gnutls_strdup (str); + if (entry->username == NULL) + { + _gnutls_free_datum (&entry->salt); + _gnutls_free_datum (&entry->v); + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - return indx; + return indx; } /* this function parses tpasswd.conf file. Format is: * int(index):base64(n):int(g) */ -static int pwd_put_values2(SRP_PWD_ENTRY * entry, char *str) +static int +pwd_put_values2 (SRP_PWD_ENTRY * entry, char *str) { - char *p; - int len; - opaque *tmp; - int ret; - - p = strrchr(str, ':'); /* we have g */ - if (p == NULL) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; + char *p; + int len; + opaque *tmp; + int ret; + + p = strrchr (str, ':'); /* we have g */ + if (p == NULL) + { + gnutls_assert (); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; } - *p = '\0'; - p++; + *p = '\0'; + p++; - /* read the generator */ - len = strlen(p); - if (p[len - 1] == '\n' || p[len - 1] == ' ') - len--; - ret = _gnutls_sbase64_decode(p, len, &tmp); + /* read the generator */ + len = strlen (p); + if (p[len - 1] == '\n' || p[len - 1] == ' ') + len--; + ret = _gnutls_sbase64_decode (p, len, &tmp); - if (ret < 0) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; + if (ret < 0) + { + gnutls_assert (); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; } - entry->g.data = tmp; - entry->g.size = ret; + entry->g.data = tmp; + entry->g.size = ret; - /* now go for n - modulo */ - p = strrchr(str, ':'); /* we have n */ - if (p == NULL) { - _gnutls_free_datum(&entry->g); - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; + /* now go for n - modulo */ + p = strrchr (str, ':'); /* we have n */ + if (p == NULL) + { + _gnutls_free_datum (&entry->g); + gnutls_assert (); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; } - *p = '\0'; - p++; + *p = '\0'; + p++; - len = strlen(p); - ret = _gnutls_sbase64_decode(p, len, &tmp); + len = strlen (p); + ret = _gnutls_sbase64_decode (p, len, &tmp); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(&entry->g); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (&entry->g); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; } - entry->n.data = tmp; - entry->n.size = ret; + entry->n.data = tmp; + entry->n.size = ret; - return 0; + return 0; } /* this function opens the tpasswd.conf file and reads the g and n * values. They are put in the entry. */ -static int pwd_read_conf(const char *pconf_file, SRP_PWD_ENTRY * entry, - int idx) +static int +pwd_read_conf (const char *pconf_file, SRP_PWD_ENTRY * entry, int idx) { - FILE *fd; - char line[2 * 1024]; - uint i, len; - char indexstr[10]; - - sprintf(indexstr, "%d", idx); /* Flawfinder: ignore */ - - fd = fopen(pconf_file, "r"); - if (fd == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; + FILE *fd; + char line[2 * 1024]; + uint i, len; + char indexstr[10]; + + sprintf (indexstr, "%d", idx); /* Flawfinder: ignore */ + + fd = fopen (pconf_file, "r"); + if (fd == NULL) + { + gnutls_assert (); + return GNUTLS_E_FILE_ERROR; } - len = strlen(indexstr); - while (fgets(line, sizeof(line), fd) != NULL) { - /* move to first ':' */ - i = 0; - while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof(line))) { - i++; + len = strlen (indexstr); + while (fgets (line, sizeof (line), fd) != NULL) + { + /* move to first ':' */ + i = 0; + while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof (line))) + { + i++; } - if (strncmp(indexstr, line, MAX(i, len)) == 0) { - if ((idx = pwd_put_values2(entry, line)) >= 0) - return 0; - else { - return GNUTLS_E_SRP_PWD_ERROR; + if (strncmp (indexstr, line, MAX (i, len)) == 0) + { + if ((idx = pwd_put_values2 (entry, line)) >= 0) + return 0; + else + { + return GNUTLS_E_SRP_PWD_ERROR; } } } - return GNUTLS_E_SRP_PWD_ERROR; + return GNUTLS_E_SRP_PWD_ERROR; } -int _gnutls_srp_pwd_read_entry(gnutls_session_t state, char *username, - SRP_PWD_ENTRY ** _entry) +int +_gnutls_srp_pwd_read_entry (gnutls_session_t state, char *username, + SRP_PWD_ENTRY ** _entry) { - gnutls_srp_server_credentials_t cred; - FILE *fd; - char line[2 * 1024]; - uint i, len; - int ret; - int idx, last_idx; - SRP_PWD_ENTRY *entry; - - *_entry = gnutls_calloc(1, sizeof(SRP_PWD_ENTRY)); - if (*_entry == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + gnutls_srp_server_credentials_t cred; + FILE *fd; + char line[2 * 1024]; + uint i, len; + int ret; + int idx, last_idx; + SRP_PWD_ENTRY *entry; + + *_entry = gnutls_calloc (1, sizeof (SRP_PWD_ENTRY)); + if (*_entry == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - entry = *_entry; - - cred = (gnutls_srp_server_credentials_t) - _gnutls_get_cred(state->key, GNUTLS_CRD_SRP, NULL); - if (cred == NULL) { - gnutls_assert(); - _gnutls_srp_entry_free(entry); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + entry = *_entry; + + cred = (gnutls_srp_server_credentials_t) + _gnutls_get_cred (state->key, GNUTLS_CRD_SRP, NULL); + if (cred == NULL) + { + gnutls_assert (); + _gnutls_srp_entry_free (entry); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - /* if the callback which sends the parameters is - * set, use it. - */ - if (cred->pwd_callback != NULL) { - ret = cred->pwd_callback(state, username, &entry->salt, - &entry->v, &entry->g, &entry->n); - - if (ret == 1) { /* the user does not exist */ - if (entry->g.size != 0 && entry->n.size != 0) { - ret = _randomize_pwd_entry(entry); - if (ret < 0) { - _gnutls_srp_entry_free(entry); - return ret; + /* if the callback which sends the parameters is + * set, use it. + */ + if (cred->pwd_callback != NULL) + { + ret = cred->pwd_callback (state, username, &entry->salt, + &entry->v, &entry->g, &entry->n); + + if (ret == 1) + { /* the user does not exist */ + if (entry->g.size != 0 && entry->n.size != 0) + { + ret = _randomize_pwd_entry (entry); + if (ret < 0) + { + _gnutls_srp_entry_free (entry); + return ret; } - return 0; - } else { - gnutls_assert(); - ret = -1; /* error in the callback */ + return 0; + } + else + { + gnutls_assert (); + ret = -1; /* error in the callback */ } } - if (ret < 0) { - gnutls_assert(); - _gnutls_srp_entry_free(entry); - return GNUTLS_E_SRP_PWD_ERROR; + if (ret < 0) + { + gnutls_assert (); + _gnutls_srp_entry_free (entry); + return GNUTLS_E_SRP_PWD_ERROR; } - return 0; + return 0; } - /* The callback was not set. Proceed. - */ + /* The callback was not set. Proceed. + */ - if (cred->password_file == NULL) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_ERROR; + if (cred->password_file == NULL) + { + gnutls_assert (); + return GNUTLS_E_SRP_PWD_ERROR; } - /* Open the selected password file. - */ - fd = fopen(cred->password_file, "r"); - if (fd == NULL) { - gnutls_assert(); - _gnutls_srp_entry_free(entry); - return GNUTLS_E_SRP_PWD_ERROR; + /* Open the selected password file. + */ + fd = fopen (cred->password_file, "r"); + if (fd == NULL) + { + gnutls_assert (); + _gnutls_srp_entry_free (entry); + return GNUTLS_E_SRP_PWD_ERROR; } - last_idx = 1; /* a default value */ + last_idx = 1; /* a default value */ - len = strlen(username); - while (fgets(line, sizeof(line), fd) != NULL) { - /* move to first ':' */ - i = 0; - while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof(line))) { - i++; + len = strlen (username); + while (fgets (line, sizeof (line), fd) != NULL) + { + /* move to first ':' */ + i = 0; + while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof (line))) + { + i++; } - if (strncmp(username, line, MAX(i, len)) == 0) { - if ((idx = pwd_put_values(entry, line)) >= 0) { - /* Keep the last index in memory, so we can retrieve fake parameters (g,n) - * when the user does not exist. - */ - last_idx = idx; - if (pwd_read_conf(cred->password_conf_file, entry, idx) - == 0) { - return 0; - } else { - gnutls_assert(); - _gnutls_srp_entry_free(entry); - return GNUTLS_E_SRP_PWD_ERROR; + if (strncmp (username, line, MAX (i, len)) == 0) + { + if ((idx = pwd_put_values (entry, line)) >= 0) + { + /* Keep the last index in memory, so we can retrieve fake parameters (g,n) + * when the user does not exist. + */ + last_idx = idx; + if (pwd_read_conf (cred->password_conf_file, entry, idx) == 0) + { + return 0; } - } else { - gnutls_assert(); - _gnutls_srp_entry_free(entry); - return GNUTLS_E_SRP_PWD_ERROR; + else + { + gnutls_assert (); + _gnutls_srp_entry_free (entry); + return GNUTLS_E_SRP_PWD_ERROR; + } + } + else + { + gnutls_assert (); + _gnutls_srp_entry_free (entry); + return GNUTLS_E_SRP_PWD_ERROR; } } } - /* user was not found. Fake him. Actually read the g,n values from - * the last index found and randomize the entry. - */ - if (pwd_read_conf(cred->password_conf_file, entry, last_idx) == 0) { - ret = _randomize_pwd_entry(entry); - if (ret < 0) { - gnutls_assert(); - _gnutls_srp_entry_free(entry); - return ret; + /* user was not found. Fake him. Actually read the g,n values from + * the last index found and randomize the entry. + */ + if (pwd_read_conf (cred->password_conf_file, entry, last_idx) == 0) + { + ret = _randomize_pwd_entry (entry); + if (ret < 0) + { + gnutls_assert (); + _gnutls_srp_entry_free (entry); + return ret; } - return 0; + return 0; } - gnutls_assert(); - _gnutls_srp_entry_free(entry); - return GNUTLS_E_SRP_PWD_ERROR; + gnutls_assert (); + _gnutls_srp_entry_free (entry); + return GNUTLS_E_SRP_PWD_ERROR; } /* Randomizes the given password entry. It actually sets the verifier * and the salt. Returns 0 on success. */ -static int _randomize_pwd_entry(SRP_PWD_ENTRY * entry) +static int +_randomize_pwd_entry (SRP_PWD_ENTRY * entry) { - unsigned char rnd; + unsigned char rnd; - if (entry->g.size == 0 || entry->n.size == 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (entry->g.size == 0 || entry->n.size == 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - if (gc_nonce (&rnd, 1) != GC_OK) { - gnutls_assert(); + if (gc_nonce (&rnd, 1) != GC_OK) + { + gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; } - entry->salt.size = (rnd % 10) + 9; - - entry->v.data = gnutls_malloc(20); - entry->v.size = 20; - if (entry->v.data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + entry->salt.size = (rnd % 10) + 9; + + entry->v.data = gnutls_malloc (20); + entry->v.size = 20; + if (entry->v.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - if (gc_nonce (entry->v.data, 20) != GC_OK) { - gnutls_assert(); + if (gc_nonce (entry->v.data, 20) != GC_OK) + { + gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; } - entry->salt.data = gnutls_malloc(entry->salt.size); - if (entry->salt.data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + entry->salt.data = gnutls_malloc (entry->salt.size); + if (entry->salt.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - if (gc_nonce (entry->salt.data, entry->salt.size) != GC_OK) { - gnutls_assert(); + if (gc_nonce (entry->salt.data, entry->salt.size) != GC_OK) + { + gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; } - return 0; + return 0; } /* Free all the entry parameters, except if g and n are * the static ones defined in extra.h */ -void _gnutls_srp_entry_free(SRP_PWD_ENTRY * entry) +void +_gnutls_srp_entry_free (SRP_PWD_ENTRY * entry) { - _gnutls_free_datum(&entry->v); - _gnutls_free_datum(&entry->salt); + _gnutls_free_datum (&entry->v); + _gnutls_free_datum (&entry->salt); - if (entry->g.data != gnutls_srp_1024_group_generator.data) - _gnutls_free_datum(&entry->g); + if (entry->g.data != gnutls_srp_1024_group_generator.data) + _gnutls_free_datum (&entry->g); - if (entry->n.data != gnutls_srp_1024_group_prime.data && - entry->n.data != gnutls_srp_1536_group_prime.data && - entry->n.data != gnutls_srp_2048_group_prime.data) - _gnutls_free_datum(&entry->n); + if (entry->n.data != gnutls_srp_1024_group_prime.data && + entry->n.data != gnutls_srp_1536_group_prime.data && + entry->n.data != gnutls_srp_2048_group_prime.data) + _gnutls_free_datum (&entry->n); - gnutls_free(entry->username); - gnutls_free(entry); + gnutls_free (entry->username); + gnutls_free (entry); } -#endif /* ENABLE SRP */ +#endif /* ENABLE SRP */ diff --git a/lib/auth_srp_passwd.h b/lib/auth_srp_passwd.h index ed526196cf..5111a838cb 100644 --- a/lib/auth_srp_passwd.h +++ b/lib/auth_srp_passwd.h @@ -24,22 +24,21 @@ #ifdef ENABLE_SRP -typedef struct { - char *username; +typedef struct +{ + char *username; - gnutls_datum_t salt; - gnutls_datum_t v; - gnutls_datum_t g; - gnutls_datum_t n; + gnutls_datum_t salt; + gnutls_datum_t v; + gnutls_datum_t g; + gnutls_datum_t n; } SRP_PWD_ENTRY; /* this is locally allocated. It should be freed using the provided function */ -int _gnutls_srp_pwd_read_entry(gnutls_session_t state, char *username, - SRP_PWD_ENTRY **); -void _gnutls_srp_entry_free(SRP_PWD_ENTRY * entry); -int _gnutls_sbase64_encode(uint8 * data, size_t data_size, - uint8 ** result); -int _gnutls_sbase64_decode(uint8 * data, size_t data_size, - uint8 ** result); +int _gnutls_srp_pwd_read_entry (gnutls_session_t state, char *username, + SRP_PWD_ENTRY **); +void _gnutls_srp_entry_free (SRP_PWD_ENTRY * entry); +int _gnutls_sbase64_encode (uint8 * data, size_t data_size, uint8 ** result); +int _gnutls_sbase64_decode (uint8 * data, size_t data_size, uint8 ** result); -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/lib/auth_srp_rsa.c b/lib/auth_srp_rsa.c index 1107547445..a6830f340d 100644 --- a/lib/auth_srp_rsa.c +++ b/lib/auth_srp_rsa.c @@ -42,162 +42,167 @@ #include <gnutls_x509.h> #include <gnutls_extra.h> -static int gen_srp_cert_server_kx(gnutls_session_t, opaque **); -static int proc_srp_cert_server_kx(gnutls_session_t, opaque *, size_t); +static int gen_srp_cert_server_kx (gnutls_session_t, opaque **); +static int proc_srp_cert_server_kx (gnutls_session_t, opaque *, size_t); const mod_auth_st srp_rsa_auth_struct = { - "SRP", - _gnutls_gen_cert_server_certificate, - NULL, - gen_srp_cert_server_kx, - _gnutls_gen_srp_client_kx, - NULL, - NULL, - - _gnutls_proc_cert_server_certificate, - NULL, /* certificate */ - proc_srp_cert_server_kx, - _gnutls_proc_srp_client_kx, - NULL, - NULL + "SRP", + _gnutls_gen_cert_server_certificate, + NULL, + gen_srp_cert_server_kx, + _gnutls_gen_srp_client_kx, + NULL, + NULL, + + _gnutls_proc_cert_server_certificate, + NULL, /* certificate */ + proc_srp_cert_server_kx, + _gnutls_proc_srp_client_kx, + NULL, + NULL }; const mod_auth_st srp_dss_auth_struct = { - "SRP", - _gnutls_gen_cert_server_certificate, - NULL, - gen_srp_cert_server_kx, - _gnutls_gen_srp_client_kx, - NULL, - NULL, - - _gnutls_proc_cert_server_certificate, - NULL, /* certificate */ - proc_srp_cert_server_kx, - _gnutls_proc_srp_client_kx, - NULL, - NULL + "SRP", + _gnutls_gen_cert_server_certificate, + NULL, + gen_srp_cert_server_kx, + _gnutls_gen_srp_client_kx, + NULL, + NULL, + + _gnutls_proc_cert_server_certificate, + NULL, /* certificate */ + proc_srp_cert_server_kx, + _gnutls_proc_srp_client_kx, + NULL, + NULL }; -static int gen_srp_cert_server_kx(gnutls_session_t session, opaque ** data) +static int +gen_srp_cert_server_kx (gnutls_session_t session, opaque ** data) { - ssize_t ret, data_size; - gnutls_datum_t signature, ddata; - gnutls_certificate_credentials_t cred; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length; - - ret = _gnutls_gen_srp_server_kx(session, data); - - if (ret < 0) - return ret; - - data_size = ret; - ddata.data = *data; - ddata.size = data_size; - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + ssize_t ret, data_size; + gnutls_datum_t signature, ddata; + gnutls_certificate_credentials_t cred; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + + ret = _gnutls_gen_srp_server_kx (session, data); + + if (ret < 0) + return ret; + + data_size = ret; + ddata.data = *data; + ddata.size = data_size; + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert (session, &apr_cert_list, + &apr_cert_list_length, &apr_pkey)) < 0) + { + gnutls_assert (); + return ret; } - if ((ret = - _gnutls_tls_sign_params(session, &apr_cert_list[0], - apr_pkey, &ddata, &signature)) < 0) { - gnutls_assert(); - gnutls_free(*data); - return ret; + if ((ret = + _gnutls_tls_sign_params (session, &apr_cert_list[0], + apr_pkey, &ddata, &signature)) < 0) + { + gnutls_assert (); + gnutls_free (*data); + return ret; } - *data = gnutls_realloc_fast(*data, data_size + signature.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&signature); - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + *data = gnutls_realloc_fast (*data, data_size + signature.size + 2); + if (*data == NULL) + { + _gnutls_free_datum (&signature); + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_write_datum16(&(*data)[data_size], signature); - data_size += signature.size + 2; + _gnutls_write_datum16 (&(*data)[data_size], signature); + data_size += signature.size + 2; - _gnutls_free_datum(&signature); + _gnutls_free_datum (&signature); - return data_size; + return data_size; } -static int proc_srp_cert_server_kx(gnutls_session_t session, opaque * data, - size_t _data_size) +static int +proc_srp_cert_server_kx (gnutls_session_t session, opaque * data, + size_t _data_size) { - ssize_t ret; - int sigsize; - gnutls_datum_t vparams, signature; - ssize_t data_size; - cert_auth_info_t info; - gnutls_cert peer_cert; - opaque *p; - - ret = _gnutls_proc_srp_server_kx(session, data, _data_size); - if (ret < 0) - return ret; - - data_size = _data_size - ret; - - info = _gnutls_get_auth_info(session); - if (info == NULL || info->ncerts == 0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return GNUTLS_E_INTERNAL_ERROR; + ssize_t ret; + int sigsize; + gnutls_datum_t vparams, signature; + ssize_t data_size; + cert_auth_info_t info; + gnutls_cert peer_cert; + opaque *p; + + ret = _gnutls_proc_srp_server_kx (session, data, _data_size); + if (ret < 0) + return ret; + + data_size = _data_size - ret; + + info = _gnutls_get_auth_info (session); + if (info == NULL || info->ncerts == 0) + { + gnutls_assert (); + /* we need this in order to get peer's certificate */ + return GNUTLS_E_INTERNAL_ERROR; } - /* VERIFY SIGNATURE */ + /* VERIFY SIGNATURE */ - vparams.size = ret; /* all the data minus the signature */ - vparams.data = data; + vparams.size = ret; /* all the data minus the signature */ + vparams.data = data; - p = &data[vparams.size]; + p = &data[vparams.size]; - DECR_LEN(data_size, 2); - sigsize = _gnutls_read_uint16(p); + DECR_LEN (data_size, 2); + sigsize = _gnutls_read_uint16 (p); - DECR_LEN(data_size, sigsize); - signature.data = &p[2]; - signature.size = sigsize; + DECR_LEN (data_size, sigsize); + signature.data = &p[2]; + signature.size = sigsize; - ret = - _gnutls_raw_cert_to_gcert(&peer_cert, - session->security_parameters.cert_type, - &info->raw_certificate_list[0], - CERT_NO_COPY); + ret = + _gnutls_raw_cert_to_gcert (&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], CERT_NO_COPY); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = - _gnutls_verify_sig_params(session, - &peer_cert, &vparams, &signature); + ret = _gnutls_verify_sig_params (session, &peer_cert, &vparams, &signature); - _gnutls_gcert_deinit(&peer_cert); - if (ret < 0) { - gnutls_assert(); - return ret; + _gnutls_gcert_deinit (&peer_cert); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/lib/auth_srp_sb64.c b/lib/auth_srp_sb64.c index db48cac9c3..ae7513e536 100644 --- a/lib/auth_srp_sb64.c +++ b/lib/auth_srp_sb64.c @@ -32,157 +32,172 @@ * It seems that everybody makes an own base64 conversion. */ static const uint8 b64table[] = - "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./"; + "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./"; static const uint8 asciitable[128] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0x3e, 0x3f, - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, - 0x06, 0x07, 0x08, 0x09, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0x0a, - 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, - 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, - 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, - 0x23, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0x24, 0x25, 0x26, 0x27, 0x28, - 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, - 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, - 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, - 0x3b, 0x3c, 0x3d, 0xff, 0xff, 0xff, - 0xff, 0xff + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0x3e, 0x3f, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, + 0x06, 0x07, 0x08, 0x09, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0x0a, + 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, + 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, + 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, + 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, + 0x23, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0x24, 0x25, 0x26, 0x27, 0x28, + 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, + 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, + 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, + 0x3b, 0x3c, 0x3d, 0xff, 0xff, 0xff, + 0xff, 0xff }; -inline static int encode(uint8 * result, const uint8 * rdata, int left) +inline static int +encode (uint8 * result, const uint8 * rdata, int left) { - int data_len; - int c, ret = 4; - uint8 data[3]; + int data_len; + int c, ret = 4; + uint8 data[3]; - if (left > 3) - data_len = 3; - else - data_len = left; + if (left > 3) + data_len = 3; + else + data_len = left; - data[0] = data[1] = data[2] = 0; - memcpy(data, rdata, data_len); + data[0] = data[1] = data[2] = 0; + memcpy (data, rdata, data_len); - switch (data_len) { + switch (data_len) + { case 3: - result[0] = b64table[((data[0] & 0xfc) >> 2)]; - result[1] = - b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | - ((data[1] & 0xf0) >> 4))]; - result[2] = - b64table[((((data[1] & 0x0f) << 2) & 0xff) | - ((data[2] & 0xc0) >> 6))]; - result[3] = b64table[(data[2] & 0x3f) & 0xff]; - break; + result[0] = b64table[((data[0] & 0xfc) >> 2)]; + result[1] = + b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | + ((data[1] & 0xf0) >> 4))]; + result[2] = + b64table[((((data[1] & 0x0f) << 2) & 0xff) | + ((data[2] & 0xc0) >> 6))]; + result[3] = b64table[(data[2] & 0x3f) & 0xff]; + break; case 2: - if ((c = ((data[0] & 0xf0) >> 4)) != 0) { - result[0] = b64table[c]; - result[1] = - b64table[((((data[0] & 0x0f) << 2) & 0xff) | - ((data[1] & 0xc0) >> 6))]; - result[2] = b64table[(data[1] & 0x3f) & 0xff]; - result[3] = '\0'; - ret -= 1; - } else { - if ((c = - ((data[0] & 0x0f) << 2) | ((data[1] & 0xc0) >> 6)) != 0) { - result[0] = b64table[c]; - result[1] = b64table[data[1] & 0x3f]; - result[2] = '\0'; - result[3] = '\0'; - ret -= 2; - } else { - result[0] = b64table[data[0] & 0x3f]; - result[1] = '\0'; - result[2] = '\0'; - result[3] = '\0'; - ret -= 3; + if ((c = ((data[0] & 0xf0) >> 4)) != 0) + { + result[0] = b64table[c]; + result[1] = + b64table[((((data[0] & 0x0f) << 2) & 0xff) | + ((data[1] & 0xc0) >> 6))]; + result[2] = b64table[(data[1] & 0x3f) & 0xff]; + result[3] = '\0'; + ret -= 1; + } + else + { + if ((c = ((data[0] & 0x0f) << 2) | ((data[1] & 0xc0) >> 6)) != 0) + { + result[0] = b64table[c]; + result[1] = b64table[data[1] & 0x3f]; + result[2] = '\0'; + result[3] = '\0'; + ret -= 2; + } + else + { + result[0] = b64table[data[0] & 0x3f]; + result[1] = '\0'; + result[2] = '\0'; + result[3] = '\0'; + ret -= 3; } } - break; + break; case 1: - if ((c = ((data[0] & 0xc0) >> 6)) != 0) { - result[0] = b64table[c]; - result[1] = b64table[(data[0] & 0x3f) & 0xff]; - result[2] = '\0'; - result[3] = '\0'; - ret -= 2; - } else { - result[0] = b64table[(data[0] & 0x3f) & 0xff]; - result[1] = '\0'; - result[2] = '\0'; - result[3] = '\0'; - ret -= 3; + if ((c = ((data[0] & 0xc0) >> 6)) != 0) + { + result[0] = b64table[c]; + result[1] = b64table[(data[0] & 0x3f) & 0xff]; + result[2] = '\0'; + result[3] = '\0'; + ret -= 2; + } + else + { + result[0] = b64table[(data[0] & 0x3f) & 0xff]; + result[1] = '\0'; + result[2] = '\0'; + result[3] = '\0'; + ret -= 3; } - break; + break; default: - return -1; + return -1; } - return ret; + return ret; } /* encodes data and puts the result into result (locally allocated) * The result_size is the return value */ -int _gnutls_sbase64_encode(uint8 * data, size_t data_size, uint8 ** result) +int +_gnutls_sbase64_encode (uint8 * data, size_t data_size, uint8 ** result) { - uint i, j; - int ret, tmp; - opaque tmpres[4]; - int mod = data_size % 3; + uint i, j; + int ret, tmp; + opaque tmpres[4]; + int mod = data_size % 3; - ret = mod; - if (ret != 0) - ret = 4; - else - ret = 0; + ret = mod; + if (ret != 0) + ret = 4; + else + ret = 0; - ret += (data_size * 4) / 3; + ret += (data_size * 4) / 3; - (*result) = gnutls_calloc(1, ret + 1); - if ((*result) == NULL) - return -1; + (*result) = gnutls_calloc (1, ret + 1); + if ((*result) == NULL) + return -1; - i = j = 0; + i = j = 0; /* encode the bytes that are not a multiple of 3 */ - if (mod > 0) { - tmp = encode(tmpres, &data[0], mod); - if (tmp < 0) { - gnutls_free((*result)); - return tmp; + if (mod > 0) + { + tmp = encode (tmpres, &data[0], mod); + if (tmp < 0) + { + gnutls_free ((*result)); + return tmp; } - memcpy(&(*result)[0], tmpres, tmp); - i = mod; - j = tmp; + memcpy (&(*result)[0], tmpres, tmp); + i = mod; + j = tmp; } /* encode the rest */ - for (; i < data_size; i += 3, j += 4) { - tmp = encode(tmpres, &data[i], data_size - i); - if (tmp < 0) { - gnutls_free((*result)); - return tmp; + for (; i < data_size; i += 3, j += 4) + { + tmp = encode (tmpres, &data[i], data_size - i); + if (tmp < 0) + { + gnutls_free ((*result)); + return tmp; } - memcpy(&(*result)[j], tmpres, tmp); + memcpy (&(*result)[j], tmpres, tmp); } - return strlen(*result); + return strlen (*result); } @@ -190,41 +205,42 @@ int _gnutls_sbase64_encode(uint8 * data, size_t data_size, uint8 ** result) * result should be 3 bytes */ #define TOASCII(c) (c < 127 ? asciitable[c] : 0xff) -inline static int decode(uint8 * result, const uint8 * data) +inline static int +decode (uint8 * result, const uint8 * data) { - uint8 a1, a2; - int ret = 3; - - memset(result, 0, 3); - - a1 = TOASCII(data[3]); - a2 = TOASCII(data[2]); - if (a1 != 0xff) - result[2] = a1 & 0xff; - else - return -1; - if (a2 != 0xff) - result[2] |= ((a2 & 0x03) << 6) & 0xff; - - a1 = a2; - a2 = TOASCII(data[1]); - if (a1 != 0xff) - result[1] = ((a1 & 0x3c) >> 2); - if (a2 != 0xff) - result[1] |= ((a2 & 0x0f) << 4); - else if (a1 == 0xff || result[1] == 0) - ret--; - - a1 = a2; - a2 = TOASCII(data[0]); - if (a1 != 0xff) - result[0] = (((a1 & 0x30) >> 4) & 0xff); - if (a2 != 0xff) - result[0] |= ((a2 << 2) & 0xff); - else if (a1 == 0xff || result[0] == 0) - ret--; - - return ret; + uint8 a1, a2; + int ret = 3; + + memset (result, 0, 3); + + a1 = TOASCII (data[3]); + a2 = TOASCII (data[2]); + if (a1 != 0xff) + result[2] = a1 & 0xff; + else + return -1; + if (a2 != 0xff) + result[2] |= ((a2 & 0x03) << 6) & 0xff; + + a1 = a2; + a2 = TOASCII (data[1]); + if (a1 != 0xff) + result[1] = ((a1 & 0x3c) >> 2); + if (a2 != 0xff) + result[1] |= ((a2 & 0x0f) << 4); + else if (a1 == 0xff || result[1] == 0) + ret--; + + a1 = a2; + a2 = TOASCII (data[0]); + if (a1 != 0xff) + result[0] = (((a1 & 0x30) >> 4) & 0xff); + if (a2 != 0xff) + result[0] |= ((a2 << 2) & 0xff); + else if (a1 == 0xff || result[0] == 0) + ret--; + + return ret; } /* decodes data and puts the result into result (locally allocated) @@ -232,60 +248,64 @@ inline static int decode(uint8 * result, const uint8 * data) * That function does not ignore newlines tabs etc. You should remove them * before calling it. */ -int _gnutls_sbase64_decode(uint8 * data, size_t idata_size, - uint8 ** result) +int +_gnutls_sbase64_decode (uint8 * data, size_t idata_size, uint8 ** result) { - uint i, j; - int ret, left; - int data_size, tmp; - uint8 datrev[4]; - uint8 tmpres[3]; - - data_size = (idata_size / 4) * 4; - left = idata_size % 4; - - ret = (data_size / 4) * 3; - - if (left > 0) - ret += 3; - - (*result) = gnutls_malloc(ret + 1); - if ((*result) == NULL) - return -1; - - /* the first "block" is treated with special care */ - tmp = 0; - if (left > 0) { - memset(datrev, 0, 4); - memcpy(&datrev[4 - left], data, left); - - tmp = decode(tmpres, datrev); - if (tmp < 0) { - gnutls_free((*result)); - *result = NULL; - return tmp; + uint i, j; + int ret, left; + int data_size, tmp; + uint8 datrev[4]; + uint8 tmpres[3]; + + data_size = (idata_size / 4) * 4; + left = idata_size % 4; + + ret = (data_size / 4) * 3; + + if (left > 0) + ret += 3; + + (*result) = gnutls_malloc (ret + 1); + if ((*result) == NULL) + return -1; + + /* the first "block" is treated with special care */ + tmp = 0; + if (left > 0) + { + memset (datrev, 0, 4); + memcpy (&datrev[4 - left], data, left); + + tmp = decode (tmpres, datrev); + if (tmp < 0) + { + gnutls_free ((*result)); + *result = NULL; + return tmp; } - memcpy(*result, &tmpres[3 - tmp], tmp); - if (tmp < 3) - ret -= (3 - tmp); + memcpy (*result, &tmpres[3 - tmp], tmp); + if (tmp < 3) + ret -= (3 - tmp); } - /* rest data */ - for (i = left, j = tmp; i < idata_size; i += 4) { - tmp = decode(tmpres, &data[i]); - if (tmp < 0) { - gnutls_free((*result)); - *result = NULL; - return tmp; + /* rest data */ + for (i = left, j = tmp; i < idata_size; i += 4) + { + tmp = decode (tmpres, &data[i]); + if (tmp < 0) + { + gnutls_free ((*result)); + *result = NULL; + return tmp; } - memcpy(&(*result)[j], tmpres, tmp); - if (tmp < 3) - ret -= (3 - tmp); - j += 3; + memcpy (&(*result)[j], tmpres, tmp); + if (tmp < 3) + ret -= (3 - tmp); + j += 3; } - return ret; + return ret; } /** @@ -299,27 +319,31 @@ int _gnutls_sbase64_decode(uint8 * data, size_t idata_size, * If the provided buffer is not long enough GNUTLS_E_SHORT_MEMORY_BUFFER is returned. * **/ -int gnutls_srp_base64_encode(const gnutls_datum_t * data, char *result, - size_t *result_size) +int +gnutls_srp_base64_encode (const gnutls_datum_t * data, char *result, + size_t * result_size) { - opaque *ret; - int size; - - size = _gnutls_sbase64_encode(data->data, data->size, &ret); - if (size < 0) - return size; - - if (result == NULL || *result_size < size) { - gnutls_free(ret); - *result_size = size; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } else { - memcpy(result, ret, size); - gnutls_free(ret); - *result_size = size; + opaque *ret; + int size; + + size = _gnutls_sbase64_encode (data->data, data->size, &ret); + if (size < 0) + return size; + + if (result == NULL || *result_size < size) + { + gnutls_free (ret); + *result_size = size; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + else + { + memcpy (result, ret, size); + gnutls_free (ret); + *result_size = size; } - return 0; + return 0; } /** @@ -334,25 +358,29 @@ int gnutls_srp_base64_encode(const gnutls_datum_t * data, char *result, * You should use gnutls_free() to free the returned data. * **/ -int gnutls_srp_base64_encode_alloc(const gnutls_datum_t * data, - gnutls_datum_t * result) +int +gnutls_srp_base64_encode_alloc (const gnutls_datum_t * data, + gnutls_datum_t * result) { - opaque *ret; - int size; - - size = _gnutls_sbase64_encode(data->data, data->size, &ret); - if (size < 0) - return size; - - if (result == NULL) { - gnutls_free(ret); - return GNUTLS_E_INVALID_REQUEST; - } else { - result->data = ret; - result->size = size; + opaque *ret; + int size; + + size = _gnutls_sbase64_encode (data->data, data->size, &ret); + if (size < 0) + return size; + + if (result == NULL) + { + gnutls_free (ret); + return GNUTLS_E_INVALID_REQUEST; + } + else + { + result->data = ret; + result->size = size; } - return 0; + return 0; } /** @@ -369,27 +397,31 @@ int gnutls_srp_base64_encode_alloc(const gnutls_datum_t * data, * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the buffer given is not long enough, * or 0 on success. **/ -int gnutls_srp_base64_decode(const gnutls_datum_t * b64_data, char *result, - size_t *result_size) +int +gnutls_srp_base64_decode (const gnutls_datum_t * b64_data, char *result, + size_t * result_size) { - opaque *ret; - int size; - - size = _gnutls_sbase64_decode(b64_data->data, b64_data->size, &ret); - if (size < 0) - return size; - - if (result == NULL || *result_size < size) { - gnutls_free(ret); - *result_size = size; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } else { - memcpy(result, ret, size); - gnutls_free(ret); - *result_size = size; + opaque *ret; + int size; + + size = _gnutls_sbase64_decode (b64_data->data, b64_data->size, &ret); + if (size < 0) + return size; + + if (result == NULL || *result_size < size) + { + gnutls_free (ret); + *result_size = size; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + else + { + memcpy (result, ret, size); + gnutls_free (ret); + *result_size = size; } - return 0; + return 0; } /** @@ -404,25 +436,29 @@ int gnutls_srp_base64_decode(const gnutls_datum_t * b64_data, char *result, * You should use gnutls_free() to free the returned data. * **/ -int gnutls_srp_base64_decode_alloc(const gnutls_datum_t * b64_data, - gnutls_datum_t * result) +int +gnutls_srp_base64_decode_alloc (const gnutls_datum_t * b64_data, + gnutls_datum_t * result) { - opaque *ret; - int size; - - size = _gnutls_sbase64_decode(b64_data->data, b64_data->size, &ret); - if (size < 0) - return size; - - if (result == NULL) { - gnutls_free(ret); - return GNUTLS_E_INVALID_REQUEST; - } else { - result->data = ret; - result->size = size; + opaque *ret; + int size; + + size = _gnutls_sbase64_decode (b64_data->data, b64_data->size, &ret); + if (size < 0) + return size; + + if (result == NULL) + { + gnutls_free (ret); + return GNUTLS_E_INVALID_REQUEST; + } + else + { + result->data = ret; + result->size = size; } - return 0; + return 0; } -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/lib/debug.c b/lib/debug.c index 9a97f6336b..a9f18d0c11 100644 --- a/lib/debug.c +++ b/lib/debug.c @@ -31,90 +31,93 @@ #ifdef DEBUG -void _gnutls_print_state(gnutls_session_t session) +void +_gnutls_print_state (gnutls_session_t session) { - _gnutls_debug_log("GNUTLS State:\n"); - _gnutls_debug_log("Connection End: %d\n", - session->security_parameters.entity); - _gnutls_debug_log("Cipher Algorithm: %d\n", - session->security_parameters. - read_bulk_cipher_algorithm); - _gnutls_debug_log("MAC algorithm: %d\n", - session->security_parameters.read_mac_algorithm); - _gnutls_debug_log("Compression Algorithm: %d\n", - session->security_parameters. - read_compression_algorithm); - _gnutls_debug_log("\n"); + _gnutls_debug_log ("GNUTLS State:\n"); + _gnutls_debug_log ("Connection End: %d\n", + session->security_parameters.entity); + _gnutls_debug_log ("Cipher Algorithm: %d\n", + session->security_parameters.read_bulk_cipher_algorithm); + _gnutls_debug_log ("MAC algorithm: %d\n", + session->security_parameters.read_mac_algorithm); + _gnutls_debug_log ("Compression Algorithm: %d\n", + session->security_parameters.read_compression_algorithm); + _gnutls_debug_log ("\n"); } #endif -const char *_gnutls_packet2str(content_type_t packet) +const char * +_gnutls_packet2str (content_type_t packet) { - switch (packet) { + switch (packet) + { case GNUTLS_CHANGE_CIPHER_SPEC: - return "Change Cipher Spec"; + return "Change Cipher Spec"; case GNUTLS_ALERT: - return "Alert"; + return "Alert"; case GNUTLS_HANDSHAKE: - return "Handshake"; + return "Handshake"; case GNUTLS_APPLICATION_DATA: - return "Application Data"; + return "Application Data"; default: - return "Unknown Packet"; + return "Unknown Packet"; } } -const char *_gnutls_handshake2str(gnutls_handshake_description_t handshake) +const char * +_gnutls_handshake2str (gnutls_handshake_description_t handshake) { - switch (handshake) { + switch (handshake) + { case GNUTLS_HANDSHAKE_HELLO_REQUEST: - return "HELLO REQUEST"; - break; + return "HELLO REQUEST"; + break; case GNUTLS_HANDSHAKE_CLIENT_HELLO: - return "CLIENT HELLO"; - break; + return "CLIENT HELLO"; + break; case GNUTLS_HANDSHAKE_SERVER_HELLO: - return "SERVER HELLO"; - break; + return "SERVER HELLO"; + break; case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: - return "CERTIFICATE"; - break; + return "CERTIFICATE"; + break; case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: - return "SERVER KEY EXCHANGE"; - break; + return "SERVER KEY EXCHANGE"; + break; case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: - return "CERTIFICATE REQUEST"; - break; + return "CERTIFICATE REQUEST"; + break; case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE: - return "SERVER HELLO DONE"; - break; + return "SERVER HELLO DONE"; + break; case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY: - return "CERTIFICATE VERIFY"; - break; + return "CERTIFICATE VERIFY"; + break; case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE: - return "CLIENT KEY EXCHANGE"; - break; + return "CLIENT KEY EXCHANGE"; + break; case GNUTLS_HANDSHAKE_FINISHED: - return "FINISHED"; - break; + return "FINISHED"; + break; default: - return "Unknown Handshake packet"; + return "Unknown Handshake packet"; } } -void _gnutls_dump_mpi(const char *prefix, mpi_t a) +void +_gnutls_dump_mpi (const char *prefix, mpi_t a) { - opaque buf[1024]; - size_t n = sizeof buf; + opaque buf[1024]; + size_t n = sizeof buf; - if (gcry_mpi_print(GCRYMPI_FMT_HEX, buf, n, &n, a)) - strcpy(buf, "[can't print value]"); /* Flawfinder: ignore */ - _gnutls_hard_log("MPI: length: %d\n\t%s%s\n", (n - 1) / 2, prefix, - buf); + if (gcry_mpi_print (GCRYMPI_FMT_HEX, buf, n, &n, a)) + strcpy (buf, "[can't print value]"); /* Flawfinder: ignore */ + _gnutls_hard_log ("MPI: length: %d\n\t%s%s\n", (n - 1) / 2, prefix, buf); } diff --git a/lib/debug.h b/lib/debug.h index 666862d6ac..f33413d20a 100644 --- a/lib/debug.h +++ b/lib/debug.h @@ -23,8 +23,8 @@ */ #ifdef DEBUG -void _gnutls_print_state(gnutls_session_t session); +void _gnutls_print_state (gnutls_session_t session); #endif -const char *_gnutls_packet2str(content_type_t packet); -const char *_gnutls_handshake2str(gnutls_handshake_description_t handshake); -void _gnutls_dump_mpi(const char *prefix, mpi_t a); +const char *_gnutls_packet2str (content_type_t packet); +const char *_gnutls_handshake2str (gnutls_handshake_description_t handshake); +void _gnutls_dump_mpi (const char *prefix, mpi_t a); diff --git a/lib/defines.h b/lib/defines.h index b86dda4966..9ccfcfafea 100644 --- a/lib/defines.h +++ b/lib/defines.h @@ -83,8 +83,9 @@ typedef signed int sint; /* some systems had problems with long long int, thus, * it is not used. */ -typedef struct { - unsigned char i[8]; +typedef struct +{ + unsigned char i[8]; } uint64; #if SIZEOF_UNSIGNED_LONG == 4 @@ -114,4 +115,4 @@ typedef signed char int8; # error "Cannot find an 8 bit char in your system, sorry." #endif -#endif /* defines_h */ +#endif /* defines_h */ diff --git a/lib/ext_cert_type.c b/lib/ext_cert_type.c index 2fc93066c6..b53feebf79 100644 --- a/lib/ext_cert_type.c +++ b/lib/ext_cert_type.c @@ -33,8 +33,8 @@ #include <gnutls_state.h> #include <gnutls_num.h> -inline static int _gnutls_num2cert_type(int num); -inline static int _gnutls_cert_type2num(int record_size); +inline static int _gnutls_num2cert_type (int num); +inline static int _gnutls_cert_type2num (int record_size); /* * In case of a server: if a CERT_TYPE extension type is received then it stores @@ -45,174 +45,199 @@ inline static int _gnutls_cert_type2num(int record_size); * */ -int _gnutls_cert_type_recv_params(gnutls_session_t session, - const opaque * data, size_t _data_size) +int +_gnutls_cert_type_recv_params (gnutls_session_t session, + const opaque * data, size_t _data_size) { - int new_type = -1, ret, i; - ssize_t data_size = _data_size; - - if (session->security_parameters.entity == GNUTLS_CLIENT) { - if (data_size > 0) { - if (data_size != 1) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + int new_type = -1, ret, i; + ssize_t data_size = _data_size; + + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + if (data_size > 0) + { + if (data_size != 1) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - new_type = _gnutls_num2cert_type(data[0]); + new_type = _gnutls_num2cert_type (data[0]); - if (new_type < 0) { - gnutls_assert(); - return new_type; + if (new_type < 0) + { + gnutls_assert (); + return new_type; } - /* Check if we support this cert_type */ - if ((ret = - _gnutls_session_cert_type_supported(session, - new_type)) < 0) { - gnutls_assert(); - return ret; + /* Check if we support this cert_type */ + if ((ret = + _gnutls_session_cert_type_supported (session, new_type)) < 0) + { + gnutls_assert (); + return ret; } - _gnutls_session_cert_type_set(session, new_type); + _gnutls_session_cert_type_set (session, new_type); } - } else { /* SERVER SIDE - we must check if the sent cert type is the right one + } + else + { /* SERVER SIDE - we must check if the sent cert type is the right one */ - if (data_size > 1) { - uint8 len; - - len = data[0]; - DECR_LEN(data_size, len); - - for (i = 0; i < len; i++) { - new_type = _gnutls_num2cert_type(data[i + 1]); - - if (new_type < 0) - continue; - - /* Check if we support this cert_type */ - if ((ret = - _gnutls_session_cert_type_supported(session, - new_type)) < 0) { - gnutls_assert(); - continue; - } else - break; - /* new_type is ok */ + if (data_size > 1) + { + uint8 len; + + len = data[0]; + DECR_LEN (data_size, len); + + for (i = 0; i < len; i++) + { + new_type = _gnutls_num2cert_type (data[i + 1]); + + if (new_type < 0) + continue; + + /* Check if we support this cert_type */ + if ((ret = + _gnutls_session_cert_type_supported (session, + new_type)) < 0) + { + gnutls_assert (); + continue; + } + else + break; + /* new_type is ok */ } - if (new_type < 0) { - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + if (new_type < 0) + { + gnutls_assert (); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } - if ((ret = - _gnutls_session_cert_type_supported(session, - new_type)) < 0) { - gnutls_assert(); - /* The peer has requested unsupported certificate - * types. Instead of failing, procceed normally. - * (the ciphersuite selection would fail, or a - * non certificate ciphersuite will be selected). - */ - return 0; + if ((ret = + _gnutls_session_cert_type_supported (session, new_type)) < 0) + { + gnutls_assert (); + /* The peer has requested unsupported certificate + * types. Instead of failing, procceed normally. + * (the ciphersuite selection would fail, or a + * non certificate ciphersuite will be selected). + */ + return 0; } - _gnutls_session_cert_type_set(session, new_type); + _gnutls_session_cert_type_set (session, new_type); } } - return 0; + return 0; } /* returns data_size or a negative number on failure */ -int _gnutls_cert_type_send_params(gnutls_session_t session, opaque * data, - size_t data_size) +int +_gnutls_cert_type_send_params (gnutls_session_t session, opaque * data, + size_t data_size) { - uint len, i; + uint len, i; - /* this function sends the client extension data (dnsname) */ - if (session->security_parameters.entity == GNUTLS_CLIENT) { + /* this function sends the client extension data (dnsname) */ + if (session->security_parameters.entity == GNUTLS_CLIENT) + { - if (session->internals.cert_type_priority.algorithms > 0) { + if (session->internals.cert_type_priority.algorithms > 0) + { - len = session->internals.cert_type_priority.algorithms; + len = session->internals.cert_type_priority.algorithms; - if (len == 1 && - session->internals.cert_type_priority.priority[0] == - GNUTLS_CRT_X509) { - /* We don't use this extension if X.509 certificates - * are used. - */ - return 0; + if (len == 1 && + session->internals.cert_type_priority.priority[0] == + GNUTLS_CRT_X509) + { + /* We don't use this extension if X.509 certificates + * are used. + */ + return 0; } - if (data_size < len + 1) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (data_size < len + 1) + { + gnutls_assert (); + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - /* this is a vector! - */ - data[0] = (uint8) len; + /* this is a vector! + */ + data[0] = (uint8) len; - for (i = 0; i < len; i++) { - data[i + 1] = _gnutls_cert_type2num(session->internals. - cert_type_priority. - priority[i]); + for (i = 0; i < len; i++) + { + data[i + 1] = _gnutls_cert_type2num (session->internals. + cert_type_priority. + priority[i]); } - return len + 1; + return len + 1; } - } else { /* server side */ - if (session->security_parameters.cert_type != DEFAULT_CERT_TYPE) { - len = 1; - if (data_size < len) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + else + { /* server side */ + if (session->security_parameters.cert_type != DEFAULT_CERT_TYPE) + { + len = 1; + if (data_size < len) + { + gnutls_assert (); + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - data[0] = - _gnutls_cert_type2num(session->security_parameters. - cert_type); - return len; + data[0] = + _gnutls_cert_type2num (session->security_parameters.cert_type); + return len; } } - return 0; + return 0; } /* Maps numbers to record sizes according to the * extensions draft. */ -inline static int _gnutls_num2cert_type(int num) +inline static int +_gnutls_num2cert_type (int num) { - switch (num) { + switch (num) + { case 0: - return GNUTLS_CRT_X509; + return GNUTLS_CRT_X509; case 1: - return GNUTLS_CRT_OPENPGP; + return GNUTLS_CRT_OPENPGP; default: - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } } /* Maps record size to numbers according to the * extensions draft. */ -inline static int _gnutls_cert_type2num(int cert_type) +inline static int +_gnutls_cert_type2num (int cert_type) { - switch (cert_type) { + switch (cert_type) + { case GNUTLS_CRT_X509: - return 0; + return 0; case GNUTLS_CRT_OPENPGP: - return 1; + return 1; default: - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } } diff --git a/lib/ext_cert_type.h b/lib/ext_cert_type.h index 1ae0d17b94..78e6780d76 100644 --- a/lib/ext_cert_type.h +++ b/lib/ext_cert_type.h @@ -25,7 +25,7 @@ /* Maps record size to numbers according to the * extensions draft. */ -int _gnutls_cert_type_recv_params(gnutls_session_t session, - const opaque * data, size_t data_size); -int _gnutls_cert_type_send_params(gnutls_session_t session, opaque * data, - size_t); +int _gnutls_cert_type_recv_params (gnutls_session_t session, + const opaque * data, size_t data_size); +int _gnutls_cert_type_send_params (gnutls_session_t session, opaque * data, + size_t); diff --git a/lib/ext_max_record.c b/lib/ext_max_record.c index 35e00b1f49..0ed17a8587 100644 --- a/lib/ext_max_record.c +++ b/lib/ext_max_record.c @@ -40,44 +40,55 @@ * */ -int _gnutls_max_record_recv_params(gnutls_session_t session, - const opaque * data, size_t _data_size) +int +_gnutls_max_record_recv_params (gnutls_session_t session, + const opaque * data, size_t _data_size) { - ssize_t new_size; - ssize_t data_size = _data_size; + ssize_t new_size; + ssize_t data_size = _data_size; - if (session->security_parameters.entity == GNUTLS_SERVER) { - if (data_size > 0) { - DECR_LEN(data_size, 1); + if (session->security_parameters.entity == GNUTLS_SERVER) + { + if (data_size > 0) + { + DECR_LEN (data_size, 1); - new_size = _gnutls_mre_num2record(data[0]); + new_size = _gnutls_mre_num2record (data[0]); - if (new_size < 0) { - gnutls_assert(); - return new_size; + if (new_size < 0) + { + gnutls_assert (); + return new_size; } - session->security_parameters.max_record_send_size = new_size; - session->security_parameters.max_record_recv_size = new_size; + session->security_parameters.max_record_send_size = new_size; + session->security_parameters.max_record_recv_size = new_size; } - } else { /* CLIENT SIDE - we must check if the sent record size is the right one + } + else + { /* CLIENT SIDE - we must check if the sent record size is the right one */ - if (data_size > 0) { + if (data_size > 0) + { - if (data_size != 1) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + if (data_size != 1) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - new_size = _gnutls_mre_num2record(data[0]); + new_size = _gnutls_mre_num2record (data[0]); - if (new_size < 0 - || new_size != session->internals.proposed_record_size) { - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } else { - session->security_parameters.max_record_recv_size = - session->internals.proposed_record_size; + if (new_size < 0 + || new_size != session->internals.proposed_record_size) + { + gnutls_assert (); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } + else + { + session->security_parameters.max_record_recv_size = + session->internals.proposed_record_size; } } @@ -85,90 +96,101 @@ int _gnutls_max_record_recv_params(gnutls_session_t session, } - return 0; + return 0; } /* returns data_size or a negative number on failure */ -int _gnutls_max_record_send_params(gnutls_session_t session, opaque * data, - size_t data_size) +int +_gnutls_max_record_send_params (gnutls_session_t session, opaque * data, + size_t data_size) { - uint16 len; - /* this function sends the client extension data (dnsname) */ - if (session->security_parameters.entity == GNUTLS_CLIENT) { - - if (session->internals.proposed_record_size != - DEFAULT_MAX_RECORD_SIZE) { - len = 1; - if (data_size < len) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; + uint16 len; + /* this function sends the client extension data (dnsname) */ + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + + if (session->internals.proposed_record_size != DEFAULT_MAX_RECORD_SIZE) + { + len = 1; + if (data_size < len) + { + gnutls_assert (); + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - data[0] = - (uint8) _gnutls_mre_record2num(session->internals. - proposed_record_size); - return len; + data[0] = + (uint8) _gnutls_mre_record2num (session->internals. + proposed_record_size); + return len; } - } else { /* server side */ - - if (session->security_parameters.max_record_recv_size != - DEFAULT_MAX_RECORD_SIZE) { - len = 1; - if (data_size < len) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + else + { /* server side */ + + if (session->security_parameters.max_record_recv_size != + DEFAULT_MAX_RECORD_SIZE) + { + len = 1; + if (data_size < len) + { + gnutls_assert (); + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - data[0] = - (uint8) _gnutls_mre_record2num(session-> - security_parameters. - max_record_recv_size); - return len; + data[0] = + (uint8) _gnutls_mre_record2num (session-> + security_parameters. + max_record_recv_size); + return len; } } - return 0; + return 0; } /* Maps numbers to record sizes according to the * extensions draft. */ -int _gnutls_mre_num2record(int num) +int +_gnutls_mre_num2record (int num) { - switch (num) { + switch (num) + { case 1: - return 512; + return 512; case 2: - return 1024; + return 1024; case 3: - return 2048; + return 2048; case 4: - return 4096; + return 4096; default: - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } } /* Maps record size to numbers according to the * extensions draft. */ -int _gnutls_mre_record2num(uint16 record_size) +int +_gnutls_mre_record2num (uint16 record_size) { - switch (record_size) { + switch (record_size) + { case 512: - return 1; + return 1; case 1024: - return 2; + return 2; case 2048: - return 3; + return 3; case 4096: - return 4; + return 4; default: - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } } diff --git a/lib/ext_max_record.h b/lib/ext_max_record.h index b594880730..9f6c396aab 100644 --- a/lib/ext_max_record.h +++ b/lib/ext_max_record.h @@ -25,9 +25,9 @@ /* Maps record size to numbers according to the * extensions draft. */ -int _gnutls_mre_num2record(int num); -int _gnutls_mre_record2num(uint16 record_size); -int _gnutls_max_record_recv_params(gnutls_session_t session, - const opaque * data, size_t data_size); -int _gnutls_max_record_send_params(gnutls_session_t session, opaque * data, - size_t); +int _gnutls_mre_num2record (int num); +int _gnutls_mre_record2num (uint16 record_size); +int _gnutls_max_record_recv_params (gnutls_session_t session, + const opaque * data, size_t data_size); +int _gnutls_max_record_send_params (gnutls_session_t session, opaque * data, + size_t); diff --git a/lib/ext_server_name.c b/lib/ext_server_name.c index 287f1881b1..e5b7006a3b 100644 --- a/lib/ext_server_name.c +++ b/lib/ext_server_name.c @@ -38,165 +38,175 @@ * */ -int _gnutls_server_name_recv_params(gnutls_session_t session, - const opaque * data, size_t _data_size) +int +_gnutls_server_name_recv_params (gnutls_session_t session, + const opaque * data, size_t _data_size) { - int i; - const unsigned char *p; - uint16 len, type; - ssize_t data_size = _data_size; - int server_names = 0; - - if (session->security_parameters.entity == GNUTLS_SERVER) { - DECR_LENGTH_RET(data_size, 2, 0); - len = _gnutls_read_uint16(data); - - if (len != data_size) { - /* This is unexpected packet length, but - * just ignore it, for now. - */ - gnutls_assert(); - return 0; + int i; + const unsigned char *p; + uint16 len, type; + ssize_t data_size = _data_size; + int server_names = 0; + + if (session->security_parameters.entity == GNUTLS_SERVER) + { + DECR_LENGTH_RET (data_size, 2, 0); + len = _gnutls_read_uint16 (data); + + if (len != data_size) + { + /* This is unexpected packet length, but + * just ignore it, for now. + */ + gnutls_assert (); + return 0; } - p = data + 2; + p = data + 2; - /* Count all server_names in the packet. */ - while (data_size > 0) { - DECR_LENGTH_RET(data_size, 1, 0); - p++; + /* Count all server_names in the packet. */ + while (data_size > 0) + { + DECR_LENGTH_RET (data_size, 1, 0); + p++; - DECR_LEN(data_size, 2); - len = _gnutls_read_uint16(p); - p += 2; + DECR_LEN (data_size, 2); + len = _gnutls_read_uint16 (p); + p += 2; - DECR_LENGTH_RET(data_size, len, 0); - server_names++; + DECR_LENGTH_RET (data_size, len, 0); + server_names++; - p += len; + p += len; } - session->security_parameters.extensions.server_names_size = - server_names; - if (server_names == 0) - return 0; /* no names found */ + session->security_parameters.extensions.server_names_size = + server_names; + if (server_names == 0) + return 0; /* no names found */ - /* we cannot accept more server names. - */ - if (server_names > MAX_SERVER_NAME_EXTENSIONS) - server_names = MAX_SERVER_NAME_EXTENSIONS; + /* we cannot accept more server names. + */ + if (server_names > MAX_SERVER_NAME_EXTENSIONS) + server_names = MAX_SERVER_NAME_EXTENSIONS; - p = data + 2; - for (i = 0; i < server_names; i++) { - type = *p; - p++; + p = data + 2; + for (i = 0; i < server_names; i++) + { + type = *p; + p++; - len = _gnutls_read_uint16(p); - p += 2; + len = _gnutls_read_uint16 (p); + p += 2; - switch (type) { + switch (type) + { case 0: /* NAME_DNS */ - if (len <= MAX_SERVER_NAME_SIZE) { - memcpy(session->security_parameters.extensions. - server_names[i].name, p, len); - session->security_parameters.extensions. - server_names[i].name_length = len; - session->security_parameters.extensions. - server_names[i].type = GNUTLS_NAME_DNS; - break; + if (len <= MAX_SERVER_NAME_SIZE) + { + memcpy (session->security_parameters.extensions. + server_names[i].name, p, len); + session->security_parameters.extensions. + server_names[i].name_length = len; + session->security_parameters.extensions. + server_names[i].type = GNUTLS_NAME_DNS; + break; } } - /* move to next record */ - p += len; + /* move to next record */ + p += len; } } - return 0; + return 0; } /* returns data_size or a negative number on failure */ -int _gnutls_server_name_send_params(gnutls_session_t session, - opaque * data, size_t _data_size) +int +_gnutls_server_name_send_params (gnutls_session_t session, + opaque * data, size_t _data_size) { - uint16 len; - opaque *p; - uint i; - ssize_t data_size = _data_size; - int total_size = 0; - - /* this function sends the client extension data (dnsname) - */ - if (session->security_parameters.entity == GNUTLS_CLIENT) { - - if (session->security_parameters.extensions.server_names_size == 0) - return 0; - - /* uint16 - */ - total_size = 2; - for (i = 0; - i < session->security_parameters.extensions.server_names_size; - i++) { - /* count the total size - */ - len = - session->security_parameters.extensions.server_names[i]. - name_length; - - /* uint8 + uint16 + size - */ - total_size += 1 + 2 + len; + uint16 len; + opaque *p; + uint i; + ssize_t data_size = _data_size; + int total_size = 0; + + /* this function sends the client extension data (dnsname) + */ + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + + if (session->security_parameters.extensions.server_names_size == 0) + return 0; + + /* uint16 + */ + total_size = 2; + for (i = 0; + i < session->security_parameters.extensions.server_names_size; i++) + { + /* count the total size + */ + len = + session->security_parameters.extensions.server_names[i]. + name_length; + + /* uint8 + uint16 + size + */ + total_size += 1 + 2 + len; } - p = data; + p = data; - /* UINT16: write total size of all names - */ - DECR_LENGTH_RET(data_size, 2, GNUTLS_E_SHORT_MEMORY_BUFFER); - _gnutls_write_uint16(total_size - 2, p); - p += 2; + /* UINT16: write total size of all names + */ + DECR_LENGTH_RET (data_size, 2, GNUTLS_E_SHORT_MEMORY_BUFFER); + _gnutls_write_uint16 (total_size - 2, p); + p += 2; - for (i = 0; - i < session->security_parameters.extensions.server_names_size; - i++) { + for (i = 0; + i < session->security_parameters.extensions.server_names_size; i++) + { - switch (session->security_parameters.extensions. - server_names[i].type) { + switch (session->security_parameters.extensions. + server_names[i].type) + { case GNUTLS_NAME_DNS: - len = - session->security_parameters.extensions. - server_names[i].name_length; - if (len == 0) - break; - - /* UINT8: type of this extension - * UINT16: size of the first name - * LEN: the actual server name. - */ - DECR_LENGTH_RET(data_size, len + 3, - GNUTLS_E_SHORT_MEMORY_BUFFER); - - *p = 0; /* NAME_DNS type */ - p++; - - _gnutls_write_uint16(len, p); - p += 2; - - memcpy(p, - session->security_parameters.extensions. - server_names[0].name, len); - p += len; + len = + session->security_parameters.extensions. + server_names[i].name_length; + if (len == 0) break; + + /* UINT8: type of this extension + * UINT16: size of the first name + * LEN: the actual server name. + */ + DECR_LENGTH_RET (data_size, len + 3, + GNUTLS_E_SHORT_MEMORY_BUFFER); + + *p = 0; /* NAME_DNS type */ + p++; + + _gnutls_write_uint16 (len, p); + p += 2; + + memcpy (p, + session->security_parameters.extensions. + server_names[0].name, len); + p += len; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } } } - return total_size; + return total_size; } /** @@ -222,46 +232,49 @@ int _gnutls_server_name_send_params(gnutls_session_t session, * index exists GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. * **/ -int gnutls_server_name_get(gnutls_session_t session, void *data, - size_t * data_length, - unsigned int *type, unsigned int indx) +int +gnutls_server_name_get (gnutls_session_t session, void *data, + size_t * data_length, + unsigned int *type, unsigned int indx) { - char *_data = data; + char *_data = data; - if (session->security_parameters.entity == GNUTLS_CLIENT) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (indx + 1 > - session->security_parameters.extensions.server_names_size) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (indx + 1 > session->security_parameters.extensions.server_names_size) + { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - *type = - session->security_parameters.extensions.server_names[indx].type; + *type = session->security_parameters.extensions.server_names[indx].type; - if (*data_length > /* greater since we need one extra byte for the null */ + if (*data_length > /* greater since we need one extra byte for the null */ + session->security_parameters.extensions.server_names[indx].name_length) + { + *data_length = session->security_parameters.extensions.server_names[indx]. - name_length) { - *data_length = - session->security_parameters.extensions.server_names[indx]. - name_length; - memcpy(data, - session->security_parameters.extensions.server_names[indx]. - name, *data_length); + name_length; + memcpy (data, + session->security_parameters.extensions.server_names[indx]. + name, *data_length); - if (*type == GNUTLS_NAME_DNS) /* null terminate */ - _data[(*data_length)] = 0; + if (*type == GNUTLS_NAME_DNS) /* null terminate */ + _data[(*data_length)] = 0; - } else { - *data_length = - session->security_parameters.extensions.server_names[indx]. - name_length; - return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + else + { + *data_length = + session->security_parameters.extensions.server_names[indx]. + name_length; + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - return 0; + return 0; } /** @@ -281,35 +294,37 @@ int gnutls_server_name_get(gnutls_session_t session, void *data, * IPv4 or IPv6 addresses are not permitted. * **/ -int gnutls_server_name_set(gnutls_session_t session, - gnutls_server_name_type_t type, - const void *name, size_t name_length) +int +gnutls_server_name_set (gnutls_session_t session, + gnutls_server_name_type_t type, + const void *name, size_t name_length) { - int server_names; + int server_names; - if (session->security_parameters.entity == GNUTLS_SERVER) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (session->security_parameters.entity == GNUTLS_SERVER) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (name_length > MAX_SERVER_NAME_SIZE) - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (name_length > MAX_SERVER_NAME_SIZE) + return GNUTLS_E_SHORT_MEMORY_BUFFER; - server_names = - session->security_parameters.extensions.server_names_size + 1; + server_names = + session->security_parameters.extensions.server_names_size + 1; - if (server_names > MAX_SERVER_NAME_EXTENSIONS) - server_names = MAX_SERVER_NAME_EXTENSIONS; + if (server_names > MAX_SERVER_NAME_EXTENSIONS) + server_names = MAX_SERVER_NAME_EXTENSIONS; - session->security_parameters.extensions.server_names[server_names - - 1].type = type; - memcpy(session->security_parameters.extensions. - server_names[server_names - 1].name, name, name_length); - session->security_parameters.extensions.server_names[server_names - - 1].name_length = - name_length; + session->security_parameters.extensions.server_names[server_names - + 1].type = type; + memcpy (session->security_parameters.extensions. + server_names[server_names - 1].name, name, name_length); + session->security_parameters.extensions.server_names[server_names - + 1].name_length = + name_length; - session->security_parameters.extensions.server_names_size++; + session->security_parameters.extensions.server_names_size++; - return 0; + return 0; } diff --git a/lib/ext_server_name.h b/lib/ext_server_name.h index 50cc9d55c3..6c081644af 100644 --- a/lib/ext_server_name.h +++ b/lib/ext_server_name.h @@ -22,7 +22,7 @@ * */ -int _gnutls_server_name_recv_params(gnutls_session_t session, - const opaque * data, size_t data_size); -int _gnutls_server_name_send_params(gnutls_session_t session, - opaque * data, size_t); +int _gnutls_server_name_recv_params (gnutls_session_t session, + const opaque * data, size_t data_size); +int _gnutls_server_name_send_params (gnutls_session_t session, + opaque * data, size_t); diff --git a/lib/ext_srp.c b/lib/ext_srp.c index d6333ffd8d..d6abcb9fdf 100644 --- a/lib/ext_srp.c +++ b/lib/ext_srp.c @@ -33,110 +33,124 @@ #include "gnutls_algorithms.h" #include <gnutls_num.h> -int _gnutls_srp_recv_params(gnutls_session_t session, const opaque * data, - size_t _data_size) +int +_gnutls_srp_recv_params (gnutls_session_t session, const opaque * data, + size_t _data_size) { - uint8 len; - ssize_t data_size = _data_size; - - if (_gnutls_kx_priority(session, GNUTLS_KX_SRP) < 0 && - _gnutls_kx_priority(session, GNUTLS_KX_SRP_DSS) < 0 && - _gnutls_kx_priority(session, GNUTLS_KX_SRP_RSA) < 0) { - /* algorithm was not allowed in this session - */ - return 0; + uint8 len; + ssize_t data_size = _data_size; + + if (_gnutls_kx_priority (session, GNUTLS_KX_SRP) < 0 && + _gnutls_kx_priority (session, GNUTLS_KX_SRP_DSS) < 0 && + _gnutls_kx_priority (session, GNUTLS_KX_SRP_RSA) < 0) + { + /* algorithm was not allowed in this session + */ + return 0; } - if (session->security_parameters.entity == GNUTLS_SERVER) { - if (data_size > 0) { - len = data[0]; - DECR_LEN(data_size, len); - - if (MAX_SRP_USERNAME < len) { - gnutls_assert(); - return GNUTLS_E_ILLEGAL_SRP_USERNAME; + if (session->security_parameters.entity == GNUTLS_SERVER) + { + if (data_size > 0) + { + len = data[0]; + DECR_LEN (data_size, len); + + if (MAX_SRP_USERNAME < len) + { + gnutls_assert (); + return GNUTLS_E_ILLEGAL_SRP_USERNAME; } - memcpy(session->security_parameters.extensions.srp_username, - &data[1], len); - /* null terminated */ - session->security_parameters.extensions.srp_username[len] = 0; + memcpy (session->security_parameters.extensions.srp_username, + &data[1], len); + /* null terminated */ + session->security_parameters.extensions.srp_username[len] = 0; } } - return 0; + return 0; } /* returns data_size or a negative number on failure * data is allocated locally */ -int _gnutls_srp_send_params(gnutls_session_t session, opaque * data, - size_t data_size) +int +_gnutls_srp_send_params (gnutls_session_t session, opaque * data, + size_t data_size) { - uint len; - - if (_gnutls_kx_priority(session, GNUTLS_KX_SRP) < 0 && - _gnutls_kx_priority(session, GNUTLS_KX_SRP_DSS) < 0 && - _gnutls_kx_priority(session, GNUTLS_KX_SRP_RSA) < 0) { - /* algorithm was not allowed in this session - */ - return 0; + uint len; + + if (_gnutls_kx_priority (session, GNUTLS_KX_SRP) < 0 && + _gnutls_kx_priority (session, GNUTLS_KX_SRP_DSS) < 0 && + _gnutls_kx_priority (session, GNUTLS_KX_SRP_RSA) < 0) + { + /* algorithm was not allowed in this session + */ + return 0; } - /* this function sends the client extension data (username) */ - if (session->security_parameters.entity == GNUTLS_CLIENT) { - gnutls_srp_client_credentials_t cred = (gnutls_srp_client_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_SRP, NULL); + /* this function sends the client extension data (username) */ + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + gnutls_srp_client_credentials_t cred = (gnutls_srp_client_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_SRP, NULL); - if (cred == NULL) - return 0; + if (cred == NULL) + return 0; - if (cred->username != NULL) { /* send username */ - len = MIN(strlen(cred->username), 255); + if (cred->username != NULL) + { /* send username */ + len = MIN (strlen (cred->username), 255); - if (data_size < len + 1) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (data_size < len + 1) + { + gnutls_assert (); + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - data[0] = (uint8) len; - memcpy(&data[1], cred->username, len); - return len + 1; - } else if (cred->get_function != NULL) { - /* Try the callback - */ - char *username = NULL, *password = NULL; - - if (cred-> get_function(session, - session->internals.handshake_restarted, - &username, &password) < 0 - || username == NULL - || password == NULL) { - - if (session->internals.handshake_restarted) { - gnutls_assert(); - return GNUTLS_E_ILLEGAL_SRP_USERNAME; + data[0] = (uint8) len; + memcpy (&data[1], cred->username, len); + return len + 1; + } + else if (cred->get_function != NULL) + { + /* Try the callback + */ + char *username = NULL, *password = NULL; + + if (cred->get_function (session, + session->internals.handshake_restarted, + &username, &password) < 0 + || username == NULL || password == NULL) + { + + if (session->internals.handshake_restarted) + { + gnutls_assert (); + return GNUTLS_E_ILLEGAL_SRP_USERNAME; } - return 0; + return 0; } - len = MIN(strlen(username), 255); + len = MIN (strlen (username), 255); - if (data_size < len + 1) { - gnutls_free(username); - gnutls_free(password); - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (data_size < len + 1) + { + gnutls_free (username); + gnutls_free (password); + gnutls_assert (); + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - session->internals.srp_username = username; - session->internals.srp_password = password; + session->internals.srp_username = username; + session->internals.srp_password = password; - data[0] = (uint8) len; - memcpy(&data[1], username, len); - return len + 1; + data[0] = (uint8) len; + memcpy (&data[1], username, len); + return len + 1; } } - return 0; + return 0; } -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/lib/ext_srp.h b/lib/ext_srp.h index 4d345ea9e3..cc6994cf83 100644 --- a/lib/ext_srp.h +++ b/lib/ext_srp.h @@ -27,8 +27,8 @@ #define IS_SRP_KX(kx) ((kx == GNUTLS_KX_SRP || (kx == GNUTLS_KX_SRP_RSA) || \ kx == GNUTLS_KX_SRP_DSS)?1:0) -int _gnutls_srp_recv_params(gnutls_session_t state, const opaque * data, - size_t data_size); -int _gnutls_srp_send_params(gnutls_session_t state, opaque * data, size_t); +int _gnutls_srp_recv_params (gnutls_session_t state, const opaque * data, + size_t data_size); +int _gnutls_srp_send_params (gnutls_session_t state, opaque * data, size_t); #endif diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c index dde3c6a132..b2959de53f 100644 --- a/lib/gnutls_alert.c +++ b/lib/gnutls_alert.c @@ -27,43 +27,44 @@ #include <gnutls_record.h> #include <debug.h> -typedef struct { - gnutls_alert_description_t alert; - const char *desc; +typedef struct +{ + gnutls_alert_description_t alert; + const char *desc; } gnutls_alert_entry; static const gnutls_alert_entry sup_alerts[] = { - {GNUTLS_A_CLOSE_NOTIFY, "Close notify"}, - {GNUTLS_A_UNEXPECTED_MESSAGE, "Unexpected message"}, - {GNUTLS_A_BAD_RECORD_MAC, "Bad record MAC"}, - {GNUTLS_A_DECRYPTION_FAILED, "Decryption failed"}, - {GNUTLS_A_RECORD_OVERFLOW, "Record overflow"}, - {GNUTLS_A_DECOMPRESSION_FAILURE, "Decompression failed"}, - {GNUTLS_A_HANDSHAKE_FAILURE, "Handshake failed"}, - {GNUTLS_A_BAD_CERTIFICATE, "Certificate is bad"}, - {GNUTLS_A_UNSUPPORTED_CERTIFICATE, "Certificate is not supported"}, - {GNUTLS_A_CERTIFICATE_REVOKED, "Certificate was revoked"}, - {GNUTLS_A_CERTIFICATE_EXPIRED, "Certificate is expired"}, - {GNUTLS_A_CERTIFICATE_UNKNOWN, "Unknown certificate"}, - {GNUTLS_A_ILLEGAL_PARAMETER, "Illegal parameter"}, - {GNUTLS_A_UNKNOWN_CA, "CA is unknown"}, - {GNUTLS_A_ACCESS_DENIED, "Access was denied"}, - {GNUTLS_A_DECODE_ERROR, "Decode error"}, - {GNUTLS_A_DECRYPT_ERROR, "Decrypt error"}, - {GNUTLS_A_EXPORT_RESTRICTION, "Export restriction"}, - {GNUTLS_A_PROTOCOL_VERSION, "Error in protocol version"}, - {GNUTLS_A_INSUFFICIENT_SECURITY, "Insufficient security"}, - {GNUTLS_A_USER_CANCELED, "User canceled"}, - {GNUTLS_A_INTERNAL_ERROR, "Internal error"}, - {GNUTLS_A_NO_RENEGOTIATION, "No renegotiation is allowed"}, - {GNUTLS_A_CERTIFICATE_UNOBTAINABLE, - "Could not retrieve the specified certificate"}, - {GNUTLS_A_UNSUPPORTED_EXTENSION, "An unsupported extension was sent"}, - {GNUTLS_A_UNRECOGNIZED_NAME, - "The server name sent was not recognized"}, - {GNUTLS_A_UNKNOWN_SRP_USERNAME, "The SRP username is not known"}, - {GNUTLS_A_MISSING_SRP_USERNAME, "The SRP username was not sent"}, - {0, NULL} + {GNUTLS_A_CLOSE_NOTIFY, "Close notify"}, + {GNUTLS_A_UNEXPECTED_MESSAGE, "Unexpected message"}, + {GNUTLS_A_BAD_RECORD_MAC, "Bad record MAC"}, + {GNUTLS_A_DECRYPTION_FAILED, "Decryption failed"}, + {GNUTLS_A_RECORD_OVERFLOW, "Record overflow"}, + {GNUTLS_A_DECOMPRESSION_FAILURE, "Decompression failed"}, + {GNUTLS_A_HANDSHAKE_FAILURE, "Handshake failed"}, + {GNUTLS_A_BAD_CERTIFICATE, "Certificate is bad"}, + {GNUTLS_A_UNSUPPORTED_CERTIFICATE, "Certificate is not supported"}, + {GNUTLS_A_CERTIFICATE_REVOKED, "Certificate was revoked"}, + {GNUTLS_A_CERTIFICATE_EXPIRED, "Certificate is expired"}, + {GNUTLS_A_CERTIFICATE_UNKNOWN, "Unknown certificate"}, + {GNUTLS_A_ILLEGAL_PARAMETER, "Illegal parameter"}, + {GNUTLS_A_UNKNOWN_CA, "CA is unknown"}, + {GNUTLS_A_ACCESS_DENIED, "Access was denied"}, + {GNUTLS_A_DECODE_ERROR, "Decode error"}, + {GNUTLS_A_DECRYPT_ERROR, "Decrypt error"}, + {GNUTLS_A_EXPORT_RESTRICTION, "Export restriction"}, + {GNUTLS_A_PROTOCOL_VERSION, "Error in protocol version"}, + {GNUTLS_A_INSUFFICIENT_SECURITY, "Insufficient security"}, + {GNUTLS_A_USER_CANCELED, "User canceled"}, + {GNUTLS_A_INTERNAL_ERROR, "Internal error"}, + {GNUTLS_A_NO_RENEGOTIATION, "No renegotiation is allowed"}, + {GNUTLS_A_CERTIFICATE_UNOBTAINABLE, + "Could not retrieve the specified certificate"}, + {GNUTLS_A_UNSUPPORTED_EXTENSION, "An unsupported extension was sent"}, + {GNUTLS_A_UNRECOGNIZED_NAME, + "The server name sent was not recognized"}, + {GNUTLS_A_UNKNOWN_SRP_USERNAME, "The SRP username is not known"}, + {GNUTLS_A_MISSING_SRP_USERNAME, "The SRP username was not sent"}, + {0, NULL} }; #define GNUTLS_ALERT_LOOP(b) \ @@ -82,13 +83,14 @@ static const gnutls_alert_entry sup_alerts[] = { * number or NULL. See gnutls_alert_get(). * **/ -const char *gnutls_alert_get_name(gnutls_alert_description_t alert) +const char * +gnutls_alert_get_name (gnutls_alert_description_t alert) { - const char *ret = NULL; + const char *ret = NULL; - GNUTLS_ALERT_ID_LOOP(ret = p->desc); + GNUTLS_ALERT_ID_LOOP (ret = p->desc); - return ret; + return ret; } /** @@ -108,26 +110,27 @@ const char *gnutls_alert_get_name(gnutls_alert_description_t alert) * Returns 0 on success. * **/ -int gnutls_alert_send(gnutls_session_t session, gnutls_alert_level_t level, - gnutls_alert_description_t desc) +int +gnutls_alert_send (gnutls_session_t session, gnutls_alert_level_t level, + gnutls_alert_description_t desc) { - uint8 data[2]; - int ret; - const char *name; + uint8 data[2]; + int ret; + const char *name; - data[0] = (uint8) level; - data[1] = (uint8) desc; + data[0] = (uint8) level; + data[1] = (uint8) desc; - name = gnutls_alert_get_name((int) data[1]); - if (name == NULL) - name = "(unknown)"; - _gnutls_record_log("REC: Sending Alert[%d|%d] - %s\n", data[0], - data[1], name); + name = gnutls_alert_get_name ((int) data[1]); + if (name == NULL) + name = "(unknown)"; + _gnutls_record_log ("REC: Sending Alert[%d|%d] - %s\n", data[0], + data[1], name); - if ((ret = _gnutls_send_int(session, GNUTLS_ALERT, -1, data, 2)) >= 0) - return 0; - else - return ret; + if ((ret = _gnutls_send_int (session, GNUTLS_ALERT, -1, data, 2)) >= 0) + return 0; + else + return ret; } /** @@ -145,31 +148,33 @@ int gnutls_alert_send(gnutls_session_t session, gnutls_alert_level_t level, * mapping to an alert. * **/ -int gnutls_error_to_alert(int err, int *level) +int +gnutls_error_to_alert (int err, int *level) { - int ret = GNUTLS_E_INVALID_REQUEST; - int _level = -1; + int ret = GNUTLS_E_INVALID_REQUEST; + int _level = -1; - switch (err) { /* send appropriate alert */ + switch (err) + { /* send appropriate alert */ case GNUTLS_E_DECRYPTION_FAILED: - /* GNUTLS_A_DECRYPTION_FAILED is not sent, because - * it is not defined in SSL3. Note that we must - * not distinguish Decryption failures from mac - * check failures, due to the possibility of some - * attacks. - */ - ret = GNUTLS_A_BAD_RECORD_MAC; - _level = GNUTLS_AL_FATAL; - break; + /* GNUTLS_A_DECRYPTION_FAILED is not sent, because + * it is not defined in SSL3. Note that we must + * not distinguish Decryption failures from mac + * check failures, due to the possibility of some + * attacks. + */ + ret = GNUTLS_A_BAD_RECORD_MAC; + _level = GNUTLS_AL_FATAL; + break; case GNUTLS_E_DECOMPRESSION_FAILED: - ret = GNUTLS_A_DECOMPRESSION_FAILURE; - _level = GNUTLS_AL_FATAL; - break; + ret = GNUTLS_A_DECOMPRESSION_FAILURE; + _level = GNUTLS_AL_FATAL; + break; case GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER: case GNUTLS_E_ILLEGAL_SRP_USERNAME: - ret = GNUTLS_A_ILLEGAL_PARAMETER; - _level = GNUTLS_AL_FATAL; - break; + ret = GNUTLS_A_ILLEGAL_PARAMETER; + _level = GNUTLS_AL_FATAL; + break; case GNUTLS_E_ASN1_ELEMENT_NOT_FOUND: case GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND: case GNUTLS_E_ASN1_DER_ERROR: @@ -181,63 +186,63 @@ int gnutls_error_to_alert(int err, int *level) case GNUTLS_E_ASN1_TYPE_ANY_ERROR: case GNUTLS_E_ASN1_SYNTAX_ERROR: case GNUTLS_E_ASN1_DER_OVERFLOW: - ret = GNUTLS_A_BAD_CERTIFICATE; - _level = GNUTLS_AL_FATAL; - break; + ret = GNUTLS_A_BAD_CERTIFICATE; + _level = GNUTLS_AL_FATAL; + break; case GNUTLS_E_UNKNOWN_CIPHER_SUITE: case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM: case GNUTLS_E_INSUFFICIENT_CREDENTIALS: case GNUTLS_E_NO_CIPHER_SUITES: case GNUTLS_E_NO_COMPRESSION_ALGORITHMS: - ret = GNUTLS_A_HANDSHAKE_FAILURE; - _level = GNUTLS_AL_FATAL; - break; + ret = GNUTLS_A_HANDSHAKE_FAILURE; + _level = GNUTLS_AL_FATAL; + break; case GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION: - ret = GNUTLS_A_UNSUPPORTED_EXTENSION; - _level = GNUTLS_AL_FATAL; - break; + ret = GNUTLS_A_UNSUPPORTED_EXTENSION; + _level = GNUTLS_AL_FATAL; + break; case GNUTLS_E_UNEXPECTED_PACKET: case GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET: - ret = GNUTLS_A_UNEXPECTED_MESSAGE; - _level = GNUTLS_AL_FATAL; - break; + ret = GNUTLS_A_UNEXPECTED_MESSAGE; + _level = GNUTLS_AL_FATAL; + break; case GNUTLS_E_REHANDSHAKE: - ret = GNUTLS_A_NO_RENEGOTIATION; - _level = GNUTLS_AL_WARNING; - break; + ret = GNUTLS_A_NO_RENEGOTIATION; + _level = GNUTLS_AL_WARNING; + break; case GNUTLS_E_UNSUPPORTED_VERSION_PACKET: - ret = GNUTLS_A_PROTOCOL_VERSION; - _level = GNUTLS_AL_FATAL; - break; + ret = GNUTLS_A_PROTOCOL_VERSION; + _level = GNUTLS_AL_FATAL; + break; case GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE: - ret = GNUTLS_A_UNSUPPORTED_CERTIFICATE; - _level = GNUTLS_AL_FATAL; - break; + ret = GNUTLS_A_UNSUPPORTED_CERTIFICATE; + _level = GNUTLS_AL_FATAL; + break; case GNUTLS_E_UNEXPECTED_PACKET_LENGTH: - ret = GNUTLS_A_RECORD_OVERFLOW; - _level = GNUTLS_AL_FATAL; - break; + ret = GNUTLS_A_RECORD_OVERFLOW; + _level = GNUTLS_AL_FATAL; + break; case GNUTLS_E_INTERNAL_ERROR: case GNUTLS_E_NO_TEMPORARY_DH_PARAMS: case GNUTLS_E_NO_TEMPORARY_RSA_PARAMS: - ret = GNUTLS_A_INTERNAL_ERROR; - _level = GNUTLS_AL_FATAL; - break; + ret = GNUTLS_A_INTERNAL_ERROR; + _level = GNUTLS_AL_FATAL; + break; case GNUTLS_E_OPENPGP_GETKEY_FAILED: - ret = GNUTLS_A_CERTIFICATE_UNOBTAINABLE; - _level = GNUTLS_AL_FATAL; - break; + ret = GNUTLS_A_CERTIFICATE_UNOBTAINABLE; + _level = GNUTLS_AL_FATAL; + break; case GNUTLS_E_DH_PRIME_UNACCEPTABLE: case GNUTLS_E_NO_CERTIFICATE_FOUND: - ret = GNUTLS_A_INSUFFICIENT_SECURITY; - _level = GNUTLS_AL_FATAL; - break; + ret = GNUTLS_A_INSUFFICIENT_SECURITY; + _level = GNUTLS_AL_FATAL; + break; } - if (level != NULL) - *level = _level; + if (level != NULL) + *level = _level; - return ret; + return ret; } @@ -257,17 +262,19 @@ int gnutls_error_to_alert(int err, int *level) * * Returns zero on success. */ -int gnutls_alert_send_appropriate(gnutls_session_t session, int err) +int +gnutls_alert_send_appropriate (gnutls_session_t session, int err) { - int alert; - int level; + int alert; + int level; - alert = gnutls_error_to_alert(err, &level); - if (alert < 0) { - return alert; + alert = gnutls_error_to_alert (err, &level); + if (alert < 0) + { + return alert; } - return gnutls_alert_send(session, level, alert); + return gnutls_alert_send (session, level, alert); } /** @@ -283,7 +290,8 @@ int gnutls_alert_send_appropriate(gnutls_session_t session, int err) * If no alert has been received the returned value is undefined. * **/ -gnutls_alert_description_t gnutls_alert_get(gnutls_session_t session) +gnutls_alert_description_t +gnutls_alert_get (gnutls_session_t session) { - return session->internals.last_alert; + return session->internals.last_alert; } diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c index 66b36791bd..00a9c92743 100644 --- a/lib/gnutls_algorithms.c +++ b/lib/gnutls_algorithms.c @@ -32,24 +32,25 @@ * FIXME: The mappings are not 1-1. Some KX such as SRP_RSA require * more than one credentials type. */ -typedef struct { - gnutls_kx_algorithm_t algorithm; - gnutls_credentials_type_t client_type; - gnutls_credentials_type_t server_type; /* The type of credentials a server +typedef struct +{ + gnutls_kx_algorithm_t algorithm; + gnutls_credentials_type_t client_type; + gnutls_credentials_type_t server_type; /* The type of credentials a server * needs to set */ } gnutls_cred_map; static const gnutls_cred_map cred_mappings[] = { - {GNUTLS_KX_ANON_DH, GNUTLS_CRD_ANON, GNUTLS_CRD_ANON}, - {GNUTLS_KX_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, - {GNUTLS_KX_RSA_EXPORT, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, - {GNUTLS_KX_DHE_DSS, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, - {GNUTLS_KX_DHE_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, - {GNUTLS_KX_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_PSK}, - {GNUTLS_KX_SRP, GNUTLS_CRD_SRP, GNUTLS_CRD_SRP}, - {GNUTLS_KX_SRP_RSA, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE}, - {GNUTLS_KX_SRP_DSS, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE}, - {0, 0, 0} + {GNUTLS_KX_ANON_DH, GNUTLS_CRD_ANON, GNUTLS_CRD_ANON}, + {GNUTLS_KX_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_RSA_EXPORT, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_DHE_DSS, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_DHE_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_PSK}, + {GNUTLS_KX_SRP, GNUTLS_CRD_SRP, GNUTLS_CRD_SRP}, + {GNUTLS_KX_SRP_RSA, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_SRP_DSS, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE}, + {0, 0, 0} }; #define GNUTLS_KX_MAP_LOOP(b) \ @@ -63,10 +64,11 @@ static const gnutls_cred_map cred_mappings[] = { GNUTLS_KX_MAP_LOOP( if(p->client_type == type) { a; break; }) /* KX mappings to PK algorithms */ -typedef struct { - gnutls_kx_algorithm_t kx_algorithm; - gnutls_pk_algorithm_t pk_algorithm; - enum encipher_type encipher_type; /* CIPHER_ENCRYPT if this algorithm is to be used +typedef struct +{ + gnutls_kx_algorithm_t kx_algorithm; + gnutls_pk_algorithm_t pk_algorithm; + enum encipher_type encipher_type; /* CIPHER_ENCRYPT if this algorithm is to be used * for encryption, CIPHER_SIGN if signature only, * CIPHER_IGN if this does not apply at all. * @@ -81,13 +83,13 @@ typedef struct { * use GNUTLS_KX_RSA or GNUTLS_KX_DHE_RSA. */ static const gnutls_pk_map pk_mappings[] = { - {GNUTLS_KX_RSA, GNUTLS_PK_RSA, CIPHER_ENCRYPT}, - {GNUTLS_KX_RSA_EXPORT, GNUTLS_PK_RSA, CIPHER_SIGN}, - {GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, - {GNUTLS_KX_SRP_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, - {GNUTLS_KX_DHE_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, - {GNUTLS_KX_SRP_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, - {0, 0, 0} + {GNUTLS_KX_RSA, GNUTLS_PK_RSA, CIPHER_ENCRYPT}, + {GNUTLS_KX_RSA_EXPORT, GNUTLS_PK_RSA, CIPHER_SIGN}, + {GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, + {GNUTLS_KX_SRP_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, + {GNUTLS_KX_DHE_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, + {GNUTLS_KX_SRP_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, + {0, 0, 0} }; #define GNUTLS_PK_MAP_LOOP(b) \ @@ -101,19 +103,20 @@ static const gnutls_pk_map pk_mappings[] = { /* TLS Versions */ -typedef struct { - const char *name; - gnutls_protocol_t id; /* gnutls internal version number */ - int major; /* defined by the protocol */ - int minor; /* defined by the protocol */ - int supported; /* 0 not supported, > 0 is supported */ +typedef struct +{ + const char *name; + gnutls_protocol_t id; /* gnutls internal version number */ + int major; /* defined by the protocol */ + int minor; /* defined by the protocol */ + int supported; /* 0 not supported, > 0 is supported */ } gnutls_version_entry; static const gnutls_version_entry sup_versions[] = { - {"SSL 3.0", GNUTLS_SSL3, 3, 0, 1}, - {"TLS 1.0", GNUTLS_TLS1, 3, 1, 1}, - {"TLS 1.1", GNUTLS_TLS1_1, 3, 2, 1}, - {0, 0, 0, 0, 0} + {"SSL 3.0", GNUTLS_SSL3, 3, 0, 1}, + {"TLS 1.0", GNUTLS_TLS1, 3, 1, 1}, + {"TLS 1.1", GNUTLS_TLS1_1, 3, 2, 1}, + {0, 0, 0, 0, 0} }; #define GNUTLS_VERSION_LOOP(b) \ @@ -124,14 +127,15 @@ static const gnutls_version_entry sup_versions[] = { GNUTLS_VERSION_LOOP( if(p->id == version) { a; break; }) -struct gnutls_cipher_entry { - const char *name; - gnutls_cipher_algorithm_t id; - uint16 blocksize; - uint16 keysize; - cipher_type_t block; - uint16 iv; - int export_flag; /* 0 non export */ +struct gnutls_cipher_entry +{ + const char *name; + gnutls_cipher_algorithm_t id; + uint16 blocksize; + uint16 keysize; + cipher_type_t block; + uint16 iv; + int export_flag; /* 0 non export */ }; typedef struct gnutls_cipher_entry gnutls_cipher_entry; @@ -141,17 +145,17 @@ typedef struct gnutls_cipher_entry gnutls_cipher_entry; * protecting communications" by Hugo Krawczyk - CRYPTO 2001 */ static const gnutls_cipher_entry algorithms[] = { - {"3DES 168 CBC", GNUTLS_CIPHER_3DES_CBC, 8, 24, CIPHER_BLOCK, 8, 0}, - {"AES 128 CBC", GNUTLS_CIPHER_AES_128_CBC, 16, 16, CIPHER_BLOCK, 16, - 0}, - {"AES 256 CBC", GNUTLS_CIPHER_AES_256_CBC, 16, 32, CIPHER_BLOCK, 16, - 0}, - {"ARCFOUR 128", GNUTLS_CIPHER_ARCFOUR_128, 1, 16, CIPHER_STREAM, 0, 0}, - {"ARCFOUR 40", GNUTLS_CIPHER_ARCFOUR_40, 1, 5, CIPHER_STREAM, 0, 1}, - {"RC2 40", GNUTLS_CIPHER_RC2_40_CBC, 8, 5, CIPHER_BLOCK, 8, 1}, - {"DES CBC", GNUTLS_CIPHER_DES_CBC, 8, 8, CIPHER_BLOCK, 8, 0}, - {"NULL", GNUTLS_CIPHER_NULL, 1, 0, CIPHER_STREAM, 0, 0}, - {0, 0, 0, 0, 0, 0, 0} + {"3DES 168 CBC", GNUTLS_CIPHER_3DES_CBC, 8, 24, CIPHER_BLOCK, 8, 0}, + {"AES 128 CBC", GNUTLS_CIPHER_AES_128_CBC, 16, 16, CIPHER_BLOCK, 16, + 0}, + {"AES 256 CBC", GNUTLS_CIPHER_AES_256_CBC, 16, 32, CIPHER_BLOCK, 16, + 0}, + {"ARCFOUR 128", GNUTLS_CIPHER_ARCFOUR_128, 1, 16, CIPHER_STREAM, 0, 0}, + {"ARCFOUR 40", GNUTLS_CIPHER_ARCFOUR_40, 1, 5, CIPHER_STREAM, 0, 1}, + {"RC2 40", GNUTLS_CIPHER_RC2_40_CBC, 8, 5, CIPHER_BLOCK, 8, 1}, + {"DES CBC", GNUTLS_CIPHER_DES_CBC, 8, 8, CIPHER_BLOCK, 8, 0}, + {"NULL", GNUTLS_CIPHER_NULL, 1, 0, CIPHER_STREAM, 0, 0}, + {0, 0, 0, 0, 0, 0, 0} }; #define GNUTLS_LOOP(b) \ @@ -162,20 +166,21 @@ static const gnutls_cipher_entry algorithms[] = { GNUTLS_LOOP( if(p->id == algorithm) { a; break; } ) -struct gnutls_hash_entry { - const char *name; - const char* oid; - gnutls_mac_algorithm_t id; +struct gnutls_hash_entry +{ + const char *name; + const char *oid; + gnutls_mac_algorithm_t id; }; typedef struct gnutls_hash_entry gnutls_hash_entry; static const gnutls_hash_entry hash_algorithms[] = { - {"SHA", HASH_OID_SHA1, GNUTLS_MAC_SHA1}, - {"MD5", HASH_OID_MD5, GNUTLS_MAC_MD5}, - {"MD2", HASH_OID_MD2, GNUTLS_MAC_MD2}, - {"RIPEMD160", HASH_OID_RMD160, GNUTLS_MAC_RMD160}, - {"NULL", NULL, GNUTLS_MAC_NULL}, - {0, 0, 0} + {"SHA", HASH_OID_SHA1, GNUTLS_MAC_SHA1}, + {"MD5", HASH_OID_MD5, GNUTLS_MAC_MD5}, + {"MD2", HASH_OID_MD2, GNUTLS_MAC_MD2}, + {"RIPEMD160", HASH_OID_RMD160, GNUTLS_MAC_RMD160}, + {"NULL", NULL, GNUTLS_MAC_NULL}, + {0, 0, 0} }; #define GNUTLS_HASH_LOOP(b) \ @@ -197,12 +202,12 @@ const int _gnutls_comp_algorithms_size = MAX_COMP_METHODS; /* the compression entry is defined in gnutls_algorithms.h */ gnutls_compression_entry _gnutls_compression_algorithms[MAX_COMP_METHODS] = { - GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_NULL, 0x00, 0, 0, 0), + GNUTLS_COMPRESSION_ENTRY (GNUTLS_COMP_NULL, 0x00, 0, 0, 0), #ifdef HAVE_LIBZ - /* draft-ietf-tls-compression-02 */ - GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_DEFLATE, 0x01, 15, 8, 3), + /* draft-ietf-tls-compression-02 */ + GNUTLS_COMPRESSION_ENTRY (GNUTLS_COMP_DEFLATE, 0x01, 15, 8, 3), #endif - {0, 0, 0, 0, 0, 0} + {0, 0, 0, 0, 0, 0} }; #define GNUTLS_COMPRESSION_LOOP(b) \ @@ -233,25 +238,25 @@ const int _gnutls_kx_algorithms_size = MAX_KX_ALGOS; gnutls_kx_algo_entry _gnutls_kx_algorithms[MAX_KX_ALGOS] = { #ifdef ENABLE_ANON - {"Anon DH", GNUTLS_KX_ANON_DH, &anon_auth_struct, 1, 0}, + {"Anon DH", GNUTLS_KX_ANON_DH, &anon_auth_struct, 1, 0}, #endif - {"RSA", GNUTLS_KX_RSA, &rsa_auth_struct, 0, 0}, - {"RSA EXPORT", GNUTLS_KX_RSA_EXPORT, &rsa_export_auth_struct, 0, 1}, - {"DHE RSA", GNUTLS_KX_DHE_RSA, &dhe_rsa_auth_struct, 1, 0}, - {"DHE DSS", GNUTLS_KX_DHE_DSS, &dhe_dss_auth_struct, 1, 0}, + {"RSA", GNUTLS_KX_RSA, &rsa_auth_struct, 0, 0}, + {"RSA EXPORT", GNUTLS_KX_RSA_EXPORT, &rsa_export_auth_struct, 0, 1}, + {"DHE RSA", GNUTLS_KX_DHE_RSA, &dhe_rsa_auth_struct, 1, 0}, + {"DHE DSS", GNUTLS_KX_DHE_DSS, &dhe_dss_auth_struct, 1, 0}, #ifdef ENABLE_SRP - {"SRP DSS", GNUTLS_KX_SRP_DSS, &srp_dss_auth_struct, 0, 0}, - {"SRP RSA", GNUTLS_KX_SRP_RSA, &srp_rsa_auth_struct, 0, 0}, - {"SRP", GNUTLS_KX_SRP, &srp_auth_struct, 0, 0}, + {"SRP DSS", GNUTLS_KX_SRP_DSS, &srp_dss_auth_struct, 0, 0}, + {"SRP RSA", GNUTLS_KX_SRP_RSA, &srp_rsa_auth_struct, 0, 0}, + {"SRP", GNUTLS_KX_SRP, &srp_auth_struct, 0, 0}, #endif #ifdef ENABLE_PSK - {"PSK", GNUTLS_KX_PSK, &psk_auth_struct, 0, 0}, + {"PSK", GNUTLS_KX_PSK, &psk_auth_struct, 0, 0}, #endif - /* other algorithms are appended here by gnutls-extra - * initialization function. - */ - {0, 0, 0, 0, 0} + /* other algorithms are appended here by gnutls-extra + * initialization function. + */ + {0, 0, 0, 0, 0} }; #define GNUTLS_KX_LOOP(b) \ @@ -267,13 +272,14 @@ gnutls_kx_algo_entry _gnutls_kx_algorithms[MAX_KX_ALGOS] = { #define GNUTLS_CIPHER_SUITE_ENTRY( name, block_algorithm, kx_algorithm, mac_algorithm, version ) \ { #name, {name}, block_algorithm, kx_algorithm, mac_algorithm, version } -typedef struct { - const char *name; - cipher_suite_st id; - gnutls_cipher_algorithm_t block_algorithm; - gnutls_kx_algorithm_t kx_algorithm; - gnutls_mac_algorithm_t mac_algorithm; - gnutls_protocol_t version; /* this cipher suite is supported +typedef struct +{ + const char *name; + cipher_suite_st id; + gnutls_cipher_algorithm_t block_algorithm; + gnutls_kx_algorithm_t kx_algorithm; + gnutls_mac_algorithm_t mac_algorithm; + gnutls_protocol_t version; /* this cipher suite is supported * from 'version' and above; */ } gnutls_cipher_suite_entry; @@ -372,147 +378,147 @@ typedef struct { #define CIPHER_SUITES_COUNT sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry)-1 static const gnutls_cipher_suite_entry cs_algorithms[] = { - /* ANON_DH */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_ARCFOUR_MD5, - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_KX_ANON_DH, GNUTLS_MAC_MD5, - GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_3DES_EDE_CBC_SHA1, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA1, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_AES_128_CBC_SHA1, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA1, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_AES_256_CBC_SHA1, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA1, GNUTLS_SSL3), - - /* PSK */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_PSK_SHA_ARCFOUR_SHA1, - GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_PSK_SHA_3DES_EDE_CBC_SHA1, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_PSK_SHA_AES_128_CBC_SHA1, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_PSK_SHA_AES_256_CBC_SHA1, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - - /* SRP */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA1, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_AES_128_CBC_SHA1, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_AES_256_CBC_SHA1, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_DSS, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_RSA, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA1, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_DSS, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA1, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_RSA, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA1, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_DSS, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA1, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_RSA, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - - /* DHE_DSS */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_ARCFOUR_SHA1, - GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA1, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA1, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_SHA1, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA1, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_SHA1, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA1, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_RMD, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_RMD, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_RMD, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - /* DHE_RSA */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_SHA1, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_SHA1, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_RMD, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_RMD, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_RMD, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - /* RSA */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_NULL_MD5, - GNUTLS_CIPHER_NULL, - GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_EXPORT_ARCFOUR_40_MD5, - GNUTLS_CIPHER_ARCFOUR_40, - GNUTLS_KX_RSA_EXPORT, GNUTLS_MAC_MD5, - GNUTLS_SSL3), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_ARCFOUR_SHA1, - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_ARCFOUR_MD5, - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_3DES_EDE_CBC_SHA1, - GNUTLS_CIPHER_3DES_CBC, - GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_128_CBC_SHA1, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_256_CBC_SHA1, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_3DES_EDE_CBC_RMD, - GNUTLS_CIPHER_3DES_CBC, - GNUTLS_KX_RSA, GNUTLS_MAC_RMD160, - GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_128_CBC_RMD, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_256_CBC_RMD, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - {0, {{0, 0}}, 0, 0, 0, 0} + /* ANON_DH */ + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_ANON_DH_ARCFOUR_MD5, + GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_KX_ANON_DH, GNUTLS_MAC_MD5, + GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_ANON_DH_3DES_EDE_CBC_SHA1, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_MAC_SHA1, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_ANON_DH_AES_128_CBC_SHA1, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_MAC_SHA1, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_ANON_DH_AES_256_CBC_SHA1, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_MAC_SHA1, GNUTLS_SSL3), + + /* PSK */ + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_PSK_SHA_ARCFOUR_SHA1, + GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_PSK, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_PSK_SHA_3DES_EDE_CBC_SHA1, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_PSK, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_PSK_SHA_AES_128_CBC_SHA1, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_PSK_SHA_AES_256_CBC_SHA1, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_PSK, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + + /* SRP */ + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA1, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_SRP_SHA_AES_128_CBC_SHA1, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_SRP_SHA_AES_256_CBC_SHA1, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_DSS, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_RSA, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA1, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_DSS, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA1, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_RSA, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA1, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_DSS, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA1, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_RSA, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + + /* DHE_DSS */ + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_DSS_ARCFOUR_SHA1, + GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA1, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA1, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_DSS_AES_128_CBC_SHA1, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA1, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_DSS_AES_256_CBC_SHA1, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA1, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_DSS_3DES_EDE_CBC_RMD, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_DSS_AES_128_CBC_RMD, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_DSS_AES_256_CBC_RMD, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + /* DHE_RSA */ + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_SHA1, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_RSA_AES_128_CBC_SHA1, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_SHA1, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_RSA_AES_256_CBC_SHA1, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_SHA1, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_RSA_3DES_EDE_CBC_RMD, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_RSA_AES_128_CBC_RMD, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_RSA_AES_256_CBC_RMD, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + /* RSA */ + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_NULL_MD5, + GNUTLS_CIPHER_NULL, + GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3), + + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_EXPORT_ARCFOUR_40_MD5, + GNUTLS_CIPHER_ARCFOUR_40, + GNUTLS_KX_RSA_EXPORT, GNUTLS_MAC_MD5, + GNUTLS_SSL3), + + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_ARCFOUR_SHA1, + GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_ARCFOUR_MD5, + GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_3DES_EDE_CBC_SHA1, + GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_AES_128_CBC_SHA1, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_SHA1, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_AES_256_CBC_SHA1, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_SHA1, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_3DES_EDE_CBC_RMD, + GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_RSA, GNUTLS_MAC_RMD160, + GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_AES_128_CBC_RMD, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_AES_256_CBC_RMD, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + {0, {{0, 0}}, 0, 0, 0, 0} }; #define GNUTLS_CIPHER_SUITE_LOOP(b) \ @@ -526,17 +532,17 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = { /* Generic Functions */ -inline int _gnutls_mac_priority(gnutls_session_t session, - gnutls_mac_algorithm_t algorithm) +inline int +_gnutls_mac_priority (gnutls_session_t session, + gnutls_mac_algorithm_t algorithm) { /* actually returns the priority */ - unsigned int i; - for (i = 0; - i < session->internals.mac_algorithm_priority.algorithms; i++) { - if (session->internals. - mac_algorithm_priority.priority[i] == algorithm) - return i; + unsigned int i; + for (i = 0; i < session->internals.mac_algorithm_priority.algorithms; i++) + { + if (session->internals.mac_algorithm_priority.priority[i] == algorithm) + return i; } - return -1; + return -1; } /** @@ -546,62 +552,70 @@ inline int _gnutls_mac_priority(gnutls_session_t session, * Returns a string that contains the name * of the specified MAC algorithm or NULL. **/ -const char *gnutls_mac_get_name(gnutls_mac_algorithm_t algorithm) +const char * +gnutls_mac_get_name (gnutls_mac_algorithm_t algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_HASH_ALG_LOOP(ret = p->name); + /* avoid prefix */ + GNUTLS_HASH_ALG_LOOP (ret = p->name); - return ret; + return ret; } -const char *_gnutls_x509_mac_to_oid(gnutls_mac_algorithm_t algorithm) +const char * +_gnutls_x509_mac_to_oid (gnutls_mac_algorithm_t algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_HASH_ALG_LOOP(ret = p->oid); + /* avoid prefix */ + GNUTLS_HASH_ALG_LOOP (ret = p->oid); - return ret; + return ret; } -gnutls_mac_algorithm_t _gnutls_x509_oid2mac_algorithm(const char *oid) +gnutls_mac_algorithm_t +_gnutls_x509_oid2mac_algorithm (const char *oid) { -gnutls_mac_algorithm_t ret = 0; + gnutls_mac_algorithm_t ret = 0; - GNUTLS_HASH_LOOP(if (strcmp(oid, p->oid)==0) {ret = p->id;break;}); + GNUTLS_HASH_LOOP (if (strcmp (oid, p->oid) == 0) + { + ret = p->id; break;} + ); - if (ret == 0) return GNUTLS_MAC_UNKNOWN; - return ret; + if (ret == 0) + return GNUTLS_MAC_UNKNOWN; + return ret; } -int _gnutls_mac_is_ok(gnutls_mac_algorithm_t algorithm) +int +_gnutls_mac_is_ok (gnutls_mac_algorithm_t algorithm) { - ssize_t ret = -1; - GNUTLS_HASH_ALG_LOOP(ret = p->id); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; + ssize_t ret = -1; + GNUTLS_HASH_ALG_LOOP (ret = p->id); + if (ret >= 0) + ret = 0; + else + ret = 1; + return ret; } /* Compression Functions */ -inline - int _gnutls_compression_priority(gnutls_session_t session, - gnutls_compression_method_t algorithm) +inline int +_gnutls_compression_priority (gnutls_session_t session, + gnutls_compression_method_t algorithm) { /* actually returns the priority */ - unsigned int i; - for (i = 0; - i < - session->internals.compression_method_priority.algorithms; i++) { - if (session->internals. - compression_method_priority.priority[i] == algorithm) - return i; + unsigned int i; + for (i = 0; + i < session->internals.compression_method_priority.algorithms; i++) + { + if (session->internals. + compression_method_priority.priority[i] == algorithm) + return i; } - return -1; + return -1; } /** @@ -611,114 +625,118 @@ inline * Returns a pointer to a string that contains the name * of the specified compression algorithm or NULL. **/ -const char *gnutls_compression_get_name(gnutls_compression_method_t - algorithm) +const char * +gnutls_compression_get_name (gnutls_compression_method_t algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = - p->name + sizeof("GNUTLS_COMP_") - 1); + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP (ret = p->name + sizeof ("GNUTLS_COMP_") - 1); - return ret; + return ret; } /* return the tls number of the specified algorithm */ -int _gnutls_compression_get_num(gnutls_compression_method_t algorithm) +int +_gnutls_compression_get_num (gnutls_compression_method_t algorithm) { - int ret = -1; + int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->num); + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP (ret = p->num); - return ret; + return ret; } -int _gnutls_compression_get_wbits(gnutls_compression_method_t algorithm) +int +_gnutls_compression_get_wbits (gnutls_compression_method_t algorithm) { - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->window_bits); - return ret; + int ret = -1; + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP (ret = p->window_bits); + return ret; } -int _gnutls_compression_get_mem_level(gnutls_compression_method_t - algorithm) +int +_gnutls_compression_get_mem_level (gnutls_compression_method_t algorithm) { - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->mem_level); - return ret; + int ret = -1; + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP (ret = p->mem_level); + return ret; } -int _gnutls_compression_get_comp_level(gnutls_compression_method_t - algorithm) +int +_gnutls_compression_get_comp_level (gnutls_compression_method_t algorithm) { - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->comp_level); - return ret; + int ret = -1; + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP (ret = p->comp_level); + return ret; } /* returns the gnutls internal ID of the TLS compression * method num */ -gnutls_compression_method_t _gnutls_compression_get_id(int num) +gnutls_compression_method_t +_gnutls_compression_get_id (int num) { - gnutls_compression_method_t ret = -1; + gnutls_compression_method_t ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP_NUM(ret = p->id); + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP_NUM (ret = p->id); - return ret; + return ret; } -int _gnutls_compression_is_ok(gnutls_compression_method_t algorithm) +int +_gnutls_compression_is_ok (gnutls_compression_method_t algorithm) { - ssize_t ret = -1; - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->id); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; + ssize_t ret = -1; + GNUTLS_COMPRESSION_ALG_LOOP (ret = p->id); + if (ret >= 0) + ret = 0; + else + ret = 1; + return ret; } /* CIPHER functions */ -int _gnutls_cipher_get_block_size(gnutls_cipher_algorithm_t algorithm) +int +_gnutls_cipher_get_block_size (gnutls_cipher_algorithm_t algorithm) { - size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->blocksize); - return ret; + size_t ret = 0; + GNUTLS_ALG_LOOP (ret = p->blocksize); + return ret; } /* returns the priority */ -inline - int -_gnutls_cipher_priority(gnutls_session_t session, - gnutls_cipher_algorithm_t algorithm) +inline int +_gnutls_cipher_priority (gnutls_session_t session, + gnutls_cipher_algorithm_t algorithm) { - unsigned int i; - for (i = 0; - i < - session->internals.cipher_algorithm_priority.algorithms; i++) { - if (session->internals. - cipher_algorithm_priority.priority[i] == algorithm) - return i; + unsigned int i; + for (i = 0; + i < session->internals.cipher_algorithm_priority.algorithms; i++) + { + if (session->internals. + cipher_algorithm_priority.priority[i] == algorithm) + return i; } - return -1; + return -1; } -int _gnutls_cipher_is_block(gnutls_cipher_algorithm_t algorithm) +int +_gnutls_cipher_is_block (gnutls_cipher_algorithm_t algorithm) { - size_t ret = 0; + size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->block); - return ret; + GNUTLS_ALG_LOOP (ret = p->block); + return ret; } @@ -730,27 +748,30 @@ int _gnutls_cipher_is_block(gnutls_cipher_algorithm_t algorithm) * Returns 0 if the given cipher is invalid. * **/ -size_t gnutls_cipher_get_key_size(gnutls_cipher_algorithm_t algorithm) +size_t +gnutls_cipher_get_key_size (gnutls_cipher_algorithm_t algorithm) { /* In bytes */ - size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->keysize); - return ret; + size_t ret = 0; + GNUTLS_ALG_LOOP (ret = p->keysize); + return ret; } -int _gnutls_cipher_get_iv_size(gnutls_cipher_algorithm_t algorithm) +int +_gnutls_cipher_get_iv_size (gnutls_cipher_algorithm_t algorithm) { /* In bytes */ - size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->iv); - return ret; + size_t ret = 0; + GNUTLS_ALG_LOOP (ret = p->iv); + return ret; } -int _gnutls_cipher_get_export_flag(gnutls_cipher_algorithm_t algorithm) +int +_gnutls_cipher_get_export_flag (gnutls_cipher_algorithm_t algorithm) { /* In bytes */ - size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->export_flag); - return ret; + size_t ret = 0; + GNUTLS_ALG_LOOP (ret = p->export_flag); + return ret; } @@ -761,49 +782,52 @@ int _gnutls_cipher_get_export_flag(gnutls_cipher_algorithm_t algorithm) * Returns a pointer to a string that contains the name * of the specified cipher or NULL. **/ -const char *gnutls_cipher_get_name(gnutls_cipher_algorithm_t algorithm) +const char * +gnutls_cipher_get_name (gnutls_cipher_algorithm_t algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_ALG_LOOP(ret = p->name); + /* avoid prefix */ + GNUTLS_ALG_LOOP (ret = p->name); - return ret; + return ret; } -int _gnutls_cipher_is_ok(gnutls_cipher_algorithm_t algorithm) +int +_gnutls_cipher_is_ok (gnutls_cipher_algorithm_t algorithm) { - ssize_t ret = -1; - GNUTLS_ALG_LOOP(ret = p->id); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; + ssize_t ret = -1; + GNUTLS_ALG_LOOP (ret = p->id); + if (ret >= 0) + ret = 0; + else + ret = 1; + return ret; } /* Key EXCHANGE functions */ -mod_auth_st *_gnutls_kx_auth_struct(gnutls_kx_algorithm_t algorithm) +mod_auth_st * +_gnutls_kx_auth_struct (gnutls_kx_algorithm_t algorithm) { - mod_auth_st *ret = NULL; - GNUTLS_KX_ALG_LOOP(ret = p->auth_struct); - return ret; + mod_auth_st *ret = NULL; + GNUTLS_KX_ALG_LOOP (ret = p->auth_struct); + return ret; } -inline int _gnutls_kx_priority(gnutls_session_t session, - gnutls_kx_algorithm_t algorithm) +inline int +_gnutls_kx_priority (gnutls_session_t session, + gnutls_kx_algorithm_t algorithm) { - unsigned int i; - for (i = 0; - i < session->internals.kx_algorithm_priority.algorithms; i++) { - if (session->internals. - kx_algorithm_priority.priority[i] == algorithm) - return i; + unsigned int i; + for (i = 0; i < session->internals.kx_algorithm_priority.algorithms; i++) + { + if (session->internals.kx_algorithm_priority.priority[i] == algorithm) + return i; } - return -1; + return -1; } /** @@ -813,96 +837,108 @@ inline int _gnutls_kx_priority(gnutls_session_t session, * Returns a pointer to a string that contains the name * of the specified key exchange algorithm or NULL. **/ -const char *gnutls_kx_get_name(gnutls_kx_algorithm_t algorithm) +const char * +gnutls_kx_get_name (gnutls_kx_algorithm_t algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_KX_ALG_LOOP(ret = p->name); + /* avoid prefix */ + GNUTLS_KX_ALG_LOOP (ret = p->name); - return ret; + return ret; } -int _gnutls_kx_is_ok(gnutls_kx_algorithm_t algorithm) +int +_gnutls_kx_is_ok (gnutls_kx_algorithm_t algorithm) { - ssize_t ret = -1; - GNUTLS_KX_ALG_LOOP(ret = p->algorithm); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; + ssize_t ret = -1; + GNUTLS_KX_ALG_LOOP (ret = p->algorithm); + if (ret >= 0) + ret = 0; + else + ret = 1; + return ret; } -int _gnutls_kx_needs_rsa_params(gnutls_kx_algorithm_t algorithm) +int +_gnutls_kx_needs_rsa_params (gnutls_kx_algorithm_t algorithm) { - ssize_t ret = 0; - GNUTLS_KX_ALG_LOOP(ret = p->needs_rsa_params); - return ret; + ssize_t ret = 0; + GNUTLS_KX_ALG_LOOP (ret = p->needs_rsa_params); + return ret; } -int _gnutls_kx_needs_dh_params(gnutls_kx_algorithm_t algorithm) +int +_gnutls_kx_needs_dh_params (gnutls_kx_algorithm_t algorithm) { - ssize_t ret = 0; - GNUTLS_KX_ALG_LOOP(ret = p->needs_dh_params); - return ret; + ssize_t ret = 0; + GNUTLS_KX_ALG_LOOP (ret = p->needs_dh_params); + return ret; } /* Version */ -int _gnutls_version_priority(gnutls_session_t session, - gnutls_protocol_t version) +int +_gnutls_version_priority (gnutls_session_t session, gnutls_protocol_t version) { /* actually returns the priority */ - unsigned int i; + unsigned int i; - if (session->internals.protocol_priority.priority == NULL) { - gnutls_assert(); - return -1; + if (session->internals.protocol_priority.priority == NULL) + { + gnutls_assert (); + return -1; } - for (i = 0; i < session->internals.protocol_priority.algorithms; i++) { - if (session->internals.protocol_priority.priority[i] == version) - return i; + for (i = 0; i < session->internals.protocol_priority.algorithms; i++) + { + if (session->internals.protocol_priority.priority[i] == version) + return i; } - return -1; + return -1; } -gnutls_protocol_t _gnutls_version_lowest(gnutls_session_t session) +gnutls_protocol_t +_gnutls_version_lowest (gnutls_session_t session) { /* returns the lowest version supported */ - unsigned int i, min = 0xff; - - if (session->internals.protocol_priority.priority == NULL) { - return GNUTLS_VERSION_UNKNOWN; - } else - for (i = 0; i < session->internals.protocol_priority.algorithms; - i++) { - if (session->internals.protocol_priority.priority[i] < min) - min = session->internals.protocol_priority.priority[i]; - } + unsigned int i, min = 0xff; + + if (session->internals.protocol_priority.priority == NULL) + { + return GNUTLS_VERSION_UNKNOWN; + } + else + for (i = 0; i < session->internals.protocol_priority.algorithms; i++) + { + if (session->internals.protocol_priority.priority[i] < min) + min = session->internals.protocol_priority.priority[i]; + } - if (min == 0xff) - return GNUTLS_VERSION_UNKNOWN; /* unknown version */ + if (min == 0xff) + return GNUTLS_VERSION_UNKNOWN; /* unknown version */ - return min; + return min; } -gnutls_protocol_t _gnutls_version_max(gnutls_session_t session) +gnutls_protocol_t +_gnutls_version_max (gnutls_session_t session) { /* returns the maximum version supported */ - unsigned int i, max = 0x00; - - if (session->internals.protocol_priority.priority == NULL) { - return GNUTLS_VERSION_UNKNOWN; - } else - for (i = 0; i < session->internals.protocol_priority.algorithms; - i++) { - if (session->internals.protocol_priority.priority[i] > max) - max = session->internals.protocol_priority.priority[i]; - } + unsigned int i, max = 0x00; - if (max == 0x00) - return GNUTLS_VERSION_UNKNOWN; /* unknown version */ + if (session->internals.protocol_priority.priority == NULL) + { + return GNUTLS_VERSION_UNKNOWN; + } + else + for (i = 0; i < session->internals.protocol_priority.algorithms; i++) + { + if (session->internals.protocol_priority.priority[i] > max) + max = session->internals.protocol_priority.priority[i]; + } + + if (max == 0x00) + return GNUTLS_VERSION_UNKNOWN; /* unknown version */ - return max; + return max; } @@ -913,133 +949,143 @@ gnutls_protocol_t _gnutls_version_max(gnutls_session_t session) * Returns a string that contains the name * of the specified TLS version or NULL. **/ -const char *gnutls_protocol_get_name(gnutls_protocol_t version) +const char * +gnutls_protocol_get_name (gnutls_protocol_t version) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_VERSION_ALG_LOOP(ret = p->name); - return ret; + /* avoid prefix */ + GNUTLS_VERSION_ALG_LOOP (ret = p->name); + return ret; } -int _gnutls_version_get_minor(gnutls_protocol_t version) +int +_gnutls_version_get_minor (gnutls_protocol_t version) { - int ret = -1; + int ret = -1; - GNUTLS_VERSION_ALG_LOOP(ret = p->minor); - return ret; + GNUTLS_VERSION_ALG_LOOP (ret = p->minor); + return ret; } -gnutls_protocol_t _gnutls_version_get(int major, int minor) +gnutls_protocol_t +_gnutls_version_get (int major, int minor) { - int ret = -1; + int ret = -1; - GNUTLS_VERSION_LOOP(if ((p->major == major) && (p->minor == minor)) - ret = p->id); - return ret; + GNUTLS_VERSION_LOOP (if ((p->major == major) && (p->minor == minor)) + ret = p->id); + return ret; } -int _gnutls_version_get_major(gnutls_protocol_t version) +int +_gnutls_version_get_major (gnutls_protocol_t version) { - int ret = -1; + int ret = -1; - GNUTLS_VERSION_ALG_LOOP(ret = p->major); - return ret; + GNUTLS_VERSION_ALG_LOOP (ret = p->major); + return ret; } /* Version Functions */ int -_gnutls_version_is_supported(gnutls_session_t session, - const gnutls_protocol_t version) +_gnutls_version_is_supported (gnutls_session_t session, + const gnutls_protocol_t version) { - int ret = 0; + int ret = 0; - GNUTLS_VERSION_ALG_LOOP(ret = p->supported); - if (ret == 0) - return 0; + GNUTLS_VERSION_ALG_LOOP (ret = p->supported); + if (ret == 0) + return 0; - if (_gnutls_version_priority(session, version) < 0) - return 0; /* disabled by the user */ - else - return 1; + if (_gnutls_version_priority (session, version) < 0) + return 0; /* disabled by the user */ + else + return 1; } /* Type to KX mappings */ -gnutls_kx_algorithm_t _gnutls_map_kx_get_kx(gnutls_credentials_type_t type, - int server) +gnutls_kx_algorithm_t +_gnutls_map_kx_get_kx (gnutls_credentials_type_t type, int server) { - gnutls_kx_algorithm_t ret = -1; + gnutls_kx_algorithm_t ret = -1; - if (server) { - GNUTLS_KX_MAP_ALG_LOOP_SERVER(ret = p->algorithm); - } else { - GNUTLS_KX_MAP_ALG_LOOP_SERVER(ret = p->algorithm); + if (server) + { + GNUTLS_KX_MAP_ALG_LOOP_SERVER (ret = p->algorithm); } - return ret; + else + { + GNUTLS_KX_MAP_ALG_LOOP_SERVER (ret = p->algorithm); + } + return ret; } -gnutls_credentials_type_t _gnutls_map_kx_get_cred(gnutls_kx_algorithm_t - algorithm, int server) +gnutls_credentials_type_t +_gnutls_map_kx_get_cred (gnutls_kx_algorithm_t algorithm, int server) { - gnutls_credentials_type_t ret = -1; - if (server) { - GNUTLS_KX_MAP_LOOP(if (p->algorithm == algorithm) ret = - p->server_type); - } else { - GNUTLS_KX_MAP_LOOP(if (p->algorithm == algorithm) ret = - p->client_type); + gnutls_credentials_type_t ret = -1; + if (server) + { + GNUTLS_KX_MAP_LOOP (if (p->algorithm == algorithm) ret = + p->server_type); + } + else + { + GNUTLS_KX_MAP_LOOP (if (p->algorithm == algorithm) ret = + p->client_type); } - return ret; + return ret; } /* Cipher Suite's functions */ gnutls_cipher_algorithm_t -_gnutls_cipher_suite_get_cipher_algo(const cipher_suite_st * suite) +_gnutls_cipher_suite_get_cipher_algo (const cipher_suite_st * suite) { - int ret = 0; - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->block_algorithm); - return ret; + int ret = 0; + GNUTLS_CIPHER_SUITE_ALG_LOOP (ret = p->block_algorithm); + return ret; } gnutls_protocol_t -_gnutls_cipher_suite_get_version(const cipher_suite_st * suite) +_gnutls_cipher_suite_get_version (const cipher_suite_st * suite) { - int ret = 0; - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->version); - return ret; + int ret = 0; + GNUTLS_CIPHER_SUITE_ALG_LOOP (ret = p->version); + return ret; } -gnutls_kx_algorithm_t _gnutls_cipher_suite_get_kx_algo(const - cipher_suite_st * - suite) +gnutls_kx_algorithm_t +_gnutls_cipher_suite_get_kx_algo (const cipher_suite_st * suite) { - int ret = 0; + int ret = 0; - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->kx_algorithm); - return ret; + GNUTLS_CIPHER_SUITE_ALG_LOOP (ret = p->kx_algorithm); + return ret; } gnutls_mac_algorithm_t -_gnutls_cipher_suite_get_mac_algo(const cipher_suite_st * suite) +_gnutls_cipher_suite_get_mac_algo (const cipher_suite_st * suite) { /* In bytes */ - int ret = 0; - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->mac_algorithm); - return ret; + int ret = 0; + GNUTLS_CIPHER_SUITE_ALG_LOOP (ret = p->mac_algorithm); + return ret; } -const char *_gnutls_cipher_suite_get_name(cipher_suite_st * suite) +const char * +_gnutls_cipher_suite_get_name (cipher_suite_st * suite) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->name + sizeof("GNUTLS_") - 1); + /* avoid prefix */ + GNUTLS_CIPHER_SUITE_ALG_LOOP (ret = p->name + sizeof ("GNUTLS_") - 1); - return ret; + return ret; } /** @@ -1055,35 +1101,36 @@ const char *_gnutls_cipher_suite_get_name(cipher_suite_st * suite) * by TLS or SSL depending of the protocol in use. * **/ -const char *gnutls_cipher_suite_get_name(gnutls_kx_algorithm_t - kx_algorithm, - gnutls_cipher_algorithm_t - cipher_algorithm, - gnutls_mac_algorithm_t - mac_algorithm) +const char * +gnutls_cipher_suite_get_name (gnutls_kx_algorithm_t + kx_algorithm, + gnutls_cipher_algorithm_t + cipher_algorithm, + gnutls_mac_algorithm_t mac_algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_CIPHER_SUITE_LOOP(if (kx_algorithm == p->kx_algorithm && - cipher_algorithm == p->block_algorithm && - mac_algorithm == p->mac_algorithm) - ret = p->name + sizeof("GNUTLS_") - 1); + /* avoid prefix */ + GNUTLS_CIPHER_SUITE_LOOP (if (kx_algorithm == p->kx_algorithm && + cipher_algorithm == p->block_algorithm && + mac_algorithm == p->mac_algorithm) + ret = p->name + sizeof ("GNUTLS_") - 1); - return ret; + return ret; } -inline static int _gnutls_cipher_suite_is_ok(cipher_suite_st * suite) +inline static int +_gnutls_cipher_suite_is_ok (cipher_suite_st * suite) { - size_t ret; - const char *name = NULL; + size_t ret; + const char *name = NULL; - GNUTLS_CIPHER_SUITE_ALG_LOOP(name = p->name); - if (name != NULL) - ret = 0; - else - ret = 1; - return ret; + GNUTLS_CIPHER_SUITE_ALG_LOOP (name = p->name); + if (name != NULL) + ret = 0; + else + ret = 1; + return ret; } @@ -1092,72 +1139,78 @@ inline static int _gnutls_cipher_suite_is_ok(cipher_suite_st * suite) memcpy(y,tmp,size); #define MAX_ELEM_SIZE 4 -inline - static int _gnutls_partition(gnutls_session_t session, void *_base, - size_t nmemb, size_t size, - int (*compar) (gnutls_session_t, - const void *, - const void *)) +inline static int +_gnutls_partition (gnutls_session_t session, void *_base, + size_t nmemb, size_t size, + int (*compar) (gnutls_session_t, + const void *, const void *)) { - uint8 *base = _base; - uint8 tmp[MAX_ELEM_SIZE]; - uint8 ptmp[MAX_ELEM_SIZE]; - unsigned int pivot; - unsigned int i, j; - unsigned int full; - - i = pivot = 0; - j = full = (nmemb - 1) * size; - - memcpy(ptmp, &base[0], size); /* set pivot item */ - - while (i < j) { - while ((compar(session, &base[i], ptmp) <= 0) && (i < full)) { - i += size; + uint8 *base = _base; + uint8 tmp[MAX_ELEM_SIZE]; + uint8 ptmp[MAX_ELEM_SIZE]; + unsigned int pivot; + unsigned int i, j; + unsigned int full; + + i = pivot = 0; + j = full = (nmemb - 1) * size; + + memcpy (ptmp, &base[0], size); /* set pivot item */ + + while (i < j) + { + while ((compar (session, &base[i], ptmp) <= 0) && (i < full)) + { + i += size; } - while ((compar(session, &base[j], ptmp) >= 0) && (j > 0)) - j -= size; + while ((compar (session, &base[j], ptmp) >= 0) && (j > 0)) + j -= size; - if (i < j) { - SWAP(&base[j], &base[i]); + if (i < j) + { + SWAP (&base[j], &base[i]); } } - if (j > pivot) { - SWAP(&base[pivot], &base[j]); - pivot = j; - } else if (i < pivot) { - SWAP(&base[pivot], &base[i]); - pivot = i; + if (j > pivot) + { + SWAP (&base[pivot], &base[j]); + pivot = j; + } + else if (i < pivot) + { + SWAP (&base[pivot], &base[i]); + pivot = i; } - return pivot / size; + return pivot / size; } static void -_gnutls_qsort(gnutls_session_t session, void *_base, size_t nmemb, - size_t size, int (*compar) (gnutls_session_t, const void *, - const void *)) +_gnutls_qsort (gnutls_session_t session, void *_base, size_t nmemb, + size_t size, int (*compar) (gnutls_session_t, const void *, + const void *)) { - unsigned int pivot; - char *base = _base; - size_t snmemb = nmemb; + unsigned int pivot; + char *base = _base; + size_t snmemb = nmemb; #ifdef DEBUG - if (size > MAX_ELEM_SIZE) { - gnutls_assert(); - _gnutls_debug_log("QSORT BUG\n"); - exit(1); + if (size > MAX_ELEM_SIZE) + { + gnutls_assert (); + _gnutls_debug_log ("QSORT BUG\n"); + exit (1); } #endif - if (snmemb <= 1) - return; - pivot = _gnutls_partition(session, _base, nmemb, size, compar); + if (snmemb <= 1) + return; + pivot = _gnutls_partition (session, _base, nmemb, size, compar); - _gnutls_qsort(session, base, pivot < nmemb ? pivot + 1 : pivot, size, - compar); - _gnutls_qsort(session, &base[(pivot + 1) * size], nmemb - pivot - 1, - size, compar); + _gnutls_qsort (session, base, pivot < nmemb ? pivot + 1 : pivot, size, + compar); + _gnutls_qsort (session, &base[(pivot + 1) * size], nmemb - pivot - 1, + size, compar); } @@ -1165,58 +1218,61 @@ _gnutls_qsort(gnutls_session_t session, void *_base, size_t nmemb, * For use with qsort */ static int -_gnutls_compare_algo(gnutls_session_t session, const void *i_A1, - const void *i_A2) +_gnutls_compare_algo (gnutls_session_t session, const void *i_A1, + const void *i_A2) { - gnutls_kx_algorithm_t kA1 = - _gnutls_cipher_suite_get_kx_algo((const cipher_suite_st *) i_A1); - gnutls_kx_algorithm_t kA2 = - _gnutls_cipher_suite_get_kx_algo((const cipher_suite_st *) i_A2); - gnutls_cipher_algorithm_t cA1 = - _gnutls_cipher_suite_get_cipher_algo((const cipher_suite_st *) - i_A1); - gnutls_cipher_algorithm_t cA2 = - _gnutls_cipher_suite_get_cipher_algo((const cipher_suite_st *) - i_A2); - gnutls_mac_algorithm_t mA1 = - _gnutls_cipher_suite_get_mac_algo((const cipher_suite_st *) - i_A1); - gnutls_mac_algorithm_t mA2 = - _gnutls_cipher_suite_get_mac_algo((const cipher_suite_st *) - i_A2); - - int p1 = (_gnutls_kx_priority(session, kA1) + 1) * 64; - int p2 = (_gnutls_kx_priority(session, kA2) + 1) * 64; - p1 += (_gnutls_cipher_priority(session, cA1) + 1) * 8; - p2 += (_gnutls_cipher_priority(session, cA2) + 1) * 8; - p1 += _gnutls_mac_priority(session, mA1); - p2 += _gnutls_mac_priority(session, mA2); - - if (p1 > p2) { - return 1; - } else { - if (p1 == p2) { - return 0; + gnutls_kx_algorithm_t kA1 = + _gnutls_cipher_suite_get_kx_algo ((const cipher_suite_st *) i_A1); + gnutls_kx_algorithm_t kA2 = + _gnutls_cipher_suite_get_kx_algo ((const cipher_suite_st *) i_A2); + gnutls_cipher_algorithm_t cA1 = + _gnutls_cipher_suite_get_cipher_algo ((const cipher_suite_st *) i_A1); + gnutls_cipher_algorithm_t cA2 = + _gnutls_cipher_suite_get_cipher_algo ((const cipher_suite_st *) i_A2); + gnutls_mac_algorithm_t mA1 = + _gnutls_cipher_suite_get_mac_algo ((const cipher_suite_st *) i_A1); + gnutls_mac_algorithm_t mA2 = + _gnutls_cipher_suite_get_mac_algo ((const cipher_suite_st *) i_A2); + + int p1 = (_gnutls_kx_priority (session, kA1) + 1) * 64; + int p2 = (_gnutls_kx_priority (session, kA2) + 1) * 64; + p1 += (_gnutls_cipher_priority (session, cA1) + 1) * 8; + p2 += (_gnutls_cipher_priority (session, cA2) + 1) * 8; + p1 += _gnutls_mac_priority (session, mA1); + p2 += _gnutls_mac_priority (session, mA2); + + if (p1 > p2) + { + return 1; + } + else + { + if (p1 == p2) + { + return 0; } - return -1; + return -1; } } #ifdef SORT_DEBUG static void -_gnutls_bsort(gnutls_session_t session, void *_base, size_t nmemb, - size_t size, int (*compar) (gnutls_session_t, const void *, - const void *)) +_gnutls_bsort (gnutls_session_t session, void *_base, size_t nmemb, + size_t size, int (*compar) (gnutls_session_t, const void *, + const void *)) { - unsigned int i, j; - int full = nmemb * size; - char *base = _base; - char tmp[MAX_ELEM_SIZE]; - - for (i = 0; i < full; i += size) { - for (j = 0; j < full; j += size) { - if (compar(session, &base[i], &base[j]) < 0) { - SWAP(&base[j], &base[i]); + unsigned int i, j; + int full = nmemb * size; + char *base = _base; + char tmp[MAX_ELEM_SIZE]; + + for (i = 0; i < full; i += size) + { + for (j = 0; j < full; j += size) + { + if (compar (session, &base[i], &base[j]) < 0) + { + SWAP (&base[j], &base[i]); } } } @@ -1225,130 +1281,136 @@ _gnutls_bsort(gnutls_session_t session, void *_base, size_t nmemb, #endif int -_gnutls_supported_ciphersuites_sorted(gnutls_session_t session, - cipher_suite_st ** ciphers) +_gnutls_supported_ciphersuites_sorted (gnutls_session_t session, + cipher_suite_st ** ciphers) { #ifdef SORT_DEBUG - unsigned int i; + unsigned int i; #endif - int count; + int count; - count = _gnutls_supported_ciphersuites(session, ciphers); - if (count <= 0) { - gnutls_assert(); - return count; + count = _gnutls_supported_ciphersuites (session, ciphers); + if (count <= 0) + { + gnutls_assert (); + return count; } #ifdef SORT_DEBUG - _gnutls_debug_log("Unsorted: \n"); - for (i = 0; i < count; i++) - _gnutls_debug_log("\t%d: %s\n", i, - _gnutls_cipher_suite_get_name((*ciphers)[i])); + _gnutls_debug_log ("Unsorted: \n"); + for (i = 0; i < count; i++) + _gnutls_debug_log ("\t%d: %s\n", i, + _gnutls_cipher_suite_get_name ((*ciphers)[i])); #endif - _gnutls_qsort(session, *ciphers, count, - sizeof(cipher_suite_st), _gnutls_compare_algo); + _gnutls_qsort (session, *ciphers, count, + sizeof (cipher_suite_st), _gnutls_compare_algo); #ifdef SORT_DEBUG - _gnutls_debug_log("Sorted: \n"); - for (i = 0; i < count; i++) - _gnutls_debug_log("\t%d: %s\n", i, - _gnutls_cipher_suite_get_name((*ciphers)[i])); + _gnutls_debug_log ("Sorted: \n"); + for (i = 0; i < count; i++) + _gnutls_debug_log ("\t%d: %s\n", i, + _gnutls_cipher_suite_get_name ((*ciphers)[i])); #endif - return count; + return count; } int -_gnutls_supported_ciphersuites(gnutls_session_t session, - cipher_suite_st ** _ciphers) +_gnutls_supported_ciphersuites (gnutls_session_t session, + cipher_suite_st ** _ciphers) { - unsigned int i, ret_count, j; - unsigned int count = CIPHER_SUITES_COUNT; - cipher_suite_st *tmp_ciphers; - cipher_suite_st *ciphers; - gnutls_protocol_t version; + unsigned int i, ret_count, j; + unsigned int count = CIPHER_SUITES_COUNT; + cipher_suite_st *tmp_ciphers; + cipher_suite_st *ciphers; + gnutls_protocol_t version; - if (count == 0) { - return 0; + if (count == 0) + { + return 0; } - tmp_ciphers = gnutls_alloca(count * sizeof(cipher_suite_st)); - if (tmp_ciphers == NULL) - return GNUTLS_E_MEMORY_ERROR; + tmp_ciphers = gnutls_alloca (count * sizeof (cipher_suite_st)); + if (tmp_ciphers == NULL) + return GNUTLS_E_MEMORY_ERROR; - ciphers = gnutls_malloc(count * sizeof(cipher_suite_st)); - if (ciphers == NULL) { - gnutls_afree(tmp_ciphers); - return GNUTLS_E_MEMORY_ERROR; + ciphers = gnutls_malloc (count * sizeof (cipher_suite_st)); + if (ciphers == NULL) + { + gnutls_afree (tmp_ciphers); + return GNUTLS_E_MEMORY_ERROR; } - version = gnutls_protocol_get_version(session); + version = gnutls_protocol_get_version (session); - for (i = 0; i < count; i++) { - memcpy(&tmp_ciphers[i], &cs_algorithms[i].id, - sizeof(cipher_suite_st)); + for (i = 0; i < count; i++) + { + memcpy (&tmp_ciphers[i], &cs_algorithms[i].id, + sizeof (cipher_suite_st)); } - for (i = j = 0; i < count; i++) { - /* remove private cipher suites, if requested. - */ - if (tmp_ciphers[i].suite[0] == 0xFF && - session->internals.enable_private == 0) - continue; - - /* remove cipher suites which do not support the - * protocol version used. - */ - if (_gnutls_cipher_suite_get_version(&tmp_ciphers[i]) > version) - continue; - - if (_gnutls_kx_priority - (session, - _gnutls_cipher_suite_get_kx_algo(&tmp_ciphers[i])) < 0) - continue; - if (_gnutls_mac_priority - (session, - _gnutls_cipher_suite_get_mac_algo(&tmp_ciphers[i])) < 0) - continue; - if (_gnutls_cipher_priority - (session, - _gnutls_cipher_suite_get_cipher_algo(&tmp_ciphers[i])) - < 0) - continue; - - memcpy(&ciphers[j], &tmp_ciphers[i], sizeof(cipher_suite_st)); - j++; + for (i = j = 0; i < count; i++) + { + /* remove private cipher suites, if requested. + */ + if (tmp_ciphers[i].suite[0] == 0xFF && + session->internals.enable_private == 0) + continue; + + /* remove cipher suites which do not support the + * protocol version used. + */ + if (_gnutls_cipher_suite_get_version (&tmp_ciphers[i]) > version) + continue; + + if (_gnutls_kx_priority + (session, _gnutls_cipher_suite_get_kx_algo (&tmp_ciphers[i])) < 0) + continue; + if (_gnutls_mac_priority + (session, _gnutls_cipher_suite_get_mac_algo (&tmp_ciphers[i])) < 0) + continue; + if (_gnutls_cipher_priority + (session, + _gnutls_cipher_suite_get_cipher_algo (&tmp_ciphers[i])) < 0) + continue; + + memcpy (&ciphers[j], &tmp_ciphers[i], sizeof (cipher_suite_st)); + j++; } - ret_count = j; + ret_count = j; #if 0 /* expensive */ - if (ret_count > 0 && ret_count != count) { - ciphers = - gnutls_realloc_fast(ciphers, - ret_count * sizeof(cipher_suite_st)); - } else { - if (ret_count != count) { - gnutls_free(ciphers); - ciphers = NULL; + if (ret_count > 0 && ret_count != count) + { + ciphers = + gnutls_realloc_fast (ciphers, ret_count * sizeof (cipher_suite_st)); + } + else + { + if (ret_count != count) + { + gnutls_free (ciphers); + ciphers = NULL; } } #endif - gnutls_afree(tmp_ciphers); + gnutls_afree (tmp_ciphers); - /* This function can no longer return 0 cipher suites. - * It returns an error code instead. - */ - if (ret_count == 0) { - gnutls_assert(); - gnutls_free(ciphers); - return GNUTLS_E_NO_CIPHER_SUITES; + /* This function can no longer return 0 cipher suites. + * It returns an error code instead. + */ + if (ret_count == 0) + { + gnutls_assert (); + gnutls_free (ciphers); + return GNUTLS_E_NO_CIPHER_SUITES; } - *_ciphers = ciphers; - return ret_count; + *_ciphers = ciphers; + return ret_count; } @@ -1360,39 +1422,42 @@ _gnutls_supported_ciphersuites(gnutls_session_t session, */ #define SUPPORTED_COMPRESSION_METHODS session->internals.compression_method_priority.algorithms int -_gnutls_supported_compression_methods(gnutls_session_t session, - uint8 ** comp) +_gnutls_supported_compression_methods (gnutls_session_t session, + uint8 ** comp) { - unsigned int i, j; - - *comp = gnutls_malloc(sizeof(uint8) * SUPPORTED_COMPRESSION_METHODS); - if (*comp == NULL) - return GNUTLS_E_MEMORY_ERROR; - - for (i = j = 0; i < SUPPORTED_COMPRESSION_METHODS; i++) { - int tmp = _gnutls_compression_get_num(session->internals. - compression_method_priority. - priority[i]); - - /* remove private compression algorithms, if requested. - */ - if (tmp == -1 || (tmp >= MIN_PRIVATE_COMP_ALGO && - session->internals.enable_private == 0)) { - gnutls_assert(); - continue; + unsigned int i, j; + + *comp = gnutls_malloc (sizeof (uint8) * SUPPORTED_COMPRESSION_METHODS); + if (*comp == NULL) + return GNUTLS_E_MEMORY_ERROR; + + for (i = j = 0; i < SUPPORTED_COMPRESSION_METHODS; i++) + { + int tmp = _gnutls_compression_get_num (session->internals. + compression_method_priority. + priority[i]); + + /* remove private compression algorithms, if requested. + */ + if (tmp == -1 || (tmp >= MIN_PRIVATE_COMP_ALGO && + session->internals.enable_private == 0)) + { + gnutls_assert (); + continue; } - (*comp)[j] = (uint8) tmp; - j++; + (*comp)[j] = (uint8) tmp; + j++; } - if (j == 0) { - gnutls_assert(); - gnutls_free(*comp); - *comp = NULL; - return GNUTLS_E_NO_COMPRESSION_ALGORITHMS; + if (j == 0) + { + gnutls_assert (); + gnutls_free (*comp); + *comp = NULL; + return GNUTLS_E_NO_COMPRESSION_ALGORITHMS; } - return j; + return j; } /** @@ -1402,29 +1467,28 @@ _gnutls_supported_compression_methods(gnutls_session_t session, * Returns a string (or NULL) that contains the name * of the specified certificate type. **/ -const char *gnutls_certificate_type_get_name(gnutls_certificate_type_t - type) +const char * +gnutls_certificate_type_get_name (gnutls_certificate_type_t type) { - const char *ret = NULL; + const char *ret = NULL; - if (type == GNUTLS_CRT_X509) - ret = "X.509"; - if (type == GNUTLS_CRT_OPENPGP) - ret = "OPENPGP"; + if (type == GNUTLS_CRT_X509) + ret = "X.509"; + if (type == GNUTLS_CRT_OPENPGP) + ret = "OPENPGP"; - return ret; + return ret; } /* returns the gnutls_pk_algorithm_t which is compatible with * the given gnutls_kx_algorithm_t. */ -gnutls_pk_algorithm_t _gnutls_map_pk_get_pk(gnutls_kx_algorithm_t - kx_algorithm) +gnutls_pk_algorithm_t +_gnutls_map_pk_get_pk (gnutls_kx_algorithm_t kx_algorithm) { - gnutls_pk_algorithm_t ret = -1; + gnutls_pk_algorithm_t ret = -1; - GNUTLS_PK_MAP_ALG_LOOP(ret = p->pk_algorithm) - return ret; + GNUTLS_PK_MAP_ALG_LOOP (ret = p->pk_algorithm) return ret; } /* Returns the encipher type for the given key exchange algorithm. @@ -1432,35 +1496,40 @@ gnutls_pk_algorithm_t _gnutls_map_pk_get_pk(gnutls_kx_algorithm_t * * ex. GNUTLS_KX_RSA requires a certificate able to encrypt... so returns CIPHER_ENCRYPT. */ -enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm_t - kx_algorithm) +enum encipher_type +_gnutls_kx_encipher_type (gnutls_kx_algorithm_t kx_algorithm) { - int ret = CIPHER_IGN; - GNUTLS_PK_MAP_ALG_LOOP(ret = p->encipher_type) - return ret; + int ret = CIPHER_IGN; + GNUTLS_PK_MAP_ALG_LOOP (ret = p->encipher_type) return ret; } /* signature algorithms; */ -struct gnutls_sign_entry { - const char *name; - const char* oid; - gnutls_sign_algorithm_t id; - gnutls_pk_algorithm_t pk; - gnutls_mac_algorithm_t mac; +struct gnutls_sign_entry +{ + const char *name; + const char *oid; + gnutls_sign_algorithm_t id; + gnutls_pk_algorithm_t pk; + gnutls_mac_algorithm_t mac; }; typedef struct gnutls_sign_entry gnutls_sign_entry; static const gnutls_sign_entry sign_algorithms[] = { - {"RSA-SHA", SIG_RSA_SHA1_OID, GNUTLS_SIGN_RSA_SHA1, GNUTLS_PK_RSA, GNUTLS_MAC_SHA1}, - {"RSA-RMD160", SIG_RSA_RMD160_OID, GNUTLS_SIGN_RSA_RMD160, GNUTLS_PK_RSA, GNUTLS_MAC_RMD160}, - {"DSA-SHA", SIG_DSA_SHA1_OID, GNUTLS_SIGN_DSA_SHA1, GNUTLS_PK_DSA, GNUTLS_MAC_SHA1}, - {"RSA-MD5", SIG_RSA_MD5_OID, GNUTLS_SIGN_RSA_MD5, GNUTLS_PK_RSA, GNUTLS_MAC_MD5}, - {"RSA-MD2", SIG_RSA_MD2_OID, GNUTLS_SIGN_RSA_MD2, GNUTLS_PK_RSA, GNUTLS_MAC_MD2}, - {"GOST R 34.10-2001", SIG_GOST_R3410_2001_OID, 0, 0, 0}, - {"GOST R 34.10-94", SIG_GOST_R3410_94_OID, 0, 0, 0}, - {0, 0, 0, 0, 0} + {"RSA-SHA", SIG_RSA_SHA1_OID, GNUTLS_SIGN_RSA_SHA1, GNUTLS_PK_RSA, + GNUTLS_MAC_SHA1}, + {"RSA-RMD160", SIG_RSA_RMD160_OID, GNUTLS_SIGN_RSA_RMD160, GNUTLS_PK_RSA, + GNUTLS_MAC_RMD160}, + {"DSA-SHA", SIG_DSA_SHA1_OID, GNUTLS_SIGN_DSA_SHA1, GNUTLS_PK_DSA, + GNUTLS_MAC_SHA1}, + {"RSA-MD5", SIG_RSA_MD5_OID, GNUTLS_SIGN_RSA_MD5, GNUTLS_PK_RSA, + GNUTLS_MAC_MD5}, + {"RSA-MD2", SIG_RSA_MD2_OID, GNUTLS_SIGN_RSA_MD2, GNUTLS_PK_RSA, + GNUTLS_MAC_MD2}, + {"GOST R 34.10-2001", SIG_GOST_R3410_2001_OID, 0, 0, 0}, + {"GOST R 34.10-94", SIG_GOST_R3410_94_OID, 0, 0, 0}, + {0, 0, 0, 0, 0} }; #define GNUTLS_SIGN_LOOP(b) \ @@ -1481,71 +1550,82 @@ static const gnutls_sign_entry sign_algorithms[] = { * Returns a string that contains the name * of the specified sign algorithm or NULL. **/ -const char *gnutls_sign_algorithm_get_name(gnutls_sign_algorithm_t - sign) +const char * +gnutls_sign_algorithm_get_name (gnutls_sign_algorithm_t sign) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_SIGN_ALG_LOOP(ret = p->name); + /* avoid prefix */ + GNUTLS_SIGN_ALG_LOOP (ret = p->name); - return ret; + return ret; } -gnutls_sign_algorithm_t _gnutls_x509_oid2sign_algorithm(const char *oid) +gnutls_sign_algorithm_t +_gnutls_x509_oid2sign_algorithm (const char *oid) { - gnutls_sign_algorithm_t ret = 0; + gnutls_sign_algorithm_t ret = 0; - GNUTLS_SIGN_LOOP(if(strcmp(oid, p->oid)==0) {ret=p->id;break;}); + GNUTLS_SIGN_LOOP (if (strcmp (oid, p->oid) == 0) + { + ret = p->id; break;} + ); - if (ret == 0) { - _gnutls_x509_log("Unknown SIGN OID: '%s'\n", oid); - return GNUTLS_SIGN_UNKNOWN; + if (ret == 0) + { + _gnutls_x509_log ("Unknown SIGN OID: '%s'\n", oid); + return GNUTLS_SIGN_UNKNOWN; } - return ret; + return ret; } -gnutls_sign_algorithm_t _gnutls_x509_pk_to_sign(gnutls_pk_algorithm_t pk, - gnutls_mac_algorithm_t mac) +gnutls_sign_algorithm_t +_gnutls_x509_pk_to_sign (gnutls_pk_algorithm_t pk, gnutls_mac_algorithm_t mac) { -gnutls_sign_algorithm_t ret = 0; + gnutls_sign_algorithm_t ret = 0; - GNUTLS_SIGN_LOOP(if(pk==p->pk && mac==p->mac) {ret=p->id;break;}); - - if (ret==0) return GNUTLS_SIGN_UNKNOWN; - return ret; + GNUTLS_SIGN_LOOP (if (pk == p->pk && mac == p->mac) + { + ret = p->id; break;} + ); + + if (ret == 0) + return GNUTLS_SIGN_UNKNOWN; + return ret; } -const char *_gnutls_x509_sign_to_oid(gnutls_pk_algorithm_t pk, - gnutls_mac_algorithm_t mac) +const char * +_gnutls_x509_sign_to_oid (gnutls_pk_algorithm_t pk, + gnutls_mac_algorithm_t mac) { gnutls_sign_algorithm_t sign; - const char* ret = NULL; + const char *ret = NULL; - sign = _gnutls_x509_pk_to_sign(pk, mac); - if (sign == GNUTLS_SIGN_UNKNOWN) - return NULL; + sign = _gnutls_x509_pk_to_sign (pk, mac); + if (sign == GNUTLS_SIGN_UNKNOWN) + return NULL; - GNUTLS_SIGN_ALG_LOOP(ret=p->oid); - return ret; + GNUTLS_SIGN_ALG_LOOP (ret = p->oid); + return ret; } /* pk algorithms; */ -struct gnutls_pk_entry { - const char *name; - const char* oid; - gnutls_pk_algorithm_t id; +struct gnutls_pk_entry +{ + const char *name; + const char *oid; + gnutls_pk_algorithm_t id; }; typedef struct gnutls_pk_entry gnutls_pk_entry; static const gnutls_pk_entry pk_algorithms[] = { - {"RSA", PK_PKIX1_RSA_OID, GNUTLS_PK_RSA}, - {"DSA", PK_DSA_OID, GNUTLS_PK_DSA}, - {"GOST R 34.10-2001", PK_GOST_R3410_2001_OID, 0}, - {"GOST R 34.10-94", PK_GOST_R3410_94_OID, 0}, - {0, 0, 0} + {"RSA", PK_PKIX1_RSA_OID, GNUTLS_PK_RSA}, + {"DSA", PK_DSA_OID, GNUTLS_PK_DSA}, + {"GOST R 34.10-2001", PK_GOST_R3410_2001_OID, 0}, + {"GOST R 34.10-94", PK_GOST_R3410_94_OID, 0}, + {0, 0, 0} }; #define GNUTLS_PK_LOOP(b) \ @@ -1564,28 +1644,34 @@ static const gnutls_pk_entry pk_algorithms[] = { * Returns a string that contains the name * of the specified public key algorithm or NULL. **/ -const char *gnutls_pk_algorithm_get_name(gnutls_pk_algorithm_t algorithm) +const char * +gnutls_pk_algorithm_get_name (gnutls_pk_algorithm_t algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_PK_ALG_LOOP(ret = p->name); + /* avoid prefix */ + GNUTLS_PK_ALG_LOOP (ret = p->name); - return ret; + return ret; } -gnutls_pk_algorithm_t _gnutls_x509_oid2pk_algorithm(const char *oid) +gnutls_pk_algorithm_t +_gnutls_x509_oid2pk_algorithm (const char *oid) { -gnutls_pk_algorithm_t ret = GNUTLS_PK_UNKNOWN; + gnutls_pk_algorithm_t ret = GNUTLS_PK_UNKNOWN; - GNUTLS_PK_LOOP(if (strcmp(p->oid,oid)==0) {ret = p->id; break;}); - return ret; + GNUTLS_PK_LOOP (if (strcmp (p->oid, oid) == 0) + { + ret = p->id; break;} + ); + return ret; } -const char *_gnutls_x509_pk_to_oid(gnutls_pk_algorithm_t algorithm) +const char * +_gnutls_x509_pk_to_oid (gnutls_pk_algorithm_t algorithm) { - const char *ret = NULL; + const char *ret = NULL; - GNUTLS_PK_ALG_LOOP(ret = p->oid); - return ret; + GNUTLS_PK_ALG_LOOP (ret = p->oid); + return ret; } diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h index 09b1e25161..71562773d5 100644 --- a/lib/gnutls_algorithms.h +++ b/lib/gnutls_algorithms.h @@ -28,114 +28,117 @@ #include "gnutls_auth.h" /* Functions for version handling. */ -gnutls_protocol_t _gnutls_version_lowest(gnutls_session_t session); -gnutls_protocol_t _gnutls_version_max(gnutls_session_t session); -int _gnutls_version_priority(gnutls_session_t session, - gnutls_protocol_t version); -int _gnutls_version_is_supported(gnutls_session_t session, - const gnutls_protocol_t version); -int _gnutls_version_get_major(gnutls_protocol_t ver); -int _gnutls_version_get_minor(gnutls_protocol_t ver); -gnutls_protocol_t _gnutls_version_get(int major, int minor); +gnutls_protocol_t _gnutls_version_lowest (gnutls_session_t session); +gnutls_protocol_t _gnutls_version_max (gnutls_session_t session); +int _gnutls_version_priority (gnutls_session_t session, + gnutls_protocol_t version); +int _gnutls_version_is_supported (gnutls_session_t session, + const gnutls_protocol_t version); +int _gnutls_version_get_major (gnutls_protocol_t ver); +int _gnutls_version_get_minor (gnutls_protocol_t ver); +gnutls_protocol_t _gnutls_version_get (int major, int minor); /* Functions for MACs. */ -int _gnutls_mac_is_ok(gnutls_mac_algorithm_t algorithm); -int _gnutls_mac_priority(gnutls_session_t session, - gnutls_mac_algorithm_t algorithm); -gnutls_mac_algorithm_t _gnutls_x509_oid2mac_algorithm(const char *oid); -const char *_gnutls_x509_mac_to_oid(gnutls_mac_algorithm_t mac); +int _gnutls_mac_is_ok (gnutls_mac_algorithm_t algorithm); +int _gnutls_mac_priority (gnutls_session_t session, + gnutls_mac_algorithm_t algorithm); +gnutls_mac_algorithm_t _gnutls_x509_oid2mac_algorithm (const char *oid); +const char *_gnutls_x509_mac_to_oid (gnutls_mac_algorithm_t mac); /* Functions for cipher suites. */ -int _gnutls_supported_ciphersuites(gnutls_session_t session, - cipher_suite_st ** ciphers); -int _gnutls_supported_ciphersuites_sorted(gnutls_session_t session, - cipher_suite_st ** ciphers); -int _gnutls_supported_compression_methods(gnutls_session_t session, - uint8 ** comp); -const char *_gnutls_cipher_suite_get_name(cipher_suite_st * algorithm); -gnutls_cipher_algorithm_t _gnutls_cipher_suite_get_cipher_algo(const - cipher_suite_st* algorithm); -gnutls_kx_algorithm_t _gnutls_cipher_suite_get_kx_algo(const - cipher_suite_st * algorithm); -gnutls_mac_algorithm_t _gnutls_cipher_suite_get_mac_algo(const - cipher_suite_st *algorithm); -gnutls_protocol_t _gnutls_cipher_suite_get_version(const cipher_suite_st * - algorithm); -cipher_suite_st _gnutls_cipher_suite_get_suite_name(cipher_suite_st * +int _gnutls_supported_ciphersuites (gnutls_session_t session, + cipher_suite_st ** ciphers); +int _gnutls_supported_ciphersuites_sorted (gnutls_session_t session, + cipher_suite_st ** ciphers); +int _gnutls_supported_compression_methods (gnutls_session_t session, + uint8 ** comp); +const char *_gnutls_cipher_suite_get_name (cipher_suite_st * algorithm); +gnutls_cipher_algorithm_t _gnutls_cipher_suite_get_cipher_algo (const + cipher_suite_st + * algorithm); +gnutls_kx_algorithm_t _gnutls_cipher_suite_get_kx_algo (const cipher_suite_st + * algorithm); +gnutls_mac_algorithm_t _gnutls_cipher_suite_get_mac_algo (const + cipher_suite_st * + algorithm); +gnutls_protocol_t _gnutls_cipher_suite_get_version (const cipher_suite_st * algorithm); +cipher_suite_st _gnutls_cipher_suite_get_suite_name (cipher_suite_st * + algorithm); /* Functions for ciphers. */ -int _gnutls_cipher_priority(gnutls_session_t session, - gnutls_cipher_algorithm_t algorithm); -int _gnutls_cipher_get_block_size(gnutls_cipher_algorithm_t algorithm); -int _gnutls_cipher_is_block(gnutls_cipher_algorithm_t algorithm); -int _gnutls_cipher_is_ok(gnutls_cipher_algorithm_t algorithm); -int _gnutls_cipher_get_iv_size(gnutls_cipher_algorithm_t algorithm); -int _gnutls_cipher_get_export_flag(gnutls_cipher_algorithm_t algorithm); +int _gnutls_cipher_priority (gnutls_session_t session, + gnutls_cipher_algorithm_t algorithm); +int _gnutls_cipher_get_block_size (gnutls_cipher_algorithm_t algorithm); +int _gnutls_cipher_is_block (gnutls_cipher_algorithm_t algorithm); +int _gnutls_cipher_is_ok (gnutls_cipher_algorithm_t algorithm); +int _gnutls_cipher_get_iv_size (gnutls_cipher_algorithm_t algorithm); +int _gnutls_cipher_get_export_flag (gnutls_cipher_algorithm_t algorithm); /* Functions for key exchange. */ -int _gnutls_kx_priority(gnutls_session_t session, - gnutls_kx_algorithm_t algorithm); -int _gnutls_kx_needs_dh_params(gnutls_kx_algorithm_t algorithm); -int _gnutls_kx_needs_rsa_params(gnutls_kx_algorithm_t algorithm); -mod_auth_st *_gnutls_kx_auth_struct(gnutls_kx_algorithm_t algorithm); -int _gnutls_kx_is_ok(gnutls_kx_algorithm_t algorithm); +int _gnutls_kx_priority (gnutls_session_t session, + gnutls_kx_algorithm_t algorithm); +int _gnutls_kx_needs_dh_params (gnutls_kx_algorithm_t algorithm); +int _gnutls_kx_needs_rsa_params (gnutls_kx_algorithm_t algorithm); +mod_auth_st *_gnutls_kx_auth_struct (gnutls_kx_algorithm_t algorithm); +int _gnutls_kx_is_ok (gnutls_kx_algorithm_t algorithm); /* Functions for compression. */ -int _gnutls_compression_priority(gnutls_session_t session, - gnutls_compression_method_t algorithm); -int _gnutls_compression_is_ok(gnutls_compression_method_t algorithm); -int _gnutls_compression_get_num(gnutls_compression_method_t algorithm); -gnutls_compression_method_t _gnutls_compression_get_id(int num); -int _gnutls_compression_get_mem_level(gnutls_compression_method_t - algorithm); -int _gnutls_compression_get_comp_level(gnutls_compression_method_t - algorithm); -int _gnutls_compression_get_wbits(gnutls_compression_method_t algorithm); +int _gnutls_compression_priority (gnutls_session_t session, + gnutls_compression_method_t algorithm); +int _gnutls_compression_is_ok (gnutls_compression_method_t algorithm); +int _gnutls_compression_get_num (gnutls_compression_method_t algorithm); +gnutls_compression_method_t _gnutls_compression_get_id (int num); +int _gnutls_compression_get_mem_level (gnutls_compression_method_t algorithm); +int _gnutls_compression_get_comp_level (gnutls_compression_method_t + algorithm); +int _gnutls_compression_get_wbits (gnutls_compression_method_t algorithm); /* Type to KX mappings. */ -gnutls_kx_algorithm_t _gnutls_map_kx_get_kx(gnutls_credentials_type_t type, - int server); -gnutls_credentials_type_t _gnutls_map_kx_get_cred(gnutls_kx_algorithm_t - algorithm, int server); +gnutls_kx_algorithm_t _gnutls_map_kx_get_kx (gnutls_credentials_type_t type, + int server); +gnutls_credentials_type_t _gnutls_map_kx_get_cred (gnutls_kx_algorithm_t + algorithm, int server); /* KX to PK mapping. */ -gnutls_pk_algorithm_t _gnutls_map_pk_get_pk(gnutls_kx_algorithm_t - kx_algorithm); -gnutls_pk_algorithm_t _gnutls_x509_oid2pk_algorithm(const char *oid); -const char *_gnutls_x509_pk_to_oid(gnutls_pk_algorithm_t pk); - -enum encipher_type { CIPHER_ENCRYPT = 0, CIPHER_SIGN = 1, CIPHER_IGN }; - -enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm_t - algorithm); - -struct gnutls_kx_algo_entry { - const char *name; - gnutls_kx_algorithm_t algorithm; - mod_auth_st *auth_struct; - int needs_dh_params; - int needs_rsa_params; +gnutls_pk_algorithm_t _gnutls_map_pk_get_pk (gnutls_kx_algorithm_t + kx_algorithm); +gnutls_pk_algorithm_t _gnutls_x509_oid2pk_algorithm (const char *oid); +const char *_gnutls_x509_pk_to_oid (gnutls_pk_algorithm_t pk); + +enum encipher_type +{ CIPHER_ENCRYPT = 0, CIPHER_SIGN = 1, CIPHER_IGN }; + +enum encipher_type _gnutls_kx_encipher_type (gnutls_kx_algorithm_t algorithm); + +struct gnutls_kx_algo_entry +{ + const char *name; + gnutls_kx_algorithm_t algorithm; + mod_auth_st *auth_struct; + int needs_dh_params; + int needs_rsa_params; }; typedef struct gnutls_kx_algo_entry gnutls_kx_algo_entry; -struct gnutls_compression_entry { - const char *name; - gnutls_compression_method_t id; - int num; /* the number reserved in TLS for the specific compression method */ +struct gnutls_compression_entry +{ + const char *name; + gnutls_compression_method_t id; + int num; /* the number reserved in TLS for the specific compression method */ - /* used in zlib compressor */ - int window_bits; - int mem_level; - int comp_level; + /* used in zlib compressor */ + int window_bits; + int mem_level; + int comp_level; }; typedef struct gnutls_compression_entry gnutls_compression_entry; /* Functions for sign algorithms. */ -gnutls_sign_algorithm_t _gnutls_x509_oid2sign_algorithm(const char *oid); -gnutls_sign_algorithm_t _gnutls_x509_pk_to_sign(gnutls_pk_algorithm_t pk, - gnutls_mac_algorithm_t mac); -const char *_gnutls_x509_sign_to_oid(gnutls_pk_algorithm_t, - gnutls_mac_algorithm_t mac); +gnutls_sign_algorithm_t _gnutls_x509_oid2sign_algorithm (const char *oid); +gnutls_sign_algorithm_t _gnutls_x509_pk_to_sign (gnutls_pk_algorithm_t pk, + gnutls_mac_algorithm_t mac); +const char *_gnutls_x509_sign_to_oid (gnutls_pk_algorithm_t, + gnutls_mac_algorithm_t mac); #endif diff --git a/lib/gnutls_anon_cred.c b/lib/gnutls_anon_cred.c index 84cf5ca928..0261a7683b 100644 --- a/lib/gnutls_anon_cred.c +++ b/lib/gnutls_anon_cred.c @@ -42,11 +42,11 @@ static const int anon_dummy; * This structure is complex enough to manipulate directly thus * this helper function is provided in order to free (deallocate) it. **/ -void gnutls_anon_free_server_credentials(gnutls_anon_server_credentials_t - sc) +void +gnutls_anon_free_server_credentials (gnutls_anon_server_credentials_t sc) { - gnutls_free(sc); + gnutls_free (sc); } /*- @@ -56,27 +56,32 @@ void gnutls_anon_free_server_credentials(gnutls_anon_server_credentials_t * This function will return the dh parameters pointer. * -*/ -gnutls_dh_params_t _gnutls_anon_get_dh_params(const - gnutls_anon_server_credentials_t - sc, gnutls_session_t session) +gnutls_dh_params_t +_gnutls_anon_get_dh_params (const + gnutls_anon_server_credentials_t + sc, gnutls_session_t session) { - gnutls_params_st params; - int ret; - - if (session->internals.params.anon_dh_params) - return session->internals.params.anon_dh_params; - - if (sc->dh_params) { - session->internals.params.anon_dh_params = sc->dh_params; - } else if (sc->params_func) { - ret = sc->params_func(session, GNUTLS_PARAMS_DH, ¶ms); - if (ret == 0 && params.type == GNUTLS_PARAMS_DH) { - session->internals.params.anon_dh_params = params.params.dh; - session->internals.params.free_anon_dh_params = params.deinit; + gnutls_params_st params; + int ret; + + if (session->internals.params.anon_dh_params) + return session->internals.params.anon_dh_params; + + if (sc->dh_params) + { + session->internals.params.anon_dh_params = sc->dh_params; + } + else if (sc->params_func) + { + ret = sc->params_func (session, GNUTLS_PARAMS_DH, ¶ms); + if (ret == 0 && params.type == GNUTLS_PARAMS_DH) + { + session->internals.params.anon_dh_params = params.params.dh; + session->internals.params.free_anon_dh_params = params.deinit; } } - return session->internals.params.anon_dh_params; + return session->internals.params.anon_dh_params; } /** @@ -89,13 +94,13 @@ gnutls_dh_params_t _gnutls_anon_get_dh_params(const * Returns a negative value in case of an error. **/ int -gnutls_anon_allocate_server_credentials(gnutls_anon_server_credentials_t * - sc) +gnutls_anon_allocate_server_credentials (gnutls_anon_server_credentials_t * + sc) { - *sc = gnutls_calloc(1, sizeof(anon_server_credentials_st)); + *sc = gnutls_calloc (1, sizeof (anon_server_credentials_st)); - return 0; + return 0; } @@ -106,8 +111,8 @@ gnutls_anon_allocate_server_credentials(gnutls_anon_server_credentials_t * * This structure is complex enough to manipulate directly thus * this helper function is provided in order to free (deallocate) it. **/ -void gnutls_anon_free_client_credentials(gnutls_anon_client_credentials_t - sc) +void +gnutls_anon_free_client_credentials (gnutls_anon_client_credentials_t sc) { } @@ -121,15 +126,15 @@ void gnutls_anon_free_client_credentials(gnutls_anon_client_credentials_t * Returns a negative value in case of an error. **/ int -gnutls_anon_allocate_client_credentials(gnutls_anon_client_credentials_t * - sc) +gnutls_anon_allocate_client_credentials (gnutls_anon_client_credentials_t * + sc) { - /* anon_dummy is only there for *sc not to be null. - * it is not used at all; - */ - *sc = (void *) &anon_dummy; + /* anon_dummy is only there for *sc not to be null. + * it is not used at all; + */ + *sc = (void *) &anon_dummy; - return 0; + return 0; } #endif diff --git a/lib/gnutls_asn1_tab.c b/lib/gnutls_asn1_tab.c index 39c056c875..a3a68523bb 100644 --- a/lib/gnutls_asn1_tab.c +++ b/lib/gnutls_asn1_tab.c @@ -2,59 +2,59 @@ #include "libtasn1.h" const ASN1_ARRAY_TYPE gnutls_asn1_tab[] = { - {"GNUTLS", 536872976, 0}, - {0, 1073741836, 0}, - {"RSAPublicKey", 1610612741, 0}, - {"modulus", 1073741827, 0}, - {"publicExponent", 3, 0}, - {"RSAPrivateKey", 1610612741, 0}, - {"version", 1073741826, "Version"}, - {"modulus", 1073741827, 0}, - {"publicExponent", 1073741827, 0}, - {"privateExponent", 1073741827, 0}, - {"prime1", 1073741827, 0}, - {"prime2", 1073741827, 0}, - {"exponent1", 1073741827, 0}, - {"exponent2", 1073741827, 0}, - {"coefficient", 1073741827, 0}, - {"otherPrimeInfos", 16386, "OtherPrimeInfos"}, - {"Version", 1610874883, 0}, - {"two-prime", 1073741825, "0"}, - {"multi", 1, "1"}, - {"OtherPrimeInfos", 1612709899, 0}, - {"MAX", 1074266122, "1"}, - {0, 2, "OtherPrimeInfo"}, - {"OtherPrimeInfo", 1610612741, 0}, - {"prime", 1073741827, 0}, - {"exponent", 1073741827, 0}, - {"coefficient", 3, 0}, - {"AlgorithmIdentifier", 1610612741, 0}, - {"algorithm", 1073741836, 0}, - {"parameters", 541081613, 0}, - {"algorithm", 1, 0}, - {"DigestInfo", 1610612741, 0}, - {"digestAlgorithm", 1073741826, "DigestAlgorithmIdentifier"}, - {"digest", 2, "Digest"}, - {"DigestAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"}, - {"Digest", 1073741831, 0}, - {"DSAPublicKey", 1073741827, 0}, - {"DSAParameters", 1610612741, 0}, - {"p", 1073741827, 0}, - {"q", 1073741827, 0}, - {"g", 3, 0}, - {"DSASignatureValue", 1610612741, 0}, - {"r", 1073741827, 0}, - {"s", 3, 0}, - {"DSAPrivateKey", 1610612741, 0}, - {"version", 1073741827, 0}, - {"p", 1073741827, 0}, - {"q", 1073741827, 0}, - {"g", 1073741827, 0}, - {"Y", 1073741827, 0}, - {"priv", 3, 0}, - {"DHParameter", 536870917, 0}, - {"prime", 1073741827, 0}, - {"base", 1073741827, 0}, - {"privateValueLength", 16387, 0}, - {0, 0, 0} + {"GNUTLS", 536872976, 0}, + {0, 1073741836, 0}, + {"RSAPublicKey", 1610612741, 0}, + {"modulus", 1073741827, 0}, + {"publicExponent", 3, 0}, + {"RSAPrivateKey", 1610612741, 0}, + {"version", 1073741826, "Version"}, + {"modulus", 1073741827, 0}, + {"publicExponent", 1073741827, 0}, + {"privateExponent", 1073741827, 0}, + {"prime1", 1073741827, 0}, + {"prime2", 1073741827, 0}, + {"exponent1", 1073741827, 0}, + {"exponent2", 1073741827, 0}, + {"coefficient", 1073741827, 0}, + {"otherPrimeInfos", 16386, "OtherPrimeInfos"}, + {"Version", 1610874883, 0}, + {"two-prime", 1073741825, "0"}, + {"multi", 1, "1"}, + {"OtherPrimeInfos", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "OtherPrimeInfo"}, + {"OtherPrimeInfo", 1610612741, 0}, + {"prime", 1073741827, 0}, + {"exponent", 1073741827, 0}, + {"coefficient", 3, 0}, + {"AlgorithmIdentifier", 1610612741, 0}, + {"algorithm", 1073741836, 0}, + {"parameters", 541081613, 0}, + {"algorithm", 1, 0}, + {"DigestInfo", 1610612741, 0}, + {"digestAlgorithm", 1073741826, "DigestAlgorithmIdentifier"}, + {"digest", 2, "Digest"}, + {"DigestAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"}, + {"Digest", 1073741831, 0}, + {"DSAPublicKey", 1073741827, 0}, + {"DSAParameters", 1610612741, 0}, + {"p", 1073741827, 0}, + {"q", 1073741827, 0}, + {"g", 3, 0}, + {"DSASignatureValue", 1610612741, 0}, + {"r", 1073741827, 0}, + {"s", 3, 0}, + {"DSAPrivateKey", 1610612741, 0}, + {"version", 1073741827, 0}, + {"p", 1073741827, 0}, + {"q", 1073741827, 0}, + {"g", 1073741827, 0}, + {"Y", 1073741827, 0}, + {"priv", 3, 0}, + {"DHParameter", 536870917, 0}, + {"prime", 1073741827, 0}, + {"base", 1073741827, 0}, + {"privateValueLength", 16387, 0}, + {0, 0, 0} }; diff --git a/lib/gnutls_auth.c b/lib/gnutls_auth.c index c92e115c55..8d36be1660 100644 --- a/lib/gnutls_auth.c +++ b/lib/gnutls_auth.c @@ -43,17 +43,20 @@ * Clears all the credentials previously set in this session. * **/ -void gnutls_credentials_clear(gnutls_session_t session) +void +gnutls_credentials_clear (gnutls_session_t session) { - if (session->key && session->key->cred) { /* beginning of the list */ - auth_cred_st *ccred, *ncred; - ccred = session->key->cred; - while (ccred != NULL) { - ncred = ccred->next; - gnutls_free(ccred); - ccred = ncred; + if (session->key && session->key->cred) + { /* beginning of the list */ + auth_cred_st *ccred, *ncred; + ccred = session->key->cred; + while (ccred != NULL) + { + ncred = ccred->next; + gnutls_free (ccred); + ccred = ncred; } - session->key->cred = NULL; + session->key->cred = NULL; } } @@ -86,55 +89,64 @@ void gnutls_credentials_clear(gnutls_session_t session) * For GNUTLS_CRD_CERTIFICATE cred should be gnutls_certificate_credentials_t. * **/ -int gnutls_credentials_set(gnutls_session_t session, - gnutls_credentials_type_t type, void *cred) +int +gnutls_credentials_set (gnutls_session_t session, + gnutls_credentials_type_t type, void *cred) { - auth_cred_st *ccred = NULL, *pcred = NULL; - int exists = 0; + auth_cred_st *ccred = NULL, *pcred = NULL; + int exists = 0; - if (session->key->cred == NULL) { /* beginning of the list */ + if (session->key->cred == NULL) + { /* beginning of the list */ - session->key->cred = gnutls_malloc(sizeof(auth_cred_st)); - if (session->key->cred == NULL) - return GNUTLS_E_MEMORY_ERROR; + session->key->cred = gnutls_malloc (sizeof (auth_cred_st)); + if (session->key->cred == NULL) + return GNUTLS_E_MEMORY_ERROR; + + /* copy credentials locally */ + session->key->cred->credentials = cred; - /* copy credentials locally */ - session->key->cred->credentials = cred; - - session->key->cred->next = NULL; - session->key->cred->algorithm = type; - } else { - ccred = session->key->cred; - while (ccred != NULL) { - if (ccred->algorithm == type) { - exists = 1; - break; + session->key->cred->next = NULL; + session->key->cred->algorithm = type; + } + else + { + ccred = session->key->cred; + while (ccred != NULL) + { + if (ccred->algorithm == type) + { + exists = 1; + break; } - pcred = ccred; - ccred = ccred->next; + pcred = ccred; + ccred = ccred->next; } - /* After this, pcred is not null. - */ + /* After this, pcred is not null. + */ - if (exists == 0) { /* new entry */ - pcred->next = gnutls_malloc(sizeof(auth_cred_st)); - if (pcred->next == NULL) - return GNUTLS_E_MEMORY_ERROR; + if (exists == 0) + { /* new entry */ + pcred->next = gnutls_malloc (sizeof (auth_cred_st)); + if (pcred->next == NULL) + return GNUTLS_E_MEMORY_ERROR; - ccred = pcred->next; + ccred = pcred->next; - /* copy credentials locally */ - ccred->credentials = cred; + /* copy credentials locally */ + ccred->credentials = cred; - ccred->next = NULL; - ccred->algorithm = type; - } else { /* modify existing entry */ - gnutls_free(ccred->credentials); - ccred->credentials = cred; + ccred->next = NULL; + ccred->algorithm = type; + } + else + { /* modify existing entry */ + gnutls_free (ccred->credentials); + ccred->credentials = cred; } } - return 0; + return 0; } /** @@ -148,18 +160,18 @@ int gnutls_credentials_set(gnutls_session_t session, * Eg. for CERTIFICATE ciphersuites (key exchange algorithms: KX_RSA, KX_DHE_RSA), * the same function are to be used to access the authentication data. **/ -gnutls_credentials_type_t gnutls_auth_get_type(gnutls_session_t session) +gnutls_credentials_type_t +gnutls_auth_get_type (gnutls_session_t session) { /* This is not the credentials we must set, but the authentication data * we get by the peer, so it should be reversed. */ - int server = - session->security_parameters.entity == GNUTLS_SERVER ? 0 : 1; + int server = session->security_parameters.entity == GNUTLS_SERVER ? 0 : 1; - return - _gnutls_map_kx_get_cred(_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite), server); + return + _gnutls_map_kx_get_cred (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite), server); } /** @@ -172,12 +184,12 @@ gnutls_credentials_type_t gnutls_auth_get_type(gnutls_session_t session) * **/ gnutls_credentials_type_t -gnutls_auth_server_get_type(gnutls_session_t session) +gnutls_auth_server_get_type (gnutls_session_t session) { - return - _gnutls_map_kx_get_cred(_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite), 1); + return + _gnutls_map_kx_get_cred (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite), 1); } /** @@ -190,12 +202,12 @@ gnutls_auth_server_get_type(gnutls_session_t session) * **/ gnutls_credentials_type_t -gnutls_auth_client_get_type(gnutls_session_t session) +gnutls_auth_client_get_type (gnutls_session_t session) { - return - _gnutls_map_kx_get_cred(_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite), 0); + return + _gnutls_map_kx_get_cred (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite), 0); } @@ -203,43 +215,45 @@ gnutls_auth_client_get_type(gnutls_session_t session) * This returns a pointer to the linked list. Don't * free that!!! */ -const void *_gnutls_get_kx_cred(gnutls_session_t session, - gnutls_kx_algorithm_t algo, int *err) +const void * +_gnutls_get_kx_cred (gnutls_session_t session, + gnutls_kx_algorithm_t algo, int *err) { - int server = - session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0; + int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0; - return _gnutls_get_cred(session->key, - _gnutls_map_kx_get_cred(algo, server), err); + return _gnutls_get_cred (session->key, + _gnutls_map_kx_get_cred (algo, server), err); } -const void *_gnutls_get_cred(gnutls_key_st key, - gnutls_credentials_type_t type, int *err) +const void * +_gnutls_get_cred (gnutls_key_st key, gnutls_credentials_type_t type, int *err) { - const void *retval = NULL; - int _err = -1; - auth_cred_st *ccred; - - if (key == NULL) - goto out; - - ccred = key->cred; - while (ccred != NULL) { - if (ccred->algorithm == type) { - break; + const void *retval = NULL; + int _err = -1; + auth_cred_st *ccred; + + if (key == NULL) + goto out; + + ccred = key->cred; + while (ccred != NULL) + { + if (ccred->algorithm == type) + { + break; } - ccred = ccred->next; + ccred = ccred->next; } - if (ccred == NULL) - goto out; + if (ccred == NULL) + goto out; - _err = 0; - retval = ccred->credentials; + _err = 0; + retval = ccred->credentials; - out: - if (err != NULL) - *err = _err; - return retval; +out: + if (err != NULL) + *err = _err; + return retval; } /*- @@ -255,9 +269,10 @@ const void *_gnutls_get_cred(gnutls_key_st key, * In case of GNUTLS_CRD_CERTIFICATE returns a type of &cert_auth_info_t; * In case of GNUTLS_CRD_SRP returns a type of &srp_(server/client)_auth_info_t; -*/ -void *_gnutls_get_auth_info(gnutls_session_t session) +void * +_gnutls_get_auth_info (gnutls_session_t session) { - return session->key->auth_info; + return session->key->auth_info; } /*- @@ -268,61 +283,67 @@ void *_gnutls_get_auth_info(gnutls_session_t session) * null. It must be called since some structures contain malloced * elements. -*/ -void _gnutls_free_auth_info(gnutls_session_t session) +void +_gnutls_free_auth_info (gnutls_session_t session) { -dh_info_st *dh_info; -rsa_info_st * rsa_info; + dh_info_st *dh_info; + rsa_info_st *rsa_info; - if (session == NULL || session->key == NULL) { - gnutls_assert(); - return; + if (session == NULL || session->key == NULL) + { + gnutls_assert (); + return; } - switch (session->key->auth_info_type) { + switch (session->key->auth_info_type) + { case GNUTLS_CRD_SRP: - break; - case GNUTLS_CRD_ANON: { - anon_auth_info_t info = _gnutls_get_auth_info(session); - - if (info == NULL) - break; - - dh_info = &info->dh; - _gnutls_free_dh_info( dh_info); - } - break; - case GNUTLS_CRD_CERTIFICATE:{ - unsigned int i; - cert_auth_info_t info = _gnutls_get_auth_info(session); - - if (info == NULL) - break; - - dh_info = &info->dh; - rsa_info = &info->rsa_export; - for (i = 0; i < info->ncerts; i++) { - _gnutls_free_datum(&info->raw_certificate_list[i]); - } - - gnutls_free(info->raw_certificate_list); - info->raw_certificate_list = NULL; - info->ncerts = 0; - - _gnutls_free_dh_info( dh_info); - _gnutls_free_rsa_info( rsa_info); - } - - - break; + break; + case GNUTLS_CRD_ANON: + { + anon_auth_info_t info = _gnutls_get_auth_info (session); + + if (info == NULL) + break; + + dh_info = &info->dh; + _gnutls_free_dh_info (dh_info); + } + break; + case GNUTLS_CRD_CERTIFICATE: + { + unsigned int i; + cert_auth_info_t info = _gnutls_get_auth_info (session); + + if (info == NULL) + break; + + dh_info = &info->dh; + rsa_info = &info->rsa_export; + for (i = 0; i < info->ncerts; i++) + { + _gnutls_free_datum (&info->raw_certificate_list[i]); + } + + gnutls_free (info->raw_certificate_list); + info->raw_certificate_list = NULL; + info->ncerts = 0; + + _gnutls_free_dh_info (dh_info); + _gnutls_free_rsa_info (rsa_info); + } + + + break; default: - return; + return; } - gnutls_free(session->key->auth_info); - session->key->auth_info = NULL; - session->key->auth_info_size = 0; - session->key->auth_info_type = 0; + gnutls_free (session->key->auth_info); + session->key->auth_info = NULL; + session->key->auth_info_size = 0; + session->key->auth_info_type = 0; } @@ -331,69 +352,80 @@ rsa_info_st * rsa_info; * If allow change is !=0 then this will allow changing the auth * info structure to a different type. */ -int _gnutls_auth_info_set(gnutls_session_t session, - gnutls_credentials_type_t type, int size, - int allow_change) +int +_gnutls_auth_info_set (gnutls_session_t session, + gnutls_credentials_type_t type, int size, + int allow_change) { - if (session->key->auth_info == NULL) { - session->key->auth_info = gnutls_calloc(1, size); - if (session->key->auth_info == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (session->key->auth_info == NULL) + { + session->key->auth_info = gnutls_calloc (1, size); + if (session->key->auth_info == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - session->key->auth_info_type = type; - session->key->auth_info_size = size; - } else { - if (allow_change == 0) { - /* If the credentials for the current authentication scheme, - * are not the one we want to set, then it's an error. - * This may happen if a rehandshake is performed an the - * ciphersuite which is negotiated has different authentication - * schema. - */ - if (gnutls_auth_get_type(session) != - session->key->auth_info_type) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + session->key->auth_info_type = type; + session->key->auth_info_size = size; + } + else + { + if (allow_change == 0) + { + /* If the credentials for the current authentication scheme, + * are not the one we want to set, then it's an error. + * This may happen if a rehandshake is performed an the + * ciphersuite which is negotiated has different authentication + * schema. + */ + if (gnutls_auth_get_type (session) != session->key->auth_info_type) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - } else { - /* The new behaviour: Here we reallocate the auth info structure - * in order to be able to negotiate different authentication - * types. Ie. perform an auth_anon and then authenticate again using a - * certificate (in order to prevent revealing the certificate's contents, - * to passive eavesdropers. - */ - if (gnutls_auth_get_type(session) != - session->key->auth_info_type) { - session->key->auth_info = - gnutls_realloc_fast(session->key->auth_info, size); - if (session->key->auth_info == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + } + else + { + /* The new behaviour: Here we reallocate the auth info structure + * in order to be able to negotiate different authentication + * types. Ie. perform an auth_anon and then authenticate again using a + * certificate (in order to prevent revealing the certificate's contents, + * to passive eavesdropers. + */ + if (gnutls_auth_get_type (session) != session->key->auth_info_type) + { + session->key->auth_info = + gnutls_realloc_fast (session->key->auth_info, size); + if (session->key->auth_info == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - memset(session->key->auth_info, 0, size); - session->key->auth_info_type = type; - session->key->auth_info_size = size; + memset (session->key->auth_info, 0, size); + session->key->auth_info_type = type; + session->key->auth_info_size = size; } } } - return 0; + return 0; } /* this function will copy an mpi_t key to * opaque data. */ -int _gnutls_generate_session_key(gnutls_key_st key) +int +_gnutls_generate_session_key (gnutls_key_st key) { - size_t tmp; + size_t tmp; - _gnutls_mpi_print(NULL, &tmp, key->KEY); - key->key.data = gnutls_secure_malloc(tmp); - if (key->key.data == NULL) { - return GNUTLS_E_MEMORY_ERROR; + _gnutls_mpi_print (NULL, &tmp, key->KEY); + key->key.data = gnutls_secure_malloc (tmp); + if (key->key.data == NULL) + { + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_mpi_print(key->key.data, &tmp, key->KEY); + _gnutls_mpi_print (key->key.data, &tmp, key->KEY); - key->key.size = tmp; - return 0; + key->key.size = tmp; + return 0; } diff --git a/lib/gnutls_auth.h b/lib/gnutls_auth.h index 6d86584953..23bd7eea0e 100644 --- a/lib/gnutls_auth.h +++ b/lib/gnutls_auth.h @@ -25,28 +25,26 @@ #ifndef GNUTLS_AUTH_H # define GNUTLS_AUTH_H -typedef struct mod_auth_st_int { - const char *name; /* null terminated */ - int (*gnutls_generate_server_certificate) (gnutls_session_t, - opaque **); - int (*gnutls_generate_client_certificate) (gnutls_session_t, - opaque **); - int (*gnutls_generate_server_kx) (gnutls_session_t, opaque **); - int (*gnutls_generate_client_kx) (gnutls_session_t, opaque **); /* used in SRP */ - int (*gnutls_generate_client_cert_vrfy) (gnutls_session_t, opaque **); - int (*gnutls_generate_server_certificate_request) (gnutls_session_t, - opaque **); +typedef struct mod_auth_st_int +{ + const char *name; /* null terminated */ + int (*gnutls_generate_server_certificate) (gnutls_session_t, opaque **); + int (*gnutls_generate_client_certificate) (gnutls_session_t, opaque **); + int (*gnutls_generate_server_kx) (gnutls_session_t, opaque **); + int (*gnutls_generate_client_kx) (gnutls_session_t, opaque **); /* used in SRP */ + int (*gnutls_generate_client_cert_vrfy) (gnutls_session_t, opaque **); + int (*gnutls_generate_server_certificate_request) (gnutls_session_t, + opaque **); - int (*gnutls_process_server_certificate) (gnutls_session_t, opaque *, - size_t); - int (*gnutls_process_client_certificate) (gnutls_session_t, opaque *, - size_t); - int (*gnutls_process_server_kx) (gnutls_session_t, opaque *, size_t); - int (*gnutls_process_client_kx) (gnutls_session_t, opaque *, size_t); - int (*gnutls_process_client_cert_vrfy) (gnutls_session_t, opaque *, + int (*gnutls_process_server_certificate) (gnutls_session_t, opaque *, size_t); - int (*gnutls_process_server_certificate_request) (gnutls_session_t, - opaque *, size_t); + int (*gnutls_process_client_certificate) (gnutls_session_t, opaque *, + size_t); + int (*gnutls_process_server_kx) (gnutls_session_t, opaque *, size_t); + int (*gnutls_process_client_kx) (gnutls_session_t, opaque *, size_t); + int (*gnutls_process_client_cert_vrfy) (gnutls_session_t, opaque *, size_t); + int (*gnutls_process_server_certificate_request) (gnutls_session_t, + opaque *, size_t); } mod_auth_st; #endif diff --git a/lib/gnutls_auth_int.h b/lib/gnutls_auth_int.h index 9c6fb9ad13..acb5de4afb 100644 --- a/lib/gnutls_auth_int.h +++ b/lib/gnutls_auth_int.h @@ -22,12 +22,12 @@ * */ -const void *_gnutls_get_cred(gnutls_key_st key, - gnutls_credentials_type_t kx, int *err); -const void *_gnutls_get_kx_cred(gnutls_session_t session, - gnutls_kx_algorithm_t algo, int *err); -int _gnutls_generate_session_key(gnutls_key_st key); -void *_gnutls_get_auth_info(gnutls_session_t session); -int _gnutls_auth_info_set(gnutls_session_t session, - gnutls_credentials_type_t type, int size, - int allow_change); +const void *_gnutls_get_cred (gnutls_key_st key, + gnutls_credentials_type_t kx, int *err); +const void *_gnutls_get_kx_cred (gnutls_session_t session, + gnutls_kx_algorithm_t algo, int *err); +int _gnutls_generate_session_key (gnutls_key_st key); +void *_gnutls_get_auth_info (gnutls_session_t session); +int _gnutls_auth_info_set (gnutls_session_t session, + gnutls_credentials_type_t type, int size, + int allow_change); diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c index 2e6d79e600..a883357dfd 100644 --- a/lib/gnutls_buffers.c +++ b/lib/gnutls_buffers.c @@ -65,11 +65,12 @@ # define EAGAIN EWOULDBLOCK #endif -inline static int RET(int err) +inline static int +RET (int err) { - if (err == EAGAIN) - return GNUTLS_E_AGAIN; - return GNUTLS_E_INTERRUPTED; + if (err == EAGAIN) + return GNUTLS_E_AGAIN; + return GNUTLS_E_INTERRUPTED; } #ifdef IO_DEBUG @@ -79,59 +80,62 @@ inline static int RET(int err) /* Buffers received packets of type APPLICATION DATA and * HANDSHAKE DATA. */ -int _gnutls_record_buffer_put(content_type_t type, - gnutls_session_t session, opaque * data, - size_t length) +int +_gnutls_record_buffer_put (content_type_t type, + gnutls_session_t session, opaque * data, + size_t length) { - if (length == 0) - return 0; - switch (type) { + if (length == 0) + return 0; + switch (type) + { case GNUTLS_APPLICATION_DATA: - if (_gnutls_buffer_append - (&session->internals.application_data_buffer, data, - length) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (_gnutls_buffer_append + (&session->internals.application_data_buffer, data, length) < 0) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_buffers_log("BUF[REC]: Inserted %d bytes of Data(%d)\n", - length, type); + _gnutls_buffers_log ("BUF[REC]: Inserted %d bytes of Data(%d)\n", + length, type); - break; + break; case GNUTLS_HANDSHAKE: - if (_gnutls_buffer_append - (&session->internals.handshake_data_buffer, data, - length) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (_gnutls_buffer_append + (&session->internals.handshake_data_buffer, data, length) < 0) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_buffers_log("BUF[HSK]: Inserted %d bytes of Data(%d)\n", - length, type); + _gnutls_buffers_log ("BUF[HSK]: Inserted %d bytes of Data(%d)\n", + length, type); - break; + break; default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return 0; + return 0; } -int _gnutls_record_buffer_get_size(content_type_t type, - gnutls_session_t session) +int +_gnutls_record_buffer_get_size (content_type_t type, gnutls_session_t session) { - switch (type) { + switch (type) + { case GNUTLS_APPLICATION_DATA: - return session->internals.application_data_buffer.length; + return session->internals.application_data_buffer.length; case GNUTLS_HANDSHAKE: - return session->internals.handshake_data_buffer.length; + return session->internals.handshake_data_buffer.length; default: - return GNUTLS_E_INVALID_REQUEST; + return GNUTLS_E_INVALID_REQUEST; } } @@ -146,71 +150,74 @@ int _gnutls_record_buffer_get_size(content_type_t type, * (gnutls leaves some data in the tcp buffer in order for select * to work). **/ -size_t gnutls_record_check_pending(gnutls_session_t session) +size_t +gnutls_record_check_pending (gnutls_session_t session) { - return _gnutls_record_buffer_get_size(GNUTLS_APPLICATION_DATA, - session); + return _gnutls_record_buffer_get_size (GNUTLS_APPLICATION_DATA, session); } -int _gnutls_record_buffer_get(content_type_t type, - gnutls_session_t session, opaque * data, - size_t length) +int +_gnutls_record_buffer_get (content_type_t type, + gnutls_session_t session, opaque * data, + size_t length) { - if (length == 0 || data == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (length == 0 || data == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - switch (type) { + switch (type) + { case GNUTLS_APPLICATION_DATA: - if (length > session->internals.application_data_buffer.length) { - length = session->internals.application_data_buffer.length; + if (length > session->internals.application_data_buffer.length) + { + length = session->internals.application_data_buffer.length; } - _gnutls_buffers_log("BUFFER[REC][AD]: Read %d bytes of Data(%d)\n", - length, type); + _gnutls_buffers_log ("BUFFER[REC][AD]: Read %d bytes of Data(%d)\n", + length, type); - session->internals.application_data_buffer.length -= length; - memcpy(data, session->internals.application_data_buffer.data, - length); + session->internals.application_data_buffer.length -= length; + memcpy (data, session->internals.application_data_buffer.data, length); - /* overwrite buffer */ - memmove(session->internals.application_data_buffer.data, - &session->internals.application_data_buffer.data[length], - session->internals.application_data_buffer.length); + /* overwrite buffer */ + memmove (session->internals.application_data_buffer.data, + &session->internals.application_data_buffer.data[length], + session->internals.application_data_buffer.length); - /* we do no longer realloc the application_data_buffer.data, - * since it serves no practical reason. It also decreases - * performance. - */ - break; + /* we do no longer realloc the application_data_buffer.data, + * since it serves no practical reason. It also decreases + * performance. + */ + break; case GNUTLS_HANDSHAKE: - if (length > session->internals.handshake_data_buffer.length) { - length = session->internals.handshake_data_buffer.length; + if (length > session->internals.handshake_data_buffer.length) + { + length = session->internals.handshake_data_buffer.length; } - _gnutls_buffers_log("BUF[REC][HD]: Read %d bytes of Data(%d)\n", - length, type); + _gnutls_buffers_log ("BUF[REC][HD]: Read %d bytes of Data(%d)\n", + length, type); - session->internals.handshake_data_buffer.length -= length; - memcpy(data, session->internals.handshake_data_buffer.data, - length); + session->internals.handshake_data_buffer.length -= length; + memcpy (data, session->internals.handshake_data_buffer.data, length); - /* overwrite buffer */ - memmove(session->internals.handshake_data_buffer.data, - &session->internals.handshake_data_buffer.data[length], - session->internals.handshake_data_buffer.length); + /* overwrite buffer */ + memmove (session->internals.handshake_data_buffer.data, + &session->internals.handshake_data_buffer.data[length], + session->internals.handshake_data_buffer.length); - break; + break; default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return length; + return length; } @@ -219,85 +226,98 @@ int _gnutls_record_buffer_get(content_type_t type, * * Flags are only used if the default recv() function is being used. */ -static ssize_t _gnutls_read(gnutls_session_t session, void *iptr, - size_t sizeOfPtr, int flags) +static ssize_t +_gnutls_read (gnutls_session_t session, void *iptr, + size_t sizeOfPtr, int flags) { - size_t left; - ssize_t i = 0; - char *ptr = iptr; - uint j, x, sum = 0; - gnutls_transport_ptr_t fd = session->internals.transport_recv_ptr; - - session->internals.direction = 0; - - left = sizeOfPtr; - while (left > 0) { - - if (session->internals._gnutls_pull_func == NULL) - i = recv((int) fd, &ptr[sizeOfPtr - left], left, flags); - else - i = session->internals._gnutls_pull_func(fd, - &ptr[sizeOfPtr - - left], left); - - if (i < 0) { - _gnutls_read_log("READ: %d returned from %d, errno=%d\n", i, - fd, errno); - - if (errno == EAGAIN || errno == EINTR) { - if (sizeOfPtr - left > 0) { - - _gnutls_read_log("READ: returning %d bytes from %d\n", - sizeOfPtr - left, fd); - - goto finish; + size_t left; + ssize_t i = 0; + char *ptr = iptr; + uint j, x, sum = 0; + gnutls_transport_ptr_t fd = session->internals.transport_recv_ptr; + + session->internals.direction = 0; + + left = sizeOfPtr; + while (left > 0) + { + + if (session->internals._gnutls_pull_func == NULL) + i = recv ((int) fd, &ptr[sizeOfPtr - left], left, flags); + else + i = session->internals._gnutls_pull_func (fd, + &ptr[sizeOfPtr - + left], left); + + if (i < 0) + { + _gnutls_read_log ("READ: %d returned from %d, errno=%d\n", i, + fd, errno); + + if (errno == EAGAIN || errno == EINTR) + { + if (sizeOfPtr - left > 0) + { + + _gnutls_read_log ("READ: returning %d bytes from %d\n", + sizeOfPtr - left, fd); + + goto finish; } - gnutls_assert(); + gnutls_assert (); - return RET(errno); - } else { - gnutls_assert(); - return GNUTLS_E_PULL_ERROR; + return RET (errno); + } + else + { + gnutls_assert (); + return GNUTLS_E_PULL_ERROR; } - } else { + } + else + { - _gnutls_read_log("READ: Got %d bytes from %d\n", i, fd); + _gnutls_read_log ("READ: Got %d bytes from %d\n", i, fd); - if (i == 0) - break; /* EOF */ + if (i == 0) + break; /* EOF */ } - left -= i; + left -= i; } - finish: +finish: - if (_gnutls_log_level >= 7) { - char line[128]; - char tmp[16]; + if (_gnutls_log_level >= 7) + { + char line[128]; + char tmp[16]; - _gnutls_read_log("READ: read %d bytes from %d\n", - (sizeOfPtr - left), fd); + _gnutls_read_log ("READ: read %d bytes from %d\n", + (sizeOfPtr - left), fd); - for (x = 0; x < ((sizeOfPtr - left) / 16) + 1; x++) { - line[0] = 0; + for (x = 0; x < ((sizeOfPtr - left) / 16) + 1; x++) + { + line[0] = 0; - sprintf(tmp, "%.4x - ", x); - _gnutls_str_cat(line, sizeof(line), tmp); + sprintf (tmp, "%.4x - ", x); + _gnutls_str_cat (line, sizeof (line), tmp); - for (j = 0; j < 16; j++) { - if (sum < (sizeOfPtr - left)) { - sprintf(tmp, "%.2x ", ((unsigned char *) ptr)[sum++]); - _gnutls_str_cat(line, sizeof(line), tmp); + for (j = 0; j < 16; j++) + { + if (sum < (sizeOfPtr - left)) + { + sprintf (tmp, "%.2x ", ((unsigned char *) ptr)[sum++]); + _gnutls_str_cat (line, sizeof (line), tmp); } } - _gnutls_read_log("%s\n", line); + _gnutls_read_log ("%s\n", line); } } - return (sizeOfPtr - left); + return (sizeOfPtr - left); } @@ -306,45 +326,51 @@ static ssize_t _gnutls_read(gnutls_session_t session, void *iptr, /* This function is only used with berkeley style sockets. * Clears the peeked data (read with MSG_PEEK). */ -int _gnutls_io_clear_peeked_data(gnutls_session_t session) +int +_gnutls_io_clear_peeked_data (gnutls_session_t session) { - char *peekdata; - int ret, sum; + char *peekdata; + int ret, sum; - if (session->internals.have_peeked_data == 0 || RCVLOWAT == 0) - return 0; + if (session->internals.have_peeked_data == 0 || RCVLOWAT == 0) + return 0; - peekdata = gnutls_alloca(RCVLOWAT); - if (peekdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + peekdata = gnutls_alloca (RCVLOWAT); + if (peekdata == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - /* this was already read by using MSG_PEEK - so it shouldn't fail */ - sum = 0; - do { /* we need this to finish now */ - ret = _gnutls_read(session, peekdata, RCVLOWAT - sum, 0); - if (ret > 0) - sum += ret; - } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN - || sum < RCVLOWAT); + /* this was already read by using MSG_PEEK - so it shouldn't fail */ + sum = 0; + do + { /* we need this to finish now */ + ret = _gnutls_read (session, peekdata, RCVLOWAT - sum, 0); + if (ret > 0) + sum += ret; + } + while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN + || sum < RCVLOWAT); - gnutls_afree(peekdata); + gnutls_afree (peekdata); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - session->internals.have_peeked_data = 0; + session->internals.have_peeked_data = 0; - return 0; + return 0; } -void _gnutls_io_clear_read_buffer(gnutls_session_t session) +void +_gnutls_io_clear_read_buffer (gnutls_session_t session) { - session->internals.record_recv_buffer.length = 0; + session->internals.record_recv_buffer.length = 0; } /* This function is like recv(with MSG_PEEK). But it does not return -1 on error. @@ -356,162 +382,179 @@ void _gnutls_io_clear_read_buffer(gnutls_session_t session) * which are stored in a local (in the session) buffer. A pointer (iptr) to this buffer is returned. * */ -ssize_t _gnutls_io_read_buffered(gnutls_session_t session, opaque ** iptr, - size_t sizeOfPtr, - content_type_t recv_type) +ssize_t +_gnutls_io_read_buffered (gnutls_session_t session, opaque ** iptr, + size_t sizeOfPtr, content_type_t recv_type) { - ssize_t ret = 0, ret2 = 0; - size_t min; - int buf_pos; - opaque *buf; - int recvlowat; - int recvdata, alloc_size; - - *iptr = session->internals.record_recv_buffer.data; - - if (sizeOfPtr > MAX_RECV_SIZE || sizeOfPtr == 0) { - gnutls_assert(); /* internal error */ - return GNUTLS_E_INVALID_REQUEST; + ssize_t ret = 0, ret2 = 0; + size_t min; + int buf_pos; + opaque *buf; + int recvlowat; + int recvdata, alloc_size; + + *iptr = session->internals.record_recv_buffer.data; + + if (sizeOfPtr > MAX_RECV_SIZE || sizeOfPtr == 0) + { + gnutls_assert (); /* internal error */ + return GNUTLS_E_INVALID_REQUEST; } - /* If an external pull function is used, then do not leave - * any data into the kernel buffer. - */ - if (session->internals._gnutls_pull_func != NULL) { + /* If an external pull function is used, then do not leave + * any data into the kernel buffer. + */ + if (session->internals._gnutls_pull_func != NULL) + { + recvlowat = 0; + } + else + { + /* leave peeked data to the kernel space only if application data + * is received and we don't have any peeked + * data in gnutls session. + */ + if (recv_type != GNUTLS_APPLICATION_DATA + && session->internals.have_peeked_data == 0) recvlowat = 0; - } else { - /* leave peeked data to the kernel space only if application data - * is received and we don't have any peeked - * data in gnutls session. - */ - if (recv_type != GNUTLS_APPLICATION_DATA - && session->internals.have_peeked_data == 0) - recvlowat = 0; - else - recvlowat = RCVLOWAT; + else + recvlowat = RCVLOWAT; } - /* calculate the actual size, ie. get the minimum of the - * buffered data and the requested data. - */ - min = MIN(session->internals.record_recv_buffer.length, sizeOfPtr); - if (min > 0) { - /* if we have enough buffered data - * then just return them. - */ - if (min == sizeOfPtr) { - return min; + /* calculate the actual size, ie. get the minimum of the + * buffered data and the requested data. + */ + min = MIN (session->internals.record_recv_buffer.length, sizeOfPtr); + if (min > 0) + { + /* if we have enough buffered data + * then just return them. + */ + if (min == sizeOfPtr) + { + return min; } } - /* min is over zero. recvdata is the data we must - * receive in order to return the requested data. - */ - recvdata = sizeOfPtr - min; - - /* Check if the previously read data plus the new data to - * receive are longer than the maximum receive buffer size. - */ - if ((session->internals.record_recv_buffer.length + recvdata) > - MAX_RECV_SIZE) { - gnutls_assert(); /* internal error */ - return GNUTLS_E_INVALID_REQUEST; + /* min is over zero. recvdata is the data we must + * receive in order to return the requested data. + */ + recvdata = sizeOfPtr - min; + + /* Check if the previously read data plus the new data to + * receive are longer than the maximum receive buffer size. + */ + if ((session->internals.record_recv_buffer.length + recvdata) > + MAX_RECV_SIZE) + { + gnutls_assert (); /* internal error */ + return GNUTLS_E_INVALID_REQUEST; } - /* Allocate the data required to store the new packet. - */ - alloc_size = recvdata + session->internals.record_recv_buffer.length; - session->internals.record_recv_buffer.data = - gnutls_realloc_fast(session->internals.record_recv_buffer.data, - alloc_size); - if (session->internals.record_recv_buffer.data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* Allocate the data required to store the new packet. + */ + alloc_size = recvdata + session->internals.record_recv_buffer.length; + session->internals.record_recv_buffer.data = + gnutls_realloc_fast (session->internals.record_recv_buffer.data, + alloc_size); + if (session->internals.record_recv_buffer.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - buf_pos = session->internals.record_recv_buffer.length; - buf = session->internals.record_recv_buffer.data; - *iptr = buf; - - /* READ DATA - but leave RCVLOWAT bytes in the kernel buffer. - */ - if (recvdata - recvlowat > 0) { - ret = - _gnutls_read(session, &buf[buf_pos], recvdata - recvlowat, 0); - - /* return immediately if we got an interrupt or eagain - * error. - */ - if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { - return ret; + buf_pos = session->internals.record_recv_buffer.length; + buf = session->internals.record_recv_buffer.data; + *iptr = buf; + + /* READ DATA - but leave RCVLOWAT bytes in the kernel buffer. + */ + if (recvdata - recvlowat > 0) + { + ret = _gnutls_read (session, &buf[buf_pos], recvdata - recvlowat, 0); + + /* return immediately if we got an interrupt or eagain + * error. + */ + if (ret < 0 && gnutls_error_is_fatal (ret) == 0) + { + return ret; } } - /* copy fresh data to our buffer. - */ - if (ret > 0) { - _gnutls_read_log - ("RB: Have %d bytes into buffer. Adding %d bytes.\n", - session->internals.record_recv_buffer.length, ret); - _gnutls_read_log("RB: Requested %d bytes\n", sizeOfPtr); - session->internals.record_recv_buffer.length += ret; + /* copy fresh data to our buffer. + */ + if (ret > 0) + { + _gnutls_read_log + ("RB: Have %d bytes into buffer. Adding %d bytes.\n", + session->internals.record_recv_buffer.length, ret); + _gnutls_read_log ("RB: Requested %d bytes\n", sizeOfPtr); + session->internals.record_recv_buffer.length += ret; } - buf_pos = session->internals.record_recv_buffer.length; + buf_pos = session->internals.record_recv_buffer.length; - /* This is hack in order for select to work. Just leave recvlowat data, - * into the kernel buffer (using a read with MSG_PEEK), thus making - * select think, that the socket is ready for reading. - * MSG_PEEK is only used with berkeley style sockets. - */ - if (ret == (recvdata - recvlowat) && recvlowat > 0) { - ret2 = _gnutls_read(session, &buf[buf_pos], recvlowat, MSG_PEEK); + /* This is hack in order for select to work. Just leave recvlowat data, + * into the kernel buffer (using a read with MSG_PEEK), thus making + * select think, that the socket is ready for reading. + * MSG_PEEK is only used with berkeley style sockets. + */ + if (ret == (recvdata - recvlowat) && recvlowat > 0) + { + ret2 = _gnutls_read (session, &buf[buf_pos], recvlowat, MSG_PEEK); - if (ret2 < 0 && gnutls_error_is_fatal(ret2) == 0) { - return ret2; + if (ret2 < 0 && gnutls_error_is_fatal (ret2) == 0) + { + return ret2; } - if (ret2 > 0) { - _gnutls_read_log("RB-PEEK: Read %d bytes in PEEK MODE.\n", - ret2); - _gnutls_read_log - ("RB-PEEK: Have %d bytes into buffer. Adding %d bytes.\nRB: Requested %d bytes\n", - session->internals.record_recv_buffer.length, ret2, - sizeOfPtr); - session->internals.have_peeked_data = 1; - session->internals.record_recv_buffer.length += ret2; + if (ret2 > 0) + { + _gnutls_read_log ("RB-PEEK: Read %d bytes in PEEK MODE.\n", ret2); + _gnutls_read_log + ("RB-PEEK: Have %d bytes into buffer. Adding %d bytes.\nRB: Requested %d bytes\n", + session->internals.record_recv_buffer.length, ret2, sizeOfPtr); + session->internals.have_peeked_data = 1; + session->internals.record_recv_buffer.length += ret2; } } - if (ret < 0 || ret2 < 0) { - gnutls_assert(); - /* that's because they are initialized to 0 */ - return MIN(ret, ret2); + if (ret < 0 || ret2 < 0) + { + gnutls_assert (); + /* that's because they are initialized to 0 */ + return MIN (ret, ret2); } - ret += ret2; + ret += ret2; - if (ret > 0 && ret < recvlowat) { - gnutls_assert(); - return GNUTLS_E_AGAIN; + if (ret > 0 && ret < recvlowat) + { + gnutls_assert (); + return GNUTLS_E_AGAIN; } - if (ret == 0) { /* EOF */ - gnutls_assert(); - return 0; + if (ret == 0) + { /* EOF */ + gnutls_assert (); + return 0; } - ret = session->internals.record_recv_buffer.length; + ret = session->internals.record_recv_buffer.length; - if ((ret > 0) && ((size_t) ret < sizeOfPtr)) { - /* Short Read */ - gnutls_assert(); - return GNUTLS_E_AGAIN; - } else { - return ret; + if ((ret > 0) && ((size_t) ret < sizeOfPtr)) + { + /* Short Read */ + gnutls_assert (); + return GNUTLS_E_AGAIN; + } + else + { + return ret; } } @@ -523,50 +566,53 @@ ssize_t _gnutls_io_read_buffered(gnutls_session_t session, opaque ** iptr, #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y)) -inline - static int _gnutls_buffer_insert(gnutls_buffer * buffer, - const opaque * _data, - size_t data_size) +inline static int +_gnutls_buffer_insert (gnutls_buffer * buffer, + const opaque * _data, size_t data_size) { - if ((MEMSUB(_data, buffer->data) >= 0) - && (MEMSUB(_data, buffer->data) < (ssize_t) buffer->length)) { - /* the given _data is part of the buffer. - */ - if (data_size > buffer->length) { - gnutls_assert(); - /* this shouldn't have happened */ - return GNUTLS_E_INTERNAL_ERROR; + if ((MEMSUB (_data, buffer->data) >= 0) + && (MEMSUB (_data, buffer->data) < (ssize_t) buffer->length)) + { + /* the given _data is part of the buffer. + */ + if (data_size > buffer->length) + { + gnutls_assert (); + /* this shouldn't have happened */ + return GNUTLS_E_INTERNAL_ERROR; } - if (_data == buffer->data) { /* then don't even memmove */ - buffer->length = data_size; - return 0; + if (_data == buffer->data) + { /* then don't even memmove */ + buffer->length = data_size; + return 0; } - memmove(buffer->data, _data, data_size); - buffer->length = data_size; + memmove (buffer->data, _data, data_size); + buffer->length = data_size; - return 0; + return 0; } - if (_gnutls_buffer_append(buffer, _data, data_size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (_gnutls_buffer_append (buffer, _data, data_size) < 0) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - return 0; + return 0; } -inline - static int _gnutls_buffer_get(gnutls_buffer * buffer, - const opaque ** ptr, size_t * ptr_size) +inline static int +_gnutls_buffer_get (gnutls_buffer * buffer, + const opaque ** ptr, size_t * ptr_size) { - *ptr_size = buffer->length; - *ptr = buffer->data; + *ptr_size = buffer->length; + *ptr = buffer->data; - return 0; + return 0; } @@ -581,154 +627,170 @@ inline * to decrypt and verify the integrity. * */ -ssize_t _gnutls_io_write_buffered(gnutls_session_t session, - const void *iptr, size_t n) +ssize_t +_gnutls_io_write_buffered (gnutls_session_t session, + const void *iptr, size_t n) { - size_t left; - uint j, x, sum = 0; - ssize_t retval, i; - const opaque *ptr; - int ret; - gnutls_transport_ptr_t fd = session->internals.transport_send_ptr; - - /* to know where the procedure was interrupted. - */ - session->internals.direction = 1; - - ptr = iptr; - - /* In case the previous write was interrupted, check if the - * iptr != NULL and we have data in the buffer. - * If this is true then return an error. - */ - if (session->internals.record_send_buffer.length > 0 && iptr != NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + size_t left; + uint j, x, sum = 0; + ssize_t retval, i; + const opaque *ptr; + int ret; + gnutls_transport_ptr_t fd = session->internals.transport_send_ptr; + + /* to know where the procedure was interrupted. + */ + session->internals.direction = 1; + + ptr = iptr; + + /* In case the previous write was interrupted, check if the + * iptr != NULL and we have data in the buffer. + * If this is true then return an error. + */ + if (session->internals.record_send_buffer.length > 0 && iptr != NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* If data in the buffer exist - */ - if (iptr == NULL) { - /* checking is handled above */ - ret = - _gnutls_buffer_get(&session->internals.record_send_buffer, - &ptr, &n); - if (ret < 0) { - gnutls_assert(); - return ret; + /* If data in the buffer exist + */ + if (iptr == NULL) + { + /* checking is handled above */ + ret = + _gnutls_buffer_get (&session->internals.record_send_buffer, &ptr, &n); + if (ret < 0) + { + gnutls_assert (); + return ret; } - _gnutls_write_log - ("WRITE: Restoring old write. (%d bytes to send)\n", n); + _gnutls_write_log + ("WRITE: Restoring old write. (%d bytes to send)\n", n); } - _gnutls_write_log("WRITE: Will write %d bytes to %d.\n", n, fd); - - i = 0; - left = n; - while (left > 0) { - - if (session->internals._gnutls_push_func == NULL) - i = send((int) fd, &ptr[n - left], left, 0); - else - i = session->internals._gnutls_push_func(fd, &ptr[n - left], - left); - - if (i == -1) { - if (errno == EAGAIN || errno == EINTR) { - session->internals.record_send_buffer_prev_size += - n - left; - - retval = - _gnutls_buffer_insert(&session->internals. - record_send_buffer, - &ptr[n - left], left); - if (retval < 0) { - gnutls_assert(); - return retval; + _gnutls_write_log ("WRITE: Will write %d bytes to %d.\n", n, fd); + + i = 0; + left = n; + while (left > 0) + { + + if (session->internals._gnutls_push_func == NULL) + i = send ((int) fd, &ptr[n - left], left, 0); + else + i = session->internals._gnutls_push_func (fd, &ptr[n - left], left); + + if (i == -1) + { + if (errno == EAGAIN || errno == EINTR) + { + session->internals.record_send_buffer_prev_size += n - left; + + retval = + _gnutls_buffer_insert (&session->internals. + record_send_buffer, + &ptr[n - left], left); + if (retval < 0) + { + gnutls_assert (); + return retval; } - _gnutls_write_log - ("WRITE: Interrupted. Stored %d bytes to buffer. Already sent %d bytes.\n", - left, n - left); + _gnutls_write_log + ("WRITE: Interrupted. Stored %d bytes to buffer. Already sent %d bytes.\n", + left, n - left); - retval = RET(errno); + retval = RET (errno); - return retval; - } else { - gnutls_assert(); - return GNUTLS_E_PUSH_ERROR; + return retval; + } + else + { + gnutls_assert (); + return GNUTLS_E_PUSH_ERROR; } } - left -= i; + left -= i; - if (_gnutls_log_level >= 7) { - char line[128]; - char tmp[16]; + if (_gnutls_log_level >= 7) + { + char line[128]; + char tmp[16]; - _gnutls_write_log - ("WRITE: wrote %d bytes to %d. Left %d bytes. Total %d bytes.\n", - i, fd, left, n); - for (x = 0; x < (uint) ((i) / 16) + 1; x++) { - line[0] = 0; + _gnutls_write_log + ("WRITE: wrote %d bytes to %d. Left %d bytes. Total %d bytes.\n", + i, fd, left, n); + for (x = 0; x < (uint) ((i) / 16) + 1; x++) + { + line[0] = 0; - if (sum > n - left) - break; - - sprintf(tmp, "%.4x - ", x); - _gnutls_str_cat(line, sizeof(line), tmp); + if (sum > n - left) + break; - for (j = 0; j < 16; j++) { - if (sum < n - left) { - sprintf(tmp, "%.2x ", - ((unsigned char *) ptr)[sum++]); - _gnutls_str_cat(line, sizeof(line), tmp); - } else - break; + sprintf (tmp, "%.4x - ", x); + _gnutls_str_cat (line, sizeof (line), tmp); + + for (j = 0; j < 16; j++) + { + if (sum < n - left) + { + sprintf (tmp, "%.2x ", ((unsigned char *) ptr)[sum++]); + _gnutls_str_cat (line, sizeof (line), tmp); + } + else + break; } - _gnutls_write_log("%s\n", line); + _gnutls_write_log ("%s\n", line); } } } - retval = n + session->internals.record_send_buffer_prev_size; + retval = n + session->internals.record_send_buffer_prev_size; - session->internals.record_send_buffer.length = 0; - session->internals.record_send_buffer_prev_size = 0; + session->internals.record_send_buffer.length = 0; + session->internals.record_send_buffer_prev_size = 0; - return retval; + return retval; } /* This is exactly like write_buffered, but will use two buffers to read * from. */ -ssize_t _gnutls_io_write_buffered2(gnutls_session_t session, - const void *iptr, size_t n, - const void *iptr2, size_t n2) +ssize_t +_gnutls_io_write_buffered2 (gnutls_session_t session, + const void *iptr, size_t n, + const void *iptr2, size_t n2) { - if (n == 0) { - return _gnutls_io_write_buffered(session, iptr2, n2); - } else { - opaque *sptr; - ssize_t ret; - - sptr = gnutls_alloca(n + n2); - if (sptr == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (n == 0) + { + return _gnutls_io_write_buffered (session, iptr2, n2); + } + else + { + opaque *sptr; + ssize_t ret; + + sptr = gnutls_alloca (n + n2); + if (sptr == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - memcpy(sptr, iptr, n); - memcpy(&sptr[n], iptr2, n2); + memcpy (sptr, iptr, n); + memcpy (&sptr[n], iptr2, n2); - ret = _gnutls_io_write_buffered(session, sptr, n + n2); - gnutls_afree(sptr); + ret = _gnutls_io_write_buffered (session, sptr, n + n2); + gnutls_afree (sptr); - return ret; + return ret; } } @@ -737,344 +799,384 @@ ssize_t _gnutls_io_write_buffered2(gnutls_session_t session, * TLS write buffer (ie. because the previous write was * interrupted. */ -ssize_t _gnutls_io_write_flush(gnutls_session_t session) +ssize_t +_gnutls_io_write_flush (gnutls_session_t session) { - ssize_t ret; + ssize_t ret; - if (session->internals.record_send_buffer.length == 0) - return 0; /* done */ + if (session->internals.record_send_buffer.length == 0) + return 0; /* done */ - ret = _gnutls_io_write_buffered(session, NULL, 0); - _gnutls_write_log("WRITE FLUSH: %d [buffer: %d]\n", ret, - session->internals.record_send_buffer.length); + ret = _gnutls_io_write_buffered (session, NULL, 0); + _gnutls_write_log ("WRITE FLUSH: %d [buffer: %d]\n", ret, + session->internals.record_send_buffer.length); - return ret; + return ret; } /* This function writes the data that are left in the * Handshake write buffer (ie. because the previous write was * interrupted. */ -ssize_t _gnutls_handshake_io_write_flush(gnutls_session_t session) +ssize_t +_gnutls_handshake_io_write_flush (gnutls_session_t session) { - ssize_t ret; - ret = _gnutls_handshake_io_send_int(session, 0, 0, NULL, 0); - if (ret < 0) { - gnutls_assert(); - return ret; + ssize_t ret; + ret = _gnutls_handshake_io_send_int (session, 0, 0, NULL, 0); + if (ret < 0) + { + gnutls_assert (); + return ret; } - _gnutls_write_log("HANDSHAKE_FLUSH: written[1] %d bytes\n", ret); + _gnutls_write_log ("HANDSHAKE_FLUSH: written[1] %d bytes\n", ret); - if (session->internals.handshake_send_buffer.length == 0) { - ret = session->internals.handshake_send_buffer_prev_size; /* done */ - session->internals.handshake_send_buffer_prev_size = 0; + if (session->internals.handshake_send_buffer.length == 0) + { + ret = session->internals.handshake_send_buffer_prev_size; /* done */ + session->internals.handshake_send_buffer_prev_size = 0; } - return ret; + return ret; } /* This is a send function for the gnutls handshake * protocol. Just makes sure that all data have been sent. */ -ssize_t _gnutls_handshake_io_send_int(gnutls_session_t session, - content_type_t type, - gnutls_handshake_description_t htype, - const void *iptr, size_t n) +ssize_t +_gnutls_handshake_io_send_int (gnutls_session_t session, + content_type_t type, + gnutls_handshake_description_t htype, + const void *iptr, size_t n) { - size_t left; - ssize_t ret = 0; - const opaque *ptr; - ssize_t retval = 0; - - ptr = iptr; - - if (session->internals.handshake_send_buffer.length > 0 && ptr == NULL - && n == 0) { - /* resuming previously interrupted write - */ - gnutls_assert(); - ret = - _gnutls_buffer_get(&session->internals.handshake_send_buffer, - &ptr, &n); - if (ret < 0) { - gnutls_assert(); - return retval; + size_t left; + ssize_t ret = 0; + const opaque *ptr; + ssize_t retval = 0; + + ptr = iptr; + + if (session->internals.handshake_send_buffer.length > 0 && ptr == NULL + && n == 0) + { + /* resuming previously interrupted write + */ + gnutls_assert (); + ret = + _gnutls_buffer_get (&session->internals.handshake_send_buffer, + &ptr, &n); + if (ret < 0) + { + gnutls_assert (); + return retval; } - type = session->internals.handshake_send_buffer_type; - htype = session->internals.handshake_send_buffer_htype; + type = session->internals.handshake_send_buffer_type; + htype = session->internals.handshake_send_buffer_htype; - } else if (session->internals.handshake_send_buffer.length > 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + } + else if (session->internals.handshake_send_buffer.length > 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } #ifdef WRITE_DEBUG - else { - size_t sum = 0, x, j; - - _gnutls_write_log("HWRITE: will write %d bytes to %d.\n", n, - gnutls_transport_get_ptr(session)); - for (x = 0; x < ((n) / 16) + 1; x++) { - if (sum > n) + else + { + size_t sum = 0, x, j; + + _gnutls_write_log ("HWRITE: will write %d bytes to %d.\n", n, + gnutls_transport_get_ptr (session)); + for (x = 0; x < ((n) / 16) + 1; x++) + { + if (sum > n) + break; + + _gnutls_write_log ("%.4x - ", x); + for (j = 0; j < 16; j++) + { + if (sum < n) + { + _gnutls_write_log ("%.2x ", ((unsigned char *) ptr)[sum++]); + } + else break; - - _gnutls_write_log("%.4x - ", x); - for (j = 0; j < 16; j++) { - if (sum < n) { - _gnutls_write_log("%.2x ", - ((unsigned char *) ptr)[sum++]); - } else - break; } - _gnutls_write_log("\n"); + _gnutls_write_log ("\n"); } - _gnutls_write_log("\n"); + _gnutls_write_log ("\n"); } #endif - if (n == 0) { /* if we have no data to send */ - gnutls_assert(); - return 0; - } else if (ptr == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (n == 0) + { /* if we have no data to send */ + gnutls_assert (); + return 0; + } + else if (ptr == NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - left = n; - while (left > 0) { - ret = _gnutls_send_int(session, type, htype, &ptr[n - left], left); + left = n; + while (left > 0) + { + ret = _gnutls_send_int (session, type, htype, &ptr[n - left], left); - if (ret <= 0) { - if (ret == 0) { - gnutls_assert(); - ret = GNUTLS_E_INTERNAL_ERROR; + if (ret <= 0) + { + if (ret == 0) + { + gnutls_assert (); + ret = GNUTLS_E_INTERNAL_ERROR; } - if (left > 0 - && (ret == GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN)) { - gnutls_assert(); - - retval = - _gnutls_buffer_insert(&session->internals. - handshake_send_buffer, - &ptr[n - left], left); - if (retval < 0) { - gnutls_assert(); - return retval; + if (left > 0 + && (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN)) + { + gnutls_assert (); + + retval = + _gnutls_buffer_insert (&session->internals. + handshake_send_buffer, + &ptr[n - left], left); + if (retval < 0) + { + gnutls_assert (); + return retval; } - session->internals.handshake_send_buffer_prev_size += - n - left; + session->internals.handshake_send_buffer_prev_size += n - left; - session->internals.handshake_send_buffer_type = type; - session->internals.handshake_send_buffer_htype = htype; + session->internals.handshake_send_buffer_type = type; + session->internals.handshake_send_buffer_htype = htype; - } else { - session->internals.handshake_send_buffer_prev_size = 0; - session->internals.handshake_send_buffer.length = 0; + } + else + { + session->internals.handshake_send_buffer_prev_size = 0; + session->internals.handshake_send_buffer.length = 0; } - gnutls_assert(); - return ret; + gnutls_assert (); + return ret; } - left -= ret; + left -= ret; } - retval = n + session->internals.handshake_send_buffer_prev_size; + retval = n + session->internals.handshake_send_buffer_prev_size; - session->internals.handshake_send_buffer.length = 0; - session->internals.handshake_send_buffer_prev_size = 0; + session->internals.handshake_send_buffer.length = 0; + session->internals.handshake_send_buffer_prev_size = 0; - return retval; + return retval; } /* This is a receive function for the gnutls handshake * protocol. Makes sure that we have received all data. */ -ssize_t _gnutls_handshake_io_recv_int(gnutls_session_t session, - content_type_t type, - gnutls_handshake_description_t htype, void *iptr, - size_t sizeOfPtr) +ssize_t +_gnutls_handshake_io_recv_int (gnutls_session_t session, + content_type_t type, + gnutls_handshake_description_t htype, + void *iptr, size_t sizeOfPtr) { - size_t left; - ssize_t i; - opaque *ptr; - size_t dsize; - - ptr = iptr; - left = sizeOfPtr; - - if (sizeOfPtr == 0 || iptr == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + size_t left; + ssize_t i; + opaque *ptr; + size_t dsize; + + ptr = iptr; + left = sizeOfPtr; + + if (sizeOfPtr == 0 || iptr == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (session->internals.handshake_recv_buffer.length > 0) { - /* if we have already received some data */ - if (sizeOfPtr <= session->internals.handshake_recv_buffer.length) { - /* if requested less data then return it. - */ - gnutls_assert(); - memcpy(iptr, session->internals.handshake_recv_buffer.data, - sizeOfPtr); - - session->internals.handshake_recv_buffer.length -= sizeOfPtr; - - memmove(session->internals.handshake_recv_buffer.data, - &session->internals.handshake_recv_buffer. - data[sizeOfPtr], - session->internals.handshake_recv_buffer.length); - - return sizeOfPtr; + if (session->internals.handshake_recv_buffer.length > 0) + { + /* if we have already received some data */ + if (sizeOfPtr <= session->internals.handshake_recv_buffer.length) + { + /* if requested less data then return it. + */ + gnutls_assert (); + memcpy (iptr, session->internals.handshake_recv_buffer.data, + sizeOfPtr); + + session->internals.handshake_recv_buffer.length -= sizeOfPtr; + + memmove (session->internals.handshake_recv_buffer.data, + &session->internals.handshake_recv_buffer. + data[sizeOfPtr], + session->internals.handshake_recv_buffer.length); + + return sizeOfPtr; } - gnutls_assert(); - memcpy(iptr, session->internals.handshake_recv_buffer.data, - session->internals.handshake_recv_buffer.length); + gnutls_assert (); + memcpy (iptr, session->internals.handshake_recv_buffer.data, + session->internals.handshake_recv_buffer.length); - htype = session->internals.handshake_recv_buffer_htype; - type = session->internals.handshake_recv_buffer_type; + htype = session->internals.handshake_recv_buffer_htype; + type = session->internals.handshake_recv_buffer_type; - left -= session->internals.handshake_recv_buffer.length; + left -= session->internals.handshake_recv_buffer.length; - session->internals.handshake_recv_buffer.length = 0; + session->internals.handshake_recv_buffer.length = 0; } - while (left > 0) { - dsize = sizeOfPtr - left; - i = _gnutls_recv_int(session, type, htype, &ptr[dsize], left); - if (i < 0) { - - if (dsize > 0 - && (i == GNUTLS_E_INTERRUPTED || i == GNUTLS_E_AGAIN)) { - gnutls_assert(); - - session->internals.handshake_recv_buffer.data = - gnutls_realloc_fast(session->internals. - handshake_recv_buffer.data, dsize); - if (session->internals.handshake_recv_buffer.data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + while (left > 0) + { + dsize = sizeOfPtr - left; + i = _gnutls_recv_int (session, type, htype, &ptr[dsize], left); + if (i < 0) + { + + if (dsize > 0 && (i == GNUTLS_E_INTERRUPTED || i == GNUTLS_E_AGAIN)) + { + gnutls_assert (); + + session->internals.handshake_recv_buffer.data = + gnutls_realloc_fast (session->internals. + handshake_recv_buffer.data, dsize); + if (session->internals.handshake_recv_buffer.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - memcpy(session->internals.handshake_recv_buffer.data, iptr, - dsize); + memcpy (session->internals.handshake_recv_buffer.data, iptr, + dsize); - session->internals.handshake_recv_buffer_htype = htype; - session->internals.handshake_recv_buffer_type = type; + session->internals.handshake_recv_buffer_htype = htype; + session->internals.handshake_recv_buffer_type = type; - session->internals.handshake_recv_buffer.length = dsize; - } else - session->internals.handshake_recv_buffer.length = 0; + session->internals.handshake_recv_buffer.length = dsize; + } + else + session->internals.handshake_recv_buffer.length = 0; - gnutls_assert(); + gnutls_assert (); - return i; - } else { - if (i == 0) - break; /* EOF */ + return i; + } + else + { + if (i == 0) + break; /* EOF */ } - left -= i; + left -= i; } - session->internals.handshake_recv_buffer.length = 0; + session->internals.handshake_recv_buffer.length = 0; - return sizeOfPtr - left; + return sizeOfPtr - left; } /* Buffer for handshake packets. Keeps the packets in order * for finished messages to use them. Used in HMAC calculation * and finished messages. */ -int _gnutls_handshake_buffer_put(gnutls_session_t session, opaque * data, - size_t length) +int +_gnutls_handshake_buffer_put (gnutls_session_t session, opaque * data, + size_t length) { - if (length == 0) - return 0; + if (length == 0) + return 0; - if ((session->internals.max_handshake_data_buffer_size > 0) && - ((length + session->internals.handshake_hash_buffer.length) > - session->internals.max_handshake_data_buffer_size)) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if ((session->internals.max_handshake_data_buffer_size > 0) && + ((length + session->internals.handshake_hash_buffer.length) > + session->internals.max_handshake_data_buffer_size)) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_buffers_log("BUF[HSK]: Inserted %d bytes of Data\n", length); + _gnutls_buffers_log ("BUF[HSK]: Inserted %d bytes of Data\n", length); - if (_gnutls_buffer_append(&session->internals.handshake_hash_buffer, - data, length) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (_gnutls_buffer_append (&session->internals.handshake_hash_buffer, + data, length) < 0) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - return 0; + return 0; } -int _gnutls_handshake_buffer_get_size(gnutls_session_t session) +int +_gnutls_handshake_buffer_get_size (gnutls_session_t session) { - return session->internals.handshake_hash_buffer.length; + return session->internals.handshake_hash_buffer.length; } /* this function does not touch the buffer * and returns data from it (peek mode!) */ -int _gnutls_handshake_buffer_peek(gnutls_session_t session, opaque * data, - size_t length) +int +_gnutls_handshake_buffer_peek (gnutls_session_t session, opaque * data, + size_t length) { - if (length > session->internals.handshake_hash_buffer.length) { - length = session->internals.handshake_hash_buffer.length; + if (length > session->internals.handshake_hash_buffer.length) + { + length = session->internals.handshake_hash_buffer.length; } - _gnutls_buffers_log("BUF[HSK]: Peeked %d bytes of Data\n", length); + _gnutls_buffers_log ("BUF[HSK]: Peeked %d bytes of Data\n", length); - memcpy(data, session->internals.handshake_hash_buffer.data, length); - return length; + memcpy (data, session->internals.handshake_hash_buffer.data, length); + return length; } /* this function does not touch the buffer * and returns data from it (peek mode!) */ -int _gnutls_handshake_buffer_get_ptr(gnutls_session_t session, - opaque ** data_ptr, size_t * length) +int +_gnutls_handshake_buffer_get_ptr (gnutls_session_t session, + opaque ** data_ptr, size_t * length) { - if (length != NULL) - *length = session->internals.handshake_hash_buffer.length; + if (length != NULL) + *length = session->internals.handshake_hash_buffer.length; - _gnutls_buffers_log("BUF[HSK]: Peeked %d bytes of Data\n", *length); + _gnutls_buffers_log ("BUF[HSK]: Peeked %d bytes of Data\n", *length); - if (data_ptr != NULL) - *data_ptr = session->internals.handshake_hash_buffer.data; + if (data_ptr != NULL) + *data_ptr = session->internals.handshake_hash_buffer.data; - return 0; + return 0; } /* Does not free the buffer */ -int _gnutls_handshake_buffer_empty(gnutls_session_t session) +int +_gnutls_handshake_buffer_empty (gnutls_session_t session) { - _gnutls_buffers_log("BUF[HSK]: Emptied buffer\n"); + _gnutls_buffers_log ("BUF[HSK]: Emptied buffer\n"); - session->internals.handshake_hash_buffer.length = 0; + session->internals.handshake_hash_buffer.length = 0; - return 0; + return 0; } -int _gnutls_handshake_buffer_clear(gnutls_session_t session) +int +_gnutls_handshake_buffer_clear (gnutls_session_t session) { - _gnutls_buffers_log("BUF[HSK]: Cleared Data from buffer\n"); + _gnutls_buffers_log ("BUF[HSK]: Cleared Data from buffer\n"); - _gnutls_buffer_clear(&session->internals.handshake_hash_buffer); + _gnutls_buffer_clear (&session->internals.handshake_hash_buffer); - return 0; + return 0; } diff --git a/lib/gnutls_buffers.h b/lib/gnutls_buffers.h index 4b565c6c0d..a06a2458dc 100644 --- a/lib/gnutls_buffers.h +++ b/lib/gnutls_buffers.h @@ -22,44 +22,46 @@ * */ -int _gnutls_record_buffer_put(content_type_t type, - gnutls_session_t session, opaque * data, - size_t length); -int _gnutls_record_buffer_get_size(content_type_t type, - gnutls_session_t session); -int _gnutls_record_buffer_get(content_type_t type, - gnutls_session_t session, opaque * data, - size_t length); -ssize_t _gnutls_io_read_buffered(gnutls_session_t, opaque ** iptr, - size_t n, content_type_t); -void _gnutls_io_clear_read_buffer(gnutls_session_t); -int _gnutls_io_clear_peeked_data(gnutls_session_t session); +int _gnutls_record_buffer_put (content_type_t type, + gnutls_session_t session, opaque * data, + size_t length); +int _gnutls_record_buffer_get_size (content_type_t type, + gnutls_session_t session); +int _gnutls_record_buffer_get (content_type_t type, + gnutls_session_t session, opaque * data, + size_t length); +ssize_t _gnutls_io_read_buffered (gnutls_session_t, opaque ** iptr, + size_t n, content_type_t); +void _gnutls_io_clear_read_buffer (gnutls_session_t); +int _gnutls_io_clear_peeked_data (gnutls_session_t session); -ssize_t _gnutls_io_write_buffered(gnutls_session_t, const void *iptr, - size_t n); -ssize_t _gnutls_io_write_buffered2(gnutls_session_t, const void *iptr, - size_t n, const void *iptr2, size_t n2); +ssize_t _gnutls_io_write_buffered (gnutls_session_t, const void *iptr, + size_t n); +ssize_t _gnutls_io_write_buffered2 (gnutls_session_t, const void *iptr, + size_t n, const void *iptr2, size_t n2); -int _gnutls_handshake_buffer_get_size(gnutls_session_t session); -int _gnutls_handshake_buffer_peek(gnutls_session_t session, opaque * data, +int _gnutls_handshake_buffer_get_size (gnutls_session_t session); +int _gnutls_handshake_buffer_peek (gnutls_session_t session, opaque * data, + size_t length); +int _gnutls_handshake_buffer_put (gnutls_session_t session, opaque * data, size_t length); -int _gnutls_handshake_buffer_put(gnutls_session_t session, opaque * data, - size_t length); -int _gnutls_handshake_buffer_clear(gnutls_session_t session); -int _gnutls_handshake_buffer_empty(gnutls_session_t session); -int _gnutls_handshake_buffer_get_ptr(gnutls_session_t session, - opaque ** data_ptr, size_t * length); +int _gnutls_handshake_buffer_clear (gnutls_session_t session); +int _gnutls_handshake_buffer_empty (gnutls_session_t session); +int _gnutls_handshake_buffer_get_ptr (gnutls_session_t session, + opaque ** data_ptr, size_t * length); #define _gnutls_handshake_io_buffer_clear( session) \ _gnutls_buffer_clear( &session->internals.handshake_send_buffer); \ _gnutls_buffer_clear( &session->internals.handshake_recv_buffer); \ session->internals.handshake_send_buffer_prev_size = 0 -ssize_t _gnutls_handshake_io_recv_int(gnutls_session_t, content_type_t, - gnutls_handshake_description_t, void *, size_t); -ssize_t _gnutls_handshake_io_send_int(gnutls_session_t, content_type_t, - gnutls_handshake_description_t, const void *, size_t); -ssize_t _gnutls_io_write_flush(gnutls_session_t session); -ssize_t _gnutls_handshake_io_write_flush(gnutls_session_t session); +ssize_t _gnutls_handshake_io_recv_int (gnutls_session_t, content_type_t, + gnutls_handshake_description_t, void *, + size_t); +ssize_t _gnutls_handshake_io_send_int (gnutls_session_t, content_type_t, + gnutls_handshake_description_t, + const void *, size_t); +ssize_t _gnutls_io_write_flush (gnutls_session_t session); +ssize_t _gnutls_handshake_io_write_flush (gnutls_session_t session); -size_t gnutls_record_check_pending(gnutls_session_t session); +size_t gnutls_record_check_pending (gnutls_session_t session); diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 3b427c5f8c..c95a02180f 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -54,31 +54,35 @@ * TLS negotiation that uses the credentials is in progress. * **/ -void gnutls_certificate_free_keys(gnutls_certificate_credentials_t sc) +void +gnutls_certificate_free_keys (gnutls_certificate_credentials_t sc) { - uint i, j; + uint i, j; - for (i = 0; i < sc->ncerts; i++) { - for (j = 0; j < sc->cert_list_length[i]; j++) { - _gnutls_gcert_deinit(&sc->cert_list[i][j]); + for (i = 0; i < sc->ncerts; i++) + { + for (j = 0; j < sc->cert_list_length[i]; j++) + { + _gnutls_gcert_deinit (&sc->cert_list[i][j]); } - gnutls_free(sc->cert_list[i]); + gnutls_free (sc->cert_list[i]); } - gnutls_free(sc->cert_list_length); - sc->cert_list_length = NULL; + gnutls_free (sc->cert_list_length); + sc->cert_list_length = NULL; - gnutls_free(sc->cert_list); - sc->cert_list = NULL; + gnutls_free (sc->cert_list); + sc->cert_list = NULL; - for (i = 0; i < sc->ncerts; i++) { - _gnutls_gkey_deinit(&sc->pkey[i]); + for (i = 0; i < sc->ncerts; i++) + { + _gnutls_gkey_deinit (&sc->pkey[i]); } - gnutls_free(sc->pkey); - sc->pkey = NULL; + gnutls_free (sc->pkey); + sc->pkey = NULL; - sc->ncerts = 0; + sc->ncerts = 0; } @@ -92,18 +96,20 @@ void gnutls_certificate_free_keys(gnutls_certificate_credentials_t sc) * save some memory. * **/ -void gnutls_certificate_free_cas(gnutls_certificate_credentials_t sc) +void +gnutls_certificate_free_cas (gnutls_certificate_credentials_t sc) { - uint j; + uint j; - for (j = 0; j < sc->x509_ncas; j++) { - gnutls_x509_crt_deinit(sc->x509_ca_list[j]); + for (j = 0; j < sc->x509_ncas; j++) + { + gnutls_x509_crt_deinit (sc->x509_ca_list[j]); } - sc->x509_ncas = 0; + sc->x509_ncas = 0; - gnutls_free(sc->x509_ca_list); - sc->x509_ca_list = NULL; + gnutls_free (sc->x509_ca_list); + sc->x509_ca_list = NULL; } @@ -119,9 +125,10 @@ void gnutls_certificate_free_cas(gnutls_certificate_credentials_t sc) * support to clients. * **/ -void gnutls_certificate_free_ca_names(gnutls_certificate_credentials_t sc) +void +gnutls_certificate_free_ca_names (gnutls_certificate_credentials_t sc) { - _gnutls_free_datum(&sc->x509_rdn_sequence); + _gnutls_free_datum (&sc->x509_rdn_sequence); } /*- @@ -133,27 +140,34 @@ void gnutls_certificate_free_ca_names(gnutls_certificate_credentials_t sc) * calls would not examine the credentials (or call a callback). * -*/ -gnutls_dh_params_t _gnutls_certificate_get_dh_params(const - gnutls_certificate_credentials_t sc, gnutls_session_t session) +gnutls_dh_params_t +_gnutls_certificate_get_dh_params (const + gnutls_certificate_credentials_t sc, + gnutls_session_t session) { - gnutls_params_st params; - int ret; + gnutls_params_st params; + int ret; - if (session->internals.params.cert_dh_params) { - return session->internals.params.cert_dh_params; + if (session->internals.params.cert_dh_params) + { + return session->internals.params.cert_dh_params; } - if (sc->dh_params) { - session->internals.params.cert_dh_params = sc->dh_params; - } else if (sc->params_func) { - ret = sc->params_func(session, GNUTLS_PARAMS_DH, ¶ms); - if (ret == 0 && params.type == GNUTLS_PARAMS_DH) { - session->internals.params.cert_dh_params = params.params.dh; - session->internals.params.free_cert_dh_params = params.deinit; + if (sc->dh_params) + { + session->internals.params.cert_dh_params = sc->dh_params; + } + else if (sc->params_func) + { + ret = sc->params_func (session, GNUTLS_PARAMS_DH, ¶ms); + if (ret == 0 && params.type == GNUTLS_PARAMS_DH) + { + session->internals.params.cert_dh_params = params.params.dh; + session->internals.params.free_cert_dh_params = params.deinit; } } - return session->internals.params.cert_dh_params; + return session->internals.params.cert_dh_params; } /*- @@ -163,28 +177,34 @@ gnutls_dh_params_t _gnutls_certificate_get_dh_params(const * This function will return the rsa parameters pointer. * -*/ -gnutls_rsa_params_t _gnutls_certificate_get_rsa_params(const - gnutls_certificate_credentials_t sc, gnutls_session_t session) +gnutls_rsa_params_t +_gnutls_certificate_get_rsa_params (const + gnutls_certificate_credentials_t sc, + gnutls_session_t session) { - gnutls_params_st params; - int ret; + gnutls_params_st params; + int ret; - if (session->internals.params.rsa_params) { - return session->internals.params.rsa_params; + if (session->internals.params.rsa_params) + { + return session->internals.params.rsa_params; } - if (sc->rsa_params) { - session->internals.params.rsa_params = sc->rsa_params; - } else if (sc->params_func) { - ret = sc->params_func(session, GNUTLS_PARAMS_RSA_EXPORT, ¶ms); - if (ret == 0 && params.type == GNUTLS_PARAMS_RSA_EXPORT) { - session->internals.params.rsa_params = - params.params.rsa_export; - session->internals.params.free_rsa_params = params.deinit; + if (sc->rsa_params) + { + session->internals.params.rsa_params = sc->rsa_params; + } + else if (sc->params_func) + { + ret = sc->params_func (session, GNUTLS_PARAMS_RSA_EXPORT, ¶ms); + if (ret == 0 && params.type == GNUTLS_PARAMS_RSA_EXPORT) + { + session->internals.params.rsa_params = params.params.rsa_export; + session->internals.params.free_rsa_params = params.deinit; } } - return session->internals.params.rsa_params; + return session->internals.params.rsa_params; } @@ -199,19 +219,19 @@ gnutls_rsa_params_t _gnutls_certificate_get_rsa_params(const * with this structure (ie RSA and DH parameters are not freed by * this function). **/ -void gnutls_certificate_free_credentials(gnutls_certificate_credentials_t - sc) +void +gnutls_certificate_free_credentials (gnutls_certificate_credentials_t sc) { - gnutls_certificate_free_keys(sc); - gnutls_certificate_free_cas(sc); - gnutls_certificate_free_ca_names(sc); + gnutls_certificate_free_keys (sc); + gnutls_certificate_free_cas (sc); + gnutls_certificate_free_ca_names (sc); #ifdef ENABLE_PKI - gnutls_certificate_free_crls(sc); + gnutls_certificate_free_crls (sc); #endif - _gnutls_free_datum(&sc->keyring); + _gnutls_free_datum (&sc->keyring); - gnutls_free(sc); + gnutls_free (sc); } @@ -225,18 +245,18 @@ void gnutls_certificate_free_credentials(gnutls_certificate_credentials_t * Returns 0 on success. **/ int -gnutls_certificate_allocate_credentials(gnutls_certificate_credentials_t * - res) +gnutls_certificate_allocate_credentials (gnutls_certificate_credentials_t * + res) { - *res = gnutls_calloc(1, sizeof(certificate_credentials_st)); + *res = gnutls_calloc (1, sizeof (certificate_credentials_st)); - if (*res == NULL) - return GNUTLS_E_MEMORY_ERROR; + if (*res == NULL) + return GNUTLS_E_MEMORY_ERROR; - (*res)->verify_bits = DEFAULT_VERIFY_BITS; - (*res)->verify_depth = DEFAULT_VERIFY_DEPTH; + (*res)->verify_bits = DEFAULT_VERIFY_BITS; + (*res)->verify_depth = DEFAULT_VERIFY_DEPTH; - return 0; + return 0; } @@ -246,49 +266,56 @@ gnutls_certificate_allocate_credentials(gnutls_certificate_credentials_t * * This function also uses the KeyUsage field of the certificate * extensions in order to disable unneded algorithms. */ -int _gnutls_selected_cert_supported_kx(gnutls_session_t session, - gnutls_kx_algorithm_t ** alg, int *alg_size) +int +_gnutls_selected_cert_supported_kx (gnutls_session_t session, + gnutls_kx_algorithm_t ** alg, + int *alg_size) { - gnutls_kx_algorithm_t kx; - gnutls_pk_algorithm_t pk; - gnutls_kx_algorithm_t kxlist[MAX_ALGOS]; - gnutls_cert *cert; - int i; - - if (session->internals.selected_cert_list_length == 0) { - *alg_size = 0; - *alg = NULL; - return 0; - } - - cert = &session->internals.selected_cert_list[0]; - i = 0; - - for (kx = 0; kx < MAX_ALGOS; kx++) { - pk = _gnutls_map_pk_get_pk(kx); - if (pk == cert->subject_pk_algorithm) { - /* then check key usage */ - if (_gnutls_check_key_usage(cert, kx) == 0) { - kxlist[i] = kx; - i++; + gnutls_kx_algorithm_t kx; + gnutls_pk_algorithm_t pk; + gnutls_kx_algorithm_t kxlist[MAX_ALGOS]; + gnutls_cert *cert; + int i; + + if (session->internals.selected_cert_list_length == 0) + { + *alg_size = 0; + *alg = NULL; + return 0; + } + + cert = &session->internals.selected_cert_list[0]; + i = 0; + + for (kx = 0; kx < MAX_ALGOS; kx++) + { + pk = _gnutls_map_pk_get_pk (kx); + if (pk == cert->subject_pk_algorithm) + { + /* then check key usage */ + if (_gnutls_check_key_usage (cert, kx) == 0) + { + kxlist[i] = kx; + i++; } } } - if (i == 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (i == 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - *alg = gnutls_calloc(1, sizeof(gnutls_kx_algorithm_t) * i); - if (*alg == NULL) - return GNUTLS_E_MEMORY_ERROR; + *alg = gnutls_calloc (1, sizeof (gnutls_kx_algorithm_t) * i); + if (*alg == NULL) + return GNUTLS_E_MEMORY_ERROR; - *alg_size = i; + *alg_size = i; - memcpy(*alg, kxlist, i * sizeof(gnutls_kx_algorithm_t)); + memcpy (*alg, kxlist, i * sizeof (gnutls_kx_algorithm_t)); - return 0; + return 0; } @@ -304,10 +331,11 @@ int _gnutls_selected_cert_supported_kx(gnutls_session_t session, * call this function then the client will not be asked to * send a certificate. **/ -void gnutls_certificate_server_set_request(gnutls_session_t session, - gnutls_certificate_request_t req) +void +gnutls_certificate_server_set_request (gnutls_session_t session, + gnutls_certificate_request_t req) { - session->internals.send_cert_req = req; + session->internals.send_cert_req = req; } /** @@ -341,9 +369,10 @@ void gnutls_certificate_server_set_request(gnutls_session_t session, * will be terminated. **/ void gnutls_certificate_client_set_retrieve_function - (gnutls_certificate_credentials_t cred, - gnutls_certificate_client_retrieve_function * func) { - cred->client_get_cert_callback = func; + (gnutls_certificate_credentials_t cred, + gnutls_certificate_client_retrieve_function * func) +{ + cred->client_get_cert_callback = func; } /** @@ -366,9 +395,10 @@ void gnutls_certificate_client_set_retrieve_function * will be terminated. **/ void gnutls_certificate_server_set_retrieve_function - (gnutls_certificate_credentials_t cred, - gnutls_certificate_server_retrieve_function * func) { - cred->server_get_cert_callback = func; + (gnutls_certificate_credentials_t cred, + gnutls_certificate_server_retrieve_function * func) +{ + cred->server_get_cert_callback = func; } @@ -376,9 +406,9 @@ void gnutls_certificate_server_set_retrieve_function */ OPENPGP_KEY_CREATION_TIME_FUNC _E_gnutls_openpgp_get_raw_key_creation_time - = NULL; + = NULL; OPENPGP_KEY_EXPIRATION_TIME_FUNC - _E_gnutls_openpgp_get_raw_key_expiration_time = NULL; + _E_gnutls_openpgp_get_raw_key_expiration_time = NULL; OPENPGP_VERIFY_KEY_FUNC _E_gnutls_openpgp_verify_key = NULL; /*- @@ -389,57 +419,63 @@ OPENPGP_VERIFY_KEY_FUNC _E_gnutls_openpgp_verify_key = NULL; * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent. * -*/ -int _gnutls_openpgp_cert_verify_peers(gnutls_session_t session, - unsigned int *status) +int +_gnutls_openpgp_cert_verify_peers (gnutls_session_t session, + unsigned int *status) { - cert_auth_info_t info; - gnutls_certificate_credentials_t cred; - int peer_certificate_list_size, ret; - - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INVALID_REQUEST; - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + cert_auth_info_t info; + gnutls_certificate_credentials_t cred; + int peer_certificate_list_size, ret; + + CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INVALID_REQUEST; + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - if (info->raw_certificate_list == NULL || info->ncerts == 0) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; + if (info->raw_certificate_list == NULL || info->ncerts == 0) + { + gnutls_assert (); + return GNUTLS_E_NO_CERTIFICATE_FOUND; } - /* generate a list of gnutls_certs based on the auth info - * raw certs. - */ - peer_certificate_list_size = info->ncerts; + /* generate a list of gnutls_certs based on the auth info + * raw certs. + */ + peer_certificate_list_size = info->ncerts; - if (peer_certificate_list_size != 1) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (peer_certificate_list_size != 1) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* Verify certificate - */ - if (_E_gnutls_openpgp_verify_key == NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; + /* Verify certificate + */ + if (_E_gnutls_openpgp_verify_key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INIT_LIBEXTRA; } - ret = - _E_gnutls_openpgp_verify_key(cred, &info->raw_certificate_list[0], - peer_certificate_list_size, status); - - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + _E_gnutls_openpgp_verify_key (cred, &info->raw_certificate_list[0], + peer_certificate_list_size, status); + + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } @@ -469,28 +505,31 @@ int _gnutls_openpgp_cert_verify_peers(gnutls_session_t session, * you need to call gnutls_certificate_set_verify_flags() with, e.g., * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter. **/ -int gnutls_certificate_verify_peers2(gnutls_session_t session, - unsigned int *status) +int +gnutls_certificate_verify_peers2 (gnutls_session_t session, + unsigned int *status) { - cert_auth_info_t info; + cert_auth_info_t info; - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - info = _gnutls_get_auth_info(session); - if (info == NULL) { - return GNUTLS_E_NO_CERTIFICATE_FOUND; + info = _gnutls_get_auth_info (session); + if (info == NULL) + { + return GNUTLS_E_NO_CERTIFICATE_FOUND; } - if (info->raw_certificate_list == NULL || info->ncerts == 0) - return GNUTLS_E_NO_CERTIFICATE_FOUND; + if (info->raw_certificate_list == NULL || info->ncerts == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; - switch (gnutls_certificate_type_get(session)) { + switch (gnutls_certificate_type_get (session)) + { case GNUTLS_CRT_X509: - return _gnutls_x509_cert_verify_peers(session, status); + return _gnutls_x509_cert_verify_peers (session, status); case GNUTLS_CRT_OPENPGP: - return _gnutls_openpgp_cert_verify_peers(session, status); + return _gnutls_openpgp_cert_verify_peers (session, status); default: - return GNUTLS_E_INVALID_REQUEST; + return GNUTLS_E_INVALID_REQUEST; } } @@ -512,19 +551,21 @@ int gnutls_certificate_verify_peers2(gnutls_session_t session, * Deprecated: Use gnutls_certificate_verify_peers2() instead. * **/ -int gnutls_certificate_verify_peers(gnutls_session_t session) +int +gnutls_certificate_verify_peers (gnutls_session_t session) { - unsigned int status; - int ret; + unsigned int status; + int ret; - ret = gnutls_certificate_verify_peers2(session, &status); + ret = gnutls_certificate_verify_peers2 (session, &status); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - return status; + return status; } /** @@ -536,35 +577,39 @@ int gnutls_certificate_verify_peers(gnutls_session_t session) * Returns (time_t) -1 on error. * **/ -time_t gnutls_certificate_expiration_time_peers(gnutls_session_t session) +time_t +gnutls_certificate_expiration_time_peers (gnutls_session_t session) { - cert_auth_info_t info; + cert_auth_info_t info; - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - info = _gnutls_get_auth_info(session); - if (info == NULL) { - return (time_t) - 1; + info = _gnutls_get_auth_info (session); + if (info == NULL) + { + return (time_t) - 1; } - if (info->raw_certificate_list == NULL || info->ncerts == 0) { - gnutls_assert(); - return (time_t) - 1; + if (info->raw_certificate_list == NULL || info->ncerts == 0) + { + gnutls_assert (); + return (time_t) - 1; } - switch (gnutls_certificate_type_get(session)) { + switch (gnutls_certificate_type_get (session)) + { case GNUTLS_CRT_X509: - return _gnutls_x509_get_raw_crt_expiration_time(&info-> - raw_certificate_list - [0]); + return _gnutls_x509_get_raw_crt_expiration_time (&info-> + raw_certificate_list + [0]); case GNUTLS_CRT_OPENPGP: - if (_E_gnutls_openpgp_get_raw_key_expiration_time == NULL) - return (time_t) - 1; - return _E_gnutls_openpgp_get_raw_key_expiration_time(&info-> - raw_certificate_list - [0]); - default: + if (_E_gnutls_openpgp_get_raw_key_expiration_time == NULL) return (time_t) - 1; + return _E_gnutls_openpgp_get_raw_key_expiration_time (&info-> + raw_certificate_list + [0]); + default: + return (time_t) - 1; } } @@ -578,76 +623,88 @@ time_t gnutls_certificate_expiration_time_peers(gnutls_session_t session) * Returns (time_t) -1 on error. * **/ -time_t gnutls_certificate_activation_time_peers(gnutls_session_t session) +time_t +gnutls_certificate_activation_time_peers (gnutls_session_t session) { - cert_auth_info_t info; + cert_auth_info_t info; - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - info = _gnutls_get_auth_info(session); - if (info == NULL) { - return (time_t) - 1; + info = _gnutls_get_auth_info (session); + if (info == NULL) + { + return (time_t) - 1; } - if (info->raw_certificate_list == NULL || info->ncerts == 0) { - gnutls_assert(); - return (time_t) - 1; + if (info->raw_certificate_list == NULL || info->ncerts == 0) + { + gnutls_assert (); + return (time_t) - 1; } - switch (gnutls_certificate_type_get(session)) { + switch (gnutls_certificate_type_get (session)) + { case GNUTLS_CRT_X509: - return _gnutls_x509_get_raw_crt_activation_time(&info-> - raw_certificate_list - [0]); + return _gnutls_x509_get_raw_crt_activation_time (&info-> + raw_certificate_list + [0]); case GNUTLS_CRT_OPENPGP: - if (_E_gnutls_openpgp_get_raw_key_creation_time == NULL) - return (time_t) - 1; - return _E_gnutls_openpgp_get_raw_key_creation_time(&info-> - raw_certificate_list - [0]); - default: + if (_E_gnutls_openpgp_get_raw_key_creation_time == NULL) return (time_t) - 1; + return _E_gnutls_openpgp_get_raw_key_creation_time (&info-> + raw_certificate_list + [0]); + default: + return (time_t) - 1; } } OPENPGP_RAW_KEY_TO_GCERT _E_gnutls_openpgp_raw_key_to_gcert; OPENPGP_RAW_PRIVKEY_TO_GKEY _E_gnutls_openpgp_raw_privkey_to_gkey; -int _gnutls_raw_cert_to_gcert(gnutls_cert * gcert, - gnutls_certificate_type_t type, const gnutls_datum_t * raw_cert, - int flags /* OR of ConvFlags */ ) +int +_gnutls_raw_cert_to_gcert (gnutls_cert * gcert, + gnutls_certificate_type_t type, + const gnutls_datum_t * raw_cert, + int flags /* OR of ConvFlags */ ) { - switch (type) { + switch (type) + { case GNUTLS_CRT_X509: - return _gnutls_x509_raw_cert_to_gcert(gcert, raw_cert, flags); + return _gnutls_x509_raw_cert_to_gcert (gcert, raw_cert, flags); case GNUTLS_CRT_OPENPGP: - if (_E_gnutls_openpgp_raw_key_to_gcert == NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; + if (_E_gnutls_openpgp_raw_key_to_gcert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INIT_LIBEXTRA; } - return _E_gnutls_openpgp_raw_key_to_gcert(gcert, raw_cert); + return _E_gnutls_openpgp_raw_key_to_gcert (gcert, raw_cert); default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } } -int _gnutls_raw_privkey_to_gkey(gnutls_privkey * key, - gnutls_certificate_type_t type, const gnutls_datum_t * raw_key, - int key_enc /* DER or PEM */ ) +int +_gnutls_raw_privkey_to_gkey (gnutls_privkey * key, + gnutls_certificate_type_t type, + const gnutls_datum_t * raw_key, + int key_enc /* DER or PEM */ ) { - switch (type) { + switch (type) + { case GNUTLS_CRT_X509: - return _gnutls_x509_raw_privkey_to_gkey(key, raw_key, key_enc); + return _gnutls_x509_raw_privkey_to_gkey (key, raw_key, key_enc); case GNUTLS_CRT_OPENPGP: - if (_E_gnutls_openpgp_raw_privkey_to_gkey == NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; + if (_E_gnutls_openpgp_raw_privkey_to_gkey == NULL) + { + gnutls_assert (); + return GNUTLS_E_INIT_LIBEXTRA; } - return _E_gnutls_openpgp_raw_privkey_to_gkey(key, raw_key); + return _E_gnutls_openpgp_raw_privkey_to_gkey (key, raw_key); default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } } @@ -661,120 +718,134 @@ int _gnutls_raw_privkey_to_gkey(gnutls_privkey * key, * extensions found in the certificate are unsupported and critical. * The critical extensions will be catched by the verification functions. */ -int _gnutls_x509_raw_cert_to_gcert(gnutls_cert * gcert, - const gnutls_datum_t * derCert, int flags /* OR of ConvFlags */ ) +int +_gnutls_x509_raw_cert_to_gcert (gnutls_cert * gcert, + const gnutls_datum_t * derCert, + int flags /* OR of ConvFlags */ ) { - int ret; - gnutls_x509_crt_t cert; - - ret = gnutls_x509_crt_init(&cert); - if (ret < 0) { - gnutls_assert(); - return ret; + int ret; + gnutls_x509_crt_t cert; + + ret = gnutls_x509_crt_init (&cert); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = gnutls_x509_crt_import(cert, derCert, GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - gnutls_x509_crt_deinit(cert); - return ret; + ret = gnutls_x509_crt_import (cert, derCert, GNUTLS_X509_FMT_DER); + if (ret < 0) + { + gnutls_assert (); + gnutls_x509_crt_deinit (cert); + return ret; } - ret = _gnutls_x509_crt_to_gcert(gcert, cert, flags); - gnutls_x509_crt_deinit(cert); + ret = _gnutls_x509_crt_to_gcert (gcert, cert, flags); + gnutls_x509_crt_deinit (cert); - return ret; + return ret; } /* Like above but it accepts a parsed certificate instead. */ -int _gnutls_x509_crt_to_gcert(gnutls_cert * gcert, - gnutls_x509_crt_t cert, unsigned int flags) +int +_gnutls_x509_crt_to_gcert (gnutls_cert * gcert, + gnutls_x509_crt_t cert, unsigned int flags) { - int ret = 0; + int ret = 0; - memset(gcert, 0, sizeof(gnutls_cert)); - gcert->cert_type = GNUTLS_CRT_X509; + memset (gcert, 0, sizeof (gnutls_cert)); + gcert->cert_type = GNUTLS_CRT_X509; - if (!(flags & CERT_NO_COPY)) { + if (!(flags & CERT_NO_COPY)) + { #define SMALL_DER 512 - opaque *der; - size_t der_size = SMALL_DER; - - /* initially allocate a bogus size, just in case the certificate - * fits in it. That way we minimize the DER encodings performed. - */ - der = gnutls_malloc(SMALL_DER); - if (der == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + opaque *der; + size_t der_size = SMALL_DER; + + /* initially allocate a bogus size, just in case the certificate + * fits in it. That way we minimize the DER encodings performed. + */ + der = gnutls_malloc (SMALL_DER); + if (der == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - ret = - gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_DER, der, - &der_size); - if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - gnutls_free(der); - return ret; + ret = + gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_DER, der, &der_size); + if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) + { + gnutls_assert (); + gnutls_free (der); + return ret; } - if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { - der = gnutls_realloc(der, der_size); - if (der == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) + { + der = gnutls_realloc (der, der_size); + if (der == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - ret = - gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_DER, der, - &der_size); - if (ret < 0) { - gnutls_assert(); - gnutls_free(der); - return ret; + ret = + gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_DER, der, + &der_size); + if (ret < 0) + { + gnutls_assert (); + gnutls_free (der); + return ret; } } - gcert->raw.data = der; - gcert->raw.size = der_size; - } else - /* now we have 0 or a bitwise or of things to decode */ - flags ^= CERT_NO_COPY; + gcert->raw.data = der; + gcert->raw.size = der_size; + } + else + /* now we have 0 or a bitwise or of things to decode */ + flags ^= CERT_NO_COPY; - if (flags & CERT_ONLY_EXTENSIONS || flags == 0) { - gnutls_x509_crt_get_key_usage(cert, &gcert->key_usage, NULL); - gcert->version = gnutls_x509_crt_get_version(cert); + if (flags & CERT_ONLY_EXTENSIONS || flags == 0) + { + gnutls_x509_crt_get_key_usage (cert, &gcert->key_usage, NULL); + gcert->version = gnutls_x509_crt_get_version (cert); } - gcert->subject_pk_algorithm = - gnutls_x509_crt_get_pk_algorithm(cert, NULL); - - if (flags & CERT_ONLY_PUBKEY || flags == 0) { - gcert->params_size = MAX_PUBLIC_PARAMS_SIZE; - ret = - _gnutls_x509_crt_get_mpis(cert, gcert->params, - &gcert->params_size); - if (ret < 0) { - gnutls_assert(); - return ret; + gcert->subject_pk_algorithm = gnutls_x509_crt_get_pk_algorithm (cert, NULL); + + if (flags & CERT_ONLY_PUBKEY || flags == 0) + { + gcert->params_size = MAX_PUBLIC_PARAMS_SIZE; + ret = + _gnutls_x509_crt_get_mpis (cert, gcert->params, &gcert->params_size); + if (ret < 0) + { + gnutls_assert (); + return ret; } } - return 0; + return 0; } -void _gnutls_gcert_deinit(gnutls_cert * cert) +void +_gnutls_gcert_deinit (gnutls_cert * cert) { - int i; + int i; - if (cert == NULL) - return; + if (cert == NULL) + return; - for (i = 0; i < cert->params_size; i++) { - _gnutls_mpi_release(&cert->params[i]); + for (i = 0; i < cert->params_size; i++) + { + _gnutls_mpi_release (&cert->params[i]); } - _gnutls_free_datum(&cert->raw); + _gnutls_free_datum (&cert->raw); } diff --git a/lib/gnutls_cert.h b/lib/gnutls_cert.h index 99aaeca463..8c753d1816 100644 --- a/lib/gnutls_cert.h +++ b/lib/gnutls_cert.h @@ -48,82 +48,85 @@ #define KEY_ENCIPHER_ONLY 1 #define KEY_DECIPHER_ONLY 32768 -typedef struct gnutls_cert { - mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; /* the size of params depends on the public - * key algorithm - * RSA: [0] is modulus - * [1] is public exponent - * DSA: [0] is p - * [1] is q - * [2] is g - * [3] is public key - */ - int params_size; /* holds the size of MPI params */ - - gnutls_pk_algorithm_t subject_pk_algorithm; - - unsigned int key_usage; /* bits from KEY_* +typedef struct gnutls_cert +{ + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; /* the size of params depends on the public + * key algorithm + * RSA: [0] is modulus + * [1] is public exponent + * DSA: [0] is p + * [1] is q + * [2] is g + * [3] is public key + */ + int params_size; /* holds the size of MPI params */ + + gnutls_pk_algorithm_t subject_pk_algorithm; + + unsigned int key_usage; /* bits from KEY_* */ - unsigned int version; - /* holds the type (PGP, X509) - */ - gnutls_certificate_type_t cert_type; + unsigned int version; + /* holds the type (PGP, X509) + */ + gnutls_certificate_type_t cert_type; - gnutls_datum_t raw; + gnutls_datum_t raw; } gnutls_cert; -typedef struct gnutls_privkey_int { - mpi_t params[MAX_PRIV_PARAMS_SIZE]; /* the size of params depends on the public +typedef struct gnutls_privkey_int +{ + mpi_t params[MAX_PRIV_PARAMS_SIZE]; /* the size of params depends on the public * key algorithm */ - /* - * RSA: [0] is modulus - * [1] is public exponent - * [2] is private exponent - * [3] is prime1 (p) - * [4] is prime2 (q) - * [5] is coefficient (u == inverse of p mod q) - * DSA: [0] is p - * [1] is q - * [2] is g - * [3] is y (public key) - * [4] is x (private key) - */ - int params_size; /* holds the number of params */ - - gnutls_pk_algorithm_t pk_algorithm; + /* + * RSA: [0] is modulus + * [1] is public exponent + * [2] is private exponent + * [3] is prime1 (p) + * [4] is prime2 (q) + * [5] is coefficient (u == inverse of p mod q) + * DSA: [0] is p + * [1] is q + * [2] is g + * [3] is y (public key) + * [4] is x (private key) + */ + int params_size; /* holds the number of params */ + + gnutls_pk_algorithm_t pk_algorithm; } gnutls_privkey; struct gnutls_session_int; /* because gnutls_session_t is not defined when this file is included */ -typedef enum ConvFlags { - CERT_NO_COPY = 2, - CERT_ONLY_PUBKEY = 4, - CERT_ONLY_EXTENSIONS = 16 +typedef enum ConvFlags +{ + CERT_NO_COPY = 2, + CERT_ONLY_PUBKEY = 4, + CERT_ONLY_EXTENSIONS = 16 } ConvFlags; -int _gnutls_x509_raw_cert_to_gcert(gnutls_cert * gcert, - const gnutls_datum_t * derCert, - int flags); -int _gnutls_x509_crt_to_gcert(gnutls_cert * gcert, gnutls_x509_crt_t cert, - unsigned int flags); - -void _gnutls_gkey_deinit(gnutls_privkey * key); -void _gnutls_gcert_deinit(gnutls_cert * cert); - -int _gnutls_selected_cert_supported_kx(struct gnutls_session_int *session, - gnutls_kx_algorithm_t ** alg, - int *alg_size); - -int _gnutls_raw_cert_to_gcert(gnutls_cert * gcert, - gnutls_certificate_type_t type, - const gnutls_datum_t * raw_cert, - int flags /* OR of ConvFlags */ ); -int _gnutls_raw_privkey_to_gkey(gnutls_privkey * key, - gnutls_certificate_type_t type, - const gnutls_datum_t * raw_key, - int key_enc /* DER or PEM */ ); +int _gnutls_x509_raw_cert_to_gcert (gnutls_cert * gcert, + const gnutls_datum_t * derCert, + int flags); +int _gnutls_x509_crt_to_gcert (gnutls_cert * gcert, gnutls_x509_crt_t cert, + unsigned int flags); + +void _gnutls_gkey_deinit (gnutls_privkey * key); +void _gnutls_gcert_deinit (gnutls_cert * cert); + +int _gnutls_selected_cert_supported_kx (struct gnutls_session_int *session, + gnutls_kx_algorithm_t ** alg, + int *alg_size); + +int _gnutls_raw_cert_to_gcert (gnutls_cert * gcert, + gnutls_certificate_type_t type, + const gnutls_datum_t * raw_cert, + int flags /* OR of ConvFlags */ ); +int _gnutls_raw_privkey_to_gkey (gnutls_privkey * key, + gnutls_certificate_type_t type, + const gnutls_datum_t * raw_key, + int key_enc /* DER or PEM */ ); #endif diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index 9ee2f2c79e..dbace455da 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -41,22 +41,24 @@ #include "gnutls_constate.h" #include <gc.h> -inline static int is_write_comp_null(gnutls_session_t session) +inline static int +is_write_comp_null (gnutls_session_t session) { - if (session->security_parameters.write_compression_algorithm == - GNUTLS_COMP_NULL) - return 0; + if (session->security_parameters.write_compression_algorithm == + GNUTLS_COMP_NULL) + return 0; - return 1; + return 1; } -inline static int is_read_comp_null(gnutls_session_t session) +inline static int +is_read_comp_null (gnutls_session_t session) { - if (session->security_parameters.read_compression_algorithm == - GNUTLS_COMP_NULL) - return 0; + if (session->security_parameters.read_compression_algorithm == + GNUTLS_COMP_NULL) + return 0; - return 1; + return 1; } @@ -65,189 +67,212 @@ inline static int is_read_comp_null(gnutls_session_t session) * * If random pad != 0 then the random pad data will be appended. */ -int _gnutls_encrypt(gnutls_session_t session, const opaque * headers, - size_t headers_size, const opaque * data, - size_t data_size, opaque * ciphertext, - size_t ciphertext_size, content_type_t type, - int random_pad) +int +_gnutls_encrypt (gnutls_session_t session, const opaque * headers, + size_t headers_size, const opaque * data, + size_t data_size, opaque * ciphertext, + size_t ciphertext_size, content_type_t type, int random_pad) { - gnutls_datum_t plain; - gnutls_datum_t comp; - int ret; - int free_comp = 1; - - plain.data = (opaque *) data; - plain.size = data_size; - - if (plain.size == 0 || is_write_comp_null(session) == 0) { - comp = plain; - free_comp = 0; - } else { - /* Here comp is allocated and must be - * freed. - */ - ret = _gnutls_m_plaintext2compressed(session, &comp, plain); - if (ret < 0) { - gnutls_assert(); - return ret; + gnutls_datum_t plain; + gnutls_datum_t comp; + int ret; + int free_comp = 1; + + plain.data = (opaque *) data; + plain.size = data_size; + + if (plain.size == 0 || is_write_comp_null (session) == 0) + { + comp = plain; + free_comp = 0; + } + else + { + /* Here comp is allocated and must be + * freed. + */ + ret = _gnutls_m_plaintext2compressed (session, &comp, plain); + if (ret < 0) + { + gnutls_assert (); + return ret; } } - ret = _gnutls_compressed2ciphertext(session, &ciphertext[headers_size], - ciphertext_size - headers_size, - comp, type, random_pad); + ret = _gnutls_compressed2ciphertext (session, &ciphertext[headers_size], + ciphertext_size - headers_size, + comp, type, random_pad); - if (free_comp) - _gnutls_free_datum(&comp); + if (free_comp) + _gnutls_free_datum (&comp); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* copy the headers */ - memcpy(ciphertext, headers, headers_size); - _gnutls_write_uint16(ret, &ciphertext[3]); + /* copy the headers */ + memcpy (ciphertext, headers, headers_size); + _gnutls_write_uint16 (ret, &ciphertext[3]); - return ret + headers_size; + return ret + headers_size; } /* Decrypts the given data. * Returns the decrypted data length. */ -int _gnutls_decrypt(gnutls_session_t session, opaque * ciphertext, - size_t ciphertext_size, uint8 * data, - size_t max_data_size, content_type_t type) +int +_gnutls_decrypt (gnutls_session_t session, opaque * ciphertext, + size_t ciphertext_size, uint8 * data, + size_t max_data_size, content_type_t type) { - gnutls_datum_t gtxt; - gnutls_datum_t gcipher; - int ret; - - if (ciphertext_size == 0) - return 0; - - gcipher.size = ciphertext_size; - gcipher.data = ciphertext; - - ret = - _gnutls_ciphertext2compressed(session, data, max_data_size, - gcipher, type); - if (ret < 0) { - return ret; + gnutls_datum_t gtxt; + gnutls_datum_t gcipher; + int ret; + + if (ciphertext_size == 0) + return 0; + + gcipher.size = ciphertext_size; + gcipher.data = ciphertext; + + ret = + _gnutls_ciphertext2compressed (session, data, max_data_size, + gcipher, type); + if (ret < 0) + { + return ret; } - if (ret == 0 || is_read_comp_null(session) == 0) { - /* ret == ret */ - - } else { - gnutls_datum_t gcomp; - - /* compression has this malloc overhead. - */ + if (ret == 0 || is_read_comp_null (session) == 0) + { + /* ret == ret */ - gcomp.data = data; - gcomp.size = ret; - ret = _gnutls_m_compressed2plaintext(session, >xt, gcomp); - if (ret < 0) { - return ret; + } + else + { + gnutls_datum_t gcomp; + + /* compression has this malloc overhead. + */ + + gcomp.data = data; + gcomp.size = ret; + ret = _gnutls_m_compressed2plaintext (session, >xt, gcomp); + if (ret < 0) + { + return ret; } - if (gtxt.size > max_data_size) { - gnutls_assert(); - _gnutls_free_datum(>xt); - /* This shouldn't have happen and - * is a TLS fatal error. - */ - return GNUTLS_E_INTERNAL_ERROR; + if (gtxt.size > max_data_size) + { + gnutls_assert (); + _gnutls_free_datum (>xt); + /* This shouldn't have happen and + * is a TLS fatal error. + */ + return GNUTLS_E_INTERNAL_ERROR; } - memcpy(data, gtxt.data, gtxt.size); - ret = gtxt.size; + memcpy (data, gtxt.data, gtxt.size); + ret = gtxt.size; - _gnutls_free_datum(>xt); + _gnutls_free_datum (>xt); } - return ret; + return ret; } -inline - static mac_hd_t -mac_init(gnutls_mac_algorithm_t mac, opaque * secret, int secret_size, - int ver) +inline static mac_hd_t +mac_init (gnutls_mac_algorithm_t mac, opaque * secret, int secret_size, + int ver) { - mac_hd_t td; + mac_hd_t td; - if (mac == GNUTLS_MAC_NULL) - return GNUTLS_MAC_FAILED; + if (mac == GNUTLS_MAC_NULL) + return GNUTLS_MAC_FAILED; - if (ver == GNUTLS_SSL3) { /* SSL 3.0 */ - td = _gnutls_mac_init_ssl3(mac, secret, secret_size); - } else { /* TLS 1.x */ - td = _gnutls_hmac_init(mac, secret, secret_size); + if (ver == GNUTLS_SSL3) + { /* SSL 3.0 */ + td = _gnutls_mac_init_ssl3 (mac, secret, secret_size); + } + else + { /* TLS 1.x */ + td = _gnutls_hmac_init (mac, secret, secret_size); } - return td; + return td; } -inline static void mac_deinit(mac_hd_t td, opaque * res, int ver) +inline static void +mac_deinit (mac_hd_t td, opaque * res, int ver) { - if (ver == GNUTLS_SSL3) { /* SSL 3.0 */ - _gnutls_mac_deinit_ssl3(td, res); - } else { - _gnutls_hmac_deinit(td, res); + if (ver == GNUTLS_SSL3) + { /* SSL 3.0 */ + _gnutls_mac_deinit_ssl3 (td, res); + } + else + { + _gnutls_hmac_deinit (td, res); } } inline static int -calc_enc_length(gnutls_session_t session, int data_size, - int hash_size, uint8 * pad, int random_pad, - cipher_type_t block_algo, uint16 blocksize) +calc_enc_length (gnutls_session_t session, int data_size, + int hash_size, uint8 * pad, int random_pad, + cipher_type_t block_algo, uint16 blocksize) { - uint8 rnd; - int length; + uint8 rnd; + int length; - *pad = 0; + *pad = 0; - switch (block_algo) { + switch (block_algo) + { case CIPHER_STREAM: - length = data_size + hash_size; + length = data_size + hash_size; - break; + break; case CIPHER_BLOCK: - if (gc_nonce (&rnd, 1) != GC_OK) { - gnutls_assert(); + if (gc_nonce (&rnd, 1) != GC_OK) + { + gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; } - /* make rnd a multiple of blocksize */ - if (session->security_parameters.version == GNUTLS_SSL3 || - random_pad == 0) { - rnd = 0; - } else { - rnd = (rnd / blocksize) * blocksize; - /* added to avoid the case of pad calculated 0 - * seen below for pad calculation. - */ - if (rnd > blocksize) - rnd -= blocksize; + /* make rnd a multiple of blocksize */ + if (session->security_parameters.version == GNUTLS_SSL3 || + random_pad == 0) + { + rnd = 0; + } + else + { + rnd = (rnd / blocksize) * blocksize; + /* added to avoid the case of pad calculated 0 + * seen below for pad calculation. + */ + if (rnd > blocksize) + rnd -= blocksize; } - length = data_size + hash_size; + length = data_size + hash_size; - *pad = (uint8) (blocksize - (length % blocksize)) + rnd; + *pad = (uint8) (blocksize - (length % blocksize)) + rnd; - length += *pad; - if (session->security_parameters.version >= GNUTLS_TLS1_1) - length += blocksize; /* for the IV */ + length += *pad; + if (session->security_parameters.version >= GNUTLS_TLS1_1) + length += blocksize; /* for the IV */ - break; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - return length; + return length; } /* This is the actual encryption @@ -255,275 +280,297 @@ calc_enc_length(gnutls_session_t session, int data_size, * which has cipher_size size. * return the actual encrypted data length. */ -int _gnutls_compressed2ciphertext(gnutls_session_t session, - opaque * cipher_data, int cipher_size, - gnutls_datum_t compressed, - content_type_t _type, int random_pad) +int +_gnutls_compressed2ciphertext (gnutls_session_t session, + opaque * cipher_data, int cipher_size, + gnutls_datum_t compressed, + content_type_t _type, int random_pad) { - uint8 MAC[MAX_HASH_SIZE]; - uint16 c_length; - uint8 pad; - int length, ret; - mac_hd_t td; - uint8 type = _type; - uint8 major, minor; - int hash_size = - _gnutls_hash_get_algo_len(session->security_parameters. - write_mac_algorithm); - gnutls_protocol_t ver; - int blocksize = - _gnutls_cipher_get_block_size(session->security_parameters. - write_bulk_cipher_algorithm); - cipher_type_t block_algo = - _gnutls_cipher_is_block(session->security_parameters. - write_bulk_cipher_algorithm); - opaque *data_ptr; - - - ver = gnutls_protocol_get_version(session); - minor = _gnutls_version_get_minor(ver); - major = _gnutls_version_get_major(ver); - - - /* Initialize MAC */ - td = mac_init(session->security_parameters.write_mac_algorithm, - session->connection_state.write_mac_secret.data, - session->connection_state.write_mac_secret.size, ver); - - if (td == GNUTLS_MAC_FAILED - && session->security_parameters.write_mac_algorithm != - GNUTLS_MAC_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + uint8 MAC[MAX_HASH_SIZE]; + uint16 c_length; + uint8 pad; + int length, ret; + mac_hd_t td; + uint8 type = _type; + uint8 major, minor; + int hash_size = + _gnutls_hash_get_algo_len (session->security_parameters. + write_mac_algorithm); + gnutls_protocol_t ver; + int blocksize = + _gnutls_cipher_get_block_size (session->security_parameters. + write_bulk_cipher_algorithm); + cipher_type_t block_algo = + _gnutls_cipher_is_block (session->security_parameters. + write_bulk_cipher_algorithm); + opaque *data_ptr; + + + ver = gnutls_protocol_get_version (session); + minor = _gnutls_version_get_minor (ver); + major = _gnutls_version_get_major (ver); + + + /* Initialize MAC */ + td = mac_init (session->security_parameters.write_mac_algorithm, + session->connection_state.write_mac_secret.data, + session->connection_state.write_mac_secret.size, ver); + + if (td == GNUTLS_MAC_FAILED + && session->security_parameters.write_mac_algorithm != GNUTLS_MAC_NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - c_length = _gnutls_conv_uint16(compressed.size); + c_length = _gnutls_conv_uint16 (compressed.size); - if (td != GNUTLS_MAC_FAILED) { /* actually when the algorithm in not the NULL one */ - _gnutls_hmac(td, - UINT64DATA(session->connection_state. + if (td != GNUTLS_MAC_FAILED) + { /* actually when the algorithm in not the NULL one */ + _gnutls_hmac (td, + UINT64DATA (session->connection_state. write_sequence_number), 8); - _gnutls_hmac(td, &type, 1); - if (ver >= GNUTLS_TLS1) { /* TLS 1.0 or higher */ - _gnutls_hmac(td, &major, 1); - _gnutls_hmac(td, &minor, 1); + _gnutls_hmac (td, &type, 1); + if (ver >= GNUTLS_TLS1) + { /* TLS 1.0 or higher */ + _gnutls_hmac (td, &major, 1); + _gnutls_hmac (td, &minor, 1); } - _gnutls_hmac(td, &c_length, 2); - _gnutls_hmac(td, compressed.data, compressed.size); - mac_deinit(td, MAC, ver); + _gnutls_hmac (td, &c_length, 2); + _gnutls_hmac (td, compressed.data, compressed.size); + mac_deinit (td, MAC, ver); } - /* Calculate the encrypted length (padding etc.) - */ - length = - calc_enc_length(session, compressed.size, hash_size, &pad, - random_pad, block_algo, blocksize); - if (length < 0) { - gnutls_assert(); - return length; + /* Calculate the encrypted length (padding etc.) + */ + length = + calc_enc_length (session, compressed.size, hash_size, &pad, + random_pad, block_algo, blocksize); + if (length < 0) + { + gnutls_assert (); + return length; } - /* copy the encrypted data to cipher_data. - */ - if (cipher_size < length) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* copy the encrypted data to cipher_data. + */ + if (cipher_size < length) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - data_ptr = cipher_data; - if (block_algo == CIPHER_BLOCK && - session->security_parameters.version >= GNUTLS_TLS1_1) { - /* copy the random IV. - */ - if (gc_nonce (data_ptr, blocksize) != GC_OK) { - gnutls_assert(); + data_ptr = cipher_data; + if (block_algo == CIPHER_BLOCK && + session->security_parameters.version >= GNUTLS_TLS1_1) + { + /* copy the random IV. + */ + if (gc_nonce (data_ptr, blocksize) != GC_OK) + { + gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; } - data_ptr += blocksize; + data_ptr += blocksize; } - memcpy(data_ptr, compressed.data, compressed.size); - data_ptr += compressed.size; + memcpy (data_ptr, compressed.data, compressed.size); + data_ptr += compressed.size; - if (hash_size > 0) { - memcpy(data_ptr, MAC, hash_size); - data_ptr += hash_size; + if (hash_size > 0) + { + memcpy (data_ptr, MAC, hash_size); + data_ptr += hash_size; } - if (block_algo == CIPHER_BLOCK && pad > 0) { - memset(data_ptr, pad - 1, pad); + if (block_algo == CIPHER_BLOCK && pad > 0) + { + memset (data_ptr, pad - 1, pad); } - /* Actual encryption (inplace). - */ - ret = _gnutls_cipher_encrypt(session->connection_state. - write_cipher_state, cipher_data, length); - if (ret < 0) { - gnutls_assert(); - return ret; + /* Actual encryption (inplace). + */ + ret = _gnutls_cipher_encrypt (session->connection_state. + write_cipher_state, cipher_data, length); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return length; + return length; } /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size. * Returns the actual compressed packet size. */ -int _gnutls_ciphertext2compressed(gnutls_session_t session, - opaque * compress_data, - int compress_size, - gnutls_datum_t ciphertext, uint8 type) +int +_gnutls_ciphertext2compressed (gnutls_session_t session, + opaque * compress_data, + int compress_size, + gnutls_datum_t ciphertext, uint8 type) { - uint8 MAC[MAX_HASH_SIZE]; - uint16 c_length; - uint8 pad; - int length; - mac_hd_t td; - uint16 blocksize; - int ret, i, pad_failed = 0; - uint8 major, minor; - gnutls_protocol_t ver; - int hash_size = - _gnutls_hash_get_algo_len(session->security_parameters. - read_mac_algorithm); - - ver = gnutls_protocol_get_version(session); - minor = _gnutls_version_get_minor(ver); - major = _gnutls_version_get_major(ver); - - blocksize = _gnutls_cipher_get_block_size(session->security_parameters. - read_bulk_cipher_algorithm); - - /* initialize MAC - */ - td = mac_init(session->security_parameters.read_mac_algorithm, - session->connection_state.read_mac_secret.data, - session->connection_state.read_mac_secret.size, ver); - - if (td == GNUTLS_MAC_FAILED - && session->security_parameters.read_mac_algorithm != - GNUTLS_MAC_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + uint8 MAC[MAX_HASH_SIZE]; + uint16 c_length; + uint8 pad; + int length; + mac_hd_t td; + uint16 blocksize; + int ret, i, pad_failed = 0; + uint8 major, minor; + gnutls_protocol_t ver; + int hash_size = + _gnutls_hash_get_algo_len (session->security_parameters. + read_mac_algorithm); + + ver = gnutls_protocol_get_version (session); + minor = _gnutls_version_get_minor (ver); + major = _gnutls_version_get_major (ver); + + blocksize = _gnutls_cipher_get_block_size (session->security_parameters. + read_bulk_cipher_algorithm); + + /* initialize MAC + */ + td = mac_init (session->security_parameters.read_mac_algorithm, + session->connection_state.read_mac_secret.data, + session->connection_state.read_mac_secret.size, ver); + + if (td == GNUTLS_MAC_FAILED + && session->security_parameters.read_mac_algorithm != GNUTLS_MAC_NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* actual decryption (inplace) - */ - switch (_gnutls_cipher_is_block - (session->security_parameters.read_bulk_cipher_algorithm)) { + /* actual decryption (inplace) + */ + switch (_gnutls_cipher_is_block + (session->security_parameters.read_bulk_cipher_algorithm)) + { case CIPHER_STREAM: - if ((ret = _gnutls_cipher_decrypt(session->connection_state. - read_cipher_state, - ciphertext.data, - ciphertext.size)) < 0) { - gnutls_assert(); - return ret; + if ((ret = _gnutls_cipher_decrypt (session->connection_state. + read_cipher_state, + ciphertext.data, + ciphertext.size)) < 0) + { + gnutls_assert (); + return ret; } - length = ciphertext.size - hash_size; + length = ciphertext.size - hash_size; - break; + break; case CIPHER_BLOCK: - if ((ciphertext.size < blocksize) - || (ciphertext.size % blocksize != 0)) { - gnutls_assert(); - return GNUTLS_E_DECRYPTION_FAILED; + if ((ciphertext.size < blocksize) || (ciphertext.size % blocksize != 0)) + { + gnutls_assert (); + return GNUTLS_E_DECRYPTION_FAILED; } - if ((ret = _gnutls_cipher_decrypt(session->connection_state. - read_cipher_state, - ciphertext.data, - ciphertext.size)) < 0) { - gnutls_assert(); - return ret; + if ((ret = _gnutls_cipher_decrypt (session->connection_state. + read_cipher_state, + ciphertext.data, + ciphertext.size)) < 0) + { + gnutls_assert (); + return ret; } - /* ignore the IV in TLS 1.1. - */ - if (session->security_parameters.version >= GNUTLS_TLS1_1) { - ciphertext.size -= blocksize; - ciphertext.data += blocksize; - - if (ciphertext.size == 0) { - gnutls_assert(); - return GNUTLS_E_DECRYPTION_FAILED; + /* ignore the IV in TLS 1.1. + */ + if (session->security_parameters.version >= GNUTLS_TLS1_1) + { + ciphertext.size -= blocksize; + ciphertext.data += blocksize; + + if (ciphertext.size == 0) + { + gnutls_assert (); + return GNUTLS_E_DECRYPTION_FAILED; } } - pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ + pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ - length = ciphertext.size - hash_size - pad; + length = ciphertext.size - hash_size - pad; - if (pad > ciphertext.size - hash_size) { - gnutls_assert(); - /* We do not fail here. We check below for the - * the pad_failed. If zero means success. - */ - pad_failed = GNUTLS_E_DECRYPTION_FAILED; + if (pad > ciphertext.size - hash_size) + { + gnutls_assert (); + /* We do not fail here. We check below for the + * the pad_failed. If zero means success. + */ + pad_failed = GNUTLS_E_DECRYPTION_FAILED; } - /* Check the pading bytes (TLS 1.x) - */ - if (ver >= GNUTLS_TLS1 && pad_failed==0) - for (i = 2; i < pad; i++) { - if (ciphertext.data[ciphertext.size - i] != - ciphertext.data[ciphertext.size - 1]) - pad_failed = GNUTLS_E_DECRYPTION_FAILED; - } - break; + /* Check the pading bytes (TLS 1.x) + */ + if (ver >= GNUTLS_TLS1 && pad_failed == 0) + for (i = 2; i < pad; i++) + { + if (ciphertext.data[ciphertext.size - i] != + ciphertext.data[ciphertext.size - 1]) + pad_failed = GNUTLS_E_DECRYPTION_FAILED; + } + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - if (length < 0) - length = 0; - c_length = _gnutls_conv_uint16((uint16) length); - - /* Pass the type, version, length and compressed through - * MAC. - */ - if (td != GNUTLS_MAC_FAILED) { - _gnutls_hmac(td, - UINT64DATA(session->connection_state. + if (length < 0) + length = 0; + c_length = _gnutls_conv_uint16 ((uint16) length); + + /* Pass the type, version, length and compressed through + * MAC. + */ + if (td != GNUTLS_MAC_FAILED) + { + _gnutls_hmac (td, + UINT64DATA (session->connection_state. read_sequence_number), 8); - _gnutls_hmac(td, &type, 1); - if (ver >= GNUTLS_TLS1) { /* TLS 1.x */ - _gnutls_hmac(td, &major, 1); - _gnutls_hmac(td, &minor, 1); + _gnutls_hmac (td, &type, 1); + if (ver >= GNUTLS_TLS1) + { /* TLS 1.x */ + _gnutls_hmac (td, &major, 1); + _gnutls_hmac (td, &minor, 1); } - _gnutls_hmac(td, &c_length, 2); + _gnutls_hmac (td, &c_length, 2); - if (length > 0) - _gnutls_hmac(td, ciphertext.data, length); + if (length > 0) + _gnutls_hmac (td, ciphertext.data, length); - mac_deinit(td, MAC, ver); + mac_deinit (td, MAC, ver); } - /* This one was introduced to avoid a timing attack against the TLS - * 1.0 protocol. - */ - if (pad_failed != 0) - return pad_failed; - - /* HMAC was not the same. - */ - if (memcmp(MAC, &ciphertext.data[length], hash_size) != 0) { - gnutls_assert(); - return GNUTLS_E_DECRYPTION_FAILED; + /* This one was introduced to avoid a timing attack against the TLS + * 1.0 protocol. + */ + if (pad_failed != 0) + return pad_failed; + + /* HMAC was not the same. + */ + if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0) + { + gnutls_assert (); + return GNUTLS_E_DECRYPTION_FAILED; } - /* copy the decrypted stuff to compress_data. - */ - if (compress_size < length) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + /* copy the decrypted stuff to compress_data. + */ + if (compress_size < length) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - memcpy(compress_data, ciphertext.data, length); + memcpy (compress_data, ciphertext.data, length); - return length; + return length; } diff --git a/lib/gnutls_cipher.h b/lib/gnutls_cipher.h index 73d0e81a2a..9caf440497 100644 --- a/lib/gnutls_cipher.h +++ b/lib/gnutls_cipher.h @@ -22,20 +22,20 @@ * */ -int _gnutls_encrypt(gnutls_session_t session, const opaque * headers, - size_t headers_size, const opaque * data, - size_t data_size, opaque * ciphertext, - size_t ciphertext_size, content_type_t type, - int random_pad); +int _gnutls_encrypt (gnutls_session_t session, const opaque * headers, + size_t headers_size, const opaque * data, + size_t data_size, opaque * ciphertext, + size_t ciphertext_size, content_type_t type, + int random_pad); -int _gnutls_decrypt(gnutls_session_t session, opaque * ciphertext, - size_t ciphertext_size, uint8 * data, size_t data_size, - content_type_t type); -int _gnutls_compressed2ciphertext(gnutls_session_t session, - opaque * cipher_data, int cipher_size, - gnutls_datum_t compressed, - content_type_t _type, int random_pad); -int _gnutls_ciphertext2compressed(gnutls_session_t session, - opaque * compress_data, - int compress_size, - gnutls_datum_t ciphertext, uint8 type); +int _gnutls_decrypt (gnutls_session_t session, opaque * ciphertext, + size_t ciphertext_size, uint8 * data, size_t data_size, + content_type_t type); +int _gnutls_compressed2ciphertext (gnutls_session_t session, + opaque * cipher_data, int cipher_size, + gnutls_datum_t compressed, + content_type_t _type, int random_pad); +int _gnutls_ciphertext2compressed (gnutls_session_t session, + opaque * compress_data, + int compress_size, + gnutls_datum_t ciphertext, uint8 type); diff --git a/lib/gnutls_cipher_int.c b/lib/gnutls_cipher_int.c index 658b6cb77b..36b2e24754 100644 --- a/lib/gnutls_cipher_int.c +++ b/lib/gnutls_cipher_int.c @@ -27,86 +27,97 @@ #include <gnutls_cipher_int.h> #include <gnutls_datum.h> -cipher_hd_t _gnutls_cipher_init(gnutls_cipher_algorithm_t cipher, - const gnutls_datum_t * key, - const gnutls_datum_t * iv) +cipher_hd_t +_gnutls_cipher_init (gnutls_cipher_algorithm_t cipher, + const gnutls_datum_t * key, const gnutls_datum_t * iv) { - cipher_hd_t ret = NULL; - int err = GC_INVALID_CIPHER; /* doesn't matter */ + cipher_hd_t ret = NULL; + int err = GC_INVALID_CIPHER; /* doesn't matter */ - switch (cipher) { + switch (cipher) + { case GNUTLS_CIPHER_AES_128_CBC: - err = gc_cipher_open(GC_AES128, GC_CBC, &ret); - break; + err = gc_cipher_open (GC_AES128, GC_CBC, &ret); + break; case GNUTLS_CIPHER_AES_256_CBC: - err = gc_cipher_open(GC_AES256, GC_CBC, &ret); - break; + err = gc_cipher_open (GC_AES256, GC_CBC, &ret); + break; case GNUTLS_CIPHER_3DES_CBC: - err = gc_cipher_open(GC_3DES, GC_CBC, &ret); - break; + err = gc_cipher_open (GC_3DES, GC_CBC, &ret); + break; case GNUTLS_CIPHER_DES_CBC: - err = gc_cipher_open(GC_DES, GC_CBC, &ret); - break; + err = gc_cipher_open (GC_DES, GC_CBC, &ret); + break; case GNUTLS_CIPHER_ARCFOUR_128: - err = gc_cipher_open(GC_ARCFOUR128, GC_STREAM, &ret); - break; + err = gc_cipher_open (GC_ARCFOUR128, GC_STREAM, &ret); + break; case GNUTLS_CIPHER_ARCFOUR_40: - err = gc_cipher_open(GC_ARCFOUR40, GC_STREAM, &ret); - break; + err = gc_cipher_open (GC_ARCFOUR40, GC_STREAM, &ret); + break; case GNUTLS_CIPHER_RC2_40_CBC: - err = gc_cipher_open(GC_ARCTWO40, GC_CBC, &ret); - break; + err = gc_cipher_open (GC_ARCTWO40, GC_CBC, &ret); + break; default: - return NULL; + return NULL; } - if (err == 0) { - gc_cipher_setkey(ret, key->size, key->data); - if (iv->data != NULL && iv->size > 0) - gc_cipher_setiv(ret, iv->size, iv->data); - } else if (cipher != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - _gnutls_x509_log("Crypto cipher[%d] error: %d\n", cipher, err); - /* FIXME: gc_strerror */ + if (err == 0) + { + gc_cipher_setkey (ret, key->size, key->data); + if (iv->data != NULL && iv->size > 0) + gc_cipher_setiv (ret, iv->size, iv->data); + } + else if (cipher != GNUTLS_CIPHER_NULL) + { + gnutls_assert (); + _gnutls_x509_log ("Crypto cipher[%d] error: %d\n", cipher, err); + /* FIXME: gc_strerror */ } - return ret; + return ret; } -int _gnutls_cipher_encrypt(cipher_hd_t handle, void *text, int textlen) +int +_gnutls_cipher_encrypt (cipher_hd_t handle, void *text, int textlen) { - if (handle != GNUTLS_CIPHER_FAILED) { - if (gc_cipher_encrypt_inline(handle, textlen, text) != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (handle != GNUTLS_CIPHER_FAILED) + { + if (gc_cipher_encrypt_inline (handle, textlen, text) != 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } } - return 0; + return 0; } -int _gnutls_cipher_decrypt(cipher_hd_t handle, void *ciphertext, - int ciphertextlen) +int +_gnutls_cipher_decrypt (cipher_hd_t handle, void *ciphertext, + int ciphertextlen) { - if (handle != GNUTLS_CIPHER_FAILED) { - if (gc_cipher_decrypt_inline(handle, ciphertextlen, ciphertext) != - 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (handle != GNUTLS_CIPHER_FAILED) + { + if (gc_cipher_decrypt_inline (handle, ciphertextlen, ciphertext) != 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } } - return 0; + return 0; } -void _gnutls_cipher_deinit(cipher_hd_t handle) +void +_gnutls_cipher_deinit (cipher_hd_t handle) { - if (handle != GNUTLS_CIPHER_FAILED) { - gc_cipher_close(handle); + if (handle != GNUTLS_CIPHER_FAILED) + { + gc_cipher_close (handle); } } diff --git a/lib/gnutls_cipher_int.h b/lib/gnutls_cipher_int.h index a74d012602..c4cd4c791a 100644 --- a/lib/gnutls_cipher_int.h +++ b/lib/gnutls_cipher_int.h @@ -28,12 +28,12 @@ #define cipher_hd_t gc_cipher_handle #define GNUTLS_CIPHER_FAILED NULL -cipher_hd_t _gnutls_cipher_init(gnutls_cipher_algorithm_t cipher, - const gnutls_datum_t * key, - const gnutls_datum_t * iv); -int _gnutls_cipher_encrypt(cipher_hd_t handle, void *text, int textlen); -int _gnutls_cipher_decrypt(cipher_hd_t handle, void *ciphertext, - int ciphertextlen); -void _gnutls_cipher_deinit(cipher_hd_t handle); +cipher_hd_t _gnutls_cipher_init (gnutls_cipher_algorithm_t cipher, + const gnutls_datum_t * key, + const gnutls_datum_t * iv); +int _gnutls_cipher_encrypt (cipher_hd_t handle, void *text, int textlen); +int _gnutls_cipher_decrypt (cipher_hd_t handle, void *ciphertext, + int ciphertextlen); +void _gnutls_cipher_deinit (cipher_hd_t handle); -#endif /* GNUTLS_CIPHER_INT */ +#endif /* GNUTLS_CIPHER_INT */ diff --git a/lib/gnutls_compress.c b/lib/gnutls_compress.c index 2ce64cd708..9e42157d8e 100644 --- a/lib/gnutls_compress.c +++ b/lib/gnutls_compress.c @@ -33,44 +33,48 @@ /* These functions allocate the return value internally */ -int _gnutls_m_plaintext2compressed(gnutls_session_t session, - gnutls_datum_t * compressed, - gnutls_datum_t plaintext) +int +_gnutls_m_plaintext2compressed (gnutls_session_t session, + gnutls_datum_t * compressed, + gnutls_datum_t plaintext) { - int size; - opaque *data; + int size; + opaque *data; - size = - _gnutls_compress(session->connection_state.write_compression_state, - plaintext.data, plaintext.size, &data, - MAX_RECORD_SEND_SIZE + 1024); - if (size < 0) { - gnutls_assert(); - return GNUTLS_E_COMPRESSION_FAILED; + size = + _gnutls_compress (session->connection_state.write_compression_state, + plaintext.data, plaintext.size, &data, + MAX_RECORD_SEND_SIZE + 1024); + if (size < 0) + { + gnutls_assert (); + return GNUTLS_E_COMPRESSION_FAILED; } - compressed->data = data; - compressed->size = size; + compressed->data = data; + compressed->size = size; - return 0; + return 0; } -int _gnutls_m_compressed2plaintext(gnutls_session_t session, - gnutls_datum_t * plain, - gnutls_datum_t compressed) +int +_gnutls_m_compressed2plaintext (gnutls_session_t session, + gnutls_datum_t * plain, + gnutls_datum_t compressed) { - int size; - opaque *data; + int size; + opaque *data; - size = - _gnutls_decompress(session->connection_state. - read_compression_state, compressed.data, - compressed.size, &data, MAX_RECORD_RECV_SIZE); - if (size < 0) { - gnutls_assert(); - return GNUTLS_E_DECOMPRESSION_FAILED; + size = + _gnutls_decompress (session->connection_state. + read_compression_state, compressed.data, + compressed.size, &data, MAX_RECORD_RECV_SIZE); + if (size < 0) + { + gnutls_assert (); + return GNUTLS_E_DECOMPRESSION_FAILED; } - plain->data = data; - plain->size = size; + plain->data = data; + plain->size = size; - return 0; + return 0; } diff --git a/lib/gnutls_compress.h b/lib/gnutls_compress.h index fb66d188a4..13e155ec05 100644 --- a/lib/gnutls_compress.h +++ b/lib/gnutls_compress.h @@ -22,9 +22,9 @@ * */ -int _gnutls_m_plaintext2compressed(gnutls_session_t session, - gnutls_datum_t * compressed, - gnutls_datum_t plaintext); -int _gnutls_m_compressed2plaintext(gnutls_session_t session, - gnutls_datum_t * plain, - gnutls_datum_t compressed); +int _gnutls_m_plaintext2compressed (gnutls_session_t session, + gnutls_datum_t * compressed, + gnutls_datum_t plaintext); +int _gnutls_m_compressed2plaintext (gnutls_session_t session, + gnutls_datum_t * plain, + gnutls_datum_t compressed); diff --git a/lib/gnutls_compress_int.c b/lib/gnutls_compress_int.c index 5a45e3e58f..fc3d2e76a3 100644 --- a/lib/gnutls_compress_int.c +++ b/lib/gnutls_compress_int.c @@ -50,102 +50,115 @@ LZO_FUNC _gnutls_lzo1x_1_compress = NULL; /* The flag d is the direction (compress, decompress). Non zero is * decompress. */ -comp_hd_t _gnutls_comp_init(gnutls_compression_method_t method, int d) +comp_hd_t +_gnutls_comp_init (gnutls_compression_method_t method, int d) { - comp_hd_t ret; - int err; - - ret = gnutls_malloc(sizeof(struct comp_hd_t_STRUCT)); - if (ret == NULL) { - gnutls_assert(); - return NULL; + comp_hd_t ret; + int err; + + ret = gnutls_malloc (sizeof (struct comp_hd_t_STRUCT)); + if (ret == NULL) + { + gnutls_assert (); + return NULL; } - ret->algo = method; - ret->handle = NULL; + ret->algo = method; + ret->handle = NULL; - switch (method) { + switch (method) + { #ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE:{ - int window_bits, mem_level; - int comp_level; - z_stream *zhandle; - - window_bits = _gnutls_compression_get_wbits(method); - mem_level = _gnutls_compression_get_mem_level(method); - comp_level = _gnutls_compression_get_comp_level(method); - - ret->handle = gnutls_malloc(sizeof(z_stream)); - if (ret->handle == NULL) { - gnutls_assert(); - goto cleanup_ret; - } - - zhandle = ret->handle; - - zhandle->zalloc = (alloc_func) 0; - zhandle->zfree = (free_func) 0; - zhandle->opaque = (voidpf) 0; - - if (d) - err = inflateInit2(zhandle, window_bits); - else { - err = deflateInit2(zhandle, - comp_level, Z_DEFLATED, - window_bits, mem_level, - Z_DEFAULT_STRATEGY); - } - if (err != Z_OK) { - gnutls_assert(); - gnutls_free(ret->handle); - goto cleanup_ret; - } - break; - } + case GNUTLS_COMP_DEFLATE: + { + int window_bits, mem_level; + int comp_level; + z_stream *zhandle; + + window_bits = _gnutls_compression_get_wbits (method); + mem_level = _gnutls_compression_get_mem_level (method); + comp_level = _gnutls_compression_get_comp_level (method); + + ret->handle = gnutls_malloc (sizeof (z_stream)); + if (ret->handle == NULL) + { + gnutls_assert (); + goto cleanup_ret; + } + + zhandle = ret->handle; + + zhandle->zalloc = (alloc_func) 0; + zhandle->zfree = (free_func) 0; + zhandle->opaque = (voidpf) 0; + + if (d) + err = inflateInit2 (zhandle, window_bits); + else + { + err = deflateInit2 (zhandle, + comp_level, Z_DEFLATED, + window_bits, mem_level, Z_DEFAULT_STRATEGY); + } + if (err != Z_OK) + { + gnutls_assert (); + gnutls_free (ret->handle); + goto cleanup_ret; + } + break; + } #endif #ifdef USE_LZO case GNUTLS_COMP_LZO: - if (d) { /* LZO does not use memory on decompressor *//* ret->handle = NULL; */ - } else { - ret->handle = gnutls_malloc(LZO1X_1_MEM_COMPRESS); - - if (ret->handle == NULL) { - gnutls_assert(); - goto cleanup_ret; + if (d) + { /* LZO does not use memory on decompressor *//* ret->handle = NULL; */ + } + else + { + ret->handle = gnutls_malloc (LZO1X_1_MEM_COMPRESS); + + if (ret->handle == NULL) + { + gnutls_assert (); + goto cleanup_ret; } } - break; + break; #endif case GNUTLS_COMP_NULL: - break; + break; } - return ret; + return ret; - cleanup_ret: - gnutls_free(ret); - return NULL; +cleanup_ret: + gnutls_free (ret); + return NULL; } -void _gnutls_comp_deinit(comp_hd_t handle, int d) +void +_gnutls_comp_deinit (comp_hd_t handle, int d) { - int err; + int err; - if (handle != NULL) { - switch (handle->algo) { + if (handle != NULL) + { + switch (handle->algo) + { #ifdef HAVE_LIBZ case GNUTLS_COMP_DEFLATE: - if (d) - err = inflateEnd(handle->handle); - else - err = deflateEnd(handle->handle); - break; + if (d) + err = inflateEnd (handle->handle); + else + err = deflateEnd (handle->handle); + break; #endif default: - break; + break; } - gnutls_free(handle->handle); - gnutls_free(handle); + gnutls_free (handle->handle); + gnutls_free (handle); } } @@ -153,222 +166,245 @@ void _gnutls_comp_deinit(comp_hd_t handle, int d) /* These functions are memory consuming */ -int _gnutls_compress(comp_hd_t handle, const opaque * plain, - size_t plain_size, opaque ** compressed, - size_t max_comp_size) +int +_gnutls_compress (comp_hd_t handle, const opaque * plain, + size_t plain_size, opaque ** compressed, + size_t max_comp_size) { - int compressed_size = GNUTLS_E_COMPRESSION_FAILED; - int err; - - /* NULL compression is not handled here - */ - if (handle == NULL) { - gnutls_assert(); + int compressed_size = GNUTLS_E_COMPRESSION_FAILED; + int err; + + /* NULL compression is not handled here + */ + if (handle == NULL) + { + gnutls_assert (); return GNUTLS_E_INTERNAL_ERROR; } - switch (handle->algo) { + switch (handle->algo) + { #ifdef USE_LZO - case GNUTLS_COMP_LZO:{ - lzo_uint out_len; - size_t size; - - if (_gnutls_lzo1x_1_compress == NULL) - return GNUTLS_E_COMPRESSION_FAILED; - - size = plain_size + plain_size / 64 + 16 + 3; - *compressed = gnutls_malloc(size); - if (*compressed == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - err = _gnutls_lzo1x_1_compress(plain, plain_size, *compressed, - &out_len, handle->handle); - - if (err != LZO_E_OK) { - gnutls_assert(); - gnutls_free(*compressed); - *compressed = NULL; - return GNUTLS_E_COMPRESSION_FAILED; - } - - compressed_size = out_len; - break; - } + case GNUTLS_COMP_LZO: + { + lzo_uint out_len; + size_t size; + + if (_gnutls_lzo1x_1_compress == NULL) + return GNUTLS_E_COMPRESSION_FAILED; + + size = plain_size + plain_size / 64 + 16 + 3; + *compressed = gnutls_malloc (size); + if (*compressed == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + err = _gnutls_lzo1x_1_compress (plain, plain_size, *compressed, + &out_len, handle->handle); + + if (err != LZO_E_OK) + { + gnutls_assert (); + gnutls_free (*compressed); + *compressed = NULL; + return GNUTLS_E_COMPRESSION_FAILED; + } + + compressed_size = out_len; + break; + } #endif #ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE:{ - uLongf size; - z_stream *zhandle; - - size = (plain_size + plain_size) + 10; - *compressed = gnutls_malloc(size); - if (*compressed == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - zhandle = handle->handle; - - zhandle->next_in = (Bytef *) plain; - zhandle->avail_in = plain_size; - zhandle->next_out = (Bytef *) * compressed; - zhandle->avail_out = size; - - err = deflate(zhandle, Z_SYNC_FLUSH); - - if (err != Z_OK || zhandle->avail_in != 0) { - gnutls_assert(); - gnutls_free(*compressed); - *compressed = NULL; - return GNUTLS_E_COMPRESSION_FAILED; - } - - compressed_size = size - zhandle->avail_out; - break; - } + case GNUTLS_COMP_DEFLATE: + { + uLongf size; + z_stream *zhandle; + + size = (plain_size + plain_size) + 10; + *compressed = gnutls_malloc (size); + if (*compressed == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + zhandle = handle->handle; + + zhandle->next_in = (Bytef *) plain; + zhandle->avail_in = plain_size; + zhandle->next_out = (Bytef *) * compressed; + zhandle->avail_out = size; + + err = deflate (zhandle, Z_SYNC_FLUSH); + + if (err != Z_OK || zhandle->avail_in != 0) + { + gnutls_assert (); + gnutls_free (*compressed); + *compressed = NULL; + return GNUTLS_E_COMPRESSION_FAILED; + } + + compressed_size = size - zhandle->avail_out; + break; + } #endif default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } /* switch */ #ifdef COMPRESSION_DEBUG - _gnutls_debug_log("Compression ratio: %f\n", - (float) ((float) compressed_size / - (float) plain_size)); + _gnutls_debug_log ("Compression ratio: %f\n", + (float) ((float) compressed_size / (float) plain_size)); #endif - if ((size_t) compressed_size > max_comp_size) { - gnutls_free(*compressed); - *compressed = NULL; - return GNUTLS_E_COMPRESSION_FAILED; + if ((size_t) compressed_size > max_comp_size) + { + gnutls_free (*compressed); + *compressed = NULL; + return GNUTLS_E_COMPRESSION_FAILED; } - return compressed_size; + return compressed_size; } -int _gnutls_decompress(comp_hd_t handle, opaque * compressed, - size_t compressed_size, opaque ** plain, - size_t max_record_size) +int +_gnutls_decompress (comp_hd_t handle, opaque * compressed, + size_t compressed_size, opaque ** plain, + size_t max_record_size) { - int plain_size = GNUTLS_E_DECOMPRESSION_FAILED, err; - int cur_pos; + int plain_size = GNUTLS_E_DECOMPRESSION_FAILED, err; + int cur_pos; - if (compressed_size > max_record_size + EXTRA_COMP_SIZE) { - gnutls_assert(); - return GNUTLS_E_DECOMPRESSION_FAILED; + if (compressed_size > max_record_size + EXTRA_COMP_SIZE) + { + gnutls_assert (); + return GNUTLS_E_DECOMPRESSION_FAILED; } - /* NULL compression is not handled here - */ + /* NULL compression is not handled here + */ - if (handle == NULL) { - gnutls_assert(); + if (handle == NULL) + { + gnutls_assert (); return GNUTLS_E_INTERNAL_ERROR; } - switch (handle->algo) { + switch (handle->algo) + { #ifdef USE_LZO - case GNUTLS_COMP_LZO:{ - lzo_uint out_size; - lzo_uint new_size; + case GNUTLS_COMP_LZO: + { + lzo_uint out_size; + lzo_uint new_size; + + if (_gnutls_lzo1x_decompress_safe == NULL) + return GNUTLS_E_DECOMPRESSION_FAILED; + + *plain = NULL; + out_size = compressed_size + compressed_size; + plain_size = 0; + + do + { + out_size += 512; + *plain = gnutls_realloc_fast (*plain, out_size); + if (*plain == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } - if (_gnutls_lzo1x_decompress_safe == NULL) - return GNUTLS_E_DECOMPRESSION_FAILED; + new_size = out_size; + err = + _gnutls_lzo1x_decompress_safe (compressed, + compressed_size, *plain, + &new_size, NULL); + } + while ((err == LZO_E_OUTPUT_OVERRUN && out_size < max_record_size)); + + if (err != LZO_E_OK) + { + gnutls_assert (); + gnutls_free (*plain); *plain = NULL; - out_size = compressed_size + compressed_size; - plain_size = 0; - - do { - out_size += 512; - *plain = gnutls_realloc_fast(*plain, out_size); - if (*plain == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - new_size = out_size; - err = - _gnutls_lzo1x_decompress_safe(compressed, - compressed_size, *plain, - &new_size, NULL); - - } while ((err == LZO_E_OUTPUT_OVERRUN - && out_size < max_record_size)); - - if (err != LZO_E_OK) { - gnutls_assert(); - gnutls_free(*plain); - *plain = NULL; - return GNUTLS_E_DECOMPRESSION_FAILED; - } + return GNUTLS_E_DECOMPRESSION_FAILED; + } - plain_size = new_size; - break; - } + plain_size = new_size; + break; + } #endif #ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE:{ - uLongf out_size; - z_stream *zhandle; + case GNUTLS_COMP_DEFLATE: + { + uLongf out_size; + z_stream *zhandle; - *plain = NULL; - out_size = compressed_size + compressed_size; - plain_size = 0; + *plain = NULL; + out_size = compressed_size + compressed_size; + plain_size = 0; - zhandle = handle->handle; + zhandle = handle->handle; - zhandle->next_in = (Bytef *) compressed; - zhandle->avail_in = compressed_size; + zhandle->next_in = (Bytef *) compressed; + zhandle->avail_in = compressed_size; - cur_pos = 0; + cur_pos = 0; - do { - out_size += 512; - *plain = gnutls_realloc_fast(*plain, out_size); - if (*plain == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + do + { + out_size += 512; + *plain = gnutls_realloc_fast (*plain, out_size); + if (*plain == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } - zhandle->next_out = (Bytef *) (*plain + cur_pos); - zhandle->avail_out = out_size - cur_pos; + zhandle->next_out = (Bytef *) (*plain + cur_pos); + zhandle->avail_out = out_size - cur_pos; - err = inflate(zhandle, Z_SYNC_FLUSH); + err = inflate (zhandle, Z_SYNC_FLUSH); - cur_pos = out_size - zhandle->avail_out; + cur_pos = out_size - zhandle->avail_out; - } while ((err == Z_BUF_ERROR && zhandle->avail_out == 0 - && out_size < max_record_size) - || (err == Z_OK && zhandle->avail_in != 0)); + } + while ((err == Z_BUF_ERROR && zhandle->avail_out == 0 + && out_size < max_record_size) + || (err == Z_OK && zhandle->avail_in != 0)); - if (err != Z_OK) { - gnutls_assert(); - gnutls_free(*plain); - *plain = NULL; - return GNUTLS_E_DECOMPRESSION_FAILED; - } + if (err != Z_OK) + { + gnutls_assert (); + gnutls_free (*plain); + *plain = NULL; + return GNUTLS_E_DECOMPRESSION_FAILED; + } - plain_size = out_size - zhandle->avail_out; - break; - } + plain_size = out_size - zhandle->avail_out; + break; + } #endif default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } /* switch */ - if ((size_t) plain_size > max_record_size) { - gnutls_assert(); - gnutls_free(*plain); - *plain = NULL; - return GNUTLS_E_DECOMPRESSION_FAILED; + if ((size_t) plain_size > max_record_size) + { + gnutls_assert (); + gnutls_free (*plain); + *plain = NULL; + return GNUTLS_E_DECOMPRESSION_FAILED; } - return plain_size; + return plain_size; } diff --git a/lib/gnutls_compress_int.h b/lib/gnutls_compress_int.h index b7e0ebc0af..b18cf05a63 100644 --- a/lib/gnutls_compress_int.h +++ b/lib/gnutls_compress_int.h @@ -31,18 +31,19 @@ #define GNUTLS_COMP_FAILED NULL -typedef struct comp_hd_t_STRUCT { - void *handle; - gnutls_compression_method_t algo; +typedef struct comp_hd_t_STRUCT +{ + void *handle; + gnutls_compression_method_t algo; } *comp_hd_t; -comp_hd_t _gnutls_comp_init(gnutls_compression_method_t, int d); -void _gnutls_comp_deinit(comp_hd_t handle, int d); +comp_hd_t _gnutls_comp_init (gnutls_compression_method_t, int d); +void _gnutls_comp_deinit (comp_hd_t handle, int d); -int _gnutls_decompress(comp_hd_t handle, opaque * compressed, - size_t compressed_size, opaque ** plain, - size_t max_record_size); -int _gnutls_compress(comp_hd_t, const opaque * plain, size_t plain_size, - opaque ** compressed, size_t max_comp_size); +int _gnutls_decompress (comp_hd_t handle, opaque * compressed, + size_t compressed_size, opaque ** plain, + size_t max_record_size); +int _gnutls_compress (comp_hd_t, const opaque * plain, size_t plain_size, + opaque ** compressed, size_t max_comp_size); #endif diff --git a/lib/gnutls_constate.c b/lib/gnutls_constate.c index 2f56869b95..3ac7b3ef2e 100644 --- a/lib/gnutls_constate.c +++ b/lib/gnutls_constate.c @@ -36,16 +36,16 @@ #include <gnutls_state.h> static const char keyexp[] = "key expansion"; -static const int keyexp_length = sizeof(keyexp) - 1; +static const int keyexp_length = sizeof (keyexp) - 1; static const char ivblock[] = "IV block"; -static const int ivblock_length = sizeof(ivblock) - 1; +static const int ivblock_length = sizeof (ivblock) - 1; static const char cliwrite[] = "client write key"; -static const int cliwrite_length = sizeof(cliwrite) - 1; +static const int cliwrite_length = sizeof (cliwrite) - 1; static const char servwrite[] = "server write key"; -static const int servwrite_length = sizeof(servwrite) - 1; +static const int servwrite_length = sizeof (servwrite) - 1; #define EXPORT_FINAL_KEY_SIZE 16 @@ -54,341 +54,379 @@ static const int servwrite_length = sizeof(servwrite) - 1; * This function creates the keys and stores them into pending session. * (session->cipher_specs) */ -int _gnutls_set_keys(gnutls_session_t session, int hash_size, int IV_size, - int key_size, int export_flag) +int +_gnutls_set_keys (gnutls_session_t session, int hash_size, int IV_size, + int key_size, int export_flag) { /* FIXME: This function is too long */ - opaque *key_block; - opaque rnd[2 * TLS_RANDOM_SIZE]; - opaque rrnd[2 * TLS_RANDOM_SIZE]; - int pos, ret; - int block_size; - char buf[65]; - - if (session->cipher_specs.generated_keys != 0) { - /* keys have already been generated. - * reset generated_keys and exit normally. - */ - session->cipher_specs.generated_keys = 0; - return 0; - } - - block_size = 2 * hash_size + 2 * key_size; - if (export_flag == 0) - block_size += 2 * IV_size; - - key_block = gnutls_secure_malloc(block_size); - if (key_block == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy(rnd, session->security_parameters.server_random, - TLS_RANDOM_SIZE); - memcpy(&rnd[TLS_RANDOM_SIZE], - session->security_parameters.client_random, TLS_RANDOM_SIZE); - - memcpy(rrnd, session->security_parameters.client_random, - TLS_RANDOM_SIZE); - memcpy(&rrnd[TLS_RANDOM_SIZE], - session->security_parameters.server_random, TLS_RANDOM_SIZE); - - if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ - ret = - _gnutls_ssl3_generate_random(session-> - security_parameters. - master_secret, - TLS_MASTER_SIZE, rnd, - 2 * TLS_RANDOM_SIZE, - block_size, key_block); - } else { /* TLS 1.0 */ - ret = - _gnutls_PRF(session->security_parameters.master_secret, - TLS_MASTER_SIZE, keyexp, keyexp_length, - rnd, 2 * TLS_RANDOM_SIZE, block_size, - key_block); - } - - if (ret < 0) { - gnutls_assert(); - gnutls_free(key_block); - return ret; - } - - _gnutls_hard_log("INT: KEY BLOCK[%d]: %s\n", block_size, - _gnutls_bin2hex(key_block, block_size, buf, - sizeof(buf))); - - pos = 0; - if (hash_size > 0) { - if (_gnutls_sset_datum - (&session->cipher_specs.client_write_mac_secret, - &key_block[pos], hash_size) < 0) { - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - pos += hash_size; + opaque *key_block; + opaque rnd[2 * TLS_RANDOM_SIZE]; + opaque rrnd[2 * TLS_RANDOM_SIZE]; + int pos, ret; + int block_size; + char buf[65]; + + if (session->cipher_specs.generated_keys != 0) + { + /* keys have already been generated. + * reset generated_keys and exit normally. + */ + session->cipher_specs.generated_keys = 0; + return 0; + } - if (_gnutls_sset_datum - (&session->cipher_specs.server_write_mac_secret, - &key_block[pos], hash_size) < 0) { - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - pos += hash_size; + block_size = 2 * hash_size + 2 * key_size; + if (export_flag == 0) + block_size += 2 * IV_size; + + key_block = gnutls_secure_malloc (block_size); + if (key_block == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - if (key_size > 0) { - opaque *client_write_key, *server_write_key; - int client_write_key_size, server_write_key_size; - int free_keys = 0; + memcpy (rnd, session->security_parameters.server_random, TLS_RANDOM_SIZE); + memcpy (&rnd[TLS_RANDOM_SIZE], + session->security_parameters.client_random, TLS_RANDOM_SIZE); + + memcpy (rrnd, session->security_parameters.client_random, TLS_RANDOM_SIZE); + memcpy (&rrnd[TLS_RANDOM_SIZE], + session->security_parameters.server_random, TLS_RANDOM_SIZE); + + if (session->security_parameters.version == GNUTLS_SSL3) + { /* SSL 3 */ + ret = + _gnutls_ssl3_generate_random (session-> + security_parameters. + master_secret, + TLS_MASTER_SIZE, rnd, + 2 * TLS_RANDOM_SIZE, + block_size, key_block); + } + else + { /* TLS 1.0 */ + ret = + _gnutls_PRF (session->security_parameters.master_secret, + TLS_MASTER_SIZE, keyexp, keyexp_length, + rnd, 2 * TLS_RANDOM_SIZE, block_size, key_block); + } - if (export_flag == 0) { - client_write_key = &key_block[pos]; - client_write_key_size = key_size; + if (ret < 0) + { + gnutls_assert (); + gnutls_free (key_block); + return ret; + } - pos += key_size; + _gnutls_hard_log ("INT: KEY BLOCK[%d]: %s\n", block_size, + _gnutls_bin2hex (key_block, block_size, buf, + sizeof (buf))); + + pos = 0; + if (hash_size > 0) + { + if (_gnutls_sset_datum + (&session->cipher_specs.client_write_mac_secret, + &key_block[pos], hash_size) < 0) + { + gnutls_free (key_block); + return GNUTLS_E_MEMORY_ERROR; + } + pos += hash_size; + + if (_gnutls_sset_datum + (&session->cipher_specs.server_write_mac_secret, + &key_block[pos], hash_size) < 0) + { + gnutls_free (key_block); + return GNUTLS_E_MEMORY_ERROR; + } + pos += hash_size; + } + + if (key_size > 0) + { + opaque *client_write_key, *server_write_key; + int client_write_key_size, server_write_key_size; + int free_keys = 0; - server_write_key = &key_block[pos]; - server_write_key_size = key_size; + if (export_flag == 0) + { + client_write_key = &key_block[pos]; + client_write_key_size = key_size; - pos += key_size; + pos += key_size; - } else { /* export */ - free_keys = 1; + server_write_key = &key_block[pos]; + server_write_key_size = key_size; - client_write_key = gnutls_secure_malloc(EXPORT_FINAL_KEY_SIZE); - if (client_write_key == NULL) { - gnutls_assert(); - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; + pos += key_size; + + } + else + { /* export */ + free_keys = 1; + + client_write_key = gnutls_secure_malloc (EXPORT_FINAL_KEY_SIZE); + if (client_write_key == NULL) + { + gnutls_assert (); + gnutls_free (key_block); + return GNUTLS_E_MEMORY_ERROR; } - server_write_key = gnutls_secure_malloc(EXPORT_FINAL_KEY_SIZE); - if (server_write_key == NULL) { - gnutls_assert(); - gnutls_free(key_block); - gnutls_free(client_write_key); - return GNUTLS_E_MEMORY_ERROR; + server_write_key = gnutls_secure_malloc (EXPORT_FINAL_KEY_SIZE); + if (server_write_key == NULL) + { + gnutls_assert (); + gnutls_free (key_block); + gnutls_free (client_write_key); + return GNUTLS_E_MEMORY_ERROR; } - /* generate the final keys */ - - if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ - ret = - _gnutls_ssl3_hash_md5(&key_block[pos], - key_size, rrnd, - 2 * TLS_RANDOM_SIZE, - EXPORT_FINAL_KEY_SIZE, - client_write_key); - - } else { /* TLS 1.0 */ - ret = - _gnutls_PRF(&key_block[pos], key_size, - cliwrite, cliwrite_length, - rrnd, - 2 * TLS_RANDOM_SIZE, - EXPORT_FINAL_KEY_SIZE, client_write_key); + /* generate the final keys */ + + if (session->security_parameters.version == GNUTLS_SSL3) + { /* SSL 3 */ + ret = + _gnutls_ssl3_hash_md5 (&key_block[pos], + key_size, rrnd, + 2 * TLS_RANDOM_SIZE, + EXPORT_FINAL_KEY_SIZE, + client_write_key); + + } + else + { /* TLS 1.0 */ + ret = + _gnutls_PRF (&key_block[pos], key_size, + cliwrite, cliwrite_length, + rrnd, + 2 * TLS_RANDOM_SIZE, + EXPORT_FINAL_KEY_SIZE, client_write_key); } - if (ret < 0) { - gnutls_assert(); - gnutls_free(key_block); - gnutls_free(server_write_key); - gnutls_free(client_write_key); - return ret; + if (ret < 0) + { + gnutls_assert (); + gnutls_free (key_block); + gnutls_free (server_write_key); + gnutls_free (client_write_key); + return ret; } - client_write_key_size = EXPORT_FINAL_KEY_SIZE; - pos += key_size; - - if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ - ret = - _gnutls_ssl3_hash_md5(&key_block[pos], key_size, - rnd, 2 * TLS_RANDOM_SIZE, - EXPORT_FINAL_KEY_SIZE, - server_write_key); - } else { /* TLS 1.0 */ - ret = - _gnutls_PRF(&key_block[pos], key_size, - servwrite, servwrite_length, - rrnd, 2 * TLS_RANDOM_SIZE, - EXPORT_FINAL_KEY_SIZE, server_write_key); + client_write_key_size = EXPORT_FINAL_KEY_SIZE; + pos += key_size; + + if (session->security_parameters.version == GNUTLS_SSL3) + { /* SSL 3 */ + ret = + _gnutls_ssl3_hash_md5 (&key_block[pos], key_size, + rnd, 2 * TLS_RANDOM_SIZE, + EXPORT_FINAL_KEY_SIZE, + server_write_key); + } + else + { /* TLS 1.0 */ + ret = + _gnutls_PRF (&key_block[pos], key_size, + servwrite, servwrite_length, + rrnd, 2 * TLS_RANDOM_SIZE, + EXPORT_FINAL_KEY_SIZE, server_write_key); } - if (ret < 0) { - gnutls_assert(); - gnutls_free(key_block); - gnutls_free(server_write_key); - gnutls_free(client_write_key); - return ret; + if (ret < 0) + { + gnutls_assert (); + gnutls_free (key_block); + gnutls_free (server_write_key); + gnutls_free (client_write_key); + return ret; } - server_write_key_size = EXPORT_FINAL_KEY_SIZE; - pos += key_size; + server_write_key_size = EXPORT_FINAL_KEY_SIZE; + pos += key_size; } - if (_gnutls_sset_datum - (&session->cipher_specs.client_write_key, - client_write_key, client_write_key_size) < 0) { - gnutls_free(key_block); - gnutls_free(server_write_key); - gnutls_free(client_write_key); - return GNUTLS_E_MEMORY_ERROR; + if (_gnutls_sset_datum + (&session->cipher_specs.client_write_key, + client_write_key, client_write_key_size) < 0) + { + gnutls_free (key_block); + gnutls_free (server_write_key); + gnutls_free (client_write_key); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_hard_log("INT: CLIENT WRITE KEY [%d]: %s\n", - client_write_key_size, - _gnutls_bin2hex(client_write_key, + _gnutls_hard_log ("INT: CLIENT WRITE KEY [%d]: %s\n", + client_write_key_size, + _gnutls_bin2hex (client_write_key, client_write_key_size, buf, - sizeof(buf))); - - if (_gnutls_sset_datum - (&session->cipher_specs.server_write_key, - server_write_key, server_write_key_size) < 0) { - gnutls_free(key_block); - gnutls_free(server_write_key); - gnutls_free(client_write_key); - return GNUTLS_E_MEMORY_ERROR; + sizeof (buf))); + + if (_gnutls_sset_datum + (&session->cipher_specs.server_write_key, + server_write_key, server_write_key_size) < 0) + { + gnutls_free (key_block); + gnutls_free (server_write_key); + gnutls_free (client_write_key); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_hard_log("INT: SERVER WRITE KEY [%d]: %s\n", - server_write_key_size, - _gnutls_bin2hex(server_write_key, + _gnutls_hard_log ("INT: SERVER WRITE KEY [%d]: %s\n", + server_write_key_size, + _gnutls_bin2hex (server_write_key, server_write_key_size, buf, - sizeof(buf))); + sizeof (buf))); - if (free_keys != 0) { - gnutls_free(server_write_key); - gnutls_free(client_write_key); + if (free_keys != 0) + { + gnutls_free (server_write_key); + gnutls_free (client_write_key); } } - /* IV generation in export and non export ciphers. - */ - if (IV_size > 0 && export_flag == 0) { - if (_gnutls_sset_datum - (&session->cipher_specs.client_write_IV, &key_block[pos], - IV_size) < 0) { - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; + /* IV generation in export and non export ciphers. + */ + if (IV_size > 0 && export_flag == 0) + { + if (_gnutls_sset_datum + (&session->cipher_specs.client_write_IV, &key_block[pos], + IV_size) < 0) + { + gnutls_free (key_block); + return GNUTLS_E_MEMORY_ERROR; } - pos += IV_size; - - if (_gnutls_sset_datum - (&session->cipher_specs.server_write_IV, &key_block[pos], - IV_size) < 0) { - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; + pos += IV_size; + + if (_gnutls_sset_datum + (&session->cipher_specs.server_write_IV, &key_block[pos], + IV_size) < 0) + { + gnutls_free (key_block); + return GNUTLS_E_MEMORY_ERROR; } - pos += IV_size; - - } else if (IV_size > 0 && export_flag != 0) { - opaque *iv_block = gnutls_alloca(IV_size * 2); - if (iv_block == NULL) { - gnutls_assert(); - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; + pos += IV_size; + + } + else if (IV_size > 0 && export_flag != 0) + { + opaque *iv_block = gnutls_alloca (IV_size * 2); + if (iv_block == NULL) + { + gnutls_assert (); + gnutls_free (key_block); + return GNUTLS_E_MEMORY_ERROR; } - if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ - ret = - _gnutls_ssl3_hash_md5("", 0, - rrnd, TLS_RANDOM_SIZE * 2, - IV_size, iv_block); - - if (ret < 0) { - gnutls_assert(); - gnutls_free(key_block); - gnutls_afree(iv_block); - return ret; + if (session->security_parameters.version == GNUTLS_SSL3) + { /* SSL 3 */ + ret = + _gnutls_ssl3_hash_md5 ("", 0, + rrnd, TLS_RANDOM_SIZE * 2, + IV_size, iv_block); + + if (ret < 0) + { + gnutls_assert (); + gnutls_free (key_block); + gnutls_afree (iv_block); + return ret; } - ret = - _gnutls_ssl3_hash_md5("", 0, rnd, - TLS_RANDOM_SIZE * 2, - IV_size, &iv_block[IV_size]); + ret = + _gnutls_ssl3_hash_md5 ("", 0, rnd, + TLS_RANDOM_SIZE * 2, + IV_size, &iv_block[IV_size]); - } else { /* TLS 1.0 */ - ret = - _gnutls_PRF("", 0, - ivblock, ivblock_length, rrnd, - 2 * TLS_RANDOM_SIZE, IV_size * 2, iv_block); + } + else + { /* TLS 1.0 */ + ret = + _gnutls_PRF ("", 0, + ivblock, ivblock_length, rrnd, + 2 * TLS_RANDOM_SIZE, IV_size * 2, iv_block); } - if (ret < 0) { - gnutls_assert(); - gnutls_afree(iv_block); - gnutls_free(key_block); - return ret; + if (ret < 0) + { + gnutls_assert (); + gnutls_afree (iv_block); + gnutls_free (key_block); + return ret; } - if (_gnutls_sset_datum - (&session->cipher_specs.client_write_IV, iv_block, - IV_size) < 0) { - gnutls_afree(iv_block); - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; + if (_gnutls_sset_datum + (&session->cipher_specs.client_write_IV, iv_block, IV_size) < 0) + { + gnutls_afree (iv_block); + gnutls_free (key_block); + return GNUTLS_E_MEMORY_ERROR; } - if (_gnutls_sset_datum - (&session->cipher_specs.server_write_IV, - &iv_block[IV_size], IV_size) < 0) { - gnutls_afree(iv_block); - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; + if (_gnutls_sset_datum + (&session->cipher_specs.server_write_IV, + &iv_block[IV_size], IV_size) < 0) + { + gnutls_afree (iv_block); + gnutls_free (key_block); + return GNUTLS_E_MEMORY_ERROR; } - gnutls_afree(iv_block); + gnutls_afree (iv_block); } - gnutls_free(key_block); + gnutls_free (key_block); - session->cipher_specs.generated_keys = 1; + session->cipher_specs.generated_keys = 1; - return 0; + return 0; } -int _gnutls_set_read_keys(gnutls_session_t session) +int +_gnutls_set_read_keys (gnutls_session_t session) { - int hash_size; - int IV_size; - int key_size, export_flag; - gnutls_cipher_algorithm_t algo; - gnutls_mac_algorithm_t mac_algo; - - mac_algo = session->security_parameters.read_mac_algorithm; - algo = session->security_parameters.read_bulk_cipher_algorithm; - - hash_size = _gnutls_hash_get_algo_len(mac_algo); - IV_size = _gnutls_cipher_get_iv_size(algo); - key_size = gnutls_cipher_get_key_size(algo); - export_flag = _gnutls_cipher_get_export_flag(algo); - - return _gnutls_set_keys(session, hash_size, IV_size, key_size, - export_flag); + int hash_size; + int IV_size; + int key_size, export_flag; + gnutls_cipher_algorithm_t algo; + gnutls_mac_algorithm_t mac_algo; + + mac_algo = session->security_parameters.read_mac_algorithm; + algo = session->security_parameters.read_bulk_cipher_algorithm; + + hash_size = _gnutls_hash_get_algo_len (mac_algo); + IV_size = _gnutls_cipher_get_iv_size (algo); + key_size = gnutls_cipher_get_key_size (algo); + export_flag = _gnutls_cipher_get_export_flag (algo); + + return _gnutls_set_keys (session, hash_size, IV_size, key_size, + export_flag); } -int _gnutls_set_write_keys(gnutls_session_t session) +int +_gnutls_set_write_keys (gnutls_session_t session) { - int hash_size; - int IV_size; - int key_size, export_flag; - gnutls_cipher_algorithm_t algo; - gnutls_mac_algorithm_t mac_algo; - - mac_algo = session->security_parameters.write_mac_algorithm; - algo = session->security_parameters.write_bulk_cipher_algorithm; - - hash_size = _gnutls_hash_get_algo_len(mac_algo); - IV_size = _gnutls_cipher_get_iv_size(algo); - key_size = gnutls_cipher_get_key_size(algo); - export_flag = _gnutls_cipher_get_export_flag(algo); - - return _gnutls_set_keys(session, hash_size, IV_size, key_size, - export_flag); + int hash_size; + int IV_size; + int key_size, export_flag; + gnutls_cipher_algorithm_t algo; + gnutls_mac_algorithm_t mac_algo; + + mac_algo = session->security_parameters.write_mac_algorithm; + algo = session->security_parameters.write_bulk_cipher_algorithm; + + hash_size = _gnutls_hash_get_algo_len (mac_algo); + IV_size = _gnutls_cipher_get_iv_size (algo); + key_size = gnutls_cipher_get_key_size (algo); + export_flag = _gnutls_cipher_get_export_flag (algo); + + return _gnutls_set_keys (session, hash_size, IV_size, key_size, + export_flag); } #define CPY_COMMON dst->entity = src->entity; \ @@ -406,28 +444,26 @@ int _gnutls_set_write_keys(gnutls_session_t session) dst->version = src->version; \ memcpy( &dst->extensions, &src->extensions, sizeof(tls_ext_st)); -static void _gnutls_cpy_read_security_parameters(security_parameters_st * - dst, - security_parameters_st * - src) +static void +_gnutls_cpy_read_security_parameters (security_parameters_st * + dst, security_parameters_st * src) { - CPY_COMMON; + CPY_COMMON; - dst->read_bulk_cipher_algorithm = src->read_bulk_cipher_algorithm; - dst->read_mac_algorithm = src->read_mac_algorithm; - dst->read_compression_algorithm = src->read_compression_algorithm; + dst->read_bulk_cipher_algorithm = src->read_bulk_cipher_algorithm; + dst->read_mac_algorithm = src->read_mac_algorithm; + dst->read_compression_algorithm = src->read_compression_algorithm; } -static void _gnutls_cpy_write_security_parameters(security_parameters_st * - dst, - security_parameters_st * - src) +static void +_gnutls_cpy_write_security_parameters (security_parameters_st * + dst, security_parameters_st * src) { - CPY_COMMON; + CPY_COMMON; - dst->write_bulk_cipher_algorithm = src->write_bulk_cipher_algorithm; - dst->write_mac_algorithm = src->write_mac_algorithm; - dst->write_compression_algorithm = src->write_compression_algorithm; + dst->write_bulk_cipher_algorithm = src->write_bulk_cipher_algorithm; + dst->write_mac_algorithm = src->write_mac_algorithm; + dst->write_compression_algorithm = src->write_compression_algorithm; } /* Sets the current connection session to conform with the @@ -436,197 +472,210 @@ static void _gnutls_cpy_write_security_parameters(security_parameters_st * * secrets and random numbers to have been negotiated) * This is to be called after sending the Change Cipher Spec packet. */ -int _gnutls_connection_state_init(gnutls_session_t session) +int +_gnutls_connection_state_init (gnutls_session_t session) { - int ret; + int ret; /* Setup the master secret */ - if ((ret = _gnutls_generate_master(session, 0), 0) < 0) { - gnutls_assert(); - return ret; + if ((ret = _gnutls_generate_master (session, 0), 0) < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } /* Initializes the read connection session * (read encrypted data) */ -int _gnutls_read_connection_state_init(gnutls_session_t session) +int +_gnutls_read_connection_state_init (gnutls_session_t session) { - int mac_size; - int rc; + int mac_size; + int rc; - _gnutls_uint64zero(session->connection_state.read_sequence_number); + _gnutls_uint64zero (session->connection_state.read_sequence_number); /* Update internals from CipherSuite selected. * If we are resuming just copy the connection session */ - if (session->internals.resumed == RESUME_FALSE) { - rc = _gnutls_set_read_cipher(session, - _gnutls_cipher_suite_get_cipher_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - rc = _gnutls_set_read_mac(session, - _gnutls_cipher_suite_get_mac_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; + if (session->internals.resumed == RESUME_FALSE) + { + rc = _gnutls_set_read_cipher (session, + _gnutls_cipher_suite_get_cipher_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) + return rc; + rc = _gnutls_set_read_mac (session, + _gnutls_cipher_suite_get_mac_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) + return rc; - rc = _gnutls_set_kx(session, - _gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; + rc = _gnutls_set_kx (session, + _gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) + return rc; - rc = _gnutls_set_read_compression(session, - session->internals. - compression_method); - if (rc < 0) - return rc; - } else { /* RESUME_TRUE */ - _gnutls_cpy_read_security_parameters(&session-> - security_parameters, - &session-> - internals. - resumed_security_parameters); + rc = _gnutls_set_read_compression (session, + session->internals. + compression_method); + if (rc < 0) + return rc; + } + else + { /* RESUME_TRUE */ + _gnutls_cpy_read_security_parameters (&session-> + security_parameters, + &session-> + internals. + resumed_security_parameters); } - rc = _gnutls_set_read_keys(session); - if (rc < 0) - return rc; + rc = _gnutls_set_read_keys (session); + if (rc < 0) + return rc; - _gnutls_handshake_log("HSK[%x]: Cipher Suite: %s\n", - session, _gnutls_cipher_suite_get_name(&session-> + _gnutls_handshake_log ("HSK[%x]: Cipher Suite: %s\n", + session, _gnutls_cipher_suite_get_name (&session-> security_parameters. current_cipher_suite)); - if (_gnutls_compression_is_ok - (session->security_parameters.read_compression_algorithm) != 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + if (_gnutls_compression_is_ok + (session->security_parameters.read_compression_algorithm) != 0) + { + gnutls_assert (); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; } - if (_gnutls_mac_is_ok - (session->security_parameters.read_mac_algorithm) != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (_gnutls_mac_is_ok + (session->security_parameters.read_mac_algorithm) != 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* Free all the previous keys/ sessions etc. - */ - if (session->connection_state.read_mac_secret.data != NULL) - _gnutls_free_datum(&session->connection_state.read_mac_secret); + /* Free all the previous keys/ sessions etc. + */ + if (session->connection_state.read_mac_secret.data != NULL) + _gnutls_free_datum (&session->connection_state.read_mac_secret); - if (session->connection_state.read_cipher_state != NULL) - _gnutls_cipher_deinit(session->connection_state.read_cipher_state); + if (session->connection_state.read_cipher_state != NULL) + _gnutls_cipher_deinit (session->connection_state.read_cipher_state); - if (session->connection_state.read_compression_state != NULL) - _gnutls_comp_deinit(session->connection_state. - read_compression_state, 1); + if (session->connection_state.read_compression_state != NULL) + _gnutls_comp_deinit (session->connection_state.read_compression_state, 1); - mac_size = - _gnutls_hash_get_algo_len(session->security_parameters. - read_mac_algorithm); + mac_size = + _gnutls_hash_get_algo_len (session->security_parameters. + read_mac_algorithm); - _gnutls_handshake_log - ("HSK[%x]: Initializing internal [read] cipher sessions\n", - session); + _gnutls_handshake_log + ("HSK[%x]: Initializing internal [read] cipher sessions\n", session); - switch (session->security_parameters.entity) { + switch (session->security_parameters.entity) + { case GNUTLS_SERVER: - /* initialize cipher session - */ - session->connection_state.read_cipher_state = - _gnutls_cipher_init(session->security_parameters. - read_bulk_cipher_algorithm, - &session->cipher_specs. - client_write_key, - &session->cipher_specs.client_write_IV); - if (session->connection_state.read_cipher_state == - GNUTLS_CIPHER_FAILED - && session->security_parameters. - read_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + /* initialize cipher session + */ + session->connection_state.read_cipher_state = + _gnutls_cipher_init (session->security_parameters. + read_bulk_cipher_algorithm, + &session->cipher_specs. + client_write_key, + &session->cipher_specs.client_write_IV); + if (session->connection_state.read_cipher_state == + GNUTLS_CIPHER_FAILED + && session->security_parameters. + read_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* copy mac secrets from cipherspecs, to connection - * session. - */ - if (mac_size > 0) { - if (_gnutls_sset_datum(&session->connection_state. - read_mac_secret, - session->cipher_specs. - client_write_mac_secret.data, - session->cipher_specs. - client_write_mac_secret.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* copy mac secrets from cipherspecs, to connection + * session. + */ + if (mac_size > 0) + { + if (_gnutls_sset_datum (&session->connection_state. + read_mac_secret, + session->cipher_specs. + client_write_mac_secret.data, + session->cipher_specs. + client_write_mac_secret.size) < 0) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } } - break; + break; case GNUTLS_CLIENT: - session->connection_state.read_cipher_state = - _gnutls_cipher_init(session->security_parameters. - read_bulk_cipher_algorithm, - &session->cipher_specs. - server_write_key, - &session->cipher_specs.server_write_IV); - - if (session->connection_state.read_cipher_state == - GNUTLS_CIPHER_FAILED - && session->security_parameters. - read_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + session->connection_state.read_cipher_state = + _gnutls_cipher_init (session->security_parameters. + read_bulk_cipher_algorithm, + &session->cipher_specs. + server_write_key, + &session->cipher_specs.server_write_IV); + + if (session->connection_state.read_cipher_state == + GNUTLS_CIPHER_FAILED + && session->security_parameters. + read_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* copy mac secret to connection session - */ - if (mac_size > 0) { - if (_gnutls_sset_datum(&session->connection_state. - read_mac_secret, - session->cipher_specs. - server_write_mac_secret.data, - session->cipher_specs. - server_write_mac_secret.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* copy mac secret to connection session + */ + if (mac_size > 0) + { + if (_gnutls_sset_datum (&session->connection_state. + read_mac_secret, + session->cipher_specs. + server_write_mac_secret.data, + session->cipher_specs. + server_write_mac_secret.size) < 0) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } } - break; + break; default: /* this check is useless */ - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - session->connection_state.read_compression_state = - _gnutls_comp_init(session->security_parameters. - read_compression_algorithm, 1); + session->connection_state.read_compression_state = + _gnutls_comp_init (session->security_parameters. + read_compression_algorithm, 1); - if (session->connection_state.read_compression_state == - GNUTLS_COMP_FAILED) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + if (session->connection_state.read_compression_state == GNUTLS_COMP_FAILED) + { + gnutls_assert (); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; } - return 0; + return 0; } @@ -634,317 +683,359 @@ int _gnutls_read_connection_state_init(gnutls_session_t session) /* Initializes the write connection session * (write encrypted data) */ -int _gnutls_write_connection_state_init(gnutls_session_t session) +int +_gnutls_write_connection_state_init (gnutls_session_t session) { - int mac_size; - int rc; + int mac_size; + int rc; - _gnutls_uint64zero(session->connection_state.write_sequence_number); + _gnutls_uint64zero (session->connection_state.write_sequence_number); /* Update internals from CipherSuite selected. * If we are resuming just copy the connection session */ - if (session->internals.resumed == RESUME_FALSE) { - rc = _gnutls_set_write_cipher(session, - _gnutls_cipher_suite_get_cipher_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - rc = _gnutls_set_write_mac(session, - _gnutls_cipher_suite_get_mac_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - - rc = _gnutls_set_kx(session, - _gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - - rc = _gnutls_set_write_compression(session, - session->internals. - compression_method); - if (rc < 0) - return rc; - } else { /* RESUME_TRUE */ - _gnutls_cpy_write_security_parameters(&session-> - security_parameters, - &session-> - internals. - resumed_security_parameters); - } - - rc = _gnutls_set_write_keys(session); - if (rc < 0) + if (session->internals.resumed == RESUME_FALSE) + { + rc = _gnutls_set_write_cipher (session, + _gnutls_cipher_suite_get_cipher_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) + return rc; + rc = _gnutls_set_write_mac (session, + _gnutls_cipher_suite_get_mac_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) return rc; - _gnutls_handshake_log("HSK[%x]: Cipher Suite: %s\n", session, - _gnutls_cipher_suite_get_name(&session-> + rc = _gnutls_set_kx (session, + _gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) + return rc; + + rc = _gnutls_set_write_compression (session, + session->internals. + compression_method); + if (rc < 0) + return rc; + } + else + { /* RESUME_TRUE */ + _gnutls_cpy_write_security_parameters (&session-> + security_parameters, + &session-> + internals. + resumed_security_parameters); + } + + rc = _gnutls_set_write_keys (session); + if (rc < 0) + return rc; + + _gnutls_handshake_log ("HSK[%x]: Cipher Suite: %s\n", session, + _gnutls_cipher_suite_get_name (&session-> security_parameters. current_cipher_suite)); - if (_gnutls_compression_is_ok - (session->security_parameters.write_compression_algorithm) != 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + if (_gnutls_compression_is_ok + (session->security_parameters.write_compression_algorithm) != 0) + { + gnutls_assert (); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; } - if (_gnutls_mac_is_ok - (session->security_parameters.write_mac_algorithm) != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (_gnutls_mac_is_ok + (session->security_parameters.write_mac_algorithm) != 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* Free all the previous keys/ sessions etc. - */ - if (session->connection_state.write_mac_secret.data != NULL) - _gnutls_free_datum(&session->connection_state.write_mac_secret); + /* Free all the previous keys/ sessions etc. + */ + if (session->connection_state.write_mac_secret.data != NULL) + _gnutls_free_datum (&session->connection_state.write_mac_secret); - if (session->connection_state.write_cipher_state != NULL) - _gnutls_cipher_deinit(session->connection_state. - write_cipher_state); + if (session->connection_state.write_cipher_state != NULL) + _gnutls_cipher_deinit (session->connection_state.write_cipher_state); - if (session->connection_state.write_compression_state != NULL) - _gnutls_comp_deinit(session->connection_state. - write_compression_state, 0); + if (session->connection_state.write_compression_state != NULL) + _gnutls_comp_deinit (session->connection_state. + write_compression_state, 0); - mac_size = - _gnutls_hash_get_algo_len(session->security_parameters. - write_mac_algorithm); + mac_size = + _gnutls_hash_get_algo_len (session->security_parameters. + write_mac_algorithm); - _gnutls_handshake_log - ("HSK[%x]: Initializing internal [write] cipher sessions\n", - session); + _gnutls_handshake_log + ("HSK[%x]: Initializing internal [write] cipher sessions\n", session); - switch (session->security_parameters.entity) { + switch (session->security_parameters.entity) + { case GNUTLS_SERVER: - /* initialize cipher session - */ - session->connection_state.write_cipher_state = - _gnutls_cipher_init(session->security_parameters. - write_bulk_cipher_algorithm, - &session->cipher_specs. - server_write_key, - &session->cipher_specs.server_write_IV); - - if (session->connection_state.write_cipher_state == - GNUTLS_CIPHER_FAILED - && session->security_parameters. - write_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + /* initialize cipher session + */ + session->connection_state.write_cipher_state = + _gnutls_cipher_init (session->security_parameters. + write_bulk_cipher_algorithm, + &session->cipher_specs. + server_write_key, + &session->cipher_specs.server_write_IV); + + if (session->connection_state.write_cipher_state == + GNUTLS_CIPHER_FAILED + && session->security_parameters. + write_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* copy mac secrets from cipherspecs, to connection - * session. - */ - if (mac_size > 0) { - if (_gnutls_sset_datum(&session->connection_state. - write_mac_secret, - session->cipher_specs. - server_write_mac_secret.data, - session->cipher_specs. - server_write_mac_secret.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* copy mac secrets from cipherspecs, to connection + * session. + */ + if (mac_size > 0) + { + if (_gnutls_sset_datum (&session->connection_state. + write_mac_secret, + session->cipher_specs. + server_write_mac_secret.data, + session->cipher_specs. + server_write_mac_secret.size) < 0) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } } - break; + break; case GNUTLS_CLIENT: - session->connection_state.write_cipher_state = - _gnutls_cipher_init(session->security_parameters. - write_bulk_cipher_algorithm, - &session->cipher_specs. - client_write_key, - &session->cipher_specs.client_write_IV); - - if (session->connection_state.write_cipher_state == - GNUTLS_CIPHER_FAILED - && session->security_parameters. - write_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + session->connection_state.write_cipher_state = + _gnutls_cipher_init (session->security_parameters. + write_bulk_cipher_algorithm, + &session->cipher_specs. + client_write_key, + &session->cipher_specs.client_write_IV); + + if (session->connection_state.write_cipher_state == + GNUTLS_CIPHER_FAILED + && session->security_parameters. + write_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* copy mac secret to connection session - */ - if (mac_size > 0) { - if (_gnutls_sset_datum(&session->connection_state. - write_mac_secret, - session->cipher_specs. - client_write_mac_secret.data, - session->cipher_specs. - client_write_mac_secret.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* copy mac secret to connection session + */ + if (mac_size > 0) + { + if (_gnutls_sset_datum (&session->connection_state. + write_mac_secret, + session->cipher_specs. + client_write_mac_secret.data, + session->cipher_specs. + client_write_mac_secret.size) < 0) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } } - break; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - session->connection_state.write_compression_state = - _gnutls_comp_init(session->security_parameters. - write_compression_algorithm, 0); + session->connection_state.write_compression_state = + _gnutls_comp_init (session->security_parameters. + write_compression_algorithm, 0); - if (session->connection_state.write_compression_state == - GNUTLS_COMP_FAILED) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + if (session->connection_state.write_compression_state == GNUTLS_COMP_FAILED) + { + gnutls_assert (); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; } - return 0; + return 0; } /* Sets the specified cipher into the pending session */ -int _gnutls_set_read_cipher(gnutls_session_t session, - gnutls_cipher_algorithm_t algo) +int +_gnutls_set_read_cipher (gnutls_session_t session, + gnutls_cipher_algorithm_t algo) { - if (_gnutls_cipher_is_ok(algo) == 0) { - if (_gnutls_cipher_priority(session, algo) < 0) { - gnutls_assert(); - return GNUTLS_E_UNWANTED_ALGORITHM; + if (_gnutls_cipher_is_ok (algo) == 0) + { + if (_gnutls_cipher_priority (session, algo) < 0) + { + gnutls_assert (); + return GNUTLS_E_UNWANTED_ALGORITHM; } - session->security_parameters.read_bulk_cipher_algorithm = algo; + session->security_parameters.read_bulk_cipher_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + } + else + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - return 0; + return 0; } -int _gnutls_set_write_cipher(gnutls_session_t session, - gnutls_cipher_algorithm_t algo) +int +_gnutls_set_write_cipher (gnutls_session_t session, + gnutls_cipher_algorithm_t algo) { - if (_gnutls_cipher_is_ok(algo) == 0) { - if (_gnutls_cipher_priority(session, algo) < 0) { - gnutls_assert(); - return GNUTLS_E_UNWANTED_ALGORITHM; + if (_gnutls_cipher_is_ok (algo) == 0) + { + if (_gnutls_cipher_priority (session, algo) < 0) + { + gnutls_assert (); + return GNUTLS_E_UNWANTED_ALGORITHM; } - session->security_parameters.write_bulk_cipher_algorithm = algo; + session->security_parameters.write_bulk_cipher_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + } + else + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - return 0; + return 0; } /* Sets the specified algorithm into pending compression session */ -int _gnutls_set_read_compression(gnutls_session_t session, - gnutls_compression_method_t algo) +int +_gnutls_set_read_compression (gnutls_session_t session, + gnutls_compression_method_t algo) { - if (_gnutls_compression_is_ok(algo) == 0) { - session->security_parameters.read_compression_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + if (_gnutls_compression_is_ok (algo) == 0) + { + session->security_parameters.read_compression_algorithm = algo; + } + else + { + gnutls_assert (); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; } - return 0; + return 0; } -int _gnutls_set_write_compression(gnutls_session_t session, - gnutls_compression_method_t algo) +int +_gnutls_set_write_compression (gnutls_session_t session, + gnutls_compression_method_t algo) { - if (_gnutls_compression_is_ok(algo) == 0) { - session->security_parameters.write_compression_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + if (_gnutls_compression_is_ok (algo) == 0) + { + session->security_parameters.write_compression_algorithm = algo; } - return 0; + else + { + gnutls_assert (); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + return 0; } /* Sets the specified kx algorithm into pending session */ -int _gnutls_set_kx(gnutls_session_t session, gnutls_kx_algorithm_t algo) +int +_gnutls_set_kx (gnutls_session_t session, gnutls_kx_algorithm_t algo) { - if (_gnutls_kx_is_ok(algo) == 0) { - session->security_parameters.kx_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (_gnutls_kx_is_ok (algo) == 0) + { + session->security_parameters.kx_algorithm = algo; + } + else + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - if (_gnutls_kx_priority(session, algo) < 0) { - gnutls_assert(); - /* we shouldn't get here */ - return GNUTLS_E_UNWANTED_ALGORITHM; + if (_gnutls_kx_priority (session, algo) < 0) + { + gnutls_assert (); + /* we shouldn't get here */ + return GNUTLS_E_UNWANTED_ALGORITHM; } - return 0; + return 0; } /* Sets the specified mac algorithm into pending session */ -int _gnutls_set_read_mac(gnutls_session_t session, - gnutls_mac_algorithm_t algo) +int +_gnutls_set_read_mac (gnutls_session_t session, gnutls_mac_algorithm_t algo) { - if (_gnutls_mac_is_ok(algo) == 0) { - session->security_parameters.read_mac_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (_gnutls_mac_is_ok (algo) == 0) + { + session->security_parameters.read_mac_algorithm = algo; } - if (_gnutls_mac_priority(session, algo) < 0) { - gnutls_assert(); - return GNUTLS_E_UNWANTED_ALGORITHM; + else + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; + } + if (_gnutls_mac_priority (session, algo) < 0) + { + gnutls_assert (); + return GNUTLS_E_UNWANTED_ALGORITHM; } - return 0; + return 0; } -int _gnutls_set_write_mac(gnutls_session_t session, - gnutls_mac_algorithm_t algo) +int +_gnutls_set_write_mac (gnutls_session_t session, gnutls_mac_algorithm_t algo) { - if (_gnutls_mac_is_ok(algo) == 0) { - session->security_parameters.write_mac_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (_gnutls_mac_is_ok (algo) == 0) + { + session->security_parameters.write_mac_algorithm = algo; + } + else + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - if (_gnutls_mac_priority(session, algo) < 0) { - gnutls_assert(); - return GNUTLS_E_UNWANTED_ALGORITHM; + if (_gnutls_mac_priority (session, algo) < 0) + { + gnutls_assert (); + return GNUTLS_E_UNWANTED_ALGORITHM; } - return 0; + return 0; } diff --git a/lib/gnutls_constate.h b/lib/gnutls_constate.h index de8ae4db53..9b74160777 100644 --- a/lib/gnutls_constate.h +++ b/lib/gnutls_constate.h @@ -22,19 +22,19 @@ * */ -int _gnutls_connection_state_init(gnutls_session_t session); -int _gnutls_read_connection_state_init(gnutls_session_t session); -int _gnutls_write_connection_state_init(gnutls_session_t session); -int _gnutls_set_write_cipher(gnutls_session_t session, +int _gnutls_connection_state_init (gnutls_session_t session); +int _gnutls_read_connection_state_init (gnutls_session_t session); +int _gnutls_write_connection_state_init (gnutls_session_t session); +int _gnutls_set_write_cipher (gnutls_session_t session, + gnutls_cipher_algorithm_t algo); +int _gnutls_set_write_mac (gnutls_session_t session, + gnutls_mac_algorithm_t algo); +int _gnutls_set_read_cipher (gnutls_session_t session, gnutls_cipher_algorithm_t algo); -int _gnutls_set_write_mac(gnutls_session_t session, +int _gnutls_set_read_mac (gnutls_session_t session, gnutls_mac_algorithm_t algo); -int _gnutls_set_read_cipher(gnutls_session_t session, - gnutls_cipher_algorithm_t algo); -int _gnutls_set_read_mac(gnutls_session_t session, - gnutls_mac_algorithm_t algo); -int _gnutls_set_read_compression(gnutls_session_t session, - gnutls_compression_method_t algo); -int _gnutls_set_write_compression(gnutls_session_t session, +int _gnutls_set_read_compression (gnutls_session_t session, gnutls_compression_method_t algo); -int _gnutls_set_kx(gnutls_session_t session, gnutls_kx_algorithm_t algo); +int _gnutls_set_write_compression (gnutls_session_t session, + gnutls_compression_method_t algo); +int _gnutls_set_kx (gnutls_session_t session, gnutls_kx_algorithm_t algo); diff --git a/lib/gnutls_datum.c b/lib/gnutls_datum.c index d21ea97546..66bc6fce6a 100644 --- a/lib/gnutls_datum.c +++ b/lib/gnutls_datum.c @@ -33,72 +33,78 @@ #include <gnutls_errors.h> -void _gnutls_write_datum16(opaque * dest, gnutls_datum_t dat) +void +_gnutls_write_datum16 (opaque * dest, gnutls_datum_t dat) { - _gnutls_write_uint16(dat.size, dest); - memcpy(&dest[2], dat.data, dat.size); + _gnutls_write_uint16 (dat.size, dest); + memcpy (&dest[2], dat.data, dat.size); } -void _gnutls_write_datum24(opaque * dest, gnutls_datum_t dat) +void +_gnutls_write_datum24 (opaque * dest, gnutls_datum_t dat) { - _gnutls_write_uint24(dat.size, dest); - memcpy(&dest[3], dat.data, dat.size); + _gnutls_write_uint24 (dat.size, dest); + memcpy (&dest[3], dat.data, dat.size); } -void _gnutls_write_datum32(opaque * dest, gnutls_datum_t dat) +void +_gnutls_write_datum32 (opaque * dest, gnutls_datum_t dat) { - _gnutls_write_uint32(dat.size, dest); - memcpy(&dest[4], dat.data, dat.size); + _gnutls_write_uint32 (dat.size, dest); + memcpy (&dest[4], dat.data, dat.size); } -void _gnutls_write_datum8(opaque * dest, gnutls_datum_t dat) +void +_gnutls_write_datum8 (opaque * dest, gnutls_datum_t dat) { - dest[0] = (uint8) dat.size; - memcpy(&dest[1], dat.data, dat.size); + dest[0] = (uint8) dat.size; + memcpy (&dest[1], dat.data, dat.size); } -int _gnutls_set_datum_m(gnutls_datum_t * dat, const void *data, - size_t data_size, - gnutls_alloc_function galloc_func) +int +_gnutls_set_datum_m (gnutls_datum_t * dat, const void *data, + size_t data_size, gnutls_alloc_function galloc_func) { - if (data_size == 0 || data == NULL) { - dat->data = NULL; - dat->size = 0; - return 0; + if (data_size == 0 || data == NULL) + { + dat->data = NULL; + dat->size = 0; + return 0; } - dat->data = galloc_func(data_size); - if (dat->data == NULL) - return GNUTLS_E_MEMORY_ERROR; + dat->data = galloc_func (data_size); + if (dat->data == NULL) + return GNUTLS_E_MEMORY_ERROR; - dat->size = data_size; - memcpy(dat->data, data, data_size); + dat->size = data_size; + memcpy (dat->data, data, data_size); - return 0; + return 0; } -int _gnutls_datum_append_m(gnutls_datum_t * dst, const void *data, - size_t data_size, - gnutls_realloc_function grealloc_func) +int +_gnutls_datum_append_m (gnutls_datum_t * dst, const void *data, + size_t data_size, + gnutls_realloc_function grealloc_func) { - dst->data = grealloc_func(dst->data, data_size + dst->size); - if (dst->data == NULL) - return GNUTLS_E_MEMORY_ERROR; + dst->data = grealloc_func (dst->data, data_size + dst->size); + if (dst->data == NULL) + return GNUTLS_E_MEMORY_ERROR; - memcpy(&dst->data[dst->size], data, data_size); - dst->size += data_size; + memcpy (&dst->data[dst->size], data, data_size); + dst->size += data_size; - return 0; + return 0; } -void _gnutls_free_datum_m(gnutls_datum_t * dat, - gnutls_free_function gfree_func) +void +_gnutls_free_datum_m (gnutls_datum_t * dat, gnutls_free_function gfree_func) { - if (dat->data != NULL && dat->size != 0) - gfree_func(dat->data); + if (dat->data != NULL && dat->size != 0) + gfree_func (dat->data); - dat->data = NULL; - dat->size = 0; + dat->data = NULL; + dat->size = 0; } diff --git a/lib/gnutls_datum.h b/lib/gnutls_datum.h index fe195de9f7..57bf96daa0 100644 --- a/lib/gnutls_datum.h +++ b/lib/gnutls_datum.h @@ -22,19 +22,19 @@ * */ -void _gnutls_write_datum16(opaque * dest, gnutls_datum_t dat); -void _gnutls_write_datum24(opaque * dest, gnutls_datum_t dat); -void _gnutls_write_datum32(opaque * dest, gnutls_datum_t dat); -void _gnutls_write_datum8(opaque * dest, gnutls_datum_t dat); +void _gnutls_write_datum16 (opaque * dest, gnutls_datum_t dat); +void _gnutls_write_datum24 (opaque * dest, gnutls_datum_t dat); +void _gnutls_write_datum32 (opaque * dest, gnutls_datum_t dat); +void _gnutls_write_datum8 (opaque * dest, gnutls_datum_t dat); -int _gnutls_set_datum_m(gnutls_datum_t * dat, const void *data, - size_t data_size, gnutls_alloc_function); +int _gnutls_set_datum_m (gnutls_datum_t * dat, const void *data, + size_t data_size, gnutls_alloc_function); #define _gnutls_set_datum( x, y, z) _gnutls_set_datum_m(x,y,z, gnutls_malloc) #define _gnutls_sset_datum( x, y, z) _gnutls_set_datum_m(x,y,z, gnutls_secure_malloc) -int _gnutls_datum_append_m(gnutls_datum_t * dat, const void *data, - size_t data_size, gnutls_realloc_function); +int _gnutls_datum_append_m (gnutls_datum_t * dat, const void *data, + size_t data_size, gnutls_realloc_function); #define _gnutls_datum_append(x,y,z) _gnutls_datum_append_m(x,y,z, gnutls_realloc) -void _gnutls_free_datum_m(gnutls_datum_t * dat, gnutls_free_function); +void _gnutls_free_datum_m (gnutls_datum_t * dat, gnutls_free_function); #define _gnutls_free_datum(x) _gnutls_free_datum_m(x, gnutls_free) diff --git a/lib/gnutls_db.c b/lib/gnutls_db.c index 29af963bf3..75be69303d 100644 --- a/lib/gnutls_db.c +++ b/lib/gnutls_db.c @@ -50,10 +50,11 @@ * has been called. * **/ -void gnutls_db_set_retrieve_function(gnutls_session_t session, - gnutls_db_retr_func retr_func) +void +gnutls_db_set_retrieve_function (gnutls_session_t session, + gnutls_db_retr_func retr_func) { - session->internals.db_retrieve_func = retr_func; + session->internals.db_retrieve_func = retr_func; } /** @@ -68,10 +69,11 @@ void gnutls_db_set_retrieve_function(gnutls_session_t session, * has been called. * **/ -void gnutls_db_set_remove_function(gnutls_session_t session, - gnutls_db_remove_func rem_func) +void +gnutls_db_set_remove_function (gnutls_session_t session, + gnutls_db_remove_func rem_func) { - session->internals.db_remove_func = rem_func; + session->internals.db_remove_func = rem_func; } /** @@ -86,10 +88,11 @@ void gnutls_db_set_remove_function(gnutls_session_t session, * has been called. * **/ -void gnutls_db_set_store_function(gnutls_session_t session, - gnutls_db_store_func store_func) +void +gnutls_db_set_store_function (gnutls_session_t session, + gnutls_db_store_func store_func) { - session->internals.db_store_func = store_func; + session->internals.db_store_func = store_func; } /** @@ -101,9 +104,10 @@ void gnutls_db_set_store_function(gnutls_session_t session, * the first argument. * **/ -void gnutls_db_set_ptr(gnutls_session_t session, void *ptr) +void +gnutls_db_set_ptr (gnutls_session_t session, void *ptr) { - session->internals.db_ptr = ptr; + session->internals.db_ptr = ptr; } /** @@ -114,9 +118,10 @@ void gnutls_db_set_ptr(gnutls_session_t session, void *ptr) * the first argument. * **/ -void *gnutls_db_get_ptr(gnutls_session_t session) +void * +gnutls_db_get_ptr (gnutls_session_t session) { - return session->internals.db_ptr; + return session->internals.db_ptr; } /** @@ -127,9 +132,10 @@ void *gnutls_db_get_ptr(gnutls_session_t session) * Sets the expiration time for resumed sessions. The default is 3600 (one hour) * at the time writing this. **/ -void gnutls_db_set_cache_expiration(gnutls_session_t session, int seconds) +void +gnutls_db_set_cache_expiration (gnutls_session_t session, int seconds) { - session->internals.expire_time = seconds; + session->internals.expire_time = seconds; } /** @@ -143,201 +149,216 @@ void gnutls_db_set_cache_expiration(gnutls_session_t session, int seconds) * backend. * **/ -int gnutls_db_check_entry(gnutls_session_t session, - gnutls_datum_t session_entry) +int +gnutls_db_check_entry (gnutls_session_t session, gnutls_datum_t session_entry) { - time_t timestamp; + time_t timestamp; - timestamp = time(0); + timestamp = time (0); - if (session_entry.data != NULL) - if (timestamp - - ((security_parameters_st *) (session_entry.data))->timestamp <= - session->internals.expire_time - || ((security_parameters_st *) (session_entry.data))-> - timestamp > timestamp - || ((security_parameters_st *) (session_entry.data))-> - timestamp == 0) - return GNUTLS_E_EXPIRED; + if (session_entry.data != NULL) + if (timestamp - + ((security_parameters_st *) (session_entry.data))->timestamp <= + session->internals.expire_time + || ((security_parameters_st *) (session_entry.data))-> + timestamp > timestamp + || ((security_parameters_st *) (session_entry.data))->timestamp == 0) + return GNUTLS_E_EXPIRED; - return 0; + return 0; } /* The format of storing data is: * (forget it). Check gnutls_session_pack.c */ -int _gnutls_server_register_current_session(gnutls_session_t session) +int +_gnutls_server_register_current_session (gnutls_session_t session) { - gnutls_datum_t key; - gnutls_datum_t content; - int ret = 0; + gnutls_datum_t key; + gnutls_datum_t content; + int ret = 0; - key.data = session->security_parameters.session_id; - key.size = session->security_parameters.session_id_size; + key.data = session->security_parameters.session_id; + key.size = session->security_parameters.session_id_size; - if (session->internals.resumable == RESUME_FALSE) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; + if (session->internals.resumable == RESUME_FALSE) + { + gnutls_assert (); + return GNUTLS_E_INVALID_SESSION; } - if (session->security_parameters.session_id == NULL - || session->security_parameters.session_id_size == 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; + if (session->security_parameters.session_id == NULL + || session->security_parameters.session_id_size == 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_SESSION; } /* copy data */ - ret = _gnutls_session_pack(session, &content); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_session_pack (session, &content); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = _gnutls_store_session(session, key, content); - _gnutls_free_datum( &content); + ret = _gnutls_store_session (session, key, content); + _gnutls_free_datum (&content); - return ret; + return ret; } /* Checks if both db_store and db_retrieve functions have * been set up. */ -static int _gnutls_db_func_is_ok(gnutls_session_t session) +static int +_gnutls_db_func_is_ok (gnutls_session_t session) { - if (session->internals.db_store_func != NULL && - session->internals.db_retrieve_func != NULL && - session->internals.db_remove_func != NULL) - return 0; - else - return GNUTLS_E_DB_ERROR; + if (session->internals.db_store_func != NULL && + session->internals.db_retrieve_func != NULL && + session->internals.db_remove_func != NULL) + return 0; + else + return GNUTLS_E_DB_ERROR; } -int _gnutls_server_restore_session(gnutls_session_t session, - uint8 * session_id, int session_id_size) +int +_gnutls_server_restore_session (gnutls_session_t session, + uint8 * session_id, int session_id_size) { - gnutls_datum_t data; - gnutls_datum_t key; - int ret; + gnutls_datum_t data; + gnutls_datum_t key; + int ret; - key.data = session_id; - key.size = session_id_size; + key.data = session_id; + key.size = session_id_size; - if (_gnutls_db_func_is_ok(session) != 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; + if (_gnutls_db_func_is_ok (session) != 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_SESSION; } - data = _gnutls_retrieve_session(session, key); + data = _gnutls_retrieve_session (session, key); - if (data.data == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; + if (data.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_SESSION; } - /* expiration check is performed inside */ - ret = gnutls_session_set_data(session, data.data, data.size); - if (ret < 0) { - gnutls_assert(); - return ret; + /* expiration check is performed inside */ + ret = gnutls_session_set_data (session, data.data, data.size); + if (ret < 0) + { + gnutls_assert (); + return ret; } - gnutls_free(data.data); + gnutls_free (data.data); - return 0; + return 0; } -int _gnutls_db_remove_session(gnutls_session_t session, uint8 * session_id, - int session_id_size) +int +_gnutls_db_remove_session (gnutls_session_t session, uint8 * session_id, + int session_id_size) { - gnutls_datum_t key; + gnutls_datum_t key; - key.data = session_id; - key.size = session_id_size; + key.data = session_id; + key.size = session_id_size; - return _gnutls_remove_session(session, key); + return _gnutls_remove_session (session, key); } /* Stores session data to the db backend. */ -int _gnutls_store_session(gnutls_session_t session, - gnutls_datum_t session_id, - gnutls_datum_t session_data) +int +_gnutls_store_session (gnutls_session_t session, + gnutls_datum_t session_id, gnutls_datum_t session_data) { - int ret = 0; + int ret = 0; - if (session->internals.resumable == RESUME_FALSE) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; + if (session->internals.resumable == RESUME_FALSE) + { + gnutls_assert (); + return GNUTLS_E_INVALID_SESSION; } - if (_gnutls_db_func_is_ok(session) != 0) { - return GNUTLS_E_DB_ERROR; + if (_gnutls_db_func_is_ok (session) != 0) + { + return GNUTLS_E_DB_ERROR; } - if (session_id.data == NULL || session_id.size == 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; + if (session_id.data == NULL || session_id.size == 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_SESSION; } - if (session_data.data == NULL || session_data.size == 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; + if (session_data.data == NULL || session_data.size == 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_SESSION; } - /* if we can't read why bother writing? */ + /* if we can't read why bother writing? */ - if (session->internals.db_store_func != NULL) - ret = - session->internals.db_store_func(session->internals.db_ptr, - session_id, session_data); + if (session->internals.db_store_func != NULL) + ret = + session->internals.db_store_func (session->internals.db_ptr, + session_id, session_data); - return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); + return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); } /* Retrieves session data from the db backend. */ -gnutls_datum_t _gnutls_retrieve_session(gnutls_session_t session, - gnutls_datum_t session_id) +gnutls_datum_t +_gnutls_retrieve_session (gnutls_session_t session, gnutls_datum_t session_id) { - gnutls_datum_t ret = { NULL, 0 }; + gnutls_datum_t ret = { NULL, 0 }; - if (session_id.data == NULL || session_id.size == 0) { - gnutls_assert(); - return ret; + if (session_id.data == NULL || session_id.size == 0) + { + gnutls_assert (); + return ret; } - if (session->internals.db_retrieve_func != NULL) - ret = - session->internals.db_retrieve_func(session->internals.db_ptr, - session_id); + if (session->internals.db_retrieve_func != NULL) + ret = + session->internals.db_retrieve_func (session->internals.db_ptr, + session_id); - return ret; + return ret; } /* Removes session data from the db backend. */ -int _gnutls_remove_session(gnutls_session_t session, - gnutls_datum_t session_id) +int +_gnutls_remove_session (gnutls_session_t session, gnutls_datum_t session_id) { - int ret = 0; + int ret = 0; - if (_gnutls_db_func_is_ok(session) != 0) { - return GNUTLS_E_DB_ERROR; + if (_gnutls_db_func_is_ok (session) != 0) + { + return GNUTLS_E_DB_ERROR; } - if (session_id.data == NULL || session_id.size == 0) - return GNUTLS_E_INVALID_SESSION; + if (session_id.data == NULL || session_id.size == 0) + return GNUTLS_E_INVALID_SESSION; - /* if we can't read why bother writing? */ - if (session->internals.db_remove_func != NULL) - ret = - session->internals.db_remove_func(session->internals.db_ptr, - session_id); + /* if we can't read why bother writing? */ + if (session->internals.db_remove_func != NULL) + ret = + session->internals.db_remove_func (session->internals.db_ptr, + session_id); - return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); + return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); } @@ -353,13 +374,13 @@ int _gnutls_remove_session(gnutls_session_t session, * Normally gnutls_deinit() will remove abnormally terminated sessions. * **/ -void gnutls_db_remove_session(gnutls_session_t session) +void +gnutls_db_remove_session (gnutls_session_t session) { - /* if the session has failed abnormally it has - * to be removed from the db - */ - _gnutls_db_remove_session(session, - session->security_parameters.session_id, - session->security_parameters. - session_id_size); + /* if the session has failed abnormally it has + * to be removed from the db + */ + _gnutls_db_remove_session (session, + session->security_parameters.session_id, + session->security_parameters.session_id_size); } diff --git a/lib/gnutls_db.h b/lib/gnutls_db.h index 5d23045f5f..aed508942e 100644 --- a/lib/gnutls_db.h +++ b/lib/gnutls_db.h @@ -22,16 +22,15 @@ * */ -int _gnutls_server_register_current_session(gnutls_session_t session); -int _gnutls_server_restore_session(gnutls_session_t session, - uint8 * session_id, - int session_id_size); -int _gnutls_db_remove_session(gnutls_session_t session, uint8 * session_id, - int session_id_size); -int _gnutls_store_session(gnutls_session_t session, - gnutls_datum_t session_id, - gnutls_datum_t session_data); -gnutls_datum_t _gnutls_retrieve_session(gnutls_session_t session, - gnutls_datum_t session_id); -int _gnutls_remove_session(gnutls_session_t session, - gnutls_datum_t session_id); +int _gnutls_server_register_current_session (gnutls_session_t session); +int _gnutls_server_restore_session (gnutls_session_t session, + uint8 * session_id, int session_id_size); +int _gnutls_db_remove_session (gnutls_session_t session, uint8 * session_id, + int session_id_size); +int _gnutls_store_session (gnutls_session_t session, + gnutls_datum_t session_id, + gnutls_datum_t session_data); +gnutls_datum_t _gnutls_retrieve_session (gnutls_session_t session, + gnutls_datum_t session_id); +int _gnutls_remove_session (gnutls_session_t session, + gnutls_datum_t session_id); diff --git a/lib/gnutls_dh.c b/lib/gnutls_dh.c index 6a50943d03..5eae3c2366 100644 --- a/lib/gnutls_dh.c +++ b/lib/gnutls_dh.c @@ -46,71 +46,79 @@ /* returns the public value (X), and the secret (ret_x). */ -mpi_t gnutls_calc_dh_secret(mpi_t * ret_x, mpi_t g, mpi_t prime) +mpi_t +gnutls_calc_dh_secret (mpi_t * ret_x, mpi_t g, mpi_t prime) { - mpi_t e, x; - int x_size = _gnutls_mpi_get_nbits(prime) - 1; - /* The size of the secret key is less than - * prime/2 - */ - - if (x_size > MAX_BITS || x_size <= 0) { - gnutls_assert(); - return NULL; + mpi_t e, x; + int x_size = _gnutls_mpi_get_nbits (prime) - 1; + /* The size of the secret key is less than + * prime/2 + */ + + if (x_size > MAX_BITS || x_size <= 0) + { + gnutls_assert (); + return NULL; } - x = _gnutls_mpi_new(x_size); - if (x == NULL) { - gnutls_assert(); - if (ret_x) - *ret_x = NULL; + x = _gnutls_mpi_new (x_size); + if (x == NULL) + { + gnutls_assert (); + if (ret_x) + *ret_x = NULL; - return NULL; + return NULL; } - /* FIXME: (x_size/8)*8 is there to overcome a bug in libgcrypt - * which does not really check the bits given but the bytes. - */ - do { - _gnutls_mpi_randomize(x, (x_size / 8) * 8, GCRY_STRONG_RANDOM); - /* Check whether x is zero. - */ - } while( _gnutls_mpi_cmp_ui( x, 0)==0); - - e = _gnutls_mpi_alloc_like(prime); - if (e == NULL) { - gnutls_assert(); - if (ret_x) - *ret_x = NULL; - - _gnutls_mpi_release(&x); - return NULL; + /* FIXME: (x_size/8)*8 is there to overcome a bug in libgcrypt + * which does not really check the bits given but the bytes. + */ + do + { + _gnutls_mpi_randomize (x, (x_size / 8) * 8, GCRY_STRONG_RANDOM); + /* Check whether x is zero. + */ } + while (_gnutls_mpi_cmp_ui (x, 0) == 0); - _gnutls_mpi_powm(e, g, x, prime); + e = _gnutls_mpi_alloc_like (prime); + if (e == NULL) + { + gnutls_assert (); + if (ret_x) + *ret_x = NULL; - if (ret_x) - *ret_x = x; - else - _gnutls_mpi_release(&x); - return e; + _gnutls_mpi_release (&x); + return NULL; + } + + _gnutls_mpi_powm (e, g, x, prime); + + if (ret_x) + *ret_x = x; + else + _gnutls_mpi_release (&x); + return e; } -mpi_t gnutls_calc_dh_key(mpi_t f, mpi_t x, mpi_t prime) +mpi_t +gnutls_calc_dh_key (mpi_t f, mpi_t x, mpi_t prime) { - mpi_t k; - int bits; - - bits = _gnutls_mpi_get_nbits(prime); - if (bits <= 0 || bits > MAX_BITS) { - gnutls_assert(); - return NULL; + mpi_t k; + int bits; + + bits = _gnutls_mpi_get_nbits (prime); + if (bits <= 0 || bits > MAX_BITS) + { + gnutls_assert (); + return NULL; } - k = _gnutls_mpi_alloc_like(prime); - if (k == NULL) - return NULL; - _gnutls_mpi_powm(k, f, x, prime); - return k; + k = _gnutls_mpi_alloc_like (prime); + if (k == NULL) + return NULL; + _gnutls_mpi_powm (k, f, x, prime); + return k; } diff --git a/lib/gnutls_dh.h b/lib/gnutls_dh.h index 169df8cbe3..bbae902478 100644 --- a/lib/gnutls_dh.h +++ b/lib/gnutls_dh.h @@ -22,7 +22,7 @@ * */ -const mpi_t *_gnutls_get_dh_params(gnutls_dh_params_t); -mpi_t gnutls_calc_dh_secret(mpi_t * ret_x, mpi_t g, mpi_t prime); -mpi_t gnutls_calc_dh_key(mpi_t f, mpi_t x, mpi_t prime); -int _gnutls_dh_generate_prime(mpi_t * ret_g, mpi_t * ret_n, uint bits); +const mpi_t *_gnutls_get_dh_params (gnutls_dh_params_t); +mpi_t gnutls_calc_dh_secret (mpi_t * ret_x, mpi_t g, mpi_t prime); +mpi_t gnutls_calc_dh_key (mpi_t f, mpi_t x, mpi_t prime); +int _gnutls_dh_generate_prime (mpi_t * ret_g, mpi_t * ret_n, uint bits); diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c index ec8e5ff1e8..ff383e1f3d 100644 --- a/lib/gnutls_dh_primes.c +++ b/lib/gnutls_dh_primes.c @@ -34,95 +34,104 @@ /* returns the prime and the generator of DH params. */ -const mpi_t *_gnutls_get_dh_params(gnutls_dh_params_t dh_primes) +const mpi_t * +_gnutls_get_dh_params (gnutls_dh_params_t dh_primes) { - if (dh_primes == NULL || dh_primes->params[1] == NULL || - dh_primes->params[0] == NULL) { - return NULL; + if (dh_primes == NULL || dh_primes->params[1] == NULL || + dh_primes->params[0] == NULL) + { + return NULL; } - return dh_primes->params; + return dh_primes->params; } -int _gnutls_dh_generate_prime(mpi_t * ret_g, mpi_t * ret_n, - unsigned int bits) +int +_gnutls_dh_generate_prime (mpi_t * ret_g, mpi_t * ret_n, unsigned int bits) { - mpi_t g = NULL, prime = NULL; - gcry_error_t err; - int result, times = 0, qbits; - mpi_t *factors = NULL; - - /* Calculate the size of a prime factor of (prime-1)/2. - * This is a bad emulation of Michael Wiener's table - */ - if (bits < 256) - qbits = bits / 2; - else { - qbits = 120 + (((bits / 256) - 1) * 20); + mpi_t g = NULL, prime = NULL; + gcry_error_t err; + int result, times = 0, qbits; + mpi_t *factors = NULL; + + /* Calculate the size of a prime factor of (prime-1)/2. + * This is a bad emulation of Michael Wiener's table + */ + if (bits < 256) + qbits = bits / 2; + else + { + qbits = 120 + (((bits / 256) - 1) * 20); } - if (qbits & 1) /* better have an even number */ - qbits++; + if (qbits & 1) /* better have an even number */ + qbits++; - /* find a prime number of size bits. - */ - do { + /* find a prime number of size bits. + */ + do + { - if (times) { - _gnutls_mpi_release(&prime); - gcry_prime_release_factors(factors); + if (times) + { + _gnutls_mpi_release (&prime); + gcry_prime_release_factors (factors); } - err = gcry_prime_generate(&prime, bits, qbits, - &factors, NULL, NULL, GCRY_STRONG_RANDOM, - GCRY_PRIME_FLAG_SPECIAL_FACTOR); + err = gcry_prime_generate (&prime, bits, qbits, + &factors, NULL, NULL, GCRY_STRONG_RANDOM, + GCRY_PRIME_FLAG_SPECIAL_FACTOR); - if (err != 0) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; + if (err != 0) + { + gnutls_assert (); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; } - err = gcry_prime_check(prime, 0); + err = gcry_prime_check (prime, 0); - times++; - } while (err != 0 && times < 10); + times++; + } + while (err != 0 && times < 10); - if (err != 0) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; + if (err != 0) + { + gnutls_assert (); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; } - /* generate the group generator. - */ - err = gcry_prime_group_generator(&g, prime, factors, NULL); - if (err != 0) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; + /* generate the group generator. + */ + err = gcry_prime_group_generator (&g, prime, factors, NULL); + if (err != 0) + { + gnutls_assert (); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; } - gcry_prime_release_factors(factors); - factors = NULL; + gcry_prime_release_factors (factors); + factors = NULL; - if (ret_g) - *ret_g = g; - else - _gnutls_mpi_release(&g); - if (ret_n) - *ret_n = prime; - else - _gnutls_mpi_release(&prime); + if (ret_g) + *ret_g = g; + else + _gnutls_mpi_release (&g); + if (ret_n) + *ret_n = prime; + else + _gnutls_mpi_release (&prime); - return 0; + return 0; - cleanup: - gcry_prime_release_factors(factors); - _gnutls_mpi_release(&g); - _gnutls_mpi_release(&prime); +cleanup: + gcry_prime_release_factors (factors); + _gnutls_mpi_release (&g); + _gnutls_mpi_release (&prime); - return result; + return result; } @@ -140,32 +149,35 @@ int _gnutls_dh_generate_prime(mpi_t * ret_g, mpi_t * ret_n, * appropriate gnutls_datum. * **/ -int gnutls_dh_params_import_raw(gnutls_dh_params_t dh_params, - const gnutls_datum_t * prime, - const gnutls_datum_t * generator) +int +gnutls_dh_params_import_raw (gnutls_dh_params_t dh_params, + const gnutls_datum_t * prime, + const gnutls_datum_t * generator) { - mpi_t tmp_prime, tmp_g; - size_t siz; - - siz = prime->size; - if (_gnutls_mpi_scan_nz(&tmp_prime, prime->data, &siz)) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + mpi_t tmp_prime, tmp_g; + size_t siz; + + siz = prime->size; + if (_gnutls_mpi_scan_nz (&tmp_prime, prime->data, &siz)) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - siz = generator->size; - if (_gnutls_mpi_scan_nz(&tmp_g, generator->data, &siz)) { - _gnutls_mpi_release(&tmp_prime); - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + siz = generator->size; + if (_gnutls_mpi_scan_nz (&tmp_g, generator->data, &siz)) + { + _gnutls_mpi_release (&tmp_prime); + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - /* store the generated values - */ - dh_params->params[0] = tmp_prime; - dh_params->params[1] = tmp_g; + /* store the generated values + */ + dh_params->params[0] = tmp_prime; + dh_params->params[1] = tmp_g; - return 0; + return 0; } @@ -176,16 +188,18 @@ int gnutls_dh_params_import_raw(gnutls_dh_params_t dh_params, * This function will initialize the DH parameters structure. * **/ -int gnutls_dh_params_init(gnutls_dh_params_t * dh_params) +int +gnutls_dh_params_init (gnutls_dh_params_t * dh_params) { - (*dh_params) = gnutls_calloc(1, sizeof(dh_params_st)); - if (*dh_params == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + (*dh_params) = gnutls_calloc (1, sizeof (dh_params_st)); + if (*dh_params == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - return 0; + return 0; } @@ -196,15 +210,16 @@ int gnutls_dh_params_init(gnutls_dh_params_t * dh_params) * This function will deinitialize the DH parameters structure. * **/ -void gnutls_dh_params_deinit(gnutls_dh_params_t dh_params) +void +gnutls_dh_params_deinit (gnutls_dh_params_t dh_params) { - if (dh_params == NULL) - return; + if (dh_params == NULL) + return; - _gnutls_mpi_release(&dh_params->params[0]); - _gnutls_mpi_release(&dh_params->params[1]); + _gnutls_mpi_release (&dh_params->params[0]); + _gnutls_mpi_release (&dh_params->params[1]); - gnutls_free(dh_params); + gnutls_free (dh_params); } @@ -217,18 +232,19 @@ void gnutls_dh_params_deinit(gnutls_dh_params_t dh_params) * to destination. * **/ -int gnutls_dh_params_cpy(gnutls_dh_params_t dst, gnutls_dh_params_t src) +int +gnutls_dh_params_cpy (gnutls_dh_params_t dst, gnutls_dh_params_t src) { - if (src == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (src == NULL) + return GNUTLS_E_INVALID_REQUEST; - dst->params[0] = _gnutls_mpi_copy(src->params[0]); - dst->params[1] = _gnutls_mpi_copy(src->params[1]); + dst->params[0] = _gnutls_mpi_copy (src->params[0]); + dst->params[1] = _gnutls_mpi_copy (src->params[1]); - if (dst->params[0] == NULL || dst->params[1] == NULL) - return GNUTLS_E_MEMORY_ERROR; + if (dst->params[0] == NULL || dst->params[1] == NULL) + return GNUTLS_E_MEMORY_ERROR; - return 0; + return 0; } @@ -248,19 +264,20 @@ int gnutls_dh_params_cpy(gnutls_dh_params_t dst, gnutls_dh_params_t src) * no use to call this in client side. * **/ -int gnutls_dh_params_generate2(gnutls_dh_params_t params, - unsigned int bits) +int +gnutls_dh_params_generate2 (gnutls_dh_params_t params, unsigned int bits) { - int ret; - - ret = _gnutls_dh_generate_prime(¶ms->params[1], - ¶ms->params[0], bits); - if (ret < 0) { - gnutls_assert(); - return ret; + int ret; + + ret = _gnutls_dh_generate_prime (¶ms->params[1], + ¶ms->params[0], bits); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } /** @@ -279,87 +296,98 @@ int gnutls_dh_params_generate2(gnutls_dh_params_t params, * 0 on success. * **/ -int gnutls_dh_params_import_pkcs3(gnutls_dh_params_t params, - const gnutls_datum_t * pkcs3_params, - gnutls_x509_crt_fmt_t format) +int +gnutls_dh_params_import_pkcs3 (gnutls_dh_params_t params, + const gnutls_datum_t * pkcs3_params, + gnutls_x509_crt_fmt_t format) { - ASN1_TYPE c2; - int result, need_free = 0; - gnutls_datum_t _params; - - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - result = _gnutls_fbase64_decode("DH PARAMETERS", - pkcs3_params->data, - pkcs3_params->size, &out); - - if (result <= 0) { - if (result == 0) - result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; + ASN1_TYPE c2; + int result, need_free = 0; + gnutls_datum_t _params; + + if (format == GNUTLS_X509_FMT_PEM) + { + opaque *out; + + result = _gnutls_fbase64_decode ("DH PARAMETERS", + pkcs3_params->data, + pkcs3_params->size, &out); + + if (result <= 0) + { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return result; } - _params.data = out; - _params.size = result; + _params.data = out; + _params.size = result; - need_free = 1; + need_free = 1; - } else { - _params.data = pkcs3_params->data; - _params.size = pkcs3_params->size; + } + else + { + _params.data = pkcs3_params->data; + _params.size = pkcs3_params->size; } - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2)) - != ASN1_SUCCESS) { - gnutls_assert(); - if (need_free != 0) { - gnutls_free(_params.data); - _params.data = NULL; + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn (), "GNUTLS.DHParameter", &c2)) + != ASN1_SUCCESS) + { + gnutls_assert (); + if (need_free != 0) + { + gnutls_free (_params.data); + _params.data = NULL; } - return _gnutls_asn2err(result); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&c2, _params.data, _params.size, NULL); + result = asn1_der_decoding (&c2, _params.data, _params.size, NULL); - if (need_free != 0) { - gnutls_free(_params.data); - _params.data = NULL; + if (need_free != 0) + { + gnutls_free (_params.data); + _params.data = NULL; } - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ + if (result != ASN1_SUCCESS) + { + /* couldn't decode DER */ - _gnutls_x509_log("DHParams: Decoding error %d\n", result); - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + _gnutls_x509_log ("DHParams: Decoding error %d\n", result); + gnutls_assert (); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - /* Read PRIME - */ - result = _gnutls_x509_read_int(c2, "prime", ¶ms->params[0]); - if (result < 0) { - asn1_delete_structure(&c2); - gnutls_assert(); - return result; + /* Read PRIME + */ + result = _gnutls_x509_read_int (c2, "prime", ¶ms->params[0]); + if (result < 0) + { + asn1_delete_structure (&c2); + gnutls_assert (); + return result; } - /* read the generator - */ - result = _gnutls_x509_read_int(c2, "base", ¶ms->params[1]); - if (result < 0) { - asn1_delete_structure(&c2); - _gnutls_mpi_release(¶ms->params[0]); - gnutls_assert(); - return result; + /* read the generator + */ + result = _gnutls_x509_read_int (c2, "base", ¶ms->params[1]); + if (result < 0) + { + asn1_delete_structure (&c2); + _gnutls_mpi_release (¶ms->params[0]); + gnutls_assert (); + return result; } - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - return 0; + return 0; } /** @@ -381,148 +409,164 @@ int gnutls_dh_params_import_pkcs3(gnutls_dh_params_t params, * 0 on success. * **/ -int gnutls_dh_params_export_pkcs3(gnutls_dh_params_t params, - gnutls_x509_crt_fmt_t format, - unsigned char *params_data, - size_t * params_data_size) +int +gnutls_dh_params_export_pkcs3 (gnutls_dh_params_t params, + gnutls_x509_crt_fmt_t format, + unsigned char *params_data, + size_t * params_data_size) { - ASN1_TYPE c2; - int result, _params_data_size; - size_t g_size, p_size; - opaque *p_data, *g_data; - opaque *all_data; - - _gnutls_mpi_print(NULL, &g_size, params->params[1]); - _gnutls_mpi_print(NULL, &p_size, params->params[0]); - - all_data = gnutls_malloc(g_size + p_size); - if (all_data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + ASN1_TYPE c2; + int result, _params_data_size; + size_t g_size, p_size; + opaque *p_data, *g_data; + opaque *all_data; + + _gnutls_mpi_print (NULL, &g_size, params->params[1]); + _gnutls_mpi_print (NULL, &p_size, params->params[0]); + + all_data = gnutls_malloc (g_size + p_size); + if (all_data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - p_data = &all_data[0]; - g_data = &all_data[p_size]; + p_data = &all_data[0]; + g_data = &all_data[p_size]; - _gnutls_mpi_print(p_data, &p_size, params->params[0]); - _gnutls_mpi_print(g_data, &g_size, params->params[1]); + _gnutls_mpi_print (p_data, &p_size, params->params[0]); + _gnutls_mpi_print (g_data, &g_size, params->params[1]); - /* Ok. Now we have the data. Create the asn1 structures - */ + /* Ok. Now we have the data. Create the asn1 structures + */ - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2)) - != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(all_data); - return _gnutls_asn2err(result); + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn (), "GNUTLS.DHParameter", &c2)) + != ASN1_SUCCESS) + { + gnutls_assert (); + gnutls_free (all_data); + return _gnutls_asn2err (result); } - /* Write PRIME - */ - if ((result = asn1_write_value(c2, "prime", - p_data, p_size)) != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(all_data); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + /* Write PRIME + */ + if ((result = asn1_write_value (c2, "prime", + p_data, p_size)) != ASN1_SUCCESS) + { + gnutls_assert (); + gnutls_free (all_data); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - /* Write the GENERATOR - */ - if ((result = asn1_write_value(c2, "base", - g_data, g_size)) != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(all_data); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + /* Write the GENERATOR + */ + if ((result = asn1_write_value (c2, "base", + g_data, g_size)) != ASN1_SUCCESS) + { + gnutls_assert (); + gnutls_free (all_data); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - gnutls_free(all_data); + gnutls_free (all_data); - if ((result = asn1_write_value(c2, "privateValueLength", - NULL, 0)) != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + if ((result = asn1_write_value (c2, "privateValueLength", + NULL, 0)) != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - if (format == GNUTLS_X509_FMT_DER) { - if (params_data == NULL) - *params_data_size = 0; - - _params_data_size = *params_data_size; - result = - asn1_der_coding(c2, "", params_data, &_params_data_size, NULL); - *params_data_size = _params_data_size; - asn1_delete_structure(&c2); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - if (result == ASN1_MEM_ERROR) - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (format == GNUTLS_X509_FMT_DER) + { + if (params_data == NULL) + *params_data_size = 0; + + _params_data_size = *params_data_size; + result = + asn1_der_coding (c2, "", params_data, &_params_data_size, NULL); + *params_data_size = _params_data_size; + asn1_delete_structure (&c2); + + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + if (result == ASN1_MEM_ERROR) + return GNUTLS_E_SHORT_MEMORY_BUFFER; - return _gnutls_asn2err(result); + return _gnutls_asn2err (result); } - } else { /* PEM */ - opaque *tmp; - opaque *out; - int len; - - len = 0; - asn1_der_coding(c2, "", NULL, &len, NULL); - - tmp = gnutls_malloc(len); - if (tmp == NULL) { - gnutls_assert(); - asn1_delete_structure(&c2); - return GNUTLS_E_MEMORY_ERROR; + } + else + { /* PEM */ + opaque *tmp; + opaque *out; + int len; + + len = 0; + asn1_der_coding (c2, "", NULL, &len, NULL); + + tmp = gnutls_malloc (len); + if (tmp == NULL) + { + gnutls_assert (); + asn1_delete_structure (&c2); + return GNUTLS_E_MEMORY_ERROR; } - if ((result = - asn1_der_coding(c2, "", tmp, &len, NULL)) != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(tmp); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + if ((result = + asn1_der_coding (c2, "", tmp, &len, NULL)) != ASN1_SUCCESS) + { + gnutls_assert (); + gnutls_free (tmp); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - result = _gnutls_fbase64_encode("DH PARAMETERS", tmp, len, &out); + result = _gnutls_fbase64_encode ("DH PARAMETERS", tmp, len, &out); - gnutls_free(tmp); + gnutls_free (tmp); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - if (result == 0) { /* oooops */ - gnutls_assert(); - gnutls_free(out); - return GNUTLS_E_INTERNAL_ERROR; + if (result == 0) + { /* oooops */ + gnutls_assert (); + gnutls_free (out); + return GNUTLS_E_INTERNAL_ERROR; } - if ((uint) result + 1 > *params_data_size) { - gnutls_assert(); - gnutls_free(out); - *params_data_size = result + 1; - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if ((uint) result + 1 > *params_data_size) + { + gnutls_assert (); + gnutls_free (out); + *params_data_size = result + 1; + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - *params_data_size = result; + *params_data_size = result; - if (params_data) { - memcpy(params_data, out, result); - params_data[result] = 0; + if (params_data) + { + memcpy (params_data, out, result); + params_data[result] = 0; } - gnutls_free(out); + gnutls_free (out); } - return 0; + return 0; } /** @@ -537,46 +581,49 @@ int gnutls_dh_params_export_pkcs3(gnutls_dh_params_t params, * gnutls_malloc() and will be stored in the appropriate datum. * **/ -int gnutls_dh_params_export_raw(gnutls_dh_params_t params, - gnutls_datum_t * prime, - gnutls_datum_t * generator, - unsigned int *bits) +int +gnutls_dh_params_export_raw (gnutls_dh_params_t params, + gnutls_datum_t * prime, + gnutls_datum_t * generator, unsigned int *bits) { - size_t size; + size_t size; - if (params->params[1] == NULL || params->params[0] == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (params->params[1] == NULL || params->params[0] == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - size = 0; - _gnutls_mpi_print(NULL, &size, params->params[1]); + size = 0; + _gnutls_mpi_print (NULL, &size, params->params[1]); - generator->data = gnutls_malloc(size); - if (generator->data == NULL) { - return GNUTLS_E_MEMORY_ERROR; + generator->data = gnutls_malloc (size); + if (generator->data == NULL) + { + return GNUTLS_E_MEMORY_ERROR; } - generator->size = size; - _gnutls_mpi_print(generator->data, &size, params->params[1]); + generator->size = size; + _gnutls_mpi_print (generator->data, &size, params->params[1]); - size = 0; - _gnutls_mpi_print(NULL, &size, params->params[0]); + size = 0; + _gnutls_mpi_print (NULL, &size, params->params[0]); - prime->data = gnutls_malloc(size); - if (prime->data == NULL) { - gnutls_free(generator->data); - generator->data = NULL; - return GNUTLS_E_MEMORY_ERROR; + prime->data = gnutls_malloc (size); + if (prime->data == NULL) + { + gnutls_free (generator->data); + generator->data = NULL; + return GNUTLS_E_MEMORY_ERROR; } - prime->size = size; - _gnutls_mpi_print(prime->data, &size, params->params[0]); + prime->size = size; + _gnutls_mpi_print (prime->data, &size, params->params[0]); - if (bits) - *bits = _gnutls_mpi_get_nbits(params->params[0]); + if (bits) + *bits = _gnutls_mpi_get_nbits (params->params[0]); - return 0; + return 0; } diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index a4bed7c42e..356a0d4a80 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c @@ -34,206 +34,206 @@ extern LOG_FUNC _gnutls_log_func; #define ERROR_ENTRY(desc, name, fatal) \ { desc, #name, name, fatal} -struct gnutls_error_entry { - const char *desc; - const char *_name; - int number; - int fatal; +struct gnutls_error_entry +{ + const char *desc; + const char *_name; + int number; + int fatal; }; typedef struct gnutls_error_entry gnutls_error_entry; static gnutls_error_entry error_algorithms[] = { - /* "Short Description", Error code define, critical (0,1) -- 1 in most cases */ - ERROR_ENTRY("Success.", GNUTLS_E_SUCCESS, 0), - ERROR_ENTRY("Could not negotiate a supported cipher suite.", - GNUTLS_E_UNKNOWN_CIPHER_SUITE, 1), - ERROR_ENTRY("The cipher type is unsupported.", - GNUTLS_E_UNKNOWN_CIPHER_TYPE, 1), - ERROR_ENTRY("The certificate and the given key do not match.", - GNUTLS_E_CERTIFICATE_KEY_MISMATCH, 1), - ERROR_ENTRY("Could not negotiate a supported compression method.", - GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM, 1), - ERROR_ENTRY("An unknown public key algorithm was encountered.", - GNUTLS_E_UNKNOWN_PK_ALGORITHM, 1), - - ERROR_ENTRY("An algorithm that is not enabled was negotiated.", - GNUTLS_E_UNWANTED_ALGORITHM, 1), - ERROR_ENTRY("A large TLS record packet was received.", - GNUTLS_E_LARGE_PACKET, 1), - ERROR_ENTRY("A record packet with illegal version was received.", - GNUTLS_E_UNSUPPORTED_VERSION_PACKET, 1), - ERROR_ENTRY - ("The Diffie Hellman prime sent by the server is not acceptable (not long enough).", - GNUTLS_E_DH_PRIME_UNACCEPTABLE, 1), - ERROR_ENTRY("A TLS packet with unexpected length was received.", - GNUTLS_E_UNEXPECTED_PACKET_LENGTH, 1), - ERROR_ENTRY - ("The specified session has been invalidated for some reason.", - GNUTLS_E_INVALID_SESSION, 1), - - ERROR_ENTRY("GnuTLS internal error.", GNUTLS_E_INTERNAL_ERROR, 1), - ERROR_ENTRY("An illegal TLS extension was received.", - GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION, 1), - ERROR_ENTRY("A TLS fatal alert has been received.", - GNUTLS_E_FATAL_ALERT_RECEIVED, 1), - ERROR_ENTRY("An unexpected TLS packet was received.", - GNUTLS_E_UNEXPECTED_PACKET, 1), - ERROR_ENTRY("A TLS warning alert has been received.", - GNUTLS_E_WARNING_ALERT_RECEIVED, 0), - ERROR_ENTRY - ("An error was encountered at the TLS Finished packet calculation.", - GNUTLS_E_ERROR_IN_FINISHED_PACKET, 1), - ERROR_ENTRY("The peer did not send any certificate.", - GNUTLS_E_NO_CERTIFICATE_FOUND, 1), - - ERROR_ENTRY("No temporary RSA parameters were found.", - GNUTLS_E_NO_TEMPORARY_RSA_PARAMS, 1), - ERROR_ENTRY("No temporary DH parameters were found.", - GNUTLS_E_NO_TEMPORARY_DH_PARAMS, 1), - ERROR_ENTRY("An unexpected TLS handshake packet was received.", - GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET, 1), - ERROR_ENTRY("The scanning of a large integer has failed.", - GNUTLS_E_MPI_SCAN_FAILED, 1), - ERROR_ENTRY("Could not export a large integer.", - GNUTLS_E_MPI_PRINT_FAILED, 1), - ERROR_ENTRY("Decryption has failed.", GNUTLS_E_DECRYPTION_FAILED, 1), - ERROR_ENTRY("Encryption has failed.", GNUTLS_E_ENCRYPTION_FAILED, 1), - ERROR_ENTRY("Public key decryption has failed.", - GNUTLS_E_PK_DECRYPTION_FAILED, 1), - ERROR_ENTRY("Public key encryption has failed.", - GNUTLS_E_PK_ENCRYPTION_FAILED, 1), - ERROR_ENTRY("Public key signing has failed.", GNUTLS_E_PK_SIGN_FAILED, - 1), - ERROR_ENTRY("Public key signature verification has failed.", - GNUTLS_E_PK_SIG_VERIFY_FAILED, 1), - ERROR_ENTRY("Decompression of the TLS record packet has failed.", - GNUTLS_E_DECOMPRESSION_FAILED, 1), - ERROR_ENTRY("Compression of the TLS record packet has failed.", - GNUTLS_E_COMPRESSION_FAILED, 1), - - ERROR_ENTRY("Internal error in memory allocation.", - GNUTLS_E_MEMORY_ERROR, 1), - ERROR_ENTRY("An unimplemented or disabled feature has been requested.", - GNUTLS_E_UNIMPLEMENTED_FEATURE, 1), - ERROR_ENTRY("Insufficient credentials for that request.", - GNUTLS_E_INSUFFICIENT_CREDENTIALS, 1), - ERROR_ENTRY("Error in SRP password file.", GNUTLS_E_SRP_PWD_ERROR, 1), - ERROR_ENTRY("Wrong padding in PKCS1 packet.", GNUTLS_E_PKCS1_WRONG_PAD, - 1), - ERROR_ENTRY("The requested session has expired.", GNUTLS_E_EXPIRED, 1), - ERROR_ENTRY("Hashing has failed.", GNUTLS_E_HASH_FAILED, 1), - ERROR_ENTRY("Base64 decoding error.", GNUTLS_E_BASE64_DECODING_ERROR, - 1), - ERROR_ENTRY("Base64 encoding error.", GNUTLS_E_BASE64_ENCODING_ERROR, - 1), - ERROR_ENTRY("Parsing error in SRP password file.", - GNUTLS_E_SRP_PWD_PARSING_ERROR, 1), - ERROR_ENTRY("The requested data were not available.", - GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, 0), - ERROR_ENTRY("Error in the pull function.", GNUTLS_E_PULL_ERROR, 1), - ERROR_ENTRY("Error in the push function.", GNUTLS_E_PUSH_ERROR, 1), - ERROR_ENTRY - ("The upper limit of record packet sequence numbers has been reached. Wow!", - GNUTLS_E_RECORD_LIMIT_REACHED, 1), - ERROR_ENTRY("Error in the certificate.", GNUTLS_E_CERTIFICATE_ERROR, - 1), - ERROR_ENTRY("Unknown Subject Alternative name in X.509 certificate.", - GNUTLS_E_X509_UNKNOWN_SAN, 1), - - ERROR_ENTRY("Unsupported critical extension in X.509 certificate.", - GNUTLS_E_X509_UNSUPPORTED_CRITICAL_EXTENSION, 1), - ERROR_ENTRY("Key usage violation in certificate has been detected.", - GNUTLS_E_KEY_USAGE_VIOLATION, 1), - ERROR_ENTRY("Function was interrupted.", GNUTLS_E_AGAIN, 0), - ERROR_ENTRY("Function was interrupted.", GNUTLS_E_INTERRUPTED, 0), - ERROR_ENTRY("Rehandshake was requested by the peer.", - GNUTLS_E_REHANDSHAKE, 0), - ERROR_ENTRY - ("TLS Application data were received, while expecting handshake data.", - GNUTLS_E_GOT_APPLICATION_DATA, 1), - ERROR_ENTRY("Error in Database backend.", GNUTLS_E_DB_ERROR, 1), - ERROR_ENTRY("The certificate type is not supported.", - GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE, 1), - ERROR_ENTRY("The given memory buffer is too short to hold parameters.", - GNUTLS_E_SHORT_MEMORY_BUFFER, 1), - ERROR_ENTRY("The request is invalid.", GNUTLS_E_INVALID_REQUEST, 1), - ERROR_ENTRY("An illegal parameter has been received.", - GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1), - ERROR_ENTRY("Error while reading file.", GNUTLS_E_FILE_ERROR, 1), - - ERROR_ENTRY("ASN1 parser: Element was not found.", - GNUTLS_E_ASN1_ELEMENT_NOT_FOUND, 1), - ERROR_ENTRY("ASN1 parser: Identifier was not found", - GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND, 1), - ERROR_ENTRY("ASN1 parser: Error in DER parsing.", - GNUTLS_E_ASN1_DER_ERROR, 1), - ERROR_ENTRY("ASN1 parser: Value was not found.", - GNUTLS_E_ASN1_VALUE_NOT_FOUND, 1), - ERROR_ENTRY("ASN1 parser: Generic parsing error.", - GNUTLS_E_ASN1_GENERIC_ERROR, 1), - ERROR_ENTRY("ASN1 parser: Value is not valid.", - GNUTLS_E_ASN1_VALUE_NOT_VALID, 1), - ERROR_ENTRY("ASN1 parser: Error in TAG.", GNUTLS_E_ASN1_TAG_ERROR, 1), - ERROR_ENTRY("ASN1 parser: error in implicit tag", - GNUTLS_E_ASN1_TAG_IMPLICIT, 1), - ERROR_ENTRY("ASN1 parser: Error in type 'ANY'.", - GNUTLS_E_ASN1_TYPE_ANY_ERROR, 1), - ERROR_ENTRY("ASN1 parser: Syntax error.", GNUTLS_E_ASN1_SYNTAX_ERROR, - 1), - ERROR_ENTRY("ASN1 parser: Overflow in DER parsing.", - GNUTLS_E_ASN1_DER_OVERFLOW, 1), - - ERROR_ENTRY("Too many empty record packets have been received.", - GNUTLS_E_TOO_MANY_EMPTY_PACKETS, 1), - ERROR_ENTRY("The initialization of GnuTLS-extra has failed.", - GNUTLS_E_INIT_LIBEXTRA, 1), - ERROR_ENTRY - ("The GnuTLS library version does not match the GnuTLS-extra library version.", - GNUTLS_E_LIBRARY_VERSION_MISMATCH, 1), - ERROR_ENTRY("The gcrypt library version is too old.", - GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY, 1), - - ERROR_ENTRY("The tasn1 library version is too old.", - GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY, 1), - ERROR_ENTRY - ("The specified GnuPG TrustDB version is not supported. TrustDB v4 is supported.", - GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED, 1), - - ERROR_ENTRY("Error loading the keyring.", - GNUTLS_E_OPENPGP_KEYRING_ERROR, 1), - ERROR_ENTRY("The initialization of LZO has failed.", - GNUTLS_E_LZO_INIT_FAILED, 1), - ERROR_ENTRY("No supported compression algorithms have been found.", - GNUTLS_E_NO_COMPRESSION_ALGORITHMS, 1), - ERROR_ENTRY("No supported cipher suites have been found.", - GNUTLS_E_NO_CIPHER_SUITES, 1), - ERROR_ENTRY("Could not get OpenPGP key.", - GNUTLS_E_OPENPGP_GETKEY_FAILED, 1), - - ERROR_ENTRY("The SRP username supplied is illegal.", - GNUTLS_E_ILLEGAL_SRP_USERNAME, 1), - - ERROR_ENTRY("The OpenPGP fingerprint is not supported.", - GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1), - ERROR_ENTRY("The certificate has unsupported attributes.", - GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE, 1), - ERROR_ENTRY("The OID is not supported.", GNUTLS_E_X509_UNSUPPORTED_OID, - 1), - ERROR_ENTRY("The hash algorithm is unknown.", - GNUTLS_E_UNKNOWN_HASH_ALGORITHM, 1), - ERROR_ENTRY("The PKCS structure's content type is unknown.", - GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE, 1), - ERROR_ENTRY("The PKCS structure's bag type is unknown.", - GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE, 1), - ERROR_ENTRY("The given password contains invalid characters.", - GNUTLS_E_INVALID_PASSWORD, 1), - ERROR_ENTRY("The Message Authentication Code verification failed.", - GNUTLS_E_MAC_VERIFY_FAILED, 1), - ERROR_ENTRY("Some constraint limits were reached.", - GNUTLS_E_CONSTRAINT_ERROR, 1), - ERROR_ENTRY("Failed to acquire random data.", GNUTLS_E_RANDOM_FAILED, - 1), - {NULL, NULL, 0, 0} + /* "Short Description", Error code define, critical (0,1) -- 1 in most cases */ + ERROR_ENTRY ("Success.", GNUTLS_E_SUCCESS, 0), + ERROR_ENTRY ("Could not negotiate a supported cipher suite.", + GNUTLS_E_UNKNOWN_CIPHER_SUITE, 1), + ERROR_ENTRY ("The cipher type is unsupported.", + GNUTLS_E_UNKNOWN_CIPHER_TYPE, 1), + ERROR_ENTRY ("The certificate and the given key do not match.", + GNUTLS_E_CERTIFICATE_KEY_MISMATCH, 1), + ERROR_ENTRY ("Could not negotiate a supported compression method.", + GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM, 1), + ERROR_ENTRY ("An unknown public key algorithm was encountered.", + GNUTLS_E_UNKNOWN_PK_ALGORITHM, 1), + + ERROR_ENTRY ("An algorithm that is not enabled was negotiated.", + GNUTLS_E_UNWANTED_ALGORITHM, 1), + ERROR_ENTRY ("A large TLS record packet was received.", + GNUTLS_E_LARGE_PACKET, 1), + ERROR_ENTRY ("A record packet with illegal version was received.", + GNUTLS_E_UNSUPPORTED_VERSION_PACKET, 1), + ERROR_ENTRY + ("The Diffie Hellman prime sent by the server is not acceptable (not long enough).", + GNUTLS_E_DH_PRIME_UNACCEPTABLE, 1), + ERROR_ENTRY ("A TLS packet with unexpected length was received.", + GNUTLS_E_UNEXPECTED_PACKET_LENGTH, 1), + ERROR_ENTRY ("The specified session has been invalidated for some reason.", + GNUTLS_E_INVALID_SESSION, 1), + + ERROR_ENTRY ("GnuTLS internal error.", GNUTLS_E_INTERNAL_ERROR, 1), + ERROR_ENTRY ("An illegal TLS extension was received.", + GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION, 1), + ERROR_ENTRY ("A TLS fatal alert has been received.", + GNUTLS_E_FATAL_ALERT_RECEIVED, 1), + ERROR_ENTRY ("An unexpected TLS packet was received.", + GNUTLS_E_UNEXPECTED_PACKET, 1), + ERROR_ENTRY ("A TLS warning alert has been received.", + GNUTLS_E_WARNING_ALERT_RECEIVED, 0), + ERROR_ENTRY + ("An error was encountered at the TLS Finished packet calculation.", + GNUTLS_E_ERROR_IN_FINISHED_PACKET, 1), + ERROR_ENTRY ("The peer did not send any certificate.", + GNUTLS_E_NO_CERTIFICATE_FOUND, 1), + + ERROR_ENTRY ("No temporary RSA parameters were found.", + GNUTLS_E_NO_TEMPORARY_RSA_PARAMS, 1), + ERROR_ENTRY ("No temporary DH parameters were found.", + GNUTLS_E_NO_TEMPORARY_DH_PARAMS, 1), + ERROR_ENTRY ("An unexpected TLS handshake packet was received.", + GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET, 1), + ERROR_ENTRY ("The scanning of a large integer has failed.", + GNUTLS_E_MPI_SCAN_FAILED, 1), + ERROR_ENTRY ("Could not export a large integer.", + GNUTLS_E_MPI_PRINT_FAILED, 1), + ERROR_ENTRY ("Decryption has failed.", GNUTLS_E_DECRYPTION_FAILED, 1), + ERROR_ENTRY ("Encryption has failed.", GNUTLS_E_ENCRYPTION_FAILED, 1), + ERROR_ENTRY ("Public key decryption has failed.", + GNUTLS_E_PK_DECRYPTION_FAILED, 1), + ERROR_ENTRY ("Public key encryption has failed.", + GNUTLS_E_PK_ENCRYPTION_FAILED, 1), + ERROR_ENTRY ("Public key signing has failed.", GNUTLS_E_PK_SIGN_FAILED, + 1), + ERROR_ENTRY ("Public key signature verification has failed.", + GNUTLS_E_PK_SIG_VERIFY_FAILED, 1), + ERROR_ENTRY ("Decompression of the TLS record packet has failed.", + GNUTLS_E_DECOMPRESSION_FAILED, 1), + ERROR_ENTRY ("Compression of the TLS record packet has failed.", + GNUTLS_E_COMPRESSION_FAILED, 1), + + ERROR_ENTRY ("Internal error in memory allocation.", + GNUTLS_E_MEMORY_ERROR, 1), + ERROR_ENTRY ("An unimplemented or disabled feature has been requested.", + GNUTLS_E_UNIMPLEMENTED_FEATURE, 1), + ERROR_ENTRY ("Insufficient credentials for that request.", + GNUTLS_E_INSUFFICIENT_CREDENTIALS, 1), + ERROR_ENTRY ("Error in SRP password file.", GNUTLS_E_SRP_PWD_ERROR, 1), + ERROR_ENTRY ("Wrong padding in PKCS1 packet.", GNUTLS_E_PKCS1_WRONG_PAD, + 1), + ERROR_ENTRY ("The requested session has expired.", GNUTLS_E_EXPIRED, 1), + ERROR_ENTRY ("Hashing has failed.", GNUTLS_E_HASH_FAILED, 1), + ERROR_ENTRY ("Base64 decoding error.", GNUTLS_E_BASE64_DECODING_ERROR, + 1), + ERROR_ENTRY ("Base64 encoding error.", GNUTLS_E_BASE64_ENCODING_ERROR, + 1), + ERROR_ENTRY ("Parsing error in SRP password file.", + GNUTLS_E_SRP_PWD_PARSING_ERROR, 1), + ERROR_ENTRY ("The requested data were not available.", + GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, 0), + ERROR_ENTRY ("Error in the pull function.", GNUTLS_E_PULL_ERROR, 1), + ERROR_ENTRY ("Error in the push function.", GNUTLS_E_PUSH_ERROR, 1), + ERROR_ENTRY + ("The upper limit of record packet sequence numbers has been reached. Wow!", + GNUTLS_E_RECORD_LIMIT_REACHED, 1), + ERROR_ENTRY ("Error in the certificate.", GNUTLS_E_CERTIFICATE_ERROR, + 1), + ERROR_ENTRY ("Unknown Subject Alternative name in X.509 certificate.", + GNUTLS_E_X509_UNKNOWN_SAN, 1), + + ERROR_ENTRY ("Unsupported critical extension in X.509 certificate.", + GNUTLS_E_X509_UNSUPPORTED_CRITICAL_EXTENSION, 1), + ERROR_ENTRY ("Key usage violation in certificate has been detected.", + GNUTLS_E_KEY_USAGE_VIOLATION, 1), + ERROR_ENTRY ("Function was interrupted.", GNUTLS_E_AGAIN, 0), + ERROR_ENTRY ("Function was interrupted.", GNUTLS_E_INTERRUPTED, 0), + ERROR_ENTRY ("Rehandshake was requested by the peer.", + GNUTLS_E_REHANDSHAKE, 0), + ERROR_ENTRY + ("TLS Application data were received, while expecting handshake data.", + GNUTLS_E_GOT_APPLICATION_DATA, 1), + ERROR_ENTRY ("Error in Database backend.", GNUTLS_E_DB_ERROR, 1), + ERROR_ENTRY ("The certificate type is not supported.", + GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE, 1), + ERROR_ENTRY ("The given memory buffer is too short to hold parameters.", + GNUTLS_E_SHORT_MEMORY_BUFFER, 1), + ERROR_ENTRY ("The request is invalid.", GNUTLS_E_INVALID_REQUEST, 1), + ERROR_ENTRY ("An illegal parameter has been received.", + GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1), + ERROR_ENTRY ("Error while reading file.", GNUTLS_E_FILE_ERROR, 1), + + ERROR_ENTRY ("ASN1 parser: Element was not found.", + GNUTLS_E_ASN1_ELEMENT_NOT_FOUND, 1), + ERROR_ENTRY ("ASN1 parser: Identifier was not found", + GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND, 1), + ERROR_ENTRY ("ASN1 parser: Error in DER parsing.", + GNUTLS_E_ASN1_DER_ERROR, 1), + ERROR_ENTRY ("ASN1 parser: Value was not found.", + GNUTLS_E_ASN1_VALUE_NOT_FOUND, 1), + ERROR_ENTRY ("ASN1 parser: Generic parsing error.", + GNUTLS_E_ASN1_GENERIC_ERROR, 1), + ERROR_ENTRY ("ASN1 parser: Value is not valid.", + GNUTLS_E_ASN1_VALUE_NOT_VALID, 1), + ERROR_ENTRY ("ASN1 parser: Error in TAG.", GNUTLS_E_ASN1_TAG_ERROR, 1), + ERROR_ENTRY ("ASN1 parser: error in implicit tag", + GNUTLS_E_ASN1_TAG_IMPLICIT, 1), + ERROR_ENTRY ("ASN1 parser: Error in type 'ANY'.", + GNUTLS_E_ASN1_TYPE_ANY_ERROR, 1), + ERROR_ENTRY ("ASN1 parser: Syntax error.", GNUTLS_E_ASN1_SYNTAX_ERROR, + 1), + ERROR_ENTRY ("ASN1 parser: Overflow in DER parsing.", + GNUTLS_E_ASN1_DER_OVERFLOW, 1), + + ERROR_ENTRY ("Too many empty record packets have been received.", + GNUTLS_E_TOO_MANY_EMPTY_PACKETS, 1), + ERROR_ENTRY ("The initialization of GnuTLS-extra has failed.", + GNUTLS_E_INIT_LIBEXTRA, 1), + ERROR_ENTRY + ("The GnuTLS library version does not match the GnuTLS-extra library version.", + GNUTLS_E_LIBRARY_VERSION_MISMATCH, 1), + ERROR_ENTRY ("The gcrypt library version is too old.", + GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY, 1), + + ERROR_ENTRY ("The tasn1 library version is too old.", + GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY, 1), + ERROR_ENTRY + ("The specified GnuPG TrustDB version is not supported. TrustDB v4 is supported.", + GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED, 1), + + ERROR_ENTRY ("Error loading the keyring.", + GNUTLS_E_OPENPGP_KEYRING_ERROR, 1), + ERROR_ENTRY ("The initialization of LZO has failed.", + GNUTLS_E_LZO_INIT_FAILED, 1), + ERROR_ENTRY ("No supported compression algorithms have been found.", + GNUTLS_E_NO_COMPRESSION_ALGORITHMS, 1), + ERROR_ENTRY ("No supported cipher suites have been found.", + GNUTLS_E_NO_CIPHER_SUITES, 1), + ERROR_ENTRY ("Could not get OpenPGP key.", + GNUTLS_E_OPENPGP_GETKEY_FAILED, 1), + + ERROR_ENTRY ("The SRP username supplied is illegal.", + GNUTLS_E_ILLEGAL_SRP_USERNAME, 1), + + ERROR_ENTRY ("The OpenPGP fingerprint is not supported.", + GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1), + ERROR_ENTRY ("The certificate has unsupported attributes.", + GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE, 1), + ERROR_ENTRY ("The OID is not supported.", GNUTLS_E_X509_UNSUPPORTED_OID, + 1), + ERROR_ENTRY ("The hash algorithm is unknown.", + GNUTLS_E_UNKNOWN_HASH_ALGORITHM, 1), + ERROR_ENTRY ("The PKCS structure's content type is unknown.", + GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE, 1), + ERROR_ENTRY ("The PKCS structure's bag type is unknown.", + GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE, 1), + ERROR_ENTRY ("The given password contains invalid characters.", + GNUTLS_E_INVALID_PASSWORD, 1), + ERROR_ENTRY ("The Message Authentication Code verification failed.", + GNUTLS_E_MAC_VERIFY_FAILED, 1), + ERROR_ENTRY ("Some constraint limits were reached.", + GNUTLS_E_CONSTRAINT_ERROR, 1), + ERROR_ENTRY ("Failed to acquire random data.", GNUTLS_E_RANDOM_FAILED, + 1), + {NULL, NULL, 0, 0} }; #define GNUTLS_ERROR_LOOP(b) \ @@ -259,12 +259,13 @@ static gnutls_error_entry error_algorithms[] = { * record layer or the handshake layer. * **/ -int gnutls_error_is_fatal(int error) +int +gnutls_error_is_fatal (int error) { - int ret = 0; + int ret = 0; - GNUTLS_ERROR_ALG_LOOP(ret = p->fatal); - return ret; + GNUTLS_ERROR_ALG_LOOP (ret = p->fatal); + return ret; } /** @@ -274,15 +275,16 @@ int gnutls_error_is_fatal(int error) * This function is like perror(). The only difference is that it accepts an * error number returned by a gnutls function. **/ -void gnutls_perror(int error) +void +gnutls_perror (int error) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_ERROR_ALG_LOOP(ret = p->desc); - if (ret == NULL) - ret = "(unknown)"; - fprintf(stderr, "GNUTLS ERROR: %s\n", ret); + /* avoid prefix */ + GNUTLS_ERROR_ALG_LOOP (ret = p->desc); + if (ret == NULL) + ret = "(unknown)"; + fprintf (stderr, "GNUTLS ERROR: %s\n", ret); } @@ -294,63 +296,67 @@ void gnutls_perror(int error) * number returned by a gnutls function; In case of an unknown error * a descriptive string is sent instead of NULL. **/ -const char *gnutls_strerror(int error) +const char * +gnutls_strerror (int error) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_ERROR_ALG_LOOP(ret = p->desc); - if (ret == NULL) - return "(unknown error code)"; - return ret; + /* avoid prefix */ + GNUTLS_ERROR_ALG_LOOP (ret = p->desc); + if (ret == NULL) + return "(unknown error code)"; + return ret; } /* This will print the actual define of the * given error code. */ -const char *_gnutls_strerror(int error) +const char * +_gnutls_strerror (int error) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_ERROR_ALG_LOOP(ret = p->_name); + /* avoid prefix */ + GNUTLS_ERROR_ALG_LOOP (ret = p->_name); - return ret; + return ret; } -int _gnutls_asn2err(int asn_err) +int +_gnutls_asn2err (int asn_err) { - switch (asn_err) { + switch (asn_err) + { case ASN1_FILE_NOT_FOUND: - return GNUTLS_E_FILE_ERROR; + return GNUTLS_E_FILE_ERROR; case ASN1_ELEMENT_NOT_FOUND: - return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; + return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; case ASN1_IDENTIFIER_NOT_FOUND: - return GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND; + return GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND; case ASN1_DER_ERROR: - return GNUTLS_E_ASN1_DER_ERROR; + return GNUTLS_E_ASN1_DER_ERROR; case ASN1_VALUE_NOT_FOUND: - return GNUTLS_E_ASN1_VALUE_NOT_FOUND; + return GNUTLS_E_ASN1_VALUE_NOT_FOUND; case ASN1_GENERIC_ERROR: - return GNUTLS_E_ASN1_GENERIC_ERROR; + return GNUTLS_E_ASN1_GENERIC_ERROR; case ASN1_VALUE_NOT_VALID: - return GNUTLS_E_ASN1_VALUE_NOT_VALID; + return GNUTLS_E_ASN1_VALUE_NOT_VALID; case ASN1_TAG_ERROR: - return GNUTLS_E_ASN1_TAG_ERROR; + return GNUTLS_E_ASN1_TAG_ERROR; case ASN1_TAG_IMPLICIT: - return GNUTLS_E_ASN1_TAG_IMPLICIT; + return GNUTLS_E_ASN1_TAG_IMPLICIT; case ASN1_ERROR_TYPE_ANY: - return GNUTLS_E_ASN1_TYPE_ANY_ERROR; + return GNUTLS_E_ASN1_TYPE_ANY_ERROR; case ASN1_SYNTAX_ERROR: - return GNUTLS_E_ASN1_SYNTAX_ERROR; + return GNUTLS_E_ASN1_SYNTAX_ERROR; case ASN1_MEM_ERROR: - return GNUTLS_E_SHORT_MEMORY_BUFFER; + return GNUTLS_E_SHORT_MEMORY_BUFFER; case ASN1_MEM_ALLOC_ERROR: - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_MEMORY_ERROR; case ASN1_DER_OVERFLOW: - return GNUTLS_E_ASN1_DER_OVERFLOW; + return GNUTLS_E_ASN1_DER_OVERFLOW; default: - return GNUTLS_E_ASN1_GENERIC_ERROR; + return GNUTLS_E_ASN1_GENERIC_ERROR; } } @@ -358,20 +364,21 @@ int _gnutls_asn2err(int asn_err) /* this function will output a message using the * caller provided function */ -void _gnutls_log(int level, const char *fmt, ...) +void +_gnutls_log (int level, const char *fmt, ...) { - va_list args; - char str[MAX_LOG_SIZE]; - void (*log_func) (int, const char *) = _gnutls_log_func; + va_list args; + char str[MAX_LOG_SIZE]; + void (*log_func) (int, const char *) = _gnutls_log_func; - if (_gnutls_log_func == NULL) - return; + if (_gnutls_log_func == NULL) + return; - va_start(args, fmt); - vsnprintf(str, MAX_LOG_SIZE - 1, fmt, args); /* Flawfinder: ignore */ - va_end(args); + va_start (args, fmt); + vsnprintf (str, MAX_LOG_SIZE - 1, fmt, args); /* Flawfinder: ignore */ + va_end (args); - log_func(level, str); + log_func (level, str); } #ifndef DEBUG @@ -380,10 +387,11 @@ void _gnutls_log(int level, const char *fmt, ...) /* Without C99 macros these functions have to * be called. This may affect performance. */ -void _gnutls_null_log(void *x, ...) +void +_gnutls_null_log (void *x, ...) { - return; + return; } -# endif /* C99_MACROS */ -#endif /* DEBUG */ +# endif /* C99_MACROS */ +#endif /* DEBUG */ diff --git a/lib/gnutls_errors.h b/lib/gnutls_errors.h index 7510bb047a..46724708b0 100644 --- a/lib/gnutls_errors.h +++ b/lib/gnutls_errors.h @@ -33,12 +33,12 @@ # else # define gnutls_assert() # endif -#else /* __FILE__ not defined */ +#else /* __FILE__ not defined */ # define gnutls_assert() #endif -int _gnutls_asn2err(int asn_err); -void _gnutls_log(int, const char *fmt, ...); +int _gnutls_asn2err (int asn_err); +void _gnutls_log (int, const char *fmt, ...); extern int _gnutls_log_level; @@ -69,6 +69,6 @@ extern int _gnutls_log_level; # define _gnutls_write_log _gnutls_null_log # define _gnutls_x509_log _gnutls_null_log -void _gnutls_null_log(void *, ...); +void _gnutls_null_log (void *, ...); -#endif /* C99_MACROS */ +#endif /* C99_MACROS */ diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c index 11e4c1a83b..6c644f4177 100644 --- a/lib/gnutls_extensions.c +++ b/lib/gnutls_extensions.c @@ -45,21 +45,21 @@ const int _gnutls_extensions_size = MAX_EXT_SIZE; gnutls_extension_entry _gnutls_extensions[MAX_EXT_SIZE] = { - GNUTLS_EXTENSION_ENTRY(GNUTLS_EXTENSION_MAX_RECORD_SIZE, - _gnutls_max_record_recv_params, - _gnutls_max_record_send_params), - GNUTLS_EXTENSION_ENTRY(GNUTLS_EXTENSION_CERT_TYPE, - _gnutls_cert_type_recv_params, - _gnutls_cert_type_send_params), - GNUTLS_EXTENSION_ENTRY(GNUTLS_EXTENSION_SERVER_NAME, - _gnutls_server_name_recv_params, - _gnutls_server_name_send_params), + GNUTLS_EXTENSION_ENTRY (GNUTLS_EXTENSION_MAX_RECORD_SIZE, + _gnutls_max_record_recv_params, + _gnutls_max_record_send_params), + GNUTLS_EXTENSION_ENTRY (GNUTLS_EXTENSION_CERT_TYPE, + _gnutls_cert_type_recv_params, + _gnutls_cert_type_send_params), + GNUTLS_EXTENSION_ENTRY (GNUTLS_EXTENSION_SERVER_NAME, + _gnutls_server_name_recv_params, + _gnutls_server_name_send_params), #ifdef ENABLE_SRP - GNUTLS_EXTENSION_ENTRY(GNUTLS_EXTENSION_SRP, - _gnutls_srp_recv_params, - _gnutls_srp_send_params), + GNUTLS_EXTENSION_ENTRY (GNUTLS_EXTENSION_SRP, + _gnutls_srp_recv_params, + _gnutls_srp_send_params), #endif - {0, 0, 0, 0} + {0, 0, 0, 0} }; #define GNUTLS_EXTENSION_LOOP2(b) \ @@ -72,112 +72,122 @@ gnutls_extension_entry _gnutls_extensions[MAX_EXT_SIZE] = { /* EXTENSION functions */ -ext_recv_func _gnutls_ext_func_recv(uint16 type) +ext_recv_func +_gnutls_ext_func_recv (uint16 type) { - ext_recv_func ret = NULL; - GNUTLS_EXTENSION_LOOP(ret = p->gnutls_ext_func_recv); - return ret; + ext_recv_func ret = NULL; + GNUTLS_EXTENSION_LOOP (ret = p->gnutls_ext_func_recv); + return ret; } -ext_send_func _gnutls_ext_func_send(uint16 type) +ext_send_func +_gnutls_ext_func_send (uint16 type) { - ext_send_func ret = NULL; - GNUTLS_EXTENSION_LOOP(ret = p->gnutls_ext_func_send); - return ret; + ext_send_func ret = NULL; + GNUTLS_EXTENSION_LOOP (ret = p->gnutls_ext_func_send); + return ret; } -const char *_gnutls_extension_get_name(uint16 type) +const char * +_gnutls_extension_get_name (uint16 type) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_EXTENSION_LOOP(ret = p->name + sizeof("GNUTLS_EXTENSION_") - 1); + /* avoid prefix */ + GNUTLS_EXTENSION_LOOP (ret = p->name + sizeof ("GNUTLS_EXTENSION_") - 1); - return ret; + return ret; } /* Checks if the extension we just received is one of the * requested ones. Otherwise it's a fatal error. */ -static int _gnutls_extension_list_check(gnutls_session_t session, - uint16 type) +static int +_gnutls_extension_list_check (gnutls_session_t session, uint16 type) { - if (session->security_parameters.entity == GNUTLS_CLIENT) { - int i; - for (i = 0; i < session->internals.extensions_sent_size; i++) { - if (type == session->internals.extensions_sent[i]) - return 0; /* ok found */ + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + int i; + for (i = 0; i < session->internals.extensions_sent_size; i++) + { + if (type == session->internals.extensions_sent[i]) + return 0; /* ok found */ } - return GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION; + return GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION; } - return 0; + return 0; } -int _gnutls_parse_extensions(gnutls_session_t session, const opaque * data, - int data_size) +int +_gnutls_parse_extensions (gnutls_session_t session, const opaque * data, + int data_size) { - int next, ret; - int pos = 0; - uint16 type; - const opaque *sdata; - ext_recv_func ext_recv; - uint16 size; + int next, ret; + int pos = 0; + uint16 type; + const opaque *sdata; + ext_recv_func ext_recv; + uint16 size; #ifdef DEBUG - int i; - - if (session->security_parameters.entity == GNUTLS_CLIENT) - for (i = 0; i < session->internals.extensions_sent_size; i++) { - _gnutls_debug_log("EXT[%d]: expecting extension '%s'\n", - session, - _gnutls_extension_get_name(session-> - internals. - extensions_sent - [i])); - } + int i; + + if (session->security_parameters.entity == GNUTLS_CLIENT) + for (i = 0; i < session->internals.extensions_sent_size; i++) + { + _gnutls_debug_log ("EXT[%d]: expecting extension '%s'\n", + session, + _gnutls_extension_get_name (session-> + internals. + extensions_sent[i])); + } #endif - DECR_LENGTH_RET(data_size, 2, 0); - next = _gnutls_read_uint16(data); - pos += 2; + DECR_LENGTH_RET (data_size, 2, 0); + next = _gnutls_read_uint16 (data); + pos += 2; - DECR_LENGTH_RET(data_size, next, 0); + DECR_LENGTH_RET (data_size, next, 0); - do { - DECR_LENGTH_RET(next, 2, 0); - type = _gnutls_read_uint16(&data[pos]); - pos += 2; + do + { + DECR_LENGTH_RET (next, 2, 0); + type = _gnutls_read_uint16 (&data[pos]); + pos += 2; - _gnutls_debug_log("EXT[%x]: Received extension '%s'\n", session, - _gnutls_extension_get_name(type)); + _gnutls_debug_log ("EXT[%x]: Received extension '%s'\n", session, + _gnutls_extension_get_name (type)); - if ((ret = _gnutls_extension_list_check(session, type)) < 0) { - gnutls_assert(); - return ret; + if ((ret = _gnutls_extension_list_check (session, type)) < 0) + { + gnutls_assert (); + return ret; } - DECR_LENGTH_RET(next, 2, 0); - size = _gnutls_read_uint16(&data[pos]); - pos += 2; - - DECR_LENGTH_RET(next, size, 0); - sdata = &data[pos]; - pos += size; - - ext_recv = _gnutls_ext_func_recv(type); - if (ext_recv == NULL) - continue; - if ((ret = ext_recv(session, sdata, size)) < 0) { - gnutls_assert(); - return ret; + DECR_LENGTH_RET (next, 2, 0); + size = _gnutls_read_uint16 (&data[pos]); + pos += 2; + + DECR_LENGTH_RET (next, size, 0); + sdata = &data[pos]; + pos += size; + + ext_recv = _gnutls_ext_func_recv (type); + if (ext_recv == NULL) + continue; + if ((ret = ext_recv (session, sdata, size)) < 0) + { + gnutls_assert (); + return ret; } - } while (next > 2); + } + while (next > 2); - return 0; + return 0; } @@ -185,96 +195,109 @@ int _gnutls_parse_extensions(gnutls_session_t session, const opaque * data, * This list is used to check whether the (later) received * extensions are the ones we requested. */ -static void _gnutls_extension_list_add(gnutls_session_t session, - uint16 type) +static void +_gnutls_extension_list_add (gnutls_session_t session, uint16 type) { - if (session->security_parameters.entity == GNUTLS_CLIENT) { - if (session->internals.extensions_sent_size < MAX_EXT_TYPES) { - session->internals.extensions_sent[session->internals. - extensions_sent_size] = - type; - session->internals.extensions_sent_size++; - } else { - _gnutls_debug_log("extensions: Increase MAX_EXT_TYPES\n"); + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + if (session->internals.extensions_sent_size < MAX_EXT_TYPES) + { + session->internals.extensions_sent[session->internals. + extensions_sent_size] = type; + session->internals.extensions_sent_size++; + } + else + { + _gnutls_debug_log ("extensions: Increase MAX_EXT_TYPES\n"); } } } -int _gnutls_gen_extensions(gnutls_session_t session, opaque * data, - size_t data_size) +int +_gnutls_gen_extensions (gnutls_session_t session, opaque * data, + size_t data_size) { - int next, size; - uint16 pos = 0; - opaque *sdata; - int sdata_size; - ext_send_func ext_send; + int next, size; + uint16 pos = 0; + opaque *sdata; + int sdata_size; + ext_send_func ext_send; - if (data_size < 2) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (data_size < 2) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* allocate enough data for each extension. - */ - sdata_size = data_size; - sdata = gnutls_malloc(sdata_size); - if (sdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* allocate enough data for each extension. + */ + sdata_size = data_size; + sdata = gnutls_malloc (sdata_size); + if (sdata == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - pos += 2; - next = MAX_EXT_TYPES; /* maximum supported extensions */ - do { - next--; - ext_send = _gnutls_ext_func_send(next); - if (ext_send == NULL) - continue; - size = ext_send(session, sdata, sdata_size); - if (size > 0) { - if (data_size < pos + (size_t) size + 4) { - gnutls_assert(); - gnutls_free(sdata); - return GNUTLS_E_INTERNAL_ERROR; + pos += 2; + next = MAX_EXT_TYPES; /* maximum supported extensions */ + do + { + next--; + ext_send = _gnutls_ext_func_send (next); + if (ext_send == NULL) + continue; + size = ext_send (session, sdata, sdata_size); + if (size > 0) + { + if (data_size < pos + (size_t) size + 4) + { + gnutls_assert (); + gnutls_free (sdata); + return GNUTLS_E_INTERNAL_ERROR; } - /* write extension type */ - _gnutls_write_uint16(next, &data[pos]); - pos += 2; + /* write extension type */ + _gnutls_write_uint16 (next, &data[pos]); + pos += 2; - /* write size */ - _gnutls_write_uint16(size, &data[pos]); - pos += 2; + /* write size */ + _gnutls_write_uint16 (size, &data[pos]); + pos += 2; - memcpy(&data[pos], sdata, size); - pos += size; + memcpy (&data[pos], sdata, size); + pos += size; - /* add this extension to the extension list - */ - _gnutls_extension_list_add(session, next); + /* add this extension to the extension list + */ + _gnutls_extension_list_add (session, next); - _gnutls_debug_log("EXT[%x]: Sending extension %s\n", session, - _gnutls_extension_get_name(next)); - } else if (size < 0) { - gnutls_assert(); - gnutls_free(sdata); - return size; + _gnutls_debug_log ("EXT[%x]: Sending extension %s\n", session, + _gnutls_extension_get_name (next)); + } + else if (size < 0) + { + gnutls_assert (); + gnutls_free (sdata); + return size; } - } while (next >= 0); + } + while (next >= 0); - size = pos; - pos -= 2; /* remove the size of the size header! */ + size = pos; + pos -= 2; /* remove the size of the size header! */ - _gnutls_write_uint16(pos, data); + _gnutls_write_uint16 (pos, data); - if (size == 2) { /* empty */ - size = 0; + if (size == 2) + { /* empty */ + size = 0; } - gnutls_free(sdata); - return size; + gnutls_free (sdata); + return size; } diff --git a/lib/gnutls_extensions.h b/lib/gnutls_extensions.h index 8789201edf..de6aeb7e35 100644 --- a/lib/gnutls_extensions.h +++ b/lib/gnutls_extensions.h @@ -24,20 +24,21 @@ #include <gnutls_int.h> -const char *_gnutls_extension_get_name(uint16 type); -int _gnutls_parse_extensions(gnutls_session_t, const opaque *, int); -int _gnutls_gen_extensions(gnutls_session_t session, opaque * data, - size_t data_size); +const char *_gnutls_extension_get_name (uint16 type); +int _gnutls_parse_extensions (gnutls_session_t, const opaque *, int); +int _gnutls_gen_extensions (gnutls_session_t session, opaque * data, + size_t data_size); typedef int (*ext_recv_func) (gnutls_session_t, const opaque *, size_t); /* recv data */ typedef int (*ext_send_func) (gnutls_session_t, opaque *, size_t); /* send data */ -ext_send_func _gnutls_ext_func_send(uint16 type); -ext_recv_func _gnutls_ext_func_recv(uint16 type); +ext_send_func _gnutls_ext_func_send (uint16 type); +ext_recv_func _gnutls_ext_func_recv (uint16 type); -typedef struct { - const char *name; - uint16 type; - ext_recv_func gnutls_ext_func_recv; - ext_send_func gnutls_ext_func_send; +typedef struct +{ + const char *name; + uint16 type; + ext_recv_func gnutls_ext_func_recv; + ext_send_func gnutls_ext_func_send; } gnutls_extension_entry; diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c index b7ba3592c1..c8184db7e0 100644 --- a/lib/gnutls_global.c +++ b/lib/gnutls_global.c @@ -51,9 +51,10 @@ ASN1_TYPE _gnutls_gnutls_asn; * gnutls_log_func is of the form, * void (*gnutls_log_func)( int level, const char*); **/ -void gnutls_global_set_log_function(gnutls_log_func log_func) +void +gnutls_global_set_log_function (gnutls_log_func log_func) { - _gnutls_log_func = log_func; + _gnutls_log_func = log_func; } /** @@ -68,17 +69,19 @@ void gnutls_global_set_log_function(gnutls_log_func log_func) * Use a log level over 10 to enable all debugging options. * **/ -void gnutls_global_set_log_level(int level) +void +gnutls_global_set_log_level (int level) { - _gnutls_log_level = level; + _gnutls_log_level = level; } #ifdef DEBUG /* default logging function */ -static void dlog(int level, const char *str) +static void +dlog (int level, const char *str) { - fputs(str, stderr); + fputs (str, stderr); } #endif @@ -90,7 +93,7 @@ extern gnutls_realloc_function gnutls_realloc; extern char *(*gnutls_strdup) (const char *); extern void *(*gnutls_calloc) (size_t, size_t); -int _gnutls_is_secure_mem_null(const void *); +int _gnutls_is_secure_mem_null (const void *); /** * gnutls_global_set_mem_functions - This function sets the memory allocation functions @@ -109,41 +112,46 @@ int _gnutls_is_secure_mem_null(const void *); * This function must be called before gnutls_global_init() is called. * **/ -void gnutls_global_set_mem_functions(gnutls_alloc_function alloc_func, - gnutls_alloc_function - secure_alloc_func, - gnutls_is_secure_function - is_secure_func, - gnutls_realloc_function realloc_func, - gnutls_free_function free_func) +void +gnutls_global_set_mem_functions (gnutls_alloc_function alloc_func, + gnutls_alloc_function + secure_alloc_func, + gnutls_is_secure_function + is_secure_func, + gnutls_realloc_function realloc_func, + gnutls_free_function free_func) { - gnutls_secure_malloc = secure_alloc_func; - gnutls_malloc = alloc_func; - gnutls_realloc = realloc_func; - gnutls_free = free_func; - - if (is_secure_func != NULL) - _gnutls_is_secure_memory = is_secure_func; - else - _gnutls_is_secure_memory = _gnutls_is_secure_mem_null; - - /* if using the libc's default malloc - * use libc's calloc as well. - */ - if (gnutls_malloc == malloc) { - gnutls_calloc = calloc; - } else { /* use the included ones */ - gnutls_calloc = _gnutls_calloc; + gnutls_secure_malloc = secure_alloc_func; + gnutls_malloc = alloc_func; + gnutls_realloc = realloc_func; + gnutls_free = free_func; + + if (is_secure_func != NULL) + _gnutls_is_secure_memory = is_secure_func; + else + _gnutls_is_secure_memory = _gnutls_is_secure_mem_null; + + /* if using the libc's default malloc + * use libc's calloc as well. + */ + if (gnutls_malloc == malloc) + { + gnutls_calloc = calloc; } - gnutls_strdup = _gnutls_strdup; + else + { /* use the included ones */ + gnutls_calloc = _gnutls_calloc; + } + gnutls_strdup = _gnutls_strdup; } #ifdef DEBUG -static void _gnutls_gcry_log_handler(void *dummy, int level, - const char *fmt, va_list list) +static void +_gnutls_gcry_log_handler (void *dummy, int level, + const char *fmt, va_list list) { - _gnutls_log(fmt, list); + _gnutls_log (fmt, list); } #endif @@ -164,82 +172,92 @@ static int _gnutls_init = 0; * want to disable libgcrypt's internal lockings etc. * **/ -int gnutls_global_init(void) +int +gnutls_global_init (void) { - int result = 0; - int res; - - if (_gnutls_init) - goto out; - _gnutls_init++; - - if (gcry_control( GCRYCTL_ANY_INITIALIZATION_P) == 0) { - const char* p; - p = strchr( GNUTLS_GCRYPT_VERSION, ':'); - if (p==NULL) p = GNUTLS_GCRYPT_VERSION; - else p++; - - if (gcry_check_version(p)==NULL) { - gnutls_assert(); - _gnutls_debug_log("Checking for libgcrypt failed '%s'\n", p); - return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY; - } + int result = 0; + int res; + + if (_gnutls_init) + goto out; + _gnutls_init++; + + if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P) == 0) + { + const char *p; + p = strchr (GNUTLS_GCRYPT_VERSION, ':'); + if (p == NULL) + p = GNUTLS_GCRYPT_VERSION; + else + p++; + + if (gcry_check_version (p) == NULL) + { + gnutls_assert (); + _gnutls_debug_log ("Checking for libgcrypt failed '%s'\n", p); + return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY; + } /* for gcrypt in order to be able to allocate memory */ - gcry_set_allocation_handler(gnutls_malloc, gnutls_secure_malloc, _gnutls_is_secure_memory, gnutls_realloc, gnutls_free); + gcry_set_allocation_handler (gnutls_malloc, gnutls_secure_malloc, + _gnutls_is_secure_memory, gnutls_realloc, + gnutls_free); /* gcry_control (GCRYCTL_DISABLE_INTERNAL_LOCKING, NULL, 0); */ - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, NULL,0); + gcry_control (GCRYCTL_INITIALIZATION_FINISHED, NULL, 0); #ifdef DEBUG /* applications may want to override that, so we only use * it in debugging mode. */ - gcry_set_log_handler( _gnutls_gcry_log_handler, NULL); + gcry_set_log_handler (_gnutls_gcry_log_handler, NULL); #endif } - if (gc_init() != GC_OK) { - gnutls_assert(); - _gnutls_debug_log("Initializing crypto backend failed\n"); - return GNUTLS_E_INCOMPATIBLE_CRYPTO_LIBRARY; + if (gc_init () != GC_OK) + { + gnutls_assert (); + _gnutls_debug_log ("Initializing crypto backend failed\n"); + return GNUTLS_E_INCOMPATIBLE_CRYPTO_LIBRARY; } - /* for gcrypt in order to be able to allocate memory */ - gc_set_allocators(gnutls_malloc, gnutls_secure_malloc, - _gnutls_is_secure_memory, - gnutls_realloc, gnutls_free); + /* for gcrypt in order to be able to allocate memory */ + gc_set_allocators (gnutls_malloc, gnutls_secure_malloc, + _gnutls_is_secure_memory, gnutls_realloc, gnutls_free); #ifdef DEBUG - gnutls_global_set_log_function(dlog); + gnutls_global_set_log_function (dlog); #endif - /* initialize parser - * This should not deal with files in the final - * version. - */ + /* initialize parser + * This should not deal with files in the final + * version. + */ - if (asn1_check_version(GNUTLS_LIBTASN1_VERSION) == NULL) { - gnutls_assert(); - return GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY; + if (asn1_check_version (GNUTLS_LIBTASN1_VERSION) == NULL) + { + gnutls_assert (); + return GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY; } - res = asn1_array2tree(pkix_asn1_tab, &_gnutls_pkix1_asn, NULL); - if (res != ASN1_SUCCESS) { - result = _gnutls_asn2err(res); - goto out; + res = asn1_array2tree (pkix_asn1_tab, &_gnutls_pkix1_asn, NULL); + if (res != ASN1_SUCCESS) + { + result = _gnutls_asn2err (res); + goto out; } - res = asn1_array2tree(gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL); - if (res != ASN1_SUCCESS) { - asn1_delete_structure(&_gnutls_pkix1_asn); - result = _gnutls_asn2err(res); - goto out; + res = asn1_array2tree (gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL); + if (res != ASN1_SUCCESS) + { + asn1_delete_structure (&_gnutls_pkix1_asn); + result = _gnutls_asn2err (res); + goto out; } - out: - return result; +out: + return result; } /** @@ -250,13 +268,15 @@ int gnutls_global_init(void) * **/ -void gnutls_global_deinit(void) +void +gnutls_global_deinit (void) { - if (_gnutls_init == 1) { - _gnutls_init--; - asn1_delete_structure(&_gnutls_gnutls_asn); - asn1_delete_structure(&_gnutls_pkix1_asn); + if (_gnutls_init == 1) + { + _gnutls_init--; + asn1_delete_structure (&_gnutls_gnutls_asn); + asn1_delete_structure (&_gnutls_pkix1_asn); } } @@ -279,10 +299,11 @@ void gnutls_global_deinit(void) * PULL_FUNC is of the form, * ssize_t (*gnutls_pull_func)(gnutls_transport_ptr_t, void*, size_t); **/ -void gnutls_transport_set_pull_function(gnutls_session_t session, - gnutls_pull_func pull_func) +void +gnutls_transport_set_pull_function (gnutls_session_t session, + gnutls_pull_func pull_func) { - session->internals._gnutls_pull_func = pull_func; + session->internals._gnutls_pull_func = pull_func; } /** @@ -299,47 +320,50 @@ void gnutls_transport_set_pull_function(gnutls_session_t session, * PUSH_FUNC is of the form, * ssize_t (*gnutls_push_func)(gnutls_transport_ptr_t, const void*, size_t); **/ -void gnutls_transport_set_push_function(gnutls_session_t session, - gnutls_push_func push_func) +void +gnutls_transport_set_push_function (gnutls_session_t session, + gnutls_push_func push_func) { - session->internals._gnutls_push_func = push_func; + session->internals._gnutls_push_func = push_func; } /* Taken from libgcrypt. Needed to configure scripts. */ -static const char *parse_version_number(const char *s, int *number) +static const char * +parse_version_number (const char *s, int *number) { - int val = 0; - - if (*s == '0' && isdigit(s[1])) - return NULL; /* leading zeros are not allowed */ - for (; isdigit(*s); s++) { - val *= 10; - val += *s - '0'; + int val = 0; + + if (*s == '0' && isdigit (s[1])) + return NULL; /* leading zeros are not allowed */ + for (; isdigit (*s); s++) + { + val *= 10; + val += *s - '0'; } - *number = val; - return val < 0 ? NULL : s; + *number = val; + return val < 0 ? NULL : s; } /* The parse version functions were copied from libgcrypt. */ -static const char *parse_version_string(const char *s, int *major, - int *minor, int *micro) +static const char * +parse_version_string (const char *s, int *major, int *minor, int *micro) { - s = parse_version_number(s, major); - if (!s || *s != '.') - return NULL; - s++; - s = parse_version_number(s, minor); - if (!s || *s != '.') - return NULL; - s++; - s = parse_version_number(s, micro); - if (!s) - return NULL; - return s; /* patchlevel */ + s = parse_version_number (s, major); + if (!s || *s != '.') + return NULL; + s++; + s = parse_version_number (s, minor); + if (!s || *s != '.') + return NULL; + s++; + s = parse_version_number (s, micro); + if (!s) + return NULL; + return s; /* patchlevel */ } /** @@ -352,31 +376,33 @@ static const char *parse_version_string(const char *s, int *major, * but the version string is simply returned. * **/ -const char *gnutls_check_version(const char *req_version) +const char * +gnutls_check_version (const char *req_version) { - const char *ver = VERSION; - int my_major, my_minor, my_micro; - int rq_major, rq_minor, rq_micro; - const char *my_plvl, *rq_plvl; - - if (!req_version) - return ver; - - my_plvl = parse_version_string(ver, &my_major, &my_minor, &my_micro); - if (!my_plvl) - return NULL; /* very strange our own version is bogus */ - rq_plvl = parse_version_string(req_version, &rq_major, &rq_minor, - &rq_micro); - if (!rq_plvl) - return NULL; /* req version string is invalid */ - - if (my_major > rq_major - || (my_major == rq_major && my_minor > rq_minor) - || (my_major == rq_major && my_minor == rq_minor - && my_micro > rq_micro) - || (my_major == rq_major && my_minor == rq_minor - && my_micro == rq_micro && strcmp(my_plvl, rq_plvl) >= 0)) { - return ver; + const char *ver = VERSION; + int my_major, my_minor, my_micro; + int rq_major, rq_minor, rq_micro; + const char *my_plvl, *rq_plvl; + + if (!req_version) + return ver; + + my_plvl = parse_version_string (ver, &my_major, &my_minor, &my_micro); + if (!my_plvl) + return NULL; /* very strange our own version is bogus */ + rq_plvl = parse_version_string (req_version, &rq_major, &rq_minor, + &rq_micro); + if (!rq_plvl) + return NULL; /* req version string is invalid */ + + if (my_major > rq_major + || (my_major == rq_major && my_minor > rq_minor) + || (my_major == rq_major && my_minor == rq_minor + && my_micro > rq_micro) + || (my_major == rq_major && my_minor == rq_minor + && my_micro == rq_micro && strcmp (my_plvl, rq_plvl) >= 0)) + { + return ver; } - return NULL; + return NULL; } diff --git a/lib/gnutls_global.h b/lib/gnutls_global.h index fd4fcaeade..94db92bf9c 100644 --- a/lib/gnutls_global.h +++ b/lib/gnutls_global.h @@ -27,7 +27,7 @@ #include <libtasn1.h> -int gnutls_is_secure_memory(const void *mem); +int gnutls_is_secure_memory (const void *mem); extern ASN1_TYPE _gnutls_pkix1_asn; extern ASN1_TYPE _gnutls_gnutls_asn; diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 464d2572dc..4331fb136b 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -60,77 +60,79 @@ #define TRUE 1 #define FALSE 0 -int _gnutls_server_select_comp_method(gnutls_session_t session, - opaque * data, int datalen); +int _gnutls_server_select_comp_method (gnutls_session_t session, + opaque * data, int datalen); /* Clears the handshake hash buffers and handles. */ -inline static -void _gnutls_handshake_hash_buffers_clear(gnutls_session_t session) +inline static void +_gnutls_handshake_hash_buffers_clear (gnutls_session_t session) { - _gnutls_hash_deinit(session->internals.handshake_mac_handle_md5, NULL); - _gnutls_hash_deinit(session->internals.handshake_mac_handle_sha, NULL); - session->internals.handshake_mac_handle_md5 = NULL; - session->internals.handshake_mac_handle_sha = NULL; - _gnutls_handshake_buffer_clear(session); + _gnutls_hash_deinit (session->internals.handshake_mac_handle_md5, NULL); + _gnutls_hash_deinit (session->internals.handshake_mac_handle_sha, NULL); + session->internals.handshake_mac_handle_md5 = NULL; + session->internals.handshake_mac_handle_sha = NULL; + _gnutls_handshake_buffer_clear (session); } /* this will copy the required values for resuming to * internals, and to security_parameters. * this will keep as less data to security_parameters. */ -static void resume_copy_required_values(gnutls_session_t session) +static void +resume_copy_required_values (gnutls_session_t session) { - /* get the new random values */ - memcpy(session->internals.resumed_security_parameters. - server_random, - session->security_parameters.server_random, TLS_RANDOM_SIZE); - memcpy(session->internals.resumed_security_parameters. - client_random, - session->security_parameters.client_random, TLS_RANDOM_SIZE); - - /* keep the ciphersuite and compression - * That is because the client must see these in our - * hello message. - */ - memcpy(session->security_parameters.current_cipher_suite. - suite, - session->internals.resumed_security_parameters. - current_cipher_suite.suite, 2); - - session->internals.compression_method = - session->internals.resumed_security_parameters. - read_compression_algorithm; - /* or write_compression_algorithm - * they are the same - */ - - session->security_parameters.entity = - session->internals.resumed_security_parameters.entity; - - _gnutls_set_current_version(session, - session->internals. - resumed_security_parameters.version); - - session->security_parameters.cert_type = - session->internals.resumed_security_parameters.cert_type; - - memcpy(session->security_parameters.session_id, - session->internals.resumed_security_parameters. - session_id, sizeof(session->security_parameters.session_id)); - session->security_parameters.session_id_size = - session->internals.resumed_security_parameters.session_id_size; + /* get the new random values */ + memcpy (session->internals.resumed_security_parameters. + server_random, + session->security_parameters.server_random, TLS_RANDOM_SIZE); + memcpy (session->internals.resumed_security_parameters. + client_random, + session->security_parameters.client_random, TLS_RANDOM_SIZE); + + /* keep the ciphersuite and compression + * That is because the client must see these in our + * hello message. + */ + memcpy (session->security_parameters.current_cipher_suite. + suite, + session->internals.resumed_security_parameters. + current_cipher_suite.suite, 2); + + session->internals.compression_method = + session->internals.resumed_security_parameters.read_compression_algorithm; + /* or write_compression_algorithm + * they are the same + */ + + session->security_parameters.entity = + session->internals.resumed_security_parameters.entity; + + _gnutls_set_current_version (session, + session->internals. + resumed_security_parameters.version); + + session->security_parameters.cert_type = + session->internals.resumed_security_parameters.cert_type; + + memcpy (session->security_parameters.session_id, + session->internals.resumed_security_parameters. + session_id, sizeof (session->security_parameters.session_id)); + session->security_parameters.session_id_size = + session->internals.resumed_security_parameters.session_id_size; } -void _gnutls_set_server_random(gnutls_session_t session, uint8 * rnd) +void +_gnutls_set_server_random (gnutls_session_t session, uint8 * rnd) { - memcpy(session->security_parameters.server_random, rnd, TLS_RANDOM_SIZE); + memcpy (session->security_parameters.server_random, rnd, TLS_RANDOM_SIZE); } -void _gnutls_set_client_random(gnutls_session_t session, uint8 * rnd) +void +_gnutls_set_client_random (gnutls_session_t session, uint8 * rnd) { - memcpy(session->security_parameters.client_random, rnd, TLS_RANDOM_SIZE); + memcpy (session->security_parameters.client_random, rnd, TLS_RANDOM_SIZE); } /* Calculate The SSL3 Finished message @@ -138,46 +140,49 @@ void _gnutls_set_client_random(gnutls_session_t session, uint8 * rnd) #define SSL3_CLIENT_MSG "CLNT" #define SSL3_SERVER_MSG "SRVR" #define SSL_MSG_LEN 4 -static int _gnutls_ssl3_finished(gnutls_session_t session, int type, - opaque * ret) +static int +_gnutls_ssl3_finished (gnutls_session_t session, int type, opaque * ret) { - const int siz = SSL_MSG_LEN; - mac_hd_t td_md5; - mac_hd_t td_sha; - const char *mesg; + const int siz = SSL_MSG_LEN; + mac_hd_t td_md5; + mac_hd_t td_sha; + const char *mesg; - td_md5 = - _gnutls_hash_copy(session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + td_md5 = _gnutls_hash_copy (session->internals.handshake_mac_handle_md5); + if (td_md5 == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - td_sha = - _gnutls_hash_copy(session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) { - gnutls_assert(); - _gnutls_hash_deinit(td_md5, NULL); - return GNUTLS_E_HASH_FAILED; + td_sha = _gnutls_hash_copy (session->internals.handshake_mac_handle_sha); + if (td_sha == NULL) + { + gnutls_assert (); + _gnutls_hash_deinit (td_md5, NULL); + return GNUTLS_E_HASH_FAILED; } - if (type == GNUTLS_SERVER) { - mesg = SSL3_SERVER_MSG; - } else { - mesg = SSL3_CLIENT_MSG; + if (type == GNUTLS_SERVER) + { + mesg = SSL3_SERVER_MSG; + } + else + { + mesg = SSL3_CLIENT_MSG; } - _gnutls_hash(td_md5, mesg, siz); - _gnutls_hash(td_sha, mesg, siz); + _gnutls_hash (td_md5, mesg, siz); + _gnutls_hash (td_sha, mesg, siz); - _gnutls_mac_deinit_ssl3_handshake(td_md5, ret, - session->security_parameters. - master_secret, TLS_MASTER_SIZE); - _gnutls_mac_deinit_ssl3_handshake(td_sha, &ret[16], - session->security_parameters. - master_secret, TLS_MASTER_SIZE); + _gnutls_mac_deinit_ssl3_handshake (td_md5, ret, + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + _gnutls_mac_deinit_ssl3_handshake (td_sha, &ret[16], + session->security_parameters. + master_secret, TLS_MASTER_SIZE); - return 0; + return 0; } /* Hash the handshake messages as required by TLS 1.0 @@ -185,66 +190,72 @@ static int _gnutls_ssl3_finished(gnutls_session_t session, int type, #define SERVER_MSG "server finished" #define CLIENT_MSG "client finished" #define TLS_MSG_LEN 15 -int _gnutls_finished(gnutls_session_t session, int type, void *ret) +int +_gnutls_finished (gnutls_session_t session, int type, void *ret) { - const int siz = TLS_MSG_LEN; - opaque concat[36]; - const char *mesg; - mac_hd_t td_md5; - mac_hd_t td_sha; + const int siz = TLS_MSG_LEN; + opaque concat[36]; + const char *mesg; + mac_hd_t td_md5; + mac_hd_t td_sha; - td_md5 = - _gnutls_hash_copy(session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + td_md5 = _gnutls_hash_copy (session->internals.handshake_mac_handle_md5); + if (td_md5 == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - td_sha = - _gnutls_hash_copy(session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) { - gnutls_assert(); - _gnutls_hash_deinit(td_md5, NULL); - return GNUTLS_E_HASH_FAILED; + td_sha = _gnutls_hash_copy (session->internals.handshake_mac_handle_sha); + if (td_sha == NULL) + { + gnutls_assert (); + _gnutls_hash_deinit (td_md5, NULL); + return GNUTLS_E_HASH_FAILED; } - _gnutls_hash_deinit(td_md5, concat); - _gnutls_hash_deinit(td_sha, &concat[16]); + _gnutls_hash_deinit (td_md5, concat); + _gnutls_hash_deinit (td_sha, &concat[16]); - if (type == GNUTLS_SERVER) { - mesg = SERVER_MSG; - } else { - mesg = CLIENT_MSG; + if (type == GNUTLS_SERVER) + { + mesg = SERVER_MSG; + } + else + { + mesg = CLIENT_MSG; } - return _gnutls_PRF(session->security_parameters.master_secret, - TLS_MASTER_SIZE, mesg, siz, concat, 36, 12, ret); + return _gnutls_PRF (session->security_parameters.master_secret, + TLS_MASTER_SIZE, mesg, siz, concat, 36, 12, ret); } /* this function will produce TLS_RANDOM_SIZE==32 bytes of random data * and put it to dst. */ -int _gnutls_tls_create_random(opaque * dst) +int +_gnutls_tls_create_random (opaque * dst) { - uint32 tim; + uint32 tim; - /* Use weak random numbers for the most of the - * buffer except for the first 4 that are the - * system's time. - */ + /* Use weak random numbers for the most of the + * buffer except for the first 4 that are the + * system's time. + */ - tim = time(NULL); - /* generate server random value */ - _gnutls_write_uint32(tim, dst); + tim = time (NULL); + /* generate server random value */ + _gnutls_write_uint32 (tim, dst); - if (gc_nonce (&dst[4], TLS_RANDOM_SIZE - 4) != GC_OK) { - gnutls_assert(); + if (gc_nonce (&dst[4], TLS_RANDOM_SIZE - 4) != GC_OK) + { + gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; } - return 0; + return 0; } @@ -253,162 +264,176 @@ int _gnutls_tls_create_random(opaque * dst) * or version 2.0 client hello (only for compatibility * since SSL version 2.0 is not supported). */ -int _gnutls_read_client_hello(gnutls_session_t session, opaque * data, - int datalen) +int +_gnutls_read_client_hello (gnutls_session_t session, opaque * data, + int datalen) { - uint8 session_id_len, z; - int pos = 0, ret; - uint16 suite_size; - gnutls_protocol_t version; - int len = datalen; - opaque rnd[TLS_RANDOM_SIZE], *suite_ptr; - gnutls_protocol_t ver; - - if (session->internals.v2_hello != 0) { /* version 2.0 */ - return _gnutls_read_client_hello_v2(session, data, datalen); - } - DECR_LEN(len, 2); - - _gnutls_handshake_log("HSK[%x]: Client's version: %d.%d\n", session, - data[pos], data[pos + 1]); - - version = _gnutls_version_get(data[pos], data[pos + 1]); - set_adv_version(session, data[pos], data[pos + 1]); - pos += 2; - - /* if we do not support that version */ - if (_gnutls_version_is_supported(session, version) == 0) { - /* If he requested something we do not support - * then we send him the highest we support. - */ - ver = _gnutls_version_max(session); - if (ver == GNUTLS_VERSION_UNKNOWN) { - /* this check is not really needed. - */ - gnutls_assert(); - return GNUTLS_E_UNKNOWN_CIPHER_SUITE; + uint8 session_id_len, z; + int pos = 0, ret; + uint16 suite_size; + gnutls_protocol_t version; + int len = datalen; + opaque rnd[TLS_RANDOM_SIZE], *suite_ptr; + gnutls_protocol_t ver; + + if (session->internals.v2_hello != 0) + { /* version 2.0 */ + return _gnutls_read_client_hello_v2 (session, data, datalen); + } + DECR_LEN (len, 2); + + _gnutls_handshake_log ("HSK[%x]: Client's version: %d.%d\n", session, + data[pos], data[pos + 1]); + + version = _gnutls_version_get (data[pos], data[pos + 1]); + set_adv_version (session, data[pos], data[pos + 1]); + pos += 2; + + /* if we do not support that version */ + if (_gnutls_version_is_supported (session, version) == 0) + { + /* If he requested something we do not support + * then we send him the highest we support. + */ + ver = _gnutls_version_max (session); + if (ver == GNUTLS_VERSION_UNKNOWN) + { + /* this check is not really needed. + */ + gnutls_assert (); + return GNUTLS_E_UNKNOWN_CIPHER_SUITE; } - } else { - ver = version; + } + else + { + ver = version; } - _gnutls_set_current_version(session, ver); + _gnutls_set_current_version (session, ver); - /* Read client random value. - */ - DECR_LEN(len, TLS_RANDOM_SIZE); - _gnutls_set_client_random(session, &data[pos]); - pos += TLS_RANDOM_SIZE; + /* Read client random value. + */ + DECR_LEN (len, TLS_RANDOM_SIZE); + _gnutls_set_client_random (session, &data[pos]); + pos += TLS_RANDOM_SIZE; - _gnutls_tls_create_random(rnd); - _gnutls_set_server_random(session, rnd); + _gnutls_tls_create_random (rnd); + _gnutls_set_server_random (session, rnd); - session->security_parameters.timestamp = time(NULL); + session->security_parameters.timestamp = time (NULL); - DECR_LEN(len, 1); - session_id_len = data[pos++]; + DECR_LEN (len, 1); + session_id_len = data[pos++]; - /* RESUME SESSION - */ - if (session_id_len > TLS_MAX_SESSION_ID_SIZE) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + /* RESUME SESSION + */ + if (session_id_len > TLS_MAX_SESSION_ID_SIZE) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - DECR_LEN(len, session_id_len); - ret = - _gnutls_server_restore_session(session, &data[pos], - session_id_len); - pos += session_id_len; + DECR_LEN (len, session_id_len); + ret = _gnutls_server_restore_session (session, &data[pos], session_id_len); + pos += session_id_len; - if (ret == 0) { /* resumed! */ - resume_copy_required_values(session); - session->internals.resumed = RESUME_TRUE; - return 0; - } else { - _gnutls_generate_session_id(session->security_parameters. - session_id, - &session->security_parameters. - session_id_size); + if (ret == 0) + { /* resumed! */ + resume_copy_required_values (session); + session->internals.resumed = RESUME_TRUE; + return 0; + } + else + { + _gnutls_generate_session_id (session->security_parameters. + session_id, + &session->security_parameters. + session_id_size); - session->internals.resumed = RESUME_FALSE; + session->internals.resumed = RESUME_FALSE; } - /* Remember ciphersuites for later - */ - DECR_LEN(len, 2); - suite_size = _gnutls_read_uint16(&data[pos]); - pos += 2; + /* Remember ciphersuites for later + */ + DECR_LEN (len, 2); + suite_size = _gnutls_read_uint16 (&data[pos]); + pos += 2; - DECR_LEN(len, suite_size); - suite_ptr = &data[pos]; - pos += suite_size; + DECR_LEN (len, suite_size); + suite_ptr = &data[pos]; + pos += suite_size; - /* Select an appropriate compression method - */ - DECR_LEN(len, 1); - z = data[pos++]; /* z is the number of compression methods */ + /* Select an appropriate compression method + */ + DECR_LEN (len, 1); + z = data[pos++]; /* z is the number of compression methods */ - DECR_LEN(len, z); - ret = _gnutls_server_select_comp_method(session, &data[pos], z); - pos += z; + DECR_LEN (len, z); + ret = _gnutls_server_select_comp_method (session, &data[pos], z); + pos += z; - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* Parse the extensions (if any) - */ - if (ver >= GNUTLS_TLS1) { - ret = _gnutls_parse_extensions(session, &data[pos], len); /* len is the rest of the parsed length */ - if (ret < 0) { - gnutls_assert(); - return ret; + /* Parse the extensions (if any) + */ + if (ver >= GNUTLS_TLS1) + { + ret = _gnutls_parse_extensions (session, &data[pos], len); /* len is the rest of the parsed length */ + if (ret < 0) + { + gnutls_assert (); + return ret; } } - /* select an appropriate cipher suite - */ - ret = _gnutls_server_select_suite(session, suite_ptr, suite_size); - if (ret < 0) { - gnutls_assert(); - return ret; + /* select an appropriate cipher suite + */ + ret = _gnutls_server_select_suite (session, suite_ptr, suite_size); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } /* here we hash all pending data. */ -inline static int _gnutls_handshake_hash_pending(gnutls_session_t session) +inline static int +_gnutls_handshake_hash_pending (gnutls_session_t session) { - size_t siz; - int ret; - opaque *data; + size_t siz; + int ret; + opaque *data; - if (session->internals.handshake_mac_handle_sha == NULL || - session->internals.handshake_mac_handle_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (session->internals.handshake_mac_handle_sha == NULL || + session->internals.handshake_mac_handle_md5 == NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* We check if there are pending data to hash. - */ - if ((ret = _gnutls_handshake_buffer_get_ptr(session, &data, &siz)) < 0) { - gnutls_assert(); - return ret; + /* We check if there are pending data to hash. + */ + if ((ret = _gnutls_handshake_buffer_get_ptr (session, &data, &siz)) < 0) + { + gnutls_assert (); + return ret; } - if (siz > 0) { - _gnutls_hash(session->internals.handshake_mac_handle_sha, data, - siz); - _gnutls_hash(session->internals.handshake_mac_handle_md5, data, - siz); + if (siz > 0) + { + _gnutls_hash (session->internals.handshake_mac_handle_sha, data, siz); + _gnutls_hash (session->internals.handshake_mac_handle_md5, data, siz); } - _gnutls_handshake_buffer_empty(session); + _gnutls_handshake_buffer_empty (session); - return 0; + return 0; } @@ -416,305 +441,339 @@ inline static int _gnutls_handshake_hash_pending(gnutls_session_t session) * and initializing encryption. This is the first encrypted message * we send. */ -int _gnutls_send_finished(gnutls_session_t session, int again) +int +_gnutls_send_finished (gnutls_session_t session, int again) { - uint8 data[36]; - int ret; - int data_size = 0; + uint8 data[36]; + int ret; + int data_size = 0; - if (again == 0) { + if (again == 0) + { - /* This is needed in order to hash all the required - * messages. - */ - if ((ret = _gnutls_handshake_hash_pending(session)) < 0) { - gnutls_assert(); - return ret; + /* This is needed in order to hash all the required + * messages. + */ + if ((ret = _gnutls_handshake_hash_pending (session)) < 0) + { + gnutls_assert (); + return ret; } - if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { - ret = - _gnutls_ssl3_finished(session, - session-> - security_parameters.entity, data); - data_size = 36; - } else { /* TLS 1.0 */ - ret = - _gnutls_finished(session, - session->security_parameters. - entity, data); - data_size = 12; + if (gnutls_protocol_get_version (session) == GNUTLS_SSL3) + { + ret = + _gnutls_ssl3_finished (session, + session->security_parameters.entity, data); + data_size = 36; + } + else + { /* TLS 1.0 */ + ret = + _gnutls_finished (session, + session->security_parameters.entity, data); + data_size = 12; } - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } } - ret = - _gnutls_send_handshake(session, data, data_size, GNUTLS_HANDSHAKE_FINISHED); + ret = + _gnutls_send_handshake (session, data, data_size, + GNUTLS_HANDSHAKE_FINISHED); - return ret; + return ret; } /* This is to be called after sending our finished message. If everything * went fine we have negotiated a secure connection */ -int _gnutls_recv_finished(gnutls_session_t session) +int +_gnutls_recv_finished (gnutls_session_t session) { - uint8 data[36], *vrfy; - int data_size; - int ret; - int vrfysize; - - ret = - _gnutls_recv_handshake(session, &vrfy, &vrfysize, - GNUTLS_HANDSHAKE_FINISHED, MANDATORY_PACKET); - if (ret < 0) { - ERR("recv finished int", ret); - gnutls_assert(); - return ret; + uint8 data[36], *vrfy; + int data_size; + int ret; + int vrfysize; + + ret = + _gnutls_recv_handshake (session, &vrfy, &vrfysize, + GNUTLS_HANDSHAKE_FINISHED, MANDATORY_PACKET); + if (ret < 0) + { + ERR ("recv finished int", ret); + gnutls_assert (); + return ret; } - if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { - data_size = 36; - } else { - data_size = 12; + if (gnutls_protocol_get_version (session) == GNUTLS_SSL3) + { + data_size = 36; + } + else + { + data_size = 12; } - if (vrfysize != data_size) { - gnutls_assert(); - gnutls_free(vrfy); - return GNUTLS_E_ERROR_IN_FINISHED_PACKET; + if (vrfysize != data_size) + { + gnutls_assert (); + gnutls_free (vrfy); + return GNUTLS_E_ERROR_IN_FINISHED_PACKET; } - if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { - ret = - _gnutls_ssl3_finished(session, - (session->security_parameters. - entity + 1) % 2, data); - } else { /* TLS 1.0 */ - ret = - _gnutls_finished(session, - (session->security_parameters.entity + - 1) % 2, data); + if (gnutls_protocol_get_version (session) == GNUTLS_SSL3) + { + ret = + _gnutls_ssl3_finished (session, + (session->security_parameters. + entity + 1) % 2, data); + } + else + { /* TLS 1.0 */ + ret = + _gnutls_finished (session, + (session->security_parameters.entity + + 1) % 2, data); } - if (ret < 0) { - gnutls_assert(); - gnutls_free(vrfy); - return ret; + if (ret < 0) + { + gnutls_assert (); + gnutls_free (vrfy); + return ret; } - if (memcmp(vrfy, data, data_size) != 0) { - gnutls_assert(); - ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET; + if (memcmp (vrfy, data, data_size) != 0) + { + gnutls_assert (); + ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET; } - gnutls_free(vrfy); + gnutls_free (vrfy); - return ret; + return ret; } /* returns PK_RSA if the given cipher suite list only supports, * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none. */ -static int _gnutls_server_find_pk_algos_in_ciphersuites(const opaque * - data, int datalen) +static int +_gnutls_server_find_pk_algos_in_ciphersuites (const opaque * + data, int datalen) { - int j; - gnutls_pk_algorithm_t algo = GNUTLS_PK_NONE, prev_algo = 0; - gnutls_kx_algorithm_t kx; - cipher_suite_st cs; + int j; + gnutls_pk_algorithm_t algo = GNUTLS_PK_NONE, prev_algo = 0; + gnutls_kx_algorithm_t kx; + cipher_suite_st cs; - if (datalen % 2 != 0) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + if (datalen % 2 != 0) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - for (j = 0; j < datalen; j += 2) { - memcpy(&cs.suite, &data[j], 2); - kx = _gnutls_cipher_suite_get_kx_algo(&cs); + for (j = 0; j < datalen; j += 2) + { + memcpy (&cs.suite, &data[j], 2); + kx = _gnutls_cipher_suite_get_kx_algo (&cs); - if (_gnutls_map_kx_get_cred(kx, 1) == GNUTLS_CRD_CERTIFICATE) { - algo = _gnutls_map_pk_get_pk(kx); + if (_gnutls_map_kx_get_cred (kx, 1) == GNUTLS_CRD_CERTIFICATE) + { + algo = _gnutls_map_pk_get_pk (kx); - if (algo != prev_algo && prev_algo != 0) - return GNUTLS_PK_ANY; - prev_algo = algo; + if (algo != prev_algo && prev_algo != 0) + return GNUTLS_PK_ANY; + prev_algo = algo; } } - return algo; + return algo; } /* This selects the best supported ciphersuite from the given ones. Then * it adds the suite to the session and performs some checks. */ -int _gnutls_server_select_suite(gnutls_session_t session, opaque * data, - int datalen) +int +_gnutls_server_select_suite (gnutls_session_t session, opaque * data, + int datalen) { - int x, i, j; - cipher_suite_st *ciphers, cs; - int retval, err; - gnutls_pk_algorithm_t pk_algo; /* will hold the pk algorithms + int x, i, j; + cipher_suite_st *ciphers, cs; + int retval, err; + gnutls_pk_algorithm_t pk_algo; /* will hold the pk algorithms * supported by the peer. */ - pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites(data, datalen); - - x = _gnutls_supported_ciphersuites(session, &ciphers); - if (x < 0) { /* the case x==0 is handled within the function. */ - gnutls_assert(); + pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites (data, datalen); + + x = _gnutls_supported_ciphersuites (session, &ciphers); + if (x < 0) + { /* the case x==0 is handled within the function. */ + gnutls_assert (); + return x; + } + + /* Here we remove any ciphersuite that does not conform + * the certificate requested, or to the + * authentication requested (e.g. SRP). + */ + x = _gnutls_remove_unwanted_ciphersuites (session, &ciphers, x, pk_algo); + if (x <= 0) + { + gnutls_assert (); + gnutls_free (ciphers); + if (x < 0) return x; + else + return GNUTLS_E_UNKNOWN_CIPHER_SUITE; } - /* Here we remove any ciphersuite that does not conform - * the certificate requested, or to the - * authentication requested (e.g. SRP). - */ - x = _gnutls_remove_unwanted_ciphersuites(session, &ciphers, x, - pk_algo); - if (x <= 0) { - gnutls_assert(); - gnutls_free(ciphers); - if (x < 0) - return x; - else - return GNUTLS_E_UNKNOWN_CIPHER_SUITE; - } - - /* Data length should be zero mod 2 since - * every ciphersuite is 2 bytes. (this check is needed - * see below). - */ - if (datalen % 2 != 0) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + /* Data length should be zero mod 2 since + * every ciphersuite is 2 bytes. (this check is needed + * see below). + */ + if (datalen % 2 != 0) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } #ifdef HANDSHAKE_DEBUG - _gnutls_handshake_log("HSK[%x]: Requested cipher suites: \n", session); - for (j = 0; j < datalen; j += 2) { - memcpy(&cs.suite, &data[j], 2); - _gnutls_handshake_log("\t%s\n", - _gnutls_cipher_suite_get_name(&cs)); + _gnutls_handshake_log ("HSK[%x]: Requested cipher suites: \n", session); + for (j = 0; j < datalen; j += 2) + { + memcpy (&cs.suite, &data[j], 2); + _gnutls_handshake_log ("\t%s\n", _gnutls_cipher_suite_get_name (&cs)); } - _gnutls_handshake_log("HSK[%x]: Supported cipher suites: \n", session); - for (j = 0; j < x; j++) - _gnutls_handshake_log("\t%s\n", - _gnutls_cipher_suite_get_name(&ciphers[j])); + _gnutls_handshake_log ("HSK[%x]: Supported cipher suites: \n", session); + for (j = 0; j < x; j++) + _gnutls_handshake_log ("\t%s\n", + _gnutls_cipher_suite_get_name (&ciphers[j])); #endif - memset(session->security_parameters.current_cipher_suite.suite, '\0', - 2); - - retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE; - - for (j = 0; j < datalen; j += 2) { - for (i = 0; i < x; i++) { - if (memcmp(ciphers[i].suite, &data[j], 2) == 0) { - memcpy(&cs.suite, &data[j], 2); - - _gnutls_handshake_log - ("HSK[%x]: Selected cipher suite: %s\n", session, - _gnutls_cipher_suite_get_name(&cs)); - memcpy(session->security_parameters.current_cipher_suite. - suite, ciphers[i].suite, 2); - retval = 0; - goto finish; + memset (session->security_parameters.current_cipher_suite.suite, '\0', 2); + + retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE; + + for (j = 0; j < datalen; j += 2) + { + for (i = 0; i < x; i++) + { + if (memcmp (ciphers[i].suite, &data[j], 2) == 0) + { + memcpy (&cs.suite, &data[j], 2); + + _gnutls_handshake_log + ("HSK[%x]: Selected cipher suite: %s\n", session, + _gnutls_cipher_suite_get_name (&cs)); + memcpy (session->security_parameters.current_cipher_suite. + suite, ciphers[i].suite, 2); + retval = 0; + goto finish; } } } - finish: - gnutls_free(ciphers); +finish: + gnutls_free (ciphers); - if (retval != 0) { - gnutls_assert(); - return retval; + if (retval != 0) + { + gnutls_assert (); + return retval; } - /* check if the credentials (username, public key etc.) are ok - */ - if (_gnutls_get_kx_cred - (session, - _gnutls_cipher_suite_get_kx_algo(&session->security_parameters. - current_cipher_suite), - &err) == NULL && err != 0) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + /* check if the credentials (username, public key etc.) are ok + */ + if (_gnutls_get_kx_cred + (session, + _gnutls_cipher_suite_get_kx_algo (&session->security_parameters. + current_cipher_suite), + &err) == NULL && err != 0) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - /* set the mod_auth_st to the appropriate struct - * according to the KX algorithm. This is needed since all the - * handshake functions are read from there; - */ - session->internals.auth_struct = - _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); - if (session->internals.auth_struct == NULL) { + /* set the mod_auth_st to the appropriate struct + * according to the KX algorithm. This is needed since all the + * handshake functions are read from there; + */ + session->internals.auth_struct = + _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); + if (session->internals.auth_struct == NULL) + { - _gnutls_handshake_log - ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n", - session); - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + _gnutls_handshake_log + ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n", + session); + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - return 0; + return 0; } /* This selects the best supported compression method from the ones provided */ -int _gnutls_server_select_comp_method(gnutls_session_t session, - opaque * data, int datalen) +int +_gnutls_server_select_comp_method (gnutls_session_t session, + opaque * data, int datalen) { - int x, i, j; - uint8 *comps; + int x, i, j; + uint8 *comps; - x = _gnutls_supported_compression_methods(session, &comps); - if (x < 0) { - gnutls_assert(); - return x; + x = _gnutls_supported_compression_methods (session, &comps); + if (x < 0) + { + gnutls_assert (); + return x; } - memset(&session->internals.compression_method, 0, - sizeof(gnutls_compression_method_t)); + memset (&session->internals.compression_method, 0, + sizeof (gnutls_compression_method_t)); - for (j = 0; j < datalen; j++) { - for (i = 0; i < x; i++) { - if (comps[i] == data[j]) { - gnutls_compression_method_t method = - _gnutls_compression_get_id(comps[i]); + for (j = 0; j < datalen; j++) + { + for (i = 0; i < x; i++) + { + if (comps[i] == data[j]) + { + gnutls_compression_method_t method = + _gnutls_compression_get_id (comps[i]); - session->internals.compression_method = method; - gnutls_free(comps); + session->internals.compression_method = method; + gnutls_free (comps); - _gnutls_handshake_log - ("HSK[%x]: Selected Compression Method: %s\n", session, - gnutls_compression_get_name(session->internals. - compression_method)); + _gnutls_handshake_log + ("HSK[%x]: Selected Compression Method: %s\n", session, + gnutls_compression_get_name (session->internals. + compression_method)); - return 0; + return 0; } } } - /* we were not able to find a compatible compression - * algorithm - */ - gnutls_free(comps); - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + /* we were not able to find a compatible compression + * algorithm + */ + gnutls_free (comps); + gnutls_assert (); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; } @@ -723,43 +782,46 @@ int _gnutls_server_select_comp_method(gnutls_session_t session, * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again * (until it returns ok), with NULL parameters. */ -int _gnutls_send_empty_handshake(gnutls_session_t session, - gnutls_handshake_description_t type, int again) +int +_gnutls_send_empty_handshake (gnutls_session_t session, + gnutls_handshake_description_t type, int again) { - opaque data = 0; - opaque *ptr; + opaque data = 0; + opaque *ptr; - if (again == 0) - ptr = &data; - else - ptr = NULL; + if (again == 0) + ptr = &data; + else + ptr = NULL; - return _gnutls_send_handshake(session, ptr, 0, type); + return _gnutls_send_handshake (session, ptr, 0, type); } /* This function will hash the handshake message we sent. */ -static -int _gnutls_handshake_hash_add_sent(gnutls_session_t session, - gnutls_handshake_description_t type, opaque * dataptr, - uint32 datalen) +static int +_gnutls_handshake_hash_add_sent (gnutls_session_t session, + gnutls_handshake_description_t type, + opaque * dataptr, uint32 datalen) { - int ret; + int ret; - if ((ret = _gnutls_handshake_hash_pending(session)) < 0) { - gnutls_assert(); - return ret; + if ((ret = _gnutls_handshake_hash_pending (session)) < 0) + { + gnutls_assert (); + return ret; } - if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST) { - _gnutls_hash(session->internals.handshake_mac_handle_sha, dataptr, - datalen); - _gnutls_hash(session->internals.handshake_mac_handle_md5, dataptr, - datalen); + if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST) + { + _gnutls_hash (session->internals.handshake_mac_handle_sha, dataptr, + datalen); + _gnutls_hash (session->internals.handshake_mac_handle_md5, dataptr, + datalen); } - return 0; + return 0; } @@ -768,67 +830,72 @@ int _gnutls_handshake_hash_add_sent(gnutls_session_t session, * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again * (until it returns ok), with NULL parameters. */ -int _gnutls_send_handshake(gnutls_session_t session, void *i_data, - uint32 i_datasize, gnutls_handshake_description_t type) +int +_gnutls_send_handshake (gnutls_session_t session, void *i_data, + uint32 i_datasize, + gnutls_handshake_description_t type) { - int ret; - uint8 *data; - uint32 datasize; - int pos = 0; - - if (i_data == NULL && i_datasize == 0) { - /* we are resuming a previously interrupted - * send. - */ - ret = _gnutls_handshake_io_write_flush(session); - return ret; + int ret; + uint8 *data; + uint32 datasize; + int pos = 0; + + if (i_data == NULL && i_datasize == 0) + { + /* we are resuming a previously interrupted + * send. + */ + ret = _gnutls_handshake_io_write_flush (session); + return ret; } - if (i_data == NULL && i_datasize > 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (i_data == NULL && i_datasize > 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* first run */ - datasize = i_datasize + HANDSHAKE_HEADER_SIZE; - data = gnutls_alloca(datasize); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* first run */ + datasize = i_datasize + HANDSHAKE_HEADER_SIZE; + data = gnutls_alloca (datasize); + if (data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - data[pos++] = (uint8) type; - _gnutls_write_uint24(i_datasize, &data[pos]); - pos += 3; + data[pos++] = (uint8) type; + _gnutls_write_uint24 (i_datasize, &data[pos]); + pos += 3; - if (i_datasize > 0) - memcpy(&data[pos], i_data, i_datasize); + if (i_datasize > 0) + memcpy (&data[pos], i_data, i_datasize); - _gnutls_handshake_log("HSK[%x]: %s was send [%ld bytes]\n", - session, _gnutls_handshake2str(type), datasize); + _gnutls_handshake_log ("HSK[%x]: %s was send [%ld bytes]\n", + session, _gnutls_handshake2str (type), datasize); - /* Here we keep the handshake messages in order to hash them... - */ - if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST) - if ((ret = - _gnutls_handshake_hash_add_sent(session, type, data, - datasize)) < 0) { - gnutls_assert(); - gnutls_afree(data); - return ret; - } + /* Here we keep the handshake messages in order to hash them... + */ + if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST) + if ((ret = + _gnutls_handshake_hash_add_sent (session, type, data, datasize)) < 0) + { + gnutls_assert (); + gnutls_afree (data); + return ret; + } - session->internals.last_handshake_out = type; + session->internals.last_handshake_out = type; - ret = - _gnutls_handshake_io_send_int(session, GNUTLS_HANDSHAKE, type, - data, datasize); + ret = + _gnutls_handshake_io_send_int (session, GNUTLS_HANDSHAKE, type, + data, datasize); - gnutls_afree(data); + gnutls_afree (data); - return ret; + return ret; } /* This function will read the handshake header and return it to the caller. If the @@ -838,121 +905,130 @@ int _gnutls_send_handshake(gnutls_session_t session, void *i_data, * FIXME: This function is complex. */ #define SSL2_HEADERS 1 -static int _gnutls_recv_handshake_header(gnutls_session_t session, - gnutls_handshake_description_t type, - gnutls_handshake_description_t * recv_type) +static int +_gnutls_recv_handshake_header (gnutls_session_t session, + gnutls_handshake_description_t type, + gnutls_handshake_description_t * recv_type) { - int ret; - uint32 length32 = 0; - uint8 *dataptr = NULL; /* for realloc */ - size_t handshake_header_size = HANDSHAKE_HEADER_SIZE; - - /* if we have data into the buffer then return them, do not read the next packet. - * In order to return we need a full TLS handshake header, or in case of a version 2 - * packet, then we return the first byte. - */ - if (session->internals.handshake_header_buffer.header_size == - handshake_header_size || (session->internals.v2_hello != 0 - && type == GNUTLS_HANDSHAKE_CLIENT_HELLO - && session->internals. - handshake_header_buffer. - packet_length > 0)) { - - *recv_type = session->internals.handshake_header_buffer.recv_type; - - return session->internals.handshake_header_buffer.packet_length; - } - - /* Note: SSL2_HEADERS == 1 */ - - dataptr = session->internals.handshake_header_buffer.header; - - /* If we haven't already read the handshake headers. - */ - if (session->internals.handshake_header_buffer.header_size < - SSL2_HEADERS) { - ret = - _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, - type, dataptr, SSL2_HEADERS); - - if (ret < 0) { - gnutls_assert(); - return ret; + int ret; + uint32 length32 = 0; + uint8 *dataptr = NULL; /* for realloc */ + size_t handshake_header_size = HANDSHAKE_HEADER_SIZE; + + /* if we have data into the buffer then return them, do not read the next packet. + * In order to return we need a full TLS handshake header, or in case of a version 2 + * packet, then we return the first byte. + */ + if (session->internals.handshake_header_buffer.header_size == + handshake_header_size || (session->internals.v2_hello != 0 + && type == GNUTLS_HANDSHAKE_CLIENT_HELLO + && session->internals. + handshake_header_buffer.packet_length > 0)) + { + + *recv_type = session->internals.handshake_header_buffer.recv_type; + + return session->internals.handshake_header_buffer.packet_length; + } + + /* Note: SSL2_HEADERS == 1 */ + + dataptr = session->internals.handshake_header_buffer.header; + + /* If we haven't already read the handshake headers. + */ + if (session->internals.handshake_header_buffer.header_size < SSL2_HEADERS) + { + ret = + _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE, + type, dataptr, SSL2_HEADERS); + + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* The case ret==0 is caught here. - */ - if (ret != SSL2_HEADERS) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + /* The case ret==0 is caught here. + */ + if (ret != SSL2_HEADERS) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - session->internals.handshake_header_buffer. - header_size = SSL2_HEADERS; + session->internals.handshake_header_buffer.header_size = SSL2_HEADERS; } - if (session->internals.v2_hello == 0 || type != GNUTLS_HANDSHAKE_CLIENT_HELLO) { - ret = - _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, - type, - &dataptr[session-> - internals. - handshake_header_buffer. - header_size], - HANDSHAKE_HEADER_SIZE - - session->internals. - handshake_header_buffer. - header_size); - if (ret <= 0) { - gnutls_assert(); - return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + if (session->internals.v2_hello == 0 + || type != GNUTLS_HANDSHAKE_CLIENT_HELLO) + { + ret = + _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE, + type, + &dataptr[session-> + internals. + handshake_header_buffer. + header_size], + HANDSHAKE_HEADER_SIZE - + session->internals. + handshake_header_buffer.header_size); + if (ret <= 0) + { + gnutls_assert (); + return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - if ((size_t) ret != - HANDSHAKE_HEADER_SIZE - - session->internals.handshake_header_buffer.header_size) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + if ((size_t) ret != + HANDSHAKE_HEADER_SIZE - + session->internals.handshake_header_buffer.header_size) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - *recv_type = dataptr[0]; + *recv_type = dataptr[0]; - /* we do not use DECR_LEN because we know - * that the packet has enough data. - */ - length32 = _gnutls_read_uint24(&dataptr[1]); - handshake_header_size = HANDSHAKE_HEADER_SIZE; + /* we do not use DECR_LEN because we know + * that the packet has enough data. + */ + length32 = _gnutls_read_uint24 (&dataptr[1]); + handshake_header_size = HANDSHAKE_HEADER_SIZE; - _gnutls_handshake_log("HSK[%x]: %s was received [%ld bytes]\n", - session, _gnutls_handshake2str(dataptr[0]), - length32 + HANDSHAKE_HEADER_SIZE); + _gnutls_handshake_log ("HSK[%x]: %s was received [%ld bytes]\n", + session, _gnutls_handshake2str (dataptr[0]), + length32 + HANDSHAKE_HEADER_SIZE); - } else { /* v2 hello */ - length32 = session->internals.v2_hello - SSL2_HEADERS; /* we've read the first byte */ + } + else + { /* v2 hello */ + length32 = session->internals.v2_hello - SSL2_HEADERS; /* we've read the first byte */ - handshake_header_size = SSL2_HEADERS; /* we've already read one byte */ + handshake_header_size = SSL2_HEADERS; /* we've already read one byte */ - *recv_type = dataptr[0]; + *recv_type = dataptr[0]; - _gnutls_handshake_log("HSK[%x]: %s(v2) was received [%ld bytes]\n", - session, _gnutls_handshake2str(*recv_type), - length32 + handshake_header_size); + _gnutls_handshake_log ("HSK[%x]: %s(v2) was received [%ld bytes]\n", + session, _gnutls_handshake2str (*recv_type), + length32 + handshake_header_size); - if (*recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO) { /* it should be one or nothing */ - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; + if (*recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO) + { /* it should be one or nothing */ + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; } } - /* put the packet into the buffer */ - session->internals.handshake_header_buffer.header_size = - handshake_header_size; - session->internals.handshake_header_buffer.packet_length = length32; - session->internals.handshake_header_buffer.recv_type = *recv_type; + /* put the packet into the buffer */ + session->internals.handshake_header_buffer.header_size = + handshake_header_size; + session->internals.handshake_header_buffer.packet_length = length32; + session->internals.handshake_header_buffer.recv_type = *recv_type; - if (*recv_type != type) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; + if (*recv_type != type) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; } - return length32; + return length32; } #define _gnutls_handshake_header_buffer_clear( session) session->internals.handshake_header_buffer.header_size = 0 @@ -962,44 +1038,47 @@ static int _gnutls_recv_handshake_header(gnutls_session_t session, /* This function will hash the handshake headers and the * handshake data. */ -static -int _gnutls_handshake_hash_add_recvd(gnutls_session_t session, - gnutls_handshake_description_t recv_type, - opaque * header, uint16 header_size, - opaque * dataptr, uint32 datalen) +static int +_gnutls_handshake_hash_add_recvd (gnutls_session_t session, + gnutls_handshake_description_t recv_type, + opaque * header, uint16 header_size, + opaque * dataptr, uint32 datalen) { - int ret; + int ret; - /* The idea here is to hash the previous message we received, - * and add the one we just received into the handshake_hash_buffer. - */ + /* The idea here is to hash the previous message we received, + * and add the one we just received into the handshake_hash_buffer. + */ - if ((ret = _gnutls_handshake_hash_pending(session)) < 0) { - gnutls_assert(); - return ret; + if ((ret = _gnutls_handshake_hash_pending (session)) < 0) + { + gnutls_assert (); + return ret; } - /* here we buffer the handshake messages - needed at Finished message */ - if (recv_type != GNUTLS_HANDSHAKE_HELLO_REQUEST) { + /* here we buffer the handshake messages - needed at Finished message */ + if (recv_type != GNUTLS_HANDSHAKE_HELLO_REQUEST) + { - if ((ret = - _gnutls_handshake_buffer_put(session, - header, header_size)) < 0) { - gnutls_assert(); - return ret; + if ((ret = + _gnutls_handshake_buffer_put (session, header, header_size)) < 0) + { + gnutls_assert (); + return ret; } - if (datalen > 0) { - if ((ret = - _gnutls_handshake_buffer_put(session, dataptr, - datalen)) < 0) { - gnutls_assert(); - return ret; + if (datalen > 0) + { + if ((ret = + _gnutls_handshake_buffer_put (session, dataptr, datalen)) < 0) + { + gnutls_assert (); + return ret; } } } - return 0; + return 0; } @@ -1008,283 +1087,302 @@ int _gnutls_handshake_hash_add_recvd(gnutls_session_t session, * E.g. for the SERVER_HELLO message (if it is expected), it will be * passed to _gnutls_recv_hello(). */ -int _gnutls_recv_handshake(gnutls_session_t session, uint8 ** data, - int *datalen, gnutls_handshake_description_t type, - Optional optional) +int +_gnutls_recv_handshake (gnutls_session_t session, uint8 ** data, + int *datalen, gnutls_handshake_description_t type, + Optional optional) { - int ret; - uint32 length32 = 0; - opaque *dataptr = NULL; - gnutls_handshake_description_t recv_type; - - ret = _gnutls_recv_handshake_header(session, type, &recv_type); - if (ret < 0) { - - /* In SRP when expecting the server hello we may receive - * an alert instead. Do as the draft demands. - */ - if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED && - gnutls_alert_get(session) == GNUTLS_A_MISSING_SRP_USERNAME && - type == GNUTLS_HANDSHAKE_SERVER_HELLO) { - gnutls_assert(); - return GNUTLS_E_INT_HANDSHAKE_AGAIN; + int ret; + uint32 length32 = 0; + opaque *dataptr = NULL; + gnutls_handshake_description_t recv_type; + + ret = _gnutls_recv_handshake_header (session, type, &recv_type); + if (ret < 0) + { + + /* In SRP when expecting the server hello we may receive + * an alert instead. Do as the draft demands. + */ + if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED && + gnutls_alert_get (session) == GNUTLS_A_MISSING_SRP_USERNAME && + type == GNUTLS_HANDSHAKE_SERVER_HELLO) + { + gnutls_assert (); + return GNUTLS_E_INT_HANDSHAKE_AGAIN; } - if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET - && optional == OPTIONAL_PACKET) { - if (datalen != NULL) - *datalen = 0; - if (data != NULL) - *data = NULL; - return 0; /* ok just ignore the packet */ + if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET + && optional == OPTIONAL_PACKET) + { + if (datalen != NULL) + *datalen = 0; + if (data != NULL) + *data = NULL; + return 0; /* ok just ignore the packet */ } - return ret; + return ret; } - session->internals.last_handshake_in = recv_type; + session->internals.last_handshake_in = recv_type; - length32 = ret; + length32 = ret; - if (length32 > 0) - dataptr = gnutls_malloc(length32); - else if (recv_type != GNUTLS_HANDSHAKE_SERVER_HELLO_DONE) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + if (length32 > 0) + dataptr = gnutls_malloc (length32); + else if (recv_type != GNUTLS_HANDSHAKE_SERVER_HELLO_DONE) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - if (dataptr == NULL && length32 > 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (dataptr == NULL && length32 > 0) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - if (datalen != NULL) - *datalen = length32; + if (datalen != NULL) + *datalen = length32; - if (length32 > 0) { - ret = - _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, - type, dataptr, length32); - if (ret <= 0) { - gnutls_assert(); - gnutls_free(dataptr); - return (ret == 0) ? GNUTLS_E_UNEXPECTED_PACKET_LENGTH : ret; + if (length32 > 0) + { + ret = + _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE, + type, dataptr, length32); + if (ret <= 0) + { + gnutls_assert (); + gnutls_free (dataptr); + return (ret == 0) ? GNUTLS_E_UNEXPECTED_PACKET_LENGTH : ret; } } - if (data != NULL && length32 > 0) - *data = dataptr; - - - ret = _gnutls_handshake_hash_add_recvd(session, recv_type, - session->internals. - handshake_header_buffer.header, - session->internals. - handshake_header_buffer. - header_size, dataptr, length32); - if (ret < 0) { - gnutls_assert(); - _gnutls_handshake_header_buffer_clear(session); - return ret; - } + if (data != NULL && length32 > 0) + *data = dataptr; - /* If we fail before this then we will reuse the handshake header - * have have received above. if we get here the we clear the handshake - * header we received. - */ - _gnutls_handshake_header_buffer_clear(session); - switch (recv_type) { + ret = _gnutls_handshake_hash_add_recvd (session, recv_type, + session->internals. + handshake_header_buffer.header, + session->internals. + handshake_header_buffer. + header_size, dataptr, length32); + if (ret < 0) + { + gnutls_assert (); + _gnutls_handshake_header_buffer_clear (session); + return ret; + } + + /* If we fail before this then we will reuse the handshake header + * have have received above. if we get here the we clear the handshake + * header we received. + */ + _gnutls_handshake_header_buffer_clear (session); + + switch (recv_type) + { case GNUTLS_HANDSHAKE_CLIENT_HELLO: case GNUTLS_HANDSHAKE_SERVER_HELLO: - ret = _gnutls_recv_hello(session, dataptr, length32); - /* dataptr is freed because the caller does not - * need it */ - gnutls_free(dataptr); - if (data != NULL) - *data = NULL; - break; + ret = _gnutls_recv_hello (session, dataptr, length32); + /* dataptr is freed because the caller does not + * need it */ + gnutls_free (dataptr); + if (data != NULL) + *data = NULL; + break; case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE: - if (length32 == 0) - ret = 0; - else - ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - break; + if (length32 == 0) + ret = 0; + else + ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + break; case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: case GNUTLS_HANDSHAKE_FINISHED: case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE: case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY: - ret = length32; - break; + ret = length32; + break; default: - gnutls_assert(); - gnutls_free(dataptr); - if (data != NULL) - *data = NULL; - ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; + gnutls_assert (); + gnutls_free (dataptr); + if (data != NULL) + *data = NULL; + ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; } - return ret; + return ret; } /* This function checks if the given cipher suite is supported, and sets it * to the session; */ -static int _gnutls_client_set_ciphersuite(gnutls_session_t session, - opaque suite[2]) +static int +_gnutls_client_set_ciphersuite (gnutls_session_t session, opaque suite[2]) { - uint8 z; - cipher_suite_st *cipher_suites; - int cipher_suite_num; - int i, err; - - z = 1; - cipher_suite_num = - _gnutls_supported_ciphersuites(session, &cipher_suites); - if (cipher_suite_num < 0) { - gnutls_assert(); - return cipher_suite_num; - } - - for (i = 0; i < cipher_suite_num; i++) { - if (memcmp(&cipher_suites[i], suite, 2) == 0) { - z = 0; - break; + uint8 z; + cipher_suite_st *cipher_suites; + int cipher_suite_num; + int i, err; + + z = 1; + cipher_suite_num = _gnutls_supported_ciphersuites (session, &cipher_suites); + if (cipher_suite_num < 0) + { + gnutls_assert (); + return cipher_suite_num; + } + + for (i = 0; i < cipher_suite_num; i++) + { + if (memcmp (&cipher_suites[i], suite, 2) == 0) + { + z = 0; + break; } } - gnutls_free(cipher_suites); + gnutls_free (cipher_suites); - if (z != 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_CIPHER_SUITE; + if (z != 0) + { + gnutls_assert (); + return GNUTLS_E_UNKNOWN_CIPHER_SUITE; } - memcpy(session->security_parameters. - current_cipher_suite.suite, suite, 2); + memcpy (session->security_parameters.current_cipher_suite.suite, suite, 2); - _gnutls_handshake_log("HSK[%x]: Selected cipher suite: %s\n", session, - _gnutls_cipher_suite_get_name(&session-> + _gnutls_handshake_log ("HSK[%x]: Selected cipher suite: %s\n", session, + _gnutls_cipher_suite_get_name (&session-> security_parameters. current_cipher_suite)); - /* check if the credentials (username, public key etc.) are ok. - * Actually checks if they exist. - */ - if (_gnutls_get_kx_cred - (session, _gnutls_cipher_suite_get_kx_algo(&session-> - security_parameters. - current_cipher_suite), - &err) == NULL && err != 0) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + /* check if the credentials (username, public key etc.) are ok. + * Actually checks if they exist. + */ + if (_gnutls_get_kx_cred + (session, _gnutls_cipher_suite_get_kx_algo (&session-> + security_parameters. + current_cipher_suite), + &err) == NULL && err != 0) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - /* set the mod_auth_st to the appropriate struct - * according to the KX algorithm. This is needed since all the - * handshake functions are read from there; - */ - session->internals.auth_struct = - _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); + /* set the mod_auth_st to the appropriate struct + * according to the KX algorithm. This is needed since all the + * handshake functions are read from there; + */ + session->internals.auth_struct = + _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); - if (session->internals.auth_struct == NULL) { + if (session->internals.auth_struct == NULL) + { - _gnutls_handshake_log - ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n", - session); - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + _gnutls_handshake_log + ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n", + session); + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - return 0; + return 0; } /* This function sets the given comp method to the session. */ -static int _gnutls_client_set_comp_method(gnutls_session_t session, - opaque comp_method) +static int +_gnutls_client_set_comp_method (gnutls_session_t session, opaque comp_method) { - int comp_methods_num; - uint8 *compression_methods; - int i; - - comp_methods_num = _gnutls_supported_compression_methods(session, - &compression_methods); - if (comp_methods_num < 0) { - gnutls_assert(); - return comp_methods_num; - } - - for (i = 0; i < comp_methods_num; i++) { - if (compression_methods[i] == comp_method) { - comp_methods_num = 0; - break; + int comp_methods_num; + uint8 *compression_methods; + int i; + + comp_methods_num = _gnutls_supported_compression_methods (session, + &compression_methods); + if (comp_methods_num < 0) + { + gnutls_assert (); + return comp_methods_num; + } + + for (i = 0; i < comp_methods_num; i++) + { + if (compression_methods[i] == comp_method) + { + comp_methods_num = 0; + break; } } - gnutls_free(compression_methods); + gnutls_free (compression_methods); - if (comp_methods_num != 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + if (comp_methods_num != 0) + { + gnutls_assert (); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; } - session->internals.compression_method = - _gnutls_compression_get_id(comp_method); + session->internals.compression_method = + _gnutls_compression_get_id (comp_method); - return 0; + return 0; } /* This function returns 0 if we are resuming a session or -1 otherwise. * This also sets the variables in the session. Used only while reading a server * hello. */ -static int _gnutls_client_check_if_resuming(gnutls_session_t session, - opaque * session_id, - int session_id_len) +static int +_gnutls_client_check_if_resuming (gnutls_session_t session, + opaque * session_id, int session_id_len) { - opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1]; - - _gnutls_handshake_log("HSK[%x]: SessionID length: %d\n", session, - session_id_len); - _gnutls_handshake_log("HSK[%x]: SessionID: %s\n", session, - _gnutls_bin2hex(session_id, session_id_len, buf, - sizeof(buf))); - - if (session_id_len > 0 && - session->internals.resumed_security_parameters.session_id_size == - session_id_len - && memcmp(session_id, - session->internals.resumed_security_parameters. - session_id, session_id_len) == 0) { - /* resume session */ - memcpy(session->internals. - resumed_security_parameters.server_random, - session->security_parameters.server_random, - TLS_RANDOM_SIZE); - memcpy(session->internals. - resumed_security_parameters.client_random, - session->security_parameters.client_random, - TLS_RANDOM_SIZE); - session->internals.resumed = RESUME_TRUE; /* we are resuming */ - - return 0; - } else { - /* keep the new session id */ - session->internals.resumed = RESUME_FALSE; /* we are not resuming */ - session->security_parameters.session_id_size = session_id_len; - memcpy(session->security_parameters.session_id, - session_id, session_id_len); - - return -1; + opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1]; + + _gnutls_handshake_log ("HSK[%x]: SessionID length: %d\n", session, + session_id_len); + _gnutls_handshake_log ("HSK[%x]: SessionID: %s\n", session, + _gnutls_bin2hex (session_id, session_id_len, buf, + sizeof (buf))); + + if (session_id_len > 0 && + session->internals.resumed_security_parameters.session_id_size == + session_id_len + && memcmp (session_id, + session->internals.resumed_security_parameters. + session_id, session_id_len) == 0) + { + /* resume session */ + memcpy (session->internals. + resumed_security_parameters.server_random, + session->security_parameters.server_random, TLS_RANDOM_SIZE); + memcpy (session->internals. + resumed_security_parameters.client_random, + session->security_parameters.client_random, TLS_RANDOM_SIZE); + session->internals.resumed = RESUME_TRUE; /* we are resuming */ + + return 0; + } + else + { + /* keep the new session id */ + session->internals.resumed = RESUME_FALSE; /* we are not resuming */ + session->security_parameters.session_id_size = session_id_len; + memcpy (session->security_parameters.session_id, + session_id, session_id_len); + + return -1; } } @@ -1293,200 +1391,215 @@ static int _gnutls_client_check_if_resuming(gnutls_session_t session, * This function also restores resumed parameters if we are resuming a * session. */ -static int _gnutls_read_server_hello(gnutls_session_t session, - opaque * data, int datalen) +static int +_gnutls_read_server_hello (gnutls_session_t session, + opaque * data, int datalen) { - uint8 session_id_len = 0; - int pos = 0; - int ret = 0; - gnutls_protocol_t version; - int len = datalen; + uint8 session_id_len = 0; + int pos = 0; + int ret = 0; + gnutls_protocol_t version; + int len = datalen; - if (datalen < 38) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + if (datalen < 38) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - _gnutls_handshake_log("HSK[%x]: Server's version: %d.%d\n", - session, data[pos], data[pos + 1]); + _gnutls_handshake_log ("HSK[%x]: Server's version: %d.%d\n", + session, data[pos], data[pos + 1]); - DECR_LEN(len, 2); - version = _gnutls_version_get(data[pos], data[pos + 1]); - if (_gnutls_version_is_supported(session, version) == 0) { - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; - } else { - _gnutls_set_current_version(session, version); + DECR_LEN (len, 2); + version = _gnutls_version_get (data[pos], data[pos + 1]); + if (_gnutls_version_is_supported (session, version) == 0) + { + gnutls_assert (); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + } + else + { + _gnutls_set_current_version (session, version); } - pos += 2; + pos += 2; - DECR_LEN(len, TLS_RANDOM_SIZE); - _gnutls_set_server_random(session, &data[pos]); - pos += TLS_RANDOM_SIZE; + DECR_LEN (len, TLS_RANDOM_SIZE); + _gnutls_set_server_random (session, &data[pos]); + pos += TLS_RANDOM_SIZE; - /* Read session ID - */ - DECR_LEN(len, 1); - session_id_len = data[pos++]; + /* Read session ID + */ + DECR_LEN (len, 1); + session_id_len = data[pos++]; - if (len < session_id_len) { - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + if (len < session_id_len) + { + gnutls_assert (); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; } - DECR_LEN(len, session_id_len); + DECR_LEN (len, session_id_len); - /* check if we are resuming and set the appropriate - * values; - */ - if (_gnutls_client_check_if_resuming - (session, &data[pos], session_id_len) == 0) - return 0; - pos += session_id_len; + /* check if we are resuming and set the appropriate + * values; + */ + if (_gnutls_client_check_if_resuming + (session, &data[pos], session_id_len) == 0) + return 0; + pos += session_id_len; - /* Check if the given cipher suite is supported and copy - * it to the session. - */ + /* Check if the given cipher suite is supported and copy + * it to the session. + */ - DECR_LEN(len, 2); - ret = _gnutls_client_set_ciphersuite(session, &data[pos]); - if (ret < 0) { - gnutls_assert(); - return ret; + DECR_LEN (len, 2); + ret = _gnutls_client_set_ciphersuite (session, &data[pos]); + if (ret < 0) + { + gnutls_assert (); + return ret; } - pos += 2; + pos += 2; - /* move to compression - */ - DECR_LEN(len, 1); + /* move to compression + */ + DECR_LEN (len, 1); - ret = _gnutls_client_set_comp_method(session, data[pos++]); - if (ret < 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + ret = _gnutls_client_set_comp_method (session, data[pos++]); + if (ret < 0) + { + gnutls_assert (); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; } - /* Parse extensions. - */ - if (version >= GNUTLS_TLS1) { - ret = _gnutls_parse_extensions(session, &data[pos], len); /* len is the rest of the parsed length */ - if (ret < 0) { - gnutls_assert(); - return ret; + /* Parse extensions. + */ + if (version >= GNUTLS_TLS1) + { + ret = _gnutls_parse_extensions (session, &data[pos], len); /* len is the rest of the parsed length */ + if (ret < 0) + { + gnutls_assert (); + return ret; } } - return ret; + return ret; } /* This function copies the appropriate ciphersuites to a locally allocated buffer * Needed in client hello messages. Returns the new data length. */ -static int _gnutls_copy_ciphersuites(gnutls_session_t session, - opaque * ret_data, - size_t ret_data_size) +static int +_gnutls_copy_ciphersuites (gnutls_session_t session, + opaque * ret_data, size_t ret_data_size) { - int ret, i; - cipher_suite_st *cipher_suites; - uint16 cipher_num; - int datalen, pos; - - ret = _gnutls_supported_ciphersuites_sorted(session, &cipher_suites); - if (ret < 0) { - gnutls_assert(); - return ret; + int ret, i; + cipher_suite_st *cipher_suites; + uint16 cipher_num; + int datalen, pos; + + ret = _gnutls_supported_ciphersuites_sorted (session, &cipher_suites); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* Here we remove any ciphersuite that does not conform - * the certificate requested, or to the - * authentication requested (eg SRP). - */ - ret = - _gnutls_remove_unwanted_ciphersuites(session, &cipher_suites, - ret, -1); - if (ret < 0) { - gnutls_assert(); - gnutls_free(cipher_suites); - return ret; + /* Here we remove any ciphersuite that does not conform + * the certificate requested, or to the + * authentication requested (eg SRP). + */ + ret = + _gnutls_remove_unwanted_ciphersuites (session, &cipher_suites, ret, -1); + if (ret < 0) + { + gnutls_assert (); + gnutls_free (cipher_suites); + return ret; } - /* If no cipher suites were enabled. - */ - if (ret == 0) { - gnutls_assert(); - gnutls_free(cipher_suites); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + /* If no cipher suites were enabled. + */ + if (ret == 0) + { + gnutls_assert (); + gnutls_free (cipher_suites); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - cipher_num = ret; + cipher_num = ret; - cipher_num *= sizeof(uint16); /* in order to get bytes */ + cipher_num *= sizeof (uint16); /* in order to get bytes */ - datalen = pos = 0; + datalen = pos = 0; - datalen += sizeof(uint16) + cipher_num; + datalen += sizeof (uint16) + cipher_num; - if ((size_t) datalen > ret_data_size) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if ((size_t) datalen > ret_data_size) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - _gnutls_write_uint16(cipher_num, ret_data); - pos += 2; + _gnutls_write_uint16 (cipher_num, ret_data); + pos += 2; - for (i = 0; i < (cipher_num / 2); i++) { - memcpy(&ret_data[pos], cipher_suites[i].suite, 2); - pos += 2; + for (i = 0; i < (cipher_num / 2); i++) + { + memcpy (&ret_data[pos], cipher_suites[i].suite, 2); + pos += 2; } - gnutls_free(cipher_suites); + gnutls_free (cipher_suites); - return datalen; + return datalen; } /* This function copies the appropriate compression methods, to a locally allocated buffer * Needed in hello messages. Returns the new data length. */ -static int _gnutls_copy_comp_methods(gnutls_session_t session, - opaque * ret_data, - size_t ret_data_size) +static int +_gnutls_copy_comp_methods (gnutls_session_t session, + opaque * ret_data, size_t ret_data_size) { - int ret, i; - uint8 *compression_methods, comp_num; - int datalen, pos; - - ret = - _gnutls_supported_compression_methods(session, - &compression_methods); - if (ret < 0) { - gnutls_assert(); - return ret; + int ret, i; + uint8 *compression_methods, comp_num; + int datalen, pos; + + ret = _gnutls_supported_compression_methods (session, &compression_methods); + if (ret < 0) + { + gnutls_assert (); + return ret; } - comp_num = ret; + comp_num = ret; - datalen = pos = 0; - datalen += comp_num + 1; + datalen = pos = 0; + datalen += comp_num + 1; - if ((size_t) datalen > ret_data_size) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if ((size_t) datalen > ret_data_size) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - ret_data[pos++] = comp_num; /* put the number of compression methods */ + ret_data[pos++] = comp_num; /* put the number of compression methods */ - for (i = 0; i < comp_num; i++) { - ret_data[pos++] = compression_methods[i]; + for (i = 0; i < comp_num; i++) + { + ret_data[pos++] = compression_methods[i]; } - gnutls_free(compression_methods); + gnutls_free (compression_methods); - return datalen; + return datalen; } /* This should be sufficient by now. It should hold all the extensions @@ -1496,318 +1609,351 @@ static int _gnutls_copy_comp_methods(gnutls_session_t session, /* This function sends the client hello handshake message. */ -static int _gnutls_send_client_hello(gnutls_session_t session, int again) +static int +_gnutls_send_client_hello (gnutls_session_t session, int again) { - opaque *data = NULL; - int extdatalen; - int pos = 0; - int datalen = 0, ret = 0; - opaque rnd[TLS_RANDOM_SIZE]; - gnutls_protocol_t hver; - opaque extdata[MAX_EXT_DATA_LENGTH]; - - opaque *SessionID = - session->internals.resumed_security_parameters.session_id; - uint8 session_id_len = - session->internals.resumed_security_parameters.session_id_size; - - if (SessionID == NULL) - session_id_len = 0; - else if (session_id_len == 0) - SessionID = NULL; - - if (again == 0) { - - datalen = 2 + (session_id_len + 1) + TLS_RANDOM_SIZE; - /* 2 for version, (4 for unix time + 28 for random bytes==TLS_RANDOM_SIZE) - */ - - data = gnutls_malloc(datalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + opaque *data = NULL; + int extdatalen; + int pos = 0; + int datalen = 0, ret = 0; + opaque rnd[TLS_RANDOM_SIZE]; + gnutls_protocol_t hver; + opaque extdata[MAX_EXT_DATA_LENGTH]; + + opaque *SessionID = + session->internals.resumed_security_parameters.session_id; + uint8 session_id_len = + session->internals.resumed_security_parameters.session_id_size; + + if (SessionID == NULL) + session_id_len = 0; + else if (session_id_len == 0) + SessionID = NULL; + + if (again == 0) + { + + datalen = 2 + (session_id_len + 1) + TLS_RANDOM_SIZE; + /* 2 for version, (4 for unix time + 28 for random bytes==TLS_RANDOM_SIZE) + */ + + data = gnutls_malloc (datalen); + if (data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - /* if we are resuming a session then we set the - * version number to the previously established. - */ - if (SessionID == NULL) - hver = _gnutls_version_max(session); - else { /* we are resuming a session */ - hver = session->internals.resumed_security_parameters.version; + /* if we are resuming a session then we set the + * version number to the previously established. + */ + if (SessionID == NULL) + hver = _gnutls_version_max (session); + else + { /* we are resuming a session */ + hver = session->internals.resumed_security_parameters.version; } - if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0) { - gnutls_assert(); - gnutls_free(data); - return GNUTLS_E_INTERNAL_ERROR; + if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0) + { + gnutls_assert (); + gnutls_free (data); + return GNUTLS_E_INTERNAL_ERROR; } - data[pos++] = _gnutls_version_get_major(hver); - data[pos++] = _gnutls_version_get_minor(hver); - - /* Set the version we advertized as maximum - * (RSA uses it). - */ - _gnutls_set_adv_version(session, hver); - - /* Some old implementations do not interoperate if we send a - * different version in the record layer. - * It seems they prefer to read the record's version - * as the one we actually requested. - * The proper behaviour is to use the one in the client hello - * handshake packet and ignore the one in the packet's record - * header. - */ - _gnutls_set_current_version(session, hver); - - /* In order to know when this session was initiated. - */ - session->security_parameters.timestamp = time(NULL); - - /* Generate random data - */ - _gnutls_tls_create_random(rnd); - _gnutls_set_client_random(session, rnd); - - memcpy(&data[pos], rnd, TLS_RANDOM_SIZE); - pos += TLS_RANDOM_SIZE; - - /* Copy the Session ID - */ - data[pos++] = session_id_len; - - if (session_id_len > 0) { - memcpy(&data[pos], SessionID, session_id_len); - pos += session_id_len; + data[pos++] = _gnutls_version_get_major (hver); + data[pos++] = _gnutls_version_get_minor (hver); + + /* Set the version we advertized as maximum + * (RSA uses it). + */ + _gnutls_set_adv_version (session, hver); + + /* Some old implementations do not interoperate if we send a + * different version in the record layer. + * It seems they prefer to read the record's version + * as the one we actually requested. + * The proper behaviour is to use the one in the client hello + * handshake packet and ignore the one in the packet's record + * header. + */ + _gnutls_set_current_version (session, hver); + + /* In order to know when this session was initiated. + */ + session->security_parameters.timestamp = time (NULL); + + /* Generate random data + */ + _gnutls_tls_create_random (rnd); + _gnutls_set_client_random (session, rnd); + + memcpy (&data[pos], rnd, TLS_RANDOM_SIZE); + pos += TLS_RANDOM_SIZE; + + /* Copy the Session ID + */ + data[pos++] = session_id_len; + + if (session_id_len > 0) + { + memcpy (&data[pos], SessionID, session_id_len); + pos += session_id_len; } - /* Copy the ciphersuites. - */ - extdatalen = - _gnutls_copy_ciphersuites(session, extdata, sizeof(extdata)); - if (extdatalen > 0) { - datalen += extdatalen; - data = gnutls_realloc_fast(data, datalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* Copy the ciphersuites. + */ + extdatalen = + _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata)); + if (extdatalen > 0) + { + datalen += extdatalen; + data = gnutls_realloc_fast (data, datalen); + if (data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - memcpy(&data[pos], extdata, extdatalen); - pos += extdatalen; + memcpy (&data[pos], extdata, extdatalen); + pos += extdatalen; - } else { - if (extdatalen == 0) - extdatalen = GNUTLS_E_INTERNAL_ERROR; - gnutls_free(data); - gnutls_assert(); - return extdatalen; + } + else + { + if (extdatalen == 0) + extdatalen = GNUTLS_E_INTERNAL_ERROR; + gnutls_free (data); + gnutls_assert (); + return extdatalen; } - /* Copy the compression methods. - */ - extdatalen = - _gnutls_copy_comp_methods(session, extdata, sizeof(extdata)); - if (extdatalen > 0) { - datalen += extdatalen; - data = gnutls_realloc_fast(data, datalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* Copy the compression methods. + */ + extdatalen = + _gnutls_copy_comp_methods (session, extdata, sizeof (extdata)); + if (extdatalen > 0) + { + datalen += extdatalen; + data = gnutls_realloc_fast (data, datalen); + if (data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - memcpy(&data[pos], extdata, extdatalen); - pos += extdatalen; + memcpy (&data[pos], extdata, extdatalen); + pos += extdatalen; - } else { - if (extdatalen == 0) - extdatalen = GNUTLS_E_INTERNAL_ERROR; - gnutls_free(data); - gnutls_assert(); - return extdatalen; + } + else + { + if (extdatalen == 0) + extdatalen = GNUTLS_E_INTERNAL_ERROR; + gnutls_free (data); + gnutls_assert (); + return extdatalen; } - /* Generate and copy TLS extensions. - */ - if (hver >= GNUTLS_TLS1) { - extdatalen = - _gnutls_gen_extensions(session, extdata, sizeof(extdata)); - - if (extdatalen > 0) { - datalen += extdatalen; - data = gnutls_realloc_fast(data, datalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* Generate and copy TLS extensions. + */ + if (hver >= GNUTLS_TLS1) + { + extdatalen = + _gnutls_gen_extensions (session, extdata, sizeof (extdata)); + + if (extdatalen > 0) + { + datalen += extdatalen; + data = gnutls_realloc_fast (data, datalen); + if (data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - memcpy(&data[pos], extdata, extdatalen); - } else if (extdatalen < 0) { - gnutls_assert(); - gnutls_free(data); - return extdatalen; + memcpy (&data[pos], extdata, extdatalen); + } + else if (extdatalen < 0) + { + gnutls_assert (); + gnutls_free (data); + return extdatalen; } } } - ret = - _gnutls_send_handshake(session, data, datalen, - GNUTLS_HANDSHAKE_CLIENT_HELLO); - gnutls_free(data); + ret = + _gnutls_send_handshake (session, data, datalen, + GNUTLS_HANDSHAKE_CLIENT_HELLO); + gnutls_free (data); - return ret; + return ret; } -static int _gnutls_send_server_hello(gnutls_session_t session, int again) +static int +_gnutls_send_server_hello (gnutls_session_t session, int again) { - opaque *data = NULL; - opaque extdata[MAX_EXT_DATA_LENGTH]; - int extdatalen; - int pos = 0; - int datalen, ret = 0; - uint8 comp; - opaque *SessionID = session->security_parameters.session_id; - uint8 session_id_len = session->security_parameters.session_id_size; - opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1]; + opaque *data = NULL; + opaque extdata[MAX_EXT_DATA_LENGTH]; + int extdatalen; + int pos = 0; + int datalen, ret = 0; + uint8 comp; + opaque *SessionID = session->security_parameters.session_id; + uint8 session_id_len = session->security_parameters.session_id_size; + opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1]; - if (SessionID == NULL) - session_id_len = 0; + if (SessionID == NULL) + session_id_len = 0; - datalen = 0; + datalen = 0; #ifdef ENABLE_SRP - if (IS_SRP_KX - (_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters.current_cipher_suite))) { - /* While resuming we cannot check the username extension since it is - * not available at this point. It will be copied on connection - * state activation. - */ - if (session->internals.resumed == RESUME_FALSE && - session->security_parameters.extensions.srp_username[0] == 0) { - /* The peer didn't send a valid SRP extension with the - * SRP username. The draft requires that we send an - * alert and start the handshake again. - */ - gnutls_assert(); - ret = gnutls_alert_send(session, GNUTLS_AL_WARNING, - GNUTLS_A_MISSING_SRP_USERNAME); - if (ret < 0) { - gnutls_assert(); - return ret; + if (IS_SRP_KX + (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters.current_cipher_suite))) + { + /* While resuming we cannot check the username extension since it is + * not available at this point. It will be copied on connection + * state activation. + */ + if (session->internals.resumed == RESUME_FALSE && + session->security_parameters.extensions.srp_username[0] == 0) + { + /* The peer didn't send a valid SRP extension with the + * SRP username. The draft requires that we send an + * alert and start the handshake again. + */ + gnutls_assert (); + ret = gnutls_alert_send (session, GNUTLS_AL_WARNING, + GNUTLS_A_MISSING_SRP_USERNAME); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return GNUTLS_E_INT_HANDSHAKE_AGAIN; + return GNUTLS_E_INT_HANDSHAKE_AGAIN; } } #endif - if (again == 0) { - datalen = 2 + session_id_len + 1 + TLS_RANDOM_SIZE + 3; - extdatalen = - _gnutls_gen_extensions(session, extdata, sizeof(extdata)); + if (again == 0) + { + datalen = 2 + session_id_len + 1 + TLS_RANDOM_SIZE + 3; + extdatalen = + _gnutls_gen_extensions (session, extdata, sizeof (extdata)); - if (extdatalen < 0) { - gnutls_assert(); - return extdatalen; + if (extdatalen < 0) + { + gnutls_assert (); + return extdatalen; } - data = gnutls_alloca(datalen + extdatalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + data = gnutls_alloca (datalen + extdatalen); + if (data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - data[pos++] = - _gnutls_version_get_major(session->security_parameters. - version); - data[pos++] = - _gnutls_version_get_minor(session->security_parameters. - version); - - memcpy(&data[pos], - session->security_parameters.server_random, - TLS_RANDOM_SIZE); - pos += TLS_RANDOM_SIZE; - - data[pos++] = session_id_len; - if (session_id_len > 0) { - memcpy(&data[pos], SessionID, session_id_len); + data[pos++] = + _gnutls_version_get_major (session->security_parameters.version); + data[pos++] = + _gnutls_version_get_minor (session->security_parameters.version); + + memcpy (&data[pos], + session->security_parameters.server_random, TLS_RANDOM_SIZE); + pos += TLS_RANDOM_SIZE; + + data[pos++] = session_id_len; + if (session_id_len > 0) + { + memcpy (&data[pos], SessionID, session_id_len); } - pos += session_id_len; + pos += session_id_len; - _gnutls_handshake_log("HSK[%x]: SessionID: %s\n", session, - _gnutls_bin2hex(SessionID, session_id_len, - buf, sizeof(buf))); + _gnutls_handshake_log ("HSK[%x]: SessionID: %s\n", session, + _gnutls_bin2hex (SessionID, session_id_len, + buf, sizeof (buf))); - memcpy(&data[pos], - session->security_parameters.current_cipher_suite.suite, 2); - pos += 2; + memcpy (&data[pos], + session->security_parameters.current_cipher_suite.suite, 2); + pos += 2; - comp = - (uint8) _gnutls_compression_get_num(session-> - internals. - compression_method); - data[pos++] = comp; + comp = + (uint8) _gnutls_compression_get_num (session-> + internals.compression_method); + data[pos++] = comp; - if (extdatalen > 0) { - datalen += extdatalen; + if (extdatalen > 0) + { + datalen += extdatalen; - memcpy(&data[pos], extdata, extdatalen); + memcpy (&data[pos], extdata, extdatalen); } } - ret = - _gnutls_send_handshake(session, data, datalen, - GNUTLS_HANDSHAKE_SERVER_HELLO); - gnutls_afree(data); + ret = + _gnutls_send_handshake (session, data, datalen, + GNUTLS_HANDSHAKE_SERVER_HELLO); + gnutls_afree (data); - return ret; + return ret; } -int _gnutls_send_hello(gnutls_session_t session, int again) +int +_gnutls_send_hello (gnutls_session_t session, int again) { - int ret; + int ret; - if (session->security_parameters.entity == GNUTLS_CLIENT) { - ret = _gnutls_send_client_hello(session, again); + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + ret = _gnutls_send_client_hello (session, again); - } else { /* SERVER */ - ret = _gnutls_send_server_hello(session, again); + } + else + { /* SERVER */ + ret = _gnutls_send_server_hello (session, again); } - return ret; + return ret; } /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a * hello message is expected. It uses the security_parameters.current_cipher_suite * and internals.compression_method. */ -int _gnutls_recv_hello(gnutls_session_t session, opaque * data, - int datalen) +int +_gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen) { - int ret; - - if (session->security_parameters.entity == GNUTLS_CLIENT) { - ret = _gnutls_read_server_hello(session, data, datalen); - if (ret < 0) { - gnutls_assert(); - return ret; + int ret; + + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + ret = _gnutls_read_server_hello (session, data, datalen); + if (ret < 0) + { + gnutls_assert (); + return ret; } - } else { /* Server side reading a client hello */ + } + else + { /* Server side reading a client hello */ - ret = _gnutls_read_client_hello(session, data, datalen); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_read_client_hello (session, data, datalen); + if (ret < 0) + { + gnutls_assert (); + return ret; } } - return ret; + return ret; } /* The packets in gnutls_handshake (it's more broad than original TLS handshake) @@ -1854,69 +2000,74 @@ int _gnutls_recv_hello(gnutls_session_t session, opaque * data, * this message. * **/ -int gnutls_rehandshake(gnutls_session_t session) +int +gnutls_rehandshake (gnutls_session_t session) { - int ret; + int ret; - /* only server sends that handshake packet */ - if (session->security_parameters.entity == GNUTLS_CLIENT) - return GNUTLS_E_INVALID_REQUEST; + /* only server sends that handshake packet */ + if (session->security_parameters.entity == GNUTLS_CLIENT) + return GNUTLS_E_INVALID_REQUEST; - ret = - _gnutls_send_empty_handshake(session, GNUTLS_HANDSHAKE_HELLO_REQUEST, - AGAIN(STATE50)); - STATE = STATE50; + ret = + _gnutls_send_empty_handshake (session, GNUTLS_HANDSHAKE_HELLO_REQUEST, + AGAIN (STATE50)); + STATE = STATE50; - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - STATE = STATE0; + STATE = STATE0; - return 0; + return 0; } -inline static int _gnutls_abort_handshake(gnutls_session_t session, - int ret) +inline static int +_gnutls_abort_handshake (gnutls_session_t session, int ret) { - if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) && - (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION)) - || ret == GNUTLS_E_GOT_APPLICATION_DATA) - return 0; + if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) && + (gnutls_alert_get (session) == GNUTLS_A_NO_RENEGOTIATION)) + || ret == GNUTLS_E_GOT_APPLICATION_DATA) + return 0; - /* this doesn't matter */ - return GNUTLS_E_INTERNAL_ERROR; + /* this doesn't matter */ + return GNUTLS_E_INTERNAL_ERROR; } /* This function initialized the handshake hash session. * required for finished messages. */ -inline static int _gnutls_handshake_hash_init(gnutls_session_t session) +inline static int +_gnutls_handshake_hash_init (gnutls_session_t session) { - if (session->internals.handshake_mac_handle_md5 == NULL) { - session->internals.handshake_mac_handle_md5 = - _gnutls_hash_init(GNUTLS_MAC_MD5); + if (session->internals.handshake_mac_handle_md5 == NULL) + { + session->internals.handshake_mac_handle_md5 = + _gnutls_hash_init (GNUTLS_MAC_MD5); - if (session->internals.handshake_mac_handle_md5 == - GNUTLS_HASH_FAILED) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (session->internals.handshake_mac_handle_md5 == GNUTLS_HASH_FAILED) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } } - if (session->internals.handshake_mac_handle_sha == NULL) { - session->internals.handshake_mac_handle_sha = - _gnutls_hash_init(GNUTLS_MAC_SHA1); - if (session->internals.handshake_mac_handle_sha == - GNUTLS_HASH_FAILED) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (session->internals.handshake_mac_handle_sha == NULL) + { + session->internals.handshake_mac_handle_sha = + _gnutls_hash_init (GNUTLS_MAC_SHA1); + if (session->internals.handshake_mac_handle_sha == GNUTLS_HASH_FAILED) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } } - return 0; + return 0; } /** @@ -1943,45 +2094,52 @@ inline static int _gnutls_handshake_hash_init(gnutls_session_t session) * rejected the rehandshake request. * **/ -int gnutls_handshake(gnutls_session_t session) +int +gnutls_handshake (gnutls_session_t session) { - int ret; + int ret; - if ((ret = _gnutls_handshake_hash_init(session)) < 0) { - gnutls_assert(); - return ret; + if ((ret = _gnutls_handshake_hash_init (session)) < 0) + { + gnutls_assert (); + return ret; } - if (session->security_parameters.entity == GNUTLS_CLIENT) { - ret = _gnutls_handshake_client(session); - } else { - ret = _gnutls_handshake_server(session); + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + ret = _gnutls_handshake_client (session); } - if (ret < 0) { - /* In the case of a rehandshake abort - * we should reset the handshake's internal state. - */ - if (_gnutls_abort_handshake(session, ret) == 0) - STATE = STATE0; + else + { + ret = _gnutls_handshake_server (session); + } + if (ret < 0) + { + /* In the case of a rehandshake abort + * we should reset the handshake's internal state. + */ + if (_gnutls_abort_handshake (session, ret) == 0) + STATE = STATE0; - return ret; + return ret; } - ret = _gnutls_handshake_common(session); + ret = _gnutls_handshake_common (session); - if (ret < 0) { - if (_gnutls_abort_handshake(session, ret) == 0) - STATE = STATE0; + if (ret < 0) + { + if (_gnutls_abort_handshake (session, ret) == 0) + STATE = STATE0; - return ret; + return ret; } - STATE = STATE0; + STATE = STATE0; - _gnutls_handshake_io_buffer_clear(session); - _gnutls_handshake_internal_state_clear(session); + _gnutls_handshake_io_buffer_clear (session); + _gnutls_handshake_internal_state_clear (session); - return 0; + return 0; } /* Here if GNUTLS_E_INT_HANDSHAKE_AGAIN is received we go to @@ -2012,210 +2170,224 @@ int gnutls_handshake(gnutls_session_t session) * _gnutls_handshake_client * This function performs the client side of the handshake of the TLS/SSL protocol. */ -int _gnutls_handshake_client(gnutls_session_t session) +int +_gnutls_handshake_client (gnutls_session_t session) { - int ret = 0; + int ret = 0; #ifdef HANDSHAKE_DEBUG - char buf[64]; - - if (session->internals.resumed_security_parameters.session_id_size > 0) - _gnutls_handshake_log("HSK[%x]: Ask to resume: %s\n", session, - _gnutls_bin2hex(session->internals. - resumed_security_parameters. - session_id, - session->internals. - resumed_security_parameters. - session_id_size, buf, - sizeof(buf))); + char buf[64]; + + if (session->internals.resumed_security_parameters.session_id_size > 0) + _gnutls_handshake_log ("HSK[%x]: Ask to resume: %s\n", session, + _gnutls_bin2hex (session->internals. + resumed_security_parameters. + session_id, + session->internals. + resumed_security_parameters. + session_id_size, buf, + sizeof (buf))); #endif - restart: +restart: - switch (STATE) { + switch (STATE) + { case STATE0: case STATE1: - ret = _gnutls_send_hello(session, AGAIN(STATE1)); - STATE = STATE1; - IMED_RET("send hello", ret); + ret = _gnutls_send_hello (session, AGAIN (STATE1)); + STATE = STATE1; + IMED_RET ("send hello", ret); case STATE2: - /* receive the server hello */ - ret = - _gnutls_recv_handshake(session, NULL, NULL, - GNUTLS_HANDSHAKE_SERVER_HELLO, MANDATORY_PACKET); - STATE = STATE2; - IMED_RET("recv hello", ret); + /* receive the server hello */ + ret = + _gnutls_recv_handshake (session, NULL, NULL, + GNUTLS_HANDSHAKE_SERVER_HELLO, + MANDATORY_PACKET); + STATE = STATE2; + IMED_RET ("recv hello", ret); case STATE3: - /* RECV CERTIFICATE */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_server_certificate(session); - STATE = STATE3; - IMED_RET("recv server certificate", ret); + /* RECV CERTIFICATE */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_server_certificate (session); + STATE = STATE3; + IMED_RET ("recv server certificate", ret); case STATE4: - /* receive the server key exchange */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_server_kx_message(session); - STATE = STATE4; - IMED_RET("recv server kx message", ret); + /* receive the server key exchange */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_server_kx_message (session); + STATE = STATE4; + IMED_RET ("recv server kx message", ret); case STATE5: - /* receive the server certificate request - if any - */ + /* receive the server certificate request - if any + */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_server_certificate_request(session); - STATE = STATE5; - IMED_RET("recv server certificate request message", ret); + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_server_certificate_request (session); + STATE = STATE5; + IMED_RET ("recv server certificate request message", ret); case STATE6: - /* receive the server hello done */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_recv_handshake(session, NULL, NULL, - GNUTLS_HANDSHAKE_SERVER_HELLO_DONE, - MANDATORY_PACKET); - STATE = STATE6; - IMED_RET("recv server hello done", ret); + /* receive the server hello done */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = + _gnutls_recv_handshake (session, NULL, NULL, + GNUTLS_HANDSHAKE_SERVER_HELLO_DONE, + MANDATORY_PACKET); + STATE = STATE6; + IMED_RET ("recv server hello done", ret); case STATE7: - /* send our certificate - if any and if requested - */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_send_client_certificate(session, AGAIN(STATE7)); - STATE = STATE7; - IMED_RET("send client certificate", ret); + /* send our certificate - if any and if requested + */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_send_client_certificate (session, AGAIN (STATE7)); + STATE = STATE7; + IMED_RET ("send client certificate", ret); case STATE8: - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_send_client_kx_message(session, AGAIN(STATE8)); - STATE = STATE8; - IMED_RET("send client kx", ret); + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_send_client_kx_message (session, AGAIN (STATE8)); + STATE = STATE8; + IMED_RET ("send client kx", ret); case STATE9: - /* send client certificate verify */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_send_client_certificate_verify(session, - AGAIN(STATE9)); - STATE = STATE9; - IMED_RET("send client certificate verify", ret); + /* send client certificate verify */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = + _gnutls_send_client_certificate_verify (session, AGAIN (STATE9)); + STATE = STATE9; + IMED_RET ("send client certificate verify", ret); - STATE = STATE0; + STATE = STATE0; default: - break; + break; } - return 0; + return 0; } /* This function sends the final handshake packets and initializes connection */ -static int _gnutls_send_handshake_final(gnutls_session_t session, int init) +static int +_gnutls_send_handshake_final (gnutls_session_t session, int init) { - int ret = 0; + int ret = 0; - /* Send the CHANGE CIPHER SPEC PACKET */ + /* Send the CHANGE CIPHER SPEC PACKET */ - switch (STATE) { + switch (STATE) + { case STATE0: case STATE20: - ret = _gnutls_send_change_cipher_spec(session, AGAIN(STATE20)); - STATE = STATE20; - if (ret < 0) { - ERR("send ChangeCipherSpec", ret); - gnutls_assert(); - return ret; + ret = _gnutls_send_change_cipher_spec (session, AGAIN (STATE20)); + STATE = STATE20; + if (ret < 0) + { + ERR ("send ChangeCipherSpec", ret); + gnutls_assert (); + return ret; } - /* Initialize the connection session (start encryption) - in case of client - */ - if (init == TRUE) { - ret = _gnutls_connection_state_init(session); - if (ret < 0) { - gnutls_assert(); - return ret; + /* Initialize the connection session (start encryption) - in case of client + */ + if (init == TRUE) + { + ret = _gnutls_connection_state_init (session); + if (ret < 0) + { + gnutls_assert (); + return ret; } } - ret = _gnutls_write_connection_state_init(session); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_write_connection_state_init (session); + if (ret < 0) + { + gnutls_assert (); + return ret; } case STATE21: - /* send the finished message */ - ret = _gnutls_send_finished(session, AGAIN(STATE21)); - STATE = STATE21; - if (ret < 0) { - ERR("send Finished", ret); - gnutls_assert(); - return ret; + /* send the finished message */ + ret = _gnutls_send_finished (session, AGAIN (STATE21)); + STATE = STATE21; + if (ret < 0) + { + ERR ("send Finished", ret); + gnutls_assert (); + return ret; } - STATE = STATE0; + STATE = STATE0; default: - break; + break; } - return 0; + return 0; } /* This function receives the final handshake packets * And executes the appropriate function to initialize the * read session. */ -static int _gnutls_recv_handshake_final(gnutls_session_t session, int init) +static int +_gnutls_recv_handshake_final (gnutls_session_t session, int init) { - int ret = 0; - uint8 ch; + int ret = 0; + uint8 ch; - switch (STATE) { + switch (STATE) + { case STATE0: case STATE30: - ret = - _gnutls_recv_int(session, GNUTLS_CHANGE_CIPHER_SPEC, -1, - &ch, 1); - STATE = STATE30; - if (ret <= 0) { - ERR("recv ChangeCipherSpec", ret); - gnutls_assert(); - return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + ret = _gnutls_recv_int (session, GNUTLS_CHANGE_CIPHER_SPEC, -1, &ch, 1); + STATE = STATE30; + if (ret <= 0) + { + ERR ("recv ChangeCipherSpec", ret); + gnutls_assert (); + return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - /* Initialize the connection session (start encryption) - in case of server */ - if (init == TRUE) { - ret = _gnutls_connection_state_init(session); - if (ret < 0) { - gnutls_assert(); - return ret; + /* Initialize the connection session (start encryption) - in case of server */ + if (init == TRUE) + { + ret = _gnutls_connection_state_init (session); + if (ret < 0) + { + gnutls_assert (); + return ret; } } - ret = _gnutls_read_connection_state_init(session); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_read_connection_state_init (session); + if (ret < 0) + { + gnutls_assert (); + return ret; } case STATE31: - ret = _gnutls_recv_finished(session); - STATE = STATE31; - if (ret < 0) { - ERR("recv finished", ret); - gnutls_assert(); - return ret; + ret = _gnutls_recv_finished (session); + STATE = STATE31; + if (ret < 0) + { + ERR ("recv finished", ret); + gnutls_assert (); + return ret; } - STATE = STATE0; + STATE = STATE0; default: - break; + break; } - return 0; + return 0; } /* @@ -2223,236 +2395,260 @@ static int _gnutls_recv_handshake_final(gnutls_session_t session, int init) * This function does the server stuff of the handshake protocol. */ -int _gnutls_handshake_server(gnutls_session_t session) +int +_gnutls_handshake_server (gnutls_session_t session) { - int ret = 0; + int ret = 0; - restart: +restart: - switch (STATE) { + switch (STATE) + { case STATE0: case STATE1: - ret = - _gnutls_recv_handshake(session, NULL, NULL, - GNUTLS_HANDSHAKE_CLIENT_HELLO, MANDATORY_PACKET); - STATE = STATE1; - IMED_RET("recv hello", ret); + ret = + _gnutls_recv_handshake (session, NULL, NULL, + GNUTLS_HANDSHAKE_CLIENT_HELLO, + MANDATORY_PACKET); + STATE = STATE1; + IMED_RET ("recv hello", ret); case STATE2: - ret = _gnutls_send_hello(session, AGAIN(STATE2)); - STATE = STATE2; - IMED_RET("send hello", ret); + ret = _gnutls_send_hello (session, AGAIN (STATE2)); + STATE = STATE2; + IMED_RET ("send hello", ret); - /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */ + /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */ case STATE3: - /* NOTE: these should not be send if we are resuming */ + /* NOTE: these should not be send if we are resuming */ - if (session->internals.resumed == RESUME_FALSE) - ret = _gnutls_send_server_certificate(session, AGAIN(STATE3)); - STATE = STATE3; - IMED_RET("send server certificate", ret); + if (session->internals.resumed == RESUME_FALSE) + ret = _gnutls_send_server_certificate (session, AGAIN (STATE3)); + STATE = STATE3; + IMED_RET ("send server certificate", ret); case STATE4: - /* send server key exchange (A) */ - if (session->internals.resumed == RESUME_FALSE) - ret = _gnutls_send_server_kx_message(session, AGAIN(STATE4)); - STATE = STATE4; - IMED_RET("send server kx", ret); + /* send server key exchange (A) */ + if (session->internals.resumed == RESUME_FALSE) + ret = _gnutls_send_server_kx_message (session, AGAIN (STATE4)); + STATE = STATE4; + IMED_RET ("send server kx", ret); case STATE5: - /* Send certificate request - if requested to */ - if (session->internals.resumed == RESUME_FALSE) - ret = - _gnutls_send_server_certificate_request(session, - AGAIN(STATE5)); - STATE = STATE5; - IMED_RET("send server cert request", ret); + /* Send certificate request - if requested to */ + if (session->internals.resumed == RESUME_FALSE) + ret = + _gnutls_send_server_certificate_request (session, AGAIN (STATE5)); + STATE = STATE5; + IMED_RET ("send server cert request", ret); case STATE6: - /* send the server hello done */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_send_empty_handshake(session, - GNUTLS_HANDSHAKE_SERVER_HELLO_DONE, - AGAIN(STATE6)); - STATE = STATE6; - IMED_RET("send server hello done", ret); + /* send the server hello done */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = + _gnutls_send_empty_handshake (session, + GNUTLS_HANDSHAKE_SERVER_HELLO_DONE, + AGAIN (STATE6)); + STATE = STATE6; + IMED_RET ("send server hello done", ret); - /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */ + /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */ case STATE7: - /* receive the client certificate message */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_client_certificate(session); - STATE = STATE7; - IMED_RET("recv client certificate", ret); + /* receive the client certificate message */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_client_certificate (session); + STATE = STATE7; + IMED_RET ("recv client certificate", ret); case STATE8: - /* receive the client key exchange message */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_client_kx_message(session); - STATE = STATE8; - IMED_RET("recv client kx", ret); + /* receive the client key exchange message */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_client_kx_message (session); + STATE = STATE8; + IMED_RET ("recv client kx", ret); case STATE9: - /* receive the client certificate verify message */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_client_certificate_verify_message(session); - STATE = STATE9; - IMED_RET("recv client certificate verify", ret); + /* receive the client certificate verify message */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_client_certificate_verify_message (session); + STATE = STATE9; + IMED_RET ("recv client certificate verify", ret); - STATE = STATE0; /* finished thus clear session */ + STATE = STATE0; /* finished thus clear session */ default: - break; + break; } - return 0; + return 0; } -int _gnutls_handshake_common(gnutls_session_t session) +int +_gnutls_handshake_common (gnutls_session_t session) { - int ret = 0; + int ret = 0; - restart: +restart: - /* send and recv the change cipher spec and finished messages */ - if ((session->internals.resumed == RESUME_TRUE - && session->security_parameters.entity == GNUTLS_CLIENT) - || (session->internals.resumed == RESUME_FALSE - && session->security_parameters.entity == GNUTLS_SERVER)) { - /* if we are a client resuming - or we are a server not resuming */ + /* send and recv the change cipher spec and finished messages */ + if ((session->internals.resumed == RESUME_TRUE + && session->security_parameters.entity == GNUTLS_CLIENT) + || (session->internals.resumed == RESUME_FALSE + && session->security_parameters.entity == GNUTLS_SERVER)) + { + /* if we are a client resuming - or we are a server not resuming */ - ret = _gnutls_recv_handshake_final(session, TRUE); - IMED_RET("recv handshake final", ret); + ret = _gnutls_recv_handshake_final (session, TRUE); + IMED_RET ("recv handshake final", ret); - ret = _gnutls_send_handshake_final(session, FALSE); - IMED_RET("send handshake final", ret); - } else { /* if we are a client not resuming - or we are a server resuming */ + ret = _gnutls_send_handshake_final (session, FALSE); + IMED_RET ("send handshake final", ret); + } + else + { /* if we are a client not resuming - or we are a server resuming */ - ret = _gnutls_send_handshake_final(session, TRUE); - IMED_RET("send handshake final 2", ret); + ret = _gnutls_send_handshake_final (session, TRUE); + IMED_RET ("send handshake final 2", ret); - ret = _gnutls_recv_handshake_final(session, FALSE); - IMED_RET("recv handshake final 2", ret); + ret = _gnutls_recv_handshake_final (session, FALSE); + IMED_RET ("recv handshake final 2", ret); } - if (session->security_parameters.entity == GNUTLS_SERVER) { - /* in order to support session resuming */ - _gnutls_server_register_current_session(session); + if (session->security_parameters.entity == GNUTLS_SERVER) + { + /* in order to support session resuming */ + _gnutls_server_register_current_session (session); } - /* clear handshake buffer */ - _gnutls_handshake_hash_buffers_clear(session); - return ret; + /* clear handshake buffer */ + _gnutls_handshake_hash_buffers_clear (session); + return ret; } -int _gnutls_generate_session_id(opaque * session_id, uint8 * len) +int +_gnutls_generate_session_id (opaque * session_id, uint8 * len) { - *len = TLS_MAX_SESSION_ID_SIZE; + *len = TLS_MAX_SESSION_ID_SIZE; - if (gc_nonce (session_id, *len) != GC_OK) { - gnutls_assert(); + if (gc_nonce (session_id, *len) != GC_OK) + { + gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; } - return 0; + return 0; } -int _gnutls_recv_hello_request(gnutls_session_t session, void *data, - uint32 data_size) +int +_gnutls_recv_hello_request (gnutls_session_t session, void *data, + uint32 data_size) { - uint8 type; - - if (session->security_parameters.entity == GNUTLS_SERVER) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET; - } - if (data_size < 1) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - type = ((uint8 *) data)[0]; - if (type == GNUTLS_HANDSHAKE_HELLO_REQUEST) - return GNUTLS_E_REHANDSHAKE; - else { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET; + uint8 type; + + if (session->security_parameters.entity == GNUTLS_SERVER) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET; + } + if (data_size < 1) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + type = ((uint8 *) data)[0]; + if (type == GNUTLS_HANDSHAKE_HELLO_REQUEST) + return GNUTLS_E_REHANDSHAKE; + else + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET; } } /* Returns 1 if the given KX has not the corresponding parameters * (DH or RSA) set up. Otherwise returns 0. */ -inline static int check_server_params(gnutls_session_t session, - gnutls_kx_algorithm_t kx, - gnutls_kx_algorithm_t * alg, - int alg_size) +inline static int +check_server_params (gnutls_session_t session, + gnutls_kx_algorithm_t kx, + gnutls_kx_algorithm_t * alg, int alg_size) { - int cred_type; - gnutls_dh_params_t dh_params = NULL; - gnutls_rsa_params_t rsa_params = NULL; - int j; + int cred_type; + gnutls_dh_params_t dh_params = NULL; + gnutls_rsa_params_t rsa_params = NULL; + int j; - cred_type = _gnutls_map_kx_get_cred(kx, 1); + cred_type = _gnutls_map_kx_get_cred (kx, 1); - /* Read the Diffie Hellman parameters, if any. - */ - if (cred_type == GNUTLS_CRD_CERTIFICATE) { + /* Read the Diffie Hellman parameters, if any. + */ + if (cred_type == GNUTLS_CRD_CERTIFICATE) + { int delete; - gnutls_certificate_credentials_t x509_cred = - (gnutls_certificate_credentials_t)_gnutls_get_cred(session->key, cred_type, NULL); - - if (x509_cred != NULL) { - dh_params = - _gnutls_certificate_get_dh_params(x509_cred, session); - rsa_params = - _gnutls_certificate_get_rsa_params(x509_cred, session); + gnutls_certificate_credentials_t x509_cred = + (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key, + cred_type, NULL); + + if (x509_cred != NULL) + { + dh_params = _gnutls_certificate_get_dh_params (x509_cred, session); + rsa_params = + _gnutls_certificate_get_rsa_params (x509_cred, session); } - /* Check also if the certificate supports the - * KX method. - */ - delete = 1; - for (j = 0; j < alg_size; j++) { - if (alg[j] == kx) { - delete = 0; - break; + /* Check also if the certificate supports the + * KX method. + */ + delete = 1; + for (j = 0; j < alg_size; j++) + { + if (alg[j] == kx) + { + delete = 0; + break; } } - if (delete == 1) - return 1; + if (delete == 1) + return 1; #ifdef ENABLE_ANON - } else if (cred_type == GNUTLS_CRD_ANON) { + } + else if (cred_type == GNUTLS_CRD_ANON) + { gnutls_anon_server_credentials_t anon_cred = - (gnutls_anon_server_credentials_t)_gnutls_get_cred(session->key, cred_type, NULL); + (gnutls_anon_server_credentials_t) _gnutls_get_cred (session->key, + cred_type, NULL); - if (anon_cred != NULL) { - dh_params = _gnutls_anon_get_dh_params(anon_cred, session); + if (anon_cred != NULL) + { + dh_params = _gnutls_anon_get_dh_params (anon_cred, session); } #endif - } else - return 0; /* no need for params */ + } + else + return 0; /* no need for params */ - /* If the key exchange method needs RSA or DH params, - * but they are not set then remove it. - */ - if (_gnutls_kx_needs_rsa_params(kx) != 0) { - /* needs rsa params. */ - if (_gnutls_get_rsa_params(rsa_params) == NULL) - return 1; + /* If the key exchange method needs RSA or DH params, + * but they are not set then remove it. + */ + if (_gnutls_kx_needs_rsa_params (kx) != 0) + { + /* needs rsa params. */ + if (_gnutls_get_rsa_params (rsa_params) == NULL) + return 1; } - if (_gnutls_kx_needs_dh_params(kx) != 0) { - /* needs DH params. */ - if (_gnutls_get_dh_params(dh_params) == NULL) - return 1; + if (_gnutls_kx_needs_dh_params (kx) != 0) + { + /* needs DH params. */ + if (_gnutls_get_dh_params (dh_params) == NULL) + return 1; } - return 0; + return 0; } /* This function will remove algorithms that are not supported by @@ -2462,108 +2658,120 @@ inline static int check_server_params(gnutls_session_t session, * This does a more high level check than gnutls_supported_ciphersuites(), * by checking certificates etc. */ -int _gnutls_remove_unwanted_ciphersuites(gnutls_session_t session, - cipher_suite_st **cipherSuites, int numCipherSuites, - gnutls_pk_algorithm_t requested_pk_algo) +int +_gnutls_remove_unwanted_ciphersuites (gnutls_session_t session, + cipher_suite_st ** cipherSuites, + int numCipherSuites, + gnutls_pk_algorithm_t requested_pk_algo) { - int ret = 0; - cipher_suite_st *newSuite, cs; - int newSuiteSize = 0, i; - gnutls_certificate_credentials_t x509_cred; - gnutls_kx_algorithm_t kx; - int server = - session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0; - gnutls_kx_algorithm_t *alg; - int alg_size; - - /* if we should use a specific certificate, - * we should remove all algorithms that are not supported - * by that certificate and are on the same authentication - * method (CERTIFICATE). - */ - - x509_cred = - (gnutls_certificate_credentials_t)_gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - - /* if x509_cred==NULL we should remove all X509 ciphersuites - */ - - if (session->security_parameters.entity == GNUTLS_SERVER - && x509_cred != NULL) { - ret = _gnutls_server_select_cert(session, requested_pk_algo); - if (ret < 0) { - gnutls_assert(); - return ret; + int ret = 0; + cipher_suite_st *newSuite, cs; + int newSuiteSize = 0, i; + gnutls_certificate_credentials_t x509_cred; + gnutls_kx_algorithm_t kx; + int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0; + gnutls_kx_algorithm_t *alg; + int alg_size; + + /* if we should use a specific certificate, + * we should remove all algorithms that are not supported + * by that certificate and are on the same authentication + * method (CERTIFICATE). + */ + + x509_cred = + (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key, + GNUTLS_CRD_CERTIFICATE, + NULL); + + /* if x509_cred==NULL we should remove all X509 ciphersuites + */ + + if (session->security_parameters.entity == GNUTLS_SERVER + && x509_cred != NULL) + { + ret = _gnutls_server_select_cert (session, requested_pk_algo); + if (ret < 0) + { + gnutls_assert (); + return ret; } } - /* get all the key exchange algorithms that are - * supported by the X509 certificate parameters. - */ - if ((ret = - _gnutls_selected_cert_supported_kx(session, &alg, - &alg_size)) < 0) { - gnutls_assert(); - return ret; - } - - newSuite = gnutls_malloc(numCipherSuites * sizeof(cipher_suite_st)); - if (newSuite == NULL) { - gnutls_assert(); - gnutls_free(alg); - return GNUTLS_E_MEMORY_ERROR; - } - - /* now removes ciphersuites based on the KX algorithm - */ - for (i = 0; i < numCipherSuites; i++) { - int delete = 0; - - /* finds the key exchange algorithm in - * the ciphersuite - */ - kx = _gnutls_cipher_suite_get_kx_algo(&(*cipherSuites)[i]); - - /* if it is defined but had no credentials - */ - if (_gnutls_get_kx_cred(session, kx, NULL) == NULL) { - delete = 1; - } else { - delete = 0; + /* get all the key exchange algorithms that are + * supported by the X509 certificate parameters. + */ + if ((ret = + _gnutls_selected_cert_supported_kx (session, &alg, &alg_size)) < 0) + { + gnutls_assert (); + return ret; + } + + newSuite = gnutls_malloc (numCipherSuites * sizeof (cipher_suite_st)); + if (newSuite == NULL) + { + gnutls_assert (); + gnutls_free (alg); + return GNUTLS_E_MEMORY_ERROR; + } + + /* now removes ciphersuites based on the KX algorithm + */ + for (i = 0; i < numCipherSuites; i++) + { + int delete = 0; + + /* finds the key exchange algorithm in + * the ciphersuite + */ + kx = _gnutls_cipher_suite_get_kx_algo (&(*cipherSuites)[i]); + + /* if it is defined but had no credentials + */ + if (_gnutls_get_kx_cred (session, kx, NULL) == NULL) + { + delete = 1; + } + else + { + delete = 0; - if (server) - delete = check_server_params(session, kx, alg, alg_size); + if (server) + delete = check_server_params (session, kx, alg, alg_size); } - memcpy(&cs.suite, &(*cipherSuites)[i].suite, 2); + memcpy (&cs.suite, &(*cipherSuites)[i].suite, 2); - if (delete == 0) { + if (delete == 0) + { - _gnutls_handshake_log("HSK[%x]: Keeping ciphersuite: %s\n", - session, - _gnutls_cipher_suite_get_name(&cs)); + _gnutls_handshake_log ("HSK[%x]: Keeping ciphersuite: %s\n", + session, + _gnutls_cipher_suite_get_name (&cs)); - memcpy(newSuite[newSuiteSize].suite, - (*cipherSuites)[i].suite, 2); - newSuiteSize++; - } else { - _gnutls_handshake_log("HSK[%x]: Removing ciphersuite: %s\n", - session, - _gnutls_cipher_suite_get_name(&cs)); + memcpy (newSuite[newSuiteSize].suite, (*cipherSuites)[i].suite, 2); + newSuiteSize++; + } + else + { + _gnutls_handshake_log ("HSK[%x]: Removing ciphersuite: %s\n", + session, + _gnutls_cipher_suite_get_name (&cs)); } } - gnutls_free(alg); - gnutls_free(*cipherSuites); - *cipherSuites = newSuite; + gnutls_free (alg); + gnutls_free (*cipherSuites); + *cipherSuites = newSuite; - ret = newSuiteSize; + ret = newSuiteSize; - return ret; + return ret; } @@ -2578,23 +2786,24 @@ int _gnutls_remove_unwanted_ciphersuites(gnutls_session_t session, * to set an upper limit. * **/ -void gnutls_handshake_set_max_packet_length(gnutls_session_t session, - int max) +void +gnutls_handshake_set_max_packet_length (gnutls_session_t session, int max) { - session->internals.max_handshake_data_buffer_size = max; + session->internals.max_handshake_data_buffer_size = max; } -void _gnutls_set_adv_version(gnutls_session_t session, - gnutls_protocol_t ver) +void +_gnutls_set_adv_version (gnutls_session_t session, gnutls_protocol_t ver) { - set_adv_version(session, _gnutls_version_get_major(ver), - _gnutls_version_get_minor(ver)); + set_adv_version (session, _gnutls_version_get_major (ver), + _gnutls_version_get_minor (ver)); } -gnutls_protocol_t _gnutls_get_adv_version(gnutls_session_t session) +gnutls_protocol_t +_gnutls_get_adv_version (gnutls_session_t session) { - return _gnutls_version_get(_gnutls_get_adv_version_major(session), - _gnutls_get_adv_version_minor(session)); + return _gnutls_version_get (_gnutls_get_adv_version_major (session), + _gnutls_get_adv_version_minor (session)); } /** @@ -2608,9 +2817,9 @@ gnutls_protocol_t _gnutls_get_adv_version(gnutls_session_t session) * Check gnutls.h for the available handshake descriptions. **/ gnutls_handshake_description_t -gnutls_handshake_get_last_in(gnutls_session_t session) +gnutls_handshake_get_last_in (gnutls_session_t session) { - return session->internals.last_handshake_in; + return session->internals.last_handshake_in; } /** @@ -2625,7 +2834,7 @@ gnutls_handshake_get_last_in(gnutls_session_t session) * **/ gnutls_handshake_description_t -gnutls_handshake_get_last_out(gnutls_session_t session) +gnutls_handshake_get_last_out (gnutls_session_t session) { - return session->internals.last_handshake_out; + return session->internals.last_handshake_out; } diff --git a/lib/gnutls_handshake.h b/lib/gnutls_handshake.h index f684b70ee3..3067084b86 100644 --- a/lib/gnutls_handshake.h +++ b/lib/gnutls_handshake.h @@ -22,31 +22,33 @@ * */ -typedef enum Optional { OPTIONAL_PACKET, MANDATORY_PACKET } Optional; +typedef enum Optional +{ OPTIONAL_PACKET, MANDATORY_PACKET } Optional; -int _gnutls_send_handshake(gnutls_session_t session, void *i_data, - uint32 i_datasize, gnutls_handshake_description_t type); -int _gnutls_recv_hello_request(gnutls_session_t session, void *data, - uint32 data_size); -int _gnutls_send_hello(gnutls_session_t session, int again); -int _gnutls_recv_hello(gnutls_session_t session, opaque * data, - int datalen); -int _gnutls_recv_handshake(gnutls_session_t session, uint8 **, int *, - gnutls_handshake_description_t, Optional optional); -int _gnutls_generate_session_id(opaque * session_id, uint8 * len); -int _gnutls_handshake_common(gnutls_session_t session); -int _gnutls_handshake_client(gnutls_session_t session); -int _gnutls_handshake_server(gnutls_session_t session); -void _gnutls_set_server_random(gnutls_session_t session, uint8 * rnd); -void _gnutls_set_client_random(gnutls_session_t session, uint8 * rnd); -int _gnutls_tls_create_random(opaque * dst); -int _gnutls_remove_unwanted_ciphersuites(gnutls_session_t session, - cipher_suite_st ** cipherSuites, - int numCipherSuites, - gnutls_pk_algorithm_t); -int _gnutls_find_pk_algos_in_ciphersuites(opaque * data, int datalen); -int _gnutls_server_select_suite(gnutls_session_t session, opaque * data, - int datalen); +int _gnutls_send_handshake (gnutls_session_t session, void *i_data, + uint32 i_datasize, + gnutls_handshake_description_t type); +int _gnutls_recv_hello_request (gnutls_session_t session, void *data, + uint32 data_size); +int _gnutls_send_hello (gnutls_session_t session, int again); +int _gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen); +int _gnutls_recv_handshake (gnutls_session_t session, uint8 **, int *, + gnutls_handshake_description_t, + Optional optional); +int _gnutls_generate_session_id (opaque * session_id, uint8 * len); +int _gnutls_handshake_common (gnutls_session_t session); +int _gnutls_handshake_client (gnutls_session_t session); +int _gnutls_handshake_server (gnutls_session_t session); +void _gnutls_set_server_random (gnutls_session_t session, uint8 * rnd); +void _gnutls_set_client_random (gnutls_session_t session, uint8 * rnd); +int _gnutls_tls_create_random (opaque * dst); +int _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session, + cipher_suite_st ** cipherSuites, + int numCipherSuites, + gnutls_pk_algorithm_t); +int _gnutls_find_pk_algos_in_ciphersuites (opaque * data, int datalen); +int _gnutls_server_select_suite (gnutls_session_t session, opaque * data, + int datalen); #define STATE session->internals.handshake_state /* This returns true if we have got there diff --git a/lib/gnutls_hash_int.c b/lib/gnutls_hash_int.c index 6552cc3ad4..37f34cf605 100644 --- a/lib/gnutls_hash_int.c +++ b/lib/gnutls_hash_int.c @@ -30,404 +30,445 @@ #include <gnutls_hash_int.h> #include <gnutls_errors.h> -GNUTLS_HASH_HANDLE _gnutls_hash_init(gnutls_mac_algorithm_t algorithm) +GNUTLS_HASH_HANDLE +_gnutls_hash_init (gnutls_mac_algorithm_t algorithm) { - mac_hd_t ret; - int result; - - ret = gnutls_malloc(sizeof(mac_hd_st)); - if (ret == NULL) { - gnutls_assert(); - return GNUTLS_HASH_FAILED; + mac_hd_t ret; + int result; + + ret = gnutls_malloc (sizeof (mac_hd_st)); + if (ret == NULL) + { + gnutls_assert (); + return GNUTLS_HASH_FAILED; } - ret->algorithm = algorithm; + ret->algorithm = algorithm; - switch (algorithm) { + switch (algorithm) + { case GNUTLS_MAC_SHA1: - result = gc_hash_open(GC_SHA1, 0, &ret->handle); - break; + result = gc_hash_open (GC_SHA1, 0, &ret->handle); + break; case GNUTLS_MAC_MD5: - result = gc_hash_open(GC_MD5, 0, &ret->handle); - break; + result = gc_hash_open (GC_MD5, 0, &ret->handle); + break; case GNUTLS_MAC_RMD160: - result = gc_hash_open(GC_RMD160, 0, &ret->handle); - break; + result = gc_hash_open (GC_RMD160, 0, &ret->handle); + break; case GNUTLS_MAC_MD2: - result = gc_hash_open(GC_MD2, 0, &ret->handle); - break; + result = gc_hash_open (GC_MD2, 0, &ret->handle); + break; default: - gnutls_assert(); - result = -1; + gnutls_assert (); + result = -1; } - if (result) { - gnutls_assert(); - gnutls_free(ret); - ret = GNUTLS_HASH_FAILED; + if (result) + { + gnutls_assert (); + gnutls_free (ret); + ret = GNUTLS_HASH_FAILED; } - return ret; + return ret; } -int _gnutls_hash_get_algo_len(gnutls_mac_algorithm_t algorithm) +int +_gnutls_hash_get_algo_len (gnutls_mac_algorithm_t algorithm) { - int ret; + int ret; - switch (algorithm) { + switch (algorithm) + { case GNUTLS_MAC_SHA1: - ret = gc_hash_digest_length(GC_SHA1); - break; + ret = gc_hash_digest_length (GC_SHA1); + break; case GNUTLS_MAC_MD5: - ret = gc_hash_digest_length(GC_MD5); - break; + ret = gc_hash_digest_length (GC_MD5); + break; case GNUTLS_MAC_RMD160: - ret = gc_hash_digest_length(GC_RMD160); - break; + ret = gc_hash_digest_length (GC_RMD160); + break; case GNUTLS_MAC_MD2: - ret = gc_hash_digest_length(GC_MD2); + ret = gc_hash_digest_length (GC_MD2); break; default: - ret = 0; - break; + ret = 0; + break; } - return ret; + return ret; } -int _gnutls_hash(GNUTLS_HASH_HANDLE handle, const void *text, - size_t textlen) +int +_gnutls_hash (GNUTLS_HASH_HANDLE handle, const void *text, size_t textlen) { - if (textlen > 0) - gc_hash_write(handle->handle, textlen, text); - return 0; + if (textlen > 0) + gc_hash_write (handle->handle, textlen, text); + return 0; } -GNUTLS_HASH_HANDLE _gnutls_hash_copy(GNUTLS_HASH_HANDLE handle) +GNUTLS_HASH_HANDLE +_gnutls_hash_copy (GNUTLS_HASH_HANDLE handle) { - GNUTLS_HASH_HANDLE ret; - int result; + GNUTLS_HASH_HANDLE ret; + int result; - ret = gnutls_malloc(sizeof(mac_hd_st)); + ret = gnutls_malloc (sizeof (mac_hd_st)); - if (ret == NULL) - return GNUTLS_HASH_FAILED; + if (ret == NULL) + return GNUTLS_HASH_FAILED; - ret->algorithm = handle->algorithm; - ret->key = NULL; /* it's a hash anyway */ - ret->keysize = 0; + ret->algorithm = handle->algorithm; + ret->key = NULL; /* it's a hash anyway */ + ret->keysize = 0; - result = gc_hash_clone(handle->handle, &ret->handle); + result = gc_hash_clone (handle->handle, &ret->handle); - if (result) { - gnutls_free(ret); - return GNUTLS_HASH_FAILED; + if (result) + { + gnutls_free (ret); + return GNUTLS_HASH_FAILED; } - return ret; + return ret; } -void _gnutls_hash_deinit(GNUTLS_HASH_HANDLE handle, void *digest) +void +_gnutls_hash_deinit (GNUTLS_HASH_HANDLE handle, void *digest) { - const opaque *mac; - int maclen; + const opaque *mac; + int maclen; - maclen = _gnutls_hash_get_algo_len(handle->algorithm); + maclen = _gnutls_hash_get_algo_len (handle->algorithm); - mac = gc_hash_read(handle->handle); - if (digest != NULL) - memcpy(digest, mac, maclen); + mac = gc_hash_read (handle->handle); + if (digest != NULL) + memcpy (digest, mac, maclen); - gc_hash_close(handle->handle); + gc_hash_close (handle->handle); - gnutls_free(handle); + gnutls_free (handle); } -mac_hd_t _gnutls_hmac_init(gnutls_mac_algorithm_t algorithm, - const void *key, int keylen) +mac_hd_t +_gnutls_hmac_init (gnutls_mac_algorithm_t algorithm, + const void *key, int keylen) { - mac_hd_t ret; - int result; + mac_hd_t ret; + int result; - ret = gnutls_malloc(sizeof(mac_hd_st)); - if (ret == NULL) - return GNUTLS_MAC_FAILED; + ret = gnutls_malloc (sizeof (mac_hd_st)); + if (ret == NULL) + return GNUTLS_MAC_FAILED; - switch (algorithm) { + switch (algorithm) + { case GNUTLS_MAC_SHA1: - result = gc_hash_open(GC_SHA1, GC_HMAC, &ret->handle); - break; + result = gc_hash_open (GC_SHA1, GC_HMAC, &ret->handle); + break; case GNUTLS_MAC_MD5: - result = gc_hash_open(GC_MD5, GC_HMAC, &ret->handle); - break; + result = gc_hash_open (GC_MD5, GC_HMAC, &ret->handle); + break; case GNUTLS_MAC_RMD160: - result = gc_hash_open(GC_RMD160, GC_HMAC, &ret->handle); - break; + result = gc_hash_open (GC_RMD160, GC_HMAC, &ret->handle); + break; default: - result = -1; + result = -1; } - if (result) { - gnutls_free(ret); - ret = GNUTLS_MAC_FAILED; + if (result) + { + gnutls_free (ret); + ret = GNUTLS_MAC_FAILED; } - if (ret != GNUTLS_MAC_FAILED) { - gc_hash_hmac_setkey(ret->handle, keylen, key); + if (ret != GNUTLS_MAC_FAILED) + { + gc_hash_hmac_setkey (ret->handle, keylen, key); - ret->algorithm = algorithm; - ret->key = key; - ret->keysize = keylen; + ret->algorithm = algorithm; + ret->key = key; + ret->keysize = keylen; } - return ret; + return ret; } -void _gnutls_hmac_deinit(mac_hd_t handle, void *digest) +void +_gnutls_hmac_deinit (mac_hd_t handle, void *digest) { - const opaque *mac; - int maclen; + const opaque *mac; + int maclen; - maclen = _gnutls_hash_get_algo_len(handle->algorithm); + maclen = _gnutls_hash_get_algo_len (handle->algorithm); - mac = gc_hash_read(handle->handle); + mac = gc_hash_read (handle->handle); - if (digest != NULL) - memcpy(digest, mac, maclen); + if (digest != NULL) + memcpy (digest, mac, maclen); - gc_hash_close(handle->handle); + gc_hash_close (handle->handle); - gnutls_free(handle); + gnutls_free (handle); } -inline static int get_padsize(gnutls_mac_algorithm_t algorithm) +inline static int +get_padsize (gnutls_mac_algorithm_t algorithm) { - switch (algorithm) { + switch (algorithm) + { case GNUTLS_MAC_MD5: - return 48; + return 48; case GNUTLS_MAC_SHA1: - return 40; + return 40; default: - return 0; + return 0; } } -mac_hd_t _gnutls_mac_init_ssl3(gnutls_mac_algorithm_t algorithm, void *key, - int keylen) +mac_hd_t +_gnutls_mac_init_ssl3 (gnutls_mac_algorithm_t algorithm, void *key, + int keylen) { - mac_hd_t ret; - opaque ipad[48]; - int padsize; - - padsize = get_padsize(algorithm); - if (padsize == 0) { - gnutls_assert(); - return GNUTLS_MAC_FAILED; + mac_hd_t ret; + opaque ipad[48]; + int padsize; + + padsize = get_padsize (algorithm); + if (padsize == 0) + { + gnutls_assert (); + return GNUTLS_MAC_FAILED; } - memset(ipad, 0x36, padsize); + memset (ipad, 0x36, padsize); - ret = _gnutls_hash_init(algorithm); - if (ret != GNUTLS_HASH_FAILED) { - ret->key = key; - ret->keysize = keylen; + ret = _gnutls_hash_init (algorithm); + if (ret != GNUTLS_HASH_FAILED) + { + ret->key = key; + ret->keysize = keylen; - if (keylen > 0) - _gnutls_hash(ret, key, keylen); - _gnutls_hash(ret, ipad, padsize); + if (keylen > 0) + _gnutls_hash (ret, key, keylen); + _gnutls_hash (ret, ipad, padsize); } - return ret; + return ret; } -void _gnutls_mac_deinit_ssl3(mac_hd_t handle, void *digest) +void +_gnutls_mac_deinit_ssl3 (mac_hd_t handle, void *digest) { - opaque ret[MAX_HASH_SIZE]; - mac_hd_t td; - opaque opad[48]; - int padsize; - int block; - - padsize = get_padsize(handle->algorithm); - if (padsize == 0) { - gnutls_assert(); - return; + opaque ret[MAX_HASH_SIZE]; + mac_hd_t td; + opaque opad[48]; + int padsize; + int block; + + padsize = get_padsize (handle->algorithm); + if (padsize == 0) + { + gnutls_assert (); + return; } - memset(opad, 0x5C, padsize); + memset (opad, 0x5C, padsize); - td = _gnutls_hash_init(handle->algorithm); - if (td != GNUTLS_MAC_FAILED) { - if (handle->keysize > 0) - _gnutls_hash(td, handle->key, handle->keysize); + td = _gnutls_hash_init (handle->algorithm); + if (td != GNUTLS_MAC_FAILED) + { + if (handle->keysize > 0) + _gnutls_hash (td, handle->key, handle->keysize); - _gnutls_hash(td, opad, padsize); - block = _gnutls_hmac_get_algo_len(handle->algorithm); - _gnutls_hash_deinit(handle, ret); /* get the previous hash */ - _gnutls_hash(td, ret, block); + _gnutls_hash (td, opad, padsize); + block = _gnutls_hmac_get_algo_len (handle->algorithm); + _gnutls_hash_deinit (handle, ret); /* get the previous hash */ + _gnutls_hash (td, ret, block); - _gnutls_hash_deinit(td, digest); + _gnutls_hash_deinit (td, digest); } } -void _gnutls_mac_deinit_ssl3_handshake(mac_hd_t handle, - void *digest, opaque * key, - uint32 key_size) +void +_gnutls_mac_deinit_ssl3_handshake (mac_hd_t handle, + void *digest, opaque * key, + uint32 key_size) { - opaque ret[MAX_HASH_SIZE]; - mac_hd_t td; - opaque opad[48]; - opaque ipad[48]; - int padsize; - int block; - - padsize = get_padsize(handle->algorithm); - if (padsize == 0) { - gnutls_assert(); - return; + opaque ret[MAX_HASH_SIZE]; + mac_hd_t td; + opaque opad[48]; + opaque ipad[48]; + int padsize; + int block; + + padsize = get_padsize (handle->algorithm); + if (padsize == 0) + { + gnutls_assert (); + return; } - memset(opad, 0x5C, padsize); - memset(ipad, 0x36, padsize); + memset (opad, 0x5C, padsize); + memset (ipad, 0x36, padsize); - td = _gnutls_hash_init(handle->algorithm); - if (td != GNUTLS_HASH_FAILED) { - if (key_size > 0) - _gnutls_hash(td, key, key_size); + td = _gnutls_hash_init (handle->algorithm); + if (td != GNUTLS_HASH_FAILED) + { + if (key_size > 0) + _gnutls_hash (td, key, key_size); - _gnutls_hash(td, opad, padsize); - block = _gnutls_hmac_get_algo_len(handle->algorithm); + _gnutls_hash (td, opad, padsize); + block = _gnutls_hmac_get_algo_len (handle->algorithm); - if (key_size > 0) - _gnutls_hash(handle, key, key_size); - _gnutls_hash(handle, ipad, padsize); - _gnutls_hash_deinit(handle, ret); /* get the previous hash */ + if (key_size > 0) + _gnutls_hash (handle, key, key_size); + _gnutls_hash (handle, ipad, padsize); + _gnutls_hash_deinit (handle, ret); /* get the previous hash */ - _gnutls_hash(td, ret, block); + _gnutls_hash (td, ret, block); - _gnutls_hash_deinit(td, digest); + _gnutls_hash_deinit (td, digest); } } -static int ssl3_sha(int i, opaque * secret, int secret_len, - opaque * rnd, int rnd_len, void *digest) +static int +ssl3_sha (int i, opaque * secret, int secret_len, + opaque * rnd, int rnd_len, void *digest) { - int j; - opaque text1[26]; + int j; + opaque text1[26]; - GNUTLS_HASH_HANDLE td; + GNUTLS_HASH_HANDLE td; - for (j = 0; j < i + 1; j++) { - text1[j] = 65 + i; /* A==65 */ + for (j = 0; j < i + 1; j++) + { + text1[j] = 65 + i; /* A==65 */ } - td = _gnutls_hash_init(GNUTLS_MAC_SHA1); - if (td == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + td = _gnutls_hash_init (GNUTLS_MAC_SHA1); + if (td == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - _gnutls_hash(td, text1, i + 1); - _gnutls_hash(td, secret, secret_len); - _gnutls_hash(td, rnd, rnd_len); + _gnutls_hash (td, text1, i + 1); + _gnutls_hash (td, secret, secret_len); + _gnutls_hash (td, rnd, rnd_len); - _gnutls_hash_deinit(td, digest); - return 0; + _gnutls_hash_deinit (td, digest); + return 0; } -static int ssl3_md5(int i, opaque * secret, int secret_len, - opaque * rnd, int rnd_len, void *digest) +static int +ssl3_md5 (int i, opaque * secret, int secret_len, + opaque * rnd, int rnd_len, void *digest) { - opaque tmp[MAX_HASH_SIZE]; - mac_hd_t td; - int ret; - - td = _gnutls_hash_init(GNUTLS_MAC_MD5); - if (td == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + opaque tmp[MAX_HASH_SIZE]; + mac_hd_t td; + int ret; + + td = _gnutls_hash_init (GNUTLS_MAC_MD5); + if (td == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - _gnutls_hash(td, secret, secret_len); + _gnutls_hash (td, secret, secret_len); - ret = ssl3_sha(i, secret, secret_len, rnd, rnd_len, tmp); - if (ret < 0) { - gnutls_assert(); - _gnutls_hash_deinit(td, digest); - return ret; + ret = ssl3_sha (i, secret, secret_len, rnd, rnd_len, tmp); + if (ret < 0) + { + gnutls_assert (); + _gnutls_hash_deinit (td, digest); + return ret; } - _gnutls_hash(td, tmp, _gnutls_hash_get_algo_len(GNUTLS_MAC_SHA1)); + _gnutls_hash (td, tmp, _gnutls_hash_get_algo_len (GNUTLS_MAC_SHA1)); - _gnutls_hash_deinit(td, digest); - return 0; + _gnutls_hash_deinit (td, digest); + return 0; } -int _gnutls_ssl3_hash_md5(void *first, int first_len, - void *second, int second_len, int ret_len, - opaque * ret) +int +_gnutls_ssl3_hash_md5 (void *first, int first_len, + void *second, int second_len, int ret_len, + opaque * ret) { - opaque digest[MAX_HASH_SIZE]; - mac_hd_t td; - int block = _gnutls_hash_get_algo_len(GNUTLS_MAC_MD5); - - td = _gnutls_hash_init(GNUTLS_MAC_MD5); - if (td == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + opaque digest[MAX_HASH_SIZE]; + mac_hd_t td; + int block = _gnutls_hash_get_algo_len (GNUTLS_MAC_MD5); + + td = _gnutls_hash_init (GNUTLS_MAC_MD5); + if (td == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - _gnutls_hash(td, first, first_len); - _gnutls_hash(td, second, second_len); + _gnutls_hash (td, first, first_len); + _gnutls_hash (td, second, second_len); - _gnutls_hash_deinit(td, digest); + _gnutls_hash_deinit (td, digest); - if (ret_len > block) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (ret_len > block) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - memcpy(ret, digest, ret_len); + memcpy (ret, digest, ret_len); - return 0; + return 0; } -int _gnutls_ssl3_generate_random(void *secret, int secret_len, - void *rnd, int rnd_len, - int ret_bytes, opaque * ret) +int +_gnutls_ssl3_generate_random (void *secret, int secret_len, + void *rnd, int rnd_len, + int ret_bytes, opaque * ret) { - int i = 0, copy, output_bytes; - opaque digest[MAX_HASH_SIZE]; - int block = _gnutls_hash_get_algo_len(GNUTLS_MAC_MD5); - int result, times; - - output_bytes = 0; - do { - output_bytes += block; - } while (output_bytes < ret_bytes); + int i = 0, copy, output_bytes; + opaque digest[MAX_HASH_SIZE]; + int block = _gnutls_hash_get_algo_len (GNUTLS_MAC_MD5); + int result, times; + + output_bytes = 0; + do + { + output_bytes += block; + } + while (output_bytes < ret_bytes); - times = output_bytes / block; + times = output_bytes / block; - for (i = 0; i < times; i++) { + for (i = 0; i < times; i++) + { - result = - ssl3_md5(i, secret, secret_len, rnd, rnd_len, digest); - if (result < 0) { - gnutls_assert(); - return result; + result = ssl3_md5 (i, secret, secret_len, rnd, rnd_len, digest); + if (result < 0) + { + gnutls_assert (); + return result; } - if ((1 + i) * block < ret_bytes) { - copy = block; - } else { - copy = ret_bytes - (i) * block; + if ((1 + i) * block < ret_bytes) + { + copy = block; + } + else + { + copy = ret_bytes - (i) * block; } - memcpy(&ret[i * block], digest, copy); + memcpy (&ret[i * block], digest, copy); } - return 0; + return 0; } diff --git a/lib/gnutls_hash_int.h b/lib/gnutls_hash_int.h index ea15b26323..bc9d4c11f8 100644 --- a/lib/gnutls_hash_int.h +++ b/lib/gnutls_hash_int.h @@ -29,11 +29,12 @@ /* for message digests */ -typedef struct { - gc_hash_handle handle; - gnutls_mac_algorithm_t algorithm; - const void *key; - int keysize; +typedef struct +{ + gc_hash_handle handle; + gnutls_mac_algorithm_t algorithm; + const void *key; + int keysize; } mac_hd_st; typedef mac_hd_st *mac_hd_t; typedef mac_hd_t GNUTLS_HASH_HANDLE; @@ -41,30 +42,31 @@ typedef mac_hd_t GNUTLS_HASH_HANDLE; #define GNUTLS_HASH_FAILED NULL #define GNUTLS_MAC_FAILED NULL -mac_hd_t _gnutls_hmac_init(gnutls_mac_algorithm_t algorithm, - const void *key, int keylen); +mac_hd_t _gnutls_hmac_init (gnutls_mac_algorithm_t algorithm, + const void *key, int keylen); #define _gnutls_hmac_get_algo_len _gnutls_hash_get_algo_len #define _gnutls_hmac _gnutls_hash -void _gnutls_hmac_deinit(mac_hd_t handle, void *digest); +void _gnutls_hmac_deinit (mac_hd_t handle, void *digest); -mac_hd_t _gnutls_mac_init_ssl3(gnutls_mac_algorithm_t algorithm, void *key, - int keylen); -void _gnutls_mac_deinit_ssl3(mac_hd_t handle, void *digest); +mac_hd_t _gnutls_mac_init_ssl3 (gnutls_mac_algorithm_t algorithm, void *key, + int keylen); +void _gnutls_mac_deinit_ssl3 (mac_hd_t handle, void *digest); -GNUTLS_HASH_HANDLE _gnutls_hash_init(gnutls_mac_algorithm_t algorithm); -int _gnutls_hash_get_algo_len(gnutls_mac_algorithm_t algorithm); -int _gnutls_hash(GNUTLS_HASH_HANDLE handle, const void *text, - size_t textlen); -void _gnutls_hash_deinit(GNUTLS_HASH_HANDLE handle, void *digest); +GNUTLS_HASH_HANDLE _gnutls_hash_init (gnutls_mac_algorithm_t algorithm); +int _gnutls_hash_get_algo_len (gnutls_mac_algorithm_t algorithm); +int _gnutls_hash (GNUTLS_HASH_HANDLE handle, const void *text, + size_t textlen); +void _gnutls_hash_deinit (GNUTLS_HASH_HANDLE handle, void *digest); -int _gnutls_ssl3_generate_random(void *secret, int secret_len, - void *rnd, int random_len, int bytes, opaque * ret); -int _gnutls_ssl3_hash_md5(void *first, int first_len, void *second, - int second_len, int ret_len, opaque * ret); +int _gnutls_ssl3_generate_random (void *secret, int secret_len, + void *rnd, int random_len, int bytes, + opaque * ret); +int _gnutls_ssl3_hash_md5 (void *first, int first_len, void *second, + int second_len, int ret_len, opaque * ret); -void _gnutls_mac_deinit_ssl3_handshake(mac_hd_t handle, void *digest, - opaque * key, uint32 key_size); +void _gnutls_mac_deinit_ssl3_handshake (mac_hd_t handle, void *digest, + opaque * key, uint32 key_size); -GNUTLS_HASH_HANDLE _gnutls_hash_copy(GNUTLS_HASH_HANDLE handle); +GNUTLS_HASH_HANDLE _gnutls_hash_copy (GNUTLS_HASH_HANDLE handle); -#endif /* GNUTLS_HASH_INT_H */ +#endif /* GNUTLS_HASH_INT_H */ diff --git a/lib/gnutls_helper.c b/lib/gnutls_helper.c index bdab26c870..61e907766b 100644 --- a/lib/gnutls_helper.c +++ b/lib/gnutls_helper.c @@ -24,15 +24,15 @@ #include <gnutls_int.h> -int _gnutls_file_exists(const char *file) +int +_gnutls_file_exists (const char *file) { - FILE *fd; + FILE *fd; - fd = fopen(file, "r"); - if (fd == NULL) - return -1; + fd = fopen (file, "r"); + if (fd == NULL) + return -1; - fclose(fd); - return 0; + fclose (fd); + return 0; } - diff --git a/lib/gnutls_helper.h b/lib/gnutls_helper.h index ef1156c11f..25b0626cfe 100644 --- a/lib/gnutls_helper.h +++ b/lib/gnutls_helper.h @@ -1 +1 @@ -int _gnutls_file_exists(const char *file); +int _gnutls_file_exists (const char *file); diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 1733b7d6d1..a340932f0a 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -107,19 +107,22 @@ #define HASH2MAC(x) ((gnutls_mac_algorithm_t)x) typedef unsigned char opaque; -typedef struct { - opaque pint[3]; +typedef struct +{ + opaque pint[3]; } uint24; #include <gnutls_mpi.h> -typedef enum change_cipher_spec_t { GNUTLS_TYPE_CHANGE_CIPHER_SPEC = 1 +typedef enum change_cipher_spec_t +{ GNUTLS_TYPE_CHANGE_CIPHER_SPEC = 1 } change_cipher_spec_t; -typedef enum handshake_state_t { STATE0 = 0, STATE1, STATE2, - STATE3, STATE4, STATE5, - STATE6, STATE7, STATE8, STATE9, STATE20 = 20, STATE21, - STATE30 = 30, STATE31, STATE50 = 50, STATE60 = 60, STATE61, STATE62 +typedef enum handshake_state_t +{ STATE0 = 0, STATE1, STATE2, + STATE3, STATE4, STATE5, + STATE6, STATE7, STATE8, STATE9, STATE20 = 20, STATE21, + STATE30 = 30, STATE31, STATE50 = 50, STATE60 = 60, STATE61, STATE62 } handshake_state_t; #include <gnutls_buffer.h> @@ -131,22 +134,27 @@ typedef enum handshake_state_t { STATE0 = 0, STATE1, STATE2, #define MAX_CIPHERSUITES 256 -typedef enum extensions_t { GNUTLS_EXTENSION_SERVER_NAME = 0, - GNUTLS_EXTENSION_MAX_RECORD_SIZE = 1, GNUTLS_EXTENSION_SRP = 6, - GNUTLS_EXTENSION_CERT_TYPE = 7 +typedef enum extensions_t +{ GNUTLS_EXTENSION_SERVER_NAME = 0, + GNUTLS_EXTENSION_MAX_RECORD_SIZE = 1, GNUTLS_EXTENSION_SRP = 6, + GNUTLS_EXTENSION_CERT_TYPE = 7 } extensions_t; -typedef enum { CIPHER_STREAM, CIPHER_BLOCK } cipher_type_t; +typedef enum +{ CIPHER_STREAM, CIPHER_BLOCK } cipher_type_t; -typedef enum valid_session_t { VALID_TRUE, VALID_FALSE } valid_session_t; -typedef enum resumable_session_t { RESUME_TRUE, - RESUME_FALSE +typedef enum valid_session_t +{ VALID_TRUE, VALID_FALSE } valid_session_t; +typedef enum resumable_session_t +{ RESUME_TRUE, + RESUME_FALSE } resumable_session_t; /* Record Protocol */ -typedef enum content_type_t { - GNUTLS_CHANGE_CIPHER_SPEC = 20, GNUTLS_ALERT, - GNUTLS_HANDSHAKE, GNUTLS_APPLICATION_DATA +typedef enum content_type_t +{ + GNUTLS_CHANGE_CIPHER_SPEC = 20, GNUTLS_ALERT, + GNUTLS_HANDSHAKE, GNUTLS_APPLICATION_DATA } content_type_t; #define GNUTLS_PK_ANY (gnutls_pk_algorithm_t)-1 @@ -160,58 +168,60 @@ typedef void (*LOG_FUNC) (int, const char *); /* Store & Retrieve functions defines: */ -typedef struct auth_cred_st { - gnutls_credentials_type_t algorithm; +typedef struct auth_cred_st +{ + gnutls_credentials_type_t algorithm; - /* the type of credentials depends on algorithm - */ - void *credentials; - struct auth_cred_st *next; + /* the type of credentials depends on algorithm + */ + void *credentials; + struct auth_cred_st *next; } auth_cred_st; -struct gnutls_key_st { - /* For DH KX */ - gnutls_datum_t key; - mpi_t KEY; - mpi_t client_Y; - mpi_t client_g; - mpi_t client_p; - mpi_t dh_secret; - /* for SRP */ - mpi_t A; - mpi_t B; - mpi_t u; - mpi_t b; - mpi_t a; - mpi_t x; - /* RSA: e, m - */ - mpi_t rsa[2]; - - /* this is used to hold the peers authentication data - */ - /* auth_info_t structures SHOULD NOT contain malloced - * elements. Check gnutls_session_pack.c, and gnutls_auth.c. - * Rememember that this should be calloced! - */ - void *auth_info; - gnutls_credentials_type_t auth_info_type; - int auth_info_size; /* needed in order to store to db for restoring +struct gnutls_key_st +{ + /* For DH KX */ + gnutls_datum_t key; + mpi_t KEY; + mpi_t client_Y; + mpi_t client_g; + mpi_t client_p; + mpi_t dh_secret; + /* for SRP */ + mpi_t A; + mpi_t B; + mpi_t u; + mpi_t b; + mpi_t a; + mpi_t x; + /* RSA: e, m + */ + mpi_t rsa[2]; + + /* this is used to hold the peers authentication data + */ + /* auth_info_t structures SHOULD NOT contain malloced + * elements. Check gnutls_session_pack.c, and gnutls_auth.c. + * Rememember that this should be calloced! + */ + void *auth_info; + gnutls_credentials_type_t auth_info_type; + int auth_info_size; /* needed in order to store to db for restoring */ - uint8 crypt_algo; - - auth_cred_st *cred; /* used to specify keys/certificates etc */ - - int certificate_requested; - /* some ciphersuites use this - * to provide client authentication. - * 1 if client auth was requested - * by the peer, 0 otherwise - *** In case of a server this - * holds 1 if we should wait - * for a client certificate verify - */ + uint8 crypt_algo; + + auth_cred_st *cred; /* used to specify keys/certificates etc */ + + int certificate_requested; + /* some ciphersuites use this + * to provide client authentication. + * 1 if client auth was requested + * by the peer, 0 otherwise + *** In case of a server this + * holds 1 if we should wait + * for a client certificate verify + */ }; typedef struct gnutls_key_st *gnutls_key_st; @@ -223,8 +233,9 @@ typedef struct gnutls_key_st *gnutls_key_st; #include <gnutls_compress_int.h> #include <gnutls_cert.h> -typedef struct { - uint8 suite[2]; +typedef struct +{ + uint8 suite[2]; } cipher_suite_st; /* This structure holds parameters got from TLS extension @@ -232,19 +243,21 @@ typedef struct { * structures also - see SRP). */ -typedef struct { - opaque name[MAX_SERVER_NAME_SIZE]; - uint name_length; - gnutls_server_name_type_t type; +typedef struct +{ + opaque name[MAX_SERVER_NAME_SIZE]; + uint name_length; + gnutls_server_name_type_t type; } server_name_st; #define MAX_SERVER_NAME_EXTENSIONS 3 -typedef struct { - server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS]; - /* limit server_name extensions */ - uint server_names_size; - opaque srp_username[MAX_SRP_USERNAME+1]; +typedef struct +{ + server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS]; + /* limit server_name extensions */ + uint server_names_size; + opaque srp_username[MAX_SRP_USERNAME + 1]; } tls_ext_st; /* auth_info_t structures now MAY contain malloced @@ -265,330 +278,339 @@ typedef struct { * handshake has finished. The only value you may depend on while * the handshake is in progress is the cipher suite value. */ -typedef struct { - gnutls_connection_end_t entity; - gnutls_kx_algorithm_t kx_algorithm; - /* we've got separate write/read bulk/macs because - * there is a time in handshake where the peer has - * null cipher and we don't - */ - /* FIXME: remove the read and write stuff... keep only one version */ - gnutls_cipher_algorithm_t read_bulk_cipher_algorithm; - gnutls_mac_algorithm_t read_mac_algorithm; - gnutls_compression_method_t read_compression_algorithm; - - gnutls_cipher_algorithm_t write_bulk_cipher_algorithm; - gnutls_mac_algorithm_t write_mac_algorithm; - gnutls_compression_method_t write_compression_algorithm; - - /* this is the ciphersuite we are going to use - * moved here from internals in order to be restored - * on resume; - */ - cipher_suite_st current_cipher_suite; - opaque master_secret[TLS_MASTER_SIZE]; - opaque client_random[TLS_RANDOM_SIZE]; - opaque server_random[TLS_RANDOM_SIZE]; - opaque session_id[TLS_MAX_SESSION_ID_SIZE]; - uint8 session_id_size; - time_t timestamp; - tls_ext_st extensions; - - /* The send size is the one requested by the programmer. - * The recv size is the one negotiated with the peer. - */ - uint16 max_record_send_size; - uint16 max_record_recv_size; - /* holds the negotiated certificate type */ - gnutls_certificate_type_t cert_type; - gnutls_protocol_t version; /* moved here */ +typedef struct +{ + gnutls_connection_end_t entity; + gnutls_kx_algorithm_t kx_algorithm; + /* we've got separate write/read bulk/macs because + * there is a time in handshake where the peer has + * null cipher and we don't + */ + /* FIXME: remove the read and write stuff... keep only one version */ + gnutls_cipher_algorithm_t read_bulk_cipher_algorithm; + gnutls_mac_algorithm_t read_mac_algorithm; + gnutls_compression_method_t read_compression_algorithm; + + gnutls_cipher_algorithm_t write_bulk_cipher_algorithm; + gnutls_mac_algorithm_t write_mac_algorithm; + gnutls_compression_method_t write_compression_algorithm; + + /* this is the ciphersuite we are going to use + * moved here from internals in order to be restored + * on resume; + */ + cipher_suite_st current_cipher_suite; + opaque master_secret[TLS_MASTER_SIZE]; + opaque client_random[TLS_RANDOM_SIZE]; + opaque server_random[TLS_RANDOM_SIZE]; + opaque session_id[TLS_MAX_SESSION_ID_SIZE]; + uint8 session_id_size; + time_t timestamp; + tls_ext_st extensions; + + /* The send size is the one requested by the programmer. + * The recv size is the one negotiated with the peer. + */ + uint16 max_record_send_size; + uint16 max_record_recv_size; + /* holds the negotiated certificate type */ + gnutls_certificate_type_t cert_type; + gnutls_protocol_t version; /* moved here */ } security_parameters_st; /* This structure holds the generated keys */ -typedef struct { - gnutls_datum_t server_write_mac_secret; - gnutls_datum_t client_write_mac_secret; - gnutls_datum_t server_write_IV; - gnutls_datum_t client_write_IV; - gnutls_datum_t server_write_key; - gnutls_datum_t client_write_key; - int generated_keys; /* zero if keys have not +typedef struct +{ + gnutls_datum_t server_write_mac_secret; + gnutls_datum_t client_write_mac_secret; + gnutls_datum_t server_write_IV; + gnutls_datum_t client_write_IV; + gnutls_datum_t server_write_key; + gnutls_datum_t client_write_key; + int generated_keys; /* zero if keys have not * been generated. Non zero * otherwise. */ } cipher_specs_st; -typedef struct { - cipher_hd_t write_cipher_state; - cipher_hd_t read_cipher_state; - comp_hd_t read_compression_state; - comp_hd_t write_compression_state; - gnutls_datum_t read_mac_secret; - gnutls_datum_t write_mac_secret; - uint64 read_sequence_number; - uint64 write_sequence_number; +typedef struct +{ + cipher_hd_t write_cipher_state; + cipher_hd_t read_cipher_state; + comp_hd_t read_compression_state; + comp_hd_t write_compression_state; + gnutls_datum_t read_mac_secret; + gnutls_datum_t write_mac_secret; + uint64 read_sequence_number; + uint64 write_sequence_number; } conn_stat_st; -typedef struct { - unsigned int priority[MAX_ALGOS]; - unsigned int algorithms; +typedef struct +{ + unsigned int priority[MAX_ALGOS]; + unsigned int algorithms; } priority_st; /* DH and RSA parameters types. */ -typedef struct gnutls_dh_params_int { - /* [0] is the prime, [1] is the generator. - */ - mpi_t params[2]; +typedef struct gnutls_dh_params_int +{ + /* [0] is the prime, [1] is the generator. + */ + mpi_t params[2]; } dh_params_st; -typedef struct { - gnutls_dh_params_t anon_dh_params; - int free_anon_dh_params; - gnutls_dh_params_t cert_dh_params; - int free_cert_dh_params; - gnutls_rsa_params_t rsa_params; - int free_rsa_params; +typedef struct +{ + gnutls_dh_params_t anon_dh_params; + int free_anon_dh_params; + gnutls_dh_params_t cert_dh_params; + int free_cert_dh_params; + gnutls_rsa_params_t rsa_params; + int free_rsa_params; } internal_params_st; -typedef struct { - opaque header[HANDSHAKE_HEADER_SIZE]; - /* this holds the number of bytes in the handshake_header[] */ - size_t header_size; - /* this holds the length of the handshake packet */ - size_t packet_length; - gnutls_handshake_description_t recv_type; +typedef struct +{ + opaque header[HANDSHAKE_HEADER_SIZE]; + /* this holds the number of bytes in the handshake_header[] */ + size_t header_size; + /* this holds the length of the handshake packet */ + size_t packet_length; + gnutls_handshake_description_t recv_type; } handshake_header_buffer_st; -typedef struct { - gnutls_buffer application_data_buffer; /* holds data to be delivered to application layer */ - gnutls_buffer handshake_hash_buffer; /* used to keep the last received handshake - * message */ - mac_hd_t handshake_mac_handle_sha; /* hash of the handshake messages */ - mac_hd_t handshake_mac_handle_md5; /* hash of the handshake messages */ - - gnutls_buffer handshake_data_buffer; /* this is a buffer that holds the current handshake message */ - resumable_session_t resumable; /* TRUE or FALSE - if we can resume that session */ - handshake_state_t handshake_state; /* holds +typedef struct +{ + gnutls_buffer application_data_buffer; /* holds data to be delivered to application layer */ + gnutls_buffer handshake_hash_buffer; /* used to keep the last received handshake + * message */ + mac_hd_t handshake_mac_handle_sha; /* hash of the handshake messages */ + mac_hd_t handshake_mac_handle_md5; /* hash of the handshake messages */ + + gnutls_buffer handshake_data_buffer; /* this is a buffer that holds the current handshake message */ + resumable_session_t resumable; /* TRUE or FALSE - if we can resume that session */ + handshake_state_t handshake_state; /* holds * a number which indicates where * the handshake procedure has been * interrupted. If it is 0 then * no interruption has happened. */ - valid_session_t valid_connection; /* true or FALSE - if this session is valid */ + valid_session_t valid_connection; /* true or FALSE - if this session is valid */ - int may_not_read; /* if it's 0 then we can read/write, otherwise it's forbiden to read/write + int may_not_read; /* if it's 0 then we can read/write, otherwise it's forbiden to read/write */ - int may_not_write; - int read_eof; /* non-zero if we have received a closure alert. */ - - int last_alert; /* last alert received */ - - /* The last handshake messages sent or received. - */ - int last_handshake_in; - int last_handshake_out; - - /* this is the compression method we are going to use */ - gnutls_compression_method_t compression_method; - /* priorities */ - priority_st cipher_algorithm_priority; - priority_st mac_algorithm_priority; - priority_st kx_algorithm_priority; - priority_st compression_method_priority; - priority_st protocol_priority; - priority_st cert_type_priority; - - /* resumed session */ - resumable_session_t resumed; /* RESUME_TRUE or FALSE - if we are resuming a session */ - security_parameters_st resumed_security_parameters; - - /* sockets internals */ - int lowat; - - /* These buffers are used in the handshake - * protocol only. freed using _gnutls_handshake_io_buffer_clear(); - */ - gnutls_buffer handshake_send_buffer; - size_t handshake_send_buffer_prev_size; - content_type_t handshake_send_buffer_type; - gnutls_handshake_description_t handshake_send_buffer_htype; - content_type_t handshake_recv_buffer_type; - gnutls_handshake_description_t handshake_recv_buffer_htype; - gnutls_buffer handshake_recv_buffer; - - /* this buffer holds a record packet -mostly used for - * non blocking IO. - */ - gnutls_buffer record_recv_buffer; - gnutls_buffer record_send_buffer; /* holds cached data + int may_not_write; + int read_eof; /* non-zero if we have received a closure alert. */ + + int last_alert; /* last alert received */ + + /* The last handshake messages sent or received. + */ + int last_handshake_in; + int last_handshake_out; + + /* this is the compression method we are going to use */ + gnutls_compression_method_t compression_method; + /* priorities */ + priority_st cipher_algorithm_priority; + priority_st mac_algorithm_priority; + priority_st kx_algorithm_priority; + priority_st compression_method_priority; + priority_st protocol_priority; + priority_st cert_type_priority; + + /* resumed session */ + resumable_session_t resumed; /* RESUME_TRUE or FALSE - if we are resuming a session */ + security_parameters_st resumed_security_parameters; + + /* sockets internals */ + int lowat; + + /* These buffers are used in the handshake + * protocol only. freed using _gnutls_handshake_io_buffer_clear(); + */ + gnutls_buffer handshake_send_buffer; + size_t handshake_send_buffer_prev_size; + content_type_t handshake_send_buffer_type; + gnutls_handshake_description_t handshake_send_buffer_htype; + content_type_t handshake_recv_buffer_type; + gnutls_handshake_description_t handshake_recv_buffer_htype; + gnutls_buffer handshake_recv_buffer; + + /* this buffer holds a record packet -mostly used for + * non blocking IO. + */ + gnutls_buffer record_recv_buffer; + gnutls_buffer record_send_buffer; /* holds cached data * for the gnutls_io_write_buffered() * function. */ - size_t record_send_buffer_prev_size; /* holds the - * data written in the previous runs. - */ - size_t record_send_buffer_user_size; /* holds the - * size of the user specified data to - * send. - */ - - /* 0 if no peeked data was kept, 1 otherwise. - */ - int have_peeked_data; - - int expire_time; /* after expire_time seconds this session will expire */ - struct mod_auth_st_int *auth_struct; /* used in handshake packets and KX algorithms */ - int v2_hello; /* 0 if the client hello is v3+. + size_t record_send_buffer_prev_size; /* holds the + * data written in the previous runs. + */ + size_t record_send_buffer_user_size; /* holds the + * size of the user specified data to + * send. + */ + + /* 0 if no peeked data was kept, 1 otherwise. + */ + int have_peeked_data; + + int expire_time; /* after expire_time seconds this session will expire */ + struct mod_auth_st_int *auth_struct; /* used in handshake packets and KX algorithms */ + int v2_hello; /* 0 if the client hello is v3+. * non-zero if we got a v2 hello. */ - /* keeps the headers of the handshake packet - */ - handshake_header_buffer_st handshake_header_buffer; - - /* this is the highest version available - * to the peer. (advertized version). - * This is obtained by the Handshake Client Hello - * message. (some implementations read the Record version) - */ - uint8 adv_version_major; - uint8 adv_version_minor; - - /* if this is non zero a certificate request message - * will be sent to the client. - only if the ciphersuite - * supports it. - */ - int send_cert_req; - - /* bits to use for DHE and DHA - * use _gnutls_dh_get_prime_bits() and gnutls_dh_set_prime_bits() - * to access it. - */ - uint16 dh_prime_bits; - - size_t max_handshake_data_buffer_size; - - /* PUSH & PULL functions. - */ - gnutls_pull_func _gnutls_pull_func; - gnutls_push_func _gnutls_push_func; - /* Holds the first argument of PUSH and PULL - * functions; - */ - gnutls_transport_ptr_t transport_recv_ptr; - gnutls_transport_ptr_t transport_send_ptr; - - /* STORE & RETRIEVE functions. Only used if other - * backend than gdbm is used. - */ - gnutls_db_store_func db_store_func; - gnutls_db_retr_func db_retrieve_func; - gnutls_db_remove_func db_remove_func; - void *db_ptr; - - /* Holds the record size requested by the - * user. - */ - uint16 proposed_record_size; - - /* holds the selected certificate and key. - * use _gnutls_selected_certs_deinit() and _gnutls_selected_certs_set() - * to change them. - */ - gnutls_cert *selected_cert_list; - int selected_cert_list_length; - gnutls_privkey *selected_key; - int selected_need_free; - - /* holds the extensions we sent to the peer - * (in case of a client) - */ - uint16 extensions_sent[MAX_EXT_TYPES]; - uint16 extensions_sent_size; - - /* is 0 if we are to send the whole PGP key, or non zero - * if the fingerprint is to be sent. - */ - int pgp_fingerprint; - - /* This holds the default version that our first - * record packet will have. */ - opaque default_record_version[2]; - - int cbc_protection_hack; - - void *user_ptr; - - int enable_private; /* non zero to + /* keeps the headers of the handshake packet + */ + handshake_header_buffer_st handshake_header_buffer; + + /* this is the highest version available + * to the peer. (advertized version). + * This is obtained by the Handshake Client Hello + * message. (some implementations read the Record version) + */ + uint8 adv_version_major; + uint8 adv_version_minor; + + /* if this is non zero a certificate request message + * will be sent to the client. - only if the ciphersuite + * supports it. + */ + int send_cert_req; + + /* bits to use for DHE and DHA + * use _gnutls_dh_get_prime_bits() and gnutls_dh_set_prime_bits() + * to access it. + */ + uint16 dh_prime_bits; + + size_t max_handshake_data_buffer_size; + + /* PUSH & PULL functions. + */ + gnutls_pull_func _gnutls_pull_func; + gnutls_push_func _gnutls_push_func; + /* Holds the first argument of PUSH and PULL + * functions; + */ + gnutls_transport_ptr_t transport_recv_ptr; + gnutls_transport_ptr_t transport_send_ptr; + + /* STORE & RETRIEVE functions. Only used if other + * backend than gdbm is used. + */ + gnutls_db_store_func db_store_func; + gnutls_db_retr_func db_retrieve_func; + gnutls_db_remove_func db_remove_func; + void *db_ptr; + + /* Holds the record size requested by the + * user. + */ + uint16 proposed_record_size; + + /* holds the selected certificate and key. + * use _gnutls_selected_certs_deinit() and _gnutls_selected_certs_set() + * to change them. + */ + gnutls_cert *selected_cert_list; + int selected_cert_list_length; + gnutls_privkey *selected_key; + int selected_need_free; + + /* holds the extensions we sent to the peer + * (in case of a client) + */ + uint16 extensions_sent[MAX_EXT_TYPES]; + uint16 extensions_sent_size; + + /* is 0 if we are to send the whole PGP key, or non zero + * if the fingerprint is to be sent. + */ + int pgp_fingerprint; + + /* This holds the default version that our first + * record packet will have. */ + opaque default_record_version[2]; + + int cbc_protection_hack; + + void *user_ptr; + + int enable_private; /* non zero to * enable cipher suites * which have 0xFF status. */ - /* Holds 0 if the last called function was interrupted while - * receiving, and non zero otherwise. - */ - int direction; - - /* This callback will be used (if set) to receive an - * openpgp key. (if the peer sends a fingerprint) - */ - gnutls_openpgp_recv_key_func openpgp_recv_key_func; - - /* If non zero the server will not advertize the CA's he - * trusts (do not send an RDN sequence). - */ - int ignore_rdn_sequence; - - /* This is used to set an arbitary version in the RSA - * PMS secret. Can be used by clients to test whether the - * server checks that version. (** only used in gnutls-cli-debug) - */ - opaque rsa_pms_version[2]; - - char *srp_username; - char *srp_password; - - /* This is only set in SRP, when the handshake is - * restarted if an username is not found. - */ - int handshake_restarted; - - /* Here we cache the DH or RSA parameters got from the - * credentials structure, or from a callback. That is to - * minimize external calls. - */ - internal_params_st params; - - /* This buffer is used by the record recv functions, - * as a temporary store buffer. - */ - gnutls_datum_t recv_buffer; - - /* If you add anything here, check _gnutls_handshake_internal_state_clear(). - */ + /* Holds 0 if the last called function was interrupted while + * receiving, and non zero otherwise. + */ + int direction; + + /* This callback will be used (if set) to receive an + * openpgp key. (if the peer sends a fingerprint) + */ + gnutls_openpgp_recv_key_func openpgp_recv_key_func; + + /* If non zero the server will not advertize the CA's he + * trusts (do not send an RDN sequence). + */ + int ignore_rdn_sequence; + + /* This is used to set an arbitary version in the RSA + * PMS secret. Can be used by clients to test whether the + * server checks that version. (** only used in gnutls-cli-debug) + */ + opaque rsa_pms_version[2]; + + char *srp_username; + char *srp_password; + + /* This is only set in SRP, when the handshake is + * restarted if an username is not found. + */ + int handshake_restarted; + + /* Here we cache the DH or RSA parameters got from the + * credentials structure, or from a callback. That is to + * minimize external calls. + */ + internal_params_st params; + + /* This buffer is used by the record recv functions, + * as a temporary store buffer. + */ + gnutls_datum_t recv_buffer; + + /* If you add anything here, check _gnutls_handshake_internal_state_clear(). + */ } internals_st; -struct gnutls_session_int { - security_parameters_st security_parameters; - cipher_specs_st cipher_specs; - conn_stat_st connection_state; - internals_st internals; - gnutls_key_st key; +struct gnutls_session_int +{ + security_parameters_st security_parameters; + cipher_specs_st cipher_specs; + conn_stat_st connection_state; + internals_st internals; + gnutls_key_st key; }; /* functions */ -void _gnutls_set_current_version(gnutls_session_t session, - gnutls_protocol_t version); -void _gnutls_free_auth_info(gnutls_session_t session); +void _gnutls_set_current_version (gnutls_session_t session, + gnutls_protocol_t version); +void _gnutls_free_auth_info (gnutls_session_t session); /* These two macros return the advertized TLS version of * the peer. @@ -603,7 +625,7 @@ void _gnutls_free_auth_info(gnutls_session_t session); session->internals.adv_version_major = major; \ session->internals.adv_version_minor = minor -void _gnutls_set_adv_version(gnutls_session_t, gnutls_protocol_t); -gnutls_protocol_t _gnutls_get_adv_version(gnutls_session_t); +void _gnutls_set_adv_version (gnutls_session_t, gnutls_protocol_t); +gnutls_protocol_t _gnutls_get_adv_version (gnutls_session_t); -#endif /* GNUTLS_INT_H */ +#endif /* GNUTLS_INT_H */ diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c index 241c508045..728e407e11 100644 --- a/lib/gnutls_kx.c +++ b/lib/gnutls_kx.c @@ -42,68 +42,71 @@ */ #define MASTER_SECRET "master secret" -static int generate_normal_master(gnutls_session_t session, int); +static int generate_normal_master (gnutls_session_t session, int); -int _gnutls_generate_master(gnutls_session_t session, int keep_premaster) +int +_gnutls_generate_master (gnutls_session_t session, int keep_premaster) { - if (session->internals.resumed == RESUME_FALSE) - return generate_normal_master(session, keep_premaster); - return 0; + if (session->internals.resumed == RESUME_FALSE) + return generate_normal_master (session, keep_premaster); + return 0; } /* here we generate the TLS Master secret. */ #define PREMASTER session->key->key -static int generate_normal_master(gnutls_session_t session, - int keep_premaster) +static int +generate_normal_master (gnutls_session_t session, int keep_premaster) { - int ret = 0; - opaque rnd[2 * TLS_RANDOM_SIZE + 1]; - char buf[64]; - - memcpy(rnd, session->security_parameters.client_random, - TLS_RANDOM_SIZE); - memcpy(&rnd[TLS_RANDOM_SIZE], - session->security_parameters.server_random, TLS_RANDOM_SIZE); - - _gnutls_hard_log("INT: PREMASTER SECRET[%d]: %s\n", PREMASTER.size, - _gnutls_bin2hex(PREMASTER.data, PREMASTER.size, buf, - sizeof(buf))); - _gnutls_hard_log("INT: CLIENT RANDOM[%d]: %s\n", 32, - _gnutls_bin2hex(session->security_parameters. - client_random, 32, buf, sizeof(buf))); - _gnutls_hard_log("INT: SERVER RANDOM[%d]: %s\n", 32, - _gnutls_bin2hex(session->security_parameters. - server_random, 32, buf, sizeof(buf))); - - if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { - ret = - _gnutls_ssl3_generate_random(PREMASTER.data, PREMASTER.size, - rnd, 2 * TLS_RANDOM_SIZE, - TLS_MASTER_SIZE, - session->security_parameters. - master_secret); - - } else { - ret = - _gnutls_PRF(PREMASTER.data, PREMASTER.size, - MASTER_SECRET, strlen(MASTER_SECRET), - rnd, 2 * TLS_RANDOM_SIZE, TLS_MASTER_SIZE, - session->security_parameters.master_secret); + int ret = 0; + opaque rnd[2 * TLS_RANDOM_SIZE + 1]; + char buf[64]; + + memcpy (rnd, session->security_parameters.client_random, TLS_RANDOM_SIZE); + memcpy (&rnd[TLS_RANDOM_SIZE], + session->security_parameters.server_random, TLS_RANDOM_SIZE); + + _gnutls_hard_log ("INT: PREMASTER SECRET[%d]: %s\n", PREMASTER.size, + _gnutls_bin2hex (PREMASTER.data, PREMASTER.size, buf, + sizeof (buf))); + _gnutls_hard_log ("INT: CLIENT RANDOM[%d]: %s\n", 32, + _gnutls_bin2hex (session->security_parameters. + client_random, 32, buf, sizeof (buf))); + _gnutls_hard_log ("INT: SERVER RANDOM[%d]: %s\n", 32, + _gnutls_bin2hex (session->security_parameters. + server_random, 32, buf, sizeof (buf))); + + if (gnutls_protocol_get_version (session) == GNUTLS_SSL3) + { + ret = + _gnutls_ssl3_generate_random (PREMASTER.data, PREMASTER.size, + rnd, 2 * TLS_RANDOM_SIZE, + TLS_MASTER_SIZE, + session->security_parameters. + master_secret); + + } + else + { + ret = + _gnutls_PRF (PREMASTER.data, PREMASTER.size, + MASTER_SECRET, strlen (MASTER_SECRET), + rnd, 2 * TLS_RANDOM_SIZE, TLS_MASTER_SIZE, + session->security_parameters.master_secret); } - if (!keep_premaster) - _gnutls_free_datum(&PREMASTER); + if (!keep_premaster) + _gnutls_free_datum (&PREMASTER); - if (ret < 0) - return ret; + if (ret < 0) + return ret; - _gnutls_hard_log("INT: MASTER SECRET: %s\n", - _gnutls_bin2hex(session->security_parameters. + _gnutls_hard_log ("INT: MASTER SECRET: %s\n", + _gnutls_bin2hex (session->security_parameters. master_secret, TLS_MASTER_SIZE, buf, - sizeof(buf))); + sizeof (buf))); - return ret; + return ret; } @@ -111,545 +114,594 @@ static int generate_normal_master(gnutls_session_t session, * server. It does nothing if this type of message is not required * by the selected ciphersuite. */ -int _gnutls_send_server_kx_message(gnutls_session_t session, int again) +int +_gnutls_send_server_kx_message (gnutls_session_t session, int again) { - uint8 *data = NULL; - int data_size = 0; - int ret = 0; + uint8 *data = NULL; + int data_size = 0; + int ret = 0; - if (session->internals.auth_struct->gnutls_generate_server_kx == NULL) - return 0; + if (session->internals.auth_struct->gnutls_generate_server_kx == NULL) + return 0; - data = NULL; - data_size = 0; + data = NULL; + data_size = 0; - if (again == 0) { - data_size = - session->internals.auth_struct-> - gnutls_generate_server_kx(session, &data); + if (again == 0) + { + data_size = + session->internals.auth_struct-> + gnutls_generate_server_kx (session, &data); - if (data_size == GNUTLS_E_INT_RET_0) { - gnutls_assert(); - return 0; + if (data_size == GNUTLS_E_INT_RET_0) + { + gnutls_assert (); + return 0; } - if (data_size < 0) { - gnutls_assert(); - return data_size; + if (data_size < 0) + { + gnutls_assert (); + return data_size; } } - ret = - _gnutls_send_handshake(session, data, data_size, - GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE); - gnutls_free(data); + ret = + _gnutls_send_handshake (session, data, data_size, + GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE); + gnutls_free (data); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - return data_size; + return data_size; } /* This function sends a certificate request message to the * client. */ -int _gnutls_send_server_certificate_request(gnutls_session_t session, - int again) +int +_gnutls_send_server_certificate_request (gnutls_session_t session, int again) { - uint8 *data = NULL; - int data_size = 0; - int ret = 0; + uint8 *data = NULL; + int data_size = 0; + int ret = 0; - if (session->internals.auth_struct-> - gnutls_generate_server_certificate_request == NULL) - return 0; + if (session->internals.auth_struct-> + gnutls_generate_server_certificate_request == NULL) + return 0; - if (session->internals.send_cert_req <= 0) - return 0; + if (session->internals.send_cert_req <= 0) + return 0; - data = NULL; - data_size = 0; + data = NULL; + data_size = 0; - if (again == 0) { - data_size = - session->internals.auth_struct-> - gnutls_generate_server_certificate_request(session, &data); + if (again == 0) + { + data_size = + session->internals.auth_struct-> + gnutls_generate_server_certificate_request (session, &data); - if (data_size < 0) { - gnutls_assert(); - return data_size; + if (data_size < 0) + { + gnutls_assert (); + return data_size; } } - ret = - _gnutls_send_handshake(session, data, data_size, - GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST); - gnutls_free(data); - - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + _gnutls_send_handshake (session, data, data_size, + GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST); + gnutls_free (data); + + if (ret < 0) + { + gnutls_assert (); + return ret; } - return data_size; + return data_size; } /* This is the function for the client to send the key * exchange message */ -int _gnutls_send_client_kx_message(gnutls_session_t session, int again) +int +_gnutls_send_client_kx_message (gnutls_session_t session, int again) { - uint8 *data; - int data_size; - int ret = 0; + uint8 *data; + int data_size; + int ret = 0; - if (session->internals.auth_struct->gnutls_generate_client_kx == NULL) - return 0; + if (session->internals.auth_struct->gnutls_generate_client_kx == NULL) + return 0; - data = NULL; - data_size = 0; + data = NULL; + data_size = 0; - if (again == 0) { - data_size = - session->internals.auth_struct-> - gnutls_generate_client_kx(session, &data); - if (data_size < 0) { - gnutls_assert(); - return data_size; + if (again == 0) + { + data_size = + session->internals.auth_struct-> + gnutls_generate_client_kx (session, &data); + if (data_size < 0) + { + gnutls_assert (); + return data_size; } } - ret = - _gnutls_send_handshake(session, data, data_size, - GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE); - gnutls_free(data); - - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + _gnutls_send_handshake (session, data, data_size, + GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE); + gnutls_free (data); + + if (ret < 0) + { + gnutls_assert (); + return ret; } - return ret; + return ret; } /* This is the function for the client to send the certificate * verify message */ -int _gnutls_send_client_certificate_verify(gnutls_session_t session, - int again) +int +_gnutls_send_client_certificate_verify (gnutls_session_t session, int again) { - uint8 *data; - int ret = 0; - int data_size; + uint8 *data; + int ret = 0; + int data_size; - /* This is a packet that is only sent by the client - */ - if (session->security_parameters.entity == GNUTLS_SERVER) - return 0; + /* This is a packet that is only sent by the client + */ + if (session->security_parameters.entity == GNUTLS_SERVER) + return 0; - /* if certificate verify is not needed just exit - */ - if (session->key->certificate_requested == 0) - return 0; + /* if certificate verify is not needed just exit + */ + if (session->key->certificate_requested == 0) + return 0; - if (session->internals.auth_struct->gnutls_generate_client_cert_vrfy == - NULL) { - gnutls_assert(); - return 0; /* this algorithm does not support cli_cert_vrfy + if (session->internals.auth_struct->gnutls_generate_client_cert_vrfy == + NULL) + { + gnutls_assert (); + return 0; /* this algorithm does not support cli_cert_vrfy */ } - data = NULL; - data_size = 0; - - if (again == 0) { - data_size = - session->internals.auth_struct-> - gnutls_generate_client_cert_vrfy(session, &data); - if (data_size < 0) { - gnutls_assert(); - return data_size; + data = NULL; + data_size = 0; + + if (again == 0) + { + data_size = + session->internals.auth_struct-> + gnutls_generate_client_cert_vrfy (session, &data); + if (data_size < 0) + { + gnutls_assert (); + return data_size; } - if (data_size == 0) - return 0; + if (data_size == 0) + return 0; } - ret = - _gnutls_send_handshake(session, data, - data_size, GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY); - gnutls_free(data); + ret = + _gnutls_send_handshake (session, data, + data_size, GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY); + gnutls_free (data); - return ret; + return ret; } -int _gnutls_recv_server_kx_message(gnutls_session_t session) +int +_gnutls_recv_server_kx_message (gnutls_session_t session) { - uint8 *data = NULL; - int datasize; - int ret = 0; - - if (session->internals.auth_struct->gnutls_process_server_kx != NULL) { - - /* EXCEPTION FOR RSA_EXPORT cipher suite - */ - if (_gnutls_session_is_export(session) != 0 && - _gnutls_peers_cert_less_512(session) != 0) { - gnutls_assert(); - return 0; + uint8 *data = NULL; + int datasize; + int ret = 0; + + if (session->internals.auth_struct->gnutls_process_server_kx != NULL) + { + + /* EXCEPTION FOR RSA_EXPORT cipher suite + */ + if (_gnutls_session_is_export (session) != 0 && + _gnutls_peers_cert_less_512 (session) != 0) + { + gnutls_assert (); + return 0; } - ret = - _gnutls_recv_handshake(session, &data, - &datasize, - GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE, - MANDATORY_PACKET); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + _gnutls_recv_handshake (session, &data, + &datasize, + GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE, + MANDATORY_PACKET); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = - session->internals.auth_struct-> - gnutls_process_server_kx(session, data, datasize); - gnutls_free(data); + ret = + session->internals.auth_struct-> + gnutls_process_server_kx (session, data, datasize); + gnutls_free (data); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } } - return ret; + return ret; } -int _gnutls_recv_server_certificate_request(gnutls_session_t session) +int +_gnutls_recv_server_certificate_request (gnutls_session_t session) { - uint8 *data; - int datasize; - int ret = 0; - - if (session->internals.auth_struct-> - gnutls_process_server_certificate_request != NULL) { - - ret = - _gnutls_recv_handshake(session, &data, - &datasize, - GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST, - OPTIONAL_PACKET); - if (ret < 0) - return ret; + uint8 *data; + int datasize; + int ret = 0; + + if (session->internals.auth_struct-> + gnutls_process_server_certificate_request != NULL) + { + + ret = + _gnutls_recv_handshake (session, &data, + &datasize, + GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST, + OPTIONAL_PACKET); + if (ret < 0) + return ret; - if (ret == 0 && datasize == 0) - return 0; /* ignored */ + if (ret == 0 && datasize == 0) + return 0; /* ignored */ - ret = - session->internals.auth_struct-> - gnutls_process_server_certificate_request(session, data, - datasize); - gnutls_free(data); - if (ret < 0) - return ret; + ret = + session->internals.auth_struct-> + gnutls_process_server_certificate_request (session, data, datasize); + gnutls_free (data); + if (ret < 0) + return ret; } - return ret; + return ret; } -int _gnutls_recv_client_kx_message(gnutls_session_t session) +int +_gnutls_recv_client_kx_message (gnutls_session_t session) { - uint8 *data; - int datasize; - int ret = 0; + uint8 *data; + int datasize; + int ret = 0; - /* Do key exchange only if the algorithm permits it */ - if (session->internals.auth_struct->gnutls_process_client_kx != NULL) { + /* Do key exchange only if the algorithm permits it */ + if (session->internals.auth_struct->gnutls_process_client_kx != NULL) + { - ret = - _gnutls_recv_handshake(session, &data, - &datasize, - GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE, - MANDATORY_PACKET); - if (ret < 0) - return ret; + ret = + _gnutls_recv_handshake (session, &data, + &datasize, + GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE, + MANDATORY_PACKET); + if (ret < 0) + return ret; - ret = - session->internals.auth_struct-> - gnutls_process_client_kx(session, data, datasize); - gnutls_free(data); - if (ret < 0) - return ret; + ret = + session->internals.auth_struct-> + gnutls_process_client_kx (session, data, datasize); + gnutls_free (data); + if (ret < 0) + return ret; } - return ret; + return ret; } /* This is called when we want send our certificate */ -int _gnutls_send_client_certificate(gnutls_session_t session, int again) +int +_gnutls_send_client_certificate (gnutls_session_t session, int again) { - uint8 *data = NULL; - int data_size = 0; - int ret = 0; + uint8 *data = NULL; + int data_size = 0; + int ret = 0; - if (session->key->certificate_requested == 0) - return 0; + if (session->key->certificate_requested == 0) + return 0; - if (session->internals.auth_struct-> - gnutls_generate_client_certificate == NULL) - return 0; + if (session->internals.auth_struct-> + gnutls_generate_client_certificate == NULL) + return 0; + + data = NULL; + data_size = 0; + + if (again == 0) + { + if (gnutls_protocol_get_version (session) != GNUTLS_SSL3 || + session->internals.selected_cert_list_length > 0) + { + /* TLS 1.0 or SSL 3.0 with a valid certificate + */ + data_size = + session->internals.auth_struct-> + gnutls_generate_client_certificate (session, &data); - data = NULL; - data_size = 0; - - if (again == 0) { - if (gnutls_protocol_get_version(session) != GNUTLS_SSL3 || - session->internals.selected_cert_list_length > 0) { - /* TLS 1.0 or SSL 3.0 with a valid certificate - */ - data_size = - session->internals.auth_struct-> - gnutls_generate_client_certificate(session, &data); - - if (data_size < 0) { - gnutls_assert(); - return data_size; + if (data_size < 0) + { + gnutls_assert (); + return data_size; } } } - /* In the SSL 3.0 protocol we need to send a - * no certificate alert instead of an - * empty certificate. - */ - if (gnutls_protocol_get_version(session) == GNUTLS_SSL3 && - session->internals.selected_cert_list_length == 0) { - ret = - gnutls_alert_send(session, GNUTLS_AL_WARNING, - GNUTLS_A_SSL3_NO_CERTIFICATE); - - } else { /* TLS 1.0 or SSL 3.0 with a valid certificate + /* In the SSL 3.0 protocol we need to send a + * no certificate alert instead of an + * empty certificate. + */ + if (gnutls_protocol_get_version (session) == GNUTLS_SSL3 && + session->internals.selected_cert_list_length == 0) + { + ret = + gnutls_alert_send (session, GNUTLS_AL_WARNING, + GNUTLS_A_SSL3_NO_CERTIFICATE); + + } + else + { /* TLS 1.0 or SSL 3.0 with a valid certificate */ - ret = - _gnutls_send_handshake(session, data, data_size, - GNUTLS_HANDSHAKE_CERTIFICATE_PKT); - gnutls_free(data); + ret = + _gnutls_send_handshake (session, data, data_size, + GNUTLS_HANDSHAKE_CERTIFICATE_PKT); + gnutls_free (data); } - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - return data_size; + return data_size; } /* This is called when we want send our certificate */ -int _gnutls_send_server_certificate(gnutls_session_t session, int again) +int +_gnutls_send_server_certificate (gnutls_session_t session, int again) { - uint8 *data = NULL; - int data_size = 0; - int ret = 0; + uint8 *data = NULL; + int data_size = 0; + int ret = 0; - if (session->internals.auth_struct-> - gnutls_generate_server_certificate == NULL) - return 0; + if (session->internals.auth_struct-> + gnutls_generate_server_certificate == NULL) + return 0; - data = NULL; - data_size = 0; + data = NULL; + data_size = 0; - if (again == 0) { - data_size = - session->internals.auth_struct-> - gnutls_generate_server_certificate(session, &data); + if (again == 0) + { + data_size = + session->internals.auth_struct-> + gnutls_generate_server_certificate (session, &data); - if (data_size < 0) { - gnutls_assert(); - return data_size; + if (data_size < 0) + { + gnutls_assert (); + return data_size; } } - ret = - _gnutls_send_handshake(session, data, data_size, - GNUTLS_HANDSHAKE_CERTIFICATE_PKT); - gnutls_free(data); - - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + _gnutls_send_handshake (session, data, data_size, + GNUTLS_HANDSHAKE_CERTIFICATE_PKT); + gnutls_free (data); + + if (ret < 0) + { + gnutls_assert (); + return ret; } - return data_size; + return data_size; } -int _gnutls_recv_client_certificate(gnutls_session_t session) +int +_gnutls_recv_client_certificate (gnutls_session_t session) { - int datasize; - opaque *data; - int ret = 0; - int optional; - - if (session->internals.auth_struct-> - gnutls_process_client_certificate != NULL) { - - /* if we have not requested a certificate then just return - */ - if (session->internals.send_cert_req == 0) { - return 0; + int datasize; + opaque *data; + int ret = 0; + int optional; + + if (session->internals.auth_struct-> + gnutls_process_client_certificate != NULL) + { + + /* if we have not requested a certificate then just return + */ + if (session->internals.send_cert_req == 0) + { + return 0; } - if (session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) - optional = MANDATORY_PACKET; - else - optional = OPTIONAL_PACKET; - - ret = - _gnutls_recv_handshake(session, &data, - &datasize, - GNUTLS_HANDSHAKE_CERTIFICATE_PKT, optional); - - if (ret < 0) { - /* Handle the case of old SSL3 clients who send - * a warning alert instead of an empty certificate to indicate - * no certificate. - */ - if (optional == OPTIONAL_PACKET && - ret == GNUTLS_E_WARNING_ALERT_RECEIVED && - gnutls_protocol_get_version(session) == GNUTLS_SSL3 && - gnutls_alert_get(session) == - GNUTLS_A_SSL3_NO_CERTIFICATE) { - - /* SSL3 does not send an empty certificate, - * but this alert. So we just ignore it. - */ - gnutls_assert(); - return 0; + if (session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) + optional = MANDATORY_PACKET; + else + optional = OPTIONAL_PACKET; + + ret = + _gnutls_recv_handshake (session, &data, + &datasize, + GNUTLS_HANDSHAKE_CERTIFICATE_PKT, optional); + + if (ret < 0) + { + /* Handle the case of old SSL3 clients who send + * a warning alert instead of an empty certificate to indicate + * no certificate. + */ + if (optional == OPTIONAL_PACKET && + ret == GNUTLS_E_WARNING_ALERT_RECEIVED && + gnutls_protocol_get_version (session) == GNUTLS_SSL3 && + gnutls_alert_get (session) == GNUTLS_A_SSL3_NO_CERTIFICATE) + { + + /* SSL3 does not send an empty certificate, + * but this alert. So we just ignore it. + */ + gnutls_assert (); + return 0; } - /* certificate was required - */ - if (ret == (GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) && - optional == MANDATORY_PACKET) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; + /* certificate was required + */ + if (ret == + (GNUTLS_E_WARNING_ALERT_RECEIVED + || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) + && optional == MANDATORY_PACKET) + { + gnutls_assert (); + return GNUTLS_E_NO_CERTIFICATE_FOUND; } - return ret; + return ret; } - if (ret == 0 && datasize == 0 && optional == OPTIONAL_PACKET) { - /* Client has not sent the certificate message. - * well I'm not sure we should accept this - * behaviour. - */ - gnutls_assert(); - return 0; + if (ret == 0 && datasize == 0 && optional == OPTIONAL_PACKET) + { + /* Client has not sent the certificate message. + * well I'm not sure we should accept this + * behaviour. + */ + gnutls_assert (); + return 0; } - ret = - session->internals.auth_struct-> - gnutls_process_client_certificate(session, data, datasize); - gnutls_free(data); - if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND) { - gnutls_assert(); - return ret; + ret = + session->internals.auth_struct-> + gnutls_process_client_certificate (session, data, datasize); + gnutls_free (data); + if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND) + { + gnutls_assert (); + return ret; } - /* ok we should expect a certificate verify message now - */ - if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND - && optional == OPTIONAL_PACKET) - ret = 0; - else - session->key->certificate_requested = 1; + /* ok we should expect a certificate verify message now + */ + if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional == OPTIONAL_PACKET) + ret = 0; + else + session->key->certificate_requested = 1; } - return ret; + return ret; } -int _gnutls_recv_server_certificate(gnutls_session_t session) +int +_gnutls_recv_server_certificate (gnutls_session_t session) { - int datasize; - opaque *data; - int ret = 0; - - if (session->internals.auth_struct-> - gnutls_process_server_certificate != NULL) { - - ret = - _gnutls_recv_handshake(session, &data, - &datasize, - GNUTLS_HANDSHAKE_CERTIFICATE_PKT, - MANDATORY_PACKET); - if (ret < 0) { - gnutls_assert(); - return ret; + int datasize; + opaque *data; + int ret = 0; + + if (session->internals.auth_struct-> + gnutls_process_server_certificate != NULL) + { + + ret = + _gnutls_recv_handshake (session, &data, + &datasize, + GNUTLS_HANDSHAKE_CERTIFICATE_PKT, + MANDATORY_PACKET); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = - session->internals.auth_struct-> - gnutls_process_server_certificate(session, data, datasize); - gnutls_free(data); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + session->internals.auth_struct-> + gnutls_process_server_certificate (session, data, datasize); + gnutls_free (data); + if (ret < 0) + { + gnutls_assert (); + return ret; } } - return ret; + return ret; } /* Recv the client certificate verify. This packet may not * arrive if the peer did not send us a certificate. */ -int _gnutls_recv_client_certificate_verify_message(gnutls_session_t - session) +int +_gnutls_recv_client_certificate_verify_message (gnutls_session_t session) { - uint8 *data; - int datasize; - int ret = 0; + uint8 *data; + int datasize; + int ret = 0; - if (session->internals.auth_struct->gnutls_process_client_cert_vrfy != - NULL) { + if (session->internals.auth_struct->gnutls_process_client_cert_vrfy != NULL) + { - if (session->internals.send_cert_req == 0 || - session->key->certificate_requested == 0) { - return 0; + if (session->internals.send_cert_req == 0 || + session->key->certificate_requested == 0) + { + return 0; } - ret = - _gnutls_recv_handshake(session, &data, - &datasize, - GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY, - OPTIONAL_PACKET); - if (ret < 0) - return ret; - - if (ret == 0 && datasize == 0 - && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) { - /* certificate was required */ - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; + ret = + _gnutls_recv_handshake (session, &data, + &datasize, + GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY, + OPTIONAL_PACKET); + if (ret < 0) + return ret; + + if (ret == 0 && datasize == 0 + && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) + { + /* certificate was required */ + gnutls_assert (); + return GNUTLS_E_NO_CERTIFICATE_FOUND; } - ret = - session->internals.auth_struct-> - gnutls_process_client_cert_vrfy(session, data, datasize); - gnutls_free(data); - if (ret < 0) - return ret; + ret = + session->internals.auth_struct-> + gnutls_process_client_cert_vrfy (session, data, datasize); + gnutls_free (data); + if (ret < 0) + return ret; } - return ret; + return ret; } diff --git a/lib/gnutls_kx.h b/lib/gnutls_kx.h index e92dbe3b4f..7fc8c6d8d1 100644 --- a/lib/gnutls_kx.h +++ b/lib/gnutls_kx.h @@ -22,19 +22,18 @@ * */ -int _gnutls_send_server_kx_message(gnutls_session_t session, int again); -int _gnutls_send_client_kx_message(gnutls_session_t session, int again); -int _gnutls_recv_server_kx_message(gnutls_session_t session); -int _gnutls_recv_client_kx_message(gnutls_session_t session); -int _gnutls_send_client_certificate_verify(gnutls_session_t session, - int again); -int _gnutls_send_server_certificate(gnutls_session_t session, int again); -int _gnutls_generate_master(gnutls_session_t session, int keep_premaster); -int _gnutls_recv_client_certificate(gnutls_session_t session); -int _gnutls_recv_server_certificate(gnutls_session_t session); -int _gnutls_send_client_certificate(gnutls_session_t session, int again); -int _gnutls_recv_server_certificate_request(gnutls_session_t session); -int _gnutls_send_server_certificate_request(gnutls_session_t session, +int _gnutls_send_server_kx_message (gnutls_session_t session, int again); +int _gnutls_send_client_kx_message (gnutls_session_t session, int again); +int _gnutls_recv_server_kx_message (gnutls_session_t session); +int _gnutls_recv_client_kx_message (gnutls_session_t session); +int _gnutls_send_client_certificate_verify (gnutls_session_t session, int again); -int _gnutls_recv_client_certificate_verify_message(gnutls_session_t - session); +int _gnutls_send_server_certificate (gnutls_session_t session, int again); +int _gnutls_generate_master (gnutls_session_t session, int keep_premaster); +int _gnutls_recv_client_certificate (gnutls_session_t session); +int _gnutls_recv_server_certificate (gnutls_session_t session); +int _gnutls_send_client_certificate (gnutls_session_t session, int again); +int _gnutls_recv_server_certificate_request (gnutls_session_t session); +int _gnutls_send_server_certificate_request (gnutls_session_t session, + int again); +int _gnutls_recv_client_certificate_verify_message (gnutls_session_t session); diff --git a/lib/gnutls_mem.c b/lib/gnutls_mem.c index 81fb1a1be3..36aecf3df7 100644 --- a/lib/gnutls_mem.c +++ b/lib/gnutls_mem.c @@ -34,62 +34,67 @@ gnutls_realloc_function gnutls_realloc = realloc; void *(*gnutls_calloc) (size_t, size_t) = calloc; char *(*gnutls_strdup) (const char *) = _gnutls_strdup; -int _gnutls_is_secure_mem_null(const void *ign) +int +_gnutls_is_secure_mem_null (const void *ign) { - return 0; + return 0; } -int (*_gnutls_is_secure_memory) (const void *) = - _gnutls_is_secure_mem_null; +int (*_gnutls_is_secure_memory) (const void *) = _gnutls_is_secure_mem_null; -void *_gnutls_calloc(size_t nmemb, size_t size) +void * +_gnutls_calloc (size_t nmemb, size_t size) { - void *ret; - size *= nmemb; - ret = gnutls_malloc(size); - if (ret != NULL) - memset(ret, 0, size); - return ret; + void *ret; + size *= nmemb; + ret = gnutls_malloc (size); + if (ret != NULL) + memset (ret, 0, size); + return ret; } -svoid *gnutls_secure_calloc(size_t nmemb, size_t size) +svoid * +gnutls_secure_calloc (size_t nmemb, size_t size) { - svoid *ret; - size *= nmemb; - ret = gnutls_secure_malloc(size); - if (ret != NULL) - memset(ret, 0, size); - return ret; + svoid *ret; + size *= nmemb; + ret = gnutls_secure_malloc (size); + if (ret != NULL) + memset (ret, 0, size); + return ret; } /* This realloc will free ptr in case realloc * fails. */ -void *gnutls_realloc_fast(void *ptr, size_t size) +void * +gnutls_realloc_fast (void *ptr, size_t size) { - void *ret; + void *ret; - if (size == 0) - return ptr; + if (size == 0) + return ptr; - ret = gnutls_realloc(ptr, size); - if (ret == NULL) { - gnutls_free(ptr); + ret = gnutls_realloc (ptr, size); + if (ret == NULL) + { + gnutls_free (ptr); } - return ret; + return ret; } -char *_gnutls_strdup(const char *str) +char * +_gnutls_strdup (const char *str) { - size_t siz = strlen(str) + 1; - char *ret; + size_t siz = strlen (str) + 1; + char *ret; - ret = gnutls_malloc(siz); - if (ret != NULL) - memcpy(ret, str, siz); - return ret; + ret = gnutls_malloc (siz); + if (ret != NULL) + memcpy (ret, str, siz); + return ret; } @@ -107,7 +112,8 @@ char *_gnutls_strdup(const char *str) * The allocation function used is the one set by gnutls_global_set_mem_functions(). * **/ -void *gnutls_malloc(size_t s) +void * +gnutls_malloc (size_t s) { } @@ -120,7 +126,8 @@ void *gnutls_malloc(size_t s) * The deallocation function used is the one set by gnutls_global_set_mem_functions(). * **/ -void gnutls_free(void *ptr) +void +gnutls_free (void *ptr) { } diff --git a/lib/gnutls_mem.h b/lib/gnutls_mem.h index b1263c65bb..a22d0f2fc3 100644 --- a/lib/gnutls_mem.h +++ b/lib/gnutls_mem.h @@ -53,18 +53,18 @@ typedef void svoid; /* for functions that allocate using gnutls_secure_malloc * # define gnutls_alloca gnutls_malloc # define gnutls_afree gnutls_free # endif -#endif /* HAVE_ALLOCA */ +#endif /* HAVE_ALLOCA */ extern int (*_gnutls_is_secure_memory) (const void *); /* this realloc function will return ptr if size==0, and * will free the ptr if the new allocation failed. */ -void *gnutls_realloc_fast(void *ptr, size_t size); +void *gnutls_realloc_fast (void *ptr, size_t size); -svoid *gnutls_secure_calloc(size_t nmemb, size_t size); +svoid *gnutls_secure_calloc (size_t nmemb, size_t size); -void *_gnutls_calloc(size_t nmemb, size_t size); -char *_gnutls_strdup(const char *); +void *_gnutls_calloc (size_t nmemb, size_t size); +char *_gnutls_strdup (const char *); -#endif /* GNUTLS_MEM_H */ +#endif /* GNUTLS_MEM_H */ diff --git a/lib/gnutls_mpi.c b/lib/gnutls_mpi.c index 58b9939e91..d0fcd5da1d 100644 --- a/lib/gnutls_mpi.c +++ b/lib/gnutls_mpi.c @@ -34,122 +34,129 @@ /* Functions that refer to the libgcrypt library. */ -void _gnutls_mpi_release(mpi_t * x) +void +_gnutls_mpi_release (mpi_t * x) { - if (*x == NULL) - return; - gcry_mpi_release(*x); - *x = NULL; + if (*x == NULL) + return; + gcry_mpi_release (*x); + *x = NULL; } /* returns zero on success */ -int _gnutls_mpi_scan(mpi_t * ret_mpi, const opaque * buffer, - size_t * nbytes) +int +_gnutls_mpi_scan (mpi_t * ret_mpi, const opaque * buffer, size_t * nbytes) { - int ret; + int ret; - ret = gcry_mpi_scan(ret_mpi, GCRYMPI_FMT_USG, buffer, *nbytes, nbytes); - if (ret) - return GNUTLS_E_MPI_SCAN_FAILED; + ret = gcry_mpi_scan (ret_mpi, GCRYMPI_FMT_USG, buffer, *nbytes, nbytes); + if (ret) + return GNUTLS_E_MPI_SCAN_FAILED; - return 0; + return 0; } /* returns zero on success. Fails if the number is zero. */ -int _gnutls_mpi_scan_nz(mpi_t * ret_mpi, const opaque * buffer, - size_t * nbytes) +int +_gnutls_mpi_scan_nz (mpi_t * ret_mpi, const opaque * buffer, size_t * nbytes) { - int ret; - - ret = gcry_mpi_scan(ret_mpi, GCRYMPI_FMT_USG, buffer, *nbytes, nbytes); - if (ret) - return GNUTLS_E_MPI_SCAN_FAILED; - - /* MPIs with 0 bits are illegal - */ - if (_gnutls_mpi_get_nbits(*ret_mpi) == 0) { - _gnutls_mpi_release(ret_mpi); - return GNUTLS_E_MPI_SCAN_FAILED; + int ret; + + ret = gcry_mpi_scan (ret_mpi, GCRYMPI_FMT_USG, buffer, *nbytes, nbytes); + if (ret) + return GNUTLS_E_MPI_SCAN_FAILED; + + /* MPIs with 0 bits are illegal + */ + if (_gnutls_mpi_get_nbits (*ret_mpi) == 0) + { + _gnutls_mpi_release (ret_mpi); + return GNUTLS_E_MPI_SCAN_FAILED; } - return 0; + return 0; } -int _gnutls_mpi_scan_pgp(mpi_t * ret_mpi, const opaque * buffer, - size_t * nbytes) +int +_gnutls_mpi_scan_pgp (mpi_t * ret_mpi, const opaque * buffer, size_t * nbytes) { - int ret; - ret = gcry_mpi_scan(ret_mpi, GCRYMPI_FMT_PGP, buffer, *nbytes, nbytes); - if (ret) - return GNUTLS_E_MPI_SCAN_FAILED; - - /* MPIs with 0 bits are illegal - */ - if (_gnutls_mpi_get_nbits(*ret_mpi) == 0) { - _gnutls_mpi_release(ret_mpi); - return GNUTLS_E_MPI_SCAN_FAILED; + int ret; + ret = gcry_mpi_scan (ret_mpi, GCRYMPI_FMT_PGP, buffer, *nbytes, nbytes); + if (ret) + return GNUTLS_E_MPI_SCAN_FAILED; + + /* MPIs with 0 bits are illegal + */ + if (_gnutls_mpi_get_nbits (*ret_mpi) == 0) + { + _gnutls_mpi_release (ret_mpi); + return GNUTLS_E_MPI_SCAN_FAILED; } - return 0; + return 0; } -int _gnutls_mpi_print(void *buffer, size_t * nbytes, const mpi_t a) +int +_gnutls_mpi_print (void *buffer, size_t * nbytes, const mpi_t a) { - int ret; + int ret; - if (nbytes == NULL || a == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (nbytes == NULL || a == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = gcry_mpi_print(GCRYMPI_FMT_USG, buffer, *nbytes, nbytes, a); - if (!ret) - return 0; + ret = gcry_mpi_print (GCRYMPI_FMT_USG, buffer, *nbytes, nbytes, a); + if (!ret) + return 0; - return GNUTLS_E_MPI_PRINT_FAILED; + return GNUTLS_E_MPI_PRINT_FAILED; } /* Always has the first bit zero */ -int _gnutls_mpi_print_lz(void *buffer, size_t * nbytes, const mpi_t a) +int +_gnutls_mpi_print_lz (void *buffer, size_t * nbytes, const mpi_t a) { - int ret; + int ret; - if (nbytes == NULL || a == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (nbytes == NULL || a == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = gcry_mpi_print(GCRYMPI_FMT_STD, buffer, *nbytes, nbytes, a); - if (!ret) - return 0; + ret = gcry_mpi_print (GCRYMPI_FMT_STD, buffer, *nbytes, nbytes, a); + if (!ret) + return 0; - return GNUTLS_E_MPI_PRINT_FAILED; + return GNUTLS_E_MPI_PRINT_FAILED; } /* Always has the first bit zero */ -int _gnutls_mpi_dprint_lz(gnutls_datum_t * dest, const mpi_t a) +int +_gnutls_mpi_dprint_lz (gnutls_datum_t * dest, const mpi_t a) { - int ret; - opaque *buf = NULL; - size_t bytes = 0; - - if (dest == NULL || a == NULL) - return GNUTLS_E_INVALID_REQUEST; - - gcry_mpi_print(GCRYMPI_FMT_STD, NULL, 0, &bytes, a); - - if (bytes != 0) - buf = gnutls_malloc(bytes); - if (buf == NULL) - return GNUTLS_E_MEMORY_ERROR; - - ret = gcry_mpi_print(GCRYMPI_FMT_STD, buf, bytes, &bytes, a); - if (!ret) { - dest->data = buf; - dest->size = bytes; - return 0; + int ret; + opaque *buf = NULL; + size_t bytes = 0; + + if (dest == NULL || a == NULL) + return GNUTLS_E_INVALID_REQUEST; + + gcry_mpi_print (GCRYMPI_FMT_STD, NULL, 0, &bytes, a); + + if (bytes != 0) + buf = gnutls_malloc (bytes); + if (buf == NULL) + return GNUTLS_E_MEMORY_ERROR; + + ret = gcry_mpi_print (GCRYMPI_FMT_STD, buf, bytes, &bytes, a); + if (!ret) + { + dest->data = buf; + dest->size = bytes; + return 0; } - gnutls_free(buf); - return GNUTLS_E_MPI_PRINT_FAILED; + gnutls_free (buf); + return GNUTLS_E_MPI_PRINT_FAILED; } @@ -157,86 +164,93 @@ int _gnutls_mpi_dprint_lz(gnutls_datum_t * dest, const mpi_t a) * from asn1 structs. Combines the read and mpi_scan * steps. */ -int _gnutls_x509_read_int(ASN1_TYPE node, const char *value, - mpi_t * ret_mpi) +int +_gnutls_x509_read_int (ASN1_TYPE node, const char *value, mpi_t * ret_mpi) { - int result; - size_t s_len; - opaque *tmpstr = NULL; - int tmpstr_size; - - tmpstr_size = 0; - result = asn1_read_value(node, value, NULL, &tmpstr_size); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - return _gnutls_asn2err(result); + int result; + size_t s_len; + opaque *tmpstr = NULL; + int tmpstr_size; + + tmpstr_size = 0; + result = asn1_read_value (node, value, NULL, &tmpstr_size); + if (result != ASN1_MEM_ERROR) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - tmpstr = gnutls_alloca(tmpstr_size); - if (tmpstr == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + tmpstr = gnutls_alloca (tmpstr_size); + if (tmpstr == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - result = asn1_read_value(node, value, tmpstr, &tmpstr_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_afree(tmpstr); - return _gnutls_asn2err(result); + result = asn1_read_value (node, value, tmpstr, &tmpstr_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + gnutls_afree (tmpstr); + return _gnutls_asn2err (result); } - s_len = tmpstr_size; - if (_gnutls_mpi_scan(ret_mpi, tmpstr, &s_len) != 0) { - gnutls_assert(); - gnutls_afree(tmpstr); - return GNUTLS_E_MPI_SCAN_FAILED; + s_len = tmpstr_size; + if (_gnutls_mpi_scan (ret_mpi, tmpstr, &s_len) != 0) + { + gnutls_assert (); + gnutls_afree (tmpstr); + return GNUTLS_E_MPI_SCAN_FAILED; } - gnutls_afree(tmpstr); + gnutls_afree (tmpstr); - return 0; + return 0; } /* Writes the specified integer into the specified node. */ -int _gnutls_x509_write_int(ASN1_TYPE node, const char *value, mpi_t mpi, - int lz) +int +_gnutls_x509_write_int (ASN1_TYPE node, const char *value, mpi_t mpi, int lz) { - opaque *tmpstr; - size_t s_len; - int result; - - s_len = 0; - if (lz) - result = _gnutls_mpi_print_lz(NULL, &s_len, mpi); - else - result = _gnutls_mpi_print(NULL, &s_len, mpi); - - tmpstr = gnutls_alloca(s_len); - if (tmpstr == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + opaque *tmpstr; + size_t s_len; + int result; + + s_len = 0; + if (lz) + result = _gnutls_mpi_print_lz (NULL, &s_len, mpi); + else + result = _gnutls_mpi_print (NULL, &s_len, mpi); + + tmpstr = gnutls_alloca (s_len); + if (tmpstr == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - if (lz) - result = _gnutls_mpi_print_lz(tmpstr, &s_len, mpi); - else - result = _gnutls_mpi_print(tmpstr, &s_len, mpi); + if (lz) + result = _gnutls_mpi_print_lz (tmpstr, &s_len, mpi); + else + result = _gnutls_mpi_print (tmpstr, &s_len, mpi); - if (result != 0) { - gnutls_assert(); - gnutls_afree(tmpstr); - return GNUTLS_E_MPI_PRINT_FAILED; + if (result != 0) + { + gnutls_assert (); + gnutls_afree (tmpstr); + return GNUTLS_E_MPI_PRINT_FAILED; } - result = asn1_write_value(node, value, tmpstr, s_len); + result = asn1_write_value (node, value, tmpstr, s_len); - gnutls_afree(tmpstr); + gnutls_afree (tmpstr); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } diff --git a/lib/gnutls_mpi.h b/lib/gnutls_mpi.h index 198a4edeff..2efde82d2d 100644 --- a/lib/gnutls_mpi.h +++ b/lib/gnutls_mpi.h @@ -59,19 +59,19 @@ typedef gcry_mpi_t mpi_t; # define _gnutls_mpi_alloc_like(x) _gnutls_mpi_new(_gnutls_mpi_get_nbits(x)) # define _gnutls_mpi_salloc_like(x) _gnutls_mpi_snew(_gnutls_mpi_get_nbits(x)) -void _gnutls_mpi_release(mpi_t * x); +void _gnutls_mpi_release (mpi_t * x); -int _gnutls_mpi_scan_nz(mpi_t * ret_mpi, const opaque * buffer, - size_t * nbytes); -int _gnutls_mpi_scan(mpi_t * ret_mpi, const opaque * buffer, - size_t * nbytes); -int _gnutls_mpi_scan_pgp(mpi_t * ret_mpi, const opaque * buffer, +int _gnutls_mpi_scan_nz (mpi_t * ret_mpi, const opaque * buffer, size_t * nbytes); +int _gnutls_mpi_scan (mpi_t * ret_mpi, const opaque * buffer, + size_t * nbytes); +int _gnutls_mpi_scan_pgp (mpi_t * ret_mpi, const opaque * buffer, + size_t * nbytes); -int _gnutls_mpi_print(void *buffer, size_t * nbytes, const mpi_t a); -int _gnutls_mpi_print_lz(void *buffer, size_t * nbytes, const mpi_t a); +int _gnutls_mpi_print (void *buffer, size_t * nbytes, const mpi_t a); +int _gnutls_mpi_print_lz (void *buffer, size_t * nbytes, const mpi_t a); -int _gnutls_mpi_dprint_lz(gnutls_datum_t * dest, const mpi_t a); +int _gnutls_mpi_dprint_lz (gnutls_datum_t * dest, const mpi_t a); #define _gnutls_mpi_dprint _gnutls_mpi_dprint_lz #endif diff --git a/lib/gnutls_num.c b/lib/gnutls_num.c index 00e6655ccb..a59b3dcc84 100644 --- a/lib/gnutls_num.c +++ b/lib/gnutls_num.c @@ -34,144 +34,159 @@ * Returns 0 on success, or -1 if the uint64 max limit * has been reached. */ -int _gnutls_uint64pp(uint64 * x) +int +_gnutls_uint64pp (uint64 * x) { - register int i, y = 0; - - for (i = 7; i >= 0; i--) { - y = 0; - if (x->i[i] == 0xff) { - x->i[i] = 0; - y = 1; - } else - x->i[i]++; - - if (y == 0) - break; + register int i, y = 0; + + for (i = 7; i >= 0; i--) + { + y = 0; + if (x->i[i] == 0xff) + { + x->i[i] = 0; + y = 1; + } + else + x->i[i]++; + + if (y == 0) + break; } - if (y != 0) - return -1; /* over 64 bits! WOW */ + if (y != 0) + return -1; /* over 64 bits! WOW */ - return 0; + return 0; } -uint32 _gnutls_uint24touint32(uint24 num) +uint32 +_gnutls_uint24touint32 (uint24 num) { - uint32 ret = 0; + uint32 ret = 0; - ((uint8 *) & ret)[1] = num.pint[0]; - ((uint8 *) & ret)[2] = num.pint[1]; - ((uint8 *) & ret)[3] = num.pint[2]; - return ret; + ((uint8 *) & ret)[1] = num.pint[0]; + ((uint8 *) & ret)[2] = num.pint[1]; + ((uint8 *) & ret)[3] = num.pint[2]; + return ret; } -uint24 _gnutls_uint32touint24(uint32 num) +uint24 +_gnutls_uint32touint24 (uint32 num) { - uint24 ret; + uint24 ret; - ret.pint[0] = ((uint8 *) & num)[1]; - ret.pint[1] = ((uint8 *) & num)[2]; - ret.pint[2] = ((uint8 *) & num)[3]; - return ret; + ret.pint[0] = ((uint8 *) & num)[1]; + ret.pint[1] = ((uint8 *) & num)[2]; + ret.pint[2] = ((uint8 *) & num)[3]; + return ret; } /* data should be at least 3 bytes */ -uint32 _gnutls_read_uint24(const opaque * data) +uint32 +_gnutls_read_uint24 (const opaque * data) { - uint32 res; - uint24 num; + uint32 res; + uint24 num; - num.pint[0] = data[0]; - num.pint[1] = data[1]; - num.pint[2] = data[2]; + num.pint[0] = data[0]; + num.pint[1] = data[1]; + num.pint[2] = data[2]; - res = _gnutls_uint24touint32(num); + res = _gnutls_uint24touint32 (num); #ifndef WORDS_BIGENDIAN - res = byteswap32(res); + res = byteswap32 (res); #endif - return res; + return res; } -void _gnutls_write_uint24(uint32 num, opaque * data) +void +_gnutls_write_uint24 (uint32 num, opaque * data) { - uint24 tmp; + uint24 tmp; #ifndef WORDS_BIGENDIAN - num = byteswap32(num); + num = byteswap32 (num); #endif - tmp = _gnutls_uint32touint24(num); + tmp = _gnutls_uint32touint24 (num); - data[0] = tmp.pint[0]; - data[1] = tmp.pint[1]; - data[2] = tmp.pint[2]; + data[0] = tmp.pint[0]; + data[1] = tmp.pint[1]; + data[2] = tmp.pint[2]; } -uint32 _gnutls_read_uint32(const opaque * data) +uint32 +_gnutls_read_uint32 (const opaque * data) { - uint32 res; + uint32 res; - memcpy(&res, data, sizeof(uint32)); + memcpy (&res, data, sizeof (uint32)); #ifndef WORDS_BIGENDIAN - res = byteswap32(res); + res = byteswap32 (res); #endif - return res; + return res; } -void _gnutls_write_uint32(uint32 num, opaque * data) +void +_gnutls_write_uint32 (uint32 num, opaque * data) { #ifndef WORDS_BIGENDIAN - num = byteswap32(num); + num = byteswap32 (num); #endif - memcpy(data, &num, sizeof(uint32)); + memcpy (data, &num, sizeof (uint32)); } -uint16 _gnutls_read_uint16(const opaque * data) +uint16 +_gnutls_read_uint16 (const opaque * data) { - uint16 res; - memcpy(&res, data, sizeof(uint16)); + uint16 res; + memcpy (&res, data, sizeof (uint16)); #ifndef WORDS_BIGENDIAN - res = byteswap16(res); + res = byteswap16 (res); #endif - return res; + return res; } -void _gnutls_write_uint16(uint16 num, opaque * data) +void +_gnutls_write_uint16 (uint16 num, opaque * data) { #ifndef WORDS_BIGENDIAN - num = byteswap16(num); + num = byteswap16 (num); #endif - memcpy(data, &num, sizeof(uint16)); + memcpy (data, &num, sizeof (uint16)); } -uint32 _gnutls_conv_uint32(uint32 data) +uint32 +_gnutls_conv_uint32 (uint32 data) { #ifndef WORDS_BIGENDIAN - return byteswap32(data); + return byteswap32 (data); #else - return data; + return data; #endif } -uint16 _gnutls_conv_uint16(uint16 data) +uint16 +_gnutls_conv_uint16 (uint16 data) { #ifndef WORDS_BIGENDIAN - return byteswap16(data); + return byteswap16 (data); #else - return data; + return data; #endif } -uint32 _gnutls_uint64touint32(const uint64 * num) +uint32 +_gnutls_uint64touint32 (const uint64 * num) { - uint32 ret; + uint32 ret; - memcpy(&ret, &num->i[4], 4); + memcpy (&ret, &num->i[4], 4); #ifndef WORDS_BIGENDIAN - ret = byteswap32(ret); + ret = byteswap32 (ret); #endif - return ret; + return ret; } diff --git a/lib/gnutls_num.h b/lib/gnutls_num.h index 5d71ae9e94..0098bb22e4 100644 --- a/lib/gnutls_num.h +++ b/lib/gnutls_num.h @@ -34,18 +34,18 @@ #define byteswap16(x) ((rotl16(x, 8) & 0x00ff) | (rotr16(x, 8) & 0xff00)) #define byteswap32(x) ((rotl32(x, 8) & 0x00ff00ffUL) | (rotr32(x, 8) & 0xff00ff00UL)) -uint32 _gnutls_uint24touint32(uint24 num); -uint24 _gnutls_uint32touint24(uint32 num); -uint32 _gnutls_read_uint32(const opaque * data); -uint16 _gnutls_read_uint16(const opaque * data); -uint32 _gnutls_conv_uint32(uint32 data); -uint16 _gnutls_conv_uint16(uint16 data); -uint32 _gnutls_read_uint24(const opaque * data); -void _gnutls_write_uint24(uint32 num, opaque * data); -void _gnutls_write_uint32(uint32 num, opaque * data); -void _gnutls_write_uint16(uint16 num, opaque * data); -uint32 _gnutls_uint64touint32(const uint64 *); +uint32 _gnutls_uint24touint32 (uint24 num); +uint24 _gnutls_uint32touint24 (uint32 num); +uint32 _gnutls_read_uint32 (const opaque * data); +uint16 _gnutls_read_uint16 (const opaque * data); +uint32 _gnutls_conv_uint32 (uint32 data); +uint16 _gnutls_conv_uint16 (uint16 data); +uint32 _gnutls_read_uint24 (const opaque * data); +void _gnutls_write_uint24 (uint32 num, opaque * data); +void _gnutls_write_uint32 (uint32 num, opaque * data); +void _gnutls_write_uint16 (uint16 num, opaque * data); +uint32 _gnutls_uint64touint32 (const uint64 *); -int _gnutls_uint64pp(uint64 *); +int _gnutls_uint64pp (uint64 *); # define _gnutls_uint64zero(x) x.i[0] = x.i[1] = x.i[2] = x.i[3] = x.i[4] = x.i[5] = x.i[6] = x.i[7] = 0 # define UINT64DATA(x) x.i diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c index 4db5c0c048..8dfc8e38ea 100644 --- a/lib/gnutls_pk.c +++ b/lib/gnutls_pk.c @@ -38,148 +38,165 @@ #include <x509/common.h> #include <gc.h> -static int _gnutls_pk_encrypt(int algo, mpi_t * resarr, mpi_t data, - mpi_t * pkey, int pkey_len); -static int _gnutls_pk_sign(int algo, mpi_t * data, mpi_t hash, - mpi_t * pkey, int); -static int _gnutls_pk_verify(int algo, mpi_t hash, mpi_t * data, - mpi_t * pkey, int); -static int _gnutls_pk_decrypt(int algo, mpi_t * resarr, mpi_t data, +static int _gnutls_pk_encrypt (int algo, mpi_t * resarr, mpi_t data, + mpi_t * pkey, int pkey_len); +static int _gnutls_pk_sign (int algo, mpi_t * data, mpi_t hash, + mpi_t * pkey, int); +static int _gnutls_pk_verify (int algo, mpi_t hash, mpi_t * data, mpi_t * pkey, int); +static int _gnutls_pk_decrypt (int algo, mpi_t * resarr, mpi_t data, + mpi_t * pkey, int); /* Do PKCS-1 RSA encryption. * params is modulus, public exp. */ -int _gnutls_pkcs1_rsa_encrypt(gnutls_datum_t * ciphertext, - const gnutls_datum_t * plaintext, - mpi_t * params, uint params_len, uint btype) +int +_gnutls_pkcs1_rsa_encrypt (gnutls_datum_t * ciphertext, + const gnutls_datum_t * plaintext, + mpi_t * params, uint params_len, uint btype) { - unsigned int i, pad; - int ret; - mpi_t m, res; - opaque *edata, *ps; - size_t k, psize; - size_t mod_bits; - - mod_bits = _gnutls_mpi_get_nbits(params[0]); - k = mod_bits / 8; - if (mod_bits % 8 != 0) - k++; - - if (plaintext->size > k - 11) { - gnutls_assert(); - return GNUTLS_E_PK_ENCRYPTION_FAILED; - } - - edata = gnutls_alloca(k); - if (edata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - /* EB = 00||BT||PS||00||D - * (use block type 'btype') - */ - - edata[0] = 0; - edata[1] = btype; - psize = k - 3 - plaintext->size; - - ps = &edata[2]; - switch (btype) { + unsigned int i, pad; + int ret; + mpi_t m, res; + opaque *edata, *ps; + size_t k, psize; + size_t mod_bits; + + mod_bits = _gnutls_mpi_get_nbits (params[0]); + k = mod_bits / 8; + if (mod_bits % 8 != 0) + k++; + + if (plaintext->size > k - 11) + { + gnutls_assert (); + return GNUTLS_E_PK_ENCRYPTION_FAILED; + } + + edata = gnutls_alloca (k); + if (edata == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + /* EB = 00||BT||PS||00||D + * (use block type 'btype') + */ + + edata[0] = 0; + edata[1] = btype; + psize = k - 3 - plaintext->size; + + ps = &edata[2]; + switch (btype) + { case 2: - /* using public key */ - if (params_len < RSA_PUBLIC_PARAMS) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_INTERNAL_ERROR; + /* using public key */ + if (params_len < RSA_PUBLIC_PARAMS) + { + gnutls_assert (); + gnutls_afree (edata); + return GNUTLS_E_INTERNAL_ERROR; } - if (gc_pseudo_random (ps, psize) != GC_OK) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_RANDOM_FAILED; + if (gc_pseudo_random (ps, psize) != GC_OK) + { + gnutls_assert (); + gnutls_afree (edata); + return GNUTLS_E_RANDOM_FAILED; } - for (i = 0; i < psize; i++) - while (ps[i] == 0) { - if (gc_pseudo_random (&ps[i], 1) != GC_OK) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_RANDOM_FAILED; - } - } - break; + for (i = 0; i < psize; i++) + while (ps[i] == 0) + { + if (gc_pseudo_random (&ps[i], 1) != GC_OK) + { + gnutls_assert (); + gnutls_afree (edata); + return GNUTLS_E_RANDOM_FAILED; + } + } + break; case 1: - /* using private key */ + /* using private key */ - if (params_len < RSA_PRIVATE_PARAMS) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_INTERNAL_ERROR; + if (params_len < RSA_PRIVATE_PARAMS) + { + gnutls_assert (); + gnutls_afree (edata); + return GNUTLS_E_INTERNAL_ERROR; } - for (i = 0; i < psize; i++) - ps[i] = 0xff; - break; + for (i = 0; i < psize; i++) + ps[i] = 0xff; + break; default: - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + gnutls_afree (edata); + return GNUTLS_E_INTERNAL_ERROR; } - ps[psize] = 0; - memcpy(&ps[psize + 1], plaintext->data, plaintext->size); + ps[psize] = 0; + memcpy (&ps[psize + 1], plaintext->data, plaintext->size); - if (_gnutls_mpi_scan_nz(&m, edata, &k) != 0) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_MPI_SCAN_FAILED; + if (_gnutls_mpi_scan_nz (&m, edata, &k) != 0) + { + gnutls_assert (); + gnutls_afree (edata); + return GNUTLS_E_MPI_SCAN_FAILED; } - gnutls_afree(edata); + gnutls_afree (edata); - if (btype == 2) /* encrypt */ - ret = _gnutls_pk_encrypt(GCRY_PK_RSA, &res, m, params, params_len); - else /* sign */ - ret = _gnutls_pk_sign(GCRY_PK_RSA, &res, m, params, params_len); + if (btype == 2) /* encrypt */ + ret = _gnutls_pk_encrypt (GCRY_PK_RSA, &res, m, params, params_len); + else /* sign */ + ret = _gnutls_pk_sign (GCRY_PK_RSA, &res, m, params, params_len); - _gnutls_mpi_release(&m); + _gnutls_mpi_release (&m); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - _gnutls_mpi_print(NULL, &psize, res); + _gnutls_mpi_print (NULL, &psize, res); - if (psize < k) { - /* padding psize */ - pad = k - psize; - psize = k; - } else if (psize == k) { - pad = 0; - } else { /* psize > k !!! */ - /* This is an impossible situation */ - gnutls_assert(); - _gnutls_mpi_release(&res); - return GNUTLS_E_INTERNAL_ERROR; + if (psize < k) + { + /* padding psize */ + pad = k - psize; + psize = k; + } + else if (psize == k) + { + pad = 0; + } + else + { /* psize > k !!! */ + /* This is an impossible situation */ + gnutls_assert (); + _gnutls_mpi_release (&res); + return GNUTLS_E_INTERNAL_ERROR; } - ciphertext->data = gnutls_malloc(psize); - if (ciphertext->data == NULL) { - gnutls_assert(); - _gnutls_mpi_release(&res); - return GNUTLS_E_MEMORY_ERROR; + ciphertext->data = gnutls_malloc (psize); + if (ciphertext->data == NULL) + { + gnutls_assert (); + _gnutls_mpi_release (&res); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_mpi_print(&ciphertext->data[pad], &psize, res); - for (i = 0; i < pad; i++) - ciphertext->data[i] = 0; + _gnutls_mpi_print (&ciphertext->data[pad], &psize, res); + for (i = 0; i < pad; i++) + ciphertext->data[i] = 0; - ciphertext->size = k; + ciphertext->size = k; - _gnutls_mpi_release(&res); + _gnutls_mpi_release (&res); - return 0; + return 0; } @@ -187,324 +204,361 @@ int _gnutls_pkcs1_rsa_encrypt(gnutls_datum_t * ciphertext, * params is modulus, public exp., private key * Can decrypt block type 1 and type 2 packets. */ -int _gnutls_pkcs1_rsa_decrypt(gnutls_datum_t * plaintext, - const gnutls_datum_t * ciphertext, - mpi_t * params, uint params_len, uint btype) +int +_gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext, + const gnutls_datum_t * ciphertext, + mpi_t * params, uint params_len, uint btype) { - uint k, i; - int ret; - mpi_t c, res; - opaque *edata; - size_t esize, mod_bits; + uint k, i; + int ret; + mpi_t c, res; + opaque *edata; + size_t esize, mod_bits; - mod_bits = _gnutls_mpi_get_nbits(params[0]); - k = mod_bits / 8; - if (mod_bits % 8 != 0) - k++; + mod_bits = _gnutls_mpi_get_nbits (params[0]); + k = mod_bits / 8; + if (mod_bits % 8 != 0) + k++; - esize = ciphertext->size; + esize = ciphertext->size; - if (esize != k) { - gnutls_assert(); - return GNUTLS_E_PK_DECRYPTION_FAILED; + if (esize != k) + { + gnutls_assert (); + return GNUTLS_E_PK_DECRYPTION_FAILED; } - if (_gnutls_mpi_scan_nz(&c, ciphertext->data, &esize) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + if (_gnutls_mpi_scan_nz (&c, ciphertext->data, &esize) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - /* we can use btype to see if the private key is - * available. - */ - if (btype == 2) - ret = _gnutls_pk_decrypt(GCRY_PK_RSA, &res, c, params, params_len); - else { - ret = _gnutls_pk_encrypt(GCRY_PK_RSA, &res, c, params, params_len); + /* we can use btype to see if the private key is + * available. + */ + if (btype == 2) + ret = _gnutls_pk_decrypt (GCRY_PK_RSA, &res, c, params, params_len); + else + { + ret = _gnutls_pk_encrypt (GCRY_PK_RSA, &res, c, params, params_len); } - _gnutls_mpi_release(&c); + _gnutls_mpi_release (&c); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - _gnutls_mpi_print(NULL, &esize, res); - edata = gnutls_alloca(esize + 1); - if (edata == NULL) { - gnutls_assert(); - _gnutls_mpi_release(&res); - return GNUTLS_E_MEMORY_ERROR; + _gnutls_mpi_print (NULL, &esize, res); + edata = gnutls_alloca (esize + 1); + if (edata == NULL) + { + gnutls_assert (); + _gnutls_mpi_release (&res); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_mpi_print(&edata[1], &esize, res); + _gnutls_mpi_print (&edata[1], &esize, res); - _gnutls_mpi_release(&res); + _gnutls_mpi_release (&res); - /* EB = 00||BT||PS||00||D - * (use block type 'btype') - */ + /* EB = 00||BT||PS||00||D + * (use block type 'btype') + */ - edata[0] = 0; - esize++; + edata[0] = 0; + esize++; - if (edata[0] != 0 || edata[1] != btype) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_DECRYPTION_FAILED; + if (edata[0] != 0 || edata[1] != btype) + { + gnutls_assert (); + gnutls_afree (edata); + return GNUTLS_E_DECRYPTION_FAILED; } - ret = GNUTLS_E_DECRYPTION_FAILED; - switch (btype) { + ret = GNUTLS_E_DECRYPTION_FAILED; + switch (btype) + { case 2: - for (i = 2; i < esize; i++) { - if (edata[i] == 0) { - ret = 0; - break; + for (i = 2; i < esize; i++) + { + if (edata[i] == 0) + { + ret = 0; + break; } } - break; + break; case 1: - for (i = 2; i < esize; i++) { - if (edata[i] == 0 && i > 2) { - ret = 0; - break; + for (i = 2; i < esize; i++) + { + if (edata[i] == 0 && i > 2) + { + ret = 0; + break; } - if (edata[i] != 0xff) { - _gnutls_handshake_log("PKCS #1 padding error"); - ret = GNUTLS_E_PKCS1_WRONG_PAD; - break; + if (edata[i] != 0xff) + { + _gnutls_handshake_log ("PKCS #1 padding error"); + ret = GNUTLS_E_PKCS1_WRONG_PAD; + break; } } - break; + break; default: - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + gnutls_afree (edata); + return GNUTLS_E_INTERNAL_ERROR; } - i++; + i++; - if (ret < 0) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_DECRYPTION_FAILED; + if (ret < 0) + { + gnutls_assert (); + gnutls_afree (edata); + return GNUTLS_E_DECRYPTION_FAILED; } - if (_gnutls_sset_datum(plaintext, &edata[i], esize - i) < 0) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_MEMORY_ERROR; + if (_gnutls_sset_datum (plaintext, &edata[i], esize - i) < 0) + { + gnutls_assert (); + gnutls_afree (edata); + return GNUTLS_E_MEMORY_ERROR; } - gnutls_afree(edata); + gnutls_afree (edata); - return 0; + return 0; } -int _gnutls_rsa_verify(const gnutls_datum_t * vdata, - const gnutls_datum_t * ciphertext, mpi_t * params, - int params_len, int btype) +int +_gnutls_rsa_verify (const gnutls_datum_t * vdata, + const gnutls_datum_t * ciphertext, mpi_t * params, + int params_len, int btype) { - gnutls_datum_t plain; - int ret; + gnutls_datum_t plain; + int ret; - /* decrypt signature */ - if ((ret = - _gnutls_pkcs1_rsa_decrypt(&plain, ciphertext, params, params_len, - btype)) < 0) { - gnutls_assert(); - return ret; + /* decrypt signature */ + if ((ret = + _gnutls_pkcs1_rsa_decrypt (&plain, ciphertext, params, params_len, + btype)) < 0) + { + gnutls_assert (); + return ret; } - if (plain.size != vdata->size) { - gnutls_assert(); - _gnutls_free_datum(&plain); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; + if (plain.size != vdata->size) + { + gnutls_assert (); + _gnutls_free_datum (&plain); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; } - if (memcmp(plain.data, vdata->data, plain.size) != 0) { - gnutls_assert(); - _gnutls_free_datum(&plain); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; + if (memcmp (plain.data, vdata->data, plain.size) != 0) + { + gnutls_assert (); + _gnutls_free_datum (&plain); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; } - _gnutls_free_datum(&plain); + _gnutls_free_datum (&plain); - return 0; /* ok */ + return 0; /* ok */ } /* encodes the Dss-Sig-Value structure */ -static int encode_ber_rs(gnutls_datum_t * sig_value, mpi_t r, mpi_t s) +static int +encode_ber_rs (gnutls_datum_t * sig_value, mpi_t r, mpi_t s) { - ASN1_TYPE sig; - int result, tot_len; + ASN1_TYPE sig; + int result, tot_len; - if ((result = - asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.DSASignatureValue", - &sig)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = + asn1_create_element (_gnutls_get_gnutls_asn (), + "GNUTLS.DSASignatureValue", + &sig)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = _gnutls_x509_write_int(sig, "r", r, 1); - if (result < 0) { - gnutls_assert(); - asn1_delete_structure(&sig); - return result; + result = _gnutls_x509_write_int (sig, "r", r, 1); + if (result < 0) + { + gnutls_assert (); + asn1_delete_structure (&sig); + return result; } - result = _gnutls_x509_write_int(sig, "s", s, 1); - if (result < 0) { - gnutls_assert(); - asn1_delete_structure(&sig); - return result; + result = _gnutls_x509_write_int (sig, "s", s, 1); + if (result < 0) + { + gnutls_assert (); + asn1_delete_structure (&sig); + return result; } - tot_len = 0; + tot_len = 0; - result = _gnutls_x509_der_encode(sig, "", sig_value, 0); + result = _gnutls_x509_der_encode (sig, "", sig_value, 0); - asn1_delete_structure(&sig); + asn1_delete_structure (&sig); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /* Do DSA signature calculation. params is p, q, g, y, x in that order. */ -int _gnutls_dsa_sign(gnutls_datum_t * signature, - const gnutls_datum_t * hash, mpi_t * params, - uint params_len) +int +_gnutls_dsa_sign (gnutls_datum_t * signature, + const gnutls_datum_t * hash, mpi_t * params, + uint params_len) { - mpi_t rs[2], mdata; - int ret; - size_t k; + mpi_t rs[2], mdata; + int ret; + size_t k; - k = hash->size; - if (k != 20) { /* SHA only */ - gnutls_assert(); - return GNUTLS_E_PK_SIGN_FAILED; + k = hash->size; + if (k != 20) + { /* SHA only */ + gnutls_assert (); + return GNUTLS_E_PK_SIGN_FAILED; } - if (_gnutls_mpi_scan_nz(&mdata, hash->data, &k) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + if (_gnutls_mpi_scan_nz (&mdata, hash->data, &k) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - ret = _gnutls_pk_sign(GCRY_PK_DSA, rs, mdata, params, params_len); - /* rs[0], rs[1] now hold r,s */ - _gnutls_mpi_release(&mdata); + ret = _gnutls_pk_sign (GCRY_PK_DSA, rs, mdata, params, params_len); + /* rs[0], rs[1] now hold r,s */ + _gnutls_mpi_release (&mdata); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = encode_ber_rs(signature, rs[0], rs[1]); + ret = encode_ber_rs (signature, rs[0], rs[1]); - /* free r,s */ - _gnutls_mpi_release(&rs[0]); - _gnutls_mpi_release(&rs[1]); + /* free r,s */ + _gnutls_mpi_release (&rs[0]); + _gnutls_mpi_release (&rs[1]); - if (ret != 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (ret != 0) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - return 0; + return 0; } /* decodes the Dss-Sig-Value structure */ -static int decode_ber_rs(const gnutls_datum_t * sig_value, mpi_t * r, - mpi_t * s) +static int +decode_ber_rs (const gnutls_datum_t * sig_value, mpi_t * r, mpi_t * s) { - ASN1_TYPE sig; - int result; + ASN1_TYPE sig; + int result; - if ((result = - asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.DSASignatureValue", - &sig)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = + asn1_create_element (_gnutls_get_gnutls_asn (), + "GNUTLS.DSASignatureValue", + &sig)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = - asn1_der_decoding(&sig, sig_value->data, sig_value->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&sig); - return _gnutls_asn2err(result); + result = asn1_der_decoding (&sig, sig_value->data, sig_value->size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&sig); + return _gnutls_asn2err (result); } - result = _gnutls_x509_read_int(sig, "r", r); - if (result < 0) { - gnutls_assert(); - asn1_delete_structure(&sig); - return result; + result = _gnutls_x509_read_int (sig, "r", r); + if (result < 0) + { + gnutls_assert (); + asn1_delete_structure (&sig); + return result; } - result = _gnutls_x509_read_int(sig, "s", s); - if (result < 0) { - gnutls_assert(); - _gnutls_mpi_release(s); - asn1_delete_structure(&sig); - return result; + result = _gnutls_x509_read_int (sig, "s", s); + if (result < 0) + { + gnutls_assert (); + _gnutls_mpi_release (s); + asn1_delete_structure (&sig); + return result; } - asn1_delete_structure(&sig); + asn1_delete_structure (&sig); - return 0; + return 0; } /* params is p, q, g, y in that order */ -int _gnutls_dsa_verify(const gnutls_datum_t * vdata, - const gnutls_datum_t * sig_value, mpi_t * params, - int params_len) +int +_gnutls_dsa_verify (const gnutls_datum_t * vdata, + const gnutls_datum_t * sig_value, mpi_t * params, + int params_len) { - mpi_t mdata; - int ret; - size_t k; - mpi_t rs[2]; + mpi_t mdata; + int ret; + size_t k; + mpi_t rs[2]; - if (vdata->size != 20) { /* sha-1 only */ - gnutls_assert(); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; + if (vdata->size != 20) + { /* sha-1 only */ + gnutls_assert (); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; } - if (decode_ber_rs(sig_value, &rs[0], &rs[1]) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + if (decode_ber_rs (sig_value, &rs[0], &rs[1]) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - k = vdata->size; - if (_gnutls_mpi_scan_nz(&mdata, vdata->data, &k) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + k = vdata->size; + if (_gnutls_mpi_scan_nz (&mdata, vdata->data, &k) != 0) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - /* decrypt signature */ - ret = _gnutls_pk_verify(GCRY_PK_DSA, mdata, rs, params, params_len); - _gnutls_mpi_release(&mdata); + /* decrypt signature */ + ret = _gnutls_pk_verify (GCRY_PK_DSA, mdata, rs, params, params_len); + _gnutls_mpi_release (&mdata); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; /* ok */ + return 0; /* ok */ } @@ -515,297 +569,333 @@ int _gnutls_dsa_verify(const gnutls_datum_t * vdata, * Emulate our old PK interface here - sometime in the future we might * change the internal design to directly fit to libgcrypt. */ -static int _gnutls_pk_encrypt(int algo, mpi_t * resarr, mpi_t data, - mpi_t * pkey, int pkey_len) +static int +_gnutls_pk_encrypt (int algo, mpi_t * resarr, mpi_t data, + mpi_t * pkey, int pkey_len) { - gcry_sexp_t s_ciph, s_data, s_pkey; - int rc = -1; + gcry_sexp_t s_ciph, s_data, s_pkey; + int rc = -1; - /* make a sexp from pkey */ - switch (algo) { + /* make a sexp from pkey */ + switch (algo) + { case GCRY_PK_RSA: - if (pkey_len >= 2) - rc = gcry_sexp_build(&s_pkey, NULL, - "(public-key(rsa(n%m)(e%m)))", - pkey[0], pkey[1]); - break; + if (pkey_len >= 2) + rc = gcry_sexp_build (&s_pkey, NULL, + "(public-key(rsa(n%m)(e%m)))", + pkey[0], pkey[1]); + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (rc != 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* put the data into a simple list */ - if (gcry_sexp_build(&s_data, NULL, "%m", data)) { - gnutls_assert(); - gcry_sexp_release(s_pkey); - return GNUTLS_E_INTERNAL_ERROR; + /* put the data into a simple list */ + if (gcry_sexp_build (&s_data, NULL, "%m", data)) + { + gnutls_assert (); + gcry_sexp_release (s_pkey); + return GNUTLS_E_INTERNAL_ERROR; } - /* pass it to libgcrypt */ - rc = gcry_pk_encrypt(&s_ciph, s_data, s_pkey); - gcry_sexp_release(s_data); - gcry_sexp_release(s_pkey); + /* pass it to libgcrypt */ + rc = gcry_pk_encrypt (&s_ciph, s_data, s_pkey); + gcry_sexp_release (s_data); + gcry_sexp_release (s_pkey); - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_PK_ENCRYPTION_FAILED; + if (rc != 0) + { + gnutls_assert (); + return GNUTLS_E_PK_ENCRYPTION_FAILED; - } else { /* add better error handling or make gnupg use S-Exp directly */ - gcry_sexp_t list = gcry_sexp_find_token(s_ciph, "a", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(s_ciph); - return GNUTLS_E_INTERNAL_ERROR; + } + else + { /* add better error handling or make gnupg use S-Exp directly */ + gcry_sexp_t list = gcry_sexp_find_token (s_ciph, "a", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (s_ciph); + return GNUTLS_E_INTERNAL_ERROR; } - resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + resarr[0] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); - if (resarr[0] == NULL) { - gnutls_assert(); - gcry_sexp_release(s_ciph); - return GNUTLS_E_INTERNAL_ERROR; + if (resarr[0] == NULL) + { + gnutls_assert (); + gcry_sexp_release (s_ciph); + return GNUTLS_E_INTERNAL_ERROR; } } - gcry_sexp_release(s_ciph); - return rc; + gcry_sexp_release (s_ciph); + return rc; } -static -int _gnutls_pk_decrypt(int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey, - int pkey_len) +static int +_gnutls_pk_decrypt (int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey, + int pkey_len) { - gcry_sexp_t s_plain, s_data, s_pkey; - int rc = -1; + gcry_sexp_t s_plain, s_data, s_pkey; + int rc = -1; - /* make a sexp from pkey */ - switch (algo) { + /* make a sexp from pkey */ + switch (algo) + { case GCRY_PK_RSA: - if (pkey_len >= 6) - rc = gcry_sexp_build(&s_pkey, NULL, - "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))", - pkey[0], pkey[1], pkey[2], pkey[3], - pkey[4], pkey[5]); - break; + if (pkey_len >= 6) + rc = gcry_sexp_build (&s_pkey, NULL, + "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))", + pkey[0], pkey[1], pkey[2], pkey[3], + pkey[4], pkey[5]); + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (rc != 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* put the data into a simple list */ - if (gcry_sexp_build(&s_data, NULL, "(enc-val(rsa(a%m)))", data)) { - gnutls_assert(); - gcry_sexp_release(s_pkey); - return GNUTLS_E_INTERNAL_ERROR; + /* put the data into a simple list */ + if (gcry_sexp_build (&s_data, NULL, "(enc-val(rsa(a%m)))", data)) + { + gnutls_assert (); + gcry_sexp_release (s_pkey); + return GNUTLS_E_INTERNAL_ERROR; } - /* pass it to libgcrypt */ - rc = gcry_pk_decrypt(&s_plain, s_data, s_pkey); - gcry_sexp_release(s_data); - gcry_sexp_release(s_pkey); + /* pass it to libgcrypt */ + rc = gcry_pk_decrypt (&s_plain, s_data, s_pkey); + gcry_sexp_release (s_data); + gcry_sexp_release (s_pkey); - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_PK_DECRYPTION_FAILED; + if (rc != 0) + { + gnutls_assert (); + return GNUTLS_E_PK_DECRYPTION_FAILED; - } else { /* add better error handling or make gnupg use S-Exp directly */ - resarr[0] = gcry_sexp_nth_mpi(s_plain, 0, 0); + } + else + { /* add better error handling or make gnupg use S-Exp directly */ + resarr[0] = gcry_sexp_nth_mpi (s_plain, 0, 0); - if (resarr[0] == NULL) { - gnutls_assert(); - gcry_sexp_release(s_plain); - return GNUTLS_E_INTERNAL_ERROR; + if (resarr[0] == NULL) + { + gnutls_assert (); + gcry_sexp_release (s_plain); + return GNUTLS_E_INTERNAL_ERROR; } } - gcry_sexp_release(s_plain); - return rc; + gcry_sexp_release (s_plain); + return rc; } /* in case of DSA puts into data, r,s */ -static -int _gnutls_pk_sign(int algo, mpi_t * data, mpi_t hash, mpi_t * pkey, - int pkey_len) +static int +_gnutls_pk_sign (int algo, mpi_t * data, mpi_t hash, mpi_t * pkey, + int pkey_len) { - gcry_sexp_t s_hash, s_key, s_sig; - int rc = -1; + gcry_sexp_t s_hash, s_key, s_sig; + int rc = -1; - /* make a sexp from pkey */ - switch (algo) { + /* make a sexp from pkey */ + switch (algo) + { case GCRY_PK_DSA: - if (pkey_len >= 5) - rc = gcry_sexp_build(&s_key, NULL, - "(private-key(dsa(p%m)(q%m)(g%m)(y%m)(x%m)))", - pkey[0], pkey[1], pkey[2], - pkey[3], pkey[4]); - else { - gnutls_assert(); + if (pkey_len >= 5) + rc = gcry_sexp_build (&s_key, NULL, + "(private-key(dsa(p%m)(q%m)(g%m)(y%m)(x%m)))", + pkey[0], pkey[1], pkey[2], pkey[3], pkey[4]); + else + { + gnutls_assert (); } - break; + break; case GCRY_PK_RSA: - if (pkey_len >= 6) - rc = gcry_sexp_build(&s_key, NULL, - "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))", - pkey[0], pkey[1], pkey[2], pkey[3], - pkey[4], pkey[5]); - else { - gnutls_assert(); + if (pkey_len >= 6) + rc = gcry_sexp_build (&s_key, NULL, + "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))", + pkey[0], pkey[1], pkey[2], pkey[3], + pkey[4], pkey[5]); + else + { + gnutls_assert (); } - break; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (rc != 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* put the data into a simple list */ - if (gcry_sexp_build(&s_hash, NULL, "%m", hash)) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + /* put the data into a simple list */ + if (gcry_sexp_build (&s_hash, NULL, "%m", hash)) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* pass it to libgcrypt */ - rc = gcry_pk_sign(&s_sig, s_hash, s_key); - gcry_sexp_release(s_hash); - gcry_sexp_release(s_key); + /* pass it to libgcrypt */ + rc = gcry_pk_sign (&s_sig, s_hash, s_key); + gcry_sexp_release (s_hash); + gcry_sexp_release (s_key); - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_PK_SIGN_FAILED; + if (rc != 0) + { + gnutls_assert (); + return GNUTLS_E_PK_SIGN_FAILED; - } else { - gcry_sexp_t list; + } + else + { + gcry_sexp_t list; - if (algo == GCRY_PK_DSA) { - list = gcry_sexp_find_token(s_sig, "r", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(s_sig); - return GNUTLS_E_INTERNAL_ERROR; + if (algo == GCRY_PK_DSA) + { + list = gcry_sexp_find_token (s_sig, "r", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (s_sig); + return GNUTLS_E_INTERNAL_ERROR; } - data[0] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + data[0] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); - list = gcry_sexp_find_token(s_sig, "s", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(s_sig); - return GNUTLS_E_INTERNAL_ERROR; + list = gcry_sexp_find_token (s_sig, "s", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (s_sig); + return GNUTLS_E_INTERNAL_ERROR; } - data[1] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - } else { /* GCRY_PK_RSA */ - list = gcry_sexp_find_token(s_sig, "s", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(s_sig); - return GNUTLS_E_INTERNAL_ERROR; + data[1] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); + } + else + { /* GCRY_PK_RSA */ + list = gcry_sexp_find_token (s_sig, "s", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (s_sig); + return GNUTLS_E_INTERNAL_ERROR; } - data[0] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + data[0] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); } } - gcry_sexp_release(s_sig); - return 0; + gcry_sexp_release (s_sig); + return 0; } -static int _gnutls_pk_verify(int algo, mpi_t hash, mpi_t * data, - mpi_t * pkey, int pkey_len) +static int +_gnutls_pk_verify (int algo, mpi_t hash, mpi_t * data, + mpi_t * pkey, int pkey_len) { - gcry_sexp_t s_sig, s_hash, s_pkey; - int rc = -1; + gcry_sexp_t s_sig, s_hash, s_pkey; + int rc = -1; - /* make a sexp from pkey */ - switch (algo) { + /* make a sexp from pkey */ + switch (algo) + { case GCRY_PK_DSA: - if (pkey_len >= 4) - rc = gcry_sexp_build(&s_pkey, NULL, - "(public-key(dsa(p%m)(q%m)(g%m)(y%m)))", - pkey[0], pkey[1], pkey[2], pkey[3]); - break; + if (pkey_len >= 4) + rc = gcry_sexp_build (&s_pkey, NULL, + "(public-key(dsa(p%m)(q%m)(g%m)(y%m)))", + pkey[0], pkey[1], pkey[2], pkey[3]); + break; case GCRY_PK_RSA: - if (pkey_len >= 2) - rc = gcry_sexp_build(&s_pkey, NULL, - "(public-key(rsa(n%m)(e%m)))", - pkey[0], pkey[1]); - break; + if (pkey_len >= 2) + rc = gcry_sexp_build (&s_pkey, NULL, + "(public-key(rsa(n%m)(e%m)))", + pkey[0], pkey[1]); + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (rc != 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* put the data into a simple list */ - if (gcry_sexp_build(&s_hash, NULL, "%m", hash)) { - gnutls_assert(); - gcry_sexp_release(s_pkey); - return GNUTLS_E_INTERNAL_ERROR; + /* put the data into a simple list */ + if (gcry_sexp_build (&s_hash, NULL, "%m", hash)) + { + gnutls_assert (); + gcry_sexp_release (s_pkey); + return GNUTLS_E_INTERNAL_ERROR; } - switch (algo) { + switch (algo) + { case GCRY_PK_DSA: - rc = gcry_sexp_build(&s_sig, NULL, - "(sig-val(dsa(r%m)(s%m)))", data[0], data[1]); - break; + rc = gcry_sexp_build (&s_sig, NULL, + "(sig-val(dsa(r%m)(s%m)))", data[0], data[1]); + break; case GCRY_PK_RSA: - rc = gcry_sexp_build(&s_sig, NULL, "(sig-val(rsa(s%m)))", data[0]); - break; + rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(rsa(s%m)))", data[0]); + break; default: - gnutls_assert(); - gcry_sexp_release(s_pkey); - gcry_sexp_release(s_hash); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + gcry_sexp_release (s_pkey); + gcry_sexp_release (s_hash); + return GNUTLS_E_INTERNAL_ERROR; } - if (rc != 0) { - gnutls_assert(); - gcry_sexp_release(s_pkey); - gcry_sexp_release(s_hash); - return GNUTLS_E_INTERNAL_ERROR; + if (rc != 0) + { + gnutls_assert (); + gcry_sexp_release (s_pkey); + gcry_sexp_release (s_hash); + return GNUTLS_E_INTERNAL_ERROR; } - rc = gcry_pk_verify(s_sig, s_hash, s_pkey); + rc = gcry_pk_verify (s_sig, s_hash, s_pkey); - gcry_sexp_release(s_sig); - gcry_sexp_release(s_hash); - gcry_sexp_release(s_pkey); + gcry_sexp_release (s_sig); + gcry_sexp_release (s_hash); + gcry_sexp_release (s_pkey); - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; + if (rc != 0) + { + gnutls_assert (); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; } - return 0; + return 0; } diff --git a/lib/gnutls_pk.h b/lib/gnutls_pk.h index 714fba92da..1494fc64d4 100644 --- a/lib/gnutls_pk.h +++ b/lib/gnutls_pk.h @@ -25,20 +25,20 @@ #ifndef GNUTLS_PK_H # define GNUTLS_PK_H -int _gnutls_pkcs1_rsa_encrypt(gnutls_datum_t * ciphertext, - const gnutls_datum_t * plaintext, - mpi_t * params, uint params_len, uint btype); -int _gnutls_dsa_sign(gnutls_datum_t * signature, - const gnutls_datum_t * plaintext, mpi_t * params, - uint params_len); -int _gnutls_pkcs1_rsa_decrypt(gnutls_datum_t * plaintext, - const gnutls_datum_t * ciphertext, - mpi_t * params, uint params_len, uint btype); -int _gnutls_rsa_verify(const gnutls_datum_t * vdata, - const gnutls_datum_t * ciphertext, mpi_t * params, - int params_len, int btype); -int _gnutls_dsa_verify(const gnutls_datum_t * vdata, - const gnutls_datum_t * sig_value, mpi_t * params, - int params_len); +int _gnutls_pkcs1_rsa_encrypt (gnutls_datum_t * ciphertext, + const gnutls_datum_t * plaintext, + mpi_t * params, uint params_len, uint btype); +int _gnutls_dsa_sign (gnutls_datum_t * signature, + const gnutls_datum_t * plaintext, mpi_t * params, + uint params_len); +int _gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext, + const gnutls_datum_t * ciphertext, + mpi_t * params, uint params_len, uint btype); +int _gnutls_rsa_verify (const gnutls_datum_t * vdata, + const gnutls_datum_t * ciphertext, mpi_t * params, + int params_len, int btype); +int _gnutls_dsa_verify (const gnutls_datum_t * vdata, + const gnutls_datum_t * sig_value, mpi_t * params, + int params_len); -#endif /* GNUTLS_PK_H */ +#endif /* GNUTLS_PK_H */ diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index 3c19e13a12..1792c90418 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -42,21 +42,23 @@ * not use the algorithm's priority except for disabling * algorithms that were not specified. **/ -int gnutls_cipher_set_priority(gnutls_session_t session, const int *list) +int +gnutls_cipher_set_priority (gnutls_session_t session, const int *list) { - int num = 0, i; + int num = 0, i; - while (list[num] != 0) - num++; - if (num > MAX_ALGOS) - num = MAX_ALGOS; - session->internals.cipher_algorithm_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.cipher_algorithm_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.cipher_algorithm_priority.priority[i] = list[i]; + for (i = 0; i < num; i++) + { + session->internals.cipher_algorithm_priority.priority[i] = list[i]; } - return 0; + return 0; } /** @@ -71,21 +73,23 @@ int gnutls_cipher_set_priority(gnutls_session_t session, const int *list) * not use the algorithm's priority except for disabling * algorithms that were not specified. **/ -int gnutls_kx_set_priority(gnutls_session_t session, const int *list) +int +gnutls_kx_set_priority (gnutls_session_t session, const int *list) { - int num = 0, i; + int num = 0, i; - while (list[num] != 0) - num++; - if (num > MAX_ALGOS) - num = MAX_ALGOS; - session->internals.kx_algorithm_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.kx_algorithm_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.kx_algorithm_priority.priority[i] = list[i]; + for (i = 0; i < num; i++) + { + session->internals.kx_algorithm_priority.priority[i] = list[i]; } - return 0; + return 0; } /** @@ -100,21 +104,23 @@ int gnutls_kx_set_priority(gnutls_session_t session, const int *list) * not use the algorithm's priority except for disabling * algorithms that were not specified. **/ -int gnutls_mac_set_priority(gnutls_session_t session, const int *list) +int +gnutls_mac_set_priority (gnutls_session_t session, const int *list) { - int num = 0, i; + int num = 0, i; - while (list[num] != 0) - num++; - if (num > MAX_ALGOS) - num = MAX_ALGOS; - session->internals.mac_algorithm_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.mac_algorithm_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.mac_algorithm_priority.priority[i] = list[i]; + for (i = 0; i < num; i++) + { + session->internals.mac_algorithm_priority.priority[i] = list[i]; } - return 0; + return 0; } /** @@ -134,22 +140,22 @@ int gnutls_mac_set_priority(gnutls_session_t session, const int *list) * as gnutls extensions. * **/ -int gnutls_compression_set_priority(gnutls_session_t session, - const int *list) +int +gnutls_compression_set_priority (gnutls_session_t session, const int *list) { - int num = 0, i; + int num = 0, i; - while (list[num] != 0) - num++; - if (num > MAX_ALGOS) - num = MAX_ALGOS; - session->internals.compression_method_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.compression_method_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.compression_method_priority. - priority[i] = list[i]; + for (i = 0; i < num; i++) + { + session->internals.compression_method_priority.priority[i] = list[i]; } - return 0; + return 0; } /** @@ -162,27 +168,29 @@ int gnutls_compression_set_priority(gnutls_session_t session, * versions always have highest priority. * **/ -int gnutls_protocol_set_priority(gnutls_session_t session, const int *list) +int +gnutls_protocol_set_priority (gnutls_session_t session, const int *list) { - int num = 0, i; + int num = 0, i; - while (list[num] != 0) - num++; - if (num > MAX_ALGOS) - num = MAX_ALGOS; - session->internals.protocol_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.protocol_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.protocol_priority.priority[i] = list[i]; + for (i = 0; i < num; i++) + { + session->internals.protocol_priority.priority[i] = list[i]; } - /* set the current version to the first in the chain. - * This will be overridden later. - */ - if (num > 0) - _gnutls_set_current_version(session, list[0]); + /* set the current version to the first in the chain. + * This will be overridden later. + */ + if (num > 0) + _gnutls_set_current_version (session, list[0]); - return 0; + return 0; } /** @@ -197,28 +205,30 @@ int gnutls_protocol_set_priority(gnutls_session_t session, const int *list) * The server does not use the cert type priority except for disabling * types that were not specified. **/ -int gnutls_certificate_type_set_priority(gnutls_session_t session, - const int *list) +int +gnutls_certificate_type_set_priority (gnutls_session_t session, + const int *list) { #ifdef ENABLE_OPENPGP - int num = 0, i; + int num = 0, i; - while (list[num] != 0) - num++; - if (num > MAX_ALGOS) - num = MAX_ALGOS; - session->internals.cert_type_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.cert_type_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.cert_type_priority.priority[i] = list[i]; + for (i = 0; i < num; i++) + { + session->internals.cert_type_priority.priority[i] = list[i]; } - return 0; + return 0; #else - return GNUTLS_E_UNIMPLEMENTED_FEATURE; + return GNUTLS_E_UNIMPLEMENTED_FEATURE; #endif } @@ -239,26 +249,27 @@ int gnutls_certificate_type_set_priority(gnutls_session_t session, * and ARCFOUR_128 for ciphers. * **/ -int gnutls_set_default_priority(gnutls_session_t session) +int +gnutls_set_default_priority (gnutls_session_t session) { - static const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; - static const int kx_priority[] = - { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, 0 }; - static const int cipher_priority[] = { - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, 0 - }; - static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; - static const int mac_priority[] = - { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; - - gnutls_cipher_set_priority(session, cipher_priority); - gnutls_compression_set_priority(session, comp_priority); - gnutls_kx_set_priority(session, kx_priority); - gnutls_protocol_set_priority(session, protocol_priority); - gnutls_mac_set_priority(session, mac_priority); - - return 0; + static const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; + static const int kx_priority[] = + { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, 0 }; + static const int cipher_priority[] = { + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, 0 + }; + static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; + static const int mac_priority[] = + { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; + + gnutls_cipher_set_priority (session, cipher_priority); + gnutls_compression_set_priority (session, comp_priority); + gnutls_kx_set_priority (session, kx_priority); + gnutls_protocol_set_priority (session, protocol_priority); + gnutls_mac_set_priority (session, mac_priority); + + return 0; } /** @@ -275,29 +286,30 @@ int gnutls_set_default_priority(gnutls_session_t session) * and 3DES_CBC, ARCFOUR_128, ARCFOUR_40 for ciphers. * **/ -int gnutls_set_default_export_priority(gnutls_session_t session) +int +gnutls_set_default_export_priority (gnutls_session_t session) { - static const int protocol_priority[] = { - GNUTLS_TLS1, GNUTLS_SSL3, 0 - }; - static const int kx_priority[] = { - GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, - GNUTLS_KX_RSA_EXPORT, 0 - }; - static const int cipher_priority[] = { - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_CIPHER_ARCFOUR_40, 0 - }; - static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; - static const int mac_priority[] = - { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; - - gnutls_cipher_set_priority(session, cipher_priority); - gnutls_compression_set_priority(session, comp_priority); - gnutls_kx_set_priority(session, kx_priority); - gnutls_protocol_set_priority(session, protocol_priority); - gnutls_mac_set_priority(session, mac_priority); - - return 0; + static const int protocol_priority[] = { + GNUTLS_TLS1, GNUTLS_SSL3, 0 + }; + static const int kx_priority[] = { + GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, + GNUTLS_KX_RSA_EXPORT, 0 + }; + static const int cipher_priority[] = { + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_CIPHER_ARCFOUR_40, 0 + }; + static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; + static const int mac_priority[] = + { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; + + gnutls_cipher_set_priority (session, cipher_priority); + gnutls_compression_set_priority (session, comp_priority); + gnutls_kx_set_priority (session, kx_priority); + gnutls_protocol_set_priority (session, protocol_priority); + gnutls_mac_set_priority (session, mac_priority); + + return 0; } diff --git a/lib/gnutls_priority.h b/lib/gnutls_priority.h index 7f47c732ff..d5b1fe60bb 100644 --- a/lib/gnutls_priority.h +++ b/lib/gnutls_priority.h @@ -22,10 +22,10 @@ * */ -int gnutls_cipher_set_priority(gnutls_session_t session, const int *); -int gnutls_kx_set_priority(gnutls_session_t session, const int *); -int gnutls_mac_set_priority(gnutls_session_t session, const int *); -int gnutls_compression_set_priority(gnutls_session_t session, const int *); -int gnutls_protocol_set_priority(gnutls_session_t session, const int *); -int gnutls_certificate_type_set_priority(gnutls_session_t session, - const int *); +int gnutls_cipher_set_priority (gnutls_session_t session, const int *); +int gnutls_kx_set_priority (gnutls_session_t session, const int *); +int gnutls_mac_set_priority (gnutls_session_t session, const int *); +int gnutls_compression_set_priority (gnutls_session_t session, const int *); +int gnutls_protocol_set_priority (gnutls_session_t session, const int *); +int gnutls_certificate_type_set_priority (gnutls_session_t session, + const int *); diff --git a/lib/gnutls_psk.c b/lib/gnutls_psk.c index a15c50314e..c9965ca049 100644 --- a/lib/gnutls_psk.c +++ b/lib/gnutls_psk.c @@ -46,11 +46,12 @@ * this helper function is provided in order to free (deallocate) it. * **/ -void gnutls_psk_free_client_credentials(gnutls_psk_client_credentials_t sc) +void +gnutls_psk_free_client_credentials (gnutls_psk_client_credentials_t sc) { - _gnutls_free_datum(&sc->username); - _gnutls_free_datum(&sc->key); - gnutls_free(sc); + _gnutls_free_datum (&sc->username); + _gnutls_free_datum (&sc->key); + gnutls_free (sc); } /** @@ -62,14 +63,15 @@ void gnutls_psk_free_client_credentials(gnutls_psk_client_credentials_t sc) * * Returns 0 on success. **/ -int gnutls_psk_allocate_client_credentials(gnutls_psk_client_credentials_t* sc) +int +gnutls_psk_allocate_client_credentials (gnutls_psk_client_credentials_t * sc) { - *sc = gnutls_calloc(1, sizeof(psk_client_credentials_st)); + *sc = gnutls_calloc (1, sizeof (psk_client_credentials_st)); - if (*sc == NULL) - return GNUTLS_E_MEMORY_ERROR; + if (*sc == NULL) + return GNUTLS_E_MEMORY_ERROR; - return 0; + return 0; } /** @@ -84,50 +86,59 @@ int gnutls_psk_allocate_client_credentials(gnutls_psk_client_credentials_t* sc) * * Returns 0 on success. **/ -int gnutls_psk_set_client_credentials(gnutls_psk_client_credentials_t res, - const char *username, const gnutls_datum *key, - unsigned int flags) +int +gnutls_psk_set_client_credentials (gnutls_psk_client_credentials_t res, + const char *username, + const gnutls_datum * key, + unsigned int flags) { -int ret; + int ret; - if (username == NULL || key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (username == NULL || key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = _gnutls_set_datum(&res->username, username, strlen(username)); - if (ret < 0) - return ret; - - if (flags == GNUTLS_PSK_KEY_RAW) { - if (_gnutls_set_datum( &res->key, key->data, key->size) < 0) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; - } - } else { /* HEX key */ - res->key.size = key->size / 2; - res->key.data = gnutls_malloc( res->key.size); - if (res->key.data == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - ret = gnutls_hex_decode( key, (char*)res->key.data, &res->key.size); - if (ret < 0) { - gnutls_assert(); - goto error; - } + ret = _gnutls_set_datum (&res->username, username, strlen (username)); + if (ret < 0) + return ret; + + if (flags == GNUTLS_PSK_KEY_RAW) + { + if (_gnutls_set_datum (&res->key, key->data, key->size) < 0) + { + gnutls_assert (); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; + } + } + else + { /* HEX key */ + res->key.size = key->size / 2; + res->key.data = gnutls_malloc (res->key.size); + if (res->key.data == NULL) + { + gnutls_assert (); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + ret = gnutls_hex_decode (key, (char *) res->key.data, &res->key.size); + if (ret < 0) + { + gnutls_assert (); + goto error; + } } - return 0; + return 0; error: - _gnutls_free_datum( &res->username); + _gnutls_free_datum (&res->username); - return ret; + return ret; } /** @@ -138,10 +149,11 @@ error: * this helper function is provided in order to free (deallocate) it. * **/ -void gnutls_psk_free_server_credentials(gnutls_psk_server_credentials_t sc) +void +gnutls_psk_free_server_credentials (gnutls_psk_server_credentials_t sc) { - gnutls_free(sc->password_file); - gnutls_free(sc); + gnutls_free (sc->password_file); + gnutls_free (sc); } /** @@ -153,14 +165,15 @@ void gnutls_psk_free_server_credentials(gnutls_psk_server_credentials_t sc) * * Returns 0 on success. **/ -int gnutls_psk_allocate_server_credentials(gnutls_psk_server_credentials_t* sc) +int +gnutls_psk_allocate_server_credentials (gnutls_psk_server_credentials_t * sc) { - *sc = gnutls_calloc(1, sizeof(psk_server_cred_st)); + *sc = gnutls_calloc (1, sizeof (psk_server_cred_st)); - if (*sc == NULL) - return GNUTLS_E_MEMORY_ERROR; + if (*sc == NULL) + return GNUTLS_E_MEMORY_ERROR; - return 0; + return 0; } @@ -175,28 +188,32 @@ int gnutls_psk_allocate_server_credentials(gnutls_psk_server_credentials_t* sc) * Returns 0 on success. * **/ -int gnutls_psk_set_server_credentials_file(gnutls_psk_server_credentials_t - res, const char *password_file) +int +gnutls_psk_set_server_credentials_file (gnutls_psk_server_credentials_t + res, const char *password_file) { - if (password_file == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (password_file == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Check if the files can be opened */ - if (_gnutls_file_exists(password_file) != 0) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; + /* Check if the files can be opened */ + if (_gnutls_file_exists (password_file) != 0) + { + gnutls_assert (); + return GNUTLS_E_FILE_ERROR; } - res->password_file = gnutls_strdup(password_file); - if (res->password_file == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + res->password_file = gnutls_strdup (password_file); + if (res->password_file == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - return 0; + return 0; } @@ -222,12 +239,12 @@ int gnutls_psk_set_server_credentials_file(gnutls_psk_server_credentials_t * **/ void -gnutls_psk_set_server_credentials_function(gnutls_psk_server_credentials_t - cred, - gnutls_psk_server_credentials_function - * func) +gnutls_psk_set_server_credentials_function (gnutls_psk_server_credentials_t + cred, + gnutls_psk_server_credentials_function + * func) { - cred->pwd_callback = func; + cred->pwd_callback = func; } /** @@ -252,12 +269,12 @@ gnutls_psk_set_server_credentials_function(gnutls_psk_server_credentials_t * **/ void -gnutls_psk_set_client_credentials_function(gnutls_psk_client_credentials_t - cred, - gnutls_psk_client_credentials_function - * func) +gnutls_psk_set_client_credentials_function (gnutls_psk_client_credentials_t + cred, + gnutls_psk_client_credentials_function + * func) { - cred->get_function = func; + cred->get_function = func; } @@ -270,16 +287,17 @@ gnutls_psk_set_client_credentials_function(gnutls_psk_client_credentials_t * Returns NULL in case of an error. * **/ -const char *gnutls_psk_server_get_username(gnutls_session_t session) +const char * +gnutls_psk_server_get_username (gnutls_session_t session) { - psk_server_auth_info_t info; + psk_server_auth_info_t info; - CHECK_AUTH(GNUTLS_CRD_PSK, NULL); + CHECK_AUTH (GNUTLS_CRD_PSK, NULL); - info = _gnutls_get_auth_info(session); - if (info == NULL) - return NULL; - return info->username; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return NULL; + return info->username; } /** @@ -296,16 +314,19 @@ const char *gnutls_psk_server_get_username(gnutls_session_t session) * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the buffer given is not long enough, * or 0 on success. **/ -int gnutls_hex_decode(const gnutls_datum_t * hex_data, char *result, - size_t *result_size) +int +gnutls_hex_decode (const gnutls_datum_t * hex_data, char *result, + size_t * result_size) { - int ret; + int ret; - ret = _gnutls_hex2bin(hex_data->data, hex_data->size, (opaque*)result, result_size); - if (ret < 0) - return ret; + ret = + _gnutls_hex2bin (hex_data->data, hex_data->size, (opaque *) result, + result_size); + if (ret < 0) + return ret; - return 0; + return 0; } /** @@ -320,18 +341,20 @@ int gnutls_hex_decode(const gnutls_datum_t * hex_data, char *result, * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the buffer given is not long enough, * or 0 on success. **/ -int gnutls_hex_encode(const gnutls_datum_t * data, char *result, - size_t *result_size) +int +gnutls_hex_encode (const gnutls_datum_t * data, char *result, + size_t * result_size) { - if (*result_size < data->size + data->size + 1) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (*result_size < data->size + data->size + 1) + { + gnutls_assert (); + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - _gnutls_bin2hex(data->data, data->size, result, *result_size); + _gnutls_bin2hex (data->data, data->size, result, *result_size); - return 0; + return 0; } -#endif /* ENABLE_PSK */ +#endif /* ENABLE_PSK */ diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index 32d26734e5..9e2faf965c 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c @@ -52,15 +52,17 @@ * Returns the version of the currently used protocol. * **/ -gnutls_protocol_t gnutls_protocol_get_version(gnutls_session_t session) +gnutls_protocol_t +gnutls_protocol_get_version (gnutls_session_t session) { - return session->security_parameters.version; + return session->security_parameters.version; } -void _gnutls_set_current_version(gnutls_session_t session, - gnutls_protocol_t version) +void +_gnutls_set_current_version (gnutls_session_t session, + gnutls_protocol_t version) { - session->security_parameters.version = version; + session->security_parameters.version = version; } /** @@ -76,9 +78,10 @@ void _gnutls_set_current_version(gnutls_session_t session, * Otherwise it must be called and set lowat to zero. * **/ -void gnutls_transport_set_lowat(gnutls_session_t session, int num) +void +gnutls_transport_set_lowat (gnutls_session_t session, int num) { - session->internals.lowat = num; + session->internals.lowat = num; } /** @@ -91,11 +94,12 @@ void gnutls_transport_set_lowat(gnutls_session_t session, int num) * handle. * **/ -void gnutls_transport_set_ptr(gnutls_session_t session, - gnutls_transport_ptr_t ptr) +void +gnutls_transport_set_ptr (gnutls_session_t session, + gnutls_transport_ptr_t ptr) { - session->internals.transport_recv_ptr = ptr; - session->internals.transport_send_ptr = ptr; + session->internals.transport_recv_ptr = ptr; + session->internals.transport_send_ptr = ptr; } @@ -111,12 +115,13 @@ void gnutls_transport_set_ptr(gnutls_session_t session, * receiving and sending. * **/ -void gnutls_transport_set_ptr2(gnutls_session_t session, - gnutls_transport_ptr_t recv_ptr, - gnutls_transport_ptr_t send_ptr) +void +gnutls_transport_set_ptr2 (gnutls_session_t session, + gnutls_transport_ptr_t recv_ptr, + gnutls_transport_ptr_t send_ptr) { - session->internals.transport_send_ptr = send_ptr; - session->internals.transport_recv_ptr = recv_ptr; + session->internals.transport_send_ptr = send_ptr; + session->internals.transport_recv_ptr = recv_ptr; } /** @@ -127,9 +132,10 @@ void gnutls_transport_set_ptr2(gnutls_session_t session, * PULL). This must have been set using gnutls_transport_set_ptr(). * **/ -gnutls_transport_ptr_t gnutls_transport_get_ptr(gnutls_session_t session) +gnutls_transport_ptr_t +gnutls_transport_get_ptr (gnutls_session_t session) { - return session->internals.transport_recv_ptr; + return session->internals.transport_recv_ptr; } /** @@ -142,13 +148,14 @@ gnutls_transport_ptr_t gnutls_transport_get_ptr(gnutls_session_t session) * PULL). These should have been set using gnutls_transport_set_ptr2(). * **/ -void gnutls_transport_get_ptr2(gnutls_session_t session, - gnutls_transport_ptr_t * recv_ptr, - gnutls_transport_ptr_t * send_ptr) +void +gnutls_transport_get_ptr2 (gnutls_session_t session, + gnutls_transport_ptr_t * recv_ptr, + gnutls_transport_ptr_t * send_ptr) { - *recv_ptr = session->internals.transport_recv_ptr; - *send_ptr = session->internals.transport_send_ptr; + *recv_ptr = session->internals.transport_recv_ptr; + *send_ptr = session->internals.transport_send_ptr; } /** @@ -175,98 +182,111 @@ void gnutls_transport_get_ptr2(gnutls_session_t session, * gnutls_record_get_direction(). * **/ -int gnutls_bye(gnutls_session_t session, gnutls_close_request_t how) +int +gnutls_bye (gnutls_session_t session, gnutls_close_request_t how) { - int ret = 0; + int ret = 0; - switch (STATE) { + switch (STATE) + { case STATE0: case STATE60: - ret = _gnutls_io_write_flush(session); - STATE = STATE60; - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_io_write_flush (session); + STATE = STATE60; + if (ret < 0) + { + gnutls_assert (); + return ret; } case STATE61: - ret = - gnutls_alert_send(session, GNUTLS_AL_WARNING, - GNUTLS_A_CLOSE_NOTIFY); - STATE = STATE61; - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + gnutls_alert_send (session, GNUTLS_AL_WARNING, GNUTLS_A_CLOSE_NOTIFY); + STATE = STATE61; + if (ret < 0) + { + gnutls_assert (); + return ret; } case STATE62: - if (how == GNUTLS_SHUT_RDWR) { - do { - _gnutls_io_clear_peeked_data( session); - ret = _gnutls_recv_int(session, GNUTLS_ALERT, -1, NULL, 0); - } while( ret == GNUTLS_E_GOT_APPLICATION_DATA); - - if (ret >= 0) - session->internals.may_not_read = 1; - - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (how == GNUTLS_SHUT_RDWR) + { + do + { + _gnutls_io_clear_peeked_data (session); + ret = _gnutls_recv_int (session, GNUTLS_ALERT, -1, NULL, 0); + } + while (ret == GNUTLS_E_GOT_APPLICATION_DATA); + + if (ret >= 0) + session->internals.may_not_read = 1; + + if (ret < 0) + { + gnutls_assert (); + return ret; + } } - STATE = STATE62; + STATE = STATE62; - break; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - STATE = STATE0; + STATE = STATE0; - session->internals.may_not_write = 1; - return 0; + session->internals.may_not_write = 1; + return 0; } -inline static void session_invalidate(gnutls_session_t session) +inline static void +session_invalidate (gnutls_session_t session) { - session->internals.valid_connection = VALID_FALSE; + session->internals.valid_connection = VALID_FALSE; } -inline static void session_unresumable(gnutls_session_t session) +inline static void +session_unresumable (gnutls_session_t session) { - session->internals.resumable = RESUME_FALSE; + session->internals.resumable = RESUME_FALSE; } /* returns 0 if session is valid */ -inline static int session_is_valid(gnutls_session_t session) +inline static int +session_is_valid (gnutls_session_t session) { - if (session->internals.valid_connection == VALID_FALSE) - return GNUTLS_E_INVALID_SESSION; + if (session->internals.valid_connection == VALID_FALSE) + return GNUTLS_E_INVALID_SESSION; - return 0; + return 0; } /* Copies the record version into the headers. The * version must have 2 bytes at least. */ -inline static -void copy_record_version(gnutls_session_t session, gnutls_handshake_description_t htype, - opaque version[2]) +inline static void +copy_record_version (gnutls_session_t session, + gnutls_handshake_description_t htype, opaque version[2]) { - gnutls_protocol_t lver; + gnutls_protocol_t lver; - if (htype != GNUTLS_HANDSHAKE_CLIENT_HELLO - || session->internals.default_record_version[0] == 0) { - lver = gnutls_protocol_get_version(session); + if (htype != GNUTLS_HANDSHAKE_CLIENT_HELLO + || session->internals.default_record_version[0] == 0) + { + lver = gnutls_protocol_get_version (session); - version[0] = _gnutls_version_get_major(lver); - version[1] = _gnutls_version_get_minor(lver); - } else { - version[0] = session->internals.default_record_version[0]; - version[1] = session->internals.default_record_version[1]; + version[0] = _gnutls_version_get_major (lver); + version[1] = _gnutls_version_get_minor (lver); + } + else + { + version[0] = session->internals.default_record_version[0]; + version[1] = session->internals.default_record_version[1]; } } @@ -284,175 +304,187 @@ void copy_record_version(gnutls_session_t session, gnutls_handshake_description_ * and only if the previous send was interrupted for some reason. * */ -ssize_t _gnutls_send_int(gnutls_session_t session, content_type_t type, - gnutls_handshake_description_t htype, const void *_data, - size_t sizeofdata) +ssize_t +_gnutls_send_int (gnutls_session_t session, content_type_t type, + gnutls_handshake_description_t htype, const void *_data, + size_t sizeofdata) { - uint8 *cipher; - int cipher_size; - int retval, ret; - int data2send_size; - uint8 headers[5]; - const uint8 *data = _data; - int erecord_size = 0; - opaque *erecord = NULL; - - /* Do not allow null pointer if the send buffer is empty. - * If the previous send was interrupted then a null pointer is - * ok, and means to resume. - */ - if (session->internals.record_send_buffer.length == 0 && - (sizeofdata == 0 && _data == NULL)) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + uint8 *cipher; + int cipher_size; + int retval, ret; + int data2send_size; + uint8 headers[5]; + const uint8 *data = _data; + int erecord_size = 0; + opaque *erecord = NULL; + + /* Do not allow null pointer if the send buffer is empty. + * If the previous send was interrupted then a null pointer is + * ok, and means to resume. + */ + if (session->internals.record_send_buffer.length == 0 && + (sizeofdata == 0 && _data == NULL)) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (type != GNUTLS_ALERT) /* alert messages are sent anyway */ - if (session_is_valid(session) - || session->internals.may_not_write != 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } - + if (type != GNUTLS_ALERT) /* alert messages are sent anyway */ + if (session_is_valid (session) || session->internals.may_not_write != 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_SESSION; + } - headers[0] = type; - /* Use the default record version, if it is - * set. - */ - copy_record_version(session, htype, &headers[1]); + headers[0] = type; + /* Use the default record version, if it is + * set. + */ + copy_record_version (session, htype, &headers[1]); - _gnutls_record_log - ("REC[%x]: Sending Packet[%d] %s(%d) with length: %d\n", session, - (int) _gnutls_uint64touint32(&session->connection_state. - write_sequence_number), - _gnutls_packet2str(type), type, sizeofdata); - if (sizeofdata > MAX_RECORD_SEND_SIZE) - data2send_size = MAX_RECORD_SEND_SIZE; - else - data2send_size = sizeofdata; + _gnutls_record_log + ("REC[%x]: Sending Packet[%d] %s(%d) with length: %d\n", session, + (int) _gnutls_uint64touint32 (&session->connection_state. + write_sequence_number), + _gnutls_packet2str (type), type, sizeofdata); - /* Only encrypt if we don't have data to send - * from the previous run. - probably interrupted. - */ - if (session->internals.record_send_buffer.length > 0) { - ret = _gnutls_io_write_flush(session); - if (ret > 0) - cipher_size = ret; - else - cipher_size = 0; + if (sizeofdata > MAX_RECORD_SEND_SIZE) + data2send_size = MAX_RECORD_SEND_SIZE; + else + data2send_size = sizeofdata; - cipher = NULL; + /* Only encrypt if we don't have data to send + * from the previous run. - probably interrupted. + */ + if (session->internals.record_send_buffer.length > 0) + { + ret = _gnutls_io_write_flush (session); + if (ret > 0) + cipher_size = ret; + else + cipher_size = 0; - retval = session->internals.record_send_buffer_user_size; - } else { + cipher = NULL; - /* now proceed to packet encryption - */ - cipher_size = data2send_size + MAX_RECORD_OVERHEAD; - cipher = gnutls_malloc(cipher_size); - if (cipher == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + retval = session->internals.record_send_buffer_user_size; + } + else + { + + /* now proceed to packet encryption + */ + cipher_size = data2send_size + MAX_RECORD_OVERHEAD; + cipher = gnutls_malloc (cipher_size); + if (cipher == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - cipher_size = - _gnutls_encrypt(session, headers, RECORD_HEADER_SIZE, data, - data2send_size, cipher, cipher_size, type, 1); - if (cipher_size <= 0) { - gnutls_assert(); - if (cipher_size == 0) - cipher_size = GNUTLS_E_ENCRYPTION_FAILED; - gnutls_afree(erecord); - gnutls_free(cipher); - return cipher_size; /* error */ + cipher_size = + _gnutls_encrypt (session, headers, RECORD_HEADER_SIZE, data, + data2send_size, cipher, cipher_size, type, 1); + if (cipher_size <= 0) + { + gnutls_assert (); + if (cipher_size == 0) + cipher_size = GNUTLS_E_ENCRYPTION_FAILED; + gnutls_afree (erecord); + gnutls_free (cipher); + return cipher_size; /* error */ } - retval = data2send_size; - session->internals.record_send_buffer_user_size = data2send_size; - - /* increase sequence number - */ - if (_gnutls_uint64pp - (&session->connection_state.write_sequence_number) != 0) { - session_invalidate(session); - gnutls_assert(); - gnutls_afree(erecord); - gnutls_free(cipher); - return GNUTLS_E_RECORD_LIMIT_REACHED; + retval = data2send_size; + session->internals.record_send_buffer_user_size = data2send_size; + + /* increase sequence number + */ + if (_gnutls_uint64pp + (&session->connection_state.write_sequence_number) != 0) + { + session_invalidate (session); + gnutls_assert (); + gnutls_afree (erecord); + gnutls_free (cipher); + return GNUTLS_E_RECORD_LIMIT_REACHED; } - ret = - _gnutls_io_write_buffered2(session, erecord, erecord_size, - cipher, cipher_size); - gnutls_afree(erecord); - gnutls_free(cipher); + ret = + _gnutls_io_write_buffered2 (session, erecord, erecord_size, + cipher, cipher_size); + gnutls_afree (erecord); + gnutls_free (cipher); } - if (ret != cipher_size + erecord_size) { - if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { - /* If we have sent any data then just return - * the error value. Do not invalidate the session. - */ - gnutls_assert(); - return ret; + if (ret != cipher_size + erecord_size) + { + if (ret < 0 && gnutls_error_is_fatal (ret) == 0) + { + /* If we have sent any data then just return + * the error value. Do not invalidate the session. + */ + gnutls_assert (); + return ret; } - if (ret > 0) { - gnutls_assert(); - ret = GNUTLS_E_INTERNAL_ERROR; + if (ret > 0) + { + gnutls_assert (); + ret = GNUTLS_E_INTERNAL_ERROR; } - session_unresumable(session); - session_invalidate(session); - gnutls_assert(); - return ret; + session_unresumable (session); + session_invalidate (session); + gnutls_assert (); + return ret; } - session->internals.record_send_buffer_user_size = 0; + session->internals.record_send_buffer_user_size = 0; - _gnutls_record_log("REC[%x]: Sent Packet[%d] %s(%d) with length: %d\n", - session, - (int) _gnutls_uint64touint32(&session-> + _gnutls_record_log ("REC[%x]: Sent Packet[%d] %s(%d) with length: %d\n", + session, + (int) _gnutls_uint64touint32 (&session-> connection_state. write_sequence_number), - _gnutls_packet2str(type), type, cipher_size); + _gnutls_packet2str (type), type, cipher_size); - return retval; + return retval; } /* This function is to be called if the handshake was successfully * completed. This sends a Change Cipher Spec packet to the peer. */ -ssize_t _gnutls_send_change_cipher_spec(gnutls_session_t session, - int again) +ssize_t +_gnutls_send_change_cipher_spec (gnutls_session_t session, int again) { - static const opaque data[1] = { GNUTLS_TYPE_CHANGE_CIPHER_SPEC }; + static const opaque data[1] = { GNUTLS_TYPE_CHANGE_CIPHER_SPEC }; - _gnutls_handshake_log("REC[%x]: Sent ChangeCipherSpec\n", session); + _gnutls_handshake_log ("REC[%x]: Sent ChangeCipherSpec\n", session); - if (again == 0) - return _gnutls_send_int(session, GNUTLS_CHANGE_CIPHER_SPEC, -1, - data, 1); - else { - return _gnutls_io_write_flush(session); + if (again == 0) + return _gnutls_send_int (session, GNUTLS_CHANGE_CIPHER_SPEC, -1, data, 1); + else + { + return _gnutls_io_write_flush (session); } } -inline -static int check_recv_type(content_type_t recv_type) +inline static int +check_recv_type (content_type_t recv_type) { - switch (recv_type) { + switch (recv_type) + { case GNUTLS_CHANGE_CIPHER_SPEC: case GNUTLS_ALERT: case GNUTLS_HANDSHAKE: case GNUTLS_APPLICATION_DATA: - return 0; + return 0; default: - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + gnutls_assert (); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; } } @@ -461,231 +493,256 @@ static int check_recv_type(content_type_t recv_type) /* Checks if there are pending data in the record buffers. If there are * then it copies the data. */ -static int check_buffers(gnutls_session_t session, content_type_t type, - opaque * data, int sizeofdata) +static int +check_buffers (gnutls_session_t session, content_type_t type, + opaque * data, int sizeofdata) { - if ((type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE) - && _gnutls_record_buffer_get_size(type, session) > 0) { - int ret, ret2; - ret = _gnutls_record_buffer_get(type, session, data, sizeofdata); - if (ret < 0) { - gnutls_assert(); - return ret; + if ((type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE) + && _gnutls_record_buffer_get_size (type, session) > 0) + { + int ret, ret2; + ret = _gnutls_record_buffer_get (type, session, data, sizeofdata); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* if the buffer just got empty */ - if (_gnutls_record_buffer_get_size(type, session) == 0) { - if ((ret2 = _gnutls_io_clear_peeked_data(session)) < 0) { - gnutls_assert(); - return ret2; + /* if the buffer just got empty */ + if (_gnutls_record_buffer_get_size (type, session) == 0) + { + if ((ret2 = _gnutls_io_clear_peeked_data (session)) < 0) + { + gnutls_assert (); + return ret2; } } - return ret; + return ret; } - return 0; + return 0; } /* Checks the record headers and returns the length, version and * content type. */ -static -int record_check_headers(gnutls_session_t session, - uint8 headers[RECORD_HEADER_SIZE], content_type_t type, gnutls_handshake_description_t htype, - /*output */ content_type_t * recv_type, opaque version[2], uint16 * length, - uint16 * header_size) +static int +record_check_headers (gnutls_session_t session, + uint8 headers[RECORD_HEADER_SIZE], content_type_t type, + gnutls_handshake_description_t htype, + /*output */ content_type_t * recv_type, + opaque version[2], uint16 * length, + uint16 * header_size) { - /* Read the first two bytes to determine if this is a - * version 2 message - */ + /* Read the first two bytes to determine if this is a + * version 2 message + */ - if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE - && headers[0] > 127) { + if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE + && headers[0] > 127) + { - /* if msb set and expecting handshake message - * it should be SSL 2 hello - */ - version[0] = 3; /* assume SSL 3.0 */ - version[1] = 0; + /* if msb set and expecting handshake message + * it should be SSL 2 hello + */ + version[0] = 3; /* assume SSL 3.0 */ + version[1] = 0; - *length = (((headers[0] & 0x7f) << 8)) | headers[1]; + *length = (((headers[0] & 0x7f) << 8)) | headers[1]; - /* SSL 2.0 headers */ - *header_size = 2; - *recv_type = GNUTLS_HANDSHAKE; /* we accept only v2 client hello + /* SSL 2.0 headers */ + *header_size = 2; + *recv_type = GNUTLS_HANDSHAKE; /* we accept only v2 client hello */ - /* in order to assist the handshake protocol. - * V2 compatibility is a mess. - */ - session->internals.v2_hello = *length; - - _gnutls_record_log("REC[%x]: V2 packet received. Length: %d\n", - session, *length); + /* in order to assist the handshake protocol. + * V2 compatibility is a mess. + */ + session->internals.v2_hello = *length; - } else { - /* version 3.x - */ - *recv_type = headers[0]; - version[0] = headers[1]; - version[1] = headers[2]; + _gnutls_record_log ("REC[%x]: V2 packet received. Length: %d\n", + session, *length); - /* No DECR_LEN, since headers has enough size. - */ - *length = _gnutls_read_uint16(&headers[3]); + } + else + { + /* version 3.x + */ + *recv_type = headers[0]; + version[0] = headers[1]; + version[1] = headers[2]; + + /* No DECR_LEN, since headers has enough size. + */ + *length = _gnutls_read_uint16 (&headers[3]); } - return 0; + return 0; } /* Here we check if the advertized version is the one we * negotiated in the handshake. */ -inline - static int record_check_version(gnutls_session_t session, - gnutls_handshake_description_t htype, opaque version[2]) +inline static int +record_check_version (gnutls_session_t session, + gnutls_handshake_description_t htype, opaque version[2]) { - if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO) { - /* Reject hello packets with major version higher than 3. - */ - if (version[0] > 3) { - gnutls_assert(); - _gnutls_record_log - ("REC[%x]: INVALID VERSION PACKET: (%d) %d.%d\n", session, - htype, version[0], version[1]); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO) + { + /* Reject hello packets with major version higher than 3. + */ + if (version[0] > 3) + { + gnutls_assert (); + _gnutls_record_log + ("REC[%x]: INVALID VERSION PACKET: (%d) %d.%d\n", session, + htype, version[0], version[1]); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; } - } else if (htype != GNUTLS_HANDSHAKE_SERVER_HELLO && - gnutls_protocol_get_version(session) != - _gnutls_version_get(version[0], version[1])) { - /* Reject record packets that have a different version than the - * one negotiated. Note that this version is not protected by any - * mac. I don't really think that this check serves any purpose. - */ - gnutls_assert(); - _gnutls_record_log("REC[%x]: INVALID VERSION PACKET: (%d) %d.%d\n", - session, htype, version[0], version[1]); - - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + } + else if (htype != GNUTLS_HANDSHAKE_SERVER_HELLO && + gnutls_protocol_get_version (session) != + _gnutls_version_get (version[0], version[1])) + { + /* Reject record packets that have a different version than the + * one negotiated. Note that this version is not protected by any + * mac. I don't really think that this check serves any purpose. + */ + gnutls_assert (); + _gnutls_record_log ("REC[%x]: INVALID VERSION PACKET: (%d) %d.%d\n", + session, htype, version[0], version[1]); + + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; } - return 0; + return 0; } /* This function will check if the received record type is * the one we actually expect. */ -static int record_check_type(gnutls_session_t session, - content_type_t recv_type, content_type_t type, - gnutls_handshake_description_t htype, opaque * data, int data_size) +static int +record_check_type (gnutls_session_t session, + content_type_t recv_type, content_type_t type, + gnutls_handshake_description_t htype, opaque * data, + int data_size) { - int ret; + int ret; - if ((recv_type == type) - && (type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE)) { - _gnutls_record_buffer_put(type, session, (void *) data, data_size); - } else { - switch (recv_type) { + if ((recv_type == type) + && (type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE)) + { + _gnutls_record_buffer_put (type, session, (void *) data, data_size); + } + else + { + switch (recv_type) + { case GNUTLS_ALERT: - _gnutls_record_log - ("REC[%x]: Alert[%d|%d] - %s - was received\n", session, - data[0], data[1], gnutls_alert_get_name((int) data[1])); - - session->internals.last_alert = data[1]; - - /* if close notify is received and - * the alert is not fatal - */ - if (data[1] == GNUTLS_A_CLOSE_NOTIFY - && data[0] != GNUTLS_AL_FATAL) { - /* If we have been expecting for an alert do - */ - session->internals.read_eof = 1; - return GNUTLS_E_INT_RET_0; /* EOF */ - } else { - - /* if the alert is FATAL or WARNING - * return the apropriate message - */ - - gnutls_assert(); - ret = GNUTLS_E_WARNING_ALERT_RECEIVED; - if (data[0] == GNUTLS_AL_FATAL) { - session_unresumable(session); - session_invalidate(session); - ret = GNUTLS_E_FATAL_ALERT_RECEIVED; + _gnutls_record_log + ("REC[%x]: Alert[%d|%d] - %s - was received\n", session, + data[0], data[1], gnutls_alert_get_name ((int) data[1])); + + session->internals.last_alert = data[1]; + + /* if close notify is received and + * the alert is not fatal + */ + if (data[1] == GNUTLS_A_CLOSE_NOTIFY && data[0] != GNUTLS_AL_FATAL) + { + /* If we have been expecting for an alert do + */ + session->internals.read_eof = 1; + return GNUTLS_E_INT_RET_0; /* EOF */ + } + else + { + + /* if the alert is FATAL or WARNING + * return the apropriate message + */ + + gnutls_assert (); + ret = GNUTLS_E_WARNING_ALERT_RECEIVED; + if (data[0] == GNUTLS_AL_FATAL) + { + session_unresumable (session); + session_invalidate (session); + ret = GNUTLS_E_FATAL_ALERT_RECEIVED; } - return ret; + return ret; } - break; + break; case GNUTLS_CHANGE_CIPHER_SPEC: - /* this packet is now handled in the recv_int() - * function - */ - gnutls_assert(); + /* this packet is now handled in the recv_int() + * function + */ + gnutls_assert (); - return GNUTLS_E_UNEXPECTED_PACKET; + return GNUTLS_E_UNEXPECTED_PACKET; case GNUTLS_APPLICATION_DATA: - /* even if data is unexpected put it into the buffer */ - if ((ret = - _gnutls_record_buffer_put(recv_type, session, - (void *) data, - data_size)) < 0) { - gnutls_assert(); - return ret; + /* even if data is unexpected put it into the buffer */ + if ((ret = + _gnutls_record_buffer_put (recv_type, session, + (void *) data, data_size)) < 0) + { + gnutls_assert (); + return ret; } - /* the got_application data is only returned - * if expecting client hello (for rehandshake - * reasons). Otherwise it is an unexpected packet - */ - if (type==GNUTLS_ALERT || (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO - && type == GNUTLS_HANDSHAKE)) - return GNUTLS_E_GOT_APPLICATION_DATA; - else { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET; - } - - break; + /* the got_application data is only returned + * if expecting client hello (for rehandshake + * reasons). Otherwise it is an unexpected packet + */ + if (type == GNUTLS_ALERT || (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO + && type == GNUTLS_HANDSHAKE)) + return GNUTLS_E_GOT_APPLICATION_DATA; + else + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET; + } + + break; case GNUTLS_HANDSHAKE: - /* This is legal if HELLO_REQUEST is received - and we are a client. - * If we are a server, a client may initiate a renegotiation at any time. - */ - if (session->security_parameters.entity == GNUTLS_SERVER) { - gnutls_assert(); - return GNUTLS_E_REHANDSHAKE; + /* This is legal if HELLO_REQUEST is received - and we are a client. + * If we are a server, a client may initiate a renegotiation at any time. + */ + if (session->security_parameters.entity == GNUTLS_SERVER) + { + gnutls_assert (); + return GNUTLS_E_REHANDSHAKE; } - /* If we are already in a handshake then a Hello - * Request is illegal. But here we don't really care - * since this message will never make it up here. - */ + /* If we are already in a handshake then a Hello + * Request is illegal. But here we don't really care + * since this message will never make it up here. + */ - /* So we accept it */ - return _gnutls_recv_hello_request(session, data, data_size); + /* So we accept it */ + return _gnutls_recv_hello_request (session, data, data_size); - break; + break; default: - _gnutls_record_log - ("REC[%x]: Received Unknown packet %d expecting %d\n", - session, recv_type, type); + _gnutls_record_log + ("REC[%x]: Received Unknown packet %d expecting %d\n", + session, recv_type, type); - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } } - return 0; + return 0; } @@ -694,37 +751,38 @@ static int record_check_type(gnutls_session_t session, * recv buffer. If the buffer was not initialized before it will * also initialize it. */ -inline - static int get_temp_recv_buffer(gnutls_session_t session, - gnutls_datum_t * tmp) +inline static int +get_temp_recv_buffer (gnutls_session_t session, gnutls_datum_t * tmp) { - /* We allocate MAX_RECORD_RECV_SIZE length - * because we cannot predict the output data by the record - * packet length (due to compression). - */ - - if (MAX_RECORD_RECV_SIZE > session->internals.recv_buffer.size || - session->internals.recv_buffer.data == NULL) { - - /* Initialize the internal buffer. - */ - session->internals.recv_buffer.data = - gnutls_realloc(session->internals.recv_buffer.data, - MAX_RECORD_RECV_SIZE); - - if (session->internals.recv_buffer.data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* We allocate MAX_RECORD_RECV_SIZE length + * because we cannot predict the output data by the record + * packet length (due to compression). + */ + + if (MAX_RECORD_RECV_SIZE > session->internals.recv_buffer.size || + session->internals.recv_buffer.data == NULL) + { + + /* Initialize the internal buffer. + */ + session->internals.recv_buffer.data = + gnutls_realloc (session->internals.recv_buffer.data, + MAX_RECORD_RECV_SIZE); + + if (session->internals.recv_buffer.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - session->internals.recv_buffer.size = MAX_RECORD_RECV_SIZE; + session->internals.recv_buffer.size = MAX_RECORD_RECV_SIZE; } - tmp->data = session->internals.recv_buffer.data; - tmp->size = session->internals.recv_buffer.size; + tmp->data = session->internals.recv_buffer.data; + tmp->size = session->internals.recv_buffer.size; - return 0; + return 0; } @@ -737,223 +795,247 @@ inline * * The gnutls_handshake_description_t was introduced to support SSL V2.0 client hellos. */ -ssize_t _gnutls_recv_int(gnutls_session_t session, content_type_t type, - gnutls_handshake_description_t htype, opaque * data, - size_t sizeofdata) +ssize_t +_gnutls_recv_int (gnutls_session_t session, content_type_t type, + gnutls_handshake_description_t htype, opaque * data, + size_t sizeofdata) { - gnutls_datum_t tmp; - int decrypted_length; - opaque version[2]; - uint8 *headers; - content_type_t recv_type; - uint16 length; - uint8 *ciphertext; - uint8 *recv_data; - int ret, ret2; - uint16 header_size; - int empty_packet = 0; - - if (type != GNUTLS_ALERT && (sizeofdata == 0 || data == NULL)) { - return GNUTLS_E_INVALID_REQUEST; + gnutls_datum_t tmp; + int decrypted_length; + opaque version[2]; + uint8 *headers; + content_type_t recv_type; + uint16 length; + uint8 *ciphertext; + uint8 *recv_data; + int ret, ret2; + uint16 header_size; + int empty_packet = 0; + + if (type != GNUTLS_ALERT && (sizeofdata == 0 || data == NULL)) + { + return GNUTLS_E_INVALID_REQUEST; } - begin: +begin: - if (empty_packet > MAX_EMPTY_PACKETS_SEQUENCE) { - gnutls_assert(); - return GNUTLS_E_TOO_MANY_EMPTY_PACKETS; + if (empty_packet > MAX_EMPTY_PACKETS_SEQUENCE) + { + gnutls_assert (); + return GNUTLS_E_TOO_MANY_EMPTY_PACKETS; } - if (session->internals.read_eof != 0) { - /* if we have already read an EOF - */ - return 0; - } else if (session_is_valid(session) != 0 - || session->internals.may_not_read != 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; + if (session->internals.read_eof != 0) + { + /* if we have already read an EOF + */ + return 0; + } + else if (session_is_valid (session) != 0 + || session->internals.may_not_read != 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_SESSION; } /* If we have enough data in the cache do not bother receiving * a new packet. (in order to flush the cache) */ - ret = check_buffers(session, type, data, sizeofdata); - if (ret != 0) - return ret; + ret = check_buffers (session, type, data, sizeofdata); + if (ret != 0) + return ret; /* default headers for TLS 1.0 */ - header_size = RECORD_HEADER_SIZE; - - if ((ret = - _gnutls_io_read_buffered(session, &headers, header_size, - -1)) != header_size) { - if (ret < 0 && gnutls_error_is_fatal(ret) == 0) - return ret; - - session_invalidate(session); - if (type == GNUTLS_ALERT) { - gnutls_assert(); - return 0; /* we were expecting close notify */ + header_size = RECORD_HEADER_SIZE; + + if ((ret = + _gnutls_io_read_buffered (session, &headers, header_size, + -1)) != header_size) + { + if (ret < 0 && gnutls_error_is_fatal (ret) == 0) + return ret; + + session_invalidate (session); + if (type == GNUTLS_ALERT) + { + gnutls_assert (); + return 0; /* we were expecting close notify */ } - session_unresumable(session); - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + session_unresumable (session); + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - if ((ret = - record_check_headers(session, headers, type, htype, &recv_type, - version, &length, &header_size)) < 0) { - gnutls_assert(); - return ret; + if ((ret = + record_check_headers (session, headers, type, htype, &recv_type, + version, &length, &header_size)) < 0) + { + gnutls_assert (); + return ret; } /* Here we check if the Type of the received packet is * ok. */ - if ((ret = check_recv_type(recv_type)) < 0) { - gnutls_assert(); - return ret; + if ((ret = check_recv_type (recv_type)) < 0) + { + gnutls_assert (); + return ret; } /* Here we check if the advertized version is the one we * negotiated in the handshake. */ - if ((ret = record_check_version(session, htype, version)) < 0) { - gnutls_assert(); - session_invalidate(session); - return ret; + if ((ret = record_check_version (session, htype, version)) < 0) + { + gnutls_assert (); + session_invalidate (session); + return ret; } - _gnutls_record_log - ("REC[%x]: Expected Packet[%d] %s(%d) with length: %d\n", session, - (int) _gnutls_uint64touint32(&session->connection_state. - read_sequence_number), - _gnutls_packet2str(type), type, sizeofdata); - _gnutls_record_log - ("REC[%x]: Received Packet[%d] %s(%d) with length: %d\n", session, - (int) _gnutls_uint64touint32(&session->connection_state. - read_sequence_number), - _gnutls_packet2str(recv_type), recv_type, length); - - if (length > MAX_RECV_SIZE) { - _gnutls_record_log - ("REC[%x]: FATAL ERROR: Received packet with length: %d\n", - session, length); - - session_unresumable(session); - session_invalidate(session); - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + _gnutls_record_log + ("REC[%x]: Expected Packet[%d] %s(%d) with length: %d\n", session, + (int) _gnutls_uint64touint32 (&session->connection_state. + read_sequence_number), + _gnutls_packet2str (type), type, sizeofdata); + _gnutls_record_log + ("REC[%x]: Received Packet[%d] %s(%d) with length: %d\n", session, + (int) _gnutls_uint64touint32 (&session->connection_state. + read_sequence_number), + _gnutls_packet2str (recv_type), recv_type, length); + + if (length > MAX_RECV_SIZE) + { + _gnutls_record_log + ("REC[%x]: FATAL ERROR: Received packet with length: %d\n", + session, length); + + session_unresumable (session); + session_invalidate (session); + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } /* check if we have that data into buffer. */ - if ((ret = - _gnutls_io_read_buffered(session, &recv_data, - header_size + length, - recv_type)) != header_size + length) { - if (ret < 0 && gnutls_error_is_fatal(ret) == 0) - return ret; - - session_unresumable(session); - session_invalidate(session); - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + if ((ret = + _gnutls_io_read_buffered (session, &recv_data, + header_size + length, + recv_type)) != header_size + length) + { + if (ret < 0 && gnutls_error_is_fatal (ret) == 0) + return ret; + + session_unresumable (session); + session_invalidate (session); + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } /* ok now we are sure that we can read all the data - so * move on ! */ - _gnutls_io_clear_read_buffer(session); - ciphertext = &recv_data[header_size]; - - ret = get_temp_recv_buffer(session, &tmp); - if (ret < 0) { - gnutls_assert(); - return ret; + _gnutls_io_clear_read_buffer (session); + ciphertext = &recv_data[header_size]; + + ret = get_temp_recv_buffer (session, &tmp); + if (ret < 0) + { + gnutls_assert (); + return ret; } /* decrypt the data we got. */ - ret = - _gnutls_decrypt(session, ciphertext, length, tmp.data, tmp.size, - recv_type); - if (ret < 0) { - session_unresumable(session); - session_invalidate(session); - gnutls_assert(); - return ret; + ret = + _gnutls_decrypt (session, ciphertext, length, tmp.data, tmp.size, + recv_type); + if (ret < 0) + { + session_unresumable (session); + session_invalidate (session); + gnutls_assert (); + return ret; } - decrypted_length = ret; + decrypted_length = ret; /* Check if this is a CHANGE_CIPHER_SPEC */ - if (type == GNUTLS_CHANGE_CIPHER_SPEC && - recv_type == GNUTLS_CHANGE_CIPHER_SPEC) { + if (type == GNUTLS_CHANGE_CIPHER_SPEC && + recv_type == GNUTLS_CHANGE_CIPHER_SPEC) + { - _gnutls_record_log - ("REC[%x]: ChangeCipherSpec Packet was received\n", session); + _gnutls_record_log + ("REC[%x]: ChangeCipherSpec Packet was received\n", session); - if ((size_t) ret != sizeofdata) { /* sizeofdata should be 1 */ - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + if ((size_t) ret != sizeofdata) + { /* sizeofdata should be 1 */ + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - memcpy(data, tmp.data, sizeofdata); + memcpy (data, tmp.data, sizeofdata); - return ret; + return ret; } - _gnutls_record_log - ("REC[%x]: Decrypted Packet[%d] %s(%d) with length: %d\n", session, - (int) _gnutls_uint64touint32(&session->connection_state. - read_sequence_number), - _gnutls_packet2str(recv_type), recv_type, decrypted_length); + _gnutls_record_log + ("REC[%x]: Decrypted Packet[%d] %s(%d) with length: %d\n", session, + (int) _gnutls_uint64touint32 (&session->connection_state. + read_sequence_number), + _gnutls_packet2str (recv_type), recv_type, decrypted_length); /* increase sequence number */ - if (_gnutls_uint64pp(&session->connection_state.read_sequence_number) - != 0) { - session_invalidate(session); - gnutls_assert(); - return GNUTLS_E_RECORD_LIMIT_REACHED; + if (_gnutls_uint64pp (&session->connection_state.read_sequence_number) != 0) + { + session_invalidate (session); + gnutls_assert (); + return GNUTLS_E_RECORD_LIMIT_REACHED; } - ret = - record_check_type(session, recv_type, type, htype, tmp.data, - decrypted_length); - if (ret < 0) { - if (ret == GNUTLS_E_INT_RET_0) - return 0; - gnutls_assert(); - return ret; + ret = + record_check_type (session, recv_type, type, htype, tmp.data, + decrypted_length); + if (ret < 0) + { + if (ret == GNUTLS_E_INT_RET_0) + return 0; + gnutls_assert (); + return ret; } /* Get Application data from buffer */ - if ((type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE) - && (recv_type == type)) { - - ret = _gnutls_record_buffer_get(type, session, data, sizeofdata); - if (ret < 0) { - gnutls_assert(); - return ret; + if ((type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE) + && (recv_type == type)) + { + + ret = _gnutls_record_buffer_get (type, session, data, sizeofdata); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* if the buffer just got empty - */ - if (_gnutls_record_buffer_get_size(type, session) == 0) { - if ((ret2 = _gnutls_io_clear_peeked_data(session)) < 0) { - gnutls_assert(); - return ret2; + /* if the buffer just got empty + */ + if (_gnutls_record_buffer_get_size (type, session) == 0) + { + if ((ret2 = _gnutls_io_clear_peeked_data (session)) < 0) + { + gnutls_assert (); + return ret2; } } - } else { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET; - /* we didn't get what we wanted to - */ + } + else + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET; + /* we didn't get what we wanted to + */ } /* (originally for) TLS 1.0 CBC protection. @@ -963,12 +1045,13 @@ ssize_t _gnutls_recv_int(gnutls_session_t session, content_type_t type, * In that case we go to the beginning and start reading * the next packet. */ - if (ret == 0) { - empty_packet++; - goto begin; + if (ret == 0) + { + empty_packet++; + goto begin; } - return ret; + return ret; } @@ -994,11 +1077,12 @@ ssize_t _gnutls_recv_int(gnutls_session_t session, content_type_t type, * number of bytes this function can send in a single call depends on * the negotiated maximum record size. **/ -ssize_t gnutls_record_send(gnutls_session_t session, const void *data, - size_t sizeofdata) +ssize_t +gnutls_record_send (gnutls_session_t session, const void *data, + size_t sizeofdata) { - return _gnutls_send_int(session, GNUTLS_APPLICATION_DATA, -1, data, - sizeofdata); + return _gnutls_send_int (session, GNUTLS_APPLICATION_DATA, -1, data, + sizeofdata); } /** @@ -1032,11 +1116,11 @@ ssize_t gnutls_record_send(gnutls_session_t session, const void *data, * error code is returned in case of an error. The number of bytes * received might be less than @code{count}. **/ -ssize_t gnutls_record_recv(gnutls_session_t session, void *data, - size_t sizeofdata) +ssize_t +gnutls_record_recv (gnutls_session_t session, void *data, size_t sizeofdata) { - return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, -1, data, - sizeofdata); + return _gnutls_recv_int (session, GNUTLS_APPLICATION_DATA, -1, data, + sizeofdata); } /** @@ -1048,12 +1132,13 @@ ssize_t gnutls_record_recv(gnutls_session_t session, void *data, * first handshake message. * **/ -size_t gnutls_record_get_max_size(gnutls_session_t session) +size_t +gnutls_record_get_max_size (gnutls_session_t session) { - /* Recv will hold the negotiated max record size - * always. - */ - return session->security_parameters.max_record_recv_size; + /* Recv will hold the negotiated max record size + * always. + */ + return session->security_parameters.max_record_recv_size; } @@ -1075,23 +1160,25 @@ size_t gnutls_record_get_max_size(gnutls_session_t session) * Not all TLS implementations use or even understand this extension. * **/ -ssize_t gnutls_record_set_max_size(gnutls_session_t session, size_t size) +ssize_t +gnutls_record_set_max_size (gnutls_session_t session, size_t size) { - ssize_t new_size; + ssize_t new_size; - if (session->security_parameters.entity == GNUTLS_SERVER) - return GNUTLS_E_INVALID_REQUEST; + if (session->security_parameters.entity == GNUTLS_SERVER) + return GNUTLS_E_INVALID_REQUEST; - new_size = _gnutls_mre_record2num(size); + new_size = _gnutls_mre_record2num (size); - if (new_size < 0) { - gnutls_assert(); - return new_size; + if (new_size < 0) + { + gnutls_assert (); + return new_size; } - session->security_parameters.max_record_send_size = size; + session->security_parameters.max_record_send_size = size; - session->internals.proposed_record_size = size; + session->internals.proposed_record_size = size; - return 0; + return 0; } diff --git a/lib/gnutls_record.h b/lib/gnutls_record.h index 76e23e8eb5..10178fcf85 100644 --- a/lib/gnutls_record.h +++ b/lib/gnutls_record.h @@ -22,11 +22,11 @@ * */ -ssize_t _gnutls_send_int(gnutls_session_t session, content_type_t type, - gnutls_handshake_description_t htype, const void *data, - size_t sizeofdata); -ssize_t _gnutls_recv_int(gnutls_session_t session, content_type_t type, - gnutls_handshake_description_t, opaque * data, size_t sizeofdata); -ssize_t _gnutls_send_change_cipher_spec(gnutls_session_t session, - int again); -void gnutls_transport_set_lowat(gnutls_session_t session, int num); +ssize_t _gnutls_send_int (gnutls_session_t session, content_type_t type, + gnutls_handshake_description_t htype, + const void *data, size_t sizeofdata); +ssize_t _gnutls_recv_int (gnutls_session_t session, content_type_t type, + gnutls_handshake_description_t, opaque * data, + size_t sizeofdata); +ssize_t _gnutls_send_change_cipher_spec (gnutls_session_t session, int again); +void gnutls_transport_set_lowat (gnutls_session_t session, int num); diff --git a/lib/gnutls_rsa_export.c b/lib/gnutls_rsa_export.c index eaea9c04eb..7121ee6d74 100644 --- a/lib/gnutls_rsa_export.c +++ b/lib/gnutls_rsa_export.c @@ -44,114 +44,125 @@ /* returns e and m, depends on the requested bits. * We only support limited key sizes. */ -const mpi_t *_gnutls_get_rsa_params(gnutls_rsa_params_t rsa_params) +const mpi_t * +_gnutls_get_rsa_params (gnutls_rsa_params_t rsa_params) { - if (rsa_params == NULL) { - return NULL; + if (rsa_params == NULL) + { + return NULL; } - return rsa_params->params; + return rsa_params->params; } /* resarr will contain: modulus(0), public exponent(1), private exponent(2), * prime1 - p (3), prime2 - q(4), u (5). */ -int _gnutls_rsa_generate_params(mpi_t * resarr, int *resarr_len, int bits) +int +_gnutls_rsa_generate_params (mpi_t * resarr, int *resarr_len, int bits) { - int ret; - gcry_sexp_t parms, key, list; + int ret; + gcry_sexp_t parms, key, list; - ret = gcry_sexp_build(&parms, NULL, "(genkey(rsa(nbits %d)))", bits); - if (ret != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + ret = gcry_sexp_build (&parms, NULL, "(genkey(rsa(nbits %d)))", bits); + if (ret != 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* generate the RSA key */ - ret = gcry_pk_genkey(&key, parms); - gcry_sexp_release(parms); + /* generate the RSA key */ + ret = gcry_pk_genkey (&key, parms); + gcry_sexp_release (parms); - if (ret != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (ret != 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - list = gcry_sexp_find_token(key, "n", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(key); - return GNUTLS_E_INTERNAL_ERROR; + list = gcry_sexp_find_token (key, "n", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (key); + return GNUTLS_E_INTERNAL_ERROR; } - resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + resarr[0] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); - list = gcry_sexp_find_token(key, "e", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(key); - return GNUTLS_E_INTERNAL_ERROR; + list = gcry_sexp_find_token (key, "e", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (key); + return GNUTLS_E_INTERNAL_ERROR; } - resarr[1] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + resarr[1] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); - list = gcry_sexp_find_token(key, "d", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(key); - return GNUTLS_E_INTERNAL_ERROR; + list = gcry_sexp_find_token (key, "d", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (key); + return GNUTLS_E_INTERNAL_ERROR; } - resarr[2] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + resarr[2] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); - list = gcry_sexp_find_token(key, "p", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(key); - return GNUTLS_E_INTERNAL_ERROR; + list = gcry_sexp_find_token (key, "p", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (key); + return GNUTLS_E_INTERNAL_ERROR; } - resarr[3] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + resarr[3] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); - list = gcry_sexp_find_token(key, "q", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(key); - return GNUTLS_E_INTERNAL_ERROR; + list = gcry_sexp_find_token (key, "q", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (key); + return GNUTLS_E_INTERNAL_ERROR; } - resarr[4] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + resarr[4] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); - list = gcry_sexp_find_token(key, "u", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(key); - return GNUTLS_E_INTERNAL_ERROR; + list = gcry_sexp_find_token (key, "u", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (key); + return GNUTLS_E_INTERNAL_ERROR; } - resarr[5] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + resarr[5] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); - gcry_sexp_release(key); + gcry_sexp_release (key); - _gnutls_dump_mpi("n: ", resarr[0]); - _gnutls_dump_mpi("e: ", resarr[1]); - _gnutls_dump_mpi("d: ", resarr[2]); - _gnutls_dump_mpi("p: ", resarr[3]); - _gnutls_dump_mpi("q: ", resarr[4]); - _gnutls_dump_mpi("u: ", resarr[5]); + _gnutls_dump_mpi ("n: ", resarr[0]); + _gnutls_dump_mpi ("e: ", resarr[1]); + _gnutls_dump_mpi ("d: ", resarr[2]); + _gnutls_dump_mpi ("p: ", resarr[3]); + _gnutls_dump_mpi ("q: ", resarr[4]); + _gnutls_dump_mpi ("u: ", resarr[5]); - *resarr_len = 6; + *resarr_len = 6; - return 0; + return 0; } @@ -170,16 +181,16 @@ int _gnutls_rsa_generate_params(mpi_t * resarr, int *resarr_len, int bits) * The new parameters should be stored in the appropriate gnutls_datum. * **/ -int gnutls_rsa_params_import_raw(gnutls_rsa_params_t rsa_params, - const gnutls_datum_t * m, - const gnutls_datum_t * e, - const gnutls_datum_t * d, - const gnutls_datum_t * p, - const gnutls_datum_t * q, - const gnutls_datum_t * u) +int +gnutls_rsa_params_import_raw (gnutls_rsa_params_t rsa_params, + const gnutls_datum_t * m, + const gnutls_datum_t * e, + const gnutls_datum_t * d, + const gnutls_datum_t * p, + const gnutls_datum_t * q, + const gnutls_datum_t * u) { - return gnutls_x509_privkey_import_rsa_raw(rsa_params, - m, e, d, p, q, u); + return gnutls_x509_privkey_import_rsa_raw (rsa_params, m, e, d, p, q, u); } /** @@ -189,19 +200,21 @@ int gnutls_rsa_params_import_raw(gnutls_rsa_params_t rsa_params, * This function will initialize the temporary RSA parameters structure. * **/ -int gnutls_rsa_params_init(gnutls_rsa_params_t * rsa_params) +int +gnutls_rsa_params_init (gnutls_rsa_params_t * rsa_params) { - int ret; + int ret; - ret = gnutls_x509_privkey_init(rsa_params); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = gnutls_x509_privkey_init (rsa_params); + if (ret < 0) + { + gnutls_assert (); + return ret; } - (*rsa_params)->crippled = 1; + (*rsa_params)->crippled = 1; - return 0; + return 0; } /** @@ -211,9 +224,10 @@ int gnutls_rsa_params_init(gnutls_rsa_params_t * rsa_params) * This function will deinitialize the RSA parameters structure. * **/ -void gnutls_rsa_params_deinit(gnutls_rsa_params_t rsa_params) +void +gnutls_rsa_params_deinit (gnutls_rsa_params_t rsa_params) { - gnutls_x509_privkey_deinit(rsa_params); + gnutls_x509_privkey_deinit (rsa_params); } /** @@ -225,9 +239,10 @@ void gnutls_rsa_params_deinit(gnutls_rsa_params_t rsa_params) * to destination. * **/ -int gnutls_rsa_params_cpy(gnutls_rsa_params_t dst, gnutls_rsa_params_t src) +int +gnutls_rsa_params_cpy (gnutls_rsa_params_t dst, gnutls_rsa_params_t src) { - return gnutls_x509_privkey_cpy(dst, src); + return gnutls_x509_privkey_cpy (dst, src); } /** @@ -245,10 +260,10 @@ int gnutls_rsa_params_cpy(gnutls_rsa_params_t dst, gnutls_rsa_params_t src) * no use calling this in client side. * **/ -int gnutls_rsa_params_generate2(gnutls_rsa_params_t params, - unsigned int bits) +int +gnutls_rsa_params_generate2 (gnutls_rsa_params_t params, unsigned int bits) { - return gnutls_x509_privkey_generate(params, GNUTLS_PK_RSA, bits, 0); + return gnutls_x509_privkey_generate (params, GNUTLS_PK_RSA, bits, 0); } /** @@ -267,11 +282,12 @@ int gnutls_rsa_params_generate2(gnutls_rsa_params_t params, * 0 on success. * **/ -int gnutls_rsa_params_import_pkcs1(gnutls_rsa_params_t params, - const gnutls_datum_t * pkcs1_params, - gnutls_x509_crt_fmt_t format) +int +gnutls_rsa_params_import_pkcs1 (gnutls_rsa_params_t params, + const gnutls_datum_t * pkcs1_params, + gnutls_x509_crt_fmt_t format) { - return gnutls_x509_privkey_import(params, pkcs1_params, format); + return gnutls_x509_privkey_import (params, pkcs1_params, format); } @@ -293,13 +309,14 @@ int gnutls_rsa_params_import_pkcs1(gnutls_rsa_params_t params, * 0 on success. * **/ -int gnutls_rsa_params_export_pkcs1(gnutls_rsa_params_t params, - gnutls_x509_crt_fmt_t format, - unsigned char *params_data, - size_t * params_data_size) +int +gnutls_rsa_params_export_pkcs1 (gnutls_rsa_params_t params, + gnutls_x509_crt_fmt_t format, + unsigned char *params_data, + size_t * params_data_size) { - return gnutls_x509_privkey_export(params, format, - params_data, params_data_size); + return gnutls_x509_privkey_export (params, format, + params_data, params_data_size); } @@ -319,23 +336,25 @@ int gnutls_rsa_params_export_pkcs1(gnutls_rsa_params_t params, * gnutls_malloc() and will be stored in the appropriate datum. * **/ -int gnutls_rsa_params_export_raw(gnutls_rsa_params_t params, - gnutls_datum_t * m, gnutls_datum_t * e, - gnutls_datum_t * d, gnutls_datum_t * p, - gnutls_datum_t * q, gnutls_datum_t * u, - unsigned int *bits) +int +gnutls_rsa_params_export_raw (gnutls_rsa_params_t params, + gnutls_datum_t * m, gnutls_datum_t * e, + gnutls_datum_t * d, gnutls_datum_t * p, + gnutls_datum_t * q, gnutls_datum_t * u, + unsigned int *bits) { - int ret; + int ret; - ret = gnutls_x509_privkey_export_rsa_raw(params, m, e, d, p, q, u); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = gnutls_x509_privkey_export_rsa_raw (params, m, e, d, p, q, u); + if (ret < 0) + { + gnutls_assert (); + return ret; } - if (bits) - *bits = _gnutls_mpi_get_nbits(params->params[3]); + if (bits) + *bits = _gnutls_mpi_get_nbits (params->params[3]); - return 0; + return 0; } diff --git a/lib/gnutls_rsa_export.h b/lib/gnutls_rsa_export.h index 152d279eb5..932852d11a 100644 --- a/lib/gnutls_rsa_export.h +++ b/lib/gnutls_rsa_export.h @@ -22,7 +22,6 @@ * */ -const mpi_t *_gnutls_get_rsa_params(gnutls_rsa_params_t); -int _gnutls_peers_cert_less_512(gnutls_session_t session); -int _gnutls_rsa_generate_params(mpi_t * resarr, int *resarr_len, int bits); - +const mpi_t *_gnutls_get_rsa_params (gnutls_rsa_params_t); +int _gnutls_peers_cert_less_512 (gnutls_session_t session); +int _gnutls_rsa_generate_params (mpi_t * resarr, int *resarr_len, int bits); diff --git a/lib/gnutls_session.c b/lib/gnutls_session.c index cf0d37a14d..7a285e29a5 100644 --- a/lib/gnutls_session.c +++ b/lib/gnutls_session.c @@ -39,32 +39,34 @@ * * Resuming sessions is really useful and speedups connections after a succesful one. **/ -int gnutls_session_get_data(gnutls_session_t session, - void *session_data, size_t * session_data_size) +int +gnutls_session_get_data (gnutls_session_t session, + void *session_data, size_t * session_data_size) { - gnutls_datum_t psession; - int ret; + gnutls_datum_t psession; + int ret; - if (session->internals.resumable == RESUME_FALSE) - return GNUTLS_E_INVALID_SESSION; + if (session->internals.resumable == RESUME_FALSE) + return GNUTLS_E_INVALID_SESSION; - psession.data = session_data; + psession.data = session_data; - ret = _gnutls_session_pack(session, &psession); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_session_pack (session, &psession); + if (ret < 0) + { + gnutls_assert (); + return ret; } - *session_data_size = psession.size; + *session_data_size = psession.size; - if (psession.size > *session_data_size) - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (psession.size > *session_data_size) + return GNUTLS_E_SHORT_MEMORY_BUFFER; - if (session_data != NULL) - memcpy(session_data, psession.data, psession.size); + if (session_data != NULL) + memcpy (session_data, psession.data, psession.size); - return 0; + return 0; } /** @@ -80,25 +82,28 @@ int gnutls_session_get_data(gnutls_session_t session, * * Resuming sessions is really useful and speedups connections after a succesful one. **/ -int gnutls_session_get_data2(gnutls_session_t session, gnutls_datum * data) +int +gnutls_session_get_data2 (gnutls_session_t session, gnutls_datum * data) { - int ret; + int ret; - if (data == NULL) { - return GNUTLS_E_INVALID_REQUEST; + if (data == NULL) + { + return GNUTLS_E_INVALID_REQUEST; } - if (session->internals.resumable == RESUME_FALSE) - return GNUTLS_E_INVALID_SESSION; + if (session->internals.resumable == RESUME_FALSE) + return GNUTLS_E_INVALID_SESSION; - ret = _gnutls_session_pack(session, data); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_session_pack (session, data); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } @@ -116,20 +121,22 @@ int gnutls_session_get_data2(gnutls_session_t session, gnutls_datum * data) * Session id is some data set by the server, that identify the current session. * In TLS 1.0 and SSL 3.0 session id is always less than 32 bytes. **/ -int gnutls_session_get_id(gnutls_session_t session, - void *session_id, size_t * session_id_size) +int +gnutls_session_get_id (gnutls_session_t session, + void *session_id, size_t * session_id_size) { - *session_id_size = session->security_parameters.session_id_size; + *session_id_size = session->security_parameters.session_id_size; - /* just return the session size */ - if (session_id == NULL) { - return 0; + /* just return the session size */ + if (session_id == NULL) + { + return 0; } - memcpy(session_id, &session->security_parameters.session_id, - *session_id_size); + memcpy (session_id, &session->security_parameters.session_id, + *session_id_size); - return 0; + return 0; } /** @@ -149,25 +156,27 @@ int gnutls_session_get_id(gnutls_session_t session, * Returns a negative value on error. * **/ -int gnutls_session_set_data(gnutls_session_t session, - const void *session_data, - size_t session_data_size) +int +gnutls_session_set_data (gnutls_session_t session, + const void *session_data, size_t session_data_size) { - int ret; - gnutls_datum_t psession; + int ret; + gnutls_datum_t psession; - psession.data = (opaque *) session_data; - psession.size = session_data_size; + psession.data = (opaque *) session_data; + psession.size = session_data_size; - if (session_data == NULL || session_data_size == 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (session_data == NULL || session_data_size == 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = _gnutls_session_unpack(session, &psession); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_session_unpack (session, &psession); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } diff --git a/lib/gnutls_session_pack.c b/lib/gnutls_session_pack.c index 93753d2301..2c372e36d9 100644 --- a/lib/gnutls_session_pack.c +++ b/lib/gnutls_session_pack.c @@ -43,31 +43,31 @@ #define PACK_HEADER_SIZE 1 #define MAX_SEC_PARAMS 7+MAX_SRP_USERNAME+MAX_SERVER_NAME_EXTENSIONS*(3+MAX_SERVER_NAME_SIZE)+165 -static int pack_certificate_auth_info(gnutls_session_t, - gnutls_datum_t * packed_session); -static int unpack_certificate_auth_info(gnutls_session_t, - const gnutls_datum_t * - packed_session); - -static int unpack_srp_auth_info(gnutls_session_t session, - const gnutls_datum * packed_session); -static int pack_srp_auth_info(gnutls_session_t session, - gnutls_datum * packed_session); - -static int unpack_psk_auth_info(gnutls_session_t session, - const gnutls_datum * packed_session); -static int pack_psk_auth_info(gnutls_session_t session, - gnutls_datum * packed_session); - -static int unpack_anon_auth_info(gnutls_session_t session, +static int pack_certificate_auth_info (gnutls_session_t, + gnutls_datum_t * packed_session); +static int unpack_certificate_auth_info (gnutls_session_t, + const gnutls_datum_t * + packed_session); + +static int unpack_srp_auth_info (gnutls_session_t session, + const gnutls_datum * packed_session); +static int pack_srp_auth_info (gnutls_session_t session, + gnutls_datum * packed_session); + +static int unpack_psk_auth_info (gnutls_session_t session, const gnutls_datum * packed_session); -static int pack_anon_auth_info(gnutls_session_t session, +static int pack_psk_auth_info (gnutls_session_t session, gnutls_datum * packed_session); -static int unpack_security_parameters(gnutls_session_t session, - const gnutls_datum * packed_session); -static int pack_security_parameters(gnutls_session_t session, - gnutls_datum * packed_session); +static int unpack_anon_auth_info (gnutls_session_t session, + const gnutls_datum * packed_session); +static int pack_anon_auth_info (gnutls_session_t session, + gnutls_datum * packed_session); + +static int unpack_security_parameters (gnutls_session_t session, + const gnutls_datum * packed_session); +static int pack_security_parameters (gnutls_session_t session, + gnutls_datum * packed_session); /* Since auth_info structures contain malloced data, this function @@ -78,138 +78,155 @@ static int pack_security_parameters(gnutls_session_t session, * * The data will be in a platform independent format. */ -int _gnutls_session_pack(gnutls_session_t session, - gnutls_datum_t * packed_session) +int +_gnutls_session_pack (gnutls_session_t session, + gnutls_datum_t * packed_session) { - int ret; + int ret; - if (packed_session == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (packed_session == NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - switch (gnutls_auth_get_type(session)) { + switch (gnutls_auth_get_type (session)) + { #ifdef ENABLE_SRP case GNUTLS_CRD_SRP: - ret = pack_srp_auth_info(session, packed_session); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = pack_srp_auth_info (session, packed_session); + if (ret < 0) + { + gnutls_assert (); + return ret; } - break; + break; #endif #ifdef ENABLE_SRP case GNUTLS_CRD_PSK: - ret = pack_psk_auth_info(session, packed_session); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = pack_psk_auth_info (session, packed_session); + if (ret < 0) + { + gnutls_assert (); + return ret; } - break; + break; #endif #ifdef ENABLE_ANON case GNUTLS_CRD_ANON: - ret = pack_anon_auth_info(session, packed_session); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = pack_anon_auth_info (session, packed_session); + if (ret < 0) + { + gnutls_assert (); + return ret; } - break; + break; #endif case GNUTLS_CRD_CERTIFICATE: - ret = pack_certificate_auth_info(session, packed_session); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = pack_certificate_auth_info (session, packed_session); + if (ret < 0) + { + gnutls_assert (); + return ret; } - break; + break; default: - return GNUTLS_E_INTERNAL_ERROR; + return GNUTLS_E_INTERNAL_ERROR; } - /* Auth_info structures copied. Now copy security_parameters_st. - * packed_session must have allocated space for the security parameters. - */ - ret = pack_security_parameters(session, packed_session); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum( packed_session); - return ret; + /* Auth_info structures copied. Now copy security_parameters_st. + * packed_session must have allocated space for the security parameters. + */ + ret = pack_security_parameters (session, packed_session); + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (packed_session); + return ret; } - return 0; + return 0; } /* Load session data from a buffer. */ -int _gnutls_session_unpack(gnutls_session_t session, - const gnutls_datum_t * packed_session) +int +_gnutls_session_unpack (gnutls_session_t session, + const gnutls_datum_t * packed_session) { - int ret; + int ret; - if (packed_session == NULL || packed_session->size == 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (packed_session == NULL || packed_session->size == 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - if (session->key->auth_info != NULL) { - _gnutls_free_auth_info(session); + if (session->key->auth_info != NULL) + { + _gnutls_free_auth_info (session); } - switch (packed_session->data[0]) { + switch (packed_session->data[0]) + { #ifdef ENABLE_SRP case GNUTLS_CRD_SRP: - ret = unpack_srp_auth_info(session, packed_session); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = unpack_srp_auth_info (session, packed_session); + if (ret < 0) + { + gnutls_assert (); + return ret; } - break; + break; #endif #ifdef ENABLE_PSK case GNUTLS_CRD_PSK: - ret = unpack_psk_auth_info(session, packed_session); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = unpack_psk_auth_info (session, packed_session); + if (ret < 0) + { + gnutls_assert (); + return ret; } - break; + break; #endif #ifdef ENABLE_ANON case GNUTLS_CRD_ANON: - ret = unpack_anon_auth_info(session, packed_session); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = unpack_anon_auth_info (session, packed_session); + if (ret < 0) + { + gnutls_assert (); + return ret; } - break; + break; #endif case GNUTLS_CRD_CERTIFICATE: - ret = unpack_certificate_auth_info(session, packed_session); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = unpack_certificate_auth_info (session, packed_session); + if (ret < 0) + { + gnutls_assert (); + return ret; } - break; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* Auth_info structures copied. Now copy security_parameters_st. - * packed_session must have allocated space for the security parameters. - */ - ret = unpack_security_parameters(session, packed_session); - if (ret < 0) { - gnutls_assert(); - return ret; + /* Auth_info structures copied. Now copy security_parameters_st. + * packed_session must have allocated space for the security parameters. + */ + ret = unpack_security_parameters (session, packed_session); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } @@ -235,227 +252,237 @@ int _gnutls_session_unpack(gnutls_session_t session, * x bytes the certificate * and so on... */ -static -int pack_certificate_auth_info(gnutls_session_t session, - gnutls_datum_t * packed_session) +static int +pack_certificate_auth_info (gnutls_session_t session, + gnutls_datum_t * packed_session) { - unsigned int pos, i; - int cert_size, pack_size; - cert_auth_info_t info = _gnutls_get_auth_info(session); + unsigned int pos, i; + int cert_size, pack_size; + cert_auth_info_t info = _gnutls_get_auth_info (session); - if (info == NULL && session->key->auth_info_size != 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (info == NULL && session->key->auth_info_size != 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (info) { - for (i = 0; i < info->ncerts; i++) - cert_size += info->raw_certificate_list[i].size; + if (info) + { + for (i = 0; i < info->ncerts; i++) + cert_size += info->raw_certificate_list[i].size; - pack_size = 2 + 4 * 3 + 4 * 2 + info->dh.prime.size + - info->dh.generator.size + info->dh.public_key.size + - info->rsa_export.modulus.size + - info->rsa_export.exponent.size + cert_size; - } else - pack_size = 0; + pack_size = 2 + 4 * 3 + 4 * 2 + info->dh.prime.size + + info->dh.generator.size + info->dh.public_key.size + + info->rsa_export.modulus.size + + info->rsa_export.exponent.size + cert_size; + } + else + pack_size = 0; - packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof(uint32); + packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof (uint32); - /* calculate the size and allocate the data. - */ - packed_session->data = gnutls_malloc(packed_session->size + MAX_SEC_PARAMS); + /* calculate the size and allocate the data. + */ + packed_session->data = + gnutls_malloc (packed_session->size + MAX_SEC_PARAMS); - if (packed_session->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (packed_session->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - packed_session->data[0] = GNUTLS_CRD_CERTIFICATE; - _gnutls_write_uint32(pack_size, - &packed_session->data[PACK_HEADER_SIZE]); - pos += pack_size + PACK_HEADER_SIZE; - - - if (pack_size > 0) { - - _gnutls_write_uint16(info->dh.secret_bits, - &packed_session->data[pos]); - pos += 2; - - _gnutls_write_datum32(&packed_session->data[pos], info->dh.prime); - pos += 4 + info->dh.prime.size; - _gnutls_write_datum32(&packed_session->data[pos], - info->dh.generator); - pos += 4 + info->dh.generator.size; - _gnutls_write_datum32(&packed_session->data[pos], - info->dh.public_key); - pos += 4 + info->dh.public_key.size; - - _gnutls_write_datum32(&packed_session->data[pos], - info->rsa_export.modulus); - pos += 4 + info->rsa_export.modulus.size; - _gnutls_write_datum32(&packed_session->data[pos], - info->rsa_export.exponent); - pos += 4 + info->rsa_export.exponent.size; - - _gnutls_write_uint32(info->ncerts, &packed_session->data[pos]); - pos += 4; - - for (i = 0; i < info->ncerts; i++) { - _gnutls_write_uint32(info->raw_certificate_list[i].size, - &packed_session->data[pos]); - pos += sizeof(uint32); - - memcpy(&packed_session->data[pos], - info->raw_certificate_list[i].data, - info->raw_certificate_list[i].size); - pos += info->raw_certificate_list[i].size; + packed_session->data[0] = GNUTLS_CRD_CERTIFICATE; + _gnutls_write_uint32 (pack_size, &packed_session->data[PACK_HEADER_SIZE]); + pos += pack_size + PACK_HEADER_SIZE; + + + if (pack_size > 0) + { + + _gnutls_write_uint16 (info->dh.secret_bits, &packed_session->data[pos]); + pos += 2; + + _gnutls_write_datum32 (&packed_session->data[pos], info->dh.prime); + pos += 4 + info->dh.prime.size; + _gnutls_write_datum32 (&packed_session->data[pos], info->dh.generator); + pos += 4 + info->dh.generator.size; + _gnutls_write_datum32 (&packed_session->data[pos], info->dh.public_key); + pos += 4 + info->dh.public_key.size; + + _gnutls_write_datum32 (&packed_session->data[pos], + info->rsa_export.modulus); + pos += 4 + info->rsa_export.modulus.size; + _gnutls_write_datum32 (&packed_session->data[pos], + info->rsa_export.exponent); + pos += 4 + info->rsa_export.exponent.size; + + _gnutls_write_uint32 (info->ncerts, &packed_session->data[pos]); + pos += 4; + + for (i = 0; i < info->ncerts; i++) + { + _gnutls_write_uint32 (info->raw_certificate_list[i].size, + &packed_session->data[pos]); + pos += sizeof (uint32); + + memcpy (&packed_session->data[pos], + info->raw_certificate_list[i].data, + info->raw_certificate_list[i].size); + pos += info->raw_certificate_list[i].size; } } - return 0; + return 0; } /* Upack certificate info. */ -static int unpack_certificate_auth_info(gnutls_session_t session, - const gnutls_datum_t * - packed_session) +static int +unpack_certificate_auth_info (gnutls_session_t session, + const gnutls_datum_t * packed_session) { - int pos, size, ret; - unsigned int i, j; - size_t pack_size; - cert_auth_info_t info; - - if (packed_session->data[0] != GNUTLS_CRD_CERTIFICATE) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + int pos, size, ret; + unsigned int i, j; + size_t pack_size; + cert_auth_info_t info; + + if (packed_session->data[0] != GNUTLS_CRD_CERTIFICATE) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - pack_size = - _gnutls_read_uint32(&packed_session->data[PACK_HEADER_SIZE]); - pos += PACK_HEADER_SIZE + 4; + pack_size = _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]); + pos += PACK_HEADER_SIZE + 4; - if (pack_size == 0) - return 0; /* nothing to be done */ + if (pack_size == 0) + return 0; /* nothing to be done */ - /* a simple check for integrity */ - if (pack_size + PACK_HEADER_SIZE + 4 > packed_session->size) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + /* a simple check for integrity */ + if (pack_size + PACK_HEADER_SIZE + 4 > packed_session->size) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* client and server have the same auth_info here - */ - ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, - sizeof(cert_auth_info_st), 1); - if (ret < 0) { - gnutls_assert(); - return ret; + /* client and server have the same auth_info here + */ + ret = + _gnutls_auth_info_set (session, GNUTLS_CRD_CERTIFICATE, + sizeof (cert_auth_info_st), 1); + if (ret < 0) + { + gnutls_assert (); + return ret; } - info = _gnutls_get_auth_info(session); - if (info == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info (session); + if (info == NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - info->dh.secret_bits = _gnutls_read_uint16(&packed_session->data[pos]); - pos += 2; - - size = _gnutls_read_uint32(&packed_session->data[pos]); - pos += 4; - ret = - _gnutls_set_datum(&info->dh.prime, &packed_session->data[pos], - size); - if (ret < 0) { - gnutls_assert(); - goto error; + info->dh.secret_bits = _gnutls_read_uint16 (&packed_session->data[pos]); + pos += 2; + + size = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; + ret = _gnutls_set_datum (&info->dh.prime, &packed_session->data[pos], size); + if (ret < 0) + { + gnutls_assert (); + goto error; } - pos += size; - - size = _gnutls_read_uint32(&packed_session->data[pos]); - pos += 4; - ret = - _gnutls_set_datum(&info->dh.generator, &packed_session->data[pos], - size); - if (ret < 0) { - gnutls_assert(); - goto error; + pos += size; + + size = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; + ret = + _gnutls_set_datum (&info->dh.generator, &packed_session->data[pos], size); + if (ret < 0) + { + gnutls_assert (); + goto error; } - pos += size; - - size = _gnutls_read_uint32(&packed_session->data[pos]); - pos += 4; - ret = - _gnutls_set_datum(&info->dh.public_key, &packed_session->data[pos], - size); - if (ret < 0) { - gnutls_assert(); - goto error; + pos += size; + + size = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; + ret = + _gnutls_set_datum (&info->dh.public_key, &packed_session->data[pos], + size); + if (ret < 0) + { + gnutls_assert (); + goto error; } - pos += size; - - size = _gnutls_read_uint32(&packed_session->data[pos]); - pos += 4; - ret = - _gnutls_set_datum(&info->rsa_export.modulus, - &packed_session->data[pos], size); - if (ret < 0) { - gnutls_assert(); - goto error; + pos += size; + + size = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; + ret = + _gnutls_set_datum (&info->rsa_export.modulus, + &packed_session->data[pos], size); + if (ret < 0) + { + gnutls_assert (); + goto error; } - pos += size; - - size = _gnutls_read_uint32(&packed_session->data[pos]); - pos += 4; - ret = - _gnutls_set_datum(&info->rsa_export.exponent, - &packed_session->data[pos], size); - if (ret < 0) { - gnutls_assert(); - goto error; + pos += size; + + size = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; + ret = + _gnutls_set_datum (&info->rsa_export.exponent, + &packed_session->data[pos], size); + if (ret < 0) + { + gnutls_assert (); + goto error; } - pos += size; + pos += size; - info->ncerts = _gnutls_read_uint32(&packed_session->data[pos]); - pos += 4; + info->ncerts = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; - for (i = 0; i < info->ncerts; i++) { - size = _gnutls_read_uint32(&packed_session->data[pos]); - pos += sizeof(uint32); + for (i = 0; i < info->ncerts; i++) + { + size = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += sizeof (uint32); - ret = - _gnutls_set_datum(&info->raw_certificate_list[i], - &packed_session->data[pos], size); - pos += size; + ret = + _gnutls_set_datum (&info->raw_certificate_list[i], + &packed_session->data[pos], size); + pos += size; - if (ret < 0) { - gnutls_assert(); - goto error; + if (ret < 0) + { + gnutls_assert (); + goto error; } } - return 0; + return 0; - error: - _gnutls_free_datum(&info->dh.prime); - _gnutls_free_datum(&info->dh.generator); - _gnutls_free_datum(&info->dh.public_key); +error: + _gnutls_free_datum (&info->dh.prime); + _gnutls_free_datum (&info->dh.generator); + _gnutls_free_datum (&info->dh.public_key); - _gnutls_free_datum(&info->rsa_export.modulus); - _gnutls_free_datum(&info->rsa_export.exponent); + _gnutls_free_datum (&info->rsa_export.modulus); + _gnutls_free_datum (&info->rsa_export.exponent); - for (j = 0; j < i; j++) - _gnutls_free_datum(&info->raw_certificate_list[j]); + for (j = 0; j < i; j++) + _gnutls_free_datum (&info->raw_certificate_list[j]); - gnutls_free(info->raw_certificate_list); + gnutls_free (info->raw_certificate_list); - return ret; + return ret; } @@ -468,88 +495,95 @@ static int unpack_certificate_auth_info(gnutls_session_t session, * 4 bytes the size of the SRP username (x) * x bytes the SRP username */ -static int pack_srp_auth_info(gnutls_session_t session, - gnutls_datum * packed_session) +static int +pack_srp_auth_info (gnutls_session_t session, gnutls_datum * packed_session) { - srp_server_auth_info_t info = _gnutls_get_auth_info(session); - int pack_size; + srp_server_auth_info_t info = _gnutls_get_auth_info (session); + int pack_size; - if (info == NULL && session->key->auth_info_size != 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (info == NULL && session->key->auth_info_size != 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (info && info->username) - pack_size = strlen(info->username) + 1; /* include the terminating null */ - else - pack_size = 0; + if (info && info->username) + pack_size = strlen (info->username) + 1; /* include the terminating null */ + else + pack_size = 0; - packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof(uint32); + packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof (uint32); - /* calculate the size and allocate the data. - */ - packed_session->data = gnutls_malloc(packed_session->size + MAX_SEC_PARAMS); + /* calculate the size and allocate the data. + */ + packed_session->data = + gnutls_malloc (packed_session->size + MAX_SEC_PARAMS); - if (packed_session->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (packed_session->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - packed_session->data[0] = GNUTLS_CRD_SRP; - _gnutls_write_uint32(pack_size, - &packed_session->data[PACK_HEADER_SIZE]); + packed_session->data[0] = GNUTLS_CRD_SRP; + _gnutls_write_uint32 (pack_size, &packed_session->data[PACK_HEADER_SIZE]); - if (pack_size > 0) - memcpy(&packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], - info->username, pack_size + 1); + if (pack_size > 0) + memcpy (&packed_session->data[PACK_HEADER_SIZE + sizeof (uint32)], + info->username, pack_size + 1); - return 0; + return 0; } -static int unpack_srp_auth_info(gnutls_session_t session, - const gnutls_datum * packed_session) +static int +unpack_srp_auth_info (gnutls_session_t session, + const gnutls_datum * packed_session) { - size_t username_size; - int ret; - srp_server_auth_info_t info; - - if (packed_session->data[0] != GNUTLS_CRD_SRP) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + size_t username_size; + int ret; + srp_server_auth_info_t info; + + if (packed_session->data[0] != GNUTLS_CRD_SRP) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - username_size = - _gnutls_read_uint32(&packed_session->data[PACK_HEADER_SIZE]); + username_size = + _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]); - if (username_size == 0) - return 0; /* nothing to be done */ + if (username_size == 0) + return 0; /* nothing to be done */ - /* a simple check for integrity */ - if (username_size + 4 + PACK_HEADER_SIZE > packed_session->size) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + /* a simple check for integrity */ + if (username_size + 4 + PACK_HEADER_SIZE > packed_session->size) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_SRP, - sizeof(srp_server_auth_info_st), 1); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + _gnutls_auth_info_set (session, GNUTLS_CRD_SRP, + sizeof (srp_server_auth_info_st), 1); + if (ret < 0) + { + gnutls_assert (); + return ret; } - info = _gnutls_get_auth_info(session); - if (info == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info (session); + if (info == NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - memcpy(info->username, - &packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], - username_size); + memcpy (info->username, + &packed_session->data[PACK_HEADER_SIZE + sizeof (uint32)], + username_size); - return 0; + return 0; } #endif @@ -569,147 +603,151 @@ static int unpack_srp_auth_info(gnutls_session_t session, * 4 bytes the size of the public key * x bytes the public key */ -static int pack_anon_auth_info(gnutls_session_t session, - gnutls_datum * packed_session) +static int +pack_anon_auth_info (gnutls_session_t session, gnutls_datum * packed_session) { - anon_auth_info_t info = _gnutls_get_auth_info(session); - int pos; - size_t pack_size; - - if (info == NULL && session->key->auth_info_size != 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + anon_auth_info_t info = _gnutls_get_auth_info (session); + int pos; + size_t pack_size; + + if (info == NULL && session->key->auth_info_size != 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (info) - pack_size = 2 + 4 * 3 + info->dh.prime.size + - info->dh.generator.size + info->dh.public_key.size; - else - pack_size = 0; + if (info) + pack_size = 2 + 4 * 3 + info->dh.prime.size + + info->dh.generator.size + info->dh.public_key.size; + else + pack_size = 0; - packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof(uint32); + packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof (uint32); - /* calculate the size and allocate the data. - */ - packed_session->data = gnutls_malloc(packed_session->size + MAX_SEC_PARAMS); + /* calculate the size and allocate the data. + */ + packed_session->data = + gnutls_malloc (packed_session->size + MAX_SEC_PARAMS); - if (packed_session->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (packed_session->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - packed_session->data[0] = GNUTLS_CRD_ANON; - _gnutls_write_uint32(pack_size, - &packed_session->data[PACK_HEADER_SIZE]); - pos += pack_size + PACK_HEADER_SIZE; - - if (pack_size > 0) { - _gnutls_write_uint16(info->dh.secret_bits, - &packed_session->data[pos]); - pos += 2; - - _gnutls_write_datum32(&packed_session->data[pos], info->dh.prime); - pos += 4 + info->dh.prime.size; - _gnutls_write_datum32(&packed_session->data[pos], - info->dh.generator); - pos += 4 + info->dh.generator.size; - _gnutls_write_datum32(&packed_session->data[pos], - info->dh.public_key); - pos += 4 + info->dh.public_key.size; + packed_session->data[0] = GNUTLS_CRD_ANON; + _gnutls_write_uint32 (pack_size, &packed_session->data[PACK_HEADER_SIZE]); + pos += pack_size + PACK_HEADER_SIZE; + + if (pack_size > 0) + { + _gnutls_write_uint16 (info->dh.secret_bits, &packed_session->data[pos]); + pos += 2; + + _gnutls_write_datum32 (&packed_session->data[pos], info->dh.prime); + pos += 4 + info->dh.prime.size; + _gnutls_write_datum32 (&packed_session->data[pos], info->dh.generator); + pos += 4 + info->dh.generator.size; + _gnutls_write_datum32 (&packed_session->data[pos], info->dh.public_key); + pos += 4 + info->dh.public_key.size; } - return 0; + return 0; } -static int unpack_anon_auth_info(gnutls_session_t session, - const gnutls_datum * packed_session) +static int +unpack_anon_auth_info (gnutls_session_t session, + const gnutls_datum * packed_session) { - size_t pack_size; - int pos, size, ret; - anon_auth_info_t info; - - if (packed_session->data[0] != GNUTLS_CRD_ANON) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + size_t pack_size; + int pos, size, ret; + anon_auth_info_t info; + + if (packed_session->data[0] != GNUTLS_CRD_ANON) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - pack_size = - _gnutls_read_uint32(&packed_session->data[PACK_HEADER_SIZE]); - pos += PACK_HEADER_SIZE + 4; + pack_size = _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]); + pos += PACK_HEADER_SIZE + 4; - if (pack_size == 0) - return 0; /* nothing to be done */ + if (pack_size == 0) + return 0; /* nothing to be done */ - /* a simple check for integrity */ - if (pack_size + PACK_HEADER_SIZE + 4 > packed_session->size) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + /* a simple check for integrity */ + if (pack_size + PACK_HEADER_SIZE + 4 > packed_session->size) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* client and serer have the same auth_info here - */ - ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_ANON, - sizeof(anon_client_auth_info_st), 1); - if (ret < 0) { - gnutls_assert(); - return ret; + /* client and serer have the same auth_info here + */ + ret = + _gnutls_auth_info_set (session, GNUTLS_CRD_ANON, + sizeof (anon_client_auth_info_st), 1); + if (ret < 0) + { + gnutls_assert (); + return ret; } - info = _gnutls_get_auth_info(session); - if (info == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info (session); + if (info == NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - info->dh.secret_bits = _gnutls_read_uint16(&packed_session->data[pos]); - pos += 2; - - size = _gnutls_read_uint32(&packed_session->data[pos]); - pos += 4; - ret = - _gnutls_set_datum(&info->dh.prime, &packed_session->data[pos], - size); - if (ret < 0) { - gnutls_assert(); - goto error; + info->dh.secret_bits = _gnutls_read_uint16 (&packed_session->data[pos]); + pos += 2; + + size = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; + ret = _gnutls_set_datum (&info->dh.prime, &packed_session->data[pos], size); + if (ret < 0) + { + gnutls_assert (); + goto error; } - pos += size; - - size = _gnutls_read_uint32(&packed_session->data[pos]); - pos += 4; - ret = - _gnutls_set_datum(&info->dh.generator, &packed_session->data[pos], - size); - if (ret < 0) { - gnutls_assert(); - goto error; + pos += size; + + size = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; + ret = + _gnutls_set_datum (&info->dh.generator, &packed_session->data[pos], size); + if (ret < 0) + { + gnutls_assert (); + goto error; } - pos += size; - - size = _gnutls_read_uint32(&packed_session->data[pos]); - pos += 4; - ret = - _gnutls_set_datum(&info->dh.public_key, &packed_session->data[pos], - size); - if (ret < 0) { - gnutls_assert(); - goto error; + pos += size; + + size = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; + ret = + _gnutls_set_datum (&info->dh.public_key, &packed_session->data[pos], + size); + if (ret < 0) + { + gnutls_assert (); + goto error; } - pos += size; + pos += size; - return 0; + return 0; - error: - _gnutls_free_datum(&info->dh.prime); - _gnutls_free_datum(&info->dh.generator); - _gnutls_free_datum(&info->dh.public_key); - return ret; +error: + _gnutls_free_datum (&info->dh.prime); + _gnutls_free_datum (&info->dh.generator); + _gnutls_free_datum (&info->dh.public_key); + return ret; } -#endif /* ANON */ +#endif /* ANON */ #ifdef ENABLE_PSK /* Packs the PSK session authentication data. @@ -720,88 +758,95 @@ static int unpack_anon_auth_info(gnutls_session_t session, * 4 bytes the size of the PSK username (x) * x bytes the PSK username */ -static int pack_psk_auth_info(gnutls_session_t session, - gnutls_datum * packed_session) +static int +pack_psk_auth_info (gnutls_session_t session, gnutls_datum * packed_session) { - psk_server_auth_info_t info = _gnutls_get_auth_info(session); - int pack_size; + psk_server_auth_info_t info = _gnutls_get_auth_info (session); + int pack_size; - if (info == NULL && session->key->auth_info_size != 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (info == NULL && session->key->auth_info_size != 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (info && info->username) - pack_size = strlen(info->username) + 1; /* include the terminating null */ - else - pack_size = 0; + if (info && info->username) + pack_size = strlen (info->username) + 1; /* include the terminating null */ + else + pack_size = 0; - packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof(uint32); + packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof (uint32); - /* calculate the size and allocate the data. - */ - packed_session->data = gnutls_malloc(packed_session->size + MAX_SEC_PARAMS); + /* calculate the size and allocate the data. + */ + packed_session->data = + gnutls_malloc (packed_session->size + MAX_SEC_PARAMS); - if (packed_session->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (packed_session->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - packed_session->data[0] = GNUTLS_CRD_PSK; - _gnutls_write_uint32(pack_size, - &packed_session->data[PACK_HEADER_SIZE]); + packed_session->data[0] = GNUTLS_CRD_PSK; + _gnutls_write_uint32 (pack_size, &packed_session->data[PACK_HEADER_SIZE]); - if (pack_size > 0) - memcpy(&packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], - info->username, pack_size + 1); + if (pack_size > 0) + memcpy (&packed_session->data[PACK_HEADER_SIZE + sizeof (uint32)], + info->username, pack_size + 1); - return 0; + return 0; } -static int unpack_psk_auth_info(gnutls_session_t session, - const gnutls_datum * packed_session) +static int +unpack_psk_auth_info (gnutls_session_t session, + const gnutls_datum * packed_session) { - size_t username_size; - int ret; - psk_server_auth_info_t info; - - if (packed_session->data[0] != GNUTLS_CRD_PSK) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + size_t username_size; + int ret; + psk_server_auth_info_t info; + + if (packed_session->data[0] != GNUTLS_CRD_PSK) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - username_size = - _gnutls_read_uint32(&packed_session->data[PACK_HEADER_SIZE]); + username_size = + _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]); - if (username_size == 0) - return 0; /* nothing to be done */ + if (username_size == 0) + return 0; /* nothing to be done */ - /* a simple check for integrity */ - if (username_size + 4 + PACK_HEADER_SIZE > packed_session->size) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + /* a simple check for integrity */ + if (username_size + 4 + PACK_HEADER_SIZE > packed_session->size) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_PSK, - sizeof(psk_server_auth_info_st), 1); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + _gnutls_auth_info_set (session, GNUTLS_CRD_PSK, + sizeof (psk_server_auth_info_st), 1); + if (ret < 0) + { + gnutls_assert (); + return ret; } - info = _gnutls_get_auth_info(session); - if (info == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info (session); + if (info == NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - memcpy(info->username, - &packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], - username_size); + memcpy (info->username, + &packed_session->data[PACK_HEADER_SIZE + sizeof (uint32)], + username_size); - return 0; + return 0; } #endif @@ -854,187 +899,236 @@ static int unpack_psk_auth_info(gnutls_session_t session, * -------------------- * MAX: 7+MAX_SRP_USERNAME+MAX_SERVER_NAME_EXTENSIONS*(3+MAX_SERVER_NAME_SIZE) */ -static int pack_security_parameters(gnutls_session_t session, - gnutls_datum * packed_session) +static int +pack_security_parameters (gnutls_session_t session, + gnutls_datum * packed_session) { - int pos; - size_t len, init, i; - - /* move after the auth info stuff. - */ - init = _gnutls_read_uint32( &packed_session->data[PACK_HEADER_SIZE]) + 4 + PACK_HEADER_SIZE; - - pos = init + 4; /* make some space to write later the size */ - - packed_session->data[pos++] = session->security_parameters.entity; - packed_session->data[pos++] = session->security_parameters.kx_algorithm; - packed_session->data[pos++] = session->security_parameters.read_bulk_cipher_algorithm; - packed_session->data[pos++] = session->security_parameters.read_mac_algorithm; - packed_session->data[pos++] = session->security_parameters.read_compression_algorithm; - packed_session->data[pos++] = session->security_parameters.write_bulk_cipher_algorithm; - packed_session->data[pos++] = session->security_parameters.write_mac_algorithm; - packed_session->data[pos++] = session->security_parameters.write_compression_algorithm; - packed_session->data[pos++] = session->security_parameters.current_cipher_suite.suite[0]; - packed_session->data[pos++] = session->security_parameters.current_cipher_suite.suite[1]; - - packed_session->data[pos++] = session->security_parameters.cert_type; - packed_session->data[pos++] = session->security_parameters.version; - - memcpy(&packed_session->data[pos], session->security_parameters.master_secret, - TLS_MASTER_SIZE); - pos += TLS_MASTER_SIZE; - - memcpy(&packed_session->data[pos], session->security_parameters.client_random, - TLS_RANDOM_SIZE); - pos += TLS_RANDOM_SIZE; - memcpy(&packed_session->data[pos], session->security_parameters.server_random, - TLS_RANDOM_SIZE); - pos += TLS_RANDOM_SIZE; - - packed_session->data[pos++] = session->security_parameters.session_id_size; - memcpy(&packed_session->data[pos], session->security_parameters.session_id, - session->security_parameters.session_id_size); - pos += session->security_parameters.session_id_size; - - _gnutls_write_uint32(session->security_parameters.timestamp, - &packed_session->data[pos]); - pos += 4; - - /* Extensions */ - _gnutls_write_uint16(session->security_parameters.max_record_send_size, - &packed_session->data[pos]); - pos += 2; - - _gnutls_write_uint16(session->security_parameters.max_record_recv_size, - &packed_session->data[pos]); - pos += 2; - - /* SRP */ - len = strlen((char*)session->security_parameters.extensions.srp_username); - packed_session->data[pos++] = len; - memcpy(&packed_session->data[pos], session->security_parameters.extensions.srp_username, - len); - pos += len; - - _gnutls_write_uint16(session->security_parameters.extensions.server_names_size, - &packed_session->data[pos]); - pos += 2; - - for(i=0;i<session->security_parameters.extensions.server_names_size;i++) { - packed_session->data[pos++] = session->security_parameters.extensions.server_names[i].type; - _gnutls_write_uint16(session->security_parameters.extensions.server_names[i].name_length, - &packed_session->data[pos]); - pos += 2; - - memcpy(&packed_session->data[pos], session->security_parameters.extensions. - server_names[i].name, session->security_parameters.extensions.server_names[i].name_length); - pos += session->security_parameters.extensions.server_names[i].name_length; + int pos; + size_t len, init, i; + + /* move after the auth info stuff. + */ + init = + _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]) + 4 + + PACK_HEADER_SIZE; + + pos = init + 4; /* make some space to write later the size */ + + packed_session->data[pos++] = session->security_parameters.entity; + packed_session->data[pos++] = session->security_parameters.kx_algorithm; + packed_session->data[pos++] = + session->security_parameters.read_bulk_cipher_algorithm; + packed_session->data[pos++] = + session->security_parameters.read_mac_algorithm; + packed_session->data[pos++] = + session->security_parameters.read_compression_algorithm; + packed_session->data[pos++] = + session->security_parameters.write_bulk_cipher_algorithm; + packed_session->data[pos++] = + session->security_parameters.write_mac_algorithm; + packed_session->data[pos++] = + session->security_parameters.write_compression_algorithm; + packed_session->data[pos++] = + session->security_parameters.current_cipher_suite.suite[0]; + packed_session->data[pos++] = + session->security_parameters.current_cipher_suite.suite[1]; + + packed_session->data[pos++] = session->security_parameters.cert_type; + packed_session->data[pos++] = session->security_parameters.version; + + memcpy (&packed_session->data[pos], + session->security_parameters.master_secret, TLS_MASTER_SIZE); + pos += TLS_MASTER_SIZE; + + memcpy (&packed_session->data[pos], + session->security_parameters.client_random, TLS_RANDOM_SIZE); + pos += TLS_RANDOM_SIZE; + memcpy (&packed_session->data[pos], + session->security_parameters.server_random, TLS_RANDOM_SIZE); + pos += TLS_RANDOM_SIZE; + + packed_session->data[pos++] = session->security_parameters.session_id_size; + memcpy (&packed_session->data[pos], session->security_parameters.session_id, + session->security_parameters.session_id_size); + pos += session->security_parameters.session_id_size; + + _gnutls_write_uint32 (session->security_parameters.timestamp, + &packed_session->data[pos]); + pos += 4; + + /* Extensions */ + _gnutls_write_uint16 (session->security_parameters.max_record_send_size, + &packed_session->data[pos]); + pos += 2; + + _gnutls_write_uint16 (session->security_parameters.max_record_recv_size, + &packed_session->data[pos]); + pos += 2; + + /* SRP */ + len = + strlen ((char *) session->security_parameters.extensions.srp_username); + packed_session->data[pos++] = len; + memcpy (&packed_session->data[pos], + session->security_parameters.extensions.srp_username, len); + pos += len; + + _gnutls_write_uint16 (session->security_parameters.extensions. + server_names_size, &packed_session->data[pos]); + pos += 2; + + for (i = 0; i < session->security_parameters.extensions.server_names_size; + i++) + { + packed_session->data[pos++] = + session->security_parameters.extensions.server_names[i].type; + _gnutls_write_uint16 (session->security_parameters.extensions. + server_names[i].name_length, + &packed_session->data[pos]); + pos += 2; + + memcpy (&packed_session->data[pos], + session->security_parameters.extensions.server_names[i].name, + session->security_parameters.extensions.server_names[i]. + name_length); + pos += + session->security_parameters.extensions.server_names[i].name_length; } - /* write the total size */ - _gnutls_write_uint32(pos - init - 4, - &packed_session->data[init]); - packed_session->size += pos - init; + /* write the total size */ + _gnutls_write_uint32 (pos - init - 4, &packed_session->data[init]); + packed_session->size += pos - init; - return 0; + return 0; } -static int unpack_security_parameters(gnutls_session_t session, - const gnutls_datum * packed_session) +static int +unpack_security_parameters (gnutls_session_t session, + const gnutls_datum * packed_session) { - size_t pack_size, init, i; - int pos, len; - time_t timestamp = time(0); + size_t pack_size, init, i; + int pos, len; + time_t timestamp = time (0); - /* skip the auth info stuff */ - init = _gnutls_read_uint32( &packed_session->data[PACK_HEADER_SIZE]) + 4 + PACK_HEADER_SIZE; + /* skip the auth info stuff */ + init = + _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]) + 4 + + PACK_HEADER_SIZE; - pos = init; + pos = init; - pack_size = - _gnutls_read_uint32(&packed_session->data[pos]); - pos += 4; + pack_size = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; - if (pack_size == 0) - return GNUTLS_E_INVALID_REQUEST; + if (pack_size == 0) + return GNUTLS_E_INVALID_REQUEST; - /* a simple check for integrity */ - if (pack_size > MAX_SEC_PARAMS) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + /* a simple check for integrity */ + if (pack_size > MAX_SEC_PARAMS) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - session->internals.resumed_security_parameters.entity = packed_session->data[pos++]; - session->internals.resumed_security_parameters.kx_algorithm = packed_session->data[pos++]; - session->internals.resumed_security_parameters.read_bulk_cipher_algorithm = packed_session->data[pos++]; - session->internals.resumed_security_parameters.read_mac_algorithm = packed_session->data[pos++]; - session->internals.resumed_security_parameters.read_compression_algorithm = packed_session->data[pos++]; - session->internals.resumed_security_parameters.write_bulk_cipher_algorithm = packed_session->data[pos++]; - session->internals.resumed_security_parameters.write_mac_algorithm = packed_session->data[pos++]; - session->internals.resumed_security_parameters.write_compression_algorithm = packed_session->data[pos++]; - session->internals.resumed_security_parameters.current_cipher_suite.suite[0] = packed_session->data[pos++]; - session->internals.resumed_security_parameters.current_cipher_suite.suite[1] = packed_session->data[pos++]; - - session->internals.resumed_security_parameters.cert_type = packed_session->data[pos++]; - session->internals.resumed_security_parameters.version = packed_session->data[pos++]; - - memcpy(session->internals.resumed_security_parameters.master_secret,&packed_session->data[pos], - TLS_MASTER_SIZE); - pos += TLS_MASTER_SIZE; - - memcpy(session->internals.resumed_security_parameters.client_random,&packed_session->data[pos], - TLS_RANDOM_SIZE); - pos += TLS_RANDOM_SIZE; - memcpy(session->internals.resumed_security_parameters.server_random,&packed_session->data[pos], - TLS_RANDOM_SIZE); - pos += TLS_RANDOM_SIZE; - - session->internals.resumed_security_parameters.session_id_size = packed_session->data[pos++]; - memcpy( session->internals.resumed_security_parameters.session_id,&packed_session->data[pos], - session->internals.resumed_security_parameters.session_id_size); - pos += session->internals.resumed_security_parameters.session_id_size; - - session->internals.resumed_security_parameters.timestamp = _gnutls_read_uint32( &packed_session->data[pos]); - pos += 4; - - if (timestamp - session->internals.resumed_security_parameters.timestamp > session->internals.expire_time - || session->internals.resumed_security_parameters.timestamp > timestamp) { - gnutls_assert(); - return GNUTLS_E_EXPIRED; + session->internals.resumed_security_parameters.entity = + packed_session->data[pos++]; + session->internals.resumed_security_parameters.kx_algorithm = + packed_session->data[pos++]; + session->internals.resumed_security_parameters.read_bulk_cipher_algorithm = + packed_session->data[pos++]; + session->internals.resumed_security_parameters.read_mac_algorithm = + packed_session->data[pos++]; + session->internals.resumed_security_parameters.read_compression_algorithm = + packed_session->data[pos++]; + session->internals.resumed_security_parameters.write_bulk_cipher_algorithm = + packed_session->data[pos++]; + session->internals.resumed_security_parameters.write_mac_algorithm = + packed_session->data[pos++]; + session->internals.resumed_security_parameters.write_compression_algorithm = + packed_session->data[pos++]; + session->internals.resumed_security_parameters.current_cipher_suite. + suite[0] = packed_session->data[pos++]; + session->internals.resumed_security_parameters.current_cipher_suite. + suite[1] = packed_session->data[pos++]; + + session->internals.resumed_security_parameters.cert_type = + packed_session->data[pos++]; + session->internals.resumed_security_parameters.version = + packed_session->data[pos++]; + + memcpy (session->internals.resumed_security_parameters.master_secret, + &packed_session->data[pos], TLS_MASTER_SIZE); + pos += TLS_MASTER_SIZE; + + memcpy (session->internals.resumed_security_parameters.client_random, + &packed_session->data[pos], TLS_RANDOM_SIZE); + pos += TLS_RANDOM_SIZE; + memcpy (session->internals.resumed_security_parameters.server_random, + &packed_session->data[pos], TLS_RANDOM_SIZE); + pos += TLS_RANDOM_SIZE; + + session->internals.resumed_security_parameters.session_id_size = + packed_session->data[pos++]; + memcpy (session->internals.resumed_security_parameters.session_id, + &packed_session->data[pos], + session->internals.resumed_security_parameters.session_id_size); + pos += session->internals.resumed_security_parameters.session_id_size; + + session->internals.resumed_security_parameters.timestamp = + _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; + + if (timestamp - session->internals.resumed_security_parameters.timestamp > + session->internals.expire_time + || session->internals.resumed_security_parameters.timestamp > timestamp) + { + gnutls_assert (); + return GNUTLS_E_EXPIRED; } - /* Extensions */ - session->internals.resumed_security_parameters.max_record_send_size = _gnutls_read_uint16( - &packed_session->data[pos]); - pos += 2; - - session->internals.resumed_security_parameters.max_record_recv_size = _gnutls_read_uint16( - &packed_session->data[pos]); - pos += 2; - - - /* SRP */ - len = packed_session->data[pos++]; /* srp username length */ - memcpy(session->internals.resumed_security_parameters.extensions.srp_username,&packed_session->data[pos], - len); - session->internals.resumed_security_parameters.extensions.srp_username[len] = 0; - pos += len; - - session->internals.resumed_security_parameters.extensions.server_names_size = - _gnutls_read_uint16(&packed_session->data[pos]); - pos += 2; - for(i=0;i<session->internals.resumed_security_parameters.extensions.server_names_size;i++) { - session->internals.resumed_security_parameters.extensions.server_names[i].type = packed_session->data[pos++]; - session->internals.resumed_security_parameters.extensions.server_names[i].name_length = - _gnutls_read_uint16(&packed_session->data[pos]); - pos += 2; - - memcpy(session->internals.resumed_security_parameters.extensions. - server_names[i].name, &packed_session->data[pos], session->internals.resumed_security_parameters.extensions.server_names[i].name_length); - pos += session->internals.resumed_security_parameters.extensions.server_names[i].name_length; + /* Extensions */ + session->internals.resumed_security_parameters.max_record_send_size = + _gnutls_read_uint16 (&packed_session->data[pos]); + pos += 2; + + session->internals.resumed_security_parameters.max_record_recv_size = + _gnutls_read_uint16 (&packed_session->data[pos]); + pos += 2; + + + /* SRP */ + len = packed_session->data[pos++]; /* srp username length */ + memcpy (session->internals.resumed_security_parameters.extensions. + srp_username, &packed_session->data[pos], len); + session->internals.resumed_security_parameters.extensions. + srp_username[len] = 0; + pos += len; + + session->internals.resumed_security_parameters.extensions. + server_names_size = _gnutls_read_uint16 (&packed_session->data[pos]); + pos += 2; + for (i = 0; + i < + session->internals.resumed_security_parameters.extensions. + server_names_size; i++) + { + session->internals.resumed_security_parameters.extensions. + server_names[i].type = packed_session->data[pos++]; + session->internals.resumed_security_parameters.extensions. + server_names[i].name_length = + _gnutls_read_uint16 (&packed_session->data[pos]); + pos += 2; + + memcpy (session->internals.resumed_security_parameters.extensions. + server_names[i].name, &packed_session->data[pos], + session->internals.resumed_security_parameters.extensions. + server_names[i].name_length); + pos += + session->internals.resumed_security_parameters.extensions. + server_names[i].name_length; } - return 0; + return 0; } diff --git a/lib/gnutls_session_pack.h b/lib/gnutls_session_pack.h index d3beb821fa..d2143c7a2b 100644 --- a/lib/gnutls_session_pack.h +++ b/lib/gnutls_session_pack.h @@ -22,7 +22,7 @@ * */ -int _gnutls_session_pack(gnutls_session_t session, - gnutls_datum_t * packed_session); -int _gnutls_session_unpack(gnutls_session_t session, - const gnutls_datum_t * packed_session); +int _gnutls_session_pack (gnutls_session_t session, + gnutls_datum_t * packed_session); +int _gnutls_session_unpack (gnutls_session_t session, + const gnutls_datum_t * packed_session); diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c index ac4fa7704e..67a4928531 100644 --- a/lib/gnutls_sig.c +++ b/lib/gnutls_sig.c @@ -38,145 +38,156 @@ #include <gnutls_kx.h> static -int _gnutls_tls_sign(gnutls_cert * cert, gnutls_privkey * pkey, - const gnutls_datum_t * hash_concat, - gnutls_datum_t * signature); + int _gnutls_tls_sign (gnutls_cert * cert, gnutls_privkey * pkey, + const gnutls_datum_t * hash_concat, + gnutls_datum_t * signature); /* Generates a signature of all the previous sent packets in the * handshake procedure. (20040227: now it works for SSL 3.0 as well) */ -int _gnutls_tls_sign_hdata(gnutls_session_t session, - gnutls_cert * cert, gnutls_privkey * pkey, - gnutls_datum_t * signature) +int +_gnutls_tls_sign_hdata (gnutls_session_t session, + gnutls_cert * cert, gnutls_privkey * pkey, + gnutls_datum_t * signature) { - gnutls_datum_t dconcat; - int ret; - opaque concat[36]; - mac_hd_t td_md5; - mac_hd_t td_sha; - gnutls_protocol_t ver = gnutls_protocol_get_version(session); - - td_sha = - _gnutls_hash_copy(session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + gnutls_datum_t dconcat; + int ret; + opaque concat[36]; + mac_hd_t td_md5; + mac_hd_t td_sha; + gnutls_protocol_t ver = gnutls_protocol_get_version (session); + + td_sha = _gnutls_hash_copy (session->internals.handshake_mac_handle_sha); + if (td_sha == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - if (ver == GNUTLS_SSL3) { - ret = _gnutls_generate_master(session, 1); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ver == GNUTLS_SSL3) + { + ret = _gnutls_generate_master (session, 1); + if (ret < 0) + { + gnutls_assert (); + return ret; } - _gnutls_mac_deinit_ssl3_handshake(td_sha, &concat[16], - session->security_parameters. - master_secret, TLS_MASTER_SIZE); - } else - _gnutls_hash_deinit(td_sha, &concat[16]); + _gnutls_mac_deinit_ssl3_handshake (td_sha, &concat[16], + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + } + else + _gnutls_hash_deinit (td_sha, &concat[16]); - switch (cert->subject_pk_algorithm) { + switch (cert->subject_pk_algorithm) + { case GNUTLS_PK_RSA: - td_md5 = - _gnutls_hash_copy(session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + td_md5 = + _gnutls_hash_copy (session->internals.handshake_mac_handle_md5); + if (td_md5 == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - if (ver == GNUTLS_SSL3) - _gnutls_mac_deinit_ssl3_handshake(td_md5, concat, - session->security_parameters. - master_secret, - TLS_MASTER_SIZE); - else - _gnutls_hash_deinit(td_md5, concat); - - dconcat.data = concat; - dconcat.size = 36; - break; + if (ver == GNUTLS_SSL3) + _gnutls_mac_deinit_ssl3_handshake (td_md5, concat, + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + else + _gnutls_hash_deinit (td_md5, concat); + + dconcat.data = concat; + dconcat.size = 36; + break; case GNUTLS_PK_DSA: - dconcat.data = &concat[16]; - dconcat.size = 20; - break; + dconcat.data = &concat[16]; + dconcat.size = 20; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - ret = _gnutls_tls_sign(cert, pkey, &dconcat, signature); - if (ret < 0) { - gnutls_assert(); + ret = _gnutls_tls_sign (cert, pkey, &dconcat, signature); + if (ret < 0) + { + gnutls_assert (); } - return ret; + return ret; } /* Generates a signature of all the random data and the parameters. * Used in DHE_* ciphersuites. */ -int _gnutls_tls_sign_params(gnutls_session_t session, gnutls_cert * cert, - gnutls_privkey * pkey, gnutls_datum_t * params, - gnutls_datum_t * signature) +int +_gnutls_tls_sign_params (gnutls_session_t session, gnutls_cert * cert, + gnutls_privkey * pkey, gnutls_datum_t * params, + gnutls_datum_t * signature) { - gnutls_datum_t dconcat; - int ret; - mac_hd_t td_md5; - mac_hd_t td_sha; - opaque concat[36]; - - - td_sha = _gnutls_hash_init(GNUTLS_MAC_SHA1); - if (td_sha == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + gnutls_datum_t dconcat; + int ret; + mac_hd_t td_md5; + mac_hd_t td_sha; + opaque concat[36]; + + + td_sha = _gnutls_hash_init (GNUTLS_MAC_SHA1); + if (td_sha == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - _gnutls_hash(td_sha, session->security_parameters.client_random, - TLS_RANDOM_SIZE); - _gnutls_hash(td_sha, session->security_parameters.server_random, - TLS_RANDOM_SIZE); - _gnutls_hash(td_sha, params->data, params->size); + _gnutls_hash (td_sha, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + _gnutls_hash (td_sha, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + _gnutls_hash (td_sha, params->data, params->size); - _gnutls_hash_deinit(td_sha, &concat[16]); + _gnutls_hash_deinit (td_sha, &concat[16]); - switch (cert->subject_pk_algorithm) { + switch (cert->subject_pk_algorithm) + { case GNUTLS_PK_RSA: - td_md5 = _gnutls_hash_init(GNUTLS_MAC_MD5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + td_md5 = _gnutls_hash_init (GNUTLS_MAC_MD5); + if (td_md5 == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - _gnutls_hash(td_md5, session->security_parameters.client_random, - TLS_RANDOM_SIZE); - _gnutls_hash(td_md5, session->security_parameters.server_random, - TLS_RANDOM_SIZE); - _gnutls_hash(td_md5, params->data, params->size); + _gnutls_hash (td_md5, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + _gnutls_hash (td_md5, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + _gnutls_hash (td_md5, params->data, params->size); - _gnutls_hash_deinit(td_md5, concat); + _gnutls_hash_deinit (td_md5, concat); - dconcat.data = concat; - dconcat.size = 36; - break; + dconcat.data = concat; + dconcat.size = 36; + break; case GNUTLS_PK_DSA: - dconcat.data = &concat[16]; - dconcat.size = 20; - break; + dconcat.data = &concat[16]; + dconcat.size = 20; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - ret = _gnutls_tls_sign(cert, pkey, &dconcat, signature); - if (ret < 0) { - gnutls_assert(); + ret = _gnutls_tls_sign (cert, pkey, &dconcat, signature); + if (ret < 0) + { + gnutls_assert (); } - return ret; + return ret; } @@ -184,237 +195,256 @@ int _gnutls_tls_sign_params(gnutls_session_t session, gnutls_cert * cert, /* This will create a PKCS1 or DSA signature, using the given parameters, and the * given data. The output will be allocated and be put in signature. */ -int _gnutls_sign(gnutls_pk_algorithm_t algo, mpi_t * params, - int params_size, const gnutls_datum_t * data, - gnutls_datum_t * signature) +int +_gnutls_sign (gnutls_pk_algorithm_t algo, mpi_t * params, + int params_size, const gnutls_datum_t * data, + gnutls_datum_t * signature) { - int ret; + int ret; - switch (algo) { + switch (algo) + { case GNUTLS_PK_RSA: - /* encrypt */ - if ((ret = _gnutls_pkcs1_rsa_encrypt(signature, data, params, - params_size, 1)) < 0) { - gnutls_assert(); - return ret; + /* encrypt */ + if ((ret = _gnutls_pkcs1_rsa_encrypt (signature, data, params, + params_size, 1)) < 0) + { + gnutls_assert (); + return ret; } - break; + break; case GNUTLS_PK_DSA: - /* sign */ - if ((ret = _gnutls_dsa_sign(signature, data, params, - params_size)) < 0) { - gnutls_assert(); - return ret; + /* sign */ + if ((ret = _gnutls_dsa_sign (signature, data, params, params_size)) < 0) + { + gnutls_assert (); + return ret; } - break; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - break; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; + break; } - return 0; + return 0; } /* This will create a PKCS1 or DSA signature, as defined in the TLS protocol. * Cert is the certificate of the corresponding private key. It is only checked if * it supports signing. */ -static -int _gnutls_tls_sign(gnutls_cert * cert, gnutls_privkey * pkey, - const gnutls_datum_t * hash_concat, - gnutls_datum_t * signature) +static int +_gnutls_tls_sign (gnutls_cert * cert, gnutls_privkey * pkey, + const gnutls_datum_t * hash_concat, + gnutls_datum_t * signature) { - /* If our certificate supports signing - */ + /* If our certificate supports signing + */ - if (cert != NULL) - if (cert->key_usage != 0) - if (!(cert->key_usage & KEY_DIGITAL_SIGNATURE)) { - gnutls_assert(); - return GNUTLS_E_KEY_USAGE_VIOLATION; - } + if (cert != NULL) + if (cert->key_usage != 0) + if (!(cert->key_usage & KEY_DIGITAL_SIGNATURE)) + { + gnutls_assert (); + return GNUTLS_E_KEY_USAGE_VIOLATION; + } - return _gnutls_sign(pkey->pk_algorithm, pkey->params, - pkey->params_size, hash_concat, signature); + return _gnutls_sign (pkey->pk_algorithm, pkey->params, + pkey->params_size, hash_concat, signature); } -static -int _gnutls_pkcs1_rsa_verify_sig(gnutls_cert * cert, - const gnutls_datum_t * hash_concat, - gnutls_datum_t * signature) +static int +_gnutls_pkcs1_rsa_verify_sig (gnutls_cert * cert, + const gnutls_datum_t * hash_concat, + gnutls_datum_t * signature) { - int ret; - gnutls_datum_t vdata; - - if (cert->version == 0 || cert == NULL) { /* this is the only way to check - * if it is initialized - */ - gnutls_assert(); - return GNUTLS_E_CERTIFICATE_ERROR; + int ret; + gnutls_datum_t vdata; + + if (cert->version == 0 || cert == NULL) + { /* this is the only way to check + * if it is initialized + */ + gnutls_assert (); + return GNUTLS_E_CERTIFICATE_ERROR; } - /* If the certificate supports signing continue. - */ - if (cert != NULL) - if (cert->key_usage != 0) - if (!(cert->key_usage & KEY_DIGITAL_SIGNATURE)) { - gnutls_assert(); - return GNUTLS_E_KEY_USAGE_VIOLATION; - } + /* If the certificate supports signing continue. + */ + if (cert != NULL) + if (cert->key_usage != 0) + if (!(cert->key_usage & KEY_DIGITAL_SIGNATURE)) + { + gnutls_assert (); + return GNUTLS_E_KEY_USAGE_VIOLATION; + } - switch (cert->subject_pk_algorithm) { + switch (cert->subject_pk_algorithm) + { case GNUTLS_PK_RSA: - vdata.data = hash_concat->data; - vdata.size = hash_concat->size; + vdata.data = hash_concat->data; + vdata.size = hash_concat->size; - /* verify signature */ - if ((ret = _gnutls_rsa_verify(&vdata, signature, cert->params, - cert->params_size, 1)) < 0) { - gnutls_assert(); - return ret; + /* verify signature */ + if ((ret = _gnutls_rsa_verify (&vdata, signature, cert->params, + cert->params_size, 1)) < 0) + { + gnutls_assert (); + return ret; } - break; + break; case GNUTLS_PK_DSA: - vdata.data = &hash_concat->data[16]; - vdata.size = 20; /* sha1 */ + vdata.data = &hash_concat->data[16]; + vdata.size = 20; /* sha1 */ - /* verify signature */ - if ((ret = _gnutls_dsa_verify(&vdata, signature, cert->params, - cert->params_size)) < 0) { - gnutls_assert(); - return ret; + /* verify signature */ + if ((ret = _gnutls_dsa_verify (&vdata, signature, cert->params, + cert->params_size)) < 0) + { + gnutls_assert (); + return ret; } - break; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - return 0; + return 0; } /* Verifies a TLS signature (like the one in the client certificate * verify message). */ -int _gnutls_verify_sig_hdata(gnutls_session_t session, gnutls_cert * cert, - gnutls_datum_t * signature) +int +_gnutls_verify_sig_hdata (gnutls_session_t session, gnutls_cert * cert, + gnutls_datum_t * signature) { - int ret; - opaque concat[36]; - mac_hd_t td_md5; - mac_hd_t td_sha; - gnutls_datum_t dconcat; - gnutls_protocol_t ver = gnutls_protocol_get_version(session); - - td_md5 = - _gnutls_hash_copy(session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + int ret; + opaque concat[36]; + mac_hd_t td_md5; + mac_hd_t td_sha; + gnutls_datum_t dconcat; + gnutls_protocol_t ver = gnutls_protocol_get_version (session); + + td_md5 = _gnutls_hash_copy (session->internals.handshake_mac_handle_md5); + if (td_md5 == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - td_sha = - _gnutls_hash_copy(session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) { - gnutls_assert(); - _gnutls_hash_deinit(td_md5, NULL); - return GNUTLS_E_HASH_FAILED; + td_sha = _gnutls_hash_copy (session->internals.handshake_mac_handle_sha); + if (td_sha == NULL) + { + gnutls_assert (); + _gnutls_hash_deinit (td_md5, NULL); + return GNUTLS_E_HASH_FAILED; } - if (ver == GNUTLS_SSL3) { - ret = _gnutls_generate_master(session, 1); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ver == GNUTLS_SSL3) + { + ret = _gnutls_generate_master (session, 1); + if (ret < 0) + { + gnutls_assert (); + return ret; } - _gnutls_mac_deinit_ssl3_handshake(td_md5, concat, - session->security_parameters. - master_secret, TLS_MASTER_SIZE); - _gnutls_mac_deinit_ssl3_handshake(td_sha, &concat[16], - session->security_parameters. - master_secret, TLS_MASTER_SIZE); - } else { - _gnutls_hash_deinit(td_md5, concat); - _gnutls_hash_deinit(td_sha, &concat[16]); + _gnutls_mac_deinit_ssl3_handshake (td_md5, concat, + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + _gnutls_mac_deinit_ssl3_handshake (td_sha, &concat[16], + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + } + else + { + _gnutls_hash_deinit (td_md5, concat); + _gnutls_hash_deinit (td_sha, &concat[16]); } - dconcat.data = concat; - dconcat.size = 20 + 16; /* md5+ sha */ + dconcat.data = concat; + dconcat.size = 20 + 16; /* md5+ sha */ - ret = _gnutls_pkcs1_rsa_verify_sig(cert, &dconcat, signature); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_pkcs1_rsa_verify_sig (cert, &dconcat, signature); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return ret; + return ret; } /* Generates a signature of all the random data and the parameters. * Used in DHE_* ciphersuites. */ -int _gnutls_verify_sig_params(gnutls_session_t session, gnutls_cert * cert, - const gnutls_datum_t * params, - gnutls_datum_t * signature) +int +_gnutls_verify_sig_params (gnutls_session_t session, gnutls_cert * cert, + const gnutls_datum_t * params, + gnutls_datum_t * signature) { - gnutls_datum_t dconcat; - int ret; - mac_hd_t td_md5; - mac_hd_t td_sha; - opaque concat[36]; - - td_md5 = _gnutls_hash_init(GNUTLS_MAC_MD5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + gnutls_datum_t dconcat; + int ret; + mac_hd_t td_md5; + mac_hd_t td_sha; + opaque concat[36]; + + td_md5 = _gnutls_hash_init (GNUTLS_MAC_MD5); + if (td_md5 == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - td_sha = _gnutls_hash_init(GNUTLS_MAC_SHA1); - if (td_sha == NULL) { - gnutls_assert(); - _gnutls_hash_deinit(td_md5, NULL); - return GNUTLS_E_HASH_FAILED; + td_sha = _gnutls_hash_init (GNUTLS_MAC_SHA1); + if (td_sha == NULL) + { + gnutls_assert (); + _gnutls_hash_deinit (td_md5, NULL); + return GNUTLS_E_HASH_FAILED; } - _gnutls_hash(td_md5, session->security_parameters.client_random, - TLS_RANDOM_SIZE); - _gnutls_hash(td_md5, session->security_parameters.server_random, - TLS_RANDOM_SIZE); - _gnutls_hash(td_md5, params->data, params->size); - - _gnutls_hash(td_sha, session->security_parameters.client_random, - TLS_RANDOM_SIZE); - _gnutls_hash(td_sha, session->security_parameters.server_random, - TLS_RANDOM_SIZE); - _gnutls_hash(td_sha, params->data, params->size); - - _gnutls_hash_deinit(td_md5, concat); - _gnutls_hash_deinit(td_sha, &concat[16]); - - dconcat.data = concat; - dconcat.size = 36; - - ret = _gnutls_pkcs1_rsa_verify_sig(cert, &dconcat, signature); - if (ret < 0) { - gnutls_assert(); - return ret; + _gnutls_hash (td_md5, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + _gnutls_hash (td_md5, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + _gnutls_hash (td_md5, params->data, params->size); + + _gnutls_hash (td_sha, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + _gnutls_hash (td_sha, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + _gnutls_hash (td_sha, params->data, params->size); + + _gnutls_hash_deinit (td_md5, concat); + _gnutls_hash_deinit (td_sha, &concat[16]); + + dconcat.data = concat; + dconcat.size = 36; + + ret = _gnutls_pkcs1_rsa_verify_sig (cert, &dconcat, signature); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return ret; + return ret; } diff --git a/lib/gnutls_sig.h b/lib/gnutls_sig.h index cf3615ccf7..43ecca5435 100644 --- a/lib/gnutls_sig.h +++ b/lib/gnutls_sig.h @@ -25,28 +25,27 @@ #ifndef GNUTLS_SIG_H # define GNUTLS_SIG_H -int _gnutls_tls_sign_hdata(gnutls_session_t session, - gnutls_cert * cert, - gnutls_privkey * pkey, - gnutls_datum_t * signature); - -int _gnutls_tls_sign_params(gnutls_session_t session, +int _gnutls_tls_sign_hdata (gnutls_session_t session, gnutls_cert * cert, gnutls_privkey * pkey, - gnutls_datum_t * params, gnutls_datum_t * signature); -int _gnutls_verify_sig_hdata(gnutls_session_t session, +int _gnutls_tls_sign_params (gnutls_session_t session, gnutls_cert * cert, + gnutls_privkey * pkey, + gnutls_datum_t * params, gnutls_datum_t * signature); -int _gnutls_verify_sig_params(gnutls_session_t session, - gnutls_cert * cert, - const gnutls_datum_t * params, - gnutls_datum_t * signature); +int _gnutls_verify_sig_hdata (gnutls_session_t session, + gnutls_cert * cert, gnutls_datum_t * signature); + +int _gnutls_verify_sig_params (gnutls_session_t session, + gnutls_cert * cert, + const gnutls_datum_t * params, + gnutls_datum_t * signature); -int _gnutls_sign(gnutls_pk_algorithm_t algo, - mpi_t * params, int params_size, - const gnutls_datum_t * data, gnutls_datum_t * signature); +int _gnutls_sign (gnutls_pk_algorithm_t algo, + mpi_t * params, int params_size, + const gnutls_datum_t * data, gnutls_datum_t * signature); #endif diff --git a/lib/gnutls_srp.c b/lib/gnutls_srp.c index 5e73b2eabc..9170c868fa 100644 --- a/lib/gnutls_srp.c +++ b/lib/gnutls_srp.c @@ -41,40 +41,44 @@ /* Here functions for SRP (like g^x mod n) are defined */ -int _gnutls_srp_gx(opaque * text, size_t textsize, opaque ** result, - mpi_t g, mpi_t prime, gnutls_alloc_function galloc_func) +int +_gnutls_srp_gx (opaque * text, size_t textsize, opaque ** result, + mpi_t g, mpi_t prime, gnutls_alloc_function galloc_func) { - mpi_t x, e; - size_t result_size; + mpi_t x, e; + size_t result_size; - if (_gnutls_mpi_scan_nz(&x, text, &textsize)) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + if (_gnutls_mpi_scan_nz (&x, text, &textsize)) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - e = _gnutls_mpi_alloc_like(prime); - if (e == NULL) { - gnutls_assert(); - _gnutls_mpi_release(&x); - return GNUTLS_E_MEMORY_ERROR; + e = _gnutls_mpi_alloc_like (prime); + if (e == NULL) + { + gnutls_assert (); + _gnutls_mpi_release (&x); + return GNUTLS_E_MEMORY_ERROR; } - /* e = g^x mod prime (n) */ - _gnutls_mpi_powm(e, g, x, prime); - _gnutls_mpi_release(&x); + /* e = g^x mod prime (n) */ + _gnutls_mpi_powm (e, g, x, prime); + _gnutls_mpi_release (&x); - _gnutls_mpi_print(NULL, &result_size, e); - if (result != NULL) { - *result = galloc_func(result_size); - if ((*result) == NULL) - return GNUTLS_E_MEMORY_ERROR; + _gnutls_mpi_print (NULL, &result_size, e); + if (result != NULL) + { + *result = galloc_func (result_size); + if ((*result) == NULL) + return GNUTLS_E_MEMORY_ERROR; - _gnutls_mpi_print(*result, &result_size, e); + _gnutls_mpi_print (*result, &result_size, e); } - _gnutls_mpi_release(&e); + _gnutls_mpi_release (&e); - return result_size; + return result_size; } @@ -84,295 +88,315 @@ int _gnutls_srp_gx(opaque * text, size_t textsize, opaque ** result, * where k == SHA1(N|g) * Return: B and if ret_b is not NULL b. */ -mpi_t _gnutls_calc_srp_B(mpi_t * ret_b, mpi_t g, mpi_t n, mpi_t v) +mpi_t +_gnutls_calc_srp_B (mpi_t * ret_b, mpi_t g, mpi_t n, mpi_t v) { - mpi_t tmpB = NULL, tmpV = NULL; - mpi_t b = NULL, B = NULL, k = NULL; - int bits; - - - /* calculate: B = (k*v + g^b) % N - */ - bits = _gnutls_mpi_get_nbits(n); - b = _gnutls_mpi_snew(bits); - if (b == NULL) { - gnutls_assert(); - return NULL; + mpi_t tmpB = NULL, tmpV = NULL; + mpi_t b = NULL, B = NULL, k = NULL; + int bits; + + + /* calculate: B = (k*v + g^b) % N + */ + bits = _gnutls_mpi_get_nbits (n); + b = _gnutls_mpi_snew (bits); + if (b == NULL) + { + gnutls_assert (); + return NULL; } - tmpV = _gnutls_mpi_alloc_like(n); + tmpV = _gnutls_mpi_alloc_like (n); - if (tmpV == NULL) { - gnutls_assert(); - goto error; + if (tmpV == NULL) + { + gnutls_assert (); + goto error; } - _gnutls_mpi_randomize(b, bits, GCRY_STRONG_RANDOM); + _gnutls_mpi_randomize (b, bits, GCRY_STRONG_RANDOM); - tmpB = _gnutls_mpi_snew(bits); - if (tmpB == NULL) { - gnutls_assert(); - goto error; + tmpB = _gnutls_mpi_snew (bits); + if (tmpB == NULL) + { + gnutls_assert (); + goto error; } - B = _gnutls_mpi_snew(bits); - if (B == NULL) { - gnutls_assert(); - goto error; + B = _gnutls_mpi_snew (bits); + if (B == NULL) + { + gnutls_assert (); + goto error; } - k = _gnutls_calc_srp_u(n, g, n); - if (k == NULL) { - gnutls_assert(); - goto error; + k = _gnutls_calc_srp_u (n, g, n); + if (k == NULL) + { + gnutls_assert (); + goto error; } - _gnutls_mpi_mulm(tmpV, k, v, n); - _gnutls_mpi_powm(tmpB, g, b, n); + _gnutls_mpi_mulm (tmpV, k, v, n); + _gnutls_mpi_powm (tmpB, g, b, n); - _gnutls_mpi_addm(B, tmpV, tmpB, n); + _gnutls_mpi_addm (B, tmpV, tmpB, n); - _gnutls_mpi_release(&k); - _gnutls_mpi_release(&tmpB); - _gnutls_mpi_release(&tmpV); + _gnutls_mpi_release (&k); + _gnutls_mpi_release (&tmpB); + _gnutls_mpi_release (&tmpV); - if (ret_b) - *ret_b = b; - else - _gnutls_mpi_release(&b); + if (ret_b) + *ret_b = b; + else + _gnutls_mpi_release (&b); - return B; + return B; - error: - _gnutls_mpi_release(&b); - _gnutls_mpi_release(&B); - _gnutls_mpi_release(&k); - _gnutls_mpi_release(&tmpB); - _gnutls_mpi_release(&tmpV); - return NULL; +error: + _gnutls_mpi_release (&b); + _gnutls_mpi_release (&B); + _gnutls_mpi_release (&k); + _gnutls_mpi_release (&tmpB); + _gnutls_mpi_release (&tmpV); + return NULL; } /* This calculates the SHA1(A | B) * A and B will be left-padded with zeros to fill n_size. */ -mpi_t _gnutls_calc_srp_u(mpi_t A, mpi_t B, mpi_t n) +mpi_t +_gnutls_calc_srp_u (mpi_t A, mpi_t B, mpi_t n) { - size_t b_size, a_size; - opaque *holder, hd[MAX_HASH_SIZE]; - size_t holder_size, hash_size, n_size; - GNUTLS_HASH_HANDLE td; - int ret; - mpi_t res; - - /* get the size of n in bytes */ - _gnutls_mpi_print(NULL, &n_size, n); - - _gnutls_mpi_print(NULL, &a_size, A); - _gnutls_mpi_print(NULL, &b_size, B); - - if (a_size > n_size || b_size > n_size) { - gnutls_assert(); - return NULL; /* internal error */ + size_t b_size, a_size; + opaque *holder, hd[MAX_HASH_SIZE]; + size_t holder_size, hash_size, n_size; + GNUTLS_HASH_HANDLE td; + int ret; + mpi_t res; + + /* get the size of n in bytes */ + _gnutls_mpi_print (NULL, &n_size, n); + + _gnutls_mpi_print (NULL, &a_size, A); + _gnutls_mpi_print (NULL, &b_size, B); + + if (a_size > n_size || b_size > n_size) + { + gnutls_assert (); + return NULL; /* internal error */ } - holder_size = n_size + n_size; + holder_size = n_size + n_size; - holder = gnutls_calloc(1, holder_size); - if (holder == NULL) - return NULL; + holder = gnutls_calloc (1, holder_size); + if (holder == NULL) + return NULL; - _gnutls_mpi_print(&holder[n_size - a_size], &a_size, A); - _gnutls_mpi_print(&holder[n_size + n_size - b_size], &b_size, B); + _gnutls_mpi_print (&holder[n_size - a_size], &a_size, A); + _gnutls_mpi_print (&holder[n_size + n_size - b_size], &b_size, B); - td = _gnutls_hash_init(GNUTLS_MAC_SHA1); - if (td == NULL) { - gnutls_free(holder); - gnutls_assert(); - return NULL; + td = _gnutls_hash_init (GNUTLS_MAC_SHA1); + if (td == NULL) + { + gnutls_free (holder); + gnutls_assert (); + return NULL; } - _gnutls_hash(td, holder, holder_size); - _gnutls_hash_deinit(td, hd); - - /* convert the bytes of hd to integer - */ - hash_size = 20; /* SHA */ - ret = _gnutls_mpi_scan_nz(&res, hd, &hash_size); - gnutls_free(holder); - - if (ret < 0) { - gnutls_assert(); - return NULL; + _gnutls_hash (td, holder, holder_size); + _gnutls_hash_deinit (td, hd); + + /* convert the bytes of hd to integer + */ + hash_size = 20; /* SHA */ + ret = _gnutls_mpi_scan_nz (&res, hd, &hash_size); + gnutls_free (holder); + + if (ret < 0) + { + gnutls_assert (); + return NULL; } - return res; + return res; } /* S = (A * v^u) ^ b % N * this is our shared key (server premaster secret) */ -mpi_t _gnutls_calc_srp_S1(mpi_t A, mpi_t b, mpi_t u, mpi_t v, mpi_t n) +mpi_t +_gnutls_calc_srp_S1 (mpi_t A, mpi_t b, mpi_t u, mpi_t v, mpi_t n) { - mpi_t tmp1 = NULL, tmp2 = NULL; - mpi_t S = NULL; + mpi_t tmp1 = NULL, tmp2 = NULL; + mpi_t S = NULL; - S = _gnutls_mpi_alloc_like(n); - if (S == NULL) - return NULL; + S = _gnutls_mpi_alloc_like (n); + if (S == NULL) + return NULL; - tmp1 = _gnutls_mpi_alloc_like(n); - tmp2 = _gnutls_mpi_alloc_like(n); + tmp1 = _gnutls_mpi_alloc_like (n); + tmp2 = _gnutls_mpi_alloc_like (n); - if (tmp1 == NULL || tmp2 == NULL) - goto freeall; + if (tmp1 == NULL || tmp2 == NULL) + goto freeall; - _gnutls_mpi_powm(tmp1, v, u, n); - _gnutls_mpi_mulm(tmp2, A, tmp1, n); - _gnutls_mpi_powm(S, tmp2, b, n); + _gnutls_mpi_powm (tmp1, v, u, n); + _gnutls_mpi_mulm (tmp2, A, tmp1, n); + _gnutls_mpi_powm (S, tmp2, b, n); - _gnutls_mpi_release(&tmp1); - _gnutls_mpi_release(&tmp2); + _gnutls_mpi_release (&tmp1); + _gnutls_mpi_release (&tmp2); - return S; + return S; - freeall: - _gnutls_mpi_release(&tmp1); - _gnutls_mpi_release(&tmp2); - return NULL; +freeall: + _gnutls_mpi_release (&tmp1); + _gnutls_mpi_release (&tmp2); + return NULL; } /* A = g^a % N * returns A and a (which is random) */ -mpi_t _gnutls_calc_srp_A(mpi_t * a, mpi_t g, mpi_t n) +mpi_t +_gnutls_calc_srp_A (mpi_t * a, mpi_t g, mpi_t n) { - mpi_t tmpa; - mpi_t A; - int bits; - - bits = _gnutls_mpi_get_nbits(n); - tmpa = _gnutls_mpi_snew(bits); - if (tmpa == NULL) { - gnutls_assert(); - return NULL; + mpi_t tmpa; + mpi_t A; + int bits; + + bits = _gnutls_mpi_get_nbits (n); + tmpa = _gnutls_mpi_snew (bits); + if (tmpa == NULL) + { + gnutls_assert (); + return NULL; } - _gnutls_mpi_randomize(tmpa, bits, GCRY_STRONG_RANDOM); + _gnutls_mpi_randomize (tmpa, bits, GCRY_STRONG_RANDOM); - A = _gnutls_mpi_snew(bits); - if (A == NULL) { - gnutls_assert(); - _gnutls_mpi_release(&tmpa); - return NULL; + A = _gnutls_mpi_snew (bits); + if (A == NULL) + { + gnutls_assert (); + _gnutls_mpi_release (&tmpa); + return NULL; } - _gnutls_mpi_powm(A, g, tmpa, n); + _gnutls_mpi_powm (A, g, tmpa, n); - if (a != NULL) - *a = tmpa; - else - _gnutls_mpi_release(&tmpa); + if (a != NULL) + *a = tmpa; + else + _gnutls_mpi_release (&tmpa); - return A; + return A; } /* generate x = SHA(s | SHA(U | ":" | p)) * The output is exactly 20 bytes */ -int _gnutls_calc_srp_sha(const char *username, const char *password, - opaque * salt, int salt_size, size_t * size, - void *digest) +int +_gnutls_calc_srp_sha (const char *username, const char *password, + opaque * salt, int salt_size, size_t * size, + void *digest) { - GNUTLS_HASH_HANDLE td; - opaque res[MAX_HASH_SIZE]; + GNUTLS_HASH_HANDLE td; + opaque res[MAX_HASH_SIZE]; - *size = 20; + *size = 20; - td = _gnutls_hash_init(GNUTLS_MAC_SHA1); - if (td == NULL) { - return GNUTLS_E_MEMORY_ERROR; + td = _gnutls_hash_init (GNUTLS_MAC_SHA1); + if (td == NULL) + { + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_hash(td, username, strlen(username)); - _gnutls_hash(td, ":", 1); - _gnutls_hash(td, password, strlen(password)); + _gnutls_hash (td, username, strlen (username)); + _gnutls_hash (td, ":", 1); + _gnutls_hash (td, password, strlen (password)); - _gnutls_hash_deinit(td, res); + _gnutls_hash_deinit (td, res); - td = _gnutls_hash_init(GNUTLS_MAC_SHA1); - if (td == NULL) { - return GNUTLS_E_MEMORY_ERROR; + td = _gnutls_hash_init (GNUTLS_MAC_SHA1); + if (td == NULL) + { + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_hash(td, salt, salt_size); - _gnutls_hash(td, res, 20); /* 20 bytes is the output of sha1 */ + _gnutls_hash (td, salt, salt_size); + _gnutls_hash (td, res, 20); /* 20 bytes is the output of sha1 */ - _gnutls_hash_deinit(td, digest); + _gnutls_hash_deinit (td, digest); - return 0; + return 0; } -int _gnutls_calc_srp_x(char *username, char *password, opaque * salt, - size_t salt_size, size_t * size, void *digest) +int +_gnutls_calc_srp_x (char *username, char *password, opaque * salt, + size_t salt_size, size_t * size, void *digest) { - return _gnutls_calc_srp_sha(username, password, salt, - salt_size, size, digest); + return _gnutls_calc_srp_sha (username, password, salt, + salt_size, size, digest); } /* S = (B - k*g^x) ^ (a + u * x) % N * this is our shared key (client premaster secret) */ -mpi_t _gnutls_calc_srp_S2(mpi_t B, mpi_t g, mpi_t x, - mpi_t a, mpi_t u, mpi_t n) +mpi_t +_gnutls_calc_srp_S2 (mpi_t B, mpi_t g, mpi_t x, mpi_t a, mpi_t u, mpi_t n) { - mpi_t S = NULL, tmp1 = NULL, tmp2 = NULL; - mpi_t tmp4 = NULL, tmp3 = NULL, k = NULL; - - S = _gnutls_mpi_alloc_like(n); - if (S == NULL) - return NULL; - - tmp1 = _gnutls_mpi_alloc_like(n); - tmp2 = _gnutls_mpi_alloc_like(n); - tmp3 = _gnutls_mpi_alloc_like(n); - if (tmp1 == NULL || tmp2 == NULL || tmp3 == NULL) { - goto freeall; + mpi_t S = NULL, tmp1 = NULL, tmp2 = NULL; + mpi_t tmp4 = NULL, tmp3 = NULL, k = NULL; + + S = _gnutls_mpi_alloc_like (n); + if (S == NULL) + return NULL; + + tmp1 = _gnutls_mpi_alloc_like (n); + tmp2 = _gnutls_mpi_alloc_like (n); + tmp3 = _gnutls_mpi_alloc_like (n); + if (tmp1 == NULL || tmp2 == NULL || tmp3 == NULL) + { + goto freeall; } - k = _gnutls_calc_srp_u(n, g, n); - if (k == NULL) { - gnutls_assert(); - goto freeall; + k = _gnutls_calc_srp_u (n, g, n); + if (k == NULL) + { + gnutls_assert (); + goto freeall; } - _gnutls_mpi_powm(tmp1, g, x, n); /* g^x */ - _gnutls_mpi_mulm(tmp3, tmp1, k, n); /* k*g^x mod n */ - _gnutls_mpi_subm(tmp2, B, tmp3, n); - - tmp4 = _gnutls_mpi_alloc_like(n); - if (tmp4 == NULL) - goto freeall; - - _gnutls_mpi_mul(tmp1, u, x); - _gnutls_mpi_add(tmp4, a, tmp1); - _gnutls_mpi_powm(S, tmp2, tmp4, n); - - _gnutls_mpi_release(&tmp1); - _gnutls_mpi_release(&tmp2); - _gnutls_mpi_release(&tmp3); - _gnutls_mpi_release(&tmp4); - _gnutls_mpi_release(&k); - - return S; - - freeall: - _gnutls_mpi_release(&k); - _gnutls_mpi_release(&tmp1); - _gnutls_mpi_release(&tmp2); - _gnutls_mpi_release(&tmp3); - _gnutls_mpi_release(&tmp4); - _gnutls_mpi_release(&S); - return NULL; + _gnutls_mpi_powm (tmp1, g, x, n); /* g^x */ + _gnutls_mpi_mulm (tmp3, tmp1, k, n); /* k*g^x mod n */ + _gnutls_mpi_subm (tmp2, B, tmp3, n); + + tmp4 = _gnutls_mpi_alloc_like (n); + if (tmp4 == NULL) + goto freeall; + + _gnutls_mpi_mul (tmp1, u, x); + _gnutls_mpi_add (tmp4, a, tmp1); + _gnutls_mpi_powm (S, tmp2, tmp4, n); + + _gnutls_mpi_release (&tmp1); + _gnutls_mpi_release (&tmp2); + _gnutls_mpi_release (&tmp3); + _gnutls_mpi_release (&tmp4); + _gnutls_mpi_release (&k); + + return S; + +freeall: + _gnutls_mpi_release (&k); + _gnutls_mpi_release (&tmp1); + _gnutls_mpi_release (&tmp2); + _gnutls_mpi_release (&tmp3); + _gnutls_mpi_release (&tmp4); + _gnutls_mpi_release (&S); + return NULL; } /** @@ -383,11 +407,12 @@ mpi_t _gnutls_calc_srp_S2(mpi_t B, mpi_t g, mpi_t x, * this helper function is provided in order to free (deallocate) it. * **/ -void gnutls_srp_free_client_credentials(gnutls_srp_client_credentials_t sc) +void +gnutls_srp_free_client_credentials (gnutls_srp_client_credentials_t sc) { - gnutls_free(sc->username); - gnutls_free(sc->password); - gnutls_free(sc); + gnutls_free (sc->username); + gnutls_free (sc->password); + gnutls_free (sc); } /** @@ -399,15 +424,15 @@ void gnutls_srp_free_client_credentials(gnutls_srp_client_credentials_t sc) * * Returns 0 on success. **/ -int gnutls_srp_allocate_client_credentials(gnutls_srp_client_credentials_t - * sc) +int +gnutls_srp_allocate_client_credentials (gnutls_srp_client_credentials_t * sc) { - *sc = gnutls_calloc(1, sizeof(srp_client_credentials_st)); + *sc = gnutls_calloc (1, sizeof (srp_client_credentials_st)); - if (*sc == NULL) - return GNUTLS_E_MEMORY_ERROR; + if (*sc == NULL) + return GNUTLS_E_MEMORY_ERROR; - return 0; + return 0; } /** @@ -422,26 +447,29 @@ int gnutls_srp_allocate_client_credentials(gnutls_srp_client_credentials_t * * Returns 0 on success. **/ -int gnutls_srp_set_client_credentials(gnutls_srp_client_credentials_t res, - char *username, char *password) +int +gnutls_srp_set_client_credentials (gnutls_srp_client_credentials_t res, + char *username, char *password) { - if (username == NULL || password == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (username == NULL || password == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - res->username = gnutls_strdup(username); - if (res->username == NULL) - return GNUTLS_E_MEMORY_ERROR; + res->username = gnutls_strdup (username); + if (res->username == NULL) + return GNUTLS_E_MEMORY_ERROR; - res->password = gnutls_strdup(password); - if (res->password == NULL) { - gnutls_free(res->username); - return GNUTLS_E_MEMORY_ERROR; + res->password = gnutls_strdup (password); + if (res->password == NULL) + { + gnutls_free (res->username); + return GNUTLS_E_MEMORY_ERROR; } - return 0; + return 0; } /** @@ -452,12 +480,13 @@ int gnutls_srp_set_client_credentials(gnutls_srp_client_credentials_t res, * this helper function is provided in order to free (deallocate) it. * **/ -void gnutls_srp_free_server_credentials(gnutls_srp_server_credentials_t sc) +void +gnutls_srp_free_server_credentials (gnutls_srp_server_credentials_t sc) { - gnutls_free(sc->password_file); - gnutls_free(sc->password_conf_file); + gnutls_free (sc->password_file); + gnutls_free (sc->password_conf_file); - gnutls_free(sc); + gnutls_free (sc); } /** @@ -469,15 +498,15 @@ void gnutls_srp_free_server_credentials(gnutls_srp_server_credentials_t sc) * * Returns 0 on success. **/ -int gnutls_srp_allocate_server_credentials(gnutls_srp_server_credentials_t - * sc) +int +gnutls_srp_allocate_server_credentials (gnutls_srp_server_credentials_t * sc) { - *sc = gnutls_calloc(1, sizeof(srp_server_cred_st)); + *sc = gnutls_calloc (1, sizeof (srp_server_cred_st)); - if (*sc == NULL) - return GNUTLS_E_MEMORY_ERROR; + if (*sc == NULL) + return GNUTLS_E_MEMORY_ERROR; - return 0; + return 0; } /** @@ -492,42 +521,48 @@ int gnutls_srp_allocate_server_credentials(gnutls_srp_server_credentials_t * Returns 0 on success. * **/ -int gnutls_srp_set_server_credentials_file(gnutls_srp_server_credentials_t - res, const char *password_file, - const char *password_conf_file) +int +gnutls_srp_set_server_credentials_file (gnutls_srp_server_credentials_t + res, const char *password_file, + const char *password_conf_file) { - if (password_file == NULL || password_conf_file == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (password_file == NULL || password_conf_file == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Check if the files can be opened */ - if (_gnutls_file_exists(password_file) != 0) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; + /* Check if the files can be opened */ + if (_gnutls_file_exists (password_file) != 0) + { + gnutls_assert (); + return GNUTLS_E_FILE_ERROR; } - if (_gnutls_file_exists(password_conf_file) != 0) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; + if (_gnutls_file_exists (password_conf_file) != 0) + { + gnutls_assert (); + return GNUTLS_E_FILE_ERROR; } - res->password_file = gnutls_strdup(password_file); - if (res->password_file == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + res->password_file = gnutls_strdup (password_file); + if (res->password_file == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - res->password_conf_file = gnutls_strdup(password_conf_file); - if (res->password_conf_file == NULL) { - gnutls_assert(); - gnutls_free(res->password_file); - res->password_file = NULL; - return GNUTLS_E_MEMORY_ERROR; + res->password_conf_file = gnutls_strdup (password_conf_file); + if (res->password_conf_file == NULL) + { + gnutls_assert (); + gnutls_free (res->password_file); + res->password_file = NULL; + return GNUTLS_E_MEMORY_ERROR; } - return 0; + return 0; } @@ -561,12 +596,12 @@ int gnutls_srp_set_server_credentials_file(gnutls_srp_server_credentials_t * **/ void -gnutls_srp_set_server_credentials_function(gnutls_srp_server_credentials_t - cred, - gnutls_srp_server_credentials_function - * func) +gnutls_srp_set_server_credentials_function (gnutls_srp_server_credentials_t + cred, + gnutls_srp_server_credentials_function + * func) { - cred->pwd_callback = func; + cred->pwd_callback = func; } /** @@ -601,12 +636,12 @@ gnutls_srp_set_server_credentials_function(gnutls_srp_server_credentials_t * **/ void -gnutls_srp_set_client_credentials_function(gnutls_srp_client_credentials_t - cred, - gnutls_srp_client_credentials_function - * func) +gnutls_srp_set_client_credentials_function (gnutls_srp_client_credentials_t + cred, + gnutls_srp_client_credentials_function + * func) { - cred->get_function = func; + cred->get_function = func; } @@ -619,16 +654,17 @@ gnutls_srp_set_client_credentials_function(gnutls_srp_client_credentials_t * Returns NULL in case of an error. * **/ -const char *gnutls_srp_server_get_username(gnutls_session_t session) +const char * +gnutls_srp_server_get_username (gnutls_session_t session) { - srp_server_auth_info_t info; + srp_server_auth_info_t info; - CHECK_AUTH(GNUTLS_CRD_SRP, NULL); + CHECK_AUTH (GNUTLS_CRD_SRP, NULL); - info = _gnutls_get_auth_info(session); - if (info == NULL) - return NULL; - return info->username; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return NULL; + return info->username; } /** @@ -648,43 +684,48 @@ const char *gnutls_srp_server_get_username(gnutls_session_t session) * binary format. * **/ -int gnutls_srp_verifier(const char *username, const char *password, - const gnutls_datum_t * salt, - const gnutls_datum_t * generator, - const gnutls_datum_t * prime, gnutls_datum_t * res) +int +gnutls_srp_verifier (const char *username, const char *password, + const gnutls_datum_t * salt, + const gnutls_datum_t * generator, + const gnutls_datum_t * prime, gnutls_datum_t * res) { - mpi_t _n, _g; - int ret; - size_t digest_size = 20, size; - opaque digest[20]; - - ret = _gnutls_calc_srp_sha(username, password, salt->data, - salt->size, &digest_size, digest); - if (ret < 0) { - gnutls_assert(); - return ret; + mpi_t _n, _g; + int ret; + size_t digest_size = 20, size; + opaque digest[20]; + + ret = _gnutls_calc_srp_sha (username, password, salt->data, + salt->size, &digest_size, digest); + if (ret < 0) + { + gnutls_assert (); + return ret; } - size = prime->size; - if (_gnutls_mpi_scan_nz(&_n, prime->data, &size)) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + size = prime->size; + if (_gnutls_mpi_scan_nz (&_n, prime->data, &size)) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - size = generator->size; - if (_gnutls_mpi_scan_nz(&_g, generator->data, &size)) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; + size = generator->size; + if (_gnutls_mpi_scan_nz (&_g, generator->data, &size)) + { + gnutls_assert (); + return GNUTLS_E_MPI_SCAN_FAILED; } - ret = _gnutls_srp_gx(digest, 20, &res->data, _g, _n, malloc); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_srp_gx (digest, 20, &res->data, _g, _n, malloc); + if (ret < 0) + { + gnutls_assert (); + return ret; } - res->size = ret; + res->size = ret; - return 0; + return 0; } -#endif /* ENABLE_SRP */ +#endif /* ENABLE_SRP */ diff --git a/lib/gnutls_srp.h b/lib/gnutls_srp.h index 4de701d77d..befcbc578e 100644 --- a/lib/gnutls_srp.h +++ b/lib/gnutls_srp.h @@ -24,17 +24,17 @@ #ifdef ENABLE_SRP -int _gnutls_srp_gx(opaque * text, size_t textsize, opaque ** result, - mpi_t g, mpi_t prime, gnutls_alloc_function); -mpi_t _gnutls_calc_srp_B(mpi_t * ret_b, mpi_t g, mpi_t n, mpi_t v); -mpi_t _gnutls_calc_srp_u(mpi_t A, mpi_t B, mpi_t N); -mpi_t _gnutls_calc_srp_S1(mpi_t A, mpi_t b, mpi_t u, mpi_t v, mpi_t n); -mpi_t _gnutls_calc_srp_A(mpi_t * a, mpi_t g, mpi_t n); -mpi_t _gnutls_calc_srp_S2(mpi_t B, mpi_t g, mpi_t x, mpi_t a, mpi_t u, - mpi_t n); -int _gnutls_calc_srp_x(char *username, char *password, opaque * salt, - size_t salt_size, size_t * size, void *digest); -int _gnutls_srp_gn(opaque ** ret_g, opaque ** ret_n, int bits); +int _gnutls_srp_gx (opaque * text, size_t textsize, opaque ** result, + mpi_t g, mpi_t prime, gnutls_alloc_function); +mpi_t _gnutls_calc_srp_B (mpi_t * ret_b, mpi_t g, mpi_t n, mpi_t v); +mpi_t _gnutls_calc_srp_u (mpi_t A, mpi_t B, mpi_t N); +mpi_t _gnutls_calc_srp_S1 (mpi_t A, mpi_t b, mpi_t u, mpi_t v, mpi_t n); +mpi_t _gnutls_calc_srp_A (mpi_t * a, mpi_t g, mpi_t n); +mpi_t _gnutls_calc_srp_S2 (mpi_t B, mpi_t g, mpi_t x, mpi_t a, mpi_t u, + mpi_t n); +int _gnutls_calc_srp_x (char *username, char *password, opaque * salt, + size_t salt_size, size_t * size, void *digest); +int _gnutls_srp_gn (opaque ** ret_g, opaque ** ret_n, int bits); /* g is defined to be 2 */ #define SRP_MAX_HASH_SIZE 24 diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c index 7087c60a88..774c5a2805 100644 --- a/lib/gnutls_state.c +++ b/lib/gnutls_state.c @@ -49,10 +49,11 @@ return ret; \ } -void _gnutls_session_cert_type_set(gnutls_session_t session, - gnutls_certificate_type_t ct) +void +_gnutls_session_cert_type_set (gnutls_session_t session, + gnutls_certificate_type_t ct) { - session->security_parameters.cert_type = ct; + session->security_parameters.cert_type = ct; } /** @@ -61,9 +62,10 @@ void _gnutls_session_cert_type_set(gnutls_session_t session, * * Returns the currently used cipher. **/ -gnutls_cipher_algorithm_t gnutls_cipher_get(gnutls_session_t session) +gnutls_cipher_algorithm_t +gnutls_cipher_get (gnutls_session_t session) { - return session->security_parameters.read_bulk_cipher_algorithm; + return session->security_parameters.read_bulk_cipher_algorithm; } /** @@ -74,10 +76,10 @@ gnutls_cipher_algorithm_t gnutls_cipher_get(gnutls_session_t session) * is by default X.509, unless it is negotiated as a TLS extension. * **/ -gnutls_certificate_type_t gnutls_certificate_type_get(gnutls_session_t - session) +gnutls_certificate_type_t +gnutls_certificate_type_get (gnutls_session_t session) { - return session->security_parameters.cert_type; + return session->security_parameters.cert_type; } /** @@ -86,9 +88,10 @@ gnutls_certificate_type_t gnutls_certificate_type_get(gnutls_session_t * * Returns the key exchange algorithm used in the last handshake. **/ -gnutls_kx_algorithm_t gnutls_kx_get(gnutls_session_t session) +gnutls_kx_algorithm_t +gnutls_kx_get (gnutls_session_t session) { - return session->security_parameters.kx_algorithm; + return session->security_parameters.kx_algorithm; } /** @@ -97,9 +100,10 @@ gnutls_kx_algorithm_t gnutls_kx_get(gnutls_session_t session) * * Returns the currently used mac algorithm. **/ -gnutls_mac_algorithm_t gnutls_mac_get(gnutls_session_t session) +gnutls_mac_algorithm_t +gnutls_mac_get (gnutls_session_t session) { - return session->security_parameters.read_mac_algorithm; + return session->security_parameters.read_mac_algorithm; } /** @@ -108,107 +112,112 @@ gnutls_mac_algorithm_t gnutls_mac_get(gnutls_session_t session) * * Returns the currently used compression method. **/ -gnutls_compression_method_t gnutls_compression_get(gnutls_session_t - session) +gnutls_compression_method_t +gnutls_compression_get (gnutls_session_t session) { - return session->security_parameters.read_compression_algorithm; + return session->security_parameters.read_compression_algorithm; } /* Check if the given certificate type is supported. * This means that it is enabled by the priority functions, * and a matching certificate exists. */ -int _gnutls_session_cert_type_supported(gnutls_session_t session, - gnutls_certificate_type_t - cert_type) -{ - uint i; - uint cert_found = 0; - gnutls_certificate_credentials_t cred; - - if (session->security_parameters.entity == GNUTLS_SERVER) { - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - - if (cred == NULL) - return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; - - for (i = 0; i < cred->ncerts; i++) { - if (cred->cert_list[i][0].cert_type == cert_type) { - cert_found = 1; - break; +int +_gnutls_session_cert_type_supported (gnutls_session_t session, + gnutls_certificate_type_t cert_type) +{ + uint i; + uint cert_found = 0; + gnutls_certificate_credentials_t cred; + + if (session->security_parameters.entity == GNUTLS_SERVER) + { + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + + if (cred == NULL) + return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + + for (i = 0; i < cred->ncerts; i++) + { + if (cred->cert_list[i][0].cert_type == cert_type) + { + cert_found = 1; + break; } } - if (cert_found == 0) - /* no certificate is of that type. - */ - return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + if (cert_found == 0) + /* no certificate is of that type. + */ + return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; } - if (session->internals.cert_type_priority.algorithms == 0 - && cert_type == DEFAULT_CERT_TYPE) - return 0; + if (session->internals.cert_type_priority.algorithms == 0 + && cert_type == DEFAULT_CERT_TYPE) + return 0; - for (i = 0; i < session->internals.cert_type_priority.algorithms; i++) { - if (session->internals.cert_type_priority.priority[i] - == cert_type) { - return 0; /* ok */ + for (i = 0; i < session->internals.cert_type_priority.algorithms; i++) + { + if (session->internals.cert_type_priority.priority[i] == cert_type) + { + return 0; /* ok */ } } - return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; } /* this function deinitializes all the internal parameters stored * in a session struct. */ -inline static void deinit_internal_params(gnutls_session_t session) +inline static void +deinit_internal_params (gnutls_session_t session) { - if (session->internals.params.free_anon_dh_params) - gnutls_dh_params_deinit(session->internals.params.anon_dh_params); + if (session->internals.params.free_anon_dh_params) + gnutls_dh_params_deinit (session->internals.params.anon_dh_params); - if (session->internals.params.free_cert_dh_params) - gnutls_dh_params_deinit(session->internals.params.cert_dh_params); + if (session->internals.params.free_cert_dh_params) + gnutls_dh_params_deinit (session->internals.params.cert_dh_params); - if (session->internals.params.free_rsa_params) - gnutls_rsa_params_deinit(session->internals.params.rsa_params); + if (session->internals.params.free_rsa_params) + gnutls_rsa_params_deinit (session->internals.params.rsa_params); - memset(&session->internals.params, 0, - sizeof(session->internals.params)); + memset (&session->internals.params, 0, sizeof (session->internals.params)); } /* This function will clear all the variables in internals * structure within the session, which depend on the current handshake. * This is used to allow further handshakes. */ -void _gnutls_handshake_internal_state_clear(gnutls_session_t session) +void +_gnutls_handshake_internal_state_clear (gnutls_session_t session) { - session->internals.extensions_sent_size = 0; + session->internals.extensions_sent_size = 0; - /* by default no selected certificate */ - session->internals.proposed_record_size = DEFAULT_MAX_RECORD_SIZE; - session->internals.adv_version_major = 0; - session->internals.adv_version_minor = 0; - session->internals.v2_hello = 0; - memset(&session->internals.handshake_header_buffer, 0, - sizeof(handshake_header_buffer_st)); - session->internals.adv_version_minor = 0; - session->internals.adv_version_minor = 0; - session->internals.direction = 0; + /* by default no selected certificate */ + session->internals.proposed_record_size = DEFAULT_MAX_RECORD_SIZE; + session->internals.adv_version_major = 0; + session->internals.adv_version_minor = 0; + session->internals.v2_hello = 0; + memset (&session->internals.handshake_header_buffer, 0, + sizeof (handshake_header_buffer_st)); + session->internals.adv_version_minor = 0; + session->internals.adv_version_minor = 0; + session->internals.direction = 0; - /* use out of band data for the last - * handshake messages received. - */ - session->internals.last_handshake_in = -1; - session->internals.last_handshake_out = -1; + /* use out of band data for the last + * handshake messages received. + */ + session->internals.last_handshake_in = -1; + session->internals.last_handshake_out = -1; - session->internals.handshake_restarted = 0; + session->internals.handshake_restarted = 0; - session->internals.resumable = RESUME_TRUE; - _gnutls_free_datum(&session->internals.recv_buffer); + session->internals.resumable = RESUME_TRUE; + _gnutls_free_datum (&session->internals.recv_buffer); - deinit_internal_params(session); + deinit_internal_params (session); } @@ -224,101 +233,101 @@ void _gnutls_handshake_internal_state_clear(gnutls_session_t session) * This function allocates structures which can only be free'd * by calling gnutls_deinit(). Returns zero on success. **/ -int gnutls_init(gnutls_session_t * session, - gnutls_connection_end_t con_end) +int +gnutls_init (gnutls_session_t * session, gnutls_connection_end_t con_end) { - *session = gnutls_calloc(1, sizeof(struct gnutls_session_int)); - if (*session == NULL) - return GNUTLS_E_MEMORY_ERROR; + *session = gnutls_calloc (1, sizeof (struct gnutls_session_int)); + if (*session == NULL) + return GNUTLS_E_MEMORY_ERROR; - (*session)->security_parameters.entity = con_end; + (*session)->security_parameters.entity = con_end; - /* the default certificate type for TLS */ - (*session)->security_parameters.cert_type = DEFAULT_CERT_TYPE; + /* the default certificate type for TLS */ + (*session)->security_parameters.cert_type = DEFAULT_CERT_TYPE; /* Set the defaults for initial handshake */ - (*session)->security_parameters.read_bulk_cipher_algorithm = - (*session)->security_parameters.write_bulk_cipher_algorithm = - GNUTLS_CIPHER_NULL; - - (*session)->security_parameters.read_mac_algorithm = - (*session)->security_parameters.write_mac_algorithm = - GNUTLS_MAC_NULL; - - (*session)->security_parameters.read_compression_algorithm = - GNUTLS_COMP_NULL; - (*session)->security_parameters.write_compression_algorithm = - GNUTLS_COMP_NULL; - - (*session)->internals.enable_private = 0; - - /* Initialize buffers */ - _gnutls_buffer_init(&(*session)->internals.application_data_buffer); - _gnutls_buffer_init(&(*session)->internals.handshake_data_buffer); - _gnutls_buffer_init(&(*session)->internals.handshake_hash_buffer); - - _gnutls_buffer_init(&(*session)->internals.record_send_buffer); - _gnutls_buffer_init(&(*session)->internals.record_recv_buffer); - - _gnutls_buffer_init(&(*session)->internals.handshake_send_buffer); - _gnutls_buffer_init(&(*session)->internals.handshake_recv_buffer); - - (*session)->key = gnutls_calloc(1, sizeof(struct gnutls_key_st)); - if ((*session)->key == NULL) { - cleanup_session: - gnutls_free(*session); - *session = NULL; - return GNUTLS_E_MEMORY_ERROR; + (*session)->security_parameters.read_bulk_cipher_algorithm = + (*session)->security_parameters.write_bulk_cipher_algorithm = + GNUTLS_CIPHER_NULL; + + (*session)->security_parameters.read_mac_algorithm = + (*session)->security_parameters.write_mac_algorithm = GNUTLS_MAC_NULL; + + (*session)->security_parameters.read_compression_algorithm = + GNUTLS_COMP_NULL; + (*session)->security_parameters.write_compression_algorithm = + GNUTLS_COMP_NULL; + + (*session)->internals.enable_private = 0; + + /* Initialize buffers */ + _gnutls_buffer_init (&(*session)->internals.application_data_buffer); + _gnutls_buffer_init (&(*session)->internals.handshake_data_buffer); + _gnutls_buffer_init (&(*session)->internals.handshake_hash_buffer); + + _gnutls_buffer_init (&(*session)->internals.record_send_buffer); + _gnutls_buffer_init (&(*session)->internals.record_recv_buffer); + + _gnutls_buffer_init (&(*session)->internals.handshake_send_buffer); + _gnutls_buffer_init (&(*session)->internals.handshake_recv_buffer); + + (*session)->key = gnutls_calloc (1, sizeof (struct gnutls_key_st)); + if ((*session)->key == NULL) + { + cleanup_session: + gnutls_free (*session); + *session = NULL; + return GNUTLS_E_MEMORY_ERROR; } - (*session)->internals.expire_time = DEFAULT_EXPIRE_TIME; /* one hour default */ + (*session)->internals.expire_time = DEFAULT_EXPIRE_TIME; /* one hour default */ - gnutls_dh_set_prime_bits((*session), MIN_DH_BITS); + gnutls_dh_set_prime_bits ((*session), MIN_DH_BITS); - gnutls_transport_set_lowat((*session), DEFAULT_LOWAT); /* the default for tcp */ + gnutls_transport_set_lowat ((*session), DEFAULT_LOWAT); /* the default for tcp */ - gnutls_handshake_set_max_packet_length((*session), - MAX_HANDSHAKE_PACKET_SIZE); + gnutls_handshake_set_max_packet_length ((*session), + MAX_HANDSHAKE_PACKET_SIZE); - /* Allocate a minimum size for recv_data - * This is allocated in order to avoid small messages, making - * the receive procedure slow. - */ - (*session)->internals.record_recv_buffer.data = - gnutls_malloc(INITIAL_RECV_BUFFER_SIZE); - if ((*session)->internals.record_recv_buffer.data == NULL) { - gnutls_free((*session)->key); - goto cleanup_session; + /* Allocate a minimum size for recv_data + * This is allocated in order to avoid small messages, making + * the receive procedure slow. + */ + (*session)->internals.record_recv_buffer.data = + gnutls_malloc (INITIAL_RECV_BUFFER_SIZE); + if ((*session)->internals.record_recv_buffer.data == NULL) + { + gnutls_free ((*session)->key); + goto cleanup_session; } - /* set the socket pointers to -1; - */ - (*session)->internals.transport_recv_ptr = - (gnutls_transport_ptr_t) - 1; - (*session)->internals.transport_send_ptr = - (gnutls_transport_ptr_t) - 1; + /* set the socket pointers to -1; + */ + (*session)->internals.transport_recv_ptr = (gnutls_transport_ptr_t) - 1; + (*session)->internals.transport_send_ptr = (gnutls_transport_ptr_t) - 1; - /* set the default maximum record size for TLS - */ - (*session)->security_parameters.max_record_recv_size = - DEFAULT_MAX_RECORD_SIZE; - (*session)->security_parameters.max_record_send_size = - DEFAULT_MAX_RECORD_SIZE; + /* set the default maximum record size for TLS + */ + (*session)->security_parameters.max_record_recv_size = + DEFAULT_MAX_RECORD_SIZE; + (*session)->security_parameters.max_record_send_size = + DEFAULT_MAX_RECORD_SIZE; - /* everything else not initialized here is initialized - * as NULL or 0. This is why calloc is used. - */ + /* everything else not initialized here is initialized + * as NULL or 0. This is why calloc is used. + */ - _gnutls_handshake_internal_state_clear(*session); + _gnutls_handshake_internal_state_clear (*session); - return 0; + return 0; } /* returns RESUME_FALSE or RESUME_TRUE. */ -int _gnutls_session_is_resumable(gnutls_session_t session) +int +_gnutls_session_is_resumable (gnutls_session_t session) { - return session->internals.resumable; + return session->internals.resumable; } @@ -331,241 +340,260 @@ int _gnutls_session_is_resumable(gnutls_session_t session) * if the session was terminated abnormally. * **/ -void gnutls_deinit(gnutls_session_t session) -{ - - if (session == NULL) - return; - - /* remove auth info firstly */ - _gnutls_free_auth_info(session); - - _gnutls_handshake_internal_state_clear(session); - _gnutls_handshake_io_buffer_clear(session); - - _gnutls_free_datum(&session->connection_state.read_mac_secret); - _gnutls_free_datum(&session->connection_state.write_mac_secret); - - _gnutls_buffer_clear(&session->internals.handshake_hash_buffer); - _gnutls_buffer_clear(&session->internals.handshake_data_buffer); - _gnutls_buffer_clear(&session->internals.application_data_buffer); - _gnutls_buffer_clear(&session->internals.record_recv_buffer); - _gnutls_buffer_clear(&session->internals.record_send_buffer); - - gnutls_credentials_clear(session); - _gnutls_selected_certs_deinit(session); - - if (session->connection_state.read_cipher_state != NULL) - _gnutls_cipher_deinit(session->connection_state.read_cipher_state); - if (session->connection_state.write_cipher_state != NULL) - _gnutls_cipher_deinit(session->connection_state. - write_cipher_state); - - if (session->connection_state.read_compression_state != NULL) - _gnutls_comp_deinit(session->connection_state. - read_compression_state, 1); - if (session->connection_state.write_compression_state != NULL) - _gnutls_comp_deinit(session->connection_state. - write_compression_state, 0); - - _gnutls_free_datum(&session->cipher_specs.server_write_mac_secret); - _gnutls_free_datum(&session->cipher_specs.client_write_mac_secret); - _gnutls_free_datum(&session->cipher_specs.server_write_IV); - _gnutls_free_datum(&session->cipher_specs.client_write_IV); - _gnutls_free_datum(&session->cipher_specs.server_write_key); - _gnutls_free_datum(&session->cipher_specs.client_write_key); - - if (session->key != NULL) { - _gnutls_mpi_release(&session->key->KEY); - _gnutls_mpi_release(&session->key->client_Y); - _gnutls_mpi_release(&session->key->client_p); - _gnutls_mpi_release(&session->key->client_g); - - _gnutls_mpi_release(&session->key->u); - _gnutls_mpi_release(&session->key->a); - _gnutls_mpi_release(&session->key->x); - _gnutls_mpi_release(&session->key->A); - _gnutls_mpi_release(&session->key->B); - _gnutls_mpi_release(&session->key->b); - - /* RSA */ - _gnutls_mpi_release(&session->key->rsa[0]); - _gnutls_mpi_release(&session->key->rsa[1]); - - _gnutls_mpi_release(&session->key->dh_secret); - gnutls_free(session->key); - - session->key = NULL; +void +gnutls_deinit (gnutls_session_t session) +{ + + if (session == NULL) + return; + + /* remove auth info firstly */ + _gnutls_free_auth_info (session); + + _gnutls_handshake_internal_state_clear (session); + _gnutls_handshake_io_buffer_clear (session); + + _gnutls_free_datum (&session->connection_state.read_mac_secret); + _gnutls_free_datum (&session->connection_state.write_mac_secret); + + _gnutls_buffer_clear (&session->internals.handshake_hash_buffer); + _gnutls_buffer_clear (&session->internals.handshake_data_buffer); + _gnutls_buffer_clear (&session->internals.application_data_buffer); + _gnutls_buffer_clear (&session->internals.record_recv_buffer); + _gnutls_buffer_clear (&session->internals.record_send_buffer); + + gnutls_credentials_clear (session); + _gnutls_selected_certs_deinit (session); + + if (session->connection_state.read_cipher_state != NULL) + _gnutls_cipher_deinit (session->connection_state.read_cipher_state); + if (session->connection_state.write_cipher_state != NULL) + _gnutls_cipher_deinit (session->connection_state.write_cipher_state); + + if (session->connection_state.read_compression_state != NULL) + _gnutls_comp_deinit (session->connection_state.read_compression_state, 1); + if (session->connection_state.write_compression_state != NULL) + _gnutls_comp_deinit (session->connection_state. + write_compression_state, 0); + + _gnutls_free_datum (&session->cipher_specs.server_write_mac_secret); + _gnutls_free_datum (&session->cipher_specs.client_write_mac_secret); + _gnutls_free_datum (&session->cipher_specs.server_write_IV); + _gnutls_free_datum (&session->cipher_specs.client_write_IV); + _gnutls_free_datum (&session->cipher_specs.server_write_key); + _gnutls_free_datum (&session->cipher_specs.client_write_key); + + if (session->key != NULL) + { + _gnutls_mpi_release (&session->key->KEY); + _gnutls_mpi_release (&session->key->client_Y); + _gnutls_mpi_release (&session->key->client_p); + _gnutls_mpi_release (&session->key->client_g); + + _gnutls_mpi_release (&session->key->u); + _gnutls_mpi_release (&session->key->a); + _gnutls_mpi_release (&session->key->x); + _gnutls_mpi_release (&session->key->A); + _gnutls_mpi_release (&session->key->B); + _gnutls_mpi_release (&session->key->b); + + /* RSA */ + _gnutls_mpi_release (&session->key->rsa[0]); + _gnutls_mpi_release (&session->key->rsa[1]); + + _gnutls_mpi_release (&session->key->dh_secret); + gnutls_free (session->key); + + session->key = NULL; } - gnutls_free(session->internals.srp_username); + gnutls_free (session->internals.srp_username); - if (session->internals.srp_password) { - memset(session->internals.srp_password, 0, - strlen(session->internals.srp_password)); - gnutls_free(session->internals.srp_password); + if (session->internals.srp_password) + { + memset (session->internals.srp_password, 0, + strlen (session->internals.srp_password)); + gnutls_free (session->internals.srp_password); } - memset(session, 0, sizeof(struct gnutls_session_int)); - gnutls_free(session); + memset (session, 0, sizeof (struct gnutls_session_int)); + gnutls_free (session); } /* Returns the minimum prime bits that are acceptable. */ -int _gnutls_dh_get_allowed_prime_bits(gnutls_session_t session) +int +_gnutls_dh_get_allowed_prime_bits (gnutls_session_t session) { - return session->internals.dh_prime_bits; + return session->internals.dh_prime_bits; } -int _gnutls_dh_set_peer_public(gnutls_session_t session, mpi_t public) +int +_gnutls_dh_set_peer_public (gnutls_session_t session, mpi_t public) { - dh_info_st *dh; - int ret; + dh_info_st *dh; + int ret; - switch (gnutls_auth_get_type(session)) { - case GNUTLS_CRD_ANON:{ - anon_server_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + switch (gnutls_auth_get_type (session)) + { + case GNUTLS_CRD_ANON: + { + anon_server_auth_info_t info; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - dh = &info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE:{ - cert_auth_info_t info; + dh = &info->dh; + break; + } + case GNUTLS_CRD_CERTIFICATE: + { + cert_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - dh = &info->dh; - break; - } + dh = &info->dh; + break; + } default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - ret = _gnutls_mpi_dprint_lz(&dh->public_key, public); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_mpi_dprint_lz (&dh->public_key, public); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; -} - -int _gnutls_dh_set_secret_bits(gnutls_session_t session, uint bits) -{ - switch (gnutls_auth_get_type(session)) { - case GNUTLS_CRD_ANON:{ - anon_server_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - info->dh.secret_bits = bits; - break; - } - case GNUTLS_CRD_CERTIFICATE:{ - cert_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - info->dh.secret_bits = bits; - break; + return 0; +} + +int +_gnutls_dh_set_secret_bits (gnutls_session_t session, uint bits) +{ + switch (gnutls_auth_get_type (session)) + { + case GNUTLS_CRD_ANON: + { + anon_server_auth_info_t info; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + info->dh.secret_bits = bits; + break; + } + case GNUTLS_CRD_CERTIFICATE: + { + cert_auth_info_t info; + + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + info->dh.secret_bits = bits; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; + } } - return 0; + return 0; } /* This function will set in the auth info structure the * RSA exponent and the modulus. */ -int _gnutls_rsa_export_set_pubkey(gnutls_session_t session, - mpi_t exponent, - mpi_t modulus) -{ - cert_auth_info_t info; - int ret; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - ret = _gnutls_mpi_dprint_lz(&info->rsa_export.modulus, modulus); - if (ret < 0) { - gnutls_assert(); - return ret; +int +_gnutls_rsa_export_set_pubkey (gnutls_session_t session, + mpi_t exponent, mpi_t modulus) +{ + cert_auth_info_t info; + int ret; + + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + ret = _gnutls_mpi_dprint_lz (&info->rsa_export.modulus, modulus); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = _gnutls_mpi_dprint_lz(&info->rsa_export.exponent, exponent); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(&info->rsa_export.modulus); - return ret; + ret = _gnutls_mpi_dprint_lz (&info->rsa_export.exponent, exponent); + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (&info->rsa_export.modulus); + return ret; } - return 0; + return 0; } /* Sets the prime and the generator in the auth info structure. */ -int _gnutls_dh_set_group(gnutls_session_t session, mpi_t gen, mpi_t prime) -{ - dh_info_st *dh; - int ret; - - switch (gnutls_auth_get_type(session)) { - case GNUTLS_CRD_ANON:{ - anon_server_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - dh = &info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE:{ - cert_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - dh = &info->dh; - break; - } +int +_gnutls_dh_set_group (gnutls_session_t session, mpi_t gen, mpi_t prime) +{ + dh_info_st *dh; + int ret; + + switch (gnutls_auth_get_type (session)) + { + case GNUTLS_CRD_ANON: + { + anon_server_auth_info_t info; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + dh = &info->dh; + break; + } + case GNUTLS_CRD_CERTIFICATE: + { + cert_auth_info_t info; + + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + dh = &info->dh; + break; + } default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* prime - */ - ret = _gnutls_mpi_dprint_lz(&dh->prime, prime); - if (ret < 0) { - gnutls_assert(); - return ret; + /* prime + */ + ret = _gnutls_mpi_dprint_lz (&dh->prime, prime); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* generator - */ - ret = _gnutls_mpi_dprint_lz(&dh->generator, gen); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(&dh->prime); - return ret; + /* generator + */ + ret = _gnutls_mpi_dprint_lz (&dh->generator, gen); + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (&dh->prime); + return ret; } - return 0; + return 0; } /** @@ -579,10 +607,11 @@ int _gnutls_dh_set_group(gnutls_session_t session, mpi_t gen, mpi_t prime) * server can obtain the client's key. * **/ -void gnutls_openpgp_send_key(gnutls_session_t session, - gnutls_openpgp_key_status_t status) +void +gnutls_openpgp_send_key (gnutls_session_t session, + gnutls_openpgp_key_status_t status) { - session->internals.pgp_fingerprint = status; + session->internals.pgp_fingerprint = status; } /** @@ -599,15 +628,17 @@ void gnutls_openpgp_send_key(gnutls_session_t session, * certificate with X.509 certificates. * **/ -void gnutls_certificate_send_x509_rdn_sequence(gnutls_session_t session, - int status) +void +gnutls_certificate_send_x509_rdn_sequence (gnutls_session_t session, + int status) { - session->internals.ignore_rdn_sequence = status; + session->internals.ignore_rdn_sequence = status; } -int _gnutls_openpgp_send_fingerprint(gnutls_session_t session) +int +_gnutls_openpgp_send_fingerprint (gnutls_session_t session) { - return session->internals.pgp_fingerprint; + return session->internals.pgp_fingerprint; } /*- @@ -621,12 +652,12 @@ int _gnutls_openpgp_send_fingerprint(gnutls_session_t session) * that know TLS internals and want to debug other implementations. * -*/ -void _gnutls_record_set_default_version(gnutls_session_t session, - unsigned char major, - unsigned char minor) +void +_gnutls_record_set_default_version (gnutls_session_t session, + unsigned char major, unsigned char minor) { - session->internals.default_record_version[0] = major; - session->internals.default_record_version[1] = minor; + session->internals.default_record_version[0] = major; + session->internals.default_record_version[1] = minor; } /** @@ -647,30 +678,30 @@ void _gnutls_record_set_default_version(gnutls_session_t session, * servers and clients may cause interoperability problems. * **/ -void gnutls_handshake_set_private_extensions(gnutls_session_t session, - int allow) +void +gnutls_handshake_set_private_extensions (gnutls_session_t session, int allow) { - session->internals.enable_private = allow; + session->internals.enable_private = allow; } -inline - static int _gnutls_cal_PRF_A(gnutls_mac_algorithm_t algorithm, - const void *secret, int secret_size, - const void *seed, int seed_size, - void *result) +inline static int +_gnutls_cal_PRF_A (gnutls_mac_algorithm_t algorithm, + const void *secret, int secret_size, + const void *seed, int seed_size, void *result) { - mac_hd_t td1; + mac_hd_t td1; - td1 = _gnutls_hmac_init(algorithm, secret, secret_size); - if (td1 == GNUTLS_MAC_FAILED) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + td1 = _gnutls_hmac_init (algorithm, secret, secret_size); + if (td1 == GNUTLS_MAC_FAILED) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - _gnutls_hmac(td1, seed, seed_size); - _gnutls_hmac_deinit(td1, result); + _gnutls_hmac (td1, seed, seed_size); + _gnutls_hmac_deinit (td1, result); - return 0; + return 0; } #define MAX_SEED_SIZE 200 @@ -678,80 +709,92 @@ inline /* Produces "total_bytes" bytes using the hash algorithm specified. * (used in the PRF function) */ -static int _gnutls_P_hash(gnutls_mac_algorithm_t algorithm, - const opaque * secret, int secret_size, - const opaque * seed, int seed_size, - int total_bytes, opaque * ret) -{ - - mac_hd_t td2; - int i, times, how, blocksize, A_size; - opaque final[20], Atmp[MAX_SEED_SIZE]; - int output_bytes, result; - - if (seed_size > MAX_SEED_SIZE || total_bytes <= 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; +static int +_gnutls_P_hash (gnutls_mac_algorithm_t algorithm, + const opaque * secret, int secret_size, + const opaque * seed, int seed_size, + int total_bytes, opaque * ret) +{ + + mac_hd_t td2; + int i, times, how, blocksize, A_size; + opaque final[20], Atmp[MAX_SEED_SIZE]; + int output_bytes, result; + + if (seed_size > MAX_SEED_SIZE || total_bytes <= 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - blocksize = _gnutls_hmac_get_algo_len(algorithm); + blocksize = _gnutls_hmac_get_algo_len (algorithm); - output_bytes = 0; - do { - output_bytes += blocksize; - } while (output_bytes < total_bytes); + output_bytes = 0; + do + { + output_bytes += blocksize; + } + while (output_bytes < total_bytes); - /* calculate A(0) */ + /* calculate A(0) */ - memcpy(Atmp, seed, seed_size); - A_size = seed_size; + memcpy (Atmp, seed, seed_size); + A_size = seed_size; - times = output_bytes / blocksize; + times = output_bytes / blocksize; - for (i = 0; i < times; i++) { - td2 = _gnutls_hmac_init(algorithm, secret, secret_size); - if (td2 == GNUTLS_MAC_FAILED) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + for (i = 0; i < times; i++) + { + td2 = _gnutls_hmac_init (algorithm, secret, secret_size); + if (td2 == GNUTLS_MAC_FAILED) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* here we calculate A(i+1) */ - if ((result = - _gnutls_cal_PRF_A(algorithm, secret, secret_size, Atmp, - A_size, Atmp)) < 0) { - gnutls_assert(); - _gnutls_hmac_deinit(td2, final); - return result; + /* here we calculate A(i+1) */ + if ((result = + _gnutls_cal_PRF_A (algorithm, secret, secret_size, Atmp, + A_size, Atmp)) < 0) + { + gnutls_assert (); + _gnutls_hmac_deinit (td2, final); + return result; } - A_size = blocksize; + A_size = blocksize; - _gnutls_hmac(td2, Atmp, A_size); - _gnutls_hmac(td2, seed, seed_size); - _gnutls_hmac_deinit(td2, final); + _gnutls_hmac (td2, Atmp, A_size); + _gnutls_hmac (td2, seed, seed_size); + _gnutls_hmac_deinit (td2, final); - if ((1 + i) * blocksize < total_bytes) { - how = blocksize; - } else { - how = total_bytes - (i) * blocksize; + if ((1 + i) * blocksize < total_bytes) + { + how = blocksize; + } + else + { + how = total_bytes - (i) * blocksize; } - if (how > 0) { - memcpy(&ret[i * blocksize], final, how); + if (how > 0) + { + memcpy (&ret[i * blocksize], final, how); } } - return 0; + return 0; } /* Xor's two buffers and puts the output in the first one. */ -inline static -void _gnutls_xor(opaque * o1, opaque * o2, int length) +inline static void +_gnutls_xor (opaque * o1, opaque * o2, int length) { - int i; - for (i = 0; i < length; i++) { - o1[i] ^= o2[i]; + int i; + for (i = 0; i < length; i++) + { + o1[i] ^= o2[i]; } } @@ -763,61 +806,67 @@ void _gnutls_xor(opaque * o1, opaque * o2, int length) * needed by the TLS specification. ret must have a least total_bytes * available. */ -int _gnutls_PRF(const opaque * secret, int secret_size, const char *label, - int label_size, opaque * seed, int seed_size, - int total_bytes, void *ret) -{ - int l_s, s_seed_size; - const opaque *s1, *s2; - opaque s_seed[MAX_SEED_SIZE]; - opaque o1[MAX_PRF_BYTES], o2[MAX_PRF_BYTES]; - int result; - - if (total_bytes > MAX_PRF_BYTES) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; +int +_gnutls_PRF (const opaque * secret, int secret_size, const char *label, + int label_size, opaque * seed, int seed_size, + int total_bytes, void *ret) +{ + int l_s, s_seed_size; + const opaque *s1, *s2; + opaque s_seed[MAX_SEED_SIZE]; + opaque o1[MAX_PRF_BYTES], o2[MAX_PRF_BYTES]; + int result; + + if (total_bytes > MAX_PRF_BYTES) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* label+seed = s_seed */ - s_seed_size = seed_size + label_size; + /* label+seed = s_seed */ + s_seed_size = seed_size + label_size; - if (s_seed_size > MAX_SEED_SIZE) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (s_seed_size > MAX_SEED_SIZE) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - memcpy(s_seed, label, label_size); - memcpy(&s_seed[label_size], seed, seed_size); + memcpy (s_seed, label, label_size); + memcpy (&s_seed[label_size], seed, seed_size); - l_s = secret_size / 2; + l_s = secret_size / 2; - s1 = &secret[0]; - s2 = &secret[l_s]; + s1 = &secret[0]; + s2 = &secret[l_s]; - if (secret_size % 2 != 0) { - l_s++; + if (secret_size % 2 != 0) + { + l_s++; } - result = - _gnutls_P_hash(GNUTLS_MAC_MD5, s1, l_s, s_seed, s_seed_size, - total_bytes, o1); - if (result < 0) { - gnutls_assert(); - return result; + result = + _gnutls_P_hash (GNUTLS_MAC_MD5, s1, l_s, s_seed, s_seed_size, + total_bytes, o1); + if (result < 0) + { + gnutls_assert (); + return result; } - result = - _gnutls_P_hash(GNUTLS_MAC_SHA1, s2, l_s, s_seed, s_seed_size, - total_bytes, o2); - if (result < 0) { - gnutls_assert(); - return result; + result = + _gnutls_P_hash (GNUTLS_MAC_SHA1, s2, l_s, s_seed, s_seed_size, + total_bytes, o2); + if (result < 0) + { + gnutls_assert (); + return result; } - _gnutls_xor(o1, o2, total_bytes); + _gnutls_xor (o1, o2, total_bytes); - memcpy(ret, o1, total_bytes); + memcpy (ret, o1, total_bytes); - return 0; /* ok */ + return 0; /* ok */ } @@ -829,23 +878,27 @@ int _gnutls_PRF(const opaque * secret, int secret_size, const char *label, * or a zero if this is a new session. * **/ -int gnutls_session_is_resumed(gnutls_session_t session) -{ - if (session->security_parameters.entity == GNUTLS_CLIENT) { - if (session->security_parameters.session_id_size > 0 && - session->security_parameters.session_id_size == - session->internals.resumed_security_parameters.session_id_size - && memcmp(session->security_parameters.session_id, - session->internals.resumed_security_parameters. - session_id, - session->security_parameters.session_id_size) == 0) - return 1; - } else { - if (session->internals.resumed == RESUME_TRUE) - return 1; +int +gnutls_session_is_resumed (gnutls_session_t session) +{ + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + if (session->security_parameters.session_id_size > 0 && + session->security_parameters.session_id_size == + session->internals.resumed_security_parameters.session_id_size + && memcmp (session->security_parameters.session_id, + session->internals.resumed_security_parameters. + session_id, + session->security_parameters.session_id_size) == 0) + return 1; + } + else + { + if (session->internals.resumed == RESUME_TRUE) + return 1; } - return 0; + return 0; } /*- @@ -855,18 +908,19 @@ int gnutls_session_is_resumed(gnutls_session_t session) * This function will return non zero if this session is of export grade. * -*/ -int _gnutls_session_is_export(gnutls_session_t session) +int +_gnutls_session_is_export (gnutls_session_t session) { - gnutls_cipher_algorithm_t cipher; + gnutls_cipher_algorithm_t cipher; - cipher = - _gnutls_cipher_suite_get_cipher_algo(&session->security_parameters. - current_cipher_suite); + cipher = + _gnutls_cipher_suite_get_cipher_algo (&session->security_parameters. + current_cipher_suite); - if (_gnutls_cipher_get_export_flag(cipher) != 0) - return 1; + if (_gnutls_cipher_get_export_flag (cipher) != 0) + return 1; - return 0; + return 0; } /** @@ -877,9 +931,10 @@ int _gnutls_session_is_export(gnutls_session_t session) * This is the pointer set with gnutls_session_set_ptr(). * **/ -void *gnutls_session_get_ptr(gnutls_session_t session) +void * +gnutls_session_get_ptr (gnutls_session_t session) { - return session->internals.user_ptr; + return session->internals.user_ptr; } /** @@ -892,9 +947,10 @@ void *gnutls_session_get_ptr(gnutls_session_t session) * gnutls_session_get_ptr(). * **/ -void gnutls_session_set_ptr(gnutls_session_t session, void *ptr) +void +gnutls_session_set_ptr (gnutls_session_t session, void *ptr) { - session->internals.user_ptr = ptr; + session->internals.user_ptr = ptr; } @@ -913,9 +969,10 @@ void gnutls_session_set_ptr(gnutls_session_t session, void *ptr) * write data. * **/ -int gnutls_record_get_direction(gnutls_session_t session) +int +gnutls_record_get_direction (gnutls_session_t session) { - return session->internals.direction; + return session->internals.direction; } /*- @@ -929,9 +986,10 @@ int gnutls_record_get_direction(gnutls_session_t session) * test server's capabilities. * -*/ -void _gnutls_rsa_pms_set_version(gnutls_session_t session, - unsigned char major, unsigned char minor) +void +_gnutls_rsa_pms_set_version (gnutls_session_t session, + unsigned char major, unsigned char minor) { - session->internals.rsa_pms_version[0] = major; - session->internals.rsa_pms_version[1] = minor; + session->internals.rsa_pms_version[0] = major; + session->internals.rsa_pms_version[1] = minor; } diff --git a/lib/gnutls_state.h b/lib/gnutls_state.h index 5a3f5d717b..633fccfc84 100644 --- a/lib/gnutls_state.h +++ b/lib/gnutls_state.h @@ -27,11 +27,11 @@ #include <gnutls_int.h> -void _gnutls_session_cert_type_set(gnutls_session_t session, - gnutls_certificate_type_t); -gnutls_kx_algorithm_t gnutls_kx_get(gnutls_session_t session); -gnutls_cipher_algorithm_t gnutls_cipher_get(gnutls_session_t session); -gnutls_certificate_type_t gnutls_certificate_type_get(gnutls_session_t); +void _gnutls_session_cert_type_set (gnutls_session_t session, + gnutls_certificate_type_t); +gnutls_kx_algorithm_t gnutls_kx_get (gnutls_session_t session); +gnutls_cipher_algorithm_t gnutls_cipher_get (gnutls_session_t session); +gnutls_certificate_type_t gnutls_certificate_type_get (gnutls_session_t); #include <gnutls_auth_int.h> @@ -42,28 +42,27 @@ gnutls_certificate_type_t gnutls_certificate_type_get(gnutls_session_t); #endif -int _gnutls_session_cert_type_supported(gnutls_session_t, - gnutls_certificate_type_t); +int _gnutls_session_cert_type_supported (gnutls_session_t, + gnutls_certificate_type_t); -int _gnutls_dh_set_secret_bits(gnutls_session_t session, uint bits); +int _gnutls_dh_set_secret_bits (gnutls_session_t session, uint bits); -int _gnutls_dh_set_peer_public(gnutls_session_t session, mpi_t public); -int _gnutls_dh_set_group(gnutls_session_t session, mpi_t gen, mpi_t prime); +int _gnutls_dh_set_peer_public (gnutls_session_t session, mpi_t public); +int _gnutls_dh_set_group (gnutls_session_t session, mpi_t gen, mpi_t prime); -int _gnutls_dh_get_allowed_prime_bits(gnutls_session_t session); -void _gnutls_handshake_internal_state_clear(gnutls_session_t); +int _gnutls_dh_get_allowed_prime_bits (gnutls_session_t session); +void _gnutls_handshake_internal_state_clear (gnutls_session_t); -int _gnutls_rsa_export_set_pubkey(gnutls_session_t session, - mpi_t exponent, - mpi_t modulus); +int _gnutls_rsa_export_set_pubkey (gnutls_session_t session, + mpi_t exponent, mpi_t modulus); -int _gnutls_session_is_resumable(gnutls_session_t session); -int _gnutls_session_is_export(gnutls_session_t session); +int _gnutls_session_is_resumable (gnutls_session_t session); +int _gnutls_session_is_export (gnutls_session_t session); -int _gnutls_openpgp_send_fingerprint(gnutls_session_t session); +int _gnutls_openpgp_send_fingerprint (gnutls_session_t session); -int _gnutls_PRF(const opaque * secret, int secret_size, const char *label, - int label_size, opaque * seed, int seed_size, - int total_bytes, void *ret); +int _gnutls_PRF (const opaque * secret, int secret_size, const char *label, + int label_size, opaque * seed, int seed_size, + int total_bytes, void *ret); #define DEFAULT_CERT_TYPE GNUTLS_CRT_X509 diff --git a/lib/gnutls_str.c b/lib/gnutls_str.c index 8edd498c25..cbda764af2 100644 --- a/lib/gnutls_str.c +++ b/lib/gnutls_str.c @@ -33,165 +33,197 @@ * * They should be used only with null terminated strings. */ -void _gnutls_str_cat(char *dest, size_t dest_tot_size, const char *src) +void +_gnutls_str_cat (char *dest, size_t dest_tot_size, const char *src) { - size_t str_size = strlen(src); - size_t dest_size = strlen(dest); - - if (dest_tot_size - dest_size > str_size) { - strcat(dest, src); - } else { - if (dest_tot_size - dest_size > 0) { - strncat(dest, src, (dest_tot_size - dest_size) - 1); - dest[dest_tot_size - 1] = 0; + size_t str_size = strlen (src); + size_t dest_size = strlen (dest); + + if (dest_tot_size - dest_size > str_size) + { + strcat (dest, src); + } + else + { + if (dest_tot_size - dest_size > 0) + { + strncat (dest, src, (dest_tot_size - dest_size) - 1); + dest[dest_tot_size - 1] = 0; } } } -void _gnutls_str_cpy(char *dest, size_t dest_tot_size, const char *src) +void +_gnutls_str_cpy (char *dest, size_t dest_tot_size, const char *src) { - size_t str_size = strlen(src); - - if (dest_tot_size > str_size) { - strcpy(dest, src); - } else { - if (dest_tot_size > 0) { - strncpy(dest, src, (dest_tot_size) - 1); - dest[dest_tot_size - 1] = 0; + size_t str_size = strlen (src); + + if (dest_tot_size > str_size) + { + strcpy (dest, src); + } + else + { + if (dest_tot_size > 0) + { + strncpy (dest, src, (dest_tot_size) - 1); + dest[dest_tot_size - 1] = 0; } } } -void _gnutls_mem_cpy(char *dest, size_t dest_tot_size, const char *src, - size_t src_size) +void +_gnutls_mem_cpy (char *dest, size_t dest_tot_size, const char *src, + size_t src_size) { - if (dest_tot_size >= src_size) { - memcpy(dest, src, src_size); - } else { - if (dest_tot_size > 0) { - memcpy(dest, src, dest_tot_size); + if (dest_tot_size >= src_size) + { + memcpy (dest, src, src_size); + } + else + { + if (dest_tot_size > 0) + { + memcpy (dest, src, dest_tot_size); } } } -void _gnutls_string_init(gnutls_string * str, - gnutls_alloc_function alloc_func, - gnutls_realloc_function realloc_func, - gnutls_free_function free_func) +void +_gnutls_string_init (gnutls_string * str, + gnutls_alloc_function alloc_func, + gnutls_realloc_function realloc_func, + gnutls_free_function free_func) { - str->data = NULL; - str->max_length = 0; - str->length = 0; + str->data = NULL; + str->max_length = 0; + str->length = 0; - str->alloc_func = alloc_func; - str->free_func = free_func; - str->realloc_func = realloc_func; + str->alloc_func = alloc_func; + str->free_func = free_func; + str->realloc_func = realloc_func; } -void _gnutls_string_clear(gnutls_string * str) +void +_gnutls_string_clear (gnutls_string * str) { - if (str == NULL || str->data == NULL) - return; - str->free_func(str->data); + if (str == NULL || str->data == NULL) + return; + str->free_func (str->data); - str->data = NULL; - str->max_length = 0; - str->length = 0; + str->data = NULL; + str->max_length = 0; + str->length = 0; } /* This one does not copy the string. */ -gnutls_datum_t _gnutls_string2datum(gnutls_string * str) +gnutls_datum_t +_gnutls_string2datum (gnutls_string * str) { - gnutls_datum_t ret; + gnutls_datum_t ret; - ret.data = str->data; - ret.size = str->length; + ret.data = str->data; + ret.size = str->length; - return ret; + return ret; } #define MIN_CHUNK 256 -int _gnutls_string_copy_str(gnutls_string * dest, const char *src) +int +_gnutls_string_copy_str (gnutls_string * dest, const char *src) { - size_t src_len = strlen(src); - - if (dest->max_length >= src_len) { - memcpy(dest->data, src, src_len); - dest->length = src_len; - - return src_len; - } else { - dest->data = - dest->realloc_func(dest->data, MAX(src_len, MIN_CHUNK)); - if (dest->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + size_t src_len = strlen (src); + + if (dest->max_length >= src_len) + { + memcpy (dest->data, src, src_len); + dest->length = src_len; + + return src_len; + } + else + { + dest->data = dest->realloc_func (dest->data, MAX (src_len, MIN_CHUNK)); + if (dest->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - dest->max_length = MAX(MIN_CHUNK, src_len); + dest->max_length = MAX (MIN_CHUNK, src_len); - memcpy(dest->data, src, src_len); - dest->length = src_len; + memcpy (dest->data, src, src_len); + dest->length = src_len; - return src_len; + return src_len; } } -int _gnutls_string_append_str(gnutls_string * dest, const char *src) +int +_gnutls_string_append_str (gnutls_string * dest, const char *src) { - size_t src_len = strlen(src); - size_t tot_len = src_len + dest->length; - - if (dest->max_length >= tot_len) { - memcpy(&dest->data[dest->length], src, src_len); - dest->length = tot_len; - - return tot_len; - } else { - size_t new_len = - MAX(src_len, MIN_CHUNK) + MAX(dest->max_length, MIN_CHUNK); - - dest->data = dest->realloc_func(dest->data, new_len); - if (dest->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + size_t src_len = strlen (src); + size_t tot_len = src_len + dest->length; + + if (dest->max_length >= tot_len) + { + memcpy (&dest->data[dest->length], src, src_len); + dest->length = tot_len; + + return tot_len; + } + else + { + size_t new_len = + MAX (src_len, MIN_CHUNK) + MAX (dest->max_length, MIN_CHUNK); + + dest->data = dest->realloc_func (dest->data, new_len); + if (dest->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - dest->max_length = new_len; + dest->max_length = new_len; - memcpy(&dest->data[dest->length], src, src_len); - dest->length = tot_len; + memcpy (&dest->data[dest->length], src, src_len); + dest->length = tot_len; - return tot_len; + return tot_len; } } -int _gnutls_string_append_data(gnutls_string * dest, const void *data, - size_t data_size) +int +_gnutls_string_append_data (gnutls_string * dest, const void *data, + size_t data_size) { - size_t tot_len = data_size + dest->length; - - if (dest->max_length >= tot_len) { - memcpy(&dest->data[dest->length], data, data_size); - dest->length = tot_len; + size_t tot_len = data_size + dest->length; - return tot_len; - } else { - size_t new_len = - MAX(data_size, MIN_CHUNK) + MAX(dest->max_length, MIN_CHUNK); + if (dest->max_length >= tot_len) + { + memcpy (&dest->data[dest->length], data, data_size); + dest->length = tot_len; - dest->data = dest->realloc_func(dest->data, new_len); - if (dest->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + return tot_len; + } + else + { + size_t new_len = + MAX (data_size, MIN_CHUNK) + MAX (dest->max_length, MIN_CHUNK); + + dest->data = dest->realloc_func (dest->data, new_len); + if (dest->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - dest->max_length = new_len; + dest->max_length = new_len; - memcpy(&dest->data[dest->length], data, data_size); - dest->length = tot_len; + memcpy (&dest->data[dest->length], data, data_size); + dest->length = tot_len; - return tot_len; + return tot_len; } } @@ -200,50 +232,56 @@ int _gnutls_string_append_data(gnutls_string * dest, const void *data, * If the buffer does not have enough space to hold the string, a * truncated hex string is returned (always null terminated). */ -char *_gnutls_bin2hex(const void *_old, size_t oldlen, - char *buffer, size_t buffer_size) +char * +_gnutls_bin2hex (const void *_old, size_t oldlen, + char *buffer, size_t buffer_size) { - unsigned int i, j; - const opaque *old = _old; + unsigned int i, j; + const opaque *old = _old; - for (i = j = 0; i < oldlen && j + 2 < buffer_size; j += 2) { - sprintf(&buffer[j], "%.2x", old[i]); - i++; + for (i = j = 0; i < oldlen && j + 2 < buffer_size; j += 2) + { + sprintf (&buffer[j], "%.2x", old[i]); + i++; } - buffer[j] = '\0'; + buffer[j] = '\0'; - return buffer; + return buffer; } /* just a hex2bin function. */ -int _gnutls_hex2bin(const opaque* hex_data, int hex_size, opaque * bin_data, - size_t * bin_size) +int +_gnutls_hex2bin (const opaque * hex_data, int hex_size, opaque * bin_data, + size_t * bin_size) { -int i, j; -opaque hex2_data[3]; -unsigned long val; - - /* FIXME: we don't handle whitespace. - */ - hex_size /= 2; - - if (*bin_size < (size_t)hex_size) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } + int i, j; + opaque hex2_data[3]; + unsigned long val; + + /* FIXME: we don't handle whitespace. + */ + hex_size /= 2; + + if (*bin_size < (size_t) hex_size) + { + gnutls_assert (); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - for (i=j=0; j < hex_size;i+=2,j++) { + for (i = j = 0; j < hex_size; i += 2, j++) + { hex2_data[0] = hex_data[i]; - hex2_data[1] = hex_data[i+1]; + hex2_data[1] = hex_data[i + 1]; hex2_data[2] = 0; - val = strtoul( (char*)hex2_data, NULL, 16); - if (val == ULONG_MAX) { - gnutls_assert(); - return GNUTLS_E_SRP_PWD_PARSING_ERROR; - } + val = strtoul ((char *) hex2_data, NULL, 16); + if (val == ULONG_MAX) + { + gnutls_assert (); + return GNUTLS_E_SRP_PWD_PARSING_ERROR; + } bin_data[j] = val; - } + } - return 0; + return 0; } diff --git a/lib/gnutls_str.h b/lib/gnutls_str.h index 951a878bff..3acf071a29 100644 --- a/lib/gnutls_str.h +++ b/lib/gnutls_str.h @@ -27,37 +27,38 @@ #include <gnutls_int.h> -void _gnutls_str_cpy(char *dest, size_t dest_tot_size, const char *src); -void _gnutls_mem_cpy(char *dest, size_t dest_tot_size, const char *src, - size_t src_size); -void _gnutls_str_cat(char *dest, size_t dest_tot_size, const char *src); - -typedef struct { - opaque *data; - size_t max_length; - size_t length; - gnutls_realloc_function realloc_func; - gnutls_alloc_function alloc_func; - gnutls_free_function free_func; +void _gnutls_str_cpy (char *dest, size_t dest_tot_size, const char *src); +void _gnutls_mem_cpy (char *dest, size_t dest_tot_size, const char *src, + size_t src_size); +void _gnutls_str_cat (char *dest, size_t dest_tot_size, const char *src); + +typedef struct +{ + opaque *data; + size_t max_length; + size_t length; + gnutls_realloc_function realloc_func; + gnutls_alloc_function alloc_func; + gnutls_free_function free_func; } gnutls_string; -void _gnutls_string_init(gnutls_string *, gnutls_alloc_function, - gnutls_realloc_function, gnutls_free_function); -void _gnutls_string_clear(gnutls_string *); +void _gnutls_string_init (gnutls_string *, gnutls_alloc_function, + gnutls_realloc_function, gnutls_free_function); +void _gnutls_string_clear (gnutls_string *); /* Beware, do not clear the string, after calling this * function */ -gnutls_datum_t _gnutls_string2datum(gnutls_string * str); +gnutls_datum_t _gnutls_string2datum (gnutls_string * str); -int _gnutls_string_copy_str(gnutls_string * dest, const char *src); -int _gnutls_string_append_str(gnutls_string *, const char *str); -int _gnutls_string_append_data(gnutls_string *, const void *data, - size_t data_size); +int _gnutls_string_copy_str (gnutls_string * dest, const char *src); +int _gnutls_string_append_str (gnutls_string *, const char *str); +int _gnutls_string_append_data (gnutls_string *, const void *data, + size_t data_size); -char *_gnutls_bin2hex(const void *old, size_t oldlen, char *buffer, - size_t buffer_size); -int _gnutls_hex2bin(const opaque* hex_data, int hex_size, opaque * bin_data, - size_t * bin_size); +char *_gnutls_bin2hex (const void *old, size_t oldlen, char *buffer, + size_t buffer_size); +int _gnutls_hex2bin (const opaque * hex_data, int hex_size, opaque * bin_data, + size_t * bin_size); #endif diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index 2e0a038c70..ec2a007dfd 100644 --- a/lib/gnutls_ui.c +++ b/lib/gnutls_ui.c @@ -53,9 +53,10 @@ * handshake. * **/ -void gnutls_dh_set_prime_bits(gnutls_session_t session, unsigned int bits) +void +gnutls_dh_set_prime_bits (gnutls_session_t session, unsigned int bits) { - session->internals.dh_prime_bits = bits; + session->internals.dh_prime_bits = bits; } @@ -73,48 +74,50 @@ void gnutls_dh_set_prime_bits(gnutls_session_t session, unsigned int bits) * Returns a negative value in case of an error. * **/ -int gnutls_dh_get_group(gnutls_session_t session, - gnutls_datum_t * raw_gen, - gnutls_datum_t * raw_prime) +int +gnutls_dh_get_group (gnutls_session_t session, + gnutls_datum_t * raw_gen, gnutls_datum_t * raw_prime) { - dh_info_st *dh; - int ret; - anon_server_auth_info_t anon_info; - cert_auth_info_t cert_info; + dh_info_st *dh; + int ret; + anon_server_auth_info_t anon_info; + cert_auth_info_t cert_info; - switch (gnutls_auth_get_type(session)) { + switch (gnutls_auth_get_type (session)) + { case GNUTLS_CRD_ANON: - anon_info = _gnutls_get_auth_info(session); - if (anon_info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &anon_info->dh; - break; + anon_info = _gnutls_get_auth_info (session); + if (anon_info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &anon_info->dh; + break; case GNUTLS_CRD_CERTIFICATE: - cert_info = _gnutls_get_auth_info(session); - if (cert_info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &cert_info->dh; - break; + cert_info = _gnutls_get_auth_info (session); + if (cert_info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &cert_info->dh; + break; default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = _gnutls_set_datum(raw_prime, dh->prime.data, dh->prime.size); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_set_datum (raw_prime, dh->prime.data, dh->prime.size); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = - _gnutls_set_datum(raw_gen, dh->generator.data, dh->generator.size); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(raw_prime); - return ret; + ret = _gnutls_set_datum (raw_gen, dh->generator.data, dh->generator.size); + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (raw_prime); + return ret; } - return 0; + return 0; } /** @@ -129,36 +132,39 @@ int gnutls_dh_get_group(gnutls_session_t session, * Returns a negative value in case of an error. * **/ -int gnutls_dh_get_pubkey(gnutls_session_t session, - gnutls_datum_t * raw_key) +int +gnutls_dh_get_pubkey (gnutls_session_t session, gnutls_datum_t * raw_key) { - dh_info_st *dh; - anon_server_auth_info_t anon_info; - cert_auth_info_t cert_info; - - switch (gnutls_auth_get_type(session)) { - case GNUTLS_CRD_ANON:{ - anon_info = _gnutls_get_auth_info(session); - if (anon_info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &anon_info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE:{ + dh_info_st *dh; + anon_server_auth_info_t anon_info; + cert_auth_info_t cert_info; - cert_info = _gnutls_get_auth_info(session); - if (cert_info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &cert_info->dh; - break; - } + switch (gnutls_auth_get_type (session)) + { + case GNUTLS_CRD_ANON: + { + anon_info = _gnutls_get_auth_info (session); + if (anon_info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &anon_info->dh; + break; + } + case GNUTLS_CRD_CERTIFICATE: + { + + cert_info = _gnutls_get_auth_info (session); + if (cert_info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &cert_info->dh; + break; + } default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_set_datum(raw_key, dh->public_key.data, - dh->public_key.size); + return _gnutls_set_datum (raw_key, dh->public_key.data, + dh->public_key.size); } /** @@ -174,37 +180,41 @@ int gnutls_dh_get_pubkey(gnutls_session_t session, * Returns a negative value in case of an error. * **/ -int gnutls_rsa_export_get_pubkey(gnutls_session_t session, - gnutls_datum_t * exponent, - gnutls_datum_t * modulus) +int +gnutls_rsa_export_get_pubkey (gnutls_session_t session, + gnutls_datum_t * exponent, + gnutls_datum_t * modulus) { - cert_auth_info_t info; - int ret; + cert_auth_info_t info; + int ret; - if (gnutls_auth_get_type(session) == GNUTLS_CRD_CERTIFICATE) { - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + if (gnutls_auth_get_type (session) == GNUTLS_CRD_CERTIFICATE) + { + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - ret = _gnutls_set_datum(modulus, info->rsa_export.modulus.data, - info->rsa_export.modulus.size); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_set_datum (modulus, info->rsa_export.modulus.data, + info->rsa_export.modulus.size); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = _gnutls_set_datum(exponent, info->rsa_export.exponent.data, - info->rsa_export.exponent.size); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(modulus); - return ret; + ret = _gnutls_set_datum (exponent, info->rsa_export.exponent.data, + info->rsa_export.exponent.size); + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (modulus); + return ret; } - return 0; + return 0; } - return GNUTLS_E_INVALID_REQUEST; + return GNUTLS_E_INVALID_REQUEST; } @@ -217,29 +227,33 @@ int gnutls_rsa_export_get_pubkey(gnutls_session_t session, * Returns a negative value in case of an error. * **/ -int gnutls_dh_get_secret_bits(gnutls_session_t session) +int +gnutls_dh_get_secret_bits (gnutls_session_t session) { - switch (gnutls_auth_get_type(session)) { - case GNUTLS_CRD_ANON:{ - anon_server_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - return info->dh.secret_bits; - } - case GNUTLS_CRD_CERTIFICATE:{ - cert_auth_info_t info; + switch (gnutls_auth_get_type (session)) + { + case GNUTLS_CRD_ANON: + { + anon_server_auth_info_t info; + + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + return info->dh.secret_bits; + } + case GNUTLS_CRD_CERTIFICATE: + { + cert_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - return info->dh.secret_bits; - } + return info->dh.secret_bits; + } default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } } @@ -253,36 +267,40 @@ int gnutls_dh_get_secret_bits(gnutls_session_t session) * Returns a negative value in case of an error. * **/ -int gnutls_dh_get_prime_bits(gnutls_session_t session) +int +gnutls_dh_get_prime_bits (gnutls_session_t session) { - dh_info_st *dh; + dh_info_st *dh; - switch (gnutls_auth_get_type(session)) { - case GNUTLS_CRD_ANON:{ - anon_server_auth_info_t info; + switch (gnutls_auth_get_type (session)) + { + case GNUTLS_CRD_ANON: + { + anon_server_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE:{ - cert_auth_info_t info; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &info->dh; + break; + } + case GNUTLS_CRD_CERTIFICATE: + { + cert_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - dh = &info->dh; - break; - } + dh = &info->dh; + break; + } default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return (dh->prime.size) * 8; + return (dh->prime.size) * 8; } @@ -295,15 +313,16 @@ int gnutls_dh_get_prime_bits(gnutls_session_t session) * Returns a negative value in case of an error. * **/ -int gnutls_rsa_export_get_modulus_bits(gnutls_session_t session) +int +gnutls_rsa_export_get_modulus_bits (gnutls_session_t session) { - cert_auth_info_t info; + cert_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - return info->rsa_export.modulus.size * 8; + return info->rsa_export.modulus.size * 8; } /** @@ -315,37 +334,41 @@ int gnutls_rsa_export_get_modulus_bits(gnutls_session_t session) * Returns a negative value in case of an error. * **/ -int gnutls_dh_get_peers_public_bits(gnutls_session_t session) +int +gnutls_dh_get_peers_public_bits (gnutls_session_t session) { - dh_info_st *dh; + dh_info_st *dh; - switch (gnutls_auth_get_type(session)) { - case GNUTLS_CRD_ANON:{ - anon_server_auth_info_t info; + switch (gnutls_auth_get_type (session)) + { + case GNUTLS_CRD_ANON: + { + anon_server_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - dh = &info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE:{ - cert_auth_info_t info; + dh = &info->dh; + break; + } + case GNUTLS_CRD_CERTIFICATE: + { + cert_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - dh = &info->dh; - break; - } + dh = &info->dh; + break; + } default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return dh->public_key.size * 8; + return dh->public_key.size * 8; } @@ -362,23 +385,25 @@ int gnutls_dh_get_peers_public_bits(gnutls_session_t session) * Returns NULL in case of an error, or if no certificate was used. * **/ -const gnutls_datum_t *gnutls_certificate_get_ours(gnutls_session_t session) +const gnutls_datum_t * +gnutls_certificate_get_ours (gnutls_session_t session) { - gnutls_certificate_credentials_t cred; + gnutls_certificate_credentials_t cred; - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL); + CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, NULL); - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL || cred->cert_list == NULL) { - gnutls_assert(); - return NULL; + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL || cred->cert_list == NULL) + { + gnutls_assert (); + return NULL; } - if (session->internals.selected_cert_list == NULL) - return NULL; + if (session->internals.selected_cert_list == NULL) + return NULL; - return &session->internals.selected_cert_list[0].raw; + return &session->internals.selected_cert_list[0].raw; } /** @@ -398,20 +423,20 @@ const gnutls_datum_t *gnutls_certificate_get_ours(gnutls_session_t session) * Returns NULL in case of an error, or if no certificate was sent. * **/ -const gnutls_datum_t *gnutls_certificate_get_peers(gnutls_session_t - session, - unsigned int *list_size) +const gnutls_datum_t * +gnutls_certificate_get_peers (gnutls_session_t + session, unsigned int *list_size) { - cert_auth_info_t info; + cert_auth_info_t info; - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL); + CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, NULL); - info = _gnutls_get_auth_info(session); - if (info == NULL) - return NULL; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return NULL; - *list_size = info->ncerts; - return info->raw_certificate_list; + *list_size = info->ncerts; + return info->raw_certificate_list; } @@ -424,16 +449,17 @@ const gnutls_datum_t *gnutls_certificate_get_peers(gnutls_session_t * Returns a negative value in case of an error. * **/ -int gnutls_certificate_client_get_request_status(gnutls_session_t session) +int +gnutls_certificate_client_get_request_status (gnutls_session_t session) { - cert_auth_info_t info; + cert_auth_info_t info; - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, 0); + CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, 0); - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - return info->certificate_requested; + info = _gnutls_get_auth_info (session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + return info->certificate_requested; } /** @@ -456,30 +482,33 @@ int gnutls_certificate_client_get_request_status(gnutls_session_t session) * Returns a negative value in case of an error. * **/ -int gnutls_fingerprint(gnutls_digest_algorithm_t algo, - const gnutls_datum_t * data, void *result, - size_t * result_size) +int +gnutls_fingerprint (gnutls_digest_algorithm_t algo, + const gnutls_datum_t * data, void *result, + size_t * result_size) { - GNUTLS_HASH_HANDLE td; - int hash_len = _gnutls_hash_get_algo_len(HASH2MAC(algo)); + GNUTLS_HASH_HANDLE td; + int hash_len = _gnutls_hash_get_algo_len (HASH2MAC (algo)); - if (hash_len < 0 || (uint) hash_len > *result_size || result == NULL) { - *result_size = hash_len; - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (hash_len < 0 || (uint) hash_len > *result_size || result == NULL) + { + *result_size = hash_len; + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - *result_size = hash_len; + *result_size = hash_len; - if (result) { - td = _gnutls_hash_init(HASH2MAC(algo)); - if (td == NULL) - return GNUTLS_E_HASH_FAILED; + if (result) + { + td = _gnutls_hash_init (HASH2MAC (algo)); + if (td == NULL) + return GNUTLS_E_HASH_FAILED; - _gnutls_hash(td, data->data, data->size); + _gnutls_hash (td, data->data, data->size); - _gnutls_hash_deinit(td, result); + _gnutls_hash_deinit (td, result); } - return 0; + return 0; } /** @@ -492,10 +521,11 @@ int gnutls_fingerprint(gnutls_digest_algorithm_t algo, * cipher suites. * **/ -void gnutls_anon_set_server_dh_params(gnutls_anon_server_credentials_t res, - gnutls_dh_params_t dh_params) +void +gnutls_anon_set_server_dh_params (gnutls_anon_server_credentials_t res, + gnutls_dh_params_t dh_params) { - res->dh_params = dh_params; + res->dh_params = dh_params; } /** @@ -511,10 +541,11 @@ void gnutls_anon_set_server_dh_params(gnutls_anon_server_credentials_t res, * you must change the parameters stored in the certificate first. * **/ -void gnutls_certificate_set_dh_params(gnutls_certificate_credentials_t res, - gnutls_dh_params_t dh_params) +void +gnutls_certificate_set_dh_params (gnutls_certificate_credentials_t res, + gnutls_dh_params_t dh_params) { - res->dh_params = dh_params; + res->dh_params = dh_params; } /** @@ -528,10 +559,10 @@ void gnutls_certificate_set_dh_params(gnutls_certificate_credentials_t res, * **/ void -gnutls_certificate_set_params_function(gnutls_certificate_credentials_t res, - gnutls_params_function * func) +gnutls_certificate_set_params_function (gnutls_certificate_credentials_t res, + gnutls_params_function * func) { - res->params_func = func; + res->params_func = func; } /** @@ -544,10 +575,11 @@ gnutls_certificate_set_params_function(gnutls_certificate_credentials_t res, * return zero on success. * **/ -void gnutls_anon_set_params_function(gnutls_anon_server_credentials_t res, - gnutls_params_function * func) +void +gnutls_anon_set_params_function (gnutls_anon_server_credentials_t res, + gnutls_params_function * func) { - res->params_func = func; + res->params_func = func; } @@ -561,10 +593,11 @@ void gnutls_anon_set_params_function(gnutls_anon_server_credentials_t res, * #gnutls_certificate_verify_flags enumerations. * **/ -void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials_t - res, unsigned int flags) +void +gnutls_certificate_set_verify_flags (gnutls_certificate_credentials_t + res, unsigned int flags) { - res->verify_flags = flags; + res->verify_flags = flags; } /** @@ -577,11 +610,13 @@ void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials_t * gnutls_certificate_verify_peers2(), to avoid denial of service attacks. * **/ -void gnutls_certificate_set_verify_limits(gnutls_certificate_credentials_t - res, unsigned int max_bits, unsigned int max_depth) +void +gnutls_certificate_set_verify_limits (gnutls_certificate_credentials_t + res, unsigned int max_bits, + unsigned int max_depth) { - res->verify_depth = max_depth; - res->verify_bits = max_bits; + res->verify_depth = max_depth; + res->verify_bits = max_bits; } /** @@ -595,8 +630,8 @@ void gnutls_certificate_set_verify_limits(gnutls_certificate_credentials_t * **/ void -gnutls_certificate_set_rsa_export_params(gnutls_certificate_credentials_t - res, gnutls_rsa_params_t rsa_params) +gnutls_certificate_set_rsa_export_params (gnutls_certificate_credentials_t + res, gnutls_rsa_params_t rsa_params) { - res->rsa_params = rsa_params; + res->rsa_params = rsa_params; } diff --git a/lib/gnutls_v2_compat.c b/lib/gnutls_v2_compat.c index 86e666f797..38c3b57de5 100644 --- a/lib/gnutls_v2_compat.c +++ b/lib/gnutls_v2_compat.c @@ -42,40 +42,45 @@ #include "gnutls_auth_int.h" /* This selects the best supported ciphersuite from the ones provided */ -static int _gnutls_handshake_select_v2_suite(gnutls_session_t session, - opaque * data, int datalen) +static int +_gnutls_handshake_select_v2_suite (gnutls_session_t session, + opaque * data, int datalen) { - int i, j, ret; - opaque *_data; - int _datalen; - - _gnutls_handshake_log("HSK[%x]: Parsing a version 2.0 client hello.\n", - session); - - _data = gnutls_malloc(datalen); - if (_data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + int i, j, ret; + opaque *_data; + int _datalen; + + _gnutls_handshake_log ("HSK[%x]: Parsing a version 2.0 client hello.\n", + session); + + _data = gnutls_malloc (datalen); + if (_data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - if (datalen % 3 != 0) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + if (datalen % 3 != 0) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - i = _datalen = 0; - for (j = 0; j < datalen; j += 3) { - if (data[j] == 0) { - memcpy(&_data[i], &data[j + 1], 2); - i += 2; - _datalen += 2; + i = _datalen = 0; + for (j = 0; j < datalen; j += 3) + { + if (data[j] == 0) + { + memcpy (&_data[i], &data[j + 1], 2); + i += 2; + _datalen += 2; } } - ret = _gnutls_server_select_suite(session, _data, _datalen); - gnutls_free(_data); + ret = _gnutls_server_select_suite (session, _data, _datalen); + gnutls_free (_data); - return ret; + return ret; } @@ -83,163 +88,171 @@ static int _gnutls_handshake_select_v2_suite(gnutls_session_t session, /* Read a v2 client hello. Some browsers still use that beast! * However they set their version to 3.0 or 3.1. */ -int _gnutls_read_client_hello_v2(gnutls_session_t session, opaque * data, - int datalen) +int +_gnutls_read_client_hello_v2 (gnutls_session_t session, opaque * data, + int datalen) { - uint16 session_id_len = 0; - int pos = 0; - int ret = 0; - uint16 sizeOfSuites; - gnutls_protocol_t version; - opaque rnd[TLS_RANDOM_SIZE]; - int len = datalen; - int err; - uint16 challenge; - opaque session_id[TLS_MAX_SESSION_ID_SIZE]; - gnutls_protocol_t ver; - - /* we only want to get here once - only in client hello */ - session->internals.v2_hello = 0; - - DECR_LEN(len, 2); - - _gnutls_handshake_log - ("HSK[%x]: SSL 2.0 Hello: Client's version: %d.%d\n", session, - data[pos], data[pos + 1]); - - set_adv_version(session, data[pos], data[pos + 1]); - - version = _gnutls_version_get(data[pos], data[pos + 1]); - - /* if we do not support that version - */ - if (_gnutls_version_is_supported(session, version) == 0) { - ver = _gnutls_version_lowest(session); - } else { - ver = version; + uint16 session_id_len = 0; + int pos = 0; + int ret = 0; + uint16 sizeOfSuites; + gnutls_protocol_t version; + opaque rnd[TLS_RANDOM_SIZE]; + int len = datalen; + int err; + uint16 challenge; + opaque session_id[TLS_MAX_SESSION_ID_SIZE]; + gnutls_protocol_t ver; + + /* we only want to get here once - only in client hello */ + session->internals.v2_hello = 0; + + DECR_LEN (len, 2); + + _gnutls_handshake_log + ("HSK[%x]: SSL 2.0 Hello: Client's version: %d.%d\n", session, + data[pos], data[pos + 1]); + + set_adv_version (session, data[pos], data[pos + 1]); + + version = _gnutls_version_get (data[pos], data[pos + 1]); + + /* if we do not support that version + */ + if (_gnutls_version_is_supported (session, version) == 0) + { + ver = _gnutls_version_lowest (session); + } + else + { + ver = version; } - _gnutls_set_current_version(session, ver); + _gnutls_set_current_version (session, ver); - pos += 2; + pos += 2; - /* Read uint16 cipher_spec_length */ - DECR_LEN(len, 2); - sizeOfSuites = _gnutls_read_uint16(&data[pos]); - pos += 2; + /* Read uint16 cipher_spec_length */ + DECR_LEN (len, 2); + sizeOfSuites = _gnutls_read_uint16 (&data[pos]); + pos += 2; - /* read session id length */ - DECR_LEN(len, 2); - session_id_len = _gnutls_read_uint16(&data[pos]); - pos += 2; + /* read session id length */ + DECR_LEN (len, 2); + session_id_len = _gnutls_read_uint16 (&data[pos]); + pos += 2; - if (session_id_len > TLS_MAX_SESSION_ID_SIZE) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + if (session_id_len > TLS_MAX_SESSION_ID_SIZE) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - /* read challenge length */ - DECR_LEN(len, 2); - challenge = _gnutls_read_uint16(&data[pos]); - pos += 2; + /* read challenge length */ + DECR_LEN (len, 2); + challenge = _gnutls_read_uint16 (&data[pos]); + pos += 2; - if (challenge < 16 || challenge > TLS_RANDOM_SIZE) { - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + if (challenge < 16 || challenge > TLS_RANDOM_SIZE) + { + gnutls_assert (); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; } - /* find an appropriate cipher suite */ + /* find an appropriate cipher suite */ - DECR_LEN(len, sizeOfSuites); - ret = - _gnutls_handshake_select_v2_suite(session, &data[pos], - sizeOfSuites); + DECR_LEN (len, sizeOfSuites); + ret = _gnutls_handshake_select_v2_suite (session, &data[pos], sizeOfSuites); - pos += sizeOfSuites; - if (ret < 0) { - gnutls_assert(); - return ret; + pos += sizeOfSuites; + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* check if the credentials (username, public key etc.) are ok - */ - if (_gnutls_get_kx_cred - (session, - _gnutls_cipher_suite_get_kx_algo(&session->security_parameters. - current_cipher_suite), - &err) == NULL && err != 0) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + /* check if the credentials (username, public key etc.) are ok + */ + if (_gnutls_get_kx_cred + (session, + _gnutls_cipher_suite_get_kx_algo (&session->security_parameters. + current_cipher_suite), + &err) == NULL && err != 0) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - /* set the mod_auth_st to the appropriate struct - * according to the KX algorithm. This is needed since all the - * handshake functions are read from there; - */ - session->internals.auth_struct = - _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); - if (session->internals.auth_struct == NULL) { - - _gnutls_handshake_log - ("HSK[%x]: SSL 2.0 Hello: Cannot find the appropriate handler for the KX algorithm\n", - session); - - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + /* set the mod_auth_st to the appropriate struct + * according to the KX algorithm. This is needed since all the + * handshake functions are read from there; + */ + session->internals.auth_struct = + _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); + if (session->internals.auth_struct == NULL) + { + + _gnutls_handshake_log + ("HSK[%x]: SSL 2.0 Hello: Cannot find the appropriate handler for the KX algorithm\n", + session); + + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* read random new values -skip session id for now */ - DECR_LEN(len, session_id_len); /* skip session id for now */ - memcpy(session_id, &data[pos], session_id_len); - pos += session_id_len; + /* read random new values -skip session id for now */ + DECR_LEN (len, session_id_len); /* skip session id for now */ + memcpy (session_id, &data[pos], session_id_len); + pos += session_id_len; - DECR_LEN(len, challenge); - memset(rnd, 0, TLS_RANDOM_SIZE); + DECR_LEN (len, challenge); + memset (rnd, 0, TLS_RANDOM_SIZE); - memcpy(&rnd[TLS_RANDOM_SIZE - challenge], &data[pos], challenge); + memcpy (&rnd[TLS_RANDOM_SIZE - challenge], &data[pos], challenge); - _gnutls_set_client_random(session, rnd); + _gnutls_set_client_random (session, rnd); - /* generate server random value */ + /* generate server random value */ - _gnutls_tls_create_random(rnd); - _gnutls_set_server_random(session, rnd); + _gnutls_tls_create_random (rnd); + _gnutls_set_server_random (session, rnd); - session->security_parameters.timestamp = time(NULL); + session->security_parameters.timestamp = time (NULL); - /* RESUME SESSION */ + /* RESUME SESSION */ - DECR_LEN(len, session_id_len); - ret = - _gnutls_server_restore_session(session, session_id, - session_id_len); + DECR_LEN (len, session_id_len); + ret = _gnutls_server_restore_session (session, session_id, session_id_len); - if (ret == 0) { /* resumed! */ - /* get the new random values */ - memcpy(session->internals.resumed_security_parameters. - server_random, session->security_parameters.server_random, - TLS_RANDOM_SIZE); - memcpy(session->internals.resumed_security_parameters. - client_random, session->security_parameters.client_random, - TLS_RANDOM_SIZE); + if (ret == 0) + { /* resumed! */ + /* get the new random values */ + memcpy (session->internals.resumed_security_parameters. + server_random, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + memcpy (session->internals.resumed_security_parameters. + client_random, session->security_parameters.client_random, + TLS_RANDOM_SIZE); - session->internals.resumed = RESUME_TRUE; - return 0; - } else { - _gnutls_generate_session_id(session->security_parameters. - session_id, - &session->security_parameters. - session_id_size); - session->internals.resumed = RESUME_FALSE; + session->internals.resumed = RESUME_TRUE; + return 0; + } + else + { + _gnutls_generate_session_id (session->security_parameters. + session_id, + &session->security_parameters. + session_id_size); + session->internals.resumed = RESUME_FALSE; } - session->internals.compression_method = GNUTLS_COMP_NULL; + session->internals.compression_method = GNUTLS_COMP_NULL; - return 0; + return 0; } diff --git a/lib/gnutls_v2_compat.h b/lib/gnutls_v2_compat.h index 09e5044304..effca1eeaf 100644 --- a/lib/gnutls_v2_compat.h +++ b/lib/gnutls_v2_compat.h @@ -22,5 +22,5 @@ * */ -int _gnutls_read_client_hello_v2(gnutls_session_t session, opaque * data, - int datalen); +int _gnutls_read_client_hello_v2 (gnutls_session_t session, opaque * data, + int datalen); diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index f5d60e7f5e..f7e0222937 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c @@ -57,23 +57,26 @@ /* Check if the number of bits of the key in the certificate * is unacceptable. */ -inline static int check_bits(gnutls_x509_crt_t crt, unsigned int max_bits) +inline static int +check_bits (gnutls_x509_crt_t crt, unsigned int max_bits) { - int ret; - unsigned int bits; + int ret; + unsigned int bits; - ret = gnutls_x509_crt_get_pk_algorithm(crt, &bits); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = gnutls_x509_crt_get_pk_algorithm (crt, &bits); + if (ret < 0) + { + gnutls_assert (); + return ret; } - if (bits > max_bits) { - gnutls_assert(); - return GNUTLS_E_CONSTRAINT_ERROR; + if (bits > max_bits) + { + gnutls_assert (); + return GNUTLS_E_CONSTRAINT_ERROR; } - return 0; + return 0; } @@ -93,94 +96,103 @@ inline static int check_bits(gnutls_x509_crt_t crt, unsigned int max_bits) * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent. * -*/ -int _gnutls_x509_cert_verify_peers(gnutls_session_t session, - unsigned int *status) +int +_gnutls_x509_cert_verify_peers (gnutls_session_t session, + unsigned int *status) { - cert_auth_info_t info; - gnutls_certificate_credentials_t cred; - gnutls_x509_crt_t *peer_certificate_list; - int peer_certificate_list_size, i, x, ret; - - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(session); - if (info == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) - return GNUTLS_E_NO_CERTIFICATE_FOUND; - - if (info->ncerts > cred->verify_depth) { - gnutls_assert(); - return GNUTLS_E_CONSTRAINT_ERROR; - } - - /* generate a list of gnutls_certs based on the auth info - * raw certs. - */ - peer_certificate_list_size = info->ncerts; - peer_certificate_list = - gnutls_calloc(1, - peer_certificate_list_size * - sizeof(gnutls_x509_crt_t)); - if (peer_certificate_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - for (i = 0; i < peer_certificate_list_size; i++) { - ret = gnutls_x509_crt_init(&peer_certificate_list[i]); - if (ret < 0) { - gnutls_assert(); - CLEAR_CERTS; - return ret; + cert_auth_info_t info; + gnutls_certificate_credentials_t cred; + gnutls_x509_crt_t *peer_certificate_list; + int peer_certificate_list_size, i, x, ret; + + CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info (session); + if (info == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) + { + gnutls_assert (); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; + + if (info->ncerts > cred->verify_depth) + { + gnutls_assert (); + return GNUTLS_E_CONSTRAINT_ERROR; + } + + /* generate a list of gnutls_certs based on the auth info + * raw certs. + */ + peer_certificate_list_size = info->ncerts; + peer_certificate_list = + gnutls_calloc (1, + peer_certificate_list_size * sizeof (gnutls_x509_crt_t)); + if (peer_certificate_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + for (i = 0; i < peer_certificate_list_size; i++) + { + ret = gnutls_x509_crt_init (&peer_certificate_list[i]); + if (ret < 0) + { + gnutls_assert (); + CLEAR_CERTS; + return ret; } - ret = - gnutls_x509_crt_import(peer_certificate_list[i], - &info->raw_certificate_list[i], - GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - CLEAR_CERTS; - return ret; + ret = + gnutls_x509_crt_import (peer_certificate_list[i], + &info->raw_certificate_list[i], + GNUTLS_X509_FMT_DER); + if (ret < 0) + { + gnutls_assert (); + CLEAR_CERTS; + return ret; } - ret = check_bits(peer_certificate_list[i], cred->verify_bits); - if (ret < 0) { - gnutls_assert(); - CLEAR_CERTS; - return ret; + ret = check_bits (peer_certificate_list[i], cred->verify_bits); + if (ret < 0) + { + gnutls_assert (); + CLEAR_CERTS; + return ret; } } - /* Verify certificate - */ - ret = - gnutls_x509_crt_list_verify(peer_certificate_list, - peer_certificate_list_size, - cred->x509_ca_list, cred->x509_ncas, - cred->x509_crl_list, cred->x509_ncrls, - cred->verify_flags, status); + /* Verify certificate + */ + ret = + gnutls_x509_crt_list_verify (peer_certificate_list, + peer_certificate_list_size, + cred->x509_ca_list, cred->x509_ncas, + cred->x509_crl_list, cred->x509_ncrls, + cred->verify_flags, status); - CLEAR_CERTS; + CLEAR_CERTS; - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } /* @@ -190,124 +202,134 @@ int _gnutls_x509_cert_verify_peers(gnutls_session_t session, /* returns error if the certificate has different algorithm than * the given key parameters. */ -static int _gnutls_check_key_cert_match(gnutls_certificate_credentials_t - res) +static int +_gnutls_check_key_cert_match (gnutls_certificate_credentials_t res) { - gnutls_datum_t cid; - gnutls_datum_t kid; - uint pk = res->cert_list[res->ncerts - 1][0].subject_pk_algorithm; + gnutls_datum_t cid; + gnutls_datum_t kid; + uint pk = res->cert_list[res->ncerts - 1][0].subject_pk_algorithm; - if (res->pkey[res->ncerts - 1].pk_algorithm != pk) { - gnutls_assert(); - return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; + if (res->pkey[res->ncerts - 1].pk_algorithm != pk) + { + gnutls_assert (); + return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; } - if (pk == GNUTLS_PK_RSA) { - _gnutls_x509_write_rsa_params(res->pkey[res->ncerts - 1].params, - res->pkey[res->ncerts - - 1].params_size, &kid); + if (pk == GNUTLS_PK_RSA) + { + _gnutls_x509_write_rsa_params (res->pkey[res->ncerts - 1].params, + res->pkey[res->ncerts - + 1].params_size, &kid); - _gnutls_x509_write_rsa_params(res->cert_list[res->ncerts - 1][0]. - params, - res->cert_list[res->ncerts - - 1][0].params_size, - &cid); - } else if (pk == GNUTLS_PK_DSA) { + _gnutls_x509_write_rsa_params (res->cert_list[res->ncerts - 1][0]. + params, + res->cert_list[res->ncerts - + 1][0].params_size, &cid); + } + else if (pk == GNUTLS_PK_DSA) + { - _gnutls_x509_write_dsa_params(res->pkey[res->ncerts - 1].params, - res->pkey[res->ncerts - - 1].params_size, &kid); + _gnutls_x509_write_dsa_params (res->pkey[res->ncerts - 1].params, + res->pkey[res->ncerts - + 1].params_size, &kid); - _gnutls_x509_write_dsa_params(res->cert_list[res->ncerts - 1][0]. - params, - res->cert_list[res->ncerts - - 1][0].params_size, - &cid); + _gnutls_x509_write_dsa_params (res->cert_list[res->ncerts - 1][0]. + params, + res->cert_list[res->ncerts - + 1][0].params_size, &cid); } - if (cid.size != kid.size) { - gnutls_assert(); - _gnutls_free_datum(&kid); - _gnutls_free_datum(&cid); - return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; + if (cid.size != kid.size) + { + gnutls_assert (); + _gnutls_free_datum (&kid); + _gnutls_free_datum (&cid); + return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; } - if (memcmp(kid.data, cid.data, kid.size) != 0) { - gnutls_assert(); - _gnutls_free_datum(&kid); - _gnutls_free_datum(&cid); - return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; + if (memcmp (kid.data, cid.data, kid.size) != 0) + { + gnutls_assert (); + _gnutls_free_datum (&kid); + _gnutls_free_datum (&cid); + return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; } - _gnutls_free_datum(&kid); - _gnutls_free_datum(&cid); - return 0; + _gnutls_free_datum (&kid); + _gnutls_free_datum (&cid); + return 0; } /* Reads a DER encoded certificate list from memory and stores it to * a gnutls_cert structure. This is only called if PKCS7 read fails. * returns the number of certificates parsed (1) */ -static int parse_crt_mem(gnutls_cert ** cert_list, uint * ncerts, - gnutls_x509_crt_t cert) +static int +parse_crt_mem (gnutls_cert ** cert_list, uint * ncerts, + gnutls_x509_crt_t cert) { - int i; - int ret; + int i; + int ret; - i = *ncerts + 1; + i = *ncerts + 1; - *cert_list = - (gnutls_cert *) gnutls_realloc_fast(*cert_list, - i * sizeof(gnutls_cert)); + *cert_list = + (gnutls_cert *) gnutls_realloc_fast (*cert_list, + i * sizeof (gnutls_cert)); - if (*cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (*cert_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - ret = _gnutls_x509_crt_to_gcert(&cert_list[0][i - 1], cert, 0); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_x509_crt_to_gcert (&cert_list[0][i - 1], cert, 0); + if (ret < 0) + { + gnutls_assert (); + return ret; } - *ncerts = i; + *ncerts = i; - return 1; /* one certificate parsed */ + return 1; /* one certificate parsed */ } /* Reads a DER encoded certificate list from memory and stores it to * a gnutls_cert structure. This is only called if PKCS7 read fails. * returns the number of certificates parsed (1) */ -static int parse_der_cert_mem(gnutls_cert ** cert_list, uint * ncerts, - const void *input_cert, int input_cert_size) +static int +parse_der_cert_mem (gnutls_cert ** cert_list, uint * ncerts, + const void *input_cert, int input_cert_size) { - gnutls_datum_t tmp; - gnutls_x509_crt_t cert; - int ret; + gnutls_datum_t tmp; + gnutls_x509_crt_t cert; + int ret; - ret = gnutls_x509_crt_init(&cert); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = gnutls_x509_crt_init (&cert); + if (ret < 0) + { + gnutls_assert (); + return ret; } - tmp.data = (opaque *) input_cert; - tmp.size = input_cert_size; + tmp.data = (opaque *) input_cert; + tmp.size = input_cert_size; - ret = gnutls_x509_crt_import(cert, &tmp, GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - gnutls_x509_crt_deinit(cert); - return ret; + ret = gnutls_x509_crt_import (cert, &tmp, GNUTLS_X509_FMT_DER); + if (ret < 0) + { + gnutls_assert (); + gnutls_x509_crt_deinit (cert); + return ret; } - ret = parse_crt_mem(cert_list, ncerts, cert); - gnutls_x509_crt_deinit(cert); + ret = parse_crt_mem (cert_list, ncerts, cert); + gnutls_x509_crt_deinit (cert); - return ret; + return ret; } #define CERT_PEM 1 @@ -317,373 +339,403 @@ static int parse_der_cert_mem(gnutls_cert ** cert_list, uint * ncerts, * a gnutls_cert structure. * returns the number of certificate parsed */ -static int parse_pkcs7_cert_mem(gnutls_cert ** cert_list, uint * ncerts, const - void *input_cert, int input_cert_size, - int flags) +static int +parse_pkcs7_cert_mem (gnutls_cert ** cert_list, uint * ncerts, const + void *input_cert, int input_cert_size, int flags) { #ifdef ENABLE_PKI - int i, j, count; - gnutls_datum_t tmp, tmp2; - int ret; - opaque *pcert = NULL; - size_t pcert_size; - gnutls_pkcs7_t pkcs7; - - ret = gnutls_pkcs7_init(&pkcs7); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - if (flags & CERT_PEM) - ret = gnutls_pkcs7_import(pkcs7, &tmp, GNUTLS_X509_FMT_PEM); - else - ret = gnutls_pkcs7_import(pkcs7, &tmp, GNUTLS_X509_FMT_DER); - if (ret < 0) { - /* if we failed to read the structure, - * then just try to decode a plain DER - * certificate. - */ - gnutls_assert(); - gnutls_pkcs7_deinit(pkcs7); + int i, j, count; + gnutls_datum_t tmp, tmp2; + int ret; + opaque *pcert = NULL; + size_t pcert_size; + gnutls_pkcs7_t pkcs7; + + ret = gnutls_pkcs7_init (&pkcs7); + if (ret < 0) + { + gnutls_assert (); + return ret; + } + + if (flags & CERT_PEM) + ret = gnutls_pkcs7_import (pkcs7, &tmp, GNUTLS_X509_FMT_PEM); + else + ret = gnutls_pkcs7_import (pkcs7, &tmp, GNUTLS_X509_FMT_DER); + if (ret < 0) + { + /* if we failed to read the structure, + * then just try to decode a plain DER + * certificate. + */ + gnutls_assert (); + gnutls_pkcs7_deinit (pkcs7); #endif - return parse_der_cert_mem(cert_list, ncerts, - input_cert, input_cert_size); + return parse_der_cert_mem (cert_list, ncerts, + input_cert, input_cert_size); #ifdef ENABLE_PKI } - i = *ncerts + 1; + i = *ncerts + 1; - /* tmp now contains the decoded certificate list */ - tmp.data = (opaque *) input_cert; - tmp.size = input_cert_size; + /* tmp now contains the decoded certificate list */ + tmp.data = (opaque *) input_cert; + tmp.size = input_cert_size; - ret = gnutls_pkcs7_get_crt_count(pkcs7); + ret = gnutls_pkcs7_get_crt_count (pkcs7); - if (ret < 0) { - gnutls_assert(); - gnutls_pkcs7_deinit(pkcs7); - return ret; + if (ret < 0) + { + gnutls_assert (); + gnutls_pkcs7_deinit (pkcs7); + return ret; } - count = ret; + count = ret; - j = count - 1; - do { - pcert_size = 0; - ret = gnutls_pkcs7_get_crt_raw(pkcs7, j, NULL, &pcert_size); - if (ret != GNUTLS_E_MEMORY_ERROR) { - count--; - continue; + j = count - 1; + do + { + pcert_size = 0; + ret = gnutls_pkcs7_get_crt_raw (pkcs7, j, NULL, &pcert_size); + if (ret != GNUTLS_E_MEMORY_ERROR) + { + count--; + continue; } - pcert = gnutls_malloc(pcert_size); - if (ret == GNUTLS_E_MEMORY_ERROR) { - gnutls_assert(); - count--; - continue; + pcert = gnutls_malloc (pcert_size); + if (ret == GNUTLS_E_MEMORY_ERROR) + { + gnutls_assert (); + count--; + continue; } - /* read the certificate - */ - ret = gnutls_pkcs7_get_crt_raw(pkcs7, j, pcert, &pcert_size); + /* read the certificate + */ + ret = gnutls_pkcs7_get_crt_raw (pkcs7, j, pcert, &pcert_size); - j--; + j--; - if (ret >= 0) { - *cert_list = - (gnutls_cert *) gnutls_realloc_fast(*cert_list, - i * - sizeof(gnutls_cert)); + if (ret >= 0) + { + *cert_list = + (gnutls_cert *) gnutls_realloc_fast (*cert_list, + i * sizeof (gnutls_cert)); - if (*cert_list == NULL) { - gnutls_assert(); - gnutls_free(pcert); - return GNUTLS_E_MEMORY_ERROR; + if (*cert_list == NULL) + { + gnutls_assert (); + gnutls_free (pcert); + return GNUTLS_E_MEMORY_ERROR; } - tmp2.data = pcert; - tmp2.size = pcert_size; + tmp2.data = pcert; + tmp2.size = pcert_size; - ret = - _gnutls_x509_raw_cert_to_gcert(&cert_list[0][i - 1], &tmp2, - 0); + ret = + _gnutls_x509_raw_cert_to_gcert (&cert_list[0][i - 1], &tmp2, 0); - if (ret < 0) { - gnutls_assert(); - gnutls_pkcs7_deinit(pkcs7); - gnutls_free(pcert); - return ret; + if (ret < 0) + { + gnutls_assert (); + gnutls_pkcs7_deinit (pkcs7); + gnutls_free (pcert); + return ret; } - i++; + i++; } - gnutls_free(pcert); + gnutls_free (pcert); - } while (ret >= 0 && j >= 0); + } + while (ret >= 0 && j >= 0); - *ncerts = i - 1; + *ncerts = i - 1; - gnutls_pkcs7_deinit(pkcs7); - return count; + gnutls_pkcs7_deinit (pkcs7); + return count; #endif } /* Reads a base64 encoded certificate list from memory and stores it to * a gnutls_cert structure. Returns the number of certificate parsed. */ -static int parse_pem_cert_mem(gnutls_cert ** cert_list, uint * ncerts, - const char *input_cert, int input_cert_size) +static int +parse_pem_cert_mem (gnutls_cert ** cert_list, uint * ncerts, + const char *input_cert, int input_cert_size) { - int size, siz2, i; - const char *ptr; - opaque *ptr2; - gnutls_datum_t tmp; - int ret, count; + int size, siz2, i; + const char *ptr; + opaque *ptr2; + gnutls_datum_t tmp; + int ret, count; #ifdef ENABLE_PKI - if ((ptr = memmem(input_cert, input_cert_size, - PEM_PKCS7_SEP, sizeof(PEM_PKCS7_SEP) - 1)) != NULL) { - size = strlen(ptr); + if ((ptr = memmem (input_cert, input_cert_size, + PEM_PKCS7_SEP, sizeof (PEM_PKCS7_SEP) - 1)) != NULL) + { + size = strlen (ptr); - ret = parse_pkcs7_cert_mem(cert_list, ncerts, ptr, size, CERT_PEM); + ret = parse_pkcs7_cert_mem (cert_list, ncerts, ptr, size, CERT_PEM); - return ret; + return ret; } #endif - /* move to the certificate - */ - ptr = memmem(input_cert, input_cert_size, - PEM_CERT_SEP, sizeof(PEM_CERT_SEP) - 1); - if (ptr == NULL) - ptr = memmem(input_cert, input_cert_size, - PEM_CERT_SEP2, sizeof(PEM_CERT_SEP2) - 1); + /* move to the certificate + */ + ptr = memmem (input_cert, input_cert_size, + PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1); + if (ptr == NULL) + ptr = memmem (input_cert, input_cert_size, + PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1); - if (ptr == NULL) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; + if (ptr == NULL) + { + gnutls_assert (); + return GNUTLS_E_BASE64_DECODING_ERROR; } - size = input_cert_size - (ptr - input_cert); + size = input_cert_size - (ptr - input_cert); - i = *ncerts + 1; - count = 0; + i = *ncerts + 1; + count = 0; - do { + do + { - siz2 = _gnutls_fbase64_decode(NULL, ptr, size, &ptr2); + siz2 = _gnutls_fbase64_decode (NULL, ptr, size, &ptr2); - if (siz2 < 0) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; + if (siz2 < 0) + { + gnutls_assert (); + return GNUTLS_E_BASE64_DECODING_ERROR; } - *cert_list = - (gnutls_cert *) gnutls_realloc_fast(*cert_list, - i * sizeof(gnutls_cert)); + *cert_list = + (gnutls_cert *) gnutls_realloc_fast (*cert_list, + i * sizeof (gnutls_cert)); - if (*cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (*cert_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - tmp.data = ptr2; - tmp.size = siz2; + tmp.data = ptr2; + tmp.size = siz2; - ret = - _gnutls_x509_raw_cert_to_gcert(&cert_list[0][i - 1], &tmp, 0); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_x509_raw_cert_to_gcert (&cert_list[0][i - 1], &tmp, 0); + if (ret < 0) + { + gnutls_assert (); + return ret; } - _gnutls_free_datum(&tmp); /* free ptr2 */ + _gnutls_free_datum (&tmp); /* free ptr2 */ - /* now we move ptr after the pem header - */ - ptr++; - /* find the next certificate (if any) - */ - size = input_cert_size - (ptr - input_cert); + /* now we move ptr after the pem header + */ + ptr++; + /* find the next certificate (if any) + */ + size = input_cert_size - (ptr - input_cert); - if (size > 0) { - char *ptr3; + if (size > 0) + { + char *ptr3; - ptr3 = memmem(ptr, size, PEM_CERT_SEP, sizeof(PEM_CERT_SEP) - 1); - if (ptr3 == NULL) - ptr3 = memmem(ptr, size, PEM_CERT_SEP2, - sizeof(PEM_CERT_SEP2) - 1); + ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1); + if (ptr3 == NULL) + ptr3 = memmem (ptr, size, PEM_CERT_SEP2, + sizeof (PEM_CERT_SEP2) - 1); - ptr = ptr3; - } else - ptr = NULL; + ptr = ptr3; + } + else + ptr = NULL; - i++; - count++; + i++; + count++; - } while (ptr != NULL); + } + while (ptr != NULL); - *ncerts = i - 1; + *ncerts = i - 1; - return count; + return count; } /* Reads a DER or PEM certificate from memory */ -static -int read_cert_mem(gnutls_certificate_credentials_t res, const void *cert, - int cert_size, gnutls_x509_crt_fmt_t type) +static int +read_cert_mem (gnutls_certificate_credentials_t res, const void *cert, + int cert_size, gnutls_x509_crt_fmt_t type) { - int ret; - - /* allocate space for the certificate to add - */ - res->cert_list = gnutls_realloc_fast(res->cert_list, - (1 + - res->ncerts) * - sizeof(gnutls_cert *)); - if (res->cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - res->cert_list_length = gnutls_realloc_fast(res->cert_list_length, - (1 + - res->ncerts) * - sizeof(int)); - if (res->cert_list_length == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - res->cert_list[res->ncerts] = NULL; /* for realloc */ - res->cert_list_length[res->ncerts] = 0; - - if (type == GNUTLS_X509_FMT_DER) - ret = parse_pkcs7_cert_mem(&res->cert_list[res->ncerts], - &res->cert_list_length[res->ncerts], - cert, cert_size, 0); - else - ret = - parse_pem_cert_mem(&res->cert_list[res->ncerts], - &res->cert_list_length[res->ncerts], cert, - cert_size); - - if (ret < 0) { - gnutls_assert(); - return ret; + int ret; + + /* allocate space for the certificate to add + */ + res->cert_list = gnutls_realloc_fast (res->cert_list, + (1 + + res->ncerts) * + sizeof (gnutls_cert *)); + if (res->cert_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + res->cert_list_length = gnutls_realloc_fast (res->cert_list_length, + (1 + + res->ncerts) * sizeof (int)); + if (res->cert_list_length == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + res->cert_list[res->ncerts] = NULL; /* for realloc */ + res->cert_list_length[res->ncerts] = 0; + + if (type == GNUTLS_X509_FMT_DER) + ret = parse_pkcs7_cert_mem (&res->cert_list[res->ncerts], + &res->cert_list_length[res->ncerts], + cert, cert_size, 0); + else + ret = + parse_pem_cert_mem (&res->cert_list[res->ncerts], + &res->cert_list_length[res->ncerts], cert, + cert_size); + + if (ret < 0) + { + gnutls_assert (); + return ret; } - return ret; + return ret; } -int _gnutls_x509_privkey_to_gkey(gnutls_privkey * dest, - gnutls_x509_privkey_t src) +int +_gnutls_x509_privkey_to_gkey (gnutls_privkey * dest, + gnutls_x509_privkey_t src) { - int i, ret; - - memset(dest, 0, sizeof(gnutls_privkey)); - - for (i = 0; i < src->params_size; i++) { - dest->params[i] = _gnutls_mpi_copy(src->params[i]); - if (dest->params[i] == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + int i, ret; + + memset (dest, 0, sizeof (gnutls_privkey)); + + for (i = 0; i < src->params_size; i++) + { + dest->params[i] = _gnutls_mpi_copy (src->params[i]); + if (dest->params[i] == NULL) + { + gnutls_assert (); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; } } - dest->pk_algorithm = src->pk_algorithm; - dest->params_size = src->params_size; + dest->pk_algorithm = src->pk_algorithm; + dest->params_size = src->params_size; - return 0; + return 0; - cleanup: +cleanup: - for (i = 0; i < src->params_size; i++) { - _gnutls_mpi_release(&dest->params[i]); + for (i = 0; i < src->params_size; i++) + { + _gnutls_mpi_release (&dest->params[i]); } - return ret; + return ret; } -void _gnutls_gkey_deinit(gnutls_privkey * key) +void +_gnutls_gkey_deinit (gnutls_privkey * key) { - int i; - if (key == NULL) - return; + int i; + if (key == NULL) + return; - for (i = 0; i < key->params_size; i++) { - _gnutls_mpi_release(&key->params[i]); + for (i = 0; i < key->params_size; i++) + { + _gnutls_mpi_release (&key->params[i]); } } -int _gnutls_x509_raw_privkey_to_gkey(gnutls_privkey * privkey, - const gnutls_datum_t * raw_key, - gnutls_x509_crt_fmt_t type) +int +_gnutls_x509_raw_privkey_to_gkey (gnutls_privkey * privkey, + const gnutls_datum_t * raw_key, + gnutls_x509_crt_fmt_t type) { - gnutls_x509_privkey_t tmpkey; - int ret; + gnutls_x509_privkey_t tmpkey; + int ret; - ret = gnutls_x509_privkey_init(&tmpkey); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = gnutls_x509_privkey_init (&tmpkey); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = gnutls_x509_privkey_import(tmpkey, raw_key, type); - if (ret < 0) { - gnutls_assert(); - gnutls_x509_privkey_deinit(tmpkey); - return ret; + ret = gnutls_x509_privkey_import (tmpkey, raw_key, type); + if (ret < 0) + { + gnutls_assert (); + gnutls_x509_privkey_deinit (tmpkey); + return ret; } - ret = _gnutls_x509_privkey_to_gkey(privkey, tmpkey); - if (ret < 0) { - gnutls_assert(); - gnutls_x509_privkey_deinit(tmpkey); - return ret; + ret = _gnutls_x509_privkey_to_gkey (privkey, tmpkey); + if (ret < 0) + { + gnutls_assert (); + gnutls_x509_privkey_deinit (tmpkey); + return ret; } - gnutls_x509_privkey_deinit(tmpkey); + gnutls_x509_privkey_deinit (tmpkey); - return 0; + return 0; } /* Reads a PEM encoded PKCS-1 RSA private key from memory * 2002-01-26: Added ability to read DSA keys. * type indicates the certificate format. */ -static int read_key_mem(gnutls_certificate_credentials_t res, - const void *key, int key_size, - gnutls_x509_crt_fmt_t type) +static int +read_key_mem (gnutls_certificate_credentials_t res, + const void *key, int key_size, gnutls_x509_crt_fmt_t type) { - int ret; - gnutls_datum_t tmp; + int ret; + gnutls_datum_t tmp; - /* allocate space for the pkey list - */ - res->pkey = - gnutls_realloc_fast(res->pkey, - (res->ncerts + 1) * sizeof(gnutls_privkey)); - if (res->pkey == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + /* allocate space for the pkey list + */ + res->pkey = + gnutls_realloc_fast (res->pkey, + (res->ncerts + 1) * sizeof (gnutls_privkey)); + if (res->pkey == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - tmp.data = (opaque *) key; - tmp.size = key_size; + tmp.data = (opaque *) key; + tmp.size = key_size; - ret = - _gnutls_x509_raw_privkey_to_gkey(&res->pkey[res->ncerts], &tmp, - type); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + _gnutls_x509_raw_privkey_to_gkey (&res->pkey[res->ncerts], &tmp, type); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } /* Opens a file reads its contents and stores it @@ -701,115 +753,128 @@ static int read_key_mem(gnutls_certificate_credentials_t res, #include <strfile.h> -void _gnutls_strfile_free(strfile * x) +void +_gnutls_strfile_free (strfile * x) { #ifdef HAVE_MMAP - if (x->mmaped) { - munmap(x->data, x->size); - return; + if (x->mmaped) + { + munmap (x->data, x->size); + return; } #endif - gnutls_free(x->data); - x->data = NULL; + gnutls_free (x->data); + x->data = NULL; } -strfile _gnutls_file_to_str(const char *file) +strfile +_gnutls_file_to_str (const char *file) { - int fd1 = -1; - struct stat stat_st; - size_t tot_size; - size_t left; - opaque *tmp; - ssize_t i = 0; - strfile null = { NULL, 0, 0 }; - strfile ret = { NULL, 0, 0 }; - - fd1 = open(file, 0); - if (fd1 == -1) { - gnutls_assert(); - return null; - } - - if (fstat(fd1, &stat_st) == -1) { - gnutls_assert(); - goto error; - } - - tot_size = stat_st.st_size; - if (tot_size == 0) { - gnutls_assert(); - goto error; + int fd1 = -1; + struct stat stat_st; + size_t tot_size; + size_t left; + opaque *tmp; + ssize_t i = 0; + strfile null = { NULL, 0, 0 }; + strfile ret = { NULL, 0, 0 }; + + fd1 = open (file, 0); + if (fd1 == -1) + { + gnutls_assert (); + return null; + } + + if (fstat (fd1, &stat_st) == -1) + { + gnutls_assert (); + goto error; + } + + tot_size = stat_st.st_size; + if (tot_size == 0) + { + gnutls_assert (); + goto error; } #ifdef HAVE_MMAP - if ((tmp = - mmap(NULL, tot_size, PROT_READ, MAP_SHARED, fd1, - 0)) != MAP_FAILED) { - ret.mmaped = 1; - ret.data = tmp; - ret.size = tot_size; + if ((tmp = + mmap (NULL, tot_size, PROT_READ, MAP_SHARED, fd1, 0)) != MAP_FAILED) + { + ret.mmaped = 1; + ret.data = tmp; + ret.size = tot_size; - close(fd1); - return ret; + close (fd1); + return ret; } #endif - ret.data = gnutls_malloc(tot_size); - if (ret.data == NULL) { - gnutls_assert(); - goto error; - } - - left = tot_size; - while (left > 0) { - i = read(fd1, &ret.data[tot_size - left], left); - if (i == -1) { - if (errno == EAGAIN || errno == EINTR) - continue; - else { - gnutls_assert(); - goto error; + ret.data = gnutls_malloc (tot_size); + if (ret.data == NULL) + { + gnutls_assert (); + goto error; + } + + left = tot_size; + while (left > 0) + { + i = read (fd1, &ret.data[tot_size - left], left); + if (i == -1) + { + if (errno == EAGAIN || errno == EINTR) + continue; + else + { + gnutls_assert (); + goto error; } - } else if (i == 0) - break; + } + else if (i == 0) + break; - left -= i; + left -= i; } - ret.size = tot_size - left; + ret.size = tot_size - left; - ret.mmaped = 0; + ret.mmaped = 0; - close(fd1); + close (fd1); - return ret; + return ret; - error: +error: - if (!ret.mmaped) - gnutls_free(ret.data); - close(fd1); - return null; + if (!ret.mmaped) + gnutls_free (ret.data); + close (fd1); + return null; } /* Reads a certificate file */ -static int read_cert_file(gnutls_certificate_credentials_t res, - const char *certfile, gnutls_x509_crt_fmt_t type) +static int +read_cert_file (gnutls_certificate_credentials_t res, + const char *certfile, gnutls_x509_crt_fmt_t type) { - int ret; - strfile x; + int ret; + strfile x; - x = _gnutls_file_to_str(certfile); - if (x.data == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; + x = _gnutls_file_to_str (certfile); + if (x.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_FILE_ERROR; } - ret = read_cert_mem(res, x.data, x.size, type); - _gnutls_strfile_free(&x); + ret = read_cert_mem (res, x.data, x.size, type); + _gnutls_strfile_free (&x); - return ret; + return ret; } @@ -818,22 +883,24 @@ static int read_cert_file(gnutls_certificate_credentials_t res, /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl * stores it). */ -static int read_key_file(gnutls_certificate_credentials_t res, - const char *keyfile, gnutls_x509_crt_fmt_t type) +static int +read_key_file (gnutls_certificate_credentials_t res, + const char *keyfile, gnutls_x509_crt_fmt_t type) { - int ret; - strfile x; + int ret; + strfile x; - x = _gnutls_file_to_str(keyfile); - if (x.data == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; + x = _gnutls_file_to_str (keyfile); + if (x.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_FILE_ERROR; } - ret = read_key_mem(res, x.data, x.size, type); - _gnutls_strfile_free(&x); + ret = read_key_mem (res, x.data, x.size, type); + _gnutls_strfile_free (&x); - return ret; + return ret; } /** @@ -862,29 +929,31 @@ static int read_key_file(gnutls_certificate_credentials_t res, * then the strings that hold their values must be null terminated. * **/ -int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials_t - res, const gnutls_datum_t * cert, - const gnutls_datum_t * key, - gnutls_x509_crt_fmt_t type) +int +gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t + res, const gnutls_datum_t * cert, + const gnutls_datum_t * key, + gnutls_x509_crt_fmt_t type) { - int ret; + int ret; - /* this should be first - */ - if ((ret = read_key_mem(res, key->data, key->size, type)) < 0) - return ret; + /* this should be first + */ + if ((ret = read_key_mem (res, key->data, key->size, type)) < 0) + return ret; - if ((ret = read_cert_mem(res, cert->data, cert->size, type)) < 0) - return ret; + if ((ret = read_cert_mem (res, cert->data, cert->size, type)) < 0) + return ret; - res->ncerts++; + res->ncerts++; - if ((ret = _gnutls_check_key_cert_match(res)) < 0) { - gnutls_assert(); - return ret; + if ((ret = _gnutls_check_key_cert_match (res)) < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } /** @@ -900,69 +969,75 @@ int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials_t * server). * **/ -int gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res, - gnutls_x509_crt_t * cert_list, - int cert_list_size, - gnutls_x509_privkey_t key) +int +gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res, + gnutls_x509_crt_t * cert_list, + int cert_list_size, + gnutls_x509_privkey_t key) { - int ret, i; - - /* this should be first - */ - - res->pkey = - gnutls_realloc_fast(res->pkey, - (res->ncerts + 1) * sizeof(gnutls_privkey)); - if (res->pkey == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = _gnutls_x509_privkey_to_gkey(&res->pkey[res->ncerts], key); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - res->cert_list = gnutls_realloc_fast(res->cert_list, - (1 + - res->ncerts) * - sizeof(gnutls_cert *)); - if (res->cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - res->cert_list_length = gnutls_realloc_fast(res->cert_list_length, - (1 + - res->ncerts) * - sizeof(int)); - if (res->cert_list_length == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - res->cert_list[res->ncerts] = NULL; /* for realloc */ - res->cert_list_length[res->ncerts] = 0; - - - for (i = 0; i < cert_list_size; i++) { - ret = parse_crt_mem(&res->cert_list[res->ncerts], - &res->cert_list_length[res->ncerts], - cert_list[i]); - if (ret < 0) { - gnutls_assert(); - return ret; + int ret, i; + + /* this should be first + */ + + res->pkey = + gnutls_realloc_fast (res->pkey, + (res->ncerts + 1) * sizeof (gnutls_privkey)); + if (res->pkey == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = _gnutls_x509_privkey_to_gkey (&res->pkey[res->ncerts], key); + if (ret < 0) + { + gnutls_assert (); + return ret; + } + + res->cert_list = gnutls_realloc_fast (res->cert_list, + (1 + + res->ncerts) * + sizeof (gnutls_cert *)); + if (res->cert_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + res->cert_list_length = gnutls_realloc_fast (res->cert_list_length, + (1 + + res->ncerts) * sizeof (int)); + if (res->cert_list_length == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + res->cert_list[res->ncerts] = NULL; /* for realloc */ + res->cert_list_length[res->ncerts] = 0; + + + for (i = 0; i < cert_list_size; i++) + { + ret = parse_crt_mem (&res->cert_list[res->ncerts], + &res->cert_list_length[res->ncerts], cert_list[i]); + if (ret < 0) + { + gnutls_assert (); + return ret; } } - res->ncerts++; + res->ncerts++; - if ((ret = _gnutls_check_key_cert_match(res)) < 0) { - gnutls_assert(); - return ret; + if ((ret = _gnutls_check_key_cert_match (res)) < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } /** @@ -982,88 +1057,96 @@ int gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res, * this function. * **/ -int gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials_t - res, const char *CERTFILE, - const char *KEYFILE, - gnutls_x509_crt_fmt_t type) +int +gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t + res, const char *CERTFILE, + const char *KEYFILE, + gnutls_x509_crt_fmt_t type) { - int ret; + int ret; - /* this should be first - */ - if ((ret = read_key_file(res, KEYFILE, type)) < 0) - return ret; + /* this should be first + */ + if ((ret = read_key_file (res, KEYFILE, type)) < 0) + return ret; - if ((ret = read_cert_file(res, CERTFILE, type)) < 0) - return ret; + if ((ret = read_cert_file (res, CERTFILE, type)) < 0) + return ret; - res->ncerts++; + res->ncerts++; - if ((ret = _gnutls_check_key_cert_match(res)) < 0) { - gnutls_assert(); - return ret; + if ((ret = _gnutls_check_key_cert_match (res)) < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } -static int generate_rdn_seq(gnutls_certificate_credentials_t res) +static int +generate_rdn_seq (gnutls_certificate_credentials_t res) { - gnutls_datum_t tmp; - int ret; - uint size, i; - opaque *pdata; - - /* Generate the RDN sequence - * This will be sent to clients when a certificate - * request message is sent. - */ - - /* FIXME: in case of a client it is not needed - * to do that. This would save time and memory. - * However we don't have that information available - * here. - */ - - size = 0; - for (i = 0; i < res->x509_ncas; i++) { - if ((ret = - _gnutls_x509_crt_get_raw_issuer_dn(res->x509_ca_list[i], - &tmp)) < 0) { - gnutls_assert(); - return ret; + gnutls_datum_t tmp; + int ret; + uint size, i; + opaque *pdata; + + /* Generate the RDN sequence + * This will be sent to clients when a certificate + * request message is sent. + */ + + /* FIXME: in case of a client it is not needed + * to do that. This would save time and memory. + * However we don't have that information available + * here. + */ + + size = 0; + for (i = 0; i < res->x509_ncas; i++) + { + if ((ret = + _gnutls_x509_crt_get_raw_issuer_dn (res->x509_ca_list[i], + &tmp)) < 0) + { + gnutls_assert (); + return ret; } - size += (2 + tmp.size); - _gnutls_free_datum(&tmp); + size += (2 + tmp.size); + _gnutls_free_datum (&tmp); } - if (res->x509_rdn_sequence.data != NULL) - gnutls_free(res->x509_rdn_sequence.data); + if (res->x509_rdn_sequence.data != NULL) + gnutls_free (res->x509_rdn_sequence.data); - res->x509_rdn_sequence.data = gnutls_malloc(size); - if (res->x509_rdn_sequence.data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + res->x509_rdn_sequence.data = gnutls_malloc (size); + if (res->x509_rdn_sequence.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - res->x509_rdn_sequence.size = size; + res->x509_rdn_sequence.size = size; - pdata = res->x509_rdn_sequence.data; + pdata = res->x509_rdn_sequence.data; - for (i = 0; i < res->x509_ncas; i++) { - if ((ret = - _gnutls_x509_crt_get_raw_issuer_dn(res->x509_ca_list[i], - &tmp)) < 0) { - _gnutls_free_datum(&res->x509_rdn_sequence); - gnutls_assert(); - return ret; + for (i = 0; i < res->x509_ncas; i++) + { + if ((ret = + _gnutls_x509_crt_get_raw_issuer_dn (res->x509_ca_list[i], + &tmp)) < 0) + { + _gnutls_free_datum (&res->x509_rdn_sequence); + gnutls_assert (); + return ret; } - _gnutls_write_datum16(pdata, tmp); - pdata += (2 + tmp.size); - _gnutls_free_datum(&tmp); + _gnutls_write_datum16 (pdata, tmp); + pdata += (2 + tmp.size); + _gnutls_free_datum (&tmp); } - return 0; + return 0; } @@ -1072,183 +1155,201 @@ static int generate_rdn_seq(gnutls_certificate_credentials_t res) /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this * certificate (uses the KeyUsage field). */ -int _gnutls_check_key_usage(const gnutls_cert * cert, - gnutls_kx_algorithm_t alg) +int +_gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg) { - unsigned int key_usage = 0; - int encipher_type; - - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - if (_gnutls_map_kx_get_cred(alg, 1) == GNUTLS_CRD_CERTIFICATE || - _gnutls_map_kx_get_cred(alg, 0) == GNUTLS_CRD_CERTIFICATE) { - - key_usage = cert->key_usage; - - encipher_type = _gnutls_kx_encipher_type(alg); - - if (key_usage != 0 && encipher_type != CIPHER_IGN) { - /* If key_usage has been set in the certificate - */ - - if (encipher_type == CIPHER_ENCRYPT) { - /* If the key exchange method requires an encipher - * type algorithm, and key's usage does not permit - * encipherment, then fail. - */ - if (!(key_usage & KEY_KEY_ENCIPHERMENT)) { - gnutls_assert(); - return GNUTLS_E_KEY_USAGE_VIOLATION; + unsigned int key_usage = 0; + int encipher_type; + + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (_gnutls_map_kx_get_cred (alg, 1) == GNUTLS_CRD_CERTIFICATE || + _gnutls_map_kx_get_cred (alg, 0) == GNUTLS_CRD_CERTIFICATE) + { + + key_usage = cert->key_usage; + + encipher_type = _gnutls_kx_encipher_type (alg); + + if (key_usage != 0 && encipher_type != CIPHER_IGN) + { + /* If key_usage has been set in the certificate + */ + + if (encipher_type == CIPHER_ENCRYPT) + { + /* If the key exchange method requires an encipher + * type algorithm, and key's usage does not permit + * encipherment, then fail. + */ + if (!(key_usage & KEY_KEY_ENCIPHERMENT)) + { + gnutls_assert (); + return GNUTLS_E_KEY_USAGE_VIOLATION; } } - if (encipher_type == CIPHER_SIGN) { - /* The same as above, but for sign only keys - */ - if (!(key_usage & KEY_DIGITAL_SIGNATURE)) { - gnutls_assert(); - return GNUTLS_E_KEY_USAGE_VIOLATION; + if (encipher_type == CIPHER_SIGN) + { + /* The same as above, but for sign only keys + */ + if (!(key_usage & KEY_DIGITAL_SIGNATURE)) + { + gnutls_assert (); + return GNUTLS_E_KEY_USAGE_VIOLATION; } } } } - return 0; + return 0; } -static int parse_pem_ca_mem(gnutls_x509_crt_t ** cert_list, uint * ncerts, - const opaque * input_cert, int input_cert_size) +static int +parse_pem_ca_mem (gnutls_x509_crt_t ** cert_list, uint * ncerts, + const opaque * input_cert, int input_cert_size) { - int i, size; - const opaque *ptr; - gnutls_datum_t tmp; - int ret, count; - - /* move to the certificate - */ - ptr = memmem(input_cert, input_cert_size, - PEM_CERT_SEP, sizeof(PEM_CERT_SEP) - 1); - if (ptr == NULL) - ptr = memmem(input_cert, input_cert_size, - PEM_CERT_SEP2, sizeof(PEM_CERT_SEP2) - 1); - - if (ptr == NULL) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - size = input_cert_size - (ptr - input_cert); - - i = *ncerts + 1; - count = 0; - - do { - - *cert_list = - (gnutls_x509_crt_t *) gnutls_realloc_fast(*cert_list, - i * - sizeof - (gnutls_x509_crt_t)); - - if (*cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + int i, size; + const opaque *ptr; + gnutls_datum_t tmp; + int ret, count; + + /* move to the certificate + */ + ptr = memmem (input_cert, input_cert_size, + PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1); + if (ptr == NULL) + ptr = memmem (input_cert, input_cert_size, + PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1); + + if (ptr == NULL) + { + gnutls_assert (); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + size = input_cert_size - (ptr - input_cert); + + i = *ncerts + 1; + count = 0; + + do + { + + *cert_list = + (gnutls_x509_crt_t *) gnutls_realloc_fast (*cert_list, + i * + sizeof + (gnutls_x509_crt_t)); + + if (*cert_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - ret = gnutls_x509_crt_init(&cert_list[0][i - 1]); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = gnutls_x509_crt_init (&cert_list[0][i - 1]); + if (ret < 0) + { + gnutls_assert (); + return ret; } - tmp.data = (opaque *) ptr; - tmp.size = size; + tmp.data = (opaque *) ptr; + tmp.size = size; - ret = - gnutls_x509_crt_import(cert_list[0][i - 1], - &tmp, GNUTLS_X509_FMT_PEM); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + gnutls_x509_crt_import (cert_list[0][i - 1], + &tmp, GNUTLS_X509_FMT_PEM); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* now we move ptr after the pem header - */ - ptr++; - /* find the next certificate (if any) - */ + /* now we move ptr after the pem header + */ + ptr++; + /* find the next certificate (if any) + */ - size = input_cert_size - (ptr - input_cert); + size = input_cert_size - (ptr - input_cert); - if (size > 0) { - char *ptr3; + if (size > 0) + { + char *ptr3; - ptr3 = memmem(ptr, size, PEM_CERT_SEP, sizeof(PEM_CERT_SEP) - 1); - if (ptr3 == NULL) - ptr = memmem(ptr, size, - PEM_CERT_SEP2, sizeof(PEM_CERT_SEP2) - 1); + ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1); + if (ptr3 == NULL) + ptr = memmem (ptr, size, + PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1); - ptr = ptr3; - } else - ptr = NULL; + ptr = ptr3; + } + else + ptr = NULL; - i++; - count++; + i++; + count++; - } while (ptr != NULL); + } + while (ptr != NULL); - *ncerts = i - 1; + *ncerts = i - 1; - return count; + return count; } /* Reads a DER encoded certificate list from memory and stores it to * a gnutls_cert structure. This is only called if PKCS7 read fails. * returns the number of certificates parsed (1) */ -static int parse_der_ca_mem(gnutls_x509_crt_t ** cert_list, uint * ncerts, - const void *input_cert, int input_cert_size) +static int +parse_der_ca_mem (gnutls_x509_crt_t ** cert_list, uint * ncerts, + const void *input_cert, int input_cert_size) { - int i; - gnutls_datum_t tmp; - int ret; + int i; + gnutls_datum_t tmp; + int ret; - i = *ncerts + 1; + i = *ncerts + 1; - *cert_list = - (gnutls_x509_crt_t *) gnutls_realloc_fast(*cert_list, - i * - sizeof - (gnutls_x509_crt_t)); + *cert_list = + (gnutls_x509_crt_t *) gnutls_realloc_fast (*cert_list, + i * + sizeof (gnutls_x509_crt_t)); - if (*cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (*cert_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - tmp.data = (opaque *) input_cert; - tmp.size = input_cert_size; + tmp.data = (opaque *) input_cert; + tmp.size = input_cert_size; - ret = gnutls_x509_crt_init(&cert_list[0][i - 1]); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = gnutls_x509_crt_init (&cert_list[0][i - 1]); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = - gnutls_x509_crt_import(cert_list[0][i - 1], - &tmp, GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + gnutls_x509_crt_import (cert_list[0][i - 1], &tmp, GNUTLS_X509_FMT_DER); + if (ret < 0) + { + gnutls_assert (); + return ret; } - *ncerts = i; + *ncerts = i; - return 1; /* one certificate parsed */ + return 1; /* one certificate parsed */ } /** @@ -1271,23 +1372,24 @@ static int parse_der_ca_mem(gnutls_x509_crt_t ** cert_list, uint * ncerts, * value on error. * **/ -int gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials_t - res, const gnutls_datum_t * ca, - gnutls_x509_crt_fmt_t type) +int +gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t + res, const gnutls_datum_t * ca, + gnutls_x509_crt_fmt_t type) { - int ret, ret2; + int ret, ret2; - if (type == GNUTLS_X509_FMT_DER) - ret = parse_der_ca_mem(&res->x509_ca_list, &res->x509_ncas, - ca->data, ca->size); - else - ret = parse_pem_ca_mem(&res->x509_ca_list, &res->x509_ncas, - ca->data, ca->size); + if (type == GNUTLS_X509_FMT_DER) + ret = parse_der_ca_mem (&res->x509_ca_list, &res->x509_ncas, + ca->data, ca->size); + else + ret = parse_pem_ca_mem (&res->x509_ca_list, &res->x509_ncas, + ca->data, ca->size); - if ((ret2 = generate_rdn_seq(res)) < 0) - return ret2; + if ((ret2 = generate_rdn_seq (res)) < 0) + return ret2; - return ret; + return ret; } /** @@ -1309,42 +1411,47 @@ int gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials_t * Returns 0 on success. * **/ -int gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res, - gnutls_x509_crt_t * ca_list, - int ca_list_size) +int +gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res, + gnutls_x509_crt_t * ca_list, + int ca_list_size) { - int ret, i, ret2; - - res->x509_ca_list = gnutls_realloc_fast(res->x509_ca_list, - (ca_list_size + - res->x509_ncas) * - sizeof(gnutls_x509_crt_t)); - if (res->x509_ca_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - for (i = 0; i < ca_list_size; i++) { - ret = gnutls_x509_crt_init(&res->x509_ca_list[i + res->x509_ncas]); - if (ret < 0) { - gnutls_assert(); - return ret; + int ret, i, ret2; + + res->x509_ca_list = gnutls_realloc_fast (res->x509_ca_list, + (ca_list_size + + res->x509_ncas) * + sizeof (gnutls_x509_crt_t)); + if (res->x509_ca_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + for (i = 0; i < ca_list_size; i++) + { + ret = gnutls_x509_crt_init (&res->x509_ca_list[i + res->x509_ncas]); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = _gnutls_x509_crt_cpy(res->x509_ca_list[i + res->x509_ncas], - ca_list[i]); - if (ret < 0) { - gnutls_assert(); - gnutls_x509_crt_deinit(res->x509_ca_list[i + res->x509_ncas]); - return ret; + ret = _gnutls_x509_crt_cpy (res->x509_ca_list[i + res->x509_ncas], + ca_list[i]); + if (ret < 0) + { + gnutls_assert (); + gnutls_x509_crt_deinit (res->x509_ca_list[i + res->x509_ncas]); + return ret; } - res->x509_ncas++; + res->x509_ncas++; } - if ((ret2 = generate_rdn_seq(res)) < 0) - return ret2; + if ((ret2 = generate_rdn_seq (res)) < 0) + return ret2; - return 0; + return 0; } /** @@ -1367,194 +1474,208 @@ int gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res, * value on error. * **/ -int gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials_t - res, const char *cafile, - gnutls_x509_crt_fmt_t type) +int +gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t + res, const char *cafile, + gnutls_x509_crt_fmt_t type) { - int ret, ret2; - strfile x; + int ret, ret2; + strfile x; - x = _gnutls_file_to_str(cafile); - if (x.data == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; + x = _gnutls_file_to_str (cafile); + if (x.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_FILE_ERROR; } - if (type == GNUTLS_X509_FMT_DER) - ret = parse_der_ca_mem(&res->x509_ca_list, &res->x509_ncas, - x.data, x.size); - else - ret = parse_pem_ca_mem(&res->x509_ca_list, &res->x509_ncas, - x.data, x.size); + if (type == GNUTLS_X509_FMT_DER) + ret = parse_der_ca_mem (&res->x509_ca_list, &res->x509_ncas, + x.data, x.size); + else + ret = parse_pem_ca_mem (&res->x509_ca_list, &res->x509_ncas, + x.data, x.size); - _gnutls_strfile_free(&x); + _gnutls_strfile_free (&x); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - if ((ret2 = generate_rdn_seq(res)) < 0) - return ret2; + if ((ret2 = generate_rdn_seq (res)) < 0) + return ret2; - return ret; + return ret; } #ifdef ENABLE_PKI -static int parse_pem_crl_mem(gnutls_x509_crl_t ** crl_list, uint * ncrls, - const opaque * input_crl, int input_crl_size) +static int +parse_pem_crl_mem (gnutls_x509_crl_t ** crl_list, uint * ncrls, + const opaque * input_crl, int input_crl_size) { - int size, i; - const opaque *ptr; - gnutls_datum_t tmp; - int ret, count; - - /* move to the certificate - */ - ptr = memmem(input_crl, input_crl_size, - PEM_CRL_SEP, sizeof(PEM_CRL_SEP) - 1); - if (ptr == NULL) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - - size = input_crl_size - (ptr - input_crl); - - i = *ncrls + 1; - count = 0; - - do { - - *crl_list = - (gnutls_x509_crl_t *) gnutls_realloc_fast(*crl_list, - i * - sizeof - (gnutls_x509_crl_t)); - - if (*crl_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + int size, i; + const opaque *ptr; + gnutls_datum_t tmp; + int ret, count; + + /* move to the certificate + */ + ptr = memmem (input_crl, input_crl_size, + PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1); + if (ptr == NULL) + { + gnutls_assert (); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + + size = input_crl_size - (ptr - input_crl); + + i = *ncrls + 1; + count = 0; + + do + { + + *crl_list = + (gnutls_x509_crl_t *) gnutls_realloc_fast (*crl_list, + i * + sizeof + (gnutls_x509_crl_t)); + + if (*crl_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - ret = gnutls_x509_crl_init(&crl_list[0][i - 1]); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = gnutls_x509_crl_init (&crl_list[0][i - 1]); + if (ret < 0) + { + gnutls_assert (); + return ret; } - tmp.data = (char *) ptr; - tmp.size = size; + tmp.data = (char *) ptr; + tmp.size = size; - ret = - gnutls_x509_crl_import(crl_list[0][i - 1], - &tmp, GNUTLS_X509_FMT_PEM); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + gnutls_x509_crl_import (crl_list[0][i - 1], + &tmp, GNUTLS_X509_FMT_PEM); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* now we move ptr after the pem header - */ - ptr++; - /* find the next certificate (if any) - */ + /* now we move ptr after the pem header + */ + ptr++; + /* find the next certificate (if any) + */ - size = input_crl_size - (ptr - input_crl); + size = input_crl_size - (ptr - input_crl); - if (size > 0) - ptr = memmem(ptr, size, PEM_CRL_SEP, sizeof(PEM_CRL_SEP) - 1); - else - ptr = NULL; - i++; - count++; + if (size > 0) + ptr = memmem (ptr, size, PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1); + else + ptr = NULL; + i++; + count++; - } while (ptr != NULL); + } + while (ptr != NULL); - *ncrls = i - 1; + *ncrls = i - 1; - return count; + return count; } /* Reads a DER encoded certificate list from memory and stores it to * a gnutls_cert structure. This is only called if PKCS7 read fails. * returns the number of certificates parsed (1) */ -static int parse_der_crl_mem(gnutls_x509_crl_t ** crl_list, uint * ncrls, - const void *input_crl, int input_crl_size) +static int +parse_der_crl_mem (gnutls_x509_crl_t ** crl_list, uint * ncrls, + const void *input_crl, int input_crl_size) { - int i; - gnutls_datum_t tmp; - int ret; + int i; + gnutls_datum_t tmp; + int ret; - i = *ncrls + 1; + i = *ncrls + 1; - *crl_list = - (gnutls_x509_crl_t *) gnutls_realloc_fast(*crl_list, - i * - sizeof - (gnutls_x509_crl_t)); + *crl_list = + (gnutls_x509_crl_t *) gnutls_realloc_fast (*crl_list, + i * + sizeof (gnutls_x509_crl_t)); - if (*crl_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (*crl_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - tmp.data = (opaque *) input_crl; - tmp.size = input_crl_size; + tmp.data = (opaque *) input_crl; + tmp.size = input_crl_size; - ret = gnutls_x509_crl_init(&crl_list[0][i - 1]); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = gnutls_x509_crl_init (&crl_list[0][i - 1]); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = - gnutls_x509_crl_import(crl_list[0][i - 1], - &tmp, GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + gnutls_x509_crl_import (crl_list[0][i - 1], &tmp, GNUTLS_X509_FMT_DER); + if (ret < 0) + { + gnutls_assert (); + return ret; } - *ncrls = i; + *ncrls = i; - return 1; /* one certificate parsed */ + return 1; /* one certificate parsed */ } /* Reads a DER or PEM CRL from memory */ -static -int read_crl_mem(gnutls_certificate_credentials_t res, const void *crl, - int crl_size, gnutls_x509_crt_fmt_t type) +static int +read_crl_mem (gnutls_certificate_credentials_t res, const void *crl, + int crl_size, gnutls_x509_crt_fmt_t type) { - int ret; - - /* allocate space for the certificate to add - */ - res->x509_crl_list = gnutls_realloc_fast(res->x509_crl_list, - (1 + - res->x509_ncrls) * - sizeof(gnutls_x509_crl_t)); - if (res->x509_crl_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - if (type == GNUTLS_X509_FMT_DER) - ret = parse_der_crl_mem(&res->x509_crl_list, - &res->x509_ncrls, crl, crl_size); - else - ret = parse_pem_crl_mem(&res->x509_crl_list, - &res->x509_ncrls, crl, crl_size); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - - return ret; + int ret; + + /* allocate space for the certificate to add + */ + res->x509_crl_list = gnutls_realloc_fast (res->x509_crl_list, + (1 + + res->x509_ncrls) * + sizeof (gnutls_x509_crl_t)); + if (res->x509_crl_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + if (type == GNUTLS_X509_FMT_DER) + ret = parse_der_crl_mem (&res->x509_crl_list, + &res->x509_ncrls, crl, crl_size); + else + ret = parse_pem_crl_mem (&res->x509_crl_list, + &res->x509_ncrls, crl, crl_size); + + if (ret < 0) + { + gnutls_assert (); + return ret; + } + + return ret; } /** @@ -1572,16 +1693,17 @@ int read_crl_mem(gnutls_certificate_credentials_t res, const void *crl, * Returns the number of CRLs processed or a negative value on error. * **/ -int gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials_t - res, const gnutls_datum_t * CRL, - gnutls_x509_crt_fmt_t type) +int +gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t + res, const gnutls_datum_t * CRL, + gnutls_x509_crt_fmt_t type) { - int ret; - - if ((ret = read_crl_mem(res, CRL->data, CRL->size, type)) < 0) - return ret; + int ret; + if ((ret = read_crl_mem (res, CRL->data, CRL->size, type)) < 0) return ret; + + return ret; } /** @@ -1599,32 +1721,36 @@ int gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials_t * Returns 0 on success. * **/ -int gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res, - gnutls_x509_crl_t * crl_list, - int crl_list_size) +int +gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res, + gnutls_x509_crl_t * crl_list, + int crl_list_size) { - int ret, i; - - res->x509_crl_list = gnutls_realloc_fast(res->x509_crl_list, - (crl_list_size + - res->x509_ncrls) * - sizeof(gnutls_x509_crl_t)); - if (res->x509_crl_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - for (i = 0; i < crl_list_size; i++) { - ret = _gnutls_x509_crl_cpy(res->x509_crl_list[i + res->x509_ncrls], - crl_list[i]); - if (ret < 0) { - gnutls_assert(); - return ret; + int ret, i; + + res->x509_crl_list = gnutls_realloc_fast (res->x509_crl_list, + (crl_list_size + + res->x509_ncrls) * + sizeof (gnutls_x509_crl_t)); + if (res->x509_crl_list == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + for (i = 0; i < crl_list_size; i++) + { + ret = _gnutls_x509_crl_cpy (res->x509_crl_list[i + res->x509_ncrls], + crl_list[i]); + if (ret < 0) + { + gnutls_assert (); + return ret; } - res->x509_ncrls++; + res->x509_ncrls++; } - return 0; + return 0; } /** @@ -1642,34 +1768,37 @@ int gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res, * Returns the number of CRLs processed or a negative value on error. * **/ -int gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials_t - res, const char *crlfile, - gnutls_x509_crt_fmt_t type) +int +gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t + res, const char *crlfile, + gnutls_x509_crt_fmt_t type) { - int ret; - strfile x; + int ret; + strfile x; - x = _gnutls_file_to_str(crlfile); - if (x.data == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; + x = _gnutls_file_to_str (crlfile); + if (x.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_FILE_ERROR; } - if (type == GNUTLS_X509_FMT_DER) - ret = parse_der_crl_mem(&res->x509_crl_list, &res->x509_ncrls, - x.data, x.size); - else - ret = parse_pem_crl_mem(&res->x509_crl_list, &res->x509_ncrls, - x.data, x.size); + if (type == GNUTLS_X509_FMT_DER) + ret = parse_der_crl_mem (&res->x509_crl_list, &res->x509_ncrls, + x.data, x.size); + else + ret = parse_pem_crl_mem (&res->x509_crl_list, &res->x509_ncrls, + x.data, x.size); - _gnutls_strfile_free(&x); + _gnutls_strfile_free (&x); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - return ret; + return ret; } @@ -1681,18 +1810,20 @@ int gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials_t * with the given credentials. * **/ -void gnutls_certificate_free_crls(gnutls_certificate_credentials_t sc) +void +gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc) { - uint j; + uint j; - for (j = 0; j < sc->x509_ncrls; j++) { - gnutls_x509_crl_deinit(sc->x509_crl_list[j]); + for (j = 0; j < sc->x509_ncrls; j++) + { + gnutls_x509_crl_deinit (sc->x509_crl_list[j]); } - sc->x509_ncrls = 0; + sc->x509_ncrls = 0; - gnutls_free(sc->x509_crl_list); - sc->x509_crl_list = NULL; + gnutls_free (sc->x509_crl_list); + sc->x509_crl_list = NULL; } #endif diff --git a/lib/gnutls_x509.h b/lib/gnutls_x509.h index 82183a6440..2c2f62291d 100644 --- a/lib/gnutls_x509.h +++ b/lib/gnutls_x509.h @@ -24,8 +24,8 @@ #include <libtasn1.h> -int _gnutls_x509_cert_verify_peers(gnutls_session_t session, - unsigned int *status); +int _gnutls_x509_cert_verify_peers (gnutls_session_t session, + unsigned int *status); #define PEM_CERT_SEP2 "-----BEGIN X509 CERTIFICATE" #define PEM_CERT_SEP "-----BEGIN CERTIFICATE" @@ -36,16 +36,14 @@ int _gnutls_x509_cert_verify_peers(gnutls_session_t session, #define PEM_KEY_RSA_SEP "-----BEGIN RSA" #define PEM_KEY_DSA_SEP "-----BEGIN DSA" -int _gnutls_check_key_usage(const gnutls_cert * cert, - gnutls_kx_algorithm_t alg); +int _gnutls_check_key_usage (const gnutls_cert * cert, + gnutls_kx_algorithm_t alg); -int _gnutls_x509_read_rsa_params(opaque * der, int dersize, - mpi_t * params); -int _gnutls_x509_read_dsa_pubkey(opaque * der, int dersize, - mpi_t * params); +int _gnutls_x509_read_rsa_params (opaque * der, int dersize, mpi_t * params); +int _gnutls_x509_read_dsa_pubkey (opaque * der, int dersize, mpi_t * params); -int _gnutls_x509_raw_privkey_to_gkey(gnutls_privkey * privkey, - const gnutls_datum_t * raw_key, - gnutls_x509_crt_fmt_t type); -int _gnutls_x509_privkey_to_gkey(gnutls_privkey * privkey, - gnutls_x509_privkey_t); +int _gnutls_x509_raw_privkey_to_gkey (gnutls_privkey * privkey, + const gnutls_datum_t * raw_key, + gnutls_x509_crt_fmt_t type); +int _gnutls_x509_privkey_to_gkey (gnutls_privkey * privkey, + gnutls_x509_privkey_t); diff --git a/lib/io_debug.h b/lib/io_debug.h index f04df369c6..696d43b788 100644 --- a/lib/io_debug.h +++ b/lib/io_debug.h @@ -42,32 +42,36 @@ static int initialized_rand = 0; srand(time(0)); \ initialized_rand = 1; \ } -static int recv_debug(int fd, char *buf, int len, int flags) +static int +recv_debug (int fd, char *buf, int len, int flags) { - INITIALIZE_RAND; + INITIALIZE_RAND; - if (!(rand() % IO_DEBUG)) { - errno = EDUNNO; - return -1; + if (!(rand () % IO_DEBUG)) + { + errno = EDUNNO; + return -1; } - if (len > 1) - len = 1; - return recv(fd, buf, len, flags); + if (len > 1) + len = 1; + return recv (fd, buf, len, flags); } #define recv recv_debug -static int send_debug(int fd, const char *buf, int len, int flags) +static int +send_debug (int fd, const char *buf, int len, int flags) { - INITIALIZE_RAND; + INITIALIZE_RAND; - if (!(rand() % IO_DEBUG)) { - errno = EDUNNO; - return -1; + if (!(rand () % IO_DEBUG)) + { + errno = EDUNNO; + return -1; } - if (len > 10) - len = 10; - return send(fd, buf, len, flags); + if (len > 10) + len = 10; + return send (fd, buf, len, flags); } #define send send_debug diff --git a/lib/pkix_asn1_tab.c b/lib/pkix_asn1_tab.c index c43538a6b9..3c6b528ff5 100644 --- a/lib/pkix_asn1_tab.c +++ b/lib/pkix_asn1_tab.c @@ -1,1095 +1,1100 @@ #include "libtasn1.h" -const ASN1_ARRAY_TYPE pkix_asn1_tab[]={ - {"PKIX1",536875024,0}, - {0,1073741836,0}, - {"id-ce",1879048204,0}, - {"joint-iso-ccitt",1073741825,"2"}, - {"ds",1073741825,"5"}, - {0,1,"29"}, - {"id-ce-authorityKeyIdentifier",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"35"}, - {"AuthorityKeyIdentifier",1610612741,0}, - {"keyIdentifier",1610637314,"KeyIdentifier"}, - {0,4104,"0"}, - {"authorityCertIssuer",1610637314,"GeneralNames"}, - {0,4104,"1"}, - {"authorityCertSerialNumber",536895490,"CertificateSerialNumber"}, - {0,4104,"2"}, - {"KeyIdentifier",1073741831,0}, - {"id-ce-subjectKeyIdentifier",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"14"}, - {"SubjectKeyIdentifier",1073741826,"KeyIdentifier"}, - {"id-ce-keyUsage",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"15"}, - {"KeyUsage",1610874886,0}, - {"digitalSignature",1073741825,"0"}, - {"nonRepudiation",1073741825,"1"}, - {"keyEncipherment",1073741825,"2"}, - {"dataEncipherment",1073741825,"3"}, - {"keyAgreement",1073741825,"4"}, - {"keyCertSign",1073741825,"5"}, - {"cRLSign",1073741825,"6"}, - {"encipherOnly",1073741825,"7"}, - {"decipherOnly",1,"8"}, - {"id-ce-privateKeyUsagePeriod",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"16"}, - {"PrivateKeyUsagePeriod",1610612741,0}, - {"notBefore",1619025937,0}, - {0,4104,"0"}, - {"notAfter",545284113,0}, - {0,4104,"1"}, - {"id-ce-certificatePolicies",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"32"}, - {"CertificatePolicies",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"PolicyInformation"}, - {"PolicyInformation",1610612741,0}, - {"policyIdentifier",1073741826,"CertPolicyId"}, - {"policyQualifiers",538984459,0}, - {"MAX",1074266122,"1"}, - {0,2,"PolicyQualifierInfo"}, - {"CertPolicyId",1073741836,0}, - {"PolicyQualifierInfo",1610612741,0}, - {"policyQualifierId",1073741826,"PolicyQualifierId"}, - {"qualifier",541065229,0}, - {"policyQualifierId",1,0}, - {"PolicyQualifierId",1073741836,0}, - {"CPSuri",1073741826,"IA5String"}, - {"UserNotice",1610612741,0}, - {"noticeRef",1073758210,"NoticeReference"}, - {"explicitText",16386,"DisplayText"}, - {"NoticeReference",1610612741,0}, - {"organization",1073741826,"DisplayText"}, - {"noticeNumbers",536870923,0}, - {0,3,0}, - {"DisplayText",1610612754,0}, - {"visibleString",1612709890,"VisibleString"}, - {"200",524298,"1"}, - {"bmpString",1612709890,"BMPString"}, - {"200",524298,"1"}, - {"utf8String",538968066,"UTF8String"}, - {"200",524298,"1"}, - {"id-ce-policyMappings",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"33"}, - {"PolicyMappings",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,536870917,0}, - {"issuerDomainPolicy",1073741826,"CertPolicyId"}, - {"subjectDomainPolicy",2,"CertPolicyId"}, - {"DirectoryString",1610612754,0}, - {"teletexString",1612709890,"TeletexString"}, - {"MAX",524298,"1"}, - {"printableString",1612709890,"PrintableString"}, - {"MAX",524298,"1"}, - {"universalString",1612709890,"UniversalString"}, - {"MAX",524298,"1"}, - {"utf8String",1612709890,"UTF8String"}, - {"MAX",524298,"1"}, - {"bmpString",538968066,"BMPString"}, - {"MAX",524298,"1"}, - {"id-ce-subjectAltName",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"17"}, - {"SubjectAltName",1073741826,"GeneralNames"}, - {"GeneralNames",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"GeneralName"}, - {"GeneralName",1610612754,0}, - {"otherName",1610620930,"AnotherName"}, - {0,4104,"0"}, - {"rfc822Name",1610620930,"IA5String"}, - {0,4104,"1"}, - {"dNSName",1610620930,"IA5String"}, - {0,4104,"2"}, - {"x400Address",1610620930,"ORAddress"}, - {0,4104,"3"}, - {"directoryName",1610620930,"RDNSequence"}, - {0,2056,"4"}, - {"ediPartyName",1610620930,"EDIPartyName"}, - {0,4104,"5"}, - {"uniformResourceIdentifier",1610620930,"IA5String"}, - {0,4104,"6"}, - {"iPAddress",1610620935,0}, - {0,4104,"7"}, - {"registeredID",536879116,0}, - {0,4104,"8"}, - {"AnotherName",1610612741,0}, - {"type-id",1073741836,0}, - {"value",541073421,0}, - {0,1073743880,"0"}, - {"type-id",1,0}, - {"EDIPartyName",1610612741,0}, - {"nameAssigner",1610637314,"DirectoryString"}, - {0,4104,"0"}, - {"partyName",536879106,"DirectoryString"}, - {0,4104,"1"}, - {"id-ce-issuerAltName",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"18"}, - {"IssuerAltName",1073741826,"GeneralNames"}, - {"id-ce-subjectDirectoryAttributes",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"9"}, - {"SubjectDirectoryAttributes",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"Attribute"}, - {"id-ce-basicConstraints",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"19"}, - {"BasicConstraints",1610612741,0}, - {"cA",1610645508,0}, - {0,131081,0}, - {"pathLenConstraint",537411587,0}, - {"0",10,"MAX"}, - {"id-ce-nameConstraints",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"30"}, - {"NameConstraints",1610612741,0}, - {"permittedSubtrees",1610637314,"GeneralSubtrees"}, - {0,4104,"0"}, - {"excludedSubtrees",536895490,"GeneralSubtrees"}, - {0,4104,"1"}, - {"GeneralSubtrees",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"GeneralSubtree"}, - {"GeneralSubtree",1610612741,0}, - {"base",1073741826,"GeneralName"}, - {"minimum",1610653698,"BaseDistance"}, - {0,1073741833,"0"}, - {0,4104,"0"}, - {"maximum",536895490,"BaseDistance"}, - {0,4104,"1"}, - {"BaseDistance",1611137027,0}, - {"0",10,"MAX"}, - {"id-ce-policyConstraints",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"36"}, - {"PolicyConstraints",1610612741,0}, - {"requireExplicitPolicy",1610637314,"SkipCerts"}, - {0,4104,"0"}, - {"inhibitPolicyMapping",536895490,"SkipCerts"}, - {0,4104,"1"}, - {"SkipCerts",1611137027,0}, - {"0",10,"MAX"}, - {"id-ce-cRLDistributionPoints",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"31"}, - {"CRLDistributionPoints",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"DistributionPoint"}, - {"DistributionPoint",1610612741,0}, - {"distributionPoint",1610637314,"DistributionPointName"}, - {0,2056,"0"}, - {"reasons",1610637314,"ReasonFlags"}, - {0,4104,"1"}, - {"cRLIssuer",536895490,"GeneralNames"}, - {0,4104,"2"}, - {"DistributionPointName",1610612754,0}, - {"fullName",1610620930,"GeneralNames"}, - {0,4104,"0"}, - {"nameRelativeToCRLIssuer",536879106,"RelativeDistinguishedName"}, - {0,4104,"1"}, - {"ReasonFlags",1610874886,0}, - {"unused",1073741825,"0"}, - {"keyCompromise",1073741825,"1"}, - {"cACompromise",1073741825,"2"}, - {"affiliationChanged",1073741825,"3"}, - {"superseded",1073741825,"4"}, - {"cessationOfOperation",1073741825,"5"}, - {"certificateHold",1073741825,"6"}, - {"privilegeWithdrawn",1073741825,"7"}, - {"aACompromise",1,"8"}, - {"id-ce-extKeyUsage",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"37"}, - {"ExtKeyUsageSyntax",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"KeyPurposeId"}, - {"KeyPurposeId",1073741836,0}, - {"id-kp-serverAuth",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"1"}, - {"id-kp-clientAuth",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"2"}, - {"id-kp-codeSigning",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"3"}, - {"id-kp-emailProtection",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"4"}, - {"id-kp-ipsecEndSystem",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"5"}, - {"id-kp-ipsecTunnel",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"6"}, - {"id-kp-ipsecUser",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"7"}, - {"id-kp-timeStamping",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"8"}, - {"id-pe-authorityInfoAccess",1879048204,0}, - {0,1073741825,"id-pe"}, - {0,1,"1"}, - {"AuthorityInfoAccessSyntax",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"AccessDescription"}, - {"AccessDescription",1610612741,0}, - {"accessMethod",1073741836,0}, - {"accessLocation",2,"GeneralName"}, - {"id-ce-cRLNumber",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"20"}, - {"CRLNumber",1611137027,0}, - {"0",10,"MAX"}, - {"id-ce-issuingDistributionPoint",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"28"}, - {"IssuingDistributionPoint",1610612741,0}, - {"distributionPoint",1610637314,"DistributionPointName"}, - {0,4104,"0"}, - {"onlyContainsUserCerts",1610653700,0}, - {0,1073872905,0}, - {0,4104,"1"}, - {"onlyContainsCACerts",1610653700,0}, - {0,1073872905,0}, - {0,4104,"2"}, - {"onlySomeReasons",1610637314,"ReasonFlags"}, - {0,4104,"3"}, - {"indirectCRL",536911876,0}, - {0,1073872905,0}, - {0,4104,"4"}, - {"id-ce-deltaCRLIndicator",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"27"}, - {"BaseCRLNumber",1073741826,"CRLNumber"}, - {"id-ce-cRLReasons",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"21"}, - {"CRLReason",1610874901,0}, - {"unspecified",1073741825,"0"}, - {"keyCompromise",1073741825,"1"}, - {"cACompromise",1073741825,"2"}, - {"affiliationChanged",1073741825,"3"}, - {"superseded",1073741825,"4"}, - {"cessationOfOperation",1073741825,"5"}, - {"certificateHold",1073741825,"6"}, - {"removeFromCRL",1,"8"}, - {"id-ce-certificateIssuer",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"29"}, - {"CertificateIssuer",1073741826,"GeneralNames"}, - {"id-ce-holdInstructionCode",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"23"}, - {"HoldInstructionCode",1073741836,0}, - {"holdInstruction",1879048204,0}, - {"joint-iso-itu-t",1073741825,"2"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"x9cm",1073741825,"10040"}, - {0,1,"2"}, - {"id-holdinstruction-none",1879048204,0}, - {0,1073741825,"holdInstruction"}, - {0,1,"1"}, - {"id-holdinstruction-callissuer",1879048204,0}, - {0,1073741825,"holdInstruction"}, - {0,1,"2"}, - {"id-holdinstruction-reject",1879048204,0}, - {0,1073741825,"holdInstruction"}, - {0,1,"3"}, - {"id-ce-invalidityDate",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"24"}, - {"InvalidityDate",1082130449,0}, - {"VisibleString",1610620935,0}, - {0,4360,"26"}, - {"NumericString",1610620935,0}, - {0,4360,"18"}, - {"IA5String",1610620935,0}, - {0,4360,"22"}, - {"TeletexString",1610620935,0}, - {0,4360,"20"}, - {"PrintableString",1610620935,0}, - {0,4360,"19"}, - {"UniversalString",1610620935,0}, - {0,4360,"28"}, - {"BMPString",1610620935,0}, - {0,4360,"30"}, - {"UTF8String",1610620935,0}, - {0,4360,"12"}, - {"id-pkix",1879048204,0}, - {"iso",1073741825,"1"}, - {"identified-organization",1073741825,"3"}, - {"dod",1073741825,"6"}, - {"internet",1073741825,"1"}, - {"security",1073741825,"5"}, - {"mechanisms",1073741825,"5"}, - {"pkix",1,"7"}, - {"id-pe",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"1"}, - {"id-qt",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"2"}, - {"id-kp",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"3"}, - {"id-ad",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"48"}, - {"id-qt-cps",1879048204,0}, - {0,1073741825,"id-qt"}, - {0,1,"1"}, - {"id-qt-unotice",1879048204,0}, - {0,1073741825,"id-qt"}, - {0,1,"2"}, - {"id-ad-ocsp",1879048204,0}, - {0,1073741825,"id-ad"}, - {0,1,"1"}, - {"id-ad-caIssuers",1879048204,0}, - {0,1073741825,"id-ad"}, - {0,1,"2"}, - {"Attribute",1610612741,0}, - {"type",1073741826,"AttributeType"}, - {"values",536870927,0}, - {0,2,"AttributeValue"}, - {"AttributeType",1073741836,0}, - {"AttributeValue",1614807053,0}, - {"type",1,0}, - {"AttributeTypeAndValue",1610612741,0}, - {"type",1073741826,"AttributeType"}, - {"value",2,"AttributeValue"}, - {"id-at",1879048204,0}, - {"joint-iso-ccitt",1073741825,"2"}, - {"ds",1073741825,"5"}, - {0,1,"4"}, - {"id-at-initials",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"43"}, - {"X520initials",1073741826,"DirectoryString"}, - {"id-at-generationQualifier",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"44"}, - {"X520generationQualifier",1073741826,"DirectoryString"}, - {"id-at-surname",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"4"}, - {"X520surName",1073741826,"DirectoryString"}, - {"id-at-givenName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"42"}, - {"X520givenName",1073741826,"DirectoryString"}, - {"id-at-name",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"41"}, - {"X520name",1073741826,"DirectoryString"}, - {"id-at-commonName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"3"}, - {"X520CommonName",1073741826,"DirectoryString"}, - {"id-at-localityName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"7"}, - {"X520LocalityName",1073741826,"DirectoryString"}, - {"id-at-stateOrProvinceName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"8"}, - {"X520StateOrProvinceName",1073741826,"DirectoryString"}, - {"id-at-organizationName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"10"}, - {"X520OrganizationName",1073741826,"DirectoryString"}, - {"id-at-organizationalUnitName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"11"}, - {"X520OrganizationalUnitName",1073741826,"DirectoryString"}, - {"id-at-title",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"12"}, - {"X520Title",1073741826,"DirectoryString"}, - {"id-at-description",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"13"}, - {"X520Description",1073741826,"DirectoryString"}, - {"id-at-dnQualifier",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"46"}, - {"X520dnQualifier",1073741826,"PrintableString"}, - {"id-at-countryName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"6"}, - {"X520countryName",1612709890,"PrintableString"}, - {0,1048586,"2"}, - {"id-at-serialNumber",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"5"}, - {"X520serialNumber",1073741826,"PrintableString"}, - {"id-at-telephoneNumber",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"20"}, - {"X520telephoneNumber",1073741826,"PrintableString"}, - {"id-at-facsimileTelephoneNumber",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"23"}, - {"X520facsimileTelephoneNumber",1073741826,"PrintableString"}, - {"id-at-pseudonym",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"65"}, - {"X520pseudonym",1073741826,"DirectoryString"}, - {"id-at-name",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"41"}, - {"X520name",1073741826,"DirectoryString"}, - {"id-at-streetAddress",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"9"}, - {"X520streetAddress",1073741826,"DirectoryString"}, - {"id-at-postalAddress",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"16"}, - {"X520postalAddress",1073741826,"PostalAddress"}, - {"PostalAddress",1610612747,0}, - {0,2,"DirectoryString"}, - {"pkcs",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"rsadsi",1073741825,"113549"}, - {"pkcs",1,"1"}, - {"pkcs-9",1879048204,0}, - {0,1073741825,"pkcs"}, - {0,1,"9"}, - {"emailAddress",1880096780,"AttributeType"}, - {0,1073741825,"pkcs-9"}, - {0,1,"1"}, - {"Pkcs9email",1612709890,"IA5String"}, - {"ub-emailaddress-length",524298,"1"}, - {"Name",1610612754,0}, - {"rdnSequence",2,"RDNSequence"}, - {"RDNSequence",1610612747,0}, - {0,2,"RelativeDistinguishedName"}, - {"DistinguishedName",1073741826,"RDNSequence"}, - {"RelativeDistinguishedName",1612709903,0}, - {"MAX",1074266122,"1"}, - {0,2,"AttributeTypeAndValue"}, - {"Certificate",1610612741,0}, - {"tbsCertificate",1073741826,"TBSCertificate"}, - {"signatureAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"signature",6,0}, - {"TBSCertificate",1610612741,0}, - {"version",1610653698,"Version"}, - {0,1073741833,"v1"}, - {0,2056,"0"}, - {"serialNumber",1073741826,"CertificateSerialNumber"}, - {"signature",1073741826,"AlgorithmIdentifier"}, - {"issuer",1073741826,"Name"}, - {"validity",1073741826,"Validity"}, - {"subject",1073741826,"Name"}, - {"subjectPublicKeyInfo",1073741826,"SubjectPublicKeyInfo"}, - {"issuerUniqueID",1610637314,"UniqueIdentifier"}, - {0,4104,"1"}, - {"subjectUniqueID",1610637314,"UniqueIdentifier"}, - {0,4104,"2"}, - {"extensions",536895490,"Extensions"}, - {0,2056,"3"}, - {"Version",1610874883,0}, - {"v1",1073741825,"0"}, - {"v2",1073741825,"1"}, - {"v3",1,"2"}, - {"CertificateSerialNumber",1073741827,0}, - {"Validity",1610612741,0}, - {"notBefore",1073741826,"Time"}, - {"notAfter",2,"Time"}, - {"Time",1610612754,0}, - {"utcTime",1090519057,0}, - {"generalTime",8388625,0}, - {"UniqueIdentifier",1073741830,0}, - {"SubjectPublicKeyInfo",1610612741,0}, - {"algorithm",1073741826,"AlgorithmIdentifier"}, - {"subjectPublicKey",6,0}, - {"Extensions",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"Extension"}, - {"Extension",1610612741,0}, - {"extnID",1073741836,0}, - {"critical",1610645508,0}, - {0,131081,0}, - {"extnValue",7,0}, - {"CertificateList",1610612741,0}, - {"tbsCertList",1073741826,"TBSCertList"}, - {"signatureAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"signature",6,0}, - {"TBSCertList",1610612741,0}, - {"version",1073758210,"Version"}, - {"signature",1073741826,"AlgorithmIdentifier"}, - {"issuer",1073741826,"Name"}, - {"thisUpdate",1073741826,"Time"}, - {"nextUpdate",1073758210,"Time"}, - {"revokedCertificates",1610629131,0}, - {0,536870917,0}, - {"userCertificate",1073741826,"CertificateSerialNumber"}, - {"revocationDate",1073741826,"Time"}, - {"crlEntryExtensions",16386,"Extensions"}, - {"crlExtensions",536895490,"Extensions"}, - {0,2056,"0"}, - {"AlgorithmIdentifier",1610612741,0}, - {"algorithm",1073741836,0}, - {"parameters",541081613,0}, - {"algorithm",1,0}, - {"pkcs-1",1879048204,0}, - {0,1073741825,"pkcs"}, - {0,1,"1"}, - {"rsaEncryption",1879048204,0}, - {0,1073741825,"pkcs-1"}, - {0,1,"1"}, - {"md2WithRSAEncryption",1879048204,0}, - {0,1073741825,"pkcs-1"}, - {0,1,"2"}, - {"md5WithRSAEncryption",1879048204,0}, - {0,1073741825,"pkcs-1"}, - {0,1,"4"}, - {"sha1WithRSAEncryption",1879048204,0}, - {0,1073741825,"pkcs-1"}, - {0,1,"5"}, - {"id-dsa-with-sha1",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"x9-57",1073741825,"10040"}, - {"x9algorithm",1073741825,"4"}, - {0,1,"3"}, - {"Dss-Sig-Value",1610612741,0}, - {"r",1073741827,0}, - {"s",3,0}, - {"dhpublicnumber",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"ansi-x942",1073741825,"10046"}, - {"number-type",1073741825,"2"}, - {0,1,"1"}, - {"DomainParameters",1610612741,0}, - {"p",1073741827,0}, - {"g",1073741827,0}, - {"q",1073741827,0}, - {"j",1073758211,0}, - {"validationParms",16386,"ValidationParms"}, - {"ValidationParms",1610612741,0}, - {"seed",1073741830,0}, - {"pgenCounter",3,0}, - {"id-dsa",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"x9-57",1073741825,"10040"}, - {"x9algorithm",1073741825,"4"}, - {0,1,"1"}, - {"Dss-Parms",1610612741,0}, - {"p",1073741827,0}, - {"q",1073741827,0}, - {"g",3,0}, - {"ORAddress",1610612741,0}, - {"built-in-standard-attributes",1073741826,"BuiltInStandardAttributes"}, - {"built-in-domain-defined-attributes",1073758210,"BuiltInDomainDefinedAttributes"}, - {"extension-attributes",16386,"ExtensionAttributes"}, - {"BuiltInStandardAttributes",1610612741,0}, - {"country-name",1073758210,"CountryName"}, - {"administration-domain-name",1073758210,"AdministrationDomainName"}, - {"network-address",1610637314,"NetworkAddress"}, - {0,2056,"0"}, - {"terminal-identifier",1610637314,"TerminalIdentifier"}, - {0,2056,"1"}, - {"private-domain-name",1610637314,"PrivateDomainName"}, - {0,2056,"2"}, - {"organization-name",1610637314,"OrganizationName"}, - {0,2056,"3"}, - {"numeric-user-identifier",1610637314,"NumericUserIdentifier"}, - {0,2056,"4"}, - {"personal-name",1610637314,"PersonalName"}, - {0,2056,"5"}, - {"organizational-unit-names",536895490,"OrganizationalUnitNames"}, - {0,2056,"6"}, - {"CountryName",1610620946,0}, - {0,1073746952,"1"}, - {"x121-dcc-code",1612709890,"NumericString"}, - {0,1048586,"ub-country-name-numeric-length"}, - {"iso-3166-alpha2-code",538968066,"PrintableString"}, - {0,1048586,"ub-country-name-alpha-length"}, - {"AdministrationDomainName",1610620946,0}, - {0,1073744904,"2"}, - {"numeric",1612709890,"NumericString"}, - {"ub-domain-name-length",524298,"0"}, - {"printable",538968066,"PrintableString"}, - {"ub-domain-name-length",524298,"0"}, - {"NetworkAddress",1073741826,"X121Address"}, - {"X121Address",1612709890,"NumericString"}, - {"ub-x121-address-length",524298,"1"}, - {"TerminalIdentifier",1612709890,"PrintableString"}, - {"ub-terminal-id-length",524298,"1"}, - {"PrivateDomainName",1610612754,0}, - {"numeric",1612709890,"NumericString"}, - {"ub-domain-name-length",524298,"1"}, - {"printable",538968066,"PrintableString"}, - {"ub-domain-name-length",524298,"1"}, - {"OrganizationName",1612709890,"PrintableString"}, - {"ub-organization-name-length",524298,"1"}, - {"NumericUserIdentifier",1612709890,"NumericString"}, - {"ub-numeric-user-id-length",524298,"1"}, - {"PersonalName",1610612750,0}, - {"surname",1814044674,"PrintableString"}, - {0,1073745928,"0"}, - {"ub-surname-length",524298,"1"}, - {"given-name",1814061058,"PrintableString"}, - {0,1073745928,"1"}, - {"ub-given-name-length",524298,"1"}, - {"initials",1814061058,"PrintableString"}, - {0,1073745928,"2"}, - {"ub-initials-length",524298,"1"}, - {"generation-qualifier",740319234,"PrintableString"}, - {0,1073745928,"3"}, - {"ub-generation-qualifier-length",524298,"1"}, - {"OrganizationalUnitNames",1612709899,0}, - {"ub-organizational-units",1074266122,"1"}, - {0,2,"OrganizationalUnitName"}, - {"OrganizationalUnitName",1612709890,"PrintableString"}, - {"ub-organizational-unit-name-length",524298,"1"}, - {"BuiltInDomainDefinedAttributes",1612709899,0}, - {"ub-domain-defined-attributes",1074266122,"1"}, - {0,2,"BuiltInDomainDefinedAttribute"}, - {"BuiltInDomainDefinedAttribute",1610612741,0}, - {"type",1612709890,"PrintableString"}, - {"ub-domain-defined-attribute-type-length",524298,"1"}, - {"value",538968066,"PrintableString"}, - {"ub-domain-defined-attribute-value-length",524298,"1"}, - {"ExtensionAttributes",1612709903,0}, - {"ub-extension-attributes",1074266122,"1"}, - {0,2,"ExtensionAttribute"}, - {"ExtensionAttribute",1610612741,0}, - {"extension-attribute-type",1611145219,0}, - {0,1073743880,"0"}, - {"0",10,"ub-extension-attributes"}, - {"extension-attribute-value",541073421,0}, - {0,1073743880,"1"}, - {"extension-attribute-type",1,0}, - {"common-name",1342177283,"1"}, - {"CommonName",1612709890,"PrintableString"}, - {"ub-common-name-length",524298,"1"}, - {"teletex-common-name",1342177283,"2"}, - {"TeletexCommonName",1612709890,"TeletexString"}, - {"ub-common-name-length",524298,"1"}, - {"teletex-organization-name",1342177283,"3"}, - {"TeletexOrganizationName",1612709890,"TeletexString"}, - {"ub-organization-name-length",524298,"1"}, - {"teletex-personal-name",1342177283,"4"}, - {"TeletexPersonalName",1610612750,0}, - {"surname",1814044674,"TeletexString"}, - {0,1073743880,"0"}, - {"ub-surname-length",524298,"1"}, - {"given-name",1814061058,"TeletexString"}, - {0,1073743880,"1"}, - {"ub-given-name-length",524298,"1"}, - {"initials",1814061058,"TeletexString"}, - {0,1073743880,"2"}, - {"ub-initials-length",524298,"1"}, - {"generation-qualifier",740319234,"TeletexString"}, - {0,1073743880,"3"}, - {"ub-generation-qualifier-length",524298,"1"}, - {"teletex-organizational-unit-names",1342177283,"5"}, - {"TeletexOrganizationalUnitNames",1612709899,0}, - {"ub-organizational-units",1074266122,"1"}, - {0,2,"TeletexOrganizationalUnitName"}, - {"TeletexOrganizationalUnitName",1612709890,"TeletexString"}, - {"ub-organizational-unit-name-length",524298,"1"}, - {"pds-name",1342177283,"7"}, - {"PDSName",1612709890,"PrintableString"}, - {"ub-pds-name-length",524298,"1"}, - {"physical-delivery-country-name",1342177283,"8"}, - {"PhysicalDeliveryCountryName",1610612754,0}, - {"x121-dcc-code",1612709890,"NumericString"}, - {0,1048586,"ub-country-name-numeric-length"}, - {"iso-3166-alpha2-code",538968066,"PrintableString"}, - {0,1048586,"ub-country-name-alpha-length"}, - {"postal-code",1342177283,"9"}, - {"PostalCode",1610612754,0}, - {"numeric-code",1612709890,"NumericString"}, - {"ub-postal-code-length",524298,"1"}, - {"printable-code",538968066,"PrintableString"}, - {"ub-postal-code-length",524298,"1"}, - {"physical-delivery-office-name",1342177283,"10"}, - {"PhysicalDeliveryOfficeName",1073741826,"PDSParameter"}, - {"physical-delivery-office-number",1342177283,"11"}, - {"PhysicalDeliveryOfficeNumber",1073741826,"PDSParameter"}, - {"extension-OR-address-components",1342177283,"12"}, - {"ExtensionORAddressComponents",1073741826,"PDSParameter"}, - {"physical-delivery-personal-name",1342177283,"13"}, - {"PhysicalDeliveryPersonalName",1073741826,"PDSParameter"}, - {"physical-delivery-organization-name",1342177283,"14"}, - {"PhysicalDeliveryOrganizationName",1073741826,"PDSParameter"}, - {"extension-physical-delivery-address-components",1342177283,"15"}, - {"ExtensionPhysicalDeliveryAddressComponents",1073741826,"PDSParameter"}, - {"unformatted-postal-address",1342177283,"16"}, - {"UnformattedPostalAddress",1610612750,0}, - {"printable-address",1814052875,0}, - {"ub-pds-physical-address-lines",1074266122,"1"}, - {0,538968066,"PrintableString"}, - {"ub-pds-parameter-length",524298,"1"}, - {"teletex-string",740311042,"TeletexString"}, - {"ub-unformatted-address-length",524298,"1"}, - {"street-address",1342177283,"17"}, - {"StreetAddress",1073741826,"PDSParameter"}, - {"post-office-box-address",1342177283,"18"}, - {"PostOfficeBoxAddress",1073741826,"PDSParameter"}, - {"poste-restante-address",1342177283,"19"}, - {"PosteRestanteAddress",1073741826,"PDSParameter"}, - {"unique-postal-name",1342177283,"20"}, - {"UniquePostalName",1073741826,"PDSParameter"}, - {"local-postal-attributes",1342177283,"21"}, - {"LocalPostalAttributes",1073741826,"PDSParameter"}, - {"PDSParameter",1610612750,0}, - {"printable-string",1814052866,"PrintableString"}, - {"ub-pds-parameter-length",524298,"1"}, - {"teletex-string",740311042,"TeletexString"}, - {"ub-pds-parameter-length",524298,"1"}, - {"extended-network-address",1342177283,"22"}, - {"ExtendedNetworkAddress",1610612754,0}, - {"e163-4-address",1610612741,0}, - {"number",1612718082,"NumericString"}, - {0,1073743880,"0"}, - {"ub-e163-4-number-length",524298,"1"}, - {"sub-address",538992642,"NumericString"}, - {0,1073743880,"1"}, - {"ub-e163-4-sub-address-length",524298,"1"}, - {"psap-address",536879106,"PresentationAddress"}, - {0,2056,"0"}, - {"PresentationAddress",1610612741,0}, - {"pSelector",1610637319,0}, - {0,2056,"0"}, - {"sSelector",1610637319,0}, - {0,2056,"1"}, - {"tSelector",1610637319,0}, - {0,2056,"2"}, - {"nAddresses",538976271,0}, - {0,1073743880,"3"}, - {"MAX",1074266122,"1"}, - {0,7,0}, - {"terminal-type",1342177283,"23"}, - {"TerminalType",1610874883,0}, - {"telex",1073741825,"3"}, - {"teletex",1073741825,"4"}, - {"g3-facsimile",1073741825,"5"}, - {"g4-facsimile",1073741825,"6"}, - {"ia5-terminal",1073741825,"7"}, - {"videotex",1,"8"}, - {"teletex-domain-defined-attributes",1342177283,"6"}, - {"TeletexDomainDefinedAttributes",1612709899,0}, - {"ub-domain-defined-attributes",1074266122,"1"}, - {0,2,"TeletexDomainDefinedAttribute"}, - {"TeletexDomainDefinedAttribute",1610612741,0}, - {"type",1612709890,"TeletexString"}, - {"ub-domain-defined-attribute-type-length",524298,"1"}, - {"value",538968066,"TeletexString"}, - {"ub-domain-defined-attribute-value-length",524298,"1"}, - {"ub-name",1342177283,"32768"}, - {"ub-common-name",1342177283,"64"}, - {"ub-locality-name",1342177283,"128"}, - {"ub-state-name",1342177283,"128"}, - {"ub-organization-name",1342177283,"64"}, - {"ub-organizational-unit-name",1342177283,"64"}, - {"ub-title",1342177283,"64"}, - {"ub-match",1342177283,"128"}, - {"ub-emailaddress-length",1342177283,"128"}, - {"ub-common-name-length",1342177283,"64"}, - {"ub-country-name-alpha-length",1342177283,"2"}, - {"ub-country-name-numeric-length",1342177283,"3"}, - {"ub-domain-defined-attributes",1342177283,"4"}, - {"ub-domain-defined-attribute-type-length",1342177283,"8"}, - {"ub-domain-defined-attribute-value-length",1342177283,"128"}, - {"ub-domain-name-length",1342177283,"16"}, - {"ub-extension-attributes",1342177283,"256"}, - {"ub-e163-4-number-length",1342177283,"15"}, - {"ub-e163-4-sub-address-length",1342177283,"40"}, - {"ub-generation-qualifier-length",1342177283,"3"}, - {"ub-given-name-length",1342177283,"16"}, - {"ub-initials-length",1342177283,"5"}, - {"ub-integer-options",1342177283,"256"}, - {"ub-numeric-user-id-length",1342177283,"32"}, - {"ub-organization-name-length",1342177283,"64"}, - {"ub-organizational-unit-name-length",1342177283,"32"}, - {"ub-organizational-units",1342177283,"4"}, - {"ub-pds-name-length",1342177283,"16"}, - {"ub-pds-parameter-length",1342177283,"30"}, - {"ub-pds-physical-address-lines",1342177283,"6"}, - {"ub-postal-code-length",1342177283,"16"}, - {"ub-surname-length",1342177283,"40"}, - {"ub-terminal-id-length",1342177283,"24"}, - {"ub-unformatted-address-length",1342177283,"180"}, - {"ub-x121-address-length",1342177283,"16"}, - {"pkcs-7-ContentInfo",1610612741,0}, - {"contentType",1073741826,"pkcs-7-ContentType"}, - {"content",541073421,0}, - {0,1073743880,"0"}, - {"contentType",1,0}, - {"pkcs-7-DigestInfo",1610612741,0}, - {"digestAlgorithm",1073741826,"pkcs-7-DigestAlgorithmIdentifier"}, - {"digest",2,"pkcs-7-Digest"}, - {"pkcs-7-Digest",1073741831,0}, - {"pkcs-7-ContentType",1073741836,0}, - {"pkcs-7-SignedData",1610612741,0}, - {"version",1073741826,"pkcs-7-CMSVersion"}, - {"digestAlgorithms",1073741826,"pkcs-7-DigestAlgorithmIdentifiers"}, - {"encapContentInfo",1073741826,"pkcs-7-EncapsulatedContentInfo"}, - {"certificates",1610637314,"pkcs-7-CertificateSet"}, - {0,4104,"0"}, - {"crls",1610637314,"pkcs-7-CertificateRevocationLists"}, - {0,4104,"1"}, - {"signerInfos",2,"pkcs-7-SignerInfos"}, - {"pkcs-7-CMSVersion",1610874883,0}, - {"v0",1073741825,"0"}, - {"v1",1073741825,"1"}, - {"v2",1073741825,"2"}, - {"v3",1073741825,"3"}, - {"v4",1,"4"}, - {"pkcs-7-DigestAlgorithmIdentifiers",1610612751,0}, - {0,2,"pkcs-7-DigestAlgorithmIdentifier"}, - {"pkcs-7-DigestAlgorithmIdentifier",1073741826,"AlgorithmIdentifier"}, - {"pkcs-7-EncapsulatedContentInfo",1610612741,0}, - {"eContentType",1073741826,"pkcs-7-ContentType"}, - {"eContent",536895495,0}, - {0,2056,"0"}, - {"pkcs-7-CertificateRevocationLists",1610612751,0}, - {0,13,0}, - {"pkcs-7-CertificateChoices",1610612754,0}, - {"certificate",13,0}, - {"pkcs-7-CertificateSet",1610612751,0}, - {0,2,"pkcs-7-CertificateChoices"}, - {"pkcs-7-SignerInfos",1610612751,0}, - {0,13,0}, - {"pkcs-10-CertificationRequestInfo",1610612741,0}, - {"version",1610874883,0}, - {"v1",1,"0"}, - {"subject",1073741826,"Name"}, - {"subjectPKInfo",1073741826,"SubjectPublicKeyInfo"}, - {"attributes",536879106,"Attributes"}, - {0,4104,"0"}, - {"Attributes",1610612751,0}, - {0,2,"Attribute"}, - {"pkcs-10-CertificationRequest",1610612741,0}, - {"certificationRequestInfo",1073741826,"pkcs-10-CertificationRequestInfo"}, - {"signatureAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"signature",6,0}, - {"pkcs-9-ub-challengePassword",1342177283,"255"}, - {"pkcs-9-certTypes",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"22"}, - {"pkcs-9-crlTypes",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"23"}, - {"pkcs-9-at-challengePassword",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"7"}, - {"pkcs-9-challengePassword",1610612754,0}, - {"printableString",1612709890,"PrintableString"}, - {"pkcs-9-ub-challengePassword",524298,"1"}, - {"utf8String",538968066,"UTF8String"}, - {"pkcs-9-ub-challengePassword",524298,"1"}, - {"pkcs-9-at-localKeyId",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"21"}, - {"pkcs-9-localKeyId",1073741831,0}, - {"pkcs-9-at-friendlyName",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"20"}, - {"pkcs-9-friendlyName",1612709890,"BMPString"}, - {"255",524298,"1"}, - {"pkcs-8-PrivateKeyInfo",1610612741,0}, - {"version",1073741826,"pkcs-8-Version"}, - {"privateKeyAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"privateKey",1073741826,"pkcs-8-PrivateKey"}, - {"attributes",536895490,"Attributes"}, - {0,4104,"0"}, - {"pkcs-8-Version",1610874883,0}, - {"v1",1,"0"}, - {"pkcs-8-PrivateKey",1073741831,0}, - {"pkcs-8-Attributes",1610612751,0}, - {0,2,"Attribute"}, - {"pkcs-8-EncryptedPrivateKeyInfo",1610612741,0}, - {"encryptionAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"encryptedData",2,"pkcs-8-EncryptedData"}, - {"pkcs-8-EncryptedData",1073741831,0}, - {"pkcs-5",1879048204,0}, - {0,1073741825,"pkcs"}, - {0,1,"5"}, - {"pkcs-5-encryptionAlgorithm",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"rsadsi",1073741825,"113549"}, - {0,1,"3"}, - {"pkcs-5-des-EDE3-CBC",1879048204,0}, - {0,1073741825,"pkcs-5-encryptionAlgorithm"}, - {0,1,"7"}, - {"pkcs-5-des-EDE3-CBC-params",1612709895,0}, - {0,1048586,"8"}, - {"pkcs-5-id-PBES2",1879048204,0}, - {0,1073741825,"pkcs-5"}, - {0,1,"13"}, - {"pkcs-5-PBES2-params",1610612741,0}, - {"keyDerivationFunc",1073741826,"AlgorithmIdentifier"}, - {"encryptionScheme",2,"AlgorithmIdentifier"}, - {"pkcs-5-id-PBKDF2",1879048204,0}, - {0,1073741825,"pkcs-5"}, - {0,1,"12"}, - {"pkcs-5-PBKDF2-params",1610612741,0}, - {"salt",1610612754,0}, - {"specified",1073741831,0}, - {"otherSource",2,"AlgorithmIdentifier"}, - {"iterationCount",1611137027,0}, - {"1",10,"MAX"}, - {"keyLength",1611153411,0}, - {"1",10,"MAX"}, - {"prf",16386,"AlgorithmIdentifier"}, - {"pkcs-12",1879048204,0}, - {0,1073741825,"pkcs"}, - {0,1,"12"}, - {"pkcs-12-PFX",1610612741,0}, - {"version",1610874883,0}, - {"v3",1,"3"}, - {"authSafe",1073741826,"pkcs-7-ContentInfo"}, - {"macData",16386,"pkcs-12-MacData"}, - {"pkcs-12-PbeParams",1610612741,0}, - {"salt",1073741831,0}, - {"iterations",3,0}, - {"pkcs-12-MacData",1610612741,0}, - {"mac",1073741826,"pkcs-7-DigestInfo"}, - {"macSalt",1073741831,0}, - {"iterations",536903683,0}, - {0,9,"1"}, - {"pkcs-12-AuthenticatedSafe",1610612747,0}, - {0,2,"pkcs-7-ContentInfo"}, - {"pkcs-12-SafeContents",1610612747,0}, - {0,2,"pkcs-12-SafeBag"}, - {"pkcs-12-SafeBag",1610612741,0}, - {"bagId",1073741836,0}, - {"bagValue",1614815245,0}, - {0,1073743880,"0"}, - {"badId",1,0}, - {"bagAttributes",536887311,0}, - {0,2,"pkcs-12-PKCS12Attribute"}, - {"pkcs-12-bagtypes",1879048204,0}, - {0,1073741825,"pkcs-12"}, - {0,1073741825,"10"}, - {0,1,"1"}, - {"pkcs-12-keyBag",1879048204,0}, - {0,1073741825,"pkcs-12-bagtypes"}, - {0,1,"1"}, - {"pkcs-12-pkcs8ShroudedKeyBag",1879048204,0}, - {0,1073741825,"pkcs-12-bagtypes"}, - {0,1,"2"}, - {"pkcs-12-certBag",1879048204,0}, - {0,1073741825,"pkcs-12-bagtypes"}, - {0,1,"3"}, - {"pkcs-12-crlBag",1879048204,0}, - {0,1073741825,"pkcs-12-bagtypes"}, - {0,1,"4"}, - {"pkcs-12-KeyBag",1073741826,"pkcs-8-PrivateKeyInfo"}, - {"pkcs-12-PKCS8ShroudedKeyBag",1073741826,"pkcs-8-EncryptedPrivateKeyInfo"}, - {"pkcs-12-CertBag",1610612741,0}, - {"certId",1073741836,0}, - {"certValue",541073421,0}, - {0,1073743880,"0"}, - {"certId",1,0}, - {"pkcs-12-CRLBag",1610612741,0}, - {"crlId",1073741836,0}, - {"crlValue",541073421,0}, - {0,1073743880,"0"}, - {"crlId",1,0}, - {"pkcs-12-PKCS12Attribute",1073741826,"Attribute"}, - {"pkcs-7-data",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"rsadsi",1073741825,"113549"}, - {"pkcs",1073741825,"1"}, - {"pkcs7",1073741825,"7"}, - {0,1,"1"}, - {"pkcs-7-encryptedData",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"rsadsi",1073741825,"113549"}, - {"pkcs",1073741825,"1"}, - {"pkcs7",1073741825,"7"}, - {0,1,"6"}, - {"pkcs-7-Data",1073741831,0}, - {"pkcs-7-EncryptedData",1610612741,0}, - {"version",1073741826,"pkcs-7-CMSVersion"}, - {"encryptedContentInfo",1073741826,"pkcs-7-EncryptedContentInfo"}, - {"unprotectedAttrs",536895490,"pkcs-7-UnprotectedAttributes"}, - {0,4104,"1"}, - {"pkcs-7-EncryptedContentInfo",1610612741,0}, - {"contentType",1073741826,"pkcs-7-ContentType"}, - {"contentEncryptionAlgorithm",1073741826,"pkcs-7-ContentEncryptionAlgorithmIdentifier"}, - {"encryptedContent",536895490,"pkcs-7-EncryptedContent"}, - {0,4104,"0"}, - {"pkcs-7-ContentEncryptionAlgorithmIdentifier",1073741826,"AlgorithmIdentifier"}, - {"pkcs-7-EncryptedContent",1073741831,0}, - {"pkcs-7-UnprotectedAttributes",1612709903,0}, - {"MAX",1074266122,"1"}, - {0,2,"Attribute"}, - {"id-at-ldap-DC",1880096780,"AttributeType"}, - {0,1073741825,"0"}, - {0,1073741825,"9"}, - {0,1073741825,"2342"}, - {0,1073741825,"19200300"}, - {0,1073741825,"100"}, - {0,1073741825,"1"}, - {0,1,"25"}, - {"ldap-DC",1073741826,"IA5String"}, - {"id-at-ldap-UID",1880096780,"AttributeType"}, - {0,1073741825,"0"}, - {0,1073741825,"9"}, - {0,1073741825,"2342"}, - {0,1073741825,"19200300"}, - {0,1073741825,"100"}, - {0,1073741825,"1"}, - {0,1,"1"}, - {"ldap-UID",1073741826,"IA5String"}, - {"id-pda",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"9"}, - {"id-pda-dateOfBirth",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"1"}, - {"DateOfBirth",1082130449,0}, - {"id-pda-placeOfBirth",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"2"}, - {"PlaceOfBirth",1073741826,"DirectoryString"}, - {"id-pda-gender",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"3"}, - {"Gender",1612709890,"PrintableString"}, - {0,1048586,"1"}, - {"id-pda-countryOfCitizenship",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"4"}, - {"CountryOfCitizenship",1612709890,"PrintableString"}, - {0,1048586,"2"}, - {"id-pda-countryOfResidence",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"5"}, - {"CountryOfResidence",538968066,"PrintableString"}, - {0,1048586,"2"}, - {0,0,0} +const ASN1_ARRAY_TYPE pkix_asn1_tab[] = { + {"PKIX1", 536875024, 0}, + {0, 1073741836, 0}, + {"id-ce", 1879048204, 0}, + {"joint-iso-ccitt", 1073741825, "2"}, + {"ds", 1073741825, "5"}, + {0, 1, "29"}, + {"id-ce-authorityKeyIdentifier", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "35"}, + {"AuthorityKeyIdentifier", 1610612741, 0}, + {"keyIdentifier", 1610637314, "KeyIdentifier"}, + {0, 4104, "0"}, + {"authorityCertIssuer", 1610637314, "GeneralNames"}, + {0, 4104, "1"}, + {"authorityCertSerialNumber", 536895490, "CertificateSerialNumber"}, + {0, 4104, "2"}, + {"KeyIdentifier", 1073741831, 0}, + {"id-ce-subjectKeyIdentifier", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "14"}, + {"SubjectKeyIdentifier", 1073741826, "KeyIdentifier"}, + {"id-ce-keyUsage", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "15"}, + {"KeyUsage", 1610874886, 0}, + {"digitalSignature", 1073741825, "0"}, + {"nonRepudiation", 1073741825, "1"}, + {"keyEncipherment", 1073741825, "2"}, + {"dataEncipherment", 1073741825, "3"}, + {"keyAgreement", 1073741825, "4"}, + {"keyCertSign", 1073741825, "5"}, + {"cRLSign", 1073741825, "6"}, + {"encipherOnly", 1073741825, "7"}, + {"decipherOnly", 1, "8"}, + {"id-ce-privateKeyUsagePeriod", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "16"}, + {"PrivateKeyUsagePeriod", 1610612741, 0}, + {"notBefore", 1619025937, 0}, + {0, 4104, "0"}, + {"notAfter", 545284113, 0}, + {0, 4104, "1"}, + {"id-ce-certificatePolicies", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "32"}, + {"CertificatePolicies", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "PolicyInformation"}, + {"PolicyInformation", 1610612741, 0}, + {"policyIdentifier", 1073741826, "CertPolicyId"}, + {"policyQualifiers", 538984459, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "PolicyQualifierInfo"}, + {"CertPolicyId", 1073741836, 0}, + {"PolicyQualifierInfo", 1610612741, 0}, + {"policyQualifierId", 1073741826, "PolicyQualifierId"}, + {"qualifier", 541065229, 0}, + {"policyQualifierId", 1, 0}, + {"PolicyQualifierId", 1073741836, 0}, + {"CPSuri", 1073741826, "IA5String"}, + {"UserNotice", 1610612741, 0}, + {"noticeRef", 1073758210, "NoticeReference"}, + {"explicitText", 16386, "DisplayText"}, + {"NoticeReference", 1610612741, 0}, + {"organization", 1073741826, "DisplayText"}, + {"noticeNumbers", 536870923, 0}, + {0, 3, 0}, + {"DisplayText", 1610612754, 0}, + {"visibleString", 1612709890, "VisibleString"}, + {"200", 524298, "1"}, + {"bmpString", 1612709890, "BMPString"}, + {"200", 524298, "1"}, + {"utf8String", 538968066, "UTF8String"}, + {"200", 524298, "1"}, + {"id-ce-policyMappings", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "33"}, + {"PolicyMappings", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 536870917, 0}, + {"issuerDomainPolicy", 1073741826, "CertPolicyId"}, + {"subjectDomainPolicy", 2, "CertPolicyId"}, + {"DirectoryString", 1610612754, 0}, + {"teletexString", 1612709890, "TeletexString"}, + {"MAX", 524298, "1"}, + {"printableString", 1612709890, "PrintableString"}, + {"MAX", 524298, "1"}, + {"universalString", 1612709890, "UniversalString"}, + {"MAX", 524298, "1"}, + {"utf8String", 1612709890, "UTF8String"}, + {"MAX", 524298, "1"}, + {"bmpString", 538968066, "BMPString"}, + {"MAX", 524298, "1"}, + {"id-ce-subjectAltName", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "17"}, + {"SubjectAltName", 1073741826, "GeneralNames"}, + {"GeneralNames", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "GeneralName"}, + {"GeneralName", 1610612754, 0}, + {"otherName", 1610620930, "AnotherName"}, + {0, 4104, "0"}, + {"rfc822Name", 1610620930, "IA5String"}, + {0, 4104, "1"}, + {"dNSName", 1610620930, "IA5String"}, + {0, 4104, "2"}, + {"x400Address", 1610620930, "ORAddress"}, + {0, 4104, "3"}, + {"directoryName", 1610620930, "RDNSequence"}, + {0, 2056, "4"}, + {"ediPartyName", 1610620930, "EDIPartyName"}, + {0, 4104, "5"}, + {"uniformResourceIdentifier", 1610620930, "IA5String"}, + {0, 4104, "6"}, + {"iPAddress", 1610620935, 0}, + {0, 4104, "7"}, + {"registeredID", 536879116, 0}, + {0, 4104, "8"}, + {"AnotherName", 1610612741, 0}, + {"type-id", 1073741836, 0}, + {"value", 541073421, 0}, + {0, 1073743880, "0"}, + {"type-id", 1, 0}, + {"EDIPartyName", 1610612741, 0}, + {"nameAssigner", 1610637314, "DirectoryString"}, + {0, 4104, "0"}, + {"partyName", 536879106, "DirectoryString"}, + {0, 4104, "1"}, + {"id-ce-issuerAltName", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "18"}, + {"IssuerAltName", 1073741826, "GeneralNames"}, + {"id-ce-subjectDirectoryAttributes", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "9"}, + {"SubjectDirectoryAttributes", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "Attribute"}, + {"id-ce-basicConstraints", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "19"}, + {"BasicConstraints", 1610612741, 0}, + {"cA", 1610645508, 0}, + {0, 131081, 0}, + {"pathLenConstraint", 537411587, 0}, + {"0", 10, "MAX"}, + {"id-ce-nameConstraints", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "30"}, + {"NameConstraints", 1610612741, 0}, + {"permittedSubtrees", 1610637314, "GeneralSubtrees"}, + {0, 4104, "0"}, + {"excludedSubtrees", 536895490, "GeneralSubtrees"}, + {0, 4104, "1"}, + {"GeneralSubtrees", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "GeneralSubtree"}, + {"GeneralSubtree", 1610612741, 0}, + {"base", 1073741826, "GeneralName"}, + {"minimum", 1610653698, "BaseDistance"}, + {0, 1073741833, "0"}, + {0, 4104, "0"}, + {"maximum", 536895490, "BaseDistance"}, + {0, 4104, "1"}, + {"BaseDistance", 1611137027, 0}, + {"0", 10, "MAX"}, + {"id-ce-policyConstraints", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "36"}, + {"PolicyConstraints", 1610612741, 0}, + {"requireExplicitPolicy", 1610637314, "SkipCerts"}, + {0, 4104, "0"}, + {"inhibitPolicyMapping", 536895490, "SkipCerts"}, + {0, 4104, "1"}, + {"SkipCerts", 1611137027, 0}, + {"0", 10, "MAX"}, + {"id-ce-cRLDistributionPoints", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "31"}, + {"CRLDistributionPoints", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "DistributionPoint"}, + {"DistributionPoint", 1610612741, 0}, + {"distributionPoint", 1610637314, "DistributionPointName"}, + {0, 2056, "0"}, + {"reasons", 1610637314, "ReasonFlags"}, + {0, 4104, "1"}, + {"cRLIssuer", 536895490, "GeneralNames"}, + {0, 4104, "2"}, + {"DistributionPointName", 1610612754, 0}, + {"fullName", 1610620930, "GeneralNames"}, + {0, 4104, "0"}, + {"nameRelativeToCRLIssuer", 536879106, "RelativeDistinguishedName"}, + {0, 4104, "1"}, + {"ReasonFlags", 1610874886, 0}, + {"unused", 1073741825, "0"}, + {"keyCompromise", 1073741825, "1"}, + {"cACompromise", 1073741825, "2"}, + {"affiliationChanged", 1073741825, "3"}, + {"superseded", 1073741825, "4"}, + {"cessationOfOperation", 1073741825, "5"}, + {"certificateHold", 1073741825, "6"}, + {"privilegeWithdrawn", 1073741825, "7"}, + {"aACompromise", 1, "8"}, + {"id-ce-extKeyUsage", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "37"}, + {"ExtKeyUsageSyntax", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "KeyPurposeId"}, + {"KeyPurposeId", 1073741836, 0}, + {"id-kp-serverAuth", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "1"}, + {"id-kp-clientAuth", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "2"}, + {"id-kp-codeSigning", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "3"}, + {"id-kp-emailProtection", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "4"}, + {"id-kp-ipsecEndSystem", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "5"}, + {"id-kp-ipsecTunnel", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "6"}, + {"id-kp-ipsecUser", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "7"}, + {"id-kp-timeStamping", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "8"}, + {"id-pe-authorityInfoAccess", 1879048204, 0}, + {0, 1073741825, "id-pe"}, + {0, 1, "1"}, + {"AuthorityInfoAccessSyntax", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "AccessDescription"}, + {"AccessDescription", 1610612741, 0}, + {"accessMethod", 1073741836, 0}, + {"accessLocation", 2, "GeneralName"}, + {"id-ce-cRLNumber", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "20"}, + {"CRLNumber", 1611137027, 0}, + {"0", 10, "MAX"}, + {"id-ce-issuingDistributionPoint", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "28"}, + {"IssuingDistributionPoint", 1610612741, 0}, + {"distributionPoint", 1610637314, "DistributionPointName"}, + {0, 4104, "0"}, + {"onlyContainsUserCerts", 1610653700, 0}, + {0, 1073872905, 0}, + {0, 4104, "1"}, + {"onlyContainsCACerts", 1610653700, 0}, + {0, 1073872905, 0}, + {0, 4104, "2"}, + {"onlySomeReasons", 1610637314, "ReasonFlags"}, + {0, 4104, "3"}, + {"indirectCRL", 536911876, 0}, + {0, 1073872905, 0}, + {0, 4104, "4"}, + {"id-ce-deltaCRLIndicator", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "27"}, + {"BaseCRLNumber", 1073741826, "CRLNumber"}, + {"id-ce-cRLReasons", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "21"}, + {"CRLReason", 1610874901, 0}, + {"unspecified", 1073741825, "0"}, + {"keyCompromise", 1073741825, "1"}, + {"cACompromise", 1073741825, "2"}, + {"affiliationChanged", 1073741825, "3"}, + {"superseded", 1073741825, "4"}, + {"cessationOfOperation", 1073741825, "5"}, + {"certificateHold", 1073741825, "6"}, + {"removeFromCRL", 1, "8"}, + {"id-ce-certificateIssuer", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "29"}, + {"CertificateIssuer", 1073741826, "GeneralNames"}, + {"id-ce-holdInstructionCode", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "23"}, + {"HoldInstructionCode", 1073741836, 0}, + {"holdInstruction", 1879048204, 0}, + {"joint-iso-itu-t", 1073741825, "2"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"x9cm", 1073741825, "10040"}, + {0, 1, "2"}, + {"id-holdinstruction-none", 1879048204, 0}, + {0, 1073741825, "holdInstruction"}, + {0, 1, "1"}, + {"id-holdinstruction-callissuer", 1879048204, 0}, + {0, 1073741825, "holdInstruction"}, + {0, 1, "2"}, + {"id-holdinstruction-reject", 1879048204, 0}, + {0, 1073741825, "holdInstruction"}, + {0, 1, "3"}, + {"id-ce-invalidityDate", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "24"}, + {"InvalidityDate", 1082130449, 0}, + {"VisibleString", 1610620935, 0}, + {0, 4360, "26"}, + {"NumericString", 1610620935, 0}, + {0, 4360, "18"}, + {"IA5String", 1610620935, 0}, + {0, 4360, "22"}, + {"TeletexString", 1610620935, 0}, + {0, 4360, "20"}, + {"PrintableString", 1610620935, 0}, + {0, 4360, "19"}, + {"UniversalString", 1610620935, 0}, + {0, 4360, "28"}, + {"BMPString", 1610620935, 0}, + {0, 4360, "30"}, + {"UTF8String", 1610620935, 0}, + {0, 4360, "12"}, + {"id-pkix", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"identified-organization", 1073741825, "3"}, + {"dod", 1073741825, "6"}, + {"internet", 1073741825, "1"}, + {"security", 1073741825, "5"}, + {"mechanisms", 1073741825, "5"}, + {"pkix", 1, "7"}, + {"id-pe", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "1"}, + {"id-qt", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "2"}, + {"id-kp", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "3"}, + {"id-ad", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "48"}, + {"id-qt-cps", 1879048204, 0}, + {0, 1073741825, "id-qt"}, + {0, 1, "1"}, + {"id-qt-unotice", 1879048204, 0}, + {0, 1073741825, "id-qt"}, + {0, 1, "2"}, + {"id-ad-ocsp", 1879048204, 0}, + {0, 1073741825, "id-ad"}, + {0, 1, "1"}, + {"id-ad-caIssuers", 1879048204, 0}, + {0, 1073741825, "id-ad"}, + {0, 1, "2"}, + {"Attribute", 1610612741, 0}, + {"type", 1073741826, "AttributeType"}, + {"values", 536870927, 0}, + {0, 2, "AttributeValue"}, + {"AttributeType", 1073741836, 0}, + {"AttributeValue", 1614807053, 0}, + {"type", 1, 0}, + {"AttributeTypeAndValue", 1610612741, 0}, + {"type", 1073741826, "AttributeType"}, + {"value", 2, "AttributeValue"}, + {"id-at", 1879048204, 0}, + {"joint-iso-ccitt", 1073741825, "2"}, + {"ds", 1073741825, "5"}, + {0, 1, "4"}, + {"id-at-initials", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "43"}, + {"X520initials", 1073741826, "DirectoryString"}, + {"id-at-generationQualifier", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "44"}, + {"X520generationQualifier", 1073741826, "DirectoryString"}, + {"id-at-surname", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "4"}, + {"X520surName", 1073741826, "DirectoryString"}, + {"id-at-givenName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "42"}, + {"X520givenName", 1073741826, "DirectoryString"}, + {"id-at-name", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "41"}, + {"X520name", 1073741826, "DirectoryString"}, + {"id-at-commonName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "3"}, + {"X520CommonName", 1073741826, "DirectoryString"}, + {"id-at-localityName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "7"}, + {"X520LocalityName", 1073741826, "DirectoryString"}, + {"id-at-stateOrProvinceName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "8"}, + {"X520StateOrProvinceName", 1073741826, "DirectoryString"}, + {"id-at-organizationName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "10"}, + {"X520OrganizationName", 1073741826, "DirectoryString"}, + {"id-at-organizationalUnitName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "11"}, + {"X520OrganizationalUnitName", 1073741826, "DirectoryString"}, + {"id-at-title", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "12"}, + {"X520Title", 1073741826, "DirectoryString"}, + {"id-at-description", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "13"}, + {"X520Description", 1073741826, "DirectoryString"}, + {"id-at-dnQualifier", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "46"}, + {"X520dnQualifier", 1073741826, "PrintableString"}, + {"id-at-countryName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "6"}, + {"X520countryName", 1612709890, "PrintableString"}, + {0, 1048586, "2"}, + {"id-at-serialNumber", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "5"}, + {"X520serialNumber", 1073741826, "PrintableString"}, + {"id-at-telephoneNumber", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "20"}, + {"X520telephoneNumber", 1073741826, "PrintableString"}, + {"id-at-facsimileTelephoneNumber", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "23"}, + {"X520facsimileTelephoneNumber", 1073741826, "PrintableString"}, + {"id-at-pseudonym", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "65"}, + {"X520pseudonym", 1073741826, "DirectoryString"}, + {"id-at-name", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "41"}, + {"X520name", 1073741826, "DirectoryString"}, + {"id-at-streetAddress", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "9"}, + {"X520streetAddress", 1073741826, "DirectoryString"}, + {"id-at-postalAddress", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "16"}, + {"X520postalAddress", 1073741826, "PostalAddress"}, + {"PostalAddress", 1610612747, 0}, + {0, 2, "DirectoryString"}, + {"pkcs", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"rsadsi", 1073741825, "113549"}, + {"pkcs", 1, "1"}, + {"pkcs-9", 1879048204, 0}, + {0, 1073741825, "pkcs"}, + {0, 1, "9"}, + {"emailAddress", 1880096780, "AttributeType"}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "1"}, + {"Pkcs9email", 1612709890, "IA5String"}, + {"ub-emailaddress-length", 524298, "1"}, + {"Name", 1610612754, 0}, + {"rdnSequence", 2, "RDNSequence"}, + {"RDNSequence", 1610612747, 0}, + {0, 2, "RelativeDistinguishedName"}, + {"DistinguishedName", 1073741826, "RDNSequence"}, + {"RelativeDistinguishedName", 1612709903, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "AttributeTypeAndValue"}, + {"Certificate", 1610612741, 0}, + {"tbsCertificate", 1073741826, "TBSCertificate"}, + {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"signature", 6, 0}, + {"TBSCertificate", 1610612741, 0}, + {"version", 1610653698, "Version"}, + {0, 1073741833, "v1"}, + {0, 2056, "0"}, + {"serialNumber", 1073741826, "CertificateSerialNumber"}, + {"signature", 1073741826, "AlgorithmIdentifier"}, + {"issuer", 1073741826, "Name"}, + {"validity", 1073741826, "Validity"}, + {"subject", 1073741826, "Name"}, + {"subjectPublicKeyInfo", 1073741826, "SubjectPublicKeyInfo"}, + {"issuerUniqueID", 1610637314, "UniqueIdentifier"}, + {0, 4104, "1"}, + {"subjectUniqueID", 1610637314, "UniqueIdentifier"}, + {0, 4104, "2"}, + {"extensions", 536895490, "Extensions"}, + {0, 2056, "3"}, + {"Version", 1610874883, 0}, + {"v1", 1073741825, "0"}, + {"v2", 1073741825, "1"}, + {"v3", 1, "2"}, + {"CertificateSerialNumber", 1073741827, 0}, + {"Validity", 1610612741, 0}, + {"notBefore", 1073741826, "Time"}, + {"notAfter", 2, "Time"}, + {"Time", 1610612754, 0}, + {"utcTime", 1090519057, 0}, + {"generalTime", 8388625, 0}, + {"UniqueIdentifier", 1073741830, 0}, + {"SubjectPublicKeyInfo", 1610612741, 0}, + {"algorithm", 1073741826, "AlgorithmIdentifier"}, + {"subjectPublicKey", 6, 0}, + {"Extensions", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "Extension"}, + {"Extension", 1610612741, 0}, + {"extnID", 1073741836, 0}, + {"critical", 1610645508, 0}, + {0, 131081, 0}, + {"extnValue", 7, 0}, + {"CertificateList", 1610612741, 0}, + {"tbsCertList", 1073741826, "TBSCertList"}, + {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"signature", 6, 0}, + {"TBSCertList", 1610612741, 0}, + {"version", 1073758210, "Version"}, + {"signature", 1073741826, "AlgorithmIdentifier"}, + {"issuer", 1073741826, "Name"}, + {"thisUpdate", 1073741826, "Time"}, + {"nextUpdate", 1073758210, "Time"}, + {"revokedCertificates", 1610629131, 0}, + {0, 536870917, 0}, + {"userCertificate", 1073741826, "CertificateSerialNumber"}, + {"revocationDate", 1073741826, "Time"}, + {"crlEntryExtensions", 16386, "Extensions"}, + {"crlExtensions", 536895490, "Extensions"}, + {0, 2056, "0"}, + {"AlgorithmIdentifier", 1610612741, 0}, + {"algorithm", 1073741836, 0}, + {"parameters", 541081613, 0}, + {"algorithm", 1, 0}, + {"pkcs-1", 1879048204, 0}, + {0, 1073741825, "pkcs"}, + {0, 1, "1"}, + {"rsaEncryption", 1879048204, 0}, + {0, 1073741825, "pkcs-1"}, + {0, 1, "1"}, + {"md2WithRSAEncryption", 1879048204, 0}, + {0, 1073741825, "pkcs-1"}, + {0, 1, "2"}, + {"md5WithRSAEncryption", 1879048204, 0}, + {0, 1073741825, "pkcs-1"}, + {0, 1, "4"}, + {"sha1WithRSAEncryption", 1879048204, 0}, + {0, 1073741825, "pkcs-1"}, + {0, 1, "5"}, + {"id-dsa-with-sha1", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"x9-57", 1073741825, "10040"}, + {"x9algorithm", 1073741825, "4"}, + {0, 1, "3"}, + {"Dss-Sig-Value", 1610612741, 0}, + {"r", 1073741827, 0}, + {"s", 3, 0}, + {"dhpublicnumber", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"ansi-x942", 1073741825, "10046"}, + {"number-type", 1073741825, "2"}, + {0, 1, "1"}, + {"DomainParameters", 1610612741, 0}, + {"p", 1073741827, 0}, + {"g", 1073741827, 0}, + {"q", 1073741827, 0}, + {"j", 1073758211, 0}, + {"validationParms", 16386, "ValidationParms"}, + {"ValidationParms", 1610612741, 0}, + {"seed", 1073741830, 0}, + {"pgenCounter", 3, 0}, + {"id-dsa", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"x9-57", 1073741825, "10040"}, + {"x9algorithm", 1073741825, "4"}, + {0, 1, "1"}, + {"Dss-Parms", 1610612741, 0}, + {"p", 1073741827, 0}, + {"q", 1073741827, 0}, + {"g", 3, 0}, + {"ORAddress", 1610612741, 0}, + {"built-in-standard-attributes", 1073741826, "BuiltInStandardAttributes"}, + {"built-in-domain-defined-attributes", 1073758210, + "BuiltInDomainDefinedAttributes"}, + {"extension-attributes", 16386, "ExtensionAttributes"}, + {"BuiltInStandardAttributes", 1610612741, 0}, + {"country-name", 1073758210, "CountryName"}, + {"administration-domain-name", 1073758210, "AdministrationDomainName"}, + {"network-address", 1610637314, "NetworkAddress"}, + {0, 2056, "0"}, + {"terminal-identifier", 1610637314, "TerminalIdentifier"}, + {0, 2056, "1"}, + {"private-domain-name", 1610637314, "PrivateDomainName"}, + {0, 2056, "2"}, + {"organization-name", 1610637314, "OrganizationName"}, + {0, 2056, "3"}, + {"numeric-user-identifier", 1610637314, "NumericUserIdentifier"}, + {0, 2056, "4"}, + {"personal-name", 1610637314, "PersonalName"}, + {0, 2056, "5"}, + {"organizational-unit-names", 536895490, "OrganizationalUnitNames"}, + {0, 2056, "6"}, + {"CountryName", 1610620946, 0}, + {0, 1073746952, "1"}, + {"x121-dcc-code", 1612709890, "NumericString"}, + {0, 1048586, "ub-country-name-numeric-length"}, + {"iso-3166-alpha2-code", 538968066, "PrintableString"}, + {0, 1048586, "ub-country-name-alpha-length"}, + {"AdministrationDomainName", 1610620946, 0}, + {0, 1073744904, "2"}, + {"numeric", 1612709890, "NumericString"}, + {"ub-domain-name-length", 524298, "0"}, + {"printable", 538968066, "PrintableString"}, + {"ub-domain-name-length", 524298, "0"}, + {"NetworkAddress", 1073741826, "X121Address"}, + {"X121Address", 1612709890, "NumericString"}, + {"ub-x121-address-length", 524298, "1"}, + {"TerminalIdentifier", 1612709890, "PrintableString"}, + {"ub-terminal-id-length", 524298, "1"}, + {"PrivateDomainName", 1610612754, 0}, + {"numeric", 1612709890, "NumericString"}, + {"ub-domain-name-length", 524298, "1"}, + {"printable", 538968066, "PrintableString"}, + {"ub-domain-name-length", 524298, "1"}, + {"OrganizationName", 1612709890, "PrintableString"}, + {"ub-organization-name-length", 524298, "1"}, + {"NumericUserIdentifier", 1612709890, "NumericString"}, + {"ub-numeric-user-id-length", 524298, "1"}, + {"PersonalName", 1610612750, 0}, + {"surname", 1814044674, "PrintableString"}, + {0, 1073745928, "0"}, + {"ub-surname-length", 524298, "1"}, + {"given-name", 1814061058, "PrintableString"}, + {0, 1073745928, "1"}, + {"ub-given-name-length", 524298, "1"}, + {"initials", 1814061058, "PrintableString"}, + {0, 1073745928, "2"}, + {"ub-initials-length", 524298, "1"}, + {"generation-qualifier", 740319234, "PrintableString"}, + {0, 1073745928, "3"}, + {"ub-generation-qualifier-length", 524298, "1"}, + {"OrganizationalUnitNames", 1612709899, 0}, + {"ub-organizational-units", 1074266122, "1"}, + {0, 2, "OrganizationalUnitName"}, + {"OrganizationalUnitName", 1612709890, "PrintableString"}, + {"ub-organizational-unit-name-length", 524298, "1"}, + {"BuiltInDomainDefinedAttributes", 1612709899, 0}, + {"ub-domain-defined-attributes", 1074266122, "1"}, + {0, 2, "BuiltInDomainDefinedAttribute"}, + {"BuiltInDomainDefinedAttribute", 1610612741, 0}, + {"type", 1612709890, "PrintableString"}, + {"ub-domain-defined-attribute-type-length", 524298, "1"}, + {"value", 538968066, "PrintableString"}, + {"ub-domain-defined-attribute-value-length", 524298, "1"}, + {"ExtensionAttributes", 1612709903, 0}, + {"ub-extension-attributes", 1074266122, "1"}, + {0, 2, "ExtensionAttribute"}, + {"ExtensionAttribute", 1610612741, 0}, + {"extension-attribute-type", 1611145219, 0}, + {0, 1073743880, "0"}, + {"0", 10, "ub-extension-attributes"}, + {"extension-attribute-value", 541073421, 0}, + {0, 1073743880, "1"}, + {"extension-attribute-type", 1, 0}, + {"common-name", 1342177283, "1"}, + {"CommonName", 1612709890, "PrintableString"}, + {"ub-common-name-length", 524298, "1"}, + {"teletex-common-name", 1342177283, "2"}, + {"TeletexCommonName", 1612709890, "TeletexString"}, + {"ub-common-name-length", 524298, "1"}, + {"teletex-organization-name", 1342177283, "3"}, + {"TeletexOrganizationName", 1612709890, "TeletexString"}, + {"ub-organization-name-length", 524298, "1"}, + {"teletex-personal-name", 1342177283, "4"}, + {"TeletexPersonalName", 1610612750, 0}, + {"surname", 1814044674, "TeletexString"}, + {0, 1073743880, "0"}, + {"ub-surname-length", 524298, "1"}, + {"given-name", 1814061058, "TeletexString"}, + {0, 1073743880, "1"}, + {"ub-given-name-length", 524298, "1"}, + {"initials", 1814061058, "TeletexString"}, + {0, 1073743880, "2"}, + {"ub-initials-length", 524298, "1"}, + {"generation-qualifier", 740319234, "TeletexString"}, + {0, 1073743880, "3"}, + {"ub-generation-qualifier-length", 524298, "1"}, + {"teletex-organizational-unit-names", 1342177283, "5"}, + {"TeletexOrganizationalUnitNames", 1612709899, 0}, + {"ub-organizational-units", 1074266122, "1"}, + {0, 2, "TeletexOrganizationalUnitName"}, + {"TeletexOrganizationalUnitName", 1612709890, "TeletexString"}, + {"ub-organizational-unit-name-length", 524298, "1"}, + {"pds-name", 1342177283, "7"}, + {"PDSName", 1612709890, "PrintableString"}, + {"ub-pds-name-length", 524298, "1"}, + {"physical-delivery-country-name", 1342177283, "8"}, + {"PhysicalDeliveryCountryName", 1610612754, 0}, + {"x121-dcc-code", 1612709890, "NumericString"}, + {0, 1048586, "ub-country-name-numeric-length"}, + {"iso-3166-alpha2-code", 538968066, "PrintableString"}, + {0, 1048586, "ub-country-name-alpha-length"}, + {"postal-code", 1342177283, "9"}, + {"PostalCode", 1610612754, 0}, + {"numeric-code", 1612709890, "NumericString"}, + {"ub-postal-code-length", 524298, "1"}, + {"printable-code", 538968066, "PrintableString"}, + {"ub-postal-code-length", 524298, "1"}, + {"physical-delivery-office-name", 1342177283, "10"}, + {"PhysicalDeliveryOfficeName", 1073741826, "PDSParameter"}, + {"physical-delivery-office-number", 1342177283, "11"}, + {"PhysicalDeliveryOfficeNumber", 1073741826, "PDSParameter"}, + {"extension-OR-address-components", 1342177283, "12"}, + {"ExtensionORAddressComponents", 1073741826, "PDSParameter"}, + {"physical-delivery-personal-name", 1342177283, "13"}, + {"PhysicalDeliveryPersonalName", 1073741826, "PDSParameter"}, + {"physical-delivery-organization-name", 1342177283, "14"}, + {"PhysicalDeliveryOrganizationName", 1073741826, "PDSParameter"}, + {"extension-physical-delivery-address-components", 1342177283, "15"}, + {"ExtensionPhysicalDeliveryAddressComponents", 1073741826, "PDSParameter"}, + {"unformatted-postal-address", 1342177283, "16"}, + {"UnformattedPostalAddress", 1610612750, 0}, + {"printable-address", 1814052875, 0}, + {"ub-pds-physical-address-lines", 1074266122, "1"}, + {0, 538968066, "PrintableString"}, + {"ub-pds-parameter-length", 524298, "1"}, + {"teletex-string", 740311042, "TeletexString"}, + {"ub-unformatted-address-length", 524298, "1"}, + {"street-address", 1342177283, "17"}, + {"StreetAddress", 1073741826, "PDSParameter"}, + {"post-office-box-address", 1342177283, "18"}, + {"PostOfficeBoxAddress", 1073741826, "PDSParameter"}, + {"poste-restante-address", 1342177283, "19"}, + {"PosteRestanteAddress", 1073741826, "PDSParameter"}, + {"unique-postal-name", 1342177283, "20"}, + {"UniquePostalName", 1073741826, "PDSParameter"}, + {"local-postal-attributes", 1342177283, "21"}, + {"LocalPostalAttributes", 1073741826, "PDSParameter"}, + {"PDSParameter", 1610612750, 0}, + {"printable-string", 1814052866, "PrintableString"}, + {"ub-pds-parameter-length", 524298, "1"}, + {"teletex-string", 740311042, "TeletexString"}, + {"ub-pds-parameter-length", 524298, "1"}, + {"extended-network-address", 1342177283, "22"}, + {"ExtendedNetworkAddress", 1610612754, 0}, + {"e163-4-address", 1610612741, 0}, + {"number", 1612718082, "NumericString"}, + {0, 1073743880, "0"}, + {"ub-e163-4-number-length", 524298, "1"}, + {"sub-address", 538992642, "NumericString"}, + {0, 1073743880, "1"}, + {"ub-e163-4-sub-address-length", 524298, "1"}, + {"psap-address", 536879106, "PresentationAddress"}, + {0, 2056, "0"}, + {"PresentationAddress", 1610612741, 0}, + {"pSelector", 1610637319, 0}, + {0, 2056, "0"}, + {"sSelector", 1610637319, 0}, + {0, 2056, "1"}, + {"tSelector", 1610637319, 0}, + {0, 2056, "2"}, + {"nAddresses", 538976271, 0}, + {0, 1073743880, "3"}, + {"MAX", 1074266122, "1"}, + {0, 7, 0}, + {"terminal-type", 1342177283, "23"}, + {"TerminalType", 1610874883, 0}, + {"telex", 1073741825, "3"}, + {"teletex", 1073741825, "4"}, + {"g3-facsimile", 1073741825, "5"}, + {"g4-facsimile", 1073741825, "6"}, + {"ia5-terminal", 1073741825, "7"}, + {"videotex", 1, "8"}, + {"teletex-domain-defined-attributes", 1342177283, "6"}, + {"TeletexDomainDefinedAttributes", 1612709899, 0}, + {"ub-domain-defined-attributes", 1074266122, "1"}, + {0, 2, "TeletexDomainDefinedAttribute"}, + {"TeletexDomainDefinedAttribute", 1610612741, 0}, + {"type", 1612709890, "TeletexString"}, + {"ub-domain-defined-attribute-type-length", 524298, "1"}, + {"value", 538968066, "TeletexString"}, + {"ub-domain-defined-attribute-value-length", 524298, "1"}, + {"ub-name", 1342177283, "32768"}, + {"ub-common-name", 1342177283, "64"}, + {"ub-locality-name", 1342177283, "128"}, + {"ub-state-name", 1342177283, "128"}, + {"ub-organization-name", 1342177283, "64"}, + {"ub-organizational-unit-name", 1342177283, "64"}, + {"ub-title", 1342177283, "64"}, + {"ub-match", 1342177283, "128"}, + {"ub-emailaddress-length", 1342177283, "128"}, + {"ub-common-name-length", 1342177283, "64"}, + {"ub-country-name-alpha-length", 1342177283, "2"}, + {"ub-country-name-numeric-length", 1342177283, "3"}, + {"ub-domain-defined-attributes", 1342177283, "4"}, + {"ub-domain-defined-attribute-type-length", 1342177283, "8"}, + {"ub-domain-defined-attribute-value-length", 1342177283, "128"}, + {"ub-domain-name-length", 1342177283, "16"}, + {"ub-extension-attributes", 1342177283, "256"}, + {"ub-e163-4-number-length", 1342177283, "15"}, + {"ub-e163-4-sub-address-length", 1342177283, "40"}, + {"ub-generation-qualifier-length", 1342177283, "3"}, + {"ub-given-name-length", 1342177283, "16"}, + {"ub-initials-length", 1342177283, "5"}, + {"ub-integer-options", 1342177283, "256"}, + {"ub-numeric-user-id-length", 1342177283, "32"}, + {"ub-organization-name-length", 1342177283, "64"}, + {"ub-organizational-unit-name-length", 1342177283, "32"}, + {"ub-organizational-units", 1342177283, "4"}, + {"ub-pds-name-length", 1342177283, "16"}, + {"ub-pds-parameter-length", 1342177283, "30"}, + {"ub-pds-physical-address-lines", 1342177283, "6"}, + {"ub-postal-code-length", 1342177283, "16"}, + {"ub-surname-length", 1342177283, "40"}, + {"ub-terminal-id-length", 1342177283, "24"}, + {"ub-unformatted-address-length", 1342177283, "180"}, + {"ub-x121-address-length", 1342177283, "16"}, + {"pkcs-7-ContentInfo", 1610612741, 0}, + {"contentType", 1073741826, "pkcs-7-ContentType"}, + {"content", 541073421, 0}, + {0, 1073743880, "0"}, + {"contentType", 1, 0}, + {"pkcs-7-DigestInfo", 1610612741, 0}, + {"digestAlgorithm", 1073741826, "pkcs-7-DigestAlgorithmIdentifier"}, + {"digest", 2, "pkcs-7-Digest"}, + {"pkcs-7-Digest", 1073741831, 0}, + {"pkcs-7-ContentType", 1073741836, 0}, + {"pkcs-7-SignedData", 1610612741, 0}, + {"version", 1073741826, "pkcs-7-CMSVersion"}, + {"digestAlgorithms", 1073741826, "pkcs-7-DigestAlgorithmIdentifiers"}, + {"encapContentInfo", 1073741826, "pkcs-7-EncapsulatedContentInfo"}, + {"certificates", 1610637314, "pkcs-7-CertificateSet"}, + {0, 4104, "0"}, + {"crls", 1610637314, "pkcs-7-CertificateRevocationLists"}, + {0, 4104, "1"}, + {"signerInfos", 2, "pkcs-7-SignerInfos"}, + {"pkcs-7-CMSVersion", 1610874883, 0}, + {"v0", 1073741825, "0"}, + {"v1", 1073741825, "1"}, + {"v2", 1073741825, "2"}, + {"v3", 1073741825, "3"}, + {"v4", 1, "4"}, + {"pkcs-7-DigestAlgorithmIdentifiers", 1610612751, 0}, + {0, 2, "pkcs-7-DigestAlgorithmIdentifier"}, + {"pkcs-7-DigestAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"}, + {"pkcs-7-EncapsulatedContentInfo", 1610612741, 0}, + {"eContentType", 1073741826, "pkcs-7-ContentType"}, + {"eContent", 536895495, 0}, + {0, 2056, "0"}, + {"pkcs-7-CertificateRevocationLists", 1610612751, 0}, + {0, 13, 0}, + {"pkcs-7-CertificateChoices", 1610612754, 0}, + {"certificate", 13, 0}, + {"pkcs-7-CertificateSet", 1610612751, 0}, + {0, 2, "pkcs-7-CertificateChoices"}, + {"pkcs-7-SignerInfos", 1610612751, 0}, + {0, 13, 0}, + {"pkcs-10-CertificationRequestInfo", 1610612741, 0}, + {"version", 1610874883, 0}, + {"v1", 1, "0"}, + {"subject", 1073741826, "Name"}, + {"subjectPKInfo", 1073741826, "SubjectPublicKeyInfo"}, + {"attributes", 536879106, "Attributes"}, + {0, 4104, "0"}, + {"Attributes", 1610612751, 0}, + {0, 2, "Attribute"}, + {"pkcs-10-CertificationRequest", 1610612741, 0}, + {"certificationRequestInfo", 1073741826, + "pkcs-10-CertificationRequestInfo"}, + {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"signature", 6, 0}, + {"pkcs-9-ub-challengePassword", 1342177283, "255"}, + {"pkcs-9-certTypes", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "22"}, + {"pkcs-9-crlTypes", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "23"}, + {"pkcs-9-at-challengePassword", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "7"}, + {"pkcs-9-challengePassword", 1610612754, 0}, + {"printableString", 1612709890, "PrintableString"}, + {"pkcs-9-ub-challengePassword", 524298, "1"}, + {"utf8String", 538968066, "UTF8String"}, + {"pkcs-9-ub-challengePassword", 524298, "1"}, + {"pkcs-9-at-localKeyId", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "21"}, + {"pkcs-9-localKeyId", 1073741831, 0}, + {"pkcs-9-at-friendlyName", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "20"}, + {"pkcs-9-friendlyName", 1612709890, "BMPString"}, + {"255", 524298, "1"}, + {"pkcs-8-PrivateKeyInfo", 1610612741, 0}, + {"version", 1073741826, "pkcs-8-Version"}, + {"privateKeyAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"privateKey", 1073741826, "pkcs-8-PrivateKey"}, + {"attributes", 536895490, "Attributes"}, + {0, 4104, "0"}, + {"pkcs-8-Version", 1610874883, 0}, + {"v1", 1, "0"}, + {"pkcs-8-PrivateKey", 1073741831, 0}, + {"pkcs-8-Attributes", 1610612751, 0}, + {0, 2, "Attribute"}, + {"pkcs-8-EncryptedPrivateKeyInfo", 1610612741, 0}, + {"encryptionAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"encryptedData", 2, "pkcs-8-EncryptedData"}, + {"pkcs-8-EncryptedData", 1073741831, 0}, + {"pkcs-5", 1879048204, 0}, + {0, 1073741825, "pkcs"}, + {0, 1, "5"}, + {"pkcs-5-encryptionAlgorithm", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"rsadsi", 1073741825, "113549"}, + {0, 1, "3"}, + {"pkcs-5-des-EDE3-CBC", 1879048204, 0}, + {0, 1073741825, "pkcs-5-encryptionAlgorithm"}, + {0, 1, "7"}, + {"pkcs-5-des-EDE3-CBC-params", 1612709895, 0}, + {0, 1048586, "8"}, + {"pkcs-5-id-PBES2", 1879048204, 0}, + {0, 1073741825, "pkcs-5"}, + {0, 1, "13"}, + {"pkcs-5-PBES2-params", 1610612741, 0}, + {"keyDerivationFunc", 1073741826, "AlgorithmIdentifier"}, + {"encryptionScheme", 2, "AlgorithmIdentifier"}, + {"pkcs-5-id-PBKDF2", 1879048204, 0}, + {0, 1073741825, "pkcs-5"}, + {0, 1, "12"}, + {"pkcs-5-PBKDF2-params", 1610612741, 0}, + {"salt", 1610612754, 0}, + {"specified", 1073741831, 0}, + {"otherSource", 2, "AlgorithmIdentifier"}, + {"iterationCount", 1611137027, 0}, + {"1", 10, "MAX"}, + {"keyLength", 1611153411, 0}, + {"1", 10, "MAX"}, + {"prf", 16386, "AlgorithmIdentifier"}, + {"pkcs-12", 1879048204, 0}, + {0, 1073741825, "pkcs"}, + {0, 1, "12"}, + {"pkcs-12-PFX", 1610612741, 0}, + {"version", 1610874883, 0}, + {"v3", 1, "3"}, + {"authSafe", 1073741826, "pkcs-7-ContentInfo"}, + {"macData", 16386, "pkcs-12-MacData"}, + {"pkcs-12-PbeParams", 1610612741, 0}, + {"salt", 1073741831, 0}, + {"iterations", 3, 0}, + {"pkcs-12-MacData", 1610612741, 0}, + {"mac", 1073741826, "pkcs-7-DigestInfo"}, + {"macSalt", 1073741831, 0}, + {"iterations", 536903683, 0}, + {0, 9, "1"}, + {"pkcs-12-AuthenticatedSafe", 1610612747, 0}, + {0, 2, "pkcs-7-ContentInfo"}, + {"pkcs-12-SafeContents", 1610612747, 0}, + {0, 2, "pkcs-12-SafeBag"}, + {"pkcs-12-SafeBag", 1610612741, 0}, + {"bagId", 1073741836, 0}, + {"bagValue", 1614815245, 0}, + {0, 1073743880, "0"}, + {"badId", 1, 0}, + {"bagAttributes", 536887311, 0}, + {0, 2, "pkcs-12-PKCS12Attribute"}, + {"pkcs-12-bagtypes", 1879048204, 0}, + {0, 1073741825, "pkcs-12"}, + {0, 1073741825, "10"}, + {0, 1, "1"}, + {"pkcs-12-keyBag", 1879048204, 0}, + {0, 1073741825, "pkcs-12-bagtypes"}, + {0, 1, "1"}, + {"pkcs-12-pkcs8ShroudedKeyBag", 1879048204, 0}, + {0, 1073741825, "pkcs-12-bagtypes"}, + {0, 1, "2"}, + {"pkcs-12-certBag", 1879048204, 0}, + {0, 1073741825, "pkcs-12-bagtypes"}, + {0, 1, "3"}, + {"pkcs-12-crlBag", 1879048204, 0}, + {0, 1073741825, "pkcs-12-bagtypes"}, + {0, 1, "4"}, + {"pkcs-12-KeyBag", 1073741826, "pkcs-8-PrivateKeyInfo"}, + {"pkcs-12-PKCS8ShroudedKeyBag", 1073741826, + "pkcs-8-EncryptedPrivateKeyInfo"}, + {"pkcs-12-CertBag", 1610612741, 0}, + {"certId", 1073741836, 0}, + {"certValue", 541073421, 0}, + {0, 1073743880, "0"}, + {"certId", 1, 0}, + {"pkcs-12-CRLBag", 1610612741, 0}, + {"crlId", 1073741836, 0}, + {"crlValue", 541073421, 0}, + {0, 1073743880, "0"}, + {"crlId", 1, 0}, + {"pkcs-12-PKCS12Attribute", 1073741826, "Attribute"}, + {"pkcs-7-data", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"rsadsi", 1073741825, "113549"}, + {"pkcs", 1073741825, "1"}, + {"pkcs7", 1073741825, "7"}, + {0, 1, "1"}, + {"pkcs-7-encryptedData", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"rsadsi", 1073741825, "113549"}, + {"pkcs", 1073741825, "1"}, + {"pkcs7", 1073741825, "7"}, + {0, 1, "6"}, + {"pkcs-7-Data", 1073741831, 0}, + {"pkcs-7-EncryptedData", 1610612741, 0}, + {"version", 1073741826, "pkcs-7-CMSVersion"}, + {"encryptedContentInfo", 1073741826, "pkcs-7-EncryptedContentInfo"}, + {"unprotectedAttrs", 536895490, "pkcs-7-UnprotectedAttributes"}, + {0, 4104, "1"}, + {"pkcs-7-EncryptedContentInfo", 1610612741, 0}, + {"contentType", 1073741826, "pkcs-7-ContentType"}, + {"contentEncryptionAlgorithm", 1073741826, + "pkcs-7-ContentEncryptionAlgorithmIdentifier"}, + {"encryptedContent", 536895490, "pkcs-7-EncryptedContent"}, + {0, 4104, "0"}, + {"pkcs-7-ContentEncryptionAlgorithmIdentifier", 1073741826, + "AlgorithmIdentifier"}, + {"pkcs-7-EncryptedContent", 1073741831, 0}, + {"pkcs-7-UnprotectedAttributes", 1612709903, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "Attribute"}, + {"id-at-ldap-DC", 1880096780, "AttributeType"}, + {0, 1073741825, "0"}, + {0, 1073741825, "9"}, + {0, 1073741825, "2342"}, + {0, 1073741825, "19200300"}, + {0, 1073741825, "100"}, + {0, 1073741825, "1"}, + {0, 1, "25"}, + {"ldap-DC", 1073741826, "IA5String"}, + {"id-at-ldap-UID", 1880096780, "AttributeType"}, + {0, 1073741825, "0"}, + {0, 1073741825, "9"}, + {0, 1073741825, "2342"}, + {0, 1073741825, "19200300"}, + {0, 1073741825, "100"}, + {0, 1073741825, "1"}, + {0, 1, "1"}, + {"ldap-UID", 1073741826, "IA5String"}, + {"id-pda", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "9"}, + {"id-pda-dateOfBirth", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "1"}, + {"DateOfBirth", 1082130449, 0}, + {"id-pda-placeOfBirth", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "2"}, + {"PlaceOfBirth", 1073741826, "DirectoryString"}, + {"id-pda-gender", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "3"}, + {"Gender", 1612709890, "PrintableString"}, + {0, 1048586, "1"}, + {"id-pda-countryOfCitizenship", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "4"}, + {"CountryOfCitizenship", 1612709890, "PrintableString"}, + {0, 1048586, "2"}, + {"id-pda-countryOfResidence", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "5"}, + {"CountryOfResidence", 538968066, "PrintableString"}, + {0, 1048586, "2"}, + {0, 0, 0} }; diff --git a/lib/strfile.h b/lib/strfile.h index 0d376f752c..3a4d30e0b0 100644 --- a/lib/strfile.h +++ b/lib/strfile.h @@ -22,11 +22,12 @@ * */ -typedef struct { - opaque *data; - size_t size; - int mmaped; +typedef struct +{ + opaque *data; + size_t size; + int mmaped; } strfile; -void _gnutls_strfile_free(strfile * x); -strfile _gnutls_file_to_str(const char *file); +void _gnutls_strfile_free (strfile * x); +strfile _gnutls_file_to_str (const char *file); diff --git a/lib/x509/common.c b/lib/x509/common.c index a619e59625..ae707c2afc 100644 --- a/lib/x509/common.c +++ b/lib/x509/common.c @@ -35,69 +35,73 @@ #include <mpi.h> #include <time.h> -typedef struct _oid2string { - const char *oid; - const char *ldap_desc; - int choice; /* of type DirectoryString */ - int printable; +typedef struct _oid2string +{ + const char *oid; + const char *ldap_desc; + int choice; /* of type DirectoryString */ + int printable; } oid2string; /* This list contains all the OIDs that may be * contained in a rdnSequence and are printable. */ static const oid2string _oid2str[] = { - /* PKIX - */ - {"1.3.6.1.5.5.7.9.1", "dateOfBirth", 0, 1}, - {"1.3.6.1.5.5.7.9.2", "placeOfBirth", 0, 1}, - {"1.3.6.1.5.5.7.9.3", "gender", 0, 1}, - {"1.3.6.1.5.5.7.9.4", "countryOfCitizenship", 0, 1}, - {"1.3.6.1.5.5.7.9.5", "countryOfResidence", 0, 1}, - - {"2.5.4.6", "C", 0, 1}, - {"2.5.4.9", "STREET", 1, 1}, - {"2.5.4.12", "T", 1, 1}, - {"2.5.4.10", "O", 1, 1}, - {"2.5.4.11", "OU", 1, 1}, - {"2.5.4.3", "CN", 1, 1}, - {"2.5.4.7", "L", 1, 1}, - {"2.5.4.8", "ST", 1, 1}, - - {"2.5.4.5", "serialNumber", 0, 1}, - {"2.5.4.20", "telephoneNumber", 0, 1}, - {"2.5.4.4", "surName", 1, 1}, - {"2.5.4.43", "initials", 1, 1}, - {"2.5.4.44", "generationQualifier", 1, 1}, - {"2.5.4.42", "givenName", 1, 1}, - {"2.5.4.65", "pseudonym", 1, 1}, - {"2.5.4.46", "dnQualifier", 0, 1}, - - {"0.9.2342.19200300.100.1.25", "DC", 0, 1}, - {"0.9.2342.19200300.100.1.1", "UID", 0, 1}, - - /* PKCS #9 - */ - {"1.2.840.113549.1.9.1", "EMAIL", 0, 1}, - {"1.2.840.113549.1.9.7", NULL, 1, 1}, - - /* friendly name */ - {"1.2.840.113549.1.9.20", NULL, 0, 1}, - {NULL, NULL, 0, 0} + /* PKIX + */ + {"1.3.6.1.5.5.7.9.1", "dateOfBirth", 0, 1}, + {"1.3.6.1.5.5.7.9.2", "placeOfBirth", 0, 1}, + {"1.3.6.1.5.5.7.9.3", "gender", 0, 1}, + {"1.3.6.1.5.5.7.9.4", "countryOfCitizenship", 0, 1}, + {"1.3.6.1.5.5.7.9.5", "countryOfResidence", 0, 1}, + + {"2.5.4.6", "C", 0, 1}, + {"2.5.4.9", "STREET", 1, 1}, + {"2.5.4.12", "T", 1, 1}, + {"2.5.4.10", "O", 1, 1}, + {"2.5.4.11", "OU", 1, 1}, + {"2.5.4.3", "CN", 1, 1}, + {"2.5.4.7", "L", 1, 1}, + {"2.5.4.8", "ST", 1, 1}, + + {"2.5.4.5", "serialNumber", 0, 1}, + {"2.5.4.20", "telephoneNumber", 0, 1}, + {"2.5.4.4", "surName", 1, 1}, + {"2.5.4.43", "initials", 1, 1}, + {"2.5.4.44", "generationQualifier", 1, 1}, + {"2.5.4.42", "givenName", 1, 1}, + {"2.5.4.65", "pseudonym", 1, 1}, + {"2.5.4.46", "dnQualifier", 0, 1}, + + {"0.9.2342.19200300.100.1.25", "DC", 0, 1}, + {"0.9.2342.19200300.100.1.1", "UID", 0, 1}, + + /* PKCS #9 + */ + {"1.2.840.113549.1.9.1", "EMAIL", 0, 1}, + {"1.2.840.113549.1.9.7", NULL, 1, 1}, + + /* friendly name */ + {"1.2.840.113549.1.9.20", NULL, 0, 1}, + {NULL, NULL, 0, 0} }; /* Returns 1 if the data defined by the OID are printable. */ -int _gnutls_x509_oid_data_printable(const char *oid) +int +_gnutls_x509_oid_data_printable (const char *oid) { - int i = 0; + int i = 0; - do { - if (strcmp(_oid2str[i].oid, oid) == 0) - return _oid2str[i].printable; - i++; - } while (_oid2str[i].oid != NULL); + do + { + if (strcmp (_oid2str[i].oid, oid) == 0) + return _oid2str[i].printable; + i++; + } + while (_oid2str[i].oid != NULL); - return 0; + return 0; } /** @@ -114,46 +118,55 @@ int _gnutls_x509_oid_data_printable(const char *oid) * Returns 1 on known OIDs and 0 otherwise. * **/ -int gnutls_x509_dn_oid_known(const char *oid) +int +gnutls_x509_dn_oid_known (const char *oid) { - int i = 0; + int i = 0; - do { - if (strcmp(_oid2str[i].oid, oid) == 0) - return 1; - i++; - } while (_oid2str[i].oid != NULL); + do + { + if (strcmp (_oid2str[i].oid, oid) == 0) + return 1; + i++; + } + while (_oid2str[i].oid != NULL); - return 0; + return 0; } /* Returns 1 if the data defined by the OID are of a choice * type. */ -int _gnutls_x509_oid_data_choice(const char *oid) +int +_gnutls_x509_oid_data_choice (const char *oid) { - int i = 0; + int i = 0; - do { - if (strcmp(_oid2str[i].oid, oid) == 0) - return _oid2str[i].choice; - i++; - } while (_oid2str[i].oid != NULL); + do + { + if (strcmp (_oid2str[i].oid, oid) == 0) + return _oid2str[i].choice; + i++; + } + while (_oid2str[i].oid != NULL); - return 0; + return 0; } -const char *_gnutls_x509_oid2ldap_string(const char *oid) +const char * +_gnutls_x509_oid2ldap_string (const char *oid) { - int i = 0; + int i = 0; - do { - if (strcmp(_oid2str[i].oid, oid) == 0) - return _oid2str[i].ldap_desc; - i++; - } while (_oid2str[i].oid != NULL); + do + { + if (strcmp (_oid2str[i].oid, oid) == 0) + return _oid2str[i].ldap_desc; + i++; + } + while (_oid2str[i].oid != NULL); - return NULL; + return NULL; } /* This function will convert an attribute value, specified by the OID, @@ -162,166 +175,187 @@ const char *_gnutls_x509_oid2ldap_string(const char *oid) * res may be null. This will just return the res_size, needed to * hold the string. */ -int _gnutls_x509_oid_data2string(const char *oid, void *value, - int value_size, char *res, - size_t * res_size) +int +_gnutls_x509_oid_data2string (const char *oid, void *value, + int value_size, char *res, size_t * res_size) { - char str[MAX_STRING_LEN], tmpname[128]; - const char *ANAME = NULL; - int CHOICE = -1, len = -1, result; - ASN1_TYPE tmpasn = ASN1_TYPE_EMPTY; - - if (value == NULL || value_size <= 0 || res_size == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + char str[MAX_STRING_LEN], tmpname[128]; + const char *ANAME = NULL; + int CHOICE = -1, len = -1, result; + ASN1_TYPE tmpasn = ASN1_TYPE_EMPTY; + + if (value == NULL || value_size <= 0 || res_size == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (_gnutls_x509_oid_data_printable(oid) == 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (_gnutls_x509_oid_data_printable (oid) == 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - ANAME = asn1_find_structure_from_oid(_gnutls_get_pkix(), oid); - CHOICE = _gnutls_x509_oid_data_choice(oid); + ANAME = asn1_find_structure_from_oid (_gnutls_get_pkix (), oid); + CHOICE = _gnutls_x509_oid_data_choice (oid); - if (ANAME == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (ANAME == NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - _gnutls_str_cpy(str, sizeof(str), "PKIX1."); - _gnutls_str_cat(str, sizeof(str), ANAME); + _gnutls_str_cpy (str, sizeof (str), "PKIX1."); + _gnutls_str_cat (str, sizeof (str), ANAME); - if ((result = - asn1_create_element(_gnutls_get_pkix(), str, - &tmpasn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = + asn1_create_element (_gnutls_get_pkix (), str, + &tmpasn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - if ((result = - asn1_der_decoding(&tmpasn, value, value_size, - NULL)) != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&tmpasn); - return _gnutls_asn2err(result); + if ((result = + asn1_der_decoding (&tmpasn, value, value_size, NULL)) != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&tmpasn); + return _gnutls_asn2err (result); } - /* If this is a choice then we read the choice. Otherwise it - * is the value; - */ - len = sizeof(str) - 1; - if ((result = asn1_read_value(tmpasn, "", str, &len)) != ASN1_SUCCESS) { /* CHOICE */ - gnutls_assert(); - asn1_delete_structure(&tmpasn); - return _gnutls_asn2err(result); + /* If this is a choice then we read the choice. Otherwise it + * is the value; + */ + len = sizeof (str) - 1; + if ((result = asn1_read_value (tmpasn, "", str, &len)) != ASN1_SUCCESS) + { /* CHOICE */ + gnutls_assert (); + asn1_delete_structure (&tmpasn); + return _gnutls_asn2err (result); } - if (CHOICE == 0) { - str[len] = 0; - - if (res) - _gnutls_str_cpy(res, *res_size, str); - *res_size = len; + if (CHOICE == 0) + { + str[len] = 0; - asn1_delete_structure(&tmpasn); - } else { /* CHOICE */ - int non_printable = 0, teletex = 0; - str[len] = 0; + if (res) + _gnutls_str_cpy (res, *res_size, str); + *res_size = len; - /* Note that we do not support strings other than - * UTF-8 (thus ASCII as well). - */ - if (strcmp(str, "printableString") != 0 && - strcmp(str, "utf8String") != 0) { - non_printable = 1; + asn1_delete_structure (&tmpasn); + } + else + { /* CHOICE */ + int non_printable = 0, teletex = 0; + str[len] = 0; + + /* Note that we do not support strings other than + * UTF-8 (thus ASCII as well). + */ + if (strcmp (str, "printableString") != 0 && + strcmp (str, "utf8String") != 0) + { + non_printable = 1; } - if (strcmp(str, "teletexString") == 0) - teletex = 1; + if (strcmp (str, "teletexString") == 0) + teletex = 1; - _gnutls_str_cpy(tmpname, sizeof(tmpname), str); + _gnutls_str_cpy (tmpname, sizeof (tmpname), str); - len = sizeof(str) - 1; - if ((result = - asn1_read_value(tmpasn, tmpname, str, - &len)) != ASN1_SUCCESS) { - asn1_delete_structure(&tmpasn); - return _gnutls_asn2err(result); + len = sizeof (str) - 1; + if ((result = + asn1_read_value (tmpasn, tmpname, str, &len)) != ASN1_SUCCESS) + { + asn1_delete_structure (&tmpasn); + return _gnutls_asn2err (result); } - asn1_delete_structure(&tmpasn); + asn1_delete_structure (&tmpasn); - if (teletex != 0) { - int ascii = 0, i; - /* HACK: if the teletex string contains only ascii - * characters then treat it as printable. - */ - for (i = 0; i < len; i++) - if (!isascii(str[i])) - ascii = 1; + if (teletex != 0) + { + int ascii = 0, i; + /* HACK: if the teletex string contains only ascii + * characters then treat it as printable. + */ + for (i = 0; i < len; i++) + if (!isascii (str[i])) + ascii = 1; - if (ascii == 0) - non_printable = 0; + if (ascii == 0) + non_printable = 0; } - if (res) { - if (non_printable == 0) { - str[len] = 0; - _gnutls_str_cpy(res, *res_size, str); - *res_size = len; - } else { - result = _gnutls_x509_data2hex(str, len, res, res_size); - if (result < 0) { - gnutls_assert(); - return result; + if (res) + { + if (non_printable == 0) + { + str[len] = 0; + _gnutls_str_cpy (res, *res_size, str); + *res_size = len; + } + else + { + result = _gnutls_x509_data2hex (str, len, res, res_size); + if (result < 0) + { + gnutls_assert (); + return result; } } } } - return 0; + return 0; } /* Converts a data string to an LDAP rfc2253 hex string * something like '#01020304' */ -int _gnutls_x509_data2hex(const opaque * data, size_t data_size, - opaque * out, size_t * sizeof_out) +int +_gnutls_x509_data2hex (const opaque * data, size_t data_size, + opaque * out, size_t * sizeof_out) { - char *res; - char escaped[MAX_STRING_LEN]; - - if (2 * data_size + 1 > MAX_STRING_LEN) - { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - res = _gnutls_bin2hex(data, data_size, escaped, sizeof(escaped)); - - if (res) { - unsigned int size = strlen(res) + 1; - if (size + 1 > *sizeof_out) { - *sizeof_out = size; - return GNUTLS_E_SHORT_MEMORY_BUFFER; + char *res; + char escaped[MAX_STRING_LEN]; + + if (2 * data_size + 1 > MAX_STRING_LEN) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; + } + + res = _gnutls_bin2hex (data, data_size, escaped, sizeof (escaped)); + + if (res) + { + unsigned int size = strlen (res) + 1; + if (size + 1 > *sizeof_out) + { + *sizeof_out = size; + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - *sizeof_out = size; /* -1 for the null +1 for the '#' */ + *sizeof_out = size; /* -1 for the null +1 for the '#' */ - if (out) { - strcpy(out, "#"); - strcat(out, res); + if (out) + { + strcpy (out, "#"); + strcat (out, res); } - return 0; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + return 0; + } + else + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - return 0; + return 0; } @@ -329,12 +363,13 @@ int _gnutls_x509_data2hex(const opaque * data, size_t data_size, * numbers to characters. Use a character string of MAX_INT_DIGITS, in * order to have enough space for it. */ -void _gnutls_int2str(unsigned int k, char *data) +void +_gnutls_int2str (unsigned int k, char *data) { - if (k > 999) - sprintf(data, "%d", 999); - else - sprintf(data, "%d", k); + if (k > 999) + sprintf (data, "%d", 999); + else + sprintf (data, "%d", k); } /* TIME functions @@ -346,13 +381,14 @@ void _gnutls_int2str(unsigned int k, char *data) * Since we do not use libc's functions, we don't need to * depend on the libc structure. */ -typedef struct fake_tm { - int tm_mon; - int tm_year; /* FULL year - ie 1971 */ - int tm_mday; - int tm_hour; - int tm_min; - int tm_sec; +typedef struct fake_tm +{ + int tm_mon; + int tm_year; /* FULL year - ie 1971 */ + int tm_mday; + int tm_hour; + int tm_min; + int tm_sec; } fake_tm; /* The mktime_utc function is due to Russ Allbery (rra@stanford.edu), @@ -362,7 +398,7 @@ typedef struct fake_tm { /* The number of days in each month. */ static const int MONTHDAYS[] = { - 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 + 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 }; /* Whether a given year is a leap year. */ @@ -375,31 +411,32 @@ static const int MONTHDAYS[] = { ** convertable. Note that this function does not canonicalize the provided ** struct tm, nor does it allow out of range values or years before 1970. */ -static time_t mktime_utc(const struct fake_tm *tm) +static time_t +mktime_utc (const struct fake_tm *tm) { - time_t result = 0; - int i; + time_t result = 0; + int i; /* We do allow some ill-formed dates, but we don't do anything special * with them and our callers really shouldn't pass them to us. Do * explicitly disallow the ones that would cause invalid array accesses * or other algorithm problems. */ - if (tm->tm_mon < 0 || tm->tm_mon > 11 || tm->tm_year < 1970) - return (time_t) - 1; + if (tm->tm_mon < 0 || tm->tm_mon > 11 || tm->tm_year < 1970) + return (time_t) - 1; /* Convert to a time_t. */ - for (i = 1970; i < tm->tm_year; i++) - result += 365 + ISLEAP(i); - for (i = 0; i < tm->tm_mon; i++) - result += MONTHDAYS[i]; - if (tm->tm_mon > 1 && ISLEAP(tm->tm_year)) - result++; - result = 24 * (result + tm->tm_mday - 1) + tm->tm_hour; - result = 60 * result + tm->tm_min; - result = 60 * result + tm->tm_sec; - return result; + for (i = 1970; i < tm->tm_year; i++) + result += 365 + ISLEAP (i); + for (i = 0; i < tm->tm_mon; i++) + result += MONTHDAYS[i]; + if (tm->tm_mon > 1 && ISLEAP (tm->tm_year)) + result++; + result = 24 * (result + tm->tm_mday - 1) + tm->tm_hour; + result = 60 * result + tm->tm_min; + result = 60 * result + tm->tm_sec; + return result; } @@ -407,61 +444,65 @@ static time_t mktime_utc(const struct fake_tm *tm) * month|day|hour|minute|sec* (2 chars each) * and year is given. Returns a time_t date. */ -time_t _gnutls_x509_time2gtime(const char *ttime, int year) +time_t +_gnutls_x509_time2gtime (const char *ttime, int year) { - char xx[3]; - struct fake_tm etime; - time_t ret; - - if (strlen(ttime) < 8) { - gnutls_assert(); - return (time_t) - 1; + char xx[3]; + struct fake_tm etime; + time_t ret; + + if (strlen (ttime) < 8) + { + gnutls_assert (); + return (time_t) - 1; } - etime.tm_year = year; + etime.tm_year = year; - /* In order to work with 32 bit - * time_t. - */ - if (sizeof(time_t) <= 4 && etime.tm_year >= 2038) - return (time_t) 2145914603; /* 2037-12-31 23:23:23 */ + /* In order to work with 32 bit + * time_t. + */ + if (sizeof (time_t) <= 4 && etime.tm_year >= 2038) + return (time_t) 2145914603; /* 2037-12-31 23:23:23 */ - xx[2] = 0; + xx[2] = 0; /* get the month */ - memcpy(xx, ttime, 2); /* month */ - etime.tm_mon = atoi(xx) - 1; - ttime += 2; + memcpy (xx, ttime, 2); /* month */ + etime.tm_mon = atoi (xx) - 1; + ttime += 2; /* get the day */ - memcpy(xx, ttime, 2); /* day */ - etime.tm_mday = atoi(xx); - ttime += 2; + memcpy (xx, ttime, 2); /* day */ + etime.tm_mday = atoi (xx); + ttime += 2; /* get the hour */ - memcpy(xx, ttime, 2); /* hour */ - etime.tm_hour = atoi(xx); - ttime += 2; + memcpy (xx, ttime, 2); /* hour */ + etime.tm_hour = atoi (xx); + ttime += 2; /* get the minutes */ - memcpy(xx, ttime, 2); /* minutes */ - etime.tm_min = atoi(xx); - ttime += 2; - - if (strlen(ttime) >= 2) { - memcpy(xx, ttime, 2); - etime.tm_sec = atoi(xx); - ttime += 2; - } else - etime.tm_sec = 0; + memcpy (xx, ttime, 2); /* minutes */ + etime.tm_min = atoi (xx); + ttime += 2; + + if (strlen (ttime) >= 2) + { + memcpy (xx, ttime, 2); + etime.tm_sec = atoi (xx); + ttime += 2; + } + else + etime.tm_sec = 0; - ret = mktime_utc(&etime); + ret = mktime_utc (&etime); - return ret; + return ret; } @@ -471,59 +512,62 @@ time_t _gnutls_x509_time2gtime(const char *ttime, int year) * * (seconds are optional) */ -time_t _gnutls_x509_utcTime2gtime(const char *ttime) +time_t +_gnutls_x509_utcTime2gtime (const char *ttime) { - char xx[3]; - int year; + char xx[3]; + int year; - if (strlen(ttime) < 10) { - gnutls_assert(); - return (time_t) - 1; + if (strlen (ttime) < 10) + { + gnutls_assert (); + return (time_t) - 1; } - xx[2] = 0; + xx[2] = 0; /* get the year */ - memcpy(xx, ttime, 2); /* year */ - year = atoi(xx); - ttime += 2; + memcpy (xx, ttime, 2); /* year */ + year = atoi (xx); + ttime += 2; - if (year > 49) - year += 1900; - else - year += 2000; + if (year > 49) + year += 1900; + else + year += 2000; - return _gnutls_x509_time2gtime(ttime, year); + return _gnutls_x509_time2gtime (ttime, year); } /* returns a time value that contains the given time. * The given time is expressed as: * YEAR(2)|MONTH(2)|DAY(2)|HOUR(2)|MIN(2)|SEC(2) */ -int _gnutls_x509_gtime2utcTime(time_t gtime, char *str_time, - int str_time_size) +int +_gnutls_x509_gtime2utcTime (time_t gtime, char *str_time, int str_time_size) { - size_t ret; + size_t ret; #ifdef HAVE_GMTIME_R - struct tm _tm; + struct tm _tm; - gmtime_r(>ime, &_tm); + gmtime_r (>ime, &_tm); - ret = strftime(str_time, str_time_size, "%y%m%d%H%M%SZ", &_tm); + ret = strftime (str_time, str_time_size, "%y%m%d%H%M%SZ", &_tm); #else - struct tm *_tm; + struct tm *_tm; - _tm = gmtime(>ime); + _tm = gmtime (>ime); - ret = strftime(str_time, str_time_size, "%y%m%d%H%M%SZ", _tm); + ret = strftime (str_time, str_time_size, "%y%m%d%H%M%SZ", _tm); #endif - if (!ret) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (!ret) + { + gnutls_assert (); + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - return 0; + return 0; } @@ -531,31 +575,34 @@ int _gnutls_x509_gtime2utcTime(time_t gtime, char *str_time, * The given time is expressed as: * YEAR(4)|MONTH(2)|DAY(2)|HOUR(2)|MIN(2)|SEC(2)* */ -time_t _gnutls_x509_generalTime2gtime(const char *ttime) +time_t +_gnutls_x509_generalTime2gtime (const char *ttime) { - char xx[5]; - int year; + char xx[5]; + int year; - if (strlen(ttime) < 12) { - gnutls_assert(); - return (time_t) - 1; + if (strlen (ttime) < 12) + { + gnutls_assert (); + return (time_t) - 1; } - if (strchr(ttime, 'Z') == 0) { - gnutls_assert(); - /* sorry we don't support it yet - */ - return (time_t) - 1; + if (strchr (ttime, 'Z') == 0) + { + gnutls_assert (); + /* sorry we don't support it yet + */ + return (time_t) - 1; } - xx[4] = 0; + xx[4] = 0; /* get the year */ - memcpy(xx, ttime, 4); /* year */ - year = atoi(xx); - ttime += 4; + memcpy (xx, ttime, 4); /* year */ + year = atoi (xx); + ttime += 4; - return _gnutls_x509_time2gtime(ttime, year); + return _gnutls_x509_time2gtime (ttime, year); } @@ -563,240 +610,267 @@ time_t _gnutls_x509_generalTime2gtime(const char *ttime) * be something like "tbsCertList.thisUpdate". */ #define MAX_TIME 1024 -time_t _gnutls_x509_get_time(ASN1_TYPE c2, const char *when) +time_t +_gnutls_x509_get_time (ASN1_TYPE c2, const char *when) { - char ttime[MAX_TIME]; - char name[1024]; - time_t c_time = (time_t) - 1; - int len, result; - - _gnutls_str_cpy(name, sizeof(name), when); - - len = sizeof(ttime) - 1; - if ((result = asn1_read_value(c2, name, ttime, &len)) < 0) { - gnutls_assert(); - return (time_t) (-1); + char ttime[MAX_TIME]; + char name[1024]; + time_t c_time = (time_t) - 1; + int len, result; + + _gnutls_str_cpy (name, sizeof (name), when); + + len = sizeof (ttime) - 1; + if ((result = asn1_read_value (c2, name, ttime, &len)) < 0) + { + gnutls_assert (); + return (time_t) (-1); } - /* CHOICE */ - if (strcmp(ttime, "generalTime") == 0) { - - _gnutls_str_cat(name, sizeof(name), ".generalTime"); - len = sizeof(ttime) - 1; - result = asn1_read_value(c2, name, ttime, &len); - if (result == ASN1_SUCCESS) - c_time = _gnutls_x509_generalTime2gtime(ttime); - } else { /* UTCTIME */ + /* CHOICE */ + if (strcmp (ttime, "generalTime") == 0) + { - _gnutls_str_cat(name, sizeof(name), ".utcTime"); - len = sizeof(ttime) - 1; - result = asn1_read_value(c2, name, ttime, &len); - if (result == ASN1_SUCCESS) - c_time = _gnutls_x509_utcTime2gtime(ttime); + _gnutls_str_cat (name, sizeof (name), ".generalTime"); + len = sizeof (ttime) - 1; + result = asn1_read_value (c2, name, ttime, &len); + if (result == ASN1_SUCCESS) + c_time = _gnutls_x509_generalTime2gtime (ttime); + } + else + { /* UTCTIME */ + + _gnutls_str_cat (name, sizeof (name), ".utcTime"); + len = sizeof (ttime) - 1; + result = asn1_read_value (c2, name, ttime, &len); + if (result == ASN1_SUCCESS) + c_time = _gnutls_x509_utcTime2gtime (ttime); } - /* We cannot handle dates after 2031 in 32 bit machines. - * a time_t of 64bits has to be used. - */ + /* We cannot handle dates after 2031 in 32 bit machines. + * a time_t of 64bits has to be used. + */ - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return (time_t) (-1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return (time_t) (-1); } - return c_time; + return c_time; } /* Sets the time in time_t in the ASN1_TYPE given. Where should * be something like "tbsCertList.thisUpdate". */ -int _gnutls_x509_set_time(ASN1_TYPE c2, const char *where, time_t tim) +int +_gnutls_x509_set_time (ASN1_TYPE c2, const char *where, time_t tim) { - char str_time[MAX_TIME]; - char name[1024]; - int result, len; + char str_time[MAX_TIME]; + char name[1024]; + int result, len; - _gnutls_str_cpy(name, sizeof(name), where); + _gnutls_str_cpy (name, sizeof (name), where); - if ((result = asn1_write_value(c2, name, "utcTime", 1)) < 0) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = asn1_write_value (c2, name, "utcTime", 1)) < 0) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = _gnutls_x509_gtime2utcTime(tim, str_time, sizeof(str_time)); - if (result < 0) { - gnutls_assert(); - return result; + result = _gnutls_x509_gtime2utcTime (tim, str_time, sizeof (str_time)); + if (result < 0) + { + gnutls_assert (); + return result; } - _gnutls_str_cat(name, sizeof(name), ".utcTime"); + _gnutls_str_cat (name, sizeof (name), ".utcTime"); - len = strlen( str_time); - result = asn1_write_value(c2, name, str_time, len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + len = strlen (str_time); + result = asn1_write_value (c2, name, str_time, len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } -gnutls_x509_subject_alt_name_t _gnutls_x509_san_find_type(char *str_type) +gnutls_x509_subject_alt_name_t +_gnutls_x509_san_find_type (char *str_type) { - if (strcmp(str_type, "dNSName") == 0) - return GNUTLS_SAN_DNSNAME; - if (strcmp(str_type, "rfc822Name") == 0) - return GNUTLS_SAN_RFC822NAME; - if (strcmp(str_type, "uniformResourceIdentifier") == 0) - return GNUTLS_SAN_URI; - if (strcmp(str_type, "iPAddress") == 0) - return GNUTLS_SAN_IPADDRESS; - return (gnutls_x509_subject_alt_name_t) - 1; + if (strcmp (str_type, "dNSName") == 0) + return GNUTLS_SAN_DNSNAME; + if (strcmp (str_type, "rfc822Name") == 0) + return GNUTLS_SAN_RFC822NAME; + if (strcmp (str_type, "uniformResourceIdentifier") == 0) + return GNUTLS_SAN_URI; + if (strcmp (str_type, "iPAddress") == 0) + return GNUTLS_SAN_IPADDRESS; + return (gnutls_x509_subject_alt_name_t) - 1; } /* A generic export function. Will export the given ASN.1 encoded data * to PEM or DER raw data. */ -int _gnutls_x509_export_int(ASN1_TYPE asn1_data, - gnutls_x509_crt_fmt_t format, char *pem_header, - int tmp_buf_size, unsigned char *output_data, - size_t * output_data_size) +int +_gnutls_x509_export_int (ASN1_TYPE asn1_data, + gnutls_x509_crt_fmt_t format, char *pem_header, + int tmp_buf_size, unsigned char *output_data, + size_t * output_data_size) { - int result, len; - if (tmp_buf_size == 0) - tmp_buf_size = 16 * 1024; - - if (format == GNUTLS_X509_FMT_DER) { - - if (output_data == NULL) - *output_data_size = 0; - - len = *output_data_size; - - if ((result = - asn1_der_coding(asn1_data, "", output_data, &len, - NULL)) != ASN1_SUCCESS) { - *output_data_size = len; - if (result == ASN1_MEM_ERROR) { - return GNUTLS_E_SHORT_MEMORY_BUFFER; + int result, len; + if (tmp_buf_size == 0) + tmp_buf_size = 16 * 1024; + + if (format == GNUTLS_X509_FMT_DER) + { + + if (output_data == NULL) + *output_data_size = 0; + + len = *output_data_size; + + if ((result = + asn1_der_coding (asn1_data, "", output_data, &len, + NULL)) != ASN1_SUCCESS) + { + *output_data_size = len; + if (result == ASN1_MEM_ERROR) + { + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - gnutls_assert(); - return _gnutls_asn2err(result); + gnutls_assert (); + return _gnutls_asn2err (result); } - *output_data_size = len; - - } else { /* PEM */ - opaque *tmp; - opaque *out; + *output_data_size = len; - len = tmp_buf_size; - - tmp = gnutls_alloca(len); - if (tmp == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + } + else + { /* PEM */ + opaque *tmp; + opaque *out; + + len = tmp_buf_size; + + tmp = gnutls_alloca (len); + if (tmp == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - if ((result = - asn1_der_coding(asn1_data, "", tmp, &len, - NULL)) != ASN1_SUCCESS) { - gnutls_assert(); - if (result == ASN1_MEM_ERROR) { - *output_data_size = B64FSIZE(strlen(pem_header), len) + 1; + if ((result = + asn1_der_coding (asn1_data, "", tmp, &len, NULL)) != ASN1_SUCCESS) + { + gnutls_assert (); + if (result == ASN1_MEM_ERROR) + { + *output_data_size = B64FSIZE (strlen (pem_header), len) + 1; } - gnutls_afree(tmp); - return _gnutls_asn2err(result); + gnutls_afree (tmp); + return _gnutls_asn2err (result); } - result = _gnutls_fbase64_encode(pem_header, tmp, len, &out); + result = _gnutls_fbase64_encode (pem_header, tmp, len, &out); - gnutls_afree(tmp); + gnutls_afree (tmp); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - if (result == 0) { /* oooops */ - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (result == 0) + { /* oooops */ + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - if ((uint) result > *output_data_size) { - gnutls_assert(); - gnutls_free(out); - *output_data_size = result; - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if ((uint) result > *output_data_size) + { + gnutls_assert (); + gnutls_free (out); + *output_data_size = result; + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - *output_data_size = result; + *output_data_size = result; - if (output_data) { - memcpy(output_data, out, result); + if (output_data) + { + memcpy (output_data, out, result); - /* do not include the null character into output size. - */ - *output_data_size = result - 1; + /* do not include the null character into output size. + */ + *output_data_size = result - 1; } - gnutls_free(out); + gnutls_free (out); } - return 0; + return 0; } /* Decodes an octet string. Leave string_type null for a normal * octet string. Otherwise put something like BMPString, PrintableString * etc. */ -int _gnutls_x509_decode_octet_string( const char* string_type, - const opaque* der, size_t der_size, - opaque* output, size_t* output_size) +int +_gnutls_x509_decode_octet_string (const char *string_type, + const opaque * der, size_t der_size, + opaque * output, size_t * output_size) { -ASN1_TYPE c2 = ASN1_TYPE_EMPTY; -int result, tmp_output_size; -char strname[64]; - - if (string_type == NULL) - _gnutls_str_cpy( strname, sizeof(strname), "PKIX1.pkcs-7-Data"); - else { - _gnutls_str_cpy( strname, sizeof(strname), "PKIX1."); - _gnutls_str_cat( strname, sizeof(strname), string_type); - } - - if ((result = asn1_create_element - (_gnutls_get_pkix(), strname, - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, tmp_output_size; + char strname[64]; + + if (string_type == NULL) + _gnutls_str_cpy (strname, sizeof (strname), "PKIX1.pkcs-7-Data"); + else + { + _gnutls_str_cpy (strname, sizeof (strname), "PKIX1."); + _gnutls_str_cat (strname, sizeof (strname), string_type); + } - result = asn1_der_decoding(&c2, der, der_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if ((result = asn1_create_element + (_gnutls_get_pkix (), strname, &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } - tmp_output_size = *output_size; - result = asn1_read_value(c2, "", output, &tmp_output_size); - *output_size = tmp_output_size; + result = asn1_der_decoding (&c2, der, der_size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - return 0; - - cleanup: - if (c2) - asn1_delete_structure(&c2); - - return result; + tmp_output_size = *output_size; + result = asn1_read_value (c2, "", output, &tmp_output_size); + *output_size = tmp_output_size; + + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + return 0; + +cleanup: + if (c2) + asn1_delete_structure (&c2); + + return result; } @@ -805,55 +879,61 @@ char strname[64]; * If str is non zero, then the output will be treated as * an octet string. */ -int _gnutls_x509_read_value(ASN1_TYPE c, const char *root, - gnutls_datum_t * ret, int str) +int +_gnutls_x509_read_value (ASN1_TYPE c, const char *root, + gnutls_datum_t * ret, int str) { - int len = 0, result; - size_t slen; - opaque *tmp = NULL; - - result = asn1_read_value(c, root, NULL, &len); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - return result; + int len = 0, result; + size_t slen; + opaque *tmp = NULL; + + result = asn1_read_value (c, root, NULL, &len); + if (result != ASN1_MEM_ERROR) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + return result; } - tmp = gnutls_malloc(len); - if (tmp == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + tmp = gnutls_malloc (len); + if (tmp == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; } - result = asn1_read_value(c, root, tmp, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_read_value (c, root, tmp, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Extract the OCTET STRING. - */ - - if (str) { - slen = len; - result = _gnutls_x509_decode_octet_string(NULL, tmp, slen, tmp, &slen); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - len = slen; + /* Extract the OCTET STRING. + */ + + if (str) + { + slen = len; + result = _gnutls_x509_decode_octet_string (NULL, tmp, slen, tmp, &slen); + if (result < 0) + { + gnutls_assert (); + goto cleanup; + } + len = slen; } - ret->data = tmp; - ret->size = len; + ret->data = tmp; + ret->size = len; - return 0; + return 0; - cleanup: - gnutls_free(tmp); - return result; +cleanup: + gnutls_free (tmp); + return result; } @@ -861,79 +941,86 @@ int _gnutls_x509_read_value(ASN1_TYPE c, const char *root, * the given datum. If str is non null then the data are encoded as * an OCTET STRING. */ -int _gnutls_x509_der_encode(ASN1_TYPE src, const char *src_name, - gnutls_datum_t * res, int str) +int +_gnutls_x509_der_encode (ASN1_TYPE src, const char *src_name, + gnutls_datum_t * res, int str) { - int size, result; - int asize; - opaque *data = NULL; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - size = 0; - result = asn1_der_coding(src, src_name, NULL, &size, NULL); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* allocate data for the der - */ - - if (str) - size += 16; /* for later to include the octet tags */ - asize = size; - - data = gnutls_malloc(size); - if (data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - result = asn1_der_coding(src, src_name, data, &size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (str) { - if ((result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + int size, result; + int asize; + opaque *data = NULL; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + size = 0; + result = asn1_der_coding (src, src_name, NULL, &size, NULL); + if (result != ASN1_MEM_ERROR) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + /* allocate data for the der + */ + + if (str) + size += 16; /* for later to include the octet tags */ + asize = size; + + data = gnutls_malloc (size); + if (data == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + result = asn1_der_coding (src, src_name, data, &size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if (str) + { + if ((result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.pkcs-7-Data", &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - result = asn1_write_value(c2, "", data, size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_write_value (c2, "", data, size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - result = asn1_der_coding(c2, "", data, &asize, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_der_coding (c2, "", data, &asize, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - size = asize; + size = asize; - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); } - res->data = data; - res->size = size; - return 0; + res->data = data; + res->size = size; + return 0; - cleanup: - gnutls_free(data); - asn1_delete_structure(&c2); - return result; +cleanup: + gnutls_free (data); + asn1_delete_structure (&c2); + return result; } @@ -942,438 +1029,485 @@ int _gnutls_x509_der_encode(ASN1_TYPE src, const char *src_name, * as OCTET. If str is non null then the data are encoded as * an OCTET STRING. */ -int _gnutls_x509_der_encode_and_copy(ASN1_TYPE src, const char *src_name, - ASN1_TYPE dest, const char *dest_name, - int str) +int +_gnutls_x509_der_encode_and_copy (ASN1_TYPE src, const char *src_name, + ASN1_TYPE dest, const char *dest_name, + int str) { - int result; - gnutls_datum_t encoded; + int result; + gnutls_datum_t encoded; - result = _gnutls_x509_der_encode(src, src_name, &encoded, str); + result = _gnutls_x509_der_encode (src, src_name, &encoded, str); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - /* Write the data. - */ - result = asn1_write_value(dest, dest_name, encoded.data, encoded.size); + /* Write the data. + */ + result = asn1_write_value (dest, dest_name, encoded.data, encoded.size); - _gnutls_free_datum(&encoded); + _gnutls_free_datum (&encoded); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } /* Writes the value of the datum in the given ASN1_TYPE. If str is non * zero it encodes it as OCTET STRING. */ -int _gnutls_x509_write_value(ASN1_TYPE c, const char *root, - const gnutls_datum_t * data, int str) +int +_gnutls_x509_write_value (ASN1_TYPE c, const char *root, + const gnutls_datum_t * data, int str) { - int result; - int asize; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - gnutls_datum_t val; - - asize = data->size + 16; - - val.data = gnutls_malloc(asize); - if (val.data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - if (str) { - /* Convert it to OCTET STRING - */ - if ((result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + int result; + int asize; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + gnutls_datum_t val; + + asize = data->size + 16; + + val.data = gnutls_malloc (asize); + if (val.data == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + if (str) + { + /* Convert it to OCTET STRING + */ + if ((result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.pkcs-7-Data", &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - result = asn1_write_value(c2, "", data->data, data->size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_write_value (c2, "", data->data, data->size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - result = _gnutls_x509_der_encode(c2, "", &val, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _gnutls_x509_der_encode (c2, "", &val, 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - } else { - val.data = data->data; - val.size = data->size; + } + else + { + val.data = data->data; + val.size = data->size; } - /* Write the data. - */ - result = asn1_write_value(c, root, val.data, val.size); + /* Write the data. + */ + result = asn1_write_value (c, root, val.data, val.size); - if (val.data != data->data) - _gnutls_free_datum(&val); + if (val.data != data->data) + _gnutls_free_datum (&val); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; - cleanup: - if (val.data != data->data) - _gnutls_free_datum(&val); - return result; +cleanup: + if (val.data != data->data) + _gnutls_free_datum (&val); + return result; } /* Encodes and copies the private key parameters into a * subjectPublicKeyInfo structure. * */ -int _gnutls_x509_encode_and_copy_PKI_params(ASN1_TYPE dst, - const char *dst_name, - gnutls_pk_algorithm_t - pk_algorithm, mpi_t * params, - int params_size) +int +_gnutls_x509_encode_and_copy_PKI_params (ASN1_TYPE dst, + const char *dst_name, + gnutls_pk_algorithm_t + pk_algorithm, mpi_t * params, + int params_size) { - const char *pk; - gnutls_datum_t der = { NULL, 0 }; - int result; - char name[128]; - - pk = _gnutls_x509_pk_to_oid(pk_algorithm); - if (pk == NULL) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_PK_ALGORITHM; - } - - /* write the OID - */ - _gnutls_str_cpy(name, sizeof(name), dst_name); - _gnutls_str_cat(name, sizeof(name), ".algorithm.algorithm"); - result = asn1_write_value(dst, name, pk, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if (pk_algorithm == GNUTLS_PK_RSA) { - /* disable parameters, which are not used in RSA. - */ - _gnutls_str_cpy(name, sizeof(name), dst_name); - _gnutls_str_cat(name, sizeof(name), ".algorithm.parameters"); - result = asn1_write_value(dst, name, NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + const char *pk; + gnutls_datum_t der = { NULL, 0 }; + int result; + char name[128]; + + pk = _gnutls_x509_pk_to_oid (pk_algorithm); + if (pk == NULL) + { + gnutls_assert (); + return GNUTLS_E_UNKNOWN_PK_ALGORITHM; + } + + /* write the OID + */ + _gnutls_str_cpy (name, sizeof (name), dst_name); + _gnutls_str_cat (name, sizeof (name), ".algorithm.algorithm"); + result = asn1_write_value (dst, name, pk, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + if (pk_algorithm == GNUTLS_PK_RSA) + { + /* disable parameters, which are not used in RSA. + */ + _gnutls_str_cpy (name, sizeof (name), dst_name); + _gnutls_str_cat (name, sizeof (name), ".algorithm.parameters"); + result = asn1_write_value (dst, name, NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = _gnutls_x509_write_rsa_params(params, params_size, &der); - if (result < 0) { - gnutls_assert(); - return result; + result = _gnutls_x509_write_rsa_params (params, params_size, &der); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Write the DER parameters. (in bits) - */ - _gnutls_str_cpy(name, sizeof(name), dst_name); - _gnutls_str_cat(name, sizeof(name), ".subjectPublicKey"); - result = asn1_write_value(dst, name, der.data, der.size * 8); + /* Write the DER parameters. (in bits) + */ + _gnutls_str_cpy (name, sizeof (name), dst_name); + _gnutls_str_cat (name, sizeof (name), ".subjectPublicKey"); + result = asn1_write_value (dst, name, der.data, der.size * 8); - _gnutls_free_datum(&der); + _gnutls_free_datum (&der); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - } else if (pk_algorithm == GNUTLS_PK_DSA) { - - result = _gnutls_x509_write_dsa_params(params, params_size, &der); - if (result < 0) { - gnutls_assert(); - return result; + } + else if (pk_algorithm == GNUTLS_PK_DSA) + { + + result = _gnutls_x509_write_dsa_params (params, params_size, &der); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Write the DER parameters. - */ - _gnutls_str_cpy(name, sizeof(name), dst_name); - _gnutls_str_cat(name, sizeof(name), ".algorithm.parameters"); - result = asn1_write_value(dst, name, der.data, der.size); + /* Write the DER parameters. + */ + _gnutls_str_cpy (name, sizeof (name), dst_name); + _gnutls_str_cat (name, sizeof (name), ".algorithm.parameters"); + result = asn1_write_value (dst, name, der.data, der.size); - _gnutls_free_datum(&der); + _gnutls_free_datum (&der); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = - _gnutls_x509_write_dsa_public_key(params, params_size, &der); - if (result < 0) { - gnutls_assert(); - return result; + result = _gnutls_x509_write_dsa_public_key (params, params_size, &der); + if (result < 0) + { + gnutls_assert (); + return result; } - _gnutls_str_cpy(name, sizeof(name), dst_name); - _gnutls_str_cat(name, sizeof(name), ".subjectPublicKey"); - result = asn1_write_value(dst, name, der.data, der.size * 8); + _gnutls_str_cpy (name, sizeof (name), dst_name); + _gnutls_str_cat (name, sizeof (name), ".subjectPublicKey"); + result = asn1_write_value (dst, name, der.data, der.size * 8); - _gnutls_free_datum(&der); + _gnutls_free_datum (&der); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - } else - return GNUTLS_E_UNIMPLEMENTED_FEATURE; + } + else + return GNUTLS_E_UNIMPLEMENTED_FEATURE; - return 0; + return 0; } /* Reads and returns the PK algorithm of the given certificate-like * ASN.1 structure. src_name should be something like "tbsCertificate.subjectPublicKeyInfo". */ -int _gnutls_x509_get_pk_algorithm(ASN1_TYPE src, const char *src_name, - unsigned int *bits) +int +_gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char *src_name, + unsigned int *bits) { - int result; - opaque *str = NULL; - int algo; - char oid[64]; - int len; - mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; - char name[128]; - - _gnutls_str_cpy(name, sizeof(name), src_name); - _gnutls_str_cat(name, sizeof(name), ".algorithm.algorithm"); - - len = sizeof(oid); - result = asn1_read_value(src, name, oid, &len); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + int result; + opaque *str = NULL; + int algo; + char oid[64]; + int len; + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + char name[128]; + + _gnutls_str_cpy (name, sizeof (name), src_name); + _gnutls_str_cat (name, sizeof (name), ".algorithm.algorithm"); + + len = sizeof (oid); + result = asn1_read_value (src, name, oid, &len); + + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - algo = _gnutls_x509_oid2pk_algorithm(oid); + algo = _gnutls_x509_oid2pk_algorithm (oid); - if (bits == NULL) { - gnutls_free(str); - return algo; + if (bits == NULL) + { + gnutls_free (str); + return algo; } - /* Now read the parameters' bits - */ - _gnutls_str_cpy(name, sizeof(name), src_name); - _gnutls_str_cat(name, sizeof(name), ".subjectPublicKey"); - - len = 0; - result = asn1_read_value(src, name, NULL, &len); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - return _gnutls_asn2err(result); + /* Now read the parameters' bits + */ + _gnutls_str_cpy (name, sizeof (name), src_name); + _gnutls_str_cat (name, sizeof (name), ".subjectPublicKey"); + + len = 0; + result = asn1_read_value (src, name, NULL, &len); + if (result != ASN1_MEM_ERROR) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - if (len % 8 != 0) { - gnutls_assert(); - return GNUTLS_E_CERTIFICATE_ERROR; + if (len % 8 != 0) + { + gnutls_assert (); + return GNUTLS_E_CERTIFICATE_ERROR; } - len /= 8; + len /= 8; - str = gnutls_malloc(len); - if (str == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + str = gnutls_malloc (len); + if (str == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_str_cpy(name, sizeof(name), src_name); - _gnutls_str_cat(name, sizeof(name), ".subjectPublicKey"); + _gnutls_str_cpy (name, sizeof (name), src_name); + _gnutls_str_cat (name, sizeof (name), ".subjectPublicKey"); - result = asn1_read_value(src, name, str, &len); + result = asn1_read_value (src, name, str, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(str); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + gnutls_free (str); + return _gnutls_asn2err (result); } - len /= 8; + len /= 8; - if (algo == GNUTLS_PK_RSA) { - if ((result = _gnutls_x509_read_rsa_params(str, len, params)) < 0) { - gnutls_assert(); - return result; + if (algo == GNUTLS_PK_RSA) + { + if ((result = _gnutls_x509_read_rsa_params (str, len, params)) < 0) + { + gnutls_assert (); + return result; } - bits[0] = _gnutls_mpi_get_nbits(params[0]); + bits[0] = _gnutls_mpi_get_nbits (params[0]); - _gnutls_mpi_release(¶ms[0]); - _gnutls_mpi_release(¶ms[1]); + _gnutls_mpi_release (¶ms[0]); + _gnutls_mpi_release (¶ms[1]); } - if (algo == GNUTLS_PK_DSA) { + if (algo == GNUTLS_PK_DSA) + { - if ((result = _gnutls_x509_read_dsa_pubkey(str, len, params)) < 0) { - gnutls_assert(); - return result; + if ((result = _gnutls_x509_read_dsa_pubkey (str, len, params)) < 0) + { + gnutls_assert (); + return result; } - bits[0] = _gnutls_mpi_get_nbits(params[3]); + bits[0] = _gnutls_mpi_get_nbits (params[3]); - _gnutls_mpi_release(¶ms[3]); + _gnutls_mpi_release (¶ms[3]); } - gnutls_free(str); - return algo; + gnutls_free (str); + return algo; } -ASN1_TYPE _asn1_find_node(ASN1_TYPE pointer, const char *name); +ASN1_TYPE _asn1_find_node (ASN1_TYPE pointer, const char *name); -int _gnutls_asn1_copy_node(ASN1_TYPE * dst, const char *dst_name, - ASN1_TYPE src, const char *src_name) +int +_gnutls_asn1_copy_node (ASN1_TYPE * dst, const char *dst_name, + ASN1_TYPE src, const char *src_name) { - int result; - gnutls_datum_t der; - ASN1_TYPE dst_node; + int result; + gnutls_datum_t der; + ASN1_TYPE dst_node; - result = _gnutls_x509_der_encode(src, src_name, &der, 0); - if (result < 0) { - gnutls_assert(); - return result; + result = _gnutls_x509_der_encode (src, src_name, &der, 0); + if (result < 0) + { + gnutls_assert (); + return result; } - dst_node = _asn1_find_node(*dst, dst_name); - if (dst_node == NULL) { - gnutls_assert(); - return _gnutls_asn2err(ASN1_ELEMENT_NOT_FOUND); + dst_node = _asn1_find_node (*dst, dst_name); + if (dst_node == NULL) + { + gnutls_assert (); + return _gnutls_asn2err (ASN1_ELEMENT_NOT_FOUND); } - result = asn1_der_decoding(&dst_node, der.data, der.size, NULL); + result = asn1_der_decoding (&dst_node, der.data, der.size, NULL); #if 0 - result = asn1_der_decoding_element(dst, dst_name, der.data, - der.size, NULL); + result = asn1_der_decoding_element (dst, dst_name, der.data, + der.size, NULL); #endif - _gnutls_free_datum(&der); + _gnutls_free_datum (&der); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } /* Reads the DER signed data from the certificate and allocates space and * returns them into signed_data. */ -int _gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name, - gnutls_datum_t * signed_data) +int +_gnutls_x509_get_signed_data (ASN1_TYPE src, const char *src_name, + gnutls_datum_t * signed_data) { - gnutls_datum_t der; - int start, end, result; - - result = _gnutls_x509_der_encode(src, "", &der, 0); - if (result < 0) { - gnutls_assert(); - return result; + gnutls_datum_t der; + int start, end, result; + + result = _gnutls_x509_der_encode (src, "", &der, 0); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Get the signed data - */ - result = asn1_der_decoding_startEnd(src, der.data, der.size, - src_name, &start, &end); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; + /* Get the signed data + */ + result = asn1_der_decoding_startEnd (src, der.data, der.size, + src_name, &start, &end); + if (result != ASN1_SUCCESS) + { + result = _gnutls_asn2err (result); + gnutls_assert (); + goto cleanup; } - result = - _gnutls_set_datum(signed_data, &der.data[start], end - start + 1); + result = _gnutls_set_datum (signed_data, &der.data[start], end - start + 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = 0; + result = 0; - cleanup: - _gnutls_free_datum(&der); +cleanup: + _gnutls_free_datum (&der); - return result; + return result; } /* Reads the DER signature from the certificate and allocates space and * returns them into signed_data. */ -int _gnutls_x509_get_signature(ASN1_TYPE src, const char *src_name, - gnutls_datum_t * signature) +int +_gnutls_x509_get_signature (ASN1_TYPE src, const char *src_name, + gnutls_datum_t * signature) { - int bits, result, len; + int bits, result, len; - signature->data = NULL; - signature->size = 0; + signature->data = NULL; + signature->size = 0; - /* Read the signature - */ - bits = 0; - result = asn1_read_value(src, src_name, NULL, &bits); + /* Read the signature + */ + bits = 0; + result = asn1_read_value (src, src_name, NULL, &bits); - if (result != ASN1_MEM_ERROR) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; + if (result != ASN1_MEM_ERROR) + { + result = _gnutls_asn2err (result); + gnutls_assert (); + goto cleanup; } - if (bits % 8 != 0) { - gnutls_assert(); - result = GNUTLS_E_CERTIFICATE_ERROR; - goto cleanup; + if (bits % 8 != 0) + { + gnutls_assert (); + result = GNUTLS_E_CERTIFICATE_ERROR; + goto cleanup; } - len = bits / 8; + len = bits / 8; - signature->data = gnutls_malloc(len); - if (signature->data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - return result; + signature->data = gnutls_malloc (len); + if (signature->data == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + return result; } - /* read the bit string of the signature - */ - bits = len; - result = asn1_read_value(src, src_name, signature->data, &bits); + /* read the bit string of the signature + */ + bits = len; + result = asn1_read_value (src, src_name, signature->data, &bits); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; + if (result != ASN1_SUCCESS) + { + result = _gnutls_asn2err (result); + gnutls_assert (); + goto cleanup; } - signature->size = len; + signature->size = len; - return 0; + return 0; - cleanup: - return result; +cleanup: + return result; } diff --git a/lib/x509/common.h b/lib/x509/common.h index ec700faa04..cd82c4e14b 100644 --- a/lib/x509/common.h +++ b/lib/x509/common.h @@ -29,7 +29,7 @@ /* for int2str */ #define MAX_INT_DIGITS 4 -void _gnutls_int2str(unsigned int k, char *data); +void _gnutls_int2str (unsigned int k, char *data); #define MAX_STRING_LEN 512 @@ -58,60 +58,69 @@ void _gnutls_int2str(unsigned int k, char *data); #define SIG_GOST_R3410_94_OID "1.2.643.2.2.4" #define SIG_GOST_R3410_2001_OID "1.2.643.2.2.3" -time_t _gnutls_x509_utcTime2gtime(const char *ttime); -time_t _gnutls_x509_generalTime2gtime(const char *ttime); -int _gnutls_x509_set_time(ASN1_TYPE c2, const char *where, time_t tim); - -int _gnutls_x509_decode_octet_string( const char* string_type, - const opaque* der, size_t der_size, opaque* output, size_t* output_size); -int _gnutls_x509_oid_data2string(const char *OID, void *value, - int value_size, char *res, size_t * res_size); -int _gnutls_x509_data2hex(const opaque * data, size_t data_size, - opaque * out, size_t * sizeof_out); - -const char *_gnutls_x509_oid2ldap_string(const char *OID); - -int _gnutls_x509_oid_data_choice(const char *OID); -int _gnutls_x509_oid_data_printable(const char *OID); - -time_t _gnutls_x509_get_time(ASN1_TYPE c2, const char *when); - -gnutls_x509_subject_alt_name_t _gnutls_x509_san_find_type(char *str_type); - -int _gnutls_x509_der_encode_and_copy(ASN1_TYPE src, const char *src_name, - ASN1_TYPE dest, const char *dest_name, - int str); -int _gnutls_x509_der_encode(ASN1_TYPE src, const char *src_name, - gnutls_datum_t * res, int str); - -int _gnutls_x509_export_int(ASN1_TYPE asn1_data, - gnutls_x509_crt_fmt_t format, char *pem_header, - int tmp_buf_size, unsigned char *output_data, - size_t * output_data_size); - -int _gnutls_x509_read_value(ASN1_TYPE c, const char *root, - gnutls_datum_t * ret, int str); -int _gnutls_x509_write_value(ASN1_TYPE c, const char *root, - const gnutls_datum_t * data, int str); - -int _gnutls_x509_encode_and_write_attribute(const char *given_oid, - ASN1_TYPE asn1_struct, const char *where, const void *data, - int sizeof_data, int multi); -int _gnutls_x509_decode_and_read_attribute(ASN1_TYPE asn1_struct, - const char *where, char *oid, int oid_size, gnutls_datum_t * value, int multi, int octet); - -int _gnutls_x509_get_pk_algorithm(ASN1_TYPE src, const char *src_name, - unsigned int *bits); - -int _gnutls_x509_encode_and_copy_PKI_params(ASN1_TYPE dst, - const char *dst_name, gnutls_pk_algorithm_t pk_algorithm, mpi_t * params, - int params_size); -int _gnutls_asn1_copy_node(ASN1_TYPE * dst, const char *dst_name, - ASN1_TYPE src, const char *src_name); - -int _gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name, - gnutls_datum_t * signed_data); -int _gnutls_x509_get_signature(ASN1_TYPE src, const char *src_name, - gnutls_datum_t * signature); +time_t _gnutls_x509_utcTime2gtime (const char *ttime); +time_t _gnutls_x509_generalTime2gtime (const char *ttime); +int _gnutls_x509_set_time (ASN1_TYPE c2, const char *where, time_t tim); + +int _gnutls_x509_decode_octet_string (const char *string_type, + const opaque * der, size_t der_size, + opaque * output, size_t * output_size); +int _gnutls_x509_oid_data2string (const char *OID, void *value, + int value_size, char *res, + size_t * res_size); +int _gnutls_x509_data2hex (const opaque * data, size_t data_size, + opaque * out, size_t * sizeof_out); + +const char *_gnutls_x509_oid2ldap_string (const char *OID); + +int _gnutls_x509_oid_data_choice (const char *OID); +int _gnutls_x509_oid_data_printable (const char *OID); + +time_t _gnutls_x509_get_time (ASN1_TYPE c2, const char *when); + +gnutls_x509_subject_alt_name_t _gnutls_x509_san_find_type (char *str_type); + +int _gnutls_x509_der_encode_and_copy (ASN1_TYPE src, const char *src_name, + ASN1_TYPE dest, const char *dest_name, + int str); +int _gnutls_x509_der_encode (ASN1_TYPE src, const char *src_name, + gnutls_datum_t * res, int str); + +int _gnutls_x509_export_int (ASN1_TYPE asn1_data, + gnutls_x509_crt_fmt_t format, char *pem_header, + int tmp_buf_size, unsigned char *output_data, + size_t * output_data_size); + +int _gnutls_x509_read_value (ASN1_TYPE c, const char *root, + gnutls_datum_t * ret, int str); +int _gnutls_x509_write_value (ASN1_TYPE c, const char *root, + const gnutls_datum_t * data, int str); + +int _gnutls_x509_encode_and_write_attribute (const char *given_oid, + ASN1_TYPE asn1_struct, + const char *where, + const void *data, + int sizeof_data, int multi); +int _gnutls_x509_decode_and_read_attribute (ASN1_TYPE asn1_struct, + const char *where, char *oid, + int oid_size, + gnutls_datum_t * value, int multi, + int octet); + +int _gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char *src_name, + unsigned int *bits); + +int _gnutls_x509_encode_and_copy_PKI_params (ASN1_TYPE dst, + const char *dst_name, + gnutls_pk_algorithm_t + pk_algorithm, mpi_t * params, + int params_size); +int _gnutls_asn1_copy_node (ASN1_TYPE * dst, const char *dst_name, + ASN1_TYPE src, const char *src_name); + +int _gnutls_x509_get_signed_data (ASN1_TYPE src, const char *src_name, + gnutls_datum_t * signed_data); +int _gnutls_x509_get_signature (ASN1_TYPE src, const char *src_name, + gnutls_datum_t * signature); #endif diff --git a/lib/x509/compat.c b/lib/x509/compat.c index ea3c6db596..f3e5a50a4c 100644 --- a/lib/x509/compat.c +++ b/lib/x509/compat.c @@ -38,27 +38,28 @@ * Returns a (time_t) -1 in case of an error. * -*/ -time_t _gnutls_x509_get_raw_crt_activation_time(const gnutls_datum_t * - cert) +time_t +_gnutls_x509_get_raw_crt_activation_time (const gnutls_datum_t * cert) { - gnutls_x509_crt_t xcert; - time_t result; + gnutls_x509_crt_t xcert; + time_t result; - result = gnutls_x509_crt_init(&xcert); - if (result < 0) - return result; + result = gnutls_x509_crt_init (&xcert); + if (result < 0) + return result; - result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit(xcert); - return result; + result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) + { + gnutls_x509_crt_deinit (xcert); + return result; } - result = gnutls_x509_crt_get_activation_time(xcert); + result = gnutls_x509_crt_get_activation_time (xcert); - gnutls_x509_crt_deinit(xcert); + gnutls_x509_crt_deinit (xcert); - return result; + return result; } /*- @@ -70,25 +71,26 @@ time_t _gnutls_x509_get_raw_crt_activation_time(const gnutls_datum_t * * Returns a (time_t) -1 in case of an error. * -*/ -time_t _gnutls_x509_get_raw_crt_expiration_time(const gnutls_datum_t * - cert) +time_t +_gnutls_x509_get_raw_crt_expiration_time (const gnutls_datum_t * cert) { - gnutls_x509_crt_t xcert; - time_t result; + gnutls_x509_crt_t xcert; + time_t result; - result = gnutls_x509_crt_init(&xcert); - if (result < 0) - return result; + result = gnutls_x509_crt_init (&xcert); + if (result < 0) + return result; - result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit(xcert); - return result; + result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) + { + gnutls_x509_crt_deinit (xcert); + return result; } - result = gnutls_x509_crt_get_expiration_time(xcert); + result = gnutls_x509_crt_get_expiration_time (xcert); - gnutls_x509_crt_deinit(xcert); + gnutls_x509_crt_deinit (xcert); - return result; + return result; } diff --git a/lib/x509/compat.h b/lib/x509/compat.h index d0639ec542..d5e8fdde43 100644 --- a/lib/x509/compat.h +++ b/lib/x509/compat.h @@ -22,5 +22,5 @@ * */ -time_t _gnutls_x509_get_raw_crt_activation_time(const gnutls_datum_t *); -time_t _gnutls_x509_get_raw_crt_expiration_time(const gnutls_datum_t *); +time_t _gnutls_x509_get_raw_crt_activation_time (const gnutls_datum_t *); +time_t _gnutls_x509_get_raw_crt_expiration_time (const gnutls_datum_t *); diff --git a/lib/x509/crl.c b/lib/x509/crl.c index 20f8321209..3fd0431dbf 100644 --- a/lib/x509/crl.c +++ b/lib/x509/crl.c @@ -48,22 +48,25 @@ * Returns 0 on success. * **/ -int gnutls_x509_crl_init(gnutls_x509_crl_t * crl) +int +gnutls_x509_crl_init (gnutls_x509_crl_t * crl) { - *crl = gnutls_calloc(1, sizeof(gnutls_x509_crl_int)); - - if (*crl) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.CertificateList", - &(*crl)->crl); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(*crl); - return _gnutls_asn2err(result); + *crl = gnutls_calloc (1, sizeof (gnutls_x509_crl_int)); + + if (*crl) + { + int result = asn1_create_element (_gnutls_get_pkix (), + "PKIX1.CertificateList", + &(*crl)->crl); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + gnutls_free (*crl); + return _gnutls_asn2err (result); } - return 0; /* success */ + return 0; /* success */ } - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_MEMORY_ERROR; } /** @@ -73,15 +76,16 @@ int gnutls_x509_crl_init(gnutls_x509_crl_t * crl) * This function will deinitialize a CRL structure. * **/ -void gnutls_x509_crl_deinit(gnutls_x509_crl_t crl) +void +gnutls_x509_crl_deinit (gnutls_x509_crl_t crl) { - if (!crl) - return; + if (!crl) + return; - if (crl->crl) - asn1_delete_structure(&crl->crl); + if (crl->crl) + asn1_delete_structure (&crl->crl); - gnutls_free(crl); + gnutls_free (crl); } /** @@ -98,59 +102,63 @@ void gnutls_x509_crl_deinit(gnutls_x509_crl_t crl) * Returns 0 on success. * **/ -int gnutls_x509_crl_import(gnutls_x509_crl_t crl, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format) +int +gnutls_x509_crl_import (gnutls_x509_crl_t crl, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format) { - int result = 0, need_free = 0; - gnutls_datum_t _data; + int result = 0, need_free = 0; + gnutls_datum_t _data; - _data.data = data->data; - _data.size = data->size; + _data.data = data->data; + _data.size = data->size; - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* If the CRL is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; + /* If the CRL is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) + { + opaque *out; - result = - _gnutls_fbase64_decode(PEM_CRL, data->data, data->size, &out); + result = _gnutls_fbase64_decode (PEM_CRL, data->data, data->size, &out); - if (result <= 0) { - if (result == 0) - result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; + if (result <= 0) + { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return result; } - _data.data = out; - _data.size = result; + _data.data = out; + _data.size = result; - need_free = 1; + need_free = 1; } - result = asn1_der_decoding(&crl->crl, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; + result = asn1_der_decoding (&crl->crl, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) + { + result = _gnutls_asn2err (result); + gnutls_assert (); + goto cleanup; } - if (need_free) - _gnutls_free_datum(&_data); + if (need_free) + _gnutls_free_datum (&_data); - return 0; + return 0; - cleanup: - if (need_free) - _gnutls_free_datum(&_data); - return result; +cleanup: + if (need_free) + _gnutls_free_datum (&_data); + return result; } @@ -171,17 +179,19 @@ int gnutls_x509_crl_import(gnutls_x509_crl_t crl, * 0 on success. * **/ -int gnutls_x509_crl_get_issuer_dn(gnutls_x509_crl_t crl, char *buf, - size_t * sizeof_buf) +int +gnutls_x509_crl_get_issuer_dn (gnutls_x509_crl_t crl, char *buf, + size_t * sizeof_buf) { - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_parse_dn(crl->crl, - "tbsCertList.issuer.rdnSequence", - buf, sizeof_buf); + return _gnutls_x509_parse_dn (crl->crl, + "tbsCertList.issuer.rdnSequence", + buf, sizeof_buf); } /** @@ -209,19 +219,21 @@ int gnutls_x509_crl_get_issuer_dn(gnutls_x509_crl_t crl, char *buf, * and 0 on success. * **/ -int gnutls_x509_crl_get_issuer_dn_by_oid(gnutls_x509_crl_t crl, - const char *oid, int indx, - unsigned int raw_flag, void *buf, - size_t * sizeof_buf) +int +gnutls_x509_crl_get_issuer_dn_by_oid (gnutls_x509_crl_t crl, + const char *oid, int indx, + unsigned int raw_flag, void *buf, + size_t * sizeof_buf) { - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_parse_dn_oid(crl->crl, - "tbsCertList.issuer.rdnSequence", - oid, indx, raw_flag, buf, sizeof_buf); + return _gnutls_x509_parse_dn_oid (crl->crl, + "tbsCertList.issuer.rdnSequence", + oid, indx, raw_flag, buf, sizeof_buf); } /** @@ -241,17 +253,19 @@ int gnutls_x509_crl_get_issuer_dn_by_oid(gnutls_x509_crl_t crl, * On success 0 is returned. * **/ -int gnutls_x509_crl_get_dn_oid(gnutls_x509_crl_t crl, - int indx, void *oid, size_t * sizeof_oid) +int +gnutls_x509_crl_get_dn_oid (gnutls_x509_crl_t crl, + int indx, void *oid, size_t * sizeof_oid) { - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_get_dn_oid(crl->crl, - "tbsCertList.issuer.rdnSequence", indx, - oid, sizeof_oid); + return _gnutls_x509_get_dn_oid (crl->crl, + "tbsCertList.issuer.rdnSequence", indx, + oid, sizeof_oid); } @@ -265,34 +279,37 @@ int gnutls_x509_crl_get_dn_oid(gnutls_x509_crl_t crl, * Returns a negative value on error. * **/ -int gnutls_x509_crl_get_signature_algorithm(gnutls_x509_crl_t crl) +int +gnutls_x509_crl_get_signature_algorithm (gnutls_x509_crl_t crl) { - int result; - gnutls_datum_t sa; + int result; + gnutls_datum_t sa; - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Read the signature algorithm. Note that parameters are not - * read. They will be read from the issuer's certificate if needed. - */ + /* Read the signature algorithm. Note that parameters are not + * read. They will be read from the issuer's certificate if needed. + */ - result = - _gnutls_x509_read_value(crl->crl, "signatureAlgorithm.algorithm", - &sa, 0); + result = + _gnutls_x509_read_value (crl->crl, "signatureAlgorithm.algorithm", + &sa, 0); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - result = _gnutls_x509_oid2sign_algorithm((const char *) sa.data); + result = _gnutls_x509_oid2sign_algorithm ((const char *) sa.data); - _gnutls_free_datum(&sa); + _gnutls_free_datum (&sa); - return result; + return result; } /** @@ -304,25 +321,28 @@ int gnutls_x509_crl_get_signature_algorithm(gnutls_x509_crl_t crl) * Returns a negative value on error. * **/ -int gnutls_x509_crl_get_version(gnutls_x509_crl_t crl) +int +gnutls_x509_crl_get_version (gnutls_x509_crl_t crl) { - opaque version[5]; - int len, result; + opaque version[5]; + int len, result; - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - len = sizeof(version); - if ((result = - asn1_read_value(crl->crl, "tbsCertList.version", version, - &len)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + len = sizeof (version); + if ((result = + asn1_read_value (crl->crl, "tbsCertList.version", version, + &len)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return (int) version[0] + 1; + return (int) version[0] + 1; } /** @@ -334,14 +354,16 @@ int gnutls_x509_crl_get_version(gnutls_x509_crl_t crl) * Returns (time_t)-1 on error. * **/ -time_t gnutls_x509_crl_get_this_update(gnutls_x509_crl_t crl) +time_t +gnutls_x509_crl_get_this_update (gnutls_x509_crl_t crl) { - if (crl == NULL) { - gnutls_assert(); - return (time_t) - 1; + if (crl == NULL) + { + gnutls_assert (); + return (time_t) - 1; } - return _gnutls_x509_get_time(crl->crl, "tbsCertList.thisUpdate"); + return _gnutls_x509_get_time (crl->crl, "tbsCertList.thisUpdate"); } /** @@ -355,14 +377,16 @@ time_t gnutls_x509_crl_get_this_update(gnutls_x509_crl_t crl) * Returns (time_t)-1 on error. * **/ -time_t gnutls_x509_crl_get_next_update(gnutls_x509_crl_t crl) +time_t +gnutls_x509_crl_get_next_update (gnutls_x509_crl_t crl) { - if (crl == NULL) { - gnutls_assert(); - return (time_t) - 1; + if (crl == NULL) + { + gnutls_assert (); + return (time_t) - 1; } - return _gnutls_x509_get_time(crl->crl, "tbsCertList.nextUpdate"); + return _gnutls_x509_get_time (crl->crl, "tbsCertList.nextUpdate"); } /** @@ -375,26 +399,29 @@ time_t gnutls_x509_crl_get_next_update(gnutls_x509_crl_t crl) * Returns a negative value on failure. * **/ -int gnutls_x509_crl_get_crt_count(gnutls_x509_crl_t crl) +int +gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl) { - int count, result; + int count, result; - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - result = - asn1_number_of_elements(crl->crl, - "tbsCertList.revokedCertificates", &count); + result = + asn1_number_of_elements (crl->crl, + "tbsCertList.revokedCertificates", &count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return 0; /* no certificates */ + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return 0; /* no certificates */ } - return count; + return count; } /** @@ -411,48 +438,52 @@ int gnutls_x509_crl_get_crt_count(gnutls_x509_crl_t crl) * Returns a negative value on failure. * **/ -int gnutls_x509_crl_get_crt_serial(gnutls_x509_crl_t crl, int indx, - unsigned char *serial, - size_t * serial_size, time_t * t) +int +gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl, int indx, + unsigned char *serial, + size_t * serial_size, time_t * t) { - int result, _serial_size; - char str_index[MAX_INT_DIGITS]; - char serial_name[64]; - char date_name[64]; + int result, _serial_size; + char str_index[MAX_INT_DIGITS]; + char serial_name[64]; + char date_name[64]; - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - _gnutls_int2str(indx + 1, str_index); - _gnutls_str_cpy(serial_name, sizeof(serial_name), - "tbsCertList.revokedCertificates.?"); - _gnutls_str_cat(serial_name, sizeof(serial_name), str_index); - _gnutls_str_cat(serial_name, sizeof(serial_name), ".userCertificate"); - - _gnutls_str_cpy(date_name, sizeof(date_name), - "tbsCertList.revokedCertificates.?"); - _gnutls_str_cat(date_name, sizeof(date_name), str_index); - _gnutls_str_cat(date_name, sizeof(date_name), ".revocationDate"); - - _serial_size = *serial_size; - result = asn1_read_value(crl->crl, serial_name, serial, &_serial_size); - - *serial_size = _serial_size; - if (result != ASN1_SUCCESS) { - gnutls_assert(); - if (result == ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - return _gnutls_asn2err(result); + _gnutls_int2str (indx + 1, str_index); + _gnutls_str_cpy (serial_name, sizeof (serial_name), + "tbsCertList.revokedCertificates.?"); + _gnutls_str_cat (serial_name, sizeof (serial_name), str_index); + _gnutls_str_cat (serial_name, sizeof (serial_name), ".userCertificate"); + + _gnutls_str_cpy (date_name, sizeof (date_name), + "tbsCertList.revokedCertificates.?"); + _gnutls_str_cat (date_name, sizeof (date_name), str_index); + _gnutls_str_cat (date_name, sizeof (date_name), ".revocationDate"); + + _serial_size = *serial_size; + result = asn1_read_value (crl->crl, serial_name, serial, &_serial_size); + + *serial_size = _serial_size; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + if (result == ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + return _gnutls_asn2err (result); } - if (t) { - *t = _gnutls_x509_get_time(crl->crl, date_name); + if (t) + { + *t = _gnutls_x509_get_time (crl->crl, date_name); } - return 0; + return 0; } /*- @@ -466,68 +497,72 @@ int gnutls_x509_crl_get_crt_serial(gnutls_x509_crl_t crl, int indx, * Returns a negative value on error, and zero on success. * -*/ -int _gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl_t crl, - gnutls_datum_t * dn) +int +_gnutls_x509_crl_get_raw_issuer_dn (gnutls_x509_crl_t crl, + gnutls_datum_t * dn) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len1; - int start1, end1; - gnutls_datum_t crl_signed_data; - - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len1; + int start1, end1; + gnutls_datum_t crl_signed_data; + + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* get the issuer of 'crl' - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), "PKIX1.TBSCertList", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + /* get the issuer of 'crl' + */ + if ((result = + asn1_create_element (_gnutls_get_pkix (), "PKIX1.TBSCertList", + &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = - _gnutls_x509_get_signed_data(crl->crl, "tbsCertList", - &crl_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = + _gnutls_x509_get_signed_data (crl->crl, "tbsCertList", &crl_signed_data); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = - asn1_der_decoding(&c2, crl_signed_data.data, - crl_signed_data.size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&c2); - result = _gnutls_asn2err(result); - goto cleanup; + result = + asn1_der_decoding (&c2, crl_signed_data.data, crl_signed_data.size, NULL); + if (result != ASN1_SUCCESS) + { + /* couldn't decode DER */ + gnutls_assert (); + asn1_delete_structure (&c2); + result = _gnutls_asn2err (result); + goto cleanup; } - result = - asn1_der_decoding_startEnd(c2, crl_signed_data.data, - crl_signed_data.size, "issuer", - &start1, &end1); + result = + asn1_der_decoding_startEnd (c2, crl_signed_data.data, + crl_signed_data.size, "issuer", + &start1, &end1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - len1 = end1 - start1 + 1; + len1 = end1 - start1 + 1; - _gnutls_set_datum(dn, &crl_signed_data.data[start1], len1); + _gnutls_set_datum (dn, &crl_signed_data.data[start1], len1); - result = 0; + result = 0; - cleanup: - asn1_delete_structure(&c2); - _gnutls_free_datum(&crl_signed_data); - return result; +cleanup: + asn1_delete_structure (&c2); + _gnutls_free_datum (&crl_signed_data); + return result; } /** @@ -548,18 +583,20 @@ int _gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl_t crl, * Returns 0 on success, and a negative value on failure. * **/ -int gnutls_x509_crl_export(gnutls_x509_crl_t crl, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size) +int +gnutls_x509_crl_export (gnutls_x509_crl_t crl, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) { - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_export_int(crl->crl, format, PEM_CRL, - *output_data_size, output_data, - output_data_size); + return _gnutls_x509_export_int (crl->crl, format, PEM_CRL, + *output_data_size, output_data, + output_data_size); } /*- @@ -572,45 +609,49 @@ int gnutls_x509_crl_export(gnutls_x509_crl_t crl, * Returns 0 on success. * -*/ -int _gnutls_x509_crl_cpy(gnutls_x509_crl_t dest, gnutls_x509_crl_t src) +int +_gnutls_x509_crl_cpy (gnutls_x509_crl_t dest, gnutls_x509_crl_t src) { - int ret; - size_t der_size; - opaque *der; - gnutls_datum_t tmp; - - ret = - gnutls_x509_crl_export(src, GNUTLS_X509_FMT_DER, NULL, &der_size); - if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - return ret; + int ret; + size_t der_size; + opaque *der; + gnutls_datum_t tmp; + + ret = gnutls_x509_crl_export (src, GNUTLS_X509_FMT_DER, NULL, &der_size); + if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) + { + gnutls_assert (); + return ret; } - der = gnutls_alloca(der_size); - if (der == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + der = gnutls_alloca (der_size); + if (der == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - ret = gnutls_x509_crl_export(src, GNUTLS_X509_FMT_DER, der, &der_size); - if (ret < 0) { - gnutls_assert(); - gnutls_afree(der); - return ret; + ret = gnutls_x509_crl_export (src, GNUTLS_X509_FMT_DER, der, &der_size); + if (ret < 0) + { + gnutls_assert (); + gnutls_afree (der); + return ret; } - tmp.data = der; - tmp.size = der_size; - ret = gnutls_x509_crl_import(dest, &tmp, GNUTLS_X509_FMT_DER); + tmp.data = der; + tmp.size = der_size; + ret = gnutls_x509_crl_import (dest, &tmp, GNUTLS_X509_FMT_DER); - gnutls_afree(der); + gnutls_afree (der); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } diff --git a/lib/x509/crl_write.c b/lib/x509/crl_write.c index a92a359f5b..97b7ece4f0 100644 --- a/lib/x509/crl_write.c +++ b/lib/x509/crl_write.c @@ -42,7 +42,7 @@ #include <extensions.h> #include <libtasn1.h> -static void disable_optional_stuff(gnutls_x509_crl_t crl); +static void disable_optional_stuff (gnutls_x509_crl_t crl); /** * gnutls_x509_crl_set_version - This function will set the CRL version @@ -56,28 +56,30 @@ static void disable_optional_stuff(gnutls_x509_crl_t crl); * Returns 0 on success. * **/ -int gnutls_x509_crl_set_version(gnutls_x509_crl_t crl, - unsigned int version) +int +gnutls_x509_crl_set_version (gnutls_x509_crl_t crl, unsigned int version) { - int result; - char null = version; + int result; + char null = version; - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - null -= 1; - if (null < 0) - null = 0; + null -= 1; + if (null < 0) + null = 0; - result = asn1_write_value(crl->crl, "tbsCertList.version", &null, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = asn1_write_value (crl->crl, "tbsCertList.version", &null, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } /** @@ -97,28 +99,32 @@ int gnutls_x509_crl_set_version(gnutls_x509_crl_t crl, * Returns 0 on success. * **/ -int gnutls_x509_crl_sign2(gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, - gnutls_x509_privkey_t issuer_key, gnutls_digest_algorithm_t dig, unsigned int flags) +int +gnutls_x509_crl_sign2 (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, + gnutls_x509_privkey_t issuer_key, + gnutls_digest_algorithm_t dig, unsigned int flags) { - int result; + int result; - if (crl == NULL || issuer == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL || issuer == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* disable all the unneeded OPTIONAL fields. - */ - disable_optional_stuff(crl); + /* disable all the unneeded OPTIONAL fields. + */ + disable_optional_stuff (crl); - result = _gnutls_x509_pkix_sign(crl->crl, "tbsCertList", - dig, issuer, issuer_key); - if (result < 0) { - gnutls_assert(); - return result; + result = _gnutls_x509_pkix_sign (crl->crl, "tbsCertList", + dig, issuer, issuer_key); + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /** @@ -133,10 +139,11 @@ int gnutls_x509_crl_sign2(gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, * Returns 0 on success. * **/ -int gnutls_x509_crl_sign(gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, - gnutls_x509_privkey_t issuer_key) +int +gnutls_x509_crl_sign (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, + gnutls_x509_privkey_t issuer_key) { - return gnutls_x509_crl_sign2( crl, issuer, issuer_key, GNUTLS_DIG_SHA1, 0); + return gnutls_x509_crl_sign2 (crl, issuer, issuer_key, GNUTLS_DIG_SHA1, 0); } /** @@ -149,15 +156,16 @@ int gnutls_x509_crl_sign(gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crl_set_this_update(gnutls_x509_crl_t crl, time_t act_time) +int +gnutls_x509_crl_set_this_update (gnutls_x509_crl_t crl, time_t act_time) { - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_set_time(crl->crl, "tbsCertList.thisUpdate", - act_time); + return _gnutls_x509_set_time (crl->crl, "tbsCertList.thisUpdate", act_time); } /** @@ -170,14 +178,15 @@ int gnutls_x509_crl_set_this_update(gnutls_x509_crl_t crl, time_t act_time) * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crl_set_next_update(gnutls_x509_crl_t crl, time_t exp_time) +int +gnutls_x509_crl_set_next_update (gnutls_x509_crl_t crl, time_t exp_time) { - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_set_time(crl->crl, "tbsCertList.nextUpdate", - exp_time); + return _gnutls_x509_set_time (crl->crl, "tbsCertList.nextUpdate", exp_time); } /** @@ -192,53 +201,58 @@ int gnutls_x509_crl_set_next_update(gnutls_x509_crl_t crl, time_t exp_time) * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crl_set_crt_serial(gnutls_x509_crl_t crl, - const void *serial, size_t serial_size, - time_t revocation_time) +int +gnutls_x509_crl_set_crt_serial (gnutls_x509_crl_t crl, + const void *serial, size_t serial_size, + time_t revocation_time) { - int ret; + int ret; - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crl == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = - asn1_write_value(crl->crl, "tbsCertList.revokedCertificates", - "NEW", 1); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(ret); + ret = + asn1_write_value (crl->crl, "tbsCertList.revokedCertificates", "NEW", 1); + if (ret != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (ret); } - ret = - asn1_write_value(crl->crl, - "tbsCertList.revokedCertificates.?LAST.userCertificate", - serial, serial_size); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(ret); + ret = + asn1_write_value (crl->crl, + "tbsCertList.revokedCertificates.?LAST.userCertificate", + serial, serial_size); + if (ret != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (ret); } - ret = - _gnutls_x509_set_time(crl->crl, - "tbsCertList.revokedCertificates.?LAST.revocationDate", - revocation_time); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + _gnutls_x509_set_time (crl->crl, + "tbsCertList.revokedCertificates.?LAST.revocationDate", + revocation_time); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = - asn1_write_value(crl->crl, - "tbsCertList.revokedCertificates.?LAST.crlEntryExtensions", - NULL, 0); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(ret); + ret = + asn1_write_value (crl->crl, + "tbsCertList.revokedCertificates.?LAST.crlEntryExtensions", + NULL, 0); + if (ret != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (ret); } - return 0; + return 0; } /** @@ -252,46 +266,51 @@ int gnutls_x509_crl_set_crt_serial(gnutls_x509_crl_t crl, * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crl_set_crt(gnutls_x509_crl_t crl, gnutls_x509_crt_t crt, - time_t revocation_time) +int +gnutls_x509_crl_set_crt (gnutls_x509_crl_t crl, gnutls_x509_crt_t crt, + time_t revocation_time) { - int ret; - opaque serial[128]; - size_t serial_size; - - if (crl == NULL || crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + int ret; + opaque serial[128]; + size_t serial_size; + + if (crl == NULL || crt == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - serial_size = sizeof(serial); - ret = gnutls_x509_crt_get_serial(crt, serial, &serial_size); - if (ret < 0) { - gnutls_assert(); - return ret; + serial_size = sizeof (serial); + ret = gnutls_x509_crt_get_serial (crt, serial, &serial_size); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = - gnutls_x509_crl_set_crt_serial(crl, serial, serial_size, - revocation_time); - if (ret < 0) { - gnutls_assert(); - return _gnutls_asn2err(ret); + ret = + gnutls_x509_crl_set_crt_serial (crl, serial, serial_size, + revocation_time); + if (ret < 0) + { + gnutls_assert (); + return _gnutls_asn2err (ret); } - return 0; + return 0; } /* If OPTIONAL fields have not been initialized then * disable them. */ -static void disable_optional_stuff(gnutls_x509_crl_t crl) +static void +disable_optional_stuff (gnutls_x509_crl_t crl) { - asn1_write_value(crl->crl, "tbsCertList.crlExtensions", NULL, 0); + asn1_write_value (crl->crl, "tbsCertList.crlExtensions", NULL, 0); - return; + return; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/crq.c b/lib/x509/crq.c index 016afdee3d..35dd524f9f 100644 --- a/lib/x509/crq.c +++ b/lib/x509/crq.c @@ -51,22 +51,25 @@ * Returns 0 on success. * **/ -int gnutls_x509_crq_init(gnutls_x509_crq_t * crq) +int +gnutls_x509_crq_init (gnutls_x509_crq_t * crq) { - *crq = gnutls_calloc(1, sizeof(gnutls_x509_crq_int)); - - if (*crq) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-10-CertificationRequest", - &((*crq)->crq)); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(*crq); - return _gnutls_asn2err(result); + *crq = gnutls_calloc (1, sizeof (gnutls_x509_crq_int)); + + if (*crq) + { + int result = asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-10-CertificationRequest", + &((*crq)->crq)); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + gnutls_free (*crq); + return _gnutls_asn2err (result); } - return 0; /* success */ + return 0; /* success */ } - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_MEMORY_ERROR; } /** @@ -76,15 +79,16 @@ int gnutls_x509_crq_init(gnutls_x509_crq_t * crq) * This function will deinitialize a CRL structure. * **/ -void gnutls_x509_crq_deinit(gnutls_x509_crq_t crq) +void +gnutls_x509_crq_deinit (gnutls_x509_crq_t crq) { - if (!crq) - return; + if (!crq) + return; - if (crq->crq) - asn1_delete_structure(&crq->crq); + if (crq->crq) + asn1_delete_structure (&crq->crq); - gnutls_free(crq); + gnutls_free (crq); } #define PEM_CRQ "NEW CERTIFICATE REQUEST" @@ -104,61 +108,64 @@ void gnutls_x509_crq_deinit(gnutls_x509_crq_t crq) * Returns 0 on success. * **/ -int gnutls_x509_crq_import(gnutls_x509_crq_t crq, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format) +int +gnutls_x509_crq_import (gnutls_x509_crq_t crq, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format) { - int result = 0, need_free = 0; - gnutls_datum_t _data; + int result = 0, need_free = 0; + gnutls_datum_t _data; - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - _data.data = data->data; - _data.size = data->size; + _data.data = data->data; + _data.size = data->size; - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) + { + opaque *out; - /* Try the first header */ - result = _gnutls_fbase64_decode(PEM_CRQ, data->data, data->size, - &out); + /* Try the first header */ + result = _gnutls_fbase64_decode (PEM_CRQ, data->data, data->size, &out); - if (result <= 0) /* Go for the second header */ - result = - _gnutls_fbase64_decode(PEM_CRQ2, data->data, data->size, - &out); + if (result <= 0) /* Go for the second header */ + result = + _gnutls_fbase64_decode (PEM_CRQ2, data->data, data->size, &out); - if (result <= 0) { - if (result == 0) - result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; + if (result <= 0) + { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return result; } - _data.data = out; - _data.size = result; + _data.data = out; + _data.size = result; - need_free = 1; + need_free = 1; } - result = asn1_der_decoding(&crq->crq, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; + result = asn1_der_decoding (&crq->crq, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) + { + result = _gnutls_asn2err (result); + gnutls_assert (); + goto cleanup; } - result = 0; + result = 0; - cleanup: - if (need_free) - _gnutls_free_datum(&_data); - return result; +cleanup: + if (need_free) + _gnutls_free_datum (&_data); + return result; } @@ -181,17 +188,18 @@ int gnutls_x509_crq_import(gnutls_x509_crq_t crq, * the required size. On success 0 is returned. * **/ -int gnutls_x509_crq_get_dn(gnutls_x509_crq_t crq, char *buf, - size_t * sizeof_buf) +int +gnutls_x509_crq_get_dn (gnutls_x509_crq_t crq, char *buf, size_t * sizeof_buf) { - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_parse_dn(crq->crq, - "certificationRequestInfo.subject.rdnSequence", - buf, sizeof_buf); + return _gnutls_x509_parse_dn (crq->crq, + "certificationRequestInfo.subject.rdnSequence", + buf, sizeof_buf); } /** @@ -222,18 +230,20 @@ int gnutls_x509_crq_get_dn(gnutls_x509_crq_t crq, char *buf, * the required size. On success 0 is returned. * **/ -int gnutls_x509_crq_get_dn_by_oid(gnutls_x509_crq_t crq, const char *oid, - int indx, unsigned int raw_flag, - void *buf, size_t * sizeof_buf) +int +gnutls_x509_crq_get_dn_by_oid (gnutls_x509_crq_t crq, const char *oid, + int indx, unsigned int raw_flag, + void *buf, size_t * sizeof_buf) { - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_parse_dn_oid(crq->crq, - "certificationRequestInfo.subject.rdnSequence", - oid, indx, raw_flag, buf, sizeof_buf); + return _gnutls_x509_parse_dn_oid (crq->crq, + "certificationRequestInfo.subject.rdnSequence", + oid, indx, raw_flag, buf, sizeof_buf); } /** @@ -253,17 +263,19 @@ int gnutls_x509_crq_get_dn_by_oid(gnutls_x509_crq_t crq, const char *oid, * the required size. On success 0 is returned. * **/ -int gnutls_x509_crq_get_dn_oid(gnutls_x509_crq_t crq, - int indx, void *oid, size_t * sizeof_oid) +int +gnutls_x509_crq_get_dn_oid (gnutls_x509_crq_t crq, + int indx, void *oid, size_t * sizeof_oid) { - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_get_dn_oid(crq->crq, - "certificationRequestInfo.subject.rdnSequence", - indx, oid, sizeof_oid); + return _gnutls_x509_get_dn_oid (crq->crq, + "certificationRequestInfo.subject.rdnSequence", + indx, oid, sizeof_oid); } /* Parses an Attribute list in the asn1_struct, and searches for the @@ -274,127 +286,146 @@ int gnutls_x509_crq_get_dn_oid(gnutls_x509_crq_t crq, * asn1_attr_name must be a string in the form "certificationRequestInfo.attributes" * */ -static int parse_attribute(ASN1_TYPE asn1_struct, - const char *attr_name, const char *given_oid, int indx, int raw, - char *buf, size_t * sizeof_buf) +static int +parse_attribute (ASN1_TYPE asn1_struct, + const char *attr_name, const char *given_oid, int indx, + int raw, char *buf, size_t * sizeof_buf) { - int k1, result; - char tmpbuffer1[64]; - char tmpbuffer3[64]; - char counter[MAX_INT_DIGITS]; - char value[200]; - char oid[128]; - int len, printable; - - if (*sizeof_buf == 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + int k1, result; + char tmpbuffer1[64]; + char tmpbuffer3[64]; + char counter[MAX_INT_DIGITS]; + char value[200]; + char oid[128]; + int len, printable; + + if (*sizeof_buf == 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - buf[0] = 0; + buf[0] = 0; - k1 = 0; - do { + k1 = 0; + do + { - k1++; - /* create a string like "attribute.?1" - */ - _gnutls_int2str(k1, counter); - _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), attr_name); + k1++; + /* create a string like "attribute.?1" + */ + _gnutls_int2str (k1, counter); + _gnutls_str_cpy (tmpbuffer1, sizeof (tmpbuffer1), attr_name); - if (strlen(tmpbuffer1) > 0) - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); + if (strlen (tmpbuffer1) > 0) + _gnutls_str_cat (tmpbuffer1, sizeof (tmpbuffer1), "."); + _gnutls_str_cat (tmpbuffer1, sizeof (tmpbuffer1), "?"); + _gnutls_str_cat (tmpbuffer1, sizeof (tmpbuffer1), counter); - len = sizeof(value) - 1; - result = asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + len = sizeof (value) - 1; + result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; + if (result == ASN1_ELEMENT_NOT_FOUND) + { + gnutls_assert (); + break; } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_VALUE_NOT_FOUND) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Move to the attibute type and values - */ - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer1); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".type"); - - len = sizeof(oid) - 1; - result = asn1_read_value(asn1_struct, tmpbuffer3, oid, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* Move to the attibute type and values + */ + /* Read the OID + */ + _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer1); + _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".type"); + + len = sizeof (oid) - 1; + result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - if (strcmp(oid, given_oid) == 0) { /* Found the OID */ + if (strcmp (oid, given_oid) == 0) + { /* Found the OID */ - /* Read the Value - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer1); + /* Read the Value + */ + _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer1); - _gnutls_int2str(indx + 1, counter); + _gnutls_int2str (indx + 1, counter); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".values.?"); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), counter); + _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".values.?"); + _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), counter); - len = sizeof(value) - 1; - result = asn1_read_value(asn1_struct, tmpbuffer3, value, &len); + len = sizeof (value) - 1; + result = asn1_read_value (asn1_struct, tmpbuffer3, value, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - if (raw==0) { - printable = _gnutls_x509_oid_data_printable(oid); - if (printable == 1) { - if ((result = - _gnutls_x509_oid_data2string - (oid, value, len, buf, sizeof_buf)) < 0) { - gnutls_assert(); - goto cleanup; - } - return 0; - } else { - gnutls_assert(); - return GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE; - } - } else { /* raw!=0 */ - if (*sizeof_buf > (size_t)len && buf!=NULL) { - *sizeof_buf = len; - memcpy( buf, value, len); - - return 0; - } else { - *sizeof_buf = len; - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - } + if (raw == 0) + { + printable = _gnutls_x509_oid_data_printable (oid); + if (printable == 1) + { + if ((result = + _gnutls_x509_oid_data2string + (oid, value, len, buf, sizeof_buf)) < 0) + { + gnutls_assert (); + goto cleanup; + } + return 0; + } + else + { + gnutls_assert (); + return GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE; + } + } + else + { /* raw!=0 */ + if (*sizeof_buf > (size_t) len && buf != NULL) + { + *sizeof_buf = len; + memcpy (buf, value, len); + + return 0; + } + else + { + *sizeof_buf = len; + gnutls_assert (); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + } } - } while (1); + } + while (1); - gnutls_assert(); + gnutls_assert (); - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - cleanup: - return result; +cleanup: + return result; } /** @@ -409,17 +440,19 @@ static int parse_attribute(ASN1_TYPE asn1_struct, * Returns 0 on success. * **/ -int gnutls_x509_crq_get_challenge_password(gnutls_x509_crq_t crq, - const char *pass, - size_t * sizeof_pass) +int +gnutls_x509_crq_get_challenge_password (gnutls_x509_crq_t crq, + const char *pass, + size_t * sizeof_pass) { - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return parse_attribute(crq->crq, "certificationRequestInfo.attributes", - "1.2.840.113549.1.9.7", 0, 0, pass, sizeof_pass); + return parse_attribute (crq->crq, "certificationRequestInfo.attributes", + "1.2.840.113549.1.9.7", 0, 0, pass, sizeof_pass); } /** @@ -435,37 +468,43 @@ int gnutls_x509_crq_get_challenge_password(gnutls_x509_crq_t crq, * Returns 0 on success. * **/ -int gnutls_x509_crq_set_attribute_by_oid(gnutls_x509_crq_t crq, - const char* oid, void* buf, size_t sizeof_buf) +int +gnutls_x509_crq_set_attribute_by_oid (gnutls_x509_crq_t crq, + const char *oid, void *buf, + size_t sizeof_buf) { - int result; + int result; - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Add the attribute. - */ - result = - asn1_write_value(crq->crq, "certificationRequestInfo.attributes", - "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + /* Add the attribute. + */ + result = + asn1_write_value (crq->crq, "certificationRequestInfo.attributes", + "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = - _gnutls_x509_encode_and_write_attribute(oid, - crq->crq, "certificationRequestInfo.attributes.?LAST", - buf, sizeof_buf, 1); + result = + _gnutls_x509_encode_and_write_attribute (oid, + crq->crq, + "certificationRequestInfo.attributes.?LAST", + buf, sizeof_buf, 1); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /** @@ -483,16 +522,19 @@ int gnutls_x509_crq_set_attribute_by_oid(gnutls_x509_crq_t crq, * Returns 0 on success. * **/ -int gnutls_x509_crq_get_attribute_by_oid(gnutls_x509_crq_t crq, - const char* oid, int indx, void* buf, size_t* sizeof_buf) +int +gnutls_x509_crq_get_attribute_by_oid (gnutls_x509_crq_t crq, + const char *oid, int indx, void *buf, + size_t * sizeof_buf) { - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return parse_attribute(crq->crq, "certificationRequestInfo.attributes", - oid, indx, 1, buf, sizeof_buf); + return parse_attribute (crq->crq, "certificationRequestInfo.attributes", + oid, indx, 1, buf, sizeof_buf); } /** @@ -515,17 +557,19 @@ int gnutls_x509_crq_get_attribute_by_oid(gnutls_x509_crq_t crq, * Returns 0 on success. * **/ -int gnutls_x509_crq_set_dn_by_oid(gnutls_x509_crq_t crq, const char *oid, - unsigned int raw_flag, const void *data, - unsigned int sizeof_data) +int +gnutls_x509_crq_set_dn_by_oid (gnutls_x509_crq_t crq, const char *oid, + unsigned int raw_flag, const void *data, + unsigned int sizeof_data) { - if (sizeof_data == 0 || data == NULL || crq == NULL) { - return GNUTLS_E_INVALID_REQUEST; + if (sizeof_data == 0 || data == NULL || crq == NULL) + { + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_set_dn_oid(crq->crq, - "certificationRequestInfo.subject", oid, - raw_flag, data, sizeof_data); + return _gnutls_x509_set_dn_oid (crq->crq, + "certificationRequestInfo.subject", oid, + raw_flag, data, sizeof_data); } /** @@ -539,29 +583,30 @@ int gnutls_x509_crq_set_dn_by_oid(gnutls_x509_crq_t crq, const char *oid, * Returns 0 on success. * **/ -int gnutls_x509_crq_set_version(gnutls_x509_crq_t crq, - unsigned int version) +int +gnutls_x509_crq_set_version (gnutls_x509_crq_t crq, unsigned int version) { - int result; - unsigned char null = version; + int result; + unsigned char null = version; - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (null > 0) - null--; + if (null > 0) + null--; - result = - asn1_write_value(crq->crq, "certificationRequestInfo.version", - &null, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = + asn1_write_value (crq->crq, "certificationRequestInfo.version", &null, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } /** @@ -573,28 +618,31 @@ int gnutls_x509_crq_set_version(gnutls_x509_crq_t crq, * Returns a negative value on error. * **/ -int gnutls_x509_crq_get_version(gnutls_x509_crq_t crq) +int +gnutls_x509_crq_get_version (gnutls_x509_crq_t crq) { - opaque version[5]; - int len, result; + opaque version[5]; + int len, result; - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - len = sizeof(version); - if ((result = - asn1_read_value(crq->crq, "certificationRequestInfo.version", - version, &len)) != ASN1_SUCCESS) { + len = sizeof (version); + if ((result = + asn1_read_value (crq->crq, "certificationRequestInfo.version", + version, &len)) != ASN1_SUCCESS) + { - if (result == ASN1_ELEMENT_NOT_FOUND) - return 1; /* the DEFAULT version */ - gnutls_assert(); - return _gnutls_asn2err(result); + if (result == ASN1_ELEMENT_NOT_FOUND) + return 1; /* the DEFAULT version */ + gnutls_assert (); + return _gnutls_asn2err (result); } - return (int) version[0] + 1; + return (int) version[0] + 1; } /** @@ -608,28 +656,30 @@ int gnutls_x509_crq_get_version(gnutls_x509_crq_t crq) * Returns 0 on success. * **/ -int gnutls_x509_crq_set_key(gnutls_x509_crq_t crq, - gnutls_x509_privkey_t key) +int +gnutls_x509_crq_set_key (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key) { - int result; + int result; - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - result = _gnutls_x509_encode_and_copy_PKI_params(crq->crq, - "certificationRequestInfo.subjectPKInfo", - key->pk_algorithm, - key->params, - key->params_size); + result = _gnutls_x509_encode_and_copy_PKI_params (crq->crq, + "certificationRequestInfo.subjectPKInfo", + key->pk_algorithm, + key->params, + key->params_size); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /** @@ -642,38 +692,42 @@ int gnutls_x509_crq_set_key(gnutls_x509_crq_t crq, * Returns 0 on success. * **/ -int gnutls_x509_crq_set_challenge_password(gnutls_x509_crq_t crq, - const char *pass) +int +gnutls_x509_crq_set_challenge_password (gnutls_x509_crq_t crq, + const char *pass) { - int result; + int result; - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Add the attribute. - */ - result = - asn1_write_value(crq->crq, "certificationRequestInfo.attributes", - "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + /* Add the attribute. + */ + result = + asn1_write_value (crq->crq, "certificationRequestInfo.attributes", + "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = - _gnutls_x509_encode_and_write_attribute("1.2.840.113549.1.9.7", - crq->crq, - "certificationRequestInfo.attributes.?LAST", - pass, strlen(pass), 1); + result = + _gnutls_x509_encode_and_write_attribute ("1.2.840.113549.1.9.7", + crq->crq, + "certificationRequestInfo.attributes.?LAST", + pass, strlen (pass), 1); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /** @@ -693,51 +747,57 @@ int gnutls_x509_crq_set_challenge_password(gnutls_x509_crq_t crq, * Returns 0 on success. * **/ -int gnutls_x509_crq_sign2(gnutls_x509_crq_t crq, gnutls_x509_privkey_t key, - gnutls_digest_algorithm_t dig, unsigned int flags) +int +gnutls_x509_crq_sign2 (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key, + gnutls_digest_algorithm_t dig, unsigned int flags) { - int result; - gnutls_datum_t signature; + int result; + gnutls_datum_t signature; - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Step 1. Self sign the request. - */ - result = - _gnutls_x509_sign_tbs(crq->crq, "certificationRequestInfo", - dig, key, &signature); + /* Step 1. Self sign the request. + */ + result = + _gnutls_x509_sign_tbs (crq->crq, "certificationRequestInfo", + dig, key, &signature); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - /* Step 2. write the signature (bits) - */ - result = - asn1_write_value(crq->crq, "signature", signature.data, - signature.size * 8); + /* Step 2. write the signature (bits) + */ + result = + asn1_write_value (crq->crq, "signature", signature.data, + signature.size * 8); - _gnutls_free_datum(&signature); + _gnutls_free_datum (&signature); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - /* Step 3. Write the signatureAlgorithm field. - */ - result = _gnutls_x509_write_sig_params(crq->crq, "signatureAlgorithm", - key->pk_algorithm, dig, key->params, key->params_size); - if (result < 0) { - gnutls_assert(); - return result; + /* Step 3. Write the signatureAlgorithm field. + */ + result = _gnutls_x509_write_sig_params (crq->crq, "signatureAlgorithm", + key->pk_algorithm, dig, key->params, + key->params_size); + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /** @@ -751,9 +811,10 @@ int gnutls_x509_crq_sign2(gnutls_x509_crq_t crq, gnutls_x509_privkey_t key, * Returns 0 on success. * **/ -int gnutls_x509_crq_sign(gnutls_x509_crq_t crq, gnutls_x509_privkey_t key) +int +gnutls_x509_crq_sign (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key) { - return gnutls_x509_crq_sign2(crq, key, GNUTLS_DIG_SHA1, 0); + return gnutls_x509_crq_sign2 (crq, key, GNUTLS_DIG_SHA1, 0); } /** @@ -777,18 +838,20 @@ int gnutls_x509_crq_sign(gnutls_x509_crq_t crq, gnutls_x509_privkey_t key) * returned, and 0 on success. * **/ -int gnutls_x509_crq_export(gnutls_x509_crq_t crq, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size) +int +gnutls_x509_crq_export (gnutls_x509_crq_t crq, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) { - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_export_int(crq->crq, format, PEM_CRQ, - *output_data_size, output_data, - output_data_size); + return _gnutls_x509_export_int (crq->crq, format, PEM_CRQ, + *output_data_size, output_data, + output_data_size); } /** @@ -808,25 +871,27 @@ int gnutls_x509_crq_export(gnutls_x509_crq_t crq, * or a negative value on error. * **/ -int gnutls_x509_crq_get_pk_algorithm(gnutls_x509_crq_t crq, - unsigned int *bits) +int +gnutls_x509_crq_get_pk_algorithm (gnutls_x509_crq_t crq, unsigned int *bits) { - int result; + int result; - if (crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - result = - _gnutls_x509_get_pk_algorithm(crq->crq, - "certificationRequestInfo.subjectPKInfo", - bits); - if (result < 0) { - gnutls_assert(); + result = + _gnutls_x509_get_pk_algorithm (crq->crq, + "certificationRequestInfo.subjectPKInfo", + bits); + if (result < 0) + { + gnutls_assert (); } - return result; + return result; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/crq.h b/lib/x509/crq.h index 96b215ea9d..6021096b5c 100644 --- a/lib/x509/crq.h +++ b/lib/x509/crq.h @@ -24,6 +24,7 @@ #include <gnutls/x509.h> -typedef struct gnutls_x509_crq_int { +typedef struct gnutls_x509_crq_int +{ ASN1_TYPE crq; } gnutls_x509_crq_int; diff --git a/lib/x509/dn.c b/lib/x509/dn.c index 9f4a23b7e1..c8b28c5fb3 100644 --- a/lib/x509/dn.c +++ b/lib/x509/dn.c @@ -39,42 +39,45 @@ /* Converts the given OID to an ldap acceptable string or * a dotted OID. */ -static const char *oid2ldap_string(const char *oid) +static const char * +oid2ldap_string (const char *oid) { - const char *ret; + const char *ret; - ret = _gnutls_x509_oid2ldap_string(oid); - if (ret) - return ret; + ret = _gnutls_x509_oid2ldap_string (oid); + if (ret) + return ret; - /* else return the OID in dotted format */ - return oid; + /* else return the OID in dotted format */ + return oid; } /* Escapes a string following the rules from RFC2253. */ -static char *str_escape(char *str, char *buffer, unsigned int buffer_size) +static char * +str_escape (char *str, char *buffer, unsigned int buffer_size) { - int str_length, j, i; + int str_length, j, i; - if (str == NULL || buffer == NULL) - return NULL; + if (str == NULL || buffer == NULL) + return NULL; - str_length = MIN(strlen(str), buffer_size - 1); + str_length = MIN (strlen (str), buffer_size - 1); - for (i = j = 0; i < str_length; i++) { - if (str[i] == ',' || str[i] == '+' || str[i] == '"' - || str[i] == '\\' || str[i] == '<' || str[i] == '>' - || str[i] == ';') - buffer[j++] = '\\'; + for (i = j = 0; i < str_length; i++) + { + if (str[i] == ',' || str[i] == '+' || str[i] == '"' + || str[i] == '\\' || str[i] == '<' || str[i] == '>' + || str[i] == ';') + buffer[j++] = '\\'; - buffer[j++] = str[i]; + buffer[j++] = str[i]; } - /* null terminate the string */ - buffer[j] = 0; + /* null terminate the string */ + buffer[j] = 0; - return buffer; + return buffer; } /* Parses an X509 DN in the asn1_struct, and puts the output into @@ -83,224 +86,241 @@ static char *str_escape(char *str, char *buffer, unsigned int buffer_size) * asn1_rdn_name must be a string in the form "tbsCertificate.issuer.rdnSequence". * That is to point in the rndSequence. */ -int _gnutls_x509_parse_dn(ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, char *buf, - size_t * sizeof_buf) +int +_gnutls_x509_parse_dn (ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, char *buf, + size_t * sizeof_buf) { - gnutls_string out_str; - int k2, k1, result; - char tmpbuffer1[64]; - char tmpbuffer2[64]; - char tmpbuffer3[64]; - char counter[MAX_INT_DIGITS]; - opaque value[MAX_STRING_LEN], *value2 = NULL; - char *escaped = NULL; - const char *ldap_desc; - char oid[128]; - int len, printable; - char *string = NULL; - size_t sizeof_string, sizeof_escaped; - - if (sizeof_buf == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_string out_str; + int k2, k1, result; + char tmpbuffer1[64]; + char tmpbuffer2[64]; + char tmpbuffer3[64]; + char counter[MAX_INT_DIGITS]; + opaque value[MAX_STRING_LEN], *value2 = NULL; + char *escaped = NULL; + const char *ldap_desc; + char oid[128]; + int len, printable; + char *string = NULL; + size_t sizeof_string, sizeof_escaped; + + if (sizeof_buf == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (buf) - buf[0] = 0; - else - *sizeof_buf = 0; + if (buf) + buf[0] = 0; + else + *sizeof_buf = 0; + + _gnutls_string_init (&out_str, gnutls_malloc, gnutls_realloc, gnutls_free); + + k1 = 0; + do + { + + k1++; + /* create a string like "tbsCertList.issuer.rdnSequence.?1" + */ + _gnutls_int2str (k1, counter); + _gnutls_str_cpy (tmpbuffer1, sizeof (tmpbuffer1), asn1_rdn_name); + if (strlen (tmpbuffer1) > 0) + _gnutls_str_cat (tmpbuffer1, sizeof (tmpbuffer1), "."); + _gnutls_str_cat (tmpbuffer1, sizeof (tmpbuffer1), "?"); + _gnutls_str_cat (tmpbuffer1, sizeof (tmpbuffer1), counter); + + len = sizeof (value) - 1; + result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + { + break; + } - _gnutls_string_init(&out_str, gnutls_malloc, gnutls_realloc, - gnutls_free); + if (result != ASN1_VALUE_NOT_FOUND) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } - k1 = 0; - do { + k2 = 0; - k1++; - /* create a string like "tbsCertList.issuer.rdnSequence.?1" - */ - _gnutls_int2str(k1, counter); - _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), asn1_rdn_name); - if (strlen(tmpbuffer1) > 0) - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); + do + { /* Move to the attibute type and values + */ + k2++; - len = sizeof(value) - 1; - result = asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + _gnutls_int2str (k2, counter); + _gnutls_str_cpy (tmpbuffer2, sizeof (tmpbuffer2), tmpbuffer1); + if (strlen (tmpbuffer2) > 0) + _gnutls_str_cat (tmpbuffer2, sizeof (tmpbuffer2), "."); + _gnutls_str_cat (tmpbuffer2, sizeof (tmpbuffer2), "?"); + _gnutls_str_cat (tmpbuffer2, sizeof (tmpbuffer2), counter); - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; - } + /* Try to read the RelativeDistinguishedName attributes. + */ - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - k2 = 0; + len = sizeof (value) - 1; + result = asn1_read_value (asn1_struct, tmpbuffer2, value, &len); - do { /* Move to the attibute type and values - */ - k2++; - - _gnutls_int2str(k2, counter); - _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), tmpbuffer1); - if (strlen(tmpbuffer2) > 0) - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "."); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "?"); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), counter); - - /* Try to read the RelativeDistinguishedName attributes. - */ - - len = sizeof(value) - 1; - result = asn1_read_value(asn1_struct, tmpbuffer2, value, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + if (result != ASN1_VALUE_NOT_FOUND) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".type"); + /* Read the OID + */ + _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2); + _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".type"); - len = sizeof(oid) - 1; - result = asn1_read_value(asn1_struct, tmpbuffer3, oid, &len); + len = sizeof (oid) - 1; + result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Read the Value - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".value"); + /* Read the Value + */ + _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2); + _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".value"); - len = 0; - result = asn1_read_value(asn1_struct, tmpbuffer3, NULL, &len); + len = 0; + result = asn1_read_value (asn1_struct, tmpbuffer3, NULL, &len); - value2 = gnutls_malloc(len); - if (value2 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + value2 = gnutls_malloc (len); + if (value2 == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; } - result = - asn1_read_value(asn1_struct, tmpbuffer3, value2, &len); + result = asn1_read_value (asn1_struct, tmpbuffer3, value2, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } #define STR_APPEND(y) if ((result=_gnutls_string_append_str( &out_str, y)) < 0) { \ gnutls_assert(); \ goto cleanup; \ } - /* The encodings of adjoining RelativeDistinguishedNames are separated - * by a comma character (',' ASCII 44). - */ - - /* Where there is a multi-valued RDN, the outputs from adjoining - * AttributeTypeAndValues are separated by a plus ('+' ASCII 43) - * character. - */ - if (k1 != 1) { /* the first time do not append a comma */ - if (k2 != 1) { /* adjoining multi-value RDN */ - STR_APPEND("+"); - } else { - STR_APPEND(","); + /* The encodings of adjoining RelativeDistinguishedNames are separated + * by a comma character (',' ASCII 44). + */ + + /* Where there is a multi-valued RDN, the outputs from adjoining + * AttributeTypeAndValues are separated by a plus ('+' ASCII 43) + * character. + */ + if (k1 != 1) + { /* the first time do not append a comma */ + if (k2 != 1) + { /* adjoining multi-value RDN */ + STR_APPEND ("+"); + } + else + { + STR_APPEND (","); } } - ldap_desc = oid2ldap_string(oid); - printable = _gnutls_x509_oid_data_printable(oid); + ldap_desc = oid2ldap_string (oid); + printable = _gnutls_x509_oid_data_printable (oid); - sizeof_escaped = 2 * len + 1; + sizeof_escaped = 2 * len + 1; - escaped = gnutls_malloc(sizeof_escaped); - if (escaped == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + escaped = gnutls_malloc (sizeof_escaped); + if (escaped == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; } - sizeof_string = 2 * len + 2; /* in case it is not printable */ + sizeof_string = 2 * len + 2; /* in case it is not printable */ - string = gnutls_malloc(sizeof_string); - if (string == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + string = gnutls_malloc (sizeof_string); + if (string == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; } - STR_APPEND(ldap_desc); - STR_APPEND("="); - if (printable) - result = - _gnutls_x509_oid_data2string(oid, - value2, len, - string, &sizeof_string); - else - result = - _gnutls_x509_data2hex(value2, len, string, - &sizeof_string); - - if (result < 0) { - gnutls_assert(); - _gnutls_x509_log - ("Found OID: '%s' with value '%s'\n", - oid, _gnutls_bin2hex(value2, - len, escaped, sizeof_escaped)); - goto cleanup; + STR_APPEND (ldap_desc); + STR_APPEND ("="); + if (printable) + result = + _gnutls_x509_oid_data2string (oid, + value2, len, + string, &sizeof_string); + else + result = + _gnutls_x509_data2hex (value2, len, string, &sizeof_string); + + if (result < 0) + { + gnutls_assert (); + _gnutls_x509_log + ("Found OID: '%s' with value '%s'\n", + oid, _gnutls_bin2hex (value2, len, escaped, sizeof_escaped)); + goto cleanup; } - STR_APPEND(str_escape(string, escaped, sizeof_escaped)); - gnutls_free(string); - string = NULL; + STR_APPEND (str_escape (string, escaped, sizeof_escaped)); + gnutls_free (string); + string = NULL; - gnutls_free(escaped); - escaped = NULL; - gnutls_free(value2); - value2 = NULL; + gnutls_free (escaped); + escaped = NULL; + gnutls_free (value2); + value2 = NULL; - } while (1); - - } while (1); + } + while (1); - if (out_str.length >= (unsigned int) *sizeof_buf) { - gnutls_assert(); - *sizeof_buf = out_str.length + 1; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto cleanup; + } + while (1); + + if (out_str.length >= (unsigned int) *sizeof_buf) + { + gnutls_assert (); + *sizeof_buf = out_str.length + 1; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto cleanup; } - if (buf) { - memcpy(buf, out_str.data, out_str.length); - buf[out_str.length] = 0; + if (buf) + { + memcpy (buf, out_str.data, out_str.length); + buf[out_str.length] = 0; } - *sizeof_buf = out_str.length; + *sizeof_buf = out_str.length; - result = 0; + result = 0; - cleanup: - gnutls_free(value2); - gnutls_free(string); - gnutls_free(escaped); - _gnutls_string_clear(&out_str); - return result; +cleanup: + gnutls_free (value2); + gnutls_free (string); + gnutls_free (escaped); + _gnutls_string_clear (&out_str); + return result; } /* Parses an X509 DN in the asn1_struct, and searches for the @@ -315,162 +335,176 @@ int _gnutls_x509_parse_dn(ASN1_TYPE asn1_struct, * indx specifies which OID to return. Ie 0 means return the first specified * OID found, 1 the second etc. */ -int _gnutls_x509_parse_dn_oid(ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, - const char *given_oid, int indx, - unsigned int raw_flag, - void *buf, size_t * sizeof_buf) +int +_gnutls_x509_parse_dn_oid (ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, + const char *given_oid, int indx, + unsigned int raw_flag, + void *buf, size_t * sizeof_buf) { - int k2, k1, result; - char tmpbuffer1[64]; - char tmpbuffer2[64]; - char tmpbuffer3[64]; - char counter[MAX_INT_DIGITS]; - opaque value[256]; - char oid[128]; - int len, printable; - int i = 0; - char *cbuf = buf; - - if (cbuf == NULL) - *sizeof_buf = 0; - else - cbuf[0] = 0; - - k1 = 0; - do { - - k1++; - /* create a string like "tbsCertList.issuer.rdnSequence.?1" - */ - _gnutls_int2str(k1, counter); - _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), asn1_rdn_name); - - if (strlen(tmpbuffer1) > 0) - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); - - len = sizeof(value) - 1; - result = asn1_read_value(asn1_struct, tmpbuffer1, value, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; + int k2, k1, result; + char tmpbuffer1[64]; + char tmpbuffer2[64]; + char tmpbuffer3[64]; + char counter[MAX_INT_DIGITS]; + opaque value[256]; + char oid[128]; + int len, printable; + int i = 0; + char *cbuf = buf; + + if (cbuf == NULL) + *sizeof_buf = 0; + else + cbuf[0] = 0; + + k1 = 0; + do + { + + k1++; + /* create a string like "tbsCertList.issuer.rdnSequence.?1" + */ + _gnutls_int2str (k1, counter); + _gnutls_str_cpy (tmpbuffer1, sizeof (tmpbuffer1), asn1_rdn_name); + + if (strlen (tmpbuffer1) > 0) + _gnutls_str_cat (tmpbuffer1, sizeof (tmpbuffer1), "."); + _gnutls_str_cat (tmpbuffer1, sizeof (tmpbuffer1), "?"); + _gnutls_str_cat (tmpbuffer1, sizeof (tmpbuffer1), counter); + + len = sizeof (value) - 1; + result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + { + gnutls_assert (); + break; } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_VALUE_NOT_FOUND) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - k2 = 0; + k2 = 0; - do { /* Move to the attibute type and values + do + { /* Move to the attibute type and values */ - k2++; + k2++; - _gnutls_int2str(k2, counter); - _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), tmpbuffer1); + _gnutls_int2str (k2, counter); + _gnutls_str_cpy (tmpbuffer2, sizeof (tmpbuffer2), tmpbuffer1); - if (strlen(tmpbuffer2) > 0) - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "."); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "?"); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), counter); + if (strlen (tmpbuffer2) > 0) + _gnutls_str_cat (tmpbuffer2, sizeof (tmpbuffer2), "."); + _gnutls_str_cat (tmpbuffer2, sizeof (tmpbuffer2), "?"); + _gnutls_str_cat (tmpbuffer2, sizeof (tmpbuffer2), counter); - /* Try to read the RelativeDistinguishedName attributes. - */ + /* Try to read the RelativeDistinguishedName attributes. + */ - len = sizeof(value) - 1; - result = asn1_read_value(asn1_struct, tmpbuffer2, value, &len); + len = sizeof (value) - 1; + result = asn1_read_value (asn1_struct, tmpbuffer2, value, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; + if (result == ASN1_ELEMENT_NOT_FOUND) + { + break; } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_VALUE_NOT_FOUND) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".type"); + /* Read the OID + */ + _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2); + _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".type"); - len = sizeof(oid) - 1; - result = asn1_read_value(asn1_struct, tmpbuffer3, oid, &len); + len = sizeof (oid) - 1; + result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - if (strcmp(oid, given_oid) == 0 && indx == i++) { /* Found the OID */ + if (strcmp (oid, given_oid) == 0 && indx == i++) + { /* Found the OID */ - /* Read the Value - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), - tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".value"); + /* Read the Value + */ + _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2); + _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".value"); - len = *sizeof_buf; - result = - asn1_read_value(asn1_struct, tmpbuffer3, buf, &len); + len = *sizeof_buf; + result = asn1_read_value (asn1_struct, tmpbuffer3, buf, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - if (result==ASN1_MEM_ERROR) - *sizeof_buf = len; - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + if (result == ASN1_MEM_ERROR) + *sizeof_buf = len; + result = _gnutls_asn2err (result); + goto cleanup; } - if (raw_flag != 0) { - if ((uint) len > *sizeof_buf) { - *sizeof_buf = len; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto cleanup; + if (raw_flag != 0) + { + if ((uint) len > *sizeof_buf) + { + *sizeof_buf = len; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto cleanup; } - *sizeof_buf = len; - - return 0; - - } else { /* parse data. raw_flag == 0 */ - printable = _gnutls_x509_oid_data_printable(oid); + *sizeof_buf = len; - if (printable == 1) - result = - _gnutls_x509_oid_data2string(oid, buf, len, - cbuf, sizeof_buf); - else - result = - _gnutls_x509_data2hex(buf, len, cbuf, - sizeof_buf); + return 0; - if (result < 0) { - gnutls_assert(); - goto cleanup; + } + else + { /* parse data. raw_flag == 0 */ + printable = _gnutls_x509_oid_data_printable (oid); + + if (printable == 1) + result = + _gnutls_x509_oid_data2string (oid, buf, len, + cbuf, sizeof_buf); + else + result = + _gnutls_x509_data2hex (buf, len, cbuf, sizeof_buf); + + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - return 0; + return 0; } /* raw_flag == 0 */ } - } while (1); + } + while (1); - } while (1); + } + while (1); - gnutls_assert(); + gnutls_assert (); - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - cleanup: - return result; +cleanup: + return result; } @@ -483,281 +517,309 @@ int _gnutls_x509_parse_dn_oid(ASN1_TYPE asn1_struct, * indx specifies which OID to return. Ie 0 means return the first specified * OID found, 1 the second etc. */ -int _gnutls_x509_get_dn_oid(ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, - int indx, void *_oid, size_t * sizeof_oid) +int +_gnutls_x509_get_dn_oid (ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, + int indx, void *_oid, size_t * sizeof_oid) { - int k2, k1, result; - char tmpbuffer1[64]; - char tmpbuffer2[64]; - char tmpbuffer3[64]; - char counter[MAX_INT_DIGITS]; - char value[256]; - char oid[128]; - int len; - int i = 0; - - k1 = 0; - do { - - k1++; - /* create a string like "tbsCertList.issuer.rdnSequence.?1" - */ - _gnutls_int2str(k1, counter); - _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), asn1_rdn_name); - - if (strlen(tmpbuffer1) > 0) - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); - - len = sizeof(value) - 1; - result = asn1_read_value(asn1_struct, tmpbuffer1, value, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; + int k2, k1, result; + char tmpbuffer1[64]; + char tmpbuffer2[64]; + char tmpbuffer3[64]; + char counter[MAX_INT_DIGITS]; + char value[256]; + char oid[128]; + int len; + int i = 0; + + k1 = 0; + do + { + + k1++; + /* create a string like "tbsCertList.issuer.rdnSequence.?1" + */ + _gnutls_int2str (k1, counter); + _gnutls_str_cpy (tmpbuffer1, sizeof (tmpbuffer1), asn1_rdn_name); + + if (strlen (tmpbuffer1) > 0) + _gnutls_str_cat (tmpbuffer1, sizeof (tmpbuffer1), "."); + _gnutls_str_cat (tmpbuffer1, sizeof (tmpbuffer1), "?"); + _gnutls_str_cat (tmpbuffer1, sizeof (tmpbuffer1), counter); + + len = sizeof (value) - 1; + result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + { + gnutls_assert (); + break; } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_VALUE_NOT_FOUND) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - k2 = 0; + k2 = 0; - do { /* Move to the attibute type and values + do + { /* Move to the attibute type and values */ - k2++; + k2++; - _gnutls_int2str(k2, counter); - _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), tmpbuffer1); + _gnutls_int2str (k2, counter); + _gnutls_str_cpy (tmpbuffer2, sizeof (tmpbuffer2), tmpbuffer1); - if (strlen(tmpbuffer2) > 0) - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "."); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "?"); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), counter); + if (strlen (tmpbuffer2) > 0) + _gnutls_str_cat (tmpbuffer2, sizeof (tmpbuffer2), "."); + _gnutls_str_cat (tmpbuffer2, sizeof (tmpbuffer2), "?"); + _gnutls_str_cat (tmpbuffer2, sizeof (tmpbuffer2), counter); - /* Try to read the RelativeDistinguishedName attributes. - */ + /* Try to read the RelativeDistinguishedName attributes. + */ - len = sizeof(value) - 1; - result = asn1_read_value(asn1_struct, tmpbuffer2, value, &len); + len = sizeof (value) - 1; + result = asn1_read_value (asn1_struct, tmpbuffer2, value, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; + if (result == ASN1_ELEMENT_NOT_FOUND) + { + break; } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_VALUE_NOT_FOUND) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".type"); + /* Read the OID + */ + _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2); + _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".type"); - len = sizeof(oid) - 1; - result = asn1_read_value(asn1_struct, tmpbuffer3, oid, &len); + len = sizeof (oid) - 1; + result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - if (indx == i++) { /* Found the OID */ + if (indx == i++) + { /* Found the OID */ - len = strlen(oid) + 1; + len = strlen (oid) + 1; - if (*sizeof_oid < (uint) len) { - *sizeof_oid = len; - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (*sizeof_oid < (uint) len) + { + *sizeof_oid = len; + gnutls_assert (); + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - memcpy(_oid, oid, len); - *sizeof_oid = len - 1; + memcpy (_oid, oid, len); + *sizeof_oid = len - 1; - return 0; + return 0; } - } while (1); + } + while (1); - } while (1); + } + while (1); - gnutls_assert(); + gnutls_assert (); - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - cleanup: - return result; +cleanup: + return result; } /* This will encode and write the AttributeTypeAndValue field. * 'multi' must be zero if writing an AttributeTypeAndValue, and 1 if Attribute. * In all cases only one value is written. */ -int _gnutls_x509_encode_and_write_attribute(const char *given_oid, - ASN1_TYPE asn1_struct, - const char *where, - const void *_data, - int sizeof_data, int multi) +int +_gnutls_x509_encode_and_write_attribute (const char *given_oid, + ASN1_TYPE asn1_struct, + const char *where, + const void *_data, + int sizeof_data, int multi) { - const char *val_name; - const opaque *data = _data; - char tmp[128]; - ASN1_TYPE c2; - int result; - - - /* Find how to encode the data. - */ - val_name = asn1_find_structure_from_oid(_gnutls_get_pkix(), given_oid); - if (val_name == NULL) { - gnutls_assert(); - return GNUTLS_E_X509_UNSUPPORTED_OID; + const char *val_name; + const opaque *data = _data; + char tmp[128]; + ASN1_TYPE c2; + int result; + + + /* Find how to encode the data. + */ + val_name = asn1_find_structure_from_oid (_gnutls_get_pkix (), given_oid); + if (val_name == NULL) + { + gnutls_assert (); + return GNUTLS_E_X509_UNSUPPORTED_OID; } - _gnutls_str_cpy(tmp, sizeof(tmp), "PKIX1."); - _gnutls_str_cat(tmp, sizeof(tmp), val_name); + _gnutls_str_cpy (tmp, sizeof (tmp), "PKIX1."); + _gnutls_str_cat (tmp, sizeof (tmp), val_name); - result = asn1_create_element(_gnutls_get_pkix(), tmp, &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = asn1_create_element (_gnutls_get_pkix (), tmp, &c2); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - tmp[0] = 0; + tmp[0] = 0; - if ((result = _gnutls_x509_oid_data_choice(given_oid)) > 0) { - char *string_type; - int i; + if ((result = _gnutls_x509_oid_data_choice (given_oid)) > 0) + { + char *string_type; + int i; - string_type = "printableString"; + string_type = "printableString"; - /* Check if the data is plain ascii, and use - * the UTF8 string type if not. - */ - for (i = 0; i < sizeof_data; i++) { - if (!isascii(data[i])) { - string_type = "utf8String"; - break; + /* Check if the data is plain ascii, and use + * the UTF8 string type if not. + */ + for (i = 0; i < sizeof_data; i++) + { + if (!isascii (data[i])) + { + string_type = "utf8String"; + break; } } - /* if the type is a CHOICE then write the - * type we'll use. - */ - result = asn1_write_value(c2, "", string_type, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + /* if the type is a CHOICE then write the + * type we'll use. + */ + result = asn1_write_value (c2, "", string_type, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - _gnutls_str_cpy(tmp, sizeof(tmp), string_type); + _gnutls_str_cpy (tmp, sizeof (tmp), string_type); } - result = asn1_write_value(c2, tmp, data, sizeof_data); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + result = asn1_write_value (c2, tmp, data, sizeof_data); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - /* write the data (value) - */ + /* write the data (value) + */ - _gnutls_str_cpy(tmp, sizeof(tmp), where); - _gnutls_str_cat(tmp, sizeof(tmp), ".value"); + _gnutls_str_cpy (tmp, sizeof (tmp), where); + _gnutls_str_cat (tmp, sizeof (tmp), ".value"); - if (multi != 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ - _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ + if (multi != 0) + { /* if not writing an AttributeTypeAndValue, but an Attribute */ + _gnutls_str_cat (tmp, sizeof (tmp), "s"); /* values */ - result = asn1_write_value(asn1_struct, tmp, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = asn1_write_value (asn1_struct, tmp, "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); + _gnutls_str_cat (tmp, sizeof (tmp), ".?LAST"); } - result = _gnutls_x509_der_encode_and_copy(c2, "", asn1_struct, tmp, 0); - if (result < 0) { - gnutls_assert(); - return result; + result = _gnutls_x509_der_encode_and_copy (c2, "", asn1_struct, tmp, 0); + if (result < 0) + { + gnutls_assert (); + return result; } - /* write the type - */ - _gnutls_str_cpy(tmp, sizeof(tmp), where); - _gnutls_str_cat(tmp, sizeof(tmp), ".type"); + /* write the type + */ + _gnutls_str_cpy (tmp, sizeof (tmp), where); + _gnutls_str_cat (tmp, sizeof (tmp), ".type"); - result = asn1_write_value(asn1_struct, tmp, given_oid, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = asn1_write_value (asn1_struct, tmp, given_oid, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } /* This will write the AttributeTypeAndValue field. The data must be already DER encoded. * 'multi' must be zero if writing an AttributeTypeAndValue, and 1 if Attribute. * In all cases only one value is written. */ -int _gnutls_x509_write_attribute(const char *given_oid, - ASN1_TYPE asn1_struct, const char *where, - const void *_data, int sizeof_data, - int multi) +int +_gnutls_x509_write_attribute (const char *given_oid, + ASN1_TYPE asn1_struct, const char *where, + const void *_data, int sizeof_data, int multi) { - char tmp[128]; - int result; + char tmp[128]; + int result; - /* write the data (value) - */ + /* write the data (value) + */ - _gnutls_str_cpy(tmp, sizeof(tmp), where); - _gnutls_str_cat(tmp, sizeof(tmp), ".value"); + _gnutls_str_cpy (tmp, sizeof (tmp), where); + _gnutls_str_cat (tmp, sizeof (tmp), ".value"); - if (multi != 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ - _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ + if (multi != 0) + { /* if not writing an AttributeTypeAndValue, but an Attribute */ + _gnutls_str_cat (tmp, sizeof (tmp), "s"); /* values */ - result = asn1_write_value(asn1_struct, tmp, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = asn1_write_value (asn1_struct, tmp, "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); + _gnutls_str_cat (tmp, sizeof (tmp), ".?LAST"); } - result = asn1_write_value(asn1_struct, tmp, _data, sizeof_data); - if (result < 0) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = asn1_write_value (asn1_struct, tmp, _data, sizeof_data); + if (result < 0) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - /* write the type - */ - _gnutls_str_cpy(tmp, sizeof(tmp), where); - _gnutls_str_cat(tmp, sizeof(tmp), ".type"); + /* write the type + */ + _gnutls_str_cpy (tmp, sizeof (tmp), where); + _gnutls_str_cat (tmp, sizeof (tmp), ".type"); - result = asn1_write_value(asn1_struct, tmp, given_oid, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = asn1_write_value (asn1_struct, tmp, given_oid, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } @@ -769,43 +831,48 @@ int _gnutls_x509_write_attribute(const char *given_oid, * * The output is allocated and stored in value. */ -int _gnutls_x509_decode_and_read_attribute(ASN1_TYPE asn1_struct, - const char *where, char *oid, int oid_size, - gnutls_datum_t * value, int multi, int octet_string) +int +_gnutls_x509_decode_and_read_attribute (ASN1_TYPE asn1_struct, + const char *where, char *oid, + int oid_size, gnutls_datum_t * value, + int multi, int octet_string) { - char tmpbuffer[128]; - int len, result; - - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer, sizeof(tmpbuffer), where); - _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), ".type"); - - len = oid_size - 1; - result = asn1_read_value(asn1_struct, tmpbuffer, oid, &len); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - return result; + char tmpbuffer[128]; + int len, result; + + /* Read the OID + */ + _gnutls_str_cpy (tmpbuffer, sizeof (tmpbuffer), where); + _gnutls_str_cat (tmpbuffer, sizeof (tmpbuffer), ".type"); + + len = oid_size - 1; + result = asn1_read_value (asn1_struct, tmpbuffer, oid, &len); + + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + return result; } - /* Read the Value - */ + /* Read the Value + */ - _gnutls_str_cpy(tmpbuffer, sizeof(tmpbuffer), where); - _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), ".value"); + _gnutls_str_cpy (tmpbuffer, sizeof (tmpbuffer), where); + _gnutls_str_cat (tmpbuffer, sizeof (tmpbuffer), ".value"); - if (multi) - _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), "s.?1"); /* .values.?1 */ + if (multi) + _gnutls_str_cat (tmpbuffer, sizeof (tmpbuffer), "s.?1"); /* .values.?1 */ - result = _gnutls_x509_read_value(asn1_struct, tmpbuffer, value, octet_string); - if (result < 0) { - gnutls_assert(); - return result; + result = + _gnutls_x509_read_value (asn1_struct, tmpbuffer, value, octet_string); + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } @@ -816,73 +883,80 @@ int _gnutls_x509_decode_and_read_attribute(ASN1_TYPE asn1_struct, * That is to point before the rndSequence. * */ -int _gnutls_x509_set_dn_oid(ASN1_TYPE asn1_struct, - const char *asn1_name, const char *given_oid, - int raw_flag, const char *name, - int sizeof_name) +int +_gnutls_x509_set_dn_oid (ASN1_TYPE asn1_struct, + const char *asn1_name, const char *given_oid, + int raw_flag, const char *name, int sizeof_name) { - int result; - char tmp[64], asn1_rdn_name[64]; + int result; + char tmp[64], asn1_rdn_name[64]; - if (sizeof_name == 0 || name == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (sizeof_name == 0 || name == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* create the rdnSequence - */ - result = asn1_write_value(asn1_struct, asn1_name, "rdnSequence", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + /* create the rdnSequence + */ + result = asn1_write_value (asn1_struct, asn1_name, "rdnSequence", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - _gnutls_str_cpy(asn1_rdn_name, sizeof(asn1_rdn_name), asn1_name); - _gnutls_str_cat(asn1_rdn_name, sizeof(asn1_rdn_name), ".rdnSequence"); + _gnutls_str_cpy (asn1_rdn_name, sizeof (asn1_rdn_name), asn1_name); + _gnutls_str_cat (asn1_rdn_name, sizeof (asn1_rdn_name), ".rdnSequence"); - /* create a new element - */ - result = asn1_write_value(asn1_struct, asn1_rdn_name, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + /* create a new element + */ + result = asn1_write_value (asn1_struct, asn1_rdn_name, "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - _gnutls_str_cpy(tmp, sizeof(tmp), asn1_rdn_name); - _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); + _gnutls_str_cpy (tmp, sizeof (tmp), asn1_rdn_name); + _gnutls_str_cat (tmp, sizeof (tmp), ".?LAST"); - /* create the set with only one element - */ - result = asn1_write_value(asn1_struct, tmp, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + /* create the set with only one element + */ + result = asn1_write_value (asn1_struct, tmp, "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - /* Encode and write the data - */ - _gnutls_str_cpy(tmp, sizeof(tmp), asn1_rdn_name); - _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST.?LAST"); - - if (!raw_flag) { - result = - _gnutls_x509_encode_and_write_attribute(given_oid, - asn1_struct, - tmp, name, - sizeof_name, 0); - } else { - result = - _gnutls_x509_write_attribute(given_oid, asn1_struct, - tmp, name, sizeof_name, 0); + /* Encode and write the data + */ + _gnutls_str_cpy (tmp, sizeof (tmp), asn1_rdn_name); + _gnutls_str_cat (tmp, sizeof (tmp), ".?LAST.?LAST"); + + if (!raw_flag) + { + result = + _gnutls_x509_encode_and_write_attribute (given_oid, + asn1_struct, + tmp, name, sizeof_name, 0); + } + else + { + result = + _gnutls_x509_write_attribute (given_oid, asn1_struct, + tmp, name, sizeof_name, 0); } - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } @@ -901,40 +975,44 @@ int _gnutls_x509_set_dn_oid(ASN1_TYPE asn1_struct, * success 0 is returned. * **/ -int gnutls_x509_rdn_get(const gnutls_datum_t * idn, - char *buf, size_t * sizeof_buf) +int +gnutls_x509_rdn_get (const gnutls_datum_t * idn, + char *buf, size_t * sizeof_buf) { - int result; - ASN1_TYPE dn = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; - if (sizeof_buf == 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (sizeof_buf == 0) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (buf) - buf[0] = 0; + if (buf) + buf[0] = 0; - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Name", &dn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); + result = asn1_der_decoding (&dn, idn->data, idn->size, NULL); + if (result != ASN1_SUCCESS) + { + /* couldn't decode DER */ + gnutls_assert (); + asn1_delete_structure (&dn); + return _gnutls_asn2err (result); } - result = _gnutls_x509_parse_dn(dn, "rdnSequence", buf, sizeof_buf); + result = _gnutls_x509_parse_dn (dn, "rdnSequence", buf, sizeof_buf); - asn1_delete_structure(&dn); - return result; + asn1_delete_structure (&dn); + return result; } @@ -956,38 +1034,42 @@ int gnutls_x509_rdn_get(const gnutls_datum_t * idn, * the provided buffer is not long enough, and 0 on success. * **/ -int gnutls_x509_rdn_get_by_oid(const gnutls_datum_t * idn, const char *oid, - int indx, unsigned int raw_flag, - void *buf, size_t * sizeof_buf) +int +gnutls_x509_rdn_get_by_oid (const gnutls_datum_t * idn, const char *oid, + int indx, unsigned int raw_flag, + void *buf, size_t * sizeof_buf) { - int result; - ASN1_TYPE dn = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; - if (sizeof_buf == 0) { - return GNUTLS_E_INVALID_REQUEST; + if (sizeof_buf == 0) + { + return GNUTLS_E_INVALID_REQUEST; } - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Name", &dn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); + result = asn1_der_decoding (&dn, idn->data, idn->size, NULL); + if (result != ASN1_SUCCESS) + { + /* couldn't decode DER */ + gnutls_assert (); + asn1_delete_structure (&dn); + return _gnutls_asn2err (result); } - result = - _gnutls_x509_parse_dn_oid(dn, "rdnSequence", oid, indx, - raw_flag, buf, sizeof_buf); + result = + _gnutls_x509_parse_dn_oid (dn, "rdnSequence", oid, indx, + raw_flag, buf, sizeof_buf); - asn1_delete_structure(&dn); - return result; + asn1_delete_structure (&dn); + return result; } @@ -1005,36 +1087,39 @@ int gnutls_x509_rdn_get_by_oid(const gnutls_datum_t * idn, const char *oid, * the provided buffer is not long enough, and 0 on success. * **/ -int gnutls_x509_rdn_get_oid(const gnutls_datum_t * idn, - int indx, void *buf, size_t * sizeof_buf) +int +gnutls_x509_rdn_get_oid (const gnutls_datum_t * idn, + int indx, void *buf, size_t * sizeof_buf) { - int result; - ASN1_TYPE dn = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; - if (sizeof_buf == 0) { - return GNUTLS_E_INVALID_REQUEST; + if (sizeof_buf == 0) + { + return GNUTLS_E_INVALID_REQUEST; } - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Name", &dn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); + result = asn1_der_decoding (&dn, idn->data, idn->size, NULL); + if (result != ASN1_SUCCESS) + { + /* couldn't decode DER */ + gnutls_assert (); + asn1_delete_structure (&dn); + return _gnutls_asn2err (result); } - result = - _gnutls_x509_get_dn_oid(dn, "rdnSequence", indx, buf, sizeof_buf); + result = _gnutls_x509_get_dn_oid (dn, "rdnSequence", indx, buf, sizeof_buf); - asn1_delete_structure(&dn); - return result; + asn1_delete_structure (&dn); + return result; } @@ -1046,17 +1131,20 @@ int gnutls_x509_rdn_get_oid(const gnutls_datum_t * idn, * Returns 1 if the DN's match and zero if they don't match. Otherwise * a negative value is returned to indicate error. */ -int _gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1, - const gnutls_datum_t * dn2) +int +_gnutls_x509_compare_raw_dn (const gnutls_datum_t * dn1, + const gnutls_datum_t * dn2) { - if (dn1->size != dn2->size) { - gnutls_assert(); - return 0; + if (dn1->size != dn2->size) + { + gnutls_assert (); + return 0; } - if (memcmp(dn1->data, dn2->data, dn2->size) != 0) { - gnutls_assert(); - return 0; + if (memcmp (dn1->data, dn2->data, dn2->size) != 0) + { + gnutls_assert (); + return 0; } - return 1; /* they match */ + return 1; /* they match */ } diff --git a/lib/x509/dn.h b/lib/x509/dn.h index 77d0356470..08cce091aa 100644 --- a/lib/x509/dn.h +++ b/lib/x509/dn.h @@ -37,23 +37,22 @@ #define OID_LDAP_UID "0.9.2342.19200300.100.1.1" #define OID_PKCS9_EMAIL "1.2.840.113549.1.9.1" -int _gnutls_x509_parse_dn(ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, char *buf, - size_t * sizeof_buf); - -int _gnutls_x509_parse_dn_oid(ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, const char *oid, - int indx, unsigned int raw_flag, void *buf, - size_t * sizeof_buf); - -int _gnutls_x509_set_dn_oid(ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, const char *oid, - int raw_flag, const char *name, - int sizeof_name); - -int _gnutls_x509_get_dn_oid(ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, - int indx, void *_oid, size_t * sizeof_oid); +int _gnutls_x509_parse_dn (ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, char *buf, + size_t * sizeof_buf); + +int _gnutls_x509_parse_dn_oid (ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, const char *oid, + int indx, unsigned int raw_flag, void *buf, + size_t * sizeof_buf); + +int _gnutls_x509_set_dn_oid (ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, const char *oid, + int raw_flag, const char *name, int sizeof_name); + +int _gnutls_x509_get_dn_oid (ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, + int indx, void *_oid, size_t * sizeof_oid); #endif diff --git a/lib/x509/dsa.c b/lib/x509/dsa.c index 358fbb91bc..46559746e1 100644 --- a/lib/x509/dsa.c +++ b/lib/x509/dsa.c @@ -32,95 +32,104 @@ /* resarr will contain: p(0), q(1), g(2), y(3), x(4). */ -int _gnutls_dsa_generate_params(mpi_t * resarr, int *resarr_len, int bits) +int +_gnutls_dsa_generate_params (mpi_t * resarr, int *resarr_len, int bits) { - int ret; - gcry_sexp_t parms, key, list; + int ret; + gcry_sexp_t parms, key, list; - if (bits < 512 || bits > 1024) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bits < 512 || bits > 1024) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = gcry_sexp_build(&parms, NULL, "(genkey(dsa(nbits %d)))", bits); - if (ret != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + ret = gcry_sexp_build (&parms, NULL, "(genkey(dsa(nbits %d)))", bits); + if (ret != 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - /* generate the DSA key - */ - ret = gcry_pk_genkey(&key, parms); - gcry_sexp_release(parms); + /* generate the DSA key + */ + ret = gcry_pk_genkey (&key, parms); + gcry_sexp_release (parms); - if (ret != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (ret != 0) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - list = gcry_sexp_find_token(key, "p", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(key); - return GNUTLS_E_INTERNAL_ERROR; + list = gcry_sexp_find_token (key, "p", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (key); + return GNUTLS_E_INTERNAL_ERROR; } - resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + resarr[0] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); - list = gcry_sexp_find_token(key, "q", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(key); - return GNUTLS_E_INTERNAL_ERROR; + list = gcry_sexp_find_token (key, "q", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (key); + return GNUTLS_E_INTERNAL_ERROR; } - resarr[1] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + resarr[1] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); - list = gcry_sexp_find_token(key, "g", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(key); - return GNUTLS_E_INTERNAL_ERROR; + list = gcry_sexp_find_token (key, "g", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (key); + return GNUTLS_E_INTERNAL_ERROR; } - resarr[2] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + resarr[2] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); - list = gcry_sexp_find_token(key, "y", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(key); - return GNUTLS_E_INTERNAL_ERROR; + list = gcry_sexp_find_token (key, "y", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (key); + return GNUTLS_E_INTERNAL_ERROR; } - resarr[3] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + resarr[3] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); - list = gcry_sexp_find_token(key, "x", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(key); - return GNUTLS_E_INTERNAL_ERROR; + list = gcry_sexp_find_token (key, "x", 0); + if (list == NULL) + { + gnutls_assert (); + gcry_sexp_release (key); + return GNUTLS_E_INTERNAL_ERROR; } - resarr[4] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + resarr[4] = gcry_sexp_nth_mpi (list, 1, 0); + gcry_sexp_release (list); - gcry_sexp_release(key); + gcry_sexp_release (key); - _gnutls_dump_mpi("p: ", resarr[0]); - _gnutls_dump_mpi("q: ", resarr[1]); - _gnutls_dump_mpi("g: ", resarr[2]); - _gnutls_dump_mpi("y: ", resarr[3]); - _gnutls_dump_mpi("x: ", resarr[4]); + _gnutls_dump_mpi ("p: ", resarr[0]); + _gnutls_dump_mpi ("q: ", resarr[1]); + _gnutls_dump_mpi ("g: ", resarr[2]); + _gnutls_dump_mpi ("y: ", resarr[3]); + _gnutls_dump_mpi ("x: ", resarr[4]); - *resarr_len = 5; + *resarr_len = 5; - return 0; + return 0; } diff --git a/lib/x509/dsa.h b/lib/x509/dsa.h index 0ab9f113fc..2d1e2fda9b 100644 --- a/lib/x509/dsa.h +++ b/lib/x509/dsa.h @@ -22,4 +22,4 @@ * */ -int _gnutls_dsa_generate_params(mpi_t * resarr, int *resarr_len, int bits); +int _gnutls_dsa_generate_params (mpi_t * resarr, int *resarr_len, int bits); diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c index 435a1d94d9..2961ce6914 100644 --- a/lib/x509/extensions.c +++ b/lib/x509/extensions.c @@ -43,116 +43,130 @@ * If the extension does not exist, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will * be returned. */ -int _gnutls_x509_crt_get_extension(gnutls_x509_crt_t cert, - const char *extension_id, int indx, - gnutls_datum_t * ret, - unsigned int *_critical) +int +_gnutls_x509_crt_get_extension (gnutls_x509_crt_t cert, + const char *extension_id, int indx, + gnutls_datum_t * ret, unsigned int *_critical) { - int k, result, len; - char name[128], name2[128], counter[MAX_INT_DIGITS]; - char str[1024]; - char str_critical[10]; - int critical = 0; - char extnID[128]; - gnutls_datum_t value; - int indx_counter = 0; - - ret->data = NULL; - ret->size = 0; - - k = 0; - do { - k++; - - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(k, counter); - _gnutls_str_cat(name, sizeof(name), counter); - - len = sizeof(str) - 1; - result = asn1_read_value(cert->cert, name, str, &len); - - /* move to next - */ - - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; + int k, result, len; + char name[128], name2[128], counter[MAX_INT_DIGITS]; + char str[1024]; + char str_critical[10]; + int critical = 0; + char extnID[128]; + gnutls_datum_t value; + int indx_counter = 0; + + ret->data = NULL; + ret->size = 0; + + k = 0; + do + { + k++; + + _gnutls_str_cpy (name, sizeof (name), "tbsCertificate.extensions.?"); + _gnutls_int2str (k, counter); + _gnutls_str_cat (name, sizeof (name), counter); + + len = sizeof (str) - 1; + result = asn1_read_value (cert->cert, name, str, &len); + + /* move to next + */ + + if (result == ASN1_ELEMENT_NOT_FOUND) + { + break; } - do { + do + { - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnID"); + _gnutls_str_cpy (name2, sizeof (name2), name); + _gnutls_str_cat (name2, sizeof (name2), ".extnID"); - len = sizeof(extnID) - 1; - result = asn1_read_value(cert->cert, name2, extnID, &len); + len = sizeof (extnID) - 1; + result = asn1_read_value (cert->cert, name2, extnID, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result == ASN1_ELEMENT_NOT_FOUND) + { + gnutls_assert (); + break; + } + else if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - /* Handle Extension - */ - if (strcmp(extnID, extension_id) == 0 - && indx == indx_counter++) { - /* extension was found - */ - - /* read the critical status. - */ - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".critical"); - - len = sizeof(str_critical); - result = - asn1_read_value(cert->cert, name2, str_critical, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + /* Handle Extension + */ + if (strcmp (extnID, extension_id) == 0 && indx == indx_counter++) + { + /* extension was found + */ + + /* read the critical status. + */ + _gnutls_str_cpy (name2, sizeof (name2), name); + _gnutls_str_cat (name2, sizeof (name2), ".critical"); + + len = sizeof (str_critical); + result = + asn1_read_value (cert->cert, name2, str_critical, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + { + gnutls_assert (); + break; + } + else if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - if (str_critical[0] == 'T') - critical = 1; - else - critical = 0; - - /* read the value. - */ - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnValue"); - - result = _gnutls_x509_read_value(cert->cert, name2, - &value, 0); - if (result < 0) { - gnutls_assert(); - return result; + if (str_critical[0] == 'T') + critical = 1; + else + critical = 0; + + /* read the value. + */ + _gnutls_str_cpy (name2, sizeof (name2), name); + _gnutls_str_cat (name2, sizeof (name2), ".extnValue"); + + result = _gnutls_x509_read_value (cert->cert, name2, &value, 0); + if (result < 0) + { + gnutls_assert (); + return result; } - ret->data = value.data; - ret->size = value.size; + ret->data = value.data; + ret->size = value.size; - if (_critical) - *_critical = critical; + if (_critical) + *_critical = critical; - return 0; + return 0; } - } while (0); - } while (1); + } + while (0); + } + while (1); - if (result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } else { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result == ASN1_ELEMENT_NOT_FOUND) + { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + else + { + gnutls_assert (); + return _gnutls_asn2err (result); } } @@ -162,76 +176,89 @@ int _gnutls_x509_crt_get_extension(gnutls_x509_crt_t cert, * If you have passed the last extension, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will * be returned. */ -int _gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert, - int indx, void *oid, - size_t * sizeof_oid) +int +_gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t cert, + int indx, void *oid, size_t * sizeof_oid) { - int k, result, len; - char name[128], name2[128], counter[MAX_INT_DIGITS]; - char str[1024]; - char extnID[128]; - int indx_counter = 0; - - k = 0; - do { - k++; - - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(k, counter); - _gnutls_str_cat(name, sizeof(name), counter); - - len = sizeof(str) - 1; - result = asn1_read_value(cert->cert, name, str, &len); - - /* move to next - */ - - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; + int k, result, len; + char name[128], name2[128], counter[MAX_INT_DIGITS]; + char str[1024]; + char extnID[128]; + int indx_counter = 0; + + k = 0; + do + { + k++; + + _gnutls_str_cpy (name, sizeof (name), "tbsCertificate.extensions.?"); + _gnutls_int2str (k, counter); + _gnutls_str_cat (name, sizeof (name), counter); + + len = sizeof (str) - 1; + result = asn1_read_value (cert->cert, name, str, &len); + + /* move to next + */ + + if (result == ASN1_ELEMENT_NOT_FOUND) + { + break; } - do { + do + { - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnID"); + _gnutls_str_cpy (name2, sizeof (name2), name); + _gnutls_str_cat (name2, sizeof (name2), ".extnID"); - len = sizeof(extnID) - 1; - result = asn1_read_value(cert->cert, name2, extnID, &len); + len = sizeof (extnID) - 1; + result = asn1_read_value (cert->cert, name2, extnID, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result == ASN1_ELEMENT_NOT_FOUND) + { + gnutls_assert (); + break; + } + else if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - /* Handle Extension - */ - if (indx == indx_counter++) { - len = strlen(extnID) + 1; - - if (*sizeof_oid < (uint) len) { - *sizeof_oid = len; - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; + /* Handle Extension + */ + if (indx == indx_counter++) + { + len = strlen (extnID) + 1; + + if (*sizeof_oid < (uint) len) + { + *sizeof_oid = len; + gnutls_assert (); + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - memcpy(oid, extnID, len); - *sizeof_oid = len - 1; + memcpy (oid, extnID, len); + *sizeof_oid = len - 1; - return 0; + return 0; } - } while (0); - } while (1); + } + while (0); + } + while (1); - if (result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } else { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result == ASN1_ELEMENT_NOT_FOUND) + { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + else + { + gnutls_assert (); + return _gnutls_asn2err (result); } } @@ -240,94 +267,100 @@ int _gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert, * * Critical will be either 0 or 1. */ -static int set_extension(ASN1_TYPE asn, const char *extension_id, - const gnutls_datum_t * ext_data, - unsigned int critical) +static int +set_extension (ASN1_TYPE asn, const char *extension_id, + const gnutls_datum_t * ext_data, unsigned int critical) { - int result; - const char *str; + int result; + const char *str; - /* Add a new extension in the list. - */ - result = asn1_write_value(asn, "tbsCertificate.extensions", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + /* Add a new extension in the list. + */ + result = asn1_write_value (asn, "tbsCertificate.extensions", "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = - asn1_write_value(asn, "tbsCertificate.extensions.?LAST.extnID", - extension_id, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = + asn1_write_value (asn, "tbsCertificate.extensions.?LAST.extnID", + extension_id, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - if (critical == 0) - str = "FALSE"; - else - str = "TRUE"; + if (critical == 0) + str = "FALSE"; + else + str = "TRUE"; - result = - asn1_write_value(asn, "tbsCertificate.extensions.?LAST.critical", - str, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = + asn1_write_value (asn, "tbsCertificate.extensions.?LAST.critical", + str, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = - _gnutls_x509_write_value(asn, - "tbsCertificate.extensions.?LAST.extnValue", - ext_data, 0); - if (result < 0) { - gnutls_assert(); - return result; + result = + _gnutls_x509_write_value (asn, + "tbsCertificate.extensions.?LAST.extnValue", + ext_data, 0); + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /* Overwrite the given extension (using the index) * index here starts from one. */ -static int overwrite_extension(ASN1_TYPE asn, unsigned int indx, - const gnutls_datum_t * ext_data, - unsigned int critical) +static int +overwrite_extension (ASN1_TYPE asn, unsigned int indx, + const gnutls_datum_t * ext_data, unsigned int critical) { - char name[128], name2[128], counter[MAX_INT_DIGITS]; - const char *str; - int result; + char name[128], name2[128], counter[MAX_INT_DIGITS]; + const char *str; + int result; - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(indx, counter); - _gnutls_str_cat(name, sizeof(name), counter); + _gnutls_str_cpy (name, sizeof (name), "tbsCertificate.extensions.?"); + _gnutls_int2str (indx, counter); + _gnutls_str_cat (name, sizeof (name), counter); - if (critical == 0) - str = "FALSE"; - else - str = "TRUE"; + if (critical == 0) + str = "FALSE"; + else + str = "TRUE"; - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".critical"); + _gnutls_str_cpy (name2, sizeof (name2), name); + _gnutls_str_cat (name2, sizeof (name2), ".critical"); - result = asn1_write_value(asn, name2, str, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = asn1_write_value (asn, name2, str, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnValue"); + _gnutls_str_cpy (name2, sizeof (name2), name); + _gnutls_str_cat (name2, sizeof (name2), ".extnValue"); - result = _gnutls_x509_write_value(asn, name2, ext_data, 0); - if (result < 0) { - gnutls_assert(); - return result; + result = _gnutls_x509_write_value (asn, name2, ext_data, 0); + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /* This function will attempt to overwrite the requested extension with @@ -335,412 +368,456 @@ static int overwrite_extension(ASN1_TYPE asn, unsigned int indx, * * Critical will be either 0 or 1. */ -int _gnutls_x509_crt_set_extension(gnutls_x509_crt_t cert, - const char *ext_id, - const gnutls_datum_t * ext_data, - unsigned int critical) +int +_gnutls_x509_crt_set_extension (gnutls_x509_crt_t cert, + const char *ext_id, + const gnutls_datum_t * ext_data, + unsigned int critical) { - int result; - int k, len; - char name[128], name2[128], counter[MAX_INT_DIGITS]; - char extnID[128]; - - /* Find the index of the given extension. - */ - k = 0; - do { - k++; - - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(k, counter); - _gnutls_str_cat(name, sizeof(name), counter); - - len = sizeof(extnID) - 1; - result = asn1_read_value(cert->cert, name, extnID, &len); - - /* move to next - */ - - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; + int result; + int k, len; + char name[128], name2[128], counter[MAX_INT_DIGITS]; + char extnID[128]; + + /* Find the index of the given extension. + */ + k = 0; + do + { + k++; + + _gnutls_str_cpy (name, sizeof (name), "tbsCertificate.extensions.?"); + _gnutls_int2str (k, counter); + _gnutls_str_cat (name, sizeof (name), counter); + + len = sizeof (extnID) - 1; + result = asn1_read_value (cert->cert, name, extnID, &len); + + /* move to next + */ + + if (result == ASN1_ELEMENT_NOT_FOUND) + { + break; } - do { + do + { - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnID"); + _gnutls_str_cpy (name2, sizeof (name2), name); + _gnutls_str_cat (name2, sizeof (name2), ".extnID"); - len = sizeof(extnID) - 1; - result = asn1_read_value(cert->cert, name2, extnID, &len); + len = sizeof (extnID) - 1; + result = asn1_read_value (cert->cert, name2, extnID, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result == ASN1_ELEMENT_NOT_FOUND) + { + gnutls_assert (); + break; + } + else if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - /* Handle Extension - */ - if (strcmp(extnID, ext_id) == 0) { - /* extension was found - */ - return overwrite_extension(cert->cert, k, ext_data, - critical); + /* Handle Extension + */ + if (strcmp (extnID, ext_id) == 0) + { + /* extension was found + */ + return overwrite_extension (cert->cert, k, ext_data, critical); } - } while (0); - } while (1); + } + while (0); + } + while (1); - if (result == ASN1_ELEMENT_NOT_FOUND) { - return set_extension(cert->cert, ext_id, ext_data, critical); - } else { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result == ASN1_ELEMENT_NOT_FOUND) + { + return set_extension (cert->cert, ext_id, ext_data, critical); + } + else + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } /* Here we only extract the KeyUsage field, from the DER encoded * extension. */ -int _gnutls_x509_ext_extract_keyUsage(uint16 * keyUsage, - opaque * extnValue, int extnValueLen) +int +_gnutls_x509_ext_extract_keyUsage (uint16 * keyUsage, + opaque * extnValue, int extnValueLen) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int len, result; - uint8 str[2]; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int len, result; + uint8 str[2]; - str[0] = str[1] = 0; - *keyUsage = 0; + str[0] = str[1] = 0; + *keyUsage = 0; - if ((result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.KeyUsage", &ext)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.KeyUsage", &ext)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + result = asn1_der_decoding (&ext, extnValue, extnValueLen, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&ext); + return _gnutls_asn2err (result); } - len = sizeof(str); - result = asn1_read_value(ext, "", str, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return 0; + len = sizeof (str); + result = asn1_read_value (ext, "", str, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&ext); + return 0; } - *keyUsage = str[0] | (str[1] << 8); + *keyUsage = str[0] | (str[1] << 8); - asn1_delete_structure(&ext); + asn1_delete_structure (&ext); - return 0; + return 0; } /* extract the basicConstraints from the DER encoded extension */ -int _gnutls_x509_ext_extract_basicConstraints(int *CA, opaque * extnValue, - int extnValueLen) +int +_gnutls_x509_ext_extract_basicConstraints (int *CA, opaque * extnValue, + int extnValueLen) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - char str[128]; - int len, result; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + char str[128]; + int len, result; - *CA = 0; + *CA = 0; - if ((result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.BasicConstraints", - &ext)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.BasicConstraints", &ext)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + result = asn1_der_decoding (&ext, extnValue, extnValueLen, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&ext); + return _gnutls_asn2err (result); } - len = sizeof(str) - 1; - /* the default value of cA is false. - */ - result = asn1_read_value(ext, "cA", str, &len); - if (result != ASN1_SUCCESS) { - asn1_delete_structure(&ext); - return 0; + len = sizeof (str) - 1; + /* the default value of cA is false. + */ + result = asn1_read_value (ext, "cA", str, &len); + if (result != ASN1_SUCCESS) + { + asn1_delete_structure (&ext); + return 0; } - asn1_delete_structure(&ext); + asn1_delete_structure (&ext); - if (strcmp(str, "TRUE") == 0) - *CA = 1; - else - *CA = 0; + if (strcmp (str, "TRUE") == 0) + *CA = 1; + else + *CA = 0; - return 0; + return 0; } /* generate the basicConstraints in a DER encoded extension * Use 0 or 1 (TRUE) for CA. */ -int _gnutls_x509_ext_gen_basicConstraints(int CA, gnutls_datum_t * der_ext) +int +_gnutls_x509_ext_gen_basicConstraints (int CA, gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - const char *str; - int result; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + const char *str; + int result; - if (CA == 0) - str = "FALSE"; - else - str = "TRUE"; + if (CA == 0) + str = "FALSE"; + else + str = "TRUE"; - result = - asn1_create_element(_gnutls_get_pkix(), "PKIX1.BasicConstraints", - &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = + asn1_create_element (_gnutls_get_pkix (), "PKIX1.BasicConstraints", &ext); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_write_value(ext, "cA", str, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); + result = asn1_write_value (ext, "cA", str, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&ext); + return _gnutls_asn2err (result); } - asn1_write_value(ext, "pathLenConstraint", NULL, 0); + asn1_write_value (ext, "pathLenConstraint", NULL, 0); - result = _gnutls_x509_der_encode(ext, "", der_ext, 0); + result = _gnutls_x509_der_encode (ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure (&ext); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /* generate the keyUsage in a DER encoded extension * Use an ORed SEQUENCE of GNUTLS_KEY_* for usage. */ -int _gnutls_x509_ext_gen_keyUsage(uint16 usage, gnutls_datum_t * der_ext) +int +_gnutls_x509_ext_gen_keyUsage (uint16 usage, gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - uint8 str[2]; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + uint8 str[2]; - result = - asn1_create_element(_gnutls_get_pkix(), "PKIX1.KeyUsage", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = asn1_create_element (_gnutls_get_pkix (), "PKIX1.KeyUsage", &ext); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - str[0] = usage & 0xff; - str[1] = usage >> 8; + str[0] = usage & 0xff; + str[1] = usage >> 8; - result = asn1_write_value(ext, "", str, 9); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); + result = asn1_write_value (ext, "", str, 9); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&ext); + return _gnutls_asn2err (result); } - result = _gnutls_x509_der_encode(ext, "", der_ext, 0); + result = _gnutls_x509_der_encode (ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure (&ext); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } -static int write_new_general_name(ASN1_TYPE ext, const char *ext_name, - gnutls_x509_subject_alt_name_t type, - const char *data_string) +static int +write_new_general_name (ASN1_TYPE ext, const char *ext_name, + gnutls_x509_subject_alt_name_t type, + const char *data_string) { - const char *str; - int result; - char name[128]; + const char *str; + int result; + char name[128]; - result = asn1_write_value(ext, ext_name, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = asn1_write_value (ext, ext_name, "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - switch (type) { + switch (type) + { case GNUTLS_SAN_DNSNAME: - str = "dNSName"; - break; + str = "dNSName"; + break; case GNUTLS_SAN_RFC822NAME: - str = "rfc822Name"; - break; + str = "rfc822Name"; + break; case GNUTLS_SAN_URI: - str = "uniformResourceIdentifier"; - break; + str = "uniformResourceIdentifier"; + break; case GNUTLS_SAN_IPADDRESS: - str = "iPAddress"; - break; + str = "iPAddress"; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - if (ext_name[0] == 0) { /* no dot */ - _gnutls_str_cpy(name, sizeof(name), "?LAST"); - } else { - _gnutls_str_cpy(name, sizeof(name), ext_name); - _gnutls_str_cat(name, sizeof(name), ".?LAST"); + if (ext_name[0] == 0) + { /* no dot */ + _gnutls_str_cpy (name, sizeof (name), "?LAST"); + } + else + { + _gnutls_str_cpy (name, sizeof (name), ext_name); + _gnutls_str_cat (name, sizeof (name), ".?LAST"); } - result = asn1_write_value(ext, name, str, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = asn1_write_value (ext, name, str, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - _gnutls_str_cat(name, sizeof(name), "."); - _gnutls_str_cat(name, sizeof(name), str); + _gnutls_str_cat (name, sizeof (name), "."); + _gnutls_str_cat (name, sizeof (name), str); - result = asn1_write_value(ext, name, data_string, strlen(data_string)); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); + result = asn1_write_value (ext, name, data_string, strlen (data_string)); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&ext); + return _gnutls_asn2err (result); } - return 0; + return 0; } /* Convert the given name to GeneralNames in a DER encoded extension. * This is the same as subject alternative name. */ -int _gnutls_x509_ext_gen_subject_alt_name(gnutls_x509_subject_alt_name_t - type, const char *data_string, - gnutls_datum_t * der_ext) +int +_gnutls_x509_ext_gen_subject_alt_name (gnutls_x509_subject_alt_name_t + type, const char *data_string, + gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; - result = - asn1_create_element(_gnutls_get_pkix(), "PKIX1.GeneralNames", - &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = + asn1_create_element (_gnutls_get_pkix (), "PKIX1.GeneralNames", &ext); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = write_new_general_name(ext, "", type, data_string); - if (result < 0) { - gnutls_assert(); - asn1_delete_structure(&ext); - return result; + result = write_new_general_name (ext, "", type, data_string); + if (result < 0) + { + gnutls_assert (); + asn1_delete_structure (&ext); + return result; } - result = _gnutls_x509_der_encode(ext, "", der_ext, 0); + result = _gnutls_x509_der_encode (ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure (&ext); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /* generate the SubjectKeyID in a DER encoded extension */ -int _gnutls_x509_ext_gen_key_id(const void *id, size_t id_size, - gnutls_datum_t * der_ext) +int +_gnutls_x509_ext_gen_key_id (const void *id, size_t id_size, + gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; - result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.SubjectKeyIdentifier", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.SubjectKeyIdentifier", &ext); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_write_value(ext, "", id, id_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); + result = asn1_write_value (ext, "", id, id_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&ext); + return _gnutls_asn2err (result); } - result = _gnutls_x509_der_encode(ext, "", der_ext, 0); + result = _gnutls_x509_der_encode (ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure (&ext); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /* generate the AuthorityKeyID in a DER encoded extension */ -int _gnutls_x509_ext_gen_auth_key_id(const void *id, size_t id_size, - gnutls_datum_t * der_ext) +int +_gnutls_x509_ext_gen_auth_key_id (const void *id, size_t id_size, + gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; - result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.AuthorityKeyIdentifier", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.AuthorityKeyIdentifier", &ext); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_write_value(ext, "keyIdentifier", id, id_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); + result = asn1_write_value (ext, "keyIdentifier", id, id_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&ext); + return _gnutls_asn2err (result); } - asn1_write_value(ext, "authorityCertIssuer", NULL, 0); - asn1_write_value(ext, "authorityCertSerialNumber", NULL, 0); + asn1_write_value (ext, "authorityCertIssuer", NULL, 0); + asn1_write_value (ext, "authorityCertSerialNumber", NULL, 0); - result = _gnutls_x509_der_encode(ext, "", der_ext, 0); + result = _gnutls_x509_der_encode (ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure (&ext); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } @@ -749,95 +826,106 @@ int _gnutls_x509_ext_gen_auth_key_id(const void *id, size_t id_size, * reason_flags should be an or'ed sequence of GNUTLS_CRL_REASON_*. * */ -int _gnutls_x509_ext_gen_crl_dist_points(gnutls_x509_subject_alt_name_t - type, const void *data_string, - unsigned int reason_flags, - gnutls_datum_t * der_ext) +int +_gnutls_x509_ext_gen_crl_dist_points (gnutls_x509_subject_alt_name_t + type, const void *data_string, + unsigned int reason_flags, + gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - gnutls_datum_t gnames = { NULL, 0 }; - int result; - uint8 reasons[2]; - - reasons[0] = reason_flags & 0xff; - reasons[1] = reason_flags >> 8; - - result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.CRLDistributionPoints", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value(ext, "", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (reason_flags) { - result = asn1_write_value(ext, "?LAST.reasons", reasons, 9); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + gnutls_datum_t gnames = { NULL, 0 }; + int result; + uint8 reasons[2]; + + reasons[0] = reason_flags & 0xff; + reasons[1] = reason_flags >> 8; + + result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.CRLDistributionPoints", &ext); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + result = asn1_write_value (ext, "", "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if (reason_flags) + { + result = asn1_write_value (ext, "?LAST.reasons", reasons, 9); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - } else { - result = asn1_write_value(ext, "?LAST.reasons", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + } + else + { + result = asn1_write_value (ext, "?LAST.reasons", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } } - result = asn1_write_value(ext, "?LAST.cRLIssuer", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_write_value (ext, "?LAST.cRLIssuer", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* When used as type CHOICE. - */ - result = - asn1_write_value(ext, "?LAST.distributionPoint", "fullName", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* When used as type CHOICE. + */ + result = asn1_write_value (ext, "?LAST.distributionPoint", "fullName", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } #if 0 - /* only needed in old code (where defined as SEQUENCE OF) */ - asn1_write_value(ext, - "?LAST.distributionPoint.nameRelativeToCRLIssuer", - NULL, 0); + /* only needed in old code (where defined as SEQUENCE OF) */ + asn1_write_value (ext, + "?LAST.distributionPoint.nameRelativeToCRLIssuer", + NULL, 0); #endif - result = - write_new_general_name(ext, "?LAST.distributionPoint.fullName", - type, data_string); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = + write_new_general_name (ext, "?LAST.distributionPoint.fullName", + type, data_string); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = _gnutls_x509_der_encode(ext, "", der_ext, 0); + result = _gnutls_x509_der_encode (ext, "", der_ext, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = 0; + result = 0; - cleanup: - _gnutls_free_datum(&gnames); - asn1_delete_structure(&ext); +cleanup: + _gnutls_free_datum (&gnames); + asn1_delete_structure (&ext); - return result; + return result; } diff --git a/lib/x509/extensions.h b/lib/x509/extensions.h index 96fa52bf2b..13bf0b8177 100644 --- a/lib/x509/extensions.h +++ b/lib/x509/extensions.h @@ -22,35 +22,33 @@ * */ -int _gnutls_x509_crt_get_extension(gnutls_x509_crt_t cert, - const char *extension_id, int indx, - gnutls_datum_t * ret, - unsigned int *critical); +int _gnutls_x509_crt_get_extension (gnutls_x509_crt_t cert, + const char *extension_id, int indx, + gnutls_datum_t * ret, + unsigned int *critical); -int _gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert, - int indx, void *ret, - size_t * ret_size); -int _gnutls_x509_ext_extract_keyUsage(uint16 * keyUsage, - opaque * extnValue, - int extnValueLen); -int _gnutls_x509_ext_extract_basicConstraints(int *CA, opaque * extnValue, - int extnValueLen); +int _gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t cert, + int indx, void *ret, + size_t * ret_size); +int _gnutls_x509_ext_extract_keyUsage (uint16 * keyUsage, + opaque * extnValue, int extnValueLen); +int _gnutls_x509_ext_extract_basicConstraints (int *CA, opaque * extnValue, + int extnValueLen); -int _gnutls_x509_crt_set_extension(gnutls_x509_crt_t cert, - const char *extension_id, - const gnutls_datum_t * ext_data, - unsigned int critical); -int _gnutls_x509_ext_gen_basicConstraints(int CA, +int _gnutls_x509_crt_set_extension (gnutls_x509_crt_t cert, + const char *extension_id, + const gnutls_datum_t * ext_data, + unsigned int critical); +int _gnutls_x509_ext_gen_basicConstraints (int CA, gnutls_datum_t * der_ext); +int _gnutls_x509_ext_gen_keyUsage (uint16 usage, gnutls_datum_t * der_ext); +int _gnutls_x509_ext_gen_subject_alt_name (gnutls_x509_subject_alt_name_t + type, const char *data_string, + gnutls_datum_t * der_ext); +int _gnutls_x509_ext_gen_crl_dist_points (gnutls_x509_subject_alt_name_t + type, const void *data_string, + unsigned int reason_flags, gnutls_datum_t * der_ext); -int _gnutls_x509_ext_gen_keyUsage(uint16 usage, gnutls_datum_t * der_ext); -int _gnutls_x509_ext_gen_subject_alt_name(gnutls_x509_subject_alt_name_t - type, const char *data_string, - gnutls_datum_t * der_ext); -int _gnutls_x509_ext_gen_crl_dist_points(gnutls_x509_subject_alt_name_t - type, const void *data_string, - unsigned int reason_flags, - gnutls_datum_t * der_ext); -int _gnutls_x509_ext_gen_key_id(const void *id, size_t id_size, - gnutls_datum_t * der_data); -int _gnutls_x509_ext_gen_auth_key_id(const void *id, size_t id_size, - gnutls_datum_t * der_data); +int _gnutls_x509_ext_gen_key_id (const void *id, size_t id_size, + gnutls_datum_t * der_data); +int _gnutls_x509_ext_gen_auth_key_id (const void *id, size_t id_size, + gnutls_datum_t * der_data); diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c index 280aa794f5..4c891c4159 100644 --- a/lib/x509/mpi.c +++ b/lib/x509/mpi.c @@ -37,44 +37,49 @@ * extraction. This reads the BIT STRING subjectPublicKey. * Returns 2 parameters (m,e). */ -int _gnutls_x509_read_rsa_params(opaque * der, int dersize, mpi_t * params) +int +_gnutls_x509_read_rsa_params (opaque * der, int dersize, mpi_t * params) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk)) - != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn (), "GNUTLS.RSAPublicKey", &spk)) + != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&spk, der, dersize, NULL); + result = asn1_der_decoding (&spk, der, dersize, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&spk); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&spk); + return _gnutls_asn2err (result); } - if ((result = _gnutls_x509_read_int(spk, "modulus", ¶ms[0])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - return GNUTLS_E_ASN1_GENERIC_ERROR; + if ((result = _gnutls_x509_read_int (spk, "modulus", ¶ms[0])) < 0) + { + gnutls_assert (); + asn1_delete_structure (&spk); + return GNUTLS_E_ASN1_GENERIC_ERROR; } - if ((result = _gnutls_x509_read_int(spk, "publicExponent", - ¶ms[1])) < 0) { - gnutls_assert(); - _gnutls_mpi_release(¶ms[0]); - asn1_delete_structure(&spk); - return GNUTLS_E_ASN1_GENERIC_ERROR; + if ((result = _gnutls_x509_read_int (spk, "publicExponent", + ¶ms[1])) < 0) + { + gnutls_assert (); + _gnutls_mpi_release (¶ms[0]); + asn1_delete_structure (&spk); + return GNUTLS_E_ASN1_GENERIC_ERROR; } - asn1_delete_structure(&spk); + asn1_delete_structure (&spk); - return 0; + return 0; } @@ -83,60 +88,66 @@ int _gnutls_x509_read_rsa_params(opaque * der, int dersize, mpi_t * params) * from the certificate (subjectPublicKey BIT STRING). * params[0-2] */ -int _gnutls_x509_read_dsa_params(opaque * der, int dersize, mpi_t * params) +int +_gnutls_x509_read_dsa_params (opaque * der, int dersize, mpi_t * params) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; - if ((result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.Dss-Parms", &spk)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.Dss-Parms", &spk)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&spk, der, dersize, NULL); + result = asn1_der_decoding (&spk, der, dersize, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&spk); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&spk); + return _gnutls_asn2err (result); } - /* FIXME: If the parameters are not included in the certificate - * then the issuer's parameters should be used. This is not - * done yet. - */ + /* FIXME: If the parameters are not included in the certificate + * then the issuer's parameters should be used. This is not + * done yet. + */ - /* Read p */ + /* Read p */ - if ((result = _gnutls_x509_read_int(spk, "p", ¶ms[0])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - return GNUTLS_E_ASN1_GENERIC_ERROR; + if ((result = _gnutls_x509_read_int (spk, "p", ¶ms[0])) < 0) + { + gnutls_assert (); + asn1_delete_structure (&spk); + return GNUTLS_E_ASN1_GENERIC_ERROR; } - /* Read q */ + /* Read q */ - if ((result = _gnutls_x509_read_int(spk, "q", ¶ms[1])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - _gnutls_mpi_release(¶ms[0]); - return GNUTLS_E_ASN1_GENERIC_ERROR; + if ((result = _gnutls_x509_read_int (spk, "q", ¶ms[1])) < 0) + { + gnutls_assert (); + asn1_delete_structure (&spk); + _gnutls_mpi_release (¶ms[0]); + return GNUTLS_E_ASN1_GENERIC_ERROR; } - /* Read g */ + /* Read g */ - if ((result = _gnutls_x509_read_int(spk, "g", ¶ms[2])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - _gnutls_mpi_release(¶ms[0]); - _gnutls_mpi_release(¶ms[1]); - return GNUTLS_E_ASN1_GENERIC_ERROR; + if ((result = _gnutls_x509_read_int (spk, "g", ¶ms[2])) < 0) + { + gnutls_assert (); + asn1_delete_structure (&spk); + _gnutls_mpi_release (¶ms[0]); + _gnutls_mpi_release (¶ms[1]); + return GNUTLS_E_ASN1_GENERIC_ERROR; } - asn1_delete_structure(&spk); + asn1_delete_structure (&spk); - return 0; + return 0; } @@ -144,133 +155,146 @@ int _gnutls_x509_read_dsa_params(opaque * der, int dersize, mpi_t * params) * from the certificate * only sets params[3] */ -int _gnutls_x509_read_dsa_pubkey(opaque * der, int dersize, mpi_t * params) +int +_gnutls_x509_read_dsa_pubkey (opaque * der, int dersize, mpi_t * params) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", - &spk)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn (), "GNUTLS.DSAPublicKey", + &spk)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&spk, der, dersize, NULL); + result = asn1_der_decoding (&spk, der, dersize, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&spk); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&spk); + return _gnutls_asn2err (result); } - /* Read Y */ + /* Read Y */ - if ((result = _gnutls_x509_read_int(spk, "", ¶ms[3])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - return _gnutls_asn2err(result); + if ((result = _gnutls_x509_read_int (spk, "", ¶ms[3])) < 0) + { + gnutls_assert (); + asn1_delete_structure (&spk); + return _gnutls_asn2err (result); } - asn1_delete_structure(&spk); + asn1_delete_structure (&spk); - return 0; + return 0; } /* Extracts DSA and RSA parameters from a certificate. */ -int _gnutls_x509_crt_get_mpis(gnutls_x509_crt_t cert, - mpi_t * params, int *params_size) +int +_gnutls_x509_crt_get_mpis (gnutls_x509_crt_t cert, + mpi_t * params, int *params_size) { - int len, result; - opaque str[5 * 1024]; - int pk_algorithm; - - /* Read the algorithm's OID - */ - pk_algorithm = gnutls_x509_crt_get_pk_algorithm(cert, NULL); - - /* Read the algorithm's parameters - */ - len = sizeof(str); - result = asn1_read_value(cert->cert, - "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey", - str, &len); - len /= 8; - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - switch (pk_algorithm) { + int len, result; + opaque str[5 * 1024]; + int pk_algorithm; + + /* Read the algorithm's OID + */ + pk_algorithm = gnutls_x509_crt_get_pk_algorithm (cert, NULL); + + /* Read the algorithm's parameters + */ + len = sizeof (str); + result = asn1_read_value (cert->cert, + "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey", + str, &len); + len /= 8; + + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + switch (pk_algorithm) + { case GNUTLS_PK_RSA: - /* params[0] is the modulus, - * params[1] is the exponent - */ - if (*params_size < RSA_PUBLIC_PARAMS) { - gnutls_assert(); - /* internal error. Increase the mpi_ts in params */ - return GNUTLS_E_INTERNAL_ERROR; + /* params[0] is the modulus, + * params[1] is the exponent + */ + if (*params_size < RSA_PUBLIC_PARAMS) + { + gnutls_assert (); + /* internal error. Increase the mpi_ts in params */ + return GNUTLS_E_INTERNAL_ERROR; } - if ((result = _gnutls_x509_read_rsa_params(str, len, params)) < 0) { - gnutls_assert(); - return result; + if ((result = _gnutls_x509_read_rsa_params (str, len, params)) < 0) + { + gnutls_assert (); + return result; } - *params_size = RSA_PUBLIC_PARAMS; + *params_size = RSA_PUBLIC_PARAMS; - return 0; - break; + return 0; + break; case GNUTLS_PK_DSA: - /* params[0] is p, - * params[1] is q, - * params[2] is q, - * params[3] is pub. - */ - - if (*params_size < DSA_PUBLIC_PARAMS) { - gnutls_assert(); - /* internal error. Increase the mpi_ts in params */ - return GNUTLS_E_INTERNAL_ERROR; + /* params[0] is p, + * params[1] is q, + * params[2] is q, + * params[3] is pub. + */ + + if (*params_size < DSA_PUBLIC_PARAMS) + { + gnutls_assert (); + /* internal error. Increase the mpi_ts in params */ + return GNUTLS_E_INTERNAL_ERROR; } - if ((result = _gnutls_x509_read_dsa_pubkey(str, len, params)) < 0) { - gnutls_assert(); - return result; + if ((result = _gnutls_x509_read_dsa_pubkey (str, len, params)) < 0) + { + gnutls_assert (); + return result; } - /* Now read the parameters - */ + /* Now read the parameters + */ - len = sizeof(str); - result = asn1_read_value(cert->cert, - "tbsCertificate.subjectPublicKeyInfo.algorithm.parameters", - str, &len); + len = sizeof (str); + result = asn1_read_value (cert->cert, + "tbsCertificate.subjectPublicKeyInfo.algorithm.parameters", + str, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - if ((result = _gnutls_x509_read_dsa_params(str, len, params)) < 0) { - gnutls_assert(); - return result; + if ((result = _gnutls_x509_read_dsa_params (str, len, params)) < 0) + { + gnutls_assert (); + return result; } - *params_size = DSA_PUBLIC_PARAMS; + *params_size = DSA_PUBLIC_PARAMS; - return 0; - break; + return 0; + break; default: - /* other types like DH - * currently not supported - */ - gnutls_assert(); + /* other types like DH + * currently not supported + */ + gnutls_assert (); - return GNUTLS_E_X509_CERTIFICATE_ERROR; + return GNUTLS_E_X509_CERTIFICATE_ERROR; } } @@ -281,116 +305,132 @@ int _gnutls_x509_crt_get_mpis(gnutls_x509_crt_t cert, * * Allocates the space used to store the DER data. */ -int _gnutls_x509_write_rsa_params(mpi_t * params, int params_size, - gnutls_datum_t * der) +int +_gnutls_x509_write_rsa_params (mpi_t * params, int params_size, + gnutls_datum_t * der) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; - der->data = NULL; - der->size = 0; + der->data = NULL; + der->size = 0; - if (params_size < 2) { - gnutls_assert(); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; + if (params_size < 2) + { + gnutls_assert (); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; } - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk)) - != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn (), "GNUTLS.RSAPublicKey", &spk)) + != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = _gnutls_x509_write_int(spk, "modulus", params[0], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _gnutls_x509_write_int (spk, "modulus", params[0], 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = _gnutls_x509_write_int(spk, "publicExponent", params[1], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _gnutls_x509_write_int (spk, "publicExponent", params[1], 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = _gnutls_x509_der_encode(spk, "", der, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _gnutls_x509_der_encode (spk, "", der, 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - asn1_delete_structure(&spk); - return 0; + asn1_delete_structure (&spk); + return 0; - cleanup: - asn1_delete_structure(&spk); +cleanup: + asn1_delete_structure (&spk); - return result; + return result; } /* * This function writes and encodes the parameters for DSS or RSA keys. * This is the "signatureAlgorithm" fields. */ -int _gnutls_x509_write_sig_params(ASN1_TYPE dst, const char *dst_name, - gnutls_pk_algorithm_t pk_algorithm, gnutls_digest_algorithm_t dig, - mpi_t * params, int params_size) +int +_gnutls_x509_write_sig_params (ASN1_TYPE dst, const char *dst_name, + gnutls_pk_algorithm_t pk_algorithm, + gnutls_digest_algorithm_t dig, mpi_t * params, + int params_size) { - gnutls_datum_t der; - int result; - char name[128]; - const char *pk; + gnutls_datum_t der; + int result; + char name[128]; + const char *pk; - _gnutls_str_cpy(name, sizeof(name), dst_name); - _gnutls_str_cat(name, sizeof(name), ".algorithm"); + _gnutls_str_cpy (name, sizeof (name), dst_name); + _gnutls_str_cat (name, sizeof (name), ".algorithm"); - pk = _gnutls_x509_sign_to_oid(pk_algorithm, HASH2MAC(dig)); - if (pk == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + pk = _gnutls_x509_sign_to_oid (pk_algorithm, HASH2MAC (dig)); + if (pk == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* write the OID. - */ - result = asn1_write_value(dst, name, pk, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + /* write the OID. + */ + result = asn1_write_value (dst, name, pk, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - _gnutls_str_cpy(name, sizeof(name), dst_name); - _gnutls_str_cat(name, sizeof(name), ".parameters"); + _gnutls_str_cpy (name, sizeof (name), dst_name); + _gnutls_str_cat (name, sizeof (name), ".parameters"); - if (pk_algorithm == GNUTLS_PK_DSA) { - result = _gnutls_x509_write_dsa_params(params, params_size, &der); - if (result < 0) { - gnutls_assert(); - return result; + if (pk_algorithm == GNUTLS_PK_DSA) + { + result = _gnutls_x509_write_dsa_params (params, params_size, &der); + if (result < 0) + { + gnutls_assert (); + return result; } - result = asn1_write_value(dst, name, der.data, der.size); - _gnutls_free_datum(&der); + result = asn1_write_value (dst, name, der.data, der.size); + _gnutls_free_datum (&der); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - } else { /* RSA */ - result = asn1_write_value(dst, name, NULL, 0); - - if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { - /* Here we ignore the element not found error, since this - * may have been disabled before. - */ - gnutls_assert(); - return _gnutls_asn2err(result); + } + else + { /* RSA */ + result = asn1_write_value (dst, name, NULL, 0); + + if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) + { + /* Here we ignore the element not found error, since this + * may have been disabled before. + */ + gnutls_assert (); + return _gnutls_asn2err (result); } } - return 0; + return 0; } /* @@ -399,58 +439,65 @@ int _gnutls_x509_write_sig_params(ASN1_TYPE dst, const char *dst_name, * * Allocates the space used to store the DER data. */ -int _gnutls_x509_write_dsa_params(mpi_t * params, int params_size, - gnutls_datum_t * der) +int +_gnutls_x509_write_dsa_params (mpi_t * params, int params_size, + gnutls_datum_t * der) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; - der->data = NULL; - der->size = 0; + der->data = NULL; + der->size = 0; - if (params_size < 3) { - gnutls_assert(); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; + if (params_size < 3) + { + gnutls_assert (); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; } - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DSAParameters", &spk)) - != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn (), "GNUTLS.DSAParameters", &spk)) + != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = _gnutls_x509_write_int(spk, "p", params[0], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _gnutls_x509_write_int (spk, "p", params[0], 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = _gnutls_x509_write_int(spk, "q", params[1], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _gnutls_x509_write_int (spk, "q", params[1], 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = _gnutls_x509_write_int(spk, "g", params[2], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _gnutls_x509_write_int (spk, "g", params[2], 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = _gnutls_x509_der_encode(spk, "", der, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _gnutls_x509_der_encode (spk, "", der, 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - asn1_delete_structure(&spk); - return 0; + asn1_delete_structure (&spk); + return 0; - cleanup: - asn1_delete_structure(&spk); - return result; +cleanup: + asn1_delete_structure (&spk); + return result; } /* @@ -459,46 +506,51 @@ int _gnutls_x509_write_dsa_params(mpi_t * params, int params_size, * * Allocates the space used to store the DER data. */ -int _gnutls_x509_write_dsa_public_key(mpi_t * params, int params_size, - gnutls_datum_t * der) +int +_gnutls_x509_write_dsa_public_key (mpi_t * params, int params_size, + gnutls_datum_t * der) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; - der->data = NULL; - der->size = 0; + der->data = NULL; + der->size = 0; - if (params_size < 3) { - gnutls_assert(); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; + if (params_size < 3) + { + gnutls_assert (); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; } - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", &spk)) - != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn (), "GNUTLS.DSAPublicKey", &spk)) + != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = _gnutls_x509_write_int(spk, "", params[3], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _gnutls_x509_write_int (spk, "", params[3], 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = _gnutls_x509_der_encode(spk, "", der, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _gnutls_x509_der_encode (spk, "", der, 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - asn1_delete_structure(&spk); - return 0; + asn1_delete_structure (&spk); + return 0; - cleanup: - asn1_delete_structure(&spk); - return result; +cleanup: + asn1_delete_structure (&spk); + return result; } @@ -506,66 +558,71 @@ int _gnutls_x509_write_dsa_public_key(mpi_t * params, int params_size, * from asn1 structs. Combines the read and the convertion * steps. */ -int _gnutls_x509_read_uint(ASN1_TYPE node, const char *value, - unsigned int *ret) +int +_gnutls_x509_read_uint (ASN1_TYPE node, const char *value, unsigned int *ret) { - int len, result; - opaque *tmpstr; + int len, result; + opaque *tmpstr; - len = 0; - result = asn1_read_value(node, value, NULL, &len); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - return _gnutls_asn2err(result); + len = 0; + result = asn1_read_value (node, value, NULL, &len); + if (result != ASN1_MEM_ERROR) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - tmpstr = gnutls_alloca(len); - if (tmpstr == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + tmpstr = gnutls_alloca (len); + if (tmpstr == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - result = asn1_read_value(node, value, tmpstr, &len); + result = asn1_read_value (node, value, tmpstr, &len); - gnutls_afree(tmpstr); + gnutls_afree (tmpstr); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - if (len == 1) - *ret = tmpstr[0]; - else if (len == 2) - *ret = _gnutls_read_uint16(tmpstr); - else if (len == 3) - *ret = _gnutls_read_uint24(tmpstr); - else if (len == 4) - *ret = _gnutls_read_uint32(tmpstr); - else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (len == 1) + *ret = tmpstr[0]; + else if (len == 2) + *ret = _gnutls_read_uint16 (tmpstr); + else if (len == 3) + *ret = _gnutls_read_uint24 (tmpstr); + else if (len == 4) + *ret = _gnutls_read_uint32 (tmpstr); + else + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } - return 0; + return 0; } /* Writes the specified integer into the specified node. */ -int _gnutls_x509_write_uint32(ASN1_TYPE node, const char *value, - uint32 num) +int +_gnutls_x509_write_uint32 (ASN1_TYPE node, const char *value, uint32 num) { - opaque tmpstr[4]; - int result; + opaque tmpstr[4]; + int result; - _gnutls_write_uint32(num, tmpstr); + _gnutls_write_uint32 (num, tmpstr); - result = asn1_write_value(node, value, tmpstr, 4); + result = asn1_write_value (node, value, tmpstr, 4); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } diff --git a/lib/x509/mpi.h b/lib/x509/mpi.h index af5c0eb3eb..2244aa62d4 100644 --- a/lib/x509/mpi.h +++ b/lib/x509/mpi.h @@ -25,31 +25,29 @@ #include <gnutls_int.h> #include "x509.h" -int _gnutls_x509_crt_get_mpis(gnutls_x509_crt_t cert, - mpi_t * params, int *params_size); -int _gnutls_x509_read_rsa_params(opaque * der, int dersize, - mpi_t * params); -int _gnutls_x509_read_dsa_pubkey(opaque * der, int dersize, - mpi_t * params); -int _gnutls_x509_read_dsa_params(opaque * der, int dersize, - mpi_t * params); +int _gnutls_x509_crt_get_mpis (gnutls_x509_crt_t cert, + mpi_t * params, int *params_size); +int _gnutls_x509_read_rsa_params (opaque * der, int dersize, mpi_t * params); +int _gnutls_x509_read_dsa_pubkey (opaque * der, int dersize, mpi_t * params); +int _gnutls_x509_read_dsa_params (opaque * der, int dersize, mpi_t * params); -int _gnutls_x509_write_rsa_params(mpi_t * params, int params_size, - gnutls_datum_t * der); -int _gnutls_x509_write_dsa_params(mpi_t * params, int params_size, - gnutls_datum_t * der); -int _gnutls_x509_write_dsa_public_key(mpi_t * params, int params_size, - gnutls_datum_t * der); +int _gnutls_x509_write_rsa_params (mpi_t * params, int params_size, + gnutls_datum_t * der); +int _gnutls_x509_write_dsa_params (mpi_t * params, int params_size, + gnutls_datum_t * der); +int _gnutls_x509_write_dsa_public_key (mpi_t * params, int params_size, + gnutls_datum_t * der); -int _gnutls_x509_read_uint(ASN1_TYPE node, const char *value, - unsigned int *ret); +int _gnutls_x509_read_uint (ASN1_TYPE node, const char *value, + unsigned int *ret); -int _gnutls_x509_read_int(ASN1_TYPE node, const char *value, - mpi_t * ret_mpi); -int _gnutls_x509_write_int(ASN1_TYPE node, const char *value, mpi_t mpi, - int lz); -int _gnutls_x509_write_uint32(ASN1_TYPE node, const char *value, uint32 num); +int _gnutls_x509_read_int (ASN1_TYPE node, const char *value, + mpi_t * ret_mpi); +int _gnutls_x509_write_int (ASN1_TYPE node, const char *value, mpi_t mpi, + int lz); +int _gnutls_x509_write_uint32 (ASN1_TYPE node, const char *value, uint32 num); -int _gnutls_x509_write_sig_params(ASN1_TYPE dst, const char *dst_name, - gnutls_pk_algorithm_t pk_algorithm, gnutls_digest_algorithm_t, - mpi_t * params, int params_size); +int _gnutls_x509_write_sig_params (ASN1_TYPE dst, const char *dst_name, + gnutls_pk_algorithm_t pk_algorithm, + gnutls_digest_algorithm_t, mpi_t * params, + int params_size); diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c index d71716316d..78de1c24c1 100644 --- a/lib/x509/pkcs12.c +++ b/lib/x509/pkcs12.c @@ -45,74 +45,82 @@ /* Decodes the PKCS #12 auth_safe, and returns the allocated raw data, * which holds them. Returns an ASN1_TYPE of authenticatedSafe. */ -static -int _decode_pkcs12_auth_safe(ASN1_TYPE pkcs12, ASN1_TYPE * authen_safe, - gnutls_datum_t * raw) +static int +_decode_pkcs12_auth_safe (ASN1_TYPE pkcs12, ASN1_TYPE * authen_safe, + gnutls_datum_t * raw) { - char oid[128]; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - gnutls_datum_t auth_safe = { NULL, 0 }; - int tmp_size, len, result; - - len = sizeof(oid) - 1; - result = asn1_read_value(pkcs12, "authSafe.contentType", oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + char oid[128]; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + gnutls_datum_t auth_safe = { NULL, 0 }; + int tmp_size, len, result; + + len = sizeof (oid) - 1; + result = asn1_read_value (pkcs12, "authSafe.contentType", oid, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - if (strcmp(oid, DATA_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log("Unknown PKCS12 Content OID '%s'\n", oid); - return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; + if (strcmp (oid, DATA_OID) != 0) + { + gnutls_assert (); + _gnutls_x509_log ("Unknown PKCS12 Content OID '%s'\n", oid); + return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; } - /* Step 1. Read the content data - */ + /* Step 1. Read the content data + */ - tmp_size = 0; - result = - _gnutls_x509_read_value(pkcs12, "authSafe.content", &auth_safe, 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; + tmp_size = 0; + result = + _gnutls_x509_read_value (pkcs12, "authSafe.content", &auth_safe, 1); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - /* Step 2. Extract the authenticatedSafe. - */ + /* Step 2. Extract the authenticatedSafe. + */ - if ((result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-12-AuthenticatedSafe", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if ((result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.pkcs-12-AuthenticatedSafe", + &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - result = asn1_der_decoding(&c2, auth_safe.data, auth_safe.size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_der_decoding (&c2, auth_safe.data, auth_safe.size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - if (raw == NULL) { - _gnutls_free_datum(&auth_safe); - } else { - raw->data = auth_safe.data; - raw->size = auth_safe.size; + if (raw == NULL) + { + _gnutls_free_datum (&auth_safe); + } + else + { + raw->data = auth_safe.data; + raw->size = auth_safe.size; } - if (authen_safe) - *authen_safe = c2; + if (authen_safe) + *authen_safe = c2; - return 0; + return 0; - cleanup: - if (c2) - asn1_delete_structure(&c2); - _gnutls_free_datum(&auth_safe); - return result; +cleanup: + if (c2) + asn1_delete_structure (&c2); + _gnutls_free_datum (&auth_safe); + return result; } /** @@ -126,21 +134,25 @@ int _decode_pkcs12_auth_safe(ASN1_TYPE pkcs12, ASN1_TYPE * authen_safe, * Returns 0 on success. * **/ -int gnutls_pkcs12_init(gnutls_pkcs12_t * pkcs12) +int +gnutls_pkcs12_init (gnutls_pkcs12_t * pkcs12) { - *pkcs12 = gnutls_calloc(1, sizeof(gnutls_pkcs12_int)); - - if (*pkcs12) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-PFX", &(*pkcs12)->pkcs12); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(*pkcs12); - return _gnutls_asn2err(result); + *pkcs12 = gnutls_calloc (1, sizeof (gnutls_pkcs12_int)); + + if (*pkcs12) + { + int result = asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-12-PFX", + &(*pkcs12)->pkcs12); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + gnutls_free (*pkcs12); + return _gnutls_asn2err (result); } - return 0; /* success */ + return 0; /* success */ } - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_MEMORY_ERROR; } /** @@ -150,15 +162,16 @@ int gnutls_pkcs12_init(gnutls_pkcs12_t * pkcs12) * This function will deinitialize a PKCS12 structure. * **/ -void gnutls_pkcs12_deinit(gnutls_pkcs12_t pkcs12) +void +gnutls_pkcs12_deinit (gnutls_pkcs12_t pkcs12) { - if (!pkcs12) - return; + if (!pkcs12) + return; - if (pkcs12->pkcs12) - asn1_delete_structure(&pkcs12->pkcs12); + if (pkcs12->pkcs12) + asn1_delete_structure (&pkcs12->pkcs12); - gnutls_free(pkcs12); + gnutls_free (pkcs12); } /** @@ -176,59 +189,63 @@ void gnutls_pkcs12_deinit(gnutls_pkcs12_t pkcs12) * Returns 0 on success. * **/ -int gnutls_pkcs12_import(gnutls_pkcs12_t pkcs12, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format, unsigned int flags) +int +gnutls_pkcs12_import (gnutls_pkcs12_t pkcs12, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format, unsigned int flags) { - int result = 0, need_free = 0; - gnutls_datum_t _data; + int result = 0, need_free = 0; + gnutls_datum_t _data; - _data.data = data->data; - _data.size = data->size; + _data.data = data->data; + _data.size = data->size; - if (pkcs12 == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (pkcs12 == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* If the PKCS12 is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - result = _gnutls_fbase64_decode(PEM_PKCS12, data->data, data->size, - &out); - - if (result <= 0) { - if (result == 0) - result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; + /* If the PKCS12 is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) + { + opaque *out; + + result = _gnutls_fbase64_decode (PEM_PKCS12, data->data, data->size, + &out); + + if (result <= 0) + { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return result; } - _data.data = out; - _data.size = result; + _data.data = out; + _data.size = result; - need_free = 1; + need_free = 1; } - result = - asn1_der_decoding(&pkcs12->pkcs12, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; + result = asn1_der_decoding (&pkcs12->pkcs12, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) + { + result = _gnutls_asn2err (result); + gnutls_assert (); + goto cleanup; } - if (need_free) - _gnutls_free_datum(&_data); + if (need_free) + _gnutls_free_datum (&_data); - return 0; + return 0; - cleanup: - if (need_free) - _gnutls_free_datum(&_data); - return result; +cleanup: + if (need_free) + _gnutls_free_datum (&_data); + return result; } @@ -253,282 +270,311 @@ int gnutls_pkcs12_import(gnutls_pkcs12_t pkcs12, * returned, and 0 on success. * **/ -int gnutls_pkcs12_export(gnutls_pkcs12_t pkcs12, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size) +int +gnutls_pkcs12_export (gnutls_pkcs12_t pkcs12, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) { - if (pkcs12 == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (pkcs12 == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12, - *output_data_size, output_data, - output_data_size); + return _gnutls_x509_export_int (pkcs12->pkcs12, format, PEM_PKCS12, + *output_data_size, output_data, + output_data_size); } -static int oid2bag(const char *oid) +static int +oid2bag (const char *oid) { - if (strcmp(oid, BAG_PKCS8_KEY) == 0) - return GNUTLS_BAG_PKCS8_KEY; - if (strcmp(oid, BAG_PKCS8_ENCRYPTED_KEY) == 0) - return GNUTLS_BAG_PKCS8_ENCRYPTED_KEY; - if (strcmp(oid, BAG_CERTIFICATE) == 0) - return GNUTLS_BAG_CERTIFICATE; - if (strcmp(oid, BAG_CRL) == 0) - return GNUTLS_BAG_CRL; - - return GNUTLS_BAG_UNKNOWN; + if (strcmp (oid, BAG_PKCS8_KEY) == 0) + return GNUTLS_BAG_PKCS8_KEY; + if (strcmp (oid, BAG_PKCS8_ENCRYPTED_KEY) == 0) + return GNUTLS_BAG_PKCS8_ENCRYPTED_KEY; + if (strcmp (oid, BAG_CERTIFICATE) == 0) + return GNUTLS_BAG_CERTIFICATE; + if (strcmp (oid, BAG_CRL) == 0) + return GNUTLS_BAG_CRL; + + return GNUTLS_BAG_UNKNOWN; } -static const char *bag_to_oid(int bag) +static const char * +bag_to_oid (int bag) { - switch (bag) { + switch (bag) + { case GNUTLS_BAG_PKCS8_KEY: - return BAG_PKCS8_KEY; + return BAG_PKCS8_KEY; case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: - return BAG_PKCS8_ENCRYPTED_KEY; + return BAG_PKCS8_ENCRYPTED_KEY; case GNUTLS_BAG_CERTIFICATE: - return BAG_CERTIFICATE; + return BAG_CERTIFICATE; case GNUTLS_BAG_CRL: - return BAG_CRL; + return BAG_CRL; } - return NULL; + return NULL; } -static inline char *ucs2_to_ascii(char *data, int size) +static inline char * +ucs2_to_ascii (char *data, int size) { - int i, j; - - for (i = 0; i < size / 2; i++) { - j = 2*i + 1; - if (isascii(data[j])) - data[i] = data[i * 2 + 1]; - else - data[i] = '?'; + int i, j; + + for (i = 0; i < size / 2; i++) + { + j = 2 * i + 1; + if (isascii (data[j])) + data[i] = data[i * 2 + 1]; + else + data[i] = '?'; } - data[i] = 0; + data[i] = 0; - return data; + return data; } /* Decodes the SafeContents, and puts the output in * the given bag. */ int -_pkcs12_decode_safe_contents(const gnutls_datum_t * content, - gnutls_pkcs12_bag_t bag) +_pkcs12_decode_safe_contents (const gnutls_datum_t * content, + gnutls_pkcs12_bag_t bag) { - char oid[128], root[128]; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int len, result; - int bag_type; - gnutls_datum_t attr_val; - int count = 0, i, attributes, j; - char counter[MAX_INT_DIGITS]; - size_t size; - - /* Step 1. Extract the SEQUENCE. - */ - - if ((result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-12-SafeContents", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + char oid[128], root[128]; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int len, result; + int bag_type; + gnutls_datum_t attr_val; + int count = 0, i, attributes, j; + char counter[MAX_INT_DIGITS]; + size_t size; + + /* Step 1. Extract the SEQUENCE. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.pkcs-12-SafeContents", + &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - result = asn1_der_decoding(&c2, content->data, content->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_der_decoding (&c2, content->data, content->size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Count the number of bags - */ - result = asn1_number_of_elements(c2, "", &count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* Count the number of bags + */ + result = asn1_number_of_elements (c2, "", &count); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - bag->bag_elements = MIN(MAX_BAG_ELEMENTS, count); + bag->bag_elements = MIN (MAX_BAG_ELEMENTS, count); - for (i = 0; i < bag->bag_elements; i++) { + for (i = 0; i < bag->bag_elements; i++) + { - _gnutls_str_cpy(root, sizeof(root), "?"); - _gnutls_int2str(i + 1, counter); - _gnutls_str_cat(root, sizeof(root), counter); - _gnutls_str_cat(root, sizeof(root), ".bagId"); + _gnutls_str_cpy (root, sizeof (root), "?"); + _gnutls_int2str (i + 1, counter); + _gnutls_str_cat (root, sizeof (root), counter); + _gnutls_str_cat (root, sizeof (root), ".bagId"); - len = sizeof(oid); - result = asn1_read_value(c2, root, oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + len = sizeof (oid); + result = asn1_read_value (c2, root, oid, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Read the Bag type - */ - bag_type = oid2bag(oid); + /* Read the Bag type + */ + bag_type = oid2bag (oid); - if (bag_type < 0) { - gnutls_assert(); - goto cleanup; + if (bag_type < 0) + { + gnutls_assert (); + goto cleanup; } - /* Read the Bag Value - */ + /* Read the Bag Value + */ - _gnutls_str_cpy(root, sizeof(root), "?"); - _gnutls_int2str(i + 1, counter); - _gnutls_str_cat(root, sizeof(root), counter); - _gnutls_str_cat(root, sizeof(root), ".bagValue"); + _gnutls_str_cpy (root, sizeof (root), "?"); + _gnutls_int2str (i + 1, counter); + _gnutls_str_cat (root, sizeof (root), counter); + _gnutls_str_cat (root, sizeof (root), ".bagValue"); - result = - _gnutls_x509_read_value(c2, root, &bag->element[i].data, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _gnutls_x509_read_value (c2, root, &bag->element[i].data, 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - if (bag_type == GNUTLS_BAG_CERTIFICATE || - bag_type == GNUTLS_BAG_CRL) { - gnutls_datum_t tmp = bag->element[i].data; + if (bag_type == GNUTLS_BAG_CERTIFICATE || bag_type == GNUTLS_BAG_CRL) + { + gnutls_datum_t tmp = bag->element[i].data; - result = - _pkcs12_decode_crt_bag(bag_type, &tmp, - &bag->element[i].data); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = + _pkcs12_decode_crt_bag (bag_type, &tmp, &bag->element[i].data); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - _gnutls_free_datum(&tmp); + _gnutls_free_datum (&tmp); } - /* read the bag attributes - */ - _gnutls_str_cpy(root, sizeof(root), "?"); - _gnutls_int2str(i + 1, counter); - _gnutls_str_cat(root, sizeof(root), counter); - _gnutls_str_cat(root, sizeof(root), ".bagAttributes"); - - result = asn1_number_of_elements(c2, root, &attributes); - if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* read the bag attributes + */ + _gnutls_str_cpy (root, sizeof (root), "?"); + _gnutls_int2str (i + 1, counter); + _gnutls_str_cat (root, sizeof (root), counter); + _gnutls_str_cat (root, sizeof (root), ".bagAttributes"); + + result = asn1_number_of_elements (c2, root, &attributes); + if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - if (attributes < 0) - attributes = 1; + if (attributes < 0) + attributes = 1; - if (result != ASN1_ELEMENT_NOT_FOUND) - for (j = 0; j < attributes; j++) { + if (result != ASN1_ELEMENT_NOT_FOUND) + for (j = 0; j < attributes; j++) + { - _gnutls_str_cpy(root, sizeof(root), "?"); - _gnutls_int2str(i + 1, counter); - _gnutls_str_cat(root, sizeof(root), counter); - _gnutls_str_cat(root, sizeof(root), ".bagAttributes.?"); - _gnutls_int2str(j + 1, counter); - _gnutls_str_cat(root, sizeof(root), counter); + _gnutls_str_cpy (root, sizeof (root), "?"); + _gnutls_int2str (i + 1, counter); + _gnutls_str_cat (root, sizeof (root), counter); + _gnutls_str_cat (root, sizeof (root), ".bagAttributes.?"); + _gnutls_int2str (j + 1, counter); + _gnutls_str_cat (root, sizeof (root), counter); - result = - _gnutls_x509_decode_and_read_attribute(c2, root, oid, - sizeof(oid), &attr_val, 1, 0); - - if (result < 0) { - gnutls_assert(); - continue; /* continue in case we find some known attributes */ - } - - if (strcmp(oid, KEY_ID_OID) == 0) { - size = attr_val.size; - - result = _gnutls_x509_decode_octet_string( NULL, attr_val.data, size, - attr_val.data, &size); - attr_val.size = size; - if (result < 0) { - _gnutls_free_datum( &attr_val); - gnutls_assert(); - _gnutls_x509_log - ("Error decoding PKCS12 Bag Attribute OID '%s'\n", oid); - continue; - } - bag->element[i].local_key_id = attr_val; - } else if (strcmp(oid, FRIENDLY_NAME_OID) == 0) { - size = attr_val.size; - result = _gnutls_x509_decode_octet_string( "BMPString", attr_val.data, size, - attr_val.data, &size); - attr_val.size = size; - if (result < 0) { - _gnutls_free_datum( &attr_val); - gnutls_assert(); - _gnutls_x509_log - ("Error decoding PKCS12 Bag Attribute OID '%s'\n", oid); - continue; - } - bag->element[i].friendly_name = - ucs2_to_ascii(attr_val.data, attr_val.size); - } else { - _gnutls_free_datum( &attr_val); - _gnutls_x509_log - ("Unknown PKCS12 Bag Attribute OID '%s'\n", oid); - } - } + result = + _gnutls_x509_decode_and_read_attribute (c2, root, oid, + sizeof (oid), &attr_val, + 1, 0); + + if (result < 0) + { + gnutls_assert (); + continue; /* continue in case we find some known attributes */ + } + if (strcmp (oid, KEY_ID_OID) == 0) + { + size = attr_val.size; - bag->element[i].type = bag_type; + result = + _gnutls_x509_decode_octet_string (NULL, attr_val.data, size, + attr_val.data, &size); + attr_val.size = size; + if (result < 0) + { + _gnutls_free_datum (&attr_val); + gnutls_assert (); + _gnutls_x509_log + ("Error decoding PKCS12 Bag Attribute OID '%s'\n", oid); + continue; + } + bag->element[i].local_key_id = attr_val; + } + else if (strcmp (oid, FRIENDLY_NAME_OID) == 0) + { + size = attr_val.size; + result = + _gnutls_x509_decode_octet_string ("BMPString", + attr_val.data, size, + attr_val.data, &size); + attr_val.size = size; + if (result < 0) + { + _gnutls_free_datum (&attr_val); + gnutls_assert (); + _gnutls_x509_log + ("Error decoding PKCS12 Bag Attribute OID '%s'\n", oid); + continue; + } + bag->element[i].friendly_name = + ucs2_to_ascii (attr_val.data, attr_val.size); + } + else + { + _gnutls_free_datum (&attr_val); + _gnutls_x509_log + ("Unknown PKCS12 Bag Attribute OID '%s'\n", oid); + } + } + + + bag->element[i].type = bag_type; } - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - return 0; + return 0; - cleanup: - if (c2) - asn1_delete_structure(&c2); - return result; +cleanup: + if (c2) + asn1_delete_structure (&c2); + return result; } -static -int _parse_safe_contents(ASN1_TYPE sc, const char *sc_name, - gnutls_pkcs12_bag_t bag) +static int +_parse_safe_contents (ASN1_TYPE sc, const char *sc_name, + gnutls_pkcs12_bag_t bag) { - gnutls_datum_t content = { NULL, 0 }; - int result; + gnutls_datum_t content = { NULL, 0 }; + int result; - /* Step 1. Extract the content. - */ + /* Step 1. Extract the content. + */ - result = _gnutls_x509_read_value(sc, sc_name, &content, 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _gnutls_x509_read_value (sc, sc_name, &content, 1); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = _pkcs12_decode_safe_contents(&content, bag); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _pkcs12_decode_safe_contents (&content, bag); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - _gnutls_free_datum(&content); + _gnutls_free_datum (&content); - return 0; + return 0; - cleanup: - _gnutls_free_datum(&content); - return result; +cleanup: + _gnutls_free_datum (&content); + return result; } @@ -545,137 +591,148 @@ int _parse_safe_contents(ASN1_TYPE sc, const char *sc_name, * will be returned. * **/ -int gnutls_pkcs12_get_bag(gnutls_pkcs12_t pkcs12, - int indx, gnutls_pkcs12_bag_t bag) +int +gnutls_pkcs12_get_bag (gnutls_pkcs12_t pkcs12, + int indx, gnutls_pkcs12_bag_t bag) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len; - char root2[64]; - char oid[128]; - char counter[MAX_INT_DIGITS]; - gnutls_datum_t tmp = { NULL, 0 }; - - if (pkcs12 == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len; + char root2[64]; + char oid[128]; + char counter[MAX_INT_DIGITS]; + gnutls_datum_t tmp = { NULL, 0 }; + + if (pkcs12 == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Step 1. decode the data. - */ - result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; + /* Step 1. decode the data. + */ + result = _decode_pkcs12_auth_safe (pkcs12->pkcs12, &c2, NULL); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Step 2. Parse the AuthenticatedSafe - */ + /* Step 2. Parse the AuthenticatedSafe + */ - _gnutls_str_cpy(root2, sizeof(root2), "?"); - _gnutls_int2str(indx + 1, counter); - _gnutls_str_cat(root2, sizeof(root2), counter); - _gnutls_str_cat(root2, sizeof(root2), ".contentType"); + _gnutls_str_cpy (root2, sizeof (root2), "?"); + _gnutls_int2str (indx + 1, counter); + _gnutls_str_cat (root2, sizeof (root2), counter); + _gnutls_str_cat (root2, sizeof (root2), ".contentType"); - len = sizeof(oid) - 1; + len = sizeof (oid) - 1; - result = asn1_read_value(c2, root2, oid, &len); + result = asn1_read_value (c2, root2, oid, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - goto cleanup; + if (result == ASN1_ELEMENT_NOT_FOUND) + { + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + goto cleanup; } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Not encrypted Bag - */ + /* Not encrypted Bag + */ - _gnutls_str_cpy(root2, sizeof(root2), "?"); - _gnutls_int2str(indx + 1, counter); - _gnutls_str_cat(root2, sizeof(root2), counter); - _gnutls_str_cat(root2, sizeof(root2), ".content"); + _gnutls_str_cpy (root2, sizeof (root2), "?"); + _gnutls_int2str (indx + 1, counter); + _gnutls_str_cat (root2, sizeof (root2), counter); + _gnutls_str_cat (root2, sizeof (root2), ".content"); - if (strcmp(oid, DATA_OID) == 0) { - result = _parse_safe_contents(c2, root2, bag); - goto cleanup; + if (strcmp (oid, DATA_OID) == 0) + { + result = _parse_safe_contents (c2, root2, bag); + goto cleanup; } - /* ENC_DATA_OID needs decryption */ + /* ENC_DATA_OID needs decryption */ - bag->element[0].type = GNUTLS_BAG_ENCRYPTED; - bag->bag_elements = 1; + bag->element[0].type = GNUTLS_BAG_ENCRYPTED; + bag->bag_elements = 1; - result = _gnutls_x509_read_value(c2, root2, &bag->element[0].data, 0); - if (result < 0) { - gnutls_assert(); - return result; + result = _gnutls_x509_read_value (c2, root2, &bag->element[0].data, 0); + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; - cleanup: - _gnutls_free_datum(&tmp); - if (c2) - asn1_delete_structure(&c2); - return result; +cleanup: + _gnutls_free_datum (&tmp); + if (c2) + asn1_delete_structure (&c2); + return result; } /* Creates an empty PFX structure for the PKCS12 structure. */ -static int create_empty_pfx(ASN1_TYPE pkcs12) +static int +create_empty_pfx (ASN1_TYPE pkcs12) { - uint8 three = 3; - int result; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - /* Use version 3 - */ - result = asn1_write_value(pkcs12, "version", &three, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + uint8 three = 3; + int result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + /* Use version 3 + */ + result = asn1_write_value (pkcs12, "version", &three, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Write the content type of the data - */ - result = asn1_write_value(pkcs12, "authSafe.contentType", DATA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* Write the content type of the data + */ + result = asn1_write_value (pkcs12, "authSafe.contentType", DATA_OID, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Check if the authenticatedSafe content is empty, and encode a - * null one in that case. - */ - - if ((result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-12-AuthenticatedSafe", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* Check if the authenticatedSafe content is empty, and encode a + * null one in that case. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.pkcs-12-AuthenticatedSafe", + &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - result = - _gnutls_x509_der_encode_and_copy(c2, "", pkcs12, - "authSafe.content", 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = + _gnutls_x509_der_encode_and_copy (c2, "", pkcs12, "authSafe.content", 1); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - return 0; + return 0; - cleanup: - asn1_delete_structure(&c2); - return result; +cleanup: + asn1_delete_structure (&c2); + return result; } @@ -688,114 +745,126 @@ static int create_empty_pfx(ASN1_TYPE pkcs12) * Returns 0 on success. * **/ -int gnutls_pkcs12_set_bag(gnutls_pkcs12_t pkcs12, gnutls_pkcs12_bag_t bag) +int +gnutls_pkcs12_set_bag (gnutls_pkcs12_t pkcs12, gnutls_pkcs12_bag_t bag) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; - int result; - int enc = 0, dum = 1; - char null; - - if (pkcs12 == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; + int result; + int enc = 0, dum = 1; + char null; + + if (pkcs12 == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Step 1. Check if the pkcs12 structure is empty. In that - * case generate an empty PFX. - */ - result = - asn1_read_value(pkcs12->pkcs12, "authSafe.content", &null, &dum); - if (result == ASN1_VALUE_NOT_FOUND) { - result = create_empty_pfx(pkcs12->pkcs12); - if (result < 0) { - gnutls_assert(); - return result; + /* Step 1. Check if the pkcs12 structure is empty. In that + * case generate an empty PFX. + */ + result = asn1_read_value (pkcs12->pkcs12, "authSafe.content", &null, &dum); + if (result == ASN1_VALUE_NOT_FOUND) + { + result = create_empty_pfx (pkcs12->pkcs12); + if (result < 0) + { + gnutls_assert (); + return result; } } - /* Step 2. decode the authenticatedSafe. - */ - result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; + /* Step 2. decode the authenticatedSafe. + */ + result = _decode_pkcs12_auth_safe (pkcs12->pkcs12, &c2, NULL); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Step 3. Encode the bag elements into a SafeContents - * structure. - */ - result = _pkcs12_encode_safe_contents(bag, &safe_cont, &enc); - if (result < 0) { - gnutls_assert(); - return result; + /* Step 3. Encode the bag elements into a SafeContents + * structure. + */ + result = _pkcs12_encode_safe_contents (bag, &safe_cont, &enc); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Step 4. Insert the encoded SafeContents into the AuthenticatedSafe - * structure. - */ - result = asn1_write_value(c2, "", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* Step 4. Insert the encoded SafeContents into the AuthenticatedSafe + * structure. + */ + result = asn1_write_value (c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - if (enc) - result = - asn1_write_value(c2, "?LAST.contentType", ENC_DATA_OID, 1); - else - result = asn1_write_value(c2, "?LAST.contentType", DATA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (enc) + result = asn1_write_value (c2, "?LAST.contentType", ENC_DATA_OID, 1); + else + result = asn1_write_value (c2, "?LAST.contentType", DATA_OID, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - if (enc) { - /* Encrypted packets are written directly. - */ - result = - asn1_write_value(c2, "?LAST.content", - bag->element[0].data.data, - bag->element[0].data.size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (enc) + { + /* Encrypted packets are written directly. + */ + result = + asn1_write_value (c2, "?LAST.content", + bag->element[0].data.data, + bag->element[0].data.size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - } else { - result = - _gnutls_x509_der_encode_and_copy(safe_cont, "", c2, - "?LAST.content", 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; + } + else + { + result = + _gnutls_x509_der_encode_and_copy (safe_cont, "", c2, + "?LAST.content", 1); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } } - asn1_delete_structure(&safe_cont); + asn1_delete_structure (&safe_cont); - /* Step 5. Reencode and copy the AuthenticatedSafe into the pkcs12 - * structure. - */ - result = - _gnutls_x509_der_encode_and_copy(c2, "", pkcs12->pkcs12, - "authSafe.content", 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; + /* Step 5. Reencode and copy the AuthenticatedSafe into the pkcs12 + * structure. + */ + result = + _gnutls_x509_der_encode_and_copy (c2, "", pkcs12->pkcs12, + "authSafe.content", 1); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - return 0; + return 0; - cleanup: - asn1_delete_structure(&c2); - asn1_delete_structure(&safe_cont); - return result; +cleanup: + asn1_delete_structure (&c2); + asn1_delete_structure (&safe_cont); + return result; } /** @@ -807,117 +876,127 @@ int gnutls_pkcs12_set_bag(gnutls_pkcs12_t pkcs12, gnutls_pkcs12_bag_t bag) * Returns 0 on success. * **/ -int gnutls_pkcs12_generate_mac(gnutls_pkcs12_t pkcs12, const char *pass) +int +gnutls_pkcs12_generate_mac (gnutls_pkcs12_t pkcs12, const char *pass) { - opaque salt[8], key[20]; - int result; - const int iter = 1; - mac_hd_t td1 = NULL; - gnutls_datum_t tmp = { NULL, 0 }; - opaque sha_mac[20]; - - if (pkcs12 == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + opaque salt[8], key[20]; + int result; + const int iter = 1; + mac_hd_t td1 = NULL; + gnutls_datum_t tmp = { NULL, 0 }; + opaque sha_mac[20]; + + if (pkcs12 == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Generate the salt. - */ - if (gc_nonce (salt, sizeof(salt)) != GC_OK) { - gnutls_assert(); + /* Generate the salt. + */ + if (gc_nonce (salt, sizeof (salt)) != GC_OK) + { + gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; } - /* Write the salt into the structure. - */ - result = - asn1_write_value(pkcs12->pkcs12, "macData.macSalt", salt, - sizeof(salt)); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* Write the salt into the structure. + */ + result = + asn1_write_value (pkcs12->pkcs12, "macData.macSalt", salt, sizeof (salt)); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* write the iterations - */ - - if (iter > 1) { - result = - _gnutls_x509_write_uint32(pkcs12->pkcs12, "macData.iterations", - iter); - if (result < 0) { - gnutls_assert(); - goto cleanup; + /* write the iterations + */ + + if (iter > 1) + { + result = + _gnutls_x509_write_uint32 (pkcs12->pkcs12, "macData.iterations", + iter); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } } - /* Generate the key. - */ - result = _pkcs12_string_to_key(3 /*MAC*/, salt, sizeof(salt), - iter, pass, sizeof(key), key); - if (result < 0) { - gnutls_assert(); - goto cleanup; + /* Generate the key. + */ + result = _pkcs12_string_to_key (3 /*MAC*/, salt, sizeof (salt), + iter, pass, sizeof (key), key); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - /* Get the data to be MACed - */ - result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, NULL, &tmp); - if (result < 0) { - gnutls_assert(); - goto cleanup; + /* Get the data to be MACed + */ + result = _decode_pkcs12_auth_safe (pkcs12->pkcs12, NULL, &tmp); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - /* MAC the data - */ - td1 = _gnutls_hmac_init(GNUTLS_MAC_SHA1, key, sizeof(key)); - if (td1 == GNUTLS_MAC_FAILED) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; + /* MAC the data + */ + td1 = _gnutls_hmac_init (GNUTLS_MAC_SHA1, key, sizeof (key)); + if (td1 == GNUTLS_MAC_FAILED) + { + gnutls_assert (); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; } - _gnutls_hmac(td1, tmp.data, tmp.size); - _gnutls_free_datum(&tmp); + _gnutls_hmac (td1, tmp.data, tmp.size); + _gnutls_free_datum (&tmp); - _gnutls_hmac_deinit(td1, sha_mac); + _gnutls_hmac_deinit (td1, sha_mac); - result = - asn1_write_value(pkcs12->pkcs12, "macData.mac.digest", sha_mac, - sizeof(sha_mac)); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = + asn1_write_value (pkcs12->pkcs12, "macData.mac.digest", sha_mac, + sizeof (sha_mac)); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - result = - asn1_write_value(pkcs12->pkcs12, - "macData.mac.digestAlgorithm.parameters", NULL, - 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = + asn1_write_value (pkcs12->pkcs12, + "macData.mac.digestAlgorithm.parameters", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - result = - asn1_write_value(pkcs12->pkcs12, - "macData.mac.digestAlgorithm.algorithm", HASH_OID_SHA1, - 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = + asn1_write_value (pkcs12->pkcs12, + "macData.mac.digestAlgorithm.algorithm", HASH_OID_SHA1, + 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - return 0; + return 0; - cleanup: - _gnutls_free_datum(&tmp); - return result; +cleanup: + _gnutls_free_datum (&tmp); + return result; } /** @@ -929,195 +1008,214 @@ int gnutls_pkcs12_generate_mac(gnutls_pkcs12_t pkcs12, const char *pass) * Returns 0 on success. * **/ -int gnutls_pkcs12_verify_mac(gnutls_pkcs12_t pkcs12, const char *pass) +int +gnutls_pkcs12_verify_mac (gnutls_pkcs12_t pkcs12, const char *pass) { - opaque key[20]; - int result; - unsigned int iter; - int len; - mac_hd_t td1 = NULL; - gnutls_datum_t tmp = { NULL, 0 }, salt = { - NULL, 0}; - opaque sha_mac[20]; - opaque sha_mac_orig[20]; - - if (pkcs12 == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + opaque key[20]; + int result; + unsigned int iter; + int len; + mac_hd_t td1 = NULL; + gnutls_datum_t tmp = { NULL, 0 }, salt = + { + NULL, 0}; + opaque sha_mac[20]; + opaque sha_mac_orig[20]; + + if (pkcs12 == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* read the iterations - */ + /* read the iterations + */ - result = - _gnutls_x509_read_uint(pkcs12->pkcs12, "macData.iterations", - &iter); - if (result < 0) { - iter = 1; /* the default */ + result = + _gnutls_x509_read_uint (pkcs12->pkcs12, "macData.iterations", &iter); + if (result < 0) + { + iter = 1; /* the default */ } - /* Read the salt from the structure. - */ - result = - _gnutls_x509_read_value(pkcs12->pkcs12, "macData.macSalt", &salt, - 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* Read the salt from the structure. + */ + result = + _gnutls_x509_read_value (pkcs12->pkcs12, "macData.macSalt", &salt, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Generate the key. - */ - result = _pkcs12_string_to_key(3 /*MAC*/, salt.data, salt.size, - iter, pass, sizeof(key), key); - if (result < 0) { - gnutls_assert(); - goto cleanup; + /* Generate the key. + */ + result = _pkcs12_string_to_key (3 /*MAC*/, salt.data, salt.size, + iter, pass, sizeof (key), key); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - _gnutls_free_datum(&salt); + _gnutls_free_datum (&salt); - /* Get the data to be MACed - */ - result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, NULL, &tmp); - if (result < 0) { - gnutls_assert(); - goto cleanup; + /* Get the data to be MACed + */ + result = _decode_pkcs12_auth_safe (pkcs12->pkcs12, NULL, &tmp); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - /* MAC the data - */ - td1 = _gnutls_hmac_init(GNUTLS_MAC_SHA1, key, sizeof(key)); - if (td1 == GNUTLS_MAC_FAILED) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; + /* MAC the data + */ + td1 = _gnutls_hmac_init (GNUTLS_MAC_SHA1, key, sizeof (key)); + if (td1 == GNUTLS_MAC_FAILED) + { + gnutls_assert (); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; } - _gnutls_hmac(td1, tmp.data, tmp.size); - _gnutls_free_datum(&tmp); + _gnutls_hmac (td1, tmp.data, tmp.size); + _gnutls_free_datum (&tmp); - _gnutls_hmac_deinit(td1, sha_mac); + _gnutls_hmac_deinit (td1, sha_mac); - len = sizeof(sha_mac_orig); - result = - asn1_read_value(pkcs12->pkcs12, "macData.mac.digest", sha_mac_orig, - &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + len = sizeof (sha_mac_orig); + result = + asn1_read_value (pkcs12->pkcs12, "macData.mac.digest", sha_mac_orig, + &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - if (memcmp(sha_mac_orig, sha_mac, sizeof(sha_mac)) != 0) { - gnutls_assert(); - return GNUTLS_E_MAC_VERIFY_FAILED; + if (memcmp (sha_mac_orig, sha_mac, sizeof (sha_mac)) != 0) + { + gnutls_assert (); + return GNUTLS_E_MAC_VERIFY_FAILED; } - return 0; + return 0; - cleanup: - _gnutls_free_datum(&tmp); - _gnutls_free_datum(&salt); - return result; +cleanup: + _gnutls_free_datum (&tmp); + _gnutls_free_datum (&salt); + return result; } -static int write_attributes(gnutls_pkcs12_bag_t bag, int elem, - ASN1_TYPE c2, const char *where) +static int +write_attributes (gnutls_pkcs12_bag_t bag, int elem, + ASN1_TYPE c2, const char *where) { - int result; - char root[128]; - - /* If the bag attributes are empty, then write - * nothing to the attribute field. - */ - if (bag->element[elem].friendly_name == NULL && - bag->element[elem].local_key_id.data == NULL) { - /* no attributes - */ - result = asn1_write_value(c2, where, NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + int result; + char root[128]; + + /* If the bag attributes are empty, then write + * nothing to the attribute field. + */ + if (bag->element[elem].friendly_name == NULL && + bag->element[elem].local_key_id.data == NULL) + { + /* no attributes + */ + result = asn1_write_value (c2, where, NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } - if (bag->element[elem].local_key_id.data != NULL) { + if (bag->element[elem].local_key_id.data != NULL) + { - /* Add a new Attribute - */ - result = asn1_write_value(c2, where, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + /* Add a new Attribute + */ + result = asn1_write_value (c2, where, "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - _gnutls_str_cpy(root, sizeof(root), where); - _gnutls_str_cat(root, sizeof(root), ".?LAST"); - - result = - _gnutls_x509_encode_and_write_attribute(KEY_ID_OID, c2, root, - bag->element[elem]. - local_key_id.data, - bag->element[elem]. - local_key_id.size, 1); - if (result < 0) { - gnutls_assert(); - return result; + _gnutls_str_cpy (root, sizeof (root), where); + _gnutls_str_cat (root, sizeof (root), ".?LAST"); + + result = + _gnutls_x509_encode_and_write_attribute (KEY_ID_OID, c2, root, + bag->element[elem]. + local_key_id.data, + bag->element[elem]. + local_key_id.size, 1); + if (result < 0) + { + gnutls_assert (); + return result; } } - if (bag->element[elem].friendly_name != NULL) { - opaque *name; - int size, i; - const char *p; - - /* Add a new Attribute - */ - result = asn1_write_value(c2, where, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (bag->element[elem].friendly_name != NULL) + { + opaque *name; + int size, i; + const char *p; + + /* Add a new Attribute + */ + result = asn1_write_value (c2, where, "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - /* convert name to BMPString - */ - size = strlen(bag->element[elem].friendly_name) * 2; - name = gnutls_malloc(size); + /* convert name to BMPString + */ + size = strlen (bag->element[elem].friendly_name) * 2; + name = gnutls_malloc (size); - if (name == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (name == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - p = bag->element[elem].friendly_name; - for (i = 0; i < size; i += 2) { - name[i] = 0; - name[i + 1] = *p; - p++; + p = bag->element[elem].friendly_name; + for (i = 0; i < size; i += 2) + { + name[i] = 0; + name[i + 1] = *p; + p++; } - _gnutls_str_cpy(root, sizeof(root), where); - _gnutls_str_cat(root, sizeof(root), ".?LAST"); + _gnutls_str_cpy (root, sizeof (root), where); + _gnutls_str_cat (root, sizeof (root), ".?LAST"); - result = - _gnutls_x509_encode_and_write_attribute(FRIENDLY_NAME_OID, c2, - root, name, size, 1); + result = + _gnutls_x509_encode_and_write_attribute (FRIENDLY_NAME_OID, c2, + root, name, size, 1); - gnutls_free(name); + gnutls_free (name); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } } - return 0; + return 0; } @@ -1125,114 +1223,126 @@ static int write_attributes(gnutls_pkcs12_bag_t bag, int elem, * the given datum. Enc is set to non zero if the data are encrypted; */ int -_pkcs12_encode_safe_contents(gnutls_pkcs12_bag_t bag, ASN1_TYPE * contents, - int *enc) +_pkcs12_encode_safe_contents (gnutls_pkcs12_bag_t bag, ASN1_TYPE * contents, + int *enc) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - int i; - const char *oid; - - if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED && enc) { - *enc = 1; - return 0; /* ENCRYPTED BAG, do nothing. */ - } else if (enc) - *enc = 0; - - /* Step 1. Create the SEQUENCE. - */ - - if ((result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-12-SafeContents", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + int i; + const char *oid; + + if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED && enc) + { + *enc = 1; + return 0; /* ENCRYPTED BAG, do nothing. */ + } + else if (enc) + *enc = 0; + + /* Step 1. Create the SEQUENCE. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.pkcs-12-SafeContents", + &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - for (i = 0; i < bag->bag_elements; i++) { + for (i = 0; i < bag->bag_elements; i++) + { - oid = bag_to_oid(bag->element[i].type); - if (oid == NULL) { - gnutls_assert(); - continue; + oid = bag_to_oid (bag->element[i].type); + if (oid == NULL) + { + gnutls_assert (); + continue; } - result = asn1_write_value(c2, "", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_write_value (c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Copy the bag type. - */ - result = asn1_write_value(c2, "?LAST.bagId", oid, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* Copy the bag type. + */ + result = asn1_write_value (c2, "?LAST.bagId", oid, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Set empty attributes - */ - result = write_attributes(bag, i, c2, "?LAST.bagAttributes"); - if (result < 0) { - gnutls_assert(); - goto cleanup; + /* Set empty attributes + */ + result = write_attributes (bag, i, c2, "?LAST.bagAttributes"); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - /* Copy the Bag Value - */ + /* Copy the Bag Value + */ - if (bag->element[i].type == GNUTLS_BAG_CERTIFICATE || - bag->element[i].type == GNUTLS_BAG_CRL) { - gnutls_datum_t tmp; + if (bag->element[i].type == GNUTLS_BAG_CERTIFICATE || + bag->element[i].type == GNUTLS_BAG_CRL) + { + gnutls_datum_t tmp; - /* in that case encode it to a CertBag or - * a CrlBag. - */ + /* in that case encode it to a CertBag or + * a CrlBag. + */ - result = - _pkcs12_encode_crt_bag(bag->element[i].type, - &bag->element[i].data, &tmp); + result = + _pkcs12_encode_crt_bag (bag->element[i].type, + &bag->element[i].data, &tmp); - if (result < 0) { - gnutls_assert(); - goto cleanup; + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = _gnutls_x509_write_value(c2, "?LAST.bagValue", - &tmp, 0); + result = _gnutls_x509_write_value (c2, "?LAST.bagValue", &tmp, 0); - _gnutls_free_datum(&tmp); + _gnutls_free_datum (&tmp); - } else { + } + else + { - result = _gnutls_x509_write_value(c2, "?LAST.bagValue", - &bag->element[i].data, 0); + result = _gnutls_x509_write_value (c2, "?LAST.bagValue", + &bag->element[i].data, 0); } - if (result < 0) { - gnutls_assert(); - goto cleanup; + if (result < 0) + { + gnutls_assert (); + goto cleanup; } } - /* Encode the data and copy them into the datum - */ - *contents = c2; + /* Encode the data and copy them into the datum + */ + *contents = c2; - return 0; + return 0; - cleanup: - if (c2) - asn1_delete_structure(&c2); - return result; +cleanup: + if (c2) + asn1_delete_structure (&c2); + return result; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/pkcs12.h b/lib/x509/pkcs12.h index 45769c995e..5f547830bc 100644 --- a/lib/x509/pkcs12.h +++ b/lib/x509/pkcs12.h @@ -22,33 +22,37 @@ * */ -typedef struct gnutls_pkcs12_int { - ASN1_TYPE pkcs12; +typedef struct gnutls_pkcs12_int +{ + ASN1_TYPE pkcs12; } gnutls_pkcs12_int; -typedef enum gnutls_pkcs12_bag_type_t { - GNUTLS_BAG_EMPTY = 0, +typedef enum gnutls_pkcs12_bag_type_t +{ + GNUTLS_BAG_EMPTY = 0, - GNUTLS_BAG_PKCS8_ENCRYPTED_KEY = 1, - GNUTLS_BAG_PKCS8_KEY, - GNUTLS_BAG_CERTIFICATE, - GNUTLS_BAG_CRL, - GNUTLS_BAG_ENCRYPTED = 10, - GNUTLS_BAG_UNKNOWN = 20 + GNUTLS_BAG_PKCS8_ENCRYPTED_KEY = 1, + GNUTLS_BAG_PKCS8_KEY, + GNUTLS_BAG_CERTIFICATE, + GNUTLS_BAG_CRL, + GNUTLS_BAG_ENCRYPTED = 10, + GNUTLS_BAG_UNKNOWN = 20 } gnutls_pkcs12_bag_type_t; #define MAX_BAG_ELEMENTS 32 -struct bag_element { - gnutls_datum_t data; - gnutls_pkcs12_bag_type_t type; - gnutls_datum_t local_key_id; - char *friendly_name; +struct bag_element +{ + gnutls_datum_t data; + gnutls_pkcs12_bag_type_t type; + gnutls_datum_t local_key_id; + char *friendly_name; }; -typedef struct gnutls_pkcs12_bag_int { - struct bag_element element[MAX_BAG_ELEMENTS]; - int bag_elements; +typedef struct gnutls_pkcs12_bag_int +{ + struct bag_element element[MAX_BAG_ELEMENTS]; + int bag_elements; } gnutls_pkcs12_bag_int; #define BAG_PKCS8_KEY "1.2.840.113549.1.12.10.1.1" @@ -69,47 +73,46 @@ typedef struct gnutls_pkcs12_bag_int { typedef struct gnutls_pkcs12_int *gnutls_pkcs12_t; typedef struct gnutls_pkcs12_bag_int *gnutls_pkcs12_bag_t; -int gnutls_pkcs12_init(gnutls_pkcs12_t * pkcs12); -void gnutls_pkcs12_deinit(gnutls_pkcs12_t pkcs12); -int gnutls_pkcs12_import(gnutls_pkcs12_t pkcs12, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format, unsigned int flags); +int gnutls_pkcs12_init (gnutls_pkcs12_t * pkcs12); +void gnutls_pkcs12_deinit (gnutls_pkcs12_t pkcs12); +int gnutls_pkcs12_import (gnutls_pkcs12_t pkcs12, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format, unsigned int flags); -int gnutls_pkcs12_get_bag(gnutls_pkcs12_t pkcs12, - int indx, gnutls_pkcs12_bag_t bag); +int gnutls_pkcs12_get_bag (gnutls_pkcs12_t pkcs12, + int indx, gnutls_pkcs12_bag_t bag); -int gnutls_pkcs12_bag_init(gnutls_pkcs12_bag_t * bag); -void gnutls_pkcs12_bag_deinit(gnutls_pkcs12_bag_t bag); +int gnutls_pkcs12_bag_init (gnutls_pkcs12_bag_t * bag); +void gnutls_pkcs12_bag_deinit (gnutls_pkcs12_bag_t bag); int -_pkcs12_string_to_key(unsigned int id, const opaque * salt, - unsigned int salt_size, unsigned int iter, - const char *pw, unsigned int req_keylen, - opaque * keybuf); - -int _gnutls_pkcs7_decrypt_data(const gnutls_datum_t * data, - const char *password, gnutls_datum_t * dec); - -typedef enum schema_id { - PBES2, /* the stuff in PKCS #5 */ - PKCS12_3DES_SHA1, /* the fucking stuff in PKCS #12 */ - PKCS12_ARCFOUR_SHA1, - PKCS12_RC2_40_SHA1 +_pkcs12_string_to_key (unsigned int id, const opaque * salt, + unsigned int salt_size, unsigned int iter, + const char *pw, unsigned int req_keylen, + opaque * keybuf); + +int _gnutls_pkcs7_decrypt_data (const gnutls_datum_t * data, + const char *password, gnutls_datum_t * dec); + +typedef enum schema_id +{ + PBES2, /* the stuff in PKCS #5 */ + PKCS12_3DES_SHA1, /* the fucking stuff in PKCS #12 */ + PKCS12_ARCFOUR_SHA1, + PKCS12_RC2_40_SHA1 } schema_id; -int _gnutls_pkcs7_encrypt_data(schema_id schema, - const gnutls_datum_t * data, - const char *password, gnutls_datum_t * enc); -int _pkcs12_decode_safe_contents(const gnutls_datum_t * content, - gnutls_pkcs12_bag_t bag); +int _gnutls_pkcs7_encrypt_data (schema_id schema, + const gnutls_datum_t * data, + const char *password, gnutls_datum_t * enc); +int _pkcs12_decode_safe_contents (const gnutls_datum_t * content, + gnutls_pkcs12_bag_t bag); int -_pkcs12_encode_safe_contents(gnutls_pkcs12_bag_t bag, ASN1_TYPE * content, - int *enc); - -int _pkcs12_decode_crt_bag(gnutls_pkcs12_bag_type_t type, - const gnutls_datum_t * in, - gnutls_datum_t * out); -int _pkcs12_encode_crt_bag(gnutls_pkcs12_bag_type_t type, - const gnutls_datum_t * raw, - gnutls_datum_t * out); +_pkcs12_encode_safe_contents (gnutls_pkcs12_bag_t bag, ASN1_TYPE * content, + int *enc); + +int _pkcs12_decode_crt_bag (gnutls_pkcs12_bag_type_t type, + const gnutls_datum_t * in, gnutls_datum_t * out); +int _pkcs12_encode_crt_bag (gnutls_pkcs12_bag_type_t type, + const gnutls_datum_t * raw, gnutls_datum_t * out); diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c index 6c3d3b5164..5ffcf4ad99 100644 --- a/lib/x509/pkcs12_bag.c +++ b/lib/x509/pkcs12_bag.c @@ -47,26 +47,30 @@ * Returns 0 on success. * **/ -int gnutls_pkcs12_bag_init(gnutls_pkcs12_bag_t * bag) +int +gnutls_pkcs12_bag_init (gnutls_pkcs12_bag_t * bag) { - *bag = gnutls_calloc(1, sizeof(gnutls_pkcs12_bag_int)); + *bag = gnutls_calloc (1, sizeof (gnutls_pkcs12_bag_int)); - if (*bag) { - return 0; /* success */ + if (*bag) + { + return 0; /* success */ } - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_MEMORY_ERROR; } -static inline void _pkcs12_bag_free_data(gnutls_pkcs12_bag_t bag) +static inline void +_pkcs12_bag_free_data (gnutls_pkcs12_bag_t bag) { - int i; + int i; - for (i = 0; i < bag->bag_elements; i++) { - _gnutls_free_datum(&bag->element[i].data); - _gnutls_free_datum(&bag->element[i].local_key_id); - gnutls_free(bag->element[i].friendly_name); - bag->element[i].friendly_name = NULL; - bag->element[i].type = 0; + for (i = 0; i < bag->bag_elements; i++) + { + _gnutls_free_datum (&bag->element[i].data); + _gnutls_free_datum (&bag->element[i].local_key_id); + gnutls_free (bag->element[i].friendly_name); + bag->element[i].friendly_name = NULL; + bag->element[i].type = 0; } } @@ -79,14 +83,15 @@ static inline void _pkcs12_bag_free_data(gnutls_pkcs12_bag_t bag) * This function will deinitialize a PKCS12 Bag structure. * **/ -void gnutls_pkcs12_bag_deinit(gnutls_pkcs12_bag_t bag) +void +gnutls_pkcs12_bag_deinit (gnutls_pkcs12_bag_t bag) { - if (!bag) - return; + if (!bag) + return; - _pkcs12_bag_free_data(bag); + _pkcs12_bag_free_data (bag); - gnutls_free(bag); + gnutls_free (bag); } /** @@ -98,17 +103,18 @@ void gnutls_pkcs12_bag_deinit(gnutls_pkcs12_bag_t bag) * enumerations. * **/ -gnutls_pkcs12_bag_type_t gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag_t - bag, int indx) +gnutls_pkcs12_bag_type_t +gnutls_pkcs12_bag_get_type (gnutls_pkcs12_bag_t bag, int indx) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bag == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (indx >= bag->bag_elements) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - return bag->element[indx].type; + if (indx >= bag->bag_elements) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + return bag->element[indx].type; } /** @@ -118,14 +124,16 @@ gnutls_pkcs12_bag_type_t gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag_t * This function will return the number of the elements withing the bag. * **/ -int gnutls_pkcs12_bag_get_count(gnutls_pkcs12_bag_t bag) +int +gnutls_pkcs12_bag_get_count (gnutls_pkcs12_bag_t bag) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bag == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return bag->bag_elements; + return bag->bag_elements; } /** @@ -141,157 +149,179 @@ int gnutls_pkcs12_bag_get_count(gnutls_pkcs12_bag_t bag) * Returns 0 on success and a negative error code on error. * **/ -int gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag_t bag, int indx, - gnutls_datum_t * data) +int +gnutls_pkcs12_bag_get_data (gnutls_pkcs12_bag_t bag, int indx, + gnutls_datum_t * data) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bag == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (indx >= bag->bag_elements) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (indx >= bag->bag_elements) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - data->data = bag->element[indx].data.data; - data->size = bag->element[indx].data.size; + data->data = bag->element[indx].data.data; + data->size = bag->element[indx].data.size; - return 0; + return 0; } #define X509_CERT_OID "1.2.840.113549.1.9.22.1" #define X509_CRL_OID "1.2.840.113549.1.9.23.1" -int _pkcs12_decode_crt_bag(gnutls_pkcs12_bag_type_t type, - const gnutls_datum_t * in, gnutls_datum_t * out) +int +_pkcs12_decode_crt_bag (gnutls_pkcs12_bag_type_t type, + const gnutls_datum_t * in, gnutls_datum_t * out) { - int ret; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (type == GNUTLS_BAG_CERTIFICATE) { - if ((ret = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-CertBag", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; + int ret; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (type == GNUTLS_BAG_CERTIFICATE) + { + if ((ret = asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-12-CertBag", + &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + ret = _gnutls_asn2err (ret); + goto cleanup; } - ret = asn1_der_decoding(&c2, in->data, in->size, NULL); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; + ret = asn1_der_decoding (&c2, in->data, in->size, NULL); + if (ret != ASN1_SUCCESS) + { + gnutls_assert (); + ret = _gnutls_asn2err (ret); + goto cleanup; } - ret = _gnutls_x509_read_value(c2, "certValue", out, 1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; + ret = _gnutls_x509_read_value (c2, "certValue", out, 1); + if (ret < 0) + { + gnutls_assert (); + goto cleanup; } - } else { /* CRL */ - if ((ret = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-CRLBag", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; + } + else + { /* CRL */ + if ((ret = asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-12-CRLBag", + &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + ret = _gnutls_asn2err (ret); + goto cleanup; } - ret = asn1_der_decoding(&c2, in->data, in->size, NULL); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; + ret = asn1_der_decoding (&c2, in->data, in->size, NULL); + if (ret != ASN1_SUCCESS) + { + gnutls_assert (); + ret = _gnutls_asn2err (ret); + goto cleanup; } - ret = _gnutls_x509_read_value(c2, "crlValue", out, 1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; + ret = _gnutls_x509_read_value (c2, "crlValue", out, 1); + if (ret < 0) + { + gnutls_assert (); + goto cleanup; } } - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - return 0; + return 0; - cleanup: +cleanup: - asn1_delete_structure(&c2); - return ret; + asn1_delete_structure (&c2); + return ret; } -int _pkcs12_encode_crt_bag(gnutls_pkcs12_bag_type_t type, - const gnutls_datum_t * raw, - gnutls_datum_t * out) +int +_pkcs12_encode_crt_bag (gnutls_pkcs12_bag_type_t type, + const gnutls_datum_t * raw, gnutls_datum_t * out) { - int ret; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (type == GNUTLS_BAG_CERTIFICATE) { - if ((ret = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-CertBag", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; + int ret; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (type == GNUTLS_BAG_CERTIFICATE) + { + if ((ret = asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-12-CertBag", + &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + ret = _gnutls_asn2err (ret); + goto cleanup; } - ret = asn1_write_value(c2, "certId", X509_CERT_OID, 1); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; + ret = asn1_write_value (c2, "certId", X509_CERT_OID, 1); + if (ret != ASN1_SUCCESS) + { + gnutls_assert (); + ret = _gnutls_asn2err (ret); + goto cleanup; } - ret = _gnutls_x509_write_value(c2, "certValue", raw, 1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; + ret = _gnutls_x509_write_value (c2, "certValue", raw, 1); + if (ret < 0) + { + gnutls_assert (); + goto cleanup; } - } else { /* CRL */ - if ((ret = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-CRLBag", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; + } + else + { /* CRL */ + if ((ret = asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-12-CRLBag", + &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + ret = _gnutls_asn2err (ret); + goto cleanup; } - ret = asn1_write_value(c2, "crlId", X509_CRL_OID, 1); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; + ret = asn1_write_value (c2, "crlId", X509_CRL_OID, 1); + if (ret != ASN1_SUCCESS) + { + gnutls_assert (); + ret = _gnutls_asn2err (ret); + goto cleanup; } - ret = _gnutls_x509_write_value(c2, "crlValue", raw, 1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; + ret = _gnutls_x509_write_value (c2, "crlValue", raw, 1); + if (ret < 0) + { + gnutls_assert (); + goto cleanup; } } - ret = _gnutls_x509_der_encode(c2, "", out, 0); + ret = _gnutls_x509_der_encode (c2, "", out, 0); - if (ret < 0) { - gnutls_assert(); - goto cleanup; + if (ret < 0) + { + gnutls_assert (); + goto cleanup; } - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - return 0; + return 0; - cleanup: +cleanup: - asn1_delete_structure(&c2); - return ret; + asn1_delete_structure (&c2); + return ret; } @@ -308,49 +338,55 @@ int _pkcs12_encode_crt_bag(gnutls_pkcs12_bag_type_t type, * value on error. * **/ -int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag_t bag, - gnutls_pkcs12_bag_type_t type, - const gnutls_datum_t * data) +int +gnutls_pkcs12_bag_set_data (gnutls_pkcs12_bag_t bag, + gnutls_pkcs12_bag_type_t type, + const gnutls_datum_t * data) { - int ret; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (bag->bag_elements == MAX_BAG_ELEMENTS - 1) { - gnutls_assert(); - /* bag is full */ - return GNUTLS_E_MEMORY_ERROR; - } - - if (bag->bag_elements == 1) { - /* A bag with a key or an encrypted bag, must have - * only one element. - */ - - if (bag->element[0].type == GNUTLS_BAG_PKCS8_KEY || - bag->element[0].type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY || - bag->element[0].type == GNUTLS_BAG_ENCRYPTED) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + int ret; + if (bag == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + if (bag->bag_elements == MAX_BAG_ELEMENTS - 1) + { + gnutls_assert (); + /* bag is full */ + return GNUTLS_E_MEMORY_ERROR; + } + + if (bag->bag_elements == 1) + { + /* A bag with a key or an encrypted bag, must have + * only one element. + */ + + if (bag->element[0].type == GNUTLS_BAG_PKCS8_KEY || + bag->element[0].type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY || + bag->element[0].type == GNUTLS_BAG_ENCRYPTED) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } } - ret = - _gnutls_set_datum(&bag->element[bag->bag_elements].data, - data->data, data->size); + ret = + _gnutls_set_datum (&bag->element[bag->bag_elements].data, + data->data, data->size); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - bag->element[bag->bag_elements].type = type; + bag->element[bag->bag_elements].type = type; - bag->bag_elements++; + bag->bag_elements++; - return bag->bag_elements - 1; + return bag->bag_elements - 1; } /** @@ -365,28 +401,30 @@ int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag_t bag, * value on failure. * **/ -int gnutls_pkcs12_bag_set_crt(gnutls_pkcs12_bag_t bag, - gnutls_x509_crt_t crt) +int +gnutls_pkcs12_bag_set_crt (gnutls_pkcs12_bag_t bag, gnutls_x509_crt_t crt) { - int ret; - gnutls_datum_t data; + int ret; + gnutls_datum_t data; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bag == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = _gnutls_x509_der_encode(crt->cert, "", &data, 0); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_x509_der_encode (crt->cert, "", &data, 0); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = gnutls_pkcs12_bag_set_data(bag, GNUTLS_BAG_CERTIFICATE, &data); + ret = gnutls_pkcs12_bag_set_data (bag, GNUTLS_BAG_CERTIFICATE, &data); - _gnutls_free_datum(&data); + _gnutls_free_datum (&data); - return ret; + return ret; } /** @@ -401,29 +439,31 @@ int gnutls_pkcs12_bag_set_crt(gnutls_pkcs12_bag_t bag, * value on failure. * **/ -int gnutls_pkcs12_bag_set_crl(gnutls_pkcs12_bag_t bag, - gnutls_x509_crl_t crl) +int +gnutls_pkcs12_bag_set_crl (gnutls_pkcs12_bag_t bag, gnutls_x509_crl_t crl) { - int ret; - gnutls_datum_t data; + int ret; + gnutls_datum_t data; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bag == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = _gnutls_x509_der_encode(crl->crl, "", &data, 0); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_x509_der_encode (crl->crl, "", &data, 0); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = gnutls_pkcs12_bag_set_data(bag, GNUTLS_BAG_CRL, &data); + ret = gnutls_pkcs12_bag_set_data (bag, GNUTLS_BAG_CRL, &data); - _gnutls_free_datum(&data); + _gnutls_free_datum (&data); - return ret; + return ret; } /** @@ -439,31 +479,35 @@ int gnutls_pkcs12_bag_set_crl(gnutls_pkcs12_bag_t bag, * Returns 0 on success, or a negative value on error. * **/ -int gnutls_pkcs12_bag_set_key_id(gnutls_pkcs12_bag_t bag, int indx, - const gnutls_datum_t * id) +int +gnutls_pkcs12_bag_set_key_id (gnutls_pkcs12_bag_t bag, int indx, + const gnutls_datum_t * id) { - int ret; + int ret; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bag == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (indx > bag->bag_elements - 1) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (indx > bag->bag_elements - 1) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = _gnutls_set_datum(&bag->element[indx].local_key_id, - id->data, id->size); + ret = _gnutls_set_datum (&bag->element[indx].local_key_id, + id->data, id->size); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } /** @@ -478,23 +522,26 @@ int gnutls_pkcs12_bag_set_key_id(gnutls_pkcs12_bag_t bag, int indx, * Returns 0 on success, or a negative value on error. * **/ -int gnutls_pkcs12_bag_get_key_id(gnutls_pkcs12_bag_t bag, int indx, - gnutls_datum_t * id) +int +gnutls_pkcs12_bag_get_key_id (gnutls_pkcs12_bag_t bag, int indx, + gnutls_datum_t * id) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bag == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (indx > bag->bag_elements - 1) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (indx > bag->bag_elements - 1) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - id->data = bag->element[indx].local_key_id.data; - id->size = bag->element[indx].local_key_id.size; + id->data = bag->element[indx].local_key_id.data; + id->size = bag->element[indx].local_key_id.size; - return 0; + return 0; } /** @@ -509,22 +556,25 @@ int gnutls_pkcs12_bag_get_key_id(gnutls_pkcs12_bag_t bag, int indx, * Returns 0 on success, or a negative value on error. * **/ -int gnutls_pkcs12_bag_get_friendly_name(gnutls_pkcs12_bag_t bag, int indx, - char **name) +int +gnutls_pkcs12_bag_get_friendly_name (gnutls_pkcs12_bag_t bag, int indx, + char **name) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bag == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (indx > bag->bag_elements - 1) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (indx > bag->bag_elements - 1) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - *name = bag->element[indx].friendly_name; + *name = bag->element[indx].friendly_name; - return 0; + return 0; } @@ -541,27 +591,31 @@ int gnutls_pkcs12_bag_get_friendly_name(gnutls_pkcs12_bag_t bag, int indx, * Returns 0 on success, or a negative value on error. * **/ -int gnutls_pkcs12_bag_set_friendly_name(gnutls_pkcs12_bag_t bag, int indx, - const char *name) +int +gnutls_pkcs12_bag_set_friendly_name (gnutls_pkcs12_bag_t bag, int indx, + const char *name) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bag == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (indx > bag->bag_elements - 1) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (indx > bag->bag_elements - 1) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - bag->element[indx].friendly_name = gnutls_strdup(name); + bag->element[indx].friendly_name = gnutls_strdup (name); - if (name == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (name == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - return 0; + return 0; } @@ -573,44 +627,49 @@ int gnutls_pkcs12_bag_set_friendly_name(gnutls_pkcs12_bag_t bag, int indx, * This function will decrypt the given encrypted bag and return 0 on success. * **/ -int gnutls_pkcs12_bag_decrypt(gnutls_pkcs12_bag_t bag, const char *pass) +int +gnutls_pkcs12_bag_decrypt (gnutls_pkcs12_bag_t bag, const char *pass) { - int ret; - gnutls_datum_t dec; + int ret; + gnutls_datum_t dec; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bag == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (bag->element[0].type != GNUTLS_BAG_ENCRYPTED) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bag->element[0].type != GNUTLS_BAG_ENCRYPTED) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = _gnutls_pkcs7_decrypt_data(&bag->element[0].data, pass, &dec); + ret = _gnutls_pkcs7_decrypt_data (&bag->element[0].data, pass, &dec); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* decryption succeeded. Now decode the SafeContents - * stuff, and parse it. - */ + /* decryption succeeded. Now decode the SafeContents + * stuff, and parse it. + */ - _gnutls_free_datum(&bag->element[0].data); + _gnutls_free_datum (&bag->element[0].data); - ret = _pkcs12_decode_safe_contents(&dec, bag); + ret = _pkcs12_decode_safe_contents (&dec, bag); - _gnutls_free_datum(&dec); + _gnutls_free_datum (&dec); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } /** @@ -622,83 +681,90 @@ int gnutls_pkcs12_bag_decrypt(gnutls_pkcs12_bag_t bag, const char *pass) * This function will encrypt the given bag and return 0 on success. * **/ -int gnutls_pkcs12_bag_encrypt(gnutls_pkcs12_bag_t bag, const char *pass, - unsigned int flags) +int +gnutls_pkcs12_bag_encrypt (gnutls_pkcs12_bag_t bag, const char *pass, + unsigned int flags) { - int ret; - ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; - gnutls_datum_t der = { NULL, 0 }; - gnutls_datum_t enc = { NULL, 0 }; - schema_id id; + int ret; + ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; + gnutls_datum_t der = { NULL, 0 }; + gnutls_datum_t enc = { NULL, 0 }; + schema_id id; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bag == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Encode the whole bag to a safe contents - * structure. - */ - ret = _pkcs12_encode_safe_contents(bag, &safe_cont, NULL); - if (ret < 0) { - gnutls_assert(); - return ret; + /* Encode the whole bag to a safe contents + * structure. + */ + ret = _pkcs12_encode_safe_contents (bag, &safe_cont, NULL); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* DER encode the SafeContents. - */ - ret = _gnutls_x509_der_encode(safe_cont, "", &der, 0); + /* DER encode the SafeContents. + */ + ret = _gnutls_x509_der_encode (safe_cont, "", &der, 0); - asn1_delete_structure(&safe_cont); + asn1_delete_structure (&safe_cont); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - if (flags & GNUTLS_PKCS_PLAIN) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (flags & GNUTLS_PKCS_PLAIN) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) - id = PKCS12_ARCFOUR_SHA1; - else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) - id = PKCS12_RC2_40_SHA1; - else if (flags & GNUTLS_PKCS_USE_PBES2_3DES) - id = PBES2; - else - id = PKCS12_3DES_SHA1; + if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) + id = PKCS12_ARCFOUR_SHA1; + else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) + id = PKCS12_RC2_40_SHA1; + else if (flags & GNUTLS_PKCS_USE_PBES2_3DES) + id = PBES2; + else + id = PKCS12_3DES_SHA1; - /* Now encrypt them. - */ - ret = _gnutls_pkcs7_encrypt_data(id, &der, pass, &enc); + /* Now encrypt them. + */ + ret = _gnutls_pkcs7_encrypt_data (id, &der, pass, &enc); - _gnutls_free_datum(&der); + _gnutls_free_datum (&der); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* encryption succeeded. - */ + /* encryption succeeded. + */ - _pkcs12_bag_free_data(bag); + _pkcs12_bag_free_data (bag); - bag->element[0].type = GNUTLS_BAG_ENCRYPTED; - bag->element[0].data = enc; + bag->element[0].type = GNUTLS_BAG_ENCRYPTED; + bag->element[0].data = enc; - bag->bag_elements = 1; + bag->bag_elements = 1; - return 0; + return 0; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c index e7827b14fb..edbec8b702 100644 --- a/lib/x509/pkcs12_encr.c +++ b/lib/x509/pkcs12_encr.c @@ -32,18 +32,20 @@ /* Returns 0 if the password is ok, or a negative error * code instead. */ -static int _pkcs12_check_pass(const char *pass, size_t plen) +static int +_pkcs12_check_pass (const char *pass, size_t plen) { - const unsigned char *p = pass; - unsigned int i; - - for (i = 0; i < plen; i++) { - if (isascii(p[i])) - continue; - return GNUTLS_E_INVALID_PASSWORD; + const unsigned char *p = pass; + unsigned int i; + + for (i = 0; i < plen; i++) + { + if (isascii (p[i])) + continue; + return GNUTLS_E_INVALID_PASSWORD; } - return 0; + return 0; } /* ID should be: @@ -52,103 +54,116 @@ static int _pkcs12_check_pass(const char *pass, size_t plen) * 1 for encryption key */ int -_pkcs12_string_to_key(unsigned int id, const opaque * salt, - unsigned int salt_size, unsigned int iter, - const char *pw, unsigned int req_keylen, - opaque * keybuf) +_pkcs12_string_to_key (unsigned int id, const opaque * salt, + unsigned int salt_size, unsigned int iter, + const char *pw, unsigned int req_keylen, + opaque * keybuf) { - int rc; - unsigned int i, j; - gc_hash_handle md; - mpi_t num_b1 = NULL; - unsigned int pwlen; - opaque hash[20], buf_b[64], buf_i[128], *p; - size_t cur_keylen; - size_t n; - - cur_keylen = 0; - - if (pw == NULL) - pwlen = 0; - else - pwlen = strlen(pw); - - if (pwlen > 63 / 2) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + int rc; + unsigned int i, j; + gc_hash_handle md; + mpi_t num_b1 = NULL; + unsigned int pwlen; + opaque hash[20], buf_b[64], buf_i[128], *p; + size_t cur_keylen; + size_t n; + + cur_keylen = 0; + + if (pw == NULL) + pwlen = 0; + else + pwlen = strlen (pw); + + if (pwlen > 63 / 2) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if ((rc = _pkcs12_check_pass(pw, pwlen)) < 0) { - gnutls_assert(); - return rc; + if ((rc = _pkcs12_check_pass (pw, pwlen)) < 0) + { + gnutls_assert (); + return rc; } - /* Store salt and password in BUF_I */ - p = buf_i; - for (i = 0; i < 64; i++) - *p++ = salt[i % salt_size]; - if (pw) { - for (i = j = 0; i < 64; i += 2) { - *p++ = 0; - *p++ = pw[j]; - if (++j > pwlen) /* Note, that we include the trailing zero */ - j = 0; - } - } else - memset(p, 0, 64); - - for (;;) { - rc = gc_hash_open(GC_SHA1, 0, &md); - if (rc) { - gnutls_assert(); - return GNUTLS_E_DECRYPTION_FAILED; + /* Store salt and password in BUF_I */ + p = buf_i; + for (i = 0; i < 64; i++) + *p++ = salt[i % salt_size]; + if (pw) + { + for (i = j = 0; i < 64; i += 2) + { + *p++ = 0; + *p++ = pw[j]; + if (++j > pwlen) /* Note, that we include the trailing zero */ + j = 0; + } + } + else + memset (p, 0, 64); + + for (;;) + { + rc = gc_hash_open (GC_SHA1, 0, &md); + if (rc) + { + gnutls_assert (); + return GNUTLS_E_DECRYPTION_FAILED; } - for (i = 0; i < 64; i++) { - unsigned char lid = id & 0xFF; - gc_hash_write(md, 1, &lid); + for (i = 0; i < 64; i++) + { + unsigned char lid = id & 0xFF; + gc_hash_write (md, 1, &lid); } - gc_hash_write(md, pw?128:64, buf_i); - memcpy(hash, gc_hash_read(md), 20); - gc_hash_close(md); - for (i = 1; i < iter; i++) - gc_hash_buffer(GC_SHA1, hash, 20, hash); - for (i = 0; i < 20 && cur_keylen < req_keylen; i++) - keybuf[cur_keylen++] = hash[i]; - if (cur_keylen == req_keylen) { - gcry_mpi_release(num_b1); - return 0; /* ready */ + gc_hash_write (md, pw ? 128 : 64, buf_i); + memcpy (hash, gc_hash_read (md), 20); + gc_hash_close (md); + for (i = 1; i < iter; i++) + gc_hash_buffer (GC_SHA1, hash, 20, hash); + for (i = 0; i < 20 && cur_keylen < req_keylen; i++) + keybuf[cur_keylen++] = hash[i]; + if (cur_keylen == req_keylen) + { + gcry_mpi_release (num_b1); + return 0; /* ready */ } - /* need more bytes. */ - for (i = 0; i < 64; i++) - buf_b[i] = hash[i % 20]; - n = 64; - rc = _gnutls_mpi_scan(&num_b1, buf_b, &n); - if (rc < 0) { - gnutls_assert(); - return rc; + /* need more bytes. */ + for (i = 0; i < 64; i++) + buf_b[i] = hash[i % 20]; + n = 64; + rc = _gnutls_mpi_scan (&num_b1, buf_b, &n); + if (rc < 0) + { + gnutls_assert (); + return rc; } - gcry_mpi_add_ui(num_b1, num_b1, 1); - for (i = 0; i < 128; i += 64) { - mpi_t num_ij; - - n = 64; - rc = _gnutls_mpi_scan(&num_ij, buf_i + i, &n); - if (rc < 0) { - gnutls_assert(); - return rc; + gcry_mpi_add_ui (num_b1, num_b1, 1); + for (i = 0; i < 128; i += 64) + { + mpi_t num_ij; + + n = 64; + rc = _gnutls_mpi_scan (&num_ij, buf_i + i, &n); + if (rc < 0) + { + gnutls_assert (); + return rc; } - gcry_mpi_add(num_ij, num_ij, num_b1); - gcry_mpi_clear_highbit(num_ij, 64 * 8); - n = 64; - rc = _gnutls_mpi_print(buf_i + i, &n, num_ij); - if (rc < 0) { - gnutls_assert(); - return rc; + gcry_mpi_add (num_ij, num_ij, num_b1); + gcry_mpi_clear_highbit (num_ij, 64 * 8); + n = 64; + rc = _gnutls_mpi_print (buf_i + i, &n, num_ij); + if (rc < 0) + { + gnutls_assert (); + return rc; } - gcry_mpi_release(num_ij); + gcry_mpi_release (num_ij); } } } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c index 6507704546..6a915bef6b 100644 --- a/lib/x509/pkcs7.c +++ b/lib/x509/pkcs7.c @@ -44,90 +44,99 @@ * which holds them. If raw is non null then the raw decoded * data are copied (they are locally allocated) there. */ -static -int _decode_pkcs7_signed_data(ASN1_TYPE pkcs7, ASN1_TYPE * sdata, - gnutls_datum_t * raw) +static int +_decode_pkcs7_signed_data (ASN1_TYPE pkcs7, ASN1_TYPE * sdata, + gnutls_datum_t * raw) { - char oid[128]; - ASN1_TYPE c2; - opaque *tmp = NULL; - int tmp_size, len, result; - - len = sizeof(oid) - 1; - result = asn1_read_value(pkcs7, "contentType", oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + char oid[128]; + ASN1_TYPE c2; + opaque *tmp = NULL; + int tmp_size, len, result; + + len = sizeof (oid) - 1; + result = asn1_read_value (pkcs7, "contentType", oid, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - if (strcmp(oid, SIGNED_DATA_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log("Unknown PKCS7 Content OID '%s'\n", oid); - return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; + if (strcmp (oid, SIGNED_DATA_OID) != 0) + { + gnutls_assert (); + _gnutls_x509_log ("Unknown PKCS7 Content OID '%s'\n", oid); + return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; } - if ((result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-SignedData", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.pkcs-7-SignedData", &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - /* the Signed-data has been created, so - * decode them. - */ - tmp_size = 0; - result = asn1_read_value(pkcs7, "content", NULL, &tmp_size); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* the Signed-data has been created, so + * decode them. + */ + tmp_size = 0; + result = asn1_read_value (pkcs7, "content", NULL, &tmp_size); + if (result != ASN1_MEM_ERROR) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - tmp = gnutls_malloc(tmp_size); - if (tmp == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + tmp = gnutls_malloc (tmp_size); + if (tmp == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; } - result = asn1_read_value(pkcs7, "content", tmp, &tmp_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_read_value (pkcs7, "content", tmp, &tmp_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* tmp, tmp_size hold the data and the size of the CertificateSet structure - * actually the ANY stuff. - */ + /* tmp, tmp_size hold the data and the size of the CertificateSet structure + * actually the ANY stuff. + */ - /* Step 1. In case of a signed structure extract certificate set. - */ + /* Step 1. In case of a signed structure extract certificate set. + */ - result = asn1_der_decoding(&c2, tmp, tmp_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_der_decoding (&c2, tmp, tmp_size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - if (raw == NULL) { - gnutls_free(tmp); - } else { - raw->data = tmp; - raw->size = tmp_size; + if (raw == NULL) + { + gnutls_free (tmp); + } + else + { + raw->data = tmp; + raw->size = tmp_size; } - *sdata = c2; + *sdata = c2; - return 0; + return 0; - cleanup: - if (c2) - asn1_delete_structure(&c2); - gnutls_free(tmp); - return result; +cleanup: + if (c2) + asn1_delete_structure (&c2); + gnutls_free (tmp); + return result; } /** @@ -141,22 +150,25 @@ int _decode_pkcs7_signed_data(ASN1_TYPE pkcs7, ASN1_TYPE * sdata, * Returns 0 on success. * **/ -int gnutls_pkcs7_init(gnutls_pkcs7_t * pkcs7) +int +gnutls_pkcs7_init (gnutls_pkcs7_t * pkcs7) { - *pkcs7 = gnutls_calloc(1, sizeof(gnutls_pkcs7_int)); - - if (*pkcs7) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-7-ContentInfo", - &(*pkcs7)->pkcs7); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(*pkcs7); - return _gnutls_asn2err(result); + *pkcs7 = gnutls_calloc (1, sizeof (gnutls_pkcs7_int)); + + if (*pkcs7) + { + int result = asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-7-ContentInfo", + &(*pkcs7)->pkcs7); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + gnutls_free (*pkcs7); + return _gnutls_asn2err (result); } - return 0; /* success */ + return 0; /* success */ } - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_MEMORY_ERROR; } /** @@ -166,15 +178,16 @@ int gnutls_pkcs7_init(gnutls_pkcs7_t * pkcs7) * This function will deinitialize a PKCS7 structure. * **/ -void gnutls_pkcs7_deinit(gnutls_pkcs7_t pkcs7) +void +gnutls_pkcs7_deinit (gnutls_pkcs7_t pkcs7) { - if (!pkcs7) - return; + if (!pkcs7) + return; - if (pkcs7->pkcs7) - asn1_delete_structure(&pkcs7->pkcs7); + if (pkcs7->pkcs7) + asn1_delete_structure (&pkcs7->pkcs7); - gnutls_free(pkcs7); + gnutls_free (pkcs7); } /** @@ -191,57 +204,60 @@ void gnutls_pkcs7_deinit(gnutls_pkcs7_t pkcs7) * Returns 0 on success. * **/ -int gnutls_pkcs7_import(gnutls_pkcs7_t pkcs7, const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format) +int +gnutls_pkcs7_import (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format) { - int result = 0, need_free = 0; - gnutls_datum_t _data; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - _data.data = data->data; - _data.size = data->size; - - /* If the PKCS7 is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - result = _gnutls_fbase64_decode(PEM_PKCS7, data->data, data->size, - &out); - - if (result <= 0) { - if (result == 0) - result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; + int result = 0, need_free = 0; + gnutls_datum_t _data; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + _data.data = data->data; + _data.size = data->size; + + /* If the PKCS7 is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) + { + opaque *out; + + result = _gnutls_fbase64_decode (PEM_PKCS7, data->data, data->size, + &out); + + if (result <= 0) + { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return result; } - _data.data = out; - _data.size = result; + _data.data = out; + _data.size = result; - need_free = 1; + need_free = 1; } - result = - asn1_der_decoding(&pkcs7->pkcs7, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; + result = asn1_der_decoding (&pkcs7->pkcs7, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) + { + result = _gnutls_asn2err (result); + gnutls_assert (); + goto cleanup; } - if (need_free) - _gnutls_free_datum(&_data); + if (need_free) + _gnutls_free_datum (&_data); - return 0; + return 0; - cleanup: - if (need_free) - _gnutls_free_datum(&_data); - return result; +cleanup: + if (need_free) + _gnutls_free_datum (&_data); + return result; } /** @@ -259,88 +275,97 @@ int gnutls_pkcs7_import(gnutls_pkcs7_t pkcs7, const gnutls_datum_t * data, * will be returned. * **/ -int gnutls_pkcs7_get_crt_raw(gnutls_pkcs7_t pkcs7, - int indx, void *certificate, - size_t * certificate_size) +int +gnutls_pkcs7_get_crt_raw (gnutls_pkcs7_t pkcs7, + int indx, void *certificate, + size_t * certificate_size) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len; - char root2[64]; - char oid[128]; - char counter[MAX_INT_DIGITS]; - gnutls_datum_t tmp = { NULL, 0 }; - - if (certificate_size == NULL || pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, &tmp); - if (result < 0) { - gnutls_assert(); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len; + char root2[64]; + char oid[128]; + char counter[MAX_INT_DIGITS]; + gnutls_datum_t tmp = { NULL, 0 }; + + if (certificate_size == NULL || pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, &tmp); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Step 2. Parse the CertificateSet - */ + /* Step 2. Parse the CertificateSet + */ - _gnutls_str_cpy(root2, sizeof(root2), "certificates.?"); - _gnutls_int2str(indx + 1, counter); - _gnutls_str_cat(root2, sizeof(root2), counter); + _gnutls_str_cpy (root2, sizeof (root2), "certificates.?"); + _gnutls_int2str (indx + 1, counter); + _gnutls_str_cat (root2, sizeof (root2), counter); - len = sizeof(oid) - 1; + len = sizeof (oid) - 1; - result = asn1_read_value(c2, root2, oid, &len); + result = asn1_read_value (c2, root2, oid, &len); - if (result == ASN1_VALUE_NOT_FOUND) { - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - goto cleanup; + if (result == ASN1_VALUE_NOT_FOUND) + { + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + goto cleanup; } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* if 'Certificate' is the choice found: - */ - if (strcmp(oid, "certificate") == 0) { - int start, end; + /* if 'Certificate' is the choice found: + */ + if (strcmp (oid, "certificate") == 0) + { + int start, end; - result = asn1_der_decoding_startEnd(c2, tmp.data, tmp.size, - root2, &start, &end); + result = asn1_der_decoding_startEnd (c2, tmp.data, tmp.size, + root2, &start, &end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - end = end - start + 1; + end = end - start + 1; - if ((uint) end > *certificate_size) { - *certificate_size = end; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto cleanup; + if ((uint) end > *certificate_size) + { + *certificate_size = end; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto cleanup; } - if (certificate) - memcpy(certificate, &tmp.data[start], end); + if (certificate) + memcpy (certificate, &tmp.data[start], end); - *certificate_size = end; + *certificate_size = end; - result = 0; + result = 0; - } else { - result = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + } + else + { + result = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; } - cleanup: - _gnutls_free_datum(&tmp); - if (c2) - asn1_delete_structure(&c2); - return result; +cleanup: + _gnutls_free_datum (&tmp); + if (c2) + asn1_delete_structure (&c2); + return result; } /** @@ -353,34 +378,37 @@ int gnutls_pkcs7_get_crt_raw(gnutls_pkcs7_t pkcs7, * Returns a negative value on failure. * **/ -int gnutls_pkcs7_get_crt_count(gnutls_pkcs7_t pkcs7) +int +gnutls_pkcs7_get_crt_count (gnutls_pkcs7_t pkcs7) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, count; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, count; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Step 2. Count the CertificateSet */ + /* Step 2. Count the CertificateSet */ - result = asn1_number_of_elements(c2, "certificates", &count); + result = asn1_number_of_elements (c2, "certificates", &count); - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return 0; /* no certificates */ + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return 0; /* no certificates */ } - return count; + return count; } @@ -405,89 +433,95 @@ int gnutls_pkcs7_get_crt_count(gnutls_pkcs7_t pkcs7) * returned, and 0 on success. * **/ -int gnutls_pkcs7_export(gnutls_pkcs7_t pkcs7, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size) +int +gnutls_pkcs7_export (gnutls_pkcs7_t pkcs7, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) { - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - return _gnutls_x509_export_int(pkcs7->pkcs7, format, PEM_PKCS7, - *output_data_size, output_data, - output_data_size); + return _gnutls_x509_export_int (pkcs7->pkcs7, format, PEM_PKCS7, + *output_data_size, output_data, + output_data_size); } /* Creates an empty signed data structure in the pkcs7 * structure and returns a handle to the signed data. */ -static int create_empty_signed_data(ASN1_TYPE pkcs7, ASN1_TYPE * sdata) +static int +create_empty_signed_data (ASN1_TYPE pkcs7, ASN1_TYPE * sdata) { - uint8 one = 1; - int result; - - *sdata = ASN1_TYPE_EMPTY; - - if ((result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-SignedData", - sdata)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + uint8 one = 1; + int result; + + *sdata = ASN1_TYPE_EMPTY; + + if ((result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.pkcs-7-SignedData", + sdata)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Use version 1 - */ - result = asn1_write_value(*sdata, "version", &one, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* Use version 1 + */ + result = asn1_write_value (*sdata, "version", &one, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Use no digest algorithms - */ - - /* id-data */ - result = - asn1_write_value(*sdata, "encapContentInfo.eContentType", - "1.2.840.113549.1.7.5", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* Use no digest algorithms + */ + + /* id-data */ + result = + asn1_write_value (*sdata, "encapContentInfo.eContentType", + "1.2.840.113549.1.7.5", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - result = - asn1_write_value(*sdata, "encapContentInfo.eContent", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_write_value (*sdata, "encapContentInfo.eContent", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Add no certificates. - */ + /* Add no certificates. + */ - /* Add no crls. - */ + /* Add no crls. + */ - /* Add no signerInfos. - */ + /* Add no signerInfos. + */ - /* Write the content type of the signed data - */ - result = asn1_write_value(pkcs7, "contentType", SIGNED_DATA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* Write the content type of the signed data + */ + result = asn1_write_value (pkcs7, "contentType", SIGNED_DATA_OID, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - return 0; + return 0; - cleanup: - asn1_delete_structure(sdata); - return result; +cleanup: + asn1_delete_structure (sdata); + return result; } @@ -500,81 +534,87 @@ static int create_empty_signed_data(ASN1_TYPE pkcs7, ASN1_TYPE * sdata) * Returns 0 on success. * **/ -int gnutls_pkcs7_set_crt_raw(gnutls_pkcs7_t pkcs7, - const gnutls_datum_t * crt) +int +gnutls_pkcs7_set_crt_raw (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * crt) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); - if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - return result; - } - - /* If the signed data are uninitialized - * then create them. - */ - if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) { - /* The pkcs7 structure is new, so create the - * signedData. - */ - result = create_empty_signed_data(pkcs7->pkcs7, &c2); - if (result < 0) { - gnutls_assert(); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL); + if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) + { + gnutls_assert (); + return result; + } + + /* If the signed data are uninitialized + * then create them. + */ + if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) + { + /* The pkcs7 structure is new, so create the + * signedData. + */ + result = create_empty_signed_data (pkcs7->pkcs7, &c2); + if (result < 0) + { + gnutls_assert (); + return result; } } - /* Step 2. Append the new certificate. - */ + /* Step 2. Append the new certificate. + */ - result = asn1_write_value(c2, "certificates", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_write_value (c2, "certificates", "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - result = asn1_write_value(c2, "certificates.?LAST", "certificate", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_write_value (c2, "certificates.?LAST", "certificate", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - result = - asn1_write_value(c2, "certificates.?LAST.certificate", crt->data, - crt->size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = + asn1_write_value (c2, "certificates.?LAST.certificate", crt->data, + crt->size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Step 3. Replace the old content with the new - */ - result = - _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, "content", - 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - return 0; + return 0; - cleanup: - if (c2) - asn1_delete_structure(&c2); - return result; +cleanup: + if (c2) + asn1_delete_structure (&c2); + return result; } /** @@ -588,30 +628,33 @@ int gnutls_pkcs7_set_crt_raw(gnutls_pkcs7_t pkcs7, * Returns 0 on success. * **/ -int gnutls_pkcs7_set_crt(gnutls_pkcs7_t pkcs7, gnutls_x509_crt_t crt) +int +gnutls_pkcs7_set_crt (gnutls_pkcs7_t pkcs7, gnutls_x509_crt_t crt) { - int ret; - gnutls_datum_t data; + int ret; + gnutls_datum_t data; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = _gnutls_x509_der_encode(crt->cert, "", &data, 0); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_x509_der_encode (crt->cert, "", &data, 0); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = gnutls_pkcs7_set_crt_raw(pkcs7, &data); + ret = gnutls_pkcs7_set_crt_raw (pkcs7, &data); - _gnutls_free_datum(&data); + _gnutls_free_datum (&data); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } @@ -624,56 +667,59 @@ int gnutls_pkcs7_set_crt(gnutls_pkcs7_t pkcs7, gnutls_x509_crt_t crt) * Index starts from 0. Returns 0 on success. * **/ -int gnutls_pkcs7_delete_crt(gnutls_pkcs7_t pkcs7, int indx) +int +gnutls_pkcs7_delete_crt (gnutls_pkcs7_t pkcs7, int indx) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - char counter[MAX_INT_DIGITS]; - char root2[64]; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. Decode the signed data. - */ - result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + char counter[MAX_INT_DIGITS]; + char root2[64]; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. Decode the signed data. + */ + result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Step 2. Delete the certificate. - */ + /* Step 2. Delete the certificate. + */ - _gnutls_str_cpy(root2, sizeof(root2), "certificates.?"); - _gnutls_int2str(indx + 1, counter); - _gnutls_str_cat(root2, sizeof(root2), counter); + _gnutls_str_cpy (root2, sizeof (root2), "certificates.?"); + _gnutls_int2str (indx + 1, counter); + _gnutls_str_cat (root2, sizeof (root2), counter); - result = asn1_write_value(c2, root2, NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_write_value (c2, root2, NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Step 3. Replace the old content with the new - */ - result = - _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, "content", - 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - return 0; + return 0; - cleanup: - if (c2) - asn1_delete_structure(&c2); - return result; +cleanup: + if (c2) + asn1_delete_structure (&c2); + return result; } /* Read and write CRLs @@ -694,66 +740,70 @@ int gnutls_pkcs7_delete_crt(gnutls_pkcs7_t pkcs7, int indx) * will be returned. * **/ -int gnutls_pkcs7_get_crl_raw(gnutls_pkcs7_t pkcs7, - int indx, void *crl, size_t * crl_size) +int +gnutls_pkcs7_get_crl_raw (gnutls_pkcs7_t pkcs7, + int indx, void *crl, size_t * crl_size) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - char root2[64]; - char counter[MAX_INT_DIGITS]; - gnutls_datum_t tmp = { NULL, 0 }; - int start, end; - - if (pkcs7 == NULL || crl_size == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, &tmp); - if (result < 0) { - gnutls_assert(); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + char root2[64]; + char counter[MAX_INT_DIGITS]; + gnutls_datum_t tmp = { NULL, 0 }; + int start, end; + + if (pkcs7 == NULL || crl_size == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, &tmp); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Step 2. Parse the CertificateSet - */ + /* Step 2. Parse the CertificateSet + */ - _gnutls_str_cpy(root2, sizeof(root2), "crls.?"); - _gnutls_int2str(indx + 1, counter); - _gnutls_str_cat(root2, sizeof(root2), counter); + _gnutls_str_cpy (root2, sizeof (root2), "crls.?"); + _gnutls_int2str (indx + 1, counter); + _gnutls_str_cat (root2, sizeof (root2), counter); - /* Get the raw CRL - */ - result = asn1_der_decoding_startEnd(c2, tmp.data, tmp.size, - root2, &start, &end); + /* Get the raw CRL + */ + result = asn1_der_decoding_startEnd (c2, tmp.data, tmp.size, + root2, &start, &end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - end = end - start + 1; + end = end - start + 1; - if ((uint) end > *crl_size) { - *crl_size = end; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto cleanup; + if ((uint) end > *crl_size) + { + *crl_size = end; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto cleanup; } - if (crl) - memcpy(crl, &tmp.data[start], end); + if (crl) + memcpy (crl, &tmp.data[start], end); - *crl_size = end; + *crl_size = end; - result = 0; + result = 0; - cleanup: - _gnutls_free_datum(&tmp); - if (c2) - asn1_delete_structure(&c2); - return result; +cleanup: + _gnutls_free_datum (&tmp); + if (c2) + asn1_delete_structure (&c2); + return result; } /** @@ -766,34 +816,37 @@ int gnutls_pkcs7_get_crl_raw(gnutls_pkcs7_t pkcs7, * Returns a negative value on failure. * **/ -int gnutls_pkcs7_get_crl_count(gnutls_pkcs7_t pkcs7) +int +gnutls_pkcs7_get_crl_count (gnutls_pkcs7_t pkcs7) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, count; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, count; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Step 2. Count the CertificateSet */ + /* Step 2. Count the CertificateSet */ - result = asn1_number_of_elements(c2, "crls", &count); + result = asn1_number_of_elements (c2, "crls", &count); - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return 0; /* no crls */ + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return 0; /* no crls */ } - return count; + return count; } @@ -806,72 +859,77 @@ int gnutls_pkcs7_get_crl_count(gnutls_pkcs7_t pkcs7) * Returns 0 on success. * **/ -int gnutls_pkcs7_set_crl_raw(gnutls_pkcs7_t pkcs7, - const gnutls_datum_t * crl) +int +gnutls_pkcs7_set_crl_raw (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * crl) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); - if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - return result; - } - - /* If the signed data are uninitialized - * then create them. - */ - if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) { - /* The pkcs7 structure is new, so create the - * signedData. - */ - result = create_empty_signed_data(pkcs7->pkcs7, &c2); - if (result < 0) { - gnutls_assert(); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL); + if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) + { + gnutls_assert (); + return result; + } + + /* If the signed data are uninitialized + * then create them. + */ + if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) + { + /* The pkcs7 structure is new, so create the + * signedData. + */ + result = create_empty_signed_data (pkcs7->pkcs7, &c2); + if (result < 0) + { + gnutls_assert (); + return result; } } - /* Step 2. Append the new crl. - */ + /* Step 2. Append the new crl. + */ - result = asn1_write_value(c2, "crls", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_write_value (c2, "crls", "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - result = asn1_write_value(c2, "crls.?LAST", crl->data, crl->size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_write_value (c2, "crls.?LAST", crl->data, crl->size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Step 3. Replace the old content with the new - */ - result = - _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, "content", - 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - return 0; + return 0; - cleanup: - if (c2) - asn1_delete_structure(&c2); - return result; +cleanup: + if (c2) + asn1_delete_structure (&c2); + return result; } /** @@ -883,30 +941,33 @@ int gnutls_pkcs7_set_crl_raw(gnutls_pkcs7_t pkcs7, * Returns 0 on success. * **/ -int gnutls_pkcs7_set_crl(gnutls_pkcs7_t pkcs7, gnutls_x509_crl_t crl) +int +gnutls_pkcs7_set_crl (gnutls_pkcs7_t pkcs7, gnutls_x509_crl_t crl) { - int ret; - gnutls_datum_t data; + int ret; + gnutls_datum_t data; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = _gnutls_x509_der_encode(crl->crl, "", &data, 0); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_x509_der_encode (crl->crl, "", &data, 0); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = gnutls_pkcs7_set_crl_raw(pkcs7, &data); + ret = gnutls_pkcs7_set_crl_raw (pkcs7, &data); - _gnutls_free_datum(&data); + _gnutls_free_datum (&data); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } /** @@ -918,56 +979,59 @@ int gnutls_pkcs7_set_crl(gnutls_pkcs7_t pkcs7, gnutls_x509_crl_t crl) * Index starts from 0. Returns 0 on success. * **/ -int gnutls_pkcs7_delete_crl(gnutls_pkcs7_t pkcs7, int indx) +int +gnutls_pkcs7_delete_crl (gnutls_pkcs7_t pkcs7, int indx) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - char counter[MAX_INT_DIGITS]; - char root2[64]; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. Decode the signed data. - */ - result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + char counter[MAX_INT_DIGITS]; + char root2[64]; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. Decode the signed data. + */ + result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Step 2. Delete the crl. - */ + /* Step 2. Delete the crl. + */ - _gnutls_str_cpy(root2, sizeof(root2), "crls.?"); - _gnutls_int2str(indx + 1, counter); - _gnutls_str_cat(root2, sizeof(root2), counter); + _gnutls_str_cpy (root2, sizeof (root2), "crls.?"); + _gnutls_int2str (indx + 1, counter); + _gnutls_str_cat (root2, sizeof (root2), counter); - result = asn1_write_value(c2, root2, NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_write_value (c2, root2, NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - /* Step 3. Replace the old content with the new - */ - result = - _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, "content", - 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - return 0; + return 0; - cleanup: - if (c2) - asn1_delete_structure(&c2); - return result; +cleanup: + if (c2) + asn1_delete_structure (&c2); + return result; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/pkcs7.h b/lib/x509/pkcs7.h index d51858e317..7f9e3b8627 100644 --- a/lib/x509/pkcs7.h +++ b/lib/x509/pkcs7.h @@ -24,6 +24,7 @@ #include <gnutls/x509.h> -typedef struct gnutls_pkcs7_int { +typedef struct gnutls_pkcs7_int +{ ASN1_TYPE pkcs7; } gnutls_pkcs7_int; diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index 1b0409e448..dd29e89d4d 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -38,8 +38,8 @@ #include <dsa.h> #include <verify.h> -static int _encode_rsa(ASN1_TYPE * c2, mpi_t * params); -static int _encode_dsa(ASN1_TYPE * c2, mpi_t * params); +static int _encode_rsa (ASN1_TYPE * c2, mpi_t * params); +static int _encode_dsa (ASN1_TYPE * c2, mpi_t * params); /* remove this when libgcrypt can handle the PKCS #1 coefficients from * rsa keys @@ -55,17 +55,19 @@ static int _encode_dsa(ASN1_TYPE * c2, mpi_t * params); * Returns 0 on success. * **/ -int gnutls_x509_privkey_init(gnutls_x509_privkey_t * key) +int +gnutls_x509_privkey_init (gnutls_x509_privkey_t * key) { - *key = gnutls_calloc(1, sizeof(gnutls_x509_privkey_int)); + *key = gnutls_calloc (1, sizeof (gnutls_x509_privkey_int)); - if (*key) { - (*key)->key = ASN1_TYPE_EMPTY; - (*key)->pk_algorithm = GNUTLS_PK_UNKNOWN; - return 0; /* success */ + if (*key) + { + (*key)->key = ASN1_TYPE_EMPTY; + (*key)->pk_algorithm = GNUTLS_PK_UNKNOWN; + return 0; /* success */ } - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_MEMORY_ERROR; } /** @@ -75,19 +77,21 @@ int gnutls_x509_privkey_init(gnutls_x509_privkey_t * key) * This function will deinitialize a private key structure. * **/ -void gnutls_x509_privkey_deinit(gnutls_x509_privkey_t key) +void +gnutls_x509_privkey_deinit (gnutls_x509_privkey_t key) { - int i; + int i; - if (!key) - return; + if (!key) + return; - for (i = 0; i < key->params_size; i++) { - _gnutls_mpi_release(&key->params[i]); + for (i = 0; i < key->params_size; i++) + { + _gnutls_mpi_release (&key->params[i]); } - asn1_delete_structure(&key->key); - gnutls_free(key); + asn1_delete_structure (&key->key); + gnutls_free (key); } /** @@ -98,216 +102,234 @@ void gnutls_x509_privkey_deinit(gnutls_x509_privkey_t key) * This function will copy a private key from source to destination key. * **/ -int gnutls_x509_privkey_cpy(gnutls_x509_privkey_t dst, - gnutls_x509_privkey_t src) +int +gnutls_x509_privkey_cpy (gnutls_x509_privkey_t dst, gnutls_x509_privkey_t src) { - int i, ret; + int i, ret; - if (!src || !dst) - return GNUTLS_E_INVALID_REQUEST; + if (!src || !dst) + return GNUTLS_E_INVALID_REQUEST; - for (i = 0; i < src->params_size; i++) { - dst->params[i] = _gnutls_mpi_copy(src->params[i]); - if (dst->params[i] == NULL) - return GNUTLS_E_MEMORY_ERROR; + for (i = 0; i < src->params_size; i++) + { + dst->params[i] = _gnutls_mpi_copy (src->params[i]); + if (dst->params[i] == NULL) + return GNUTLS_E_MEMORY_ERROR; } - dst->params_size = src->params_size; - dst->pk_algorithm = src->pk_algorithm; - dst->crippled = src->crippled; + dst->params_size = src->params_size; + dst->pk_algorithm = src->pk_algorithm; + dst->crippled = src->crippled; - if (!src->crippled) { - switch (dst->pk_algorithm) { + if (!src->crippled) + { + switch (dst->pk_algorithm) + { case GNUTLS_PK_DSA: - ret = _encode_dsa(&dst->key, dst->params); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _encode_dsa (&dst->key, dst->params); + if (ret < 0) + { + gnutls_assert (); + return ret; } - break; + break; case GNUTLS_PK_RSA: - ret = _encode_rsa(&dst->key, dst->params); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _encode_rsa (&dst->key, dst->params); + if (ret < 0) + { + gnutls_assert (); + return ret; } - break; + break; default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } } - return 0; + return 0; } /* Converts an RSA PKCS#1 key to * an internal structure (gnutls_private_key) */ -ASN1_TYPE _gnutls_privkey_decode_pkcs1_rsa_key( - const gnutls_datum_t * raw_key, gnutls_x509_privkey_t pkey) +ASN1_TYPE +_gnutls_privkey_decode_pkcs1_rsa_key (const gnutls_datum_t * raw_key, + gnutls_x509_privkey_t pkey) { - int result; - ASN1_TYPE pkey_asn; + int result; + ASN1_TYPE pkey_asn; - if ((result = - asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.RSAPrivateKey", - &pkey_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return NULL; + if ((result = + asn1_create_element (_gnutls_get_gnutls_asn (), + "GNUTLS.RSAPrivateKey", + &pkey_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return NULL; } - if ((sizeof(pkey->params) / sizeof(mpi_t)) < RSA_PRIVATE_PARAMS) { - gnutls_assert(); - /* internal error. Increase the mpi_ts in params */ - return NULL; + if ((sizeof (pkey->params) / sizeof (mpi_t)) < RSA_PRIVATE_PARAMS) + { + gnutls_assert (); + /* internal error. Increase the mpi_ts in params */ + return NULL; } - result = - asn1_der_decoding(&pkey_asn, raw_key->data, raw_key->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; + result = asn1_der_decoding (&pkey_asn, raw_key->data, raw_key->size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; } - if ((result = _gnutls_x509_read_int(pkey_asn, "modulus", - &pkey->params[0])) < 0) { - gnutls_assert(); - goto error; + if ((result = _gnutls_x509_read_int (pkey_asn, "modulus", + &pkey->params[0])) < 0) + { + gnutls_assert (); + goto error; } - if ((result = - _gnutls_x509_read_int(pkey_asn, "publicExponent", - &pkey->params[1])) < 0) { - gnutls_assert(); - goto error; + if ((result = + _gnutls_x509_read_int (pkey_asn, "publicExponent", + &pkey->params[1])) < 0) + { + gnutls_assert (); + goto error; } - if ((result = - _gnutls_x509_read_int(pkey_asn, "privateExponent", - &pkey->params[2])) < 0) { - gnutls_assert(); - goto error; + if ((result = + _gnutls_x509_read_int (pkey_asn, "privateExponent", + &pkey->params[2])) < 0) + { + gnutls_assert (); + goto error; } - if ((result = _gnutls_x509_read_int(pkey_asn, "prime1", - &pkey->params[3])) < 0) { - gnutls_assert(); - goto error; + if ((result = _gnutls_x509_read_int (pkey_asn, "prime1", + &pkey->params[3])) < 0) + { + gnutls_assert (); + goto error; } - if ((result = _gnutls_x509_read_int(pkey_asn, "prime2", - &pkey->params[4])) < 0) { - gnutls_assert(); - goto error; + if ((result = _gnutls_x509_read_int (pkey_asn, "prime2", + &pkey->params[4])) < 0) + { + gnutls_assert (); + goto error; } #ifdef CALC_COEFF - /* Calculate the coefficient. This is because the gcrypt - * library is uses the p,q in the reverse order. - */ - pkey->params[5] = - _gnutls_mpi_snew(_gnutls_mpi_get_nbits(pkey->params[0])); + /* Calculate the coefficient. This is because the gcrypt + * library is uses the p,q in the reverse order. + */ + pkey->params[5] = + _gnutls_mpi_snew (_gnutls_mpi_get_nbits (pkey->params[0])); - if (pkey->params[5] == NULL) { - gnutls_assert(); - goto error; + if (pkey->params[5] == NULL) + { + gnutls_assert (); + goto error; } - _gnutls_mpi_invm(pkey->params[5], pkey->params[3], pkey->params[4]); - /* p, q */ + _gnutls_mpi_invm (pkey->params[5], pkey->params[3], pkey->params[4]); + /* p, q */ #else - if ((result = _gnutls_x509_read_int(pkey_asn, "coefficient", - &pkey->params[5])) < 0) { - gnutls_assert(); - goto error; + if ((result = _gnutls_x509_read_int (pkey_asn, "coefficient", + &pkey->params[5])) < 0) + { + gnutls_assert (); + goto error; } #endif - pkey->params_size = 6; + pkey->params_size = 6; - return pkey_asn; + return pkey_asn; - error: - asn1_delete_structure(&pkey_asn); - _gnutls_mpi_release(&pkey->params[0]); - _gnutls_mpi_release(&pkey->params[1]); - _gnutls_mpi_release(&pkey->params[2]); - _gnutls_mpi_release(&pkey->params[3]); - _gnutls_mpi_release(&pkey->params[4]); - _gnutls_mpi_release(&pkey->params[5]); - return NULL; +error: + asn1_delete_structure (&pkey_asn); + _gnutls_mpi_release (&pkey->params[0]); + _gnutls_mpi_release (&pkey->params[1]); + _gnutls_mpi_release (&pkey->params[2]); + _gnutls_mpi_release (&pkey->params[3]); + _gnutls_mpi_release (&pkey->params[4]); + _gnutls_mpi_release (&pkey->params[5]); + return NULL; } -static ASN1_TYPE decode_dsa_key(const gnutls_datum_t * raw_key, - gnutls_x509_privkey_t pkey) +static ASN1_TYPE +decode_dsa_key (const gnutls_datum_t * raw_key, gnutls_x509_privkey_t pkey) { - int result; - ASN1_TYPE dsa_asn; + int result; + ASN1_TYPE dsa_asn; - if ((result = - asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.DSAPrivateKey", - &dsa_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return NULL; + if ((result = + asn1_create_element (_gnutls_get_gnutls_asn (), + "GNUTLS.DSAPrivateKey", + &dsa_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return NULL; } - if ((sizeof(pkey->params) / sizeof(mpi_t)) < DSA_PRIVATE_PARAMS) { - gnutls_assert(); - /* internal error. Increase the mpi_ts in params */ - return NULL; + if ((sizeof (pkey->params) / sizeof (mpi_t)) < DSA_PRIVATE_PARAMS) + { + gnutls_assert (); + /* internal error. Increase the mpi_ts in params */ + return NULL; } - result = - asn1_der_decoding(&dsa_asn, raw_key->data, raw_key->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; + result = asn1_der_decoding (&dsa_asn, raw_key->data, raw_key->size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; } - if ((result = _gnutls_x509_read_int(dsa_asn, "p", - &pkey->params[0])) < 0) { - gnutls_assert(); - goto error; + if ((result = _gnutls_x509_read_int (dsa_asn, "p", &pkey->params[0])) < 0) + { + gnutls_assert (); + goto error; } - if ((result = _gnutls_x509_read_int(dsa_asn, "q", - &pkey->params[1])) < 0) { - gnutls_assert(); - goto error; + if ((result = _gnutls_x509_read_int (dsa_asn, "q", &pkey->params[1])) < 0) + { + gnutls_assert (); + goto error; } - if ((result = _gnutls_x509_read_int(dsa_asn, "g", - &pkey->params[2])) < 0) { - gnutls_assert(); - goto error; + if ((result = _gnutls_x509_read_int (dsa_asn, "g", &pkey->params[2])) < 0) + { + gnutls_assert (); + goto error; } - if ((result = _gnutls_x509_read_int(dsa_asn, "Y", - &pkey->params[3])) < 0) { - gnutls_assert(); - goto error; + if ((result = _gnutls_x509_read_int (dsa_asn, "Y", &pkey->params[3])) < 0) + { + gnutls_assert (); + goto error; } - if ((result = _gnutls_x509_read_int(dsa_asn, "priv", - &pkey->params[4])) < 0) { - gnutls_assert(); - goto error; + if ((result = _gnutls_x509_read_int (dsa_asn, "priv", + &pkey->params[4])) < 0) + { + gnutls_assert (); + goto error; } - pkey->params_size = 5; + pkey->params_size = 5; - return dsa_asn; + return dsa_asn; - error: - asn1_delete_structure(&dsa_asn); - _gnutls_mpi_release(&pkey->params[0]); - _gnutls_mpi_release(&pkey->params[1]); - _gnutls_mpi_release(&pkey->params[2]); - _gnutls_mpi_release(&pkey->params[3]); - _gnutls_mpi_release(&pkey->params[4]); - return NULL; +error: + asn1_delete_structure (&dsa_asn); + _gnutls_mpi_release (&pkey->params[0]); + _gnutls_mpi_release (&pkey->params[1]); + _gnutls_mpi_release (&pkey->params[2]); + _gnutls_mpi_release (&pkey->params[3]); + _gnutls_mpi_release (&pkey->params[4]); + return NULL; } @@ -330,99 +352,113 @@ static ASN1_TYPE decode_dsa_key(const gnutls_datum_t * raw_key, * Returns 0 on success. * **/ -int gnutls_x509_privkey_import(gnutls_x509_privkey_t key, - const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format) +int +gnutls_x509_privkey_import (gnutls_x509_privkey_t key, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format) { - int result = 0, need_free = 0; - gnutls_datum_t _data; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - _data.data = data->data; - _data.size = data->size; - - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - /* Try the first header */ - result = - _gnutls_fbase64_decode(PEM_KEY_RSA, data->data, data->size, - &out); - key->pk_algorithm = GNUTLS_PK_RSA; - - if (result <= 0) { - /* try for the second header */ - result = - _gnutls_fbase64_decode(PEM_KEY_DSA, data->data, data->size, - &out); - key->pk_algorithm = GNUTLS_PK_DSA; - - if (result <= 0) { - if (result == 0) - result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; + int result = 0, need_free = 0; + gnutls_datum_t _data; + + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + _data.data = data->data; + _data.size = data->size; + + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) + { + opaque *out; + + /* Try the first header */ + result = + _gnutls_fbase64_decode (PEM_KEY_RSA, data->data, data->size, &out); + key->pk_algorithm = GNUTLS_PK_RSA; + + if (result <= 0) + { + /* try for the second header */ + result = + _gnutls_fbase64_decode (PEM_KEY_DSA, data->data, data->size, + &out); + key->pk_algorithm = GNUTLS_PK_DSA; + + if (result <= 0) + { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return result; } } - _data.data = out; - _data.size = result; + _data.data = out; + _data.size = result; - need_free = 1; + need_free = 1; } - if (key->pk_algorithm == GNUTLS_PK_RSA) { - key->key = _gnutls_privkey_decode_pkcs1_rsa_key(&_data, key); - if (key->key == NULL) { - gnutls_assert(); - result = GNUTLS_E_ASN1_DER_ERROR; - goto cleanup; + if (key->pk_algorithm == GNUTLS_PK_RSA) + { + key->key = _gnutls_privkey_decode_pkcs1_rsa_key (&_data, key); + if (key->key == NULL) + { + gnutls_assert (); + result = GNUTLS_E_ASN1_DER_ERROR; + goto cleanup; } - } else if (key->pk_algorithm == GNUTLS_PK_DSA) { - key->key = decode_dsa_key(&_data, key); - if (key->key == NULL) { - gnutls_assert(); - result = GNUTLS_E_ASN1_DER_ERROR; - goto cleanup; + } + else if (key->pk_algorithm == GNUTLS_PK_DSA) + { + key->key = decode_dsa_key (&_data, key); + if (key->key == NULL) + { + gnutls_assert (); + result = GNUTLS_E_ASN1_DER_ERROR; + goto cleanup; } - } else { - /* Try decoding with both, and accept the one that - * succeeds. - */ - key->pk_algorithm = GNUTLS_PK_DSA; - key->key = decode_dsa_key(&_data, key); - - if (key->key == NULL) { - key->pk_algorithm = GNUTLS_PK_RSA; - key->key = _gnutls_privkey_decode_pkcs1_rsa_key(&_data, key); - if (key->key == NULL) { - gnutls_assert(); - result = GNUTLS_E_ASN1_DER_ERROR; - goto cleanup; + } + else + { + /* Try decoding with both, and accept the one that + * succeeds. + */ + key->pk_algorithm = GNUTLS_PK_DSA; + key->key = decode_dsa_key (&_data, key); + + if (key->key == NULL) + { + key->pk_algorithm = GNUTLS_PK_RSA; + key->key = _gnutls_privkey_decode_pkcs1_rsa_key (&_data, key); + if (key->key == NULL) + { + gnutls_assert (); + result = GNUTLS_E_ASN1_DER_ERROR; + goto cleanup; } } } - if (need_free) - _gnutls_free_datum(&_data); + if (need_free) + _gnutls_free_datum (&_data); - /* The key has now been decoded. - */ + /* The key has now been decoded. + */ - return 0; + return 0; - cleanup: - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - if (need_free) - _gnutls_free_datum(&_data); - return result; +cleanup: + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + if (need_free) + _gnutls_free_datum (&_data); + return result; } #define FREE_RSA_PRIVATE_PARAMS for (i=0;i<RSA_PRIVATE_PARAMS;i++) \ @@ -444,86 +480,100 @@ int gnutls_x509_privkey_import(gnutls_x509_privkey_t key, * to the native gnutls_x509_privkey_t format. The output will be stored in @key. * **/ -int gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey_t key, - const gnutls_datum_t * m, const gnutls_datum_t * e, const gnutls_datum_t * d, - const gnutls_datum_t * p, const gnutls_datum_t * q, const gnutls_datum_t * u) +int +gnutls_x509_privkey_import_rsa_raw (gnutls_x509_privkey_t key, + const gnutls_datum_t * m, + const gnutls_datum_t * e, + const gnutls_datum_t * d, + const gnutls_datum_t * p, + const gnutls_datum_t * q, + const gnutls_datum_t * u) { - int i = 0, ret; - size_t siz = 0; + int i = 0, ret; + size_t siz = 0; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - siz = m->size; - if (_gnutls_mpi_scan_nz(&key->params[0], m->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; + siz = m->size; + if (_gnutls_mpi_scan_nz (&key->params[0], m->data, &siz)) + { + gnutls_assert (); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; } - siz = e->size; - if (_gnutls_mpi_scan_nz(&key->params[1], e->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; + siz = e->size; + if (_gnutls_mpi_scan_nz (&key->params[1], e->data, &siz)) + { + gnutls_assert (); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; } - siz = d->size; - if (_gnutls_mpi_scan_nz(&key->params[2], d->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; + siz = d->size; + if (_gnutls_mpi_scan_nz (&key->params[2], d->data, &siz)) + { + gnutls_assert (); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; } - siz = p->size; - if (_gnutls_mpi_scan_nz(&key->params[3], p->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; + siz = p->size; + if (_gnutls_mpi_scan_nz (&key->params[3], p->data, &siz)) + { + gnutls_assert (); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; } - siz = q->size; - if (_gnutls_mpi_scan_nz(&key->params[4], q->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; + siz = q->size; + if (_gnutls_mpi_scan_nz (&key->params[4], q->data, &siz)) + { + gnutls_assert (); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; } #ifdef CALC_COEFF - key->params[5] = - _gnutls_mpi_snew(_gnutls_mpi_get_nbits(key->params[0])); + key->params[5] = _gnutls_mpi_snew (_gnutls_mpi_get_nbits (key->params[0])); - if (key->params[5] == NULL) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MEMORY_ERROR; + if (key->params[5] == NULL) + { + gnutls_assert (); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MEMORY_ERROR; } - _gnutls_mpi_invm(key->params[5], key->params[3], key->params[4]); + _gnutls_mpi_invm (key->params[5], key->params[3], key->params[4]); #else - siz = u->size; - if (_gnutls_mpi_scan_nz(&key->params[5], u->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; + siz = u->size; + if (_gnutls_mpi_scan_nz (&key->params[5], u->data, &siz)) + { + gnutls_assert (); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; } #endif - if (!key->crippled) { - ret = _encode_rsa(&key->key, key->params); - if (ret < 0) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return ret; + if (!key->crippled) + { + ret = _encode_rsa (&key->key, key->params); + if (ret < 0) + { + gnutls_assert (); + FREE_RSA_PRIVATE_PARAMS; + return ret; } } - key->params_size = RSA_PRIVATE_PARAMS; - key->pk_algorithm = GNUTLS_PK_RSA; + key->params_size = RSA_PRIVATE_PARAMS; + key->pk_algorithm = GNUTLS_PK_RSA; - return 0; + return 0; } @@ -540,66 +590,78 @@ int gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey_t key, * to the native gnutls_x509_privkey_t format. The output will be stored in @key. * **/ -int gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey_t key, - const gnutls_datum_t * p, const gnutls_datum_t * q, const gnutls_datum_t * g, - const gnutls_datum_t * y, const gnutls_datum_t * x) +int +gnutls_x509_privkey_import_dsa_raw (gnutls_x509_privkey_t key, + const gnutls_datum_t * p, + const gnutls_datum_t * q, + const gnutls_datum_t * g, + const gnutls_datum_t * y, + const gnutls_datum_t * x) { - int i = 0, ret; - size_t siz = 0; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - siz = p->size; - if (_gnutls_mpi_scan_nz(&key->params[0], p->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = q->size; - if (_gnutls_mpi_scan_nz(&key->params[1], q->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = g->size; - if (_gnutls_mpi_scan_nz(&key->params[2], g->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = y->size; - if (_gnutls_mpi_scan_nz(&key->params[3], y->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = x->size; - if (_gnutls_mpi_scan_nz(&key->params[4], x->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - if (!key->crippled) { - ret = _encode_dsa(&key->key, key->params); - if (ret < 0) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return ret; + int i = 0, ret; + size_t siz = 0; + + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + siz = p->size; + if (_gnutls_mpi_scan_nz (&key->params[0], p->data, &siz)) + { + gnutls_assert (); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = q->size; + if (_gnutls_mpi_scan_nz (&key->params[1], q->data, &siz)) + { + gnutls_assert (); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = g->size; + if (_gnutls_mpi_scan_nz (&key->params[2], g->data, &siz)) + { + gnutls_assert (); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = y->size; + if (_gnutls_mpi_scan_nz (&key->params[3], y->data, &siz)) + { + gnutls_assert (); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = x->size; + if (_gnutls_mpi_scan_nz (&key->params[4], x->data, &siz)) + { + gnutls_assert (); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + if (!key->crippled) + { + ret = _encode_dsa (&key->key, key->params); + if (ret < 0) + { + gnutls_assert (); + FREE_DSA_PRIVATE_PARAMS; + return ret; } } - key->params_size = DSA_PRIVATE_PARAMS; - key->pk_algorithm = GNUTLS_PK_DSA; + key->params_size = DSA_PRIVATE_PARAMS; + key->pk_algorithm = GNUTLS_PK_DSA; - return 0; + return 0; } @@ -615,14 +677,16 @@ int gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey_t key, * or a negative value on error. * **/ -int gnutls_x509_privkey_get_pk_algorithm(gnutls_x509_privkey_t key) +int +gnutls_x509_privkey_get_pk_algorithm (gnutls_x509_privkey_t key) { - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return key->pk_algorithm; + return key->pk_algorithm; } @@ -649,49 +713,57 @@ int gnutls_x509_privkey_get_pk_algorithm(gnutls_x509_privkey_t key) * returned, and 0 on success. * **/ -int gnutls_x509_privkey_export(gnutls_x509_privkey_t key, - gnutls_x509_crt_fmt_t format, void *output_data, size_t * output_data_size) +int +gnutls_x509_privkey_export (gnutls_x509_privkey_t key, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) { - char *msg; - int ret; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (key->pk_algorithm == GNUTLS_PK_RSA) - msg = PEM_KEY_RSA; - else if (key->pk_algorithm == GNUTLS_PK_DSA) - msg = PEM_KEY_DSA; - else - msg = NULL; - - if (key->crippled) { /* encode the parameters on the fly. + char *msg; + int ret; + + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + if (key->pk_algorithm == GNUTLS_PK_RSA) + msg = PEM_KEY_RSA; + else if (key->pk_algorithm == GNUTLS_PK_DSA) + msg = PEM_KEY_DSA; + else + msg = NULL; + + if (key->crippled) + { /* encode the parameters on the fly. */ - switch (key->pk_algorithm) { + switch (key->pk_algorithm) + { case GNUTLS_PK_DSA: - ret = _encode_dsa(&key->key, key->params); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _encode_dsa (&key->key, key->params); + if (ret < 0) + { + gnutls_assert (); + return ret; } - break; + break; case GNUTLS_PK_RSA: - ret = _encode_rsa(&key->key, key->params); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _encode_rsa (&key->key, key->params); + if (ret < 0) + { + gnutls_assert (); + return ret; } - break; + break; default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } } - return _gnutls_x509_export_int(key->key, format, msg, - *output_data_size, output_data, output_data_size); + return _gnutls_x509_export_int (key->key, format, msg, + *output_data_size, output_data, + output_data_size); } @@ -710,93 +782,103 @@ int gnutls_x509_privkey_export(gnutls_x509_privkey_t key, * gnutls_malloc() and will be stored in the appropriate datum. * **/ -int gnutls_x509_privkey_export_rsa_raw(gnutls_x509_privkey_t key, - gnutls_datum_t * m, gnutls_datum_t * e, gnutls_datum_t * d, - gnutls_datum_t * p, gnutls_datum_t * q, gnutls_datum_t * u) +int +gnutls_x509_privkey_export_rsa_raw (gnutls_x509_privkey_t key, + gnutls_datum_t * m, gnutls_datum_t * e, + gnutls_datum_t * d, gnutls_datum_t * p, + gnutls_datum_t * q, gnutls_datum_t * u) { - int ret; - mpi_t coeff = NULL; + int ret; + mpi_t coeff = NULL; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - - m->data=e->data=d->data=p->data=q->data=u->data=NULL; - m->size=e->size=d->size=p->size=q->size=u->size=0; - ret = _gnutls_mpi_dprint(m, key->params[0]); - if (ret < 0) { - gnutls_assert(); - goto error; + m->data = e->data = d->data = p->data = q->data = u->data = NULL; + m->size = e->size = d->size = p->size = q->size = u->size = 0; + + ret = _gnutls_mpi_dprint (m, key->params[0]); + if (ret < 0) + { + gnutls_assert (); + goto error; } - /* E */ - ret = _gnutls_mpi_dprint(e, key->params[1]); - if (ret < 0) { - gnutls_assert(); - goto error; + /* E */ + ret = _gnutls_mpi_dprint (e, key->params[1]); + if (ret < 0) + { + gnutls_assert (); + goto error; } - /* D */ - ret = _gnutls_mpi_dprint(d, key->params[2]); - if (ret < 0) { - gnutls_assert(); - goto error; + /* D */ + ret = _gnutls_mpi_dprint (d, key->params[2]); + if (ret < 0) + { + gnutls_assert (); + goto error; } - /* P */ - ret = _gnutls_mpi_dprint(p, key->params[3]); - if (ret < 0) { - gnutls_assert(); - goto error; + /* P */ + ret = _gnutls_mpi_dprint (p, key->params[3]); + if (ret < 0) + { + gnutls_assert (); + goto error; } - /* Q */ - ret = _gnutls_mpi_dprint(q, key->params[4]); - if (ret < 0) { - gnutls_assert(); - goto error; + /* Q */ + ret = _gnutls_mpi_dprint (q, key->params[4]); + if (ret < 0) + { + gnutls_assert (); + goto error; } #ifdef CALC_COEFF - coeff = - _gnutls_mpi_snew(_gnutls_mpi_get_nbits(key->params[0])); + coeff = _gnutls_mpi_snew (_gnutls_mpi_get_nbits (key->params[0])); - if (coeff == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; + if (coeff == NULL) + { + gnutls_assert (); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; } - _gnutls_mpi_invm(coeff, key->params[4], key->params[3]); - ret = _gnutls_mpi_dprint(u, coeff); - if (ret < 0) { - gnutls_assert(); - goto error; + _gnutls_mpi_invm (coeff, key->params[4], key->params[3]); + ret = _gnutls_mpi_dprint (u, coeff); + if (ret < 0) + { + gnutls_assert (); + goto error; } - _gnutls_mpi_release( &coeff); + _gnutls_mpi_release (&coeff); #else - /* U */ - ret = _gnutls_mpi_dprint(u, key->params[5]); - if (ret < 0) { - gnutls_assert(); - goto error; + /* U */ + ret = _gnutls_mpi_dprint (u, key->params[5]); + if (ret < 0) + { + gnutls_assert (); + goto error; } #endif - return 0; + return 0; error: - _gnutls_free_datum(m); - _gnutls_free_datum(d); - _gnutls_free_datum(e); - _gnutls_free_datum(p); - _gnutls_free_datum(q); - _gnutls_mpi_release( &coeff); - - return ret; + _gnutls_free_datum (m); + _gnutls_free_datum (d); + _gnutls_free_datum (e); + _gnutls_free_datum (p); + _gnutls_free_datum (q); + _gnutls_mpi_release (&coeff); + + return ret; } /** @@ -813,391 +895,422 @@ error: * gnutls_malloc() and will be stored in the appropriate datum. * **/ -int gnutls_x509_privkey_export_dsa_raw(gnutls_x509_privkey_t key, - gnutls_datum_t * p, gnutls_datum_t * q, gnutls_datum_t * g, - gnutls_datum_t * y, gnutls_datum_t * x) +int +gnutls_x509_privkey_export_dsa_raw (gnutls_x509_privkey_t key, + gnutls_datum_t * p, gnutls_datum_t * q, + gnutls_datum_t * g, gnutls_datum_t * y, + gnutls_datum_t * x) { - int ret; + int ret; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* P */ - ret = _gnutls_mpi_dprint(p, key->params[0]); - if (ret < 0) { - gnutls_assert(); - return ret; + /* P */ + ret = _gnutls_mpi_dprint (p, key->params[0]); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* Q */ - ret = _gnutls_mpi_dprint(q, key->params[1]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - return ret; + /* Q */ + ret = _gnutls_mpi_dprint (q, key->params[1]); + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (p); + return ret; } - /* G */ - ret = _gnutls_mpi_dprint(g, key->params[2]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - _gnutls_free_datum(q); - return ret; + /* G */ + ret = _gnutls_mpi_dprint (g, key->params[2]); + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (p); + _gnutls_free_datum (q); + return ret; } - /* Y */ - ret = _gnutls_mpi_dprint(y, key->params[3]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - _gnutls_free_datum(g); - _gnutls_free_datum(q); - return ret; + /* Y */ + ret = _gnutls_mpi_dprint (y, key->params[3]); + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (p); + _gnutls_free_datum (g); + _gnutls_free_datum (q); + return ret; } - /* X */ - ret = _gnutls_mpi_dprint(x, key->params[4]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(y); - _gnutls_free_datum(p); - _gnutls_free_datum(g); - _gnutls_free_datum(q); - return ret; + /* X */ + ret = _gnutls_mpi_dprint (x, key->params[4]); + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (y); + _gnutls_free_datum (p); + _gnutls_free_datum (g); + _gnutls_free_datum (q); + return ret; } - return 0; + return 0; } /* Encodes the RSA parameters into an ASN.1 RSA private key structure. */ -static int _encode_rsa(ASN1_TYPE * c2, mpi_t * params) +static int +_encode_rsa (ASN1_TYPE * c2, mpi_t * params) { - int result, i; - size_t size[8], total; - opaque *m_data, *pube_data, *prie_data; - opaque *p1_data, *p2_data, *u_data, *exp1_data, *exp2_data; - opaque *all_data = NULL, *p; - mpi_t exp1 = NULL, exp2 = NULL, q1 = NULL, p1 = NULL, u=NULL; - opaque null = '\0'; - - /* Read all the sizes */ - total = 0; - for (i = 0; i < 5; i++) { - _gnutls_mpi_print_lz(NULL, &size[i], params[i]); - total += size[i]; - } - - /* Now generate exp1 and exp2 - */ - exp1 = _gnutls_mpi_salloc_like(params[0]); /* like modulus */ - if (exp1 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - exp2 = _gnutls_mpi_salloc_like(params[0]); - if (exp2 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - q1 = _gnutls_mpi_salloc_like(params[4]); - if (q1 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - p1 = _gnutls_mpi_salloc_like(params[3]); - if (p1 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - u = _gnutls_mpi_salloc_like(params[3]); - if (u == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - _gnutls_mpi_invm(u, params[4], params[3]); - /* inverse of q mod p */ - _gnutls_mpi_print_lz(NULL, &size[5], u); - total += size[5]; - - _gnutls_mpi_sub_ui(p1, params[3], 1); - _gnutls_mpi_sub_ui(q1, params[4], 1); - - _gnutls_mpi_mod(exp1, params[2], p1); - _gnutls_mpi_mod(exp2, params[2], q1); - - - /* calculate exp's size */ - _gnutls_mpi_print_lz(NULL, &size[6], exp1); - total += size[6]; - - _gnutls_mpi_print_lz(NULL, &size[7], exp2); - total += size[7]; - - /* Encoding phase. - * allocate data enough to hold everything - */ - all_data = gnutls_secure_malloc(total); - if (all_data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - p = all_data; - m_data = p; - p += size[0]; - pube_data = p; - p += size[1]; - prie_data = p; - p += size[2]; - p1_data = p; - p += size[3]; - p2_data = p; - p += size[4]; - u_data = p; - p += size[5]; - exp1_data = p; - p += size[6]; - exp2_data = p; - - _gnutls_mpi_print_lz(m_data, &size[0], params[0]); - _gnutls_mpi_print_lz(pube_data, &size[1], params[1]); - _gnutls_mpi_print_lz(prie_data, &size[2], params[2]); - _gnutls_mpi_print_lz(p1_data, &size[3], params[3]); - _gnutls_mpi_print_lz(p2_data, &size[4], params[4]); - _gnutls_mpi_print_lz(u_data, &size[5], u); - _gnutls_mpi_print_lz(exp1_data, &size[6], exp1); - _gnutls_mpi_print_lz(exp2_data, &size[7], exp2); - - /* Ok. Now we have the data. Create the asn1 structures - */ - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPrivateKey", c2)) - != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Write PRIME - */ - if ((result = asn1_write_value(*c2, "modulus", - m_data, size[0])) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "publicExponent", - pube_data, size[1])) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "privateExponent", - prie_data, size[2])) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "prime1", - p1_data, size[3])) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "prime2", - p2_data, size[4])) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "exponent1", - exp1_data, size[6])) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "exponent2", - exp2_data, size[7])) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "coefficient", - u_data, size[5])) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - _gnutls_mpi_release(&exp1); - _gnutls_mpi_release(&exp2); - _gnutls_mpi_release(&q1); - _gnutls_mpi_release(&p1); - _gnutls_mpi_release(&u); - gnutls_free(all_data); - - if ((result = asn1_write_value(*c2, "otherPrimeInfos", - NULL, 0)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "version", - &null, 1)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - return 0; + int result, i; + size_t size[8], total; + opaque *m_data, *pube_data, *prie_data; + opaque *p1_data, *p2_data, *u_data, *exp1_data, *exp2_data; + opaque *all_data = NULL, *p; + mpi_t exp1 = NULL, exp2 = NULL, q1 = NULL, p1 = NULL, u = NULL; + opaque null = '\0'; + + /* Read all the sizes */ + total = 0; + for (i = 0; i < 5; i++) + { + _gnutls_mpi_print_lz (NULL, &size[i], params[i]); + total += size[i]; + } + + /* Now generate exp1 and exp2 + */ + exp1 = _gnutls_mpi_salloc_like (params[0]); /* like modulus */ + if (exp1 == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + exp2 = _gnutls_mpi_salloc_like (params[0]); + if (exp2 == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + q1 = _gnutls_mpi_salloc_like (params[4]); + if (q1 == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + p1 = _gnutls_mpi_salloc_like (params[3]); + if (p1 == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + u = _gnutls_mpi_salloc_like (params[3]); + if (u == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + _gnutls_mpi_invm (u, params[4], params[3]); + /* inverse of q mod p */ + _gnutls_mpi_print_lz (NULL, &size[5], u); + total += size[5]; + + _gnutls_mpi_sub_ui (p1, params[3], 1); + _gnutls_mpi_sub_ui (q1, params[4], 1); + + _gnutls_mpi_mod (exp1, params[2], p1); + _gnutls_mpi_mod (exp2, params[2], q1); + + + /* calculate exp's size */ + _gnutls_mpi_print_lz (NULL, &size[6], exp1); + total += size[6]; + + _gnutls_mpi_print_lz (NULL, &size[7], exp2); + total += size[7]; + + /* Encoding phase. + * allocate data enough to hold everything + */ + all_data = gnutls_secure_malloc (total); + if (all_data == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + p = all_data; + m_data = p; + p += size[0]; + pube_data = p; + p += size[1]; + prie_data = p; + p += size[2]; + p1_data = p; + p += size[3]; + p2_data = p; + p += size[4]; + u_data = p; + p += size[5]; + exp1_data = p; + p += size[6]; + exp2_data = p; + + _gnutls_mpi_print_lz (m_data, &size[0], params[0]); + _gnutls_mpi_print_lz (pube_data, &size[1], params[1]); + _gnutls_mpi_print_lz (prie_data, &size[2], params[2]); + _gnutls_mpi_print_lz (p1_data, &size[3], params[3]); + _gnutls_mpi_print_lz (p2_data, &size[4], params[4]); + _gnutls_mpi_print_lz (u_data, &size[5], u); + _gnutls_mpi_print_lz (exp1_data, &size[6], exp1); + _gnutls_mpi_print_lz (exp2_data, &size[7], exp2); + + /* Ok. Now we have the data. Create the asn1 structures + */ + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn (), "GNUTLS.RSAPrivateKey", c2)) + != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + /* Write PRIME + */ + if ((result = asn1_write_value (*c2, "modulus", + m_data, size[0])) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if ((result = asn1_write_value (*c2, "publicExponent", + pube_data, size[1])) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if ((result = asn1_write_value (*c2, "privateExponent", + prie_data, size[2])) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if ((result = asn1_write_value (*c2, "prime1", + p1_data, size[3])) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if ((result = asn1_write_value (*c2, "prime2", + p2_data, size[4])) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if ((result = asn1_write_value (*c2, "exponent1", + exp1_data, size[6])) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if ((result = asn1_write_value (*c2, "exponent2", + exp2_data, size[7])) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if ((result = asn1_write_value (*c2, "coefficient", + u_data, size[5])) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + _gnutls_mpi_release (&exp1); + _gnutls_mpi_release (&exp2); + _gnutls_mpi_release (&q1); + _gnutls_mpi_release (&p1); + _gnutls_mpi_release (&u); + gnutls_free (all_data); + + if ((result = asn1_write_value (*c2, "otherPrimeInfos", + NULL, 0)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if ((result = asn1_write_value (*c2, "version", &null, 1)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + return 0; + +cleanup: + _gnutls_mpi_release (&u); + _gnutls_mpi_release (&exp1); + _gnutls_mpi_release (&exp2); + _gnutls_mpi_release (&q1); + _gnutls_mpi_release (&p1); + asn1_delete_structure (c2); + gnutls_free (all_data); - cleanup: - _gnutls_mpi_release(&u); - _gnutls_mpi_release(&exp1); - _gnutls_mpi_release(&exp2); - _gnutls_mpi_release(&q1); - _gnutls_mpi_release(&p1); - asn1_delete_structure(c2); - gnutls_free(all_data); - - return result; + return result; } /* Encodes the DSA parameters into an ASN.1 DSAPrivateKey structure. */ -static int _encode_dsa(ASN1_TYPE * c2, mpi_t * params) +static int +_encode_dsa (ASN1_TYPE * c2, mpi_t * params) { - int result, i; - size_t size[DSA_PRIVATE_PARAMS], total; - opaque *p_data, *q_data, *g_data, *x_data, *y_data; - opaque *all_data = NULL, *p; - opaque null = '\0'; - - /* Read all the sizes */ - total = 0; - for (i = 0; i < DSA_PRIVATE_PARAMS; i++) { - _gnutls_mpi_print_lz(NULL, &size[i], params[i]); - total += size[i]; - } - - /* Encoding phase. - * allocate data enough to hold everything - */ - all_data = gnutls_secure_malloc(total); - if (all_data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - p = all_data; - p_data = p; - p += size[0]; - q_data = p; - p += size[1]; - g_data = p; - p += size[2]; - y_data = p; - p += size[3]; - x_data = p; - - _gnutls_mpi_print_lz(p_data, &size[0], params[0]); - _gnutls_mpi_print_lz(q_data, &size[1], params[1]); - _gnutls_mpi_print_lz(g_data, &size[2], params[2]); - _gnutls_mpi_print_lz(y_data, &size[3], params[3]); - _gnutls_mpi_print_lz(x_data, &size[4], params[4]); - - /* Ok. Now we have the data. Create the asn1 structures - */ - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPrivateKey", c2)) - != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Write PRIME - */ - if ((result = asn1_write_value(*c2, "p", - p_data, size[0])) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "q", - q_data, size[1])) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "g", - g_data, size[2])) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "Y", - y_data, size[3])) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "priv", - x_data, size[4])) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - gnutls_free(all_data); - - if ((result = asn1_write_value(*c2, "version", - &null, 1)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - return 0; - - cleanup: - asn1_delete_structure(c2); - gnutls_free(all_data); - - return result; + int result, i; + size_t size[DSA_PRIVATE_PARAMS], total; + opaque *p_data, *q_data, *g_data, *x_data, *y_data; + opaque *all_data = NULL, *p; + opaque null = '\0'; + + /* Read all the sizes */ + total = 0; + for (i = 0; i < DSA_PRIVATE_PARAMS; i++) + { + _gnutls_mpi_print_lz (NULL, &size[i], params[i]); + total += size[i]; + } + + /* Encoding phase. + * allocate data enough to hold everything + */ + all_data = gnutls_secure_malloc (total); + if (all_data == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + p = all_data; + p_data = p; + p += size[0]; + q_data = p; + p += size[1]; + g_data = p; + p += size[2]; + y_data = p; + p += size[3]; + x_data = p; + + _gnutls_mpi_print_lz (p_data, &size[0], params[0]); + _gnutls_mpi_print_lz (q_data, &size[1], params[1]); + _gnutls_mpi_print_lz (g_data, &size[2], params[2]); + _gnutls_mpi_print_lz (y_data, &size[3], params[3]); + _gnutls_mpi_print_lz (x_data, &size[4], params[4]); + + /* Ok. Now we have the data. Create the asn1 structures + */ + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn (), "GNUTLS.DSAPrivateKey", c2)) + != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + /* Write PRIME + */ + if ((result = asn1_write_value (*c2, "p", p_data, size[0])) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if ((result = asn1_write_value (*c2, "q", q_data, size[1])) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if ((result = asn1_write_value (*c2, "g", g_data, size[2])) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if ((result = asn1_write_value (*c2, "Y", y_data, size[3])) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + if ((result = asn1_write_value (*c2, "priv", + x_data, size[4])) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + gnutls_free (all_data); + + if ((result = asn1_write_value (*c2, "version", &null, 1)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; + } + + return 0; + +cleanup: + asn1_delete_structure (c2); + gnutls_free (all_data); + + return result; } @@ -1214,69 +1327,79 @@ static int _encode_dsa(ASN1_TYPE * c2, mpi_t * params) * Returns 0 on success or a negative value on error. * **/ -int gnutls_x509_privkey_generate(gnutls_x509_privkey_t key, - gnutls_pk_algorithm_t algo, unsigned int bits, unsigned int flags) +int +gnutls_x509_privkey_generate (gnutls_x509_privkey_t key, + gnutls_pk_algorithm_t algo, unsigned int bits, + unsigned int flags) { - int ret, params_len; - int i; + int ret, params_len; + int i; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - switch (algo) { + switch (algo) + { case GNUTLS_PK_DSA: - ret = _gnutls_dsa_generate_params(key->params, ¶ms_len, bits); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_dsa_generate_params (key->params, ¶ms_len, bits); + if (ret < 0) + { + gnutls_assert (); + return ret; } - if (!key->crippled) { - ret = _encode_dsa(&key->key, key->params); - if (ret < 0) { - gnutls_assert(); - goto cleanup; + if (!key->crippled) + { + ret = _encode_dsa (&key->key, key->params); + if (ret < 0) + { + gnutls_assert (); + goto cleanup; } } - key->params_size = params_len; - key->pk_algorithm = GNUTLS_PK_DSA; + key->params_size = params_len; + key->pk_algorithm = GNUTLS_PK_DSA; - break; + break; case GNUTLS_PK_RSA: - ret = _gnutls_rsa_generate_params(key->params, ¶ms_len, bits); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_rsa_generate_params (key->params, ¶ms_len, bits); + if (ret < 0) + { + gnutls_assert (); + return ret; } - if (!key->crippled) { - ret = _encode_rsa(&key->key, key->params); - if (ret < 0) { - gnutls_assert(); - goto cleanup; + if (!key->crippled) + { + ret = _encode_rsa (&key->key, key->params); + if (ret < 0) + { + gnutls_assert (); + goto cleanup; } } - key->params_size = params_len; - key->pk_algorithm = GNUTLS_PK_RSA; + key->params_size = params_len; + key->pk_algorithm = GNUTLS_PK_RSA; - break; + break; default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return 0; + return 0; - cleanup: - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - key->params_size = 0; - for (i = 0; i < params_len; i++) - _gnutls_mpi_release(&key->params[i]); +cleanup: + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + key->params_size = 0; + for (i = 0; i < params_len; i++) + _gnutls_mpi_release (&key->params[i]); - return ret; + return ret; } /** @@ -1300,63 +1423,72 @@ int gnutls_x509_privkey_generate(gnutls_x509_privkey_t key, * returned, and 0 on success. * **/ -int gnutls_x509_privkey_get_key_id(gnutls_x509_privkey_t key, - unsigned int flags, - unsigned char *output_data, - size_t * output_data_size) +int +gnutls_x509_privkey_get_key_id (gnutls_x509_privkey_t key, + unsigned int flags, + unsigned char *output_data, + size_t * output_data_size) { - int result; - GNUTLS_HASH_HANDLE hd; - gnutls_datum_t der = { NULL, 0 }; - - if (key == NULL || key->crippled) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (*output_data_size < 20) { - gnutls_assert(); - *output_data_size = 20; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - if (key->pk_algorithm == GNUTLS_PK_RSA) { - result = - _gnutls_x509_write_rsa_params(key->params, key->params_size, - &der); - if (result < 0) { - gnutls_assert(); - goto cleanup; + int result; + GNUTLS_HASH_HANDLE hd; + gnutls_datum_t der = { NULL, 0 }; + + if (key == NULL || key->crippled) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + if (*output_data_size < 20) + { + gnutls_assert (); + *output_data_size = 20; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + if (key->pk_algorithm == GNUTLS_PK_RSA) + { + result = + _gnutls_x509_write_rsa_params (key->params, key->params_size, &der); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - } else if (key->pk_algorithm == GNUTLS_PK_DSA) { - result = - _gnutls_x509_write_dsa_public_key(key->params, - key->params_size, &der); - if (result < 0) { - gnutls_assert(); - goto cleanup; + } + else if (key->pk_algorithm == GNUTLS_PK_DSA) + { + result = + _gnutls_x509_write_dsa_public_key (key->params, + key->params_size, &der); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - } else - return GNUTLS_E_INTERNAL_ERROR; + } + else + return GNUTLS_E_INTERNAL_ERROR; - hd = _gnutls_hash_init(GNUTLS_MAC_SHA1); - if (hd == GNUTLS_HASH_FAILED) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; + hd = _gnutls_hash_init (GNUTLS_MAC_SHA1); + if (hd == GNUTLS_HASH_FAILED) + { + gnutls_assert (); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; } - _gnutls_hash(hd, der.data, der.size); + _gnutls_hash (hd, der.data, der.size); - _gnutls_hash_deinit(hd, output_data); - *output_data_size = 20; + _gnutls_hash_deinit (hd, output_data); + *output_data_size = 20; - result = 0; + result = 0; - cleanup: +cleanup: - _gnutls_free_datum(&der); - return result; + _gnutls_free_datum (&der); + return result; } #ifdef ENABLE_PKI @@ -1384,38 +1516,42 @@ int gnutls_x509_privkey_get_key_id(gnutls_x509_privkey_t key, * 0 on success. * **/ -int gnutls_x509_privkey_sign_data(gnutls_x509_privkey_t key, - gnutls_digest_algorithm_t digest, - unsigned int flags, - const gnutls_datum_t * data, - void *signature, size_t * signature_size) +int +gnutls_x509_privkey_sign_data (gnutls_x509_privkey_t key, + gnutls_digest_algorithm_t digest, + unsigned int flags, + const gnutls_datum_t * data, + void *signature, size_t * signature_size) { - int result; - gnutls_datum_t sig = { NULL, 0 }; + int result; + gnutls_datum_t sig = { NULL, 0 }; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - result = _gnutls_x509_sign(data, digest, key, &sig); - if (result < 0) { - gnutls_assert(); - return result; + result = _gnutls_x509_sign (data, digest, key, &sig); + if (result < 0) + { + gnutls_assert (); + return result; } - if (*signature_size < sig.size) { - *signature_size = sig.size; - _gnutls_free_datum(&sig); - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (*signature_size < sig.size) + { + *signature_size = sig.size; + _gnutls_free_datum (&sig); + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - *signature_size = sig.size; - memcpy(signature, sig.data, sig.size); + *signature_size = sig.size; + memcpy (signature, sig.data, sig.size); - _gnutls_free_datum(&sig); + _gnutls_free_datum (&sig); - return 0; + return 0; } /** @@ -1432,25 +1568,28 @@ int gnutls_x509_privkey_sign_data(gnutls_x509_privkey_t key, * 1 on success. * **/ -int gnutls_x509_privkey_verify_data(gnutls_x509_privkey_t key, - unsigned int flags, - const gnutls_datum_t * data, - const gnutls_datum_t * signature) +int +gnutls_x509_privkey_verify_data (gnutls_x509_privkey_t key, + unsigned int flags, + const gnutls_datum_t * data, + const gnutls_datum_t * signature) { - int result; + int result; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - result = _gnutls_x509_privkey_verify_signature(data, signature, key); - if (result < 0) { - gnutls_assert(); - return 0; + result = _gnutls_x509_privkey_verify_signature (data, signature, key); + if (result < 0) + { + gnutls_assert (); + return 0; } - return result; + return result; } /** @@ -1464,37 +1603,43 @@ int gnutls_x509_privkey_verify_data(gnutls_x509_privkey_t key, * returned, and 0 on success. * **/ -int gnutls_x509_privkey_fix(gnutls_x509_privkey_t key) +int +gnutls_x509_privkey_fix (gnutls_x509_privkey_t key) { - int ret; + int ret; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (!key->crippled) asn1_delete_structure(&key->key); - switch (key->pk_algorithm) { - case GNUTLS_PK_DSA: - ret = _encode_dsa(&key->key, key->params); - if (ret < 0) { - gnutls_assert(); - return ret; - } - break; - case GNUTLS_PK_RSA: - ret = _encode_rsa(&key->key, key->params); - if (ret < 0) { - gnutls_assert(); - return ret; - } - break; - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (!key->crippled) + asn1_delete_structure (&key->key); + switch (key->pk_algorithm) + { + case GNUTLS_PK_DSA: + ret = _encode_dsa (&key->key, key->params); + if (ret < 0) + { + gnutls_assert (); + return ret; + } + break; + case GNUTLS_PK_RSA: + ret = _encode_rsa (&key->key, key->params); + if (ret < 0) + { + gnutls_assert (); + return ret; + } + break; + default: + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return 0; + return 0; } #endif diff --git a/lib/x509/privkey.h b/lib/x509/privkey.h index 60ea116ba0..0100aeec3a 100644 --- a/lib/x509/privkey.h +++ b/lib/x509/privkey.h @@ -24,5 +24,6 @@ #include <gnutls/x509.h> -ASN1_TYPE _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t *raw_key, - gnutls_x509_privkey_t pkey); +ASN1_TYPE _gnutls_privkey_decode_pkcs1_rsa_key (const gnutls_datum_t * + raw_key, + gnutls_x509_privkey_t pkey); diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index 1e16df7541..0e1e021327 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -54,49 +54,51 @@ #define PKCS12_PBE_ARCFOUR_SHA1_OID "1.2.840.113549.1.12.1.1" #define PKCS12_PBE_RC2_40_SHA1_OID "1.2.840.113549.1.12.1.6" -struct pbkdf2_params { - opaque salt[32]; - int salt_size; - unsigned int iter_count; - unsigned int key_size; +struct pbkdf2_params +{ + opaque salt[32]; + int salt_size; + unsigned int iter_count; + unsigned int key_size; }; -struct pbe_enc_params { - gnutls_cipher_algorithm_t cipher; - opaque iv[8]; - int iv_size; +struct pbe_enc_params +{ + gnutls_cipher_algorithm_t cipher; + opaque iv[8]; + int iv_size; }; -static int generate_key(schema_id schema, const char *password, - struct pbkdf2_params *kdf_params, - struct pbe_enc_params *enc_params, - gnutls_datum_t * key); -static int read_pbkdf2_params(ASN1_TYPE pbes2_asn, - const gnutls_datum_t * der, - struct pbkdf2_params *params); -static int read_pbe_enc_params(ASN1_TYPE pbes2_asn, +static int generate_key (schema_id schema, const char *password, + struct pbkdf2_params *kdf_params, + struct pbe_enc_params *enc_params, + gnutls_datum_t * key); +static int read_pbkdf2_params (ASN1_TYPE pbes2_asn, const gnutls_datum_t * der, - struct pbe_enc_params *params); -static int decrypt_data(schema_id, ASN1_TYPE pkcs8_asn, const char *root, - const char *password, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params, - gnutls_datum_t * decrypted_data); -static int decode_private_key_info(const gnutls_datum_t * der, - gnutls_x509_privkey_t pkey, - ASN1_TYPE * out); -static int write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, - const char *where, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params); -static int encrypt_data(const gnutls_datum_t * plain, - const struct pbe_enc_params *enc_params, - gnutls_datum_t * key, gnutls_datum_t * encrypted); - -static int read_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - struct pbkdf2_params *params); -static int write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - const struct pbkdf2_params *params); + struct pbkdf2_params *params); +static int read_pbe_enc_params (ASN1_TYPE pbes2_asn, + const gnutls_datum_t * der, + struct pbe_enc_params *params); +static int decrypt_data (schema_id, ASN1_TYPE pkcs8_asn, const char *root, + const char *password, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params, + gnutls_datum_t * decrypted_data); +static int decode_private_key_info (const gnutls_datum_t * der, + gnutls_x509_privkey_t pkey, + ASN1_TYPE * out); +static int write_schema_params (schema_id schema, ASN1_TYPE pkcs8_asn, + const char *where, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params); +static int encrypt_data (const gnutls_datum_t * plain, + const struct pbe_enc_params *enc_params, + gnutls_datum_t * key, gnutls_datum_t * encrypted); + +static int read_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, + struct pbkdf2_params *params); +static int write_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, + const struct pbkdf2_params *params); #define PEM_PKCS8 "ENCRYPTED PRIVATE KEY" #define PEM_UNENCRYPTED_PKCS8 "PRIVATE KEY" @@ -104,25 +106,25 @@ static int write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, /* Returns a negative error code if the encryption schema in * the OID is not supported. The schema ID is returned. */ -inline static int check_schema(const char *oid) +inline static int +check_schema (const char *oid) { - if (strcmp(oid, PBES2_OID) == 0) - return PBES2; + if (strcmp (oid, PBES2_OID) == 0) + return PBES2; - if (strcmp(oid, PKCS12_PBE_3DES_SHA1_OID) == 0) - return PKCS12_3DES_SHA1; + if (strcmp (oid, PKCS12_PBE_3DES_SHA1_OID) == 0) + return PKCS12_3DES_SHA1; - if (strcmp(oid, PKCS12_PBE_ARCFOUR_SHA1_OID) == 0) - return PKCS12_ARCFOUR_SHA1; + if (strcmp (oid, PKCS12_PBE_ARCFOUR_SHA1_OID) == 0) + return PKCS12_ARCFOUR_SHA1; - if (strcmp(oid, PKCS12_PBE_RC2_40_SHA1_OID) == 0) - return PKCS12_RC2_40_SHA1; + if (strcmp (oid, PKCS12_PBE_RC2_40_SHA1_OID) == 0) + return PKCS12_RC2_40_SHA1; - _gnutls_x509_log("PKCS encryption schema OID '%s' is unsupported.\n", - oid); + _gnutls_x509_log ("PKCS encryption schema OID '%s' is unsupported.\n", oid); - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; } /* @@ -130,247 +132,265 @@ inline static int check_schema(const char *oid) * info. The output will be allocated and stored into der. Also * the ASN1_TYPE of private key info will be returned. */ -static int encode_to_private_key_info(gnutls_x509_privkey_t pkey, - gnutls_datum_t * der, - ASN1_TYPE * pkey_info) +static int +encode_to_private_key_info (gnutls_x509_privkey_t pkey, + gnutls_datum_t * der, ASN1_TYPE * pkey_info) { - int result, len; - size_t size; - opaque *data = NULL; - opaque null = 0; - - if (pkey->pk_algorithm != GNUTLS_PK_RSA) { - gnutls_assert(); - return GNUTLS_E_UNIMPLEMENTED_FEATURE; - } - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-PrivateKeyInfo", - pkey_info)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the version. - */ - result = asn1_write_value(*pkey_info, "version", &null, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* write the privateKeyAlgorithm - * fields. (OID+NULL data) - */ - result = - asn1_write_value(*pkey_info, "privateKeyAlgorithm.algorithm", - PK_PKIX1_RSA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = - asn1_write_value(*pkey_info, "privateKeyAlgorithm.parameters", - NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the raw private key - */ - size = 0; - result = - gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, NULL, &size); - if (result != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - goto error; - } - - data = gnutls_alloca(size); - if (data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - - result = - gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, data, &size); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = asn1_write_value(*pkey_info, "privateKey", data, size); - - gnutls_afree(data); - data = NULL; - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Append an empty Attributes field. - */ - result = asn1_write_value(*pkey_info, "attributes", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* DER Encode the generated private key info. - */ - len = 0; - result = asn1_der_coding(*pkey_info, "", NULL, &len, NULL); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* allocate data for the der - */ - der->size = len; - der->data = gnutls_malloc(len); - if (der->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + int result, len; + size_t size; + opaque *data = NULL; + opaque null = 0; + + if (pkey->pk_algorithm != GNUTLS_PK_RSA) + { + gnutls_assert (); + return GNUTLS_E_UNIMPLEMENTED_FEATURE; + } + + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-8-PrivateKeyInfo", + pkey_info)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Write the version. + */ + result = asn1_write_value (*pkey_info, "version", &null, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* write the privateKeyAlgorithm + * fields. (OID+NULL data) + */ + result = + asn1_write_value (*pkey_info, "privateKeyAlgorithm.algorithm", + PK_PKIX1_RSA_OID, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + result = + asn1_write_value (*pkey_info, "privateKeyAlgorithm.parameters", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Write the raw private key + */ + size = 0; + result = + gnutls_x509_privkey_export (pkey, GNUTLS_X509_FMT_DER, NULL, &size); + if (result != GNUTLS_E_SHORT_MEMORY_BUFFER) + { + gnutls_assert (); + goto error; + } + + data = gnutls_alloca (size); + if (data == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + + result = + gnutls_x509_privkey_export (pkey, GNUTLS_X509_FMT_DER, data, &size); + if (result < 0) + { + gnutls_assert (); + goto error; + } + + result = asn1_write_value (*pkey_info, "privateKey", data, size); + + gnutls_afree (data); + data = NULL; + + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Append an empty Attributes field. + */ + result = asn1_write_value (*pkey_info, "attributes", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* DER Encode the generated private key info. + */ + len = 0; + result = asn1_der_coding (*pkey_info, "", NULL, &len, NULL); + if (result != ASN1_MEM_ERROR) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* allocate data for the der + */ + der->size = len; + der->data = gnutls_malloc (len); + if (der->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_der_coding (*pkey_info, "", der->data, &len, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + return 0; + +error: + asn1_delete_structure (pkey_info); + if (data != NULL) + { + gnutls_afree (data); } - - result = asn1_der_coding(*pkey_info, "", der->data, &len, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - return 0; - - error: - asn1_delete_structure(pkey_info); - if (data != NULL) { - gnutls_afree(data); - } - return result; + return result; } /* Converts a PKCS #8 private key info to * a PKCS #8 EncryptedPrivateKeyInfo. */ -static -int encode_to_pkcs8_key(schema_id schema, const gnutls_datum_t * der_key, - const char *password, ASN1_TYPE * out) +static int +encode_to_pkcs8_key (schema_id schema, const gnutls_datum_t * der_key, + const char *password, ASN1_TYPE * out) { - int result; - gnutls_datum_t key = { NULL, 0 }; - gnutls_datum_t tmp = { NULL, 0 }; - ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the encryption schema OID - */ - switch (schema) { + int result; + gnutls_datum_t key = { NULL, 0 }; + gnutls_datum_t tmp = { NULL, 0 }; + ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + + + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Write the encryption schema OID + */ + switch (schema) + { case PBES2: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PBES2_OID, 1); - break; + result = + asn1_write_value (pkcs8_asn, "encryptionAlgorithm.algorithm", + PBES2_OID, 1); + break; case PKCS12_3DES_SHA1: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PKCS12_PBE_3DES_SHA1_OID, 1); - break; + result = + asn1_write_value (pkcs8_asn, "encryptionAlgorithm.algorithm", + PKCS12_PBE_3DES_SHA1_OID, 1); + break; case PKCS12_ARCFOUR_SHA1: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PKCS12_PBE_ARCFOUR_SHA1_OID, 1); - break; + result = + asn1_write_value (pkcs8_asn, "encryptionAlgorithm.algorithm", + PKCS12_PBE_ARCFOUR_SHA1_OID, 1); + break; case PKCS12_RC2_40_SHA1: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PKCS12_PBE_RC2_40_SHA1_OID, 1); - break; + result = + asn1_write_value (pkcs8_asn, "encryptionAlgorithm.algorithm", + PKCS12_PBE_RC2_40_SHA1_OID, 1); + break; } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - /* Generate a symmetric key. - */ + /* Generate a symmetric key. + */ - result = - generate_key(schema, password, &kdf_params, &enc_params, &key); - if (result < 0) { - gnutls_assert(); - goto error; + result = generate_key (schema, password, &kdf_params, &enc_params, &key); + if (result < 0) + { + gnutls_assert (); + goto error; } - result = - write_schema_params(schema, pkcs8_asn, - "encryptionAlgorithm.parameters", &kdf_params, - &enc_params); - if (result < 0) { - gnutls_assert(); - goto error; + result = + write_schema_params (schema, pkcs8_asn, + "encryptionAlgorithm.parameters", &kdf_params, + &enc_params); + if (result < 0) + { + gnutls_assert (); + goto error; } - /* Parameters have been encoded. Now - * encrypt the Data. - */ - result = encrypt_data(der_key, &enc_params, &key, &tmp); - if (result < 0) { - gnutls_assert(); - goto error; + /* Parameters have been encoded. Now + * encrypt the Data. + */ + result = encrypt_data (der_key, &enc_params, &key, &tmp); + if (result < 0) + { + gnutls_assert (); + goto error; } - /* write the encrypted data. - */ - result = - asn1_write_value(pkcs8_asn, "encryptedData", tmp.data, tmp.size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* write the encrypted data. + */ + result = asn1_write_value (pkcs8_asn, "encryptedData", tmp.data, tmp.size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - _gnutls_free_datum(&tmp); - _gnutls_free_datum(&key); + _gnutls_free_datum (&tmp); + _gnutls_free_datum (&key); - *out = pkcs8_asn; + *out = pkcs8_asn; - return 0; + return 0; - error: - _gnutls_free_datum(&key); - _gnutls_free_datum(&tmp); - asn1_delete_structure(&pkcs8_asn); - return result; +error: + _gnutls_free_datum (&key); + _gnutls_free_datum (&tmp); + asn1_delete_structure (&pkcs8_asn); + return result; } @@ -405,198 +425,220 @@ int encode_to_pkcs8_key(schema_id schema, const gnutls_datum_t * der_key, * returned, and 0 on success. * **/ -int gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey_t key, - gnutls_x509_crt_fmt_t format, - const char *password, - unsigned int flags, - void *output_data, - size_t * output_data_size) +int +gnutls_x509_privkey_export_pkcs8 (gnutls_x509_privkey_t key, + gnutls_x509_crt_fmt_t format, + const char *password, + unsigned int flags, + void *output_data, + size_t * output_data_size) { - ASN1_TYPE pkcs8_asn, pkey_info; - int ret; - gnutls_datum_t tmp; - schema_id schema; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Get the private key info - * tmp holds the DER encoding. - */ - ret = encode_to_private_key_info(key, &tmp, &pkey_info); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - if (flags & GNUTLS_PKCS_USE_PKCS12_3DES) - schema = PKCS12_3DES_SHA1; - else if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) - schema = PKCS12_ARCFOUR_SHA1; - else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) - schema = PKCS12_RC2_40_SHA1; - else - schema = PBES2; - - - if ((flags & GNUTLS_PKCS_PLAIN) || password == NULL) { - _gnutls_free_datum(&tmp); - - ret = - _gnutls_x509_export_int(pkey_info, format, - PEM_UNENCRYPTED_PKCS8, - *output_data_size, output_data, - output_data_size); - - asn1_delete_structure(&pkey_info); - } else { - asn1_delete_structure(&pkey_info); /* we don't need it */ - - ret = encode_to_pkcs8_key(schema, &tmp, password, &pkcs8_asn); - _gnutls_free_datum(&tmp); - - if (ret < 0) { - gnutls_assert(); - return ret; + ASN1_TYPE pkcs8_asn, pkey_info; + int ret; + gnutls_datum_t tmp; + schema_id schema; + + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Get the private key info + * tmp holds the DER encoding. + */ + ret = encode_to_private_key_info (key, &tmp, &pkey_info); + if (ret < 0) + { + gnutls_assert (); + return ret; + } + + if (flags & GNUTLS_PKCS_USE_PKCS12_3DES) + schema = PKCS12_3DES_SHA1; + else if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) + schema = PKCS12_ARCFOUR_SHA1; + else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) + schema = PKCS12_RC2_40_SHA1; + else + schema = PBES2; + + + if ((flags & GNUTLS_PKCS_PLAIN) || password == NULL) + { + _gnutls_free_datum (&tmp); + + ret = + _gnutls_x509_export_int (pkey_info, format, + PEM_UNENCRYPTED_PKCS8, + *output_data_size, output_data, + output_data_size); + + asn1_delete_structure (&pkey_info); + } + else + { + asn1_delete_structure (&pkey_info); /* we don't need it */ + + ret = encode_to_pkcs8_key (schema, &tmp, password, &pkcs8_asn); + _gnutls_free_datum (&tmp); + + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = - _gnutls_x509_export_int(pkcs8_asn, format, PEM_PKCS8, - *output_data_size, output_data, - output_data_size); + ret = + _gnutls_x509_export_int (pkcs8_asn, format, PEM_PKCS8, + *output_data_size, output_data, + output_data_size); - asn1_delete_structure(&pkcs8_asn); + asn1_delete_structure (&pkcs8_asn); } - return ret; + return ret; } /* Read the parameters cipher, IV, salt etc using the given * schema ID. */ -static -int read_pkcs_schema_params(schema_id schema, const char *password, - const opaque * data, int data_size, - struct pbkdf2_params *kdf_params, - struct pbe_enc_params *enc_params) +static int +read_pkcs_schema_params (schema_id schema, const char *password, + const opaque * data, int data_size, + struct pbkdf2_params *kdf_params, + struct pbe_enc_params *enc_params) { - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; - int result; - gnutls_datum_t tmp; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; + int result; + gnutls_datum_t tmp; - switch (schema) { + switch (schema) + { case PBES2: - /* Now check the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBES2-params", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* Now check the key derivation and the encryption + * functions. + */ + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-5-PBES2-params", + &pbes2_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - /* Decode the parameters. - */ - result = asn1_der_decoding(&pbes2_asn, data, data_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* Decode the parameters. + */ + result = asn1_der_decoding (&pbes2_asn, data, data_size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - tmp.data = (opaque *) data; - tmp.size = data_size; + tmp.data = (opaque *) data; + tmp.size = data_size; - result = read_pbkdf2_params(pbes2_asn, &tmp, kdf_params); - if (result < 0) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = read_pbkdf2_params (pbes2_asn, &tmp, kdf_params); + if (result < 0) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - result = read_pbe_enc_params(pbes2_asn, &tmp, enc_params); - if (result < 0) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = read_pbe_enc_params (pbes2_asn, &tmp, enc_params); + if (result < 0) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - asn1_delete_structure(&pbes2_asn); - return 0; - break; + asn1_delete_structure (&pbes2_asn); + return 0; + break; case PKCS12_3DES_SHA1: case PKCS12_ARCFOUR_SHA1: case PKCS12_RC2_40_SHA1: - if ((schema) == PKCS12_3DES_SHA1) { - enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; - enc_params->iv_size = 8; - } else if ((schema) == PKCS12_ARCFOUR_SHA1) { - enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; - enc_params->iv_size = 0; - } else if ((schema) == PKCS12_RC2_40_SHA1) { - enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; - enc_params->iv_size = 8; + if ((schema) == PKCS12_3DES_SHA1) + { + enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; + enc_params->iv_size = 8; + } + else if ((schema) == PKCS12_ARCFOUR_SHA1) + { + enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; + enc_params->iv_size = 0; + } + else if ((schema) == PKCS12_RC2_40_SHA1) + { + enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; + enc_params->iv_size = 8; } - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-PbeParams", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-12-PbeParams", + &pbes2_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - /* Decode the parameters. - */ - result = asn1_der_decoding(&pbes2_asn, data, data_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* Decode the parameters. + */ + result = asn1_der_decoding (&pbes2_asn, data, data_size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - result = read_pkcs12_kdf_params(pbes2_asn, kdf_params); - if (result < 0) { - gnutls_assert(); - goto error; + result = read_pkcs12_kdf_params (pbes2_asn, kdf_params); + if (result < 0) + { + gnutls_assert (); + goto error; } - if (enc_params->iv_size) { - result = - _pkcs12_string_to_key(2 /*IV*/, kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, password, - enc_params->iv_size, enc_params->iv); - if (result < 0) { - gnutls_assert(); - goto error; + if (enc_params->iv_size) + { + result = + _pkcs12_string_to_key (2 /*IV*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + enc_params->iv_size, enc_params->iv); + if (result < 0) + { + gnutls_assert (); + goto error; } } - asn1_delete_structure(&pbes2_asn); + asn1_delete_structure (&pbes2_asn); - return 0; - break; + return 0; + break; } /* switch */ - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; - error: - asn1_delete_structure(&pbes2_asn); - return result; +error: + asn1_delete_structure (&pbes2_asn); + return result; } @@ -604,202 +646,216 @@ int read_pkcs_schema_params(schema_id schema, const char *password, * an internal structure (gnutls_private_key) * (normally a PKCS #1 encoded RSA key) */ -static -int decode_pkcs8_key(const gnutls_datum_t * raw_key, - const char *password, - gnutls_x509_privkey_t pkey, ASN1_TYPE * out) +static int +decode_pkcs8_key (const gnutls_datum_t * raw_key, + const char *password, + gnutls_x509_privkey_t pkey, ASN1_TYPE * out) { - int result, len; - char enc_oid[64]; - gnutls_datum_t tmp; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs8_asn = ASN1_TYPE_EMPTY; - ASN1_TYPE ret_asn; - int params_start, params_end, params_len; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - schema_id schema; - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = - asn1_der_decoding(&pkcs8_asn, raw_key->data, raw_key->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Check the encryption schema OID - */ - len = sizeof(enc_oid); - result = - asn1_read_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - enc_oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - - if ((result = check_schema(enc_oid)) < 0) { - gnutls_assert(); - goto error; - } - - schema = result; - - /* Get the DER encoding of the parameters. - */ - result = - asn1_der_decoding_startEnd(pkcs8_asn, raw_key->data, - raw_key->size, - "encryptionAlgorithm.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - params_len = params_end - params_start + 1; - - result = - read_pkcs_schema_params(schema, password, - &raw_key->data[params_start], - params_len, &kdf_params, &enc_params); - - - /* Parameters have been decoded. Now - * decrypt the EncryptedData. - */ - result = - decrypt_data(schema, pkcs8_asn, "encryptedData", password, - &kdf_params, &enc_params, &tmp); - if (result < 0) { - gnutls_assert(); - goto error; - } - - asn1_delete_structure(&pkcs8_asn); - - result = decode_private_key_info(&tmp, pkey, &ret_asn); - _gnutls_free_datum(&tmp); - - if (result < 0) { - gnutls_assert(); - goto error; - } - - *out = ret_asn; - - return 0; - - error: - asn1_delete_structure(&pbes2_asn); - asn1_delete_structure(&pkcs8_asn); - return result; + int result, len; + char enc_oid[64]; + gnutls_datum_t tmp; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs8_asn = ASN1_TYPE_EMPTY; + ASN1_TYPE ret_asn; + int params_start, params_end, params_len; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + schema_id schema; + + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + result = asn1_der_decoding (&pkcs8_asn, raw_key->data, raw_key->size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Check the encryption schema OID + */ + len = sizeof (enc_oid); + result = + asn1_read_value (pkcs8_asn, "encryptionAlgorithm.algorithm", + enc_oid, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; + } + + if ((result = check_schema (enc_oid)) < 0) + { + gnutls_assert (); + goto error; + } + + schema = result; + + /* Get the DER encoding of the parameters. + */ + result = + asn1_der_decoding_startEnd (pkcs8_asn, raw_key->data, + raw_key->size, + "encryptionAlgorithm.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + params_len = params_end - params_start + 1; + + result = + read_pkcs_schema_params (schema, password, + &raw_key->data[params_start], + params_len, &kdf_params, &enc_params); + + + /* Parameters have been decoded. Now + * decrypt the EncryptedData. + */ + result = + decrypt_data (schema, pkcs8_asn, "encryptedData", password, + &kdf_params, &enc_params, &tmp); + if (result < 0) + { + gnutls_assert (); + goto error; + } + + asn1_delete_structure (&pkcs8_asn); + + result = decode_private_key_info (&tmp, pkey, &ret_asn); + _gnutls_free_datum (&tmp); + + if (result < 0) + { + gnutls_assert (); + goto error; + } + + *out = ret_asn; + + return 0; + +error: + asn1_delete_structure (&pbes2_asn); + asn1_delete_structure (&pkcs8_asn); + return result; } -static -int decode_private_key_info(const gnutls_datum_t * der, - gnutls_x509_privkey_t pkey, ASN1_TYPE * out) +static int +decode_private_key_info (const gnutls_datum_t * der, + gnutls_x509_privkey_t pkey, ASN1_TYPE * out) { - int result, len; - opaque oid[64], *data = NULL; - gnutls_datum_t tmp; - ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; - ASN1_TYPE ret_asn; - int data_size; + int result, len; + opaque oid[64], *data = NULL; + gnutls_datum_t tmp; + ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; + ASN1_TYPE ret_asn; + int data_size; - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-PrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-8-PrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - result = asn1_der_decoding(&pkcs8_asn, der->data, der->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; + result = asn1_der_decoding (&pkcs8_asn, der->data, der->size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; } - /* Check the private key algorithm OID - */ - len = sizeof(oid); - result = - asn1_read_value(pkcs8_asn, "privateKeyAlgorithm.algorithm", - oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* Check the private key algorithm OID + */ + len = sizeof (oid); + result = + asn1_read_value (pkcs8_asn, "privateKeyAlgorithm.algorithm", oid, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - /* we only support RSA private keys. - */ - if (strcmp(oid, PK_PKIX1_RSA_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log - ("PKCS #8 private key OID '%s' is unsupported.\n", oid); - result = GNUTLS_E_UNKNOWN_PK_ALGORITHM; - goto error; + /* we only support RSA private keys. + */ + if (strcmp (oid, PK_PKIX1_RSA_OID) != 0) + { + gnutls_assert (); + _gnutls_x509_log + ("PKCS #8 private key OID '%s' is unsupported.\n", oid); + result = GNUTLS_E_UNKNOWN_PK_ALGORITHM; + goto error; } - /* Get the DER encoding of the actual private key. - */ - data_size = 0; - result = asn1_read_value(pkcs8_asn, "privateKey", NULL, &data_size); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* Get the DER encoding of the actual private key. + */ + data_size = 0; + result = asn1_read_value (pkcs8_asn, "privateKey", NULL, &data_size); + if (result != ASN1_MEM_ERROR) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - data = gnutls_alloca(data_size); - if (data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto error; + data = gnutls_alloca (data_size); + if (data == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto error; } - result = asn1_read_value(pkcs8_asn, "privateKey", data, &data_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = asn1_read_value (pkcs8_asn, "privateKey", data, &data_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - asn1_delete_structure(&pkcs8_asn); + asn1_delete_structure (&pkcs8_asn); - tmp.data = data; - tmp.size = data_size; + tmp.data = data; + tmp.size = data_size; - pkey->pk_algorithm = GNUTLS_PK_RSA; + pkey->pk_algorithm = GNUTLS_PK_RSA; - ret_asn = _gnutls_privkey_decode_pkcs1_rsa_key(&tmp, pkey); - if (ret_asn == NULL) { - gnutls_assert(); + ret_asn = _gnutls_privkey_decode_pkcs1_rsa_key (&tmp, pkey); + if (ret_asn == NULL) + { + gnutls_assert (); } - *out = ret_asn; + *out = ret_asn; - return 0; + return 0; - error: - asn1_delete_structure(&pkcs8_asn); - if (data != NULL) { - gnutls_afree(data); +error: + asn1_delete_structure (&pkcs8_asn); + if (data != NULL) + { + gnutls_afree (data); } - return result; + return result; } @@ -826,1122 +882,1220 @@ int decode_private_key_info(const gnutls_datum_t * der, * Returns 0 on success. * **/ -int gnutls_x509_privkey_import_pkcs8(gnutls_x509_privkey_t key, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format, - const char *password, - unsigned int flags) +int +gnutls_x509_privkey_import_pkcs8 (gnutls_x509_privkey_t key, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format, + const char *password, unsigned int flags) { - int result = 0, need_free = 0; - gnutls_datum_t _data; - int encrypted; + int result = 0, need_free = 0; + gnutls_datum_t _data; + int encrypted; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - _data.data = data->data; - _data.size = data->size; + _data.data = data->data; + _data.size = data->size; - key->pk_algorithm = GNUTLS_PK_UNKNOWN; + key->pk_algorithm = GNUTLS_PK_UNKNOWN; - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) + { + opaque *out; - /* Try the first header - */ - result = - _gnutls_fbase64_decode(PEM_UNENCRYPTED_PKCS8, - data->data, data->size, &out); - encrypted = 0; + /* Try the first header + */ + result = + _gnutls_fbase64_decode (PEM_UNENCRYPTED_PKCS8, + data->data, data->size, &out); + encrypted = 0; - if (result < 0) { /* Try the encrypted header + if (result < 0) + { /* Try the encrypted header */ - result = - _gnutls_fbase64_decode(PEM_PKCS8, data->data, - data->size, &out); - - if (result <= 0) { - if (result == 0) - result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; + result = + _gnutls_fbase64_decode (PEM_PKCS8, data->data, data->size, &out); + + if (result <= 0) + { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return result; } - encrypted = 1; + encrypted = 1; } - _data.data = out; - _data.size = result; + _data.data = out; + _data.size = result; - need_free = 1; + need_free = 1; } - if (flags & GNUTLS_PKCS_PLAIN) { - result = decode_private_key_info(&_data, key, &key->key); - } else { /* encrypted. */ - result = decode_pkcs8_key(&_data, password, key, &key->key); + if (flags & GNUTLS_PKCS_PLAIN) + { + result = decode_private_key_info (&_data, key, &key->key); + } + else + { /* encrypted. */ + result = decode_pkcs8_key (&_data, password, key, &key->key); } - if (result < 0) { - gnutls_assert(); - goto cleanup; + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - if (need_free) - _gnutls_free_datum(&_data); + if (need_free) + _gnutls_free_datum (&_data); - /* The key has now been decoded. - */ + /* The key has now been decoded. + */ - return 0; + return 0; - cleanup: - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - if (need_free) - _gnutls_free_datum(&_data); - return result; +cleanup: + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + if (need_free) + _gnutls_free_datum (&_data); + return result; } /* Reads the PBKDF2 parameters. */ -static int read_pbkdf2_params(ASN1_TYPE pbes2_asn, - const gnutls_datum_t * der, - struct pbkdf2_params *params) +static int +read_pbkdf2_params (ASN1_TYPE pbes2_asn, + const gnutls_datum_t * der, struct pbkdf2_params *params) { - int params_start, params_end; - int params_len, len, result; - ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; - char oid[64]; - - memset(params, 0, sizeof(params)); - - /* Check the key derivation algorithm - */ - len = sizeof(oid); - result = - asn1_read_value(pbes2_asn, "keyDerivationFunc.algorithm", oid, - &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - _gnutls_hard_log("keyDerivationFunc.algorithm: %s\n", oid); - - if (strcmp(oid, PBKDF2_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log - ("PKCS #8 key derivation OID '%s' is unsupported.\n", oid); - return _gnutls_asn2err(result); - } - - result = - asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, - "keyDerivationFunc.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - params_len = params_end - params_start + 1; - - /* Now check the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBKDF2-params", - &pbkdf2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = - asn1_der_decoding(&pbkdf2_asn, &der->data[params_start], - params_len, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* read the salt */ - params->salt_size = sizeof(params->salt); - result = - asn1_read_value(pbkdf2_asn, "salt.specified", params->salt, - ¶ms->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.specified.size: %d\n", params->salt_size); - - /* read the iteration count - */ - result = - _gnutls_x509_read_uint(pbkdf2_asn, "iterationCount", - ¶ms->iter_count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", params->iter_count); - - /* read the keylength, if it is set. - */ - result = - _gnutls_x509_read_uint(pbkdf2_asn, "keyLength", ¶ms->key_size); - if (result < 0) { - params->key_size = 0; - } - _gnutls_hard_log("keyLength: %d\n", params->key_size); - - /* We don't read the PRF. We only use the default. - */ - - return 0; - - error: - asn1_delete_structure(&pbkdf2_asn); - return result; + int params_start, params_end; + int params_len, len, result; + ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; + char oid[64]; + + memset (params, 0, sizeof (params)); + + /* Check the key derivation algorithm + */ + len = sizeof (oid); + result = + asn1_read_value (pbes2_asn, "keyDerivationFunc.algorithm", oid, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + _gnutls_hard_log ("keyDerivationFunc.algorithm: %s\n", oid); + + if (strcmp (oid, PBKDF2_OID) != 0) + { + gnutls_assert (); + _gnutls_x509_log + ("PKCS #8 key derivation OID '%s' is unsupported.\n", oid); + return _gnutls_asn2err (result); + } + + result = + asn1_der_decoding_startEnd (pbes2_asn, der->data, der->size, + "keyDerivationFunc.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + params_len = params_end - params_start + 1; + + /* Now check the key derivation and the encryption + * functions. + */ + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-5-PBKDF2-params", + &pbkdf2_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + result = + asn1_der_decoding (&pbkdf2_asn, &der->data[params_start], + params_len, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* read the salt */ + params->salt_size = sizeof (params->salt); + result = + asn1_read_value (pbkdf2_asn, "salt.specified", params->salt, + ¶ms->salt_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + _gnutls_hard_log ("salt.specified.size: %d\n", params->salt_size); + + /* read the iteration count + */ + result = + _gnutls_x509_read_uint (pbkdf2_asn, "iterationCount", + ¶ms->iter_count); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; + } + _gnutls_hard_log ("iterationCount: %d\n", params->iter_count); + + /* read the keylength, if it is set. + */ + result = + _gnutls_x509_read_uint (pbkdf2_asn, "keyLength", ¶ms->key_size); + if (result < 0) + { + params->key_size = 0; + } + _gnutls_hard_log ("keyLength: %d\n", params->key_size); + + /* We don't read the PRF. We only use the default. + */ + + return 0; + +error: + asn1_delete_structure (&pbkdf2_asn); + return result; } /* Reads the PBE parameters from PKCS-12 schemas (*&#%*&#% RSA). */ -static int read_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - struct pbkdf2_params *params) +static int +read_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, struct pbkdf2_params *params) { - int result; + int result; - memset(params, 0, sizeof(params)); + memset (params, 0, sizeof (params)); - /* read the salt */ - params->salt_size = sizeof(params->salt); - result = - asn1_read_value(pbes2_asn, "salt", params->salt, - ¶ms->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* read the salt */ + params->salt_size = sizeof (params->salt); + result = + asn1_read_value (pbes2_asn, "salt", params->salt, ¶ms->salt_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - _gnutls_hard_log("salt.size: %d\n", params->salt_size); + _gnutls_hard_log ("salt.size: %d\n", params->salt_size); - /* read the iteration count - */ - result = - _gnutls_x509_read_uint(pbes2_asn, "iterations", - ¶ms->iter_count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; + /* read the iteration count + */ + result = + _gnutls_x509_read_uint (pbes2_asn, "iterations", ¶ms->iter_count); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; } - _gnutls_hard_log("iterationCount: %d\n", params->iter_count); + _gnutls_hard_log ("iterationCount: %d\n", params->iter_count); - params->key_size = 0; + params->key_size = 0; - return 0; + return 0; - error: - return result; +error: + return result; } /* Writes the PBE parameters for PKCS-12 schemas. */ -static int write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - const struct pbkdf2_params *kdf_params) +static int +write_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, + const struct pbkdf2_params *kdf_params) { - int result; - - /* write the salt - */ - result = - asn1_write_value(pbes2_asn, "salt", - kdf_params->salt, kdf_params->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.size: %d\n", kdf_params->salt_size); - - /* write the iteration count - */ - result = - _gnutls_x509_write_uint32(pbes2_asn, "iterations", - kdf_params->iter_count); - if (result < 0) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); - - return 0; - - error: - return result; + int result; + + /* write the salt + */ + result = + asn1_write_value (pbes2_asn, "salt", + kdf_params->salt, kdf_params->salt_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + _gnutls_hard_log ("salt.size: %d\n", kdf_params->salt_size); + + /* write the iteration count + */ + result = + _gnutls_x509_write_uint32 (pbes2_asn, "iterations", + kdf_params->iter_count); + if (result < 0) + { + gnutls_assert (); + goto error; + } + _gnutls_hard_log ("iterationCount: %d\n", kdf_params->iter_count); + + return 0; + +error: + return result; } /* Converts an OID to a gnutls cipher type. */ -inline - static int oid2cipher(const char *oid, - gnutls_cipher_algorithm_t * algo) +inline static int +oid2cipher (const char *oid, gnutls_cipher_algorithm_t * algo) { - *algo = 0; + *algo = 0; - if (strcmp(oid, DES_EDE3_CBC_OID) == 0) { - *algo = GNUTLS_CIPHER_3DES_CBC; - return 0; + if (strcmp (oid, DES_EDE3_CBC_OID) == 0) + { + *algo = GNUTLS_CIPHER_3DES_CBC; + return 0; } - if (strcmp(oid, DES_CBC_OID) == 0) { - *algo = GNUTLS_CIPHER_DES_CBC; - return 0; + if (strcmp (oid, DES_CBC_OID) == 0) + { + *algo = GNUTLS_CIPHER_DES_CBC; + return 0; } - _gnutls_x509_log("PKCS #8 encryption OID '%s' is unsupported.\n", oid); - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + _gnutls_x509_log ("PKCS #8 encryption OID '%s' is unsupported.\n", oid); + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; } -static int read_pbe_enc_params(ASN1_TYPE pbes2_asn, - const gnutls_datum_t * der, - struct pbe_enc_params *params) +static int +read_pbe_enc_params (ASN1_TYPE pbes2_asn, + const gnutls_datum_t * der, + struct pbe_enc_params *params) { - int params_start, params_end; - int params_len, len, result; - ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; - char oid[64]; - - memset(params, 0, sizeof(params)); - - /* Check the encryption algorithm - */ - len = sizeof(oid); - result = - asn1_read_value(pbes2_asn, "encryptionScheme.algorithm", oid, - &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("encryptionScheme.algorithm: %s\n", oid); - - if ((result = oid2cipher(oid, ¶ms->cipher)) < 0) { - gnutls_assert(); - goto error; - } - - result = - asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, - "encryptionScheme.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - params_len = params_end - params_start + 1; - - /* Now check the encryption parameters. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-des-EDE3-CBC-params", - &pbe_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = - asn1_der_decoding(&pbe_asn, &der->data[params_start], - params_len, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* read the IV */ - params->iv_size = sizeof(params->iv); - result = asn1_read_value(pbe_asn, "", params->iv, ¶ms->iv_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("IV.size: %d\n", params->iv_size); - - return 0; - - error: - asn1_delete_structure(&pbe_asn); - return result; + int params_start, params_end; + int params_len, len, result; + ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; + char oid[64]; + + memset (params, 0, sizeof (params)); + + /* Check the encryption algorithm + */ + len = sizeof (oid); + result = + asn1_read_value (pbes2_asn, "encryptionScheme.algorithm", oid, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; + } + _gnutls_hard_log ("encryptionScheme.algorithm: %s\n", oid); + + if ((result = oid2cipher (oid, ¶ms->cipher)) < 0) + { + gnutls_assert (); + goto error; + } + + result = + asn1_der_decoding_startEnd (pbes2_asn, der->data, der->size, + "encryptionScheme.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + params_len = params_end - params_start + 1; + + /* Now check the encryption parameters. + */ + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-5-des-EDE3-CBC-params", + &pbe_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + result = + asn1_der_decoding (&pbe_asn, &der->data[params_start], params_len, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* read the IV */ + params->iv_size = sizeof (params->iv); + result = asn1_read_value (pbe_asn, "", params->iv, ¶ms->iv_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + _gnutls_hard_log ("IV.size: %d\n", params->iv_size); + + return 0; + +error: + asn1_delete_structure (&pbe_asn); + return result; } -static int decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn, - const char *root, const char *password, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params, - gnutls_datum_t * decrypted_data) +static int +decrypt_data (schema_id schema, ASN1_TYPE pkcs8_asn, + const char *root, const char *password, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params, + gnutls_datum_t * decrypted_data) { - int result; - int data_size; - opaque *data = NULL, *key = NULL; - gnutls_datum_t dkey, d_iv; - cipher_hd_t ch = NULL; - int key_size; - - data_size = 0; - result = asn1_read_value(pkcs8_asn, root, NULL, &data_size); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - data = gnutls_malloc(data_size); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - result = asn1_read_value(pkcs8_asn, root, data, &data_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - if (kdf_params->key_size == 0) { - key_size = gnutls_cipher_get_key_size(enc_params->cipher); - } else - key_size = kdf_params->key_size; - - key = gnutls_alloca(key_size); - if (key == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - /* generate the key - */ - if (schema == PBES2) { - result = gc_pbkdf2_sha1(password, strlen(password), - kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, key, key_size); - - if (result != GC_OK) { - gnutls_assert(); - result = GNUTLS_E_DECRYPTION_FAILED; - goto error; + int result; + int data_size; + opaque *data = NULL, *key = NULL; + gnutls_datum_t dkey, d_iv; + cipher_hd_t ch = NULL; + int key_size; + + data_size = 0; + result = asn1_read_value (pkcs8_asn, root, NULL, &data_size); + if (result != ASN1_MEM_ERROR) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + data = gnutls_malloc (data_size); + if (data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_read_value (pkcs8_asn, root, data, &data_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + if (kdf_params->key_size == 0) + { + key_size = gnutls_cipher_get_key_size (enc_params->cipher); + } + else + key_size = kdf_params->key_size; + + key = gnutls_alloca (key_size); + if (key == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + /* generate the key + */ + if (schema == PBES2) + { + result = gc_pbkdf2_sha1 (password, strlen (password), + kdf_params->salt, kdf_params->salt_size, + kdf_params->iter_count, key, key_size); + + if (result != GC_OK) + { + gnutls_assert (); + result = GNUTLS_E_DECRYPTION_FAILED; + goto error; } - } else { - result = - _pkcs12_string_to_key(1 /*KEY*/, kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, password, - key_size, key); - - if (result < 0) { - gnutls_assert(); - goto error; + } + else + { + result = + _pkcs12_string_to_key (1 /*KEY*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + key_size, key); + + if (result < 0) + { + gnutls_assert (); + goto error; } } - /* do the decryption. - */ - dkey.data = key; - dkey.size = key_size; + /* do the decryption. + */ + dkey.data = key; + dkey.size = key_size; - d_iv.data = (opaque *) enc_params->iv; - d_iv.size = enc_params->iv_size; - ch = _gnutls_cipher_init(enc_params->cipher, &dkey, &d_iv); + d_iv.data = (opaque *) enc_params->iv; + d_iv.size = enc_params->iv_size; + ch = _gnutls_cipher_init (enc_params->cipher, &dkey, &d_iv); - gnutls_afree(key); - key = NULL; + gnutls_afree (key); + key = NULL; - if (ch == NULL) { - gnutls_assert(); - result = GNUTLS_E_DECRYPTION_FAILED; - goto error; + if (ch == NULL) + { + gnutls_assert (); + result = GNUTLS_E_DECRYPTION_FAILED; + goto error; } - result = _gnutls_cipher_decrypt(ch, data, data_size); - if (result < 0) { - gnutls_assert(); - goto error; + result = _gnutls_cipher_decrypt (ch, data, data_size); + if (result < 0) + { + gnutls_assert (); + goto error; } - decrypted_data->data = data; + decrypted_data->data = data; - if (_gnutls_cipher_get_block_size(enc_params->cipher) != 1) - decrypted_data->size = data_size - data[data_size - 1]; - else - decrypted_data->size = data_size; + if (_gnutls_cipher_get_block_size (enc_params->cipher) != 1) + decrypted_data->size = data_size - data[data_size - 1]; + else + decrypted_data->size = data_size; - _gnutls_cipher_deinit(ch); + _gnutls_cipher_deinit (ch); - return 0; + return 0; - error: - gnutls_free(data); - gnutls_afree(key); - if (ch != NULL) - _gnutls_cipher_deinit(ch); - return result; +error: + gnutls_free (data); + gnutls_afree (key); + if (ch != NULL) + _gnutls_cipher_deinit (ch); + return result; } /* Writes the PBKDF2 parameters. */ -static int write_pbkdf2_params(ASN1_TYPE pbes2_asn, - const struct pbkdf2_params *kdf_params) +static int +write_pbkdf2_params (ASN1_TYPE pbes2_asn, + const struct pbkdf2_params *kdf_params) { - int result; - ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; - opaque tmp[64]; - - /* Write the key derivation algorithm - */ - result = - asn1_write_value(pbes2_asn, "keyDerivationFunc.algorithm", - PBKDF2_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* Now write the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBKDF2-params", - &pbkdf2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = asn1_write_value(pbkdf2_asn, "salt", "specified", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* write the salt - */ - result = - asn1_write_value(pbkdf2_asn, "salt.specified", - kdf_params->salt, kdf_params->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.specified.size: %d\n", kdf_params->salt_size); - - /* write the iteration count - */ - _gnutls_write_uint32(kdf_params->iter_count, tmp); - - result = asn1_write_value(pbkdf2_asn, "iterationCount", tmp, 4); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); - - /* write the keylength, if it is set. - */ - result = asn1_write_value(pbkdf2_asn, "keyLength", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* We write an emptry prf. - */ - result = asn1_write_value(pbkdf2_asn, "prf", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* now encode them an put the DER output - * in the keyDerivationFunc.parameters - */ - result = _gnutls_x509_der_encode_and_copy(pbkdf2_asn, "", - pbes2_asn, - "keyDerivationFunc.parameters", - 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - - return 0; - - error: - asn1_delete_structure(&pbkdf2_asn); - return result; + int result; + ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; + opaque tmp[64]; + + /* Write the key derivation algorithm + */ + result = + asn1_write_value (pbes2_asn, "keyDerivationFunc.algorithm", + PBKDF2_OID, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + /* Now write the key derivation and the encryption + * functions. + */ + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-5-PBKDF2-params", + &pbkdf2_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + result = asn1_write_value (pbkdf2_asn, "salt", "specified", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* write the salt + */ + result = + asn1_write_value (pbkdf2_asn, "salt.specified", + kdf_params->salt, kdf_params->salt_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + _gnutls_hard_log ("salt.specified.size: %d\n", kdf_params->salt_size); + + /* write the iteration count + */ + _gnutls_write_uint32 (kdf_params->iter_count, tmp); + + result = asn1_write_value (pbkdf2_asn, "iterationCount", tmp, 4); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + _gnutls_hard_log ("iterationCount: %d\n", kdf_params->iter_count); + + /* write the keylength, if it is set. + */ + result = asn1_write_value (pbkdf2_asn, "keyLength", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* We write an emptry prf. + */ + result = asn1_write_value (pbkdf2_asn, "prf", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* now encode them an put the DER output + * in the keyDerivationFunc.parameters + */ + result = _gnutls_x509_der_encode_and_copy (pbkdf2_asn, "", + pbes2_asn, + "keyDerivationFunc.parameters", + 0); + if (result < 0) + { + gnutls_assert (); + goto error; + } + + return 0; + +error: + asn1_delete_structure (&pbkdf2_asn); + return result; } -static int write_pbe_enc_params(ASN1_TYPE pbes2_asn, - const struct pbe_enc_params *params) +static int +write_pbe_enc_params (ASN1_TYPE pbes2_asn, + const struct pbe_enc_params *params) { - int result; - ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; - - /* Write the encryption algorithm - */ - result = - asn1_write_value(pbes2_asn, "encryptionScheme.algorithm", - DES_EDE3_CBC_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("encryptionScheme.algorithm: %s\n", DES_EDE3_CBC_OID); - - /* Now check the encryption parameters. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-des-EDE3-CBC-params", - &pbe_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* read the salt */ - result = asn1_write_value(pbe_asn, "", params->iv, params->iv_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("IV.size: %d\n", params->iv_size); - - /* now encode them an put the DER output - * in the encryptionScheme.parameters - */ - result = _gnutls_x509_der_encode_and_copy(pbe_asn, "", - pbes2_asn, - "encryptionScheme.parameters", - 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - - return 0; - - error: - asn1_delete_structure(&pbe_asn); - return result; + int result; + ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; + + /* Write the encryption algorithm + */ + result = + asn1_write_value (pbes2_asn, "encryptionScheme.algorithm", + DES_EDE3_CBC_OID, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; + } + _gnutls_hard_log ("encryptionScheme.algorithm: %s\n", DES_EDE3_CBC_OID); + + /* Now check the encryption parameters. + */ + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-5-des-EDE3-CBC-params", + &pbe_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + /* read the salt */ + result = asn1_write_value (pbe_asn, "", params->iv, params->iv_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + _gnutls_hard_log ("IV.size: %d\n", params->iv_size); + + /* now encode them an put the DER output + * in the encryptionScheme.parameters + */ + result = _gnutls_x509_der_encode_and_copy (pbe_asn, "", + pbes2_asn, + "encryptionScheme.parameters", + 0); + if (result < 0) + { + gnutls_assert (); + goto error; + } + + return 0; + +error: + asn1_delete_structure (&pbe_asn); + return result; } /* Generates a key and also stores the key parameters. */ -static int generate_key(schema_id schema, - const char *password, - struct pbkdf2_params *kdf_params, - struct pbe_enc_params *enc_params, - gnutls_datum_t * key) +static int +generate_key (schema_id schema, + const char *password, + struct pbkdf2_params *kdf_params, + struct pbe_enc_params *enc_params, gnutls_datum_t * key) { - opaque rnd[2]; - int ret; - - /* We should use the flags here to use different - * encryption algorithms etc. - */ - - if (schema == PKCS12_ARCFOUR_SHA1) - enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; - else if (schema == PKCS12_3DES_SHA1) - enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; - else if (schema == PKCS12_RC2_40_SHA1) - enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; - - if (gc_pseudo_random (rnd, 2) != GC_OK) { - gnutls_assert(); + opaque rnd[2]; + int ret; + + /* We should use the flags here to use different + * encryption algorithms etc. + */ + + if (schema == PKCS12_ARCFOUR_SHA1) + enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; + else if (schema == PKCS12_3DES_SHA1) + enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; + else if (schema == PKCS12_RC2_40_SHA1) + enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; + + if (gc_pseudo_random (rnd, 2) != GC_OK) + { + gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; } - /* generate salt */ + /* generate salt */ - if (schema == PBES2) - kdf_params->salt_size = - MIN(sizeof(kdf_params->salt), (uint) (10 + (rnd[1] % 10))); - else - kdf_params->salt_size = 8; + if (schema == PBES2) + kdf_params->salt_size = + MIN (sizeof (kdf_params->salt), (uint) (10 + (rnd[1] % 10))); + else + kdf_params->salt_size = 8; - if (gc_pseudo_random (kdf_params->salt, kdf_params->salt_size) != GC_OK) { - gnutls_assert(); + if (gc_pseudo_random (kdf_params->salt, kdf_params->salt_size) != GC_OK) + { + gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; } - kdf_params->iter_count = 256 + rnd[0]; - key->size = kdf_params->key_size = - gnutls_cipher_get_key_size(enc_params->cipher); + kdf_params->iter_count = 256 + rnd[0]; + key->size = kdf_params->key_size = + gnutls_cipher_get_key_size (enc_params->cipher); - enc_params->iv_size = _gnutls_cipher_get_iv_size(enc_params->cipher); + enc_params->iv_size = _gnutls_cipher_get_iv_size (enc_params->cipher); - key->data = gnutls_secure_malloc(key->size); - if (key->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + key->data = gnutls_secure_malloc (key->size); + if (key->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - /* now generate the key. - */ + /* now generate the key. + */ - if (schema == PBES2) { + if (schema == PBES2) + { - ret = gc_pbkdf2_sha1(password, strlen(password), - kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, - key->data, kdf_params->key_size); - if (ret != GC_OK) { - gnutls_assert(); - return GNUTLS_E_ENCRYPTION_FAILED; + ret = gc_pbkdf2_sha1 (password, strlen (password), + kdf_params->salt, kdf_params->salt_size, + kdf_params->iter_count, + key->data, kdf_params->key_size); + if (ret != GC_OK) + { + gnutls_assert (); + return GNUTLS_E_ENCRYPTION_FAILED; } - if (enc_params->iv_size && - gc_nonce (enc_params->iv, enc_params->iv_size) != GC_OK) { - gnutls_assert(); - return GNUTLS_E_RANDOM_FAILED; + if (enc_params->iv_size && + gc_nonce (enc_params->iv, enc_params->iv_size) != GC_OK) + { + gnutls_assert (); + return GNUTLS_E_RANDOM_FAILED; } - } else { /* PKCS12 schemas */ - ret = - _pkcs12_string_to_key(1 /*KEY*/, kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, password, - kdf_params->key_size, key->data); - if (ret < 0) { - gnutls_assert(); - return ret; + } + else + { /* PKCS12 schemas */ + ret = + _pkcs12_string_to_key (1 /*KEY*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + kdf_params->key_size, key->data); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* Now generate the IV - */ - if (enc_params->iv_size) { - ret = - _pkcs12_string_to_key(2 /*IV*/, kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, password, - enc_params->iv_size, enc_params->iv); - if (ret < 0) { - gnutls_assert(); - return ret; + /* Now generate the IV + */ + if (enc_params->iv_size) + { + ret = + _pkcs12_string_to_key (2 /*IV*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + enc_params->iv_size, enc_params->iv); + if (ret < 0) + { + gnutls_assert (); + return ret; } } } - return 0; + return 0; } /* Encodes the parameters to be written in the encryptionAlgorithm.parameters * part. */ -static int write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, - const char *where, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params) +static int +write_schema_params (schema_id schema, ASN1_TYPE pkcs8_asn, + const char *where, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params) { - int result; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; - - if (schema == PBES2) { - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBES2-params", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + int result; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; + + if (schema == PBES2) + { + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-5-PBES2-params", + &pbes2_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = write_pbkdf2_params(pbes2_asn, kdf_params); - if (result < 0) { - gnutls_assert(); - goto error; + result = write_pbkdf2_params (pbes2_asn, kdf_params); + if (result < 0) + { + gnutls_assert (); + goto error; } - result = write_pbe_enc_params(pbes2_asn, enc_params); - if (result < 0) { - gnutls_assert(); - goto error; + result = write_pbe_enc_params (pbes2_asn, enc_params); + if (result < 0) + { + gnutls_assert (); + goto error; } - result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", - pkcs8_asn, where, 0); - if (result < 0) { - gnutls_assert(); - goto error; + result = _gnutls_x509_der_encode_and_copy (pbes2_asn, "", + pkcs8_asn, where, 0); + if (result < 0) + { + gnutls_assert (); + goto error; } - asn1_delete_structure(&pbes2_asn); - } else { /* PKCS12 schemas */ + asn1_delete_structure (&pbes2_asn); + } + else + { /* PKCS12 schemas */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-PbeParams", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-12-PbeParams", + &pbes2_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - result = write_pkcs12_kdf_params(pbes2_asn, kdf_params); - if (result < 0) { - gnutls_assert(); - goto error; + result = write_pkcs12_kdf_params (pbes2_asn, kdf_params); + if (result < 0) + { + gnutls_assert (); + goto error; } - result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", - pkcs8_asn, where, 0); - if (result < 0) { - gnutls_assert(); - goto error; + result = _gnutls_x509_der_encode_and_copy (pbes2_asn, "", + pkcs8_asn, where, 0); + if (result < 0) + { + gnutls_assert (); + goto error; } - asn1_delete_structure(&pbes2_asn); + asn1_delete_structure (&pbes2_asn); } - return 0; + return 0; - error: - asn1_delete_structure(&pbes2_asn); - return result; +error: + asn1_delete_structure (&pbes2_asn); + return result; } -static int encrypt_data(const gnutls_datum_t * plain, - const struct pbe_enc_params *enc_params, - gnutls_datum_t * key, gnutls_datum_t * encrypted) +static int +encrypt_data (const gnutls_datum_t * plain, + const struct pbe_enc_params *enc_params, + gnutls_datum_t * key, gnutls_datum_t * encrypted) { - int result; - int data_size; - opaque *data = NULL; - gnutls_datum_t d_iv; - cipher_hd_t ch = NULL; - opaque pad, pad_size; + int result; + int data_size; + opaque *data = NULL; + gnutls_datum_t d_iv; + cipher_hd_t ch = NULL; + opaque pad, pad_size; - pad_size = _gnutls_cipher_get_block_size(enc_params->cipher); + pad_size = _gnutls_cipher_get_block_size (enc_params->cipher); - if (pad_size == 1) /* stream */ - pad_size = 0; + if (pad_size == 1) /* stream */ + pad_size = 0; - data = gnutls_malloc(plain->size + pad_size); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + data = gnutls_malloc (plain->size + pad_size); + if (data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - memcpy(data, plain->data, plain->size); + memcpy (data, plain->data, plain->size); - if (pad_size > 0) { - pad = pad_size - (plain->size % pad_size); - if (pad == 0) - pad = pad_size; - memset(&data[plain->size], pad, pad); - } else - pad = 0; + if (pad_size > 0) + { + pad = pad_size - (plain->size % pad_size); + if (pad == 0) + pad = pad_size; + memset (&data[plain->size], pad, pad); + } + else + pad = 0; - data_size = plain->size + pad; + data_size = plain->size + pad; - d_iv.data = (opaque *) enc_params->iv; - d_iv.size = enc_params->iv_size; - ch = _gnutls_cipher_init(enc_params->cipher, key, &d_iv); + d_iv.data = (opaque *) enc_params->iv; + d_iv.size = enc_params->iv_size; + ch = _gnutls_cipher_init (enc_params->cipher, key, &d_iv); - if (ch == GNUTLS_CIPHER_FAILED) { - gnutls_assert(); - result = GNUTLS_E_ENCRYPTION_FAILED; - goto error; + if (ch == GNUTLS_CIPHER_FAILED) + { + gnutls_assert (); + result = GNUTLS_E_ENCRYPTION_FAILED; + goto error; } - result = _gnutls_cipher_encrypt(ch, data, data_size); - if (result < 0) { - gnutls_assert(); - goto error; + result = _gnutls_cipher_encrypt (ch, data, data_size); + if (result < 0) + { + gnutls_assert (); + goto error; } - encrypted->data = data; - encrypted->size = data_size; + encrypted->data = data; + encrypted->size = data_size; - _gnutls_cipher_deinit(ch); + _gnutls_cipher_deinit (ch); - return 0; + return 0; - error: - gnutls_free(data); - if (ch != NULL) - _gnutls_cipher_deinit(ch); - return result; +error: + gnutls_free (data); + if (ch != NULL) + _gnutls_cipher_deinit (ch); + return result; } /* Decrypts a PKCS #7 encryptedData. The output is allocated * and stored in dec. */ -int _gnutls_pkcs7_decrypt_data(const gnutls_datum_t * data, - const char *password, gnutls_datum_t * dec) +int +_gnutls_pkcs7_decrypt_data (const gnutls_datum_t * data, + const char *password, gnutls_datum_t * dec) { - int result, len; - char enc_oid[64]; - gnutls_datum_t tmp; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs7_asn = ASN1_TYPE_EMPTY; - int params_start, params_end, params_len; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - schema_id schema; - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-7-EncryptedData", - &pkcs7_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = asn1_der_decoding(&pkcs7_asn, data->data, data->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Check the encryption schema OID - */ - len = sizeof(enc_oid); - result = - asn1_read_value(pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - enc_oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - if ((result = check_schema(enc_oid)) < 0) { - gnutls_assert(); - goto error; - } - schema = result; - - /* Get the DER encoding of the parameters. - */ - result = - asn1_der_decoding_startEnd(pkcs7_asn, data->data, data->size, - "encryptedContentInfo.contentEncryptionAlgorithm.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - params_len = params_end - params_start + 1; - - result = - read_pkcs_schema_params(schema, password, - &data->data[params_start], - params_len, &kdf_params, &enc_params); - if (result < ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Parameters have been decoded. Now - * decrypt the EncryptedData. - */ - - result = - decrypt_data(schema, pkcs7_asn, - "encryptedContentInfo.encryptedContent", password, - &kdf_params, &enc_params, &tmp); - if (result < 0) { - gnutls_assert(); - goto error; - } - - asn1_delete_structure(&pkcs7_asn); - - *dec = tmp; - - return 0; - - error: - asn1_delete_structure(&pbes2_asn); - asn1_delete_structure(&pkcs7_asn); - return result; + int result, len; + char enc_oid[64]; + gnutls_datum_t tmp; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs7_asn = ASN1_TYPE_EMPTY; + int params_start, params_end, params_len; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + schema_id schema; + + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-7-EncryptedData", + &pkcs7_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + result = asn1_der_decoding (&pkcs7_asn, data->data, data->size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Check the encryption schema OID + */ + len = sizeof (enc_oid); + result = + asn1_read_value (pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + enc_oid, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + if ((result = check_schema (enc_oid)) < 0) + { + gnutls_assert (); + goto error; + } + schema = result; + + /* Get the DER encoding of the parameters. + */ + result = + asn1_der_decoding_startEnd (pkcs7_asn, data->data, data->size, + "encryptedContentInfo.contentEncryptionAlgorithm.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + params_len = params_end - params_start + 1; + + result = + read_pkcs_schema_params (schema, password, + &data->data[params_start], + params_len, &kdf_params, &enc_params); + if (result < ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Parameters have been decoded. Now + * decrypt the EncryptedData. + */ + + result = + decrypt_data (schema, pkcs7_asn, + "encryptedContentInfo.encryptedContent", password, + &kdf_params, &enc_params, &tmp); + if (result < 0) + { + gnutls_assert (); + goto error; + } + + asn1_delete_structure (&pkcs7_asn); + + *dec = tmp; + + return 0; + +error: + asn1_delete_structure (&pbes2_asn); + asn1_delete_structure (&pkcs7_asn); + return result; } /* Encrypts to a PKCS #7 encryptedData. The output is allocated * and stored in enc. */ -int _gnutls_pkcs7_encrypt_data(schema_id schema, - const gnutls_datum_t * data, - const char *password, gnutls_datum_t * enc) +int +_gnutls_pkcs7_encrypt_data (schema_id schema, + const gnutls_datum_t * data, + const char *password, gnutls_datum_t * enc) { - int result; - gnutls_datum_t key = { NULL, 0 }; - gnutls_datum_t tmp = { NULL, 0 }; - ASN1_TYPE pkcs7_asn = ASN1_TYPE_EMPTY; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-7-EncryptedData", - &pkcs7_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the encryption schema OID - */ - switch (schema) { + int result; + gnutls_datum_t key = { NULL, 0 }; + gnutls_datum_t tmp = { NULL, 0 }; + ASN1_TYPE pkcs7_asn = ASN1_TYPE_EMPTY; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + + + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-7-EncryptedData", + &pkcs7_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Write the encryption schema OID + */ + switch (schema) + { case PBES2: - result = - asn1_write_value(pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PBES2_OID, 1); - break; + result = + asn1_write_value (pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PBES2_OID, 1); + break; case PKCS12_3DES_SHA1: - result = - asn1_write_value(pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PKCS12_PBE_3DES_SHA1_OID, 1); - break; + result = + asn1_write_value (pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PKCS12_PBE_3DES_SHA1_OID, 1); + break; case PKCS12_ARCFOUR_SHA1: - result = - asn1_write_value(pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PKCS12_PBE_ARCFOUR_SHA1_OID, 1); - break; + result = + asn1_write_value (pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PKCS12_PBE_ARCFOUR_SHA1_OID, 1); + break; case PKCS12_RC2_40_SHA1: - result = - asn1_write_value(pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PKCS12_PBE_RC2_40_SHA1_OID, 1); - break; + result = + asn1_write_value (pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PKCS12_PBE_RC2_40_SHA1_OID, 1); + break; } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - /* Generate a symmetric key. - */ + /* Generate a symmetric key. + */ - result = - generate_key(schema, password, &kdf_params, &enc_params, &key); - if (result < 0) { - gnutls_assert(); - goto error; + result = generate_key (schema, password, &kdf_params, &enc_params, &key); + if (result < 0) + { + gnutls_assert (); + goto error; } - result = write_schema_params(schema, pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.parameters", - &kdf_params, &enc_params); - if (result < 0) { - gnutls_assert(); - goto error; + result = write_schema_params (schema, pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.parameters", + &kdf_params, &enc_params); + if (result < 0) + { + gnutls_assert (); + goto error; } - /* Parameters have been encoded. Now - * encrypt the Data. - */ - result = encrypt_data(data, &enc_params, &key, &tmp); - if (result < 0) { - gnutls_assert(); - goto error; + /* Parameters have been encoded. Now + * encrypt the Data. + */ + result = encrypt_data (data, &enc_params, &key, &tmp); + if (result < 0) + { + gnutls_assert (); + goto error; } - /* write the encrypted data. - */ - result = - asn1_write_value(pkcs7_asn, - "encryptedContentInfo.encryptedContent", tmp.data, - tmp.size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* write the encrypted data. + */ + result = + asn1_write_value (pkcs7_asn, + "encryptedContentInfo.encryptedContent", tmp.data, + tmp.size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - _gnutls_free_datum(&tmp); - _gnutls_free_datum(&key); + _gnutls_free_datum (&tmp); + _gnutls_free_datum (&key); - /* Now write the rest of the pkcs-7 stuff. - */ + /* Now write the rest of the pkcs-7 stuff. + */ - result = _gnutls_x509_write_uint32(pkcs7_asn, "version", 0); - if (result < 0) { - gnutls_assert(); - goto error; + result = _gnutls_x509_write_uint32 (pkcs7_asn, "version", 0); + if (result < 0) + { + gnutls_assert (); + goto error; } - result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentType", - DATA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = + asn1_write_value (pkcs7_asn, "encryptedContentInfo.contentType", + DATA_OID, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - result = asn1_write_value(pkcs7_asn, "unprotectedAttrs", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = asn1_write_value (pkcs7_asn, "unprotectedAttrs", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - /* Now encode and copy the DER stuff. - */ - result = _gnutls_x509_der_encode(pkcs7_asn, "", enc, 0); + /* Now encode and copy the DER stuff. + */ + result = _gnutls_x509_der_encode (pkcs7_asn, "", enc, 0); - asn1_delete_structure(&pkcs7_asn); + asn1_delete_structure (&pkcs7_asn); - if (result < 0) { - gnutls_assert(); - goto error; + if (result < 0) + { + gnutls_assert (); + goto error; } - error: - _gnutls_free_datum(&key); - _gnutls_free_datum(&tmp); - asn1_delete_structure(&pkcs7_asn); - return result; +error: + _gnutls_free_datum (&key); + _gnutls_free_datum (&tmp); + asn1_delete_structure (&pkcs7_asn); + return result; } diff --git a/lib/x509/rfc2818.h b/lib/x509/rfc2818.h index ed9749a734..4bea2165f6 100644 --- a/lib/x509/rfc2818.h +++ b/lib/x509/rfc2818.h @@ -22,5 +22,5 @@ * */ -int _gnutls_hostname_compare(const char *certname, const char *hostname); +int _gnutls_hostname_compare (const char *certname, const char *hostname); #define MAX_CN 256 diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c index a1075ce24a..e52a905fd4 100644 --- a/lib/x509/rfc2818_hostname.c +++ b/lib/x509/rfc2818_hostname.c @@ -32,38 +32,43 @@ /* compare hostname against certificate, taking account of wildcards * return 1 on success or 0 on error */ -int _gnutls_hostname_compare(const char *certname, const char *hostname) +int +_gnutls_hostname_compare (const char *certname, const char *hostname) { - const char *cmpstr1, *cmpstr2; + const char *cmpstr1, *cmpstr2; - if (strlen(certname) == 0 || strlen(hostname) == 0) - return 0; + if (strlen (certname) == 0 || strlen (hostname) == 0) + return 0; - if (strlen(certname) > 2 && strncmp(certname, "*.", 2) == 0) { - /* a wildcard certificate */ + if (strlen (certname) > 2 && strncmp (certname, "*.", 2) == 0) + { + /* a wildcard certificate */ - cmpstr1 = certname + 1; + cmpstr1 = certname + 1; - /* find the first dot in hostname, compare from there on */ - cmpstr2 = strchr(hostname, '.'); + /* find the first dot in hostname, compare from there on */ + cmpstr2 = strchr (hostname, '.'); - if (cmpstr2 == NULL) { - /* error, the hostname we're connecting to is only a local part */ - return 0; + if (cmpstr2 == NULL) + { + /* error, the hostname we're connecting to is only a local part */ + return 0; } - if (strcasecmp(cmpstr1, cmpstr2) == 0) { - return 1; + if (strcasecmp (cmpstr1, cmpstr2) == 0) + { + return 1; } - return 0; + return 0; } - if (strcasecmp(certname, hostname) == 0) { - return 1; + if (strcasecmp (certname, hostname) == 0) + { + return 1; } - return 0; + return 0; } /** @@ -79,64 +84,69 @@ int _gnutls_hostname_compare(const char *certname, const char *hostname) * Returns non zero on success, and zero on failure. * **/ -int gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert, - const char *hostname) +int +gnutls_x509_crt_check_hostname (gnutls_x509_crt_t cert, const char *hostname) { - char dnsname[MAX_CN]; - size_t dnsnamesize; - int found_dnsname = 0; - int ret = 0; - int i = 0; - - /* try matching against: - * 1) a DNS name as an alternative name (subjectAltName) extension - * in the certificate - * 2) the common name (CN) in the certificate - * - * either of these may be of the form: *.domain.tld - * - * only try (2) if there is no subjectAltName extension of - * type dNSName - */ - - /* Check through all included subjectAltName extensions, comparing - * against all those of type dNSName. - */ - for (i = 0; !(ret < 0); i++) { - - dnsnamesize = sizeof(dnsname); - ret = - gnutls_x509_crt_get_subject_alt_name(cert, i, - dnsname, &dnsnamesize, - NULL); - - if (ret == GNUTLS_SAN_DNSNAME) { - found_dnsname = 1; - if (_gnutls_hostname_compare(dnsname, hostname)) { - return 1; + char dnsname[MAX_CN]; + size_t dnsnamesize; + int found_dnsname = 0; + int ret = 0; + int i = 0; + + /* try matching against: + * 1) a DNS name as an alternative name (subjectAltName) extension + * in the certificate + * 2) the common name (CN) in the certificate + * + * either of these may be of the form: *.domain.tld + * + * only try (2) if there is no subjectAltName extension of + * type dNSName + */ + + /* Check through all included subjectAltName extensions, comparing + * against all those of type dNSName. + */ + for (i = 0; !(ret < 0); i++) + { + + dnsnamesize = sizeof (dnsname); + ret = + gnutls_x509_crt_get_subject_alt_name (cert, i, + dnsname, &dnsnamesize, NULL); + + if (ret == GNUTLS_SAN_DNSNAME) + { + found_dnsname = 1; + if (_gnutls_hostname_compare (dnsname, hostname)) + { + return 1; } } } - if (!found_dnsname) { - /* not got the necessary extension, use CN instead - */ - dnsnamesize = sizeof(dnsname); - if (gnutls_x509_crt_get_dn_by_oid(cert, OID_X520_COMMON_NAME, 0, - 0, dnsname, &dnsnamesize) < 0) { - /* got an error, can't find a name - */ - return 1; + if (!found_dnsname) + { + /* not got the necessary extension, use CN instead + */ + dnsnamesize = sizeof (dnsname); + if (gnutls_x509_crt_get_dn_by_oid (cert, OID_X520_COMMON_NAME, 0, + 0, dnsname, &dnsnamesize) < 0) + { + /* got an error, can't find a name + */ + return 1; } - if (_gnutls_hostname_compare(dnsname, hostname)) { - return 1; + if (_gnutls_hostname_compare (dnsname, hostname)) + { + return 1; } } - /* not found a matching name - */ - return 0; + /* not found a matching name + */ + return 0; } diff --git a/lib/x509/sign.c b/lib/x509/sign.c index e712858a1e..a26956adc2 100644 --- a/lib/x509/sign.c +++ b/lib/x509/sign.c @@ -48,68 +48,75 @@ /* Writes the digest information and the digest in a DER encoded * structure. The digest info is allocated and stored into the info structure. */ -static int encode_ber_digest_info(gnutls_digest_algorithm_t hash, - const gnutls_datum_t * digest, gnutls_datum_t * info) +static int +encode_ber_digest_info (gnutls_digest_algorithm_t hash, + const gnutls_datum_t * digest, gnutls_datum_t * info) { - ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; - int result; - const char *algo; - - algo = _gnutls_x509_mac_to_oid(hash); - if (algo == NULL) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_PK_ALGORITHM; + ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; + int result; + const char *algo; + + algo = _gnutls_x509_mac_to_oid (hash); + if (algo == NULL) + { + gnutls_assert (); + return GNUTLS_E_UNKNOWN_PK_ALGORITHM; } - if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.DigestInfo", - &dinfo)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if ((result = asn1_create_element (_gnutls_get_gnutls_asn (), + "GNUTLS.DigestInfo", + &dinfo)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_write_value(dinfo, "digestAlgorithm.algorithm", algo, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); + result = asn1_write_value (dinfo, "digestAlgorithm.algorithm", algo, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return _gnutls_asn2err (result); } - result = - asn1_write_value(dinfo, "digestAlgorithm.parameters", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); + result = asn1_write_value (dinfo, "digestAlgorithm.parameters", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return _gnutls_asn2err (result); } - result = asn1_write_value(dinfo, "digest", digest->data, digest->size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); + result = asn1_write_value (dinfo, "digest", digest->data, digest->size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return _gnutls_asn2err (result); } - info->size = 0; - asn1_der_coding(dinfo, "", NULL, &info->size, NULL); + info->size = 0; + asn1_der_coding (dinfo, "", NULL, &info->size, NULL); - info->data = gnutls_malloc(info->size); - if (info->data == NULL) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return GNUTLS_E_MEMORY_ERROR; + info->data = gnutls_malloc (info->size); + if (info->data == NULL) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return GNUTLS_E_MEMORY_ERROR; } - result = asn1_der_coding(dinfo, "", info->data, &info->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); + result = asn1_der_coding (dinfo, "", info->data, &info->size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return _gnutls_asn2err (result); } - asn1_delete_structure(&dinfo); + asn1_delete_structure (&dinfo); - return 0; + return 0; } /* if hash==MD5 then we do RSA-MD5 @@ -118,75 +125,80 @@ static int encode_ber_digest_info(gnutls_digest_algorithm_t hash, * params[1] is public key */ static int -pkcs1_rsa_sign(gnutls_digest_algorithm_t hash, const gnutls_datum_t * text, - mpi_t * params, int params_len, gnutls_datum_t * signature) +pkcs1_rsa_sign (gnutls_digest_algorithm_t hash, const gnutls_datum_t * text, + mpi_t * params, int params_len, gnutls_datum_t * signature) { - int ret; - opaque _digest[MAX_HASH_SIZE]; - GNUTLS_HASH_HANDLE hd; - gnutls_datum_t digest, info; - - hd = _gnutls_hash_init(HASH2MAC(hash)); - if (hd == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + int ret; + opaque _digest[MAX_HASH_SIZE]; + GNUTLS_HASH_HANDLE hd; + gnutls_datum_t digest, info; + + hd = _gnutls_hash_init (HASH2MAC (hash)); + if (hd == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - _gnutls_hash(hd, text->data, text->size); - _gnutls_hash_deinit(hd, _digest); + _gnutls_hash (hd, text->data, text->size); + _gnutls_hash_deinit (hd, _digest); - digest.data = _digest; - digest.size = _gnutls_hash_get_algo_len(HASH2MAC(hash)); + digest.data = _digest; + digest.size = _gnutls_hash_get_algo_len (HASH2MAC (hash)); - /* Encode the digest as a DigestInfo - */ - if ((ret = encode_ber_digest_info(hash, &digest, &info)) != 0) { - gnutls_assert(); - return ret; + /* Encode the digest as a DigestInfo + */ + if ((ret = encode_ber_digest_info (hash, &digest, &info)) != 0) + { + gnutls_assert (); + return ret; } - if ((ret = - _gnutls_sign(GNUTLS_PK_RSA, params, params_len, &info, - signature)) < 0) { - gnutls_assert(); - _gnutls_free_datum(&info); - return ret; + if ((ret = + _gnutls_sign (GNUTLS_PK_RSA, params, params_len, &info, + signature)) < 0) + { + gnutls_assert (); + _gnutls_free_datum (&info); + return ret; } - _gnutls_free_datum(&info); + _gnutls_free_datum (&info); - return 0; + return 0; } static int -dsa_sign(const gnutls_datum_t * text, - mpi_t * params, int params_len, gnutls_datum_t * signature) +dsa_sign (const gnutls_datum_t * text, + mpi_t * params, int params_len, gnutls_datum_t * signature) { - int ret; - opaque _digest[MAX_HASH_SIZE]; - GNUTLS_HASH_HANDLE hd; - gnutls_datum_t digest; - - hd = _gnutls_hash_init(GNUTLS_MAC_SHA1); - if (hd == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + int ret; + opaque _digest[MAX_HASH_SIZE]; + GNUTLS_HASH_HANDLE hd; + gnutls_datum_t digest; + + hd = _gnutls_hash_init (GNUTLS_MAC_SHA1); + if (hd == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - _gnutls_hash(hd, text->data, text->size); - _gnutls_hash_deinit(hd, _digest); + _gnutls_hash (hd, text->data, text->size); + _gnutls_hash_deinit (hd, _digest); - digest.data = _digest; - digest.size = 20; + digest.data = _digest; + digest.size = 20; - if ((ret = - _gnutls_sign(GNUTLS_PK_DSA, params, params_len, &digest, - signature)) < 0) { - gnutls_assert(); - return ret; + if ((ret = + _gnutls_sign (GNUTLS_PK_DSA, params, params_len, &digest, + signature)) < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } /* Signs the given data using the parameters from the signer's @@ -198,36 +210,39 @@ dsa_sign(const gnutls_datum_t * text, * 'signature' will hold the signature! * 'hash' is only used in PKCS1 RSA signing. */ -int _gnutls_x509_sign(const gnutls_datum_t * tbs, - gnutls_digest_algorithm_t hash, gnutls_x509_privkey_t signer, - gnutls_datum_t * signature) +int +_gnutls_x509_sign (const gnutls_datum_t * tbs, + gnutls_digest_algorithm_t hash, + gnutls_x509_privkey_t signer, gnutls_datum_t * signature) { - int ret; + int ret; - switch (signer->pk_algorithm) { + switch (signer->pk_algorithm) + { case GNUTLS_PK_RSA: - ret = - pkcs1_rsa_sign(hash, tbs, signer->params, signer->params_size, - signature); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = + pkcs1_rsa_sign (hash, tbs, signer->params, signer->params_size, + signature); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; - break; + return 0; + break; case GNUTLS_PK_DSA: - ret = - dsa_sign(tbs, signer->params, signer->params_size, signature); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = dsa_sign (tbs, signer->params, signer->params_size, signature); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; - break; + return 0; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } } @@ -236,39 +251,43 @@ int _gnutls_x509_sign(const gnutls_datum_t * tbs, * the ASN1_TYPE given, and sign the DER data. Actually used to get the DER * of the TBS and sign it on the fly. */ -int _gnutls_x509_sign_tbs(ASN1_TYPE cert, const char *tbs_name, - gnutls_digest_algorithm_t hash, gnutls_x509_privkey_t signer, - gnutls_datum_t * signature) +int +_gnutls_x509_sign_tbs (ASN1_TYPE cert, const char *tbs_name, + gnutls_digest_algorithm_t hash, + gnutls_x509_privkey_t signer, + gnutls_datum_t * signature) { - int result; - opaque *buf; - int buf_size; - gnutls_datum_t tbs; - - buf_size = 0; - asn1_der_coding(cert, tbs_name, NULL, &buf_size, NULL); - - buf = gnutls_alloca(buf_size); - if (buf == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + int result; + opaque *buf; + int buf_size; + gnutls_datum_t tbs; + + buf_size = 0; + asn1_der_coding (cert, tbs_name, NULL, &buf_size, NULL); + + buf = gnutls_alloca (buf_size); + if (buf == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - result = asn1_der_coding(cert, tbs_name, buf, &buf_size, NULL); + result = asn1_der_coding (cert, tbs_name, buf, &buf_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_afree(buf); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + gnutls_afree (buf); + return _gnutls_asn2err (result); } - tbs.data = buf; - tbs.size = buf_size; + tbs.data = buf; + tbs.size = buf_size; - result = _gnutls_x509_sign(&tbs, hash, signer, signature); - gnutls_afree(buf); + result = _gnutls_x509_sign (&tbs, hash, signer, signature); + gnutls_afree (buf); - return result; + return result; } /*- @@ -283,75 +302,82 @@ int _gnutls_x509_sign_tbs(ASN1_TYPE cert, const char *tbs_name, * Returns 0 on success. * -*/ -int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, - gnutls_digest_algorithm_t dig, - gnutls_x509_crt_t issuer, gnutls_x509_privkey_t issuer_key) +int +_gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name, + gnutls_digest_algorithm_t dig, + gnutls_x509_crt_t issuer, + gnutls_x509_privkey_t issuer_key) { - int result; - gnutls_datum_t signature; - char name[128]; - - /* Step 1. Copy the issuer's name into the certificate. - */ - _gnutls_str_cpy(name, sizeof(name), src_name); - _gnutls_str_cat(name, sizeof(name), ".issuer"); - - result = _gnutls_asn1_copy_node(&src, name, - issuer->cert, "tbsCertificate.subject"); - if (result < 0) { - gnutls_assert(); - return result; + int result; + gnutls_datum_t signature; + char name[128]; + + /* Step 1. Copy the issuer's name into the certificate. + */ + _gnutls_str_cpy (name, sizeof (name), src_name); + _gnutls_str_cat (name, sizeof (name), ".issuer"); + + result = _gnutls_asn1_copy_node (&src, name, + issuer->cert, "tbsCertificate.subject"); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Step 1.5. Write the signature stuff in the tbsCertificate. - */ - _gnutls_str_cpy(name, sizeof(name), src_name); - _gnutls_str_cat(name, sizeof(name), ".signature"); - - result = _gnutls_x509_write_sig_params(src, name, - issuer_key->pk_algorithm, dig, issuer_key->params, - issuer_key->params_size); - if (result < 0) { - gnutls_assert(); - return result; + /* Step 1.5. Write the signature stuff in the tbsCertificate. + */ + _gnutls_str_cpy (name, sizeof (name), src_name); + _gnutls_str_cat (name, sizeof (name), ".signature"); + + result = _gnutls_x509_write_sig_params (src, name, + issuer_key->pk_algorithm, dig, + issuer_key->params, + issuer_key->params_size); + if (result < 0) + { + gnutls_assert (); + return result; } - /* Step 2. Sign the certificate. - */ - result = _gnutls_x509_sign_tbs(src, src_name, dig, - issuer_key, &signature); + /* Step 2. Sign the certificate. + */ + result = _gnutls_x509_sign_tbs (src, src_name, dig, issuer_key, &signature); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - /* write the signature (bits) - */ - result = - asn1_write_value(src, "signature", signature.data, - signature.size * 8); + /* write the signature (bits) + */ + result = + asn1_write_value (src, "signature", signature.data, signature.size * 8); - _gnutls_free_datum(&signature); + _gnutls_free_datum (&signature); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - /* Step 3. Move up and write the AlgorithmIdentifier, which is also - * the same. - */ - - result = _gnutls_x509_write_sig_params(src, "signatureAlgorithm", - issuer_key->pk_algorithm, dig, issuer_key->params, - issuer_key->params_size); - if (result < 0) { - gnutls_assert(); - return result; + /* Step 3. Move up and write the AlgorithmIdentifier, which is also + * the same. + */ + + result = _gnutls_x509_write_sig_params (src, "signatureAlgorithm", + issuer_key->pk_algorithm, dig, + issuer_key->params, + issuer_key->params_size); + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } #endif diff --git a/lib/x509/sign.h b/lib/x509/sign.h index b06e57e48c..8ac00f43ed 100644 --- a/lib/x509/sign.h +++ b/lib/x509/sign.h @@ -22,12 +22,15 @@ * */ -int _gnutls_x509_sign(const gnutls_datum_t * tbs, - gnutls_digest_algorithm_t hash, gnutls_x509_privkey_t signer, - gnutls_datum_t * signature); -int _gnutls_x509_sign_tbs(ASN1_TYPE cert, const char *tbs_name, - gnutls_digest_algorithm_t hash, gnutls_x509_privkey_t signer, - gnutls_datum_t * signature); -int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, - gnutls_digest_algorithm_t, - gnutls_x509_crt_t issuer, gnutls_x509_privkey_t issuer_key); +int _gnutls_x509_sign (const gnutls_datum_t * tbs, + gnutls_digest_algorithm_t hash, + gnutls_x509_privkey_t signer, + gnutls_datum_t * signature); +int _gnutls_x509_sign_tbs (ASN1_TYPE cert, const char *tbs_name, + gnutls_digest_algorithm_t hash, + gnutls_x509_privkey_t signer, + gnutls_datum_t * signature); +int _gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name, + gnutls_digest_algorithm_t, + gnutls_x509_crt_t issuer, + gnutls_x509_privkey_t issuer_key); diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 5cca9431fa..fc2f2759a6 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -41,17 +41,20 @@ #include <common.h> #include <verify.h> -static int _gnutls_verify_certificate2(gnutls_x509_crt_t cert, - const gnutls_x509_crt_t *trusted_cas, int tcas_size, - unsigned int flags, unsigned int *output); -int _gnutls_x509_verify_signature(const gnutls_datum_t * signed_data, - const gnutls_datum_t * signature, gnutls_x509_crt_t issuer); +static int _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, + const gnutls_x509_crt_t * trusted_cas, + int tcas_size, unsigned int flags, + unsigned int *output); +int _gnutls_x509_verify_signature (const gnutls_datum_t * signed_data, + const gnutls_datum_t * signature, + gnutls_x509_crt_t issuer); static -int is_crl_issuer(gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer_cert); -static int _gnutls_verify_crl2(gnutls_x509_crl_t crl, - const gnutls_x509_crt_t * trusted_cas, int tcas_size, unsigned int flags, - unsigned int *output); + int is_crl_issuer (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer_cert); +static int _gnutls_verify_crl2 (gnutls_x509_crl_t crl, + const gnutls_x509_crt_t * trusted_cas, + int tcas_size, unsigned int flags, + unsigned int *output); /* Checks if the issuer of a certificate is a @@ -61,81 +64,88 @@ static int _gnutls_verify_crl2(gnutls_x509_crl_t crl, * Returns true or false, if the issuer is a CA, * or not. */ -static int check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, - unsigned int flags) +static int +check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, + unsigned int flags) { - gnutls_datum_t cert_signed_data = { NULL, 0 }; - gnutls_datum_t issuer_signed_data = { NULL, 0 }; - gnutls_datum_t cert_signature = { NULL, 0 }; - gnutls_datum_t issuer_signature = { NULL, 0 }; - int result; - - /* Check if the issuer is the same with the - * certificate. This is added in order for trusted - * certificates to be able to verify themselves. - */ - - result = - _gnutls_x509_get_signed_data(issuer->cert, "tbsCertificate", - &issuer_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = - _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate", - &cert_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = - _gnutls_x509_get_signature(issuer->cert, "signature", - &issuer_signature); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = - _gnutls_x509_get_signature(cert->cert, "signature", - &cert_signature); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - /* If the subject certificate is the same as the issuer - * return true. - */ - if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME)) - if (cert_signed_data.size == issuer_signed_data.size) { - if ((memcmp(cert_signed_data.data, issuer_signed_data.data, - cert_signed_data.size) == 0) && - (cert_signature.size == issuer_signature.size) && - (memcmp(cert_signature.data, issuer_signature.data, - cert_signature.size) == 0)) { - result = 1; - goto cleanup; - } - } + gnutls_datum_t cert_signed_data = { NULL, 0 }; + gnutls_datum_t issuer_signed_data = { NULL, 0 }; + gnutls_datum_t cert_signature = { NULL, 0 }; + gnutls_datum_t issuer_signature = { NULL, 0 }; + int result; + + /* Check if the issuer is the same with the + * certificate. This is added in order for trusted + * certificates to be able to verify themselves. + */ + + result = + _gnutls_x509_get_signed_data (issuer->cert, "tbsCertificate", + &issuer_signed_data); + if (result < 0) + { + gnutls_assert (); + goto cleanup; + } + + result = + _gnutls_x509_get_signed_data (cert->cert, "tbsCertificate", + &cert_signed_data); + if (result < 0) + { + gnutls_assert (); + goto cleanup; + } - if (gnutls_x509_crt_get_ca_status(issuer, NULL) == 1) { - result = 1; - goto cleanup; - } else - gnutls_assert(); + result = + _gnutls_x509_get_signature (issuer->cert, "signature", &issuer_signature); + if (result < 0) + { + gnutls_assert (); + goto cleanup; + } + + result = + _gnutls_x509_get_signature (cert->cert, "signature", &cert_signature); + if (result < 0) + { + gnutls_assert (); + goto cleanup; + } + + /* If the subject certificate is the same as the issuer + * return true. + */ + if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME)) + if (cert_signed_data.size == issuer_signed_data.size) + { + if ((memcmp (cert_signed_data.data, issuer_signed_data.data, + cert_signed_data.size) == 0) && + (cert_signature.size == issuer_signature.size) && + (memcmp (cert_signature.data, issuer_signature.data, + cert_signature.size) == 0)) + { + result = 1; + goto cleanup; + } + } + + if (gnutls_x509_crt_get_ca_status (issuer, NULL) == 1) + { + result = 1; + goto cleanup; + } + else + gnutls_assert (); - result = 0; + result = 0; - cleanup: - _gnutls_free_datum(&cert_signed_data); - _gnutls_free_datum(&issuer_signed_data); - _gnutls_free_datum(&cert_signature); - _gnutls_free_datum(&issuer_signature); - return result; +cleanup: + _gnutls_free_datum (&cert_signed_data); + _gnutls_free_datum (&issuer_signed_data); + _gnutls_free_datum (&cert_signature); + _gnutls_free_datum (&issuer_signature); + return result; } @@ -146,52 +156,55 @@ static int check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, * Returns 1 if they match and zero if they don't match. Otherwise * a negative value is returned to indicate error. */ -static -int is_issuer(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer_cert) +static int +is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer_cert) { - gnutls_datum_t dn1 = { NULL, 0 }, dn2 = { - NULL, 0}; - int ret; + gnutls_datum_t dn1 = { NULL, 0 }, dn2 = + { + NULL, 0}; + int ret; - ret = _gnutls_x509_crt_get_raw_issuer_dn(cert, &dn1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; + ret = _gnutls_x509_crt_get_raw_issuer_dn (cert, &dn1); + if (ret < 0) + { + gnutls_assert (); + goto cleanup; } - ret = _gnutls_x509_crt_get_raw_dn(issuer_cert, &dn2); - if (ret < 0) { - gnutls_assert(); - goto cleanup; + ret = _gnutls_x509_crt_get_raw_dn (issuer_cert, &dn2); + if (ret < 0) + { + gnutls_assert (); + goto cleanup; } - ret = _gnutls_x509_compare_raw_dn(&dn1, &dn2); + ret = _gnutls_x509_compare_raw_dn (&dn1, &dn2); - cleanup: - _gnutls_free_datum(&dn1); - _gnutls_free_datum(&dn2); - return ret; +cleanup: + _gnutls_free_datum (&dn1); + _gnutls_free_datum (&dn2); + return ret; } -static inline - gnutls_x509_crt_t find_issuer(gnutls_x509_crt_t cert, - const gnutls_x509_crt_t * trusted_cas, - int tcas_size) +static inline gnutls_x509_crt_t +find_issuer (gnutls_x509_crt_t cert, + const gnutls_x509_crt_t * trusted_cas, int tcas_size) { - int i; + int i; - /* this is serial search. - */ + /* this is serial search. + */ - for (i = 0; i < tcas_size; i++) { - if (is_issuer(cert, trusted_cas[i]) == 1) - return trusted_cas[i]; + for (i = 0; i < tcas_size; i++) + { + if (is_issuer (cert, trusted_cas[i]) == 1) + return trusted_cas[i]; } - gnutls_assert(); - return NULL; + gnutls_assert (); + return NULL; } @@ -208,91 +221,102 @@ static inline * Output will hold some extra information about the verification * procedure. */ -static int _gnutls_verify_certificate2(gnutls_x509_crt_t cert, - const gnutls_x509_crt_t *trusted_cas, int tcas_size, - unsigned int flags, unsigned int *output) +static int +_gnutls_verify_certificate2 (gnutls_x509_crt_t cert, + const gnutls_x509_crt_t * trusted_cas, + int tcas_size, unsigned int flags, + unsigned int *output) { - gnutls_datum_t cert_signed_data = { NULL, 0 }; - gnutls_datum_t cert_signature = { NULL, 0 }; - gnutls_x509_crt_t issuer; - int ret, issuer_version, result; - - if (output) - *output = 0; - - if (tcas_size >= 1) - issuer = find_issuer(cert, trusted_cas, tcas_size); - else { - gnutls_assert(); - if (output) - *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - return 0; + gnutls_datum_t cert_signed_data = { NULL, 0 }; + gnutls_datum_t cert_signature = { NULL, 0 }; + gnutls_x509_crt_t issuer; + int ret, issuer_version, result; + + if (output) + *output = 0; + + if (tcas_size >= 1) + issuer = find_issuer (cert, trusted_cas, tcas_size); + else + { + gnutls_assert (); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; + return 0; } - /* issuer is not in trusted certificate - * authorities. - */ - if (issuer == NULL) { - if (output) - *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - gnutls_assert(); - return 0; + /* issuer is not in trusted certificate + * authorities. + */ + if (issuer == NULL) + { + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; + gnutls_assert (); + return 0; } - issuer_version = gnutls_x509_crt_get_version(issuer); - if (issuer_version < 0) { - gnutls_assert(); - return issuer_version; + issuer_version = gnutls_x509_crt_get_version (issuer); + if (issuer_version < 0) + { + gnutls_assert (); + return issuer_version; } - if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && - !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) - && issuer_version == 1)) { - if (check_if_ca(cert, issuer, flags) == 0) { - gnutls_assert(); - if (output) - *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; - return 0; + if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && + !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1)) + { + if (check_if_ca (cert, issuer, flags) == 0) + { + gnutls_assert (); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; + return 0; } } - result = - _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate", - &cert_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = + _gnutls_x509_get_signed_data (cert->cert, "tbsCertificate", + &cert_signed_data); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = - _gnutls_x509_get_signature(cert->cert, "signature", - &cert_signature); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = + _gnutls_x509_get_signature (cert->cert, "signature", &cert_signature); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - ret = - _gnutls_x509_verify_signature(&cert_signed_data, &cert_signature, - issuer); - if (ret < 0) { - gnutls_assert(); - } else if (ret == 0) { - gnutls_assert(); - /* error. ignore it */ - if (output) - *output |= GNUTLS_CERT_INVALID; - ret = 0; + ret = + _gnutls_x509_verify_signature (&cert_signed_data, &cert_signature, + issuer); + if (ret < 0) + { + gnutls_assert (); + } + else if (ret == 0) + { + gnutls_assert (); + /* error. ignore it */ + if (output) + *output |= GNUTLS_CERT_INVALID; + ret = 0; } - /* If the certificate is not self signed check if the algorithms - * used are secure. If the certificate is self signed it doesn't - * really matter. - */ - if (is_issuer(cert, cert) == 0) { + /* If the certificate is not self signed check if the algorithms + * used are secure. If the certificate is self signed it doesn't + * really matter. + */ + if (is_issuer (cert, cert) == 0) + { int sigalg; - sigalg = gnutls_x509_crt_get_signature_algorithm(cert); + sigalg = gnutls_x509_crt_get_signature_algorithm (cert); if (((sigalg == GNUTLS_SIGN_RSA_MD2) && !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) || @@ -304,13 +328,13 @@ static int _gnutls_verify_certificate2(gnutls_x509_crt_t cert, } } - result = ret; + result = ret; - cleanup: - _gnutls_free_datum(&cert_signed_data); - _gnutls_free_datum(&cert_signature); +cleanup: + _gnutls_free_datum (&cert_signed_data); + _gnutls_free_datum (&cert_signature); - return result; + return result; } /** @@ -325,10 +349,11 @@ static int _gnutls_verify_certificate2(gnutls_x509_crt_t cert, * A negative value is returned in case of an error. * **/ -int gnutls_x509_crt_check_issuer(gnutls_x509_crt_t cert, - gnutls_x509_crt_t issuer) +int +gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert, + gnutls_x509_crt_t issuer) { - return is_issuer(cert, issuer); + return is_issuer (cert, issuer); } @@ -343,80 +368,89 @@ int gnutls_x509_crt_check_issuer(gnutls_x509_crt_t cert, * This function verifies a X.509 certificate list. The certificate list should * lead to a trusted CA in order to be trusted. */ -static -unsigned int _gnutls_x509_verify_certificate( - const gnutls_x509_crt_t *certificate_list, int clist_size, - const gnutls_x509_crt_t *trusted_cas, int tcas_size, - const gnutls_x509_crl_t *CRLs, int crls_size, - unsigned int flags) +static unsigned int +_gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, + int clist_size, + const gnutls_x509_crt_t * trusted_cas, + int tcas_size, + const gnutls_x509_crl_t * CRLs, + int crls_size, unsigned int flags) { - int i = 0, ret; - unsigned int status = 0, output; - - /* Verify the last certificate in the certificate path - * against the trusted CA certificate list. - * - * If no CAs are present returns CERT_INVALID. Thus works - * in self signed etc certificates. - */ - ret = - _gnutls_verify_certificate2(certificate_list[clist_size-1], - trusted_cas, tcas_size, flags, &output); - - if (ret == 0) { - /* if the last certificate in the certificate - * list is invalid, then the certificate is not - * trusted. - */ - gnutls_assert(); - status |= output; - status |= GNUTLS_CERT_INVALID; - return status; - } - - /* Check for revoked certificates in the chain - */ + int i = 0, ret; + unsigned int status = 0, output; + + /* Verify the last certificate in the certificate path + * against the trusted CA certificate list. + * + * If no CAs are present returns CERT_INVALID. Thus works + * in self signed etc certificates. + */ + ret = + _gnutls_verify_certificate2 (certificate_list[clist_size - 1], + trusted_cas, tcas_size, flags, &output); + + if (ret == 0) + { + /* if the last certificate in the certificate + * list is invalid, then the certificate is not + * trusted. + */ + gnutls_assert (); + status |= output; + status |= GNUTLS_CERT_INVALID; + return status; + } + + /* Check for revoked certificates in the chain + */ #ifdef ENABLE_PKI - for (i = 0; i < clist_size; i++) { - ret = gnutls_x509_crt_check_revocation(certificate_list[i], - CRLs, crls_size); - if (ret == 1) { /* revoked */ - status |= GNUTLS_CERT_REVOKED; - status |= GNUTLS_CERT_INVALID; - return status; + for (i = 0; i < clist_size; i++) + { + ret = gnutls_x509_crt_check_revocation (certificate_list[i], + CRLs, crls_size); + if (ret == 1) + { /* revoked */ + status |= GNUTLS_CERT_REVOKED; + status |= GNUTLS_CERT_INVALID; + return status; } } #endif - /* Check if the last certificate in the path is self signed. - * In that case ignore it (a certificate is trusted only if it - * leads to a trusted party by us, not the server's). - */ - if (gnutls_x509_crt_check_issuer( certificate_list[clist_size-1], - certificate_list[clist_size-1]) > 0 && clist_size > 0) { - clist_size--; - } - - /* Verify the certificate path (chain) - */ - for (i = clist_size-1; i > 0; i--) { - if (i - 1 < 0) - break; - - /* note that here we disable this V1 CA flag. So that no version 1 - * certificates can exist in a supplied chain. - */ - if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) - flags ^= GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT; - if ((ret = - _gnutls_verify_certificate2(certificate_list[i-1], - &certificate_list[i], 1, flags, NULL)) == 0) { - status |= GNUTLS_CERT_INVALID; - return status; + /* Check if the last certificate in the path is self signed. + * In that case ignore it (a certificate is trusted only if it + * leads to a trusted party by us, not the server's). + */ + if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], + certificate_list[clist_size - 1]) > 0 + && clist_size > 0) + { + clist_size--; + } + + /* Verify the certificate path (chain) + */ + for (i = clist_size - 1; i > 0; i--) + { + if (i - 1 < 0) + break; + + /* note that here we disable this V1 CA flag. So that no version 1 + * certificates can exist in a supplied chain. + */ + if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) + flags ^= GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT; + if ((ret = + _gnutls_verify_certificate2 (certificate_list[i - 1], + &certificate_list[i], 1, flags, + NULL)) == 0) + { + status |= GNUTLS_CERT_INVALID; + return status; } } - return 0; + return 0; } @@ -424,59 +458,64 @@ unsigned int _gnutls_x509_verify_certificate( * we use DER here, although we should use BER. It works fine * anyway. */ -static int decode_ber_digest_info(const gnutls_datum_t * info, - gnutls_mac_algorithm_t * hash, - opaque * digest, int *digest_size) +static int +decode_ber_digest_info (const gnutls_datum_t * info, + gnutls_mac_algorithm_t * hash, + opaque * digest, int *digest_size) { - ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; - int result; - char str[1024]; - int len; - - if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.DigestInfo", - &dinfo)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; + int result; + char str[1024]; + int len; + + if ((result = asn1_create_element (_gnutls_get_gnutls_asn (), + "GNUTLS.DigestInfo", + &dinfo)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&dinfo, info->data, info->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); + result = asn1_der_decoding (&dinfo, info->data, info->size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return _gnutls_asn2err (result); } - len = sizeof(str) - 1; - result = - asn1_read_value(dinfo, "digestAlgorithm.algorithm", str, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); + len = sizeof (str) - 1; + result = asn1_read_value (dinfo, "digestAlgorithm.algorithm", str, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return _gnutls_asn2err (result); } - *hash = _gnutls_x509_oid2mac_algorithm(str); + *hash = _gnutls_x509_oid2mac_algorithm (str); - if (*hash == GNUTLS_MAC_UNKNOWN) { + if (*hash == GNUTLS_MAC_UNKNOWN) + { - _gnutls_x509_log("verify.c: HASH OID: %s\n", str); + _gnutls_x509_log ("verify.c: HASH OID: %s\n", str); - gnutls_assert(); - asn1_delete_structure(&dinfo); - return GNUTLS_E_UNKNOWN_HASH_ALGORITHM; + gnutls_assert (); + asn1_delete_structure (&dinfo); + return GNUTLS_E_UNKNOWN_HASH_ALGORITHM; } - result = asn1_read_value(dinfo, "digest", digest, digest_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); + result = asn1_read_value (dinfo, "digest", digest, digest_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return _gnutls_asn2err (result); } - asn1_delete_structure(&dinfo); + asn1_delete_structure (&dinfo); - return 0; + return 0; } /* if hash==MD5 then we do RSA-MD5 @@ -485,123 +524,131 @@ static int decode_ber_digest_info(const gnutls_datum_t * info, * params[1] is public key */ static int -_pkcs1_rsa_verify_sig(const gnutls_datum_t * text, - const gnutls_datum_t * signature, mpi_t * params, - int params_len) +_pkcs1_rsa_verify_sig (const gnutls_datum_t * text, + const gnutls_datum_t * signature, mpi_t * params, + int params_len) { - gnutls_mac_algorithm_t hash; - int ret; - opaque digest[MAX_HASH_SIZE], md[MAX_HASH_SIZE]; - int digest_size; - GNUTLS_HASH_HANDLE hd; - gnutls_datum_t decrypted; - - ret = - _gnutls_pkcs1_rsa_decrypt(&decrypted, signature, params, - params_len, 1); - if (ret < 0) { - gnutls_assert(); - return ret; + gnutls_mac_algorithm_t hash; + int ret; + opaque digest[MAX_HASH_SIZE], md[MAX_HASH_SIZE]; + int digest_size; + GNUTLS_HASH_HANDLE hd; + gnutls_datum_t decrypted; + + ret = + _gnutls_pkcs1_rsa_decrypt (&decrypted, signature, params, params_len, 1); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* decrypted is a BER encoded data of type DigestInfo - */ + /* decrypted is a BER encoded data of type DigestInfo + */ - digest_size = sizeof(digest); - if ((ret = - decode_ber_digest_info(&decrypted, &hash, digest, - &digest_size)) != 0) { - gnutls_assert(); - _gnutls_free_datum(&decrypted); - return ret; + digest_size = sizeof (digest); + if ((ret = + decode_ber_digest_info (&decrypted, &hash, digest, &digest_size)) != 0) + { + gnutls_assert (); + _gnutls_free_datum (&decrypted); + return ret; } - _gnutls_free_datum(&decrypted); + _gnutls_free_datum (&decrypted); - if (digest_size != _gnutls_hash_get_algo_len(hash)) { - gnutls_assert(); - return GNUTLS_E_ASN1_GENERIC_ERROR; + if (digest_size != _gnutls_hash_get_algo_len (hash)) + { + gnutls_assert (); + return GNUTLS_E_ASN1_GENERIC_ERROR; } - hd = _gnutls_hash_init(hash); - if (hd == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + hd = _gnutls_hash_init (hash); + if (hd == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - _gnutls_hash(hd, text->data, text->size); - _gnutls_hash_deinit(hd, md); + _gnutls_hash (hd, text->data, text->size); + _gnutls_hash_deinit (hd, md); - if (memcmp(md, digest, digest_size) != 0) { - gnutls_assert(); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; + if (memcmp (md, digest, digest_size) != 0) + { + gnutls_assert (); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; } - return 0; + return 0; } /* Hashes input data and verifies a DSA signature. */ static int -dsa_verify_sig(const gnutls_datum_t * text, - const gnutls_datum_t * signature, mpi_t * params, - int params_len) +dsa_verify_sig (const gnutls_datum_t * text, + const gnutls_datum_t * signature, mpi_t * params, + int params_len) { - int ret; - opaque _digest[MAX_HASH_SIZE]; - gnutls_datum_t digest; - GNUTLS_HASH_HANDLE hd; + int ret; + opaque _digest[MAX_HASH_SIZE]; + gnutls_datum_t digest; + GNUTLS_HASH_HANDLE hd; - hd = _gnutls_hash_init(GNUTLS_MAC_SHA1); - if (hd == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + hd = _gnutls_hash_init (GNUTLS_MAC_SHA1); + if (hd == NULL) + { + gnutls_assert (); + return GNUTLS_E_HASH_FAILED; } - _gnutls_hash(hd, text->data, text->size); - _gnutls_hash_deinit(hd, _digest); + _gnutls_hash (hd, text->data, text->size); + _gnutls_hash_deinit (hd, _digest); - digest.data = _digest; - digest.size = 20; + digest.data = _digest; + digest.size = 20; - ret = _gnutls_dsa_verify(&digest, signature, params, params_len); + ret = _gnutls_dsa_verify (&digest, signature, params, params_len); - return ret; + return ret; } /* Verifies the signature data, and returns 0 if not verified, * or 1 otherwise. */ -static int verify_sig(const gnutls_datum_t * tbs, - const gnutls_datum_t * signature, - gnutls_pk_algorithm_t pk, mpi_t * issuer_params, - int issuer_params_size) +static int +verify_sig (const gnutls_datum_t * tbs, + const gnutls_datum_t * signature, + gnutls_pk_algorithm_t pk, mpi_t * issuer_params, + int issuer_params_size) { - switch (pk) { + switch (pk) + { case GNUTLS_PK_RSA: - if (_pkcs1_rsa_verify_sig - (tbs, signature, issuer_params, issuer_params_size) != 0) { - gnutls_assert(); - return 0; + if (_pkcs1_rsa_verify_sig + (tbs, signature, issuer_params, issuer_params_size) != 0) + { + gnutls_assert (); + return 0; } - return 1; - break; + return 1; + break; case GNUTLS_PK_DSA: - if (dsa_verify_sig - (tbs, signature, issuer_params, issuer_params_size) != 0) { - gnutls_assert(); - return 0; + if (dsa_verify_sig + (tbs, signature, issuer_params, issuer_params_size) != 0) + { + gnutls_assert (); + return 0; } - return 1; - break; + return 1; + break; default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; } } @@ -612,39 +659,42 @@ static int verify_sig(const gnutls_datum_t * tbs, * 'tbs' is the signed data * 'signature' is the signature! */ -int _gnutls_x509_verify_signature(const gnutls_datum_t * tbs, - const gnutls_datum_t * signature, - gnutls_x509_crt_t issuer) +int +_gnutls_x509_verify_signature (const gnutls_datum_t * tbs, + const gnutls_datum_t * signature, + gnutls_x509_crt_t issuer) { - mpi_t issuer_params[MAX_PUBLIC_PARAMS_SIZE]; - int ret, issuer_params_size, i; - - /* Read the MPI parameters from the issuer's certificate. - */ - issuer_params_size = MAX_PUBLIC_PARAMS_SIZE; - ret = - _gnutls_x509_crt_get_mpis(issuer, issuer_params, - &issuer_params_size); - if (ret < 0) { - gnutls_assert(); - return ret; + mpi_t issuer_params[MAX_PUBLIC_PARAMS_SIZE]; + int ret, issuer_params_size, i; + + /* Read the MPI parameters from the issuer's certificate. + */ + issuer_params_size = MAX_PUBLIC_PARAMS_SIZE; + ret = + _gnutls_x509_crt_get_mpis (issuer, issuer_params, &issuer_params_size); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = - verify_sig(tbs, signature, - gnutls_x509_crt_get_pk_algorithm(issuer, NULL), - issuer_params, issuer_params_size); - if (ret < 0) { - gnutls_assert(); + ret = + verify_sig (tbs, signature, + gnutls_x509_crt_get_pk_algorithm (issuer, NULL), + issuer_params, issuer_params_size); + if (ret < 0) + { + gnutls_assert (); } - /* release all allocated MPIs - */ - for (i = 0; i < issuer_params_size; i++) { - _gnutls_mpi_release(&issuer_params[i]); + /* release all allocated MPIs + */ + for (i = 0; i < issuer_params_size; i++) + { + _gnutls_mpi_release (&issuer_params[i]); } - return ret; + return ret; } /* verifies if the certificate is properly signed. @@ -653,19 +703,21 @@ int _gnutls_x509_verify_signature(const gnutls_datum_t * tbs, * 'tbs' is the signed data * 'signature' is the signature! */ -int _gnutls_x509_privkey_verify_signature(const gnutls_datum_t * tbs, - const gnutls_datum_t * signature, - gnutls_x509_privkey_t issuer) +int +_gnutls_x509_privkey_verify_signature (const gnutls_datum_t * tbs, + const gnutls_datum_t * signature, + gnutls_x509_privkey_t issuer) { - int ret; + int ret; - ret = verify_sig(tbs, signature, issuer->pk_algorithm, - issuer->params, issuer->params_size); - if (ret < 0) { - gnutls_assert(); + ret = verify_sig (tbs, signature, issuer->pk_algorithm, + issuer->params, issuer->params_size); + if (ret < 0) + { + gnutls_assert (); } - return ret; + return ret; } /** @@ -702,22 +754,26 @@ int _gnutls_x509_privkey_verify_signature(const gnutls_datum_t * tbs, * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_list_verify(const gnutls_x509_crt_t * cert_list, - int cert_list_length, const gnutls_x509_crt_t * CA_list, - int CA_list_length, const gnutls_x509_crl_t * CRL_list, - int CRL_list_length, unsigned int flags, unsigned int *verify) +int +gnutls_x509_crt_list_verify (const gnutls_x509_crt_t * cert_list, + int cert_list_length, + const gnutls_x509_crt_t * CA_list, + int CA_list_length, + const gnutls_x509_crl_t * CRL_list, + int CRL_list_length, unsigned int flags, + unsigned int *verify) { - if (cert_list == NULL || cert_list_length == 0) - return GNUTLS_E_NO_CERTIFICATE_FOUND; + if (cert_list == NULL || cert_list_length == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; - /* Verify certificate - */ - *verify = - _gnutls_x509_verify_certificate(cert_list, cert_list_length, - CA_list, CA_list_length, CRL_list, - CRL_list_length, flags); + /* Verify certificate + */ + *verify = + _gnutls_x509_verify_certificate (cert_list, cert_list_length, + CA_list, CA_list_length, CRL_list, + CRL_list_length, flags); - return 0; + return 0; } /** @@ -734,22 +790,25 @@ int gnutls_x509_crt_list_verify(const gnutls_x509_crt_t * cert_list, * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_verify(gnutls_x509_crt_t cert, - const gnutls_x509_crt_t * CA_list, - int CA_list_length, unsigned int flags, unsigned int *verify) +int +gnutls_x509_crt_verify (gnutls_x509_crt_t cert, + const gnutls_x509_crt_t * CA_list, + int CA_list_length, unsigned int flags, + unsigned int *verify) { - int ret; - /* Verify certificate - */ - ret = - _gnutls_verify_certificate2(cert, CA_list, CA_list_length, flags, - verify); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - return 0; + int ret; + /* Verify certificate + */ + ret = + _gnutls_verify_certificate2 (cert, CA_list, CA_list_length, flags, + verify); + if (ret < 0) + { + gnutls_assert (); + return ret; + } + + return 0; } @@ -768,10 +827,11 @@ int gnutls_x509_crt_verify(gnutls_x509_crt_t cert, * A negative value is returned in case of an error. * **/ -int gnutls_x509_crl_check_issuer(gnutls_x509_crl_t cert, - gnutls_x509_crt_t issuer) +int +gnutls_x509_crl_check_issuer (gnutls_x509_crl_t cert, + gnutls_x509_crt_t issuer) { - return is_crl_issuer(cert, issuer); + return is_crl_issuer (cert, issuer); } /** @@ -789,71 +849,76 @@ int gnutls_x509_crl_check_issuer(gnutls_x509_crl_t cert, * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crl_verify(gnutls_x509_crl_t crl, - const gnutls_x509_crt_t * CA_list, - int CA_list_length, unsigned int flags, - unsigned int *verify) +int +gnutls_x509_crl_verify (gnutls_x509_crl_t crl, + const gnutls_x509_crt_t * CA_list, + int CA_list_length, unsigned int flags, + unsigned int *verify) { - int ret; - /* Verify crl - */ - ret = _gnutls_verify_crl2(crl, CA_list, CA_list_length, flags, verify); - if (ret < 0) { - gnutls_assert(); - return ret; + int ret; + /* Verify crl + */ + ret = _gnutls_verify_crl2 (crl, CA_list, CA_list_length, flags, verify); + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } /* The same as above, but here we've got a CRL. */ -static -int is_crl_issuer(gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer_cert) +static int +is_crl_issuer (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer_cert) { - gnutls_datum_t dn1 = { NULL, 0 }, dn2 = { - NULL, 0}; - int ret; + gnutls_datum_t dn1 = { NULL, 0 }, dn2 = + { + NULL, 0}; + int ret; - ret = _gnutls_x509_crl_get_raw_issuer_dn(crl, &dn1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; + ret = _gnutls_x509_crl_get_raw_issuer_dn (crl, &dn1); + if (ret < 0) + { + gnutls_assert (); + goto cleanup; } - ret = _gnutls_x509_crt_get_raw_dn(issuer_cert, &dn2); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_x509_crt_get_raw_dn (issuer_cert, &dn2); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = _gnutls_x509_compare_raw_dn(&dn1, &dn2); + ret = _gnutls_x509_compare_raw_dn (&dn1, &dn2); - cleanup: - _gnutls_free_datum(&dn1); - _gnutls_free_datum(&dn2); +cleanup: + _gnutls_free_datum (&dn1); + _gnutls_free_datum (&dn2); - return ret; + return ret; } -static inline - gnutls_x509_crt_t find_crl_issuer(gnutls_x509_crl_t crl, - const gnutls_x509_crt_t * - trusted_cas, int tcas_size) +static inline gnutls_x509_crt_t +find_crl_issuer (gnutls_x509_crl_t crl, + const gnutls_x509_crt_t * trusted_cas, int tcas_size) { - int i; + int i; - /* this is serial search. - */ + /* this is serial search. + */ - for (i = 0; i < tcas_size; i++) { - if (is_crl_issuer(crl, trusted_cas[i]) == 1) - return trusted_cas[i]; + for (i = 0; i < tcas_size; i++) + { + if (is_crl_issuer (crl, trusted_cas[i]) == 1) + return trusted_cas[i]; } - gnutls_assert(); - return NULL; + gnutls_assert (); + return NULL; } /* @@ -865,98 +930,104 @@ static inline * Output will hold information about the verification * procedure. */ -static int _gnutls_verify_crl2(gnutls_x509_crl_t crl, - const gnutls_x509_crt_t * trusted_cas, - int tcas_size, unsigned int flags, - unsigned int *output) +static int +_gnutls_verify_crl2 (gnutls_x509_crl_t crl, + const gnutls_x509_crt_t * trusted_cas, + int tcas_size, unsigned int flags, unsigned int *output) { /* CRL is ignored for now */ - gnutls_datum_t crl_signed_data = { NULL, 0 }; - gnutls_datum_t crl_signature = { NULL, 0 }; - gnutls_x509_crt_t issuer; - int ret, result; - - if (output) - *output = 0; - - if (tcas_size >= 1) - issuer = find_crl_issuer(crl, trusted_cas, tcas_size); - else { - gnutls_assert(); - if (output) - *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - return 0; + gnutls_datum_t crl_signed_data = { NULL, 0 }; + gnutls_datum_t crl_signature = { NULL, 0 }; + gnutls_x509_crt_t issuer; + int ret, result; + + if (output) + *output = 0; + + if (tcas_size >= 1) + issuer = find_crl_issuer (crl, trusted_cas, tcas_size); + else + { + gnutls_assert (); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; + return 0; } - /* issuer is not in trusted certificate - * authorities. - */ - if (issuer == NULL) { - gnutls_assert(); - if (output) - *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - return 0; + /* issuer is not in trusted certificate + * authorities. + */ + if (issuer == NULL) + { + gnutls_assert (); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; + return 0; } - if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN)) { - if (gnutls_x509_crt_get_ca_status(issuer, NULL) != 1) { - gnutls_assert(); - if (output) - *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; - return 0; + if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN)) + { + if (gnutls_x509_crt_get_ca_status (issuer, NULL) != 1) + { + gnutls_assert (); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; + return 0; } } - result = - _gnutls_x509_get_signed_data(crl->crl, "tbsCertList", - &crl_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = + _gnutls_x509_get_signed_data (crl->crl, "tbsCertList", &crl_signed_data); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = - _gnutls_x509_get_signature(crl->crl, "signature", &crl_signature); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = _gnutls_x509_get_signature (crl->crl, "signature", &crl_signature); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - ret = - _gnutls_x509_verify_signature(&crl_signed_data, &crl_signature, - issuer); - if (ret < 0) { - gnutls_assert(); - } else if (ret == 0) { - gnutls_assert(); - /* error. ignore it */ - if (output) - *output |= GNUTLS_CERT_INVALID; - ret = 0; + ret = + _gnutls_x509_verify_signature (&crl_signed_data, &crl_signature, issuer); + if (ret < 0) + { + gnutls_assert (); } - + else if (ret == 0) { - int sigalg; + gnutls_assert (); + /* error. ignore it */ + if (output) + *output |= GNUTLS_CERT_INVALID; + ret = 0; + } - sigalg = gnutls_x509_crl_get_signature_algorithm(crl); + { + int sigalg; - if (((sigalg == GNUTLS_SIGN_RSA_MD2) && - !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) || - ((sigalg == GNUTLS_SIGN_RSA_MD5) && - !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5))) - { - if (output) - *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID; - } - } + sigalg = gnutls_x509_crl_get_signature_algorithm (crl); + + if (((sigalg == GNUTLS_SIGN_RSA_MD2) && + !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) || + ((sigalg == GNUTLS_SIGN_RSA_MD5) && + !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5))) + { + if (output) + *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID; + } + } - result = ret; + result = ret; - cleanup: - _gnutls_free_datum(&crl_signed_data); - _gnutls_free_datum(&crl_signature); +cleanup: + _gnutls_free_datum (&crl_signed_data); + _gnutls_free_datum (&crl_signature); - return result; + return result; } #endif diff --git a/lib/x509/verify.h b/lib/x509/verify.h index deb28e8638..3f2bbfa1e9 100644 --- a/lib/x509/verify.h +++ b/lib/x509/verify.h @@ -24,9 +24,11 @@ #include "x509.h" -int gnutls_x509_crt_is_issuer(gnutls_x509_crt_t cert, - gnutls_x509_crt_t issuer); -int _gnutls_x509_verify_signature(const gnutls_datum_t * tbs, - const gnutls_datum_t * signature, gnutls_x509_crt_t issuer); -int _gnutls_x509_privkey_verify_signature(const gnutls_datum_t * tbs, - const gnutls_datum_t * signature, gnutls_x509_privkey_t issuer); +int gnutls_x509_crt_is_issuer (gnutls_x509_crt_t cert, + gnutls_x509_crt_t issuer); +int _gnutls_x509_verify_signature (const gnutls_datum_t * tbs, + const gnutls_datum_t * signature, + gnutls_x509_crt_t issuer); +int _gnutls_x509_privkey_verify_signature (const gnutls_datum_t * tbs, + const gnutls_datum_t * signature, + gnutls_x509_privkey_t issuer); diff --git a/lib/x509/x509.c b/lib/x509/x509.c index 71b145923e..3d25d74fb4 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -49,22 +49,25 @@ * Returns 0 on success. * **/ -int gnutls_x509_crt_init(gnutls_x509_crt_t * cert) +int +gnutls_x509_crt_init (gnutls_x509_crt_t * cert) { - *cert = gnutls_calloc(1, sizeof(gnutls_x509_crt_int)); - - if (*cert) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Certificate", - &(*cert)->cert); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(*cert); - return _gnutls_asn2err(result); + *cert = gnutls_calloc (1, sizeof (gnutls_x509_crt_int)); + + if (*cert) + { + int result = asn1_create_element (_gnutls_get_pkix (), + "PKIX1.Certificate", + &(*cert)->cert); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + gnutls_free (*cert); + return _gnutls_asn2err (result); } - return 0; /* success */ + return 0; /* success */ } - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_MEMORY_ERROR; } /*- @@ -77,45 +80,49 @@ int gnutls_x509_crt_init(gnutls_x509_crt_t * cert) * Returns 0 on success. * -*/ -int _gnutls_x509_crt_cpy(gnutls_x509_crt_t dest, gnutls_x509_crt_t src) +int +_gnutls_x509_crt_cpy (gnutls_x509_crt_t dest, gnutls_x509_crt_t src) { - int ret; - size_t der_size; - opaque *der; - gnutls_datum_t tmp; + int ret; + size_t der_size; + opaque *der; + gnutls_datum_t tmp; - ret = - gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, NULL, &der_size); - if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - return ret; + ret = gnutls_x509_crt_export (src, GNUTLS_X509_FMT_DER, NULL, &der_size); + if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) + { + gnutls_assert (); + return ret; } - der = gnutls_alloca(der_size); - if (der == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + der = gnutls_alloca (der_size); + if (der == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - ret = gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, der, &der_size); - if (ret < 0) { - gnutls_assert(); - gnutls_afree(der); - return ret; + ret = gnutls_x509_crt_export (src, GNUTLS_X509_FMT_DER, der, &der_size); + if (ret < 0) + { + gnutls_assert (); + gnutls_afree (der); + return ret; } - tmp.data = der; - tmp.size = der_size; - ret = gnutls_x509_crt_import(dest, &tmp, GNUTLS_X509_FMT_DER); + tmp.data = der; + tmp.size = der_size; + ret = gnutls_x509_crt_import (dest, &tmp, GNUTLS_X509_FMT_DER); - gnutls_afree(der); + gnutls_afree (der); - if (ret < 0) { - gnutls_assert(); - return ret; + if (ret < 0) + { + gnutls_assert (); + return ret; } - return 0; + return 0; } @@ -126,15 +133,16 @@ int _gnutls_x509_crt_cpy(gnutls_x509_crt_t dest, gnutls_x509_crt_t src) * This function will deinitialize a CRL structure. * **/ -void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert) +void +gnutls_x509_crt_deinit (gnutls_x509_crt_t cert) { - if (!cert) - return; + if (!cert) + return; - if (cert->cert) - asn1_delete_structure(&cert->cert); + if (cert->cert) + asn1_delete_structure (&cert->cert); - gnutls_free(cert); + gnutls_free (cert); } /** @@ -152,72 +160,77 @@ void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert) * Returns 0 on success. * **/ -int gnutls_x509_crt_import(gnutls_x509_crt_t cert, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format) +int +gnutls_x509_crt_import (gnutls_x509_crt_t cert, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format) { - int result = 0, need_free = 0; - gnutls_datum_t _data; - opaque *signature = NULL; - - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - _data.data = data->data; - _data.size = data->size; - - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - /* Try the first header */ - result = - _gnutls_fbase64_decode(PEM_X509_CERT2, data->data, data->size, - &out); - - if (result <= 0) { - /* try for the second header */ - result = - _gnutls_fbase64_decode(PEM_X509_CERT, data->data, - data->size, &out); - - if (result <= 0) { - if (result == 0) - result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; + int result = 0, need_free = 0; + gnutls_datum_t _data; + opaque *signature = NULL; + + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + _data.data = data->data; + _data.size = data->size; + + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) + { + opaque *out; + + /* Try the first header */ + result = + _gnutls_fbase64_decode (PEM_X509_CERT2, data->data, data->size, &out); + + if (result <= 0) + { + /* try for the second header */ + result = + _gnutls_fbase64_decode (PEM_X509_CERT, data->data, + data->size, &out); + + if (result <= 0) + { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return result; } } - _data.data = out; - _data.size = result; + _data.data = out; + _data.size = result; - need_free = 1; + need_free = 1; } - result = asn1_der_decoding(&cert->cert, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; + result = asn1_der_decoding (&cert->cert, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) + { + result = _gnutls_asn2err (result); + gnutls_assert (); + goto cleanup; } - /* Since we do not want to disable any extension - */ - cert->use_extensions = 1; - if (need_free) - _gnutls_free_datum(&_data); + /* Since we do not want to disable any extension + */ + cert->use_extensions = 1; + if (need_free) + _gnutls_free_datum (&_data); - return 0; + return 0; - cleanup: - gnutls_free(signature); - if (need_free) - _gnutls_free_datum(&_data); - return result; +cleanup: + gnutls_free (signature); + if (need_free) + _gnutls_free_datum (&_data); + return result; } @@ -239,17 +252,19 @@ int gnutls_x509_crt_import(gnutls_x509_crt_t cert, * the required size. On success 0 is returned. * **/ -int gnutls_x509_crt_get_issuer_dn(gnutls_x509_crt_t cert, char *buf, - size_t * sizeof_buf) +int +gnutls_x509_crt_get_issuer_dn (gnutls_x509_crt_t cert, char *buf, + size_t * sizeof_buf) { - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_parse_dn(cert->cert, - "tbsCertificate.issuer.rdnSequence", buf, - sizeof_buf); + return _gnutls_x509_parse_dn (cert->cert, + "tbsCertificate.issuer.rdnSequence", buf, + sizeof_buf); } /** @@ -279,19 +294,21 @@ int gnutls_x509_crt_get_issuer_dn(gnutls_x509_crt_t cert, char *buf, * the required size. On success 0 is returned. * **/ -int gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt_t cert, - const char *oid, int indx, - unsigned int raw_flag, void *buf, - size_t * sizeof_buf) +int +gnutls_x509_crt_get_issuer_dn_by_oid (gnutls_x509_crt_t cert, + const char *oid, int indx, + unsigned int raw_flag, void *buf, + size_t * sizeof_buf) { - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_parse_dn_oid(cert->cert, - "tbsCertificate.issuer.rdnSequence", - oid, indx, raw_flag, buf, sizeof_buf); + return _gnutls_x509_parse_dn_oid (cert->cert, + "tbsCertificate.issuer.rdnSequence", + oid, indx, raw_flag, buf, sizeof_buf); } /** @@ -311,18 +328,19 @@ int gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt_t cert, * the required size. On success 0 is returned. * **/ -int gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt_t cert, - int indx, void *oid, - size_t * sizeof_oid) +int +gnutls_x509_crt_get_issuer_dn_oid (gnutls_x509_crt_t cert, + int indx, void *oid, size_t * sizeof_oid) { - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_get_dn_oid(cert->cert, - "tbsCertificate.issuer.rdnSequence", - indx, oid, sizeof_oid); + return _gnutls_x509_get_dn_oid (cert->cert, + "tbsCertificate.issuer.rdnSequence", + indx, oid, sizeof_oid); } /** @@ -343,17 +361,19 @@ int gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt_t cert, * the required size. On success 0 is returned. * **/ -int gnutls_x509_crt_get_dn(gnutls_x509_crt_t cert, char *buf, - size_t * sizeof_buf) +int +gnutls_x509_crt_get_dn (gnutls_x509_crt_t cert, char *buf, + size_t * sizeof_buf) { - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_parse_dn(cert->cert, - "tbsCertificate.subject.rdnSequence", buf, - sizeof_buf); + return _gnutls_x509_parse_dn (cert->cert, + "tbsCertificate.subject.rdnSequence", buf, + sizeof_buf); } /** @@ -383,18 +403,20 @@ int gnutls_x509_crt_get_dn(gnutls_x509_crt_t cert, char *buf, * the required size. On success 0 is returned. * **/ -int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt_t cert, const char *oid, - int indx, unsigned int raw_flag, - void *buf, size_t * sizeof_buf) +int +gnutls_x509_crt_get_dn_by_oid (gnutls_x509_crt_t cert, const char *oid, + int indx, unsigned int raw_flag, + void *buf, size_t * sizeof_buf) { - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_parse_dn_oid(cert->cert, - "tbsCertificate.subject.rdnSequence", - oid, indx, raw_flag, buf, sizeof_buf); + return _gnutls_x509_parse_dn_oid (cert->cert, + "tbsCertificate.subject.rdnSequence", + oid, indx, raw_flag, buf, sizeof_buf); } /** @@ -414,17 +436,19 @@ int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt_t cert, const char *oid, * the required size. On success 0 is returned. * **/ -int gnutls_x509_crt_get_dn_oid(gnutls_x509_crt_t cert, - int indx, void *oid, size_t * sizeof_oid) +int +gnutls_x509_crt_get_dn_oid (gnutls_x509_crt_t cert, + int indx, void *oid, size_t * sizeof_oid) { - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_get_dn_oid(cert->cert, - "tbsCertificate.subject.rdnSequence", - indx, oid, sizeof_oid); + return _gnutls_x509_get_dn_oid (cert->cert, + "tbsCertificate.subject.rdnSequence", + indx, oid, sizeof_oid); } /** @@ -437,33 +461,36 @@ int gnutls_x509_crt_get_dn_oid(gnutls_x509_crt_t cert, * Returns a negative value on error. * **/ -int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt_t cert) +int +gnutls_x509_crt_get_signature_algorithm (gnutls_x509_crt_t cert) { - int result; - gnutls_datum_t sa; + int result; + gnutls_datum_t sa; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Read the signature algorithm. Note that parameters are not - * read. They will be read from the issuer's certificate if needed. - */ - result = - _gnutls_x509_read_value(cert->cert, "signatureAlgorithm.algorithm", - &sa, 0); + /* Read the signature algorithm. Note that parameters are not + * read. They will be read from the issuer's certificate if needed. + */ + result = + _gnutls_x509_read_value (cert->cert, "signatureAlgorithm.algorithm", + &sa, 0); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - result = _gnutls_x509_oid2sign_algorithm(sa.data); + result = _gnutls_x509_oid2sign_algorithm (sa.data); - _gnutls_free_datum(&sa); + _gnutls_free_datum (&sa); - return result; + return result; } /** @@ -475,28 +502,31 @@ int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt_t cert) * Returns a negative value on error. * **/ -int gnutls_x509_crt_get_version(gnutls_x509_crt_t cert) +int +gnutls_x509_crt_get_version (gnutls_x509_crt_t cert) { - opaque version[5]; - int len, result; + opaque version[5]; + int len, result; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - len = sizeof(version); - if ((result = - asn1_read_value(cert->cert, "tbsCertificate.version", version, - &len)) != ASN1_SUCCESS) { + len = sizeof (version); + if ((result = + asn1_read_value (cert->cert, "tbsCertificate.version", version, + &len)) != ASN1_SUCCESS) + { - if (result == ASN1_ELEMENT_NOT_FOUND) - return 1; /* the DEFAULT version */ - gnutls_assert(); - return _gnutls_asn2err(result); + if (result == ASN1_ELEMENT_NOT_FOUND) + return 1; /* the DEFAULT version */ + gnutls_assert (); + return _gnutls_asn2err (result); } - return (int) version[0] + 1; + return (int) version[0] + 1; } /** @@ -508,15 +538,17 @@ int gnutls_x509_crt_get_version(gnutls_x509_crt_t cert) * Returns (time_t)-1 on error. * **/ -time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt_t cert) +time_t +gnutls_x509_crt_get_activation_time (gnutls_x509_crt_t cert) { - if (cert == NULL) { - gnutls_assert(); - return (time_t) - 1; + if (cert == NULL) + { + gnutls_assert (); + return (time_t) - 1; } - return _gnutls_x509_get_time(cert->cert, - "tbsCertificate.validity.notBefore"); + return _gnutls_x509_get_time (cert->cert, + "tbsCertificate.validity.notBefore"); } /** @@ -528,15 +560,17 @@ time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt_t cert) * Returns (time_t)-1 on error. * **/ -time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt_t cert) +time_t +gnutls_x509_crt_get_expiration_time (gnutls_x509_crt_t cert) { - if (cert == NULL) { - gnutls_assert(); - return (time_t) - 1; + if (cert == NULL) + { + gnutls_assert (); + return (time_t) - 1; } - return _gnutls_x509_get_time(cert->cert, - "tbsCertificate.validity.notAfter"); + return _gnutls_x509_get_time (cert->cert, + "tbsCertificate.validity.notAfter"); } /** @@ -554,28 +588,30 @@ time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt_t cert) * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_get_serial(gnutls_x509_crt_t cert, void *result, - size_t * result_size) +int +gnutls_x509_crt_get_serial (gnutls_x509_crt_t cert, void *result, + size_t * result_size) { - int ret, len; + int ret, len; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - - len = *result_size; - ret = - asn1_read_value(cert->cert, "tbsCertificate.serialNumber", result, - &len); - *result_size = len; - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(ret); + len = *result_size; + ret = + asn1_read_value (cert->cert, "tbsCertificate.serialNumber", result, &len); + *result_size = len; + + if (ret != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (ret); } - return 0; + return 0; } /** @@ -592,69 +628,76 @@ int gnutls_x509_crt_get_serial(gnutls_x509_crt_t cert, void *result, * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt_t cert, void *ret, - size_t * ret_size, - unsigned int *critical) +int +gnutls_x509_crt_get_subject_key_id (gnutls_x509_crt_t cert, void *ret, + size_t * ret_size, unsigned int *critical) { - int result, len; - gnutls_datum_t id; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len; + gnutls_datum_t id; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (ret) - memset(ret, 0, *ret_size); - else - *ret_size = 0; + if (ret) + memset (ret, 0, *ret_size); + else + *ret_size = 0; - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.14", 0, &id, - critical)) < 0) { - return result; + if ((result = + _gnutls_x509_crt_get_extension (cert, "2.5.29.14", 0, &id, + critical)) < 0) + { + return result; } - if (id.size == 0 || id.data == NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (id.size == 0 || id.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.SubjectKeyIdentifier", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum(&id); - return _gnutls_asn2err(result); + result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.SubjectKeyIdentifier", &c2); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + _gnutls_free_datum (&id); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&c2, id.data, id.size, NULL); - _gnutls_free_datum(&id); + result = asn1_der_decoding (&c2, id.data, id.size, NULL); + _gnutls_free_datum (&id); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - len = *ret_size; - result = asn1_read_value(c2, "", ret, &len); + len = *ret_size; + result = asn1_read_value (c2, "", ret, &len); - *ret_size = len; - asn1_delete_structure(&c2); + *ret_size = len; + asn1_delete_structure (&c2); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) + { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } /** @@ -672,69 +715,77 @@ int gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt_t cert, void *ret, * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_get_authority_key_id(gnutls_x509_crt_t cert, void *ret, - size_t * ret_size, - unsigned int *critical) +int +gnutls_x509_crt_get_authority_key_id (gnutls_x509_crt_t cert, void *ret, + size_t * ret_size, + unsigned int *critical) { - int result, len; - gnutls_datum_t id; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len; + gnutls_datum_t id; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (ret) - memset(ret, 0, *ret_size); - else - *ret_size = 0; + if (ret) + memset (ret, 0, *ret_size); + else + *ret_size = 0; - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.35", 0, &id, - critical)) < 0) { - return result; + if ((result = + _gnutls_x509_crt_get_extension (cert, "2.5.29.35", 0, &id, + critical)) < 0) + { + return result; } - if (id.size == 0 || id.data == NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (id.size == 0 || id.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.AuthorityKeyIdentifier", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum(&id); - return _gnutls_asn2err(result); + result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.AuthorityKeyIdentifier", &c2); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + _gnutls_free_datum (&id); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&c2, id.data, id.size, NULL); - _gnutls_free_datum(&id); + result = asn1_der_decoding (&c2, id.data, id.size, NULL); + _gnutls_free_datum (&id); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - len = *ret_size; - result = asn1_read_value(c2, "keyIdentifier", ret, &len); + len = *ret_size; + result = asn1_read_value (c2, "keyIdentifier", ret, &len); - *ret_size = len; - asn1_delete_structure(&c2); + *ret_size = len; + asn1_delete_structure (&c2); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) + { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } /** @@ -754,87 +805,94 @@ int gnutls_x509_crt_get_authority_key_id(gnutls_x509_crt_t cert, void *ret, * or a negative value on error. * **/ -int gnutls_x509_crt_get_pk_algorithm(gnutls_x509_crt_t cert, - unsigned int *bits) +int +gnutls_x509_crt_get_pk_algorithm (gnutls_x509_crt_t cert, unsigned int *bits) { - int result; + int result; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - result = - _gnutls_x509_get_pk_algorithm(cert->cert, - "tbsCertificate.subjectPublicKeyInfo", - bits); + result = + _gnutls_x509_get_pk_algorithm (cert->cert, + "tbsCertificate.subjectPublicKeyInfo", + bits); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return result; + return result; } /* returns the type and the name. */ -static int parse_general_name(ASN1_TYPE src, const char *src_name, - int seq, void *name, size_t * name_size) +static int +parse_general_name (ASN1_TYPE src, const char *src_name, + int seq, void *name, size_t * name_size) { - int len; - char num[MAX_INT_DIGITS]; - char nptr[128]; - int result; - opaque choice_type[128]; - gnutls_x509_subject_alt_name_t type; + int len; + char num[MAX_INT_DIGITS]; + char nptr[128]; + int result; + opaque choice_type[128]; + gnutls_x509_subject_alt_name_t type; - seq++; /* 0->1, 1->2 etc */ - _gnutls_int2str(seq, num); + seq++; /* 0->1, 1->2 etc */ + _gnutls_int2str (seq, num); - _gnutls_str_cpy(nptr, sizeof(nptr), src_name); - if (src_name[0] != 0) - _gnutls_str_cat(nptr, sizeof(nptr), "."); + _gnutls_str_cpy (nptr, sizeof (nptr), src_name); + if (src_name[0] != 0) + _gnutls_str_cat (nptr, sizeof (nptr), "."); - _gnutls_str_cat(nptr, sizeof(nptr), "?"); - _gnutls_str_cat(nptr, sizeof(nptr), num); + _gnutls_str_cat (nptr, sizeof (nptr), "?"); + _gnutls_str_cat (nptr, sizeof (nptr), num); - len = sizeof(choice_type); - result = asn1_read_value(src, nptr, choice_type, &len); + len = sizeof (choice_type); + result = asn1_read_value (src, nptr, choice_type, &len); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) + { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - type = _gnutls_x509_san_find_type(choice_type); - if (type == (gnutls_x509_subject_alt_name_t) - 1) { - gnutls_assert(); - return GNUTLS_E_X509_UNKNOWN_SAN; + type = _gnutls_x509_san_find_type (choice_type); + if (type == (gnutls_x509_subject_alt_name_t) - 1) + { + gnutls_assert (); + return GNUTLS_E_X509_UNKNOWN_SAN; } - _gnutls_str_cat(nptr, sizeof(nptr), "."); - _gnutls_str_cat(nptr, sizeof(nptr), choice_type); + _gnutls_str_cat (nptr, sizeof (nptr), "."); + _gnutls_str_cat (nptr, sizeof (nptr), choice_type); - len = *name_size; - result = asn1_read_value(src, nptr, name, &len); - *name_size = len; + len = *name_size; + result = asn1_read_value (src, nptr, name, &len); + *name_size = len; - if (result == ASN1_MEM_ERROR) - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (result == ASN1_MEM_ERROR) + return GNUTLS_E_SHORT_MEMORY_BUFFER; - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return type; + return type; } /** @@ -860,65 +918,72 @@ static int parse_general_name(ASN1_TYPE src, const char *src_name, * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; * **/ -int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt_t cert, - unsigned int seq, void *ret, - size_t * ret_size, - unsigned int *critical) +int +gnutls_x509_crt_get_subject_alt_name (gnutls_x509_crt_t cert, + unsigned int seq, void *ret, + size_t * ret_size, + unsigned int *critical) { - int result; - gnutls_datum_t dnsname; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - gnutls_x509_subject_alt_name_t type; + int result; + gnutls_datum_t dnsname; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + gnutls_x509_subject_alt_name_t type; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (ret) - memset(ret, 0, *ret_size); - else - *ret_size = 0; + if (ret) + memset (ret, 0, *ret_size); + else + *ret_size = 0; - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.17", 0, &dnsname, - critical)) < 0) { - return result; + if ((result = + _gnutls_x509_crt_get_extension (cert, "2.5.29.17", 0, &dnsname, + critical)) < 0) + { + return result; } - if (dnsname.size == 0 || dnsname.data == NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (dnsname.size == 0 || dnsname.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.SubjectAltName", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum(&dnsname); - return _gnutls_asn2err(result); + result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.SubjectAltName", &c2); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + _gnutls_free_datum (&dnsname); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&c2, dnsname.data, dnsname.size, NULL); - _gnutls_free_datum(&dnsname); + result = asn1_der_decoding (&c2, dnsname.data, dnsname.size, NULL); + _gnutls_free_datum (&dnsname); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - result = parse_general_name(c2, "", seq, ret, ret_size); + result = parse_general_name (c2, "", seq, ret, ret_size); - asn1_delete_structure(&c2); + asn1_delete_structure (&c2); - if (result < 0) { - return result; + if (result < 0) + { + return result; } - type = result; + type = result; - return type; + return type; } /** @@ -936,42 +1001,45 @@ int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt_t cert, * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. * **/ -int gnutls_x509_crt_get_ca_status(gnutls_x509_crt_t cert, - unsigned int *critical) +int +gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert, unsigned int *critical) { - int result; - gnutls_datum_t basicConstraints; - int ca; + int result; + gnutls_datum_t basicConstraints; + int ca; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.19", 0, - &basicConstraints, - critical)) < 0) { - return result; + if ((result = + _gnutls_x509_crt_get_extension (cert, "2.5.29.19", 0, + &basicConstraints, critical)) < 0) + { + return result; } - if (basicConstraints.size == 0 || basicConstraints.data == NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (basicConstraints.size == 0 || basicConstraints.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - result = - _gnutls_x509_ext_extract_basicConstraints(&ca, - basicConstraints.data, - basicConstraints.size); - _gnutls_free_datum(&basicConstraints); + result = + _gnutls_x509_ext_extract_basicConstraints (&ca, + basicConstraints.data, + basicConstraints.size); + _gnutls_free_datum (&basicConstraints); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return ca; + return ca; } /** @@ -993,42 +1061,47 @@ int gnutls_x509_crt_get_ca_status(gnutls_x509_crt_t cert, * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. * **/ -int gnutls_x509_crt_get_key_usage(gnutls_x509_crt_t cert, - unsigned int *key_usage, - unsigned int *critical) +int +gnutls_x509_crt_get_key_usage (gnutls_x509_crt_t cert, + unsigned int *key_usage, + unsigned int *critical) { - int result; - gnutls_datum_t keyUsage; - uint16 _usage; + int result; + gnutls_datum_t keyUsage; + uint16 _usage; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.15", 0, &keyUsage, - critical)) < 0) { - return result; + if ((result = + _gnutls_x509_crt_get_extension (cert, "2.5.29.15", 0, &keyUsage, + critical)) < 0) + { + return result; } - if (keyUsage.size == 0 || keyUsage.data == NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (keyUsage.size == 0 || keyUsage.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - result = _gnutls_x509_ext_extract_keyUsage(&_usage, keyUsage.data, - keyUsage.size); - _gnutls_free_datum(&keyUsage); + result = _gnutls_x509_ext_extract_keyUsage (&_usage, keyUsage.data, + keyUsage.size); + _gnutls_free_datum (&keyUsage); - *key_usage = _usage; + *key_usage = _usage; - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /** @@ -1049,45 +1122,50 @@ int gnutls_x509_crt_get_key_usage(gnutls_x509_crt_t cert, * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. * **/ -int gnutls_x509_crt_get_extension_by_oid(gnutls_x509_crt_t cert, - const char *oid, int indx, - void *buf, size_t * sizeof_buf, - unsigned int *critical) +int +gnutls_x509_crt_get_extension_by_oid (gnutls_x509_crt_t cert, + const char *oid, int indx, + void *buf, size_t * sizeof_buf, + unsigned int *critical) { - int result; - gnutls_datum_t output; + int result; + gnutls_datum_t output; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if ((result = - _gnutls_x509_crt_get_extension(cert, oid, indx, &output, - critical)) < 0) { - gnutls_assert(); - return result; + if ((result = + _gnutls_x509_crt_get_extension (cert, oid, indx, &output, + critical)) < 0) + { + gnutls_assert (); + return result; } - if (output.size == 0 || output.data == NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (output.size == 0 || output.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - if (output.size > (unsigned int) *sizeof_buf) { - *sizeof_buf = output.size; - _gnutls_free_datum(&output); - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (output.size > (unsigned int) *sizeof_buf) + { + *sizeof_buf = output.size; + _gnutls_free_datum (&output); + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - *sizeof_buf = output.size; + *sizeof_buf = output.size; - if (buf) - memcpy(buf, output.data, output.size); + if (buf) + memcpy (buf, output.data, output.size); - _gnutls_free_datum(&output); + _gnutls_free_datum (&output); - return 0; + return 0; } @@ -1106,82 +1184,86 @@ int gnutls_x509_crt_get_extension_by_oid(gnutls_x509_crt_t cert, * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. * **/ -int gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert, int indx, - void *oid, size_t * sizeof_oid) +int +gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t cert, int indx, + void *oid, size_t * sizeof_oid) { - int result; + int result; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - result = - _gnutls_x509_crt_get_extension_oid(cert, indx, oid, sizeof_oid); - if (result < 0) { - return result; + result = _gnutls_x509_crt_get_extension_oid (cert, indx, oid, sizeof_oid); + if (result < 0) + { + return result; } - return 0; + return 0; } -static -int _gnutls_x509_crt_get_raw_dn2(gnutls_x509_crt_t cert, - const char *whom, gnutls_datum_t * start) +static int +_gnutls_x509_crt_get_raw_dn2 (gnutls_x509_crt_t cert, + const char *whom, gnutls_datum_t * start) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len1; - int start1, end1; - gnutls_datum_t signed_data = { NULL, 0 }; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len1; + int start1, end1; + gnutls_datum_t signed_data = { NULL, 0 }; - /* get the issuer of 'cert' - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), "PKIX1.TBSCertificate", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + /* get the issuer of 'cert' + */ + if ((result = + asn1_create_element (_gnutls_get_pkix (), "PKIX1.TBSCertificate", + &c2)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = - _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate", - &signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = + _gnutls_x509_get_signed_data (cert->cert, "tbsCertificate", &signed_data); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - result = - asn1_der_decoding(&c2, signed_data.data, signed_data.size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_der_decoding (&c2, signed_data.data, signed_data.size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&c2); + result = _gnutls_asn2err (result); + goto cleanup; } - result = - asn1_der_decoding_startEnd(c2, signed_data.data, signed_data.size, - whom, &start1, &end1); + result = + asn1_der_decoding_startEnd (c2, signed_data.data, signed_data.size, + whom, &start1, &end1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto cleanup; } - len1 = end1 - start1 + 1; + len1 = end1 - start1 + 1; - _gnutls_set_datum(start, &signed_data.data[start1], len1); + _gnutls_set_datum (start, &signed_data.data[start1], len1); - result = 0; + result = 0; - cleanup: - asn1_delete_structure(&c2); - _gnutls_free_datum(&signed_data); - return result; +cleanup: + asn1_delete_structure (&c2); + _gnutls_free_datum (&signed_data); + return result; } /*- @@ -1195,10 +1277,11 @@ int _gnutls_x509_crt_get_raw_dn2(gnutls_x509_crt_t cert, * Returns 0 on success or a negative value on error. * -*/ -int _gnutls_x509_crt_get_raw_issuer_dn(gnutls_x509_crt_t cert, - gnutls_datum_t * start) +int +_gnutls_x509_crt_get_raw_issuer_dn (gnutls_x509_crt_t cert, + gnutls_datum_t * start) { - return _gnutls_x509_crt_get_raw_dn2(cert, "issuer", start); + return _gnutls_x509_crt_get_raw_dn2 (cert, "issuer", start); } /*- @@ -1212,10 +1295,10 @@ int _gnutls_x509_crt_get_raw_issuer_dn(gnutls_x509_crt_t cert, * Returns 0 on success, or a negative value on error. * -*/ -int _gnutls_x509_crt_get_raw_dn(gnutls_x509_crt_t cert, - gnutls_datum_t * start) +int +_gnutls_x509_crt_get_raw_dn (gnutls_x509_crt_t cert, gnutls_datum_t * start) { - return _gnutls_x509_crt_get_raw_dn2(cert, "subject", start); + return _gnutls_x509_crt_get_raw_dn2 (cert, "subject", start); } @@ -1236,44 +1319,47 @@ int _gnutls_x509_crt_get_raw_dn(gnutls_x509_crt_t cert, * the required size. On success 0 is returned. * **/ -int gnutls_x509_crt_get_fingerprint(gnutls_x509_crt_t cert, - gnutls_digest_algorithm_t algo, - void *buf, size_t * sizeof_buf) +int +gnutls_x509_crt_get_fingerprint (gnutls_x509_crt_t cert, + gnutls_digest_algorithm_t algo, + void *buf, size_t * sizeof_buf) { - opaque *cert_buf; - int cert_buf_size; - int result; - gnutls_datum_t tmp; + opaque *cert_buf; + int cert_buf_size; + int result; + gnutls_datum_t tmp; - if (sizeof_buf == 0 || cert == NULL) { - return GNUTLS_E_INVALID_REQUEST; + if (sizeof_buf == 0 || cert == NULL) + { + return GNUTLS_E_INVALID_REQUEST; } - cert_buf_size = 0; - asn1_der_coding(cert->cert, "", NULL, &cert_buf_size, NULL); + cert_buf_size = 0; + asn1_der_coding (cert->cert, "", NULL, &cert_buf_size, NULL); - cert_buf = gnutls_alloca(cert_buf_size); - if (cert_buf == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + cert_buf = gnutls_alloca (cert_buf_size); + if (cert_buf == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - result = asn1_der_coding(cert->cert, "", - cert_buf, &cert_buf_size, NULL); + result = asn1_der_coding (cert->cert, "", cert_buf, &cert_buf_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_afree(cert_buf); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + gnutls_afree (cert_buf); + return _gnutls_asn2err (result); } - tmp.data = cert_buf; - tmp.size = cert_buf_size; + tmp.data = cert_buf; + tmp.size = cert_buf_size; - result = gnutls_fingerprint(algo, &tmp, buf, sizeof_buf); - gnutls_afree(cert_buf); + result = gnutls_fingerprint (algo, &tmp, buf, sizeof_buf); + gnutls_afree (cert_buf); - return result; + return result; } /** @@ -1297,18 +1383,20 @@ int gnutls_x509_crt_get_fingerprint(gnutls_x509_crt_t cert, * returned, and 0 on success. * **/ -int gnutls_x509_crt_export(gnutls_x509_crt_t cert, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size) +int +gnutls_x509_crt_export (gnutls_x509_crt_t cert, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) { - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_export_int(cert->cert, format, "CERTIFICATE", - *output_data_size, output_data, - output_data_size); + return _gnutls_x509_export_int (cert->cert, format, "CERTIFICATE", + *output_data_size, output_data, + output_data_size); } @@ -1333,81 +1421,93 @@ int gnutls_x509_crt_export(gnutls_x509_crt_t cert, * returned, and 0 on success. * **/ -int gnutls_x509_crt_get_key_id(gnutls_x509_crt_t crt, unsigned int flags, - unsigned char *output_data, - size_t * output_data_size) +int +gnutls_x509_crt_get_key_id (gnutls_x509_crt_t crt, unsigned int flags, + unsigned char *output_data, + size_t * output_data_size) { - mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; - int params_size = MAX_PUBLIC_PARAMS_SIZE; - int i, pk, result = 0; - gnutls_datum_t der = { NULL, 0 }; - GNUTLS_HASH_HANDLE hd; + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + int params_size = MAX_PUBLIC_PARAMS_SIZE; + int i, pk, result = 0; + gnutls_datum_t der = { NULL, 0 }; + GNUTLS_HASH_HANDLE hd; - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crt == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (*output_data_size < 20) { - gnutls_assert(); - *output_data_size = 20; - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (*output_data_size < 20) + { + gnutls_assert (); + *output_data_size = 20; + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - pk = gnutls_x509_crt_get_pk_algorithm(crt, NULL); + pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL); - if (pk < 0) { - gnutls_assert(); - return pk; + if (pk < 0) + { + gnutls_assert (); + return pk; } - result = _gnutls_x509_crt_get_mpis(crt, params, ¶ms_size); + result = _gnutls_x509_crt_get_mpis (crt, params, ¶ms_size); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - if (pk == GNUTLS_PK_RSA) { - result = _gnutls_x509_write_rsa_params(params, params_size, &der); - if (result < 0) { - gnutls_assert(); - goto cleanup; + if (pk == GNUTLS_PK_RSA) + { + result = _gnutls_x509_write_rsa_params (params, params_size, &der); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - } else if (pk == GNUTLS_PK_DSA) { - result = - _gnutls_x509_write_dsa_public_key(params, params_size, &der); - if (result < 0) { - gnutls_assert(); - goto cleanup; + } + else if (pk == GNUTLS_PK_DSA) + { + result = _gnutls_x509_write_dsa_public_key (params, params_size, &der); + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - } else - return GNUTLS_E_INTERNAL_ERROR; + } + else + return GNUTLS_E_INTERNAL_ERROR; - hd = _gnutls_hash_init(GNUTLS_MAC_SHA1); - if (hd == GNUTLS_HASH_FAILED) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; + hd = _gnutls_hash_init (GNUTLS_MAC_SHA1); + if (hd == GNUTLS_HASH_FAILED) + { + gnutls_assert (); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; } - _gnutls_hash(hd, der.data, der.size); + _gnutls_hash (hd, der.data, der.size); - _gnutls_hash_deinit(hd, output_data); - *output_data_size = 20; + _gnutls_hash_deinit (hd, output_data); + *output_data_size = 20; - result = 0; + result = 0; - cleanup: +cleanup: - _gnutls_free_datum(&der); + _gnutls_free_datum (&der); - /* release all allocated MPIs - */ - for (i = 0; i < params_size; i++) { - _gnutls_mpi_release(¶ms[i]); + /* release all allocated MPIs + */ + for (i = 0; i < params_size; i++) + { + _gnutls_mpi_release (¶ms[i]); } - return result; + return result; } @@ -1426,89 +1526,99 @@ int gnutls_x509_crt_get_key_id(gnutls_x509_crt_t crt, unsigned int flags, * A negative value is returned on error. * **/ -int gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert, - const gnutls_x509_crl_t * crl_list, - int crl_list_length) +int +gnutls_x509_crt_check_revocation (gnutls_x509_crt_t cert, + const gnutls_x509_crl_t * crl_list, + int crl_list_length) { - opaque serial[64]; - opaque cert_serial[64]; - size_t serial_size, cert_serial_size; - int ncerts, ret, i, j; - gnutls_datum_t dn1, dn2; - - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - for (j = 0; j < crl_list_length; j++) { /* do for all the crls */ - - /* Step 1. check if issuer's DN match - */ - ret = _gnutls_x509_crl_get_raw_issuer_dn(crl_list[j], &dn1); - if (ret < 0) { - gnutls_assert(); - return ret; + opaque serial[64]; + opaque cert_serial[64]; + size_t serial_size, cert_serial_size; + int ncerts, ret, i, j; + gnutls_datum_t dn1, dn2; + + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + for (j = 0; j < crl_list_length; j++) + { /* do for all the crls */ + + /* Step 1. check if issuer's DN match + */ + ret = _gnutls_x509_crl_get_raw_issuer_dn (crl_list[j], &dn1); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = _gnutls_x509_crt_get_raw_issuer_dn(cert, &dn2); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_x509_crt_get_raw_issuer_dn (cert, &dn2); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = _gnutls_x509_compare_raw_dn(&dn1, &dn2); - _gnutls_free_datum(&dn1); - _gnutls_free_datum(&dn2); - if (ret == 0) { - /* issuers do not match so don't even - * bother checking. - */ - continue; + ret = _gnutls_x509_compare_raw_dn (&dn1, &dn2); + _gnutls_free_datum (&dn1); + _gnutls_free_datum (&dn2); + if (ret == 0) + { + /* issuers do not match so don't even + * bother checking. + */ + continue; } - /* Step 2. Read the certificate's serial number - */ - cert_serial_size = sizeof(cert_serial); - ret = - gnutls_x509_crt_get_serial(cert, cert_serial, - &cert_serial_size); - if (ret < 0) { - gnutls_assert(); - return ret; + /* Step 2. Read the certificate's serial number + */ + cert_serial_size = sizeof (cert_serial); + ret = gnutls_x509_crt_get_serial (cert, cert_serial, &cert_serial_size); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* Step 3. cycle through the CRL serials and compare with - * certificate serial we have. - */ + /* Step 3. cycle through the CRL serials and compare with + * certificate serial we have. + */ - ncerts = gnutls_x509_crl_get_crt_count(crl_list[j]); - if (ncerts < 0) { - gnutls_assert(); - return ncerts; + ncerts = gnutls_x509_crl_get_crt_count (crl_list[j]); + if (ncerts < 0) + { + gnutls_assert (); + return ncerts; } - for (i = 0; i < ncerts; i++) { - serial_size = sizeof(serial); - ret = - gnutls_x509_crl_get_crt_serial(crl_list[j], i, serial, - &serial_size, NULL); - - if (ret < 0) { - gnutls_assert(); - return ret; + for (i = 0; i < ncerts; i++) + { + serial_size = sizeof (serial); + ret = + gnutls_x509_crl_get_crt_serial (crl_list[j], i, serial, + &serial_size, NULL); + + if (ret < 0) + { + gnutls_assert (); + return ret; } - if (serial_size == cert_serial_size) { - if (memcmp(serial, cert_serial, serial_size) == 0) { - /* serials match */ - return 1; /* revoked! */ + if (serial_size == cert_serial_size) + { + if (memcmp (serial, cert_serial, serial_size) == 0) + { + /* serials match */ + return 1; /* revoked! */ } } } } - return 0; /* not revoked. */ + return 0; /* not revoked. */ } /** @@ -1525,24 +1635,27 @@ int gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert, * 1 on success. * **/ -int gnutls_x509_crt_verify_data(gnutls_x509_crt_t crt, unsigned int flags, - const gnutls_datum_t * data, - const gnutls_datum_t * signature) +int +gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, unsigned int flags, + const gnutls_datum_t * data, + const gnutls_datum_t * signature) { - int result; + int result; - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crt == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - result = _gnutls_x509_verify_signature(data, signature, crt); - if (result < 0) { - gnutls_assert(); - return 0; + result = _gnutls_x509_verify_signature (data, signature, crt); + if (result < 0) + { + gnutls_assert (); + return 0; } - return result; + return result; } /** @@ -1575,96 +1688,106 @@ int gnutls_x509_crt_verify_data(gnutls_x509_crt_t crt, unsigned int flags, * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; * **/ -int gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt_t cert, - unsigned int seq, void *ret, size_t * ret_size, - unsigned int *reason_flags, unsigned int *critical) +int +gnutls_x509_crt_get_crl_dist_points (gnutls_x509_crt_t cert, + unsigned int seq, void *ret, + size_t * ret_size, + unsigned int *reason_flags, + unsigned int *critical) { - int result; - gnutls_datum_t dist_points = { NULL, 0 }; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - char name[128]; - int len; - char num[MAX_INT_DIGITS]; - gnutls_x509_subject_alt_name_t type; - uint8 reasons[2]; + int result; + gnutls_datum_t dist_points = { NULL, 0 }; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + char name[128]; + int len; + char num[MAX_INT_DIGITS]; + gnutls_x509_subject_alt_name_t type; + uint8 reasons[2]; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (ret) - memset(ret, 0, *ret_size); - else - *ret_size = 0; + if (ret) + memset (ret, 0, *ret_size); + else + *ret_size = 0; - if (reason_flags) - *reason_flags = 0; + if (reason_flags) + *reason_flags = 0; - result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.31", 0, &dist_points, - critical); - if (result < 0) { - return result; + result = + _gnutls_x509_crt_get_extension (cert, "2.5.29.31", 0, &dist_points, + critical); + if (result < 0) + { + return result; } - if (dist_points.size == 0 || dist_points.data == NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (dist_points.size == 0 || dist_points.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum(&dist_points); - return _gnutls_asn2err(result); + result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.CRLDistributionPoints", &c2); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + _gnutls_free_datum (&dist_points); + return _gnutls_asn2err (result); } - result = - asn1_der_decoding(&c2, dist_points.data, dist_points.size, NULL); - _gnutls_free_datum(&dist_points); + result = asn1_der_decoding (&c2, dist_points.data, dist_points.size, NULL); + _gnutls_free_datum (&dist_points); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - /* Return the different names from the first CRLDistr. point. - * The whole thing is a mess. - */ - _gnutls_str_cpy(name, sizeof(name), "?1.distributionPoint.fullName"); + /* Return the different names from the first CRLDistr. point. + * The whole thing is a mess. + */ + _gnutls_str_cpy (name, sizeof (name), "?1.distributionPoint.fullName"); - result = parse_general_name(c2, name, seq, ret, ret_size); - if (result < 0) { - asn1_delete_structure(&c2); - return result; + result = parse_general_name (c2, name, seq, ret, ret_size); + if (result < 0) + { + asn1_delete_structure (&c2); + return result; } - type = result; + type = result; - /* Read the CRL reasons. - */ - if (reason_flags) { - _gnutls_str_cpy(name, sizeof(name), "?"); - _gnutls_str_cat(name, sizeof(name), num); - _gnutls_str_cat(name, sizeof(name), ".reasons"); + /* Read the CRL reasons. + */ + if (reason_flags) + { + _gnutls_str_cpy (name, sizeof (name), "?"); + _gnutls_str_cat (name, sizeof (name), num); + _gnutls_str_cat (name, sizeof (name), ".reasons"); - len = sizeof(reasons); - result = asn1_read_value(c2, name, reasons, &len); + len = sizeof (reasons); + result = asn1_read_value (c2, name, reasons, &len); - if (result != ASN1_VALUE_NOT_FOUND && result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + if (result != ASN1_VALUE_NOT_FOUND && result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - *reason_flags = reasons[0] | (reasons[1] << 8); + *reason_flags = reasons[0] | (reasons[1] << 8); } - return type; + return type; } /** @@ -1686,76 +1809,85 @@ int gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt_t cert, * the required size. On success 0 is returned. * **/ -int gnutls_x509_crt_get_key_purpose_oid(gnutls_x509_crt_t cert, - int indx, void *oid, size_t * sizeof_oid, unsigned int *critical) +int +gnutls_x509_crt_get_key_purpose_oid (gnutls_x509_crt_t cert, + int indx, void *oid, size_t * sizeof_oid, + unsigned int *critical) { - char counter[MAX_INT_DIGITS]; - char tmpstr[64]; - int result, len; - gnutls_datum_t id; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + char counter[MAX_INT_DIGITS]; + char tmpstr[64]; + int result, len; + gnutls_datum_t id; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (oid) - memset(oid, 0, *sizeof_oid); - else - *sizeof_oid = 0; + if (oid) + memset (oid, 0, *sizeof_oid); + else + *sizeof_oid = 0; - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.37", 0, &id, - critical)) < 0) { - return result; + if ((result = + _gnutls_x509_crt_get_extension (cert, "2.5.29.37", 0, &id, + critical)) < 0) + { + return result; } - if (id.size == 0 || id.data == NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (id.size == 0 || id.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum(&id); - return _gnutls_asn2err(result); + result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.ExtKeyUsageSyntax", &c2); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + _gnutls_free_datum (&id); + return _gnutls_asn2err (result); } - result = asn1_der_decoding(&c2, id.data, id.size, NULL); - _gnutls_free_datum(&id); + result = asn1_der_decoding (&c2, id.data, id.size, NULL); + _gnutls_free_datum (&id); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - indx++; - /* create a string like "?1" - */ - _gnutls_int2str(indx, counter); - _gnutls_str_cpy(tmpstr, sizeof(tmpstr), "?"); - _gnutls_str_cat(tmpstr, sizeof(tmpstr), counter); + indx++; + /* create a string like "?1" + */ + _gnutls_int2str (indx, counter); + _gnutls_str_cpy (tmpstr, sizeof (tmpstr), "?"); + _gnutls_str_cat (tmpstr, sizeof (tmpstr), counter); - len = *sizeof_oid; - result = asn1_read_value(c2, tmpstr, oid, &len); + len = *sizeof_oid; + result = asn1_read_value (c2, tmpstr, oid, &len); - *sizeof_oid = len; - asn1_delete_structure(&c2); + *sizeof_oid = len; + asn1_delete_structure (&c2); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) + { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } @@ -1770,51 +1902,58 @@ int gnutls_x509_crt_get_key_purpose_oid(gnutls_x509_crt_t cert, * gnutls_malloc() and will be stored in the appropriate datum. * **/ -int gnutls_x509_crt_get_pk_rsa_raw(gnutls_x509_crt_t crt, - gnutls_datum_t * m, gnutls_datum_t * e) +int +gnutls_x509_crt_get_pk_rsa_raw (gnutls_x509_crt_t crt, + gnutls_datum_t * m, gnutls_datum_t * e) { - int ret; - mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; - int params_size = MAX_PUBLIC_PARAMS_SIZE; - int i; + int ret; + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + int params_size = MAX_PUBLIC_PARAMS_SIZE; + int i; - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crt == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = gnutls_x509_crt_get_pk_algorithm(crt, NULL); - if (ret != GNUTLS_PK_RSA) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + ret = gnutls_x509_crt_get_pk_algorithm (crt, NULL); + if (ret != GNUTLS_PK_RSA) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = _gnutls_x509_crt_get_mpis(crt, params, ¶ms_size); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_x509_crt_get_mpis (crt, params, ¶ms_size); + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = _gnutls_mpi_dprint(m, params[0]); - if (ret < 0) { - gnutls_assert(); - goto cleanup; + ret = _gnutls_mpi_dprint (m, params[0]); + if (ret < 0) + { + gnutls_assert (); + goto cleanup; } - ret = _gnutls_mpi_dprint(e, params[1]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(m); - goto cleanup; + ret = _gnutls_mpi_dprint (e, params[1]); + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (m); + goto cleanup; } - ret = 0; + ret = 0; - cleanup: - for (i = 0; i < params_size; i++) { - _gnutls_mpi_release(¶ms[i]); +cleanup: + for (i = 0; i < params_size; i++) + { + _gnutls_mpi_release (¶ms[i]); } - return ret; + return ret; } /** @@ -1830,76 +1969,85 @@ int gnutls_x509_crt_get_pk_rsa_raw(gnutls_x509_crt_t crt, * gnutls_malloc() and will be stored in the appropriate datum. * **/ -int gnutls_x509_crt_get_pk_dsa_raw(gnutls_x509_crt_t crt, - gnutls_datum_t * p, gnutls_datum_t * q, - gnutls_datum_t * g, gnutls_datum_t * y) +int +gnutls_x509_crt_get_pk_dsa_raw (gnutls_x509_crt_t crt, + gnutls_datum_t * p, gnutls_datum_t * q, + gnutls_datum_t * g, gnutls_datum_t * y) { - int ret; - mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; - int params_size = MAX_PUBLIC_PARAMS_SIZE; - int i; + int ret; + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + int params_size = MAX_PUBLIC_PARAMS_SIZE; + int i; - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crt == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = gnutls_x509_crt_get_pk_algorithm(crt, NULL); - if (ret != GNUTLS_PK_DSA) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + ret = gnutls_x509_crt_get_pk_algorithm (crt, NULL); + if (ret != GNUTLS_PK_DSA) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = _gnutls_x509_crt_get_mpis(crt, params, ¶ms_size); - if (ret < 0) { - gnutls_assert(); - return ret; + ret = _gnutls_x509_crt_get_mpis (crt, params, ¶ms_size); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* P */ - ret = _gnutls_mpi_dprint(p, params[0]); - if (ret < 0) { - gnutls_assert(); - goto cleanup; + /* P */ + ret = _gnutls_mpi_dprint (p, params[0]); + if (ret < 0) + { + gnutls_assert (); + goto cleanup; } - /* Q */ - ret = _gnutls_mpi_dprint(q, params[1]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - goto cleanup; + /* Q */ + ret = _gnutls_mpi_dprint (q, params[1]); + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (p); + goto cleanup; } - /* G */ - ret = _gnutls_mpi_dprint(g, params[2]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - _gnutls_free_datum(q); - goto cleanup; + /* G */ + ret = _gnutls_mpi_dprint (g, params[2]); + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (p); + _gnutls_free_datum (q); + goto cleanup; } - /* Y */ - ret = _gnutls_mpi_dprint(y, params[3]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - _gnutls_free_datum(g); - _gnutls_free_datum(q); - goto cleanup; + /* Y */ + ret = _gnutls_mpi_dprint (y, params[3]); + if (ret < 0) + { + gnutls_assert (); + _gnutls_free_datum (p); + _gnutls_free_datum (g); + _gnutls_free_datum (q); + goto cleanup; } - ret = 0; + ret = 0; - cleanup: - for (i = 0; i < params_size; i++) { - _gnutls_mpi_release(¶ms[i]); +cleanup: + for (i = 0; i < params_size; i++) + { + _gnutls_mpi_release (¶ms[i]); } - return ret; + return ret; } @@ -1925,112 +2073,127 @@ int gnutls_x509_crt_get_pk_dsa_raw(gnutls_x509_crt_t crt, * Returns the number of certificates read or a negative error value. * **/ -int gnutls_x509_crt_list_import(gnutls_x509_crt_t *certs, unsigned int* cert_max, - const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format, unsigned int flags) +int +gnutls_x509_crt_list_import (gnutls_x509_crt_t * certs, + unsigned int *cert_max, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format, unsigned int flags) { - int size; - const char *ptr; - gnutls_datum_t tmp; - int ret, nocopy=0; - unsigned int count=0,j; - - if (format==GNUTLS_X509_FMT_DER) { - if (*cert_max < 1) { - *cert_max = 1; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - count = 1; /* import only the first one */ - - ret = gnutls_x509_crt_init( &certs[0]); - if (ret < 0) { - gnutls_assert(); - goto error; - } - - ret = gnutls_x509_crt_import( certs[0], data, format); - if (ret < 0) { - gnutls_assert(); - goto error; - } - - *cert_max = 1; - return 1; - } - - /* move to the certificate - */ - ptr = memmem(data->data, data->size, - PEM_CERT_SEP, sizeof(PEM_CERT_SEP) - 1); - if (ptr == NULL) - ptr = memmem(data->data, data->size, - PEM_CERT_SEP2, sizeof(PEM_CERT_SEP2) - 1); - - if (ptr == NULL) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - size = data->size - (ptr - (char*)data->data); - - count = 0; - - do { - if (count >= *cert_max) { - if (!(flags & GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) - break; - else - nocopy = 1; - } - - if (!nocopy) { - ret = gnutls_x509_crt_init( &certs[count]); - if (ret < 0) { - gnutls_assert(); - goto error; - } - - tmp.data = (void*)ptr; - tmp.size = size; - - ret = gnutls_x509_crt_import( certs[count], &tmp, GNUTLS_X509_FMT_PEM); - if (ret < 0) { - gnutls_assert(); - goto error; - } - } - - /* now we move ptr after the pem header - */ - ptr++; - /* find the next certificate (if any) - */ - size = data->size - (ptr - (char*)data->data); - - if (size > 0) { - char *ptr2; - - ptr2 = - memmem(ptr, size, PEM_CERT_SEP, sizeof(PEM_CERT_SEP) - 1); - if (ptr2 == NULL) - ptr2 = memmem(ptr, size, PEM_CERT_SEP2, - sizeof(PEM_CERT_SEP2) - 1); - - ptr = ptr2; - } else - ptr = NULL; - - count++; - } while (ptr != NULL); - - *cert_max = count; - - if (nocopy==0) - return count; - else - return GNUTLS_E_SHORT_MEMORY_BUFFER; + int size; + const char *ptr; + gnutls_datum_t tmp; + int ret, nocopy = 0; + unsigned int count = 0, j; + + if (format == GNUTLS_X509_FMT_DER) + { + if (*cert_max < 1) + { + *cert_max = 1; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + count = 1; /* import only the first one */ + + ret = gnutls_x509_crt_init (&certs[0]); + if (ret < 0) + { + gnutls_assert (); + goto error; + } + + ret = gnutls_x509_crt_import (certs[0], data, format); + if (ret < 0) + { + gnutls_assert (); + goto error; + } + + *cert_max = 1; + return 1; + } + + /* move to the certificate + */ + ptr = memmem (data->data, data->size, + PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1); + if (ptr == NULL) + ptr = memmem (data->data, data->size, + PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1); + + if (ptr == NULL) + { + gnutls_assert (); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + size = data->size - (ptr - (char *) data->data); + + count = 0; + + do + { + if (count >= *cert_max) + { + if (!(flags & GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) + break; + else + nocopy = 1; + } + + if (!nocopy) + { + ret = gnutls_x509_crt_init (&certs[count]); + if (ret < 0) + { + gnutls_assert (); + goto error; + } + + tmp.data = (void *) ptr; + tmp.size = size; + + ret = + gnutls_x509_crt_import (certs[count], &tmp, GNUTLS_X509_FMT_PEM); + if (ret < 0) + { + gnutls_assert (); + goto error; + } + } + + /* now we move ptr after the pem header + */ + ptr++; + /* find the next certificate (if any) + */ + size = data->size - (ptr - (char *) data->data); + + if (size > 0) + { + char *ptr2; + + ptr2 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1); + if (ptr2 == NULL) + ptr2 = memmem (ptr, size, PEM_CERT_SEP2, + sizeof (PEM_CERT_SEP2) - 1); + + ptr = ptr2; + } + else + ptr = NULL; + + count++; + } + while (ptr != NULL); + + *cert_max = count; + + if (nocopy == 0) + return count; + else + return GNUTLS_E_SHORT_MEMORY_BUFFER; error: - CLEAR_CERTS; - return ret; + CLEAR_CERTS; + return ret; } - diff --git a/lib/x509/x509.h b/lib/x509/x509.h index c1b911a2f5..7f36abb77e 100644 --- a/lib/x509/x509.h +++ b/lib/x509/x509.h @@ -32,13 +32,15 @@ #define HASH_OID_MD2 "1.2.840.113549.2.2" #define HASH_OID_RMD160 "1.3.36.3.2.1" -typedef struct gnutls_x509_crl_int { - ASN1_TYPE crl; +typedef struct gnutls_x509_crl_int +{ + ASN1_TYPE crl; } gnutls_x509_crl_int; -typedef struct gnutls_x509_crt_int { - ASN1_TYPE cert; - int use_extensions; +typedef struct gnutls_x509_crt_int +{ + ASN1_TYPE cert; + int use_extensions; } gnutls_x509_crt_int; #define MAX_PRIV_PARAMS_SIZE 6 /* ok for RSA and DSA */ @@ -57,113 +59,131 @@ typedef struct gnutls_x509_crt_int { # error INCREASE MAX_PRIV_PARAMS #endif -typedef struct gnutls_x509_privkey_int { - mpi_t params[MAX_PRIV_PARAMS_SIZE]; /* the size of params depends on the public +typedef struct gnutls_x509_privkey_int +{ + mpi_t params[MAX_PRIV_PARAMS_SIZE]; /* the size of params depends on the public * key algorithm */ - /* - * RSA: [0] is modulus - * [1] is public exponent - * [2] is private exponent - * [3] is prime1 (p) - * [4] is prime2 (q) - * [5] is coefficient (u == inverse of p mod q) - * note that other packages used inverse of q mod p, - * so we need to perform conversions. - * DSA: [0] is p - * [1] is q - * [2] is g - * [3] is y (public key) - * [4] is x (private key) - */ - int params_size; /* holds the number of params */ - - gnutls_pk_algorithm_t pk_algorithm; - - int crippled; /* The crippled keys will not use the ASN1_TYPE key. + /* + * RSA: [0] is modulus + * [1] is public exponent + * [2] is private exponent + * [3] is prime1 (p) + * [4] is prime2 (q) + * [5] is coefficient (u == inverse of p mod q) + * note that other packages used inverse of q mod p, + * so we need to perform conversions. + * DSA: [0] is p + * [1] is q + * [2] is g + * [3] is y (public key) + * [4] is x (private key) + */ + int params_size; /* holds the number of params */ + + gnutls_pk_algorithm_t pk_algorithm; + + int crippled; /* The crippled keys will not use the ASN1_TYPE key. * The encoding will only be performed at the export * phase, to optimize copying etc. Cannot be used with * the exported API (used internally only). */ - ASN1_TYPE key; + ASN1_TYPE key; } gnutls_x509_privkey_int; -int gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt_t cert, - const char *oid, int indx, unsigned int raw_flag, void *buf, - size_t * sizeof_buf); -int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt_t cert, - unsigned int seq, void *ret, size_t * ret_size, - unsigned int *critical); -int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt_t cert, const char *oid, - int indx, unsigned int raw_flag, void *buf, size_t * sizeof_buf); -int gnutls_x509_crt_get_ca_status(gnutls_x509_crt_t cert, - unsigned int *critical); -int gnutls_x509_crt_get_pk_algorithm(gnutls_x509_crt_t cert, - unsigned int *bits); - -int _gnutls_x509_crt_cpy(gnutls_x509_crt_t dest, gnutls_x509_crt_t src); -int _gnutls_x509_crt_get_raw_issuer_dn(gnutls_x509_crt_t cert, - gnutls_datum_t * start); -int _gnutls_x509_crt_get_raw_dn(gnutls_x509_crt_t cert, - gnutls_datum_t * start); - -int gnutls_x509_crt_get_serial(gnutls_x509_crt_t cert, void *result, - size_t * result_size); - -int _gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1, - const gnutls_datum_t * dn2); - -int gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert, - const gnutls_x509_crl_t * crl_list, int crl_list_length); - - -int _gnutls_x509_crl_cpy(gnutls_x509_crl_t dest, gnutls_x509_crl_t src); -int _gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl_t crl, - gnutls_datum_t * dn); -int gnutls_x509_crl_get_crt_count(gnutls_x509_crl_t crl); -int gnutls_x509_crl_get_crt_serial(gnutls_x509_crl_t crl, int indx, - unsigned char *serial, size_t * serial_size, time_t * t); - -void gnutls_x509_crl_deinit(gnutls_x509_crl_t crl); -int gnutls_x509_crl_init(gnutls_x509_crl_t * crl); -int gnutls_x509_crl_import(gnutls_x509_crl_t crl, - const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format); -int gnutls_x509_crl_export(gnutls_x509_crl_t crl, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size); - -int gnutls_x509_crt_init(gnutls_x509_crt_t * cert); -void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert); -int gnutls_x509_crt_import(gnutls_x509_crt_t cert, - const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format); -int gnutls_x509_crt_export(gnutls_x509_crt_t cert, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size); - -int gnutls_x509_crt_get_key_usage(gnutls_x509_crt_t cert, - unsigned int *key_usage, unsigned int *critical); -int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt_t cert); -int gnutls_x509_crt_get_version(gnutls_x509_crt_t cert); - -int gnutls_x509_privkey_init(gnutls_x509_privkey_t * key); -void gnutls_x509_privkey_deinit(gnutls_x509_privkey_t key); - -int gnutls_x509_privkey_generate(gnutls_x509_privkey_t key, - gnutls_pk_algorithm_t algo, unsigned int bits, unsigned int flags); - -int gnutls_x509_privkey_import(gnutls_x509_privkey_t key, - const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format); -int gnutls_x509_privkey_get_pk_algorithm(gnutls_x509_privkey_t key); -int gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey_t key, - const gnutls_datum_t * m, const gnutls_datum_t * e, - const gnutls_datum_t * d, const gnutls_datum_t * p, - const gnutls_datum_t * q, const gnutls_datum_t * u); -int gnutls_x509_privkey_export_rsa_raw(gnutls_x509_privkey_t key, - gnutls_datum_t * m, gnutls_datum_t * e, gnutls_datum_t * d, - gnutls_datum_t * p, gnutls_datum_t * q, gnutls_datum_t * u); -int gnutls_x509_privkey_export(gnutls_x509_privkey_t key, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size); +int gnutls_x509_crt_get_issuer_dn_by_oid (gnutls_x509_crt_t cert, + const char *oid, int indx, + unsigned int raw_flag, void *buf, + size_t * sizeof_buf); +int gnutls_x509_crt_get_subject_alt_name (gnutls_x509_crt_t cert, + unsigned int seq, void *ret, + size_t * ret_size, + unsigned int *critical); +int gnutls_x509_crt_get_dn_by_oid (gnutls_x509_crt_t cert, const char *oid, + int indx, unsigned int raw_flag, void *buf, + size_t * sizeof_buf); +int gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert, + unsigned int *critical); +int gnutls_x509_crt_get_pk_algorithm (gnutls_x509_crt_t cert, + unsigned int *bits); + +int _gnutls_x509_crt_cpy (gnutls_x509_crt_t dest, gnutls_x509_crt_t src); +int _gnutls_x509_crt_get_raw_issuer_dn (gnutls_x509_crt_t cert, + gnutls_datum_t * start); +int _gnutls_x509_crt_get_raw_dn (gnutls_x509_crt_t cert, + gnutls_datum_t * start); + +int gnutls_x509_crt_get_serial (gnutls_x509_crt_t cert, void *result, + size_t * result_size); + +int _gnutls_x509_compare_raw_dn (const gnutls_datum_t * dn1, + const gnutls_datum_t * dn2); + +int gnutls_x509_crt_check_revocation (gnutls_x509_crt_t cert, + const gnutls_x509_crl_t * crl_list, + int crl_list_length); + + +int _gnutls_x509_crl_cpy (gnutls_x509_crl_t dest, gnutls_x509_crl_t src); +int _gnutls_x509_crl_get_raw_issuer_dn (gnutls_x509_crl_t crl, + gnutls_datum_t * dn); +int gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl); +int gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl, int indx, + unsigned char *serial, + size_t * serial_size, time_t * t); + +void gnutls_x509_crl_deinit (gnutls_x509_crl_t crl); +int gnutls_x509_crl_init (gnutls_x509_crl_t * crl); +int gnutls_x509_crl_import (gnutls_x509_crl_t crl, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format); +int gnutls_x509_crl_export (gnutls_x509_crl_t crl, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size); + +int gnutls_x509_crt_init (gnutls_x509_crt_t * cert); +void gnutls_x509_crt_deinit (gnutls_x509_crt_t cert); +int gnutls_x509_crt_import (gnutls_x509_crt_t cert, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format); +int gnutls_x509_crt_export (gnutls_x509_crt_t cert, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size); + +int gnutls_x509_crt_get_key_usage (gnutls_x509_crt_t cert, + unsigned int *key_usage, + unsigned int *critical); +int gnutls_x509_crt_get_signature_algorithm (gnutls_x509_crt_t cert); +int gnutls_x509_crt_get_version (gnutls_x509_crt_t cert); + +int gnutls_x509_privkey_init (gnutls_x509_privkey_t * key); +void gnutls_x509_privkey_deinit (gnutls_x509_privkey_t key); + +int gnutls_x509_privkey_generate (gnutls_x509_privkey_t key, + gnutls_pk_algorithm_t algo, + unsigned int bits, unsigned int flags); + +int gnutls_x509_privkey_import (gnutls_x509_privkey_t key, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format); +int gnutls_x509_privkey_get_pk_algorithm (gnutls_x509_privkey_t key); +int gnutls_x509_privkey_import_rsa_raw (gnutls_x509_privkey_t key, + const gnutls_datum_t * m, + const gnutls_datum_t * e, + const gnutls_datum_t * d, + const gnutls_datum_t * p, + const gnutls_datum_t * q, + const gnutls_datum_t * u); +int gnutls_x509_privkey_export_rsa_raw (gnutls_x509_privkey_t key, + gnutls_datum_t * m, + gnutls_datum_t * e, + gnutls_datum_t * d, + gnutls_datum_t * p, + gnutls_datum_t * q, + gnutls_datum_t * u); +int gnutls_x509_privkey_export (gnutls_x509_privkey_t key, + gnutls_x509_crt_fmt_t format, + void *output_data, size_t * output_data_size); #define GNUTLS_CRL_REASON_UNUSED 128 #define GNUTLS_CRL_REASON_KEY_COMPROMISE 64 diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c index 60d21dcd42..2a97cc353a 100644 --- a/lib/x509/x509_write.c +++ b/lib/x509/x509_write.c @@ -42,7 +42,7 @@ #include <extensions.h> #include <libtasn1.h> -static void disable_optional_stuff(gnutls_x509_crt_t cert); +static void disable_optional_stuff (gnutls_x509_crt_t cert); /** * gnutls_x509_crt_set_dn_by_oid - This function will set the Certificate request subject's distinguished name @@ -64,16 +64,18 @@ static void disable_optional_stuff(gnutls_x509_crt_t cert); * Returns 0 on success. * **/ -int gnutls_x509_crt_set_dn_by_oid(gnutls_x509_crt_t crt, const char *oid, - unsigned int raw_flag, const void *name, - unsigned int sizeof_name) +int +gnutls_x509_crt_set_dn_by_oid (gnutls_x509_crt_t crt, const char *oid, + unsigned int raw_flag, const void *name, + unsigned int sizeof_name) { - if (sizeof_name == 0 || name == NULL || crt == NULL) { - return GNUTLS_E_INVALID_REQUEST; + if (sizeof_name == 0 || name == NULL || crt == NULL) + { + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_set_dn_oid(crt->cert, "tbsCertificate.subject", - oid, raw_flag, name, sizeof_name); + return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.subject", + oid, raw_flag, name, sizeof_name); } /** @@ -99,18 +101,20 @@ int gnutls_x509_crt_set_dn_by_oid(gnutls_x509_crt_t crt, const char *oid, * Returns 0 on success. * **/ -int gnutls_x509_crt_set_issuer_dn_by_oid(gnutls_x509_crt_t crt, - const char *oid, - unsigned int raw_flag, - const void *name, - unsigned int sizeof_name) +int +gnutls_x509_crt_set_issuer_dn_by_oid (gnutls_x509_crt_t crt, + const char *oid, + unsigned int raw_flag, + const void *name, + unsigned int sizeof_name) { - if (sizeof_name == 0 || name == NULL || crt == NULL) { - return GNUTLS_E_INVALID_REQUEST; + if (sizeof_name == 0 || name == NULL || crt == NULL) + { + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_set_dn_oid(crt->cert, "tbsCertificate.issuer", oid, - raw_flag, name, sizeof_name); + return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.issuer", oid, + raw_flag, name, sizeof_name); } /** @@ -125,28 +129,29 @@ int gnutls_x509_crt_set_issuer_dn_by_oid(gnutls_x509_crt_t crt, * Returns 0 on success. * **/ -int gnutls_x509_crt_set_version(gnutls_x509_crt_t crt, - unsigned int version) +int +gnutls_x509_crt_set_version (gnutls_x509_crt_t crt, unsigned int version) { - int result; - unsigned char null = version; + int result; + unsigned char null = version; - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crt == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - if (null > 0) - null--; + if (null > 0) + null--; - result = - asn1_write_value(crt->cert, "tbsCertificate.version", &null, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + result = asn1_write_value (crt->cert, "tbsCertificate.version", &null, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - return 0; + return 0; } /** @@ -160,28 +165,30 @@ int gnutls_x509_crt_set_version(gnutls_x509_crt_t crt, * Returns 0 on success. * **/ -int gnutls_x509_crt_set_key(gnutls_x509_crt_t crt, - gnutls_x509_privkey_t key) +int +gnutls_x509_crt_set_key (gnutls_x509_crt_t crt, gnutls_x509_privkey_t key) { - int result; + int result; - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crt == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - result = _gnutls_x509_encode_and_copy_PKI_params(crt->cert, - "tbsCertificate.subjectPublicKeyInfo", - key->pk_algorithm, - key->params, - key->params_size); + result = _gnutls_x509_encode_and_copy_PKI_params (crt->cert, + "tbsCertificate.subjectPublicKeyInfo", + key->pk_algorithm, + key->params, + key->params_size); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /** @@ -195,37 +202,41 @@ int gnutls_x509_crt_set_key(gnutls_x509_crt_t crt, * Returns 0 on success. * **/ -int gnutls_x509_crt_set_crq(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq) +int +gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt, gnutls_x509_crq_t crq) { - int result; - int pk_algorithm; + int result; + int pk_algorithm; - if (crt == NULL || crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crt == NULL || crq == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - pk_algorithm = gnutls_x509_crq_get_pk_algorithm(crq, NULL); + pk_algorithm = gnutls_x509_crq_get_pk_algorithm (crq, NULL); - result = _gnutls_asn1_copy_node(&crt->cert, "tbsCertificate.subject", - crq->crq, - "certificationRequestInfo.subject"); - if (result < 0) { - gnutls_assert(); - return result; + result = _gnutls_asn1_copy_node (&crt->cert, "tbsCertificate.subject", + crq->crq, + "certificationRequestInfo.subject"); + if (result < 0) + { + gnutls_assert (); + return result; } - result = - _gnutls_asn1_copy_node(&crt->cert, - "tbsCertificate.subjectPublicKeyInfo", - crq->crq, - "certificationRequestInfo.subjectPKInfo"); - if (result < 0) { - gnutls_assert(); - return result; + result = + _gnutls_asn1_copy_node (&crt->cert, + "tbsCertificate.subjectPublicKeyInfo", + crq->crq, + "certificationRequestInfo.subjectPKInfo"); + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /** @@ -242,31 +253,34 @@ int gnutls_x509_crt_set_crq(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq) * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_set_extension_by_oid(gnutls_x509_crt_t crt, - const char *oid, const void *buf, size_t sizeof_buf, - unsigned int critical) +int +gnutls_x509_crt_set_extension_by_oid (gnutls_x509_crt_t crt, + const char *oid, const void *buf, + size_t sizeof_buf, + unsigned int critical) { - int result; - gnutls_datum_t der_data; + int result; + gnutls_datum_t der_data; - der_data.data =(void*)buf; - der_data.size = sizeof_buf; + der_data.data = (void *) buf; + der_data.size = sizeof_buf; - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crt == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - result = - _gnutls_x509_crt_set_extension(crt, oid, &der_data, critical); - if (result < 0) { - gnutls_assert(); - return result; + result = _gnutls_x509_crt_set_extension (crt, oid, &der_data, critical); + if (result < 0) + { + gnutls_assert (); + return result; } - crt->use_extensions = 1; + crt->use_extensions = 1; - return 0; + return 0; } @@ -281,37 +295,40 @@ int gnutls_x509_crt_set_extension_by_oid(gnutls_x509_crt_t crt, * Returns 0 on success. * **/ -int gnutls_x509_crt_set_ca_status(gnutls_x509_crt_t crt, unsigned int ca) +int +gnutls_x509_crt_set_ca_status (gnutls_x509_crt_t crt, unsigned int ca) { - int result; - gnutls_datum_t der_data; + int result; + gnutls_datum_t der_data; - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crt == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_basicConstraints(ca, &der_data); - if (result < 0) { - gnutls_assert(); - return result; + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_basicConstraints (ca, &der_data); + if (result < 0) + { + gnutls_assert (); + return result; } - result = - _gnutls_x509_crt_set_extension(crt, "2.5.29.19", &der_data, 1); + result = _gnutls_x509_crt_set_extension (crt, "2.5.29.19", &der_data, 1); - _gnutls_free_datum(&der_data); + _gnutls_free_datum (&der_data); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - crt->use_extensions = 1; + crt->use_extensions = 1; - return 0; + return 0; } /** @@ -324,38 +341,40 @@ int gnutls_x509_crt_set_ca_status(gnutls_x509_crt_t crt, unsigned int ca) * Returns 0 on success. * **/ -int gnutls_x509_crt_set_key_usage(gnutls_x509_crt_t crt, - unsigned int usage) +int +gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt, unsigned int usage) { - int result; - gnutls_datum_t der_data; + int result; + gnutls_datum_t der_data; - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crt == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_keyUsage((uint16) usage, &der_data); - if (result < 0) { - gnutls_assert(); - return result; + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_keyUsage ((uint16) usage, &der_data); + if (result < 0) + { + gnutls_assert (); + return result; } - result = - _gnutls_x509_crt_set_extension(crt, "2.5.29.15", &der_data, 1); + result = _gnutls_x509_crt_set_extension (crt, "2.5.29.15", &der_data, 1); - _gnutls_free_datum(&der_data); + _gnutls_free_datum (&der_data); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - crt->use_extensions = 1; + crt->use_extensions = 1; - return 0; + return 0; } /** @@ -369,57 +388,58 @@ int gnutls_x509_crt_set_key_usage(gnutls_x509_crt_t crt, * Returns 0 on success. * **/ -int gnutls_x509_crt_set_subject_alternative_name(gnutls_x509_crt_t crt, - gnutls_x509_subject_alt_name_t - type, - const char *data_string) +int +gnutls_x509_crt_set_subject_alternative_name (gnutls_x509_crt_t crt, + gnutls_x509_subject_alt_name_t + type, const char *data_string) { - int result; - gnutls_datum_t der_data; - gnutls_datum_t dnsname; - unsigned int critical; + int result; + gnutls_datum_t der_data; + gnutls_datum_t dnsname; + unsigned int critical; - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crt == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Check if the extension already exists. - */ - result = - _gnutls_x509_crt_get_extension(crt, "2.5.29.17", 0, &dnsname, - &critical); + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension (crt, "2.5.29.17", 0, &dnsname, &critical); - if (result >= 0) - _gnutls_free_datum(&dnsname); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (result >= 0) + _gnutls_free_datum (&dnsname); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* generate the extension. - */ - result = - _gnutls_x509_ext_gen_subject_alt_name(type, data_string, - &der_data); - if (result < 0) { - gnutls_assert(); - return result; + /* generate the extension. + */ + result = + _gnutls_x509_ext_gen_subject_alt_name (type, data_string, &der_data); + if (result < 0) + { + gnutls_assert (); + return result; } - result = - _gnutls_x509_crt_set_extension(crt, "2.5.29.17", &der_data, 0); + result = _gnutls_x509_crt_set_extension (crt, "2.5.29.17", &der_data, 0); - _gnutls_free_datum(&der_data); + _gnutls_free_datum (&der_data); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - crt->use_extensions = 1; + crt->use_extensions = 1; - return 0; + return 0; } /** @@ -439,28 +459,32 @@ int gnutls_x509_crt_set_subject_alternative_name(gnutls_x509_crt_t crt, * Returns 0 on success. * **/ -int gnutls_x509_crt_sign2(gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, - gnutls_x509_privkey_t issuer_key, gnutls_digest_algorithm_t dig, unsigned int flags) +int +gnutls_x509_crt_sign2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, + gnutls_x509_privkey_t issuer_key, + gnutls_digest_algorithm_t dig, unsigned int flags) { - int result; + int result; - if (crt == NULL || issuer == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crt == NULL || issuer == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* disable all the unneeded OPTIONAL fields. - */ - disable_optional_stuff(crt); + /* disable all the unneeded OPTIONAL fields. + */ + disable_optional_stuff (crt); - result = _gnutls_x509_pkix_sign(crt->cert, "tbsCertificate", - dig, issuer, issuer_key); - if (result < 0) { - gnutls_assert(); - return result; + result = _gnutls_x509_pkix_sign (crt->cert, "tbsCertificate", + dig, issuer, issuer_key); + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /** @@ -475,10 +499,11 @@ int gnutls_x509_crt_sign2(gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, * Returns 0 on success. * **/ -int gnutls_x509_crt_sign(gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, - gnutls_x509_privkey_t issuer_key) +int +gnutls_x509_crt_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, + gnutls_x509_privkey_t issuer_key) { - return gnutls_x509_crt_sign2( crt, issuer, issuer_key, GNUTLS_DIG_SHA1, 0); + return gnutls_x509_crt_sign2 (crt, issuer, issuer_key, GNUTLS_DIG_SHA1, 0); } /** @@ -491,17 +516,18 @@ int gnutls_x509_crt_sign(gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_activation_time(gnutls_x509_crt_t cert, - time_t act_time) +int +gnutls_x509_crt_set_activation_time (gnutls_x509_crt_t cert, time_t act_time) { - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_set_time(cert->cert, - "tbsCertificate.validity.notBefore", - act_time); + return _gnutls_x509_set_time (cert->cert, + "tbsCertificate.validity.notBefore", + act_time); } /** @@ -514,16 +540,16 @@ int gnutls_x509_crt_set_activation_time(gnutls_x509_crt_t cert, * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_expiration_time(gnutls_x509_crt_t cert, - time_t exp_time) +int +gnutls_x509_crt_set_expiration_time (gnutls_x509_crt_t cert, time_t exp_time) { - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_set_time(cert->cert, - "tbsCertificate.validity.notAfter", - exp_time); + return _gnutls_x509_set_time (cert->cert, + "tbsCertificate.validity.notAfter", exp_time); } /** @@ -540,45 +566,49 @@ int gnutls_x509_crt_set_expiration_time(gnutls_x509_crt_t cert, * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_serial(gnutls_x509_crt_t cert, const void *serial, - size_t serial_size) +int +gnutls_x509_crt_set_serial (gnutls_x509_crt_t cert, const void *serial, + size_t serial_size) { - int ret; + int ret; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - ret = - asn1_write_value(cert->cert, "tbsCertificate.serialNumber", serial, - serial_size); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(ret); + ret = + asn1_write_value (cert->cert, "tbsCertificate.serialNumber", serial, + serial_size); + if (ret != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (ret); } - return 0; + return 0; } /* If OPTIONAL fields have not been initialized then * disable them. */ -static void disable_optional_stuff(gnutls_x509_crt_t cert) +static void +disable_optional_stuff (gnutls_x509_crt_t cert) { - asn1_write_value(cert->cert, "tbsCertificate.issuerUniqueID", NULL, 0); + asn1_write_value (cert->cert, "tbsCertificate.issuerUniqueID", NULL, 0); - asn1_write_value(cert->cert, "tbsCertificate.subjectUniqueID", NULL, - 0); + asn1_write_value (cert->cert, "tbsCertificate.subjectUniqueID", NULL, 0); - if (cert->use_extensions == 0) { - _gnutls_x509_log("Disabling X.509 extensions.\n"); - asn1_write_value(cert->cert, "tbsCertificate.extensions", NULL, 0); + if (cert->use_extensions == 0) + { + _gnutls_x509_log ("Disabling X.509 extensions.\n"); + asn1_write_value (cert->cert, "tbsCertificate.extensions", NULL, 0); } - return; + return; } /** @@ -593,57 +623,60 @@ static void disable_optional_stuff(gnutls_x509_crt_t cert) * Returns 0 on success. * **/ -int gnutls_x509_crt_set_crl_dist_points(gnutls_x509_crt_t crt, - gnutls_x509_subject_alt_name_t - type, const void *data_string, - unsigned int reason_flags) +int +gnutls_x509_crt_set_crl_dist_points (gnutls_x509_crt_t crt, + gnutls_x509_subject_alt_name_t + type, const void *data_string, + unsigned int reason_flags) { - int result; - gnutls_datum_t der_data; - gnutls_datum_t oldname; - unsigned int critical; + int result; + gnutls_datum_t der_data; + gnutls_datum_t oldname; + unsigned int critical; - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crt == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Check if the extension already exists. - */ - result = - _gnutls_x509_crt_get_extension(crt, "2.5.29.31", 0, &oldname, - &critical); + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension (crt, "2.5.29.31", 0, &oldname, &critical); - if (result >= 0) - _gnutls_free_datum(&oldname); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (result >= 0) + _gnutls_free_datum (&oldname); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* generate the extension. - */ - result = - _gnutls_x509_ext_gen_crl_dist_points(type, data_string, - reason_flags, &der_data); - if (result < 0) { - gnutls_assert(); - return result; + /* generate the extension. + */ + result = + _gnutls_x509_ext_gen_crl_dist_points (type, data_string, + reason_flags, &der_data); + if (result < 0) + { + gnutls_assert (); + return result; } - result = - _gnutls_x509_crt_set_extension(crt, "2.5.29.31", &der_data, 0); + result = _gnutls_x509_crt_set_extension (crt, "2.5.29.31", &der_data, 0); - _gnutls_free_datum(&der_data); + _gnutls_free_datum (&der_data); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - crt->use_extensions = 1; + crt->use_extensions = 1; - return 0; + return 0; } /** @@ -658,41 +691,44 @@ int gnutls_x509_crt_set_crl_dist_points(gnutls_x509_crt_t crt, * Returns 0 on success. * **/ -int gnutls_x509_crt_cpy_crl_dist_points(gnutls_x509_crt_t dst, - gnutls_x509_crt_t src) +int +gnutls_x509_crt_cpy_crl_dist_points (gnutls_x509_crt_t dst, + gnutls_x509_crt_t src) { - int result; - gnutls_datum_t der_data; - unsigned int critical; + int result; + gnutls_datum_t der_data; + unsigned int critical; - if (dst == NULL || src == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (dst == NULL || src == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Check if the extension already exists. - */ - result = - _gnutls_x509_crt_get_extension(src, "2.5.29.31", 0, &der_data, - &critical); - if (result < 0) { - gnutls_assert(); - return result; + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension (src, "2.5.29.31", 0, &der_data, + &critical); + if (result < 0) + { + gnutls_assert (); + return result; } - result = - _gnutls_x509_crt_set_extension(dst, "2.5.29.31", &der_data, - critical); - _gnutls_free_datum(&der_data); + result = + _gnutls_x509_crt_set_extension (dst, "2.5.29.31", &der_data, critical); + _gnutls_free_datum (&der_data); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - dst->use_extensions = 1; + dst->use_extensions = 1; - return 0; + return 0; } /** @@ -706,52 +742,55 @@ int gnutls_x509_crt_cpy_crl_dist_points(gnutls_x509_crt_t dst, * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_subject_key_id(gnutls_x509_crt_t cert, - const void *id, size_t id_size) +int +gnutls_x509_crt_set_subject_key_id (gnutls_x509_crt_t cert, + const void *id, size_t id_size) { - int result; - gnutls_datum_t old_id, der_data; - unsigned int critical; + int result; + gnutls_datum_t old_id, der_data; + unsigned int critical; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Check if the extension already exists. - */ - result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.14", 0, &old_id, - &critical); + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension (cert, "2.5.29.14", 0, &old_id, &critical); - if (result >= 0) - _gnutls_free_datum(&old_id); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (result >= 0) + _gnutls_free_datum (&old_id); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_key_id(id, id_size, &der_data); - if (result < 0) { - gnutls_assert(); - return result; + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_key_id (id, id_size, &der_data); + if (result < 0) + { + gnutls_assert (); + return result; } - result = - _gnutls_x509_crt_set_extension(cert, "2.5.29.14", &der_data, 0); + result = _gnutls_x509_crt_set_extension (cert, "2.5.29.14", &der_data, 0); - _gnutls_free_datum(&der_data); + _gnutls_free_datum (&der_data); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - cert->use_extensions = 1; + cert->use_extensions = 1; - return 0; + return 0; } /** @@ -766,52 +805,55 @@ int gnutls_x509_crt_set_subject_key_id(gnutls_x509_crt_t cert, * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_authority_key_id(gnutls_x509_crt_t cert, - const void *id, size_t id_size) +int +gnutls_x509_crt_set_authority_key_id (gnutls_x509_crt_t cert, + const void *id, size_t id_size) { - int result; - gnutls_datum_t old_id, der_data; - unsigned int critical; + int result; + gnutls_datum_t old_id, der_data; + unsigned int critical; - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* Check if the extension already exists. - */ - result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.35", 0, &old_id, - &critical); + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension (cert, "2.5.29.35", 0, &old_id, &critical); - if (result >= 0) - _gnutls_free_datum(&old_id); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (result >= 0) + _gnutls_free_datum (&old_id); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_auth_key_id(id, id_size, &der_data); - if (result < 0) { - gnutls_assert(); - return result; + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_auth_key_id (id, id_size, &der_data); + if (result < 0) + { + gnutls_assert (); + return result; } - result = - _gnutls_x509_crt_set_extension(cert, "2.5.29.35", &der_data, 0); + result = _gnutls_x509_crt_set_extension (cert, "2.5.29.35", &der_data, 0); - _gnutls_free_datum(&der_data); + _gnutls_free_datum (&der_data); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - cert->use_extensions = 1; + cert->use_extensions = 1; - return 0; + return 0; } /** @@ -829,88 +871,95 @@ int gnutls_x509_crt_set_authority_key_id(gnutls_x509_crt_t cert, * On success 0 is returned. * **/ -int gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt_t cert, - const void *oid, - unsigned int critical) +int +gnutls_x509_crt_set_key_purpose_oid (gnutls_x509_crt_t cert, + const void *oid, unsigned int critical) { - int result; - gnutls_datum_t old_id, der_data; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - result = asn1_create_element - (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* Check if the extension already exists. - */ - result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.37", 0, &old_id, - NULL); - - if (result >= 0) { - /* decode it. - */ - result = asn1_der_decoding(&c2, old_id.data, old_id.size, NULL); - _gnutls_free_datum(&old_id); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + int result; + gnutls_datum_t old_id, der_data; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (cert == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + result = asn1_create_element + (_gnutls_get_pkix (), "PKIX1.ExtKeyUsageSyntax", &c2); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension (cert, "2.5.29.37", 0, &old_id, NULL); + + if (result >= 0) + { + /* decode it. + */ + result = asn1_der_decoding (&c2, old_id.data, old_id.size, NULL); + _gnutls_free_datum (&old_id); + + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } } - /* generate the extension. - */ - /* 1. create a new element. - */ - result = asn1_write_value(c2, "", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + /* generate the extension. + */ + /* 1. create a new element. + */ + result = asn1_write_value (c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - /* 2. Add the OID. - */ - result = asn1_write_value(c2, "?LAST", oid, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + /* 2. Add the OID. + */ + result = asn1_write_value (c2, "?LAST", oid, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&c2); + return _gnutls_asn2err (result); } - result = _gnutls_x509_der_encode(c2, "", &der_data, 0); - asn1_delete_structure(&c2); + result = _gnutls_x509_der_encode (c2, "", &der_data, 0); + asn1_delete_structure (&c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = _gnutls_x509_crt_set_extension(cert, "2.5.29.37", - &der_data, critical); + result = _gnutls_x509_crt_set_extension (cert, "2.5.29.37", + &der_data, critical); - _gnutls_free_datum(&der_data); + _gnutls_free_datum (&der_data); - if (result < 0) { - gnutls_assert(); - return result; + if (result < 0) + { + gnutls_assert (); + return result; } - cert->use_extensions = 1; + cert->use_extensions = 1; - return 0; + return 0; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/xml.c b/lib/x509/xml.c index ef45f630e1..2585f55ad7 100644 --- a/lib/x509/xml.c +++ b/lib/x509/xml.c @@ -49,83 +49,96 @@ #include <x509.h> #include <common.h> -const char *asn1_find_structure_from_oid(ASN1_TYPE definitions, - const char *oidValue); +const char *asn1_find_structure_from_oid (ASN1_TYPE definitions, + const char *oidValue); -static int _gnutls_x509_expand_extensions(ASN1_TYPE * rasn); +static int _gnutls_x509_expand_extensions (ASN1_TYPE * rasn); -static const void *find_default_value(ASN1_TYPE x) +static const void * +find_default_value (ASN1_TYPE x) { - ASN1_TYPE p = x; - - if (x->value == NULL && x->type & CONST_DEFAULT) { - if (x->down) { - x = x->down; - do { - if (type_field(x->type) == TYPE_DEFAULT) { - if (type_field(p->type) == TYPE_BOOLEAN) { - if (x->type & CONST_TRUE) - return "TRUE"; - else - return "FALSE"; - } else - return x->value; + ASN1_TYPE p = x; + + if (x->value == NULL && x->type & CONST_DEFAULT) + { + if (x->down) + { + x = x->down; + do + { + if (type_field (x->type) == TYPE_DEFAULT) + { + if (type_field (p->type) == TYPE_BOOLEAN) + { + if (x->type & CONST_TRUE) + return "TRUE"; + else + return "FALSE"; + } + else + return x->value; } - x = x->right; - } while (x != NULL); + x = x->right; + } + while (x != NULL); } } - return NULL; + return NULL; } -static int is_node_printable(ASN1_TYPE x) +static int +is_node_printable (ASN1_TYPE x) { - switch (type_field(x->type)) { + switch (type_field (x->type)) + { case TYPE_TAG: case TYPE_SIZE: case TYPE_DEFAULT: - return 0; - case TYPE_CONSTANT:{ - ASN1_TYPE up = _asn1_find_up(x); - - if (up != NULL && type_field(up->type) != TYPE_ANY && - up->value != NULL) - return 0; - } - return 1; + return 0; + case TYPE_CONSTANT: + { + ASN1_TYPE up = _asn1_find_up (x); + + if (up != NULL && type_field (up->type) != TYPE_ANY && + up->value != NULL) + return 0; + } + return 1; } - if (x->name == NULL && _asn1_find_up(x) != NULL) - return 0; - if (x->value == NULL && x->down == NULL) - return 0; - return 1; + if (x->name == NULL && _asn1_find_up (x) != NULL) + return 0; + if (x->value == NULL && x->down == NULL) + return 0; + return 1; } /* returns true if the node is the only one printable in * the level down of it. */ -static int is_leaf(ASN1_TYPE p) +static int +is_leaf (ASN1_TYPE p) { - ASN1_TYPE x; + ASN1_TYPE x; - if (p == NULL) - return 1; - if (p->down == NULL) - return 1; + if (p == NULL) + return 1; + if (p->down == NULL) + return 1; - x = p->down; + x = p->down; - while (x != NULL) { - if (is_node_printable(x)) - return 0; - if (is_leaf(x) == 0) - return 0; - x = x->right; + while (x != NULL) + { + if (is_node_printable (x)) + return 0; + if (is_leaf (x) == 0) + return 0; + x = x->right; } - return 1; + return 1; } @@ -144,57 +157,66 @@ static int is_leaf(ASN1_TYPE p) #define ROOT "certificate" /* This function removes the '?' character from ASN.1 names */ -static int normalize_name(ASN1_TYPE p, char *output, int output_size) +static int +normalize_name (ASN1_TYPE p, char *output, int output_size) { - const char *name; - - if (output_size > 0) - output[0] = 0; - else - return GNUTLS_E_INTERNAL_ERROR; - - if (p == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - name = p->name; - if (name == NULL) - name = ROOT; - - if (type_field(p->type) == TYPE_CONSTANT) { - ASN1_TYPE up = _asn1_find_up(p); - const char *tmp; - - if (up && type_field(up->type) == TYPE_ANY && - up->left && up->left->value && - up->type & CONST_DEFINED_BY && - type_field(up->left->type) == TYPE_OBJECT_ID) { - - tmp = - asn1_find_structure_from_oid(_gnutls_get_pkix(), - up->left->value); - if (tmp != NULL) - _gnutls_str_cpy(output, output_size, tmp); - else { - _gnutls_str_cpy(output, output_size, "DEFINED_BY_"); - _gnutls_str_cat(output, output_size, name); + const char *name; + + if (output_size > 0) + output[0] = 0; + else + return GNUTLS_E_INTERNAL_ERROR; + + if (p == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + name = p->name; + if (name == NULL) + name = ROOT; + + if (type_field (p->type) == TYPE_CONSTANT) + { + ASN1_TYPE up = _asn1_find_up (p); + const char *tmp; + + if (up && type_field (up->type) == TYPE_ANY && + up->left && up->left->value && + up->type & CONST_DEFINED_BY && + type_field (up->left->type) == TYPE_OBJECT_ID) + { + + tmp = + asn1_find_structure_from_oid (_gnutls_get_pkix (), + up->left->value); + if (tmp != NULL) + _gnutls_str_cpy (output, output_size, tmp); + else + { + _gnutls_str_cpy (output, output_size, "DEFINED_BY_"); + _gnutls_str_cat (output, output_size, name); } - } else { - _gnutls_str_cpy(output, output_size, "DEFINED_BY_"); - _gnutls_str_cat(output, output_size, name); + } + else + { + _gnutls_str_cpy (output, output_size, "DEFINED_BY_"); + _gnutls_str_cat (output, output_size, name); } - return 0; + return 0; } - if (name[0] == '?') { - _gnutls_str_cpy(output, output_size, UNNAMED); - if (strlen(name) > 1) - _gnutls_str_cat(output, output_size, &name[1]); - } else { - _gnutls_str_cpy(output, output_size, name); + if (name[0] == '?') + { + _gnutls_str_cpy (output, output_size, UNNAMED); + if (strlen (name) > 1) + _gnutls_str_cat (output, output_size, &name[1]); } - return 0; + else + { + _gnutls_str_cpy (output, output_size, name); + } + return 0; } #define XML_HEADER "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n" \ @@ -203,287 +225,323 @@ static int normalize_name(ASN1_TYPE p, char *output, int output_size) #define XML_FOOTER "</gnutls:x509:certificate>\n" static int -_gnutls_asn1_get_structure_xml(ASN1_TYPE structure, - gnutls_datum_t * res, int detail) +_gnutls_asn1_get_structure_xml (ASN1_TYPE structure, + gnutls_datum_t * res, int detail) { - node_asn *p, *root; - int k, indent = 0, len, len2, len3; - opaque tmp[1024]; - char nname[256]; - int ret; - gnutls_string str; - - if (res == NULL || structure == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + node_asn *p, *root; + int k, indent = 0, len, len2, len3; + opaque tmp[1024]; + char nname[256]; + int ret; + gnutls_string str; + + if (res == NULL || structure == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - _gnutls_string_init(&str, malloc, realloc, free); + _gnutls_string_init (&str, malloc, realloc, free); - STR_APPEND(XML_HEADER); - indent = 1; + STR_APPEND (XML_HEADER); + indent = 1; - root = _asn1_find_node(structure, ""); + root = _asn1_find_node (structure, ""); - if (root == NULL) { - gnutls_assert(); - _gnutls_string_clear(&str); - return GNUTLS_E_INTERNAL_ERROR; + if (root == NULL) + { + gnutls_assert (); + _gnutls_string_clear (&str); + return GNUTLS_E_INTERNAL_ERROR; } - if (detail == GNUTLS_XML_SHOW_ALL) - ret = asn1_expand_any_defined_by(_gnutls_get_pkix(), &structure); - /* we don't need to check the error value - * here. - */ - - if (detail == GNUTLS_XML_SHOW_ALL) { - ret = _gnutls_x509_expand_extensions(&structure); - if (ret < 0) { - gnutls_assert(); - return ret; + if (detail == GNUTLS_XML_SHOW_ALL) + ret = asn1_expand_any_defined_by (_gnutls_get_pkix (), &structure); + /* we don't need to check the error value + * here. + */ + + if (detail == GNUTLS_XML_SHOW_ALL) + { + ret = _gnutls_x509_expand_extensions (&structure); + if (ret < 0) + { + gnutls_assert (); + return ret; } } - p = root; - while (p) { - if (is_node_printable(p)) { - for (k = 0; k < indent; k++) - APPEND(" ", 1); - - if ((ret = normalize_name(p, nname, sizeof(nname))) < 0) { - _gnutls_string_clear(&str); - gnutls_assert(); - return ret; + p = root; + while (p) + { + if (is_node_printable (p)) + { + for (k = 0; k < indent; k++) + APPEND (" ", 1); + + if ((ret = normalize_name (p, nname, sizeof (nname))) < 0) + { + _gnutls_string_clear (&str); + gnutls_assert (); + return ret; } - APPEND("<", 1); - STR_APPEND(nname); + APPEND ("<", 1); + STR_APPEND (nname); } - if (is_node_printable(p)) { - switch (type_field(p->type)) { + if (is_node_printable (p)) + { + switch (type_field (p->type)) + { case TYPE_DEFAULT: - STR_APPEND(" type=\"DEFAULT\""); - break; + STR_APPEND (" type=\"DEFAULT\""); + break; case TYPE_NULL: - STR_APPEND(" type=\"NULL\""); - break; + STR_APPEND (" type=\"NULL\""); + break; case TYPE_IDENTIFIER: - STR_APPEND(" type=\"IDENTIFIER\""); - break; + STR_APPEND (" type=\"IDENTIFIER\""); + break; case TYPE_INTEGER: - STR_APPEND(" type=\"INTEGER\""); - STR_APPEND(" encoding=\"HEX\""); - break; + STR_APPEND (" type=\"INTEGER\""); + STR_APPEND (" encoding=\"HEX\""); + break; case TYPE_ENUMERATED: - STR_APPEND(" type=\"ENUMERATED\""); - STR_APPEND(" encoding=\"HEX\""); - break; + STR_APPEND (" type=\"ENUMERATED\""); + STR_APPEND (" encoding=\"HEX\""); + break; case TYPE_TIME: - STR_APPEND(" type=\"TIME\""); - break; + STR_APPEND (" type=\"TIME\""); + break; case TYPE_BOOLEAN: - STR_APPEND(" type=\"BOOLEAN\""); - break; + STR_APPEND (" type=\"BOOLEAN\""); + break; case TYPE_SEQUENCE: - STR_APPEND(" type=\"SEQUENCE\""); - break; + STR_APPEND (" type=\"SEQUENCE\""); + break; case TYPE_BIT_STRING: - STR_APPEND(" type=\"BIT STRING\""); - STR_APPEND(" encoding=\"HEX\""); - break; + STR_APPEND (" type=\"BIT STRING\""); + STR_APPEND (" encoding=\"HEX\""); + break; case TYPE_OCTET_STRING: - STR_APPEND(" type=\"OCTET STRING\""); - STR_APPEND(" encoding=\"HEX\""); - break; + STR_APPEND (" type=\"OCTET STRING\""); + STR_APPEND (" encoding=\"HEX\""); + break; case TYPE_SEQUENCE_OF: - STR_APPEND(" type=\"SEQUENCE OF\""); - break; + STR_APPEND (" type=\"SEQUENCE OF\""); + break; case TYPE_OBJECT_ID: - STR_APPEND(" type=\"OBJECT ID\""); - break; + STR_APPEND (" type=\"OBJECT ID\""); + break; case TYPE_ANY: - STR_APPEND(" type=\"ANY\""); - if (!p->down) - STR_APPEND(" encoding=\"HEX\""); - break; - case TYPE_CONSTANT:{ - ASN1_TYPE up = _asn1_find_up(p); - - if (up && type_field(up->type) == TYPE_ANY && - up->left && up->left->value && - up->type & CONST_DEFINED_BY && - type_field(up->left->type) == TYPE_OBJECT_ID) { - - if (_gnutls_x509_oid_data_printable - (up->left->value) == 0) { - STR_APPEND(" encoding=\"HEX\""); - } - - } - } - break; + STR_APPEND (" type=\"ANY\""); + if (!p->down) + STR_APPEND (" encoding=\"HEX\""); + break; + case TYPE_CONSTANT: + { + ASN1_TYPE up = _asn1_find_up (p); + + if (up && type_field (up->type) == TYPE_ANY && + up->left && up->left->value && + up->type & CONST_DEFINED_BY && + type_field (up->left->type) == TYPE_OBJECT_ID) + { + + if (_gnutls_x509_oid_data_printable + (up->left->value) == 0) + { + STR_APPEND (" encoding=\"HEX\""); + } + + } + } + break; case TYPE_SET: - STR_APPEND(" type=\"SET\""); - break; + STR_APPEND (" type=\"SET\""); + break; case TYPE_SET_OF: - STR_APPEND(" type=\"SET OF\""); - break; + STR_APPEND (" type=\"SET OF\""); + break; case TYPE_CHOICE: - STR_APPEND(" type=\"CHOICE\""); - break; + STR_APPEND (" type=\"CHOICE\""); + break; case TYPE_DEFINITIONS: - STR_APPEND(" type=\"DEFINITIONS\""); - break; + STR_APPEND (" type=\"DEFINITIONS\""); + break; default: - break; + break; } } - if (p->type == TYPE_BIT_STRING) { - len2 = -1; - len = _asn1_get_length_der(p->value, &len2); - snprintf(tmp, sizeof(tmp), " length=\"%i\"", - (len - 1) * 8 - (p->value[len2])); - STR_APPEND(tmp); + if (p->type == TYPE_BIT_STRING) + { + len2 = -1; + len = _asn1_get_length_der (p->value, &len2); + snprintf (tmp, sizeof (tmp), " length=\"%i\"", + (len - 1) * 8 - (p->value[len2])); + STR_APPEND (tmp); } - if (is_node_printable(p)) - STR_APPEND(">"); + if (is_node_printable (p)) + STR_APPEND (">"); - if (is_node_printable(p)) { - const unsigned char *value; + if (is_node_printable (p)) + { + const unsigned char *value; - if (p->value == NULL) - value = find_default_value(p); - else - value = p->value; + if (p->value == NULL) + value = find_default_value (p); + else + value = p->value; - switch (type_field(p->type)) { + switch (type_field (p->type)) + { case TYPE_DEFAULT: - if (value) - STR_APPEND(value); - break; + if (value) + STR_APPEND (value); + break; case TYPE_IDENTIFIER: - if (value) - STR_APPEND(value); - break; + if (value) + STR_APPEND (value); + break; case TYPE_INTEGER: - if (value) { - len2 = -1; - len = _asn1_get_length_der(value, &len2); - - for (k = 0; k < len; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", (value)[k + len2]); - STR_APPEND(tmp); + if (value) + { + len2 = -1; + len = _asn1_get_length_der (value, &len2); + + for (k = 0; k < len; k++) + { + snprintf (tmp, sizeof (tmp), "%02X", (value)[k + len2]); + STR_APPEND (tmp); } } - break; + break; case TYPE_ENUMERATED: - if (value) { - len2 = -1; - len = _asn1_get_length_der(value, &len2); - - for (k = 0; k < len; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", (value)[k + len2]); - STR_APPEND(tmp); + if (value) + { + len2 = -1; + len = _asn1_get_length_der (value, &len2); + + for (k = 0; k < len; k++) + { + snprintf (tmp, sizeof (tmp), "%02X", (value)[k + len2]); + STR_APPEND (tmp); } } - break; + break; case TYPE_TIME: - if (value) - STR_APPEND(value); - break; + if (value) + STR_APPEND (value); + break; case TYPE_BOOLEAN: - if (value) { - if (value[0] == 'T') { - STR_APPEND("TRUE"); - } else if (value[0] == 'F') { - STR_APPEND("FALSE"); + if (value) + { + if (value[0] == 'T') + { + STR_APPEND ("TRUE"); + } + else if (value[0] == 'F') + { + STR_APPEND ("FALSE"); } } - break; + break; case TYPE_BIT_STRING: - if (value) { - len2 = -1; - len = _asn1_get_length_der(value, &len2); - - for (k = 1; k < len; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", (value)[k + len2]); - STR_APPEND(tmp); + if (value) + { + len2 = -1; + len = _asn1_get_length_der (value, &len2); + + for (k = 1; k < len; k++) + { + snprintf (tmp, sizeof (tmp), "%02X", (value)[k + len2]); + STR_APPEND (tmp); } } - break; + break; case TYPE_OCTET_STRING: - if (value) { - len2 = -1; - len = _asn1_get_length_der(value, &len2); - for (k = 0; k < len; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", (value)[k + len2]); - STR_APPEND(tmp); + if (value) + { + len2 = -1; + len = _asn1_get_length_der (value, &len2); + for (k = 0; k < len; k++) + { + snprintf (tmp, sizeof (tmp), "%02X", (value)[k + len2]); + STR_APPEND (tmp); } } - break; + break; case TYPE_OBJECT_ID: - if (value) - STR_APPEND(value); - break; + if (value) + STR_APPEND (value); + break; case TYPE_ANY: - if (!p->down) { - if (value) { - len3 = -1; - len2 = _asn1_get_length_der(value, &len3); - for (k = 0; k < len2; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", (value)[k + len3]); - STR_APPEND(tmp); + if (!p->down) + { + if (value) + { + len3 = -1; + len2 = _asn1_get_length_der (value, &len3); + for (k = 0; k < len2; k++) + { + snprintf (tmp, sizeof (tmp), + "%02X", (value)[k + len3]); + STR_APPEND (tmp); } } } - break; - case TYPE_CONSTANT:{ - ASN1_TYPE up = _asn1_find_up(p); - - if (up && type_field(up->type) == TYPE_ANY && - up->left && up->left->value && - up->type & CONST_DEFINED_BY && - type_field(up->left->type) == TYPE_OBJECT_ID) { - - len2 = _asn1_get_length_der(up->value, &len3); - - if (len2 > 0 && strcmp(p->name, "type") == 0) { - size_t tmp_len = sizeof(tmp); - ret = - _gnutls_x509_oid_data2string(up->left-> - value, up->value + len3, len2, - tmp, &tmp_len); - - if (ret >= 0) { - STR_APPEND(tmp); - } - } else { - for (k = 0; k < len2; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", (up->value)[k + len3]); - STR_APPEND(tmp); - } - - } - } else { - if (value) - STR_APPEND(value); - } - - } - break; + break; + case TYPE_CONSTANT: + { + ASN1_TYPE up = _asn1_find_up (p); + + if (up && type_field (up->type) == TYPE_ANY && + up->left && up->left->value && + up->type & CONST_DEFINED_BY && + type_field (up->left->type) == TYPE_OBJECT_ID) + { + + len2 = _asn1_get_length_der (up->value, &len3); + + if (len2 > 0 && strcmp (p->name, "type") == 0) + { + size_t tmp_len = sizeof (tmp); + ret = + _gnutls_x509_oid_data2string (up->left-> + value, + up->value + len3, + len2, tmp, &tmp_len); + + if (ret >= 0) + { + STR_APPEND (tmp); + } + } + else + { + for (k = 0; k < len2; k++) + { + snprintf (tmp, sizeof (tmp), + "%02X", (up->value)[k + len3]); + STR_APPEND (tmp); + } + + } + } + else + { + if (value) + STR_APPEND (value); + } + + } + break; case TYPE_SET: case TYPE_SET_OF: case TYPE_CHOICE: @@ -491,98 +549,115 @@ _gnutls_asn1_get_structure_xml(ASN1_TYPE structure, case TYPE_SEQUENCE_OF: case TYPE_SEQUENCE: case TYPE_NULL: - break; + break; default: - break; + break; } } - if (p->down && is_node_printable(p)) { - ASN1_TYPE x; - p = p->down; - indent += 2; - x = p; - do { - if (is_node_printable(x)) { - STR_APPEND("\n"); - break; + if (p->down && is_node_printable (p)) + { + ASN1_TYPE x; + p = p->down; + indent += 2; + x = p; + do + { + if (is_node_printable (x)) + { + STR_APPEND ("\n"); + break; } - x = x->right; - } while (x != NULL); - } else if (p == root) { - if (is_node_printable(p)) { - if ((ret = normalize_name(p, nname, sizeof(nname))) < 0) { - _gnutls_string_clear(&str); - gnutls_assert(); - return ret; + x = x->right; + } + while (x != NULL); + } + else if (p == root) + { + if (is_node_printable (p)) + { + if ((ret = normalize_name (p, nname, sizeof (nname))) < 0) + { + _gnutls_string_clear (&str); + gnutls_assert (); + return ret; } - APPEND("</", 2); - STR_APPEND(nname); - APPEND(">\n", 2); + APPEND ("</", 2); + STR_APPEND (nname); + APPEND (">\n", 2); } - p = NULL; - break; - } else { - if (is_node_printable(p)) { - if ((ret = normalize_name(p, nname, sizeof(nname))) < 0) { - _gnutls_string_clear(&str); - gnutls_assert(); - return ret; + p = NULL; + break; + } + else + { + if (is_node_printable (p)) + { + if ((ret = normalize_name (p, nname, sizeof (nname))) < 0) + { + _gnutls_string_clear (&str); + gnutls_assert (); + return ret; } - APPEND("</", 2); - STR_APPEND(nname); - APPEND(">\n", 2); + APPEND ("</", 2); + STR_APPEND (nname); + APPEND (">\n", 2); } - if (p->right) - p = p->right; - else { - while (1) { - ASN1_TYPE old_p; - - old_p = p; - - p = _asn1_find_up(p); - indent -= 2; - if (is_node_printable(p)) { - if (!is_leaf(p)) /* XXX */ - for (k = 0; k < indent; k++) - STR_APPEND(" "); - - if ((ret = - normalize_name(p, nname, - sizeof(nname))) < 0) { - _gnutls_string_clear(&str); - gnutls_assert(); - return ret; + if (p->right) + p = p->right; + else + { + while (1) + { + ASN1_TYPE old_p; + + old_p = p; + + p = _asn1_find_up (p); + indent -= 2; + if (is_node_printable (p)) + { + if (!is_leaf (p)) /* XXX */ + for (k = 0; k < indent; k++) + STR_APPEND (" "); + + if ((ret = + normalize_name (p, nname, sizeof (nname))) < 0) + { + _gnutls_string_clear (&str); + gnutls_assert (); + return ret; } - APPEND("</", 2); - STR_APPEND(nname); - APPEND(">\n", 2); + APPEND ("</", 2); + STR_APPEND (nname); + APPEND (">\n", 2); } - if (p == root) { - p = NULL; - break; + if (p == root) + { + p = NULL; + break; } - if (p->right) { - p = p->right; - break; + if (p->right) + { + p = p->right; + break; } } } } } - STR_APPEND(XML_FOOTER); - APPEND("\n\0", 2); + STR_APPEND (XML_FOOTER); + APPEND ("\n\0", 2); - *res = _gnutls_string2datum(&str); - res->size -= 1; /* null is not included in size */ + *res = _gnutls_string2datum (&str); + res->size -= 1; /* null is not included in size */ - return 0; + return 0; } /** @@ -596,21 +671,23 @@ _gnutls_asn1_get_structure_xml(ASN1_TYPE structure, * Returns a negative error code in case of an error. * **/ -int gnutls_x509_crt_to_xml(gnutls_x509_crt_t cert, gnutls_datum_t * res, - int detail) +int +gnutls_x509_crt_to_xml (gnutls_x509_crt_t cert, gnutls_datum_t * res, + int detail) { - int result; + int result; - res->data = NULL; - res->size = 0; + res->data = NULL; + res->size = 0; - result = _gnutls_asn1_get_structure_xml(cert->cert, res, detail); - if (result < 0) { - gnutls_assert(); - return result; + result = _gnutls_asn1_get_structure_xml (cert->cert, res, detail); + if (result < 0) + { + gnutls_assert (); + return result; } - return 0; + return 0; } /* This function will attempt to parse Extensions in @@ -619,45 +696,49 @@ int gnutls_x509_crt_to_xml(gnutls_x509_crt_t cert, gnutls_datum_t * res, * If no_critical_ext is non zero, then unsupported critical extensions * do not lead into a fatal error. */ -static int _gnutls_x509_expand_extensions(ASN1_TYPE * rasn) +static int +_gnutls_x509_expand_extensions (ASN1_TYPE * rasn) { - int k, result, len; - char name[128], name2[128], counter[MAX_INT_DIGITS]; - char name1[128]; - char extnID[128]; + int k, result, len; + char name[128], name2[128], counter[MAX_INT_DIGITS]; + char name1[128]; + char extnID[128]; - k = 0; - do { - k++; + k = 0; + do + { + k++; - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(k, counter); - _gnutls_str_cat(name, sizeof(name), counter); + _gnutls_str_cpy (name, sizeof (name), "tbsCertificate.extensions.?"); + _gnutls_int2str (k, counter); + _gnutls_str_cat (name, sizeof (name), counter); - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnID"); + _gnutls_str_cpy (name2, sizeof (name2), name); + _gnutls_str_cat (name2, sizeof (name2), ".extnID"); - _gnutls_str_cpy(name1, sizeof(name1), name); - _gnutls_str_cat(name1, sizeof(name1), ".extnValue"); + _gnutls_str_cpy (name1, sizeof (name1), name); + _gnutls_str_cat (name1, sizeof (name1), ".extnValue"); - len = sizeof(extnID) - 1; + len = sizeof (extnID) - 1; - result = asn1_expand_octet_string(_gnutls_get_pkix(), - rasn, name1, name2); + result = asn1_expand_octet_string (_gnutls_get_pkix (), + rasn, name1, name2); - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - } while (1); + } + while (1); - if (result == ASN1_ELEMENT_NOT_FOUND) - return 0; - else - return _gnutls_asn2err(result); + if (result == ASN1_ELEMENT_NOT_FOUND) + return 0; + else + return _gnutls_asn2err (result); } #endif diff --git a/lib/x509_b64.c b/lib/x509_b64.c index 93afd95d1d..0e636ca528 100644 --- a/lib/x509_b64.c +++ b/lib/x509_b64.c @@ -31,72 +31,74 @@ #include <x509_b64.h> static const uint8 b64table[] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; static const uint8 asciitable[128] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0x3e, 0xff, 0xff, 0xff, 0x3f, - 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, - 0x3a, 0x3b, 0x3c, 0x3d, 0xff, 0xff, - 0xff, 0xf1, 0xff, 0xff, 0xff, 0x00, /* 0xf1 for '=' */ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, - 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, - 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, - 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, - 0x19, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, - 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, - 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, - 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, - 0x31, 0x32, 0x33, 0xff, 0xff, 0xff, - 0xff, 0xff + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0x3e, 0xff, 0xff, 0xff, 0x3f, + 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, + 0x3a, 0x3b, 0x3c, 0x3d, 0xff, 0xff, + 0xff, 0xf1, 0xff, 0xff, 0xff, 0x00, /* 0xf1 for '=' */ + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, + 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, + 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, + 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, + 0x19, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, + 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, + 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, + 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, + 0x31, 0x32, 0x33, 0xff, 0xff, 0xff, + 0xff, 0xff }; -inline static int encode(char *result, const uint8 * data, int left) +inline static int +encode (char *result, const uint8 * data, int left) { - int data_len; + int data_len; - if (left > 3) - data_len = 3; - else - data_len = left; + if (left > 3) + data_len = 3; + else + data_len = left; - switch (data_len) { + switch (data_len) + { case 3: - result[0] = b64table[(data[0] >> 2)]; - result[1] = - b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | - (data[1] >> 4))]; - result[2] = - b64table[((((data[1] & 0x0f) << 2) & 0xff) | (data[2] >> 6))]; - result[3] = b64table[(((data[2] << 2) & 0xff) >> 2)]; - break; + result[0] = b64table[(data[0] >> 2)]; + result[1] = + b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | + (data[1] >> 4))]; + result[2] = + b64table[((((data[1] & 0x0f) << 2) & 0xff) | (data[2] >> 6))]; + result[3] = b64table[(((data[2] << 2) & 0xff) >> 2)]; + break; case 2: - result[0] = b64table[(data[0] >> 2)]; - result[1] = - b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | - (data[1] >> 4))]; - result[2] = b64table[(((data[1] << 4) & 0xff) >> 2)]; - result[3] = '='; - break; + result[0] = b64table[(data[0] >> 2)]; + result[1] = + b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | + (data[1] >> 4))]; + result[2] = b64table[(((data[1] << 4) & 0xff) >> 2)]; + result[3] = '='; + break; case 1: - result[0] = b64table[(data[0] >> 2)]; - result[1] = b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff))]; - result[2] = '='; - result[3] = '='; - break; + result[0] = b64table[(data[0] >> 2)]; + result[1] = b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff))]; + result[2] = '='; + result[3] = '='; + break; default: - return -1; + return -1; } - return 4; + return 4; } @@ -104,64 +106,67 @@ inline static int encode(char *result, const uint8 * data, int left) * result should be 3 bytes */ #define TOASCII(c) (c < 127 ? asciitable[c] : 0xff) -inline static int decode(uint8 * result, const opaque * data) +inline static int +decode (uint8 * result, const opaque * data) { - uint8 a1, a2; - int ret = 3; - - a1 = TOASCII(data[0]); - a2 = TOASCII(data[1]); - if (a1 == 0xff || a2 == 0xff) - return -1; - result[0] = ((a1 << 2) & 0xff) | ((a2 >> 4) & 0xff); - - a1 = a2; - a2 = TOASCII(data[2]); - if (a2 == 0xff) - return -1; - result[1] = ((a1 << 4) & 0xff) | ((a2 >> 2) & 0xff); - - a1 = a2; - a2 = TOASCII(data[3]); - if (a2 == 0xff) - return -1; - result[2] = ((a1 << 6) & 0xff) | (a2 & 0xff); - - if (data[2] == '=') - ret--; - - if (data[3] == '=') - ret--; - return ret; + uint8 a1, a2; + int ret = 3; + + a1 = TOASCII (data[0]); + a2 = TOASCII (data[1]); + if (a1 == 0xff || a2 == 0xff) + return -1; + result[0] = ((a1 << 2) & 0xff) | ((a2 >> 4) & 0xff); + + a1 = a2; + a2 = TOASCII (data[2]); + if (a2 == 0xff) + return -1; + result[1] = ((a1 << 4) & 0xff) | ((a2 >> 2) & 0xff); + + a1 = a2; + a2 = TOASCII (data[3]); + if (a2 == 0xff) + return -1; + result[2] = ((a1 << 6) & 0xff) | (a2 & 0xff); + + if (data[2] == '=') + ret--; + + if (data[3] == '=') + ret--; + return ret; } /* encodes data and puts the result into result (locally allocated) * The result_size is the return value */ -int _gnutls_base64_encode(const uint8 * data, size_t data_size, - uint8 ** result) +int +_gnutls_base64_encode (const uint8 * data, size_t data_size, uint8 ** result) { - unsigned int i, j; - int ret, tmp; - char tmpres[4]; - - ret = B64SIZE(data_size); - - (*result) = gnutls_malloc(ret + 1); - if ((*result) == NULL) - return GNUTLS_E_MEMORY_ERROR; - - for (i = j = 0; i < data_size; i += 3, j += 4) { - tmp = encode(tmpres, &data[i], data_size - i); - if (tmp == -1) { - gnutls_free((*result)); - return GNUTLS_E_MEMORY_ERROR; + unsigned int i, j; + int ret, tmp; + char tmpres[4]; + + ret = B64SIZE (data_size); + + (*result) = gnutls_malloc (ret + 1); + if ((*result) == NULL) + return GNUTLS_E_MEMORY_ERROR; + + for (i = j = 0; i < data_size; i += 3, j += 4) + { + tmp = encode (tmpres, &data[i], data_size - i); + if (tmp == -1) + { + gnutls_free ((*result)); + return GNUTLS_E_MEMORY_ERROR; } - memcpy(&(*result)[j], tmpres, tmp); + memcpy (&(*result)[j], tmpres, tmp); } - (*result)[ret] = 0; /* null terminated */ + (*result)[ret] = 0; /* null terminated */ - return ret; + return ret; } #define INCR(what, size) \ @@ -177,98 +182,107 @@ int _gnutls_base64_encode(const uint8 * data, size_t data_size, /* encodes data and puts the result into result (locally allocated) * The result_size (including the null terminator) is the return value. */ -int _gnutls_fbase64_encode(const char *msg, const uint8 * data, - int data_size, uint8 ** result) +int +_gnutls_fbase64_encode (const char *msg, const uint8 * data, + int data_size, uint8 ** result) { - int i, ret, tmp, j; - char tmpres[4]; - uint8 *ptr; - uint8 top[80]; - uint8 bottom[80]; - int pos, bytes, top_len, bottom_len; - size_t msglen = strlen(msg); - - if (msglen > 50) { - gnutls_assert(); - return GNUTLS_E_BASE64_ENCODING_ERROR; + int i, ret, tmp, j; + char tmpres[4]; + uint8 *ptr; + uint8 top[80]; + uint8 bottom[80]; + int pos, bytes, top_len, bottom_len; + size_t msglen = strlen (msg); + + if (msglen > 50) + { + gnutls_assert (); + return GNUTLS_E_BASE64_ENCODING_ERROR; } - memset(bottom, 0, sizeof(bottom)); - memset(top, 0, sizeof(top)); + memset (bottom, 0, sizeof (bottom)); + memset (top, 0, sizeof (top)); - strcat(top, "-----BEGIN "); /* Flawfinder: ignore */ - strcat(top, msg); /* Flawfinder: ignore */ - strcat(top, "-----"); /* Flawfinder: ignore */ + strcat (top, "-----BEGIN "); /* Flawfinder: ignore */ + strcat (top, msg); /* Flawfinder: ignore */ + strcat (top, "-----"); /* Flawfinder: ignore */ - strcat(bottom, "\n-----END "); /* Flawfinder: ignore */ - strcat(bottom, msg); /* Flawfinder: ignore */ - strcat(bottom, "-----\n"); /* Flawfinder: ignore */ + strcat (bottom, "\n-----END "); /* Flawfinder: ignore */ + strcat (bottom, msg); /* Flawfinder: ignore */ + strcat (bottom, "-----\n"); /* Flawfinder: ignore */ - top_len = strlen(top); - bottom_len = strlen(bottom); + top_len = strlen (top); + bottom_len = strlen (bottom); - ret = B64FSIZE(msglen, data_size); + ret = B64FSIZE (msglen, data_size); - (*result) = gnutls_calloc(1, ret + 1); - if ((*result) == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + (*result) = gnutls_calloc (1, ret + 1); + if ((*result) == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - bytes = pos = 0; - INCR(bytes, top_len); - pos = top_len; + bytes = pos = 0; + INCR (bytes, top_len); + pos = top_len; - strcpy(*result, top); /* Flawfinder: ignore */ + strcpy (*result, top); /* Flawfinder: ignore */ - for (i = j = 0; i < data_size; i += 3, j += 4) { + for (i = j = 0; i < data_size; i += 3, j += 4) + { - tmp = encode(tmpres, &data[i], data_size - i); - if (tmp == -1) { - gnutls_assert(); - gnutls_free((*result)); - *result = NULL; - return GNUTLS_E_BASE64_ENCODING_ERROR; + tmp = encode (tmpres, &data[i], data_size - i); + if (tmp == -1) + { + gnutls_assert (); + gnutls_free ((*result)); + *result = NULL; + return GNUTLS_E_BASE64_ENCODING_ERROR; } - INCR(bytes, 4); - ptr = &(*result)[j + pos]; + INCR (bytes, 4); + ptr = &(*result)[j + pos]; - if ((j) % 64 == 0) { - INCR(bytes, 1); - pos++; - *ptr++ = '\n'; + if ((j) % 64 == 0) + { + INCR (bytes, 1); + pos++; + *ptr++ = '\n'; } - *ptr++ = tmpres[0]; + *ptr++ = tmpres[0]; - if ((j + 1) % 64 == 0) { - INCR(bytes, 1); - pos++; - *ptr++ = '\n'; + if ((j + 1) % 64 == 0) + { + INCR (bytes, 1); + pos++; + *ptr++ = '\n'; } - *ptr++ = tmpres[1]; + *ptr++ = tmpres[1]; - if ((j + 2) % 64 == 0) { - INCR(bytes, 1); - pos++; - *ptr++ = '\n'; + if ((j + 2) % 64 == 0) + { + INCR (bytes, 1); + pos++; + *ptr++ = '\n'; } - *ptr++ = tmpres[2]; + *ptr++ = tmpres[2]; - if ((j + 3) % 64 == 0) { - INCR(bytes, 1); - pos++; - *ptr++ = '\n'; + if ((j + 3) % 64 == 0) + { + INCR (bytes, 1); + pos++; + *ptr++ = '\n'; } - *ptr++ = tmpres[3]; + *ptr++ = tmpres[3]; } - INCR(bytes, bottom_len); + INCR (bytes, bottom_len); - memcpy(&(*result)[bytes - bottom_len], bottom, bottom_len); - (*result)[bytes] = 0; + memcpy (&(*result)[bytes - bottom_len], bottom, bottom_len); + (*result)[bytes] = 0; - return ret + 1; + return ret + 1; } /** @@ -286,27 +300,31 @@ int _gnutls_fbase64_encode(const char *msg, const uint8 * data, * the terminating null. * **/ -int gnutls_pem_base64_encode(const char *msg, const gnutls_datum_t * data, - char *result, size_t * result_size) +int +gnutls_pem_base64_encode (const char *msg, const gnutls_datum_t * data, + char *result, size_t * result_size) { - opaque *ret; - int size; - - size = _gnutls_fbase64_encode(msg, data->data, data->size, &ret); - if (size < 0) - return size; - - if (result == NULL || *result_size < (uint) size) { - gnutls_free(ret); - *result_size = size; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } else { - memcpy(result, ret, size); - gnutls_free(ret); - *result_size = size - 1; + opaque *ret; + int size; + + size = _gnutls_fbase64_encode (msg, data->data, data->size, &ret); + if (size < 0) + return size; + + if (result == NULL || *result_size < (uint) size) + { + gnutls_free (ret); + *result_size = size; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + else + { + memcpy (result, ret, size); + gnutls_free (ret); + *result_size = size - 1; } - return 0; + return 0; } /** @@ -322,74 +340,78 @@ int gnutls_pem_base64_encode(const char *msg, const gnutls_datum_t * data, * You should use gnutls_free() to free the returned data. * **/ -int gnutls_pem_base64_encode_alloc(const char *msg, - const gnutls_datum_t * data, - gnutls_datum_t * result) +int +gnutls_pem_base64_encode_alloc (const char *msg, + const gnutls_datum_t * data, + gnutls_datum_t * result) { - opaque *ret; - int size; + opaque *ret; + int size; - if (result == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (result == NULL) + return GNUTLS_E_INVALID_REQUEST; - size = _gnutls_fbase64_encode(msg, data->data, data->size, &ret); - if (size < 0) - return size; + size = _gnutls_fbase64_encode (msg, data->data, data->size, &ret); + if (size < 0) + return size; - result->data = ret; - result->size = size - 1; - return 0; + result->data = ret; + result->size = size - 1; + return 0; } /* decodes data and puts the result into result (locally allocated) * The result_size is the return value */ -int _gnutls_base64_decode(const uint8 * data, size_t data_size, - uint8 ** result) +int +_gnutls_base64_decode (const uint8 * data, size_t data_size, uint8 ** result) { - unsigned int i, j; - int ret, tmp, est; - uint8 tmpres[3]; - - est = ((data_size * 3) / 4) + 1; - (*result) = gnutls_malloc(est); - if ((*result) == NULL) - return GNUTLS_E_MEMORY_ERROR; - - ret = 0; - for (i = j = 0; i < data_size; i += 4, j += 3) { - tmp = decode(tmpres, &data[i]); - if (tmp < 0) { - gnutls_free(*result); - *result = NULL; - return tmp; + unsigned int i, j; + int ret, tmp, est; + uint8 tmpres[3]; + + est = ((data_size * 3) / 4) + 1; + (*result) = gnutls_malloc (est); + if ((*result) == NULL) + return GNUTLS_E_MEMORY_ERROR; + + ret = 0; + for (i = j = 0; i < data_size; i += 4, j += 3) + { + tmp = decode (tmpres, &data[i]); + if (tmp < 0) + { + gnutls_free (*result); + *result = NULL; + return tmp; } - memcpy(&(*result)[j], tmpres, tmp); - ret += tmp; + memcpy (&(*result)[j], tmpres, tmp); + ret += tmp; } - return ret; + return ret; } /* copies data to result but removes newlines and <CR> * returns the size of the data copied. */ -inline static int cpydata(const uint8 * data, int data_size, - uint8 ** result) +inline static int +cpydata (const uint8 * data, int data_size, uint8 ** result) { - int i, j; - - (*result) = gnutls_malloc(data_size); - if (*result == NULL) - return GNUTLS_E_MEMORY_ERROR; - - for (j = i = 0; i < data_size; i++) { - if (data[i] == '\n' || data[i] == '\r') - continue; - (*result)[j] = data[i]; - j++; + int i, j; + + (*result) = gnutls_malloc (data_size); + if (*result == NULL) + return GNUTLS_E_MEMORY_ERROR; + + for (j = i = 0; i < data_size; i++) + { + if (data[i] == '\n' || data[i] == '\r') + continue; + (*result)[j] = data[i]; + j++; } - return j; + return j; } /* Searches the given string for ONE PEM encoded certificate, and @@ -399,91 +421,100 @@ inline static int cpydata(const uint8 * data, int data_size, */ #define ENDSTR "-----\n" #define ENDSTR2 "-----\r" -int _gnutls_fbase64_decode(const char *header, const opaque * data, - size_t data_size, uint8 ** result) +int +_gnutls_fbase64_decode (const char *header, const opaque * data, + size_t data_size, uint8 ** result) { - int ret; - static const char top[] = "-----BEGIN "; - static const char bottom[] = "\n-----END "; - uint8 *rdata; - int rdata_size; - uint8 *kdata; - int kdata_size; - char pem_header[128]; - - _gnutls_str_cpy(pem_header, sizeof(pem_header), top); - if (header != NULL) - _gnutls_str_cat(pem_header, sizeof(pem_header), header); - - rdata = memmem(data, data_size, pem_header, strlen(pem_header)); - - if (rdata == NULL) { - gnutls_assert(); - _gnutls_debug_log("Could not find '%s'\n", pem_header); - return GNUTLS_E_BASE64_DECODING_ERROR; + int ret; + static const char top[] = "-----BEGIN "; + static const char bottom[] = "\n-----END "; + uint8 *rdata; + int rdata_size; + uint8 *kdata; + int kdata_size; + char pem_header[128]; + + _gnutls_str_cpy (pem_header, sizeof (pem_header), top); + if (header != NULL) + _gnutls_str_cat (pem_header, sizeof (pem_header), header); + + rdata = memmem (data, data_size, pem_header, strlen (pem_header)); + + if (rdata == NULL) + { + gnutls_assert (); + _gnutls_debug_log ("Could not find '%s'\n", pem_header); + return GNUTLS_E_BASE64_DECODING_ERROR; } - data_size -= (unsigned long int) rdata - (unsigned long int) data; + data_size -= (unsigned long int) rdata - (unsigned long int) data; - if (data_size < 4 + strlen(bottom)) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; + if (data_size < 4 + strlen (bottom)) + { + gnutls_assert (); + return GNUTLS_E_BASE64_DECODING_ERROR; } - kdata = memmem(rdata, data_size, ENDSTR, sizeof(ENDSTR) - 1); - /* allow CR as well. - */ - if (kdata == NULL) - kdata = memmem(rdata, data_size, ENDSTR2, sizeof(ENDSTR2) - 1); - - if (kdata == NULL) { - gnutls_assert(); - _gnutls_x509_log("Could not find '%s'\n", ENDSTR); - return GNUTLS_E_BASE64_DECODING_ERROR; + kdata = memmem (rdata, data_size, ENDSTR, sizeof (ENDSTR) - 1); + /* allow CR as well. + */ + if (kdata == NULL) + kdata = memmem (rdata, data_size, ENDSTR2, sizeof (ENDSTR2) - 1); + + if (kdata == NULL) + { + gnutls_assert (); + _gnutls_x509_log ("Could not find '%s'\n", ENDSTR); + return GNUTLS_E_BASE64_DECODING_ERROR; } - data_size -= strlen(ENDSTR); - data_size -= (unsigned long int) kdata - (unsigned long int) rdata; + data_size -= strlen (ENDSTR); + data_size -= (unsigned long int) kdata - (unsigned long int) rdata; - rdata = kdata + strlen(ENDSTR); + rdata = kdata + strlen (ENDSTR); - /* position is now after the ---BEGIN--- headers */ + /* position is now after the ---BEGIN--- headers */ - kdata = memmem(rdata, data_size, bottom, strlen(bottom)); - if (kdata == NULL) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; + kdata = memmem (rdata, data_size, bottom, strlen (bottom)); + if (kdata == NULL) + { + gnutls_assert (); + return GNUTLS_E_BASE64_DECODING_ERROR; } - /* position of kdata is before the ----END--- footer - */ - rdata_size = (unsigned long int) kdata - (unsigned long int) rdata; + /* position of kdata is before the ----END--- footer + */ + rdata_size = (unsigned long int) kdata - (unsigned long int) rdata; - if (rdata_size < 4) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; + if (rdata_size < 4) + { + gnutls_assert (); + return GNUTLS_E_BASE64_DECODING_ERROR; } - kdata_size = cpydata(rdata, rdata_size, &kdata); + kdata_size = cpydata (rdata, rdata_size, &kdata); - if (kdata_size < 0) { - gnutls_assert(); - return kdata_size; + if (kdata_size < 0) + { + gnutls_assert (); + return kdata_size; } - if (kdata_size < 4) { - gnutls_assert(); - gnutls_free(kdata); - return GNUTLS_E_BASE64_DECODING_ERROR; + if (kdata_size < 4) + { + gnutls_assert (); + gnutls_free (kdata); + return GNUTLS_E_BASE64_DECODING_ERROR; } - if ((ret = _gnutls_base64_decode(kdata, kdata_size, result)) < 0) { - gnutls_free(kdata); - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; + if ((ret = _gnutls_base64_decode (kdata, kdata_size, result)) < 0) + { + gnutls_free (kdata); + gnutls_assert (); + return GNUTLS_E_BASE64_DECODING_ERROR; } - gnutls_free(kdata); + gnutls_free (kdata); - return ret; + return ret; } /** @@ -500,30 +531,33 @@ int _gnutls_fbase64_decode(const char *header, const opaque * data, * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the buffer given is not long enough, * or 0 on success. **/ -int gnutls_pem_base64_decode(const char *header, - const gnutls_datum_t * b64_data, - unsigned char *result, size_t * result_size) +int +gnutls_pem_base64_decode (const char *header, + const gnutls_datum_t * b64_data, + unsigned char *result, size_t * result_size) { - opaque *ret; - int size; - - size = - _gnutls_fbase64_decode(header, b64_data->data, b64_data->size, - &ret); - if (size < 0) - return size; - - if (result == NULL || *result_size < (uint) size) { - gnutls_free(ret); - *result_size = size; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } else { - memcpy(result, ret, size); - gnutls_free(ret); - *result_size = size; + opaque *ret; + int size; + + size = + _gnutls_fbase64_decode (header, b64_data->data, b64_data->size, &ret); + if (size < 0) + return size; + + if (result == NULL || *result_size < (uint) size) + { + gnutls_free (ret); + *result_size = size; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + else + { + memcpy (result, ret, size); + gnutls_free (ret); + *result_size = size; } - return 0; + return 0; } /** @@ -541,23 +575,23 @@ int gnutls_pem_base64_decode(const char *header, * You should use gnutls_free() to free the returned data. * **/ -int gnutls_pem_base64_decode_alloc(const char *header, - const gnutls_datum_t * b64_data, - gnutls_datum_t * result) +int +gnutls_pem_base64_decode_alloc (const char *header, + const gnutls_datum_t * b64_data, + gnutls_datum_t * result) { - opaque *ret; - int size; + opaque *ret; + int size; - if (result == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (result == NULL) + return GNUTLS_E_INVALID_REQUEST; - size = - _gnutls_fbase64_decode(header, b64_data->data, b64_data->size, - &ret); - if (size < 0) - return size; + size = + _gnutls_fbase64_decode (header, b64_data->data, b64_data->size, &ret); + if (size < 0) + return size; - result->data = ret; - result->size = size; - return 0; + result->data = ret; + result->size = size; + return 0; } diff --git a/lib/x509_b64.h b/lib/x509_b64.h index 80a57d64f1..d104deddf8 100644 --- a/lib/x509_b64.h +++ b/lib/x509_b64.h @@ -22,14 +22,14 @@ * */ -int _gnutls_base64_encode(const uint8 * data, size_t data_size, - uint8 ** result); -int _gnutls_fbase64_encode(const char *msg, const uint8 * data, - int data_size, uint8 ** result); -int _gnutls_base64_decode(const uint8 * data, size_t data_size, - uint8 ** result); -int _gnutls_fbase64_decode(const char *header, const uint8 * data, - size_t data_size, uint8 ** result); +int _gnutls_base64_encode (const uint8 * data, size_t data_size, + uint8 ** result); +int _gnutls_fbase64_encode (const char *msg, const uint8 * data, + int data_size, uint8 ** result); +int _gnutls_base64_decode (const uint8 * data, size_t data_size, + uint8 ** result); +int _gnutls_fbase64_decode (const char *header, const uint8 * data, + size_t data_size, uint8 ** result); #define B64SIZE( data_size) ((data_size%3==0)?((data_size*4)/3):(4+((data_size/3)*4))) |