authorNikos Mavrogiannopoulos <nmav@gnutls.org>2004-03-25 09:35:59 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2004-03-25 09:35:59 +0000
commit81ce41810c0c508a8f5fca995d003ab348d63c18 (patch)
treeda72b59df451c150123cad9db524b4b7722e31f2 /lib
parentf31b8e682e28b826ad75d36ccbfbd574efdd2bb0 (diff)
Deprecated: gnutls_srp_server_set_select_function(),
gnutls_certificate_client_set_select_function(), gnutls_certificate_server_set_select_function().
Diffstat (limited to 'lib')
-rw-r--r--lib/auth_cert.c199
-rw-r--r--lib/gnutls_cert.c78
-rw-r--r--lib/gnutls_global.c8
-rw-r--r--lib/gnutls_int.h17
-rw-r--r--lib/gnutls_ui.h15
5 files changed, 30 insertions, 287 deletions
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index f35bfaeeef..e54051254f 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -310,93 +310,6 @@ uint size;
}
-/* Calls the client_cert_callback() to select an index for the
- * certificate to use.
- */
-static int call_client_cert_callback(gnutls_session session,
- const gnutls_certificate_credentials cred, gnutls_pk_algorithm * pk_algos,
- int pk_algos_length, gnutls_datum * issuers_dn, uint issuers_dn_len)
-{
- uint i, j;
- int indx, result;
- int *ij_map = NULL;
- gnutls_datum *my_certs = NULL;
-
- if (cred->ncerts != 0) {
- my_certs =
- gnutls_alloca(cred->ncerts *
- sizeof(gnutls_datum));
- if (my_certs == NULL) {
- result = GNUTLS_E_MEMORY_ERROR;
- gnutls_assert();
- goto error;
- }
-
-
- /* maps j -> i
- */
- ij_map = gnutls_alloca(sizeof(int) * cred->ncerts);
- if (ij_map == NULL) {
- result = GNUTLS_E_MEMORY_ERROR;
- gnutls_assert();
- goto error;
- }
- }
-
- /* put our certificate's issuer and dn into cdn, idn
- * Note that the certificates we provide to the callback
- * are not all the certificates we have. Only the certificates
- * that are requested by the server (certificate type - and sign
- * algorithm matches), are provided.
- */
- for (j = i = 0; i < cred->ncerts; i++) {
- if ((cred->cert_list[i][0].cert_type ==
- gnutls_certificate_type_get(session)) &&
- (_gnutls_check_pk_algo_in_list(pk_algos,
- pk_algos_length,
- cred->
- cert_list[i][0].
- subject_pk_algorithm)
- == 0)) {
- /* Add a certificate ONLY if it is allowed
- * by the peer.
- */
- ij_map[j] = i;
- my_certs[j++] = cred->cert_list[i][0].raw;
- }
- }
-
- indx =
- session->internals.client_cert_callback(session,
- my_certs,
- j,
- issuers_dn,
- issuers_dn_len);
-
- /* the indx returned by the user is relative
- * to the certificates we provided him.
- * This will make it relative to the certificates
- * we've got.
- */
- if (indx != -1 && cred->ncerts != 0)
- indx = ij_map[indx];
- else
- indx = -1;
-
-
- result = indx;
-
- error:
- if (my_certs != NULL) {
- gnutls_afree(my_certs);
- }
- if (ij_map != NULL) {
- gnutls_afree(ij_map);
- }
- return result;
-
-}
-
OPENPGP_KEY_DEINIT _E_gnutls_openpgp_key_deinit;
OPENPGP_PRIVKEY_DEINIT _E_gnutls_openpgp_privkey_deinit;
@@ -522,8 +435,7 @@ static int _select_client_cert(gnutls_session session,
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
- if (cred->client_get_cert_callback != NULL ||
- session->internals.client_cert_callback != NULL) {
+ if (cred->client_get_cert_callback != NULL) {
/* use a callback to get certificate
*/
@@ -547,16 +459,9 @@ static int _select_client_cert(gnutls_session session,
}
}
- if (cred->client_get_cert_callback) {
- result = call_get_cert_callback( session, issuers_dn, issuers_dn_length,
- pk_algos, pk_algos_length);
- goto cleanup;
- }
-
- /* in case of the callback that returns an index:
- */
- indx = call_client_cert_callback(session, cred, pk_algos,
- pk_algos_length, issuers_dn, issuers_dn_length);
+ result = call_get_cert_callback( session, issuers_dn, issuers_dn_length,
+ pk_algos, pk_algos_length);
+ goto cleanup;
} else {
/* If we have no callbacks, try to guess.
@@ -581,18 +486,18 @@ static int _select_client_cert(gnutls_session session,
gnutls_assert();
return result;
}
- }
- if (indx >= 0) {
- _gnutls_selected_certs_set(session,
+ if (indx >= 0) {
+ _gnutls_selected_certs_set(session,
&cred->cert_list[indx][0],
cred->cert_list_length[indx],
&cred->pkey[indx], 0);
- } else {
- _gnutls_selected_certs_set(session, NULL, 0, NULL, 0);
- }
+ } else {
+ _gnutls_selected_certs_set(session, NULL, 0, NULL, 0);
+ }
- result = 0;
+ result = 0;
+ }
cleanup:
gnutls_free( issuers_dn);
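Review bot: The `if (indx >= 0)` / `_gnutls_selected_certs_set(session, NULL, 0, NULL, 0);` pair now lives only inside the no-callback else branch, yet nothing says what indx is or what a negative value means; I would add above it `/* indx indexes cred->cert_list as chosen by the guess above; a negative value means send no client certificate, so clear the selection. */`. The negative-means-none reading matches `index = -1; /* default is use no certificate */` on the server side of this file, but the guess code that assigns indx is outside this hunk, so please confirm it can never yield a value >= cred->ncerts, since `cred->cert_list[indx]` is indexed here without a bound check. _select_client_cert starts before and ends after this hunk.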
@@ -1587,10 +1492,9 @@ void _gnutls_selected_certs_set(gnutls_session session,
int _gnutls_server_select_cert(gnutls_session session,
gnutls_pk_algorithm requested_algo)
{
- uint i, j;
+ uint i;
int index, ret;
const gnutls_certificate_credentials cred;
- int my_certs_length;
cred =
_gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL);
@@ -1599,6 +1503,16 @@ int _gnutls_server_select_cert(gnutls_session session,
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
+ /* If the callback which retrieves certificate has been
+ * set use it and leave.
+ */
+ if (cred->server_get_cert_callback != NULL) {
+
+ return call_get_cert_callback( session, NULL, 0, NULL, 0);
+ }
+
+ /* Otherwise... */
+
ret = 0;
index = -1; /* default is use no certificate */
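Review bot: The early `return call_get_cert_callback( session, NULL, 0, NULL, 0);` leaves _gnutls_server_select_cert before the "store the index for future use" bookkeeping that closes the function outside this hunk, so whatever call_get_cert_callback records is the only memory of the selection; if it does not mark the session as having chosen a certificate, the application callback is presumably invoked again on every later call in the same handshake. The callback path also skips the requested_algo / cert_type compatibility loop that follows, so the application is trusted to return a certificate usable by the negotiated ciphersuite. Neither point is a regression (the old code returned just as early), but the new comment should state both, e.g. extend it with `The callback is responsible for recording the selection and for returning a certificate compatible with the negotiated cipher suite; no filtering is applied here.`. The function starts in the previous hunk and continues past this one.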
@@ -1615,75 +1529,8 @@ int _gnutls_server_select_cert(gnutls_session session,
break;
}
}
-
}
-
- /* If the callback which retrieves certificate has been
- * set use it.
- */
- if (cred->server_get_cert_callback != NULL) {
-
- return call_get_cert_callback( session, NULL, 0, NULL, 0);
-
- } else if (session->internals.server_cert_callback != NULL
- && cred->ncerts > 0) {
- /* use the callback to get certificate
- */
- gnutls_datum *my_certs;
- int *ij_map;
-
- my_certs_length = cred->ncerts;
- my_certs =
- gnutls_malloc(my_certs_length * sizeof(gnutls_datum));
- if (my_certs == NULL) {
- ret = GNUTLS_E_MEMORY_ERROR;
- goto out;
- }
-
- /* put our certificate's issuer and dn into cdn, idn
- */
- ij_map = gnutls_malloc(my_certs_length * sizeof(int));
- if (ij_map == NULL) {
- ret = GNUTLS_E_MEMORY_ERROR;
- goto cleanup_certs;
- }
-
- j = 0;
- for (i = 0; i < cred->ncerts; i++) {
- /* Add compatible certificates */
- if (requested_algo == (gnutls_pk_algorithm) - 1 ||
- requested_algo ==
- cred->cert_list[i][0].subject_pk_algorithm) {
-
- /* if cert type matches */
- if (session->security_parameters.
- cert_type ==
- cred->cert_list[i][0].cert_type) {
-
- ij_map[j] = i;
- my_certs[j++] =
- cred->cert_list[i][0].raw;
- }
- }
- }
- my_certs_length = j;
-
- index =
- session->internals.server_cert_callback(session,
- my_certs,
- my_certs_length);
-
- if (index != -1)
- index = ij_map[index];
- ret = 0;
-
- gnutls_free(ij_map);
- cleanup_certs:
- gnutls_free(my_certs);
-
- }
-
- out:
+
/* store the index for future use, in the handshake.
* (This will allow not calling this callback again.)
*/
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 67d1520da2..b611a9b9a5 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -303,84 +303,6 @@ void gnutls_certificate_server_set_request(gnutls_session session,
session->internals.send_cert_req = req;
}
-
-#define gnutls_certificate_client_select_function certificate_client_select_func
-
-/**
- * gnutls_certificate_client_set_select_function - Used to set a callback while selecting the proper (client) certificate
- * @session: is a &gnutls_session structure.
- * @func: is the callback function
- *
- * This function sets a callback to be called while selecting the (client) certificate.
- * The callback's function prototype is:
- * int (*callback)(gnutls_session, const gnutls_datum *client_cert, int ncerts, const gnutls_datum* req_ca_dn, int nreqs);
- *
- * @client_cert contains @ncerts gnutls_datum structures which hold
- * the raw certificates (DER for X.509 or binary for OpenPGP), of the
- * client.
- *
- * @req_ca_dn, is only used in X.509 certificates.
- * Contains a list with the CA names that the server considers trusted.
- * Normally we should send a certificate that is signed
- * by one of these CAs. These names are DER encoded. To get a more
- * meaningful value use the function gnutls_x509_rdn_get().
- *
- * This function specifies what we, in case of a client, are going
- * to do when we have to send a certificate. If this callback
- * function is not provided then gnutls will automatically try to
- * find an appropriate certificate to send. The appropriate certificate
- * is chosen based on the CAs sent by the server, and the requested
- * public key algorithms.
- *
- * If the callback function is provided then gnutls will call it, in the
- * handshake, after the certificate request message has been received.
- *
- * The callback function should return the index of the certificate
- * choosen by the user. The index is relative to the certificates in the
- * callback's parameter. The value (-1) indicates that the user
- * does not want to use client authentication.
- **/
-void gnutls_certificate_client_set_select_function(gnutls_session session,
- gnutls_certificate_client_select_function
- * func)
-{
- session->internals.client_cert_callback = func;
-}
-
-#define gnutls_certificate_server_select_function certificate_server_select_func
-/**
- * gnutls_certificate_server_set_select_function - Used to set a callback while selecting the proper (server) certificate
- * @session: is a &gnutls_session structure.
- * @func: is the callback function
- *
- * This function sets a callback to be called while selecting the (server) certificate.
- * The callback's function form is:
- * int (*callback)(gnutls_session, gnutls_datum *server_cert, int ncerts);
- *
- * @server_cert contains @ncerts gnutls_datum structures which hold
- * the raw certificate (DER encoded in X.509) of the server.
- *
- * This function specifies what we, in case of a server, are going
- * to do when we have to send a certificate. If this callback
- * function is not provided then gnutls will automatically try to
- * find an appropriate certificate to send. (actually send the first in the list)
- *
- * In case the callback returned a negative number then gnutls will
- * not attempt to choose the appropriate certificate and the caller function
- * will fail.
- *
- * The callback function will only be called once per handshake.
- * The callback function should return the index of the certificate
- * choosen by the server. -1 indicates an error.
- *
- **/
-void gnutls_certificate_server_set_select_function(gnutls_session session,
- gnutls_certificate_server_select_function
- * func)
-{
- session->internals.server_cert_callback = func;
-}
-
/**
* gnutls_certificate_client_set_retrieve_function - Used to set a callback to retrieve the certificate
* @cred: is a &gnutls_certificate_credentials structure.
diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
index 0c6bf8525a..9a5c98b1ab 100644
--- a/lib/gnutls_global.c
+++ b/lib/gnutls_global.c
@@ -168,8 +168,14 @@ int gnutls_global_init( void)
_gnutls_init++;
if (gcry_control( GCRYCTL_ANY_INITIALIZATION_P) == 0) {
- if (gcry_check_version(GNUTLS_GCRYPT_VERSION)==NULL) {
+ const char* p;
+ p = strchr( GNUTLS_GCRYPT_VERSION, ':');
+ if (p==NULL) p = GNUTLS_GCRYPT_VERSION;
+ else p++;
+
+ if (gcry_check_version(p)==NULL) {
gnutls_assert();
+ _gnutls_debug_log("Checking for libgcrypt failed '%s'\n", p);
return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY;
}
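Review bot: The new `p = strchr( GNUTLS_GCRYPT_VERSION, ':');` / `else p++;` lines strip something from the version macro without saying what, and a reader cannot tell why a colon would appear in a version requirement. Presumably the macro may carry a pkg-config/Debian-style epoch prefix such as `1:1.1.x` that gcry_check_version() cannot parse; if so, say it: `/* GNUTLS_GCRYPT_VERSION may carry an "epoch:" prefix; gcry_check_version() only understands the part after the colon. */`. strchr() also requires <string.h>, which this hunk does not show being included. Separately, `_gnutls_init++` on the line above has already run when the failure path returns GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY, so a failed init apparently leaves the counter bumped; that is pre-existing, but worth checking while this branch is being touched. gnutls_global_init starts before this hunk and continues after it.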
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 09d9f6faba..7d5c8df3f0 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -424,13 +424,6 @@ typedef struct {
unsigned int algorithms;
} GNUTLS_Priority;
-typedef int certificate_client_select_func(struct gnutls_session_int*,
- const gnutls_datum *, unsigned int, const gnutls_datum *, unsigned int);
-typedef int certificate_server_select_func(struct gnutls_session_int*,
- const gnutls_datum *, unsigned int);
-typedef int srp_server_select_func(struct gnutls_session_int*,
- const char**, const char**, unsigned int);
-
/* DH and RSA parameters types.
*/
typedef struct {
@@ -576,16 +569,6 @@ typedef struct {
*/
int send_cert_req;
- /* this is a callback function to call if no appropriate
- * client certificates were found.
- */
- certificate_client_select_func* client_cert_callback;
- certificate_server_select_func* server_cert_callback;
-
- /* Callback to select the proper password file
- */
- srp_server_select_func* server_srp_callback;
-
/* bits to use for DHE and DHA
* use _gnutls_dh_get_prime_bits() and gnutls_dh_set_prime_bits()
* to access it.
diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h
index 4e04e832d4..2a97209d8d 100644
--- a/lib/gnutls_ui.h
+++ b/lib/gnutls_ui.h
@@ -8,16 +8,6 @@ typedef enum gnutls_x509_subject_alt_name {
# ifdef LIBGNUTLS_VERSION /* These are defined only in gnutls.h */
-/* Callback prototypes for the certificate authentication
- * callbacks.
- */
-typedef int gnutls_certificate_client_select_function(gnutls_session,
- const gnutls_datum * client_cert, int ncerts,
- const gnutls_datum * req_ca_cert, int nreqs);
-typedef int gnutls_certificate_server_select_function(gnutls_session,
- const gnutls_datum * server_certs, int ncerts);
-
-
struct gnutls_openpgp_key_int;
typedef struct gnutls_openpgp_key_int *gnutls_openpgp_key;
@@ -65,11 +55,6 @@ int gnutls_rsa_export_get_modulus_bits(gnutls_session session);
/* X509PKI */
-void gnutls_certificate_client_set_select_function(gnutls_session,
- gnutls_certificate_client_select_function *);
-void gnutls_certificate_server_set_select_function(gnutls_session,
- gnutls_certificate_server_select_function *);
-
/* These are set on the credentials structure.
*/
void gnutls_certificate_client_set_retrieve_function(gnutls_certificate_client_credentials,