summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@gnutls.org>2001-12-04 10:57:03 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2001-12-04 10:57:03 +0000
commitf4fcde5c4eb58ea592cf5e3f0cc41534a7e73b46 (patch)
tree86a97683c106d60fea2c07653fb5ccdf29415110 /lib
parentc488ad631dfb3f719334d5fa41ff1d2b41ad2e19 (diff)
downloadgnutls-f4fcde5c4eb58ea592cf5e3f0cc41534a7e73b46.tar.gz
moving gnutls_DN structures out of gnutls_cert and auth_info structures.
Now they are generated upon request.
Diffstat (limited to 'lib')
-rw-r--r--lib/auth_x509.c169
-rw-r--r--lib/auth_x509.h2
-rw-r--r--lib/debug.c5
-rw-r--r--lib/debug.h1
-rw-r--r--lib/gnutls_cert.c94
-rw-r--r--lib/gnutls_cert.h12
-rw-r--r--lib/gnutls_handshake.c32
-rw-r--r--lib/gnutls_int.h8
-rw-r--r--lib/gnutls_record.c24
-rw-r--r--lib/gnutls_ui.c163
-rw-r--r--lib/gnutls_ui.h8
-rw-r--r--lib/x509_extensions.c2
12 files changed, 286 insertions, 234 deletions
diff --git a/lib/auth_x509.c b/lib/auth_x509.c
index 4c134dadf3..cf3e22c292 100644
--- a/lib/auth_x509.c
+++ b/lib/auth_x509.c
@@ -45,10 +45,6 @@ int _gnutls_copy_x509_client_auth_info( X509PKI_AUTH_INFO info, gnutls_cert* cer
*/
int ret;
- memcpy( &info->peer_dn, &cert->cert_info, sizeof(gnutls_DN));
- memcpy( &info->issuer_dn, &cert->issuer_info, sizeof(gnutls_DN));
-
-
info->peer_certificate_status = verify;
info->peer_certificate_version = cert->version;
@@ -312,7 +308,7 @@ int data_size = _data_size;
* choose of certificate, otherwise (-1), he
* will be prompted to choose one.
*/
- try = cred->client_cert_callback( NULL, NULL, 0, NULL, 0);
+ try = cred->client_cert_callback( NULL, 0, NULL, 0);
}
if (try>=0)
@@ -357,18 +353,13 @@ int data_size = _data_size;
} while (1);
if (indx==-1 && cred->client_cert_callback!=NULL && cred->ncerts > 0) {/* use a callback to get certificate */
- gnutls_DN *cdn=NULL;
- gnutls_DN *idn=NULL;
- gnutls_DN *req_dn=NULL;
- gnutls_datum tmp;
+ gnutls_datum *my_certs=NULL;
+ gnutls_datum *issuers_dn=NULL;
int count;
- cdn = gnutls_malloc( cred->ncerts* sizeof(gnutls_DN));
- if (cdn==NULL) goto clear;
+ my_certs = gnutls_malloc( cred->ncerts* sizeof(gnutls_datum));
+ if (my_certs==NULL) goto clear;
- idn = gnutls_malloc( cred->ncerts* sizeof(gnutls_DN));
- if (idn==NULL) goto clear;
-
/* put the requested DNs to req_dn
*/
data = _data;
@@ -384,13 +375,14 @@ int data_size = _data_size;
data += 2;
- req_dn = gnutls_realloc_fast( req_dn, (count+1)*sizeof(gnutls_DN));
- if (req_dn==NULL) goto clear;
+ issuers_dn = gnutls_realloc_fast( issuers_dn, (count+1)*sizeof(gnutls_datum));
+ if (issuers_dn==NULL) goto clear;
+
+ issuers_dn->data = data;
+ issuers_dn->size = size;
+
+ count++; /* otherwise we have failed */
- tmp.data = data;
- tmp.size = size;
- if (_gnutls_dn2gnutlsdn( &req_dn[count], &tmp)==0)
- count++; /* otherwise we have failed */
data+=size;
if (data_size==0) break;
@@ -400,15 +392,13 @@ int data_size = _data_size;
/* put our certificate's issuer and dn into cdn, idn
*/
for(i=0;i<cred->ncerts;i++) {
- memcpy( &cdn[i], &cred->cert_list[i][0].cert_info, sizeof(gnutls_DN));
- memcpy( &idn[i], &cred->cert_list[i][0].issuer_info, sizeof(gnutls_DN));
+ my_certs[i] = cred->cert_list[i][0].raw;
}
- indx = cred->client_cert_callback( cdn, idn, cred->ncerts, req_dn, count);
+ indx = cred->client_cert_callback( my_certs, cred->ncerts, issuers_dn, count);
clear:
- gnutls_free(cdn);
- gnutls_free(req_dn);
- gnutls_free(idn);
+ gnutls_free(my_certs);
+ gnutls_free(issuers_dn);
}
*ind = indx;
return 0;
@@ -906,13 +896,10 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int
*apr_cert_list_length = 0;
*apr_pkey = NULL;
} else {
- const char* dnsname = gnutls_ext_get_name_ind( state, GNUTLS_DNSNAME);
- if (dnsname==NULL) dnsname="";
ind =
- _gnutls_find_cert_list_index(cred->cert_list,
- cred->ncerts,
- dnsname);
+ _gnutls_find_cert_list_index(state, cred->cert_list,
+ cred->ncerts);
if (ind < 0) {
*apr_cert_list = NULL;
@@ -947,3 +934,123 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int
return 0;
}
+
+#define CHECK_AUTH(auth, ret) if (gnutls_get_auth_type(state) != auth) { \
+ gnutls_assert(); \
+ return ret; \
+ }
+
+/**
+ * gnutls_x509pki_get_peer_dn - This function returns the peer's distinguished name
+ * @state: is a gnutls state
+ * @ret: a pointer to a structure to hold the peer's name
+ *
+ * This function will return the name of the peer. The name is gnutls_DN structure and
+ * is a obtained by the peer's certificate. If the certificate send by the
+ * peer is invalid, or in any other failure this function returns error.
+ * Returns a negative error code in case of an error.
+ *
+ **/
+int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret)
+{
+ X509PKI_AUTH_INFO info;
+ node_asn *c2;
+ int result;
+
+ CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
+
+ memset( ret, 0, sizeof(gnutls_DN));
+
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return GNUTLS_E_INVALID_REQUEST;
+
+ if (asn1_create_structure
+ (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
+ "certificate2")
+ != ASN_OK) {
+ gnutls_assert();
+ return GNUTLS_E_ASN1_ERROR;
+ }
+
+
+ result = asn1_get_der(c2, info->raw_certificate.data, info->raw_certificate.size);
+ if (result != ASN_OK) {
+ /* couldn't decode DER */
+#ifdef DEBUG
+ _gnutls_log("Decoding error %d\n", result);
+#endif
+ gnutls_assert();
+ asn1_delete_structure(c2);
+ return GNUTLS_E_ASN1_PARSING_ERROR;
+ }
+ if ((result =
+ _gnutls_get_name_type(c2,
+ "certificate2.tbsCertificate.subject",
+ ret)) < 0) {
+ gnutls_assert();
+ asn1_delete_structure(c2);
+ return result;
+ }
+
+ asn1_delete_structure(c2);
+
+ return 0;
+}
+
+/**
+ * gnutls_x509pki_get_issuer_dn - This function returns the peer's issuer distinguished name
+ * @state: is a gnutls state
+ * @ret: a pointer to a structure to hold the issuer's name
+ *
+ * This function will return the name of the issuer of peer. The name is a gnutls_DN structure and
+ * is a obtained by the peer's certificate. If the certificate send by the
+ * peer is invalid, or in any other failure this function returns error.
+ * Returns a negative error code in case of an error.
+ *
+ **/
+int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret)
+{
+ X509PKI_AUTH_INFO info;
+ node_asn *c2;
+ int result;
+
+ CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
+
+ memset( ret, 0, sizeof(gnutls_DN));
+
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return GNUTLS_E_INVALID_REQUEST;
+
+ if (asn1_create_structure
+ (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
+ "certificate2")
+ != ASN_OK) {
+ gnutls_assert();
+ return GNUTLS_E_ASN1_ERROR;
+ }
+
+ result = asn1_get_der(c2, info->raw_certificate.data, info->raw_certificate.size);
+ if (result != ASN_OK) {
+ /* couldn't decode DER */
+#ifdef DEBUG
+ _gnutls_log("Decoding error %d\n", result);
+#endif
+ gnutls_assert();
+ asn1_delete_structure(c2);
+ return GNUTLS_E_ASN1_PARSING_ERROR;
+ }
+ if ((result =
+ _gnutls_get_name_type(c2,
+ "certificate2.tbsCertificate.issuer",
+ ret)) < 0) {
+ gnutls_assert();
+ asn1_delete_structure(c2);
+ return result;
+ }
+
+ asn1_delete_structure(c2);
+
+ return 0;
+}
diff --git a/lib/auth_x509.h b/lib/auth_x509.h
index 25a831fd8b..27385a5705 100644
--- a/lib/auth_x509.h
+++ b/lib/auth_x509.h
@@ -44,8 +44,6 @@ typedef struct {
#define X509PKI_CREDENTIALS X509PKI_CREDENTIALS_INT*
typedef struct X509PKI_AUTH_INFO_INT {
- gnutls_DN peer_dn;
- gnutls_DN issuer_dn;
CertificateStatus peer_certificate_status;
int peer_certificate_version;
time_t peer_certificate_activation_time;
diff --git a/lib/debug.c b/lib/debug.c
index 3a20501955..bcaccf7d6a 100644
--- a/lib/debug.c
+++ b/lib/debug.c
@@ -218,4 +218,9 @@ static char str[512];
return str;
}
+
+const char* GET_CN( gnutls_datum cert) {
+ return NULL; /* FIXME */
+}
+
#endif
diff --git a/lib/debug.h b/lib/debug.h
index 85ad14b261..f95145d84d 100644
--- a/lib/debug.h
+++ b/lib/debug.h
@@ -25,4 +25,5 @@ void _gnutls_dump_mpi(char* prefix,MPI a);
char* _gnutls_packet2str( int packet);
char* _gnutls_alert2str( int alert);
char* _gnutls_handshake2str( int handshake);
+char* GET_CN( gnutls_datum);
#endif
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 86c7b572cb..789b54b7f8 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -820,7 +820,9 @@ static int _gnutls_get_version(node_asn * c2, char *root)
#endif
/* This function will convert a der certificate, to a format
- * (structure) that gnutls can understand and use.
+ * (structure) that gnutls can understand and use. Actually the
+ * important thing on this function is that it extracts the
+ * certificate's (public key) parameters.
*/
int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert)
{
@@ -924,18 +926,6 @@ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert)
gCert->signature_size = len;
- memset(&gCert->cert_info, 0, sizeof(gCert->cert_info));
- memset(&gCert->issuer_info, 0, sizeof(gCert->issuer_info));
-
- if ((result =
- _gnutls_get_name_type(c2,
- "certificate2.tbsCertificate.subject",
- &gCert->cert_info)) < 0) {
- gnutls_assert();
- asn1_delete_structure(c2);
- return result;
- }
-
memset(&gCert->subjectAltDNSName, 0,
sizeof(gCert->subjectAltDNSName));
if ((result =
@@ -947,16 +937,6 @@ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert)
return result;
}
- if ((result =
- _gnutls_get_name_type(c2,
- "certificate2.tbsCertificate.issuer",
- &gCert->issuer_info)) < 0) {
- gnutls_assert();
- asn1_delete_structure(c2);
- return result;
- }
-
-
gCert->expiration_time =
_gnutls_get_time(c2, "certificate2", "notAfter");
gCert->activation_time =
@@ -982,7 +962,7 @@ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert)
/* Returns 0 if it's ok to use the KXAlgorithm with this cert
* (using KeyUsage field).
*/
-int _gnutls_check_x509_key_usage(gnutls_cert * cert, KXAlgorithm alg)
+int _gnutls_check_x509_key_usage(const gnutls_cert * cert, KXAlgorithm alg)
{
if (_gnutls_map_kx_get_cred(alg) == GNUTLS_X509PKI) {
switch (alg) {
@@ -1022,7 +1002,7 @@ int _gnutls_check_x509_key_usage(gnutls_cert * cert, KXAlgorithm alg)
* This function also uses the KeyUsage field of the certificate
* extensions in order to disable unneded algorithms.
*/
-int _gnutls_cert_supported_kx(gnutls_cert * cert, KXAlgorithm ** alg,
+int _gnutls_cert_supported_kx(const gnutls_cert * cert, KXAlgorithm ** alg,
int *alg_size)
{
KXAlgorithm kx;
@@ -1052,53 +1032,30 @@ int _gnutls_cert_supported_kx(gnutls_cert * cert, KXAlgorithm ** alg,
return 0;
}
-/* finds a certificate in the cert lists that contains
- * common_name (or subjectAltDNSName) field similar to name
+/* finds the most appropriate certificate in the cert list.
+ * The 'appropriate' is defined by the user.
+ * FIXME: provide user callback.
*/
-gnutls_cert *_gnutls_find_cert(gnutls_cert ** cert_list,
- int cert_list_length, const char *name)
+const gnutls_cert *_gnutls_find_cert( GNUTLS_STATE state, gnutls_cert ** cert_list,
+ int cert_list_length)
{
- gnutls_cert *cert = NULL;
int i;
- for (i = 0; i < cert_list_length; i++) {
- if (cert_list[i][0].cert_info.common_name[0] != 0
- || cert_list[i][0].subjectAltDNSName[0] != 0) {
- if (strcasecmp
- (cert_list[i][0].cert_info.common_name,
- name) == 0
- || strcasecmp(cert_list[i][0].
- subjectAltDNSName, name) == 0) {
- cert = &cert_list[i][0];
- break;
- }
- }
- }
- return cert;
+ i = _gnutls_find_cert_list_index( state, cert_list, cert_list_length);
+ if (i<0) return NULL;
+
+ return &cert_list[i][0];
}
-/* finds the index of a certificate in the cert lists that contains
- * common_name (or subjectAltDNSName) field similar to name
+/* finds the most appropriate certificate in the cert list.
+ * The 'appropriate' is defined by the user.
+ * FIXME: provide user callback.
*/
-int _gnutls_find_cert_list_index(gnutls_cert ** cert_list,
- int cert_list_length, const char *name)
+int _gnutls_find_cert_list_index( GNUTLS_STATE state, gnutls_cert ** cert_list,
+ int cert_list_length)
{
int index = 0;
- int i;
- for (i = 0; i < cert_list_length; i++) {
- if (cert_list[i][0].cert_info.common_name[0] != 0
- || cert_list[i][0].subjectAltDNSName[0] != 0) {
- if (strcasecmp
- (cert_list[i][0].cert_info.common_name,
- name) == 0
- || strcasecmp(cert_list[i][0].
- subjectAltDNSName, name) == 0) {
- index = i;
- break;
- }
- }
- }
return index;
}
@@ -1127,16 +1084,15 @@ int gnutls_x509pki_set_cert_request(GNUTLS_STATE state,
* @func: is the callback function
*
* The callback's function form is:
- * int (*callback)(gnutls_DN *client_cert, gnutls_DN *issuer_cert, int ncerts, gnutls_DN* req_ca_cert, int nreqs);
+ * int (*callback)(gnutls_datum *client_cert, int ncerts, gnutls_datum* req_ca_cert, int nreqs);
*
- * 'client_cert' contains 'ncerts' gnutls_DN structures which hold
- * DN data from the client certificate. 'issuer_cert' holds DN data
- * for the issuer of the certificate. Ie. issuer_cert[i] is the issuer of
- * client_cert[i]. (i < ncerts)
+ * 'client_cert' contains 'ncerts' gnutls_datum structures which hold
+ * the DER encoded X.509 certificates of the client.
*
- * 'req_ca_cert' contains a list with the CA certificates that the server
+ * 'req_ca_cert' contains a list with the CA names that the server
* considers trusted. Normaly we should send a certificate that is signed
- * by one of these CAs.
+ * by one of these CAs. These names are DER encoded. To get a more
+ * meaningful value use the function _gnutls_dn2gnutlsdn().
*
* This function specifies what we (in case of a client) are going
* to do when we have to send a certificate. If this callback
diff --git a/lib/gnutls_cert.h b/lib/gnutls_cert.h
index b9743ad9fc..2b9365e02b 100644
--- a/lib/gnutls_cert.h
+++ b/lib/gnutls_cert.h
@@ -12,8 +12,6 @@ typedef struct gnutls_cert {
*/
PKAlgorithm subject_pk_algorithm;
- gnutls_DN cert_info;
- gnutls_DN issuer_info;
opaque subjectAltDNSName[X509_CN_SIZE];
int subjectAltDNSName_size;
@@ -47,18 +45,18 @@ typedef struct {
gnutls_datum raw; /* the raw key */
} gnutls_private_key;
+struct GNUTLS_STATE_INT; /* because GNUTLS_STATE is not defined when this file is included */
-int _gnutls_cert_supported_kx(gnutls_cert* cert, KXAlgorithm **alg, int *alg_size);
+int _gnutls_cert_supported_kx( const gnutls_cert* cert, KXAlgorithm **alg, int *alg_size);
PKAlgorithm _gnutls_map_pk_get_pk(KXAlgorithm kx_algorithm);
int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert);
-gnutls_cert* _gnutls_find_cert( gnutls_cert** cert_list, int cert_list_length, const char* name);
-int _gnutls_find_cert_list_index(gnutls_cert ** cert_list,
- int cert_list_length, const char *name);
+const gnutls_cert* _gnutls_find_cert( struct GNUTLS_STATE_INT*, gnutls_cert** cert_list, int cert_list_length);
+int _gnutls_find_cert_list_index( struct GNUTLS_STATE_INT*, gnutls_cert ** cert_list, int cert_list_length);
#define MAX_INT_DIGITS 4
void _gnutls_int2str(int k, char* data);
int _gnutls_get_name_type( node_asn *rasn, char *root, gnutls_DN * dn);
void gnutls_free_cert(gnutls_cert cert);
-int _gnutls_check_x509_key_usage(gnutls_cert * cert, KXAlgorithm alg);
+int _gnutls_check_x509_key_usage( const gnutls_cert * cert, KXAlgorithm alg);
#endif
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index ef9e339d0e..3557b5dec0 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -1870,11 +1870,10 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state,
GNUTLS_CipherSuite *newSuite;
int newSuiteSize = 0, i, j, keep;
const X509PKI_CREDENTIALS x509_cred;
- gnutls_cert *cert = NULL;
+ const gnutls_cert *cert = NULL;
KXAlgorithm *alg;
int alg_size;
KXAlgorithm kx;
- const char *dnsname;
if (state->security_parameters.entity == GNUTLS_CLIENT)
return 0;
@@ -1891,23 +1890,18 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state,
/* if x509_cred==NULL we should remove all X509 ciphersuites
*/
- /* find the certificate that has dnsname in the subject
- * name or subject Alternative name.
- */
-
cert = NULL;
- dnsname = gnutls_ext_get_name_ind(state, GNUTLS_DNSNAME);
- if (dnsname != NULL && dnsname[0] != 0) {
- cert =
- (gnutls_cert *) _gnutls_find_cert(x509_cred->cert_list,
- x509_cred->ncerts,
- dnsname);
- }
- if (cert == NULL && x509_cred->cert_list != NULL) { /* if no such cert, use the first in the list
- */
- cert = &x509_cred->cert_list[0][0];
+ cert =
+ _gnutls_find_cert(state, x509_cred->cert_list,
+ x509_cred->ncerts);
+ if (cert == NULL) {
+ /* No certificate was found
+ */
+ alg_size = 0;
+ alg = NULL;
+ } else {
/* get all the key exchange algorithms that are
* supported by the X509 certificate parameters.
*/
@@ -1917,14 +1911,8 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state,
gnutls_assert();
return ret;
}
- } else {
- /* No certificate was found
- */
- alg_size = 0;
- alg = NULL;
}
-
newSuite =
gnutls_malloc(numCipherSuites * sizeof(GNUTLS_CipherSuite));
if (newSuite==NULL) {
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index dd133b29ea..1aacd4058f 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -31,9 +31,9 @@
#define WRITE_DEBUG
#define READ_DEBUG
#define HANDSHAKE_DEBUG // Prints some information on handshake
-#define RECORD_DEBUG
+#define RECORD_DEBUG*/
#define DEBUG
-*/
+
/* It might be a good idea to replace int with void*
* here.
@@ -338,6 +338,8 @@ typedef struct {
#define CompressionMethod_Priority GNUTLS_Priority
#define Protocol_Priority GNUTLS_Priority
+typedef int x509_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int);
+
typedef struct {
opaque header[HANDSHAKE_HEADER_SIZE];
/* this holds the number of bytes in the handshake_header[] */
@@ -449,7 +451,7 @@ typedef struct {
/* this is a callback function to call if no appropriate
* client certificates were found.
*/
- int (*x509_client_cert_callback)(void*,void*,int, void*, int);
+ x509_cert_callback_func* x509_client_cert_callback;
gnutls_cert peer_cert;
int max_handshake_data_buffer_size;
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index 1875e5d322..573fe79677 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -432,6 +432,15 @@ int ret = GNUTLS_E_UNIMPLEMENTED_FEATURE;
case GNUTLS_E_ILLEGAL_PARAMETER:
ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_ILLEGAL_PARAMETER);
break;
+ case GNUTLS_E_ASN1_PARSING_ERROR:
+ ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_BAD_CERTIFICATE);
+ break;
+ case GNUTLS_E_UNKNOWN_CIPHER_SUITE:
+ ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_HANDSHAKE_FAILURE);
+ break;
+ case GNUTLS_E_UNEXPECTED_PACKET:
+ ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_UNEXPECTED_MESSAGE);
+ break;
}
return ret;
@@ -448,10 +457,10 @@ int ret = GNUTLS_E_UNIMPLEMENTED_FEATURE;
*
* in case of GNUTLS_SHUT_RDWR then the connection gets terminated and
* further receives and sends will be disallowed. If the return
- * value is zero you may continue using the TCP connection.
+ * value is zero you may continue using the connection.
*
* in case of GNUTLS_SHUT_WR then the connection gets terminated and
- * further sends will be disallowed. In order to reuse the TCP connection
+ * further sends will be disallowed. In order to reuse the connection
* you should wait for an EOF from the peer.
*
* This function may also return GNUTLS_E_AGAIN, or GNUTLS_E_INTERRUPTED.
@@ -1111,7 +1120,8 @@ AlertDescription gnutls_get_last_alert( GNUTLS_STATE state) {
* @sizeofdata: is the length of the data
*
* This function has the same semantics as write() has. The only
- * difference is that is accepts a GNUTLS state.
+ * difference is that is accepts a GNUTLS state, and uses different
+ * error codes.
*
* If the EINTR is returned by the internal push function (write())
* then GNUTLS_E_INTERRUPTED, will be returned. If GNUTLS_E_INTERRUPTED or
@@ -1132,10 +1142,10 @@ ssize_t gnutls_write( GNUTLS_STATE state, const void *data, size_t sizeofdata) {
* @data: contains the data to send
* @sizeofdata: is the length of the data
*
- * This function has the same semantics as read() has. The only
- * difference is that is accepts a GNUTLS state.
- * Returns the number of bytes received, zero on EOF, or
- * a negative error code.
+ * This function has the same semantics as write() has. The only
+ * difference is that is accepts a GNUTLS state.
+ * Also returns the number of bytes received, zero on EOF, but
+ * a negative error code in case of an error.
*
* If this function returns GNUTLS_E_REHANDSHAKE, then you must
* either send an alert containing NO_RENEGOTIATION, or perform a
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 7bb796b275..fb8fce623e 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -40,13 +40,15 @@
* Returns NULL in case of an error.
*
**/
-const char* gnutls_srp_server_get_username( GNUTLS_STATE state) {
-SRP_SERVER_AUTH_INFO info;
+const char *gnutls_srp_server_get_username(GNUTLS_STATE state)
+{
+ SRP_SERVER_AUTH_INFO info;
CHECK_AUTH(GNUTLS_SRP, NULL);
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return NULL;
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return NULL;
return info->username;
}
@@ -61,13 +63,15 @@ SRP_SERVER_AUTH_INFO info;
* Returns a negative value in case of an error.
*
**/
-int gnutls_anon_server_get_dh_bits( GNUTLS_STATE state) {
-ANON_SERVER_AUTH_INFO info;
+int gnutls_anon_server_get_dh_bits(GNUTLS_STATE state)
+{
+ ANON_SERVER_AUTH_INFO info;
CHECK_AUTH(GNUTLS_ANON, GNUTLS_E_INVALID_REQUEST);
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR;
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return GNUTLS_E_UNKNOWN_ERROR;
return info->dh_bits;
}
@@ -80,57 +84,20 @@ ANON_SERVER_AUTH_INFO info;
* Returns a negative value in case of an error.
*
**/
-int gnutls_anon_client_get_dh_bits( GNUTLS_STATE state) {
-ANON_CLIENT_AUTH_INFO info;
+int gnutls_anon_client_get_dh_bits(GNUTLS_STATE state)
+{
+ ANON_CLIENT_AUTH_INFO info;
CHECK_AUTH(GNUTLS_ANON, GNUTLS_E_INVALID_REQUEST);
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR;
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return GNUTLS_E_UNKNOWN_ERROR;
return info->dh_bits;
}
/* X509PKI */
-/**
- * gnutls_x509pki_get_peer_dn - This function returns the peer's distinguished name
- * @state: is a gnutls state
- *
- * This function will return the name of the peer. The name is gnutls_DN structure and
- * is a obtained by the peer's certificate. If the certificate send by the
- * peer is invalid, or in any other failure this function returns NULL.
- * Returns NULL in case of an error.
- *
- **/
-const gnutls_DN* gnutls_x509pki_get_peer_dn( GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
-
- CHECK_AUTH(GNUTLS_X509PKI, NULL);
-
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return NULL;
- return &info->peer_dn;
-}
-
-/**
- * gnutls_x509pki_get_issuer_dn - This function returns the peer's certificate issuer distinguished name
- * @state: is a gnutls state
- *
- * This function will return the name of the peer's certificate issuer. The name is gnutls_DN structure and
- * is a obtained by the peer's certificate. If the certificate send by the
- * peer is invalid, or in any other failure this function returns NULL.
- * Returns NULL in case of an error.
- *
- **/
-const gnutls_DN* gnutls_x509pki_get_issuer_dn( GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
-
- CHECK_AUTH(GNUTLS_X509PKI, NULL);
-
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return NULL;
- return &info->issuer_dn;
-}
/**
* gnutls_x509pki_get_peer_certificate_status - This function returns the peer's certificate status
@@ -142,13 +109,16 @@ X509PKI_AUTH_INFO info;
* Returns GNUTLS_CERT_NONE in case of an error, or if no certificate was sent.
*
**/
-CertificateStatus gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+CertificateStatus gnutls_x509pki_get_peer_certificate_status(GNUTLS_STATE
+ state)
+{
+ X509PKI_AUTH_INFO info;
CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_CERT_NONE);
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return GNUTLS_CERT_NONE;
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return GNUTLS_CERT_NONE;
return info->peer_certificate_status;
}
@@ -161,13 +131,15 @@ X509PKI_AUTH_INFO info;
* Returns NULL in case of an error, or if no certificate was sent.
*
**/
-const gnutls_datum * gnutls_x509pki_get_peer_certificate( GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+const gnutls_datum *gnutls_x509pki_get_peer_certificate(GNUTLS_STATE state)
+{
+ X509PKI_AUTH_INFO info;
CHECK_AUTH(GNUTLS_X509PKI, NULL);
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return NULL;
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return NULL;
return &info->raw_certificate;
}
@@ -180,13 +152,15 @@ X509PKI_AUTH_INFO info;
* Returns a negative value in case of an error.
*
**/
-int gnutls_x509pki_get_peer_certificate_version( GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+int gnutls_x509pki_get_peer_certificate_version(GNUTLS_STATE state)
+{
+ X509PKI_AUTH_INFO info;
CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR;
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return GNUTLS_E_UNKNOWN_ERROR;
return info->peer_certificate_version;
}
@@ -200,13 +174,15 @@ X509PKI_AUTH_INFO info;
* Returns a negative value in case of an error.
*
**/
-int gnutls_x509pki_get_dh_bits( GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+int gnutls_x509pki_get_dh_bits(GNUTLS_STATE state)
+{
+ X509PKI_AUTH_INFO info;
CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR;
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return GNUTLS_E_UNKNOWN_ERROR;
return info->dh_bits;
}
@@ -219,13 +195,16 @@ X509PKI_AUTH_INFO info;
* Returns a (time_t) -1 in case of an error.
*
**/
-time_t gnutls_x509pki_get_peer_certificate_activation_time( GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE
+ state)
+{
+ X509PKI_AUTH_INFO info;
CHECK_AUTH(GNUTLS_X509PKI, -1);
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return -1;
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return -1;
return info->peer_certificate_activation_time;
}
@@ -238,13 +217,16 @@ X509PKI_AUTH_INFO info;
* Returns a (time_t) -1 in case of an error.
*
**/
-time_t gnutls_x509pki_get_peer_certificate_expiration_time( GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE
+ state)
+{
+ X509PKI_AUTH_INFO info;
CHECK_AUTH(GNUTLS_X509PKI, -1);
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return -1;
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return -1;
return info->peer_certificate_expiration_time;
}
@@ -258,13 +240,15 @@ X509PKI_AUTH_INFO info;
* Returns zero in case of an error.
*
**/
-unsigned char gnutls_x509pki_get_key_usage( GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+unsigned char gnutls_x509pki_get_key_usage(GNUTLS_STATE state)
+{
+ X509PKI_AUTH_INFO info;
CHECK_AUTH(GNUTLS_X509PKI, 0);
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return 0;
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return 0;
return info->keyUsage;
}
@@ -277,13 +261,15 @@ X509PKI_AUTH_INFO info;
* Returns a negative value in case of an error.
*
**/
-int gnutls_x509pki_get_certificate_request_status( GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+int gnutls_x509pki_get_certificate_request_status(GNUTLS_STATE state)
+{
+ X509PKI_AUTH_INFO info;
CHECK_AUTH(GNUTLS_X509PKI, 0);
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR;
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return GNUTLS_E_UNKNOWN_ERROR;
return info->certificate_requested;
}
@@ -299,13 +285,14 @@ X509PKI_AUTH_INFO info;
* Returns NULL in case of an error.
*
**/
-const char* gnutls_x509pki_get_subject_dns_name( GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+const char *gnutls_x509pki_get_subject_dns_name(GNUTLS_STATE state)
+{
+ X509PKI_AUTH_INFO info;
CHECK_AUTH(GNUTLS_X509PKI, NULL);
- info = _gnutls_get_auth_info(state);
- if (info==NULL) return NULL;
+ info = _gnutls_get_auth_info(state);
+ if (info == NULL)
+ return NULL;
return info->subjectAltDNSName;
}
-
diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h
index 27784f24d4..ce7b6f9651 100644
--- a/lib/gnutls_ui.h
+++ b/lib/gnutls_ui.h
@@ -35,11 +35,11 @@ typedef struct {
#define X509KEY_ENCIPHER_ONLY 2
#define X509KEY_DECIPHER_ONLY 1
-typedef int x509_cert_callback_func(gnutls_DN *, gnutls_DN *, int, gnutls_DN *, int);
-
# ifdef LIBGNUTLS_VERSION /* defined only in gnutls.h */
+typedef int x509_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int);
+
/* Functions that allow AUTH_INFO structures handling
*/
@@ -60,9 +60,9 @@ int gnutls_set_x509_cert_callback( X509PKI_CREDENTIALS, x509_cert_callback_func
int gnutls_x509pki_set_cert_request( GNUTLS_STATE, CertificateRequest);
int gnutls_x509pki_get_certificate_request_status( GNUTLS_STATE);
-const gnutls_DN* gnutls_x509pki_get_peer_dn( GNUTLS_STATE);
+int gnutls_x509pki_get_peer_dn( GNUTLS_STATE, gnutls_DN*);
const gnutls_datum* gnutls_x509pki_get_peer_certificate( GNUTLS_STATE);
-const gnutls_DN* gnutls_x509pki_get_issuer_dn( GNUTLS_STATE);
+int gnutls_x509pki_get_issuer_dn( GNUTLS_STATE, gnutls_DN *);
CertificateStatus gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE);
int gnutls_x509pki_get_peer_certificate_version( GNUTLS_STATE);
time_t gnutls_x509pki_get_peer_certificate_activation_time( GNUTLS_STATE);
diff --git a/lib/x509_extensions.c b/lib/x509_extensions.c
index 3e2922dca0..702410e4b8 100644
--- a/lib/x509_extensions.c
+++ b/lib/x509_extensions.c
@@ -191,7 +191,7 @@ static int _parse_extension( gnutls_cert* cert, char* extnID, char* critical, ch
}
#ifdef DEBUG
- _gnutls_log("CERT[%s]: Unsupported Extension: %s, %s\n", cert->cert_info.common_name, extnID, critical);
+ _gnutls_log("CERT[%s]: Unsupported Extension: %s, %s\n", GET_CN(cert->raw), extnID, critical);
#endif
if (strcmp( critical, "TRUE")==0) {