author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-12-09 12:05:04 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-12-09 12:05:04 +0000 |
commit | faa166ab5f5ae8f12a3f56a2365f6bfb342ac979 (patch) | |
tree | 0334f52758dda09f6d6e9dcccafdc6c0352bdb32 /lib | |
parent | 6a4cdef790bdba1a5fa7142da1d499af852eaf65 (diff) | |
download | gnutls-faa166ab5f5ae8f12a3f56a2365f6bfb342ac979.tar.gz |
Fixes in anonymous authentication.
Fixes in client ciphersuite selection.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/auth_anon.h | 1 | ||||
-rw-r--r-- | lib/gnutls.h.in | 4 | ||||
-rw-r--r-- | lib/gnutls_anon_cred.c | 35 | ||||
-rw-r--r-- | lib/gnutls_auth.c | 2 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 67 | ||||
-rw-r--r-- | lib/gnutls_int.h | 2 |
6 files changed, 86 insertions, 25 deletions
diff --git a/lib/auth_anon.h b/lib/auth_anon.h index b706d2db67..44542c447a 100644 --- a/lib/auth_anon.h +++ b/lib/auth_anon.h @@ -6,6 +6,7 @@ typedef struct { } ANON_SERVER_CREDENTIALS_INT; #define ANON_SERVER_CREDENTIALS ANON_SERVER_CREDENTIALS_INT* +#define ANON_CLIENT_CREDENTIALS ANON_SERVER_CREDENTIALS_INT* typedef struct ANON_CLIENT_AUTH_INFO_INT { int dh_bits; diff --git a/lib/gnutls.h.in b/lib/gnutls.h.in index fb45b4de8d..20f7611318 100644 --- a/lib/gnutls.h.in +++ b/lib/gnutls.h.in @@ -193,6 +193,10 @@ void gnutls_anon_free_server_sc( ANON_SERVER_CREDENTIALS sc); int gnutls_anon_allocate_server_sc( ANON_SERVER_CREDENTIALS *sc); int gnutls_anon_set_server_cred( ANON_SERVER_CREDENTIALS res, int dh_bits); +void gnutls_anon_free_client_sc( ANON_SERVER_CREDENTIALS sc); +int gnutls_anon_allocate_client_sc( ANON_SERVER_CREDENTIALS *sc); +int gnutls_anon_set_client_cred( ANON_SERVER_CREDENTIALS res, int dh_bits); + /* CERTFILE is an x509 certificate in PEM form. * KEYFILE is a pkcs-1 private key in PEM form (for RSA keys). diff --git a/lib/gnutls_anon_cred.c b/lib/gnutls_anon_cred.c index 393fd2ccfa..fd553c3f63 100644 --- a/lib/gnutls_anon_cred.c +++ b/lib/gnutls_anon_cred.c @@ -27,7 +27,7 @@ #include "gnutls_gcry.h" /** - * gnutls_free_anon_server_sc - Used to free an allocated ANON_SERVER_CREDENTIALS structure + * gnutls_anon_free_server_sc - Used to free an allocated ANON_SERVER_CREDENTIALS structure * @sc: is an &ANON_SERVER_CREDENTIALS structure. * * This structure is complex enough to manipulate directly thus @@ -39,7 +39,7 @@ void gnutls_anon_free_server_sc( ANON_SERVER_CREDENTIALS sc) { } /** - * gnutls_allocate_anon_server_sc - Used to allocate an ANON_SERVER CREDENTIALS structure + * gnutls_anon_allocate_server_sc - Used to allocate an ANON_SERVER CREDENTIALS structure * @sc: is a pointer to an &ANON_SERVER_CREDENTIALS structure. * * This structure is complex enough to manipulate directly thus 
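Review bot: `ANON_CLIENT_CREDENTIALS` in lib/auth_anon.h is added as an object-like macro that expands to a pointer type, so a declaration such as `ANON_CLIENT_CREDENTIALS a, b;` makes only `a` a pointer. It mirrors the existing `ANON_SERVER_CREDENTIALS` macro, but a typedef avoids the trap: `typedef ANON_SERVER_CREDENTIALS_INT *ANON_CLIENT_CREDENTIALS;`. Because it aliases the server structure, the compiler cannot catch a server credential being passed where a client one is expected. A one-line comment saying the aliasing is intentional would help the next reader.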
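Review bot: The three client prototypes added to lib/gnutls.h.in take `ANON_SERVER_CREDENTIALS`, while the definitions added in lib/gnutls_anon_cred.c use `ANON_CLIENT_CREDENTIALS`. Both macros expand to the same type in lib/auth_anon.h, so this compiles, but the public header advertises the wrong credential type. Provided the client macro is also made available in this header (not visible here), the prototypes should read e.g. `void gnutls_anon_free_client_sc( ANON_CLIENT_CREDENTIALS sc);`. In addition, `gnutls_anon_set_client_cred` is declared here but none of the gnutls_anon_cred.c hunks in this commit add a definition, so unless one exists elsewhere a caller would fail at link time.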
@@ -68,3 +68,34 @@ int gnutls_anon_set_server_cred( ANON_SERVER_CREDENTIALS res, int dh_bits) { return 0; } +/** + * gnutls_anon_free_client_sc - Used to free an allocated ANON_CLIENT_CREDENTIALS structure + * @sc: is an &ANON_CLIENT_CREDENTIALS structure. + * + * This structure is complex enough to manipulate directly thus + * this helper function is provided in order to free (deallocate) + * the structure. + **/ +void gnutls_anon_free_client_sc( ANON_CLIENT_CREDENTIALS sc) { + gnutls_free(sc); +} + +const static int anon_tmp; + +/** + * gnutls_allocate_anon_client_sc - Used to allocate an ANON_CLIENT CREDENTIALS structure + * @sc: is a pointer to an &ANON_CLIENT_CREDENTIALS structure. + * + * This structure is complex enough to manipulate directly thus + * this helper function is provided in order to allocate + * the structure. + **/ +int gnutls_anon_allocate_client_sc( ANON_CLIENT_CREDENTIALS *sc) { + /* anon_tmp is only there for *sc not to be null. + * it is not used at all; + */ + *sc = (void*) &anon_tmp; + + if (*sc==NULL) return GNUTLS_E_MEMORY_ERROR; + return 0; +} diff --git a/lib/gnutls_auth.c b/lib/gnutls_auth.c index a0267b3118..7356b2aefe 100644 --- a/lib/gnutls_auth.c +++ b/lib/gnutls_auth.c @@ -67,7 +67,7 @@ int gnutls_clear_creds( GNUTLS_STATE state) { * structure. Thus you will have to keep the structure allocated until * you call gnutls_deinit(). ] * - * For GNUTLS_ANON cred should be NULL in case of a client. + * For GNUTLS_ANON cred should be ANON_CLIENT_CREDENTIALS in case of a client. * In case of a server it should be ANON_SERVER_CREDENTIALS. * * For GNUTLS_SRP cred should be SRP_CLIENT_CREDENTIALS diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index ce195e3367..b812d2d50c 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c 
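Review bot: `gnutls_anon_allocate_client_sc` stores the address of the static `anon_tmp` in `*sc`, and `gnutls_anon_free_client_sc` then passes that pointer to `gnutls_free`. If `gnutls_free` wraps the allocator's free, as its name suggests, this releases memory that never came from the allocator, which is undefined behaviour and in practice heap corruption or an abort. Either make the free function a no-op with a comment (`/* sc points at static storage; nothing to release */`) or hand out real storage, e.g. `*sc = gnutls_malloc(sizeof(ANON_SERVER_CREDENTIALS_INT));`, which would also make the `*sc==NULL` check reachable (it can never be true as written). The cast `(void*) &anon_tmp` also drops `const`, so any later write through the returned pointer is undefined. The kernel-doc header names `gnutls_allocate_anon_client_sc` while the function is `gnutls_anon_allocate_client_sc`.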
@@ -376,7 +376,7 @@ int _gnutls_read_client_hello(GNUTLS_STATE state, opaque * data, compression_method, &data[pos], z); #ifdef HANDSHAKE_DEBUG - _gnutls_log("Selected Compression Method: %s\n", + _gnutls_log("*** Selected Compression Method: %s\n", gnutls_compression_get_name(state->gnutls_internals. compression_method)); #endif @@ -518,7 +518,7 @@ static int _gnutls_server_SelectSuite(GNUTLS_STATE state, opaque ret[2], if (memcmp(ciphers[i].CipherSuite, &data[j], 2) == 0) { #ifdef HANDSHAKE_DEBUG - _gnutls_log("Selected cipher suite: "); + _gnutls_log("*** Selected cipher suite: "); _gnutls_log("%s\n", _gnutls_cipher_suite_get_name(* ((GNUTLS_CipherSuite *) & data[j]))); @@ -996,7 +996,7 @@ static int _gnutls_read_server_hello(GNUTLS_STATE state, char *data, cipher_suite.CipherSuite, 2); #ifdef HANDSHAKE_DEBUG - _gnutls_log("Selected cipher suite: "); + _gnutls_log("Hnadshake: Selected cipher suite: "); _gnutls_log("%s\n", _gnutls_cipher_suite_get_name(state-> security_parameters. @@ -1139,12 +1139,24 @@ static int _gnutls_send_client_hello( GNUTLS_STATE state, int again) pos += session_id_len; ret = _gnutls_supported_ciphersuites_sorted(state, &cipher_suites); - if (ret<0) { + if (ret < 0) { gnutls_free(data); gnutls_assert(); return ret; } + /* Here we remove any ciphersuite that does not conform + * the certificate requested, or to the + * authentication requested (eg SRP). + */ + ret = _gnutls_remove_unwanted_ciphersuites(state, &cipher_suites, ret); + if (ret < 0) { + gnutls_free(data); + gnutls_assert(); + return ret; + } + + x = ret; x *= sizeof(uint16); /* in order to get bytes */ @@ -1253,7 +1265,7 @@ static int _gnutls_send_server_hello( GNUTLS_STATE state, int again) pos += session_id_len; #ifdef HANDSHAKE_DEBUG - _gnutls_log("Handshake: SessionID: %s\n", + _gnutls_log("*** SessionID: %s\n", _gnutls_bin2hex(SessionID, session_id_len)); #endif 
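Review bot: The new debug string `"Hnadshake: Selected cipher suite: "` in `_gnutls_read_server_hello` is misspelled and does not use the `*** ` prefix that the other messages in this commit were moved to. `_gnutls_log("*** Selected cipher suite: ");` would match the server-side message in `_gnutls_server_SelectSuite`, so both ends can be found with the same search when reading a handshake trace.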
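Review bot: In `_gnutls_send_client_hello`, only `ret < 0` from `_gnutls_remove_unwanted_ciphersuites` is treated as failure. If filtering leaves no suite, `ret` is 0 and `x` becomes 0, so the code after this hunk would presumably go on to build a ClientHello with an empty cipher-suite list. Testing `if (ret <= 0)` and returning an explicit error code for the zero case (keeping `ret` for negative values) would make a credential/priority mismatch fail locally instead of on the wire. Neither error path in the hunk releases `cipher_suites`; if the callee does not free it on failure, a `gnutls_free(cipher_suites);` is needed alongside `gnutls_free(data);`. The function continues outside the hunk, so how `x == 0` is handled further down should be confirmed.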
@@ -1873,11 +1885,6 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state, int alg_size; KXAlgorithm kx; - /* ONLY USED IN CASE OF A SERVER. - */ - - if (state->security_parameters.entity == GNUTLS_CLIENT) - return 0; /* if we should use a specific certificate, * we should remove all algorithms that are not supported @@ -1893,8 +1900,9 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state, cert = NULL; - cert = - _gnutls_server_find_x509_cert(state); + if (state->security_parameters.entity == GNUTLS_SERVER) + cert = + _gnutls_server_find_x509_cert(state); if (cert == NULL) { /* No certificate was found @@ -1934,16 +1942,19 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state, */ if (_gnutls_map_kx_get_cred(kx) == GNUTLS_X509PKI) { keep = 1; /* do not keep */ - if (x509_cred != NULL) - /* here we check if the KX algorithm - * is compatible with the X.509 certificate. - */ - for (j = 0; j < alg_size; j++) { - if (alg[j] == kx) { - keep = 0; - break; + if (x509_cred != NULL) { + if (state->security_parameters.entity == GNUTLS_SERVER) { + /* here we check if the KX algorithm + * is compatible with the X.509 certificate. + */ + for (j = 0; j < alg_size; j++) { + if (alg[j] == kx) { + keep = 0; + break; + } } - } + } else /* CLIENT */ keep = 0; + } } else { /* if it is defined but had no credentials @@ -1954,9 +1965,23 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state, } if (keep == 0) { +#ifdef HANDSHAKE_DEBUG + _gnutls_log("*** Keeping ciphersuite: "); + _gnutls_log("%s\n", + _gnutls_cipher_suite_get_name(* + ((GNUTLS_CipherSuite *) & (*cipherSuites)[i].CipherSuite))); +#endif memcpy(newSuite[newSuiteSize].CipherSuite, (*cipherSuites)[i].CipherSuite, 2); newSuiteSize++; +#ifdef HANDSHAKE_DEBUG + } else { + _gnutls_log("*** Removing ciphersuite: "); + _gnutls_log("%s\n", + _gnutls_cipher_suite_get_name(* + ((GNUTLS_CipherSuite *) & (*cipherSuites)[i].CipherSuite))); + +#endif } } 
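Review bot: The client branch added in the `GNUTLS_X509PKI` case, `} else /* CLIENT */ keep = 0;`, hangs an unbraced `else` off a closing brace and depends on an inverted flag (`keep = 1` is commented `do not keep`, and `keep == 0` is what copies the suite), which makes the rule easy to misread. Bracing it and stating the rule would help: `} else { /* client: no certificate to match here, so every X.509 key exchange is offered once x509_cred is set */ keep = 0; }`. The flag's declaration is outside the hunk, so renaming it is left for a separate change.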
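Review bot: The second `#ifdef HANDSHAKE_DEBUG` block in the last hunk contains `} else {`, so the brace structure of `if (keep == 0)` depends on whether the macro is defined: the final `}` closes the `if` in one build and the `else` in the other. It compiles both ways but is fragile under later edits and confuses brace-matching tools. Closing the `if` unconditionally and wrapping only the two `_gnutls_log` calls (`} else {`, then `#ifdef HANDSHAKE_DEBUG` … `#endif`, then `}`) keeps the braces identical in both configurations.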
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index d7e200d043..01dff2a60f 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -30,8 +30,8 @@ #define HARD_DEBUG #define WRITE_DEBUG #define READ_DEBUG -#define HANDSHAKE_DEBUG // Prints some information on handshake #define RECORD_DEBUG +#define HANDSHAKE_DEBUG // Prints some information on handshake #define DEBUG */ |