authorSimon Josefsson <simon@josefsson.org>2008-07-08 17:00:31 +0200
committerSimon Josefsson <simon@josefsson.org>2008-07-08 17:00:31 +0200
commit3e8cd4b2daf353a32baeb12103e8f421628ad0f6 (patch)
tree02dbe1c0a1632eca865aa255719c971970f363c4 /libextra
parent2ca64bad92f572df70f355954a4b83373ab2b394 (diff)
downloadgnutls-3e8cd4b2daf353a32baeb12103e8f421628ad0f6.tar.gz
Move TLS/IA features to libgnutls-extra.
Diffstat (limited to 'libextra')
-rw-r--r--libextra/Makefile.am3
-rw-r--r--libextra/ext_inner_application.c146
-rw-r--r--libextra/ext_inner_application.h28
-rw-r--r--libextra/gnutls_extra.c66
4 files changed, 213 insertions, 30 deletions
diff --git a/libextra/Makefile.am b/libextra/Makefile.am
index 4d0704fcd1..37c377ec12 100644
--- a/libextra/Makefile.am
+++ b/libextra/Makefile.am
@@ -86,7 +86,8 @@ libgnutls_extra_la_LDFLAGS = -no-undefined
# TLS/IA
-libgnutls_extra_la_SOURCES += gnutls_ia.c
+libgnutls_extra_la_SOURCES += \
+ ext_inner_application.h ext_inner_application.c gnutls_ia.c
# Rest
diff --git a/libextra/ext_inner_application.c b/libextra/ext_inner_application.c
new file mode 100644
index 0000000000..521e78281c
--- /dev/null
+++ b/libextra/ext_inner_application.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2005, 2006, 2008 Free Software Foundation
+ *
+ * Author: Simon Josefsson
+ *
+ * This file is part of GNUTLS-EXTRA.
+ *
+ * GNUTLS-EXTRA is free software: you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * GNUTLS-EXTRA is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "gnutls_int.h"
+#include "gnutls_auth_int.h"
+#include "gnutls_errors.h"
+#include "gnutls_num.h"
+#include "ext_inner_application.h"
+
+#define NO 0
+#define YES 1
+
+int
+_gnutls_inner_application_recv_params (gnutls_session_t session,
+ const opaque * data, size_t data_size)
+{
+ tls_ext_st *ext = &session->security_parameters.extensions;
+
+ if (data_size != 1)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+ }
+
+ ext->gnutls_ia_peer_enable = 1;
+ ext->gnutls_ia_peer_allowskip = 0;
+
+ switch ((unsigned char) *data)
+ {
+ case NO: /* Peer's ia_on_resume == no */
+ ext->gnutls_ia_peer_allowskip = 1;
+ break;
+
+ case YES:
+ break;
+
+ default:
+ gnutls_assert ();
+ }
+
+ return 0;
+}
+
+
+/* returns data_size or a negative number on failure
+ */
+int
+_gnutls_inner_application_send_params (gnutls_session_t session,
+ opaque * data, size_t data_size)
+{
+ tls_ext_st *ext = &session->security_parameters.extensions;
+
+ /* Set ext->gnutls_ia_enable depending on whether we have a TLS/IA
+ credential in the session. */
+
+ if (session->security_parameters.entity == GNUTLS_CLIENT)
+ {
+ gnutls_ia_client_credentials_t cred = (gnutls_ia_client_credentials_t)
+ _gnutls_get_cred (session->key, GNUTLS_CRD_IA, NULL);
+
+ if (cred)
+ ext->gnutls_ia_enable = 1;
+ }
+ else
+ {
+ gnutls_ia_server_credentials_t cred = (gnutls_ia_server_credentials_t)
+ _gnutls_get_cred (session->key, GNUTLS_CRD_IA, NULL);
+
+ if (cred)
+ ext->gnutls_ia_enable = 1;
+ }
+
+ /* If we don't want gnutls_ia locally, or we are a server and the
+ * client doesn't want it, don't advertise TLS/IA support at all, as
+ * required. */
+
+ if (!ext->gnutls_ia_enable)
+ return 0;
+
+ if (session->security_parameters.entity == GNUTLS_SERVER &&
+ !ext->gnutls_ia_peer_enable)
+ return 0;
+
+ /* We'll advertise. Check if there's room in the hello buffer. */
+
+ if (data_size < 1)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_SHORT_MEMORY_BUFFER;
+ }
+
+ /* default: require new application phase */
+
+ *data = YES;
+
+ if (session->security_parameters.entity == GNUTLS_CLIENT)
+ {
+
+ /* Client: value follows local setting */
+
+ if (ext->gnutls_ia_allowskip)
+ *data = NO;
+ }
+ else
+ {
+
+ /* Server: value follows local setting and client's setting, but only
+ * if we are resuming.
+ *
+ * XXX Can server test for resumption at this stage?
+ *
+ * Ai! It seems that read_client_hello only calls parse_extensions if
+ * we're NOT resuming! That would make us automatically violate the IA
+ * draft; if we're resuming, we must first learn what the client wants
+ * -- IA or no IA -- and then prepare our response. Right now we'll
+ * always skip IA on resumption, because recv_ext isn't even called
+ * to record the peer's support for IA at all. Simon? */
+
+ if (ext->gnutls_ia_allowskip &&
+ ext->gnutls_ia_peer_allowskip &&
+ session->internals.resumed == RESUME_TRUE)
+ *data = NO;
+ }
+
+ return 1;
+}
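Review bot: An unrecognized extension byte is silently accepted in `_gnutls_inner_application_recv_params`: the `default:` arm of the switch only calls `gnutls_assert ()` and the function still returns 0, and `ext->gnutls_ia_peer_enable` has already been set to 1 before the value was examined, so a peer sending anything other than 0 or 1 ends up recorded as "TLS/IA enabled, no skip allowed". A value outside the defined range should be rejected, e.g. `default: gnutls_assert (); return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;` (or whichever illegal-parameter code this library uses for extension payloads), and the two `ext->` assignments are better placed after the switch so an error return does not leave partially updated session state. Separately, in `_gnutls_inner_application_send_params` the two `cred` casts are unnecessary since the pointer is only tested for NULL; a single `if (_gnutls_get_cred (session->key, GNUTLS_CRD_IA, NULL)) ext->gnutls_ia_enable = 1;` replaces both branches. Both functions are entirely within this hunk.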
diff --git a/libextra/ext_inner_application.h b/libextra/ext_inner_application.h
new file mode 100644
index 0000000000..5f63961ac7
--- /dev/null
+++ b/libextra/ext_inner_application.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2005, 2008 Free Software Foundation
+ *
+ * Author: Simon Josefsson
+ *
+ * This file is part of GNUTLS-EXTRA.
+ *
+ * GNUTLS-EXTRA is free software: you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * GNUTLS-EXTRA is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+int _gnutls_inner_application_recv_params (gnutls_session_t session,
+ const opaque * data,
+ size_t data_size);
+int _gnutls_inner_application_send_params (gnutls_session_t session,
+ opaque * data, size_t);
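Review bot: The new header has no include guard and declares `gnutls_session_t`, `opaque` and `size_t` parameters without including anything, so it is only usable after `gnutls_int.h` has been included first, which both of its includers in this commit happen to do; wrapping the declarations in a guard such as `#ifndef EXT_INNER_APPLICATION_H` / `#define EXT_INNER_APPLICATION_H` / `#endif` (name as convenient) makes repeated inclusion safe. The second prototype also drops the name of its last parameter (`opaque * data, size_t);`) while the definition calls it `data_size`; naming it keeps the prototype self-documenting and consistent with the first declaration.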
diff --git a/libextra/gnutls_extra.c b/libextra/gnutls_extra.c
index 970208e365..01d5d1ecc8 100644
--- a/libextra/gnutls_extra.c
+++ b/libextra/gnutls_extra.c
@@ -5,24 +5,26 @@
*
* This file is part of GNUTLS-EXTRA.
*
- * GNUTLS-EXTRA is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * GNUTLS-EXTRA is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
+ * GNUTLS-EXTRA is free software: you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * GNUTLS-EXTRA is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
* You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ * along with this program. If not, see
+ * <http://www.gnu.org/licenses/>.
*/
#include <gnutls_int.h>
#include <gnutls_errors.h>
#include <gnutls_extensions.h>
#include <gnutls_algorithms.h>
+#include <ext_inner_application.h>
#ifdef USE_LZO
# ifdef USE_MINILZO
# include "minilzo/minilzo.h"
@@ -97,6 +99,8 @@ static int _gnutls_init_extra = 0;
int
gnutls_global_init_extra (void)
{
+ int ret;
+
/* If the version of libgnutls != version of
* libextra, then do not initialize the library.
* This is because it may break things.
@@ -113,27 +117,31 @@ gnutls_global_init_extra (void)
return 0;
}
+ ret = gnutls_ext_register (GNUTLS_EXTENSION_INNER_APPLICATION,
+ "INNER_APPLICATION",
+ GNUTLS_EXT_TLS,
+ _gnutls_inner_application_recv_params,
+ _gnutls_inner_application_send_params);
+ if (ret != GNUTLS_E_SUCCESS)
+ return ret;
+
/* Initialize the LZO library
*/
#ifdef USE_LZO
- {
- int ret;
-
- if (lzo_init () != LZO_E_OK)
- {
- return GNUTLS_E_LZO_INIT_FAILED;
- }
-
- /* Add the LZO compression method in the list of compression
- * methods.
- */
- ret = _gnutls_add_lzo_comp ();
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
- }
+ if (lzo_init () != LZO_E_OK)
+ {
+ return GNUTLS_E_LZO_INIT_FAILED;
+ }
+
+ /* Add the LZO compression method in the list of compression
+ * methods.
+ */
+ ret = _gnutls_add_lzo_comp ();
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
#endif
return 0;
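Review bot: The new early return after `gnutls_ext_register` is inconsistent with the LZO error path a few lines below in the same function: the LZO path calls `gnutls_assert ()` before returning `ret`, while a failed extension registration returns silently and leaves no trace in the assert log. For consistency: `if (ret != GNUTLS_E_SUCCESS) { gnutls_assert (); return ret; }`. The enclosing function `gnutls_global_init_extra` begins before this hunk and closes after it; it appears to be guarded by the `_gnutls_init_extra` flag visible only in the previous hunk header, so whether a second call could register the extension twice cannot be confirmed from here.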