authorZoltan Fridrich <zfridric@redhat.com>2023-01-27 15:03:53 +0100
committerZoltan Fridrich <zfridric@redhat.com>2023-01-27 15:11:28 +0100
commit50e0c39fc9b8e0ae493f42a3046db5e70f8ea044 (patch)
tree36d6eb0dde4d81527a07017d6df7d1dd4b7e436e /src
parent21288eb0ce9d27f00c4f8ac8048b22f4003f65ac (diff)
downloadgnutls-50e0c39fc9b8e0ae493f42a3046db5e70f8ea044.tar.gz
Indent code
Co-authored-by: Simon Josefsson <simon@josefsson.org> Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Diffstat (limited to 'src')
-rw-r--r--src/benchmark-cipher.c31
-rw-r--r--src/benchmark-tls.c250
-rw-r--r--src/benchmark.c21
-rw-r--r--src/benchmark.h38
-rw-r--r--src/certtool-cfg.c742
-rw-r--r--src/certtool-cfg.h18
-rw-r--r--src/certtool-common.c227
-rw-r--r--src/certtool-common.h85
-rw-r--r--src/certtool-extras.c18
-rw-r--r--src/certtool.c652
-rw-r--r--src/cfg.c55
-rw-r--r--src/cfg.h4
-rw-r--r--src/cli-debug.c83
-rw-r--r--src/cli.c444
-rw-r--r--src/common.c332
-rw-r--r--src/common.h107
-rw-r--r--src/danetool.c116
-rwxr-xr-xsrc/inline_cmds.h9
-rw-r--r--src/ocsptool-common.c74
-rw-r--r--src/ocsptool-common.h13
-rw-r--r--src/ocsptool.c91
-rw-r--r--src/p11tool.c42
-rw-r--r--src/p11tool.h37
-rw-r--r--src/pkcs11.c498
-rw-r--r--src/psk.c64
-rw-r--r--src/serv.c491
-rw-r--r--src/socket.c162
-rw-r--r--src/socket.h39
-rw-r--r--src/srptool.c51
-rw-r--r--src/systemkey.c17
-rw-r--r--src/tests.c181
-rw-r--r--src/tests.h10
-rw-r--r--src/tpmtool.c33
-rw-r--r--src/udp-serv.c68
-rw-r--r--src/udp-serv.h6
35 files changed, 2719 insertions, 2390 deletions
diff --git a/src/benchmark-cipher.c b/src/benchmark-cipher.c
index 76a3cdc50a..31949e35f1 100644
--- a/src/benchmark-cipher.c
+++ b/src/benchmark-cipher.c
@@ -115,7 +115,7 @@ static void cipher_mac_bench(int algo, int mac_algo, int size)
stop_benchmark(&st, NULL, 1);
- leave:
+ leave:
FREE(input);
FREE(output);
free(_key);
@@ -125,12 +125,12 @@ static void cipher_mac_bench(int algo, int mac_algo, int size)
static void force_memcpy(void *dest, const void *src, size_t n)
{
volatile unsigned volatile_zero = 0;
- volatile char *vdest = (volatile char*)dest;
+ volatile char *vdest = (volatile char *)dest;
if (n > 0) {
do {
memcpy(dest, src, n);
- } while(vdest[volatile_zero] != ((char*)src)[volatile_zero]);
+ } while (vdest[volatile_zero] != ((char *)src)[volatile_zero]);
}
}
@@ -155,8 +155,8 @@ static void cipher_bench(int algo, int size, int aead)
/* For AES-XTS, the block and tweak key must be different */
if (algo == GNUTLS_CIPHER_AES_128_XTS ||
- algo == GNUTLS_CIPHER_AES_256_XTS) {
- memset((uint8_t *)_key + (keysize / 2), 0x0f, (keysize / 2));
+ algo == GNUTLS_CIPHER_AES_256_XTS) {
+ memset((uint8_t *) _key + (keysize / 2), 0x0f, (keysize / 2));
}
_iv = malloc(ivsize);
@@ -177,7 +177,7 @@ static void cipher_bench(int algo, int size, int aead)
assert(gnutls_rnd(GNUTLS_RND_NONCE, &c, 1) >= 0);
ALLOCM(input, MAX_MEM);
- ALLOCM(output, step+64);
+ ALLOCM(output, step + 64);
i = input;
start_benchmark(&st);
@@ -200,9 +200,10 @@ static void cipher_bench(int algo, int size, int aead)
}
do {
- out_size = step+tag_size;
- assert(gnutls_aead_cipher_encrypt(actx, iv.data, iv.size, NULL, 0, tag_size,
- i, step, output, &out_size) >= 0);
+ out_size = step + tag_size;
+ assert(gnutls_aead_cipher_encrypt
+ (actx, iv.data, iv.size, NULL, 0, tag_size, i,
+ step, output, &out_size) >= 0);
st.size += step;
INC(input, i, step);
}
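Review bot: The reformatted call at the `assert(gnutls_aead_cipher_encrypt` line keeps the encryption itself inside the `assert()` expression, so a build with `NDEBUG` defined would drop the call along with the check and the loop would time nothing; the same pattern is visible with `gnutls_rnd` a few lines above the hunk. It is not certain from here that the benchmark is ever built with `NDEBUG`, but separating the side effect from the check costs nothing and also removes the awkward line break the formatter produced between the function name and its argument list: `ret = gnutls_aead_cipher_encrypt(actx, iv.data, iv.size, NULL, 0, tag_size, i, step, output, &out_size);` followed by `assert(ret >= 0);` (using an `int ret` local). The enclosing cipher_bench() starts before and ends after this hunk.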
@@ -229,7 +230,7 @@ static void cipher_bench(int algo, int size, int aead)
FREE(input);
FREE(output);
- leave:
+ leave:
free(_key);
free(_iv);
}
@@ -286,14 +287,14 @@ void benchmark_cipher(int debug_level)
cipher_bench(GNUTLS_CIPHER_AES_128_CCM, size, 1);
cipher_bench(GNUTLS_CIPHER_CHACHA20_POLY1305, size, 1);
- printf("\nChecking cipher-MAC combinations, payload size: %u\n", size * 1024);
+ printf("\nChecking cipher-MAC combinations, payload size: %u\n",
+ size * 1024);
cipher_mac_bench(GNUTLS_CIPHER_SALSA20_256, GNUTLS_MAC_SHA1, size);
cipher_mac_bench(GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1, size);
- cipher_mac_bench(GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA256,
- size);
+ cipher_mac_bench(GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA256, size);
#ifdef ENABLE_GOST
- cipher_mac_bench(GNUTLS_CIPHER_GOST28147_TC26Z_CNT, GNUTLS_MAC_GOST28147_TC26Z_IMIT,
- size);
+ cipher_mac_bench(GNUTLS_CIPHER_GOST28147_TC26Z_CNT,
+ GNUTLS_MAC_GOST28147_TC26Z_IMIT, size);
#endif
printf("\nChecking MAC algorithms, payload size: %u\n", size * 1024);
diff --git a/src/benchmark-tls.c b/src/benchmark-tls.c
index 2c062a6ee7..d0e8c27dcb 100644
--- a/src/benchmark-tls.c
+++ b/src/benchmark-tls.c
@@ -21,7 +21,7 @@
*/
#ifdef HAVE_CONFIG_H
-#include <config.h>
+# include <config.h>
#endif
#include <stdio.h>
@@ -52,7 +52,6 @@ const char *side = "";
#define PRIO_RSA "NONE:+VERS-TLS1.2:+AES-128-GCM:+AEAD:+SIGN-ALL:+COMP-NULL:+RSA"
#define PRIO_ECDH_RSA_PSS "NONE:+VERS-TLS1.3:+AES-128-GCM:+AEAD:+SIGN-RSA-PSS-SHA256:+COMP-NULL:+ECDHE-RSA:+CURVE-SECP256R1"
-
#define PRIO_AES_CBC_SHA1 "NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA"
#define PRIO_TLS12_AES_GCM "NONE:+VERS-TLS1.2:+AES-128-GCM:+AEAD:+SIGN-ALL:+COMP-NULL:+RSA"
#define PRIO_AES_GCM "NONE:+VERS-TLS1.3:+AES-128-GCM:+AEAD:+SIGN-ALL:+COMP-NULL:+GROUP-ALL"
@@ -66,34 +65,33 @@ const char *side = "";
static const int rsa_bits = 3072, ec_bits = 256;
static unsigned char server_rsa_pss_cert_pem[] =
- "-----BEGIN CERTIFICATE-----\n"
- "MIIErTCCAuWgAwIBAgIIWTZrqjOeCfIwPQYJKoZIhvcNAQEKMDCgDTALBglghkgB\n"
- "ZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASAwFzEVMBMGA1UE\n"
- "AxMMcnNhLXBzcyBjZXJ0MCAXDTE3MDYwNjA4NDUzMVoYDzk5OTkxMjMxMjM1OTU5\n"
- "WjAXMRUwEwYDVQQDEwxyc2EtcHNzIGNlcnQwggHSMD0GCSqGSIb3DQEBCjAwoA0w\n"
- "CwYJYIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IB\n"
- "jwAwggGKAoIBgQDswF+JIWGcyu+JfjTcM8UDRKaxOuLVY0SODV1uaXPB5ZW9nEX/\n"
- "FFYIG+ldSKCyz5JF5ThrdvwqO+GVByuvETJdM7N4i8fzGHU8WIsj/CABAV+SaDT/\n"
- "xb+h1ar9dIehKelBmXQADVFX+xvu9OM5Ft3P/wyO9gWWrR7e/MU/SVzWzMT69+5Y\n"
- "oE4QkrYYCuEBtlVHDo2mmNWGSQ5tUVIWARgXbqsmj4voWkutE/CiT0+g6GQilMAR\n"
- "kROElIhO5NH+u3/Lt2wRQO5tEP1JmSoqvrMOmF16txze8qMzvKg1Eafijv9DR4Nc\n"
- "Cc6s8+g+CZbyODSdAybiyKsC7JCIrQjsnAjgPKKBLuZ1NTmu5liuXO05XsdcBoKD\n"
- "bKNAQdJCz4uxfqTr4CGFgHQk48Nhmq01EGmpwAeA/BOCB5qsWzqURtMX8EVB1Zdo\n"
- "3LD5Vwz18mm+ZdeLPlYy3L/FBpVPDbYoZlFgINUNCQvGgvzqGJAQrKR4w8X/Y6HH\n"
- "9R8sv+U8kNtQI90CAwEAAaNrMGkwDAYDVR0TAQH/BAIwADAUBgNVHREEDTALggls\n"
- "b2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAd\n"
- "BgNVHQ4EFgQU1TmyUrkZZn4yMf4asV5OKq8bZ1gwPQYJKoZIhvcNAQEKMDCgDTAL\n"
- "BglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggGB\n"
- "AGxMPB+Z6pgmWNRw5NjIJgnvJfdMWmQib0II5kdU9I1UybrVRUGpI6tFjIB/pRWU\n"
- "SiD8wTZpxfTHkRHUn+Wyhh14XOg2Pdad5Ek2XU/QblL2k4kh1sHdOcCRFbDzP5k8\n"
- "LKIzFcndgnKTRun5368H+NLcXRx/KAi7s9zi4swp9dPxRvNvp8HjQyVhdFi5pK6n\n"
- "pN1Sw/QD22CE1fRVJ3OYxq4sqCEZANhRv6h/M3AcetGt4LR8ErwuzP1fdtuXeumw\n"
- "T0deQ2hhSYZmbkk/S+qHA8as6J224ry7Zr5bhB9hr52yum9yC9SjFy0XEV/895jJ\n"
- "0MDIM33DmPUdnn90Btt+Oq+bgZqTIolifSmcs0sPH10SuxDOnXwkbR44Wu9NbCzx\n"
- "h3VzhlxAdgcnOYSmJnXKWXog4N1BPFrB4rFqXWFF0Avqs4euK81W4IQ4Sk7fYT7C\n"
- "tyrDILPqBhN80Q9Me70y7KRsek6yFn4Jd0Lok6vetaeWtSW0929bhU49b1hkdSzt\n"
- "kw==\n"
- "-----END CERTIFICATE-----\n";
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIErTCCAuWgAwIBAgIIWTZrqjOeCfIwPQYJKoZIhvcNAQEKMDCgDTALBglghkgB\n"
+ "ZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASAwFzEVMBMGA1UE\n"
+ "AxMMcnNhLXBzcyBjZXJ0MCAXDTE3MDYwNjA4NDUzMVoYDzk5OTkxMjMxMjM1OTU5\n"
+ "WjAXMRUwEwYDVQQDEwxyc2EtcHNzIGNlcnQwggHSMD0GCSqGSIb3DQEBCjAwoA0w\n"
+ "CwYJYIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IB\n"
+ "jwAwggGKAoIBgQDswF+JIWGcyu+JfjTcM8UDRKaxOuLVY0SODV1uaXPB5ZW9nEX/\n"
+ "FFYIG+ldSKCyz5JF5ThrdvwqO+GVByuvETJdM7N4i8fzGHU8WIsj/CABAV+SaDT/\n"
+ "xb+h1ar9dIehKelBmXQADVFX+xvu9OM5Ft3P/wyO9gWWrR7e/MU/SVzWzMT69+5Y\n"
+ "oE4QkrYYCuEBtlVHDo2mmNWGSQ5tUVIWARgXbqsmj4voWkutE/CiT0+g6GQilMAR\n"
+ "kROElIhO5NH+u3/Lt2wRQO5tEP1JmSoqvrMOmF16txze8qMzvKg1Eafijv9DR4Nc\n"
+ "Cc6s8+g+CZbyODSdAybiyKsC7JCIrQjsnAjgPKKBLuZ1NTmu5liuXO05XsdcBoKD\n"
+ "bKNAQdJCz4uxfqTr4CGFgHQk48Nhmq01EGmpwAeA/BOCB5qsWzqURtMX8EVB1Zdo\n"
+ "3LD5Vwz18mm+ZdeLPlYy3L/FBpVPDbYoZlFgINUNCQvGgvzqGJAQrKR4w8X/Y6HH\n"
+ "9R8sv+U8kNtQI90CAwEAAaNrMGkwDAYDVR0TAQH/BAIwADAUBgNVHREEDTALggls\n"
+ "b2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAd\n"
+ "BgNVHQ4EFgQU1TmyUrkZZn4yMf4asV5OKq8bZ1gwPQYJKoZIhvcNAQEKMDCgDTAL\n"
+ "BglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggGB\n"
+ "AGxMPB+Z6pgmWNRw5NjIJgnvJfdMWmQib0II5kdU9I1UybrVRUGpI6tFjIB/pRWU\n"
+ "SiD8wTZpxfTHkRHUn+Wyhh14XOg2Pdad5Ek2XU/QblL2k4kh1sHdOcCRFbDzP5k8\n"
+ "LKIzFcndgnKTRun5368H+NLcXRx/KAi7s9zi4swp9dPxRvNvp8HjQyVhdFi5pK6n\n"
+ "pN1Sw/QD22CE1fRVJ3OYxq4sqCEZANhRv6h/M3AcetGt4LR8ErwuzP1fdtuXeumw\n"
+ "T0deQ2hhSYZmbkk/S+qHA8as6J224ry7Zr5bhB9hr52yum9yC9SjFy0XEV/895jJ\n"
+ "0MDIM33DmPUdnn90Btt+Oq+bgZqTIolifSmcs0sPH10SuxDOnXwkbR44Wu9NbCzx\n"
+ "h3VzhlxAdgcnOYSmJnXKWXog4N1BPFrB4rFqXWFF0Avqs4euK81W4IQ4Sk7fYT7C\n"
+ "tyrDILPqBhN80Q9Me70y7KRsek6yFn4Jd0Lok6vetaeWtSW0929bhU49b1hkdSzt\n"
+ "kw==\n" "-----END CERTIFICATE-----\n";
static unsigned char server_cert_pem[] =
"-----BEGIN CERTIFICATE-----\n"
@@ -119,8 +117,7 @@ static unsigned char server_cert_pem[] =
"iD0a4cO2FPjjVt5ji+iaJTaXBEd9GHklKE6ZTZhj5az9ygQj1m6HZ2i3shWtG2ks\n"
"AjgnGzsA8Wm/5X6YyR8UND41rS/lAc9yx8Az9Hqzfg8aOyvixYVPNKoTEPAMmypA\n"
"oQT6g4b989lZFcjrwnLCrwz83jPD683p5IenCnRI5yhuFoQauy2tgHIbC1FRgs0C\n"
- "dyiOeDh80u1fekMVjRztIAwavuwxI6XgRzPSHhWR\n"
- "-----END CERTIFICATE-----\n";
+ "dyiOeDh80u1fekMVjRztIAwavuwxI6XgRzPSHhWR\n" "-----END CERTIFICATE-----\n";
static unsigned char server_key_pem[] =
"-----BEGIN RSA PRIVATE KEY-----\n"
@@ -167,8 +164,7 @@ static unsigned char server_ecc_key_pem[] =
"-----BEGIN EC PRIVATE KEY-----\n"
"MHgCAQEEIQDrAKCAbdMKPngHu4zdSQ2Pghob8PhyrbUpWAR8V07E+qAKBggqhkjO\n"
"PQMBB6FEA0IABDfo4YLPkO4pBpQamtObIV3J6l92vI+RkyNtaQ9gtSWDj20w/aBC\n"
- "WlbcTsRZ2itEpJ6GdLsGOW4RRfmiubzC9JU=\n"
- "-----END EC PRIVATE KEY-----\n";
+ "WlbcTsRZ2itEpJ6GdLsGOW4RRfmiubzC9JU=\n" "-----END EC PRIVATE KEY-----\n";
static unsigned char server_ecc_cert_pem[] =
"-----BEGIN CERTIFICATE-----\n"
@@ -181,61 +177,59 @@ static unsigned char server_ecc_cert_pem[] =
"VR0OBBYEFOuSntH2To0gJLH79Ow4wNpBuhmEMB8GA1UdIwQYMBaAFMZ1miRvZAYr\n"
"nBEymOtPjbfTrnblMAoGCCqGSM49BAMCA0gAMEUCIQCMP3aBcCxSPbCUhihOsUmH\n"
"G04AgT1PKw8z4LgZ4VGTVAIgYw3IFwS5sSYEAHRZAH8eaTXTz7XFmWmnkve9EBkN\n"
- "cBE=\n"
- "-----END CERTIFICATE-----\n";
+ "cBE=\n" "-----END CERTIFICATE-----\n";
static unsigned char server_ed25519_key_pem[] =
- "-----BEGIN PRIVATE KEY-----\n"
- "MC4CAQAwBQYDK2VwBCIEIOXDJXOU6J6XdXx4WfcyPILPYJDH5bRfm9em+DYMkllw\n"
- "-----END PRIVATE KEY-----\n";
+ "-----BEGIN PRIVATE KEY-----\n"
+ "MC4CAQAwBQYDK2VwBCIEIOXDJXOU6J6XdXx4WfcyPILPYJDH5bRfm9em+DYMkllw\n"
+ "-----END PRIVATE KEY-----\n";
static unsigned char server_ed25519_cert_pem[] =
- "-----BEGIN CERTIFICATE-----\n"
- "MIIBwTCCAWagAwIBAgIIWTZasQWGNVEwCgYIKoZIzj0EAwIwfTELMAkGA1UEBhMC\n"
- "QkUxDzANBgNVBAoTBkdudVRMUzElMCMGA1UECxMcR251VExTIGNlcnRpZmljYXRl\n"
- "IGF1dGhvcml0eTEPMA0GA1UECBMGTGV1dmVuMSUwIwYDVQQDExxHbnVUTFMgY2Vy\n"
- "dGlmaWNhdGUgYXV0aG9yaXR5MCAXDTE3MDYwNjA3MzMwNVoYDzk5OTkxMjMxMjM1\n"
- "OTU5WjAZMRcwFQYDVQQDEw5FZDI1NTE5IHNpZ25lcjAqMAUGAytlcAMhAPMF++lz\n"
- "LIzfyCX0v0B7LIabZWZ/dePW9HexIbW3tYmHo2EwXzAMBgNVHRMBAf8EAjAAMA8G\n"
- "A1UdDwEB/wQFAwMHgAAwHQYDVR0OBBYEFONSSnOdGLzpv3xNcci8ZiKKqzyqMB8G\n"
- "A1UdIwQYMBaAFPC0gf6YEr+1KLlkQAPLzB9mTigDMAoGCCqGSM49BAMCA0kAMEYC\n"
- "IQDHGfSgM44DVZfrP5CF8LSNlFN55ti3Z69YJ0SK8Fy9eQIhAN2UKeX3l8A9Ckcm\n"
- "7barRoh+qx7ZVYpe+5w3JYuxy16w\n"
- "-----END CERTIFICATE-----\n";
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIBwTCCAWagAwIBAgIIWTZasQWGNVEwCgYIKoZIzj0EAwIwfTELMAkGA1UEBhMC\n"
+ "QkUxDzANBgNVBAoTBkdudVRMUzElMCMGA1UECxMcR251VExTIGNlcnRpZmljYXRl\n"
+ "IGF1dGhvcml0eTEPMA0GA1UECBMGTGV1dmVuMSUwIwYDVQQDExxHbnVUTFMgY2Vy\n"
+ "dGlmaWNhdGUgYXV0aG9yaXR5MCAXDTE3MDYwNjA3MzMwNVoYDzk5OTkxMjMxMjM1\n"
+ "OTU5WjAZMRcwFQYDVQQDEw5FZDI1NTE5IHNpZ25lcjAqMAUGAytlcAMhAPMF++lz\n"
+ "LIzfyCX0v0B7LIabZWZ/dePW9HexIbW3tYmHo2EwXzAMBgNVHRMBAf8EAjAAMA8G\n"
+ "A1UdDwEB/wQFAwMHgAAwHQYDVR0OBBYEFONSSnOdGLzpv3xNcci8ZiKKqzyqMB8G\n"
+ "A1UdIwQYMBaAFPC0gf6YEr+1KLlkQAPLzB9mTigDMAoGCCqGSM49BAMCA0kAMEYC\n"
+ "IQDHGfSgM44DVZfrP5CF8LSNlFN55ti3Z69YJ0SK8Fy9eQIhAN2UKeX3l8A9Ckcm\n"
+ "7barRoh+qx7ZVYpe+5w3JYuxy16w\n" "-----END CERTIFICATE-----\n";
#ifdef ENABLE_GOST
static unsigned char server_gost12_256_key_pem[] =
- "-----BEGIN PRIVATE KEY-----\n"
- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIkAAYIKoUDBwEBAgIEIgQg0+JttJEV\n"
- "Ud+XBzX9q13ByKK+j2b+mEmNIo1yB0wGleo=\n"
- "-----END PRIVATE KEY-----\n";
+ "-----BEGIN PRIVATE KEY-----\n"
+ "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIkAAYIKoUDBwEBAgIEIgQg0+JttJEV\n"
+ "Ud+XBzX9q13ByKK+j2b+mEmNIo1yB0wGleo=\n" "-----END PRIVATE KEY-----\n";
static unsigned char server_gost12_256_cert_pem[] =
- "-----BEGIN CERTIFICATE-----\n"
- "MIIC8DCCAVigAwIBAgIIWcZKgxkCMvcwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n"
- "AxMEQ0EtMzAgFw0xOTEwMDgxMDQ4MTZaGA85OTk5MTIzMTIzNTk1OVowDTELMAkG\n"
- "A1UEAxMCR1IwZjAfBggqhQMHAQEBATATBgcqhQMCAiQABggqhQMHAQECAgNDAARA\n"
- "J9sMEEx0JW9QsT5bDqyc0TNcjVg9ZSdp4GkMtShM+OOgyBGrWK3zLP5IzHYSXja8\n"
- "373QrJOUvdX7T7TUk5yU5aOBjTCBijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC\n"
- "CWxvY2FsaG9zdDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB4AA\n"
- "MB0GA1UdDgQWBBQYSEtdwsYrtnOq6Ya3nt8DgFPCQjAfBgNVHSMEGDAWgBT5qIYZ\n"
- "Y7akFBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAR0xtx7MWEP1KyIzM\n"
- "4lXKdTyU4Nve5RcgqF82yR/0odqT5MPoaZDvLuRWEcQryztZD3kmRUmPmn1ujSfc\n"
- "BbPfRnSutDXcf6imq0/U1/TV/BF3vpS1plltzetvibf8MYetHVFQHUBJDZJHh9h7\n"
- "PGwA9SnmnGKFIxFdV6bVOLkPR54Gob9zN3E17KslL19lNtht1pxk9pshwTn35oRY\n"
- "uOdxof9F4XjpI/4WbC8kp15QeG8XyZd5JWSl+niNOqYK31+ilQdVBr4RiZSDIcAg\n"
- "twS5yV9Ap+R8rM8TLbeT2io4rhdUgmDllUf49zV3t6AbVvbsQfkqXmHXW8uW2WBu\n"
- "A8FiXEbIIOb+QIW0ZGwk3BVQ7wdiw1M5w6kYtz5kBtNPxBmc+eu1+e6EAfYbFNr3\n"
- "pkxtMk3veYWHb5s3dHZ4/t2Rn85hWqh03CWwCkKTN3qmEs4/XpybbXE/UE49e7u1\n"
- "FkpM1bT/0gUNsNt5h3pyUzQZdiB0XbdGGFta3tB3+inIO45h\n"
- "-----END CERTIFICATE-----\n";
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIC8DCCAVigAwIBAgIIWcZKgxkCMvcwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n"
+ "AxMEQ0EtMzAgFw0xOTEwMDgxMDQ4MTZaGA85OTk5MTIzMTIzNTk1OVowDTELMAkG\n"
+ "A1UEAxMCR1IwZjAfBggqhQMHAQEBATATBgcqhQMCAiQABggqhQMHAQECAgNDAARA\n"
+ "J9sMEEx0JW9QsT5bDqyc0TNcjVg9ZSdp4GkMtShM+OOgyBGrWK3zLP5IzHYSXja8\n"
+ "373QrJOUvdX7T7TUk5yU5aOBjTCBijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC\n"
+ "CWxvY2FsaG9zdDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB4AA\n"
+ "MB0GA1UdDgQWBBQYSEtdwsYrtnOq6Ya3nt8DgFPCQjAfBgNVHSMEGDAWgBT5qIYZ\n"
+ "Y7akFBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAR0xtx7MWEP1KyIzM\n"
+ "4lXKdTyU4Nve5RcgqF82yR/0odqT5MPoaZDvLuRWEcQryztZD3kmRUmPmn1ujSfc\n"
+ "BbPfRnSutDXcf6imq0/U1/TV/BF3vpS1plltzetvibf8MYetHVFQHUBJDZJHh9h7\n"
+ "PGwA9SnmnGKFIxFdV6bVOLkPR54Gob9zN3E17KslL19lNtht1pxk9pshwTn35oRY\n"
+ "uOdxof9F4XjpI/4WbC8kp15QeG8XyZd5JWSl+niNOqYK31+ilQdVBr4RiZSDIcAg\n"
+ "twS5yV9Ap+R8rM8TLbeT2io4rhdUgmDllUf49zV3t6AbVvbsQfkqXmHXW8uW2WBu\n"
+ "A8FiXEbIIOb+QIW0ZGwk3BVQ7wdiw1M5w6kYtz5kBtNPxBmc+eu1+e6EAfYbFNr3\n"
+ "pkxtMk3veYWHb5s3dHZ4/t2Rn85hWqh03CWwCkKTN3qmEs4/XpybbXE/UE49e7u1\n"
+ "FkpM1bT/0gUNsNt5h3pyUzQZdiB0XbdGGFta3tB3+inIO45h\n"
+ "-----END CERTIFICATE-----\n";
static const gnutls_datum_t server_gost12_256_key = { server_gost12_256_key_pem,
- sizeof(server_gost12_256_key_pem)-1
+ sizeof(server_gost12_256_key_pem) - 1
};
-static const gnutls_datum_t server_gost12_256_cert = { server_gost12_256_cert_pem,
- sizeof(server_gost12_256_cert_pem)-1
+static const gnutls_datum_t server_gost12_256_cert =
+ { server_gost12_256_cert_pem,
+ sizeof(server_gost12_256_cert_pem) - 1
};
#endif
@@ -298,8 +292,7 @@ static void test_ciphersuite(const char *cipher_prio, int size)
gnutls_certificate_allocate_credentials(&s_certcred);
gnutls_certificate_set_x509_key_mem(s_certcred, &server_cert,
- &server_key,
- GNUTLS_X509_FMT_PEM);
+ &server_key, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem(s_certcred, &server_ecc_cert,
&server_ecc_key,
GNUTLS_X509_FMT_PEM);
@@ -347,8 +340,8 @@ static void test_ciphersuite(const char *cipher_prio, int size)
HANDSHAKE(client, server);
name = gnutls_cipher_get_name(gnutls_cipher_get(server));
- fprintf(stdout, "%30s - %s ", name, gnutls_protocol_get_name(
- gnutls_protocol_get_version(server)));
+ fprintf(stdout, "%30s - %s ", name,
+ gnutls_protocol_get_name(gnutls_protocol_get_version(server)));
fflush(stdout);
ret = gnutls_rnd(GNUTLS_RND_NONCE, buffer, sizeof(buffer));
@@ -371,13 +364,13 @@ static void test_ciphersuite(const char *cipher_prio, int size)
}
do {
- ret =
- gnutls_record_recv_packet(server, &packet);
+ ret = gnutls_record_recv_packet(server, &packet);
}
while (ret == GNUTLS_E_AGAIN);
if (ret < 0) {
- fprintf(stderr, "Failed receiving from client: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Failed receiving from client: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
@@ -401,7 +394,7 @@ static void test_ciphersuite(const char *cipher_prio, int size)
}
static
-double calc_avg(uint64_t *diffs, unsigned int diffs_size)
+double calc_avg(uint64_t * diffs, unsigned int diffs_size)
{
double avg = 0;
unsigned int i;
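Review bot: The new signature `double calc_avg(uint64_t * diffs, unsigned int diffs_size)` spaces the pointer declarator as if `*` were a binary operator, which contradicts the `char *vdest` form produced elsewhere in this same commit; this looks like GNU indent not knowing `uint64_t` is a type, and the same artifact shows up in `calc_svar` below and in the `(uint8_t *) _key` cast in benchmark-cipher.c. The line should read `double calc_avg(uint64_t *diffs, unsigned int diffs_size)`, and if the reindent was scripted, registering the fixed-width typedefs with the tool (for example `-T uint64_t -T uint8_t`) would stop it from reintroducing the form on the next run. Since this commit fixes the project's formatting baseline, it is worth getting the declarator style consistent now rather than re-churning these lines later.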
@@ -415,14 +408,13 @@ double calc_avg(uint64_t *diffs, unsigned int diffs_size)
}
static
-double calc_svar(uint64_t *diffs, unsigned int diffs_size,
- double avg)
+double calc_svar(uint64_t * diffs, unsigned int diffs_size, double avg)
{
double sum = 0, d;
unsigned int i;
for (i = 0; i < diffs_size; i++) {
- d = ((double) diffs[i] - avg);
+ d = ((double)diffs[i] - avg);
d *= d;
sum += d;
@@ -432,7 +424,6 @@ double calc_svar(uint64_t *diffs, unsigned int diffs_size,
return sum;
}
-
uint64_t total_diffs[32 * 1024];
unsigned int total_diffs_size = 0;
@@ -464,13 +455,17 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk)
ret = 0;
if (pk == GNUTLS_PK_RSA_PSS)
- ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_rsa_pss_cert,
- &server_key,
- GNUTLS_X509_FMT_PEM);
+ ret =
+ gnutls_certificate_set_x509_key_mem(s_certcred,
+ &server_rsa_pss_cert,
+ &server_key,
+ GNUTLS_X509_FMT_PEM);
else if (pk == GNUTLS_PK_RSA)
- ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_cert,
- &server_key,
- GNUTLS_X509_FMT_PEM);
+ ret =
+ gnutls_certificate_set_x509_key_mem(s_certcred,
+ &server_cert,
+ &server_key,
+ GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "Error in %d: %s\n", __LINE__,
gnutls_strerror(ret));
@@ -479,18 +474,24 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk)
ret = 0;
if (pk == GNUTLS_PK_ECDSA)
- ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_ecc_cert,
- &server_ecc_key,
- GNUTLS_X509_FMT_PEM);
+ ret =
+ gnutls_certificate_set_x509_key_mem(s_certcred,
+ &server_ecc_cert,
+ &server_ecc_key,
+ GNUTLS_X509_FMT_PEM);
else if (pk == GNUTLS_PK_EDDSA_ED25519)
- ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_ed25519_cert,
- &server_ed25519_key,
- GNUTLS_X509_FMT_PEM);
+ ret =
+ gnutls_certificate_set_x509_key_mem(s_certcred,
+ &server_ed25519_cert,
+ &server_ed25519_key,
+ GNUTLS_X509_FMT_PEM);
#ifdef ENABLE_GOST
else if (pk == GNUTLS_PK_GOST_12_256)
- ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_gost12_256_cert,
- &server_gost12_256_key,
- GNUTLS_X509_FMT_PEM);
+ ret =
+ gnutls_certificate_set_x509_key_mem(s_certcred,
+ &server_gost12_256_cert,
+ &server_gost12_256_key,
+ GNUTLS_X509_FMT_PEM);
#endif
if (ret < 0) {
fprintf(stderr, "Error in %d: %s\n", __LINE__,
@@ -515,15 +516,14 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk)
do {
gnutls_init(&server, GNUTLS_SERVER);
- ret =
- gnutls_priority_set(server, priority_cache);
+ ret = gnutls_priority_set(server, priority_cache);
if (ret < 0) {
- fprintf(stderr, "Error in setting priority: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error in setting priority: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
#ifdef ENABLE_ANON
- gnutls_credentials_set(server, GNUTLS_CRD_ANON,
- s_anoncred);
+ gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
#endif
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
s_certcred);
@@ -535,15 +535,14 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk)
gnutls_init(&client, GNUTLS_CLIENT);
- ret =
- gnutls_priority_set(client, priority_cache);
+ ret = gnutls_priority_set(client, priority_cache);
if (ret < 0) {
- fprintf(stderr, "Error in setting priority: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error in setting priority: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
#ifdef ENABLE_ANON
- gnutls_credentials_set(client, GNUTLS_CRD_ANON,
- c_anoncred);
+ gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
#endif
gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
c_certcred);
@@ -560,14 +559,15 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk)
gettime(&tr_stop);
if (suite == NULL)
- suite =
- gnutls_session_get_desc(server);
+ suite = gnutls_session_get_desc(server);
gnutls_deinit(client);
gnutls_deinit(server);
- total_diffs[total_diffs_size++] = timespec_sub_ns(&tr_stop, &tr_start);
- if (total_diffs_size > sizeof(total_diffs)/sizeof(total_diffs[0]))
+ total_diffs[total_diffs_size++] =
+ timespec_sub_ns(&tr_stop, &tr_start);
+ if (total_diffs_size >
+ sizeof(total_diffs) / sizeof(total_diffs[0]))
abort();
st.size += 1;
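Review bot: The bounds check on `total_diffs` runs after the store, and because it compares with `>` it only fires once `total_diffs_size` has already gone one past the array, so the element at index 32*1024 is written before `abort()` is reached. Whether a handshake loop can actually reach that many iterations within the benchmark window is not clear from here, but the guard as written cannot prevent the overflow it exists for. The check should precede the write and use `>=`: `if (total_diffs_size >= sizeof(total_diffs) / sizeof(total_diffs[0])) abort();` then `total_diffs[total_diffs_size++] = timespec_sub_ns(&tr_stop, &tr_start);`. The enclosing test_ciphersuite_kx() continues outside this hunk.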
@@ -586,19 +586,20 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk)
} else if (avg < 1000000) {
scale = "\u00B5s";
avg /= 1000;
- for (i=0;i<total_diffs_size;i++)
+ for (i = 0; i < total_diffs_size; i++)
total_diffs[i] /= 1000;
} else {
scale = "ms";
- avg /= 1000*1000;
- for (i=0;i<total_diffs_size;i++)
- total_diffs[i] /= 1000*1000;
+ avg /= 1000 * 1000;
+ for (i = 0; i < total_diffs_size; i++)
+ total_diffs[i] /= 1000 * 1000;
}
svar = calc_svar(total_diffs, total_diffs_size, avg);
- printf(" - avg. handshake time: %.2f %s\n - standard deviation: %.2f %s\n\n",
- avg, scale, sqrt(svar), scale);
+ printf
+ (" - avg. handshake time: %.2f %s\n - standard deviation: %.2f %s\n\n",
+ avg, scale, sqrt(svar), scale);
#ifdef ENABLE_ANON
gnutls_anon_free_client_credentials(c_anoncred);
@@ -657,7 +658,8 @@ void benchmark_tls(int debug_level, int ciphers)
test_ciphersuite_kx(PRIO_ECDH_X25519, GNUTLS_PK_RSA);
test_ciphersuite_kx(PRIO_ECDHE_ECDSA, GNUTLS_PK_ECC);
test_ciphersuite_kx(PRIO_ECDH_X25519_ECDSA, GNUTLS_PK_ECC);
- test_ciphersuite_kx(PRIO_ECDH_X25519_EDDSA, GNUTLS_PK_EDDSA_ED25519);
+ test_ciphersuite_kx(PRIO_ECDH_X25519_EDDSA,
+ GNUTLS_PK_EDDSA_ED25519);
test_ciphersuite_kx(PRIO_RSA, GNUTLS_PK_RSA);
#ifdef ENABLE_GOST
test_ciphersuite_kx(PRIO_GOST_CNT, GNUTLS_PK_GOST_12_256);
diff --git a/src/benchmark.c b/src/benchmark.c
index b582571dc3..45a6f77e57 100644
--- a/src/benchmark.c
+++ b/src/benchmark.c
@@ -31,7 +31,7 @@
volatile int benchmark_must_finish = 0;
#if defined(_WIN32)
-#include <windows.h>
+# include <windows.h>
static DWORD WINAPI alarm_handler(LPVOID lpParameter)
{
HANDLE wtimer = *((HANDLE *) lpParameter);
@@ -51,22 +51,22 @@ value2human(uint64_t bytes, double time, double *data, double *speed,
char *metric)
{
if (bytes > 1000 && bytes < 1000 * 1000) {
- *data = ((double) bytes) / 1000;
+ *data = ((double)bytes) / 1000;
*speed = *data / time;
strcpy(metric, "KB");
return;
} else if (bytes >= 1000 * 1000 && bytes < 1000 * 1000 * 1000) {
- *data = ((double) bytes) / (1000 * 1000);
+ *data = ((double)bytes) / (1000 * 1000);
*speed = *data / time;
strcpy(metric, "MB");
return;
} else if (bytes >= 1000 * 1000 * 1000) {
- *data = ((double) bytes) / (1000 * 1000 * 1000);
+ *data = ((double)bytes) / (1000 * 1000 * 1000);
*speed = *data / time;
strcpy(metric, "GB");
return;
} else {
- *data = (double) bytes;
+ *data = (double)bytes;
*speed = *data / time;
strcpy(metric, "bytes");
return;
@@ -92,15 +92,13 @@ void start_benchmark(struct benchmark_st *st)
st->wthread =
CreateThread(NULL, 0, alarm_handler, &st->wtimer, 0, NULL);
if (st->wthread == NULL) {
- fprintf(stderr, "error: CreateThread %u\n",
- GetLastError());
+ fprintf(stderr, "error: CreateThread %u\n", GetLastError());
exit(1);
}
st->alarm_timeout.QuadPart = (BSECS) * 10000000;
if (SetWaitableTimer
(st->wtimer, &st->alarm_timeout, 0, NULL, NULL, FALSE) == 0) {
- fprintf(stderr, "error: SetWaitableTimer %u\n",
- GetLastError());
+ fprintf(stderr, "error: SetWaitableTimer %u\n", GetLastError());
exit(1);
}
#else
@@ -110,8 +108,7 @@ void start_benchmark(struct benchmark_st *st)
}
/* returns the elapsed time */
-double stop_benchmark(struct benchmark_st *st, const char *metric,
- int quiet)
+double stop_benchmark(struct benchmark_st *st, const char *metric, int quiet)
{
double secs;
unsigned long lsecs;
@@ -141,7 +138,7 @@ double stop_benchmark(struct benchmark_st *st, const char *metric,
imetric, secs);
printf("%.2f %s/sec\n", dspeed, imetric);
} else {
- ddata = (double) st->size;
+ ddata = (double)st->size;
dspeed = ddata / secs;
if (quiet == 0)
printf(" Processed %.2f %s in %.2f secs: ", ddata,
diff --git a/src/benchmark.h b/src/benchmark.h
index a5e2aff124..af9bc3a4c8 100644
--- a/src/benchmark.h
+++ b/src/benchmark.h
@@ -18,22 +18,22 @@
*/
#ifndef GNUTLS_SRC_BENCHMARK_H
-#define GNUTLS_SRC_BENCHMARK_H
+# define GNUTLS_SRC_BENCHMARK_H
-#include <sys/time.h>
-#include <time.h>
-#include <signal.h>
-#if defined(_WIN32)
-#include <windows.h>
-#endif
+# include <sys/time.h>
+# include <time.h>
+# include <signal.h>
+# if defined(_WIN32)
+# include <windows.h>
+# endif
/* for uint64_t */
# include <stdint.h>
-#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_PROCESS_CPUTIME_ID)
-#undef gettime
-#define gettime(x) clock_gettime(CLOCK_PROCESS_CPUTIME_ID, x)
-#else
+# if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_PROCESS_CPUTIME_ID)
+# undef gettime
+# define gettime(x) clock_gettime(CLOCK_PROCESS_CPUTIME_ID, x)
+# else
inline static void gettime(struct timespec *ts)
{
struct timeval tv;
@@ -41,9 +41,9 @@ inline static void gettime(struct timespec *ts)
ts->tv_sec = tv.tv_sec;
ts->tv_nsec = tv.tv_usec * 1000;
}
-#endif
+# endif
-typedef void (*sighandler_t) (int);
+typedef void (*sighandler_t)(int);
void benchmark_cipher(int debug_level);
void benchmark_tls(int debug_level, int ciphers);
@@ -52,23 +52,23 @@ struct benchmark_st {
struct timespec start;
uint64_t size;
sighandler_t old_handler;
-#if defined(_WIN32)
+# if defined(_WIN32)
HANDLE wtimer;
HANDLE wthread;
LARGE_INTEGER alarm_timeout;
-#endif
+# endif
};
extern volatile int benchmark_must_finish;
void start_benchmark(struct benchmark_st *st);
-double stop_benchmark(struct benchmark_st *st, const char *metric,
- int quiet);
+double stop_benchmark(struct benchmark_st *st, const char *metric, int quiet);
inline static unsigned int
timespec_sub_ms(struct timespec *a, struct timespec *b)
{
- return (a->tv_sec - b->tv_sec) * 1000 + (a->tv_nsec - b->tv_nsec) / (1000 * 1000);
+ return (a->tv_sec - b->tv_sec) * 1000 + (a->tv_nsec -
+ b->tv_nsec) / (1000 * 1000);
}
inline static unsigned long
@@ -77,4 +77,4 @@ timespec_sub_ns(struct timespec *a, struct timespec *b)
return (a->tv_sec - b->tv_sec) * 1000000000 + (a->tv_nsec - b->tv_nsec);
}
-#endif /* GNUTLS_SRC_BENCHMARK_H */
+#endif /* GNUTLS_SRC_BENCHMARK_H */
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index a8a135a4a4..9a323c61e8 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -43,9 +43,9 @@
#include <sys/types.h>
#if HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
+# include <sys/socket.h>
#elif HAVE_WS2TCPIP_H
-#include <ws2tcpip.h>
+# include <ws2tcpip.h>
#endif
/* From gnulib for inet_pton() */
@@ -56,8 +56,8 @@
#include "certtool-common.h"
/* to print uint64_t */
-# define __STDC_FORMAT_MACROS
-# include <inttypes.h>
+#define __STDC_FORMAT_MACROS
+#include <inttypes.h>
extern int batch;
extern int ask_pass;
@@ -75,7 +75,9 @@ extern int ask_pass;
if (sizeof(time_t) < 8) \
fprintf(stderr, "This system expresses time with a 32-bit time_t; that prevents dates after 2038 to be expressed by GnuTLS.\n")
-enum option_types { OPTION_NUMERIC, OPTION_STRING, OPTION_BOOLEAN, OPTION_MULTI_LINE };
+enum option_types { OPTION_NUMERIC, OPTION_STRING, OPTION_BOOLEAN,
+ OPTION_MULTI_LINE
+};
struct cfg_options {
const char *name;
@@ -86,76 +88,76 @@ struct cfg_options {
};
static struct cfg_options available_options[] = {
- { .name = "unit", .type = OPTION_MULTI_LINE },
- { .name = "ou", .type = OPTION_MULTI_LINE },
- { .name = "organization", .type = OPTION_MULTI_LINE },
- { .name = "o", .type = OPTION_MULTI_LINE },
- { .name = "dc", .type = OPTION_MULTI_LINE },
- { .name = "dns_name", .type = OPTION_MULTI_LINE },
- { .name = "ip_address", .type = OPTION_MULTI_LINE },
- { .name = "email", .type = OPTION_MULTI_LINE },
- { .name = "krb5_principal", .type = OPTION_MULTI_LINE },
- { .name = "other_name", .type = OPTION_MULTI_LINE },
- { .name = "other_name_utf8", .type = OPTION_MULTI_LINE },
- { .name = "other_name_octet", .type = OPTION_MULTI_LINE },
- { .name = "xmpp_name", .type = OPTION_MULTI_LINE },
- { .name = "key_purpose_oid", .type = OPTION_MULTI_LINE },
- { .name = "nc_exclude_dns", .type = OPTION_MULTI_LINE },
- { .name = "nc_exclude_ip", .type = OPTION_MULTI_LINE },
- { .name = "nc_exclude_email", .type = OPTION_MULTI_LINE },
- { .name = "nc_permit_dns", .type = OPTION_MULTI_LINE },
- { .name = "nc_permit_ip", .type = OPTION_MULTI_LINE },
- { .name = "nc_permit_email", .type = OPTION_MULTI_LINE },
- { .name = "dn_oid", .type = OPTION_MULTI_LINE },
- { .name = "add_extension", .type = OPTION_MULTI_LINE },
- { .name = "add_critical_extension", .type = OPTION_MULTI_LINE },
- { .name = "crl_dist_points", .type = OPTION_MULTI_LINE },
- { .name = "uri", .type = OPTION_MULTI_LINE },
- { .name = "ocsp_uri", .type = OPTION_MULTI_LINE },
- { .name = "ca_issuers_uri", .type = OPTION_MULTI_LINE },
- { .name = "locality", .type = OPTION_STRING },
- { .name = "state", .type = OPTION_STRING },
- { .name = "dn", .type = OPTION_STRING },
- { .name = "cn", .type = OPTION_STRING },
- { .name = "uid", .type = OPTION_STRING },
- { .name = "subject_unique_id", .type = OPTION_STRING },
- { .name = "issuer_unique_id", .type = OPTION_STRING },
- { .name = "challenge_password", .type = OPTION_STRING },
- { .name = "password", .type = OPTION_STRING },
- { .name = "pkcs9_email", .type = OPTION_STRING },
- { .name = "country", .type = OPTION_STRING },
- { .name = "expiration_date", .type = OPTION_STRING },
- { .name = "activation_date", .type = OPTION_STRING },
- { .name = "crl_revocation_date", .type = OPTION_STRING },
- { .name = "crl_this_update_date", .type = OPTION_STRING },
- { .name = "crl_next_update_date", .type = OPTION_STRING },
- { .name = "policy*", .type = OPTION_MULTI_LINE }, /* not a multi-line but there are multi as it is a wildcard */
- { .name = "inhibit_anypolicy_skip_certs", .type = OPTION_NUMERIC },
- { .name = "pkcs12_key_name", .type = OPTION_STRING },
- { .name = "proxy_policy_language", .type = OPTION_STRING },
- { .name = "serial", .type = OPTION_STRING },
- { .name = "expiration_days", .type = OPTION_NUMERIC },
- { .name = "crl_next_update", .type = OPTION_NUMERIC },
- { .name = "crl_number", .type = OPTION_STRING },
- { .name = "path_len", .type = OPTION_NUMERIC },
- { .name = "ca", .type = OPTION_BOOLEAN },
- { .name = "honor_crq_extensions", .type = OPTION_BOOLEAN },
- { .name = "honor_crq_ext", .type = OPTION_MULTI_LINE },
- { .name = "tls_www_client", .type = OPTION_BOOLEAN },
- { .name = "tls_www_server", .type = OPTION_BOOLEAN },
- { .name = "signing_key", .type = OPTION_BOOLEAN },
- { .name = "encryption_key", .type = OPTION_BOOLEAN },
- { .name = "cert_signing_key", .type = OPTION_BOOLEAN },
- { .name = "crl_signing_key", .type = OPTION_BOOLEAN },
- { .name = "code_signing_key", .type = OPTION_BOOLEAN },
- { .name = "ocsp_signing_key", .type = OPTION_BOOLEAN },
- { .name = "time_stamping_key", .type = OPTION_BOOLEAN },
- { .name = "email_protection_key", .type = OPTION_BOOLEAN },
- { .name = "ipsec_ike_key", .type = OPTION_BOOLEAN },
- { .name = "key_agreement", .type = OPTION_BOOLEAN },
- { .name = "data_encipherment", .type = OPTION_BOOLEAN },
- { .name = "non_repudiation", .type = OPTION_BOOLEAN },
- { .name = "tls_feature", .type = OPTION_MULTI_LINE },
+ {.name = "unit",.type = OPTION_MULTI_LINE},
+ {.name = "ou",.type = OPTION_MULTI_LINE},
+ {.name = "organization",.type = OPTION_MULTI_LINE},
+ {.name = "o",.type = OPTION_MULTI_LINE},
+ {.name = "dc",.type = OPTION_MULTI_LINE},
+ {.name = "dns_name",.type = OPTION_MULTI_LINE},
+ {.name = "ip_address",.type = OPTION_MULTI_LINE},
+ {.name = "email",.type = OPTION_MULTI_LINE},
+ {.name = "krb5_principal",.type = OPTION_MULTI_LINE},
+ {.name = "other_name",.type = OPTION_MULTI_LINE},
+ {.name = "other_name_utf8",.type = OPTION_MULTI_LINE},
+ {.name = "other_name_octet",.type = OPTION_MULTI_LINE},
+ {.name = "xmpp_name",.type = OPTION_MULTI_LINE},
+ {.name = "key_purpose_oid",.type = OPTION_MULTI_LINE},
+ {.name = "nc_exclude_dns",.type = OPTION_MULTI_LINE},
+ {.name = "nc_exclude_ip",.type = OPTION_MULTI_LINE},
+ {.name = "nc_exclude_email",.type = OPTION_MULTI_LINE},
+ {.name = "nc_permit_dns",.type = OPTION_MULTI_LINE},
+ {.name = "nc_permit_ip",.type = OPTION_MULTI_LINE},
+ {.name = "nc_permit_email",.type = OPTION_MULTI_LINE},
+ {.name = "dn_oid",.type = OPTION_MULTI_LINE},
+ {.name = "add_extension",.type = OPTION_MULTI_LINE},
+ {.name = "add_critical_extension",.type = OPTION_MULTI_LINE},
+ {.name = "crl_dist_points",.type = OPTION_MULTI_LINE},
+ {.name = "uri",.type = OPTION_MULTI_LINE},
+ {.name = "ocsp_uri",.type = OPTION_MULTI_LINE},
+ {.name = "ca_issuers_uri",.type = OPTION_MULTI_LINE},
+ {.name = "locality",.type = OPTION_STRING},
+ {.name = "state",.type = OPTION_STRING},
+ {.name = "dn",.type = OPTION_STRING},
+ {.name = "cn",.type = OPTION_STRING},
+ {.name = "uid",.type = OPTION_STRING},
+ {.name = "subject_unique_id",.type = OPTION_STRING},
+ {.name = "issuer_unique_id",.type = OPTION_STRING},
+ {.name = "challenge_password",.type = OPTION_STRING},
+ {.name = "password",.type = OPTION_STRING},
+ {.name = "pkcs9_email",.type = OPTION_STRING},
+ {.name = "country",.type = OPTION_STRING},
+ {.name = "expiration_date",.type = OPTION_STRING},
+ {.name = "activation_date",.type = OPTION_STRING},
+ {.name = "crl_revocation_date",.type = OPTION_STRING},
+ {.name = "crl_this_update_date",.type = OPTION_STRING},
+ {.name = "crl_next_update_date",.type = OPTION_STRING},
+ {.name = "policy*",.type = OPTION_MULTI_LINE}, /* not a multi-line but there are multi as it is a wildcard */
+ {.name = "inhibit_anypolicy_skip_certs",.type = OPTION_NUMERIC},
+ {.name = "pkcs12_key_name",.type = OPTION_STRING},
+ {.name = "proxy_policy_language",.type = OPTION_STRING},
+ {.name = "serial",.type = OPTION_STRING},
+ {.name = "expiration_days",.type = OPTION_NUMERIC},
+ {.name = "crl_next_update",.type = OPTION_NUMERIC},
+ {.name = "crl_number",.type = OPTION_STRING},
+ {.name = "path_len",.type = OPTION_NUMERIC},
+ {.name = "ca",.type = OPTION_BOOLEAN},
+ {.name = "honor_crq_extensions",.type = OPTION_BOOLEAN},
+ {.name = "honor_crq_ext",.type = OPTION_MULTI_LINE},
+ {.name = "tls_www_client",.type = OPTION_BOOLEAN},
+ {.name = "tls_www_server",.type = OPTION_BOOLEAN},
+ {.name = "signing_key",.type = OPTION_BOOLEAN},
+ {.name = "encryption_key",.type = OPTION_BOOLEAN},
+ {.name = "cert_signing_key",.type = OPTION_BOOLEAN},
+ {.name = "crl_signing_key",.type = OPTION_BOOLEAN},
+ {.name = "code_signing_key",.type = OPTION_BOOLEAN},
+ {.name = "ocsp_signing_key",.type = OPTION_BOOLEAN},
+ {.name = "time_stamping_key",.type = OPTION_BOOLEAN},
+ {.name = "email_protection_key",.type = OPTION_BOOLEAN},
+ {.name = "ipsec_ike_key",.type = OPTION_BOOLEAN},
+ {.name = "key_agreement",.type = OPTION_BOOLEAN},
+ {.name = "data_encipherment",.type = OPTION_BOOLEAN},
+ {.name = "non_repudiation",.type = OPTION_BOOLEAN},
+ {.name = "tls_feature",.type = OPTION_MULTI_LINE},
};
typedef struct _cfg_ctx {
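Review bot: The reformatted table drops the space after the comma inside every designated initializer, so entries now read `{.name = "unit",.type = OPTION_MULTI_LINE},`, which scans worse than the original `{ .name = "unit", .type = OPTION_MULTI_LINE },`. As far as I know GNU indent has no option that handles C99 designated initializers, so if the table is to keep a readable layout it should be wrapped in `/* *INDENT-OFF* */` … `/* *INDENT-ON* */` markers so the formatter leaves it alone. The table's content is unchanged; this is only about how the new lines read.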
@@ -206,7 +208,7 @@ typedef struct _cfg_ctx {
uint8_t *serial;
unsigned serial_size;
int expiration_days;
- int skip_certs; /* from inhibit anypolicy */
+ int skip_certs; /* from inhibit anypolicy */
int ca;
int path_len;
int tls_www_client;
@@ -341,23 +343,28 @@ void cfg_init(void)
output_size = _output.size; \
}
-
static int handle_option(cfg_option_t val)
{
unsigned j;
unsigned len, cmp;
- for (j=0;j<sizeof(available_options)/sizeof(available_options[0]);j++) {
+ for (j = 0;
+ j < sizeof(available_options) / sizeof(available_options[0]);
+ j++) {
len = strlen(available_options[j].name);
- if (len > 2 && available_options[j].name[len-1] == '*')
- cmp = strncasecmp(val->name, available_options[j].name, len-1);
+ if (len > 2 && available_options[j].name[len - 1] == '*')
+ cmp =
+ strncasecmp(val->name, available_options[j].name,
+ len - 1);
else
cmp = strcasecmp(val->name, available_options[j].name);
if (cmp == 0) {
if (available_options[j].type != OPTION_MULTI_LINE &&
available_options[j].found != 0) {
- fprintf(stderr, "Warning: multiple options found for '%s'; only the first will be taken into account.\n", available_options[j].name);
+ fprintf(stderr,
+ "Warning: multiple options found for '%s'; only the first will be taken into account.\n",
+ available_options[j].name);
}
available_options[j].found = 1;
return 1;
@@ -385,7 +392,9 @@ int template_parse(const char *template)
for (val = pov; val->name; val++) {
if (handle_option(val) == 0) {
- fprintf(stderr, "Warning: skipping unknown option '%s'\n", val->name);
+ fprintf(stderr,
+ "Warning: skipping unknown option '%s'\n",
+ val->name);
}
}
@@ -422,11 +431,13 @@ int template_parse(const char *template)
val = cfg_next(pov, "issuer_unique_id");
if (val != NULL)
- HEX_DECODE(val->value, cfg.issuer_unique_id, cfg.issuer_unique_id_size);
+ HEX_DECODE(val->value, cfg.issuer_unique_id,
+ cfg.issuer_unique_id_size);
val = cfg_next(pov, "subject_unique_id");
if (val != NULL)
- HEX_DECODE(val->value, cfg.subject_unique_id, cfg.subject_unique_id_size);
+ HEX_DECODE(val->value, cfg.subject_unique_id,
+ cfg.subject_unique_id_size);
val = cfg_next(pov, "challenge_password");
if (val != NULL)
@@ -473,14 +484,12 @@ int template_parse(const char *template)
cfg.policy_oid[i] = strdup(val->value);
if (cfg.policy_oid[i] != NULL) {
- snprintf(tmpstr, sizeof(tmpstr), "policy%d_url",
- i + 1);
+ snprintf(tmpstr, sizeof(tmpstr), "policy%d_url", i + 1);
val = cfg_next(pov, tmpstr);
if (val != NULL)
cfg.policy_url[i] = strdup(val->value);
- snprintf(tmpstr, sizeof(tmpstr), "policy%d_txt",
- i + 1);
+ snprintf(tmpstr, sizeof(tmpstr), "policy%d_txt", i + 1);
val = cfg_next(pov, tmpstr);
if (val != NULL) {
cfg.policy_txt[i] = strdup(val->value);
@@ -511,7 +520,8 @@ int template_parse(const char *template)
READ_MULTI_LINE_TOKENIZED("dn_oid", cfg.dn_oid);
READ_MULTI_LINE_TOKENIZED("add_extension", cfg.extensions);
- READ_MULTI_LINE_TOKENIZED("add_critical_extension", cfg.crit_extensions);
+ READ_MULTI_LINE_TOKENIZED("add_critical_extension",
+ cfg.crit_extensions);
READ_MULTI_LINE("crl_dist_points", cfg.crl_dist_points);
@@ -519,7 +529,6 @@ int template_parse(const char *template)
if (val != NULL)
cfg.pkcs12_key_name = strdup(val->value);
-
val = cfg_next(pov, "serial");
if (val != NULL)
SERIAL_DECODE(val->value, cfg.serial, cfg.serial_size);
@@ -583,19 +592,20 @@ static size_t strip_nl(char *str, size_t str_size)
return str_size;
}
-static int copystr_without_nl(char *out, size_t out_size, const char *in, size_t in_size)
+static int copystr_without_nl(char *out, size_t out_size, const char *in,
+ size_t in_size)
{
- if (in_size+1 >= out_size) {
- fprintf(stderr, "Too long line to parse in interactive mode; please use templates.\n");
+ if (in_size + 1 >= out_size) {
+ fprintf(stderr,
+ "Too long line to parse in interactive mode; please use templates.\n");
exit(1);
}
- memcpy(out, in, in_size+1); /* copy terminating null */
+ memcpy(out, in, in_size + 1); /* copy terminating null */
strip_nl(out, in_size);
return 0;
}
-void
-read_crt_set(gnutls_x509_crt_t crt, const char *input_str, const char *oid)
+void read_crt_set(gnutls_x509_crt_t crt, const char *input_str, const char *oid)
{
ssize_t ret;
char *lineptr = NULL;
@@ -613,9 +623,7 @@ read_crt_set(gnutls_x509_crt_t crt, const char *input_str, const char *oid)
linesize = strip_nl(lineptr, ret);
- ret =
- gnutls_x509_crt_set_dn_by_oid(crt, oid, 0, lineptr,
- linesize);
+ ret = gnutls_x509_crt_set_dn_by_oid(crt, oid, 0, lineptr, linesize);
if (ret < 0) {
fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
exit(1);
@@ -623,8 +631,7 @@ read_crt_set(gnutls_x509_crt_t crt, const char *input_str, const char *oid)
free(lineptr);
}
-void
-read_crq_set(gnutls_x509_crq_t crq, const char *input_str, const char *oid)
+void read_crq_set(gnutls_x509_crq_t crq, const char *input_str, const char *oid)
{
ssize_t ret;
char *lineptr = NULL;
@@ -642,9 +649,7 @@ read_crq_set(gnutls_x509_crq_t crq, const char *input_str, const char *oid)
linesize = strip_nl(lineptr, ret);
- ret =
- gnutls_x509_crq_set_dn_by_oid(crq, oid, 0, lineptr,
- linesize);
+ ret = gnutls_x509_crq_set_dn_by_oid(crq, oid, 0, lineptr, linesize);
if (ret < 0) {
fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
exit(1);
@@ -673,41 +678,40 @@ static int64_t read_int_with_default(const char *input_str, long def)
l = strtoll(input, &endptr, 0);
if (*endptr != '\0' && *endptr != '\r' && *endptr != '\n') {
- fprintf(stderr, "Trailing garbage ignored: `%s'\n",
- endptr);
+ fprintf(stderr, "Trailing garbage ignored: `%s'\n", endptr);
return 0;
} else {
*endptr = 0;
}
if (l <= LLONG_MIN || l >= LLONG_MAX) {
- fprintf(stderr, "Integer out of range: `%s' (max: %llu)\n", input, LLONG_MAX-1);
+ fprintf(stderr, "Integer out of range: `%s' (max: %llu)\n",
+ input, LLONG_MAX - 1);
return 0;
}
#else
l = strtol(input, &endptr, 0);
if (*endptr != '\0' && *endptr != '\r' && *endptr != '\n') {
- fprintf(stderr, "Trailing garbage ignored: `%s'\n",
- endptr);
+ fprintf(stderr, "Trailing garbage ignored: `%s'\n", endptr);
return 0;
} else {
*endptr = 0;
}
if (l <= LONG_MIN || l >= LONG_MAX) {
- fprintf(stderr, "Integer out of range: `%s' (max: %lu)\n", input, LONG_MAX-1);
+ fprintf(stderr, "Integer out of range: `%s' (max: %lu)\n",
+ input, LONG_MAX - 1);
return 0;
}
#endif
-
-
if (input == endptr)
l = def;
return l;
}
+
#pragma GCC diagnostic pop
int64_t read_int(const char *input_str)
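Review bot: The out-of-range messages hand a signed value to an unsigned conversion: `LLONG_MAX - 1` is `long long` but the format is `%llu`, and `LONG_MAX - 1` is `long` but the format is `%lu`; the `#pragma GCC diagnostic pop` just below suggests a push above the hunk exists to silence exactly this warning. Using `%lld` and `%ld` respectively fixes the mismatch and would let the pragma pair go. The "Trailing garbage ignored" wording is also misleading, since that branch returns 0 instead of the parsed value, i.e. the input is rejected rather than ignored; `"Trailing garbage after number: `%s'\n"` would describe what happens. read_int_with_default begins above the hunk.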
@@ -715,7 +719,7 @@ int64_t read_int(const char *input_str)
return read_int_with_default(input_str, 0);
}
-int serial_decode(const char *input, gnutls_datum_t *output)
+int serial_decode(const char *input, gnutls_datum_t * output)
{
int i;
int64_t value;
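Review bot: `gnutls_datum_t * output` on the new side of the signature is what indent produces for a name it does not know is a type; the rest of the project writes `gnutls_datum_t *output`, and the same cause turns `(time_t)-1` into `(time_t) - 1` twice in the days_to_secs hunk further down, where it now reads like a subtraction. Passing the typedefs to indent with `-T gnutls_datum_t -T time_t` (or a project-wide typedef list) keeps both spellings as they were. The code's meaning is unchanged; this is only about how the reformatted lines read.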
@@ -724,14 +728,13 @@ int serial_decode(const char *input, gnutls_datum_t *output)
gnutls_datum_t input_datum;
if (input[0] == '0' && input[1] == 'x') {
- input_datum.data = (void *) (input + 2);
+ input_datum.data = (void *)(input + 2);
input_datum.size = strlen(input + 2);
if (input_datum.size == 0) {
return GNUTLS_E_PARSING_ERROR;
}
return gnutls_hex_decode2(&input_datum, output);
}
-
#if SIZEOF_LONG < 8
value = strtol(input, &endptr, 10);
value_limit = LONG_MAX;
@@ -746,7 +749,9 @@ int serial_decode(const char *input, gnutls_datum_t *output)
}
if (value <= 0 || value >= value_limit) {
- fprintf(stderr, "Integer out of range: `%s' (min: 1, max: %"PRId64")\n", input, value_limit-1);
+ fprintf(stderr,
+ "Integer out of range: `%s' (min: 1, max: %" PRId64
+ ")\n", input, value_limit - 1);
return GNUTLS_E_PARSING_ERROR;
}
@@ -799,7 +804,7 @@ int read_yesno(const char *input_str, int def)
{
char input[MAX_INPUT_SIZE];
- restart:
+ restart:
fputs(input_str, stderr);
if (fgets(input, sizeof(input), stdin) == NULL)
return def;
@@ -815,7 +820,6 @@ int read_yesno(const char *input_str, int def)
goto restart;
}
-
/* Wrapper functions for non-interactive mode.
*/
const char *get_pass(void)
@@ -846,8 +850,7 @@ const char *get_confirmed_pass(bool empty_ok)
CHECK_MALLOC(copy);
pass = getpass("Confirm password: ");
}
- while (strcmp(pass, copy) != 0
- && !(empty_ok && *pass == '\0'));
+ while (strcmp(pass, copy) != 0 && !(empty_ok && *pass == '\0'));
free(copy);
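Review bot: `copy`, which holds the first password entered, is freed without being cleared, so the plaintext stays in the heap until that chunk is reused; `free(copy);` should be preceded by `gnutls_memset(copy, 0, strlen(copy));` (the `pass` buffer belongs to getpass and cannot be cleared here). `strcmp(pass, copy)` also assumes getpass returned non-NULL; if the getpass in use can fail the way the POSIX one does, the loop dereferences NULL, which is worth confirming against its definition. get_confirmed_pass begins above the hunk.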
@@ -874,8 +877,7 @@ void get_crl_dist_point_set(gnutls_x509_crt_t crt)
for (i = 0; cfg.crl_dist_points[i] != NULL; i++) {
ret =
gnutls_x509_crt_set_crl_dist_points
- (crt, GNUTLS_SAN_URI, cfg.crl_dist_points[i],
- 0);
+ (crt, GNUTLS_SAN_URI, cfg.crl_dist_points[i], 0);
if (ret < 0)
break;
}
@@ -924,8 +926,7 @@ void get_country_crt_set(gnutls_x509_crt_t crt)
0, cfg.country,
strlen(cfg.country));
if (ret < 0) {
- fprintf(stderr, "set_dn: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
exit(1);
}
} else {
@@ -947,9 +948,12 @@ void get_organization_crt_set(gnutls_x509_crt_t crt)
for (i = 0; cfg.organization[i] != NULL; i++) {
ret =
gnutls_x509_crt_set_dn_by_oid(crt,
- GNUTLS_OID_X520_ORGANIZATION_NAME,
- 0, cfg.organization[i],
- strlen(cfg.organization[i]));
+ GNUTLS_OID_X520_ORGANIZATION_NAME,
+ 0,
+ cfg.organization[i],
+ strlen
+ (cfg.organization
+ [i]));
if (ret < 0) {
fprintf(stderr, "set_dn: %s\n",
gnutls_strerror(ret));
@@ -975,9 +979,9 @@ void get_unit_crt_set(gnutls_x509_crt_t crt)
for (i = 0; cfg.unit[i] != NULL; i++) {
ret =
gnutls_x509_crt_set_dn_by_oid(crt,
- GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
- 0, cfg.unit[i],
- strlen(cfg.unit[i]));
+ GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
+ 0, cfg.unit[i],
+ strlen(cfg.unit[i]));
if (ret < 0) {
fprintf(stderr, "set_dn: %s\n",
gnutls_strerror(ret));
@@ -1004,8 +1008,7 @@ void get_state_crt_set(gnutls_x509_crt_t crt)
0, cfg.state,
strlen(cfg.state));
if (ret < 0) {
- fprintf(stderr, "set_dn: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
exit(1);
}
} else {
@@ -1028,8 +1031,7 @@ void get_locality_crt_set(gnutls_x509_crt_t crt)
0, cfg.locality,
strlen(cfg.locality));
if (ret < 0) {
- fprintf(stderr, "set_dn: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
exit(1);
}
} else {
@@ -1049,16 +1051,14 @@ void get_cn_crt_set(gnutls_x509_crt_t crt)
ret =
gnutls_x509_crt_set_dn_by_oid(crt,
GNUTLS_OID_X520_COMMON_NAME,
- 0, cfg.cn,
- strlen(cfg.cn));
+ 0, cfg.cn, strlen(cfg.cn));
if (ret < 0) {
fprintf(stderr, "set_dn_by_oid: %s\n",
gnutls_strerror(ret));
exit(1);
}
} else {
- read_crt_set(crt, "Common name: ",
- GNUTLS_OID_X520_COMMON_NAME);
+ read_crt_set(crt, "Common name: ", GNUTLS_OID_X520_COMMON_NAME);
}
}
@@ -1088,10 +1088,13 @@ void crt_constraints_set(gnutls_x509_crt_t crt)
gnutls_datum_t name;
if (batch) {
- if (cfg.permitted_nc_dns == NULL && cfg.permitted_nc_email == NULL &&
- cfg.excluded_nc_dns == NULL && cfg.excluded_nc_email == NULL &&
- cfg.permitted_nc_ip == NULL && cfg.excluded_nc_ip == NULL)
- return; /* nothing to do */
+ if (cfg.permitted_nc_dns == NULL
+ && cfg.permitted_nc_email == NULL
+ && cfg.excluded_nc_dns == NULL
+ && cfg.excluded_nc_email == NULL
+ && cfg.permitted_nc_ip == NULL
+ && cfg.excluded_nc_ip == NULL)
+ return; /* nothing to do */
ret = gnutls_x509_name_constraints_init(&nc);
if (ret < 0) {
@@ -1101,14 +1104,22 @@ void crt_constraints_set(gnutls_x509_crt_t crt)
if (cfg.permitted_nc_ip) {
for (i = 0; cfg.permitted_nc_ip[i] != NULL; i++) {
- ret = gnutls_x509_cidr_to_rfc5280(cfg.permitted_nc_ip[i], &name);
+ ret =
+ gnutls_x509_cidr_to_rfc5280
+ (cfg.permitted_nc_ip[i], &name);
if (ret < 0) {
- fprintf(stderr, "error parsing IP constraint: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "error parsing IP constraint: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
- ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_IPADDRESS, &name);
+ ret =
+ gnutls_x509_name_constraints_add_permitted
+ (nc, GNUTLS_SAN_IPADDRESS, &name);
if (ret < 0) {
- fprintf(stderr, "error adding constraint: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "error adding constraint: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
free(name.data);
@@ -1117,14 +1128,22 @@ void crt_constraints_set(gnutls_x509_crt_t crt)
if (cfg.excluded_nc_ip) {
for (i = 0; cfg.excluded_nc_ip[i] != NULL; i++) {
- ret = gnutls_x509_cidr_to_rfc5280(cfg.excluded_nc_ip[i], &name);
+ ret =
+ gnutls_x509_cidr_to_rfc5280
+ (cfg.excluded_nc_ip[i], &name);
if (ret < 0) {
- fprintf(stderr, "error parsing IP constraint: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "error parsing IP constraint: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
- ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_IPADDRESS, &name);
+ ret =
+ gnutls_x509_name_constraints_add_excluded
+ (nc, GNUTLS_SAN_IPADDRESS, &name);
if (ret < 0) {
- fprintf(stderr, "error adding constraint: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "error adding constraint: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
free(name.data);
@@ -1135,24 +1154,31 @@ void crt_constraints_set(gnutls_x509_crt_t crt)
for (i = 0; cfg.permitted_nc_dns[i] != NULL; i++) {
- name.data = (void*)cfg.permitted_nc_dns[i];
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_DNSNAME, &name);
+ name.data = (void *)cfg.permitted_nc_dns[i];
+ name.size = strlen((char *)name.data);
+ ret =
+ gnutls_x509_name_constraints_add_permitted
+ (nc, GNUTLS_SAN_DNSNAME, &name);
if (ret < 0) {
- fprintf(stderr, "error adding constraint: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "error adding constraint: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
}
}
-
if (cfg.excluded_nc_dns) {
for (i = 0; cfg.excluded_nc_dns[i] != NULL; i++) {
- name.data = (void*)cfg.excluded_nc_dns[i];
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_DNSNAME, &name);
+ name.data = (void *)cfg.excluded_nc_dns[i];
+ name.size = strlen((char *)name.data);
+ ret =
+ gnutls_x509_name_constraints_add_excluded
+ (nc, GNUTLS_SAN_DNSNAME, &name);
if (ret < 0) {
- fprintf(stderr, "error adding constraint: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "error adding constraint: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
}
@@ -1160,11 +1186,15 @@ void crt_constraints_set(gnutls_x509_crt_t crt)
if (cfg.permitted_nc_email) {
for (i = 0; cfg.permitted_nc_email[i] != NULL; i++) {
- name.data = (void*)cfg.permitted_nc_email[i];
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_RFC822NAME, &name);
+ name.data = (void *)cfg.permitted_nc_email[i];
+ name.size = strlen((char *)name.data);
+ ret =
+ gnutls_x509_name_constraints_add_permitted
+ (nc, GNUTLS_SAN_RFC822NAME, &name);
if (ret < 0) {
- fprintf(stderr, "error adding constraint: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "error adding constraint: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
}
@@ -1172,11 +1202,15 @@ void crt_constraints_set(gnutls_x509_crt_t crt)
if (cfg.excluded_nc_email) {
for (i = 0; cfg.excluded_nc_email[i] != NULL; i++) {
- name.data = (void*)cfg.excluded_nc_email[i];
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_RFC822NAME, &name);
+ name.data = (void *)cfg.excluded_nc_email[i];
+ name.size = strlen((char *)name.data);
+ ret =
+ gnutls_x509_name_constraints_add_excluded
+ (nc, GNUTLS_SAN_RFC822NAME, &name);
if (ret < 0) {
- fprintf(stderr, "error adding constraint: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "error adding constraint: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
}
@@ -1184,7 +1218,8 @@ void crt_constraints_set(gnutls_x509_crt_t crt)
ret = gnutls_x509_crt_set_name_constraints(crt, nc, 1);
if (ret < 0) {
- fprintf(stderr, "error setting constraints: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "error setting constraints: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
@@ -1197,21 +1232,32 @@ void crt_unique_ids_set(gnutls_x509_crt_t crt)
int ret;
if (batch) {
- if (cfg.subject_unique_id == NULL && cfg.issuer_unique_id == NULL)
- return; /* nothing to do */
+ if (cfg.subject_unique_id == NULL
+ && cfg.issuer_unique_id == NULL)
+ return; /* nothing to do */
if (cfg.subject_unique_id) {
- ret = gnutls_x509_crt_set_subject_unique_id(crt, cfg.subject_unique_id, cfg.subject_unique_id_size);
+ ret =
+ gnutls_x509_crt_set_subject_unique_id(crt,
+ cfg.subject_unique_id,
+ cfg.subject_unique_id_size);
if (ret < 0) {
- fprintf(stderr, "error setting subject unique ID: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "error setting subject unique ID: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
}
if (cfg.issuer_unique_id) {
- ret = gnutls_x509_crt_set_issuer_unique_id(crt, cfg.issuer_unique_id, cfg.issuer_unique_id_size);
+ ret =
+ gnutls_x509_crt_set_issuer_unique_id(crt,
+ cfg.issuer_unique_id,
+ cfg.issuer_unique_id_size);
if (ret < 0) {
- fprintf(stderr, "error setting issuer unique ID: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "error setting issuer unique ID: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
}
@@ -1227,11 +1273,9 @@ void get_uid_crt_set(gnutls_x509_crt_t crt)
return;
ret =
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_LDAP_UID,
- 0, cfg.uid,
- strlen(cfg.uid));
+ 0, cfg.uid, strlen(cfg.uid));
if (ret < 0) {
- fprintf(stderr, "set_dn: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
exit(1);
}
} else {
@@ -1259,9 +1303,8 @@ void get_oid_crt_set(gnutls_x509_crt_t crt)
cfg.dn_oid[i], 0,
cfg.dn_oid[i +
1],
- strlen(cfg.
- dn_oid[i +
- 1]));
+ strlen(cfg.dn_oid[i +
+ 1]));
if (ret < 0) {
fprintf(stderr, "set_dn_oid: %s\n",
@@ -1296,7 +1339,9 @@ static unsigned char *decode_ext_string(char *str, unsigned int *ret_size)
p++;
p2 = strchr(p, ')');
if (p2 == NULL) {
- fprintf(stderr, "there is no terminating parenthesis in: %s\n", str);
+ fprintf(stderr,
+ "there is no terminating parenthesis in: %s\n",
+ str);
exit(1);
}
*p2 = 0;
@@ -1305,28 +1350,31 @@ static unsigned char *decode_ext_string(char *str, unsigned int *ret_size)
}
if (strncmp(p, "0x", 2) == 0)
- p+=2;
+ p += 2;
HEX_DECODE(p, raw, raw_size);
- switch(action) {
- case ENCODE_OCTET_STRING:
- tag_len = sizeof(tag);
- res = asn1_encode_simple_der(ASN1_ETYPE_OCTET_STRING, raw, raw_size, tag, &tag_len);
- if (res != ASN1_SUCCESS) {
- fprintf(stderr, "error in DER encoding: %s\n", asn1_strerror(res));
- exit(1);
- }
- tmp = gnutls_malloc(raw_size+tag_len);
- if (tmp == NULL) {
- fprintf(stderr, "error in allocation\n");
- exit(1);
- }
- memcpy(tmp, tag, tag_len);
- memcpy(tmp+tag_len, raw, raw_size);
- gnutls_free(raw);
- raw = tmp;
- raw_size += tag_len;
- break;
+ switch (action) {
+ case ENCODE_OCTET_STRING:
+ tag_len = sizeof(tag);
+ res =
+ asn1_encode_simple_der(ASN1_ETYPE_OCTET_STRING, raw,
+ raw_size, tag, &tag_len);
+ if (res != ASN1_SUCCESS) {
+ fprintf(stderr, "error in DER encoding: %s\n",
+ asn1_strerror(res));
+ exit(1);
+ }
+ tmp = gnutls_malloc(raw_size + tag_len);
+ if (tmp == NULL) {
+ fprintf(stderr, "error in allocation\n");
+ exit(1);
+ }
+ memcpy(tmp, tag, tag_len);
+ memcpy(tmp + tag_len, raw, raw_size);
+ gnutls_free(raw);
+ raw = tmp;
+ raw_size += tag_len;
+ break;
}
*ret_size = raw_size;
@@ -1351,18 +1399,25 @@ void get_extensions_crt_set(int type, void *crt)
}
/* convert hex to bin */
- raw = decode_ext_string(cfg.extensions[i+1], &raw_size);
+ raw =
+ decode_ext_string(cfg.extensions[i + 1], &raw_size);
if (type == TYPE_CRT)
ret =
gnutls_x509_crt_set_extension_by_oid(crt,
- cfg.extensions[i],
- raw, raw_size, 0);
+ cfg.extensions
+ [i],
+ raw,
+ raw_size,
+ 0);
else
ret =
gnutls_x509_crq_set_extension_by_oid(crt,
- cfg.extensions[i],
- raw, raw_size, 0);
+ cfg.extensions
+ [i],
+ raw,
+ raw_size,
+ 0);
gnutls_free(raw);
if (ret < 0) {
@@ -1383,18 +1438,26 @@ void get_extensions_crt_set(int type, void *crt)
exit(1);
}
/* convert hex to bin */
- raw = decode_ext_string(cfg.crit_extensions[i+1], &raw_size);
+ raw =
+ decode_ext_string(cfg.crit_extensions[i + 1],
+ &raw_size);
if (type == TYPE_CRT)
ret =
gnutls_x509_crt_set_extension_by_oid(crt,
- cfg.crit_extensions[i],
- raw, raw_size, 1);
+ cfg.crit_extensions
+ [i],
+ raw,
+ raw_size,
+ 1);
else
ret =
gnutls_x509_crq_set_extension_by_oid(crt,
- cfg.crit_extensions[i],
- raw, raw_size, 1);
+ cfg.crit_extensions
+ [i],
+ raw,
+ raw_size,
+ 1);
gnutls_free(raw);
@@ -1444,7 +1507,7 @@ void get_ocsp_issuer_set(gnutls_x509_crt_t crt)
if (!cfg.ocsp_uris)
return;
for (i = 0; cfg.ocsp_uris[i] != NULL; i++) {
- uri.data = (void*)cfg.ocsp_uris[i];
+ uri.data = (void *)cfg.ocsp_uris[i];
uri.size = strlen(cfg.ocsp_uris[i]);
ret =
gnutls_x509_crt_set_authority_info_access(crt,
@@ -1452,8 +1515,7 @@ void get_ocsp_issuer_set(gnutls_x509_crt_t crt)
&uri);
if (ret < 0) {
fprintf(stderr, "set OCSP URI (%s): %s\n",
- cfg.ocsp_uris[i],
- gnutls_strerror(ret));
+ cfg.ocsp_uris[i], gnutls_strerror(ret));
exit(1);
}
}
@@ -1469,7 +1531,7 @@ void get_ca_issuers_set(gnutls_x509_crt_t crt)
if (!cfg.ca_issuers_uris)
return;
for (i = 0; cfg.ca_issuers_uris[i] != NULL; i++) {
- uri.data = (void*)cfg.ca_issuers_uris[i];
+ uri.data = (void *)cfg.ca_issuers_uris[i];
uri.size = strlen(cfg.ca_issuers_uris[i]);
ret =
gnutls_x509_crt_set_authority_info_access(crt,
@@ -1486,7 +1548,6 @@ void get_ca_issuers_set(gnutls_x509_crt_t crt)
}
}
-
void get_pkcs9_email_crt_set(gnutls_x509_crt_t crt)
{
int ret;
@@ -1500,8 +1561,7 @@ void get_pkcs9_email_crt_set(gnutls_x509_crt_t crt)
0, cfg.pkcs9_email,
strlen(cfg.pkcs9_email));
if (ret < 0) {
- fprintf(stderr, "set_dn: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
exit(1);
}
} else {
@@ -1510,9 +1570,8 @@ void get_pkcs9_email_crt_set(gnutls_x509_crt_t crt)
}
-
static
-int default_crl_number(unsigned char* serial, size_t *size)
+int default_crl_number(unsigned char *serial, size_t *size)
{
struct timespec ts;
time_t tv_sec_tmp;
@@ -1561,7 +1620,7 @@ int default_crl_number(unsigned char* serial, size_t *size)
**/
static
void read_serial_value(unsigned char *serial, size_t *size, size_t max_size,
- const char *label, const char *rfc_section)
+ const char *label, const char *rfc_section)
{
static char input[MAX_INPUT_SIZE];
int ret;
@@ -1583,8 +1642,7 @@ void read_serial_value(unsigned char *serial, size_t *size, size_t max_size,
fprintf(stderr,
"Enter the %s in decimal (123) or hex (0xabcd)\n"
"(default is 0x%s)\n"
- "value: ",
- label, encoded_default.data);
+ "value: ", label, encoded_default.data);
if (fgets(input, sizeof(input), stdin) == NULL)
break;
@@ -1600,17 +1658,19 @@ void read_serial_value(unsigned char *serial, size_t *size, size_t max_size,
continue;
}
- if ((decoded.size == SERIAL_MAX_BYTES && decoded.data[0] & 0x80) ||
- decoded.size > SERIAL_MAX_BYTES) {
- fprintf(stderr, "%s would be encoded in more than 20 bytes,"
- "see RFC 5280, section %s\n", label, rfc_section);
+ if ((decoded.size == SERIAL_MAX_BYTES && decoded.data[0] & 0x80)
+ || decoded.size > SERIAL_MAX_BYTES) {
+ fprintf(stderr,
+ "%s would be encoded in more than 20 bytes,"
+ "see RFC 5280, section %s\n", label,
+ rfc_section);
gnutls_free(decoded.data);
continue;
}
if (decoded.size > max_size) {
fprintf(stderr, "maximum %zu octets allowed for %s\n",
- max_size, label);
+ max_size, label);
gnutls_free(decoded.data);
continue;
}
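Review bot: The two adjacent string literals in the error message concatenate without a separator, so the user sees `... more than 20 bytes,see RFC 5280, section ...`; the first literal should end with a space, `"%s would be encoded in more than 20 bytes, "`. The same message is repeated in get_serial_value (the hunk that follows the `read_serial_value(serial, size, max_size, label, rfc_section)` call) and needs the same fix. read_serial_value begins above the hunk.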
@@ -1626,9 +1686,9 @@ void read_serial_value(unsigned char *serial, size_t *size, size_t max_size,
static
void get_serial_value(unsigned char *serial, size_t *size,
- const unsigned char *config, size_t config_size,
- int (create_default)(unsigned char *, size_t *),
- const char *label, const char *rfc_section)
+ const unsigned char *config, size_t config_size,
+ int (create_default) (unsigned char *, size_t *),
+ const char *label, const char *rfc_section)
{
size_t max_size = *size;
int ret;
@@ -1636,7 +1696,7 @@ void get_serial_value(unsigned char *serial, size_t *size,
if (batch && config != NULL) {
if (config_size > max_size) {
fprintf(stderr, "maximum %zu octets allowed for %s!\n",
- max_size, label);
+ max_size, label);
exit(1);
}
memcpy(serial, config, config_size);
@@ -1645,7 +1705,7 @@ void get_serial_value(unsigned char *serial, size_t *size,
ret = create_default(serial, size);
if (ret < 0) {
fprintf(stderr, "error generating default %s: %s\n",
- label, gnutls_strerror(ret));
+ label, gnutls_strerror(ret));
exit(1);
}
}
@@ -1653,9 +1713,11 @@ void get_serial_value(unsigned char *serial, size_t *size,
if (!batch)
read_serial_value(serial, size, max_size, label, rfc_section);
- if ((*size == SERIAL_MAX_BYTES && serial[0] & 0x80) || *size > SERIAL_MAX_BYTES) {
- fprintf(stderr, "%s would be encoded in more than 20 bytes,"
- "see RFC 5280, section %s\n", label, rfc_section);
+ if ((*size == SERIAL_MAX_BYTES && serial[0] & 0x80)
+ || *size > SERIAL_MAX_BYTES) {
+ fprintf(stderr,
+ "%s would be encoded in more than 20 bytes,"
+ "see RFC 5280, section %s\n", label, rfc_section);
exit(1);
}
}
@@ -1684,15 +1746,16 @@ int default_serial(unsigned char *serial, size_t *size)
void get_serial(unsigned char *serial, size_t *size)
{
get_serial_value(serial, size, cfg.serial, cfg.serial_size,
- default_serial, "certificate's serial number", "4.1.2.2");
+ default_serial, "certificate's serial number",
+ "4.1.2.2");
}
static
-time_t get_date(const char* date)
+time_t get_date(const char *date)
{
struct timespec r;
- if (date==NULL || parse_datetime(&r, date, NULL) == 0) {
+ if (date == NULL || parse_datetime(&r, date, NULL) == 0) {
PRINT_TIME_T_ERROR;
fprintf(stderr, "Cannot parse date: %s\n", date);
exit(1);
@@ -1734,18 +1797,18 @@ time_t get_crl_this_update_date(void)
static
time_t days_to_secs(int days)
{
-time_t secs = days;
-time_t now = time(NULL);
+ time_t secs = days;
+ time_t now = time(NULL);
- if (secs != (time_t)-1) {
- if (INT_MULTIPLY_OVERFLOW(secs, 24*60*60)) {
+ if (secs != (time_t) - 1) {
+ if (INT_MULTIPLY_OVERFLOW(secs, 24 * 60 * 60)) {
goto overflow;
} else {
- secs *= 24*60*60;
+ secs *= 24 * 60 * 60;
}
}
- if (secs != (time_t)-1) {
+ if (secs != (time_t) - 1) {
if (INT_ADD_OVERFLOW(secs, now)) {
goto overflow;
} else {
@@ -1780,8 +1843,7 @@ time_t get_int_date(const char *txt_val, int int_val, const char *msg)
int days;
do {
- days =
- read_int(msg);
+ days = read_int(msg);
}
while (days == 0);
return days_to_secs(days);
@@ -1790,7 +1852,8 @@ time_t get_int_date(const char *txt_val, int int_val, const char *msg)
time_t get_expiration_date(void)
{
- return get_int_date(cfg.expiration_date, cfg.expiration_days, "The certificate will expire in (days): ");
+ return get_int_date(cfg.expiration_date, cfg.expiration_days,
+ "The certificate will expire in (days): ");
}
int get_ca_status(void)
@@ -1800,8 +1863,7 @@ int get_ca_status(void)
} else {
return
read_yesno
- ("Does the certificate belong to an authority? (y/N): ",
- 0);
+ ("Does the certificate belong to an authority? (y/N): ", 0);
}
}
@@ -1817,10 +1879,10 @@ int get_crq_extensions_status(void)
}
}
-void get_crl_number(unsigned char* serial, size_t * size)
+void get_crl_number(unsigned char *serial, size_t *size)
{
get_serial_value(serial, size, cfg.crl_number, cfg.crl_number_size,
- default_crl_number, "CRL's serial number", "5.2.3");
+ default_crl_number, "CRL's serial number", "5.2.3");
}
int get_path_len(void)
@@ -2028,7 +2090,6 @@ void get_email_set(int type, void *crt)
}
}
-
void get_dc_set(int type, void *crt)
{
int ret = 0, i;
@@ -2043,21 +2104,17 @@ void get_dc_set(int type, void *crt)
gnutls_x509_crt_set_dn_by_oid(crt,
GNUTLS_OID_LDAP_DC,
0,
- cfg.
- dc[i],
+ cfg.dc[i],
strlen
- (cfg.
- dc[i]));
+ (cfg.dc[i]));
else
ret =
gnutls_x509_crq_set_dn_by_oid(crt,
GNUTLS_OID_LDAP_DC,
0,
- cfg.
- dc[i],
+ cfg.dc[i],
strlen
- (cfg.
- dc[i]));
+ (cfg.dc[i]));
if (ret < 0)
break;
@@ -2082,15 +2139,13 @@ void get_dc_set(int type, void *crt)
gnutls_x509_crt_set_dn_by_oid(crt,
GNUTLS_OID_LDAP_DC,
0, p,
- strlen
- (p));
+ strlen(p));
else
ret =
gnutls_x509_crq_set_dn_by_oid(crt,
GNUTLS_OID_LDAP_DC,
0, p,
- strlen
- (p));
+ strlen(p));
counter++;
if (ret < 0)
break;
@@ -2099,8 +2154,7 @@ void get_dc_set(int type, void *crt)
}
if (ret < 0) {
- fprintf(stderr, "set_dn_by_oid: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "set_dn_by_oid: %s\n", gnutls_strerror(ret));
exit(1);
}
}
@@ -2138,9 +2192,11 @@ void get_dns_name_set(int type, void *crt)
do {
if (counter == 0) {
- p = read_str("Enter a dnsName of the subject of the certificate: ");
+ p = read_str
+ ("Enter a dnsName of the subject of the certificate: ");
} else {
- p = read_str("Enter an additional dnsName of the subject of the certificate: ");
+ p = read_str
+ ("Enter an additional dnsName of the subject of the certificate: ");
}
if (!p)
return;
@@ -2172,18 +2228,20 @@ static int set_krb5_principal(int type, void *crt)
if (!cfg.krb5_principal)
return 0;
- for (i = 0; cfg.krb5_principal[i] != NULL; i ++) {
+ for (i = 0; cfg.krb5_principal[i] != NULL; i++) {
if (type == TYPE_CRT)
ret =
gnutls_x509_crt_set_subject_alt_name
(crt, GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL,
- cfg.krb5_principal[i], strlen(cfg.krb5_principal[i]),
+ cfg.krb5_principal[i],
+ strlen(cfg.krb5_principal[i]),
GNUTLS_FSAN_APPEND);
else
ret =
gnutls_x509_crq_set_subject_alt_name
(crt, GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL,
- cfg.krb5_principal[i], strlen(cfg.krb5_principal[i]),
+ cfg.krb5_principal[i],
+ strlen(cfg.krb5_principal[i]),
GNUTLS_FSAN_APPEND);
if (ret < 0)
@@ -2192,7 +2250,8 @@ static int set_krb5_principal(int type, void *crt)
}
if (ret < 0) {
- fprintf(stderr, "set_subject_alt_name(GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL): %s\n",
+ fprintf(stderr,
+ "set_subject_alt_name(GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL): %s\n",
gnutls_strerror(ret));
exit(1);
}
@@ -2221,7 +2280,7 @@ static int set_othername(int type, void *crt)
exit(1);
}
- HEX_DECODE (cfg.other_name[i+1], binname, binnamelen);
+ HEX_DECODE(cfg.other_name[i + 1], binname, binnamelen);
if (binnamelen == 0)
break;
@@ -2229,15 +2288,13 @@ static int set_othername(int type, void *crt)
ret =
gnutls_x509_crt_set_subject_alt_othername
(crt, oid,
- binname, binnamelen,
- GNUTLS_FSAN_APPEND);
+ binname, binnamelen, GNUTLS_FSAN_APPEND);
else
ret =
gnutls_x509_crq_set_subject_alt_othername
(crt, oid,
- binname, binnamelen,
- GNUTLS_FSAN_APPEND);
- free (binname);
+ binname, binnamelen, GNUTLS_FSAN_APPEND);
+ free(binname);
binname = NULL;
if (ret < 0)
@@ -2277,14 +2334,18 @@ static int set_othername_utf8(int type, void *crt)
ret =
gnutls_x509_crt_set_subject_alt_othername
(crt, oid,
- cfg.other_name_utf8[i + 1], strlen(cfg.other_name_utf8[i + 1]),
- GNUTLS_FSAN_APPEND|GNUTLS_FSAN_ENCODE_UTF8_STRING);
+ cfg.other_name_utf8[i + 1],
+ strlen(cfg.other_name_utf8[i + 1]),
+ GNUTLS_FSAN_APPEND |
+ GNUTLS_FSAN_ENCODE_UTF8_STRING);
else
ret =
gnutls_x509_crq_set_subject_alt_othername
(crt, oid,
- cfg.other_name_utf8[i + 1], strlen(cfg.other_name_utf8[i + 1]),
- GNUTLS_FSAN_APPEND|GNUTLS_FSAN_ENCODE_UTF8_STRING);
+ cfg.other_name_utf8[i + 1],
+ strlen(cfg.other_name_utf8[i + 1]),
+ GNUTLS_FSAN_APPEND |
+ GNUTLS_FSAN_ENCODE_UTF8_STRING);
if (ret < 0)
break;
@@ -2323,14 +2384,18 @@ static int set_othername_octet(int type, void *crt)
ret =
gnutls_x509_crt_set_subject_alt_othername
(crt, oid,
- cfg.other_name_octet[i + 1], strlen(cfg.other_name_octet[i + 1]),
- GNUTLS_FSAN_APPEND|GNUTLS_FSAN_ENCODE_OCTET_STRING);
+ cfg.other_name_octet[i + 1],
+ strlen(cfg.other_name_octet[i + 1]),
+ GNUTLS_FSAN_APPEND |
+ GNUTLS_FSAN_ENCODE_OCTET_STRING);
else
ret =
gnutls_x509_crq_set_subject_alt_othername
(crt, oid,
- cfg.other_name_octet[i + 1], strlen(cfg.other_name_octet[i + 1]),
- GNUTLS_FSAN_APPEND|GNUTLS_FSAN_ENCODE_OCTET_STRING);
+ cfg.other_name_octet[i + 1],
+ strlen(cfg.other_name_octet[i + 1]),
+ GNUTLS_FSAN_APPEND |
+ GNUTLS_FSAN_ENCODE_OCTET_STRING);
if (ret < 0)
break;
@@ -2354,7 +2419,7 @@ static int set_xmpp_name(int type, void *crt)
if (!cfg.xmpp_name)
return 0;
- for (i = 0; cfg.xmpp_name[i] != NULL; i ++) {
+ for (i = 0; cfg.xmpp_name[i] != NULL; i++) {
if (type == TYPE_CRT)
ret =
gnutls_x509_crt_set_subject_alt_name
@@ -2382,7 +2447,6 @@ static int set_xmpp_name(int type, void *crt)
return ret;
}
-
void get_other_name_set(int type, void *crt)
{
set_othername(type, crt);
@@ -2399,9 +2463,13 @@ void get_policy_set(gnutls_x509_crt_t crt)
if (batch) {
if (cfg.skip_certs >= 0) {
- ret = gnutls_x509_crt_set_inhibit_anypolicy(crt, cfg.skip_certs);
+ ret =
+ gnutls_x509_crt_set_inhibit_anypolicy(crt,
+ cfg.skip_certs);
if (ret < 0) {
- fprintf(stderr, "error setting inhibit anypolicy: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "error setting inhibit anypolicy: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
}
@@ -2455,14 +2523,12 @@ void get_uri_set(int type, void *crt)
ret =
gnutls_x509_crt_set_subject_alt_name
(crt, GNUTLS_SAN_URI, cfg.uri[i],
- strlen(cfg.uri[i]),
- GNUTLS_FSAN_APPEND);
+ strlen(cfg.uri[i]), GNUTLS_FSAN_APPEND);
else
ret =
gnutls_x509_crq_set_subject_alt_name
(crt, GNUTLS_SAN_URI, cfg.uri[i],
- strlen(cfg.uri[i]),
- GNUTLS_FSAN_APPEND);
+ strlen(cfg.uri[i]), GNUTLS_FSAN_APPEND);
if (ret < 0)
break;
@@ -2504,8 +2570,6 @@ void get_uri_set(int type, void *crt)
}
}
-
-
int get_sign_status(int server)
{
const char *msg;
@@ -2559,8 +2623,7 @@ int get_crl_sign_status(void)
} else {
return
read_yesno
- ("Will the certificate be used to sign CRLs? (y/N): ",
- 0);
+ ("Will the certificate be used to sign CRLs? (y/N): ", 0);
}
}
@@ -2589,7 +2652,10 @@ int get_data_encipherment_status(void)
if (batch) {
return cfg.data_encipherment;
} else {
- return read_yesno("Will the certificate be used for data encryption? (y/N): ", 0);
+ return
+ read_yesno
+ ("Will the certificate be used for data encryption? (y/N): ",
+ 0);
}
}
@@ -2600,8 +2666,7 @@ int get_code_sign_status(void)
} else {
return
read_yesno
- ("Will the certificate be used to sign code? (y/N): ",
- 0);
+ ("Will the certificate be used to sign code? (y/N): ", 0);
}
}
@@ -2655,10 +2720,11 @@ int get_ipsec_ike_status(void)
time_t get_crl_next_update(void)
{
- return get_int_date(cfg.next_update_date, cfg.crl_next_update, "The next CRL will be issued in (days): ");
+ return get_int_date(cfg.next_update_date, cfg.crl_next_update,
+ "The next CRL will be issued in (days): ");
}
-const char *get_proxy_policy(char **policy, size_t * policylen)
+const char *get_proxy_policy(char **policy, size_t *policylen)
{
const char *ret;
@@ -2702,8 +2768,7 @@ void get_country_crq_set(gnutls_x509_crq_t crq)
0, cfg.country,
strlen(cfg.country));
if (ret < 0) {
- fprintf(stderr, "set_dn: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
exit(1);
}
} else {
@@ -2725,10 +2790,12 @@ void get_organization_crq_set(gnutls_x509_crq_t crq)
for (i = 0; cfg.organization[i] != NULL; i++) {
ret =
gnutls_x509_crq_set_dn_by_oid(crq,
- GNUTLS_OID_X520_ORGANIZATION_NAME,
- 0, cfg.organization[i],
- strlen(cfg.
- organization[i]));
+ GNUTLS_OID_X520_ORGANIZATION_NAME,
+ 0,
+ cfg.organization[i],
+ strlen
+ (cfg.organization
+ [i]));
if (ret < 0) {
fprintf(stderr, "set_dn: %s\n",
gnutls_strerror(ret));
@@ -2754,9 +2821,9 @@ void get_unit_crq_set(gnutls_x509_crq_t crq)
for (i = 0; cfg.unit[i] != NULL; i++) {
ret =
gnutls_x509_crq_set_dn_by_oid(crq,
- GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
- 0, cfg.unit[i],
- strlen(cfg.unit[i]));
+ GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
+ 0, cfg.unit[i],
+ strlen(cfg.unit[i]));
if (ret < 0) {
fprintf(stderr, "set_dn: %s\n",
gnutls_strerror(ret));
@@ -2783,8 +2850,7 @@ void get_state_crq_set(gnutls_x509_crq_t crq)
0, cfg.state,
strlen(cfg.state));
if (ret < 0) {
- fprintf(stderr, "set_dn: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
exit(1);
}
} else {
@@ -2807,8 +2873,7 @@ void get_locality_crq_set(gnutls_x509_crq_t crq)
0, cfg.locality,
strlen(cfg.locality));
if (ret < 0) {
- fprintf(stderr, "set_dn: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
exit(1);
}
} else {
@@ -2845,16 +2910,13 @@ void get_cn_crq_set(gnutls_x509_crq_t crq)
ret =
gnutls_x509_crq_set_dn_by_oid(crq,
GNUTLS_OID_X520_COMMON_NAME,
- 0, cfg.cn,
- strlen(cfg.cn));
+ 0, cfg.cn, strlen(cfg.cn));
if (ret < 0) {
- fprintf(stderr, "set_dn: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
exit(1);
}
} else {
- read_crq_set(crq, "Common name: ",
- GNUTLS_OID_X520_COMMON_NAME);
+ read_crq_set(crq, "Common name: ", GNUTLS_OID_X520_COMMON_NAME);
}
}
@@ -2868,11 +2930,9 @@ void get_uid_crq_set(gnutls_x509_crq_t crq)
return;
ret =
gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_LDAP_UID,
- 0, cfg.uid,
- strlen(cfg.uid));
+ 0, cfg.uid, strlen(cfg.uid));
if (ret < 0) {
- fprintf(stderr, "set_dn: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
exit(1);
}
} else {
@@ -2900,9 +2960,8 @@ void get_oid_crq_set(gnutls_x509_crq_t crq)
cfg.dn_oid[i], 0,
cfg.dn_oid[i +
1],
- strlen(cfg.
- dn_oid[i +
- 1]));
+ strlen(cfg.dn_oid[i +
+ 1]));
if (ret < 0) {
fprintf(stderr, "set_dn_oid: %s\n",
@@ -2935,7 +2994,8 @@ void get_tlsfeatures_set(int type, void *crt)
feature = strtoul(cfg.tls_features[i], 0, 10);
ret = gnutls_x509_tlsfeatures_add(features, feature);
if (ret < 0) {
- fprintf(stderr, "gnutls_x509_tlsfeatures_add: %s\n",
+ fprintf(stderr,
+ "gnutls_x509_tlsfeatures_add: %s\n",
gnutls_strerror(ret));
exit(1);
}
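Review bot: `feature = strtoul(cfg.tls_features[i], 0, 10);` on the first context line passes no end pointer and checks neither trailing characters nor `errno`, so a malformed template entry (non-numeric text, or a value out of range) is converted to 0 or ULONG_MAX and handed to gnutls_x509_tlsfeatures_add instead of being reported as a bad template value. Pass an `end` pointer, reset `errno = 0;` before the call, and treat `end == cfg.tls_features[i] || *end != '\0' || errno == ERANGE` as an error with a message naming the offending entry. get_tlsfeatures_set starts before this hunk and its loop continues in the next one.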
@@ -2944,15 +3004,16 @@ void get_tlsfeatures_set(int type, void *crt)
if (type == TYPE_CRT) {
ret = gnutls_x509_crt_set_tlsfeatures(crt, features);
if (ret < 0) {
- fprintf(stderr, "gnutls_x509_crt_set_tlsfeatures: %s\n",
+ fprintf(stderr,
+ "gnutls_x509_crt_set_tlsfeatures: %s\n",
gnutls_strerror(ret));
exit(1);
}
- }
- else {
+ } else {
ret = gnutls_x509_crq_set_tlsfeatures(crt, features);
if (ret < 0) {
- fprintf(stderr, "gnutls_x509_crq_set_tlsfeatures: %s\n",
+ fprintf(stderr,
+ "gnutls_x509_crq_set_tlsfeatures: %s\n",
gnutls_strerror(ret));
exit(1);
}
@@ -2971,9 +3032,14 @@ void crq_extensions_set(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq)
return;
for (i = 0; cfg.exts_to_honor[i]; ++i) {
- ret = gnutls_x509_crt_set_crq_extension_by_oid(crt, crq, cfg.exts_to_honor[i], 0);
+ ret =
+ gnutls_x509_crt_set_crq_extension_by_oid(crt, crq,
+ cfg.exts_to_honor
+ [i], 0);
if (ret < 0) {
- fprintf(stderr, "setting extension failed: %s: %s\n", cfg.exts_to_honor[i],
+ fprintf(stderr,
+ "setting extension failed: %s: %s\n",
+ cfg.exts_to_honor[i],
gnutls_strerror(ret));
}
}
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index c23ff5b0b0..4886683e87 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -21,11 +21,11 @@
*/
#ifndef GNUTLS_SRC_CERTTOOL_CFG_H
-#define GNUTLS_SRC_CERTTOOL_CFG_H
+# define GNUTLS_SRC_CERTTOOL_CFG_H
-#include <stdbool.h>
-#include <stdint.h>
-#include <gnutls/x509.h>
+# include <stdbool.h>
+# include <stdint.h>
+# include <gnutls/x509.h>
void cfg_init(void);
int template_parse(const char *template);
@@ -35,7 +35,7 @@ void read_crt_set(gnutls_x509_crt_t crt, const char *input_str,
void read_crq_set(gnutls_x509_crq_t crq, const char *input_str,
const char *oid);
int64_t read_int(const char *input_str);
-int serial_decode(const char *input, gnutls_datum_t *output);
+int serial_decode(const char *input, gnutls_datum_t * output);
const char *read_str(const char *input_str);
int read_yesno(const char *input_str, int def);
@@ -56,11 +56,11 @@ void get_uid_crt_set(gnutls_x509_crt_t crt);
void get_pkcs9_email_crt_set(gnutls_x509_crt_t crt);
void get_oid_crt_set(gnutls_x509_crt_t crt);
void get_key_purpose_set(int type, void *crt);
-void get_serial(unsigned char* serial, size_t* serial_size);
+void get_serial(unsigned char *serial, size_t *serial_size);
time_t get_expiration_date(void);
time_t get_activation_date(void);
int get_ca_status(void);
-void get_crl_number(unsigned char* serial, size_t* serial_size);
+void get_crl_number(unsigned char *serial, size_t *serial_size);
int get_path_len(void);
int get_crq_extensions_status(void);
const char *get_pkcs12_key_name(void);
@@ -103,8 +103,8 @@ void get_unit_crq_set(gnutls_x509_crq_t crq);
void get_organization_crq_set(gnutls_x509_crq_t crq);
void get_country_crq_set(gnutls_x509_crq_t crq);
void get_oid_crq_set(gnutls_x509_crq_t crq);
-const char *get_proxy_policy(char **policy, size_t * policylen);
+const char *get_proxy_policy(char **policy, size_t *policylen);
void crq_extensions_set(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq);
-#endif /* GNUTLS_SRC_CERTTOOL_CFG_H */
+#endif /* GNUTLS_SRC_CERTTOOL_CFG_H */
diff --git a/src/certtool-common.c b/src/certtool-common.c
index fae3a489d4..463b94477f 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -51,7 +51,7 @@
unsigned char *lbuffer = NULL;
unsigned long lbuffer_size = 0;
-static unsigned long file_size(FILE *fp)
+static unsigned long file_size(FILE * fp)
{
unsigned long size;
long cur = ftell(fp);
@@ -74,12 +74,12 @@ void fix_lbuffer(unsigned long size)
{
if (lbuffer_size == 0 || lbuffer == NULL) {
if (size == 0)
- lbuffer_size = 64*1024;
+ lbuffer_size = 64 * 1024;
else
- lbuffer_size = MAX(64*1024,size+1);
+ lbuffer_size = MAX(64 * 1024, size + 1);
lbuffer = malloc(lbuffer_size);
} else if (size > lbuffer_size) {
- lbuffer_size = MAX(64*1024,size+1);
+ lbuffer_size = MAX(64 * 1024, size + 1);
lbuffer = realloc(lbuffer, lbuffer_size);
}
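Review bot: `lbuffer = realloc(lbuffer, lbuffer_size);` overwrites the only pointer to the old buffer, and `lbuffer_size` is raised on the line before the call, so on a failed realloc the previous block leaks and the size variable no longer describes the (now NULL) buffer; the `malloc` in the first branch is equally unchecked within the hunk. If the remainder of fix_lbuffer, which lies outside this hunk, exits on a NULL lbuffer this is only a leak on the exit path; otherwise assign through a temporary, `void *tmp = realloc(lbuffer, new_size); if (tmp == NULL) { /* report and fail */ } lbuffer = tmp; lbuffer_size = new_size;`, and update the size only after the allocation has succeeded. The function's signature line is just above the hunk.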
@@ -126,7 +126,7 @@ gnutls_datum_t *load_secret_key(int mand, common_info_st * info)
return NULL;
}
- hex_key.data = (void *) info->secret_key;
+ hex_key.data = (void *)info->secret_key;
hex_key.size = strlen(info->secret_key);
ret = gnutls_hex_decode(&hex_key, raw_key, &raw_key_size);
@@ -135,7 +135,7 @@ gnutls_datum_t *load_secret_key(int mand, common_info_st * info)
app_exit(1);
}
- key.data = (void *) raw_key;
+ key.data = (void *)raw_key;
key.size = raw_key_size;
return &key;
@@ -198,7 +198,8 @@ static gnutls_privkey_t _load_privkey(gnutls_datum_t * dat,
}
if (ret < 0) {
- fprintf(stderr, "error loading file at --load-privkey: %s: %s\n",
+ fprintf(stderr,
+ "error loading file at --load-privkey: %s: %s\n",
info->privkey, gnutls_strerror(ret));
app_exit(1);
}
@@ -270,7 +271,7 @@ gnutls_privkey_t load_private_key(int mand, common_info_st * info)
if (gnutls_url_is_supported(info->privkey) != 0)
return _load_url_privkey(info->privkey);
- dat.data = (void *) read_file(info->privkey, RF_BINARY, &size);
+ dat.data = (void *)read_file(info->privkey, RF_BINARY, &size);
dat.size = size;
if (!dat.data) {
@@ -289,8 +290,7 @@ gnutls_privkey_t load_private_key(int mand, common_info_st * info)
/* Load the private key.
* @mand should be non zero if it is required to read a private key.
*/
-gnutls_x509_privkey_t
-load_x509_private_key(int mand, common_info_st * info)
+gnutls_x509_privkey_t load_x509_private_key(int mand, common_info_st * info)
{
gnutls_x509_privkey_t key;
int ret;
@@ -313,7 +313,7 @@ load_x509_private_key(int mand, common_info_st * info)
app_exit(1);
}
- dat.data = (void *) read_file(info->privkey, RF_BINARY, &size);
+ dat.data = (void *)read_file(info->privkey, RF_BINARY, &size);
dat.size = size;
if (!dat.data) {
@@ -331,14 +331,12 @@ load_x509_private_key(int mand, common_info_st * info)
} else {
ret =
gnutls_x509_privkey_import2(key, &dat,
- info->incert_format, NULL,
- 0);
+ info->incert_format, NULL, 0);
if (ret == GNUTLS_E_DECRYPTION_FAILED) {
pass = get_password(info, &flags, 0);
ret =
gnutls_x509_privkey_import2(key, &dat,
- info->
- incert_format,
+ info->incert_format,
pass, flags);
}
}
@@ -361,7 +359,6 @@ load_x509_private_key(int mand, common_info_st * info)
return key;
}
-
/* Loads the certificate
* If mand is non zero then a certificate is mandatory. Otherwise
* null will be returned if the certificate loading fails.
@@ -375,7 +372,7 @@ gnutls_x509_crt_t load_cert(int mand, common_info_st * info)
crt = load_cert_list(mand, &size, info);
if (crt) {
ret_crt = crt[0];
- for (i=1;i<size;i++)
+ for (i = 1; i < size; i++)
gnutls_x509_crt_deinit(crt[i]);
gnutls_free(crt);
return ret_crt;
@@ -386,7 +383,7 @@ gnutls_x509_crt_t load_cert(int mand, common_info_st * info)
/* Loads a certificate list
*/
-gnutls_x509_crt_t *load_cert_list(int mand, size_t * crt_size,
+gnutls_x509_crt_t *load_cert_list(int mand, size_t *crt_size,
common_info_st * info)
{
FILE *fp;
@@ -422,31 +419,33 @@ gnutls_x509_crt_t *load_cert_list(int mand, size_t * crt_size,
fclose(fp);
- dat.data = (void *) lbuffer;
+ dat.data = (void *)lbuffer;
dat.size = size;
if (info->sort_chain)
flags |= GNUTLS_X509_CRT_LIST_SORT;
- ret = gnutls_x509_crt_list_import2(&crt, &crt_max, &dat, GNUTLS_X509_FMT_PEM, flags);
+ ret =
+ gnutls_x509_crt_list_import2(&crt, &crt_max, &dat,
+ GNUTLS_X509_FMT_PEM, flags);
if (ret < 0) {
- fprintf(stderr, "Error loading certificates: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error loading certificates: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
*crt_size = crt_max;
if (info->verbose)
- fprintf(stderr, "Loaded %d certificates.\n",
- (int) crt_max);
+ fprintf(stderr, "Loaded %d certificates.\n", (int)crt_max);
return crt;
}
/* Loads a CRL list
*/
-gnutls_x509_crl_t *load_crl_list(int mand, size_t * crl_size,
- common_info_st * info)
+gnutls_x509_crl_t *load_crl_list(int mand, size_t *crl_size,
+ common_info_st * info)
{
FILE *fp;
static gnutls_x509_crl_t *crl;
@@ -480,23 +479,27 @@ gnutls_x509_crl_t *load_crl_list(int mand, size_t * crl_size,
fclose(fp);
- dat.data = (void *) lbuffer;
+ dat.data = (void *)lbuffer;
dat.size = size;
- ret = gnutls_x509_crl_list_import2(&crl, &crl_max, &dat, GNUTLS_X509_FMT_PEM, 0);
+ ret =
+ gnutls_x509_crl_list_import2(&crl, &crl_max, &dat,
+ GNUTLS_X509_FMT_PEM, 0);
if (ret == GNUTLS_E_BASE64_DECODING_ERROR) {
- ret = gnutls_x509_crl_list_import2(&crl, &crl_max, &dat, GNUTLS_X509_FMT_DER, 0);
+ ret =
+ gnutls_x509_crl_list_import2(&crl, &crl_max, &dat,
+ GNUTLS_X509_FMT_DER, 0);
}
if (ret < 0) {
- fprintf(stderr, "Error loading CRLs: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error loading CRLs: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
*crl_size = crl_max;
if (info->verbose)
- fprintf(stderr, "Loaded %d CRLs.\n",
- (int) *crl_size);
+ fprintf(stderr, "Loaded %d CRLs.\n", (int)*crl_size);
return crl;
}
@@ -519,7 +522,7 @@ gnutls_x509_crq_t load_request(common_info_st * info)
app_exit(1);
}
- dat.data = (void *) read_file(info->request, RF_BINARY, &size);
+ dat.data = (void *)read_file(info->request, RF_BINARY, &size);
dat.size = size;
if (!dat.data) {
@@ -560,7 +563,7 @@ gnutls_privkey_t load_ca_private_key(common_info_st * info)
if (gnutls_url_is_supported(info->ca_privkey) != 0)
return _load_url_privkey(info->ca_privkey);
- dat.data = (void *) read_file(info->ca_privkey, RF_BINARY, &size);
+ dat.data = (void *)read_file(info->ca_privkey, RF_BINARY, &size);
dat.size = size;
if (!dat.data) {
@@ -603,18 +606,20 @@ gnutls_x509_crt_t load_ca_cert(unsigned mand, common_info_st * info)
if (gnutls_url_is_supported(info->ca) != 0) {
ret = gnutls_x509_crt_import_url(crt, info->ca, 0);
if (ret < 0) {
- fprintf(stderr, "error importing CA certificate: %s: %s\n",
+ fprintf(stderr,
+ "error importing CA certificate: %s: %s\n",
info->ca, gnutls_strerror(ret));
app_exit(1);
}
return crt;
}
- dat.data = (void *) read_file(info->ca, RF_BINARY, &size);
+ dat.data = (void *)read_file(info->ca, RF_BINARY, &size);
dat.size = size;
if (!dat.data) {
- fprintf(stderr, "error reading file at --load-ca-certificate: %s\n",
+ fprintf(stderr,
+ "error reading file at --load-ca-certificate: %s\n",
info->ca);
app_exit(1);
}
@@ -657,17 +662,20 @@ gnutls_pubkey_t load_pubkey(int mand, common_info_st * info)
app_exit(1);
}
- dat.data = (void *) read_file(info->pubkey, RF_BINARY, &size);
+ dat.data = (void *)read_file(info->pubkey, RF_BINARY, &size);
dat.size = size;
if (!dat.data) {
- fprintf(stderr, "error reading file at --load-pubkey: %s\n", info->pubkey);
+ fprintf(stderr, "error reading file at --load-pubkey: %s\n",
+ info->pubkey);
app_exit(1);
}
ret = gnutls_pubkey_import(key, &dat, info->incert_format);
if (ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) {
- ret = gnutls_pubkey_import_x509_raw(key, &dat, info->incert_format, 0);
+ ret =
+ gnutls_pubkey_import_x509_raw(key, &dat,
+ info->incert_format, 0);
if (ret < 0) {
fprintf(stderr,
"import error: could not find a valid PEM header; "
@@ -702,7 +710,8 @@ gnutls_pubkey_t load_public_key_or_import(int mand,
gnutls_pubkey_deinit(pubkey);
pubkey = load_pubkey(0, info);
if (pubkey == NULL && mand) {
- fprintf(stderr, "Could not determine the public key for the operation.\nYou must specify --load-privkey or --load-pubkey if missing.\n");
+ fprintf(stderr,
+ "Could not determine the public key for the operation.\nYou must specify --load-privkey or --load-pubkey if missing.\n");
app_exit(1);
}
}
@@ -729,7 +738,8 @@ get_bits(gnutls_pk_algorithm_t key_type, int info_bits,
if (info_bits != 0) {
static int warned = 0;
- if (warned == 0 && warn != 0 && GNUTLS_BITS_ARE_CURVE(info_bits)==0) {
+ if (warned == 0 && warn != 0
+ && GNUTLS_BITS_ARE_CURVE(info_bits) == 0) {
warned = 1;
fprintf(stderr,
"** Note: You may use '--sec-param %s' instead of '--bits %d'\n",
@@ -756,7 +766,8 @@ gnutls_sec_param_t str_to_sec_param(const char *str)
return GNUTLS_SEC_PARAM_LOW;
} else if (strcasecmp(str, "legacy") == 0) {
return GNUTLS_SEC_PARAM_LEGACY;
- } else if (strcasecmp(str, "normal") == 0 || strcasecmp(str, "medium") == 0) {
+ } else if (strcasecmp(str, "normal") == 0
+ || strcasecmp(str, "medium") == 0) {
return GNUTLS_SEC_PARAM_MEDIUM;
} else if (strcasecmp(str, "high") == 0) {
return GNUTLS_SEC_PARAM_HIGH;
@@ -765,16 +776,14 @@ gnutls_sec_param_t str_to_sec_param(const char *str)
} else if (strcasecmp(str, "future") == 0) {
return GNUTLS_SEC_PARAM_FUTURE;
} else {
- fprintf(stderr, "Unknown security parameter string: %s\n",
- str);
+ fprintf(stderr, "Unknown security parameter string: %s\n", str);
app_exit(1);
}
}
#define SPACE "\t"
-static void
-print_hex_datum(FILE * outfile, gnutls_datum_t * dat, int cprint)
+static void print_hex_datum(FILE * outfile, gnutls_datum_t * dat, int cprint)
{
unsigned int j;
@@ -782,7 +791,7 @@ print_hex_datum(FILE * outfile, gnutls_datum_t * dat, int cprint)
fprintf(outfile, "\n" SPACE "\"");
for (j = 0; j < dat->size; j++) {
fprintf(outfile, "\\x%.2x",
- (unsigned char) dat->data[j]);
+ (unsigned char)dat->data[j]);
if ((j + 1) % 16 == 0) {
fprintf(outfile, "\"\n" SPACE "\"");
}
@@ -795,10 +804,10 @@ print_hex_datum(FILE * outfile, gnutls_datum_t * dat, int cprint)
fprintf(outfile, "\n" SPACE);
for (j = 0; j < dat->size; j++) {
if ((j + 1) % 16 == 0) {
- fprintf(outfile, "%.2x", (unsigned char) dat->data[j]);
+ fprintf(outfile, "%.2x", (unsigned char)dat->data[j]);
fprintf(outfile, "\n" SPACE);
} else {
- fprintf(outfile, "%.2x:", (unsigned char) dat->data[j]);
+ fprintf(outfile, "%.2x:", (unsigned char)dat->data[j]);
}
}
fprintf(outfile, "\n\n");
@@ -860,13 +869,13 @@ print_dsa_pkey(FILE * outfile, gnutls_datum_t * x, gnutls_datum_t * y,
gnutls_ecc_curve_t str_to_curve(const char *str)
{
-unsigned num = 0;
-const gnutls_ecc_curve_t *list, *p;
+ unsigned num = 0;
+ const gnutls_ecc_curve_t *list, *p;
list = gnutls_ecc_curve_list();
p = list;
- while(*p != 0) {
+ while (*p != 0) {
if (strcasecmp(str, gnutls_ecc_curve_get_name(*p)) == 0)
return *p;
p++;
@@ -877,9 +886,8 @@ const gnutls_ecc_curve_t *list, *p;
if (num == 0)
printf("none\n");
p = list;
- while(*p != 0) {
- fprintf(stderr, "\t- %s\n",
- gnutls_ecc_curve_get_name(*p));
+ while (*p != 0) {
+ fprintf(stderr, "\t- %s\n", gnutls_ecc_curve_get_name(*p));
p++;
}
app_exit(1);
@@ -913,7 +921,7 @@ print_ecc_pkey(FILE * outfile, gnutls_ecc_curve_t curve,
}
}
-static void reverse_datum(gnutls_datum_t *d)
+static void reverse_datum(gnutls_datum_t * d)
{
unsigned int i;
unsigned char c;
@@ -927,9 +935,9 @@ static void reverse_datum(gnutls_datum_t *d)
void
print_gost_pkey(FILE * outfile, gnutls_ecc_curve_t curve,
- gnutls_digest_algorithm_t digest, gnutls_gost_paramset_t paramset,
- gnutls_datum_t * k, gnutls_datum_t * x, gnutls_datum_t * y,
- int cprint)
+ gnutls_digest_algorithm_t digest,
+ gnutls_gost_paramset_t paramset, gnutls_datum_t * k,
+ gnutls_datum_t * x, gnutls_datum_t * y, int cprint)
{
if (cprint != 0)
fprintf(outfile, "/* curve: %s */\n",
@@ -994,7 +1002,7 @@ print_rsa_pkey(FILE * outfile, gnutls_datum_t * m, gnutls_datum_t * e,
}
void print_pubkey_info(gnutls_pubkey_t pubkey,
- FILE *outfile,
+ FILE * outfile,
gnutls_certificate_print_formats_t format,
gnutls_x509_crt_fmt_t outcert_format,
unsigned int outtext)
@@ -1018,9 +1026,7 @@ void print_pubkey_info(gnutls_pubkey_t pubkey,
fix_lbuffer(0);
size = lbuffer_size;
- ret =
- gnutls_pubkey_export(pubkey, outcert_format, lbuffer,
- &size);
+ ret = gnutls_pubkey_export(pubkey, outcert_format, lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "export error: %s\n", gnutls_strerror(ret));
app_exit(1);
@@ -1050,11 +1056,11 @@ print_dh_info(FILE * outfile, gnutls_datum_t * p, gnutls_datum_t * g,
print_head(outfile, "prime", p->size, cprint);
print_hex_datum(outfile, p, cprint);
-
}
static
-int import_dsa_dh(gnutls_dh_params_t dh_params, gnutls_datum_t *params, gnutls_x509_crt_fmt_t format)
+int import_dsa_dh(gnutls_dh_params_t dh_params, gnutls_datum_t * params,
+ gnutls_x509_crt_fmt_t format)
{
gnutls_x509_privkey_t pkey;
int ret;
@@ -1090,7 +1096,7 @@ void dh_info(FILE * infile, FILE * outfile, common_info_st * ci)
app_exit(1);
}
- params.data = (void *) fread_file(infile, 0, &size);
+ params.data = (void *)fread_file(infile, 0, &size);
params.size = size;
if (params.data == NULL) {
@@ -1136,8 +1142,7 @@ void dh_info(FILE * infile, FILE * outfile, common_info_st * ci)
fwrite(lbuffer, 1, len, outfile);
}
} else {
- fprintf(stderr, "Error: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "Error: %s\n", gnutls_strerror(ret));
}
}
@@ -1182,7 +1187,7 @@ int cipher_to_flags(const char *cipher)
app_exit(1);
}
-static void privkey_info_int(FILE *outfile, common_info_st * cinfo,
+static void privkey_info_int(FILE * outfile, common_info_st * cinfo,
gnutls_x509_privkey_t key)
{
int ret, key_type;
@@ -1220,7 +1225,8 @@ static void privkey_info_int(FILE *outfile, common_info_st * cinfo,
goto spki_skip;
}
- ret = gnutls_x509_spki_get_rsa_pss_params(spki, &dig, &salt_size);
+ ret =
+ gnutls_x509_spki_get_rsa_pss_params(spki, &dig, &salt_size);
if (ret < 0) {
fprintf(stderr, "spki_get_rsa_pss_params: %s\n",
gnutls_strerror(ret));
@@ -1267,8 +1273,7 @@ static void privkey_info_int(FILE *outfile, common_info_st * cinfo,
gnutls_datum_t p, q, g, y, x;
ret =
- gnutls_x509_privkey_export_dsa_raw(key, &p, &q, &g, &y,
- &x);
+ gnutls_x509_privkey_export_dsa_raw(key, &p, &q, &g, &y, &x);
if (ret < 0)
fprintf(stderr,
"Error in key DSA data export: %s\n",
@@ -1292,8 +1297,7 @@ static void privkey_info_int(FILE *outfile, common_info_st * cinfo,
gnutls_ecc_curve_t curve;
ret =
- gnutls_x509_privkey_export_ecc_raw(key, &curve, &x, &y,
- &k);
+ gnutls_x509_privkey_export_ecc_raw(key, &curve, &x, &y, &k);
if (ret < 0)
fprintf(stderr,
"Error in key ECC data export: %s\n",
@@ -1317,16 +1321,14 @@ static void privkey_info_int(FILE *outfile, common_info_st * cinfo,
ret =
gnutls_x509_privkey_export_gost_raw(key, &curve,
&digest,
- &paramset,
- &x, &y, &k);
+ &paramset, &x, &y, &k);
if (ret < 0)
fprintf(stderr,
"Error in key GOST data export: %s\n",
gnutls_strerror(ret));
else {
print_gost_pkey(outfile, curve, digest, paramset,
- &k, &x, &y,
- cinfo->cprint);
+ &k, &x, &y, cinfo->cprint);
gnutls_free(x.data);
gnutls_free(y.data);
@@ -1338,17 +1340,16 @@ static void privkey_info_int(FILE *outfile, common_info_st * cinfo,
ret = gnutls_x509_privkey_get_seed(key, &dig, lbuffer, &size);
if (ret >= 0) {
fprintf(outfile, "Validation parameters:\n");
- fprintf(outfile, "\tHash: %s\n",
- gnutls_digest_get_name(dig));
- fprintf(outfile, "\tSeed: %s\n",
- raw_to_hex(lbuffer, size));
+ fprintf(outfile, "\tHash: %s\n", gnutls_digest_get_name(dig));
+ fprintf(outfile, "\tSeed: %s\n", raw_to_hex(lbuffer, size));
}
fprintf(outfile, "\n");
size = lbuffer_size;
ret =
- gnutls_x509_privkey_get_key_id(key, GNUTLS_KEYID_USE_SHA256, lbuffer, &size);
+ gnutls_x509_privkey_get_key_id(key, GNUTLS_KEYID_USE_SHA256,
+ lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "Error in key id calculation: %s\n",
gnutls_strerror(ret));
@@ -1361,7 +1362,8 @@ static void privkey_info_int(FILE *outfile, common_info_st * cinfo,
size = lbuffer_size;
ret =
- gnutls_x509_privkey_get_key_id(key, GNUTLS_KEYID_USE_SHA1, lbuffer, &size);
+ gnutls_x509_privkey_get_key_id(key, GNUTLS_KEYID_USE_SHA1,
+ lbuffer, &size);
if (ret >= 0) {
fprintf(outfile, "\tsha1:%s\n",
raw_to_hex(lbuffer, size));
@@ -1372,7 +1374,8 @@ static void privkey_info_int(FILE *outfile, common_info_st * cinfo,
}
void
-print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t key)
+print_private_key(FILE * outfile, common_info_st * cinfo,
+ gnutls_x509_privkey_t key)
{
int ret;
size_t size;
@@ -1382,7 +1385,8 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k
/* Only print private key parameters when an unencrypted
* format is used */
- switch_to_pkcs8_when_needed(cinfo, key, gnutls_x509_privkey_get_pk_algorithm(key));
+ switch_to_pkcs8_when_needed(cinfo, key,
+ gnutls_x509_privkey_get_pk_algorithm(key));
if (!cinfo->pkcs8) {
@@ -1459,17 +1463,28 @@ int generate_prime(FILE * outfile, int how, common_info_st * info)
gnutls_keygen_data_st data;
if (info->seed_size < 32) {
- fprintf(stderr, "For DH parameter generation a 32-byte seed value or larger is expected (have: %d); use -d 2 for more information.\n", (int)info->seed_size);
+ fprintf(stderr,
+ "For DH parameter generation a 32-byte seed value or larger is expected (have: %d); use -d 2 for more information.\n",
+ (int)info->seed_size);
app_exit(1);
}
data.type = GNUTLS_KEYGEN_SEED;
- data.data = (void*)info->seed;
+ data.data = (void *)info->seed;
data.size = info->seed_size;
- ret = gnutls_x509_privkey_generate2(pkey, GNUTLS_PK_DSA, bits, GNUTLS_PRIVKEY_FLAG_PROVABLE, &data, 1);
+ ret =
+ gnutls_x509_privkey_generate2(pkey,
+ GNUTLS_PK_DSA,
+ bits,
+ GNUTLS_PRIVKEY_FLAG_PROVABLE,
+ &data, 1);
} else {
- ret = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_DSA, bits, GNUTLS_PRIVKEY_FLAG_PROVABLE);
+ ret =
+ gnutls_x509_privkey_generate(pkey,
+ GNUTLS_PK_DSA,
+ bits,
+ GNUTLS_PRIVKEY_FLAG_PROVABLE);
}
if (ret < 0) {
@@ -1502,9 +1517,7 @@ int generate_prime(FILE * outfile, int how, common_info_st * info)
}
}
- ret =
- gnutls_dh_params_export_raw(dh_params, &p, &g,
- &q_bits);
+ ret = gnutls_dh_params_export_raw(dh_params, &p, &g, &q_bits);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
@@ -1512,7 +1525,8 @@ int generate_prime(FILE * outfile, int how, common_info_st * info)
}
} else {
if (info->provable != 0) {
- fprintf(stderr, "The DH parameters obtained via this option are not provable\n");
+ fprintf(stderr,
+ "The DH parameters obtained via this option are not provable\n");
app_exit(1);
}
#if defined(ENABLE_DHE) || defined(ENABLE_ANON)
@@ -1569,8 +1583,7 @@ int generate_prime(FILE * outfile, int how, common_info_st * info)
app_exit(1);
}
#else
- fprintf(stderr,
- "Parameters unavailable as SRP is disabled.\n");
+ fprintf(stderr, "Parameters unavailable as SRP is disabled.\n");
app_exit(1);
#endif
}
@@ -1593,8 +1606,7 @@ int generate_prime(FILE * outfile, int how, common_info_st * info)
fwrite(lbuffer, 1, len, outfile);
} else {
- fprintf(stderr, "Error: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "Error: %s\n", gnutls_strerror(ret));
}
}
@@ -1609,7 +1621,7 @@ int generate_prime(FILE * outfile, int how, common_info_st * info)
return 0;
}
-void decode_seed(gnutls_datum_t *seed, const char *hex, unsigned hex_size)
+void decode_seed(gnutls_datum_t * seed, const char *hex, unsigned hex_size)
{
int ret;
size_t seed_size;
@@ -1625,7 +1637,8 @@ void decode_seed(gnutls_datum_t *seed, const char *hex, unsigned hex_size)
seed_size = hex_size;
ret = gnutls_hex2bin(hex, hex_size, seed->data, &seed_size);
if (ret < 0) {
- fprintf(stderr, "Could not hex decode data: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Could not hex decode data: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
seed->size = seed_size;
@@ -1639,7 +1652,8 @@ gnutls_pk_algorithm_t figure_key_type(const char *key_type)
return GNUTLS_PK_RSA;
else if (strcasecmp(key_type, "rsa-pss") == 0)
return GNUTLS_PK_RSA_PSS;
- else if (strcasecmp(key_type, "ed25519") == 0 || strcasecmp(key_type, "eddsa") == 0)
+ else if (strcasecmp(key_type, "ed25519") == 0
+ || strcasecmp(key_type, "eddsa") == 0)
return GNUTLS_PK_EDDSA_ED25519;
else if (strcasecmp(key_type, "ed448") == 0)
return GNUTLS_PK_EDDSA_ED448;
@@ -1649,7 +1663,8 @@ gnutls_pk_algorithm_t figure_key_type(const char *key_type)
return GNUTLS_PK_ECDH_X448;
else if (strcasecmp(key_type, "dsa") == 0)
return GNUTLS_PK_DSA;
- else if (strcasecmp(key_type, "ecdsa") == 0 || strcasecmp(key_type, "ecc") == 0)
+ else if (strcasecmp(key_type, "ecdsa") == 0
+ || strcasecmp(key_type, "ecc") == 0)
return GNUTLS_PK_ECDSA;
else if (strcasecmp(key_type, "gost01") == 0)
return GNUTLS_PK_GOST_01;
@@ -1694,7 +1709,7 @@ gnutls_digest_algorithm_t hash_to_id(const char *hash)
}
}
-void sign_params_to_flags(common_info_st *cinfo, const char *params)
+void sign_params_to_flags(common_info_st * cinfo, const char *params)
{
char *p, *sp;
@@ -1706,15 +1721,15 @@ void sign_params_to_flags(common_info_st *cinfo, const char *params)
p = strtok(sp, ",");
- while(p != NULL) {
- if (strcasecmp(p, "rsa-pss")==0) {
+ while (p != NULL) {
+ if (strcasecmp(p, "rsa-pss") == 0) {
cinfo->rsa_pss_sign = 1;
} else {
fprintf(stderr, "Unknown signature parameter: %s\n", p);
app_exit(1);
}
- p=strtok(NULL, ",");
+ p = strtok(NULL, ",");
}
free(sp);
diff --git a/src/certtool-common.h b/src/certtool-common.h
index 0c8c69540f..071ddd4fbe 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -20,22 +20,22 @@
*/
#ifndef GNUTLS_SRC_CERTTOOL_COMMON_H
-#define GNUTLS_SRC_CERTTOOL_COMMON_H
+# define GNUTLS_SRC_CERTTOOL_COMMON_H
-#include <gnutls/x509.h>
-#include <stdio.h>
-#include <stdbool.h>
-#include "attribute.h"
+# include <gnutls/x509.h>
+# include <stdio.h>
+# include <stdbool.h>
+# include "attribute.h"
-#define TYPE_CRT 1
-#define TYPE_CRQ 2
+# define TYPE_CRT 1
+# define TYPE_CRQ 2
-#define SERIAL_MAX_BYTES 20
+# define SERIAL_MAX_BYTES 20
void certtool_version(void);
-#include <gnutls/x509.h>
-#include <gnutls/abstract.h>
+# include <gnutls/x509.h>
+# include <gnutls/abstract.h>
typedef struct common_info {
const char *secret_key;
@@ -86,26 +86,33 @@ typedef struct common_info {
} common_info_st;
static inline
-void switch_to_pkcs8_when_needed(common_info_st *cinfo, gnutls_x509_privkey_t key, unsigned key_type)
+ void switch_to_pkcs8_when_needed(common_info_st * cinfo,
+ gnutls_x509_privkey_t key,
+ unsigned key_type)
{
if (cinfo->pkcs8)
return;
- if (key_type == GNUTLS_PK_RSA_PSS || key_type == GNUTLS_PK_EDDSA_ED25519 || key_type == GNUTLS_PK_EDDSA_ED448 ||
- key_type == GNUTLS_PK_ECDH_X25519 || key_type == GNUTLS_PK_ECDH_X448 ||
- key_type == GNUTLS_PK_GOST_01 || key_type == GNUTLS_PK_GOST_12_256 ||
- key_type == GNUTLS_PK_GOST_12_512) {
+ if (key_type == GNUTLS_PK_RSA_PSS || key_type == GNUTLS_PK_EDDSA_ED25519
+ || key_type == GNUTLS_PK_EDDSA_ED448
+ || key_type == GNUTLS_PK_ECDH_X25519
+ || key_type == GNUTLS_PK_ECDH_X448 || key_type == GNUTLS_PK_GOST_01
+ || key_type == GNUTLS_PK_GOST_12_256
+ || key_type == GNUTLS_PK_GOST_12_512) {
if (cinfo->verbose)
- fprintf(stderr, "Assuming --pkcs8 is given; %s private keys can only be exported in PKCS#8 format\n",
+ fprintf(stderr,
+ "Assuming --pkcs8 is given; %s private keys can only be exported in PKCS#8 format\n",
gnutls_pk_algorithm_get_name(key_type));
cinfo->pkcs8 = 1;
if (cinfo->password == NULL)
cinfo->password = "";
}
- if (gnutls_x509_privkey_get_seed(key, NULL, NULL, 0) != GNUTLS_E_INVALID_REQUEST) {
+ if (gnutls_x509_privkey_get_seed(key, NULL, NULL, 0) !=
+ GNUTLS_E_INVALID_REQUEST) {
if (cinfo->verbose)
- fprintf(stderr, "Assuming --pkcs8 is given; provable private keys can only be exported in PKCS#8 format\n");
+ fprintf(stderr,
+ "Assuming --pkcs8 is given; provable private keys can only be exported in PKCS#8 format\n");
cinfo->pkcs8 = 1;
if (cinfo->password == NULL)
cinfo->password = "";
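Review bot: The new signature of switch_to_pkcs8_when_needed is split so that `static inline` sits alone on one line and the next line begins with a stray leading space before `void`, which is what pushed the parameter continuation lines into an unusual alignment. Keeping the storage class and return type together, `static inline void switch_to_pkcs8_when_needed(common_info_st * cinfo,`, followed by `gnutls_x509_privkey_t key,` and `unsigned key_type)` aligned under the first parameter, gives the formatter a normal anchor and matches how the other prototypes in this header are wrapped. The body of the function continues past the end of the hunk.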
@@ -116,21 +123,20 @@ void switch_to_pkcs8_when_needed(common_info_st *cinfo, gnutls_x509_privkey_t ke
const char *get_pass(void);
const char *get_confirmed_pass(bool empty_ok);
void app_exit(int val)
-#ifdef __GNUC__
-__attribute__ ((__noreturn__))
-#endif
-;
+# ifdef __GNUC__
+ __attribute__((__noreturn__))
+# endif
+ ;
int cipher_to_flags(const char *cipher);
void
-print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t key);
-gnutls_pubkey_t load_public_key_or_import(int mand,
- gnutls_privkey_t privkey,
+print_private_key(FILE * outfile, common_info_st * cinfo,
+ gnutls_x509_privkey_t key);
+gnutls_pubkey_t load_public_key_or_import(int mand, gnutls_privkey_t privkey,
common_info_st * info);
gnutls_privkey_t load_private_key(int mand, common_info_st * info);
-gnutls_x509_privkey_t load_x509_private_key(int mand,
- common_info_st * info);
-gnutls_x509_privkey_t *load_privkey_list(int mand, size_t * privkey_size,
+gnutls_x509_privkey_t load_x509_private_key(int mand, common_info_st * info);
+gnutls_x509_privkey_t *load_privkey_list(int mand, size_t *privkey_size,
common_info_st * info);
gnutls_x509_crq_t load_request(common_info_st * info);
gnutls_privkey_t load_ca_private_key(common_info_st * info);
@@ -138,10 +144,9 @@ gnutls_x509_crt_t load_ca_cert(unsigned mand, common_info_st * info);
gnutls_x509_crt_t load_cert(int mand, common_info_st * info);
gnutls_datum_t *load_secret_key(int mand, common_info_st * info);
gnutls_pubkey_t load_pubkey(int mand, common_info_st * info);
-gnutls_x509_crt_t *load_cert_list(int mand, size_t * size,
- common_info_st * info);
-gnutls_x509_crl_t *load_crl_list(int mand, size_t * size,
+gnutls_x509_crt_t *load_cert_list(int mand, size_t *size,
common_info_st * info);
+gnutls_x509_crl_t *load_crl_list(int mand, size_t *size, common_info_st * info);
int get_bits(gnutls_pk_algorithm_t key_type, int info_bits,
const char *info_sec_param, int warn);
@@ -152,11 +157,11 @@ gnutls_ecc_curve_t str_to_curve(const char *str);
int generate_prime(FILE * outfile, int how, common_info_st * info);
void dh_info(FILE * infile, FILE * outfile, common_info_st * ci);
-gnutls_x509_privkey_t *load_privkey_list(int mand, size_t * privkey_size,
+gnutls_x509_privkey_t *load_privkey_list(int mand, size_t *privkey_size,
common_info_st * info);
void print_pubkey_info(gnutls_pubkey_t pubkey,
- FILE *outfile,
+ FILE * outfile,
gnutls_certificate_print_formats_t format,
gnutls_x509_crt_fmt_t outcert_format,
unsigned int outtext);
@@ -171,14 +176,12 @@ void print_gost_pkey(FILE * outfile, gnutls_ecc_curve_t curve,
void print_rsa_pkey(FILE * outfile, gnutls_datum_t * m, gnutls_datum_t * e,
gnutls_datum_t * d, gnutls_datum_t * p,
gnutls_datum_t * q, gnutls_datum_t * u,
- gnutls_datum_t * exp1, gnutls_datum_t * exp2,
- int cprint);
+ gnutls_datum_t * exp1, gnutls_datum_t * exp2, int cprint);
void print_dsa_pkey(FILE * outfile, gnutls_datum_t * x, gnutls_datum_t * y,
gnutls_datum_t * p, gnutls_datum_t * q,
gnutls_datum_t * g, int cprint);
-ATTRIBUTE_MALLOC
-FILE *safe_open_rw(const char *file, int privkey_op);
+ATTRIBUTE_MALLOC FILE *safe_open_rw(const char *file, int privkey_op);
const char *get_password(common_info_st * cinfo, unsigned int *flags,
int confirm);
@@ -188,14 +191,14 @@ extern unsigned long lbuffer_size;
void fix_lbuffer(unsigned long);
-void decode_seed(gnutls_datum_t *seed, const char *hex, unsigned hex_size);
+void decode_seed(gnutls_datum_t * seed, const char *hex, unsigned hex_size);
-#define GNUTLS_PK_IS_RSA(pk) ((pk) == GNUTLS_PK_RSA || (pk) == GNUTLS_PK_RSA_PSS)
+# define GNUTLS_PK_IS_RSA(pk) ((pk) == GNUTLS_PK_RSA || (pk) == GNUTLS_PK_RSA_PSS)
gnutls_pk_algorithm_t figure_key_type(const char *key_type);
gnutls_digest_algorithm_t hash_to_id(const char *hash);
-void sign_params_to_flags(common_info_st *cinfo, const char *params);
+void sign_params_to_flags(common_info_st * cinfo, const char *params);
-#endif /* GNUTLS_SRC_CERTTOOL_COMMON_H */
+#endif /* GNUTLS_SRC_CERTTOOL_COMMON_H */
diff --git a/src/certtool-extras.c b/src/certtool-extras.c
index 7ae54faa50..38317d5b4d 100644
--- a/src/certtool-extras.c
+++ b/src/certtool-extras.c
@@ -41,12 +41,11 @@
#include "certtool-common.h"
#include "certtool-cfg.h"
-
#define MAX_KEYS 256
/* Loads a x509 private key list
*/
-gnutls_x509_privkey_t *load_privkey_list(int mand, size_t * privkey_size,
+gnutls_x509_privkey_t *load_privkey_list(int mand, size_t *privkey_size,
common_info_st * info)
{
static gnutls_x509_privkey_t key[MAX_KEYS];
@@ -74,7 +73,7 @@ gnutls_x509_privkey_t *load_privkey_list(int mand, size_t * privkey_size,
exit(1);
}
- ptr = (void *) file_data.data;
+ ptr = (void *)file_data.data;
ptr_size = file_data.size;
for (i = 0; i < MAX_KEYS; i++) {
@@ -85,19 +84,17 @@ gnutls_x509_privkey_t *load_privkey_list(int mand, size_t * privkey_size,
exit(1);
}
- dat.data = (void *) ptr;
+ dat.data = (void *)ptr;
dat.size = ptr_size;
ret =
gnutls_x509_privkey_import2(key[i], &dat,
- info->incert_format, NULL,
- 0);
+ info->incert_format, NULL, 0);
if (ret == GNUTLS_E_DECRYPTION_FAILED) {
pass = get_password(info, &flags, 0);
ret =
gnutls_x509_privkey_import2(key[i], &dat,
- info->
- incert_format,
+ info->incert_format,
pass, flags);
}
@@ -121,8 +118,7 @@ gnutls_x509_privkey_t *load_privkey_list(int mand, size_t * privkey_size,
ptr_size = file_data.size;
ptr_size -=
- ((unsigned char *) ptr -
- (unsigned char *) file_data.data);
+ ((unsigned char *)ptr - (unsigned char *)file_data.data);
if (ptr_size < 0)
break;
@@ -130,7 +126,7 @@ gnutls_x509_privkey_t *load_privkey_list(int mand, size_t * privkey_size,
}
gnutls_free(file_data.data);
- fprintf(stderr, "Loaded %d private keys.\n", (int) *privkey_size);
+ fprintf(stderr, "Loaded %d private keys.\n", (int)*privkey_size);
return key;
}
diff --git a/src/certtool.c b/src/certtool.c
index 71d4aff13e..b6cbcfb082 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -57,24 +57,26 @@
static FILE *stdlog = NULL;
-static void print_crl_info(gnutls_x509_crl_t crl, FILE * out, common_info_st *cinfo);
-void pkcs7_info(common_info_st *cinfo, unsigned display_data);
+static void print_crl_info(gnutls_x509_crl_t crl, FILE * out,
+ common_info_st * cinfo);
+void pkcs7_info(common_info_st * cinfo, unsigned display_data);
void pkcs7_sign(common_info_st *, unsigned embed);
void pkcs7_generate(common_info_st *);
void pkcs8_info(void);
-void pkcs8_info_int(gnutls_datum_t *data, unsigned format,
- unsigned ignore_err, FILE *out, const char *tab);
-void crq_info(common_info_st *cinfo);
+void pkcs8_info_int(gnutls_datum_t * data, unsigned format,
+ unsigned ignore_err, FILE * out, const char *tab);
+void crq_info(common_info_st * cinfo);
void smime_to_pkcs7(void);
void pkcs12_info(common_info_st *);
void generate_pkcs12(common_info_st *);
void generate_pkcs8(common_info_st *);
static void verify_chain(common_info_st * cinfo);
void verify_crl(common_info_st * cinfo);
-void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_data);
+void verify_pkcs7(common_info_st * cinfo, const char *purpose,
+ unsigned display_data);
void pubkey_info(gnutls_x509_crt_t crt, common_info_st *);
void certificate_info(int, common_info_st *);
-void crl_info(common_info_st *cinfo);
+void crl_info(common_info_st * cinfo);
void privkey_info(common_info_st *);
static void cmd_parser(int argc, char **argv);
void generate_self_signed(common_info_st *);
@@ -87,10 +89,11 @@ static void privkey_to_rsa(common_info_st * cinfo);
static void pubkey_keyid(common_info_st * cinfo);
static void certificate_fpr(common_info_st * cinfo);
-static gnutls_digest_algorithm_t get_dig(gnutls_x509_crt_t crt, common_info_st * cinfo);
+static gnutls_digest_algorithm_t get_dig(gnutls_x509_crt_t crt,
+ common_info_st * cinfo);
FILE *outfile;
-static const char *outfile_name = NULL; /* to delete on exit */
+static const char *outfile_name = NULL; /* to delete on exit */
#define REQ_KEY_TYPE_DEFAULT GNUTLS_PK_RSA
@@ -145,8 +148,7 @@ int main(int argc, char **argv)
gnutls_x509_spki_set_rsa_pss_params(spki, cinfo->hash, _salt_size); \
} while(0)
-static gnutls_x509_privkey_t
-generate_private_key_int(common_info_st * cinfo)
+static gnutls_x509_privkey_t generate_private_key_int(common_info_st * cinfo)
{
gnutls_x509_privkey_t key;
int ret, key_type, bits;
@@ -178,7 +180,8 @@ generate_private_key_int(common_info_st * cinfo)
if (GNUTLS_BITS_ARE_CURVE(bits)) {
gnutls_ecc_curve_t curve = GNUTLS_BITS_TO_CURVE(bits);
ecc_bits = gnutls_ecc_curve_get_size(curve) * 8;
- snprintf(name, sizeof(name), "(%s)", gnutls_ecc_curve_get_name(curve));
+ snprintf(name, sizeof(name), "(%s)",
+ gnutls_ecc_curve_get_name(curve));
} else {
ecc_bits = bits;
name[0] = 0;
@@ -195,7 +198,8 @@ generate_private_key_int(common_info_st * cinfo)
bits, gnutls_pk_algorithm_get_name(key_type));
}
- if (provable && (!GNUTLS_PK_IS_RSA(key_type) && key_type != GNUTLS_PK_DSA)) {
+ if (provable
+ && (!GNUTLS_PK_IS_RSA(key_type) && key_type != GNUTLS_PK_DSA)) {
fprintf(stderr,
"The --provable parameter can only be used with RSA and DSA keys.\n");
app_exit(1);
@@ -211,13 +215,15 @@ generate_private_key_int(common_info_st * cinfo)
if (bits != 2048 && bits != 3072 && bits != 4096 &&
bits != 6144 && bits != 7680 && bits != 8192 &&
bits != 15360) {
- fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to be of known lengths (2048, 3072, etc)\n");
+ fprintf(stderr,
+ "Note that the FIPS 186-4 key generation restricts keys to be of known lengths (2048, 3072, etc)\n");
}
}
ret = gnutls_x509_spki_init(&spki);
if (ret < 0) {
- fprintf(stderr, "error in SPKI initialization: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "error in SPKI initialization: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
@@ -225,7 +231,7 @@ generate_private_key_int(common_info_st * cinfo)
if (cinfo->seed_size > 0) {
kdata[kdata_size].type = GNUTLS_KEYGEN_SEED;
- kdata[kdata_size].data = (void*)cinfo->seed;
+ kdata[kdata_size].data = (void *)cinfo->seed;
kdata[kdata_size++].size = cinfo->seed_size;
if (GNUTLS_PK_IS_RSA(key_type)) {
@@ -238,33 +244,39 @@ generate_private_key_int(common_info_st * cinfo)
(bits == 7680 && cinfo->seed_size != 48) ||
(bits == 8192 && cinfo->seed_size != 50) ||
(bits == 15360 && cinfo->seed_size != 64)) {
- fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)cinfo->seed_size);
+ fprintf(stderr,
+ "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n",
+ (int)cinfo->seed_size);
}
} else if (key_type == GNUTLS_PK_DSA) {
if (cinfo->seed_size != 65) {
- fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)cinfo->seed_size);
+ fprintf(stderr,
+ "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n",
+ (int)cinfo->seed_size);
}
}
flags |= GNUTLS_PRIVKEY_FLAG_PROVABLE;
}
- if (key_type == GNUTLS_PK_RSA_PSS && (cinfo->hash || HAVE_OPT(SALT_SIZE))) {
+ if (key_type == GNUTLS_PK_RSA_PSS
+ && (cinfo->hash || HAVE_OPT(SALT_SIZE))) {
SET_SPKI_PARAMS(spki, cinfo);
kdata[kdata_size].type = GNUTLS_KEYGEN_SPKI;
- kdata[kdata_size].data = (void*)spki;
+ kdata[kdata_size].data = (void *)spki;
kdata[kdata_size++].size = sizeof(spki);
}
if (provable)
flags |= GNUTLS_PRIVKEY_FLAG_PROVABLE;
- ret = gnutls_x509_privkey_generate2(key, key_type, bits, flags, kdata, kdata_size);
+ ret =
+ gnutls_x509_privkey_generate2(key, key_type, bits, flags, kdata,
+ kdata_size);
if (ret < 0) {
- fprintf(stderr, "privkey_generate: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "privkey_generate: %s\n", gnutls_strerror(ret));
app_exit(1);
}
@@ -280,7 +292,6 @@ generate_private_key_int(common_info_st * cinfo)
return key;
}
-
static void generate_private_key(common_info_st * cinfo)
{
gnutls_x509_privkey_t key;
@@ -300,16 +311,20 @@ static void verify_provable_privkey(common_info_st * cinfo)
pkey = load_private_key(1, cinfo);
if (cinfo->seed_size > 0) {
- ret = gnutls_privkey_verify_seed(pkey, 0, cinfo->seed, cinfo->seed_size);
+ ret =
+ gnutls_privkey_verify_seed(pkey, 0, cinfo->seed,
+ cinfo->seed_size);
} else {
ret = gnutls_privkey_verify_seed(pkey, 0, NULL, 0);
}
if (ret < 0) {
if (ret == GNUTLS_E_UNIMPLEMENTED_FEATURE)
- fprintf(stderr, "The private key type cannot be associated with validated parameters\n");
+ fprintf(stderr,
+ "The private key type cannot be associated with validated parameters\n");
else
- fprintf(stderr, "Error verifying private key: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error verifying private key: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
@@ -449,15 +464,20 @@ generate_certificate(gnutls_privkey_t * ret_key,
ask = 0;
secs = get_expiration_date();
- if (ca_crt && (secs > gnutls_x509_crt_get_expiration_time(ca_crt))) {
- time_t exp = gnutls_x509_crt_get_expiration_time(ca_crt);
- fprintf(stderr, "\nExpiration time: %s\n", simple_ctime(&secs, timebuf));
- fprintf(stderr, "CA expiration time: %s\n", simple_ctime(&exp, timebuf));
- fprintf(stderr, "Warning: The time set exceeds the CA's expiration time\n");
+ if (ca_crt
+ && (secs > gnutls_x509_crt_get_expiration_time(ca_crt))) {
+ time_t exp =
+ gnutls_x509_crt_get_expiration_time(ca_crt);
+ fprintf(stderr, "\nExpiration time: %s\n",
+ simple_ctime(&secs, timebuf));
+ fprintf(stderr, "CA expiration time: %s\n",
+ simple_ctime(&exp, timebuf));
+ fprintf(stderr,
+ "Warning: The time set exceeds the CA's expiration time\n");
ask = 1;
}
- } while(batch == 0 && ask != 0 && read_yesno("Is it ok to proceed? (y/N): ", 0) == 0);
-
+ } while (batch == 0 && ask != 0
+ && read_yesno("Is it ok to proceed? (y/N): ", 0) == 0);
result = gnutls_x509_crt_set_expiration_time(crt, secs);
if (result < 0) {
@@ -497,8 +517,7 @@ generate_certificate(gnutls_privkey_t * ret_key,
("1.3.6.1.5.5.7.21.2 ::= id-ppl-independent\n");
}
- policylanguage =
- get_proxy_policy(&policy, &policylen);
+ policylanguage = get_proxy_policy(&policy, &policylen);
result =
gnutls_x509_crt_set_proxy(crt, proxypathlen,
@@ -565,23 +584,18 @@ generate_certificate(gnutls_privkey_t * ret_key,
}
if (!ca_status || server) {
- if (pk == GNUTLS_PK_RSA ||
- pk == GNUTLS_PK_GOST_01 ||
- pk == GNUTLS_PK_GOST_12_256 ||
- pk == GNUTLS_PK_GOST_12_512) { /* DSA and ECDSA keys can only sign. */
+ if (pk == GNUTLS_PK_RSA || pk == GNUTLS_PK_GOST_01 || pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) { /* DSA and ECDSA keys can only sign. */
result = get_sign_status(server);
if (result)
- usage |=
- GNUTLS_KEY_DIGITAL_SIGNATURE;
+ usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
result = get_encrypt_status(server);
if (result)
- usage |=
- GNUTLS_KEY_KEY_ENCIPHERMENT;
+ usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
} else if (pk == GNUTLS_PK_ECDH_X25519 ||
- pk == GNUTLS_PK_ECDH_X448) {
- /* X25519 and X448 are only for key agreement. */
- usage |= GNUTLS_KEY_KEY_AGREEMENT;
+ pk == GNUTLS_PK_ECDH_X448) {
+ /* X25519 and X448 are only for key agreement. */
+ usage |= GNUTLS_KEY_KEY_AGREEMENT;
} else {
usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
}
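Review bot: The reformatted `if (pk == GNUTLS_PK_RSA || pk == GNUTLS_PK_GOST_01 || ...` condition in this hunk was collapsed onto a single line well past the width the rest of the commit wraps at, apparently because the trailing `/* DSA and ECDSA keys can only sign. */` comment kept the indent tool from breaking the expression. Moving the comment onto its own line above the condition lets it wrap like the neighbouring code: `/* DSA and ECDSA keys can only sign. */`, `if (pk == GNUTLS_PK_RSA || pk == GNUTLS_PK_GOST_01`, `    || pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) {`. The enclosing generate_certificate function starts and ends outside this hunk.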
@@ -672,7 +686,6 @@ generate_certificate(gnutls_privkey_t * ret_key,
if (result)
usage |= GNUTLS_KEY_CRL_SIGN;
-
crt_constraints_set(crt);
}
@@ -696,7 +709,9 @@ generate_certificate(gnutls_privkey_t * ret_key,
/* Subject Key ID.
*/
size = lbuffer_size;
- result = gnutls_x509_crt_get_key_id(crt, GNUTLS_KEYID_USE_SHA1, lbuffer, &size);
+ result =
+ gnutls_x509_crt_get_key_id(crt, GNUTLS_KEYID_USE_SHA1,
+ lbuffer, &size);
if (result >= 0) {
result =
gnutls_x509_crt_set_subject_key_id(crt, lbuffer,
@@ -715,8 +730,7 @@ generate_certificate(gnutls_privkey_t * ret_key,
result =
gnutls_x509_crt_get_subject_key_id(ca_crt,
lbuffer,
- &size,
- NULL);
+ &size, NULL);
if (result >= 0) {
result =
gnutls_x509_crt_set_authority_key_id
@@ -744,10 +758,13 @@ generate_certificate(gnutls_privkey_t * ret_key,
app_exit(1);
}
- if ((HAVE_OPT(KEY_TYPE) || req_key_type != REQ_KEY_TYPE_DEFAULT) && req_key_type != pk) {
+ if ((HAVE_OPT(KEY_TYPE) || req_key_type != REQ_KEY_TYPE_DEFAULT)
+ && req_key_type != pk) {
if (pk != GNUTLS_PK_RSA || req_key_type != GNUTLS_PK_RSA_PSS) {
- fprintf(stderr, "cannot set certificate type (%s) incompatible with the key (%s)\n",
- gnutls_pk_get_name(req_key_type), gnutls_pk_get_name(pk));
+ fprintf(stderr,
+ "cannot set certificate type (%s) incompatible with the key (%s)\n",
+ gnutls_pk_get_name(req_key_type),
+ gnutls_pk_get_name(pk));
app_exit(1);
}
}
@@ -766,7 +783,8 @@ generate_certificate(gnutls_privkey_t * ret_key,
if (result >= 0) {
result = gnutls_x509_crt_set_spki(crt, spki, 0);
if (result < 0) {
- fprintf(stderr, "error setting RSA-PSS SPKI information: %s\n",
+ fprintf(stderr,
+ "error setting RSA-PSS SPKI information: %s\n",
gnutls_strerror(result));
app_exit(1);
}
@@ -786,7 +804,8 @@ generate_certificate(gnutls_privkey_t * ret_key,
result = gnutls_x509_crt_set_spki(crt, spki, 0);
if (result < 0) {
- fprintf(stderr, "error setting RSA-PSS SPKI information: %s\n",
+ fprintf(stderr,
+ "error setting RSA-PSS SPKI information: %s\n",
gnutls_strerror(result));
app_exit(1);
}
@@ -828,7 +847,8 @@ generate_crl(gnutls_x509_crt_t ca_crt, common_info_st * cinfo)
} else {
result = gnutls_x509_crl_init(&crl);
if (result < 0) {
- fprintf(stderr, "crl_init: %s\n", gnutls_strerror(result));
+ fprintf(stderr, "crl_init: %s\n",
+ gnutls_strerror(result));
app_exit(1);
}
}
@@ -852,25 +872,21 @@ generate_crl(gnutls_x509_crt_t ca_crt, common_info_st * cinfo)
result = gnutls_x509_crl_set_this_update(crl, this_update);
if (result < 0) {
- fprintf(stderr, "this_update: %s\n",
- gnutls_strerror(result));
+ fprintf(stderr, "this_update: %s\n", gnutls_strerror(result));
app_exit(1);
}
secs = get_crl_next_update();
- result =
- gnutls_x509_crl_set_next_update(crl, secs);
+ result = gnutls_x509_crl_set_next_update(crl, secs);
if (result < 0) {
- fprintf(stderr, "next_update: %s\n",
- gnutls_strerror(result));
+ fprintf(stderr, "next_update: %s\n", gnutls_strerror(result));
app_exit(1);
}
result = gnutls_x509_crl_set_version(crl, 2);
if (result < 0) {
- fprintf(stderr, "set_version: %s\n",
- gnutls_strerror(result));
+ fprintf(stderr, "set_version: %s\n", gnutls_strerror(result));
app_exit(1);
}
@@ -883,8 +899,7 @@ generate_crl(gnutls_x509_crt_t ca_crt, common_info_st * cinfo)
if (result >= 0) {
result =
gnutls_x509_crl_set_authority_key_id(crl,
- lbuffer,
- size);
+ lbuffer, size);
if (result < 0) {
fprintf(stderr, "set_authority_key_id: %s\n",
gnutls_strerror(result));
@@ -913,15 +928,15 @@ generate_crl(gnutls_x509_crt_t ca_crt, common_info_st * cinfo)
return crl;
}
-static gnutls_digest_algorithm_t get_dig_for_pub(gnutls_pubkey_t pubkey, common_info_st * cinfo)
+static gnutls_digest_algorithm_t get_dig_for_pub(gnutls_pubkey_t pubkey,
+ common_info_st * cinfo)
{
gnutls_digest_algorithm_t dig;
int result;
unsigned int mand;
result =
- gnutls_pubkey_get_preferred_hash_algorithm(pubkey, &dig,
- &mand);
+ gnutls_pubkey_get_preferred_hash_algorithm(pubkey, &dig, &mand);
if (result < 0) {
{
fprintf(stderr,
@@ -938,7 +953,8 @@ static gnutls_digest_algorithm_t get_dig_for_pub(gnutls_pubkey_t pubkey, common_
return dig;
}
-static gnutls_digest_algorithm_t get_dig(gnutls_x509_crt_t crt, common_info_st * cinfo)
+static gnutls_digest_algorithm_t get_dig(gnutls_x509_crt_t crt,
+ common_info_st * cinfo)
{
gnutls_digest_algorithm_t dig;
gnutls_pubkey_t pubkey;
@@ -989,14 +1005,14 @@ void generate_self_signed(common_info_st * cinfo)
flags |= GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS;
result =
- gnutls_x509_crt_privkey_sign(crt, crt, key, get_dig(crt, cinfo), flags);
+ gnutls_x509_crt_privkey_sign(crt, crt, key, get_dig(crt, cinfo),
+ flags);
if (result < 0) {
fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result));
app_exit(1);
}
- result =
- gnutls_x509_crt_export2(crt, outcert_format, &out);
+ result = gnutls_x509_crt_export2(crt, outcert_format, &out);
if (result < 0) {
fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result));
app_exit(1);
@@ -1041,8 +1057,7 @@ static void generate_signed_certificate(common_info_st * cinfo)
app_exit(1);
}
- result =
- gnutls_x509_crt_export2(crt, outcert_format, &out);
+ result = gnutls_x509_crt_export2(crt, outcert_format, &out);
if (result < 0) {
fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result));
app_exit(1);
@@ -1080,15 +1095,14 @@ static void generate_proxy_certificate(common_info_st * cinfo)
flags |= GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS;
result =
- gnutls_x509_crt_privkey_sign(crt, eecrt, eekey, get_dig(eecrt, cinfo),
- flags);
+ gnutls_x509_crt_privkey_sign(crt, eecrt, eekey,
+ get_dig(eecrt, cinfo), flags);
if (result < 0) {
fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result));
app_exit(1);
}
- result =
- gnutls_x509_crt_export2(crt, outcert_format, &out);
+ result = gnutls_x509_crt_export2(crt, outcert_format, &out);
if (result < 0) {
fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result));
app_exit(1);
@@ -1147,7 +1161,6 @@ static void update_signed_certificate(common_info_st * cinfo)
fprintf(stdlog, "Generating a signed certificate...\n");
-
ca_key = load_ca_private_key(cinfo);
ca_crt = load_ca_cert(1, cinfo);
crt = load_cert(1, cinfo);
@@ -1196,8 +1209,7 @@ static void update_signed_certificate(common_info_st * cinfo)
app_exit(1);
}
- result =
- gnutls_x509_crt_export2(crt, outcert_format, &out);
+ result = gnutls_x509_crt_export2(crt, outcert_format, &out);
if (result < 0) {
fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result));
app_exit(1);
@@ -1213,12 +1225,13 @@ static void load_infile(const char *file)
{
struct stat st;
if (stat(file, &st) == 0) {
- fix_lbuffer(2*st.st_size);
+ fix_lbuffer(2 * st.st_size);
}
infile = fopen(file, "rb");
if (infile == NULL) {
- fprintf(stderr, "Cannot open %s for reading\n", OPT_ARG(INFILE));
+ fprintf(stderr, "Cannot open %s for reading\n",
+ OPT_ARG(INFILE));
app_exit(1);
}
}
@@ -1246,7 +1259,8 @@ static void cmd_parser(int argc, char **argv)
if (HAVE_OPT(OUTFILE)) {
outfile = safe_open_rw(OPT_ARG(OUTFILE), privkey_op);
if (outfile == NULL) {
- fprintf(stderr, "Cannot open %s for writing\n", OPT_ARG(OUTFILE));
+ fprintf(stderr, "Cannot open %s for writing\n",
+ OPT_ARG(OUTFILE));
app_exit(1);
}
outfile_name = OPT_ARG(OUTFILE);
@@ -1274,7 +1288,6 @@ static void cmd_parser(int argc, char **argv)
load_infile(OPT_ARG(INFILE));
}
-
fix_lbuffer(0);
if (HAVE_OPT(INDER))
@@ -1308,12 +1321,11 @@ static void cmd_parser(int argc, char **argv)
template_parse(OPT_ARG(TEMPLATE));
}
-
gnutls_global_set_log_function(tls_log_func);
if (HAVE_OPT(DEBUG)) {
gnutls_global_set_log_level(OPT_VALUE_DEBUG);
- printf("Setting log level to %d\n", (int) OPT_VALUE_DEBUG);
+ printf("Setting log level to %d\n", (int)OPT_VALUE_DEBUG);
}
if ((ret = gnutls_global_init()) < 0) {
@@ -1332,7 +1344,6 @@ static void cmd_parser(int argc, char **argv)
app_exit(1);
}
}
-
#ifdef ENABLE_PKCS11
if (HAVE_OPT(PROVIDER)) {
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
@@ -1341,8 +1352,7 @@ static void cmd_parser(int argc, char **argv)
gnutls_strerror(ret));
else {
ret =
- gnutls_pkcs11_add_provider(OPT_ARG(PROVIDER),
- NULL);
+ gnutls_pkcs11_add_provider(OPT_ARG(PROVIDER), NULL);
if (ret < 0) {
fprintf(stderr, "pkcs11_add_provider: %s",
gnutls_strerror(ret));
@@ -1389,7 +1399,8 @@ static void cmd_parser(int argc, char **argv)
cinfo.pkcs8 = HAVE_OPT(PKCS8);
cinfo.incert_format = incert_format;
cinfo.outcert_format = outcert_format;
- cinfo.outtext = ENABLED_OPT(TEXT) && outcert_format == GNUTLS_X509_FMT_PEM;
+ cinfo.outtext = ENABLED_OPT(TEXT)
+ && outcert_format == GNUTLS_X509_FMT_PEM;
if (HAVE_OPT(LOAD_CERTIFICATE))
cinfo.cert = OPT_ARG(LOAD_CERTIFICATE);
@@ -1440,14 +1451,19 @@ static void cmd_parser(int argc, char **argv)
if (HAVE_OPT(VERIFY_PROFILE)) {
if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none") == 0) {
- cinfo.verification_profile = (gnutls_sec_param_t)GNUTLS_PROFILE_UNKNOWN;
+ cinfo.verification_profile =
+ (gnutls_sec_param_t) GNUTLS_PROFILE_UNKNOWN;
} else {
- cinfo.verification_profile = (gnutls_sec_param_t)gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE));
+ cinfo.verification_profile = (gnutls_sec_param_t)
+ gnutls_certificate_verification_profile_get_id
+ (OPT_ARG(VERIFY_PROFILE));
}
} else if (!HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
if (HAVE_OPT(VERIFY_CHAIN) || HAVE_OPT(VERIFY)) {
- fprintf(stderr, "Note that no verification profile was selected. In the future the medium profile will be enabled by default.\n");
- fprintf(stderr, "Use --verify-profile low to apply the default verification of NORMAL priority string.\n");
+ fprintf(stderr,
+ "Note that no verification profile was selected. In the future the medium profile will be enabled by default.\n");
+ fprintf(stderr,
+ "Use --verify-profile low to apply the default verification of NORMAL priority string.\n");
}
/* cinfo.verification_profile = GNUTLS_PROFILE_LOW; */
}
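Review bot: An unrecognized `--verify-profile` name cannot be distinguished from `--verify-profile none` on the reindented `gnutls_certificate_verification_profile_get_id` lines: if that lookup yields GNUTLS_PROFILE_UNKNOWN for a name it does not know (which I believe it does), a typo such as `--verify-profile hgih` silently turns profile enforcement off, the opposite of what the operator asked for. The "none" branch above maps to the same value, so the two cases are indistinguishable once the lookup result is stored, and the only safe place to reject the bad name is right after the call. cmd_parser starts and ends outside this hunk.
```c
} else {
	cinfo.verification_profile = (gnutls_sec_param_t)
	    gnutls_certificate_verification_profile_get_id
	    (OPT_ARG(VERIFY_PROFILE));
	/* fail closed: a misspelled profile must not behave like "none" */
	if (cinfo.verification_profile ==
	    (gnutls_sec_param_t) GNUTLS_PROFILE_UNKNOWN) {
		fprintf(stderr, "unknown verification profile: %s\n",
			OPT_ARG(VERIFY_PROFILE));
		app_exit(1);
	}
}
```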
@@ -1512,7 +1528,8 @@ static void cmd_parser(int argc, char **argv)
else if (HAVE_OPT(P7_DETACHED_SIGN))
pkcs7_sign(&cinfo, 0);
else if (HAVE_OPT(P7_VERIFY))
- verify_pkcs7(&cinfo, OPT_ARG(VERIFY_PURPOSE), ENABLED_OPT(P7_SHOW_DATA));
+ verify_pkcs7(&cinfo, OPT_ARG(VERIFY_PURPOSE),
+ ENABLED_OPT(P7_SHOW_DATA));
else if (HAVE_OPT(P8_INFO))
pkcs8_info();
else if (HAVE_OPT(SMIME_TO_P7))
@@ -1527,7 +1544,6 @@ static void cmd_parser(int argc, char **argv)
if (outfile != stdout)
fclose(outfile);
-
free(cinfo.seed);
#ifdef ENABLE_PKCS11
gnutls_pkcs11_deinit();
@@ -1544,7 +1560,7 @@ void certificate_info(int pubkey, common_info_st * cinfo)
gnutls_datum_t pem;
unsigned int crt_num;
- pem.data = (void *) fread_file(infile, 0, &size);
+ pem.data = (void *)fread_file(infile, 0, &size);
pem.size = size;
if (!pem.data) {
@@ -1553,7 +1569,8 @@ void certificate_info(int pubkey, common_info_st * cinfo)
}
ret =
- gnutls_x509_crt_list_import2(&crts, &crt_num, &pem, incert_format, 0);
+ gnutls_x509_crt_list_import2(&crts, &crt_num, &pem, incert_format,
+ 0);
if (ret < 0) {
fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
app_exit(1);
@@ -1582,7 +1599,8 @@ void certificate_info(int pubkey, common_info_st * cinfo)
pubkey_info(crts[i], cinfo);
} else {
ret =
- gnutls_x509_crt_export2(crts[i], outcert_format, &out);
+ gnutls_x509_crt_export2(crts[i], outcert_format,
+ &out);
if (ret < 0) {
fprintf(stderr, "export error: %s\n",
gnutls_strerror(ret));
@@ -1624,7 +1642,8 @@ print_certificate_info(gnutls_x509_crt_t crt, FILE * out, unsigned int all)
}
}
-static void print_crl_info(gnutls_x509_crl_t crl, FILE * out, common_info_st *cinfo)
+static void print_crl_info(gnutls_x509_crl_t crl, FILE * out,
+ common_info_st * cinfo)
{
gnutls_datum_t data;
gnutls_datum_t cout;
@@ -1633,7 +1652,8 @@ static void print_crl_info(gnutls_x509_crl_t crl, FILE * out, common_info_st *ci
if (cinfo->outtext) {
ret = gnutls_x509_crl_print(crl, full_format, &data);
if (ret < 0) {
- fprintf(stderr, "crl_print: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "crl_print: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
fprintf(out, "%s\n", data.data);
@@ -1641,8 +1661,7 @@ static void print_crl_info(gnutls_x509_crl_t crl, FILE * out, common_info_st *ci
gnutls_free(data.data);
}
- ret =
- gnutls_x509_crl_export2(crl, outcert_format, &cout);
+ ret = gnutls_x509_crl_export2(crl, outcert_format, &cout);
if (ret < 0) {
fprintf(stderr, "crl_export: %s\n", gnutls_strerror(ret));
app_exit(1);
@@ -1652,7 +1671,7 @@ static void print_crl_info(gnutls_x509_crl_t crl, FILE * out, common_info_st *ci
gnutls_free(cout.data);
}
-void crl_info(common_info_st *cinfo)
+void crl_info(common_info_st * cinfo)
{
gnutls_x509_crl_t crl;
int ret;
@@ -1665,7 +1684,7 @@ void crl_info(common_info_st *cinfo)
app_exit(1);
}
- pem.data = (void *) fread_file(infile, 0, &size);
+ pem.data = (void *)fread_file(infile, 0, &size);
pem.size = size;
if (!pem.data) {
@@ -1686,7 +1705,8 @@ void crl_info(common_info_st *cinfo)
gnutls_x509_crl_deinit(crl);
}
-static void print_crq_info(gnutls_x509_crq_t crq, FILE * out, common_info_st *cinfo)
+static void print_crq_info(gnutls_x509_crq_t crq, FILE * out,
+ common_info_st * cinfo)
{
gnutls_datum_t data;
int ret;
@@ -1724,7 +1744,7 @@ static void print_crq_info(gnutls_x509_crq_t crq, FILE * out, common_info_st *ci
fwrite(lbuffer, 1, size, outfile);
}
-void crq_info(common_info_st *cinfo)
+void crq_info(common_info_st * cinfo)
{
gnutls_x509_crq_t crq;
int ret;
@@ -1737,7 +1757,7 @@ void crq_info(common_info_st *cinfo)
app_exit(1);
}
- pem.data = (void *) fread_file(infile, 0, &size);
+ pem.data = (void *)fread_file(infile, 0, &size);
pem.size = size;
if (!pem.data) {
@@ -1780,7 +1800,8 @@ void privkey_info(common_info_st * cinfo)
pem.size = size;
ret =
- gnutls_x509_privkey_import2(key, &pem, incert_format, NULL, GNUTLS_PKCS_PLAIN);
+ gnutls_x509_privkey_import2(key, &pem, incert_format, NULL,
+ GNUTLS_PKCS_PLAIN);
/* If we failed to import the certificate previously try PKCS #8 */
if (ret == GNUTLS_E_DECRYPTION_FAILED) {
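Review bot: The context comment `/* If we failed to import the certificate previously try PKCS #8 */` directly above the reindented lines is misleading: what is being imported is a private key (`gnutls_x509_privkey_import2` with GNUTLS_PKCS_PLAIN), and the retry is for an encrypted PKCS #8 key after the plain import reports GNUTLS_E_DECRYPTION_FAILED. Suggest `/* Plain import failed with DECRYPTION_FAILED: retry as an encrypted PKCS #8 key, prompting for the password */`; the same wording is repeated in privkey_to_rsa below and deserves the same fix. privkey_info starts and ends outside this hunk.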
@@ -1794,8 +1815,7 @@ void privkey_info(common_info_st * cinfo)
pass = get_password(cinfo, &flags, 0);
ret = gnutls_x509_privkey_import2(key, &pem,
- incert_format, pass,
- flags);
+ incert_format, pass, flags);
}
if (ret < 0) {
fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
@@ -1838,7 +1858,8 @@ static void privkey_to_rsa(common_info_st * cinfo)
pem.size = size;
ret =
- gnutls_x509_privkey_import2(key, &pem, incert_format, NULL, GNUTLS_PKCS_PLAIN);
+ gnutls_x509_privkey_import2(key, &pem, incert_format, NULL,
+ GNUTLS_PKCS_PLAIN);
/* If we failed to import the certificate previously try PKCS #8 */
if (ret == GNUTLS_E_DECRYPTION_FAILED) {
@@ -1852,8 +1873,7 @@ static void privkey_to_rsa(common_info_st * cinfo)
pass = get_password(cinfo, &flags, 0);
ret = gnutls_x509_privkey_import2(key, &pem,
- incert_format, pass,
- flags);
+ incert_format, pass, flags);
}
if (ret < 0) {
fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
@@ -1862,7 +1882,8 @@ static void privkey_to_rsa(common_info_st * cinfo)
ret = gnutls_x509_privkey_get_pk_algorithm(key);
if (ret != GNUTLS_PK_RSA && ret != GNUTLS_PK_RSA_PSS) {
- fprintf(stderr, "unexpected key type: %s\n", gnutls_pk_get_name(ret));
+ fprintf(stderr, "unexpected key type: %s\n",
+ gnutls_pk_get_name(ret));
app_exit(1);
}
@@ -1880,7 +1901,6 @@ static void privkey_to_rsa(common_info_st * cinfo)
gnutls_x509_privkey_deinit(key);
}
-
/* Generate a PKCS #10 certificate request.
*/
void generate_request(common_info_st * cinfo)
@@ -1906,7 +1926,8 @@ void generate_request(common_info_st * cinfo)
pkey = load_private_key(0, cinfo);
if (!pkey) {
if (HAVE_OPT(LOAD_PUBKEY)) {
- fprintf(stderr, "--load-pubkey was specified without corresponding --load-privkey\n");
+ fprintf(stderr,
+ "--load-pubkey was specified without corresponding --load-privkey\n");
app_exit(1);
}
@@ -1962,8 +1983,7 @@ void generate_request(common_info_st * cinfo)
if (pass != NULL && pass[0] != 0) {
ret = gnutls_x509_crq_set_challenge_password(crq, pass);
if (ret < 0) {
- fprintf(stderr, "set_pass: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "set_pass: %s\n", gnutls_strerror(ret));
app_exit(1);
}
}
@@ -2001,7 +2021,8 @@ void generate_request(common_info_st * cinfo)
usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
} else { /* DSA and ECDSA are always signing */
if (get_encrypt_status(1))
- fprintf(stderr, "warning: this algorithm does not support encryption; disabling the encryption flag\n");
+ fprintf(stderr,
+ "warning: this algorithm does not support encryption; disabling the encryption flag\n");
usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
}
@@ -2071,7 +2092,6 @@ void generate_request(common_info_st * cinfo)
if (ret)
usage |= GNUTLS_KEY_CRL_SIGN;
-
}
ret = gnutls_x509_crq_set_key_usage(crq, usage);
@@ -2156,12 +2176,11 @@ static int detailed_verification(gnutls_x509_crt_t cert,
{
char tmp[255];
size_t tmp_size;
- gnutls_datum_t name = {NULL,0}, issuer_name = {NULL,0};
- gnutls_datum_t serial = {NULL,0};
+ gnutls_datum_t name = { NULL, 0 }, issuer_name = { NULL, 0 };
+ gnutls_datum_t serial = { NULL, 0 };
int ret;
- ret =
- gnutls_x509_crt_get_issuer_dn3(cert, &issuer_name, 0);
+ ret = gnutls_x509_crt_get_issuer_dn3(cert, &issuer_name, 0);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_get_issuer_dn: %s\n",
gnutls_strerror(ret));
@@ -2185,8 +2204,7 @@ static int detailed_verification(gnutls_x509_crt_t cert,
if (issuer != NULL) {
gnutls_free(issuer_name.data);
- ret =
- gnutls_x509_crt_get_dn3(issuer, &issuer_name, 0);
+ ret = gnutls_x509_crt_get_dn3(issuer, &issuer_name, 0);
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_get_issuer_dn: %s\n",
@@ -2197,14 +2215,14 @@ static int detailed_verification(gnutls_x509_crt_t cert,
fprintf(outfile, "\tChecked against: %s\n", issuer_name.data);
}
- fprintf(outfile, "\tSignature algorithm: %s\n", get_signature_algo(cert));
+ fprintf(outfile, "\tSignature algorithm: %s\n",
+ get_signature_algo(cert));
if (crl != NULL) {
gnutls_datum_t data;
gnutls_free(issuer_name.data);
- ret =
- gnutls_x509_crl_get_issuer_dn3(crl, &issuer_name, 0);
+ ret = gnutls_x509_crl_get_issuer_dn3(crl, &issuer_name, 0);
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crl_get_issuer_dn: %s\n",
@@ -2213,12 +2231,11 @@ static int detailed_verification(gnutls_x509_crt_t cert,
}
tmp_size = sizeof(tmp);
- ret =
- gnutls_x509_crl_get_number(crl, tmp, &tmp_size, NULL);
+ ret = gnutls_x509_crl_get_number(crl, tmp, &tmp_size, NULL);
if (ret < 0) {
- serial.data = (void*)gnutls_strdup("unnumbered");
+ serial.data = (void *)gnutls_strdup("unnumbered");
} else {
- data.data = (void *) tmp;
+ data.data = (void *)tmp;
data.size = tmp_size;
ret = gnutls_hex_encode2(&data, &serial);
@@ -2244,7 +2261,7 @@ static int detailed_verification(gnutls_x509_crt_t cert,
return 0;
}
-static void load_data(common_info_st *cinfo, gnutls_datum_t *data)
+static void load_data(common_info_st * cinfo, gnutls_datum_t * data)
{
FILE *fp;
size_t size;
@@ -2255,7 +2272,7 @@ static void load_data(common_info_st *cinfo, gnutls_datum_t *data)
app_exit(1);
}
- data->data = (void *) fread_file(fp, 0, &size);
+ data->data = (void *)fread_file(fp, 0, &size);
if (data->data == NULL) {
fprintf(stderr, "Error reading data file");
app_exit(1);
@@ -2277,24 +2294,36 @@ static gnutls_x509_trust_list_t load_tl(common_info_st * cinfo)
app_exit(1);
}
- if (cinfo->ca == NULL) { /* system */
+ if (cinfo->ca == NULL) { /* system */
ret = gnutls_x509_trust_list_add_system_trust(list, 0, 0);
if (ret < 0) {
fprintf(stderr, "Error loading system trust: %s\n",
gnutls_strerror(ret));
app_exit(1);
}
- fprintf(stderr, "Loaded system trust (%d CAs available)\n", ret);
+ fprintf(stderr, "Loaded system trust (%d CAs available)\n",
+ ret);
} else if (cinfo->ca != NULL) {
- ret = gnutls_x509_trust_list_add_trust_file(list, cinfo->ca, cinfo->crl, cinfo->incert_format, 0, 0);
+ ret =
+ gnutls_x509_trust_list_add_trust_file(list, cinfo->ca,
+ cinfo->crl,
+ cinfo->incert_format,
+ 0, 0);
if (ret < 0) {
- int ret2 = gnutls_x509_trust_list_add_trust_file(list, cinfo->ca, cinfo->crl, GNUTLS_X509_FMT_PEM, 0, 0);
+ int ret2 = gnutls_x509_trust_list_add_trust_file(list,
+ cinfo->
+ ca,
+ cinfo->
+ crl,
+ GNUTLS_X509_FMT_PEM,
+ 0, 0);
if (ret2 >= 0)
ret = ret2;
}
if (ret < 0) {
- fprintf(stderr, "gnutls_x509_trust_add_trust_file: %s\n",
+ fprintf(stderr,
+ "gnutls_x509_trust_add_trust_file: %s\n",
gnutls_strerror(ret));
app_exit(1);
}
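Review bot: The reindented PEM-fallback call now splits member accesses across lines (`cinfo->` / `ca,` and `cinfo->` / `crl,`), which is hard to read and easy to mis-edit; the indenter did that only because the declaration and the long call share one statement. Declaring `int ret2;` on its own line and then writing `ret2 = gnutls_x509_trust_list_add_trust_file(list, cinfo->ca, cinfo->crl, GNUTLS_X509_FMT_PEM, 0, 0);` lets it wrap at argument boundaries like the first call above it. A short comment such as `/* retry as PEM so a DER-formatted --infile still accepts a PEM CA bundle */` would also explain why the second attempt exists. load_tl starts and ends outside this hunk.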
@@ -2308,7 +2337,8 @@ static gnutls_x509_trust_list_t load_tl(common_info_st * cinfo)
/* Loads from a certificate chain, the last certificate on the
* trusted list. In addition it will load any CRLs if present.
*/
-static gnutls_x509_trust_list_t load_tl_from_cert_chain(const char *cert, int cert_size)
+static gnutls_x509_trust_list_t load_tl_from_cert_chain(const char *cert,
+ int cert_size)
{
gnutls_datum_t tmp;
gnutls_x509_crt_t *x509_cert_list = NULL;
@@ -2326,10 +2356,12 @@ static gnutls_x509_trust_list_t load_tl_from_cert_chain(const char *cert, int ce
app_exit(1);
}
- tmp.data = (void *) cert;
+ tmp.data = (void *)cert;
tmp.size = cert_size;
- ret = gnutls_x509_crt_list_import2(&x509_cert_list, &x509_ncerts, &tmp, GNUTLS_X509_FMT_PEM, 0);
+ ret =
+ gnutls_x509_crt_list_import2(&x509_cert_list, &x509_ncerts, &tmp,
+ GNUTLS_X509_FMT_PEM, 0);
if (ret < 0 || x509_ncerts < 1) {
fprintf(stderr, "error parsing CRTs: %s\n",
gnutls_strerror(ret));
@@ -2347,8 +2379,9 @@ static gnutls_x509_trust_list_t load_tl_from_cert_chain(const char *cert, int ce
/* add CAs */
ret =
- gnutls_x509_trust_list_add_cas(list, &x509_cert_list[x509_ncerts - 1],
- 1, 0);
+ gnutls_x509_trust_list_add_cas(list,
+ &x509_cert_list[x509_ncerts - 1], 1,
+ 0);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_trust_add_cas: %s\n",
gnutls_strerror(ret));
@@ -2368,7 +2401,7 @@ static gnutls_x509_trust_list_t load_tl_from_cert_chain(const char *cert, int ce
}
if (x509_ncerts > 1) {
- for (i=0;i<x509_ncerts-1;i++)
+ for (i = 0; i < x509_ncerts - 1; i++)
gnutls_x509_crt_deinit(x509_cert_list[i]);
}
gnutls_free(x509_cert_list);
@@ -2383,11 +2416,9 @@ static gnutls_x509_trust_list_t load_tl_from_cert_chain(const char *cert, int ce
*
* If @system is non-zero then the system's CA will be used.
*/
-static int
-_verify_x509_mem(const void *cert, int cert_size, common_info_st *cinfo,
- unsigned use_system_trust, /* if ca_file == NULL */
- const char *purpose,
- const char *hostname, const char *email)
+static int _verify_x509_mem(const void *cert, int cert_size, common_info_st * cinfo, unsigned use_system_trust, /* if ca_file == NULL */
+ const char *purpose,
+ const char *hostname, const char *email)
{
int ret;
unsigned i;
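Review bot: The reindented `_verify_x509_mem` prototype has collapsed into a single ~140-column line because the trailing `/* if ca_file == NULL */` comment after `use_system_trust` prevents the indenter from wrapping the parameter list; moving that remark out of the parameter list, e.g. `* use_system_trust is only consulted when cinfo->ca is NULL.` inside the doc comment above, lets the signature wrap one parameter per line like the rest of the file. That doc comment also still says "If @system is non-zero" while the parameter is named use_system_trust. The function body continues outside this hunk.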
@@ -2411,7 +2442,7 @@ _verify_x509_mem(const void *cert, int cert_size, common_info_st *cinfo,
}
}
- tmp.data = (void *) cert;
+ tmp.data = (void *)cert;
tmp.size = cert_size;
ret =
@@ -2430,26 +2461,25 @@ _verify_x509_mem(const void *cert, int cert_size, common_info_st *cinfo,
if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
-
if (purpose || hostname || email) {
gnutls_typed_vdata_st vdata[2];
unsigned vdata_size = 0;
if (purpose) {
vdata[vdata_size].type = GNUTLS_DT_KEY_PURPOSE_OID;
- vdata[vdata_size].data = (void*)purpose;
+ vdata[vdata_size].data = (void *)purpose;
vdata[vdata_size].size = strlen(purpose);
vdata_size++;
}
if (hostname) {
vdata[vdata_size].type = GNUTLS_DT_DNS_HOSTNAME;
- vdata[vdata_size].data = (void*)hostname;
+ vdata[vdata_size].data = (void *)hostname;
vdata[vdata_size].size = strlen(hostname);
vdata_size++;
} else if (email) {
vdata[vdata_size].type = GNUTLS_DT_RFC822NAME;
- vdata[vdata_size].data = (void*)email;
+ vdata[vdata_size].data = (void *)email;
vdata[vdata_size].size = strlen(email);
vdata_size++;
}
@@ -2482,7 +2512,7 @@ _verify_x509_mem(const void *cert, int cert_size, common_info_st *cinfo,
fprintf(outfile, "\n\n");
gnutls_x509_trust_list_deinit(list, 1);
- for (i=0;i<x509_ncerts;i++)
+ for (i = 0; i < x509_ncerts; i++)
gnutls_x509_crt_deinit(x509_cert_list[i]);
gnutls_free(x509_cert_list);
@@ -2523,11 +2553,12 @@ static void verify_chain(common_info_st * cinfo)
size_t size;
if (cinfo->ca != NULL) {
- fprintf(stderr, "This option cannot be combined with --load-ca-certificate\n");
+ fprintf(stderr,
+ "This option cannot be combined with --load-ca-certificate\n");
app_exit(1);
}
- buf = (void *) fread_file(infile, 0, &size);
+ buf = (void *)fread_file(infile, 0, &size);
if (buf == NULL) {
fprintf(stderr, "Error reading certificate chain");
app_exit(1);
@@ -2544,7 +2575,7 @@ static void verify_certificate(common_info_st * cinfo)
char *cas = NULL;
size_t cert_size;
- cert = (void *) fread_file(infile, 0, &cert_size);
+ cert = (void *)fread_file(infile, 0, &cert_size);
if (cert == NULL) {
fprintf(stderr, "Error reading certificate chain");
app_exit(1);
@@ -2556,7 +2587,6 @@ static void verify_certificate(common_info_st * cinfo)
free(cert);
free(cas);
-
}
void verify_crl(common_info_st * cinfo)
@@ -2587,7 +2617,7 @@ void verify_crl(common_info_st * cinfo)
app_exit(1);
}
- pem.data = (void *) fread_file(infile, 0, &size);
+ pem.data = (void *)fread_file(infile, 0, &size);
pem.size = size;
if (!pem.data) {
@@ -2638,15 +2668,17 @@ void verify_crl(common_info_st * cinfo)
app_exit(rc);
}
-static void print_pkcs7_sig_info(gnutls_pkcs7_signature_info_st *info, common_info_st *cinfo)
+static void print_pkcs7_sig_info(gnutls_pkcs7_signature_info_st * info,
+ common_info_st * cinfo)
{
int ret;
gnutls_datum_t str;
- ret = gnutls_pkcs7_print_signature_info(info, GNUTLS_CRT_PRINT_COMPACT, &str);
+ ret =
+ gnutls_pkcs7_print_signature_info(info, GNUTLS_CRT_PRINT_COMPACT,
+ &str);
if (ret < 0) {
- fprintf(stderr, "printing error: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "printing error: %s\n", gnutls_strerror(ret));
app_exit(1);
}
@@ -2654,13 +2686,14 @@ static void print_pkcs7_sig_info(gnutls_pkcs7_signature_info_st *info, common_in
gnutls_free(str.data);
}
-void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_data)
+void verify_pkcs7(common_info_st * cinfo, const char *purpose,
+ unsigned display_data)
{
gnutls_pkcs7_t pkcs7;
int ret, ecode;
size_t size;
- gnutls_datum_t data, detached = {NULL,0};
- gnutls_datum_t tmp = {NULL,0};
+ gnutls_datum_t data, detached = { NULL, 0 };
+ gnutls_datum_t tmp = { NULL, 0 };
int i;
gnutls_pkcs7_signature_info_st info;
gnutls_x509_trust_list_t tl = NULL;
@@ -2675,7 +2708,7 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
app_exit(1);
}
- data.data = (void *) fread_file(infile, 0, &size);
+ data.data = (void *)fread_file(infile, 0, &size);
data.size = size;
if (!data.data) {
@@ -2686,14 +2719,13 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
ret = gnutls_pkcs7_import(pkcs7, &data, cinfo->incert_format);
free(data.data);
if (ret < 0) {
- fprintf(stderr, "import error: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
app_exit(1);
}
if (cinfo->cert != NULL) {
signer = load_cert(1, cinfo);
- } else { /* trust list */
+ } else { /* trust list */
tl = load_tl(cinfo);
if (tl == NULL) {
fprintf(stderr, "error loading trust list\n");
@@ -2705,28 +2737,34 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
if (purpose) {
vdata[vdata_size].type = GNUTLS_DT_KEY_PURPOSE_OID;
- vdata[vdata_size].data = (void*)purpose;
+ vdata[vdata_size].data = (void *)purpose;
vdata[vdata_size].size = strlen(purpose);
vdata_size++;
}
ecode = 1;
- for (i=0;;i++) {
+ for (i = 0;; i++) {
ret = gnutls_pkcs7_get_signature_info(pkcs7, i, &info);
if (ret < 0)
break;
if (!display_data) {
- if (i==0) {
- fprintf(outfile, "eContent Type: %s\n", gnutls_pkcs7_get_embedded_data_oid(pkcs7));
+ if (i == 0) {
+ fprintf(outfile, "eContent Type: %s\n",
+ gnutls_pkcs7_get_embedded_data_oid
+ (pkcs7));
fprintf(outfile, "Signers:\n");
}
print_pkcs7_sig_info(&info, cinfo);
} else if (i == 0) {
if (!detached.data) {
- ret = gnutls_pkcs7_get_embedded_data(pkcs7, 0, &tmp);
+ ret =
+ gnutls_pkcs7_get_embedded_data(pkcs7, 0,
+ &tmp);
if (ret < 0) {
- fprintf(stderr, "error getting embedded data: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "error getting embedded data: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
@@ -2734,7 +2772,8 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
gnutls_free(tmp.data);
tmp.data = NULL;
} else {
- fwrite(detached.data, 1, detached.size, outfile);
+ fwrite(detached.data, 1, detached.size,
+ outfile);
}
}
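Review bot: With --p7-show-data the embedded or detached content is written to outfile on the `fwrite` lines here, in the first loop iteration, before any `gnutls_pkcs7_verify*` call has examined the signature (those calls come later in the same iteration, in the next hunk), so a consumer that pipes the output and does not check the exit status receives unverified data. Failure is reported only through ecode, so at minimum this deserves a comment such as `/* NOTE: content is emitted before the signature is verified; callers MUST check the exit status */`; holding the output until the verification below succeeds would be the safer fix. verify_pkcs7 starts and ends outside this hunk.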
@@ -2744,20 +2783,32 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
flags |= GNUTLS_VERIFY_ALLOW_BROKEN;
if (signer) {
- ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, flags);
+ ret =
+ gnutls_pkcs7_verify_direct(pkcs7, signer, i,
+ detached.data !=
+ NULL ? &detached : NULL,
+ flags);
if (ret >= 0 && purpose) {
- unsigned res = gnutls_x509_crt_check_key_purpose(signer, purpose, 0);
+ unsigned res =
+ gnutls_x509_crt_check_key_purpose(signer,
+ purpose,
+ 0);
if (res == 0)
ret = GNUTLS_E_CONSTRAINT_ERROR;
}
} else {
assert(tl != NULL);
- ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, flags);
+ ret =
+ gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i,
+ detached.data !=
+ NULL ? &detached : NULL, flags);
}
if (ret < 0) {
- fprintf(stderr, "\tSignature status: verification failed: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "\tSignature status: verification failed: %s\n",
+ gnutls_strerror(ret));
ecode = 1;
} else {
fprintf(stderr, "\tSignature status: ok\n");
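Review bot: On the `gnutls_pkcs7_verify_direct` path the certificate supplied via --load-certificate is trusted as-is: the new lines check the signature and, only when --verify-purpose was given, the key-purpose OID, with none of the chain, validity-period or CRL checks the trust-list path gets through `gnutls_pkcs7_verify`. That is presumably intended for the direct mode, but nothing in the code says so. Suggest a comment above the `if (signer)` line: `/* Direct mode: the caller-supplied signer is trusted unconditionally; only the signature (and the --verify-purpose OID) is checked, no chain/time/CRL validation */`. verify_pkcs7 starts and ends outside this hunk.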
@@ -2765,7 +2816,6 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
}
}
-
gnutls_pkcs7_deinit(pkcs7);
if (signer)
gnutls_x509_crt_deinit(signer);
@@ -2799,7 +2849,7 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
app_exit(1);
}
- data.data = (void *) fread_file(infile, 0, &size);
+ data.data = (void *)fread_file(infile, 0, &size);
data.size = size;
if (!data.data) {
@@ -2813,24 +2863,25 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
if (embed)
flags |= GNUTLS_PKCS7_EMBED_DATA;
- ret = gnutls_pkcs7_sign(pkcs7, *crts, key, &data, NULL, NULL, get_dig(*crts, cinfo), flags);
+ ret =
+ gnutls_pkcs7_sign(pkcs7, *crts, key, &data, NULL, NULL,
+ get_dig(*crts, cinfo), flags);
if (ret < 0) {
fprintf(stderr, "Error signing: %s\n", gnutls_strerror(ret));
app_exit(1);
}
- for (i=1;i<crt_size;i++) {
+ for (i = 1; i < crt_size; i++) {
ret = gnutls_pkcs7_set_crt(pkcs7, crts[i]);
if (ret < 0) {
- fprintf(stderr, "Error adding cert: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error adding cert: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
}
-
size = lbuffer_size;
- ret =
- gnutls_pkcs7_export(pkcs7, outcert_format, lbuffer, &size);
+ ret = gnutls_pkcs7_export(pkcs7, outcert_format, lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "pkcs7_export: %s\n", gnutls_strerror(ret));
app_exit(1);
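Review bot: The "Error adding cert" path in the reindented loop still calls bare `exit(1)` while every other failure in pkcs7_sign, and the rest of this file, goes through `app_exit(1)`; whatever app_exit does before exiting (its definition is not visible here) is skipped on this one path. Suggest `app_exit(1);` for consistency. pkcs7_sign starts and ends outside this hunk.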
@@ -2839,7 +2890,7 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
fwrite(lbuffer, 1, size, outfile);
gnutls_privkey_deinit(key);
- for (i=0;i<crt_size;i++) {
+ for (i = 0; i < crt_size; i++) {
gnutls_x509_crt_deinit(crts[i]);
}
gnutls_free(crts);
@@ -2866,28 +2917,29 @@ void pkcs7_generate(common_info_st * cinfo)
app_exit(1);
}
- for (i=0;i<crt_size;i++) {
+ for (i = 0; i < crt_size; i++) {
ret = gnutls_pkcs7_set_crt(pkcs7, crts[i]);
if (ret < 0) {
- fprintf(stderr, "Error adding cert: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error adding cert: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
gnutls_x509_crt_deinit(crts[i]);
}
gnutls_free(crts);
- for (i=0;i<crl_size;i++) {
+ for (i = 0; i < crl_size; i++) {
ret = gnutls_pkcs7_set_crl(pkcs7, crls[i]);
if (ret < 0) {
- fprintf(stderr, "Error adding CRL: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error adding CRL: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
gnutls_x509_crl_deinit(crls[i]);
}
gnutls_free(crls);
- ret =
- gnutls_pkcs7_export2(pkcs7, outcert_format, &tmp);
+ ret = gnutls_pkcs7_export2(pkcs7, outcert_format, &tmp);
if (ret < 0) {
fprintf(stderr, "pkcs7_export: %s\n", gnutls_strerror(ret));
app_exit(1);
@@ -2900,7 +2952,6 @@ void pkcs7_generate(common_info_st * cinfo)
app_exit(0);
}
-
void generate_pkcs8(common_info_st * cinfo)
{
gnutls_x509_privkey_t key;
@@ -2920,8 +2971,7 @@ void generate_pkcs8(common_info_st * cinfo)
size = lbuffer_size;
result =
gnutls_x509_privkey_export_pkcs8(key, outcert_format,
- password, flags, lbuffer,
- &size);
+ password, flags, lbuffer, &size);
if (result < 0) {
fprintf(stderr, "key_export: %s\n", gnutls_strerror(result));
@@ -2932,7 +2982,6 @@ void generate_pkcs8(common_info_st * cinfo)
}
-
#include <gnutls/pkcs12.h>
#include <unistd.h>
@@ -2965,12 +3014,13 @@ void generate_pkcs12(common_info_st * cinfo)
crls = load_crl_list(0, &ncrls, cinfo);
if (keys == NULL && crts == NULL && ca_crt == NULL && crls == NULL) {
- fprintf(stderr, "You must specify one of\n\t--load-privkey\n\t--load-certificate\n\t--load-ca-certificate\n\t--load-crl\n");
+ fprintf(stderr,
+ "You must specify one of\n\t--load-privkey\n\t--load-certificate\n\t--load-ca-certificate\n\t--load-crl\n");
app_exit(1);
}
if (cinfo->hash != GNUTLS_DIG_UNKNOWN)
- mac = (gnutls_mac_algorithm_t)cinfo->hash;
+ mac = (gnutls_mac_algorithm_t) cinfo->hash;
else
mac = GNUTLS_MAC_SHA256;
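Review bot: The reindented `mac = (gnutls_mac_algorithm_t) cinfo->hash;` relies on gnutls_digest_algorithm_t and gnutls_mac_algorithm_t sharing numeric values for the HMAC family, which GnuTLS documents in gnutls.h but which reads here like an arbitrary enum cast. Suggest `/* --hash names a digest; GnuTLS guarantees GNUTLS_DIG_x == GNUTLS_MAC_x, so the same id selects HMAC-x for the PKCS #12 MAC */` above the assignment so the next maintainer does not "fix" it. generate_pkcs12 starts and ends outside this hunk.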
@@ -2982,8 +3032,7 @@ void generate_pkcs12(common_info_st * cinfo)
result = gnutls_pkcs12_init(&pkcs12);
if (result < 0) {
- fprintf(stderr, "pkcs12_init: %s\n",
- gnutls_strerror(result));
+ fprintf(stderr, "pkcs12_init: %s\n", gnutls_strerror(result));
app_exit(1);
}
@@ -3024,7 +3073,8 @@ void generate_pkcs12(common_info_st * cinfo)
size = sizeof(_key_id);
result =
- gnutls_x509_crt_get_key_id(crts[i], GNUTLS_KEYID_USE_SHA1, _key_id, &size);
+ gnutls_x509_crt_get_key_id(crts[i], GNUTLS_KEYID_USE_SHA1,
+ _key_id, &size);
if (result < 0) {
fprintf(stderr, "key_id[%d]: %s\n", i,
gnutls_strerror(result));
@@ -3164,8 +3214,7 @@ void generate_pkcs12(common_info_st * cinfo)
indx = result;
- result =
- gnutls_pkcs12_bag_set_friendly_name(kbag, indx, name);
+ result = gnutls_pkcs12_bag_set_friendly_name(kbag, indx, name);
if (result < 0) {
fprintf(stderr, "bag_set_friendly_name: %s\n",
gnutls_strerror(result));
@@ -3174,8 +3223,9 @@ void generate_pkcs12(common_info_st * cinfo)
size = sizeof(_key_id);
result =
- gnutls_x509_privkey_get_key_id(keys[i], GNUTLS_KEYID_USE_SHA1, _key_id,
- &size);
+ gnutls_x509_privkey_get_key_id(keys[i],
+ GNUTLS_KEYID_USE_SHA1,
+ _key_id, &size);
if (result < 0) {
fprintf(stderr, "key_id[%d]: %s\n", i,
gnutls_strerror(result));
@@ -3203,22 +3253,19 @@ void generate_pkcs12(common_info_st * cinfo)
result = gnutls_pkcs12_generate_mac2(pkcs12, mac, pass);
if (result < 0) {
- fprintf(stderr, "generate_mac: %s\n",
- gnutls_strerror(result));
+ fprintf(stderr, "generate_mac: %s\n", gnutls_strerror(result));
app_exit(1);
}
size = lbuffer_size;
- result =
- gnutls_pkcs12_export(pkcs12, outcert_format, lbuffer, &size);
+ result = gnutls_pkcs12_export(pkcs12, outcert_format, lbuffer, &size);
if (result < 0) {
- fprintf(stderr, "pkcs12_export: %s\n",
- gnutls_strerror(result));
+ fprintf(stderr, "pkcs12_export: %s\n", gnutls_strerror(result));
app_exit(1);
}
fwrite(lbuffer, 1, size, outfile);
- for (i=0;i<ncrts;i++)
+ for (i = 0; i < ncrts; i++)
gnutls_x509_crt_deinit(crts[i]);
gnutls_free(crts);
gnutls_x509_crt_deinit(ca_crt);
@@ -3282,14 +3329,13 @@ static void print_bag_data(gnutls_pkcs12_bag_t bag, int outtext)
app_exit(1);
}
- if (type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY &&
- outtext)
- pkcs8_info_int(&cdata, GNUTLS_X509_FMT_DER, 1, outfile, "\t");
+ if (type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY && outtext)
+ pkcs8_info_int(&cdata, GNUTLS_X509_FMT_DER, 1, outfile,
+ "\t");
name = NULL;
result =
- gnutls_pkcs12_bag_get_friendly_name(bag, i,
- (char **) &name);
+ gnutls_pkcs12_bag_get_friendly_name(bag, i, (char **)&name);
if (result < 0) {
fprintf(stderr, "get_friendly_name: %s\n",
gnutls_strerror(result));
@@ -3312,7 +3358,6 @@ static void print_bag_data(gnutls_pkcs12_bag_t bag, int outtext)
fprintf(outfile, "\tKey ID: %s\n",
raw_to_string(id.data, id.size));
-
switch (type) {
case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
str = "ENCRYPTED PRIVATE KEY";
@@ -3333,9 +3378,12 @@ static void print_bag_data(gnutls_pkcs12_bag_t bag, int outtext)
}
if (str != NULL) {
- result = gnutls_pem_base64_encode_alloc(str, &cdata, &out);
+ result =
+ gnutls_pem_base64_encode_alloc(str, &cdata, &out);
if (result < 0) {
- fprintf(stderr, "Error in base64 encoding: %s\n", gnutls_strerror(result));
+ fprintf(stderr,
+ "Error in base64 encoding: %s\n",
+ gnutls_strerror(result));
app_exit(1);
}
fprintf(outfile, "%s", out.data);
@@ -3346,13 +3394,13 @@ static void print_bag_data(gnutls_pkcs12_bag_t bag, int outtext)
}
static
-void pkcs12_bag_enc_info(gnutls_pkcs12_bag_t bag, FILE *out)
+void pkcs12_bag_enc_info(gnutls_pkcs12_bag_t bag, FILE * out)
{
int ret;
unsigned schema;
unsigned cipher;
unsigned char salt[32];
- char hex[64+1];
+ char hex[64 + 1];
unsigned salt_size = sizeof(salt);
unsigned iter_count;
gnutls_datum_t bin;
@@ -3361,7 +3409,8 @@ void pkcs12_bag_enc_info(gnutls_pkcs12_bag_t bag, FILE *out)
char *oid = NULL;
ret = gnutls_pkcs12_bag_enc_info(bag,
- &schema, &cipher, salt, &salt_size, &iter_count, &oid);
+ &schema, &cipher, salt, &salt_size,
+ &iter_count, &oid);
if (ret == GNUTLS_E_UNKNOWN_CIPHER_TYPE) {
fprintf(out, "\tSchema: unsupported (%s)\n", oid);
gnutls_free(oid);
@@ -3379,15 +3428,15 @@ void pkcs12_bag_enc_info(gnutls_pkcs12_bag_t bag, FILE *out)
str = gnutls_pkcs_schema_get_name(schema);
if (str != NULL) {
- fprintf(out, "\tSchema: %s (%s)\n", str, gnutls_pkcs_schema_get_oid(schema));
+ fprintf(out, "\tSchema: %s (%s)\n", str,
+ gnutls_pkcs_schema_get_oid(schema));
}
bin.data = salt;
bin.size = salt_size;
ret = gnutls_hex_encode(&bin, hex, &hex_size);
if (ret < 0) {
- fprintf(stderr, "hex encode error: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "hex encode error: %s\n", gnutls_strerror(ret));
app_exit(1);
}
@@ -3402,7 +3451,7 @@ void pkcs12_info(common_info_st * cinfo)
gnutls_pkcs12_bag_t bag;
gnutls_mac_algorithm_t mac_algo;
char *mac_oid = NULL;
- char hex[64+1];
+ char hex[64 + 1];
size_t hex_size = sizeof(hex);
char salt[32];
unsigned int salt_size;
@@ -3419,7 +3468,7 @@ void pkcs12_info(common_info_st * cinfo)
app_exit(1);
}
- data.data = (void *) fread_file(infile, 0, &size);
+ data.data = (void *)fread_file(infile, 0, &size);
data.size = size;
if (!data.data) {
@@ -3435,7 +3484,9 @@ void pkcs12_info(common_info_st * cinfo)
}
salt_size = sizeof(salt);
- result = gnutls_pkcs12_mac_info(pkcs12, &mac_algo, salt, &salt_size, &mac_iter, &mac_oid);
+ result =
+ gnutls_pkcs12_mac_info(pkcs12, &mac_algo, salt, &salt_size,
+ &mac_iter, &mac_oid);
if (result == GNUTLS_E_UNKNOWN_HASH_ALGORITHM && cinfo->outtext) {
fprintf(outfile, "MAC info:\n");
if (mac_oid != NULL)
@@ -3444,9 +3495,10 @@ void pkcs12_info(common_info_st * cinfo)
gnutls_datum_t bin;
fprintf(outfile, "MAC info:\n");
- fprintf(outfile, "\tMAC: %s (%s)\n", gnutls_mac_get_name(mac_algo), mac_oid);
+ fprintf(outfile, "\tMAC: %s (%s)\n",
+ gnutls_mac_get_name(mac_algo), mac_oid);
- bin.data = (void*)salt;
+ bin.data = (void *)salt;
bin.size = salt_size;
result = gnutls_hex_encode(&bin, hex, &hex_size);
if (result < 0) {
@@ -3504,7 +3556,8 @@ void pkcs12_info(common_info_st * cinfo)
if (result == GNUTLS_BAG_ENCRYPTED) {
if (cinfo->outtext) {
- fprintf(outfile, "\tType: %s\n", BAGTYPE(result));
+ fprintf(outfile, "\tType: %s\n",
+ BAGTYPE(result));
pkcs12_bag_enc_info(bag, outfile);
fprintf(outfile, "\n\tDecrypting...\n");
}
@@ -3536,20 +3589,19 @@ void pkcs12_info(common_info_st * cinfo)
gnutls_pkcs12_deinit(pkcs12);
if (fail) {
- fprintf(stderr,
- "There were errors parsing the structure\n");
+ fprintf(stderr, "There were errors parsing the structure\n");
app_exit(1);
}
}
-void pkcs8_info_int(gnutls_datum_t *data, unsigned format,
- unsigned ignore_err, FILE *out, const char *tab)
+void pkcs8_info_int(gnutls_datum_t * data, unsigned format,
+ unsigned ignore_err, FILE * out, const char *tab)
{
int ret;
unsigned schema;
unsigned cipher;
unsigned char salt[32];
- char hex[64+1];
+ char hex[64 + 1];
unsigned salt_size = sizeof(salt);
unsigned iter_count;
gnutls_datum_t bin;
@@ -3558,7 +3610,8 @@ void pkcs8_info_int(gnutls_datum_t *data, unsigned format,
char *oid = NULL;
ret = gnutls_pkcs8_info(data, format,
- &schema, &cipher, salt, &salt_size, &iter_count, &oid);
+ &schema, &cipher, salt, &salt_size, &iter_count,
+ &oid);
if (ret == GNUTLS_E_UNKNOWN_CIPHER_TYPE) {
fprintf(out, "PKCS #8 information:\n");
fprintf(out, "\tSchema: unsupported (%s)\n", oid);
@@ -3582,16 +3635,15 @@ void pkcs8_info_int(gnutls_datum_t *data, unsigned format,
str = gnutls_pkcs_schema_get_name(schema);
if (str != NULL) {
- fprintf(out, "%s\tSchema: %s (%s)\n", tab, str, gnutls_pkcs_schema_get_oid(schema));
+ fprintf(out, "%s\tSchema: %s (%s)\n", tab, str,
+ gnutls_pkcs_schema_get_oid(schema));
}
-
bin.data = salt;
bin.size = salt_size;
ret = gnutls_hex_encode(&bin, hex, &hex_size);
if (ret < 0) {
- fprintf(stderr, "hex encode error: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "hex encode error: %s\n", gnutls_strerror(ret));
app_exit(1);
}
@@ -3608,7 +3660,7 @@ void pkcs8_info(void)
size_t size;
gnutls_datum_t data;
- data.data = (void *) fread_file(infile, 0, &size);
+ data.data = (void *)fread_file(infile, 0, &size);
data.size = size;
if (!data.data) {
@@ -3620,7 +3672,7 @@ void pkcs8_info(void)
free(data.data);
}
-void pkcs7_info(common_info_st *cinfo, unsigned display_data)
+void pkcs7_info(common_info_st * cinfo, unsigned display_data)
{
gnutls_pkcs7_t pkcs7;
int ret;
@@ -3633,7 +3685,7 @@ void pkcs7_info(common_info_st *cinfo, unsigned display_data)
app_exit(1);
}
- data.data = (void *) fread_file(infile, 0, &size);
+ data.data = (void *)fread_file(infile, 0, &size);
data.size = size;
if (!data.data) {
@@ -3644,8 +3696,7 @@ void pkcs7_info(common_info_st *cinfo, unsigned display_data)
ret = gnutls_pkcs7_import(pkcs7, &data, incert_format);
free(data.data);
if (ret < 0) {
- fprintf(stderr, "import error: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
app_exit(1);
}
@@ -3655,7 +3706,9 @@ void pkcs7_info(common_info_st *cinfo, unsigned display_data)
ret = gnutls_pkcs7_get_embedded_data(pkcs7, 0, &tmp);
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
if (ret < 0) {
- fprintf(stderr, "error getting embedded data: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "error getting embedded data: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
@@ -3667,7 +3720,9 @@ void pkcs7_info(common_info_st *cinfo, unsigned display_data)
}
} else {
if (cinfo->outtext) {
- ret = gnutls_pkcs7_print(pkcs7, GNUTLS_CRT_PRINT_FULL, &str);
+ ret =
+ gnutls_pkcs7_print(pkcs7, GNUTLS_CRT_PRINT_FULL,
+ &str);
if (ret < 0) {
fprintf(stderr, "printing error: %s\n",
gnutls_strerror(ret));
@@ -3680,8 +3735,7 @@ void pkcs7_info(common_info_st *cinfo, unsigned display_data)
size = lbuffer_size;
ret =
- gnutls_pkcs7_export(pkcs7, outcert_format,
- lbuffer, &size);
+ gnutls_pkcs7_export(pkcs7, outcert_format, lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "export error: %s\n",
gnutls_strerror(ret));
@@ -3788,8 +3842,7 @@ gnutls_pubkey_t find_pubkey(gnutls_x509_crt_t crt, common_info_st * cinfo)
if (privkey != NULL) {
ret =
- gnutls_pubkey_import_privkey(pubkey, privkey,
- 0, 0);
+ gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0);
if (ret < 0) {
fprintf(stderr,
"pubkey_import_privkey: %s\n",
@@ -3801,12 +3854,14 @@ gnutls_pubkey_t find_pubkey(gnutls_x509_crt_t crt, common_info_st * cinfo)
gnutls_pubkey_deinit(pubkey);
pubkey = load_pubkey(0, cinfo);
- if (pubkey == NULL) { /* load from stdin */
- pem.data = (void *) fread_file(infile, 0, &size);
+ if (pubkey == NULL) { /* load from stdin */
+ pem.data = (void *)fread_file(infile, 0, &size);
pem.size = size;
if (!pem.data) {
- fprintf(stderr, "%s", infile ? "file" : "standard input");
+ fprintf(stderr, "%s",
+ infile ? "file" :
+ "standard input");
app_exit(1);
}
@@ -3818,8 +3873,11 @@ gnutls_pubkey_t find_pubkey(gnutls_x509_crt_t crt, common_info_st * cinfo)
app_exit(1);
}
- if (memmem(pem.data, pem.size, "BEGIN CERTIFICATE", 16) != 0 ||
- memmem(pem.data, pem.size, "BEGIN X509", 10) != 0) {
+ if (memmem
+ (pem.data, pem.size, "BEGIN CERTIFICATE",
+ 16) != 0
+ || memmem(pem.data, pem.size, "BEGIN X509",
+ 10) != 0) {
ret = gnutls_x509_crt_init(&crt);
if (ret < 0) {
fprintf(stderr,
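Review bot: The reindented memmem condition keeps hard-coded needle lengths of 16 and 10, but "BEGIN CERTIFICATE" is 17 characters, so the first test actually matches on "BEGIN CERTIFICAT" and the two values will silently diverge again if either literal is edited. Tying each length to its literal with `sizeof("BEGIN CERTIFICATE") - 1` and `sizeof("BEGIN X509") - 1` removes the mismatch, and `!= NULL` reads better than `!= 0` for memmem's pointer result. find_pubkey's body starts and ends outside this hunk.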
@@ -3828,7 +3886,9 @@ gnutls_pubkey_t find_pubkey(gnutls_x509_crt_t crt, common_info_st * cinfo)
app_exit(1);
}
- ret = gnutls_x509_crt_import(crt, &pem, GNUTLS_X509_FMT_PEM);
+ ret =
+ gnutls_x509_crt_import(crt, &pem,
+ GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr,
"crt_import: %s\n",
@@ -3836,15 +3896,20 @@ gnutls_pubkey_t find_pubkey(gnutls_x509_crt_t crt, common_info_st * cinfo)
app_exit(1);
}
- ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
+ ret =
+ gnutls_pubkey_import_x509(pubkey,
+ crt, 0);
if (ret < 0) {
- fprintf(stderr, "pubkey_import_x509: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr,
+ "pubkey_import_x509: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
gnutls_x509_crt_deinit(crt);
} else {
- ret = gnutls_pubkey_import(pubkey, &pem, incert_format);
+ ret =
+ gnutls_pubkey_import(pubkey, &pem,
+ incert_format);
if (ret < 0) {
fprintf(stderr,
"pubkey_import: %s\n",
@@ -3871,7 +3936,8 @@ void pubkey_info(gnutls_x509_crt_t crt, common_info_st * cinfo)
app_exit(1);
}
- print_pubkey_info(pubkey, outfile, full_format, outcert_format, cinfo->outtext);
+ print_pubkey_info(pubkey, outfile, full_format, outcert_format,
+ cinfo->outtext);
gnutls_pubkey_deinit(pubkey);
}
@@ -3880,7 +3946,7 @@ void pubkey_keyid(common_info_st * cinfo)
{
gnutls_pubkey_t pubkey;
uint8_t fpr[MAX_HASH_SIZE];
- char txt[MAX_HASH_SIZE*2+1];
+ char txt[MAX_HASH_SIZE * 2 + 1];
int ret;
size_t size, fpr_size;
gnutls_datum_t tmp;
@@ -3893,22 +3959,21 @@ void pubkey_keyid(common_info_st * cinfo)
}
if (cinfo->hash == GNUTLS_DIG_SHA1 || cinfo->hash == GNUTLS_DIG_UNKNOWN)
- flags = GNUTLS_KEYID_USE_SHA1; /* be backwards compatible */
+ flags = GNUTLS_KEYID_USE_SHA1; /* be backwards compatible */
else if (cinfo->hash == GNUTLS_DIG_SHA512)
flags = GNUTLS_KEYID_USE_SHA512;
else if (cinfo->hash == GNUTLS_DIG_SHA256)
flags = GNUTLS_KEYID_USE_SHA256;
else {
- fprintf(stderr, "Cannot calculate key ID with the provided hash (use sha1, sha256 or sha512)\n");
+ fprintf(stderr,
+ "Cannot calculate key ID with the provided hash (use sha1, sha256 or sha512)\n");
app_exit(1);
}
fpr_size = sizeof(fpr);
ret = gnutls_pubkey_get_key_id(pubkey, flags, fpr, &fpr_size);
if (ret < 0) {
- fprintf(stderr,
- "get_key_id: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "get_key_id: %s\n", gnutls_strerror(ret));
app_exit(1);
}
@@ -3918,9 +3983,7 @@ void pubkey_keyid(common_info_st * cinfo)
size = sizeof(txt);
ret = gnutls_hex_encode(&tmp, txt, &size);
if (ret < 0) {
- fprintf(stderr,
- "hex_encode: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "hex_encode: %s\n", gnutls_strerror(ret));
app_exit(1);
}
@@ -3940,27 +4003,28 @@ void certificate_fpr(common_info_st * cinfo)
gnutls_datum_t pem, tmp;
unsigned int crt_num;
uint8_t fpr[MAX_HASH_SIZE];
- char txt[MAX_HASH_SIZE*2+1];
+ char txt[MAX_HASH_SIZE * 2 + 1];
size_t fpr_size;
crt = load_cert(0, cinfo);
if (crt == NULL) {
- pem.data = (void *) fread_file(infile, 0, &size);
+ pem.data = (void *)fread_file(infile, 0, &size);
pem.size = size;
if (!pem.data) {
- fprintf(stderr, "%s", infile ? "file" : "standard input");
+ fprintf(stderr, "%s",
+ infile ? "file" : "standard input");
app_exit(1);
}
crt_num = 1;
ret =
- gnutls_x509_crt_list_import(&crt, &crt_num, &pem, incert_format,
+ gnutls_x509_crt_list_import(&crt, &crt_num, &pem,
+ incert_format,
GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
- fprintf(stderr, "too many certificates (%d).",
- crt_num);
+ fprintf(stderr, "too many certificates (%d).", crt_num);
} else if (ret >= 0 && crt_num == 0) {
fprintf(stderr, "no certificates were found.\n");
}
@@ -3980,9 +4044,7 @@ void certificate_fpr(common_info_st * cinfo)
ret = gnutls_x509_crt_get_fingerprint(crt, cinfo->hash, fpr, &fpr_size);
if (ret < 0) {
- fprintf(stderr,
- "get_key_id: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "get_key_id: %s\n", gnutls_strerror(ret));
app_exit(1);
}
@@ -3992,9 +4054,7 @@ void certificate_fpr(common_info_st * cinfo)
size = sizeof(txt);
ret = gnutls_hex_encode(&tmp, txt, &size);
if (ret < 0) {
- fprintf(stderr,
- "hex_encode: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "hex_encode: %s\n", gnutls_strerror(ret));
app_exit(1);
}
diff --git a/src/cfg.c b/src/cfg.c
index b8925f9c7c..545e73f140 100644
--- a/src/cfg.c
+++ b/src/cfg.c
@@ -39,23 +39,20 @@ struct options_st {
size_t capacity;
};
-struct parser_st
-{
+struct parser_st {
FILE *fp;
char pushback[2];
size_t pushback_length;
};
-static inline void
-clear_option(struct cfg_option_st *option)
+static inline void clear_option(struct cfg_option_st *option)
{
free(option->name);
free(option->value);
memset(option, 0, sizeof(*option));
}
-void
-cfg_free(cfg_option_t options)
+void cfg_free(cfg_option_t options)
{
for (size_t i = 0; options[i].name; i++) {
clear_option(&options[i]);
@@ -76,8 +73,7 @@ struct buffer_st {
size_t capacity;
};
-static int
-buffer_append(struct buffer_st *buffer, int c)
+static int buffer_append(struct buffer_st *buffer, int c)
{
size_t new_length = xsum(buffer->length, 1);
if (size_overflow_p(new_length)) {
@@ -103,8 +99,7 @@ buffer_append(struct buffer_st *buffer, int c)
return 0;
}
-static int
-parser_getc(struct parser_st *parser)
+static int parser_getc(struct parser_st *parser)
{
if (parser->pushback_length > 0) {
return parser->pushback[--parser->pushback_length];
@@ -113,15 +108,13 @@ parser_getc(struct parser_st *parser)
return c;
}
-static void
-parser_ungetc(struct parser_st *parser, int c)
+static void parser_ungetc(struct parser_st *parser, int c)
{
assert(parser->pushback_length < SIZEOF(parser->pushback));
parser->pushback[parser->pushback_length++] = c;
}
-static void
-skip_comment(struct parser_st *parser)
+static void skip_comment(struct parser_st *parser)
{
int c;
@@ -144,8 +137,7 @@ skip_comment(struct parser_st *parser)
parser_ungetc(parser, c);
}
-static void
-skip_chars(struct parser_st *parser, const char *chars)
+static void skip_chars(struct parser_st *parser, const char *chars)
{
int c;
@@ -161,8 +153,7 @@ skip_chars(struct parser_st *parser, const char *chars)
parser_ungetc(parser, c);
}
-static void
-skip_comments_and_whitespaces(struct parser_st *parser)
+static void skip_comments_and_whitespaces(struct parser_st *parser)
{
int c;
@@ -183,8 +174,7 @@ skip_comments_and_whitespaces(struct parser_st *parser)
}
/* Read the name part of an option. Returns NULL if it fails. */
-static char *
-read_name(struct parser_st *parser)
+static char *read_name(struct parser_st *parser)
{
struct buffer_st buffer;
int c;
@@ -227,8 +217,7 @@ read_name(struct parser_st *parser)
return buffer.data;
}
-static char *
-read_quoted_value(struct parser_st *parser)
+static char *read_quoted_value(struct parser_st *parser)
{
struct buffer_st buffer;
int c, quote_char;
@@ -278,8 +267,7 @@ read_quoted_value(struct parser_st *parser)
}
/* Read the value part of an option. Returns NULL if it fails. */
-static char *
-read_value(struct parser_st *parser)
+static char *read_value(struct parser_st *parser)
{
struct buffer_st buffer;
int c;
@@ -308,7 +296,7 @@ read_value(struct parser_st *parser)
}
if (c == '\n') {
- return strdup(""); /* empty value */
+ return strdup(""); /* empty value */
} else if (c == '"' || c == '\'') {
parser_ungetc(parser, c);
return read_quoted_value(parser);
@@ -342,8 +330,7 @@ read_value(struct parser_st *parser)
}
/* Append OPTION to OPTIONS. Take ownership of the fields of OPTION. */
-static int
-take_option(struct options_st *options, struct cfg_option_st *option)
+static int take_option(struct options_st *options, struct cfg_option_st *option)
{
size_t new_length = xsum(options->length, 1);
if (size_overflow_p(new_length)) {
@@ -379,16 +366,14 @@ take_option(struct options_st *options, struct cfg_option_st *option)
return 0;
}
-static void
-clear_options(struct options_st *options)
+static void clear_options(struct options_st *options)
{
for (size_t i = 0; options->length; i++) {
clear_option(&options->data[i]);
}
}
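Review bot: The loop condition in clear_options, `for (size_t i = 0; options->length; i++)`, never involves `i`, so whenever length is non-zero the loop does not terminate and clear_option() walks past the end of options->data. This function is the cleanup used on cfg_load's error path (the `error:` label in the next hunk), so a malformed configuration file is what would trigger it. The fix is `for (size_t i = 0; i < options->length; i++) {`. The commit only moves the return type onto the signature line and does not touch this condition.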
-cfg_option_t
-cfg_load(const char *filename)
+cfg_option_t cfg_load(const char *filename)
{
struct parser_st parser;
struct options_st options;
@@ -428,14 +413,13 @@ cfg_load(const char *filename)
take_option(&options, &null_option);
return options.data;
-error:
+ error:
clear_options(&options);
fclose(parser.fp);
return NULL;
}
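Review bot: The result of `take_option(&options, &null_option);` is ignored right before `return options.data;`, so if appending the terminating entry fails the returned array has no NULL-name sentinel and cfg_free/cfg_next, which stop on `options[i].name`, would read past its end. Assuming take_option's failure branch returns non-zero (only its `return 0;` is visible here), `if (take_option(&options, &null_option) != 0) goto error;` closes that gap. Separately, the `error:` path calls clear_options and fclose but does not appear to free options.data itself, unless that happens in code outside this hunk. cfg_load's body starts above this hunk.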
-cfg_option_t
-cfg_next(const cfg_option_t options, const char *name)
+cfg_option_t cfg_next(const cfg_option_t options, const char *name)
{
for (size_t i = 0; options[i].name; i++) {
if (strcmp(options[i].name, name) == 0) {
@@ -446,8 +430,7 @@ cfg_next(const cfg_option_t options, const char *name)
}
#ifdef TEST
-int
-main(int argc, char **argv)
+int main(int argc, char **argv)
{
cfg_option_t opts;
diff --git a/src/cfg.h b/src/cfg.h
index 20e8fc9faa..6bfd70bdc7 100644
--- a/src/cfg.h
+++ b/src/cfg.h
@@ -19,7 +19,7 @@
*/
#ifndef CFG_H_
-#define CFG_H_ 1
+# define CFG_H_ 1
typedef struct cfg_option_st {
char *name;
@@ -30,4 +30,4 @@ cfg_option_t cfg_load(const char *filename);
void cfg_free(cfg_option_t options);
cfg_option_t cfg_next(const cfg_option_t options, const char *name);
-#endif /* CFG_H_ */
+#endif /* CFG_H_ */
diff --git a/src/cli-debug.c b/src/cli-debug.c
index cdd88b96ea..493556054e 100644
--- a/src/cli-debug.c
+++ b/src/cli-debug.c
@@ -28,9 +28,9 @@
#include <gnutls/gnutls.h>
#include <sys/time.h>
#if HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
+# include <sys/socket.h>
#elif HAVE_WS2TCPIP_H
-#include <ws2tcpip.h>
+# include <ws2tcpip.h>
#endif
#include <tests.h>
#include <common.h>
@@ -88,7 +88,8 @@ static const TLS_TEST tls_tests[] = {
/* The following test will disable extensions if the server
* does support SSL 3.0, but only incompletely and without
* extensions. */
- {"for SSL 3.0 with extensions", test_ssl3_with_extensions, "yes", "no", "dunno"},
+ {"for SSL 3.0 with extensions", test_ssl3_with_extensions, "yes", "no",
+ "dunno"},
{"for SSL 3.0 with cipher suites not in SSL 3.0 spec",
test_ssl3_unknown_ciphersuites, "yes", "no", "dunno"},
#endif
@@ -107,30 +108,39 @@ static const TLS_TEST tls_tests[] = {
{"whether %COMPAT is required", test_record_padding, "no", "yes",
"dunno"},
{"for TLS 1.0 (RFC2246) support", test_tls1, "yes", "no", "dunno"},
- {"for TLS 1.0 (RFC2246) support with TLS 1.0 record version", test_tls1_nossl3, "yes", "no", "dunno"},
+ {"for TLS 1.0 (RFC2246) support with TLS 1.0 record version",
+ test_tls1_nossl3, "yes", "no", "dunno"},
{"for TLS 1.1 (RFC4346) support", test_tls1_1, "yes", "no", "dunno"},
{"fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0",
"failed",
"SSL 3.0"},
{"for TLS 1.2 (RFC5246) support", test_tls1_2, "yes", "no", "dunno"},
{"for TLS 1.3 (RFC8446) support", test_tls1_3, "yes", "no", "dunno"},
- {"for known TLS or SSL protocols support", test_known_protocols, "yes", "no", "dunno", 0, 1},
+ {"for known TLS or SSL protocols support", test_known_protocols, "yes",
+ "no", "dunno", 0, 1},
{"TLS1.2 neg fallback from TLS 1.6 to", test_tls1_6_fallback, NULL,
"failed (server requires fallback dance)", "dunno"},
- {"for inappropriate fallback (RFC7507) support", test_rfc7507, "yes", "no", "dunno"},
- {"for HTTPS server name", test_server, NULL, "failed", "not checked", 1},
+ {"for inappropriate fallback (RFC7507) support", test_rfc7507, "yes",
+ "no", "dunno"},
+ {"for HTTPS server name", test_server, NULL, "failed", "not checked",
+ 1},
{"for certificate information", test_certificate, NULL, "", ""},
- {"for certificate chain order", test_chain_order, "sorted", "unsorted", "unknown"},
+ {"for certificate chain order", test_chain_order, "sorted", "unsorted",
+ "unknown"},
{"for trusted CAs", test_server_cas, NULL, "", ""},
- {"for safe renegotiation (RFC5746) support", test_safe_renegotiation, "yes",
+ {"for safe renegotiation (RFC5746) support", test_safe_renegotiation,
+ "yes",
"no", "dunno"},
{"for Safe renegotiation support (SCSV)",
test_safe_renegotiation_scsv,
"yes", "no", "dunno"},
- {"for encrypt-then-MAC (RFC7366) support", test_etm, "yes", "no", "dunno"},
- {"for ext master secret (RFC7627) support", test_ext_master_secret, "yes", "no", "dunno"},
- {"for heartbeat (RFC6520) support", test_heartbeat_extension, "yes", "no", "dunno"},
+ {"for encrypt-then-MAC (RFC7366) support", test_etm, "yes", "no",
+ "dunno"},
+ {"for ext master secret (RFC7627) support", test_ext_master_secret,
+ "yes", "no", "dunno"},
+ {"for heartbeat (RFC6520) support", test_heartbeat_extension, "yes",
+ "no", "dunno"},
{"for version rollback bug in RSA PMS", test_rsa_pms, "no", "yes",
"dunno"},
{"for version rollback bug in Client Hello", test_version_rollback,
@@ -141,7 +151,8 @@ static const TLS_TEST tls_tests[] = {
test_small_records, "yes", "no", "dunno"},
{"whether cipher suites not in SSL 3.0 spec are accepted",
test_unknown_ciphersuites, "yes", "no", "dunno"},
- {"whether a bogus TLS record version in the client hello is accepted", test_version_oob, "yes", "no", "dunno"},
+ {"whether a bogus TLS record version in the client hello is accepted",
+ test_version_oob, "yes", "no", "dunno"},
{"whether the server understands TLS closure alerts", test_bye,
"yes", "no", "partially"},
/* the fact that is after the closure alert test does matter.
@@ -168,11 +179,15 @@ static const TLS_TEST tls_tests[] = {
"no",
"dunno"},
#ifdef ENABLE_GOST
- {"for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support", test_vko_gost_12, "yes", "no", "dunno"},
+ {"for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support",
+ test_vko_gost_12, "yes", "no", "dunno"},
#endif
- {"for curve SECP256r1 (RFC4492)", test_ecdhe_secp256r1, "yes", "no", "dunno"},
- {"for curve SECP384r1 (RFC4492)", test_ecdhe_secp384r1, "yes", "no", "dunno"},
- {"for curve SECP521r1 (RFC4492)", test_ecdhe_secp521r1, "yes", "no", "dunno"},
+ {"for curve SECP256r1 (RFC4492)", test_ecdhe_secp256r1, "yes", "no",
+ "dunno"},
+ {"for curve SECP384r1 (RFC4492)", test_ecdhe_secp384r1, "yes", "no",
+ "dunno"},
+ {"for curve SECP521r1 (RFC4492)", test_ecdhe_secp521r1, "yes", "no",
+ "dunno"},
{"for curve X25519 (RFC8422)", test_ecdhe_x25519, "yes", "no", "dunno"},
{"for AES-GCM cipher (RFC5288) support", test_aes_gcm, "yes", "no",
"dunno"},
@@ -182,14 +197,18 @@ static const TLS_TEST tls_tests[] = {
"dunno"},
{"for AES-CBC cipher (RFC3268) support", test_aes, "yes", "no",
"dunno"},
- {"for CAMELLIA-GCM cipher (RFC6367) support", test_camellia_gcm, "yes", "no",
+ {"for CAMELLIA-GCM cipher (RFC6367) support", test_camellia_gcm, "yes",
+ "no",
+ "dunno"},
+ {"for CAMELLIA-CBC cipher (RFC5932) support", test_camellia_cbc, "yes",
+ "no",
"dunno"},
- {"for CAMELLIA-CBC cipher (RFC5932) support", test_camellia_cbc, "yes", "no",
+ {"for 3DES-CBC cipher (RFC2246) support", test_3des, "yes", "no",
"dunno"},
- {"for 3DES-CBC cipher (RFC2246) support", test_3des, "yes", "no", "dunno"},
{"for ARCFOUR 128 cipher (RFC2246) support", test_arcfour, "yes", "no",
"dunno"},
- {"for CHACHA20-POLY1305 cipher (RFC7905) support", test_chacha20, "yes", "no",
+ {"for CHACHA20-POLY1305 cipher (RFC7905) support", test_chacha20, "yes",
+ "no",
"dunno"},
#ifdef ENABLE_GOST
{"for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support", test_gost_cnt, "yes", "no",
@@ -199,7 +218,8 @@ static const TLS_TEST tls_tests[] = {
{"for SHA1 MAC support", test_sha, "yes", "no", "dunno"},
{"for SHA256 MAC support", test_sha256, "yes", "no", "dunno"},
#ifdef ENABLE_GOST
- {"for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support", test_gost_imit, "yes", "no", "dunno"},
+ {"for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support",
+ test_gost_imit, "yes", "no", "dunno"},
#endif
{"for max record size (RFC6066) support", test_max_record_size, "yes",
"no", "dunno"},
@@ -227,7 +247,7 @@ gnutls_session_t init_tls_session(const char *host)
int do_handshake(socket_st * socket)
{
- return 0; /* we do it locally */
+ return 0; /* we do it locally */
}
int main(int argc, char **argv)
@@ -281,11 +301,13 @@ int main(int argc, char **argv)
#endif
if (HAVE_OPT(STARTTLS_PROTO)) {
- snprintf(app_proto, sizeof(app_proto), "%s", OPT_ARG(STARTTLS_PROTO));
+ snprintf(app_proto, sizeof(app_proto), "%s",
+ OPT_ARG(STARTTLS_PROTO));
}
if (app_proto[0] == 0) {
- snprintf(app_proto, sizeof(app_proto), "%s", port_to_service(portname, "tcp"));
+ snprintf(app_proto, sizeof(app_proto), "%s",
+ port_to_service(portname, "tcp"));
}
sockets_init();
@@ -295,16 +317,17 @@ int main(int argc, char **argv)
canonicalize_host(hostname, portname, sizeof(portname));
printf("Checking %s:%s\n", hostname, portname);
- for (i = 0;
- tls_tests[i].test_name != NULL;
- i++) {
+ for (i = 0; tls_tests[i].test_name != NULL; i++) {
- if (strcmp(app_proto, "https") != 0 && tls_tests[i].https_only != 0) {
+ if (strcmp(app_proto, "https") != 0
+ && tls_tests[i].https_only != 0) {
continue;
}
if (!socket_opened) {
- socket_open(&hd, hostname, portname, app_proto, SOCKET_FLAG_STARTTLS|SOCKET_FLAG_RAW, NULL, NULL);
+ socket_open(&hd, hostname, portname, app_proto,
+ SOCKET_FLAG_STARTTLS | SOCKET_FLAG_RAW,
+ NULL, NULL);
hd.verbose = verbose;
socket_opened = true;
}
diff --git a/src/cli.c b/src/cli.c
index 1af329fadc..3579e1a73a 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -29,9 +29,9 @@
#include <sys/time.h>
#include <sys/stat.h>
#if HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
+# include <sys/socket.h>
#elif HAVE_WS2TCPIP_H
-#include <ws2tcpip.h>
+# include <ws2tcpip.h>
#endif
#include <sys/select.h>
#include <unistd.h>
@@ -44,7 +44,7 @@
/* Get TCP_FASTOPEN */
#ifdef HAVE_NETINET_TCP_H
-#include <netinet/tcp.h>
+# include <netinet/tcp.h>
#endif
#include <gnutls/gnutls.h>
@@ -65,7 +65,7 @@
#include "inline_cmds.h"
#ifdef HAVE_DANE
-#include <gnutls/dane.h>
+# include <gnutls/dane.h>
#endif
#include <common.h>
@@ -86,7 +86,7 @@ int resume, starttls, insecure, ranges, rehandshake, udp, mtu,
inline_commands, waitresumption;
unsigned int global_vflags = 0;
char *hostname = NULL;
-char service[32]="";
+char service[32] = "";
int record_max_size;
int crlf;
int fastopen;
@@ -123,11 +123,12 @@ static gnutls_certificate_credentials_t xcred;
static void check_server_cmd(socket_st * socket, int ret);
static void init_global_tls_stuff(void);
static int cert_verify_ocsp(gnutls_session_t session);
-static const char *host_from_url(const char *url, unsigned int *port, const char **path);
+static const char *host_from_url(const char *url, unsigned int *port,
+ const char **path);
static size_t get_data(void *buf, size_t size, size_t nmemb, void *userp);
static int getissuer_callback(const gnutls_x509_trust_list_t tlist,
const gnutls_x509_crt_t cert,
- gnutls_x509_crt_t **issuers,
+ gnutls_x509_crt_t ** issuers,
unsigned int *issuers_size);
#define MAX_CRT 6
@@ -137,10 +138,9 @@ static gnutls_privkey_t x509_key = NULL;
static gnutls_pcert_st rawpk;
static gnutls_privkey_t rawpk_key = NULL;
-
/* Load a PKCS #8, PKCS #12 private key or PKCS #11 URL
*/
-static void load_priv_key(gnutls_privkey_t* privkey, const char* key_source)
+static void load_priv_key(gnutls_privkey_t * privkey, const char *key_source)
{
int ret;
gnutls_datum_t data = { NULL, 0 };
@@ -153,8 +153,7 @@ static void load_priv_key(gnutls_privkey_t* privkey, const char* key_source)
exit(1);
}
- gnutls_privkey_set_pin_function(*privkey, pin_callback,
- NULL);
+ gnutls_privkey_set_pin_function(*privkey, pin_callback, NULL);
if (gnutls_url_is_supported(key_source) != 0) {
ret = gnutls_privkey_import_url(*privkey, key_source, 0);
@@ -167,13 +166,12 @@ static void load_priv_key(gnutls_privkey_t* privkey, const char* key_source)
} else {
ret = gnutls_load_file(key_source, &data);
if (ret < 0) {
- fprintf(stderr,
- "*** Error loading key file.\n");
+ fprintf(stderr, "*** Error loading key file.\n");
exit(1);
}
ret = gnutls_privkey_import_x509_raw(*privkey, &data,
- x509ctype, NULL, 0);
+ x509ctype, NULL, 0);
if (ret < 0) {
fprintf(stderr,
"*** Error importing key: %s\n",
@@ -205,13 +203,11 @@ static void load_x509_keys(void)
exit(1);
}
gnutls_x509_crt_set_pin_function(crt_list[0],
- pin_callback,
- NULL);
+ pin_callback, NULL);
ret =
gnutls_x509_crt_import_pkcs11_url(crt_list[0],
- x509_certfile,
- 0);
+ x509_certfile, 0);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
ret =
@@ -291,16 +287,17 @@ static void load_rawpk_keys(void)
// First we load the raw public key
ret = gnutls_load_file(rawpk_file, &data);
if (ret < 0) {
- fprintf(stderr,
- "*** Error loading cert file.\n");
+ fprintf(stderr, "*** Error loading cert file.\n");
exit(1);
}
- ret = gnutls_pcert_import_rawpk_raw(&rawpk, &data, x509ctype, 0, 0);
+ ret =
+ gnutls_pcert_import_rawpk_raw(&rawpk, &data, x509ctype, 0,
+ 0);
if (ret < 0) {
fprintf(stderr,
- "*** Error importing rawpk to pcert: %s\n",
- gnutls_strerror(ret));
+ "*** Error importing rawpk to pcert: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
@@ -310,7 +307,7 @@ static void load_rawpk_keys(void)
load_priv_key(&rawpk_key, rawpk_keyfile);
log_msg(stdout,
- "Processed %d client raw public key pair...\n", 1);
+ "Processed %d client raw public key pair...\n", 1);
}
}
@@ -353,8 +350,10 @@ static void try_save_cert(gnutls_session_t session)
exit(1);
}
- for (i=0;i<cert_list_size;i++) {
- ret = gnutls_pem_base64_encode_alloc("CERTIFICATE", &cert_list[i], &t);
+ for (i = 0; i < cert_list_size; i++) {
+ ret =
+ gnutls_pem_base64_encode_alloc("CERTIFICATE", &cert_list[i],
+ &t);
if (ret < 0) {
fprintf(stderr, "error[%d]: %s\n", __LINE__,
gnutls_strerror(ret));
@@ -374,7 +373,8 @@ static void try_save_ocsp_status(gnutls_session_t session)
unsigned int cert_num = 0;
gnutls_certificate_get_peers(session, &cert_num);
if (cert_num == 0) {
- fprintf(stderr, "no certificates sent by server, so can't get OCSP status!\n");
+ fprintf(stderr,
+ "no certificates sent by server, so can't get OCSP status!\n");
return;
}
@@ -384,8 +384,7 @@ static void try_save_ocsp_status(gnutls_session_t session)
/* This function is called if exactly one of SAVE_OCSP and
* SAVE_OCSP_MULTI is set. */
- if (HAVE_OPT(SAVE_OCSP))
- {
+ if (HAVE_OPT(SAVE_OCSP)) {
path = OPT_ARG(SAVE_OCSP);
type = GNUTLS_X509_FMT_DER;
max_out = 1;
@@ -405,11 +404,12 @@ static void try_save_ocsp_status(gnutls_session_t session)
gnutls_datum_t oresp;
int ret = gnutls_ocsp_status_request_get2(session, i, &oresp);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
- fprintf(stderr, "no OCSP response for certificate %u\n", i);
+ fprintf(stderr, "no OCSP response for certificate %u\n",
+ i);
continue;
} else if (ret < 0) {
fprintf(stderr, "error getting OCSP response %u: %s\n",
- i, gnutls_strerror(ret));
+ i, gnutls_strerror(ret));
exit(1);
}
@@ -425,10 +425,11 @@ static void try_save_ocsp_status(gnutls_session_t session)
gnutls_datum_t t;
ret = gnutls_pem_base64_encode_alloc("OCSP RESPONSE",
- &oresp, &t);
+ &oresp, &t);
if (ret < 0) {
- fprintf(stderr, "error allocating PEM OCSP response: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr,
+ "error allocating PEM OCSP response: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
@@ -468,7 +469,7 @@ static int cert_verify_callback(gnutls_session_t session)
if (HAVE_OPT(VERIFY_HOSTNAME)) {
host = OPT_ARG(VERIFY_HOSTNAME);
- canonicalize_host((char *) host, NULL, 0);
+ canonicalize_host((char *)host, NULL, 0);
} else
host = hostname;
@@ -493,7 +494,8 @@ static int cert_verify_callback(gnutls_session_t session)
rc = cert_verify(session, host, GNUTLS_KP_TLS_WWW_SERVER);
if (rc == 0) {
log_msg
- (stdout, "*** PKI verification of server certificate failed...\n");
+ (stdout,
+ "*** PKI verification of server certificate failed...\n");
if (!insecure && !ssh)
return -1;
}
@@ -502,13 +504,17 @@ static int cert_verify_callback(gnutls_session_t session)
rc = cert_verify_ocsp(session);
if (rc == -1) {
log_msg
- (stdout, "*** Verifying (with OCSP) server certificate chain failed...\n");
+ (stdout,
+ "*** Verifying (with OCSP) server certificate chain failed...\n");
if (!insecure && !ssh)
return -1;
} else if (rc == 0)
- log_msg(stdout, "*** OCSP: nothing to check.\n");
+ log_msg(stdout,
+ "*** OCSP: nothing to check.\n");
else
- log_msg(stdout, "*** OCSP: verified %d certificate(s).\n", rc);
+ log_msg(stdout,
+ "*** OCSP: verified %d certificate(s).\n",
+ rc);
}
#endif
}
@@ -518,15 +524,14 @@ static int cert_verify_callback(gnutls_session_t session)
int port;
unsigned vflags = 0;
unsigned int sflags =
- ENABLED_OPT(LOCAL_DNS) ? 0 :
- DANE_F_IGNORE_LOCAL_RESOLVER;
+ ENABLED_OPT(LOCAL_DNS) ? 0 : DANE_F_IGNORE_LOCAL_RESOLVER;
/* if we didn't verify the chain it only makes sense
* to check the end certificate using dane. */
if (ca_verify == 0)
vflags |= DANE_VFLAG_ONLY_CHECK_EE_USAGE;
- port = service_to_port(service, udp?"udp":"tcp");
+ port = service_to_port(service, udp ? "udp" : "tcp");
rc = dane_verify_session_crt(NULL, session, host,
udp ? "udp" : "tcp", port,
sflags, vflags, &status);
@@ -539,8 +544,7 @@ static int cert_verify_callback(gnutls_session_t session)
} else {
gnutls_datum_t out;
- rc = dane_verification_status_print(status, &out,
- 0);
+ rc = dane_verification_status_print(status, &out, 0);
if (rc < 0) {
fprintf(stderr, "*** DANE error: %s\n",
dane_strerror(rc));
@@ -553,7 +557,8 @@ static int cert_verify_callback(gnutls_session_t session)
return -1;
}
#else
- fprintf(stderr, "*** DANE error: GnuTLS is not compiled with DANE support.\n");
+ fprintf(stderr,
+ "*** DANE error: GnuTLS is not compiled with DANE support.\n");
if (!insecure && !ssh)
return -1;
#endif
@@ -565,12 +570,11 @@ static int cert_verify_callback(gnutls_session_t session)
cert = gnutls_certificate_get_peers(session, &list_size);
if (cert == NULL) {
- fprintf(stderr,
- "Cannot obtain peer's certificate!\n");
+ fprintf(stderr, "Cannot obtain peer's certificate!\n");
return -1;
}
- txt_service = port_to_service(service, udp?"udp":"tcp");
+ txt_service = port_to_service(service, udp ? "udp" : "tcp");
rc = gnutls_verify_stored_pubkey(NULL, NULL, host,
txt_service,
@@ -606,7 +610,7 @@ static int cert_verify_callback(gnutls_session_t session)
return -1;
rc = read_yesno
- ("Do you trust the received key? (y/N): ");
+ ("Do you trust the received key? (y/N): ");
if (rc == 0)
return -1;
} else if (rc < 0) {
@@ -619,8 +623,7 @@ static int cert_verify_callback(gnutls_session_t session)
if (rc != 0) {
rc = gnutls_store_pubkey(NULL, NULL, host,
txt_service,
- GNUTLS_CRT_X509, cert, 0,
- 0);
+ GNUTLS_CRT_X509, cert, 0, 0);
if (rc < 0)
fprintf(stderr,
"Could not store key: %s\n",
@@ -653,7 +656,8 @@ cert_callback(gnutls_session_t session,
log_msg(stdout, "- Server's trusted authorities:\n");
else
log_msg
- (stdout, "- Server did not send us any trusted authorities names.\n");
+ (stdout,
+ "- Server did not send us any trusted authorities names.\n");
/* print the names (if any) */
for (i = 0; i < nreqs; i++) {
@@ -678,39 +682,42 @@ cert_callback(gnutls_session_t session,
*pcert_length = 0;
switch (cert_type) {
- case GNUTLS_CRT_X509:
- if (x509_crt_size > 0) {
- if (x509_key != NULL) {
- *pkey = x509_key;
- } else {
- log_msg
- (stdout, "- Could not find a suitable key to send to server\n");
- return -1;
- }
-
- *pcert_length = x509_crt_size;
- *pcert = x509_crt;
- }
- break;
- case GNUTLS_CRT_RAWPK:
- if (rawpk_key == NULL || rawpk.type != GNUTLS_CRT_RAWPK) {
+ case GNUTLS_CRT_X509:
+ if (x509_crt_size > 0) {
+ if (x509_key != NULL) {
+ *pkey = x509_key;
+ } else {
log_msg
- (stdout, "- Could not find a suitable key to send to server\n");
+ (stdout,
+ "- Could not find a suitable key to send to server\n");
return -1;
}
- *pkey = rawpk_key;
- *pcert = &rawpk;
- *pcert_length = 1;
- break;
- default:
- log_msg(stdout, "- Could not retrieve unsupported certificate type %s.\n",
- gnutls_certificate_type_get_name(cert_type));
- return -1;
+ *pcert_length = x509_crt_size;
+ *pcert = x509_crt;
+ }
+ break;
+ case GNUTLS_CRT_RAWPK:
+ if (rawpk_key == NULL || rawpk.type != GNUTLS_CRT_RAWPK) {
+ log_msg
+ (stdout,
+ "- Could not find a suitable key to send to server\n");
+ return -1;
+ }
+
+ *pkey = rawpk_key;
+ *pcert = &rawpk;
+ *pcert_length = 1;
+ break;
+ default:
+ log_msg(stdout,
+ "- Could not retrieve unsupported certificate type %s.\n",
+ gnutls_certificate_type_get_name(cert_type));
+ return -1;
}
log_msg(stdout, "- Successfully sent %u certificate(s) to server.\n",
- *pcert_length);
+ *pcert_length);
return 0;
}
@@ -735,7 +742,7 @@ gnutls_session_t init_tls_session(const char *host)
ret = gnutls_set_default_priority(session);
if (ret < 0) {
fprintf(stderr, "Error in setting priorities: %s\n",
- gnutls_strerror(ret));
+ gnutls_strerror(ret));
exit(1);
}
} else {
@@ -756,8 +763,9 @@ gnutls_session_t init_tls_session(const char *host)
if (HAVE_OPT(SNI_HOSTNAME)) {
const char *sni_host = OPT_ARG(SNI_HOSTNAME);
- canonicalize_host((char *) sni_host, NULL, 0);
- gnutls_server_name_set(session, GNUTLS_NAME_DNS, sni_host, strlen(sni_host));
+ canonicalize_host((char *)sni_host, NULL, 0);
+ gnutls_server_name_set(session, GNUTLS_NAME_DNS,
+ sni_host, strlen(sni_host));
} else if (host != NULL && is_ip(host) == 0)
gnutls_server_name_set(session, GNUTLS_NAME_DNS,
host, strlen(host));
@@ -772,24 +780,24 @@ gnutls_session_t init_tls_session(const char *host)
#endif
}
-
if (HAVE_OPT(ALPN)) {
#ifndef ENABLE_ALPN
fprintf(stderr, "ALPN is not supported\n");
exit(1);
#else
unsigned proto_n = STACKCT_OPT(ALPN);
- char **protos = (void *) STACKLST_OPT(ALPN);
+ char **protos = (void *)STACKLST_OPT(ALPN);
if (proto_n > 1024) {
- fprintf(stderr, "Number of ALPN protocols too large (%d)\n",
- proto_n);
+ fprintf(stderr,
+ "Number of ALPN protocols too large (%d)\n",
+ proto_n);
exit(1);
}
gnutls_datum_t p[1024];
for (i = 0; i < proto_n; i++) {
- p[i].data = (void *) protos[i];
+ p[i].data = (void *)protos[i];
p[i].size = strlen(protos[i]);
}
gnutls_alpn_set_protocols(session, p, proto_n, 0);
@@ -804,13 +812,11 @@ gnutls_session_t init_tls_session(const char *host)
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_set_retrieve_function2(xcred, cert_callback);
- gnutls_certificate_set_verify_function(xcred,
- cert_verify_callback);
+ gnutls_certificate_set_verify_function(xcred, cert_verify_callback);
/* use the max record size extension */
if (record_max_size > 0 && disable_extensions == 0) {
- if (gnutls_record_set_max_size(session, record_max_size) <
- 0) {
+ if (gnutls_record_set_max_size(session, record_max_size) < 0) {
fprintf(stderr,
"Cannot set the maximum record size to %d.\n",
record_max_size);
@@ -843,14 +849,15 @@ gnutls_session_t init_tls_session(const char *host)
else if (ret != 0)
fprintf(stderr, "Error in profiles: %s\n",
gnutls_strerror(ret));
- else fprintf(stderr,"DTLS profile set to %s\n",
- OPT_ARG(SRTP_PROFILES));
+ else
+ fprintf(stderr, "DTLS profile set to %s\n",
+ OPT_ARG(SRTP_PROFILES));
- if (ret != 0) exit(1);
+ if (ret != 0)
+ exit(1);
}
#endif
-
return session;
}
@@ -863,8 +870,7 @@ static int handle_error(socket_st * hd, int err)
int alert, ret;
const char *err_type, *str;
- if (err >= 0 || err == GNUTLS_E_AGAIN
- || err == GNUTLS_E_INTERRUPTED)
+ if (err >= 0 || err == GNUTLS_E_AGAIN || err == GNUTLS_E_INTERRUPTED)
return 0;
if (gnutls_error_is_fatal(err) == 0) {
@@ -992,11 +998,14 @@ static int try_rekey(socket_st * hd, unsigned peer)
int ret;
do {
- ret = gnutls_session_key_update(hd->session, peer?GNUTLS_KU_PEER:0);
- } while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ ret =
+ gnutls_session_key_update(hd->session,
+ peer ? GNUTLS_KU_PEER : 0);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret < 0) {
- fprintf(stderr, "*** Rekey has failed: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "*** Rekey has failed: %s\n",
+ gnutls_strerror(ret));
return ret;
} else {
log_msg(stdout, "- Rekey was completed\n");
@@ -1007,8 +1016,8 @@ static int try_rekey(socket_st * hd, unsigned peer)
static int try_resume(socket_st * hd)
{
int ret, socket_flags = SOCKET_FLAG_DONT_PRINT_ERRORS;
- gnutls_datum_t rdata = {NULL, 0};
- gnutls_datum_t edata = {NULL, 0};
+ gnutls_datum_t rdata = { NULL, 0 };
+ gnutls_datum_t edata = { NULL, 0 };
if (gnutls_session_is_resumed(hd->session) == 0) {
do {
@@ -1018,9 +1027,11 @@ static int try_resume(socket_st * hd)
rdata.data = NULL;
}
- if ((gnutls_protocol_get_version(hd->session) != GNUTLS_TLS1_3) ||
- ((gnutls_session_get_flags(hd->session) &
- GNUTLS_SFLAGS_SESSION_TICKET))) {
+ if ((gnutls_protocol_get_version(hd->session) !=
+ GNUTLS_TLS1_3)
+ ||
+ ((gnutls_session_get_flags(hd->session) &
+ GNUTLS_SFLAGS_SESSION_TICKET))) {
break;
}
} while (waitresumption);
@@ -1037,7 +1048,8 @@ static int try_resume(socket_st * hd)
canonicalize_host(hostname, service, sizeof(service));
log_msg
- (stdout, "\n\n- Connecting again- trying to resume previous session\n");
+ (stdout,
+ "\n\n- Connecting again- trying to resume previous session\n");
if (HAVE_OPT(STARTTLS_PROTO))
socket_flags |= SOCKET_FLAG_STARTTLS;
else if (fastopen)
@@ -1052,10 +1064,11 @@ static int try_resume(socket_st * hd)
fp = fopen(OPT_ARG(EARLYDATA), "r");
if (fp == NULL) {
- fprintf(stderr, "could not open %s\n", OPT_ARG(EARLYDATA));
+ fprintf(stderr, "could not open %s\n",
+ OPT_ARG(EARLYDATA));
exit(1);
}
- edata.data = (void *) fread_file(fp, 0, &size);
+ edata.data = (void *)fread_file(fp, 0, &size);
edata.size = size;
fclose(fp);
}
@@ -1085,14 +1098,12 @@ bool parse_for_inline_commands_in_buffer(char *buffer, size_t bytes,
if (inline_cmds->bytes_copied) {
local_buffer_ptr =
- &inline_cmds->inline_cmd_buffer[inline_cmds->
- bytes_copied];
+ &inline_cmds->inline_cmd_buffer[inline_cmds->bytes_copied];
local_bytes =
((inline_cmds->bytes_copied + bytes) <=
MAX_INLINE_COMMAND_BYTES) ? (ssize_t) bytes
- : (MAX_INLINE_COMMAND_BYTES -
- inline_cmds->bytes_copied);
+ : (MAX_INLINE_COMMAND_BYTES - inline_cmds->bytes_copied);
memcpy(local_buffer_ptr, buffer, local_bytes);
prev_bytes_copied = inline_cmds->bytes_copied;
@@ -1119,8 +1130,7 @@ bool parse_for_inline_commands_in_buffer(char *buffer, size_t bytes,
inline_commands_def[jj].string);
inline_command_string[strlen
(inline_commands_def
- [jj].string)] =
- '\0';
+ [jj].string)] = '\0';
inline_command_string[0] =
inline_commands_prefix[0];
/* Inline commands are delimited by the inline_commands_prefix[0] (default is ^).
@@ -1135,20 +1145,17 @@ bool parse_for_inline_commands_in_buffer(char *buffer, size_t bytes,
l = strlen(ptr);
match_bytes = (local_bytes <= l) ? local_bytes : l;
- if (strncmp(ptr, local_buffer_ptr, match_bytes) ==
- 0) {
+ if (strncmp(ptr, local_buffer_ptr, match_bytes) == 0) {
if (match_bytes == (ssize_t) strlen(ptr)) {
inline_cmds->new_buffer_ptr =
buffer + match_bytes -
prev_bytes_copied;
inline_cmds->cmd_found =
- inline_commands_def[jj].
- command;
+ inline_commands_def[jj].command;
inline_cmds->bytes_copied = 0; /* reset it */
} else {
/* partial command */
- memcpy(&inline_cmds->
- inline_cmd_buffer
+ memcpy(&inline_cmds->inline_cmd_buffer
[inline_cmds->bytes_copied],
buffer, bytes);
inline_cmds->bytes_copied += bytes;
@@ -1200,21 +1207,19 @@ int run_inline_command(inline_cmds_st * cmd, socket_st * hd)
static
int do_inline_command_processing(char *buffer_ptr, size_t curr_bytes,
- socket_st * hd,
- inline_cmds_st * inline_cmds)
+ socket_st * hd, inline_cmds_st * inline_cmds)
{
int skip_bytes, bytes;
bool inline_cmd_start_found;
bytes = curr_bytes;
- continue_inline_processing:
+ continue_inline_processing:
/* parse_for_inline_commands_in_buffer hunts for start of an inline command
* sequence. The function maintains state information in inline_cmds.
*/
inline_cmd_start_found =
- parse_for_inline_commands_in_buffer(buffer_ptr, bytes,
- inline_cmds);
+ parse_for_inline_commands_in_buffer(buffer_ptr, bytes, inline_cmds);
if (!inline_cmd_start_found)
return bytes;
@@ -1246,15 +1251,14 @@ int do_inline_command_processing(char *buffer_ptr, size_t curr_bytes,
}
}
-static void
-print_other_info(gnutls_session_t session)
+static void print_other_info(gnutls_session_t session)
{
#ifdef ENABLE_OCSP
int ret;
unsigned i;
unsigned int list_size;
gnutls_datum_t oresp;
- const gnutls_datum_t * peers;
+ const gnutls_datum_t *peers;
peers = gnutls_certificate_get_peers(session, &list_size);
@@ -1291,11 +1295,10 @@ print_other_info(gnutls_session_t session)
flag = GNUTLS_OCSP_PRINT_FULL;
else
flag = GNUTLS_OCSP_PRINT_COMPACT;
- ret =
- gnutls_ocsp_resp_print(r, flag, &p);
+ ret = gnutls_ocsp_resp_print(r, flag, &p);
gnutls_ocsp_resp_deinit(r);
- if (ret>=0) {
- log_msg(stdout, "%s", (char*) p.data);
+ if (ret >= 0) {
+ log_msg(stdout, "%s", (char *)p.data);
gnutls_free(p.data);
}
}
@@ -1325,7 +1328,8 @@ int main(int argc, char **argv)
if (HAVE_OPT(LOGFILE)) {
logfile = fopen(OPT_ARG(LOGFILE), "w+");
if (!logfile) {
- log_msg(stderr, "Unable to open '%s'!\n", OPT_ARG(LOGFILE));
+ log_msg(stderr, "Unable to open '%s'!\n",
+ OPT_ARG(LOGFILE));
exit(1);
}
log_set(logfile);
@@ -1427,8 +1431,7 @@ int main(int argc, char **argv)
fprintf(stderr, "*** Starting TLS handshake\n");
ret = do_handshake(&hd);
if (ret < 0) {
- fprintf(stderr,
- "*** Handshake has failed\n");
+ fprintf(stderr, "*** Handshake has failed\n");
retval = 1;
break;
}
@@ -1442,9 +1445,11 @@ int main(int argc, char **argv)
memset(buffer, 0, MAX_BUF + 1);
ret = socket_recv(&hd, buffer, MAX_BUF);
- if (ret == 0 || (ret == GNUTLS_E_PREMATURE_TERMINATION && user_term)) {
- log_msg
- (stdout, "- Peer has closed the GnuTLS connection\n");
+ if (ret == 0
+ || (ret == GNUTLS_E_PREMATURE_TERMINATION
+ && user_term)) {
+ log_msg(stdout,
+ "- Peer has closed the GnuTLS connection\n");
break;
} else if (handle_error(&hd, ret) < 0) {
fprintf(stderr,
@@ -1453,7 +1458,8 @@ int main(int argc, char **argv)
break;
} else if (ret > 0) {
if (verbose != 0)
- log_msg(stdout, "- Received[%d]: ", ret);
+ log_msg(stdout, "- Received[%d]: ",
+ ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
@@ -1463,8 +1469,7 @@ int main(int argc, char **argv)
if (inp == IN_KEYBOARD && user_term == 0) {
if ((bytes =
- read(fileno(stdin), buffer,
- MAX_BUF - 1)) <= 0) {
+ read(fileno(stdin), buffer, MAX_BUF - 1)) <= 0) {
if (hd.secure == 0) {
/* Warning! Do not touch this text string, it is
used by external programs to search for when
@@ -1481,9 +1486,11 @@ int main(int argc, char **argv)
}
} else {
do {
- ret = gnutls_bye(hd.session, GNUTLS_SHUT_WR);
- } while (ret == GNUTLS_E_INTERRUPTED ||
- ret == GNUTLS_E_AGAIN);
+ ret =
+ gnutls_bye(hd.session,
+ GNUTLS_SHUT_WR);
+ } while (ret == GNUTLS_E_INTERRUPTED
+ || ret == GNUTLS_E_AGAIN);
user_term = 1;
}
@@ -1502,7 +1509,7 @@ int main(int argc, char **argv)
keyboard_bytes = bytes;
keyboard_buffer_ptr = buffer;
- inline_command_processing:
+ inline_command_processing:
if (inline_commands) {
keyboard_bytes =
@@ -1524,8 +1531,7 @@ int main(int argc, char **argv)
}
if (ranges
- && gnutls_record_can_use_length_hiding(hd.
- session))
+ && gnutls_record_can_use_length_hiding(hd.session))
{
gnutls_range_st range;
range.low = 0;
@@ -1533,8 +1539,7 @@ int main(int argc, char **argv)
ret =
socket_send_range(&hd,
keyboard_buffer_ptr,
- keyboard_bytes,
- &range);
+ keyboard_bytes, &range);
} else {
ret =
socket_send(&hd, keyboard_buffer_ptr,
@@ -1543,13 +1548,13 @@ int main(int argc, char **argv)
if (ret > 0) {
if (verbose != 0)
- log_msg(stdout, "- Sent: %d bytes\n", ret);
+ log_msg(stdout, "- Sent: %d bytes\n",
+ ret);
} else
handle_error(&hd, ret);
if (inline_commands &&
- inline_cmds.new_buffer_ptr < (buffer + bytes))
- {
+ inline_cmds.new_buffer_ptr < (buffer + bytes)) {
keyboard_buffer_ptr =
inline_cmds.new_buffer_ptr;
keyboard_bytes =
@@ -1593,11 +1598,14 @@ void print_priority_list(void)
const char *str;
unsigned int lineb = 0;
- log_msg(stdout, "Priority strings in GnuTLS %s:\n", gnutls_check_version(NULL));
+ log_msg(stdout, "Priority strings in GnuTLS %s:\n",
+ gnutls_check_version(NULL));
fputs("\t", stdout);
- for (idx=0;;idx++) {
- str = gnutls_priority_string_list(idx, GNUTLS_PRIORITY_LIST_INIT_KEYWORDS);
+ for (idx = 0;; idx++) {
+ str =
+ gnutls_priority_string_list(idx,
+ GNUTLS_PRIORITY_LIST_INIT_KEYWORDS);
if (str == NULL)
break;
lineb += log_msg(stdout, "%s ", str);
@@ -1610,8 +1618,10 @@ void print_priority_list(void)
log_msg(stdout, "\n\nSpecial strings:\n");
lineb = 0;
fputs("\t", stdout);
- for (idx=0;;idx++) {
- str = gnutls_priority_string_list(idx, GNUTLS_PRIORITY_LIST_SPECIAL);
+ for (idx = 0;; idx++) {
+ str =
+ gnutls_priority_string_list(idx,
+ GNUTLS_PRIORITY_LIST_SPECIAL);
if (str == NULL)
break;
if (str[0] == 0)
@@ -1638,7 +1648,6 @@ static void cmd_parser(int argc, char **argv)
if (rest == NULL && argc > 0)
rest = argv[0];
-
if (HAVE_OPT(FIPS140_MODE)) {
if (gnutls_fips140_mode_enabled() != 0) {
fprintf(stderr, "library is in FIPS140-2 mode\n");
@@ -1654,7 +1663,8 @@ static void cmd_parser(int argc, char **argv)
for (p = gnutls_get_library_config(); p->name; p++) {
log_msg(stdout, "%s: %s\n", p->name, p->value);
}
- log_msg(stdout, "system-config: %s\n", gnutls_get_system_config_file());
+ log_msg(stdout, "system-config: %s\n",
+ gnutls_get_system_config_file());
exit(0);
}
@@ -1711,7 +1721,7 @@ static void cmd_parser(int argc, char **argv)
exit(1);
}
inline_commands_prefix =
- (char *) OPT_ARG(INLINE_COMMANDS_PREFIX);
+ (char *)OPT_ARG(INLINE_COMMANDS_PREFIX);
if (!isascii(inline_commands_prefix[0])) {
fprintf(stderr,
"inline-commands-prefix value is a single US-ASCII character (octets 0 - 127)\n");
@@ -1738,7 +1748,9 @@ static void cmd_parser(int argc, char **argv)
snprintf(service, sizeof(service), "%s", OPT_ARG(PORT));
} else {
if (HAVE_OPT(STARTTLS_PROTO))
- snprintf(service, sizeof(service), "%s", starttls_proto_to_service(OPT_ARG(STARTTLS_PROTO)));
+ snprintf(service, sizeof(service), "%s",
+ starttls_proto_to_service(OPT_ARG
+ (STARTTLS_PROTO)));
else
strcpy(service, "443");
}
@@ -1778,7 +1790,7 @@ static void cmd_parser(int argc, char **argv)
psk_username = OPT_ARG(PSKUSERNAME);
if (HAVE_OPT(PSKKEY)) {
- psk_key.data = (unsigned char *) OPT_ARG(PSKKEY);
+ psk_key.data = (unsigned char *)OPT_ARG(PSKKEY);
psk_key.size = strlen(OPT_ARG(PSKKEY));
} else
psk_key.size = 0;
@@ -1789,7 +1801,8 @@ static void cmd_parser(int argc, char **argv)
fastopen = HAVE_OPT(FASTOPEN);
#else
if (HAVE_OPT(FASTOPEN)) {
- fprintf(stderr, "Warning: TCP Fast Open not supported on this OS\n");
+ fprintf(stderr,
+ "Warning: TCP Fast Open not supported on this OS\n");
}
#endif
@@ -1817,9 +1830,11 @@ static void check_server_cmd(socket_st * socket, int ret)
ret = do_handshake(socket);
if (ret == 0) {
- log_msg(stdout, "*** Rehandshake was performed.\n");
+ log_msg(stdout,
+ "*** Rehandshake was performed.\n");
} else {
- log_msg(stdout, "*** Rehandshake Failed: %s\n", gnutls_strerror(ret));
+ log_msg(stdout, "*** Rehandshake Failed: %s\n",
+ gnutls_strerror(ret));
}
} else if (ret == GNUTLS_E_REAUTH_REQUEST) {
do {
@@ -1829,20 +1844,21 @@ static void check_server_cmd(socket_st * socket, int ret)
if (ret == 0) {
log_msg(stdout, "*** Re-auth was performed.\n");
} else {
- log_msg(stdout, "*** Re-auth failed: %s\n", gnutls_strerror(ret));
+ log_msg(stdout, "*** Re-auth failed: %s\n",
+ gnutls_strerror(ret));
}
}
}
}
-
int do_handshake(socket_st * socket)
{
int ret;
if (fastopen && socket->connect_addrlen) {
gnutls_transport_set_fastopen(socket->session, socket->fd,
- (struct sockaddr*)&socket->connect_addr,
+ (struct sockaddr *)
+ &socket->connect_addr,
socket->connect_addrlen, 0);
socket->connect_addrlen = 0;
} else {
@@ -1862,7 +1878,8 @@ int do_handshake(socket_st * socket)
if (ret == 0) {
/* print some information */
- print_info(socket->session, verbose, HAVE_OPT(X509CERTFILE)?P_WAIT_FOR_CERT:0);
+ print_info(socket->session, verbose,
+ HAVE_OPT(X509CERTFILE) ? P_WAIT_FOR_CERT : 0);
if (HAVE_OPT(KEYMATEXPORT))
print_key_material(socket->session,
OPT_ARG(KEYMATEXPORT),
@@ -1893,8 +1910,7 @@ srp_username_callback(gnutls_session_t session,
#endif
static int
-psk_callback(gnutls_session_t session, char **username,
- gnutls_datum_t * key)
+psk_callback(gnutls_session_t session, char **username, gnutls_datum_t * key)
{
const char *hint = gnutls_psk_client_get_hint(session);
char *rawkey;
@@ -1920,8 +1936,7 @@ psk_callback(gnutls_session_t session, char **username,
ret = getline(&p, &n, stdin);
if (ret == -1 || p == NULL) {
- fprintf(stderr,
- "No username given, aborting...\n");
+ fprintf(stderr, "No username given, aborting...\n");
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
@@ -1942,7 +1957,7 @@ psk_callback(gnutls_session_t session, char **username,
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
- tmp.data = (void *) passwd;
+ tmp.data = (void *)passwd;
tmp.size = strlen(passwd);
res_size = tmp.size / 2 + 1;
@@ -1959,7 +1974,7 @@ psk_callback(gnutls_session_t session, char **username,
return ret;
}
- key->data = (void *) rawkey;
+ key->data = (void *)rawkey;
key->size = res_size;
if (HAVE_OPT(DEBUG)) {
@@ -1967,7 +1982,8 @@ psk_callback(gnutls_session_t session, char **username,
res_size = sizeof(hexkey);
ret = gnutls_hex_encode(key, hexkey, &res_size);
if (ret < 0) {
- fprintf(stderr, "Error in hex encoding: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error in hex encoding: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
fprintf(stderr, "PSK username: %s\n", *username);
@@ -1991,8 +2007,7 @@ static void init_global_tls_stuff(void)
gnutls_strerror(ret));
else {
ret =
- gnutls_pkcs11_add_provider(OPT_ARG(PROVIDER),
- NULL);
+ gnutls_pkcs11_add_provider(OPT_ARG(PROVIDER), NULL);
if (ret < 0) {
fprintf(stderr, "pkcs11_add_provider: %s",
gnutls_strerror(ret));
@@ -2020,18 +2035,19 @@ static void init_global_tls_stuff(void)
if (x509_cafile != NULL) {
ret = gnutls_x509_trust_list_add_trust_file(tlist,
- x509_cafile,
- NULL,
- x509ctype,
- GNUTLS_TL_USE_IN_TLS,
- 0);
+ x509_cafile,
+ NULL,
+ x509ctype,
+ GNUTLS_TL_USE_IN_TLS,
+ 0);
} else {
if (insecure == 0) {
ret = gnutls_x509_trust_list_add_system_trust(tlist,
- GNUTLS_TL_USE_IN_TLS,
- 0);
+ GNUTLS_TL_USE_IN_TLS,
+ 0);
if (ret == GNUTLS_E_UNIMPLEMENTED_FEATURE) {
- fprintf(stderr, "Warning: this system doesn't support a default trust store\n");
+ fprintf(stderr,
+ "Warning: this system doesn't support a default trust store\n");
ret = 0;
}
} else {
@@ -2039,14 +2055,16 @@ static void init_global_tls_stuff(void)
}
}
if (ret < 0) {
- fprintf(stderr, "Error setting the x509 trust file: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error setting the x509 trust file: %s\n",
+ gnutls_strerror(ret));
exit(1);
} else {
log_msg(stdout, "Processed %d CA certificate(s).\n", ret);
}
if (ENABLED_OPT(CA_AUTO_RETRIEVE))
- gnutls_x509_trust_list_set_getissuer_function(tlist, getissuer_callback);
+ gnutls_x509_trust_list_set_getissuer_function(tlist,
+ getissuer_callback);
if (x509_crlfile != NULL) {
ret =
@@ -2055,7 +2073,8 @@ static void init_global_tls_stuff(void)
x509ctype);
if (ret < 0) {
fprintf(stderr,
- "Error setting the x509 CRL file: %s\n", gnutls_strerror(ret));
+ "Error setting the x509 CRL file: %s\n",
+ gnutls_strerror(ret));
exit(1);
} else {
log_msg(stdout, "Processed %d CRL(s).\n", ret);
@@ -2139,14 +2158,18 @@ static int cert_verify_ocsp(gnutls_session_t session)
ret = gnutls_x509_crt_init(&cert);
if (ret < 0) {
- fprintf(stderr, "Memory error: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Memory error: %s\n",
+ gnutls_strerror(ret));
goto cleanup;
}
deinit_cert = 1;
- ret = gnutls_x509_crt_import(cert, &cert_list[it], GNUTLS_X509_FMT_DER);
+ ret =
+ gnutls_x509_crt_import(cert, &cert_list[it],
+ GNUTLS_X509_FMT_DER);
if (ret < 0) {
- fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Decoding error: %s\n",
+ gnutls_strerror(ret));
goto cleanup;
}
@@ -2159,18 +2182,23 @@ static int cert_verify_ocsp(gnutls_session_t session)
if (ret < 0 && cert_list_size - it > 1) {
ret = gnutls_x509_crt_init(&issuer);
if (ret < 0) {
- fprintf(stderr, "Memory error: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Memory error: %s\n",
+ gnutls_strerror(ret));
goto cleanup;
}
deinit_issuer = 1;
- ret = gnutls_x509_crt_import(issuer, &cert_list[it + 1], GNUTLS_X509_FMT_DER);
+ ret =
+ gnutls_x509_crt_import(issuer, &cert_list[it + 1],
+ GNUTLS_X509_FMT_DER);
if (ret < 0) {
- fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Decoding error: %s\n",
+ gnutls_strerror(ret));
goto cleanup;
}
} else if (ret < 0) {
if (it == 0)
- fprintf(stderr, "Cannot find issuer: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Cannot find issuer: %s\n",
+ gnutls_strerror(ret));
goto cleanup;
}
@@ -2200,7 +2228,7 @@ static int cert_verify_ocsp(gnutls_session_t session)
}
}
-cleanup:
+ cleanup:
if (deinit_issuer)
gnutls_x509_crt_deinit(issuer);
if (deinit_cert)
@@ -2208,12 +2236,13 @@ cleanup:
if (failed > 0)
return -1;
- return ok >= 1 ? (int) ok : -1;
+ return ok >= 1 ? (int)ok : -1;
}
#endif
/* returns the host part of a URL */
-static const char *host_from_url(const char *url, unsigned int *port, const char **path)
+static const char *host_from_url(const char *url, unsigned int *port,
+ const char **path)
{
static char buffer[512];
char *p;
@@ -2226,7 +2255,7 @@ static const char *host_from_url(const char *url, unsigned int *port, const char
p = strchr(buffer, '/');
if (p != NULL) {
*p = 0;
- *path = p+1;
+ *path = p + 1;
}
p = strchr(buffer, ':');
@@ -2263,8 +2292,7 @@ static size_t get_data(void *buf, size_t size, size_t nmemb, void *userp)
static int
getissuer_callback(const gnutls_x509_trust_list_t tlist,
const gnutls_x509_crt_t cert,
- gnutls_x509_crt_t **issuers,
- unsigned int *issuers_size)
+ gnutls_x509_crt_t ** issuers, unsigned int *issuers_size)
{
gnutls_datum_t ud;
int ret;
@@ -2287,15 +2315,14 @@ getissuer_callback(const gnutls_x509_trust_list_t tlist,
i = 0;
do {
ret = gnutls_x509_crt_get_authority_info_access(cert, i++,
- GNUTLS_IA_CAISSUERS_URI,
- &data,
- NULL);
+ GNUTLS_IA_CAISSUERS_URI,
+ &data, NULL);
} while (ret == GNUTLS_E_UNKNOWN_ALGORITHM);
if (ret < 0) {
fprintf(stderr,
- "*** Cannot find caIssuer URI in certificate: %s\n",
- gnutls_strerror(ret));
+ "*** Cannot find caIssuer URI in certificate: %s\n",
+ gnutls_strerror(ret));
return 0;
}
@@ -2321,7 +2348,8 @@ getissuer_callback(const gnutls_x509_trust_list_t tlist,
snprintf(headers, sizeof(headers), HEADER_PATTERN, path, _hostname);
headers_size = strlen(headers);
- socket_open(&hd, _hostname, _service, NULL, SOCKET_FLAG_RAW|SOCKET_FLAG_SKIP_INIT, CONNECT_MSG, NULL);
+ socket_open(&hd, _hostname, _service, NULL,
+ SOCKET_FLAG_RAW | SOCKET_FLAG_SKIP_INIT, CONNECT_MSG, NULL);
socket_send(&hd, headers, headers_size);
do {
@@ -2365,7 +2393,7 @@ getissuer_callback(const gnutls_x509_trust_list_t tlist,
ret = 0;
-cleanup:
+ cleanup:
gnutls_free(data.data);
free(ud.data);
free(url);
diff --git a/src/common.c b/src/common.c
index b0952a5faf..73b6949279 100644
--- a/src/common.c
+++ b/src/common.c
@@ -23,7 +23,7 @@
/* Work around problem reported in
<https://permalink.gmane.org/gmane.comp.lib.gnulib.bugs/15755>.*/
#if GETTIMEOFDAY_CLOBBERS_LOCALTIME
-#undef localtime
+# undef localtime
#endif
#include <getpass.h>
@@ -41,11 +41,11 @@
#ifndef _WIN32
# include <signal.h>
#else
-#include <ws2tcpip.h>
+# include <ws2tcpip.h>
#endif
#ifdef ENABLE_PKCS11
-#include <gnutls/pkcs11.h>
+# include <gnutls/pkcs11.h>
#endif
#define SU(x) (x!=NULL?x:"Unknown")
@@ -97,7 +97,7 @@ const char *raw_to_hex(const unsigned char *raw, size_t raw_size)
const char *raw_to_base64(const unsigned char *raw, size_t raw_size)
{
static char buf[1024];
- gnutls_datum_t data = {(unsigned char*)raw, raw_size};
+ gnutls_datum_t data = { (unsigned char *)raw, raw_size };
size_t buf_size;
int ret;
@@ -115,7 +115,8 @@ const char *raw_to_base64(const unsigned char *raw, size_t raw_size)
}
static void
-print_x509_info(gnutls_session_t session, FILE *out, int flag, int print_cert, int print_crt_status)
+print_x509_info(gnutls_session_t session, FILE * out, int flag, int print_cert,
+ int print_crt_status)
{
gnutls_x509_crt_t crt;
const gnutls_datum_t *cert_list;
@@ -131,7 +132,7 @@ print_x509_info(gnutls_session_t session, FILE *out, int flag, int print_cert, i
log_msg(out, "- Certificate type: X.509\n");
log_msg(out, "- Got a certificate list of %d certificates.\n",
- cert_list_size);
+ cert_list_size);
for (j = 0; j < cert_list_size; j++) {
gnutls_datum_t cinfo;
@@ -166,14 +167,14 @@ print_x509_info(gnutls_session_t session, FILE *out, int flag, int print_cert, i
ret =
gnutls_x509_crt_export2(crt,
- GNUTLS_X509_FMT_PEM, &pem);
+ GNUTLS_X509_FMT_PEM, &pem);
if (ret < 0) {
fprintf(stderr, "Encoding error: %s\n",
gnutls_strerror(ret));
return;
}
- log_msg(out, "\n%s\n", (char*)pem.data);
+ log_msg(out, "\n%s\n", (char *)pem.data);
gnutls_free(pem.data);
}
@@ -183,7 +184,8 @@ print_x509_info(gnutls_session_t session, FILE *out, int flag, int print_cert, i
}
static void
-print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert, int print_crt_status)
+print_rawpk_info(gnutls_session_t session, FILE * out, int flag, int print_cert,
+ int print_crt_status)
{
gnutls_pcert_st pk_cert;
gnutls_pk_algorithm_t pk_algo;
@@ -199,14 +201,13 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert,
}
log_msg(out, "- Certificate type: Raw Public Key\n");
- log_msg(out, "- Got %d Raw public-key(s).\n",
- cert_list_size);
+ log_msg(out, "- Got %d Raw public-key(s).\n", cert_list_size);
-
- ret = gnutls_pcert_import_rawpk_raw(&pk_cert, cert_list, GNUTLS_X509_FMT_DER, 0, 0);
+ ret =
+ gnutls_pcert_import_rawpk_raw(&pk_cert, cert_list,
+ GNUTLS_X509_FMT_DER, 0, 0);
if (ret < 0) {
- fprintf(stderr, "Decoding error: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret));
return;
}
@@ -218,14 +219,16 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert,
if (print_cert) {
gnutls_datum_t pem;
- ret = gnutls_pubkey_export2(pk_cert.pubkey, GNUTLS_X509_FMT_PEM, &pem);
+ ret =
+ gnutls_pubkey_export2(pk_cert.pubkey, GNUTLS_X509_FMT_PEM,
+ &pem);
if (ret < 0) {
fprintf(stderr, "Encoding error: %s\n",
gnutls_strerror(ret));
goto cleanup;
}
- log_msg(out, "\n%s\n", (char*)pem.data);
+ log_msg(out, "\n%s\n", (char *)pem.data);
gnutls_free(pem.data);
}
@@ -236,7 +239,8 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert,
/* returns false (0) if not verified, or true (1) otherwise
*/
-int cert_verify(gnutls_session_t session, const char *hostname, const char *purpose)
+int cert_verify(gnutls_session_t session, const char *hostname,
+ const char *purpose)
{
int rc;
unsigned int status = 0;
@@ -249,13 +253,13 @@ int cert_verify(gnutls_session_t session, const char *hostname, const char *purp
if (hostname) {
data[elements].type = GNUTLS_DT_DNS_HOSTNAME;
- data[elements].data = (void*)hostname;
+ data[elements].data = (void *)hostname;
elements++;
}
if (purpose) {
data[elements].type = GNUTLS_DT_KEY_PURPOSE_OID;
- data[elements].data = (void*)purpose;
+ data[elements].data = (void *)purpose;
elements++;
}
@@ -267,7 +271,7 @@ int cert_verify(gnutls_session_t session, const char *hostname, const char *purp
if (rc < 0) {
log_msg(stdout, "- Could not verify certificate (err: %s)\n",
- gnutls_strerror(rc));
+ gnutls_strerror(rc));
return 0;
}
@@ -275,8 +279,9 @@ int cert_verify(gnutls_session_t session, const char *hostname, const char *purp
rc = gnutls_certificate_verification_status_print(status, type,
&out, 0);
if (rc < 0) {
- log_msg(stdout, "- Could not print verification flags (err: %s)\n",
- gnutls_strerror(rc));
+ log_msg(stdout,
+ "- Could not print verification flags (err: %s)\n",
+ gnutls_strerror(rc));
return 0;
}
@@ -295,8 +300,7 @@ int cert_verify(gnutls_session_t session, const char *hostname, const char *purp
/* Parse input string and set certificate compression methods */
int compress_cert_set_methods(gnutls_session_t session,
- const char **strings,
- size_t n_strings)
+ const char **strings, size_t n_strings)
{
int ret = 0;
gnutls_compression_method_t *methods;
@@ -311,7 +315,8 @@ int compress_cert_set_methods(gnutls_session_t session,
methods = reallocarray(NULL, n_strings, sizeof(*methods));
if (!methods) {
- fprintf(stderr, "Could not set certificate compression methods: %s\n",
+ fprintf(stderr,
+ "Could not set certificate compression methods: %s\n",
gnutls_strerror(ret));
return GNUTLS_E_MEMORY_ERROR;
}
@@ -325,14 +330,17 @@ int compress_cert_set_methods(gnutls_session_t session,
}
}
- ret = gnutls_compress_certificate_set_methods(session, methods, n_strings);
+ ret =
+ gnutls_compress_certificate_set_methods(session, methods,
+ n_strings);
if (ret < 0) {
- fprintf(stderr, "Could not set certificate compression methods: %s\n",
+ fprintf(stderr,
+ "Could not set certificate compression methods: %s\n",
gnutls_strerror(ret));
goto cleanup;
}
-cleanup:
+ cleanup:
free(methods);
#pragma GCC diagnostic pop
@@ -340,8 +348,7 @@ cleanup:
return ret;
}
-static void
-print_dh_info(gnutls_session_t session, const char *str, int print)
+static void print_dh_info(gnutls_session_t session, const char *str, int print)
{
#if defined(ENABLE_DHE) || defined(ENABLE_ANON)
unsigned group;
@@ -362,11 +369,11 @@ print_dh_info(gnutls_session_t session, const char *str, int print)
log_msg(stdout, "- %sDiffie-Hellman parameters\n", str);
log_msg(stdout, " - Using prime: %d bits\n",
- gnutls_dh_get_prime_bits(session));
+ gnutls_dh_get_prime_bits(session));
log_msg(stdout, " - Secret key: %d bits\n",
- gnutls_dh_get_secret_bits(session));
+ gnutls_dh_get_secret_bits(session));
log_msg(stdout, " - Peer's public key: %d bits\n",
- gnutls_dh_get_peers_public_bits(session));
+ gnutls_dh_get_peers_public_bits(session));
ret = gnutls_dh_get_group(session, &raw_gen, &raw_prime);
if (ret) {
@@ -380,22 +387,17 @@ print_dh_info(gnutls_session_t session, const char *str, int print)
goto out;
}
- ret =
- gnutls_dh_params_import_raw(dh_params, &raw_prime,
- &raw_gen);
+ ret = gnutls_dh_params_import_raw(dh_params, &raw_prime, &raw_gen);
if (ret) {
- fprintf(stderr, "gnutls_dh_params_import_raw %d\n",
- ret);
+ fprintf(stderr, "gnutls_dh_params_import_raw %d\n", ret);
goto out;
}
ret = gnutls_dh_params_export_pkcs3(dh_params,
GNUTLS_X509_FMT_PEM,
- params_data,
- &params_data_size);
+ params_data, &params_data_size);
if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) {
- fprintf(stderr,
- "gnutls_dh_params_export_pkcs3 %d\n", ret);
+ fprintf(stderr, "gnutls_dh_params_export_pkcs3 %d\n", ret);
goto out;
}
@@ -407,19 +409,16 @@ print_dh_info(gnutls_session_t session, const char *str, int print)
ret = gnutls_dh_params_export_pkcs3(dh_params,
GNUTLS_X509_FMT_PEM,
- params_data,
- &params_data_size);
+ params_data, &params_data_size);
if (ret) {
- fprintf(stderr,
- "gnutls_dh_params_export_pkcs3-2 %d\n",
- ret);
+ fprintf(stderr, "gnutls_dh_params_export_pkcs3-2 %d\n", ret);
goto out;
}
log_msg(stdout, " - PKCS#3 format:\n\n%.*s\n",
- (int) params_data_size, params_data);
+ (int)params_data_size, params_data);
- out:
+ out:
gnutls_free(params_data);
gnutls_free(raw_prime.data);
gnutls_free(raw_gen.data);
@@ -427,7 +426,8 @@ print_dh_info(gnutls_session_t session, const char *str, int print)
#endif
}
-static void print_ecdh_info(gnutls_session_t session, const char *str, int print)
+static void print_ecdh_info(gnutls_session_t session, const char *str,
+ int print)
{
int curve;
@@ -438,9 +438,10 @@ static void print_ecdh_info(gnutls_session_t session, const char *str, int print
curve = gnutls_ecc_curve_get(session);
- log_msg(stdout, " - Using curve: %s\n", gnutls_ecc_curve_get_name(curve));
+ log_msg(stdout, " - Using curve: %s\n",
+ gnutls_ecc_curve_get_name(curve));
log_msg(stdout, " - Curve size: %d bits\n",
- gnutls_ecc_curve_get_size(curve) * 8);
+ gnutls_ecc_curve_get_size(curve) * 8);
}
@@ -452,9 +453,9 @@ struct channel_binding_request {
static void print_channel_bindings(gnutls_session_t session, int print)
{
static const struct channel_binding_request requests[] = {
- { GNUTLS_CB_TLS_UNIQUE, "tls-unique" },
- { GNUTLS_CB_TLS_SERVER_END_POINT, "tls-server-end-point" },
- { GNUTLS_CB_TLS_EXPORTER, "tls-exporter" }
+ {GNUTLS_CB_TLS_UNIQUE, "tls-unique"},
+ {GNUTLS_CB_TLS_SERVER_END_POINT, "tls-server-end-point"},
+ {GNUTLS_CB_TLS_EXPORTER, "tls-exporter"}
};
size_t i;
@@ -468,8 +469,7 @@ static void print_channel_bindings(gnutls_session_t session, int print)
int rc;
rc = gnutls_session_channel_binding(session,
- requests[i].type,
- &cb);
+ requests[i].type, &cb);
if (rc == GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE) {
log_msg(stdout, " - '%s': not available\n",
requests[i].name);
@@ -479,8 +479,7 @@ static void print_channel_bindings(gnutls_session_t session, int print)
} else {
size_t j;
- log_msg(stdout, " - '%s': ",
- requests[i].name);
+ log_msg(stdout, " - '%s': ", requests[i].name);
for (j = 0; j < cb.size; j++)
log_msg(stdout, "%02x", cb.data[j]);
log_msg(stdout, "\n");
@@ -511,7 +510,7 @@ int print_info(gnutls_session_t session, int verbose, int flags)
gnutls_session_get_id(session, session_id, &session_id_size);
if (session_id_size > 0) {
log_msg(stdout, "- Session ID: %s\n",
- raw_to_string(session_id, session_id_size));
+ raw_to_string(session_id, session_id_size));
}
/* print the key exchange's algorithm name
@@ -534,8 +533,9 @@ int print_info(gnutls_session_t session, int verbose, int flags)
* side.
*/
if (gnutls_srp_server_get_username(session) != NULL)
- log_msg(stdout, "- SRP authentication. Connected as '%s'\n",
- gnutls_srp_server_get_username(session));
+ log_msg(stdout,
+ "- SRP authentication. Connected as '%s'\n",
+ gnutls_srp_server_get_username(session));
break;
#endif
#ifdef ENABLE_PSK
@@ -544,12 +544,13 @@ int print_info(gnutls_session_t session, int verbose, int flags)
*/
if (gnutls_psk_client_get_hint(session) != NULL)
log_msg(stdout, "- PSK authentication. PSK hint '%s'\n",
- gnutls_psk_client_get_hint(session));
+ gnutls_psk_client_get_hint(session));
/* This returns NULL in client side.
*/
if (gnutls_psk_server_get_username(session) != NULL)
- log_msg(stdout, "- PSK authentication. Connected as '%s'\n",
- gnutls_psk_server_get_username(session));
+ log_msg(stdout,
+ "- PSK authentication. Connected as '%s'\n",
+ gnutls_psk_server_get_username(session));
if (kx == GNUTLS_KX_DHE_PSK)
print_dh_info(session, "Ephemeral ", verbose);
if (kx == GNUTLS_KX_ECDHE_PSK)
@@ -569,15 +570,17 @@ int print_info(gnutls_session_t session, int verbose, int flags)
if (gnutls_server_name_get
(session, dns, &dns_size, &type, 0) == 0) {
log_msg(stdout, "- Given server name[%d]: %s\n",
- type, dns);
+ type, dns);
}
}
- if ((flags & P_WAIT_FOR_CERT) && gnutls_certificate_get_ours(session) == 0)
+ if ((flags & P_WAIT_FOR_CERT)
+ && gnutls_certificate_get_ours(session) == 0)
log_msg(stdout, "- No certificate was sent to peer\n");
- if (flags& P_PRINT_CERT)
- print_cert_info(session, verbose, (flags&P_PRINT_CERT));
+ if (flags & P_PRINT_CERT)
+ print_cert_info(session, verbose,
+ (flags & P_PRINT_CERT));
if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
print_dh_info(session, "Ephemeral ", verbose);
@@ -590,11 +593,9 @@ int print_info(gnutls_session_t session, int verbose, int flags)
break;
}
-
if (verbose) {
version = gnutls_protocol_get_version(session);
- tmp =
- SU(gnutls_protocol_get_name(version));
+ tmp = SU(gnutls_protocol_get_name(version));
log_msg(stdout, "- Version: %s\n", tmp);
if (version < GNUTLS_TLS1_3) {
@@ -625,15 +626,19 @@ int print_info(gnutls_session_t session, int verbose, int flags)
}
log_msg(stdout, "- Options:");
- if (gnutls_session_ext_master_secret_status(session)!=0)
+ if (gnutls_session_ext_master_secret_status(session) != 0)
log_msg(stdout, " extended master secret,");
- if (gnutls_safe_renegotiation_status(session)!=0)
+ if (gnutls_safe_renegotiation_status(session) != 0)
log_msg(stdout, " safe renegotiation,");
- if (gnutls_session_etm_status(session)!=0)
+ if (gnutls_session_etm_status(session) != 0)
log_msg(stdout, " EtM,");
#ifdef ENABLE_OCSP
- if (gnutls_ocsp_status_request_is_checked(session, GNUTLS_OCSP_SR_IS_AVAIL)!=0) {
- log_msg(stdout, " OCSP status request%s,", gnutls_ocsp_status_request_is_checked(session,0)!=0?"":"[ignored]");
+ if (gnutls_ocsp_status_request_is_checked
+ (session, GNUTLS_OCSP_SR_IS_AVAIL) != 0) {
+ log_msg(stdout, " OCSP status request%s,",
+ gnutls_ocsp_status_request_is_checked(session,
+ 0) !=
+ 0 ? "" : "[ignored]");
}
#endif
log_msg(stdout, "\n");
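Review bot: The re-indented OCSP line is now split so that the second `gnutls_ocsp_status_request_is_checked(session, 0) != 0` call straddles four lines with its `!= 0 ? "" : "[ignored]"` tail detached from the call, which is harder to read than the one-liner it replaces. Hoisting the result into a local keeps the formatter happy and makes the two distinct checks (availability vs. actually verified) visible: `int ocsp_checked = gnutls_ocsp_status_request_is_checked(session, 0) != 0;` followed by `log_msg(stdout, " OCSP status request%s,", ocsp_checked ? "" : "[ignored]");`. The enclosing print_info() starts and ends outside this hunk.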
@@ -642,13 +647,14 @@ int print_info(gnutls_session_t session, int verbose, int flags)
rc = gnutls_srtp_get_selected_profile(session, &srtp_profile);
if (rc == 0)
log_msg(stdout, "- SRTP profile: %s\n",
- gnutls_srtp_get_profile_name(srtp_profile));
+ gnutls_srtp_get_profile_name(srtp_profile));
#endif
#ifdef ENABLE_ALPN
rc = gnutls_alpn_get_selected_protocol(session, &p);
if (rc == 0)
- log_msg(stdout, "- Application protocol: %.*s\n", p.size, p.data);
+ log_msg(stdout, "- Application protocol: %.*s\n", p.size,
+ p.data);
#endif
print_channel_bindings(session, verbose);
@@ -656,10 +662,13 @@ int print_info(gnutls_session_t session, int verbose, int flags)
ktls_flags = gnutls_transport_is_ktls_enabled(session);
if (ktls_flags != 0) {
log_msg(stdout, "- KTLS: %s\n",
- (ktls_flags & GNUTLS_KTLS_DUPLEX) == GNUTLS_KTLS_DUPLEX ? "send, recv" :
- (ktls_flags & GNUTLS_KTLS_SEND) == GNUTLS_KTLS_SEND ? "send" :
- (ktls_flags & GNUTLS_KTLS_RECV) == GNUTLS_KTLS_RECV ? "recv" :
- "unknown");
+ (ktls_flags & GNUTLS_KTLS_DUPLEX) ==
+ GNUTLS_KTLS_DUPLEX ? "send, recv" : (ktls_flags &
+ GNUTLS_KTLS_SEND)
+ ==
+ GNUTLS_KTLS_SEND ? "send" : (ktls_flags &
+ GNUTLS_KTLS_RECV) ==
+ GNUTLS_KTLS_RECV ? "recv" : "unknown");
}
fflush(stdout);
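Review bot: The nested ternary selecting the KTLS label is mangled by the indenter into a shape where `==` sits alone on a line and the operands of each comparison are split across lines, so a reader can no longer tell which test yields which string without re-parsing it. Since this is the commit that fixes layout, I would restructure it as an if/else chain with a single log_msg() call; the result is equivalent to the original expression and survives any formatter. print_info() continues outside this hunk.
```c
	if (ktls_flags != 0) {
		const char *ktls_desc = "unknown";

		if ((ktls_flags & GNUTLS_KTLS_DUPLEX) == GNUTLS_KTLS_DUPLEX)
			ktls_desc = "send, recv";
		else if ((ktls_flags & GNUTLS_KTLS_SEND) == GNUTLS_KTLS_SEND)
			ktls_desc = "send";
		else if ((ktls_flags & GNUTLS_KTLS_RECV) == GNUTLS_KTLS_RECV)
			ktls_desc = "recv";
		log_msg(stdout, "- KTLS: %s\n", ktls_desc);
	}
```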
@@ -672,7 +681,8 @@ void print_cert_info(gnutls_session_t session, int verbose, int print_cert)
print_cert_info2(session, verbose, stdout, print_cert);
}
-void print_cert_info2(gnutls_session_t session, int verbose, FILE *out, int print_cert)
+void print_cert_info2(gnutls_session_t session, int verbose, FILE * out,
+ int print_cert)
{
int flag, print_crt_status = 0;
@@ -688,10 +698,12 @@ void print_cert_info2(gnutls_session_t session, int verbose, FILE *out, int prin
switch (gnutls_certificate_type_get2(session, GNUTLS_CTYPE_PEERS)) {
case GNUTLS_CRT_X509:
- print_x509_info(session, out, flag, print_cert, print_crt_status);
+ print_x509_info(session, out, flag, print_cert,
+ print_crt_status);
break;
case GNUTLS_CRT_RAWPK:
- print_rawpk_info(session, out, flag, print_cert, print_crt_status);
+ print_rawpk_info(session, out, flag, print_cert,
+ print_crt_status);
break;
default:
break;
@@ -721,15 +733,15 @@ void print_list(const char *priorities, int verbose)
if (ret == GNUTLS_E_INVALID_REQUEST)
fprintf(stderr, "Syntax error at: %s\n", err);
else
- fprintf(stderr, "Error in priorities: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error in priorities: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
for (i = 0;; i++) {
ret =
gnutls_priority_get_cipher_suite_index(pcache,
- i,
- &idx);
+ i, &idx);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
break;
if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
@@ -741,9 +753,9 @@ void print_list(const char *priorities, int verbose)
if (name != NULL)
log_msg(stdout, "%-50s\t0x%02x, 0x%02x\t%s\n",
- name, (unsigned char) id[0],
- (unsigned char) id[1],
- gnutls_protocol_get_name(version));
+ name, (unsigned char)id[0],
+ (unsigned char)id[1],
+ gnutls_protocol_get_name(version));
}
log_msg(stdout, "\n");
@@ -751,17 +763,17 @@ void print_list(const char *priorities, int verbose)
{
ret =
gnutls_priority_certificate_type_list2(pcache,
- &list,
- GNUTLS_CTYPE_CLIENT);
+ &list,
+ GNUTLS_CTYPE_CLIENT);
log_msg(stdout, "Certificate types: ");
if (ret == 0)
log_msg(stdout, "none\n");
- for (i = 0; i < (unsigned) ret; i++) {
+ for (i = 0; i < (unsigned)ret; i++) {
log_msg(stdout, "CTYPE-%s",
- gnutls_certificate_type_get_name
- (list[i]));
- if (i + 1 != (unsigned) ret)
+ gnutls_certificate_type_get_name
+ (list[i]));
+ if (i + 1 != (unsigned)ret)
log_msg(stdout, ", ");
else
log_msg(stdout, "\n");
@@ -775,10 +787,10 @@ void print_list(const char *priorities, int verbose)
log_msg(stdout, "Protocols: ");
if (ret == 0)
log_msg(stdout, "none\n");
- for (i = 0; i < (unsigned) ret; i++) {
+ for (i = 0; i < (unsigned)ret; i++) {
log_msg(stdout, "VERS-%s",
- gnutls_protocol_get_name(list[i]));
- if (i + 1 != (unsigned) ret)
+ gnutls_protocol_get_name(list[i]));
+ if (i + 1 != (unsigned)ret)
log_msg(stdout, ", ");
else
log_msg(stdout, "\n");
@@ -791,10 +803,10 @@ void print_list(const char *priorities, int verbose)
log_msg(stdout, "Ciphers: ");
if (ret == 0)
log_msg(stdout, "none\n");
- for (i = 0; i < (unsigned) ret; i++) {
+ for (i = 0; i < (unsigned)ret; i++) {
log_msg(stdout, "%s",
- gnutls_cipher_get_name(list[i]));
- if (i + 1 != (unsigned) ret)
+ gnutls_cipher_get_name(list[i]));
+ if (i + 1 != (unsigned)ret)
log_msg(stdout, ", ");
else
log_msg(stdout, "\n");
@@ -807,10 +819,10 @@ void print_list(const char *priorities, int verbose)
log_msg(stdout, "MACs: ");
if (ret == 0)
log_msg(stdout, "none\n");
- for (i = 0; i < (unsigned) ret; i++) {
+ for (i = 0; i < (unsigned)ret; i++) {
log_msg(stdout, "%s",
- gnutls_mac_get_name(list[i]));
- if (i + 1 != (unsigned) ret)
+ gnutls_mac_get_name(list[i]));
+ if (i + 1 != (unsigned)ret)
log_msg(stdout, ", ");
else
log_msg(stdout, "\n");
@@ -823,10 +835,10 @@ void print_list(const char *priorities, int verbose)
log_msg(stdout, "Key Exchange Algorithms: ");
if (ret == 0)
log_msg(stdout, "none\n");
- for (i = 0; i < (unsigned) ret; i++) {
+ for (i = 0; i < (unsigned)ret; i++) {
log_msg(stdout, "%s",
- gnutls_kx_get_name(list[i]));
- if (i + 1 != (unsigned) ret)
+ gnutls_kx_get_name(list[i]));
+ if (i + 1 != (unsigned)ret)
log_msg(stdout, ", ");
else
log_msg(stdout, "\n");
@@ -834,16 +846,15 @@ void print_list(const char *priorities, int verbose)
}
{
- ret =
- gnutls_priority_group_list(pcache, &list);
+ ret = gnutls_priority_group_list(pcache, &list);
log_msg(stdout, "Groups: ");
if (ret == 0)
log_msg(stdout, "none\n");
- for (i = 0; i < (unsigned) ret; i++) {
+ for (i = 0; i < (unsigned)ret; i++) {
log_msg(stdout, "GROUP-%s",
- gnutls_group_get_name(list[i]));
- if (i + 1 != (unsigned) ret)
+ gnutls_group_get_name(list[i]));
+ if (i + 1 != (unsigned)ret)
log_msg(stdout, ", ");
else
log_msg(stdout, "\n");
@@ -856,11 +867,11 @@ void print_list(const char *priorities, int verbose)
log_msg(stdout, "PK-signatures: ");
if (ret == 0)
log_msg(stdout, "none\n");
- for (i = 0; i < (unsigned) ret; i++) {
+ for (i = 0; i < (unsigned)ret; i++) {
log_msg(stdout, "SIGN-%s",
- gnutls_sign_algorithm_get_name(list
- [i]));
- if (i + 1 != (unsigned) ret)
+ gnutls_sign_algorithm_get_name(list
+ [i]));
+ if (i + 1 != (unsigned)ret)
log_msg(stdout, ", ");
else
log_msg(stdout, "\n");
@@ -875,12 +886,13 @@ void print_list(const char *priorities, int verbose)
for (i = 0; (name = gnutls_cipher_suite_info
(i, id, &kx, &cipher, &mac, &version)); i++) {
log_msg(stdout, "%-50s\t0x%02x, 0x%02x\t%s\n",
- name,
- (unsigned char) id[0], (unsigned char) id[1],
- gnutls_protocol_get_name(version));
+ name,
+ (unsigned char)id[0], (unsigned char)id[1],
+ gnutls_protocol_get_name(version));
if (verbose)
log_msg
- (stdout, "\tKey exchange: %s\n\tCipher: %s\n\tMAC: %s\n\n",
+ (stdout,
+ "\tKey exchange: %s\n\tCipher: %s\n\tMAC: %s\n\n",
gnutls_kx_get_name(kx),
gnutls_cipher_get_name(cipher),
gnutls_mac_get_name(mac));
@@ -894,7 +906,7 @@ void print_list(const char *priorities, int verbose)
log_msg(stdout, "Certificate types: ");
for (; *p; p++) {
log_msg(stdout, "CTYPE-%s",
- gnutls_certificate_type_get_name(*p));
+ gnutls_certificate_type_get_name(*p));
if (*(p + 1))
log_msg(stdout, ", ");
else
@@ -907,7 +919,8 @@ void print_list(const char *priorities, int verbose)
log_msg(stdout, "Protocols: ");
for (; *p; p++) {
- log_msg(stdout, "VERS-%s", gnutls_protocol_get_name(*p));
+ log_msg(stdout, "VERS-%s",
+ gnutls_protocol_get_name(*p));
if (*(p + 1))
log_msg(stdout, ", ");
else
@@ -973,7 +986,8 @@ void print_list(const char *priorities, int verbose)
log_msg(stdout, "Compression: ");
for (; *p; p++) {
- log_msg(stdout, "COMP-%s", gnutls_compression_get_name(*p));
+ log_msg(stdout, "COMP-%s",
+ gnutls_compression_get_name(*p));
if (*(p + 1))
log_msg(stdout, ", ");
else
@@ -1013,7 +1027,7 @@ void print_list(const char *priorities, int verbose)
log_msg(stdout, "PK-signatures: ");
for (; *p; p++) {
log_msg(stdout, "SIGN-%s",
- gnutls_sign_algorithm_get_name(*p));
+ gnutls_sign_algorithm_get_name(*p));
if (*(p + 1))
log_msg(stdout, ", ");
else
@@ -1059,7 +1073,8 @@ print_key_material(gnutls_session_t session, const char *label, size_t size)
gnutls_free(hex.data);
}
-int check_command(gnutls_session_t session, const char *str, unsigned no_cli_cert)
+int check_command(gnutls_session_t session, const char *str,
+ unsigned no_cli_cert)
{
size_t len = strnlen(str, 128);
int ret;
@@ -1070,22 +1085,21 @@ int check_command(gnutls_session_t session, const char *str, unsigned no_cli_cer
if (strncmp
(str, "**REHANDSHAKE**",
sizeof("**REHANDSHAKE**") - 1) == 0) {
- fprintf(stderr,
- "*** Sending rehandshake request\n");
+ fprintf(stderr, "*** Sending rehandshake request\n");
gnutls_rehandshake(session);
return 1;
} else if (strncmp
- (str, "**REAUTH**",
- sizeof("**REAUTH**") - 1) == 0) {
+ (str, "**REAUTH**", sizeof("**REAUTH**") - 1) == 0) {
/* in case we have a re-auth cmd prepare for it */
if (no_cli_cert)
- gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUIRE);
+ gnutls_certificate_server_set_request(session,
+ GNUTLS_CERT_REQUIRE);
- fprintf(stderr,
- "*** Sending re-auth request\n");
+ fprintf(stderr, "*** Sending re-auth request\n");
do {
ret = gnutls_reauth(session, 0);
- } while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ } while (ret == GNUTLS_E_AGAIN
+ || ret == GNUTLS_E_INTERRUPTED);
if (ret < 0) {
fprintf(stderr, "reauth: %s\n",
gnutls_strerror(ret));
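Review bot: The result of `gnutls_rehandshake(session)` is discarded in the **REHANDSHAKE** branch, while the **REAUTH** branch directly below retries on GNUTLS_E_AGAIN/GNUTLS_E_INTERRUPTED and reports failures through gnutls_strerror(); the two inline commands should be handled the same way so an operator can see that a requested renegotiation was never sent. A minimal fix is `ret = gnutls_rehandshake(session);` and `if (ret < 0) fprintf(stderr, "rehandshake: %s\n", gnutls_strerror(ret));` before the `return 1;`. Note also that both commands are matched with strncmp() on the token length only, so any input line beginning with the token is treated as the command; if that is intentional a one-line comment saying so would help. check_command() continues past the end of this hunk.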
@@ -1184,7 +1198,8 @@ pin_callback(void *user, int attempt, const char *token_url,
env = "GNUTLS_SO_PIN";
desc = "security officer";
if (info && info->so_pin)
- snprintf(password, sizeof(password), "%s", info->so_pin);
+ snprintf(password, sizeof(password), "%s",
+ info->so_pin);
} else {
env = "GNUTLS_PIN";
desc = "user";
@@ -1207,8 +1222,7 @@ pin_callback(void *user, int attempt, const char *token_url,
}
if (cache > 0 && cached_url != NULL) {
- if (token_url != NULL
- && strcmp(cached_url, token_url) == 0) {
+ if (token_url != NULL && strcmp(cached_url, token_url) == 0) {
if (strlen(cached_pin) >= pin_max) {
fprintf(stderr, "Too long PIN given\n");
exit(1);
@@ -1227,11 +1241,12 @@ pin_callback(void *user, int attempt, const char *token_url,
if (password[0] == 0) {
getenv_copy(password, sizeof(password), env);
- if (password[0] == 0) /* compatibility */
+ if (password[0] == 0) /* compatibility */
getenv_copy(password, sizeof(password), "GNUTLS_PIN");
}
- if (password[0] == 0 && info != NULL && info->password != NULL && info->ask_pass == 0) {
+ if (password[0] == 0 && info != NULL && info->password != NULL
+ && info->ask_pass == 0) {
if (strlen(info->password) < sizeof(password)) {
strcpy(password, info->password);
} else {
@@ -1240,22 +1255,27 @@ pin_callback(void *user, int attempt, const char *token_url,
}
}
- if (password[0] == 0 && (info == NULL || info->batch == 0 || info->ask_pass != 0)) {
+ if (password[0] == 0
+ && (info == NULL || info->batch == 0 || info->ask_pass != 0)) {
if (token_label && token_label[0] != 0) {
- fprintf(stderr, "Token '%s' with URL '%s' ", token_label, token_url);
+ fprintf(stderr, "Token '%s' with URL '%s' ",
+ token_label, token_url);
fprintf(stderr, "requires %s PIN\n", desc);
getpass_copy(password, sizeof(password), "Enter PIN: ");
} else {
- getpass_copy(password, sizeof(password), "Enter password: ");
+ getpass_copy(password, sizeof(password),
+ "Enter password: ");
}
} else {
if (flags & GNUTLS_PIN_WRONG) {
if (token_label && token_label[0] != 0) {
- fprintf(stderr, "Token '%s' with URL '%s' ", token_label, token_url);
+ fprintf(stderr, "Token '%s' with URL '%s' ",
+ token_label, token_url);
fprintf(stderr, "requires %s PIN\n", desc);
}
- fprintf(stderr, "Cannot continue with a wrong password in the environment.\n");
+ fprintf(stderr,
+ "Cannot continue with a wrong password in the environment.\n");
exit(1);
}
}
@@ -1263,7 +1283,8 @@ pin_callback(void *user, int attempt, const char *token_url,
if (password[0] == 0 || password[0] == '\n') {
fprintf(stderr, "No PIN given.\n");
if (info != NULL && info->batch != 0) {
- fprintf(stderr, "note: when operating in batch mode, set the GNUTLS_PIN or GNUTLS_SO_PIN environment variables\n");
+ fprintf(stderr,
+ "note: when operating in batch mode, set the GNUTLS_PIN or GNUTLS_SO_PIN environment variables\n");
}
exit(1);
}
@@ -1290,8 +1311,7 @@ pin_callback(void *user, int attempt, const char *token_url,
#ifdef ENABLE_PKCS11
-static int
-token_callback(void *user, const char *label, const unsigned retry)
+static int token_callback(void *user, const char *label, const unsigned retry)
{
char buf[32];
common_info_st *info = user;
@@ -1301,7 +1321,7 @@ token_callback(void *user, const char *label, const unsigned retry)
return -1;
}
log_msg(stdout, "Please insert token '%s' in slot and press enter\n",
- label);
+ label);
if (fgets(buf, sizeof(buf), stdin) == NULL) {
fprintf(stderr, "error reading input\n");
return -1;
@@ -1310,7 +1330,7 @@ token_callback(void *user, const char *label, const unsigned retry)
return 0;
}
-void pkcs11_common(common_info_st *c)
+void pkcs11_common(common_info_st * c)
{
gnutls_pkcs11_set_pin_function(pin_callback, c);
@@ -1335,8 +1355,7 @@ void sockets_init(void)
#endif
}
-
-int log_msg(FILE *file, const char *message, ...)
+int log_msg(FILE * file, const char *message, ...)
{
va_list args;
int rv;
@@ -1350,7 +1369,7 @@ int log_msg(FILE *file, const char *message, ...)
return rv;
}
-void log_set(FILE *file)
+void log_set(FILE * file)
{
logfile = file;
}
@@ -1359,7 +1378,7 @@ void log_set(FILE *file)
#pragma GCC diagnostic ignored "-Wformat-y2k"
/* This is very similar to ctime() but it does not force a newline.
*/
-char *simple_ctime(const time_t *t, char out[SIMPLE_CTIME_BUF_SIZE])
+char *simple_ctime(const time_t * t, char out[SIMPLE_CTIME_BUF_SIZE])
{
struct tm tm;
@@ -1375,4 +1394,5 @@ char *simple_ctime(const time_t *t, char out[SIMPLE_CTIME_BUF_SIZE])
snprintf(out, SIMPLE_CTIME_BUF_SIZE, "[error]");
return out;
}
+
#pragma GCC diagnostic pop
diff --git a/src/common.h b/src/common.h
index 507d0d8337..6fac0044ec 100644
--- a/src/common.h
+++ b/src/common.h
@@ -19,57 +19,59 @@
*/
#ifndef GNUTLS_SRC_COMMON_H
-#define GNUTLS_SRC_COMMON_H
-
-#define SERVER "127.0.0.1"
-
-#include <config.h>
-#include <gnutls/gnutls.h>
-#include <gnutls/pkcs11.h>
-#include <certtool-common.h>
-#include <c-ctype.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netdb.h>
-#include <unistd.h>
-#ifndef _WIN32
-#include <netinet/in.h>
-#endif
-
-#include <signal.h>
-#ifdef _WIN32
-#include <io.h>
-#include <winbase.h>
-#include <sys/select.h>
-#include "socket.h"
-#undef OCSP_RESPONSE
-#endif
-
-#ifndef __attribute__
-#if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
-#define __attribute__(Spec) /* empty */
-#endif
-#endif
+# define GNUTLS_SRC_COMMON_H
+
+# define SERVER "127.0.0.1"
+
+# include <config.h>
+# include <gnutls/gnutls.h>
+# include <gnutls/pkcs11.h>
+# include <certtool-common.h>
+# include <c-ctype.h>
+# include <string.h>
+# include <sys/socket.h>
+# include <netdb.h>
+# include <unistd.h>
+# ifndef _WIN32
+# include <netinet/in.h>
+# endif
+
+# include <signal.h>
+# ifdef _WIN32
+# include <io.h>
+# include <winbase.h>
+# include <sys/select.h>
+# include "socket.h"
+# undef OCSP_RESPONSE
+# endif
+
+# ifndef __attribute__
+# if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+# define __attribute__(Spec) /* empty */
+# endif
+# endif
/* the number of elements in the priority structures.
*/
-#define PRI_MAX 16
+# define PRI_MAX 16
extern const char str_unknown[];
-#define P_PRINT_CERT 1
-#define P_WAIT_FOR_CERT (1<<1)
+# define P_PRINT_CERT 1
+# define P_WAIT_FOR_CERT (1<<1)
int print_info(gnutls_session_t state, int verbose, int flags);
void print_cert_info(gnutls_session_t, int flag, int print_cert);
void print_key_material(gnutls_session_t, const char *label, size_t size);
-int log_msg(FILE *file, const char *message, ...) __attribute__((format(printf, 2, 3)));
-void log_set(FILE *file);
+int log_msg(FILE * file, const char *message, ...)
+ __attribute__((format(printf, 2, 3)));
+void log_set(FILE * file);
-void print_cert_info2(gnutls_session_t, int flag, FILE *fp, int print_cert);
+void print_cert_info2(gnutls_session_t, int flag, FILE * fp, int print_cert);
void print_list(const char *priorities, int verbose);
-int cert_verify(gnutls_session_t session, const char *hostname, const char *purpose);
+int cert_verify(gnutls_session_t session, const char *hostname,
+ const char *purpose);
int compress_cert_set_methods(gnutls_session_t session, const char **strings,
size_t n_strings);
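Review bot: The indenter has rewritten `FILE *file`, `FILE *fp` and (further down) `common_info_st *c` and `const time_t *t` as `FILE * file`, `common_info_st * c`, `const time_t * t`, which is the classic symptom of GNU indent not knowing those typedef names and formatting `*` as a binary operator. The rest of the file and the project convention keep the declarator attached to the name (`gnutls_session_t session`, `const char *str`), so the new spacing is inconsistent within the same prototype list. Pass the typedefs to the tool (e.g. `-T FILE -T time_t -T common_info_st -T gnutls_session_t` or an equivalent `.indent.pro`) and re-run, rather than committing the odd spacing.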
@@ -77,9 +79,10 @@ int compress_cert_set_methods(gnutls_session_t session, const char **strings,
const char *raw_to_string(const unsigned char *raw, size_t raw_size);
const char *raw_to_hex(const unsigned char *raw, size_t raw_size);
const char *raw_to_base64(const unsigned char *raw, size_t raw_size);
-int check_command(gnutls_session_t session, const char *str, unsigned no_cli_cert);
+int check_command(gnutls_session_t session, const char *str,
+ unsigned no_cli_cert);
-#define MAX_PIN_LEN GNUTLS_PKCS11_MAX_PIN_LEN
+# define MAX_PIN_LEN GNUTLS_PKCS11_MAX_PIN_LEN
void getenv_copy(char *str, size_t max_str_size, const char *envvar);
void getpass_copy(char *pass, size_t max_pass_size, const char *prompt);
@@ -88,22 +91,23 @@ pin_callback(void *user, int attempt, const char *token_url,
const char *token_label, unsigned int flags, char *pin,
size_t pin_max);
-void pkcs11_common(common_info_st *c);
+void pkcs11_common(common_info_st * c);
inline static int is_ip(const char *hostname)
{
-int len = strlen(hostname);
+ int len = strlen(hostname);
if (strchr(hostname, ':') != 0)
return 1;
- else if (len > 2 && c_isdigit(hostname[0]) && c_isdigit(hostname[len-1]))
+ else if (len > 2 && c_isdigit(hostname[0])
+ && c_isdigit(hostname[len - 1]))
return 1;
return 0;
}
void sockets_init(void);
-#ifdef _WIN32
+# ifdef _WIN32
static int system_recv_timeout(gnutls_transport_ptr_t ptr, unsigned int ms)
{
fd_set rfds;
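Review bot: `int len = strlen(hostname);` in is_ip() narrows a size_t into an int and then compares it against a signed literal; `size_t len = strlen(hostname);` is the type the rest of the expression wants and avoids the implicit conversion. More importantly the function is a heuristic, not a parser: it reports "IP" for any string containing ':' or whose first and last characters are digits, and callers such as danetool's init_tls_session() use it to decide whether to send SNI, so a hostname that happens to start and end with a digit silently gets no server_name extension. A header comment should say so, e.g. `/* Heuristic only: treats anything with ':' or leading+trailing digits as an IP literal (no SNI); hostnames like "1a.b2" are misclassified. */`.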
@@ -141,13 +145,14 @@ void set_read_funcs(gnutls_session_t session)
{
gnutls_transport_set_push_function(session, system_write);
gnutls_transport_set_pull_function(session, system_read);
- gnutls_transport_set_pull_timeout_function(session, system_recv_timeout);
+ gnutls_transport_set_pull_timeout_function(session,
+ system_recv_timeout);
}
-#else
-# define set_read_funcs(x)
-#endif
+# else
+# define set_read_funcs(x)
+# endif
-#define SIMPLE_CTIME_BUF_SIZE 64
-char *simple_ctime(const time_t *t, char buf[SIMPLE_CTIME_BUF_SIZE]);
+# define SIMPLE_CTIME_BUF_SIZE 64
+char *simple_ctime(const time_t * t, char buf[SIMPLE_CTIME_BUF_SIZE]);
-#endif /* GNUTLS_SRC_COMMON_H */
+#endif /* GNUTLS_SRC_COMMON_H */
diff --git a/src/danetool.c b/src/danetool.c
index add5d05a1f..43bce51b70 100644
--- a/src/danetool.c
+++ b/src/danetool.c
@@ -29,7 +29,7 @@
#include <gnutls/crypto.h>
#ifdef HAVE_DANE
-#include <gnutls/dane.h>
+# include <gnutls/dane.h>
#endif
#include <stdio.h>
@@ -52,8 +52,9 @@
#include "certtool-common.h"
#include "socket.h"
-static const char *obtain_cert(const char *hostname, const char *proto, const char *service,
- const char *app_proto, unsigned quiet);
+static const char *obtain_cert(const char *hostname, const char *proto,
+ const char *service, const char *app_proto,
+ unsigned quiet);
static void cmd_parser(int argc, char **argv);
static void dane_info(const char *host, const char *proto,
const char *service, unsigned int ca,
@@ -93,7 +94,6 @@ int main(int argc, char **argv)
return 0;
}
-
static void cmd_parser(int argc, char **argv)
{
int ret, privkey_op = 0;
@@ -141,7 +141,7 @@ static void cmd_parser(int argc, char **argv)
if (HAVE_OPT(DEBUG)) {
gnutls_global_set_log_level(OPT_VALUE_DEBUG);
- printf("Setting log level to %d\n", (int) OPT_VALUE_DEBUG);
+ printf("Setting log level to %d\n", (int)OPT_VALUE_DEBUG);
}
if ((ret = gnutls_global_init()) < 0) {
@@ -172,7 +172,9 @@ static void cmd_parser(int argc, char **argv)
snprintf(service, sizeof(service), "%s", OPT_ARG(PORT));
} else {
if (HAVE_OPT(STARTTLS_PROTO))
- snprintf(service, sizeof(service), "%s", starttls_proto_to_service(OPT_ARG(STARTTLS_PROTO)));
+ snprintf(service, sizeof(service), "%s",
+ starttls_proto_to_service(OPT_ARG
+ (STARTTLS_PROTO)));
}
if (HAVE_OPT(PROTO))
@@ -233,16 +235,18 @@ static void dane_check(const char *host, const char *proto,
if (HAVE_OPT(STARTTLS_PROTO))
app_proto = OPT_ARG(STARTTLS_PROTO);
- cinfo->cert = obtain_cert(host, proto, service, app_proto, HAVE_OPT(QUIET));
+ cinfo->cert =
+ obtain_cert(host, proto, service, app_proto,
+ HAVE_OPT(QUIET));
del = 1;
}
if (!HAVE_OPT(QUIET))
- fprintf(stderr, "Querying DNS for %s (%s:%d)...\n", host, proto, port);
+ fprintf(stderr, "Querying DNS for %s (%s:%d)...\n", host, proto,
+ port);
ret = dane_state_init(&s, flags);
if (ret < 0) {
- fprintf(stderr, "dane_state_init: %s\n",
- dane_strerror(ret));
+ fprintf(stderr, "dane_state_init: %s\n", dane_strerror(ret));
retcode = 1;
goto error;
}
@@ -259,8 +263,7 @@ static void dane_check(const char *host, const char *proto,
ret = dane_query_tlsa(s, &q, host, proto, port);
if (ret < 0) {
- fprintf(stderr, "dane_query_tlsa: %s\n",
- dane_strerror(ret));
+ fprintf(stderr, "dane_query_tlsa: %s\n", dane_strerror(ret));
retcode = 1;
goto error;
}
@@ -273,7 +276,7 @@ static void dane_check(const char *host, const char *proto,
int bogus;
ret = dane_query_to_raw_tlsa(q, &entries, &dane_data,
- &dane_data_len, &secure, &bogus);
+ &dane_data_len, &secure, &bogus);
if (ret < 0) {
fprintf(stderr, "dane_query_to_raw_tlsa: %s\n",
dane_strerror(ret));
@@ -281,9 +284,9 @@ static void dane_check(const char *host, const char *proto,
goto error;
}
- for (i=0;i<entries;i++) {
+ for (i = 0; i < entries; i++) {
size_t str_size;
- t.data = (void*)dane_data[i];
+ t.data = (void *)dane_data[i];
t.size = dane_data_len[i];
str_size = t.size * 2 + 1;
@@ -315,8 +318,7 @@ static void dane_check(const char *host, const char *proto,
gnutls_x509_crt_list_import2(&clist,
&clist_size,
&file,
- cinfo->
- incert_format, 0);
+ cinfo->incert_format, 0);
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_list_import2: %s\n",
@@ -326,18 +328,16 @@ static void dane_check(const char *host, const char *proto,
}
if (clist_size > 0) {
- for (i = 0; i < MIN(MAX_CLIST_SIZE,clist_size); i++) {
+ for (i = 0; i < MIN(MAX_CLIST_SIZE, clist_size); i++) {
ret =
gnutls_x509_crt_export2(clist
[i],
GNUTLS_X509_FMT_DER,
- &certs
- [i]);
+ &certs[i]);
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_export2: %s\n",
- gnutls_strerror
- (ret));
+ gnutls_strerror(ret));
retcode = 1;
goto error;
}
@@ -356,7 +356,7 @@ static void dane_check(const char *host, const char *proto,
}
size = lbuffer_size;
- ret = gnutls_hex_encode(&data, (void *) lbuffer, &size);
+ ret = gnutls_hex_encode(&data, (void *)lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "gnutls_hex_encode: %s\n",
dane_strerror(ret));
@@ -373,16 +373,22 @@ static void dane_check(const char *host, const char *proto,
if (!HAVE_OPT(QUIET)) {
cstr = dane_cert_usage_name(usage);
- if (cstr == NULL) cstr= "Unknown";
- fprintf(outfile, "Certificate usage: %s (%.2x)\n", cstr, usage);
+ if (cstr == NULL)
+ cstr = "Unknown";
+ fprintf(outfile, "Certificate usage: %s (%.2x)\n", cstr,
+ usage);
cstr = dane_cert_type_name(type);
- if (cstr == NULL) cstr= "Unknown";
- fprintf(outfile, "Certificate type: %s (%.2x)\n", cstr, type);
+ if (cstr == NULL)
+ cstr = "Unknown";
+ fprintf(outfile, "Certificate type: %s (%.2x)\n", cstr,
+ type);
cstr = dane_match_type_name(match);
- if (cstr == NULL) cstr= "Unknown";
- fprintf(outfile, "Contents: %s (%.2x)\n", cstr, match);
+ if (cstr == NULL)
+ cstr = "Unknown";
+ fprintf(outfile, "Contents: %s (%.2x)\n", cstr,
+ match);
fprintf(outfile, "Data: %s\n", lbuffer);
}
@@ -394,8 +400,7 @@ static void dane_check(const char *host, const char *proto,
ret =
dane_verify_crt(s, certs, clist_size,
GNUTLS_CRT_X509, host,
- proto, port, 0, vflags,
- &status);
+ proto, port, 0, vflags, &status);
if (ret < 0) {
fprintf(stderr,
"dane_verify_crt: %s\n",
@@ -404,10 +409,7 @@ static void dane_check(const char *host, const char *proto,
goto error;
}
- ret =
- dane_verification_status_print(status,
- &out,
- 0);
+ ret = dane_verification_status_print(status, &out, 0);
if (ret < 0) {
fprintf(stderr,
"dane_verification_status_print: %s\n",
@@ -417,7 +419,8 @@ static void dane_check(const char *host, const char *proto,
}
if (!HAVE_OPT(QUIET))
- fprintf(outfile, "\nVerification: %s\n", out.data);
+ fprintf(outfile, "\nVerification: %s\n",
+ out.data);
gnutls_free(out.data);
/* if there is at least one correct accept */
@@ -437,8 +440,6 @@ static void dane_check(const char *host, const char *proto,
gnutls_free(clist);
}
-
-
dane_query_deinit(q);
dane_state_deinit(s);
@@ -572,10 +573,9 @@ static void dane_info(const char *host, const char *proto,
t.size = gnutls_hash_get_len(default_dig);
size = lbuffer_size;
- ret = gnutls_hex_encode(&t, (void *) lbuffer, &size);
+ ret = gnutls_hex_encode(&t, (void *)lbuffer, &size);
if (ret < 0) {
- fprintf(stderr, "hex encode error: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "hex encode error: %s\n", gnutls_strerror(ret));
app_exit(1);
}
@@ -584,7 +584,6 @@ static void dane_info(const char *host, const char *proto,
}
-
struct priv_st {
int fd;
int found;
@@ -608,8 +607,10 @@ static int cert_callback(gnutls_session_t session)
priv = gnutls_session_get_ptr(session);
- for (i=0;i<cert_list_size;i++) {
- ret = gnutls_pem_base64_encode_alloc("CERTIFICATE", &cert_list[i], &t);
+ for (i = 0; i < cert_list_size; i++) {
+ ret =
+ gnutls_pem_base64_encode_alloc("CERTIFICATE", &cert_list[i],
+ &t);
if (ret < 0) {
fprintf(stderr, "error[%d]: %s\n", __LINE__,
gnutls_strerror(ret));
@@ -637,7 +638,8 @@ gnutls_session_t init_tls_session(const char *hostname)
priv.found = 0;
priv.fd = file_fd;
- ret = gnutls_init(&session, (udp?GNUTLS_DATAGRAM:0)|GNUTLS_CLIENT);
+ ret =
+ gnutls_init(&session, (udp ? GNUTLS_DATAGRAM : 0) | GNUTLS_CLIENT);
if (ret < 0) {
fprintf(stderr, "error[%d]: %s\n", __LINE__,
gnutls_strerror(ret));
@@ -652,8 +654,9 @@ gnutls_session_t init_tls_session(const char *hostname)
app_exit(1);
}
- if (hostname && is_ip(hostname)==0) {
- gnutls_server_name_set(session, GNUTLS_NAME_DNS, hostname, strlen(hostname));
+ if (hostname && is_ip(hostname) == 0) {
+ gnutls_server_name_set(session, GNUTLS_NAME_DNS, hostname,
+ strlen(hostname));
}
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
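Review bot: The return values of `gnutls_server_name_set()` and `gnutls_credentials_set()` are discarded, while the gnutls_init() and priority calls in the same init_tls_session() check `ret < 0` and report via `fprintf(stderr, "error[%d]: %s\n", __LINE__, gnutls_strerror(ret))` before app_exit(1). A failed credentials_set leaves the session without a certificate credential and the later handshake will fail with a far less helpful message; applying the same `ret = …; if (ret < 0) { … app_exit(1); }` pattern to both calls keeps the error reporting consistent. The function starts and ends outside this hunk.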
@@ -666,15 +669,16 @@ int do_handshake(socket_st * socket)
do {
ret = gnutls_handshake(socket->session);
- } while(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_WARNING_ALERT_RECEIVED);
+ } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN
+ || ret == GNUTLS_E_WARNING_ALERT_RECEIVED);
/* we don't care on the result */
return 0;
}
-
-static const char *obtain_cert(const char *hostname, const char *proto, const char *service,
- const char *app_proto, unsigned quiet)
+static const char *obtain_cert(const char *hostname, const char *proto,
+ const char *service, const char *app_proto,
+ unsigned quiet)
{
socket_st hd;
const char *txt_service;
@@ -707,22 +711,22 @@ static const char *obtain_cert(const char *hostname, const char *proto, const ch
if (quiet)
str = NULL;
- if (app_proto == NULL) app_proto = txt_service;
+ if (app_proto == NULL)
+ app_proto = txt_service;
if (udp)
socket_flags |= SOCKET_FLAG_UDP;
-
umask(066);
file_fd = mkstemp(tmpfile);
if (file_fd == -1) {
int e = errno;
- fprintf(stderr, "error[%d]: %s\n", __LINE__,
- strerror(e));
+ fprintf(stderr, "error[%d]: %s\n", __LINE__, strerror(e));
app_exit(1);
}
- socket_open(&hd, hostname, txt_service, app_proto, socket_flags|SOCKET_FLAG_STARTTLS, str, NULL);
+ socket_open(&hd, hostname, txt_service, app_proto,
+ socket_flags | SOCKET_FLAG_STARTTLS, str, NULL);
close(file_fd);
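Review bot: `umask(066);` before mkstemp() is process-wide and never restored, and it only clears the read/write bits for group and other, leaving execute bits untouched; on glibc mkstemp() already creates the file 0600, so the call adds nothing for the temp file while quietly changing the mode of every file the tool creates afterwards. Prefer the save/restore form, `mode_t old_mask = umask(077);` then `file_fd = mkstemp(tmpfile);` then `umask(old_mask);`, so the restriction is scoped to this one creation. Note that the temp file is then read through priv.fd from cert_callback() during the handshake inside socket_open(), so closing file_fd right after is fine, but a short comment saying the callback owns the fd until then would save the next reader a trip.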
diff --git a/src/inline_cmds.h b/src/inline_cmds.h
index 2705a8cc30..70d02d9499 100755
--- a/src/inline_cmds.h
+++ b/src/inline_cmds.h
@@ -18,7 +18,7 @@
*/
#ifndef GNUTLS_SRC_INLINE_CMDS_H
-#define GNUTLS_SRC_INLINE_CMDS_H
+# define GNUTLS_SRC_INLINE_CMDS_H
/*
* The inline commands is a facility that can be used optionally
@@ -48,7 +48,7 @@ typedef enum INLINE_COMMAND { INLINE_COMMAND_NONE,
INLINE_COMMAND_REKEY_BOTH
} inline_command_t;
-#define MAX_INLINE_COMMAND_BYTES 20
+# define MAX_INLINE_COMMAND_BYTES 20
typedef struct inline_cmds {
char *current_ptr; /* points to the start of the current buffer being processed */
@@ -61,7 +61,6 @@ typedef struct inline_cmds {
char inline_cmd_buffer[MAX_INLINE_COMMAND_BYTES];
} inline_cmds_st;
-
struct inline_command_definitions {
int command;
char string[MAX_INLINE_COMMAND_BYTES];
@@ -75,6 +74,6 @@ struct inline_command_definitions inline_commands_def[] = {
{INLINE_COMMAND_RENEGOTIATE, "^renegotiate^\n"},
};
-#define NUM_INLINE_COMMANDS ((unsigned)(sizeof(inline_commands_def)/sizeof(inline_commands_def[0])))
+# define NUM_INLINE_COMMANDS ((unsigned)(sizeof(inline_commands_def)/sizeof(inline_commands_def[0])))
-#endif /* GNUTLS_SRC_INLINE_CMDS_H */
+#endif /* GNUTLS_SRC_INLINE_CMDS_H */
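Review bot: `inline_commands_def[]` is defined, not merely declared, in this header with external linkage (see the `@@` context line), so if the header is included from more than one translation unit the linker sees duplicate definitions, and otherwise a header-level table with external linkage is still surprising to readers. Declaring it `static const struct inline_command_definitions inline_commands_def[] = { ... };` makes the per-includer copy explicit and lets the compiler drop it when unused; NUM_INLINE_COMMANDS already relies on the array being visible in the same translation unit, so nothing else changes. The array definition itself starts outside this hunk.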
diff --git a/src/ocsptool-common.c b/src/ocsptool-common.c
index 4286e1484c..00ea8b6b53 100644
--- a/src/ocsptool-common.c
+++ b/src/ocsptool-common.c
@@ -47,7 +47,8 @@
static char buffer[MAX_BUF + 1];
/* returns the host part of a URL */
-static const char *host_from_url(const char *url, unsigned int *port, const char **path)
+static const char *host_from_url(const char *url, unsigned int *port,
+ const char **path)
{
static char hostname[512];
char *p;
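Review bot: host_from_url returns a pointer into the file-static `hostname[512]` buffer, and (from the next hunk) `*path` is set to point into the same buffer, so both results are invalidated by the next call and the function is not reentrant; the declaration should say so, e.g. `/* Result and *path point into static storage and are valid only until the next call; port is updated in place. */`. The copy of the URL into the fixed 512-byte buffer happens outside this hunk, so its length check cannot be confirmed here. The function body continues past the end of the hunk.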
@@ -60,7 +61,7 @@ static const char *host_from_url(const char *url, unsigned int *port, const char
p = strchr(hostname, '/');
if (p != NULL) {
*p = 0;
- *path = p+1;
+ *path = p + 1;
}
p = strchr(hostname, ':');
@@ -77,7 +78,7 @@ static const char *host_from_url(const char *url, unsigned int *port, const char
void
_generate_request(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- gnutls_datum_t * rdata, gnutls_datum_t *nonce)
+ gnutls_datum_t * rdata, gnutls_datum_t * nonce)
{
gnutls_ocsp_req_t req;
int ret;
@@ -90,8 +91,7 @@ _generate_request(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
ret = gnutls_ocsp_req_add_cert(req, GNUTLS_DIG_SHA1, issuer, cert);
if (ret < 0) {
- fprintf(stderr, "ocsp_req_add_cert: %s",
- gnutls_strerror(ret));
+ fprintf(stderr, "ocsp_req_add_cert: %s", gnutls_strerror(ret));
exit(1);
}
@@ -106,8 +106,7 @@ _generate_request(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
ret = gnutls_ocsp_req_export(req, rdata);
if (ret != 0) {
- fprintf(stderr, "ocsp_req_export: %s",
- gnutls_strerror(ret));
+ fprintf(stderr, "ocsp_req_export: %s", gnutls_strerror(ret));
exit(1);
}
@@ -115,8 +114,7 @@ _generate_request(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
return;
}
-static size_t get_data(void *buf, size_t size, size_t nmemb,
- void *userp)
+static size_t get_data(void *buf, size_t size, size_t nmemb, void *userp)
{
gnutls_datum_t *ud = userp;
@@ -137,12 +135,12 @@ static size_t get_data(void *buf, size_t size, size_t nmemb,
/* Returns 0 on ok, and -1 on error */
int send_ocsp_request(const char *server,
gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- gnutls_datum_t * resp_data, gnutls_datum_t *nonce)
+ gnutls_datum_t * resp_data, gnutls_datum_t * nonce)
{
gnutls_datum_t ud;
int ret;
gnutls_datum_t req;
- char *url = (void *) server;
+ char *url = (void *)server;
char headers[1024];
char service[16];
unsigned char *p;
@@ -160,19 +158,21 @@ int send_ocsp_request(const char *server,
i = 0;
do {
- ret = gnutls_x509_crt_get_authority_info_access(cert, i++,
- GNUTLS_IA_OCSP_URI,
- &data,
- NULL);
- } while(ret == GNUTLS_E_UNKNOWN_ALGORITHM);
+ ret =
+ gnutls_x509_crt_get_authority_info_access(cert, i++,
+ GNUTLS_IA_OCSP_URI,
+ &data,
+ NULL);
+ } while (ret == GNUTLS_E_UNKNOWN_ALGORITHM);
if (ret < 0) {
i = 0;
do {
ret =
gnutls_x509_crt_get_authority_info_access
- (issuer, i++, GNUTLS_IA_OCSP_URI, &data, NULL);
- } while(ret == GNUTLS_E_UNKNOWN_ALGORITHM);
+ (issuer, i++, GNUTLS_IA_OCSP_URI, &data,
+ NULL);
+ } while (ret == GNUTLS_E_UNKNOWN_ALGORITHM);
}
if (ret < 0) {
@@ -184,7 +184,7 @@ int send_ocsp_request(const char *server,
url = malloc(data.size + 1);
if (url == NULL) {
- return -1;
+ return -1;
}
memcpy(url, data.data, data.size);
url[data.size] = 0;
@@ -205,10 +205,11 @@ int send_ocsp_request(const char *server,
_generate_request(cert, issuer, &req, nonce);
snprintf(headers, sizeof(headers), HEADER_PATTERN, path, hostname,
- (unsigned int) req.size);
+ (unsigned int)req.size);
headers_size = strlen(headers);
- socket_open(&hd, hostname, service, NULL, SOCKET_FLAG_RAW|SOCKET_FLAG_SKIP_INIT, CONNECT_MSG, NULL);
+ socket_open(&hd, hostname, service, NULL,
+ SOCKET_FLAG_RAW | SOCKET_FLAG_SKIP_INIT, CONNECT_MSG, NULL);
socket_send(&hd, headers, headers_size);
socket_send(&hd, req.data, req.size);
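Review bot: the `snprintf` into `headers[1024]` is not checked for truncation, and `headers_size = strlen(headers)` then sends whatever fit; `path` and `hostname` are derived from the OCSP URI read out of the certificate's AIA extension earlier in this function, so an over-long URI produces a silently malformed HTTP request instead of an error. Proposed: `int n = snprintf(headers, sizeof(headers), HEADER_PATTERN, path, hostname, (unsigned int)req.size);` followed by `if (n < 0 || (size_t)n >= sizeof(headers)) { fprintf(stderr, "OCSP request headers too long\n"); return -1; }` (releasing `url` first if it was allocated, which happens in an earlier hunk). The two socket_send calls also discard their results, if socket_send reports errors at all. send_ocsp_request starts and ends outside this hunk.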
@@ -314,7 +315,7 @@ void print_ocsp_verify_res(unsigned int output)
if (comma)
printf(", ");
printf("Signer cert expired");
- /*comma = 1;*/
+ /*comma = 1; */
}
}
@@ -342,15 +343,13 @@ check_ocsp_response(gnutls_x509_crt_t cert,
ret = gnutls_ocsp_resp_init(&resp);
if (ret < 0) {
- fprintf(stderr, "ocsp_resp_init: %s",
- gnutls_strerror(ret));
+ fprintf(stderr, "ocsp_resp_init: %s", gnutls_strerror(ret));
exit(1);
}
ret = gnutls_ocsp_resp_import(resp, data);
if (ret < 0) {
- fprintf(stderr, "importing response: %s",
- gnutls_strerror(ret));
+ fprintf(stderr, "importing response: %s", gnutls_strerror(ret));
exit(1);
}
@@ -386,18 +385,17 @@ check_ocsp_response(gnutls_x509_crt_t cert,
goto cleanup;
}
-
ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
&cert_status, &vtime, &ntime,
&rtime, NULL);
if (ret < 0) {
- fprintf(stderr, "reading response: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "reading response: %s\n", gnutls_strerror(ret));
exit(1);
}
if (cert_status == GNUTLS_OCSP_CERT_REVOKED) {
- printf("*** Certificate was revoked at %s\n", simple_ctime(&rtime, timebuf1));
+ printf("*** Certificate was revoked at %s\n",
+ simple_ctime(&rtime, timebuf1));
ret = 0;
goto cleanup;
}
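Review bot: `ret = 0; goto cleanup;` on the GNUTLS_OCSP_CERT_REVOKED path reads like "success" to anyone who does not know the function's return convention, and neither this hunk nor the prototype in the ocsptool-common.h hunk below documents what 0, 1 and -1 mean for check_ocsp_response. A comment at this site, `/* 0 = certificate revoked (see return-value contract on the declaration) */`, plus a one-line contract above the prototype in ocsptool-common.h would remove the ambiguity; the sibling send_ocsp_request already carries `/* Returns 0 on ok, and -1 on error */`. check_ocsp_response begins and ends outside this hunk, so the convention could not be verified here.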
@@ -413,8 +411,10 @@ check_ocsp_response(gnutls_x509_crt_t cert,
} else {
/* there is a newer OCSP answer, don't trust this one */
if (ntime < now) {
- printf("*** The OCSP response was issued at: %s but there is a newer issue at %s\n",
- simple_ctime(&vtime, timebuf1), simple_ctime(&ntime, timebuf2));
+ printf
+ ("*** The OCSP response was issued at: %s but there is a newer issue at %s\n",
+ simple_ctime(&vtime, timebuf1),
+ simple_ctime(&ntime, timebuf2));
ret = -1;
goto cleanup;
}
@@ -426,7 +426,8 @@ check_ocsp_response(gnutls_x509_crt_t cert,
ret = gnutls_ocsp_resp_get_nonce(resp, NULL, &rnonce);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
if (verbose)
- fprintf(stderr, "*** The OCSP reply did not include the requested nonce.\n");
+ fprintf(stderr,
+ "*** The OCSP reply did not include the requested nonce.\n");
goto finish_ok;
}
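Review bot: the GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE branch jumps to `finish_ok`, so a response that omits the nonce the request carried is accepted exactly as a response whose nonce matched, which gives up the freshness guarantee the nonce was requested for; the only trace is a stderr line gated on `verbose`. Responders that serve pre-produced responses legitimately omit the nonce, so leniency may be intended, but the code should say so and name what replaces the check: `/* No nonce in the reply: accept it (pre-produced responses omit the nonce); freshness then rests on the thisUpdate/nextUpdate checks above. */`. Whether those time checks are sufficient for every caller cannot be judged from this hunk; check_ocsp_response starts and ends outside it.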
@@ -436,9 +437,10 @@ check_ocsp_response(gnutls_x509_crt_t cert,
exit(1);
}
- if (rnonce.size != nonce->size || memcmp(nonce->data, rnonce.data,
- nonce->size) != 0) {
- fprintf(stderr, "nonce in the response doesn't match\n");
+ if (rnonce.size != nonce->size
+ || memcmp(nonce->data, rnonce.data, nonce->size) != 0) {
+ fprintf(stderr,
+ "nonce in the response doesn't match\n");
exit(1);
}
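Review bot: the size-then-memcmp nonce comparison here is repeated verbatim in ocsptool.c `_verify_response` (the hunk at `@@ -335,9 +330,10`), the only difference being `exit(1)` versus `app_exit(1)`, so the two verification paths can drift apart silently. A small shared helper in ocsptool-common.c, `static int nonce_matches(const gnutls_datum_t *a, const gnutls_datum_t *b)` returning `a->size == b->size && memcmp(a->data, b->data, a->size) == 0`, would let both sites share one definition. The bare `exit(1)` here also skips whatever app_exit does on the ocsptool side (`outfile_name /* to delete on exit */` in ocsptool.c suggests output-file cleanup), which is worth confirming for callers of this file. The enclosing function continues outside the hunk.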
diff --git a/src/ocsptool-common.h b/src/ocsptool-common.h
index 76f16b0b92..8110217408 100644
--- a/src/ocsptool-common.h
+++ b/src/ocsptool-common.h
@@ -19,9 +19,9 @@
*/
#ifndef GNUTLS_SRC_OCSPTOOL_COMMON_H
-#define GNUTLS_SRC_OCSPTOOL_COMMON_H
+# define GNUTLS_SRC_OCSPTOOL_COMMON_H
-#include <gnutls/ocsp.h>
+# include <gnutls/ocsp.h>
enum {
ACTION_NONE,
@@ -34,15 +34,14 @@ enum {
extern void ocsptool_version(void);
void
_generate_request(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- gnutls_datum_t * rdata, gnutls_datum_t* nonce);
+ gnutls_datum_t * rdata, gnutls_datum_t * nonce);
int send_ocsp_request(const char *server,
gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- gnutls_datum_t * resp_data, gnutls_datum_t* nonce);
+ gnutls_datum_t * resp_data, gnutls_datum_t * nonce);
void print_ocsp_verify_res(unsigned int output);
int
check_ocsp_response(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
- gnutls_datum_t * data, gnutls_datum_t *nonce,
- int verbose);
+ gnutls_datum_t * data, gnutls_datum_t * nonce, int verbose);
-#endif /* GNUTLS_SRC_OCSPTOOL_COMMON_H */
+#endif /* GNUTLS_SRC_OCSPTOOL_COMMON_H */
diff --git a/src/ocsptool.c b/src/ocsptool.c
index 8e558dfb83..86df3331a7 100644
--- a/src/ocsptool.c
+++ b/src/ocsptool.c
@@ -31,7 +31,7 @@
#include <gnutls/x509.h>
#include <gnutls/crypto.h>
-#include <unistd.h> /* getpass */
+#include <unistd.h> /* getpass */
/* Gnulib portability files. */
#include <read-file.h>
@@ -44,7 +44,7 @@
FILE *outfile;
static unsigned int incert_format, outcert_format;
-static const char *outfile_name = NULL; /* to delete on exit */
+static const char *outfile_name = NULL; /* to delete on exit */
FILE *infile;
static unsigned int encoding;
unsigned int verbose = 0;
@@ -99,16 +99,15 @@ static void request_info(void)
if (HAVE_OPT(LOAD_REQUEST))
dat.data =
- (void *) read_file(OPT_ARG(LOAD_REQUEST), RF_BINARY, &size);
+ (void *)read_file(OPT_ARG(LOAD_REQUEST), RF_BINARY, &size);
else
- dat.data = (void *) fread_file(infile, 0, &size);
+ dat.data = (void *)fread_file(infile, 0, &size);
if (dat.data == NULL) {
fprintf(stderr, "error reading request\n");
app_exit(1);
}
dat.size = size;
-
ret = gnutls_ocsp_req_import(req, &dat);
free(dat.data);
if (ret < 0) {
@@ -119,8 +118,7 @@ static void request_info(void)
ret = gnutls_ocsp_req_print(req, GNUTLS_OCSP_PRINT_FULL, &dat);
if (ret != 0) {
- fprintf(stderr, "ocsp_req_print: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "ocsp_req_print: %s\n", gnutls_strerror(ret));
app_exit(1);
}
@@ -133,7 +131,8 @@ static void request_info(void)
}
if (outcert_format == GNUTLS_X509_FMT_PEM) {
- fprintf(stderr, "Cannot export requests into PEM form\n");
+ fprintf(stderr,
+ "Cannot export requests into PEM form\n");
app_exit(1);
} else {
fwrite(rbuf.data, 1, rbuf.size, outfile);
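Review bot: the `fwrite` of the exported request ignores its return value, so a short write to `outfile` (disk full, closed pipe) leaves a truncated DER request with exit status 0 unless the stream error is checked at exit somewhere outside this hunk. Proposed: `if (fwrite(rbuf.data, 1, rbuf.size, outfile) != rbuf.size) { fprintf(stderr, "error writing request\n"); app_exit(1); }`. request_info starts and ends outside this hunk.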
@@ -162,8 +161,7 @@ static void _response_info(const gnutls_datum_t * data, unsigned force_print)
ret = gnutls_ocsp_resp_init(&resp);
if (ret < 0) {
- fprintf(stderr, "ocsp_resp_init: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "ocsp_resp_init: %s\n", gnutls_strerror(ret));
app_exit(1);
}
@@ -181,15 +179,13 @@ static void _response_info(const gnutls_datum_t * data, unsigned force_print)
if (ENABLED_OPT(VERBOSE))
ret =
- gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL,
- &buf);
+ gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &buf);
else
ret =
gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT,
&buf);
if (ret != 0) {
- fprintf(stderr, "ocsp_resp_print: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "ocsp_resp_print: %s\n", gnutls_strerror(ret));
app_exit(1);
}
@@ -212,7 +208,8 @@ static void _response_info(const gnutls_datum_t * data, unsigned force_print)
}
if (force_print || !HAVE_OPT(OUTFILE)) {
- ret = gnutls_ocsp_resp_export2(resp, &rbuf, GNUTLS_X509_FMT_PEM);
+ ret =
+ gnutls_ocsp_resp_export2(resp, &rbuf, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "error exporting response: %s\n",
gnutls_strerror(ret));
@@ -235,9 +232,9 @@ static void response_info(void)
if (HAVE_OPT(LOAD_RESPONSE))
dat.data =
- (void *) read_file(OPT_ARG(LOAD_RESPONSE), RF_BINARY, &size);
+ (void *)read_file(OPT_ARG(LOAD_RESPONSE), RF_BINARY, &size);
else
- dat.data = (void *) fread_file(infile, 0, &size);
+ dat.data = (void *)fread_file(infile, 0, &size);
if (dat.data == NULL) {
fprintf(stderr, "error reading response\n");
app_exit(1);
@@ -249,7 +246,7 @@ static void response_info(void)
gnutls_free(dat.data);
}
-static void generate_request(gnutls_datum_t *nonce)
+static void generate_request(gnutls_datum_t * nonce)
{
gnutls_datum_t dat;
gnutls_x509_crt_t cert, issuer;
@@ -284,9 +281,8 @@ static void generate_request(gnutls_datum_t *nonce)
gnutls_free(dat.data);
}
-
static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
- gnutls_x509_crt_t signer, unsigned print_resp)
+ gnutls_x509_crt_t signer, unsigned print_resp)
{
gnutls_ocsp_resp_t resp;
int ret;
@@ -299,8 +295,7 @@ static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
ret = gnutls_ocsp_resp_init(&resp);
if (ret < 0) {
- fprintf(stderr, "ocsp_resp_init: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "ocsp_resp_init: %s\n", gnutls_strerror(ret));
app_exit(1);
}
@@ -335,9 +330,10 @@ static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
app_exit(1);
}
- if (rnonce.size != nonce->size || memcmp(nonce->data, rnonce.data,
- nonce->size) != 0) {
- fprintf(stderr, "nonce in the response doesn't match\n");
+ if (rnonce.size != nonce->size
+ || memcmp(nonce->data, rnonce.data, nonce->size) != 0) {
+ fprintf(stderr,
+ "nonce in the response doesn't match\n");
app_exit(1);
}
@@ -346,7 +342,7 @@ static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
if (HAVE_OPT(LOAD_TRUST)) {
dat.data =
- (void *) read_file(OPT_ARG(LOAD_TRUST), RF_BINARY, &size);
+ (void *)read_file(OPT_ARG(LOAD_TRUST), RF_BINARY, &size);
if (dat.data == NULL) {
fprintf(stderr, "error reading --load-trust: %s\n",
OPT_ARG(LOAD_TRUST));
@@ -363,8 +359,7 @@ static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
ret =
gnutls_x509_crt_list_import2(&x509_ca_list, &x509_ncas,
- &dat, GNUTLS_X509_FMT_PEM,
- 0);
+ &dat, GNUTLS_X509_FMT_PEM, 0);
if (ret < 0 || x509_ncas < 1) {
fprintf(stderr, "error parsing CAs: %s\n",
gnutls_strerror(ret));
@@ -388,8 +383,7 @@ static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
app_exit(1);
}
- printf("%d: %.*s\n", i, out.size,
- out.data);
+ printf("%d: %.*s\n", i, out.size, out.data);
gnutls_free(out.data);
}
printf("\n");
@@ -405,8 +399,7 @@ static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
}
if (HAVE_OPT(VERBOSE))
- fprintf(stdout, "Loaded %d trust anchors\n",
- x509_ncas);
+ fprintf(stdout, "Loaded %d trust anchors\n", x509_ncas);
ret = gnutls_ocsp_resp_verify(resp, list, &verify, vflags);
if (ret < 0) {
@@ -480,7 +473,7 @@ unsigned load_chain(gnutls_x509_crt_t chain[MAX_CHAIN_SIZE])
app_exit(1);
}
- for (i=0;i<list_size;i++)
+ for (i = 0; i < list_size; i++)
chain[i] = list[i];
gnutls_free(list);
return list_size;
@@ -510,7 +503,7 @@ unsigned load_chain(gnutls_x509_crt_t chain[MAX_CHAIN_SIZE])
}
}
-static void verify_response(gnutls_datum_t *nonce)
+static void verify_response(gnutls_datum_t * nonce)
{
gnutls_datum_t dat;
size_t size;
@@ -522,9 +515,9 @@ static void verify_response(gnutls_datum_t *nonce)
if (HAVE_OPT(LOAD_RESPONSE))
dat.data =
- (void *) read_file(OPT_ARG(LOAD_RESPONSE), RF_BINARY, &size);
+ (void *)read_file(OPT_ARG(LOAD_RESPONSE), RF_BINARY, &size);
else
- dat.data = (void *) fread_file(infile, 0, &size);
+ dat.data = (void *)fread_file(infile, 0, &size);
if (dat.data == NULL) {
fprintf(stderr, "error reading response\n");
app_exit(1);
@@ -545,7 +538,7 @@ static void verify_response(gnutls_datum_t *nonce)
v = _verify_response(&dat, nonce, signer, 1);
- for (i=0;i<chain_size;i++)
+ for (i = 0; i < chain_size; i++)
gnutls_x509_crt_deinit(chain[i]);
} else if (HAVE_OPT(LOAD_TRUST)) {
v = _verify_response(&dat, nonce, NULL, 1);
@@ -553,7 +546,8 @@ static void verify_response(gnutls_datum_t *nonce)
memset(&info, 0, sizeof(info));
info.verbose = verbose;
if (!HAVE_OPT(LOAD_SIGNER)) {
- fprintf(stderr, "Missing option --load-signer or --load-chain\n");
+ fprintf(stderr,
+ "Missing option --load-signer or --load-chain\n");
app_exit(1);
}
info.cert = OPT_ARG(LOAD_SIGNER);
@@ -586,17 +580,19 @@ static void ask_server(const char *url)
if (chain_size > 2 && HAVE_OPT(OUTFILE)) {
if (outcert_format != GNUTLS_X509_FMT_PEM) {
- fprintf(stderr, "error: You cannot combine --outfile when more than 2 certificates are found in a chain\n");
+ fprintf(stderr,
+ "error: You cannot combine --outfile when more than 2 certificates are found in a chain\n");
fprintf(stderr, "Did you mean to use --outpem?\n");
app_exit(1);
}
}
counter = chain_size;
- while(counter > 1) {
+ while (counter > 1) {
if (ENABLED_OPT(NONCE)) {
ret =
- gnutls_rnd(GNUTLS_RND_NONCE, nonce.data, nonce.size);
+ gnutls_rnd(GNUTLS_RND_NONCE, nonce.data,
+ nonce.size);
if (ret < 0) {
fprintf(stderr, "gnutls_rnd: %s\n",
gnutls_strerror(ret));
@@ -608,7 +604,8 @@ static void ask_server(const char *url)
}
ret =
- send_ocsp_request(url, chain[idx], chain[idx+1], &resp_data, n);
+ send_ocsp_request(url, chain[idx], chain[idx + 1],
+ &resp_data, n);
if (ret < 0) {
fprintf(stderr, "Cannot send OCSP request\n");
app_exit(1);
@@ -623,13 +620,14 @@ static void ask_server(const char *url)
info.verbose = verbose;
info.cert = OPT_ARG(LOAD_SIGNER);
- v = _verify_response(&resp_data, n, load_cert(1, &info), 0);
+ v = _verify_response(&resp_data, n, load_cert(1, &info),
+ 0);
} else {
if (!HAVE_OPT(LOAD_CHAIN))
fprintf(stderr,
"\nAssuming response's signer = issuer (use --load-signer to override).\n");
- v = _verify_response(&resp_data, n, chain[idx+1], 0);
+ v = _verify_response(&resp_data, n, chain[idx + 1], 0);
}
total_v += v;
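Review bot: `load_cert(1, &info)` is called inline as the signer argument and its result is never stored, so unless _verify_response takes ownership of the certificate (its body is outside this hunk and the visible call sites pass chain entries it must not free), the signer certificate leaks once per loop iteration; assigning it to a local and calling gnutls_x509_crt_deinit after the verification would fix that. The "Assuming response's signer = issuer" message is only printed when --load-chain is absent, so a reader of the `else` branch cannot tell why chain[idx + 1] is a valid signer in the --load-chain case without a comment. ask_server starts and ends outside this hunk.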
@@ -640,7 +638,7 @@ static void ask_server(const char *url)
printf("\n");
}
- for (idx = 0;idx<chain_size;idx++) {
+ for (idx = 0; idx < chain_size; idx++) {
gnutls_x509_crt_deinit(chain[idx]);
}
@@ -709,7 +707,8 @@ int main(int argc, char **argv)
verify_response(NULL);
else if (HAVE_OPT(ASK)) {
if ((!HAVE_OPT(LOAD_CERT)) && (!HAVE_OPT(LOAD_CHAIN))) {
- fprintf(stderr, "This option required --load-chain or --load-cert\n");
+ fprintf(stderr,
+ "This option required --load-chain or --load-cert\n");
app_exit(1);
}
ask_server(OPT_ARG(ASK));
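Review bot: the user-facing message `"This option required --load-chain or --load-cert\n"` has a tense error; it should read `"This option requires --load-chain or --load-cert\n"`. The commit only rewraps the call, so this is a good moment to fix the string in the same line. main begins and ends outside this hunk.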
diff --git a/src/p11tool.c b/src/p11tool.c
index e60f74a9f1..d91926b79e 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -69,7 +69,6 @@ static void tls_log_func(int level, const char *str)
fprintf(stderr, "|<%d>| %s", level, str);
}
-
int main(int argc, char **argv)
{
cmd_parser(argc, argv);
@@ -78,10 +77,10 @@ int main(int argc, char **argv)
}
static
-unsigned opt_to_flags(common_info_st *cinfo, unsigned *key_usage)
+unsigned opt_to_flags(common_info_st * cinfo, unsigned *key_usage)
{
unsigned flags = 0;
-
+
*key_usage = 0;
if (HAVE_OPT(MARK_PRIVATE)) {
@@ -90,7 +89,7 @@ unsigned opt_to_flags(common_info_st *cinfo, unsigned *key_usage)
} else {
flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE;
}
- } else { /* if not given mark as private the private objects, and public the public ones */
+ } else { /* if not given mark as private the private objects, and public the public ones */
if (cinfo->privkey)
flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE;
else if (cinfo->pubkey || cinfo->cert)
@@ -103,12 +102,10 @@ unsigned opt_to_flags(common_info_st *cinfo, unsigned *key_usage)
}
if (HAVE_OPT(MARK_DISTRUSTED)) {
- flags |=
- GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED;
+ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED;
} else {
if (ENABLED_OPT(MARK_TRUSTED))
- flags |=
- GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
+ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
}
if (ENABLED_OPT(MARK_SIGN))
@@ -118,8 +115,7 @@ unsigned opt_to_flags(common_info_st *cinfo, unsigned *key_usage)
*key_usage |= GNUTLS_KEY_DECIPHER_ONLY;
if (ENABLED_OPT(MARK_CA))
- flags |=
- GNUTLS_PKCS11_OBJ_FLAG_MARK_CA;
+ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_CA;
if (ENABLED_OPT(MARK_WRAP))
flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP;
@@ -321,12 +317,14 @@ static void cmd_parser(int argc, char **argv)
} else if (HAVE_OPT(EXPORT)) {
pkcs11_export(outfile, url, flags, &cinfo);
} else if (HAVE_OPT(EXPORT_STAPLED)) {
- pkcs11_export(outfile, url, flags|GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT, &cinfo);
+ pkcs11_export(outfile, url,
+ flags |
+ GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT,
+ &cinfo);
} else if (HAVE_OPT(EXPORT_CHAIN)) {
pkcs11_export_chain(outfile, url, flags, &cinfo);
} else if (HAVE_OPT(WRITE)) {
- pkcs11_write(outfile, url, label, id,
- flags, &cinfo);
+ pkcs11_write(outfile, url, label, id, flags, &cinfo);
} else if (HAVE_OPT(TEST_SIGN)) {
pkcs11_test_sign(outfile, url, flags, &cinfo);
} else if (HAVE_OPT(INITIALIZE)) {
@@ -343,32 +341,30 @@ static void cmd_parser(int argc, char **argv)
app_exit(1);
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
- label, id, detailed_url,
- flags, &cinfo);
+ label, id, detailed_url, flags, &cinfo);
} else if (HAVE_OPT(GENERATE_ECC)) {
key_type = GNUTLS_PK_EC;
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
- label, id, detailed_url,
- flags, &cinfo);
+ label, id, detailed_url, flags, &cinfo);
} else if (HAVE_OPT(GENERATE_RSA)) {
key_type = GNUTLS_PK_RSA;
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
- label, id, detailed_url,
- flags, &cinfo);
+ label, id, detailed_url, flags, &cinfo);
} else if (HAVE_OPT(GENERATE_DSA)) {
key_type = GNUTLS_PK_DSA;
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
- label, id, detailed_url,
- flags, &cinfo);
+ label, id, detailed_url, flags, &cinfo);
} else if (HAVE_OPT(EXPORT_PUBKEY)) {
pkcs11_export_pubkey(outfile, url, detailed_url, flags, &cinfo);
} else if (HAVE_OPT(SET_ID)) {
- pkcs11_set_id(outfile, url, detailed_url, flags, &cinfo, OPT_ARG(SET_ID));
+ pkcs11_set_id(outfile, url, detailed_url, flags, &cinfo,
+ OPT_ARG(SET_ID));
} else if (HAVE_OPT(SET_LABEL)) {
- pkcs11_set_label(outfile, url, detailed_url, flags, &cinfo, OPT_ARG(SET_LABEL));
+ pkcs11_set_label(outfile, url, detailed_url, flags, &cinfo,
+ OPT_ARG(SET_LABEL));
} else {
USAGE(1);
}
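Review bot: the GENERATE_ECC, GENERATE_RSA and GENERATE_DSA branches are identical apart from the value assigned to `key_type`, and the branch above them makes the same pkcs11_generate call, so the four copies of the argument list will drift the next time a parameter is added. Folding them into one branch that picks `key_type` first (`key_type = HAVE_OPT(GENERATE_ECC) ? GNUTLS_PK_EC : HAVE_OPT(GENERATE_RSA) ? GNUTLS_PK_RSA : GNUTLS_PK_DSA;`) and then calls pkcs11_generate once keeps behaviour and halves the code. The first branch's app_exit precondition is cut off at the top of the hunk, so it may need to stay separate; cmd_parser starts and ends outside the hunk.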
diff --git a/src/p11tool.h b/src/p11tool.h
index 073bc79ca7..27f52fe7ea 100644
--- a/src/p11tool.h
+++ b/src/p11tool.h
@@ -21,13 +21,12 @@
*/
#ifndef GNUTLS_SRC_P11TOOL_H
-#define GNUTLS_SRC_P11TOOL_H
+# define GNUTLS_SRC_P11TOOL_H
-#include "certtool-common.h"
+# include "certtool-common.h"
void pkcs11_list(FILE * outfile, const char *url, int type,
- unsigned int flags, unsigned int detailed,
- common_info_st *);
+ unsigned int flags, unsigned int detailed, common_info_st *);
void pkcs11_mechanism_list(FILE * outfile, const char *url,
unsigned int flags, common_info_st *);
void pkcs11_get_random(FILE * outfile, const char *url,
@@ -36,12 +35,12 @@ void pkcs11_export(FILE * outfile, const char *pkcs11_url,
unsigned int flags, common_info_st *);
void
pkcs11_export_chain(FILE * outfile, const char *url, unsigned int flags,
- common_info_st * info);
+ common_info_st * info);
void pkcs11_token_list(FILE * outfile, unsigned int detailed,
common_info_st *, unsigned brief);
void pkcs11_test_sign(FILE * outfile, const char *pkcs11_url,
- unsigned int flags, common_info_st *);
+ unsigned int flags, common_info_st *);
void pkcs11_write(FILE * outfile, const char *pkcs11_url,
const char *label, const char *id,
unsigned int flags, common_info_st *);
@@ -49,27 +48,27 @@ void pkcs11_delete(FILE * outfile, const char *pkcs11_url,
unsigned int flags, common_info_st *);
void pkcs11_init(FILE * outfile, const char *pkcs11_url, const char *label,
common_info_st *);
-void pkcs11_set_token_pin(FILE * outfile, const char *pkcs11_url, common_info_st *, unsigned so);
+void pkcs11_set_token_pin(FILE * outfile, const char *pkcs11_url,
+ common_info_st *, unsigned so);
void pkcs11_generate(FILE * outfile, const char *url,
gnutls_pk_algorithm_t type, unsigned int bits,
const char *label, const char *id, int detailed,
unsigned int flags, common_info_st * info);
void pkcs11_export_pubkey(FILE * outfile, const char *url, int detailed,
- unsigned int flags, common_info_st * info);
+ unsigned int flags, common_info_st * info);
void pkcs11_set_id(FILE * outfile, const char *url, int detailed,
- unsigned int flags, common_info_st * info,
- const char *id);
+ unsigned int flags, common_info_st * info, const char *id);
void pkcs11_set_label(FILE * outfile, const char *url, int detailed,
- unsigned int flags, common_info_st * info,
- const char *label);
+ unsigned int flags, common_info_st * info,
+ const char *label);
-#define PKCS11_TYPE_CRT_ALL 1
-#define PKCS11_TYPE_TRUSTED 2
-#define PKCS11_TYPE_PK 3
-#define PKCS11_TYPE_ALL 4
-#define PKCS11_TYPE_PRIVKEY 5
-#define PKCS11_TYPE_INFO 6
+# define PKCS11_TYPE_CRT_ALL 1
+# define PKCS11_TYPE_TRUSTED 2
+# define PKCS11_TYPE_PK 3
+# define PKCS11_TYPE_ALL 4
+# define PKCS11_TYPE_PRIVKEY 5
+# define PKCS11_TYPE_INFO 6
-#endif /* GNUTLS_SRC_P11TOOL_H */
+#endif /* GNUTLS_SRC_P11TOOL_H */
diff --git a/src/pkcs11.c b/src/pkcs11.c
index 0ab956f011..2016d56ec9 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -73,7 +73,6 @@ static char *_saved_url = NULL;
} \
}
-
void
pkcs11_delete(FILE * outfile, const char *url,
unsigned int login_flags, common_info_st * info)
@@ -81,7 +80,8 @@ pkcs11_delete(FILE * outfile, const char *url,
int ret;
unsigned int obj_flags = 0;
- if (login_flags) obj_flags = login_flags;
+ if (login_flags)
+ obj_flags = login_flags;
pkcs11_common(info);
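Review bot: `if (login_flags) obj_flags = login_flags;` is equivalent to an unconditional assignment because `obj_flags` is initialised to 0 on the line above, so the guard only suggests a distinction that does not exist. Initialise directly, `unsigned int obj_flags = login_flags;`, and drop the `if`. pkcs11_delete starts in the previous hunk and continues past this one.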
@@ -110,7 +110,8 @@ pkcs11_delete(FILE * outfile, const char *url,
}
static
-const char *get_key_algo_type(gnutls_pkcs11_obj_type_t otype, const char *objurl, unsigned flags, time_t *exp)
+const char *get_key_algo_type(gnutls_pkcs11_obj_type_t otype,
+ const char *objurl, unsigned flags, time_t * exp)
{
int ret;
gnutls_pubkey_t pubkey = NULL;
@@ -126,96 +127,115 @@ const char *get_key_algo_type(gnutls_pkcs11_obj_type_t otype, const char *objurl
*exp = -1;
switch (otype) {
- case GNUTLS_PKCS11_OBJ_X509_CRT:
- ret = gnutls_x509_crt_init(&crt);
- if (ret < 0)
- goto fail;
-
- ret = gnutls_x509_crt_import_url(crt, objurl, flags);
- if (ret < 0)
- goto fail;
- ret = gnutls_x509_crt_get_pk_algorithm(crt, &bits);
- if (ret < 0)
- goto fail;
- pk = ret;
-
- p = gnutls_pk_get_name(pk);
- if (p) {
- if ((pk == GNUTLS_PK_RSA || pk == GNUTLS_PK_DSA) && bits > 0) {
- snprintf(str, sizeof(str), "%s-%d", p, bits);
- p = str;
- } else if (pk == GNUTLS_PK_ECDSA && gnutls_x509_crt_get_pk_ecc_raw(crt, &curve, NULL, NULL) >= 0) {
- snprintf(str, sizeof(str), "%s-%s", p, gnutls_ecc_curve_get_name(curve));
- p = str;
- }
+ case GNUTLS_PKCS11_OBJ_X509_CRT:
+ ret = gnutls_x509_crt_init(&crt);
+ if (ret < 0)
+ goto fail;
+
+ ret = gnutls_x509_crt_import_url(crt, objurl, flags);
+ if (ret < 0)
+ goto fail;
+ ret = gnutls_x509_crt_get_pk_algorithm(crt, &bits);
+ if (ret < 0)
+ goto fail;
+ pk = ret;
+
+ p = gnutls_pk_get_name(pk);
+ if (p) {
+ if ((pk == GNUTLS_PK_RSA || pk == GNUTLS_PK_DSA)
+ && bits > 0) {
+ snprintf(str, sizeof(str), "%s-%d", p, bits);
+ p = str;
+ } else if (pk == GNUTLS_PK_ECDSA
+ && gnutls_x509_crt_get_pk_ecc_raw(crt,
+ &curve,
+ NULL,
+ NULL) >=
+ 0) {
+ snprintf(str, sizeof(str), "%s-%s", p,
+ gnutls_ecc_curve_get_name(curve));
+ p = str;
}
+ }
- if (exp)
- *exp = gnutls_x509_crt_get_expiration_time(crt);
+ if (exp)
+ *exp = gnutls_x509_crt_get_expiration_time(crt);
- gnutls_x509_crt_deinit(crt);
- return p;
- case GNUTLS_PKCS11_OBJ_PUBKEY:
- ret = gnutls_pubkey_init(&pubkey);
- if (ret < 0)
- goto fail;
-
- ret = gnutls_pubkey_import_url(pubkey, objurl, flags);
- if (ret < 0)
- goto fail;
- ret = gnutls_pubkey_get_pk_algorithm(pubkey, &bits);
- if (ret < 0)
- goto fail;
- pk = ret;
-
- p = gnutls_pk_get_name(pk);
- if (p) {
- if ((pk == GNUTLS_PK_RSA || pk == GNUTLS_PK_DSA) && bits > 0) {
- snprintf(str, sizeof(str), "%s-%d", p, bits);
- p = str;
- } else if (pk == GNUTLS_PK_ECDSA && gnutls_pubkey_export_ecc_raw(pubkey, &curve, NULL, NULL) >= 0) {
- snprintf(str, sizeof(str), "%s-%s", p, gnutls_ecc_curve_get_name(curve));
- p = str;
- }
+ gnutls_x509_crt_deinit(crt);
+ return p;
+ case GNUTLS_PKCS11_OBJ_PUBKEY:
+ ret = gnutls_pubkey_init(&pubkey);
+ if (ret < 0)
+ goto fail;
+
+ ret = gnutls_pubkey_import_url(pubkey, objurl, flags);
+ if (ret < 0)
+ goto fail;
+ ret = gnutls_pubkey_get_pk_algorithm(pubkey, &bits);
+ if (ret < 0)
+ goto fail;
+ pk = ret;
+
+ p = gnutls_pk_get_name(pk);
+ if (p) {
+ if ((pk == GNUTLS_PK_RSA || pk == GNUTLS_PK_DSA)
+ && bits > 0) {
+ snprintf(str, sizeof(str), "%s-%d", p, bits);
+ p = str;
+ } else if (pk == GNUTLS_PK_ECDSA
+ && gnutls_pubkey_export_ecc_raw(pubkey,
+ &curve, NULL,
+ NULL) >= 0) {
+ snprintf(str, sizeof(str), "%s-%s", p,
+ gnutls_ecc_curve_get_name(curve));
+ p = str;
}
+ }
- gnutls_pubkey_deinit(pubkey);
- return p;
- case GNUTLS_PKCS11_OBJ_PRIVKEY:
- ret = gnutls_privkey_init(&privkey);
- if (ret < 0)
- goto fail;
-
- ret = gnutls_privkey_import_url(privkey, objurl, flags);
- if (ret < 0)
- goto fail;
- ret = gnutls_privkey_get_pk_algorithm(privkey, &bits);
- if (ret < 0)
- goto fail;
- pk = ret;
-
- p = gnutls_pk_get_name(pk);
- if (p) {
- if ((pk == GNUTLS_PK_RSA || pk == GNUTLS_PK_DSA) && bits > 0) {
- snprintf(str, sizeof(str), "%s-%d", p, bits);
- p = str;
- } else if (pk == GNUTLS_PK_ECDSA && gnutls_privkey_export_ecc_raw(privkey, &curve, NULL, NULL, NULL) >= 0) {
- snprintf(str, sizeof(str), "%s-%s", p, gnutls_ecc_curve_get_name(curve));
- p = str;
- }
+ gnutls_pubkey_deinit(pubkey);
+ return p;
+ case GNUTLS_PKCS11_OBJ_PRIVKEY:
+ ret = gnutls_privkey_init(&privkey);
+ if (ret < 0)
+ goto fail;
+
+ ret = gnutls_privkey_import_url(privkey, objurl, flags);
+ if (ret < 0)
+ goto fail;
+ ret = gnutls_privkey_get_pk_algorithm(privkey, &bits);
+ if (ret < 0)
+ goto fail;
+ pk = ret;
+
+ p = gnutls_pk_get_name(pk);
+ if (p) {
+ if ((pk == GNUTLS_PK_RSA || pk == GNUTLS_PK_DSA)
+ && bits > 0) {
+ snprintf(str, sizeof(str), "%s-%d", p, bits);
+ p = str;
+ } else if (pk == GNUTLS_PK_ECDSA
+ && gnutls_privkey_export_ecc_raw(privkey,
+ &curve,
+ NULL, NULL,
+ NULL) >=
+ 0) {
+ snprintf(str, sizeof(str), "%s-%s", p,
+ gnutls_ecc_curve_get_name(curve));
+ p = str;
}
+ }
- gnutls_privkey_deinit(privkey);
- return p;
- default:
+ gnutls_privkey_deinit(privkey);
+ return p;
+ default:
fail:
- if (crt)
- gnutls_x509_crt_deinit(crt);
- if (pubkey)
- gnutls_pubkey_deinit(pubkey);
- if (privkey)
- gnutls_privkey_deinit(privkey);
- return NULL;
+ if (crt)
+ gnutls_x509_crt_deinit(crt);
+ if (pubkey)
+ gnutls_pubkey_deinit(pubkey);
+ if (privkey)
+ gnutls_privkey_deinit(privkey);
+ return NULL;
}
}
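Review bot: `snprintf(str, sizeof(str), "%s-%d", p, bits)` formats `bits` with `%d` in all three cases, but `bits` is filled through the `unsigned int *` parameter of gnutls_x509_crt_get_pk_algorithm / gnutls_pubkey_get_pk_algorithm / gnutls_privkey_get_pk_algorithm, so `%u` is the matching conversion. The three case bodies are otherwise the same twenty lines with only the import/deinit/curve-export calls differing, and the commit's reindent makes that duplication very visible; a helper such as `static const char *pk_name_with_size(int pk, unsigned bits, int have_curve, gnutls_ecc_curve_t curve, char *str, size_t len)` called from each case would leave one copy of the naming logic. Note also that `p = str; ... return p;` is only safe if `str` has static storage or is caller-supplied — its declaration is in the preceding hunk and not visible here, so please confirm it is not an automatic array. get_key_algo_type starts in the previous hunk and ends in this one.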
@@ -253,10 +273,11 @@ pkcs11_list(FILE * outfile, const char *url, int type, unsigned int flags,
attrs = GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY;
} else if (type == PKCS11_TYPE_CRT_ALL) {
attrs = GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL;
- if (print_exts != 0) print_exts++;
+ if (print_exts != 0)
+ print_exts++;
} else if (type == PKCS11_TYPE_PRIVKEY) {
attrs = GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY;
- } else { /* also PKCS11_TYPE_INFO */
+ } else { /* also PKCS11_TYPE_INFO */
attrs = GNUTLS_PKCS11_OBJ_ATTR_ALL;
}
@@ -305,7 +326,8 @@ pkcs11_list(FILE * outfile, const char *url, int type, unsigned int flags,
/* copy vendor query (e.g. pin-value) from the original URL */
vendor = strrchr(url, '?');
if (vendor) {
- objurl = gnutls_malloc(strlen(output) + strlen(vendor) + 1);
+ objurl =
+ gnutls_malloc(strlen(output) + strlen(vendor) + 1);
strcpy(objurl, output);
strcat(objurl, vendor);
} else {
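Review bot: the `gnutls_malloc` result is passed straight to strcpy/strcat without a NULL check, so an allocation failure becomes a NULL dereference instead of the error exit the rest of pkcs11_list uses. Add `if (objurl == NULL) { fprintf(stderr, "memory error\n"); app_exit(1); }` after the allocation; computing the length once into a `size_t len` and writing with `snprintf(objurl, len, "%s%s", output, vendor)` would also replace the unbounded strcpy/strcat pair with a bounded call of the same effect. The "copy vendor query" comment should mention that the query string is appended verbatim so the pin-value from the original URL applies to each object URL. pkcs11_list starts and ends outside this hunk.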
@@ -329,7 +351,8 @@ pkcs11_list(FILE * outfile, const char *url, int type, unsigned int flags,
}
if (otype == GNUTLS_PKCS11_OBJ_X509_CRT && exp != -1) {
- fprintf(outfile, "\tExpires: %s\n", simple_ctime(&exp, timebuf));
+ fprintf(outfile, "\tExpires: %s\n",
+ simple_ctime(&exp, timebuf));
}
gnutls_free(output);
@@ -369,8 +392,9 @@ pkcs11_list(FILE * outfile, const char *url, int type, unsigned int flags,
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
fprintf(outfile, "\tID: (too long)\n");
} else {
- fprintf(stderr, "Error in %s:%d: %s\n", __func__,
- __LINE__, gnutls_strerror(ret));
+ fprintf(stderr, "Error in %s:%d: %s\n",
+ __func__, __LINE__,
+ gnutls_strerror(ret));
app_exit(1);
}
} else {
@@ -378,24 +402,36 @@ pkcs11_list(FILE * outfile, const char *url, int type, unsigned int flags,
}
if (otype == GNUTLS_PKCS11_OBJ_X509_CRT && print_exts > 0) {
- ret = gnutls_pkcs11_obj_get_exts(crt_list[i], &exts, &exts_size, 0);
+ ret =
+ gnutls_pkcs11_obj_get_exts(crt_list[i], &exts,
+ &exts_size, 0);
if (ret >= 0 && exts_size > 0) {
gnutls_datum_t txt;
if (print_exts > 1) {
- fprintf(outfile, "\tAttached extensions:\n");
- ret = gnutls_x509_ext_print(exts, exts_size, 0, &txt);
+ fprintf(outfile,
+ "\tAttached extensions:\n");
+ ret =
+ gnutls_x509_ext_print(exts,
+ exts_size, 0,
+ &txt);
if (ret >= 0) {
- fprintf(outfile, "%s", (char*)txt.data);
+ fprintf(outfile, "%s",
+ (char *)txt.data);
gnutls_free(txt.data);
}
} else {
- fprintf(outfile, "\tAttached extensions:");
- for (j=0;j<exts_size;j++) {
- fprintf(outfile, "%s%s", exts[j].oid, (j!=exts_size-1)?",":" ");
+ fprintf(outfile,
+ "\tAttached extensions:");
+ for (j = 0; j < exts_size; j++) {
+ fprintf(outfile, "%s%s",
+ exts[j].oid,
+ (j !=
+ exts_size -
+ 1) ? "," : " ");
}
}
- for (j=0;j<exts_size;j++) {
+ for (j = 0; j < exts_size; j++) {
gnutls_x509_ext_deinit(&exts[j]);
}
gnutls_free(exts);
@@ -416,12 +452,12 @@ pkcs11_list(FILE * outfile, const char *url, int type, unsigned int flags,
void
pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags,
- common_info_st * info)
+ common_info_st * info)
{
gnutls_privkey_t privkey;
gnutls_pubkey_t pubkey;
int ret;
- gnutls_datum_t data, sig = {NULL, 0};
+ gnutls_datum_t data, sig = { NULL, 0 };
int pk;
gnutls_digest_algorithm_t hash;
gnutls_sign_algorithm_t sig_algo;
@@ -430,8 +466,8 @@ pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags,
FIX(url, outfile, 0, info);
- data.data = (void*)TEST_DATA;
- data.size = sizeof(TEST_DATA)-1;
+ data.data = (void *)TEST_DATA;
+ data.size = sizeof(TEST_DATA) - 1;
ret = gnutls_privkey_init(&privkey);
if (ret < 0) {
@@ -454,7 +490,9 @@ pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags,
app_exit(1);
}
- ret = gnutls_pubkey_import_privkey(pubkey, privkey, GNUTLS_KEY_DIGITAL_SIGNATURE, flags);
+ ret =
+ gnutls_pubkey_import_privkey(pubkey, privkey,
+ GNUTLS_KEY_DIGITAL_SIGNATURE, flags);
if (ret < 0) {
fprintf(stderr, "Cannot import public key: %s\n",
gnutls_strerror(ret));
@@ -473,7 +511,8 @@ pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags,
sig_algo = gnutls_pk_to_sign(pk, hash);
if (sig_algo == GNUTLS_SIGN_UNKNOWN) {
- fprintf(stderr, "No supported signature algorithm for %s and %s\n",
+ fprintf(stderr,
+ "No supported signature algorithm for %s and %s\n",
gnutls_pk_get_name(pk), gnutls_digest_get_name(hash));
app_exit(1);
}
@@ -482,8 +521,7 @@ pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags,
ret = gnutls_privkey_sign_data2(privkey, sig_algo, 0, &data, &sig);
if (ret < 0) {
- fprintf(stderr, "Cannot sign data: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "Cannot sign data: %s\n", gnutls_strerror(ret));
/* in case of unsupported signature algorithm allow
* calling apps to distinguish error codes (used
* by testpkcs11.sh */
@@ -495,8 +533,7 @@ pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags,
fprintf(stderr, "ok\n");
fprintf(stderr, "Verifying against private key parameters... ");
- ret = gnutls_pubkey_verify_data2(pubkey, sig_algo,
- 0, &data, &sig);
+ ret = gnutls_pubkey_verify_data2(pubkey, sig_algo, 0, &data, &sig);
if (ret < 0) {
fprintf(stderr, "Cannot verify signed data: %s\n",
gnutls_strerror(ret));
@@ -516,7 +553,8 @@ pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags,
ret = gnutls_pubkey_import_url(pubkey, url, flags);
if (ret < 0) {
- fprintf(stderr, "Cannot find a corresponding public key object in token: %s\n",
+ fprintf(stderr,
+ "Cannot find a corresponding public key object in token: %s\n",
gnutls_strerror(ret));
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
app_exit(0);
@@ -524,8 +562,7 @@ pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags,
}
fprintf(stderr, "Verifying against public key in the token... ");
- ret = gnutls_pubkey_verify_data2(pubkey, sig_algo,
- 0, &data, &sig);
+ ret = gnutls_pubkey_verify_data2(pubkey, sig_algo, 0, &data, &sig);
if (ret < 0) {
fprintf(stderr, "Cannot verify signed data: %s\n",
gnutls_strerror(ret));
@@ -570,7 +607,7 @@ pkcs11_export(FILE * outfile, const char *url, unsigned int flags,
ret = gnutls_pkcs11_obj_export3(obj, info->outcert_format, &t);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
- __LINE__, gnutls_strerror(ret));
+ __LINE__, gnutls_strerror(ret));
app_exit(1);
}
@@ -588,7 +625,7 @@ pkcs11_export(FILE * outfile, const char *url, unsigned int flags,
void
pkcs11_export_chain(FILE * outfile, const char *url, unsigned int flags,
- common_info_st * info)
+ common_info_st * info)
{
gnutls_pkcs11_obj_t obj;
gnutls_x509_crt_t xcrt;
@@ -625,14 +662,14 @@ pkcs11_export_chain(FILE * outfile, const char *url, unsigned int flags,
ret = gnutls_x509_crt_import_pkcs11(xcrt, obj);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
- __LINE__, gnutls_strerror(ret));
+ __LINE__, gnutls_strerror(ret));
app_exit(1);
}
ret = gnutls_pkcs11_obj_export3(obj, GNUTLS_X509_FMT_PEM, &t);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
- __LINE__, gnutls_strerror(ret));
+ __LINE__, gnutls_strerror(ret));
app_exit(1);
}
fwrite(t.data, 1, t.size, outfile);
@@ -642,12 +679,14 @@ pkcs11_export_chain(FILE * outfile, const char *url, unsigned int flags,
gnutls_pkcs11_obj_deinit(obj);
do {
- ret = gnutls_pkcs11_get_raw_issuer(url, xcrt, &t, GNUTLS_X509_FMT_PEM, 0);
+ ret =
+ gnutls_pkcs11_get_raw_issuer(url, xcrt, &t,
+ GNUTLS_X509_FMT_PEM, 0);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
break;
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
- __LINE__, gnutls_strerror(ret));
+ __LINE__, gnutls_strerror(ret));
app_exit(1);
}
@@ -659,14 +698,14 @@ pkcs11_export_chain(FILE * outfile, const char *url, unsigned int flags,
ret = gnutls_x509_crt_init(&xcrt);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
- __LINE__, gnutls_strerror(ret));
+ __LINE__, gnutls_strerror(ret));
app_exit(1);
}
ret = gnutls_x509_crt_import(xcrt, &t, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
- __LINE__, gnutls_strerror(ret));
+ __LINE__, gnutls_strerror(ret));
app_exit(1);
}
@@ -678,7 +717,7 @@ pkcs11_export_chain(FILE * outfile, const char *url, unsigned int flags,
break;
}
- } while(1);
+ } while (1);
UNFIX;
return;
@@ -709,7 +748,7 @@ char *get_single_token_url(common_info_st * info)
}
static
-void print_type(FILE *outfile, unsigned flags)
+void print_type(FILE * outfile, unsigned flags)
{
unsigned print = 0;
@@ -927,13 +966,14 @@ pkcs11_token_list(FILE * outfile, unsigned int detailed,
return;
}
-static void find_same_pubkey_with_id(const char *url, gnutls_x509_crt_t crt, gnutls_datum_t *cid, unsigned flags)
+static void find_same_pubkey_with_id(const char *url, gnutls_x509_crt_t crt,
+ gnutls_datum_t * cid, unsigned flags)
{
gnutls_pkcs11_obj_t *obj_list;
unsigned int obj_list_size = 0, i;
int ret;
- gnutls_datum_t praw = {NULL, 0};
- gnutls_datum_t praw2 = {NULL, 0};
+ gnutls_datum_t praw = { NULL, 0 };
+ gnutls_datum_t praw2 = { NULL, 0 };
gnutls_pubkey_t pubkey;
uint8_t buf[128];
size_t size;
@@ -948,7 +988,8 @@ static void find_same_pubkey_with_id(const char *url, gnutls_x509_crt_t crt, gnu
ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
if (ret < 0) {
- fprintf(stderr, "error: cannot import public key from certificate\n");
+ fprintf(stderr,
+ "error: cannot import public key from certificate\n");
gnutls_pubkey_deinit(pubkey);
return;
}
@@ -962,7 +1003,9 @@ static void find_same_pubkey_with_id(const char *url, gnutls_x509_crt_t crt, gnu
ret =
gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,
- url, GNUTLS_PKCS11_OBJ_FLAG_PUBKEY|flags);
+ url,
+ GNUTLS_PKCS11_OBJ_FLAG_PUBKEY |
+ flags);
if (ret < 0) {
fprintf(stderr, "Error in obj_list_import (1): %s\n",
gnutls_strerror(ret));
@@ -979,9 +1022,7 @@ static void find_same_pubkey_with_id(const char *url, gnutls_x509_crt_t crt, gnu
if (otype != GNUTLS_PKCS11_OBJ_PUBKEY)
goto cont;
- ret =
- gnutls_pkcs11_obj_export_url(obj_list[i], 0,
- &purl);
+ ret = gnutls_pkcs11_obj_export_url(obj_list[i], 0, &purl);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
@@ -990,21 +1031,24 @@ static void find_same_pubkey_with_id(const char *url, gnutls_x509_crt_t crt, gnu
ret = gnutls_pkcs11_obj_export2(obj_list[i], &praw2);
if (ret < 0) {
- fprintf(stderr, "error: cannot export object: %s\n", purl);
+ fprintf(stderr, "error: cannot export object: %s\n",
+ purl);
goto cont;
}
- if (praw2.size == praw.size && memcmp(praw2.data, praw.data, praw.size) == 0) {
+ if (praw2.size == praw.size
+ && memcmp(praw2.data, praw.data, praw.size) == 0) {
/* found - now extract the CKA_ID */
size = sizeof(buf);
ret =
gnutls_pkcs11_obj_get_info(obj_list[i],
- GNUTLS_PKCS11_OBJ_ID,
- buf, &size);
+ GNUTLS_PKCS11_OBJ_ID,
+ buf, &size);
if (ret < 0) {
- fprintf(stderr, "Error in %s:%d: %s\n", __func__,
- __LINE__, gnutls_strerror(ret));
+ fprintf(stderr, "Error in %s:%d: %s\n",
+ __func__, __LINE__,
+ gnutls_strerror(ret));
app_exit(1);
}
@@ -1030,13 +1074,14 @@ static void find_same_pubkey_with_id(const char *url, gnutls_x509_crt_t crt, gnu
return;
}
-static void find_same_privkey_with_id(const char *url, gnutls_x509_crt_t crt, gnutls_datum_t *cid, unsigned flags)
+static void find_same_privkey_with_id(const char *url, gnutls_x509_crt_t crt,
+ gnutls_datum_t * cid, unsigned flags)
{
gnutls_pkcs11_obj_t *obj_list;
unsigned int obj_list_size = 0, i;
int ret;
- gnutls_datum_t praw = {NULL, 0};
- gnutls_datum_t praw2 = {NULL, 0};
+ gnutls_datum_t praw = { NULL, 0 };
+ gnutls_datum_t praw2 = { NULL, 0 };
gnutls_pubkey_t pubkey;
gnutls_privkey_t privkey;
uint8_t buf[128];
@@ -1052,7 +1097,8 @@ static void find_same_privkey_with_id(const char *url, gnutls_x509_crt_t crt, gn
ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
if (ret < 0) {
- fprintf(stderr, "error: cannot import public key from certificate\n");
+ fprintf(stderr,
+ "error: cannot import public key from certificate\n");
gnutls_pubkey_deinit(pubkey);
return;
}
@@ -1066,7 +1112,9 @@ static void find_same_privkey_with_id(const char *url, gnutls_x509_crt_t crt, gn
ret =
gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,
- url, GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY|flags);
+ url,
+ GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY |
+ flags);
if (ret < 0) {
fprintf(stderr, "Error in obj_list_import (1): %s\n",
gnutls_strerror(ret));
@@ -1085,9 +1133,7 @@ static void find_same_privkey_with_id(const char *url, gnutls_x509_crt_t crt, gn
if (otype != GNUTLS_PKCS11_OBJ_PRIVKEY)
goto cont;
- ret =
- gnutls_pkcs11_obj_export_url(obj_list[i], 0,
- &purl);
+ ret = gnutls_pkcs11_obj_export_url(obj_list[i], 0, &purl);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
@@ -1102,11 +1148,13 @@ static void find_same_privkey_with_id(const char *url, gnutls_x509_crt_t crt, gn
ret = gnutls_privkey_import_url(privkey, purl, 0);
if (ret < 0) {
- fprintf(stderr, "error: cannot import key: %s: %s\n", purl, gnutls_strerror(ret));
+ fprintf(stderr, "error: cannot import key: %s: %s\n",
+ purl, gnutls_strerror(ret));
goto cont;
}
- if (gnutls_privkey_get_pk_algorithm(privkey, NULL) != GNUTLS_PK_RSA) {
+ if (gnutls_privkey_get_pk_algorithm(privkey, NULL) !=
+ GNUTLS_PK_RSA) {
/* it is not possible to obtain parameters from non-RSA private keys in PKCS#11 */
goto cont;
}
@@ -1119,28 +1167,34 @@ static void find_same_privkey_with_id(const char *url, gnutls_x509_crt_t crt, gn
ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0);
if (ret < 0) {
- fprintf(stderr, "error: cannot import key parameters for '%s': %s\n", purl, gnutls_strerror(ret));
+ fprintf(stderr,
+ "error: cannot import key parameters for '%s': %s\n",
+ purl, gnutls_strerror(ret));
goto cont;
}
- ret = gnutls_pubkey_export2(pubkey, GNUTLS_X509_FMT_DER, &praw2);
+ ret =
+ gnutls_pubkey_export2(pubkey, GNUTLS_X509_FMT_DER, &praw2);
if (ret < 0) {
- fprintf(stderr, "error: cannot export pubkey '%s': %s\n", purl, gnutls_strerror(ret));
+ fprintf(stderr,
+ "error: cannot export pubkey '%s': %s\n", purl,
+ gnutls_strerror(ret));
goto cont;
}
-
- if (praw2.size == praw.size && memcmp(praw2.data, praw.data, praw.size) == 0) {
+ if (praw2.size == praw.size
+ && memcmp(praw2.data, praw.data, praw.size) == 0) {
/* found - now extract the CKA_ID */
size = sizeof(buf);
ret =
gnutls_pkcs11_obj_get_info(obj_list[i],
- GNUTLS_PKCS11_OBJ_ID,
- buf, &size);
+ GNUTLS_PKCS11_OBJ_ID,
+ buf, &size);
if (ret < 0) {
- fprintf(stderr, "Error in %s:%d: %s\n", __func__,
- __LINE__, gnutls_strerror(ret));
+ fprintf(stderr, "Error in %s:%d: %s\n",
+ __func__, __LINE__,
+ gnutls_strerror(ret));
app_exit(1);
}
@@ -1181,7 +1235,7 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
unsigned key_usage = 0;
unsigned char raw_id[128];
size_t raw_id_size;
- gnutls_datum_t cid = {NULL, 0};
+ gnutls_datum_t cid = { NULL, 0 };
pkcs11_common(info);
@@ -1189,14 +1243,17 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
CHECK_LOGIN_FLAG(url, flags);
if (label == NULL && info->batch == 0) {
- label = read_str("warning: The object's label was not specified.\nLabel: ");
+ label =
+ read_str
+ ("warning: The object's label was not specified.\nLabel: ");
}
if (id != NULL) {
raw_id_size = sizeof(raw_id);
ret = gnutls_hex2bin(id, strlen(id), raw_id, &raw_id_size);
if (ret < 0) {
- fprintf(stderr, "Error converting hex: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error converting hex: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
cid.data = raw_id;
@@ -1219,7 +1276,9 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
xcrt = load_cert(0, info);
if (xcrt != NULL) {
- if (cid.data == NULL && !(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_CA) && !(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED)) {
+ if (cid.data == NULL
+ && !(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_CA)
+ && !(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED)) {
gnutls_datum_t hex;
/* attempting to discover public keys matching this one,
* and if yes, re-use their ID. We don't do it for CAs (trusted/distrusted
@@ -1229,38 +1288,53 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
find_same_pubkey_with_id(url, xcrt, &cid, 0);
if (cid.data == NULL && KEEP_LOGIN_FLAGS(flags))
- find_same_pubkey_with_id(url, xcrt, &cid, KEEP_LOGIN_FLAGS(flags));
+ find_same_pubkey_with_id(url, xcrt, &cid,
+ KEEP_LOGIN_FLAGS
+ (flags));
if (cid.data) {
ret = gnutls_hex_encode2(&cid, &hex);
if (ret < 0) {
- fprintf(stderr, "Error converting hex: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "Error converting hex: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
- fprintf(stderr, "note: will re-use ID %s from corresponding public key\n", hex.data);
+ fprintf(stderr,
+ "note: will re-use ID %s from corresponding public key\n",
+ hex.data);
gnutls_free(hex.data);
- } else { /* no luck, try to get a corresponding private key */
- find_same_privkey_with_id(url, xcrt, &cid, KEEP_LOGIN_FLAGS(flags));
+ } else { /* no luck, try to get a corresponding private key */
+ find_same_privkey_with_id(url, xcrt, &cid,
+ KEEP_LOGIN_FLAGS
+ (flags));
if (cid.data) {
ret = gnutls_hex_encode2(&cid, &hex);
if (ret < 0) {
- fprintf(stderr, "Error converting hex: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "Error converting hex: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
- fprintf(stderr, "note: will re-use ID %s from corresponding private key\n", hex.data);
+ fprintf(stderr,
+ "note: will re-use ID %s from corresponding private key\n",
+ hex.data);
gnutls_free(hex.data);
}
}
}
- ret = gnutls_pkcs11_copy_x509_crt2(url, xcrt, label, &cid, flags);
+ ret =
+ gnutls_pkcs11_copy_x509_crt2(url, xcrt, label, &cid, flags);
if (ret < 0) {
- fprintf(stderr, "Error writing certificate: %s\n", gnutls_strerror(ret));
- if (((flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_CA) ||
- (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)) &&
- (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO) == 0)
- fprintf(stderr, "note: some tokens may require security officer login for this operation\n");
+ fprintf(stderr, "Error writing certificate: %s\n",
+ gnutls_strerror(ret));
+ if (((flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_CA)
+ || (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED))
+ && (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO) == 0)
+ fprintf(stderr,
+ "note: some tokens may require security officer login for this operation\n");
app_exit(1);
}
@@ -1272,7 +1346,9 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
if (xkey != NULL) {
ret =
gnutls_pkcs11_copy_x509_privkey2(url, xkey, label,
- &cid, key_usage|info->key_usage,
+ &cid,
+ key_usage |
+ info->key_usage,
flags |
GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE);
if (ret < 0) {
@@ -1287,8 +1363,7 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
if (xpubkey != NULL) {
ret =
gnutls_pkcs11_copy_pubkey(url, xpubkey, label,
- &cid,
- 0, flags);
+ &cid, 0, flags);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
@@ -1297,7 +1372,8 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
gnutls_pubkey_deinit(xpubkey);
}
- if (xkey == NULL && xcrt == NULL && secret_key == NULL && xpubkey == NULL) {
+ if (xkey == NULL && xcrt == NULL && secret_key == NULL
+ && xpubkey == NULL) {
fprintf(stderr,
"You must use --load-privkey, --load-certificate, --load-pubkey or --secret-key to load the file to be copied\n");
app_exit(1);
@@ -1315,7 +1391,7 @@ pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t pk,
{
int ret;
gnutls_datum_t pubkey;
- gnutls_datum_t cid = {NULL, 0};
+ gnutls_datum_t cid = { NULL, 0 };
unsigned char raw_id[128];
size_t raw_id_size;
@@ -1329,7 +1405,8 @@ pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t pk,
raw_id_size = sizeof(raw_id);
ret = gnutls_hex2bin(id, strlen(id), raw_id, &raw_id_size);
if (ret < 0) {
- fprintf(stderr, "Error converting hex: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error converting hex: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
cid.data = raw_id;
@@ -1337,7 +1414,8 @@ pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t pk,
}
if (outfile == stderr || outfile == stdout) {
- fprintf(stderr, "warning: no --outfile was specified and the generated public key will be printed on screen.\n");
+ fprintf(stderr,
+ "warning: no --outfile was specified and the generated public key will be printed on screen.\n");
}
if (label == NULL && info->batch == 0) {
@@ -1350,7 +1428,8 @@ pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t pk,
gnutls_pkcs11_privkey_generate3(url, pk, bits, label, &cid,
GNUTLS_X509_FMT_PEM, &pubkey,
info->key_usage,
- flags|GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE);
+ flags |
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror(ret));
@@ -1368,7 +1447,8 @@ pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t pk,
}
void
-pkcs11_export_pubkey(FILE * outfile, const char *url, int detailed, unsigned int flags, common_info_st * info)
+pkcs11_export_pubkey(FILE * outfile, const char *url, int detailed,
+ unsigned int flags, common_info_st * info)
{
int ret;
gnutls_datum_t pubkey;
@@ -1381,7 +1461,8 @@ pkcs11_export_pubkey(FILE * outfile, const char *url, int detailed, unsigned int
CHECK_LOGIN_FLAG(url, flags);
if (outfile == stderr || outfile == stdout) {
- fprintf(stderr, "warning: no --outfile was specified and the public key will be printed on screen.\n");
+ fprintf(stderr,
+ "warning: no --outfile was specified and the public key will be printed on screen.\n");
sleep(3);
}
@@ -1432,7 +1513,8 @@ pkcs11_init(FILE * outfile, const char *url, const char *label,
}
if (label == NULL) {
- fprintf(stderr, "error: no label provided for token initialization!\n");
+ fprintf(stderr,
+ "error: no label provided for token initialization!\n");
app_exit(1);
}
@@ -1441,7 +1523,8 @@ pkcs11_init(FILE * outfile, const char *url, const char *label,
} else {
getenv_copy(so_pin, sizeof(so_pin), "GNUTLS_SO_PIN");
if (so_pin[0] == 0 && info->batch == 0)
- getpass_copy(so_pin, sizeof(so_pin), "Enter Security Officer's PIN: ");
+ getpass_copy(so_pin, sizeof(so_pin),
+ "Enter Security Officer's PIN: ");
if (so_pin[0] == 0)
app_exit(1);
}
@@ -1458,13 +1541,15 @@ pkcs11_init(FILE * outfile, const char *url, const char *label,
}
fprintf(stderr, "done\n");
- fprintf(stderr, "\nToken was successfully initialized; use --initialize-pin and --initialize-so-pin to set or reset PINs\n");
+ fprintf(stderr,
+ "\nToken was successfully initialized; use --initialize-pin and --initialize-so-pin to set or reset PINs\n");
return;
}
void
-pkcs11_set_token_pin(FILE * outfile, const char *url, common_info_st * info, unsigned so)
+pkcs11_set_token_pin(FILE * outfile, const char *url, common_info_st * info,
+ unsigned so)
{
int ret;
char newpin[MAX_PIN_LEN] = "";
@@ -1484,7 +1569,8 @@ pkcs11_set_token_pin(FILE * outfile, const char *url, common_info_st * info, uns
if (so) {
getenv_copy(newpin, sizeof(newpin), "GNUTLS_NEW_SO_PIN");
if (newpin[0] == 0 && info->batch == 0) {
- getpass_copy(newpin, sizeof(newpin), "Enter Administrators's new PIN: ");
+ getpass_copy(newpin, sizeof(newpin),
+ "Enter Administrators's new PIN: ");
}
} else {
if (info->pin != NULL) {
@@ -1492,7 +1578,8 @@ pkcs11_set_token_pin(FILE * outfile, const char *url, common_info_st * info, uns
} else {
getenv_copy(newpin, sizeof(newpin), "GNUTLS_PIN");
if (newpin[0] == 0 && info->batch == 0)
- getpass_copy(newpin, sizeof(newpin), "Enter User's new PIN: ");
+ getpass_copy(newpin, sizeof(newpin),
+ "Enter User's new PIN: ");
}
}
@@ -1501,7 +1588,10 @@ pkcs11_set_token_pin(FILE * outfile, const char *url, common_info_st * info, uns
app_exit(1);
}
- ret = gnutls_pkcs11_token_set_pin(url, NULL, newpin, (so!=0)?GNUTLS_PIN_SO:GNUTLS_PIN_USER);
+ ret =
+ gnutls_pkcs11_token_set_pin(url, NULL, newpin,
+ (so !=
+ 0) ? GNUTLS_PIN_SO : GNUTLS_PIN_USER);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror(ret));
@@ -1529,9 +1619,7 @@ pkcs11_mechanism_list(FILE * outfile, const char *url, unsigned int flags,
idx = 0;
do {
- ret =
- gnutls_pkcs11_token_get_mechanism(url, idx++,
- &mechanism);
+ ret = gnutls_pkcs11_token_get_mechanism(url, idx++, &mechanism);
if (ret >= 0) {
str = NULL;
if (mechanism <
@@ -1542,9 +1630,13 @@ pkcs11_mechanism_list(FILE * outfile, const char *url, unsigned int flags,
fprintf(outfile, "[0x%.4lx] %s", mechanism, str);
- if (gnutls_pkcs11_token_check_mechanism(url, mechanism, &minfo, sizeof(minfo), 0) != 0) {
+ if (gnutls_pkcs11_token_check_mechanism
+ (url, mechanism, &minfo, sizeof(minfo), 0) != 0) {
if (minfo.ulMaxKeySize != 0)
- fprintf(outfile, " keysize range (%ld, %ld)", minfo.ulMinKeySize, minfo.ulMaxKeySize);
+ fprintf(outfile,
+ " keysize range (%ld, %ld)",
+ minfo.ulMinKeySize,
+ minfo.ulMaxKeySize);
if (minfo.flags & CKF_HW)
printf(" hw");
if (minfo.flags & CKF_ENCRYPT)
@@ -1601,7 +1693,6 @@ pkcs11_mechanism_list(FILE * outfile, const char *url, unsigned int flags,
}
while (ret >= 0);
-
return;
}
@@ -1637,8 +1728,8 @@ pkcs11_get_random(FILE * outfile, const char *url, unsigned bytes,
static
void pkcs11_set_val(FILE * outfile, const char *url, int detailed,
- unsigned int flags, common_info_st * info,
- gnutls_pkcs11_obj_info_t val_type, const char *val)
+ unsigned int flags, common_info_st * info,
+ gnutls_pkcs11_obj_info_t val_type, const char *val)
{
int ret;
gnutls_pkcs11_obj_t obj;
@@ -1676,15 +1767,16 @@ void pkcs11_set_val(FILE * outfile, const char *url, int detailed,
}
void pkcs11_set_id(FILE * outfile, const char *url, int detailed,
- unsigned int flags, common_info_st * info,
- const char *id)
+ unsigned int flags, common_info_st * info, const char *id)
{
- pkcs11_set_val(outfile, url, detailed, flags, info, GNUTLS_PKCS11_OBJ_ID_HEX, id);
+ pkcs11_set_val(outfile, url, detailed, flags, info,
+ GNUTLS_PKCS11_OBJ_ID_HEX, id);
}
void pkcs11_set_label(FILE * outfile, const char *url, int detailed,
- unsigned int flags, common_info_st * info,
- const char *label)
+ unsigned int flags, common_info_st * info,
+ const char *label)
{
- pkcs11_set_val(outfile, url, detailed, flags, info, GNUTLS_PKCS11_OBJ_LABEL, label);
+ pkcs11_set_val(outfile, url, detailed, flags, info,
+ GNUTLS_PKCS11_OBJ_LABEL, label);
}
diff --git a/src/psk.c b/src/psk.c
index 17cc076b8a..dd96036869 100644
--- a/src/psk.c
+++ b/src/psk.c
@@ -24,7 +24,7 @@
#ifndef ENABLE_PSK
-#include <stdio.h>
+# include <stdio.h>
int main(int argc, char **argv)
{
@@ -34,43 +34,43 @@ int main(int argc, char **argv)
#else
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <gnutls/gnutls.h>
-#include "psktool-options.h"
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+# include <errno.h>
+# include <gnutls/gnutls.h>
+# include "psktool-options.h"
-#include <gnutls/crypto.h> /* for random */
+# include <gnutls/crypto.h> /* for random */
-#include <stdbool.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+# include <stdbool.h>
+# include <sys/types.h>
+# include <sys/stat.h>
-#ifndef _WIN32
-#include <pwd.h>
-#include <unistd.h>
-#else
-#include <windows.h>
-#endif
+# ifndef _WIN32
+# include <pwd.h>
+# include <unistd.h>
+# else
+# include <windows.h>
+# endif
/* Gnulib portability files. */
-#include <minmax.h>
-#include "close-stream.h"
-#include "getpass.h"
-#include "xsize.h"
+# include <minmax.h>
+# include "close-stream.h"
+# include "getpass.h"
+# include "xsize.h"
static int write_key(const char *username,
const unsigned char *key, size_t key_size,
const char *passwd_file);
-#define MAX_KEY_SIZE 512
+# define MAX_KEY_SIZE 512
int main(int argc, char **argv)
{
int ret;
-#ifndef _WIN32
+# ifndef _WIN32
struct passwd *pwd;
-#endif
+# endif
unsigned char key[MAX_KEY_SIZE];
size_t key_size;
const char *passwd, *username;
@@ -91,7 +91,7 @@ int main(int argc, char **argv)
passwd = OPT_ARG(PSKFILE);
if (!HAVE_OPT(USERNAME)) {
-#ifndef _WIN32
+# ifndef _WIN32
pwd = getpwuid(getuid());
if (pwd == NULL) {
@@ -100,10 +100,10 @@ int main(int argc, char **argv)
}
username = pwd->pw_name;
-#else
+# else
fprintf(stderr, "Please specify a user\n");
return -1;
-#endif
+# endif
} else
username = OPT_ARG(USERNAME);
@@ -119,7 +119,7 @@ int main(int argc, char **argv)
printf("Generating a random key for user '%s'\n", username);
- ret = gnutls_rnd(GNUTLS_RND_RANDOM, (char *) key, key_size);
+ ret = gnutls_rnd(GNUTLS_RND_RANDOM, (char *)key, key_size);
if (ret < 0) {
fprintf(stderr, "Not enough randomness\n");
exit(1);
@@ -201,8 +201,7 @@ write_key(const char *username, const unsigned char *key, size_t key_size,
fp = fopen(passwd_file, "w");
if (fp == NULL) {
- fprintf(stderr, "Cannot open '%s' for write\n",
- passwd_file);
+ fprintf(stderr, "Cannot open '%s' for write\n", passwd_file);
(void)remove(tmpname);
return -1;
}
@@ -276,9 +275,8 @@ write_key(const char *username, const unsigned char *key, size_t key_size,
if (pp == NULL)
continue;
- if (strncmp(p, (const char *) _username.data,
- MAX(_username.size,
- (unsigned int) (pp - p))) == 0) {
+ if (strncmp(p, (const char *)_username.data,
+ MAX(_username.size, (unsigned int)(pp - p))) == 0) {
put = true;
fprintf(fp, "%s:%s\n", _username.data, _key.data);
} else {
diff --git a/src/serv.c b/src/serv.c
index d798356bbd..640ed2ab57 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -134,16 +134,14 @@ const int ssl_session_cache = 2048;
static void wrap_db_init(void);
static void wrap_db_deinit(void);
-static int wrap_db_store(void *dbf, gnutls_datum_t key,
- gnutls_datum_t data);
+static int wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data);
static gnutls_datum_t wrap_db_fetch(void *dbf, gnutls_datum_t key);
static int wrap_db_delete(void *dbf, gnutls_datum_t key);
-static int anti_replay_db_add(void *dbf, time_t exp, const gnutls_datum_t *key,
- const gnutls_datum_t *data);
+static int anti_replay_db_add(void *dbf, time_t exp, const gnutls_datum_t * key,
+ const gnutls_datum_t * data);
static void cmd_parser(int argc, char **argv);
-
#define HTTP_STATE_REQUEST 1
#define HTTP_STATE_RESPONSE 2
#define HTTP_STATE_CLOSING 3
@@ -174,7 +172,7 @@ static const char *safe_strerror(int value)
static void listener_free(const void *elt)
{
- listener_item *j = (listener_item *)elt;
+ listener_item *j = (listener_item *) elt;
free(j->http_request);
free(j->http_response);
@@ -187,7 +185,6 @@ static void listener_free(const void *elt)
}
}
-
/* we use primes up to 1024 in this server.
* otherwise we should add them here.
*/
@@ -197,9 +194,8 @@ gnutls_rsa_params_t rsa_params = NULL;
static int generate_dh_primes(void)
{
- int prime_bits =
- gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
- GNUTLS_SEC_PARAM_MEDIUM);
+ int prime_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
+ GNUTLS_SEC_PARAM_MEDIUM);
if (gnutls_dh_params_init(&dh_params) < 0) {
fprintf(stderr, "Error in dh parameter initialization\n");
@@ -248,7 +244,7 @@ static void read_dh_params(void)
tmpdata[size] = 0;
fclose(fp);
- params.data = (unsigned char *) tmpdata;
+ params.data = (unsigned char *)tmpdata;
params.size = size;
size =
@@ -288,19 +284,24 @@ static gl_list_t listener_list;
static int cert_verify_callback(gnutls_session_t session)
{
-listener_item * j = gnutls_session_get_ptr(session);
-unsigned int size;
-int ret;
+ listener_item *j = gnutls_session_get_ptr(session);
+ unsigned int size;
+ int ret;
if (gnutls_auth_get_type(session) == GNUTLS_CRD_CERTIFICATE) {
- if (!require_cert && gnutls_certificate_get_peers(session, &size) == NULL)
+ if (!require_cert
+ && gnutls_certificate_get_peers(session, &size) == NULL)
return 0;
if (ENABLED_OPT(VERIFY_CLIENT_CERT)) {
if (cert_verify(session, NULL, NULL) == 0) {
do {
- ret = gnutls_alert_send(session, GNUTLS_AL_FATAL, GNUTLS_A_ACCESS_DENIED);
- } while(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
+ ret =
+ gnutls_alert_send(session,
+ GNUTLS_AL_FATAL,
+ GNUTLS_A_ACCESS_DENIED);
+ } while (ret == GNUTLS_E_INTERRUPTED
+ || ret == GNUTLS_E_AGAIN);
j->http_state = HTTP_STATE_CLOSING;
return -1;
@@ -315,8 +316,7 @@ int ret;
/* callback used to verify if the host name advertised in client hello matches
* the one configured in server
*/
-static int
-post_client_hello(gnutls_session_t session)
+static int post_client_hello(gnutls_session_t session)
{
int ret;
/* DNS names (only type supported) may be at most 256 byte long */
@@ -329,7 +329,7 @@ post_client_hello(gnutls_session_t session)
if (name == NULL)
return GNUTLS_E_MEMORY_ERROR;
- for (i=0; ; ) {
+ for (i = 0;;) {
ret = gnutls_server_name_get(session, name, &len, &type, i);
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
char *new_name;
@@ -339,7 +339,7 @@ post_client_hello(gnutls_session_t session)
goto end;
}
name = new_name;
- continue; /* retry call with same index */
+ continue; /* retry call with same index */
}
/* check if it is the last entry in list */
@@ -362,7 +362,8 @@ post_client_hello(gnutls_session_t session)
};
/* when there is no extension, we can't send the extension specific alert */
if (i == 0) {
- fprintf(stderr, "Warning: client did not include SNI extension, using default host\n");
+ fprintf(stderr,
+ "Warning: client did not include SNI extension, using default host\n");
ret = GNUTLS_E_SUCCESS;
goto end;
}
@@ -384,7 +385,7 @@ post_client_hello(gnutls_session_t session)
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
/* continue handshake, fall through */
-end:
+ end:
free(name);
return ret;
}
@@ -400,7 +401,8 @@ gnutls_session_t initialize_session(int dtls)
gnutls_datum_t alpn[MAX_ALPN_PROTOCOLS];
#endif
unsigned alpn_size;
- unsigned flags = GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH | GNUTLS_ENABLE_RAWPK;
+ unsigned flags =
+ GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH | GNUTLS_ENABLE_RAWPK;
if (dtls)
flags |= GNUTLS_DATAGRAM;
@@ -414,8 +416,7 @@ gnutls_session_t initialize_session(int dtls)
*/
gnutls_handshake_set_private_extensions(session, 1);
- gnutls_handshake_set_timeout(session,
- GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
+ gnutls_handshake_set_timeout(session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
if (nodb == 0) {
gnutls_db_set_retrieve_function(session, wrap_db_fetch);
@@ -431,9 +432,13 @@ gnutls_session_t initialize_session(int dtls)
if (earlydata) {
gnutls_anti_replay_enable(session, anti_replay);
if (HAVE_OPT(MAXEARLYDATA)) {
- ret = gnutls_record_set_max_early_data_size(session, OPT_VALUE_MAXEARLYDATA);
+ ret =
+ gnutls_record_set_max_early_data_size(session,
+ OPT_VALUE_MAXEARLYDATA);
if (ret < 0) {
- fprintf(stderr, "Could not set max early data size: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "Could not set max early data size: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
}
@@ -446,7 +451,8 @@ gnutls_session_t initialize_session(int dtls)
if (priorities == NULL) {
ret = gnutls_set_default_priority(session);
if (ret < 0) {
- fprintf(stderr, "Could not set default policy: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Could not set default policy: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
} else {
@@ -463,15 +469,19 @@ gnutls_session_t initialize_session(int dtls)
exit(1);
}
#else
- alpn_size = MIN(MAX_ALPN_PROTOCOLS,alpn_protos_size);
- for (i=0;i<alpn_size;i++) {
- alpn[i].data = (void*)alpn_protos[i];
+ alpn_size = MIN(MAX_ALPN_PROTOCOLS, alpn_protos_size);
+ for (i = 0; i < alpn_size; i++) {
+ alpn[i].data = (void *)alpn_protos[i];
alpn[i].size = strlen(alpn_protos[i]);
}
- ret = gnutls_alpn_set_protocols(session, alpn, alpn_size, HAVE_OPT(ALPN_FATAL)?GNUTLS_ALPN_MANDATORY:0);
+ ret =
+ gnutls_alpn_set_protocols(session, alpn, alpn_size,
+ HAVE_OPT(ALPN_FATAL) ?
+ GNUTLS_ALPN_MANDATORY : 0);
if (ret < 0) {
- fprintf(stderr, "Error setting ALPN protocols: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "Error setting ALPN protocols: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
#endif
@@ -488,7 +498,7 @@ gnutls_session_t initialize_session(int dtls)
if (cert_cred != NULL) {
gnutls_certificate_set_verify_function(cert_cred,
- cert_verify_callback);
+ cert_verify_callback);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
cert_cred);
@@ -540,14 +550,15 @@ gnutls_session_t initialize_session(int dtls)
else if (ret != 0)
fprintf(stderr, "Error in profiles: %s\n",
gnutls_strerror(ret));
- else fprintf(stderr,"DTLS profile set to %s\n",
- OPT_ARG(SRTP_PROFILES));
+ else
+ fprintf(stderr, "DTLS profile set to %s\n",
+ OPT_ARG(SRTP_PROFILES));
- if (ret != 0) exit(1);
+ if (ret != 0)
+ exit(1);
}
#endif
-
return session;
}
@@ -591,7 +602,8 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length,
return http_buffer;
}
- if (gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT) == GNUTLS_CRT_X509) {
+ if (gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT) ==
+ GNUTLS_CRT_X509) {
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
@@ -612,7 +624,7 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length,
const char post[] = "</PRE><P><PRE>";
char *crtinfo_new;
size_t ncrtinfo_new;
-
+
ncrtinfo_new = xsum3(ncrtinfo, info.size,
sizeof(post));
if (size_overflow_p(ncrtinfo_new)) {
@@ -628,8 +640,7 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length,
memcpy(crtinfo + ncrtinfo, info.data,
info.size);
ncrtinfo += info.size;
- memcpy(crtinfo + ncrtinfo, post,
- strlen(post));
+ memcpy(crtinfo + ncrtinfo, post, strlen(post));
ncrtinfo += strlen(post);
crtinfo[ncrtinfo] = '\0';
gnutls_free(info.data);
@@ -694,12 +705,10 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length,
}
#endif
-
/* print session information */
strcat(http_buffer, "<P>\n");
- tmp =
- gnutls_protocol_get_name(version);
+ tmp = gnutls_protocol_get_name(version);
if (tmp == NULL)
tmp = str_unknown;
snprintf(tmp_buffer, tmp_buffer_size,
@@ -709,16 +718,18 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length,
desc = gnutls_session_get_desc(session);
if (desc) {
snprintf(tmp_buffer, tmp_buffer_size,
- "<TR><TD>Description:</TD><TD>%s</TD></TR>\n",
- desc);
+ "<TR><TD>Description:</TD><TD>%s</TD></TR>\n", desc);
gnutls_free(desc);
}
if (gnutls_auth_get_type(session) == GNUTLS_CRD_CERTIFICATE &&
- gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT) != GNUTLS_CRT_X509) {
+ gnutls_certificate_type_get2(session,
+ GNUTLS_CTYPE_CLIENT) !=
+ GNUTLS_CRT_X509) {
tmp =
gnutls_certificate_type_get_name
- (gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT));
+ (gnutls_certificate_type_get2
+ (session, GNUTLS_CTYPE_CLIENT));
if (tmp == NULL)
tmp = str_unknown;
snprintf(tmp_buffer, tmp_buffer_size,
@@ -749,7 +760,9 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length,
}
#endif
- tmp = gnutls_compression_get_name(gnutls_compression_get(session));
+ tmp =
+ gnutls_compression_get_name(gnutls_compression_get
+ (session));
if (tmp == NULL)
tmp = str_unknown;
snprintf(tmp_buffer, tmp_buffer_size,
@@ -761,8 +774,7 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length,
if (tmp == NULL)
tmp = str_unknown;
snprintf(tmp_buffer, tmp_buffer_size,
- "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR>\n",
- tmp);
+ "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR>\n", tmp);
}
tmp = gnutls_cipher_get_name(gnutls_cipher_get(session));
@@ -777,8 +789,7 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length,
snprintf(tmp_buffer, tmp_buffer_size,
"<TR><TD>MAC</TD><TD>%s</TD></TR>\n", tmp);
- snprintf(tmp_buffer, tmp_buffer_size,
- "</TABLE></P>\n");
+ snprintf(tmp_buffer, tmp_buffer_size, "</TABLE></P>\n");
if (crtinfo) {
snprintf(tmp_buffer, tmp_buffer_size,
@@ -821,9 +832,7 @@ static char *peer_print_data(gnutls_session_t session, int *ret_length)
ret = asprintf(&http_buffer,
"HTTP/1.0 200 OK\r\n"
"Content-Type: application/octet-stream\r\n"
- "Content-Length: %u\r\n"
- "\r\n",
- data.size);
+ "Content-Length: %u\r\n" "\r\n", data.size);
if (ret < 0)
return NULL;
len = ret;
@@ -861,8 +870,7 @@ const char *human_addr(const struct sockaddr *sa, socklen_t salen,
buf += l;
buflen -= l;
- if (getnameinfo(sa, salen, buf, buflen, NULL, 0, NI_NUMERICHOST) !=
- 0) {
+ if (getnameinfo(sa, salen, buf, buflen, NULL, 0, NI_NUMERICHOST) != 0) {
return "(error)";
}
@@ -877,8 +885,7 @@ const char *human_addr(const struct sockaddr *sa, socklen_t salen,
buf += 6;
buflen -= 6;
- if (getnameinfo(sa, salen, NULL, 0, buf, buflen, NI_NUMERICSERV) !=
- 0) {
+ if (getnameinfo(sa, salen, NULL, 0, buf, buflen, NI_NUMERICSERV) != 0) {
snprintf(buf, buflen, "%s", " unknown");
}
@@ -945,8 +952,7 @@ int listen_socket(const char *name, int listen_port, int socktype)
hints.ai_flags = AI_PASSIVE;
if ((s = getaddrinfo(NULL, portname, &hints, &res)) != 0) {
- fprintf(stderr, "getaddrinfo() failed: %s\n",
- gai_strerror(s));
+ fprintf(stderr, "getaddrinfo() failed: %s\n", gai_strerror(s));
return -1;
}
@@ -968,26 +974,25 @@ int listen_socket(const char *name, int listen_port, int socktype)
}
if ((news = socket(ptr->ai_family, ptr->ai_socktype,
- ptr->ai_protocol)) < 0) {
+ ptr->ai_protocol)) < 0) {
perror("socket() failed");
continue;
}
- s = news; /* to not overwrite existing s from previous loops */
+ s = news; /* to not overwrite existing s from previous loops */
#if defined(HAVE_IPV6) && !defined(_WIN32)
if (ptr->ai_family == AF_INET6) {
yes = 1;
/* avoid listen on ipv6 addresses failing
* because already listening on ipv4 addresses: */
(void)setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
- (const void *) &yes, sizeof(yes));
+ (const void *)&yes, sizeof(yes));
}
#endif
if (socktype == SOCK_STREAM) {
yes = 1;
if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
- (const void *) &yes,
- sizeof(yes)) < 0) {
+ (const void *)&yes, sizeof(yes)) < 0) {
perror("setsockopt() failed");
close(s);
continue;
@@ -996,14 +1001,12 @@ int listen_socket(const char *name, int listen_port, int socktype)
#if defined(IP_DONTFRAG)
yes = 1;
if (setsockopt(s, IPPROTO_IP, IP_DONTFRAG,
- (const void *) &yes,
- sizeof(yes)) < 0)
+ (const void *)&yes, sizeof(yes)) < 0)
perror("setsockopt(IP_DF) failed");
#elif defined(IP_MTU_DISCOVER)
yes = IP_PMTUDISC_DO;
if (setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER,
- (const void *) &yes,
- sizeof(yes)) < 0)
+ (const void *)&yes, sizeof(yes)) < 0)
perror("setsockopt(IP_DF) failed");
#endif
}
@@ -1046,8 +1049,7 @@ static void strip(char *data)
int len = strlen(data);
for (i = 0; i < len; i++) {
- if (data[i] == '\r' && data[i + 1] == '\n'
- && data[i + 2] == 0) {
+ if (data[i] == '\r' && data[i + 1] == '\n' && data[i + 2] == 0) {
data[i] = '\n';
data[i + 1] = 0;
break;
@@ -1079,7 +1081,8 @@ get_response(gnutls_session_t session, char *request,
if (http != 0) {
if (http_data_file == NULL)
- *response = peer_print_info(session, response_length, h);
+ *response =
+ peer_print_info(session, response_length, h);
else
*response = peer_print_data(session, response_length);
} else {
@@ -1107,15 +1110,17 @@ get_response(gnutls_session_t session, char *request,
} else {
*response = NULL;
do {
- ret = gnutls_alert_send_appropriate(session, ret);
- } while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ ret =
+ gnutls_alert_send_appropriate(session, ret);
+ } while (ret == GNUTLS_E_AGAIN
+ || ret == GNUTLS_E_INTERRUPTED);
return 0;
}
}
return 1;
- unimplemented:
+ unimplemented:
*response = strdup(HTTP_UNIMPLEMENTED);
if (*response == NULL)
return 0;
@@ -1123,7 +1128,7 @@ get_response(gnutls_session_t session, char *request,
return 1;
}
-static void terminate(int sig) __attribute__ ((__noreturn__));
+static void terminate(int sig) __attribute__((__noreturn__));
static void terminate(int sig)
{
@@ -1142,7 +1147,6 @@ static void terminate(int sig)
_exit(1);
}
-
static void check_alert(gnutls_session_t session, int ret)
{
if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED
@@ -1188,8 +1192,7 @@ int main(int argc, char **argv)
sockets_init();
listener_list = gl_list_create_empty(GL_LINKED_LIST,
- NULL, NULL, listener_free,
- true);
+ NULL, NULL, listener_free, true);
if (nodb == 0)
wrap_db_init();
@@ -1221,8 +1224,7 @@ int main(int argc, char **argv)
gnutls_strerror(ret));
else {
ret =
- gnutls_pkcs11_add_provider(OPT_ARG(PROVIDER),
- NULL);
+ gnutls_pkcs11_add_provider(OPT_ARG(PROVIDER), NULL);
if (ret < 0) {
fprintf(stderr, "pkcs11_add_provider: %s",
gnutls_strerror(ret));
@@ -1254,8 +1256,7 @@ int main(int argc, char **argv)
if (x509_cafile != NULL) {
if ((ret = gnutls_certificate_set_x509_trust_file
(cert_cred, x509_cafile, x509ctype)) < 0) {
- fprintf(stderr, "Error reading '%s'\n",
- x509_cafile);
+ fprintf(stderr, "Error reading '%s'\n", x509_cafile);
GERR(ret);
exit(1);
} else {
@@ -1265,8 +1266,7 @@ int main(int argc, char **argv)
if (x509_crlfile != NULL) {
if ((ret = gnutls_certificate_set_x509_crl_file
(cert_cred, x509_crlfile, x509ctype)) < 0) {
- fprintf(stderr, "Error reading '%s'\n",
- x509_crlfile);
+ fprintf(stderr, "Error reading '%s'\n", x509_crlfile);
GERR(ret);
exit(1);
} else {
@@ -1277,31 +1277,35 @@ int main(int argc, char **argv)
if (x509_certfile_size > 0 && x509_keyfile_size > 0) {
for (i = 0; i < x509_certfile_size; i++) {
ret = gnutls_certificate_set_x509_key_file
- (cert_cred, x509_certfile[i], x509_keyfile[i], x509ctype);
+ (cert_cred, x509_certfile[i], x509_keyfile[i],
+ x509ctype);
if (ret < 0) {
fprintf(stderr,
- "Error reading '%s' or '%s'\n",
- x509_certfile[i], x509_keyfile[i]);
+ "Error reading '%s' or '%s'\n",
+ x509_certfile[i], x509_keyfile[i]);
GERR(ret);
exit(1);
} else
cert_set = 1;
}
}
-
+
/* Raw public-key credentials */
if (rawpk_file_size > 0 && rawpk_keyfile_size > 0) {
for (i = 0; i < rawpk_keyfile_size; i++) {
- ret = gnutls_certificate_set_rawpk_key_file(cert_cred, rawpk_file[i],
- rawpk_keyfile[i],
- x509ctype,
- NULL, 0, NULL, 0,
- 0, 0);
+ ret =
+ gnutls_certificate_set_rawpk_key_file(cert_cred,
+ rawpk_file[i],
+ rawpk_keyfile
+ [i],
+ x509ctype,
+ NULL, 0, NULL,
+ 0, 0, 0);
if (ret < 0) {
- fprintf(stderr, "Error reading '%s' or '%s'\n",
- rawpk_file[i], rawpk_keyfile[i]);
- GERR(ret);
- exit(1);
+ fprintf(stderr, "Error reading '%s' or '%s'\n",
+ rawpk_file[i], rawpk_keyfile[i]);
+ GERR(ret);
+ exit(1);
} else {
cert_set = 1;
}
@@ -1312,25 +1316,24 @@ int main(int argc, char **argv)
fprintf(stderr,
"Warning: no private key and certificate pairs were set.\n");
}
-
#ifndef ENABLE_OCSP
if (HAVE_OPT(IGNORE_OCSP_RESPONSE_ERRORS) || ocsp_responses_size != 0) {
fprintf(stderr, "OCSP is not supported!\n");
- exit(1);
+ exit(1);
}
#else
/* OCSP status-request TLS extension */
if (HAVE_OPT(IGNORE_OCSP_RESPONSE_ERRORS))
- gnutls_certificate_set_flags(cert_cred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
+ gnutls_certificate_set_flags(cert_cred,
+ GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
- for (i = 0; i < ocsp_responses_size; i++ ) {
+ for (i = 0; i < ocsp_responses_size; i++) {
ret = gnutls_certificate_set_ocsp_status_request_file
(cert_cred, ocsp_responses[i], 0);
if (ret < 0) {
fprintf(stderr,
"Cannot set OCSP status request file: %s: %s\n",
- ocsp_responses[i],
- gnutls_strerror(ret));
+ ocsp_responses[i], gnutls_strerror(ret));
exit(1);
}
}
@@ -1338,9 +1341,13 @@ int main(int argc, char **argv)
if (use_static_dh_params) {
#if defined(ENABLE_DHE) || defined(ENABLE_ANON)
- ret = gnutls_certificate_set_known_dh_params(cert_cred, GNUTLS_SEC_PARAM_MEDIUM);
+ ret =
+ gnutls_certificate_set_known_dh_params(cert_cred,
+ GNUTLS_SEC_PARAM_MEDIUM);
if (ret < 0) {
- fprintf(stderr, "Error while setting DH parameters: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "Error while setting DH parameters: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
#else
@@ -1365,8 +1372,7 @@ int main(int argc, char **argv)
< 0) {
/* only exit is this function is not disabled
*/
- fprintf(stderr,
- "Error while setting SRP parameters\n");
+ fprintf(stderr, "Error while setting SRP parameters\n");
GERR(ret);
}
}
@@ -1380,12 +1386,10 @@ int main(int argc, char **argv)
if ((ret =
gnutls_psk_set_server_credentials_file(psk_cred,
- psk_passwd)) <
- 0) {
+ psk_passwd)) < 0) {
/* only exit is this function is not disabled
*/
- fprintf(stderr,
- "Error while setting PSK parameters\n");
+ fprintf(stderr, "Error while setting PSK parameters\n");
GERR(ret);
}
@@ -1401,9 +1405,13 @@ int main(int argc, char **argv)
}
if (use_static_dh_params) {
- ret = gnutls_psk_set_server_known_dh_params(psk_cred, GNUTLS_SEC_PARAM_MEDIUM);
+ ret =
+ gnutls_psk_set_server_known_dh_params(psk_cred,
+ GNUTLS_SEC_PARAM_MEDIUM);
if (ret < 0) {
- fprintf(stderr, "Error while setting DH parameters: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "Error while setting DH parameters: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
} else {
@@ -1417,9 +1425,13 @@ int main(int argc, char **argv)
gnutls_anon_allocate_server_credentials(&dh_cred);
if (use_static_dh_params) {
- ret = gnutls_anon_set_server_known_dh_params(dh_cred, GNUTLS_SEC_PARAM_MEDIUM);
+ ret =
+ gnutls_anon_set_server_known_dh_params(dh_cred,
+ GNUTLS_SEC_PARAM_MEDIUM);
if (ret < 0) {
- fprintf(stderr, "Error while setting DH parameters: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "Error while setting DH parameters: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
} else {
@@ -1433,10 +1445,13 @@ int main(int argc, char **argv)
if (earlydata) {
ret = gnutls_anti_replay_init(&anti_replay);
if (ret < 0) {
- fprintf(stderr, "Error while initializing anti-replay: %s\n", gnutls_strerror(ret));
+ fprintf(stderr,
+ "Error while initializing anti-replay: %s\n",
+ gnutls_strerror(ret));
exit(1);
}
- gnutls_anti_replay_set_add_function(anti_replay, anti_replay_db_add);
+ gnutls_anti_replay_set_add_function(anti_replay,
+ anti_replay_db_add);
gnutls_anti_replay_set_ptr(anti_replay, NULL);
}
@@ -1458,7 +1473,7 @@ int main(int argc, char **argv)
return 0;
}
-static void retry_handshake(listener_item *j)
+static void retry_handshake(listener_item * j)
{
int r, ret;
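Review bot: The reformatted signature `static void retry_handshake(listener_item * j)` detaches the `*` from the parameter name, which reads as a binary operator and goes against the rest of this file (`char *data`, `const struct sockaddr *sa`), presumably because the indenter does not recognise the `listener_item` typedef. The same spacing appears in `try_rehandshake` at L9755 and in the `anti_replay_db_add` prototype at L9169-L9170 (`const gnutls_datum_t * key`). Suggest keeping the declarator bound to the name, `static void retry_handshake(listener_item *j)`, and the equivalent for the other two, or teaching the formatter the typedef names so the style stays consistent across the file.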
@@ -1476,17 +1491,16 @@ static void retry_handshake(listener_item *j)
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
j->close_ok = 0;
} else if (r == 0) {
- if (gnutls_session_is_resumed(j->tls_session) != 0 && verbose != 0)
+ if (gnutls_session_is_resumed(j->tls_session) != 0
+ && verbose != 0)
printf("*** This is a resumed session\n");
if (verbose != 0) {
#if 0
printf("- connection from %s\n",
- human_addr((struct sockaddr *)
- &client_address,
- calen,
- topbuf,
- sizeof(topbuf)));
+ human_addr((struct sockaddr *)
+ &client_address,
+ calen, topbuf, sizeof(topbuf)));
#endif
print_info(j->tls_session, verbose, verbose);
@@ -1504,7 +1518,7 @@ static void retry_handshake(listener_item *j)
}
}
-static void try_rehandshake(listener_item *j)
+static void try_rehandshake(listener_item * j)
{
int r, ret;
fprintf(stderr, "*** Received hello message\n");
@@ -1517,7 +1531,8 @@ static void try_rehandshake(listener_item *j)
do {
ret = gnutls_alert_send_appropriate(j->tls_session, r);
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
- fprintf(stderr, "Error in rehandshake: %s\n", gnutls_strerror(r));
+ fprintf(stderr, "Error in rehandshake: %s\n",
+ gnutls_strerror(r));
j->http_state = HTTP_STATE_CLOSING;
} else {
j->close_ok = 1;
@@ -1558,20 +1573,20 @@ static void tcp_server(const char *name, int port)
/* flag which connections we are reading or writing to within the fd sets */
iter = gl_list_iterator(listener_list);
while (gl_list_iterator_next(&iter, &elt, &node)) {
- listener_item *j = (listener_item *)elt;
+ listener_item *j = (listener_item *) elt;
#ifndef _WIN32
val = fcntl(j->fd, F_GETFL, 0);
if ((val == -1)
- || (fcntl(j->fd, F_SETFL, val | O_NONBLOCK) <
- 0)) {
+ || (fcntl(j->fd, F_SETFL, val | O_NONBLOCK) < 0)) {
perror("fcntl()");
exit(1);
}
#endif
if (j->start != 0 && now - j->start > 30) {
if (verbose != 0) {
- fprintf(stderr, "Scheduling inactive connection for close\n");
+ fprintf(stderr,
+ "Scheduling inactive connection for close\n");
}
j->http_state = HTTP_STATE_CLOSING;
}
@@ -1606,16 +1621,14 @@ static void tcp_server(const char *name, int port)
/* read or write to each connection as indicated by select()'s return argument */
iter = gl_list_iterator(listener_list);
while (gl_list_iterator_next(&iter, &elt, &node)) {
- listener_item *j = (listener_item *)elt;
+ listener_item *j = (listener_item *) elt;
/* a new connection has arrived */
if (FD_ISSET(j->fd, &rd) && j->listen_socket) {
calen = sizeof(client_address);
memset(&client_address, 0, calen);
- accept_fd =
- accept(j->fd,
- (struct sockaddr *)
- &client_address, &calen);
+ accept_fd = accept(j->fd, (struct sockaddr *)
+ &client_address, &calen);
if (accept_fd < 0) {
perror("accept()");
@@ -1628,14 +1641,14 @@ static void tcp_server(const char *name, int port)
/* new list entry for the connection */
jj = xzalloc(sizeof(*jj));
gl_list_add_last(accepted_list, jj);
- jj->http_request =
- (char *) strdup("");
+ jj->http_request = (char *)strdup("");
jj->http_state = HTTP_STATE_REQUEST;
jj->fd = accept_fd;
jj->start = tt;
jj->tls_session = initialize_session(0);
- gnutls_session_set_ptr(jj->tls_session, jj);
+ gnutls_session_set_ptr(jj->tls_session,
+ jj);
gnutls_transport_set_int
(jj->tls_session, accept_fd);
set_read_funcs(jj->tls_session);
@@ -1643,27 +1656,26 @@ static void tcp_server(const char *name, int port)
jj->close_ok = 0;
if (verbose != 0) {
- ctt = simple_ctime(&tt, timebuf);
+ ctt =
+ simple_ctime(&tt, timebuf);
ctt[strlen(ctt) - 1] = 0;
printf
("\n* Accepted connection from %s on %s\n",
human_addr((struct
- sockaddr
- *)
+ sockaddr *)
&client_address,
calen,
topbuf,
sizeof
- (topbuf)),
- ctt);
+ (topbuf)), ctt);
}
}
}
if (FD_ISSET(j->fd, &rd) && !j->listen_socket) {
/* read partial GET request */
- char buf[16*1024];
+ char buf[16 * 1024];
int r;
if (j->handshake_ok == 0) {
@@ -1673,12 +1685,10 @@ static void tcp_server(const char *name, int port)
if (j->handshake_ok == 1) {
int earlydata_read = 0;
if (earlydata && !j->earlydata_eof) {
- r = gnutls_record_recv_early_data(j->
- tls_session,
- buf,
- MIN(sizeof(buf),
- SMALL_READ_TEST));
- if (r == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ r = gnutls_record_recv_early_data(j->tls_session, buf, MIN(sizeof(buf), SMALL_READ_TEST));
+ if (r ==
+ GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ {
j->earlydata_eof = 1;
}
if (r == 0) {
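Review bot: The new line `r = gnutls_record_recv_early_data(j->tls_session, buf, MIN(sizeof(buf), SMALL_READ_TEST));` is left unwrapped at well over 100 columns, while every other statement in this hunk and the `gnutls_record_recv` call in the following hunk are broken at the 80-column limit. Since the whole point of the commit is a consistent indentation, suggest wrapping it the same way as its sibling: `r = gnutls_record_recv_early_data` / `(j->tls_session, buf,` / `MIN(sizeof(buf), SMALL_READ_TEST));`. The enclosing `tcp_server` body starts and ends outside this hunk.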
@@ -1686,52 +1696,62 @@ static void tcp_server(const char *name, int port)
}
}
if (!earlydata_read) {
- r = gnutls_record_recv(j->
- tls_session,
- buf,
- MIN(sizeof(buf),
- SMALL_READ_TEST));
+ r = gnutls_record_recv
+ (j->tls_session, buf,
+ MIN(sizeof(buf),
+ SMALL_READ_TEST));
}
- if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN) {
+ if (r == GNUTLS_E_INTERRUPTED
+ || r == GNUTLS_E_AGAIN) {
/* do nothing */
} else if (r <= 0) {
- if (r == GNUTLS_E_HEARTBEAT_PING_RECEIVED) {
- gnutls_heartbeat_pong(j->tls_session, 0);
- } else if (r == GNUTLS_E_REHANDSHAKE) {
+ if (r ==
+ GNUTLS_E_HEARTBEAT_PING_RECEIVED)
+ {
+ gnutls_heartbeat_pong
+ (j->tls_session, 0);
+ } else if (r ==
+ GNUTLS_E_REHANDSHAKE)
+ {
try_rehandshake(j);
} else {
- j->http_state = HTTP_STATE_CLOSING;
+ j->http_state =
+ HTTP_STATE_CLOSING;
if (r < 0) {
int ret;
- check_alert(j->tls_session, r);
+ check_alert
+ (j->tls_session,
+ r);
fprintf(stderr,
- "Error while receiving data\n");
+ "Error while receiving data\n");
do {
- ret = gnutls_alert_send_appropriate(j->tls_session, r);
- } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ ret =
+ gnutls_alert_send_appropriate
+ (j->tls_session,
+ r);
+ } while (ret ==
+ GNUTLS_E_AGAIN
+ || ret
+ ==
+ GNUTLS_E_INTERRUPTED);
GERR(r);
j->close_ok = 0;
}
}
} else {
j->http_request =
- realloc(j->
- http_request,
- j->
- request_length
+ realloc(j->http_request,
+ j->request_length
+ r + 1);
- if (j->http_request !=
- NULL) {
- memcpy(j->
- http_request
+ if (j->http_request != NULL) {
+ memcpy(j->http_request
+
j->
request_length,
buf, r);
- j->request_length
- += r;
- j->http_request[j->
- request_length]
+ j->request_length += r;
+ j->http_request
+ [j->request_length]
= '\0';
} else {
j->http_state =
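Review bot: The re-indented `j->http_request = realloc(j->http_request, j->request_length + r + 1);` still assigns the result straight back to the only pointer holding the buffer, so when `realloc` fails the original request buffer is lost and `j->http_request` becomes NULL while the connection is moved to the closing state; the later cleanup path is outside this hunk, but it cannot free a buffer it no longer points to. Suggest the usual two-step form, `char *grown = realloc(j->http_request, j->request_length + r + 1);` followed by `if (grown != NULL) { j->http_request = grown; ... }`, keeping the existing `else` branch for the failure case. The enclosing `tcp_server` body starts and ends outside this hunk.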
@@ -1741,31 +1761,27 @@ static void tcp_server(const char *name, int port)
/* check if we have a full HTTP header */
j->http_response = NULL;
- if (j->http_state == HTTP_STATE_REQUEST && j->http_request != NULL) {
+ if (j->http_state == HTTP_STATE_REQUEST
+ && j->http_request != NULL) {
if ((http == 0
- && strchr(j->
- http_request,
+ && strchr(j->http_request,
'\n'))
- || strstr(j->
- http_request,
+ || strstr(j->http_request,
"\r\n\r\n")
- || strstr(j->
- http_request,
+ || strstr(j->http_request,
"\n\n")) {
- if (get_response(j->
- tls_session,
- j->
- http_request,
- &j->
- http_response,
- &j->
- response_length)) {
+ if (get_response
+ (j->tls_session,
+ j->http_request,
+ &j->http_response,
+ &j->
+ response_length)) {
j->http_state =
HTTP_STATE_RESPONSE;
- j->response_written
- = 0;
+ j->response_written = 0;
} else {
- j->http_state = HTTP_STATE_CLOSING;
+ j->http_state =
+ HTTP_STATE_CLOSING;
}
}
}
@@ -1780,43 +1796,51 @@ static void tcp_server(const char *name, int port)
retry_handshake(j);
}
- if (j->handshake_ok == 1 && j->http_response == NULL) {
+ if (j->handshake_ok == 1
+ && j->http_response == NULL) {
j->http_state = HTTP_STATE_CLOSING;
- } else if (j->handshake_ok == 1 && j->http_response != NULL) {
+ } else if (j->handshake_ok == 1
+ && j->http_response != NULL) {
r = gnutls_record_send(j->tls_session,
j->http_response
+
j->response_written,
- MIN(j->response_length
- -
- j->response_written,
- SMALL_READ_TEST));
- if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN) {
+ MIN
+ (j->response_length
+ -
+ j->response_written,
+ SMALL_READ_TEST));
+ if (r == GNUTLS_E_INTERRUPTED
+ || r == GNUTLS_E_AGAIN) {
/* do nothing */
} else if (r <= 0) {
- j->http_state = HTTP_STATE_CLOSING;
+ j->http_state =
+ HTTP_STATE_CLOSING;
if (r < 0) {
fprintf(stderr,
"Error while sending data\n");
GERR(r);
}
- check_alert(j->tls_session,
- r);
+ check_alert(j->tls_session, r);
} else {
j->response_written += r;
/* check if we have written a complete response */
if (j->response_written ==
j->response_length) {
if (http != 0)
- j->http_state = HTTP_STATE_CLOSING;
+ j->http_state =
+ HTTP_STATE_CLOSING;
else {
- j->http_state = HTTP_STATE_REQUEST;
+ j->http_state =
+ HTTP_STATE_REQUEST;
free(j->
http_response);
- j->http_response = NULL;
+ j->http_response
+ = NULL;
j->response_length = 0;
j->request_length = 0;
- j->http_request[0] = 0;
+ j->http_request
+ [0] = 0;
}
}
}
@@ -1849,7 +1873,6 @@ static void tcp_server(const char *name, int port)
gl_list_free(accepted_list);
}
-
gnutls_certificate_free_credentials(cert_cred);
#ifdef ENABLE_SRP
@@ -1937,16 +1960,17 @@ static void cmd_parser(int argc, char **argv)
}
if (x509_certfile_size != x509_keyfile_size) {
- fprintf(stderr, "The certificate number provided (%u) doesn't match the keys (%u)\n",
+ fprintf(stderr,
+ "The certificate number provided (%u) doesn't match the keys (%u)\n",
x509_certfile_size, x509_keyfile_size);
- exit(1);
+ exit(1);
}
if (HAVE_OPT(X509CAFILE))
x509_cafile = OPT_ARG(X509CAFILE);
if (HAVE_OPT(X509CRLFILE))
x509_crlfile = OPT_ARG(X509CRLFILE);
-
+
if (HAVE_OPT(RAWPKKEYFILE)) {
rawpk_keyfile = STACKLST_OPT(RAWPKKEYFILE);
rawpk_keyfile_size = STACKCT_OPT(RAWPKKEYFILE);
@@ -1958,9 +1982,10 @@ static void cmd_parser(int argc, char **argv)
}
if (rawpk_file_size != rawpk_keyfile_size) {
- fprintf(stderr, "The number of raw public-keys provided (%u) doesn't match the number of corresponding private keys (%u)\n",
+ fprintf(stderr,
+ "The number of raw public-keys provided (%u) doesn't match the number of corresponding private keys (%u)\n",
rawpk_file_size, rawpk_keyfile_size);
- exit(1);
+ exit(1);
}
if (HAVE_OPT(SRPPASSWD))
@@ -2016,8 +2041,7 @@ static void wrap_db_deinit(void)
free(cache_db);
}
-static int
-wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data)
+static int wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data)
{
int i;
time_t now = time(0);
@@ -2034,15 +2058,15 @@ wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data)
for (i = 0; i < cache_db_ptr; i++)
if (cache_db[i].session_id_size == 0 ||
!(now <
- gnutls_db_check_entry_expire_time(&cache_db[i].
+ gnutls_db_check_entry_expire_time(&cache_db
+ [i].
session_data)))
break;
if (i == cache_db_ptr) {
/* try to allocate additional slots */
if (cache_db_ptr == ssl_session_cache) {
- fprintf(stderr,
- "Error: too many sessions\n");
+ fprintf(stderr, "Error: too many sessions\n");
return GNUTLS_E_DB_ERROR;
}
cache_db_alloc = cache_db_alloc * 2 + 1;
@@ -2062,8 +2086,7 @@ wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data)
/* resize the data slot if needed */
if (cache_db[i].session_data.size < data.size) {
cache_db[i].session_data.data =
- realloc(cache_db[i].session_data.data,
- data.size);
+ realloc(cache_db[i].session_data.data, data.size);
if (!cache_db[i].session_data.data)
return GNUTLS_E_MEMORY_ERROR;
}
@@ -2083,8 +2106,9 @@ static gnutls_datum_t wrap_db_fetch(void *dbf, gnutls_datum_t key)
if (key.size == cache_db[i].session_id_size &&
memcmp(key.data, cache_db[i].session_id,
key.size) == 0 &&
- now < gnutls_db_check_entry_expire_time(&cache_db[i].
- session_data)) {
+ now <
+ gnutls_db_check_entry_expire_time(&cache_db
+ [i].session_data)) {
res.size = cache_db[i].session_data.size;
res.data = malloc(res.size);
@@ -2106,8 +2130,7 @@ static int wrap_db_delete(void *dbf, gnutls_datum_t key)
for (i = 0; i < cache_db_ptr; i++) {
if (key.size == cache_db[i].session_id_size &&
- memcmp(key.data, cache_db[i].session_id,
- key.size) == 0) {
+ memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
cache_db[i].session_id_size = 0;
free(cache_db[i].session_data.data);
@@ -2122,7 +2145,8 @@ static int wrap_db_delete(void *dbf, gnutls_datum_t key)
}
static int
-anti_replay_db_add(void *dbf, time_t exp, const gnutls_datum_t *key, const gnutls_datum_t *data)
+anti_replay_db_add(void *dbf, time_t exp, const gnutls_datum_t * key,
+ const gnutls_datum_t * data)
{
time_t now = time(0);
int i;
@@ -2131,8 +2155,9 @@ anti_replay_db_add(void *dbf, time_t exp, const gnutls_datum_t *key, const gnutl
if (key->size == cache_db[i].session_id_size &&
memcmp(key->data, cache_db[i].session_id,
key->size) == 0 &&
- now < gnutls_db_check_entry_expire_time(&cache_db[i].
- session_data))
+ now <
+ gnutls_db_check_entry_expire_time(&cache_db
+ [i].session_data))
return GNUTLS_E_DB_ENTRY_EXISTS;
}
diff --git a/src/socket.c b/src/socket.c
index 36ac292700..3a6993553e 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -21,9 +21,9 @@
#include <config.h>
#if HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
+# include <sys/socket.h>
#elif HAVE_WS2TCPIP_H
-#include <ws2tcpip.h>
+# include <ws2tcpip.h>
#endif
#include <netdb.h>
#include <string.h>
@@ -49,8 +49,7 @@
/* Functions to manipulate sockets
*/
-ssize_t
-socket_recv(const socket_st * socket, void *buffer, int buffer_size)
+ssize_t socket_recv(const socket_st * socket, void *buffer, int buffer_size)
{
int ret;
@@ -75,7 +74,8 @@ socket_recv(const socket_st * socket, void *buffer, int buffer_size)
}
ssize_t
-socket_recv_timeout(const socket_st * socket, void *buffer, int buffer_size, unsigned ms)
+socket_recv_timeout(const socket_st * socket, void *buffer, int buffer_size,
+ unsigned ms)
{
int ret;
@@ -95,7 +95,6 @@ socket_send(const socket_st * socket, const void *buffer, int buffer_size)
return socket_send_range(socket, buffer, buffer_size, NULL);
}
-
ssize_t
socket_send_range(const socket_st * socket, const void *buffer,
int buffer_size, gnutls_range_st * range)
@@ -107,18 +106,15 @@ socket_send_range(const socket_st * socket, const void *buffer,
if (range == NULL)
ret =
gnutls_record_send(socket->session,
- buffer,
- buffer_size);
+ buffer, buffer_size);
else
ret =
- gnutls_record_send_range(socket->
- session,
+ gnutls_record_send_range(socket->session,
buffer,
buffer_size,
range);
}
- while (ret == GNUTLS_E_AGAIN
- || ret == GNUTLS_E_INTERRUPTED);
+ while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
else
do {
ret = send(socket->fd, buffer, buffer_size, 0);
@@ -166,10 +162,11 @@ ssize_t wait_for_text(socket_st * socket, const char *txt, unsigned txt_size)
abort();
if (socket->verbose && txt != NULL)
- fprintf(stderr, "starttls: waiting for: \"%.*s\"\n", txt_size, txt);
+ fprintf(stderr, "starttls: waiting for: \"%.*s\"\n", txt_size,
+ txt);
pbuf = buf;
- left = sizeof(buf)-1;
+ left = sizeof(buf) - 1;
got = 0;
do {
@@ -181,7 +178,8 @@ ssize_t wait_for_text(socket_st * socket, const char *txt, unsigned txt_size)
if (ret > 0)
ret = recv(socket->fd, pbuf, left, 0);
if (ret == -1) {
- fprintf(stderr, "error receiving '%s': %s\n", txt, strerror(errno));
+ fprintf(stderr, "error receiving '%s': %s\n", txt,
+ strerror(errno));
exit(2);
} else if (ret == 0) {
fprintf(stderr, "error receiving '%s': Timeout\n", txt);
@@ -199,33 +197,33 @@ ssize_t wait_for_text(socket_st * socket, const char *txt, unsigned txt_size)
left -= ret;
got += ret;
-
/* check for text after a newline in buffer */
if (got > txt_size) {
p = memmem(buf, got, txt, txt_size);
if (p != NULL && p != buf) {
p--;
- if (*p == '\n' || *p == '\r' || (*txt == '<' && *p == '>')) // XMPP is not line oriented, uses XML format
+ if (*p == '\n' || *p == '\r' || (*txt == '<' && *p == '>')) // XMPP is not line oriented, uses XML format
break;
}
}
- } while(got < txt_size || strncmp(buf, txt, txt_size) != 0);
+ } while (got < txt_size || strncmp(buf, txt, txt_size) != 0);
return got;
}
-static void
-socket_starttls(socket_st * socket)
+static void socket_starttls(socket_st * socket)
{
char buf[512];
if (socket->secure)
return;
- if (socket->app_proto == NULL || strcasecmp(socket->app_proto, "https") == 0)
+ if (socket->app_proto == NULL
+ || strcasecmp(socket->app_proto, "https") == 0)
return;
- if (strcasecmp(socket->app_proto, "smtp") == 0 || strcasecmp(socket->app_proto, "submission") == 0) {
+ if (strcasecmp(socket->app_proto, "smtp") == 0
+ || strcasecmp(socket->app_proto, "submission") == 0) {
if (socket->verbose)
log_msg(stdout, "Negotiating SMTP STARTTLS\n");
@@ -235,7 +233,8 @@ socket_starttls(socket_st * socket)
wait_for_text(socket, "250 ", 4);
send_line(socket, "STARTTLS\r\n");
wait_for_text(socket, "220 ", 4);
- } else if (strcasecmp(socket->app_proto, "imap") == 0 || strcasecmp(socket->app_proto, "imap2") == 0) {
+ } else if (strcasecmp(socket->app_proto, "imap") == 0
+ || strcasecmp(socket->app_proto, "imap2") == 0) {
if (socket->verbose)
log_msg(stdout, "Negotiating IMAP STARTTLS\n");
@@ -247,18 +246,22 @@ socket_starttls(socket_st * socket)
if (socket->verbose)
log_msg(stdout, "Negotiating XMPP STARTTLS\n");
- snprintf(buf, sizeof(buf), "<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='%s' version='1.0'>\n", socket->hostname);
+ snprintf(buf, sizeof(buf),
+ "<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='%s' version='1.0'>\n",
+ socket->hostname);
send_line(socket, buf);
wait_for_text(socket, "<?", 2);
- send_line(socket, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
+ send_line(socket,
+ "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
wait_for_text(socket, "<proceed", 8);
} else if (strcasecmp(socket->app_proto, "ldap") == 0) {
if (socket->verbose)
log_msg(stdout, "Negotiating LDAP STARTTLS\n");
#define LDAP_STR "\x30\x1d\x02\x01\x01\x77\x18\x80\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37"
- send(socket->fd, LDAP_STR, sizeof(LDAP_STR)-1, 0);
+ send(socket->fd, LDAP_STR, sizeof(LDAP_STR) - 1, 0);
wait_for_text(socket, NULL, 0);
- } else if (strcasecmp(socket->app_proto, "ftp") == 0 || strcasecmp(socket->app_proto, "ftps") == 0) {
+ } else if (strcasecmp(socket->app_proto, "ftp") == 0
+ || strcasecmp(socket->app_proto, "ftps") == 0) {
if (socket->verbose)
log_msg(stdout, "Negotiating FTP STARTTLS\n");
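Review bot: The reflowed LDAP probe `send(socket->fd, LDAP_STR, sizeof(LDAP_STR) - 1, 0);` still discards its return value, so a failed or short write is followed straight by `wait_for_text(socket, NULL, 0)`, which then blocks on a reply that will never arrive and most likely reports a timeout or a recv error instead of the real send failure. Check the result before waiting: `if (send(socket->fd, LDAP_STR, sizeof(LDAP_STR) - 1, 0) != (ssize_t)(sizeof(LDAP_STR) - 1)) { perror("send"); exit(1); }`. The PostgreSQL probe in the following hunk has the same shape and deserves the same check. socket_starttls starts and ends outside this hunk.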
@@ -297,18 +300,20 @@ socket_starttls(socket_st * socket)
wait_for_text(socket, "OK ", 3);
send_line(socket, "STARTTLS\r\n");
wait_for_text(socket, "OK ", 3);
- } else if (strcasecmp(socket->app_proto, "postgres") == 0 || strcasecmp(socket->app_proto, "postgresql") == 0) {
+ } else if (strcasecmp(socket->app_proto, "postgres") == 0
+ || strcasecmp(socket->app_proto, "postgresql") == 0) {
if (socket->verbose)
log_msg(stdout, "Negotiating PostgreSQL STARTTLS\n");
#define POSTGRES_STR "\x00\x00\x00\x08\x04\xD2\x16\x2F"
- send(socket->fd, POSTGRES_STR, sizeof(POSTGRES_STR)-1, 0);
+ send(socket->fd, POSTGRES_STR, sizeof(POSTGRES_STR) - 1, 0);
wait_for_text(socket, NULL, 0);
} else {
if (!c_isdigit(socket->app_proto[0])) {
static int warned = 0;
if (warned == 0) {
- fprintf(stderr, "unknown protocol '%s'\n", socket->app_proto);
+ fprintf(stderr, "unknown protocol '%s'\n",
+ socket->app_proto);
warned = 1;
}
}
@@ -321,8 +326,7 @@ socket_starttls(socket_st * socket)
if (strcasecmp(app_proto, "xmpp") == 0) \
app_proto = "xmpp-server"; \
-int
-starttls_proto_to_port(const char *app_proto)
+int starttls_proto_to_port(const char *app_proto)
{
struct servent *s;
@@ -360,7 +364,8 @@ void socket_bye(socket_st * socket, unsigned polite)
if (socket->secure && socket->session) {
if (polite) {
do
- ret = gnutls_bye(socket->session, GNUTLS_SHUT_WR);
+ ret =
+ gnutls_bye(socket->session, GNUTLS_SHUT_WR);
while (ret == GNUTLS_E_INTERRUPTED
|| ret == GNUTLS_E_AGAIN);
if (socket->verbose && ret < 0)
@@ -412,16 +417,15 @@ void canonicalize_host(char *hostname, char *service, unsigned service_size)
*p = 0;
if (service && service_size)
- snprintf(service, service_size, "%s", p+1);
+ snprintf(service, service_size, "%s", p + 1);
} else
p = hostname + strlen(hostname);
if (p > hostname && p[-1] == '.')
- p[-1] = 0; // remove trailing dot on FQDN
+ p[-1] = 0; // remove trailing dot on FQDN
}
-static ssize_t
-wrap_pull(gnutls_transport_ptr_t ptr, void *data, size_t len)
+static ssize_t wrap_pull(gnutls_transport_ptr_t ptr, void *data, size_t len)
{
socket_st *hd = ptr;
ssize_t r;
@@ -447,18 +451,19 @@ wrap_push(gnutls_transport_ptr_t ptr, const void *data, size_t len)
/* inline is used to avoid a gcc warning if used in mini-eagain */
inline static int wrap_pull_timeout_func(gnutls_transport_ptr_t ptr,
- unsigned int ms)
+ unsigned int ms)
{
socket_st *hd = ptr;
- return gnutls_system_recv_timeout((gnutls_transport_ptr_t)(long)hd->fd, ms);
+ return gnutls_system_recv_timeout((gnutls_transport_ptr_t) (long)hd->fd,
+ ms);
}
-
void
socket_open2(socket_st * hd, const char *hostname, const char *service,
- const char *app_proto, int flags, const char *msg, gnutls_datum_t *rdata, gnutls_datum_t *edata,
- FILE *server_trace, FILE *client_trace)
+ const char *app_proto, int flags, const char *msg,
+ gnutls_datum_t * rdata, gnutls_datum_t * edata,
+ FILE * server_trace, FILE * client_trace)
{
struct addrinfo hints, *res, *ptr;
int sd, err = 0;
@@ -487,12 +492,13 @@ socket_open2(socket_st * hd, const char *hostname, const char *service,
ret = gnutls_idna_map(hostname, strlen(hostname), &idna, 0);
if (ret < 0) {
- fprintf(stderr, "Cannot convert %s to IDNA: %s\n", hostname, gnutls_strerror(ret));
+ fprintf(stderr, "Cannot convert %s to IDNA: %s\n", hostname,
+ gnutls_strerror(ret));
exit(1);
}
hd->hostname = strdup(hostname);
- a_hostname = (char*)idna.data;
+ a_hostname = (char *)idna.data;
if (msg != NULL)
log_msg(stdout, "Resolving '%s:%s'...\n", a_hostname, service);
@@ -508,8 +514,7 @@ socket_open2(socket_st * hd, const char *hostname, const char *service,
sd = -1;
for (ptr = res; ptr != NULL; ptr = ptr->ai_next) {
- sd = socket(ptr->ai_family, ptr->ai_socktype,
- ptr->ai_protocol);
+ sd = socket(ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol);
if (sd == -1)
continue;
@@ -527,31 +532,34 @@ socket_open2(socket_st * hd, const char *hostname, const char *service,
#if defined(IP_DONTFRAG)
int yes = 1;
if (setsockopt(sd, IPPROTO_IP, IP_DONTFRAG,
- (const void *) &yes,
- sizeof(yes)) < 0)
+ (const void *)&yes, sizeof(yes)) < 0)
perror("setsockopt(IP_DF) failed");
#elif defined(IP_MTU_DISCOVER)
int yes = IP_PMTUDISC_DO;
if (setsockopt(sd, IPPROTO_IP, IP_MTU_DISCOVER,
- (const void *) &yes,
- sizeof(yes)) < 0)
+ (const void *)&yes, sizeof(yes)) < 0)
perror("setsockopt(IP_DF) failed");
#endif
}
if (fastopen && ptr->ai_socktype == SOCK_STREAM
- && (ptr->ai_family == AF_INET || ptr->ai_family == AF_INET6)) {
- memcpy(&hd->connect_addr, ptr->ai_addr, ptr->ai_addrlen);
+ && (ptr->ai_family == AF_INET
+ || ptr->ai_family == AF_INET6)) {
+ memcpy(&hd->connect_addr, ptr->ai_addr,
+ ptr->ai_addrlen);
hd->connect_addrlen = ptr->ai_addrlen;
if (msg)
- log_msg(stdout, "%s '%s:%s' (TFO)...\n", msg, buffer, portname);
+ log_msg(stdout, "%s '%s:%s' (TFO)...\n", msg,
+ buffer, portname);
} else {
if (msg)
- log_msg(stdout, "%s '%s:%s'...\n", msg, buffer, portname);
+ log_msg(stdout, "%s '%s:%s'...\n", msg, buffer,
+ portname);
- if ((err = connect(sd, ptr->ai_addr, ptr->ai_addrlen)) < 0) {
+ if ((err =
+ connect(sd, ptr->ai_addr, ptr->ai_addrlen)) < 0) {
close(sd);
continue;
}
@@ -575,40 +583,53 @@ socket_open2(socket_st * hd, const char *hostname, const char *service,
if (hd->session) {
if (hd->edata.data) {
- ret = gnutls_record_send_early_data(hd->session, hd->edata.data, hd->edata.size);
+ ret =
+ gnutls_record_send_early_data(hd->session,
+ hd->
+ edata.data,
+ hd->
+ edata.size);
if (ret < 0) {
- fprintf(stderr, "error sending early data\n");
+ fprintf(stderr,
+ "error sending early data\n");
close(sd);
exit(1);
}
}
if (hd->rdata.data) {
- gnutls_session_set_data(hd->session, hd->rdata.data, hd->rdata.size);
+ gnutls_session_set_data(hd->session,
+ hd->rdata.data,
+ hd->rdata.size);
}
if (client_trace || server_trace) {
hd->server_trace = server_trace;
hd->client_trace = client_trace;
- gnutls_transport_set_push_function(hd->session, wrap_push);
- gnutls_transport_set_pull_function(hd->session, wrap_pull);
- gnutls_transport_set_pull_timeout_function(hd->session, wrap_pull_timeout_func);
+ gnutls_transport_set_push_function(hd->session,
+ wrap_push);
+ gnutls_transport_set_pull_function(hd->session,
+ wrap_pull);
+ gnutls_transport_set_pull_timeout_function
+ (hd->session, wrap_pull_timeout_func);
gnutls_transport_set_ptr(hd->session, hd);
} else {
gnutls_transport_set_int(hd->session, hd->fd);
}
}
- if (!(flags & SOCKET_FLAG_RAW) && !(flags & SOCKET_FLAG_SKIP_INIT)) {
+ if (!(flags & SOCKET_FLAG_RAW)
+ && !(flags & SOCKET_FLAG_SKIP_INIT)) {
err = do_handshake(hd);
- if (err == GNUTLS_E_PUSH_ERROR) { /* failed connecting */
+ if (err == GNUTLS_E_PUSH_ERROR) { /* failed connecting */
gnutls_deinit(hd->session);
hd->session = NULL;
close(sd);
continue;
- }
- else if (err < 0) {
+ } else if (err < 0) {
if (!(flags & SOCKET_FLAG_DONT_PRINT_ERRORS))
- fprintf(stderr, "*** handshake has failed: %s\n", gnutls_strerror(err));
+ fprintf(stderr,
+ "*** handshake has failed: %s\n",
+ gnutls_strerror(err));
close(sd);
exit(1);
}
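Review bot: The reindent of the early-data call leaves `hd->` alone on a line, twice, before `edata.data` and `edata.size`, and further down separates `gnutls_transport_set_pull_timeout_function` from its argument list on the next line; both are indenter artifacts that read like typos and will churn again on the next reformat. Fold them back by hand: `ret = gnutls_record_send_early_data(hd->session, hd->edata.data, hd->edata.size);` and `gnutls_transport_set_pull_timeout_function(hd->session, wrap_pull_timeout_func);`, breaking after a comma if the line limit requires a continuation. socket_open2 starts and ends outside this hunk.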
@@ -620,7 +641,7 @@ socket_open2(socket_st * hd, const char *hostname, const char *service,
if (err != 0) {
int e = errno;
fprintf(stderr, "Could not connect to %s:%s: %s\n",
- buffer, portname, strerror(e));
+ buffer, portname, strerror(e));
exit(1);
}
@@ -667,7 +688,8 @@ const char *port_to_service(const char *sport, const char *proto)
sr = getservbyport(port, proto);
if (sr == NULL) {
fprintf(stderr,
- "Warning: getservbyport(%s) failed. Using port number as service.\n", sport);
+ "Warning: getservbyport(%s) failed. Using port number as service.\n",
+ sport);
return sport;
}
@@ -685,7 +707,9 @@ int service_to_port(const char *service, const char *proto)
sr = getservbyname(service, proto);
if (sr == NULL) {
- fprintf(stderr, "Warning: getservbyname() failed for '%s/%s'.\n", service, proto);
+ fprintf(stderr,
+ "Warning: getservbyname() failed for '%s/%s'.\n",
+ service, proto);
exit(1);
}
diff --git a/src/socket.h b/src/socket.h
index b70e188f73..89edf66e89 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -1,17 +1,16 @@
#ifndef GNUTLS_SRC_SOCKET_H
-#define GNUTLS_SRC_SOCKET_H
+# define GNUTLS_SRC_SOCKET_H
-#include <gnutls/gnutls.h>
-#include <gnutls/socket.h>
-
-#define SOCKET_FLAG_UDP 1
-#define SOCKET_FLAG_FASTOPEN (1<<1)
-#define SOCKET_FLAG_STARTTLS (1<<2)
-#define SOCKET_FLAG_RAW (1<<3) /* unencrypted */
-#define SOCKET_FLAG_VERBOSE (1<<4)
-#define SOCKET_FLAG_SKIP_INIT (1<<5)
-#define SOCKET_FLAG_DONT_PRINT_ERRORS (1<<6)
+# include <gnutls/gnutls.h>
+# include <gnutls/socket.h>
+# define SOCKET_FLAG_UDP 1
+# define SOCKET_FLAG_FASTOPEN (1<<1)
+# define SOCKET_FLAG_STARTTLS (1<<2)
+# define SOCKET_FLAG_RAW (1<<3) /* unencrypted */
+# define SOCKET_FLAG_VERBOSE (1<<4)
+# define SOCKET_FLAG_SKIP_INIT (1<<5)
+# define SOCKET_FLAG_DONT_PRINT_ERRORS (1<<6)
typedef struct {
int fd;
@@ -42,23 +41,23 @@ typedef struct {
extern gnutls_session_t init_tls_session(const char *host);
int do_handshake(socket_st * socket);
-ssize_t socket_recv(const socket_st * socket, void *buffer,
- int buffer_size);
+ssize_t socket_recv(const socket_st * socket, void *buffer, int buffer_size);
ssize_t socket_recv_timeout(const socket_st * socket, void *buffer,
- int buffer_size, unsigned ms);
+ int buffer_size, unsigned ms);
ssize_t socket_send(const socket_st * socket, const void *buffer,
int buffer_size);
ssize_t socket_send_range(const socket_st * socket, const void *buffer,
int buffer_size, gnutls_range_st * range);
void
socket_open2(socket_st * hd, const char *hostname, const char *service,
- const char *app_proto, int flags, const char *msg, gnutls_datum_t *rdata, gnutls_datum_t *edata,
- FILE *server_trace, FILE *client_trace);
+ const char *app_proto, int flags, const char *msg,
+ gnutls_datum_t * rdata, gnutls_datum_t * edata,
+ FILE * server_trace, FILE * client_trace);
-#define socket_open(hd, host, service, app_proto, flags, msg, rdata) \
+# define socket_open(hd, host, service, app_proto, flags, msg, rdata) \
socket_open2(hd, host, service, app_proto, flags, msg, rdata, NULL, NULL, NULL)
-#define socket_open3(hd, host, service, app_proto, flags, msg, rdata, edata) \
+# define socket_open3(hd, host, service, app_proto, flags, msg, rdata, edata) \
socket_open2(hd, host, service, app_proto, flags, msg, rdata, edata, NULL, NULL)
void socket_bye(socket_st * socket, unsigned polite);
@@ -70,6 +69,6 @@ const char *starttls_proto_to_service(const char *app_proto);
void canonicalize_host(char *hostname, char *service, unsigned service_size);
-#define CONNECT_MSG "Connecting to"
+# define CONNECT_MSG "Connecting to"
-#endif /* GNUTLS_SRC_SOCKET_H */
+#endif /* GNUTLS_SRC_SOCKET_H */
diff --git a/src/srptool.c b/src/srptool.c
index a050de09db..5688929ff2 100644
--- a/src/srptool.c
+++ b/src/srptool.c
@@ -30,10 +30,10 @@
#include <sys/stat.h>
#ifndef _WIN32
-#include <pwd.h>
-#include <unistd.h>
+# include <pwd.h>
+# include <unistd.h>
#else
-#include <windows.h>
+# include <windows.h>
#endif
/* Gnulib portability files. */
@@ -48,8 +48,7 @@
int crypt_int(const char *username, const char *passwd, int salt,
const char *tpasswd_conf, const char *tpasswd, int uindex);
-static int read_conf_values(gnutls_datum_t * g, gnutls_datum_t * n,
- char *str);
+static int read_conf_values(gnutls_datum_t * g, gnutls_datum_t * n, char *str);
static int _verify_passwd_int(const char *username, const char *passwd,
char *verifier, const char *salt,
const gnutls_datum_t * g,
@@ -175,7 +174,7 @@ _verify_passwd_int(const char *username, const char *passwd,
*pos = 0;
/* convert salt to binary. */
- tmp.data = (void *) _salt;
+ tmp.data = (void *)_salt;
tmp.size = strlen(_salt);
if (gnutls_srp_base64_decode_alloc(&tmp, &raw_salt) < 0) {
@@ -295,8 +294,7 @@ verify_passwd(const char *conffile, const char *tpasswd,
iindex = find_strchr(username, tpasswd);
if (iindex == -1) {
- fprintf(stderr, "Cannot find '%s' in %s\n", username,
- tpasswd);
+ fprintf(stderr, "Cannot find '%s' in %s\n", username, tpasswd);
return -1;
}
@@ -412,12 +410,12 @@ int main(int argc, char **argv)
if (HAVE_OPT(PASSWD))
fpasswd = OPT_ARG(PASSWD);
else
- fpasswd = (char *) KPASSWD;
+ fpasswd = (char *)KPASSWD;
if (HAVE_OPT(PASSWD_CONF))
fpasswd_conf = OPT_ARG(PASSWD_CONF);
else
- fpasswd_conf = (char *) KPASSWD_CONF;
+ fpasswd_conf = (char *)KPASSWD_CONF;
if (HAVE_OPT(USERNAME))
username = OPT_ARG(USERNAME);
@@ -445,13 +443,11 @@ int main(int argc, char **argv)
return -1;
}
-/* not ready yet */
+ /* not ready yet */
if (HAVE_OPT(VERIFY)) {
- return verify_passwd(fpasswd_conf, fpasswd,
- username, passwd);
+ return verify_passwd(fpasswd_conf, fpasswd, username, passwd);
}
-
return crypt_int(username, passwd, salt_size,
fpasswd_conf, fpasswd, OPT_VALUE_INDEX);
@@ -466,7 +462,7 @@ static char *_srp_crypt(const char *username, const char *passwd,
gnutls_datum_t dat_salt, txt_salt;
gnutls_datum_t verifier, txt_verifier;
- if ((unsigned) salt_size > sizeof(salt))
+ if ((unsigned)salt_size > sizeof(salt))
return NULL;
/* generate the salt
@@ -507,7 +503,6 @@ static char *_srp_crypt(const char *username, const char *passwd,
}
-
int
crypt_int(const char *username, const char *passwd, int salt_size,
const char *tpasswd_conf, const char *tpasswd, int uindex)
@@ -539,8 +534,7 @@ crypt_int(const char *username, const char *passwd, int salt_size,
line[sizeof(line) - 1] = 0;
if ((iindex = read_conf_values(&g, &n, line)) < 0) {
- fprintf(stderr, "Cannot parse conf file '%s'\n",
- tpasswd_conf);
+ fprintf(stderr, "Cannot parse conf file '%s'\n", tpasswd_conf);
return -1;
}
@@ -555,8 +549,7 @@ crypt_int(const char *username, const char *passwd, int salt_size,
int put;
if (strlen(tpasswd) + 5 > sizeof(tmpname)) {
- fprintf(stderr, "file '%s' is tooooo long\n",
- tpasswd);
+ fprintf(stderr, "file '%s' is tooooo long\n", tpasswd);
return -1;
}
@@ -583,8 +576,7 @@ crypt_int(const char *username, const char *passwd, int salt_size,
fp2 = fopen(tmpname, "r");
if (fp2 == NULL) {
- fprintf(stderr, "Cannot open '%s' for read\n",
- tmpname);
+ fprintf(stderr, "Cannot open '%s' for read\n", tmpname);
(void)remove(tmpname);
fclose(fp);
return -1;
@@ -602,10 +594,9 @@ crypt_int(const char *username, const char *passwd, int salt_size,
if (strncmp(p, username,
MAX(strlen(username),
- (unsigned int) (pp - p))) == 0) {
+ (unsigned int)(pp - p))) == 0) {
put = 1;
- fprintf(fp, "%s:%s:%u\n", username, cr,
- iindex);
+ fprintf(fp, "%s:%s:%u\n", username, cr, iindex);
} else {
fputs(line, fp);
}
@@ -623,17 +614,13 @@ crypt_int(const char *username, const char *passwd, int salt_size,
}
-
return 0;
}
-
-
/* this function parses tpasswd.conf file. Format is:
* int(index):base64(n):base64(g)
*/
-static int
-read_conf_values(gnutls_datum_t * g, gnutls_datum_t * n, char *str)
+static int read_conf_values(gnutls_datum_t * g, gnutls_datum_t * n, char *str)
{
char *p;
int len;
@@ -655,7 +642,7 @@ read_conf_values(gnutls_datum_t * g, gnutls_datum_t * n, char *str)
if (p[len - 1] == '\n')
len--;
- dat.data = (void *) p;
+ dat.data = (void *)p;
dat.size = len;
ret = gnutls_srp_base64_decode_alloc(&dat, g);
@@ -673,7 +660,7 @@ read_conf_values(gnutls_datum_t * g, gnutls_datum_t * n, char *str)
*p = '\0';
p++;
- dat.data = (void *) p;
+ dat.data = (void *)p;
dat.size = strlen(p);
ret = gnutls_srp_base64_decode_alloc(&dat, n);
diff --git a/src/systemkey.c b/src/systemkey.c
index 11fe3cd8f4..8489879a22 100644
--- a/src/systemkey.c
+++ b/src/systemkey.c
@@ -72,7 +72,6 @@ static void tls_log_func(int level, const char *str)
fprintf(stderr, "|<%d>| %s", level, str);
}
-
int main(int argc, char **argv)
{
cmd_parser(argc, argv);
@@ -91,7 +90,7 @@ static void cmd_parser(int argc, char **argv)
if (HAVE_OPT(DEBUG)) {
gnutls_global_set_log_level(OPT_VALUE_DEBUG);
- printf("Setting log level to %d\n", (int) OPT_VALUE_DEBUG);
+ printf("Setting log level to %d\n", (int)OPT_VALUE_DEBUG);
}
if (HAVE_OPT(OUTDER)) {
@@ -124,6 +123,7 @@ static void cmd_parser(int argc, char **argv)
gnutls_global_deinit();
}
+
static void systemkey_delete(const char *url, FILE * out)
{
int ret;
@@ -145,15 +145,20 @@ static void systemkey_list(FILE * out)
char *cert_url, *key_url, *label;
do {
- ret = gnutls_system_key_iter_get_info(&iter, GNUTLS_CRT_X509, &cert_url, &key_url, &label, NULL, 0);
+ ret =
+ gnutls_system_key_iter_get_info(&iter, GNUTLS_CRT_X509,
+ &cert_url, &key_url, &label,
+ NULL, 0);
if (ret >= 0) {
- fprintf(out, "Label:\t%s\nCert:\t%s\nKey:\t%s\n\n", label, cert_url, key_url);
+ fprintf(out, "Label:\t%s\nCert:\t%s\nKey:\t%s\n\n",
+ label, cert_url, key_url);
}
- } while(ret >= 0);
+ } while (ret >= 0);
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
if (ret == GNUTLS_E_UNIMPLEMENTED_FEATURE) {
- fprintf(stderr, "Native key store is not supported, or not present on this system\n");
+ fprintf(stderr,
+ "Native key store is not supported, or not present on this system\n");
} else {
fprintf(stderr, "Error: %s\n", gnutls_strerror(ret));
}
diff --git a/src/tests.c b/src/tests.c
index 8526b69437..4275016186 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -23,10 +23,10 @@
#include <gnutls/x509.h>
#ifndef _WIN32
-#include <unistd.h>
-#include <signal.h>
+# include <unistd.h>
+# include <signal.h>
#else
-#include <errno.h>
+# include <errno.h>
#endif
#include <stdio.h>
@@ -40,9 +40,8 @@ void _gnutls_record_set_default_version(gnutls_session_t session,
unsigned char minor);
void _gnutls_hello_set_default_version(gnutls_session_t session,
- unsigned char major,
- unsigned char minor);
-
+ unsigned char major,
+ unsigned char minor);
extern gnutls_srp_client_credentials_t srp_cred;
extern gnutls_anon_client_credentials_t anon_cred;
@@ -108,22 +107,20 @@ static int test_do_handshake(gnutls_session_t session)
return TEST_SUCCEED;
}
-char protocol_str[] =
- "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
-char protocol_all_str[] =
- "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
+char protocol_str[] = "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
+char protocol_all_str[] = "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
char prio_str[768] = "";
#ifdef ENABLE_GOST
-#define GOST_CIPHERS ":+GOST28147-TC26Z-CNT"
-#define GOST_MACS ":+GOST28147-TC26Z-IMIT"
-#define GOST_KX ":+VKO-GOST-12"
-#define GOST_REST ":+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:+GROUP-GOST-ALL"
+# define GOST_CIPHERS ":+GOST28147-TC26Z-CNT"
+# define GOST_MACS ":+GOST28147-TC26Z-IMIT"
+# define GOST_KX ":+VKO-GOST-12"
+# define GOST_REST ":+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:+GROUP-GOST-ALL"
#else
-#define GOST_CIPHERS
-#define GOST_MACS
-#define GOST_KX
-#define GOST_REST
+# define GOST_CIPHERS
+# define GOST_MACS
+# define GOST_KX
+# define GOST_REST
#endif
#define ALL_CIPHERS "+CIPHER-ALL:+ARCFOUR-128:+3DES-CBC" GOST_CIPHERS
@@ -145,7 +142,8 @@ char rest[384] = "%UNSAFE_RENEGOTIATION:+SIGN-ALL:+GROUP-ALL" GOST_REST;
}
static inline int
-__gnutls_priority_set_direct(gnutls_session_t session, const char *str, int line)
+__gnutls_priority_set_direct(gnutls_session_t session, const char *str,
+ int line)
{
const char *err;
int ret = gnutls_priority_set_direct(session, str, &err);
@@ -156,8 +154,7 @@ __gnutls_priority_set_direct(gnutls_session_t session, const char *str, int line
return TEST_IGNORE;
fprintf(stderr, "Error at %d with string %s\n", line, str);
- fprintf(stderr, "Error at %s: %s\n", err,
- gnutls_strerror(ret));
+ fprintf(stderr, "Error at %s: %s\n", err, gnutls_strerror(ret));
exit(1);
}
@@ -192,8 +189,9 @@ test_code_t test_server(gnutls_session_t session)
ext_text = "unknown";
p = strstr(buf, "Server:");
if (p != NULL) {
- p+=7;
- if (*p == ' ') p++;
+ p += 7;
+ if (*p == ' ')
+ p++;
ext_text = p;
while (*p != 0 && *p != '\r' && *p != '\n') {
p++;
@@ -244,7 +242,8 @@ test_code_t test_rfc7919(gnutls_session_t session)
ret = test_do_handshake(session);
- if (ret != TEST_FAILED && (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_RFC7919))
+ if (ret != TEST_FAILED
+ && (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_RFC7919))
return TEST_SUCCEED;
else
return TEST_FAILED;
@@ -285,8 +284,7 @@ test_code_t test_vko_gost_12(gnutls_session_t session)
sprintf(prio_str, INIT_STR
ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS
- ":+VKO-GOST-12:%s", protocol_all_str,
- rest);
+ ":+VKO-GOST-12:%s", protocol_all_str, rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -309,8 +307,7 @@ test_code_t test_rsa(gnutls_session_t session)
sprintf(prio_str, INIT_STR
ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS
- ":+RSA:%s", protocol_all_str,
- rest);
+ ":+RSA:%s", protocol_all_str, rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -324,7 +321,8 @@ test_code_t test_rsa(gnutls_session_t session)
}
static
-test_code_t test_ecdhe_curve(gnutls_session_t session, const char *curve, unsigned id)
+test_code_t test_ecdhe_curve(gnutls_session_t session, const char *curve,
+ unsigned id)
{
int ret;
@@ -335,7 +333,8 @@ test_code_t test_ecdhe_curve(gnutls_session_t session, const char *curve, unsign
* because list of curves may be also used by the server to select a cert. */
sprintf(prio_str, INIT_STR
ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS
- ":+ECDHE-RSA:+ECDHE-ECDSA:%s:%s", protocol_all_str, curve, rest);
+ ":+ECDHE-RSA:+ECDHE-ECDSA:%s:%s", protocol_all_str, curve,
+ rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -353,22 +352,26 @@ test_code_t test_ecdhe_curve(gnutls_session_t session, const char *curve, unsign
test_code_t test_ecdhe_secp256r1(gnutls_session_t session)
{
- return test_ecdhe_curve(session, "+CURVE-SECP256R1", GNUTLS_ECC_CURVE_SECP256R1);
+ return test_ecdhe_curve(session, "+CURVE-SECP256R1",
+ GNUTLS_ECC_CURVE_SECP256R1);
}
test_code_t test_ecdhe_secp384r1(gnutls_session_t session)
{
- return test_ecdhe_curve(session, "+CURVE-SECP384R1", GNUTLS_ECC_CURVE_SECP384R1);
+ return test_ecdhe_curve(session, "+CURVE-SECP384R1",
+ GNUTLS_ECC_CURVE_SECP384R1);
}
test_code_t test_ecdhe_secp521r1(gnutls_session_t session)
{
- return test_ecdhe_curve(session, "+CURVE-SECP521R1", GNUTLS_ECC_CURVE_SECP521R1);
+ return test_ecdhe_curve(session, "+CURVE-SECP521R1",
+ GNUTLS_ECC_CURVE_SECP521R1);
}
test_code_t test_ecdhe_x25519(gnutls_session_t session)
{
- return test_ecdhe_curve(session, "+CURVE-X25519", GNUTLS_ECC_CURVE_X25519);
+ return test_ecdhe_curve(session, "+CURVE-X25519",
+ GNUTLS_ECC_CURVE_X25519);
}
test_code_t test_rfc7507(gnutls_session_t session)
@@ -389,7 +392,7 @@ test_code_t test_rfc7507(gnutls_session_t session)
sprintf(prio_str, INIT_STR
ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS
- ":"ALL_KX":%s", pstr, rest);
+ ":" ALL_KX ":%s", pstr, rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -404,7 +407,6 @@ test_code_t test_rfc7507(gnutls_session_t session)
return TEST_FAILED;
}
-
test_code_t test_safe_renegotiation(gnutls_session_t session)
{
int ret;
@@ -435,7 +437,7 @@ test_code_t test_ocsp_status(gnutls_session_t session)
sprintf(prio_str, INIT_STR
ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS
- ":" ALL_KX":%s", protocol_str, rest);
+ ":" ALL_KX ":%s", protocol_str, rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_ocsp_status_request_enable_client(session, NULL, 0, NULL);
@@ -451,7 +453,6 @@ test_code_t test_ocsp_status(gnutls_session_t session)
if (ret == 0)
return TEST_SUCCEED;
-
return TEST_FAILED;
}
@@ -578,14 +579,15 @@ test_code_t test_dhe_group(gnutls_session_t session)
if (pubkey2.data && pubkey2.size == pubkey.size &&
memcmp(pubkey.data, pubkey2.data, pubkey.size) == 0) {
fprintf
- (fp, " (public key seems to be static among sessions)\n");
+ (fp,
+ " (public key seems to be static among sessions)\n");
}
{
/* save the PKCS #3 params */
gnutls_dh_params_t dhp;
gnutls_datum_t p3;
-
+
ret2 = gnutls_dh_params_init(&dhp);
if (ret2 < 0) {
fclose(fp);
@@ -599,7 +601,10 @@ test_code_t test_dhe_group(gnutls_session_t session)
return TEST_FAILED;
}
- ret2 = gnutls_dh_params_export2_pkcs3(dhp, GNUTLS_X509_FMT_PEM, &p3);
+ ret2 =
+ gnutls_dh_params_export2_pkcs3(dhp,
+ GNUTLS_X509_FMT_PEM,
+ &p3);
if (ret2 < 0) {
gnutls_dh_params_deinit(dhp);
fclose(fp);
@@ -708,13 +713,13 @@ test_code_t test_bye(gnutls_session_t session)
return TEST_FAILED;
#ifndef _WIN32
- (void) sigaction (SIGALRM, NULL, &sa);
+ (void)sigaction(SIGALRM, NULL, &sa);
sa.sa_flags &= ~SA_RESTART;
sigaction(SIGALRM, &sa, &old_sa);
alarm(secs);
#else
- setsockopt((int) gnutls_transport_get_ptr(session), SOL_SOCKET,
- SO_RCVTIMEO, (char *) &secs, sizeof(int));
+ setsockopt((int)gnutls_transport_get_ptr(session), SOL_SOCKET,
+ SO_RCVTIMEO, (char *)&secs, sizeof(int));
#endif
do {
@@ -738,8 +743,6 @@ test_code_t test_bye(gnutls_session_t session)
return TEST_FAILED;
}
-
-
test_code_t test_aes(gnutls_session_t session)
{
int ret;
@@ -761,8 +764,7 @@ test_code_t test_aes_gcm(gnutls_session_t session)
sprintf(prio_str, INIT_STR
"+AES-128-GCM:+AES-256-GCM:" ALL_COMP
- ":%s:" ALL_MACS ":" ALL_KX ":%s",
- protocol_all_str, rest);
+ ":%s:" ALL_MACS ":" ALL_KX ":%s", protocol_all_str, rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -777,8 +779,7 @@ test_code_t test_aes_ccm(gnutls_session_t session)
sprintf(prio_str, INIT_STR
"+AES-128-CCM:+AES-256-CCM:" ALL_COMP
- ":%s:" ALL_MACS ":" ALL_KX ":%s",
- protocol_all_str, rest);
+ ":%s:" ALL_MACS ":" ALL_KX ":%s", protocol_all_str, rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -793,8 +794,7 @@ test_code_t test_aes_ccm_8(gnutls_session_t session)
sprintf(prio_str, INIT_STR
"+AES-128-CCM-8:+AES-256-CCM-8:" ALL_COMP
- ":%s:" ALL_MACS ":" ALL_KX ":%s",
- protocol_all_str, rest);
+ ":%s:" ALL_MACS ":" ALL_KX ":%s", protocol_all_str, rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -815,7 +815,6 @@ test_code_t test_camellia_cbc(gnutls_session_t session)
":%s:" ALL_MACS ":" ALL_KX ":%s", protocol_str, rest);
_gnutls_priority_set_direct(session, prio_str);
-
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = test_do_handshake(session);
@@ -846,8 +845,7 @@ test_code_t test_unknown_ciphersuites(gnutls_session_t session)
sprintf(prio_str,
INIT_STR ALL_CIPHERS ":" ALL_COMP
- ":%s:" ALL_MACS ":" ALL_KX ":%s",
- protocol_str, rest);
+ ":%s:" ALL_MACS ":" ALL_KX ":%s", protocol_str, rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -865,8 +863,7 @@ test_code_t test_md5(gnutls_session_t session)
sprintf(prio_str,
INIT_STR ALL_CIPHERS ":" ALL_COMP
- ":%s:+MD5:" ALL_KX ":%s", protocol_str,
- rest);
+ ":%s:+MD5:" ALL_KX ":%s", protocol_str, rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -880,9 +877,8 @@ test_code_t test_sha(gnutls_session_t session)
int ret;
sprintf(prio_str,
- INIT_STR ALL_CIPHERS ":" ALL_COMP
- ":%s:+SHA1:" ALL_KX ":%s", protocol_str,
- rest);
+ INIT_STR ALL_CIPHERS ":" ALL_COMP
+ ":%s:+SHA1:" ALL_KX ":%s", protocol_str, rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -896,8 +892,7 @@ test_code_t test_sha256(gnutls_session_t session)
sprintf(prio_str,
INIT_STR ALL_CIPHERS ":" ALL_COMP
- ":%s:+SHA256:" ALL_KX ":%s",
- protocol_all_str, rest);
+ ":%s:+SHA256:" ALL_KX ":%s", protocol_all_str, rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -998,7 +993,8 @@ test_code_t test_tls1(gnutls_session_t session)
sprintf(prio_str,
INIT_STR ALL_CIPHERS ":" ALL_COMP
- ":+VERS-TLS1.0:%%SSL3_RECORD_VERSION:" ALL_MACS ":" ALL_KX ":%s", rest);
+ ":+VERS-TLS1.0:%%SSL3_RECORD_VERSION:" ALL_MACS ":" ALL_KX
+ ":%s", rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -1020,7 +1016,8 @@ test_code_t test_tls1_nossl3(gnutls_session_t session)
sprintf(prio_str,
INIT_STR ALL_CIPHERS ":" ALL_COMP
- ":+VERS-TLS1.0:%%LATEST_RECORD_VERSION:" ALL_MACS ":" ALL_KX ":%s", rest);
+ ":+VERS-TLS1.0:%%LATEST_RECORD_VERSION:" ALL_MACS ":" ALL_KX
+ ":%s", rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -1041,7 +1038,8 @@ test_code_t test_record_padding(gnutls_session_t session)
sprintf(prio_str,
INIT_STR BLOCK_CIPHERS ":" ALL_COMP
- ":+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:-VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":%s", rest);
+ ":+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:-VERS-SSL3.0:" ALL_MACS
+ ":" ALL_KX ":%s", rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -1051,7 +1049,8 @@ test_code_t test_record_padding(gnutls_session_t session)
} else {
sprintf(prio_str,
INIT_STR BLOCK_CIPHERS ":" ALL_COMP
- ":+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:-VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":%%COMPAT:%s", rest);
+ ":+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:-VERS-SSL3.0:"
+ ALL_MACS ":" ALL_KX ":%%COMPAT:%s", rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -1060,7 +1059,7 @@ test_code_t test_record_padding(gnutls_session_t session)
tls1_ok = 1;
strcat(rest, ":%COMPAT");
} else
- ret = TEST_IGNORE2; /* neither succeeded */
+ ret = TEST_IGNORE2; /* neither succeeded */
}
return ret;
@@ -1089,7 +1088,8 @@ test_code_t test_no_extensions(gnutls_session_t session)
} else {
sprintf(prio_str,
INIT_STR BLOCK_CIPHERS ":" ALL_COMP
- ":+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:-VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":%%NO_EXTENSIONS:%s", rest);
+ ":+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:-VERS-SSL3.0:"
+ ALL_MACS ":" ALL_KX ":%%NO_EXTENSIONS:%s", rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -1098,7 +1098,7 @@ test_code_t test_no_extensions(gnutls_session_t session)
tls_ext_ok = 0;
strcat(rest, ":%NO_EXTENSIONS");
} else
- ret = TEST_IGNORE2; /* neither succeeded */
+ ret = TEST_IGNORE2; /* neither succeeded */
}
return ret;
@@ -1205,8 +1205,8 @@ test_code_t test_tls1_6_fallback(gnutls_session_t session)
* message we do not properly set in this test */
sprintf(prio_str,
INIT_STR ALL_CIPHERS ":" ALL_COMP
- ":+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0:" ALL_MACS ":"
- ALL_KX ":-RSA:%s", rest);
+ ":+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0:" ALL_MACS
+ ":" ALL_KX ":-RSA:%s", rest);
_gnutls_priority_set_direct(session, prio_str);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
@@ -1216,7 +1216,8 @@ test_code_t test_tls1_6_fallback(gnutls_session_t session)
if (ret != TEST_SUCCEED)
return TEST_FAILED;
- ext_text = gnutls_protocol_get_name(gnutls_protocol_get_version(session));
+ ext_text =
+ gnutls_protocol_get_name(gnutls_protocol_get_version(session));
return TEST_SUCCEED;
}
@@ -1264,7 +1265,8 @@ test_code_t test_tls_disable1(gnutls_session_t session)
ret = test_do_handshake(session);
if (ret == TEST_FAILED) {
/* disable TLS 1.1 */
- snprintf(protocol_str, sizeof(protocol_str), "+VERS-TLS1.0:+VERS-SSL3.0");
+ snprintf(protocol_str, sizeof(protocol_str),
+ "+VERS-TLS1.0:+VERS-SSL3.0");
}
return ret;
}
@@ -1286,12 +1288,12 @@ test_code_t test_tls_disable2(gnutls_session_t session)
ret = test_do_handshake(session);
if (ret == TEST_FAILED) {
/* disable TLS 1.2 */
- snprintf(protocol_str, sizeof(protocol_str), "+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0");
+ snprintf(protocol_str, sizeof(protocol_str),
+ "+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0");
}
return ret;
}
-
test_code_t test_rsa_pms(gnutls_session_t session)
{
int ret;
@@ -1356,7 +1358,8 @@ test_code_t test_heartbeat_extension(gnutls_session_t session)
gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);
test_do_handshake(session);
- switch (gnutls_heartbeat_allowed(session, GNUTLS_HB_LOCAL_ALLOWED_TO_SEND)) {
+ switch (gnutls_heartbeat_allowed
+ (session, GNUTLS_HB_LOCAL_ALLOWED_TO_SEND)) {
case 0:
return TEST_FAILED;
default:
@@ -1403,8 +1406,7 @@ test_code_t test_version_rollback(gnutls_session_t session)
if (ret != TEST_SUCCEED)
return ret;
- if (tls1_ok != 0
- && gnutls_protocol_get_version(session) == GNUTLS_SSL3)
+ if (tls1_ok != 0 && gnutls_protocol_get_version(session) == GNUTLS_SSL3)
return TEST_FAILED;
return TEST_SUCCEED;
@@ -1590,16 +1592,18 @@ test_code_t test_chain_order(gnutls_session_t session)
p = 0;
p_size = 0;
pos = NULL;
- for (i=0;i<cert_list_size;i++) {
+ for (i = 0; i < cert_list_size; i++) {
char *new_p;
t.data = NULL;
- ret = gnutls_pem_base64_encode_alloc("CERTIFICATE", &cert_list[i], &t);
+ ret =
+ gnutls_pem_base64_encode_alloc("CERTIFICATE", &cert_list[i],
+ &t);
if (ret < 0) {
free(p);
return TEST_FAILED;
}
- new_p = realloc(p, p_size+t.size+1);
+ new_p = realloc(p, p_size + t.size + 1);
if (!new_p) {
free(p);
return TEST_FAILED;
@@ -1618,15 +1622,18 @@ test_code_t test_chain_order(gnutls_session_t session)
}
t.size = p_size;
- t.data = (void*)p;
+ t.data = (void *)p;
p_size = 0;
- ret = gnutls_x509_crt_list_import2(&certs, &p_size, &t, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
+ ret =
+ gnutls_x509_crt_list_import2(&certs, &p_size, &t,
+ GNUTLS_X509_FMT_PEM,
+ GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
if (ret < 0) {
return TEST_FAILED;
}
- for (i=0;i<p_size;i++) {
+ for (i = 0; i < p_size; i++) {
gnutls_x509_crt_deinit(certs[i]);
}
gnutls_free(certs);
@@ -1662,7 +1669,8 @@ cert_callback(gnutls_session_t session,
fprintf(fp, "- Server's trusted authorities:\n");
else
fprintf
- (fp, "- Server did not send us any trusted authorities names.\n");
+ (fp,
+ "- Server did not send us any trusted authorities names.\n");
/* print the names (if any) */
for (i = 0; i < nreqs; i++) {
@@ -1711,8 +1719,7 @@ test_code_t test_server_cas(gnutls_session_t session)
return TEST_SUCCEED;
}
-static test_code_t
-test_do_handshake_and_send_record(gnutls_session_t session)
+static test_code_t test_do_handshake_and_send_record(gnutls_session_t session)
{
int ret;
/* This will be padded to 512 bytes. */
diff --git a/src/tests.h b/src/tests.h
index d9721a70e2..f5fd646311 100644
--- a/src/tests.h
+++ b/src/tests.h
@@ -19,10 +19,10 @@
*/
#ifndef GNUTLS_SRC_TESTS_H
-#define GNUTLS_SRC_TESTS_H
+# define GNUTLS_SRC_TESTS_H
typedef enum {
- TEST_SUCCEED, TEST_FAILED, TEST_UNSURE, TEST_IGNORE/*keep socket*/, TEST_IGNORE2/*destroy socket*/
+ TEST_SUCCEED, TEST_FAILED, TEST_UNSURE, TEST_IGNORE /*keep socket */ , TEST_IGNORE2 /*destroy socket */
} test_code_t;
test_code_t test_chain_order(gnutls_session_t session);
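Review bot: The re-indented enumerator line now reads `TEST_IGNORE /*keep socket */ , TEST_IGNORE2 /*destroy socket */`, where the indenter has detached the comma from `TEST_IGNORE` and padded the comment closers; that is a tool artifact rather than an intended style. Putting one enumerator per line with its comment after the comma keeps the tool from fighting the inline comments: `TEST_IGNORE, /* keep socket */` followed by `TEST_IGNORE2 /* destroy socket */`.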
@@ -89,10 +89,10 @@ test_code_t test_aes_ccm(gnutls_session_t session);
test_code_t test_aes_ccm_8(gnutls_session_t session);
test_code_t test_sha256(gnutls_session_t session);
-#ifdef ENABLE_GOST
+# ifdef ENABLE_GOST
test_code_t test_vko_gost_12(gnutls_session_t session);
test_code_t test_gost_cnt(gnutls_session_t session);
test_code_t test_gost_imit(gnutls_session_t session);
-#endif
+# endif
-#endif /* GNUTLS_SRC_TESTS_H */
+#endif /* GNUTLS_SRC_TESTS_H */
diff --git a/src/tpmtool.c b/src/tpmtool.c
index 1b230c2ffa..33c2e0cf1f 100644
--- a/src/tpmtool.c
+++ b/src/tpmtool.c
@@ -82,7 +82,6 @@ static void tls_log_func(int level, const char *str)
fprintf(stderr, "|<%d>| %s", level, str);
}
-
int main(int argc, char **argv)
{
cmd_parser(argc, argv);
@@ -163,11 +162,11 @@ static void cmd_parser(int argc, char **argv)
if (HAVE_OPT(BITS))
bits = OPT_VALUE_BITS;
-
if (HAVE_OPT(GENERATE_RSA)) {
key_type = GNUTLS_PK_RSA;
bits = get_bits(key_type, bits, sec_param, 0);
- tpm_generate(outfile, key_type, bits, genflags, HAVE_OPT(SRK_WELL_KNOWN));
+ tpm_generate(outfile, key_type, bits, genflags,
+ HAVE_OPT(SRK_WELL_KNOWN));
} else if (HAVE_OPT(PUBKEY)) {
tpm_pubkey(OPT_ARG(PUBKEY), outfile, HAVE_OPT(SRK_WELL_KNOWN));
} else if (HAVE_OPT(DELETE)) {
@@ -187,19 +186,18 @@ static void cmd_parser(int argc, char **argv)
#define TEST_DATA "Test data to sign"
-static void
-tpm_test_sign(const char *url, FILE * out)
+static void tpm_test_sign(const char *url, FILE * out)
{
gnutls_privkey_t privkey;
gnutls_pubkey_t pubkey;
int ret;
- gnutls_datum_t data, sig = {NULL, 0};
+ gnutls_datum_t data, sig = { NULL, 0 };
int pk;
pkcs11_common(NULL);
- data.data = (void*)TEST_DATA;
- data.size = sizeof(TEST_DATA)-1;
+ data.data = (void *)TEST_DATA;
+ data.size = sizeof(TEST_DATA) - 1;
ret = gnutls_privkey_init(&privkey);
if (ret < 0) {
@@ -229,18 +227,20 @@ tpm_test_sign(const char *url, FILE * out)
exit(1);
}
- ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, &data, &sig);
+ ret =
+ gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, &data, &sig);
if (ret < 0) {
- fprintf(stderr, "Cannot sign data: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "Cannot sign data: %s\n", gnutls_strerror(ret));
exit(1);
}
pk = gnutls_pubkey_get_pk_algorithm(pubkey, NULL);
fprintf(stderr, "Verifying against private key parameters... ");
- ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA1),
- 0, &data, &sig);
+ ret =
+ gnutls_pubkey_verify_data2(pubkey,
+ gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA1),
+ 0, &data, &sig);
if (ret < 0) {
fprintf(stderr, "Cannot verify signed data: %s\n",
gnutls_strerror(ret));
@@ -288,7 +288,6 @@ static void tpm_generate(FILE * out, unsigned int key_type,
exit(1);
}
-
fwrite(privkey.data, 1, privkey.size, out);
fputs("\n", out);
@@ -296,8 +295,7 @@ static void tpm_generate(FILE * out, unsigned int key_type,
gnutls_free(pubkey.data);
}
-static void tpm_delete(const char *url, FILE * out,
- unsigned int srk_well_known)
+static void tpm_delete(const char *url, FILE * out, unsigned int srk_well_known)
{
int ret;
char *srk_pass = NULL;
@@ -373,7 +371,8 @@ static void tpm_pubkey(const char *url, FILE * out, unsigned int srk_well_known)
exit(1);
}
- print_pubkey_info(pubkey, out, GNUTLS_CRT_PRINT_FULL, GNUTLS_X509_FMT_PEM, 1);
+ print_pubkey_info(pubkey, out, GNUTLS_CRT_PRINT_FULL,
+ GNUTLS_X509_FMT_PEM, 1);
gnutls_pubkey_deinit(pubkey);
}
diff --git a/src/udp-serv.c b/src/udp-serv.c
index ca19cbebaa..7ffbf8aad1 100644
--- a/src/udp-serv.c
+++ b/src/udp-serv.c
@@ -21,13 +21,13 @@
#include <stdio.h>
#if HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
+# include <sys/socket.h>
#elif HAVE_WS2TCPIP_H
-#include <ws2tcpip.h>
+# include <ws2tcpip.h>
#endif
#include <arpa/inet.h>
#ifndef _WIN32
-#include <netinet/in.h>
+# include <netinet/in.h>
#endif
#include <sys/select.h>
#include <stdlib.h>
@@ -50,8 +50,7 @@ typedef struct {
static int pull_timeout_func(gnutls_transport_ptr_t ptr, unsigned int ms);
static ssize_t push_func(gnutls_transport_ptr_t p, const void *data,
size_t size);
-static ssize_t pull_func(gnutls_transport_ptr_t p, void *data,
- size_t size);
+static ssize_t pull_func(gnutls_transport_ptr_t p, void *data, size_t size);
#define MAX_BUFFER 255 /* Longest string to echo */
@@ -96,14 +95,14 @@ void udp_server(const char *name, int port, int mtu)
cli_addr_size = sizeof(cli_addr);
ret =
- recvfrom(sock, buffer, sizeof(buffer)-1, MSG_PEEK,
- (struct sockaddr *) &cli_addr,
- &cli_addr_size);
+ recvfrom(sock, buffer, sizeof(buffer) - 1, MSG_PEEK,
+ (struct sockaddr *)&cli_addr, &cli_addr_size);
/* only accept a valid client hello */
if (ret > HANDSHAKE_TYPE_POS &&
buffer[RECORD_CONTENT_POS] == HANDSHAKE_CONTENT_TYPE &&
- buffer[HANDSHAKE_TYPE_POS] == GNUTLS_HANDSHAKE_CLIENT_HELLO) {
+ buffer[HANDSHAKE_TYPE_POS] ==
+ GNUTLS_HANDSHAKE_CLIENT_HELLO) {
if (!HAVE_OPT(NOCOOKIE)) {
memset(&prestate, 0, sizeof(prestate));
ret =
@@ -117,7 +116,7 @@ void udp_server(const char *name, int port, int mtu)
memset(&s, 0, sizeof(s));
s.fd = sock;
- s.cli_addr = (void *) &cli_addr;
+ s.cli_addr = (void *)&cli_addr;
s.cli_addr_size = cli_addr_size;
printf
@@ -125,17 +124,18 @@ void udp_server(const char *name, int port, int mtu)
human_addr((struct sockaddr *)
&cli_addr,
cli_addr_size, buffer,
- sizeof(buffer)-1));
+ sizeof(buffer) - 1));
gnutls_dtls_cookie_send(&cookie_key,
&cli_addr,
cli_addr_size,
&prestate,
(gnutls_transport_ptr_t)
- &s, push_func);
+ & s, push_func);
/* discard peeked data */
- recvfrom(sock, buffer, sizeof(buffer)-1, 0,
- (struct sockaddr *) &cli_addr,
+ recvfrom(sock, buffer,
+ sizeof(buffer) - 1, 0,
+ (struct sockaddr *)&cli_addr,
&cli_addr_size);
continue;
}
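Review bot: In the reflowed `gnutls_dtls_cookie_send(...)` call the last argument now reads `(gnutls_transport_ptr_t)` on one line and `& s, push_func);` on the next, which reads as a binary AND between a parenthesised name and `s`; the indenter evidently did not recognise the cast, since every `(struct sockaddr *)&cli_addr` cast in the same file was rewritten with the `&` attached. Keep the cast and the address-of together, `(gnutls_transport_ptr_t)&s, push_func);`, so the argument reads as the address of `s` that it is. udp_server's body starts and ends outside the hunk.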
@@ -143,7 +143,7 @@ void udp_server(const char *name, int port, int mtu)
printf("Accepted connection from %s\n",
human_addr((struct sockaddr *)
&cli_addr, sizeof(cli_addr),
- buffer, sizeof(buffer)-1));
+ buffer, sizeof(buffer) - 1));
} else
continue;
@@ -168,8 +168,7 @@ void udp_server(const char *name, int port, int mtu)
do {
ret = gnutls_handshake(session);
}
- while (ret == GNUTLS_E_AGAIN
- || ret == GNUTLS_E_INTERRUPTED);
+ while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret < 0) {
fprintf(stderr, "Error in handshake(): %s\n",
@@ -182,10 +181,9 @@ void udp_server(const char *name, int port, int mtu)
do {
ret =
gnutls_record_recv_seq(session, buffer,
- sizeof(buffer)-1,
+ sizeof(buffer) - 1,
sequence);
- if (ret ==
- GNUTLS_E_HEARTBEAT_PING_RECEIVED)
+ if (ret == GNUTLS_E_HEARTBEAT_PING_RECEIVED)
gnutls_heartbeat_pong(session, 0);
}
while (ret == GNUTLS_E_INTERRUPTED
@@ -193,8 +191,7 @@ void udp_server(const char *name, int port, int mtu)
|| ret == GNUTLS_E_HEARTBEAT_PING_RECEIVED);
if (ret == GNUTLS_E_REHANDSHAKE) {
- fprintf(stderr,
- "*** Received hello message\n");
+ fprintf(stderr, "*** Received hello message\n");
do {
ret = gnutls_handshake(session);
}
@@ -221,11 +218,10 @@ void udp_server(const char *name, int port, int mtu)
sequence[3], sequence[4], sequence[5],
sequence[6], sequence[7], buffer);
- if (check_command(session, buffer, disable_client_cert) == 0) {
+ if (check_command(session, buffer, disable_client_cert)
+ == 0) {
/* reply back */
- ret =
- gnutls_record_send(session, buffer,
- ret);
+ ret = gnutls_record_send(session, buffer, ret);
if (ret < 0) {
fprintf(stderr,
"Error in send(): %s\n",
@@ -267,11 +263,10 @@ static int pull_timeout_func(gnutls_transport_ptr_t ptr, unsigned int ms)
cli_addr_size = sizeof(cli_addr);
ret =
recvfrom(priv->fd, &c, 1, MSG_PEEK,
- (struct sockaddr *) &cli_addr, &cli_addr_size);
+ (struct sockaddr *)&cli_addr, &cli_addr_size);
if (ret > 0) {
if (cli_addr_size == priv->cli_addr_size
- && memcmp(&cli_addr, priv->cli_addr,
- sizeof(cli_addr)) == 0)
+ && memcmp(&cli_addr, priv->cli_addr, sizeof(cli_addr)) == 0)
return 1;
}
@@ -283,8 +278,8 @@ static ssize_t push_func(gnutls_transport_ptr_t p, const void *data,
{
priv_data_st *priv = p;
- return sendto(priv->fd, data, size, 0, (struct sockaddr*)priv->cli_addr,
- priv->cli_addr_size);
+ return sendto(priv->fd, data, size, 0,
+ (struct sockaddr *)priv->cli_addr, priv->cli_addr_size);
}
static ssize_t pull_func(gnutls_transport_ptr_t p, void *data, size_t size)
@@ -298,7 +293,7 @@ static ssize_t pull_func(gnutls_transport_ptr_t p, void *data, size_t size)
cli_addr_size = sizeof(cli_addr);
ret =
recvfrom(priv->fd, data, size, 0,
- (struct sockaddr *) &cli_addr, &cli_addr_size);
+ (struct sockaddr *)&cli_addr, &cli_addr_size);
if (ret == -1)
return ret;
@@ -306,10 +301,11 @@ static ssize_t pull_func(gnutls_transport_ptr_t p, void *data, size_t size)
&& memcmp(&cli_addr, priv->cli_addr, sizeof(cli_addr)) == 0)
return ret;
- printf("Denied connection from %s\n",
- human_addr((struct sockaddr *)
- &cli_addr, sizeof(cli_addr), buffer,
- sizeof(buffer)));
+ printf("Denied connection from %s\n", human_addr((struct sockaddr *)
+ &cli_addr,
+ sizeof(cli_addr),
+ buffer,
+ sizeof(buffer)));
gnutls_transport_set_errno(priv->session, EAGAIN);
return -1;
diff --git a/src/udp-serv.h b/src/udp-serv.h
index 08c88de254..b32f9dd664 100644
--- a/src/udp-serv.h
+++ b/src/udp-serv.h
@@ -18,9 +18,9 @@
*/
#ifndef GNUTLS_SRC_UDP_SERV_H
-#define GNUTLS_SRC_UDP_SERV_H
+# define GNUTLS_SRC_UDP_SERV_H
-#include <gnutls/dtls.h>
+# include <gnutls/dtls.h>
void udp_server(const char *name, int port, int mtu);
gnutls_session_t initialize_session(int dtls);
@@ -29,4 +29,4 @@ const char *human_addr(const struct sockaddr *sa, socklen_t salen,
int wait_for_connection(void);
int listen_socket(const char *name, int listen_port, int socktype);
-#endif /* GNUTLS_SRC_UDP_SERV_H */
+#endif /* GNUTLS_SRC_UDP_SERV_H */