-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | doc/tex/auth.tex | 46 | ||||
-rw-r--r-- | lib/gnutls_algorithms.c | 9 | ||||
-rw-r--r-- | lib/gnutls_ui.h | 52 | ||||
-rw-r--r-- | lib/x509/rfc2818_hostname.c | 1 | ||||
-rw-r--r-- | lib/x509/x509.c | 7 | ||||
-rw-r--r-- | src/certtool.c | 4 |
7 files changed, 81 insertions, 40 deletions
@@ -1,4 +1,4 @@
-Version 1.1.3
+Version 1.1.3 (30/12/2003)
 - Implemented TLS 1.1 (and also obsoleted the TLS 1.0 CBC protection hack).
diff --git a/doc/tex/auth.tex b/doc/tex/auth.tex
index 3900c71f9b..7a6f08a3ee 100644
--- a/doc/tex/auth.tex
+++ b/doc/tex/auth.tex
@@ -40,3 +40,49 @@ ANON\_DH & This algorithm exchanges Diffie Hellman parameters.
 \end{figure}
 \input{srp}
+
+\section{Authentication and credentials}
+In \gnutls{} every key exchange method is associated with a
+credentials type. So in order to enable to enable a specific
+method, the corresponding credentials type should be initialized
+and set using \printfunc{gnutls_credentials_set}{gnutls\_credentials\_set}.
+A mapping is shown in \hyperref{figure}{figure }{}{fig:kxcred}.
+
+\begin{figure}[hbtp]
+\begin{tabular}{|l|l|p{4.5cm}|}
+
+\hline
+\bf{Key exchange} & \bf{Client credentials} & \bf{Server credentials}
+\\
+\hline
+\hline
+KX\_RSA &&
+\\
+\cline{1-1}
+KX\_DHE\_RSA & CRD\_CERTIFICATE & CRD\_CERTIFICATE
+\\
+\cline{1-1}
+KX\_DHE\_DSS &&
+\\
+\cline{1-1}
+KX\_RSA\_EXPORT &&
+\\
+\hline
+KX\_SRP\_RSA & CRD\_SRP & CRD\_SRP
+\\
+\cline{1-1}
+KX\_SRP\_DSS && CRD\_CERTIFICATE
+\\
+\hline
+KX\_SRP & CRD\_SRP & CRD\_SRP
+\\
+\hline
+KX\_ANON\_DH & CRD\_ANON & CRD\_ANON
+\\
+\hline
+\end{tabular}
+
+\caption{Key exchange algorithms and the corresponding credential types}
+\label{fig:kxcred}
+
+\end{figure}
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index c02a308f36..d20cecc3db 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -26,7 +26,10 @@
 #include "gnutls_cert.h"
-/* Cred type mappings to KX algorithms */
+/* Cred type mappings to KX algorithms
+ * FIXME: The mappings are not 1-1. Some KX such as SRP_RSA require
+ * more than one credentials type.
+ */
 typedef struct {
 gnutls_kx_algorithm algorithm;
 gnutls_credentials_type client_type;
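Review bot: The new FIXME on the cred_mappings comment says some key exchanges need more than one credentials type but does not say which type the table leaves out, so a reader still cannot tell what a match in this table does and does not guarantee. In the next hunk the server side of GNUTLS_KX_SRP_RSA and GNUTLS_KX_SRP_DSS is recorded as GNUTLS_CRD_CERTIFICATE only, while the auth.tex figure in this same commit lists both CRD_SRP and CRD_CERTIFICATE for those server roles. Suggest making the comment concrete: ` * FIXME: SRP_RSA and SRP_DSS servers need both GNUTLS_CRD_SRP and` / ` * GNUTLS_CRD_CERTIFICATE; only the certificate type is recorded here, so a` / ` * match must not be read as "all required credentials are present".` Whether any lookup actually relies on that is not visible here, and the struct definition continues past the hunk.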
@@ -41,8 +44,8 @@ static const gnutls_cred_map cred_mappings[] = {
 { GNUTLS_KX_DHE_DSS, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE },
 { GNUTLS_KX_DHE_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE },
 { GNUTLS_KX_SRP, GNUTLS_CRD_SRP, GNUTLS_CRD_SRP },
- { GNUTLS_KX_SRP_RSA, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE },
- { GNUTLS_KX_SRP_DSS, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE },
+ { GNUTLS_KX_SRP_RSA, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE },
+ { GNUTLS_KX_SRP_DSS, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE },
 { 0, 0, 0}
 };
diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h
index c9b52d443b..7db05a4b24 100644
--- a/lib/gnutls_ui.h
+++ b/lib/gnutls_ui.h
@@ -12,16 +12,10 @@ typedef enum gnutls_x509_subject_alt_name {
 * callbacks. */
 typedef int gnutls_certificate_client_select_function(gnutls_session,
- const gnutls_datum *
- client_cert,
- int ncerts,
- const gnutls_datum *
- req_ca_cert,
- int nreqs);
+ const gnutls_datum * client_cert, int ncerts,
+ const gnutls_datum * req_ca_cert, int nreqs);
 typedef int gnutls_certificate_server_select_function(gnutls_session,
- const gnutls_datum *
- server_certs,
- int ncerts);
+ const gnutls_datum * server_certs, int ncerts);
 struct gnutls_openpgp_key_int;
@@ -72,42 +66,34 @@ int gnutls_rsa_export_get_modulus_bits(gnutls_session session);
 /* X509PKI */
 void gnutls_certificate_client_set_select_function(gnutls_session,
- gnutls_certificate_client_select_function
- *);
+ gnutls_certificate_client_select_function *);
 void gnutls_certificate_server_set_select_function(gnutls_session,
- gnutls_certificate_server_select_function
- *);
+ gnutls_certificate_server_select_function *);
 /* These are set on the credentials structure. */
 void gnutls_certificate_client_set_retrieve_function(gnutls_certificate_client_credentials,
- gnutls_certificate_client_retrieve_function
- *);
+ gnutls_certificate_client_retrieve_function *);
 void gnutls_certificate_server_set_retrieve_function(gnutls_certificate_server_credentials,
- gnutls_certificate_server_retrieve_function
- *);
+ gnutls_certificate_server_retrieve_function *);
 void gnutls_certificate_server_set_request(gnutls_session,
- gnutls_certificate_request);
+ gnutls_certificate_request);
 /* X.509 certificate handling functions */
 int gnutls_pkcs3_extract_dh_params(const gnutls_datum * params,
- gnutls_x509_crt_fmt format,
- gnutls_datum * prime,
- gnutls_datum * generator,
- int *prime_bits);
+ gnutls_x509_crt_fmt format, gnutls_datum * prime,
+ gnutls_datum * generator, int *prime_bits);
 int gnutls_pkcs3_export_dh_params(const gnutls_datum * prime,
- const gnutls_datum * generator,
- gnutls_x509_crt_fmt format,
- unsigned char *params_data,
- int *params_data_size);
+ const gnutls_datum * generator, gnutls_x509_crt_fmt format,
+ unsigned char *params_data, int *params_data_size);
 /* get data from the session */
 const gnutls_datum *gnutls_certificate_get_peers(gnutls_session,
- unsigned int *list_size);
+ unsigned int *list_size);
 const gnutls_datum *gnutls_certificate_get_ours(gnutls_session session);
 time_t gnutls_certificate_activation_time_peers(gnutls_session session);
@@ -117,17 +103,15 @@ int gnutls_certificate_client_get_request_status(gnutls_session);
 int gnutls_certificate_verify_peers(gnutls_session);
 int gnutls_pem_base64_encode(const char *header, const gnutls_datum * data,
- char *result, size_t * result_size);
+ char *result, size_t * result_size);
 int gnutls_pem_base64_decode(const char *header,
- const gnutls_datum * b64_data,
- unsigned char *result, size_t * result_size);
+ const gnutls_datum * b64_data,
+ unsigned char *result, size_t * result_size);
 int gnutls_pem_base64_encode_alloc(const char *header,
- const gnutls_datum * data,
- gnutls_datum * result);
+ const gnutls_datum * data, gnutls_datum * result);
 int gnutls_pem_base64_decode_alloc(const char *header,
- const gnutls_datum * b64_data,
- gnutls_datum * result);
+ const gnutls_datum * b64_data, gnutls_datum * result);
 /* key_usage will be an OR of the following values: */
diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c
index a3c4a03048..4cc66cf0ac 100644
--- a/lib/x509/rfc2818_hostname.c
+++ b/lib/x509/rfc2818_hostname.c
@@ -28,6 +28,7 @@
 #include <common.h>
 #include <gnutls/compat8.h>
 #include <rfc2818.h>
+#include <gnutls_errors.h>
 /* compare hostname against certificate, taking account of wildcards
 * return 1 on success or 0 on error
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index ccfbaf1580..f0455bb820 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -1408,6 +1408,13 @@ int result;
 *
 * This function will return the CRL distribution points (2.5.29.31), contained in the
 * given certificate.
+ *
+ * @reason_flags should be an ORed sequence of GNUTLS_CRL_REASON_UNUSED,
+ * GNUTLS_CRL_REASON_KEY_COMPROMISE, GNUTLS_CRL_REASON_CA_COMPROMISE,
+ * GNUTLS_CRL_REASON_AFFILIATION_CHANGED, GNUTLS_CRL_REASON_SUPERSEEDED,
+ * GNUTLS_CRL_REASON_CESSATION_OF_OPERATION, GNUTLS_CRL_REASON_CERTIFICATE_HOLD,
+ * GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN, GNUTLS_CRL_REASON_AA_COMPROMISE,
+ * or zero for all possible reasons.
 *
 * This is specified in X509v3 Certificate Extensions. GNUTLS will return the
 * distribution point type, or a negative error code on error.
diff --git a/src/certtool.c b/src/certtool.c
index 40e51ae271..65d264ec19 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -720,7 +720,7 @@ int ret;
 }
 if (info.outfile) {
- outfile = fopen(info.outfile, "w");
+ outfile = fopen(info.outfile, "wb");
 if (outfile == NULL) {
 fprintf(stderr, "error: could not open '%s'.\n", info.outfile);
 exit(1);
@@ -728,7 +728,7 @@ int ret;
 }
 else outfile = stdout;
 if (info.infile) {
- infile = fopen(info.infile, "r");
+ infile = fopen(info.infile, "rb");
 if (infile == NULL) {
 fprintf(stderr, "error: could not open '%s'.\n", info.infile);
 exit(1);
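Review bot: The added @reason_flags paragraph reads as a precondition on the caller ("should be an ORed sequence ... or zero for all possible reasons"), but the surrounding text says the function returns distribution points, and if reason_flags is a pointer the function fills in from the extension, the sentence describes the wrong direction. The signature is outside the hunk, so this needs confirming; if it is an output, rewording to `On return *reason_flags holds an OR of the GNUTLS_CRL_REASON_* values listed below, or zero when the distribution point applies to all reasons.` would remove the ambiguity. It is also worth saying that the reasons field of a DistributionPoint is optional, so zero is the expected value for most certificates rather than an error. The function body starts before and continues after the hunk.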
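Review bot: The failure message right after the changed fopen() still drops the reason for the failure, so a permissions problem, a missing directory and a read-only target are all reported identically; `fprintf(stderr, "error: could not open '%s': %s.\n", info.outfile, strerror(errno));` (with <errno.h> and <string.h> in scope, if they are not already) would say why, and the same applies to the infile branch in the second hunk. Separately, if this outfile can receive a generated private key, fopen(..., "wb") creates it with the process umask; opening it with open(..., O_WRONLY|O_CREAT|O_TRUNC, 0600) and fdopen() would keep the key from being created world-readable. What this path writes is not visible here, as the enclosing function starts before the hunk, so that second point needs checking against the caller.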