-rw-r--r-- | NEWS | 5 | ||||
-rw-r--r-- | doc/tex/certificate.tex | 79 | ||||
-rw-r--r-- | doc/tex/cover.tex.in | 1 | ||||
-rw-r--r-- | doc/tex/ex-rfc2818.tex | 93 | ||||
-rw-r--r-- | lib/gnutls.h.in.in | 14 | ||||
-rw-r--r-- | lib/gnutls_cert.c | 5 | ||||
-rw-r--r-- | lib/gnutls_int.h | 17 | ||||
-rw-r--r-- | lib/x509/compat.c | 7 | ||||
-rw-r--r-- | lib/x509/verify.c | 25 | ||||
-rw-r--r-- | libextra/openpgp/compat.c | 7 | ||||
-rw-r--r-- | libextra/openpgp/extras.c | 1 | ||||
-rw-r--r-- | libextra/openpgp/verify.c | 73 | ||||
-rw-r--r-- | src/Makefile.am | 10 | ||||
-rw-r--r-- | src/certtool-gaa.c | 124 | ||||
-rw-r--r-- | src/certtool-gaa.h | 26 | ||||
-rw-r--r-- | src/certtool.c | 10 | ||||
-rw-r--r-- | src/certtool.gaa | 2 | ||||
-rw-r--r-- | src/common.c | 24 | ||||
-rw-r--r-- | src/prime.c | 82 |
19 files changed, 306 insertions, 299 deletions
@@ -1,7 +1,6 @@ Version 0.9.95 -- Improved the verification functions. Added the GNUTLS_CERT_ISSUER_NOT_CA, - GNUTLS_CERT_ISSUER_NOT_FOUND verification output flags, and removed - the unused GNUTLS_CERT_CORRUPTED. +- Improved the verification functions. Added new verification + output flags and removed the unused and redundant ones. - Improved the OpenPGP key support. Version 0.9.94 (30/10/2003) diff --git a/doc/tex/certificate.tex b/doc/tex/certificate.tex index 356dae48e7..62064e839e 100644 --- a/doc/tex/certificate.tex +++ b/doc/tex/certificate.tex @@ -59,20 +59,17 @@ is equivalent to the previous one, and will verify the peer's certificate in a T \begin{tabular}{|l|p{9cm}|} \hline -CERT\_INVALID & The certificate chain is broken. -\\ -\hline -CERT\_NOT\_TRUSTED & The certificate is not signed by one of the authorities marked as trusted. +CERT\_INVALID & The certificate is not signed by one of the known authorities. \\ \hline CERT\_REVOKED & The certificate has been revoked. \\ \hline -CERT\_CORRUPTED & The certificate is corrupted. +CERT\_SIGNER\_NOT\_FOUND & The certificate's issuer is not known. \\ \hline \end{tabular} -\caption{Certificate verification} +\caption{X.509 certificate verification} \label{fig:verify} \end{figure} 
@@ -139,44 +136,40 @@ signs other people's keys without being sure that they belong to the actual owner. \subsection{Verifying an OpenPGP key} -First we've to differentiate between ownertrust and validity. Sometimes trust -and validity is used as a synonym but this is not correct. -\par -The ownertrust describes how trustworthy the signature of a special -key owner is. Even if we've three or more signatures to make a key valid, -it's possible that we don't trust the owner at all and thus we don't trust -the signature he made. There are different ownertrust levels: -\begin{enumerate} -\item Don't know -\item I do NOT trust -\item I trust marginally -\item I trust fully -\item I trust ultimately. -\end{enumerate} - -For example we need three marginally trusted signature to make a key -valid or one full trusted signature. The ultimate trust is only used -when we are the owner of a key and we also have the secret key. -In the case we don't trust the owner, those signatures are skipped -for the web of trust calculation. +The verification functions of OpenPGP keys, included in \gnutls{}, +are simple ones, and do not use the features of the ``web of trust''. +For that reason, if the verification needs are complex, +the assistance of external tools like GnuPG is recommended. \par -All checks in GnuTLS are done in \printfunc{gnutls_openpgp_key_verify_ring}{gnutls\_openpgp\_key\_verify\_ring} -and \printfunc{gnutls_openpgp_key_verify_trustdb}{gnutls\_openpgp\_key\_verify\_trustdb}. -If a trust database is available, this is the file which contains all information about the -key owner (ownertrust), additional checks are performed. +There are two verification functions in \gnutls{}, +The \printfunc{gnutls_openpgp_key_verify_ring}{gnutls\_openpgp\_key\_verify\_ring} +and the \printfunc{gnutls_openpgp_key_verify_trustdb}{gnutls\_openpgp\_key\_verify\_trustdb}. \\ -First we get the trustdb entry to see if the key is not disabled because -those keys shouldn't be used at all. 
Another possible case is that we -don't trust the key, which means we don't need to perform further checks. -\par -If the ownertrust is at least marginal we continue to check all signatures -the key contains to get the validity of the key. It is likely that the -public keyring does not contain all needed keys to check all signatures. -When a signature could not be checked due to a missing key, the function -tries the next signature. When NO public key is available, the function -checks at least the self signature which must be valid in any case because -it was created by the key itself. +The first one checks an OpenPGP key against a given set of public keys (keyring) and +returns the key status. The key verification status is the same as in X.509 certificates, +although the meaning and interpretation are different. For example an OpenPGP key may +be valid, if the self signature is ok, even if no signers were found. +The meaning of verification status is shown in figure \ref{fig:pgp_verify}. \\ -Validity means if the signatures on the key are valid and the key was not -changed by somebody or corrupted during transport. +The latter function checks a GnuPG trust database for the given key. This function does not +check the key signatures, only checks for disabled and revoked keys. + +\begin{figure}[hbtp] +\begin{tabular}{|l|p{9cm}|} + +\hline +CERT\_INVALID & A signature on the key is invalid. That means that the key was modified +by somebody, or corrupted during transport. +\\ +\hline +CERT\_REVOKED & The key has been revoked by its owner. +\\ +\hline +CERT\_SIGNER\_NOT\_FOUND & The key was not signed by a known signer. +\\ +\hline +\end{tabular} +\caption{OpenPGP key verification} +\label{fig:pgp_verify} +\end{figure} diff --git a/doc/tex/cover.tex.in b/doc/tex/cover.tex.in index aa7095fb96..0a3ff11bfc 100644 --- a/doc/tex/cover.tex.in +++ b/doc/tex/cover.tex.in 
@@ -50,7 +50,6 @@ Applies to GnuTLS @VERSION@ \begin{center} \par Copyright \copyright\ 2001,2002,2003 Nikos Mavroyanopoulos\\ -Portions copyright \copyright\ 2001,2002,2003 Timo Schulz\\ \setlength{\parskip}{4mm} \par Permission is granted to copy, distribute and/or modify this document diff --git a/doc/tex/ex-rfc2818.tex b/doc/tex/ex-rfc2818.tex index 18a2339937..6d3a36f229 100644 --- a/doc/tex/ex-rfc2818.tex +++ b/doc/tex/ex-rfc2818.tex @@ -12,6 +12,14 @@ void verify_certificate( gnutls_session session, const char* hostname) { int status; + const gnutls_datum* cert_list; + int cert_list_size; + gnutls_x509_crt cert; + + /* This function only works with X.509 certificates. + */ + if ( gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) + return; /* This verification function uses the trusted CAs in the credentials * structure. So you must have installed one or more CA certificates. 
@@ -24,66 +32,53 @@ void verify_certificate( gnutls_session session, const char* hostname) } if (status & GNUTLS_CERT_INVALID) - printf("The certificate chain is broken.\n"); + printf("The certificate is not trusted.\n"); - if (status & GNUTLS_CERT_CORRUPTED) - printf("The certificate is corrupted.\n"); + if (status & GNUTLS_CERT_ISSUER_NOT_FOUND) + printf("The certificate hasn't got a known issuer.\n"); if (status & GNUTLS_CERT_REVOKED) - printf("The certificate has been revoked.\n"); + printf("The certificate has been revoked.\n"); - if (status & GNUTLS_CERT_NOT_TRUSTED) { - printf("The certificate is not trusted.\n"); + + if ( gnutls_x509_crt_init( &cert) < 0) { + printf("error in initialization\n"); + return; + } + + cert_list = gnutls_certificate_get_peers( session, &cert_list_size); + if ( cert_list == NULL) { + printf("No certificate was found!\n"); + return; + } + + /* This is not a real world example, since we only check the first + * certificate in the given chain. + */ + if ( gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) { + printf("error parsing certificate\n"); return; } + /* Beware here we do not check for errors. + */ + if ( gnutls_x509_crt_get_expiration( cert) < time(0)) { + printf("The certificate has expired\n"); + return; + } - if ( gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) { - const gnutls_datum* cert_list; - int cert_list_size; - gnutls_x509_crt cert; - - if ( gnutls_x509_crt_init( &cert) < 0) { - printf("error in initialization\n"); - return; - } - - cert_list = gnutls_certificate_get_peers( session, &cert_list_size); - if ( cert_list == NULL) { - printf("No certificate was found!\n"); - return; - } - - /* Here we only check the first certificate in the given - * chain. - */ - if ( gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) { - printf("error parsing certificate\n"); - return; - } - - /* Beware here we do not check for errors. 
- */ - if ( gnutls_x509_crt_get_expiration( cert) < time(0)) { - printf("The certificate has expired\n"); - return; - } - - if ( gnutls_x509_crt_get_activation_time( cert) > time(0)) { - printf("The certificate is not yet activated\n"); - return; - } - - if ( !gnutls_x509_crt_check_hostname( cert, hostname)) { - printf("The certificate does not match hostname\n"); - return; - } - - gnutls_x509_crt_deinit( cert); + if ( gnutls_x509_crt_get_activation_time( cert) > time(0)) { + printf("The certificate is not yet activated\n"); + return; + } + if ( !gnutls_x509_crt_check_hostname( cert, hostname)) { + printf("The certificate does not match hostname\n"); + return; } - printf("The certificate is trusted.\n"); + gnutls_x509_crt_deinit( cert); + return; } diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in index e892b51f3b..932196ccb9 100644 --- a/lib/gnutls.h.in.in +++ b/lib/gnutls.h.in.in 
@@ -109,22 +109,20 @@ typedef enum gnutls_handshake_description { GNUTLS_HANDSHAKE_HELLO_REQUEST, /* Note that the status bits have different meanings * in openpgp keys and x.509 certificate verification. */ +#define GNUTLS_CERT_NOT_TRUSTED GNUTLS_CERT_INVALID typedef enum gnutls_certificate_status { - GNUTLS_CERT_NOT_TRUSTED=2, /* will be set if the certificate - * was not verified. - */ - GNUTLS_CERT_INVALID=4, /* in X.509 API will be set only when - * verifying certificate chains. + GNUTLS_CERT_INVALID=1, /* will be set if the certificate + * was not verified. */ - GNUTLS_CERT_REVOKED=32, /* in X.509 this will be set only if CRLs are checked + GNUTLS_CERT_REVOKED=2, /* in X.509 this will be set only if CRLs are checked */ /* Those are extra information about the verification * process. Will be set only if the certificate was * not verified. */ - GNUTLS_CERT_ISSUER_NOT_FOUND=64, - GNUTLS_CERT_ISSUER_NOT_CA=128 + GNUTLS_CERT_SIGNER_NOT_FOUND=4, + GNUTLS_CERT_SIGNER_NOT_CA=8 } gnutls_certificate_status; typedef enum gnutls_certificate_request { GNUTLS_CERT_IGNORE, GNUTLS_CERT_REQUEST=1, GNUTLS_CERT_REQUIRE } gnutls_certificate_request; diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 32ffc4d8d5..eff0be5ba3 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -358,8 +358,9 @@ int _gnutls_openpgp_cert_verify_peers(gnutls_session session) * actual peer. * * The return value should be one or more of the gnutls_certificate_status - * enumerated elements bitwise or'd. This is the same as - * gnutls_x509_verify_certificate(). + * enumerated elements bitwise or'd. + * + * This is the same as gnutls_x509_verify_certificate(). * **/ int gnutls_certificate_verify_peers(gnutls_session session) diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 2381033e05..d9d1274b2d 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h 
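Review bot: Renumbering `gnutls_certificate_status` changes the meaning of every status bit for callers that are already built: the old `GNUTLS_CERT_NOT_TRUSTED` was 2, which is now `GNUTLS_CERT_REVOKED`, and the old `GNUTLS_CERT_INVALID` was 4, which is now `GNUTLS_CERT_SIGNER_NOT_FOUND`. A program compiled against the old header and run with the new library would miss an untrusted certificate when it tests the old bit, so this needs a shared-library version bump (none is visible in this diff) or the old values kept. The renamed `GNUTLS_CERT_ISSUER_NOT_FOUND` and `GNUTLS_CERT_ISSUER_NOT_CA` get no compatibility define, although the updated example in doc/tex/ex-rfc2818.tex still tests `GNUTLS_CERT_ISSUER_NOT_FOUND`; I would add `#define GNUTLS_CERT_ISSUER_NOT_FOUND GNUTLS_CERT_SIGNER_NOT_FOUND` and `#define GNUTLS_CERT_ISSUER_NOT_CA GNUTLS_CERT_SIGNER_NOT_CA` next to the `GNUTLS_CERT_NOT_TRUSTED` define. The same enum is duplicated in lib/gnutls_int.h and has to stay in step with this one.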
@@ -107,11 +107,18 @@ typedef struct { opaque pint[3]; } uint24; typedef enum ChangeCipherSpecType { GNUTLS_TYPE_CHANGE_CIPHER_SPEC=1 } ChangeCipherSpecType; typedef enum gnutls_certificate_status { - GNUTLS_CERT_NOT_TRUSTED=2, - GNUTLS_CERT_INVALID=4, /* refers to certificate chain */ - GNUTLS_CERT_REVOKED=32, /* will be present only if crls are checked */ - GNUTLS_CERT_ISSUER_NOT_FOUND=64, - GNUTLS_CERT_ISSUER_NOT_CA=128 + GNUTLS_CERT_INVALID=1, /* will be set if the certificate + * was not verified. + */ + GNUTLS_CERT_REVOKED=2, /* in X.509 this will be set only if CRLs are checked + */ + + /* Those are extra information about the verification + * process. Will be set only if the certificate was + * not verified. + */ + GNUTLS_CERT_SIGNER_NOT_FOUND=4, + GNUTLS_CERT_SIGNER_NOT_CA=8 } gnutls_certificate_status; typedef enum gnutls_certificate_request { GNUTLS_CERT_IGNORE, GNUTLS_CERT_REQUEST=1, GNUTLS_CERT_REQUIRE } gnutls_certificate_request; diff --git a/lib/x509/compat.c b/lib/x509/compat.c index 1d682c6b1b..1ee676e693 100644 --- a/lib/x509/compat.c +++ b/lib/x509/compat.c @@ -515,12 +515,9 @@ int gnutls_x509_extract_certificate_dn_string(char *buf, unsigned int sizeof_buf * The return value (status) should be one or more of the gnutls_certificate_status * enumerated elements bitwise or'd. * - * GNUTLS_CERT_NOT_TRUSTED\: the peer's certificate is not trusted. + * GNUTLS_CERT_INVALID\: the peer's certificate is not valid. * - * GNUTLS_CERT_INVALID\: the certificate chain is broken. - * - * GNUTLS_CERT_REVOKED\: the certificate has been revoked - * (not implemented yet). + * GNUTLS_CERT_REVOKED\: the certificate has been revoked. * * A negative error code is returned in case of an error. * GNUTLS_E_NO_CERTIFICATE_FOUND is returned to indicate that diff --git a/lib/x509/verify.c b/lib/x509/verify.c index e6f1ecf937..b63d81a278 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c 
@@ -203,7 +203,7 @@ int ret, issuer_version, result; issuer = find_issuer(cert, trusted_cas, tcas_size); else { gnutls_assert(); - if (output) *output |= GNUTLS_CERT_ISSUER_NOT_FOUND | GNUTLS_CERT_NOT_TRUSTED; + if (output) *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; return 0; } @@ -211,7 +211,7 @@ int ret, issuer_version, result; * authorities. */ if (issuer == NULL) { - if (output) *output |= GNUTLS_CERT_ISSUER_NOT_FOUND | GNUTLS_CERT_NOT_TRUSTED; + if (output) *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; gnutls_assert(); return 0; } @@ -226,7 +226,7 @@ int ret, issuer_version, result; !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1)) { if (check_if_ca(cert, issuer)==0) { gnutls_assert(); - if (output) *output |= GNUTLS_CERT_ISSUER_NOT_CA | GNUTLS_CERT_NOT_TRUSTED; + if (output) *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; return 0; } } @@ -250,7 +250,7 @@ int ret, issuer_version, result; } else if (ret == 0) { gnutls_assert(); /* error. ignore it */ - if (output) *output |= GNUTLS_CERT_NOT_TRUSTED; + if (output) *output |= GNUTLS_CERT_INVALID; ret = 0; } @@ -319,7 +319,7 @@ unsigned int _gnutls_x509_verify_certificate(gnutls_x509_crt * certificate_list, * and return immediately. */ gnutls_assert(); - return (status | GNUTLS_CERT_NOT_TRUSTED); + return (0 | GNUTLS_CERT_INVALID); } /* Now verify the last certificate in the certificate path @@ -338,7 +338,8 @@ unsigned int _gnutls_x509_verify_certificate(gnutls_x509_crt * certificate_list, * trusted. */ gnutls_assert(); - status |= GNUTLS_CERT_NOT_TRUSTED; + if (!(status & GNUTLS_CERT_INVALID)) + status |= GNUTLS_CERT_INVALID; } return status; 
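Review bot: In the `@@ -319` hunk, `return (0 | GNUTLS_CERT_INVALID);` no longer returns the bits accumulated in `status`, where the old line returned `status | GNUTLS_CERT_NOT_TRUSTED`. If the failing chain step wrote detail such as `GNUTLS_CERT_SIGNER_NOT_CA` into `status` (the call is outside the hunk, so this is inferred), the caller loses the reason for the failure. Either keep `return (status | GNUTLS_CERT_INVALID);` or, if dropping the detail is intended, write `return GNUTLS_CERT_INVALID;` with a comment saying why. `_gnutls_x509_verify_certificate` begins and ends outside this hunk.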
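Review bot: The guard added in the `@@ -338` hunk is redundant, because OR-ing a bit that is already set changes nothing. `status |= GNUTLS_CERT_INVALID;` on its own has the same effect and reads more clearly. The enclosing function is only partly visible in this hunk.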
@@ -549,9 +550,7 @@ int ret, issuer_params_size, i; * The certificate verification output will be put in 'verify' and will be * one or more of the gnutls_certificate_status enumerated elements bitwise or'd. * - * GNUTLS_CERT_NOT_TRUSTED\: the peer's certificate is not trusted. - * - * GNUTLS_CERT_INVALID\: the certificate chain is broken. + * GNUTLS_CERT_INVALID\: the peer's certificate is not valid. * * GNUTLS_CERT_REVOKED\: the certificate has been revoked. * @@ -748,7 +747,7 @@ int ret, result; issuer = find_crl_issuer(crl, trusted_cas, tcas_size); else { gnutls_assert(); - if (output) *output |= GNUTLS_CERT_ISSUER_NOT_FOUND | GNUTLS_CERT_NOT_TRUSTED; + if (output) *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; return 0; } @@ -757,7 +756,7 @@ int ret, result; */ if (issuer == NULL) { gnutls_assert(); - if (output) *output |= GNUTLS_CERT_ISSUER_NOT_FOUND | GNUTLS_CERT_NOT_TRUSTED; + if (output) *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; return 0; } @@ -765,7 +764,7 @@ int ret, result; if (gnutls_x509_crt_get_ca_status(issuer, NULL) != 1) { gnutls_assert(); - if (output) *output |= GNUTLS_CERT_ISSUER_NOT_CA | GNUTLS_CERT_NOT_TRUSTED; + if (output) *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; return 0; } } @@ -788,7 +787,7 @@ int ret, result; } else if (ret == 0) { gnutls_assert(); /* error. ignore it */ - if (output) *output |= GNUTLS_CERT_NOT_TRUSTED; + if (output) *output |= GNUTLS_CERT_INVALID; ret = 0; } diff --git a/libextra/openpgp/compat.c b/libextra/openpgp/compat.c index 9cc9f2d915..6e956cc962 100644 --- a/libextra/openpgp/compat.c +++ b/libextra/openpgp/compat.c @@ -76,7 +76,6 @@ int gnutls_openpgp_verify_key(const char *trustdb, goto leave; } - if (trustdb) { /* Use the trustDB */ ret = gnutls_openpgp_trustdb_init( &tdb); 
@@ -101,8 +100,10 @@ int gnutls_openpgp_verify_key(const char *trustdb, goto leave; } - if (!keyring) { - ret = GNUTLS_CERT_NOT_TRUSTED | GNUTLS_CERT_INVALID; + if (!keyring || !keyring->data || keyring->size == 0) { + ret = GNUTLS_CERT_INVALID | + GNUTLS_CERT_SIGNER_NOT_FOUND; +#warning CHECK SELF SIGNATURE HERE goto leave; } diff --git a/libextra/openpgp/extras.c b/libextra/openpgp/extras.c index e6ddeb317e..48a36ccb7f 100644 --- a/libextra/openpgp/extras.c +++ b/libextra/openpgp/extras.c @@ -171,7 +171,6 @@ int gnutls_openpgp_trustdb_import_file(gnutls_openpgp_trustdb trustdb, const char * file) { int rc; - rc = cdk_stream_open( file, &trustdb->st); if( rc ) { diff --git a/libextra/openpgp/verify.c b/libextra/openpgp/verify.c index af3518af4f..9df5957971 100644 --- a/libextra/openpgp/verify.c +++ b/libextra/openpgp/verify.c @@ -48,7 +48,7 @@ openpgp_get_key_trust( gnutls_openpgp_trustdb trustdb, pkt = cdk_kbnode_find_packet( key->knode, CDK_PKT_PUBLIC_KEY ); if( !pkt ) { - rc = GNUTLS_E_OPENPGP_GETKEY_FAILED; + rc = GNUTLS_E_NO_CERTIFICATE_FOUND; goto leave; } pk = pkt->pkt.public_key; @@ -57,38 +57,21 @@ openpgp_get_key_trust( gnutls_openpgp_trustdb trustdb, if ( rc ) { /* no ownertrust record was found */ rc = 0; - *r_trustval = 0; goto leave; } if( flags & CDK_TFLAG_DISABLED ) { - *r_trustval |= GNUTLS_CERT_NOT_TRUSTED; *r_trustval |= GNUTLS_CERT_INVALID; goto leave; } if( flags & CDK_TFLAG_REVOKED ) { - *r_trustval |= GNUTLS_CERT_NOT_TRUSTED; *r_trustval |= GNUTLS_CERT_REVOKED; } - switch( ot ) { - case CDK_TRUST_NEVER: - *r_trustval |= GNUTLS_CERT_NOT_TRUSTED; - break; - case CDK_TRUST_UNKNOWN: - case CDK_TRUST_UNDEFINED: - case CDK_TRUST_MARGINAL: - case CDK_TRUST_FULLY: - case CDK_TRUST_ULTIMATE: - *r_trustval |= 1; /* means okay */ - rc = 0; - break; - } + rc = 0; leave: - if( rc ) - *r_trustval |= GNUTLS_CERT_NOT_TRUSTED; return rc; } 
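Review bot: In the `@@ -57` hunk of libextra/openpgp/verify.c, `*r_trustval` is now only ever OR-ed into: the `*r_trustval = 0;` on the no-ownertrust path is removed and nothing replaces it. The result therefore depends on the caller having zeroed the variable, which is not visible here, and a stale bit would be reported as a verification result. The removed fallback at `leave:` also means an error return no longer marks the key at all, so callers must check `rc` before reading the status. I would add `*r_trustval = 0;` at the top of `openpgp_get_key_trust`, which starts outside the hunk.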
@@ -99,8 +82,8 @@ leave: * @flags: unused (should be 0) * @verify: will hold the certificate verification output. * - * Verify all signatures in the certificate list. When the key - * is not available, the signature is skipped. + * Verify all signatures in the key, using the given set of keys (keyring). + * If a signer key is not available, the signature is skipped. * * The certificate verification output will be put in 'verify' and will be * one or more of the gnutls_certificate_status enumerated elements bitwise or'd. @@ -109,8 +92,6 @@ leave: * * GNUTLS_CERT_REVOKED\: The key has been revoked. * - * GNUTLS_CERT_NOT_TRUSTED\: The key is either invalid or revoked. - * * NOTE: this function does not verify using any "web of trust". You * may use GnuPG for that purpose, or any other external PGP application. * @@ -121,35 +102,33 @@ int gnutls_openpgp_key_verify_ring( gnutls_openpgp_key key, unsigned int flags, unsigned int *verify) { int rc = 0; - int status = 0; + unsigned int status = 0; if( !key || !keyring ) { gnutls_assert(); return GNUTLS_E_NO_CERTIFICATE_FOUND; } + + *verify = 0; rc = cdk_pk_check_sigs( key->knode, keyring->hd, &status ); - if( rc == CDK_Error_No_Key ) - rc = GNUTLS_E_NO_CERTIFICATE_FOUND; /* fixme */ - - switch( status ) { - case CDK_KEY_INVALID: - *verify = GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED; - rc = 0; - break; - - case CDK_KEY_REVOKED: - *verify = GNUTLS_CERT_REVOKED | GNUTLS_CERT_NOT_TRUSTED; - rc = 0; - break; - default: - rc = 0; + if( rc == CDK_Error_No_Key ) { + rc = GNUTLS_E_NO_CERTIFICATE_FOUND; + gnutls_assert(); + return rc; } - if( rc ) { + if( rc) { + rc = _gnutls_map_cdk_rc(rc); gnutls_assert(); + return rc; } - return rc; + + if (status & CDK_KEY_INVALID) *verify |= GNUTLS_CERT_INVALID; + if (status & CDK_KEY_REVOKED) *verify |= GNUTLS_CERT_REVOKED; +#warning CHECK HERE IF THE WAS ANY SIGNER + + return 0; } /** 
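Review bot: In the `@@ -121` hunk, `gnutls_openpgp_key_verify_ring` returns 0 with `*verify == 0` when none of the key's signers is in the keyring, because `GNUTLS_CERT_SIGNER_NOT_FOUND` is never set; the `#warning CHECK HERE IF THE WAS ANY SIGNER` line marks the gap but leaves it open. A caller that reads a zero status as "verified against the keyring" would accept a key that nobody in the ring signed, so until the check exists the function comment should state that a zero status does not imply a known signer. The switch on `status` was replaced by bit tests such as `status & CDK_KEY_INVALID`, which is only correct if the `CDK_KEY_*` values are distinct bit flags; that definition is not in this diff and should be confirmed. `*verify = 0;` is also written without the NULL check that `key` and `keyring` get.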
@@ -159,16 +138,15 @@ int gnutls_openpgp_key_verify_ring( gnutls_openpgp_key key, * @flags: unused (should be 0) * @verify: will hold the certificate verification output. * - * Verify all signatures in the certificate list. When the key - * is not available, the signature is skipped. - * - * The function checks the ownertrust of the key before the signatures are checked. - * It is possible that the key was disabled or the owner is not trusted - * at all. Then we don't check the signatures because it makes no sense. + * Checks if the key is revoked or disabled, in the trustdb. * * The certificate verification output will be put in 'verify' and will be * one or more of the gnutls_certificate_status enumerated elements bitwise or'd. * + * GNUTLS_CERT_INVALID\: A signature on the key is invalid. + * + * GNUTLS_CERT_REVOKED\: The key has been revoked. + * * NOTE: this function does not verify using any "web of trust". You * may use GnuPG for that purpose, or any other external PGP application. * @@ -180,7 +158,6 @@ int gnutls_openpgp_key_verify_trustdb( gnutls_openpgp_key key, { cdk_keydb_hd_t hd = NULL; int rc = 0; - int status = 0; if( !key) { gnutls_assert(); diff --git a/src/Makefile.am b/src/Makefile.am index 1623ea9d37..b8d2710e28 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1,4 +1,4 @@ -EXTRA_DIST = common.h prime.gaa crypt.gaa crypt-gaa.h README.srpcrypt prime-gaa.h \ +EXTRA_DIST = common.h crypt.gaa crypt-gaa.h README.srpcrypt \ README cli.gaa cli-gaa.h serv-gaa.h serv.gaa tls_test.gaa \ tls_test-gaa.h tests.h gnutls-http-serv list.h certtool-gaa.h \ certtool.gaa 
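Review bot: The new comment for `gnutls_openpgp_key_verify_trustdb` in the `@@ -159` hunk says the function only checks whether the key is revoked or disabled, but then documents `GNUTLS_CERT_INVALID` as "A signature on the key is invalid". In the `openpgp_get_key_trust` hunk of this commit, `GNUTLS_CERT_INVALID` is set when `CDK_TFLAG_DISABLED` is present. If this function reports that value (its body is outside the hunk), the line should read `GNUTLS_CERT_INVALID\: The key is disabled in the trustdb.`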
@@ -18,20 +18,16 @@ gnutls_cli_debug_SOURCES = tls_test-gaa.c tls_test.c tests.c common.c gnutls_cli_debug_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la $(LIBGCRYPT_LIBS) $(LIBOPENCDK_LIBS) -noinst_PROGRAMS = prime retcodes -prime_SOURCES = prime-gaa.c prime.c -prime_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) +noinst_PROGRAMS = retcodes retcodes_SOURCES = retcodes.c retcodes_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) -certtool_SOURCES = certtool-gaa.c certtool.c +certtool_SOURCES = certtool-gaa.c certtool.c prime.c certtool_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) crypt-gaa.c: crypt.gaa -gaa crypt.gaa -o crypt-gaa.c -i crypt-gaa.h -prime-gaa.c: prime.gaa - -gaa prime.gaa -o prime-gaa.c -i prime-gaa.h certtool-gaa.c: certtool.gaa -gaa certtool.gaa -o certtool-gaa.c -i certtool-gaa.h cli-gaa.c: cli.gaa diff --git a/src/certtool-gaa.c b/src/certtool-gaa.c index c0ee7a867a..a76d11895e 100644 --- a/src/certtool-gaa.c +++ b/src/certtool-gaa.c 
@@ -123,11 +123,13 @@ void gaa_help(void) __gaa_helpsingle('p', "generate-privkey", "", "Generate a private key."); __gaa_helpsingle('q', "generate-request", "", "Generate a PKCS #10 certificate request."); __gaa_helpsingle('e', "verify-chain", "", "Verify a PEM encoded certificate chain. The last certificate in the chain must be a self signed one."); + __gaa_helpsingle(0, "generate-dh-params", "", "Generate PKCS #3 encoded Diffie Hellman parameters."); __gaa_helpsingle(0, "load-privkey", "FILE ", "Private key file to use."); __gaa_helpsingle(0, "load-request", "FILE ", "Certificate request file to use."); __gaa_helpsingle(0, "load-certificate", "FILE ", "Certificate file to use."); __gaa_helpsingle(0, "load-ca-privkey", "FILE ", "Certificate authority's private key file to use."); __gaa_helpsingle(0, "load-ca-certificate", "FILE ", "Certificate authority's certificate file to use."); + __gaa_helpsingle(0, "password", "FILE ", "Password to use."); __gaa_helpsingle('i', "certificate-info", "", "Print information on a certificate."); __gaa_helpsingle(0, "p12-info", "", "Print information on a PKCS #12 structure."); __gaa_helpsingle('k', "key-info", "", "Print information on a private key."); 
@@ -156,29 +158,31 @@ typedef struct _gaainfo gaainfo; struct _gaainfo { -#line 57 "certtool.gaa" +#line 62 "certtool.gaa" int debug; -#line 54 "certtool.gaa" +#line 59 "certtool.gaa" char *infile; -#line 51 "certtool.gaa" +#line 56 "certtool.gaa" char *outfile; -#line 48 "certtool.gaa" +#line 53 "certtool.gaa" int bits; -#line 45 "certtool.gaa" +#line 50 "certtool.gaa" int outcert_format; -#line 42 "certtool.gaa" +#line 47 "certtool.gaa" int incert_format; -#line 39 "certtool.gaa" +#line 44 "certtool.gaa" int pkcs8; -#line 28 "certtool.gaa" +#line 33 "certtool.gaa" + char *pass; +#line 30 "certtool.gaa" char *ca; -#line 25 "certtool.gaa" +#line 27 "certtool.gaa" char *ca_privkey; -#line 22 "certtool.gaa" +#line 24 "certtool.gaa" char *cert; -#line 19 "certtool.gaa" +#line 21 "certtool.gaa" char *request; -#line 16 "certtool.gaa" +#line 18 "certtool.gaa" char *privkey; #line 3 "certtool.gaa" int action; @@ -236,7 +240,7 @@ int gaa_error = 0; #define GAA_MULTIPLE_OPTION 3 #define GAA_REST 0 -#define GAA_NB_OPTION 25 +#define GAA_NB_OPTION 27 #define GAAOPTID_copyright 1 #define GAAOPTID_version 2 #define GAAOPTID_help 3 
@@ -251,17 +255,19 @@ int gaa_error = 0; #define GAAOPTID_key_info 12 #define GAAOPTID_p12_info 13 #define GAAOPTID_certificate_info 14 -#define GAAOPTID_load_ca_certificate 15 -#define GAAOPTID_load_ca_privkey 16 -#define GAAOPTID_load_certificate 17 -#define GAAOPTID_load_request 18 -#define GAAOPTID_load_privkey 19 -#define GAAOPTID_verify_chain 20 -#define GAAOPTID_generate_request 21 -#define GAAOPTID_generate_privkey 22 -#define GAAOPTID_update_certificate 23 -#define GAAOPTID_generate_certificate 24 -#define GAAOPTID_generate_self_signed 25 +#define GAAOPTID_password 15 +#define GAAOPTID_load_ca_certificate 16 +#define GAAOPTID_load_ca_privkey 17 +#define GAAOPTID_load_certificate 18 +#define GAAOPTID_load_request 19 +#define GAAOPTID_load_privkey 20 +#define GAAOPTID_generate_dh_params 21 +#define GAAOPTID_verify_chain 22 +#define GAAOPTID_generate_request 23 +#define GAAOPTID_generate_privkey 24 +#define GAAOPTID_update_certificate 25 +#define GAAOPTID_generate_certificate 26 +#define GAAOPTID_generate_self_signed 27 #line 168 "gaa.skel" @@ -472,6 +478,12 @@ struct GAAOPTION_bits int size1; }; +struct GAAOPTION_password +{ + char* arg1; + int size1; +}; + struct GAAOPTION_load_ca_certificate { char* arg1; @@ -535,6 +547,7 @@ int gaa_get_option_num(char *str, int status) GAA_CHECK1STR("", GAAOPTID_infile); GAA_CHECK1STR("", GAAOPTID_outfile); GAA_CHECK1STR("", GAAOPTID_bits); + GAA_CHECK1STR("", GAAOPTID_password); GAA_CHECK1STR("", GAAOPTID_load_ca_certificate); GAA_CHECK1STR("", GAAOPTID_load_ca_privkey); GAA_CHECK1STR("", GAAOPTID_load_certificate); @@ -552,6 +565,7 @@ int gaa_get_option_num(char *str, int status) GAA_CHECK1STR("k", GAAOPTID_key_info); GAA_CHECK1STR("", GAAOPTID_p12_info); GAA_CHECK1STR("i", GAAOPTID_certificate_info); + GAA_CHECK1STR("", GAAOPTID_generate_dh_params); GAA_CHECK1STR("e", GAAOPTID_verify_chain); GAA_CHECK1STR("q", GAAOPTID_generate_request); GAA_CHECK1STR("p", GAAOPTID_generate_privkey); 
@@ -576,11 +590,13 @@ int gaa_get_option_num(char *str, int status) GAA_CHECKSTR("key-info", GAAOPTID_key_info); GAA_CHECKSTR("p12-info", GAAOPTID_p12_info); GAA_CHECKSTR("certificate-info", GAAOPTID_certificate_info); + GAA_CHECKSTR("password", GAAOPTID_password); GAA_CHECKSTR("load-ca-certificate", GAAOPTID_load_ca_certificate); GAA_CHECKSTR("load-ca-privkey", GAAOPTID_load_ca_privkey); GAA_CHECKSTR("load-certificate", GAAOPTID_load_certificate); GAA_CHECKSTR("load-request", GAAOPTID_load_request); GAA_CHECKSTR("load-privkey", GAAOPTID_load_privkey); + GAA_CHECKSTR("generate-dh-params", GAAOPTID_generate_dh_params); GAA_CHECKSTR("verify-chain", GAAOPTID_verify_chain); GAA_CHECKSTR("generate-request", GAAOPTID_generate_request); GAA_CHECKSTR("generate-privkey", GAAOPTID_generate_privkey); @@ -603,6 +619,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) struct GAAOPTION_infile GAATMP_infile; struct GAAOPTION_outfile GAATMP_outfile; struct GAAOPTION_bits GAATMP_bits; + struct GAAOPTION_password GAATMP_password; struct GAAOPTION_load_ca_certificate GAATMP_load_ca_certificate; struct GAAOPTION_load_ca_privkey GAATMP_load_ca_privkey; struct GAAOPTION_load_certificate GAATMP_load_certificate; @@ -630,21 +647,21 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) { case GAAOPTID_copyright: OK = 0; -#line 63 "certtool.gaa" +#line 68 "certtool.gaa" { print_license(); exit(0); ;}; return GAA_OK; break; case GAAOPTID_version: OK = 0; -#line 62 "certtool.gaa" +#line 67 "certtool.gaa" { certtool_version(); exit(0); ;}; return GAA_OK; break; case GAAOPTID_help: OK = 0; -#line 60 "certtool.gaa" +#line 65 "certtool.gaa" { gaa_help(); exit(0); ;}; return GAA_OK; 
@@ -654,7 +671,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1); gaa_index++; -#line 58 "certtool.gaa" +#line 63 "certtool.gaa" { gaaval->debug = GAATMP_debug.arg1 ;}; return GAA_OK; @@ -664,7 +681,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_infile.arg1, gaa_getstr, GAATMP_infile.size1); gaa_index++; -#line 55 "certtool.gaa" +#line 60 "certtool.gaa" { gaaval->infile = GAATMP_infile.arg1 ;}; return GAA_OK; @@ -674,7 +691,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_outfile.arg1, gaa_getstr, GAATMP_outfile.size1); gaa_index++; -#line 52 "certtool.gaa" +#line 57 "certtool.gaa" { gaaval->outfile = GAATMP_outfile.arg1 ;}; return GAA_OK; 
@@ -684,66 +701,76 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_bits.arg1, gaa_getint, GAATMP_bits.size1); gaa_index++; -#line 49 "certtool.gaa" +#line 54 "certtool.gaa" { gaaval->bits = GAATMP_bits.arg1 ;}; return GAA_OK; break; case GAAOPTID_outder: OK = 0; -#line 46 "certtool.gaa" +#line 51 "certtool.gaa" { gaaval->outcert_format=1 ;}; return GAA_OK; break; case GAAOPTID_inder: OK = 0; -#line 43 "certtool.gaa" +#line 48 "certtool.gaa" { gaaval->incert_format=1 ;}; return GAA_OK; break; case GAAOPTID_pkcs8: OK = 0; -#line 40 "certtool.gaa" +#line 45 "certtool.gaa" { gaaval->pkcs8=1 ;}; return GAA_OK; break; case GAAOPTID_to_p12: OK = 0; -#line 37 "certtool.gaa" +#line 42 "certtool.gaa" { gaaval->action = 8; ;}; return GAA_OK; break; case GAAOPTID_key_info: OK = 0; -#line 35 "certtool.gaa" +#line 40 "certtool.gaa" { gaaval->action = 6; ;}; return GAA_OK; break; case GAAOPTID_p12_info: OK = 0; -#line 33 "certtool.gaa" +#line 38 "certtool.gaa" { gaaval->action = 9; ;}; return GAA_OK; break; case GAAOPTID_certificate_info: OK = 0; -#line 31 "certtool.gaa" +#line 36 "certtool.gaa" { gaaval->action = 2; ;}; return GAA_OK; break; + case GAAOPTID_password: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_password.arg1, gaa_getstr, GAATMP_password.size1); + gaa_index++; +#line 34 "certtool.gaa" +{ gaaval->pass = GAATMP_password.arg1 ;}; + + return GAA_OK; + break; case GAAOPTID_load_ca_certificate: OK = 0; GAA_TESTMOREARGS; GAA_FILL(GAATMP_load_ca_certificate.arg1, gaa_getstr, GAATMP_load_ca_certificate.size1); gaa_index++; -#line 29 "certtool.gaa" +#line 31 "certtool.gaa" { gaaval->ca = GAATMP_load_ca_certificate.arg1 ;}; return GAA_OK; 
@@ -753,7 +780,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_load_ca_privkey.arg1, gaa_getstr, GAATMP_load_ca_privkey.size1); gaa_index++; -#line 26 "certtool.gaa" +#line 28 "certtool.gaa" { gaaval->ca_privkey = GAATMP_load_ca_privkey.arg1 ;}; return GAA_OK; @@ -763,7 +790,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_load_certificate.arg1, gaa_getstr, GAATMP_load_certificate.size1); gaa_index++; -#line 23 "certtool.gaa" +#line 25 "certtool.gaa" { gaaval->cert = GAATMP_load_certificate.arg1 ;}; return GAA_OK; @@ -773,7 +800,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_load_request.arg1, gaa_getstr, GAATMP_load_request.size1); gaa_index++; -#line 20 "certtool.gaa" +#line 22 "certtool.gaa" { gaaval->request = GAATMP_load_request.arg1 ;}; return GAA_OK; @@ -783,11 +810,18 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_load_privkey.arg1, gaa_getstr, GAATMP_load_privkey.size1); gaa_index++; -#line 17 "certtool.gaa" +#line 19 "certtool.gaa" { gaaval->privkey = GAATMP_load_privkey.arg1 ;}; return GAA_OK; break; + case GAAOPTID_generate_dh_params: + OK = 0; +#line 16 "certtool.gaa" +{ gaaval->action=10; ;}; + + return GAA_OK; + break; case GAAOPTID_verify_chain: OK = 0; #line 14 "certtool.gaa" 
@@ -854,10 +888,10 @@ int gaa(int argc, char **argv, gaainfo *gaaval) if(inited == 0) { -#line 65 "certtool.gaa" +#line 70 "certtool.gaa" { gaaval->bits = 1024; gaaval->pkcs8 = 0; gaaval->privkey = NULL; gaaval->ca=NULL; gaaval->ca_privkey = NULL; gaaval->debug=1; gaaval->request = NULL; gaaval->infile = NULL; gaaval->outfile = NULL; gaaval->cert = NULL; - gaaval->incert_format = 0; gaaval->outcert_format = 0; gaaval->action=-1; ;}; + gaaval->incert_format = 0; gaaval->outcert_format = 0; gaaval->action=-1; gaaval->pass = NULL; ;}; } inited = 1; diff --git a/src/certtool-gaa.h b/src/certtool-gaa.h index cbf73e1f9c..756c61b6bc 100644 --- a/src/certtool-gaa.h +++ b/src/certtool-gaa.h @@ -8,29 +8,31 @@ typedef struct _gaainfo gaainfo; struct _gaainfo { -#line 57 "certtool.gaa" +#line 62 "certtool.gaa" int debug; -#line 54 "certtool.gaa" +#line 59 "certtool.gaa" char *infile; -#line 51 "certtool.gaa" +#line 56 "certtool.gaa" char *outfile; -#line 48 "certtool.gaa" +#line 53 "certtool.gaa" int bits; -#line 45 "certtool.gaa" +#line 50 "certtool.gaa" int outcert_format; -#line 42 "certtool.gaa" +#line 47 "certtool.gaa" int incert_format; -#line 39 "certtool.gaa" +#line 44 "certtool.gaa" int pkcs8; -#line 28 "certtool.gaa" +#line 33 "certtool.gaa" + char *pass; +#line 30 "certtool.gaa" char *ca; -#line 25 "certtool.gaa" +#line 27 "certtool.gaa" char *ca_privkey; -#line 22 "certtool.gaa" +#line 24 "certtool.gaa" char *cert; -#line 19 "certtool.gaa" +#line 21 "certtool.gaa" char *request; -#line 16 "certtool.gaa" +#line 18 "certtool.gaa" char *privkey; #line 3 "certtool.gaa" int action; diff --git a/src/certtool.c b/src/certtool.c index 8b939fafa9..7cb9a32be5 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -32,6 +32,7 @@ #include <gnutls/pkcs12.h> #include <unistd.h> +int generate_prime(int bits); void pkcs12_info( void); void generate_pkcs12( void); void verify_chain(void); 
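Review bot: The prototype `int generate_prime(int bits);` added in the certtool.c hunk at +32 is written by hand in the calling file, while prime.c declares `outfile`, `infile`, `buffer` and `buffer_size` through its own `extern` lines, so no translation unit sees both a declaration and its definition. A mismatch, for example `buffer_size` changing type or `generate_prime` gaining a parameter, would compile and link without a diagnostic. Moving these declarations into one header included by both certtool.c and prime.c lets the compiler check them. The next certtool.c hunk, which drops `static` from `buffer` and `buffer_size`, is part of the same issue.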
@@ -52,8 +53,8 @@ FILE* infile; int in_cert_format; int out_cert_format; -static unsigned char buffer[50*1024]; -static const int buffer_size = sizeof(buffer); +unsigned char buffer[50*1024]; +const int buffer_size = sizeof(buffer); static void tls_log_func( int level, const char* str) { @@ -556,6 +557,9 @@ int ret; case 9: pkcs12_info(); break; + case 10: + generate_prime( info.bits); + break; default: fprintf(stderr, "GnuTLS' certtool utility.\n"); fprintf(stderr, "Please use the --help to get help on this program.\n"); @@ -1346,7 +1350,7 @@ time_t now = time(0); comma = 1; } - if (output&GNUTLS_CERT_ISSUER_NOT_CA) { + if (output&GNUTLS_CERT_SIGNER_NOT_CA) { if (comma) fprintf(outfile, ", "); fprintf(outfile, "Issuer is not a CA"); comma = 1; diff --git a/src/certtool.gaa b/src/certtool.gaa index 1825ecd7e5..67ee216aab 100644 --- a/src/certtool.gaa +++ b/src/certtool.gaa @@ -13,6 +13,8 @@ option (q, generate-request) { $action=3; } "Generate a PKCS #10 certificate req option (e, verify-chain) { $action=5; } "Verify a PEM encoded certificate chain. The last certificate in the chain must be a self signed one." +option (generate-dh-params) { $action=10; } "Generate PKCS #3 encoded Diffie Hellman parameters." + #char *privkey; option (load-privkey) STR "FILE" { $privkey = $1 } "Private key file to use." diff --git a/src/common.c b/src/common.c index e3732e0db2..a443af047c 100644 --- a/src/common.c +++ b/src/common.c 
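Review bot: The new `case 10` drops the return value of `generate_prime( info.bits)`, so a failure in DH parameter generation cannot reach certtool's exit status. Assign it, for example `ret = generate_prime( info.bits);`, assuming the `ret` shown in the hunk header context is the variable this function reports through. The switch and its enclosing function lie outside the hunk, so that needs confirming. `info.bits` is also passed through without a range check; a comment such as `/* DH prime size comes from --bits; reject sizes too small to be safe */` with a matching check would make the intent explicit.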
@@ -345,13 +345,21 @@ void print_cert_vrfy(gnutls_session session) return; } - if (status & GNUTLS_CERT_INVALID) - printf("- Peer's certificate chain is broken\n"); - if (status & GNUTLS_CERT_NOT_TRUSTED) - printf("- Peer's certificate is NOT trusted\n"); - else - printf("- Peer's certificate is trusted\n"); - + if (gnutls_certificate_type_get(session)==GNUTLS_CRT_X509) { + if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) + printf("- Peer's certificate issuer is unknown\n"); + if (status & GNUTLS_CERT_INVALID) + printf("- Peer's certificate is NOT trusted\n"); + else + printf("- Peer's certificate is trusted\n"); + } else { + if (status & GNUTLS_CERT_INVALID) + printf("- Peer's key is invalid\n"); + else + printf("- Peer's key is valid\n"); + if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) + printf("- Could not find a signer of the peer's key\n"); + } } int print_info(gnutls_session session, const char* hostname) @@ -403,7 +411,7 @@ int print_info(gnutls_session session, const char* hostname) print_cert_info(session, hostname); print_cert_vrfy(session); - + /* Check if we have been using ephemeral Diffie Hellman. */ if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { diff --git a/src/prime.c b/src/prime.c index 298700eb32..3349a3efae 100644 --- a/src/prime.c +++ b/src/prime.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2001 Nikos Mavroyanopoulos + * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos * * This file is part of GNUTLS. * 
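Review bot: In the X.509 branch of print_cert_vrfy the "trusted" line is printed whenever `GNUTLS_CERT_INVALID` is clear and `GNUTLS_CERT_REVOKED` is never tested, so a status carrying only the revoked bit would be reported as trusted. Whether the library always sets INVALID together with REVOKED is not visible in this hunk, so the printing code should not depend on it. Add `if (status & GNUTLS_CERT_REVOKED) printf("- Peer's certificate has been revoked\n");` and make the trust decision `if (status & (GNUTLS_CERT_INVALID | GNUTLS_CERT_REVOKED))`. The function begins outside the hunk; only its tail is shown.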
@@ -22,99 +22,95 @@ #include <string.h> #include <stdlib.h> #include <unistd.h> -#include "prime-gaa.h" #include <gnutls/gnutls.h> #include "../lib/defines.h" -int main(int argc, char **argv) +extern FILE* outfile; +extern FILE* infile; +extern unsigned char buffer[]; +extern const int buffer_size; + +static int cparams = 0; + +int generate_prime(int bits) { - gaainfo info; unsigned int i; gnutls_dh_params dh_params; gnutls_datum p, g; - if (gaa(argc, argv, &info) != -1) { - fprintf(stderr, "Error in the arguments.\n"); - return -1; - } - - gnutls_global_init(); - gnutls_dh_params_init( &dh_params); fprintf(stderr, "Generating DH parameters..."); - gnutls_dh_params_generate2( dh_params, info.bits); + gnutls_dh_params_generate2( dh_params, bits); gnutls_dh_params_export_raw( dh_params, &p, &g, NULL); - if (info.cparams) { + if (cparams) { - printf( "/* generator */\n"); - printf( "\nconst uint8 g[%d] = { ", g.size); + fprintf( outfile, "/* generator */\n"); + fprintf( outfile, "\nconst uint8 g[%d] = { ", g.size); for (i=0;i<g.size;i++) { - if (i%7==0) printf("\n\t"); - printf( "0x%.2x", g.data[i]); - if (i!=g.size-1) printf( ", "); + if (i%7==0) fprintf(outfile, "\n\t"); + fprintf(outfile, "0x%.2x", g.data[i]); + if (i!=g.size-1) fprintf(outfile, ", "); } - printf("\n};\n\n"); + fprintf(outfile, "\n};\n\n"); } else { - printf( "\nGenerator: "); + fprintf( outfile, "\nGenerator: "); for (i=0;i<g.size;i++) { - if (i!=0 && i%12==0) printf("\n\t"); - else if (i!=0 && i!=g.size) printf( ":"); + if (i!=0 && i%12==0) fprintf( outfile,"\n\t"); + else if (i!=0 && i!=g.size) fprintf( outfile, ":"); - printf( "%.2x", g.data[i]); + fprintf( outfile, "%.2x", g.data[i]); } - printf("\n\n"); + fprintf( outfile,"\n\n"); } /* print prime */ - if (info.cparams) { - printf( "/* prime - %d bits */\n", p.size*8); - printf( "\nconst uint8 prime[%d] = { ", p.size); + if (cparams) { + fprintf( outfile, "/* prime - %d bits */\n", p.size*8); + fprintf( outfile, "\nconst uint8 prime[%d] = { 
", p.size); for (i=0;i<p.size;i++) { - if (i%7==0) printf("\n\t"); - printf( "0x%.2x", p.data[i]); - if (i!=p.size-1) printf( ", "); + if (i%7==0) fprintf( outfile,"\n\t"); + fprintf( outfile, "0x%.2x", p.data[i]); + if (i!=p.size-1) fprintf( outfile, ", "); } - printf("\n};\n"); + fprintf( outfile,"\n};\n"); } else { - printf( "Prime: "); + fprintf( outfile, "Prime: "); for (i=0;i<p.size;i++) { - if (i!=0 && i%12==0) printf("\n\t"); - else if (i!=0 && i!=p.size) printf( ":"); - printf( "%.2x", p.data[i]); + if (i!=0 && i%12==0) fprintf( outfile,"\n\t"); + else if (i!=0 && i!=p.size) fprintf( outfile, ":"); + fprintf( outfile, "%.2x", p.data[i]); } - printf("\n\n"); + fprintf( outfile,"\n\n"); } - if (!info.cparams) { /* generate a PKCS#3 structure */ + if (!cparams) { /* generate a PKCS#3 structure */ - unsigned char out[5*1024]; - int ret, len = sizeof(out); + int ret; + size_t len = buffer_size; ret = gnutls_dh_params_export_pkcs3( dh_params, GNUTLS_X509_FMT_PEM, - out, &len); + buffer, &len); if (ret == 0) { - printf("\n%s", out); + fprintf( outfile,"\n%s", buffer); } else { fprintf(stderr, "Error: %s\n", gnutls_strerror(ret)); } } - gnutls_global_deinit(); - return 0; } |