diff options
Diffstat (limited to 'lib/ext/server_cert_type.c')
-rw-r--r-- | lib/ext/server_cert_type.c | 147 |
1 files changed, 81 insertions, 66 deletions
diff --git a/lib/ext/server_cert_type.c b/lib/ext/server_cert_type.c index 6db2a1f92e..1e489bf308 100644 --- a/lib/ext/server_cert_type.c +++ b/lib/ext/server_cert_type.c @@ -36,13 +36,11 @@ #include "state.h" #include "datum.h" - static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, - const uint8_t* data, + const uint8_t * data, size_t data_size); static int _gnutls_server_cert_type_send_params(gnutls_session_t session, - gnutls_buffer_st* data); - + gnutls_buffer_st * data); const hello_ext_entry_st ext_mod_server_cert_type = { .name = "Server Certificate Type", @@ -51,10 +49,9 @@ const hello_ext_entry_st ext_mod_server_cert_type = { .client_parse_point = GNUTLS_EXT_TLS, .server_parse_point = GNUTLS_EXT_TLS, .validity = GNUTLS_EXT_FLAG_TLS | - GNUTLS_EXT_FLAG_DTLS | - GNUTLS_EXT_FLAG_CLIENT_HELLO | - GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO | - GNUTLS_EXT_FLAG_EE, + GNUTLS_EXT_FLAG_DTLS | + GNUTLS_EXT_FLAG_CLIENT_HELLO | + GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO | GNUTLS_EXT_FLAG_EE, .recv_func = _gnutls_server_cert_type_recv_params, .send_func = _gnutls_server_cert_type_send_params, .pack_func = _gnutls_hello_ext_default_pack, @@ -63,31 +60,31 @@ const hello_ext_entry_st ext_mod_server_cert_type = { .cannot_be_overriden = 1 }; - static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, - const uint8_t* data, + const uint8_t * data, size_t data_size) { int ret; gnutls_certificate_type_t cert_type; size_t i; bool found = false; - const uint8_t* pdata = data; + const uint8_t *pdata = data; /* Only activate this extension if we have cert credentials set * and alternative cert types are allowed */ if (!are_alternative_cert_types_allowed(session) || - (_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE) == NULL)) + (_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE) == NULL)) return 0; if (!IS_SERVER(session)) { // client mode - gnutls_datum_t sent_cert_types; // Holds the previously sent cert types + gnutls_datum_t sent_cert_types; // Holds the previously sent cert types /* Compare packet length with expected packet length. For the * client this is a single byte. */ if (data_size != 1) { return - gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + gnutls_assert_val + (GNUTLS_E_UNEXPECTED_PACKET_LENGTH); } /* The server picked one of the offered cert types if he supports @@ -97,36 +94,40 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, * we're going to check it nevertheless. */ cert_type = IANA2cert_type(pdata[0]); - _gnutls_handshake_log("EXT[%p]: Received a %s server certificate type confirmation from the server.\n", - session, gnutls_certificate_type_get_name(cert_type)); + _gnutls_handshake_log + ("EXT[%p]: Received a %s server certificate type confirmation from the server.\n", + session, gnutls_certificate_type_get_name(cert_type)); // Check validity of cert type if (cert_type == GNUTLS_CRT_UNKNOWN) { - return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE); + return + gnutls_assert_val + (GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE); } /* Get the cert types that we sent to the server (they were stored * in IANA representation. */ ret = _gnutls_hello_ext_get_datum(session, - GNUTLS_EXTENSION_SERVER_CERT_TYPE, - &sent_cert_types); + GNUTLS_EXTENSION_SERVER_CERT_TYPE, + &sent_cert_types); if (ret < 0) { /* This should not happen and indicate a memory corruption! * Assertion are always on in production code so execution * will halt here. */ assert(false); } - // Check whether what we got back is actually offered by us for (i = 0; i < sent_cert_types.size; i++) { - if (IANA2cert_type(sent_cert_types.data[i]) == cert_type) + if (IANA2cert_type(sent_cert_types.data[i]) == + cert_type) found = true; } if (found) { // Everything OK, now set the server certificate type - _gnutls_session_server_cert_type_set(session, cert_type); + _gnutls_session_server_cert_type_set(session, + cert_type); ret = GNUTLS_E_SUCCESS; } else { // No valid cert type found @@ -136,24 +137,25 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, return ret; } else { // server mode - gnutls_datum_t cert_types; // Holds the received cert types + gnutls_datum_t cert_types; // Holds the received cert types // Compare packet length with expected packet length. DECR_LEN(data_size, 1); if (data[0] != data_size) { return - gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + gnutls_assert_val + (GNUTLS_E_UNEXPECTED_PACKET_LENGTH); } pdata += 1; // Assign the contents of our data buffer to a gnutls_datum_t - cert_types.data = (uint8_t*)pdata; // Need casting to get rid of 'discards const qualifier' warning + cert_types.data = (uint8_t *) pdata; // Need casting to get rid of 'discards const qualifier' warning cert_types.size = data_size; // Store the server certificate types in our session _gnutls_hello_ext_set_datum(session, - GNUTLS_EXTENSION_SERVER_CERT_TYPE, - &cert_types); + GNUTLS_EXTENSION_SERVER_CERT_TYPE, + &cert_types); /* We receive a list of supported certificate types that the client * is able to process when offered by the server via a subsequent @@ -169,11 +171,15 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, if (cert_type == GNUTLS_CRT_UNKNOWN) continue; - _gnutls_handshake_log("EXT[%p]: Checking compatibility of a %s server certificate type that was received from the client.\n", - session, gnutls_certificate_type_get_name(cert_type)); + _gnutls_handshake_log + ("EXT[%p]: Checking compatibility of a %s server certificate type that was received from the client.\n", + session, + gnutls_certificate_type_get_name(cert_type)); // Check for support of this cert type - if (_gnutls_session_is_cert_type_supported(session, cert_type, true, GNUTLS_CTYPE_SERVER) == 0) { + if (_gnutls_session_is_cert_type_supported + (session, cert_type, true, + GNUTLS_CTYPE_SERVER) == 0) { found = true; break; } @@ -181,7 +187,8 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, // We found a matching ctype, we pick this one if (found) { - _gnutls_session_server_cert_type_set(session, cert_type); + _gnutls_session_server_cert_type_set(session, + cert_type); ret = GNUTLS_E_SUCCESS; } else { /* If no supported certificate type can be found we terminate @@ -196,23 +203,23 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, } static int _gnutls_server_cert_type_send_params(gnutls_session_t session, - gnutls_buffer_st* data) + gnutls_buffer_st * data) { int ret; - uint8_t cert_type_IANA; // Holds an IANA cert type ID + uint8_t cert_type_IANA; // Holds an IANA cert type ID gnutls_certificate_type_t cert_type; /* Only activate this extension if we have cert credentials set * and alternative cert types are allowed */ if (!are_alternative_cert_types_allowed(session) || - (_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE) == NULL)) + (_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE) == NULL)) return 0; if (!IS_SERVER(session)) { // Client mode - uint8_t cert_types[GNUTLS_CRT_MAX]; // The list with supported (IANA) cert types. Inv: 0 <= cert type Id < 256 + uint8_t cert_types[GNUTLS_CRT_MAX]; // The list with supported (IANA) cert types. Inv: 0 <= cert type Id < 256 size_t i, num_cert_types = 0; - priority_st* cert_priorities; - gnutls_datum_t tmp_cert_types; // For type conversion + priority_st *cert_priorities; + gnutls_datum_t tmp_cert_types; // For type conversion // For brevity cert_priorities = &session->internals.priorities->server_ctype; @@ -230,12 +237,14 @@ static int _gnutls_server_cert_type_send_params(gnutls_session_t session, * types. */ if (cert_priorities->num_priorities == 1 && - cert_priorities->priorities[0] == DEFAULT_CERT_TYPE) { + cert_priorities->priorities[0] == + DEFAULT_CERT_TYPE) { _gnutls_handshake_log - ("EXT[%p]: Server certificate type was set to default cert type (%s). " - "We therefore do not send this extension.\n", - session, - gnutls_certificate_type_get_name(DEFAULT_CERT_TYPE)); + ("EXT[%p]: Server certificate type was set to default cert type (%s). " + "We therefore do not send this extension.\n", + session, + gnutls_certificate_type_get_name + (DEFAULT_CERT_TYPE)); // Explicitly set but default ctype, so don't send anything return 0; @@ -254,14 +263,17 @@ static int _gnutls_server_cert_type_send_params(gnutls_session_t session, cert_type = cert_priorities->priorities[i]; - if (_gnutls_session_is_cert_type_supported(session, cert_type, - false, GNUTLS_CTYPE_SERVER) == 0) { + if (_gnutls_session_is_cert_type_supported + (session, cert_type, false, + GNUTLS_CTYPE_SERVER) == 0) { /* Check whether we are allowed to store another cert type * in our buffer. In other words, prevent a possible buffer * overflow. This situation can occur when a user sets * duplicate cert types in the priority strings. */ if (num_cert_types >= GNUTLS_CRT_MAX) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + return + gnutls_assert_val + (GNUTLS_E_SHORT_MEMORY_BUFFER); // Convert to IANA representation ret = cert_type2IANA(cert_type); @@ -269,17 +281,18 @@ static int _gnutls_server_cert_type_send_params(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); - cert_type_IANA = ret; // For readability + cert_type_IANA = ret; // For readability // Add this cert type to our list with supported types - cert_types[num_cert_types] = cert_type_IANA; + cert_types[num_cert_types] = + cert_type_IANA; num_cert_types++; _gnutls_handshake_log - ("EXT[%p]: Server certificate type %s (%d) was queued.\n", - session, - gnutls_certificate_type_get_name(cert_type), - cert_type_IANA); + ("EXT[%p]: Server certificate type %s (%d) was queued.\n", + session, + gnutls_certificate_type_get_name + (cert_type), cert_type_IANA); } } @@ -290,18 +303,20 @@ static int _gnutls_server_cert_type_send_params(gnutls_session_t session, */ if (num_cert_types == 0) { // For now, this should not occur since we only check priorities while pruning. _gnutls_handshake_log - ("EXT[%p]: Server certificate types were set but none of them is supported. " - "We do not send this extension.\n", - session); + ("EXT[%p]: Server certificate types were set but none of them is supported. " + "We do not send this extension.\n", + session); return 0; } else if (num_cert_types == 1 && - IANA2cert_type(cert_types[0]) == DEFAULT_CERT_TYPE) { + IANA2cert_type(cert_types[0]) == + DEFAULT_CERT_TYPE) { _gnutls_handshake_log - ("EXT[%p]: The only supported server certificate type is (%s) which is the default. " - "We therefore do not send this extension.\n", - session, - gnutls_certificate_type_get_name(DEFAULT_CERT_TYPE)); + ("EXT[%p]: The only supported server certificate type is (%s) which is the default. " + "We therefore do not send this extension.\n", + session, + gnutls_certificate_type_get_name + (DEFAULT_CERT_TYPE)); return 0; } @@ -314,8 +329,8 @@ static int _gnutls_server_cert_type_send_params(gnutls_session_t session, tmp_cert_types.size = num_cert_types; _gnutls_hello_ext_set_datum(session, - GNUTLS_EXTENSION_SERVER_CERT_TYPE, - &tmp_cert_types); + GNUTLS_EXTENSION_SERVER_CERT_TYPE, + &tmp_cert_types); /* Serialize the certificate types into a sequence of octets * uint8: length of sequence of cert types (1 octet) @@ -333,7 +348,7 @@ static int _gnutls_server_cert_type_send_params(gnutls_session_t session, return num_cert_types + 1; } } - } else { // Server mode + } else { // Server mode // Retrieve negotiated server certificate type and send it cert_type = get_certificate_type(session, GNUTLS_CTYPE_SERVER); ret = cert_type2IANA(cert_type); @@ -341,10 +356,11 @@ static int _gnutls_server_cert_type_send_params(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); - cert_type_IANA = ret; // For readability + cert_type_IANA = ret; // For readability - _gnutls_handshake_log("EXT[%p]: Confirming to use a %s server certificate type.\n", - session, gnutls_certificate_type_get_name(cert_type)); + _gnutls_handshake_log + ("EXT[%p]: Confirming to use a %s server certificate type.\n", + session, gnutls_certificate_type_get_name(cert_type)); ret = gnutls_buffer_append_data(data, &cert_type_IANA, 1); @@ -358,7 +374,6 @@ static int _gnutls_server_cert_type_send_params(gnutls_session_t session, return 0; } - /** Extension interface **/ /* The interface is defined in state.c: |