Diffstat (limited to 'lib/tls13/certificate_request.c')
-rw-r--r--lib/tls13/certificate_request.c146
1 files changed, 94 insertions, 52 deletions
diff --git a/lib/tls13/certificate_request.c b/lib/tls13/certificate_request.c
index b613cab13f..1dd92628b5 100644
--- a/lib/tls13/certificate_request.c
+++ b/lib/tls13/certificate_request.c
@@ -42,15 +42,17 @@ typedef struct crt_req_ctx_st {
unsigned got_sig_algo;
gnutls_pk_algorithm_t pk_algos[MAX_ALGOS];
unsigned pk_algos_length;
- const uint8_t *rdn; /* pointer inside the message buffer */
+ const uint8_t *rdn; /* pointer inside the message buffer */
unsigned rdn_size;
} crt_req_ctx_st;
-static unsigned is_algo_in_list(gnutls_pk_algorithm_t algo, gnutls_pk_algorithm_t *list, unsigned list_size)
+static unsigned is_algo_in_list(gnutls_pk_algorithm_t algo,
+ gnutls_pk_algorithm_t * list,
+ unsigned list_size)
{
unsigned j;
- for (j=0;j<list_size;j++) {
+ for (j = 0; j < list_size; j++) {
if (list[j] == algo)
return 1;
}
@@ -58,7 +60,8 @@ static unsigned is_algo_in_list(gnutls_pk_algorithm_t algo, gnutls_pk_algorithm_
}
static
-int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned data_size)
+int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t * data,
+ unsigned data_size)
{
crt_req_ctx_st *ctx = _ctx;
gnutls_session_t session = ctx->session;
@@ -75,21 +78,28 @@ int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t *data, unsig
unsigned i;
if (ctx->got_sig_algo)
- return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION);
+ return
+ gnutls_assert_val
+ (GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION);
ctx->got_sig_algo = 1;
if (data_size < 2)
- return gnutls_assert_val(GNUTLS_E_TLS_PACKET_DECODING_ERROR);
+ return
+ gnutls_assert_val
+ (GNUTLS_E_TLS_PACKET_DECODING_ERROR);
v = _gnutls_read_uint16(data);
- if (v != data_size-2)
- return gnutls_assert_val(GNUTLS_E_TLS_PACKET_DECODING_ERROR);
+ if (v != data_size - 2)
+ return
+ gnutls_assert_val
+ (GNUTLS_E_TLS_PACKET_DECODING_ERROR);
data += 2;
data_size -= 2;
- ret = _gnutls_sign_algorithm_parse_data(session, data, data_size);
+ ret =
+ _gnutls_sign_algorithm_parse_data(session, data, data_size);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -97,15 +107,18 @@ int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t *data, unsig
* key algorithms instead of signatures. Get the public key algorithms
* from the signatures.
*/
- for (i=0;i<(unsigned)data_size;i+=2) {
- se = _gnutls_tls_aid_to_sign_entry(data[i], data[i+1], ver);
+ for (i = 0; i < (unsigned)data_size; i += 2) {
+ se = _gnutls_tls_aid_to_sign_entry(data[i], data[i + 1],
+ ver);
if (se == NULL)
continue;
- if (ctx->pk_algos_length >= sizeof(ctx->pk_algos)/sizeof(ctx->pk_algos[0]))
+ if (ctx->pk_algos_length >=
+ sizeof(ctx->pk_algos) / sizeof(ctx->pk_algos[0]))
break;
- if (is_algo_in_list(se->pk, ctx->pk_algos, ctx->pk_algos_length))
+ if (is_algo_in_list
+ (se->pk, ctx->pk_algos, ctx->pk_algos_length))
continue;
ctx->pk_algos[ctx->pk_algos_length++] = se->pk;
@@ -113,26 +126,31 @@ int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t *data, unsig
#ifdef ENABLE_OCSP
} else if (tls_id == ext_mod_status_request.tls_id) {
if (data_size != 0)
- return gnutls_assert_val(GNUTLS_E_TLS_PACKET_DECODING_ERROR);
+ return
+ gnutls_assert_val
+ (GNUTLS_E_TLS_PACKET_DECODING_ERROR);
/* we are now allowed to send OCSP staples */
session->internals.hsk_flags |= HSK_CLIENT_OCSP_REQUESTED;
#endif
} else if (tls_id == EXTID_CERTIFICATE_AUTHORITIES) {
if (data_size < 3) {
- return gnutls_assert_val(GNUTLS_E_TLS_PACKET_DECODING_ERROR);
+ return
+ gnutls_assert_val
+ (GNUTLS_E_TLS_PACKET_DECODING_ERROR);
}
v = _gnutls_read_uint16(data);
- if (v != data_size-2)
- return gnutls_assert_val(GNUTLS_E_TLS_PACKET_DECODING_ERROR);
+ if (v != data_size - 2)
+ return
+ gnutls_assert_val
+ (GNUTLS_E_TLS_PACKET_DECODING_ERROR);
- ctx->rdn = data+2;
+ ctx->rdn = data + 2;
ctx->rdn_size = v;
} else if (tls_id == ext_mod_compress_certificate.tls_id) {
ret = _gnutls_compress_certificate_recv_params(session,
- data,
- data_size);
+ data, data_size);
if (ret < 0) {
return gnutls_assert_val(ret);
}
@@ -141,7 +159,8 @@ int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t *data, unsig
return 0;
}
-int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buffer_st *buf)
+int _gnutls13_recv_certificate_request_int(gnutls_session_t session,
+ gnutls_buffer_st * buf)
{
int ret;
crt_req_ctx_st ctx;
@@ -149,7 +168,8 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buff
gnutls_privkey_t apr_pkey;
int apr_cert_list_length;
- _gnutls_handshake_log("HSK[%p]: parsing certificate request\n", session);
+ _gnutls_handshake_log("HSK[%p]: parsing certificate request\n",
+ session);
if (unlikely(session->security_parameters.entity == GNUTLS_SERVER))
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -158,7 +178,9 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buff
if (!session->internals.initial_negotiation_completed) {
if (buf->data[0] != 0) {
/* The context field must be empty during handshake */
- return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ return
+ gnutls_assert_val
+ (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
}
/* buf->length is positive */
@@ -172,8 +194,10 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buff
return gnutls_assert_val(ret);
gnutls_free(session->internals.post_handshake_cr_context.data);
- ret = _gnutls_set_datum(&session->internals.post_handshake_cr_context,
- context.data, context.size);
+ ret =
+ _gnutls_set_datum(&session->
+ internals.post_handshake_cr_context,
+ context.data, context.size);
if (ret < 0)
return gnutls_assert_val(ret);
}
@@ -181,7 +205,9 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buff
memset(&ctx, 0, sizeof(ctx));
ctx.session = session;
- ret = _gnutls_extv_parse(&ctx, parse_cert_extension, buf->data, buf->length);
+ ret =
+ _gnutls_extv_parse(&ctx, parse_cert_extension, buf->data,
+ buf->length);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -204,9 +230,14 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buff
if (apr_cert_list_length > 0) {
gnutls_sign_algorithm_t algo;
- algo = _gnutls_session_get_sign_algo(session, &apr_cert_list[0], apr_pkey, 0, GNUTLS_KX_UNKNOWN);
+ algo =
+ _gnutls_session_get_sign_algo(session, &apr_cert_list[0],
+ apr_pkey, 0,
+ GNUTLS_KX_UNKNOWN);
if (algo == GNUTLS_SIGN_UNKNOWN) {
- _gnutls_handshake_log("HSK[%p]: rejecting client auth because of no suitable signature algorithm\n", session);
+ _gnutls_handshake_log
+ ("HSK[%p]: rejecting client auth because of no suitable signature algorithm\n",
+ session);
_gnutls_selected_certs_deinit(session);
return gnutls_assert_val(0);
}
@@ -229,7 +260,10 @@ int _gnutls13_recv_certificate_request(gnutls_session_t session)
if (unlikely(session->security_parameters.entity != GNUTLS_CLIENT))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
- ret = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST, 1, &buf);
+ ret =
+ _gnutls_recv_handshake(session,
+ GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST, 1,
+ &buf);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -246,7 +280,7 @@ int _gnutls13_recv_certificate_request(gnutls_session_t session)
}
static
-int write_certificate_authorities(void *ctx, gnutls_buffer_st *buf)
+int write_certificate_authorities(void *ctx, gnutls_buffer_st * buf)
{
gnutls_session_t session = ctx;
gnutls_certificate_credentials_t cred;
@@ -266,15 +300,13 @@ int write_certificate_authorities(void *ctx, gnutls_buffer_st *buf)
return
_gnutls_buffer_append_data_prefix(buf, 16,
- cred->
- tlist->x509_rdn_sequence.
+ cred->tlist->x509_rdn_sequence.
data,
- cred->
- tlist->x509_rdn_sequence.
+ cred->tlist->x509_rdn_sequence.
size);
}
-static int append_empty_ext(void *ctx, gnutls_buffer_st *buf)
+static int append_empty_ext(void *ctx, gnutls_buffer_st * buf)
{
return GNUTLS_E_INT_RET_0;
}
@@ -300,30 +332,35 @@ int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again)
cred = (gnutls_certificate_credentials_t)
_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE);
if (cred == NULL)
- return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
+ return
+ gnutls_assert_val
+ (GNUTLS_E_INSUFFICIENT_CREDENTIALS);
ret = _gnutls_buffer_init_handshake_mbuffer(&buf);
if (ret < 0)
return gnutls_assert_val(ret);
- if (session->internals.initial_negotiation_completed) { /* reauth */
+ if (session->internals.initial_negotiation_completed) { /* reauth */
ret = gnutls_rnd(GNUTLS_RND_NONCE, rnd, sizeof(rnd));
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
- gnutls_free(session->internals.post_handshake_cr_context.data);
- ret = _gnutls_set_datum(&session->internals.post_handshake_cr_context,
- rnd, sizeof(rnd));
+ gnutls_free(session->
+ internals.post_handshake_cr_context.data);
+ ret =
+ _gnutls_set_datum(&session->
+ internals.post_handshake_cr_context,
+ rnd, sizeof(rnd));
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = _gnutls_buffer_append_data_prefix(&buf, 8,
- session->internals.post_handshake_cr_context.data,
- session->internals.post_handshake_cr_context.size);
+ session->internals.post_handshake_cr_context.data,
+ session->internals.post_handshake_cr_context.size);
} else {
ret = _gnutls_buffer_append_prefix(&buf, 8, 0);
}
@@ -341,23 +378,25 @@ int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again)
init_pos = ret;
ret = _gnutls_extv_append(&buf, ext_mod_sig.tls_id, session,
- (extv_append_func)_gnutls_sign_algorithm_write_params);
+ (extv_append_func)
+ _gnutls_sign_algorithm_write_params);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
- ret = _gnutls_extv_append(&buf, EXTID_CERTIFICATE_AUTHORITIES, session,
- write_certificate_authorities);
+ ret =
+ _gnutls_extv_append(&buf, EXTID_CERTIFICATE_AUTHORITIES,
+ session, write_certificate_authorities);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
-
#ifdef ENABLE_OCSP
/* We always advertise our support for OCSP stapling */
- ret = _gnutls_extv_append(&buf, ext_mod_status_request.tls_id, session,
- append_empty_ext);
+ ret =
+ _gnutls_extv_append(&buf, ext_mod_status_request.tls_id,
+ session, append_empty_ext);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -365,8 +404,11 @@ int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again)
session->internals.hsk_flags |= HSK_CLIENT_OCSP_REQUESTED;
#endif
- ret = _gnutls_extv_append(&buf, ext_mod_compress_certificate.tls_id, session,
- (extv_append_func)_gnutls_compress_certificate_send_params);
+ ret =
+ _gnutls_extv_append(&buf,
+ ext_mod_compress_certificate.tls_id,
+ session, (extv_append_func)
+ _gnutls_compress_certificate_send_params);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -383,11 +425,11 @@ int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again)
session->internals.hsk_flags |= HSK_CRT_REQ_SENT;
}
- return _gnutls_send_handshake(session, bufel, GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST);
+ return _gnutls_send_handshake(session, bufel,
+ GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST);
cleanup:
_gnutls_buffer_clear(&buf);
return ret;
}
-