diff options
Diffstat (limited to 'lib/tls13/certificate_verify.c')
-rw-r--r-- | lib/tls13/certificate_verify.c | 64 |
1 files changed, 42 insertions, 22 deletions
diff --git a/lib/tls13/certificate_verify.c b/lib/tls13/certificate_verify.c index 45ff6facfc..fdb9f6da0d 100644 --- a/lib/tls13/certificate_verify.c +++ b/lib/tls13/certificate_verify.c @@ -32,12 +32,12 @@ #define SRV_CTX "TLS 1.3, server CertificateVerify" static const gnutls_datum_t srv_ctx = { - (void*)SRV_CTX, sizeof(SRV_CTX)-1 + (void *)SRV_CTX, sizeof(SRV_CTX) - 1 }; #define CLI_CTX "TLS 1.3, client CertificateVerify" static const gnutls_datum_t cli_ctx = { - (void*)CLI_CTX, sizeof(CLI_CTX)-1 + (void *)CLI_CTX, sizeof(CLI_CTX) - 1 }; int _gnutls13_recv_certificate_verify(gnutls_session_t session) @@ -49,7 +49,8 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) gnutls_certificate_credentials_t cred; unsigned vflags; gnutls_pcert_st peer_cert; - cert_auth_info_t info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); + cert_auth_info_t info = + _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); bool server = 0; gnutls_certificate_type_t cert_type; @@ -64,13 +65,15 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) server = 1; cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE); + _gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE); if (unlikely(cred == NULL)) return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS); if (unlikely(info == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - ret = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY, 0, &buf); + ret = + _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY, + 0, &buf); if (ret < 0) return gnutls_assert_val(ret); @@ -82,9 +85,11 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) goto cleanup; } - se = _gnutls_tls_aid_to_sign_entry(buf.data[0], buf.data[1], get_version(session)); + se = _gnutls_tls_aid_to_sign_entry(buf.data[0], buf.data[1], + get_version(session)); if (se == NULL) { - _gnutls_handshake_log("Found unsupported signature (%d.%d)\n", (int)buf.data[0], (int)buf.data[1]); + _gnutls_handshake_log("Found unsupported signature (%d.%d)\n", + (int)buf.data[0], (int)buf.data[1]); ret = gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); goto cleanup; } @@ -94,8 +99,8 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) else gnutls_sign_algorithm_set_server(session, se->id); - buf.data+=2; - buf.length-=2; + buf.data += 2; + buf.length -= 2; /* we check during verification whether the algorithm is enabled */ @@ -122,10 +127,11 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) goto cleanup; } - vflags = cred->verify_flags | session->internals.additional_verify_flags; + vflags = + cred->verify_flags | session->internals.additional_verify_flags; ret = _gnutls13_handshake_verify_data(session, vflags, &peer_cert, - server?(&cli_ctx):(&srv_ctx), + server ? (&cli_ctx) : (&srv_ctx), &sig_data, se); if (ret < 0) { gnutls_assert(); @@ -153,7 +159,7 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) int apr_cert_list_length; mbuffer_st *bufel = NULL; gnutls_buffer_st buf; - gnutls_datum_t sig = {NULL, 0}; + gnutls_datum_t sig = { NULL, 0 }; gnutls_sign_algorithm_t algo; const gnutls_sign_entry_st *se; bool server = 0; @@ -171,13 +177,16 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) server = 1; ret = _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, &apr_pkey); + &apr_cert_list_length, + &apr_pkey); if (ret < 0) return gnutls_assert_val(ret); if (apr_cert_list_length == 0) { if (server) { - return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS); + return + gnutls_assert_val + (GNUTLS_E_INSUFFICIENT_CREDENTIALS); } else { /* for client, this means either we * didn't get a cert request or we are @@ -188,9 +197,15 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) } if (server) { - algo = _gnutls_session_get_sign_algo(session, &apr_cert_list[0], apr_pkey, 0, GNUTLS_KX_UNKNOWN); + algo = + _gnutls_session_get_sign_algo(session, + &apr_cert_list[0], + apr_pkey, 0, + GNUTLS_KX_UNKNOWN); if (algo == GNUTLS_SIGN_UNKNOWN) - return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY); + return + gnutls_assert_val + (GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY); gnutls_sign_algorithm_set_server(session, algo); } else { @@ -198,14 +213,16 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) * determined from Certificate Request */ algo = gnutls_sign_algorithm_get_client(session); if (unlikely(algo == GNUTLS_SIGN_UNKNOWN)) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + return + gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); } se = _gnutls_sign_to_entry(algo); - ret = _gnutls13_handshake_sign_data(session, &apr_cert_list[0], apr_pkey, - server?(&srv_ctx):(&cli_ctx), - &sig, se); + ret = + _gnutls13_handshake_sign_data(session, &apr_cert_list[0], + apr_pkey, server ? (&srv_ctx) + : (&cli_ctx), &sig, se); if (ret < 0) return gnutls_assert_val(ret); @@ -221,7 +238,9 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) goto cleanup; } - ret = _gnutls_buffer_append_data_prefix(&buf, 16, sig.data, sig.size); + ret = + _gnutls_buffer_append_data_prefix(&buf, 16, sig.data, + sig.size); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -232,7 +251,8 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) gnutls_free(sig.data); } - return _gnutls_send_handshake(session, bufel, GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY); + return _gnutls_send_handshake(session, bufel, + GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY); cleanup: gnutls_free(sig.data); |