diff options
Diffstat (limited to 'lib')
-rw-r--r-- | lib/auth_x509.c | 106 | ||||
-rw-r--r-- | lib/gnutls_record.c | 7 | ||||
-rw-r--r-- | lib/gnutls_ui.c | 3 | ||||
-rw-r--r-- | lib/gnutls_ui.h | 54 |
4 files changed, 66 insertions, 104 deletions
diff --git a/lib/auth_x509.c b/lib/auth_x509.c index b29adfb52b..054fc30a91 100644 --- a/lib/auth_x509.c +++ b/lib/auth_x509.c @@ -819,7 +819,7 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int /** * gnutls_x509pki_get_peer_dn - This function returns the peer's distinguished name - * @state: is a gnutls state + * @cert: should contain an X.509 DER encoded certificate * @ret: a pointer to a structure to hold the peer's name * * This function will return the name of the peer. The name is gnutls_DN structure and @@ -828,20 +828,13 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int * Returns a negative error code in case of an error. * **/ -int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret) +int gnutls_x509pki_extract_dn(const gnutls_datum* cert, gnutls_DN * ret) { - X509PKI_AUTH_INFO info; node_asn *c2; int result; - CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); - memset( ret, 0, sizeof(gnutls_DN)); - info = _gnutls_get_auth_info(state); - if (info == NULL) - return GNUTLS_E_INVALID_REQUEST; - if (asn1_create_structure (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, "certificate2") @@ -851,7 +844,7 @@ int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret) } - result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size); + result = asn1_get_der(c2, cert->data, cert->size); if (result != ASN_OK) { /* couldn't decode DER */ #ifdef DEBUG @@ -876,30 +869,23 @@ int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret) } /** - * gnutls_x509pki_get_issuer_dn - This function returns the peer's issuer distinguished name - * @state: is a gnutls state + * gnutls_x509pki_extract_issuer_dn - This function returns the certificate's issuer distinguished name + * @cert: should contain an X.509 DER encoded certificate * @ret: a pointer to a structure to hold the issuer's name * - * This function will return the name of the issuer of peer. The name is a gnutls_DN structure and + * This function will return the name of the issuer stated in the certificate. The name is a gnutls_DN structure and * is a obtained by the peer's certificate. If the certificate send by the * peer is invalid, or in any other failure this function returns error. * Returns a negative error code in case of an error. * **/ -int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret) +int gnutls_x509pki_extract_issuer_dn(const gnutls_datum* cert, gnutls_DN * ret) { - X509PKI_AUTH_INFO info; node_asn *c2; int result; - CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); - memset( ret, 0, sizeof(gnutls_DN)); - info = _gnutls_get_auth_info(state); - if (info == NULL) - return GNUTLS_E_INVALID_REQUEST; - if (asn1_create_structure (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, "certificate2") @@ -908,7 +894,7 @@ int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret) return GNUTLS_E_ASN1_ERROR; } - result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size); + result = asn1_get_der(c2, cert->data, cert->size); if (result != ASN_OK) { /* couldn't decode DER */ #ifdef DEBUG @@ -933,12 +919,14 @@ int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret) } /** - * gnutls_x509pki_get_subject_dns_name - This function returns the peer's dns name, if any - * @state: is a gnutls state + * gnutls_x509pki_extract_subject_dns_name - This function returns the peer's dns name, if any + * @cert: should contain an X.509 DER encoded certificate * @ret: is the place where dns name will be copied to * @ret_size: holds the size of ret. * - * This function will return the peer's alternative name (the dns part of it). + * This function will return the alternative name (the dns part of it), contained in the + * given certificate. + * * This is specified in X509v3 Certificate Extensions. * GNUTLS will only return the dnsName of the Alternative name, or a negative * error code. @@ -948,23 +936,15 @@ int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret) * If the certificate does not have a DNS name then returns GNUTLS_E_DATA_NOT_AVAILABLE; * **/ -int gnutls_x509pki_get_subject_dns_name(GNUTLS_STATE state, char* ret, int *ret_size) +int gnutls_x509pki_extract_subject_dns_name(const gnutls_datum* cert, char* ret, int *ret_size) { - X509PKI_AUTH_INFO info; int result; gnutls_datum dnsname; - CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(state); - if (info == NULL) - return GNUTLS_E_INVALID_REQUEST; - - memset(ret, 0, *ret_size); if ((result = - _gnutls_get_extension( &info->raw_certificate_list[0], "2 5 29 17", &dnsname)) < 0) { + _gnutls_get_extension( cert, "2 5 29 17", &dnsname)) < 0) { return result; } @@ -986,28 +966,20 @@ int gnutls_x509pki_get_subject_dns_name(GNUTLS_STATE state, char* ret, int *ret_ } /** - * gnutls_x509pki_get_peer_certificate_activation_time - This function returns the peer's certificate activation time - * @state: is a gnutls state + * gnutls_x509pki_extract_certificate_activation_time - This function returns the peer's certificate activation time + * @cert: should contain an X.509 DER encoded certificate * - * This function will return the peer's certificate activation time in UNIX time + * This function will return the certificate's activation time in UNIX time * (ie seconds since 00:00:00 UTC January 1, 1970). * Returns a (time_t) -1 in case of an error. * **/ -time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE - state) +time_t gnutls_x509pki_extract_certificate_activation_time(const gnutls_datum * cert) { - X509PKI_AUTH_INFO info; node_asn *c2; int result; time_t ret; - CHECK_AUTH(GNUTLS_X509PKI, -1); - - info = _gnutls_get_auth_info(state); - if (info == NULL) - return -1; - if (asn1_create_structure (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, "certificate2") @@ -1016,7 +988,7 @@ time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE return -1; } - result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size); + result = asn1_get_der(c2, cert->data, cert->size); if (result != ASN_OK) { /* couldn't decode DER */ #ifdef DEBUG @@ -1034,28 +1006,20 @@ time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE } /** - * gnutls_x509pki_get_peer_certificate_expiration_time - This function returns the peer's certificate expiration time - * @state: is a gnutls state + * gnutls_x509pki_extract_certificate_expiration_time - This function returns the certificate's expiration time + * @cert: should contain an X.509 DER encoded certificate * - * This function will return the peer's certificate expiration time in UNIX time + * This function will return the certificate's expiration time in UNIX time * (ie seconds since 00:00:00 UTC January 1, 1970). * Returns a (time_t) -1 in case of an error. * **/ -time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE - state) +time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum* cert) { - X509PKI_AUTH_INFO info; node_asn *c2; int result; time_t ret; - CHECK_AUTH(GNUTLS_X509PKI, -1); - - info = _gnutls_get_auth_info(state); - if (info == NULL) - return -1; - if (asn1_create_structure (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, "certificate2") @@ -1064,7 +1028,7 @@ time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE return -1; } - result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size); + result = asn1_get_der(c2, cert->data, cert->size); if (result != ASN_OK) { /* couldn't decode DER */ #ifdef DEBUG @@ -1082,26 +1046,18 @@ time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE } /** - * gnutls_x509pki_get_peer_certificate_version - This function returns the peer's certificate version - * @state: is a gnutls state + * gnutls_x509pki_extract_certificate_version - This function returns the certificate's version + * @cert: is an X.509 DER encoded certificate * - * This function will return the peer's certificate version (1, 2, 3). This is obtained by the X509 Certificate - * Version field. If the certificate is invalid then version will be zero. - * Returns a negative value in case of an error. + * This function will return the X.509 certificate's version (1, 2, 3). This is obtained by the X509 Certificate + * Version field. Returns a negative value in case of an error. * **/ -int gnutls_x509pki_get_peer_certificate_version(GNUTLS_STATE state) +int gnutls_x509pki_extract_certificate_version( const gnutls_datum* cert) { - X509PKI_AUTH_INFO info; node_asn *c2; int result; - CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(state); - if (info == NULL) - return GNUTLS_E_INVALID_REQUEST; - if (asn1_create_structure (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, "certificate2") @@ -1110,7 +1066,7 @@ int gnutls_x509pki_get_peer_certificate_version(GNUTLS_STATE state) return GNUTLS_E_ASN1_ERROR; } - result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size); + result = asn1_get_der(c2, cert->data, cert->size); if (result != ASN_OK) { /* couldn't decode DER */ #ifdef DEBUG diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index 381194c627..a49ca4b186 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c @@ -408,7 +408,9 @@ int gnutls_send_alert( GNUTLS_STATE state, AlertLevel level, AlertDescription de * * Sends an alert to the peer depending on the error code returned by a gnutls * function. All alerts sent by this function are fatal, so connection should - * be considered terminated after calling this function. + * be considered terminated after calling this function. The only exception + * is when err == GNUTLS_E_REHANDSHAKE, then a warning alert is sent to + * the peer indicating the no renegotiation will be performed. * * This function may also return GNUTLS_E_AGAIN, or GNUTLS_E_INTERRUPTED. * @@ -441,6 +443,9 @@ int ret = GNUTLS_E_UNIMPLEMENTED_FEATURE; case GNUTLS_E_UNEXPECTED_PACKET: ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_UNEXPECTED_MESSAGE); break; + case GNUTLS_E_REHANDSHAKE: + ret = gnutls_send_alert( state, GNUTLS_WARNING, GNUTLS_NO_RENEGOTIATION); + break; } return ret; diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index d1e7f4afa2..a2f4ae0032 100644 --- a/lib/gnutls_ui.c +++ b/lib/gnutls_ui.c @@ -105,7 +105,8 @@ int gnutls_anon_client_get_dh_bits(GNUTLS_STATE state) * @list_size: is the length of the certificate list * * This function will return the peer's raw certificate list as sent by the peer. - * These certificates are DER encoded. + * These certificates are DER encoded. The first certificate in the list is the peer's certificate, + * following the issuer's certificate, then the issuer's issuer etc. * Returns NULL in case of an error, or if no certificate was sent. * **/ diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h index 0f017729b4..431833288c 100644 --- a/lib/gnutls_ui.h +++ b/lib/gnutls_ui.h @@ -36,7 +36,7 @@ typedef struct { #define X509KEY_DECIPHER_ONLY 1 -# ifdef LIBGNUTLS_VERSION /* defined only in gnutls.h */ +# ifdef LIBGNUTLS_VERSION /* These are defined only in gnutls.h */ typedef int x509_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int); @@ -59,40 +59,40 @@ int gnutls_anon_client_get_dh_bits( GNUTLS_STATE state); int gnutls_set_x509_cert_callback( X509PKI_CREDENTIALS, x509_cert_callback_func *); int gnutls_x509pki_set_cert_request( GNUTLS_STATE, CertificateRequest); -int gnutls_x509pki_get_certificate_request_status( GNUTLS_STATE); -int gnutls_x509pki_get_peer_dn( GNUTLS_STATE, gnutls_DN*); +/* X.509 certificate handling functions */ +int gnutls_x509pki_extract_dn( const gnutls_datum*, gnutls_DN*); +int gnutls_x509pki_extract_issuer_dn( const gnutls_datum*, gnutls_DN *); +int gnutls_x509pki_extract_certificate_version( const gnutls_datum*); +time_t gnutls_x509pki_extract_certificate_activation_time( const gnutls_datum*); +time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum*); +int gnutls_x509pki_extract_subject_dns_name( const gnutls_datum*, char*, int*); + +/* get data from the state */ const gnutls_datum* gnutls_x509pki_get_peer_certificate_list( GNUTLS_STATE, int* list_size); -int gnutls_x509pki_get_issuer_dn( GNUTLS_STATE, gnutls_DN *); -int gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE); -int gnutls_x509pki_get_peer_certificate_version( GNUTLS_STATE); -time_t gnutls_x509pki_get_peer_certificate_activation_time( GNUTLS_STATE); -time_t gnutls_x509pki_get_peer_certificate_expiration_time( GNUTLS_STATE); -unsigned char gnutls_x509pki_get_key_usage( GNUTLS_STATE); -int gnutls_x509pki_get_subject_dns_name( GNUTLS_STATE, char*, int*); int gnutls_x509pki_get_dh_bits( GNUTLS_STATE); +int gnutls_x509pki_get_certificate_request_status( GNUTLS_STATE); +int gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE); #define gnutls_x509pki_server_get_dh_bits gnutls_x509pki_get_dh_bits #define gnutls_x509pki_client_get_dh_bits gnutls_x509pki_get_dh_bits -#define gnutls_x509pki_server_get_peer_dn gnutls_x509pki_get_peer_dn -#define gnutls_x509pki_server_get_issuer_dn gnutls_x509pki_get_issuer_dn +#define gnutls_x509pki_server_extract_dn gnutls_x509pki_extract_dn +#define gnutls_x509pki_server_extract_issuer_dn gnutls_x509pki_extract_issuer_dn #define gnutls_x509pki_server_get_peer_certificate_status gnutls_x509pki_get_peer_certificate_status -#define gnutls_x509pki_server_get_peer_certificate gnutls_x509pki_get_peer_certificate -#define gnutls_x509pki_server_get_peer_certificate_version gnutls_x509pki_get_peer_certificate_version -#define gnutls_x509pki_server_get_peer_certificate_activation_time gnutls_x509pki_get_peer_certificate_activation_time -#define gnutls_x509pki_server_get_peer_certificate_expiration_time gnutls_x509pki_get_peer_certificate_expiration_time -#define gnutls_x509pki_server_get_key_usage gnutls_x509pki_get_key_usage -#define gnutls_x509pki_server_get_subject_dns_name gnutls_x509pki_get_subject_dns_name - -#define gnutls_x509pki_client_get_peer_dn gnutls_x509pki_get_peer_dn -#define gnutls_x509pki_client_get_issuer_dn gnutls_x509pki_get_issuer_dn +#define gnutls_x509pki_server_get_peer_certificate_list gnutls_x509pki_get_peer_certificate_list +#define gnutls_x509pki_server_extract_certificate_version gnutls_x509pki_extract_certificate_version +#define gnutls_x509pki_server_extract_certificate_activation_time gnutls_x509pki_extract_certificate_activation_time +#define gnutls_x509pki_server_extract_certificate_expiration_time gnutls_x509pki_extract_certificate_expiration_time +#define gnutls_x509pki_server_extract_subject_dns_name gnutls_x509pki_extract_subject_dns_name + +#define gnutls_x509pki_client_extract_dn gnutls_x509pki_extract_dn +#define gnutls_x509pki_client_extract_issuer_dn gnutls_x509pki_extract_issuer_dn #define gnutls_x509pki_client_get_peer_certificate_status gnutls_x509pki_get_peer_certificate_status -#define gnutls_x509pki_client_get_peer_certificate gnutls_x509pki_get_peer_certificate -#define gnutls_x509pki_client_get_peer_certificate_version gnutls_x509pki_get_peer_certificate_version -#define gnutls_x509pki_client_get_peer_certificate_activation_time gnutls_x509pki_get_peer_certificate_activation_time -#define gnutls_x509pki_client_get_peer_certificate_expiration_time gnutls_x509pki_get_peer_certificate_expiration_time -#define gnutls_x509pki_client_get_key_usage gnutls_x509pki_get_key_usage -#define gnutls_x509pki_client_get_subject_dns_name gnutls_x509pki_get_subject_dns_name +#define gnutls_x509pki_client_get_peer_certificate_list gnutls_x509pki_get_peer_certificate_list +#define gnutls_x509pki_client_extract_certificate_version gnutls_x509pki_extract_certificate_version +#define gnutls_x509pki_client_extract_certificate_activation_time gnutls_x509pki_extract_certificate_activation_time +#define gnutls_x509pki_client_extract_certificate_expiration_time gnutls_x509pki_extract_certificate_expiration_time +#define gnutls_x509pki_client_extract_subject_dns_name gnutls_x509pki_extract_subject_dns_name # endif /* LIBGNUTLS_VERSION */ |