From 9a6a00a2d7bbfefdedc08a07bfb608647539cff1 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 13 Feb 2003 09:23:24 +0000 Subject: Added option to allow an X.509 server not to send the trusted CA list to the peer. --- README | 2 +- doc/TODO | 1 - lib/auth_cert.c | 16 +++++++++------- lib/gnutls_int.h | 7 ++++++- lib/gnutls_state.c | 18 ++++++++++++++++++ lib/gnutls_x509.c | 3 ++- 6 files changed, 36 insertions(+), 11 deletions(-) diff --git a/README b/README index 9c530d07c2..4c5e1949b4 100644 --- a/README +++ b/README @@ -15,7 +15,7 @@ implementation for the GNU project. ftp://ftp.gnutls.org/pub/gnutls/opencdk/ - Documentation: - view the doc/ directory and the examples in the src/ directory. + view the doc/ directory and the examples in the doc/examples directory. **************************** diff --git a/doc/TODO b/doc/TODO index 5b2bf93aae..75e7d34649 100644 --- a/doc/TODO +++ b/doc/TODO @@ -4,7 +4,6 @@ in order to avoid having people working on the same thing. Current list: + Add ability to read PKCS-12 structures (certificate and private key) -* Allow sending any client certificate. Not only the ones requested. * Convert documentation to texinfo format * Audit the code * Add GPGSM certificate manager support diff --git a/lib/auth_cert.c b/lib/auth_cert.c index 92db8cc80f..e6fe3054cc 100644 --- a/lib/auth_cert.c +++ b/lib/auth_cert.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos + * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos * - * This file is part of GNUTLS. + * This file is part of GNUTLS. * * The GNUTLS library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -326,7 +326,7 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session, * of X509 certificates. */ if (gnutls_certificate_type_get(session) == - GNUTLS_CRT_X509) { + GNUTLS_CRT_X509 && issuers_dn_len > 0) { data = _data; data_size = _data_size; 
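Review bot: The added `issuers_dn_len > 0` test silently widens the client's certificate selection: when the server's certificate_authorities list is empty the X.509 branch is skipped and control appears to reach the branch that sets `issuers_dn_len = 0; issuers_dn = NULL;`, so every certificate in `cred` is handed to the callback with no issuer matching at all, and nothing at this point says so. A comment above the condition would prevent the next reader from assuming the else branch is only for non-X.509 types, as its existing `/* Other certificate types */` label claims: `/* An empty certificate_authorities list means the server accepts any CA; skip issuer matching. */`. Note that RFC 2246 section 7.4.4 declares that vector with a 3-byte minimum, so accepting an empty list is lenient relative to TLS 1.0 and worth stating where the empty case is first tolerated. `_gnutls_find_acceptable_client_cert` begins and ends outside this hunk, and the code that computes `issuers_dn_len` is not visible here.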
@@ -354,7 +354,7 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session, } - } else { /* Other certificate types */ + } else { /* Other certificate types */ issuers_dn_len = 0; issuers_dn = NULL; } @@ -369,7 +369,7 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session, /* put our certificate's issuer and dn into cdn, idn * Note that the certificates we provide to the callback * are not all the certificates we have. Only the certificates - * that are requested by the server (CA matches - and sign + * that are requested by the server (certificate type - and sign * algorithm matches), are provided. */ for (j = i = 0; i < cred->ncerts; i++) { @@ -1181,7 +1181,8 @@ int _gnutls_gen_cert_server_cert_req(gnutls_session session, size = CERTTYPE_SIZE + 2; /* 2 for gnutls_certificate_type + 2 for size of rdn_seq */ - if (session->security_parameters.cert_type == GNUTLS_CRT_X509) + if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && + session->internals.ignore_rdn_sequence == 0) size += cred->x509_rdn_sequence.size; (*data) = gnutls_malloc(size); @@ -1198,7 +1199,8 @@ int _gnutls_gen_cert_server_cert_req(gnutls_session session, pdata[2] = DSA_SIGN; /* only these for now */ pdata += CERTTYPE_SIZE; - if (session->security_parameters.cert_type == GNUTLS_CRT_X509) { + if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && + session->internals.ignore_rdn_sequence == 0) { _gnutls_write_datum16(pdata, cred->x509_rdn_sequence); pdata += cred->x509_rdn_sequence.size + 2; } diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index a5ac45c5cd..8f845c71a1 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -563,7 +563,7 @@ typedef struct { */ uint16 extensions_sent[MAX_EXT_TYPES]; uint16 extensions_sent_size; - + /* is 0 if we are to send the whole PGP key, or non zero * if the fingerprint is to be sent. */ 
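Review bot: When `ignore_rdn_sequence` is non-zero the two bytes that `size = CERTTYPE_SIZE + 2` still reserves for the certificate_authorities length are never written, because the only writer of that field, the `_gnutls_write_datum16` call, is now guarded by the same condition; unless code after this hunk fills them, the CertificateRequest is sent with two bytes of whatever `gnutls_malloc` returned where a zero-length vector should be, which is both a malformed message and a small heap disclosure to an unauthenticated peer. The fix is an `else` on the new condition that emits the empty vector explicitly: `} else { pdata[0] = 0; pdata[1] = 0; pdata += 2; }`. The same gap appears to predate this commit for non-X.509 certificate types, where the `if` was already false. `_gnutls_gen_cert_server_cert_req` continues past the end of the hunk, so its return value and any later writes into `*data` are not visible here.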
@@ -593,6 +593,11 @@ typedef struct { * openpgp key. (if the peer sends a fingerprint) */ gnutls_openpgp_recv_key_func openpgp_recv_key_func; + + /* If non zero the server will not advertize the CA's he + * trusts (do not send an RDN sequence). + */ + int ignore_rdn_sequence; /* If you add anything here, check _gnutls_handshake_internal_state_clear(). */ diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c index b5863869d8..e10da9b335 100644 --- a/lib/gnutls_state.c +++ b/lib/gnutls_state.c @@ -450,6 +450,24 @@ void gnutls_openpgp_send_key(gnutls_session session, gnutls_openpgp_key_status s session->internals.pgp_fingerprint = status; } +/** + * gnutls_certificate_send_x509_rdn_sequence - This function will order gnutls to or not to send the x.509 rdn sequence + * @session: is a pointer to a &gnutls_session structure. + * @status: is 0 or 1 + * + * If status is non zero, this function will order gnutls not to send the rdnSequence + * in the certificate request message. That is the server will not advertize + * it's trusted CAs to the peer. If status is zero then the default behaviour will + * take effect, which is to advertize the server's trusted CAs. + * + * This function has no effect in clients, and in authentication methods other than + * certificate with X.509 certificates. + * + **/ +void gnutls_certificate_send_x509_rdn_sequence(gnutls_session session, int status) { + session->internals.ignore_rdn_sequence = status; +} + int _gnutls_openpgp_send_fingerprint(gnutls_session session) { return session->internals.pgp_fingerprint; } diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index 6cb8aee7f5..e0294318ac 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c 
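Review bot: The comment on the new `ignore_rdn_sequence` field should say whether it is session-lifetime or per-handshake state, since the line directly below it asks every added field to be checked against `_gnutls_handshake_internal_state_clear()` and this commit does not touch that function (the gnutls_state.c hunk only adds the setter). If the intent is that the option set through `gnutls_certificate_send_x509_rdn_sequence()` survives a rehandshake, as the `pgp_fingerprint` flag set by `gnutls_openpgp_send_key()` presumably does, state it: `/* Non-zero: do not send the certificate_authorities (rdnSequence) list in CertificateRequest. Session-lifetime setting; deliberately not reset by _gnutls_handshake_internal_state_clear(). */`. If it is meant to be per-handshake, that function needs the reset added. The enclosing struct starts and ends outside this hunk.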
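Review bot: The new function's name inverts its argument: `gnutls_certificate_send_x509_rdn_sequence(session, 1)` reads as "send the list" but stores 1 into `ignore_rdn_sequence`, that is it suppresses the list, and the docblock only conveys this in the middle of a paragraph. Since the name is now public API, at least lead the docblock with the inversion, e.g. `@status: non-zero to OMIT the certificate_authorities list from CertificateRequest; 0 (default) to send it`, and say why a server would want this: the CertificateRequest travels in the clear before the client is authenticated, so the list discloses the server's trust anchors to any connecting peer. The trade-off also belongs in the docblock so callers can judge it: with the list omitted the client chooses a certificate without issuer guidance (see the auth_cert.c change in this commit), and peers implementing RFC 2246 strictly, whose certificate_authorities vector has a 3-byte minimum, may reject an empty list. Minor: `it's trusted CAs` should read `its trusted CAs`.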
@@ -742,7 +742,8 @@ int gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials res, con return 0; } -static int generate_rdn_seq( gnutls_certificate_credentials res) { +static int generate_rdn_seq( gnutls_certificate_credentials res) +{ gnutls_const_datum tmp; gnutls_datum _tmp; int ret; -- cgit v1.2.1