From f4fcde5c4eb58ea592cf5e3f0cc41534a7e73b46 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 4 Dec 2001 10:57:03 +0000 Subject: moving gnutls_DN structures out of gnutls_cert and auth_info structures. Now they are generated upon request. --- lib/auth_x509.c | 169 ++++++++++++++++++++++++++++++++++++++++--------- lib/auth_x509.h | 2 - lib/debug.c | 5 ++ lib/debug.h | 1 + lib/gnutls_cert.c | 94 ++++++++------------------- lib/gnutls_cert.h | 12 ++-- lib/gnutls_handshake.c | 32 +++------- lib/gnutls_int.h | 8 ++- lib/gnutls_record.c | 24 +++++-- lib/gnutls_ui.c | 163 ++++++++++++++++++++++------------------------- lib/gnutls_ui.h | 8 +-- lib/x509_extensions.c | 2 +- src/cli.c | 24 +++---- src/serv.c | 25 ++++---- 14 files changed, 310 insertions(+), 259 deletions(-) diff --git a/lib/auth_x509.c b/lib/auth_x509.c index 4c134dadf3..cf3e22c292 100644 --- a/lib/auth_x509.c +++ b/lib/auth_x509.c @@ -45,10 +45,6 @@ int _gnutls_copy_x509_client_auth_info( X509PKI_AUTH_INFO info, gnutls_cert* cer */ int ret; - memcpy( &info->peer_dn, &cert->cert_info, sizeof(gnutls_DN)); - memcpy( &info->issuer_dn, &cert->issuer_info, sizeof(gnutls_DN)); - - info->peer_certificate_status = verify; info->peer_certificate_version = cert->version; @@ -312,7 +308,7 @@ int data_size = _data_size; * choose of certificate, otherwise (-1), he * will be prompted to choose one. */ - try = cred->client_cert_callback( NULL, NULL, 0, NULL, 0); + try = cred->client_cert_callback( NULL, 0, NULL, 0); } if (try>=0) @@ -357,18 +353,13 @@ int data_size = _data_size; } while (1); if (indx==-1 && cred->client_cert_callback!=NULL && cred->ncerts > 0) {/* use a callback to get certificate */ - gnutls_DN *cdn=NULL; - gnutls_DN *idn=NULL; - gnutls_DN *req_dn=NULL; - gnutls_datum tmp; + gnutls_datum *my_certs=NULL; + gnutls_datum *issuers_dn=NULL; int count; - cdn = gnutls_malloc( cred->ncerts* sizeof(gnutls_DN)); - if (cdn==NULL) goto clear; + my_certs = gnutls_malloc( cred->ncerts* sizeof(gnutls_datum)); + if (my_certs==NULL) goto clear; - idn = gnutls_malloc( cred->ncerts* sizeof(gnutls_DN)); - if (idn==NULL) goto clear; - /* put the requested DNs to req_dn */ data = _data; @@ -384,13 +375,14 @@ int data_size = _data_size; data += 2; - req_dn = gnutls_realloc_fast( req_dn, (count+1)*sizeof(gnutls_DN)); - if (req_dn==NULL) goto clear; + issuers_dn = gnutls_realloc_fast( issuers_dn, (count+1)*sizeof(gnutls_datum)); + if (issuers_dn==NULL) goto clear; + + issuers_dn->data = data; + issuers_dn->size = size; + + count++; /* otherwise we have failed */ - tmp.data = data; - tmp.size = size; - if (_gnutls_dn2gnutlsdn( &req_dn[count], &tmp)==0) - count++; /* otherwise we have failed */ data+=size; if (data_size==0) break; @@ -400,15 +392,13 @@ int data_size = _data_size; /* put our certificate's issuer and dn into cdn, idn */ for(i=0;incerts;i++) { - memcpy( &cdn[i], &cred->cert_list[i][0].cert_info, sizeof(gnutls_DN)); - memcpy( &idn[i], &cred->cert_list[i][0].issuer_info, sizeof(gnutls_DN)); + my_certs[i] = cred->cert_list[i][0].raw; } - indx = cred->client_cert_callback( cdn, idn, cred->ncerts, req_dn, count); + indx = cred->client_cert_callback( my_certs, cred->ncerts, issuers_dn, count); clear: - gnutls_free(cdn); - gnutls_free(req_dn); - gnutls_free(idn); + gnutls_free(my_certs); + gnutls_free(issuers_dn); } *ind = indx; return 0; @@ -906,13 +896,10 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int *apr_cert_list_length = 0; *apr_pkey = NULL; } else { - const char* dnsname = gnutls_ext_get_name_ind( state, GNUTLS_DNSNAME); - if (dnsname==NULL) dnsname=""; ind = - _gnutls_find_cert_list_index(cred->cert_list, - cred->ncerts, - dnsname); + _gnutls_find_cert_list_index(state, cred->cert_list, + cred->ncerts); if (ind < 0) { *apr_cert_list = NULL; @@ -947,3 +934,123 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int return 0; } + +#define CHECK_AUTH(auth, ret) if (gnutls_get_auth_type(state) != auth) { \ + gnutls_assert(); \ + return ret; \ + } + +/** + * gnutls_x509pki_get_peer_dn - This function returns the peer's distinguished name + * @state: is a gnutls state + * @ret: a pointer to a structure to hold the peer's name + * + * This function will return the name of the peer. The name is gnutls_DN structure and + * is a obtained by the peer's certificate. If the certificate send by the + * peer is invalid, or in any other failure this function returns error. + * Returns a negative error code in case of an error. + * + **/ +int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret) +{ + X509PKI_AUTH_INFO info; + node_asn *c2; + int result; + + CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); + + memset( ret, 0, sizeof(gnutls_DN)); + + info = _gnutls_get_auth_info(state); + if (info == NULL) + return GNUTLS_E_INVALID_REQUEST; + + if (asn1_create_structure + (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, + "certificate2") + != ASN_OK) { + gnutls_assert(); + return GNUTLS_E_ASN1_ERROR; + } + + + result = asn1_get_der(c2, info->raw_certificate.data, info->raw_certificate.size); + if (result != ASN_OK) { + /* couldn't decode DER */ +#ifdef DEBUG + _gnutls_log("Decoding error %d\n", result); +#endif + gnutls_assert(); + asn1_delete_structure(c2); + return GNUTLS_E_ASN1_PARSING_ERROR; + } + if ((result = + _gnutls_get_name_type(c2, + "certificate2.tbsCertificate.subject", + ret)) < 0) { + gnutls_assert(); + asn1_delete_structure(c2); + return result; + } + + asn1_delete_structure(c2); + + return 0; +} + +/** + * gnutls_x509pki_get_issuer_dn - This function returns the peer's issuer distinguished name + * @state: is a gnutls state + * @ret: a pointer to a structure to hold the issuer's name + * + * This function will return the name of the issuer of peer. The name is a gnutls_DN structure and + * is a obtained by the peer's certificate. If the certificate send by the + * peer is invalid, or in any other failure this function returns error. + * Returns a negative error code in case of an error. + * + **/ +int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret) +{ + X509PKI_AUTH_INFO info; + node_asn *c2; + int result; + + CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); + + memset( ret, 0, sizeof(gnutls_DN)); + + info = _gnutls_get_auth_info(state); + if (info == NULL) + return GNUTLS_E_INVALID_REQUEST; + + if (asn1_create_structure + (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, + "certificate2") + != ASN_OK) { + gnutls_assert(); + return GNUTLS_E_ASN1_ERROR; + } + + result = asn1_get_der(c2, info->raw_certificate.data, info->raw_certificate.size); + if (result != ASN_OK) { + /* couldn't decode DER */ +#ifdef DEBUG + _gnutls_log("Decoding error %d\n", result); +#endif + gnutls_assert(); + asn1_delete_structure(c2); + return GNUTLS_E_ASN1_PARSING_ERROR; + } + if ((result = + _gnutls_get_name_type(c2, + "certificate2.tbsCertificate.issuer", + ret)) < 0) { + gnutls_assert(); + asn1_delete_structure(c2); + return result; + } + + asn1_delete_structure(c2); + + return 0; +} diff --git a/lib/auth_x509.h b/lib/auth_x509.h index 25a831fd8b..27385a5705 100644 --- a/lib/auth_x509.h +++ b/lib/auth_x509.h @@ -44,8 +44,6 @@ typedef struct { #define X509PKI_CREDENTIALS X509PKI_CREDENTIALS_INT* typedef struct X509PKI_AUTH_INFO_INT { - gnutls_DN peer_dn; - gnutls_DN issuer_dn; CertificateStatus peer_certificate_status; int peer_certificate_version; time_t peer_certificate_activation_time; diff --git a/lib/debug.c b/lib/debug.c index 3a20501955..bcaccf7d6a 100644 --- a/lib/debug.c +++ b/lib/debug.c @@ -218,4 +218,9 @@ static char str[512]; return str; } + +const char* GET_CN( gnutls_datum cert) { + return NULL; /* FIXME */ +} + #endif diff --git a/lib/debug.h b/lib/debug.h index 85ad14b261..f95145d84d 100644 --- a/lib/debug.h +++ b/lib/debug.h @@ -25,4 +25,5 @@ void _gnutls_dump_mpi(char* prefix,MPI a); char* _gnutls_packet2str( int packet); char* _gnutls_alert2str( int alert); char* _gnutls_handshake2str( int handshake); +char* GET_CN( gnutls_datum); #endif diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 86c7b572cb..789b54b7f8 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -820,7 +820,9 @@ static int _gnutls_get_version(node_asn * c2, char *root) #endif /* This function will convert a der certificate, to a format - * (structure) that gnutls can understand and use. + * (structure) that gnutls can understand and use. Actually the + * important thing on this function is that it extracts the + * certificate's (public key) parameters. */ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert) { @@ -924,18 +926,6 @@ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert) gCert->signature_size = len; - memset(&gCert->cert_info, 0, sizeof(gCert->cert_info)); - memset(&gCert->issuer_info, 0, sizeof(gCert->issuer_info)); - - if ((result = - _gnutls_get_name_type(c2, - "certificate2.tbsCertificate.subject", - &gCert->cert_info)) < 0) { - gnutls_assert(); - asn1_delete_structure(c2); - return result; - } - memset(&gCert->subjectAltDNSName, 0, sizeof(gCert->subjectAltDNSName)); if ((result = @@ -947,16 +937,6 @@ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert) return result; } - if ((result = - _gnutls_get_name_type(c2, - "certificate2.tbsCertificate.issuer", - &gCert->issuer_info)) < 0) { - gnutls_assert(); - asn1_delete_structure(c2); - return result; - } - - gCert->expiration_time = _gnutls_get_time(c2, "certificate2", "notAfter"); gCert->activation_time = @@ -982,7 +962,7 @@ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert) /* Returns 0 if it's ok to use the KXAlgorithm with this cert * (using KeyUsage field). */ -int _gnutls_check_x509_key_usage(gnutls_cert * cert, KXAlgorithm alg) +int _gnutls_check_x509_key_usage(const gnutls_cert * cert, KXAlgorithm alg) { if (_gnutls_map_kx_get_cred(alg) == GNUTLS_X509PKI) { switch (alg) { @@ -1022,7 +1002,7 @@ int _gnutls_check_x509_key_usage(gnutls_cert * cert, KXAlgorithm alg) * This function also uses the KeyUsage field of the certificate * extensions in order to disable unneded algorithms. */ -int _gnutls_cert_supported_kx(gnutls_cert * cert, KXAlgorithm ** alg, +int _gnutls_cert_supported_kx(const gnutls_cert * cert, KXAlgorithm ** alg, int *alg_size) { KXAlgorithm kx; @@ -1052,53 +1032,30 @@ int _gnutls_cert_supported_kx(gnutls_cert * cert, KXAlgorithm ** alg, return 0; } -/* finds a certificate in the cert lists that contains - * common_name (or subjectAltDNSName) field similar to name +/* finds the most appropriate certificate in the cert list. + * The 'appropriate' is defined by the user. + * FIXME: provide user callback. */ -gnutls_cert *_gnutls_find_cert(gnutls_cert ** cert_list, - int cert_list_length, const char *name) +const gnutls_cert *_gnutls_find_cert( GNUTLS_STATE state, gnutls_cert ** cert_list, + int cert_list_length) { - gnutls_cert *cert = NULL; int i; - for (i = 0; i < cert_list_length; i++) { - if (cert_list[i][0].cert_info.common_name[0] != 0 - || cert_list[i][0].subjectAltDNSName[0] != 0) { - if (strcasecmp - (cert_list[i][0].cert_info.common_name, - name) == 0 - || strcasecmp(cert_list[i][0]. - subjectAltDNSName, name) == 0) { - cert = &cert_list[i][0]; - break; - } - } - } - return cert; + i = _gnutls_find_cert_list_index( state, cert_list, cert_list_length); + if (i<0) return NULL; + + return &cert_list[i][0]; } -/* finds the index of a certificate in the cert lists that contains - * common_name (or subjectAltDNSName) field similar to name +/* finds the most appropriate certificate in the cert list. + * The 'appropriate' is defined by the user. + * FIXME: provide user callback. */ -int _gnutls_find_cert_list_index(gnutls_cert ** cert_list, - int cert_list_length, const char *name) +int _gnutls_find_cert_list_index( GNUTLS_STATE state, gnutls_cert ** cert_list, + int cert_list_length) { int index = 0; - int i; - for (i = 0; i < cert_list_length; i++) { - if (cert_list[i][0].cert_info.common_name[0] != 0 - || cert_list[i][0].subjectAltDNSName[0] != 0) { - if (strcasecmp - (cert_list[i][0].cert_info.common_name, - name) == 0 - || strcasecmp(cert_list[i][0]. - subjectAltDNSName, name) == 0) { - index = i; - break; - } - } - } return index; } @@ -1127,16 +1084,15 @@ int gnutls_x509pki_set_cert_request(GNUTLS_STATE state, * @func: is the callback function * * The callback's function form is: - * int (*callback)(gnutls_DN *client_cert, gnutls_DN *issuer_cert, int ncerts, gnutls_DN* req_ca_cert, int nreqs); + * int (*callback)(gnutls_datum *client_cert, int ncerts, gnutls_datum* req_ca_cert, int nreqs); * - * 'client_cert' contains 'ncerts' gnutls_DN structures which hold - * DN data from the client certificate. 'issuer_cert' holds DN data - * for the issuer of the certificate. Ie. issuer_cert[i] is the issuer of - * client_cert[i]. (i < ncerts) + * 'client_cert' contains 'ncerts' gnutls_datum structures which hold + * the DER encoded X.509 certificates of the client. * - * 'req_ca_cert' contains a list with the CA certificates that the server + * 'req_ca_cert' contains a list with the CA names that the server * considers trusted. Normaly we should send a certificate that is signed - * by one of these CAs. + * by one of these CAs. These names are DER encoded. To get a more + * meaningful value use the function _gnutls_dn2gnutlsdn(). * * This function specifies what we (in case of a client) are going * to do when we have to send a certificate. If this callback diff --git a/lib/gnutls_cert.h b/lib/gnutls_cert.h index b9743ad9fc..2b9365e02b 100644 --- a/lib/gnutls_cert.h +++ b/lib/gnutls_cert.h @@ -12,8 +12,6 @@ typedef struct gnutls_cert { */ PKAlgorithm subject_pk_algorithm; - gnutls_DN cert_info; - gnutls_DN issuer_info; opaque subjectAltDNSName[X509_CN_SIZE]; int subjectAltDNSName_size; @@ -47,18 +45,18 @@ typedef struct { gnutls_datum raw; /* the raw key */ } gnutls_private_key; +struct GNUTLS_STATE_INT; /* because GNUTLS_STATE is not defined when this file is included */ -int _gnutls_cert_supported_kx(gnutls_cert* cert, KXAlgorithm **alg, int *alg_size); +int _gnutls_cert_supported_kx( const gnutls_cert* cert, KXAlgorithm **alg, int *alg_size); PKAlgorithm _gnutls_map_pk_get_pk(KXAlgorithm kx_algorithm); int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert); -gnutls_cert* _gnutls_find_cert( gnutls_cert** cert_list, int cert_list_length, const char* name); -int _gnutls_find_cert_list_index(gnutls_cert ** cert_list, - int cert_list_length, const char *name); +const gnutls_cert* _gnutls_find_cert( struct GNUTLS_STATE_INT*, gnutls_cert** cert_list, int cert_list_length); +int _gnutls_find_cert_list_index( struct GNUTLS_STATE_INT*, gnutls_cert ** cert_list, int cert_list_length); #define MAX_INT_DIGITS 4 void _gnutls_int2str(int k, char* data); int _gnutls_get_name_type( node_asn *rasn, char *root, gnutls_DN * dn); void gnutls_free_cert(gnutls_cert cert); -int _gnutls_check_x509_key_usage(gnutls_cert * cert, KXAlgorithm alg); +int _gnutls_check_x509_key_usage( const gnutls_cert * cert, KXAlgorithm alg); #endif diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index ef9e339d0e..3557b5dec0 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -1870,11 +1870,10 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state, GNUTLS_CipherSuite *newSuite; int newSuiteSize = 0, i, j, keep; const X509PKI_CREDENTIALS x509_cred; - gnutls_cert *cert = NULL; + const gnutls_cert *cert = NULL; KXAlgorithm *alg; int alg_size; KXAlgorithm kx; - const char *dnsname; if (state->security_parameters.entity == GNUTLS_CLIENT) return 0; @@ -1891,23 +1890,18 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state, /* if x509_cred==NULL we should remove all X509 ciphersuites */ - /* find the certificate that has dnsname in the subject - * name or subject Alternative name. - */ - cert = NULL; - dnsname = gnutls_ext_get_name_ind(state, GNUTLS_DNSNAME); - if (dnsname != NULL && dnsname[0] != 0) { - cert = - (gnutls_cert *) _gnutls_find_cert(x509_cred->cert_list, - x509_cred->ncerts, - dnsname); - } - if (cert == NULL && x509_cred->cert_list != NULL) { /* if no such cert, use the first in the list - */ - cert = &x509_cred->cert_list[0][0]; + cert = + _gnutls_find_cert(state, x509_cred->cert_list, + x509_cred->ncerts); + if (cert == NULL) { + /* No certificate was found + */ + alg_size = 0; + alg = NULL; + } else { /* get all the key exchange algorithms that are * supported by the X509 certificate parameters. */ @@ -1917,14 +1911,8 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state, gnutls_assert(); return ret; } - } else { - /* No certificate was found - */ - alg_size = 0; - alg = NULL; } - newSuite = gnutls_malloc(numCipherSuites * sizeof(GNUTLS_CipherSuite)); if (newSuite==NULL) { diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index dd133b29ea..1aacd4058f 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -31,9 +31,9 @@ #define WRITE_DEBUG #define READ_DEBUG #define HANDSHAKE_DEBUG // Prints some information on handshake -#define RECORD_DEBUG +#define RECORD_DEBUG*/ #define DEBUG -*/ + /* It might be a good idea to replace int with void* * here. @@ -338,6 +338,8 @@ typedef struct { #define CompressionMethod_Priority GNUTLS_Priority #define Protocol_Priority GNUTLS_Priority +typedef int x509_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int); + typedef struct { opaque header[HANDSHAKE_HEADER_SIZE]; /* this holds the number of bytes in the handshake_header[] */ @@ -449,7 +451,7 @@ typedef struct { /* this is a callback function to call if no appropriate * client certificates were found. */ - int (*x509_client_cert_callback)(void*,void*,int, void*, int); + x509_cert_callback_func* x509_client_cert_callback; gnutls_cert peer_cert; int max_handshake_data_buffer_size; diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index 1875e5d322..573fe79677 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c @@ -432,6 +432,15 @@ int ret = GNUTLS_E_UNIMPLEMENTED_FEATURE; case GNUTLS_E_ILLEGAL_PARAMETER: ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_ILLEGAL_PARAMETER); break; + case GNUTLS_E_ASN1_PARSING_ERROR: + ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_BAD_CERTIFICATE); + break; + case GNUTLS_E_UNKNOWN_CIPHER_SUITE: + ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_HANDSHAKE_FAILURE); + break; + case GNUTLS_E_UNEXPECTED_PACKET: + ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_UNEXPECTED_MESSAGE); + break; } return ret; @@ -448,10 +457,10 @@ int ret = GNUTLS_E_UNIMPLEMENTED_FEATURE; * * in case of GNUTLS_SHUT_RDWR then the connection gets terminated and * further receives and sends will be disallowed. If the return - * value is zero you may continue using the TCP connection. + * value is zero you may continue using the connection. * * in case of GNUTLS_SHUT_WR then the connection gets terminated and - * further sends will be disallowed. In order to reuse the TCP connection + * further sends will be disallowed. In order to reuse the connection * you should wait for an EOF from the peer. * * This function may also return GNUTLS_E_AGAIN, or GNUTLS_E_INTERRUPTED. @@ -1111,7 +1120,8 @@ AlertDescription gnutls_get_last_alert( GNUTLS_STATE state) { * @sizeofdata: is the length of the data * * This function has the same semantics as write() has. The only - * difference is that is accepts a GNUTLS state. + * difference is that is accepts a GNUTLS state, and uses different + * error codes. * * If the EINTR is returned by the internal push function (write()) * then GNUTLS_E_INTERRUPTED, will be returned. If GNUTLS_E_INTERRUPTED or @@ -1132,10 +1142,10 @@ ssize_t gnutls_write( GNUTLS_STATE state, const void *data, size_t sizeofdata) { * @data: contains the data to send * @sizeofdata: is the length of the data * - * This function has the same semantics as read() has. The only - * difference is that is accepts a GNUTLS state. - * Returns the number of bytes received, zero on EOF, or - * a negative error code. + * This function has the same semantics as write() has. The only + * difference is that is accepts a GNUTLS state. + * Also returns the number of bytes received, zero on EOF, but + * a negative error code in case of an error. * * If this function returns GNUTLS_E_REHANDSHAKE, then you must * either send an alert containing NO_RENEGOTIATION, or perform a diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index 7bb796b275..fb8fce623e 100644 --- a/lib/gnutls_ui.c +++ b/lib/gnutls_ui.c @@ -40,13 +40,15 @@ * Returns NULL in case of an error. * **/ -const char* gnutls_srp_server_get_username( GNUTLS_STATE state) { -SRP_SERVER_AUTH_INFO info; +const char *gnutls_srp_server_get_username(GNUTLS_STATE state) +{ + SRP_SERVER_AUTH_INFO info; CHECK_AUTH(GNUTLS_SRP, NULL); - info = _gnutls_get_auth_info(state); - if (info==NULL) return NULL; + info = _gnutls_get_auth_info(state); + if (info == NULL) + return NULL; return info->username; } @@ -61,13 +63,15 @@ SRP_SERVER_AUTH_INFO info; * Returns a negative value in case of an error. * **/ -int gnutls_anon_server_get_dh_bits( GNUTLS_STATE state) { -ANON_SERVER_AUTH_INFO info; +int gnutls_anon_server_get_dh_bits(GNUTLS_STATE state) +{ + ANON_SERVER_AUTH_INFO info; CHECK_AUTH(GNUTLS_ANON, GNUTLS_E_INVALID_REQUEST); - info = _gnutls_get_auth_info(state); - if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; + info = _gnutls_get_auth_info(state); + if (info == NULL) + return GNUTLS_E_UNKNOWN_ERROR; return info->dh_bits; } @@ -80,57 +84,20 @@ ANON_SERVER_AUTH_INFO info; * Returns a negative value in case of an error. * **/ -int gnutls_anon_client_get_dh_bits( GNUTLS_STATE state) { -ANON_CLIENT_AUTH_INFO info; +int gnutls_anon_client_get_dh_bits(GNUTLS_STATE state) +{ + ANON_CLIENT_AUTH_INFO info; CHECK_AUTH(GNUTLS_ANON, GNUTLS_E_INVALID_REQUEST); - info = _gnutls_get_auth_info(state); - if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; + info = _gnutls_get_auth_info(state); + if (info == NULL) + return GNUTLS_E_UNKNOWN_ERROR; return info->dh_bits; } /* X509PKI */ -/** - * gnutls_x509pki_get_peer_dn - This function returns the peer's distinguished name - * @state: is a gnutls state - * - * This function will return the name of the peer. The name is gnutls_DN structure and - * is a obtained by the peer's certificate. If the certificate send by the - * peer is invalid, or in any other failure this function returns NULL. - * Returns NULL in case of an error. - * - **/ -const gnutls_DN* gnutls_x509pki_get_peer_dn( GNUTLS_STATE state) { -X509PKI_AUTH_INFO info; - - CHECK_AUTH(GNUTLS_X509PKI, NULL); - - info = _gnutls_get_auth_info(state); - if (info==NULL) return NULL; - return &info->peer_dn; -} - -/** - * gnutls_x509pki_get_issuer_dn - This function returns the peer's certificate issuer distinguished name - * @state: is a gnutls state - * - * This function will return the name of the peer's certificate issuer. The name is gnutls_DN structure and - * is a obtained by the peer's certificate. If the certificate send by the - * peer is invalid, or in any other failure this function returns NULL. - * Returns NULL in case of an error. - * - **/ -const gnutls_DN* gnutls_x509pki_get_issuer_dn( GNUTLS_STATE state) { -X509PKI_AUTH_INFO info; - - CHECK_AUTH(GNUTLS_X509PKI, NULL); - - info = _gnutls_get_auth_info(state); - if (info==NULL) return NULL; - return &info->issuer_dn; -} /** * gnutls_x509pki_get_peer_certificate_status - This function returns the peer's certificate status @@ -142,13 +109,16 @@ X509PKI_AUTH_INFO info; * Returns GNUTLS_CERT_NONE in case of an error, or if no certificate was sent. * **/ -CertificateStatus gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE state) { -X509PKI_AUTH_INFO info; +CertificateStatus gnutls_x509pki_get_peer_certificate_status(GNUTLS_STATE + state) +{ + X509PKI_AUTH_INFO info; CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_CERT_NONE); - info = _gnutls_get_auth_info(state); - if (info==NULL) return GNUTLS_CERT_NONE; + info = _gnutls_get_auth_info(state); + if (info == NULL) + return GNUTLS_CERT_NONE; return info->peer_certificate_status; } @@ -161,13 +131,15 @@ X509PKI_AUTH_INFO info; * Returns NULL in case of an error, or if no certificate was sent. * **/ -const gnutls_datum * gnutls_x509pki_get_peer_certificate( GNUTLS_STATE state) { -X509PKI_AUTH_INFO info; +const gnutls_datum *gnutls_x509pki_get_peer_certificate(GNUTLS_STATE state) +{ + X509PKI_AUTH_INFO info; CHECK_AUTH(GNUTLS_X509PKI, NULL); - info = _gnutls_get_auth_info(state); - if (info==NULL) return NULL; + info = _gnutls_get_auth_info(state); + if (info == NULL) + return NULL; return &info->raw_certificate; } @@ -180,13 +152,15 @@ X509PKI_AUTH_INFO info; * Returns a negative value in case of an error. * **/ -int gnutls_x509pki_get_peer_certificate_version( GNUTLS_STATE state) { -X509PKI_AUTH_INFO info; +int gnutls_x509pki_get_peer_certificate_version(GNUTLS_STATE state) +{ + X509PKI_AUTH_INFO info; CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); - info = _gnutls_get_auth_info(state); - if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; + info = _gnutls_get_auth_info(state); + if (info == NULL) + return GNUTLS_E_UNKNOWN_ERROR; return info->peer_certificate_version; } @@ -200,13 +174,15 @@ X509PKI_AUTH_INFO info; * Returns a negative value in case of an error. * **/ -int gnutls_x509pki_get_dh_bits( GNUTLS_STATE state) { -X509PKI_AUTH_INFO info; +int gnutls_x509pki_get_dh_bits(GNUTLS_STATE state) +{ + X509PKI_AUTH_INFO info; CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); - info = _gnutls_get_auth_info(state); - if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; + info = _gnutls_get_auth_info(state); + if (info == NULL) + return GNUTLS_E_UNKNOWN_ERROR; return info->dh_bits; } @@ -219,13 +195,16 @@ X509PKI_AUTH_INFO info; * Returns a (time_t) -1 in case of an error. * **/ -time_t gnutls_x509pki_get_peer_certificate_activation_time( GNUTLS_STATE state) { -X509PKI_AUTH_INFO info; +time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE + state) +{ + X509PKI_AUTH_INFO info; CHECK_AUTH(GNUTLS_X509PKI, -1); - info = _gnutls_get_auth_info(state); - if (info==NULL) return -1; + info = _gnutls_get_auth_info(state); + if (info == NULL) + return -1; return info->peer_certificate_activation_time; } @@ -238,13 +217,16 @@ X509PKI_AUTH_INFO info; * Returns a (time_t) -1 in case of an error. * **/ -time_t gnutls_x509pki_get_peer_certificate_expiration_time( GNUTLS_STATE state) { -X509PKI_AUTH_INFO info; +time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE + state) +{ + X509PKI_AUTH_INFO info; CHECK_AUTH(GNUTLS_X509PKI, -1); - info = _gnutls_get_auth_info(state); - if (info==NULL) return -1; + info = _gnutls_get_auth_info(state); + if (info == NULL) + return -1; return info->peer_certificate_expiration_time; } @@ -258,13 +240,15 @@ X509PKI_AUTH_INFO info; * Returns zero in case of an error. * **/ -unsigned char gnutls_x509pki_get_key_usage( GNUTLS_STATE state) { -X509PKI_AUTH_INFO info; +unsigned char gnutls_x509pki_get_key_usage(GNUTLS_STATE state) +{ + X509PKI_AUTH_INFO info; CHECK_AUTH(GNUTLS_X509PKI, 0); - info = _gnutls_get_auth_info(state); - if (info==NULL) return 0; + info = _gnutls_get_auth_info(state); + if (info == NULL) + return 0; return info->keyUsage; } @@ -277,13 +261,15 @@ X509PKI_AUTH_INFO info; * Returns a negative value in case of an error. * **/ -int gnutls_x509pki_get_certificate_request_status( GNUTLS_STATE state) { -X509PKI_AUTH_INFO info; +int gnutls_x509pki_get_certificate_request_status(GNUTLS_STATE state) +{ + X509PKI_AUTH_INFO info; CHECK_AUTH(GNUTLS_X509PKI, 0); - info = _gnutls_get_auth_info(state); - if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; + info = _gnutls_get_auth_info(state); + if (info == NULL) + return GNUTLS_E_UNKNOWN_ERROR; return info->certificate_requested; } @@ -299,13 +285,14 @@ X509PKI_AUTH_INFO info; * Returns NULL in case of an error. * **/ -const char* gnutls_x509pki_get_subject_dns_name( GNUTLS_STATE state) { -X509PKI_AUTH_INFO info; +const char *gnutls_x509pki_get_subject_dns_name(GNUTLS_STATE state) +{ + X509PKI_AUTH_INFO info; CHECK_AUTH(GNUTLS_X509PKI, NULL); - info = _gnutls_get_auth_info(state); - if (info==NULL) return NULL; + info = _gnutls_get_auth_info(state); + if (info == NULL) + return NULL; return info->subjectAltDNSName; } - diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h index 27784f24d4..ce7b6f9651 100644 --- a/lib/gnutls_ui.h +++ b/lib/gnutls_ui.h @@ -35,11 +35,11 @@ typedef struct { #define X509KEY_ENCIPHER_ONLY 2 #define X509KEY_DECIPHER_ONLY 1 -typedef int x509_cert_callback_func(gnutls_DN *, gnutls_DN *, int, gnutls_DN *, int); - # ifdef LIBGNUTLS_VERSION /* defined only in gnutls.h */ +typedef int x509_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int); + /* Functions that allow AUTH_INFO structures handling */ @@ -60,9 +60,9 @@ int gnutls_set_x509_cert_callback( X509PKI_CREDENTIALS, x509_cert_callback_func int gnutls_x509pki_set_cert_request( GNUTLS_STATE, CertificateRequest); int gnutls_x509pki_get_certificate_request_status( GNUTLS_STATE); -const gnutls_DN* gnutls_x509pki_get_peer_dn( GNUTLS_STATE); +int gnutls_x509pki_get_peer_dn( GNUTLS_STATE, gnutls_DN*); const gnutls_datum* gnutls_x509pki_get_peer_certificate( GNUTLS_STATE); -const gnutls_DN* gnutls_x509pki_get_issuer_dn( GNUTLS_STATE); +int gnutls_x509pki_get_issuer_dn( GNUTLS_STATE, gnutls_DN *); CertificateStatus gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE); int gnutls_x509pki_get_peer_certificate_version( GNUTLS_STATE); time_t gnutls_x509pki_get_peer_certificate_activation_time( GNUTLS_STATE); diff --git a/lib/x509_extensions.c b/lib/x509_extensions.c index 3e2922dca0..702410e4b8 100644 --- a/lib/x509_extensions.c +++ b/lib/x509_extensions.c @@ -191,7 +191,7 @@ static int _parse_extension( gnutls_cert* cert, char* extnID, char* critical, ch } #ifdef DEBUG - _gnutls_log("CERT[%s]: Unsupported Extension: %s, %s\n", cert->cert_info.common_name, extnID, critical); + _gnutls_log("CERT[%s]: Unsupported Extension: %s, %s\n", GET_CN(cert->raw), extnID, critical); #endif if (strcmp( critical, "TRUE")==0) { diff --git a/src/cli.c b/src/cli.c index f973e6feac..19b1ad4b2e 100644 --- a/src/cli.c +++ b/src/cli.c @@ -53,19 +53,19 @@ #define CLICERTFILE "x509/clicert.pem" #define PRINTX(x,y) if (y[0]!=0) printf(" - %s %s\n", x, y) -#define PRINT_DN(X) PRINTX( "CN:", X->common_name); \ - PRINTX( "OU:", X->organizational_unit_name); \ - PRINTX( "O:", X->organization); \ - PRINTX( "L:", X->locality_name); \ - PRINTX( "S:", X->state_or_province_name); \ - PRINTX( "C:", X->country); \ - PRINTX( "E:", X->email); \ +#define PRINT_DN(X) PRINTX( "CN:", X.common_name); \ + PRINTX( "OU:", X.organizational_unit_name); \ + PRINTX( "O:", X.organization); \ + PRINTX( "L:", X.locality_name); \ + PRINTX( "S:", X.state_or_province_name); \ + PRINTX( "C:", X.country); \ + PRINTX( "E:", X.email); \ PRINTX( "SAN:", gnutls_x509pki_client_get_subject_dns_name(state)) static int print_info( GNUTLS_STATE state) { const char *tmp; CredType cred; -const gnutls_DN* dn; +gnutls_DN dn; CertificateStatus status; @@ -102,10 +102,10 @@ CertificateStatus status; printf(" - Certificate info:\n"); printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version( state)); - dn = gnutls_x509pki_client_get_peer_dn( state); + gnutls_x509pki_client_get_peer_dn( state, &dn); PRINT_DN( dn); - dn = gnutls_x509pki_client_get_issuer_dn( state); + gnutls_x509pki_client_get_issuer_dn( state, &dn); printf(" - Certificate Issuer's info:\n"); PRINT_DN( dn); } @@ -126,9 +126,9 @@ CertificateStatus status; return 0; } -int cert_callback( gnutls_DN *client_cert, gnutls_DN *issuer_cert, int ncerts, gnutls_DN* req_ca_cert, int nreqs) { +int cert_callback( const gnutls_datum *client_certs, int ncerts, const gnutls_datum* req_ca_cert, int nreqs) { - if (client_cert==NULL) { + if (client_certs==NULL) { return 0; /* means the we will only be called again * if the library cannot determine which * certificate to send diff --git a/src/serv.c b/src/serv.c index 2daf33613a..8bf777f159 100644 --- a/src/serv.c +++ b/src/serv.c @@ -101,13 +101,13 @@ GNUTLS_STATE initialize_state() } #define PRINTX(x,y) if (y[0]!=0) printf(" - %s %s\n", x, y) -#define PRINT_DN(X) PRINTX( "CN:", X->common_name); \ - PRINTX( "OU:", X->organizational_unit_name); \ - PRINTX( "O:", X->organization); \ - PRINTX( "L:", X->locality_name); \ - PRINTX( "S:", X->state_or_province_name); \ - PRINTX( "C:", X->country); \ - PRINTX( "E:", X->email); \ +#define PRINT_DN(X) PRINTX( "CN:", X.common_name); \ + PRINTX( "OU:", X.organizational_unit_name); \ + PRINTX( "O:", X.organization); \ + PRINTX( "L:", X.locality_name); \ + PRINTX( "S:", X.state_or_province_name); \ + PRINTX( "C:", X.country); \ + PRINTX( "E:", X.email); \ PRINTX( "SAN:", gnutls_x509pki_client_get_subject_dns_name(state)) void print_info(GNUTLS_STATE state) @@ -115,7 +115,7 @@ void print_info(GNUTLS_STATE state) const char *tmp; unsigned char sesid[32]; int sesid_size, i; - const gnutls_DN* dn; + gnutls_DN dn; CredType cred; CertificateStatus status; @@ -176,12 +176,11 @@ void print_info(GNUTLS_STATE state) printf(" - Certificate info:\n"); printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version(state)); - dn = gnutls_x509pki_client_get_peer_dn( state); - if (dn!=NULL) + if (gnutls_x509pki_client_get_peer_dn( state, &dn) > 0) { PRINT_DN( dn); - - dn = gnutls_x509pki_client_get_issuer_dn( state); - if (dn!=NULL) { + } + + if (gnutls_x509pki_client_get_issuer_dn( state, &dn) > 0) { printf(" - Certificate Issuer's info:\n"); PRINT_DN( dn); } -- cgit v1.2.1