1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
|
/*
* Copyright (C) 2003-2016 Free Software Foundation, Inc.
*
* Authors: Nikos Mavrogiannopoulos, Simon Josefsson, Howard Chu
*
* This file is part of GnuTLS.
*
* The GnuTLS is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>
*
*/
#include "gnutls_int.h"
#include <datum.h>
#include <global.h>
#include "errors.h"
#include <common.h>
#include <gnutls/x509-ext.h>
#include <x509.h>
#include <x509_b64.h>
#include <x509_int.h>
#include <libtasn1.h>
#include <pk.h>
#include <pkcs11_int.h>
#include "urls.h"
/**
* gnutls_x509_tlsfeatures_init:
* @f: The TLS features
*
* This function will initialize a X.509 TLS features extension structure
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
* otherwise a negative error value.
*
* Since: 3.5.1
**/
int gnutls_x509_tlsfeatures_init(gnutls_x509_tlsfeatures_t *f)
{
*f = gnutls_calloc(1, sizeof(struct gnutls_x509_tlsfeatures_st));
if (*f == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
return 0;
}
/**
* gnutls_x509_tlsfeatures_deinit:
* @f: The TLS features
*
* This function will deinitialize a X.509 TLS features extension structure
*
* Since: 3.5.1
**/
void gnutls_x509_tlsfeatures_deinit(gnutls_x509_tlsfeatures_t f)
{
gnutls_free(f);
}
/**
* gnutls_x509_tlsfeatures_get:
* @f: The TLS features
* @idx: The index of the feature to get
* @feature: If the function succeeds, the feature will be stored in this variable
*
* This function will get a feature from the X.509 TLS features
* extension structure.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
* otherwise a negative error value.
*
* Since: 3.5.1
**/
int gnutls_x509_tlsfeatures_get(gnutls_x509_tlsfeatures_t f, unsigned idx,
unsigned int *feature)
{
if (f == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
if (idx >= f->size) {
return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
}
*feature = f->feature[idx];
return 0;
}
/**
* gnutls_x509_crt_get_tlsfeatures:
* @crt: A X.509 certificate
* @features: If the function succeeds, the
* features will be stored in this variable.
* @flags: zero or %GNUTLS_EXT_FLAG_APPEND
* @critical: the extension status
*
* This function will get the X.509 TLS features
* extension structure from the certificate. The
* returned structure needs to be freed using
* gnutls_x509_tlsfeatures_deinit().
*
* When the @flags is set to %GNUTLS_EXT_FLAG_APPEND,
* then if the @features structure is empty this function will behave
* identically as if the flag was not set. Otherwise if there are elements
* in the @features structure then they will be merged with.
*
* Note that @features must be initialized prior to calling this function.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
* otherwise a negative error value.
*
* Since: 3.5.1
**/
int gnutls_x509_crt_get_tlsfeatures(gnutls_x509_crt_t crt,
gnutls_x509_tlsfeatures_t features,
unsigned int flags, unsigned int *critical)
{
int ret;
gnutls_datum_t der;
if (crt == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
if ((ret = _gnutls_x509_crt_get_extension(
crt, GNUTLS_X509EXT_OID_TLSFEATURES, 0, &der, critical)) <
0) {
return ret;
}
if (der.size == 0 || der.data == NULL) {
gnutls_assert();
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
ret = gnutls_x509_ext_import_tlsfeatures(&der, features, flags);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = 0;
cleanup:
gnutls_free(der.data);
return ret;
}
/**
* gnutls_x509_crt_set_tlsfeatures:
* @crt: A X.509 certificate
* @features: If the function succeeds, the
* features will be added to the certificate.
*
* This function will set the certificates
* X.509 TLS extension from the given structure.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
* otherwise a negative error value.
*
* Since: 3.5.1
**/
int gnutls_x509_crt_set_tlsfeatures(gnutls_x509_crt_t crt,
gnutls_x509_tlsfeatures_t features)
{
int ret;
gnutls_datum_t der;
if (crt == NULL || features == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
ret = gnutls_x509_ext_export_tlsfeatures(features, &der);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret = _gnutls_x509_crt_set_extension(
crt, GNUTLS_X509EXT_OID_TLSFEATURES, &der, 0);
_gnutls_free_datum(&der);
if (ret < 0) {
gnutls_assert();
}
return ret;
}
/**
* gnutls_x509_tls_features_check_crt:
* @feat: a set of TLSFeatures
* @cert: the certificate to be checked
*
* This function will check the provided certificate against the TLSFeatures
* set in @feat using the RFC7633 p.4.2.2 rules. It will check whether the certificate
* contains the features in @feat or a superset.
*
* Returns: non-zero if the provided certificate complies, and zero otherwise.
*
* Since: 3.5.1
**/
unsigned gnutls_x509_tlsfeatures_check_crt(gnutls_x509_tlsfeatures_t feat,
gnutls_x509_crt_t cert)
{
int ret;
gnutls_x509_tlsfeatures_t cfeat;
unsigned i, j, uret, found;
if (feat->size == 0)
return 1; /* shortcut; no constraints to check */
ret = gnutls_x509_tlsfeatures_init(&cfeat);
if (ret < 0)
return gnutls_assert_val(0);
ret = gnutls_x509_crt_get_tlsfeatures(cert, cfeat, 0, NULL);
if (ret < 0) {
gnutls_assert();
uret = 0;
goto cleanup;
}
/* if cert's features cannot be a superset */
if (feat->size > cfeat->size) {
_gnutls_debug_log(
"certificate has %u, while issuer has %u tlsfeatures\n",
cfeat->size, feat->size);
gnutls_assert();
uret = 0;
goto cleanup;
}
for (i = 0; i < feat->size; i++) {
found = 0;
for (j = 0; j < cfeat->size; j++) {
if (feat->feature[i] == cfeat->feature[j]) {
found = 1;
break;
}
}
if (found == 0) {
_gnutls_debug_log("feature %d was not found in cert\n",
(int)feat->feature[i]);
uret = 0;
goto cleanup;
}
}
uret = 1;
cleanup:
gnutls_x509_tlsfeatures_deinit(cfeat);
return uret;
}
|
