author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-10-15 09:14:58 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-10-15 09:14:58 +0000 |
commit | cc7d4f17c5d170d086432b774656073f782de7ab (patch) | |
tree | d9a0cd4134d6ddab72fbeb5d167596e152231f5b | |
parent | d0de24a54ade8d08bbf754ad87ae744739700a1b (diff) | |
download | gnutls-cc7d4f17c5d170d086432b774656073f782de7ab.tar.gz |
auth_info types and structures were moved to the internals of the library.
This makes the library incompatible (source & binary) with the previous
versions.
-rw-r--r-- | NEWS | 5 | ||||
-rw-r--r-- | configure.in | 4 | ||||
-rw-r--r-- | doc/TODO | 4 | ||||
-rw-r--r-- | doc/tex/ex3.tex | 82 | ||||
-rw-r--r-- | doc/tex/serv1.tex | 8 | ||||
-rw-r--r-- | lib/auth_dhe_rsa.c | 6 | ||||
-rw-r--r-- | lib/auth_rsa.c | 2 | ||||
-rw-r--r-- | lib/auth_x509.c | 16 | ||||
-rw-r--r-- | lib/auth_x509.h | 10 | ||||
-rw-r--r-- | lib/gnutls.h.in | 12 | ||||
-rw-r--r-- | lib/gnutls_auth.c | 22 | ||||
-rw-r--r-- | lib/gnutls_auth_int.h | 3 | ||||
-rw-r--r-- | lib/gnutls_errors.c | 1 | ||||
-rw-r--r-- | lib/gnutls_errors_int.h | 1 | ||||
-rw-r--r-- | lib/gnutls_ui.c | 128 | ||||
-rw-r--r-- | lib/gnutls_ui.h | 26 | ||||
-rw-r--r-- | src/cli.c | 33 | ||||
-rw-r--r-- | src/serv.c | 83 |
18 files changed, 258 insertions, 188 deletions
@@ -1,4 +1,7 @@ -Version 0.2.4 +Version 0.3.0 +- AUTH_INFO types and structures were moved to library internals + +Version 0.2.4 (12/10/2001) - Better handling of X.509 certificate extensions - Added DHE_RSA ciphersuites - Updated the Name Indication (dnsname) extension diff --git a/configure.in b/configure.in index bc4fdbeed3..e625c567e1 100644 --- a/configure.in +++ b/configure.in @@ -10,8 +10,8 @@ AC_DEFINE_UNQUOTED(T_VENDOR, "$target_vendor") AC_DEFINE_UNQUOTED(T_OS, "$target_os") GNUTLS_MAJOR_VERSION=0 -GNUTLS_MINOR_VERSION=2 -GNUTLS_MICRO_VERSION=4 +GNUTLS_MINOR_VERSION=3 +GNUTLS_MICRO_VERSION=0 GNUTLS_VERSION=$GNUTLS_MAJOR_VERSION.$GNUTLS_MINOR_VERSION.$GNUTLS_MICRO_VERSION AC_DEFINE_UNQUOTED(GNUTLS_VERSION, "$GNUTLS_VERSION") @@ -5,10 +5,10 @@ in order to avoid having people working on the same thing. Current list: + Make gnutls independent of the Certificate Manager (in order to support other x.509 certificate managers) -* Audit the code (volunteers?) -* Add support for PKCS8 encrypted private keys * Add support for certificates with DSS parameters * Add more TLS extensions +* Audit the code (volunteers?) +* Add support for PKCS8 encrypted private keys * OpenPGP certificate support - Add Kerberos support diff --git a/doc/tex/ex3.tex b/doc/tex/ex3.tex index af750d05d6..d9aab17d45 100644 --- a/doc/tex/ex3.tex +++ b/doc/tex/ex3.tex @@ -8,12 +8,11 @@ PRINTX( "S:", X->state_or_province_name); \ PRINTX( "C:", X->country); \ PRINTX( "E:", X->email); \ - PRINTX( "SAN:", gnutls_x509pki_client_get_subject_dns_name(x509_info)) + PRINTX( "SAN:", gnutls_x509pki_client_get_subject_dns_name( state)) int print_info(GNUTLS_STATE state) { const char *tmp; - X509PKI_CLIENT_AUTH_INFO x509_info; const gnutls_DN* dn; /* print the key exchange's algorithm name 
@@ -23,40 +22,51 @@ int print_info(GNUTLS_STATE state) /* in case of X509 PKI */ - if (gnutls_get_auth_info_type(state) == GNUTLS_X509PKI) { - x509_info = gnutls_get_auth_info(state); - if (x509_info != NULL) { - CertificateStatus status = gnutls_x509pki_client_get_peer_certificate_status(x509_info); - switch( status) { - case GNUTLS_CERT_NOT_TRUSTED: - printf("- Peer's X509 Certificate was NOT verified\n"); - break; - case GNUTLS_CERT_EXPIRED: - printf("- Peer's X509 Certificate was verified but is expired\n"); - break; - case GNUTLS_CERT_TRUSTED: - printf("- Peer's X509 Certificate was verified\n"); - break; - case GNUTLS_CERT_NONE: - printf("- Peer did not send any certificate.\n"); - break; - case GNUTLS_CERT_INVALID: - printf("- Peer's X509 Certificate was invalid\n"); - break; - } - - if (status!=GNUTLS_CERT_NONE && status!=GNUTLS_CERT_INVALID) { - - printf(" - Certificate info:\n"); - printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version(x509_info)); - - dn = gnutls_x509pki_client_get_peer_dn( x509_info); - PRINT_DN(dn); - - printf(" - Certificate Issuer's info:\n"); - dn = gnutls_x509pki_client_get_issuer_dn( x509_info); - PRINT_DN(dn); - } + if (gnutls_get_auth_type(state) == GNUTLS_X509PKI) { + CertificateStatus status; + KXAlgorithm kx; + + kx = gnutls_get_current_kx(state); + + /* Check if we have been using ephemeral Diffie Hellman. 
+ */ + if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { + printf("\n- Ephemeral DH using prime of %d bits\n", + gnutls_x509pki_server_get_dh_bits( state)); + } + + + status = gnutls_x509pki_client_get_peer_certificate_status( state); + + switch( status) { + case GNUTLS_CERT_NOT_TRUSTED: + printf("- Peer's X509 Certificate was NOT verified\n"); + break; + case GNUTLS_CERT_EXPIRED: + printf("- Peer's X509 Certificate was verified but is expired\n"); + break; + case GNUTLS_CERT_TRUSTED: + printf("- Peer's X509 Certificate was verified\n"); + break; + case GNUTLS_CERT_NONE: + printf("- Peer did not send any certificate.\n"); + break; + case GNUTLS_CERT_INVALID: + printf("- Peer's X509 Certificate was invalid\n"); + break; + } + + if (status!=GNUTLS_CERT_NONE && status!=GNUTLS_CERT_INVALID) { + + printf(" - Certificate info:\n"); + printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version( state)); + + dn = gnutls_x509pki_client_get_peer_dn( state); + PRINT_DN(dn); + + printf(" - Certificate Issuer's info:\n"); + dn = gnutls_x509pki_client_get_issuer_dn( state); + PRINT_DN(dn); } } diff --git a/doc/tex/serv1.tex b/doc/tex/serv1.tex index 19d8a0d713..78b5b667de 100644 --- a/doc/tex/serv1.tex +++ b/doc/tex/serv1.tex @@ -63,7 +63,6 @@ GNUTLS_STATE initialize_state() void print_info(GNUTLS_STATE state) { - SRP_SERVER_AUTH_INFO srp_info; const char *tmp; unsigned char sesid[32]; int sesid_size, i; @@ -76,12 +75,11 @@ void print_info(GNUTLS_STATE state) printf("\n"); /* print srp specific data */ - if (gnutls_get_auth_info_type(state) == GNUTLS_SRP) { - srp_info = gnutls_get_auth_info(state); - if (srp_info != NULL) + if (gnutls_get_auth_type(state) == GNUTLS_SRP) { printf("\n- User '%s' connected\n", - gnutls_srp_server_get_username(srp_info)); + gnutls_srp_server_get_username( state)); } + /* print state information */ tmp = gnutls_version_get_name(gnutls_get_current_version(state)); printf("- Version: %s\n", tmp); 
diff --git a/lib/auth_dhe_rsa.c b/lib/auth_dhe_rsa.c index 475e6fe2b3..dd76e4a26f 100644 --- a/lib/auth_dhe_rsa.c +++ b/lib/auth_dhe_rsa.c @@ -68,7 +68,7 @@ static int gen_dhe_rsa_server_kx(GNUTLS_STATE state, opaque ** data) gnutls_private_key *apr_pkey; int apr_cert_list_length; gnutls_datum signature, ddata; - X509PKI_SERVER_AUTH_INFO info; + X509PKI_AUTH_INFO info; cred = _gnutls_get_kx_cred(state->gnutls_key, GNUTLS_X509PKI, NULL); @@ -92,12 +92,12 @@ static int gen_dhe_rsa_server_kx(GNUTLS_STATE state, opaque ** data) if ( state->gnutls_key->auth_info==NULL) { state->gnutls_key->auth_info = - gnutls_calloc(1, sizeof(X509PKI_SERVER_AUTH_INFO_INT)); + gnutls_calloc(1, sizeof(X509PKI_AUTH_INFO_INT)); if (state->gnutls_key->auth_info == NULL) return GNUTLS_E_MEMORY_ERROR; state->gnutls_key->auth_info_size = - sizeof(X509PKI_SERVER_AUTH_INFO_INT); + sizeof(X509PKI_AUTH_INFO_INT); info = state->gnutls_key->auth_info; info->dh_bits = gcry_mpi_get_nbits(p); diff --git a/lib/auth_rsa.c b/lib/auth_rsa.c index b8b9eaf51c..cd45871362 100644 --- a/lib/auth_rsa.c +++ b/lib/auth_rsa.c @@ -142,7 +142,7 @@ return ret; */ int gen_rsa_client_kx(GNUTLS_STATE state, opaque ** data) { - X509PKI_CLIENT_AUTH_INFO auth = state->gnutls_key->auth_info; + X509PKI_AUTH_INFO auth = state->gnutls_key->auth_info; gnutls_datum sdata; /* data to send */ MPI pkey, n; int ret; diff --git a/lib/auth_x509.c b/lib/auth_x509.c index 86b818fed2..7d54b0038a 100644 --- a/lib/auth_x509.c +++ b/lib/auth_x509.c 
@@ -38,9 +38,9 @@ #include <ext_dnsname.h> /* Copies data from a internal certificate struct (gnutls_cert) to - * exported certificate struct (X509PKI_CLIENT_AUTH_INFO) + * exported certificate struct (X509PKI_AUTH_INFO) */ -void _gnutls_copy_x509_client_auth_info( X509PKI_CLIENT_AUTH_INFO info, gnutls_cert* cert, CertificateStatus verify) { +void _gnutls_copy_x509_client_auth_info( X509PKI_AUTH_INFO info, gnutls_cert* cert, CertificateStatus verify) { /* Copy peer's information to AUTH_INFO */ memcpy( &info->peer_dn, &cert->cert_info, sizeof(gnutls_DN)); @@ -514,7 +514,7 @@ int _gnutls_proc_x509_server_certificate(GNUTLS_STATE state, opaque * data, int { int size, len, ret; opaque *p = data; - X509PKI_CLIENT_AUTH_INFO info; + X509PKI_AUTH_INFO info; const X509PKI_CREDENTIALS cred; int dsize = data_size; int i, j, x; @@ -529,12 +529,12 @@ int _gnutls_proc_x509_server_certificate(GNUTLS_STATE state, opaque * data, int return GNUTLS_E_INSUFICIENT_CRED; } if (state->gnutls_key->auth_info == NULL) { - state->gnutls_key->auth_info = gnutls_calloc(1, sizeof(X509PKI_CLIENT_AUTH_INFO_INT)); + state->gnutls_key->auth_info = gnutls_calloc(1, sizeof(X509PKI_AUTH_INFO_INT)); if (state->gnutls_key->auth_info == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; } - state->gnutls_key->auth_info_size = sizeof(X509PKI_CLIENT_AUTH_INFO_INT); + state->gnutls_key->auth_info_size = sizeof(X509PKI_AUTH_INFO_INT); info = state->gnutls_key->auth_info; info->peer_certificate_status = GNUTLS_CERT_NONE; @@ -674,7 +674,7 @@ int _gnutls_proc_x509_cert_req(GNUTLS_STATE state, opaque * data, int data_size) int size, ret; opaque *p = data; const X509PKI_CREDENTIALS cred; - X509PKI_CLIENT_AUTH_INFO info; + X509PKI_AUTH_INFO info; int dsize = data_size; int i; int found; 
@@ -688,12 +688,12 @@ int _gnutls_proc_x509_cert_req(GNUTLS_STATE state, opaque * data, int data_size) state->gnutls_key->certificate_requested = 1; if (state->gnutls_key->auth_info == NULL) { - state->gnutls_key->auth_info = gnutls_calloc(1, sizeof(X509PKI_CLIENT_AUTH_INFO_INT)); + state->gnutls_key->auth_info = gnutls_calloc(1, sizeof(X509PKI_AUTH_INFO_INT)); if (state->gnutls_key->auth_info == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; } - state->gnutls_key->auth_info_size = sizeof(X509PKI_CLIENT_AUTH_INFO_INT); + state->gnutls_key->auth_info_size = sizeof(X509PKI_AUTH_INFO_INT); info = state->gnutls_key->auth_info; info->peer_certificate_status = GNUTLS_CERT_NONE; diff --git a/lib/auth_x509.h b/lib/auth_x509.h index 64657ba7dc..e4e61a076b 100644 --- a/lib/auth_x509.h +++ b/lib/auth_x509.h @@ -37,7 +37,7 @@ typedef struct { /* typedef X509PKI_CREDENTIALS_INT * X509PKI_CREDENTIALS; */ #define X509PKI_CREDENTIALS X509PKI_CREDENTIALS_INT* -typedef struct X509PKI_CLIENT_AUTH_INFO_INT { +typedef struct X509PKI_AUTH_INFO_INT { gnutls_DN peer_dn; gnutls_DN issuer_dn; CertificateStatus peer_certificate_status; @@ -48,13 +48,11 @@ typedef struct X509PKI_CLIENT_AUTH_INFO_INT { unsigned char keyUsage; int certificate_requested; int dh_bits; /* bits of the DH (if DHE_RSA is used) */ -} *X509PKI_CLIENT_AUTH_INFO; +} *X509PKI_AUTH_INFO; -typedef struct X509PKI_CLIENT_AUTH_INFO_INT X509PKI_CLIENT_AUTH_INFO_INT; -typedef X509PKI_CLIENT_AUTH_INFO X509PKI_SERVER_AUTH_INFO; -typedef X509PKI_CLIENT_AUTH_INFO_INT X509PKI_SERVER_AUTH_INFO_INT; +typedef struct X509PKI_AUTH_INFO_INT X509PKI_AUTH_INFO_INT; -void _gnutls_copy_x509_client_auth_info( X509PKI_CLIENT_AUTH_INFO info, gnutls_cert* cert, CertificateStatus verify); +void _gnutls_copy_x509_client_auth_info( X509PKI_AUTH_INFO info, gnutls_cert* cert, CertificateStatus verify); /* AUTH X509 functions */ int _gnutls_gen_x509_server_certificate(GNUTLS_STATE, opaque **); 
diff --git a/lib/gnutls.h.in b/lib/gnutls.h.in index 8d8b112818..1c4170e6f4 100644 --- a/lib/gnutls.h.in +++ b/lib/gnutls.h.in @@ -147,9 +147,6 @@ int gnutls_clear_creds( GNUTLS_STATE state); /* cred is a structure defined by the kx algorithm */ int gnutls_set_cred( GNUTLS_STATE, CredType type, void* cred); -CredType gnutls_get_auth_info_type( GNUTLS_STATE); -void* gnutls_get_auth_info( GNUTLS_STATE); - /* A null terminated string containing the dnsname. * This will only exist if the client supports the dnsname * TLS extension. (draft-ietf-tls-extensions) @@ -226,13 +223,4 @@ typedef void (*LOG_FUNC)( const char*); void gnutls_global_set_send_func( SEND_FUNC send_func); void gnutls_global_set_recv_func( RECV_FUNC recv_func); -/* Auth_Info structures */ - -typedef struct X509PKI_CLIENT_AUTH_INFO_INT *X509PKI_CLIENT_AUTH_INFO; -typedef X509PKI_CLIENT_AUTH_INFO X509PKI_SERVER_AUTH_INFO; - -typedef struct SRP_CLIENT_AUTH_INFO_INT {} *SRP_CLIENT_AUTH_INFO; -typedef struct SRP_SERVER_AUTH_INFO_INT {} *SRP_SERVER_AUTH_INFO; -typedef struct ANON_CLIENT_AUTH_INFO_INT {} *ANON_CLIENT_AUTH_INFO; -typedef struct ANON_SERVER_AUTH_INFO_INT {} *ANON_SERVER_AUTH_INFO; diff --git a/lib/gnutls_auth.c b/lib/gnutls_auth.c index 2ddd04e8d0..30c6d10f92 100644 --- a/lib/gnutls_auth.c +++ b/lib/gnutls_auth.c 
@@ -123,18 +123,18 @@ int gnutls_set_cred( GNUTLS_STATE state, CredType type, void* cred) { } /** - * gnutls_get_auth_info_type - Returns the type of credentials for the current authentication schema. + * gnutls_get_auth_type - Returns the type of credentials for the current authentication schema. * @state: is a &GNUTLS_STATE structure. * * Returns type of credentials for the current authentication schema. - * The returned information can be used to distinguish the appropriate structures - * for the gnutls_get_auth_info() function. - * Eg. if this function returns GNUTLS_X509PKI then the return type - * of gnutls_get_auth_info() will be X509PKI_(SERVER/CLIENT)_AUTH_INFO - * (depends on the side - client/server) + * The returned information is to be used to distinguish the function used + * to access authentication data. + * + * Eg. for X509PKI ciphersuites (key exchange algorithms: KX_RSA, KX_DHE_RSA), + * the same function are to be used to access the authentication data. **/ -CredType gnutls_get_auth_info_type( GNUTLS_STATE state) { +CredType gnutls_get_auth_type( GNUTLS_STATE state) { return _gnutls_map_kx_get_cred( state->security_parameters.kx_algorithm); } @@ -165,8 +165,8 @@ const void *_gnutls_get_cred( GNUTLS_KEY key, CredType type, int *err) { return ccred->credentials; } -/** - * gnutls_get_auth_info - Returns a pointer to authentication information. +/*- + * _gnutls_get_auth_info - Returns a pointer to authentication information. * @state: is a &GNUTLS_STATE structure. * * This function must be called after a succesful gnutls_handshake(). 
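Review bot: The rewritten doc comment on `gnutls_get_auth_type` ends with `the same function are to be used to access the authentication data`, which is ungrammatical and never says which functions are meant. Suggest ` * Eg. for X509PKI ciphersuites (key exchange algorithms: KX_RSA, KX_DHE_RSA), the same gnutls_x509pki_* functions are to be used to access the authentication data.` so a reader knows which accessor family the returned CredType selects. The function body itself is unchanged apart from the rename.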
@@ -177,8 +177,8 @@ const void *_gnutls_get_cred( GNUTLS_KEY key, CredType type, int *err) { * In case of GNUTLS_ANON returns a pointer to &ANON_(SERVER/CLIENT)_AUTH_INFO; * In case of GNUTLS_X509PKI returns a pointer to structure &X509PKI_(SERVER/CLIENT)_AUTH_INFO; * In case of GNUTLS_SRP returns a pointer to structure &SRP_(SERVER/CLIENT)_AUTH_INFO; - **/ -void* gnutls_get_auth_info( GNUTLS_STATE state) { + -*/ +void* _gnutls_get_auth_info( GNUTLS_STATE state) { return state->gnutls_key->auth_info; } diff --git a/lib/gnutls_auth_int.h b/lib/gnutls_auth_int.h index 6885edeb92..0bb10c13a1 100644 --- a/lib/gnutls_auth_int.h +++ b/lib/gnutls_auth_int.h @@ -3,4 +3,5 @@ int gnutls_set_cred( GNUTLS_STATE state, CredType type, void* cred); const void *_gnutls_get_cred( GNUTLS_KEY key, CredType kx, int* err); const void *_gnutls_get_kx_cred( GNUTLS_KEY key, KXAlgorithm algo, int *err); int _gnutls_generate_key(GNUTLS_KEY key); -CredType gnutls_get_auth_info_type( GNUTLS_STATE); +CredType gnutls_get_auth_type( GNUTLS_STATE state); +void* _gnutls_get_auth_info( GNUTLS_STATE state); diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index 0ce86c2279..28bf69b53b 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c @@ -86,6 +86,7 @@ static gnutls_error_entry error_algorithms[] = { GNUTLS_ERROR_ENTRY( GNUTLS_E_GOT_APPLICATION_DATA, 0), GNUTLS_ERROR_ENTRY( GNUTLS_E_DB_ERROR, 1), GNUTLS_ERROR_ENTRY( GNUTLS_E_INVALID_PARAMETERS, 1), + GNUTLS_ERROR_ENTRY( GNUTLS_E_INVALID_REQUEST, 1), {0} }; diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h index 010c0ab8ef..b12d5c0e55 100644 --- a/lib/gnutls_errors_int.h +++ b/lib/gnutls_errors_int.h @@ -52,5 +52,6 @@ #define GNUTLS_E_PKCS1_WRONG_PAD -48 #define GNUTLS_E_NO_CERTIFICATE_FOUND -49 #define GNUTLS_E_INVALID_PARAMETERS -50 +#define GNUTLS_E_INVALID_REQUEST -51 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -250 diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index b4eec79e06..3548ffccfa 100644 --- a/lib/gnutls_ui.c 
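Review bot: The doc comment kept on `_gnutls_get_auth_info` still says it returns `&X509PKI_(SERVER/CLIENT)_AUTH_INFO`, but the auth_x509.h hunk in this same commit folds both names into `X509PKI_AUTH_INFO`, so the comment now names a type that no longer exists. Suggest ` * In case of GNUTLS_X509PKI returns a pointer to structure &X509PKI_AUTH_INFO;`. Since the function is now internal (the `/*-` marker), it would also help to say that the returned pointer is presumably owned by the state (`return state->gnutls_key->auth_info;`) and must not be freed by the caller; that ownership is implied but not written.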
+++ b/lib/gnutls_ui.c @@ -23,18 +23,28 @@ #include <auth_anon.h> #include <auth_x509.h> #include <gnutls_errors.h> +#include <gnutls_auth_int.h> /* SRP */ +#define CHECK_AUTH(auth, ret) if (gnutls_get_auth_type(state) != auth) { \ + gnutls_assert(); \ + return ret; \ + } /** * gnutls_srp_server_get_username - This function returns the username of the peer - * @info: is a SRP_SERVER_AUTH_INFO structure + * @state: is a gnutls state * * This function will return the username of the peer. This should only be * called in case of SRP authentication and in case of a server. * **/ -const char* gnutls_srp_server_get_username( SRP_SERVER_AUTH_INFO info) { +const char* gnutls_srp_server_get_username( GNUTLS_STATE state) { +SRP_SERVER_AUTH_INFO info; + + CHECK_AUTH(GNUTLS_SRP, NULL); + + info = _gnutls_get_auth_info(state); if (info==NULL) return NULL; return info->username; } 
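Review bot: `CHECK_AUTH` silently depends on a local named `state` that is not one of its arguments, and it expands to a bare `if` block, so an `else` written after a use would bind to the macro's `if`; `auth` and `ret` are also expanded unparenthesized. Suggest `#define CHECK_AUTH(auth, ret) do { if (gnutls_get_auth_type(state) != (auth)) { gnutls_assert(); return (ret); } } while (0)` with a comment naming the hidden dependency, e.g. `/* Requires a GNUTLS_STATE named 'state' in scope; returns 'ret' from the caller when the session's credential type is not 'auth'. */`. The same macro is used by every accessor in the following gnutls_ui.c hunks, so the fix applies once here.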
@@ -43,26 +53,36 @@ const char* gnutls_srp_server_get_username( SRP_SERVER_AUTH_INFO info) { /** * gnutls_anon_server_get_dh_bits - This function returns the bits used in DH authentication - * @info: is an ANON_SERVER_AUTH_INFO structure + * @state: is a gnutls state * * This function will return the bits used in the Diffie Hellman authentication * with the peer. This should only be called in case of a server. * **/ -int gnutls_anon_server_get_dh_bits( ANON_SERVER_AUTH_INFO info) { +int gnutls_anon_server_get_dh_bits( GNUTLS_STATE state) { +ANON_SERVER_AUTH_INFO info; + + CHECK_AUTH(GNUTLS_ANON, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(state); if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; return info->dh_bits; } /** * gnutls_anon_client_get_dh_bits - This function returns the bits used in DH authentication - * @info: is an ANON_CLIENT_AUTH_INFO structure + * @state: is a gnutls state * * This function will return the bits used in the Diffie Hellman authentication * with the peer. This should only be called in case of a client. * **/ -int gnutls_anon_client_get_dh_bits( ANON_CLIENT_AUTH_INFO info) { +int gnutls_anon_client_get_dh_bits( GNUTLS_STATE state) { +ANON_CLIENT_AUTH_INFO info; + + CHECK_AUTH(GNUTLS_ANON, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(state); if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; return info->dh_bits; } 
@@ -71,122 +91,167 @@ int gnutls_anon_client_get_dh_bits( ANON_CLIENT_AUTH_INFO info) { /* X509PKI */ /** * gnutls_x509pki_get_peer_dn - This function returns the peer's distinguished name - * @info: is an X509PKI_CLIENT_AUTH_INFO structure + * @state: is a gnutls state * * This function will return the name of the peer. The name is gnutls_DN structure and * is a obtained by the peer's certificate. If the certificate send by the * peer is invalid, or in any other failure this function returns NULL. * **/ -const gnutls_DN* gnutls_x509pki_get_peer_dn( X509PKI_CLIENT_AUTH_INFO info) { +const gnutls_DN* gnutls_x509pki_get_peer_dn( GNUTLS_STATE state) { +X509PKI_AUTH_INFO info; + + CHECK_AUTH(GNUTLS_X509PKI, NULL); + + info = _gnutls_get_auth_info(state); if (info==NULL) return NULL; return &info->peer_dn; } /** * gnutls_x509pki_get_issuer_dn - This function returns the peer's certificate issuer distinguished name - * @info: is an X509PKI_CLIENT_AUTH_INFO structure + * @state: is a gnutls state * * This function will return the name of the peer's certificate issuer. The name is gnutls_DN structure and * is a obtained by the peer's certificate. If the certificate send by the * peer is invalid, or in any other failure this function returns NULL. * **/ -const gnutls_DN* gnutls_x509pki_get_issuer_dn( X509PKI_CLIENT_AUTH_INFO info) { +const gnutls_DN* gnutls_x509pki_get_issuer_dn( GNUTLS_STATE state) { +X509PKI_AUTH_INFO info; + + CHECK_AUTH(GNUTLS_X509PKI, NULL); + + info = _gnutls_get_auth_info(state); if (info==NULL) return NULL; return &info->issuer_dn; } /** * gnutls_x509pki_get_peer_certificate_status - This function returns the peer's certificate status - * @info: is an X509PKI_CLIENT_AUTH_INFO structure + * @state: is a gnutls state * * This function will return the peer's certificate status (TRUSTED, EXPIRED etc.). This is the output * of the certificate verification function. 
However you must also check the peer's name in order * to check if the verified certificate belongs to the actual peer. * **/ -CertificateStatus gnutls_x509pki_get_peer_certificate_status( X509PKI_CLIENT_AUTH_INFO info) { +CertificateStatus gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE state) { +X509PKI_AUTH_INFO info; + + CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(state); if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; return info->peer_certificate_status; } /** * gnutls_x509pki_get_peer_certificate_version - This function returns the peer's certificate version - * @info: is an X509PKI_CLIENT_AUTH_INFO structure + * @state: is a gnutls state * * This function will return the peer's certificate version (1, 2, 3). This is obtained by the X509 Certificate * Version field. If the certificate is invalid then version will be zero. * **/ -int gnutls_x509pki_get_peer_certificate_version( X509PKI_CLIENT_AUTH_INFO info) { +int gnutls_x509pki_get_peer_certificate_version( GNUTLS_STATE state) { +X509PKI_AUTH_INFO info; + + CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(state); if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; return info->peer_certificate_version; } /** * gnutls_x509pki_get_dh_bits - This function returns the number of bits used in a DHE handshake - * @info: is an X509PKI_CLIENT_AUTH_INFO structure + * @state: is a gnutls state * * This function will return the number of bits used in a Diffie Hellman Handshake. This will only * occur in case of DHE_* ciphersuites. The return value may be zero if no applicable ciphersuite was * used. 
* **/ -int gnutls_x509pki_get_dh_bits( X509PKI_CLIENT_AUTH_INFO info) { +int gnutls_x509pki_get_dh_bits( GNUTLS_STATE state) { +X509PKI_AUTH_INFO info; + + CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(state); if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; return info->dh_bits; } /** * gnutls_x509pki_get_peer_certificate_activation_time - This function returns the peer's certificate activation time - * @info: is an X509PKI_CLIENT_AUTH_INFO structure + * @state: is a gnutls state * * This function will return the peer's certificate activation time in UNIX time (ie seconds since * 00:00:00 UTC January 1, 1970). * **/ -time_t gnutls_x509pki_get_peer_certificate_activation_time( X509PKI_CLIENT_AUTH_INFO info) { - if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; +time_t gnutls_x509pki_get_peer_certificate_activation_time( GNUTLS_STATE state) { +X509PKI_AUTH_INFO info; + + CHECK_AUTH(GNUTLS_X509PKI, -1); + + info = _gnutls_get_auth_info(state); + if (info==NULL) return -1; return info->peer_certificate_activation_time; } /** * gnutls_x509pki_get_peer_certificate_expiration_time - This function returns the peer's certificate expiration time - * @info: is an X509PKI_CLIENT_AUTH_INFO structure + * @state: is a gnutls state * * This function will return the peer's certificate expiration time in UNIX time (ie seconds since * 00:00:00 UTC January 1, 1970). 
* **/ -time_t gnutls_x509pki_get_peer_certificate_expiration_time( X509PKI_CLIENT_AUTH_INFO info) { - if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; +time_t gnutls_x509pki_get_peer_certificate_expiration_time( GNUTLS_STATE state) { +X509PKI_AUTH_INFO info; + + CHECK_AUTH(GNUTLS_X509PKI, -1); + + info = _gnutls_get_auth_info(state); + if (info==NULL) return -1; return info->peer_certificate_expiration_time; } /** * gnutls_x509pki_get_key_usage - This function returns the peer's certificate key usage - * @info: is an X509PKI_CLIENT_AUTH_INFO structure + * @state: is a gnutls state * * This function will return the peer's certificate key usage. This is specified in X509v3 Certificate * Extensions and is an 8bit string. * **/ -unsigned char gnutls_x509pki_get_key_usage( X509PKI_CLIENT_AUTH_INFO info) { - if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; +unsigned char gnutls_x509pki_get_key_usage( GNUTLS_STATE state) { +X509PKI_AUTH_INFO info; + + CHECK_AUTH(GNUTLS_X509PKI, 0); + + info = _gnutls_get_auth_info(state); + if (info==NULL) return 0; return info->keyUsage; } /** * gnutls_x509pki_get_certificate_request_status - This function returns the certificate request status - * @info: is an X509PKI_CLIENT_AUTH_INFO structure + * @state: is a gnutls state * * This function will return 0 if the peer (server) did not requested client * authentication or 1 otherwise. * **/ -unsigned char gnutls_x509pki_get_certificate_request_status( X509PKI_CLIENT_AUTH_INFO info) { +unsigned char gnutls_x509pki_get_certificate_request_status( GNUTLS_STATE state) { +X509PKI_AUTH_INFO info; + + CHECK_AUTH(GNUTLS_X509PKI, 0); + + info = _gnutls_get_auth_info(state); if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR; return info->certificate_requested; } 
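Review bot: `gnutls_x509pki_get_peer_certificate_status` now returns `GNUTLS_E_INVALID_REQUEST` and `GNUTLS_E_UNKNOWN_ERROR` through a `CertificateStatus` return type, so a caller switching on the enum without a `default` (as cli.c and serv.c do in this commit) never sees the failure, and a check like `status!=GNUTLS_CERT_NONE && status!=GNUTLS_CERT_INVALID` then treats the error value as a usable certificate. Either document in the function comment that negative return values are error codes, or map the failure onto `GNUTLS_CERT_INVALID` so callers handle a single enum. `gnutls_x509pki_get_certificate_request_status` is also left inconsistent with the `gnutls_x509pki_get_key_usage` change beside it: its `unsigned char` return still carries `if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR;`, which truncates to a non-zero byte; suggest `if (info==NULL) return 0;` to match the `CHECK_AUTH(GNUTLS_X509PKI, 0)` above it.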
@@ -194,7 +259,7 @@ unsigned char gnutls_x509pki_get_certificate_request_status( X509PKI_CLIENT_AUT /** * gnutls_x509pki_get_subject_dns_name - This function returns the peer's dns name, if any - * @info: is an X509PKI_CLIENT_AUTH_INFO structure + * @state: is a gnutls state * * This function will return the peer's alternative name (the dns part of it). * This is specified in X509v3 Certificate Extensions. @@ -202,7 +267,12 @@ unsigned char gnutls_x509pki_get_certificate_request_status( X509PKI_CLIENT_AUT * string. * **/ -const char* gnutls_x509pki_get_subject_dns_name( X509PKI_CLIENT_AUTH_INFO info) { +const char* gnutls_x509pki_get_subject_dns_name( GNUTLS_STATE state) { +X509PKI_AUTH_INFO info; + + CHECK_AUTH(GNUTLS_X509PKI, NULL); + + info = _gnutls_get_auth_info(state); if (info==NULL) return NULL; return info->subjectAltDNSName; } diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h index 69acca5754..d7c7052c68 100644 --- a/lib/gnutls_ui.h +++ b/lib/gnutls_ui.h 
@@ -43,29 +43,31 @@ typedef int x509_cert_callback_func(gnutls_DN *, gnutls_DN *, int, gnutls_DN *, /* Functions that allow AUTH_INFO structures handling */ +CredType gnutls_get_auth_type( GNUTLS_STATE state); + /* SRP */ -const char* gnutls_srp_server_get_username( const SRP_SERVER_AUTH_INFO info); +const char* gnutls_srp_server_get_username( GNUTLS_STATE state); /* ANON */ -int gnutls_anon_server_get_dh_bits( ANON_SERVER_AUTH_INFO info); -int gnutls_anon_client_get_dh_bits( ANON_CLIENT_AUTH_INFO info); +int gnutls_anon_server_get_dh_bits( GNUTLS_STATE state); +int gnutls_anon_client_get_dh_bits( GNUTLS_STATE state); /* X509PKI */ int gnutls_set_x509_cert_callback( X509PKI_CREDENTIALS, x509_cert_callback_func *); int gnutls_x509pki_set_cert_request( GNUTLS_STATE, CertificateRequest); -const gnutls_DN* gnutls_x509pki_get_peer_dn( X509PKI_CLIENT_AUTH_INFO info); -const gnutls_DN* gnutls_x509pki_get_issuer_dn( X509PKI_CLIENT_AUTH_INFO info); -CertificateStatus gnutls_x509pki_get_peer_certificate_status( X509PKI_CLIENT_AUTH_INFO info); -int gnutls_x509pki_get_peer_certificate_version( X509PKI_CLIENT_AUTH_INFO info); -time_t gnutls_x509pki_get_peer_certificate_activation_time( X509PKI_CLIENT_AUTH_INFO info); -time_t gnutls_x509pki_get_peer_certificate_expiration_time( X509PKI_CLIENT_AUTH_INFO info); -unsigned char gnutls_x509pki_get_key_usage( X509PKI_CLIENT_AUTH_INFO info); -const char* gnutls_x509pki_get_subject_dns_name( X509PKI_CLIENT_AUTH_INFO info); -int gnutls_x509pki_get_dh_bits( X509PKI_CLIENT_AUTH_INFO info); +const gnutls_DN* gnutls_x509pki_get_peer_dn( GNUTLS_STATE); +const gnutls_DN* gnutls_x509pki_get_issuer_dn( GNUTLS_STATE); +CertificateStatus gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE); +int gnutls_x509pki_get_peer_certificate_version( GNUTLS_STATE); +time_t gnutls_x509pki_get_peer_certificate_activation_time( GNUTLS_STATE); +time_t gnutls_x509pki_get_peer_certificate_expiration_time( GNUTLS_STATE); +unsigned char 
gnutls_x509pki_get_key_usage( GNUTLS_STATE); +const char* gnutls_x509pki_get_subject_dns_name( GNUTLS_STATE); +int gnutls_x509pki_get_dh_bits( GNUTLS_STATE); #define gnutls_x509pki_server_get_dh_bits gnutls_x509pki_get_dh_bits #define gnutls_x509pki_client_get_dh_bits gnutls_x509pki_get_dh_bits @@ -58,27 +58,26 @@ PRINTX( "S:", X->state_or_province_name); \ PRINTX( "C:", X->country); \ PRINTX( "E:", X->email); \ - PRINTX( "SAN:", gnutls_x509pki_client_get_subject_dns_name(x509_info)) + PRINTX( "SAN:", gnutls_x509pki_client_get_subject_dns_name(state)) static int print_info( GNUTLS_STATE state) { const char *tmp; -ANON_CLIENT_AUTH_INFO dh_info; -X509PKI_CLIENT_AUTH_INFO x509_info; +CredType cred; const gnutls_DN* dn; +CertificateStatus status; + tmp = gnutls_kx_get_name(gnutls_get_current_kx( state)); printf("- Key Exchange: %s\n", tmp); - if (gnutls_get_auth_info_type(state) == GNUTLS_ANON) { - dh_info = gnutls_get_auth_info(state); - if (dh_info != NULL) + + cred = gnutls_get_auth_type(state); + switch(cred) { + case GNUTLS_ANON: printf("- Anonymous DH using prime of %d bits\n", - gnutls_anon_client_get_dh_bits(dh_info)); - } + gnutls_anon_client_get_dh_bits( state)); - if (gnutls_get_auth_info_type(state) == GNUTLS_X509PKI) { - x509_info = gnutls_get_auth_info(state); - if (x509_info != NULL) { - CertificateStatus status = gnutls_x509pki_client_get_peer_certificate_status(x509_info); + case GNUTLS_X509PKI: + status = gnutls_x509pki_client_get_peer_certificate_status( state); switch( status) { case GNUTLS_CERT_NOT_TRUSTED: printf("- Peer's X509 Certificate was NOT verified\n"); 
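Review bot: `case GNUTLS_ANON:` in the new `switch(cred)` of cli.c's print_info has no `break` before `case GNUTLS_X509PKI:`, so an anonymous-DH session falls through into the X.509 reporting path (the serv.c counterpart later in this commit does carry a `break;`). With `CHECK_AUTH` in gnutls_ui.c, `gnutls_x509pki_client_get_peer_certificate_status( state)` then returns `GNUTLS_E_INVALID_REQUEST`, which matches no case of `switch( status)` and passes the `status!=GNUTLS_CERT_NONE && status!=GNUTLS_CERT_INVALID` test in the next hunk, after which the DN accessors return NULL and are handed to PRINT_DN; whether that macro tolerates NULL is not visible here. Suggest adding `break;` directly after `gnutls_anon_client_get_dh_bits( state));`. print_info's body continues past this hunk.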
@@ -96,19 +95,18 @@ const gnutls_DN* dn; printf("- Peer's X509 Certificate was invalid\n"); break; } - + if (status!=GNUTLS_CERT_NONE && status!=GNUTLS_CERT_INVALID) { printf(" - Certificate info:\n"); - printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version(x509_info)); + printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version( state)); - dn = gnutls_x509pki_client_get_peer_dn( x509_info); + dn = gnutls_x509pki_client_get_peer_dn( state); PRINT_DN( dn); - dn = gnutls_x509pki_client_get_issuer_dn( x509_info); + dn = gnutls_x509pki_client_get_issuer_dn( state); printf(" - Certificate Issuer's info:\n"); PRINT_DN( dn); } - } } tmp = gnutls_version_get_name(gnutls_get_current_version(state)); @@ -256,7 +254,6 @@ int main(int argc, char** argv) shutdown( sd, SHUT_WR); close(sd); gnutls_deinit( state); - printf("\n\n- Connecting again- trying to resume previous session\n"); sd = socket(AF_INET, SOCK_STREAM, 0); diff --git a/src/serv.c b/src/serv.c index 6efb43021d..79da5428a6 100644 --- a/src/serv.c +++ b/src/serv.c @@ -75,8 +75,6 @@ GNUTLS_STATE initialize_state() GNUTLS_STATE state; int ret; - - gnutls_init(&state, GNUTLS_SERVER); if ((ret = gnutls_set_db_name(state, "gnutls-rsm.db")) < 0) fprintf(stderr, "*** DB error (%d)\n\n", ret); @@ -87,7 +85,7 @@ GNUTLS_STATE initialize_state() gnutls_set_cipher_priority(state, GNUTLS_NULL_CIPHER, GNUTLS_RIJNDAEL_CBC, GNUTLS_3DES_CBC, GNUTLS_ARCFOUR, 0); gnutls_set_compression_priority(state, GNUTLS_ZLIB, GNUTLS_NULL_COMPRESSION, 0); - gnutls_set_kx_priority(state, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, 0); + gnutls_set_kx_priority(state, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, GNUTLS_KX_DH_ANON, 0); gnutls_set_protocol_priority( state, GNUTLS_TLS1, GNUTLS_SSL3, 0); gnutls_set_cred(state, GNUTLS_ANON, dh_cred); 
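Review bot: The serv.c `gnutls_set_kx_priority` line now also advertises `GNUTLS_KX_SRP` and `GNUTLS_KX_DH_ANON`, and nothing near it says that anonymous DH gives the peer no authentication at all. Since this is the demonstration server (it already installs an anonymous credential with `gnutls_set_cred(state, GNUTLS_ANON, dh_cred)`), a one-line comment would stop the line being copied as-is into a real deployment, e.g. `/* DH_ANON is unauthenticated; listed only so the test server can exercise every credential type. */`.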
@@ -109,17 +107,16 @@ GNUTLS_STATE initialize_state()
 PRINTX( "S:", X->state_or_province_name); \
 PRINTX( "C:", X->country); \
 PRINTX( "E:", X->email); \
- PRINTX( "SAN:", gnutls_x509pki_client_get_subject_dns_name(x509_info))
+ PRINTX( "SAN:", gnutls_x509pki_client_get_subject_dns_name(state))
 void print_info(GNUTLS_STATE state)
 {
- SRP_SERVER_AUTH_INFO srp_info;
- ANON_SERVER_AUTH_INFO dh_info;
- X509PKI_SERVER_AUTH_INFO x509_info;
 const char *tmp;
 unsigned char sesid[32];
 int sesid_size, i;
 const gnutls_DN* dn;
+ CredType cred;
+ CertificateStatus status;
 /* print session_id specific data */
 gnutls_get_current_session_id( state, sesid, &sesid_size);
@@ -133,24 +130,24 @@ void print_info(GNUTLS_STATE state)
 printf("%s\n", (char*)gnutls_ext_get_name_ind(state, GNUTLS_DNSNAME));
 }
- /* print srp specific data */
- if (gnutls_get_auth_info_type(state) == GNUTLS_SRP) {
- srp_info = gnutls_get_auth_info(state);
- if (srp_info != NULL)
+ /* we could also use the KX algorithm to distinguish the functions
+ * to call, but this is easier.
+ */
+ cred = gnutls_get_auth_type(state);
+
+ switch(cred) {
+ case GNUTLS_SRP:
+ /* print srp specific data */
 printf("\n- User '%s' connected\n",
- gnutls_srp_server_get_username(srp_info));
- }
- if (gnutls_get_auth_info_type(state) == GNUTLS_ANON) {
- dh_info = gnutls_get_auth_info(state);
- if (dh_info != NULL)
+ gnutls_srp_server_get_username( state));
+ break;
+ case GNUTLS_ANON:
 printf("\n- Anonymous DH using prime of %d bits\n",
- gnutls_anon_server_get_dh_bits(dh_info));
- }
+ gnutls_anon_server_get_dh_bits( state));
+ break;
- if (gnutls_get_auth_info_type(state) == GNUTLS_X509PKI) {
- x509_info = gnutls_get_auth_info(state);
- if (x509_info != NULL) {
- CertificateStatus status = gnutls_x509pki_client_get_peer_certificate_status(x509_info);
+ case GNUTLS_X509PKI:
+ status = gnutls_x509pki_client_get_peer_certificate_status( state);
 switch( status) {
 case GNUTLS_CERT_NOT_TRUSTED:
 printf("- Peer's X509 Certificate was NOT verified\n");
@@ -167,24 +164,27 @@ void print_info(GNUTLS_STATE state)
 case GNUTLS_CERT_INVALID:
 printf("- Peer's X509 Certificate was invalid\n");
 break;
-
+ }
+
+ if (gnutls_get_current_kx(state) == GNUTLS_KX_DHE_RSA || gnutls_get_current_kx(state) == GNUTLS_KX_DHE_DSS) {
+ printf("\n- Ephemeral DH using prime of %d bits\n",
+ gnutls_x509pki_server_get_dh_bits( state));
 }
 if (status!=GNUTLS_CERT_NONE && status!=GNUTLS_CERT_INVALID) {
 printf(" - Certificate info:\n");
- printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version(x509_info));
+ printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version(state));
- dn = gnutls_x509pki_client_get_peer_dn( x509_info);
+ dn = gnutls_x509pki_client_get_peer_dn( state);
 if (dn!=NULL) PRINT_DN( dn);
-
- dn = gnutls_x509pki_client_get_issuer_dn( x509_info);
+
+ dn = gnutls_x509pki_client_get_issuer_dn( state);
 if (dn!=NULL) {
 printf(" - Certificate Issuer's info:\n");
 PRINT_DN( dn);
 }
 }
- }
 }
@@ -215,8 +215,6 @@ void print_info(GNUTLS_STATE state)
 #define tmp2 &http_buffer[strlen(http_buffer)]
 void peer_print_info(int cd, GNUTLS_STATE state)
 {
- SRP_SERVER_AUTH_INFO srp_info;
- ANON_SERVER_AUTH_INFO dh_info;
 const char *tmp;
 unsigned char sesid[32];
 int sesid_size, i;
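Review bot: The new ephemeral-DH check in serv.c's print_info calls gnutls_get_current_kx(state) twice inside one condition, and the identical condition is repeated in the @@ -262 hunk of peer_print_info; fetching the algorithm once into a local and comparing that keeps the two call sites in step, e.g. `kx = gnutls_get_current_kx(state);` followed by `if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) {`. The block sits inside `case GNUTLS_X509PKI:`, which is right for DHE_RSA/DHE_DSS but not obvious at a glance; a short comment such as `/* DHE_* suites run on X.509 credentials, so the DH prime size is reported here */` would explain the placement. print_info's body starts before this hunk.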
@@ -236,21 +234,19 @@ void peer_print_info(int cd, GNUTLS_STATE state)
 sprintf(tmp2, "<b>%s</b></p>\n", (char*)gnutls_ext_get_name_ind(state, GNUTLS_DNSNAME));
 }
+ /* Here unlike print_info() we use the kx algorithm to distinguish
+ * the functions to call.
+ */
+
 /* print srp specific data */
 if (gnutls_get_current_kx(state) == GNUTLS_KX_SRP) {
- srp_info = gnutls_get_auth_info(state);
- if (srp_info != NULL) {
- sprintf(tmp2, "<p>Connected as user '%s'.</p>\n",
- gnutls_srp_server_get_username(srp_info));
- }
+ sprintf(tmp2, "<p>Connected as user '%s'.</p>\n",
+ gnutls_srp_server_get_username( state));
 }
- if (gnutls_get_current_kx(state) == GNUTLS_KX_DH_ANON) {
- dh_info = gnutls_get_auth_info(state);
- if (dh_info != NULL) {
- sprintf(tmp2, "<p> Connect using anonymous DH (prime of %d bits)</p>\n",
- gnutls_anon_server_get_dh_bits( dh_info));
- }
+ if (gnutls_get_current_kx(state) == GNUTLS_KX_DH_ANON) {
+ sprintf(tmp2, "<p> Connect using anonymous DH (prime of %d bits)</p>\n",
+ gnutls_anon_server_get_dh_bits( state));
 }
 /* print state information */
@@ -262,6 +258,11 @@ void peer_print_info(int cd, GNUTLS_STATE state)
 tmp = gnutls_kx_get_name(gnutls_get_current_kx(state));
 sprintf(tmp2, "Key Exchange: <b>%s</b><br>\n", tmp);
+ if (gnutls_get_current_kx(state) == GNUTLS_KX_DHE_RSA || gnutls_get_current_kx(state) == GNUTLS_KX_DHE_DSS) {
+ sprintf(tmp2, "Ephemeral DH using prime of <b>%d</b> bits.<br>\n",
+ gnutls_x509pki_server_get_dh_bits( state));
+ }
+
 tmp = gnutls_compression_get_name (gnutls_get_current_compression_method(state)); |
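Review bot: The rewritten `sprintf(tmp2, "<p>Connected as user '%s'.</p>\n", gnutls_srp_server_get_username( state));` writes the SRP user name, which is presumably the value the peer sent during the handshake, into http_buffer with no length bound (tmp2 expands to &http_buffer[strlen(http_buffer)] per the previous hunk) and also places it into the generated HTML unescaped. Bounding the write with the remaining space, e.g. `snprintf(tmp2, sizeof(http_buffer) - strlen(http_buffer), "<p>Connected as user '%s'.</p>\n", gnutls_srp_server_get_username( state));`, removes the overflow risk, assuming http_buffer is a fixed-size array declared elsewhere in serv.c, and the name should be HTML-escaped or length-limited before it is echoed to the browser. The same unbounded sprintf pattern is used for the other lines in peer_print_info, including the new DHE line in the @@ -262 hunk, though those format only library-provided numbers and algorithm names. peer_print_info continues past the hunk.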