authorNikos Mavrogiannopoulos <nmav@crystal.(none)>2008-06-20 22:46:23 +0300
committerNikos Mavrogiannopoulos <nmav@crystal.(none)>2008-06-20 22:46:23 +0300
commit7f632c6e4164a75136751a8f728c43af92215e43 (patch)
treee259faafaabd494ca77795dbd29dcb946f6d886f
parent801eadca84b227d51e55d65b0249f992cdda3680 (diff)
merged with master.
-rw-r--r--includes/gnutls/crypto.h4
-rw-r--r--includes/gnutls/gnutls.h.in13
-rw-r--r--includes/gnutls/gnutlsxx.h87
-rw-r--r--includes/gnutls/openpgp.h7
-rw-r--r--includes/gnutls/openssl.h1
-rw-r--r--lib/Makefile.am7
-rw-r--r--lib/auth_cert.c8
-rw-r--r--lib/auth_psk.c153
-rw-r--r--lib/auth_psk.h6
-rw-r--r--lib/ext_server_name.c27
-rw-r--r--lib/gnutls_buffers.c2
-rw-r--r--lib/gnutls_cert.c11
-rw-r--r--lib/gnutls_cipher.c10
-rw-r--r--lib/gnutls_errors.c6
-rw-r--r--lib/gnutls_handshake.c31
-rw-r--r--lib/gnutls_int.h4
-rw-r--r--lib/gnutls_kx.c9
-rw-r--r--lib/gnutls_openpgp.c4
-rw-r--r--lib/gnutls_psk.c198
-rw-r--r--lib/gnutls_psk_netconf.c138
-rw-r--r--lib/gnutls_session_pack.c24
-rw-r--r--lib/gnutls_state.c21
-rw-r--r--lib/gnutls_state.h4
-rw-r--r--lib/gnutls_str.c2
-rw-r--r--lib/gnutls_x509.c6
-rw-r--r--lib/gnutlsxx.cpp366
-rw-r--r--lib/libgnutls.vers4
-rw-r--r--lib/opencdk/keydb.c10
-rw-r--r--lib/opencdk/main.h2
-rw-r--r--lib/opencdk/sig-check.c134
-rw-r--r--lib/openpgp/extras.c66
-rw-r--r--lib/openpgp/openpgp_int.h4
-rw-r--r--lib/openpgp/output.c45
-rw-r--r--lib/openpgp/pgp.c475
-rw-r--r--lib/openpgp/pgpverify.c35
-rw-r--r--lib/openpgp/privkey.c273
-rw-r--r--lib/pk-libgcrypt.c20
-rw-r--r--lib/x509/common.c26
-rw-r--r--lib/x509/crl.c325
-rw-r--r--lib/x509/crl_write.c28
-rw-r--r--lib/x509/crq.c45
-rw-r--r--lib/x509/dn.c205
-rw-r--r--lib/x509/output.c12
-rw-r--r--lib/x509/pkcs12.c18
-rw-r--r--lib/x509/pkcs12_bag.c83
-rw-r--r--lib/x509/pkcs7.c291
-rw-r--r--lib/x509/privkey.c395
-rw-r--r--lib/x509/privkey_pkcs8.c3
-rw-r--r--lib/x509/rfc2818_hostname.c23
-rw-r--r--lib/x509/sign.c3
-rw-r--r--lib/x509/verify.c9
-rw-r--r--lib/x509/x509.c199
-rw-r--r--lib/x509/x509_write.c63
-rw-r--r--libextra/gnutls_openssl.c7
-rw-r--r--libextra/libgnutls-extra.vers4
-rw-r--r--src/certtool-cfg.c32
-rw-r--r--src/certtool-cfg.h2
-rw-r--r--src/certtool-gaa.c149
-rw-r--r--src/certtool-gaa.h44
-rw-r--r--src/certtool.c29
-rw-r--r--src/certtool.gaa14
-rw-r--r--src/cli.c102
-rw-r--r--src/common.c33
-rw-r--r--src/common.h4
-rw-r--r--src/crypt.c4
-rw-r--r--src/psk-gaa.c43
-rw-r--r--src/psk-gaa.h4
-rw-r--r--src/psk.c53
-rw-r--r--src/psk.gaa6
-rw-r--r--src/serv-gaa.c133
-rw-r--r--src/serv-gaa.h34
-rw-r--r--src/serv.c15
-rw-r--r--src/serv.gaa3
-rw-r--r--src/tests.c2
-rw-r--r--tests/Makefile.am19
-rw-r--r--tests/anonself.c38
-rw-r--r--tests/certder.c8
-rw-r--r--tests/dhepskself.c31
-rw-r--r--tests/gc.c4
-rw-r--r--tests/libgcrypt.supp87
-rw-r--r--tests/mini.c251
-rw-r--r--tests/moredn.c6
-rw-r--r--tests/netconf-psk.c64
-rw-r--r--tests/openpgp-certs/Makefile.am33
-rw-r--r--tests/openpgp-certs/ca-public.gpg14
-rw-r--r--tests/openpgp-certs/ca-secret.gpg21
-rw-r--r--tests/openpgp-certs/srv-public-127.0.0.1-signed.gpg20
-rw-r--r--tests/openpgp-certs/srv-public-all-signed.gpg23
-rw-r--r--tests/openpgp-certs/srv-public-localhost-signed.gpg20
-rw-r--r--tests/openpgp-certs/srv-public.gpg17
-rw-r--r--tests/openpgp-certs/srv-secret.gpg24
-rwxr-xr-xtests/openpgp-certs/testcerts65
-rw-r--r--tests/openpgpself.c54
-rw-r--r--tests/oprfi.c8
-rw-r--r--tests/pskself.c16
-rw-r--r--tests/resume.c44
-rw-r--r--tests/set_pkcs12_cred.c4
-rw-r--r--tests/tlsia.c30
-rw-r--r--tests/x509dn.c46
-rw-r--r--tests/x509self.c49
-rw-r--r--tests/x509signself.c46
101 files changed, 3698 insertions, 2006 deletions
diff --git a/includes/gnutls/crypto.h b/includes/gnutls/crypto.h
index d7429cb113..a94eef62e7 100644
--- a/includes/gnutls/crypto.h
+++ b/includes/gnutls/crypto.h
@@ -22,6 +22,8 @@
*
*/
+#if INTERNAL_GNUTLS_CRYPTO_H_ENABLE_UNSUPPORTED_API
+
#ifndef GNUTLS_CRYPTO_H
# define GNUTLS_CRYPTO_H
@@ -215,3 +217,5 @@ int gnutls_crypto_pk_register2( int priority, int version, gnutls_crypto_pk_st*
int gnutls_crypto_bigint_register2( int priority, int version, gnutls_crypto_bigint_st* s);
#endif
+
+#endif
diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in
index f9831d78f1..1bd5d03876 100644
--- a/includes/gnutls/gnutls.h.in
+++ b/includes/gnutls/gnutls.h.in
@@ -985,7 +985,12 @@ extern "C"
int gnutls_psk_set_server_credentials_file (gnutls_psk_server_credentials_t
res, const char *password_file);
+ int
+ gnutls_psk_set_server_credentials_hint (gnutls_psk_server_credentials_t res,
+ const char *hint);
+
const char *gnutls_psk_server_get_username (gnutls_session_t session);
+ const char *gnutls_psk_client_get_hint (gnutls_session_t session);
typedef int gnutls_psk_server_credentials_function (gnutls_session_t,
const char *username,
@@ -1015,6 +1020,12 @@ extern "C"
res,
gnutls_params_function * func);
+ int gnutls_psk_netconf_derive_key (const char *password,
+ const char *psk_identity,
+ const char *psk_identity_hint,
+ gnutls_datum_t *output_key);
+
+
typedef enum gnutls_x509_subject_alt_name_t
{
GNUTLS_SAN_DNSNAME = 1,
@@ -1320,6 +1331,8 @@ extern "C"
#define GNUTLS_E_CRYPTO_ALREADY_REGISTERED -209
+#define GNUTLS_E_HANDSHAKE_TOO_LARGE -210
+
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
#define GNUTLS_E_APPLICATION_ERROR_MAX -65000
diff --git a/includes/gnutls/gnutlsxx.h b/includes/gnutls/gnutlsxx.h
index 932f4945e1..455fa2425f 100644
--- a/includes/gnutls/gnutlsxx.h
+++ b/includes/gnutls/gnutlsxx.h
@@ -7,6 +7,19 @@
namespace gnutls {
+class noncopyable
+{
+ protected:
+ noncopyable() { }
+ ~noncopyable() { }
+
+ private:
+ // These are non-implemented.
+ noncopyable(const noncopyable &);
+ noncopyable &operator=(const noncopyable &);
+};
+
+
class exception: public std::exception
{
public:
@@ -17,7 +30,8 @@ class exception: public std::exception
int retcode;
};
-class dh_params
+
+class dh_params : private noncopyable
{
public:
dh_params();
@@ -27,7 +41,7 @@ class dh_params
void import_pkcs3( const gnutls_datum_t & pkcs3_params,
gnutls_x509_crt_fmt_t format);
void generate( unsigned int bits);
-
+
void export_pkcs3( gnutls_x509_crt_fmt_t format, unsigned char *params_data, size_t * params_data_size);
void export_raw( gnutls_datum_t& prime, gnutls_datum_t &generator);
@@ -36,9 +50,9 @@ class dh_params
protected:
gnutls_dh_params_t params;
};
-
-
-class rsa_params
+
+
+class rsa_params : private noncopyable
{
public:
rsa_params();
@@ -52,7 +66,7 @@ class rsa_params
void import_pkcs1( const gnutls_datum_t & pkcs1_params,
gnutls_x509_crt_fmt_t format);
void generate( unsigned int bits);
-
+
void export_pkcs1( gnutls_x509_crt_fmt_t format, unsigned char *params_data, size_t * params_data_size);
void export_raw( gnutls_datum_t & m, gnutls_datum_t & e,
gnutls_datum_t & d, gnutls_datum_t & p,
@@ -64,18 +78,17 @@ class rsa_params
gnutls_rsa_params_t params;
};
-class session
+class session : private noncopyable
{
protected:
gnutls_session_t s;
public:
session( gnutls_connection_end_t);
- session( session& s);
virtual ~session();
int bye( gnutls_close_request_t how);
int handshake ();
-
+
gnutls_alert_description_t get_alert() const;
int send_alert ( gnutls_alert_level_t level,
@@ -121,8 +134,8 @@ class session
void set_protocol_priority (const int *list);
void set_certificate_type_priority (const int *list);
-/* if you just want some defaults, use the following.
- */
+ /* if you just want some defaults, use the following.
+ */
void set_priority (const char* prio, const char** err_pos);
void set_priority (gnutls_priority_t p);
@@ -173,7 +186,7 @@ class session
void get_dh_pubkey( gnutls_datum_t & raw_key) const;
void get_rsa_export_pubkey( gnutls_datum_t& exponent, gnutls_datum_t& modulus) const;
unsigned int get_rsa_export_modulus_bits() const;
-
+
void get_our_certificate(gnutls_datum_t & cert) const;
bool get_peers_certificate(std::vector<gnutls_datum_t> &out_certs) const;
bool get_peers_certificate(const gnutls_datum_t** certs, unsigned int *certs_size) const;
@@ -185,7 +198,7 @@ class session
};
// interface for databases
-class DB
+class DB : private noncopyable
{
public:
virtual ~DB()=0;
@@ -198,15 +211,16 @@ class server_session: public session
{
public:
server_session();
+ ~server_session();
void db_remove() const;
-
+
void set_db_cache_expiration (unsigned int seconds);
void set_db( const DB& db);
-
+
// returns true if session is expired
bool db_check_entry ( gnutls_datum_t &session_data) const;
-
- // server side only
+
+ // server side only
const char *get_srp_username() const;
const char *get_psk_username() const;
@@ -221,35 +235,28 @@ class client_session: public session
{
public:
client_session();
+ ~client_session();
+
void set_server_name (gnutls_server_name_type_t type,
const void *name, size_t name_length);
-
+
bool get_request_status();
};
-class credentials
+class credentials : private noncopyable
{
public:
- credentials(gnutls_credentials_type_t t);
-#if defined(__APPLE__) || defined(__MACOS__)
- /* FIXME: This #if is due to a compile bug in Mac OS X. Give
- it some time and then remove this cruft. See also
- lib/gnutlsxx.cpp. */
- credentials( credentials& c) {
- type = c.type;
- set_ptr( c.ptr());
- }
-#else
- credentials( credentials& c);
-#endif
virtual ~credentials() { }
gnutls_credentials_type_t get_type() const;
protected:
friend class session;
- virtual void* ptr() const=0;
- virtual void set_ptr(void* ptr)=0;
+ credentials(gnutls_credentials_type_t t);
+ void* ptr() const;
+ void set_ptr(void* ptr);
gnutls_credentials_type_t type;
+ private:
+ void *cred;
};
class certificate_credentials: public credentials
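Review bot: The new private member `void *cred;` in `credentials` carries the same name as the typed `cred` members the derived classes keep (`gnutls_certificate_credentials_t cred;` in the next hunk, and the `srp_*`/`psk_*` hunks further down), so each derived `cred` hides the base one and a reader cannot tell which storage a given method touches; presumably `set_ptr()` writes the base field while the derived methods still use their own copy, and the two can silently diverge. Renaming the base field, e.g. `void *cred_ptr;`, or dropping the derived members now that `ptr()`/`set_ptr()` live in the base, removes the ambiguity. A one-line comment on the base field saying it is the handle the C API receives would also help, since the header otherwise documents nothing about it.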
@@ -288,14 +295,11 @@ class certificate_credentials: public credentials
gnutls_x509_crt_fmt_t type, const char *password);
protected:
- void* ptr() const;
- void set_ptr(void* p);
gnutls_certificate_credentials_t cred;
};
class certificate_server_credentials: public certificate_credentials
{
- certificate_server_credentials() { }
public:
void set_retrieve_function( gnutls_certificate_server_retrieve_function* func);
void set_params_function( gnutls_params_function* func);
@@ -304,7 +308,6 @@ class certificate_server_credentials: public certificate_credentials
class certificate_client_credentials: public certificate_credentials
{
public:
- certificate_client_credentials() { }
void set_retrieve_function( gnutls_certificate_client_retrieve_function* func);
};
@@ -340,8 +343,6 @@ class srp_server_credentials: public credentials
void set_credentials_file (const char *password_file, const char *password_conf_file);
void set_credentials_function( gnutls_srp_server_credentials_function *func);
protected:
- void* ptr() const;
- void set_ptr(void* p);
gnutls_srp_server_credentials_t cred;
};
@@ -353,8 +354,6 @@ class srp_client_credentials: public credentials
void set_credentials (const char *username, const char *password);
void set_credentials_function( gnutls_srp_client_credentials_function* func);
protected:
- void* ptr() const;
- void set_ptr(void* p);
gnutls_srp_client_credentials_t cred;
};
@@ -369,8 +368,6 @@ class psk_server_credentials: public credentials
void set_dh_params ( const dh_params &params);
void set_params_function (gnutls_params_function * func);
protected:
- void* ptr() const;
- void set_ptr(void* p);
gnutls_psk_server_credentials_t cred;
};
@@ -382,12 +379,10 @@ class psk_client_credentials: public credentials
void set_credentials (const char *username, const gnutls_datum_t& key, gnutls_psk_key_flags flags);
void set_credentials_function( gnutls_psk_client_credentials_function* func);
protected:
- void* ptr() const;
- void set_ptr(void* p);
gnutls_psk_client_credentials_t cred;
};
-}; /* namespace */
+} /* namespace */
#endif /* GNUTLSXX_H */
diff --git a/includes/gnutls/openpgp.h b/includes/gnutls/openpgp.h
index e56a226e4e..ecb05183c8 100644
--- a/includes/gnutls/openpgp.h
+++ b/includes/gnutls/openpgp.h
@@ -73,6 +73,9 @@ extern "C"
unsigned int *key_usage);
int gnutls_openpgp_crt_get_fingerprint (gnutls_openpgp_crt_t key, void *fpr,
size_t * fprlen);
+ int gnutls_openpgp_crt_get_subkey_fingerprint (gnutls_openpgp_crt_t key,
+ unsigned int idx,
+ void *fpr, size_t * fprlen);
int gnutls_openpgp_crt_get_name (gnutls_openpgp_crt_t key,
int idx, char *buf, size_t * sizeof_buf);
@@ -135,6 +138,10 @@ extern "C"
gnutls_datum_t * signature);
int gnutls_openpgp_privkey_get_fingerprint (gnutls_openpgp_privkey_t key,
void *fpr, size_t * fprlen);
+ int
+ gnutls_openpgp_privkey_get_subkey_fingerprint (gnutls_openpgp_privkey_t key,
+ unsigned int idx,
+ void *fpr, size_t * fprlen);
int gnutls_openpgp_privkey_get_key_id (gnutls_openpgp_privkey_t key, gnutls_openpgp_keyid_t keyid);
int gnutls_openpgp_privkey_get_subkey_count (gnutls_openpgp_privkey_t key);
int gnutls_openpgp_privkey_get_subkey_idx (gnutls_openpgp_privkey_t key, const gnutls_openpgp_keyid_t keyid);
diff --git a/includes/gnutls/openssl.h b/includes/gnutls/openssl.h
index b76771a4cd..c6e86cf4a1 100644
--- a/includes/gnutls/openssl.h
+++ b/includes/gnutls/openssl.h
@@ -305,6 +305,7 @@ extern "C"
int RAND_status (void);
void RAND_seed (const void *buf, int num);
int RAND_bytes (unsigned char *buf, int num);
+ int RAND_pseudo_bytes (unsigned char *buf, int num);
const char *RAND_file_name (char *buf, size_t len);
int RAND_load_file (const char *name, long maxbytes);
int RAND_write_file (const char *name);
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 1cb440c02c..d9b75f3840 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -63,7 +63,8 @@ lib_LTLIBRARIES = libgnutls.la
SRP_COBJECTS = ext_srp.c gnutls_srp.c auth_srp.c auth_srp_passwd.c \
auth_srp_sb64.c auth_srp_rsa.c
-PSK_COBJECTS = auth_psk.c auth_psk_passwd.c gnutls_psk.c auth_dhe_psk.c
+PSK_COBJECTS = auth_psk.c auth_psk_passwd.c gnutls_psk.c \
+ auth_dhe_psk.c gnutls_psk_netconf.c
OPRFI_COBJECTS = ext_oprfi.c
@@ -147,13 +148,13 @@ endif
# C++ library
if ENABLE_CXX
-CPP_OBJECTS = gnutlsxx.cpp
+libgnutlsxx_la_CPPFLAGS = -I$(top_srcdir)/includes -I../includes
AM_CXXFLAGS = -I$(top_srcdir)/includes/
lib_LTLIBRARIES += libgnutlsxx.la
-libgnutlsxx_la_SOURCES = $(CPP_OBJECTS) libgnutlsxx.vers
+libgnutlsxx_la_SOURCES = gnutlsxx.cpp libgnutlsxx.vers
libgnutlsxx_la_LDFLAGS = -no-undefined \
-version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE)
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index dd9daf9b3b..030caf8f8a 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -1103,14 +1103,16 @@ _gnutls_proc_openpgp_server_certificate (gnutls_session_t session,
gnutls_assert();
return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
}
- p++;
+
DECR_LEN (dsize, 1);
+ p++;
+
+ DECR_LEN (dsize, sizeof( subkey_id));
memcpy( subkey_id, p, sizeof( subkey_id));
+ p+= sizeof( subkey_id);
subkey_id_set = 1;
- p+= sizeof( subkey_id);
- DECR_LEN (dsize, sizeof( subkey_id));
}
/* read the actual key or fingerprint */
diff --git a/lib/auth_psk.c b/lib/auth_psk.c
index e611b7a150..53cd1b45b0 100644
--- a/lib/auth_psk.c
+++ b/lib/auth_psk.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2007 Free Software Foundation
+ * Copyright (C) 2005, 2007, 2008 Free Software Foundation
*
* Author: Nikos Mavrogiannopoulos
*
@@ -36,22 +36,26 @@
#include <gnutls_str.h>
#include <gnutls_datum.h>
+int _gnutls_gen_psk_server_kx (gnutls_session_t session, opaque ** data);
int _gnutls_gen_psk_client_kx (gnutls_session_t, opaque **);
int _gnutls_proc_psk_client_kx (gnutls_session_t, opaque *, size_t);
+int _gnutls_proc_psk_server_kx (gnutls_session_t session, opaque * data,
+ size_t _data_size);
+
const mod_auth_st psk_auth_struct = {
"PSK",
NULL,
NULL,
- NULL,
+ _gnutls_gen_psk_server_kx,
_gnutls_gen_psk_client_kx,
NULL,
NULL,
NULL,
NULL, /* certificate */
- NULL,
+ _gnutls_proc_psk_server_kx,
_gnutls_proc_psk_client_kx,
NULL,
NULL
@@ -164,7 +168,37 @@ _gnutls_gen_psk_client_kx (gnutls_session_t session, opaque ** data)
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
- if (cred->username.data == NULL || cred->key.data == NULL)
+ if (cred->username.data == NULL && cred->key.data == NULL &&
+ cred->get_function != NULL)
+ {
+ char *username;
+ gnutls_datum_t key;
+
+ ret = cred->get_function (session, &username, &key);
+ if (ret)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ ret = _gnutls_set_datum (&cred->username, username, strlen (username));
+ gnutls_free (username);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ _gnutls_free_datum (&key);
+ return ret;
+ }
+
+ ret = _gnutls_set_datum (&cred->key, key.data, key.size);
+ _gnutls_free_datum (&key);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+ }
+ else if (cred->username.data == NULL || cred->key.data == NULL)
{
gnutls_assert ();
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
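Review bot: The username and key obtained from `cred->get_function` are written back into `cred->username` and `cred->key`, i.e. into the credentials object rather than the session, so the callback is consulted only the first time the object is used and every later handshake that shares these credentials reuses the first result; if the callback is meant to pick an identity per session (its first argument is the session), the result should be kept in session state instead, and at minimum a comment should state that the first answer is cached for the lifetime of the credentials. The second failure path also returns `GNUTLS_E_MEMORY_ERROR` where the first returns `ret`; `return ret;` keeps the two consistent. `_gnutls_gen_psk_client_kx` starts before this hunk.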
@@ -254,4 +288,115 @@ error:
}
+/* Generates the PSK server key exchange
+ *
+ * struct {
+ * select (KeyExchangeAlgorithm) {
+ * // other cases for rsa, diffie_hellman, etc.
+ * case psk: // NEW
+ * opaque psk_identity_hint<0..2^16-1>;
+ * };
+ * } ServerKeyExchange;
+ *
+ */
+int
+_gnutls_gen_psk_server_kx (gnutls_session_t session, opaque ** data)
+{
+ gnutls_psk_server_credentials_t cred;
+ gnutls_datum_t hint;
+
+ cred = (gnutls_psk_server_credentials_t)
+ _gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL);
+
+ if (cred == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ }
+
+ /* Abort sending this message if there is no PSK identity hint. */
+ if (cred->hint == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INT_RET_0;
+ }
+
+ hint.data = cred->hint;
+ hint.size = strlen (cred->hint);
+
+ (*data) = gnutls_malloc (2 + hint.size);
+ if ((*data) == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ _gnutls_write_datum16 (*data, hint);
+
+ return hint.size + 2;
+}
+
+
+/* just read the hint from the server key exchange.
+ */
+int
+_gnutls_proc_psk_server_kx (gnutls_session_t session, opaque * data,
+ size_t _data_size)
+{
+ ssize_t data_size = _data_size;
+ int ret;
+ gnutls_datum_t hint;
+ gnutls_psk_server_credentials_t cred;
+ psk_auth_info_t info;
+
+ cred = (gnutls_psk_server_credentials_t)
+ _gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL);
+
+ if (cred == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ }
+
+ if ((ret =
+ _gnutls_auth_info_set (session, GNUTLS_CRD_PSK,
+ sizeof (psk_auth_info_st), 1)) < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ DECR_LENGTH_RET (data_size, 2, 0);
+ hint.size = _gnutls_read_uint16 (&data[0]);
+
+ DECR_LEN (data_size, hint.size);
+
+ hint.data = &data[2];
+
+ /* copy the hint to the auth info structures
+ */
+ info = _gnutls_get_auth_info (session);
+
+ if (hint.size > MAX_SRP_USERNAME)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_ILLEGAL_SRP_USERNAME;
+ }
+
+ memcpy (info->hint, hint.data, hint.size);
+ info->hint[hint.size] = 0;
+
+ ret = _gnutls_set_psk_session_key (session, NULL);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ goto error;
+ }
+
+ ret = 0;
+
+ error:
+ return ret;
+}
+
#endif /* ENABLE_SRP */
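Review bot: `_gnutls_proc_psk_server_kx` processes the server's message on the client side, yet it casts the PSK credentials to `gnutls_psk_server_credentials_t` and rejects an oversize hint with the SRP-specific `GNUTLS_E_ILLEGAL_SRP_USERNAME`; since `cred` is only tested for NULL, `gnutls_psk_client_credentials_t cred;` is the accurate type, and a PSK error code (or at least a comment explaining why the SRP limit and code are reused for the hint) would make a rejected hint easier to diagnose. In `_gnutls_gen_psk_server_kx` the length comes from `strlen (cred->hint)` with no upper bound while `_gnutls_write_datum16` can encode only 16 bits, and the receiving side caps the hint at `MAX_SRP_USERNAME`; bounding the hint to the same limit when it is set in `gnutls_psk_set_server_credentials_hint` would keep both sides consistent.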
diff --git a/lib/auth_psk.h b/lib/auth_psk.h
index 8545427def..c71ec15ff9 100644
--- a/lib/auth_psk.h
+++ b/lib/auth_psk.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2007 Free Software Foundation
+ * Copyright (C) 2005, 2007, 2008 Free Software Foundation
*
* Author: Nikos Mavrogiannopoulos
*
@@ -49,6 +49,9 @@ typedef struct gnutls_psk_server_credentials_st
* parameters.
*/
gnutls_params_function *params_func;
+
+ /* Identity hint. */
+ char *hint;
} psk_server_cred_st;
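Review bot: The new `hint` field is an owned heap string (`gnutls_psk_set_server_credentials_hint` in lib/gnutls_psk.c stores a `gnutls_strdup` copy), but the comment does not say who frees it; `gnutls_psk_free_server_credentials` is not shown in this diff, and the setter does not release a previously set value before overwriting it. Suggested comment: `/* Identity hint sent in the ServerKeyExchange; gnutls_strdup()'d by gnutls_psk_set_server_credentials_hint and owned by this structure. */`, together with a check that the free routine releases it and that the setter frees the old value first.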
/* these structures should not use allocated data */
@@ -56,6 +59,7 @@ typedef struct psk_auth_info_st
{
char username[MAX_SRP_USERNAME + 1];
dh_info_st dh;
+ char hint[MAX_SRP_USERNAME + 1];
} *psk_auth_info_t;
diff --git a/lib/ext_server_name.c b/lib/ext_server_name.c
index 72e42ffb9f..a2db94939f 100644
--- a/lib/ext_server_name.c
+++ b/lib/ext_server_name.c
@@ -74,10 +74,27 @@ _gnutls_server_name_recv_params (gnutls_session_t session,
len = _gnutls_read_uint16 (p);
p += 2;
- DECR_LENGTH_RET (data_size, len, 0);
- server_names++;
+ if (len > 0)
+ {
+ DECR_LENGTH_RET (data_size, len, 0);
+ server_names++;
+ p += len;
+ }
+ else
+ _gnutls_handshake_log
+ ("HSK[%x]: Received zero size server name (under attack?)\n",
+ session);
- p += len;
+ }
+
+ /* we cannot accept more server names.
+ */
+ if (server_names > MAX_SERVER_NAME_EXTENSIONS)
+ {
+ _gnutls_handshake_log
+ ("HSK[%x]: Too many server names received (under attack?)\n",
+ session);
+ server_names = MAX_SERVER_NAME_EXTENSIONS;
}
session->security_parameters.extensions.server_names_size =
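Review bot: A zero-length server name is now logged and skipped without incrementing `server_names`, but the second pass below (`for (i = 0; i < server_names; i++)` at the end of the next hunk) presumably re-walks the same bytes, so it must apply the same skip rule or the counts will disagree: a zero-length entry would occupy a slot and the last real name would be dropped. A short comment at the `else`, e.g. `/* not counted; the copy loop below must skip it the same way */`, would tie the two passes together. The cap that follows only trims `server_names`, so surplus entries are ignored rather than the extension being rejected; that is a defensible choice, but the comment should say so. The rest of `_gnutls_server_name_recv_params` is outside the hunk.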
@@ -85,10 +102,6 @@ _gnutls_server_name_recv_params (gnutls_session_t session,
if (server_names == 0)
return 0; /* no names found */
- /* we cannot accept more server names.
- */
- if (server_names > MAX_SERVER_NAME_EXTENSIONS)
- server_names = MAX_SERVER_NAME_EXTENSIONS;
p = data + 2;
for (i = 0; i < server_names; i++)
diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c
index 2caf266599..8d9be9cf2d 100644
--- a/lib/gnutls_buffers.c
+++ b/lib/gnutls_buffers.c
@@ -1185,7 +1185,7 @@ _gnutls_handshake_buffer_put (gnutls_session_t session, opaque * data,
session->internals.max_handshake_data_buffer_size))
{
gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
+ return GNUTLS_E_HANDSHAKE_TOO_LARGE;
}
_gnutls_buffers_log ("BUF[HSK]: Inserted %d bytes of Data\n", length);
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 18ae9a86d6..2d5ad18ae5 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -122,6 +122,7 @@ gnutls_certificate_free_cas (gnutls_certificate_credentials_t sc)
* This function will export all the CAs associated
* with the given credentials.
*
+ * Since: 2.4.0
**/
void
gnutls_certificate_get_x509_cas (gnutls_certificate_credentials_t sc,
@@ -137,9 +138,10 @@ gnutls_certificate_get_x509_cas (gnutls_certificate_credentials_t sc,
* @x509_crl_list: the exported CRL list. Should be treated as constant
* @ncrls: the number of exported CRLs
*
- * This function will export the OpenPGP keyring associated
- * with the given credentials.
+ * This function will export all the CRLs associated with the given
+ * credentials.
*
+ * Since: 2.4.0
**/
void
gnutls_certificate_get_x509_crls (gnutls_certificate_credentials_t sc,
@@ -156,9 +158,10 @@ gnutls_certificate_get_x509_crls (gnutls_certificate_credentials_t sc,
* @sc: is an #gnutls_certificate_credentials_t structure.
* @ring: the exported keyring. Should be treated as constant
*
- * This function will export all the CRLs associated
- * with the given credentials.
+ * This function will export the OpenPGP keyring associated with the
+ * given credentials.
*
+ * Since: 2.4.0
**/
void
gnutls_certificate_get_openpgp_keyring (gnutls_certificate_credentials_t sc,
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index ad192f46bd..4ee6201d99 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -459,7 +459,6 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
return GNUTLS_E_INTERNAL_ERROR;
}
-
/* actual decryption (inplace)
*/
switch (_gnutls_cipher_is_block
@@ -510,17 +509,20 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
- length = ciphertext.size - hash_size - pad;
-
- if (pad > ciphertext.size - hash_size)
+ if ((int)pad > (int)ciphertext.size - hash_size)
{
gnutls_assert ();
+ _gnutls_record_log
+ ("REC[%x]: Short record length %d > %d - %d (under attack?)\n",
+ session, pad, ciphertext.size, hash_size);
/* We do not fail here. We check below for the
* the pad_failed. If zero means success.
*/
pad_failed = GNUTLS_E_DECRYPTION_FAILED;
}
+ length = ciphertext.size - hash_size - pad;
+
/* Check the pading bytes (TLS 1.x)
*/
if (ver >= GNUTLS_TLS1 && pad_failed == 0)
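Review bot: The comment kept beside the new condition says the function deliberately does not fail on a bad pad so the MAC check below still runs, but the added `_gnutls_record_log` call executes only on that branch, so the bad-pad path now does extra formatting work and I/O; if the log is enabled in production builds that is an observable difference between the two paths, which is exactly what the "do not fail here" rule is trying to avoid. Consider emitting the message after the MAC verification together with the final failure, or keeping it debug-only. Note also that `length = ciphertext.size - hash_size - pad;` is still evaluated when the check fails, so `length` can be negative (or wrap, if unsigned) until the later `pad_failed` test short-circuits its use; a comment stating that `length` is only meaningful when `pad_failed == 0` would make that dependency explicit. `_gnutls_ciphertext2compressed` continues outside the hunk.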
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 707fc00e1b..456e31d718 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
+ * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
*
* Author: Nikos Mavrogiannopoulos
*
@@ -249,6 +249,10 @@ static const gnutls_error_entry error_algorithms[] = {
ERROR_ENTRY (N_("The specified algorithm or protocol is unknown."),
GNUTLS_E_UNKNOWN_ALGORITHM, 1),
+ ERROR_ENTRY (N_("The handshake data size is too large (DoS?), "
+ "check gnutls_handshake_set_max_packet_length()."),
+ GNUTLS_E_HANDSHAKE_TOO_LARGE, 1),
+
{NULL, NULL, 0, 0}
};
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 98aa86cb8f..d7981802a0 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -1003,6 +1003,14 @@ _gnutls_recv_handshake_header (gnutls_session_t session,
*recv_type = session->internals.handshake_header_buffer.recv_type;
+ if (*recv_type != type)
+ {
+ gnutls_assert ();
+ _gnutls_handshake_log
+ ("HSK[%x]: Handshake type mismatch (under attack?)\n", session);
+ return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
+ }
+
return session->internals.handshake_header_buffer.packet_length;
}
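Review bot: The new mismatch check returns `GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET` after the header has already been recorded in `session->internals.handshake_header_buffer`, and nothing in the hunk clears that buffer; if a caller can re-enter `_gnutls_recv_handshake_header` after this error (the optional-packet path added in gnutls_kx.c is one candidate), confirm it does not keep returning the stale header. A comment on the check, e.g. `/* header already buffered; a retry with a different type sees the same header */`, or a reset of the buffer before returning, would settle it. The function starts before this hunk.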
@@ -2955,16 +2963,19 @@ _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
}
/**
- * gnutls_handshake_set_max_packet_length - set the maximum length of a handshake message
- * @session: is a #gnutls_session_t structure.
- * @max: is the maximum number.
- *
- * This function will set the maximum size of a handshake message.
- * Handshake messages over this size are rejected. The default value
- * is 16kb which is large enough. Set this to 0 if you do not want to
- * set an upper limit.
- *
- **/
+ * gnutls_handshake_set_max_packet_length - set the maximum size of the handshake
+ * @session: is a #gnutls_session_t structure.
+ * @max: is the maximum number.
+ *
+ * This function will set the maximum size of all handshake messages.
+ * Handshakes over this size are rejected with
+ * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
+ * 48kb which is typically large enough. Set this to 0 if you do not
+ * want to set an upper limit.
+ *
+ * The reason for restricting the handshake message sizes are to
+ * limit Denial of Service attacks.
+ **/
void
gnutls_handshake_set_max_packet_length (gnutls_session_t session, size_t max)
{
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 35423e4ffe..eb392e77de 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
+ * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
*
* Author: Nikos Mavrogiannopoulos
*
@@ -47,7 +47,7 @@
/* The size of a handshake message should not
* be larger than this value.
*/
-#define MAX_HANDSHAKE_PACKET_SIZE 16*1024
+#define MAX_HANDSHAKE_PACKET_SIZE 48*1024
#define TLS_RANDOM_SIZE 32
#define TLS_MAX_SESSION_ID_SIZE 32
diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c
index efbe4ddec8..950366d52f 100644
--- a/lib/gnutls_kx.c
+++ b/lib/gnutls_kx.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2000, 2001, 2004, 2005, 2006 Free Software Foundation
+ * Copyright (C) 2000, 2001, 2004, 2005, 2006, 2008 Free Software Foundation
*
* Author: Nikos Mavrogiannopoulos
*
@@ -374,6 +374,7 @@ _gnutls_recv_server_kx_message (gnutls_session_t session)
uint8_t *data = NULL;
int datasize;
int ret = 0;
+ Optional optflag = MANDATORY_PACKET;
if (session->internals.auth_struct->gnutls_process_server_kx != NULL)
{
@@ -387,11 +388,15 @@ _gnutls_recv_server_kx_message (gnutls_session_t session)
return 0;
}
+ /* Server key exchange packet is optional for PSK. */
+ if (_gnutls_session_is_psk (session))
+ optflag = OPTIONAL_PACKET;
+
ret =
_gnutls_recv_handshake (session, &data,
&datasize,
GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE,
- MANDATORY_PACKET);
+ optflag);
if (ret < 0)
{
gnutls_assert ();
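Review bot: Marking the ServerKeyExchange optional for PSK means `_gnutls_recv_handshake` may now return with no data, and the code after the hunk (not visible here) presumably passes `data`/`datasize` on to `gnutls_process_server_kx`; with an absent packet `_gnutls_proc_psk_server_kx` would hit `DECR_LENGTH_RET (data_size, 2, 0)` and return 0 without reaching `_gnutls_set_psk_session_key`, so confirm the absent case is skipped before the process call. A comment beside `optflag = OPTIONAL_PACKET;` stating that the server sends this message only when an identity hint is configured would help readers. `_gnutls_recv_server_kx_message` continues past the hunk.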
diff --git a/lib/gnutls_openpgp.c b/lib/gnutls_openpgp.c
index 6d293b9af1..1a57dc2e67 100644
--- a/lib/gnutls_openpgp.c
+++ b/lib/gnutls_openpgp.c
@@ -353,6 +353,8 @@ static int get_keyid( gnutls_openpgp_keyid_t keyid, const char* str)
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
+ *
+ * Since: 2.4.0
**/
int
gnutls_certificate_set_openpgp_key_mem2 (gnutls_certificate_credentials_t
@@ -443,6 +445,8 @@ gnutls_certificate_set_openpgp_key_mem2 (gnutls_certificate_credentials_t
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
+ *
+ * Since: 2.4.0
**/
int
gnutls_certificate_set_openpgp_key_file2 (gnutls_certificate_credentials_t
diff --git a/lib/gnutls_psk.c b/lib/gnutls_psk.c
index abfc4e56ca..1c3209aeb9 100644
--- a/lib/gnutls_psk.c
+++ b/lib/gnutls_psk.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2007 Free Software Foundation
+ * Copyright (C) 2005, 2007, 2008 Free Software Foundation
*
* Author: Nikos Mavrogiannopoulos
*
@@ -147,12 +147,12 @@ error:
}
/**
- * gnutls_psk_free_server_credentials - Used to free an allocated gnutls_psk_server_credentials_t structure
- * @sc: is an #gnutls_psk_server_credentials_t structure.
- *
- * This structure is complex enough to manipulate directly thus this
- * helper function is provided in order to free (deallocate) it.
- **/
+ * gnutls_psk_free_server_credentials - Used to free an allocated gnutls_psk_server_credentials_t structure
+ * @sc: is an #gnutls_psk_server_credentials_t structure.
+ *
+ * This structure is complex enough to manipulate directly thus this
+ * helper function is provided in order to free (deallocate) it.
+ **/
void
gnutls_psk_free_server_credentials (gnutls_psk_server_credentials_t sc)
{
@@ -161,14 +161,14 @@ gnutls_psk_free_server_credentials (gnutls_psk_server_credentials_t sc)
}
/**
- * gnutls_psk_allocate_server_credentials - Used to allocate an gnutls_psk_server_credentials_t structure
- * @sc: is a pointer to an #gnutls_psk_server_credentials_t structure.
- *
- * This structure is complex enough to manipulate directly thus this
- * helper function is provided in order to allocate it.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
- **/
+ * gnutls_psk_allocate_server_credentials - Used to allocate an gnutls_psk_server_credentials_t structure
+ * @sc: is a pointer to an #gnutls_psk_server_credentials_t structure.
+ *
+ * This structure is complex enough to manipulate directly thus this
+ * helper function is provided in order to allocate it.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ **/
int
gnutls_psk_allocate_server_credentials (gnutls_psk_server_credentials_t * sc)
{
@@ -182,16 +182,16 @@ gnutls_psk_allocate_server_credentials (gnutls_psk_server_credentials_t * sc)
/**
- * gnutls_psk_set_server_credentials_file - Used to set the password files, in a gnutls_psk_server_credentials_t structure
- * @res: is an #gnutls_psk_server_credentials_t structure.
- * @password_file: is the PSK password file (passwd.psk)
- *
- * This function sets the password file, in a
- * %gnutls_psk_server_credentials_t structure. This password file
- * holds usernames and keys and will be used for PSK authentication.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
- **/
+ * gnutls_psk_set_server_credentials_file - Used to set the password files, in a gnutls_psk_server_credentials_t structure
+ * @res: is an #gnutls_psk_server_credentials_t structure.
+ * @password_file: is the PSK password file (passwd.psk)
+ *
+ * This function sets the password file, in a
+ * %gnutls_psk_server_credentials_t structure. This password file
+ * holds usernames and keys and will be used for PSK authentication.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ **/
int
gnutls_psk_set_server_credentials_file (gnutls_psk_server_credentials_t
res, const char *password_file)
@@ -220,27 +220,54 @@ gnutls_psk_set_server_credentials_file (gnutls_psk_server_credentials_t
return 0;
}
+/**
+ * gnutls_psk_set_server_credentials_hint - Set a identity hint, in a %gnutls_psk_server_credentials_t structure
+ * @res: is an #gnutls_psk_server_credentials_t structure.
+ * @hint: is the PSK identity hint string
+ *
+ * This function sets the identity hint, in a
+ * %gnutls_psk_server_credentials_t structure. This hint is sent to
+ * the client to help it chose a good PSK credential (i.e., username
+ * and password).
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ *
+ * Since: 2.4.0
+ **/
+int
+gnutls_psk_set_server_credentials_hint (gnutls_psk_server_credentials_t res,
+ const char *hint)
+{
+ res->hint = gnutls_strdup (hint);
+ if (res->hint == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ return 0;
+}
/**
- * gnutls_psk_set_server_credentials_function - Used to set a callback to retrieve the user's PSK credentials
- * @cred: is a #gnutls_psk_server_credentials_t structure.
- * @func: is the callback function
- *
- * This function can be used to set a callback to retrieve the user's PSK credentials.
- * The callback's function form is:
- * int (*callback)(gnutls_session_t, const char* username,
- * gnutls_datum_t* key);
- *
- * @username contains the actual username.
- * The @key must be filled in using the gnutls_malloc().
- *
- * In case the callback returned a negative number then gnutls will
- * assume that the username does not exist.
- *
- * The callback function will only be called once per handshake. The
- * callback function should return 0 on success, while -1 indicates
- * an error.
- **/
+ * gnutls_psk_set_server_credentials_function - Used to set a callback to retrieve the user's PSK credentials
+ * @cred: is a #gnutls_psk_server_credentials_t structure.
+ * @func: is the callback function
+ *
+ * This function can be used to set a callback to retrieve the user's PSK credentials.
+ * The callback's function form is:
+ * int (*callback)(gnutls_session_t, const char* username,
+ * gnutls_datum_t* key);
+ *
+ * @username contains the actual username.
+ * The @key must be filled in using the gnutls_malloc().
+ *
+ * In case the callback returned a negative number then gnutls will
+ * assume that the username does not exist.
+ *
+ * The callback function will only be called once per handshake. The
+ * callback function should return 0 on success, while -1 indicates
+ * an error.
+ **/
void
gnutls_psk_set_server_credentials_function (gnutls_psk_server_credentials_t
cred,
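Review bot: gnutls_psk_set_server_credentials_hint assigns `res->hint = gnutls_strdup (hint)` without releasing a hint that was set earlier, so calling it twice on the same credentials leaks the first string. If gnutls_psk_allocate_server_credentials zero-initializes the structure (not visible here), a `gnutls_free (res->hint);` before the strdup is enough; otherwise the field also has to be NULL-initialized at allocation time. A NULL @hint would presumably make gnutls_strdup return NULL and be reported as GNUTLS_E_MEMORY_ERROR, which misleads the caller; the docstring should state that @hint must not be NULL, or the function should reject it explicitly. Since the docstring says the hint is sent to the client, it is worth adding that it travels in the clear during the handshake and must not contain anything sensitive.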
@@ -251,25 +278,25 @@ gnutls_psk_set_server_credentials_function (gnutls_psk_server_credentials_t
}
/**
- * gnutls_psk_set_client_credentials_function - Used to set a callback to retrieve the username and key
- * @cred: is a #gnutls_psk_server_credentials_t structure.
- * @func: is the callback function
- *
- * This function can be used to set a callback to retrieve the username and
- * password for client PSK authentication.
- * The callback's function form is:
- * int (*callback)(gnutls_session_t, char** username,
- * gnutls_datum_t* key);
- *
- * The @username and @key must be allocated using gnutls_malloc().
- * @username should be ASCII strings or UTF-8 strings prepared using
- * the "SASLprep" profile of "stringprep".
- *
- * The callback function will be called once per handshake.
- *
- * The callback function should return 0 on success.
- * -1 indicates an error.
- **/
+ * gnutls_psk_set_client_credentials_function - Used to set a callback to retrieve the username and key
+ * @cred: is a #gnutls_psk_server_credentials_t structure.
+ * @func: is the callback function
+ *
+ * This function can be used to set a callback to retrieve the username and
+ * password for client PSK authentication.
+ * The callback's function form is:
+ * int (*callback)(gnutls_session_t, char** username,
+ * gnutls_datum_t* key);
+ *
+ * The @username and @key->data must be allocated using gnutls_malloc().
+ * @username should be ASCII strings or UTF-8 strings prepared using
+ * the "SASLprep" profile of "stringprep".
+ *
+ * The callback function will be called once per handshake.
+ *
+ * The callback function should return 0 on success.
+ * -1 indicates an error.
+ **/
void
gnutls_psk_set_client_credentials_function (gnutls_psk_client_credentials_t
cred,
@@ -281,14 +308,14 @@ gnutls_psk_set_client_credentials_function (gnutls_psk_client_credentials_t
/**
- * gnutls_psk_server_get_username - return the username of the peer
- * @session: is a gnutls session
- *
- * This should only be called in case of PSK authentication and in
- * case of a server.
- *
- * Returns: the username of the peer, or %NULL in case of an error.
- **/
+ * gnutls_psk_server_get_username - return the username of the peer
+ * @session: is a gnutls session
+ *
+ * This should only be called in case of PSK authentication and in
+ * case of a server.
+ *
+ * Returns: the username of the peer, or %NULL in case of an error.
+ **/
const char *
gnutls_psk_server_get_username (gnutls_session_t session)
{
@@ -307,6 +334,35 @@ gnutls_psk_server_get_username (gnutls_session_t session)
}
/**
+ * gnutls_psk_client_get_hint - return the PSK identity hint of the peer
+ * @session: is a gnutls session
+ *
+ * The PSK identity hint may give the client help in deciding which
+ * username to use. This should only be called in case of PSK
+ * authentication and in case of a client.
+ *
+ * Returns: the identity hint of the peer, or %NULL in case of an error.
+ *
+ * Since: 2.4.0
+ **/
+const char *
+gnutls_psk_client_get_hint (gnutls_session_t session)
+{
+ psk_auth_info_t info;
+
+ CHECK_AUTH (GNUTLS_CRD_PSK, NULL);
+
+ info = _gnutls_get_auth_info (session);
+ if (info == NULL)
+ return NULL;
+
+ if (info->hint[0] != 0)
+ return info->hint;
+
+ return NULL;
+}
+
+/**
* gnutls_hex_decode - decode hex encoded data
* @hex_data: contain the encoded data
* @result: the place where decoded data will be copied
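Review bot: gnutls_psk_client_get_hint hands back `info->hint` directly, so the returned pointer is owned by the session, but the docstring does not say so. Suggested addition to the Returns paragraph: `The returned string is owned by the session and must not be freed or modified; it is valid until the session is deinitialized. %NULL is also returned when the hint is empty.` Because the hint originates from the peer, the docstring could also point out that it is untrusted input and should be validated or escaped before it is logged or displayed.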
diff --git a/lib/gnutls_psk_netconf.c b/lib/gnutls_psk_netconf.c
new file mode 100644
index 0000000000..6dd0e48d5d
--- /dev/null
+++ b/lib/gnutls_psk_netconf.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2008 Free Software Foundation
+ *
+ * Author: Simon Josefsson
+ *
+ * This file is part of GNUTLS.
+ *
+ * The GNUTLS library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+ * USA
+ *
+ */
+
+/* Functions to support draft-ietf-netconf-tls-01.txt. */
+
+#include <gnutls_int.h>
+#include <gnutls_hash_int.h>
+#include <gnutls_errors.h>
+
+#ifdef ENABLE_PSK
+
+
+/**
+ * gnutls_psk_netconf_derive_key - derive PSK Netconf key from password
+ * @password: zero terminated string containing password.
+ * @psk_identity: zero terminated string with PSK identity.
+ * @psk_identity_hint: zero terminated string with PSK identity hint.
+ * @output_key: output variable, contains newly allocated *data pointer.
+ *
+ * This function will derive a PSK key from a password, for use with
+ * the Netconf protocol.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ *
+ * Since: 2.4.0
+ **/
+int
+gnutls_psk_netconf_derive_key (const char *password,
+ const char *psk_identity,
+ const char *psk_identity_hint,
+ gnutls_datum_t *output_key)
+{
+ const char netconf_key_pad[] = "Key Pad for Netconf";
+ size_t sha1len = _gnutls_hash_get_algo_len (GNUTLS_DIG_SHA1);
+ size_t hintlen = strlen (psk_identity_hint);
+ digest_hd_st dig;
+ char *inner;
+ size_t innerlen;
+ int rc;
+ /*
+ * PSK = SHA-1(SHA-1(psk_identity + "Key Pad for Netconf" + password) +
+ * psk_identity_hint)
+ *
+ */
+
+ rc = _gnutls_hash_init (&dig, GNUTLS_DIG_SHA1);
+ if (rc)
+ {
+ gnutls_assert ();
+ return rc;
+ }
+
+ rc = _gnutls_hash (&dig, psk_identity, strlen (psk_identity));
+ if (rc)
+ {
+ gnutls_assert ();
+ _gnutls_hash_deinit (&dig, NULL);
+ return rc;
+ }
+
+ rc = _gnutls_hash (&dig, netconf_key_pad, strlen (netconf_key_pad));
+ if (rc)
+ {
+ gnutls_assert ();
+ _gnutls_hash_deinit (&dig, NULL);
+ return rc;
+ }
+
+ rc = _gnutls_hash (&dig, password, strlen (password));
+ if (rc)
+ {
+ gnutls_assert ();
+ _gnutls_hash_deinit (&dig, NULL);
+ return rc;
+ }
+
+ innerlen = sha1len + hintlen;
+ inner = gnutls_malloc (innerlen);
+ _gnutls_hash_deinit (&dig, inner);
+ if (inner == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ memcpy (inner + sha1len, psk_identity_hint, hintlen);
+
+ rc = _gnutls_hash_init (&dig, GNUTLS_DIG_SHA1);
+ if (rc)
+ {
+ gnutls_assert ();
+ gnutls_free (inner);
+ return rc;
+ }
+
+ rc = _gnutls_hash (&dig, inner, innerlen);
+ gnutls_free (inner);
+ if (rc)
+ {
+ gnutls_assert ();
+ _gnutls_hash_deinit (&dig, NULL);
+ return rc;
+ }
+
+ output_key->data = gnutls_malloc (sha1len);
+ _gnutls_hash_deinit (&dig, output_key->data);
+ if (output_key->data == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+ output_key->size = sha1len;
+
+ return 0;
+}
+
+#endif /* ENABLE_PSK */
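Review bot: `strlen (psk_identity_hint)` at the top of gnutls_psk_netconf_derive_key dereferences the hint without a NULL check, yet gnutls_psk_client_get_hint in this same commit returns NULL when the hint is empty, so the obvious call pattern crashes. Treat a missing hint as empty, `size_t hintlen = psk_identity_hint ? strlen (psk_identity_hint) : 0;`, and guard the copy with `if (hintlen) memcpy (inner + sha1len, psk_identity_hint, hintlen);`, unless the draft treats an absent hint as an error, in which case return an explicit error code instead. Separately, `inner` holds the inner digest derived from the password and is released with gnutls_free without being cleared, leaving key material in freed heap memory; a memset to zero before the free would be prudent, and the same applies to the digest state if _gnutls_hash_deinit does not clear it. The docstring should also note that the derived key is only as strong as the password, since the derivation is a plain unsalted SHA-1 construction.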
diff --git a/lib/gnutls_session_pack.c b/lib/gnutls_session_pack.c
index 51fcf98a65..f3b1255f74 100644
--- a/lib/gnutls_session_pack.c
+++ b/lib/gnutls_session_pack.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2000, 2004, 2005, 2007 Free Software Foundation
+ * Copyright (C) 2000, 2004, 2005, 2007, 2008 Free Software Foundation
*
* Author: Nikos Mavrogiannopoulos
*
@@ -760,14 +760,15 @@ static int
pack_psk_auth_info (gnutls_session_t session, gnutls_datum_t * packed_session)
{
psk_auth_info_t info;
- int pack_size, username_size = 0, pos;
+ int pack_size, username_size = 0, hint_size = 0, pos;
info = _gnutls_get_auth_info (session);
if (info)
{
- username_size = strlen (info->username) + 1; /* include the terminating null */
- pack_size = username_size +
+ username_size = strlen (info->username) + 1; /* include the terminating null */
+ hint_size = strlen (info->hint) + 1; /* include the terminating null */
+ pack_size = username_size + hint_size +
2 + 4 * 3 + info->dh.prime.size + info->dh.generator.size +
info->dh.public_key.size;
}
@@ -804,6 +805,12 @@ pack_psk_auth_info (gnutls_session_t session, gnutls_datum_t * packed_session)
memcpy (&packed_session->data[pos], info->username, username_size);
pos += username_size;
+ _gnutls_write_uint32 (hint_size, &packed_session->data[pos]);
+ pos += 4;
+
+ memcpy (&packed_session->data[pos], info->hint, hint_size);
+ pos += hint_size;
+
_gnutls_write_uint16 (info->dh.secret_bits, &packed_session->data[pos]);
pos += 2;
@@ -813,7 +820,6 @@ pack_psk_auth_info (gnutls_session_t session, gnutls_datum_t * packed_session)
pos += 4 + info->dh.generator.size;
_gnutls_write_datum32 (&packed_session->data[pos], info->dh.public_key);
pos += 4 + info->dh.public_key.size;
-
}
@@ -824,7 +830,7 @@ static int
unpack_psk_auth_info (gnutls_session_t session,
const gnutls_datum_t * packed_session)
{
- size_t username_size;
+ size_t username_size, hint_size;
size_t pack_size;
int pos = 0, size, ret;
psk_auth_info_t info;
@@ -873,6 +879,12 @@ unpack_psk_auth_info (gnutls_session_t session,
memcpy (info->username, &packed_session->data[pos], username_size);
pos += username_size;
+ hint_size = _gnutls_read_uint32 (&packed_session->data[pos]);
+ pos += 4;
+
+ memcpy (info->hint, &packed_session->data[pos], hint_size);
+ pos += hint_size;
+
info->dh.secret_bits = _gnutls_read_uint16 (&packed_session->data[pos]);
pos += 2;
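Review bot: The new unpack code reads `hint_size` from the packed data and passes it straight to `memcpy (info->hint, ..., hint_size)` without checking it against the size of `info->hint` (which appears to be a fixed array, given the `info->hint[0]` test in gnutls_psk.c) or against the bytes remaining in `packed_session`. Unless a check above this hunk already covers it, a corrupted or hostile session-cache entry overflows the auth-info structure. A guard such as `if (hint_size > sizeof (info->hint) || hint_size > packed_session->size - pos) return GNUTLS_E_INVALID_REQUEST;` placed after `pos += 4;` would close this, and the username copy on the preceding line deserves the same treatment if it does not already have one. unpack_psk_auth_info starts and ends outside the hunk.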
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 2d6469d95d..ece4835652 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -1152,6 +1152,27 @@ _gnutls_session_is_export (gnutls_session_t session)
return 0;
}
+/*-
+ * _gnutls_session_is_psk - Used to check whether this session uses PSK kx
+ * @session: is a #gnutls_session_t structure.
+ *
+ * This function will return non zero if this session uses a PSK key
+ * exchange algorithm.
+ *
+ -*/
+int
+_gnutls_session_is_psk (gnutls_session_t session)
+{
+ gnutls_kx_algorithm_t kx;
+
+ kx = _gnutls_cipher_suite_get_kx_algo (&session->security_parameters.
+ current_cipher_suite);
+ if (kx == GNUTLS_KX_PSK || kx == GNUTLS_KX_DHE_PSK)
+ return 1;
+
+ return 0;
+}
+
/**
* gnutls_session_get_ptr - Get the user pointer from the session structure
* @session: is a #gnutls_session_t structure.
diff --git a/lib/gnutls_state.h b/lib/gnutls_state.h
index dbd677c95d..2e99ec0a29 100644
--- a/lib/gnutls_state.h
+++ b/lib/gnutls_state.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation
+ * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2008 Free Software Foundation
*
* Author: Nikos Mavrogiannopoulos
*
@@ -59,6 +59,8 @@ int _gnutls_rsa_export_set_pubkey (gnutls_session_t session,
int _gnutls_session_is_resumable (gnutls_session_t session);
int _gnutls_session_is_export (gnutls_session_t session);
+int _gnutls_session_is_psk (gnutls_session_t session);
+
int _gnutls_openpgp_send_fingerprint (gnutls_session_t session);
int _gnutls_PRF (gnutls_session_t session,
diff --git a/lib/gnutls_str.c b/lib/gnutls_str.c
index 7f9c25214c..1cc1916ca9 100644
--- a/lib/gnutls_str.c
+++ b/lib/gnutls_str.c
@@ -281,6 +281,8 @@ _gnutls_bin2hex (const void *_old, size_t oldlen,
* Convert a buffer with hex data to binary data.
*
* Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ *
+ * Since: 2.4.0
**/
int
gnutls_hex2bin (const char * hex_data,
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 74baede6e5..b2a834dadc 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -863,6 +863,8 @@ gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t
* for the server).
*
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ *
+ * Since: 2.4.0
**/
int
gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
@@ -1292,6 +1294,8 @@ gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t
* gnutls_certificate_send_x509_rdn_sequence().
*
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ *
+ * Since: 2.4.0
**/
int
gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res,
@@ -1599,6 +1603,8 @@ gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t
* multiple times.
*
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ *
+ * Since: 2.4.0
**/
int
gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res,
diff --git a/lib/gnutlsxx.cpp b/lib/gnutlsxx.cpp
index 815dae103c..9d38f2349e 100644
--- a/lib/gnutlsxx.cpp
+++ b/lib/gnutlsxx.cpp
@@ -1,14 +1,15 @@
#include <gnutls/gnutlsxx.h>
-using namespace gnutls;
+namespace gnutls
+{
-inline int RETWRAP_NET(int ret)
+inline static int RETWRAP_NET(int ret)
{
if (gnutls_error_is_fatal(ret)) throw(exception(ret));
else return ret;
}
-inline int RETWRAP(int ret)
+inline static int RETWRAP(int ret)
{
if (ret < 0) throw(exception(ret));
return ret;
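Review bot: `inline static int RETWRAP_NET(int ret)` reads oddly; the conventional order is `static inline int RETWRAP_NET(int ret)`, or, since the file now sits inside `namespace gnutls`, the two helpers could go in an anonymous namespace instead of being `static`. The matching `}` for the `namespace gnutls {` opened here is not visible in this diff and needs to be present at the end of the file. RETWRAP_NET returns negative codes that gnutls_error_is_fatal() does not classify as fatal instead of throwing, which differs from RETWRAP and deserves a one-line comment such as `// non-fatal codes are returned so callers can retry; fatal ones throw`.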
@@ -16,27 +17,22 @@ inline int RETWRAP(int ret)
session::session( gnutls_connection_end_t end)
{
- RETWRAP(gnutls_init( &this->s, end));
-}
-
-session::session( session& s)
-{
- this->s = s.s;
+ RETWRAP(gnutls_init( &s, end));
}
session::~session()
{
- gnutls_deinit( this->s);
+ gnutls_deinit( s);
}
int session::bye( gnutls_close_request_t how)
{
- return RETWRAP_NET( gnutls_bye( this->s, how));
+ return RETWRAP_NET( gnutls_bye( s, how));
}
int session::handshake ()
{
- return RETWRAP_NET( gnutls_handshake( this->s));
+ return RETWRAP_NET( gnutls_handshake( s));
}
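Review bot: Removing `session::session( session& s)`, which copied the raw handle and led to a double `gnutls_deinit` in the destructor, is the right call, but the compiler now generates an implicit copy constructor and copy assignment that copy `s` and recreate the same double-free. Unless gnutlsxx.h (changed in this commit but not shown here) declares them private and unimplemented, `session(const session&);` and `session& operator=(const session&);` should be added as private declarations in the class. A short comment on the destructor, `// owns s; the object is intentionally non-copyable`, would document the intent.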
@@ -44,96 +40,100 @@ server_session::server_session() : session( GNUTLS_SERVER)
{
}
+server_session::~server_session()
+{
+}
+
int server_session::rehandshake()
{
- return RETWRAP_NET( gnutls_rehandshake( this->s));
+ return RETWRAP_NET( gnutls_rehandshake( s));
}
gnutls_alert_description_t session::get_alert() const
{
- return gnutls_alert_get( this->s);
+ return gnutls_alert_get( s);
}
int session::send_alert ( gnutls_alert_level_t level,
gnutls_alert_description_t desc)
{
- return RETWRAP_NET(gnutls_alert_send( this->s, level, desc));
+ return RETWRAP_NET(gnutls_alert_send( s, level, desc));
}
int session::send_appropriate_alert (int err)
{
- return RETWRAP_NET(gnutls_alert_send_appropriate( this->s, err));
+ return RETWRAP_NET(gnutls_alert_send_appropriate( s, err));
}
gnutls_cipher_algorithm_t session::get_cipher() const
{
- return gnutls_cipher_get( this->s);
+ return gnutls_cipher_get( s);
}
gnutls_kx_algorithm_t session::get_kx () const
{
- return gnutls_kx_get( this->s);
+ return gnutls_kx_get( s);
}
gnutls_mac_algorithm_t session::get_mac () const
{
- return gnutls_mac_get( this->s);
+ return gnutls_mac_get( s);
}
gnutls_compression_method_t session::get_compression() const
{
- return gnutls_compression_get( this->s);
+ return gnutls_compression_get( s);
}
gnutls_certificate_type_t session::get_certificate_type() const
{
- return gnutls_certificate_type_get( this->s);
+ return gnutls_certificate_type_get( s);
}
void session::set_private_extensions ( bool allow)
{
- gnutls_handshake_set_private_extensions( this->s, (int)allow);
+ gnutls_handshake_set_private_extensions( s, (int)allow);
}
gnutls_handshake_description_t session::get_handshake_last_out() const
{
- return gnutls_handshake_get_last_out( this->s);
+ return gnutls_handshake_get_last_out( s);
}
gnutls_handshake_description_t session::get_handshake_last_in() const
{
- return gnutls_handshake_get_last_in( this->s);
+ return gnutls_handshake_get_last_in( s);
}
ssize_t session::send (const void *data, size_t sizeofdata)
{
- return RETWRAP_NET(gnutls_record_send( this->s, data, sizeofdata));
+ return RETWRAP_NET(gnutls_record_send( s, data, sizeofdata));
}
ssize_t session::recv (void *data, size_t sizeofdata)
{
- return RETWRAP_NET(gnutls_record_recv( this->s, data, sizeofdata));
+ return RETWRAP_NET(gnutls_record_recv( s, data, sizeofdata));
}
bool session::get_record_direction() const
{
- return gnutls_record_get_direction(this->s);
+ return gnutls_record_get_direction(s);
}
// maximum packet size
size_t session::get_max_size () const
{
- return gnutls_record_get_max_size( this->s);
+ return gnutls_record_get_max_size( s);
}
void session::set_max_size(size_t size)
{
- RETWRAP( gnutls_record_set_max_size( this->s, size));
+ RETWRAP( gnutls_record_set_max_size( s, size));
}
size_t session::check_pending () const
{
- return gnutls_record_check_pending( this->s);
+ return gnutls_record_check_pending( s);
}
@@ -142,7 +142,7 @@ void session::prf (size_t label_size, const char *label,
size_t extra_size, const char *extra,
size_t outsize, char *out)
{
- RETWRAP(gnutls_prf( this->s, label_size, label, server_random_first,
+ RETWRAP(gnutls_prf( s, label_size, label, server_random_first,
extra_size, extra, outsize, out));
}
@@ -150,38 +150,38 @@ void session::prf_raw ( size_t label_size, const char *label,
size_t seed_size, const char *seed,
size_t outsize, char *out)
{
- RETWRAP( gnutls_prf_raw( this->s, label_size, label, seed_size, seed, outsize, out));
+ RETWRAP( gnutls_prf_raw( s, label_size, label, seed_size, seed, outsize, out));
}
void session::set_cipher_priority (const int *list)
{
- RETWRAP( gnutls_cipher_set_priority( this->s, list));
+ RETWRAP( gnutls_cipher_set_priority( s, list));
}
void session::set_mac_priority (const int *list)
{
- RETWRAP( gnutls_mac_set_priority( this->s, list));
+ RETWRAP( gnutls_mac_set_priority( s, list));
}
void session::set_compression_priority (const int *list)
{
- RETWRAP( gnutls_compression_set_priority( this->s, list));
+ RETWRAP( gnutls_compression_set_priority( s, list));
}
void session::set_kx_priority (const int *list)
{
- RETWRAP( gnutls_kx_set_priority( this->s, list));
+ RETWRAP( gnutls_kx_set_priority( s, list));
}
void session::set_protocol_priority (const int *list)
{
- RETWRAP( gnutls_protocol_set_priority( this->s, list));
+ RETWRAP( gnutls_protocol_set_priority( s, list));
}
void session::set_certificate_type_priority (const int *list)
{
- RETWRAP( gnutls_certificate_type_set_priority( this->s, list));
+ RETWRAP( gnutls_certificate_type_set_priority( s, list));
}
@@ -189,50 +189,49 @@ void session::set_certificate_type_priority (const int *list)
*/
void session::set_priority(const char* prio, const char** err_pos)
{
- RETWRAP(gnutls_priority_set_direct( this->s, prio, err_pos));
+ RETWRAP(gnutls_priority_set_direct( s, prio, err_pos));
}
void session::set_priority(gnutls_priority_t p)
{
- RETWRAP(gnutls_priority_set( this->s, p));
+ RETWRAP(gnutls_priority_set( s, p));
}
gnutls_protocol_t session::get_protocol_version() const
{
- return gnutls_protocol_get_version( this->s);
+ return gnutls_protocol_get_version( s);
}
void session::set_data ( const void *session_data,
size_t session_data_size)
{
- RETWRAP(gnutls_session_set_data( this->s, session_data, session_data_size));
+ RETWRAP(gnutls_session_set_data( s, session_data, session_data_size));
}
void session::get_data (void *session_data,
size_t * session_data_size) const
{
- RETWRAP(gnutls_session_get_data( this->s, session_data, session_data_size));
+ RETWRAP(gnutls_session_get_data( s, session_data, session_data_size));
}
void session::get_data(gnutls_session_t session,
gnutls_datum_t & data) const
{
- RETWRAP(gnutls_session_get_data2( this->s, &data));
+ RETWRAP(gnutls_session_get_data2( s, &data));
}
void session::get_id ( void *session_id,
size_t * session_id_size) const
{
- RETWRAP( gnutls_session_get_id( this->s, session_id, session_id_size));
+ RETWRAP( gnutls_session_get_id( s, session_id, session_id_size));
}
bool session::is_resumed() const
{
- int ret = gnutls_session_is_resumed( this->s);
-
- if (ret != 0) return true;
- return false;
+ int ret = gnutls_session_is_resumed( s);
+
+ return (ret != 0);
}
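Review bot: `session::get_data(gnutls_session_t session, gnutls_datum_t & data)` ignores its `session` parameter and always uses the member `s`, so the signature is misleading; dropping the parameter changes the public interface, so at minimum a comment should say the parameter is unused until that is decided. As a point of style, `is_resumed` can be a single expression, `return gnutls_session_is_resumed( s) != 0;`, which removes the temporary entirely. Another hunk of this file keeps the older two-branch form in db_check_entry, so it would be good to settle on one form.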
@@ -241,7 +240,7 @@ bool session::get_peers_certificate(std::vector<gnutls_datum_t> &out_certs) cons
const gnutls_datum_t *certs;
unsigned int certs_size;
- certs = gnutls_certificate_get_peers (this->s, &certs_size);
+ certs = gnutls_certificate_get_peers (s, &certs_size);
if (certs==NULL) return false;
@@ -253,7 +252,7 @@ bool session::get_peers_certificate(std::vector<gnutls_datum_t> &out_certs) cons
bool session::get_peers_certificate(const gnutls_datum_t** certs, unsigned int *certs_size) const
{
- *certs = gnutls_certificate_get_peers (this->s, certs_size);
+ *certs = gnutls_certificate_get_peers (s, certs_size);
if (*certs==NULL) return false;
return true;
@@ -263,7 +262,7 @@ void session::get_our_certificate(gnutls_datum_t& cert) const
{
const gnutls_datum_t *d;
- d = gnutls_certificate_get_ours(this->s);
+ d = gnutls_certificate_get_ours(s);
if (d==NULL)
throw(exception( GNUTLS_E_INVALID_REQUEST));
cert = *d;
@@ -271,16 +270,16 @@ const gnutls_datum_t *d;
time_t session::get_peers_certificate_activation_time() const
{
- return gnutls_certificate_activation_time_peers( this->s);
+ return gnutls_certificate_activation_time_peers( s);
}
time_t session::get_peers_certificate_expiration_time() const
{
- return gnutls_certificate_expiration_time_peers( this->s);
+ return gnutls_certificate_expiration_time_peers( s);
}
void session::verify_peers_certificate( unsigned int& status) const
{
- RETWRAP( gnutls_certificate_verify_peers2( this->s, &status));
+ RETWRAP( gnutls_certificate_verify_peers2( s, &status));
}
@@ -288,23 +287,27 @@ client_session::client_session() : session( GNUTLS_CLIENT)
{
}
+client_session::~client_session()
+{
+}
+
// client session
void client_session::set_server_name (gnutls_server_name_type_t type,
const void *name, size_t name_length)
{
- RETWRAP( gnutls_server_name_set( this->s, type, name, name_length));
+ RETWRAP( gnutls_server_name_set( s, type, name, name_length));
}
bool client_session::get_request_status()
{
- return RETWRAP(gnutls_certificate_client_get_request_status (this->s));
+ return RETWRAP(gnutls_certificate_client_get_request_status (s));
}
// server_session
void server_session::get_server_name (void *data, size_t * data_length,
unsigned int *type, unsigned int indx) const
{
- RETWRAP( gnutls_server_name_get( this->s, data, data_length, type, indx));
+ RETWRAP( gnutls_server_name_get( s, data, data_length, type, indx));
}
// internal DB stuff
@@ -354,25 +357,25 @@ static int remove_function(void *_db, gnutls_datum_t key)
void server_session::set_db( const DB& db)
{
- gnutls_db_set_ptr( this->s, const_cast<DB*>(&db));
- gnutls_db_set_store_function( this->s, store_function);
- gnutls_db_set_retrieve_function( this->s, retrieve_function);
- gnutls_db_set_remove_function( this->s, remove_function);
+ gnutls_db_set_ptr( s, const_cast<DB*>(&db));
+ gnutls_db_set_store_function( s, store_function);
+ gnutls_db_set_retrieve_function( s, retrieve_function);
+ gnutls_db_set_remove_function( s, remove_function);
}
void server_session::set_db_cache_expiration (unsigned int seconds)
{
- gnutls_db_set_cache_expiration( this->s, seconds);
+ gnutls_db_set_cache_expiration( s, seconds);
}
void server_session::db_remove () const
{
- gnutls_db_remove_session( this->s);
+ gnutls_db_remove_session( s);
}
bool server_session::db_check_entry ( gnutls_datum_t &session_data) const
{
- int ret = gnutls_db_check_entry( this->s, session_data);
+ int ret = gnutls_db_check_entry( s, session_data);
if (ret != 0) return true;
return false;
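Review bot: `server_session::set_db` stores `const_cast<DB*>(&db)` in the session and registers callbacks that receive it, so the caller's DB object must outlive the session and is presumably modified through the non-const pointer despite the `const&` parameter; neither point is documented. A comment such as `// db must outlive this session; the registered callbacks use it through the stored pointer` on set_db would make the contract visible. `db_check_entry` still uses the two-branch `if (ret != 0) return true; return false;` that this same commit collapsed to `return (ret != 0);` in is_resumed; `return gnutls_db_check_entry( s, session_data) != 0;` would make them consistent. The hunk starts partway through the file's DB callback helpers, so those definitions were not reviewed here.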
@@ -380,126 +383,126 @@ bool server_session::db_check_entry ( gnutls_datum_t &session_data) const
void session::set_max_handshake_packet_length ( size_t max)
{
- gnutls_handshake_set_max_packet_length( this->s, max);
+ gnutls_handshake_set_max_packet_length( s, max);
}
void session::clear_credentials()
{
- gnutls_credentials_clear( this->s);
+ gnutls_credentials_clear( s);
}
void session::set_credentials( credentials &cred)
{
- RETWRAP(gnutls_credentials_set( this->s, cred.get_type(), cred.ptr()));
+ RETWRAP(gnutls_credentials_set( s, cred.get_type(), cred.ptr()));
}
const char* server_session::get_srp_username() const
{
- return gnutls_srp_server_get_username( this->s);
+ return gnutls_srp_server_get_username( s);
}
const char* server_session::get_psk_username() const
{
- return gnutls_psk_server_get_username( this->s);
+ return gnutls_psk_server_get_username( s);
}
void session::set_transport_ptr( gnutls_transport_ptr_t ptr)
{
- gnutls_transport_set_ptr( this->s, ptr);
+ gnutls_transport_set_ptr( s, ptr);
}
void session::set_transport_ptr( gnutls_transport_ptr_t recv_ptr, gnutls_transport_ptr_t send_ptr)
{
- gnutls_transport_set_ptr2( this->s, recv_ptr, send_ptr);
+ gnutls_transport_set_ptr2( s, recv_ptr, send_ptr);
}
gnutls_transport_ptr_t session::get_transport_ptr () const
{
- return gnutls_transport_get_ptr (this->s);
+ return gnutls_transport_get_ptr (s);
}
void session::get_transport_ptr( gnutls_transport_ptr_t & recv_ptr,
gnutls_transport_ptr_t & send_ptr) const
{
- gnutls_transport_get_ptr2 (this->s, &recv_ptr, &send_ptr);
+ gnutls_transport_get_ptr2 (s, &recv_ptr, &send_ptr);
}
void session::set_transport_lowat( size_t num)
{
- gnutls_transport_set_lowat (this->s, num);
+ gnutls_transport_set_lowat (s, num);
}
void session::set_transport_push_function( gnutls_push_func push_func)
{
- gnutls_transport_set_push_function ( this->s, push_func);
+ gnutls_transport_set_push_function ( s, push_func);
}
void session::set_transport_pull_function( gnutls_pull_func pull_func)
{
- gnutls_transport_set_pull_function ( this->s, pull_func);
+ gnutls_transport_set_pull_function ( s, pull_func);
}
void session::set_user_ptr( void* ptr)
{
- gnutls_session_set_ptr( this->s, ptr);
+ gnutls_session_set_ptr( s, ptr);
}
void* session::get_user_ptr( ) const
{
- return gnutls_session_get_ptr(this->s);
+ return gnutls_session_get_ptr(s);
}
void session::send_openpgp_cert( gnutls_openpgp_crt_status_t status)
{
- gnutls_openpgp_send_cert(this->s, status);
+ gnutls_openpgp_send_cert(s, status);
}
void session::set_dh_prime_bits( unsigned int bits)
{
- gnutls_dh_set_prime_bits( this->s, bits);
+ gnutls_dh_set_prime_bits( s, bits);
}
unsigned int session::get_dh_secret_bits() const
{
- return RETWRAP( gnutls_dh_get_secret_bits( this->s));
+ return RETWRAP( gnutls_dh_get_secret_bits( s));
}
unsigned int session::get_dh_peers_public_bits() const
{
- return RETWRAP(gnutls_dh_get_peers_public_bits( this->s));
+ return RETWRAP(gnutls_dh_get_peers_public_bits( s));
}
unsigned int session::get_dh_prime_bits() const
{
- return RETWRAP( gnutls_dh_get_prime_bits( this->s));
+ return RETWRAP( gnutls_dh_get_prime_bits( s));
}
void session::get_dh_group( gnutls_datum_t & gen, gnutls_datum_t & prime) const
{
- RETWRAP( gnutls_dh_get_group( this->s, &gen, &prime));
+ RETWRAP( gnutls_dh_get_group( s, &gen, &prime));
}
void session::get_dh_pubkey( gnutls_datum_t & raw_key) const
{
- RETWRAP(gnutls_dh_get_pubkey( this->s, &raw_key));
+ RETWRAP(gnutls_dh_get_pubkey( s, &raw_key));
}
void session::get_rsa_export_pubkey( gnutls_datum_t& exponent, gnutls_datum_t& modulus) const
{
- RETWRAP( gnutls_rsa_export_get_pubkey( this->s, &exponent, &modulus));
+ RETWRAP( gnutls_rsa_export_get_pubkey( s, &exponent, &modulus));
}
unsigned int session::get_rsa_export_modulus_bits() const
{
- return RETWRAP(gnutls_rsa_export_get_modulus_bits( this->s));
+ return RETWRAP(gnutls_rsa_export_get_modulus_bits( s));
}
void server_session::set_certificate_request( gnutls_certificate_request_t req)
{
- gnutls_certificate_server_set_request (this->s, req);
+ gnutls_certificate_server_set_request (s, req);
}
@@ -507,342 +510,297 @@ void server_session::set_certificate_request( gnutls_certificate_request_t req)
gnutls_credentials_type_t session::get_auth_type() const
{
- return gnutls_auth_get_type( this->s);
+ return gnutls_auth_get_type( s);
}
gnutls_credentials_type_t session::get_server_auth_type() const
{
- return gnutls_auth_server_get_type( this->s);
+ return gnutls_auth_server_get_type( s);
}
gnutls_credentials_type_t session::get_client_auth_type() const
{
- return gnutls_auth_client_get_type( this->s);
+ return gnutls_auth_client_get_type( s);
}
-void* certificate_credentials::ptr() const
-{
- return this->cred;
-}
-
-void certificate_credentials::set_ptr(void* p)
-{
- this->cred = static_cast<gnutls_certificate_credentials_t> (p);
-}
-
certificate_credentials::~certificate_credentials()
{
- gnutls_certificate_free_credentials (this->cred);
+ gnutls_certificate_free_credentials (cred);
}
certificate_credentials::certificate_credentials() : credentials(GNUTLS_CRD_CERTIFICATE)
{
- RETWRAP(gnutls_certificate_allocate_credentials ( &this->cred));
+ RETWRAP(gnutls_certificate_allocate_credentials ( &cred));
+ set_ptr(cred);
}
void certificate_server_credentials::set_params_function( gnutls_params_function* func)
{
- gnutls_certificate_set_params_function( this->cred, func);
+ gnutls_certificate_set_params_function( cred, func);
}
anon_server_credentials::anon_server_credentials() : credentials(GNUTLS_CRD_ANON)
{
- RETWRAP(gnutls_anon_allocate_server_credentials( &this->cred));
+ RETWRAP(gnutls_anon_allocate_server_credentials( &cred));
+ set_ptr(cred);
}
anon_server_credentials::~anon_server_credentials()
{
- gnutls_anon_free_server_credentials( this->cred);
+ gnutls_anon_free_server_credentials( cred);
}
void anon_server_credentials::set_dh_params( const dh_params& params)
{
- gnutls_anon_set_server_dh_params (this->cred, params.get_params_t());
+ gnutls_anon_set_server_dh_params (cred, params.get_params_t());
}
void anon_server_credentials::set_params_function ( gnutls_params_function * func)
{
- gnutls_anon_set_server_params_function ( this->cred, func);
+ gnutls_anon_set_server_params_function ( cred, func);
}
anon_client_credentials::anon_client_credentials() : credentials(GNUTLS_CRD_ANON)
{
- RETWRAP(gnutls_anon_allocate_client_credentials( &this->cred));
+ RETWRAP(gnutls_anon_allocate_client_credentials( &cred));
+ set_ptr(cred);
}
anon_client_credentials::~anon_client_credentials()
{
- gnutls_anon_free_client_credentials( this->cred);
+ gnutls_anon_free_client_credentials( cred);
}
void certificate_credentials::free_keys ()
{
- gnutls_certificate_free_keys( this->cred);
+ gnutls_certificate_free_keys( cred);
}
void certificate_credentials::free_cas ()
{
- gnutls_certificate_free_cas( this->cred);
+ gnutls_certificate_free_cas( cred);
}
void certificate_credentials::free_ca_names ()
{
- gnutls_certificate_free_ca_names( this->cred);
+ gnutls_certificate_free_ca_names( cred);
}
void certificate_credentials::free_crls ()
{
- gnutls_certificate_free_crls( this->cred);
+ gnutls_certificate_free_crls( cred);
}
void certificate_credentials::set_dh_params ( const dh_params& params)
{
- gnutls_certificate_set_dh_params( this->cred, params.get_params_t());
+ gnutls_certificate_set_dh_params( cred, params.get_params_t());
}
void certificate_credentials::set_rsa_export_params ( const rsa_params & params)
{
- gnutls_certificate_set_rsa_export_params( this->cred, params.get_params_t());
+ gnutls_certificate_set_rsa_export_params( cred, params.get_params_t());
}
void certificate_credentials::set_verify_flags ( unsigned int flags)
{
- gnutls_certificate_set_verify_flags( this->cred, flags);
+ gnutls_certificate_set_verify_flags( cred, flags);
}
void certificate_credentials::set_verify_limits ( unsigned int max_bits, unsigned int max_depth)
{
- gnutls_certificate_set_verify_limits( this->cred, max_bits, max_depth);
+ gnutls_certificate_set_verify_limits( cred, max_bits, max_depth);
}
void certificate_credentials::set_x509_trust_file(const char *cafile, gnutls_x509_crt_fmt_t type)
{
- RETWRAP( gnutls_certificate_set_x509_trust_file( this->cred, cafile, type));
+ RETWRAP( gnutls_certificate_set_x509_trust_file( cred, cafile, type));
}
void certificate_credentials::set_x509_trust(const gnutls_datum_t & CA, gnutls_x509_crt_fmt_t type)
{
- RETWRAP( gnutls_certificate_set_x509_trust_mem( this->cred, &CA, type));
+ RETWRAP( gnutls_certificate_set_x509_trust_mem( cred, &CA, type));
}
void certificate_credentials::set_x509_crl_file( const char *crlfile, gnutls_x509_crt_fmt_t type)
{
- RETWRAP( gnutls_certificate_set_x509_crl_file( this->cred, crlfile, type));
+ RETWRAP( gnutls_certificate_set_x509_crl_file( cred, crlfile, type));
}
void certificate_credentials::set_x509_crl(const gnutls_datum_t & CRL, gnutls_x509_crt_fmt_t type)
{
- RETWRAP( gnutls_certificate_set_x509_crl_mem( this->cred, &CRL, type));
+ RETWRAP( gnutls_certificate_set_x509_crl_mem( cred, &CRL, type));
}
void certificate_credentials::set_x509_key_file(const char *certfile, const char *keyfile, gnutls_x509_crt_fmt_t type)
{
- RETWRAP( gnutls_certificate_set_x509_key_file( this->cred, certfile, keyfile, type));
+ RETWRAP( gnutls_certificate_set_x509_key_file( cred, certfile, keyfile, type));
}
void certificate_credentials::set_x509_key(const gnutls_datum_t & CERT, const gnutls_datum_t & KEY, gnutls_x509_crt_fmt_t type)
{
- RETWRAP( gnutls_certificate_set_x509_key_mem( this->cred, &CERT, &KEY, type));
+ RETWRAP( gnutls_certificate_set_x509_key_mem( cred, &CERT, &KEY, type));
}
void certificate_credentials::set_simple_pkcs12_file( const char *pkcs12file,
gnutls_x509_crt_fmt_t type, const char *password)
{
- RETWRAP( gnutls_certificate_set_x509_simple_pkcs12_file( this->cred, pkcs12file, type, password));
+ RETWRAP( gnutls_certificate_set_x509_simple_pkcs12_file( cred, pkcs12file, type, password));
}
void certificate_credentials::set_x509_key ( gnutls_x509_crt_t * cert_list, int cert_list_size,
gnutls_x509_privkey_t key)
{
- RETWRAP( gnutls_certificate_set_x509_key( this->cred, cert_list, cert_list_size, key));
+ RETWRAP( gnutls_certificate_set_x509_key( cred, cert_list, cert_list_size, key));
}
void certificate_credentials::set_x509_trust ( gnutls_x509_crt_t * ca_list, int ca_list_size)
{
- RETWRAP( gnutls_certificate_set_x509_trust( this->cred, ca_list, ca_list_size));
+ RETWRAP( gnutls_certificate_set_x509_trust( cred, ca_list, ca_list_size));
}
void certificate_credentials::set_x509_crl ( gnutls_x509_crl_t * crl_list, int crl_list_size)
{
- RETWRAP( gnutls_certificate_set_x509_crl( this->cred, crl_list, crl_list_size));
+ RETWRAP( gnutls_certificate_set_x509_crl( cred, crl_list, crl_list_size));
}
void certificate_server_credentials::set_retrieve_function( gnutls_certificate_server_retrieve_function* func)
{
- gnutls_certificate_server_set_retrieve_function( this->cred, func);
+ gnutls_certificate_server_set_retrieve_function( cred, func);
}
void certificate_client_credentials::set_retrieve_function( gnutls_certificate_client_retrieve_function* func)
{
- gnutls_certificate_client_set_retrieve_function( this->cred, func);
+ gnutls_certificate_client_set_retrieve_function( cred, func);
}
// SRP
srp_server_credentials::srp_server_credentials() : credentials(GNUTLS_CRD_SRP)
{
- RETWRAP(gnutls_srp_allocate_server_credentials( &this->cred));
+ RETWRAP(gnutls_srp_allocate_server_credentials( &cred));
+ set_ptr(cred);
}
srp_server_credentials::~srp_server_credentials()
{
- gnutls_srp_free_server_credentials( this->cred);
-}
-
-void* srp_server_credentials::ptr() const
-{
- return this->cred;
-}
-
-void srp_server_credentials::set_ptr(void* p)
-{
- this->cred = static_cast<gnutls_srp_server_credentials_t> (p);
+ gnutls_srp_free_server_credentials( cred);
}
srp_client_credentials::srp_client_credentials() : credentials(GNUTLS_CRD_SRP)
{
- RETWRAP(gnutls_srp_allocate_client_credentials( &this->cred));
+ RETWRAP(gnutls_srp_allocate_client_credentials( &cred));
+ set_ptr(cred);
}
srp_client_credentials::~srp_client_credentials()
{
- gnutls_srp_free_client_credentials( this->cred);
-}
-
-void* srp_client_credentials::ptr() const
-{
- return this->cred;
-}
-
-void srp_client_credentials::set_ptr(void* p)
-{
- this->cred = static_cast<gnutls_srp_client_credentials_t> (p);
+ gnutls_srp_free_client_credentials( cred);
}
void srp_client_credentials::set_credentials( const char* username, const char* password)
{
- RETWRAP(gnutls_srp_set_client_credentials (this->cred, username, password));
+ RETWRAP(gnutls_srp_set_client_credentials (cred, username, password));
}
void srp_server_credentials::set_credentials_file (
const char *password_file, const char *password_conf_file)
{
- RETWRAP( gnutls_srp_set_server_credentials_file( this->cred, password_file, password_conf_file));
+ RETWRAP( gnutls_srp_set_server_credentials_file( cred, password_file, password_conf_file));
}
void srp_server_credentials::set_credentials_function(gnutls_srp_server_credentials_function * func)
{
- gnutls_srp_set_server_credentials_function( this->cred, func);
+ gnutls_srp_set_server_credentials_function( cred, func);
}
void srp_client_credentials::set_credentials_function(gnutls_srp_client_credentials_function * func)
{
- gnutls_srp_set_client_credentials_function( this->cred, func);
+ gnutls_srp_set_client_credentials_function( cred, func);
}
// PSK
psk_server_credentials::psk_server_credentials() : credentials(GNUTLS_CRD_PSK)
{
- RETWRAP(gnutls_psk_allocate_server_credentials( &this->cred));
+ RETWRAP(gnutls_psk_allocate_server_credentials( &cred));
+ set_ptr(cred);
}
psk_server_credentials::~psk_server_credentials()
{
- gnutls_psk_free_server_credentials( this->cred);
-}
-
-void* psk_server_credentials::ptr() const
-{
- return this->cred;
-}
-
-void psk_server_credentials::set_ptr(void* p)
-{
- this->cred = static_cast<gnutls_psk_server_credentials_t> (p);
+ gnutls_psk_free_server_credentials( cred);
}
void psk_server_credentials::set_credentials_file(const char* password_file)
{
- RETWRAP(gnutls_psk_set_server_credentials_file( this->cred, password_file));
+ RETWRAP(gnutls_psk_set_server_credentials_file( cred, password_file));
}
void psk_server_credentials::set_credentials_function(gnutls_psk_server_credentials_function * func)
{
- gnutls_psk_set_server_credentials_function( this->cred, func);
+ gnutls_psk_set_server_credentials_function( cred, func);
}
void psk_server_credentials::set_dh_params( const dh_params &params)
{
- gnutls_psk_set_server_dh_params( this->cred, params.get_params_t());
+ gnutls_psk_set_server_dh_params( cred, params.get_params_t());
}
void psk_server_credentials::set_params_function(gnutls_params_function * func)
{
- gnutls_psk_set_server_params_function (this->cred, func);
+ gnutls_psk_set_server_params_function (cred, func);
}
psk_client_credentials::psk_client_credentials() : credentials(GNUTLS_CRD_PSK)
{
- RETWRAP(gnutls_psk_allocate_client_credentials( &this->cred));
+ RETWRAP(gnutls_psk_allocate_client_credentials( &cred));
+ set_ptr(cred);
}
psk_client_credentials::~psk_client_credentials()
{
- gnutls_psk_free_client_credentials( this->cred);
-}
-
-void* psk_client_credentials::ptr() const
-{
- return this->cred;
-}
-
-void psk_client_credentials::set_ptr(void* p)
-{
- this->cred = static_cast<gnutls_psk_client_credentials_t> (p);
+ gnutls_psk_free_client_credentials( cred);
}
void psk_client_credentials::set_credentials(const char* username,
const gnutls_datum_t& key, gnutls_psk_key_flags flags)
{
- RETWRAP(gnutls_psk_set_client_credentials( this->cred, username, &key, flags));
+ RETWRAP(gnutls_psk_set_client_credentials( cred, username, &key, flags));
}
void psk_client_credentials::set_credentials_function(gnutls_psk_client_credentials_function * func)
{
- gnutls_psk_set_client_credentials_function( this->cred, func);
+ gnutls_psk_set_client_credentials_function( cred, func);
}
-credentials::credentials(gnutls_credentials_type_t t) : type(t)
+credentials::credentials(gnutls_credentials_type_t t) : type(t), cred(NULL)
{
}
-#if !(defined(__APPLE__) || defined(__MACOS__))
-/* FIXME: This #if is due to a compile bug in Mac OS X. Give it some
- time and then remove this cruft. See also
- includes/gnutls/gnutlsxx.h. */
-credentials::credentials( credentials& c)
-{
- this->type = c.type;
- this->set_ptr( c.ptr());
-}
-#endif
-
gnutls_credentials_type_t credentials::get_type() const
{
return type;
}
-
+
+void* credentials::ptr() const
+{
+ return cred;
+}
+
+
+void credentials::set_ptr(void* ptr)
+{
+ cred = ptr;
+}
-
exception::exception( int x)
{
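Review bot: `credentials` now keeps its own `void* cred` (initialised to NULL in the rewritten constructor) while every derived class in this hunk still reads and frees a typed member also called `cred`, so the same identifier denotes two different members and `credentials::ptr()` returns the base copy, which is correct only because each constructor ends with `set_ptr(cred)`. Renaming the base member, for instance `void* cred_ptr`, would make the shadowing visible and stop a forgotten `set_ptr` from silently yielding a null handle. With the copying constructor removed, the implicitly generated copy constructor and copy assignment copy the raw handle, and the destructors in this hunk free it, so copying any of these objects would end in a double free unless the header (includes/gnutls/gnutlsxx.h, not in this hunk) declares those two operations private. The class definitions themselves are outside this hunk.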
@@ -985,3 +943,5 @@ void rsa_params::export_raw( gnutls_datum_t & m, gnutls_datum_t & e,
{
RETWRAP( gnutls_rsa_params_export_raw ( params, &m, &e, &d, &p, &q, &u, NULL));
}
+
+} // namespace gnutls
diff --git a/lib/libgnutls.vers b/lib/libgnutls.vers
index f793617ba6..7a8b14820a 100644
--- a/lib/libgnutls.vers
+++ b/lib/libgnutls.vers
@@ -1,5 +1,5 @@
-# libgnutls.vers -- Versioning script to control what symbols to export.
-# Copyright (C) 2005, 2006, 2007 Free Software Foundation
+# libgnutls.vers -- linker script for libgnutls. -*- ld-script -*-
+# Copyright (C) 2005, 2006, 2007, 2008 Free Software Foundation
#
# Author: Simon Josefsson
#
diff --git a/lib/opencdk/keydb.c b/lib/opencdk/keydb.c
index 1ca8a6a871..0580c58ebb 100644
--- a/lib/opencdk/keydb.c
+++ b/lib/opencdk/keydb.c
@@ -1569,7 +1569,7 @@ keydb_parse_allsigs (cdk_kbnode_t knode, cdk_keydb_hd_t hd, int check)
{
kb->pkt->pkt.public_key->is_revoked = 1;
if (check)
- _cdk_pk_check_sig (hd, kb, node, NULL);
+ _cdk_pk_check_sig (hd, kb, node, NULL, NULL);
}
else
return CDK_Error_No_Key;
@@ -1582,7 +1582,7 @@ keydb_parse_allsigs (cdk_kbnode_t knode, cdk_keydb_hd_t hd, int check)
{
kb->pkt->pkt.public_key->is_revoked = 1;
if (check)
- _cdk_pk_check_sig (hd, kb, node, NULL);
+ _cdk_pk_check_sig (hd, kb, node, NULL, NULL);
}
else
return CDK_Error_No_Key;
@@ -1597,7 +1597,7 @@ keydb_parse_allsigs (cdk_kbnode_t knode, cdk_keydb_hd_t hd, int check)
{
kb->pkt->pkt.user_id->is_revoked = 1;
if (check)
- _cdk_pk_check_sig (hd, kb, node, NULL);
+ _cdk_pk_check_sig (hd, kb, node, NULL, NULL);
}
else
return CDK_Error_No_Key;
@@ -1619,7 +1619,7 @@ keydb_parse_allsigs (cdk_kbnode_t knode, cdk_keydb_hd_t hd, int check)
pk->has_expired = pk->expiredate > curtime? 0 : 1;
}
if (check)
- _cdk_pk_check_sig (hd, kb, node, NULL);
+ _cdk_pk_check_sig (hd, kb, node, NULL, NULL);
}
else
return CDK_Error_No_Key;
@@ -1641,7 +1641,7 @@ keydb_parse_allsigs (cdk_kbnode_t knode, cdk_keydb_hd_t hd, int check)
pk->has_expired = pk->expiredate > curtime? 0 : 1;
}
if (check)
- _cdk_pk_check_sig (hd, kb, node, NULL);
+ _cdk_pk_check_sig (hd, kb, node, NULL, NULL);
}
else
return CDK_Error_No_Key;
diff --git a/lib/opencdk/main.h b/lib/opencdk/main.h
index f7271b9851..01d02e5ae0 100644
--- a/lib/opencdk/main.h
+++ b/lib/opencdk/main.h
@@ -134,7 +134,7 @@ cdk_error_t _cdk_hash_pubkey (cdk_pkt_pubkey_t pk, digest_hd_st *md,
int use_fpr);
cdk_error_t _cdk_pk_check_sig (cdk_keydb_hd_t hd,
cdk_kbnode_t knode,
- cdk_kbnode_t snode, int *is_selfsig);
+ cdk_kbnode_t snode, int *is_selfsig, char** ret_uid);
/*-- kbnode.c --*/
void _cdk_kbnode_add (cdk_kbnode_t root, cdk_kbnode_t node);
diff --git a/lib/opencdk/sig-check.c b/lib/opencdk/sig-check.c
index e5ac5af164..62ecd5f195 100644
--- a/lib/opencdk/sig-check.c
+++ b/lib/opencdk/sig-check.c
@@ -263,7 +263,7 @@ _cdk_sig_check (cdk_pubkey_t pk, cdk_pkt_signature_t sig,
@knode is the key node and @snode the signature node. */
cdk_error_t
_cdk_pk_check_sig (cdk_keydb_hd_t keydb,
- cdk_kbnode_t knode, cdk_kbnode_t snode, int *is_selfsig)
+ cdk_kbnode_t knode, cdk_kbnode_t snode, int *is_selfsig, char** ret_uid)
{
digest_hd_st md;
int err;
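Review bot: The new `ret_uid` output is written only on the user-ID path of the next hunk, so a caller that passes a pointer sees it untouched when the signature is of another class or when the `goto fail` for a missing user ID is taken; `cdk_pk_check_sigs` then compares an uninitialised `char* uid_name` (declared without an initialiser in a later hunk of this file) against NULL before using it as a list key. Initialise the output at entry, next to the declarations here: `if (ret_uid) *ret_uid = NULL;`, so that NULL reliably means "no user ID found". The body of `_cdk_pk_check_sig` continues outside this hunk.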
@@ -325,14 +325,21 @@ _cdk_pk_check_sig (cdk_keydb_hd_t keydb,
}
else
{ /* all other classes */
+ cdk_pkt_userid_t uid;
node = cdk_kbnode_find_prev (knode, snode, CDK_PKT_USER_ID);
if (!node)
{ /* no user ID for key signature packet */
rc = CDK_Error_No_Key;
goto fail;
}
+
+ uid = node->pkt->pkt.user_id;
+ if (ret_uid) {
+ *ret_uid = uid->name;
+ }
cdk_kbnode_hash (knode, &md, 0, 0, 0);
cdk_kbnode_hash (node, &md, sig->version==4, 0, 0);
+
if (pk->keyid[0] == sig->keyid[0] && pk->keyid[1] == sig->keyid[1])
{
rc = _cdk_sig_check (pk, sig, &md, &is_expired);
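Review bot: `*ret_uid = uid->name;` hands back a pointer into the user-ID packet of `knode` rather than a copy, and the function comment (the `@knode ... @snode` line above the signature in the previous hunk) does not say so; a caller keeping the string past the key block's lifetime would read freed memory. Extend that comment with something like `@ret_uid, if non-NULL, receives the signed user ID's name; the pointer is owned by @knode and valid only while the key block is.` The remainder of `_cdk_pk_check_sig` lies outside this hunk.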
@@ -353,6 +360,85 @@ _cdk_pk_check_sig (cdk_keydb_hd_t keydb,
return rc;
}
+struct verify_uid {
+ const char* name;
+ int nsigs;
+ struct verify_uid* next;
+};
+
+static int uid_list_add_sig( struct verify_uid **list, const char* uid, unsigned int flag)
+{
+ if (*list == NULL) {
+ *list = cdk_calloc( 1, sizeof(struct verify_uid));
+ if (*list == NULL)
+ return CDK_Out_Of_Core;
+ (*list)->name = uid;
+
+ if (flag != 0)
+ (*list)->nsigs++;
+ } else {
+ struct verify_uid* p, *prev_p = NULL;
+ int found = 0;
+
+ p = *list;
+
+ while(p != NULL) {
+ if (strcmp( uid, p->name) == 0) {
+ found = 1;
+ break;
+ }
+ prev_p = p;
+ p = p->next;
+ }
+
+ if (found == 0) { /* not found add to the last */
+ prev_p->next = cdk_calloc( 1, sizeof(struct verify_uid));
+ if (prev_p->next==NULL)
+ return CDK_Out_Of_Core;
+ prev_p->next->name = uid;
+ if (flag != 0)
+ prev_p->next->nsigs++;
+ } else { /* found... increase sigs */
+ if (flag != 0)
+ p->nsigs++;
+ }
+ }
+
+ return CDK_Success;
+}
+
+static void uid_list_free( struct verify_uid * list)
+{
+struct verify_uid* p, *p1;
+
+ p = list;
+ while(p != NULL) {
+ p1 = p->next;
+ cdk_free (p);
+ p = p1;
+ }
+}
+
+/* returns non zero if all UIDs in the list have at least one
+ * signature. If the list is empty or no signatures are present
+ * a zero value is returned.
+ */
+static int uid_list_all_signed( struct verify_uid * list)
+{
+struct verify_uid* p;
+
+ if (list == NULL)
+ return 0;
+
+ p = list;
+ while(p != NULL) {
+ if (p->nsigs == 0) {
+ return 0;
+ }
+ p = p->next;
+ }
+ return 1; /* all signed */
+}
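Review bot: `struct verify_uid` stores `name` as a borrowed pointer (the caller passes the `uid_name` it got from `_cdk_pk_check_sig`, which points into the key block) and `uid_list_free` correctly does not free it, but nothing tells the reader that; add `const char* name; /* borrowed from the key's user-ID packet, not owned */` to the struct. In `uid_list_add_sig` the `flag` parameter is really a boolean "count this signature", and the two branches duplicate the allocate-node / set-name / bump-`nsigs` sequence; a name such as `counted` and a single shared node-allocation step would shorten the function. The local declarations in `uid_list_free` and `uid_list_all_signed` sit at column 0, unlike the declarations in the other functions of this file.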
/**
* cdk_pk_check_sigs:
@@ -372,7 +458,8 @@ cdk_pk_check_sigs (cdk_kbnode_t key, cdk_keydb_hd_t keydb, int *r_status)
cdk_error_t rc;
u32 keyid;
int key_status, is_selfsig = 0;
- int no_signer, n_sigs = 0;
+ struct verify_uid* uid_list = NULL;
+ char* uid_name;
if (!key || !r_status)
return CDK_Inv_Value;
@@ -381,7 +468,7 @@ cdk_pk_check_sigs (cdk_kbnode_t key, cdk_keydb_hd_t keydb, int *r_status)
node = cdk_kbnode_find (key, CDK_PKT_PUBLIC_KEY);
if (!node)
return CDK_Error_No_Key;
-
+
key_status = 0;
/* Continue with the signature check but adjust the
key status flags accordingly. */
@@ -389,30 +476,17 @@ cdk_pk_check_sigs (cdk_kbnode_t key, cdk_keydb_hd_t keydb, int *r_status)
key_status |= CDK_KEY_REVOKED;
if (node->pkt->pkt.public_key->has_expired)
key_status |= CDK_KEY_EXPIRED;
-
rc = 0;
- no_signer = 0;
+
keyid = cdk_pk_get_keyid (node->pkt->pkt.public_key, NULL);
for (node = key; node; node = node->next)
{
if (node->pkt->pkttype != CDK_PKT_SIGNATURE)
continue;
sig = node->pkt->pkt.signature;
- rc = _cdk_pk_check_sig (keydb, key, node, &is_selfsig);
- if (IS_UID_SIG (sig))
- {
- if (is_selfsig == 0)
- n_sigs++;
- }
- if (rc && IS_UID_SIG (sig) && rc == CDK_Error_No_Key)
- {
- /* We do not consider it a problem when the signing key
- is not avaiable. We just mark the signature accordingly
- and contine.*/
- sig->flags.missing_key = 1;
- no_signer++;
- }
- else if (rc && rc != CDK_Error_No_Key)
+ rc = _cdk_pk_check_sig (keydb, key, node, &is_selfsig, &uid_name);
+
+ if (rc && rc != CDK_Error_No_Key)
{
/* It might be possible that a single signature has been
corrupted, thus we do not consider it a problem when
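Review bot: The removed branch set `sig->flags.missing_key = 1` when the signer's key was unavailable, and the rewritten loop records that nowhere, so a `CDK_Error_No_Key` result from `_cdk_pk_check_sig` is now folded silently into the "not counted" case of the UID list; anything that still reads `flags.missing_key` (not visible in this diff) would never see it set. If the flag is still meaningful, keep it with one line before the error test: `if (rc == CDK_Error_No_Key && IS_UID_SIG (sig)) sig->flags.missing_key = 1;`. `cdk_pk_check_sigs` starts and ends outside this hunk.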
@@ -424,16 +498,32 @@ cdk_pk_check_sigs (cdk_kbnode_t key, cdk_keydb_hd_t keydb, int *r_status)
break;
}
}
+
_cdk_log_debug ("signature %s: signer %08lX keyid %08lX\n",
rc == CDK_Bad_Sig? "BAD" : "good", sig->keyid[1],
keyid);
+
+ if (IS_UID_SIG (sig) && uid_name != NULL)
+ {
+ /* add every uid in the uid list. Only consider valid:
+ * - verification was ok
+ * - not a selfsig
+ */
+ rc = uid_list_add_sig( &uid_list, uid_name, (rc == CDK_Success && is_selfsig==0)?1:0);
+ if (rc != CDK_Success)
+ goto exit;
+ }
+
}
- if (n_sigs == no_signer)
+ if (uid_list_all_signed(uid_list) == 0)
key_status |= CDK_KEY_NOSIGNER;
*r_status = key_status;
if (rc == CDK_Error_No_Key)
rc = 0;
+
+exit:
+ uid_list_free(uid_list);
return rc;
}
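Review bot: Reusing `rc` for the result of `uid_list_add_sig` means that after the loop `rc` holds either the last signature-check status or CDK_Success depending on whether the last signature happened to be a UID signature, so the `if (rc == CDK_Error_No_Key) rc = 0;` below only sometimes sees the value it was written for, and the debug line above prints a status that a later statement overwrites. Keep the two apart: `int err = uid_list_add_sig (&uid_list, uid_name, ...); if (err != CDK_Success) { rc = err; goto exit; }` with `err` declared alongside `rc`. On the `goto exit` path `*r_status` is never assigned, which is fine only if every caller checks the return value before reading it. The function starts outside this hunk.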
@@ -476,7 +566,7 @@ cdk_pk_check_self_sig (cdk_kbnode_t key, int *r_status)
if (sigid[0] != keyid[0] || sigid[1] != keyid[1])
continue;
/* FIXME: Now we check all self signatures. */
- rc = _cdk_pk_check_sig (NULL, key, node, &is_selfsig);
+ rc = _cdk_pk_check_sig (NULL, key, node, &is_selfsig, NULL);
if (rc)
{
*r_status = CDK_KEY_INVALID;
diff --git a/lib/openpgp/extras.c b/lib/openpgp/extras.c
index ea61a58eb7..322d6fab52 100644
--- a/lib/openpgp/extras.c
+++ b/lib/openpgp/extras.c
@@ -37,13 +37,12 @@
*/
/**
- * gnutls_openpgp_keyring_init - This function initializes a gnutls_openpgp_keyring_t structure
+ * gnutls_openpgp_keyring_init - initializes a #gnutls_openpgp_keyring_t structure
* @keyring: The structure to be initialized
*
- * This function will initialize an keyring structure.
- *
- * Returns 0 on success.
+ * This function will initialize an keyring structure.
*
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int
gnutls_openpgp_keyring_init (gnutls_openpgp_keyring_t * keyring)
@@ -57,11 +56,10 @@ gnutls_openpgp_keyring_init (gnutls_openpgp_keyring_t * keyring)
/**
- * gnutls_openpgp_keyring_deinit - This function deinitializes memory used by a gnutls_openpgp_keyring_t structure
+ * gnutls_openpgp_keyring_deinit - deinitializes memory used by a #gnutls_openpgp_keyring_t structure
* @keyring: The structure to be initialized
*
- * This function will deinitialize a keyring structure.
- *
+ * This function will deinitialize a keyring structure.
**/
void
gnutls_openpgp_keyring_deinit (gnutls_openpgp_keyring_t keyring)
@@ -86,8 +84,8 @@ gnutls_openpgp_keyring_deinit (gnutls_openpgp_keyring_t keyring)
*
* Check if a given key ID exists in the keyring.
*
- * Returns 0 on success (if keyid exists) and a negative error code
- * on failure.
+ * Returns: %GNUTLS_E_SUCCESS on success (if keyid exists) and a
+ * negative error code on failure.
**/
int
gnutls_openpgp_keyring_check_id (gnutls_openpgp_keyring_t ring,
@@ -116,12 +114,11 @@ gnutls_openpgp_keyring_check_id (gnutls_openpgp_keyring_t ring,
* @data: The RAW or BASE64 encoded keyring.
* @format: One of #gnutls_openpgp_keyring_fmt elements.
*
- * This function will convert the given RAW or Base64 encoded keyring to the
- * native #gnutls_openpgp_keyring_t format. The output will be stored in
- * 'keyring'.
- *
- * Returns 0 on success.
+ * This function will convert the given RAW or Base64 encoded keyring
+ * to the native #gnutls_openpgp_keyring_t format. The output will be
+ * stored in 'keyring'.
*
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int
gnutls_openpgp_keyring_import (gnutls_openpgp_keyring_t keyring,
@@ -209,15 +206,14 @@ error:
cdk_kbnode_find_packet (node, CDK_PKT_PUBLIC_KEY)!=NULL
/**
- * gnutls_openpgp_keyring_get_crt_count - This function returns the number of certificates
- * @ring: is an OpenPGP key ring
- *
- * This function will return the number of OpenPGP certificates present in the given
- * keyring.
- *
- * Returns then number of subkeys or a negative value on error.
- *
- **/
+ * gnutls_openpgp_keyring_get_crt_count - return the number of certificates
+ * @ring: is an OpenPGP key ring
+ *
+ * This function will return the number of OpenPGP certificates
+ * present in the given keyring.
+ *
+ * Returns: the number of subkeys, or a negative value on error.
+ **/
int
gnutls_openpgp_keyring_get_crt_count (gnutls_openpgp_keyring_t ring)
{
@@ -256,18 +252,18 @@ gnutls_openpgp_keyring_get_crt_count (gnutls_openpgp_keyring_t ring)
}
/**
- * gnutls_openpgp_keyring_get_crt - This function will export an openpgp certificate from a keyring
- * @key: Holds the key.
- * @idx: the index of the certificate to export
- * @crt: An uninitialized &gnutls_openpgp_crt_t structure
- *
- * This function will extract an OpenPGP certificate from the given keyring.
- * If the index given is out of range GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
- * returned. The returned structure needs to be deinited.
- *
- * Returns 0 on success.
- *
- **/
+ * gnutls_openpgp_keyring_get_crt - export an openpgp certificate from a keyring
+ * @key: Holds the key.
+ * @idx: the index of the certificate to export
+ * @crt: An uninitialized &gnutls_openpgp_crt_t structure
+ *
+ * This function will extract an OpenPGP certificate from the given
+ * keyring. If the index given is out of range
+ * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. The
+ * returned structure needs to be deinited.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ **/
int
gnutls_openpgp_keyring_get_crt (gnutls_openpgp_keyring_t ring,
unsigned int idx,
diff --git a/lib/openpgp/openpgp_int.h b/lib/openpgp/openpgp_int.h
index e4b3f7a9df..cb95b8da2d 100644
--- a/lib/openpgp/openpgp_int.h
+++ b/lib/openpgp/openpgp_int.h
@@ -10,9 +10,9 @@
#include <opencdk.h>
#include <gnutls/openpgp.h>
-#define KEYID_IMPORT(dst, src) \
+#define KEYID_IMPORT(dst, src) { \
dst[0] = _gnutls_read_uint32( src); \
- dst[1] = _gnutls_read_uint32( src+4)
+ dst[1] = _gnutls_read_uint32( src+4); }
/* Internal context to store the OpenPGP key. */
typedef struct gnutls_openpgp_crt_int
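Review bot: Wrapping `KEYID_IMPORT` in bare braces makes `if (x) KEYID_IMPORT (a, b); else ...` a syntax error, because the `;` after the closing brace terminates the `if` statement before the `else`. The conventional form is `#define KEYID_IMPORT(dst, src) do { dst[0] = _gnutls_read_uint32( src); dst[1] = _gnutls_read_uint32( src+4); } while (0)`, which behaves as a single statement at every use site.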
diff --git a/lib/openpgp/output.c b/lib/openpgp/output.c
index 636f86c6f7..e05c3ff94d 100644
--- a/lib/openpgp/output.c
+++ b/lib/openpgp/output.c
@@ -162,9 +162,9 @@ print_key_revoked (gnutls_string * str, gnutls_openpgp_crt_t cert, int idx)
err = gnutls_openpgp_crt_get_subkey_revoked_status( cert, idx);
if (err != 0)
- addf (str, "\tRevoked: True\n");
+ addf (str, _("\tRevoked: True\n"));
else
- addf (str, "\tRevoked: False\n");
+ addf (str, _("\tRevoked: False\n"));
}
static void
@@ -201,12 +201,19 @@ print_key_times(gnutls_string * str, gnutls_openpgp_crt_t cert, int idx)
size_t max = sizeof (s);
struct tm t;
- if (gmtime_r (&tim, &t) == NULL)
- addf (str, "error: gmtime_r (%d)\n", t);
- else if (strftime (s, max, "%a %b %e %H:%M:%S UTC %Y", &t) == 0)
- addf (str, "error: strftime (%d)\n", t);
+ if (tim == 0)
+ {
+ addf (str, _("\t\tExpiration: Never\n"), s);
+ }
else
- addf (str, _("\t\tExpiration: %s\n"), s);
+ {
+ if (gmtime_r (&tim, &t) == NULL)
+ addf (str, "error: gmtime_r (%d)\n", t);
+ else if (strftime (s, max, "%a %b %e %H:%M:%S UTC %Y", &t) == 0)
+ addf (str, "error: strftime (%d)\n", t);
+ else
+ addf (str, _("\t\tExpiration: %s\n"), s);
+ }
}
}
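Review bot: `addf (str, _("\t\tExpiration: Never\n"), s);` passes `s` although the format has no conversion, and the two error lines below it pass `t`, a `struct tm`, for `%d`; passing a struct through a variadic `%d` is undefined behaviour and prints garbage on most ABIs. Drop the stray `s` and print the timestamp instead, e.g. `addf (str, "error: gmtime_r (%ld)\n", (long) tim);` and likewise for the strftime line. `print_key_times` starts and ends outside this hunk.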
@@ -227,7 +234,7 @@ print_key_info(gnutls_string * str, gnutls_openpgp_crt_t cert, int idx)
{
const char *name = gnutls_pk_algorithm_get_name (err);
if (name == NULL)
- name = "Unknown";
+ name = _("unknown");
addf (str, _("\tPublic Key Algorithm: %s\n"), name);
switch (err)
@@ -325,15 +332,17 @@ size_t dn_size;
dn_size = sizeof(dn);
err = gnutls_openpgp_crt_get_name (cert, i++, dn, &dn_size);
- if (err < 0 && err != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE && err != GNUTLS_E_OPENPGP_UID_REVOKED) {
- addf (str, "error: get_name: %s %d\n", gnutls_strerror (err), err);
- break;
- }
+ if (err < 0 && err != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE &&
+ err != GNUTLS_E_OPENPGP_UID_REVOKED)
+ {
+ addf (str, "error: get_name: %s %d\n", gnutls_strerror (err), err);
+ break;
+ }
if (err >= 0)
addf (str, _("\tName[%d]: %s\n"), i-1, dn);
else if (err == GNUTLS_E_OPENPGP_UID_REVOKED) {
- addf (str, _("\tRevoked Name[%d]: %s\n"), i-1, dn);
+ addf (str, _("\tRevoked Name[%d]: %s\n"), i-1, dn);
}
} while( err >= 0);
@@ -346,10 +355,10 @@ size_t dn_size;
subkeys = gnutls_openpgp_crt_get_subkey_count( cert);
if (subkeys < 0)
return;
-
+
for (i=0;i<subkeys;i++) {
addf( str, _("\n\tSubkey[%d]:\n"), i);
-
+
print_key_revoked( str, cert, i);
print_key_id( str, cert, i);
print_key_times( str, cert, i);
@@ -365,14 +374,14 @@ size_t dn_size;
* @format: Indicate the format to use
* @out: Newly allocated datum with zero terminated string.
*
- * This function will pretty print an OpenPGP certificate, suitable for
- * display to a human.
+ * This function will pretty print an OpenPGP certificate, suitable
+ * for display to a human.
*
* The format should be zero for future compatibility.
*
* The output @out needs to be deallocate using gnutls_free().
*
- * Returns 0 on success.
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int
gnutls_openpgp_crt_print (gnutls_openpgp_crt_t cert,
diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c
index de77e28a39..1419cf0d26 100644
--- a/lib/openpgp/pgp.c
+++ b/lib/openpgp/pgp.c
@@ -34,13 +34,12 @@
#include <gnutls_num.h>
/**
- * gnutls_openpgp_crt_init - This function initializes a gnutls_openpgp_crt_t structure
+ * gnutls_openpgp_crt_init - initialize a #gnutls_openpgp_crt_t structure
* @key: The structure to be initialized
*
- * This function will initialize an OpenPGP key structure.
- *
- * Returns 0 on success.
+ * This function will initialize an OpenPGP key structure.
*
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int
gnutls_openpgp_crt_init (gnutls_openpgp_crt_t * key)
@@ -53,10 +52,10 @@ gnutls_openpgp_crt_init (gnutls_openpgp_crt_t * key)
}
/**
- * gnutls_openpgp_crt_deinit - This function deinitializes memory used by a gnutls_openpgp_crt_t structure
+ * gnutls_openpgp_crt_deinit - deinitialize memory used by a #gnutls_openpgp_crt_t structure
* @key: The structure to be initialized
*
- * This function will deinitialize a key structure.
+ * This function will deinitialize a key structure.
**/
void
gnutls_openpgp_crt_deinit (gnutls_openpgp_crt_t key)
@@ -69,21 +68,22 @@ gnutls_openpgp_crt_deinit (gnutls_openpgp_crt_t key)
cdk_kbnode_release (key->knode);
key->knode = NULL;
}
-
+
gnutls_free (key);
}
/**
- * gnutls_openpgp_crt_import - This function will import a RAW or BASE64 encoded key
- * @key: The structure to store the parsed key.
- * @data: The RAW or BASE64 encoded key.
- * @format: One of gnutls_openpgp_crt_fmt_t elements.
- *
- * This function will convert the given RAW or Base64 encoded key
- * to the native gnutls_openpgp_crt_t format. The output will be stored in 'key'.
- *
- * Returns 0 on success.
- **/
+ * gnutls_openpgp_crt_import - import a RAW or BASE64 encoded key
+ * @key: The structure to store the parsed key.
+ * @data: The RAW or BASE64 encoded key.
+ * @format: One of gnutls_openpgp_crt_fmt_t elements.
+ *
+ * This function will convert the given RAW or Base64 encoded key to
+ * the native #gnutls_openpgp_crt_t format. The output will be stored
+ * in 'key'.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ **/
int
gnutls_openpgp_crt_import (gnutls_openpgp_crt_t key,
const gnutls_datum_t * data,
@@ -109,7 +109,7 @@ gnutls_openpgp_crt_import (gnutls_openpgp_crt_t key,
rc = _gnutls_map_cdk_rc (rc);
gnutls_assert ();
return rc;
- }
+ }
if (cdk_armor_filter_use (inp))
rc = cdk_stream_set_armor_flag (inp, 0);
if (!rc)
@@ -140,8 +140,10 @@ gnutls_openpgp_crt_import (gnutls_openpgp_crt_t key,
/* internal version of export
*/
int _gnutls_openpgp_export (cdk_kbnode_t node,
- gnutls_openpgp_crt_fmt_t format,
- void *output_data, size_t * output_data_size, int private)
+ gnutls_openpgp_crt_fmt_t format,
+ void *output_data,
+ size_t * output_data_size,
+ int private)
{
size_t input_data_size = *output_data_size;
size_t calc_size;
@@ -154,10 +156,10 @@ int _gnutls_openpgp_export (cdk_kbnode_t node,
gnutls_assert ();
return rc;
}
-
+
/* If the caller uses output_data == NULL then return what he expects.
*/
- if (!output_data)
+ if (!output_data)
{
gnutls_assert();
return GNUTLS_E_SHORT_MEMORY_BUFFER;
@@ -167,7 +169,7 @@ int _gnutls_openpgp_export (cdk_kbnode_t node,
{
unsigned char *in = gnutls_calloc (1, *output_data_size);
memcpy (in, output_data, *output_data_size);
-
+
/* Calculate the size of the encoded data and check if the provided
buffer is large enough. */
rc = cdk_armor_encode_buffer (in, *output_data_size,
@@ -179,7 +181,7 @@ int _gnutls_openpgp_export (cdk_kbnode_t node,
gnutls_assert ();
return GNUTLS_E_SHORT_MEMORY_BUFFER;
}
-
+
rc = cdk_armor_encode_buffer (in, *output_data_size,
output_data, input_data_size, &calc_size,
private?CDK_ARMOR_SECKEY:CDK_ARMOR_PUBKEY);
@@ -192,28 +194,28 @@ int _gnutls_openpgp_export (cdk_kbnode_t node,
}
/**
- * gnutls_openpgp_crt_export - This function will export a RAW or BASE64 encoded key
- * @key: Holds the key.
- * @format: One of gnutls_openpgp_crt_fmt_t elements.
- * @output_data: will contain the key base64 encoded or raw
- * @output_data_size: holds the size of output_data (and will be replaced by the actual size of parameters)
- *
- * This function will convert the given key to RAW or Base64 format.
- * If the buffer provided is not long enough to hold the output, then
- * GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
- *
- * Returns 0 on success.
- *
- **/
+ * gnutls_openpgp_crt_export - export a RAW or BASE64 encoded key
+ * @key: Holds the key.
+ * @format: One of gnutls_openpgp_crt_fmt_t elements.
+ * @output_data: will contain the key base64 encoded or raw
+ * @output_data_size: holds the size of output_data (and will
+ * be replaced by the actual size of parameters)
+ *
+ * This function will convert the given key to RAW or Base64 format.
+ * If the buffer provided is not long enough to hold the output, then
+ * %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ **/
int
gnutls_openpgp_crt_export (gnutls_openpgp_crt_t key,
gnutls_openpgp_crt_fmt_t format,
void *output_data, size_t * output_data_size)
{
- return _gnutls_openpgp_export( key->knode, format, output_data, output_data_size, 0);
+ return _gnutls_openpgp_export( key->knode, format, output_data,
+ output_data_size, 0);
}
-
/**
* gnutls_openpgp_crt_get_fingerprint - Gets the fingerprint
* @key: the raw data that contains the OpenPGP public key.
@@ -223,7 +225,7 @@ gnutls_openpgp_crt_export (gnutls_openpgp_crt_t key,
* Get key fingerprint. Depending on the algorithm, the fingerprint
* can be 16 or 20 bytes.
*
- * Returns: the fingerprint of the OpenPGP key.
+ * Returns: On success, 0 is returned. Otherwise, an error code.
**/
int
gnutls_openpgp_crt_get_fingerprint (gnutls_openpgp_crt_t key,
@@ -246,7 +248,7 @@ gnutls_openpgp_crt_get_fingerprint (gnutls_openpgp_crt_t key,
pk = pkt->pkt.public_key;
*fprlen = 20;
-
+
/* FIXME: Check if the draft allows old PGP keys. */
if (is_RSA (pk->pubkey_algo) && pk->version < 4)
*fprlen = 16;
@@ -267,7 +269,7 @@ _gnutls_openpgp_count_key_names (gnutls_openpgp_crt_t key)
gnutls_assert ();
return 0;
}
-
+
ctx = NULL;
nuids = 0;
while ((p = cdk_kbnode_walk (key->knode, &ctx, 0)))
@@ -291,9 +293,9 @@ _gnutls_openpgp_count_key_names (gnutls_openpgp_crt_t key)
*
* Extracts the userID from the parsed OpenPGP key.
*
- * Returns 0 on success, and GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
- * if the index of the ID does not exist.
- *
+ * Returns: %GNUTLS_E_SUCCESS on success, and if the index of the ID
+ * does not exist %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, or an
+ * error code.
**/
int
gnutls_openpgp_crt_get_name (gnutls_openpgp_crt_t key,
@@ -313,24 +315,23 @@ gnutls_openpgp_crt_get_name (gnutls_openpgp_crt_t key,
if (idx < 0 || idx >= _gnutls_openpgp_count_key_names (key))
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- if (!idx)
- pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_USER_ID);
- else
+ pos = 0;
+ while ((p = cdk_kbnode_walk (key->knode, &ctx, 0)))
{
- pos = 0;
- while ((p = cdk_kbnode_walk (key->knode, &ctx, 0)))
- {
- pkt = cdk_kbnode_get_packet (p);
- if (pkt->pkttype == CDK_PKT_USER_ID && ++pos == idx)
- break;
- }
+ pkt = cdk_kbnode_get_packet (p);
+ if (pkt->pkttype == CDK_PKT_USER_ID)
+ {
+ if (pos == idx)
+ break;
+ pos++;
+ }
}
if (!pkt)
{
gnutls_assert ();
return GNUTLS_E_INTERNAL_ERROR;
- }
+ }
uid = pkt->pkt.user_id;
if (uid->len >= *sizeof_buf)
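Review bot: The `if (!pkt)` guard after the new walk loop does not catch the case where the walk is exhausted before the idx-th user ID is reached: `pkt` then still holds the last packet visited rather than NULL, and `pkt->pkt.user_id` is read from a packet of another type. The bound check against _gnutls_openpgp_count_key_names at the top should make that unreachable as long as both functions count the same packet type, but the guard as written does not enforce it; testing the walk cursor instead, `if (!p || pkt->pkttype != CDK_PKT_USER_ID)`, fails closed with GNUTLS_E_INTERNAL_ERROR. Whether `ctx` is reset to NULL before the loop is not visible, since gnutls_openpgp_crt_get_name starts before the hunk.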
@@ -351,21 +352,20 @@ gnutls_openpgp_crt_get_name (gnutls_openpgp_crt_t key,
}
/**
- * gnutls_openpgp_crt_get_pk_algorithm - This function returns the key's PublicKey algorithm
- * @key: is an OpenPGP key
- * @bits: if bits is non null it will hold the size of the parameters' in bits
- *
- * This function will return the public key algorithm of an OpenPGP
- * certificate.
- *
- * If bits is non null, it should have enough size to hold the parameters
- * size in bits. For RSA the bits returned is the modulus.
- * For DSA the bits returned are of the public exponent.
- *
- * Returns a member of the GNUTLS_PKAlgorithm enumeration on success,
- * or a negative value on error.
- *
- **/
+ * gnutls_openpgp_crt_get_pk_algorithm - return the key's PublicKey algorithm
+ * @key: is an OpenPGP key
+ * @bits: if bits is non null it will hold the size of the parameters' in bits
+ *
+ * This function will return the public key algorithm of an OpenPGP
+ * certificate.
+ *
+ * If bits is non null, it should have enough size to hold the parameters
+ * size in bits. For RSA the bits returned is the modulus.
+ * For DSA the bits returned are of the public exponent.
+ *
+ * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
+ * success, or a negative value on error.
+ **/
gnutls_pk_algorithm_t
gnutls_openpgp_crt_get_pk_algorithm (gnutls_openpgp_crt_t key,
unsigned int *bits)
@@ -377,7 +377,7 @@ gnutls_openpgp_crt_get_pk_algorithm (gnutls_openpgp_crt_t key,
{
gnutls_assert();
return GNUTLS_PK_UNKNOWN;
- }
+ }
algo = 0;
pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_PUBLIC_KEY);
@@ -387,7 +387,7 @@ gnutls_openpgp_crt_get_pk_algorithm (gnutls_openpgp_crt_t key,
*bits = cdk_pk_get_nbits (pkt->pkt.public_key);
algo = _gnutls_openpgp_get_algo(pkt->pkt.public_key->pubkey_algo);
}
-
+
return algo;
}
@@ -397,6 +397,8 @@ gnutls_openpgp_crt_get_pk_algorithm (gnutls_openpgp_crt_t key,
* @key: the structure that contains the OpenPGP public key.
*
* Extract the version of the OpenPGP key.
+ *
+ * Returns: the version number is returned, or a negative value on errors.
**/
int
gnutls_openpgp_crt_get_version (gnutls_openpgp_crt_t key)
@@ -479,6 +481,8 @@ gnutls_openpgp_crt_get_expiration_time (gnutls_openpgp_crt_t key)
* Get key id string.
*
* Returns: the 64-bit keyID of the OpenPGP key.
+ *
+ * Since: 2.4.0
**/
int
gnutls_openpgp_crt_get_key_id (gnutls_openpgp_crt_t key,
@@ -512,6 +516,8 @@ gnutls_openpgp_crt_get_key_id (gnutls_openpgp_crt_t key,
*
* Returns: true (1) if the key has been revoked, or false (0) if it
* has not.
+ *
+ * Since: 2.4.0
**/
int
gnutls_openpgp_crt_get_revoked_status (gnutls_openpgp_crt_t key)
@@ -533,17 +539,16 @@ gnutls_openpgp_crt_get_revoked_status (gnutls_openpgp_crt_t key)
}
/**
- * gnutls_openpgp_crt_check_hostname - This function compares the given hostname with the hostname in the key
- * @key: should contain an gnutls_openpgp_crt_t structure
- * @hostname: A null terminated string that contains a DNS name
- *
- * This function will check if the given key's owner matches
- * the given hostname. This is a basic implementation of the matching
- * described in RFC2818 (HTTPS), which takes into account wildcards.
- *
- * Returns non zero on success, and zero on failure.
- *
- **/
+ * gnutls_openpgp_crt_check_hostname - compare hostname with the key's hostname
+ * @key: should contain an #gnutls_openpgp_crt_t structure
+ * @hostname: A null terminated string that contains a DNS name
+ *
+ * This function will check if the given key's owner matches the
+ * given hostname. This is a basic implementation of the matching
+ * described in RFC2818 (HTTPS), which takes into account wildcards.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ **/
int
gnutls_openpgp_crt_check_hostname (gnutls_openpgp_crt_t key,
const char *hostname)
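Review bot: The new `Returns:` line for gnutls_openpgp_crt_check_hostname documents %GNUTLS_E_SUCCESS on success, but the text it replaces said the function returns non-zero on a match and zero on failure, and since GNUTLS_E_SUCCESS is 0 the two cannot both be right. The body is outside the hunk, so I cannot confirm which convention it follows; if it still returns 1/0 as the old text described, a caller written against the new doc (`if (ret == 0)` meaning "matched") would accept a hostname mismatch, which is the kind of silent verification bypass that is hard to spot afterwards. Suggest restoring the old wording, `Returns: non-zero on a hostname match, zero otherwise.`, unless the return convention was actually changed in this commit.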
@@ -595,10 +600,9 @@ unsigned int usage = 0;
*
* This function will return certificate's key usage, by checking the
* key algorithm. The key usage value will ORed values of the:
- * GNUTLS_KEY_DIGITAL_SIGNATURE, GNUTLS_KEY_KEY_ENCIPHERMENT.
- *
- * A negative value may be returned in case of parsing error.
+ * %GNUTLS_KEY_DIGITAL_SIGNATURE, %GNUTLS_KEY_KEY_ENCIPHERMENT.
*
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
*/
int
gnutls_openpgp_crt_get_key_usage (gnutls_openpgp_crt_t key,
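Review bot: The `Returns:` line now says %GNUTLS_E_SUCCESS or an error code, while the description two lines above still says the function "will return certificate's key usage", and the parallel doc for gnutls_openpgp_crt_get_subkey_usage later in this file keeps `Returns: key usage value` together with "A negative value may be returned in case of parsing error". The parameter list and body are outside the hunk, so I cannot tell which is accurate; if the usage is delivered through an out-parameter, the description should say so (`The key usage is stored in the out-parameter; the return value only reports success or an error.`) and the subkey variant's doc aligned with it, otherwise the old Returns text should be kept.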
@@ -622,15 +626,16 @@ gnutls_openpgp_crt_get_key_usage (gnutls_openpgp_crt_t key,
}
/**
- * gnutls_openpgp_crt_get_subkey_count - This function returns the number of subkeys
- * @key: is an OpenPGP key
- *
- * This function will return the number of subkeys present in the given
- * OpenPGP certificate.
- *
- * Returns then number of subkeys or a negative value on error.
- *
- **/
+ * gnutls_openpgp_crt_get_subkey_count - return the number of subkeys
+ * @key: is an OpenPGP key
+ *
+ * This function will return the number of subkeys present in the
+ * given OpenPGP certificate.
+ *
+ * Returns: the number of subkeys, or a negative value on error.
+ *
+ * Since: 2.4.0
+ **/
int
gnutls_openpgp_crt_get_subkey_count (gnutls_openpgp_crt_t key)
{
@@ -643,7 +648,7 @@ gnutls_openpgp_crt_get_subkey_count (gnutls_openpgp_crt_t key)
gnutls_assert ();
return 0;
}
-
+
ctx = NULL;
subkeys = 0;
while ((p = cdk_kbnode_walk (key->knode, &ctx, 0)))
@@ -766,6 +771,8 @@ int _gnutls_openpgp_find_subkey_idx( cdk_kbnode_t knode, uint32_t keyid[2],
*
* Returns: true (1) if the key has been revoked, or false (0) if it
* has not.
+ *
+ * Since: 2.4.0
**/
int
gnutls_openpgp_crt_get_subkey_revoked_status (gnutls_openpgp_crt_t key,
@@ -788,22 +795,23 @@ gnutls_openpgp_crt_get_subkey_revoked_status (gnutls_openpgp_crt_t key,
}
/**
- * gnutls_openpgp_crt_get_subkey_pk_algorithm - This function returns the subkey's PublicKey algorithm
- * @key: is an OpenPGP key
- * @idx: is the subkey index
- * @bits: if bits is non null it will hold the size of the parameters' in bits
- *
- * This function will return the public key algorithm of a subkey of an OpenPGP
- * certificate.
- *
- * If bits is non null, it should have enough size to hold the parameters
- * size in bits. For RSA the bits returned is the modulus.
- * For DSA the bits returned are of the public exponent.
- *
- * Returns a member of the gnutls_pk_algorithm_t enumeration on success,
- * or a negative value on error.
- *
- **/
+ * gnutls_openpgp_crt_get_subkey_pk_algorithm - return the subkey's PublicKey algorithm
+ * @key: is an OpenPGP key
+ * @idx: is the subkey index
+ * @bits: if bits is non null it will hold the size of the parameters' in bits
+ *
+ * This function will return the public key algorithm of a subkey of an OpenPGP
+ * certificate.
+ *
+ * If bits is non null, it should have enough size to hold the
+ * parameters size in bits. For RSA the bits returned is the modulus.
+ * For DSA the bits returned are of the public exponent.
+ *
+ * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
+ * success, or a negative value on error.
+ *
+ * Since: 2.4.0
+ **/
gnutls_pk_algorithm_t
gnutls_openpgp_crt_get_subkey_pk_algorithm (gnutls_openpgp_crt_t key,
unsigned int idx, unsigned int *bits)
@@ -816,7 +824,7 @@ gnutls_openpgp_crt_get_subkey_pk_algorithm (gnutls_openpgp_crt_t key,
gnutls_assert();
return GNUTLS_PK_UNKNOWN;
}
-
+
pkt = _get_public_subkey( key, idx);
algo = 0;
@@ -826,7 +834,7 @@ gnutls_openpgp_crt_get_subkey_pk_algorithm (gnutls_openpgp_crt_t key,
*bits = cdk_pk_get_nbits (pkt->pkt.public_key);
algo = _gnutls_openpgp_get_algo(pkt->pkt.public_key->pubkey_algo);
}
-
+
return algo;
}
@@ -838,6 +846,8 @@ gnutls_openpgp_crt_get_subkey_pk_algorithm (gnutls_openpgp_crt_t key,
* Get subkey creation time.
*
* Returns: the timestamp when the OpenPGP sub-key was created.
+ *
+ * Since: 2.4.0
**/
time_t
gnutls_openpgp_crt_get_subkey_creation_time (gnutls_openpgp_crt_t key,
@@ -868,6 +878,8 @@ gnutls_openpgp_crt_get_subkey_creation_time (gnutls_openpgp_crt_t key,
* doesn't expire at all.
*
* Returns: the time when the OpenPGP key expires.
+ *
+ * Since: 2.4.0
**/
time_t
gnutls_openpgp_crt_get_subkey_expiration_time (gnutls_openpgp_crt_t key,
@@ -924,6 +936,51 @@ gnutls_openpgp_crt_get_subkey_id (gnutls_openpgp_crt_t key,
}
/**
+ * gnutls_openpgp_crt_get_subkey_fingerprint - Gets the fingerprint of a subkey
+ * @key: the raw data that contains the OpenPGP public key.
+ * @idx: the subkey index
+ * @fpr: the buffer to save the fingerprint, must hold at least 20 bytes.
+ * @fprlen: the integer to save the length of the fingerprint.
+ *
+ * Get key fingerprint of a subkey. Depending on the algorithm, the
+ * fingerprint can be 16 or 20 bytes.
+ *
+ * Returns: On success, 0 is returned. Otherwise, an error code.
+ *
+ * Since: 2.4.0
+ **/
+int
+gnutls_openpgp_crt_get_subkey_fingerprint (gnutls_openpgp_crt_t key,
+ unsigned int idx,
+ void *fpr, size_t * fprlen)
+{
+ cdk_packet_t pkt;
+ cdk_pkt_pubkey_t pk = NULL;
+
+ if (!fpr || !fprlen)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ *fprlen = 0;
+
+ pkt = _get_public_subkey( key, idx);
+ if (!pkt)
+ return GNUTLS_E_OPENPGP_GETKEY_FAILED;
+
+ pk = pkt->pkt.public_key;
+ *fprlen = 20;
+
+ /* FIXME: Check if the draft allows old PGP keys. */
+ if (is_RSA (pk->pubkey_algo) && pk->version < 4)
+ *fprlen = 16;
+ cdk_pk_get_fingerprint (pk, fpr);
+
+ return 0;
+}
+
+/**
* gnutls_openpgp_crt_get_subkey_idx - Returns the subkey's index
* @key: the structure that contains the OpenPGP public key.
* @keyid: the keyid.
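Review bot: gnutls_openpgp_crt_get_subkey_fingerprint validates `fpr` and `fprlen` but not `key`, which is passed straight to _get_public_subkey; the other accessors in this file appear to reject a NULL key with gnutls_assert()/GNUTLS_E_INVALID_REQUEST before touching it, so `if (!key || !fpr || !fprlen)` would keep the new function consistent. The same applies to gnutls_openpgp_privkey_get_subkey_fingerprint in lib/openpgp/privkey.c further down, which additionally dereferences `pkt->pkt.secret_key->pk` without checking the intermediate pointer. Both docs describe @key as "the raw data that contains the OpenPGP public/secret key", copied from the whole-key fingerprint doc; it is the parsed key structure, and the @fpr note "must hold at least 20 bytes" is the only protection the caller gets since cdk_pk_get_fingerprint receives no buffer size. The FIXME about pre-v4 RSA keys is carried over in the public version but dropped from the private one; the two 16-byte branches should either both carry it or both drop it.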
@@ -931,6 +988,8 @@ gnutls_openpgp_crt_get_subkey_id (gnutls_openpgp_crt_t key,
* Get subkey's index.
*
* Returns: the index of the subkey or a negative error value.
+ *
+ * Since: 2.4.0
**/
int
gnutls_openpgp_crt_get_subkey_idx (gnutls_openpgp_crt_t key,
@@ -969,6 +1028,8 @@ gnutls_openpgp_crt_get_subkey_idx (gnutls_openpgp_crt_t key,
* A negative value may be returned in case of parsing error.
*
* Returns: key usage value.
+ *
+ * Since: 2.4.0
*/
int
gnutls_openpgp_crt_get_subkey_usage (gnutls_openpgp_crt_t key,
@@ -1290,17 +1351,19 @@ cleanup:
/**
- * gnutls_openpgp_crt_get_pk_rsa_raw - This function will export the RSA public key
- * @crt: Holds the certificate
- * @m: will hold the modulus
- * @e: will hold the public exponent
- *
- * This function will export the RSA public key's parameters found in
- * the given structure. The new parameters will be allocated using
- * gnutls_malloc() and will be stored in the appropriate datum.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
- **/
+ * gnutls_openpgp_crt_get_pk_rsa_raw - export the RSA public key
+ * @crt: Holds the certificate
+ * @m: will hold the modulus
+ * @e: will hold the public exponent
+ *
+ * This function will export the RSA public key's parameters found in
+ * the given structure. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ *
+ * Since: 2.4.0
+ **/
int
gnutls_openpgp_crt_get_pk_rsa_raw (gnutls_openpgp_crt_t crt,
gnutls_datum_t * m, gnutls_datum_t * e)
@@ -1319,19 +1382,21 @@ int ret;
}
/**
- * gnutls_openpgp_crt_get_pk_dsa_raw - This function will export the DSA public key
- * @crt: Holds the certificate
- * @p: will hold the p
- * @q: will hold the q
- * @g: will hold the g
- * @y: will hold the y
- *
- * This function will export the DSA public key's parameters found in
- * the given certificate. The new parameters will be allocated using
- * gnutls_malloc() and will be stored in the appropriate datum.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
- **/
+ * gnutls_openpgp_crt_get_pk_dsa_raw - export the DSA public key
+ * @crt: Holds the certificate
+ * @p: will hold the p
+ * @q: will hold the q
+ * @g: will hold the g
+ * @y: will hold the y
+ *
+ * This function will export the DSA public key's parameters found in
+ * the given certificate. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ *
+ * Since: 2.4.0
+ **/
int
gnutls_openpgp_crt_get_pk_dsa_raw (gnutls_openpgp_crt_t crt,
gnutls_datum_t * p, gnutls_datum_t * q,
@@ -1346,23 +1411,25 @@ int ret;
gnutls_assert ();
return ret;
}
-
+
return _get_pk_dsa_raw( crt, keyid, p, q, g, y);
}
/**
- * gnutls_openpgp_crt_get_subkey_pk_rsa_raw - This function will export the RSA public key
- * @crt: Holds the certificate
- * @idx: Is the subkey index
- * @m: will hold the modulus
- * @e: will hold the public exponent
- *
- * This function will export the RSA public key's parameters found in
- * the given structure. The new parameters will be allocated using
- * gnutls_malloc() and will be stored in the appropriate datum.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
- **/
+ * gnutls_openpgp_crt_get_subkey_pk_rsa_raw - export the RSA public key
+ * @crt: Holds the certificate
+ * @idx: Is the subkey index
+ * @m: will hold the modulus
+ * @e: will hold the public exponent
+ *
+ * This function will export the RSA public key's parameters found in
+ * the given structure. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ *
+ * Since: 2.4.0
+ **/
int
gnutls_openpgp_crt_get_subkey_pk_rsa_raw (gnutls_openpgp_crt_t crt, unsigned int idx,
gnutls_datum_t * m, gnutls_datum_t * e)
@@ -1376,40 +1443,45 @@ int ret;
gnutls_assert ();
return ret;
}
-
+
return _get_pk_rsa_raw( crt, keyid, m, e);
}
/**
- * gnutls_openpgp_crt_get_subkey_pk_dsa_raw - This function will export the DSA public key
- * @crt: Holds the certificate
- * @idx: Is the subkey index
- * @p: will hold the p
- * @q: will hold the q
- * @g: will hold the g
- * @y: will hold the y
- *
- * This function will export the DSA public key's parameters found in
- * the given certificate. The new parameters will be allocated using
- * gnutls_malloc() and will be stored in the appropriate datum.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
- **/
+ * gnutls_openpgp_crt_get_subkey_pk_dsa_raw - export the DSA public key
+ * @crt: Holds the certificate
+ * @idx: Is the subkey index
+ * @p: will hold the p
+ * @q: will hold the q
+ * @g: will hold the g
+ * @y: will hold the y
+ *
+ * This function will export the DSA public key's parameters found in
+ * the given certificate. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ *
+ * Since: 2.4.0
+ **/
int
-gnutls_openpgp_crt_get_subkey_pk_dsa_raw (gnutls_openpgp_crt_t crt, unsigned int idx,
- gnutls_datum_t * p, gnutls_datum_t * q,
- gnutls_datum_t * g, gnutls_datum_t * y)
+gnutls_openpgp_crt_get_subkey_pk_dsa_raw (gnutls_openpgp_crt_t crt,
+ unsigned int idx,
+ gnutls_datum_t * p,
+ gnutls_datum_t * q,
+ gnutls_datum_t * g,
+ gnutls_datum_t * y)
{
-gnutls_openpgp_keyid_t keyid;
-int ret;
+ gnutls_openpgp_keyid_t keyid;
+ int ret;
- ret = gnutls_openpgp_crt_get_subkey_id( crt, idx, keyid);
+ ret = gnutls_openpgp_crt_get_subkey_id( crt, idx, keyid);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
-
+
return _get_pk_dsa_raw( crt, keyid, p, q, g, y);
}
@@ -1433,7 +1505,7 @@ gnutls_openpgp_crt_get_preferred_key_id (gnutls_openpgp_crt_t key,
return GNUTLS_E_INVALID_REQUEST;
}
- memcpy( keyid, key->preferred_keyid, sizeof(keyid));
+ memcpy( keyid, key->preferred_keyid, sizeof(gnutls_openpgp_keyid_t));
return 0;
}
@@ -1448,7 +1520,8 @@ gnutls_openpgp_crt_get_preferred_key_id (gnutls_openpgp_crt_t key,
*
**/
int
-gnutls_openpgp_crt_set_preferred_key_id (gnutls_openpgp_crt_t key, const gnutls_openpgp_keyid_t keyid)
+gnutls_openpgp_crt_set_preferred_key_id (gnutls_openpgp_crt_t key,
+ const gnutls_openpgp_keyid_t keyid)
{
int ret;
@@ -1468,7 +1541,7 @@ int ret;
}
key->preferred_set = 1;
- memcpy( key->preferred_keyid, keyid, sizeof(keyid));
+ memcpy( key->preferred_keyid, keyid, sizeof(gnutls_openpgp_keyid_t));
return 0;
}
@@ -1479,13 +1552,16 @@ int ret;
* @keyid: the struct to save the keyid.
* @flag: Non zero indicates that a valid subkey is always returned.
*
- * Returns the 64-bit keyID of the first valid OpenPGP subkey marked for authentication.
- * If flag is non zero and no authentication subkey exists, then a valid subkey will
- * be returned even if it is not marked for authentication.
- *
- * Returns zero on success.
+ * Returns the 64-bit keyID of the first valid OpenPGP subkey marked
+ * for authentication. If flag is non zero and no authentication
+ * subkey exists, then a valid subkey will be returned even if it is
+ * not marked for authentication.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
-int gnutls_openpgp_crt_get_auth_subkey( gnutls_openpgp_crt_t crt, gnutls_openpgp_keyid_t keyid, unsigned int flag)
+int gnutls_openpgp_crt_get_auth_subkey( gnutls_openpgp_crt_t crt,
+ gnutls_openpgp_keyid_t keyid,
+ unsigned int flag)
{
int ret, subkeys, i;
unsigned int usage;
@@ -1506,26 +1582,26 @@ int gnutls_openpgp_crt_get_auth_subkey( gnutls_openpgp_crt_t crt, gnutls_openpgp
ret = gnutls_openpgp_crt_get_subkey_revoked_status(crt, i);
if (ret != 0) /* it is revoked. ignore it */
- continue;
+ continue;
if (keyid_init == 0)
- { /* keep the first valid subkey */
- ret = gnutls_openpgp_crt_get_subkey_id( crt, i, keyid);
- if (ret < 0)
- {
- gnutls_assert();
- return ret;
- }
-
- keyid_init = 1;
- }
-
+ { /* keep the first valid subkey */
+ ret = gnutls_openpgp_crt_get_subkey_id( crt, i, keyid);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ return ret;
+ }
+
+ keyid_init = 1;
+ }
+
ret = gnutls_openpgp_crt_get_subkey_usage( crt, i, &usage);
if (ret < 0)
- {
- gnutls_assert();
- return ret;
- }
+ {
+ gnutls_assert();
+ return ret;
+ }
if (usage & GNUTLS_KEY_KEY_AGREEMENT)
{
@@ -1535,7 +1611,6 @@ int gnutls_openpgp_crt_get_auth_subkey( gnutls_openpgp_crt_t crt, gnutls_openpgp
gnutls_assert();
return ret;
}
-
return 0;
}
}
diff --git a/lib/openpgp/pgpverify.c b/lib/openpgp/pgpverify.c
index 34d15fb99c..6659a6f911 100644
--- a/lib/openpgp/pgpverify.c
+++ b/lib/openpgp/pgpverify.c
@@ -31,7 +31,6 @@
#include <gnutls_openpgp.h>
#include <gnutls_num.h>
-
/**
* gnutls_openpgp_crt_verify_ring - Verify all signatures in the key
* @key: the structure that holds the key.
@@ -39,20 +38,22 @@
* @flags: unused (should be 0)
* @verify: will hold the certificate verification output.
*
- * Verify all signatures in the key, using the given set of keys (keyring).
+ * Verify all signatures in the key, using the given set of keys
+ * (keyring).
*
- * The key verification output will be put in @verify and will be
- * one or more of the gnutls_certificate_status_t enumerated elements bitwise or'd.
+ * The key verification output will be put in @verify and will be one
+ * or more of the #gnutls_certificate_status_t enumerated elements
+ * bitwise or'd.
*
- * GNUTLS_CERT_INVALID: A signature on the key is invalid.
+ * %GNUTLS_CERT_INVALID: A signature on the key is invalid.
*
- * GNUTLS_CERT_REVOKED: The key has been revoked.
+ * %GNUTLS_CERT_REVOKED: The key has been revoked.
*
- * Note that this function does not verify using any "web of
- * trust". You may use GnuPG for that purpose, or any other external
- * PGP application.
+ * Note that this function does not verify using any "web of trust".
+ * You may use GnuPG for that purpose, or any other external PGP
+ * application.
*
- * Returns 0 on success.
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int
gnutls_openpgp_crt_verify_ring (gnutls_openpgp_crt_t key,
@@ -70,7 +71,7 @@ gnutls_openpgp_crt_verify_ring (gnutls_openpgp_crt_t key,
}
*verify = 0;
-
+
rc = cdk_pk_check_sigs (key->knode, keyring->db, &status);
if (rc == CDK_Error_No_Key)
{
@@ -109,7 +110,7 @@ gnutls_openpgp_crt_verify_ring (gnutls_openpgp_crt_t key,
if (rc == 0 && *verify & GNUTLS_CERT_SIGNER_NOT_FOUND)
*verify ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
}
-
+
return 0;
}
@@ -120,13 +121,13 @@ gnutls_openpgp_crt_verify_ring (gnutls_openpgp_crt_t key,
* @flags: unused (should be 0)
* @verify: will hold the key verification output.
*
- * Verifies the self signature in the key.
- * The key verification output will be put in @verify and will be
- * one or more of the gnutls_certificate_status_t enumerated elements bitwise or'd.
+ * Verifies the self signature in the key. The key verification
+ * output will be put in @verify and will be one or more of the
+ * gnutls_certificate_status_t enumerated elements bitwise or'd.
*
- * GNUTLS_CERT_INVALID: The self signature on the key is invalid.
+ * %GNUTLS_CERT_INVALID: The self signature on the key is invalid.
*
- * Returns 0 on success.
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int
gnutls_openpgp_crt_verify_self (gnutls_openpgp_crt_t key,
diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c
index 66cfbe40f9..13cd072ea0 100644
--- a/lib/openpgp/privkey.c
+++ b/lib/openpgp/privkey.c
@@ -40,7 +40,7 @@
*
* This function will initialize an OpenPGP key structure.
*
- * Returns 0 on success.
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int
gnutls_openpgp_privkey_init (gnutls_openpgp_privkey_t * key)
@@ -85,7 +85,7 @@ gnutls_openpgp_privkey_deinit (gnutls_openpgp_privkey_t key)
* the native gnutls_openpgp_privkey_t format. The output will be
* stored in 'key'.
*
- * Returns 0 on success.
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int
gnutls_openpgp_privkey_import (gnutls_openpgp_privkey_t key,
@@ -139,21 +139,23 @@ gnutls_openpgp_privkey_import (gnutls_openpgp_privkey_t key,
}
/**
- * gnutls_openpgp_privkey_export - This function will export a RAW or BASE64 encoded key
- * @key: Holds the key.
- * @format: One of gnutls_openpgp_crt_fmt_t elements.
- * @password: (unused for now)
- * @flags: zero for future compatibility
- * @output_data: will contain the key base64 encoded or raw
- * @output_data_size: holds the size of output_data (and will be replaced by the actual size of parameters)
- *
- * This function will convert the given key to RAW or Base64 format.
- * If the buffer provided is not long enough to hold the output, then
- * GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
- *
- * Returns 0 on success.
- *
- **/
+ * gnutls_openpgp_privkey_export - export a RAW or BASE64 encoded key
+ * @key: Holds the key.
+ * @format: One of gnutls_openpgp_crt_fmt_t elements.
+ * @password: the password that will be used to encrypt the key. (unused for now)
+ * @flags: zero for future compatibility
+ * @output_data: will contain the key base64 encoded or raw
+ * @output_data_size: holds the size of output_data (and will be
+ * replaced by the actual size of parameters)
+ *
+ * This function will convert the given key to RAW or Base64 format.
+ * If the buffer provided is not long enough to hold the output, then
+ * GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ *
+ * Since: 2.4.0
+ **/
int
gnutls_openpgp_privkey_export (gnutls_openpgp_privkey_t key,
gnutls_openpgp_crt_fmt_t format,
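Review bot: The new @password description says the password "will be used to encrypt the key" and then "(unused for now)", which invites callers to believe a password-protected export is produced when, going by the comment the commit itself adds, the argument is ignored and the secret key is written without protection. State the current behaviour plainly so nobody relies on it: `@password: currently ignored; the key is exported without password protection. Reserved for a future encrypted export.` The function body starts after the hunk, so I cannot confirm from here whether it has since started honouring the argument.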
@@ -166,7 +168,7 @@ gnutls_openpgp_privkey_export (gnutls_openpgp_privkey_t key,
/**
- * gnutls_openpgp_privkey_get_pk_algorithm - This function returns the key's PublicKey algorithm
+ * gnutls_openpgp_privkey_get_pk_algorithm - return the key's PublicKey algorithm
* @key: is an OpenPGP key
* @bits: if bits is non null it will hold the size of the parameters' in bits
*
@@ -174,12 +176,13 @@ gnutls_openpgp_privkey_export (gnutls_openpgp_privkey_t key,
* certificate.
*
* If bits is non null, it should have enough size to hold the parameters
- * size in bits. For RSA the bits returned is the modulus.
+ * size in bits. For RSA the bits returned is the modulus.
* For DSA the bits returned are of the public exponent.
*
- * Returns a member of the GNUTLS_PKAlgorithm enumeration on success,
- * or a negative value on error.
+ * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
+ * success, or a negative value on error.
*
+ * Since: 2.4.0
**/
gnutls_pk_algorithm_t
gnutls_openpgp_privkey_get_pk_algorithm (gnutls_openpgp_privkey_t key,
@@ -231,6 +234,7 @@ int algo;
* Returns: true (1) if the key has been revoked, or false (0) if it
* has not, or a negative value indicates an error.
*
+ * Since: 2.4.0
**/
int
gnutls_openpgp_privkey_get_revoked_status (gnutls_openpgp_privkey_t key)
@@ -261,6 +265,8 @@ gnutls_openpgp_privkey_get_revoked_status (gnutls_openpgp_privkey_t key)
* algorithm, the fingerprint can be 16 or 20 bytes.
*
* Returns: On success, 0 is returned, or an error code.
+ *
+ * Since: 2.4.0
**/
int
gnutls_openpgp_privkey_get_fingerprint (gnutls_openpgp_privkey_t key,
@@ -303,6 +309,8 @@ gnutls_openpgp_privkey_get_fingerprint (gnutls_openpgp_privkey_t key,
* Get key-id.
*
* Returns: the 64-bit keyID of the OpenPGP key.
+ *
+ * Since: 2.4.0
**/
int
gnutls_openpgp_privkey_get_key_id (gnutls_openpgp_privkey_t key,
@@ -337,6 +345,8 @@ gnutls_openpgp_privkey_get_key_id (gnutls_openpgp_privkey_t key,
* given OpenPGP certificate.
*
* Returns: the number of subkeys, or a negative value on error.
+ *
+ * Since: 2.4.0
**/
int
gnutls_openpgp_privkey_get_subkey_count (gnutls_openpgp_privkey_t key)
@@ -391,6 +401,8 @@ static cdk_packet_t _get_secret_subkey(gnutls_openpgp_privkey_t key, unsigned in
*
* Returns: true (1) if the key has been revoked, or false (0) if it
* has not, or a negative value indicates an error.
+ *
+ * Since: 2.4.0
**/
int
gnutls_openpgp_privkey_get_subkey_revoked_status (gnutls_openpgp_privkey_t key, unsigned int idx)
@@ -412,22 +424,23 @@ gnutls_openpgp_privkey_get_subkey_revoked_status (gnutls_openpgp_privkey_t key,
}
/**
- * gnutls_openpgp_privkey_get_subkey_pk_algorithm - This function returns the subkey's PublicKey algorithm
- * @key: is an OpenPGP key
- * @idx: is the subkey index
- * @bits: if bits is non null it will hold the size of the parameters' in bits
- *
- * This function will return the public key algorithm of a subkey of an OpenPGP
- * certificate.
- *
- * If bits is non null, it should have enough size to hold the parameters
- * size in bits. For RSA the bits returned is the modulus.
- * For DSA the bits returned are of the public exponent.
- *
- * Returns a member of the gnutls_pk_algorithm_t enumeration on success,
- * or a negative value on error.
- *
- **/
+ * gnutls_openpgp_privkey_get_subkey_pk_algorithm - return the subkey's PublicKey algorithm
+ * @key: is an OpenPGP key
+ * @idx: is the subkey index
+ * @bits: if bits is non null it will hold the size of the parameters' in bits
+ *
+ * This function will return the public key algorithm of a subkey of an OpenPGP
+ * certificate.
+ *
+ * If bits is non null, it should have enough size to hold the parameters
+ * size in bits. For RSA the bits returned is the modulus.
+ * For DSA the bits returned are of the public exponent.
+ *
+ * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
+ * success, or a negative value on error.
+ *
+ * Since: 2.4.0
+ **/
gnutls_pk_algorithm_t
gnutls_openpgp_privkey_get_subkey_pk_algorithm (gnutls_openpgp_privkey_t key,
unsigned int idx, unsigned int *bits)
@@ -468,6 +481,8 @@ gnutls_openpgp_privkey_get_subkey_pk_algorithm (gnutls_openpgp_privkey_t key,
* Get index of subkey.
*
* Returns: the index of the subkey or a negative error value.
+ *
+ * Since: 2.4.0
**/
int
gnutls_openpgp_privkey_get_subkey_idx (gnutls_openpgp_privkey_t key,
@@ -501,6 +516,8 @@ gnutls_openpgp_privkey_get_subkey_idx (gnutls_openpgp_privkey_t key,
* Get subkey creation time.
*
* Returns: the timestamp when the OpenPGP key was created.
+ *
+ * Since: 2.4.0
**/
time_t
gnutls_openpgp_privkey_get_subkey_creation_time (gnutls_openpgp_privkey_t key,
@@ -530,6 +547,8 @@ gnutls_openpgp_privkey_get_subkey_creation_time (gnutls_openpgp_privkey_t key,
* doesn't expire at all.
*
* Returns: the time when the OpenPGP key expires.
+ *
+ * Since: 2.4.0
**/
time_t
gnutls_openpgp_privkey_get_subkey_expiration_time (gnutls_openpgp_privkey_t key,
@@ -559,6 +578,8 @@ gnutls_openpgp_privkey_get_subkey_expiration_time (gnutls_openpgp_privkey_t key,
* Get the key-id for the subkey.
*
* Returns: the 64-bit keyID of the OpenPGP key.
+ *
+ * Since: 2.4.0
**/
int
gnutls_openpgp_privkey_get_subkey_id (gnutls_openpgp_privkey_t key,
@@ -585,6 +606,52 @@ gnutls_openpgp_privkey_get_subkey_id (gnutls_openpgp_privkey_t key,
return 0;
}
+/**
+ * gnutls_openpgp_privkey_get_subkey_fingerprint - Gets the fingerprint of a subkey
+ * @key: the raw data that contains the OpenPGP secret key.
+ * @idx: the subkey index
+ * @fpr: the buffer to save the fingerprint, must hold at least 20 bytes.
+ * @fprlen: the integer to save the length of the fingerprint.
+ *
+ * Get the fingerprint of an OpenPGP subkey. Depends on the
+ * algorithm, the fingerprint can be 16 or 20 bytes.
+ *
+ * Returns: On success, 0 is returned, or an error code.
+ *
+ * Since: 2.4.0
+ **/
+int
+gnutls_openpgp_privkey_get_subkey_fingerprint (gnutls_openpgp_privkey_t key,
+ unsigned int idx,
+ void *fpr, size_t * fprlen)
+{
+ cdk_packet_t pkt;
+ cdk_pkt_pubkey_t pk = NULL;
+
+ if (!fpr || !fprlen)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ *fprlen = 0;
+
+ pkt = _get_secret_subkey( key, idx);
+ if (!pkt)
+ return GNUTLS_E_OPENPGP_GETKEY_FAILED;
+
+
+ pk = pkt->pkt.secret_key->pk;
+ *fprlen = 20;
+
+ if (is_RSA (pk->pubkey_algo) && pk->version < 4)
+ *fprlen = 16;
+
+ cdk_pk_get_fingerprint (pk, fpr);
+
+ return 0;
+}
+
/* Extracts DSA and RSA parameters from a certificate.
*/
int
@@ -868,21 +935,23 @@ cleanup:
/**
- * gnutls_openpgp_privkey_export_rsa_raw - This function will export the RSA private key
- * @pkey: Holds the certificate
- * @m: will hold the modulus
- * @e: will hold the public exponent
- * @d: will hold the private exponent
- * @p: will hold the first prime (p)
- * @q: will hold the second prime (q)
- * @u: will hold the coefficient
- *
- * This function will export the RSA private key's parameters found in
- * the given structure. The new parameters will be allocated using
- * gnutls_malloc() and will be stored in the appropriate datum.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
- **/
+ * gnutls_openpgp_privkey_export_rsa_raw - This function will export the RSA private key
+ * @pkey: Holds the certificate
+ * @m: will hold the modulus
+ * @e: will hold the public exponent
+ * @d: will hold the private exponent
+ * @p: will hold the first prime (p)
+ * @q: will hold the second prime (q)
+ * @u: will hold the coefficient
+ *
+ * This function will export the RSA private key's parameters found in
+ * the given structure. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ *
+ * Since: 2.4.0
+ **/
int
gnutls_openpgp_privkey_export_rsa_raw (gnutls_openpgp_privkey_t pkey,
gnutls_datum_t * m, gnutls_datum_t * e,
@@ -903,20 +972,22 @@ int ret;
}
/**
- * gnutls_openpgp_privkey_export_dsa_raw - This function will export the DSA private key
- * @pkey: Holds the certificate
- * @p: will hold the p
- * @q: will hold the q
- * @g: will hold the g
- * @y: will hold the y
- * @x: will hold the x
- *
- * This function will export the DSA private key's parameters found in
- * the given certificate. The new parameters will be allocated using
- * gnutls_malloc() and will be stored in the appropriate datum.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
- **/
+ * gnutls_openpgp_privkey_export_dsa_raw - This function will export the DSA private key
+ * @pkey: Holds the certificate
+ * @p: will hold the p
+ * @q: will hold the q
+ * @g: will hold the g
+ * @y: will hold the y
+ * @x: will hold the x
+ *
+ * This function will export the DSA private key's parameters found in
+ * the given certificate. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ *
+ * Since: 2.4.0
+ **/
int
gnutls_openpgp_privkey_export_dsa_raw (gnutls_openpgp_privkey_t pkey,
gnutls_datum_t * p, gnutls_datum_t * q,
@@ -937,22 +1008,24 @@ int ret;
}
/**
- * gnutls_openpgp_privkey_export_subkey_rsa_raw - This function will export the RSA private key
- * @pkey: Holds the certificate
- * @idx: Is the subkey index
- * @m: will hold the modulus
- * @e: will hold the public exponent
- * @d: will hold the private exponent
- * @p: will hold the first prime (p)
- * @q: will hold the second prime (q)
- * @u: will hold the coefficient
- *
- * This function will export the RSA private key's parameters found in
- * the given structure. The new parameters will be allocated using
- * gnutls_malloc() and will be stored in the appropriate datum.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
- **/
+ * gnutls_openpgp_privkey_export_subkey_rsa_raw - export the RSA private key
+ * @pkey: Holds the certificate
+ * @idx: Is the subkey index
+ * @m: will hold the modulus
+ * @e: will hold the public exponent
+ * @d: will hold the private exponent
+ * @p: will hold the first prime (p)
+ * @q: will hold the second prime (q)
+ * @u: will hold the coefficient
+ *
+ * This function will export the RSA private key's parameters found in
+ * the given structure. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ *
+ * Since: 2.4.0
+ **/
int
gnutls_openpgp_privkey_export_subkey_rsa_raw (gnutls_openpgp_privkey_t pkey, unsigned int idx,
gnutls_datum_t * m, gnutls_datum_t * e,
@@ -973,21 +1046,23 @@ int ret;
}
/**
- * gnutls_openpgp_privkey_export_subkey_dsa_raw - export the DSA private key
- * @pkey: Holds the certificate
- * @idx: Is the subkey index
- * @p: will hold the p
- * @q: will hold the q
- * @g: will hold the g
- * @y: will hold the y
- * @x: will hold the x
- *
- * This function will export the DSA private key's parameters found
- * in the given certificate. The new parameters will be allocated
- * using gnutls_malloc() and will be stored in the appropriate datum.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
- **/
+ * gnutls_openpgp_privkey_export_subkey_dsa_raw - export the DSA private key
+ * @pkey: Holds the certificate
+ * @idx: Is the subkey index
+ * @p: will hold the p
+ * @q: will hold the q
+ * @g: will hold the g
+ * @y: will hold the y
+ * @x: will hold the x
+ *
+ * This function will export the DSA private key's parameters found
+ * in the given certificate. The new parameters will be allocated
+ * using gnutls_malloc() and will be stored in the appropriate datum.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ *
+ * Since: 2.4.0
+ **/
int
gnutls_openpgp_privkey_export_subkey_dsa_raw (gnutls_openpgp_privkey_t pkey,
unsigned int idx,
@@ -1030,7 +1105,7 @@ gnutls_openpgp_privkey_get_preferred_key_id (gnutls_openpgp_privkey_t key,
return GNUTLS_E_INVALID_REQUEST;
}
- memcpy( keyid, key->preferred_keyid, sizeof(keyid));
+ memcpy( keyid, key->preferred_keyid, sizeof(gnutls_openpgp_keyid_t));
return 0;
}
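Review bot: The corrected `sizeof(gnutls_openpgp_keyid_t)` deserves a one-line comment, because `keyid` is a parameter and has decayed to a pointer, so the removed `sizeof(keyid)` was the size of a pointer rather than of the key id — and it is the form a future editor is most likely to "simplify" back to; e.g. `/* keyid is a decayed array parameter: sizeof(keyid) would be sizeof(void *) */`. The same comment belongs on the memcpy in gnutls_openpgp_privkey_set_preferred_key_id in the next hunk. Both function bodies start outside their hunks.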
@@ -1067,7 +1142,7 @@ gnutls_openpgp_privkey_set_preferred_key_id (gnutls_openpgp_privkey_t key,
}
key->preferred_set = 1;
- memcpy( key->preferred_keyid, keyid, sizeof(keyid));
+ memcpy( key->preferred_keyid, keyid, sizeof(gnutls_openpgp_keyid_t));
return 0;
}
diff --git a/lib/pk-libgcrypt.c b/lib/pk-libgcrypt.c
index 891118e0e3..2c1c83c117 100644
--- a/lib/pk-libgcrypt.c
+++ b/lib/pk-libgcrypt.c
@@ -64,7 +64,7 @@ _wrap_gcry_pk_encrypt(gnutls_pk_algorithm_t algo,
/* make a sexp from pkey */
switch (algo) {
- case GCRY_PK_RSA:
+ case GNUTLS_PK_RSA:
if (pk_params->params_nr >= 2)
rc = gcry_sexp_build(&s_pkey, NULL,
"(public-key(rsa(n%m)(e%m)))",
@@ -164,7 +164,7 @@ _wrap_gcry_pk_decrypt(gnutls_pk_algorithm_t algo,
/* make a sexp from pkey */
switch (algo) {
- case GCRY_PK_RSA:
+ case GNUTLS_PK_RSA:
if (pk_params->params_nr >= 6)
rc = gcry_sexp_build(&s_pkey, NULL,
"(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))",
@@ -258,7 +258,7 @@ _wrap_gcry_pk_sign(gnutls_pk_algorithm_t algo, gnutls_datum_t * signature,
/* make a sexp from pkey */
switch (algo) {
- case GCRY_PK_DSA:
+ case GNUTLS_PK_DSA:
if (pk_params->params_nr >= 5)
rc = gcry_sexp_build(&s_key, NULL,
"(private-key(dsa(p%m)(q%m)(g%m)(y%m)(x%m)))",
@@ -270,7 +270,7 @@ _wrap_gcry_pk_sign(gnutls_pk_algorithm_t algo, gnutls_datum_t * signature,
}
break;
- case GCRY_PK_RSA:
+ case GNUTLS_PK_RSA:
if (pk_params->params_nr >= 6)
rc = gcry_sexp_build(&s_key, NULL,
"(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))",
@@ -314,7 +314,7 @@ _wrap_gcry_pk_sign(gnutls_pk_algorithm_t algo, gnutls_datum_t * signature,
ret = GNUTLS_E_INTERNAL_ERROR;
- if (algo == GCRY_PK_DSA) {
+ if (algo == GNUTLS_PK_DSA) {
list = gcry_sexp_find_token(s_sig, "r", 0);
if (list == NULL) {
gnutls_assert();
@@ -337,7 +337,7 @@ _wrap_gcry_pk_sign(gnutls_pk_algorithm_t algo, gnutls_datum_t * signature,
ret = _gnutls_encode_ber_rs(signature, res[0], res[1]);
- } else if (algo == GCRY_PK_RSA) { /* GCRY_PK_RSA */
+ } else if (algo == GNUTLS_PK_RSA) { /* GCRY_PK_RSA */
list = gcry_sexp_find_token(s_sig, "s", 0);
if (list == NULL) {
gnutls_assert();
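Review bot: The trailing comment on the `else if` still reads `/* GCRY_PK_RSA */` although the comparison next to it was just changed to `GNUTLS_PK_RSA`; it now documents exactly the confusion between the libgcrypt and gnutls enums that these hunks fix, so drop it or make it `} else if (algo == GNUTLS_PK_RSA) {`. The enclosing function _wrap_gcry_pk_sign starts and ends outside this hunk.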
@@ -392,13 +392,13 @@ int _wrap_gcry_pk_verify( gnutls_pk_algorithm_t algo,
/* make a sexp from pkey */
switch (algo) {
- case GCRY_PK_DSA:
+ case GNUTLS_PK_DSA:
if (pk_params->params_nr >= 4)
rc = gcry_sexp_build(&s_pkey, NULL,
"(public-key(dsa(p%m)(q%m)(g%m)(y%m)))",
pk_params->params[0], pk_params->params[1], pk_params->params[2], pk_params->params[3]);
break;
- case GCRY_PK_RSA:
+ case GNUTLS_PK_RSA:
if (pk_params->params_nr >= 2)
rc = gcry_sexp_build(&s_pkey, NULL,
"(public-key(rsa(n%m)(e%m)))",
@@ -425,7 +425,7 @@ int _wrap_gcry_pk_verify( gnutls_pk_algorithm_t algo,
}
switch (algo) {
- case GCRY_PK_DSA:
+ case GNUTLS_PK_DSA:
ret = _gnutls_decode_ber_rs (signature, &tmp[0], &tmp[1]);
if (ret < 0)
{
@@ -436,7 +436,7 @@ int _wrap_gcry_pk_verify( gnutls_pk_algorithm_t algo,
"(sig-val(dsa(r%m)(s%m)))", tmp[0], tmp[1]);
break;
- case GCRY_PK_RSA:
+ case GNUTLS_PK_RSA:
ret = _gnutls_mpi_scan_nz( &tmp[0], signature->data, signature->size);
if (ret < 0)
{
diff --git a/lib/x509/common.c b/lib/x509/common.c
index b59f6a05f0..925051eae9 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -105,19 +105,19 @@ _gnutls_x509_oid_data_printable (const char *oid)
}
/**
- * gnutls_x509_dn_oid_known - This function will return true if the given OID is known
- * @oid: holds an Object Identifier in a null terminated string
- *
- * This function will inform about known DN OIDs. This is useful since functions
- * like gnutls_x509_crt_set_dn_by_oid() use the information on known
- * OIDs to properly encode their input. Object Identifiers that are not
- * known are not encoded by these functions, and their input is stored directly
- * into the ASN.1 structure. In that case of unknown OIDs, you have
- * the responsibility of DER encoding your data.
- *
- * Returns 1 on known OIDs and 0 otherwise.
- *
- **/
+ * gnutls_x509_dn_oid_known - return true if the given OID is known
+ * @oid: holds an Object Identifier in a null terminated string
+ *
+ * This function will inform about known DN OIDs. This is useful since
+ * functions like gnutls_x509_crt_set_dn_by_oid() use the information
+ * on known OIDs to properly encode their input. Object Identifiers
+ * that are not known are not encoded by these functions, and their
+ * input is stored directly into the ASN.1 structure. In that case of
+ * unknown OIDs, you have the responsibility of DER encoding your
+ * data.
+ *
+ * Returns: 1 on known OIDs and 0 otherwise.
+ **/
int
gnutls_x509_dn_oid_known (const char *oid)
{
diff --git a/lib/x509/crl.c b/lib/x509/crl.c
index 9bfc284508..b37f26cf78 100644
--- a/lib/x509/crl.c
+++ b/lib/x509/crl.c
@@ -35,18 +35,18 @@
#include <x509_int.h>
/**
- * gnutls_x509_crl_init - This function initializes a gnutls_x509_crl_t structure
- * @crl: The structure to be initialized
- *
- * This function will initialize a CRL structure. CRL stands for
- * Certificate Revocation List. A revocation list usually contains
- * lists of certificate serial numbers that have been revoked
- * by an Authority. The revocation lists are always signed with
- * the authority's private key.
- *
- * Returns 0 on success.
- *
- **/
+ * gnutls_x509_crl_init - initializes a #gnutls_x509_crl_t structure
+ * @crl: The structure to be initialized
+ *
+ * This function will initialize a CRL structure. CRL stands for
+ * Certificate Revocation List. A revocation list usually contains
+ * lists of certificate serial numbers that have been revoked by an
+ * Authority. The revocation lists are always signed with the
+ * authority's private key.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_crl_init (gnutls_x509_crl_t * crl)
{
@@ -69,12 +69,11 @@ gnutls_x509_crl_init (gnutls_x509_crl_t * crl)
}
/**
- * gnutls_x509_crl_deinit - This function deinitializes memory used by a gnutls_x509_crl_t structure
- * @crl: The structure to be initialized
- *
- * This function will deinitialize a CRL structure.
- *
- **/
+ * gnutls_x509_crl_deinit - deinitializes a #gnutls_x509_crl_t structure
+ * @crl: The structure to be initialized
+ *
+ * This function will deinitialize a CRL structure.
+ **/
void
gnutls_x509_crl_deinit (gnutls_x509_crl_t crl)
{
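Review bot: The new doc block for gnutls_x509_crl_deinit still describes its parameter as `@crl: The structure to be initialized`, which is the init function's wording; since the comment is being rewritten anyway, `@crl: The structure to be deinitialized` is the right text.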
@@ -88,19 +87,19 @@ gnutls_x509_crl_deinit (gnutls_x509_crl_t crl)
}
/**
- * gnutls_x509_crl_import - This function will import a DER or PEM encoded CRL
- * @crl: The structure to store the parsed CRL.
- * @data: The DER or PEM encoded CRL.
- * @format: One of DER or PEM
- *
- * This function will convert the given DER or PEM encoded CRL
- * to the native gnutls_x509_crl_t format. The output will be stored in 'crl'.
- *
- * If the CRL is PEM encoded it should have a header of "X509 CRL".
- *
- * Returns 0 on success.
- *
- **/
+ * gnutls_x509_crl_import - import a DER or PEM encoded CRL
+ * @crl: The structure to store the parsed CRL.
+ * @data: The DER or PEM encoded CRL.
+ * @format: One of DER or PEM
+ *
+ * This function will convert the given DER or PEM encoded CRL
+ * to the native #gnutls_x509_crl_t format. The output will be stored in 'crl'.
+ *
+ * If the CRL is PEM encoded it should have a header of "X509 CRL".
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_crl_import (gnutls_x509_crl_t crl,
const gnutls_datum_t * data,
@@ -162,22 +161,23 @@ cleanup:
/**
- * gnutls_x509_crl_get_issuer_dn - This function returns the CRL's issuer distinguished name
- * @crl: should contain a gnutls_x509_crl_t structure
- * @buf: a pointer to a structure to hold the peer's name (may be null)
- * @sizeof_buf: initially holds the size of @buf
- *
- * This function will copy the name of the CRL issuer in the provided buffer. The name
- * will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output
- * string will be ASCII or UTF-8 encoded, depending on the certificate data.
- *
- * If buf is null then only the size will be filled.
- *
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and
- * in that case the sizeof_buf will be updated with the required size, and
- * 0 on success.
- *
- **/
+ * gnutls_x509_crl_get_issuer_dn - returns the CRL's issuer distinguished name
+ * @crl: should contain a gnutls_x509_crl_t structure
+ * @buf: a pointer to a structure to hold the peer's name (may be null)
+ * @sizeof_buf: initially holds the size of @buf
+ *
+ * This function will copy the name of the CRL issuer in the provided
+ * buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
+ * described in RFC2253. The output string will be ASCII or UTF-8
+ * encoded, depending on the certificate data.
+ *
+ * If buf is %NULL then only the size will be filled.
+ *
+ * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
+ * not long enough, and in that case the sizeof_buf will be updated
+ * with the required size, and 0 on success.
+ *
+ **/
int
gnutls_x509_crl_get_issuer_dn (const gnutls_x509_crl_t crl, char *buf,
size_t * sizeof_buf)
@@ -194,30 +194,31 @@ gnutls_x509_crl_get_issuer_dn (const gnutls_x509_crl_t crl, char *buf,
}
/**
- * gnutls_x509_crl_get_issuer_dn_by_oid - This function returns the CRL's issuer distinguished name
- * @crl: should contain a gnutls_x509_crl_t structure
- * @oid: holds an Object Identified in null terminated string
- * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one.
- * @raw_flag: If non zero returns the raw DER data of the DN part.
- * @buf: a pointer to a structure to hold the peer's name (may be null)
- * @sizeof_buf: initially holds the size of @buf
- *
- * This function will extract the part of the name of the CRL issuer specified
- * by the given OID. The output will be encoded as described in RFC2253. The output
- * string will be ASCII or UTF-8 encoded, depending on the certificate data.
- *
- * Some helper macros with popular OIDs can be found in gnutls/x509.h
- * If raw flag is zero, this function will only return known OIDs as text. Other OIDs
- * will be DER encoded, as described in RFC2253 -- in hex format with a '\#' prefix.
- * You can check about known OIDs using gnutls_x509_dn_oid_known().
- *
- * If buf is null then only the size will be filled.
- *
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and
- * in that case the sizeof_buf will be updated with the required size,
- * and 0 on success.
- *
- **/
+ * gnutls_x509_crl_get_issuer_dn_by_oid - return the CRL's issuer distinguished name
+ * @crl: should contain a gnutls_x509_crl_t structure
+ * @oid: holds an Object Identified in null terminated string
+ * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one.
+ * @raw_flag: If non zero returns the raw DER data of the DN part.
+ * @buf: a pointer to a structure to hold the peer's name (may be null)
+ * @sizeof_buf: initially holds the size of @buf
+ *
+ * This function will extract the part of the name of the CRL issuer
+ * specified by the given OID. The output will be encoded as described
+ * in RFC2253. The output string will be ASCII or UTF-8 encoded,
+ * depending on the certificate data.
+ *
+ * Some helper macros with popular OIDs can be found in gnutls/x509.h
+ * If raw flag is zero, this function will only return known OIDs as
+ * text. Other OIDs will be DER encoded, as described in RFC2253 -- in
+ * hex format with a '\#' prefix. You can check about known OIDs
+ * using gnutls_x509_dn_oid_known().
+ *
+ * If buf is null then only the size will be filled.
+ *
+ * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
+ * not long enough, and in that case the sizeof_buf will be updated
+ * with the required size, and 0 on success.
+ **/
int
gnutls_x509_crl_get_issuer_dn_by_oid (gnutls_x509_crl_t crl,
const char *oid, int indx,
@@ -236,22 +237,21 @@ gnutls_x509_crl_get_issuer_dn_by_oid (gnutls_x509_crl_t crl,
}
/**
- * gnutls_x509_crl_get_dn_oid - This function returns the Certificate request issuer's distinguished name OIDs
- * @crl: should contain a gnutls_x509_crl_t structure
- * @indx: Specifies which DN OID to send. Use zero to get the first one.
- * @oid: a pointer to a structure to hold the name (may be null)
- * @sizeof_oid: initially holds the size of 'oid'
- *
- * This function will extract the requested OID of the name of the CRL issuer, specified
- * by the given index.
- *
- * If oid is null then only the size will be filled.
- *
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and
- * in that case the sizeof_oid will be updated with the required size.
- * On success 0 is returned.
- *
- **/
+ * gnutls_x509_crl_get_dn_oid - returns the Certificate request issuer's distinguished name OIDs
+ * @crl: should contain a gnutls_x509_crl_t structure
+ * @indx: Specifies which DN OID to send. Use zero to get the first one.
+ * @oid: a pointer to a structure to hold the name (may be null)
+ * @sizeof_oid: initially holds the size of 'oid'
+ *
+ * This function will extract the requested OID of the name of the CRL
+ * issuer, specified by the given index.
+ *
+ * If oid is null then only the size will be filled.
+ *
+ * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
+ * not long enough, and in that case the sizeof_oid will be updated
+ * with the required size. On success 0 is returned.
+ **/
int
gnutls_x509_crl_get_dn_oid (gnutls_x509_crl_t crl,
int indx, void *oid, size_t * sizeof_oid)
@@ -269,15 +269,15 @@ gnutls_x509_crl_get_dn_oid (gnutls_x509_crl_t crl,
/**
- * gnutls_x509_crl_get_signature_algorithm - This function returns the CRL's signature algorithm
- * @crl: should contain a gnutls_x509_crl_t structure
- *
- * This function will return a value of the gnutls_sign_algorithm_t enumeration that
- * is the signature algorithm.
- *
- * Returns a negative value on error.
- *
- **/
+ * gnutls_x509_crl_get_signature_algorithm - returns the CRL's signature algorithm
+ * @crl: should contain a #gnutls_x509_crl_t structure
+ *
+ * This function will return a value of the #gnutls_sign_algorithm_t
+ * enumeration that is the signature algorithm.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_crl_get_signature_algorithm (gnutls_x509_crl_t crl)
{
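Review bot: The new Returns: line for gnutls_x509_crl_get_signature_algorithm states that %GNUTLS_E_SUCCESS is returned on success, but the sentence just above it says the function returns a #gnutls_sign_algorithm_t enumeration value, and the text being replaced ("a negative value on error") did not make that claim; a caller trusting the new text would compare the result with 0. Following the form used for gnutls_x509_crl_get_version later in this diff: `Returns: a #gnutls_sign_algorithm_t value, or a negative value on error.`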
@@ -319,7 +319,8 @@ gnutls_x509_crl_get_signature_algorithm (gnutls_x509_crl_t crl)
*
* This function will extract the signature field of a CRL.
*
- * Returns 0 on success, and a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value. and a negative value on error.
**/
int
gnutls_x509_crl_get_signature (gnutls_x509_crl_t crl,
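Review bot: The rewritten Returns: text for gnutls_x509_crl_get_signature ends in `negative error value. and a negative value on error.` — the tail of the old sentence was left behind after the template was pasted in. The same leftover fragment appears in the gnutls_x509_crl_get_crt_serial and gnutls_x509_crl_export hunks further down in this file; each should simply end at `* negative error value.`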
@@ -368,14 +369,13 @@ gnutls_x509_crl_get_signature (gnutls_x509_crl_t crl,
}
/**
- * gnutls_x509_crl_get_version - This function returns the CRL's version number
- * @crl: should contain a gnutls_x509_crl_t structure
- *
- * This function will return the version of the specified CRL.
- *
- * Returns a negative value on error.
- *
- **/
+ * gnutls_x509_crl_get_version - returns the CRL's version number
+ * @crl: should contain a #gnutls_x509_crl_t structure
+ *
+ * This function will return the version of the specified CRL.
+ *
+ * Returns: The version number, or a negative value on error.
+ **/
int
gnutls_x509_crl_get_version (gnutls_x509_crl_t crl)
{
@@ -401,14 +401,13 @@ gnutls_x509_crl_get_version (gnutls_x509_crl_t crl)
}
/**
- * gnutls_x509_crl_get_this_update - This function returns the CRL's thisUpdate time
- * @crl: should contain a gnutls_x509_crl_t structure
- *
- * This function will return the time this CRL was issued.
- *
- * Returns (time_t)-1 on error.
- *
- **/
+ * gnutls_x509_crl_get_this_update - return the CRL's thisUpdate time
+ * @crl: should contain a #gnutls_x509_crl_t structure
+ *
+ * This function will return the time this CRL was issued.
+ *
+ * Returns: when the CRL was issued, or (time_t)-1 on error.
+ **/
time_t
gnutls_x509_crl_get_this_update (gnutls_x509_crl_t crl)
{
@@ -422,16 +421,15 @@ gnutls_x509_crl_get_this_update (gnutls_x509_crl_t crl)
}
/**
- * gnutls_x509_crl_get_next_update - This function returns the CRL's nextUpdate time
- * @crl: should contain a gnutls_x509_crl_t structure
- *
- * This function will return the time the next CRL will be issued.
- * This field is optional in a CRL so it might be normal to get
- * an error instead.
- *
- * Returns (time_t)-1 on error.
- *
- **/
+ * gnutls_x509_crl_get_next_update - return the CRL's nextUpdate time
+ * @crl: should contain a #gnutls_x509_crl_t structure
+ *
+ * This function will return the time the next CRL will be issued.
+ * This field is optional in a CRL so it might be normal to get an
+ * error instead.
+ *
+ * Returns: when the next CRL will be issued, or (time_t)-1 on error.
+ **/
time_t
gnutls_x509_crl_get_next_update (gnutls_x509_crl_t crl)
{
@@ -445,15 +443,14 @@ gnutls_x509_crl_get_next_update (gnutls_x509_crl_t crl)
}
/**
- * gnutls_x509_crl_get_crt_count - This function returns the number of revoked certificates in a CRL
- * @crl: should contain a gnutls_x509_crl_t structure
- *
- * This function will return the number of revoked certificates in the
- * given CRL.
- *
- * Returns a negative value on failure.
- *
- **/
+ * gnutls_x509_crl_get_crt_count - get number of revoked certificates in a CRL
+ * @crl: should contain a #gnutls_x509_crl_t structure
+ *
+ * This function will return the number of revoked certificates in the
+ * given CRL.
+ *
+ * Returns: number of certificates, a negative value on failure.
+ **/
int
gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl)
{
@@ -480,19 +477,19 @@ gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl)
}
/**
- * gnutls_x509_crl_get_crt_serial - This function returns the serial number of a revoked certificate
- * @crl: should contain a gnutls_x509_crl_t structure
- * @indx: the index of the certificate to extract (starting from 0)
- * @serial: where the serial number will be copied
- * @serial_size: initially holds the size of serial
- * @t: if non null, will hold the time this certificate was revoked
- *
- * This function will return the serial number of the specified, by
- * the index, revoked certificate.
- *
- * Returns a negative value on failure.
- *
- **/
+ * gnutls_x509_crl_get_crt_serial - get the serial number of a revoked certificate
+ * @crl: should contain a #gnutls_x509_crl_t structure
+ * @indx: the index of the certificate to extract (starting from 0)
+ * @serial: where the serial number will be copied
+ * @serial_size: initially holds the size of serial
+ * @t: if non null, will hold the time this certificate was revoked
+ *
+ * This function will retrieve the serial number of the specified, by
+ * the index, revoked certificate.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value. and a negative value on error.
+ **/
int
gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl, int indx,
unsigned char *serial,
@@ -612,23 +609,24 @@ cleanup:
}
/**
- * gnutls_x509_crl_export - This function will export the CRL
- * @crl: Holds the revocation list
- * @format: the format of output params. One of PEM or DER.
- * @output_data: will contain a private key PEM or DER encoded
- * @output_data_size: holds the size of output_data (and will be replaced by the actual size of parameters)
- *
- * This function will export the revocation list to DER or PEM format.
- *
- * If the buffer provided is not long enough to hold the output, then
- * GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
- *
- * If the structure is PEM encoded, it will have a header
- * of "BEGIN X509 CRL".
- *
- * Returns 0 on success, and a negative value on failure.
- *
- **/
+ * gnutls_x509_crl_export - export the CRL
+ * @crl: Holds the revocation list
+ * @format: the format of output params. One of PEM or DER.
+ * @output_data: will contain a private key PEM or DER encoded
+ * @output_data_size: holds the size of output_data (and will
+ * be replaced by the actual size of parameters)
+ *
+ * This function will export the revocation list to DER or PEM format.
+ *
+ * If the buffer provided is not long enough to hold the output, then
+ * ¤GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
+ *
+ * If the structure is PEM encoded, it will have a header
+ * of "BEGIN X509 CRL".
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value. and a negative value on failure.
+ **/
int
gnutls_x509_crl_export (gnutls_x509_crl_t crl,
gnutls_x509_crt_fmt_t format, void *output_data,
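Review bot: In the rewritten gnutls_x509_crl_export comment, `¤GNUTLS_E_SHORT_MEMORY_BUFFER` uses a stray currency sign where the gtk-doc `%` prefix was intended, so the reference will not resolve in the generated docs; it should read `* %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.` While touching the block, `@output_data: will contain a private key PEM or DER encoded` describes the wrong object — this function exports the revocation list — so `@output_data: will contain the CRL, PEM or DER encoded` is what the parameter does.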
@@ -652,7 +650,8 @@ gnutls_x509_crl_export (gnutls_x509_crl_t crl,
*
* This function will copy an X.509 certificate structure.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
-*/
int
diff --git a/lib/x509/crl_write.c b/lib/x509/crl_write.c
index 6834fc858c..5ab7c1cfb4 100644
--- a/lib/x509/crl_write.c
+++ b/lib/x509/crl_write.c
@@ -49,14 +49,15 @@ static void disable_optional_stuff (gnutls_x509_crl_t crl);
* must be one for CRL version 1, and so on. The CRLs generated
* by gnutls should have a version number of 2.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
gnutls_x509_crl_set_version (gnutls_x509_crl_t crl, unsigned int version)
{
int result;
- char null = version;
+ uint8_t null = version & 0xFF;
if (crl == NULL)
{
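Review bot: `uint8_t null = version & 0xFF;` silently wraps any `version` above 255 — 256 becomes 0 and is then written as CRL version 1 — whereas rejecting out-of-range input is safer than masking it for a value that is a public API parameter. I would insert `if (version > 255) { gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; }` before the declaration and keep the plain conversion; the decrement that consumes `null` is in the next hunk, and the single byte is handed to asn1_write_value as a one-byte INTEGER, which if it is read as two's complement (my understanding, worth confirming) makes the usable range narrower still and the bound worth tightening. The body of gnutls_x509_crl_set_version continues beyond this hunk.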
@@ -64,9 +65,8 @@ gnutls_x509_crl_set_version (gnutls_x509_crl_t crl, unsigned int version)
return GNUTLS_E_INVALID_REQUEST;
}
- null -= 1;
- if (null < 0)
- null = 0;
+ if (null > 0)
+ null -= 1;
result = asn1_write_value (crl->crl, "tbsCertList.version", &null, 1);
if (result != ASN1_SUCCESS)
@@ -92,7 +92,8 @@ gnutls_x509_crl_set_version (gnutls_x509_crl_t crl, unsigned int version)
* This must be the last step in a certificate CRL since all
* the previously set parameters are now signed.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -132,7 +133,8 @@ gnutls_x509_crl_sign2 (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer,
* This function is the same a gnutls_x509_crl_sign2() with no flags, and
* SHA1 as the hash algorithm.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -149,7 +151,8 @@ gnutls_x509_crl_sign (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer,
*
* This function will set the time this CRL was issued.
*
- * Returns 0 on success, or a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -171,7 +174,8 @@ gnutls_x509_crl_set_this_update (gnutls_x509_crl_t crl, time_t act_time)
*
* This function will set the time this CRL will be updated.
*
- * Returns 0 on success, or a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -194,7 +198,8 @@ gnutls_x509_crl_set_next_update (gnutls_x509_crl_t crl, time_t exp_time)
*
* This function will set a revoked certificate's serial number to the CRL.
*
- * Returns 0 on success, or a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -259,7 +264,8 @@ gnutls_x509_crl_set_crt_serial (gnutls_x509_crl_t crl,
*
* This function will set a revoked certificate's serial number to the CRL.
*
- * Returns 0 on success, or a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index 9201709ca4..6aaaf83f4c 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -44,7 +44,8 @@
*
* This function will initialize a PKCS10 certificate request structure.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -101,7 +102,8 @@ gnutls_x509_crq_deinit (gnutls_x509_crq_t crq)
*
* If the Certificate is PEM encoded it should have a header of "NEW CERTIFICATE REQUEST".
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -179,7 +181,7 @@ cleanup:
*
* If @buf is null then only the size will be filled.
*
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
+ * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
* long enough, and in that case the *sizeof_buf will be updated with
* the required size. On success 0 is returned.
*
@@ -221,7 +223,7 @@ gnutls_x509_crq_get_dn (gnutls_x509_crq_t crq, char *buf, size_t * sizeof_buf)
*
* If @buf is null then only the size will be filled.
*
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
+ * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
* long enough, and in that case the *sizeof_buf will be updated with
* the required size. On success 0 is returned.
*
@@ -254,7 +256,7 @@ gnutls_x509_crq_get_dn_by_oid (gnutls_x509_crq_t crq, const char *oid,
*
* If oid is null then only the size will be filled.
*
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
+ * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
* long enough, and in that case the *sizeof_oid will be updated with
* the required size. On success 0 is returned.
*
@@ -424,7 +426,8 @@ cleanup:
* This function will return the challenge password in the
* request.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -451,7 +454,8 @@ gnutls_x509_crq_get_challenge_password (gnutls_x509_crq_t crq,
* This function will set the attribute in the certificate request specified
* by the given Object ID. The attribute must be be DER encoded.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -505,7 +509,8 @@ gnutls_x509_crq_set_attribute_by_oid (gnutls_x509_crq_t crq,
* This function will return the attribute in the certificate request specified
* by the given Object ID. The attribute will be DER encoded.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -540,7 +545,8 @@ gnutls_x509_crq_get_attribute_by_oid (gnutls_x509_crq_t crq,
* not known (by gnutls) you should properly DER encode your data, and
* call this function with raw_flag set.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -566,7 +572,8 @@ gnutls_x509_crq_set_dn_by_oid (gnutls_x509_crq_t crq, const char *oid,
* This function will set the version of the certificate request. For
* version 1 requests this must be one.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -601,8 +608,8 @@ gnutls_x509_crq_set_version (gnutls_x509_crq_t crq, unsigned int version)
*
* This function will return the version of the specified Certificate request.
*
- * Returns a negative value on error.
- *
+ * Returns: version of certificate request, or a negative value on
+ * error.
**/
int
gnutls_x509_crq_get_version (gnutls_x509_crq_t crq)
@@ -639,7 +646,8 @@ gnutls_x509_crq_get_version (gnutls_x509_crq_t crq)
* This function will set the public parameters from the given private key to the
* request. Only RSA keys are currently supported.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -675,7 +683,8 @@ gnutls_x509_crq_set_key (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key)
*
* This function will set a challenge password to be used when revoking the request.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -809,7 +818,8 @@ gnutls_x509_crq_sign2 (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key,
* This function is the same a gnutls_x509_crq_sign2() with no flags, and
* SHA1 as the hash algorithm.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -868,9 +878,8 @@ gnutls_x509_crq_export (gnutls_x509_crq_t crq,
* For DSA the bits returned are of the public
* exponent.
*
- * Returns a member of the gnutls_pk_algorithm_t enumeration on success,
- * or a negative value on error.
- *
+ * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
+ * success, or a negative value on error.
**/
int
gnutls_x509_crq_get_pk_algorithm (gnutls_x509_crq_t crq, unsigned int *bits)
diff --git a/lib/x509/dn.c b/lib/x509/dn.c
index 129227a722..44fe5ad8c8 100644
--- a/lib/x509/dn.c
+++ b/lib/x509/dn.c
@@ -943,17 +943,19 @@ _gnutls_x509_set_dn_oid (ASN1_TYPE asn1_struct,
}
/**
- * gnutls_x509_dn_init: initialize an opaque DN object
- *
- * @odn: the object to be initialized
- *
- * This function initializes a #gnutls_x509_dn_t structure.
- *
- * The object returned must be deallocated using
- * gnutls_x509_dn_deinit().
- *
- * Returns: 0 on success, or an error code.
- **/
+ * gnutls_x509_dn_init: initialize an opaque DN object
+ * @odn: the object to be initialized
+ *
+ * This function initializes a #gnutls_x509_dn_t structure.
+ *
+ * The object returned must be deallocated using
+ * gnutls_x509_dn_deinit().
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 2.4.0
+ **/
int gnutls_x509_dn_init (gnutls_x509_dn_t * odn)
{
int result;
@@ -972,23 +974,25 @@ int gnutls_x509_dn_init (gnutls_x509_dn_t * odn)
return 0;
}
-
/**
- * gnutls_x509_dn_import: get opaque DN object from DER RDN sequence
- *
- * @odn: the structure that will hold the imported DN
- * @data: should contain a DER encoded RDN sequence
- *
- * This function parses an RDN sequence and stores the result to a
- * #gnutls_x509_dn_t structure. The structure must have been initialized
- * with gnutls_x509_dn_init(). You may use gnutls_x509_dn_get_rdn_ava() to
- * decode the DN.
- *
- * Returns: 0 on success, or an error code.
- **/
+ * gnutls_x509_dn_import: get opaque DN object from DER RDN sequence
+ *
+ * @odn: the structure that will hold the imported DN
+ * @data: should contain a DER encoded RDN sequence
+ *
+ * This function parses an RDN sequence and stores the result to a
+ * #gnutls_x509_dn_t structure. The structure must have been initialized
+ * with gnutls_x509_dn_init(). You may use gnutls_x509_dn_get_rdn_ava() to
+ * decode the DN.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 2.4.0
+ **/
int
gnutls_x509_dn_import (gnutls_x509_dn_t odn,
- const gnutls_datum_t * data)
+ const gnutls_datum_t * data)
{
int result;
char err[MAX_ERROR_DESCRIPTION_SIZE];
@@ -1007,14 +1011,15 @@ gnutls_x509_dn_import (gnutls_x509_dn_t odn,
}
/**
- * gnutls_x509_dn_deinit: deallocate a DN object
- * @idn: a DN opaque object pointer.
- *
- * This function deallocates the DN object as returned by
- * gnutls_x509_dn_import().
- *
- **/
-void
+ * gnutls_x509_dn_deinit: deallocate a DN object
+ * @idn: a DN opaque object pointer.
+ *
+ * This function deallocates the DN object as returned by
+ * gnutls_x509_dn_import().
+ *
+ * Since: 2.4.0
+ **/
+void
gnutls_x509_dn_deinit (gnutls_x509_dn_t idn)
{
ASN1_TYPE dn = idn;
@@ -1023,20 +1028,20 @@ gnutls_x509_dn_deinit (gnutls_x509_dn_t idn)
}
/**
- * gnutls_x509_rdn_get - This function parses an RDN sequence and returns a string
- * @idn: should contain a DER encoded RDN sequence
- * @buf: a pointer to a structure to hold the peer's name
- * @sizeof_buf: holds the size of @buf
- *
- * This function will return the name of the given RDN sequence. The
- * name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in
- * RFC2253.
- *
- * If the provided buffer is not long enough, returns
- * GNUTLS_E_SHORT_MEMORY_BUFFER and *sizeof_buf will be updated. On
- * success 0 is returned.
- *
- **/
+ * gnutls_x509_rdn_get - parse an RDN sequence and returns a string
+ * @idn: should contain a DER encoded RDN sequence
+ * @buf: a pointer to a structure to hold the peer's name
+ * @sizeof_buf: holds the size of @buf
+ *
+ * This function will return the name of the given RDN sequence. The
+ * name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in
+ * RFC2253.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, or
+ * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *@sizeof_buf is
+ * updated if the provided buffer is not long enough, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_rdn_get (const gnutls_datum_t * idn,
char *buf, size_t * sizeof_buf)
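Review bot: The rewritten title line at L4996 mixes an imperative with a third-person verb, `gnutls_x509_rdn_get - parse an RDN sequence and returns a string`; the rest of this commit uses the imperative for titles, so this should read `gnutls_x509_rdn_get - parse an RDN sequence and return a string`. The same mismatch was introduced in the two following hunks of dn.c, at the title lines of gnutls_x509_rdn_get_by_oid and gnutls_x509_rdn_get_oid. Wording only; the new Returns: paragraph itself is accurate.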
@@ -1079,23 +1084,24 @@ gnutls_x509_rdn_get (const gnutls_datum_t * idn,
}
/**
- * gnutls_x509_rdn_get_by_oid - This function parses an RDN sequence and returns a string
- * @idn: should contain a DER encoded RDN sequence
- * @oid: an Object Identifier
- * @indx: In case multiple same OIDs exist in the RDN indicates which
- * to send. Use 0 for the first one.
- * @raw_flag: If non zero then the raw DER data are returned.
- * @buf: a pointer to a structure to hold the peer's name
- * @sizeof_buf: holds the size of @buf
- *
- * This function will return the name of the given Object identifier,
- * of the RDN sequence. The name will be encoded using the rules
- * from RFC2253.
- *
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER and updates *sizeof_buf if
- * the provided buffer is not long enough, and 0 on success.
- *
- **/
+ * gnutls_x509_rdn_get_by_oid - parse an RDN sequence and returns a string
+ * @idn: should contain a DER encoded RDN sequence
+ * @oid: an Object Identifier
+ * @indx: In case multiple same OIDs exist in the RDN indicates which
+ * to send. Use 0 for the first one.
+ * @raw_flag: If non zero then the raw DER data are returned.
+ * @buf: a pointer to a structure to hold the peer's name
+ * @sizeof_buf: holds the size of @buf
+ *
+ * This function will return the name of the given Object identifier,
+ * of the RDN sequence. The name will be encoded using the rules
+ * from RFC2253.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, or
+ * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *@sizeof_buf is
+ * updated if the provided buffer is not long enough, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_rdn_get_by_oid (const gnutls_datum_t * idn, const char *oid,
int indx, unsigned int raw_flag,
@@ -1136,19 +1142,22 @@ gnutls_x509_rdn_get_by_oid (const gnutls_datum_t * idn, const char *oid,
}
/**
- * gnutls_x509_rdn_get_oid - This function parses an RDN sequence and returns an OID.
- * @idn: should contain a DER encoded RDN sequence
- * @indx: Indicates which OID to return. Use 0 for the first one.
- * @oid: a pointer to a structure to hold the peer's name OID
- * @sizeof_oid: holds the size of @oid
- *
- * This function will return the specified Object identifier, of the
- * RDN sequence.
- *
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER and updates *sizeof_buf if
- * the provided buffer is not long enough, and 0 on success.
- *
- **/
+ * gnutls_x509_rdn_get_oid - parse an RDN sequence and returns an OID.
+ * @idn: should contain a DER encoded RDN sequence
+ * @indx: Indicates which OID to return. Use 0 for the first one.
+ * @oid: a pointer to a structure to hold the peer's name OID
+ * @sizeof_oid: holds the size of @oid
+ *
+ * This function will return the specified Object identifier, of the
+ * RDN sequence.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, or
+ * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *@sizeof_buf is
+ * updated if the provided buffer is not long enough, otherwise a
+ * negative error value.
+ *
+ * Since: 2.4.0
+ **/
int
gnutls_x509_rdn_get_oid (const gnutls_datum_t * idn,
int indx, void *buf, size_t * sizeof_buf)
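Review bot: The new Returns: paragraph refers to `*@sizeof_buf`, but the parameter block above it documents `@oid` and `@sizeof_oid`, while the signature on the next lines takes `void *buf, size_t * sizeof_buf`; gtk-doc will report the undeclared `@sizeof_buf` and the two unmatched parameters. The name mismatch itself predates this commit, but since the whole block is being rewritten the parameter lines should follow the code: `@buf: a pointer to a structure to hold the peer's name OID` and `@sizeof_buf: holds the size of @buf`. The function body continues outside the hunk.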
@@ -1212,29 +1221,29 @@ _gnutls_x509_compare_raw_dn (const gnutls_datum_t * dn1,
}
/**
- * gnutls_x509_dn_export - This function will export the DN
- * @dn: Holds the opaque DN object
- * @format: the format of output params. One of PEM or DER.
- * @output_data: will contain a DN PEM or DER encoded
- * @output_data_size: holds the size of output_data (and will be
- * replaced by the actual size of parameters)
- *
- * This function will export the DN to DER or PEM format.
- *
- * If the buffer provided is not long enough to hold the output, then
- * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
- * be returned.
- *
- * If the structure is PEM encoded, it will have a header
- * of "BEGIN NAME".
- *
- * Return value: In case of failure a negative value will be
- * returned, and 0 on success.
- **/
+ * gnutls_x509_dn_export - This function will export the DN
+ * @dn: Holds the opaque DN object
+ * @format: the format of output params. One of PEM or DER.
+ * @output_data: will contain a DN PEM or DER encoded
+ * @output_data_size: holds the size of output_data (and will be
+ * replaced by the actual size of parameters)
+ *
+ * This function will export the DN to DER or PEM format.
+ *
+ * If the buffer provided is not long enough to hold the output, then
+ * *@output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER
+ * will be returned.
+ *
+ * If the structure is PEM encoded, it will have a header
+ * of "BEGIN NAME".
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_dn_export (gnutls_x509_dn_t dn,
- gnutls_x509_crt_fmt_t format, void *output_data,
- size_t * output_data_size)
+ gnutls_x509_crt_fmt_t format, void *output_data,
+ size_t * output_data_size)
{
ASN1_TYPE asn1 = dn;
diff --git a/lib/x509/output.c b/lib/x509/output.c
index 30aec75f3e..c0fd18a4fd 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -607,7 +607,7 @@ print_cert (gnutls_string * str, gnutls_x509_crt_t cert, int notsigned)
{
const char *name = gnutls_pk_algorithm_get_name (err);
if (name == NULL)
- name = "Unknown";
+ name = _("unknown");
addf (str, _("\tSubject Public Key Algorithm: %s\n"), name);
switch (err)
@@ -878,7 +878,7 @@ print_cert (gnutls_string * str, gnutls_x509_crt_t cert, int notsigned)
{
const char *name = gnutls_sign_algorithm_get_name (err);
if (name == NULL)
- name = "Unknown";
+ name = _("unknown");
addf (str, _("\tSignature Algorithm: %s\n"), name);
}
if (err == GNUTLS_SIGN_RSA_MD5 || err == GNUTLS_SIGN_RSA_MD2)
@@ -1119,7 +1119,8 @@ print_oneline (gnutls_string * str, gnutls_x509_crt_t cert)
*
* The output @out needs to be deallocate using gnutls_free().
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_print (gnutls_x509_crt_t cert,
@@ -1287,7 +1288,7 @@ print_crl (gnutls_string *str,
{
const char *name = gnutls_sign_algorithm_get_name (err);
if (name == NULL)
- name = "Unknown";
+ name = _("unknown");
addf (str, _("\tSignature Algorithm: %s\n"), name);
}
if (err == GNUTLS_SIGN_RSA_MD5 || err == GNUTLS_SIGN_RSA_MD2)
@@ -1335,7 +1336,8 @@ print_crl (gnutls_string *str,
*
* The output @out needs to be deallocate using gnutls_free().
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crl_print (gnutls_x509_crl_t crl,
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 9df7890198..3fc73ea9b2 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -131,7 +131,8 @@ cleanup:
* usually contain lists of X.509 Certificates and X.509 Certificate
* revocation lists.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -186,7 +187,8 @@ gnutls_pkcs12_deinit (gnutls_pkcs12_t pkcs12)
*
* If the PKCS12 is PEM encoded it should have a header of "PKCS12".
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -570,7 +572,8 @@ cleanup:
* @bag: An initialized bag, where the contents of the bag will be copied
*
* This function will return a Bag from the PKCS12 structure.
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
* After the last Bag has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
* will be returned.
@@ -717,7 +720,8 @@ cleanup:
* @bag: An initialized bag
*
* This function will insert a Bag into the PKCS12 structure.
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -848,7 +852,8 @@ cleanup:
* @pass: The password for the MAC
*
* This function will generate a MAC for the PKCS12 structure.
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -980,7 +985,8 @@ cleanup:
* @pass: The password for the MAC
*
* This function will verify the MAC for the PKCS12 structure.
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
index 0c613f1f56..42bc8f2075 100644
--- a/lib/x509/pkcs12_bag.c
+++ b/lib/x509/pkcs12_bag.c
@@ -43,7 +43,8 @@
* usually contain private keys, lists of X.509 Certificates and X.509 Certificate
* revocation lists.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -145,7 +146,8 @@ gnutls_pkcs12_bag_get_count (gnutls_pkcs12_bag_t bag)
* that is stored into the bag. Should not be accessed after the bag
* is deleted.
*
- * Returns 0 on success and a negative error code on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.and a negative error code on error.
*
**/
int
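Review bot: The replacement at L5271-5272 left the tail of the old sentence in place, producing `negative error value.and a negative error code on error.`, which reads as a duplicated, unpunctuated fragment in the generated manual. The same leftover `negative error value. or a negative value on error.` appears in the later pkcs12_bag.c hunks for gnutls_pkcs12_bag_set_key_id, gnutls_pkcs12_bag_get_key_id, gnutls_pkcs12_bag_get_friendly_name and gnutls_pkcs12_bag_set_friendly_name. Each should end after `negative error value.`, as the other Returns: paragraphs in this commit do.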
@@ -325,18 +327,17 @@ cleanup:
/**
- * gnutls_pkcs12_bag_set_data - This function inserts data into the bag
- * @bag: The bag
- * @type: The data's type
- * @data: the data to be copied.
- *
- * This function will insert the given data of the given type into the
- * bag.
- *
- * Returns the index of the added bag on success, or a negative
- * value on error.
- *
- **/
+ * gnutls_pkcs12_bag_set_data - This function inserts data into the bag
+ * @bag: The bag
+ * @type: The data's type
+ * @data: the data to be copied.
+ *
+ * This function will insert the given data of the given type into
+ * the bag.
+ *
+ * Returns: the index of the added bag on success, or a negative
+ * value on error.
+ **/
int
gnutls_pkcs12_bag_set_data (gnutls_pkcs12_bag_t bag,
gnutls_pkcs12_bag_type_t type,
@@ -389,17 +390,16 @@ gnutls_pkcs12_bag_set_data (gnutls_pkcs12_bag_t bag,
}
/**
- * gnutls_pkcs12_bag_set_crt - This function inserts a certificate into the bag
- * @bag: The bag
- * @crt: the certificate to be copied.
- *
- * This function will insert the given certificate into the
- * bag. This is just a wrapper over gnutls_pkcs12_bag_set_data().
- *
- * Returns the index of the added bag on success, or a negative
- * value on failure.
- *
- **/
+ * gnutls_pkcs12_bag_set_crt - This function inserts a certificate into the bag
+ * @bag: The bag
+ * @crt: the certificate to be copied.
+ *
+ * This function will insert the given certificate into the
+ * bag. This is just a wrapper over gnutls_pkcs12_bag_set_data().
+ *
+ * Returns: the index of the added bag on success, or a negative
+ * value on failure.
+ **/
int
gnutls_pkcs12_bag_set_crt (gnutls_pkcs12_bag_t bag, gnutls_x509_crt_t crt)
{
@@ -427,17 +427,16 @@ gnutls_pkcs12_bag_set_crt (gnutls_pkcs12_bag_t bag, gnutls_x509_crt_t crt)
}
/**
- * gnutls_pkcs12_bag_set_crl - This function inserts the CRL into the bag
- * @bag: The bag
- * @crl: the CRL to be copied.
- *
- * This function will insert the given CRL into the
- * bag. This is just a wrapper over gnutls_pkcs12_bag_set_data().
- *
- * Returns the index of the added bag on success, or a negative
- * value on failure.
- *
- **/
+ * gnutls_pkcs12_bag_set_crl - insert the CRL into the bag
+ * @bag: The bag
+ * @crl: the CRL to be copied.
+ *
+ * This function will insert the given CRL into the
+ * bag. This is just a wrapper over gnutls_pkcs12_bag_set_data().
+ *
+ * Returns: the index of the added bag on success, or a negative value
+ * on failure.
+ **/
int
gnutls_pkcs12_bag_set_crl (gnutls_pkcs12_bag_t bag, gnutls_x509_crl_t crl)
{
@@ -475,7 +474,8 @@ gnutls_pkcs12_bag_set_crl (gnutls_pkcs12_bag_t bag, gnutls_x509_crl_t crl)
* element. The key ID will be encoded as a 'Local key identifier' bag attribute,
* which is usually used to distinguish the local private key and the certificate pair.
*
- * Returns 0 on success, or a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value. or a negative value on error.
*
**/
int
@@ -518,7 +518,8 @@ gnutls_pkcs12_bag_set_key_id (gnutls_pkcs12_bag_t bag, int indx,
* This function will return the key ID, of the specified bag element.
* The key ID is usually used to distinguish the local private key and the certificate pair.
*
- * Returns 0 on success, or a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value. or a negative value on error.
*
**/
int
@@ -552,7 +553,8 @@ gnutls_pkcs12_bag_get_key_id (gnutls_pkcs12_bag_t bag, int indx,
* This function will return the friendly name, of the specified bag element.
* The key ID is usually used to distinguish the local private key and the certificate pair.
*
- * Returns 0 on success, or a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value. or a negative value on error.
*
**/
int
@@ -587,7 +589,8 @@ gnutls_pkcs12_bag_get_friendly_name (gnutls_pkcs12_bag_t bag, int indx,
* element. The name will be encoded as a 'Friendly name' bag attribute,
* which is usually used to set a user name to the local private key and the certificate pair.
*
- * Returns 0 on success, or a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value. or a negative value on error.
*
**/
int
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index 399d93280d..02b7305e9b 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -138,16 +138,16 @@ cleanup:
}
/**
- * gnutls_pkcs7_init - This function initializes a gnutls_pkcs7_t structure
- * @pkcs7: The structure to be initialized
- *
- * This function will initialize a PKCS7 structure. PKCS7 structures
- * usually contain lists of X.509 Certificates and X.509 Certificate
- * revocation lists.
- *
- * Returns 0 on success.
- *
- **/
+ * gnutls_pkcs7_init - initialize a #gnutls_pkcs7_t structure
+ * @pkcs7: The structure to be initialized
+ *
+ * This function will initialize a PKCS7 structure. PKCS7 structures
+ * usually contain lists of X.509 Certificates and X.509 Certificate
+ * revocation lists.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_pkcs7_init (gnutls_pkcs7_t * pkcs7)
{
@@ -170,12 +170,11 @@ gnutls_pkcs7_init (gnutls_pkcs7_t * pkcs7)
}
/**
- * gnutls_pkcs7_deinit - This function deinitializes memory used by a gnutls_pkcs7_t structure
- * @pkcs7: The structure to be initialized
- *
- * This function will deinitialize a PKCS7 structure.
- *
- **/
+ * gnutls_pkcs7_deinit - deinitializes a #gnutls_pkcs7_t structure
+ * @pkcs7: The structure to be initialized
+ *
+ * This function will deinitialize a PKCS7 structure.
+ **/
void
gnutls_pkcs7_deinit (gnutls_pkcs7_t pkcs7)
{
@@ -189,19 +188,20 @@ gnutls_pkcs7_deinit (gnutls_pkcs7_t pkcs7)
}
/**
- * gnutls_pkcs7_import - This function will import a DER or PEM encoded PKCS7
- * @pkcs7: The structure to store the parsed PKCS7.
- * @data: The DER or PEM encoded PKCS7.
- * @format: One of DER or PEM
- *
- * This function will convert the given DER or PEM encoded PKCS7
- * to the native gnutls_pkcs7_t format. The output will be stored in 'pkcs7'.
- *
- * If the PKCS7 is PEM encoded it should have a header of "PKCS7".
- *
- * Returns 0 on success.
- *
- **/
+ * gnutls_pkcs7_import - import a DER or PEM encoded PKCS7
+ * @pkcs7: The structure to store the parsed PKCS7.
+ * @data: The DER or PEM encoded PKCS7.
+ * @format: One of DER or PEM
+ *
+ * This function will convert the given DER or PEM encoded PKCS7 to
+ * the native #gnutls_pkcs7_t format. The output will be stored in
+ * 'pkcs7'.
+ *
+ * If the PKCS7 is PEM encoded it should have a header of "PKCS7".
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_pkcs7_import (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format)
@@ -259,20 +259,24 @@ cleanup:
}
/**
- * gnutls_pkcs7_get_crt_raw - This function returns a certificate in a PKCS7 certificate set
- * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
- * @indx: contains the index of the certificate to extract
- * @certificate: the contents of the certificate will be copied there (may be null)
- * @certificate_size: should hold the size of the certificate
- *
- * This function will return a certificate of the PKCS7 or RFC2630 certificate set.
- * Returns 0 on success. If the provided buffer is not long enough,
- * then @certificate_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
- *
- * After the last certificate has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
- * will be returned.
- *
- **/
+ * gnutls_pkcs7_get_crt_raw - get a certificate from a PKCS7 certificate set
+ * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
+ * @indx: contains the index of the certificate to extract
+ * @certificate: the contents of the certificate will be copied
+ * there (may be null)
+ * @certificate_size: should hold the size of the certificate
+ *
+ * This function will return a certificate of the PKCS7 or RFC2630
+ * certificate set.
+ *
+ * After the last certificate has been read
+ * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value. If the provided buffer is not long enough,
+ * then @certificate_size is updated and
+ * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
+ **/
int
gnutls_pkcs7_get_crt_raw (gnutls_pkcs7_t pkcs7,
int indx, void *certificate,
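Review bot: The rewritten parameter line `@pkcs7_struct: should contain a gnutls_pkcs7_t structure` does not match the signature on the following lines, whose first parameter is `pkcs7`; gtk-doc flags such mismatches, and the type name is also missing the `#` cross-reference used elsewhere in this commit. Since the line is being rewritten anyway, `@pkcs7: should contain a #gnutls_pkcs7_t structure` would fix both. The same `@pkcs7_struct` line is reproduced on the new side of the later pkcs7.c hunks (gnutls_pkcs7_get_crt_count, gnutls_pkcs7_export, gnutls_pkcs7_set_crt_raw, gnutls_pkcs7_delete_crt, gnutls_pkcs7_get_crl_raw, gnutls_pkcs7_get_crl_count, gnutls_pkcs7_set_crl_raw and gnutls_pkcs7_set_crl).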
@@ -364,15 +368,15 @@ cleanup:
}
/**
- * gnutls_pkcs7_get_crt_count - This function returns the number of certificates in a PKCS7 certificate set
- * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
- *
- * This function will return the number of certifcates in the PKCS7 or
- * RFC2630 certificate set.
- *
- * Returns a negative value on failure.
- *
- **/
+ * gnutls_pkcs7_get_crt_count - return the number of certificates in a PKCS7 certificate set
+ * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
+ *
+ * This function will return the number of certifcates in the PKCS7
+ * or RFC2630 certificate set.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_pkcs7_get_crt_count (gnutls_pkcs7_t pkcs7)
{
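Review bot: The new Returns: paragraph at L5534-5535 says this function returns %GNUTLS_E_SUCCESS, but the description two lines above says it returns the number of certificates, and a caller reading the Returns: line could treat a non-zero count as an error. The body is outside the hunk, but the old text (`Returns a negative value on failure.`) agrees with the description, so `Returns: the number of certificates in the set on success, or a negative error value.` is the accurate replacement. The same wrong Returns: text was added for gnutls_pkcs7_get_crl_count in a later hunk of this file, where the description also still says `certifcates` (misspelt at L5531 and L5700) although that function counts CRLs.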
@@ -408,25 +412,24 @@ gnutls_pkcs7_get_crt_count (gnutls_pkcs7_t pkcs7)
}
/**
- * gnutls_pkcs7_export - This function will export the pkcs7 structure
- * @pkcs7: Holds the pkcs7 structure
- * @format: the format of output params. One of PEM or DER.
- * @output_data: will contain a structure PEM or DER encoded
- * @output_data_size: holds the size of output_data (and will be
- * replaced by the actual size of parameters)
- *
- * This function will export the pkcs7 structure to DER or PEM format.
- *
- * If the buffer provided is not long enough to hold the output, then
- * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
- * be returned.
- *
- * If the structure is PEM encoded, it will have a header
- * of "BEGIN PKCS7".
- *
- * Return value: In case of failure a negative value will be
- * returned, and 0 on success.
- *
+ * gnutls_pkcs7_export - export the pkcs7 structure
+ * @pkcs7: Holds the pkcs7 structure
+ * @format: the format of output params. One of PEM or DER.
+ * @output_data: will contain a structure PEM or DER encoded
+ * @output_data_size: holds the size of output_data (and will be
+ * replaced by the actual size of parameters)
+ *
+ * This function will export the pkcs7 structure to DER or PEM format.
+ *
+ * If the buffer provided is not long enough to hold the output, then
+ * *@output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER
+ * will be returned.
+ *
+ * If the structure is PEM encoded, it will have a header
+ * of "BEGIN PKCS7".
+ *
+ * Return value: In case of failure a negative value will be
+ * returned, and 0 on success.
**/
int
gnutls_pkcs7_export (gnutls_pkcs7_t pkcs7,
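Review bot: This block keeps the old `Return value:` wording at L5578-5579 while every other rewritten comment in the commit, including the parallel gnutls_x509_dn_export in dn.c, was converted to the `Returns:` form; gtk-doc accepts both, so this is consistency rather than a rendering bug. Suggest `Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a` / `negative error value.` in place of the two retained lines.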
@@ -521,14 +524,16 @@ cleanup:
}
/**
- * gnutls_pkcs7_set_crt_raw - This function adds a certificate in a PKCS7 certificate set
- * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
- * @crt: the DER encoded certificate to be added
- *
- * This function will add a certificate to the PKCS7 or RFC2630 certificate set.
- * Returns 0 on success.
- *
- **/
+ * gnutls_pkcs7_set_crt_raw - add a certificate in a PKCS7 certificate set
+ * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
+ * @crt: the DER encoded certificate to be added
+ *
+ * This function will add a certificate to the PKCS7 or RFC2630
+ * certificate set.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_pkcs7_set_crt_raw (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * crt)
{
@@ -613,15 +618,16 @@ cleanup:
}
/**
- * gnutls_pkcs7_set_crt - This function adds a parsed certificate in a PKCS7 certificate set
+ * gnutls_pkcs7_set_crt - add a parsed certificate in a PKCS7 certificate set
* @pkcs7_struct: should contain a gnutls_pkcs7_t structure
* @crt: the certificate to be copied.
*
- * This function will add a parsed certificate to the PKCS7 or RFC2630 certificate set.
- * This is a wrapper function over gnutls_pkcs7_set_crt_raw() .
- *
- * Returns 0 on success.
+ * This function will add a parsed certificate to the PKCS7 or
+ * RFC2630 certificate set. This is a wrapper function over
+ * gnutls_pkcs7_set_crt_raw() .
*
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_pkcs7_set_crt (gnutls_pkcs7_t pkcs7, gnutls_x509_crt_t crt)
@@ -654,14 +660,16 @@ gnutls_pkcs7_set_crt (gnutls_pkcs7_t pkcs7, gnutls_x509_crt_t crt)
/**
- * gnutls_pkcs7_delete_crt - This function deletes a certificate from a PKCS7 certificate set
- * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
- * @indx: the index of the certificate to delete
- *
- * This function will delete a certificate from a PKCS7 or RFC2630 certificate set.
- * Index starts from 0. Returns 0 on success.
- *
- **/
+ * gnutls_pkcs7_delete_crt - deletes a certificate from a PKCS7 certificate set
+ * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
+ * @indx: the index of the certificate to delete
+ *
+ * This function will delete a certificate from a PKCS7 or RFC2630
+ * certificate set. Index starts from 0. Returns 0 on success.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_pkcs7_delete_crt (gnutls_pkcs7_t pkcs7, int indx)
{
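Review bot: The description at L5643 still ends with `Returns 0 on success.` even though a separate Returns: paragraph was added two lines below, so the rendered manual states the return value twice in different forms. The sentence should be dropped from the description, leaving `certificate set. Index starts from 0.`. The title `deletes a certificate` is also third person where the neighbouring titles in this commit use the imperative (`add a parsed certificate`, `export the pkcs7 structure`).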
@@ -718,20 +726,20 @@ cleanup:
*/
/**
- * gnutls_pkcs7_get_crl_raw - This function returns a crl in a PKCS7 crl set
- * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
- * @indx: contains the index of the crl to extract
- * @crl: the contents of the crl will be copied there (may be null)
- * @crl_size: should hold the size of the crl
- *
- * This function will return a crl of the PKCS7 or RFC2630 crl set.
- * Returns 0 on success. If the provided buffer is not long enough,
- * then @crl_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
- *
- * After the last crl has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
- * will be returned.
- *
- **/
+ * gnutls_pkcs7_get_crl_raw - This function returns a crl in a PKCS7 crl set
+ * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
+ * @indx: contains the index of the crl to extract
+ * @crl: the contents of the crl will be copied there (may be null)
+ * @crl_size: should hold the size of the crl
+ *
+ * This function will return a crl of the PKCS7 or RFC2630 crl set.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value. If the provided buffer is not long enough,
+ * then @crl_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER is
+ * returned. After the last crl has been read
+ * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
+ **/
int
gnutls_pkcs7_get_crl_raw (gnutls_pkcs7_t pkcs7,
int indx, void *crl, size_t * crl_size)
@@ -795,15 +803,15 @@ cleanup:
}
/**
- * gnutls_pkcs7_get_crl_count - This function returns the number of crls in a PKCS7 crl set
- * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
- *
- * This function will return the number of certifcates in the PKCS7 or
- * RFC2630 crl set.
- *
- * Returns a negative value on failure.
- *
- **/
+ * gnutls_pkcs7_get_crl_count - returns the number of CRLs in a PKCS7 crl set
+ * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
+ *
+ * This function will return the number of certifcates in the PKCS7
+ * or RFC2630 crl set.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_pkcs7_get_crl_count (gnutls_pkcs7_t pkcs7)
{
@@ -839,14 +847,15 @@ gnutls_pkcs7_get_crl_count (gnutls_pkcs7_t pkcs7)
}
/**
- * gnutls_pkcs7_set_crl_raw - This function adds a crl in a PKCS7 crl set
- * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
- * @crl: the DER encoded crl to be added
- *
- * This function will add a crl to the PKCS7 or RFC2630 crl set.
- * Returns 0 on success.
- *
- **/
+ * gnutls_pkcs7_set_crl_raw - add a crl in a PKCS7 crl set
+ * @pkcs7_struct: should contain #a gnutls_pkcs7_t structure
+ * @crl: the DER encoded crl to be added
+ *
+ * This function will add a crl to the PKCS7 or RFC2630 crl set.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_pkcs7_set_crl_raw (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * crl)
{
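Review bot: The `#` link marker on the new @pkcs7_struct line of gnutls_pkcs7_set_crl_raw is attached to the article instead of the type (`#a gnutls_pkcs7_t`), so gtk-doc cannot resolve the symbol link. Suggested: `* @pkcs7_struct: should contain a #gnutls_pkcs7_t structure`.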
@@ -921,14 +930,16 @@ cleanup:
}
/**
- * gnutls_pkcs7_set_crl - This function adds a parsed crl in a PKCS7 crl set
- * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
- * @crl: the DER encoded crl to be added
- *
- * This function will add a parsed crl to the PKCS7 or RFC2630 crl set.
- * Returns 0 on success.
- *
- **/
+ * gnutls_pkcs7_set_crl - add a parsed crl in a PKCS7 crl set
+ * @pkcs7_struct: should contain a #gnutls_pkcs7_t structure
+ * @crl: the DER encoded crl to be added
+ *
+ * This function will add a parsed CRL to the PKCS7 or RFC2630 crl
+ * set.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_pkcs7_set_crl (gnutls_pkcs7_t pkcs7, gnutls_x509_crl_t crl)
{
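Review bot: The @crl line kept in the gnutls_pkcs7_set_crl comment still says "the DER encoded crl to be added", but the signature directly below takes a parsed `gnutls_x509_crl_t`, and the rewritten description itself says a parsed CRL is added. Suggested: `* @crl: the parsed crl to be added`. The function body continues outside the hunk.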
@@ -959,14 +970,16 @@ gnutls_pkcs7_set_crl (gnutls_pkcs7_t pkcs7, gnutls_x509_crl_t crl)
}
/**
- * gnutls_pkcs7_delete_crl - This function deletes a crl from a PKCS7 crl set
- * @pkcs7_struct: should contain a gnutls_pkcs7_t structure
- * @indx: the index of the crl to delete
- *
- * This function will delete a crl from a PKCS7 or RFC2630 crl set.
- * Index starts from 0. Returns 0 on success.
- *
- **/
+ * gnutls_pkcs7_delete_crl - deletes a CRL from a PKCS7 crl set
+ * @pkcs7_struct: should contain a #gnutls_pkcs7_t structure
+ * @indx: the index of the crl to delete
+ *
+ * This function will delete a crl from a PKCS7 or RFC2630 crl set.
+ * Index starts from 0. Returns 0 on success.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_pkcs7_delete_crl (gnutls_pkcs7_t pkcs7, int indx)
{
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index 6c52c98ef0..61a95d212b 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -43,14 +43,14 @@ int _gnutls_asn1_encode_dsa (ASN1_TYPE * c2, bigint_t * params);
#define CALC_COEFF 1
/**
- * gnutls_x509_privkey_init - This function initializes a gnutls_crl structure
- * @key: The structure to be initialized
- *
- * This function will initialize an private key structure.
- *
- * Returns 0 on success.
- *
- **/
+ * gnutls_x509_privkey_init - initialize a #gnutls_privkey_t structure
+ * @key: The structure to be initialized
+ *
+ * This function will initialize an private key structure.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_privkey_init (gnutls_x509_privkey_t * key)
{
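Review bot: The new title line for gnutls_x509_privkey_init links `#gnutls_privkey_t`, but the function takes a `gnutls_x509_privkey_t *` (signature below), so the link points at the wrong symbol. Suggested: `* gnutls_x509_privkey_init - initialize a #gnutls_x509_privkey_t structure`. The description's "an private key" should read "a private key".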
@@ -67,12 +67,11 @@ gnutls_x509_privkey_init (gnutls_x509_privkey_t * key)
}
/**
- * gnutls_x509_privkey_deinit - This function deinitializes memory used by a gnutls_x509_privkey_t structure
- * @key: The structure to be initialized
- *
- * This function will deinitialize a private key structure.
- *
- **/
+ * gnutls_x509_privkey_deinit - deinitializes a #gnutls_x509_privkey_t structure
+ * @key: The structure to be initialized
+ *
+ * This function will deinitialize a private key structure.
+ **/
void
gnutls_x509_privkey_deinit (gnutls_x509_privkey_t key)
{
@@ -91,13 +90,16 @@ gnutls_x509_privkey_deinit (gnutls_x509_privkey_t key)
}
/**
- * gnutls_x509_privkey_cpy - This function copies a private key
- * @dst: The destination key, which should be initialized.
- * @src: The source key
- *
- * This function will copy a private key from source to destination key.
- *
- **/
+ * gnutls_x509_privkey_cpy - copy a private key
+ * @dst: The destination key, which should be initialized.
+ * @src: The source key
+ *
+ * This function will copy a private key from source to destination
+ * key.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_privkey_cpy (gnutls_x509_privkey_t dst, gnutls_x509_privkey_t src)
{
@@ -337,20 +339,21 @@ error:
#define PEM_KEY_RSA "RSA PRIVATE KEY"
/**
- * gnutls_x509_privkey_import - This function will import a DER or PEM encoded key
- * @key: The structure to store the parsed key
- * @data: The DER or PEM encoded certificate.
- * @format: One of DER or PEM
- *
- * This function will convert the given DER or PEM encoded key
- * to the native gnutls_x509_privkey_t format. The output will be stored in @key .
- *
- * If the key is PEM encoded it should have a header of "RSA PRIVATE KEY", or
- * "DSA PRIVATE KEY".
- *
- * Returns 0 on success.
- *
- **/
+ * gnutls_x509_privkey_import - import a DER or PEM encoded key
+ * @key: The structure to store the parsed key
+ * @data: The DER or PEM encoded certificate.
+ * @format: One of DER or PEM
+ *
+ * This function will convert the given DER or PEM encoded key to the
+ * native #gnutls_x509_privkey_t format. The output will be stored in
+ * @key .
+ *
+ * If the key is PEM encoded it should have a header of "RSA PRIVATE
+ * KEY", or "DSA PRIVATE KEY".
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_privkey_import (gnutls_x509_privkey_t key,
const gnutls_datum_t * data,
@@ -416,7 +419,7 @@ gnutls_x509_privkey_import (gnutls_x509_privkey_t key,
}
else
{
- /* Try decoding with both, and accept the one that
+ /* Try decoding with both, and accept the one that
* succeeds.
*/
key->pk_algorithm = GNUTLS_PK_RSA;
@@ -458,19 +461,22 @@ cleanup:
_gnutls_mpi_release(&key->params[i])
/**
- * gnutls_x509_privkey_import_rsa_raw - This function will import a raw RSA key
- * @key: The structure to store the parsed key
- * @m: holds the modulus
- * @e: holds the public exponent
- * @d: holds the private exponent
- * @p: holds the first prime (p)
- * @q: holds the second prime (q)
- * @u: holds the coefficient
- *
- * This function will convert the given RSA raw parameters
- * to the native gnutls_x509_privkey_t format. The output will be stored in @key.
- *
- **/
+ * gnutls_x509_privkey_import_rsa_raw - import a raw RSA key
+ * @key: The structure to store the parsed key
+ * @m: holds the modulus
+ * @e: holds the public exponent
+ * @d: holds the private exponent
+ * @p: holds the first prime (p)
+ * @q: holds the second prime (q)
+ * @u: holds the coefficient
+ *
+ * This function will convert the given RSA raw parameters to the
+ * native #gnutls_x509_privkey_t format. The output will be stored in
+ * @key.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_privkey_import_rsa_raw (gnutls_x509_privkey_t key,
const gnutls_datum_t * m,
@@ -575,18 +581,21 @@ gnutls_x509_privkey_import_rsa_raw (gnutls_x509_privkey_t key,
}
/**
- * gnutls_x509_privkey_import_dsa_raw - This function will import a raw DSA key
- * @key: The structure to store the parsed key
- * @p: holds the p
- * @q: holds the q
- * @g: holds the g
- * @y: holds the y
- * @x: holds the x
- *
- * This function will convert the given DSA raw parameters
- * to the native gnutls_x509_privkey_t format. The output will be stored in @key.
- *
- **/
+ * gnutls_x509_privkey_import_dsa_raw - import a raw DSA key
+ * @key: The structure to store the parsed key
+ * @p: holds the p
+ * @q: holds the q
+ * @g: holds the g
+ * @y: holds the y
+ * @x: holds the x
+ *
+ * This function will convert the given DSA raw parameters to the
+ * native #gnutls_x509_privkey_t format. The output will be stored
+ * in @key.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_privkey_import_dsa_raw (gnutls_x509_privkey_t key,
const gnutls_datum_t * p,
@@ -664,16 +673,15 @@ gnutls_x509_privkey_import_dsa_raw (gnutls_x509_privkey_t key,
/**
- * gnutls_x509_privkey_get_pk_algorithm - This function returns the key's PublicKey algorithm
- * @key: should contain a gnutls_x509_privkey_t structure
- *
- * This function will return the public key algorithm of a private
- * key.
- *
- * Returns a member of the gnutls_pk_algorithm_t enumeration on success,
- * or a negative value on error.
- *
- **/
+ * gnutls_x509_privkey_get_pk_algorithm - returns the key's PublicKey algorithm
+ * @key: should contain a #gnutls_x509_privkey_t structure
+ *
+ * This function will return the public key algorithm of a private
+ * key.
+ *
+ * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
+ * success, or a negative value on error.
+ **/
int
gnutls_x509_privkey_get_pk_algorithm (gnutls_x509_privkey_t key)
{
@@ -686,30 +694,28 @@ gnutls_x509_privkey_get_pk_algorithm (gnutls_x509_privkey_t key)
return key->pk_algorithm;
}
-
/**
- * gnutls_x509_privkey_export - This function will export the private key
- * @key: Holds the key
- * @format: the format of output params. One of PEM or DER.
- * @output_data: will contain a private key PEM or DER encoded
- * @output_data_size: holds the size of output_data (and will be
- * replaced by the actual size of parameters)
- *
- * This function will export the private key to a PKCS1 structure for
- * RSA keys, or an integer sequence for DSA keys. The DSA keys are in
- * the same format with the parameters used by openssl.
- *
- * If the buffer provided is not long enough to hold the output, then
- * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
- * be returned.
- *
- * If the structure is PEM encoded, it will have a header
- * of "BEGIN RSA PRIVATE KEY".
- *
- * Return value: In case of failure a negative value will be
- * returned, and 0 on success.
- *
- **/
+ * gnutls_x509_privkey_export - export the private key
+ * @key: Holds the key
+ * @format: the format of output params. One of PEM or DER.
+ * @output_data: will contain a private key PEM or DER encoded
+ * @output_data_size: holds the size of output_data (and will be
+ * replaced by the actual size of parameters)
+ *
+ * This function will export the private key to a PKCS1 structure for
+ * RSA keys, or an integer sequence for DSA keys. The DSA keys are in
+ * the same format with the parameters used by openssl.
+ *
+ * If the buffer provided is not long enough to hold the output, then
+ * *@output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER
+ * will be returned.
+ *
+ * If the structure is PEM encoded, it will have a header
+ * of "BEGIN RSA PRIVATE KEY".
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_privkey_export (gnutls_x509_privkey_t key,
gnutls_x509_crt_fmt_t format, void *output_data,
@@ -763,22 +769,23 @@ gnutls_x509_privkey_export (gnutls_x509_privkey_t key,
output_data_size);
}
-
/**
- * gnutls_x509_privkey_export_rsa_raw - This function will export the RSA private key
- * @key: a structure that holds the rsa parameters
- * @m: will hold the modulus
- * @e: will hold the public exponent
- * @d: will hold the private exponent
- * @p: will hold the first prime (p)
- * @q: will hold the second prime (q)
- * @u: will hold the coefficient
- *
- * This function will export the RSA private key's parameters found in the given
- * structure. The new parameters will be allocated using
- * gnutls_malloc() and will be stored in the appropriate datum.
- *
- **/
+ * gnutls_x509_privkey_export_rsa_raw - export the RSA private key
+ * @key: a structure that holds the rsa parameters
+ * @m: will hold the modulus
+ * @e: will hold the public exponent
+ * @d: will hold the private exponent
+ * @p: will hold the first prime (p)
+ * @q: will hold the second prime (q)
+ * @u: will hold the coefficient
+ *
+ * This function will export the RSA private key's parameters found
+ * in the given structure. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_privkey_export_rsa_raw (gnutls_x509_privkey_t key,
gnutls_datum_t * m, gnutls_datum_t * e,
@@ -874,19 +881,21 @@ error:
}
/**
- * gnutls_x509_privkey_export_dsa_raw - This function will export the DSA private key
- * @params: a structure that holds the DSA parameters
- * @p: will hold the p
- * @q: will hold the q
- * @g: will hold the g
- * @y: will hold the y
- * @x: will hold the x
- *
- * This function will export the DSA private key's parameters found in the given
- * structure. The new parameters will be allocated using
- * gnutls_malloc() and will be stored in the appropriate datum.
- *
- **/
+ * gnutls_x509_privkey_export_dsa_raw - export the DSA private key
+ * @params: a structure that holds the DSA parameters
+ * @p: will hold the p
+ * @q: will hold the q
+ * @g: will hold the g
+ * @y: will hold the y
+ * @x: will hold the x
+ *
+ * This function will export the DSA private key's parameters found
+ * in the given structure. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_privkey_export_dsa_raw (gnutls_x509_privkey_t key,
gnutls_datum_t * p, gnutls_datum_t * q,
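Review bot: The `@params:` line in the gnutls_x509_privkey_export_dsa_raw comment does not match the signature's first parameter `key` (visible just below), a mismatch the rewrite kept; gtk-doc flags it and a reader cannot tell which argument is meant. Suggested: `* @key: a structure that holds the DSA parameters`. The parameter list continues outside the hunk.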
@@ -1307,18 +1316,18 @@ cleanup:
/**
- * gnutls_x509_privkey_generate - This function will generate a private key
- * @key: should contain a gnutls_x509_privkey_t structure
- * @algo: is one of RSA or DSA.
- * @bits: the size of the modulus
- * @flags: unused for now. Must be 0.
- *
- * This function will generate a random private key. Note that
- * this function must be called on an empty private key.
- *
- * Returns 0 on success or a negative value on error.
- *
- **/
+ * gnutls_x509_privkey_generate - generate a private key
+ * @key: should contain a #gnutls_x509_privkey_t structure
+ * @algo: is one of RSA or DSA.
+ * @bits: the size of the modulus
+ * @flags: unused for now. Must be 0.
+ *
+ * This function will generate a random private key. Note that this
+ * function must be called on an empty private key.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_privkey_generate (gnutls_x509_privkey_t key,
gnutls_pk_algorithm_t algo, unsigned int bits,
@@ -1396,26 +1405,25 @@ cleanup:
}
/**
- * gnutls_x509_privkey_get_key_id - Return unique ID of the key's parameters
- * @key: Holds the key
- * @flags: should be 0 for now
- * @output_data: will contain the key ID
- * @output_data_size: holds the size of output_data (and will be
- * replaced by the actual size of parameters)
- *
- * This function will return a unique ID the depends on the public key
- * parameters. This ID can be used in checking whether a certificate
- * corresponds to the given key.
- *
- * If the buffer provided is not long enough to hold the output, then
- * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
- * be returned. The output will normally be a SHA-1 hash output,
- * which is 20 bytes.
- *
- * Return value: In case of failure a negative value will be
- * returned, and 0 on success.
- *
- **/
+ * gnutls_x509_privkey_get_key_id - Return unique ID of the key's parameters
+ * @key: Holds the key
+ * @flags: should be 0 for now
+ * @output_data: will contain the key ID
+ * @output_data_size: holds the size of output_data (and will be
+ * replaced by the actual size of parameters)
+ *
+ * This function will return a unique ID the depends on the public key
+ * parameters. This ID can be used in checking whether a certificate
+ * corresponds to the given key.
+ *
+ * If the buffer provided is not long enough to hold the output, then
+ * *@output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
+ * be returned. The output will normally be a SHA-1 hash output,
+ * which is 20 bytes.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_privkey_get_key_id (gnutls_x509_privkey_t key,
unsigned int flags,
@@ -1486,28 +1494,27 @@ cleanup:
#ifdef ENABLE_PKI
/**
- * gnutls_x509_privkey_sign_data - This function will sign the given data using the private key params
- * @key: Holds the key
- * @digest: should be MD5 or SHA1
- * @flags: should be 0 for now
- * @data: holds the data to be signed
- * @signature: will contain the signature
- * @signature_size: holds the size of signature (and will be replaced
- * by the new size)
- *
- * This function will sign the given data using a signature algorithm
- * supported by the private key. Signature algorithms are always used
- * together with a hash functions. Different hash functions may be
- * used for the RSA algorithm, but only SHA-1 for the DSA keys.
- *
- * If the buffer provided is not long enough to hold the output, then
- * *signature_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
- * be returned.
- *
- * In case of failure a negative value will be returned, and
- * 0 on success.
- *
- **/
+ * gnutls_x509_privkey_sign_data - sign data using the private key
+ * @key: Holds the key
+ * @digest: should be MD5 or SHA1
+ * @flags: should be 0 for now
+ * @data: holds the data to be signed
+ * @signature: will contain the signature
+ * @signature_size: holds the size of signature (and will be replaced
+ * by the new size)
+ *
+ * This function will sign the given data using a signature algorithm
+ * supported by the private key. Signature algorithms are always used
+ * together with a hash functions. Different hash functions may be
+ * used for the RSA algorithm, but only SHA-1 for the DSA keys.
+ *
+ * If the buffer provided is not long enough to hold the output, then
+ * *@signature_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
+ * be returned.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_privkey_sign_data (gnutls_x509_privkey_t key,
gnutls_digest_algorithm_t digest,
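Review bot: The `@digest: should be MD5 or SHA1` line kept in gnutls_x509_privkey_sign_data presents both hashes as equally acceptable, but MD5 is not collision-resistant and the parameter comment is where callers choosing a signature hash look. Suggested: `* @digest: the hash algorithm to sign with; prefer SHA1, MD5 is kept for legacy compatibility only`. Whether the DSA path really restricts to SHA-1 as the description states cannot be checked here, the body is outside the hunk.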
@@ -1547,15 +1554,15 @@ gnutls_x509_privkey_sign_data (gnutls_x509_privkey_t key,
}
/**
- * gnutls_x509_privkey_sign_hash - This function will sign the given data using the private key params
+ * gnutls_x509_privkey_sign_hash - sign hash using the private key
* @key: Holds the key
* @hash: holds the data to be signed
* @signature: will contain newly allocated signature
*
* This function will sign the given hash using the private key.
*
- * Return value: In case of failure a negative value will be returned,
- * and 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_privkey_sign_hash (gnutls_x509_privkey_t key,
@@ -1582,18 +1589,17 @@ gnutls_x509_privkey_sign_hash (gnutls_x509_privkey_t key,
}
/**
- * gnutls_x509_privkey_verify_data - This function will verify the given signed data.
+ * gnutls_x509_privkey_verify_data - Verify the signed data using private key
* @key: Holds the key
* @flags: should be 0 for now
* @data: holds the data to be signed
* @signature: contains the signature
*
- * This function will verify the given signed data, using the parameters in the
- * private key.
- *
- * In case of a verification failure 0 is returned, and
- * 1 on success.
+ * This function will verify the given signed data, using the
+ * parameters in the private key.
*
+ * Returns: In case of a verification failure 0 is returned, and 1 on
+ * success.
**/
int
gnutls_x509_privkey_verify_data (gnutls_x509_privkey_t key,
@@ -1620,16 +1626,15 @@ gnutls_x509_privkey_verify_data (gnutls_x509_privkey_t key,
}
/**
- * gnutls_x509_privkey_fix - This function will recalculate some parameters of the key.
- * @key: Holds the key
- *
- * This function will recalculate the secondary parameters in a key.
- * In RSA keys, this can be the coefficient and exponent1,2.
- *
- * Return value: In case of failure a negative value will be
- * returned, and 0 on success.
- *
- **/
+ * gnutls_x509_privkey_fix - recalculate some parameters of the key.
+ * @key: Holds the key
+ *
+ * This function will recalculate the secondary parameters in a key.
+ * In RSA keys, this can be the coefficient and exponent1,2.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int
gnutls_x509_privkey_fix (gnutls_x509_privkey_t key)
{
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index c285601630..0026d1d728 100644
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -1045,7 +1045,8 @@ error:
* or "PRIVATE KEY". You only need to specify the flags if the key is DER encoded, since
* in that case the encryption status cannot be auto-detected.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c
index eeac3454f8..ca066cd737 100644
--- a/lib/x509/rfc2818_hostname.c
+++ b/lib/x509/rfc2818_hostname.c
@@ -28,18 +28,17 @@
#include <gnutls_errors.h>
/**
- * gnutls_x509_crt_check_hostname - This function compares the given hostname with the hostname in the certificate
- * @cert: should contain an gnutls_x509_crt_t structure
- * @hostname: A null terminated string that contains a DNS name
- *
- * This function will check if the given certificate's subject
- * matches the given hostname. This is a basic implementation of the
- * matching described in RFC2818 (HTTPS), which takes into account
- * wildcards, and the DNSName/IPAddress subject alternative name PKIX
- * extension.
- *
- * Returns non zero for a successful match, and zero on failure.
- **/
+ * gnutls_x509_crt_check_hostname - compares the hostname with certificate's hostname
+ * @cert: should contain an gnutls_x509_crt_t structure
+ * @hostname: A null terminated string that contains a DNS name
+ *
+ * This function will check if the given certificate's subject matches
+ * the given hostname. This is a basic implementation of the matching
+ * described in RFC2818 (HTTPS), which takes into account wildcards,
+ * and the DNSName/IPAddress subject alternative name PKIX extension.
+ *
+ * Returns: non zero for a successful match, and zero on failure.
+ **/
int
gnutls_x509_crt_check_hostname (gnutls_x509_crt_t cert, const char *hostname)
{
diff --git a/lib/x509/sign.c b/lib/x509/sign.c
index 67078b5468..79ebda0425 100644
--- a/lib/x509/sign.c
+++ b/lib/x509/sign.c
@@ -302,7 +302,8 @@ _gnutls_x509_sign_tbs (ASN1_TYPE cert, const char *tbs_name,
* This function will sign a CRL or a certificate with the issuer's private key, and
* will copy the issuer's information into the CRL or certificate.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
-*/
int
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 9fbe8eda3e..34ba499137 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -761,7 +761,8 @@ _gnutls_x509_privkey_verify_signature (const gnutls_datum_t * tbs,
*
* GNUTLS_CERT_REVOKED: a certificate in the chain has been revoked.
*
- * Returns 0 on success and a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.and a negative value in case of an error.
*
**/
int
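Review bot: The rewritten Returns: line in this hunk ends with "negative error value.and a negative value in case of an error.", a leftover of the old sentence glued onto the new one, so the return contract is stated twice in one garbled sentence. The same doubled text appears in the two following verify.c hunks (ending at lines 6378 and 6388) and in the gnutls_x509_crt_get_signature comment in x509.c (hunk ending at line 6558). Suggested for each: `* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a` / `* negative error value.`. The documented function's signature and body are outside this hunk.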
@@ -797,7 +798,8 @@ gnutls_x509_crt_list_verify (const gnutls_x509_crt_t * cert_list,
* This function will try to verify the given certificate and return its status.
* The verification output in this functions cannot be GNUTLS_CERT_NOT_VALID.
*
- * Returns 0 on success and a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.and a negative value in case of an error.
*
**/
int
@@ -856,7 +858,8 @@ gnutls_x509_crl_check_issuer (gnutls_x509_crl_t cert,
* See gnutls_x509_crt_list_verify() for a detailed description of
* return values.
*
- * Returns 0 on success and a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.and a negative value in case of an error.
*
**/
int
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index f911e0d657..e621cdef65 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -40,7 +40,8 @@
*
* This function will initialize an X.509 certificate structure.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -74,7 +75,8 @@ gnutls_x509_crt_init (gnutls_x509_crt_t * cert)
*
* This function will copy an X.509 certificate structure.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
-*/
int
@@ -154,7 +156,8 @@ gnutls_x509_crt_deinit (gnutls_x509_crt_t cert)
* If the Certificate is PEM encoded it should have a header of "X509 CERTIFICATE", or
* "CERTIFICATE".
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -233,7 +236,7 @@ cleanup:
/**
* gnutls_x509_crt_get_issuer_dn - This function returns the Certificate's issuer distinguished name
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @buf: a pointer to a structure to hold the name (may be null)
* @sizeof_buf: initially holds the size of @buf
*
@@ -244,7 +247,7 @@ cleanup:
*
* If @buf is null then only the size will be filled.
*
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
+ * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
* long enough, and in that case the *sizeof_buf will be updated with
* the required size. On success 0 is returned.
*
@@ -266,7 +269,7 @@ gnutls_x509_crt_get_issuer_dn (gnutls_x509_crt_t cert, char *buf,
/**
* gnutls_x509_crt_get_issuer_dn_by_oid - This function returns the Certificate's issuer distinguished name
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @oid: holds an Object Identified in null terminated string
* @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one.
* @raw_flag: If non zero returns the raw DER data of the DN part.
@@ -286,7 +289,7 @@ gnutls_x509_crt_get_issuer_dn (gnutls_x509_crt_t cert, char *buf,
*
* If @buf is null then only the size will be filled.
*
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
+ * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
* long enough, and in that case the *sizeof_buf will be updated with
* the required size. On success 0 is returned.
*
@@ -310,7 +313,7 @@ gnutls_x509_crt_get_issuer_dn_by_oid (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_issuer_dn_oid - This function returns the Certificate's issuer distinguished name OIDs
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @indx: This specifies which OID to return. Use zero to get the first one.
* @oid: a pointer to a buffer to hold the OID (may be null)
* @sizeof_oid: initially holds the size of @oid
@@ -320,7 +323,7 @@ gnutls_x509_crt_get_issuer_dn_by_oid (gnutls_x509_crt_t cert,
*
* If @oid is null then only the size will be filled.
*
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
+ * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
* long enough, and in that case the *sizeof_oid will be updated with
* the required size. On success 0 is returned.
*
@@ -342,7 +345,7 @@ gnutls_x509_crt_get_issuer_dn_oid (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_dn - This function returns the Certificate's distinguished name
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @buf: a pointer to a structure to hold the name (may be null)
* @sizeof_buf: initially holds the size of @buf
*
@@ -353,7 +356,7 @@ gnutls_x509_crt_get_issuer_dn_oid (gnutls_x509_crt_t cert,
*
* If @buf is null then only the size will be filled.
*
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
+ * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
* long enough, and in that case the *sizeof_buf will be updated with
* the required size. On success 0 is returned.
*
@@ -375,7 +378,7 @@ gnutls_x509_crt_get_dn (gnutls_x509_crt_t cert, char *buf,
/**
* gnutls_x509_crt_get_dn_by_oid - This function returns the Certificate's distinguished name
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @oid: holds an Object Identified in null terminated string
* @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one.
* @raw_flag: If non zero returns the raw DER data of the DN part.
@@ -395,7 +398,7 @@ gnutls_x509_crt_get_dn (gnutls_x509_crt_t cert, char *buf,
*
* If @buf is null then only the size will be filled.
*
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
+ * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
* long enough, and in that case the *sizeof_buf will be updated with
* the required size. On success 0 is returned.
*
@@ -418,7 +421,7 @@ gnutls_x509_crt_get_dn_by_oid (gnutls_x509_crt_t cert, const char *oid,
/**
* gnutls_x509_crt_get_dn_oid - This function returns the Certificate's subject distinguished name OIDs
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @indx: This specifies which OID to return. Use zero to get the first one.
* @oid: a pointer to a buffer to hold the OID (may be null)
* @sizeof_oid: initially holds the size of @oid
@@ -428,7 +431,7 @@ gnutls_x509_crt_get_dn_by_oid (gnutls_x509_crt_t cert, const char *oid,
*
* If oid is null then only the size will be filled.
*
- * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
+ * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
* long enough, and in that case the *sizeof_oid will be updated with
* the required size. On success 0 is returned.
*
@@ -450,13 +453,13 @@ gnutls_x509_crt_get_dn_oid (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_signature_algorithm - This function returns the Certificate's signature algorithm
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
*
- * This function will return a value of the gnutls_sign_algorithm_t enumeration that
- * is the signature algorithm.
- *
- * Returns a negative value on error.
+ * This function will return a value of the #gnutls_sign_algorithm_t
+ * enumeration that is the signature algorithm.
*
+ * Returns: a #gnutls_sign_algorithm_t value, or a negative value on
+ * error.
**/
int
gnutls_x509_crt_get_signature_algorithm (gnutls_x509_crt_t cert)
@@ -492,13 +495,14 @@ gnutls_x509_crt_get_signature_algorithm (gnutls_x509_crt_t cert)
/**
* gnutls_x509_crt_get_signature - Returns the Certificate's signature
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @sig: a pointer where the signature part will be copied (may be null).
* @sizeof_sig: initially holds the size of @sig
*
* This function will extract the signature field of a certificate.
*
- * Returns 0 on success, and a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value. and a negative value on error.
**/
int
gnutls_x509_crt_get_signature (gnutls_x509_crt_t cert,
@@ -546,14 +550,13 @@ gnutls_x509_crt_get_signature (gnutls_x509_crt_t cert,
}
/**
- * gnutls_x509_crt_get_version - This function returns the Certificate's version number
- * @cert: should contain a gnutls_x509_crt_t structure
- *
- * This function will return the version of the specified Certificate.
- *
- * Returns a negative value on error.
- *
- **/
+ * gnutls_x509_crt_get_version - return the Certificate's version number
+ * @cert: should contain a #gnutls_x509_crt_t structure
+ *
+ * This function will return the version of the specified Certificate.
+ *
+ * Returns: version of certificate, or a negative value on error.
+ **/
int
gnutls_x509_crt_get_version (gnutls_x509_crt_t cert)
{
@@ -582,12 +585,13 @@ gnutls_x509_crt_get_version (gnutls_x509_crt_t cert)
}
/**
- * gnutls_x509_crt_get_activation_time - This function returns the Certificate's activation time
- * @cert: should contain a gnutls_x509_crt_t structure
+ * gnutls_x509_crt_get_activation_time - returns the Certificate's activation time
+ * @cert: should contain a #gnutls_x509_crt_t structure
*
- * This function will return the time this Certificate was or will be activated.
+ * This function will return the time this Certificate was or will be
+ * activated.
*
- * Returns (time_t)-1 on error.
+ * Returns: activation time, or (time_t)-1 on error.
*
**/
time_t
@@ -604,14 +608,15 @@ gnutls_x509_crt_get_activation_time (gnutls_x509_crt_t cert)
}
/**
- * gnutls_x509_crt_get_expiration_time - This function returns the Certificate's expiration time
- * @cert: should contain a gnutls_x509_crt_t structure
- *
- * This function will return the time this Certificate was or will be expired.
- *
- * Returns (time_t)-1 on error.
- *
- **/
+ * gnutls_x509_crt_get_expiration_time - returns the Certificate's expiration time
+ * @cert: should contain a #gnutls_x509_crt_t structure
+ *
+ * This function will return the time this Certificate was or will be
+ * expired.
+ *
+ * Returns: expiration time, or (time_t)-1 on error.
+ *
+ **/
time_t
gnutls_x509_crt_get_expiration_time (gnutls_x509_crt_t cert)
{
@@ -627,7 +632,7 @@ gnutls_x509_crt_get_expiration_time (gnutls_x509_crt_t cert)
/**
* gnutls_x509_crt_get_serial - This function returns the certificate's serial number
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @result: The place where the serial number will be copied
* @result_size: Holds the size of the result field.
*
@@ -637,7 +642,8 @@ gnutls_x509_crt_get_expiration_time (gnutls_x509_crt_t cert)
* large serial numbers, thus it may be wise to handle it as something
* opaque.
*
- * Returns 0 on success and a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.and a negative value in case of an error.
*
**/
int
@@ -668,7 +674,7 @@ gnutls_x509_crt_get_serial (gnutls_x509_crt_t cert, void *result,
/**
* gnutls_x509_crt_get_subject_key_id - This function returns the certificate's key identifier
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @ret: The place where the identifier will be copied
* @ret_size: Holds the size of the result field.
* @critical: will be non zero if the extension is marked as critical (may be null)
@@ -677,7 +683,8 @@ gnutls_x509_crt_get_serial (gnutls_x509_crt_t cert, void *result,
* This is obtained by the X.509 Subject Key identifier extension
* field (2.5.29.14).
*
- * Returns 0 on success and a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.and a negative value in case of an error.
*
**/
int
@@ -754,7 +761,7 @@ gnutls_x509_crt_get_subject_key_id (gnutls_x509_crt_t cert, void *ret,
/**
* gnutls_x509_crt_get_authority_key_id - This function returns the certificate authority's identifier
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @result: The place where the identifier will be copied
* @result_size: Holds the size of the result field.
* @critical: will be non zero if the extension is marked as critical (may be null)
@@ -764,7 +771,8 @@ gnutls_x509_crt_get_subject_key_id (gnutls_x509_crt_t cert, void *ret,
* field (2.5.29.35). Note that this function only returns the keyIdentifier
* field of the extension.
*
- * Returns 0 on success and a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.and a negative value in case of an error.
*
**/
int
@@ -841,8 +849,8 @@ gnutls_x509_crt_get_authority_key_id (gnutls_x509_crt_t cert, void *ret,
}
/**
- * gnutls_x509_crt_get_pk_algorithm - This function returns the certificate's PublicKey algorithm
- * @cert: should contain a gnutls_x509_crt_t structure
+ * gnutls_x509_crt_get_pk_algorithm - return the certificate's PublicKey algorithm
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @bits: if bits is non null it will hold the size of the parameters' in bits
*
* This function will return the public key algorithm of an X.509
@@ -853,9 +861,8 @@ gnutls_x509_crt_get_authority_key_id (gnutls_x509_crt_t cert, void *ret,
* For DSA the bits returned are of the public
* exponent.
*
- * Returns a member of the gnutls_pk_algorithm_t enumeration on success,
- * or a negative value on error.
- *
+ * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
+ * success, or a negative value on error.
**/
int
gnutls_x509_crt_get_pk_algorithm (gnutls_x509_crt_t cert, unsigned int *bits)
@@ -1139,7 +1146,7 @@ get_subject_alt_name (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_subject_alt_name - Get certificate's alternative name, if any
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
* @ret: is the place where the alternative name will be copied to
* @ret_size: holds the size of ret.
@@ -1162,14 +1169,13 @@ get_subject_alt_name (gnutls_x509_crt_t cert,
* it yourself. Currently, only the RFC 3920 id-on-xmppAddr SAN is
* recognized.
*
- * Returns the alternative subject name type on success. The type is
- * one of the enumerated gnutls_x509_subject_alt_name_t. It will
- * return %GNUTLS_E_SHORT_MEMORY_BUFFER if @ret_size is not large
- * enough to hold the value. In that case @ret_size will be updated
- * with the required size. If the certificate does not have an
- * Alternative name with the specified sequence number then
+ * Returns: the alternative subject name type on success, one of the
+ * enumerated #gnutls_x509_subject_alt_name_t. It will return
+ * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ret_size is not large enough to
+ * hold the value. In that case @ret_size will be updated with the
+ * required size. If the certificate does not have an Alternative
+ * name with the specified sequence number then
* %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
- *
**/
int
gnutls_x509_crt_get_subject_alt_name (gnutls_x509_crt_t cert,
@@ -1182,7 +1188,7 @@ gnutls_x509_crt_get_subject_alt_name (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_subject_alt_name2 - Get certificate's alternative name, if any
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
* @ret: is the place where the alternative name will be copied to
* @ret_size: holds the size of ret.
@@ -1210,7 +1216,7 @@ gnutls_x509_crt_get_subject_alt_name2 (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_subject_alt_othername_oid - Get SAN otherName OID
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
* @ret: is the place where the otherName OID will be copied to
* @ret_size: holds the size of ret.
@@ -1223,16 +1229,16 @@ gnutls_x509_crt_get_subject_alt_name2 (gnutls_x509_crt_t cert,
* gnutls_x509_crt_get_subject_alt_name() returned
* %GNUTLS_SAN_OTHERNAME.
*
- * Returns the alternative subject name type on success. The type is
- * one of the enumerated gnutls_x509_subject_alt_name_t. For
- * supported OIDs, it will return one of the virtual
- * (GNUTLS_SAN_OTHERNAME_*) types, e.g. %GNUTLS_SAN_OTHERNAME_XMPP,
- * and %GNUTLS_SAN_OTHERNAME for unknown OIDs. It will return
- * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ret_size is not large enough to
- * hold the value. In that case @ret_size will be updated with the
- * required size. If the certificate does not have an Alternative
- * name with the specified sequence number and with the otherName type
- * then %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
+ * Returns: the alternative subject name type on success, one of the
+ * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
+ * will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
+ * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
+ * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
+ * @ret_size is not large enough to hold the value. In that case
+ * @ret_size will be updated with the required size. If the
+ * certificate does not have an Alternative name with the specified
+ * sequence number and with the otherName type then
+ * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
**/
int
gnutls_x509_crt_get_subject_alt_othername_oid (gnutls_x509_crt_t cert,
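Review bot: The rewritten Returns: paragraph writes `enumerated gnutls_x509_subject_alt_name_t` without the `#` type marker, while the parallel paragraph this commit writes for gnutls_x509_crt_get_subject_alt_name uses `#gnutls_x509_subject_alt_name_t`, so gtk-doc will cross-link one and not the other. Suggest `* enumerated #gnutls_x509_subject_alt_name_t. For supported OIDs, it`. The function body begins outside this hunk.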
@@ -1245,7 +1251,7 @@ gnutls_x509_crt_get_subject_alt_othername_oid (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_basic_constraints - This function returns the certificate basic constraints
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @critical: will be non zero if the extension is marked as critical
* @ca: pointer to output integer indicating CA status, may be NULL,
* value is 1 if the certificate CA flag is set, 0 otherwise.
@@ -1312,7 +1318,7 @@ gnutls_x509_crt_get_basic_constraints (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_ca_status - This function returns the certificate CA status
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @critical: will be non zero if the extension is marked as critical
*
* This function will return certificates CA status, by reading the
@@ -1337,7 +1343,7 @@ gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert, unsigned int *critical)
/**
* gnutls_x509_crt_get_key_usage - return the certificate's key usage
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @key_usage: where the key usage bits will be stored
* @critical: will be non zero if the extension is marked as critical
*
@@ -1399,7 +1405,7 @@ gnutls_x509_crt_get_key_usage (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_proxy - This function returns the proxy certificate info
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @critical: will be non zero if the extension is marked as critical
* @pathlen: pointer to output integer indicating path length (may be
* NULL), non-negative values indicate a present pCPathLenConstraint
@@ -1463,7 +1469,7 @@ gnutls_x509_crt_get_proxy (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_extension_by_oid - This function returns the specified extension
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @oid: holds an Object Identified in null terminated string
* @indx: In case multiple same OIDs exist in the extensions, this specifies which to send. Use zero to get the first one.
* @buf: a pointer to a structure to hold the name (may be null)
@@ -1528,7 +1534,7 @@ gnutls_x509_crt_get_extension_by_oid (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_extension_oid - This function returns the specified extension OID
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @indx: Specifies which extension OID to send. Use zero to get the first one.
* @oid: a pointer to a structure to hold the OID (may be null)
* @sizeof_oid: initially holds the size of @oid
@@ -1565,10 +1571,11 @@ gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t cert, int indx,
/**
* gnutls_x509_crt_get_extension_info - Get extension id and criticality
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @indx: Specifies which extension OID to send. Use zero to get the first one.
* @oid: a pointer to a structure to hold the OID
- * @sizeof_oid: initially holds the size of @oid
+ * @sizeof_oid: initially holds the maximum size of @oid, on return
+ * holds actual size of @oid.
* @critical: output variable with critical flag, may be NULL.
*
* This function will return the requested extension OID in the
@@ -1576,6 +1583,10 @@ gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t cert, int indx,
* be stored as a string in the provided buffer. Use
* gnutls_x509_crt_get_extension_data() to extract the data.
*
+ * If the buffer provided is not long enough to hold the output, then
+ * *@sizeof_oid is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
+ * returned.
+ *
* Return 0 on success. A negative value may be returned in case of
* parsing error. If you have reached the last extension available
* GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
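Review bot: The added paragraph on %GNUTLS_E_SHORT_MEMORY_BUFFER sits above the existing `Return 0 on success.` paragraph, which this hunk leaves in the untagged form even though the commit converts the neighbouring functions to the gtk-doc `Returns:` tag; as written the short-buffer case is outside the return-value section and the tag is absent for this function. Consider merging the two into one tagged paragraph, e.g. `* Returns: 0 on success, %GNUTLS_E_SHORT_MEMORY_BUFFER if @sizeof_oid is too small` followed by the existing parse-error and %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE sentences. The enclosing comment and function continue outside this hunk.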
@@ -1636,7 +1647,7 @@ gnutls_x509_crt_get_extension_info (gnutls_x509_crt_t cert, int indx,
/**
* gnutls_x509_crt_get_extension_data - Get the specified extension data
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @indx: Specifies which extension OID to send. Use zero to get the first one.
* @data: a pointer to a structure to hold the data (may be null)
* @sizeof_data: initially holds the size of @oid
@@ -1746,13 +1757,14 @@ cleanup:
/**
* gnutls_x509_crt_get_raw_issuer_dn - This function returns the issuer's DN DER encoded
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @start: will hold the starting point of the DN
*
* This function will return a pointer to the DER encoded DN structure
* and the length.
*
- * Returns 0 on success or a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.or a negative value on error.
*
**/
int
@@ -1764,13 +1776,14 @@ gnutls_x509_crt_get_raw_issuer_dn (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_raw_dn - This function returns the subject's DN DER encoded
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @start: will hold the starting point of the DN
*
* This function will return a pointer to the DER encoded DN structure and
* the length.
*
- * Returns 0 on success, or a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value. or a negative value on error.
*
**/
int
@@ -1790,7 +1803,7 @@ get_dn (gnutls_x509_crt_t cert, const char *whom, gnutls_x509_dn_t *dn)
/**
* gnutls_x509_crt_get_subject: get opaque subject DN pointer
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @dn: output variable with pointer to opaque DN.
*
* Return the Certificate's Subject DN as an opaque data type. You
@@ -1811,7 +1824,7 @@ gnutls_x509_crt_get_subject (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_issuer: get opaque issuer DN pointer
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @dn: output variable with pointer to opaque DN
*
* Return the Certificate's Issuer DN as an opaque data type. You may
@@ -1930,7 +1943,7 @@ gnutls_x509_dn_get_rdn_ava (gnutls_x509_dn_t dn,
/**
* gnutls_x509_crt_get_fingerprint - This function returns the Certificate's fingerprint
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @algo: is a digest algorithm
* @buf: a pointer to a structure to hold the fingerprint (may be null)
* @sizeof_buf: initially holds the size of @buf
@@ -2186,7 +2199,7 @@ gnutls_x509_crt_get_key_id (gnutls_x509_crt_t crt, unsigned int flags,
/**
* gnutls_x509_crt_check_revocation - This function checks if the given certificate is revoked
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @crl_list: should contain a list of gnutls_x509_crl_t structures
* @crl_list_length: the length of the crl_list
*
@@ -2329,7 +2342,7 @@ gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, unsigned int flags,
/**
* gnutls_x509_crt_get_crl_dist_points - This function returns the CRL distribution points
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @seq: specifies the sequence number of the distribution point (0 for the first one, 1 for the second etc.)
* @ret: is the place where the distribution point will be copied to
* @ret_size: holds the size of ret.
@@ -2353,7 +2366,7 @@ gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, unsigned int flags,
* return the distribution point type, or a negative error code on
* error.
*
- * Returns %GNUTLS_E_SHORT_MEMORY_BUFFER and updates &@ret_size if
+ * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER and updates &@ret_size if
* &@ret_size is not enough to hold the distribution point, or the
* type of the distribution point if everything was ok. The type is
* one of the enumerated %gnutls_x509_subject_alt_name_t. If the
@@ -2464,7 +2477,7 @@ gnutls_x509_crt_get_crl_dist_points (gnutls_x509_crt_t cert,
/**
* gnutls_x509_crt_get_key_purpose_oid - This function returns the Certificate's key purpose OIDs
- * @cert: should contain a gnutls_x509_crt_t structure
+ * @cert: should contain a #gnutls_x509_crt_t structure
* @indx: This specifies which OID to return. Use zero to get the first one.
* @oid: a pointer to a buffer to hold the OID (may be null)
* @sizeof_oid: initially holds the size of @oid
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index dda29d5987..e7381ae5ac 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -58,7 +58,8 @@ static void disable_optional_stuff (gnutls_x509_crt_t cert);
* not known (by gnutls) you should properly DER encode your data,
* and call this function with @raw_flag set.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_dn_by_oid (gnutls_x509_crt_t crt, const char *oid,
@@ -96,7 +97,8 @@ gnutls_x509_crt_set_dn_by_oid (gnutls_x509_crt_t crt, const char *oid,
* operation will copy the signer's name as the issuer of the
* certificate.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_issuer_dn_by_oid (gnutls_x509_crt_t crt,
@@ -128,7 +130,8 @@ gnutls_x509_crt_set_issuer_dn_by_oid (gnutls_x509_crt_t crt,
* certificate naming style. Note that if @name is %NULL, you MUST
* set it later by using gnutls_x509_crt_set_dn_by_oid() or similar.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_proxy_dn (gnutls_x509_crt_t crt,gnutls_x509_crt_t eecrt,
@@ -174,7 +177,8 @@ gnutls_x509_crt_set_proxy_dn (gnutls_x509_crt_t crt,gnutls_x509_crt_t eecrt,
* functions such as gnutls_x509_crt_set_subject_alternative_name()
* or gnutls_x509_crt_set_key_usage().
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_version (gnutls_x509_crt_t crt, unsigned int version)
@@ -210,7 +214,8 @@ gnutls_x509_crt_set_version (gnutls_x509_crt_t crt, unsigned int version)
* private key to the certificate. Only RSA keys are currently
* supported.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
*
**/
int
@@ -248,7 +253,8 @@ gnutls_x509_crt_set_key (gnutls_x509_crt_t crt, gnutls_x509_privkey_t key)
* given certificate request to the certificate. Only RSA keys are
* currently supported.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt, gnutls_x509_crq_t crq)
@@ -296,7 +302,8 @@ gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt, gnutls_x509_crq_t crq)
* the certificate. The extension data should be binary data DER
* encoded.
*
- * Returns 0 on success and a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.and a negative value in case of an error.
**/
int
gnutls_x509_crt_set_extension_by_oid (gnutls_x509_crt_t crt,
@@ -339,7 +346,8 @@ gnutls_x509_crt_set_extension_by_oid (gnutls_x509_crt_t crt,
*
* This function will set the basicConstraints certificate extension.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_basic_constraints (gnutls_x509_crt_t crt,
@@ -389,7 +397,8 @@ gnutls_x509_crt_set_basic_constraints (gnutls_x509_crt_t crt,
* Use gnutls_x509_crt_set_basic_constraints() if you want to control
* the pathLenConstraint field too.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_ca_status (gnutls_x509_crt_t crt, unsigned int ca)
@@ -404,7 +413,8 @@ gnutls_x509_crt_set_ca_status (gnutls_x509_crt_t crt, unsigned int ca)
*
* This function will set the keyUsage certificate extension.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt, unsigned int usage)
@@ -451,7 +461,8 @@ gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt, unsigned int usage)
* This function will set the subject alternative name certificate
* extension.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_subject_alternative_name (gnutls_x509_crt_t crt,
@@ -519,7 +530,8 @@ gnutls_x509_crt_set_subject_alternative_name (gnutls_x509_crt_t crt,
*
* This function will set the proxyCertInfo extension.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_proxy (gnutls_x509_crt_t crt,
@@ -579,7 +591,8 @@ gnutls_x509_crt_set_proxy (gnutls_x509_crt_t crt,
* This must be the last step in a certificate generation since all
* the previously set parameters are now signed.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_sign2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
@@ -618,7 +631,8 @@ gnutls_x509_crt_sign2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
* This function is the same a gnutls_x509_crt_sign2() with no flags,
* and SHA1 as the hash algorithm.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
@@ -635,7 +649,8 @@ gnutls_x509_crt_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
* This function will set the time this Certificate was or will be
* activated.
*
- * Returns 0 on success, or a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_activation_time (gnutls_x509_crt_t cert, time_t act_time)
@@ -658,7 +673,8 @@ gnutls_x509_crt_set_activation_time (gnutls_x509_crt_t cert, time_t act_time)
*
* This function will set the time this Certificate will expire.
*
- * Returns 0 on success, or a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_expiration_time (gnutls_x509_crt_t cert, time_t exp_time)
@@ -683,7 +699,8 @@ gnutls_x509_crt_set_expiration_time (gnutls_x509_crt_t cert, time_t exp_time)
* serial numbers, thus it may be wise to handle it as something
* opaque.
*
- * Returns 0 on success, or a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_serial (gnutls_x509_crt_t cert, const void *serial,
@@ -739,7 +756,8 @@ disable_optional_stuff (gnutls_x509_crt_t cert)
*
* This function will set the CRL distribution points certificate extension.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_crl_dist_points (gnutls_x509_crt_t crt,
@@ -806,7 +824,8 @@ gnutls_x509_crt_set_crl_dist_points (gnutls_x509_crt_t crt,
* extension, from the source to the destination certificate.
* This may be useful to copy from a CA certificate to issued ones.
*
- * Returns 0 on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_cpy_crl_dist_points (gnutls_x509_crt_t dst,
@@ -857,7 +876,8 @@ gnutls_x509_crt_cpy_crl_dist_points (gnutls_x509_crt_t dst,
* This function will set the X.509 certificate's subject key ID
* extension.
*
- * Returns 0 on success, or a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_subject_key_id (gnutls_x509_crt_t cert,
@@ -919,7 +939,8 @@ gnutls_x509_crt_set_subject_key_id (gnutls_x509_crt_t cert,
* This function will set the X.509 certificate's authority key ID extension.
* Only the keyIdentifier field can be set with this function.
*
- * Returns 0 on success, or a negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
**/
int
gnutls_x509_crt_set_authority_key_id (gnutls_x509_crt_t cert,
diff --git a/libextra/gnutls_openssl.c b/libextra/gnutls_openssl.c
index b667566ea3..7618cbbc3f 100644
--- a/libextra/gnutls_openssl.c
+++ b/libextra/gnutls_openssl.c
@@ -964,6 +964,13 @@ RAND_bytes (unsigned char *buf, int num)
return 1;
}
+int
+RAND_pseudo_bytes (unsigned char *buf, int num)
+{
+ gc_pseudo_random (buf, num);
+ return 1;
+}
+
const char *
RAND_file_name (char *buf, size_t len)
{
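Review bot: RAND_pseudo_bytes discards whatever gc_pseudo_random reports and returns 1 unconditionally, so a failure of the random source is presented to the caller as success and the buffer may be consumed as key or IV material without having been filled; in OpenSSL's contract 1 means the bytes are cryptographically strong, 0 that they are not, and -1 that the call is unsupported, and callers branch on that. If the gc layer here is gnulib's, the call returns a Gc_rc and `return gc_pseudo_random (buf, num) == GC_OK ? 1 : 0;` would propagate failure. `num` is a signed int that is converted to size_t at the call, so a negative value turns into a huge length; a guard such as `if (num < 0) return 0;` before the call closes that. The context line `return 1;` from RAND_bytes shows the same unconditional success, but that function is not part of this change.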
diff --git a/libextra/libgnutls-extra.vers b/libextra/libgnutls-extra.vers
index 3a3cd1cb9c..d8972ce407 100644
--- a/libextra/libgnutls-extra.vers
+++ b/libextra/libgnutls-extra.vers
@@ -1,5 +1,5 @@
-# libgnutls-extra.vers -- Versioning script to control what symbols to export.
-# Copyright (C) 2005, 2007 Free Software Foundation
+# libgnutls-extra.vers -- linker script for libgnutls-extra. -*- ld-script -*-
+# Copyright (C) 2005, 2007, 2008 Free Software Foundation
#
# Author: Simon Josefsson
#
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index bdb61b9a83..ca3431508c 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2006, 2007, 2008 Free Software Foundation
*
* This file is part of GNUTLS.
*
@@ -308,6 +308,36 @@ get_pass (void)
}
const char *
+get_confirmed_pass (bool empty_ok)
+{
+ if (batch)
+ return cfg.password;
+ else
+ {
+ const char *pass = NULL;
+ char *copy = NULL;
+
+ do
+ {
+ if (pass)
+ printf ("Password missmatch, try again.\n");
+
+ if (copy)
+ free (copy);
+
+ pass = getpass ("Enter password: ");
+ copy = strdup (pass);
+ pass = getpass ("Confirm password: ");
+ }
+ while (strcmp (pass, copy) != 0 && !(empty_ok && *pass == '\0'));
+
+ free (copy);
+
+ return pass;
+ }
+}
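Review bot: getpass() may return NULL (on a read error or when no terminal is available) and strdup() may return NULL, but get_confirmed_pass hands both straight to strdup()/strcmp(), so either failure dereferences NULL while a password is being collected. The strdup'd copy of the first entry is free()d on every retry and at the end without being wiped, leaving a password in released heap memory; a credential buffer deserves a wipe the compiler cannot elide, a plain memset being the minimum shown below. The user-facing string `Password missmatch, try again.` misspells "mismatch". The exit condition `!(empty_ok && *pass == '\0')` accepts an empty confirmation even when the first entry was not empty, so a mismatch is silently taken as "no password"; if that is intended, a comment saying so would help. The rewrite below returns NULL on a read failure, which callers outside this hunk would need to handle in the same way they handle get_pass().
```c
      do
        {
          if (pass)
            printf ("Password mismatch, try again.\n");

          if (copy)
            {
              memset (copy, 0, strlen (copy));   /* TODO: use a non-elidable wipe */
              free (copy);
            }

          pass = getpass ("Enter password: ");
          if (pass == NULL || (copy = strdup (pass)) == NULL)
            return NULL;

          pass = getpass ("Confirm password: ");
          if (pass == NULL)
            break;                               /* falls through to cleanup, returns NULL */
        }
      while (strcmp (pass, copy) != 0 && !(empty_ok && *pass == '\0'));

      memset (copy, 0, strlen (copy));           /* TODO: use a non-elidable wipe */
      free (copy);

      return pass;
```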
+
+const char *
get_challenge_pass (void)
{
if (batch)
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index 81c48e9fbf..af6576e3c4 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -1,3 +1,4 @@
+#include <stdbool.h>
#include <gnutls/x509.h>
extern char *organization, *unit, *locality, *state;
@@ -21,6 +22,7 @@ const char *read_str (const char *input_str);
int read_yesno (const char *input_str);
const char *get_pass (void);
+const char *get_confirmed_pass (bool empty_ok);
const char *get_challenge_pass (void);
const char *get_crl_dist_point_url (void);
void get_country_crt_set (gnutls_x509_crt_t crt);
diff --git a/src/certtool-gaa.c b/src/certtool-gaa.c
index a04176a0a3..bc0cdf0f34 100644
--- a/src/certtool-gaa.c
+++ b/src/certtool-gaa.c
@@ -189,48 +189,50 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 120 "certtool.gaa"
+#line 123 "certtool.gaa"
int debug;
-#line 116 "certtool.gaa"
+#line 119 "certtool.gaa"
char *template;
-#line 113 "certtool.gaa"
+#line 116 "certtool.gaa"
char *infile;
-#line 110 "certtool.gaa"
+#line 113 "certtool.gaa"
char *outfile;
-#line 107 "certtool.gaa"
+#line 110 "certtool.gaa"
int quick_random;
-#line 104 "certtool.gaa"
+#line 107 "certtool.gaa"
int bits;
-#line 100 "certtool.gaa"
+#line 103 "certtool.gaa"
int outcert_format;
-#line 96 "certtool.gaa"
+#line 99 "certtool.gaa"
int incert_format;
-#line 93 "certtool.gaa"
+#line 96 "certtool.gaa"
int export;
-#line 90 "certtool.gaa"
+#line 93 "certtool.gaa"
char *hash;
-#line 87 "certtool.gaa"
+#line 90 "certtool.gaa"
int dsa;
-#line 84 "certtool.gaa"
+#line 87 "certtool.gaa"
int pkcs8;
-#line 77 "certtool.gaa"
+#line 80 "certtool.gaa"
int v1_cert;
-#line 74 "certtool.gaa"
+#line 77 "certtool.gaa"
int fix_key;
-#line 53 "certtool.gaa"
+#line 54 "certtool.gaa"
char *pass;
-#line 50 "certtool.gaa"
+#line 51 "certtool.gaa"
char *ca;
-#line 47 "certtool.gaa"
+#line 48 "certtool.gaa"
char *ca_privkey;
-#line 44 "certtool.gaa"
+#line 45 "certtool.gaa"
char *cert;
-#line 41 "certtool.gaa"
+#line 42 "certtool.gaa"
char *request;
-#line 38 "certtool.gaa"
+#line 39 "certtool.gaa"
char *privkey;
-#line 16 "certtool.gaa"
+#line 17 "certtool.gaa"
int action;
+#line 16 "certtool.gaa"
+ int privkey_op;
#line 114 "gaa.skel"
};
@@ -763,14 +765,14 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
{
case GAAOPTID_version:
OK = 0;
-#line 125 "certtool.gaa"
+#line 128 "certtool.gaa"
{ certtool_version(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_help:
OK = 0;
-#line 123 "certtool.gaa"
+#line 126 "certtool.gaa"
{ gaa_help(); exit(0); ;};
return GAA_OK;
@@ -780,7 +782,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1);
gaa_index++;
-#line 121 "certtool.gaa"
+#line 124 "certtool.gaa"
{ gaaval->debug = GAATMP_debug.arg1 ;};
return GAA_OK;
@@ -790,7 +792,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_template.arg1, gaa_getstr, GAATMP_template.size1);
gaa_index++;
-#line 117 "certtool.gaa"
+#line 120 "certtool.gaa"
{ gaaval->template = GAATMP_template.arg1 ;};
return GAA_OK;
@@ -800,7 +802,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_infile.arg1, gaa_getstr, GAATMP_infile.size1);
gaa_index++;
-#line 114 "certtool.gaa"
+#line 117 "certtool.gaa"
{ gaaval->infile = GAATMP_infile.arg1 ;};
return GAA_OK;
@@ -810,14 +812,14 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_outfile.arg1, gaa_getstr, GAATMP_outfile.size1);
gaa_index++;
-#line 111 "certtool.gaa"
+#line 114 "certtool.gaa"
{ gaaval->outfile = GAATMP_outfile.arg1 ;};
return GAA_OK;
break;
case GAAOPTID_disable_quick_random:
OK = 0;
-#line 108 "certtool.gaa"
+#line 111 "certtool.gaa"
{ gaaval->quick_random = 0; ;};
return GAA_OK;
@@ -827,42 +829,42 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_bits.arg1, gaa_getint, GAATMP_bits.size1);
gaa_index++;
-#line 105 "certtool.gaa"
+#line 108 "certtool.gaa"
{ gaaval->bits = GAATMP_bits.arg1 ;};
return GAA_OK;
break;
case GAAOPTID_outraw:
OK = 0;
-#line 102 "certtool.gaa"
+#line 105 "certtool.gaa"
{ gaaval->outcert_format=1 ;};
return GAA_OK;
break;
case GAAOPTID_outder:
OK = 0;
-#line 101 "certtool.gaa"
+#line 104 "certtool.gaa"
{ gaaval->outcert_format=1 ;};
return GAA_OK;
break;
case GAAOPTID_inraw:
OK = 0;
-#line 98 "certtool.gaa"
+#line 101 "certtool.gaa"
{ gaaval->incert_format=1 ;};
return GAA_OK;
break;
case GAAOPTID_inder:
OK = 0;
-#line 97 "certtool.gaa"
+#line 100 "certtool.gaa"
{ gaaval->incert_format=1 ;};
return GAA_OK;
break;
case GAAOPTID_export_ciphers:
OK = 0;
-#line 94 "certtool.gaa"
+#line 97 "certtool.gaa"
{ gaaval->export=1 ;};
return GAA_OK;
@@ -872,112 +874,112 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_hash.arg1, gaa_getstr, GAATMP_hash.size1);
gaa_index++;
-#line 91 "certtool.gaa"
+#line 94 "certtool.gaa"
{ gaaval->hash = GAATMP_hash.arg1 ;};
return GAA_OK;
break;
case GAAOPTID_dsa:
OK = 0;
-#line 88 "certtool.gaa"
+#line 91 "certtool.gaa"
{ gaaval->dsa=1 ;};
return GAA_OK;
break;
case GAAOPTID_pkcs8:
OK = 0;
-#line 85 "certtool.gaa"
+#line 88 "certtool.gaa"
{ gaaval->pkcs8=1 ;};
return GAA_OK;
break;
case GAAOPTID_to_p8:
OK = 0;
-#line 82 "certtool.gaa"
+#line 85 "certtool.gaa"
{ gaaval->action = 18; ;};
return GAA_OK;
break;
case GAAOPTID_to_p12:
OK = 0;
-#line 80 "certtool.gaa"
+#line 83 "certtool.gaa"
{ gaaval->action = 8; ;};
return GAA_OK;
break;
case GAAOPTID_v1:
OK = 0;
-#line 78 "certtool.gaa"
+#line 81 "certtool.gaa"
{ gaaval->v1_cert = 1; ;};
return GAA_OK;
break;
case GAAOPTID_fix_key:
OK = 0;
-#line 75 "certtool.gaa"
-{ gaaval->fix_key = 1; ;};
+#line 78 "certtool.gaa"
+{ gaaval->privkey_op=1; gaaval->fix_key = 1; ;};
return GAA_OK;
break;
case GAAOPTID_pgp_key_info:
OK = 0;
-#line 72 "certtool.gaa"
-{ gaaval->action = 20; ;};
+#line 75 "certtool.gaa"
+{ gaaval->privkey_op=1; gaaval->action = 20; ;};
return GAA_OK;
break;
case GAAOPTID_key_info:
OK = 0;
-#line 70 "certtool.gaa"
-{ gaaval->action = 6; ;};
+#line 73 "certtool.gaa"
+{ gaaval->privkey_op=1; gaaval->action = 6; ;};
return GAA_OK;
break;
case GAAOPTID_smime_to_p7:
OK = 0;
-#line 68 "certtool.gaa"
+#line 69 "certtool.gaa"
{ gaaval->action = 15; ;};
return GAA_OK;
break;
case GAAOPTID_p7_info:
OK = 0;
-#line 66 "certtool.gaa"
+#line 67 "certtool.gaa"
{ gaaval->action = 12; ;};
return GAA_OK;
break;
case GAAOPTID_p12_info:
OK = 0;
-#line 64 "certtool.gaa"
+#line 65 "certtool.gaa"
{ gaaval->action = 9; ;};
return GAA_OK;
break;
case GAAOPTID_crl_info:
OK = 0;
-#line 62 "certtool.gaa"
+#line 63 "certtool.gaa"
{ gaaval->action = 11; ;};
return GAA_OK;
break;
case GAAOPTID_pgp_ring_info:
OK = 0;
-#line 60 "certtool.gaa"
+#line 61 "certtool.gaa"
{ gaaval->action = 21; ;};
return GAA_OK;
break;
case GAAOPTID_pgp_certificate_info:
OK = 0;
-#line 58 "certtool.gaa"
+#line 59 "certtool.gaa"
{ gaaval->action = 19; ;};
return GAA_OK;
break;
case GAAOPTID_certificate_info:
OK = 0;
-#line 56 "certtool.gaa"
+#line 57 "certtool.gaa"
{ gaaval->action = 2; ;};
return GAA_OK;
@@ -987,7 +989,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_password.arg1, gaa_getstr, GAATMP_password.size1);
gaa_index++;
-#line 54 "certtool.gaa"
+#line 55 "certtool.gaa"
{ gaaval->pass = GAATMP_password.arg1 ;};
return GAA_OK;
@@ -997,7 +999,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_load_ca_certificate.arg1, gaa_getstr, GAATMP_load_ca_certificate.size1);
gaa_index++;
-#line 51 "certtool.gaa"
+#line 52 "certtool.gaa"
{ gaaval->ca = GAATMP_load_ca_certificate.arg1 ;};
return GAA_OK;
@@ -1007,7 +1009,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_load_ca_privkey.arg1, gaa_getstr, GAATMP_load_ca_privkey.size1);
gaa_index++;
-#line 48 "certtool.gaa"
+#line 49 "certtool.gaa"
{ gaaval->ca_privkey = GAATMP_load_ca_privkey.arg1 ;};
return GAA_OK;
@@ -1017,7 +1019,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_load_certificate.arg1, gaa_getstr, GAATMP_load_certificate.size1);
gaa_index++;
-#line 45 "certtool.gaa"
+#line 46 "certtool.gaa"
{ gaaval->cert = GAATMP_load_certificate.arg1 ;};
return GAA_OK;
@@ -1027,7 +1029,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_load_request.arg1, gaa_getstr, GAATMP_load_request.size1);
gaa_index++;
-#line 42 "certtool.gaa"
+#line 43 "certtool.gaa"
{ gaaval->request = GAATMP_load_request.arg1 ;};
return GAA_OK;
@@ -1037,84 +1039,84 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_load_privkey.arg1, gaa_getstr, GAATMP_load_privkey.size1);
gaa_index++;
-#line 39 "certtool.gaa"
+#line 40 "certtool.gaa"
{ gaaval->privkey = GAATMP_load_privkey.arg1 ;};
return GAA_OK;
break;
case GAAOPTID_get_dh_params:
OK = 0;
-#line 36 "certtool.gaa"
+#line 37 "certtool.gaa"
{ gaaval->action=16; ;};
return GAA_OK;
break;
case GAAOPTID_generate_dh_params:
OK = 0;
-#line 35 "certtool.gaa"
+#line 36 "certtool.gaa"
{ gaaval->action=10; ;};
return GAA_OK;
break;
case GAAOPTID_verify_crl:
OK = 0;
-#line 33 "certtool.gaa"
+#line 34 "certtool.gaa"
{ gaaval->action=14; ;};
return GAA_OK;
break;
case GAAOPTID_verify_chain:
OK = 0;
-#line 31 "certtool.gaa"
+#line 32 "certtool.gaa"
{ gaaval->action=5; ;};
return GAA_OK;
break;
case GAAOPTID_generate_request:
OK = 0;
-#line 29 "certtool.gaa"
+#line 30 "certtool.gaa"
{ gaaval->action=3; ;};
return GAA_OK;
break;
case GAAOPTID_generate_privkey:
OK = 0;
-#line 27 "certtool.gaa"
-{ gaaval->action=1; ;};
+#line 28 "certtool.gaa"
+{ gaaval->privkey_op=1; gaaval->action=1; ;};
return GAA_OK;
break;
case GAAOPTID_update_certificate:
OK = 0;
-#line 25 "certtool.gaa"
+#line 26 "certtool.gaa"
{ gaaval->action=7; ;};
return GAA_OK;
break;
case GAAOPTID_generate_crl:
OK = 0;
-#line 23 "certtool.gaa"
+#line 24 "certtool.gaa"
{ gaaval->action=13; ;};
return GAA_OK;
break;
case GAAOPTID_generate_proxy:
OK = 0;
-#line 21 "certtool.gaa"
+#line 22 "certtool.gaa"
{ gaaval->action=17; ;};
return GAA_OK;
break;
case GAAOPTID_generate_certificate:
OK = 0;
-#line 19 "certtool.gaa"
+#line 20 "certtool.gaa"
{ gaaval->action=4; ;};
return GAA_OK;
break;
case GAAOPTID_generate_self_signed:
OK = 0;
-#line 17 "certtool.gaa"
+#line 18 "certtool.gaa"
{ gaaval->action=0; ;};
return GAA_OK;
@@ -1143,11 +1145,12 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
if(inited == 0)
{
-#line 127 "certtool.gaa"
+#line 130 "certtool.gaa"
{ gaaval->bits = 2048; gaaval->pkcs8 = 0; gaaval->privkey = NULL; gaaval->ca=NULL; gaaval->ca_privkey = NULL;
gaaval->debug=1; gaaval->request = NULL; gaaval->infile = NULL; gaaval->outfile = NULL; gaaval->cert = NULL;
gaaval->incert_format = 0; gaaval->outcert_format = 0; gaaval->action=-1; gaaval->pass = NULL; gaaval->v1_cert = 0;
- gaaval->export = 0; gaaval->template = NULL; gaaval->hash=NULL; gaaval->fix_key = 0; gaaval->quick_random=1; ;};
+ gaaval->export = 0; gaaval->template = NULL; gaaval->hash=NULL; gaaval->fix_key = 0; gaaval->quick_random=1;
+ gaaval->privkey_op = 0; ;};
}
inited = 1;
diff --git a/src/certtool-gaa.h b/src/certtool-gaa.h
index a6a8e0b6f4..a95546562d 100644
--- a/src/certtool-gaa.h
+++ b/src/certtool-gaa.h
@@ -8,48 +8,50 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 120 "certtool.gaa"
+#line 123 "certtool.gaa"
int debug;
-#line 116 "certtool.gaa"
+#line 119 "certtool.gaa"
char *template;
-#line 113 "certtool.gaa"
+#line 116 "certtool.gaa"
char *infile;
-#line 110 "certtool.gaa"
+#line 113 "certtool.gaa"
char *outfile;
-#line 107 "certtool.gaa"
+#line 110 "certtool.gaa"
int quick_random;
-#line 104 "certtool.gaa"
+#line 107 "certtool.gaa"
int bits;
-#line 100 "certtool.gaa"
+#line 103 "certtool.gaa"
int outcert_format;
-#line 96 "certtool.gaa"
+#line 99 "certtool.gaa"
int incert_format;
-#line 93 "certtool.gaa"
+#line 96 "certtool.gaa"
int export;
-#line 90 "certtool.gaa"
+#line 93 "certtool.gaa"
char *hash;
-#line 87 "certtool.gaa"
+#line 90 "certtool.gaa"
int dsa;
-#line 84 "certtool.gaa"
+#line 87 "certtool.gaa"
int pkcs8;
-#line 77 "certtool.gaa"
+#line 80 "certtool.gaa"
int v1_cert;
-#line 74 "certtool.gaa"
+#line 77 "certtool.gaa"
int fix_key;
-#line 53 "certtool.gaa"
+#line 54 "certtool.gaa"
char *pass;
-#line 50 "certtool.gaa"
+#line 51 "certtool.gaa"
char *ca;
-#line 47 "certtool.gaa"
+#line 48 "certtool.gaa"
char *ca_privkey;
-#line 44 "certtool.gaa"
+#line 45 "certtool.gaa"
char *cert;
-#line 41 "certtool.gaa"
+#line 42 "certtool.gaa"
char *request;
-#line 38 "certtool.gaa"
+#line 39 "certtool.gaa"
char *privkey;
-#line 16 "certtool.gaa"
+#line 17 "certtool.gaa"
int action;
+#line 16 "certtool.gaa"
+ int privkey_op;
#line 114 "gaa.skel"
};
diff --git a/src/certtool.c b/src/certtool.c
index a59319fc55..bf0990f7a7 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -34,6 +34,9 @@
#include <certtool-cfg.h>
#include <gcrypt.h>
#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
/* Gnulib portability files. */
#include <read-file.h>
@@ -219,7 +222,7 @@ print_private_key (gnutls_x509_privkey_t key)
else
flags = GNUTLS_PKCS_USE_PKCS12_3DES;
- if ((pass = get_pass ()) == NULL || *pass == '\0')
+ if ((pass = get_confirmed_pass (true)) == NULL || *pass == '\0')
flags = GNUTLS_PKCS_PLAIN;
size = sizeof (buffer);
@@ -231,6 +234,7 @@ print_private_key (gnutls_x509_privkey_t key)
gnutls_strerror (ret));
}
+
fwrite (buffer, 1, size, outfile);
}
@@ -815,6 +819,26 @@ update_signed_certificate (void)
gnutls_x509_crt_deinit (crt);
}
+FILE* safe_open_rw(const char* file)
+{
+ mode_t oldmask;
+ FILE *fh;
+
+ if (info.privkey_op != 0)
+ {
+ oldmask = umask (S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);
+ }
+
+ fh = fopen (file, "wb");
+
+ if (info.privkey_op != 0)
+ {
+ umask (oldmask);
+ }
+
+ return fh;
+}
+
void
gaa_parser (int argc, char **argv)
{
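Review bot: safe_open_rw only narrows permissions for files it creates; `fopen (file, "wb")` on an outfile that already exists truncates it but keeps its existing mode, so a previously world-readable file receives the new private key without ever being chmod'ed, and the mask S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH still leaves the group/other execute bits alone. The `<fcntl.h>` include added in the hunk above suggests open() was the intention: create with O_CREAT|O_TRUNC and mode 0600 for key operations, fchmod the descriptor to cover the pre-existing-file case, then fdopen (close() needs `<unistd.h>`, which is not among the added includes). `oldmask` is also only conditionally assigned, which draws a maybe-uninitialised warning. The function reads info.privkey_op, so it still relies on option parsing having run before gaa_parser opens the file; that ordering is outside this hunk.
```c
FILE* safe_open_rw(const char* file)
{
  int fd;
  FILE *fh;
  /* 0666, trimmed by the umask exactly as fopen() would do */
  mode_t mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;

  if (info.privkey_op != 0)
    mode = S_IRUSR|S_IWUSR;	/* 0600: private key material */

  fd = open (file, O_WRONLY|O_CREAT|O_TRUNC, mode);
  if (fd < 0)
    return NULL;

  /* the O_CREAT mode is ignored for a file that already exists */
  if (info.privkey_op != 0 && fchmod (fd, S_IRUSR|S_IWUSR) < 0)
    {
      close (fd);
      return NULL;
    }

  fh = fdopen (fd, "wb");
  if (fh == NULL)
    close (fd);
  return fh;
}
```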
@@ -829,7 +853,7 @@ gaa_parser (int argc, char **argv)
if (info.outfile)
{
- outfile = fopen (info.outfile, "wb");
+ outfile = safe_open_rw (info.outfile);
if (outfile == NULL)
error (EXIT_FAILURE, errno, "%s", info.outfile);
}
@@ -2218,7 +2242,6 @@ generate_pkcs8 (void)
flags = GNUTLS_PKCS_PLAIN;
}
-
size = sizeof (buffer);
result =
gnutls_x509_privkey_export_pkcs8 (key, info.outcert_format,
diff --git a/src/certtool.gaa b/src/certtool.gaa
index e5316bc06f..623678405b 100644
--- a/src/certtool.gaa
+++ b/src/certtool.gaa
@@ -13,6 +13,7 @@ void certtool_version(void);
helpnode "Certtool help\nUsage: certtool [options]"
+#int privkey_op;
#int action;
option (s, generate-self-signed) { $action=0; } "Generate a self-signed certificate."
@@ -24,7 +25,7 @@ option (generate-crl) { $action=13; } "Generate a CRL."
option (u, update-certificate) { $action=7; } "Update a signed certificate."
-option (p, generate-privkey) { $action=1; } "Generate a private key."
+option (p, generate-privkey) { $privkey_op=1; $action=1; } "Generate a private key."
option (q, generate-request) { $action=3; } "Generate a PKCS #10 certificate request."
@@ -67,12 +68,14 @@ option (p7-info) { $action = 12; } "Print information on a PKCS #7 structure."
option (smime-to-p7) { $action = 15; } "Convert S/MIME to PKCS #7 structure."
-option (k, key-info) { $action = 6; } "Print information on a private key."
+/* on private key operations set $privkey_op to != 0
+ */
+option (k, key-info) { $privkey_op=1; $action = 6; } "Print information on a private key."
-option (pgp-key-info) { $action = 20; } "Print information on a OpenPGP private key."
+option (pgp-key-info) { $privkey_op=1; $action = 20; } "Print information on a OpenPGP private key."
#int fix_key;
-option (fix-key) { $fix_key = 1; } "Regenerate the parameters in a private key."
+option (fix-key) { $privkey_op=1; $fix_key = 1; } "Regenerate the parameters in a private key."
#int v1_cert;
option (v1) { $v1_cert = 1; } "Generate an X.509 version 1 certificate (no extensions)."
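Review bot: `to-p8` and `to-p12` also write private key material to the output file but are not marked with `$privkey_op=1` here: generate_pkcs8 calls gnutls_x509_privkey_export_pkcs8 (visible in the certtool.c hunk), and a PKCS #12 built by to-p12 presumably bundles the key as well, yet the generated parser still sets only `action = 18` / `action = 8` for them. Those output files therefore keep the default umask while the same key written by --generate-privkey gets the restricted mode. Add the flag to those two option lines as well, presumably spelled `option (to-p12) { $privkey_op=1; $action = 8; }` and `option (to-p8) { $privkey_op=1; $action = 18; }`; they live in lines of certtool.gaa outside this hunk. A comment on `#int privkey_op;` such as `/* drives the 0600 file mode in certtool.c:safe_open_rw — set on every option that writes a key */` would help keep the list complete.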
@@ -127,5 +130,6 @@ option (v, version) { certtool_version(); exit(0); } "shows the program's versio
init { $bits = 2048; $pkcs8 = 0; $privkey = NULL; $ca=NULL; $ca_privkey = NULL;
$debug=1; $request = NULL; $infile = NULL; $outfile = NULL; $cert = NULL;
$incert_format = 0; $outcert_format = 0; $action=-1; $pass = NULL; $v1_cert = 0;
- $export = 0; $template = NULL; $hash=NULL; $fix_key = 0; $quick_random=1; }
+ $export = 0; $template = NULL; $hash=NULL; $fix_key = 0; $quick_random=1;
+ $privkey_op = 0; }
diff --git a/src/cli.c b/src/cli.c
index fafc389060..5f7e6ff726 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -39,6 +39,7 @@
#include "error.h"
#include "read-file.h"
+#include "getpass.h"
#include "common.h"
#include "cli-gaa.h"
@@ -649,7 +650,7 @@ main (int argc, char **argv)
gnutls_session_get_id (hd.session, session_id, &session_id_size);
/* print some information */
- print_info (hd.session, hostname);
+ print_info (hd.session, hostname, info.insecure);
printf ("- Disconnecting\n");
socket_bye (&hd);
@@ -694,7 +695,6 @@ after_handshake:
if (ret < 0)
{
fprintf (stderr, "*** Handshake has failed\n");
- socket_bye (&hd);
user_term = 1;
break;
}
@@ -934,7 +934,7 @@ do_handshake (socket_st * socket)
if (ret == 0)
{
/* print some information */
- print_info (socket->session, socket->hostname);
+ print_info (socket->session, socket->hostname, info.insecure);
if ((x509_cafile || pgp_keyring) && !insecure)
{
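Review bot: The new call passes `info.insecure` while the very next line of the same function tests the `insecure` variable already in scope, two names for what is presumably the same flag. Using one consistently, e.g. `print_info (socket->session, socket->hostname, insecure);`, spares the reader from checking whether the two can diverge. do_handshake's body continues outside the hunk.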
@@ -971,6 +971,80 @@ srp_username_callback (gnutls_session_t session,
return 0;
}
+static int psk_callback (gnutls_session_t session,
+ char **username,
+ gnutls_datum_t * key)
+{
+ const char *hint = gnutls_psk_client_get_hint (session);
+ char *passwd;
+ int ret;
+
+ printf ("- PSK client callback. ");
+ if (hint)
+ printf ("PSK hint '%s'\n", hint);
+ else
+ printf ("No PSK hint\n");
+
+ if (info.psk_username)
+ *username = gnutls_strdup (info.psk_username);
+ else
+ {
+ char *tmp = NULL;
+ size_t n;
+ ssize_t len;
+
+ printf ("Enter PSK identity: ");
+ fflush (stdout);
+ len = getline (&tmp, &n, stdin);
+
+ if (tmp == NULL)
+ {
+ fprintf (stderr, "No username given, aborting...\n");
+ return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ }
+
+ if (tmp[strlen (tmp) - 1] == '\n')
+ tmp[strlen (tmp) - 1] = '\0';
+ if (tmp[strlen (tmp) - 1] == '\r')
+ tmp[strlen (tmp) - 1] = '\0';
+
+ *username = gnutls_strdup (tmp);
+ free (tmp);
+ }
+ if (!*username)
+ return GNUTLS_E_MEMORY_ERROR;
+
+ passwd = getpass ("Enter password: ");
+ if (passwd == NULL)
+ {
+ fprintf (stderr, "No password given, aborting...\n");
+ return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ }
+
+ ret = gnutls_psk_netconf_derive_key (passwd,
+ *username,
+ hint ? hint : "",
+ key);
+ if (ret < 0)
+ {
+ fprintf (stderr, "Error deriving password: %s\n", gnutls_strerror (ret));
+ gnutls_free (*username);
+ return ret;
+ }
+
+ if (info.debug)
+ {
+ char hexkey[41];
+ size_t res_size = sizeof (hexkey);
+ gnutls_hex_encode (key, hexkey, &res_size);
+ fprintf (stderr, "PSK username: %s\n", *username);
+ fprintf (stderr, "PSK hint: %s\n", hint);
+ fprintf (stderr, "PSK key: %s\n", hexkey);
+ }
+
+ return 0;
+}
+
static void
init_global_tls_stuff (void)
{
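Review bot: The identity-reading code in psk_callback can index before the buffer: `len` from getline is stored but never checked, the error test is `tmp == NULL` (getline may leave tmp allocated on EOF), and an input consisting of just "\n" makes the first strip produce an empty string so that the second `tmp[strlen (tmp) - 1]` reads and writes `tmp[-1]`. Check `len` instead and strip CR/LF with a bounded loop, as below. In the debug branch `fprintf (stderr, "PSK hint: %s\n", hint)` passes a NULL pointer when no hint was sent, which is undefined behaviour; use `hint ? hint : "(none)"`. That branch also writes the derived PSK to stderr and `hexkey[41]` assumes a 20-byte key, so the result of gnutls_hex_encode should be checked and a comment should warn that --debug leaks the key into logs.
```c
      printf ("Enter PSK identity: ");
      fflush (stdout);
      len = getline (&tmp, &n, stdin);

      /* getline returns -1 on EOF/error; tmp may be non-NULL even then */
      if (len < 0 || tmp == NULL)
        {
          free (tmp);
          fprintf (stderr, "No username given, aborting...\n");
          return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
        }

      /* strip trailing CR/LF without ever indexing before tmp[0] */
      while (len > 0 && (tmp[len - 1] == '\n' || tmp[len - 1] == '\r'))
        tmp[--len] = '\0';

      if (len == 0)
        {
          free (tmp);
          fprintf (stderr, "No username given, aborting...\n");
          return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
        }

      *username = gnutls_strdup (tmp);
      free (tmp);
      /* … unchanged: NULL check, getpass, key derivation, debug output … */
```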
@@ -1046,18 +1120,24 @@ init_global_tls_stuff (void)
#endif
#ifdef ENABLE_PSK
- if (psk_username && !psk_key.data)
+ /* PSK stuff */
+ if (gnutls_psk_allocate_client_credentials (&psk_cred) < 0)
{
- /* SRP stuff */
- if (gnutls_psk_allocate_client_credentials (&psk_cred) < 0)
+ fprintf (stderr, "PSK authentication error\n");
+ }
+
+ if (psk_username && psk_key.data)
+ {
+ ret = gnutls_psk_set_client_credentials (psk_cred,
+ psk_username, &psk_key,
+ GNUTLS_PSK_KEY_HEX);
+ if (ret < 0)
{
- fprintf (stderr, "PSK authentication error\n");
+ fprintf (stderr, "Error setting the PSK credentials: %s\n",
+ gnutls_strerror (ret));
}
-
- gnutls_psk_set_client_credentials (psk_cred,
- psk_username, &psk_key,
- GNUTLS_PSK_KEY_HEX);
}
+ gnutls_psk_set_client_credentials_function (psk_cred, psk_callback);
#endif
#ifdef ENABLE_ANON
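Review bot: A failed gnutls_psk_allocate_client_credentials only prints a message and then falls through to `gnutls_psk_set_client_credentials_function (psk_cred, psk_callback)` and, when a username and key were given, to gnutls_psk_set_client_credentials, both operating on a credential object that was never allocated. Either stop after the message, `{ fprintf (stderr, "PSK authentication error\n"); exit (1); }`, or move the two later calls into the success branch. The set-credentials error is likewise reported and then ignored, so the client carries on with no PSK; if that is deliberate for a diagnostic tool, a one-line comment saying so would stop the next reader from "fixing" it. `ret` is assigned here, so it must be declared earlier in init_global_tls_stuff; that declaration is outside the hunk.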
diff --git a/src/common.c b/src/common.c
index aec6966299..a181597598 100644
--- a/src/common.c
+++ b/src/common.c
@@ -82,7 +82,7 @@ my_ctime (const time_t * tv)
void
-print_x509_info (gnutls_session_t session, const char *hostname)
+print_x509_info (gnutls_session_t session, const char *hostname, int insecure)
{
gnutls_x509_crt_t crt;
const gnutls_datum_t *cert_list;
@@ -153,6 +153,8 @@ print_x509_info (gnutls_session_t session, const char *hostname)
printf
(" # The hostname in the certificate does NOT match '%s'.\n",
hostname);
+ if (!insecure)
+ exit(1);
}
else
{
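Review bot: The hostname check now terminates the whole process from inside print_x509_info, a routine whose name promises only output, and common.c is shared by the client and server programs, so any caller reaching this path with a mismatching certificate exits without closing the session or reporting the failure on its own terms. print_info already returns int; having print_x509_info/print_cert_info return a status and letting print_info's caller decide keeps the policy in one place. At minimum emit `fprintf (stderr, "*** Hostname mismatch, refusing to continue\n");` before `exit(1)` so the refusal is visible on stderr and not only in the normal listing. Note also that this exit fires before print_info's print_cert_vrfy() step, so the user sees the mismatch but never the chain-verification result; whether that ordering is intended is not visible here. print_x509_info's body continues outside the hunk.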
@@ -280,7 +282,7 @@ print_x509_info (gnutls_session_t session, const char *hostname)
#ifdef ENABLE_OPENPGP
void
-print_openpgp_info (gnutls_session_t session, const char *hostname)
+print_openpgp_info (gnutls_session_t session, const char *hostname, int insecure)
{
char digest[20];
@@ -340,12 +342,14 @@ print_openpgp_info (gnutls_session_t session, const char *hostname)
if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0)
{
printf
- (" # The hostname in the key does NOT match '%s'.\n",
+ (" # The hostname in the certificate does NOT match '%s'.\n",
hostname);
+ if (!insecure)
+ exit(1);
}
else
{
- printf (" # The hostname in the key matches '%s'.\n", hostname);
+ printf (" # The hostname in the certificate matches '%s'.\n", hostname);
}
}
@@ -517,7 +521,7 @@ print_dh_info (gnutls_session_t session, const char *str)
}
int
-print_info (gnutls_session_t session, const char *hostname)
+print_info (gnutls_session_t session, const char *hostname, int insecure)
{
const char *tmp;
gnutls_credentials_type_t cred;
@@ -548,8 +552,12 @@ print_info (gnutls_session_t session, const char *hostname)
#endif
#ifdef ENABLE_PSK
case GNUTLS_CRD_PSK:
- /* This should be only called in server
- * side.
+ /* This returns NULL in server side.
+ */
+ if (gnutls_psk_client_get_hint (session) != NULL)
+ printf ("- PSK authentication. PSK hint '%s'\n",
+ gnutls_psk_client_get_hint (session));
+ /* This returns NULL in client side.
*/
if (gnutls_psk_server_get_username (session) != NULL)
printf ("- PSK authentication. Connected as '%s'\n",
@@ -577,7 +585,7 @@ print_info (gnutls_session_t session, const char *hostname)
if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
print_dh_info (session, "Ephemeral ");
- print_cert_info (session, hostname);
+ print_cert_info (session, hostname, insecure);
print_cert_vrfy (session);
@@ -612,7 +620,7 @@ print_info (gnutls_session_t session, const char *hostname)
}
void
-print_cert_info (gnutls_session_t session, const char *hostname)
+print_cert_info (gnutls_session_t session, const char *hostname, int insecure)
{
if (gnutls_certificate_client_get_request_status (session) != 0)
@@ -623,15 +631,18 @@ print_cert_info (gnutls_session_t session, const char *hostname)
{
case GNUTLS_CRT_UNKNOWN:
printf ("Unknown\n");
+
+ if (!insecure)
+ exit(1);
break;
case GNUTLS_CRT_X509:
printf ("X.509\n");
- print_x509_info (session, hostname);
+ print_x509_info (session, hostname, insecure);
break;
#ifdef ENABLE_OPENPGP
case GNUTLS_CRT_OPENPGP:
printf ("OpenPGP\n");
- print_openpgp_info (session, hostname);
+ print_openpgp_info (session, hostname, insecure);
break;
#endif
}
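Review bot: The new GNUTLS_CRT_UNKNOWN branch exits silently; the only trace is the word "Unknown" on stdout, with nothing saying the connection was refused or how to override it. Add `fprintf (stderr, "*** Unknown certificate type, refusing to continue\n");` before the `exit(1)`. Because this helper is shared with the server program, a comment noting that only the caller's `insecure` flag gets past this point would be useful if print_cert_info is also reachable from gnutls-serv. print_cert_info's body continues outside the hunk.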
diff --git a/src/common.h b/src/common.h
index d22d995c13..89d22ce944 100644
--- a/src/common.h
+++ b/src/common.h
@@ -23,8 +23,8 @@
extern const char str_unknown[];
-int print_info (gnutls_session_t state, const char *hostname);
-void print_cert_info (gnutls_session_t state, const char *hostname);
+int print_info (gnutls_session_t state, const char *hostname, int insecure);
+void print_cert_info (gnutls_session_t state, const char *hostname, int insecure);
void print_list (int verbose);
void parse_comp (char **comp, int ncomp, int *comp_priority);
diff --git a/src/crypt.c b/src/crypt.c
index 9058381c47..27ac16faa7 100644
--- a/src/crypt.c
+++ b/src/crypt.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2006, 2007 Simon Josefsson
+ * Copyright (C) 2004, 2005, 2006, 2007, 2008 Simon Josefsson
* Copyright (C) 2001,2003 Nikos Mavrogiannopoulos
* Copyright (C) 2004 Free Software Foundation
*
@@ -433,9 +433,7 @@ main (int argc, char **argv)
exit (1);
}
-#ifdef HAVE_UMASK
umask (066);
-#endif
if (gaa (argc, argv, &info) != -1)
{
diff --git a/src/psk-gaa.c b/src/psk-gaa.c
index 928986e586..f10b2efd2b 100644
--- a/src/psk-gaa.c
+++ b/src/psk-gaa.c
@@ -131,6 +131,7 @@ void gaa_help(void)
printf("PSKtool help\nUsage : psktool [options]\n");
__gaa_helpsingle('u', "username", "username ", "specify username.");
__gaa_helpsingle('p', "passwd", "FILE ", "specify a password file.");
+ __gaa_helpsingle('n', "netconf-hint", "HINT ", "derive key from Netconf password, using HINT as the psk_identity_hint.");
__gaa_helpsingle('s', "keysize", "SIZE ", "specify the key size in bytes.");
__gaa_helpsingle('v', "version", "", "prints the program's version number");
__gaa_helpsingle('h', "help", "", "shows this help text");
@@ -148,8 +149,10 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 22 "psk.gaa"
+#line 25 "psk.gaa"
int key_size;
+#line 22 "psk.gaa"
+ char *netconf_hint;
#line 19 "psk.gaa"
char *passwd;
#line 16 "psk.gaa"
@@ -208,12 +211,13 @@ static int gaa_error = 0;
#define GAA_MULTIPLE_OPTION 3
#define GAA_REST 0
-#define GAA_NB_OPTION 5
+#define GAA_NB_OPTION 6
#define GAAOPTID_help 1
#define GAAOPTID_version 2
#define GAAOPTID_keysize 3
-#define GAAOPTID_passwd 4
-#define GAAOPTID_username 5
+#define GAAOPTID_netconf_hint 4
+#define GAAOPTID_passwd 5
+#define GAAOPTID_username 6
#line 168 "gaa.skel"
@@ -406,6 +410,12 @@ struct GAAOPTION_keysize
int size1;
};
+struct GAAOPTION_netconf_hint
+{
+ char* arg1;
+ int size1;
+};
+
struct GAAOPTION_passwd
{
char* arg1;
@@ -448,6 +458,7 @@ static int gaa_get_option_num(char *str, int status)
{
case GAA_LETTER_OPTION:
GAA_CHECK1STR("s", GAAOPTID_keysize);
+ GAA_CHECK1STR("n", GAAOPTID_netconf_hint);
GAA_CHECK1STR("p", GAAOPTID_passwd);
GAA_CHECK1STR("u", GAAOPTID_username);
case GAA_MULTIPLE_OPTION:
@@ -461,6 +472,7 @@ static int gaa_get_option_num(char *str, int status)
GAA_CHECKSTR("help", GAAOPTID_help);
GAA_CHECKSTR("version", GAAOPTID_version);
GAA_CHECKSTR("keysize", GAAOPTID_keysize);
+ GAA_CHECKSTR("netconf-hint", GAAOPTID_netconf_hint);
GAA_CHECKSTR("passwd", GAAOPTID_passwd);
GAA_CHECKSTR("username", GAAOPTID_username);
@@ -476,6 +488,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
int OK = 0;
int gaa_last_non_option;
struct GAAOPTION_keysize GAATMP_keysize;
+ struct GAAOPTION_netconf_hint GAATMP_netconf_hint;
struct GAAOPTION_passwd GAATMP_passwd;
struct GAAOPTION_username GAATMP_username;
@@ -500,14 +513,14 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
{
case GAAOPTID_help:
OK = 0;
-#line 26 "psk.gaa"
+#line 29 "psk.gaa"
{ gaa_help(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_version:
OK = 0;
-#line 25 "psk.gaa"
+#line 28 "psk.gaa"
{ psktool_version(); exit(0); ;};
return GAA_OK;
@@ -517,11 +530,21 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_keysize.arg1, gaa_getint, GAATMP_keysize.size1);
gaa_index++;
-#line 23 "psk.gaa"
+#line 26 "psk.gaa"
{ gaaval->key_size = GAATMP_keysize.arg1 ;};
return GAA_OK;
break;
+ case GAAOPTID_netconf_hint:
+ OK = 0;
+ GAA_TESTMOREARGS;
+ GAA_FILL(GAATMP_netconf_hint.arg1, gaa_getstr, GAATMP_netconf_hint.size1);
+ gaa_index++;
+#line 23 "psk.gaa"
+{ gaaval->netconf_hint = GAATMP_netconf_hint.arg1 ;};
+
+ return GAA_OK;
+ break;
case GAAOPTID_passwd:
OK = 0;
GAA_TESTMOREARGS;
@@ -566,8 +589,8 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
if(inited == 0)
{
-#line 28 "psk.gaa"
-{ gaaval->username=NULL; gaaval->passwd=NULL; gaaval->key_size = 0; ;};
+#line 31 "psk.gaa"
+{ gaaval->username=NULL; gaaval->passwd=NULL; gaaval->key_size = 0; gaaval->netconf_hint = NULL; ;};
}
inited = 1;
@@ -715,7 +738,7 @@ static int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc
len++;
a = fgetc( file);
- if(a==EOF) return 0; /* a = ' '; */
+ if(a==EOF) return 0; //a = ' ';
}
len += 1;
diff --git a/src/psk-gaa.h b/src/psk-gaa.h
index 88c5de5aed..57b36a6edc 100644
--- a/src/psk-gaa.h
+++ b/src/psk-gaa.h
@@ -8,8 +8,10 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 22 "psk.gaa"
+#line 25 "psk.gaa"
int key_size;
+#line 22 "psk.gaa"
+ char *netconf_hint;
#line 19 "psk.gaa"
char *passwd;
#line 16 "psk.gaa"
diff --git a/src/psk.c b/src/psk.c
index 1602e6e146..d4bc5ea1fe 100644
--- a/src/psk.c
+++ b/src/psk.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2007 Free Software Foundation
+ * Copyright (C) 2005, 2007, 2008 Free Software Foundation
*
* This file is part of GNUTLS.
*
@@ -49,6 +49,7 @@ psktool_version (void)
#include <psk-gaa.h>
#include <gc.h> /* for randomize */
+#include "getpass.h"
#include <sys/types.h>
#include <sys/stat.h>
@@ -93,9 +94,7 @@ main (int argc, char **argv)
exit (1);
}
-#ifdef HAVE_UMASK
umask (066);
-#endif
if (gaa (argc, argv, &info) != -1)
{
@@ -130,21 +129,49 @@ main (int argc, char **argv)
exit (1);
}
- if (info.key_size < 1)
- info.key_size = 16;
-
- ret = gc_pseudo_random ((char *) key, info.key_size);
- if (ret != GC_OK)
+ if (info.netconf_hint)
{
- fprintf (stderr, "Not enough randomness\n");
- exit (1);
+ char *passwd;
+
+ if (info.key_size != 0 && info.key_size != 20)
+ {
+ fprintf (stderr, "For netconf, key size must always be 20.\n");
+ exit (1);
+ }
+
+ passwd = getpass ("Enter password: ");
+ if (passwd == NULL)
+ {
+ fprintf (stderr, "Please specify a password\n");
+ exit (1);
+ }
+
+ ret = gnutls_psk_netconf_derive_key (passwd,
+ info.username,
+ info.netconf_hint,
+ &dkey);
}
+ else
+ {
+ if (info.key_size < 1)
+ info.key_size = 16;
+
+ printf ("Generating a random key for user '%s'\n", info.username);
- printf ("Generating a random key for user '%s'\n", info.username);
+ ret = gc_pseudo_random ((char *) key, info.key_size);
+ if (ret != GC_OK)
+ {
+ fprintf (stderr, "Not enough randomness\n");
+ exit (1);
+ }
+
+ dkey.data = key;
+ dkey.size = info.key_size;
+ }
- dkey.data = key;
- dkey.size = info.key_size;
ret = gnutls_hex_encode (&dkey, hex_key, &hex_key_size);
+ if (info.netconf_hint)
+ gnutls_free (dkey.data);
if (ret < 0)
{
fprintf (stderr, "HEX encoding error\n");
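Review bot: The result of gnutls_psk_netconf_derive_key is never checked: `ret` is assigned on the derive call but overwritten by `gnutls_hex_encode` before anyone looks at it, so a failed derivation hex-encodes and later gnutls_free()s a `dkey` that was never filled in. Add `if (ret < 0) { fprintf (stderr, "Key derivation error: %s\n", gnutls_strerror (ret)); exit (1); }` directly after the derive call inside the netconf branch. The password returned by getpass() is also left in its static buffer for the rest of the run; the tool exits soon after, but wiping it once the key is derived costs nothing. main's body continues outside the hunk.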
diff --git a/src/psk.gaa b/src/psk.gaa
index db2edcf880..9b4cc31f5a 100644
--- a/src/psk.gaa
+++ b/src/psk.gaa
@@ -19,11 +19,13 @@ option (u,username) STR "username" { $username = $1 } "specify username."
#char *passwd;
option (p, passwd) STR "FILE" { $passwd = $1 } "specify a password file."
+#char *netconf_hint;
+option (n, netconf-hint) STR "HINT" { $netconf_hint = $1 } "derive key from Netconf password, using HINT as the psk_identity_hint."
+
#int key_size;
option (s, keysize) INT "SIZE" { $key_size = $1 } "specify the key size in bytes."
option (v, version) { psktool_version(); exit(0); } "prints the program's version number"
option (h, help) { gaa_help(); exit(0); } "shows this help text"
-init { $username=NULL; $passwd=NULL; $key_size = 0; }
-
+init { $username=NULL; $passwd=NULL; $key_size = 0; $netconf_hint = NULL; }
diff --git a/src/serv-gaa.c b/src/serv-gaa.c
index c2c4f13388..7d8a9da29c 100644
--- a/src/serv-gaa.c
+++ b/src/serv-gaa.c
@@ -147,6 +147,7 @@ void gaa_help(void)
__gaa_helpsingle('r', "require-cert", "", "Require a valid certificate.");
__gaa_helpsingle('a', "disable-client-cert", "", "Disable request for a client certificate.");
__gaa_helpsingle(0, "pskpasswd", "FILE ", "PSK password file to use.");
+ __gaa_helpsingle(0, "pskhint", "HINT ", "PSK identity hint to use.");
__gaa_helpsingle(0, "srppasswd", "FILE ", "SRP password file to use.");
__gaa_helpsingle(0, "srppasswdconf", "FILE ", "SRP password conf file to use.");
__gaa_helpsingle(0, "opaque-prf-input", "DATA ", "Use Opaque PRF Input DATA.");
@@ -175,38 +176,40 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 109 "serv.gaa"
+#line 112 "serv.gaa"
char *priorities;
-#line 106 "serv.gaa"
+#line 109 "serv.gaa"
char **ctype;
-#line 105 "serv.gaa"
+#line 108 "serv.gaa"
int nctype;
-#line 102 "serv.gaa"
+#line 105 "serv.gaa"
char **kx;
-#line 101 "serv.gaa"
+#line 104 "serv.gaa"
int nkx;
-#line 98 "serv.gaa"
+#line 101 "serv.gaa"
char **macs;
-#line 97 "serv.gaa"
+#line 100 "serv.gaa"
int nmacs;
-#line 94 "serv.gaa"
+#line 97 "serv.gaa"
char **comp;
-#line 93 "serv.gaa"
+#line 96 "serv.gaa"
int ncomp;
-#line 90 "serv.gaa"
+#line 93 "serv.gaa"
char **proto;
-#line 89 "serv.gaa"
+#line 92 "serv.gaa"
int nproto;
-#line 86 "serv.gaa"
+#line 89 "serv.gaa"
char **ciphers;
-#line 85 "serv.gaa"
+#line 88 "serv.gaa"
int nciphers;
-#line 82 "serv.gaa"
+#line 85 "serv.gaa"
char *opaque_prf_input;
-#line 79 "serv.gaa"
+#line 82 "serv.gaa"
char *srp_passwd_conf;
-#line 76 "serv.gaa"
+#line 79 "serv.gaa"
char *srp_passwd;
+#line 76 "serv.gaa"
+ char *psk_hint;
#line 73 "serv.gaa"
char *psk_passwd;
#line 70 "serv.gaa"
@@ -303,7 +306,7 @@ static int gaa_error = 0;
#define GAA_MULTIPLE_OPTION 3
#define GAA_REST 0
-#define GAA_NB_OPTION 36
+#define GAA_NB_OPTION 37
#define GAAOPTID_copyright 1
#define GAAOPTID_version 2
#define GAAOPTID_help 3
@@ -318,28 +321,29 @@ static int gaa_error = 0;
#define GAAOPTID_opaque_prf_input 12
#define GAAOPTID_srppasswdconf 13
#define GAAOPTID_srppasswd 14
-#define GAAOPTID_pskpasswd 15
-#define GAAOPTID_disable_client_cert 16
-#define GAAOPTID_require_cert 17
-#define GAAOPTID_x509dsacertfile 18
-#define GAAOPTID_x509dsakeyfile 19
-#define GAAOPTID_x509certfile 20
-#define GAAOPTID_x509keyfile 21
-#define GAAOPTID_pgpsubkey 22
-#define GAAOPTID_pgpcertfile 23
-#define GAAOPTID_pgpkeyfile 24
-#define GAAOPTID_pgpkeyring 25
-#define GAAOPTID_x509crlfile 26
-#define GAAOPTID_x509cafile 27
-#define GAAOPTID_x509fmtder 28
-#define GAAOPTID_dhparams 29
-#define GAAOPTID_echo 30
-#define GAAOPTID_http 31
-#define GAAOPTID_nodb 32
-#define GAAOPTID_quiet 33
-#define GAAOPTID_port 34
-#define GAAOPTID_generate 35
-#define GAAOPTID_debug 36
+#define GAAOPTID_pskhint 15
+#define GAAOPTID_pskpasswd 16
+#define GAAOPTID_disable_client_cert 17
+#define GAAOPTID_require_cert 18
+#define GAAOPTID_x509dsacertfile 19
+#define GAAOPTID_x509dsakeyfile 20
+#define GAAOPTID_x509certfile 21
+#define GAAOPTID_x509keyfile 22
+#define GAAOPTID_pgpsubkey 23
+#define GAAOPTID_pgpcertfile 24
+#define GAAOPTID_pgpkeyfile 25
+#define GAAOPTID_pgpkeyring 26
+#define GAAOPTID_x509crlfile 27
+#define GAAOPTID_x509cafile 28
+#define GAAOPTID_x509fmtder 29
+#define GAAOPTID_dhparams 30
+#define GAAOPTID_echo 31
+#define GAAOPTID_http 32
+#define GAAOPTID_nodb 33
+#define GAAOPTID_quiet 34
+#define GAAOPTID_port 35
+#define GAAOPTID_generate 36
+#define GAAOPTID_debug 37
#line 168 "gaa.skel"
@@ -586,6 +590,12 @@ struct GAAOPTION_srppasswd
int size1;
};
+struct GAAOPTION_pskhint
+{
+ char* arg1;
+ int size1;
+};
+
struct GAAOPTION_pskpasswd
{
char* arg1;
@@ -709,6 +719,7 @@ static int gaa_get_option_num(char *str, int status)
GAA_CHECK1STR("", GAAOPTID_opaque_prf_input);
GAA_CHECK1STR("", GAAOPTID_srppasswdconf);
GAA_CHECK1STR("", GAAOPTID_srppasswd);
+ GAA_CHECK1STR("", GAAOPTID_pskhint);
GAA_CHECK1STR("", GAAOPTID_pskpasswd);
GAA_CHECK1STR("", GAAOPTID_x509dsacertfile);
GAA_CHECK1STR("", GAAOPTID_x509dsakeyfile);
@@ -755,6 +766,7 @@ static int gaa_get_option_num(char *str, int status)
GAA_CHECKSTR("opaque-prf-input", GAAOPTID_opaque_prf_input);
GAA_CHECKSTR("srppasswdconf", GAAOPTID_srppasswdconf);
GAA_CHECKSTR("srppasswd", GAAOPTID_srppasswd);
+ GAA_CHECKSTR("pskhint", GAAOPTID_pskhint);
GAA_CHECKSTR("pskpasswd", GAAOPTID_pskpasswd);
GAA_CHECKSTR("disable-client-cert", GAAOPTID_disable_client_cert);
GAA_CHECKSTR("require-cert", GAAOPTID_require_cert);
@@ -799,6 +811,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
struct GAAOPTION_opaque_prf_input GAATMP_opaque_prf_input;
struct GAAOPTION_srppasswdconf GAATMP_srppasswdconf;
struct GAAOPTION_srppasswd GAATMP_srppasswd;
+ struct GAAOPTION_pskhint GAATMP_pskhint;
struct GAAOPTION_pskpasswd GAATMP_pskpasswd;
struct GAAOPTION_x509dsacertfile GAATMP_x509dsacertfile;
struct GAAOPTION_x509dsakeyfile GAATMP_x509dsakeyfile;
@@ -835,28 +848,28 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
{
case GAAOPTID_copyright:
OK = 0;
-#line 116 "serv.gaa"
+#line 119 "serv.gaa"
{ print_serv_license(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_version:
OK = 0;
-#line 115 "serv.gaa"
+#line 118 "serv.gaa"
{ serv_version(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_help:
OK = 0;
-#line 113 "serv.gaa"
+#line 116 "serv.gaa"
{ gaa_help(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_list:
OK = 0;
-#line 112 "serv.gaa"
+#line 115 "serv.gaa"
{ print_list(0); exit(0); ;};
return GAA_OK;
@@ -866,7 +879,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_priority.arg1, gaa_getstr, GAATMP_priority.size1);
gaa_index++;
-#line 110 "serv.gaa"
+#line 113 "serv.gaa"
{ gaaval->priorities = GAATMP_priority.arg1 ;};
return GAA_OK;
@@ -874,7 +887,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
case GAAOPTID_ctypes:
OK = 0;
GAA_LIST_FILL(GAATMP_ctypes.arg1, gaa_getstr, char*, GAATMP_ctypes.size1);
-#line 107 "serv.gaa"
+#line 110 "serv.gaa"
{ gaaval->ctype = GAATMP_ctypes.arg1; gaaval->nctype = GAATMP_ctypes.size1 ;};
return GAA_OK;
@@ -882,7 +895,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
case GAAOPTID_kx:
OK = 0;
GAA_LIST_FILL(GAATMP_kx.arg1, gaa_getstr, char*, GAATMP_kx.size1);
-#line 103 "serv.gaa"
+#line 106 "serv.gaa"
{ gaaval->kx = GAATMP_kx.arg1; gaaval->nkx = GAATMP_kx.size1 ;};
return GAA_OK;
@@ -890,7 +903,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
case GAAOPTID_macs:
OK = 0;
GAA_LIST_FILL(GAATMP_macs.arg1, gaa_getstr, char*, GAATMP_macs.size1);
-#line 99 "serv.gaa"
+#line 102 "serv.gaa"
{ gaaval->macs = GAATMP_macs.arg1; gaaval->nmacs = GAATMP_macs.size1 ;};
return GAA_OK;
@@ -898,7 +911,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
case GAAOPTID_comp:
OK = 0;
GAA_LIST_FILL(GAATMP_comp.arg1, gaa_getstr, char*, GAATMP_comp.size1);
-#line 95 "serv.gaa"
+#line 98 "serv.gaa"
{ gaaval->comp = GAATMP_comp.arg1; gaaval->ncomp = GAATMP_comp.size1 ;};
return GAA_OK;
@@ -906,7 +919,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
case GAAOPTID_protocols:
OK = 0;
GAA_LIST_FILL(GAATMP_protocols.arg1, gaa_getstr, char*, GAATMP_protocols.size1);
-#line 91 "serv.gaa"
+#line 94 "serv.gaa"
{ gaaval->proto = GAATMP_protocols.arg1; gaaval->nproto = GAATMP_protocols.size1 ;};
return GAA_OK;
@@ -914,7 +927,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
case GAAOPTID_ciphers:
OK = 0;
GAA_LIST_FILL(GAATMP_ciphers.arg1, gaa_getstr, char*, GAATMP_ciphers.size1);
-#line 87 "serv.gaa"
+#line 90 "serv.gaa"
{ gaaval->ciphers = GAATMP_ciphers.arg1; gaaval->nciphers = GAATMP_ciphers.size1 ;};
return GAA_OK;
@@ -924,7 +937,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_opaque_prf_input.arg1, gaa_getstr, GAATMP_opaque_prf_input.size1);
gaa_index++;
-#line 83 "serv.gaa"
+#line 86 "serv.gaa"
{ gaaval->opaque_prf_input = GAATMP_opaque_prf_input.arg1 ;};
return GAA_OK;
@@ -934,7 +947,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_srppasswdconf.arg1, gaa_getstr, GAATMP_srppasswdconf.size1);
gaa_index++;
-#line 80 "serv.gaa"
+#line 83 "serv.gaa"
{ gaaval->srp_passwd_conf = GAATMP_srppasswdconf.arg1 ;};
return GAA_OK;
@@ -944,11 +957,21 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_srppasswd.arg1, gaa_getstr, GAATMP_srppasswd.size1);
gaa_index++;
-#line 77 "serv.gaa"
+#line 80 "serv.gaa"
{ gaaval->srp_passwd = GAATMP_srppasswd.arg1 ;};
return GAA_OK;
break;
+ case GAAOPTID_pskhint:
+ OK = 0;
+ GAA_TESTMOREARGS;
+ GAA_FILL(GAATMP_pskhint.arg1, gaa_getstr, GAATMP_pskhint.size1);
+ gaa_index++;
+#line 77 "serv.gaa"
+{ gaaval->psk_hint = GAATMP_pskhint.arg1 ;};
+
+ return GAA_OK;
+ break;
case GAAOPTID_pskpasswd:
OK = 0;
GAA_TESTMOREARGS;
@@ -1169,7 +1192,7 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
if(inited == 0)
{
-#line 120 "serv.gaa"
+#line 123 "serv.gaa"
{ gaaval->generate=0; gaaval->port=5556; gaaval->http=0; gaaval->ciphers=NULL;
gaaval->kx=NULL; gaaval->comp=NULL; gaaval->macs=NULL; gaaval->ctype=NULL; gaaval->nciphers=0;
gaaval->nkx=0; gaaval->ncomp=0; gaaval->nmacs=0; gaaval->nctype = 0; gaaval->nodb = 0;
@@ -1329,7 +1352,7 @@ static int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc
len++;
a = fgetc( file);
- if(a==EOF) return 0; //a = ' ';
+ if(a==EOF) return 0; /* a = ' '; */
}
len += 1;
diff --git a/src/serv-gaa.h b/src/serv-gaa.h
index 9f0e062595..90b72266b9 100644
--- a/src/serv-gaa.h
+++ b/src/serv-gaa.h
@@ -8,38 +8,40 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 109 "serv.gaa"
+#line 112 "serv.gaa"
char *priorities;
-#line 106 "serv.gaa"
+#line 109 "serv.gaa"
char **ctype;
-#line 105 "serv.gaa"
+#line 108 "serv.gaa"
int nctype;
-#line 102 "serv.gaa"
+#line 105 "serv.gaa"
char **kx;
-#line 101 "serv.gaa"
+#line 104 "serv.gaa"
int nkx;
-#line 98 "serv.gaa"
+#line 101 "serv.gaa"
char **macs;
-#line 97 "serv.gaa"
+#line 100 "serv.gaa"
int nmacs;
-#line 94 "serv.gaa"
+#line 97 "serv.gaa"
char **comp;
-#line 93 "serv.gaa"
+#line 96 "serv.gaa"
int ncomp;
-#line 90 "serv.gaa"
+#line 93 "serv.gaa"
char **proto;
-#line 89 "serv.gaa"
+#line 92 "serv.gaa"
int nproto;
-#line 86 "serv.gaa"
+#line 89 "serv.gaa"
char **ciphers;
-#line 85 "serv.gaa"
+#line 88 "serv.gaa"
int nciphers;
-#line 82 "serv.gaa"
+#line 85 "serv.gaa"
char *opaque_prf_input;
-#line 79 "serv.gaa"
+#line 82 "serv.gaa"
char *srp_passwd_conf;
-#line 76 "serv.gaa"
+#line 79 "serv.gaa"
char *srp_passwd;
+#line 76 "serv.gaa"
+ char *psk_hint;
#line 73 "serv.gaa"
char *psk_passwd;
#line 70 "serv.gaa"
diff --git a/src/serv.c b/src/serv.c
index 2edaca30e6..c03c191fc5 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -987,6 +987,17 @@ main (int argc, char **argv)
GERR (ret);
}
+ if (info.psk_hint)
+ {
+ ret = gnutls_psk_set_server_credentials_hint (psk_cred,
+ info.psk_hint);
+ if (ret)
+ {
+ fprintf (stderr, "Error setting PSK identity hint.\n");
+ GERR (ret);
+ }
+ }
+
gnutls_psk_set_server_params_function (psk_cred, get_params);
}
#endif
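Review bot: The new `if (info.psk_hint)` block passes the command-line value straight to gnutls_psk_set_server_credentials_hint with no comment on what the hint is, and the value deserves one because the PSK identity hint is transmitted unencrypted in the ServerKeyExchange (RFC 4279), so operators must not put key material in it; I would add `/* RFC 4279 identity hint: sent in clear to every client, so it must not contain anything secret. */` above the call. The `if (ret)` test is fine for a 0-or-negative return, but `if (ret < 0)` would read more consistently with the library's error convention. An empty string from `--pskhint ""` presumably also reaches the library here; whether that is accepted or rejected is not visible on this page. main() starts and ends outside the hunk.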
@@ -1143,7 +1154,7 @@ main (int argc, char **argv)
addr_ntop ((struct sockaddr *)&client_address, calen,
topbuf, sizeof (topbuf)),
get_port (&client_address));
- print_info (j->tls_session, NULL);
+ print_info (j->tls_session, NULL, 1);
}
j->handshake_ok = 1;
}
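Review bot: The new third argument to print_info is a bare literal `1`, and print_info itself is not visible here, so a reader of the call site cannot tell what the flag selects; the same literal appears in the hunk ending at L8753 and in the print_cert_info call in src/tests.c at L8774. A trailing comment naming the flag, e.g. `print_info (j->tls_session, NULL, 1 /* PLACEHOLDER: meaning of flag */);`, or a named constant at the definition, would remove the guesswork. main() starts and ends outside these hunks.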
@@ -1240,7 +1251,7 @@ main (int argc, char **argv)
topbuf, sizeof (topbuf)),
get_port (&client_address));
- print_info (j->tls_session, NULL);
+ print_info (j->tls_session, NULL, 1);
}
j->handshake_ok = 1;
}
diff --git a/src/serv.gaa b/src/serv.gaa
index 2f83e995e2..ed0137b6d6 100644
--- a/src/serv.gaa
+++ b/src/serv.gaa
@@ -73,6 +73,9 @@ option (a, disable-client-cert) { $disable_client_cert = 1 } "Disable request fo
#char *psk_passwd;
option (pskpasswd) STR "FILE" { $psk_passwd = $1 } "PSK password file to use."
+#char *psk_hint;
+option (pskhint) STR "HINT" { $psk_hint = $1 } "PSK identity hint to use."
+
#char *srp_passwd;
option (srppasswd) STR "FILE" { $srp_passwd = $1 } "SRP password file to use."
diff --git a/src/tests.c b/src/tests.c
index 66cd61baf4..844013f26a 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -1086,7 +1086,7 @@ test_certificate (gnutls_session_t session)
return ret;
printf ("\n");
- print_cert_info (session, hostname);
+ print_cert_info (session, hostname, 1);
return TEST_SUCCEED;
}
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 508d0e01b6..1f434304b3 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -23,9 +23,11 @@ SUBDIRS = rsa-md5-collision pkcs1-padding pkcs8-decode pkcs12-decode \
userid pathlen key-id sha2 hostname-check
if ENABLE_OPENPGP
-SUBDIRS += openpgp
+SUBDIRS += openpgp openpgp-certs
endif
+EXTRA_DIST = libgcrypt.supp
+
AM_CPPFLAGS = -I$(top_srcdir)/lgl -I$(top_builddir)/lgl \
-I$(top_srcdir)/gl -I$(top_builddir)/gl \
-I$(top_srcdir)/includes -I$(top_builddir)/includes \
@@ -37,16 +39,25 @@ LDADD = ../lib/libgnutls.la ../gl/libgnu.la ../lgl/liblgnu.la libutils.la
noinst_LTLIBRARIES = libutils.la
libutils_la_SOURCES = utils.h utils.c
-ctests = simple openssl gc set_pkcs12_cred certder \
- certificate_set_x509_crl dn parse_ca moredn mpi crypto_rng
+ctests = simple openssl gc set_pkcs12_cred certder \
+ certificate_set_x509_crl dn parse_ca moredn crypto_rng mini
openssl_LDADD = $(LDADD) ../libextra/libgnutls-openssl.la
+
if HAVE_FORK
-ctests += openpgpself x509self x509signself x509dn anonself pskself dhepskself tlsia resume
+ctests += x509self x509signself x509dn anonself pskself dhepskself \
+ tlsia resume netconf-psk
+
+if ENABLE_OPENPGP
+ctests += openpgpself
+endif
+
tlsia_LDADD = ../libextra/libgnutls-extra.la $(LDADD) @LTLIBREADLINE@
endif
+
if ENABLE_OPRFI
ctests += oprfi
endif
+
gc_LDADD = $(LDADD) $(LIBGCRYPT_LIBS)
check_PROGRAMS = $(ctests)
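Review bot: `mpi` is dropped from `ctests` at L8795-L8798 while `mini` is added, and nothing on this page shows tests/mpi.c being deleted or explains the removal; if the source is still in the tree the test is silently no longer built or run. Since this is a merge commit, it may be an unintended resolution of the conflicting `ctests` lines. Either restore `mpi` to the list or state in the commit message why it was removed.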
diff --git a/tests/anonself.c b/tests/anonself.c
index 4b940ecd8f..1341a48458 100644
--- a/tests/anonself.c
+++ b/tests/anonself.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2006, 2007, 2008 Free Software Foundation
*
* Author: Simon Josefsson
*
@@ -103,7 +103,8 @@ client (void)
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
- gnutls_global_set_log_level (4711);
+ if (debug)
+ gnutls_global_set_log_level (4711);
gnutls_anon_allocate_client_credentials (&anoncred);
@@ -237,21 +238,6 @@ int optval = 1;
void
server_start (void)
{
- /* this must be called once in the program
- */
- gnutls_global_init ();
-
- gnutls_global_set_log_function (tls_log_func);
- gnutls_global_set_log_level (4711);
-
- gnutls_anon_allocate_server_credentials (&anoncred);
-
- success ("Launched, generating DH parameters...\n");
-
- generate_dh_params ();
-
- gnutls_anon_set_server_dh_params (anoncred, dh_params);
-
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
@@ -291,6 +277,22 @@ server_start (void)
void
server (void)
{
+ /* this must be called once in the program
+ */
+ gnutls_global_init ();
+
+ gnutls_global_set_log_function (tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level (4711);
+
+ gnutls_anon_allocate_server_credentials (&anoncred);
+
+ success ("Launched, generating DH parameters...\n");
+
+ generate_dh_params ();
+
+ gnutls_anon_set_server_dh_params (anoncred, dh_params);
+
client_len = sizeof (sa_cli);
session = initialize_tls_session ();
@@ -352,6 +354,8 @@ server (void)
gnutls_anon_free_server_credentials (anoncred);
+ gnutls_dh_params_deinit (dh_params);
+
gnutls_global_deinit ();
success ("server: finished\n");
diff --git a/tests/certder.c b/tests/certder.c
index 50110735c8..b39583404d 100644
--- a/tests/certder.c
+++ b/tests/certder.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006 Free Software Foundation
+ * Copyright (C) 2006, 2008 Free Software Foundation
*
* Author: Simon Josefsson
*
@@ -305,6 +305,8 @@ doit (void)
if (ret != GNUTLS_E_ASN1_DER_ERROR)
fail ("crt_import %d\n", ret);
+ gnutls_x509_crt_deinit (cert);
+
ret = gnutls_x509_crt_init (&cert);
if (ret < 0)
fail ("crt_init %d\n", ret);
@@ -313,6 +315,8 @@ doit (void)
if (ret != GNUTLS_E_ASN1_DER_ERROR)
fail ("crt2_import %d\n", ret);
+ gnutls_x509_crt_deinit (cert);
+
ret = gnutls_x509_crt_init (&cert);
if (ret < 0)
fail ("crt_init %d\n", ret);
@@ -324,4 +328,6 @@ doit (void)
success ("done\n");
gnutls_x509_crt_deinit (cert);
+
+ gnutls_global_deinit ();
}
diff --git a/tests/dhepskself.c b/tests/dhepskself.c
index 73c901afe2..dd0998849f 100644
--- a/tests/dhepskself.c
+++ b/tests/dhepskself.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2008 Free Software Foundation
*
* Author: Simon Josefsson
*
@@ -241,19 +241,6 @@ int optval = 1;
void
server_start (void)
{
- /* this must be called once in the program
- */
- gnutls_global_init ();
-
- gnutls_global_set_log_function (tls_log_func);
-// gnutls_global_set_log_level (99);
-
- generate_dh_params ();
-
- gnutls_psk_allocate_server_credentials (&server_pskcred);
- gnutls_psk_set_server_credentials_function (server_pskcred, pskfunc);
- gnutls_psk_set_server_dh_params (server_pskcred, dh_params);
-
success ("Launched, generating DH parameters...\n");
/* Socket operations
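Review bot: The `success ("Launched, generating DH parameters...\n")` message at L8948 is left in server_start while `generate_dh_params ()` is moved into server() (hunk at L8950-L8969), so the message is now printed before the socket setup and no longer next to the work it announces. Moving the line into server() right before `generate_dh_params ();`, as anonself.c does at L8873-L8875, keeps the test output truthful. server_start continues outside the hunk.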
@@ -295,6 +282,20 @@ server_start (void)
void
server (void)
{
+ /* this must be called once in the program
+ */
+ gnutls_global_init ();
+
+ gnutls_global_set_log_function (tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level (4711);
+
+ generate_dh_params ();
+
+ gnutls_psk_allocate_server_credentials (&server_pskcred);
+ gnutls_psk_set_server_credentials_function (server_pskcred, pskfunc);
+ gnutls_psk_set_server_dh_params (server_pskcred, dh_params);
+
client_len = sizeof (sa_cli);
session = initialize_tls_session ();
@@ -353,6 +354,8 @@ server (void)
gnutls_psk_free_server_credentials (server_pskcred);
+ gnutls_dh_params_deinit (dh_params);
+
gnutls_global_deinit ();
success ("server: finished\n");
diff --git a/tests/gc.c b/tests/gc.c
index 0915ff763b..8965fda6ec 100644
--- a/tests/gc.c
+++ b/tests/gc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2008 Free Software Foundation
*
* This file is part of GNUTLS.
*
@@ -143,4 +143,6 @@ doit (void)
}
gc_done ();
+
+ gnutls_global_deinit();
}
diff --git a/tests/libgcrypt.supp b/tests/libgcrypt.supp
new file mode 100644
index 0000000000..abdacd5fc5
--- /dev/null
+++ b/tests/libgcrypt.supp
@@ -0,0 +1,87 @@
+# libgcrypt.supp -- Valgrind suppresion file for libgcrypt
+
+# Copyright (C) 2008 Simon Josefsson
+
+# Copying and distribution of this file, with or without modification,
+# are permitted in any medium without royalty provided the copyright
+# notice and this notice are preserved.
+
+{
+ libgcrypt1
+ Memcheck:Leak
+ fun:malloc
+ fun:_gcry_private_malloc
+ fun:do_malloc
+ fun:_gcry_malloc
+ fun:_gcry_module_add
+ fun:gcry_pk_register_default
+ fun:_gcry_pk_init
+ fun:global_init
+ fun:_gcry_check_version
+ fun:gcry_check_version
+ fun:gnutls_global_init
+}
+
+{
+ libgcrypt2
+ Memcheck:Leak
+ fun:malloc
+ fun:_gcry_private_malloc
+ fun:do_malloc
+ fun:_gcry_malloc
+ fun:_gcry_module_add
+ fun:gcry_md_register_default
+ fun:_gcry_md_init
+ fun:global_init
+ fun:_gcry_check_version
+ fun:gcry_check_version
+ fun:gnutls_global_init
+}
+
+{
+ libgcrypt3
+ Memcheck:Leak
+ fun:malloc
+ fun:_gcry_private_malloc
+ fun:do_malloc
+ fun:_gcry_malloc
+ fun:_gcry_module_add
+ fun:gcry_cipher_register_default
+ fun:_gcry_cipher_init
+ fun:global_init
+ fun:_gcry_check_version
+ fun:gcry_check_version
+ fun:gnutls_global_init
+}
+
+{
+ libgcrypt4
+ Memcheck:Leak
+ fun:malloc
+ fun:do_malloc
+ fun:_gcry_malloc
+ fun:_gcry_xmalloc
+ fun:_gcry_xcalloc
+ fun:initialize
+ fun:_gcry_randomize
+ fun:gcry_randomize
+ fun:gc_pseudo_random
+ fun:_gnutls_rnd_init
+ fun:gnutls_global_init
+}
+
+{
+ libgcrypt5
+ Memcheck:Leak
+ fun:malloc
+ fun:do_malloc
+ fun:_gcry_malloc
+ fun:_gcry_xmalloc
+ fun:_gcry_xcalloc
+ fun:initialize
+ fun:_gcry_randomize
+ fun:gcry_randomize
+ fun:gc_pseudo_random
+ fun:_gnutls_rnd_init
+ fun:gnutls_global_init
+}
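Review bot: The `libgcrypt5` suppression (L9071-L9085) is byte-for-byte identical to `libgcrypt4` (L9055-L9069), so one of the two entries is redundant and can be removed. The header comment also misspells "suppression" (L8999). Since the file is passed to valgrind as an opaque whitelist, a short note on which libgcrypt version these stack shapes were recorded against would help whoever has to update them later.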
diff --git a/tests/mini.c b/tests/mini.c
new file mode 100644
index 0000000000..0a638e075d
--- /dev/null
+++ b/tests/mini.c
@@ -0,0 +1,251 @@
+/*
+ * Copyright (C) 2008 Free Software Foundation
+ *
+ * Author: Simon Josefsson
+ *
+ * This file is part of GNUTLS.
+ *
+ * GNUTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GNUTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GNUTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <gnutls/gnutls.h>
+
+#include "utils.h"
+
+static void
+tls_log_func (int level, const char *str)
+{
+ fprintf (stderr, "|<%d>| %s", level, str);
+}
+
+char *to_server;
+size_t to_server_len;
+
+char *to_client;
+size_t to_client_len;
+
+ssize_t
+client_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
+{
+ success ("client_pull len %d has %d\n", len, to_client_len);
+
+ if (to_client_len < len)
+ {
+ gnutls_transport_set_global_errno (EAGAIN);
+ return -1;
+ }
+
+ memcpy (data, to_client, len);
+
+ memmove (to_client, to_client + len, to_client_len - len);
+ to_client_len -= len;
+
+ return len;
+}
+
+ssize_t
+client_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
+{
+ size_t newlen = to_server_len + len;
+ char *tmp;
+
+ success ("client_push len %d has %d\n", len, to_server_len);
+ hexprint (data, len);
+
+ tmp = realloc (to_server, newlen);
+ if (!tmp)
+ {
+ fail ("Memory allocation failure...\n");
+ exit (1);
+ }
+ to_server = tmp;
+
+ memcpy (to_server + to_server_len, data, len);
+ to_server_len = newlen;
+
+ return len;
+}
+
+ssize_t
+server_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
+{
+ success ("server_pull len %d has %d\n", len, to_server_len);
+
+ if (to_server_len < len)
+ {
+ gnutls_transport_set_global_errno (EAGAIN);
+ return -1;
+ }
+
+ memcpy (data, to_server, len);
+
+ memmove (to_server, to_server + len, to_server_len - len);
+ to_server_len -= len;
+
+ return len;
+}
+
+ssize_t
+server_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
+{
+ size_t newlen = to_client_len + len;
+ char *tmp;
+
+ success ("server_push len %d has %d\n", len, to_client_len);
+
+ hexprint (data, len);
+
+ tmp = realloc (to_client, newlen);
+ if (!tmp)
+ {
+ fail ("Memory allocation failure...\n");
+ exit (1);
+ }
+ to_client = tmp;
+
+ memcpy (to_client + to_client_len, data, len);
+ to_client_len = newlen;
+
+ return len;
+}
+
+#define MAX_BUF 1024
+#define MSG "Hello TLS"
+
+void
+doit (void)
+{
+ /* Server stuff. */
+ gnutls_anon_server_credentials_t s_anoncred;
+ const gnutls_datum_t p3 = { pkcs3, strlen (pkcs3) };
+ static gnutls_dh_params_t dh_params;
+ gnutls_session_t server;
+ int sret = GNUTLS_E_AGAIN;
+ /* Client stuff. */
+ gnutls_anon_client_credentials_t c_anoncred;
+ gnutls_session_t client;
+ int n, cret = GNUTLS_E_AGAIN;
+ /* Need to enable anonymous KX specifically. */
+ const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
+ char buffer[MAX_BUF + 1];
+ ssize_t ns;
+ int ret;
+
+ /* General init. */
+ gnutls_global_init ();
+ gnutls_global_set_log_function (tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level (4711);
+
+ /* Init server */
+ gnutls_anon_allocate_server_credentials (&s_anoncred);
+ gnutls_dh_params_init (&dh_params);
+ gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM);
+ gnutls_anon_set_server_dh_params (s_anoncred, dh_params);
+ gnutls_init (&server, GNUTLS_SERVER);
+ gnutls_set_default_priority (server);
+ gnutls_kx_set_priority (server, kx_prio);
+ gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred);
+ gnutls_dh_set_prime_bits (server, 1024);
+ gnutls_transport_set_push_function (server, server_push);
+ gnutls_transport_set_pull_function (server, server_pull);
+
+ /* Init client */
+ gnutls_anon_allocate_client_credentials (&c_anoncred);
+ gnutls_init (&client, GNUTLS_CLIENT);
+ gnutls_set_default_priority (client);
+ gnutls_kx_set_priority (client, kx_prio);
+ gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred);
+ gnutls_transport_set_push_function (client, client_push);
+ gnutls_transport_set_pull_function (client, client_pull);
+
+ do {
+ if (cret == GNUTLS_E_AGAIN)
+ {
+ success ("loop invoking client:\n");
+ cret = gnutls_handshake (client);
+ success ("client %d: %s\n", cret, gnutls_strerror (cret));
+ }
+
+ if (sret == GNUTLS_E_AGAIN)
+ {
+ success ("loop invoking server:\n");
+ sret = gnutls_handshake (server);
+ success ("server %d: %s\n", sret, gnutls_strerror (sret));
+ }
+ } while (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN);
+
+ success ("Handshake established\n");
+
+ ns = gnutls_record_send (client, MSG, strlen (MSG));
+ success ("client: sent %d\n", ns);
+
+ ret = gnutls_record_recv (server, buffer, MAX_BUF);
+ if (ret == 0)
+ fail ("server: didn't receive any data\n");
+ else if (ret < 0)
+ fail ("server: error: %s\n", gnutls_strerror (ret));
+ else
+ {
+ printf ("server: received %d: ", ret);
+ for (n = 0; n < ret; n++)
+ fputc (buffer[n], stdout);
+ fputs ("\n", stdout);
+ }
+
+ ns = gnutls_record_send (server, MSG, strlen (MSG));
+ success ("server: sent %d\n", ns);
+
+ ret = gnutls_record_recv (client, buffer, MAX_BUF);
+ if (ret == 0)
+ {
+ fail ("client: Peer has closed the TLS connection\n");
+ }
+ else if (ret < 0)
+ {
+ fail ("client: Error: %s\n", gnutls_strerror (ret));
+ }
+ else
+ {
+ printf ("client: received %d: ", ret);
+ for (n = 0; n < ret; n++)
+ fputc (buffer[n], stdout);
+ fputs ("\n", stdout);
+ }
+
+ gnutls_bye (client, GNUTLS_SHUT_RDWR);
+ gnutls_bye (server, GNUTLS_SHUT_RDWR);
+
+ gnutls_deinit (client);
+ gnutls_deinit (server);
+
+ free (to_server);
+ free (to_client);
+
+ gnutls_anon_free_client_credentials (c_anoncred);
+ gnutls_anon_free_server_credentials (s_anoncred);
+
+ gnutls_dh_params_deinit (dh_params);
+
+ gnutls_global_deinit ();
+}
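Review bot: The transport callbacks log `size_t` values with `%d` (`success ("client_pull len %d has %d\n", len, to_client_len);` at L9141, and likewise at L9163, L9183 and L9205), and the `ssize_t` results at L9292 and L9308 are printed the same way; assuming success() is printf-style as its use here suggests, that is a format/argument mismatch on 64-bit targets and should use `%zu` for the `size_t` fields and `%zd` for `ns`. Separately, `pkcs3` (L9231) is not declared in this file and nothing on the page shows where it comes from, so a comment such as `/* pkcs3: PEM DH parameters, provided by utils.h — confirm */` would save the next reader a search. The return values of the gnutls_*_init and credential calls in doit() are not checked, so a setup failure only shows up later as a confusing handshake error.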
diff --git a/tests/moredn.c b/tests/moredn.c
index 9226a5a9a9..c98153f28b 100644
--- a/tests/moredn.c
+++ b/tests/moredn.c
@@ -58,8 +58,6 @@ static const gnutls_datum_t cert_datum = { (char *)cert_pem,
void
doit (void)
{
-
- gnutls_global_init ();
gnutls_x509_crt_t cert;
gnutls_x509_dn_t sdn, dn2;
unsigned char buf[8192], buf2[8192];
@@ -67,6 +65,8 @@ doit (void)
gnutls_datum_t datum;
int rv;
+ gnutls_global_init ();
+
if (gnutls_x509_crt_init(&cert) == 0)
success ("success: cert init\n");
else
@@ -119,4 +119,6 @@ doit (void)
gnutls_x509_dn_deinit (dn2);
gnutls_x509_crt_deinit (cert);
+
+ gnutls_global_deinit ();
}
diff --git a/tests/netconf-psk.c b/tests/netconf-psk.c
new file mode 100644
index 0000000000..4674283af4
--- /dev/null
+++ b/tests/netconf-psk.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2008 Free Software Foundation
+ *
+ * Author: Simon Josefsson
+ *
+ * This file is part of GNUTLS.
+ *
+ * GNUTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GNUTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GNUTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <gnutls/gnutls.h>
+
+#include "utils.h"
+
+void
+doit (void)
+{
+ const char *known =
+ "\x88\xf3\x82\x4b\x3e\x56\x59\xf5\x2d\x00"
+ "\xe9\x59\xba\xca\xb9\x54\xb6\x54\x03\x44";
+ gnutls_datum_t key = { NULL, 0 };
+
+ gnutls_global_init ();
+
+ if (gnutls_psk_netconf_derive_key ("password", "psk_identity",
+ "psk_identity_hint", &key) == 0)
+ success ("success: gnutls_psk_netconf_derive_key\n");
+ else
+ fail ("gnutls_psk_netconf_derive_key failure\n");
+
+ if (debug)
+ hexprint (key.data, key.size);
+
+ if (key.size == 20 && memcmp (key.data, known, 20) == 0)
+ success ("success: match.\n");
+ else
+ fail ("FAIL: key differ.\n");
+
+ gnutls_free (key.data);
+
+ gnutls_global_deinit ();
+}
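Review bot: The expected digest `known` (L9415-L9417) is a known-answer vector with no indication of where it was obtained, so a future mismatch cannot be told apart from a wrong vector; add a comment such as `/* expected value from PLACEHOLDER: reference implementation or draft section */` above it. If gnutls_psk_netconf_derive_key fails, `fail()` is called but execution continues (mini.c calls `exit (1)` after `fail`, which suggests fail() returns), so under `debug` `hexprint (key.data, key.size)` runs on a NULL `key.data`; guarding the hexprint with `key.data != NULL` or returning after the failure avoids that.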
diff --git a/tests/openpgp-certs/Makefile.am b/tests/openpgp-certs/Makefile.am
new file mode 100644
index 0000000000..d437dc51be
--- /dev/null
+++ b/tests/openpgp-certs/Makefile.am
@@ -0,0 +1,33 @@
+## Process this file with automake to produce Makefile.in
+# Copyright (C) 2007, 2008 Free Software Foundation
+#
+# This file is part of GNUTLS.
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+if ENABLE_OPENPGP
+
+EXTRA_DIST = ca-public.gpg srv-public-all-signed.gpg srv-secret.gpg \
+ ca-secret.gpg srv-public.gpg srv-public-127.0.0.1-signed.gpg \
+ srv-public-localhost-signed.gpg
+
+# The selftest is disabled until we can make it work under Wine and
+# under Debian buildds (problem with 127.0.0.2?). Just extra-dist it
+# for now.
+EXTRA_DIST += testcerts
+#dist_check_SCRIPTS = testcerts
+#TESTS = testcerts
+
+endif
diff --git a/tests/openpgp-certs/ca-public.gpg b/tests/openpgp-certs/ca-public.gpg
new file mode 100644
index 0000000000..b723a56068
--- /dev/null
+++ b/tests/openpgp-certs/ca-public.gpg
@@ -0,0 +1,14 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+
+mI0ESCeL9AEEAKkKkm7GHWCDcH8czhIJ/6SlWvVfRkztA4hg3KXLGe4TD9I+yHg6
+XNKuu2tDVJOsLCtpIzqyBz+Ov2nJs893c4aTInxFFXTs99pWxiEl77YegcnC2LNz
+QurUszDYjEm6cU/cI/M4vqLf9CtnnThBsiOvM0YwjuQOviEjVUth/4KVABEBAAG0
+SUNlcnRpZmljYXRlIEF1dGhvcml0eSAoRk9SIFRFU1QgVVNFIE9OTFkgLS0gRE8g
+Tk9UIFVTRSEpIDxjYUBleGFtcGxlLm5ldD6ItgQTAQIAIAUCSCeL9AIbAwYLCQgH
+AwIEFQIIAwQWAgMBAh4BAheAAAoJEFivn820S0CBo/ID/jizo8QzauEbbRitHLjY
+vZhvwbH44m3mNqehxHsPxYJFGvtlzs0kXWcHoO9jL86zPHJRiy+iIEU58HNaH3za
+BqJ4LAqo/yl57uP/RwPP0O+vPYgP0UmfyJX/n9DnTKG1kjA/m/2HmIgSxNx8jBb2
+J0tdVShq6fYGS2dRQRbq6SCi
+=1W5B
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/openpgp-certs/ca-secret.gpg b/tests/openpgp-certs/ca-secret.gpg
new file mode 100644
index 0000000000..05344005a5
--- /dev/null
+++ b/tests/openpgp-certs/ca-secret.gpg
@@ -0,0 +1,21 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+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+=1M8/
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/tests/openpgp-certs/srv-public-127.0.0.1-signed.gpg b/tests/openpgp-certs/srv-public-127.0.0.1-signed.gpg
new file mode 100644
index 0000000000..eae97b3770
--- /dev/null
+++ b/tests/openpgp-certs/srv-public-127.0.0.1-signed.gpg
@@ -0,0 +1,20 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+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+=O699
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/openpgp-certs/srv-public-all-signed.gpg b/tests/openpgp-certs/srv-public-all-signed.gpg
new file mode 100644
index 0000000000..f6e7fad431
--- /dev/null
+++ b/tests/openpgp-certs/srv-public-all-signed.gpg
@@ -0,0 +1,23 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+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+=HB4x
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/openpgp-certs/srv-public-localhost-signed.gpg b/tests/openpgp-certs/srv-public-localhost-signed.gpg
new file mode 100644
index 0000000000..40958f6d38
--- /dev/null
+++ b/tests/openpgp-certs/srv-public-localhost-signed.gpg
@@ -0,0 +1,20 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+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+=ALwQ
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/openpgp-certs/srv-public.gpg b/tests/openpgp-certs/srv-public.gpg
new file mode 100644
index 0000000000..f5693d1f0e
--- /dev/null
+++ b/tests/openpgp-certs/srv-public.gpg
@@ -0,0 +1,17 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+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+=LSvO
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/openpgp-certs/srv-secret.gpg b/tests/openpgp-certs/srv-secret.gpg
new file mode 100644
index 0000000000..7de4ee35da
--- /dev/null
+++ b/tests/openpgp-certs/srv-secret.gpg
@@ -0,0 +1,24 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+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+=OxUt
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/tests/openpgp-certs/testcerts b/tests/openpgp-certs/testcerts
new file mode 100755
index 0000000000..33643d9b39
--- /dev/null
+++ b/tests/openpgp-certs/testcerts
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+srcdir="${srcdir:-.}"
+SERV="${SERV:-../../src/gnutls-serv} -q"
+CLI="${CLI:-../../src/gnutls-cli}"
+PORT="${PORT:-5557}"
+unset RETCODE
+
+fail() {
+ echo "Failure: $1" >&2
+ RETCODE=${RETCODE:-${2:-1}}
+}
+
+echo "Checking OpenPGP certificate verification"
+
+$SERV -p $PORT --pgpcertfile $srcdir/srv-public-127.0.0.1-signed.gpg --pgpkeyfile $srcdir/srv-secret.gpg >/dev/null 2>&1 &
+
+# give the server a chance to initialize
+sleep 2
+
+#gnutls currently only considers PGP certificates verified only if
+#all user IDs in the certificate were signed.
+
+#$CLI -p $PORT 127.0.0.1 --pgpkeyring ca-public.gpg </dev/null >/dev/null || \
+# fail "Connection to verified IP address should have succeeded! (error code $?)" $?
+
+$CLI -p $PORT 127.0.0.2 --pgpkeyring $srcdir/ca-public.gpg </dev/null >/dev/null && \
+ fail "Connection to unrecognized IP address should have failed!"
+
+$CLI -p $PORT localhost --pgpkeyring $srcdir/ca-public.gpg </dev/null >/dev/null && \
+ fail "Connection to unverified (but present) 'localhost' should have failed!"
+
+kill %1
+wait
+
+$SERV -p $PORT --pgpcertfile $srcdir/srv-public-localhost-signed.gpg --pgpkeyfile $srcdir/srv-secret.gpg >/dev/null 2>&1 &
+# give the server a chance to initialize
+sleep 2
+
+echo | $CLI -p $PORT 127.0.0.1 --pgpkeyring $srcdir/ca-public.gpg </dev/null >/dev/null && \
+ fail "Connection to unverified IP address should have failed! (error code $?)" $?
+
+$CLI -p $PORT 127.0.0.2 --pgpkeyring $srcdir/ca-public.gpg </dev/null >/dev/null && \
+ fail "Connection to unrecognized IP address should have failed!"
+
+#see reason above
+#$CLI -p $PORT localhost --pgpkeyring ca-public.gpg </dev/null >/dev/null || \
+# fail "Connection to verified 'localhost' should have succeded! (error code $?)" $?
+
+kill %1 >/dev/null 2>&1
+wait
+
+$SERV -p $PORT --pgpcertfile $srcdir/srv-public-all-signed.gpg --pgpkeyfile $srcdir/srv-secret.gpg >/dev/null 2>&1 &
+# give the server a chance to initialize
+sleep 2
+echo | $CLI -p $PORT 127.0.0.1 --pgpkeyring $srcdir/ca-public.gpg </dev/null >/dev/null || \
+ fail "Connection to signed PGP certificate should have succeeded! (error code $?)" $?
+
+$CLI -p $PORT 127.0.0.2 --pgpkeyring $srcdir/ca-public.gpg </dev/null >/dev/null && \
+ fail "Connection to unrecognized IP address should have failed!"
+
+kill %1 >/dev/null 2>&1
+wait
+
+exit ${RETCODE:-0}
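Review bot: The first server instance (L9580-L9595) has only negative expectations left, because the positive check at L9588-L9589 is commented out, so if gnutls-serv fails to start (port 5557 already bound, or `sleep 2` too short) both `&&` branches never fire and the block passes vacuously. Checking that the background job is alive before the client runs, e.g. `kill -0 %1 2>/dev/null || fail "server did not start"`, turns that into a real failure; the same applies to the second instance at L9600-L9608. On L9604 and L9620 the `echo |` pipe is overridden by the later `</dev/null`, so one of the two can go.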
diff --git a/tests/openpgpself.c b/tests/openpgpself.c
index bf647ee197..1c9aceea2b 100644
--- a/tests/openpgpself.c
+++ b/tests/openpgpself.c
@@ -152,7 +152,7 @@ client (void)
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
- gnutls_global_set_log_level (4711);
+ gnutls_global_set_log_level (2);
gnutls_certificate_allocate_credentials (&xcred);
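Review bot: The client here sets the log level unconditionally to 2, while every other test touched by this commit (oprfi.c, x509dn.c, x509self.c, x509signself.c) gates the call behind `if (debug)`. Unless level 2 output is wanted on every run, the same shape keeps the tests consistent: `if (debug)` followed by `gnutls_global_set_log_level (4711);`. The enclosing client () function continues outside the hunk.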
@@ -379,29 +379,6 @@ const gnutls_datum_t server_key = { server_key_txt, sizeof (server_key_txt) };
void
server_start (void)
{
- /* this must be called once in the program
- */
- gnutls_global_init ();
-
- gnutls_global_set_log_function (tls_log_func);
- gnutls_global_set_log_level (4711);
-
- gnutls_certificate_allocate_credentials (&pgp_cred);
-
- ret = gnutls_certificate_set_openpgp_key_mem2 (pgp_cred, &server_crt,
- &server_key, "auto",
- GNUTLS_OPENPGP_FMT_BASE64);
- if (err < 0)
- {
- fail ("Could not set server key files...\n");
- }
-
- success ("Launched, setting DH parameters...\n");
-
- generate_dh_params ();
-
- gnutls_certificate_set_dh_params (pgp_cred, dh_params);
-
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
@@ -441,6 +418,30 @@ server_start (void)
void
server (void)
{
+ /* this must be called once in the program
+ */
+ gnutls_global_init ();
+
+ gnutls_global_set_log_function (tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level (4711);
+
+ gnutls_certificate_allocate_credentials (&pgp_cred);
+
+ ret = gnutls_certificate_set_openpgp_key_mem2 (pgp_cred, &server_crt,
+ &server_key, "auto",
+ GNUTLS_OPENPGP_FMT_BASE64);
+ if (err < 0)
+ {
+ fail ("Could not set server key files...\n");
+ }
+
+ success ("Launched, setting DH parameters...\n");
+
+ generate_dh_params ();
+
+ gnutls_certificate_set_dh_params (pgp_cred, dh_params);
+
client_len = sizeof (sa_cli);
session = initialize_tls_session ();
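Review bot: The moved block stores the result of gnutls_certificate_set_openpgp_key_mem2 in `ret` but then tests `err`, so a failure to load the server key is never reported and the test proceeds with unconfigured credentials; the check should read `if (ret < 0)`. The defect predates this commit (it is visible in the removed lines of the previous hunk too), but since the code is being relocated this is the place to fix it. The body of server () continues outside the hunk.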
@@ -502,6 +503,8 @@ server (void)
gnutls_certificate_free_credentials (pgp_cred);
+ gnutls_dh_params_deinit (dh_params);
+
gnutls_global_deinit ();
success ("server: finished\n");
@@ -532,7 +535,4 @@ doit (void)
}
else
client ();
-
- /* Until Nikos fix the self test... */
- exit(0);
}
diff --git a/tests/oprfi.c b/tests/oprfi.c
index be190e36d9..75a1218d12 100644
--- a/tests/oprfi.c
+++ b/tests/oprfi.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2006, 2007, 2008 Free Software Foundation
*
* Author: Simon Josefsson
*
@@ -103,7 +103,8 @@ client (void)
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
- gnutls_global_set_log_level (4711);
+ if (debug)
+ gnutls_global_set_log_level (4711);
gnutls_anon_allocate_client_credentials (&anoncred);
@@ -266,7 +267,8 @@ server_start (void)
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
- gnutls_global_set_log_level (4711);
+ if (debug)
+ gnutls_global_set_log_level (4711);
gnutls_anon_allocate_server_credentials (&anoncred);
diff --git a/tests/pskself.c b/tests/pskself.c
index ca82baee83..8b4fd70fef 100644
--- a/tests/pskself.c
+++ b/tests/pskself.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2008 Free Software Foundation
*
* Author: Simon Josefsson
*
@@ -226,13 +226,6 @@ int optval = 1;
void
server_start (void)
{
- /* this must be called once in the program
- */
- gnutls_global_init ();
-
- gnutls_psk_allocate_server_credentials (&server_pskcred);
- gnutls_psk_set_server_credentials_function (server_pskcred, pskfunc);
-
success ("Launched...\n");
/* Socket operations
@@ -274,6 +267,13 @@ server_start (void)
void
server (void)
{
+ /* this must be called once in the program
+ */
+ gnutls_global_init ();
+
+ gnutls_psk_allocate_server_credentials (&server_pskcred);
+ gnutls_psk_set_server_credentials_function (server_pskcred, pskfunc);
+
client_len = sizeof (sa_cli);
session = initialize_tls_session ();
diff --git a/tests/resume.c b/tests/resume.c
index eda370fe17..e36f9c0167 100644
--- a/tests/resume.c
+++ b/tests/resume.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation
*
* Author: Simon Josefsson
*
@@ -280,23 +280,6 @@ int optval = 1;
void
global_start (void)
{
- /* this must be called once in the program, it is mostly for the server.
- */
- gnutls_global_init ();
-
- gnutls_anon_allocate_server_credentials (&anoncred);
-
- success ("Launched, generating DH parameters...\n");
-
- generate_dh_params ();
-
- gnutls_anon_set_server_dh_params (anoncred, dh_params);
-
- if (TLS_SESSION_CACHE != 0)
- {
- wrap_db_init ();
- }
-
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
@@ -348,6 +331,23 @@ global_stop (void)
void
server (void)
{
+ /* this must be called once in the program, it is mostly for the server.
+ */
+ gnutls_global_init ();
+
+ gnutls_anon_allocate_server_credentials (&anoncred);
+
+ success ("Launched, generating DH parameters...\n");
+
+ generate_dh_params ();
+
+ gnutls_anon_set_server_dh_params (anoncred, dh_params);
+
+ if (TLS_SESSION_CACHE != 0)
+ {
+ wrap_db_init ();
+ }
+
int t;
for (t = 0; t < 2; t++)
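Review bot: The moved initialization now runs ahead of the `int t;` declaration at the end of the hunk, so server () mixes statements and declarations, which is C99-only; if the project still builds with C89 compilers, move `int t;` to the top of the function before `gnutls_global_init ();`. The same relocation pattern appears in the other server () hunks of this commit, but only this one has a trailing declaration. server ()'s body continues outside the hunk.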
@@ -411,6 +411,11 @@ server (void)
close (listen_sd);
+ if (TLS_SESSION_CACHE != 0)
+ {
+ wrap_db_deinit ();
+ }
+
success ("server: finished\n");
}
@@ -475,6 +480,9 @@ wrap_db_init (void)
static void
wrap_db_deinit (void)
{
+ if (cache_db)
+ free (cache_db);
+ cache_db = NULL;
return;
}
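Review bot: `free (cache_db)` is already defined for a NULL pointer, so the guard on the first added line is redundant and the trailing `return;` is noise; the body can be reduced to `free (cache_db); cache_db = NULL;`. If the cache entries hold serialized session data (which would carry key material), wiping the buffer before freeing it would be a cheap defensive step — confirm what the store path writes, since it is outside this hunk.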
diff --git a/tests/set_pkcs12_cred.c b/tests/set_pkcs12_cred.c
index 8794abed66..8e292d484b 100644
--- a/tests/set_pkcs12_cred.c
+++ b/tests/set_pkcs12_cred.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2006 Free Software Foundation
+ * Copyright (C) 2005, 2006, 2008 Free Software Foundation
*
* Author: Simon Josefsson
*
@@ -47,7 +47,7 @@ doit (void)
password = getenv ("PKCS12PASSWORD");
if (!file)
- file = "client.p12";
+ file = "pkcs12-decode/client.p12";
if (!password)
password = "foobar";
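Review bot: The new default `pkcs12-decode/client.p12` is a path relative to the current working directory, whereas the shell test in this same commit prefixes its fixtures with `$srcdir`; in an out-of-tree (VPATH) build the default will not resolve and the test fails for the wrong reason. Consider composing the default from `getenv ("srcdir")` when the file variable is unset, falling back to the relative path only when `srcdir` is absent. The enclosing doit () starts and ends outside the hunk.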
diff --git a/tests/tlsia.c b/tests/tlsia.c
index 013ba3e3c6..0b5a38e315 100644
--- a/tests/tlsia.c
+++ b/tests/tlsia.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation
*
* Author: Simon Josefsson
*
@@ -400,19 +400,6 @@ server_avp (gnutls_session_t session, void *ptr,
void
server_start (void)
{
- /* this must be called once in the program
- */
- gnutls_global_init ();
-
- gnutls_anon_allocate_server_credentials (&anoncred);
- gnutls_ia_allocate_server_credentials (&iacred);
-
- success ("Launched, generating DH parameters...\n");
-
- generate_dh_params ();
-
- gnutls_anon_set_server_dh_params (anoncred, dh_params);
-
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
@@ -452,6 +439,19 @@ server_start (void)
void
server (void)
{
+ /* this must be called once in the program
+ */
+ gnutls_global_init ();
+
+ gnutls_anon_allocate_server_credentials (&anoncred);
+ gnutls_ia_allocate_server_credentials (&iacred);
+
+ success ("Launched, generating DH parameters...\n");
+
+ generate_dh_params ();
+
+ gnutls_anon_set_server_dh_params (anoncred, dh_params);
+
client_len = sizeof (sa_cli);
session = initialize_tls_session ();
@@ -547,6 +547,8 @@ server (void)
gnutls_anon_free_server_credentials (anoncred);
+ gnutls_dh_params_deinit (dh_params);
+
gnutls_global_deinit ();
success ("server: finished\n");
diff --git a/tests/x509dn.c b/tests/x509dn.c
index 95ec900faa..2d57793418 100644
--- a/tests/x509dn.c
+++ b/tests/x509dn.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2006, 2007, 2008 Free Software Foundation
*
* Author: Simon Josefsson
*
@@ -223,7 +223,8 @@ client (void)
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
- gnutls_global_set_log_level (4711);
+ if (debug)
+ gnutls_global_set_log_level (4711);
gnutls_certificate_allocate_credentials (&xcred);
@@ -408,25 +409,6 @@ const gnutls_datum_t server_key = { server_key_pem,
void
server_start (void)
{
- /* this must be called once in the program
- */
- gnutls_global_init ();
-
- gnutls_global_set_log_function (tls_log_func);
- gnutls_global_set_log_level (4711);
-
- gnutls_certificate_allocate_credentials (&x509_cred);
- gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
-
- gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
- GNUTLS_X509_FMT_PEM);
-
- success ("Launched, generating DH parameters...\n");
-
- generate_dh_params ();
-
- gnutls_certificate_set_dh_params (x509_cred, dh_params);
-
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
@@ -466,6 +448,26 @@ server_start (void)
void
server (void)
{
+ /* this must be called once in the program
+ */
+ gnutls_global_init ();
+
+ gnutls_global_set_log_function (tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level (4711);
+
+ gnutls_certificate_allocate_credentials (&x509_cred);
+ gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
+
+ gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
+ GNUTLS_X509_FMT_PEM);
+
+ success ("Launched, generating DH parameters...\n");
+
+ generate_dh_params ();
+
+ gnutls_certificate_set_dh_params (x509_cred, dh_params);
+
client_len = sizeof (sa_cli);
session = initialize_tls_session ();
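Review bot: None of the calls moved into server () check their return value, so a failure in gnutls_certificate_set_x509_key_mem or gnutls_certificate_set_x509_trust_mem leaves the server with no usable credentials and the test only fails later, as an opaque handshake error. Capturing the result and reporting it, e.g. `ret = gnutls_certificate_set_x509_key_mem (...); if (ret < 0) fail ("set_x509_key_mem: %s\n", gnutls_strerror (ret));`, makes the root cause visible; this assumes a `ret` variable is in scope in server () as in openpgpself.c. The same applies to the identical server () hunks in x509self.c and x509signself.c. server ()'s body continues outside the hunk.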
@@ -527,6 +529,8 @@ server (void)
gnutls_certificate_free_credentials (x509_cred);
+ gnutls_dh_params_deinit (dh_params);
+
gnutls_global_deinit ();
success ("server: finished\n");
diff --git a/tests/x509self.c b/tests/x509self.c
index 3f1bff3bae..a29809b9b7 100644
--- a/tests/x509self.c
+++ b/tests/x509self.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2006, 2007, 2008 Free Software Foundation
*
* Author: Simon Josefsson
*
@@ -157,7 +157,8 @@ client (void)
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
- gnutls_global_set_log_level (4711);
+ if (debug)
+ gnutls_global_set_log_level (4711);
gnutls_certificate_allocate_credentials (&xcred);
@@ -342,25 +343,6 @@ const gnutls_datum_t server_key = { server_key_pem,
void
server_start (void)
{
- /* this must be called once in the program
- */
- gnutls_global_init ();
-
- gnutls_global_set_log_function (tls_log_func);
- gnutls_global_set_log_level (4711);
-
- gnutls_certificate_allocate_credentials (&x509_cred);
- gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
-
- gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
- GNUTLS_X509_FMT_PEM);
-
- success ("Launched, generating DH parameters...\n");
-
- generate_dh_params ();
-
- gnutls_certificate_set_dh_params (x509_cred, dh_params);
-
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
@@ -400,6 +382,26 @@ server_start (void)
void
server (void)
{
+ /* this must be called once in the program
+ */
+ gnutls_global_init ();
+
+ gnutls_global_set_log_function (tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level (4711);
+
+ gnutls_certificate_allocate_credentials (&x509_cred);
+ gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
+
+ gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
+ GNUTLS_X509_FMT_PEM);
+
+ success ("Launched, generating DH parameters...\n");
+
+ generate_dh_params ();
+
+ gnutls_certificate_set_dh_params (x509_cred, dh_params);
+
client_len = sizeof (sa_cli);
session = initialize_tls_session ();
@@ -461,6 +463,8 @@ server (void)
gnutls_certificate_free_credentials (x509_cred);
+ gnutls_dh_params_deinit (dh_params);
+
gnutls_global_deinit ();
success ("server: finished\n");
@@ -470,6 +474,7 @@ server (void)
void
doit (void)
{
+ /* parent */
server_start ();
if (error_count)
return;
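Review bot: The relocated `/* parent */` comment now sits above `server_start ()`, which runs before the process forks, so it no longer marks the parent-only branch it used to label and reads as if server_start were parent-specific. Either drop it here or make it say what this call is, e.g. `/* set up the listening socket before forking */`. doit () continues outside the hunk.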
@@ -485,7 +490,7 @@ doit (void)
if (child)
{
int status;
- /* parent */
+
server ();
wait (&status);
}
diff --git a/tests/x509signself.c b/tests/x509signself.c
index a6fa4d94e3..0d17ed1aea 100644
--- a/tests/x509signself.c
+++ b/tests/x509signself.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2006, 2007, 2008 Free Software Foundation
*
* Author: Simon Josefsson
*
@@ -188,7 +188,8 @@ client (void)
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
- gnutls_global_set_log_level (4711);
+ if (debug)
+ gnutls_global_set_log_level (4711);
gnutls_certificate_allocate_credentials (&xcred);
@@ -375,25 +376,6 @@ const gnutls_datum_t server_key = { server_key_pem,
void
server_start (void)
{
- /* this must be called once in the program
- */
- gnutls_global_init ();
-
- gnutls_global_set_log_function (tls_log_func);
- gnutls_global_set_log_level (4711);
-
- gnutls_certificate_allocate_credentials (&x509_cred);
- gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
-
- gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
- GNUTLS_X509_FMT_PEM);
-
- success ("Launched, generating DH parameters...\n");
-
- generate_dh_params ();
-
- gnutls_certificate_set_dh_params (x509_cred, dh_params);
-
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
@@ -433,6 +415,26 @@ server_start (void)
void
server (void)
{
+ /* this must be called once in the program
+ */
+ gnutls_global_init ();
+
+ gnutls_global_set_log_function (tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level (4711);
+
+ gnutls_certificate_allocate_credentials (&x509_cred);
+ gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
+
+ gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
+ GNUTLS_X509_FMT_PEM);
+
+ success ("Launched, generating DH parameters...\n");
+
+ generate_dh_params ();
+
+ gnutls_certificate_set_dh_params (x509_cred, dh_params);
+
client_len = sizeof (sa_cli);
session = initialize_tls_session ();
@@ -494,6 +496,8 @@ server (void)
gnutls_certificate_free_credentials (x509_cred);
+ gnutls_dh_params_deinit (dh_params);
+
gnutls_global_deinit ();
success ("server: finished\n");