diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-06-07 10:05:43 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-06-07 10:05:43 +0000 |
commit | 802e1ede038010ddab31225f4b8a7e8d74f3b987 (patch) | |
tree | f9f07d2fb57da9843ac6b79e06e9266301b7e8b7 /lib | |
parent | e0781d87ea58ff1ac1b6439d60510a8a26ea9f54 (diff) | |
download | gnutls-802e1ede038010ddab31225f4b8a7e8d74f3b987.tar.gz |
changed indentation to 4 spaces instead of tabs.
Diffstat (limited to 'lib')
125 files changed, 28709 insertions, 27293 deletions
diff --git a/lib/auth_anon.c b/lib/auth_anon.c index 4eb120307f..6d2feecd5b 100644 --- a/lib/auth_anon.c +++ b/lib/auth_anon.c @@ -38,118 +38,125 @@ #include <gnutls_state.h> #include <auth_dh_common.h> -static int gen_anon_server_kx( gnutls_session, opaque**); -static int proc_anon_client_kx( gnutls_session, opaque*, size_t); -static int proc_anon_server_kx( gnutls_session, opaque*, size_t); +static int gen_anon_server_kx(gnutls_session, opaque **); +static int proc_anon_client_kx(gnutls_session, opaque *, size_t); +static int proc_anon_server_kx(gnutls_session, opaque *, size_t); const mod_auth_st anon_auth_struct = { - "ANON", - NULL, - NULL, - gen_anon_server_kx, - _gnutls_gen_dh_common_client_kx, /* this can be shared */ - NULL, - NULL, - - NULL, - NULL, /* certificate */ - proc_anon_server_kx, - proc_anon_client_kx, - NULL, - NULL + "ANON", + NULL, + NULL, + gen_anon_server_kx, + _gnutls_gen_dh_common_client_kx, /* this can be shared */ + NULL, + NULL, + + NULL, + NULL, /* certificate */ + proc_anon_server_kx, + proc_anon_client_kx, + NULL, + NULL }; -static int gen_anon_server_kx( gnutls_session session, opaque** data) { - mpi_t g, p; - const mpi_t *mpis; - int ret; - gnutls_dh_params dh_params; - const gnutls_anon_server_credentials cred; - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_ANON, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - dh_params = _gnutls_anon_get_dh_params( cred, session); - mpis = _gnutls_get_dh_params( dh_params); - if (mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; - } - - p = mpis[0]; - g = mpis[1]; - - if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_ANON, sizeof( anon_server_auth_info_st), 1)) < 0) - { - gnutls_assert(); - return ret; - } - - _gnutls_dh_set_group( session, g, p); - - ret = _gnutls_dh_common_print_server_kx( session, g, p, data); - if (ret < 0) { - gnutls_assert(); - } - +static int gen_anon_server_kx(gnutls_session session, opaque ** data) +{ + mpi_t g, p; + const mpi_t *mpis; + int ret; + gnutls_dh_params dh_params; + const gnutls_anon_server_credentials cred; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_ANON, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + dh_params = _gnutls_anon_get_dh_params(cred, session); + mpis = _gnutls_get_dh_params(dh_params); + if (mpis == NULL) { + gnutls_assert(); + return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; + } + + p = mpis[0]; + g = mpis[1]; + + if ((ret = + _gnutls_auth_info_set(session, GNUTLS_CRD_ANON, + sizeof(anon_server_auth_info_st), 1)) < 0) { + gnutls_assert(); return ret; + } + + _gnutls_dh_set_group(session, g, p); + + ret = _gnutls_dh_common_print_server_kx(session, g, p, data); + if (ret < 0) { + gnutls_assert(); + } + + return ret; } -static int proc_anon_client_kx( gnutls_session session, opaque* data, size_t _data_size) +static int proc_anon_client_kx(gnutls_session session, opaque * data, + size_t _data_size) { -const gnutls_anon_server_credentials cred; -int bits; -int ret; -mpi_t p, g; -gnutls_dh_params dh_params; -const mpi_t *mpis; - - bits = _gnutls_dh_get_allowed_prime_bits( session); - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_ANON, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - dh_params = _gnutls_anon_get_dh_params( cred, session); - mpis = _gnutls_get_dh_params( dh_params); - if (mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; - } - - p = mpis[0]; - g = mpis[1]; - - ret = _gnutls_proc_dh_common_client_kx( session, data, _data_size, g, p); + const gnutls_anon_server_credentials cred; + int bits; + int ret; + mpi_t p, g; + gnutls_dh_params dh_params; + const mpi_t *mpis; - return ret; + bits = _gnutls_dh_get_allowed_prime_bits(session); + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_ANON, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + dh_params = _gnutls_anon_get_dh_params(cred, session); + mpis = _gnutls_get_dh_params(dh_params); + if (mpis == NULL) { + gnutls_assert(); + return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; + } + + p = mpis[0]; + g = mpis[1]; + + ret = + _gnutls_proc_dh_common_client_kx(session, data, _data_size, g, p); + + return ret; } -int proc_anon_server_kx( gnutls_session session, opaque* data, size_t _data_size) +int proc_anon_server_kx(gnutls_session session, opaque * data, + size_t _data_size) { -int ret; + int ret; - /* set auth_info */ - if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_ANON, sizeof( anon_client_auth_info_st), 1)) < 0) { - gnutls_assert(); - return ret; - } + /* set auth_info */ + if ((ret = + _gnutls_auth_info_set(session, GNUTLS_CRD_ANON, + sizeof(anon_client_auth_info_st), 1)) < 0) { + gnutls_assert(); + return ret; + } - ret = _gnutls_proc_dh_common_server_kx( session, data, _data_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_proc_dh_common_server_kx(session, data, _data_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } -#endif /* ENABLE_ANON */ +#endif /* ENABLE_ANON */ diff --git a/lib/auth_anon.h b/lib/auth_anon.h index 8173814be4..c722826663 100644 --- a/lib/auth_anon.h +++ b/lib/auth_anon.h @@ -3,18 +3,18 @@ #include <auth_dh_common.h> typedef struct { - gnutls_dh_params dh_params; - /* this callback is used to retrieve the DH or RSA - * parameters. - */ - gnutls_params_function * params_func; + gnutls_dh_params dh_params; + /* this callback is used to retrieve the DH or RSA + * parameters. + */ + gnutls_params_function *params_func; } anon_server_credentials_st; #define gnutls_anon_server_credentials anon_server_credentials_st* #define gnutls_anon_client_credentials void* typedef struct anon_client_auth_info_st { - dh_info_t dh; + dh_info_t dh; } *anon_client_auth_info_t; typedef anon_client_auth_info_t anon_server_auth_info_t; @@ -22,5 +22,6 @@ typedef anon_client_auth_info_t anon_server_auth_info_t; typedef struct anon_client_auth_info_st anon_client_auth_info_st; typedef anon_client_auth_info_st anon_server_auth_info_st; -gnutls_dh_params _gnutls_anon_get_dh_params(const gnutls_anon_server_credentials sc, - gnutls_session session); +gnutls_dh_params _gnutls_anon_get_dh_params(const + gnutls_anon_server_credentials + sc, gnutls_session session); diff --git a/lib/auth_cert.c b/lib/auth_cert.c index 9e67b1a791..57cfc4c62f 100644 --- a/lib/auth_cert.c +++ b/lib/auth_cert.c @@ -45,10 +45,12 @@ #include <gnutls_extra.h> #include "debug.h" -static gnutls_cert *alloc_and_load_x509_certs(gnutls_x509_crt * certs, uint); +static gnutls_cert *alloc_and_load_x509_certs(gnutls_x509_crt * certs, + uint); static gnutls_privkey *alloc_and_load_x509_key(gnutls_x509_privkey key); static gnutls_cert *alloc_and_load_pgp_certs(gnutls_openpgp_key cert); -static gnutls_privkey *alloc_and_load_pgp_key(const gnutls_openpgp_privkey key); +static gnutls_privkey *alloc_and_load_pgp_key(const gnutls_openpgp_privkey + key); /* Copies data from a internal certificate struct (gnutls_cert) to @@ -58,49 +60,48 @@ static int _gnutls_copy_certificate_auth_info(cert_auth_info_t info, gnutls_cert * cert, int ncerts) { - /* Copy peer's information to auth_info_t - */ - int ret, i, j; - - if (ncerts == 0) { - info->raw_certificate_list = NULL; - info->ncerts = 0; - return 0; - } + /* Copy peer's information to auth_info_t + */ + int ret, i, j; - info->raw_certificate_list = - gnutls_calloc(1, sizeof(gnutls_datum) * ncerts); - if (info->raw_certificate_list == NULL) { + if (ncerts == 0) { + info->raw_certificate_list = NULL; + info->ncerts = 0; + return 0; + } + + info->raw_certificate_list = + gnutls_calloc(1, sizeof(gnutls_datum) * ncerts); + if (info->raw_certificate_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + for (i = 0; i < ncerts; i++) { + if (cert->raw.size > 0) { + ret = + _gnutls_set_datum(&info-> + raw_certificate_list[i], + cert[i].raw.data, cert[i].raw.size); + if (ret < 0) { gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + goto clear; + } } + } + info->ncerts = ncerts; - for (i = 0; i < ncerts; i++) { - if (cert->raw.size > 0) { - ret = - _gnutls_set_datum(&info-> - raw_certificate_list[i], - cert[i].raw.data, - cert[i].raw.size); - if (ret < 0) { - gnutls_assert(); - goto clear; - } - } - } - info->ncerts = ncerts; + return 0; - return 0; + clear: - clear: + for (j = 0; j < i; j++) + _gnutls_free_datum(&info->raw_certificate_list[j]); - for (j = 0; j < i; j++) - _gnutls_free_datum(&info->raw_certificate_list[j]); - - gnutls_free(info->raw_certificate_list); - info->raw_certificate_list = NULL; + gnutls_free(info->raw_certificate_list); + info->raw_certificate_list = NULL; - return ret; + return ret; } @@ -110,60 +111,63 @@ int _gnutls_copy_certificate_auth_info(cert_auth_info_t info, * -1 otherwise. */ inline -static int _gnutls_check_pk_algo_in_list(const gnutls_pk_algorithm *pk_algos, - int pk_algos_length, gnutls_pk_algorithm algo_to_check) + static int _gnutls_check_pk_algo_in_list(const gnutls_pk_algorithm * + pk_algos, int pk_algos_length, + gnutls_pk_algorithm + algo_to_check) { - int i; - for (i = 0; i < pk_algos_length; i++) { - if (algo_to_check == pk_algos[i]) { - return 0; - } + int i; + for (i = 0; i < pk_algos_length; i++) { + if (algo_to_check == pk_algos[i]) { + return 0; } - return -1; + } + return -1; } /* Returns the issuer's Distinguished name in odn, of the certificate * specified in cert. */ -static int _gnutls_cert_get_issuer_dn(gnutls_cert * cert, gnutls_datum * odn) +static int _gnutls_cert_get_issuer_dn(gnutls_cert * cert, + gnutls_datum * odn) { - ASN1_TYPE dn; - int len, result; - int start, end; - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.Certificate", &dn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = asn1_der_decoding(&dn, cert->raw.data, cert->raw.size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); - } + ASN1_TYPE dn; + int len, result; + int start, end; + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.Certificate", &dn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&dn, cert->raw.data, cert->raw.size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); + asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding_startEnd(dn, cert->raw.data, cert->raw.size, + result = asn1_der_decoding_startEnd(dn, cert->raw.data, cert->raw.size, "tbsCertificate.issuer", &start, &end); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } + asn1_delete_structure(&dn); - len = end - start + 1; + len = end - start + 1; - odn->size = len; - odn->data = &cert->raw.data[start]; + odn->size = len; + odn->data = &cert->raw.data[start]; - return 0; + return 0; } @@ -178,64 +182,61 @@ static int _find_x509_cert(const gnutls_certificate_credentials cred, const gnutls_pk_algorithm * pk_algos, int pk_algos_length, int *indx) { - uint size; - gnutls_datum odn; - opaque *data = _data; - ssize_t data_size = _data_size; - uint i, j; - int result, cert_pk; + uint size; + gnutls_datum odn; + opaque *data = _data; + ssize_t data_size = _data_size; + uint i, j; + int result, cert_pk; - *indx = -1; + *indx = -1; - do { + do { - DECR_LENGTH_RET(data_size, 2, 0); - size = _gnutls_read_uint16(data); - DECR_LENGTH_RET(data_size, size, 0); - data += 2; - - for (i = 0; i < cred->ncerts; i++) { - for (j = 0; j < cred->cert_list_length[i]; j++) { - if ((result = - _gnutls_cert_get_issuer_dn(&cred-> - cert_list[i][j], - &odn)) < 0) { - gnutls_assert(); - return result; - } - - if (odn.size != size) - continue; - - /* If the DN matches and - * the *_SIGN algorithm matches - * the cert is our cert! - */ - cert_pk = - cred->cert_list[i][0]. - subject_pk_algorithm; - - if ((memcmp(odn.data, data, size) == 0) && - (_gnutls_check_pk_algo_in_list - (pk_algos, pk_algos_length, - cert_pk) == 0)) { - *indx = i; - break; - } - } - if (*indx != -1) - break; + DECR_LENGTH_RET(data_size, 2, 0); + size = _gnutls_read_uint16(data); + DECR_LENGTH_RET(data_size, size, 0); + data += 2; + + for (i = 0; i < cred->ncerts; i++) { + for (j = 0; j < cred->cert_list_length[i]; j++) { + if ((result = + _gnutls_cert_get_issuer_dn(&cred-> + cert_list[i][j], + &odn)) < 0) { + gnutls_assert(); + return result; } - if (*indx != -1) - break; + if (odn.size != size) + continue; - /* move to next record */ - data += size; + /* If the DN matches and + * the *_SIGN algorithm matches + * the cert is our cert! + */ + cert_pk = cred->cert_list[i][0].subject_pk_algorithm; - } while (1); + if ((memcmp(odn.data, data, size) == 0) && + (_gnutls_check_pk_algo_in_list + (pk_algos, pk_algos_length, cert_pk) == 0)) { + *indx = i; + break; + } + } + if (*indx != -1) + break; + } - return 0; + if (*indx != -1) + break; + + /* move to next record */ + data += size; + + } while (1); + + return 0; } @@ -245,114 +246,114 @@ static int _find_openpgp_cert(const gnutls_certificate_credentials cred, gnutls_pk_algorithm * pk_algos, int pk_algos_length, int *indx) { - uint i, j; + uint i, j; - *indx = -1; + *indx = -1; - for (i = 0; i < cred->ncerts; i++) { - for (j = 0; j < cred->cert_list_length[i]; j++) { - - /* If the *_SIGN algorithm matches - * the cert is our cert! - */ - if ((_gnutls_check_pk_algo_in_list - (pk_algos, pk_algos_length, - cred->cert_list[i][0]. - subject_pk_algorithm) == 0) - && (cred->cert_list[i][0].cert_type == - GNUTLS_CRT_OPENPGP)) { - *indx = i; - break; - } - } - if (*indx != -1) - break; + for (i = 0; i < cred->ncerts; i++) { + for (j = 0; j < cred->cert_list_length[i]; j++) { + + /* If the *_SIGN algorithm matches + * the cert is our cert! + */ + if ((_gnutls_check_pk_algo_in_list + (pk_algos, pk_algos_length, + cred->cert_list[i][0].subject_pk_algorithm) == 0) + && (cred->cert_list[i][0].cert_type == GNUTLS_CRT_OPENPGP)) { + *indx = i; + break; + } } + if (*indx != -1) + break; + } - return 0; + return 0; } /* Returns the number of issuers in the server's * certificate request packet. */ -static int get_issuers_num( gnutls_session session, opaque * data, ssize_t data_size) +static int get_issuers_num(gnutls_session session, opaque * data, + ssize_t data_size) { -int issuers_dn_len = 0, result; -uint size; + int issuers_dn_len = 0, result; + uint size; - /* Count the number of the given issuers; - * This is used to allocate the issuers_dn without - * using realloc(). - */ + /* Count the number of the given issuers; + * This is used to allocate the issuers_dn without + * using realloc(). + */ - if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) - return 0; + if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) + return 0; - if (data_size > 0) do { - /* This works like DECR_LEN() - */ - result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - DECR_LENGTH_COM(data_size, 2, goto error); - size = _gnutls_read_uint16(data); + if (data_size > 0) + do { + /* This works like DECR_LEN() + */ + result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + DECR_LENGTH_COM(data_size, 2, goto error); + size = _gnutls_read_uint16(data); - result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - DECR_LENGTH_COM(data_size, size, goto error); + result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + DECR_LENGTH_COM(data_size, size, goto error); - data += 2; + data += 2; - if (size > 0) { - issuers_dn_len++; - data += size; - } + if (size > 0) { + issuers_dn_len++; + data += size; + } - if (data_size == 0) - break; + if (data_size == 0) + break; } while (1); - return issuers_dn_len; - - error: - return result; + return issuers_dn_len; + + error: + return result; } /* Returns the issuers in the server's certificate request * packet. */ -static int get_issuers( gnutls_session session, - gnutls_datum* issuers_dn, int issuers_len, - opaque * data, size_t data_size) +static int get_issuers(gnutls_session session, + gnutls_datum * issuers_dn, int issuers_len, + opaque * data, size_t data_size) { -int i; -uint size; + int i; + uint size; - if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) - return 0; + if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) + return 0; - /* put the requested DNs to req_dn, only in case - * of X509 certificates. - */ - if (issuers_len > 0) { + /* put the requested DNs to req_dn, only in case + * of X509 certificates. + */ + if (issuers_len > 0) { - for (i = 0; i < issuers_len; i++) { - /* The checks here for the buffer boundaries - * are not needed since the buffer has been - * parsed above. - */ - data_size -= 2; + for (i = 0; i < issuers_len; i++) { + /* The checks here for the buffer boundaries + * are not needed since the buffer has been + * parsed above. + */ + data_size -= 2; - size = _gnutls_read_uint16(data); + size = _gnutls_read_uint16(data); - data += 2; + data += 2; - issuers_dn[i].data = data; - issuers_dn[i].size = size; + issuers_dn[i].data = data; + issuers_dn[i].size = size; - data += size; - } + data += size; } + } - return 0; + return 0; } @@ -361,100 +362,99 @@ OPENPGP_PRIVKEY_DEINIT _E_gnutls_openpgp_privkey_deinit; /* Calls the client get callback. */ -static int call_get_cert_callback( gnutls_session session, - gnutls_datum* issuers_dn, int issuers_dn_length, - gnutls_pk_algorithm* pk_algos, int pk_algos_length) +static int call_get_cert_callback(gnutls_session session, + gnutls_datum * issuers_dn, + int issuers_dn_length, + gnutls_pk_algorithm * pk_algos, + int pk_algos_length) { -uint i; -gnutls_cert *local_certs = NULL; -gnutls_privkey *local_key = NULL; -gnutls_retr_st st; -int ret; -gnutls_certificate_type type = - gnutls_certificate_type_get(session); -const gnutls_certificate_credentials cred; - - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - memset( &st, 0, sizeof(st)); - - if (session->security_parameters.entity == GNUTLS_SERVER) { - ret = - cred->server_get_cert_callback(session, &st); - } else { /* CLIENT */ - ret = - cred->client_get_cert_callback(session, - issuers_dn, issuers_dn_length, - pk_algos, pk_algos_length, - &st); - } - - if (ret < 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - if (st.ncerts == 0) - return 0; /* no certificate was selected */ - - if (type != st.type) { + uint i; + gnutls_cert *local_certs = NULL; + gnutls_privkey *local_key = NULL; + gnutls_retr_st st; + int ret; + gnutls_certificate_type type = gnutls_certificate_type_get(session); + const gnutls_certificate_credentials cred; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + memset(&st, 0, sizeof(st)); + + if (session->security_parameters.entity == GNUTLS_SERVER) { + ret = cred->server_get_cert_callback(session, &st); + } else { /* CLIENT */ + ret = + cred->client_get_cert_callback(session, + issuers_dn, issuers_dn_length, + pk_algos, pk_algos_length, &st); + } + + if (ret < 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (st.ncerts == 0) + return 0; /* no certificate was selected */ + + if (type != st.type) { + gnutls_assert(); + ret = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + if (type == GNUTLS_CRT_X509) { + local_certs = alloc_and_load_x509_certs(st.cert.x509, st.ncerts); + if (local_certs != NULL) + local_key = alloc_and_load_x509_key(st.key.x509); + + } else { /* PGP */ + if (st.ncerts > 1) { + gnutls_assert(); + ret = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + local_certs = alloc_and_load_pgp_certs(st.cert.pgp); + if (local_certs != NULL) + local_key = alloc_and_load_pgp_key(st.key.pgp); + + } + + _gnutls_selected_certs_set(session, local_certs, + (local_certs != NULL) ? st.ncerts : 0, + local_key, 1); + + ret = 0; + + cleanup: + + if (st.type == GNUTLS_CRT_X509) { + if (st.deinit_all) { + for (i = 0; i < st.ncerts; i++) { + gnutls_x509_crt_deinit(st.cert.x509[i]); + } + gnutls_free(st.cert.x509); + gnutls_x509_privkey_deinit(st.key.x509); + } + } else { + if (st.deinit_all) { + if (_E_gnutls_openpgp_key_deinit == NULL || + _E_gnutls_openpgp_privkey_deinit == NULL) { gnutls_assert(); - ret = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - if (type == GNUTLS_CRT_X509) { - local_certs = alloc_and_load_x509_certs(st.cert.x509, st.ncerts); - if (local_certs != NULL) - local_key = alloc_and_load_x509_key(st.key.x509); - - } else { /* PGP */ - if (st.ncerts > 1) { - gnutls_assert(); - ret = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - local_certs = alloc_and_load_pgp_certs(st.cert.pgp); - if (local_certs != NULL) - local_key = alloc_and_load_pgp_key(st.key.pgp); - - } - - _gnutls_selected_certs_set(session, local_certs, (local_certs!=NULL)?st.ncerts:0, - local_key, 1); - - ret = 0; - -cleanup: + return GNUTLS_E_INIT_LIBEXTRA; + } - if (st.type == GNUTLS_CRT_X509) { - if (st.deinit_all) { - for (i = 0; i < st.ncerts; i++) { - gnutls_x509_crt_deinit(st.cert.x509[i]); - } - gnutls_free( st.cert.x509); - gnutls_x509_privkey_deinit(st.key.x509); - } - } else { - if (st.deinit_all) { - if (_E_gnutls_openpgp_key_deinit == NULL || - _E_gnutls_openpgp_privkey_deinit == NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; - } - - _E_gnutls_openpgp_key_deinit(st.cert.pgp); - _E_gnutls_openpgp_privkey_deinit(st.key.pgp); - } + _E_gnutls_openpgp_key_deinit(st.cert.pgp); + _E_gnutls_openpgp_privkey_deinit(st.key.pgp); } + } - return ret; + return ret; } /* Finds the appropriate certificate depending on the cA Distinguished name @@ -469,92 +469,92 @@ static int _select_client_cert(gnutls_session session, gnutls_pk_algorithm * pk_algos, int pk_algos_length) { - int result; - int indx = -1; - const gnutls_certificate_credentials cred; - opaque *data = _data; - ssize_t data_size = _data_size; - int issuers_dn_length; - gnutls_datum * issuers_dn = NULL; - - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { + int result; + int indx = -1; + const gnutls_certificate_credentials cred; + opaque *data = _data; + ssize_t data_size = _data_size; + int issuers_dn_length; + gnutls_datum *issuers_dn = NULL; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (cred->client_get_cert_callback != NULL) { + + /* use a callback to get certificate + */ + if (session->security_parameters.cert_type != GNUTLS_CRT_X509) + issuers_dn_length = 0; + else { + issuers_dn_length = get_issuers_num(session, data, data_size); + if (issuers_dn_length < 0) { gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (cred->client_get_cert_callback != NULL) { + return issuers_dn_length; + } + + if (issuers_dn_length > 0) { + issuers_dn = + gnutls_malloc(sizeof(gnutls_datum) * + issuers_dn_length); + if (issuers_dn == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - /* use a callback to get certificate - */ - if (session->security_parameters.cert_type != GNUTLS_CRT_X509) - issuers_dn_length = 0; - else { - issuers_dn_length = get_issuers_num( session, data, data_size); - if (issuers_dn_length < 0) { - gnutls_assert(); - return issuers_dn_length; - } - - if (issuers_dn_length > 0) { - issuers_dn = gnutls_malloc( sizeof(gnutls_datum)*issuers_dn_length); - if (issuers_dn == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - result = get_issuers( session, issuers_dn, issuers_dn_length, data, data_size); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } + result = + get_issuers(session, issuers_dn, issuers_dn_length, + data, data_size); + if (result < 0) { + gnutls_assert(); + goto cleanup; } + } + } - result = call_get_cert_callback( session, issuers_dn, issuers_dn_length, - pk_algos, pk_algos_length); - goto cleanup; + result = + call_get_cert_callback(session, issuers_dn, issuers_dn_length, + pk_algos, pk_algos_length); + goto cleanup; - } else { - /* If we have no callbacks, try to guess. - */ - result = 0; - - if (session->security_parameters.cert_type == - GNUTLS_CRT_X509) - result = - _find_x509_cert(cred, _data, _data_size, - pk_algos, pk_algos_length, - &indx); + } else { + /* If we have no callbacks, try to guess. + */ + result = 0; - if (session->security_parameters.cert_type == - GNUTLS_CRT_OPENPGP) - result = - _find_openpgp_cert(cred, pk_algos, - pk_algos_length, &indx); + if (session->security_parameters.cert_type == GNUTLS_CRT_X509) + result = + _find_x509_cert(cred, _data, _data_size, + pk_algos, pk_algos_length, &indx); + if (session->security_parameters.cert_type == GNUTLS_CRT_OPENPGP) + result = + _find_openpgp_cert(cred, pk_algos, pk_algos_length, &indx); - if (result < 0) { - gnutls_assert(); - return result; - } - if (indx >= 0) { - _gnutls_selected_certs_set(session, - &cred->cert_list[indx][0], - cred->cert_list_length[indx], - &cred->pkey[indx], 0); - } else { - _gnutls_selected_certs_set(session, NULL, 0, NULL, 0); - } + if (result < 0) { + gnutls_assert(); + return result; + } - result = 0; + if (indx >= 0) { + _gnutls_selected_certs_set(session, + &cred->cert_list[indx][0], + cred->cert_list_length[indx], + &cred->pkey[indx], 0); + } else { + _gnutls_selected_certs_set(session, NULL, 0, NULL, 0); } -cleanup: - gnutls_free( issuers_dn); - return result; + result = 0; + } + + cleanup: + gnutls_free(issuers_dn); + return result; } @@ -563,100 +563,100 @@ cleanup: int _gnutls_gen_x509_crt(gnutls_session session, opaque ** data) { - int ret, i; - opaque *pdata; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length; - - /* find the appropriate certificate - */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } - - ret = 3; - for (i = 0; i < apr_cert_list_length; i++) { - ret += apr_cert_list[i].raw.size + 3; - /* hold size - * for uint24 */ - } - - /* if no certificates were found then send: - * 0B 00 00 03 00 00 00 // Certificate with no certs - * instead of: - * 0B 00 00 00 // empty certificate handshake - * - * ( the above is the whole handshake message, not - * the one produced here ) - */ - - (*data) = gnutls_malloc(ret); - pdata = (*data); - - if (pdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_write_uint24(ret - 3, pdata); - pdata += 3; - for (i = 0; i < apr_cert_list_length; i++) { - _gnutls_write_datum24(pdata, apr_cert_list[i].raw); - pdata += (3 + apr_cert_list[i].raw.size); - } - + int ret, i; + opaque *pdata; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + + /* find the appropriate certificate + */ + if ((ret = + _gnutls_get_selected_cert(session, &apr_cert_list, + &apr_cert_list_length, + &apr_pkey)) < 0) { + gnutls_assert(); return ret; + } + + ret = 3; + for (i = 0; i < apr_cert_list_length; i++) { + ret += apr_cert_list[i].raw.size + 3; + /* hold size + * for uint24 */ + } + + /* if no certificates were found then send: + * 0B 00 00 03 00 00 00 // Certificate with no certs + * instead of: + * 0B 00 00 00 // empty certificate handshake + * + * ( the above is the whole handshake message, not + * the one produced here ) + */ + + (*data) = gnutls_malloc(ret); + pdata = (*data); + + if (pdata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + _gnutls_write_uint24(ret - 3, pdata); + pdata += 3; + for (i = 0; i < apr_cert_list_length; i++) { + _gnutls_write_datum24(pdata, apr_cert_list[i].raw); + pdata += (3 + apr_cert_list[i].raw.size); + } + + return ret; } enum PGPKeyDescriptorType { PGP_KEY_FINGERPRINT, PGP_KEY }; int _gnutls_gen_openpgp_certificate(gnutls_session session, opaque ** data) { - int ret; - opaque *pdata; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length; - - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } + int ret; + opaque *pdata; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert(session, &apr_cert_list, + &apr_cert_list_length, + &apr_pkey)) < 0) { + gnutls_assert(); + return ret; + } - ret = 3 + 1 + 3; + ret = 3 + 1 + 3; - if (apr_cert_list_length > 0) - ret += apr_cert_list[0].raw.size; + if (apr_cert_list_length > 0) + ret += apr_cert_list[0].raw.size; - (*data) = gnutls_malloc(ret); - pdata = (*data); + (*data) = gnutls_malloc(ret); + pdata = (*data); - if (pdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (pdata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - _gnutls_write_uint24(ret - 3, pdata); - pdata += 3; + _gnutls_write_uint24(ret - 3, pdata); + pdata += 3; - *pdata = PGP_KEY; /* whole key */ - pdata++; + *pdata = PGP_KEY; /* whole key */ + pdata++; - if (apr_cert_list_length > 0) { - _gnutls_write_datum24(pdata, apr_cert_list[0].raw); - pdata += (3 + apr_cert_list[0].raw.size); - } else /* empty - no certificate */ - _gnutls_write_uint24(0, pdata); + if (apr_cert_list_length > 0) { + _gnutls_write_datum24(pdata, apr_cert_list[0].raw); + pdata += (3 + apr_cert_list[0].raw.size); + } else /* empty - no certificate */ + _gnutls_write_uint24(0, pdata); - return ret; + return ret; } OPENPGP_FINGERPRINT _E_gnutls_openpgp_fingerprint = NULL; @@ -666,63 +666,63 @@ extern OPENPGP_RAW_KEY_TO_GCERT _E_gnutls_openpgp_raw_key_to_gcert; int _gnutls_gen_openpgp_certificate_fpr(gnutls_session session, opaque ** data) { - int ret, packet_size; - size_t fpr_size; - opaque *pdata; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length; - - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } + int ret, packet_size; + size_t fpr_size; + opaque *pdata; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert(session, &apr_cert_list, + &apr_cert_list_length, + &apr_pkey)) < 0) { + gnutls_assert(); + return ret; + } - packet_size = 3 + 1; + packet_size = 3 + 1; - /* Only v4 fingerprints are sent - */ - if (apr_cert_list_length > 0 && apr_cert_list[0].version == 4) - packet_size += 20 + 1; - else /* empty certificate case */ - return _gnutls_gen_openpgp_certificate(session, data); + /* Only v4 fingerprints are sent + */ + if (apr_cert_list_length > 0 && apr_cert_list[0].version == 4) + packet_size += 20 + 1; + else /* empty certificate case */ + return _gnutls_gen_openpgp_certificate(session, data); - (*data) = gnutls_malloc(packet_size); - pdata = (*data); + (*data) = gnutls_malloc(packet_size); + pdata = (*data); - if (pdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (pdata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - _gnutls_write_uint24(packet_size - 3, pdata); - pdata += 3; + _gnutls_write_uint24(packet_size - 3, pdata); + pdata += 3; - *pdata = PGP_KEY_FINGERPRINT; /* key fingerprint */ - pdata++; + *pdata = PGP_KEY_FINGERPRINT; /* key fingerprint */ + pdata++; - *pdata = 20; - pdata++; + *pdata = 20; + pdata++; - fpr_size = 20; + fpr_size = 20; - if (_E_gnutls_openpgp_fingerprint == NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; - } + if (_E_gnutls_openpgp_fingerprint == NULL) { + gnutls_assert(); + return GNUTLS_E_INIT_LIBEXTRA; + } - if ((ret = - _E_gnutls_openpgp_fingerprint(&apr_cert_list[0].raw, pdata, - &fpr_size)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = + _E_gnutls_openpgp_fingerprint(&apr_cert_list[0].raw, pdata, + &fpr_size)) < 0) { + gnutls_assert(); + return ret; + } - return packet_size; + return packet_size; } @@ -730,37 +730,34 @@ int _gnutls_gen_openpgp_certificate_fpr(gnutls_session session, int _gnutls_gen_cert_client_certificate(gnutls_session session, opaque ** data) { - switch (session->security_parameters.cert_type) { - case GNUTLS_CRT_OPENPGP: - if (_gnutls_openpgp_send_fingerprint(session) == 0) - return - _gnutls_gen_openpgp_certificate(session, data); - else - return - _gnutls_gen_openpgp_certificate_fpr - (session, data); - - case GNUTLS_CRT_X509: - return _gnutls_gen_x509_crt(session, data); - - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + switch (session->security_parameters.cert_type) { + case GNUTLS_CRT_OPENPGP: + if (_gnutls_openpgp_send_fingerprint(session) == 0) + return _gnutls_gen_openpgp_certificate(session, data); + else + return _gnutls_gen_openpgp_certificate_fpr(session, data); + + case GNUTLS_CRT_X509: + return _gnutls_gen_x509_crt(session, data); + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } } int _gnutls_gen_cert_server_certificate(gnutls_session session, opaque ** data) { - switch (session->security_parameters.cert_type) { - case GNUTLS_CRT_OPENPGP: - return _gnutls_gen_openpgp_certificate(session, data); - case GNUTLS_CRT_X509: - return _gnutls_gen_x509_crt(session, data); - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + switch (session->security_parameters.cert_type) { + case GNUTLS_CRT_OPENPGP: + return _gnutls_gen_openpgp_certificate(session, data); + case GNUTLS_CRT_X509: + return _gnutls_gen_x509_crt(session, data); + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } } /* Process server certificate @@ -770,130 +767,126 @@ int _gnutls_gen_cert_server_certificate(gnutls_session session, int _gnutls_proc_x509_server_certificate(gnutls_session session, opaque * data, size_t data_size) { - int size, len, ret; - opaque *p = data; - cert_auth_info_t info; - const gnutls_certificate_credentials cred; - ssize_t dsize = data_size; - int i, j, x; - gnutls_cert *peer_certificate_list; - int peer_certificate_list_size = 0; - gnutls_datum tmp; - - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + int size, len, ret; + opaque *p = data; + cert_auth_info_t info; + const gnutls_certificate_credentials cred; + ssize_t dsize = data_size; + int i, j, x; + gnutls_cert *peer_certificate_list; + int peer_certificate_list_size = 0; + gnutls_datum tmp; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + + if ((ret = + _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, + sizeof(cert_auth_info_st), 1)) < 0) { + gnutls_assert(); + return ret; + } + info = _gnutls_get_auth_info(session); - if ((ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, - sizeof(cert_auth_info_st), 1)) < - 0) { - gnutls_assert(); - return ret; - } + if (data == NULL || data_size == 0) { + gnutls_assert(); + /* no certificate was sent */ + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } - info = _gnutls_get_auth_info(session); + DECR_LEN(dsize, 3); + size = _gnutls_read_uint24(p); + p += 3; - if (data == NULL || data_size == 0) { - gnutls_assert(); - /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } + if (size == 0) { + gnutls_assert(); + /* no certificate was sent */ + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + i = dsize; + while (i > 0) { DECR_LEN(dsize, 3); - size = _gnutls_read_uint24(p); + len = _gnutls_read_uint24(p); + p += 3; + DECR_LEN(dsize, len); + peer_certificate_list_size++; + p += len; + i -= len + 3; + } + + if (peer_certificate_list_size == 0) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + /* Ok we now allocate the memory to hold the + * certificate list + */ + + peer_certificate_list = + gnutls_malloc(sizeof(gnutls_cert) * (peer_certificate_list_size)); + + if (peer_certificate_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + memset(peer_certificate_list, 0, sizeof(gnutls_cert) * + peer_certificate_list_size); + + p = data + 3; + + /* Now we start parsing the list (again). + * We don't use DECR_LEN since the list has + * been parsed before. + */ + + for (j = 0; j < peer_certificate_list_size; j++) { + len = _gnutls_read_uint24(p); p += 3; - if (size == 0) { - gnutls_assert(); - /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - i = dsize; - while (i > 0) { - DECR_LEN(dsize, 3); - len = _gnutls_read_uint24(p); - p += 3; - DECR_LEN(dsize, len); - peer_certificate_list_size++; - p += len; - i -= len + 3; - } + tmp.size = len; + tmp.data = p; - if (peer_certificate_list_size == 0) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; + if ((ret = + _gnutls_x509_raw_cert_to_gcert(&peer_certificate_list + [j], &tmp, + CERT_ONLY_EXTENSIONS)) < 0) { + gnutls_assert(); + goto cleanup; } - /* Ok we now allocate the memory to hold the - * certificate list - */ + p += len; + } - peer_certificate_list = - gnutls_malloc(sizeof(gnutls_cert) * - (peer_certificate_list_size)); - if (peer_certificate_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - memset(peer_certificate_list, 0, sizeof(gnutls_cert) * - peer_certificate_list_size); + if ((ret = + _gnutls_copy_certificate_auth_info(info, + peer_certificate_list, + peer_certificate_list_size)) + < 0) { + gnutls_assert(); + goto cleanup; + } - p = data + 3; + if ((ret = + _gnutls_check_key_usage(&peer_certificate_list[0], + gnutls_kx_get(session))) < 0) { + gnutls_assert(); + goto cleanup; + } - /* Now we start parsing the list (again). - * We don't use DECR_LEN since the list has - * been parsed before. - */ + ret = 0; - for (j = 0; j < peer_certificate_list_size; j++) { - len = _gnutls_read_uint24(p); - p += 3; - - tmp.size = len; - tmp.data = p; - - if ((ret = - _gnutls_x509_raw_cert_to_gcert(&peer_certificate_list - [j], &tmp, - CERT_ONLY_EXTENSIONS)) < - 0) { - gnutls_assert(); - goto cleanup; - } - - p += len; - } - - - if ((ret = - _gnutls_copy_certificate_auth_info(info, - peer_certificate_list, - peer_certificate_list_size)) - < 0) { - gnutls_assert(); - goto cleanup; - } - - if ((ret = - _gnutls_check_key_usage(&peer_certificate_list[0], - gnutls_kx_get(session))) < 0) { - gnutls_assert(); - goto cleanup; - } - - ret = 0; - - cleanup: - CLEAR_CERTS; - gnutls_free(peer_certificate_list); - return ret; + cleanup: + CLEAR_CERTS; + gnutls_free(peer_certificate_list); + return ret; } @@ -902,181 +895,177 @@ int _gnutls_proc_openpgp_server_certificate(gnutls_session session, opaque * data, size_t data_size) { - int size, ret, len; - opaque *p = data; - cert_auth_info_t info; - const gnutls_certificate_credentials cred; - ssize_t dsize = data_size; - int i, x; - gnutls_cert *peer_certificate_list = NULL; - int peer_certificate_list_size = 0; - gnutls_datum tmp, akey = { NULL, 0 }; - - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + int size, ret, len; + opaque *p = data; + cert_auth_info_t info; + const gnutls_certificate_credentials cred; + ssize_t dsize = data_size; + int i, x; + gnutls_cert *peer_certificate_list = NULL; + int peer_certificate_list_size = 0; + gnutls_datum tmp, akey = { NULL, 0 }; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if ((ret = + _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, + sizeof(cert_auth_info_st), 1)) < 0) { + gnutls_assert(); + return ret; + } - if ((ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, - sizeof(cert_auth_info_st), 1)) < - 0) { - gnutls_assert(); - return ret; - } + info = _gnutls_get_auth_info(session); - info = _gnutls_get_auth_info(session); + if (data == NULL || data_size == 0) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } - if (data == NULL || data_size == 0) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } + DECR_LEN(dsize, 3); + size = _gnutls_read_uint24(p); + p += 3; - DECR_LEN(dsize, 3); - size = _gnutls_read_uint24(p); - p += 3; + if (size == 0) { + gnutls_assert(); + /* no certificate was sent */ + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + i = dsize; - if (size == 0) { - gnutls_assert(); - /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - i = dsize; + /* Read PGPKeyDescriptor */ + DECR_LEN(dsize, 1); + if (*p == PGP_KEY_FINGERPRINT) { /* the fingerprint */ + p++; - /* Read PGPKeyDescriptor */ DECR_LEN(dsize, 1); - if (*p == PGP_KEY_FINGERPRINT) { /* the fingerprint */ - p++; - - DECR_LEN(dsize, 1); - len = (uint8) * p; - p++; - - if (len != 20) { - gnutls_assert(); - return GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED; - } - - DECR_LEN(dsize, 20); - - /* request the actual key from our database, or - * a key server or anything. - */ - if (_E_gnutls_openpgp_request_key == NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; - } - if ((ret = - _E_gnutls_openpgp_request_key(session, &akey, cred, p, - 20)) < 0) { - gnutls_assert(); - return ret; - } - tmp = akey; - peer_certificate_list_size++; - - } else if (*p == PGP_KEY) { /* the whole key */ - - p++; - - /* Read the actual certificate */ - DECR_LEN(dsize, 3); - len = _gnutls_read_uint24(p); - p += 3; - - if (len == 0) { - gnutls_assert(); - /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - DECR_LEN(dsize, len); - peer_certificate_list_size++; - - tmp.size = len; - tmp.data = p; - - } else { - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; - } - - /* ok we now have the peer's key in tmp datum - */ - - if (peer_certificate_list_size == 0) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + len = (uint8) * p; + p++; - peer_certificate_list = - gnutls_alloca(sizeof(gnutls_cert) * - (peer_certificate_list_size)); - if (peer_certificate_list == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + if (len != 20) { + gnutls_assert(); + return GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED; } - memset(peer_certificate_list, 0, sizeof(gnutls_cert) * - peer_certificate_list_size); - if (_E_gnutls_openpgp_raw_key_to_gcert == NULL) { - gnutls_assert(); - ret = GNUTLS_E_INIT_LIBEXTRA; - goto cleanup; - } + DECR_LEN(dsize, 20); - if ((ret = - _E_gnutls_openpgp_raw_key_to_gcert(&peer_certificate_list[0], - &tmp)) < 0) { - gnutls_assert(); - goto cleanup; + /* request the actual key from our database, or + * a key server or anything. + */ + if (_E_gnutls_openpgp_request_key == NULL) { + gnutls_assert(); + return GNUTLS_E_INIT_LIBEXTRA; } - if ((ret = - _gnutls_copy_certificate_auth_info(info, - peer_certificate_list, - peer_certificate_list_size)) - < 0) { - gnutls_assert(); - goto cleanup; + _E_gnutls_openpgp_request_key(session, &akey, cred, p, + 20)) < 0) { + gnutls_assert(); + return ret; } + tmp = akey; + peer_certificate_list_size++; - if ((ret = - _gnutls_check_key_usage(&peer_certificate_list[0], - gnutls_kx_get(session))) < 0) { - gnutls_assert(); - goto cleanup; - } + } else if (*p == PGP_KEY) { /* the whole key */ - ret = 0; + p++; - cleanup: + /* Read the actual certificate */ + DECR_LEN(dsize, 3); + len = _gnutls_read_uint24(p); + p += 3; - _gnutls_free_datum(&akey); - CLEAR_CERTS; - gnutls_afree(peer_certificate_list); - return ret; + if (len == 0) { + gnutls_assert(); + /* no certificate was sent */ + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + DECR_LEN(dsize, len); + peer_certificate_list_size++; + + tmp.size = len; + tmp.data = p; + + } else { + gnutls_assert(); + return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + } + + /* ok we now have the peer's key in tmp datum + */ + + if (peer_certificate_list_size == 0) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + peer_certificate_list = + gnutls_alloca(sizeof(gnutls_cert) * (peer_certificate_list_size)); + if (peer_certificate_list == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + memset(peer_certificate_list, 0, sizeof(gnutls_cert) * + peer_certificate_list_size); + + if (_E_gnutls_openpgp_raw_key_to_gcert == NULL) { + gnutls_assert(); + ret = GNUTLS_E_INIT_LIBEXTRA; + goto cleanup; + } + + if ((ret = + _E_gnutls_openpgp_raw_key_to_gcert(&peer_certificate_list[0], + &tmp)) < 0) { + gnutls_assert(); + goto cleanup; + } + + if ((ret = + _gnutls_copy_certificate_auth_info(info, + peer_certificate_list, + peer_certificate_list_size)) + < 0) { + gnutls_assert(); + goto cleanup; + } + + if ((ret = + _gnutls_check_key_usage(&peer_certificate_list[0], + gnutls_kx_get(session))) < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = 0; + + cleanup: + + _gnutls_free_datum(&akey); + CLEAR_CERTS; + gnutls_afree(peer_certificate_list); + return ret; } int _gnutls_proc_cert_server_certificate(gnutls_session session, opaque * data, size_t data_size) { - switch (session->security_parameters.cert_type) { - case GNUTLS_CRT_OPENPGP: - return _gnutls_proc_openpgp_server_certificate(session, - data, - data_size); - case GNUTLS_CRT_X509: - return _gnutls_proc_x509_server_certificate(session, data, - data_size); - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + switch (session->security_parameters.cert_type) { + case GNUTLS_CRT_OPENPGP: + return _gnutls_proc_openpgp_server_certificate(session, + data, data_size); + case GNUTLS_CRT_X509: + return _gnutls_proc_x509_server_certificate(session, data, + data_size); + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } } #define MAX_SIGN_ALGOS 2 @@ -1090,238 +1079,235 @@ typedef enum CertificateSigType { RSA_SIGN = 1, DSA_SIGN inline static int _gnutls_check_supported_sign_algo(CertificateSigType algo) { - switch (algo) { - case RSA_SIGN: - return GNUTLS_PK_RSA; - case DSA_SIGN: - return GNUTLS_PK_DSA; - } - - return -1; + switch (algo) { + case RSA_SIGN: + return GNUTLS_PK_RSA; + case DSA_SIGN: + return GNUTLS_PK_DSA; + } + + return -1; } int _gnutls_proc_cert_cert_req(gnutls_session session, opaque * data, size_t data_size) { - int size, ret; - opaque *p; - const gnutls_certificate_credentials cred; - cert_auth_info_t info; - ssize_t dsize; - int i, j; - gnutls_pk_algorithm pk_algos[MAX_SIGN_ALGOS]; - int pk_algos_length; - - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if ((ret = - _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, - sizeof(cert_auth_info_st), 0)) < - 0) { - gnutls_assert(); - return ret; - } + int size, ret; + opaque *p; + const gnutls_certificate_credentials cred; + cert_auth_info_t info; + ssize_t dsize; + int i, j; + gnutls_pk_algorithm pk_algos[MAX_SIGN_ALGOS]; + int pk_algos_length; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if ((ret = + _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, + sizeof(cert_auth_info_st), 0)) < 0) { + gnutls_assert(); + return ret; + } - info = _gnutls_get_auth_info(session); + info = _gnutls_get_auth_info(session); - p = data; - dsize = data_size; + p = data; + dsize = data_size; + DECR_LEN(dsize, 1); + size = p[0]; + p++; + /* check if the sign algorithm is supported. + */ + pk_algos_length = j = 0; + for (i = 0; i < size; i++, p++) { DECR_LEN(dsize, 1); - size = p[0]; - p++; - /* check if the sign algorithm is supported. - */ - pk_algos_length = j = 0; - for (i = 0; i < size; i++, p++) { - DECR_LEN(dsize, 1); - if ((ret = _gnutls_check_supported_sign_algo(*p)) > 0) { - if (j < MAX_SIGN_ALGOS) { - pk_algos[j++] = ret; - pk_algos_length++; - } - } - } - - if (pk_algos_length == 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_PK_ALGORITHM; - } - - if (session->security_parameters.cert_type == GNUTLS_CRT_X509) { - DECR_LEN(dsize, 2); - size = _gnutls_read_uint16(p); - p += 2; - } else { - p = NULL; - size = 0; + if ((ret = _gnutls_check_supported_sign_algo(*p)) > 0) { + if (j < MAX_SIGN_ALGOS) { + pk_algos[j++] = ret; + pk_algos_length++; + } } + } - DECR_LEN(dsize, size); + if (pk_algos_length == 0) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_PK_ALGORITHM; + } - /* now we ask the user to tell which one - * he wants to use. - */ - if ((ret = - _select_client_cert(session, p, size, - pk_algos, pk_algos_length)) < 0) { - gnutls_assert(); - return ret; - } + if (session->security_parameters.cert_type == GNUTLS_CRT_X509) { + DECR_LEN(dsize, 2); + size = _gnutls_read_uint16(p); + p += 2; + } else { + p = NULL; + size = 0; + } + + DECR_LEN(dsize, size); + + /* now we ask the user to tell which one + * he wants to use. + */ + if ((ret = + _select_client_cert(session, p, size, + pk_algos, pk_algos_length)) < 0) { + gnutls_assert(); + return ret; + } - /* We should reply with a certificate message, - * even if we have no certificate to send. - */ - session->key->certificate_requested = 1; + /* We should reply with a certificate message, + * even if we have no certificate to send. + */ + session->key->certificate_requested = 1; - return 0; + return 0; } int _gnutls_gen_cert_client_cert_vrfy(gnutls_session session, opaque ** data) { - int ret; - gnutls_cert *apr_cert_list; - gnutls_privkey *apr_pkey; - int apr_cert_list_length, size; - gnutls_datum signature; - - *data = NULL; + int ret; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length, size; + gnutls_datum signature; + + *data = NULL; + + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert(session, &apr_cert_list, + &apr_cert_list_length, + &apr_pkey)) < 0) { + gnutls_assert(); + return ret; + } - /* find the appropriate certificate */ + if (apr_pkey != NULL) { if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, - &apr_cert_list_length, - &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } - - if (apr_pkey != NULL) { - if ((ret = - _gnutls_tls_sign_hdata(session, - &apr_cert_list[0], - apr_pkey, &signature)) < 0) { - gnutls_assert(); - return ret; - } - } else { - return 0; + _gnutls_tls_sign_hdata(session, + &apr_cert_list[0], + apr_pkey, &signature)) < 0) { + gnutls_assert(); + return ret; } + } else { + return 0; + } - *data = gnutls_malloc(signature.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&signature); - return GNUTLS_E_MEMORY_ERROR; - } - size = signature.size; - _gnutls_write_uint16(size, *data); + *data = gnutls_malloc(signature.size + 2); + if (*data == NULL) { + _gnutls_free_datum(&signature); + return GNUTLS_E_MEMORY_ERROR; + } + size = signature.size; + _gnutls_write_uint16(size, *data); - memcpy(&(*data)[2], signature.data, size); + memcpy(&(*data)[2], signature.data, size); - _gnutls_free_datum(&signature); + _gnutls_free_datum(&signature); - return size + 2; + return size + 2; } int _gnutls_proc_cert_client_cert_vrfy(gnutls_session session, opaque * data, size_t data_size) { - int size, ret; - ssize_t dsize = data_size; - opaque *pdata = data; - gnutls_datum sig; - cert_auth_info_t info = _gnutls_get_auth_info(session); - gnutls_cert peer_cert; - - if (info == NULL || info->ncerts == 0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return GNUTLS_E_INTERNAL_ERROR; - } - - DECR_LEN(dsize, 2); - size = _gnutls_read_uint16(pdata); - pdata += 2; - - DECR_LEN(dsize, size); - - sig.data = pdata; - sig.size = size; - - ret = _gnutls_raw_cert_to_gcert( &peer_cert, - session->security_parameters.cert_type, - &info->raw_certificate_list[0], CERT_NO_COPY); - - if (ret < 0) { - gnutls_assert(); - return ret; - } + int size, ret; + ssize_t dsize = data_size; + opaque *pdata = data; + gnutls_datum sig; + cert_auth_info_t info = _gnutls_get_auth_info(session); + gnutls_cert peer_cert; + + if (info == NULL || info->ncerts == 0) { + gnutls_assert(); + /* we need this in order to get peer's certificate */ + return GNUTLS_E_INTERNAL_ERROR; + } + + DECR_LEN(dsize, 2); + size = _gnutls_read_uint16(pdata); + pdata += 2; + + DECR_LEN(dsize, size); + + sig.data = pdata; + sig.size = size; + + ret = _gnutls_raw_cert_to_gcert(&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_NO_COPY); + + if (ret < 0) { + gnutls_assert(); + return ret; + } - if ((ret = - _gnutls_verify_sig_hdata(session, &peer_cert, &sig)) < 0) { - gnutls_assert(); - _gnutls_gcert_deinit(&peer_cert); - return ret; - } + if ((ret = _gnutls_verify_sig_hdata(session, &peer_cert, &sig)) < 0) { + gnutls_assert(); _gnutls_gcert_deinit(&peer_cert); + return ret; + } + _gnutls_gcert_deinit(&peer_cert); - return 0; + return 0; } #define CERTTYPE_SIZE 3 int _gnutls_gen_cert_server_cert_req(gnutls_session session, opaque ** data) { - const gnutls_certificate_credentials cred; - int size; - opaque *pdata; - - /* Now we need to generate the RDN sequence. This is - * already in the CERTIFICATE_CRED structure, to improve - * performance. - */ - - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - size = CERTTYPE_SIZE + 2; /* 2 for gnutls_certificate_type + 2 for size of rdn_seq - */ + const gnutls_certificate_credentials cred; + int size; + opaque *pdata; + + /* Now we need to generate the RDN sequence. This is + * already in the CERTIFICATE_CRED structure, to improve + * performance. + */ + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + size = CERTTYPE_SIZE + 2; /* 2 for gnutls_certificate_type + 2 for size of rdn_seq + */ - if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && - session->internals.ignore_rdn_sequence == 0) - size += cred->x509_rdn_sequence.size; + if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && + session->internals.ignore_rdn_sequence == 0) + size += cred->x509_rdn_sequence.size; - (*data) = gnutls_malloc(size); - pdata = (*data); + (*data) = gnutls_malloc(size); + pdata = (*data); - if (pdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (pdata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - pdata[0] = CERTTYPE_SIZE - 1; + pdata[0] = CERTTYPE_SIZE - 1; - pdata[1] = RSA_SIGN; - pdata[2] = DSA_SIGN; /* only these for now */ - pdata += CERTTYPE_SIZE; + pdata[1] = RSA_SIGN; + pdata[2] = DSA_SIGN; /* only these for now */ + pdata += CERTTYPE_SIZE; - if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && - session->internals.ignore_rdn_sequence == 0) { - _gnutls_write_datum16(pdata, cred->x509_rdn_sequence); - /* pdata += cred->x509_rdn_sequence.size + 2; */ - } + if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && + session->internals.ignore_rdn_sequence == 0) { + _gnutls_write_datum16(pdata, cred->x509_rdn_sequence); + /* pdata += cred->x509_rdn_sequence.size + 2; */ + } - return size; + return size; } @@ -1337,73 +1323,73 @@ int _gnutls_get_selected_cert(gnutls_session session, int *apr_cert_list_length, gnutls_privkey ** apr_pkey) { - if (session->security_parameters.entity == GNUTLS_SERVER) { + if (session->security_parameters.entity == GNUTLS_SERVER) { - /* select_client_cert() has been called before. - */ + /* select_client_cert() has been called before. + */ - *apr_cert_list = session->internals.selected_cert_list; - *apr_pkey = session->internals.selected_key; - *apr_cert_list_length = - session->internals.selected_cert_list_length; + *apr_cert_list = session->internals.selected_cert_list; + *apr_pkey = session->internals.selected_key; + *apr_cert_list_length = + session->internals.selected_cert_list_length; - if (apr_cert_list_length == 0 || apr_pkey == NULL || - apr_cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + if (apr_cert_list_length == 0 || apr_pkey == NULL || + apr_cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } - } else { /* CLIENT SIDE + } else { /* CLIENT SIDE */ - /* we have already decided which certificate - * to send. - */ - *apr_cert_list = session->internals.selected_cert_list; - *apr_cert_list_length = - session->internals.selected_cert_list_length; - *apr_pkey = session->internals.selected_key; + /* we have already decided which certificate + * to send. + */ + *apr_cert_list = session->internals.selected_cert_list; + *apr_cert_list_length = + session->internals.selected_cert_list_length; + *apr_pkey = session->internals.selected_key; - } + } - return 0; + return 0; } /* converts the given x509 certificate to gnutls_cert* and allocates * space for them. */ static gnutls_cert *alloc_and_load_x509_certs(gnutls_x509_crt * certs, - uint ncerts) + uint ncerts) { - gnutls_cert *local_certs; - int ret = 0; - uint i, j; - - if (certs == NULL) return NULL; - - local_certs = gnutls_malloc(sizeof(gnutls_cert) * ncerts); - if (local_certs == NULL) { - gnutls_assert(); - return NULL; - } - - for (i = 0; i < ncerts; i++) { - ret = _gnutls_x509_crt_to_gcert(&local_certs[i], - certs[i], 0); - if (ret < 0) - break; - } - - if (ret < 0) { - gnutls_assert(); - for (j = 0; j < i; j++) { - _gnutls_gcert_deinit(&local_certs[j]); - } - gnutls_free(local_certs); - return NULL; - } - - return local_certs; + gnutls_cert *local_certs; + int ret = 0; + uint i, j; + + if (certs == NULL) + return NULL; + + local_certs = gnutls_malloc(sizeof(gnutls_cert) * ncerts); + if (local_certs == NULL) { + gnutls_assert(); + return NULL; + } + + for (i = 0; i < ncerts; i++) { + ret = _gnutls_x509_crt_to_gcert(&local_certs[i], certs[i], 0); + if (ret < 0) + break; + } + + if (ret < 0) { + gnutls_assert(); + for (j = 0; j < i; j++) { + _gnutls_gcert_deinit(&local_certs[j]); + } + gnutls_free(local_certs); + return NULL; + } + + return local_certs; } /* converts the given x509 key to gnutls_privkey* and allocates @@ -1411,25 +1397,25 @@ static gnutls_cert *alloc_and_load_x509_certs(gnutls_x509_crt * certs, */ static gnutls_privkey *alloc_and_load_x509_key(gnutls_x509_privkey key) { - gnutls_privkey *local_key; - int ret = 0; + gnutls_privkey *local_key; + int ret = 0; - if (key == NULL) return NULL; + if (key == NULL) + return NULL; - local_key = gnutls_malloc(sizeof(gnutls_privkey)); - if (local_key == NULL) { - gnutls_assert(); - return NULL; - } + local_key = gnutls_malloc(sizeof(gnutls_privkey)); + if (local_key == NULL) { + gnutls_assert(); + return NULL; + } - ret = - _gnutls_x509_privkey_to_gkey(local_key, key); - if (ret < 0) { - gnutls_assert(); - return NULL; - } + ret = _gnutls_x509_privkey_to_gkey(local_key, key); + if (ret < 0) { + gnutls_assert(); + return NULL; + } - return local_key; + return local_key; } @@ -1441,100 +1427,100 @@ OPENPGP_PRIVKEY_TO_GKEY _E_gnutls_openpgp_privkey_to_gkey; */ static gnutls_cert *alloc_and_load_pgp_certs(gnutls_openpgp_key cert) { - gnutls_cert *local_certs; - int ret = 0; - - if (cert == NULL) return NULL; - - local_certs = gnutls_malloc(sizeof(gnutls_cert)); - if (local_certs == NULL) { - gnutls_assert(); - return NULL; - } - - if (_E_gnutls_openpgp_key_to_gcert==NULL) { - gnutls_assert(); - return NULL; - } - - ret = _E_gnutls_openpgp_key_to_gcert(local_certs, cert); - if (ret < 0) { - gnutls_assert(); - return NULL; - } - - if (ret < 0) { - gnutls_assert(); - _gnutls_gcert_deinit(local_certs); - gnutls_free(local_certs); - return NULL; - } - - return local_certs; + gnutls_cert *local_certs; + int ret = 0; + + if (cert == NULL) + return NULL; + + local_certs = gnutls_malloc(sizeof(gnutls_cert)); + if (local_certs == NULL) { + gnutls_assert(); + return NULL; + } + + if (_E_gnutls_openpgp_key_to_gcert == NULL) { + gnutls_assert(); + return NULL; + } + + ret = _E_gnutls_openpgp_key_to_gcert(local_certs, cert); + if (ret < 0) { + gnutls_assert(); + return NULL; + } + + if (ret < 0) { + gnutls_assert(); + _gnutls_gcert_deinit(local_certs); + gnutls_free(local_certs); + return NULL; + } + + return local_certs; } /* converts the given raw key to gnutls_privkey* and allocates * space for it. */ -static gnutls_privkey *alloc_and_load_pgp_key(const gnutls_openpgp_privkey key) +static gnutls_privkey *alloc_and_load_pgp_key(const gnutls_openpgp_privkey + key) { - gnutls_privkey *local_key; - int ret = 0; - - if (key == NULL) return NULL; - - local_key = gnutls_malloc(sizeof(gnutls_privkey)); - if (local_key == NULL) { - gnutls_assert(); - return NULL; - } - - if (_E_gnutls_openpgp_privkey_to_gkey==NULL) { - gnutls_assert(); - return NULL; - } - - ret = - _E_gnutls_openpgp_privkey_to_gkey(local_key, key); - if (ret < 0) { - gnutls_assert(); - return NULL; - } - - return local_key; + gnutls_privkey *local_key; + int ret = 0; + + if (key == NULL) + return NULL; + + local_key = gnutls_malloc(sizeof(gnutls_privkey)); + if (local_key == NULL) { + gnutls_assert(); + return NULL; + } + + if (_E_gnutls_openpgp_privkey_to_gkey == NULL) { + gnutls_assert(); + return NULL; + } + + ret = _E_gnutls_openpgp_privkey_to_gkey(local_key, key); + if (ret < 0) { + gnutls_assert(); + return NULL; + } + + return local_key; } void _gnutls_selected_certs_deinit(gnutls_session session) { - if (session->internals.selected_need_free != 0) { - int i; - - for (i = 0; - i < session->internals.selected_cert_list_length; - i++) { - _gnutls_gcert_deinit(&session->internals. - selected_cert_list[i]); - } - session->internals.selected_cert_list = NULL; - session->internals.selected_cert_list_length = 0; + if (session->internals.selected_need_free != 0) { + int i; - _gnutls_gkey_deinit(session->internals.selected_key); + for (i = 0; i < session->internals.selected_cert_list_length; i++) { + _gnutls_gcert_deinit(&session->internals. + selected_cert_list[i]); } + session->internals.selected_cert_list = NULL; + session->internals.selected_cert_list_length = 0; - return; + _gnutls_gkey_deinit(session->internals.selected_key); + } + + return; } void _gnutls_selected_certs_set(gnutls_session session, gnutls_cert * certs, int ncerts, gnutls_privkey * key, int need_free) { - _gnutls_selected_certs_deinit(session); + _gnutls_selected_certs_deinit(session); - session->internals.selected_cert_list = certs; - session->internals.selected_cert_list_length = ncerts; - session->internals.selected_key = key; - session->internals.selected_need_free = need_free; + session->internals.selected_cert_list = certs; + session->internals.selected_cert_list_length = ncerts; + session->internals.selected_key = key; + session->internals.selected_need_free = need_free; } @@ -1552,54 +1538,52 @@ void _gnutls_selected_certs_set(gnutls_session session, int _gnutls_server_select_cert(gnutls_session session, gnutls_pk_algorithm requested_algo) { - uint i; - int index, ret; - const gnutls_certificate_credentials cred; + uint i; + int index, ret; + const gnutls_certificate_credentials cred; - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } - /* If the callback which retrieves certificate has been set, - * use it and leave. - */ - if (cred->server_get_cert_callback != NULL) - return call_get_cert_callback( session, NULL, 0, NULL, 0); + /* If the callback which retrieves certificate has been set, + * use it and leave. + */ + if (cred->server_get_cert_callback != NULL) + return call_get_cert_callback(session, NULL, 0, NULL, 0); - /* Otherwise... */ + /* Otherwise... */ - ret = 0; - index = -1; /* default is use no certificate */ - + ret = 0; + index = -1; /* default is use no certificate */ - for (i = 0; i < cred->ncerts; i++) { - /* find one compatible certificate - */ - if (requested_algo == GNUTLS_PK_ANY || - requested_algo == - cred->cert_list[i][0].subject_pk_algorithm) { - /* if cert type matches - */ - if (session->security_parameters.cert_type == - cred->cert_list[i][0].cert_type) { - index = i; - break; - } - } - } - - /* store the certificate pointer for future use, in the handshake. - * (This will allow not calling this callback again.) - */ - if (index >= 0 && ret == 0) { - _gnutls_selected_certs_set(session, - &cred->cert_list[index][0], - cred->cert_list_length[index], - &cred->pkey[index], 0); - } - return ret; + for (i = 0; i < cred->ncerts; i++) { + /* find one compatible certificate + */ + if (requested_algo == GNUTLS_PK_ANY || + requested_algo == cred->cert_list[i][0].subject_pk_algorithm) { + /* if cert type matches + */ + if (session->security_parameters.cert_type == + cred->cert_list[i][0].cert_type) { + index = i; + break; + } + } + } + + /* store the certificate pointer for future use, in the handshake. + * (This will allow not calling this callback again.) + */ + if (index >= 0 && ret == 0) { + _gnutls_selected_certs_set(session, + &cred->cert_list[index][0], + cred->cert_list_length[index], + &cred->pkey[index], 0); + } + + return ret; } diff --git a/lib/auth_cert.h b/lib/auth_cert.h index d024f16e4f..d7a0ebcb33 100644 --- a/lib/auth_cert.h +++ b/lib/auth_cert.h @@ -7,113 +7,121 @@ #include "../libextra/openpgp/openpgp.h" typedef struct retr_st { - gnutls_certificate_type type; - union cert { - gnutls_x509_crt* x509; - gnutls_openpgp_key pgp; - } cert; - uint ncerts; - - union key { - gnutls_x509_privkey x509; - gnutls_openpgp_privkey pgp; - } key; - - uint deinit_all; + gnutls_certificate_type type; + union cert { + gnutls_x509_crt *x509; + gnutls_openpgp_key pgp; + } cert; + uint ncerts; + + union key { + gnutls_x509_privkey x509; + gnutls_openpgp_privkey pgp; + } key; + + uint deinit_all; } gnutls_retr_st; typedef int gnutls_certificate_client_retrieve_function(gnutls_session, - const gnutls_datum* req_ca_rdn, int nreqs, - const gnutls_pk_algorithm* pk_algos, int pk_algos_length, - gnutls_retr_st *); - -typedef int gnutls_certificate_server_retrieve_function( - struct gnutls_session_int*, gnutls_retr_st*); + const gnutls_datum + * req_ca_rdn, + int nreqs, + const + gnutls_pk_algorithm + * pk_algos, + int + pk_algos_length, + gnutls_retr_st *); + +typedef int gnutls_certificate_server_retrieve_function(struct + gnutls_session_int + *, + gnutls_retr_st *); /* This structure may be complex, but it's the only way to * support a server that has multiple certificates */ typedef struct { - gnutls_dh_params dh_params; - gnutls_rsa_params rsa_params; - /* this callback is used to retrieve the DH or RSA - * parameters. - */ - gnutls_params_function * params_func; - - gnutls_cert ** cert_list; - /* contains a list of a list of certificates. - * eg (X509): [0] certificate1, certificate11, certificate111 - * (if more than one, one certificate certifies the one before) - * [1] certificate2, certificate22, ... - */ - uint * cert_list_length; - /* contains the number of the certificates in a - * row (should be 1 for OpenPGP keys). - */ - uint ncerts;/* contains the number of columns in cert_list. - * This is the same with the number of pkeys. - */ - - gnutls_privkey * pkey; - /* private keys. It contains ncerts private - * keys. pkey[i] corresponds to certificate in - * cert_list[i][0]. - */ - - /* OpenPGP specific stuff */ - - gnutls_datum keyring; - char * pgp_key_server; - int pgp_key_server_port; - - char * pgp_trustdb; - - /* X509 specific stuff */ - - gnutls_x509_crt * x509_ca_list; - uint x509_ncas; /* number of CAs in the ca_list - */ - - gnutls_x509_crl * x509_crl_list; - uint x509_ncrls;/* number of CRLs in the crl_list - */ - - unsigned int verify_flags; /* flags to be used at - * certificate verification. - */ - - /* holds a sequence of the - * RDNs of the CAs above. - * This is better than - * generating on every handshake. - */ - gnutls_datum x509_rdn_sequence; - - gnutls_certificate_client_retrieve_function* client_get_cert_callback; - gnutls_certificate_server_retrieve_function* server_get_cert_callback; + gnutls_dh_params dh_params; + gnutls_rsa_params rsa_params; + /* this callback is used to retrieve the DH or RSA + * parameters. + */ + gnutls_params_function *params_func; + + gnutls_cert **cert_list; + /* contains a list of a list of certificates. + * eg (X509): [0] certificate1, certificate11, certificate111 + * (if more than one, one certificate certifies the one before) + * [1] certificate2, certificate22, ... + */ + uint *cert_list_length; + /* contains the number of the certificates in a + * row (should be 1 for OpenPGP keys). + */ + uint ncerts; /* contains the number of columns in cert_list. + * This is the same with the number of pkeys. + */ + + gnutls_privkey *pkey; + /* private keys. It contains ncerts private + * keys. pkey[i] corresponds to certificate in + * cert_list[i][0]. + */ + + /* OpenPGP specific stuff */ + + gnutls_datum keyring; + char *pgp_key_server; + int pgp_key_server_port; + + char *pgp_trustdb; + + /* X509 specific stuff */ + + gnutls_x509_crt *x509_ca_list; + uint x509_ncas; /* number of CAs in the ca_list + */ + + gnutls_x509_crl *x509_crl_list; + uint x509_ncrls; /* number of CRLs in the crl_list + */ + + unsigned int verify_flags; /* flags to be used at + * certificate verification. + */ + + /* holds a sequence of the + * RDNs of the CAs above. + * This is better than + * generating on every handshake. + */ + gnutls_datum x509_rdn_sequence; + + gnutls_certificate_client_retrieve_function *client_get_cert_callback; + gnutls_certificate_server_retrieve_function *server_get_cert_callback; } certificate_credentials_st; #define gnutls_certificate_credentials certificate_credentials_st* typedef struct rsa_info_st { - opaque modulus[65]; - size_t modulus_size; - opaque exponent[65]; - size_t exponent_size; + opaque modulus[65]; + size_t modulus_size; + opaque exponent[65]; + size_t exponent_size; } rsa_info_t; typedef struct cert_auth_info_st { - int certificate_requested; /* if the peer requested certificate - * this is non zero; - */ - dh_info_t dh; - - rsa_info_t rsa_export; - gnutls_datum* raw_certificate_list; /* holds the raw certificate of the - * peer. - */ - unsigned int ncerts; /* holds the size of the list above */ + int certificate_requested; /* if the peer requested certificate + * this is non zero; + */ + dh_info_t dh; + + rsa_info_t rsa_export; + gnutls_datum *raw_certificate_list; /* holds the raw certificate of the + * peer. + */ + unsigned int ncerts; /* holds the size of the list above */ } *cert_auth_info_t; typedef struct cert_auth_info_st cert_auth_info_st; @@ -126,20 +134,28 @@ int _gnutls_gen_cert_server_cert_req(gnutls_session, opaque **); int _gnutls_proc_cert_cert_req(gnutls_session, opaque *, size_t); int _gnutls_proc_cert_client_cert_vrfy(gnutls_session, opaque *, size_t); int _gnutls_proc_cert_server_certificate(gnutls_session, opaque *, size_t); -int _gnutls_get_selected_cert( gnutls_session session, gnutls_cert** apr_cert_list, int *apr_cert_list_length, gnutls_privkey** apr_pkey); - -int _gnutls_server_select_cert( struct gnutls_session_int*, gnutls_pk_algorithm); -void _gnutls_selected_certs_deinit( gnutls_session session); -void _gnutls_selected_certs_set( gnutls_session session, - gnutls_cert* certs, int ncerts, gnutls_privkey* key, - int need_free); +int _gnutls_get_selected_cert(gnutls_session session, + gnutls_cert ** apr_cert_list, + int *apr_cert_list_length, + gnutls_privkey ** apr_pkey); + +int _gnutls_server_select_cert(struct gnutls_session_int *, + gnutls_pk_algorithm); +void _gnutls_selected_certs_deinit(gnutls_session session); +void _gnutls_selected_certs_set(gnutls_session session, + gnutls_cert * certs, int ncerts, + gnutls_privkey * key, int need_free); #define _gnutls_proc_cert_client_certificate _gnutls_proc_cert_server_certificate -gnutls_rsa_params _gnutls_certificate_get_rsa_params(const gnutls_certificate_credentials sc, - gnutls_session session); -gnutls_dh_params _gnutls_certificate_get_dh_params(const gnutls_certificate_credentials sc, - gnutls_session session); +gnutls_rsa_params _gnutls_certificate_get_rsa_params(const + gnutls_certificate_credentials + sc, + gnutls_session + session); +gnutls_dh_params _gnutls_certificate_get_dh_params(const + gnutls_certificate_credentials + sc, + gnutls_session session); #endif - diff --git a/lib/auth_dh_common.c b/lib/auth_dh_common.c index a4842710f3..3114435eeb 100644 --- a/lib/auth_dh_common.c +++ b/lib/auth_dh_common.c @@ -38,234 +38,237 @@ #include <auth_dh_common.h> int _gnutls_proc_dh_common_client_kx(gnutls_session session, opaque * data, - size_t _data_size, mpi_t g, mpi_t p) + size_t _data_size, mpi_t g, mpi_t p) { - uint16 n_Y; - size_t _n_Y; - int ret; - ssize_t data_size = _data_size; + uint16 n_Y; + size_t _n_Y; + int ret; + ssize_t data_size = _data_size; - DECR_LEN( data_size, 2); - n_Y = _gnutls_read_uint16(&data[0]); - _n_Y = n_Y; + DECR_LEN(data_size, 2); + n_Y = _gnutls_read_uint16(&data[0]); + _n_Y = n_Y; - DECR_LEN( data_size, n_Y); - if (_gnutls_mpi_scan(&session->key->client_Y, &data[2], &_n_Y)) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } + DECR_LEN(data_size, n_Y); + if (_gnutls_mpi_scan(&session->key->client_Y, &data[2], &_n_Y)) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } - _gnutls_dh_set_peer_public( session, session->key->client_Y); + _gnutls_dh_set_peer_public(session, session->key->client_Y); - session->key->KEY = - gnutls_calc_dh_key(session->key->client_Y, - session->key->dh_secret, p); + session->key->KEY = + gnutls_calc_dh_key(session->key->client_Y, + session->key->dh_secret, p); - if (session->key->KEY == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (session->key->KEY == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - _gnutls_mpi_release(&session->key->client_Y); - _gnutls_mpi_release(&session->key->dh_secret); + _gnutls_mpi_release(&session->key->client_Y); + _gnutls_mpi_release(&session->key->dh_secret); - ret = _gnutls_generate_session_key(session->key); - _gnutls_mpi_release(&session->key->KEY); + ret = _gnutls_generate_session_key(session->key); + _gnutls_mpi_release(&session->key->KEY); - if (ret < 0) { - return ret; - } + if (ret < 0) { + return ret; + } - return 0; + return 0; } int _gnutls_gen_dh_common_client_kx(gnutls_session session, opaque ** data) { - mpi_t x = NULL, X = NULL; - size_t n_X; - int ret; - - *data = NULL; - - X = gnutls_calc_dh_secret(&x, session->key->client_g, - session->key->client_p); - if (X == NULL || x == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - _gnutls_dh_set_secret_bits( session, _gnutls_mpi_get_nbits(x)); - - _gnutls_mpi_print( NULL, &n_X, X); - (*data) = gnutls_malloc(n_X + 2); - if (*data == NULL) { - ret = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - _gnutls_mpi_print( &(*data)[2], &n_X, X); - _gnutls_mpi_release(&X); - - _gnutls_write_uint16(n_X, &(*data)[0]); - - /* calculate the key after calculating the message */ - session->key->KEY = - gnutls_calc_dh_key(session->key->client_Y, x, - session->key->client_p); - - _gnutls_mpi_release(&x); - if (session->key->KEY == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - _gnutls_dh_set_peer_public( session, session->key->client_Y); - - /* THESE SHOULD BE DISCARDED */ - _gnutls_mpi_release(&session->key->client_Y); - _gnutls_mpi_release(&session->key->client_p); - _gnutls_mpi_release(&session->key->client_g); - - ret = _gnutls_generate_session_key(session->key); - _gnutls_mpi_release(&session->key->KEY); - - if (ret < 0) { - gnutls_assert(); - goto error; - } - - return n_X + 2; - -error: - _gnutls_mpi_release(&x); - _gnutls_mpi_release(&X); - gnutls_free(*data); *data = NULL; - return ret; + mpi_t x = NULL, X = NULL; + size_t n_X; + int ret; + + *data = NULL; + + X = gnutls_calc_dh_secret(&x, session->key->client_g, + session->key->client_p); + if (X == NULL || x == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + _gnutls_dh_set_secret_bits(session, _gnutls_mpi_get_nbits(x)); + + _gnutls_mpi_print(NULL, &n_X, X); + (*data) = gnutls_malloc(n_X + 2); + if (*data == NULL) { + ret = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + _gnutls_mpi_print(&(*data)[2], &n_X, X); + _gnutls_mpi_release(&X); + + _gnutls_write_uint16(n_X, &(*data)[0]); + + /* calculate the key after calculating the message */ + session->key->KEY = + gnutls_calc_dh_key(session->key->client_Y, x, + session->key->client_p); + + _gnutls_mpi_release(&x); + if (session->key->KEY == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + _gnutls_dh_set_peer_public(session, session->key->client_Y); + + /* THESE SHOULD BE DISCARDED */ + _gnutls_mpi_release(&session->key->client_Y); + _gnutls_mpi_release(&session->key->client_p); + _gnutls_mpi_release(&session->key->client_g); + + ret = _gnutls_generate_session_key(session->key); + _gnutls_mpi_release(&session->key->KEY); + + if (ret < 0) { + gnutls_assert(); + goto error; + } + + return n_X + 2; + + error: + _gnutls_mpi_release(&x); + _gnutls_mpi_release(&X); + gnutls_free(*data); + *data = NULL; + return ret; } -int _gnutls_proc_dh_common_server_kx( gnutls_session session, opaque* data, size_t _data_size) +int _gnutls_proc_dh_common_server_kx(gnutls_session session, opaque * data, + size_t _data_size) { - uint16 n_Y, n_g, n_p; - size_t _n_Y, _n_g, _n_p; - uint8 *data_p; - uint8 *data_g; - uint8 *data_Y; - int i, bits; - ssize_t data_size = _data_size; - - i = 0; - DECR_LEN( data_size, 2); - n_p = _gnutls_read_uint16( &data[i]); - i += 2; - - DECR_LEN( data_size, n_p); - data_p = &data[i]; - i += n_p; - if (i > data_size) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - DECR_LEN( data_size, 2); - n_g = _gnutls_read_uint16( &data[i]); - i += 2; - - DECR_LEN( data_size, n_g); - data_g = &data[i]; - i += n_g; - - DECR_LEN( data_size, 2); - n_Y = _gnutls_read_uint16( &data[i]); - i += 2; - - DECR_LEN( data_size, n_Y); - data_Y = &data[i]; - i += n_Y; - - _n_Y = n_Y; - _n_g = n_g; - _n_p = n_p; - - if (_gnutls_mpi_scan(&session->key->client_Y, data_Y, &_n_Y) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - if (_gnutls_mpi_scan(&session->key->client_g, data_g, &_n_g) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - if (_gnutls_mpi_scan(&session->key->client_p, data_p, &_n_p) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - bits = _gnutls_dh_get_allowed_prime_bits( session); - if (bits < 0) { - gnutls_assert(); - return bits; - } - - if ( _gnutls_mpi_get_nbits( session->key->client_p) < (size_t)bits) { - /* the prime used by the peer is not acceptable - */ - gnutls_assert(); - return GNUTLS_E_DH_PRIME_UNACCEPTABLE; - } - - _gnutls_dh_set_group( session, session->key->client_g, session->key->client_p); - _gnutls_dh_set_peer_public( session, session->key->client_Y); - - return n_Y + n_p + n_g + 6; + uint16 n_Y, n_g, n_p; + size_t _n_Y, _n_g, _n_p; + uint8 *data_p; + uint8 *data_g; + uint8 *data_Y; + int i, bits; + ssize_t data_size = _data_size; + + i = 0; + DECR_LEN(data_size, 2); + n_p = _gnutls_read_uint16(&data[i]); + i += 2; + + DECR_LEN(data_size, n_p); + data_p = &data[i]; + i += n_p; + if (i > data_size) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + DECR_LEN(data_size, 2); + n_g = _gnutls_read_uint16(&data[i]); + i += 2; + + DECR_LEN(data_size, n_g); + data_g = &data[i]; + i += n_g; + + DECR_LEN(data_size, 2); + n_Y = _gnutls_read_uint16(&data[i]); + i += 2; + + DECR_LEN(data_size, n_Y); + data_Y = &data[i]; + i += n_Y; + + _n_Y = n_Y; + _n_g = n_g; + _n_p = n_p; + + if (_gnutls_mpi_scan(&session->key->client_Y, data_Y, &_n_Y) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + if (_gnutls_mpi_scan(&session->key->client_g, data_g, &_n_g) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + if (_gnutls_mpi_scan(&session->key->client_p, data_p, &_n_p) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + bits = _gnutls_dh_get_allowed_prime_bits(session); + if (bits < 0) { + gnutls_assert(); + return bits; + } + + if (_gnutls_mpi_get_nbits(session->key->client_p) < (size_t) bits) { + /* the prime used by the peer is not acceptable + */ + gnutls_assert(); + return GNUTLS_E_DH_PRIME_UNACCEPTABLE; + } + + _gnutls_dh_set_group(session, session->key->client_g, + session->key->client_p); + _gnutls_dh_set_peer_public(session, session->key->client_Y); + + return n_Y + n_p + n_g + 6; } -int _gnutls_dh_common_print_server_kx( gnutls_session session, - mpi_t g, mpi_t p, opaque** data) +int _gnutls_dh_common_print_server_kx(gnutls_session session, + mpi_t g, mpi_t p, opaque ** data) { - mpi_t x, X; - size_t n_X, n_g, n_p; - int ret; - uint8 *data_p; - uint8 *data_g; - uint8 *data_X; - - X = gnutls_calc_dh_secret(&x, g, p); - if (X == NULL || x == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - session->key->dh_secret = x; - _gnutls_dh_set_secret_bits( session, _gnutls_mpi_get_nbits(x)); - - _gnutls_mpi_print( NULL, &n_g, g); - _gnutls_mpi_print( NULL, &n_p, p); - _gnutls_mpi_print( NULL, &n_X, X); - (*data) = gnutls_malloc(n_g + n_p + n_X + 6); - if (*data == NULL) { - _gnutls_mpi_release(&X); - return GNUTLS_E_MEMORY_ERROR; - } - - data_p = &(*data)[0]; - _gnutls_mpi_print( &data_p[2], &n_p, p); - - _gnutls_write_uint16(n_p, data_p); - - data_g = &data_p[2 + n_p]; - _gnutls_mpi_print( &data_g[2], &n_g, g); - - _gnutls_write_uint16(n_g, data_g); - - data_X = &data_g[2 + n_g]; - _gnutls_mpi_print( &data_X[2], &n_X, X); + mpi_t x, X; + size_t n_X, n_g, n_p; + int ret; + uint8 *data_p; + uint8 *data_g; + uint8 *data_X; + + X = gnutls_calc_dh_secret(&x, g, p); + if (X == NULL || x == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + session->key->dh_secret = x; + _gnutls_dh_set_secret_bits(session, _gnutls_mpi_get_nbits(x)); + + _gnutls_mpi_print(NULL, &n_g, g); + _gnutls_mpi_print(NULL, &n_p, p); + _gnutls_mpi_print(NULL, &n_X, X); + (*data) = gnutls_malloc(n_g + n_p + n_X + 6); + if (*data == NULL) { _gnutls_mpi_release(&X); + return GNUTLS_E_MEMORY_ERROR; + } - _gnutls_write_uint16(n_X, data_X); + data_p = &(*data)[0]; + _gnutls_mpi_print(&data_p[2], &n_p, p); - ret = n_p + n_g + n_X + 6; + _gnutls_write_uint16(n_p, data_p); - return ret; + data_g = &data_p[2 + n_p]; + _gnutls_mpi_print(&data_g[2], &n_g, g); + + _gnutls_write_uint16(n_g, data_g); + + data_X = &data_g[2 + n_g]; + _gnutls_mpi_print(&data_X[2], &n_X, X); + _gnutls_mpi_release(&X); + + _gnutls_write_uint16(n_X, data_X); + + ret = n_p + n_g + n_X + 6; + + return ret; } diff --git a/lib/auth_dh_common.h b/lib/auth_dh_common.h index 0da5c59f92..a1400cac2c 100644 --- a/lib/auth_dh_common.h +++ b/lib/auth_dh_common.h @@ -2,22 +2,22 @@ # define AUTH_DH_COMMON typedef struct dh_info_st { - int secret_bits; + int secret_bits; - opaque prime[1025]; - size_t prime_size; - opaque generator[16]; - size_t generator_size; - opaque public_key[1025]; - size_t public_key_size; + opaque prime[1025]; + size_t prime_size; + opaque generator[16]; + size_t generator_size; + opaque public_key[1025]; + size_t public_key_size; } dh_info_t; int _gnutls_gen_dh_common_client_kx(gnutls_session, opaque **); int _gnutls_proc_dh_common_client_kx(gnutls_session session, opaque * data, - size_t _data_size, mpi_t p, mpi_t g); -int _gnutls_dh_common_print_server_kx( gnutls_session, mpi_t g, - mpi_t p, opaque** data); -int _gnutls_proc_dh_common_server_kx( gnutls_session session, opaque* data, - size_t _data_size); + size_t _data_size, mpi_t p, mpi_t g); +int _gnutls_dh_common_print_server_kx(gnutls_session, mpi_t g, + mpi_t p, opaque ** data); +int _gnutls_proc_dh_common_server_kx(gnutls_session session, opaque * data, + size_t _data_size); #endif diff --git a/lib/auth_dhe.c b/lib/auth_dhe.c index 8025801a2e..386545eb13 100644 --- a/lib/auth_dhe.c +++ b/lib/auth_dhe.c @@ -43,214 +43,214 @@ static int proc_dhe_server_kx(gnutls_session, opaque *, size_t); static int proc_dhe_client_kx(gnutls_session, opaque *, size_t); const mod_auth_st dhe_rsa_auth_struct = { - "DHE_RSA", - _gnutls_gen_cert_server_certificate, - _gnutls_gen_cert_client_certificate, - gen_dhe_server_kx, - _gnutls_gen_dh_common_client_kx, - _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ - _gnutls_gen_cert_server_cert_req, /* server cert request */ - - _gnutls_proc_cert_server_certificate, - _gnutls_proc_cert_client_certificate, - proc_dhe_server_kx, - proc_dhe_client_kx, - _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ - _gnutls_proc_cert_cert_req /* proc server cert request */ + "DHE_RSA", + _gnutls_gen_cert_server_certificate, + _gnutls_gen_cert_client_certificate, + gen_dhe_server_kx, + _gnutls_gen_dh_common_client_kx, + _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ + _gnutls_gen_cert_server_cert_req, /* server cert request */ + + _gnutls_proc_cert_server_certificate, + _gnutls_proc_cert_client_certificate, + proc_dhe_server_kx, + proc_dhe_client_kx, + _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ + _gnutls_proc_cert_cert_req /* proc server cert request */ }; const mod_auth_st dhe_dss_auth_struct = { - "DHE_DSS", - _gnutls_gen_cert_server_certificate, - _gnutls_gen_cert_client_certificate, - gen_dhe_server_kx, - _gnutls_gen_dh_common_client_kx, - _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ - _gnutls_gen_cert_server_cert_req, /* server cert request */ - - _gnutls_proc_cert_server_certificate, - _gnutls_proc_cert_client_certificate, - proc_dhe_server_kx, - proc_dhe_client_kx, - _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ - _gnutls_proc_cert_cert_req /* proc server cert request */ + "DHE_DSS", + _gnutls_gen_cert_server_certificate, + _gnutls_gen_cert_client_certificate, + gen_dhe_server_kx, + _gnutls_gen_dh_common_client_kx, + _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ + _gnutls_gen_cert_server_cert_req, /* server cert request */ + + _gnutls_proc_cert_server_certificate, + _gnutls_proc_cert_client_certificate, + proc_dhe_server_kx, + proc_dhe_client_kx, + _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ + _gnutls_proc_cert_cert_req /* proc server cert request */ }; static int gen_dhe_server_kx(gnutls_session session, opaque ** data) { - mpi_t g, p; - const mpi_t *mpis; - int ret = 0, data_size; - int bits; - gnutls_cert *apr_cert_list; - gnutls_privkey* apr_pkey; - int apr_cert_list_length; - gnutls_datum signature, ddata; - const gnutls_certificate_credentials cred; - gnutls_dh_params dh_params; - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - bits = _gnutls_dh_get_allowed_prime_bits( session); - - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, + mpi_t g, p; + const mpi_t *mpis; + int ret = 0, data_size; + int bits; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + gnutls_datum signature, ddata; + const gnutls_certificate_credentials cred; + gnutls_dh_params dh_params; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + bits = _gnutls_dh_get_allowed_prime_bits(session); + + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert(session, &apr_cert_list, &apr_cert_list_length, &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } + gnutls_assert(); + return ret; + } - dh_params = _gnutls_certificate_get_dh_params( cred, session); - mpis = _gnutls_get_dh_params( dh_params); - if (mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; - } + dh_params = _gnutls_certificate_get_dh_params(cred, session); + mpis = _gnutls_get_dh_params(dh_params); + if (mpis == NULL) { + gnutls_assert(); + return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; + } - p = mpis[0]; - g = mpis[1]; + p = mpis[0]; + g = mpis[1]; - if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_CERTIFICATE, - sizeof( cert_auth_info_st), 0)) < 0) - { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, + sizeof(cert_auth_info_st), 0)) < 0) { + gnutls_assert(); + return ret; + } - _gnutls_dh_set_group( session, g, p); + _gnutls_dh_set_group(session, g, p); - ret = _gnutls_dh_common_print_server_kx( session, g, p, data); - if (ret < 0) { - gnutls_assert(); - return ret; - } - data_size = ret; - - /* Generate the signature. */ - - ddata.data = *data; - ddata.size = data_size; - - if (apr_pkey != NULL) { - if ((ret = - _gnutls_tls_sign_params(session, &apr_cert_list[0], - apr_pkey, &ddata, - &signature)) < 0) { - gnutls_assert(); - gnutls_free(*data); - return ret; - } - } else { - gnutls_assert(); - return data_size; /* do not put a signature - ILLEGAL! */ - } + ret = _gnutls_dh_common_print_server_kx(session, g, p, data); + if (ret < 0) { + gnutls_assert(); + return ret; + } + data_size = ret; - *data = gnutls_realloc_fast(*data, data_size + signature.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&signature); - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + /* Generate the signature. */ - _gnutls_write_datum16(&(*data)[data_size], signature); - data_size += signature.size + 2; + ddata.data = *data; + ddata.size = data_size; + if (apr_pkey != NULL) { + if ((ret = + _gnutls_tls_sign_params(session, &apr_cert_list[0], + apr_pkey, &ddata, &signature)) < 0) { + gnutls_assert(); + gnutls_free(*data); + return ret; + } + } else { + gnutls_assert(); + return data_size; /* do not put a signature - ILLEGAL! */ + } + + *data = gnutls_realloc_fast(*data, data_size + signature.size + 2); + if (*data == NULL) { _gnutls_free_datum(&signature); + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + _gnutls_write_datum16(&(*data)[data_size], signature); + data_size += signature.size + 2; - return data_size; + _gnutls_free_datum(&signature); + + return data_size; } static int proc_dhe_server_kx(gnutls_session session, opaque * data, - size_t _data_size) + size_t _data_size) { - int sigsize; - gnutls_datum vparams, signature; - int ret; - cert_auth_info_t info = _gnutls_get_auth_info( session); - ssize_t data_size = _data_size; - gnutls_cert peer_cert; - - if (info == NULL || info->ncerts==0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return GNUTLS_E_INTERNAL_ERROR; - } - - ret = _gnutls_proc_dh_common_server_kx( session, data, _data_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + int sigsize; + gnutls_datum vparams, signature; + int ret; + cert_auth_info_t info = _gnutls_get_auth_info(session); + ssize_t data_size = _data_size; + gnutls_cert peer_cert; + + if (info == NULL || info->ncerts == 0) { + gnutls_assert(); + /* we need this in order to get peer's certificate */ + return GNUTLS_E_INTERNAL_ERROR; + } + + ret = _gnutls_proc_dh_common_server_kx(session, data, _data_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* VERIFY SIGNATURE */ + /* VERIFY SIGNATURE */ - vparams.size = ret; - vparams.data = data; + vparams.size = ret; + vparams.data = data; - DECR_LEN( data_size, 2); - sigsize = _gnutls_read_uint16(&data[vparams.size]); + DECR_LEN(data_size, 2); + sigsize = _gnutls_read_uint16(&data[vparams.size]); - DECR_LEN( data_size, sigsize); - signature.data = &data[vparams.size + 2]; - signature.size = sigsize; + DECR_LEN(data_size, sigsize); + signature.data = &data[vparams.size + 2]; + signature.size = sigsize; - if ((ret = - _gnutls_raw_cert_to_gcert( &peer_cert, session->security_parameters.cert_type, - &info->raw_certificate_list[0], CERT_NO_COPY)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = + _gnutls_raw_cert_to_gcert(&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_NO_COPY)) < 0) { + gnutls_assert(); + return ret; + } - ret = - _gnutls_verify_sig_params(session, - &peer_cert, - &vparams, &signature); - - _gnutls_gcert_deinit( &peer_cert); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = + _gnutls_verify_sig_params(session, + &peer_cert, &vparams, &signature); + _gnutls_gcert_deinit(&peer_cert); + if (ret < 0) { + gnutls_assert(); return ret; + } + + return ret; } static int proc_dhe_client_kx(gnutls_session session, opaque * data, - size_t _data_size) + size_t _data_size) { -const gnutls_certificate_credentials cred; -int ret; -mpi_t p, g; -const mpi_t *mpis; -gnutls_dh_params dh_params; - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - dh_params = _gnutls_certificate_get_dh_params( cred, session); - mpis = _gnutls_get_dh_params( dh_params); - if (mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; - } - - p = mpis[0]; - g = mpis[1]; - - ret = _gnutls_proc_dh_common_client_kx( session, data, _data_size, g, p); - - return ret; + const gnutls_certificate_credentials cred; + int ret; + mpi_t p, g; + const mpi_t *mpis; + gnutls_dh_params dh_params; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + dh_params = _gnutls_certificate_get_dh_params(cred, session); + mpis = _gnutls_get_dh_params(dh_params); + if (mpis == NULL) { + gnutls_assert(); + return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; + } + + p = mpis[0]; + g = mpis[1]; + + ret = + _gnutls_proc_dh_common_client_kx(session, data, _data_size, g, p); + + return ret; } diff --git a/lib/auth_rsa.c b/lib/auth_rsa.c index 5e6f412b92..f62c7e5684 100644 --- a/lib/auth_rsa.c +++ b/lib/auth_rsa.c @@ -45,140 +45,146 @@ int _gnutls_gen_rsa_client_kx(gnutls_session, opaque **); int _gnutls_proc_rsa_client_kx(gnutls_session, opaque *, size_t); const mod_auth_st rsa_auth_struct = { - "RSA", - _gnutls_gen_cert_server_certificate, - _gnutls_gen_cert_client_certificate, - NULL, /* gen server kx */ - _gnutls_gen_rsa_client_kx, - _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ - _gnutls_gen_cert_server_cert_req, /* server cert request */ - - _gnutls_proc_cert_server_certificate, - _gnutls_proc_cert_client_certificate, - NULL, /* proc server kx */ - _gnutls_proc_rsa_client_kx, /* proc client kx */ - _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ - _gnutls_proc_cert_cert_req /* proc server cert request */ + "RSA", + _gnutls_gen_cert_server_certificate, + _gnutls_gen_cert_client_certificate, + NULL, /* gen server kx */ + _gnutls_gen_rsa_client_kx, + _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ + _gnutls_gen_cert_server_cert_req, /* server cert request */ + + _gnutls_proc_cert_server_certificate, + _gnutls_proc_cert_client_certificate, + NULL, /* proc server kx */ + _gnutls_proc_rsa_client_kx, /* proc client kx */ + _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ + _gnutls_proc_cert_cert_req /* proc server cert request */ }; /* This function reads the RSA parameters from peer's certificate; */ -int _gnutls_get_public_rsa_params(gnutls_session session, - mpi_t params[MAX_PUBLIC_PARAMS_SIZE], int* params_len) +int _gnutls_get_public_rsa_params(gnutls_session session, + mpi_t params[MAX_PUBLIC_PARAMS_SIZE], + int *params_len) { -int ret; -cert_auth_info_t info; -gnutls_cert peer_cert; -int i; + int ret; + cert_auth_info_t info; + gnutls_cert peer_cert; + int i; - /* normal non export case */ + /* normal non export case */ - info = _gnutls_get_auth_info( session); + info = _gnutls_get_auth_info(session); - if (info==NULL || info->ncerts==0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - ret = - _gnutls_raw_cert_to_gcert( &peer_cert, session->security_parameters.cert_type, - &info->raw_certificate_list[0], CERT_ONLY_PUBKEY|CERT_NO_COPY); - - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (info == NULL || info->ncerts == 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + ret = + _gnutls_raw_cert_to_gcert(&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_ONLY_PUBKEY | CERT_NO_COPY); - /* EXPORT case: */ - if ( _gnutls_cipher_suite_get_kx_algo(&session->security_parameters.current_cipher_suite) - == GNUTLS_KX_RSA_EXPORT && - _gnutls_mpi_get_nbits(peer_cert.params[0]) > 512) { + if (ret < 0) { + gnutls_assert(); + return ret; + } - _gnutls_gcert_deinit( &peer_cert); - if (session->key->rsa[0] == NULL || - session->key->rsa[1] == NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + /* EXPORT case: */ + if (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters.current_cipher_suite) + == GNUTLS_KX_RSA_EXPORT + && _gnutls_mpi_get_nbits(peer_cert.params[0]) > 512) { - if (*params_len < 2) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - *params_len = 2; - for (i=0;i<*params_len;i++) { - params[i] = _gnutls_mpi_copy(session->key->rsa[i]); - } + _gnutls_gcert_deinit(&peer_cert); - return 0; + if (session->key->rsa[0] == NULL || session->key->rsa[1] == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - /* end of export case */ - - if (*params_len < peer_cert.params_size) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (*params_len < 2) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - *params_len = peer_cert.params_size; - - for (i=0;i<*params_len;i++) { - params[i] = _gnutls_mpi_copy(peer_cert.params[i]); + *params_len = 2; + for (i = 0; i < *params_len; i++) { + params[i] = _gnutls_mpi_copy(session->key->rsa[i]); } - _gnutls_gcert_deinit( &peer_cert); return 0; + } + + /* end of export case */ + + if (*params_len < peer_cert.params_size) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + *params_len = peer_cert.params_size; + + for (i = 0; i < *params_len; i++) { + params[i] = _gnutls_mpi_copy(peer_cert.params[i]); + } + _gnutls_gcert_deinit(&peer_cert); + + return 0; } /* This function reads the RSA parameters from the private key */ -int _gnutls_get_private_rsa_params(gnutls_session session, mpi_t **params, int* params_size) +int _gnutls_get_private_rsa_params(gnutls_session session, mpi_t ** params, + int *params_size) { -int bits; -const gnutls_certificate_credentials cred; -gnutls_rsa_params rsa_params; - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (session->internals.selected_cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + int bits; + const gnutls_certificate_credentials cred; + gnutls_rsa_params rsa_params; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (session->internals.selected_cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + bits = + _gnutls_mpi_get_nbits(session->internals.selected_cert_list[0]. + params[0]); + + if (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters.current_cipher_suite) + == GNUTLS_KX_RSA_EXPORT && bits > 512) { + + rsa_params = _gnutls_certificate_get_rsa_params(cred, session); + /* EXPORT case: */ + if (rsa_params == NULL) { + gnutls_assert(); + return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS; } - bits = _gnutls_mpi_get_nbits(session->internals.selected_cert_list[0].params[0]); + /* In the export case, we do use temporary RSA params + * of 512 bits size. The params in the certificate are + * used to sign this temporary stuff. + */ + *params_size = RSA_PRIVATE_PARAMS; + *params = rsa_params->params; - if ( _gnutls_cipher_suite_get_kx_algo(&session->security_parameters.current_cipher_suite) - == GNUTLS_KX_RSA_EXPORT && - bits > 512) { + return 0; + } - rsa_params = _gnutls_certificate_get_rsa_params( cred, session); - /* EXPORT case: */ - if (rsa_params == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS; - } - - /* In the export case, we do use temporary RSA params - * of 512 bits size. The params in the certificate are - * used to sign this temporary stuff. - */ - *params_size = RSA_PRIVATE_PARAMS; - *params = rsa_params->params; - - return 0; - } + /* non export cipher suites. */ - /* non export cipher suites. */ - - *params_size = session->internals.selected_key->params_size; - *params = session->internals.selected_key->params; + *params_size = session->internals.selected_key->params_size; + *params = session->internals.selected_key->params; - return 0; + return 0; } @@ -190,88 +196,88 @@ gnutls_rsa_params rsa_params; return GNUTLS_E_MEMORY_ERROR; \ } -int _gnutls_proc_rsa_client_kx(gnutls_session session, opaque * data, size_t _data_size) +int _gnutls_proc_rsa_client_kx(gnutls_session session, opaque * data, + size_t _data_size) { - gnutls_datum plaintext; - gnutls_datum ciphertext; - int ret, dsize; - mpi_t *params; - int params_len; - int randomize_key = 0; - ssize_t data_size = _data_size; - - if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { - /* SSL 3.0 - */ - ciphertext.data = data; - ciphertext.size = data_size; - } else { - /* TLS 1.0 - */ - DECR_LEN( data_size, 2); - ciphertext.data = &data[2]; - dsize = _gnutls_read_uint16(data); - - if (dsize != data_size) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - ciphertext.size = dsize; - } + gnutls_datum plaintext; + gnutls_datum ciphertext; + int ret, dsize; + mpi_t *params; + int params_len; + int randomize_key = 0; + ssize_t data_size = _data_size; + + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { + /* SSL 3.0 + */ + ciphertext.data = data; + ciphertext.size = data_size; + } else { + /* TLS 1.0 + */ + DECR_LEN(data_size, 2); + ciphertext.data = &data[2]; + dsize = _gnutls_read_uint16(data); - ret = _gnutls_get_private_rsa_params(session, ¶ms, ¶ms_len); - if (ret < 0) { - gnutls_assert(); - return ret; + if (dsize != data_size) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } + ciphertext.size = dsize; + } - ret = _gnutls_pkcs1_rsa_decrypt(&plaintext, &ciphertext, params, - params_len, 2); /* btype==2 */ - - if (ret < 0 || plaintext.size != TLS_MASTER_SIZE) { - /* In case decryption fails then don't inform - * the peer. Just use a random key. (in order to avoid - * attack against pkcs-1 formating). - */ - gnutls_assert(); - _gnutls_x509_log("auth_rsa: Possible PKCS #1 format attack\n"); - randomize_key = 1; - } else { - /* If the secret was properly formatted, then - * check the version number. - */ - if (_gnutls_get_adv_version_major(session) != plaintext.data[0] - || _gnutls_get_adv_version_minor(session) != plaintext.data[1]) - { - /* No error is returned here, if the version number check - * fails. We proceed normally. - * That is to defend against the attack described in the paper - * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima, - * Ondej Pokorny and Tomas Rosa. - */ - gnutls_assert(); - _gnutls_x509_log("auth_rsa: Possible PKCS #1 version check format attack\n"); - } - } + ret = _gnutls_get_private_rsa_params(session, ¶ms, ¶ms_len); + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (randomize_key != 0) { - /* we do not need strong random numbers here. - */ - RANDOMIZE_KEY(session->key->key, - gnutls_malloc, GNUTLS_WEAK_RANDOM); + ret = _gnutls_pkcs1_rsa_decrypt(&plaintext, &ciphertext, params, params_len, 2); /* btype==2 */ - } else { - session->key->key.data = plaintext.data; - session->key->key.size = plaintext.size; + if (ret < 0 || plaintext.size != TLS_MASTER_SIZE) { + /* In case decryption fails then don't inform + * the peer. Just use a random key. (in order to avoid + * attack against pkcs-1 formating). + */ + gnutls_assert(); + _gnutls_x509_log("auth_rsa: Possible PKCS #1 format attack\n"); + randomize_key = 1; + } else { + /* If the secret was properly formatted, then + * check the version number. + */ + if (_gnutls_get_adv_version_major(session) != plaintext.data[0] + || _gnutls_get_adv_version_minor(session) != plaintext.data[1]) { + /* No error is returned here, if the version number check + * fails. We proceed normally. + * That is to defend against the attack described in the paper + * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima, + * Ondej Pokorny and Tomas Rosa. + */ + gnutls_assert(); + _gnutls_x509_log + ("auth_rsa: Possible PKCS #1 version check format attack\n"); } + } - /* This is here to avoid the version check attack - * discussed above. + if (randomize_key != 0) { + /* we do not need strong random numbers here. */ - session->key->key.data[0] = _gnutls_get_adv_version_major(session); - session->key->key.data[1] = _gnutls_get_adv_version_minor(session); + RANDOMIZE_KEY(session->key->key, + gnutls_malloc, GNUTLS_WEAK_RANDOM); - return 0; + } else { + session->key->key.data = plaintext.data; + session->key->key.size = plaintext.size; + } + + /* This is here to avoid the version check attack + * discussed above. + */ + session->key->key.data[0] = _gnutls_get_adv_version_major(session); + session->key->key.data[1] = _gnutls_get_adv_version_minor(session); + + return 0; } @@ -280,64 +286,66 @@ int _gnutls_proc_rsa_client_kx(gnutls_session session, opaque * data, size_t _da */ int _gnutls_gen_rsa_client_kx(gnutls_session session, opaque ** data) { - cert_auth_info_t auth = session->key->auth_info; - gnutls_datum sdata; /* data to send */ - mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; - int params_len = MAX_PUBLIC_PARAMS_SIZE; - int ret, i; - gnutls_protocol_version ver; - - if (auth == NULL) { - /* this shouldn't have happened. The proc_certificate - * function should have detected that. - */ - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - RANDOMIZE_KEY(session->key->key, gnutls_secure_malloc, GNUTLS_STRONG_RANDOM); - - ver = _gnutls_get_adv_version(session); - - if (session->internals.rsa_pms_version[0] == 0) { - session->key->key.data[0] = _gnutls_version_get_major(ver); - session->key->key.data[1] = _gnutls_version_get_minor(ver); - } else { /* use the version provided */ - session->key->key.data[0] = session->internals.rsa_pms_version[0]; - session->key->key.data[1] = session->internals.rsa_pms_version[1]; - } - - /* move RSA parameters to key (session). + cert_auth_info_t auth = session->key->auth_info; + gnutls_datum sdata; /* data to send */ + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + int params_len = MAX_PUBLIC_PARAMS_SIZE; + int ret, i; + gnutls_protocol_version ver; + + if (auth == NULL) { + /* this shouldn't have happened. The proc_certificate + * function should have detected that. */ - if ((ret = - _gnutls_get_public_rsa_params(session, params, ¶ms_len)) < 0) { - gnutls_assert(); - return ret; - } - - if ((ret = - _gnutls_pkcs1_rsa_encrypt(&sdata, &session->key->key, - params, params_len, 2)) < 0) { - gnutls_assert(); - return ret; - } - - for (i=0;i<params_len;i++) - _gnutls_mpi_release( ¶ms[i]); - - if (gnutls_protocol_get_version( session) == GNUTLS_SSL3) { - /* SSL 3.0 */ - *data = sdata.data; - return sdata.size; - } else { /* TLS 1 */ - *data = gnutls_malloc(sdata.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&sdata); - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_write_datum16( *data, sdata); - ret = sdata.size + 2; - _gnutls_free_datum(&sdata); - return ret; + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + RANDOMIZE_KEY(session->key->key, gnutls_secure_malloc, + GNUTLS_STRONG_RANDOM); + + ver = _gnutls_get_adv_version(session); + + if (session->internals.rsa_pms_version[0] == 0) { + session->key->key.data[0] = _gnutls_version_get_major(ver); + session->key->key.data[1] = _gnutls_version_get_minor(ver); + } else { /* use the version provided */ + session->key->key.data[0] = session->internals.rsa_pms_version[0]; + session->key->key.data[1] = session->internals.rsa_pms_version[1]; + } + + /* move RSA parameters to key (session). + */ + if ((ret = + _gnutls_get_public_rsa_params(session, params, + ¶ms_len)) < 0) { + gnutls_assert(); + return ret; + } + + if ((ret = + _gnutls_pkcs1_rsa_encrypt(&sdata, &session->key->key, + params, params_len, 2)) < 0) { + gnutls_assert(); + return ret; + } + + for (i = 0; i < params_len; i++) + _gnutls_mpi_release(¶ms[i]); + + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { + /* SSL 3.0 */ + *data = sdata.data; + return sdata.size; + } else { /* TLS 1 */ + *data = gnutls_malloc(sdata.size + 2); + if (*data == NULL) { + _gnutls_free_datum(&sdata); + return GNUTLS_E_MEMORY_ERROR; } + _gnutls_write_datum16(*data, sdata); + ret = sdata.size + 2; + _gnutls_free_datum(&sdata); + return ret; + } } diff --git a/lib/auth_rsa_export.c b/lib/auth_rsa_export.c index fe952d8d40..3246eacb77 100644 --- a/lib/auth_rsa_export.c +++ b/lib/auth_rsa_export.c @@ -49,251 +49,255 @@ static int gen_rsa_export_server_kx(gnutls_session, opaque **); static int proc_rsa_export_server_kx(gnutls_session, opaque *, size_t); const mod_auth_st rsa_export_auth_struct = { - "RSA EXPORT", - _gnutls_gen_cert_server_certificate, - _gnutls_gen_cert_client_certificate, - gen_rsa_export_server_kx, - _gnutls_gen_rsa_client_kx, - _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ - _gnutls_gen_cert_server_cert_req, /* server cert request */ - - _gnutls_proc_cert_server_certificate, - _gnutls_proc_cert_client_certificate, - proc_rsa_export_server_kx, - _gnutls_proc_rsa_client_kx, /* proc client kx */ - _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ - _gnutls_proc_cert_cert_req /* proc server cert request */ + "RSA EXPORT", + _gnutls_gen_cert_server_certificate, + _gnutls_gen_cert_client_certificate, + gen_rsa_export_server_kx, + _gnutls_gen_rsa_client_kx, + _gnutls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */ + _gnutls_gen_cert_server_cert_req, /* server cert request */ + + _gnutls_proc_cert_server_certificate, + _gnutls_proc_cert_client_certificate, + proc_rsa_export_server_kx, + _gnutls_proc_rsa_client_kx, /* proc client kx */ + _gnutls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */ + _gnutls_proc_cert_cert_req /* proc server cert request */ }; static int gen_rsa_export_server_kx(gnutls_session session, opaque ** data) { - gnutls_rsa_params rsa_params; - const mpi_t *rsa_mpis; - size_t n_e, n_m; - uint8 *data_e, *data_m; - int ret = 0, data_size; - gnutls_cert *apr_cert_list; - gnutls_privkey* apr_pkey; - int apr_cert_list_length; - gnutls_datum signature, ddata; - cert_auth_info_t info; - const gnutls_certificate_credentials cred; - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - /* find the appropriate certificate */ - if ((ret = - _gnutls_get_selected_cert(session, &apr_cert_list, + gnutls_rsa_params rsa_params; + const mpi_t *rsa_mpis; + size_t n_e, n_m; + uint8 *data_e, *data_m; + int ret = 0, data_size; + gnutls_cert *apr_cert_list; + gnutls_privkey *apr_pkey; + int apr_cert_list_length; + gnutls_datum signature, ddata; + cert_auth_info_t info; + const gnutls_certificate_credentials cred; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + /* find the appropriate certificate */ + if ((ret = + _gnutls_get_selected_cert(session, &apr_cert_list, &apr_cert_list_length, &apr_pkey)) < 0) { - gnutls_assert(); - return ret; - } - - /* abort sending this message if we have a certificate - * of 512 bits or less. - */ - if ( _gnutls_mpi_get_nbits( apr_pkey->params[0]) <= 512) { - gnutls_assert(); - return GNUTLS_E_INT_RET_0; - } - - rsa_params = _gnutls_certificate_get_rsa_params( cred, session); - rsa_mpis = _gnutls_get_rsa_params( rsa_params); - if (rsa_mpis == NULL) { - gnutls_assert(); - return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS; - } - - if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_CERTIFICATE, - sizeof( cert_auth_info_st), 0)) < 0) { - gnutls_assert(); - return ret; - } + gnutls_assert(); + return ret; + } + + /* abort sending this message if we have a certificate + * of 512 bits or less. + */ + if (_gnutls_mpi_get_nbits(apr_pkey->params[0]) <= 512) { + gnutls_assert(); + return GNUTLS_E_INT_RET_0; + } + + rsa_params = _gnutls_certificate_get_rsa_params(cred, session); + rsa_mpis = _gnutls_get_rsa_params(rsa_params); + if (rsa_mpis == NULL) { + gnutls_assert(); + return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS; + } + + if ((ret = _gnutls_auth_info_set(session, GNUTLS_CRD_CERTIFICATE, + sizeof(cert_auth_info_st), 0)) < 0) { + gnutls_assert(); + return ret; + } - info = _gnutls_get_auth_info( session); - _gnutls_rsa_export_set_pubkey( session, rsa_mpis[1], rsa_mpis[0]); + info = _gnutls_get_auth_info(session); + _gnutls_rsa_export_set_pubkey(session, rsa_mpis[1], rsa_mpis[0]); - _gnutls_mpi_print( NULL, &n_m, rsa_mpis[0]); - _gnutls_mpi_print( NULL, &n_e, rsa_mpis[1]); + _gnutls_mpi_print(NULL, &n_m, rsa_mpis[0]); + _gnutls_mpi_print(NULL, &n_e, rsa_mpis[1]); - (*data) = gnutls_malloc(n_e + n_m + 4); - if (*data == NULL) { - return GNUTLS_E_MEMORY_ERROR; - } + (*data) = gnutls_malloc(n_e + n_m + 4); + if (*data == NULL) { + return GNUTLS_E_MEMORY_ERROR; + } - data_m = &(*data)[0]; - _gnutls_mpi_print( &data_m[2], &n_m, rsa_mpis[0]); + data_m = &(*data)[0]; + _gnutls_mpi_print(&data_m[2], &n_m, rsa_mpis[0]); - _gnutls_write_uint16(n_m, data_m); + _gnutls_write_uint16(n_m, data_m); - data_e = &data_m[2 + n_m]; - _gnutls_mpi_print( &data_e[2], &n_e, rsa_mpis[1]); + data_e = &data_m[2 + n_m]; + _gnutls_mpi_print(&data_e[2], &n_e, rsa_mpis[1]); - _gnutls_write_uint16(n_e, data_e); + _gnutls_write_uint16(n_e, data_e); - data_size = n_m + n_e + 4; + data_size = n_m + n_e + 4; - /* Generate the signature. */ + /* Generate the signature. */ - ddata.data = *data; - ddata.size = data_size; + ddata.data = *data; + ddata.size = data_size; - if (apr_pkey != NULL) { - if ((ret = - _gnutls_tls_sign_params(session, &apr_cert_list[0], - apr_pkey, &ddata, - &signature)) < 0) { - gnutls_assert(); - gnutls_free(*data); *data = NULL; - return ret; - } - } else { - gnutls_assert(); - return data_size; /* do not put a signature - ILLEGAL! */ + if (apr_pkey != NULL) { + if ((ret = + _gnutls_tls_sign_params(session, &apr_cert_list[0], + apr_pkey, &ddata, &signature)) < 0) { + gnutls_assert(); + gnutls_free(*data); + *data = NULL; + return ret; } + } else { + gnutls_assert(); + return data_size; /* do not put a signature - ILLEGAL! */ + } - *data = gnutls_realloc_fast(*data, data_size + signature.size + 2); - if (*data == NULL) { - _gnutls_free_datum(&signature); - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + *data = gnutls_realloc_fast(*data, data_size + signature.size + 2); + if (*data == NULL) { + _gnutls_free_datum(&signature); + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - _gnutls_write_datum16(&((*data)[data_size]), signature); - data_size += signature.size + 2; + _gnutls_write_datum16(&((*data)[data_size]), signature); + data_size += signature.size + 2; - _gnutls_free_datum(&signature); + _gnutls_free_datum(&signature); - return data_size; + return data_size; } /* if the peer's certificate is of 512 bits or less, returns non zero. */ -int _gnutls_peers_cert_less_512( gnutls_session session) +int _gnutls_peers_cert_less_512(gnutls_session session) { -gnutls_cert peer_cert; -int ret; -cert_auth_info_t info = _gnutls_get_auth_info( session); - - if (info == NULL || info->ncerts==0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return 0; - } - - if ((ret = - _gnutls_raw_cert_to_gcert( &peer_cert, session->security_parameters.cert_type, - &info->raw_certificate_list[0], CERT_NO_COPY)) < 0) { - gnutls_assert(); - return 0; - } - - if (peer_cert.subject_pk_algorithm != GNUTLS_PK_RSA) { - gnutls_assert(); - _gnutls_gcert_deinit( &peer_cert); - return 0; - } + gnutls_cert peer_cert; + int ret; + cert_auth_info_t info = _gnutls_get_auth_info(session); - if ( _gnutls_mpi_get_nbits( peer_cert.params[0]) - <= 512) { - _gnutls_gcert_deinit( &peer_cert); - return 1; - } - - _gnutls_gcert_deinit( &peer_cert); - + if (info == NULL || info->ncerts == 0) { + gnutls_assert(); + /* we need this in order to get peer's certificate */ return 0; -} - -static int proc_rsa_export_server_kx(gnutls_session session, opaque * data, - size_t _data_size) -{ - uint16 n_m, n_e; - size_t _n_m, _n_e; - uint8 *data_m; - uint8 *data_e; - int i, sigsize; - gnutls_datum vparams, signature; - int ret; - ssize_t data_size = _data_size; - cert_auth_info_t info; - gnutls_cert peer_cert; - - info = _gnutls_get_auth_info( session); - if (info == NULL || info->ncerts==0) { - gnutls_assert(); - /* we need this in order to get peer's certificate */ - return GNUTLS_E_INTERNAL_ERROR; - } - - - i = 0; - - DECR_LEN( data_size, 2); - n_m = _gnutls_read_uint16(&data[i]); - i += 2; - - DECR_LEN( data_size, n_m); - data_m = &data[i]; - i += n_m; - - DECR_LEN( data_size, 2); - n_e = _gnutls_read_uint16(&data[i]); - i += 2; - - DECR_LEN( data_size, n_e); - data_e = &data[i]; - i += n_e; - - _n_e = n_e; - _n_m = n_m; - - if (_gnutls_mpi_scan(&session->key->rsa[0], data_m, &_n_m) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - if (_gnutls_mpi_scan(&session->key->rsa[1], data_e, &_n_e) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } + } + + if ((ret = + _gnutls_raw_cert_to_gcert(&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_NO_COPY)) < 0) { + gnutls_assert(); + return 0; + } - _gnutls_rsa_export_set_pubkey( session, session->key->rsa[1], session->key->rsa[0]); + if (peer_cert.subject_pk_algorithm != GNUTLS_PK_RSA) { + gnutls_assert(); + _gnutls_gcert_deinit(&peer_cert); + return 0; + } - /* VERIFY SIGNATURE */ + if (_gnutls_mpi_get_nbits(peer_cert.params[0]) + <= 512) { + _gnutls_gcert_deinit(&peer_cert); + return 1; + } - vparams.size = n_m + n_e + 4; - vparams.data = data; + _gnutls_gcert_deinit(&peer_cert); - DECR_LEN( data_size, 2); - sigsize = _gnutls_read_uint16(&data[vparams.size]); + return 0; +} - DECR_LEN( data_size, sigsize); - signature.data = &data[vparams.size + 2]; - signature.size = sigsize; +static int proc_rsa_export_server_kx(gnutls_session session, opaque * data, + size_t _data_size) +{ + uint16 n_m, n_e; + size_t _n_m, _n_e; + uint8 *data_m; + uint8 *data_e; + int i, sigsize; + gnutls_datum vparams, signature; + int ret; + ssize_t data_size = _data_size; + cert_auth_info_t info; + gnutls_cert peer_cert; + + info = _gnutls_get_auth_info(session); + if (info == NULL || info->ncerts == 0) { + gnutls_assert(); + /* we need this in order to get peer's certificate */ + return GNUTLS_E_INTERNAL_ERROR; + } + + + i = 0; + + DECR_LEN(data_size, 2); + n_m = _gnutls_read_uint16(&data[i]); + i += 2; + + DECR_LEN(data_size, n_m); + data_m = &data[i]; + i += n_m; + + DECR_LEN(data_size, 2); + n_e = _gnutls_read_uint16(&data[i]); + i += 2; + + DECR_LEN(data_size, n_e); + data_e = &data[i]; + i += n_e; + + _n_e = n_e; + _n_m = n_m; + + if (_gnutls_mpi_scan(&session->key->rsa[0], data_m, &_n_m) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + if (_gnutls_mpi_scan(&session->key->rsa[1], data_e, &_n_e) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + _gnutls_rsa_export_set_pubkey(session, session->key->rsa[1], + session->key->rsa[0]); + + /* VERIFY SIGNATURE */ + + vparams.size = n_m + n_e + 4; + vparams.data = data; + + DECR_LEN(data_size, 2); + sigsize = _gnutls_read_uint16(&data[vparams.size]); + + DECR_LEN(data_size, sigsize); + signature.data = &data[vparams.size + 2]; + signature.size = sigsize; + + if ((ret = + _gnutls_raw_cert_to_gcert(&peer_cert, + session->security_parameters.cert_type, + &info->raw_certificate_list[0], + CERT_NO_COPY)) < 0) { + gnutls_assert(); + return ret; + } - if ((ret = - _gnutls_raw_cert_to_gcert( &peer_cert, session->security_parameters.cert_type, - &info->raw_certificate_list[0], CERT_NO_COPY)) < 0) { - gnutls_assert(); - return ret; - } + ret = + _gnutls_verify_sig_params(session, + &peer_cert, &vparams, &signature); - ret = - _gnutls_verify_sig_params(session, - &peer_cert, - &vparams, &signature); - - _gnutls_gcert_deinit( &peer_cert); - if (ret < 0) { - gnutls_assert(); - } + _gnutls_gcert_deinit(&peer_cert); + if (ret < 0) { + gnutls_assert(); + } - return ret; + return ret; } diff --git a/lib/debug.c b/lib/debug.c index bc02df8cec..1a9d519586 100644 --- a/lib/debug.c +++ b/lib/debug.c @@ -31,84 +31,87 @@ void _gnutls_print_state(gnutls_session session) { - _gnutls_debug_log( "GNUTLS State:\n"); - _gnutls_debug_log( "Connection End: %d\n", - session->security_parameters.entity); - _gnutls_debug_log( "Cipher Algorithm: %d\n", - session->security_parameters.read_bulk_cipher_algorithm); - _gnutls_debug_log( "MAC algorithm: %d\n", - session->security_parameters.read_mac_algorithm); - _gnutls_debug_log( "Compression Algorithm: %d\n", - session->security_parameters.read_compression_algorithm); - _gnutls_debug_log( "\n"); + _gnutls_debug_log("GNUTLS State:\n"); + _gnutls_debug_log("Connection End: %d\n", + session->security_parameters.entity); + _gnutls_debug_log("Cipher Algorithm: %d\n", + session->security_parameters. + read_bulk_cipher_algorithm); + _gnutls_debug_log("MAC algorithm: %d\n", + session->security_parameters.read_mac_algorithm); + _gnutls_debug_log("Compression Algorithm: %d\n", + session->security_parameters. + read_compression_algorithm); + _gnutls_debug_log("\n"); } #endif -const char* _gnutls_packet2str( content_type_t packet) +const char *_gnutls_packet2str(content_type_t packet) { - switch(packet) { - case GNUTLS_CHANGE_CIPHER_SPEC: - return "Change Cipher Spec"; - case GNUTLS_ALERT: - return "Alert"; - case GNUTLS_HANDSHAKE: - return "Handshake"; - case GNUTLS_APPLICATION_DATA: - return "Application Data"; + switch (packet) { + case GNUTLS_CHANGE_CIPHER_SPEC: + return "Change Cipher Spec"; + case GNUTLS_ALERT: + return "Alert"; + case GNUTLS_HANDSHAKE: + return "Handshake"; + case GNUTLS_APPLICATION_DATA: + return "Application Data"; - default: - return "Unknown Packet"; - } + default: + return "Unknown Packet"; + } } -const char* _gnutls_handshake2str( HandshakeType handshake) +const char *_gnutls_handshake2str(HandshakeType handshake) { - switch(handshake) { - case GNUTLS_HELLO_REQUEST: - return "HELLO REQUEST"; - break; - case GNUTLS_CLIENT_HELLO: - return "CLIENT HELLO"; - break; - case GNUTLS_SERVER_HELLO: - return "SERVER HELLO"; - break; - case GNUTLS_CERTIFICATE_PKT: - return "CERTIFICATE"; - break; - case GNUTLS_SERVER_KEY_EXCHANGE: - return "SERVER KEY EXCHANGE"; - break; - case GNUTLS_CERTIFICATE_REQUEST: - return "CERTIFICATE REQUEST"; - break; - case GNUTLS_SERVER_HELLO_DONE: - return "SERVER HELLO DONE"; - break; - case GNUTLS_CERTIFICATE_VERIFY: - return "CERTIFICATE VERIFY"; - break; - case GNUTLS_CLIENT_KEY_EXCHANGE: - return "CLIENT KEY EXCHANGE"; - break; - case GNUTLS_FINISHED: - return "FINISHED"; - break; - default: - return "Unknown Handshake packet"; - - } + switch (handshake) { + case GNUTLS_HELLO_REQUEST: + return "HELLO REQUEST"; + break; + case GNUTLS_CLIENT_HELLO: + return "CLIENT HELLO"; + break; + case GNUTLS_SERVER_HELLO: + return "SERVER HELLO"; + break; + case GNUTLS_CERTIFICATE_PKT: + return "CERTIFICATE"; + break; + case GNUTLS_SERVER_KEY_EXCHANGE: + return "SERVER KEY EXCHANGE"; + break; + case GNUTLS_CERTIFICATE_REQUEST: + return "CERTIFICATE REQUEST"; + break; + case GNUTLS_SERVER_HELLO_DONE: + return "SERVER HELLO DONE"; + break; + case GNUTLS_CERTIFICATE_VERIFY: + return "CERTIFICATE VERIFY"; + break; + case GNUTLS_CLIENT_KEY_EXCHANGE: + return "CLIENT KEY EXCHANGE"; + break; + case GNUTLS_FINISHED: + return "FINISHED"; + break; + default: + return "Unknown Handshake packet"; + + } } -void _gnutls_dump_mpi(const char* prefix, mpi_t a) +void _gnutls_dump_mpi(const char *prefix, mpi_t a) { - opaque buf[1024]; - size_t n = sizeof buf; - - if (gcry_mpi_print(GCRYMPI_FMT_HEX, buf, n, &n, a)) - strcpy(buf, "[can't print value]"); /* Flawfinder: ignore */ - _gnutls_hard_log( "MPI: length: %d\n\t%s%s\n", (n-1)/2, prefix, buf); + opaque buf[1024]; + size_t n = sizeof buf; + + if (gcry_mpi_print(GCRYMPI_FMT_HEX, buf, n, &n, a)) + strcpy(buf, "[can't print value]"); /* Flawfinder: ignore */ + _gnutls_hard_log("MPI: length: %d\n\t%s%s\n", (n - 1) / 2, prefix, + buf); } diff --git a/lib/debug.h b/lib/debug.h index c874abf4f3..e49190af01 100644 --- a/lib/debug.h +++ b/lib/debug.h @@ -21,6 +21,6 @@ #ifdef DEBUG void _gnutls_print_state(gnutls_session session); #endif -const char* _gnutls_packet2str( content_type_t packet); -const char* _gnutls_handshake2str( HandshakeType handshake); -void _gnutls_dump_mpi(const char* prefix, mpi_t a); +const char *_gnutls_packet2str(content_type_t packet); +const char *_gnutls_handshake2str(HandshakeType handshake); +void _gnutls_dump_mpi(const char *prefix, mpi_t a); diff --git a/lib/defines.h b/lib/defines.h index d5079c22e9..b87f0fe3c2 100644 --- a/lib/defines.h +++ b/lib/defines.h @@ -54,7 +54,8 @@ typedef long ptrdiff_t; #endif #ifndef HAVE_STRNSTR -char *strnstr(const char *haystack, const char *needle, size_t haystacklen); +char *strnstr(const char *haystack, const char *needle, + size_t haystacklen); #endif #ifdef HAVE_STDDEF_H @@ -99,7 +100,7 @@ typedef signed int sint; * it is not used. */ typedef struct { - unsigned char i[8]; + unsigned char i[8]; } uint64; #ifndef HAVE_ISASCII diff --git a/lib/ext_cert_type.c b/lib/ext_cert_type.c index 97e769d0e7..1f927654f3 100644 --- a/lib/ext_cert_type.c +++ b/lib/ext_cert_type.c @@ -31,8 +31,8 @@ #include <gnutls_state.h> #include <gnutls_num.h> -inline static int _gnutls_num2cert_type( int num); -inline static int _gnutls_cert_type2num( int record_size); +inline static int _gnutls_num2cert_type(int num); +inline static int _gnutls_cert_type2num(int record_size); /* * In case of a server: if a CERT_TYPE extension type is received then it stores @@ -43,160 +43,174 @@ inline static int _gnutls_cert_type2num( int record_size); * */ -int _gnutls_cert_type_recv_params( gnutls_session session, const opaque* data, size_t _data_size) +int _gnutls_cert_type_recv_params(gnutls_session session, + const opaque * data, size_t _data_size) { - int new_type = -1, ret, i; - ssize_t data_size = _data_size; - - if (session->security_parameters.entity == GNUTLS_CLIENT) { - if (data_size > 0) { - if ( data_size != 1) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - - new_type = _gnutls_num2cert_type(data[0]); - - if (new_type < 0) { - gnutls_assert(); - return new_type; - } - - /* Check if we support this cert_type */ - if ( (ret=_gnutls_session_cert_type_supported( session, new_type)) < 0) { - gnutls_assert(); - return ret; - } - - _gnutls_session_cert_type_set( session, new_type); - } - } else { /* SERVER SIDE - we must check if the sent cert type is the right one - */ - if (data_size > 1) { - uint8 len; - - len = data[0]; - DECR_LEN( data_size, len); - - for (i=0;i<len;i++) { - new_type = _gnutls_num2cert_type(data[i+1]); - - if (new_type < 0) continue; - - /* Check if we support this cert_type */ - if ( (ret=_gnutls_session_cert_type_supported( session, new_type)) < 0) { - gnutls_assert(); - continue; - } else break; - /* new_type is ok */ - } - - if (new_type < 0) { - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } - - if ( (ret=_gnutls_session_cert_type_supported( session, new_type)) < 0) { - gnutls_assert(); - /* The peer has requested unsupported certificate - * types. Instead of failing, procceed normally. - * (the ciphersuite selection would fail, or a - * non certificate ciphersuite will be selected). + int new_type = -1, ret, i; + ssize_t data_size = _data_size; + + if (session->security_parameters.entity == GNUTLS_CLIENT) { + if (data_size > 0) { + if (data_size != 1) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + new_type = _gnutls_num2cert_type(data[0]); + + if (new_type < 0) { + gnutls_assert(); + return new_type; + } + + /* Check if we support this cert_type */ + if ((ret = + _gnutls_session_cert_type_supported(session, + new_type)) < 0) { + gnutls_assert(); + return ret; + } + + _gnutls_session_cert_type_set(session, new_type); + } + } else { /* SERVER SIDE - we must check if the sent cert type is the right one */ - return 0; - } + if (data_size > 1) { + uint8 len; + + len = data[0]; + DECR_LEN(data_size, len); + + for (i = 0; i < len; i++) { + new_type = _gnutls_num2cert_type(data[i + 1]); + + if (new_type < 0) + continue; + + /* Check if we support this cert_type */ + if ((ret = + _gnutls_session_cert_type_supported(session, + new_type)) < 0) { + gnutls_assert(); + continue; + } else + break; + /* new_type is ok */ + } + + if (new_type < 0) { + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } + + if ((ret = + _gnutls_session_cert_type_supported(session, + new_type)) < 0) { + gnutls_assert(); + /* The peer has requested unsupported certificate + * types. Instead of failing, procceed normally. + * (the ciphersuite selection would fail, or a + * non certificate ciphersuite will be selected). + */ + return 0; + } - _gnutls_session_cert_type_set( session, new_type); - } - - + _gnutls_session_cert_type_set(session, new_type); } - - return 0; + + + } + + return 0; } /* returns data_size or a negative number on failure */ -int _gnutls_cert_type_send_params( gnutls_session session, opaque* data, size_t data_size) { - uint len, i; - - /* this function sends the client extension data (dnsname) */ - if (session->security_parameters.entity == GNUTLS_CLIENT) { - - if (session->internals.cert_type_priority.algorithms > 0) { - - len = session->internals.cert_type_priority.algorithms; - - if (len==1 && - session->internals.cert_type_priority.priority[0]==GNUTLS_CRT_X509) - { - /* We don't use this extension if X.509 certificates - * are used. - */ - return 0; - } - - if (data_size < len + 1) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - /* this is a vector! - */ - data[0] = (uint8) len; - - for (i=0;i<len;i++) { - data[i+1] = _gnutls_cert_type2num( session->internals. - cert_type_priority.priority[i]); - } - return len + 1; - } - - } else { /* server side */ - if ( session->security_parameters.cert_type != DEFAULT_CERT_TYPE) { - len = 1; - if (data_size < len) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - data[0] = _gnutls_cert_type2num( session->security_parameters.cert_type); - return len; - } - - +int _gnutls_cert_type_send_params(gnutls_session session, opaque * data, + size_t data_size) +{ + uint len, i; + + /* this function sends the client extension data (dnsname) */ + if (session->security_parameters.entity == GNUTLS_CLIENT) { + + if (session->internals.cert_type_priority.algorithms > 0) { + + len = session->internals.cert_type_priority.algorithms; + + if (len == 1 && + session->internals.cert_type_priority.priority[0] == + GNUTLS_CRT_X509) { + /* We don't use this extension if X.509 certificates + * are used. + */ + return 0; + } + + if (data_size < len + 1) { + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + /* this is a vector! + */ + data[0] = (uint8) len; + + for (i = 0; i < len; i++) { + data[i + 1] = _gnutls_cert_type2num(session->internals. + cert_type_priority. + priority[i]); + } + return len + 1; } - return 0; + } else { /* server side */ + if (session->security_parameters.cert_type != DEFAULT_CERT_TYPE) { + len = 1; + if (data_size < len) { + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + data[0] = + _gnutls_cert_type2num(session->security_parameters. + cert_type); + return len; + } + + + } + + return 0; } /* Maps numbers to record sizes according to the * extensions draft. */ -inline -static int _gnutls_num2cert_type( int num) { - switch( num) { - case 0: - return GNUTLS_CRT_X509; - case 1: - return GNUTLS_CRT_OPENPGP; - default: - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } +inline static int _gnutls_num2cert_type(int num) +{ + switch (num) { + case 0: + return GNUTLS_CRT_X509; + case 1: + return GNUTLS_CRT_OPENPGP; + default: + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } } /* Maps record size to numbers according to the * extensions draft. */ -inline -static int _gnutls_cert_type2num( int cert_type) { - switch(cert_type) { - case GNUTLS_CRT_X509: - return 0; - case GNUTLS_CRT_OPENPGP: - return 1; - default: - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } +inline static int _gnutls_cert_type2num(int cert_type) +{ + switch (cert_type) { + case GNUTLS_CRT_X509: + return 0; + case GNUTLS_CRT_OPENPGP: + return 1; + default: + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } } diff --git a/lib/ext_cert_type.h b/lib/ext_cert_type.h index c011befc19..287125da3f 100644 --- a/lib/ext_cert_type.h +++ b/lib/ext_cert_type.h @@ -1,5 +1,7 @@ /* Maps record size to numbers according to the * extensions draft. */ -int _gnutls_cert_type_recv_params( gnutls_session session, const opaque* data, size_t data_size); -int _gnutls_cert_type_send_params( gnutls_session session, opaque* data, size_t); +int _gnutls_cert_type_recv_params(gnutls_session session, + const opaque * data, size_t data_size); +int _gnutls_cert_type_send_params(gnutls_session session, opaque * data, + size_t); diff --git a/lib/ext_max_record.c b/lib/ext_max_record.c index c0ccff7f58..52e9a72876 100644 --- a/lib/ext_max_record.c +++ b/lib/ext_max_record.c @@ -38,124 +38,135 @@ * */ -int _gnutls_max_record_recv_params( gnutls_session session, const opaque* data, - size_t _data_size) +int _gnutls_max_record_recv_params(gnutls_session session, + const opaque * data, size_t _data_size) { - ssize_t new_size; - ssize_t data_size = _data_size; - - if (session->security_parameters.entity == GNUTLS_SERVER) { - if (data_size > 0) { - DECR_LEN( data_size, 1); - - new_size = _gnutls_mre_num2record(data[0]); - - if (new_size < 0) { - gnutls_assert(); - return new_size; - } - - session->security_parameters.max_record_send_size = new_size; - session->security_parameters.max_record_recv_size = new_size; - } - } else { /* CLIENT SIDE - we must check if the sent record size is the right one - */ - if (data_size > 0) { - - if ( data_size != 1) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - - new_size = _gnutls_mre_num2record(data[0]); - - if (new_size < 0 || new_size != session->internals.proposed_record_size) { - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } else { - session->security_parameters.max_record_recv_size = session->internals.proposed_record_size; - } - - } - - + ssize_t new_size; + ssize_t data_size = _data_size; + + if (session->security_parameters.entity == GNUTLS_SERVER) { + if (data_size > 0) { + DECR_LEN(data_size, 1); + + new_size = _gnutls_mre_num2record(data[0]); + + if (new_size < 0) { + gnutls_assert(); + return new_size; + } + + session->security_parameters.max_record_send_size = new_size; + session->security_parameters.max_record_recv_size = new_size; + } + } else { /* CLIENT SIDE - we must check if the sent record size is the right one + */ + if (data_size > 0) { + + if (data_size != 1) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + new_size = _gnutls_mre_num2record(data[0]); + + if (new_size < 0 + || new_size != session->internals.proposed_record_size) { + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } else { + session->security_parameters.max_record_recv_size = + session->internals.proposed_record_size; + } + } - - return 0; + + + } + + return 0; } /* returns data_size or a negative number on failure */ -int _gnutls_max_record_send_params( gnutls_session session, opaque* data, - size_t data_size) +int _gnutls_max_record_send_params(gnutls_session session, opaque * data, + size_t data_size) { - uint16 len; - /* this function sends the client extension data (dnsname) */ - if (session->security_parameters.entity == GNUTLS_CLIENT) { - - if (session->internals.proposed_record_size != DEFAULT_MAX_RECORD_SIZE) { - len = 1; - if (data_size < len) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - data[0] = (uint8) _gnutls_mre_record2num( session->internals.proposed_record_size); - return len; - } - - } else { /* server side */ - - if (session->security_parameters.max_record_recv_size != DEFAULT_MAX_RECORD_SIZE) { - len = 1; - if (data_size < len) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - data[0] = (uint8) _gnutls_mre_record2num( session->security_parameters.max_record_recv_size); - return len; - } - - + uint16 len; + /* this function sends the client extension data (dnsname) */ + if (session->security_parameters.entity == GNUTLS_CLIENT) { + + if (session->internals.proposed_record_size != + DEFAULT_MAX_RECORD_SIZE) { + len = 1; + if (data_size < len) { + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + data[0] = + (uint8) _gnutls_mre_record2num(session->internals. + proposed_record_size); + return len; + } + + } else { /* server side */ + + if (session->security_parameters.max_record_recv_size != + DEFAULT_MAX_RECORD_SIZE) { + len = 1; + if (data_size < len) { + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + data[0] = + (uint8) _gnutls_mre_record2num(session-> + security_parameters. + max_record_recv_size); + return len; } - return 0; + + } + + return 0; } /* Maps numbers to record sizes according to the * extensions draft. */ -int _gnutls_mre_num2record( int num) { - switch( num) { - case 1: - return 512; - case 2: - return 1024; - case 3: - return 2048; - case 4: - return 4096; - default: - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } +int _gnutls_mre_num2record(int num) +{ + switch (num) { + case 1: + return 512; + case 2: + return 1024; + case 3: + return 2048; + case 4: + return 4096; + default: + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } } /* Maps record size to numbers according to the * extensions draft. */ -int _gnutls_mre_record2num( uint16 record_size) { - switch(record_size) { - case 512: - return 1; - case 1024: - return 2; - case 2048: - return 3; - case 4096: - return 4; - default: - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } +int _gnutls_mre_record2num(uint16 record_size) +{ + switch (record_size) { + case 512: + return 1; + case 1024: + return 2; + case 2048: + return 3; + case 4096: + return 4; + default: + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } } diff --git a/lib/ext_max_record.h b/lib/ext_max_record.h index f804915ab3..b6f158f353 100644 --- a/lib/ext_max_record.h +++ b/lib/ext_max_record.h @@ -1,7 +1,9 @@ /* Maps record size to numbers according to the * extensions draft. */ -int _gnutls_mre_num2record( int num); -int _gnutls_mre_record2num( uint16 record_size); -int _gnutls_max_record_recv_params( gnutls_session session, const opaque* data, size_t data_size); -int _gnutls_max_record_send_params( gnutls_session session, opaque* data, size_t); +int _gnutls_mre_num2record(int num); +int _gnutls_mre_record2num(uint16 record_size); +int _gnutls_max_record_recv_params(gnutls_session session, + const opaque * data, size_t data_size); +int _gnutls_max_record_send_params(gnutls_session session, opaque * data, + size_t); diff --git a/lib/ext_server_name.c b/lib/ext_server_name.c index e0cd9d5ccb..7b83240f0e 100644 --- a/lib/ext_server_name.c +++ b/lib/ext_server_name.c @@ -38,77 +38,77 @@ int _gnutls_server_name_recv_params(gnutls_session session, const opaque * data, size_t _data_size) { - int i; - const unsigned char *p; - uint16 len, type; - ssize_t data_size = _data_size; - int server_names = 0; - - if (session->security_parameters.entity == GNUTLS_SERVER) { - DECR_LENGTH_RET(data_size, 2, 0); - len = _gnutls_read_uint16(data); - - if ( len != data_size) { - /* This is unexpected packet length, but - * just ignore it, for now. - */ - gnutls_assert(); - return 0; - } - - p = data + 2; - - /* Count all server_names in the packet. */ - while (data_size > 0) { - DECR_LENGTH_RET(data_size, 1, 0); - p++; - - DECR_LEN(data_size, 2); - len = _gnutls_read_uint16(p); - p += 2; - - DECR_LENGTH_RET(data_size, len, 0); - server_names++; - - p += len; - } - - session->security_parameters.extensions.server_names_size = - server_names; - if (server_names == 0) - return 0; /* no names found */ - - /* we cannot accept more server names. - */ - if ( server_names > MAX_SERVER_NAME_EXTENSIONS) - server_names = MAX_SERVER_NAME_EXTENSIONS; - - p = data + 2; - for (i = 0; i < server_names; i++) { - type = *p; - p++; - - len = _gnutls_read_uint16(p); - p += 2; - - switch (type) { - case 0: /* NAME_DNS */ - if (len <= MAX_SERVER_NAME_SIZE) { - memcpy(session->security_parameters.extensions. - server_names[i].name, p, len); - session->security_parameters.extensions.server_names[i]. - name_length = len; - session->security_parameters.extensions.server_names[i]. - type = GNUTLS_NAME_DNS; - break; + int i; + const unsigned char *p; + uint16 len, type; + ssize_t data_size = _data_size; + int server_names = 0; + + if (session->security_parameters.entity == GNUTLS_SERVER) { + DECR_LENGTH_RET(data_size, 2, 0); + len = _gnutls_read_uint16(data); + + if (len != data_size) { + /* This is unexpected packet length, but + * just ignore it, for now. + */ + gnutls_assert(); + return 0; + } + + p = data + 2; + + /* Count all server_names in the packet. */ + while (data_size > 0) { + DECR_LENGTH_RET(data_size, 1, 0); + p++; + + DECR_LEN(data_size, 2); + len = _gnutls_read_uint16(p); + p += 2; + + DECR_LENGTH_RET(data_size, len, 0); + server_names++; + + p += len; + } + + session->security_parameters.extensions.server_names_size = + server_names; + if (server_names == 0) + return 0; /* no names found */ + + /* we cannot accept more server names. + */ + if (server_names > MAX_SERVER_NAME_EXTENSIONS) + server_names = MAX_SERVER_NAME_EXTENSIONS; + + p = data + 2; + for (i = 0; i < server_names; i++) { + type = *p; + p++; + + len = _gnutls_read_uint16(p); + p += 2; + + switch (type) { + case 0: /* NAME_DNS */ + if (len <= MAX_SERVER_NAME_SIZE) { + memcpy(session->security_parameters.extensions. + server_names[i].name, p, len); + session->security_parameters.extensions. + server_names[i].name_length = len; + session->security_parameters.extensions. + server_names[i].type = GNUTLS_NAME_DNS; + break; + } } - } - /* move to next record */ - p += len; - } - } - return 0; + /* move to next record */ + p += len; + } + } + return 0; } /* returns data_size or a negative number on failure @@ -116,80 +116,84 @@ int _gnutls_server_name_recv_params(gnutls_session session, int _gnutls_server_name_send_params(gnutls_session session, opaque * data, size_t _data_size) { - uint16 len; - opaque *p; - uint i; - ssize_t data_size = _data_size; - int total_size = 0; - - /* this function sends the client extension data (dnsname) - */ - if (session->security_parameters.entity == GNUTLS_CLIENT) { - - if (session->security_parameters.extensions.server_names_size == 0) - return 0; - - /* uint16 - */ - total_size = 2; - for (i = 0; - i < session->security_parameters.extensions.server_names_size; - i++) - { - /* count the total size - */ - len = session->security_parameters.extensions.server_names[i].name_length; - - /* uint8 + uint16 + size - */ - total_size += 1 + 2 + len; - } - - p = data; - - /* UINT16: write total size of all names - */ - DECR_LENGTH_RET( data_size, 2, GNUTLS_E_SHORT_MEMORY_BUFFER); - _gnutls_write_uint16(total_size-2, p); - p += 2; - - for (i = 0; - i < session->security_parameters.extensions.server_names_size; - i++) - { - - switch (session->security_parameters.extensions.server_names[i]. - type) { - case GNUTLS_NAME_DNS: - - len = session->security_parameters.extensions.server_names[i].name_length; - if (len == 0) break; - - /* UINT8: type of this extension - * UINT16: size of the first name - * LEN: the actual server name. - */ - DECR_LENGTH_RET( data_size, len + 3, GNUTLS_E_SHORT_MEMORY_BUFFER); - - *p = 0; /* NAME_DNS type */ - p++; - - _gnutls_write_uint16(len, p); - p += 2; - - memcpy(p, - session->security_parameters.extensions. - server_names[0].name, len); - p += len; - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - } - } + uint16 len; + opaque *p; + uint i; + ssize_t data_size = _data_size; + int total_size = 0; + + /* this function sends the client extension data (dnsname) + */ + if (session->security_parameters.entity == GNUTLS_CLIENT) { + + if (session->security_parameters.extensions.server_names_size == 0) + return 0; + + /* uint16 + */ + total_size = 2; + for (i = 0; + i < session->security_parameters.extensions.server_names_size; + i++) { + /* count the total size + */ + len = + session->security_parameters.extensions.server_names[i]. + name_length; + + /* uint8 + uint16 + size + */ + total_size += 1 + 2 + len; + } + + p = data; + + /* UINT16: write total size of all names + */ + DECR_LENGTH_RET(data_size, 2, GNUTLS_E_SHORT_MEMORY_BUFFER); + _gnutls_write_uint16(total_size - 2, p); + p += 2; + + for (i = 0; + i < session->security_parameters.extensions.server_names_size; + i++) { + + switch (session->security_parameters.extensions. + server_names[i].type) { + case GNUTLS_NAME_DNS: + + len = + session->security_parameters.extensions. + server_names[i].name_length; + if (len == 0) + break; + + /* UINT8: type of this extension + * UINT16: size of the first name + * LEN: the actual server name. + */ + DECR_LENGTH_RET(data_size, len + 3, + GNUTLS_E_SHORT_MEMORY_BUFFER); + + *p = 0; /* NAME_DNS type */ + p++; + + _gnutls_write_uint16(len, p); + p += 2; + + memcpy(p, + session->security_parameters.extensions. + server_names[0].name, len); + p += len; + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + } + } - return total_size; + return total_size; } /** @@ -216,46 +220,45 @@ int _gnutls_server_name_send_params(gnutls_session session, opaque * data, * **/ int gnutls_server_name_get(gnutls_session session, void *data, - size_t *data_length, - unsigned int * type, - unsigned int indx) + size_t * data_length, + unsigned int *type, unsigned int indx) { - char *_data = data; - - if (session->security_parameters.entity == GNUTLS_CLIENT) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (indx+1 > - session->security_parameters.extensions.server_names_size) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - *type = - session->security_parameters.extensions.server_names[indx].type; - - if (*data_length > /* greater since we need one extra byte for the null */ - session->security_parameters.extensions.server_names[indx]. - name_length) { - *data_length = - session->security_parameters.extensions.server_names[indx]. - name_length; - memcpy(data, - session->security_parameters.extensions.server_names[indx]. - name, *data_length); - - if (*type == GNUTLS_NAME_DNS) /* null terminate */ - _data[(*data_length)] = 0; - - } else { - *data_length = - session->security_parameters.extensions.server_names[indx]. - name_length; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - return 0; + char *_data = data; + + if (session->security_parameters.entity == GNUTLS_CLIENT) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (indx + 1 > + session->security_parameters.extensions.server_names_size) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + *type = + session->security_parameters.extensions.server_names[indx].type; + + if (*data_length > /* greater since we need one extra byte for the null */ + session->security_parameters.extensions.server_names[indx]. + name_length) { + *data_length = + session->security_parameters.extensions.server_names[indx]. + name_length; + memcpy(data, + session->security_parameters.extensions.server_names[indx]. + name, *data_length); + + if (*type == GNUTLS_NAME_DNS) /* null terminate */ + _data[(*data_length)] = 0; + + } else { + *data_length = + session->security_parameters.extensions.server_names[indx]. + name_length; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + return 0; } /** @@ -279,31 +282,31 @@ int gnutls_server_name_set(gnutls_session session, gnutls_server_name_type type, const void *name, size_t name_length) { - int server_names; + int server_names; - if (session->security_parameters.entity == GNUTLS_SERVER) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (session->security_parameters.entity == GNUTLS_SERVER) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (name_length > MAX_SERVER_NAME_SIZE) - return GNUTLS_E_SHORT_MEMORY_BUFFER; + if (name_length > MAX_SERVER_NAME_SIZE) + return GNUTLS_E_SHORT_MEMORY_BUFFER; - server_names = - session->security_parameters.extensions.server_names_size + 1; + server_names = + session->security_parameters.extensions.server_names_size + 1; - if (server_names > MAX_SERVER_NAME_EXTENSIONS) - server_names = MAX_SERVER_NAME_EXTENSIONS; + if (server_names > MAX_SERVER_NAME_EXTENSIONS) + server_names = MAX_SERVER_NAME_EXTENSIONS; - session->security_parameters.extensions.server_names[server_names - - 1].type = type; - memcpy(session->security_parameters.extensions. - server_names[server_names - 1].name, name, name_length); - session->security_parameters.extensions.server_names[server_names - - 1].name_length = - name_length; + session->security_parameters.extensions.server_names[server_names - + 1].type = type; + memcpy(session->security_parameters.extensions. + server_names[server_names - 1].name, name, name_length); + session->security_parameters.extensions.server_names[server_names - + 1].name_length = + name_length; - session->security_parameters.extensions.server_names_size++; + session->security_parameters.extensions.server_names_size++; - return 0; + return 0; } diff --git a/lib/ext_server_name.h b/lib/ext_server_name.h index 69a62ba9bf..a6eb92d94d 100644 --- a/lib/ext_server_name.h +++ b/lib/ext_server_name.h @@ -1,10 +1,11 @@ -int _gnutls_server_name_recv_params( gnutls_session session, const opaque* data, size_t data_size); -int _gnutls_server_name_send_params( gnutls_session session, opaque* data, size_t); +int _gnutls_server_name_recv_params(gnutls_session session, + const opaque * data, size_t data_size); +int _gnutls_server_name_send_params(gnutls_session session, opaque * data, + size_t); -int gnutls_get_server_name(gnutls_session session, void* data, int* data_length, - int *type, int indx); +int gnutls_get_server_name(gnutls_session session, void *data, + int *data_length, int *type, int indx); int gnutls_set_server_name(gnutls_session session, - gnutls_server_name_type type, - const void *name, int name_length); - + gnutls_server_name_type type, + const void *name, int name_length); diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in index c83067fc8e..883c80f865 100644 --- a/lib/gnutls.h.in.in +++ b/lib/gnutls.h.in.in @@ -61,29 +61,29 @@ extern "C" { #define GNUTLS_CIPHER_ARCFOUR GNUTLS_CIPHER_ARCFOUR_128 typedef enum gnutls_cipher_algorithm { GNUTLS_CIPHER_NULL=1, - GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_ARCFOUR_40 + GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_ARCFOUR_40 } gnutls_cipher_algorithm; typedef enum gnutls_kx_algorithm { GNUTLS_KX_RSA=1, GNUTLS_KX_DHE_DSS, - GNUTLS_KX_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP, - GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS + GNUTLS_KX_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP, + GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS } gnutls_kx_algorithm; typedef enum gnutls_params_type { GNUTLS_PARAMS_RSA_EXPORT=1, - GNUTLS_PARAMS_DH + GNUTLS_PARAMS_DH } gnutls_params_type; typedef enum gnutls_credentials_type { GNUTLS_CRD_CERTIFICATE=1, GNUTLS_CRD_ANON, GNUTLS_CRD_SRP } gnutls_credentials_type; typedef enum gnutls_mac_algorithm { GNUTLS_MAC_NULL=1, - GNUTLS_MAC_MD5, GNUTLS_MAC_SHA, GNUTLS_MAC_RMD160 + GNUTLS_MAC_MD5, GNUTLS_MAC_SHA, GNUTLS_MAC_RMD160 } gnutls_mac_algorithm; /* The enumerations here should have the same value with gnutls_mac_algorithm. */ typedef enum gnutls_digest_algorithm { GNUTLS_DIG_NULL=1, GNUTLS_DIG_MD5, - GNUTLS_DIG_SHA, GNUTLS_DIG_RIPEMD160 + GNUTLS_DIG_SHA, GNUTLS_DIG_RIPEMD160 } gnutls_digest_algorithm; /* exported for other gnutls headers. This is the maximum number @@ -93,8 +93,8 @@ typedef enum gnutls_digest_algorithm { GNUTLS_DIG_NULL=1, GNUTLS_DIG_MD5, #define GNUTLS_COMP_ZLIB GNUTLS_COMP_DEFLATE typedef enum gnutls_compression_method { GNUTLS_COMP_NULL=1, - GNUTLS_COMP_DEFLATE, - GNUTLS_COMP_LZO /* only available if gnutls-extra has been initialized + GNUTLS_COMP_DEFLATE, + GNUTLS_COMP_LZO /* only available if gnutls-extra has been initialized */ } gnutls_compression_method; @@ -103,72 +103,72 @@ typedef enum gnutls_connection_end { GNUTLS_SERVER=1, GNUTLS_CLIENT } gnutls_con typedef enum gnutls_alert_level { GNUTLS_AL_WARNING=1, GNUTLS_AL_FATAL } gnutls_alert_level; typedef enum gnutls_alert_description { GNUTLS_A_CLOSE_NOTIFY, - GNUTLS_A_UNEXPECTED_MESSAGE=10, GNUTLS_A_BAD_RECORD_MAC=20, - GNUTLS_A_DECRYPTION_FAILED, GNUTLS_A_RECORD_OVERFLOW, GNUTLS_A_DECOMPRESSION_FAILURE=30, - GNUTLS_A_HANDSHAKE_FAILURE=40, GNUTLS_A_SSL3_NO_CERTIFICATE=41, - GNUTLS_A_BAD_CERTIFICATE=42, GNUTLS_A_UNSUPPORTED_CERTIFICATE, - GNUTLS_A_CERTIFICATE_REVOKED, GNUTLS_A_CERTIFICATE_EXPIRED, GNUTLS_A_CERTIFICATE_UNKNOWN, - GNUTLS_A_ILLEGAL_PARAMETER, GNUTLS_A_UNKNOWN_CA, GNUTLS_A_ACCESS_DENIED, GNUTLS_A_DECODE_ERROR=50, - GNUTLS_A_DECRYPT_ERROR, GNUTLS_A_EXPORT_RESTRICTION=60, GNUTLS_A_PROTOCOL_VERSION=70, - GNUTLS_A_INSUFFICIENT_SECURITY, GNUTLS_A_INTERNAL_ERROR=80, GNUTLS_A_USER_CANCELED=90, - GNUTLS_A_NO_RENEGOTIATION=100, GNUTLS_A_UNSUPPORTED_EXTENSION=110, - GNUTLS_A_CERTIFICATE_UNOBTAINABLE=111, GNUTLS_A_UNRECOGNIZED_NAME=112, - GNUTLS_A_UNKNOWN_SRP_USERNAME=120, GNUTLS_A_MISSING_SRP_USERNAME=121 + GNUTLS_A_UNEXPECTED_MESSAGE=10, GNUTLS_A_BAD_RECORD_MAC=20, + GNUTLS_A_DECRYPTION_FAILED, GNUTLS_A_RECORD_OVERFLOW, GNUTLS_A_DECOMPRESSION_FAILURE=30, + GNUTLS_A_HANDSHAKE_FAILURE=40, GNUTLS_A_SSL3_NO_CERTIFICATE=41, + GNUTLS_A_BAD_CERTIFICATE=42, GNUTLS_A_UNSUPPORTED_CERTIFICATE, + GNUTLS_A_CERTIFICATE_REVOKED, GNUTLS_A_CERTIFICATE_EXPIRED, GNUTLS_A_CERTIFICATE_UNKNOWN, + GNUTLS_A_ILLEGAL_PARAMETER, GNUTLS_A_UNKNOWN_CA, GNUTLS_A_ACCESS_DENIED, GNUTLS_A_DECODE_ERROR=50, + GNUTLS_A_DECRYPT_ERROR, GNUTLS_A_EXPORT_RESTRICTION=60, GNUTLS_A_PROTOCOL_VERSION=70, + GNUTLS_A_INSUFFICIENT_SECURITY, GNUTLS_A_INTERNAL_ERROR=80, GNUTLS_A_USER_CANCELED=90, + GNUTLS_A_NO_RENEGOTIATION=100, GNUTLS_A_UNSUPPORTED_EXTENSION=110, + GNUTLS_A_CERTIFICATE_UNOBTAINABLE=111, GNUTLS_A_UNRECOGNIZED_NAME=112, + GNUTLS_A_UNKNOWN_SRP_USERNAME=120, GNUTLS_A_MISSING_SRP_USERNAME=121 } gnutls_alert_description; typedef enum gnutls_handshake_description { GNUTLS_HANDSHAKE_HELLO_REQUEST, - GNUTLS_HANDSHAKE_CLIENT_HELLO, GNUTLS_HANDSHAKE_SERVER_HELLO, - GNUTLS_HANDSHAKE_CERTIFICATE_PKT=11, GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE, - GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST, GNUTLS_HANDSHAKE_SERVER_HELLO_DONE, - GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY, GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE, - GNUTLS_HANDSHAKE_FINISHED=20 + GNUTLS_HANDSHAKE_CLIENT_HELLO, GNUTLS_HANDSHAKE_SERVER_HELLO, + GNUTLS_HANDSHAKE_CERTIFICATE_PKT=11, GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE, + GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST, GNUTLS_HANDSHAKE_SERVER_HELLO_DONE, + GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY, GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE, + GNUTLS_HANDSHAKE_FINISHED=20 } gnutls_handshake_description; /* Note that the status bits have different meanings * in openpgp keys and x.509 certificate verification. */ typedef enum gnutls_certificate_status { - GNUTLS_CERT_INVALID=2, /* will be set if the certificate - * was not verified. - */ - GNUTLS_CERT_REVOKED=32, /* in X.509 this will be set only if CRLs are checked - */ - - /* Those are extra information about the verification - * process. Will be set only if the certificate was - * not verified. - */ - GNUTLS_CERT_SIGNER_NOT_FOUND=64, - GNUTLS_CERT_SIGNER_NOT_CA=128 + GNUTLS_CERT_INVALID=2, /* will be set if the certificate + * was not verified. + */ + GNUTLS_CERT_REVOKED=32, /* in X.509 this will be set only if CRLs are checked + */ + + /* Those are extra information about the verification + * process. Will be set only if the certificate was + * not verified. + */ + GNUTLS_CERT_SIGNER_NOT_FOUND=64, + GNUTLS_CERT_SIGNER_NOT_CA=128 } gnutls_certificate_status; typedef enum gnutls_certificate_request { GNUTLS_CERT_IGNORE, GNUTLS_CERT_REQUEST=1, GNUTLS_CERT_REQUIRE } gnutls_certificate_request; typedef enum gnutls_openpgp_key_status { GNUTLS_OPENPGP_KEY, - GNUTLS_OPENPGP_KEY_FINGERPRINT + GNUTLS_OPENPGP_KEY_FINGERPRINT } gnutls_openpgp_key_status; typedef enum gnutls_close_request { GNUTLS_SHUT_RDWR=0, GNUTLS_SHUT_WR=1 } gnutls_close_request; #define GNUTLS_TLS1 GNUTLS_TLS1_0 typedef enum gnutls_protocol_version { GNUTLS_SSL3=1, GNUTLS_TLS1_0, - GNUTLS_TLS1_1 } gnutls_protocol_version; + GNUTLS_TLS1_1 } gnutls_protocol_version; typedef enum gnutls_certificate_type { GNUTLS_CRT_X509=1, GNUTLS_CRT_OPENPGP } gnutls_certificate_type; typedef enum gnutls_x509_crt_fmt { GNUTLS_X509_FMT_DER, - GNUTLS_X509_FMT_PEM } gnutls_x509_crt_fmt; + GNUTLS_X509_FMT_PEM } gnutls_x509_crt_fmt; typedef enum gnutls_pk_algorithm { GNUTLS_PK_RSA = 1, GNUTLS_PK_DSA, - GNUTLS_PK_UNKNOWN = 0xff + GNUTLS_PK_UNKNOWN = 0xff } gnutls_pk_algorithm; const char *gnutls_pk_algorithm_get_name( gnutls_pk_algorithm algorithm); typedef enum gnutls_sign_algorithm { GNUTLS_SIGN_RSA_SHA = 1, GNUTLS_SIGN_DSA_SHA, - GNUTLS_SIGN_RSA_MD5, GNUTLS_SIGN_RSA_MD2, - GNUTLS_SIGN_UNKNOWN = 0xff + GNUTLS_SIGN_RSA_MD5, GNUTLS_SIGN_RSA_MD2, + GNUTLS_SIGN_UNKNOWN = 0xff } gnutls_sign_algorithm; const char *gnutls_sign_algorithm_get_name( gnutls_sign_algorithm algorithm); @@ -188,8 +188,8 @@ struct gnutls_rsa_params_int; typedef struct gnutls_rsa_params_int* gnutls_rsa_params; typedef struct { - unsigned char * data; - unsigned int size; + unsigned char * data; + unsigned int size; } gnutls_datum; @@ -205,16 +205,16 @@ int gnutls_handshake( gnutls_session session); int gnutls_rehandshake( gnutls_session session); gnutls_alert_description gnutls_alert_get( gnutls_session session); -int gnutls_alert_send( gnutls_session, gnutls_alert_level, gnutls_alert_description); -int gnutls_alert_send_appropriate( gnutls_session session, int err); -const char* gnutls_alert_get_name( gnutls_alert_description alert); +int gnutls_alert_send( gnutls_session, gnutls_alert_level, gnutls_alert_description); +int gnutls_alert_send_appropriate( gnutls_session session, int err); +const char* gnutls_alert_get_name( gnutls_alert_description alert); /* get information on the current session */ -gnutls_cipher_algorithm gnutls_cipher_get( gnutls_session session); -gnutls_kx_algorithm gnutls_kx_get( gnutls_session session); -gnutls_mac_algorithm gnutls_mac_get( gnutls_session session); -gnutls_compression_method gnutls_compression_get( gnutls_session session); -gnutls_certificate_type gnutls_certificate_type_get( gnutls_session session); +gnutls_cipher_algorithm gnutls_cipher_get( gnutls_session session); +gnutls_kx_algorithm gnutls_kx_get( gnutls_session session); +gnutls_mac_algorithm gnutls_mac_get( gnutls_session session); +gnutls_compression_method gnutls_compression_get( gnutls_session session); +gnutls_certificate_type gnutls_certificate_type_get( gnutls_session session); size_t gnutls_cipher_get_key_size( gnutls_cipher_algorithm algorithm); @@ -259,12 +259,12 @@ typedef enum gnutls_server_name_type { GNUTLS_NAME_DNS=1 } gnutls_server_name_type; int gnutls_server_name_set(gnutls_session session, - gnutls_server_name_type type, - const void *name, size_t name_length); + gnutls_server_name_type type, + const void *name, size_t name_length); int gnutls_server_name_get(gnutls_session session, - void *data, size_t *data_length, - unsigned int * type, int unsigned indx); + void *data, size_t *data_length, + unsigned int * type, int unsigned indx); /* functions to set priority of cipher suites */ @@ -282,7 +282,7 @@ int gnutls_set_default_export_priority(gnutls_session session); /* Returns the name of a cipher suite */ const char *gnutls_cipher_suite_get_name(gnutls_kx_algorithm kx_algorithm, - gnutls_cipher_algorithm cipher_algorithm, gnutls_mac_algorithm mac_algorithm); + gnutls_cipher_algorithm cipher_algorithm, gnutls_mac_algorithm mac_algorithm); /* get the currently used protocol version */ gnutls_protocol_version gnutls_protocol_get_version(gnutls_session session); @@ -366,20 +366,20 @@ void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials res, uns int gnutls_certificate_set_x509_trust_file( gnutls_certificate_credentials res, const char* CAFILE, - gnutls_x509_crt_fmt); + gnutls_x509_crt_fmt); int gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials res, - const gnutls_datum *CA, gnutls_x509_crt_fmt); + const gnutls_datum *CA, gnutls_x509_crt_fmt); int gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials res, - const char *crlfile, gnutls_x509_crt_fmt type); + const char *crlfile, gnutls_x509_crt_fmt type); int gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials res, - const gnutls_datum *CRL, gnutls_x509_crt_fmt type); + const gnutls_datum *CRL, gnutls_x509_crt_fmt type); int gnutls_certificate_set_x509_key_file( gnutls_certificate_credentials res, - const char *CERTFILE, const char* KEYFILE, gnutls_x509_crt_fmt); + const char *CERTFILE, const char* KEYFILE, gnutls_x509_crt_fmt); int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials res, - const gnutls_datum* CERT, const gnutls_datum* KEY, - gnutls_x509_crt_fmt); + const gnutls_datum* CERT, const gnutls_datum* KEY, + gnutls_x509_crt_fmt); /* New functions to allow setting already parsed X.509 stuff. @@ -394,12 +394,12 @@ struct gnutls_x509_crt_int; typedef struct gnutls_x509_crt_int* gnutls_x509_crt; int gnutls_certificate_set_x509_key(gnutls_certificate_credentials res, - gnutls_x509_crt *cert_list, int cert_list_size, - gnutls_x509_privkey key); + gnutls_x509_crt *cert_list, int cert_list_size, + gnutls_x509_privkey key); int gnutls_certificate_set_x509_trust(gnutls_certificate_credentials res, - gnutls_x509_crt * ca_list, int ca_list_size); + gnutls_x509_crt * ca_list, int ca_list_size); int gnutls_certificate_set_x509_crl(gnutls_certificate_credentials res, - gnutls_x509_crl* crl_list, int crl_list_size); + gnutls_x509_crl* crl_list, int crl_list_size); /* global state functions @@ -413,9 +413,9 @@ typedef void (*gnutls_free_function)(void*); typedef void* (*gnutls_realloc_function)(void*, size_t); void gnutls_global_set_mem_functions( - gnutls_alloc_function, gnutls_alloc_function, - int (*gnutls_is_secure_func)(const void*), gnutls_realloc_function, - gnutls_free_function); + gnutls_alloc_function, gnutls_alloc_function, + int (*gnutls_is_secure_func)(const void*), gnutls_realloc_function, + gnutls_free_function); /* For use in callbacks */ extern gnutls_alloc_function gnutls_malloc; @@ -432,14 +432,14 @@ void gnutls_global_set_log_level( int level); int gnutls_dh_params_init( gnutls_dh_params*); void gnutls_dh_params_deinit( gnutls_dh_params); int gnutls_dh_params_import_raw(gnutls_dh_params dh_params, const gnutls_datum *prime, - const gnutls_datum* generator); + const gnutls_datum* generator); int gnutls_dh_params_import_pkcs3(gnutls_dh_params params, - const gnutls_datum * pkcs3_params, gnutls_x509_crt_fmt format); + const gnutls_datum * pkcs3_params, gnutls_x509_crt_fmt format); int gnutls_dh_params_generate2(gnutls_dh_params params, int bits); int gnutls_dh_params_export_pkcs3( gnutls_dh_params params, - gnutls_x509_crt_fmt format, unsigned char* params_data, size_t* params_data_size); + gnutls_x509_crt_fmt format, unsigned char* params_data, size_t* params_data_size); int gnutls_dh_params_export_raw(gnutls_dh_params params, - gnutls_datum * prime, gnutls_datum * generator, unsigned int *bits); + gnutls_datum * prime, gnutls_datum * generator, unsigned int *bits); int gnutls_dh_params_cpy(gnutls_dh_params dst, gnutls_dh_params src); @@ -449,19 +449,19 @@ int gnutls_rsa_params_init(gnutls_rsa_params * rsa_params); void gnutls_rsa_params_deinit(gnutls_rsa_params rsa_params); int gnutls_rsa_params_cpy(gnutls_rsa_params dst, gnutls_rsa_params src); int gnutls_rsa_params_import_raw(gnutls_rsa_params rsa_params, - const gnutls_datum *m, const gnutls_datum *e, - const gnutls_datum *d, const gnutls_datum *p, - const gnutls_datum *q, const gnutls_datum *u); + const gnutls_datum *m, const gnutls_datum *e, + const gnutls_datum *d, const gnutls_datum *p, + const gnutls_datum *q, const gnutls_datum *u); int gnutls_rsa_params_generate2(gnutls_rsa_params params, int bits); int gnutls_rsa_params_export_raw(gnutls_rsa_params params, - gnutls_datum * m, gnutls_datum *e, - gnutls_datum *d, gnutls_datum *p, gnutls_datum* q, - gnutls_datum* u, unsigned int *bits); + gnutls_datum * m, gnutls_datum *e, + gnutls_datum *d, gnutls_datum *p, gnutls_datum* q, + gnutls_datum* u, unsigned int *bits); int gnutls_rsa_params_export_pkcs1( gnutls_rsa_params params, - gnutls_x509_crt_fmt format, unsigned char* params_data, - size_t* params_data_size); + gnutls_x509_crt_fmt format, unsigned char* params_data, + size_t* params_data_size); int gnutls_rsa_params_import_pkcs1(gnutls_rsa_params params, - const gnutls_datum * pkcs1_params, gnutls_x509_crt_fmt format); + const gnutls_datum * pkcs1_params, gnutls_x509_crt_fmt format); /* Session stuff */ @@ -469,12 +469,12 @@ typedef ssize_t (*gnutls_pull_func)(gnutls_transport_ptr, void*, size_t); typedef ssize_t (*gnutls_push_func)(gnutls_transport_ptr, const void*, size_t); void gnutls_transport_set_ptr(gnutls_session session, gnutls_transport_ptr ptr); void gnutls_transport_set_ptr2(gnutls_session session, gnutls_transport_ptr recv_ptr, - gnutls_transport_ptr send_ptr); + gnutls_transport_ptr send_ptr); gnutls_transport_ptr gnutls_transport_get_ptr(gnutls_session session); void gnutls_transport_get_ptr2(gnutls_session session, - gnutls_transport_ptr *recv_ptr, - gnutls_transport_ptr *send_ptr); + gnutls_transport_ptr *recv_ptr, + gnutls_transport_ptr *send_ptr); void gnutls_transport_set_lowat( gnutls_session session, int num); @@ -493,5 +493,5 @@ void gnutls_openpgp_send_key(gnutls_session session, gnutls_openpgp_key_status s * Actually this function returns the hash of the given data. */ int gnutls_fingerprint(gnutls_digest_algorithm algo, const gnutls_datum* data, - void* result, size_t* result_size); + void* result, size_t* result_size); diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c index 462bb795b6..3e70b46027 100644 --- a/lib/gnutls_alert.c +++ b/lib/gnutls_alert.c @@ -27,40 +27,42 @@ #include <debug.h> typedef struct { - gnutls_alert_description alert; - const char *desc; + gnutls_alert_description alert; + const char *desc; } gnutls_alert_entry; static const gnutls_alert_entry sup_alerts[] = { - { GNUTLS_A_CLOSE_NOTIFY, "Close notify" }, - { GNUTLS_A_UNEXPECTED_MESSAGE, "Unexpected message" }, - { GNUTLS_A_BAD_RECORD_MAC, "Bad record MAC" }, - { GNUTLS_A_DECRYPTION_FAILED, "Decryption failed" }, - { GNUTLS_A_RECORD_OVERFLOW, "Record overflow" }, - { GNUTLS_A_DECOMPRESSION_FAILURE, "Decompression failed" }, - { GNUTLS_A_HANDSHAKE_FAILURE, "Handshake failed" }, - { GNUTLS_A_BAD_CERTIFICATE, "Certificate is bad" }, - { GNUTLS_A_UNSUPPORTED_CERTIFICATE, "Certificate is not supported" }, - { GNUTLS_A_CERTIFICATE_REVOKED, "Certificate was revoked" }, - { GNUTLS_A_CERTIFICATE_EXPIRED, "Certificate is expired" }, - { GNUTLS_A_CERTIFICATE_UNKNOWN, "Unknown certificate" }, - { GNUTLS_A_ILLEGAL_PARAMETER, "Illegal parameter" }, - { GNUTLS_A_UNKNOWN_CA, "CA is unknown" }, - { GNUTLS_A_ACCESS_DENIED, "Access was denied" }, - { GNUTLS_A_DECODE_ERROR, "Decode error" }, - { GNUTLS_A_DECRYPT_ERROR, "Decrypt error" }, - { GNUTLS_A_EXPORT_RESTRICTION, "Export restriction" }, - { GNUTLS_A_PROTOCOL_VERSION, "Error in protocol version" }, - { GNUTLS_A_INSUFFICIENT_SECURITY,"Insufficient security" }, - { GNUTLS_A_USER_CANCELED, "User canceled" }, - { GNUTLS_A_INTERNAL_ERROR, "Internal error" }, - { GNUTLS_A_NO_RENEGOTIATION, "No renegotiation is allowed" }, - { GNUTLS_A_CERTIFICATE_UNOBTAINABLE, "Could not retrieve the specified certificate" }, - { GNUTLS_A_UNSUPPORTED_EXTENSION, "An unsupported extension was sent" }, - { GNUTLS_A_UNRECOGNIZED_NAME, "The server name sent was not recognized" }, - { GNUTLS_A_UNKNOWN_SRP_USERNAME, "The SRP username is not known" }, - { GNUTLS_A_MISSING_SRP_USERNAME, "The SRP username was not sent" }, - {0, NULL} + {GNUTLS_A_CLOSE_NOTIFY, "Close notify"}, + {GNUTLS_A_UNEXPECTED_MESSAGE, "Unexpected message"}, + {GNUTLS_A_BAD_RECORD_MAC, "Bad record MAC"}, + {GNUTLS_A_DECRYPTION_FAILED, "Decryption failed"}, + {GNUTLS_A_RECORD_OVERFLOW, "Record overflow"}, + {GNUTLS_A_DECOMPRESSION_FAILURE, "Decompression failed"}, + {GNUTLS_A_HANDSHAKE_FAILURE, "Handshake failed"}, + {GNUTLS_A_BAD_CERTIFICATE, "Certificate is bad"}, + {GNUTLS_A_UNSUPPORTED_CERTIFICATE, "Certificate is not supported"}, + {GNUTLS_A_CERTIFICATE_REVOKED, "Certificate was revoked"}, + {GNUTLS_A_CERTIFICATE_EXPIRED, "Certificate is expired"}, + {GNUTLS_A_CERTIFICATE_UNKNOWN, "Unknown certificate"}, + {GNUTLS_A_ILLEGAL_PARAMETER, "Illegal parameter"}, + {GNUTLS_A_UNKNOWN_CA, "CA is unknown"}, + {GNUTLS_A_ACCESS_DENIED, "Access was denied"}, + {GNUTLS_A_DECODE_ERROR, "Decode error"}, + {GNUTLS_A_DECRYPT_ERROR, "Decrypt error"}, + {GNUTLS_A_EXPORT_RESTRICTION, "Export restriction"}, + {GNUTLS_A_PROTOCOL_VERSION, "Error in protocol version"}, + {GNUTLS_A_INSUFFICIENT_SECURITY, "Insufficient security"}, + {GNUTLS_A_USER_CANCELED, "User canceled"}, + {GNUTLS_A_INTERNAL_ERROR, "Internal error"}, + {GNUTLS_A_NO_RENEGOTIATION, "No renegotiation is allowed"}, + {GNUTLS_A_CERTIFICATE_UNOBTAINABLE, + "Could not retrieve the specified certificate"}, + {GNUTLS_A_UNSUPPORTED_EXTENSION, "An unsupported extension was sent"}, + {GNUTLS_A_UNRECOGNIZED_NAME, + "The server name sent was not recognized"}, + {GNUTLS_A_UNKNOWN_SRP_USERNAME, "The SRP username is not known"}, + {GNUTLS_A_MISSING_SRP_USERNAME, "The SRP username was not sent"}, + {0, NULL} }; #define GNUTLS_ALERT_LOOP(b) \ @@ -79,13 +81,13 @@ static const gnutls_alert_entry sup_alerts[] = { * See gnutls_alert_get(). * **/ -const char* gnutls_alert_get_name( gnutls_alert_level alert) +const char *gnutls_alert_get_name(gnutls_alert_level alert) { -const char* ret = NULL; + const char *ret = NULL; - GNUTLS_ALERT_ID_LOOP( ret = p->desc); + GNUTLS_ALERT_ID_LOOP(ret = p->desc); - return ret; + return ret; } /** @@ -105,23 +107,26 @@ const char* ret = NULL; * Returns 0 on success. * **/ -int gnutls_alert_send( gnutls_session session, gnutls_alert_level level, gnutls_alert_description desc) +int gnutls_alert_send(gnutls_session session, gnutls_alert_level level, + gnutls_alert_description desc) { - uint8 data[2]; - int ret; - const char *name; + uint8 data[2]; + int ret; + const char *name; - data[0] = (uint8) level; - data[1] = (uint8) desc; + data[0] = (uint8) level; + data[1] = (uint8) desc; - name = gnutls_alert_get_name((int)data[1]); - if (name == NULL) name = "(unknown)"; - _gnutls_record_log( "REC: Sending Alert[%d|%d] - %s\n", data[0], data[1], name); + name = gnutls_alert_get_name((int) data[1]); + if (name == NULL) + name = "(unknown)"; + _gnutls_record_log("REC: Sending Alert[%d|%d] - %s\n", data[0], + data[1], name); - if ( (ret = _gnutls_send_int( session, GNUTLS_ALERT, -1, data, 2)) >= 0) - return 0; - else - return ret; + if ((ret = _gnutls_send_int(session, GNUTLS_ALERT, -1, data, 2)) >= 0) + return 0; + else + return ret; } /** @@ -139,100 +144,101 @@ int gnutls_alert_send( gnutls_session session, gnutls_alert_level level, gnutls_ * mapping to an alert. * **/ -int gnutls_error_to_alert( int err, int* level) +int gnutls_error_to_alert(int err, int *level) { -int ret = GNUTLS_E_INVALID_REQUEST; -int _level = -1; + int ret = GNUTLS_E_INVALID_REQUEST; + int _level = -1; - switch (err) { /* send appropriate alert */ - case GNUTLS_E_DECRYPTION_FAILED: - /* GNUTLS_A_DECRYPTION_FAILED is not sent, because - * it is not defined in SSL3. Note that we must - * not distinguish Decryption failures from mac - * check failures, due to the possibility of some - * attacks. - */ - ret = GNUTLS_A_BAD_RECORD_MAC; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_DECOMPRESSION_FAILED: - ret = GNUTLS_A_DECOMPRESSION_FAILURE; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER: - case GNUTLS_E_ILLEGAL_SRP_USERNAME: - ret = GNUTLS_A_ILLEGAL_PARAMETER; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_ASN1_ELEMENT_NOT_FOUND: - case GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND: - case GNUTLS_E_ASN1_DER_ERROR: - case GNUTLS_E_ASN1_VALUE_NOT_FOUND: - case GNUTLS_E_ASN1_GENERIC_ERROR: - case GNUTLS_E_ASN1_VALUE_NOT_VALID: - case GNUTLS_E_ASN1_TAG_ERROR: - case GNUTLS_E_ASN1_TAG_IMPLICIT: - case GNUTLS_E_ASN1_TYPE_ANY_ERROR: - case GNUTLS_E_ASN1_SYNTAX_ERROR: - case GNUTLS_E_ASN1_DER_OVERFLOW: - case GNUTLS_E_NO_CERTIFICATE_FOUND: - ret = GNUTLS_A_BAD_CERTIFICATE; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_UNKNOWN_CIPHER_SUITE: - case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM: - case GNUTLS_E_INSUFFICIENT_CREDENTIALS: - case GNUTLS_E_NO_CIPHER_SUITES: - case GNUTLS_E_NO_COMPRESSION_ALGORITHMS: - ret = GNUTLS_A_HANDSHAKE_FAILURE; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION: - ret = GNUTLS_A_UNSUPPORTED_EXTENSION; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_UNEXPECTED_PACKET: - ret = GNUTLS_A_UNEXPECTED_MESSAGE; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_REHANDSHAKE: - ret = GNUTLS_A_NO_RENEGOTIATION; - _level = GNUTLS_AL_WARNING; - break; - case GNUTLS_E_UNSUPPORTED_VERSION_PACKET: - ret = GNUTLS_A_PROTOCOL_VERSION; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE: - ret = GNUTLS_A_UNSUPPORTED_CERTIFICATE; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_UNEXPECTED_PACKET_LENGTH: - ret = GNUTLS_A_RECORD_OVERFLOW; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_INTERNAL_ERROR: - case GNUTLS_E_NO_TEMPORARY_DH_PARAMS: - case GNUTLS_E_NO_TEMPORARY_RSA_PARAMS: - ret = GNUTLS_A_INTERNAL_ERROR; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_OPENPGP_GETKEY_FAILED: - ret = GNUTLS_A_CERTIFICATE_UNOBTAINABLE; - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_DH_PRIME_UNACCEPTABLE: - ret = GNUTLS_A_INSUFFICIENT_SECURITY; - _level = GNUTLS_AL_FATAL; - break; - } - - if (level != NULL) *level = _level; + switch (err) { /* send appropriate alert */ + case GNUTLS_E_DECRYPTION_FAILED: + /* GNUTLS_A_DECRYPTION_FAILED is not sent, because + * it is not defined in SSL3. Note that we must + * not distinguish Decryption failures from mac + * check failures, due to the possibility of some + * attacks. + */ + ret = GNUTLS_A_BAD_RECORD_MAC; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_DECOMPRESSION_FAILED: + ret = GNUTLS_A_DECOMPRESSION_FAILURE; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER: + case GNUTLS_E_ILLEGAL_SRP_USERNAME: + ret = GNUTLS_A_ILLEGAL_PARAMETER; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_ASN1_ELEMENT_NOT_FOUND: + case GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND: + case GNUTLS_E_ASN1_DER_ERROR: + case GNUTLS_E_ASN1_VALUE_NOT_FOUND: + case GNUTLS_E_ASN1_GENERIC_ERROR: + case GNUTLS_E_ASN1_VALUE_NOT_VALID: + case GNUTLS_E_ASN1_TAG_ERROR: + case GNUTLS_E_ASN1_TAG_IMPLICIT: + case GNUTLS_E_ASN1_TYPE_ANY_ERROR: + case GNUTLS_E_ASN1_SYNTAX_ERROR: + case GNUTLS_E_ASN1_DER_OVERFLOW: + case GNUTLS_E_NO_CERTIFICATE_FOUND: + ret = GNUTLS_A_BAD_CERTIFICATE; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_UNKNOWN_CIPHER_SUITE: + case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM: + case GNUTLS_E_INSUFFICIENT_CREDENTIALS: + case GNUTLS_E_NO_CIPHER_SUITES: + case GNUTLS_E_NO_COMPRESSION_ALGORITHMS: + ret = GNUTLS_A_HANDSHAKE_FAILURE; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION: + ret = GNUTLS_A_UNSUPPORTED_EXTENSION; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_UNEXPECTED_PACKET: + ret = GNUTLS_A_UNEXPECTED_MESSAGE; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_REHANDSHAKE: + ret = GNUTLS_A_NO_RENEGOTIATION; + _level = GNUTLS_AL_WARNING; + break; + case GNUTLS_E_UNSUPPORTED_VERSION_PACKET: + ret = GNUTLS_A_PROTOCOL_VERSION; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE: + ret = GNUTLS_A_UNSUPPORTED_CERTIFICATE; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_UNEXPECTED_PACKET_LENGTH: + ret = GNUTLS_A_RECORD_OVERFLOW; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_INTERNAL_ERROR: + case GNUTLS_E_NO_TEMPORARY_DH_PARAMS: + case GNUTLS_E_NO_TEMPORARY_RSA_PARAMS: + ret = GNUTLS_A_INTERNAL_ERROR; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_OPENPGP_GETKEY_FAILED: + ret = GNUTLS_A_CERTIFICATE_UNOBTAINABLE; + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_DH_PRIME_UNACCEPTABLE: + ret = GNUTLS_A_INSUFFICIENT_SECURITY; + _level = GNUTLS_AL_FATAL; + break; + } - return ret; + if (level != NULL) + *level = _level; + + return ret; } - + /* Sends the appropriate alert, depending * on the error message. Deprecated. May be removed. */ @@ -251,16 +257,17 @@ int _level = -1; * been sent to the peer. * -*/ -int gnutls_alert_send_appropriate( gnutls_session session, int err) { -int alert; -int level; +int gnutls_alert_send_appropriate(gnutls_session session, int err) +{ + int alert; + int level; - alert = gnutls_error_to_alert( err, &level); - if (alert < 0) { - return alert; - } - - return gnutls_alert_send( session, level, alert); + alert = gnutls_error_to_alert(err, &level); + if (alert < 0) { + return alert; + } + + return gnutls_alert_send(session, level, alert); } /** @@ -273,6 +280,7 @@ int level; * The peer may send alerts if he thinks some things were not * right. Check gnutls.h for the available alert descriptions. **/ -gnutls_alert_description gnutls_alert_get( gnutls_session session) { - return session->internals.last_alert; +gnutls_alert_description gnutls_alert_get(gnutls_session session) +{ + return session->internals.last_alert; } diff --git a/lib/gnutls_alert.h b/lib/gnutls_alert.h index e877c9ab57..b042c5a85a 100644 --- a/lib/gnutls_alert.h +++ b/lib/gnutls_alert.h @@ -1,23 +1,27 @@ -typedef enum gnutls_alert_level { GNUTLS_AL_WARNING=1, GNUTLS_AL_FATAL +typedef enum gnutls_alert_level { GNUTLS_AL_WARNING = 1, GNUTLS_AL_FATAL } gnutls_alert_level; -typedef enum AlertDescription { - GNUTLS_A_CLOSE_NOTIFY, GNUTLS_A_UNEXPECTED_MESSAGE=10, - GNUTLS_A_BAD_RECORD_MAC=20, GNUTLS_A_DECRYPTION_FAILED, - GNUTLS_A_RECORD_OVERFLOW, GNUTLS_A_DECOMPRESSION_FAILURE=30, - GNUTLS_A_HANDSHAKE_FAILURE=40, GNUTLS_A_SSL3_NO_CERTIFICATE=41, - GNUTLS_A_BAD_CERTIFICATE=42, GNUTLS_A_UNSUPPORTED_CERTIFICATE, - GNUTLS_A_CERTIFICATE_REVOKED, GNUTLS_A_CERTIFICATE_EXPIRED, - GNUTLS_A_CERTIFICATE_UNKNOWN, GNUTLS_A_ILLEGAL_PARAMETER, - GNUTLS_A_UNKNOWN_CA, GNUTLS_A_ACCESS_DENIED, GNUTLS_A_DECODE_ERROR=50, - GNUTLS_A_DECRYPT_ERROR, GNUTLS_A_EXPORT_RESTRICTION=60, - GNUTLS_A_PROTOCOL_VERSION=70, GNUTLS_A_INSUFFICIENT_SECURITY, - GNUTLS_A_INTERNAL_ERROR=80, GNUTLS_A_USER_CANCELED=90, - GNUTLS_A_NO_RENEGOTIATION=100, GNUTLS_A_UNSUPPORTED_EXTENSION=110, - GNUTLS_A_CERTIFICATE_UNOBTAINABLE=111, GNUTLS_A_UNRECOGNIZED_NAME=112, - GNUTLS_A_UNKNOWN_SRP_USERNAME=120, GNUTLS_A_MISSING_SRP_USERNAME=121 +typedef enum AlertDescription { + GNUTLS_A_CLOSE_NOTIFY, GNUTLS_A_UNEXPECTED_MESSAGE = 10, + GNUTLS_A_BAD_RECORD_MAC = 20, GNUTLS_A_DECRYPTION_FAILED, + GNUTLS_A_RECORD_OVERFLOW, GNUTLS_A_DECOMPRESSION_FAILURE = 30, + GNUTLS_A_HANDSHAKE_FAILURE = 40, GNUTLS_A_SSL3_NO_CERTIFICATE = 41, + GNUTLS_A_BAD_CERTIFICATE = 42, GNUTLS_A_UNSUPPORTED_CERTIFICATE, + GNUTLS_A_CERTIFICATE_REVOKED, GNUTLS_A_CERTIFICATE_EXPIRED, + GNUTLS_A_CERTIFICATE_UNKNOWN, GNUTLS_A_ILLEGAL_PARAMETER, + GNUTLS_A_UNKNOWN_CA, GNUTLS_A_ACCESS_DENIED, GNUTLS_A_DECODE_ERROR = + 50, + GNUTLS_A_DECRYPT_ERROR, GNUTLS_A_EXPORT_RESTRICTION = 60, + GNUTLS_A_PROTOCOL_VERSION = 70, GNUTLS_A_INSUFFICIENT_SECURITY, + GNUTLS_A_INTERNAL_ERROR = 80, GNUTLS_A_USER_CANCELED = 90, + GNUTLS_A_NO_RENEGOTIATION = 100, GNUTLS_A_UNSUPPORTED_EXTENSION = 110, + GNUTLS_A_CERTIFICATE_UNOBTAINABLE = 111, GNUTLS_A_UNRECOGNIZED_NAME = + 112, + GNUTLS_A_UNKNOWN_SRP_USERNAME = 120, GNUTLS_A_MISSING_SRP_USERNAME = + 121 } gnutls_alert_description; -gnutls_alert_description gnutls_alert_get( gnutls_session session); -int gnutls_alert_send( gnutls_session session, gnutls_alert_level level, gnutls_alert_description desc); -const char* gnutls_alert_get_name( gnutls_alert_level alert); +gnutls_alert_description gnutls_alert_get(gnutls_session session); +int gnutls_alert_send(gnutls_session session, gnutls_alert_level level, + gnutls_alert_description desc); +const char *gnutls_alert_get_name(gnutls_alert_level alert); diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c index c79acf683c..d0d3d8384e 100644 --- a/lib/gnutls_algorithms.c +++ b/lib/gnutls_algorithms.c @@ -31,22 +31,22 @@ * more than one credentials type. */ typedef struct { - gnutls_kx_algorithm algorithm; - gnutls_credentials_type client_type; - gnutls_credentials_type server_type; /* The type of credentials a server - * needs to set */ + gnutls_kx_algorithm algorithm; + gnutls_credentials_type client_type; + gnutls_credentials_type server_type; /* The type of credentials a server + * needs to set */ } gnutls_cred_map; static const gnutls_cred_map cred_mappings[] = { - { GNUTLS_KX_ANON_DH, GNUTLS_CRD_ANON, GNUTLS_CRD_ANON }, - { GNUTLS_KX_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE }, - { GNUTLS_KX_RSA_EXPORT, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE }, - { GNUTLS_KX_DHE_DSS, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE }, - { GNUTLS_KX_DHE_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE }, - { GNUTLS_KX_SRP, GNUTLS_CRD_SRP, GNUTLS_CRD_SRP }, - { GNUTLS_KX_SRP_RSA, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE }, - { GNUTLS_KX_SRP_DSS, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE }, - { 0, 0, 0} + {GNUTLS_KX_ANON_DH, GNUTLS_CRD_ANON, GNUTLS_CRD_ANON}, + {GNUTLS_KX_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_RSA_EXPORT, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_DHE_DSS, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_DHE_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_SRP, GNUTLS_CRD_SRP, GNUTLS_CRD_SRP}, + {GNUTLS_KX_SRP_RSA, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE}, + {GNUTLS_KX_SRP_DSS, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE}, + {0, 0, 0} }; #define GNUTLS_KX_MAP_LOOP(b) \ @@ -61,15 +61,15 @@ static const gnutls_cred_map cred_mappings[] = { /* KX mappings to PK algorithms */ typedef struct { - gnutls_kx_algorithm kx_algorithm; - gnutls_pk_algorithm pk_algorithm; - enum encipher_type encipher_type; /* CIPHER_ENCRYPT if this algorithm is to be used - * for encryption, CIPHER_SIGN if signature only, - * CIPHER_IGN if this does not apply at all. - * - * This is useful to certificate cipher suites, which check - * against the certificate key usage bits. - */ + gnutls_kx_algorithm kx_algorithm; + gnutls_pk_algorithm pk_algorithm; + enum encipher_type encipher_type; /* CIPHER_ENCRYPT if this algorithm is to be used + * for encryption, CIPHER_SIGN if signature only, + * CIPHER_IGN if this does not apply at all. + * + * This is useful to certificate cipher suites, which check + * against the certificate key usage bits. + */ } gnutls_pk_map; /* This table maps the Key exchange algorithms to @@ -78,13 +78,13 @@ typedef struct { * use GNUTLS_KX_RSA or GNUTLS_KX_DHE_RSA. */ static const gnutls_pk_map pk_mappings[] = { - {GNUTLS_KX_RSA, GNUTLS_PK_RSA, CIPHER_ENCRYPT}, - {GNUTLS_KX_RSA_EXPORT, GNUTLS_PK_RSA, CIPHER_SIGN}, - {GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, - {GNUTLS_KX_SRP_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, - {GNUTLS_KX_DHE_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, - {GNUTLS_KX_SRP_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, - {0, 0, 0} + {GNUTLS_KX_RSA, GNUTLS_PK_RSA, CIPHER_ENCRYPT}, + {GNUTLS_KX_RSA_EXPORT, GNUTLS_PK_RSA, CIPHER_SIGN}, + {GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, + {GNUTLS_KX_SRP_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, + {GNUTLS_KX_DHE_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, + {GNUTLS_KX_SRP_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, + {0, 0, 0} }; #define GNUTLS_PK_MAP_LOOP(b) \ @@ -99,18 +99,18 @@ static const gnutls_pk_map pk_mappings[] = { /* TLS Versions */ typedef struct { - const char *name; - gnutls_protocol_version id; /* gnutls internal version number */ - int major; /* defined by the protocol */ - int minor; /* defined by the protocol */ - int supported; /* 0 not supported, > 0 is supported */ + const char *name; + gnutls_protocol_version id; /* gnutls internal version number */ + int major; /* defined by the protocol */ + int minor; /* defined by the protocol */ + int supported; /* 0 not supported, > 0 is supported */ } gnutls_version_entry; static const gnutls_version_entry sup_versions[] = { - {"SSL 3.0", GNUTLS_SSL3, 3, 0, 1}, - {"TLS 1.0", GNUTLS_TLS1, 3, 1, 1}, - {"TLS 1.1", GNUTLS_TLS1_1, 3, 2, 1}, - {0, 0, 0, 0, 0} + {"SSL 3.0", GNUTLS_SSL3, 3, 0, 1}, + {"TLS 1.0", GNUTLS_TLS1, 3, 1, 1}, + {"TLS 1.1", GNUTLS_TLS1_1, 3, 2, 1}, + {0, 0, 0, 0, 0} }; #define GNUTLS_VERSION_LOOP(b) \ @@ -122,13 +122,13 @@ static const gnutls_version_entry sup_versions[] = { struct gnutls_cipher_entry { - const char *name; - gnutls_cipher_algorithm id; - uint16 blocksize; - uint16 keysize; - cipher_type_t block; - uint16 iv; - int export_flag; /* 0 non export */ + const char *name; + gnutls_cipher_algorithm id; + uint16 blocksize; + uint16 keysize; + cipher_type_t block; + uint16 iv; + int export_flag; /* 0 non export */ }; typedef struct gnutls_cipher_entry gnutls_cipher_entry; @@ -138,15 +138,17 @@ typedef struct gnutls_cipher_entry gnutls_cipher_entry; * protecting communications" by Hugo Krawczyk - CRYPTO 2001 */ static const gnutls_cipher_entry algorithms[] = { - {"3DES 168 CBC", GNUTLS_CIPHER_3DES_CBC, 8, 24, CIPHER_BLOCK, 8, 0 }, - {"AES 128 CBC", GNUTLS_CIPHER_AES_128_CBC, 16, 16, CIPHER_BLOCK, 16, 0 }, - {"AES 256 CBC", GNUTLS_CIPHER_AES_256_CBC, 16, 32, CIPHER_BLOCK, 16, 0 }, - {"ARCFOUR 128", GNUTLS_CIPHER_ARCFOUR_128, 1, 16, CIPHER_STREAM, 0, 0 }, - {"ARCFOUR 40", GNUTLS_CIPHER_ARCFOUR_40, 1, 5, CIPHER_STREAM, 0, 1 }, - {"RC2 40", GNUTLS_CIPHER_RC2_40_CBC, 8, 5, CIPHER_BLOCK, 8, 1 }, - {"DES CBC", GNUTLS_CIPHER_DES_CBC, 8, 8, CIPHER_BLOCK, 8, 0 }, - {"NULL", GNUTLS_CIPHER_NULL, 1, 0, CIPHER_STREAM, 0, 0 }, - {0, 0, 0, 0, 0, 0, 0} + {"3DES 168 CBC", GNUTLS_CIPHER_3DES_CBC, 8, 24, CIPHER_BLOCK, 8, 0}, + {"AES 128 CBC", GNUTLS_CIPHER_AES_128_CBC, 16, 16, CIPHER_BLOCK, 16, + 0}, + {"AES 256 CBC", GNUTLS_CIPHER_AES_256_CBC, 16, 32, CIPHER_BLOCK, 16, + 0}, + {"ARCFOUR 128", GNUTLS_CIPHER_ARCFOUR_128, 1, 16, CIPHER_STREAM, 0, 0}, + {"ARCFOUR 40", GNUTLS_CIPHER_ARCFOUR_40, 1, 5, CIPHER_STREAM, 0, 1}, + {"RC2 40", GNUTLS_CIPHER_RC2_40_CBC, 8, 5, CIPHER_BLOCK, 8, 1}, + {"DES CBC", GNUTLS_CIPHER_DES_CBC, 8, 8, CIPHER_BLOCK, 8, 0}, + {"NULL", GNUTLS_CIPHER_NULL, 1, 0, CIPHER_STREAM, 0, 0}, + {0, 0, 0, 0, 0, 0, 0} }; #define GNUTLS_LOOP(b) \ @@ -158,17 +160,17 @@ static const gnutls_cipher_entry algorithms[] = { struct gnutls_hash_entry { - const char *name; - gnutls_mac_algorithm id; + const char *name; + gnutls_mac_algorithm id; }; typedef struct gnutls_hash_entry gnutls_hash_entry; static const gnutls_hash_entry hash_algorithms[] = { - {"SHA", GNUTLS_MAC_SHA}, - {"MD5", GNUTLS_MAC_MD5}, - {"RIPEMD160", GNUTLS_MAC_RMD160}, - {"NULL", GNUTLS_MAC_NULL}, - {0, 0} + {"SHA", GNUTLS_MAC_SHA}, + {"MD5", GNUTLS_MAC_MD5}, + {"RIPEMD160", GNUTLS_MAC_RMD160}, + {"NULL", GNUTLS_MAC_NULL}, + {0, 0} }; #define GNUTLS_HASH_LOOP(b) \ @@ -189,14 +191,13 @@ const int _gnutls_comp_algorithms_size = MAX_COMP_METHODS; /* the compression entry is defined in gnutls_algorithms.h */ -gnutls_compression_entry _gnutls_compression_algorithms[MAX_COMP_METHODS] = -{ - GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_NULL, 0x00, 0, 0, 0), +gnutls_compression_entry _gnutls_compression_algorithms[MAX_COMP_METHODS] = { + GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_NULL, 0x00, 0, 0, 0), #ifdef HAVE_LIBZ - /* draft-ietf-tls-compression-02 */ - GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_DEFLATE, 0x01, 15, 8, 3), + /* draft-ietf-tls-compression-02 */ + GNUTLS_COMPRESSION_ENTRY(GNUTLS_COMP_DEFLATE, 0x01, 15, 8, 3), #endif - {0, 0, 0, 0, 0, 0} + {0, 0, 0, 0, 0, 0} }; #define GNUTLS_COMPRESSION_LOOP(b) \ @@ -223,16 +224,16 @@ const int _gnutls_kx_algorithms_size = MAX_KX_ALGOS; gnutls_kx_algo_entry _gnutls_kx_algorithms[MAX_KX_ALGOS] = { #ifdef ENABLE_ANON - { "Anon DH", GNUTLS_KX_ANON_DH, &anon_auth_struct, 1, 0 }, + {"Anon DH", GNUTLS_KX_ANON_DH, &anon_auth_struct, 1, 0}, #endif - { "RSA", GNUTLS_KX_RSA, &rsa_auth_struct, 0, 0 }, - { "RSA EXPORT", GNUTLS_KX_RSA_EXPORT, &rsa_export_auth_struct, 0, 1 }, - { "DHE RSA", GNUTLS_KX_DHE_RSA, &dhe_rsa_auth_struct, 1, 0 }, - { "DHE DSS", GNUTLS_KX_DHE_DSS, &dhe_dss_auth_struct, 1, 0 }, - /* other algorithms are appended here by gnutls-extra - * initialization function. - */ - {0, 0, 0, 0, 0} + {"RSA", GNUTLS_KX_RSA, &rsa_auth_struct, 0, 0}, + {"RSA EXPORT", GNUTLS_KX_RSA_EXPORT, &rsa_export_auth_struct, 0, 1}, + {"DHE RSA", GNUTLS_KX_DHE_RSA, &dhe_rsa_auth_struct, 1, 0}, + {"DHE DSS", GNUTLS_KX_DHE_DSS, &dhe_dss_auth_struct, 1, 0}, + /* other algorithms are appended here by gnutls-extra + * initialization function. + */ + {0, 0, 0, 0, 0} }; #define GNUTLS_KX_LOOP(b) \ @@ -249,14 +250,14 @@ gnutls_kx_algo_entry _gnutls_kx_algorithms[MAX_KX_ALGOS] = { { #name, {name}, block_algorithm, kx_algorithm, mac_algorithm, version } typedef struct { - const char *name; - cipher_suite_st id; - gnutls_cipher_algorithm block_algorithm; - gnutls_kx_algorithm kx_algorithm; - gnutls_mac_algorithm mac_algorithm; - gnutls_protocol_version version; /* this cipher suite is supported - * from 'version' and above; - */ + const char *name; + cipher_suite_st id; + gnutls_cipher_algorithm block_algorithm; + gnutls_kx_algorithm kx_algorithm; + gnutls_mac_algorithm mac_algorithm; + gnutls_protocol_version version; /* this cipher suite is supported + * from 'version' and above; + */ } gnutls_cipher_suite_entry; /** RSA with NULL cipher and MD5 MAC @@ -345,129 +346,132 @@ typedef struct { #define CIPHER_SUITES_COUNT sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry)-1 static const gnutls_cipher_suite_entry cs_algorithms[] = { - /* ANON_DH */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_ARCFOUR_MD5, - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_KX_ANON_DH, GNUTLS_MAC_MD5, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - /* SRP */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_DSS, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_RSA, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_DSS, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_RSA, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_DSS, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_RSA, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - - /* DHE_DSS */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_ARCFOUR_SHA, - GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_RMD, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_RMD, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_RMD, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - /* DHE_RSA */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_RMD, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_RMD, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_RMD, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - /* RSA */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_NULL_MD5, - GNUTLS_CIPHER_NULL, - GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_EXPORT_ARCFOUR_40_MD5, - GNUTLS_CIPHER_ARCFOUR_40, - GNUTLS_KX_RSA_EXPORT, GNUTLS_MAC_MD5, GNUTLS_SSL3), - - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_ARCFOUR_SHA, - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_KX_RSA, GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_ARCFOUR_MD5, - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, - GNUTLS_KX_RSA, GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_128_CBC_SHA, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_256_CBC_SHA, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA, GNUTLS_SSL3), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_3DES_EDE_CBC_RMD, - GNUTLS_CIPHER_3DES_CBC, - GNUTLS_KX_RSA, GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_128_CBC_RMD, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_256_CBC_RMD, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_RMD160, GNUTLS_TLS1), - {0, {{0,0}}, 0, 0, 0, 0} + /* ANON_DH */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_ARCFOUR_MD5, + GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_KX_ANON_DH, GNUTLS_MAC_MD5, + GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + /* SRP */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_DSS, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_RSA, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_DSS, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_RSA, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_DSS, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_RSA, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + + /* DHE_DSS */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_ARCFOUR_SHA, + GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_RMD, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_RMD, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_RMD, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + /* DHE_RSA */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_RMD, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_RMD, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_RMD, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + /* RSA */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_NULL_MD5, + GNUTLS_CIPHER_NULL, + GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_EXPORT_ARCFOUR_40_MD5, + GNUTLS_CIPHER_ARCFOUR_40, + GNUTLS_KX_RSA_EXPORT, GNUTLS_MAC_MD5, + GNUTLS_SSL3), + + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_ARCFOUR_SHA, + GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_KX_RSA, GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_ARCFOUR_MD5, + GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_RSA, GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_128_CBC_SHA, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_256_CBC_SHA, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_SHA, GNUTLS_SSL3), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_3DES_EDE_CBC_RMD, + GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_RSA, GNUTLS_MAC_RMD160, + GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_128_CBC_RMD, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_256_CBC_RMD, + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_RMD160, GNUTLS_TLS1), + {0, {{0, 0}}, 0, 0, 0, 0} }; #define GNUTLS_CIPHER_SUITE_LOOP(b) \ @@ -481,18 +485,17 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = { /* Generic Functions */ -inline int _gnutls_mac_priority(gnutls_session session, gnutls_mac_algorithm algorithm) +inline int _gnutls_mac_priority(gnutls_session session, + gnutls_mac_algorithm algorithm) { /* actually returns the priority */ - unsigned int i; - for (i = 0; - i < session->internals.mac_algorithm_priority.algorithms; - i++) { - if (session->internals. - mac_algorithm_priority.priority[i] == - algorithm) - return i; - } - return -1; + unsigned int i; + for (i = 0; + i < session->internals.mac_algorithm_priority.algorithms; i++) { + if (session->internals. + mac_algorithm_priority.priority[i] == algorithm) + return i; + } + return -1; } /** @@ -502,26 +505,25 @@ inline int _gnutls_mac_priority(gnutls_session session, gnutls_mac_algorithm alg * Returns a string that contains the name * of the specified MAC algorithm or NULL. **/ -const char *gnutls_mac_get_name( gnutls_mac_algorithm algorithm) +const char *gnutls_mac_get_name(gnutls_mac_algorithm algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_HASH_ALG_LOOP(ret = - p->name); + /* avoid prefix */ + GNUTLS_HASH_ALG_LOOP(ret = p->name); - return ret; + return ret; } int _gnutls_mac_is_ok(gnutls_mac_algorithm algorithm) { - ssize_t ret = -1; - GNUTLS_HASH_ALG_LOOP(ret = p->id); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; + ssize_t ret = -1; + GNUTLS_HASH_ALG_LOOP(ret = p->id); + if (ret >= 0) + ret = 0; + else + ret = 1; + return ret; } /* Compression Functions */ @@ -529,17 +531,15 @@ inline int _gnutls_compression_priority(gnutls_session session, gnutls_compression_method algorithm) { /* actually returns the priority */ - unsigned int i; - for (i = 0; - i < - session->internals.compression_method_priority.algorithms; - i++) { - if (session->internals. - compression_method_priority.priority[i] == - algorithm) - return i; - } - return -1; + unsigned int i; + for (i = 0; + i < + session->internals.compression_method_priority.algorithms; i++) { + if (session->internals. + compression_method_priority.priority[i] == algorithm) + return i; + } + return -1; } /** @@ -549,51 +549,51 @@ inline * Returns a pointer to a string that contains the name * of the specified compression algorithm or NULL. **/ -const char *gnutls_compression_get_name( gnutls_compression_method algorithm) +const char *gnutls_compression_get_name(gnutls_compression_method + algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = - p->name + sizeof("GNUTLS_COMP_") - - 1); + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP(ret = + p->name + sizeof("GNUTLS_COMP_") - 1); - return ret; + return ret; } /* return the tls number of the specified algorithm */ int _gnutls_compression_get_num(gnutls_compression_method algorithm) { - int ret = -1; + int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->num); + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP(ret = p->num); - return ret; + return ret; } int _gnutls_compression_get_wbits(gnutls_compression_method algorithm) { - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->window_bits); - return ret; + int ret = -1; + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP(ret = p->window_bits); + return ret; } int _gnutls_compression_get_mem_level(gnutls_compression_method algorithm) { - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->mem_level); - return ret; + int ret = -1; + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP(ret = p->mem_level); + return ret; } int _gnutls_compression_get_comp_level(gnutls_compression_method algorithm) { - int ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->comp_level); - return ret; + int ret = -1; + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP(ret = p->comp_level); + return ret; } /* returns the gnutls internal ID of the TLS compression @@ -601,23 +601,23 @@ int _gnutls_compression_get_comp_level(gnutls_compression_method algorithm) */ gnutls_compression_method _gnutls_compression_get_id(int num) { - gnutls_compression_method ret = -1; + gnutls_compression_method ret = -1; - /* avoid prefix */ - GNUTLS_COMPRESSION_ALG_LOOP_NUM(ret = p->id); + /* avoid prefix */ + GNUTLS_COMPRESSION_ALG_LOOP_NUM(ret = p->id); - return ret; + return ret; } int _gnutls_compression_is_ok(gnutls_compression_method algorithm) { - ssize_t ret = -1; - GNUTLS_COMPRESSION_ALG_LOOP(ret = p->id); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; + ssize_t ret = -1; + GNUTLS_COMPRESSION_ALG_LOOP(ret = p->id); + if (ret >= 0) + ret = 0; + else + ret = 1; + return ret; } @@ -625,37 +625,36 @@ int _gnutls_compression_is_ok(gnutls_compression_method algorithm) /* CIPHER functions */ int _gnutls_cipher_get_block_size(gnutls_cipher_algorithm algorithm) { - size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->blocksize); - return ret; + size_t ret = 0; + GNUTLS_ALG_LOOP(ret = p->blocksize); + return ret; } /* returns the priority */ inline int -_gnutls_cipher_priority(gnutls_session session, gnutls_cipher_algorithm algorithm) +_gnutls_cipher_priority(gnutls_session session, + gnutls_cipher_algorithm algorithm) { - unsigned int i; - for (i = 0; - i < - session->internals. - cipher_algorithm_priority.algorithms; i++) { - if (session->internals. - cipher_algorithm_priority.priority[i] == - algorithm) - return i; - } - return -1; + unsigned int i; + for (i = 0; + i < + session->internals.cipher_algorithm_priority.algorithms; i++) { + if (session->internals. + cipher_algorithm_priority.priority[i] == algorithm) + return i; + } + return -1; } int _gnutls_cipher_is_block(gnutls_cipher_algorithm algorithm) { - size_t ret = 0; + size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->block); - return ret; + GNUTLS_ALG_LOOP(ret = p->block); + return ret; } @@ -667,27 +666,27 @@ int _gnutls_cipher_is_block(gnutls_cipher_algorithm algorithm) * Returns 0 if the given cipher is invalid. * **/ -size_t gnutls_cipher_get_key_size( gnutls_cipher_algorithm algorithm) +size_t gnutls_cipher_get_key_size(gnutls_cipher_algorithm algorithm) { /* In bytes */ - size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->keysize); - return ret; + size_t ret = 0; + GNUTLS_ALG_LOOP(ret = p->keysize); + return ret; } int _gnutls_cipher_get_iv_size(gnutls_cipher_algorithm algorithm) { /* In bytes */ - size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->iv); - return ret; + size_t ret = 0; + GNUTLS_ALG_LOOP(ret = p->iv); + return ret; } int _gnutls_cipher_get_export_flag(gnutls_cipher_algorithm algorithm) { /* In bytes */ - size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->export_flag); - return ret; + size_t ret = 0; + GNUTLS_ALG_LOOP(ret = p->export_flag); + return ret; } @@ -698,49 +697,49 @@ int _gnutls_cipher_get_export_flag(gnutls_cipher_algorithm algorithm) * Returns a pointer to a string that contains the name * of the specified cipher or NULL. **/ -const char *gnutls_cipher_get_name( gnutls_cipher_algorithm algorithm) +const char *gnutls_cipher_get_name(gnutls_cipher_algorithm algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_ALG_LOOP(ret = p->name); + /* avoid prefix */ + GNUTLS_ALG_LOOP(ret = p->name); - return ret; + return ret; } int _gnutls_cipher_is_ok(gnutls_cipher_algorithm algorithm) { - ssize_t ret = -1; - GNUTLS_ALG_LOOP(ret = p->id); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; + ssize_t ret = -1; + GNUTLS_ALG_LOOP(ret = p->id); + if (ret >= 0) + ret = 0; + else + ret = 1; + return ret; } /* Key EXCHANGE functions */ mod_auth_st *_gnutls_kx_auth_struct(gnutls_kx_algorithm algorithm) { - mod_auth_st *ret = NULL; - GNUTLS_KX_ALG_LOOP(ret = p->auth_struct); - return ret; + mod_auth_st *ret = NULL; + GNUTLS_KX_ALG_LOOP(ret = p->auth_struct); + return ret; } -inline int _gnutls_kx_priority(gnutls_session session, gnutls_kx_algorithm algorithm) +inline int _gnutls_kx_priority(gnutls_session session, + gnutls_kx_algorithm algorithm) { - unsigned int i; - for (i = 0; - i < session->internals.kx_algorithm_priority.algorithms; - i++) { - if (session->internals. - kx_algorithm_priority.priority[i] == algorithm) - return i; - } - return -1; + unsigned int i; + for (i = 0; + i < session->internals.kx_algorithm_priority.algorithms; i++) { + if (session->internals. + kx_algorithm_priority.priority[i] == algorithm) + return i; + } + return -1; } /** @@ -750,97 +749,96 @@ inline int _gnutls_kx_priority(gnutls_session session, gnutls_kx_algorithm algor * Returns a pointer to a string that contains the name * of the specified key exchange algorithm or NULL. **/ -const char *gnutls_kx_get_name( gnutls_kx_algorithm algorithm) +const char *gnutls_kx_get_name(gnutls_kx_algorithm algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_KX_ALG_LOOP(ret = p->name); + /* avoid prefix */ + GNUTLS_KX_ALG_LOOP(ret = p->name); - return ret; + return ret; } int _gnutls_kx_is_ok(gnutls_kx_algorithm algorithm) { - ssize_t ret = -1; - GNUTLS_KX_ALG_LOOP(ret = p->algorithm); - if (ret >= 0) - ret = 0; - else - ret = 1; - return ret; + ssize_t ret = -1; + GNUTLS_KX_ALG_LOOP(ret = p->algorithm); + if (ret >= 0) + ret = 0; + else + ret = 1; + return ret; } int _gnutls_kx_needs_rsa_params(gnutls_kx_algorithm algorithm) { - ssize_t ret = 0; - GNUTLS_KX_ALG_LOOP(ret = p->needs_rsa_params); - return ret; + ssize_t ret = 0; + GNUTLS_KX_ALG_LOOP(ret = p->needs_rsa_params); + return ret; } int _gnutls_kx_needs_dh_params(gnutls_kx_algorithm algorithm) { - ssize_t ret = 0; - GNUTLS_KX_ALG_LOOP(ret = p->needs_dh_params); - return ret; + ssize_t ret = 0; + GNUTLS_KX_ALG_LOOP(ret = p->needs_dh_params); + return ret; } /* Version */ int _gnutls_version_priority(gnutls_session session, - gnutls_protocol_version version) + gnutls_protocol_version version) { /* actually returns the priority */ - unsigned int i; + unsigned int i; - if (session->internals.protocol_priority.priority==NULL) { - gnutls_assert(); - return -1; - } - - for (i = 0; - i < - session->internals.protocol_priority.algorithms; - i++) { - if (session->internals. - protocol_priority.priority[i] == - version) - return i; - } + if (session->internals.protocol_priority.priority == NULL) { + gnutls_assert(); return -1; + } + + for (i = 0; i < session->internals.protocol_priority.algorithms; i++) { + if (session->internals.protocol_priority.priority[i] == version) + return i; + } + return -1; } gnutls_protocol_version _gnutls_version_lowest(gnutls_session session) { /* returns the lowest version supported */ - unsigned int i, min = 0xff; - - if (session->internals.protocol_priority.priority==NULL) { - return GNUTLS_VERSION_UNKNOWN; - } else - for (i=0;i<session->internals.protocol_priority.algorithms;i++) { - if (session->internals.protocol_priority.priority[i] < min) - min = session->internals.protocol_priority.priority[i]; - } - - if (min==0xff) return GNUTLS_VERSION_UNKNOWN; /* unknown version */ - - return min; + unsigned int i, min = 0xff; + + if (session->internals.protocol_priority.priority == NULL) { + return GNUTLS_VERSION_UNKNOWN; + } else + for (i = 0; i < session->internals.protocol_priority.algorithms; + i++) { + if (session->internals.protocol_priority.priority[i] < min) + min = session->internals.protocol_priority.priority[i]; + } + + if (min == 0xff) + return GNUTLS_VERSION_UNKNOWN; /* unknown version */ + + return min; } gnutls_protocol_version _gnutls_version_max(gnutls_session session) { /* returns the maximum version supported */ - unsigned int i, max=0x00; - - if (session->internals.protocol_priority.priority==NULL) { - return GNUTLS_VERSION_UNKNOWN; - } else - for (i=0;i<session->internals.protocol_priority.algorithms;i++) { - if (session->internals.protocol_priority.priority[i] > max) - max = session->internals.protocol_priority.priority[i]; - } - - if (max==0x00) return GNUTLS_VERSION_UNKNOWN; /* unknown version */ - - return max; + unsigned int i, max = 0x00; + + if (session->internals.protocol_priority.priority == NULL) { + return GNUTLS_VERSION_UNKNOWN; + } else + for (i = 0; i < session->internals.protocol_priority.algorithms; + i++) { + if (session->internals.protocol_priority.priority[i] > max) + max = session->internals.protocol_priority.priority[i]; + } + + if (max == 0x00) + return GNUTLS_VERSION_UNKNOWN; /* unknown version */ + + return max; } @@ -851,39 +849,38 @@ gnutls_protocol_version _gnutls_version_max(gnutls_session session) * Returns a string that contains the name * of the specified TLS version or NULL. **/ -const char *gnutls_protocol_get_name( gnutls_protocol_version version) +const char *gnutls_protocol_get_name(gnutls_protocol_version version) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_VERSION_ALG_LOOP(ret = - p->name); - return ret; + /* avoid prefix */ + GNUTLS_VERSION_ALG_LOOP(ret = p->name); + return ret; } int _gnutls_version_get_minor(gnutls_protocol_version version) { - int ret = -1; + int ret = -1; - GNUTLS_VERSION_ALG_LOOP(ret = p->minor); - return ret; + GNUTLS_VERSION_ALG_LOOP(ret = p->minor); + return ret; } gnutls_protocol_version _gnutls_version_get(int major, int minor) { - int ret = -1; + int ret = -1; - GNUTLS_VERSION_LOOP(if ((p->major == major) && (p->minor == minor)) - ret = p->id); - return ret; + GNUTLS_VERSION_LOOP(if ((p->major == major) && (p->minor == minor)) + ret = p->id); + return ret; } int _gnutls_version_get_major(gnutls_protocol_version version) { - int ret = -1; + int ret = -1; - GNUTLS_VERSION_ALG_LOOP(ret = p->major); - return ret; + GNUTLS_VERSION_ALG_LOOP(ret = p->major); + return ret; } /* Version Functions */ @@ -892,89 +889,92 @@ int _gnutls_version_is_supported(gnutls_session session, const gnutls_protocol_version version) { -int ret=0; + int ret = 0; - GNUTLS_VERSION_ALG_LOOP(ret = p->supported); - if (ret == 0) return 0; + GNUTLS_VERSION_ALG_LOOP(ret = p->supported); + if (ret == 0) + return 0; - if (_gnutls_version_priority( session, version) < 0) - return 0; /* disabled by the user */ - else - return 1; + if (_gnutls_version_priority(session, version) < 0) + return 0; /* disabled by the user */ + else + return 1; } /* Type to KX mappings */ -gnutls_kx_algorithm _gnutls_map_kx_get_kx(gnutls_credentials_type type, int server) +gnutls_kx_algorithm _gnutls_map_kx_get_kx(gnutls_credentials_type type, + int server) { - gnutls_kx_algorithm ret = -1; - - if (server) { - GNUTLS_KX_MAP_ALG_LOOP_SERVER(ret = p->algorithm); - } else { - GNUTLS_KX_MAP_ALG_LOOP_SERVER(ret = p->algorithm); - } - return ret; + gnutls_kx_algorithm ret = -1; + + if (server) { + GNUTLS_KX_MAP_ALG_LOOP_SERVER(ret = p->algorithm); + } else { + GNUTLS_KX_MAP_ALG_LOOP_SERVER(ret = p->algorithm); + } + return ret; } -gnutls_credentials_type _gnutls_map_kx_get_cred(gnutls_kx_algorithm algorithm, int server) +gnutls_credentials_type _gnutls_map_kx_get_cred(gnutls_kx_algorithm + algorithm, int server) { - gnutls_credentials_type ret = -1; - if (server) { - GNUTLS_KX_MAP_LOOP(if (p->algorithm==algorithm) ret = p->server_type); - } else { - GNUTLS_KX_MAP_LOOP(if (p->algorithm==algorithm) ret = p->client_type); - } - - return ret; + gnutls_credentials_type ret = -1; + if (server) { + GNUTLS_KX_MAP_LOOP(if (p->algorithm == algorithm) ret = + p->server_type); + } else { + GNUTLS_KX_MAP_LOOP(if (p->algorithm == algorithm) ret = + p->client_type); + } + + return ret; } /* Cipher Suite's functions */ gnutls_cipher_algorithm -_gnutls_cipher_suite_get_cipher_algo(const cipher_suite_st* suite) +_gnutls_cipher_suite_get_cipher_algo(const cipher_suite_st * suite) { - int ret = 0; - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->block_algorithm); - return ret; + int ret = 0; + GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->block_algorithm); + return ret; } gnutls_protocol_version -_gnutls_cipher_suite_get_version(const cipher_suite_st* suite) +_gnutls_cipher_suite_get_version(const cipher_suite_st * suite) { - int ret = 0; - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->version); - return ret; + int ret = 0; + GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->version); + return ret; } -gnutls_kx_algorithm _gnutls_cipher_suite_get_kx_algo(const cipher_suite_st* - suite) +gnutls_kx_algorithm _gnutls_cipher_suite_get_kx_algo(const cipher_suite_st + * suite) { - int ret = 0; + int ret = 0; - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->kx_algorithm); - return ret; + GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->kx_algorithm); + return ret; } gnutls_mac_algorithm -_gnutls_cipher_suite_get_mac_algo(const cipher_suite_st *suite) +_gnutls_cipher_suite_get_mac_algo(const cipher_suite_st * suite) { /* In bytes */ - int ret = 0; - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->mac_algorithm); - return ret; + int ret = 0; + GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->mac_algorithm); + return ret; } -const char *_gnutls_cipher_suite_get_name(cipher_suite_st* suite) +const char *_gnutls_cipher_suite_get_name(cipher_suite_st * suite) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = - p->name + sizeof("GNUTLS_") - - 1); + /* avoid prefix */ + GNUTLS_CIPHER_SUITE_ALG_LOOP(ret = p->name + sizeof("GNUTLS_") - 1); - return ret; + return ret; } /** @@ -991,32 +991,33 @@ const char *_gnutls_cipher_suite_get_name(cipher_suite_st* suite) * **/ const char *gnutls_cipher_suite_get_name(gnutls_kx_algorithm kx_algorithm, - gnutls_cipher_algorithm cipher_algorithm, gnutls_mac_algorithm mac_algorithm) + gnutls_cipher_algorithm + cipher_algorithm, + gnutls_mac_algorithm + mac_algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_CIPHER_SUITE_LOOP( - if (kx_algorithm == p->kx_algorithm && - cipher_algorithm == p->block_algorithm && - mac_algorithm == p->mac_algorithm) - ret = p->name + sizeof("GNUTLS_") - 1); + /* avoid prefix */ + GNUTLS_CIPHER_SUITE_LOOP(if (kx_algorithm == p->kx_algorithm && + cipher_algorithm == p->block_algorithm && + mac_algorithm == p->mac_algorithm) + ret = p->name + sizeof("GNUTLS_") - 1); - return ret; + return ret; } -inline -static int _gnutls_cipher_suite_is_ok(cipher_suite_st *suite) +inline static int _gnutls_cipher_suite_is_ok(cipher_suite_st * suite) { - size_t ret; - const char *name = NULL; - - GNUTLS_CIPHER_SUITE_ALG_LOOP(name = p->name); - if (name != NULL) - ret = 0; - else - ret = 1; - return ret; + size_t ret; + const char *name = NULL; + + GNUTLS_CIPHER_SUITE_ALG_LOOP(name = p->name); + if (name != NULL) + ret = 0; + else + ret = 1; + return ret; } @@ -1028,67 +1029,69 @@ static int _gnutls_cipher_suite_is_ok(cipher_suite_st *suite) inline static int _gnutls_partition(gnutls_session session, void *_base, size_t nmemb, size_t size, - int (*compar) (gnutls_session, const void *, + int (*compar) (gnutls_session, + const void *, const void *)) { - uint8 *base = _base; - uint8 tmp[MAX_ELEM_SIZE]; - uint8 ptmp[MAX_ELEM_SIZE]; - unsigned int pivot; - unsigned int i, j; - unsigned int full; - - i = pivot = 0; - j = full = (nmemb - 1) * size; - - memcpy(ptmp, &base[0], size); /* set pivot item */ - - while (i < j) { - while ((compar(session, &base[i], ptmp) <= 0) && (i < full)) { - i += size; - } - while ((compar(session, &base[j], ptmp) >= 0) && (j > 0)) - j -= size; - - if (i < j) { - SWAP(&base[j], &base[i]); - } + uint8 *base = _base; + uint8 tmp[MAX_ELEM_SIZE]; + uint8 ptmp[MAX_ELEM_SIZE]; + unsigned int pivot; + unsigned int i, j; + unsigned int full; + + i = pivot = 0; + j = full = (nmemb - 1) * size; + + memcpy(ptmp, &base[0], size); /* set pivot item */ + + while (i < j) { + while ((compar(session, &base[i], ptmp) <= 0) && (i < full)) { + i += size; } + while ((compar(session, &base[j], ptmp) >= 0) && (j > 0)) + j -= size; - if (j > pivot) { - SWAP(&base[pivot], &base[j]); - pivot = j; - } else if (i < pivot) { - SWAP(&base[pivot], &base[i]); - pivot = i; + if (i < j) { + SWAP(&base[j], &base[i]); } - return pivot / size; + } + + if (j > pivot) { + SWAP(&base[pivot], &base[j]); + pivot = j; + } else if (i < pivot) { + SWAP(&base[pivot], &base[i]); + pivot = i; + } + return pivot / size; } static void -_gnutls_qsort(gnutls_session session, void *_base, size_t nmemb, size_t size, - int (*compar) (gnutls_session, const void *, const void *)) +_gnutls_qsort(gnutls_session session, void *_base, size_t nmemb, + size_t size, int (*compar) (gnutls_session, const void *, + const void *)) { - unsigned int pivot; - char *base = _base; - size_t snmemb = nmemb; + unsigned int pivot; + char *base = _base; + size_t snmemb = nmemb; #ifdef DEBUG - if (size > MAX_ELEM_SIZE) { - gnutls_assert(); - _gnutls_debug_log( "QSORT BUG\n"); - exit(1); - } + if (size > MAX_ELEM_SIZE) { + gnutls_assert(); + _gnutls_debug_log("QSORT BUG\n"); + exit(1); + } #endif - if (snmemb <= 1) - return; - pivot = _gnutls_partition(session, _base, nmemb, size, compar); + if (snmemb <= 1) + return; + pivot = _gnutls_partition(session, _base, nmemb, size, compar); - _gnutls_qsort(session, base, pivot < nmemb ? pivot + 1 : pivot, size, - compar); - _gnutls_qsort(session, &base[(pivot + 1) * size], nmemb - pivot - 1, - size, compar); + _gnutls_qsort(session, base, pivot < nmemb ? pivot + 1 : pivot, size, + compar); + _gnutls_qsort(session, &base[(pivot + 1) * size], nmemb - pivot - 1, + size, compar); } @@ -1099,38 +1102,38 @@ static int _gnutls_compare_algo(gnutls_session session, const void *i_A1, const void *i_A2) { - gnutls_kx_algorithm kA1 = - _gnutls_cipher_suite_get_kx_algo((const cipher_suite_st *) i_A1); - gnutls_kx_algorithm kA2 = - _gnutls_cipher_suite_get_kx_algo((const cipher_suite_st *) i_A2); - gnutls_cipher_algorithm cA1 = - _gnutls_cipher_suite_get_cipher_algo((const cipher_suite_st *) - i_A1); - gnutls_cipher_algorithm cA2 = - _gnutls_cipher_suite_get_cipher_algo((const cipher_suite_st *) - i_A2); - gnutls_mac_algorithm mA1 = - _gnutls_cipher_suite_get_mac_algo((const cipher_suite_st *) - i_A1); - gnutls_mac_algorithm mA2 = - _gnutls_cipher_suite_get_mac_algo((const cipher_suite_st *) - i_A2); - - int p1 = (_gnutls_kx_priority(session, kA1) + 1) * 64; - int p2 = (_gnutls_kx_priority(session, kA2) + 1) * 64; - p1 += (_gnutls_cipher_priority(session, cA1) + 1) * 8; - p2 += (_gnutls_cipher_priority(session, cA2) + 1) * 8; - p1 += _gnutls_mac_priority(session, mA1); - p2 += _gnutls_mac_priority(session, mA2); - - if (p1 > p2) { - return 1; - } else { - if (p1 == p2) { - return 0; - } - return -1; + gnutls_kx_algorithm kA1 = + _gnutls_cipher_suite_get_kx_algo((const cipher_suite_st *) i_A1); + gnutls_kx_algorithm kA2 = + _gnutls_cipher_suite_get_kx_algo((const cipher_suite_st *) i_A2); + gnutls_cipher_algorithm cA1 = + _gnutls_cipher_suite_get_cipher_algo((const cipher_suite_st *) + i_A1); + gnutls_cipher_algorithm cA2 = + _gnutls_cipher_suite_get_cipher_algo((const cipher_suite_st *) + i_A2); + gnutls_mac_algorithm mA1 = + _gnutls_cipher_suite_get_mac_algo((const cipher_suite_st *) + i_A1); + gnutls_mac_algorithm mA2 = + _gnutls_cipher_suite_get_mac_algo((const cipher_suite_st *) + i_A2); + + int p1 = (_gnutls_kx_priority(session, kA1) + 1) * 64; + int p2 = (_gnutls_kx_priority(session, kA2) + 1) * 64; + p1 += (_gnutls_cipher_priority(session, cA1) + 1) * 8; + p2 += (_gnutls_cipher_priority(session, cA2) + 1) * 8; + p1 += _gnutls_mac_priority(session, mA1); + p2 += _gnutls_mac_priority(session, mA2); + + if (p1 > p2) { + return 1; + } else { + if (p1 == p2) { + return 0; } + return -1; + } } #ifdef SORT_DEBUG @@ -1139,18 +1142,18 @@ _gnutls_bsort(gnutls_session session, void *_base, size_t nmemb, size_t size, int (*compar) (gnutls_session, const void *, const void *)) { - unsigned int i, j; - int full = nmemb * size; - char *base = _base; - char tmp[MAX_ELEM_SIZE]; - - for (i = 0; i < full; i += size) { - for (j = 0; j < full; j += size) { - if (compar(session, &base[i], &base[j]) < 0) { - SWAP(&base[j], &base[i]); - } - } + unsigned int i, j; + int full = nmemb * size; + char *base = _base; + char tmp[MAX_ELEM_SIZE]; + + for (i = 0; i < full; i += size) { + for (j = 0; j < full; j += size) { + if (compar(session, &base[i], &base[j]) < 0) { + SWAP(&base[j], &base[i]); + } } + } } #endif @@ -1161,34 +1164,33 @@ _gnutls_supported_ciphersuites_sorted(gnutls_session session, { #ifdef SORT_DEBUG - unsigned int i; + unsigned int i; #endif - int count; - - count = _gnutls_supported_ciphersuites( session, ciphers); - if (count<=0) { - gnutls_assert(); - return count; - } + int count; + count = _gnutls_supported_ciphersuites(session, ciphers); + if (count <= 0) { + gnutls_assert(); + return count; + } #ifdef SORT_DEBUG - _gnutls_debug_log( "Unsorted: \n"); - for (i = 0; i < count; i++) - _gnutls_debug_log( "\t%d: %s\n", i, - _gnutls_cipher_suite_get_name((*ciphers)[i])); + _gnutls_debug_log("Unsorted: \n"); + for (i = 0; i < count; i++) + _gnutls_debug_log("\t%d: %s\n", i, + _gnutls_cipher_suite_get_name((*ciphers)[i])); #endif - _gnutls_qsort(session, *ciphers, count, - sizeof(cipher_suite_st), _gnutls_compare_algo); + _gnutls_qsort(session, *ciphers, count, + sizeof(cipher_suite_st), _gnutls_compare_algo); #ifdef SORT_DEBUG - _gnutls_debug_log( "Sorted: \n"); - for (i = 0; i < count; i++) - _gnutls_debug_log( "\t%d: %s\n", i, - _gnutls_cipher_suite_get_name((*ciphers)[i])); + _gnutls_debug_log("Sorted: \n"); + for (i = 0; i < count; i++) + _gnutls_debug_log("\t%d: %s\n", i, + _gnutls_cipher_suite_get_name((*ciphers)[i])); #endif - return count; + return count; } int @@ -1196,91 +1198,91 @@ _gnutls_supported_ciphersuites(gnutls_session session, cipher_suite_st ** _ciphers) { - unsigned int i, ret_count, j; - unsigned int count = CIPHER_SUITES_COUNT; - cipher_suite_st *tmp_ciphers; - cipher_suite_st* ciphers; - gnutls_protocol_version version; - - if (count == 0) { - return 0; - } + unsigned int i, ret_count, j; + unsigned int count = CIPHER_SUITES_COUNT; + cipher_suite_st *tmp_ciphers; + cipher_suite_st *ciphers; + gnutls_protocol_version version; - tmp_ciphers = gnutls_alloca(count * sizeof(cipher_suite_st)); - if ( tmp_ciphers==NULL) - return GNUTLS_E_MEMORY_ERROR; + if (count == 0) { + return 0; + } - ciphers = gnutls_malloc(count * sizeof(cipher_suite_st)); - if ( ciphers==NULL) { - gnutls_afree( tmp_ciphers); - return GNUTLS_E_MEMORY_ERROR; - } - - version = gnutls_protocol_get_version( session); + tmp_ciphers = gnutls_alloca(count * sizeof(cipher_suite_st)); + if (tmp_ciphers == NULL) + return GNUTLS_E_MEMORY_ERROR; - for (i = 0; i < count; i++) { - memcpy( &tmp_ciphers[i], &cs_algorithms[i].id, sizeof( cipher_suite_st)); - } + ciphers = gnutls_malloc(count * sizeof(cipher_suite_st)); + if (ciphers == NULL) { + gnutls_afree(tmp_ciphers); + return GNUTLS_E_MEMORY_ERROR; + } - for (i = j = 0; i < count; i++) { - /* remove private cipher suites, if requested. - */ - if ( tmp_ciphers[i].suite[0] == 0xFF && - session->internals.enable_private == 0) - continue; - - /* remove cipher suites which do not support the - * protocol version used. - */ - if ( _gnutls_cipher_suite_get_version(&tmp_ciphers[i]) > version) - continue; - - if (_gnutls_kx_priority - (session, - _gnutls_cipher_suite_get_kx_algo(&tmp_ciphers[i])) < 0) - continue; - if (_gnutls_mac_priority - (session, - _gnutls_cipher_suite_get_mac_algo(&tmp_ciphers[i])) < - 0) - continue; - if (_gnutls_cipher_priority - (session, - _gnutls_cipher_suite_get_cipher_algo(&tmp_ciphers[i])) - < 0) - continue; - - memcpy( &ciphers[j], &tmp_ciphers[i], sizeof( cipher_suite_st)); - j++; - } + version = gnutls_protocol_get_version(session); - ret_count = j; - -#if 0 /* expensive */ - if (ret_count > 0 && ret_count != count) { - ciphers = - gnutls_realloc_fast(ciphers, - ret_count * sizeof(cipher_suite_st)); - } else { - if (ret_count != count) { - gnutls_free(ciphers); - ciphers = NULL; - } - } -#endif + for (i = 0; i < count; i++) { + memcpy(&tmp_ciphers[i], &cs_algorithms[i].id, + sizeof(cipher_suite_st)); + } - gnutls_afree(tmp_ciphers); + for (i = j = 0; i < count; i++) { + /* remove private cipher suites, if requested. + */ + if (tmp_ciphers[i].suite[0] == 0xFF && + session->internals.enable_private == 0) + continue; - /* This function can no longer return 0 cipher suites. - * It returns an error code instead. + /* remove cipher suites which do not support the + * protocol version used. */ - if (ret_count == 0) { - gnutls_assert(); - gnutls_free(ciphers); - return GNUTLS_E_NO_CIPHER_SUITES; + if (_gnutls_cipher_suite_get_version(&tmp_ciphers[i]) > version) + continue; + + if (_gnutls_kx_priority + (session, + _gnutls_cipher_suite_get_kx_algo(&tmp_ciphers[i])) < 0) + continue; + if (_gnutls_mac_priority + (session, + _gnutls_cipher_suite_get_mac_algo(&tmp_ciphers[i])) < 0) + continue; + if (_gnutls_cipher_priority + (session, + _gnutls_cipher_suite_get_cipher_algo(&tmp_ciphers[i])) + < 0) + continue; + + memcpy(&ciphers[j], &tmp_ciphers[i], sizeof(cipher_suite_st)); + j++; + } + + ret_count = j; + +#if 0 /* expensive */ + if (ret_count > 0 && ret_count != count) { + ciphers = + gnutls_realloc_fast(ciphers, + ret_count * sizeof(cipher_suite_st)); + } else { + if (ret_count != count) { + gnutls_free(ciphers); + ciphers = NULL; } - *_ciphers = ciphers; - return ret_count; + } +#endif + + gnutls_afree(tmp_ciphers); + + /* This function can no longer return 0 cipher suites. + * It returns an error code instead. + */ + if (ret_count == 0) { + gnutls_assert(); + gnutls_free(ciphers); + return GNUTLS_E_NO_CIPHER_SUITES; + } + *_ciphers = ciphers; + return ret_count; } @@ -1292,37 +1294,39 @@ _gnutls_supported_ciphersuites(gnutls_session session, */ #define SUPPORTED_COMPRESSION_METHODS session->internals.compression_method_priority.algorithms int -_gnutls_supported_compression_methods(gnutls_session session, uint8 ** comp) +_gnutls_supported_compression_methods(gnutls_session session, + uint8 ** comp) { - unsigned int i, j; - - *comp = gnutls_malloc( sizeof(uint8) * SUPPORTED_COMPRESSION_METHODS); - if (*comp == NULL) - return GNUTLS_E_MEMORY_ERROR; - - for (i = j = 0; i < SUPPORTED_COMPRESSION_METHODS; i++) { - int tmp = _gnutls_compression_get_num(session->internals. - compression_method_priority. - priority[i]); - - /* remove private compression algorithms, if requested. - */ - if (tmp == -1 || (tmp >= MIN_PRIVATE_COMP_ALGO && - session->internals.enable_private == 0)) { - gnutls_assert(); - continue; - } - - (*comp)[j] = (uint8) tmp; - j++; - } + unsigned int i, j; + + *comp = gnutls_malloc(sizeof(uint8) * SUPPORTED_COMPRESSION_METHODS); + if (*comp == NULL) + return GNUTLS_E_MEMORY_ERROR; - if (j==0) { - gnutls_assert(); - gnutls_free( *comp); *comp = NULL; - return GNUTLS_E_NO_COMPRESSION_ALGORITHMS; + for (i = j = 0; i < SUPPORTED_COMPRESSION_METHODS; i++) { + int tmp = _gnutls_compression_get_num(session->internals. + compression_method_priority. + priority[i]); + + /* remove private compression algorithms, if requested. + */ + if (tmp == -1 || (tmp >= MIN_PRIVATE_COMP_ALGO && + session->internals.enable_private == 0)) { + gnutls_assert(); + continue; } - return j; + + (*comp)[j] = (uint8) tmp; + j++; + } + + if (j == 0) { + gnutls_assert(); + gnutls_free(*comp); + *comp = NULL; + return GNUTLS_E_NO_COMPRESSION_ALGORITHMS; + } + return j; } /** @@ -1332,14 +1336,16 @@ _gnutls_supported_compression_methods(gnutls_session session, uint8 ** comp) * Returns a string (or NULL) that contains the name * of the specified certificate type. **/ -const char *gnutls_certificate_type_get_name( gnutls_certificate_type type) +const char *gnutls_certificate_type_get_name(gnutls_certificate_type type) { - const char *ret = NULL; + const char *ret = NULL; - if (type==GNUTLS_CRT_X509) ret = "X.509"; - if (type==GNUTLS_CRT_OPENPGP) ret = "OPENPGP"; + if (type == GNUTLS_CRT_X509) + ret = "X.509"; + if (type == GNUTLS_CRT_OPENPGP) + ret = "OPENPGP"; - return ret; + return ret; } /* returns the gnutls_pk_algorithm which is compatible with @@ -1347,9 +1353,9 @@ const char *gnutls_certificate_type_get_name( gnutls_certificate_type type) */ gnutls_pk_algorithm _gnutls_map_pk_get_pk(gnutls_kx_algorithm kx_algorithm) { - gnutls_pk_algorithm ret = -1; + gnutls_pk_algorithm ret = -1; - GNUTLS_PK_MAP_ALG_LOOP(ret = p->pk_algorithm) + GNUTLS_PK_MAP_ALG_LOOP(ret = p->pk_algorithm) return ret; } @@ -1358,10 +1364,11 @@ gnutls_pk_algorithm _gnutls_map_pk_get_pk(gnutls_kx_algorithm kx_algorithm) * * ex. GNUTLS_KX_RSA requires a certificate able to encrypt... so returns CIPHER_ENCRYPT. */ -enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm kx_algorithm) +enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm + kx_algorithm) { - int ret = CIPHER_IGN; - GNUTLS_PK_MAP_ALG_LOOP(ret = p->encipher_type) + int ret = CIPHER_IGN; + GNUTLS_PK_MAP_ALG_LOOP(ret = p->encipher_type) return ret; } @@ -1369,17 +1376,17 @@ enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm kx_algorithm) /* signature algorithms; */ struct gnutls_sign_entry { - const char *name; - gnutls_sign_algorithm id; + const char *name; + gnutls_sign_algorithm id; }; typedef struct gnutls_sign_entry gnutls_sign_entry; static const gnutls_sign_entry sign_algorithms[] = { - {"RSA-SHA", GNUTLS_SIGN_RSA_SHA}, - {"DSA-SHA", GNUTLS_SIGN_DSA_SHA}, - {"RSA-MD5", GNUTLS_SIGN_RSA_MD5}, - {"RSA-MD2", GNUTLS_SIGN_RSA_MD2}, - {0, 0} + {"RSA-SHA", GNUTLS_SIGN_RSA_SHA}, + {"DSA-SHA", GNUTLS_SIGN_DSA_SHA}, + {"RSA-MD5", GNUTLS_SIGN_RSA_MD5}, + {"RSA-MD2", GNUTLS_SIGN_RSA_MD2}, + {0, 0} }; #define GNUTLS_SIGN_LOOP(b) \ @@ -1398,29 +1405,28 @@ static const gnutls_sign_entry sign_algorithms[] = { * Returns a string that contains the name * of the specified sign algorithm or NULL. **/ -const char *gnutls_sign_algorithm_get_name( gnutls_sign_algorithm algorithm) +const char *gnutls_sign_algorithm_get_name(gnutls_sign_algorithm algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_SIGN_ALG_LOOP(ret = - p->name); + /* avoid prefix */ + GNUTLS_SIGN_ALG_LOOP(ret = p->name); - return ret; + return ret; } /* pk algorithms; */ struct gnutls_pk_entry { - const char *name; - gnutls_pk_algorithm id; + const char *name; + gnutls_pk_algorithm id; }; typedef struct gnutls_pk_entry gnutls_pk_entry; static const gnutls_pk_entry pk_algorithms[] = { - {"RSA", GNUTLS_PK_RSA}, - {"DSA", GNUTLS_PK_DSA}, - {0, 0} + {"RSA", GNUTLS_PK_RSA}, + {"DSA", GNUTLS_PK_DSA}, + {0, 0} }; #define GNUTLS_PK_LOOP(b) \ @@ -1439,13 +1445,12 @@ static const gnutls_pk_entry pk_algorithms[] = { * Returns a string that contains the name * of the specified public key algorithm or NULL. **/ -const char *gnutls_pk_algorithm_get_name( gnutls_pk_algorithm algorithm) +const char *gnutls_pk_algorithm_get_name(gnutls_pk_algorithm algorithm) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_PK_ALG_LOOP(ret = - p->name); + /* avoid prefix */ + GNUTLS_PK_ALG_LOOP(ret = p->name); - return ret; + return ret; } diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h index 9962eb8a0d..b43398a10d 100644 --- a/lib/gnutls_algorithms.h +++ b/lib/gnutls_algorithms.h @@ -22,33 +22,48 @@ /* functions for version */ -gnutls_protocol_version _gnutls_version_lowest( gnutls_session session); -gnutls_protocol_version _gnutls_version_max( gnutls_session session); -int _gnutls_version_priority(gnutls_session session, gnutls_protocol_version version); -int _gnutls_version_is_supported(gnutls_session session, const gnutls_protocol_version version); -int _gnutls_version_get_major( gnutls_protocol_version ver); -int _gnutls_version_get_minor( gnutls_protocol_version ver); -gnutls_protocol_version _gnutls_version_get( int major, int minor); +gnutls_protocol_version _gnutls_version_lowest(gnutls_session session); +gnutls_protocol_version _gnutls_version_max(gnutls_session session); +int _gnutls_version_priority(gnutls_session session, + gnutls_protocol_version version); +int _gnutls_version_is_supported(gnutls_session session, + const gnutls_protocol_version version); +int _gnutls_version_get_major(gnutls_protocol_version ver); +int _gnutls_version_get_minor(gnutls_protocol_version ver); +gnutls_protocol_version _gnutls_version_get(int major, int minor); /* functions for macs */ -const char* gnutls_mac_get_name(gnutls_mac_algorithm algorithm); -int _gnutls_mac_is_ok(gnutls_mac_algorithm algorithm); -int _gnutls_mac_priority(gnutls_session session, gnutls_mac_algorithm algorithm); +const char *gnutls_mac_get_name(gnutls_mac_algorithm algorithm); +int _gnutls_mac_is_ok(gnutls_mac_algorithm algorithm); +int _gnutls_mac_priority(gnutls_session session, + gnutls_mac_algorithm algorithm); /* functions for cipher suites */ -int _gnutls_supported_ciphersuites(gnutls_session session, cipher_suite_st **ciphers); -int _gnutls_supported_ciphersuites_sorted(gnutls_session session, cipher_suite_st **ciphers); -int _gnutls_supported_compression_methods(gnutls_session session, uint8 **comp); - -const char* _gnutls_cipher_suite_get_name(cipher_suite_st *algorithm); -gnutls_cipher_algorithm _gnutls_cipher_suite_get_cipher_algo(const cipher_suite_st *algorithm); -gnutls_kx_algorithm _gnutls_cipher_suite_get_kx_algo(const cipher_suite_st *algorithm); -gnutls_mac_algorithm _gnutls_cipher_suite_get_mac_algo(const cipher_suite_st *algorithm); -gnutls_protocol_version _gnutls_cipher_suite_get_version(const cipher_suite_st *algorithm); -cipher_suite_st _gnutls_cipher_suite_get_suite_name(cipher_suite_st *algorithm); +int _gnutls_supported_ciphersuites(gnutls_session session, + cipher_suite_st ** ciphers); +int _gnutls_supported_ciphersuites_sorted(gnutls_session session, + cipher_suite_st ** ciphers); +int _gnutls_supported_compression_methods(gnutls_session session, + uint8 ** comp); + +const char *_gnutls_cipher_suite_get_name(cipher_suite_st * algorithm); +gnutls_cipher_algorithm _gnutls_cipher_suite_get_cipher_algo(const + cipher_suite_st + * algorithm); +gnutls_kx_algorithm _gnutls_cipher_suite_get_kx_algo(const cipher_suite_st + * algorithm); +gnutls_mac_algorithm _gnutls_cipher_suite_get_mac_algo(const + cipher_suite_st * + algorithm); +gnutls_protocol_version _gnutls_cipher_suite_get_version(const + cipher_suite_st * + algorithm); +cipher_suite_st _gnutls_cipher_suite_get_suite_name(cipher_suite_st * + algorithm); /* functions for ciphers */ -int _gnutls_cipher_priority(gnutls_session session, gnutls_cipher_algorithm algorithm); +int _gnutls_cipher_priority(gnutls_session session, + gnutls_cipher_algorithm algorithm); int _gnutls_cipher_get_block_size(gnutls_cipher_algorithm algorithm); int _gnutls_cipher_is_block(gnutls_cipher_algorithm algorithm); int _gnutls_cipher_is_ok(gnutls_cipher_algorithm algorithm); @@ -58,54 +73,61 @@ int _gnutls_cipher_get_export_flag(gnutls_cipher_algorithm algorithm); const char *gnutls_cipher_get_name(gnutls_cipher_algorithm algorithm); /* functions for key exchange */ -int _gnutls_kx_priority(gnutls_session session, gnutls_kx_algorithm algorithm); +int _gnutls_kx_priority(gnutls_session session, + gnutls_kx_algorithm algorithm); int _gnutls_kx_needs_dh_params(gnutls_kx_algorithm algorithm); int _gnutls_kx_needs_rsa_params(gnutls_kx_algorithm algorithm); -mod_auth_st * _gnutls_kx_auth_struct(gnutls_kx_algorithm algorithm); +mod_auth_st *_gnutls_kx_auth_struct(gnutls_kx_algorithm algorithm); const char *gnutls_kx_get_name(gnutls_kx_algorithm algorithm); int _gnutls_kx_is_ok(gnutls_kx_algorithm algorithm); /* functions for compression */ -int _gnutls_compression_priority(gnutls_session session, gnutls_compression_method algorithm); +int _gnutls_compression_priority(gnutls_session session, + gnutls_compression_method algorithm); int _gnutls_compression_is_ok(gnutls_compression_method algorithm); int _gnutls_compression_get_num(gnutls_compression_method algorithm); gnutls_compression_method _gnutls_compression_get_id(int num); -const char *gnutls_compression_get_name(gnutls_compression_method algorithm); +const char *gnutls_compression_get_name(gnutls_compression_method + algorithm); int _gnutls_compression_get_mem_level(gnutls_compression_method algorithm); -int _gnutls_compression_get_comp_level(gnutls_compression_method algorithm); +int _gnutls_compression_get_comp_level(gnutls_compression_method + algorithm); int _gnutls_compression_get_wbits(gnutls_compression_method algorithm); /* Type to KX mappings */ -gnutls_kx_algorithm _gnutls_map_kx_get_kx(gnutls_credentials_type type, int server); -gnutls_credentials_type _gnutls_map_kx_get_cred(gnutls_kx_algorithm algorithm, int server); +gnutls_kx_algorithm _gnutls_map_kx_get_kx(gnutls_credentials_type type, + int server); +gnutls_credentials_type _gnutls_map_kx_get_cred(gnutls_kx_algorithm + algorithm, int server); /* KX to PK mapping */ -gnutls_pk_algorithm _gnutls_map_pk_get_pk(gnutls_kx_algorithm kx_algorithm); +gnutls_pk_algorithm _gnutls_map_pk_get_pk(gnutls_kx_algorithm + kx_algorithm); -enum encipher_type { CIPHER_ENCRYPT=0, CIPHER_SIGN=1, CIPHER_IGN }; +enum encipher_type { CIPHER_ENCRYPT = 0, CIPHER_SIGN = 1, CIPHER_IGN }; enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm algorithm); struct gnutls_kx_algo_entry { - const char *name; - gnutls_kx_algorithm algorithm; - mod_auth_st *auth_struct; - int needs_dh_params; - int needs_rsa_params; + const char *name; + gnutls_kx_algorithm algorithm; + mod_auth_st *auth_struct; + int needs_dh_params; + int needs_rsa_params; }; typedef struct gnutls_kx_algo_entry gnutls_kx_algo_entry; struct gnutls_compression_entry { - const char *name; - gnutls_compression_method id; - int num; /* the number reserved in TLS for the specific compression method */ - - /* used in zlib compressor */ - int window_bits; - int mem_level; - int comp_level; + const char *name; + gnutls_compression_method id; + int num; /* the number reserved in TLS for the specific compression method */ + + /* used in zlib compressor */ + int window_bits; + int mem_level; + int comp_level; }; typedef struct gnutls_compression_entry gnutls_compression_entry; diff --git a/lib/gnutls_anon_cred.c b/lib/gnutls_anon_cred.c index 50da169d3d..55e088c06e 100644 --- a/lib/gnutls_anon_cred.c +++ b/lib/gnutls_anon_cred.c @@ -40,10 +40,10 @@ static const int anon_dummy; * This structure is complex enough to manipulate directly thus * this helper function is provided in order to free (deallocate) it. **/ -void gnutls_anon_free_server_credentials( gnutls_anon_server_credentials sc) +void gnutls_anon_free_server_credentials(gnutls_anon_server_credentials sc) { - gnutls_free( sc); + gnutls_free(sc); } /*- @@ -53,26 +53,27 @@ void gnutls_anon_free_server_credentials( gnutls_anon_server_credentials sc) * This function will return the dh parameters pointer. * -*/ -gnutls_dh_params _gnutls_anon_get_dh_params(const gnutls_anon_server_credentials sc, - gnutls_session session) +gnutls_dh_params _gnutls_anon_get_dh_params(const + gnutls_anon_server_credentials + sc, gnutls_session session) { -gnutls_params_st params; -int ret; - - if (session->internals.params.anon_dh_params) - return session->internals.params.anon_dh_params; - - if (sc->dh_params) { - session->internals.params.anon_dh_params = sc->dh_params; - } else if (sc->params_func) { - ret = sc->params_func( session, GNUTLS_PARAMS_DH, ¶ms); - if (ret == 0 && params.type == GNUTLS_PARAMS_DH) { - session->internals.params.anon_dh_params = params.params.dh; - session->internals.params.free_anon_dh_params = params.deinit; - } - } - + gnutls_params_st params; + int ret; + + if (session->internals.params.anon_dh_params) return session->internals.params.anon_dh_params; + + if (sc->dh_params) { + session->internals.params.anon_dh_params = sc->dh_params; + } else if (sc->params_func) { + ret = sc->params_func(session, GNUTLS_PARAMS_DH, ¶ms); + if (ret == 0 && params.type == GNUTLS_PARAMS_DH) { + session->internals.params.anon_dh_params = params.params.dh; + session->internals.params.free_anon_dh_params = params.deinit; + } + } + + return session->internals.params.anon_dh_params; } /** @@ -82,11 +83,13 @@ int ret; * This structure is complex enough to manipulate directly thus * this helper function is provided in order to allocate it. **/ -int gnutls_anon_allocate_server_credentials( gnutls_anon_server_credentials *sc) { +int gnutls_anon_allocate_server_credentials(gnutls_anon_server_credentials + * sc) +{ - *sc = gnutls_calloc( 1, sizeof(anon_server_credentials_st)); + *sc = gnutls_calloc(1, sizeof(anon_server_credentials_st)); - return 0; + return 0; } @@ -97,7 +100,8 @@ int gnutls_anon_allocate_server_credentials( gnutls_anon_server_credentials *sc) * This structure is complex enough to manipulate directly thus * this helper function is provided in order to free (deallocate) it. **/ -void gnutls_anon_free_client_credentials( gnutls_anon_client_credentials sc) { +void gnutls_anon_free_client_credentials(gnutls_anon_client_credentials sc) +{ } /** @@ -107,14 +111,15 @@ void gnutls_anon_free_client_credentials( gnutls_anon_client_credentials sc) { * This structure is complex enough to manipulate directly thus * this helper function is provided in order to allocate it. **/ -int gnutls_anon_allocate_client_credentials( gnutls_anon_client_credentials *sc) +int gnutls_anon_allocate_client_credentials(gnutls_anon_client_credentials + * sc) { - /* anon_dummy is only there for *sc not to be null. - * it is not used at all; - */ - *sc = (void*) &anon_dummy; - - return 0; + /* anon_dummy is only there for *sc not to be null. + * it is not used at all; + */ + *sc = (void *) &anon_dummy; + + return 0; } #endif diff --git a/lib/gnutls_asn1_tab.c b/lib/gnutls_asn1_tab.c index b7bfa2e03d..39c056c875 100644 --- a/lib/gnutls_asn1_tab.c +++ b/lib/gnutls_asn1_tab.c @@ -1,60 +1,60 @@ #include "libtasn1.h" -const ASN1_ARRAY_TYPE gnutls_asn1_tab[]={ - {"GNUTLS",536872976,0}, - {0,1073741836,0}, - {"RSAPublicKey",1610612741,0}, - {"modulus",1073741827,0}, - {"publicExponent",3,0}, - {"RSAPrivateKey",1610612741,0}, - {"version",1073741826,"Version"}, - {"modulus",1073741827,0}, - {"publicExponent",1073741827,0}, - {"privateExponent",1073741827,0}, - {"prime1",1073741827,0}, - {"prime2",1073741827,0}, - {"exponent1",1073741827,0}, - {"exponent2",1073741827,0}, - {"coefficient",1073741827,0}, - {"otherPrimeInfos",16386,"OtherPrimeInfos"}, - {"Version",1610874883,0}, - {"two-prime",1073741825,"0"}, - {"multi",1,"1"}, - {"OtherPrimeInfos",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"OtherPrimeInfo"}, - {"OtherPrimeInfo",1610612741,0}, - {"prime",1073741827,0}, - {"exponent",1073741827,0}, - {"coefficient",3,0}, - {"AlgorithmIdentifier",1610612741,0}, - {"algorithm",1073741836,0}, - {"parameters",541081613,0}, - {"algorithm",1,0}, - {"DigestInfo",1610612741,0}, - {"digestAlgorithm",1073741826,"DigestAlgorithmIdentifier"}, - {"digest",2,"Digest"}, - {"DigestAlgorithmIdentifier",1073741826,"AlgorithmIdentifier"}, - {"Digest",1073741831,0}, - {"DSAPublicKey",1073741827,0}, - {"DSAParameters",1610612741,0}, - {"p",1073741827,0}, - {"q",1073741827,0}, - {"g",3,0}, - {"DSASignatureValue",1610612741,0}, - {"r",1073741827,0}, - {"s",3,0}, - {"DSAPrivateKey",1610612741,0}, - {"version",1073741827,0}, - {"p",1073741827,0}, - {"q",1073741827,0}, - {"g",1073741827,0}, - {"Y",1073741827,0}, - {"priv",3,0}, - {"DHParameter",536870917,0}, - {"prime",1073741827,0}, - {"base",1073741827,0}, - {"privateValueLength",16387,0}, - {0,0,0} +const ASN1_ARRAY_TYPE gnutls_asn1_tab[] = { + {"GNUTLS", 536872976, 0}, + {0, 1073741836, 0}, + {"RSAPublicKey", 1610612741, 0}, + {"modulus", 1073741827, 0}, + {"publicExponent", 3, 0}, + {"RSAPrivateKey", 1610612741, 0}, + {"version", 1073741826, "Version"}, + {"modulus", 1073741827, 0}, + {"publicExponent", 1073741827, 0}, + {"privateExponent", 1073741827, 0}, + {"prime1", 1073741827, 0}, + {"prime2", 1073741827, 0}, + {"exponent1", 1073741827, 0}, + {"exponent2", 1073741827, 0}, + {"coefficient", 1073741827, 0}, + {"otherPrimeInfos", 16386, "OtherPrimeInfos"}, + {"Version", 1610874883, 0}, + {"two-prime", 1073741825, "0"}, + {"multi", 1, "1"}, + {"OtherPrimeInfos", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "OtherPrimeInfo"}, + {"OtherPrimeInfo", 1610612741, 0}, + {"prime", 1073741827, 0}, + {"exponent", 1073741827, 0}, + {"coefficient", 3, 0}, + {"AlgorithmIdentifier", 1610612741, 0}, + {"algorithm", 1073741836, 0}, + {"parameters", 541081613, 0}, + {"algorithm", 1, 0}, + {"DigestInfo", 1610612741, 0}, + {"digestAlgorithm", 1073741826, "DigestAlgorithmIdentifier"}, + {"digest", 2, "Digest"}, + {"DigestAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"}, + {"Digest", 1073741831, 0}, + {"DSAPublicKey", 1073741827, 0}, + {"DSAParameters", 1610612741, 0}, + {"p", 1073741827, 0}, + {"q", 1073741827, 0}, + {"g", 3, 0}, + {"DSASignatureValue", 1610612741, 0}, + {"r", 1073741827, 0}, + {"s", 3, 0}, + {"DSAPrivateKey", 1610612741, 0}, + {"version", 1073741827, 0}, + {"p", 1073741827, 0}, + {"q", 1073741827, 0}, + {"g", 1073741827, 0}, + {"Y", 1073741827, 0}, + {"priv", 3, 0}, + {"DHParameter", 536870917, 0}, + {"prime", 1073741827, 0}, + {"base", 1073741827, 0}, + {"privateValueLength", 16387, 0}, + {0, 0, 0} }; diff --git a/lib/gnutls_auth.c b/lib/gnutls_auth.c index a383ff1eaa..1819a6ab76 100644 --- a/lib/gnutls_auth.c +++ b/lib/gnutls_auth.c @@ -41,17 +41,18 @@ * Clears all the credentials previously set in this session. * **/ -void gnutls_credentials_clear( gnutls_session session) { - if (session->key && session->key->cred) { /* beginning of the list */ - auth_cred_st * ccred, *ncred; - ccred = session->key->cred; - while(ccred!=NULL) { - ncred = ccred->next; - gnutls_free(ccred); - ccred = ncred; - } - session->key->cred = NULL; +void gnutls_credentials_clear(gnutls_session session) +{ + if (session->key && session->key->cred) { /* beginning of the list */ + auth_cred_st *ccred, *ncred; + ccred = session->key->cred; + while (ccred != NULL) { + ncred = ccred->next; + gnutls_free(ccred); + ccred = ncred; } + session->key->cred = NULL; + } } /* @@ -83,51 +84,55 @@ void gnutls_credentials_clear( gnutls_session session) { * For GNUTLS_CRD_CERTIFICATE cred should be gnutls_certificate_credentials. * **/ -int gnutls_credentials_set( gnutls_session session, gnutls_credentials_type type, void* cred) { - auth_cred_st * ccred=NULL, *pcred=NULL; - int exists=0; - - if (session->key->cred==NULL) { /* beginning of the list */ - - session->key->cred = gnutls_malloc(sizeof(auth_cred_st)); - if (session->key->cred == NULL) return GNUTLS_E_MEMORY_ERROR; - - /* copy credentials locally */ - session->key->cred->credentials = cred; - - session->key->cred->next = NULL; - session->key->cred->algorithm = type; - } else { - ccred = session->key->cred; - while(ccred!=NULL) { - if (ccred->algorithm==type) { - exists=1; - break; - } - pcred = ccred; - ccred = ccred->next; - } - /* After this, pcred is not null. - */ - - if (exists==0) { /* new entry */ - pcred->next = gnutls_malloc(sizeof(auth_cred_st)); - if (pcred->next == NULL) return GNUTLS_E_MEMORY_ERROR; - - ccred = pcred->next; - - /* copy credentials locally */ - ccred->credentials = cred; - - ccred->next = NULL; - ccred->algorithm = type; - } else { /* modify existing entry */ - gnutls_free(ccred->credentials); - ccred->credentials = cred; - } +int gnutls_credentials_set(gnutls_session session, + gnutls_credentials_type type, void *cred) +{ + auth_cred_st *ccred = NULL, *pcred = NULL; + int exists = 0; + + if (session->key->cred == NULL) { /* beginning of the list */ + + session->key->cred = gnutls_malloc(sizeof(auth_cred_st)); + if (session->key->cred == NULL) + return GNUTLS_E_MEMORY_ERROR; + + /* copy credentials locally */ + session->key->cred->credentials = cred; + + session->key->cred->next = NULL; + session->key->cred->algorithm = type; + } else { + ccred = session->key->cred; + while (ccred != NULL) { + if (ccred->algorithm == type) { + exists = 1; + break; + } + pcred = ccred; + ccred = ccred->next; } + /* After this, pcred is not null. + */ + + if (exists == 0) { /* new entry */ + pcred->next = gnutls_malloc(sizeof(auth_cred_st)); + if (pcred->next == NULL) + return GNUTLS_E_MEMORY_ERROR; + + ccred = pcred->next; + + /* copy credentials locally */ + ccred->credentials = cred; - return 0; + ccred->next = NULL; + ccred->algorithm = type; + } else { /* modify existing entry */ + gnutls_free(ccred->credentials); + ccred->credentials = cred; + } + } + + return 0; } /** @@ -141,16 +146,18 @@ int gnutls_credentials_set( gnutls_session session, gnutls_credentials_type type * Eg. for CERTIFICATE ciphersuites (key exchange algorithms: KX_RSA, KX_DHE_RSA), * the same function are to be used to access the authentication data. **/ -gnutls_credentials_type gnutls_auth_get_type( gnutls_session session) +gnutls_credentials_type gnutls_auth_get_type(gnutls_session session) { /* This is not the credentials we must set, but the authentication data * we get by the peer, so it should be reversed. */ -int server = session->security_parameters.entity==GNUTLS_SERVER?0:1; + int server = + session->security_parameters.entity == GNUTLS_SERVER ? 0 : 1; - return _gnutls_map_kx_get_cred( - _gnutls_cipher_suite_get_kx_algo( - &session->security_parameters.current_cipher_suite), server); + return + _gnutls_map_kx_get_cred(_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite), server); } /** @@ -162,11 +169,12 @@ int server = session->security_parameters.entity==GNUTLS_SERVER?0:1; * to access authentication data. * **/ -gnutls_credentials_type gnutls_auth_server_get_type( gnutls_session session) +gnutls_credentials_type gnutls_auth_server_get_type(gnutls_session session) { - return _gnutls_map_kx_get_cred( - _gnutls_cipher_suite_get_kx_algo( - &session->security_parameters.current_cipher_suite), 1); + return + _gnutls_map_kx_get_cred(_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite), 1); } /** @@ -178,11 +186,12 @@ gnutls_credentials_type gnutls_auth_server_get_type( gnutls_session session) * to access authentication data. * **/ -gnutls_credentials_type gnutls_auth_client_get_type( gnutls_session session) +gnutls_credentials_type gnutls_auth_client_get_type(gnutls_session session) { - return _gnutls_map_kx_get_cred( - _gnutls_cipher_suite_get_kx_algo( - &session->security_parameters.current_cipher_suite), 0); + return + _gnutls_map_kx_get_cred(_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite), 0); } @@ -190,35 +199,43 @@ gnutls_credentials_type gnutls_auth_client_get_type( gnutls_session session) * This returns a pointer to the linked list. Don't * free that!!! */ -const void *_gnutls_get_kx_cred( gnutls_session session, gnutls_kx_algorithm algo, int *err) +const void *_gnutls_get_kx_cred(gnutls_session session, + gnutls_kx_algorithm algo, int *err) { -int server = session->security_parameters.entity==GNUTLS_SERVER?1:0; + int server = + session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0; - return _gnutls_get_cred( session->key, _gnutls_map_kx_get_cred(algo, server), err); + return _gnutls_get_cred(session->key, + _gnutls_map_kx_get_cred(algo, server), err); } -const void *_gnutls_get_cred( gnutls_key_st key, gnutls_credentials_type type, int *err) { - const void *retval = NULL; - int _err = -1; - auth_cred_st * ccred; +const void *_gnutls_get_cred(gnutls_key_st key, + gnutls_credentials_type type, int *err) +{ + const void *retval = NULL; + int _err = -1; + auth_cred_st *ccred; - if (key == NULL) goto out; + if (key == NULL) + goto out; - ccred = key->cred; - while(ccred!=NULL) { - if (ccred->algorithm==type) { - break; - } - ccred = ccred->next; + ccred = key->cred; + while (ccred != NULL) { + if (ccred->algorithm == type) { + break; } - if (ccred==NULL) goto out; + ccred = ccred->next; + } + if (ccred == NULL) + goto out; - _err = 0; - retval = ccred->credentials; + _err = 0; + retval = ccred->credentials; - out: - if (err!=NULL) *err=_err; - return retval; + out: + if (err != NULL) + *err = _err; + return retval; } /*- @@ -234,8 +251,9 @@ const void *_gnutls_get_cred( gnutls_key_st key, gnutls_credentials_type type, i * In case of GNUTLS_CRD_CERTIFICATE returns a type of &cert_auth_info_t; * In case of GNUTLS_CRD_SRP returns a type of &srp_(server/client)_auth_info_t; -*/ -void* _gnutls_get_auth_info( gnutls_session session) { - return session->key->auth_info; +void *_gnutls_get_auth_info(gnutls_session session) +{ + return session->key->auth_info; } /*- @@ -246,43 +264,44 @@ void* _gnutls_get_auth_info( gnutls_session session) { * null. It must be called since some structures contain malloced * elements. -*/ -void _gnutls_free_auth_info( gnutls_session session) { - if (session==NULL || session->key==NULL) { - gnutls_assert(); - return; - } - - switch ( session->key->auth_info_type) { - case GNUTLS_CRD_SRP: - case GNUTLS_CRD_ANON: - - break; - case GNUTLS_CRD_CERTIFICATE: { - unsigned int i; - cert_auth_info_t info = - _gnutls_get_auth_info(session); - - if (info==NULL) break; - for (i=0;i<info->ncerts;i++) { - _gnutls_free_datum( &info->raw_certificate_list[i]); - } - - gnutls_free( info->raw_certificate_list); - info->raw_certificate_list = NULL; - info->ncerts = 0; - } +void _gnutls_free_auth_info(gnutls_session session) +{ + if (session == NULL || session->key == NULL) { + gnutls_assert(); + return; + } + + switch (session->key->auth_info_type) { + case GNUTLS_CRD_SRP: + case GNUTLS_CRD_ANON: + break; + case GNUTLS_CRD_CERTIFICATE:{ + unsigned int i; + cert_auth_info_t info = _gnutls_get_auth_info(session); + if (info == NULL) break; - default: - return; + for (i = 0; i < info->ncerts; i++) { + _gnutls_free_datum(&info->raw_certificate_list[i]); + } + gnutls_free(info->raw_certificate_list); + info->raw_certificate_list = NULL; + info->ncerts = 0; } - gnutls_free( session->key->auth_info); - session->key->auth_info = NULL; - session->key->auth_info_size = 0; - session->key->auth_info_type = 0; + + break; + default: + return; + + } + + gnutls_free(session->key->auth_info); + session->key->auth_info = NULL; + session->key->auth_info_size = 0; + session->key->auth_info_type = 0; } @@ -291,65 +310,69 @@ void _gnutls_free_auth_info( gnutls_session session) { * If allow change is !=0 then this will allow changing the auth * info structure to a different type. */ -int _gnutls_auth_info_set( gnutls_session session, - gnutls_credentials_type type, int size, int allow_change) +int _gnutls_auth_info_set(gnutls_session session, + gnutls_credentials_type type, int size, + int allow_change) { - if ( session->key->auth_info == NULL) { - session->key->auth_info = gnutls_calloc( 1, size); + if (session->key->auth_info == NULL) { + session->key->auth_info = gnutls_calloc(1, size); + if (session->key->auth_info == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + session->key->auth_info_type = type; + session->key->auth_info_size = size; + } else { + if (allow_change == 0) { + /* If the credentials for the current authentication scheme, + * are not the one we want to set, then it's an error. + * This may happen if a rehandshake is performed an the + * ciphersuite which is negotiated has different authentication + * schema. + */ + if (gnutls_auth_get_type(session) != + session->key->auth_info_type) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + } else { + /* The new behaviour: Here we reallocate the auth info structure + * in order to be able to negotiate different authentication + * types. Ie. perform an auth_anon and then authenticate again using a + * certificate (in order to prevent revealing the certificate's contents, + * to passive eavesdropers. + */ + if (gnutls_auth_get_type(session) != + session->key->auth_info_type) { + session->key->auth_info = + gnutls_realloc_fast(session->key->auth_info, size); if (session->key->auth_info == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + memset(session->key->auth_info, 0, size); session->key->auth_info_type = type; session->key->auth_info_size = size; - } else { - if (allow_change==0) { - /* If the credentials for the current authentication scheme, - * are not the one we want to set, then it's an error. - * This may happen if a rehandshake is performed an the - * ciphersuite which is negotiated has different authentication - * schema. - */ - if ( gnutls_auth_get_type( session) != session->key->auth_info_type) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - } else { - /* The new behaviour: Here we reallocate the auth info structure - * in order to be able to negotiate different authentication - * types. Ie. perform an auth_anon and then authenticate again using a - * certificate (in order to prevent revealing the certificate's contents, - * to passive eavesdropers. - */ - if ( gnutls_auth_get_type( session) != session->key->auth_info_type) { - session->key->auth_info = gnutls_realloc_fast( - session->key->auth_info, size); - if (session->key->auth_info == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - memset( session->key->auth_info, 0, size); - session->key->auth_info_type = type; - session->key->auth_info_size = size; - } - } + } } - return 0; + } + return 0; } /* this function will copy an mpi_t key to * opaque data. */ -int _gnutls_generate_session_key(gnutls_key_st key) { -size_t tmp; +int _gnutls_generate_session_key(gnutls_key_st key) +{ + size_t tmp; - _gnutls_mpi_print( NULL, &tmp, key->KEY); - key->key.data = gnutls_secure_malloc( tmp); - if ( key->key.data==NULL) { - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_mpi_print( key->key.data, &tmp, key->KEY); - - key->key.size = tmp; - return 0; + _gnutls_mpi_print(NULL, &tmp, key->KEY); + key->key.data = gnutls_secure_malloc(tmp); + if (key->key.data == NULL) { + return GNUTLS_E_MEMORY_ERROR; + } + _gnutls_mpi_print(key->key.data, &tmp, key->KEY); + + key->key.size = tmp; + return 0; } diff --git a/lib/gnutls_auth.h b/lib/gnutls_auth.h index 23cb6d742e..1012ad0b0d 100644 --- a/lib/gnutls_auth.h +++ b/lib/gnutls_auth.h @@ -2,20 +2,25 @@ # define GNUTLS_AUTH_H typedef struct mod_auth_st_int { - const char* name; /* null terminated */ - int (*gnutls_generate_server_certificate)( gnutls_session, opaque**); - int (*gnutls_generate_client_certificate)( gnutls_session, opaque**); - int (*gnutls_generate_server_kx)( gnutls_session, opaque**); - int (*gnutls_generate_client_kx)( gnutls_session, opaque**); /* used in SRP */ - int (*gnutls_generate_client_cert_vrfy) ( gnutls_session, opaque**); - int (*gnutls_generate_server_certificate_request) ( gnutls_session, opaque**); - - int (*gnutls_process_server_certificate)( gnutls_session, opaque*, size_t); - int (*gnutls_process_client_certificate)( gnutls_session, opaque*, size_t); - int (*gnutls_process_server_kx)( gnutls_session, opaque*, size_t); - int (*gnutls_process_client_kx)( gnutls_session, opaque*, size_t); - int (*gnutls_process_client_cert_vrfy) ( gnutls_session, opaque*, size_t); - int (*gnutls_process_server_certificate_request) ( gnutls_session, opaque*, size_t); + const char *name; /* null terminated */ + int (*gnutls_generate_server_certificate) (gnutls_session, opaque **); + int (*gnutls_generate_client_certificate) (gnutls_session, opaque **); + int (*gnutls_generate_server_kx) (gnutls_session, opaque **); + int (*gnutls_generate_client_kx) (gnutls_session, opaque **); /* used in SRP */ + int (*gnutls_generate_client_cert_vrfy) (gnutls_session, opaque **); + int (*gnutls_generate_server_certificate_request) (gnutls_session, + opaque **); + + int (*gnutls_process_server_certificate) (gnutls_session, opaque *, + size_t); + int (*gnutls_process_client_certificate) (gnutls_session, opaque *, + size_t); + int (*gnutls_process_server_kx) (gnutls_session, opaque *, size_t); + int (*gnutls_process_client_kx) (gnutls_session, opaque *, size_t); + int (*gnutls_process_client_cert_vrfy) (gnutls_session, opaque *, + size_t); + int (*gnutls_process_server_certificate_request) (gnutls_session, + opaque *, size_t); } mod_auth_st; #endif diff --git a/lib/gnutls_auth_int.h b/lib/gnutls_auth_int.h index c8ee82e373..e0de2f440a 100644 --- a/lib/gnutls_auth_int.h +++ b/lib/gnutls_auth_int.h @@ -1,8 +1,13 @@ -void gnutls_credentials_clear( gnutls_session session); -int gnutls_credentials_set( gnutls_session session, gnutls_credentials_type type, void* cred); -const void *_gnutls_get_cred( gnutls_key_st key, gnutls_credentials_type kx, int* err); -const void *_gnutls_get_kx_cred( gnutls_session session, gnutls_kx_algorithm algo, int *err); +void gnutls_credentials_clear(gnutls_session session); +int gnutls_credentials_set(gnutls_session session, + gnutls_credentials_type type, void *cred); +const void *_gnutls_get_cred(gnutls_key_st key, gnutls_credentials_type kx, + int *err); +const void *_gnutls_get_kx_cred(gnutls_session session, + gnutls_kx_algorithm algo, int *err); int _gnutls_generate_session_key(gnutls_key_st key); -gnutls_credentials_type gnutls_auth_get_type( gnutls_session session); -void* _gnutls_get_auth_info( gnutls_session session); -int _gnutls_auth_info_set( gnutls_session session, gnutls_credentials_type type, int size, int allow_change); +gnutls_credentials_type gnutls_auth_get_type(gnutls_session session); +void *_gnutls_get_auth_info(gnutls_session session); +int _gnutls_auth_info_set(gnutls_session session, + gnutls_credentials_type type, int size, + int allow_change); diff --git a/lib/gnutls_buffer.h b/lib/gnutls_buffer.h index 58531d9383..8670d85ed8 100644 --- a/lib/gnutls_buffer.h +++ b/lib/gnutls_buffer.h @@ -5,4 +5,3 @@ typedef gnutls_string gnutls_buffer; #define _gnutls_buffer_init(buf) _gnutls_string_init(buf, gnutls_malloc, gnutls_realloc, gnutls_free); #define _gnutls_buffer_clear _gnutls_string_clear #define _gnutls_buffer_append _gnutls_string_append_data - diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c index aa31d7a70a..13fb79035f 100644 --- a/lib/gnutls_buffers.c +++ b/lib/gnutls_buffers.c @@ -63,10 +63,11 @@ # define EAGAIN EWOULDBLOCK #endif -inline -static int RET( int err) { - if (err==EAGAIN) return GNUTLS_E_AGAIN; - return GNUTLS_E_INTERRUPTED; +inline static int RET(int err) +{ + if (err == EAGAIN) + return GNUTLS_E_AGAIN; + return GNUTLS_E_INTERRUPTED; } #ifdef IO_DEBUG @@ -76,52 +77,59 @@ static int RET( int err) { /* Buffers received packets of type APPLICATION DATA and * HANDSHAKE DATA. */ -int _gnutls_record_buffer_put(content_type_t type, gnutls_session session, opaque *data, size_t length) +int _gnutls_record_buffer_put(content_type_t type, gnutls_session session, + opaque * data, size_t length) { - if (length==0) return 0; - switch( type) { - case GNUTLS_APPLICATION_DATA: - - if ( _gnutls_buffer_append( &session->internals.application_data_buffer, - data, length) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_buffers_log( "BUF[REC]: Inserted %d bytes of Data(%d)\n", length, type); + if (length == 0) + return 0; + switch (type) { + case GNUTLS_APPLICATION_DATA: + + if (_gnutls_buffer_append + (&session->internals.application_data_buffer, data, + length) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + _gnutls_buffers_log("BUF[REC]: Inserted %d bytes of Data(%d)\n", + length, type); + + break; + case GNUTLS_HANDSHAKE: + if (_gnutls_buffer_append + (&session->internals.handshake_data_buffer, data, + length) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - break; - case GNUTLS_HANDSHAKE: - if ( _gnutls_buffer_append( &session->internals.handshake_data_buffer, - data, length) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + _gnutls_buffers_log("BUF[HSK]: Inserted %d bytes of Data(%d)\n", + length, type); - _gnutls_buffers_log( "BUF[HSK]: Inserted %d bytes of Data(%d)\n", length, type); + break; - break; - - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return 0; + return 0; } -int _gnutls_record_buffer_get_size(content_type_t type, gnutls_session session) +int _gnutls_record_buffer_get_size(content_type_t type, + gnutls_session session) { - switch( type) { - case GNUTLS_APPLICATION_DATA: - return session->internals.application_data_buffer.length; - - case GNUTLS_HANDSHAKE: - return session->internals.handshake_data_buffer.length; - - default: - return GNUTLS_E_INVALID_REQUEST; - } + switch (type) { + case GNUTLS_APPLICATION_DATA: + return session->internals.application_data_buffer.length; + + case GNUTLS_HANDSHAKE: + return session->internals.handshake_data_buffer.length; + + default: + return GNUTLS_E_INVALID_REQUEST; + } } /** @@ -135,63 +143,70 @@ int _gnutls_record_buffer_get_size(content_type_t type, gnutls_session session) * (gnutls leaves some data in the tcp buffer in order for select * to work). **/ -size_t gnutls_record_check_pending(gnutls_session session) { - return _gnutls_record_buffer_get_size(GNUTLS_APPLICATION_DATA, session); +size_t gnutls_record_check_pending(gnutls_session session) +{ + return _gnutls_record_buffer_get_size(GNUTLS_APPLICATION_DATA, + session); } -int _gnutls_record_buffer_get(content_type_t type, gnutls_session session, opaque *data, size_t length) +int _gnutls_record_buffer_get(content_type_t type, gnutls_session session, + opaque * data, size_t length) { - if (length==0 || data==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (length == 0 || data == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + switch (type) { + case GNUTLS_APPLICATION_DATA: + + if (length > session->internals.application_data_buffer.length) { + length = session->internals.application_data_buffer.length; } - - switch(type) { - case GNUTLS_APPLICATION_DATA: - if (length > session->internals.application_data_buffer.length) { - length = session->internals.application_data_buffer.length; - } + _gnutls_buffers_log("BUFFER[REC][AD]: Read %d bytes of Data(%d)\n", + length, type); - _gnutls_buffers_log( "BUFFER[REC][AD]: Read %d bytes of Data(%d)\n", length, type); + session->internals.application_data_buffer.length -= length; + memcpy(data, session->internals.application_data_buffer.data, + length); - session->internals.application_data_buffer.length -= length; - memcpy(data, session->internals.application_data_buffer.data, length); + /* overwrite buffer */ + memmove(session->internals.application_data_buffer.data, + &session->internals.application_data_buffer.data[length], + session->internals.application_data_buffer.length); - /* overwrite buffer */ - memmove(session->internals.application_data_buffer.data, - &session->internals.application_data_buffer.data[length], - session->internals.application_data_buffer.length); + /* we do no longer realloc the application_data_buffer.data, + * since it serves no practical reason. It also decreases + * performance. + */ + break; - /* we do no longer realloc the application_data_buffer.data, - * since it serves no practical reason. It also decreases - * performance. - */ - break; - - case GNUTLS_HANDSHAKE: - if (length > session->internals.handshake_data_buffer.length) { - length = session->internals.handshake_data_buffer.length; - } + case GNUTLS_HANDSHAKE: + if (length > session->internals.handshake_data_buffer.length) { + length = session->internals.handshake_data_buffer.length; + } - _gnutls_buffers_log( "BUF[REC][HD]: Read %d bytes of Data(%d)\n", length, type); + _gnutls_buffers_log("BUF[REC][HD]: Read %d bytes of Data(%d)\n", + length, type); - session->internals.handshake_data_buffer.length -= length; - memcpy(data, session->internals.handshake_data_buffer.data, length); + session->internals.handshake_data_buffer.length -= length; + memcpy(data, session->internals.handshake_data_buffer.data, + length); - /* overwrite buffer */ - memmove(session->internals.handshake_data_buffer.data, - &session->internals.handshake_data_buffer.data[length], - session->internals.handshake_data_buffer.length); + /* overwrite buffer */ + memmove(session->internals.handshake_data_buffer.data, + &session->internals.handshake_data_buffer.data[length], + session->internals.handshake_data_buffer.length); - break; - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + break; + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return length; + return length; } @@ -200,124 +215,134 @@ int _gnutls_record_buffer_get(content_type_t type, gnutls_session session, opaqu * * Flags are only used if the default recv() function is being used. */ -static ssize_t _gnutls_read( gnutls_session session, void *iptr, size_t sizeOfPtr, int flags) +static ssize_t _gnutls_read(gnutls_session session, void *iptr, + size_t sizeOfPtr, int flags) { - size_t left; - ssize_t i=0; - char *ptr = iptr; - uint j,x, sum=0; - gnutls_transport_ptr fd = session->internals.transport_recv_ptr; - - session->internals.direction = 0; - - left = sizeOfPtr; - while (left > 0) { - - if (session->internals._gnutls_pull_func==NULL) - i = recv( (int)fd, &ptr[sizeOfPtr-left], left, flags); - else - i = session->internals._gnutls_pull_func(fd, &ptr[sizeOfPtr-left], left); - - if (i < 0) { - _gnutls_read_log( "READ: %d returned from %d, errno=%d\n", i, fd, errno); - - if (errno == EAGAIN || errno == EINTR) { - if (sizeOfPtr-left > 0) { - - _gnutls_read_log( "READ: returning %d bytes from %d\n", sizeOfPtr-left, fd); - - goto finish; - } - gnutls_assert(); - - return RET(errno); - } else { - gnutls_assert(); - return GNUTLS_E_PULL_ERROR; - } - } else { - - _gnutls_read_log( "READ: Got %d bytes from %d\n", i, fd); - - if (i == 0) - break; /* EOF */ + size_t left; + ssize_t i = 0; + char *ptr = iptr; + uint j, x, sum = 0; + gnutls_transport_ptr fd = session->internals.transport_recv_ptr; + + session->internals.direction = 0; + + left = sizeOfPtr; + while (left > 0) { + + if (session->internals._gnutls_pull_func == NULL) + i = recv((int) fd, &ptr[sizeOfPtr - left], left, flags); + else + i = session->internals._gnutls_pull_func(fd, + &ptr[sizeOfPtr - + left], left); + + if (i < 0) { + _gnutls_read_log("READ: %d returned from %d, errno=%d\n", i, + fd, errno); + + if (errno == EAGAIN || errno == EINTR) { + if (sizeOfPtr - left > 0) { + + _gnutls_read_log("READ: returning %d bytes from %d\n", + sizeOfPtr - left, fd); + + goto finish; } + gnutls_assert(); + + return RET(errno); + } else { + gnutls_assert(); + return GNUTLS_E_PULL_ERROR; + } + } else { - left -= i; + _gnutls_read_log("READ: Got %d bytes from %d\n", i, fd); + if (i == 0) + break; /* EOF */ } - finish: + left -= i; - if (_gnutls_log_level >= 7) { - char line[128]; - char tmp[16]; - - - _gnutls_read_log( "READ: read %d bytes from %d\n", (sizeOfPtr-left), fd); - - for (x=0;x<((sizeOfPtr-left)/16)+1;x++) { - line[0] = 0; - - sprintf( tmp, "%.4x - ",x); - _gnutls_str_cat( line, sizeof(line), tmp); - - for (j=0;j<16;j++) { - if (sum<(sizeOfPtr-left)) { - sprintf( tmp, "%.2x ", ((unsigned char*)ptr)[sum++]); - _gnutls_str_cat( line, sizeof(line), tmp); - } - } - _gnutls_read_log( "%s\n", line); + } + + finish: + + if (_gnutls_log_level >= 7) { + char line[128]; + char tmp[16]; + + + _gnutls_read_log("READ: read %d bytes from %d\n", + (sizeOfPtr - left), fd); + + for (x = 0; x < ((sizeOfPtr - left) / 16) + 1; x++) { + line[0] = 0; + + sprintf(tmp, "%.4x - ", x); + _gnutls_str_cat(line, sizeof(line), tmp); + + for (j = 0; j < 16; j++) { + if (sum < (sizeOfPtr - left)) { + sprintf(tmp, "%.2x ", ((unsigned char *) ptr)[sum++]); + _gnutls_str_cat(line, sizeof(line), tmp); } + } + _gnutls_read_log("%s\n", line); } + } - return (sizeOfPtr - left); + return (sizeOfPtr - left); } -#define RCVLOWAT session->internals.lowat +#define RCVLOWAT session->internals.lowat /* This function is only used with berkeley style sockets. * Clears the peeked data (read with MSG_PEEK). */ -int _gnutls_io_clear_peeked_data( gnutls_session session) { -char *peekdata; -int ret, sum; - - if (session->internals.have_peeked_data==0 || RCVLOWAT==0) - return 0; - - peekdata = gnutls_alloca( RCVLOWAT); - if (peekdata==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - /* this was already read by using MSG_PEEK - so it shouldn't fail */ - sum = 0; - do { /* we need this to finish now */ - ret = _gnutls_read( session, peekdata, RCVLOWAT-sum, 0); - if (ret > 0) sum+=ret; - } while( ret==GNUTLS_E_INTERRUPTED || ret==GNUTLS_E_AGAIN || sum < RCVLOWAT); - - gnutls_afree(peekdata); - - if (ret < 0) { - gnutls_assert(); - return ret; - } +int _gnutls_io_clear_peeked_data(gnutls_session session) +{ + char *peekdata; + int ret, sum; + + if (session->internals.have_peeked_data == 0 || RCVLOWAT == 0) + return 0; + + peekdata = gnutls_alloca(RCVLOWAT); + if (peekdata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + /* this was already read by using MSG_PEEK - so it shouldn't fail */ + sum = 0; + do { /* we need this to finish now */ + ret = _gnutls_read(session, peekdata, RCVLOWAT - sum, 0); + if (ret > 0) + sum += ret; + } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN + || sum < RCVLOWAT); - session->internals.have_peeked_data=0; + gnutls_afree(peekdata); - return 0; + if (ret < 0) { + gnutls_assert(); + return ret; + } + + session->internals.have_peeked_data = 0; + + return 0; } -void _gnutls_io_clear_read_buffer( gnutls_session session) { - session->internals.record_recv_buffer.length = 0; +void _gnutls_io_clear_read_buffer(gnutls_session session) +{ + session->internals.record_recv_buffer.length = 0; } - + /* This function is like recv(with MSG_PEEK). But it does not return -1 on error. * It does return gnutls_errno instead. * This function reads data from the socket and keeps them in a buffer, of up to @@ -327,152 +352,163 @@ void _gnutls_io_clear_read_buffer( gnutls_session session) { * which are stored in a local (in the session) buffer. A pointer (iptr) to this buffer is returned. * */ -ssize_t _gnutls_io_read_buffered( gnutls_session session, opaque **iptr, size_t sizeOfPtr, content_type_t recv_type) +ssize_t _gnutls_io_read_buffered(gnutls_session session, opaque ** iptr, + size_t sizeOfPtr, + content_type_t recv_type) { - ssize_t ret=0, ret2=0; - size_t min; - int buf_pos; - opaque *buf; - int recvlowat; - int recvdata, alloc_size; - - *iptr = session->internals.record_recv_buffer.data; - - if ( sizeOfPtr > MAX_RECV_SIZE || sizeOfPtr == 0) { - gnutls_assert(); /* internal error */ - return GNUTLS_E_INVALID_REQUEST; - } - - /* If an external pull function is used, then do not leave - * any data into the kernel buffer. - */ - if (session->internals._gnutls_pull_func != NULL) { - recvlowat = 0; - } else { - /* leave peeked data to the kernel space only if application data - * is received and we don't have any peeked - * data in gnutls session. - */ - if ( recv_type != GNUTLS_APPLICATION_DATA - && session->internals.have_peeked_data==0) - recvlowat = 0; - else recvlowat = RCVLOWAT; - } - + ssize_t ret = 0, ret2 = 0; + size_t min; + int buf_pos; + opaque *buf; + int recvlowat; + int recvdata, alloc_size; + + *iptr = session->internals.record_recv_buffer.data; + + if (sizeOfPtr > MAX_RECV_SIZE || sizeOfPtr == 0) { + gnutls_assert(); /* internal error */ + return GNUTLS_E_INVALID_REQUEST; + } - - /* calculate the actual size, ie. get the minimum of the - * buffered data and the requested data. + /* If an external pull function is used, then do not leave + * any data into the kernel buffer. + */ + if (session->internals._gnutls_pull_func != NULL) { + recvlowat = 0; + } else { + /* leave peeked data to the kernel space only if application data + * is received and we don't have any peeked + * data in gnutls session. */ - min = GMIN( session->internals.record_recv_buffer.length, sizeOfPtr); - if ( min > 0) { - /* if we have enough buffered data - * then just return them. - */ - if ( min == sizeOfPtr) { - return min; - } - } + if (recv_type != GNUTLS_APPLICATION_DATA + && session->internals.have_peeked_data == 0) + recvlowat = 0; + else + recvlowat = RCVLOWAT; + } - /* min is over zero. recvdata is the data we must - * receive in order to return the requested data. - */ - recvdata = sizeOfPtr - min; - /* Check if the previously read data plus the new data to - * receive are longer than the maximum receive buffer size. - */ - if ((session->internals.record_recv_buffer.length + recvdata) > MAX_RECV_SIZE) - { - gnutls_assert(); /* internal error */ - return GNUTLS_E_INVALID_REQUEST; - } - - /* Allocate the data required to store the new packet. + + /* calculate the actual size, ie. get the minimum of the + * buffered data and the requested data. + */ + min = GMIN(session->internals.record_recv_buffer.length, sizeOfPtr); + if (min > 0) { + /* if we have enough buffered data + * then just return them. */ - alloc_size = recvdata+session->internals.record_recv_buffer.length; - session->internals.record_recv_buffer.data = gnutls_realloc_fast( - session->internals.record_recv_buffer.data, alloc_size); - if ( session->internals.record_recv_buffer.data==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (min == sizeOfPtr) { + return min; } + } - buf_pos = session->internals.record_recv_buffer.length; - buf = session->internals.record_recv_buffer.data; - *iptr = buf; + /* min is over zero. recvdata is the data we must + * receive in order to return the requested data. + */ + recvdata = sizeOfPtr - min; + + /* Check if the previously read data plus the new data to + * receive are longer than the maximum receive buffer size. + */ + if ((session->internals.record_recv_buffer.length + recvdata) > + MAX_RECV_SIZE) { + gnutls_assert(); /* internal error */ + return GNUTLS_E_INVALID_REQUEST; + } - /* READ DATA - but leave RCVLOWAT bytes in the kernel buffer. - */ - if ( recvdata - recvlowat > 0) { - ret = _gnutls_read( session, &buf[buf_pos], recvdata - recvlowat, 0); - - /* return immediately if we got an interrupt or eagain - * error. - */ - if (ret < 0 && gnutls_error_is_fatal(ret)==0) { - return ret; - } - } + /* Allocate the data required to store the new packet. + */ + alloc_size = recvdata + session->internals.record_recv_buffer.length; + session->internals.record_recv_buffer.data = + gnutls_realloc_fast(session->internals.record_recv_buffer.data, + alloc_size); + if (session->internals.record_recv_buffer.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + buf_pos = session->internals.record_recv_buffer.length; + buf = session->internals.record_recv_buffer.data; + *iptr = buf; + + /* READ DATA - but leave RCVLOWAT bytes in the kernel buffer. + */ + if (recvdata - recvlowat > 0) { + ret = + _gnutls_read(session, &buf[buf_pos], recvdata - recvlowat, 0); - /* copy fresh data to our buffer. + /* return immediately if we got an interrupt or eagain + * error. */ - if (ret > 0) { - _gnutls_read_log("RB: Have %d bytes into buffer. Adding %d bytes.\n", session->internals.record_recv_buffer.length, ret); - _gnutls_read_log("RB: Requested %d bytes\n", sizeOfPtr); - session->internals.record_recv_buffer.length += ret; + if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { + return ret; } + } - buf_pos = session->internals.record_recv_buffer.length; - - /* This is hack in order for select to work. Just leave recvlowat data, - * into the kernel buffer (using a read with MSG_PEEK), thus making - * select think, that the socket is ready for reading. - * MSG_PEEK is only used with berkeley style sockets. - */ - if (ret == (recvdata - recvlowat) && recvlowat > 0) { - ret2 = _gnutls_read( session, &buf[buf_pos], recvlowat, MSG_PEEK); + /* copy fresh data to our buffer. + */ + if (ret > 0) { + _gnutls_read_log + ("RB: Have %d bytes into buffer. Adding %d bytes.\n", + session->internals.record_recv_buffer.length, ret); + _gnutls_read_log("RB: Requested %d bytes\n", sizeOfPtr); + session->internals.record_recv_buffer.length += ret; + } - if (ret2 < 0 && gnutls_error_is_fatal(ret2)==0) { - return ret2; - } + buf_pos = session->internals.record_recv_buffer.length; - if (ret2 > 0) { - _gnutls_read_log("RB-PEEK: Read %d bytes in PEEK MODE.\n", ret2); - _gnutls_read_log("RB-PEEK: Have %d bytes into buffer. Adding %d bytes.\nRB: Requested %d bytes\n", session->internals.record_recv_buffer.length, ret2, sizeOfPtr); - session->internals.have_peeked_data = 1; - session->internals.record_recv_buffer.length += ret2; + /* This is hack in order for select to work. Just leave recvlowat data, + * into the kernel buffer (using a read with MSG_PEEK), thus making + * select think, that the socket is ready for reading. + * MSG_PEEK is only used with berkeley style sockets. + */ + if (ret == (recvdata - recvlowat) && recvlowat > 0) { + ret2 = _gnutls_read(session, &buf[buf_pos], recvlowat, MSG_PEEK); - } + if (ret2 < 0 && gnutls_error_is_fatal(ret2) == 0) { + return ret2; } - if (ret < 0 || ret2 < 0) { - gnutls_assert(); - /* that's because they are initialized to 0 */ - return GMIN(ret, ret2); + if (ret2 > 0) { + _gnutls_read_log("RB-PEEK: Read %d bytes in PEEK MODE.\n", + ret2); + _gnutls_read_log + ("RB-PEEK: Have %d bytes into buffer. Adding %d bytes.\nRB: Requested %d bytes\n", + session->internals.record_recv_buffer.length, ret2, + sizeOfPtr); + session->internals.have_peeked_data = 1; + session->internals.record_recv_buffer.length += ret2; + } + } - ret += ret2; + if (ret < 0 || ret2 < 0) { + gnutls_assert(); + /* that's because they are initialized to 0 */ + return GMIN(ret, ret2); + } - if (ret > 0 && ret < recvlowat) { - gnutls_assert(); - return GNUTLS_E_AGAIN; - } - - if (ret==0) { /* EOF */ - gnutls_assert(); - return 0; - } + ret += ret2; - ret = session->internals.record_recv_buffer.length; + if (ret > 0 && ret < recvlowat) { + gnutls_assert(); + return GNUTLS_E_AGAIN; + } - if ((ret > 0) && ((size_t)ret < sizeOfPtr)) { - /* Short Read */ - gnutls_assert(); - return GNUTLS_E_AGAIN; - } else { - return ret; - } + if (ret == 0) { /* EOF */ + gnutls_assert(); + return 0; + } + + ret = session->internals.record_recv_buffer.length; + + if ((ret > 0) && ((size_t) ret < sizeOfPtr)) { + /* Short Read */ + gnutls_assert(); + return GNUTLS_E_AGAIN; + } else { + return ret; + } } @@ -480,48 +516,53 @@ ssize_t _gnutls_io_read_buffered( gnutls_session session, opaque **iptr, size_t * record protocol. The send buffer is kept if a send is interrupted and we need to keep * the data left to sent, in order to send them later. */ - + #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y)) inline -static int _gnutls_buffer_insert( gnutls_buffer * buffer, const opaque* _data, size_t data_size) + static int _gnutls_buffer_insert(gnutls_buffer * buffer, + const opaque * _data, + size_t data_size) { - if ( ( MEMSUB(_data, buffer->data) >= 0) && (MEMSUB(_data, buffer->data) < (ssize_t)buffer->length) ) { - /* the given _data is part of the buffer. - */ - if (data_size > buffer->length) { - gnutls_assert(); - /* this shouldn't have happened */ - return GNUTLS_E_INTERNAL_ERROR; - } - - if (_data==buffer->data) { /* then don't even memmove */ - buffer->length = data_size; - return 0; - } - - memmove( buffer->data, _data, data_size); - buffer->length = data_size; - - return 0; - + if ((MEMSUB(_data, buffer->data) >= 0) + && (MEMSUB(_data, buffer->data) < (ssize_t) buffer->length)) { + /* the given _data is part of the buffer. + */ + if (data_size > buffer->length) { + gnutls_assert(); + /* this shouldn't have happened */ + return GNUTLS_E_INTERNAL_ERROR; } - if (_gnutls_buffer_append( buffer, _data, data_size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (_data == buffer->data) { /* then don't even memmove */ + buffer->length = data_size; + return 0; } + memmove(buffer->data, _data, data_size); + buffer->length = data_size; + return 0; + + } + + if (_gnutls_buffer_append(buffer, _data, data_size) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + return 0; } inline -static int _gnutls_buffer_get( gnutls_buffer * buffer, const opaque ** ptr, size_t *ptr_size) { - *ptr_size = buffer->length; - *ptr = buffer->data; - - return 0; + static int _gnutls_buffer_get(gnutls_buffer * buffer, + const opaque ** ptr, size_t * ptr_size) +{ + *ptr_size = buffer->length; + *ptr = buffer->data; + + return 0; } @@ -536,138 +577,155 @@ static int _gnutls_buffer_get( gnutls_buffer * buffer, const opaque ** ptr, size * to decrypt and verify the integrity. * */ -ssize_t _gnutls_io_write_buffered( gnutls_session session, const void *iptr, size_t n) +ssize_t _gnutls_io_write_buffered(gnutls_session session, const void *iptr, + size_t n) { - size_t left; - uint j,x, sum=0; - ssize_t retval, i; - const opaque * ptr; - int ret; - gnutls_transport_ptr fd = session->internals.transport_send_ptr; - - /* to know where the procedure was interrupted. - */ - session->internals.direction = 1; - - ptr = iptr; + size_t left; + uint j, x, sum = 0; + ssize_t retval, i; + const opaque *ptr; + int ret; + gnutls_transport_ptr fd = session->internals.transport_send_ptr; + + /* to know where the procedure was interrupted. + */ + session->internals.direction = 1; + + ptr = iptr; + + /* In case the previous write was interrupted, check if the + * iptr != NULL and we have data in the buffer. + * If this is true then return an error. + */ + if (session->internals.record_send_buffer.length > 0 && iptr != NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* In case the previous write was interrupted, check if the - * iptr != NULL and we have data in the buffer. - * If this is true then return an error. - */ - if (session->internals.record_send_buffer.length > 0 && iptr != NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + /* If data in the buffer exist + */ + if (iptr == NULL) { + /* checking is handled above */ + ret = + _gnutls_buffer_get(&session->internals.record_send_buffer, + &ptr, &n); + if (ret < 0) { + gnutls_assert(); + return ret; } - /* If data in the buffer exist - */ - if (iptr == NULL) { - /* checking is handled above */ - ret = _gnutls_buffer_get( &session->internals.record_send_buffer, &ptr, &n); - if (ret < 0) { - gnutls_assert(); - return ret; + _gnutls_write_log + ("WRITE: Restoring old write. (%d bytes to send)\n", n); + } + + _gnutls_write_log("WRITE: Will write %d bytes to %d.\n", n, fd); + + i = 0; + left = n; + while (left > 0) { + + if (session->internals._gnutls_push_func == NULL) + i = send((int) fd, &ptr[n - left], left, 0); + else + i = session->internals._gnutls_push_func(fd, &ptr[n - left], + left); + + if (i == -1) { + if (errno == EAGAIN || errno == EINTR) { + session->internals.record_send_buffer_prev_size += + n - left; + + retval = + _gnutls_buffer_insert(&session->internals. + record_send_buffer, + &ptr[n - left], left); + if (retval < 0) { + gnutls_assert(); + return retval; } - _gnutls_write_log( "WRITE: Restoring old write. (%d bytes to send)\n", n); + _gnutls_write_log + ("WRITE: Interrupted. Stored %d bytes to buffer. Already sent %d bytes.\n", + left, n - left); + + retval = RET(errno); + + return retval; + } else { + gnutls_assert(); + return GNUTLS_E_PUSH_ERROR; + } } + left -= i; - _gnutls_write_log( "WRITE: Will write %d bytes to %d.\n", n, fd); - i = 0; - left = n; - while (left > 0) { - - if (session->internals._gnutls_push_func==NULL) - i = send( (int)fd, &ptr[n-left], left, 0); - else - i = session->internals._gnutls_push_func(fd, &ptr[n-left], left); + if (_gnutls_log_level >= 7) { + char line[128]; + char tmp[16]; - if (i == -1) { - if (errno == EAGAIN || errno == EINTR) { - session->internals.record_send_buffer_prev_size += n - left; - retval = _gnutls_buffer_insert( &session->internals.record_send_buffer, &ptr[n-left], left); - if (retval < 0) { - gnutls_assert(); - return retval; - } + _gnutls_write_log + ("WRITE: wrote %d bytes to %d. Left %d bytes. Total %d bytes.\n", + i, fd, left, n); + for (x = 0; x < (uint) ((i) / 16) + 1; x++) { + line[0] = 0; - _gnutls_write_log( "WRITE: Interrupted. Stored %d bytes to buffer. Already sent %d bytes.\n", left, n-left); + if (sum > n - left) + break; - retval = RET(errno); + sprintf(tmp, "%.4x - ", x); + _gnutls_str_cat(line, sizeof(line), tmp); - return retval; - } else { - gnutls_assert(); - return GNUTLS_E_PUSH_ERROR; - } - } - left -= i; - - - if (_gnutls_log_level >= 7) { - char line[128]; - char tmp[16]; - - - _gnutls_write_log( "WRITE: wrote %d bytes to %d. Left %d bytes. Total %d bytes.\n", i, fd, left, n); - for (x=0;x<(uint)((i)/16)+1;x++) { - line[0] = 0; - - if (sum>n-left) - break; - - sprintf( tmp, "%.4x - ",x); - _gnutls_str_cat( line, sizeof(line), tmp); - - for (j=0;j<16;j++) { - if (sum<n-left) { - sprintf( tmp, "%.2x ", ((unsigned char*)ptr)[sum++]); - _gnutls_str_cat( line, sizeof(line), tmp); - } else break; - } - _gnutls_write_log( "%s\n", line); - } + for (j = 0; j < 16; j++) { + if (sum < n - left) { + sprintf(tmp, "%.2x ", + ((unsigned char *) ptr)[sum++]); + _gnutls_str_cat(line, sizeof(line), tmp); + } else + break; } + _gnutls_write_log("%s\n", line); + } } + } - retval = n + session->internals.record_send_buffer_prev_size; + retval = n + session->internals.record_send_buffer_prev_size; - session->internals.record_send_buffer.length = 0; - session->internals.record_send_buffer_prev_size = 0; + session->internals.record_send_buffer.length = 0; + session->internals.record_send_buffer_prev_size = 0; - return retval; + return retval; } /* This is exactly like write_buffered, but will use two buffers to read * from. */ -ssize_t _gnutls_io_write_buffered2( gnutls_session session, const void *iptr, size_t n, const void* iptr2, size_t n2) +ssize_t _gnutls_io_write_buffered2(gnutls_session session, + const void *iptr, size_t n, + const void *iptr2, size_t n2) { - if (n==0) { - return _gnutls_io_write_buffered( session, iptr2, n2); - } else { - opaque* sptr; - ssize_t ret; + if (n == 0) { + return _gnutls_io_write_buffered(session, iptr2, n2); + } else { + opaque *sptr; + ssize_t ret; - sptr = gnutls_alloca( n+n2); - if (sptr==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy( sptr, iptr, n); - memcpy( &sptr[n], iptr2, n2); + sptr = gnutls_alloca(n + n2); + if (sptr == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - ret = _gnutls_io_write_buffered( session, sptr, n+n2); - gnutls_afree( sptr); + memcpy(sptr, iptr, n); + memcpy(&sptr[n], iptr2, n2); - return ret; - } + ret = _gnutls_io_write_buffered(session, sptr, n + n2); + gnutls_afree(sptr); + + return ret; + } } @@ -675,15 +733,16 @@ ssize_t _gnutls_io_write_buffered2( gnutls_session session, const void *iptr, si * TLS write buffer (ie. because the previous write was * interrupted. */ -ssize_t _gnutls_io_write_flush( gnutls_session session) +ssize_t _gnutls_io_write_flush(gnutls_session session) { ssize_t ret; if (session->internals.record_send_buffer.length == 0) - return 0; /* done */ + return 0; /* done */ - ret = _gnutls_io_write_buffered( session, NULL, 0); - _gnutls_write_log("WRITE FLUSH: %d [buffer: %d]\n", ret, session->internals.record_send_buffer.length); + ret = _gnutls_io_write_buffered(session, NULL, 0); + _gnutls_write_log("WRITE FLUSH: %d [buffer: %d]\n", ret, + session->internals.record_send_buffer.length); return ret; } @@ -692,19 +751,19 @@ ssize_t _gnutls_io_write_flush( gnutls_session session) * Handshake write buffer (ie. because the previous write was * interrupted. */ -ssize_t _gnutls_handshake_io_write_flush( gnutls_session session) +ssize_t _gnutls_handshake_io_write_flush(gnutls_session session) { ssize_t ret; - ret = _gnutls_handshake_io_send_int( session, 0, 0, NULL, 0); + ret = _gnutls_handshake_io_send_int(session, 0, 0, NULL, 0); if (ret < 0) { gnutls_assert(); - return ret; + return ret; } _gnutls_write_log("HANDSHAKE_FLUSH: written[1] %d bytes\n", ret); if (session->internals.handshake_send_buffer.length == 0) { - ret = session->internals.handshake_send_buffer_prev_size; /* done */ + ret = session->internals.handshake_send_buffer_prev_size; /* done */ session->internals.handshake_send_buffer_prev_size = 0; } @@ -715,276 +774,303 @@ ssize_t _gnutls_handshake_io_write_flush( gnutls_session session) /* This is a send function for the gnutls handshake * protocol. Just makes sure that all data have been sent. */ -ssize_t _gnutls_handshake_io_send_int( gnutls_session session, content_type_t type, HandshakeType htype, const void *iptr, size_t n) +ssize_t _gnutls_handshake_io_send_int(gnutls_session session, + content_type_t type, + HandshakeType htype, + const void *iptr, size_t n) { - size_t left; - ssize_t ret=0; - const opaque *ptr; - ssize_t retval = 0; - - ptr = iptr; - - if (session->internals.handshake_send_buffer.length > 0 && ptr==NULL && n == 0) { - /* resuming previously interrupted write - */ - gnutls_assert(); - ret = _gnutls_buffer_get( &session->internals.handshake_send_buffer, &ptr, &n); - if (ret < 0) { - gnutls_assert(); - return retval; - } + size_t left; + ssize_t ret = 0; + const opaque *ptr; + ssize_t retval = 0; - type = session->internals.handshake_send_buffer_type; - htype = session->internals.handshake_send_buffer_htype; + ptr = iptr; - } else if (session->internals.handshake_send_buffer.length > 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (session->internals.handshake_send_buffer.length > 0 && ptr == NULL + && n == 0) { + /* resuming previously interrupted write + */ + gnutls_assert(); + ret = + _gnutls_buffer_get(&session->internals.handshake_send_buffer, + &ptr, &n); + if (ret < 0) { + gnutls_assert(); + return retval; } + + type = session->internals.handshake_send_buffer_type; + htype = session->internals.handshake_send_buffer_htype; + + } else if (session->internals.handshake_send_buffer.length > 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } #ifdef WRITE_DEBUG - else { - size_t sum=0, x, j; - - _gnutls_write_log( "HWRITE: will write %d bytes to %d.\n", n, gnutls_transport_get_ptr(session)); - for (x=0;x<((n)/16)+1;x++) { - if (sum>n) - break; - - _gnutls_write_log( "%.4x - ",x); - for (j=0;j<16;j++) { - if (sum<n) { - _gnutls_write_log( "%.2x ", ((unsigned char*)ptr)[sum++]); - } else break; - } - _gnutls_write_log( "\n"); - } - _gnutls_write_log( "\n"); + else { + size_t sum = 0, x, j; + + _gnutls_write_log("HWRITE: will write %d bytes to %d.\n", n, + gnutls_transport_get_ptr(session)); + for (x = 0; x < ((n) / 16) + 1; x++) { + if (sum > n) + break; + + _gnutls_write_log("%.4x - ", x); + for (j = 0; j < 16; j++) { + if (sum < n) { + _gnutls_write_log("%.2x ", + ((unsigned char *) ptr)[sum++]); + } else + break; + } + _gnutls_write_log("\n"); } + _gnutls_write_log("\n"); + } #endif - if (n==0) { /* if we have no data to send */ - gnutls_assert(); - return 0; - } else if (ptr==NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - + if (n == 0) { /* if we have no data to send */ + gnutls_assert(); + return 0; + } else if (ptr == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - left = n; - while (left > 0) { - ret = _gnutls_send_int( session, type, htype, &ptr[n-left], left); - if (ret <= 0) { - if (ret==0) { - gnutls_assert(); - ret = GNUTLS_E_INTERNAL_ERROR; - } + left = n; + while (left > 0) { + ret = _gnutls_send_int(session, type, htype, &ptr[n - left], left); - if ( left > 0 && (ret==GNUTLS_E_INTERRUPTED || ret==GNUTLS_E_AGAIN)) { - gnutls_assert(); + if (ret <= 0) { + if (ret == 0) { + gnutls_assert(); + ret = GNUTLS_E_INTERNAL_ERROR; + } - retval = _gnutls_buffer_insert( &session->internals.handshake_send_buffer, &ptr[n-left], left); - if (retval < 0) { - gnutls_assert(); - return retval; - } + if (left > 0 + && (ret == GNUTLS_E_INTERRUPTED + || ret == GNUTLS_E_AGAIN)) { + gnutls_assert(); - session->internals.handshake_send_buffer_prev_size += n-left; + retval = + _gnutls_buffer_insert(&session->internals. + handshake_send_buffer, + &ptr[n - left], left); + if (retval < 0) { + gnutls_assert(); + return retval; + } - session->internals.handshake_send_buffer_type = type; - session->internals.handshake_send_buffer_htype = htype; + session->internals.handshake_send_buffer_prev_size += + n - left; - } else { - session->internals.handshake_send_buffer_prev_size = 0; - session->internals.handshake_send_buffer.length = 0; - } + session->internals.handshake_send_buffer_type = type; + session->internals.handshake_send_buffer_htype = htype; - gnutls_assert(); - return ret; - } - left -= ret; + } else { + session->internals.handshake_send_buffer_prev_size = 0; + session->internals.handshake_send_buffer.length = 0; + } + + gnutls_assert(); + return ret; } + left -= ret; + } - retval = n + session->internals.handshake_send_buffer_prev_size; + retval = n + session->internals.handshake_send_buffer_prev_size; - session->internals.handshake_send_buffer.length = 0; - session->internals.handshake_send_buffer_prev_size = 0; + session->internals.handshake_send_buffer.length = 0; + session->internals.handshake_send_buffer_prev_size = 0; - return retval; + return retval; } /* This is a receive function for the gnutls handshake * protocol. Makes sure that we have received all data. */ -ssize_t _gnutls_handshake_io_recv_int( gnutls_session session, - content_type_t type, HandshakeType htype, void *iptr, size_t sizeOfPtr) +ssize_t _gnutls_handshake_io_recv_int(gnutls_session session, + content_type_t type, + HandshakeType htype, void *iptr, + size_t sizeOfPtr) { - size_t left; - ssize_t i; - opaque *ptr; - size_t dsize; - - ptr = iptr; - left = sizeOfPtr; - - if (sizeOfPtr == 0 || iptr == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + size_t left; + ssize_t i; + opaque *ptr; + size_t dsize; + + ptr = iptr; + left = sizeOfPtr; + + if (sizeOfPtr == 0 || iptr == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (session->internals.handshake_recv_buffer.length > 0) { + /* if we have already received some data */ + if (sizeOfPtr <= session->internals.handshake_recv_buffer.length) { + /* if requested less data then return it. + */ + gnutls_assert(); + memcpy(iptr, session->internals.handshake_recv_buffer.data, + sizeOfPtr); + + session->internals.handshake_recv_buffer.length -= sizeOfPtr; + + memmove(session->internals.handshake_recv_buffer.data, + &session->internals.handshake_recv_buffer. + data[sizeOfPtr], + session->internals.handshake_recv_buffer.length); + + return sizeOfPtr; } + gnutls_assert(); + memcpy(iptr, session->internals.handshake_recv_buffer.data, + session->internals.handshake_recv_buffer.length); - if (session->internals.handshake_recv_buffer.length > 0) { - /* if we have already received some data */ - if (sizeOfPtr <= session->internals.handshake_recv_buffer.length) { - /* if requested less data then return it. - */ - gnutls_assert(); - memcpy( iptr, session->internals.handshake_recv_buffer.data, sizeOfPtr); - - session->internals.handshake_recv_buffer.length -= sizeOfPtr; - - memmove( session->internals.handshake_recv_buffer.data, - &session->internals.handshake_recv_buffer.data[sizeOfPtr], - session->internals.handshake_recv_buffer.length); - - return sizeOfPtr; - } + htype = session->internals.handshake_recv_buffer_htype; + type = session->internals.handshake_recv_buffer_type; + + left -= session->internals.handshake_recv_buffer.length; + + session->internals.handshake_recv_buffer.length = 0; + } + + while (left > 0) { + dsize = sizeOfPtr - left; + i = _gnutls_recv_int(session, type, htype, &ptr[dsize], left); + if (i < 0) { + + if (dsize > 0 + && (i == GNUTLS_E_INTERRUPTED || i == GNUTLS_E_AGAIN)) { gnutls_assert(); - memcpy( iptr, session->internals.handshake_recv_buffer.data, session->internals.handshake_recv_buffer.length); - htype = session->internals.handshake_recv_buffer_htype; - type = session->internals.handshake_recv_buffer_type; + session->internals.handshake_recv_buffer.data = + gnutls_realloc_fast(session->internals. + handshake_recv_buffer.data, dsize); + if (session->internals.handshake_recv_buffer.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + memcpy(session->internals.handshake_recv_buffer.data, iptr, + dsize); - left -= session->internals.handshake_recv_buffer.length; + session->internals.handshake_recv_buffer_htype = htype; + session->internals.handshake_recv_buffer_type = type; + session->internals.handshake_recv_buffer.length = dsize; + } else session->internals.handshake_recv_buffer.length = 0; - } - - while (left > 0) { - dsize = sizeOfPtr - left; - i = _gnutls_recv_int( session, type, htype, &ptr[dsize], left); - if (i < 0) { - - if (dsize > 0 && (i==GNUTLS_E_INTERRUPTED || i==GNUTLS_E_AGAIN)) { - gnutls_assert(); - - session->internals.handshake_recv_buffer.data = gnutls_realloc_fast( - session->internals.handshake_recv_buffer.data, dsize); - if (session->internals.handshake_recv_buffer.data==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy( session->internals.handshake_recv_buffer.data, iptr, dsize); - - session->internals.handshake_recv_buffer_htype = htype; - session->internals.handshake_recv_buffer_type = type; - - session->internals.handshake_recv_buffer.length = dsize; - } else - session->internals.handshake_recv_buffer.length = 0; - - gnutls_assert(); - - return i; - } else { - if (i == 0) - break; /* EOF */ - } - left -= i; + gnutls_assert(); + return i; + } else { + if (i == 0) + break; /* EOF */ } - session->internals.handshake_recv_buffer.length = 0; + left -= i; + + } + + session->internals.handshake_recv_buffer.length = 0; - return sizeOfPtr - left; + return sizeOfPtr - left; } /* Buffer for handshake packets. Keeps the packets in order * for finished messages to use them. Used in HMAC calculation * and finished messages. */ -int _gnutls_handshake_buffer_put( gnutls_session session, opaque *data, size_t length) +int _gnutls_handshake_buffer_put(gnutls_session session, opaque * data, + size_t length) { - if (length==0) return 0; + if (length == 0) + return 0; - if ( (session->internals.max_handshake_data_buffer_size > 0) && - ((length+session->internals.handshake_hash_buffer.length) > - session->internals.max_handshake_data_buffer_size)) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - _gnutls_buffers_log( "BUF[HSK]: Inserted %d bytes of Data\n", length); + if ((session->internals.max_handshake_data_buffer_size > 0) && + ((length + session->internals.handshake_hash_buffer.length) > + session->internals.max_handshake_data_buffer_size)) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - if ( _gnutls_buffer_append( &session->internals.handshake_hash_buffer, - data, length) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + _gnutls_buffers_log("BUF[HSK]: Inserted %d bytes of Data\n", length); - return 0; + if (_gnutls_buffer_append(&session->internals.handshake_hash_buffer, + data, length) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + return 0; } -int _gnutls_handshake_buffer_get_size( gnutls_session session) +int _gnutls_handshake_buffer_get_size(gnutls_session session) { - return session->internals.handshake_hash_buffer.length; + return session->internals.handshake_hash_buffer.length; } /* this function does not touch the buffer * and returns data from it (peek mode!) */ -int _gnutls_handshake_buffer_peek( gnutls_session session, opaque *data, size_t length) +int _gnutls_handshake_buffer_peek(gnutls_session session, opaque * data, + size_t length) { - if (length > session->internals.handshake_hash_buffer.length) { - length = session->internals.handshake_hash_buffer.length; - } + if (length > session->internals.handshake_hash_buffer.length) { + length = session->internals.handshake_hash_buffer.length; + } - _gnutls_buffers_log( "BUF[HSK]: Peeked %d bytes of Data\n", length); + _gnutls_buffers_log("BUF[HSK]: Peeked %d bytes of Data\n", length); - memcpy(data, session->internals.handshake_hash_buffer.data, length); - return length; + memcpy(data, session->internals.handshake_hash_buffer.data, length); + return length; } /* this function does not touch the buffer * and returns data from it (peek mode!) */ -int _gnutls_handshake_buffer_get_ptr( gnutls_session session, opaque **data_ptr, size_t *length) +int _gnutls_handshake_buffer_get_ptr(gnutls_session session, + opaque ** data_ptr, size_t * length) { - if (length!=NULL) - *length = session->internals.handshake_hash_buffer.length; + if (length != NULL) + *length = session->internals.handshake_hash_buffer.length; - _gnutls_buffers_log( "BUF[HSK]: Peeked %d bytes of Data\n", *length); + _gnutls_buffers_log("BUF[HSK]: Peeked %d bytes of Data\n", *length); - if (data_ptr!=NULL) - *data_ptr = session->internals.handshake_hash_buffer.data; + if (data_ptr != NULL) + *data_ptr = session->internals.handshake_hash_buffer.data; - return 0; + return 0; } /* Does not free the buffer */ -int _gnutls_handshake_buffer_empty( gnutls_session session) +int _gnutls_handshake_buffer_empty(gnutls_session session) { - _gnutls_buffers_log( "BUF[HSK]: Emptied buffer\n"); + _gnutls_buffers_log("BUF[HSK]: Emptied buffer\n"); - session->internals.handshake_hash_buffer.length = 0; - - return 0; + session->internals.handshake_hash_buffer.length = 0; + + return 0; } -int _gnutls_handshake_buffer_clear( gnutls_session session) +int _gnutls_handshake_buffer_clear(gnutls_session session) { - _gnutls_buffers_log( "BUF[HSK]: Cleared Data from buffer\n"); + _gnutls_buffers_log("BUF[HSK]: Cleared Data from buffer\n"); - _gnutls_buffer_clear( &session->internals.handshake_hash_buffer); - - return 0; + _gnutls_buffer_clear(&session->internals.handshake_hash_buffer); + + return 0; } diff --git a/lib/gnutls_buffers.h b/lib/gnutls_buffers.h index 8552377971..b858d10860 100644 --- a/lib/gnutls_buffers.h +++ b/lib/gnutls_buffers.h @@ -18,33 +18,42 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -int _gnutls_record_buffer_put(content_type_t type, gnutls_session session, opaque *data, size_t length); -int _gnutls_record_buffer_get_size(content_type_t type, gnutls_session session); -int _gnutls_record_buffer_get(content_type_t type, gnutls_session session, opaque *data, size_t length); -ssize_t _gnutls_io_read_buffered( gnutls_session, opaque **iptr, size_t n, content_type_t); -void _gnutls_io_clear_read_buffer( gnutls_session); -int _gnutls_io_clear_peeked_data( gnutls_session session); +int _gnutls_record_buffer_put(content_type_t type, gnutls_session session, + opaque * data, size_t length); +int _gnutls_record_buffer_get_size(content_type_t type, + gnutls_session session); +int _gnutls_record_buffer_get(content_type_t type, gnutls_session session, + opaque * data, size_t length); +ssize_t _gnutls_io_read_buffered(gnutls_session, opaque ** iptr, size_t n, + content_type_t); +void _gnutls_io_clear_read_buffer(gnutls_session); +int _gnutls_io_clear_peeked_data(gnutls_session session); -ssize_t _gnutls_io_write_buffered( gnutls_session, const void *iptr, size_t n ); -ssize_t _gnutls_io_write_buffered2( gnutls_session, const void *iptr, size_t n, - const void* iptr2, size_t n2); +ssize_t _gnutls_io_write_buffered(gnutls_session, const void *iptr, + size_t n); +ssize_t _gnutls_io_write_buffered2(gnutls_session, const void *iptr, + size_t n, const void *iptr2, size_t n2); -int _gnutls_handshake_buffer_get_size( gnutls_session session); -int _gnutls_handshake_buffer_peek( gnutls_session session, opaque *data, size_t length); -int _gnutls_handshake_buffer_put( gnutls_session session, opaque *data, size_t length); -int _gnutls_handshake_buffer_clear( gnutls_session session); -int _gnutls_handshake_buffer_empty( gnutls_session session); -int _gnutls_handshake_buffer_get_ptr( gnutls_session session, opaque **data_ptr, size_t *length); +int _gnutls_handshake_buffer_get_size(gnutls_session session); +int _gnutls_handshake_buffer_peek(gnutls_session session, opaque * data, + size_t length); +int _gnutls_handshake_buffer_put(gnutls_session session, opaque * data, + size_t length); +int _gnutls_handshake_buffer_clear(gnutls_session session); +int _gnutls_handshake_buffer_empty(gnutls_session session); +int _gnutls_handshake_buffer_get_ptr(gnutls_session session, + opaque ** data_ptr, size_t * length); #define _gnutls_handshake_io_buffer_clear( session) \ _gnutls_buffer_clear( &session->internals.handshake_send_buffer); \ _gnutls_buffer_clear( &session->internals.handshake_recv_buffer); \ session->internals.handshake_send_buffer_prev_size = 0 -ssize_t _gnutls_handshake_io_recv_int( gnutls_session, content_type_t, HandshakeType, void *, size_t); -ssize_t _gnutls_handshake_io_send_int( gnutls_session, content_type_t, HandshakeType, const void *, size_t); -ssize_t _gnutls_io_write_flush( gnutls_session session); -ssize_t _gnutls_handshake_io_write_flush( gnutls_session session); +ssize_t _gnutls_handshake_io_recv_int(gnutls_session, content_type_t, + HandshakeType, void *, size_t); +ssize_t _gnutls_handshake_io_send_int(gnutls_session, content_type_t, + HandshakeType, const void *, size_t); +ssize_t _gnutls_io_write_flush(gnutls_session session); +ssize_t _gnutls_handshake_io_write_flush(gnutls_session session); size_t gnutls_record_check_pending(gnutls_session session); - diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index ead9d09363..b2a9a942fe 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -56,29 +56,29 @@ void gnutls_certificate_free_crls(gnutls_certificate_credentials sc); **/ void gnutls_certificate_free_keys(gnutls_certificate_credentials sc) { - uint i, j; + uint i, j; - for (i = 0; i < sc->ncerts; i++) { - for (j = 0; j < sc->cert_list_length[i]; j++) { - _gnutls_gcert_deinit( &sc->cert_list[i][j]); - } - gnutls_free( sc->cert_list[i]); + for (i = 0; i < sc->ncerts; i++) { + for (j = 0; j < sc->cert_list_length[i]; j++) { + _gnutls_gcert_deinit(&sc->cert_list[i][j]); } + gnutls_free(sc->cert_list[i]); + } - gnutls_free(sc->cert_list_length); - sc->cert_list_length = NULL; + gnutls_free(sc->cert_list_length); + sc->cert_list_length = NULL; - gnutls_free(sc->cert_list); - sc->cert_list = NULL; + gnutls_free(sc->cert_list); + sc->cert_list = NULL; - for (i = 0; i < sc->ncerts; i++) { - _gnutls_gkey_deinit( &sc->pkey[i]); - } + for (i = 0; i < sc->ncerts; i++) { + _gnutls_gkey_deinit(&sc->pkey[i]); + } + + gnutls_free(sc->pkey); + sc->pkey = NULL; - gnutls_free( sc->pkey); - sc->pkey = NULL; - - sc->ncerts = 0; + sc->ncerts = 0; } @@ -94,16 +94,16 @@ void gnutls_certificate_free_keys(gnutls_certificate_credentials sc) **/ void gnutls_certificate_free_cas(gnutls_certificate_credentials sc) { - uint j; + uint j; + + for (j = 0; j < sc->x509_ncas; j++) { + gnutls_x509_crt_deinit(sc->x509_ca_list[j]); + } - for (j = 0; j < sc->x509_ncas; j++) { - gnutls_x509_crt_deinit( sc->x509_ca_list[j]); - } - - sc->x509_ncas = 0; + sc->x509_ncas = 0; - gnutls_free( sc->x509_ca_list); - sc->x509_ca_list = NULL; + gnutls_free(sc->x509_ca_list); + sc->x509_ca_list = NULL; } @@ -121,7 +121,7 @@ void gnutls_certificate_free_cas(gnutls_certificate_credentials sc) **/ void gnutls_certificate_free_ca_names(gnutls_certificate_credentials sc) { - _gnutls_free_datum( &sc->x509_rdn_sequence); + _gnutls_free_datum(&sc->x509_rdn_sequence); } /*- @@ -133,27 +133,29 @@ void gnutls_certificate_free_ca_names(gnutls_certificate_credentials sc) * calls would not examine the credentials (or call a callback). * -*/ -gnutls_dh_params _gnutls_certificate_get_dh_params(const gnutls_certificate_credentials sc, - gnutls_session session) +gnutls_dh_params _gnutls_certificate_get_dh_params(const + gnutls_certificate_credentials + sc, + gnutls_session session) { -gnutls_params_st params; -int ret; + gnutls_params_st params; + int ret; - if (session->internals.params.cert_dh_params) { - return session->internals.params.cert_dh_params; + if (session->internals.params.cert_dh_params) { + return session->internals.params.cert_dh_params; + } + + if (sc->dh_params) { + session->internals.params.cert_dh_params = sc->dh_params; + } else if (sc->params_func) { + ret = sc->params_func(session, GNUTLS_PARAMS_DH, ¶ms); + if (ret == 0 && params.type == GNUTLS_PARAMS_DH) { + session->internals.params.cert_dh_params = params.params.dh; + session->internals.params.free_cert_dh_params = params.deinit; } + } - if (sc->dh_params) { - session->internals.params.cert_dh_params = sc->dh_params; - } else if (sc->params_func) { - ret = sc->params_func( session, GNUTLS_PARAMS_DH, ¶ms); - if (ret == 0 && params.type == GNUTLS_PARAMS_DH) { - session->internals.params.cert_dh_params = params.params.dh; - session->internals.params.free_cert_dh_params = params.deinit; - } - } - - return session->internals.params.cert_dh_params; + return session->internals.params.cert_dh_params; } /*- @@ -163,27 +165,31 @@ int ret; * This function will return the rsa parameters pointer. * -*/ -gnutls_rsa_params _gnutls_certificate_get_rsa_params(const gnutls_certificate_credentials sc, - gnutls_session session) +gnutls_rsa_params _gnutls_certificate_get_rsa_params(const + gnutls_certificate_credentials + sc, + gnutls_session + session) { -gnutls_params_st params; -int ret; + gnutls_params_st params; + int ret; - if (session->internals.params.rsa_params) { - return session->internals.params.rsa_params; + if (session->internals.params.rsa_params) { + return session->internals.params.rsa_params; + } + + if (sc->rsa_params) { + session->internals.params.rsa_params = sc->rsa_params; + } else if (sc->params_func) { + ret = sc->params_func(session, GNUTLS_PARAMS_RSA_EXPORT, ¶ms); + if (ret == 0 && params.type == GNUTLS_PARAMS_RSA_EXPORT) { + session->internals.params.rsa_params = + params.params.rsa_export; + session->internals.params.free_rsa_params = params.deinit; } + } - if (sc->rsa_params) { - session->internals.params.rsa_params = sc->rsa_params; - } else if (sc->params_func) { - ret = sc->params_func( session, GNUTLS_PARAMS_RSA_EXPORT, ¶ms); - if (ret == 0 && params.type == GNUTLS_PARAMS_RSA_EXPORT) { - session->internals.params.rsa_params = params.params.rsa_export; - session->internals.params.free_rsa_params = params.deinit; - } - } - - return session->internals.params.rsa_params; + return session->internals.params.rsa_params; } @@ -200,15 +206,15 @@ int ret; **/ void gnutls_certificate_free_credentials(gnutls_certificate_credentials sc) { - gnutls_certificate_free_keys( sc); - gnutls_certificate_free_cas( sc); + gnutls_certificate_free_keys(sc); + gnutls_certificate_free_cas(sc); #ifdef ENABLE_PKI - gnutls_certificate_free_crls( sc); + gnutls_certificate_free_crls(sc); #endif - _gnutls_free_datum( &sc->keyring); + _gnutls_free_datum(&sc->keyring); - gnutls_free( sc); + gnutls_free(sc); } @@ -221,14 +227,15 @@ void gnutls_certificate_free_credentials(gnutls_certificate_credentials sc) * * Returns 0 on success. **/ -int gnutls_certificate_allocate_credentials(gnutls_certificate_credentials * res) +int gnutls_certificate_allocate_credentials(gnutls_certificate_credentials + * res) { - *res = gnutls_calloc(1, sizeof(certificate_credentials_st)); + *res = gnutls_calloc(1, sizeof(certificate_credentials_st)); - if (*res == NULL) - return GNUTLS_E_MEMORY_ERROR; + if (*res == NULL) + return GNUTLS_E_MEMORY_ERROR; - return 0; + return 0; } @@ -238,49 +245,50 @@ int gnutls_certificate_allocate_credentials(gnutls_certificate_credentials * res * This function also uses the KeyUsage field of the certificate * extensions in order to disable unneded algorithms. */ -int _gnutls_selected_cert_supported_kx( gnutls_session session, gnutls_kx_algorithm ** alg, - int *alg_size) +int _gnutls_selected_cert_supported_kx(gnutls_session session, + gnutls_kx_algorithm ** alg, + int *alg_size) { - gnutls_kx_algorithm kx; - gnutls_pk_algorithm pk; - gnutls_kx_algorithm kxlist[MAX_ALGOS]; - gnutls_cert * cert; - int i; - - if (session->internals.selected_cert_list_length == 0) { - *alg_size = 0; - *alg = NULL; - return 0; - } - - cert = &session->internals.selected_cert_list[0]; - i = 0; - - for (kx = 0; kx < MAX_ALGOS; kx++) { - pk = _gnutls_map_pk_get_pk(kx); - if (pk == cert->subject_pk_algorithm) { - /* then check key usage */ - if (_gnutls_check_key_usage(cert, kx) == 0) { - kxlist[i] = kx; - i++; - } - } + gnutls_kx_algorithm kx; + gnutls_pk_algorithm pk; + gnutls_kx_algorithm kxlist[MAX_ALGOS]; + gnutls_cert *cert; + int i; + + if (session->internals.selected_cert_list_length == 0) { + *alg_size = 0; + *alg = NULL; + return 0; + } + + cert = &session->internals.selected_cert_list[0]; + i = 0; + + for (kx = 0; kx < MAX_ALGOS; kx++) { + pk = _gnutls_map_pk_get_pk(kx); + if (pk == cert->subject_pk_algorithm) { + /* then check key usage */ + if (_gnutls_check_key_usage(cert, kx) == 0) { + kxlist[i] = kx; + i++; + } } + } - if (i==0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (i == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - *alg = gnutls_calloc(1, sizeof(gnutls_kx_algorithm) * i); - if (*alg == NULL) - return GNUTLS_E_MEMORY_ERROR; + *alg = gnutls_calloc(1, sizeof(gnutls_kx_algorithm) * i); + if (*alg == NULL) + return GNUTLS_E_MEMORY_ERROR; - *alg_size = i; + *alg_size = i; - memcpy(*alg, kxlist, i * sizeof(gnutls_kx_algorithm)); + memcpy(*alg, kxlist, i * sizeof(gnutls_kx_algorithm)); - return 0; + return 0; } @@ -297,9 +305,9 @@ int _gnutls_selected_cert_supported_kx( gnutls_session session, gnutls_kx_algori * send a certificate. **/ void gnutls_certificate_server_set_request(gnutls_session session, - gnutls_certificate_request req) + gnutls_certificate_request req) { - session->internals.send_cert_req = req; + session->internals.send_cert_req = req; } /** @@ -332,10 +340,10 @@ void gnutls_certificate_server_set_request(gnutls_session session, * should be set to zero. The value (-1) indicates error and the handshake * will be terminated. **/ -void gnutls_certificate_client_set_retrieve_function(gnutls_certificate_credentials cred, - gnutls_certificate_client_retrieve_function * func) -{ - cred->client_get_cert_callback = func; +void gnutls_certificate_client_set_retrieve_function + (gnutls_certificate_credentials cred, + gnutls_certificate_client_retrieve_function * func) { + cred->client_get_cert_callback = func; } /** @@ -358,18 +366,20 @@ void gnutls_certificate_client_set_retrieve_function(gnutls_certificate_credenti * return 0 on success. The value (-1) indicates error and the handshake * will be terminated. **/ -void gnutls_certificate_server_set_retrieve_function(gnutls_certificate_credentials cred, - gnutls_certificate_server_retrieve_function * func) -{ - cred->server_get_cert_callback = func; +void gnutls_certificate_server_set_retrieve_function + (gnutls_certificate_credentials cred, + gnutls_certificate_server_retrieve_function * func) { + cred->server_get_cert_callback = func; } /* These are set by the gnutls_extra library's initialization function. */ -OPENPGP_KEY_CREATION_TIME_FUNC _E_gnutls_openpgp_get_raw_key_creation_time = NULL; -OPENPGP_KEY_EXPIRATION_TIME_FUNC _E_gnutls_openpgp_get_raw_key_expiration_time = NULL; +OPENPGP_KEY_CREATION_TIME_FUNC _E_gnutls_openpgp_get_raw_key_creation_time + = NULL; +OPENPGP_KEY_EXPIRATION_TIME_FUNC + _E_gnutls_openpgp_get_raw_key_expiration_time = NULL; OPENPGP_VERIFY_KEY_FUNC _E_gnutls_openpgp_verify_key = NULL; /*- @@ -382,52 +392,54 @@ OPENPGP_VERIFY_KEY_FUNC _E_gnutls_openpgp_verify_key = NULL; -*/ int _gnutls_openpgp_cert_verify_peers(gnutls_session session) { - cert_auth_info_t info; - const gnutls_certificate_credentials cred; - int verify; - int peer_certificate_list_size; - - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INVALID_REQUEST; - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - /* generate a list of gnutls_certs based on the auth info - * raw certs. - */ - peer_certificate_list_size = info->ncerts; - - if (peer_certificate_list_size != 1) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* Verify certificate - */ - if (_E_gnutls_openpgp_verify_key==NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; - } - verify = _E_gnutls_openpgp_verify_key( cred->pgp_trustdb, &cred->keyring, &info->raw_certificate_list[0], - peer_certificate_list_size); - - if (verify < 0) { - gnutls_assert(); - } - - return verify; + cert_auth_info_t info; + const gnutls_certificate_credentials cred; + int verify; + int peer_certificate_list_size; + + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INVALID_REQUEST; + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + /* generate a list of gnutls_certs based on the auth info + * raw certs. + */ + peer_certificate_list_size = info->ncerts; + + if (peer_certificate_list_size != 1) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* Verify certificate + */ + if (_E_gnutls_openpgp_verify_key == NULL) { + gnutls_assert(); + return GNUTLS_E_INIT_LIBEXTRA; + } + verify = + _E_gnutls_openpgp_verify_key(cred->pgp_trustdb, &cred->keyring, + &info->raw_certificate_list[0], + peer_certificate_list_size); + + if (verify < 0) { + gnutls_assert(); + } + + return verify; } /** @@ -446,26 +458,26 @@ int _gnutls_openpgp_cert_verify_peers(gnutls_session session) **/ int gnutls_certificate_verify_peers(gnutls_session session) { - cert_auth_info_t info; - - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(session); - if (info == NULL) { - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) - return GNUTLS_E_NO_CERTIFICATE_FOUND; - - switch( gnutls_certificate_type_get( session)) { - case GNUTLS_CRT_X509: - return _gnutls_x509_cert_verify_peers( session); - case GNUTLS_CRT_OPENPGP: - return _gnutls_openpgp_cert_verify_peers( session); - default: - return GNUTLS_E_INVALID_REQUEST; - } + cert_auth_info_t info; + + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(session); + if (info == NULL) { + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; + + switch (gnutls_certificate_type_get(session)) { + case GNUTLS_CRT_X509: + return _gnutls_x509_cert_verify_peers(session); + case GNUTLS_CRT_OPENPGP: + return _gnutls_openpgp_cert_verify_peers(session); + default: + return GNUTLS_E_INVALID_REQUEST; + } } /** @@ -479,32 +491,34 @@ int gnutls_certificate_verify_peers(gnutls_session session) **/ time_t gnutls_certificate_expiration_time_peers(gnutls_session session) { - cert_auth_info_t info; - - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(session); - if (info == NULL) { - return (time_t) -1; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) { - gnutls_assert(); - return (time_t) -1; - } - - switch( gnutls_certificate_type_get( session)) { - case GNUTLS_CRT_X509: - return _gnutls_x509_get_raw_crt_expiration_time( - &info->raw_certificate_list[0]); - case GNUTLS_CRT_OPENPGP: - if (_E_gnutls_openpgp_get_raw_key_expiration_time==NULL) - return (time_t)-1; - return _E_gnutls_openpgp_get_raw_key_expiration_time( - &info->raw_certificate_list[0]); - default: - return (time_t)-1; - } + cert_auth_info_t info; + + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(session); + if (info == NULL) { + return (time_t) - 1; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) { + gnutls_assert(); + return (time_t) - 1; + } + + switch (gnutls_certificate_type_get(session)) { + case GNUTLS_CRT_X509: + return _gnutls_x509_get_raw_crt_expiration_time(&info-> + raw_certificate_list + [0]); + case GNUTLS_CRT_OPENPGP: + if (_E_gnutls_openpgp_get_raw_key_expiration_time == NULL) + return (time_t) - 1; + return _E_gnutls_openpgp_get_raw_key_expiration_time(&info-> + raw_certificate_list + [0]); + default: + return (time_t) - 1; + } } /** @@ -519,76 +533,77 @@ time_t gnutls_certificate_expiration_time_peers(gnutls_session session) **/ time_t gnutls_certificate_activation_time_peers(gnutls_session session) { - cert_auth_info_t info; - - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(session); - if (info == NULL) { - return (time_t) -1; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) { - gnutls_assert(); - return (time_t) -1; - } - - switch( gnutls_certificate_type_get( session)) { - case GNUTLS_CRT_X509: - return _gnutls_x509_get_raw_crt_activation_time( - &info->raw_certificate_list[0]); - case GNUTLS_CRT_OPENPGP: - if (_E_gnutls_openpgp_get_raw_key_creation_time==NULL) - return (time_t)-1; - return _E_gnutls_openpgp_get_raw_key_creation_time( - &info->raw_certificate_list[0]); - default: - return (time_t)-1; - } + cert_auth_info_t info; + + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(session); + if (info == NULL) { + return (time_t) - 1; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) { + gnutls_assert(); + return (time_t) - 1; + } + + switch (gnutls_certificate_type_get(session)) { + case GNUTLS_CRT_X509: + return _gnutls_x509_get_raw_crt_activation_time(&info-> + raw_certificate_list + [0]); + case GNUTLS_CRT_OPENPGP: + if (_E_gnutls_openpgp_get_raw_key_creation_time == NULL) + return (time_t) - 1; + return _E_gnutls_openpgp_get_raw_key_creation_time(&info-> + raw_certificate_list + [0]); + default: + return (time_t) - 1; + } } OPENPGP_RAW_KEY_TO_GCERT _E_gnutls_openpgp_raw_key_to_gcert; OPENPGP_RAW_PRIVKEY_TO_GKEY _E_gnutls_openpgp_raw_privkey_to_gkey; -int _gnutls_raw_cert_to_gcert(gnutls_cert * gcert, gnutls_certificate_type type, - const gnutls_datum *raw_cert, int flags /* OR of ConvFlags */) +int _gnutls_raw_cert_to_gcert(gnutls_cert * gcert, + gnutls_certificate_type type, + const gnutls_datum * raw_cert, + int flags /* OR of ConvFlags */ ) { - switch( type) { - case GNUTLS_CRT_X509: - return _gnutls_x509_raw_cert_to_gcert( gcert, - raw_cert, flags); - case GNUTLS_CRT_OPENPGP: - if (_E_gnutls_openpgp_raw_key_to_gcert==NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; - } - return - _E_gnutls_openpgp_raw_key_to_gcert( gcert, - raw_cert); - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + switch (type) { + case GNUTLS_CRT_X509: + return _gnutls_x509_raw_cert_to_gcert(gcert, raw_cert, flags); + case GNUTLS_CRT_OPENPGP: + if (_E_gnutls_openpgp_raw_key_to_gcert == NULL) { + gnutls_assert(); + return GNUTLS_E_INIT_LIBEXTRA; } + return _E_gnutls_openpgp_raw_key_to_gcert(gcert, raw_cert); + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } } -int _gnutls_raw_privkey_to_gkey(gnutls_privkey * key, gnutls_certificate_type type, - const gnutls_datum *raw_key, int key_enc /* DER or PEM */) +int _gnutls_raw_privkey_to_gkey(gnutls_privkey * key, + gnutls_certificate_type type, + const gnutls_datum * raw_key, + int key_enc /* DER or PEM */ ) { - switch( type) { - case GNUTLS_CRT_X509: - return _gnutls_x509_raw_privkey_to_gkey( key, - raw_key, key_enc); - case GNUTLS_CRT_OPENPGP: - if (_E_gnutls_openpgp_raw_privkey_to_gkey==NULL) { - gnutls_assert(); - return GNUTLS_E_INIT_LIBEXTRA; - } - return - _E_gnutls_openpgp_raw_privkey_to_gkey( key, raw_key); - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + switch (type) { + case GNUTLS_CRT_X509: + return _gnutls_x509_raw_privkey_to_gkey(key, raw_key, key_enc); + case GNUTLS_CRT_OPENPGP: + if (_E_gnutls_openpgp_raw_privkey_to_gkey == NULL) { + gnutls_assert(); + return GNUTLS_E_INIT_LIBEXTRA; } + return _E_gnutls_openpgp_raw_privkey_to_gkey(key, raw_key); + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } } @@ -601,113 +616,121 @@ int _gnutls_raw_privkey_to_gkey(gnutls_privkey * key, gnutls_certificate_type ty * extensions found in the certificate are unsupported and critical. * The critical extensions will be catched by the verification functions. */ -int _gnutls_x509_raw_cert_to_gcert(gnutls_cert * gcert, const gnutls_datum *derCert, - int flags /* OR of ConvFlags */) +int _gnutls_x509_raw_cert_to_gcert(gnutls_cert * gcert, + const gnutls_datum * derCert, + int flags /* OR of ConvFlags */ ) { - int ret; - gnutls_x509_crt cert; - - ret = gnutls_x509_crt_init( &cert); - if ( ret < 0) { - gnutls_assert(); - return ret; - } + int ret; + gnutls_x509_crt cert; - ret = gnutls_x509_crt_import( cert, derCert, GNUTLS_X509_FMT_DER); - if ( ret < 0) { - gnutls_assert(); - gnutls_x509_crt_deinit( cert); - return ret; - } - - ret = _gnutls_x509_crt_to_gcert( gcert, cert, flags); - gnutls_x509_crt_deinit( cert); - + ret = gnutls_x509_crt_init(&cert); + if (ret < 0) { + gnutls_assert(); return ret; + } + + ret = gnutls_x509_crt_import(cert, derCert, GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_crt_deinit(cert); + return ret; + } + + ret = _gnutls_x509_crt_to_gcert(gcert, cert, flags); + gnutls_x509_crt_deinit(cert); + + return ret; } /* Like above but it accepts a parsed certificate instead. */ int _gnutls_x509_crt_to_gcert(gnutls_cert * gcert, gnutls_x509_crt cert, - unsigned int flags) + unsigned int flags) { - int ret = 0; - - memset(gcert, 0, sizeof(gnutls_cert)); - gcert->cert_type = GNUTLS_CRT_X509; - - if ( !(flags & CERT_NO_COPY)) { - #define SMALL_DER 512 - opaque* der; - size_t der_size = SMALL_DER; - - /* initially allocate a bogus size, just in case the certificate - * fits in it. That way we minimize the DER encodings performed. - */ - der = gnutls_malloc( SMALL_DER); - if (der == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = gnutls_x509_crt_export( cert, GNUTLS_X509_FMT_DER, der, &der_size); - if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - gnutls_free(der); - return ret; - } - - if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { - der = gnutls_realloc( der, der_size); - if (der == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = gnutls_x509_crt_export( cert, GNUTLS_X509_FMT_DER, der, &der_size); - if (ret < 0) { - gnutls_assert(); - gnutls_free(der); - return ret; - } - } - - gcert->raw.data = der; - gcert->raw.size = der_size; - } else - /* now we have 0 or a bitwise or of things to decode */ - flags ^= CERT_NO_COPY; - - - if (flags & CERT_ONLY_EXTENSIONS || flags == 0) { - gnutls_x509_crt_get_key_usage( cert, &gcert->keyUsage, NULL); - gcert->version = gnutls_x509_crt_get_version( cert); + int ret = 0; + + memset(gcert, 0, sizeof(gnutls_cert)); + gcert->cert_type = GNUTLS_CRT_X509; + + if (!(flags & CERT_NO_COPY)) { +#define SMALL_DER 512 + opaque *der; + size_t der_size = SMALL_DER; + + /* initially allocate a bogus size, just in case the certificate + * fits in it. That way we minimize the DER encodings performed. + */ + der = gnutls_malloc(SMALL_DER); + if (der == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } - gcert->subject_pk_algorithm = gnutls_x509_crt_get_pk_algorithm( cert, NULL); - - if (flags & CERT_ONLY_PUBKEY || flags == 0) { - gcert->params_size = MAX_PUBLIC_PARAMS_SIZE; - ret = _gnutls_x509_crt_get_mpis( cert, gcert->params, &gcert->params_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + + ret = + gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_DER, der, + &der_size); + if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + gnutls_free(der); + return ret; } - return 0; + if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { + der = gnutls_realloc(der, der_size); + if (der == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = + gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_DER, der, + &der_size); + if (ret < 0) { + gnutls_assert(); + gnutls_free(der); + return ret; + } + } + + gcert->raw.data = der; + gcert->raw.size = der_size; + } else + /* now we have 0 or a bitwise or of things to decode */ + flags ^= CERT_NO_COPY; + + + if (flags & CERT_ONLY_EXTENSIONS || flags == 0) { + gnutls_x509_crt_get_key_usage(cert, &gcert->keyUsage, NULL); + gcert->version = gnutls_x509_crt_get_version(cert); + } + gcert->subject_pk_algorithm = + gnutls_x509_crt_get_pk_algorithm(cert, NULL); + + if (flags & CERT_ONLY_PUBKEY || flags == 0) { + gcert->params_size = MAX_PUBLIC_PARAMS_SIZE; + ret = + _gnutls_x509_crt_get_mpis(cert, gcert->params, + &gcert->params_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } + + return 0; } -void _gnutls_gcert_deinit(gnutls_cert *cert) +void _gnutls_gcert_deinit(gnutls_cert * cert) { - int i; + int i; - if (cert == NULL) return; + if (cert == NULL) + return; - for (i = 0; i < cert->params_size; i++) { - _gnutls_mpi_release( &cert->params[i]); - } + for (i = 0; i < cert->params_size; i++) { + _gnutls_mpi_release(&cert->params[i]); + } - _gnutls_free_datum(&cert->raw); + _gnutls_free_datum(&cert->raw); } - diff --git a/lib/gnutls_cert.h b/lib/gnutls_cert.h index 66c66a829f..37e1a821f6 100644 --- a/lib/gnutls_cert.h +++ b/lib/gnutls_cert.h @@ -6,7 +6,7 @@ #include <gnutls_ui.h> #include "x509/x509.h" -#define MAX_PUBLIC_PARAMS_SIZE 4 /* ok for RSA and DSA */ +#define MAX_PUBLIC_PARAMS_SIZE 4 /* ok for RSA and DSA */ /* parameters should not be larger than this limit */ #define DSA_PUBLIC_PARAMS 4 @@ -26,75 +26,81 @@ #define KEY_DECIPHER_ONLY 32768 typedef struct gnutls_cert { - mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; /* the size of params depends on the public - * key algorithm - * RSA: [0] is modulus - * [1] is public exponent - * DSA: [0] is p - * [1] is q - * [2] is g - * [3] is public key + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; /* the size of params depends on the public + * key algorithm + * RSA: [0] is modulus + * [1] is public exponent + * DSA: [0] is p + * [1] is q + * [2] is g + * [3] is public key + */ + int params_size; /* holds the size of MPI params */ + + gnutls_pk_algorithm subject_pk_algorithm; + + unsigned int keyUsage; /* bits from KEY_* */ - int params_size; /* holds the size of MPI params */ - - gnutls_pk_algorithm subject_pk_algorithm; - - unsigned int keyUsage; /* bits from KEY_* - */ - - unsigned int version; - /* holds the type (PGP, X509) - */ - gnutls_certificate_type cert_type; - - gnutls_datum raw; - + + unsigned int version; + /* holds the type (PGP, X509) + */ + gnutls_certificate_type cert_type; + + gnutls_datum raw; + } gnutls_cert; typedef struct gnutls_privkey_int { - mpi_t params[MAX_PRIV_PARAMS_SIZE];/* the size of params depends on the public - * key algorithm - */ - /* - * RSA: [0] is modulus - * [1] is public exponent - * [2] is private exponent - * [3] is prime1 (p) - * [4] is prime2 (q) - * [5] is coefficient (u == inverse of p mod q) - * DSA: [0] is p - * [1] is q - * [2] is g - * [3] is y (public key) - * [4] is x (private key) - */ - int params_size; /* holds the number of params */ - - gnutls_pk_algorithm pk_algorithm; + mpi_t params[MAX_PRIV_PARAMS_SIZE]; /* the size of params depends on the public + * key algorithm + */ + /* + * RSA: [0] is modulus + * [1] is public exponent + * [2] is private exponent + * [3] is prime1 (p) + * [4] is prime2 (q) + * [5] is coefficient (u == inverse of p mod q) + * DSA: [0] is p + * [1] is q + * [2] is g + * [3] is y (public key) + * [4] is x (private key) + */ + int params_size; /* holds the number of params */ + + gnutls_pk_algorithm pk_algorithm; } gnutls_privkey; -struct gnutls_session_int; /* because gnutls_session is not defined when this file is included */ +struct gnutls_session_int; /* because gnutls_session is not defined when this file is included */ -typedef enum ConvFlags { - CERT_NO_COPY=2, - CERT_ONLY_PUBKEY=4, - CERT_ONLY_EXTENSIONS=16 +typedef enum ConvFlags { + CERT_NO_COPY = 2, + CERT_ONLY_PUBKEY = 4, + CERT_ONLY_EXTENSIONS = 16 } ConvFlags; -int _gnutls_x509_raw_cert_to_gcert(gnutls_cert * gcert, const gnutls_datum *derCert, - int flags); +int _gnutls_x509_raw_cert_to_gcert(gnutls_cert * gcert, + const gnutls_datum * derCert, + int flags); int _gnutls_x509_crt_to_gcert(gnutls_cert * gcert, gnutls_x509_crt cert, - unsigned int flags); - -void _gnutls_gkey_deinit(gnutls_privkey *key); -void _gnutls_gcert_deinit(gnutls_cert *cert); - -int _gnutls_selected_cert_supported_kx(struct gnutls_session_int* session, - gnutls_kx_algorithm ** alg, int *alg_size); - -int _gnutls_raw_cert_to_gcert(gnutls_cert * gcert, gnutls_certificate_type type, - const gnutls_datum *raw_cert, int flags /* OR of ConvFlags */); -int _gnutls_raw_privkey_to_gkey(gnutls_privkey * key, gnutls_certificate_type type, - const gnutls_datum *raw_key, int key_enc /* DER or PEM */); + unsigned int flags); + +void _gnutls_gkey_deinit(gnutls_privkey * key); +void _gnutls_gcert_deinit(gnutls_cert * cert); + +int _gnutls_selected_cert_supported_kx(struct gnutls_session_int *session, + gnutls_kx_algorithm ** alg, + int *alg_size); + +int _gnutls_raw_cert_to_gcert(gnutls_cert * gcert, + gnutls_certificate_type type, + const gnutls_datum * raw_cert, + int flags /* OR of ConvFlags */ ); +int _gnutls_raw_privkey_to_gkey(gnutls_privkey * key, + gnutls_certificate_type type, + const gnutls_datum * raw_key, + int key_enc /* DER or PEM */ ); #endif diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index c892624880..259a752abc 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -39,20 +39,22 @@ #include "gnutls_record.h" #include "gnutls_constate.h" -inline static int -is_write_comp_null( gnutls_session session) { - if (session->security_parameters.write_compression_algorithm == GNUTLS_COMP_NULL) - return 0; - - return 1; +inline static int is_write_comp_null(gnutls_session session) +{ + if (session->security_parameters.write_compression_algorithm == + GNUTLS_COMP_NULL) + return 0; + + return 1; } -inline static int -is_read_comp_null( gnutls_session session) { - if (session->security_parameters.read_compression_algorithm == GNUTLS_COMP_NULL) - return 0; - - return 1; +inline static int is_read_comp_null(gnutls_session session) +{ + if (session->security_parameters.read_compression_algorithm == + GNUTLS_COMP_NULL) + return 0; + + return 1; } @@ -61,188 +63,189 @@ is_read_comp_null( gnutls_session session) { * * If random pad != 0 then the random pad data will be appended. */ -int _gnutls_encrypt(gnutls_session session, const opaque* headers, size_t headers_size, - const opaque *data, size_t data_size, - opaque * ciphertext, size_t ciphertext_size, content_type_t type, int random_pad) +int _gnutls_encrypt(gnutls_session session, const opaque * headers, + size_t headers_size, const opaque * data, + size_t data_size, opaque * ciphertext, + size_t ciphertext_size, content_type_t type, + int random_pad) { - gnutls_datum plain; - gnutls_datum comp; - int ret; - int free_comp = 1; - - plain.data = (opaque*)data; - plain.size = data_size; - - if (plain.size == 0 || is_write_comp_null( session)==0) { - comp = plain; - free_comp = 0; - } else { - /* Here comp is allocated and must be - * freed. - */ - ret = _gnutls_m_plaintext2compressed(session, &comp, plain); - if (ret < 0) { - gnutls_assert(); - return ret; - } + gnutls_datum plain; + gnutls_datum comp; + int ret; + int free_comp = 1; + + plain.data = (opaque *) data; + plain.size = data_size; + + if (plain.size == 0 || is_write_comp_null(session) == 0) { + comp = plain; + free_comp = 0; + } else { + /* Here comp is allocated and must be + * freed. + */ + ret = _gnutls_m_plaintext2compressed(session, &comp, plain); + if (ret < 0) { + gnutls_assert(); + return ret; } + } - ret = _gnutls_compressed2ciphertext(session, &ciphertext[headers_size], - ciphertext_size - headers_size, comp, type, random_pad); + ret = _gnutls_compressed2ciphertext(session, &ciphertext[headers_size], + ciphertext_size - headers_size, + comp, type, random_pad); - if (free_comp) - _gnutls_free_datum(&comp); + if (free_comp) + _gnutls_free_datum(&comp); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* copy the headers */ - memcpy( ciphertext, headers, headers_size); - _gnutls_write_uint16( ret, &ciphertext[3]); + /* copy the headers */ + memcpy(ciphertext, headers, headers_size); + _gnutls_write_uint16(ret, &ciphertext[3]); - return ret+headers_size; + return ret + headers_size; } /* Decrypts the given data. * Returns the decrypted data length. */ -int _gnutls_decrypt(gnutls_session session, opaque *ciphertext, - size_t ciphertext_size, uint8 * data, size_t max_data_size, - content_type_t type) +int _gnutls_decrypt(gnutls_session session, opaque * ciphertext, + size_t ciphertext_size, uint8 * data, + size_t max_data_size, content_type_t type) { - gnutls_datum gtxt; - gnutls_datum gcipher; - int ret; + gnutls_datum gtxt; + gnutls_datum gcipher; + int ret; + + if (ciphertext_size == 0) + return 0; + + gcipher.size = ciphertext_size; + gcipher.data = ciphertext; + + ret = + _gnutls_ciphertext2compressed(session, data, max_data_size, + gcipher, type); + if (ret < 0) { + return ret; + } - if (ciphertext_size == 0) - return 0; + if (ret == 0 || is_read_comp_null(session) == 0) { + /* ret == ret */ - gcipher.size = ciphertext_size; - gcipher.data = ciphertext; + } else { + gnutls_datum gcomp; - ret = _gnutls_ciphertext2compressed(session, data, max_data_size, gcipher, type); + /* compression has this malloc overhead. + */ + + gcomp.data = data; + gcomp.size = ret; + ret = _gnutls_m_compressed2plaintext(session, >xt, gcomp); if (ret < 0) { - return ret; + return ret; } - if (ret==0 || is_read_comp_null( session)==0) { - /* ret == ret */ - - } else { - gnutls_datum gcomp; - - /* compression has this malloc overhead. - */ - - gcomp.data = data; - gcomp.size = ret; - ret = _gnutls_m_compressed2plaintext(session, >xt, gcomp); - if (ret < 0) { - return ret; - } - - if (gtxt.size > max_data_size) { - gnutls_assert(); - _gnutls_free_datum( >xt); - /* This shouldn't have happen and - * is a TLS fatal error. - */ - return GNUTLS_E_INTERNAL_ERROR; - } - - memcpy( data, gtxt.data, gtxt.size); - ret = gtxt.size; - - _gnutls_free_datum( >xt); + if (gtxt.size > max_data_size) { + gnutls_assert(); + _gnutls_free_datum(>xt); + /* This shouldn't have happen and + * is a TLS fatal error. + */ + return GNUTLS_E_INTERNAL_ERROR; } - - return ret; + + memcpy(data, gtxt.data, gtxt.size); + ret = gtxt.size; + + _gnutls_free_datum(>xt); + } + + return ret; } inline -static mac_hd_t -mac_init( gnutls_mac_algorithm mac, opaque* secret, int secret_size, int ver) + static mac_hd_t +mac_init(gnutls_mac_algorithm mac, opaque * secret, int secret_size, + int ver) { -mac_hd_t td; + mac_hd_t td; - if (mac == GNUTLS_MAC_NULL) return GNUTLS_MAC_FAILED; + if (mac == GNUTLS_MAC_NULL) + return GNUTLS_MAC_FAILED; - if ( ver == GNUTLS_SSL3) { /* SSL 3.0 */ - td = - _gnutls_mac_init_ssl3( mac, secret, - secret_size); - } else { /* TLS 1.x */ - td = - _gnutls_hmac_init( mac, secret, secret_size); - } - - return td; + if (ver == GNUTLS_SSL3) { /* SSL 3.0 */ + td = _gnutls_mac_init_ssl3(mac, secret, secret_size); + } else { /* TLS 1.x */ + td = _gnutls_hmac_init(mac, secret, secret_size); + } + + return td; } -inline -static void mac_deinit( mac_hd_t td, opaque* res, int ver) +inline static void mac_deinit(mac_hd_t td, opaque * res, int ver) { - if ( ver == GNUTLS_SSL3) { /* SSL 3.0 */ - _gnutls_mac_deinit_ssl3(td, res); - } else { - _gnutls_hmac_deinit(td, res); - } + if (ver == GNUTLS_SSL3) { /* SSL 3.0 */ + _gnutls_mac_deinit_ssl3(td, res); + } else { + _gnutls_hmac_deinit(td, res); + } } inline -static int calc_enc_length( - gnutls_session session, int data_size, int hash_size, uint8* pad, - int random_pad, cipher_type_t block_algo, uint16 blocksize) + static int calc_enc_length(gnutls_session session, int data_size, + int hash_size, uint8 * pad, int random_pad, + cipher_type_t block_algo, uint16 blocksize) { -uint8 rand; -int length; - - *pad = 0; - - switch ( block_algo) { - case CIPHER_STREAM: - length = - data_size + hash_size; - - break; - case CIPHER_BLOCK: - if (_gnutls_get_random(&rand, 1, GNUTLS_WEAK_RANDOM) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - /* make rand a multiple of blocksize */ - if ( session->security_parameters.version == GNUTLS_SSL3 || - random_pad==0) { - rand = 0; - } else { - rand = (rand / blocksize) * blocksize; - /* added to avoid the case of pad calculated 0 - * seen below for pad calculation. - */ - if (rand > blocksize) rand-=blocksize; - } - - length = - data_size + - hash_size; - - *pad = (uint8) (blocksize - (length % blocksize)) + rand; - - length += *pad; - if ( session->security_parameters.version >= GNUTLS_TLS1_1) - length += blocksize; /* for the IV */ - - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + uint8 rand; + int length; + + *pad = 0; + + switch (block_algo) { + case CIPHER_STREAM: + length = data_size + hash_size; + + break; + case CIPHER_BLOCK: + if (_gnutls_get_random(&rand, 1, GNUTLS_WEAK_RANDOM) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } - return length; + /* make rand a multiple of blocksize */ + if (session->security_parameters.version == GNUTLS_SSL3 || + random_pad == 0) { + rand = 0; + } else { + rand = (rand / blocksize) * blocksize; + /* added to avoid the case of pad calculated 0 + * seen below for pad calculation. + */ + if (rand > blocksize) + rand -= blocksize; + } + + length = data_size + hash_size; + + *pad = (uint8) (blocksize - (length % blocksize)) + rand; + + length += *pad; + if (session->security_parameters.version >= GNUTLS_TLS1_1) + length += blocksize; /* for the IV */ + + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + return length; } /* This is the actual encryption @@ -251,261 +254,276 @@ int length; * return the actual encrypted data length. */ int _gnutls_compressed2ciphertext(gnutls_session session, - opaque* cipher_data, int cipher_size, - gnutls_datum compressed, content_type_t _type, - int random_pad) + opaque * cipher_data, int cipher_size, + gnutls_datum compressed, + content_type_t _type, int random_pad) { - uint8 MAC[MAX_HASH_SIZE]; - uint16 c_length; - uint8 pad; - int length,ret; - mac_hd_t td; - uint8 type = _type; - uint8 major, minor; - int hash_size = _gnutls_hash_get_algo_len(session->security_parameters.write_mac_algorithm); - gnutls_protocol_version ver; - int blocksize = - _gnutls_cipher_get_block_size(session->security_parameters. - write_bulk_cipher_algorithm); - cipher_type_t block_algo = _gnutls_cipher_is_block(session->security_parameters.write_bulk_cipher_algorithm); - opaque* data_ptr; - - - ver = gnutls_protocol_get_version( session); - minor = _gnutls_version_get_minor( ver); - major = _gnutls_version_get_major( ver); - - - /* Initialize MAC */ - td = mac_init(session->security_parameters.write_mac_algorithm, + uint8 MAC[MAX_HASH_SIZE]; + uint16 c_length; + uint8 pad; + int length, ret; + mac_hd_t td; + uint8 type = _type; + uint8 major, minor; + int hash_size = + _gnutls_hash_get_algo_len(session->security_parameters. + write_mac_algorithm); + gnutls_protocol_version ver; + int blocksize = + _gnutls_cipher_get_block_size(session->security_parameters. + write_bulk_cipher_algorithm); + cipher_type_t block_algo = + _gnutls_cipher_is_block(session->security_parameters. + write_bulk_cipher_algorithm); + opaque *data_ptr; + + + ver = gnutls_protocol_get_version(session); + minor = _gnutls_version_get_minor(ver); + major = _gnutls_version_get_major(ver); + + + /* Initialize MAC */ + td = mac_init(session->security_parameters.write_mac_algorithm, session->connection_state.write_mac_secret.data, session->connection_state.write_mac_secret.size, ver); - if (td == GNUTLS_MAC_FAILED - && session->security_parameters.write_mac_algorithm != GNUTLS_MAC_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - c_length = _gnutls_conv_uint16(compressed.size); - - if (td != GNUTLS_MAC_FAILED) { /* actually when the algorithm in not the NULL one */ - _gnutls_hmac(td, UINT64DATA(session->connection_state.write_sequence_number), 8); - - _gnutls_hmac(td, &type, 1); - if ( ver >= GNUTLS_TLS1) { /* TLS 1.0 or higher */ - _gnutls_hmac(td, &major, 1); - _gnutls_hmac(td, &minor, 1); - } - _gnutls_hmac(td, &c_length, 2); - _gnutls_hmac(td, compressed.data, compressed.size); - mac_deinit( td, MAC, ver); - } + if (td == GNUTLS_MAC_FAILED + && session->security_parameters.write_mac_algorithm != + GNUTLS_MAC_NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + c_length = _gnutls_conv_uint16(compressed.size); - /* Calculate the encrypted length (padding etc.) - */ - length = calc_enc_length( session, compressed.size, hash_size, &pad, random_pad, block_algo, - blocksize); - if (length < 0) { - gnutls_assert(); - return length; - } + if (td != GNUTLS_MAC_FAILED) { /* actually when the algorithm in not the NULL one */ + _gnutls_hmac(td, + UINT64DATA(session->connection_state. + write_sequence_number), 8); - /* copy the encrypted data to cipher_data. - */ - if (cipher_size < length) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + _gnutls_hmac(td, &type, 1); + if (ver >= GNUTLS_TLS1) { /* TLS 1.0 or higher */ + _gnutls_hmac(td, &major, 1); + _gnutls_hmac(td, &minor, 1); } - - data_ptr = cipher_data; - if ( block_algo==CIPHER_BLOCK && - session->security_parameters.version >= GNUTLS_TLS1_1) - { - /* copy the random IV. - */ - if (_gnutls_get_random(data_ptr, blocksize, GNUTLS_WEAK_RANDOM) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - data_ptr += blocksize; - } - - memcpy(data_ptr, compressed.data, compressed.size); - data_ptr += compressed.size; - - if (hash_size > 0) { - memcpy(data_ptr, MAC, hash_size); - data_ptr += hash_size; - } - if (block_algo==CIPHER_BLOCK && pad > 0) { - memset(data_ptr, pad - 1, pad); - } - - - /* Actual encryption (inplace). + _gnutls_hmac(td, &c_length, 2); + _gnutls_hmac(td, compressed.data, compressed.size); + mac_deinit(td, MAC, ver); + } + + + /* Calculate the encrypted length (padding etc.) + */ + length = + calc_enc_length(session, compressed.size, hash_size, &pad, + random_pad, block_algo, blocksize); + if (length < 0) { + gnutls_assert(); + return length; + } + + /* copy the encrypted data to cipher_data. + */ + if (cipher_size < length) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + data_ptr = cipher_data; + if (block_algo == CIPHER_BLOCK && + session->security_parameters.version >= GNUTLS_TLS1_1) { + /* copy the random IV. */ - ret = _gnutls_cipher_encrypt(session->connection_state. - write_cipher_state, cipher_data, - length); - if (ret < 0) { - gnutls_assert(); - return ret; + if (_gnutls_get_random(data_ptr, blocksize, GNUTLS_WEAK_RANDOM) < + 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + data_ptr += blocksize; + } + + memcpy(data_ptr, compressed.data, compressed.size); + data_ptr += compressed.size; + + if (hash_size > 0) { + memcpy(data_ptr, MAC, hash_size); + data_ptr += hash_size; + } + if (block_algo == CIPHER_BLOCK && pad > 0) { + memset(data_ptr, pad - 1, pad); + } + + + /* Actual encryption (inplace). + */ + ret = _gnutls_cipher_encrypt(session->connection_state. + write_cipher_state, cipher_data, length); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return length; + return length; } /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size. * Returns the actual compressed packet size. */ int _gnutls_ciphertext2compressed(gnutls_session session, - opaque* compress_data, int compress_size, - gnutls_datum ciphertext, uint8 type) + opaque * compress_data, + int compress_size, + gnutls_datum ciphertext, uint8 type) { - uint8 MAC[MAX_HASH_SIZE]; - uint16 c_length; - uint8 pad; - int length; - mac_hd_t td; - uint16 blocksize; - int ret, i, pad_failed = 0; - uint8 major, minor; - gnutls_protocol_version ver; - int hash_size = _gnutls_hash_get_algo_len(session->security_parameters.read_mac_algorithm); - - ver = gnutls_protocol_get_version( session); - minor = _gnutls_version_get_minor(ver); - major = _gnutls_version_get_major(ver); - - blocksize = _gnutls_cipher_get_block_size(session->security_parameters. - read_bulk_cipher_algorithm); - - /* initialize MAC - */ - td = mac_init( session->security_parameters.read_mac_algorithm, - session->connection_state.read_mac_secret.data, - session->connection_state.read_mac_secret.size, ver); - - if (td == GNUTLS_MAC_FAILED - && session->security_parameters.read_mac_algorithm != GNUTLS_MAC_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + uint8 MAC[MAX_HASH_SIZE]; + uint16 c_length; + uint8 pad; + int length; + mac_hd_t td; + uint16 blocksize; + int ret, i, pad_failed = 0; + uint8 major, minor; + gnutls_protocol_version ver; + int hash_size = + _gnutls_hash_get_algo_len(session->security_parameters. + read_mac_algorithm); + + ver = gnutls_protocol_get_version(session); + minor = _gnutls_version_get_minor(ver); + major = _gnutls_version_get_major(ver); + + blocksize = _gnutls_cipher_get_block_size(session->security_parameters. + read_bulk_cipher_algorithm); + + /* initialize MAC + */ + td = mac_init(session->security_parameters.read_mac_algorithm, + session->connection_state.read_mac_secret.data, + session->connection_state.read_mac_secret.size, ver); + + if (td == GNUTLS_MAC_FAILED + && session->security_parameters.read_mac_algorithm != + GNUTLS_MAC_NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + + /* actual decryption (inplace) + */ + switch (_gnutls_cipher_is_block + (session->security_parameters.read_bulk_cipher_algorithm)) { + case CIPHER_STREAM: + if ((ret = _gnutls_cipher_decrypt(session->connection_state. + read_cipher_state, + ciphertext.data, + ciphertext.size)) < 0) { + gnutls_assert(); + return ret; } + length = ciphertext.size - hash_size; - /* actual decryption (inplace) - */ - switch (_gnutls_cipher_is_block(session->security_parameters.read_bulk_cipher_algorithm)) { - case CIPHER_STREAM: - if ( (ret = _gnutls_cipher_decrypt(session->connection_state. - read_cipher_state, ciphertext.data, - ciphertext.size)) < 0) { - gnutls_assert(); - return ret; - } - - length = - ciphertext.size - hash_size; - - break; - case CIPHER_BLOCK: - if ((ciphertext.size < blocksize) - || (ciphertext.size % blocksize != 0)) { - gnutls_assert(); - return GNUTLS_E_DECRYPTION_FAILED; - } - - if ( (ret = _gnutls_cipher_decrypt(session->connection_state. - read_cipher_state, ciphertext.data, - ciphertext.size)) < 0) { - gnutls_assert(); - return ret; - } - - /* ignore the IV in TLS 1.1. - */ - if (session->security_parameters.version >= GNUTLS_TLS1_1) { - ciphertext.size -= blocksize; - ciphertext.data += blocksize; - - if (ciphertext.size == 0) { - gnutls_assert(); - return GNUTLS_E_DECRYPTION_FAILED; - } - } - - pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ - - length = - ciphertext.size - hash_size - pad; - - if (pad > ciphertext.size - hash_size) { - gnutls_assert(); - /* We do not fail here. We check below for the - * the pad_failed. If zero means success. - */ - pad_failed = GNUTLS_E_DECRYPTION_FAILED; - } - - /* Check the pading bytes (TLS 1.x) - */ - if ( ver >= GNUTLS_TLS1) - for (i=2;i<pad;i++) { - if (ciphertext.data[ciphertext.size-i] != ciphertext.data[ciphertext.size - 1]) - pad_failed = GNUTLS_E_DECRYPTION_FAILED; - } - - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + break; + case CIPHER_BLOCK: + if ((ciphertext.size < blocksize) + || (ciphertext.size % blocksize != 0)) { + gnutls_assert(); + return GNUTLS_E_DECRYPTION_FAILED; } - if (length < 0) length = 0; - c_length = _gnutls_conv_uint16((uint16) length); - - /* Pass the type, version, length and compressed through - * MAC. - */ - if (td != GNUTLS_MAC_FAILED) { - _gnutls_hmac(td, UINT64DATA(session->connection_state.read_sequence_number), 8); - - _gnutls_hmac(td, &type, 1); - if ( ver >= GNUTLS_TLS1) { /* TLS 1.x */ - _gnutls_hmac(td, &major, 1); - _gnutls_hmac(td, &minor, 1); - } - _gnutls_hmac(td, &c_length, 2); - - if (length > 0) - _gnutls_hmac(td, ciphertext.data, length); - - mac_deinit( td, MAC, ver); + if ((ret = _gnutls_cipher_decrypt(session->connection_state. + read_cipher_state, + ciphertext.data, + ciphertext.size)) < 0) { + gnutls_assert(); + return ret; } - /* This one was introduced to avoid a timing attack against the TLS - * 1.0 protocol. + /* ignore the IV in TLS 1.1. */ - if (pad_failed != 0) return pad_failed; + if (session->security_parameters.version >= GNUTLS_TLS1_1) { + ciphertext.size -= blocksize; + ciphertext.data += blocksize; - /* HMAC was not the same. - */ - if (memcmp - (MAC, &ciphertext.data[length], hash_size) != 0) { + if (ciphertext.size == 0) { gnutls_assert(); return GNUTLS_E_DECRYPTION_FAILED; + } } - /* copy the decrypted stuff to compress_data. - */ - if (compress_size < length) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ + + length = ciphertext.size - hash_size - pad; + + if (pad > ciphertext.size - hash_size) { + gnutls_assert(); + /* We do not fail here. We check below for the + * the pad_failed. If zero means success. + */ + pad_failed = GNUTLS_E_DECRYPTION_FAILED; } - memcpy( compress_data, ciphertext.data, length); - return length; + /* Check the pading bytes (TLS 1.x) + */ + if (ver >= GNUTLS_TLS1) + for (i = 2; i < pad; i++) { + if (ciphertext.data[ciphertext.size - i] != + ciphertext.data[ciphertext.size - 1]) + pad_failed = GNUTLS_E_DECRYPTION_FAILED; + } + + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (length < 0) + length = 0; + c_length = _gnutls_conv_uint16((uint16) length); + + /* Pass the type, version, length and compressed through + * MAC. + */ + if (td != GNUTLS_MAC_FAILED) { + _gnutls_hmac(td, + UINT64DATA(session->connection_state. + read_sequence_number), 8); + + _gnutls_hmac(td, &type, 1); + if (ver >= GNUTLS_TLS1) { /* TLS 1.x */ + _gnutls_hmac(td, &major, 1); + _gnutls_hmac(td, &minor, 1); + } + _gnutls_hmac(td, &c_length, 2); + + if (length > 0) + _gnutls_hmac(td, ciphertext.data, length); + + mac_deinit(td, MAC, ver); + } + + /* This one was introduced to avoid a timing attack against the TLS + * 1.0 protocol. + */ + if (pad_failed != 0) + return pad_failed; + + /* HMAC was not the same. + */ + if (memcmp(MAC, &ciphertext.data[length], hash_size) != 0) { + gnutls_assert(); + return GNUTLS_E_DECRYPTION_FAILED; + } + + /* copy the decrypted stuff to compress_data. + */ + if (compress_size < length) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + memcpy(compress_data, ciphertext.data, length); + + return length; } - diff --git a/lib/gnutls_cipher.h b/lib/gnutls_cipher.h index bc89aad4ab..972c01cf87 100644 --- a/lib/gnutls_cipher.h +++ b/lib/gnutls_cipher.h @@ -18,13 +18,20 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -int _gnutls_encrypt( gnutls_session session, const opaque* headers, size_t headers_size, const opaque* data, size_t data_size, - opaque* ciphertext, size_t ciphertext_size, content_type_t type, int random_pad); +int _gnutls_encrypt(gnutls_session session, const opaque * headers, + size_t headers_size, const opaque * data, + size_t data_size, opaque * ciphertext, + size_t ciphertext_size, content_type_t type, + int random_pad); -int _gnutls_decrypt(gnutls_session session, opaque *ciphertext, +int _gnutls_decrypt(gnutls_session session, opaque * ciphertext, size_t ciphertext_size, uint8 * data, size_t data_size, content_type_t type); -int _gnutls_compressed2ciphertext(gnutls_session session, opaque* cipher_data, int cipher_size, gnutls_datum compressed, - content_type_t _type, int random_pad); -int _gnutls_ciphertext2compressed(gnutls_session session, opaque * compress_data, int compress_size, - gnutls_datum ciphertext, uint8 type); +int _gnutls_compressed2ciphertext(gnutls_session session, + opaque * cipher_data, int cipher_size, + gnutls_datum compressed, + content_type_t _type, int random_pad); +int _gnutls_ciphertext2compressed(gnutls_session session, + opaque * compress_data, + int compress_size, + gnutls_datum ciphertext, uint8 type); diff --git a/lib/gnutls_cipher_int.c b/lib/gnutls_cipher_int.c index c68a243736..24ff0370ee 100644 --- a/lib/gnutls_cipher_int.c +++ b/lib/gnutls_cipher_int.c @@ -25,75 +25,91 @@ #include <gnutls_cipher_int.h> #include <gnutls_datum.h> -cipher_hd_t _gnutls_cipher_init( gnutls_cipher_algorithm cipher, - const gnutls_datum *key, const gnutls_datum *iv) +cipher_hd_t _gnutls_cipher_init(gnutls_cipher_algorithm cipher, + const gnutls_datum * key, + const gnutls_datum * iv) { -cipher_hd_t ret = NULL; -gcry_error_t err = GPG_ERR_GENERAL; /* doesn't matter */ + cipher_hd_t ret = NULL; + gcry_error_t err = GPG_ERR_GENERAL; /* doesn't matter */ - switch (cipher) { - case GNUTLS_CIPHER_AES_128_CBC: - err = gcry_cipher_open(&ret, GCRY_CIPHER_RIJNDAEL, GCRY_CIPHER_MODE_CBC, 0); - break; - case GNUTLS_CIPHER_AES_256_CBC: - err = gcry_cipher_open(&ret, GCRY_CIPHER_RIJNDAEL256, GCRY_CIPHER_MODE_CBC, 0); - break; - case GNUTLS_CIPHER_3DES_CBC: - err = gcry_cipher_open(&ret, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_CBC, 0); - break; - case GNUTLS_CIPHER_DES_CBC: - err = gcry_cipher_open(&ret, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_CBC, 0); - break; - case GNUTLS_CIPHER_ARCFOUR_128: - case GNUTLS_CIPHER_ARCFOUR_40: - err = gcry_cipher_open(&ret, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0); - break; - case GNUTLS_CIPHER_RC2_40_CBC: - err = gcry_cipher_open(&ret, GCRY_CIPHER_RFC2268_40, GCRY_CIPHER_MODE_CBC, 0); - break; - default: - return NULL; - } + switch (cipher) { + case GNUTLS_CIPHER_AES_128_CBC: + err = + gcry_cipher_open(&ret, GCRY_CIPHER_RIJNDAEL, + GCRY_CIPHER_MODE_CBC, 0); + break; + case GNUTLS_CIPHER_AES_256_CBC: + err = + gcry_cipher_open(&ret, GCRY_CIPHER_RIJNDAEL256, + GCRY_CIPHER_MODE_CBC, 0); + break; + case GNUTLS_CIPHER_3DES_CBC: + err = + gcry_cipher_open(&ret, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_CBC, + 0); + break; + case GNUTLS_CIPHER_DES_CBC: + err = + gcry_cipher_open(&ret, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_CBC, + 0); + break; + case GNUTLS_CIPHER_ARCFOUR_128: + case GNUTLS_CIPHER_ARCFOUR_40: + err = + gcry_cipher_open(&ret, GCRY_CIPHER_ARCFOUR, + GCRY_CIPHER_MODE_STREAM, 0); + break; + case GNUTLS_CIPHER_RC2_40_CBC: + err = + gcry_cipher_open(&ret, GCRY_CIPHER_RFC2268_40, + GCRY_CIPHER_MODE_CBC, 0); + break; + default: + return NULL; + } - if (err == 0) { - gcry_cipher_setkey(ret, key->data, key->size); - if (iv->data!=NULL && iv->size>0) gcry_cipher_setiv(ret, iv->data, iv->size); - } else if (cipher != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - _gnutls_x509_log("Gcrypt cipher[%d] error: %s\n", cipher, gcry_strerror(err)); - } + if (err == 0) { + gcry_cipher_setkey(ret, key->data, key->size); + if (iv->data != NULL && iv->size > 0) + gcry_cipher_setiv(ret, iv->data, iv->size); + } else if (cipher != GNUTLS_CIPHER_NULL) { + gnutls_assert(); + _gnutls_x509_log("Gcrypt cipher[%d] error: %s\n", cipher, + gcry_strerror(err)); + } - return ret; + return ret; } -int _gnutls_cipher_encrypt(cipher_hd_t handle, void* text, - int textlen) +int _gnutls_cipher_encrypt(cipher_hd_t handle, void *text, int textlen) { - if (handle!=GNUTLS_CIPHER_FAILED) { - if (gcry_cipher_encrypt( handle, text, textlen, NULL, textlen)!=0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (handle != GNUTLS_CIPHER_FAILED) { + if (gcry_cipher_encrypt(handle, text, textlen, NULL, textlen) != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - return 0; + } + return 0; } -int _gnutls_cipher_decrypt(cipher_hd_t handle, void* ciphertext, - int ciphertextlen) +int _gnutls_cipher_decrypt(cipher_hd_t handle, void *ciphertext, + int ciphertextlen) { - if (handle!=GNUTLS_CIPHER_FAILED) { - if (gcry_cipher_decrypt( handle, ciphertext, ciphertextlen, NULL, ciphertextlen)!=0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (handle != GNUTLS_CIPHER_FAILED) { + if (gcry_cipher_decrypt + (handle, ciphertext, ciphertextlen, NULL, + ciphertextlen) != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - return 0; + } + return 0; } -void _gnutls_cipher_deinit(cipher_hd_t handle) +void _gnutls_cipher_deinit(cipher_hd_t handle) { - if (handle!=GNUTLS_CIPHER_FAILED) { - gcry_cipher_close(handle); - } + if (handle != GNUTLS_CIPHER_FAILED) { + gcry_cipher_close(handle); + } } diff --git a/lib/gnutls_cipher_int.h b/lib/gnutls_cipher_int.h index b1dc79569d..c27631a319 100644 --- a/lib/gnutls_cipher_int.h +++ b/lib/gnutls_cipher_int.h @@ -24,10 +24,12 @@ #define cipher_hd_t gcry_cipher_hd_t #define GNUTLS_CIPHER_FAILED NULL -cipher_hd_t _gnutls_cipher_init( gnutls_cipher_algorithm cipher, - const gnutls_datum *key, const gnutls_datum *iv); -int _gnutls_cipher_encrypt(cipher_hd_t handle, void* text, int textlen); -int _gnutls_cipher_decrypt(cipher_hd_t handle, void* ciphertext, int ciphertextlen); +cipher_hd_t _gnutls_cipher_init(gnutls_cipher_algorithm cipher, + const gnutls_datum * key, + const gnutls_datum * iv); +int _gnutls_cipher_encrypt(cipher_hd_t handle, void *text, int textlen); +int _gnutls_cipher_decrypt(cipher_hd_t handle, void *ciphertext, + int ciphertextlen); void _gnutls_cipher_deinit(cipher_hd_t handle); -#endif /* GNUTLS_CIPHER_INT */ +#endif /* GNUTLS_CIPHER_INT */ diff --git a/lib/gnutls_compress.c b/lib/gnutls_compress.c index 06d5ccdef9..80b3036110 100644 --- a/lib/gnutls_compress.c +++ b/lib/gnutls_compress.c @@ -32,41 +32,43 @@ /* These functions allocate the return value internally */ int _gnutls_m_plaintext2compressed(gnutls_session session, - gnutls_datum* - compress, - gnutls_datum plaintext) + gnutls_datum * + compress, gnutls_datum plaintext) { - int size; - opaque *data; - - size = _gnutls_compress( session->connection_state.write_compression_state, - plaintext.data, plaintext.size, &data, MAX_RECORD_SEND_SIZE+1024); - if (size < 0) { - gnutls_assert(); - return GNUTLS_E_COMPRESSION_FAILED; - } - compress->data = data; - compress->size = size; + int size; + opaque *data; - return 0; + size = + _gnutls_compress(session->connection_state.write_compression_state, + plaintext.data, plaintext.size, &data, + MAX_RECORD_SEND_SIZE + 1024); + if (size < 0) { + gnutls_assert(); + return GNUTLS_E_COMPRESSION_FAILED; + } + compress->data = data; + compress->size = size; + + return 0; } int _gnutls_m_compressed2plaintext(gnutls_session session, - gnutls_datum* plain, - gnutls_datum - compressed) + gnutls_datum * plain, + gnutls_datum compressed) { - int size; - opaque* data; + int size; + opaque *data; - size = _gnutls_decompress( session->connection_state.read_compression_state, - compressed.data, compressed.size, &data, MAX_RECORD_RECV_SIZE); - if (size < 0) { - gnutls_assert(); - return GNUTLS_E_DECOMPRESSION_FAILED; - } - plain->data = data; - plain->size = size; + size = + _gnutls_decompress(session->connection_state. + read_compression_state, compressed.data, + compressed.size, &data, MAX_RECORD_RECV_SIZE); + if (size < 0) { + gnutls_assert(); + return GNUTLS_E_DECOMPRESSION_FAILED; + } + plain->data = data; + plain->size = size; - return 0; + return 0; } diff --git a/lib/gnutls_compress.h b/lib/gnutls_compress.h index 47ba103804..865344b982 100644 --- a/lib/gnutls_compress.h +++ b/lib/gnutls_compress.h @@ -18,5 +18,9 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -int _gnutls_m_plaintext2compressed(gnutls_session session, gnutls_datum* compress, gnutls_datum plaintext); -int _gnutls_m_compressed2plaintext(gnutls_session session, gnutls_datum* plain, gnutls_datum compressed); +int _gnutls_m_plaintext2compressed(gnutls_session session, + gnutls_datum * compress, + gnutls_datum plaintext); +int _gnutls_m_compressed2plaintext(gnutls_session session, + gnutls_datum * plain, + gnutls_datum compressed); diff --git a/lib/gnutls_compress_int.c b/lib/gnutls_compress_int.c index b0c63ee551..bee6454f79 100644 --- a/lib/gnutls_compress_int.c +++ b/lib/gnutls_compress_int.c @@ -27,15 +27,15 @@ #ifdef USE_LZO # ifdef USE_MINILZO -# include "../libextra/minilzo.h" /* get the prototypes only. - * Since LZO is a GPLed library, the gnutls_global_init_extra() has - * to be called, before LZO compression can be used. - */ +# include "../libextra/minilzo.h" /* get the prototypes only. + * Since LZO is a GPLed library, the gnutls_global_init_extra() has + * to be called, before LZO compression can be used. + */ # else # include <lzo1x.h> # endif -typedef int (*LZO_FUNC)(); +typedef int (*LZO_FUNC) (); LZO_FUNC _gnutls_lzo1x_decompress_safe = NULL; LZO_FUNC _gnutls_lzo1x_1_compress = NULL; @@ -45,299 +45,314 @@ LZO_FUNC _gnutls_lzo1x_1_compress = NULL; /* The flag d is the direction (compress, decompress). Non zero is * decompress. */ -comp_hd_t _gnutls_comp_init( gnutls_compression_method method, int d) +comp_hd_t _gnutls_comp_init(gnutls_compression_method method, int d) { -comp_hd_t ret; -int err; + comp_hd_t ret; + int err; - ret = gnutls_malloc( sizeof( struct comp_hd_t_STRUCT)); - if (ret==NULL) { - gnutls_assert(); - return NULL; - } + ret = gnutls_malloc(sizeof(struct comp_hd_t_STRUCT)); + if (ret == NULL) { + gnutls_assert(); + return NULL; + } - ret->algo = method; - ret->handle = NULL; + ret->algo = method; + ret->handle = NULL; - switch( method) { + switch (method) { #ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: { - int window_bits, mem_level; - int comp_level; - z_stream* zhandle; - - window_bits = _gnutls_compression_get_wbits( method); - mem_level = _gnutls_compression_get_mem_level( method); - comp_level = _gnutls_compression_get_comp_level( method); - - ret->handle = gnutls_malloc( sizeof( z_stream)); - if (ret->handle==NULL) { - gnutls_assert(); - goto cleanup_ret; - } - - zhandle = ret->handle; - - zhandle->zalloc = (alloc_func)0; - zhandle->zfree = (free_func)0; - zhandle->opaque = (voidpf)0; - - if (d) - err = inflateInit2(zhandle, window_bits); - else { - err = deflateInit2(zhandle, - comp_level, Z_DEFLATED, - window_bits, mem_level, Z_DEFAULT_STRATEGY); - } - if (err!=Z_OK) { - gnutls_assert(); - gnutls_free( ret->handle); - goto cleanup_ret; - } - break; + case GNUTLS_COMP_DEFLATE:{ + int window_bits, mem_level; + int comp_level; + z_stream *zhandle; + + window_bits = _gnutls_compression_get_wbits(method); + mem_level = _gnutls_compression_get_mem_level(method); + comp_level = _gnutls_compression_get_comp_level(method); + + ret->handle = gnutls_malloc(sizeof(z_stream)); + if (ret->handle == NULL) { + gnutls_assert(); + goto cleanup_ret; + } + + zhandle = ret->handle; + + zhandle->zalloc = (alloc_func) 0; + zhandle->zfree = (free_func) 0; + zhandle->opaque = (voidpf) 0; + + if (d) + err = inflateInit2(zhandle, window_bits); + else { + err = deflateInit2(zhandle, + comp_level, Z_DEFLATED, + window_bits, mem_level, + Z_DEFAULT_STRATEGY); + } + if (err != Z_OK) { + gnutls_assert(); + gnutls_free(ret->handle); + goto cleanup_ret; } + break; + } #endif #ifdef USE_LZO - case GNUTLS_COMP_LZO: - if (d) /* LZO does not use memory on decompressor */ - { /* ret->handle = NULL; */ } - else { - ret->handle = gnutls_malloc( LZO1X_1_MEM_COMPRESS); - - if (ret->handle==NULL) { - gnutls_assert(); - cleanup_ret: - gnutls_free(ret); - return NULL; - } - } - - break; -#endif - case GNUTLS_COMP_NULL: - break; + case GNUTLS_COMP_LZO: + if (d) { /* LZO does not use memory on decompressor *//* ret->handle = NULL; */ + } else { + ret->handle = gnutls_malloc(LZO1X_1_MEM_COMPRESS); + + if (ret->handle == NULL) { + gnutls_assert(); + cleanup_ret: + gnutls_free(ret); + return NULL; + } } - return ret; + + break; +#endif + case GNUTLS_COMP_NULL: + break; + } + return ret; } -void _gnutls_comp_deinit(comp_hd_t handle, int d) { -int err; +void _gnutls_comp_deinit(comp_hd_t handle, int d) +{ + int err; - if (handle!=NULL) { - switch( handle->algo) { + if (handle != NULL) { + switch (handle->algo) { #ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: - if (d) - err = inflateEnd( handle->handle); - else - err = deflateEnd( handle->handle); - break; + case GNUTLS_COMP_DEFLATE: + if (d) + err = inflateEnd(handle->handle); + else + err = deflateEnd(handle->handle); + break; #endif - default: - break; - } - gnutls_free( handle->handle); - gnutls_free( handle); - + default: + break; } + gnutls_free(handle->handle); + gnutls_free(handle); + + } } /* These functions are memory consuming */ -int _gnutls_compress( comp_hd_t handle, const opaque* plain, size_t plain_size, - opaque** compressed, size_t max_comp_size) +int _gnutls_compress(comp_hd_t handle, const opaque * plain, + size_t plain_size, opaque ** compressed, + size_t max_comp_size) { -int compressed_size=GNUTLS_E_COMPRESSION_FAILED; -int err; + int compressed_size = GNUTLS_E_COMPRESSION_FAILED; + int err; - /* NULL compression is not handled here - */ - - switch( handle->algo) { + /* NULL compression is not handled here + */ + + switch (handle->algo) { #ifdef USE_LZO - case GNUTLS_COMP_LZO: { - lzo_uint out_len; - size_t size; - - if ( _gnutls_lzo1x_1_compress == NULL) - return GNUTLS_E_COMPRESSION_FAILED; - - size = plain_size + plain_size / 64 + 16 + 3; - *compressed = gnutls_malloc(size); - if (*compressed==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - err = _gnutls_lzo1x_1_compress( plain, plain_size, *compressed, - &out_len, handle->handle); - - if (err!=LZO_E_OK) { - gnutls_assert(); - gnutls_free( *compressed); *compressed = NULL; - return GNUTLS_E_COMPRESSION_FAILED; - } - - compressed_size = out_len; - break; - } + case GNUTLS_COMP_LZO:{ + lzo_uint out_len; + size_t size; + + if (_gnutls_lzo1x_1_compress == NULL) + return GNUTLS_E_COMPRESSION_FAILED; + + size = plain_size + plain_size / 64 + 16 + 3; + *compressed = gnutls_malloc(size); + if (*compressed == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + err = _gnutls_lzo1x_1_compress(plain, plain_size, *compressed, + &out_len, handle->handle); + + if (err != LZO_E_OK) { + gnutls_assert(); + gnutls_free(*compressed); + *compressed = NULL; + return GNUTLS_E_COMPRESSION_FAILED; + } + + compressed_size = out_len; + break; + } #endif #ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: { - uLongf size; - z_stream *zhandle; - - size = (plain_size+plain_size)+10; - *compressed = gnutls_malloc(size); - if (*compressed==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - zhandle = handle->handle; - - zhandle->next_in = (Bytef*) plain; - zhandle->avail_in = plain_size; - zhandle->next_out = (Bytef*) *compressed; - zhandle->avail_out = size; - - err = deflate( zhandle, Z_SYNC_FLUSH); - - if (err!=Z_OK || zhandle->avail_in != 0) { - gnutls_assert(); - gnutls_free( *compressed); *compressed = NULL; - return GNUTLS_E_COMPRESSION_FAILED; - } - - compressed_size = size - zhandle->avail_out; - break; - } + case GNUTLS_COMP_DEFLATE:{ + uLongf size; + z_stream *zhandle; + + size = (plain_size + plain_size) + 10; + *compressed = gnutls_malloc(size); + if (*compressed == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + zhandle = handle->handle; + + zhandle->next_in = (Bytef *) plain; + zhandle->avail_in = plain_size; + zhandle->next_out = (Bytef *) * compressed; + zhandle->avail_out = size; + + err = deflate(zhandle, Z_SYNC_FLUSH); + + if (err != Z_OK || zhandle->avail_in != 0) { + gnutls_assert(); + gnutls_free(*compressed); + *compressed = NULL; + return GNUTLS_E_COMPRESSION_FAILED; + } + + compressed_size = size - zhandle->avail_out; + break; + } #endif - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } /* switch */ + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } /* switch */ #ifdef COMPRESSION_DEBUG - _gnutls_debug_log("Compression ratio: %f\n", (float)((float)compressed_size / (float)plain_size)); + _gnutls_debug_log("Compression ratio: %f\n", + (float) ((float) compressed_size / + (float) plain_size)); #endif - if ((size_t)compressed_size > max_comp_size) { - gnutls_free(*compressed); *compressed = NULL; - return GNUTLS_E_COMPRESSION_FAILED; - } + if ((size_t) compressed_size > max_comp_size) { + gnutls_free(*compressed); + *compressed = NULL; + return GNUTLS_E_COMPRESSION_FAILED; + } - return compressed_size; + return compressed_size; } -int _gnutls_decompress( comp_hd_t handle, opaque* compressed, size_t compressed_size, - opaque** plain, size_t max_record_size) +int _gnutls_decompress(comp_hd_t handle, opaque * compressed, + size_t compressed_size, opaque ** plain, + size_t max_record_size) { -int plain_size=GNUTLS_E_DECOMPRESSION_FAILED, err; -int cur_pos; + int plain_size = GNUTLS_E_DECOMPRESSION_FAILED, err; + int cur_pos; - if (compressed_size > max_record_size+EXTRA_COMP_SIZE) { - gnutls_assert(); - return GNUTLS_E_DECOMPRESSION_FAILED; - } + if (compressed_size > max_record_size + EXTRA_COMP_SIZE) { + gnutls_assert(); + return GNUTLS_E_DECOMPRESSION_FAILED; + } + + /* NULL compression is not handled here + */ - /* NULL compression is not handled here - */ - - switch(handle->algo) { + switch (handle->algo) { #ifdef USE_LZO - case GNUTLS_COMP_LZO: { - lzo_uint out_size; - lzo_uint new_size; - - if (_gnutls_lzo1x_decompress_safe == NULL) - return GNUTLS_E_DECOMPRESSION_FAILED; - - *plain = NULL; - out_size = compressed_size + compressed_size; - plain_size = 0; - - do { - out_size += 512; - *plain = gnutls_realloc_fast( *plain, out_size); - if (*plain==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - new_size = out_size; - err = _gnutls_lzo1x_decompress_safe(compressed,compressed_size, - *plain, &new_size,NULL); - - } while( (err==LZO_E_OUTPUT_OVERRUN && out_size < max_record_size)); - - if (err!=LZO_E_OK) { - gnutls_assert(); - gnutls_free( *plain); *plain = NULL; - return GNUTLS_E_DECOMPRESSION_FAILED; - } - - plain_size = new_size; - break; + case GNUTLS_COMP_LZO:{ + lzo_uint out_size; + lzo_uint new_size; + + if (_gnutls_lzo1x_decompress_safe == NULL) + return GNUTLS_E_DECOMPRESSION_FAILED; + + *plain = NULL; + out_size = compressed_size + compressed_size; + plain_size = 0; + + do { + out_size += 512; + *plain = gnutls_realloc_fast(*plain, out_size); + if (*plain == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + + new_size = out_size; + err = + _gnutls_lzo1x_decompress_safe(compressed, + compressed_size, *plain, + &new_size, NULL); + + } while ((err == LZO_E_OUTPUT_OVERRUN + && out_size < max_record_size)); + + if (err != LZO_E_OK) { + gnutls_assert(); + gnutls_free(*plain); + *plain = NULL; + return GNUTLS_E_DECOMPRESSION_FAILED; + } + + plain_size = new_size; + break; + } #endif #ifdef HAVE_LIBZ - case GNUTLS_COMP_DEFLATE: { - uLongf out_size; - z_stream* zhandle; - - *plain = NULL; - out_size = compressed_size + compressed_size; - plain_size = 0; - - zhandle = handle->handle; - - zhandle->next_in = (Bytef*) compressed; - zhandle->avail_in = compressed_size; - - cur_pos = 0; - - do { - out_size += 512; - *plain = gnutls_realloc_fast( *plain, out_size); - if (*plain==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - zhandle->next_out = (Bytef*) (*plain + cur_pos); - zhandle->avail_out = out_size - cur_pos; - - err = inflate( zhandle, Z_SYNC_FLUSH); - - cur_pos = out_size - zhandle->avail_out; - - } while( (err==Z_BUF_ERROR && zhandle->avail_out==0 && out_size < max_record_size) - || ( err==Z_OK && zhandle->avail_in != 0)); - - if (err!=Z_OK) { - gnutls_assert(); - gnutls_free( *plain); *plain = NULL; - return GNUTLS_E_DECOMPRESSION_FAILED; - } - - plain_size = out_size - zhandle->avail_out; - break; + case GNUTLS_COMP_DEFLATE:{ + uLongf out_size; + z_stream *zhandle; + + *plain = NULL; + out_size = compressed_size + compressed_size; + plain_size = 0; + + zhandle = handle->handle; + + zhandle->next_in = (Bytef *) compressed; + zhandle->avail_in = compressed_size; + + cur_pos = 0; + + do { + out_size += 512; + *plain = gnutls_realloc_fast(*plain, out_size); + if (*plain == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } -#endif - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } /* switch */ - if ((size_t)plain_size > max_record_size) { + zhandle->next_out = (Bytef *) (*plain + cur_pos); + zhandle->avail_out = out_size - cur_pos; + + err = inflate(zhandle, Z_SYNC_FLUSH); + + cur_pos = out_size - zhandle->avail_out; + + } while ((err == Z_BUF_ERROR && zhandle->avail_out == 0 + && out_size < max_record_size) + || (err == Z_OK && zhandle->avail_in != 0)); + + if (err != Z_OK) { gnutls_assert(); - gnutls_free( *plain); *plain = NULL; + gnutls_free(*plain); + *plain = NULL; return GNUTLS_E_DECOMPRESSION_FAILED; - } + } - return plain_size; + plain_size = out_size - zhandle->avail_out; + break; + } +#endif + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } /* switch */ + + if ((size_t) plain_size > max_record_size) { + gnutls_assert(); + gnutls_free(*plain); + *plain = NULL; + return GNUTLS_E_DECOMPRESSION_FAILED; + } + + return plain_size; } diff --git a/lib/gnutls_compress_int.h b/lib/gnutls_compress_int.h index 7c1bfd404a..f285ce828f 100644 --- a/lib/gnutls_compress_int.h +++ b/lib/gnutls_compress_int.h @@ -28,14 +28,17 @@ #define GNUTLS_COMP_FAILED NULL typedef struct comp_hd_t_STRUCT { - void* handle; - gnutls_compression_method algo; + void *handle; + gnutls_compression_method algo; } *comp_hd_t; -comp_hd_t _gnutls_comp_init( gnutls_compression_method, int d); +comp_hd_t _gnutls_comp_init(gnutls_compression_method, int d); void _gnutls_comp_deinit(comp_hd_t handle, int d); -int _gnutls_decompress( comp_hd_t handle, opaque* compressed, size_t compressed_size, opaque** plain, size_t max_record_size); -int _gnutls_compress( comp_hd_t, const opaque* plain, size_t plain_size, opaque** compressed, size_t max_comp_size); +int _gnutls_decompress(comp_hd_t handle, opaque * compressed, + size_t compressed_size, opaque ** plain, + size_t max_record_size); +int _gnutls_compress(comp_hd_t, const opaque * plain, size_t plain_size, + opaque ** compressed, size_t max_comp_size); #endif diff --git a/lib/gnutls_constate.c b/lib/gnutls_constate.c index 768a0b6c4d..78fee15e2b 100644 --- a/lib/gnutls_constate.c +++ b/lib/gnutls_constate.c @@ -58,337 +58,335 @@ int _gnutls_set_keys(gnutls_session session, int hash_size, int IV_size, /* FIXME: This function is too long */ - opaque *key_block; - opaque random[2 * TLS_RANDOM_SIZE]; - opaque rrandom[2 * TLS_RANDOM_SIZE]; - int pos, ret; - int block_size; - char buf[64]; - - if (session->cipher_specs.generated_keys != 0) { - /* keys have already been generated. - * reset generated_keys and exit normally. - */ - session->cipher_specs.generated_keys = 0; - return 0; + opaque *key_block; + opaque random[2 * TLS_RANDOM_SIZE]; + opaque rrandom[2 * TLS_RANDOM_SIZE]; + int pos, ret; + int block_size; + char buf[64]; + + if (session->cipher_specs.generated_keys != 0) { + /* keys have already been generated. + * reset generated_keys and exit normally. + */ + session->cipher_specs.generated_keys = 0; + return 0; + } + + block_size = 2 * hash_size + 2 * key_size; + if (export_flag == 0) + block_size += 2 * IV_size; + + key_block = gnutls_secure_malloc(block_size); + if (key_block == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + memcpy(random, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + memcpy(&random[TLS_RANDOM_SIZE], + session->security_parameters.client_random, TLS_RANDOM_SIZE); + + memcpy(rrandom, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + memcpy(&rrandom[TLS_RANDOM_SIZE], + session->security_parameters.server_random, TLS_RANDOM_SIZE); + + if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ + ret = + _gnutls_ssl3_generate_random(session-> + security_parameters. + master_secret, + TLS_MASTER_SIZE, random, + 2 * TLS_RANDOM_SIZE, + block_size, key_block); + } else { /* TLS 1.0 */ + ret = + _gnutls_PRF(session->security_parameters.master_secret, + TLS_MASTER_SIZE, keyexp, keyexp_length, + random, 2 * TLS_RANDOM_SIZE, block_size, + key_block); + } + + if (ret < 0) { + gnutls_assert(); + gnutls_free(key_block); + return ret; + } + + _gnutls_hard_log("INT: KEY BLOCK[%d]: %s\n", block_size, + _gnutls_bin2hex(key_block, block_size, buf, + sizeof(buf))); + + pos = 0; + if (hash_size > 0) { + if (_gnutls_sset_datum + (&session->cipher_specs.client_write_mac_secret, + &key_block[pos], hash_size) < 0) { + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; + } + pos += hash_size; + + if (_gnutls_sset_datum + (&session->cipher_specs.server_write_mac_secret, + &key_block[pos], hash_size) < 0) { + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; } + pos += hash_size; + } + + if (key_size > 0) { + opaque *client_write_key, *server_write_key; + int client_write_key_size, server_write_key_size; + int free_keys = 0; + + if (export_flag == 0) { + client_write_key = &key_block[pos]; + client_write_key_size = key_size; + + pos += key_size; - block_size = 2 * hash_size + 2 * key_size; - if (export_flag == 0) - block_size += 2 * IV_size; + server_write_key = &key_block[pos]; + server_write_key_size = key_size; - key_block = gnutls_secure_malloc(block_size); - if (key_block == NULL) { + pos += key_size; + + } else { /* export */ + free_keys = 1; + + client_write_key = gnutls_secure_malloc(EXPORT_FINAL_KEY_SIZE); + if (client_write_key == NULL) { gnutls_assert(); + gnutls_free(key_block); return GNUTLS_E_MEMORY_ERROR; - } + } - memcpy(random, session->security_parameters.server_random, - TLS_RANDOM_SIZE); - memcpy(&random[TLS_RANDOM_SIZE], - session->security_parameters.client_random, TLS_RANDOM_SIZE); + server_write_key = gnutls_secure_malloc(EXPORT_FINAL_KEY_SIZE); + if (server_write_key == NULL) { + gnutls_assert(); + gnutls_free(key_block); + gnutls_free(client_write_key); + return GNUTLS_E_MEMORY_ERROR; + } - memcpy(rrandom, session->security_parameters.client_random, - TLS_RANDOM_SIZE); - memcpy(&rrandom[TLS_RANDOM_SIZE], - session->security_parameters.server_random, TLS_RANDOM_SIZE); + /* generate the final keys */ - if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ + if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ ret = - _gnutls_ssl3_generate_random(session-> - security_parameters. - master_secret, - TLS_MASTER_SIZE, random, - 2 * TLS_RANDOM_SIZE, - block_size, key_block); - } else { /* TLS 1.0 */ + _gnutls_ssl3_hash_md5(&key_block[pos], + key_size, rrandom, + 2 * TLS_RANDOM_SIZE, + EXPORT_FINAL_KEY_SIZE, + client_write_key); + + } else { /* TLS 1.0 */ ret = - _gnutls_PRF(session->security_parameters.master_secret, - TLS_MASTER_SIZE, keyexp, keyexp_length, - random, 2 * TLS_RANDOM_SIZE, block_size, - key_block); - } + _gnutls_PRF(&key_block[pos], key_size, + cliwrite, cliwrite_length, + rrandom, + 2 * TLS_RANDOM_SIZE, + EXPORT_FINAL_KEY_SIZE, client_write_key); + } + + if (ret < 0) { + gnutls_assert(); + gnutls_free(key_block); + gnutls_free(server_write_key); + gnutls_free(client_write_key); + return ret; + } - if (ret < 0) { + client_write_key_size = EXPORT_FINAL_KEY_SIZE; + pos += key_size; + + if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ + ret = + _gnutls_ssl3_hash_md5(&key_block[pos], key_size, + random, 2 * TLS_RANDOM_SIZE, + EXPORT_FINAL_KEY_SIZE, + server_write_key); + } else { /* TLS 1.0 */ + ret = + _gnutls_PRF(&key_block[pos], key_size, + servwrite, servwrite_length, + rrandom, 2 * TLS_RANDOM_SIZE, + EXPORT_FINAL_KEY_SIZE, server_write_key); + } + + if (ret < 0) { gnutls_assert(); gnutls_free(key_block); + gnutls_free(server_write_key); + gnutls_free(client_write_key); return ret; + } + + server_write_key_size = EXPORT_FINAL_KEY_SIZE; + pos += key_size; } - _gnutls_hard_log("INT: KEY BLOCK[%d]: %s\n", block_size, - _gnutls_bin2hex(key_block, block_size, buf, sizeof(buf))); - - pos = 0; - if (hash_size > 0) { - if (_gnutls_sset_datum - (&session->cipher_specs.client_write_mac_secret, - &key_block[pos], hash_size) < 0) { - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - pos += hash_size; - - if (_gnutls_sset_datum - (&session->cipher_specs.server_write_mac_secret, - &key_block[pos], hash_size) < 0) { - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - pos += hash_size; + if (_gnutls_sset_datum + (&session->cipher_specs.client_write_key, + client_write_key, client_write_key_size) < 0) { + gnutls_free(key_block); + gnutls_free(server_write_key); + gnutls_free(client_write_key); + return GNUTLS_E_MEMORY_ERROR; } + _gnutls_hard_log("INT: CLIENT WRITE KEY [%d]: %s\n", + client_write_key_size, + _gnutls_bin2hex(client_write_key, + client_write_key_size, buf, + sizeof(buf))); + + if (_gnutls_sset_datum + (&session->cipher_specs.server_write_key, + server_write_key, server_write_key_size) < 0) { + gnutls_free(key_block); + gnutls_free(server_write_key); + gnutls_free(client_write_key); + return GNUTLS_E_MEMORY_ERROR; + } + + _gnutls_hard_log("INT: SERVER WRITE KEY [%d]: %s\n", + server_write_key_size, + _gnutls_bin2hex(server_write_key, + server_write_key_size, buf, + sizeof(buf))); - if (key_size > 0) { - opaque *client_write_key, *server_write_key; - int client_write_key_size, server_write_key_size; - int free_keys = 0; - - if (export_flag == 0) { - client_write_key = &key_block[pos]; - client_write_key_size = key_size; - - pos += key_size; - - server_write_key = &key_block[pos]; - server_write_key_size = key_size; - - pos += key_size; - - } else { /* export */ - free_keys = 1; - - client_write_key = - gnutls_secure_malloc(EXPORT_FINAL_KEY_SIZE); - if (client_write_key == NULL) { - gnutls_assert(); - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - - server_write_key = - gnutls_secure_malloc(EXPORT_FINAL_KEY_SIZE); - if (server_write_key == NULL) { - gnutls_assert(); - gnutls_free(key_block); - gnutls_free(client_write_key); - return GNUTLS_E_MEMORY_ERROR; - } - - /* generate the final keys */ - - if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ - ret = - _gnutls_ssl3_hash_md5(&key_block[pos], - key_size, rrandom, - 2 * TLS_RANDOM_SIZE, - EXPORT_FINAL_KEY_SIZE, - client_write_key); - - } else { /* TLS 1.0 */ - ret = - _gnutls_PRF(&key_block[pos], key_size, - cliwrite, cliwrite_length, - rrandom, - 2 * TLS_RANDOM_SIZE, - EXPORT_FINAL_KEY_SIZE, - client_write_key); - } - - if (ret < 0) { - gnutls_assert(); - gnutls_free(key_block); - gnutls_free(server_write_key); - gnutls_free(client_write_key); - return ret; - } - - client_write_key_size = EXPORT_FINAL_KEY_SIZE; - pos += key_size; - - if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ - ret = - _gnutls_ssl3_hash_md5(&key_block[pos], key_size, - random, 2 * TLS_RANDOM_SIZE, - EXPORT_FINAL_KEY_SIZE, - server_write_key); - } else { /* TLS 1.0 */ - ret = - _gnutls_PRF(&key_block[pos], key_size, - servwrite, servwrite_length, - rrandom, 2 * TLS_RANDOM_SIZE, - EXPORT_FINAL_KEY_SIZE, - server_write_key); - } - - if (ret < 0) { - gnutls_assert(); - gnutls_free(key_block); - gnutls_free(server_write_key); - gnutls_free(client_write_key); - return ret; - } - - server_write_key_size = EXPORT_FINAL_KEY_SIZE; - pos += key_size; - } - - if (_gnutls_sset_datum - (&session->cipher_specs.client_write_key, - client_write_key, client_write_key_size) < 0) { - gnutls_free(key_block); - gnutls_free(server_write_key); - gnutls_free(client_write_key); - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_hard_log("INT: CLIENT WRITE KEY [%d]: %s\n", - client_write_key_size, - _gnutls_bin2hex(client_write_key, - client_write_key_size, buf, sizeof(buf))); - - if (_gnutls_sset_datum - (&session->cipher_specs.server_write_key, - server_write_key, server_write_key_size) < 0) { - gnutls_free(key_block); - gnutls_free(server_write_key); - gnutls_free(client_write_key); - return GNUTLS_E_MEMORY_ERROR; - } - - _gnutls_hard_log("INT: SERVER WRITE KEY [%d]: %s\n", - server_write_key_size, - _gnutls_bin2hex(server_write_key, - server_write_key_size, buf, sizeof(buf))); - - if (free_keys != 0) { - gnutls_free(server_write_key); - gnutls_free(client_write_key); - } + if (free_keys != 0) { + gnutls_free(server_write_key); + gnutls_free(client_write_key); } + } - /* IV generation in export and non export ciphers. - */ - if (IV_size > 0 && export_flag == 0) { - if (_gnutls_sset_datum - (&session->cipher_specs.client_write_IV, &key_block[pos], - IV_size) < 0) { - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - pos += IV_size; - - if (_gnutls_sset_datum - (&session->cipher_specs.server_write_IV, &key_block[pos], - IV_size) < 0) { - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - pos += IV_size; - - } else if (IV_size > 0 && export_flag != 0) { - opaque *iv_block = gnutls_alloca(IV_size * 2); - if (iv_block == NULL) { - gnutls_assert(); - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - - if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ - ret = - _gnutls_ssl3_hash_md5( "", 0, - rrandom, TLS_RANDOM_SIZE*2, - IV_size, iv_block); - - if (ret < 0) { - gnutls_assert(); - gnutls_free(key_block); - gnutls_afree(iv_block); - return ret; - } - - ret = - _gnutls_ssl3_hash_md5( "", 0, random, - TLS_RANDOM_SIZE*2, - IV_size, &iv_block[IV_size]); - - } else { /* TLS 1.0 */ - ret = - _gnutls_PRF( "", 0, - ivblock, ivblock_length, rrandom, - 2 * TLS_RANDOM_SIZE, IV_size * 2, - iv_block); - } - - if (ret < 0) { - gnutls_assert(); - gnutls_afree(iv_block); - gnutls_free(key_block); - return ret; - } - - if (_gnutls_sset_datum - (&session->cipher_specs.client_write_IV, iv_block, - IV_size) < 0) { - gnutls_afree(iv_block); - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } - - if (_gnutls_sset_datum - (&session->cipher_specs.server_write_IV, - &iv_block[IV_size], IV_size) < 0) { - gnutls_afree(iv_block); - gnutls_free(key_block); - return GNUTLS_E_MEMORY_ERROR; - } + /* IV generation in export and non export ciphers. + */ + if (IV_size > 0 && export_flag == 0) { + if (_gnutls_sset_datum + (&session->cipher_specs.client_write_IV, &key_block[pos], + IV_size) < 0) { + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; + } + pos += IV_size; + + if (_gnutls_sset_datum + (&session->cipher_specs.server_write_IV, &key_block[pos], + IV_size) < 0) { + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; + } + pos += IV_size; + + } else if (IV_size > 0 && export_flag != 0) { + opaque *iv_block = gnutls_alloca(IV_size * 2); + if (iv_block == NULL) { + gnutls_assert(); + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; + } + if (session->security_parameters.version == GNUTLS_SSL3) { /* SSL 3 */ + ret = + _gnutls_ssl3_hash_md5("", 0, + rrandom, TLS_RANDOM_SIZE * 2, + IV_size, iv_block); + + if (ret < 0) { + gnutls_assert(); + gnutls_free(key_block); gnutls_afree(iv_block); + return ret; + } + + ret = + _gnutls_ssl3_hash_md5("", 0, random, + TLS_RANDOM_SIZE * 2, + IV_size, &iv_block[IV_size]); + + } else { /* TLS 1.0 */ + ret = + _gnutls_PRF("", 0, + ivblock, ivblock_length, rrandom, + 2 * TLS_RANDOM_SIZE, IV_size * 2, iv_block); } - gnutls_free(key_block); + if (ret < 0) { + gnutls_assert(); + gnutls_afree(iv_block); + gnutls_free(key_block); + return ret; + } - session->cipher_specs.generated_keys = 1; + if (_gnutls_sset_datum + (&session->cipher_specs.client_write_IV, iv_block, + IV_size) < 0) { + gnutls_afree(iv_block); + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; + } - return 0; + if (_gnutls_sset_datum + (&session->cipher_specs.server_write_IV, + &iv_block[IV_size], IV_size) < 0) { + gnutls_afree(iv_block); + gnutls_free(key_block); + return GNUTLS_E_MEMORY_ERROR; + } + + gnutls_afree(iv_block); + } + + gnutls_free(key_block); + + session->cipher_specs.generated_keys = 1; + + return 0; } int _gnutls_set_read_keys(gnutls_session session) { - int hash_size; - int IV_size; - int key_size, export_flag; - gnutls_cipher_algorithm algo; - gnutls_mac_algorithm mac_algo; - - mac_algo = session->security_parameters.read_mac_algorithm; - algo = session->security_parameters.read_bulk_cipher_algorithm; - - hash_size = _gnutls_hash_get_algo_len(mac_algo); - IV_size = _gnutls_cipher_get_iv_size(algo); - key_size = gnutls_cipher_get_key_size(algo); - export_flag = _gnutls_cipher_get_export_flag(algo); - - return _gnutls_set_keys(session, hash_size, IV_size, key_size, - export_flag); + int hash_size; + int IV_size; + int key_size, export_flag; + gnutls_cipher_algorithm algo; + gnutls_mac_algorithm mac_algo; + + mac_algo = session->security_parameters.read_mac_algorithm; + algo = session->security_parameters.read_bulk_cipher_algorithm; + + hash_size = _gnutls_hash_get_algo_len(mac_algo); + IV_size = _gnutls_cipher_get_iv_size(algo); + key_size = gnutls_cipher_get_key_size(algo); + export_flag = _gnutls_cipher_get_export_flag(algo); + + return _gnutls_set_keys(session, hash_size, IV_size, key_size, + export_flag); } int _gnutls_set_write_keys(gnutls_session session) { - int hash_size; - int IV_size; - int key_size, export_flag; - gnutls_cipher_algorithm algo; - gnutls_mac_algorithm mac_algo; - - mac_algo = session->security_parameters.write_mac_algorithm; - algo = session->security_parameters.write_bulk_cipher_algorithm; - - hash_size = _gnutls_hash_get_algo_len(mac_algo); - IV_size = _gnutls_cipher_get_iv_size(algo); - key_size = gnutls_cipher_get_key_size(algo); - export_flag = _gnutls_cipher_get_export_flag(algo); - - return _gnutls_set_keys(session, hash_size, IV_size, key_size, - export_flag); + int hash_size; + int IV_size; + int key_size, export_flag; + gnutls_cipher_algorithm algo; + gnutls_mac_algorithm mac_algo; + + mac_algo = session->security_parameters.write_mac_algorithm; + algo = session->security_parameters.write_bulk_cipher_algorithm; + + hash_size = _gnutls_hash_get_algo_len(mac_algo); + IV_size = _gnutls_cipher_get_iv_size(algo); + key_size = gnutls_cipher_get_key_size(algo); + export_flag = _gnutls_cipher_get_export_flag(algo); + + return _gnutls_set_keys(session, hash_size, IV_size, key_size, + export_flag); } #define CPY_COMMON dst->entity = src->entity; \ @@ -406,26 +404,28 @@ int _gnutls_set_write_keys(gnutls_session session) dst->version = src->version; \ memcpy( &dst->extensions, &src->extensions, sizeof(tls_ext_st)); -static void _gnutls_cpy_read_security_parameters(security_parameters_st * dst, - security_parameters_st * src) +static void _gnutls_cpy_read_security_parameters(security_parameters_st * + dst, + security_parameters_st * + src) { - CPY_COMMON; + CPY_COMMON; - dst->read_bulk_cipher_algorithm = src->read_bulk_cipher_algorithm; - dst->read_mac_algorithm = src->read_mac_algorithm; - dst->read_compression_algorithm = src->read_compression_algorithm; + dst->read_bulk_cipher_algorithm = src->read_bulk_cipher_algorithm; + dst->read_mac_algorithm = src->read_mac_algorithm; + dst->read_compression_algorithm = src->read_compression_algorithm; } -static void _gnutls_cpy_write_security_parameters(security_parameters_st * dst, - security_parameters_st * src) +static void _gnutls_cpy_write_security_parameters(security_parameters_st * + dst, + security_parameters_st * + src) { - CPY_COMMON; + CPY_COMMON; - dst->write_bulk_cipher_algorithm = - src->write_bulk_cipher_algorithm; - dst->write_mac_algorithm = src->write_mac_algorithm; - dst->write_compression_algorithm = - src->write_compression_algorithm; + dst->write_bulk_cipher_algorithm = src->write_bulk_cipher_algorithm; + dst->write_mac_algorithm = src->write_mac_algorithm; + dst->write_compression_algorithm = src->write_compression_algorithm; } /* Sets the current connection session to conform with the @@ -436,17 +436,17 @@ static void _gnutls_cpy_write_security_parameters(security_parameters_st * dst, */ int _gnutls_connection_state_init(gnutls_session session) { - int ret; + int ret; /* Setup the master secret */ - if ((ret = _gnutls_generate_master(session, 0), 0) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_generate_master(session, 0), 0) < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } @@ -455,179 +455,176 @@ int _gnutls_connection_state_init(gnutls_session session) */ int _gnutls_read_connection_state_init(gnutls_session session) { - int mac_size; - int rc; + int mac_size; + int rc; - _gnutls_uint64zero(session->connection_state.read_sequence_number); + _gnutls_uint64zero(session->connection_state.read_sequence_number); /* Update internals from CipherSuite selected. * If we are resuming just copy the connection session */ - if (session->internals.resumed == RESUME_FALSE) { - rc = _gnutls_set_read_cipher(session, - _gnutls_cipher_suite_get_cipher_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - rc = _gnutls_set_read_mac(session, - _gnutls_cipher_suite_get_mac_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - - rc = _gnutls_set_kx(session, - _gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - - rc = _gnutls_set_read_compression(session, - session->internals. - compression_method); - if (rc < 0) - return rc; - } else { /* RESUME_TRUE */ - _gnutls_cpy_read_security_parameters(&session-> - security_parameters, - &session-> - internals. - resumed_security_parameters); - } - + if (session->internals.resumed == RESUME_FALSE) { + rc = _gnutls_set_read_cipher(session, + _gnutls_cipher_suite_get_cipher_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) + return rc; + rc = _gnutls_set_read_mac(session, + _gnutls_cipher_suite_get_mac_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) + return rc; - rc = _gnutls_set_read_keys(session); + rc = _gnutls_set_kx(session, + _gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); if (rc < 0) - return rc; + return rc; - _gnutls_handshake_log("HSK[%x]: Cipher Suite: %s\n", - session, _gnutls_cipher_suite_get_name(&session-> - security_parameters. - current_cipher_suite)); + rc = _gnutls_set_read_compression(session, + session->internals. + compression_method); + if (rc < 0) + return rc; + } else { /* RESUME_TRUE */ + _gnutls_cpy_read_security_parameters(&session-> + security_parameters, + &session-> + internals. + resumed_security_parameters); + } + + + rc = _gnutls_set_read_keys(session); + if (rc < 0) + return rc; + + _gnutls_handshake_log("HSK[%x]: Cipher Suite: %s\n", + session, _gnutls_cipher_suite_get_name(&session-> + security_parameters. + current_cipher_suite)); + + if (_gnutls_compression_is_ok + (session->security_parameters.read_compression_algorithm) != 0) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + + if (_gnutls_mac_is_ok + (session->security_parameters.read_mac_algorithm) != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* Free all the previous keys/ sessions etc. + */ + if (session->connection_state.read_mac_secret.data != NULL) + _gnutls_free_datum(&session->connection_state.read_mac_secret); + + if (session->connection_state.read_cipher_state != NULL) + _gnutls_cipher_deinit(session->connection_state.read_cipher_state); + + if (session->connection_state.read_compression_state != NULL) + _gnutls_comp_deinit(session->connection_state. + read_compression_state, 1); + + + mac_size = + _gnutls_hash_get_algo_len(session->security_parameters. + read_mac_algorithm); + + _gnutls_handshake_log + ("HSK[%x]: Initializing internal [read] cipher sessions\n", + session); + + switch (session->security_parameters.entity) { + case GNUTLS_SERVER: + /* initialize cipher session + */ + session->connection_state.read_cipher_state = + _gnutls_cipher_init(session->security_parameters. + read_bulk_cipher_algorithm, + &session->cipher_specs. + client_write_key, + &session->cipher_specs.client_write_IV); + if (session->connection_state.read_cipher_state == + GNUTLS_CIPHER_FAILED + && session->security_parameters. + read_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - if (_gnutls_compression_is_ok - (session->security_parameters.read_compression_algorithm) != 0) { + /* copy mac secrets from cipherspecs, to connection + * session. + */ + if (mac_size > 0) { + if (_gnutls_sset_datum(&session->connection_state. + read_mac_secret, + session->cipher_specs. + client_write_mac_secret.data, + session->cipher_specs. + client_write_mac_secret.size) < 0) { gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + return GNUTLS_E_MEMORY_ERROR; + } + } - if (_gnutls_mac_is_ok - (session->security_parameters.read_mac_algorithm) != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + break; + + case GNUTLS_CLIENT: + session->connection_state.read_cipher_state = + _gnutls_cipher_init(session->security_parameters. + read_bulk_cipher_algorithm, + &session->cipher_specs. + server_write_key, + &session->cipher_specs.server_write_IV); + + if (session->connection_state.read_cipher_state == + GNUTLS_CIPHER_FAILED + && session->security_parameters. + read_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - /* Free all the previous keys/ sessions etc. + + /* copy mac secret to connection session */ - if (session->connection_state.read_mac_secret.data != NULL) - _gnutls_free_datum(&session->connection_state. - read_mac_secret); - - if (session->connection_state.read_cipher_state != NULL) - _gnutls_cipher_deinit(session->connection_state. - read_cipher_state); - - if (session->connection_state.read_compression_state != NULL) - _gnutls_comp_deinit(session->connection_state. - read_compression_state, 1); - - - mac_size = - _gnutls_hash_get_algo_len(session->security_parameters. - read_mac_algorithm); - - _gnutls_handshake_log - ("HSK[%x]: Initializing internal [read] cipher sessions\n", session); - - switch (session->security_parameters.entity) { - case GNUTLS_SERVER: - /* initialize cipher session - */ - session->connection_state.read_cipher_state = - _gnutls_cipher_init(session->security_parameters. - read_bulk_cipher_algorithm, - &session->cipher_specs. - client_write_key, - &session->cipher_specs. - client_write_IV); - if (session->connection_state.read_cipher_state == - GNUTLS_CIPHER_FAILED - && session->security_parameters. - read_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* copy mac secrets from cipherspecs, to connection - * session. - */ - if (mac_size > 0) { - if (_gnutls_sset_datum(&session->connection_state. - read_mac_secret, - session->cipher_specs. - client_write_mac_secret.data, - session->cipher_specs. - client_write_mac_secret.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - } - - break; - - case GNUTLS_CLIENT: - session->connection_state.read_cipher_state = - _gnutls_cipher_init(session->security_parameters. - read_bulk_cipher_algorithm, - &session->cipher_specs. - server_write_key, - &session->cipher_specs. - server_write_IV); - - if (session->connection_state.read_cipher_state == - GNUTLS_CIPHER_FAILED - && session->security_parameters. - read_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - - /* copy mac secret to connection session - */ - if (mac_size > 0) { - if (_gnutls_sset_datum(&session->connection_state. - read_mac_secret, - session->cipher_specs. - server_write_mac_secret.data, - session->cipher_specs. - server_write_mac_secret.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - } - - break; - - default: /* this check is useless */ + if (mac_size > 0) { + if (_gnutls_sset_datum(&session->connection_state. + read_mac_secret, + session->cipher_specs. + server_write_mac_secret.data, + session->cipher_specs. + server_write_mac_secret.size) < 0) { gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + return GNUTLS_E_MEMORY_ERROR; + } } - session->connection_state.read_compression_state = - _gnutls_comp_init(session->security_parameters. - read_compression_algorithm, 1); + break; - if (session->connection_state.read_compression_state == - GNUTLS_COMP_FAILED) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } + default: /* this check is useless */ + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - return 0; + session->connection_state.read_compression_state = + _gnutls_comp_init(session->security_parameters. + read_compression_algorithm, 1); + + if (session->connection_state.read_compression_state == + GNUTLS_COMP_FAILED) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + + return 0; } @@ -637,226 +634,223 @@ int _gnutls_read_connection_state_init(gnutls_session session) */ int _gnutls_write_connection_state_init(gnutls_session session) { - int mac_size; - int rc; + int mac_size; + int rc; - _gnutls_uint64zero(session->connection_state.write_sequence_number); + _gnutls_uint64zero(session->connection_state.write_sequence_number); /* Update internals from CipherSuite selected. * If we are resuming just copy the connection session */ - if (session->internals.resumed == RESUME_FALSE) { - rc = _gnutls_set_write_cipher(session, - _gnutls_cipher_suite_get_cipher_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - rc = _gnutls_set_write_mac(session, - _gnutls_cipher_suite_get_mac_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - - rc = _gnutls_set_kx(session, - _gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); - if (rc < 0) - return rc; - - rc = _gnutls_set_write_compression(session, - session->internals. - compression_method); - if (rc < 0) - return rc; - } else { /* RESUME_TRUE */ - _gnutls_cpy_write_security_parameters(&session-> - security_parameters, - &session-> - internals. - resumed_security_parameters); - } - - rc = _gnutls_set_write_keys(session); + if (session->internals.resumed == RESUME_FALSE) { + rc = _gnutls_set_write_cipher(session, + _gnutls_cipher_suite_get_cipher_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) + return rc; + rc = _gnutls_set_write_mac(session, + _gnutls_cipher_suite_get_mac_algo + (&session->security_parameters. + current_cipher_suite)); if (rc < 0) - return rc; + return rc; - _gnutls_handshake_log("HSK[%x]: Cipher Suite: %s\n", session, - _gnutls_cipher_suite_get_name(&session-> - security_parameters. - current_cipher_suite)); + rc = _gnutls_set_kx(session, + _gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); + if (rc < 0) + return rc; - if (_gnutls_compression_is_ok - (session->security_parameters.write_compression_algorithm) != - 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + rc = _gnutls_set_write_compression(session, + session->internals. + compression_method); + if (rc < 0) + return rc; + } else { /* RESUME_TRUE */ + _gnutls_cpy_write_security_parameters(&session-> + security_parameters, + &session-> + internals. + resumed_security_parameters); + } + + rc = _gnutls_set_write_keys(session); + if (rc < 0) + return rc; + + _gnutls_handshake_log("HSK[%x]: Cipher Suite: %s\n", session, + _gnutls_cipher_suite_get_name(&session-> + security_parameters. + current_cipher_suite)); + + if (_gnutls_compression_is_ok + (session->security_parameters.write_compression_algorithm) != 0) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + + if (_gnutls_mac_is_ok + (session->security_parameters.write_mac_algorithm) != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + + + /* Free all the previous keys/ sessions etc. + */ + if (session->connection_state.write_mac_secret.data != NULL) + _gnutls_free_datum(&session->connection_state.write_mac_secret); + + if (session->connection_state.write_cipher_state != NULL) + _gnutls_cipher_deinit(session->connection_state. + write_cipher_state); + + if (session->connection_state.write_compression_state != NULL) + _gnutls_comp_deinit(session->connection_state. + write_compression_state, 0); + + mac_size = + _gnutls_hash_get_algo_len(session->security_parameters. + write_mac_algorithm); + + _gnutls_handshake_log + ("HSK[%x]: Initializing internal [write] cipher sessions\n", + session); + + switch (session->security_parameters.entity) { + case GNUTLS_SERVER: + /* initialize cipher session + */ + session->connection_state.write_cipher_state = + _gnutls_cipher_init(session->security_parameters. + write_bulk_cipher_algorithm, + &session->cipher_specs. + server_write_key, + &session->cipher_specs.server_write_IV); + + if (session->connection_state.write_cipher_state == + GNUTLS_CIPHER_FAILED + && session->security_parameters. + write_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - if (_gnutls_mac_is_ok - (session->security_parameters.write_mac_algorithm) != 0) { + + /* copy mac secrets from cipherspecs, to connection + * session. + */ + if (mac_size > 0) { + if (_gnutls_sset_datum(&session->connection_state. + write_mac_secret, + session->cipher_specs. + server_write_mac_secret.data, + session->cipher_specs. + server_write_mac_secret.size) < 0) { gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + return GNUTLS_E_MEMORY_ERROR; + } + } + break; - /* Free all the previous keys/ sessions etc. + case GNUTLS_CLIENT: + session->connection_state.write_cipher_state = + _gnutls_cipher_init(session->security_parameters. + write_bulk_cipher_algorithm, + &session->cipher_specs. + client_write_key, + &session->cipher_specs.client_write_IV); + + if (session->connection_state.write_cipher_state == + GNUTLS_CIPHER_FAILED + && session->security_parameters. + write_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* copy mac secret to connection session */ - if (session->connection_state.write_mac_secret.data != NULL) - _gnutls_free_datum(&session->connection_state. - write_mac_secret); - - if (session->connection_state.write_cipher_state != NULL) - _gnutls_cipher_deinit(session->connection_state. - write_cipher_state); - - if (session->connection_state.write_compression_state != NULL) - _gnutls_comp_deinit(session->connection_state. - write_compression_state, 0); - - mac_size = - _gnutls_hash_get_algo_len(session->security_parameters. - write_mac_algorithm); - - _gnutls_handshake_log - ("HSK[%x]: Initializing internal [write] cipher sessions\n", session); - - switch (session->security_parameters.entity) { - case GNUTLS_SERVER: - /* initialize cipher session - */ - session->connection_state.write_cipher_state = - _gnutls_cipher_init(session->security_parameters. - write_bulk_cipher_algorithm, - &session->cipher_specs. - server_write_key, - &session->cipher_specs. - server_write_IV); - - if (session->connection_state.write_cipher_state == - GNUTLS_CIPHER_FAILED - && session->security_parameters. - write_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - - /* copy mac secrets from cipherspecs, to connection - * session. - */ - if (mac_size > 0) { - if (_gnutls_sset_datum(&session->connection_state. - write_mac_secret, - session->cipher_specs. - server_write_mac_secret.data, - session->cipher_specs. - server_write_mac_secret.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - } - - - break; - - case GNUTLS_CLIENT: - session->connection_state.write_cipher_state = - _gnutls_cipher_init(session->security_parameters. - write_bulk_cipher_algorithm, - &session->cipher_specs. - client_write_key, - &session->cipher_specs. - client_write_IV); - - if (session->connection_state.write_cipher_state == - GNUTLS_CIPHER_FAILED - && session->security_parameters. - write_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* copy mac secret to connection session - */ - if (mac_size > 0) { - if (_gnutls_sset_datum(&session->connection_state. - write_mac_secret, - session->cipher_specs. - client_write_mac_secret.data, - session->cipher_specs. - client_write_mac_secret.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - } - - break; - - default: + if (mac_size > 0) { + if (_gnutls_sset_datum(&session->connection_state. + write_mac_secret, + session->cipher_specs. + client_write_mac_secret.data, + session->cipher_specs. + client_write_mac_secret.size) < 0) { gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + return GNUTLS_E_MEMORY_ERROR; + } } + break; - session->connection_state.write_compression_state = - _gnutls_comp_init(session->security_parameters. - write_compression_algorithm, 0); + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - if (session->connection_state.write_compression_state == - GNUTLS_COMP_FAILED) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } - return 0; + session->connection_state.write_compression_state = + _gnutls_comp_init(session->security_parameters. + write_compression_algorithm, 0); + + if (session->connection_state.write_compression_state == + GNUTLS_COMP_FAILED) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + + return 0; } /* Sets the specified cipher into the pending session */ -int _gnutls_set_read_cipher(gnutls_session session, gnutls_cipher_algorithm algo) +int _gnutls_set_read_cipher(gnutls_session session, + gnutls_cipher_algorithm algo) { - if (_gnutls_cipher_is_ok(algo) == 0) { - if (_gnutls_cipher_priority(session, algo) < 0) { - gnutls_assert(); - return GNUTLS_E_UNWANTED_ALGORITHM; - } + if (_gnutls_cipher_is_ok(algo) == 0) { + if (_gnutls_cipher_priority(session, algo) < 0) { + gnutls_assert(); + return GNUTLS_E_UNWANTED_ALGORITHM; + } - session->security_parameters.read_bulk_cipher_algorithm = - algo; + session->security_parameters.read_bulk_cipher_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + } else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - return 0; + return 0; } -int _gnutls_set_write_cipher(gnutls_session session, gnutls_cipher_algorithm algo) +int _gnutls_set_write_cipher(gnutls_session session, + gnutls_cipher_algorithm algo) { - if (_gnutls_cipher_is_ok(algo) == 0) { - if (_gnutls_cipher_priority(session, algo) < 0) { - gnutls_assert(); - return GNUTLS_E_UNWANTED_ALGORITHM; - } + if (_gnutls_cipher_is_ok(algo) == 0) { + if (_gnutls_cipher_priority(session, algo) < 0) { + gnutls_assert(); + return GNUTLS_E_UNWANTED_ALGORITHM; + } - session->security_parameters.write_bulk_cipher_algorithm = - algo; + session->security_parameters.write_bulk_cipher_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + } else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - return 0; + return 0; } @@ -867,14 +861,13 @@ int _gnutls_set_read_compression(gnutls_session session, gnutls_compression_method algo) { - if (_gnutls_compression_is_ok(algo) == 0) { - session->security_parameters.read_compression_algorithm = - algo; - } else { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } - return 0; + if (_gnutls_compression_is_ok(algo) == 0) { + session->security_parameters.read_compression_algorithm = algo; + } else { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + return 0; } @@ -882,14 +875,13 @@ int _gnutls_set_write_compression(gnutls_session session, gnutls_compression_method algo) { - if (_gnutls_compression_is_ok(algo) == 0) { - session->security_parameters.write_compression_algorithm = - algo; - } else { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } - return 0; + if (_gnutls_compression_is_ok(algo) == 0) { + session->security_parameters.write_compression_algorithm = algo; + } else { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + return 0; } @@ -898,19 +890,19 @@ int _gnutls_set_write_compression(gnutls_session session, int _gnutls_set_kx(gnutls_session session, gnutls_kx_algorithm algo) { - if (_gnutls_kx_is_ok(algo) == 0) { - session->security_parameters.kx_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - if (_gnutls_kx_priority(session, algo) < 0) { - gnutls_assert(); - /* we shouldn't get here */ - return GNUTLS_E_UNWANTED_ALGORITHM; - } + if (_gnutls_kx_is_ok(algo) == 0) { + session->security_parameters.kx_algorithm = algo; + } else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + if (_gnutls_kx_priority(session, algo) < 0) { + gnutls_assert(); + /* we shouldn't get here */ + return GNUTLS_E_UNWANTED_ALGORITHM; + } - return 0; + return 0; } @@ -918,37 +910,38 @@ int _gnutls_set_kx(gnutls_session session, gnutls_kx_algorithm algo) int _gnutls_set_read_mac(gnutls_session session, gnutls_mac_algorithm algo) { - if (_gnutls_mac_is_ok(algo) == 0) { - session->security_parameters.read_mac_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - if (_gnutls_mac_priority(session, algo) < 0) { - gnutls_assert(); - return GNUTLS_E_UNWANTED_ALGORITHM; - } + if (_gnutls_mac_is_ok(algo) == 0) { + session->security_parameters.read_mac_algorithm = algo; + } else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + if (_gnutls_mac_priority(session, algo) < 0) { + gnutls_assert(); + return GNUTLS_E_UNWANTED_ALGORITHM; + } - return 0; + return 0; } -int _gnutls_set_write_mac(gnutls_session session, gnutls_mac_algorithm algo) +int _gnutls_set_write_mac(gnutls_session session, + gnutls_mac_algorithm algo) { - if (_gnutls_mac_is_ok(algo) == 0) { - session->security_parameters.write_mac_algorithm = algo; - } else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - if (_gnutls_mac_priority(session, algo) < 0) { - gnutls_assert(); - return GNUTLS_E_UNWANTED_ALGORITHM; - } + if (_gnutls_mac_is_ok(algo) == 0) { + session->security_parameters.write_mac_algorithm = algo; + } else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + if (_gnutls_mac_priority(session, algo) < 0) { + gnutls_assert(); + return GNUTLS_E_UNWANTED_ALGORITHM; + } - return 0; + return 0; } diff --git a/lib/gnutls_constate.h b/lib/gnutls_constate.h index a78afcd4ef..8a0e3deb70 100644 --- a/lib/gnutls_constate.h +++ b/lib/gnutls_constate.h @@ -1,10 +1,16 @@ int _gnutls_connection_state_init(gnutls_session session); int _gnutls_read_connection_state_init(gnutls_session session); int _gnutls_write_connection_state_init(gnutls_session session); -int _gnutls_set_write_cipher( gnutls_session session, gnutls_cipher_algorithm algo); -int _gnutls_set_write_mac( gnutls_session session, gnutls_mac_algorithm algo); -int _gnutls_set_read_cipher( gnutls_session session, gnutls_cipher_algorithm algo); -int _gnutls_set_read_mac( gnutls_session session, gnutls_mac_algorithm algo); -int _gnutls_set_read_compression( gnutls_session session, gnutls_compression_method algo); -int _gnutls_set_write_compression( gnutls_session session, gnutls_compression_method algo); +int _gnutls_set_write_cipher(gnutls_session session, + gnutls_cipher_algorithm algo); +int _gnutls_set_write_mac(gnutls_session session, + gnutls_mac_algorithm algo); +int _gnutls_set_read_cipher(gnutls_session session, + gnutls_cipher_algorithm algo); +int _gnutls_set_read_mac(gnutls_session session, + gnutls_mac_algorithm algo); +int _gnutls_set_read_compression(gnutls_session session, + gnutls_compression_method algo); +int _gnutls_set_write_compression(gnutls_session session, + gnutls_compression_method algo); int _gnutls_set_kx(gnutls_session session, gnutls_kx_algorithm algo); diff --git a/lib/gnutls_datum.c b/lib/gnutls_datum.c index edd71b2a47..667e88fbf4 100644 --- a/lib/gnutls_datum.c +++ b/lib/gnutls_datum.c @@ -31,59 +31,71 @@ #include <gnutls_errors.h> -void _gnutls_write_datum16( opaque* dest, gnutls_datum dat) { - _gnutls_write_uint16( dat.size, dest); - memcpy( &dest[2], dat.data, dat.size); +void _gnutls_write_datum16(opaque * dest, gnutls_datum dat) +{ + _gnutls_write_uint16(dat.size, dest); + memcpy(&dest[2], dat.data, dat.size); } -void _gnutls_write_datum24( opaque* dest, gnutls_datum dat) { - _gnutls_write_uint24( dat.size, dest); - memcpy( &dest[3], dat.data, dat.size); + +void _gnutls_write_datum24(opaque * dest, gnutls_datum dat) +{ + _gnutls_write_uint24(dat.size, dest); + memcpy(&dest[3], dat.data, dat.size); } -void _gnutls_write_datum32( opaque* dest, gnutls_datum dat) { - _gnutls_write_uint32( dat.size, dest); - memcpy( &dest[4], dat.data, dat.size); + +void _gnutls_write_datum32(opaque * dest, gnutls_datum dat) +{ + _gnutls_write_uint32(dat.size, dest); + memcpy(&dest[4], dat.data, dat.size); } -void _gnutls_write_datum8( opaque* dest, gnutls_datum dat) { - dest[0] = (uint8) dat.size; - memcpy( &dest[1], dat.data, dat.size); + +void _gnutls_write_datum8(opaque * dest, gnutls_datum dat) +{ + dest[0] = (uint8) dat.size; + memcpy(&dest[1], dat.data, dat.size); } -int _gnutls_set_datum_m( gnutls_datum* dat, const void* data, int data_size, - gnutls_alloc_function galloc_func) +int _gnutls_set_datum_m(gnutls_datum * dat, const void *data, + int data_size, gnutls_alloc_function galloc_func) { - if (data_size == 0) { - dat->data = NULL; - dat->size = 0; - return 0; - } - - dat->data = galloc_func(data_size); - if (dat->data==NULL) return GNUTLS_E_MEMORY_ERROR; - - dat->size = data_size; - memcpy( dat->data, data, data_size); - + if (data_size == 0) { + dat->data = NULL; + dat->size = 0; return 0; -} + } -int _gnutls_datum_append_m( gnutls_datum* dst, const void* data, int data_size, - gnutls_realloc_function grealloc_func) { + dat->data = galloc_func(data_size); + if (dat->data == NULL) + return GNUTLS_E_MEMORY_ERROR; - dst->data = grealloc_func(dst->data, data_size+dst->size); - if (dst->data==NULL) return GNUTLS_E_MEMORY_ERROR; - - memcpy( &dst->data[dst->size], data, data_size); - dst->size += data_size; + dat->size = data_size; + memcpy(dat->data, data, data_size); - return 0; + return 0; } -void _gnutls_free_datum_m( gnutls_datum* dat, gnutls_free_function gfree_func) { - if (dat->data!=NULL && dat->size!=0) - gfree_func( dat->data); +int _gnutls_datum_append_m(gnutls_datum * dst, const void *data, + int data_size, + gnutls_realloc_function grealloc_func) +{ - dat->data = NULL; - dat->size = 0; + dst->data = grealloc_func(dst->data, data_size + dst->size); + if (dst->data == NULL) + return GNUTLS_E_MEMORY_ERROR; + + memcpy(&dst->data[dst->size], data, data_size); + dst->size += data_size; + + return 0; } +void _gnutls_free_datum_m(gnutls_datum * dat, + gnutls_free_function gfree_func) +{ + if (dat->data != NULL && dat->size != 0) + gfree_func(dat->data); + + dat->data = NULL; + dat->size = 0; +} diff --git a/lib/gnutls_datum.h b/lib/gnutls_datum.h index f10026ffd7..8c6ee283de 100644 --- a/lib/gnutls_datum.h +++ b/lib/gnutls_datum.h @@ -1,17 +1,16 @@ -void _gnutls_write_datum16( opaque* dest, gnutls_datum dat); -void _gnutls_write_datum24( opaque* dest, gnutls_datum dat); -void _gnutls_write_datum32( opaque* dest, gnutls_datum dat); -void _gnutls_write_datum8( opaque* dest, gnutls_datum dat); +void _gnutls_write_datum16(opaque * dest, gnutls_datum dat); +void _gnutls_write_datum24(opaque * dest, gnutls_datum dat); +void _gnutls_write_datum32(opaque * dest, gnutls_datum dat); +void _gnutls_write_datum8(opaque * dest, gnutls_datum dat); -int _gnutls_set_datum_m( gnutls_datum* dat, const void* data, int data_size, - gnutls_alloc_function); +int _gnutls_set_datum_m(gnutls_datum * dat, const void *data, + int data_size, gnutls_alloc_function); #define _gnutls_set_datum( x, y, z) _gnutls_set_datum_m(x,y,z, gnutls_malloc) #define _gnutls_sset_datum( x, y, z) _gnutls_set_datum_m(x,y,z, gnutls_secure_malloc) -int _gnutls_datum_append_m( gnutls_datum* dat, const void* data, int data_size, - gnutls_realloc_function); +int _gnutls_datum_append_m(gnutls_datum * dat, const void *data, + int data_size, gnutls_realloc_function); #define _gnutls_datum_append(x,y,z) _gnutls_datum_append_m(x,y,z, gnutls_realloc) -void _gnutls_free_datum_m( gnutls_datum* dat, - gnutls_free_function); +void _gnutls_free_datum_m(gnutls_datum * dat, gnutls_free_function); #define _gnutls_free_datum(x) _gnutls_free_datum_m(x, gnutls_free) diff --git a/lib/gnutls_db.c b/lib/gnutls_db.c index a58c17b52e..ee90096491 100644 --- a/lib/gnutls_db.c +++ b/lib/gnutls_db.c @@ -47,8 +47,10 @@ * has been called. * **/ -void gnutls_db_set_retrieve_function( gnutls_session session, gnutls_db_retr_func retr_func) { - session->internals.db_retrieve_func = retr_func; +void gnutls_db_set_retrieve_function(gnutls_session session, + gnutls_db_retr_func retr_func) +{ + session->internals.db_retrieve_func = retr_func; } /** @@ -63,8 +65,10 @@ void gnutls_db_set_retrieve_function( gnutls_session session, gnutls_db_retr_fun * has been called. * **/ -void gnutls_db_set_remove_function( gnutls_session session, gnutls_db_remove_func rem_func) { - session->internals.db_remove_func = rem_func; +void gnutls_db_set_remove_function(gnutls_session session, + gnutls_db_remove_func rem_func) +{ + session->internals.db_remove_func = rem_func; } /** @@ -79,8 +83,10 @@ void gnutls_db_set_remove_function( gnutls_session session, gnutls_db_remove_fun * has been called. * **/ -void gnutls_db_set_store_function( gnutls_session session, gnutls_db_store_func store_func) { - session->internals.db_store_func = store_func; +void gnutls_db_set_store_function(gnutls_session session, + gnutls_db_store_func store_func) +{ + session->internals.db_store_func = store_func; } /** @@ -92,8 +98,9 @@ void gnutls_db_set_store_function( gnutls_session session, gnutls_db_store_func * the first argument. * **/ -void gnutls_db_set_ptr( gnutls_session session, void* ptr) { - session->internals.db_ptr = ptr; +void gnutls_db_set_ptr(gnutls_session session, void *ptr) +{ + session->internals.db_ptr = ptr; } /** @@ -104,8 +111,9 @@ void gnutls_db_set_ptr( gnutls_session session, void* ptr) { * the first argument. * **/ -void* gnutls_db_get_ptr( gnutls_session session) { - return session->internals.db_ptr; +void *gnutls_db_get_ptr(gnutls_session session) +{ + return session->internals.db_ptr; } /** @@ -116,8 +124,9 @@ void* gnutls_db_get_ptr( gnutls_session session) { * Sets the expiration time for resumed sessions. The default is 3600 (one hour) * at the time writing this. **/ -void gnutls_db_set_cache_expiration( gnutls_session session, int seconds) { - session->internals.expire_time = seconds; +void gnutls_db_set_cache_expiration(gnutls_session session, int seconds) +{ + session->internals.expire_time = seconds; } /** @@ -131,193 +140,215 @@ void gnutls_db_set_cache_expiration( gnutls_session session, int seconds) { * backend. * **/ -int gnutls_db_check_entry( gnutls_session session, gnutls_datum session_entry) { -time_t timestamp; +int gnutls_db_check_entry(gnutls_session session, + gnutls_datum session_entry) +{ + time_t timestamp; - timestamp = time(0); + timestamp = time(0); - if (session_entry.data != NULL) - if ( timestamp - ((security_parameters_st*)(session_entry.data))->timestamp <= session->internals.expire_time || ((security_parameters_st*)(session_entry.data))->timestamp > timestamp|| ((security_parameters_st*)(session_entry.data))->timestamp == 0) - return GNUTLS_E_EXPIRED; - - return 0; + if (session_entry.data != NULL) + if (timestamp - + ((security_parameters_st *) (session_entry.data))->timestamp <= + session->internals.expire_time + || ((security_parameters_st *) (session_entry.data))-> + timestamp > timestamp + || ((security_parameters_st *) (session_entry.data))-> + timestamp == 0) + return GNUTLS_E_EXPIRED; + + return 0; } /* The format of storing data is: * (forget it). Check gnutls_session_pack.c */ -int _gnutls_server_register_current_session( gnutls_session session) +int _gnutls_server_register_current_session(gnutls_session session) { -gnutls_datum key; -gnutls_datum content; -int ret = 0; - - key.data = session->security_parameters.session_id; - key.size = session->security_parameters.session_id_size; - - if (session->internals.resumable==RESUME_FALSE) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } - - if (session->security_parameters.session_id==NULL || session->security_parameters.session_id_size==0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } - + gnutls_datum key; + gnutls_datum content; + int ret = 0; + + key.data = session->security_parameters.session_id; + key.size = session->security_parameters.session_id_size; + + if (session->internals.resumable == RESUME_FALSE) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } + + if (session->security_parameters.session_id == NULL + || session->security_parameters.session_id_size == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } + /* allocate space for data */ - ret = _gnutls_session_size( session); - if (ret < 0) { - gnutls_assert(); - return ret; - } - content.size = ret; - - content.data = gnutls_malloc( content.size); - if (content.data==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - + ret = _gnutls_session_size(session); + if (ret < 0) { + gnutls_assert(); + return ret; + } + content.size = ret; + + content.data = gnutls_malloc(content.size); + if (content.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + /* copy data */ - ret = _gnutls_session_pack( session, &content); - if (ret < 0) { - gnutls_free( content.data); - gnutls_assert(); - return ret; - } + ret = _gnutls_session_pack(session, &content); + if (ret < 0) { + gnutls_free(content.data); + gnutls_assert(); + return ret; + } - ret = _gnutls_store_session( session, key, content); + ret = _gnutls_store_session(session, key, content); - gnutls_free( content.data); + gnutls_free(content.data); - return ret; + return ret; } /* Checks if both db_store and db_retrieve functions have * been set up. */ -static int _gnutls_db_func_is_ok( gnutls_session session) { - if (session->internals.db_store_func!=NULL && - session->internals.db_retrieve_func!=NULL && - session->internals.db_remove_func!=NULL) return 0; - else return GNUTLS_E_DB_ERROR; +static int _gnutls_db_func_is_ok(gnutls_session session) +{ + if (session->internals.db_store_func != NULL && + session->internals.db_retrieve_func != NULL && + session->internals.db_remove_func != NULL) + return 0; + else + return GNUTLS_E_DB_ERROR; } -int _gnutls_server_restore_session( gnutls_session session, uint8* session_id, int session_id_size) +int _gnutls_server_restore_session(gnutls_session session, + uint8 * session_id, int session_id_size) { -gnutls_datum data; -gnutls_datum key; -int ret; + gnutls_datum data; + gnutls_datum key; + int ret; - key.data = session_id; - key.size = session_id_size; + key.data = session_id; + key.size = session_id_size; - if (_gnutls_db_func_is_ok(session)!=0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } + if (_gnutls_db_func_is_ok(session) != 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } - data = _gnutls_retrieve_session( session, key); + data = _gnutls_retrieve_session(session, key); - if (data.data==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } + if (data.data == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } - /* expiration check is performed inside */ - ret = gnutls_session_set_data( session, data.data, data.size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + /* expiration check is performed inside */ + ret = gnutls_session_set_data(session, data.data, data.size); + if (ret < 0) { + gnutls_assert(); + return ret; + } - gnutls_free(data.data); + gnutls_free(data.data); - return 0; + return 0; } -int _gnutls_db_remove_session( gnutls_session session, uint8* session_id, int session_id_size) +int _gnutls_db_remove_session(gnutls_session session, uint8 * session_id, + int session_id_size) { -gnutls_datum key; + gnutls_datum key; - key.data = session_id; - key.size = session_id_size; + key.data = session_id; + key.size = session_id_size; - return _gnutls_remove_session( session, key); + return _gnutls_remove_session(session, key); } /* Stores session data to the db backend. */ -int _gnutls_store_session( gnutls_session session, gnutls_datum session_id, gnutls_datum session_data) +int _gnutls_store_session(gnutls_session session, gnutls_datum session_id, + gnutls_datum session_data) { -int ret = 0; - - if (session->internals.resumable==RESUME_FALSE) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } - - if (_gnutls_db_func_is_ok(session)!=0) { - return GNUTLS_E_DB_ERROR; - } - - if (session_id.data==NULL || session_id.size==0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } - - if (session_data.data==NULL || session_data.size==0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } - /* if we can't read why bother writing? */ - - if (session->internals.db_store_func!=NULL) - ret = session->internals.db_store_func( session->internals.db_ptr, session_id, session_data); - - return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); + int ret = 0; + + if (session->internals.resumable == RESUME_FALSE) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } + + if (_gnutls_db_func_is_ok(session) != 0) { + return GNUTLS_E_DB_ERROR; + } + + if (session_id.data == NULL || session_id.size == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } + + if (session_data.data == NULL || session_data.size == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } + /* if we can't read why bother writing? */ + + if (session->internals.db_store_func != NULL) + ret = + session->internals.db_store_func(session->internals.db_ptr, + session_id, session_data); + + return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); } /* Retrieves session data from the db backend. */ -gnutls_datum _gnutls_retrieve_session( gnutls_session session, gnutls_datum session_id) +gnutls_datum _gnutls_retrieve_session(gnutls_session session, + gnutls_datum session_id) { -gnutls_datum ret = { NULL, 0 }; - - if (session_id.data==NULL || session_id.size==0) { - gnutls_assert(); - return ret; - } - - if (session->internals.db_retrieve_func!=NULL) - ret = session->internals.db_retrieve_func( session->internals.db_ptr, session_id); + gnutls_datum ret = { NULL, 0 }; + if (session_id.data == NULL || session_id.size == 0) { + gnutls_assert(); return ret; + } + + if (session->internals.db_retrieve_func != NULL) + ret = + session->internals.db_retrieve_func(session->internals.db_ptr, + session_id); + + return ret; } /* Removes session data from the db backend. */ -int _gnutls_remove_session( gnutls_session session, gnutls_datum session_id) +int _gnutls_remove_session(gnutls_session session, gnutls_datum session_id) { -int ret = 0; + int ret = 0; - if (_gnutls_db_func_is_ok(session)!=0) { - return GNUTLS_E_DB_ERROR; - } - - if (session_id.data==NULL || session_id.size==0) - return GNUTLS_E_INVALID_SESSION; + if (_gnutls_db_func_is_ok(session) != 0) { + return GNUTLS_E_DB_ERROR; + } - /* if we can't read why bother writing? */ - if (session->internals.db_remove_func!=NULL) - ret = session->internals.db_remove_func( session->internals.db_ptr, session_id); + if (session_id.data == NULL || session_id.size == 0) + return GNUTLS_E_INVALID_SESSION; - return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); + /* if we can't read why bother writing? */ + if (session->internals.db_remove_func != NULL) + ret = + session->internals.db_remove_func(session->internals.db_ptr, + session_id); + + return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); } @@ -333,9 +364,13 @@ int ret = 0; * Normally gnutls_deinit() will remove abnormally terminated sessions. * **/ -void gnutls_db_remove_session(gnutls_session session) { - /* if the session has failed abnormally it has - * to be removed from the db - */ - _gnutls_db_remove_session( session, session->security_parameters.session_id, session->security_parameters.session_id_size); +void gnutls_db_remove_session(gnutls_session session) +{ + /* if the session has failed abnormally it has + * to be removed from the db + */ + _gnutls_db_remove_session(session, + session->security_parameters.session_id, + session->security_parameters. + session_id_size); } diff --git a/lib/gnutls_db.h b/lib/gnutls_db.h index a5cac00bd9..1d0f4a717c 100644 --- a/lib/gnutls_db.h +++ b/lib/gnutls_db.h @@ -18,13 +18,19 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -void gnutls_set_cache_expiration( gnutls_session session, int seconds); -int gnutls_db_set_name( gnutls_session session, const char* filename); -int _gnutls_server_register_current_session( gnutls_session session); -int _gnutls_server_restore_session( gnutls_session session, uint8* session_id, int session_id_size); -int gnutls_db_clean( gnutls_session session); -int _gnutls_db_remove_session( gnutls_session session, uint8* session_id, int session_id_size); +void gnutls_set_cache_expiration(gnutls_session session, int seconds); +int gnutls_db_set_name(gnutls_session session, const char *filename); +int _gnutls_server_register_current_session(gnutls_session session); +int _gnutls_server_restore_session(gnutls_session session, + uint8 * session_id, + int session_id_size); +int gnutls_db_clean(gnutls_session session); +int _gnutls_db_remove_session(gnutls_session session, uint8 * session_id, + int session_id_size); void gnutls_db_remove_session(gnutls_session session); -int _gnutls_store_session( gnutls_session session, gnutls_datum session_id, gnutls_datum session_data); -gnutls_datum _gnutls_retrieve_session( gnutls_session session, gnutls_datum session_id); -int _gnutls_remove_session( gnutls_session session, gnutls_datum session_id); +int _gnutls_store_session(gnutls_session session, gnutls_datum session_id, + gnutls_datum session_data); +gnutls_datum _gnutls_retrieve_session(gnutls_session session, + gnutls_datum session_id); +int _gnutls_remove_session(gnutls_session session, + gnutls_datum session_id); diff --git a/lib/gnutls_dh.c b/lib/gnutls_dh.c index 1358f0ddda..8980a4cf0f 100644 --- a/lib/gnutls_dh.c +++ b/lib/gnutls_dh.c @@ -47,66 +47,65 @@ */ mpi_t gnutls_calc_dh_secret(mpi_t * ret_x, mpi_t g, mpi_t prime) { - mpi_t e, x; - int x_size = _gnutls_mpi_get_nbits(prime) - 1; - /* The size of the secret key is less than - * prime/2 - */ - - if (x_size > MAX_BITS || x_size <= 0) { - gnutls_assert(); - return NULL; - } - - x = _gnutls_mpi_new(x_size); - if (x == NULL) { - gnutls_assert(); - if (ret_x) - *ret_x = NULL; - - return NULL; - } - - /* (x_size/8)*8 is there to overcome a bug in libgcrypt - * which does not really check the bits given but the bytes. - */ - _gnutls_mpi_randomize(x, (x_size/8)*8, GCRY_STRONG_RANDOM); - - e = _gnutls_mpi_alloc_like(prime); - if (e == NULL) { - gnutls_assert(); - if (ret_x) - *ret_x = NULL; - - _gnutls_mpi_release( &x); - return NULL; - } - - _gnutls_mpi_powm(e, g, x, prime); + mpi_t e, x; + int x_size = _gnutls_mpi_get_nbits(prime) - 1; + /* The size of the secret key is less than + * prime/2 + */ + + if (x_size > MAX_BITS || x_size <= 0) { + gnutls_assert(); + return NULL; + } + + x = _gnutls_mpi_new(x_size); + if (x == NULL) { + gnutls_assert(); + if (ret_x) + *ret_x = NULL; + + return NULL; + } + /* (x_size/8)*8 is there to overcome a bug in libgcrypt + * which does not really check the bits given but the bytes. + */ + _gnutls_mpi_randomize(x, (x_size / 8) * 8, GCRY_STRONG_RANDOM); + + e = _gnutls_mpi_alloc_like(prime); + if (e == NULL) { + gnutls_assert(); if (ret_x) - *ret_x = x; - else - _gnutls_mpi_release(&x); - return e; + *ret_x = NULL; + + _gnutls_mpi_release(&x); + return NULL; + } + + _gnutls_mpi_powm(e, g, x, prime); + + if (ret_x) + *ret_x = x; + else + _gnutls_mpi_release(&x); + return e; } mpi_t gnutls_calc_dh_key(mpi_t f, mpi_t x, mpi_t prime) { - mpi_t k; - int bits; - - bits = _gnutls_mpi_get_nbits(prime); - if (bits <= 0 || bits > MAX_BITS) { - gnutls_assert(); - return NULL; - } - - k = _gnutls_mpi_alloc_like(prime); - if (k == NULL) - return NULL; - _gnutls_mpi_powm(k, f, x, prime); - return k; + mpi_t k; + int bits; + + bits = _gnutls_mpi_get_nbits(prime); + if (bits <= 0 || bits > MAX_BITS) { + gnutls_assert(); + return NULL; + } + + k = _gnutls_mpi_alloc_like(prime); + if (k == NULL) + return NULL; + _gnutls_mpi_powm(k, f, x, prime); + return k; } - diff --git a/lib/gnutls_dh.h b/lib/gnutls_dh.h index 6b449ec72e..9336a31230 100644 --- a/lib/gnutls_dh.h +++ b/lib/gnutls_dh.h @@ -18,8 +18,8 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -const mpi_t* _gnutls_get_dh_params(gnutls_dh_params); -mpi_t gnutls_calc_dh_secret( mpi_t *ret_x, mpi_t g, mpi_t prime ); -mpi_t gnutls_calc_dh_key( mpi_t f, mpi_t x, mpi_t prime ); -int _gnutls_dh_generate_prime(mpi_t *ret_g, mpi_t* ret_n, uint bits); +const mpi_t *_gnutls_get_dh_params(gnutls_dh_params); +mpi_t gnutls_calc_dh_secret(mpi_t * ret_x, mpi_t g, mpi_t prime); +mpi_t gnutls_calc_dh_key(mpi_t f, mpi_t x, mpi_t prime); +int _gnutls_dh_generate_prime(mpi_t * ret_g, mpi_t * ret_n, uint bits); void gnutls_dh_params_deinit(gnutls_dh_params dh_params); diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c index 061868093a..e6da92c4ae 100644 --- a/lib/gnutls_dh_primes.c +++ b/lib/gnutls_dh_primes.c @@ -23,7 +23,7 @@ #include <gnutls_int.h> #include <gnutls_errors.h> #include <gnutls_datum.h> -#include <x509_b64.h> /* for PKCS3 PEM decoding */ +#include <x509_b64.h> /* for PKCS3 PEM decoding */ #include <gnutls_global.h> #include <gnutls_dh.h> #include <x509/mpi.h> @@ -32,95 +32,96 @@ /* returns the prime and the generator of DH params. */ -const mpi_t* _gnutls_get_dh_params(gnutls_dh_params dh_primes) +const mpi_t *_gnutls_get_dh_params(gnutls_dh_params dh_primes) { - if (dh_primes == NULL || dh_primes->params[1] == NULL || - dh_primes->params[0] == NULL) - { - return NULL; - } + if (dh_primes == NULL || dh_primes->params[1] == NULL || + dh_primes->params[0] == NULL) { + return NULL; + } - return dh_primes->params; + return dh_primes->params; } int _gnutls_dh_generate_prime(mpi_t * ret_g, mpi_t * ret_n, unsigned int bits) { - mpi_t g=NULL, prime=NULL; - gcry_error_t err; - int result, times = 0, qbits; - mpi_t *factors = NULL; - - /* Calculate the size of a prime factor of (prime-1)/2. - * This is a bad emulation of Michael Wiener's table - */ - if (bits < 256) qbits = bits/2; - else { - qbits = 120 + (((bits / 256) - 1) * 20); + mpi_t g = NULL, prime = NULL; + gcry_error_t err; + int result, times = 0, qbits; + mpi_t *factors = NULL; + + /* Calculate the size of a prime factor of (prime-1)/2. + * This is a bad emulation of Michael Wiener's table + */ + if (bits < 256) + qbits = bits / 2; + else { + qbits = 120 + (((bits / 256) - 1) * 20); + } + + if (qbits & 1) /* better have an even number */ + qbits++; + + /* find a prime number of size bits. + */ + do { + + if (times) { + _gnutls_mpi_release(&prime); + gcry_prime_release_factors(factors); } - if (qbits & 1) /* better have an even number */ - qbits++; - - /* find a prime number of size bits. - */ - do { - - if (times) { - _gnutls_mpi_release(&prime); - gcry_prime_release_factors (factors); - } - - err = gcry_prime_generate( &prime, bits, qbits, - &factors, NULL, NULL, GCRY_STRONG_RANDOM, - GCRY_PRIME_FLAG_SPECIAL_FACTOR); - - if (err != 0) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; - } - - err = gcry_prime_check( prime, 0); - - times++; - } while( err != 0 && times < 10); + err = gcry_prime_generate(&prime, bits, qbits, + &factors, NULL, NULL, GCRY_STRONG_RANDOM, + GCRY_PRIME_FLAG_SPECIAL_FACTOR); if (err != 0) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; } - /* generate the group generator. - */ - err = gcry_prime_group_generator (&g, prime, factors, NULL); - if (err != 0) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; - } + err = gcry_prime_check(prime, 0); + + times++; + } while (err != 0 && times < 10); + + if (err != 0) { + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; + } + + /* generate the group generator. + */ + err = gcry_prime_group_generator(&g, prime, factors, NULL); + if (err != 0) { + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; + } + + gcry_prime_release_factors(factors); + factors = NULL; + + if (ret_g) + *ret_g = g; + else + _gnutls_mpi_release(&g); + if (ret_n) + *ret_n = prime; + else + _gnutls_mpi_release(&prime); + + return 0; + + cleanup: + gcry_prime_release_factors(factors); + _gnutls_mpi_release(&g); + _gnutls_mpi_release(&prime); + + return result; - gcry_prime_release_factors (factors); factors = NULL; - - if (ret_g) - *ret_g = g; - else - _gnutls_mpi_release(&g); - if (ret_n) - *ret_n = prime; - else - _gnutls_mpi_release(&prime); - - return 0; - - cleanup: - gcry_prime_release_factors (factors); - _gnutls_mpi_release(&g); - _gnutls_mpi_release(&prime); - - return result; - } /* Replaces the prime in the static DH parameters, with a randomly @@ -137,31 +138,32 @@ int _gnutls_dh_generate_prime(mpi_t * ret_g, mpi_t * ret_n, * appropriate gnutls_datum. * **/ -int gnutls_dh_params_import_raw(gnutls_dh_params dh_params, const gnutls_datum *prime, - const gnutls_datum* generator) +int gnutls_dh_params_import_raw(gnutls_dh_params dh_params, + const gnutls_datum * prime, + const gnutls_datum * generator) { - mpi_t tmp_prime, tmp_g; - size_t siz; + mpi_t tmp_prime, tmp_g; + size_t siz; - siz = prime->size; - if (_gnutls_mpi_scan(&tmp_prime, prime->data, &siz)) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } + siz = prime->size; + if (_gnutls_mpi_scan(&tmp_prime, prime->data, &siz)) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } - siz = generator->size; - if (_gnutls_mpi_scan(&tmp_g, generator->data, &siz)) { - _gnutls_mpi_release(&tmp_prime); - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } + siz = generator->size; + if (_gnutls_mpi_scan(&tmp_g, generator->data, &siz)) { + _gnutls_mpi_release(&tmp_prime); + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } - /* store the generated values - */ - dh_params->params[0] = tmp_prime; - dh_params->params[1] = tmp_g; + /* store the generated values + */ + dh_params->params[0] = tmp_prime; + dh_params->params[1] = tmp_g; - return 0; + return 0; } @@ -175,13 +177,13 @@ int gnutls_dh_params_import_raw(gnutls_dh_params dh_params, const gnutls_datum * int gnutls_dh_params_init(gnutls_dh_params * dh_params) { - (*dh_params) = gnutls_calloc(1, sizeof(dh_params_st)); - if (*dh_params == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + (*dh_params) = gnutls_calloc(1, sizeof(dh_params_st)); + if (*dh_params == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - return 0; + return 0; } @@ -194,13 +196,13 @@ int gnutls_dh_params_init(gnutls_dh_params * dh_params) **/ void gnutls_dh_params_deinit(gnutls_dh_params dh_params) { - if (dh_params == NULL) - return; + if (dh_params == NULL) + return; - _gnutls_mpi_release(&dh_params->params[0]); - _gnutls_mpi_release(&dh_params->params[1]); + _gnutls_mpi_release(&dh_params->params[0]); + _gnutls_mpi_release(&dh_params->params[1]); - gnutls_free(dh_params); + gnutls_free(dh_params); } @@ -215,16 +217,16 @@ void gnutls_dh_params_deinit(gnutls_dh_params dh_params) **/ int gnutls_dh_params_cpy(gnutls_dh_params dst, gnutls_dh_params src) { - if (src == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (src == NULL) + return GNUTLS_E_INVALID_REQUEST; - dst->params[0] = _gnutls_mpi_copy(src->params[0]); - dst->params[1] = _gnutls_mpi_copy(src->params[1]); + dst->params[0] = _gnutls_mpi_copy(src->params[0]); + dst->params[1] = _gnutls_mpi_copy(src->params[1]); - if (dst->params[0]==NULL || dst->params[1] == NULL) - return GNUTLS_E_MEMORY_ERROR; + if (dst->params[0] == NULL || dst->params[1] == NULL) + return GNUTLS_E_MEMORY_ERROR; - return 0; + return 0; } @@ -246,16 +248,16 @@ int gnutls_dh_params_cpy(gnutls_dh_params dst, gnutls_dh_params src) **/ int gnutls_dh_params_generate2(gnutls_dh_params params, unsigned int bits) { -int ret; + int ret; - ret = _gnutls_dh_generate_prime(¶ms->params[1], - ¶ms->params[0], bits); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_dh_generate_prime(¶ms->params[1], + ¶ms->params[0], bits); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -274,84 +276,87 @@ int ret; * 0 on success. * **/ -int gnutls_dh_params_import_pkcs3(gnutls_dh_params params, - const gnutls_datum * pkcs3_params, gnutls_x509_crt_fmt format) +int gnutls_dh_params_import_pkcs3(gnutls_dh_params params, + const gnutls_datum * pkcs3_params, + gnutls_x509_crt_fmt format) { - ASN1_TYPE c2; - int result, need_free = 0; - gnutls_datum _params; - - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - result = _gnutls_fbase64_decode("DH PARAMETERS", - pkcs3_params->data, pkcs3_params->size, - &out); - - if (result <= 0) { - if (result==0) result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - - _params.data = out; - _params.size = result; - - need_free = 1; - - } else { - _params.data = pkcs3_params->data; - _params.size = pkcs3_params->size; - } + ASN1_TYPE c2; + int result, need_free = 0; + gnutls_datum _params; + + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; + + result = _gnutls_fbase64_decode("DH PARAMETERS", + pkcs3_params->data, + pkcs3_params->size, &out); - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2)) - != ASN1_SUCCESS) { - gnutls_assert(); - if (need_free != 0) { - gnutls_free( _params.data); _params.data = NULL; - } - return _gnutls_asn2err(result); + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert(); + return result; } - result = - asn1_der_decoding(&c2, _params.data, _params.size, NULL); - + _params.data = out; + _params.size = result; + + need_free = 1; + + } else { + _params.data = pkcs3_params->data; + _params.size = pkcs3_params->size; + } + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2)) + != ASN1_SUCCESS) { + gnutls_assert(); if (need_free != 0) { - gnutls_free( _params.data); _params.data = NULL; + gnutls_free(_params.data); + _params.data = NULL; } + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ + result = asn1_der_decoding(&c2, _params.data, _params.size, NULL); - _gnutls_x509_log("DHParams: Decoding error %d\n", result); - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + if (need_free != 0) { + gnutls_free(_params.data); + _params.data = NULL; + } - /* Read PRIME - */ - result = _gnutls_x509_read_int( c2, "prime", ¶ms->params[0]); - if ( result < 0) { - asn1_delete_structure(&c2); - gnutls_assert(); - return result; - } + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ - /* read the generator - */ - result = _gnutls_x509_read_int( c2, "base", ¶ms->params[1]); - if ( result < 0) { - asn1_delete_structure(&c2); - _gnutls_mpi_release( ¶ms->params[0]); - gnutls_assert(); - return result; - } + _gnutls_x509_log("DHParams: Decoding error %d\n", result); + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + /* Read PRIME + */ + result = _gnutls_x509_read_int(c2, "prime", ¶ms->params[0]); + if (result < 0) { asn1_delete_structure(&c2); + gnutls_assert(); + return result; + } + + /* read the generator + */ + result = _gnutls_x509_read_int(c2, "base", ¶ms->params[1]); + if (result < 0) { + asn1_delete_structure(&c2); + _gnutls_mpi_release(¶ms->params[0]); + gnutls_assert(); + return result; + } + + asn1_delete_structure(&c2); - return 0; + return 0; } /** @@ -373,147 +378,148 @@ int gnutls_dh_params_import_pkcs3(gnutls_dh_params params, * 0 on success. * **/ -int gnutls_dh_params_export_pkcs3( gnutls_dh_params params, - gnutls_x509_crt_fmt format, unsigned char* params_data, - size_t* params_data_size) +int gnutls_dh_params_export_pkcs3(gnutls_dh_params params, + gnutls_x509_crt_fmt format, + unsigned char *params_data, + size_t * params_data_size) { - ASN1_TYPE c2; - int result, _params_data_size; - size_t g_size, p_size; - opaque * p_data, *g_data; - opaque * all_data; - - _gnutls_mpi_print( NULL, &g_size, params->params[1]); - _gnutls_mpi_print( NULL, &p_size, params->params[0]); - - all_data = gnutls_malloc( g_size + p_size); - if (all_data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + ASN1_TYPE c2; + int result, _params_data_size; + size_t g_size, p_size; + opaque *p_data, *g_data; + opaque *all_data; + + _gnutls_mpi_print(NULL, &g_size, params->params[1]); + _gnutls_mpi_print(NULL, &p_size, params->params[0]); + + all_data = gnutls_malloc(g_size + p_size); + if (all_data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + p_data = &all_data[0]; + g_data = &all_data[p_size]; + + _gnutls_mpi_print(p_data, &p_size, params->params[0]); + _gnutls_mpi_print(g_data, &g_size, params->params[1]); + + /* Ok. Now we have the data. Create the asn1 structures + */ + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2)) + != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(all_data); + return _gnutls_asn2err(result); + } + + /* Write PRIME + */ + if ((result = asn1_write_value(c2, "prime", + p_data, p_size)) != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(all_data); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + /* Write the GENERATOR + */ + if ((result = asn1_write_value(c2, "base", + g_data, g_size)) != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(all_data); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + gnutls_free(all_data); + + if ((result = asn1_write_value(c2, "privateValueLength", + NULL, 0)) != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + if (format == GNUTLS_X509_FMT_DER) { + if (params_data == NULL) + *params_data_size = 0; + + _params_data_size = *params_data_size; + result = + asn1_der_coding(c2, "", params_data, &_params_data_size, NULL); + *params_data_size = _params_data_size; + asn1_delete_structure(&c2); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + if (result == ASN1_MEM_ERROR) + return GNUTLS_E_SHORT_MEMORY_BUFFER; + + return _gnutls_asn2err(result); } - - p_data = &all_data[0]; - g_data = &all_data[p_size]; - - _gnutls_mpi_print( p_data, &p_size, params->params[0]); - _gnutls_mpi_print( g_data, &g_size, params->params[1]); - - /* Ok. Now we have the data. Create the asn1 structures - */ - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2)) - != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(all_data); - return _gnutls_asn2err(result); + + } else { /* PEM */ + opaque *tmp; + opaque *out; + int len; + + len = 0; + asn1_der_coding(c2, "", NULL, &len, NULL); + + tmp = gnutls_malloc(len); + if (tmp == NULL) { + gnutls_assert(); + asn1_delete_structure(&c2); + return GNUTLS_E_MEMORY_ERROR; } - /* Write PRIME - */ - if ((result = asn1_write_value(c2, "prime", - p_data, p_size)) != ASN1_SUCCESS) - { - gnutls_assert(); - gnutls_free(all_data); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + if ((result = + asn1_der_coding(c2, "", tmp, &len, NULL)) != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(tmp); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); } - /* Write the GENERATOR - */ - if ((result = asn1_write_value(c2, "base", - g_data, g_size)) != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(all_data); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + asn1_delete_structure(&c2); + + result = _gnutls_fbase64_encode("DH PARAMETERS", tmp, len, &out); + + gnutls_free(tmp); + + if (result < 0) { + gnutls_assert(); + return result; } - gnutls_free(all_data); + if (result == 0) { /* oooops */ + gnutls_assert(); + gnutls_free(out); + return GNUTLS_E_INTERNAL_ERROR; + } - if ((result = asn1_write_value(c2, "privateValueLength", - NULL, 0)) != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + if ((uint) result + 1 > *params_data_size) { + gnutls_assert(); + gnutls_free(out); + *params_data_size = result + 1; + return GNUTLS_E_SHORT_MEMORY_BUFFER; } - if (format == GNUTLS_X509_FMT_DER) { - if (params_data == NULL) *params_data_size = 0; - - _params_data_size = *params_data_size; - result=asn1_der_coding( c2, "", params_data, &_params_data_size, NULL); - *params_data_size = _params_data_size; - asn1_delete_structure(&c2); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - if (result == ASN1_MEM_ERROR) - return GNUTLS_E_SHORT_MEMORY_BUFFER; - - return _gnutls_asn2err(result); - } - - } else { /* PEM */ - opaque *tmp; - opaque *out; - int len; - - len = 0; - asn1_der_coding( c2, "", NULL, &len, NULL); - - tmp = gnutls_malloc( len); - if (tmp == NULL) { - gnutls_assert(); - asn1_delete_structure(&c2); - return GNUTLS_E_MEMORY_ERROR; - } - - if ((result=asn1_der_coding( c2, "", tmp, &len, NULL)) != ASN1_SUCCESS) - { - gnutls_assert(); - gnutls_free( tmp); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } - - asn1_delete_structure(&c2); - - result = _gnutls_fbase64_encode("DH PARAMETERS", - tmp, len, &out); - - gnutls_free( tmp); - - if (result < 0) { - gnutls_assert(); - return result; - } - - if (result == 0) { /* oooops */ - gnutls_assert(); - gnutls_free(out); - return GNUTLS_E_INTERNAL_ERROR; - } - - if ((uint)result + 1 > *params_data_size) { - gnutls_assert(); - gnutls_free(out); - *params_data_size = result + 1; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - *params_data_size = result; - - if (params_data) { - memcpy( params_data, out, result); - params_data[result] = 0; - } - gnutls_free( out); - + *params_data_size = result; + + if (params_data) { + memcpy(params_data, out, result); + params_data[result] = 0; } + gnutls_free(out); + + } - return 0; + return 0; } /** @@ -529,44 +535,45 @@ int gnutls_dh_params_export_pkcs3( gnutls_dh_params params, * **/ int gnutls_dh_params_export_raw(gnutls_dh_params params, - gnutls_datum * prime, gnutls_datum * generator, unsigned int *bits) + gnutls_datum * prime, + gnutls_datum * generator, + unsigned int *bits) { - size_t size; + size_t size; - if (params->params[1] == NULL || - params->params[0] == NULL) - { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - size = 0; - _gnutls_mpi_print(NULL, &size, params->params[1]); + if (params->params[1] == NULL || params->params[0] == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - generator->data = gnutls_malloc(size); - if (generator->data == NULL) { - return GNUTLS_E_MEMORY_ERROR; - } + size = 0; + _gnutls_mpi_print(NULL, &size, params->params[1]); - generator->size = size; - _gnutls_mpi_print(generator->data, &size, params->params[1]); + generator->data = gnutls_malloc(size); + if (generator->data == NULL) { + return GNUTLS_E_MEMORY_ERROR; + } + generator->size = size; + _gnutls_mpi_print(generator->data, &size, params->params[1]); - size = 0; - _gnutls_mpi_print(NULL, &size, params->params[0]); - prime->data = gnutls_malloc(size); - if (prime->data == NULL) { - gnutls_free(generator->data); generator->data = NULL; - return GNUTLS_E_MEMORY_ERROR; - } - prime->size = size; - _gnutls_mpi_print(prime->data, &size, params->params[0]); - - if (bits) - *bits = _gnutls_mpi_get_nbits( params->params[0]); + size = 0; + _gnutls_mpi_print(NULL, &size, params->params[0]); + + prime->data = gnutls_malloc(size); + if (prime->data == NULL) { + gnutls_free(generator->data); + generator->data = NULL; + return GNUTLS_E_MEMORY_ERROR; + } + prime->size = size; + _gnutls_mpi_print(prime->data, &size, params->params[0]); + + if (bits) + *bits = _gnutls_mpi_get_nbits(params->params[0]); - return 0; + return 0; } diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index c68239e28c..46e8cc3084 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c @@ -33,122 +33,201 @@ extern LOG_FUNC _gnutls_log_func; { desc, #name, name, fatal} struct gnutls_error_entry { - const char *desc; - const char *_name; - int number; - int fatal; + const char *desc; + const char *_name; + int number; + int fatal; }; typedef struct gnutls_error_entry gnutls_error_entry; static gnutls_error_entry error_algorithms[] = { - /* "Short Description", Error code define, critical (0,1) -- 1 in most cases */ - ERROR_ENTRY("Success.", GNUTLS_E_SUCCESS, 0 ), - ERROR_ENTRY("Could not negotiate a supported cipher suite.", GNUTLS_E_UNKNOWN_CIPHER_SUITE, 1 ), - ERROR_ENTRY("The cipher type is unsupported.", GNUTLS_E_UNKNOWN_CIPHER_TYPE, 1 ), - ERROR_ENTRY("The certificate and the given key do not match.", GNUTLS_E_CERTIFICATE_KEY_MISMATCH, 1 ), - ERROR_ENTRY("Could not negotiate a supported compression method.", GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM, 1 ), - ERROR_ENTRY("An unknown public key algorithm was encountered.", GNUTLS_E_UNKNOWN_PK_ALGORITHM, 1 ), - - ERROR_ENTRY("An algorithm that is not enabled was negotiated.", GNUTLS_E_UNWANTED_ALGORITHM, 1 ), - ERROR_ENTRY("A large TLS record packet was received.", GNUTLS_E_LARGE_PACKET, 1 ), - ERROR_ENTRY("A record packet with illegal version was received.", GNUTLS_E_UNSUPPORTED_VERSION_PACKET, 1 ), - ERROR_ENTRY("The Diffie Hellman prime sent by the server is not acceptable (not long enough).", GNUTLS_E_DH_PRIME_UNACCEPTABLE, 1 ), - ERROR_ENTRY("A TLS packet with unexpected length was received.", GNUTLS_E_UNEXPECTED_PACKET_LENGTH, 1 ), - ERROR_ENTRY("The specified session has been invalidated for some reason.", GNUTLS_E_INVALID_SESSION, 1 ), - - ERROR_ENTRY("GnuTLS internal error.", GNUTLS_E_INTERNAL_ERROR, 1 ), - ERROR_ENTRY("An illegal TLS extension was received.", GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION, 1 ), - ERROR_ENTRY("A TLS fatal alert has been received.", GNUTLS_E_FATAL_ALERT_RECEIVED ,1 ), - ERROR_ENTRY("An unexpected TLS packet was received.", GNUTLS_E_UNEXPECTED_PACKET, 1 ), - ERROR_ENTRY("A TLS warning alert has been received.", GNUTLS_E_WARNING_ALERT_RECEIVED, 0 ), - ERROR_ENTRY("An error was encountered at the TLS Finished packet calculation.", GNUTLS_E_ERROR_IN_FINISHED_PACKET, 1 ), - ERROR_ENTRY("The peer did not send any certificate.", GNUTLS_E_NO_CERTIFICATE_FOUND, 1 ), - - ERROR_ENTRY("No temporary RSA parameters were found.", GNUTLS_E_NO_TEMPORARY_RSA_PARAMS, 1 ), - ERROR_ENTRY("No temporary DH parameters were found.", GNUTLS_E_NO_TEMPORARY_DH_PARAMS, 1 ), - ERROR_ENTRY("An unexpected TLS handshake packet was received.", GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET, 1 ), - ERROR_ENTRY("The scanning of a large integer has failed.", GNUTLS_E_MPI_SCAN_FAILED, 1 ), - ERROR_ENTRY("Could not export a large integer.", GNUTLS_E_MPI_PRINT_FAILED, 1 ), - ERROR_ENTRY("Decryption has failed.", GNUTLS_E_DECRYPTION_FAILED, 1 ), - ERROR_ENTRY("Encryption has failed.", GNUTLS_E_ENCRYPTION_FAILED, 1 ), - ERROR_ENTRY("Public key decryption has failed.", GNUTLS_E_PK_DECRYPTION_FAILED, 1 ), - ERROR_ENTRY("Public key encryption has failed.", GNUTLS_E_PK_ENCRYPTION_FAILED, 1 ), - ERROR_ENTRY("Public key signing has failed.", GNUTLS_E_PK_SIGN_FAILED, 1 ), - ERROR_ENTRY("Public key signature verification has failed.", GNUTLS_E_PK_SIG_VERIFY_FAILED, 1 ), - ERROR_ENTRY("Decompression of the TLS record packet has failed.", GNUTLS_E_DECOMPRESSION_FAILED, 1 ), - ERROR_ENTRY("Compression of the TLS record packet has failed.", GNUTLS_E_COMPRESSION_FAILED, 1 ), - - ERROR_ENTRY("Internal error in memory allocation.", GNUTLS_E_MEMORY_ERROR, 1 ), - ERROR_ENTRY("An unimplemented or disabled feature has been requested.", GNUTLS_E_UNIMPLEMENTED_FEATURE, 1 ), - ERROR_ENTRY("Insufficient credentials for that request.", GNUTLS_E_INSUFFICIENT_CREDENTIALS, 1 ), - ERROR_ENTRY("Error in SRP password file.", GNUTLS_E_SRP_PWD_ERROR, 1 ), - ERROR_ENTRY("Wrong padding in PKCS1 packet.", GNUTLS_E_PKCS1_WRONG_PAD, 1 ), - ERROR_ENTRY("The requested session has expired.", GNUTLS_E_EXPIRED, 1 ), - ERROR_ENTRY("Hashing has failed.", GNUTLS_E_HASH_FAILED, 1 ), - ERROR_ENTRY("Base64 decoding error.", GNUTLS_E_BASE64_DECODING_ERROR, 1 ), - ERROR_ENTRY("Base64 encoding error.", GNUTLS_E_BASE64_ENCODING_ERROR, 1 ), - ERROR_ENTRY("Parsing error in SRP password file.", GNUTLS_E_SRP_PWD_PARSING_ERROR, 1 ), - ERROR_ENTRY("The requested data were not available.", GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, 0 ), - ERROR_ENTRY("Error in the pull function.", GNUTLS_E_PULL_ERROR, 1 ), - ERROR_ENTRY("Error in the push function.", GNUTLS_E_PUSH_ERROR, 1 ), - ERROR_ENTRY("The upper limit of record packet sequence numbers has been reached. Wow!", GNUTLS_E_RECORD_LIMIT_REACHED, 1 ), - ERROR_ENTRY("Error in the certificate.", GNUTLS_E_CERTIFICATE_ERROR, 1 ), - ERROR_ENTRY("Unknown Subject Alternative name in X.509 certificate.", GNUTLS_E_X509_UNKNOWN_SAN, 1 ), - - ERROR_ENTRY("Unsupported critical extension in X.509 certificate.", GNUTLS_E_X509_UNSUPPORTED_CRITICAL_EXTENSION, 1 ), - ERROR_ENTRY("Key usage violation in certificate has been detected.", GNUTLS_E_KEY_USAGE_VIOLATION, 1 ), - ERROR_ENTRY("Function was interrupted.", GNUTLS_E_AGAIN, 0 ), - ERROR_ENTRY("Function was interrupted.", GNUTLS_E_INTERRUPTED, 0 ), - ERROR_ENTRY("Rehandshake was requested by the peer.", GNUTLS_E_REHANDSHAKE, 0 ), - ERROR_ENTRY("TLS Application data were received, while expecting handshake data.", GNUTLS_E_GOT_APPLICATION_DATA, 1 ), - ERROR_ENTRY("Error in Database backend.", GNUTLS_E_DB_ERROR, 1 ), - ERROR_ENTRY("The certificate type is not supported.", GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE, 1 ), - ERROR_ENTRY("The given memory buffer is too short to hold parameters.", GNUTLS_E_SHORT_MEMORY_BUFFER, 1 ), - ERROR_ENTRY("The request is invalid.", GNUTLS_E_INVALID_REQUEST, 1 ), - ERROR_ENTRY("An illegal parameter has been received.", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1 ), - ERROR_ENTRY("Error while reading file.", GNUTLS_E_FILE_ERROR, 1 ), - - ERROR_ENTRY("ASN1 parser: Element was not found.", GNUTLS_E_ASN1_ELEMENT_NOT_FOUND, 1 ), - ERROR_ENTRY("ASN1 parser: Identifier was not found", GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND, 1 ), - ERROR_ENTRY("ASN1 parser: Error in DER parsing.", GNUTLS_E_ASN1_DER_ERROR, 1 ), - ERROR_ENTRY("ASN1 parser: Value was not found.", GNUTLS_E_ASN1_VALUE_NOT_FOUND, 1 ), - ERROR_ENTRY("ASN1 parser: Generic parsing error.", GNUTLS_E_ASN1_GENERIC_ERROR, 1 ), - ERROR_ENTRY("ASN1 parser: Value is not valid.", GNUTLS_E_ASN1_VALUE_NOT_VALID, 1 ), - ERROR_ENTRY("ASN1 parser: Error in TAG.", GNUTLS_E_ASN1_TAG_ERROR, 1 ), - ERROR_ENTRY("ASN1 parser: error in implicit tag", GNUTLS_E_ASN1_TAG_IMPLICIT, 1 ), - ERROR_ENTRY("ASN1 parser: Error in type 'ANY'.", GNUTLS_E_ASN1_TYPE_ANY_ERROR, 1 ), - ERROR_ENTRY("ASN1 parser: Syntax error.", GNUTLS_E_ASN1_SYNTAX_ERROR, 1 ), - ERROR_ENTRY("ASN1 parser: Overflow in DER parsing.", GNUTLS_E_ASN1_DER_OVERFLOW, 1 ), - - ERROR_ENTRY("Too many empty record packets have been received.", GNUTLS_E_TOO_MANY_EMPTY_PACKETS, 1 ), - ERROR_ENTRY("The initialization of GnuTLS-extra has failed.", GNUTLS_E_INIT_LIBEXTRA, 1 ), - ERROR_ENTRY("The GnuTLS library version does not match the GnuTLS-extra library version.", - GNUTLS_E_LIBRARY_VERSION_MISMATCH, 1 ), - ERROR_ENTRY("The gcrypt library version is too old.", - GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY, 1 ), - - ERROR_ENTRY("The tasn1 library version is too old.", - GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY, 1 ), - ERROR_ENTRY("The specified GnuPG TrustDB version is not supported. TrustDB v4 is supported.", - GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED, 1 ), - - ERROR_ENTRY("Error loading the keyring.", GNUTLS_E_OPENPGP_KEYRING_ERROR, 1 ), - ERROR_ENTRY("The initialization of LZO has failed.", GNUTLS_E_LZO_INIT_FAILED, 1 ), - ERROR_ENTRY("No supported compression algorithms have been found.", GNUTLS_E_NO_COMPRESSION_ALGORITHMS, 1 ), - ERROR_ENTRY("No supported cipher suites have been found.", GNUTLS_E_NO_CIPHER_SUITES, 1 ), - ERROR_ENTRY("Could not get OpenPGP key.", GNUTLS_E_OPENPGP_GETKEY_FAILED, 1), - - ERROR_ENTRY("The SRP username supplied is illegal.", GNUTLS_E_ILLEGAL_SRP_USERNAME, 1), - - ERROR_ENTRY("The OpenPGP fingerprint is not supported.", GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1), - ERROR_ENTRY("The certificate has unsupported attributes.", GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE, 1), - ERROR_ENTRY("The OID is not supported.", GNUTLS_E_X509_UNSUPPORTED_OID, 1), - ERROR_ENTRY("The hash algorithm is unknown.", GNUTLS_E_UNKNOWN_HASH_ALGORITHM, 1), - ERROR_ENTRY("The PKCS structure's content type is unknown.", GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE, 1), - ERROR_ENTRY("The PKCS structure's bag type is unknown.", GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE, 1), - ERROR_ENTRY("The given password contains invalid characters.", GNUTLS_E_INVALID_PASSWORD, 1), - ERROR_ENTRY("The Message Authentication Code verification failed.", GNUTLS_E_MAC_VERIFY_FAILED, 1), - {NULL, NULL, 0, 0} + /* "Short Description", Error code define, critical (0,1) -- 1 in most cases */ + ERROR_ENTRY("Success.", GNUTLS_E_SUCCESS, 0), + ERROR_ENTRY("Could not negotiate a supported cipher suite.", + GNUTLS_E_UNKNOWN_CIPHER_SUITE, 1), + ERROR_ENTRY("The cipher type is unsupported.", + GNUTLS_E_UNKNOWN_CIPHER_TYPE, 1), + ERROR_ENTRY("The certificate and the given key do not match.", + GNUTLS_E_CERTIFICATE_KEY_MISMATCH, 1), + ERROR_ENTRY("Could not negotiate a supported compression method.", + GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM, 1), + ERROR_ENTRY("An unknown public key algorithm was encountered.", + GNUTLS_E_UNKNOWN_PK_ALGORITHM, 1), + + ERROR_ENTRY("An algorithm that is not enabled was negotiated.", + GNUTLS_E_UNWANTED_ALGORITHM, 1), + ERROR_ENTRY("A large TLS record packet was received.", + GNUTLS_E_LARGE_PACKET, 1), + ERROR_ENTRY("A record packet with illegal version was received.", + GNUTLS_E_UNSUPPORTED_VERSION_PACKET, 1), + ERROR_ENTRY + ("The Diffie Hellman prime sent by the server is not acceptable (not long enough).", + GNUTLS_E_DH_PRIME_UNACCEPTABLE, 1), + ERROR_ENTRY("A TLS packet with unexpected length was received.", + GNUTLS_E_UNEXPECTED_PACKET_LENGTH, 1), + ERROR_ENTRY + ("The specified session has been invalidated for some reason.", + GNUTLS_E_INVALID_SESSION, 1), + + ERROR_ENTRY("GnuTLS internal error.", GNUTLS_E_INTERNAL_ERROR, 1), + ERROR_ENTRY("An illegal TLS extension was received.", + GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION, 1), + ERROR_ENTRY("A TLS fatal alert has been received.", + GNUTLS_E_FATAL_ALERT_RECEIVED, 1), + ERROR_ENTRY("An unexpected TLS packet was received.", + GNUTLS_E_UNEXPECTED_PACKET, 1), + ERROR_ENTRY("A TLS warning alert has been received.", + GNUTLS_E_WARNING_ALERT_RECEIVED, 0), + ERROR_ENTRY + ("An error was encountered at the TLS Finished packet calculation.", + GNUTLS_E_ERROR_IN_FINISHED_PACKET, 1), + ERROR_ENTRY("The peer did not send any certificate.", + GNUTLS_E_NO_CERTIFICATE_FOUND, 1), + + ERROR_ENTRY("No temporary RSA parameters were found.", + GNUTLS_E_NO_TEMPORARY_RSA_PARAMS, 1), + ERROR_ENTRY("No temporary DH parameters were found.", + GNUTLS_E_NO_TEMPORARY_DH_PARAMS, 1), + ERROR_ENTRY("An unexpected TLS handshake packet was received.", + GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET, 1), + ERROR_ENTRY("The scanning of a large integer has failed.", + GNUTLS_E_MPI_SCAN_FAILED, 1), + ERROR_ENTRY("Could not export a large integer.", + GNUTLS_E_MPI_PRINT_FAILED, 1), + ERROR_ENTRY("Decryption has failed.", GNUTLS_E_DECRYPTION_FAILED, 1), + ERROR_ENTRY("Encryption has failed.", GNUTLS_E_ENCRYPTION_FAILED, 1), + ERROR_ENTRY("Public key decryption has failed.", + GNUTLS_E_PK_DECRYPTION_FAILED, 1), + ERROR_ENTRY("Public key encryption has failed.", + GNUTLS_E_PK_ENCRYPTION_FAILED, 1), + ERROR_ENTRY("Public key signing has failed.", GNUTLS_E_PK_SIGN_FAILED, + 1), + ERROR_ENTRY("Public key signature verification has failed.", + GNUTLS_E_PK_SIG_VERIFY_FAILED, 1), + ERROR_ENTRY("Decompression of the TLS record packet has failed.", + GNUTLS_E_DECOMPRESSION_FAILED, 1), + ERROR_ENTRY("Compression of the TLS record packet has failed.", + GNUTLS_E_COMPRESSION_FAILED, 1), + + ERROR_ENTRY("Internal error in memory allocation.", + GNUTLS_E_MEMORY_ERROR, 1), + ERROR_ENTRY("An unimplemented or disabled feature has been requested.", + GNUTLS_E_UNIMPLEMENTED_FEATURE, 1), + ERROR_ENTRY("Insufficient credentials for that request.", + GNUTLS_E_INSUFFICIENT_CREDENTIALS, 1), + ERROR_ENTRY("Error in SRP password file.", GNUTLS_E_SRP_PWD_ERROR, 1), + ERROR_ENTRY("Wrong padding in PKCS1 packet.", GNUTLS_E_PKCS1_WRONG_PAD, + 1), + ERROR_ENTRY("The requested session has expired.", GNUTLS_E_EXPIRED, 1), + ERROR_ENTRY("Hashing has failed.", GNUTLS_E_HASH_FAILED, 1), + ERROR_ENTRY("Base64 decoding error.", GNUTLS_E_BASE64_DECODING_ERROR, + 1), + ERROR_ENTRY("Base64 encoding error.", GNUTLS_E_BASE64_ENCODING_ERROR, + 1), + ERROR_ENTRY("Parsing error in SRP password file.", + GNUTLS_E_SRP_PWD_PARSING_ERROR, 1), + ERROR_ENTRY("The requested data were not available.", + GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, 0), + ERROR_ENTRY("Error in the pull function.", GNUTLS_E_PULL_ERROR, 1), + ERROR_ENTRY("Error in the push function.", GNUTLS_E_PUSH_ERROR, 1), + ERROR_ENTRY + ("The upper limit of record packet sequence numbers has been reached. Wow!", + GNUTLS_E_RECORD_LIMIT_REACHED, 1), + ERROR_ENTRY("Error in the certificate.", GNUTLS_E_CERTIFICATE_ERROR, + 1), + ERROR_ENTRY("Unknown Subject Alternative name in X.509 certificate.", + GNUTLS_E_X509_UNKNOWN_SAN, 1), + + ERROR_ENTRY("Unsupported critical extension in X.509 certificate.", + GNUTLS_E_X509_UNSUPPORTED_CRITICAL_EXTENSION, 1), + ERROR_ENTRY("Key usage violation in certificate has been detected.", + GNUTLS_E_KEY_USAGE_VIOLATION, 1), + ERROR_ENTRY("Function was interrupted.", GNUTLS_E_AGAIN, 0), + ERROR_ENTRY("Function was interrupted.", GNUTLS_E_INTERRUPTED, 0), + ERROR_ENTRY("Rehandshake was requested by the peer.", + GNUTLS_E_REHANDSHAKE, 0), + ERROR_ENTRY + ("TLS Application data were received, while expecting handshake data.", + GNUTLS_E_GOT_APPLICATION_DATA, 1), + ERROR_ENTRY("Error in Database backend.", GNUTLS_E_DB_ERROR, 1), + ERROR_ENTRY("The certificate type is not supported.", + GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE, 1), + ERROR_ENTRY("The given memory buffer is too short to hold parameters.", + GNUTLS_E_SHORT_MEMORY_BUFFER, 1), + ERROR_ENTRY("The request is invalid.", GNUTLS_E_INVALID_REQUEST, 1), + ERROR_ENTRY("An illegal parameter has been received.", + GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1), + ERROR_ENTRY("Error while reading file.", GNUTLS_E_FILE_ERROR, 1), + + ERROR_ENTRY("ASN1 parser: Element was not found.", + GNUTLS_E_ASN1_ELEMENT_NOT_FOUND, 1), + ERROR_ENTRY("ASN1 parser: Identifier was not found", + GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND, 1), + ERROR_ENTRY("ASN1 parser: Error in DER parsing.", + GNUTLS_E_ASN1_DER_ERROR, 1), + ERROR_ENTRY("ASN1 parser: Value was not found.", + GNUTLS_E_ASN1_VALUE_NOT_FOUND, 1), + ERROR_ENTRY("ASN1 parser: Generic parsing error.", + GNUTLS_E_ASN1_GENERIC_ERROR, 1), + ERROR_ENTRY("ASN1 parser: Value is not valid.", + GNUTLS_E_ASN1_VALUE_NOT_VALID, 1), + ERROR_ENTRY("ASN1 parser: Error in TAG.", GNUTLS_E_ASN1_TAG_ERROR, 1), + ERROR_ENTRY("ASN1 parser: error in implicit tag", + GNUTLS_E_ASN1_TAG_IMPLICIT, 1), + ERROR_ENTRY("ASN1 parser: Error in type 'ANY'.", + GNUTLS_E_ASN1_TYPE_ANY_ERROR, 1), + ERROR_ENTRY("ASN1 parser: Syntax error.", GNUTLS_E_ASN1_SYNTAX_ERROR, + 1), + ERROR_ENTRY("ASN1 parser: Overflow in DER parsing.", + GNUTLS_E_ASN1_DER_OVERFLOW, 1), + + ERROR_ENTRY("Too many empty record packets have been received.", + GNUTLS_E_TOO_MANY_EMPTY_PACKETS, 1), + ERROR_ENTRY("The initialization of GnuTLS-extra has failed.", + GNUTLS_E_INIT_LIBEXTRA, 1), + ERROR_ENTRY + ("The GnuTLS library version does not match the GnuTLS-extra library version.", + GNUTLS_E_LIBRARY_VERSION_MISMATCH, 1), + ERROR_ENTRY("The gcrypt library version is too old.", + GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY, 1), + + ERROR_ENTRY("The tasn1 library version is too old.", + GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY, 1), + ERROR_ENTRY + ("The specified GnuPG TrustDB version is not supported. TrustDB v4 is supported.", + GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED, 1), + + ERROR_ENTRY("Error loading the keyring.", + GNUTLS_E_OPENPGP_KEYRING_ERROR, 1), + ERROR_ENTRY("The initialization of LZO has failed.", + GNUTLS_E_LZO_INIT_FAILED, 1), + ERROR_ENTRY("No supported compression algorithms have been found.", + GNUTLS_E_NO_COMPRESSION_ALGORITHMS, 1), + ERROR_ENTRY("No supported cipher suites have been found.", + GNUTLS_E_NO_CIPHER_SUITES, 1), + ERROR_ENTRY("Could not get OpenPGP key.", + GNUTLS_E_OPENPGP_GETKEY_FAILED, 1), + + ERROR_ENTRY("The SRP username supplied is illegal.", + GNUTLS_E_ILLEGAL_SRP_USERNAME, 1), + + ERROR_ENTRY("The OpenPGP fingerprint is not supported.", + GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1), + ERROR_ENTRY("The certificate has unsupported attributes.", + GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE, 1), + ERROR_ENTRY("The OID is not supported.", GNUTLS_E_X509_UNSUPPORTED_OID, + 1), + ERROR_ENTRY("The hash algorithm is unknown.", + GNUTLS_E_UNKNOWN_HASH_ALGORITHM, 1), + ERROR_ENTRY("The PKCS structure's content type is unknown.", + GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE, 1), + ERROR_ENTRY("The PKCS structure's bag type is unknown.", + GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE, 1), + ERROR_ENTRY("The given password contains invalid characters.", + GNUTLS_E_INVALID_PASSWORD, 1), + ERROR_ENTRY("The Message Authentication Code verification failed.", + GNUTLS_E_MAC_VERIFY_FAILED, 1), + {NULL, NULL, 0, 0} }; #define GNUTLS_ERROR_LOOP(b) \ @@ -176,10 +255,10 @@ static gnutls_error_entry error_algorithms[] = { **/ int gnutls_error_is_fatal(int error) { - int ret = 0; + int ret = 0; - GNUTLS_ERROR_ALG_LOOP(ret = p->fatal); - return ret; + GNUTLS_ERROR_ALG_LOOP(ret = p->fatal); + return ret; } /** @@ -191,12 +270,13 @@ int gnutls_error_is_fatal(int error) **/ void gnutls_perror(int error) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_ERROR_ALG_LOOP(ret = p->desc); - if (ret == NULL) ret = "(unknown)"; - fprintf(stderr, "GNUTLS ERROR: %s\n", ret); + /* avoid prefix */ + GNUTLS_ERROR_ALG_LOOP(ret = p->desc); + if (ret == NULL) + ret = "(unknown)"; + fprintf(stderr, "GNUTLS ERROR: %s\n", ret); } @@ -208,90 +288,96 @@ void gnutls_perror(int error) * number returned by a gnutls function; In case of an unknown error * a descriptive string is sent instead of NULL. **/ -const char* gnutls_strerror(int error) +const char *gnutls_strerror(int error) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_ERROR_ALG_LOOP(ret = - p->desc); - if (ret == NULL) return "(unknown error code)"; - return ret; + /* avoid prefix */ + GNUTLS_ERROR_ALG_LOOP(ret = p->desc); + if (ret == NULL) + return "(unknown error code)"; + return ret; } /* This will print the actual define of the * given error code. */ -const char* _gnutls_strerror(int error) +const char *_gnutls_strerror(int error) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_ERROR_ALG_LOOP(ret = - p->_name); + /* avoid prefix */ + GNUTLS_ERROR_ALG_LOOP(ret = p->_name); - return ret; + return ret; } -int _gnutls_asn2err( int asn_err) { - switch( asn_err) { - case ASN1_FILE_NOT_FOUND: - return GNUTLS_E_FILE_ERROR; - case ASN1_ELEMENT_NOT_FOUND: - return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; - case ASN1_IDENTIFIER_NOT_FOUND: - return GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND; - case ASN1_DER_ERROR: - return GNUTLS_E_ASN1_DER_ERROR; - case ASN1_VALUE_NOT_FOUND: - return GNUTLS_E_ASN1_VALUE_NOT_FOUND; - case ASN1_GENERIC_ERROR: - return GNUTLS_E_ASN1_GENERIC_ERROR; - case ASN1_VALUE_NOT_VALID: - return GNUTLS_E_ASN1_VALUE_NOT_VALID; - case ASN1_TAG_ERROR: - return GNUTLS_E_ASN1_TAG_ERROR; - case ASN1_TAG_IMPLICIT: - return GNUTLS_E_ASN1_TAG_IMPLICIT; - case ASN1_ERROR_TYPE_ANY: - return GNUTLS_E_ASN1_TYPE_ANY_ERROR; - case ASN1_SYNTAX_ERROR: - return GNUTLS_E_ASN1_SYNTAX_ERROR; - case ASN1_MEM_ERROR: - return GNUTLS_E_SHORT_MEMORY_BUFFER; - case ASN1_MEM_ALLOC_ERROR: - return GNUTLS_E_MEMORY_ERROR; - case ASN1_DER_OVERFLOW: - return GNUTLS_E_ASN1_DER_OVERFLOW; - default: - return GNUTLS_E_ASN1_GENERIC_ERROR; - } +int _gnutls_asn2err(int asn_err) +{ + switch (asn_err) { + case ASN1_FILE_NOT_FOUND: + return GNUTLS_E_FILE_ERROR; + case ASN1_ELEMENT_NOT_FOUND: + return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; + case ASN1_IDENTIFIER_NOT_FOUND: + return GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND; + case ASN1_DER_ERROR: + return GNUTLS_E_ASN1_DER_ERROR; + case ASN1_VALUE_NOT_FOUND: + return GNUTLS_E_ASN1_VALUE_NOT_FOUND; + case ASN1_GENERIC_ERROR: + return GNUTLS_E_ASN1_GENERIC_ERROR; + case ASN1_VALUE_NOT_VALID: + return GNUTLS_E_ASN1_VALUE_NOT_VALID; + case ASN1_TAG_ERROR: + return GNUTLS_E_ASN1_TAG_ERROR; + case ASN1_TAG_IMPLICIT: + return GNUTLS_E_ASN1_TAG_IMPLICIT; + case ASN1_ERROR_TYPE_ANY: + return GNUTLS_E_ASN1_TYPE_ANY_ERROR; + case ASN1_SYNTAX_ERROR: + return GNUTLS_E_ASN1_SYNTAX_ERROR; + case ASN1_MEM_ERROR: + return GNUTLS_E_SHORT_MEMORY_BUFFER; + case ASN1_MEM_ALLOC_ERROR: + return GNUTLS_E_MEMORY_ERROR; + case ASN1_DER_OVERFLOW: + return GNUTLS_E_ASN1_DER_OVERFLOW; + default: + return GNUTLS_E_ASN1_GENERIC_ERROR; + } } /* this function will output a message using the * caller provided function */ -void _gnutls_log( int level, const char *fmt, ...) { - va_list args; - char str[MAX_LOG_SIZE]; - void (*log_func)(int, const char*) = _gnutls_log_func; +void _gnutls_log(int level, const char *fmt, ...) +{ + va_list args; + char str[MAX_LOG_SIZE]; + void (*log_func) (int, const char *) = _gnutls_log_func; - if (_gnutls_log_func==NULL) return; + if (_gnutls_log_func == NULL) + return; - va_start(args,fmt); - vsnprintf( str, MAX_LOG_SIZE - 1, fmt, args); /* Flawfinder: ignore */ - va_end(args); + va_start(args, fmt); + vsnprintf(str, MAX_LOG_SIZE - 1, fmt, args); /* Flawfinder: ignore */ + va_end(args); - log_func( level, str); + log_func(level, str); } + #ifndef DEBUG # ifndef C99_MACROS /* Without C99 macros these functions have to * be called. This may affect performance. */ -void _gnutls_null_log( void* x, ...) { return; } +void _gnutls_null_log(void *x, ...) +{ + return; +} -# endif /* C99_MACROS */ -#endif /* DEBUG */ +# endif /* C99_MACROS */ +#endif /* DEBUG */ diff --git a/lib/gnutls_errors.h b/lib/gnutls_errors.h index 922447cfc1..a673852e39 100644 --- a/lib/gnutls_errors.h +++ b/lib/gnutls_errors.h @@ -25,18 +25,18 @@ # ifdef __LINE__ # define gnutls_assert() _gnutls_debug_log( "ASSERT: %s:%d\n", __FILE__,__LINE__); # else -# define gnutls_assert() +# define gnutls_assert() # endif -#else /* __FILE__ not defined */ -# define gnutls_assert() +#else /* __FILE__ not defined */ +# define gnutls_assert() #endif -int _gnutls_asn2err( int asn_err); -const char* gnutls_strerror(int error); +int _gnutls_asn2err(int asn_err); +const char *gnutls_strerror(int error); void gnutls_perror(int error); -int gnutls_error_is_fatal( int error); +int gnutls_error_is_fatal(int error); -void _gnutls_log( int, const char *fmt, ...); +void _gnutls_log(int, const char *fmt, ...); extern int _gnutls_log_level; @@ -67,7 +67,6 @@ extern int _gnutls_log_level; # define _gnutls_write_log _gnutls_null_log # define _gnutls_x509_log _gnutls_null_log -void _gnutls_null_log( void*, ...); - -#endif /* C99_MACROS */ +void _gnutls_null_log(void *, ...); +#endif /* C99_MACROS */ diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h index 3f64c626d7..19a0227f0d 100644 --- a/lib/gnutls_errors_int.h +++ b/lib/gnutls_errors_int.h @@ -10,35 +10,35 @@ #define GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM -3 #define GNUTLS_E_UNKNOWN_CIPHER_TYPE -6 #define GNUTLS_E_LARGE_PACKET -7 -#define GNUTLS_E_UNSUPPORTED_VERSION_PACKET -8 /* GNUTLS_A_PROTOCOL_VERSION */ -#define GNUTLS_E_UNEXPECTED_PACKET_LENGTH -9 /* GNUTLS_A_RECORD_OVERFLOW */ +#define GNUTLS_E_UNSUPPORTED_VERSION_PACKET -8 /* GNUTLS_A_PROTOCOL_VERSION */ +#define GNUTLS_E_UNEXPECTED_PACKET_LENGTH -9 /* GNUTLS_A_RECORD_OVERFLOW */ #define GNUTLS_E_INVALID_SESSION -10 #define GNUTLS_E_FATAL_ALERT_RECEIVED -12 -#define GNUTLS_E_UNEXPECTED_PACKET -15 /* GNUTLS_A_UNEXPECTED_MESSAGE */ +#define GNUTLS_E_UNEXPECTED_PACKET -15 /* GNUTLS_A_UNEXPECTED_MESSAGE */ #define GNUTLS_E_WARNING_ALERT_RECEIVED -16 #define GNUTLS_E_ERROR_IN_FINISHED_PACKET -18 #define GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET -19 -#define GNUTLS_E_UNKNOWN_CIPHER_SUITE -21 /* GNUTLS_A_HANDSHAKE_FAILURE */ +#define GNUTLS_E_UNKNOWN_CIPHER_SUITE -21 /* GNUTLS_A_HANDSHAKE_FAILURE */ #define GNUTLS_E_UNWANTED_ALGORITHM -22 #define GNUTLS_E_MPI_SCAN_FAILED -23 -#define GNUTLS_E_DECRYPTION_FAILED -24 /* GNUTLS_A_DECRYPTION_FAILED, GNUTLS_A_BAD_RECORD_MAC */ +#define GNUTLS_E_DECRYPTION_FAILED -24 /* GNUTLS_A_DECRYPTION_FAILED, GNUTLS_A_BAD_RECORD_MAC */ #define GNUTLS_E_MEMORY_ERROR -25 -#define GNUTLS_E_DECOMPRESSION_FAILED -26 /* GNUTLS_A_DECOMPRESSION_FAILURE */ +#define GNUTLS_E_DECOMPRESSION_FAILED -26 /* GNUTLS_A_DECOMPRESSION_FAILURE */ #define GNUTLS_E_COMPRESSION_FAILED -27 #define GNUTLS_E_AGAIN -28 #define GNUTLS_E_EXPIRED -29 #define GNUTLS_E_DB_ERROR -30 #define GNUTLS_E_SRP_PWD_ERROR -31 #define GNUTLS_E_INSUFFICIENT_CREDENTIALS -32 -#define GNUTLS_E_INSUFICIENT_CREDENTIALS GNUTLS_E_INSUFFICIENT_CREDENTIALS /* for backwards compatibility only */ +#define GNUTLS_E_INSUFICIENT_CREDENTIALS GNUTLS_E_INSUFFICIENT_CREDENTIALS /* for backwards compatibility only */ #define GNUTLS_E_INSUFFICIENT_CRED GNUTLS_E_INSUFFICIENT_CREDENTIALS -#define GNUTLS_E_INSUFICIENT_CRED GNUTLS_E_INSUFFICIENT_CREDENTIALS /* for backwards compatibility only */ +#define GNUTLS_E_INSUFICIENT_CRED GNUTLS_E_INSUFFICIENT_CREDENTIALS /* for backwards compatibility only */ #define GNUTLS_E_HASH_FAILED -33 #define GNUTLS_E_BASE64_DECODING_ERROR -34 #define GNUTLS_E_MPI_PRINT_FAILED -35 -#define GNUTLS_E_REHANDSHAKE -37 /* GNUTLS_A_NO_RENEGOTIATION */ +#define GNUTLS_E_REHANDSHAKE -37 /* GNUTLS_A_NO_RENEGOTIATION */ #define GNUTLS_E_GOT_APPLICATION_DATA -38 #define GNUTLS_E_RECORD_LIMIT_REACHED -39 #define GNUTLS_E_ENCRYPTION_FAILED -40 @@ -48,13 +48,13 @@ #define GNUTLS_E_PK_SIGN_FAILED -46 #define GNUTLS_E_X509_UNSUPPORTED_CRITICAL_EXTENSION -47 #define GNUTLS_E_KEY_USAGE_VIOLATION -48 -#define GNUTLS_E_NO_CERTIFICATE_FOUND -49 /* GNUTLS_A_BAD_CERTIFICATE */ +#define GNUTLS_E_NO_CERTIFICATE_FOUND -49 /* GNUTLS_A_BAD_CERTIFICATE */ #define GNUTLS_E_INVALID_REQUEST -50 #define GNUTLS_E_SHORT_MEMORY_BUFFER -51 #define GNUTLS_E_INTERRUPTED -52 #define GNUTLS_E_PUSH_ERROR -53 #define GNUTLS_E_PULL_ERROR -54 -#define GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER -55 /* GNUTLS_A_ILLEGAL_PARAMETER */ +#define GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER -55 /* GNUTLS_A_ILLEGAL_PARAMETER */ #define GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE -56 #define GNUTLS_E_PKCS1_WRONG_PAD -57 #define GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION -58 @@ -106,7 +106,7 @@ #define GNUTLS_E_CERTIFICATE_ERROR -43 #define GNUTLS_E_X509_CERTIFICATE_ERROR GNUTLS_E_CERTIFICATE_ERROR #define GNUTLS_E_CERTIFICATE_KEY_MISMATCH -60 -#define GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE -61 /* GNUTLS_A_UNSUPPORTED_CERTIFICATE */ +#define GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE -61 /* GNUTLS_A_UNSUPPORTED_CERTIFICATE */ #define GNUTLS_E_X509_UNKNOWN_SAN -62 #define GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED -94 #define GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE -95 @@ -114,7 +114,7 @@ #define GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE -97 #define GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE -98 #define GNUTLS_E_INVALID_PASSWORD -99 -#define GNUTLS_E_MAC_VERIFY_FAILED -100 /* for PKCS #12 MAC */ +#define GNUTLS_E_MAC_VERIFY_FAILED -100 /* for PKCS #12 MAC */ #define GNUTLS_E_BASE64_ENCODING_ERROR -201 #define GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY -202 @@ -130,4 +130,4 @@ #define GNUTLS_E_INT_RET_0 -1251 #define GNUTLS_E_INT_HANDSHAKE_AGAIN -1252 -#endif /* GNUTLS_ERRORS_IH */ +#endif /* GNUTLS_ERRORS_IH */ diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c index 515ecb7032..868cd9ca7c 100644 --- a/lib/gnutls_extensions.c +++ b/lib/gnutls_extensions.c @@ -42,10 +42,16 @@ const int _gnutls_extensions_size = MAX_EXT_SIZE; gnutls_extension_entry _gnutls_extensions[MAX_EXT_SIZE] = { - GNUTLS_EXTENSION_ENTRY( GNUTLS_EXTENSION_MAX_RECORD_SIZE, _gnutls_max_record_recv_params, _gnutls_max_record_send_params), - GNUTLS_EXTENSION_ENTRY( GNUTLS_EXTENSION_CERT_TYPE, _gnutls_cert_type_recv_params, _gnutls_cert_type_send_params), - GNUTLS_EXTENSION_ENTRY( GNUTLS_EXTENSION_SERVER_NAME, _gnutls_server_name_recv_params, _gnutls_server_name_send_params), - {0, 0, 0, 0} + GNUTLS_EXTENSION_ENTRY(GNUTLS_EXTENSION_MAX_RECORD_SIZE, + _gnutls_max_record_recv_params, + _gnutls_max_record_send_params), + GNUTLS_EXTENSION_ENTRY(GNUTLS_EXTENSION_CERT_TYPE, + _gnutls_cert_type_recv_params, + _gnutls_cert_type_send_params), + GNUTLS_EXTENSION_ENTRY(GNUTLS_EXTENSION_SERVER_NAME, + _gnutls_server_name_recv_params, + _gnutls_server_name_send_params), + {0, 0, 0, 0} }; #define GNUTLS_EXTENSION_LOOP2(b) \ @@ -60,101 +66,110 @@ gnutls_extension_entry _gnutls_extensions[MAX_EXT_SIZE] = { ext_recv_func _gnutls_ext_func_recv(uint16 type) { - ext_recv_func ret = NULL; - GNUTLS_EXTENSION_LOOP(ret = p->gnutls_ext_func_recv); - return ret; + ext_recv_func ret = NULL; + GNUTLS_EXTENSION_LOOP(ret = p->gnutls_ext_func_recv); + return ret; } ext_send_func _gnutls_ext_func_send(uint16 type) { - ext_send_func ret = NULL; - GNUTLS_EXTENSION_LOOP(ret = p->gnutls_ext_func_send); - return ret; + ext_send_func ret = NULL; + GNUTLS_EXTENSION_LOOP(ret = p->gnutls_ext_func_send); + return ret; } -const char* _gnutls_extension_get_name(uint16 type) +const char *_gnutls_extension_get_name(uint16 type) { - const char *ret = NULL; + const char *ret = NULL; - /* avoid prefix */ - GNUTLS_EXTENSION_LOOP(ret = p->name + sizeof("GNUTLS_EXTENSION_") - 1); + /* avoid prefix */ + GNUTLS_EXTENSION_LOOP(ret = p->name + sizeof("GNUTLS_EXTENSION_") - 1); - return ret; + return ret; } /* Checks if the extension we just received is one of the * requested ones. Otherwise it's a fatal error. */ -static int _gnutls_extension_list_check( gnutls_session session, uint16 type) { - if (session->security_parameters.entity==GNUTLS_CLIENT) { - int i; - for(i=0;i<session->internals.extensions_sent_size;i++) { - if (type==session->internals.extensions_sent[i]) - return 0; /* ok found */ - } - return GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION; +static int _gnutls_extension_list_check(gnutls_session session, + uint16 type) +{ + if (session->security_parameters.entity == GNUTLS_CLIENT) { + int i; + for (i = 0; i < session->internals.extensions_sent_size; i++) { + if (type == session->internals.extensions_sent[i]) + return 0; /* ok found */ } + return GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION; + } - return 0; + return 0; } -int _gnutls_parse_extensions( gnutls_session session, const opaque* data, int data_size) { -int next, ret; -int pos=0; -uint16 type; -const opaque* sdata; -ext_recv_func ext_recv; -uint16 size; +int _gnutls_parse_extensions(gnutls_session session, const opaque * data, + int data_size) +{ + int next, ret; + int pos = 0; + uint16 type; + const opaque *sdata; + ext_recv_func ext_recv; + uint16 size; #ifdef DEBUG -int i; - - if (session->security_parameters.entity==GNUTLS_CLIENT) - for (i=0;i<session->internals.extensions_sent_size;i++) { - _gnutls_debug_log("EXT[%d]: expecting extension '%s'\n", session, - _gnutls_extension_get_name(session->internals.extensions_sent[i])); - } + int i; + + if (session->security_parameters.entity == GNUTLS_CLIENT) + for (i = 0; i < session->internals.extensions_sent_size; i++) { + _gnutls_debug_log("EXT[%d]: expecting extension '%s'\n", + session, + _gnutls_extension_get_name(session-> + internals. + extensions_sent + [i])); + } #endif - DECR_LENGTH_RET( data_size, 2, 0); - next = _gnutls_read_uint16( data); - pos+=2; - - DECR_LENGTH_RET( data_size, next, 0); - - do { - DECR_LENGTH_RET( next, 2, 0); - type = _gnutls_read_uint16( &data[pos]); - pos+=2; - - _gnutls_debug_log("EXT[%x]: Received extension '%s'\n", session, - _gnutls_extension_get_name(type)); - - if ( (ret=_gnutls_extension_list_check( session, type)) < 0) { - gnutls_assert(); - return ret; - } - - DECR_LENGTH_RET( next, 2, 0); - size = _gnutls_read_uint16(&data[pos]); - pos+=2; - - DECR_LENGTH_RET( next, size, 0); - sdata = &data[pos]; - pos+=size; - - ext_recv = _gnutls_ext_func_recv(type); - if (ext_recv == NULL) continue; - if ( (ret=ext_recv( session, sdata, size)) < 0) { - gnutls_assert(); - return ret; - } - - } while(next > 2); - - return 0; + DECR_LENGTH_RET(data_size, 2, 0); + next = _gnutls_read_uint16(data); + pos += 2; + + DECR_LENGTH_RET(data_size, next, 0); + + do { + DECR_LENGTH_RET(next, 2, 0); + type = _gnutls_read_uint16(&data[pos]); + pos += 2; + + _gnutls_debug_log("EXT[%x]: Received extension '%s'\n", session, + _gnutls_extension_get_name(type)); + + if ((ret = _gnutls_extension_list_check(session, type)) < 0) { + gnutls_assert(); + return ret; + } + + DECR_LENGTH_RET(next, 2, 0); + size = _gnutls_read_uint16(&data[pos]); + pos += 2; + + DECR_LENGTH_RET(next, size, 0); + sdata = &data[pos]; + pos += size; + + ext_recv = _gnutls_ext_func_recv(type); + if (ext_recv == NULL) + continue; + if ((ret = ext_recv(session, sdata, size)) < 0) { + gnutls_assert(); + return ret; + } + + } while (next > 2); + + return 0; } @@ -162,91 +177,95 @@ int i; * This list is used to check whether the (later) received * extensions are the ones we requested. */ -static void _gnutls_extension_list_add( gnutls_session session, uint16 type) { - - if (session->security_parameters.entity==GNUTLS_CLIENT) { - if (session->internals.extensions_sent_size < MAX_EXT_TYPES) { - session->internals.extensions_sent[session->internals.extensions_sent_size] = type; - session->internals.extensions_sent_size++; - } else { - _gnutls_debug_log("extensions: Increase MAX_EXT_TYPES\n"); - } +static void _gnutls_extension_list_add(gnutls_session session, uint16 type) +{ + + if (session->security_parameters.entity == GNUTLS_CLIENT) { + if (session->internals.extensions_sent_size < MAX_EXT_TYPES) { + session->internals.extensions_sent[session->internals. + extensions_sent_size] = + type; + session->internals.extensions_sent_size++; + } else { + _gnutls_debug_log("extensions: Increase MAX_EXT_TYPES\n"); } + } } -int _gnutls_gen_extensions( gnutls_session session, opaque* data, size_t data_size) +int _gnutls_gen_extensions(gnutls_session session, opaque * data, + size_t data_size) { -int next, size; -uint16 pos=0; -opaque *sdata; -int sdata_size; -ext_send_func ext_send; - - - if (data_size < 2) { + int next, size; + uint16 pos = 0; + opaque *sdata; + int sdata_size; + ext_send_func ext_send; + + + if (data_size < 2) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* allocate enough data for each extension. + */ + sdata_size = data_size; + sdata = gnutls_malloc(sdata_size); + if (sdata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + pos += 2; + next = MAX_EXT_TYPES; /* maximum supported extensions */ + do { + next--; + ext_send = _gnutls_ext_func_send(next); + if (ext_send == NULL) + continue; + size = ext_send(session, sdata, sdata_size); + if (size > 0) { + if (data_size < pos + (size_t) size + 4) { gnutls_assert(); + gnutls_free(sdata); return GNUTLS_E_INTERNAL_ERROR; - } + } - /* allocate enough data for each extension. - */ - sdata_size = data_size; - sdata = gnutls_malloc( sdata_size); - if (sdata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - pos+=2; - next = MAX_EXT_TYPES; /* maximum supported extensions */ - do { - next--; - ext_send = _gnutls_ext_func_send(next); - if (ext_send == NULL) continue; - size = ext_send( session, sdata, sdata_size); - if (size > 0) { - if (data_size < pos+(size_t)size+4) { - gnutls_assert(); - gnutls_free(sdata); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* write extension type */ - _gnutls_write_uint16( next, &data[pos]); - pos+=2; - - /* write size */ - _gnutls_write_uint16( size, &data[pos]); - pos+=2; - - memcpy( &data[pos], sdata, size); - pos+=size; - - /* add this extension to the extension list - */ - _gnutls_extension_list_add( session, next); - - _gnutls_debug_log("EXT[%x]: Sending extension %s\n", session, - _gnutls_extension_get_name(next)); - } else if (size < 0) { - gnutls_assert(); - gnutls_free(sdata); - return size; - } - - } while(next >= 0); - - size = pos; - pos-=2; /* remove the size of the size header! */ - - _gnutls_write_uint16( pos, data); - - if (size==2) { /* empty */ - size = 0; + /* write extension type */ + _gnutls_write_uint16(next, &data[pos]); + pos += 2; + + /* write size */ + _gnutls_write_uint16(size, &data[pos]); + pos += 2; + + memcpy(&data[pos], sdata, size); + pos += size; + + /* add this extension to the extension list + */ + _gnutls_extension_list_add(session, next); + + _gnutls_debug_log("EXT[%x]: Sending extension %s\n", session, + _gnutls_extension_get_name(next)); + } else if (size < 0) { + gnutls_assert(); + gnutls_free(sdata); + return size; } - - gnutls_free( sdata); - return size; -} + } while (next >= 0); + + size = pos; + pos -= 2; /* remove the size of the size header! */ + _gnutls_write_uint16(pos, data); + + if (size == 2) { /* empty */ + size = 0; + } + + gnutls_free(sdata); + return size; + +} diff --git a/lib/gnutls_extensions.h b/lib/gnutls_extensions.h index f87bc80cbd..288ec183be 100644 --- a/lib/gnutls_extensions.h +++ b/lib/gnutls_extensions.h @@ -21,18 +21,19 @@ #include <gnutls_int.h> const char *_gnutls_extension_get_name(uint16 type); -int _gnutls_parse_extensions( gnutls_session, const opaque*, int); -int _gnutls_gen_extensions( gnutls_session session, opaque* data, size_t data_size); +int _gnutls_parse_extensions(gnutls_session, const opaque *, int); +int _gnutls_gen_extensions(gnutls_session session, opaque * data, + size_t data_size); -typedef int (*ext_recv_func)( gnutls_session, const opaque*, size_t); /* recv data */ -typedef int (*ext_send_func)( gnutls_session, opaque*, size_t); /* send data */ +typedef int (*ext_recv_func) (gnutls_session, const opaque *, size_t); /* recv data */ +typedef int (*ext_send_func) (gnutls_session, opaque *, size_t); /* send data */ ext_send_func _gnutls_ext_func_send(uint16 type); ext_recv_func _gnutls_ext_func_recv(uint16 type); typedef struct { - const char *name; - uint16 type; - ext_recv_func gnutls_ext_func_recv; - ext_send_func gnutls_ext_func_send; + const char *name; + uint16 type; + ext_recv_func gnutls_ext_func_recv; + ext_send_func gnutls_ext_func_send; } gnutls_extension_entry; diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c index ccb37bafc1..c3bf7d334e 100644 --- a/lib/gnutls_global.c +++ b/lib/gnutls_global.c @@ -32,7 +32,7 @@ extern const ASN1_ARRAY_TYPE gnutls_asn1_tab[]; extern const ASN1_ARRAY_TYPE pkix_asn1_tab[]; LOG_FUNC _gnutls_log_func; -int _gnutls_log_level = 0; /* default log level */ +int _gnutls_log_level = 0; /* default log level */ ASN1_TYPE _gnutls_pkix1_asn; ASN1_TYPE _gnutls_gnutls_asn; @@ -49,9 +49,9 @@ ASN1_TYPE _gnutls_gnutls_asn; * gnutls_log_func is of the form, * void (*gnutls_log_func)( int level, const char*); **/ -void gnutls_global_set_log_function( gnutls_log_func log_func) +void gnutls_global_set_log_function(gnutls_log_func log_func) { - _gnutls_log_func = log_func; + _gnutls_log_func = log_func; } /** @@ -66,28 +66,29 @@ void gnutls_global_set_log_function( gnutls_log_func log_func) * Use a log level over 10 to enable all debugging options. * **/ -void gnutls_global_set_log_level( int level) +void gnutls_global_set_log_level(int level) { - _gnutls_log_level = level; + _gnutls_log_level = level; } #ifdef DEBUG /* default logging function */ -static void dlog( int level, const char* str) { - fputs( str, stderr); +static void dlog(int level, const char *str) +{ + fputs(str, stderr); } #endif extern gnutls_alloc_function gnutls_secure_malloc; extern gnutls_alloc_function gnutls_malloc; extern gnutls_free_function gnutls_free; -extern int (*_gnutls_is_secure_memory)(const void*); +extern int (*_gnutls_is_secure_memory) (const void *); extern gnutls_realloc_function gnutls_realloc; -extern char* (*gnutls_strdup)(const char*); -extern void* (*gnutls_calloc)(size_t, size_t); +extern char *(*gnutls_strdup) (const char *); +extern void *(*gnutls_calloc) (size_t, size_t); -int _gnutls_is_secure_mem_null( const void*); +int _gnutls_is_secure_mem_null(const void *); /** * gnutls_global_set_mem_functions - This function sets the memory allocation functions @@ -106,38 +107,41 @@ int _gnutls_is_secure_mem_null( const void*); * This function must be called before gnutls_global_init() is called. * **/ -void gnutls_global_set_mem_functions( - void *(*gnutls_alloc_func)(size_t), void* (*gnutls_secure_alloc_func)(size_t), - int (*gnutls_is_secure_func)(const void*), void *(*gnutls_realloc_func)(void *, size_t), - void (*gnutls_free_func)(void*)) +void gnutls_global_set_mem_functions(void *(*gnutls_alloc_func) (size_t), void + *(*gnutls_secure_alloc_func) (size_t), + int (*gnutls_is_secure_func) (const + void *), + void *(*gnutls_realloc_func) (void *, + size_t), + void (*gnutls_free_func) (void *)) { - gnutls_secure_malloc = gnutls_secure_alloc_func; - gnutls_malloc = gnutls_alloc_func; - gnutls_realloc = gnutls_realloc_func; - gnutls_free = gnutls_free_func; - - if (gnutls_is_secure_func!=NULL) - _gnutls_is_secure_memory = gnutls_is_secure_func; - else - _gnutls_is_secure_memory = _gnutls_is_secure_mem_null; - - /* if using the libc's default malloc - * use libc's calloc as well. - */ - if ( gnutls_malloc == malloc) { - gnutls_calloc = calloc; - } else { /* use the included ones */ - gnutls_calloc = _gnutls_calloc; - } - gnutls_strdup = _gnutls_strdup; + gnutls_secure_malloc = gnutls_secure_alloc_func; + gnutls_malloc = gnutls_alloc_func; + gnutls_realloc = gnutls_realloc_func; + gnutls_free = gnutls_free_func; + + if (gnutls_is_secure_func != NULL) + _gnutls_is_secure_memory = gnutls_is_secure_func; + else + _gnutls_is_secure_memory = _gnutls_is_secure_mem_null; + + /* if using the libc's default malloc + * use libc's calloc as well. + */ + if (gnutls_malloc == malloc) { + gnutls_calloc = calloc; + } else { /* use the included ones */ + gnutls_calloc = _gnutls_calloc; + } + gnutls_strdup = _gnutls_strdup; } #ifdef DEBUG -static void _gnutls_gcry_log_handler( void* dummy, int level, const char* fmt, - va_list list) +static void _gnutls_gcry_log_handler(void *dummy, int level, + const char *fmt, va_list list) { - _gnutls_log( fmt, list); + _gnutls_log(fmt, list); } #endif @@ -158,70 +162,74 @@ static int _gnutls_init = 0; * want to disable libgcrypt's internal lockings etc. * **/ -int gnutls_global_init( void) +int gnutls_global_init(void) { - int result = 0; - int res; - - if (_gnutls_init) goto out; - _gnutls_init++; + int result = 0; + int res; + + if (_gnutls_init) + goto out; + _gnutls_init++; + + if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0) { + const char *p; + p = strchr(GNUTLS_GCRYPT_VERSION, ':'); + if (p == NULL) + p = GNUTLS_GCRYPT_VERSION; + else + p++; - if (gcry_control( GCRYCTL_ANY_INITIALIZATION_P) == 0) { - const char* p; - p = strchr( GNUTLS_GCRYPT_VERSION, ':'); - if (p==NULL) p = GNUTLS_GCRYPT_VERSION; - else p++; + if (gcry_check_version(p) == NULL) { + gnutls_assert(); + _gnutls_debug_log("Checking for libgcrypt failed '%s'\n", p); + return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY; + } - if (gcry_check_version(p)==NULL) { - gnutls_assert(); - _gnutls_debug_log("Checking for libgcrypt failed '%s'\n", p); - return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY; - } + /* for gcrypt in order to be able to allocate memory */ + gcry_set_allocation_handler(gnutls_malloc, gnutls_secure_malloc, + _gnutls_is_secure_memory, + gnutls_realloc, gnutls_free); - /* for gcrypt in order to be able to allocate memory */ - gcry_set_allocation_handler(gnutls_malloc, gnutls_secure_malloc, _gnutls_is_secure_memory, gnutls_realloc, gnutls_free); - - /* gcry_control (GCRYCTL_DISABLE_INTERNAL_LOCKING, NULL, 0); */ + /* gcry_control (GCRYCTL_DISABLE_INTERNAL_LOCKING, NULL, 0); */ - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, NULL,0); + gcry_control(GCRYCTL_INITIALIZATION_FINISHED, NULL, 0); #ifdef DEBUG - /* applications may want to override that, so we only use - * it in debugging mode. - */ - gcry_set_log_handler( _gnutls_gcry_log_handler, NULL); + /* applications may want to override that, so we only use + * it in debugging mode. + */ + gcry_set_log_handler(_gnutls_gcry_log_handler, NULL); #endif - } - + } #ifdef DEBUG - gnutls_global_set_log_function( dlog); + gnutls_global_set_log_function(dlog); #endif - /* initialize parser - * This should not deal with files in the final - * version. - */ + /* initialize parser + * This should not deal with files in the final + * version. + */ - if (asn1_check_version(GNUTLS_LIBTASN1_VERSION)==NULL) { - gnutls_assert(); - return GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY; - } - - res=asn1_array2tree( pkix_asn1_tab, &_gnutls_pkix1_asn, NULL); - if (res != ASN1_SUCCESS) { - result = _gnutls_asn2err(res); - goto out; - } + if (asn1_check_version(GNUTLS_LIBTASN1_VERSION) == NULL) { + gnutls_assert(); + return GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY; + } - res=asn1_array2tree( gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL); - if (res != ASN1_SUCCESS) { - asn1_delete_structure(&_gnutls_pkix1_asn); - result = _gnutls_asn2err(res); - goto out; - } - - out: - return result; + res = asn1_array2tree(pkix_asn1_tab, &_gnutls_pkix1_asn, NULL); + if (res != ASN1_SUCCESS) { + result = _gnutls_asn2err(res); + goto out; + } + + res = asn1_array2tree(gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL); + if (res != ASN1_SUCCESS) { + asn1_delete_structure(&_gnutls_pkix1_asn); + result = _gnutls_asn2err(res); + goto out; + } + + out: + return result; } /** @@ -232,14 +240,15 @@ int gnutls_global_init( void) * **/ -void gnutls_global_deinit( void) { +void gnutls_global_deinit(void) +{ + + if (_gnutls_init == 1) { + _gnutls_init--; + asn1_delete_structure(&_gnutls_gnutls_asn); + asn1_delete_structure(&_gnutls_pkix1_asn); + } - if (_gnutls_init==1) { - _gnutls_init--; - asn1_delete_structure(&_gnutls_gnutls_asn); - asn1_delete_structure(&_gnutls_pkix1_asn); - } - } @@ -260,8 +269,10 @@ void gnutls_global_deinit( void) { * PULL_FUNC is of the form, * ssize_t (*gnutls_pull_func)(gnutls_transport_ptr, const void*, size_t); **/ -void gnutls_transport_set_pull_function( gnutls_session session, gnutls_pull_func pull_func) { - session->internals._gnutls_pull_func = pull_func; +void gnutls_transport_set_pull_function(gnutls_session session, + gnutls_pull_func pull_func) +{ + session->internals._gnutls_pull_func = pull_func; } /** @@ -279,46 +290,47 @@ void gnutls_transport_set_pull_function( gnutls_session session, gnutls_pull_fun * PUSH_FUNC is of the form, * ssize_t (*gnutls_push_func)(gnutls_transport_ptr, const void*, size_t); **/ -void gnutls_transport_set_push_function( gnutls_session session, gnutls_push_func push_func) { - session->internals._gnutls_push_func = push_func; +void gnutls_transport_set_push_function(gnutls_session session, + gnutls_push_func push_func) +{ + session->internals._gnutls_push_func = push_func; } /* Taken from libgcrypt. Needed to configure scripts. */ -static const char* -parse_version_number( const char *s, int *number ) +static const char *parse_version_number(const char *s, int *number) { int val = 0; - if( *s == '0' && isdigit(s[1]) ) - return NULL; /* leading zeros are not allowed */ - for ( ; isdigit(*s); s++ ) { + if (*s == '0' && isdigit(s[1])) + return NULL; /* leading zeros are not allowed */ + for (; isdigit(*s); s++) { val *= 10; val += *s - '0'; } *number = val; - return val < 0? NULL : s; + return val < 0 ? NULL : s; } /* The parse version functions were copied from libgcrypt. */ -static const char * -parse_version_string( const char *s, int *major, int *minor, int *micro ) +static const char *parse_version_string(const char *s, int *major, + int *minor, int *micro) { - s = parse_version_number( s, major ); - if( !s || *s != '.' ) + s = parse_version_number(s, major); + if (!s || *s != '.') return NULL; s++; - s = parse_version_number( s, minor ); - if( !s || *s != '.' ) + s = parse_version_number(s, minor); + if (!s || *s != '.') return NULL; s++; - s = parse_version_number( s, micro ); - if( !s ) + s = parse_version_number(s, micro); + if (!s) return NULL; - return s; /* patchlevel */ + return s; /* patchlevel */ } /** @@ -331,34 +343,31 @@ parse_version_string( const char *s, int *major, int *minor, int *micro ) * but the version string is simply returned. * **/ -const char * -gnutls_check_version( const char *req_version ) +const char *gnutls_check_version(const char *req_version) { const char *ver = GNUTLS_VERSION; int my_major, my_minor, my_micro; int rq_major, rq_minor, rq_micro; const char *my_plvl, *rq_plvl; - if ( !req_version ) + if (!req_version) return ver; - my_plvl = parse_version_string( ver, &my_major, &my_minor, &my_micro ); - if ( !my_plvl ) - return NULL; /* very strange our own version is bogus */ - rq_plvl = parse_version_string( req_version, &rq_major, &rq_minor, - &rq_micro ); - if ( !rq_plvl ) - return NULL; /* req version string is invalid */ + my_plvl = parse_version_string(ver, &my_major, &my_minor, &my_micro); + if (!my_plvl) + return NULL; /* very strange our own version is bogus */ + rq_plvl = parse_version_string(req_version, &rq_major, &rq_minor, + &rq_micro); + if (!rq_plvl) + return NULL; /* req version string is invalid */ - if ( my_major > rq_major + if (my_major > rq_major || (my_major == rq_major && my_minor > rq_minor) || (my_major == rq_major && my_minor == rq_minor - && my_micro > rq_micro) + && my_micro > rq_micro) || (my_major == rq_major && my_minor == rq_minor - && my_micro == rq_micro - && strcmp( my_plvl, rq_plvl ) >= 0) ) { + && my_micro == rq_micro && strcmp(my_plvl, rq_plvl) >= 0)) { return ver; } return NULL; } - diff --git a/lib/gnutls_global.h b/lib/gnutls_global.h index 55c0713872..f59fd3c7bf 100644 --- a/lib/gnutls_global.h +++ b/lib/gnutls_global.h @@ -3,8 +3,8 @@ #include <libtasn1.h> -int gnutls_global_init( void); -int gnutls_is_secure_memory(const void* mem); +int gnutls_global_init(void); +int gnutls_is_secure_memory(const void *mem); extern ASN1_TYPE _gnutls_pkix1_asn; extern ASN1_TYPE _gnutls_gnutls_asn; diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 150e1864d6..9dc66a99dd 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -47,8 +47,8 @@ #include <gnutls_alert.h> #include <gnutls_state.h> #include <ext_srp.h> -#include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */ -#include <auth_anon.h> /* for gnutls_anon_server_credentials */ +#include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */ +#include <auth_anon.h> /* for gnutls_anon_server_credentials */ #ifdef HANDSHAKE_DEBUG #define ERR(x, y) _gnutls_handshake_log( "HSK[%x]: %s (%d)\n", session, x,y) @@ -60,19 +60,19 @@ #define FALSE 0 int _gnutls_server_select_comp_method(gnutls_session session, - opaque * data, int datalen); + opaque * data, int datalen); /* Clears the handshake hash buffers and handles. */ inline static -void _gnutls_handshake_hash_buffers_clear( gnutls_session session) +void _gnutls_handshake_hash_buffers_clear(gnutls_session session) { - _gnutls_hash_deinit( session->internals.handshake_mac_handle_md5, NULL); - _gnutls_hash_deinit( session->internals.handshake_mac_handle_sha, NULL); - session->internals.handshake_mac_handle_md5 = NULL; - session->internals.handshake_mac_handle_sha = NULL; - _gnutls_handshake_buffer_clear( session); + _gnutls_hash_deinit(session->internals.handshake_mac_handle_md5, NULL); + _gnutls_hash_deinit(session->internals.handshake_mac_handle_sha, NULL); + session->internals.handshake_mac_handle_md5 = NULL; + session->internals.handshake_mac_handle_sha = NULL; + _gnutls_handshake_buffer_clear(session); } /* this will copy the required values for resuming to @@ -81,55 +81,57 @@ void _gnutls_handshake_hash_buffers_clear( gnutls_session session) */ static void resume_copy_required_values(gnutls_session session) { - /* get the new random values */ - memcpy(session->internals.resumed_security_parameters. - server_random, - session->security_parameters.server_random, TLS_RANDOM_SIZE); - memcpy(session->internals.resumed_security_parameters. - client_random, - session->security_parameters.client_random, TLS_RANDOM_SIZE); - - /* keep the ciphersuite and compression - * That is because the client must see these in our - * hello message. - */ - memcpy(session->security_parameters.current_cipher_suite. - suite, - session->internals.resumed_security_parameters. - current_cipher_suite.suite, 2); - - session->internals.compression_method = - session->internals.resumed_security_parameters.read_compression_algorithm; - /* or write_compression_algorithm - * they are the same - */ - - session->security_parameters.entity = - session->internals.resumed_security_parameters.entity; - - _gnutls_set_current_version( session, session->internals.resumed_security_parameters.version); - - session->security_parameters.cert_type = - session->internals.resumed_security_parameters.cert_type; - - memcpy(session->security_parameters.session_id, - session->internals.resumed_security_parameters. - session_id, sizeof(session->security_parameters.session_id)); - session->security_parameters.session_id_size = - session->internals.resumed_security_parameters. - session_id_size; + /* get the new random values */ + memcpy(session->internals.resumed_security_parameters. + server_random, + session->security_parameters.server_random, TLS_RANDOM_SIZE); + memcpy(session->internals.resumed_security_parameters. + client_random, + session->security_parameters.client_random, TLS_RANDOM_SIZE); + + /* keep the ciphersuite and compression + * That is because the client must see these in our + * hello message. + */ + memcpy(session->security_parameters.current_cipher_suite. + suite, + session->internals.resumed_security_parameters. + current_cipher_suite.suite, 2); + + session->internals.compression_method = + session->internals.resumed_security_parameters. + read_compression_algorithm; + /* or write_compression_algorithm + * they are the same + */ + + session->security_parameters.entity = + session->internals.resumed_security_parameters.entity; + + _gnutls_set_current_version(session, + session->internals. + resumed_security_parameters.version); + + session->security_parameters.cert_type = + session->internals.resumed_security_parameters.cert_type; + + memcpy(session->security_parameters.session_id, + session->internals.resumed_security_parameters. + session_id, sizeof(session->security_parameters.session_id)); + session->security_parameters.session_id_size = + session->internals.resumed_security_parameters.session_id_size; } void _gnutls_set_server_random(gnutls_session session, uint8 * random) { - memcpy(session->security_parameters.server_random, random, - TLS_RANDOM_SIZE); + memcpy(session->security_parameters.server_random, random, + TLS_RANDOM_SIZE); } void _gnutls_set_client_random(gnutls_session session, uint8 * random) { - memcpy(session->security_parameters.client_random, random, - TLS_RANDOM_SIZE); + memcpy(session->security_parameters.client_random, random, + TLS_RANDOM_SIZE); } /* Calculate The SSL3 Finished message @@ -137,39 +139,46 @@ void _gnutls_set_client_random(gnutls_session session, uint8 * random) #define SSL3_CLIENT_MSG "CLNT" #define SSL3_SERVER_MSG "SRVR" #define SSL_MSG_LEN 4 -static int _gnutls_ssl3_finished(gnutls_session session, int type, opaque * ret) +static int _gnutls_ssl3_finished(gnutls_session session, int type, + opaque * ret) { - const int siz = SSL_MSG_LEN; - mac_hd_t td_md5; - mac_hd_t td_sha; - const char *mesg; - - td_md5 = _gnutls_hash_copy( session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - td_sha = _gnutls_hash_copy( session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) { - gnutls_assert(); - _gnutls_hash_deinit( td_md5, NULL); - return GNUTLS_E_HASH_FAILED; - } - - if (type == GNUTLS_SERVER) { - mesg = SSL3_SERVER_MSG; - } else { - mesg = SSL3_CLIENT_MSG; - } - - _gnutls_hash(td_md5, mesg, siz); - _gnutls_hash(td_sha, mesg, siz); - - _gnutls_mac_deinit_ssl3_handshake(td_md5, ret, session->security_parameters.master_secret, TLS_MASTER_SIZE); - _gnutls_mac_deinit_ssl3_handshake(td_sha, &ret[16], session->security_parameters.master_secret, TLS_MASTER_SIZE); + const int siz = SSL_MSG_LEN; + mac_hd_t td_md5; + mac_hd_t td_sha; + const char *mesg; + + td_md5 = + _gnutls_hash_copy(session->internals.handshake_mac_handle_md5); + if (td_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - return 0; + td_sha = + _gnutls_hash_copy(session->internals.handshake_mac_handle_sha); + if (td_sha == NULL) { + gnutls_assert(); + _gnutls_hash_deinit(td_md5, NULL); + return GNUTLS_E_HASH_FAILED; + } + + if (type == GNUTLS_SERVER) { + mesg = SSL3_SERVER_MSG; + } else { + mesg = SSL3_CLIENT_MSG; + } + + _gnutls_hash(td_md5, mesg, siz); + _gnutls_hash(td_sha, mesg, siz); + + _gnutls_mac_deinit_ssl3_handshake(td_md5, ret, + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + _gnutls_mac_deinit_ssl3_handshake(td_sha, &ret[16], + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + + return 0; } /* Hash the handshake messages as required by TLS 1.0 @@ -179,39 +188,40 @@ static int _gnutls_ssl3_finished(gnutls_session session, int type, opaque * ret) #define TLS_MSG_LEN 15 int _gnutls_finished(gnutls_session session, int type, void *ret) { - const int siz = TLS_MSG_LEN; - opaque concat[36]; - const char *mesg; - mac_hd_t td_md5; - mac_hd_t td_sha; + const int siz = TLS_MSG_LEN; + opaque concat[36]; + const char *mesg; + mac_hd_t td_md5; + mac_hd_t td_sha; - td_md5 = _gnutls_hash_copy( session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } + td_md5 = + _gnutls_hash_copy(session->internals.handshake_mac_handle_md5); + if (td_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - td_sha = _gnutls_hash_copy( session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) { - gnutls_assert(); - _gnutls_hash_deinit( td_md5, NULL); - return GNUTLS_E_HASH_FAILED; - } + td_sha = + _gnutls_hash_copy(session->internals.handshake_mac_handle_sha); + if (td_sha == NULL) { + gnutls_assert(); + _gnutls_hash_deinit(td_md5, NULL); + return GNUTLS_E_HASH_FAILED; + } - _gnutls_hash_deinit(td_md5, concat); - _gnutls_hash_deinit(td_sha, &concat[16]); + _gnutls_hash_deinit(td_md5, concat); + _gnutls_hash_deinit(td_sha, &concat[16]); - if (type == GNUTLS_SERVER) { - mesg = SERVER_MSG; - } else { - mesg = CLIENT_MSG; - } + if (type == GNUTLS_SERVER) { + mesg = SERVER_MSG; + } else { + mesg = CLIENT_MSG; + } - return _gnutls_PRF(session->security_parameters.master_secret, - TLS_MASTER_SIZE, mesg, siz, concat, 36, - 12, ret); + return _gnutls_PRF(session->security_parameters.master_secret, + TLS_MASTER_SIZE, mesg, siz, concat, 36, 12, ret); } /* this function will produce TLS_RANDOM_SIZE==32 bytes of random data @@ -219,24 +229,24 @@ int _gnutls_finished(gnutls_session session, int type, void *ret) */ int _gnutls_tls_create_random(opaque * dst) { - uint32 tim; + uint32 tim; - /* Use weak random numbers for the most of the - * buffer except for the first 4 that are the - * system's time. - */ + /* Use weak random numbers for the most of the + * buffer except for the first 4 that are the + * system's time. + */ - tim = time(NULL); - /* generate server random value */ - _gnutls_write_uint32(tim, dst); + tim = time(NULL); + /* generate server random value */ + _gnutls_write_uint32(tim, dst); - if (_gnutls_get_random - (&dst[4], TLS_RANDOM_SIZE - 4, GNUTLS_WEAK_RANDOM) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (_gnutls_get_random + (&dst[4], TLS_RANDOM_SIZE - 4, GNUTLS_WEAK_RANDOM) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - return 0; + return 0; } @@ -248,154 +258,159 @@ int _gnutls_tls_create_random(opaque * dst) int _gnutls_read_client_hello(gnutls_session session, opaque * data, int datalen) { - uint8 session_id_len, z; - int pos = 0, ret; - uint16 suite_size; - gnutls_protocol_version version; - int len = datalen; - opaque random[TLS_RANDOM_SIZE], *suite_ptr; - gnutls_protocol_version ver; - - if (session->internals.v2_hello != 0) { /* version 2.0 */ - return _gnutls_read_client_hello_v2(session, data, datalen); - } - DECR_LEN(len, 2); - - _gnutls_handshake_log("HSK[%x]: Client's version: %d.%d\n", session, data[pos], data[pos + 1]); - - version = _gnutls_version_get(data[pos], data[pos + 1]); - set_adv_version(session, data[pos], data[pos + 1]); - pos += 2; - - /* if we do not support that version */ - if (_gnutls_version_is_supported(session, version) == 0) { - /* If he requested something we do not support - * then we send him the highest we support. - */ - ver = _gnutls_version_max(session); - if (ver==GNUTLS_VERSION_UNKNOWN) { - /* this check is not really needed. - */ - gnutls_assert(); - return GNUTLS_E_UNKNOWN_CIPHER_SUITE; - } - } else { - ver = version; - } - - _gnutls_set_current_version(session, ver); - - /* Read client random value. - */ - DECR_LEN(len, TLS_RANDOM_SIZE); - _gnutls_set_client_random(session, &data[pos]); - pos += TLS_RANDOM_SIZE; - - _gnutls_tls_create_random(random); - _gnutls_set_server_random(session, random); - - session->security_parameters.timestamp = time(NULL); - - DECR_LEN(len, 1); - session_id_len = data[pos++]; - - /* RESUME SESSION + uint8 session_id_len, z; + int pos = 0, ret; + uint16 suite_size; + gnutls_protocol_version version; + int len = datalen; + opaque random[TLS_RANDOM_SIZE], *suite_ptr; + gnutls_protocol_version ver; + + if (session->internals.v2_hello != 0) { /* version 2.0 */ + return _gnutls_read_client_hello_v2(session, data, datalen); + } + DECR_LEN(len, 2); + + _gnutls_handshake_log("HSK[%x]: Client's version: %d.%d\n", session, + data[pos], data[pos + 1]); + + version = _gnutls_version_get(data[pos], data[pos + 1]); + set_adv_version(session, data[pos], data[pos + 1]); + pos += 2; + + /* if we do not support that version */ + if (_gnutls_version_is_supported(session, version) == 0) { + /* If he requested something we do not support + * then we send him the highest we support. */ - if (session_id_len > TLS_MAX_SESSION_ID_SIZE) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + ver = _gnutls_version_max(session); + if (ver == GNUTLS_VERSION_UNKNOWN) { + /* this check is not really needed. + */ + gnutls_assert(); + return GNUTLS_E_UNKNOWN_CIPHER_SUITE; } - DECR_LEN(len, session_id_len); - ret = _gnutls_server_restore_session(session, &data[pos], session_id_len); - pos += session_id_len; + } else { + ver = version; + } - if (ret == 0) { /* resumed! */ - resume_copy_required_values(session); - session->internals.resumed = RESUME_TRUE; - return 0; - } else { - _gnutls_generate_session_id(session->security_parameters. - session_id, - &session->security_parameters. - session_id_size); + _gnutls_set_current_version(session, ver); - session->internals.resumed = RESUME_FALSE; - } + /* Read client random value. + */ + DECR_LEN(len, TLS_RANDOM_SIZE); + _gnutls_set_client_random(session, &data[pos]); + pos += TLS_RANDOM_SIZE; - /* Remember ciphersuites for later - */ - DECR_LEN(len, 2); - suite_size = _gnutls_read_uint16(&data[pos]); - pos += 2; + _gnutls_tls_create_random(random); + _gnutls_set_server_random(session, random); - DECR_LEN(len, suite_size); - suite_ptr = &data[pos]; - pos += suite_size; + session->security_parameters.timestamp = time(NULL); - /* Select an appropriate compression method - */ - DECR_LEN(len, 1); - z = data[pos++]; /* z is the number of compression methods */ + DECR_LEN(len, 1); + session_id_len = data[pos++]; - DECR_LEN(len, z); - ret = _gnutls_server_select_comp_method(session, &data[pos], z); - pos += z; + /* RESUME SESSION + */ + if (session_id_len > TLS_MAX_SESSION_ID_SIZE) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + DECR_LEN(len, session_id_len); + ret = + _gnutls_server_restore_session(session, &data[pos], + session_id_len); + pos += session_id_len; + + if (ret == 0) { /* resumed! */ + resume_copy_required_values(session); + session->internals.resumed = RESUME_TRUE; + return 0; + } else { + _gnutls_generate_session_id(session->security_parameters. + session_id, + &session->security_parameters. + session_id_size); + + session->internals.resumed = RESUME_FALSE; + } + + /* Remember ciphersuites for later + */ + DECR_LEN(len, 2); + suite_size = _gnutls_read_uint16(&data[pos]); + pos += 2; + + DECR_LEN(len, suite_size); + suite_ptr = &data[pos]; + pos += suite_size; + + /* Select an appropriate compression method + */ + DECR_LEN(len, 1); + z = data[pos++]; /* z is the number of compression methods */ + + DECR_LEN(len, z); + ret = _gnutls_server_select_comp_method(session, &data[pos], z); + pos += z; + + if (ret < 0) { + gnutls_assert(); + return ret; + } + /* Parse the extensions (if any) + */ + if (ver >= GNUTLS_TLS1) { + ret = _gnutls_parse_extensions(session, &data[pos], len); /* len is the rest of the parsed length */ if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* Parse the extensions (if any) - */ - if (ver >= GNUTLS_TLS1) { - ret = _gnutls_parse_extensions(session, &data[pos], len); /* len is the rest of the parsed length */ - if (ret < 0) { - gnutls_assert(); - return ret; - } - } - - /* select an appropriate cipher suite - */ - ret = _gnutls_server_select_suite(session, suite_ptr, suite_size); - if (ret < 0) { - gnutls_assert(); - return ret; + gnutls_assert(); + return ret; } + } - return 0; + /* select an appropriate cipher suite + */ + ret = _gnutls_server_select_suite(session, suite_ptr, suite_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } /* here we hash all pending data. */ -inline static int -_gnutls_handshake_hash_pending( gnutls_session session) { -size_t siz; -int ret; -opaque * data; - - if (session->internals.handshake_mac_handle_sha==NULL || - session->internals.handshake_mac_handle_md5==NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } +inline static int _gnutls_handshake_hash_pending(gnutls_session session) +{ + size_t siz; + int ret; + opaque *data; - /* We check if there are pending data to hash. - */ - if ((ret=_gnutls_handshake_buffer_get_ptr(session, &data, &siz)) < 0) { - gnutls_assert(); - return ret; - } + if (session->internals.handshake_mac_handle_sha == NULL || + session->internals.handshake_mac_handle_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - if (siz > 0) { - _gnutls_hash( session->internals.handshake_mac_handle_sha, data, siz); - _gnutls_hash( session->internals.handshake_mac_handle_md5, data, siz); - } - - _gnutls_handshake_buffer_empty( session); - - return 0; + /* We check if there are pending data to hash. + */ + if ((ret = _gnutls_handshake_buffer_get_ptr(session, &data, &siz)) < 0) { + gnutls_assert(); + return ret; + } + + if (siz > 0) { + _gnutls_hash(session->internals.handshake_mac_handle_sha, data, + siz); + _gnutls_hash(session->internals.handshake_mac_handle_md5, data, + siz); + } + + _gnutls_handshake_buffer_empty(session); + + return 0; } @@ -405,48 +420,46 @@ opaque * data; */ int _gnutls_send_finished(gnutls_session session, int again) { - uint8 data[36]; - int ret; - int data_size = 0; + uint8 data[36]; + int ret; + int data_size = 0; - if (again == 0) { - - /* This is needed in order to hash all the required - * messages. - */ - if ((ret=_gnutls_handshake_hash_pending(session)) < 0) { - gnutls_assert(); - return ret; - } + if (again == 0) { - if (gnutls_protocol_get_version( session) == GNUTLS_SSL3) { - ret = - _gnutls_ssl3_finished(session, - session-> - security_parameters. - entity, data); - data_size = 36; - } else { /* TLS 1.0 */ - ret = - _gnutls_finished(session, - session->security_parameters. - entity, data); - data_size = 12; - } + /* This is needed in order to hash all the required + * messages. + */ + if ((ret = _gnutls_handshake_hash_pending(session)) < 0) { + gnutls_assert(); + return ret; + } - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { + ret = + _gnutls_ssl3_finished(session, + session-> + security_parameters.entity, data); + data_size = 36; + } else { /* TLS 1.0 */ + ret = + _gnutls_finished(session, + session->security_parameters. + entity, data); + data_size = 12; + } + if (ret < 0) { + gnutls_assert(); + return ret; } - ret = - _gnutls_send_handshake(session, data, data_size, - GNUTLS_FINISHED); + } - return ret; + ret = + _gnutls_send_handshake(session, data, data_size, GNUTLS_FINISHED); + + return ret; } /* This is to be called after sending our finished message. If everything @@ -454,245 +467,256 @@ int _gnutls_send_finished(gnutls_session session, int again) */ int _gnutls_recv_finished(gnutls_session session) { - uint8 data[36], *vrfy; - int data_size; - int ret; - int vrfysize; - - ret = - _gnutls_recv_handshake(session, &vrfy, &vrfysize, - GNUTLS_FINISHED, MANDATORY_PACKET); - if (ret < 0) { - ERR("recv finished int", ret); - gnutls_assert(); - return ret; - } + uint8 data[36], *vrfy; + int data_size; + int ret; + int vrfysize; + + ret = + _gnutls_recv_handshake(session, &vrfy, &vrfysize, + GNUTLS_FINISHED, MANDATORY_PACKET); + if (ret < 0) { + ERR("recv finished int", ret); + gnutls_assert(); + return ret; + } - if ( gnutls_protocol_get_version( session) == GNUTLS_SSL3) { - data_size = 36; - } else { - data_size = 12; - } + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { + data_size = 36; + } else { + data_size = 12; + } - if (vrfysize != data_size) { - gnutls_assert(); - gnutls_free(vrfy); - return GNUTLS_E_ERROR_IN_FINISHED_PACKET; - } - - if (gnutls_protocol_get_version( session) == GNUTLS_SSL3) { - ret = - _gnutls_ssl3_finished(session, - (session->security_parameters. - entity + 1) % 2, data); - } else { /* TLS 1.0 */ - ret = - _gnutls_finished(session, - (session->security_parameters.entity + - 1) % 2, data); - } + if (vrfysize != data_size) { + gnutls_assert(); + gnutls_free(vrfy); + return GNUTLS_E_ERROR_IN_FINISHED_PACKET; + } - if (ret < 0) { - gnutls_assert(); - gnutls_free(vrfy); - return ret; - } + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { + ret = + _gnutls_ssl3_finished(session, + (session->security_parameters. + entity + 1) % 2, data); + } else { /* TLS 1.0 */ + ret = + _gnutls_finished(session, + (session->security_parameters.entity + + 1) % 2, data); + } - if (memcmp(vrfy, data, data_size) != 0) { - gnutls_assert(); - ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET; - } + if (ret < 0) { + gnutls_assert(); gnutls_free(vrfy); - return ret; + } + + if (memcmp(vrfy, data, data_size) != 0) { + gnutls_assert(); + ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET; + } + gnutls_free(vrfy); + + return ret; } /* returns PK_RSA if the given cipher suite list only supports, * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none. */ -static int _gnutls_server_find_pk_algos_in_ciphersuites( const opaque* data, int datalen) +static int _gnutls_server_find_pk_algos_in_ciphersuites(const opaque * + data, int datalen) { -int j; -gnutls_pk_algorithm algo=GNUTLS_PK_NONE, prev_algo = 0; -gnutls_kx_algorithm kx; -cipher_suite_st cs; + int j; + gnutls_pk_algorithm algo = GNUTLS_PK_NONE, prev_algo = 0; + gnutls_kx_algorithm kx; + cipher_suite_st cs; - if (datalen % 2 != 0) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + if (datalen % 2 != 0) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } - for (j = 0; j < datalen; j += 2) { - memcpy( &cs.suite, &data[j], 2); - kx = _gnutls_cipher_suite_get_kx_algo( &cs); - - if ( _gnutls_map_kx_get_cred( kx, 1) == GNUTLS_CRD_CERTIFICATE) { - algo = _gnutls_map_pk_get_pk( kx); - - if (algo!=prev_algo && prev_algo!=0) return GNUTLS_PK_ANY; - prev_algo = algo; - } + for (j = 0; j < datalen; j += 2) { + memcpy(&cs.suite, &data[j], 2); + kx = _gnutls_cipher_suite_get_kx_algo(&cs); + + if (_gnutls_map_kx_get_cred(kx, 1) == GNUTLS_CRD_CERTIFICATE) { + algo = _gnutls_map_pk_get_pk(kx); + + if (algo != prev_algo && prev_algo != 0) + return GNUTLS_PK_ANY; + prev_algo = algo; } + } - return algo; + return algo; } /* This selects the best supported ciphersuite from the given ones. Then * it adds the suite to the session and performs some checks. */ -int _gnutls_server_select_suite(gnutls_session session, opaque *data, int datalen) +int _gnutls_server_select_suite(gnutls_session session, opaque * data, + int datalen) { - int x, i, j; - cipher_suite_st *ciphers, cs; - int retval, err; - gnutls_pk_algorithm pk_algo; /* will hold the pk algorithms - * supported by the peer. - */ + int x, i, j; + cipher_suite_st *ciphers, cs; + int retval, err; + gnutls_pk_algorithm pk_algo; /* will hold the pk algorithms + * supported by the peer. + */ - pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites( data, datalen); - - x = _gnutls_supported_ciphersuites(session, &ciphers); - if (x < 0) { /* the case x==0 is handled within the function. */ - gnutls_assert(); - return x; - } - - /* Here we remove any ciphersuite that does not conform - * the certificate requested, or to the - * authentication requested (e.g. SRP). - */ - x = _gnutls_remove_unwanted_ciphersuites(session, &ciphers, x, pk_algo); - if (x<=0) { - gnutls_assert(); - gnutls_free(ciphers); - if (x<0) return x; - else return GNUTLS_E_UNKNOWN_CIPHER_SUITE; - } - - /* Data length should be zero mod 2 since - * every ciphersuite is 2 bytes. (this check is needed - * see below). - */ - if (datalen % 2 != 0) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites(data, datalen); + x = _gnutls_supported_ciphersuites(session, &ciphers); + if (x < 0) { /* the case x==0 is handled within the function. */ + gnutls_assert(); + return x; + } + + /* Here we remove any ciphersuite that does not conform + * the certificate requested, or to the + * authentication requested (e.g. SRP). + */ + x = _gnutls_remove_unwanted_ciphersuites(session, &ciphers, x, + pk_algo); + if (x <= 0) { + gnutls_assert(); + gnutls_free(ciphers); + if (x < 0) + return x; + else + return GNUTLS_E_UNKNOWN_CIPHER_SUITE; + } + + /* Data length should be zero mod 2 since + * every ciphersuite is 2 bytes. (this check is needed + * see below). + */ + if (datalen % 2 != 0) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } #ifdef HANDSHAKE_DEBUG - _gnutls_handshake_log("HSK[%x]: Requested cipher suites: \n", session); - for (j = 0; j < datalen; j += 2) { - memcpy( &cs.suite, &data[j], 2); - _gnutls_handshake_log("\t%s\n", - _gnutls_cipher_suite_get_name(&cs)); - } - _gnutls_handshake_log("HSK[%x]: Supported cipher suites: \n", session); - for (j = 0; j < x; j++) - _gnutls_handshake_log("\t%s\n", - _gnutls_cipher_suite_get_name(&ciphers[j])); + _gnutls_handshake_log("HSK[%x]: Requested cipher suites: \n", session); + for (j = 0; j < datalen; j += 2) { + memcpy(&cs.suite, &data[j], 2); + _gnutls_handshake_log("\t%s\n", + _gnutls_cipher_suite_get_name(&cs)); + } + _gnutls_handshake_log("HSK[%x]: Supported cipher suites: \n", session); + for (j = 0; j < x; j++) + _gnutls_handshake_log("\t%s\n", + _gnutls_cipher_suite_get_name(&ciphers[j])); #endif - memset(session->security_parameters.current_cipher_suite.suite, '\0', 2); - - retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE; - - for (j = 0; j < datalen; j += 2) { - for (i = 0; i < x; i++) { - if (memcmp(ciphers[i].suite, &data[j], 2) == - 0) { - memcpy( &cs.suite, &data[j], 2); - - _gnutls_handshake_log("HSK[%x]: Selected cipher suite: %s\n", - session, _gnutls_cipher_suite_get_name(&cs)); - memcpy(session->security_parameters.current_cipher_suite.suite, ciphers[i].suite, 2); - retval = 0; - goto finish; - } - } - } - - finish: - gnutls_free(ciphers); - - if (retval != 0) { - gnutls_assert(); - return retval; - } - - /* check if the credentials (username, public key etc.) are ok - */ - if (_gnutls_get_kx_cred - (session, _gnutls_cipher_suite_get_kx_algo(&session->security_parameters. - current_cipher_suite), - &err) == NULL && err != 0) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + memset(session->security_parameters.current_cipher_suite.suite, '\0', + 2); + retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE; - /* set the mod_auth_st to the appropriate struct - * according to the KX algorithm. This is needed since all the - * handshake functions are read from there; - */ - session->internals.auth_struct = - _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); - if (session->internals.auth_struct == NULL) { + for (j = 0; j < datalen; j += 2) { + for (i = 0; i < x; i++) { + if (memcmp(ciphers[i].suite, &data[j], 2) == 0) { + memcpy(&cs.suite, &data[j], 2); _gnutls_handshake_log - ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n", session); - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + ("HSK[%x]: Selected cipher suite: %s\n", session, + _gnutls_cipher_suite_get_name(&cs)); + memcpy(session->security_parameters.current_cipher_suite. + suite, ciphers[i].suite, 2); + retval = 0; + goto finish; + } } + } - return 0; + finish: + gnutls_free(ciphers); + + if (retval != 0) { + gnutls_assert(); + return retval; + } + + /* check if the credentials (username, public key etc.) are ok + */ + if (_gnutls_get_kx_cred + (session, + _gnutls_cipher_suite_get_kx_algo(&session->security_parameters. + current_cipher_suite), + &err) == NULL && err != 0) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + + /* set the mod_auth_st to the appropriate struct + * according to the KX algorithm. This is needed since all the + * handshake functions are read from there; + */ + session->internals.auth_struct = + _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); + if (session->internals.auth_struct == NULL) { + + _gnutls_handshake_log + ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n", + session); + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + return 0; } /* This selects the best supported compression method from the ones provided */ -int _gnutls_server_select_comp_method(gnutls_session session, opaque * data, - int datalen) +int _gnutls_server_select_comp_method(gnutls_session session, + opaque * data, int datalen) { - int x, i, j; - uint8 *comps; + int x, i, j; + uint8 *comps; - x = _gnutls_supported_compression_methods(session, &comps); - if (x < 0) { - gnutls_assert(); - return x; - } + x = _gnutls_supported_compression_methods(session, &comps); + if (x < 0) { + gnutls_assert(); + return x; + } - memset( &session->internals.compression_method, 0, sizeof(gnutls_compression_method)); + memset(&session->internals.compression_method, 0, + sizeof(gnutls_compression_method)); - for (j = 0; j < datalen; j++) { - for (i = 0; i < x; i++) { - if (comps[i] == data[j]) { - gnutls_compression_method method = - _gnutls_compression_get_id(comps[i]); + for (j = 0; j < datalen; j++) { + for (i = 0; i < x; i++) { + if (comps[i] == data[j]) { + gnutls_compression_method method = + _gnutls_compression_get_id(comps[i]); - session->internals.compression_method = method; - gnutls_free(comps); + session->internals.compression_method = method; + gnutls_free(comps); - _gnutls_handshake_log("HSK[%x]: Selected Compression Method: %s\n", - session, gnutls_compression_get_name(session->internals. - compression_method)); + _gnutls_handshake_log + ("HSK[%x]: Selected Compression Method: %s\n", session, + gnutls_compression_get_name(session->internals. + compression_method)); - return 0; - } - } + return 0; + } } + } - /* we were not able to find a compatible compression - * algorithm - */ - gnutls_free(comps); - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + /* we were not able to find a compatible compression + * algorithm + */ + gnutls_free(comps); + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; } @@ -701,39 +725,43 @@ int _gnutls_server_select_comp_method(gnutls_session session, opaque * data, * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again * (until it returns ok), with NULL parameters. */ -int _gnutls_send_empty_handshake(gnutls_session session, HandshakeType type, - int again) +int _gnutls_send_empty_handshake(gnutls_session session, + HandshakeType type, int again) { - opaque data = 0; - opaque *ptr; + opaque data = 0; + opaque *ptr; - if (again == 0) - ptr = &data; - else - ptr = NULL; + if (again == 0) + ptr = &data; + else + ptr = NULL; - return _gnutls_send_handshake(session, ptr, 0, type); + return _gnutls_send_handshake(session, ptr, 0, type); } /* This function will hash the handshake message we sent. */ static -int _gnutls_handshake_hash_add_sent( gnutls_session session, HandshakeType type, - opaque* dataptr, uint32 datalen) { -int ret; +int _gnutls_handshake_hash_add_sent(gnutls_session session, + HandshakeType type, opaque * dataptr, + uint32 datalen) +{ + int ret; - if ( (ret=_gnutls_handshake_hash_pending( session)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_handshake_hash_pending(session)) < 0) { + gnutls_assert(); + return ret; + } - if ( type != GNUTLS_HELLO_REQUEST) { - _gnutls_hash( session->internals.handshake_mac_handle_sha, dataptr, datalen); - _gnutls_hash( session->internals.handshake_mac_handle_md5, dataptr, datalen); - } + if (type != GNUTLS_HELLO_REQUEST) { + _gnutls_hash(session->internals.handshake_mac_handle_sha, dataptr, + datalen); + _gnutls_hash(session->internals.handshake_mac_handle_md5, dataptr, + datalen); + } - return 0; + return 0; } @@ -745,62 +773,64 @@ int ret; int _gnutls_send_handshake(gnutls_session session, void *i_data, uint32 i_datasize, HandshakeType type) { - int ret; - uint8 *data; - uint32 datasize; - int pos = 0; - - if (i_data == NULL && i_datasize == 0) { - /* we are resuming a previously interrupted - * send. - */ - ret = _gnutls_handshake_io_write_flush(session); - return ret; + int ret; + uint8 *data; + uint32 datasize; + int pos = 0; + + if (i_data == NULL && i_datasize == 0) { + /* we are resuming a previously interrupted + * send. + */ + ret = _gnutls_handshake_io_write_flush(session); + return ret; - } + } - if (i_data == NULL && i_datasize > 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (i_data == NULL && i_datasize > 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* first run */ - datasize = i_datasize + HANDSHAKE_HEADER_SIZE; - data = gnutls_alloca(datasize); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + /* first run */ + datasize = i_datasize + HANDSHAKE_HEADER_SIZE; + data = gnutls_alloca(datasize); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - data[pos++] = (uint8) type; - _gnutls_write_uint24(i_datasize, &data[pos]); - pos += 3; + data[pos++] = (uint8) type; + _gnutls_write_uint24(i_datasize, &data[pos]); + pos += 3; - if (i_datasize > 0) - memcpy(&data[pos], i_data, i_datasize); + if (i_datasize > 0) + memcpy(&data[pos], i_data, i_datasize); - _gnutls_handshake_log("HSK[%x]: %s was send [%ld bytes]\n", - session, _gnutls_handshake2str(type), datasize); + _gnutls_handshake_log("HSK[%x]: %s was send [%ld bytes]\n", + session, _gnutls_handshake2str(type), datasize); - /* Here we keep the handshake messages in order to hash them... - */ - if ( type != GNUTLS_HELLO_REQUEST) - if ( (ret= _gnutls_handshake_hash_add_sent( session, type, data, datasize)) < 0) { - gnutls_assert(); - gnutls_afree(data); - return ret; - } + /* Here we keep the handshake messages in order to hash them... + */ + if (type != GNUTLS_HELLO_REQUEST) + if ((ret = + _gnutls_handshake_hash_add_sent(session, type, data, + datasize)) < 0) { + gnutls_assert(); + gnutls_afree(data); + return ret; + } - session->internals.last_handshake_out = type; + session->internals.last_handshake_out = type; - ret = - _gnutls_handshake_io_send_int(session, GNUTLS_HANDSHAKE, type, - data, datasize); + ret = + _gnutls_handshake_io_send_int(session, GNUTLS_HANDSHAKE, type, + data, datasize); - gnutls_afree(data); + gnutls_afree(data); - return ret; + return ret; } /* This function will read the handshake header and return it to the caller. If the @@ -814,127 +844,117 @@ static int _gnutls_recv_handshake_header(gnutls_session session, HandshakeType type, HandshakeType * recv_type) { - int ret; - uint32 length32 = 0; - uint8 *dataptr = NULL; /* for realloc */ - size_t handshake_header_size = HANDSHAKE_HEADER_SIZE; - - /* if we have data into the buffer then return them, do not read the next packet. - * In order to return we need a full TLS handshake header, or in case of a version 2 - * packet, then we return the first byte. - */ - if (session->internals.handshake_header_buffer.header_size == - handshake_header_size || (session->internals.v2_hello != 0 - && type == GNUTLS_CLIENT_HELLO - && session->internals. - handshake_header_buffer. - packet_length > 0)) { - - *recv_type = - session->internals.handshake_header_buffer. - recv_type; - - return session->internals.handshake_header_buffer. - packet_length; - } - - /* Note: SSL2_HEADERS == 1 */ + int ret; + uint32 length32 = 0; + uint8 *dataptr = NULL; /* for realloc */ + size_t handshake_header_size = HANDSHAKE_HEADER_SIZE; + + /* if we have data into the buffer then return them, do not read the next packet. + * In order to return we need a full TLS handshake header, or in case of a version 2 + * packet, then we return the first byte. + */ + if (session->internals.handshake_header_buffer.header_size == + handshake_header_size || (session->internals.v2_hello != 0 + && type == GNUTLS_CLIENT_HELLO + && session->internals. + handshake_header_buffer. + packet_length > 0)) { + + *recv_type = session->internals.handshake_header_buffer.recv_type; + + return session->internals.handshake_header_buffer.packet_length; + } + + /* Note: SSL2_HEADERS == 1 */ + + dataptr = session->internals.handshake_header_buffer.header; + + /* If we haven't already read the handshake headers. + */ + if (session->internals.handshake_header_buffer.header_size < + SSL2_HEADERS) { + ret = + _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, + type, dataptr, SSL2_HEADERS); - dataptr = session->internals.handshake_header_buffer.header; + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* If we haven't already read the handshake headers. + /* The case ret==0 is caught here. */ - if (session->internals.handshake_header_buffer.header_size < - SSL2_HEADERS) { - ret = - _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, - type, dataptr, - SSL2_HEADERS); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* The case ret==0 is caught here. - */ - if (ret != SSL2_HEADERS) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - session->internals.handshake_header_buffer. - header_size = SSL2_HEADERS; + if (ret != SSL2_HEADERS) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } + session->internals.handshake_header_buffer. + header_size = SSL2_HEADERS; + } - if (session->internals.v2_hello == 0 - || type != GNUTLS_CLIENT_HELLO) { - ret = - _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, - type, - &dataptr[session-> - internals. - handshake_header_buffer. - header_size], - HANDSHAKE_HEADER_SIZE - - session->internals. - handshake_header_buffer. - header_size); - if (ret <= 0) { - gnutls_assert(); - return (ret < - 0) ? ret : - GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - if ((size_t)ret != - HANDSHAKE_HEADER_SIZE - - session->internals.handshake_header_buffer. - header_size) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - *recv_type = dataptr[0]; - - /* we do not use DECR_LEN because we know - * that the packet has enough data. - */ - length32 = _gnutls_read_uint24(&dataptr[1]); - handshake_header_size = HANDSHAKE_HEADER_SIZE; + if (session->internals.v2_hello == 0 || type != GNUTLS_CLIENT_HELLO) { + ret = + _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, + type, + &dataptr[session-> + internals. + handshake_header_buffer. + header_size], + HANDSHAKE_HEADER_SIZE - + session->internals. + handshake_header_buffer. + header_size); + if (ret <= 0) { + gnutls_assert(); + return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + if ((size_t) ret != + HANDSHAKE_HEADER_SIZE - + session->internals.handshake_header_buffer.header_size) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + *recv_type = dataptr[0]; + + /* we do not use DECR_LEN because we know + * that the packet has enough data. + */ + length32 = _gnutls_read_uint24(&dataptr[1]); + handshake_header_size = HANDSHAKE_HEADER_SIZE; - _gnutls_handshake_log("HSK[%x]: %s was received [%ld bytes]\n", - session, _gnutls_handshake2str(dataptr[0]), - length32 + HANDSHAKE_HEADER_SIZE); + _gnutls_handshake_log("HSK[%x]: %s was received [%ld bytes]\n", + session, _gnutls_handshake2str(dataptr[0]), + length32 + HANDSHAKE_HEADER_SIZE); - } else { /* v2 hello */ - length32 = session->internals.v2_hello - SSL2_HEADERS; /* we've read the first byte */ + } else { /* v2 hello */ + length32 = session->internals.v2_hello - SSL2_HEADERS; /* we've read the first byte */ - handshake_header_size = SSL2_HEADERS; /* we've already read one byte */ + handshake_header_size = SSL2_HEADERS; /* we've already read one byte */ - *recv_type = dataptr[0]; + *recv_type = dataptr[0]; - _gnutls_handshake_log("HSK[%x]: %s(v2) was received [%ld bytes]\n", - session, _gnutls_handshake2str(*recv_type), - length32 + handshake_header_size); + _gnutls_handshake_log("HSK[%x]: %s(v2) was received [%ld bytes]\n", + session, _gnutls_handshake2str(*recv_type), + length32 + handshake_header_size); - if (*recv_type != GNUTLS_CLIENT_HELLO) { /* it should be one or nothing */ - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; - } + if (*recv_type != GNUTLS_CLIENT_HELLO) { /* it should be one or nothing */ + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; } + } - /* put the packet into the buffer */ - session->internals.handshake_header_buffer.header_size = - handshake_header_size; - session->internals.handshake_header_buffer.packet_length = - length32; - session->internals.handshake_header_buffer.recv_type = - *recv_type; + /* put the packet into the buffer */ + session->internals.handshake_header_buffer.header_size = + handshake_header_size; + session->internals.handshake_header_buffer.packet_length = length32; + session->internals.handshake_header_buffer.recv_type = *recv_type; - if (*recv_type != type) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; - } + if (*recv_type != type) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; + } - return length32; + return length32; } #define _gnutls_handshake_header_buffer_clear( session) session->internals.handshake_header_buffer.header_size = 0 @@ -945,40 +965,43 @@ static int _gnutls_recv_handshake_header(gnutls_session session, * handshake data. */ static -int _gnutls_handshake_hash_add_recvd( gnutls_session session, HandshakeType recv_type, - opaque* header, uint16 header_size, opaque* dataptr, uint32 datalen) { -int ret; +int _gnutls_handshake_hash_add_recvd(gnutls_session session, + HandshakeType recv_type, + opaque * header, uint16 header_size, + opaque * dataptr, uint32 datalen) +{ + int ret; - /* The idea here is to hash the previous message we received, - * and add the one we just received into the handshake_hash_buffer. - */ - - if ( (ret=_gnutls_handshake_hash_pending( session)) < 0) { - gnutls_assert(); - return ret; + /* The idea here is to hash the previous message we received, + * and add the one we just received into the handshake_hash_buffer. + */ + + if ((ret = _gnutls_handshake_hash_pending(session)) < 0) { + gnutls_assert(); + return ret; + } + + /* here we buffer the handshake messages - needed at Finished message */ + if (recv_type != GNUTLS_HELLO_REQUEST) { + + if ((ret = + _gnutls_handshake_buffer_put(session, + header, header_size)) < 0) { + gnutls_assert(); + return ret; } - - /* here we buffer the handshake messages - needed at Finished message */ - if ( recv_type != GNUTLS_HELLO_REQUEST) { - - if ((ret = - _gnutls_handshake_buffer_put(session, - header, header_size)) < 0) { - gnutls_assert(); - return ret; - } - if ( datalen > 0) { - if ((ret = - _gnutls_handshake_buffer_put(session, dataptr, - datalen)) < 0) { - gnutls_assert(); - return ret; - } - } + if (datalen > 0) { + if ((ret = + _gnutls_handshake_buffer_put(session, dataptr, + datalen)) < 0) { + gnutls_assert(); + return ret; + } } + } - return 0; + return 0; } @@ -991,118 +1014,121 @@ int _gnutls_recv_handshake(gnutls_session session, uint8 ** data, int *datalen, HandshakeType type, Optional optional) { - int ret; - uint32 length32 = 0; - opaque *dataptr = NULL; - HandshakeType recv_type; - - ret = _gnutls_recv_handshake_header(session, type, &recv_type); - if (ret < 0) { + int ret; + uint32 length32 = 0; + opaque *dataptr = NULL; + HandshakeType recv_type; - /* In SRP when expecting the server hello we may receive - * an alert instead. Do as the draft demands. - */ - if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED && - gnutls_alert_get( session) == GNUTLS_A_MISSING_SRP_USERNAME && - type == GNUTLS_SERVER_HELLO) - { - gnutls_assert(); - return GNUTLS_E_INT_HANDSHAKE_AGAIN; - } - - if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET - && optional == OPTIONAL_PACKET) { - if (datalen != NULL) - *datalen = 0; - if (data != NULL) - *data = NULL; - return 0; /* ok just ignore the packet */ - } - - return ret; - } + ret = _gnutls_recv_handshake_header(session, type, &recv_type); + if (ret < 0) { - session->internals.last_handshake_in = recv_type; - - length32 = ret; - - if (length32 > 0) - dataptr = gnutls_malloc(length32); - else if (recv_type != GNUTLS_SERVER_HELLO_DONE) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + /* In SRP when expecting the server hello we may receive + * an alert instead. Do as the draft demands. + */ + if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED && + gnutls_alert_get(session) == GNUTLS_A_MISSING_SRP_USERNAME && + type == GNUTLS_SERVER_HELLO) { + gnutls_assert(); + return GNUTLS_E_INT_HANDSHAKE_AGAIN; } - if (dataptr == NULL && length32 > 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET + && optional == OPTIONAL_PACKET) { + if (datalen != NULL) + *datalen = 0; + if (data != NULL) + *data = NULL; + return 0; /* ok just ignore the packet */ } - if (datalen != NULL) - *datalen = length32; - - if (length32 > 0) { - ret = - _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, - type, dataptr, length32); - if (ret <= 0) { - gnutls_assert(); - gnutls_free(dataptr); - return (ret == - 0) ? GNUTLS_E_UNEXPECTED_PACKET_LENGTH : - ret; - } - } + return ret; + } - if (data != NULL && length32 > 0) - *data = dataptr; + session->internals.last_handshake_in = recv_type; + length32 = ret; - ret = _gnutls_handshake_hash_add_recvd( session, recv_type, - session->internals.handshake_header_buffer.header, - session->internals.handshake_header_buffer.header_size, - dataptr, length32); - if (ret < 0) { - gnutls_assert(); - _gnutls_handshake_header_buffer_clear(session); - return ret; - } + if (length32 > 0) + dataptr = gnutls_malloc(length32); + else if (recv_type != GNUTLS_SERVER_HELLO_DONE) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } - /* If we fail before this then we will reuse the handshake header - * have have received above. if we get here the we clear the handshake - * header we received. - */ - _gnutls_handshake_header_buffer_clear(session); + if (dataptr == NULL && length32 > 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - switch (recv_type) { - case GNUTLS_CLIENT_HELLO: - case GNUTLS_SERVER_HELLO: - ret = _gnutls_recv_hello(session, dataptr, length32); - /* dataptr is freed because the caller does not - * need it */ - gnutls_free(dataptr); - if (data!=NULL) *data = NULL; - break; - case GNUTLS_SERVER_HELLO_DONE: - if (length32==0) ret = 0; - else ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - break; - case GNUTLS_CERTIFICATE_PKT: - case GNUTLS_FINISHED: - case GNUTLS_SERVER_KEY_EXCHANGE: - case GNUTLS_CLIENT_KEY_EXCHANGE: - case GNUTLS_CERTIFICATE_REQUEST: - case GNUTLS_CERTIFICATE_VERIFY: - ret = length32; - break; - default: - gnutls_assert(); - gnutls_free(dataptr); - if (data!=NULL) *data = NULL; - ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; - } + if (datalen != NULL) + *datalen = length32; + if (length32 > 0) { + ret = + _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE, + type, dataptr, length32); + if (ret <= 0) { + gnutls_assert(); + gnutls_free(dataptr); + return (ret == 0) ? GNUTLS_E_UNEXPECTED_PACKET_LENGTH : ret; + } + } + + if (data != NULL && length32 > 0) + *data = dataptr; + + + ret = _gnutls_handshake_hash_add_recvd(session, recv_type, + session->internals. + handshake_header_buffer.header, + session->internals. + handshake_header_buffer. + header_size, dataptr, length32); + if (ret < 0) { + gnutls_assert(); + _gnutls_handshake_header_buffer_clear(session); return ret; + } + + /* If we fail before this then we will reuse the handshake header + * have have received above. if we get here the we clear the handshake + * header we received. + */ + _gnutls_handshake_header_buffer_clear(session); + + switch (recv_type) { + case GNUTLS_CLIENT_HELLO: + case GNUTLS_SERVER_HELLO: + ret = _gnutls_recv_hello(session, dataptr, length32); + /* dataptr is freed because the caller does not + * need it */ + gnutls_free(dataptr); + if (data != NULL) + *data = NULL; + break; + case GNUTLS_SERVER_HELLO_DONE: + if (length32 == 0) + ret = 0; + else + ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + break; + case GNUTLS_CERTIFICATE_PKT: + case GNUTLS_FINISHED: + case GNUTLS_SERVER_KEY_EXCHANGE: + case GNUTLS_CLIENT_KEY_EXCHANGE: + case GNUTLS_CERTIFICATE_REQUEST: + case GNUTLS_CERTIFICATE_VERIFY: + ret = length32; + break; + default: + gnutls_assert(); + gnutls_free(dataptr); + if (data != NULL) + *data = NULL; + ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; + } + + return ret; } /* This function checks if the given cipher suite is supported, and sets it @@ -1111,72 +1137,75 @@ int _gnutls_recv_handshake(gnutls_session session, uint8 ** data, static int _gnutls_client_set_ciphersuite(gnutls_session session, opaque suite[2]) { - uint8 z; - cipher_suite_st *cipher_suites; - int cipher_suite_num; - int i, err; - - z = 1; - cipher_suite_num = _gnutls_supported_ciphersuites(session, &cipher_suites); - if (cipher_suite_num < 0) { - gnutls_assert(); - return cipher_suite_num; - } - - for (i = 0; i < cipher_suite_num; i++) { - if (memcmp(&cipher_suites[i], suite, 2) == 0) { - z = 0; break; - } - } - - gnutls_free(cipher_suites); + uint8 z; + cipher_suite_st *cipher_suites; + int cipher_suite_num; + int i, err; + + z = 1; + cipher_suite_num = + _gnutls_supported_ciphersuites(session, &cipher_suites); + if (cipher_suite_num < 0) { + gnutls_assert(); + return cipher_suite_num; + } - if (z != 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_CIPHER_SUITE; + for (i = 0; i < cipher_suite_num; i++) { + if (memcmp(&cipher_suites[i], suite, 2) == 0) { + z = 0; + break; } + } - memcpy(session->security_parameters. - current_cipher_suite.suite, suite, 2); - - _gnutls_handshake_log("HSK[%x]: Selected cipher suite: %s\n", session, - _gnutls_cipher_suite_get_name(&session-> - security_parameters. - current_cipher_suite)); + gnutls_free(cipher_suites); - - /* check if the credentials (username, public key etc.) are ok. - * Actually checks if they exist. - */ - if (_gnutls_get_kx_cred - (session, _gnutls_cipher_suite_get_kx_algo(&session-> - security_parameters. - current_cipher_suite), - &err) == NULL && err != 0) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + if (z != 0) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_CIPHER_SUITE; + } + + memcpy(session->security_parameters. + current_cipher_suite.suite, suite, 2); + + _gnutls_handshake_log("HSK[%x]: Selected cipher suite: %s\n", session, + _gnutls_cipher_suite_get_name(&session-> + security_parameters. + current_cipher_suite)); + + + /* check if the credentials (username, public key etc.) are ok. + * Actually checks if they exist. + */ + if (_gnutls_get_kx_cred + (session, _gnutls_cipher_suite_get_kx_algo(&session-> + security_parameters. + current_cipher_suite), + &err) == NULL && err != 0) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } - /* set the mod_auth_st to the appropriate struct - * according to the KX algorithm. This is needed since all the - * handshake functions are read from there; - */ - session->internals.auth_struct = - _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); + /* set the mod_auth_st to the appropriate struct + * according to the KX algorithm. This is needed since all the + * handshake functions are read from there; + */ + session->internals.auth_struct = + _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); - if (session->internals.auth_struct == NULL) { + if (session->internals.auth_struct == NULL) { - _gnutls_handshake_log - ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n", session); - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + _gnutls_handshake_log + ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n", + session); + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - return 0; + return 0; } /* This function sets the given comp method to the session. @@ -1184,35 +1213,36 @@ static int _gnutls_client_set_ciphersuite(gnutls_session session, static int _gnutls_client_set_comp_method(gnutls_session session, opaque comp_method) { - int comp_methods_num; - uint8 *compression_methods; - int i; + int comp_methods_num; + uint8 *compression_methods; + int i; - comp_methods_num = _gnutls_supported_compression_methods(session, - &compression_methods); - if ( comp_methods_num < 0) { - gnutls_assert(); - return comp_methods_num; - } - - for (i = 0; i < comp_methods_num; i++) { - if (compression_methods[i] == comp_method) { - comp_methods_num = 0; break; - } + comp_methods_num = _gnutls_supported_compression_methods(session, + &compression_methods); + if (comp_methods_num < 0) { + gnutls_assert(); + return comp_methods_num; + } + + for (i = 0; i < comp_methods_num; i++) { + if (compression_methods[i] == comp_method) { + comp_methods_num = 0; + break; } + } - gnutls_free(compression_methods); + gnutls_free(compression_methods); - if (comp_methods_num != 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } + if (comp_methods_num != 0) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } - session->internals.compression_method = - _gnutls_compression_get_id(comp_method); + session->internals.compression_method = + _gnutls_compression_get_id(comp_method); - return 0; + return 0; } /* This function returns 0 if we are resuming a session or -1 otherwise. @@ -1223,40 +1253,41 @@ static int _gnutls_client_check_if_resuming(gnutls_session session, opaque * session_id, int session_id_len) { -opaque buf[2*TLS_MAX_SESSION_ID_SIZE+1]; + opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1]; + + _gnutls_handshake_log("HSK[%x]: SessionID length: %d\n", session, + session_id_len); + _gnutls_handshake_log("HSK[%x]: SessionID: %s\n", session, + _gnutls_bin2hex(session_id, session_id_len, buf, + sizeof(buf))); + + if ((session->internals.resumed_security_parameters. + session_id_size > 0) + && memcmp(session_id, + session->internals. + resumed_security_parameters.session_id, + session_id_len) == 0) { + /* resume session */ + memcpy(session->internals. + resumed_security_parameters.server_random, + session->security_parameters.server_random, + TLS_RANDOM_SIZE); + memcpy(session->internals. + resumed_security_parameters.client_random, + session->security_parameters.client_random, + TLS_RANDOM_SIZE); + session->internals.resumed = RESUME_TRUE; /* we are resuming */ - _gnutls_handshake_log("HSK[%x]: SessionID length: %d\n", session, session_id_len); - _gnutls_handshake_log("HSK[%x]: SessionID: %s\n", session, - _gnutls_bin2hex(session_id, session_id_len, buf, sizeof(buf))); - - if ((session->internals.resumed_security_parameters. - session_id_size > 0) - && memcmp(session_id, - session->internals. - resumed_security_parameters.session_id, - session_id_len) == 0) { - /* resume session */ - memcpy(session->internals. - resumed_security_parameters.server_random, - session->security_parameters.server_random, - TLS_RANDOM_SIZE); - memcpy(session->internals. - resumed_security_parameters.client_random, - session->security_parameters.client_random, - TLS_RANDOM_SIZE); - session->internals.resumed = RESUME_TRUE; /* we are resuming */ + return 0; + } else { + /* keep the new session id */ + session->internals.resumed = RESUME_FALSE; /* we are not resuming */ + session->security_parameters.session_id_size = session_id_len; + memcpy(session->security_parameters.session_id, + session_id, session_id_len); - return 0; - } else { - /* keep the new session id */ - session->internals.resumed = RESUME_FALSE; /* we are not resuming */ - session->security_parameters.session_id_size = - session_id_len; - memcpy(session->security_parameters.session_id, - session_id, session_id_len); - - return -1; - } + return -1; + } } @@ -1264,94 +1295,94 @@ opaque buf[2*TLS_MAX_SESSION_ID_SIZE+1]; * This function also restores resumed parameters if we are resuming a * session. */ -static int _gnutls_read_server_hello(gnutls_session session, opaque *data, +static int _gnutls_read_server_hello(gnutls_session session, opaque * data, int datalen) { - uint8 session_id_len = 0; - int pos = 0; - int ret = 0; - gnutls_protocol_version version; - int len = datalen; + uint8 session_id_len = 0; + int pos = 0; + int ret = 0; + gnutls_protocol_version version; + int len = datalen; - if (datalen < 38) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + if (datalen < 38) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } - _gnutls_handshake_log("HSK[%x]: Server's version: %d.%d\n", - session, data[pos], data[pos + 1]); + _gnutls_handshake_log("HSK[%x]: Server's version: %d.%d\n", + session, data[pos], data[pos + 1]); - DECR_LEN(len, 2); - version = _gnutls_version_get(data[pos], data[pos + 1]); - if (_gnutls_version_is_supported(session, version) == 0) { - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; - } else { - _gnutls_set_current_version(session, version); - } + DECR_LEN(len, 2); + version = _gnutls_version_get(data[pos], data[pos + 1]); + if (_gnutls_version_is_supported(session, version) == 0) { + gnutls_assert(); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + } else { + _gnutls_set_current_version(session, version); + } - pos += 2; + pos += 2; - DECR_LEN(len, TLS_RANDOM_SIZE); - _gnutls_set_server_random(session, &data[pos]); - pos += TLS_RANDOM_SIZE; + DECR_LEN(len, TLS_RANDOM_SIZE); + _gnutls_set_server_random(session, &data[pos]); + pos += TLS_RANDOM_SIZE; - /* Read session ID - */ - DECR_LEN(len, 1); - session_id_len = data[pos++]; + /* Read session ID + */ + DECR_LEN(len, 1); + session_id_len = data[pos++]; - if (len < session_id_len) { - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; - } - DECR_LEN(len, session_id_len); + if (len < session_id_len) { + gnutls_assert(); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + } + DECR_LEN(len, session_id_len); - /* check if we are resuming and set the appropriate - * values; - */ - if (_gnutls_client_check_if_resuming - (session, &data[pos], session_id_len) == 0) - return 0; - pos += session_id_len; + /* check if we are resuming and set the appropriate + * values; + */ + if (_gnutls_client_check_if_resuming + (session, &data[pos], session_id_len) == 0) + return 0; + pos += session_id_len; - /* Check if the given cipher suite is supported and copy - * it to the session. - */ + /* Check if the given cipher suite is supported and copy + * it to the session. + */ - DECR_LEN(len, 2); - ret = _gnutls_client_set_ciphersuite(session, &data[pos]); - if (ret < 0) { - gnutls_assert(); - return ret; - } - pos += 2; + DECR_LEN(len, 2); + ret = _gnutls_client_set_ciphersuite(session, &data[pos]); + if (ret < 0) { + gnutls_assert(); + return ret; + } + pos += 2; - /* move to compression - */ - DECR_LEN(len, 1); + /* move to compression + */ + DECR_LEN(len, 1); - ret = _gnutls_client_set_comp_method(session, data[pos++]); - if (ret < 0) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; - } + ret = _gnutls_client_set_comp_method(session, data[pos++]); + if (ret < 0) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } - /* Parse extensions. - */ - if (version >= GNUTLS_TLS1) { - ret = _gnutls_parse_extensions(session, &data[pos], len); /* len is the rest of the parsed length */ - if (ret < 0) { - gnutls_assert(); - return ret; - } + /* Parse extensions. + */ + if (version >= GNUTLS_TLS1) { + ret = _gnutls_parse_extensions(session, &data[pos], len); /* len is the rest of the parsed length */ + if (ret < 0) { + gnutls_assert(); + return ret; } - return ret; + } + return ret; } @@ -1359,63 +1390,64 @@ static int _gnutls_read_server_hello(gnutls_session session, opaque *data, * Needed in client hello messages. Returns the new data length. */ static int _gnutls_copy_ciphersuites(gnutls_session session, - opaque * ret_data, size_t ret_data_size) + opaque * ret_data, + size_t ret_data_size) { - int ret, i; - cipher_suite_st *cipher_suites; - uint16 cipher_num; - int datalen, pos; + int ret, i; + cipher_suite_st *cipher_suites; + uint16 cipher_num; + int datalen, pos; - ret = _gnutls_supported_ciphersuites_sorted(session, &cipher_suites); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_supported_ciphersuites_sorted(session, &cipher_suites); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* Here we remove any ciphersuite that does not conform + * the certificate requested, or to the + * authentication requested (eg SRP). + */ + ret = + _gnutls_remove_unwanted_ciphersuites(session, &cipher_suites, + ret, -1); + if (ret < 0) { + gnutls_assert(); + gnutls_free(cipher_suites); + return ret; + } - /* Here we remove any ciphersuite that does not conform - * the certificate requested, or to the - * authentication requested (eg SRP). - */ - ret = - _gnutls_remove_unwanted_ciphersuites(session, &cipher_suites, - ret, -1); - if (ret < 0) { - gnutls_assert(); - gnutls_free(cipher_suites); - return ret; - } + /* If no cipher suites were enabled. + */ + if (ret == 0) { + gnutls_assert(); + gnutls_free(cipher_suites); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } - /* If no cipher suites were enabled. - */ - if (ret == 0) { - gnutls_assert(); - gnutls_free(cipher_suites); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + cipher_num = ret; - cipher_num = ret; - - cipher_num *= sizeof(uint16); /* in order to get bytes */ - - datalen = pos = 0; + cipher_num *= sizeof(uint16); /* in order to get bytes */ - datalen += sizeof(uint16) + cipher_num; + datalen = pos = 0; - if ((size_t)datalen > ret_data_size) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - _gnutls_write_uint16(cipher_num, ret_data); - pos += 2; + datalen += sizeof(uint16) + cipher_num; - for (i = 0; i < (cipher_num / 2); i++) { - memcpy( &ret_data[pos], cipher_suites[i].suite, 2); - pos += 2; - } - gnutls_free(cipher_suites); + if ((size_t) datalen > ret_data_size) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + _gnutls_write_uint16(cipher_num, ret_data); + pos += 2; + + for (i = 0; i < (cipher_num / 2); i++) { + memcpy(&ret_data[pos], cipher_suites[i].suite, 2); + pos += 2; + } + gnutls_free(cipher_suites); - return datalen; + return datalen; } @@ -1423,39 +1455,40 @@ static int _gnutls_copy_ciphersuites(gnutls_session session, * Needed in hello messages. Returns the new data length. */ static int _gnutls_copy_comp_methods(gnutls_session session, - opaque * ret_data, size_t ret_data_size) + opaque * ret_data, + size_t ret_data_size) { - int ret, i; - uint8 *compression_methods, comp_num; - int datalen, pos; - - ret = - _gnutls_supported_compression_methods(session, - &compression_methods); - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret, i; + uint8 *compression_methods, comp_num; + int datalen, pos; + + ret = + _gnutls_supported_compression_methods(session, + &compression_methods); + if (ret < 0) { + gnutls_assert(); + return ret; + } - comp_num = ret; + comp_num = ret; - datalen = pos = 0; - datalen += comp_num + 1; + datalen = pos = 0; + datalen += comp_num + 1; - if ((size_t)datalen > ret_data_size) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if ((size_t) datalen > ret_data_size) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - ret_data[pos++] = comp_num; /* put the number of compression methods */ + ret_data[pos++] = comp_num; /* put the number of compression methods */ - for (i = 0; i < comp_num; i++) { - ret_data[pos++] = compression_methods[i]; - } + for (i = 0; i < comp_num; i++) { + ret_data[pos++] = compression_methods[i]; + } - gnutls_free(compression_methods); + gnutls_free(compression_methods); - return datalen; + return datalen; } /* This should be sufficient by now. It should hold all the extensions @@ -1467,312 +1500,313 @@ static int _gnutls_copy_comp_methods(gnutls_session session, */ static int _gnutls_send_client_hello(gnutls_session session, int again) { - opaque *data = NULL; - int extdatalen; - int pos = 0; - int datalen = 0, ret = 0; - opaque random[TLS_RANDOM_SIZE]; - gnutls_protocol_version hver; - opaque extdata[MAX_EXT_DATA_LENGTH]; - - opaque *SessionID = - session->internals.resumed_security_parameters.session_id; - uint8 session_id_len = - session->internals.resumed_security_parameters. - session_id_size; - - if (SessionID == NULL) session_id_len = 0; - else if (session_id_len == 0) SessionID = NULL; - - if (again == 0) { - - datalen = 2 + (session_id_len + 1) + TLS_RANDOM_SIZE; - /* 2 for version, (4 for unix time + 28 for random bytes==TLS_RANDOM_SIZE) - */ - - data = gnutls_malloc(datalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + opaque *data = NULL; + int extdatalen; + int pos = 0; + int datalen = 0, ret = 0; + opaque random[TLS_RANDOM_SIZE]; + gnutls_protocol_version hver; + opaque extdata[MAX_EXT_DATA_LENGTH]; + + opaque *SessionID = + session->internals.resumed_security_parameters.session_id; + uint8 session_id_len = + session->internals.resumed_security_parameters.session_id_size; + + if (SessionID == NULL) + session_id_len = 0; + else if (session_id_len == 0) + SessionID = NULL; + + if (again == 0) { + + datalen = 2 + (session_id_len + 1) + TLS_RANDOM_SIZE; + /* 2 for version, (4 for unix time + 28 for random bytes==TLS_RANDOM_SIZE) + */ - /* if we are resuming a session then we set the - * version number to the previously established. - */ - if (SessionID == NULL) - hver = _gnutls_version_max(session); - else { /* we are resuming a session */ - hver = - session->internals. - resumed_security_parameters.version; - } + data = gnutls_malloc(datalen); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0) { - gnutls_assert(); - gnutls_free(data); - return GNUTLS_E_INTERNAL_ERROR; - } + /* if we are resuming a session then we set the + * version number to the previously established. + */ + if (SessionID == NULL) + hver = _gnutls_version_max(session); + else { /* we are resuming a session */ + hver = session->internals.resumed_security_parameters.version; + } - data[pos++] = _gnutls_version_get_major(hver); - data[pos++] = _gnutls_version_get_minor(hver); - - /* Set the version we advertized as maximum - * (RSA uses it). - */ - _gnutls_set_adv_version( session, hver); - - /* Some old implementations do not interoperate if we send a - * different version in the record layer. - * It seems they prefer to read the record's version - * as the one we actually requested. - * The proper behaviour is to use the one in the client hello - * handshake packet and ignore the one in the packet's record - * header. - */ - _gnutls_set_current_version(session, hver); - - /* In order to know when this session was initiated. - */ - session->security_parameters.timestamp = time(NULL); - - /* Generate random data - */ - _gnutls_tls_create_random(random); - _gnutls_set_client_random(session, random); - - memcpy(&data[pos], random, TLS_RANDOM_SIZE); - pos += TLS_RANDOM_SIZE; - - /* Copy the Session ID - */ - data[pos++] = session_id_len; - - if (session_id_len > 0) { - memcpy(&data[pos], SessionID, session_id_len); - pos += session_id_len; - } + if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0) { + gnutls_assert(); + gnutls_free(data); + return GNUTLS_E_INTERNAL_ERROR; + } + data[pos++] = _gnutls_version_get_major(hver); + data[pos++] = _gnutls_version_get_minor(hver); - /* Copy the ciphersuites. - */ - extdatalen = _gnutls_copy_ciphersuites(session, extdata, sizeof(extdata)); - if (extdatalen > 0) { - datalen += extdatalen; - data = gnutls_realloc_fast(data, datalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy(&data[pos], extdata, extdatalen); - pos += extdatalen; - - } else { - if (extdatalen == 0) - extdatalen = GNUTLS_E_INTERNAL_ERROR; - gnutls_free(data); - gnutls_assert(); - return extdatalen; - } + /* Set the version we advertized as maximum + * (RSA uses it). + */ + _gnutls_set_adv_version(session, hver); + + /* Some old implementations do not interoperate if we send a + * different version in the record layer. + * It seems they prefer to read the record's version + * as the one we actually requested. + * The proper behaviour is to use the one in the client hello + * handshake packet and ignore the one in the packet's record + * header. + */ + _gnutls_set_current_version(session, hver); + + /* In order to know when this session was initiated. + */ + session->security_parameters.timestamp = time(NULL); + /* Generate random data + */ + _gnutls_tls_create_random(random); + _gnutls_set_client_random(session, random); - /* Copy the compression methods. - */ - extdatalen = _gnutls_copy_comp_methods(session, extdata, sizeof(extdata)); - if (extdatalen > 0) { - datalen += extdatalen; - data = gnutls_realloc_fast(data, datalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy(&data[pos], extdata, extdatalen); - pos += extdatalen; - - } else { - if (extdatalen == 0) - extdatalen = GNUTLS_E_INTERNAL_ERROR; - gnutls_free(data); - gnutls_assert(); - return extdatalen; - } + memcpy(&data[pos], random, TLS_RANDOM_SIZE); + pos += TLS_RANDOM_SIZE; + + /* Copy the Session ID + */ + data[pos++] = session_id_len; + + if (session_id_len > 0) { + memcpy(&data[pos], SessionID, session_id_len); + pos += session_id_len; + } + + + /* Copy the ciphersuites. + */ + extdatalen = + _gnutls_copy_ciphersuites(session, extdata, sizeof(extdata)); + if (extdatalen > 0) { + datalen += extdatalen; + data = gnutls_realloc_fast(data, datalen); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + memcpy(&data[pos], extdata, extdatalen); + pos += extdatalen; + + } else { + if (extdatalen == 0) + extdatalen = GNUTLS_E_INTERNAL_ERROR; + gnutls_free(data); + gnutls_assert(); + return extdatalen; + } + + + /* Copy the compression methods. + */ + extdatalen = + _gnutls_copy_comp_methods(session, extdata, sizeof(extdata)); + if (extdatalen > 0) { + datalen += extdatalen; + data = gnutls_realloc_fast(data, datalen); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - /* Generate and copy TLS extensions. - */ - if (hver >= GNUTLS_TLS1) { - extdatalen = _gnutls_gen_extensions(session, extdata, sizeof(extdata)); - - if (extdatalen > 0) { - datalen += extdatalen; - data = gnutls_realloc_fast(data, datalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy(&data[pos], extdata, extdatalen); - } else if (extdatalen < 0) { - gnutls_assert(); - gnutls_free(data); - return extdatalen; - } + memcpy(&data[pos], extdata, extdatalen); + pos += extdatalen; + + } else { + if (extdatalen == 0) + extdatalen = GNUTLS_E_INTERNAL_ERROR; + gnutls_free(data); + gnutls_assert(); + return extdatalen; + } + + /* Generate and copy TLS extensions. + */ + if (hver >= GNUTLS_TLS1) { + extdatalen = + _gnutls_gen_extensions(session, extdata, sizeof(extdata)); + + if (extdatalen > 0) { + datalen += extdatalen; + data = gnutls_realloc_fast(data, datalen); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + + memcpy(&data[pos], extdata, extdatalen); + } else if (extdatalen < 0) { + gnutls_assert(); + gnutls_free(data); + return extdatalen; + } } + } - ret = - _gnutls_send_handshake(session, data, datalen, - GNUTLS_CLIENT_HELLO); - gnutls_free(data); + ret = + _gnutls_send_handshake(session, data, datalen, + GNUTLS_CLIENT_HELLO); + gnutls_free(data); - return ret; + return ret; } static int _gnutls_send_server_hello(gnutls_session session, int again) { - opaque *data = NULL; - opaque extdata[MAX_EXT_DATA_LENGTH]; - int extdatalen; - int pos = 0; - int datalen, ret = 0; - uint8 comp; - opaque *SessionID = session->security_parameters.session_id; - uint8 session_id_len = session->security_parameters.session_id_size; - opaque buf[2*TLS_MAX_SESSION_ID_SIZE+1]; + opaque *data = NULL; + opaque extdata[MAX_EXT_DATA_LENGTH]; + int extdatalen; + int pos = 0; + int datalen, ret = 0; + uint8 comp; + opaque *SessionID = session->security_parameters.session_id; + uint8 session_id_len = session->security_parameters.session_id_size; + opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1]; + + if (SessionID == NULL) + session_id_len = 0; + + datalen = 0; + + if (IS_SRP_KX + (_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters.current_cipher_suite))) { + /* While resuming we cannot check the username extension since it is + * not available at this point. It will be copied on connection + * state activation. + */ + if (session->internals.resumed == RESUME_FALSE && + session->security_parameters.extensions.srp_username[0] == 0) { + /* The peer didn't send a valid SRP extension with the + * SRP username. The draft requires that we send an + * alert and start the handshake again. + */ + gnutls_assert(); + ret = gnutls_alert_send(session, GNUTLS_AL_WARNING, + GNUTLS_A_MISSING_SRP_USERNAME); + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (SessionID == NULL) - session_id_len = 0; - - datalen = 0; - - if (IS_SRP_KX( - _gnutls_cipher_suite_get_kx_algo( - &session->security_parameters.current_cipher_suite))) - { - /* While resuming we cannot check the username extension since it is - * not available at this point. It will be copied on connection - * state activation. - */ - if (session->internals.resumed == RESUME_FALSE && - session->security_parameters.extensions.srp_username[0] == 0) - { - /* The peer didn't send a valid SRP extension with the - * SRP username. The draft requires that we send an - * alert and start the handshake again. - */ - gnutls_assert(); - ret = gnutls_alert_send( session, GNUTLS_AL_WARNING, - GNUTLS_A_MISSING_SRP_USERNAME); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - return GNUTLS_E_INT_HANDSHAKE_AGAIN; - } + return GNUTLS_E_INT_HANDSHAKE_AGAIN; } + } - if (again == 0) { - datalen = 2 + session_id_len + 1 + TLS_RANDOM_SIZE + 3; - extdatalen = _gnutls_gen_extensions(session, extdata, sizeof(extdata)); + if (again == 0) { + datalen = 2 + session_id_len + 1 + TLS_RANDOM_SIZE + 3; + extdatalen = + _gnutls_gen_extensions(session, extdata, sizeof(extdata)); - if (extdatalen < 0) { - gnutls_assert(); - return extdatalen; - } + if (extdatalen < 0) { + gnutls_assert(); + return extdatalen; + } - data = gnutls_alloca(datalen + extdatalen); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + data = gnutls_alloca(datalen + extdatalen); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - data[pos++] = - _gnutls_version_get_major(session->security_parameters. - version); - data[pos++] = - _gnutls_version_get_minor(session->security_parameters. - version); - - memcpy(&data[pos], - session->security_parameters.server_random, - TLS_RANDOM_SIZE); - pos += TLS_RANDOM_SIZE; - - data[pos++] = session_id_len; - if (session_id_len > 0) { - memcpy(&data[pos], SessionID, session_id_len); - } - pos += session_id_len; + data[pos++] = + _gnutls_version_get_major(session->security_parameters. + version); + data[pos++] = + _gnutls_version_get_minor(session->security_parameters. + version); + + memcpy(&data[pos], + session->security_parameters.server_random, + TLS_RANDOM_SIZE); + pos += TLS_RANDOM_SIZE; + + data[pos++] = session_id_len; + if (session_id_len > 0) { + memcpy(&data[pos], SessionID, session_id_len); + } + pos += session_id_len; - _gnutls_handshake_log("HSK[%x]: SessionID: %s\n", session, - _gnutls_bin2hex(SessionID, session_id_len, buf, sizeof(buf))); + _gnutls_handshake_log("HSK[%x]: SessionID: %s\n", session, + _gnutls_bin2hex(SessionID, session_id_len, + buf, sizeof(buf))); - memcpy(&data[pos], - session->security_parameters. - current_cipher_suite.suite, 2); - pos += 2; + memcpy(&data[pos], + session->security_parameters.current_cipher_suite.suite, 2); + pos += 2; - comp = - (uint8) _gnutls_compression_get_num(session-> - internals. - compression_method); - data[pos++] = comp; + comp = + (uint8) _gnutls_compression_get_num(session-> + internals. + compression_method); + data[pos++] = comp; - if (extdatalen > 0) { - datalen += extdatalen; + if (extdatalen > 0) { + datalen += extdatalen; - memcpy(&data[pos], extdata, extdatalen); - } + memcpy(&data[pos], extdata, extdatalen); } + } - ret = - _gnutls_send_handshake(session, data, datalen, - GNUTLS_SERVER_HELLO); - gnutls_afree(data); + ret = + _gnutls_send_handshake(session, data, datalen, + GNUTLS_SERVER_HELLO); + gnutls_afree(data); - return ret; + return ret; } int _gnutls_send_hello(gnutls_session session, int again) { - int ret; + int ret; - if (session->security_parameters.entity == GNUTLS_CLIENT) { - ret = _gnutls_send_client_hello(session, again); + if (session->security_parameters.entity == GNUTLS_CLIENT) { + ret = _gnutls_send_client_hello(session, again); - } else { /* SERVER */ - ret = _gnutls_send_server_hello(session, again); - } + } else { /* SERVER */ + ret = _gnutls_send_server_hello(session, again); + } - return ret; + return ret; } /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a * hello message is expected. It uses the security_parameters.current_cipher_suite * and internals.compression_method. */ -int _gnutls_recv_hello(gnutls_session session, opaque *data, int datalen) +int _gnutls_recv_hello(gnutls_session session, opaque * data, int datalen) { - int ret; + int ret; - if (session->security_parameters.entity == GNUTLS_CLIENT) { - ret = _gnutls_read_server_hello(session, data, datalen); - if (ret < 0) { - gnutls_assert(); - return ret; - } - } else { /* Server side reading a client hello */ + if (session->security_parameters.entity == GNUTLS_CLIENT) { + ret = _gnutls_read_server_hello(session, data, datalen); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } else { /* Server side reading a client hello */ - ret = _gnutls_read_client_hello(session, data, datalen); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_read_client_hello(session, data, datalen); + if (ret < 0) { + gnutls_assert(); + return ret; } + } - return ret; + return ret; } /* The packets in gnutls_handshake (it's more broad than original TLS handshake) @@ -1821,64 +1855,67 @@ int _gnutls_recv_hello(gnutls_session session, opaque *data, int datalen) **/ int gnutls_rehandshake(gnutls_session session) { - int ret; + int ret; - /* only server sends that handshake packet */ - if (session->security_parameters.entity == GNUTLS_CLIENT) - return GNUTLS_E_INVALID_REQUEST; + /* only server sends that handshake packet */ + if (session->security_parameters.entity == GNUTLS_CLIENT) + return GNUTLS_E_INVALID_REQUEST; - ret = - _gnutls_send_empty_handshake(session, GNUTLS_HELLO_REQUEST, - AGAIN(STATE50)); - STATE = STATE50; + ret = + _gnutls_send_empty_handshake(session, GNUTLS_HELLO_REQUEST, + AGAIN(STATE50)); + STATE = STATE50; - if (ret < 0) { - gnutls_assert(); - return ret; - } - STATE = STATE0; + if (ret < 0) { + gnutls_assert(); + return ret; + } + STATE = STATE0; - return 0; + return 0; } -inline -static int _gnutls_abort_handshake( gnutls_session session, int ret) +inline static int _gnutls_abort_handshake(gnutls_session session, int ret) { - if ( ((ret==GNUTLS_E_WARNING_ALERT_RECEIVED) && - ( gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION)) - || ret==GNUTLS_E_GOT_APPLICATION_DATA) - return 0; + if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) && + (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION)) + || ret == GNUTLS_E_GOT_APPLICATION_DATA) + return 0; - /* this doesn't matter */ - return GNUTLS_E_INTERNAL_ERROR; + /* this doesn't matter */ + return GNUTLS_E_INTERNAL_ERROR; } /* This function initialized the handshake hash session. * required for finished messages. */ -inline -static int _gnutls_handshake_hash_init( gnutls_session session) { +inline static int _gnutls_handshake_hash_init(gnutls_session session) +{ - if ( session->internals.handshake_mac_handle_md5==NULL) { - session->internals.handshake_mac_handle_md5 = _gnutls_hash_init( GNUTLS_MAC_MD5); + if (session->internals.handshake_mac_handle_md5 == NULL) { + session->internals.handshake_mac_handle_md5 = + _gnutls_hash_init(GNUTLS_MAC_MD5); - if (session->internals.handshake_mac_handle_md5==GNUTLS_HASH_FAILED) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (session->internals.handshake_mac_handle_md5 == + GNUTLS_HASH_FAILED) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + } - if ( session->internals.handshake_mac_handle_sha==NULL) { - session->internals.handshake_mac_handle_sha = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (session->internals.handshake_mac_handle_sha==GNUTLS_HASH_FAILED) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (session->internals.handshake_mac_handle_sha == NULL) { + session->internals.handshake_mac_handle_sha = + _gnutls_hash_init(GNUTLS_MAC_SHA); + if (session->internals.handshake_mac_handle_sha == + GNUTLS_HASH_FAILED) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + } - return 0; -} + return 0; +} /** * gnutls_handshake - This is the main function in the handshake protocol. @@ -1906,43 +1943,43 @@ static int _gnutls_handshake_hash_init( gnutls_session session) { **/ int gnutls_handshake(gnutls_session session) { - int ret; + int ret; - if ( (ret=_gnutls_handshake_hash_init( session)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_handshake_hash_init(session)) < 0) { + gnutls_assert(); + return ret; + } + + if (session->security_parameters.entity == GNUTLS_CLIENT) { + ret = _gnutls_handshake_client(session); + } else { + ret = _gnutls_handshake_server(session); + } + if (ret < 0) { + /* In the case of a rehandshake abort + * we should reset the handshake's internal state. + */ + if (_gnutls_abort_handshake(session, ret) == 0) + STATE = STATE0; - if (session->security_parameters.entity == GNUTLS_CLIENT) { - ret = _gnutls_handshake_client(session); - } else { - ret = _gnutls_handshake_server(session); - } - if (ret < 0) { - /* In the case of a rehandshake abort - * we should reset the handshake's internal state. - */ - if (_gnutls_abort_handshake( session, ret) == 0) - STATE = STATE0; + return ret; + } - return ret; - } - - ret = _gnutls_handshake_common(session); + ret = _gnutls_handshake_common(session); - if (ret < 0) { - if (_gnutls_abort_handshake( session, ret) == 0) - STATE = STATE0; - - return ret; - } - - STATE = STATE0; + if (ret < 0) { + if (_gnutls_abort_handshake(session, ret) == 0) + STATE = STATE0; - _gnutls_handshake_io_buffer_clear(session); - _gnutls_handshake_internal_state_clear(session); + return ret; + } - return 0; + STATE = STATE0; + + _gnutls_handshake_io_buffer_clear(session); + _gnutls_handshake_internal_state_clear(session); + + return 0; } /* Here if GNUTLS_E_INT_HANDSHAKE_AGAIN is received we go to @@ -1975,162 +2012,154 @@ int gnutls_handshake(gnutls_session session) */ int _gnutls_handshake_client(gnutls_session session) { - int ret = 0; + int ret = 0; #ifdef HANDSHAKE_DEBUG - char buf[64]; - - if (session->internals.resumed_security_parameters. - session_id_size > 0) - _gnutls_handshake_log("HSK[%x]: Ask to resume: %s\n", session, - _gnutls_bin2hex(session->internals. - resumed_security_parameters. - session_id, - session->internals. - resumed_security_parameters. - session_id_size, buf, sizeof(buf))); + char buf[64]; + + if (session->internals.resumed_security_parameters.session_id_size > 0) + _gnutls_handshake_log("HSK[%x]: Ask to resume: %s\n", session, + _gnutls_bin2hex(session->internals. + resumed_security_parameters. + session_id, + session->internals. + resumed_security_parameters. + session_id_size, buf, + sizeof(buf))); #endif - restart: - - switch (STATE) { - case STATE0: - case STATE1: - ret = _gnutls_send_hello(session, AGAIN(STATE1)); - STATE = STATE1; - IMED_RET("send hello", ret); - - case STATE2: - /* receive the server hello */ - ret = - _gnutls_recv_handshake(session, NULL, NULL, - GNUTLS_SERVER_HELLO, - MANDATORY_PACKET); - STATE = STATE2; - IMED_RET("recv hello", ret); - - case STATE3: - /* RECV CERTIFICATE */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_server_certificate(session); - STATE = STATE3; - IMED_RET("recv server certificate", ret); - - case STATE4: - /* receive the server key exchange */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_server_kx_message(session); - STATE = STATE4; - IMED_RET("recv server kx message", ret); - - case STATE5: - /* receive the server certificate request - if any - */ - - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_recv_server_certificate_request(session); - STATE = STATE5; - IMED_RET("recv server certificate request message", ret); - - case STATE6: - /* receive the server hello done */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_recv_handshake(session, NULL, NULL, - GNUTLS_SERVER_HELLO_DONE, - MANDATORY_PACKET); - STATE = STATE6; - IMED_RET("recv server hello done", ret); - - case STATE7: - /* send our certificate - if any and if requested - */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_send_client_certificate(session, - AGAIN(STATE7)); - STATE = STATE7; - IMED_RET("send client certificate", ret); - - case STATE8: - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_send_client_kx_message(session, - AGAIN(STATE8)); - STATE = STATE8; - IMED_RET("send client kx", ret); - - case STATE9: - /* send client certificate verify */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_send_client_certificate_verify(session, - AGAIN - (STATE9)); - STATE = STATE9; - IMED_RET("send client certificate verify", ret); - - STATE = STATE0; - default: - break; - } + restart: + switch (STATE) { + case STATE0: + case STATE1: + ret = _gnutls_send_hello(session, AGAIN(STATE1)); + STATE = STATE1; + IMED_RET("send hello", ret); - return 0; + case STATE2: + /* receive the server hello */ + ret = + _gnutls_recv_handshake(session, NULL, NULL, + GNUTLS_SERVER_HELLO, MANDATORY_PACKET); + STATE = STATE2; + IMED_RET("recv hello", ret); + + case STATE3: + /* RECV CERTIFICATE */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_server_certificate(session); + STATE = STATE3; + IMED_RET("recv server certificate", ret); + + case STATE4: + /* receive the server key exchange */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_server_kx_message(session); + STATE = STATE4; + IMED_RET("recv server kx message", ret); + + case STATE5: + /* receive the server certificate request - if any + */ + + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_server_certificate_request(session); + STATE = STATE5; + IMED_RET("recv server certificate request message", ret); + + case STATE6: + /* receive the server hello done */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = + _gnutls_recv_handshake(session, NULL, NULL, + GNUTLS_SERVER_HELLO_DONE, + MANDATORY_PACKET); + STATE = STATE6; + IMED_RET("recv server hello done", ret); + + case STATE7: + /* send our certificate - if any and if requested + */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_send_client_certificate(session, AGAIN(STATE7)); + STATE = STATE7; + IMED_RET("send client certificate", ret); + + case STATE8: + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_send_client_kx_message(session, AGAIN(STATE8)); + STATE = STATE8; + IMED_RET("send client kx", ret); + + case STATE9: + /* send client certificate verify */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = + _gnutls_send_client_certificate_verify(session, + AGAIN(STATE9)); + STATE = STATE9; + IMED_RET("send client certificate verify", ret); + + STATE = STATE0; + default: + break; + } + + + return 0; } /* This function sends the final handshake packets and initializes connection */ static int _gnutls_send_handshake_final(gnutls_session session, int init) { - int ret = 0; - - /* Send the CHANGE CIPHER SPEC PACKET */ - - switch (STATE) { - case STATE0: - case STATE20: - ret = - _gnutls_send_change_cipher_spec(session, AGAIN(STATE20)); - STATE = STATE20; - if (ret < 0) { - ERR("send ChangeCipherSpec", ret); - gnutls_assert(); - return ret; - } + int ret = 0; - /* Initialize the connection session (start encryption) - in case of client - */ - if (init == TRUE) { - ret = _gnutls_connection_state_init(session); - if (ret < 0) { - gnutls_assert(); - return ret; - } - } + /* Send the CHANGE CIPHER SPEC PACKET */ - ret = _gnutls_write_connection_state_init(session); - if (ret < 0) { - gnutls_assert(); - return ret; - } + switch (STATE) { + case STATE0: + case STATE20: + ret = _gnutls_send_change_cipher_spec(session, AGAIN(STATE20)); + STATE = STATE20; + if (ret < 0) { + ERR("send ChangeCipherSpec", ret); + gnutls_assert(); + return ret; + } - case STATE21: - /* send the finished message */ - ret = _gnutls_send_finished(session, AGAIN(STATE21)); - STATE = STATE21; - if (ret < 0) { - ERR("send Finished", ret); - gnutls_assert(); - return ret; - } + /* Initialize the connection session (start encryption) - in case of client + */ + if (init == TRUE) { + ret = _gnutls_connection_state_init(session); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } - STATE = STATE0; - default: - break; + ret = _gnutls_write_connection_state_init(session); + if (ret < 0) { + gnutls_assert(); + return ret; } - return 0; + case STATE21: + /* send the finished message */ + ret = _gnutls_send_finished(session, AGAIN(STATE21)); + STATE = STATE21; + if (ret < 0) { + ERR("send Finished", ret); + gnutls_assert(); + return ret; + } + + STATE = STATE0; + default: + break; + } + + return 0; } /* This function receives the final handshake packets @@ -2139,54 +2168,52 @@ static int _gnutls_send_handshake_final(gnutls_session session, int init) */ static int _gnutls_recv_handshake_final(gnutls_session session, int init) { - int ret = 0; - uint8 ch; - - switch (STATE) { - case STATE0: - case STATE30: - ret = - _gnutls_recv_int(session, GNUTLS_CHANGE_CIPHER_SPEC, -1, - &ch, 1); - STATE = STATE30; - if (ret <= 0) { - ERR("recv ChangeCipherSpec", ret); - gnutls_assert(); - return (ret < - 0) ? ret : - GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + int ret = 0; + uint8 ch; - /* Initialize the connection session (start encryption) - in case of server */ - if (init == TRUE) { - ret = _gnutls_connection_state_init(session); - if (ret < 0) { - gnutls_assert(); - return ret; - } - } + switch (STATE) { + case STATE0: + case STATE30: + ret = + _gnutls_recv_int(session, GNUTLS_CHANGE_CIPHER_SPEC, -1, + &ch, 1); + STATE = STATE30; + if (ret <= 0) { + ERR("recv ChangeCipherSpec", ret); + gnutls_assert(); + return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + /* Initialize the connection session (start encryption) - in case of server */ + if (init == TRUE) { + ret = _gnutls_connection_state_init(session); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } - ret = _gnutls_read_connection_state_init(session); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_read_connection_state_init(session); + if (ret < 0) { + gnutls_assert(); + return ret; + } - case STATE31: - ret = _gnutls_recv_finished(session); - STATE = STATE31; - if (ret < 0) { - ERR("recv finished", ret); - gnutls_assert(); - return ret; - } - STATE = STATE0; - default: - break; + case STATE31: + ret = _gnutls_recv_finished(session); + STATE = STATE31; + if (ret < 0) { + ERR("recv finished", ret); + gnutls_assert(); + return ret; } + STATE = STATE0; + default: + break; + } - return 0; + return 0; } /* @@ -2196,236 +2223,231 @@ static int _gnutls_recv_handshake_final(gnutls_session session, int init) int _gnutls_handshake_server(gnutls_session session) { - int ret = 0; - - restart: - - switch (STATE) { - case STATE0: - case STATE1: - ret = - _gnutls_recv_handshake(session, NULL, NULL, - GNUTLS_CLIENT_HELLO, - MANDATORY_PACKET); - STATE = STATE1; - IMED_RET("recv hello", ret); - - case STATE2: - ret = _gnutls_send_hello(session, AGAIN(STATE2)); - STATE = STATE2; - IMED_RET("send hello", ret); - - /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */ - case STATE3: - /* NOTE: these should not be send if we are resuming */ - - if (session->internals.resumed == RESUME_FALSE) - ret = - _gnutls_send_server_certificate(session, - AGAIN(STATE3)); - STATE = STATE3; - IMED_RET("send server certificate", ret); - - case STATE4: - /* send server key exchange (A) */ - if (session->internals.resumed == RESUME_FALSE) - ret = - _gnutls_send_server_kx_message(session, - AGAIN(STATE4)); - STATE = STATE4; - IMED_RET("send server kx", ret); - - case STATE5: - /* Send certificate request - if requested to */ - if (session->internals.resumed == RESUME_FALSE) - ret = - _gnutls_send_server_certificate_request(session, - AGAIN - (STATE5)); - STATE = STATE5; - IMED_RET("send server cert request", ret); - - case STATE6: - /* send the server hello done */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_send_empty_handshake(session, - GNUTLS_SERVER_HELLO_DONE, - AGAIN(STATE6)); - STATE = STATE6; - IMED_RET("send server hello done", ret); - - - /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */ - case STATE7: - /* receive the client certificate message */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_client_certificate(session); - STATE = STATE7; - IMED_RET("recv client certificate", ret); - - case STATE8: - /* receive the client key exchange message */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_recv_client_kx_message(session); - STATE = STATE8; - IMED_RET("recv client kx", ret); - - case STATE9: - /* receive the client certificate verify message */ - if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = - _gnutls_recv_client_certificate_verify_message - (session); - STATE = STATE9; - IMED_RET("recv client certificate verify", ret); - - STATE = STATE0; /* finished thus clear session */ - default: - break; - } + int ret = 0; - return 0; + restart: + + switch (STATE) { + case STATE0: + case STATE1: + ret = + _gnutls_recv_handshake(session, NULL, NULL, + GNUTLS_CLIENT_HELLO, MANDATORY_PACKET); + STATE = STATE1; + IMED_RET("recv hello", ret); + + case STATE2: + ret = _gnutls_send_hello(session, AGAIN(STATE2)); + STATE = STATE2; + IMED_RET("send hello", ret); + + /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */ + case STATE3: + /* NOTE: these should not be send if we are resuming */ + + if (session->internals.resumed == RESUME_FALSE) + ret = _gnutls_send_server_certificate(session, AGAIN(STATE3)); + STATE = STATE3; + IMED_RET("send server certificate", ret); + + case STATE4: + /* send server key exchange (A) */ + if (session->internals.resumed == RESUME_FALSE) + ret = _gnutls_send_server_kx_message(session, AGAIN(STATE4)); + STATE = STATE4; + IMED_RET("send server kx", ret); + + case STATE5: + /* Send certificate request - if requested to */ + if (session->internals.resumed == RESUME_FALSE) + ret = + _gnutls_send_server_certificate_request(session, + AGAIN(STATE5)); + STATE = STATE5; + IMED_RET("send server cert request", ret); + + case STATE6: + /* send the server hello done */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = + _gnutls_send_empty_handshake(session, + GNUTLS_SERVER_HELLO_DONE, + AGAIN(STATE6)); + STATE = STATE6; + IMED_RET("send server hello done", ret); + + + /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */ + case STATE7: + /* receive the client certificate message */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_client_certificate(session); + STATE = STATE7; + IMED_RET("recv client certificate", ret); + + case STATE8: + /* receive the client key exchange message */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_client_kx_message(session); + STATE = STATE8; + IMED_RET("recv client kx", ret); + + case STATE9: + /* receive the client certificate verify message */ + if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ + ret = _gnutls_recv_client_certificate_verify_message(session); + STATE = STATE9; + IMED_RET("recv client certificate verify", ret); + + STATE = STATE0; /* finished thus clear session */ + default: + break; + } + + return 0; } int _gnutls_handshake_common(gnutls_session session) { - int ret = 0; + int ret = 0; - restart: + restart: - /* send and recv the change cipher spec and finished messages */ - if ((session->internals.resumed == RESUME_TRUE - && session->security_parameters.entity == GNUTLS_CLIENT) - || (session->internals.resumed == RESUME_FALSE - && session->security_parameters.entity == GNUTLS_SERVER)) { - /* if we are a client resuming - or we are a server not resuming */ + /* send and recv the change cipher spec and finished messages */ + if ((session->internals.resumed == RESUME_TRUE + && session->security_parameters.entity == GNUTLS_CLIENT) + || (session->internals.resumed == RESUME_FALSE + && session->security_parameters.entity == GNUTLS_SERVER)) { + /* if we are a client resuming - or we are a server not resuming */ - ret = _gnutls_recv_handshake_final(session, TRUE); - IMED_RET("recv handshake final", ret); + ret = _gnutls_recv_handshake_final(session, TRUE); + IMED_RET("recv handshake final", ret); - ret = _gnutls_send_handshake_final(session, FALSE); - IMED_RET("send handshake final", ret); - } else { /* if we are a client not resuming - or we are a server resuming */ + ret = _gnutls_send_handshake_final(session, FALSE); + IMED_RET("send handshake final", ret); + } else { /* if we are a client not resuming - or we are a server resuming */ - ret = _gnutls_send_handshake_final(session, TRUE); - IMED_RET("send handshake final 2", ret); + ret = _gnutls_send_handshake_final(session, TRUE); + IMED_RET("send handshake final 2", ret); - ret = _gnutls_recv_handshake_final(session, FALSE); - IMED_RET("recv handshake final 2", ret); - } + ret = _gnutls_recv_handshake_final(session, FALSE); + IMED_RET("recv handshake final 2", ret); + } - if (session->security_parameters.entity == GNUTLS_SERVER) { - /* in order to support session resuming */ - _gnutls_server_register_current_session(session); - } + if (session->security_parameters.entity == GNUTLS_SERVER) { + /* in order to support session resuming */ + _gnutls_server_register_current_session(session); + } - /* clear handshake buffer */ - _gnutls_handshake_hash_buffers_clear(session); - return ret; + /* clear handshake buffer */ + _gnutls_handshake_hash_buffers_clear(session); + return ret; } -int _gnutls_generate_session_id(opaque *session_id, uint8 * len) +int _gnutls_generate_session_id(opaque * session_id, uint8 * len) { - *len = TLS_MAX_SESSION_ID_SIZE; + *len = TLS_MAX_SESSION_ID_SIZE; - if (_gnutls_get_random(session_id, *len, GNUTLS_WEAK_RANDOM) < - 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (_gnutls_get_random(session_id, *len, GNUTLS_WEAK_RANDOM) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - return 0; + return 0; } int _gnutls_recv_hello_request(gnutls_session session, void *data, uint32 data_size) { - uint8 type; + uint8 type; - if (session->security_parameters.entity == GNUTLS_SERVER) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET; - } - if (data_size < 1) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - type = ((uint8 *) data)[0]; - if (type == GNUTLS_HELLO_REQUEST) - return GNUTLS_E_REHANDSHAKE; - else { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET; - } + if (session->security_parameters.entity == GNUTLS_SERVER) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET; + } + if (data_size < 1) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + type = ((uint8 *) data)[0]; + if (type == GNUTLS_HELLO_REQUEST) + return GNUTLS_E_REHANDSHAKE; + else { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET; + } } /* Returns 1 if the given KX has not the corresponding parameters * (DH or RSA) set up. Otherwise returns 0. */ -inline static int check_server_params( gnutls_session session, gnutls_kx_algorithm kx, - gnutls_kx_algorithm* alg, int alg_size) +inline static int check_server_params(gnutls_session session, + gnutls_kx_algorithm kx, + gnutls_kx_algorithm * alg, + int alg_size) { - int cred_type; - const gnutls_certificate_credentials x509_cred; - const gnutls_anon_server_credentials anon_cred; - gnutls_dh_params dh_params = NULL; - gnutls_rsa_params rsa_params = NULL; - int j, remove; - - cred_type = _gnutls_map_kx_get_cred( kx, 1); - - if (cred_type == GNUTLS_CRD_CERTIFICATE) { - x509_cred = - _gnutls_get_cred(session->key, cred_type, NULL); - - if (x509_cred != NULL) { - dh_params = _gnutls_certificate_get_dh_params(x509_cred, session); - rsa_params = _gnutls_certificate_get_rsa_params(x509_cred, session); - } + int cred_type; + const gnutls_certificate_credentials x509_cred; + const gnutls_anon_server_credentials anon_cred; + gnutls_dh_params dh_params = NULL; + gnutls_rsa_params rsa_params = NULL; + int j, remove; - /* Check also if the certificate supports the - * KX method. - */ - remove = 1; - for (j = 0; j < alg_size; j++) { - if (alg[j] == kx) { - remove = 0; - break; - } - } - - if (remove == 1) return 1; + cred_type = _gnutls_map_kx_get_cred(kx, 1); -#ifdef ENABLE_ANON - } else if ( cred_type == GNUTLS_CRD_ANON) { - anon_cred = - _gnutls_get_cred(session->key, cred_type, NULL); - - if (anon_cred != NULL) { - dh_params = _gnutls_anon_get_dh_params(anon_cred, session); - } -#endif - } else return 0; /* no need for params */ + if (cred_type == GNUTLS_CRD_CERTIFICATE) { + x509_cred = _gnutls_get_cred(session->key, cred_type, NULL); + if (x509_cred != NULL) { + dh_params = + _gnutls_certificate_get_dh_params(x509_cred, session); + rsa_params = + _gnutls_certificate_get_rsa_params(x509_cred, session); + } - /* If the key exchange method needs RSA or DH params, - * but they are not set then remove it. + /* Check also if the certificate supports the + * KX method. */ - if (_gnutls_kx_needs_rsa_params( kx) != 0) { - /* needs rsa params. */ - if (_gnutls_get_rsa_params( rsa_params)==NULL) - return 1; - } - - if (_gnutls_kx_needs_dh_params( kx) != 0) { - /* needs DH params. */ - if (_gnutls_get_dh_params( dh_params)==NULL) - return 1; + remove = 1; + for (j = 0; j < alg_size; j++) { + if (alg[j] == kx) { + remove = 0; + break; + } } - return 0; + if (remove == 1) + return 1; + +#ifdef ENABLE_ANON + } else if (cred_type == GNUTLS_CRD_ANON) { + anon_cred = _gnutls_get_cred(session->key, cred_type, NULL); + + if (anon_cred != NULL) { + dh_params = _gnutls_anon_get_dh_params(anon_cred, session); + } +#endif + } else + return 0; /* no need for params */ + + + /* If the key exchange method needs RSA or DH params, + * but they are not set then remove it. + */ + if (_gnutls_kx_needs_rsa_params(kx) != 0) { + /* needs rsa params. */ + if (_gnutls_get_rsa_params(rsa_params) == NULL) + return 1; + } + + if (_gnutls_kx_needs_dh_params(kx) != 0) { + /* needs DH params. */ + if (_gnutls_get_dh_params(dh_params) == NULL) + return 1; + } + + return 0; } /* This function will remove algorithms that are not supported by @@ -2437,103 +2459,107 @@ inline static int check_server_params( gnutls_session session, gnutls_kx_algorit */ int _gnutls_remove_unwanted_ciphersuites(gnutls_session session, cipher_suite_st ** - cipherSuites, int numCipherSuites, - gnutls_pk_algorithm requested_pk_algo) + cipherSuites, int numCipherSuites, + gnutls_pk_algorithm + requested_pk_algo) { - int ret = 0; - cipher_suite_st *newSuite, cs; - int newSuiteSize = 0, i, remove; - const gnutls_certificate_credentials x509_cred; - gnutls_kx_algorithm kx; - int server = session->security_parameters.entity==GNUTLS_SERVER?1:0; - gnutls_kx_algorithm *alg; - int alg_size; - - /* if we should use a specific certificate, - * we should remove all algorithms that are not supported - * by that certificate and are on the same authentication - * method (CERTIFICATE). - */ + int ret = 0; + cipher_suite_st *newSuite, cs; + int newSuiteSize = 0, i, remove; + const gnutls_certificate_credentials x509_cred; + gnutls_kx_algorithm kx; + int server = + session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0; + gnutls_kx_algorithm *alg; + int alg_size; + + /* if we should use a specific certificate, + * we should remove all algorithms that are not supported + * by that certificate and are on the same authentication + * method (CERTIFICATE). + */ + + x509_cred = + _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + + /* if x509_cred==NULL we should remove all X509 ciphersuites + */ + + if (session->security_parameters.entity == GNUTLS_SERVER + && x509_cred != NULL) { + ret = _gnutls_server_select_cert(session, requested_pk_algo); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } - x509_cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + /* get all the key exchange algorithms that are + * supported by the X509 certificate parameters. + */ + if ((ret = + _gnutls_selected_cert_supported_kx(session, &alg, + &alg_size)) < 0) { + gnutls_assert(); + return ret; + } - /* if x509_cred==NULL we should remove all X509 ciphersuites + newSuite = gnutls_malloc(numCipherSuites * sizeof(cipher_suite_st)); + if (newSuite == NULL) { + gnutls_assert(); + gnutls_free(alg); + return GNUTLS_E_MEMORY_ERROR; + } + + /* now removes ciphersuites based on the KX algorithm + */ + for (i = 0; i < numCipherSuites; i++) { + /* finds the key exchange algorithm in + * the ciphersuite */ + kx = _gnutls_cipher_suite_get_kx_algo(&(*cipherSuites)[i]); + remove = 0; - if (session->security_parameters.entity == GNUTLS_SERVER && x509_cred != NULL) { - ret = _gnutls_server_select_cert(session, requested_pk_algo); - if (ret < 0) { - gnutls_assert(); - return ret; - } - } - - /* get all the key exchange algorithms that are - * supported by the X509 certificate parameters. + /* if it is defined but had no credentials */ - if ((ret = - _gnutls_selected_cert_supported_kx(session, &alg, - &alg_size)) < 0) { - gnutls_assert(); - return ret; - } + if (_gnutls_get_kx_cred(session, kx, NULL) == NULL) { + remove = 1; + } else { + remove = 0; - newSuite = - gnutls_malloc(numCipherSuites * sizeof(cipher_suite_st)); - if (newSuite == NULL) { - gnutls_assert(); - gnutls_free(alg); - return GNUTLS_E_MEMORY_ERROR; + if (server) + remove = check_server_params(session, kx, alg, alg_size); } - /* now removes ciphersuites based on the KX algorithm - */ - for (i = 0; i < numCipherSuites; i++) { - /* finds the key exchange algorithm in - * the ciphersuite - */ - kx = _gnutls_cipher_suite_get_kx_algo(&(*cipherSuites)[i]); - remove = 0; - /* if it is defined but had no credentials - */ - if (_gnutls_get_kx_cred(session, kx, NULL) == NULL) { - remove = 1; - } else { - remove = 0; - if (server) - remove = check_server_params( session, kx, alg, alg_size); - } - - - - memcpy( &cs.suite, &(*cipherSuites)[i].suite, 2); + memcpy(&cs.suite, &(*cipherSuites)[i].suite, 2); - if (remove == 0) { + if (remove == 0) { - _gnutls_handshake_log("HSK[%x]: Keeping ciphersuite: %s\n", session, - _gnutls_cipher_suite_get_name(&cs)); + _gnutls_handshake_log("HSK[%x]: Keeping ciphersuite: %s\n", + session, + _gnutls_cipher_suite_get_name(&cs)); - memcpy(newSuite[newSuiteSize].suite, - (*cipherSuites)[i].suite, 2); - newSuiteSize++; - } else { - _gnutls_handshake_log("HSK[%x]: Removing ciphersuite: %s\n", session, - _gnutls_cipher_suite_get_name(&cs)); + memcpy(newSuite[newSuiteSize].suite, + (*cipherSuites)[i].suite, 2); + newSuiteSize++; + } else { + _gnutls_handshake_log("HSK[%x]: Removing ciphersuite: %s\n", + session, + _gnutls_cipher_suite_get_name(&cs)); - } } + } - gnutls_free(alg); - gnutls_free(*cipherSuites); - *cipherSuites = newSuite; + gnutls_free(alg); + gnutls_free(*cipherSuites); + *cipherSuites = newSuite; - ret = newSuiteSize; + ret = newSuiteSize; - return ret; + return ret; } @@ -2548,18 +2574,23 @@ int _gnutls_remove_unwanted_ciphersuites(gnutls_session session, * to set an upper limit. * **/ -void gnutls_handshake_set_max_packet_length(gnutls_session session, int max) +void gnutls_handshake_set_max_packet_length(gnutls_session session, + int max) { - session->internals.max_handshake_data_buffer_size = max; + session->internals.max_handshake_data_buffer_size = max; } -void _gnutls_set_adv_version( gnutls_session session, gnutls_protocol_version ver) { - set_adv_version( session, _gnutls_version_get_major(ver), _gnutls_version_get_minor(ver)); +void _gnutls_set_adv_version(gnutls_session session, + gnutls_protocol_version ver) +{ + set_adv_version(session, _gnutls_version_get_major(ver), + _gnutls_version_get_minor(ver)); } -gnutls_protocol_version _gnutls_get_adv_version( gnutls_session session) { - return _gnutls_version_get( _gnutls_get_adv_version_major( session), - _gnutls_get_adv_version_minor( session)); +gnutls_protocol_version _gnutls_get_adv_version(gnutls_session session) +{ + return _gnutls_version_get(_gnutls_get_adv_version_major(session), + _gnutls_get_adv_version_minor(session)); } /** @@ -2572,9 +2603,10 @@ gnutls_protocol_version _gnutls_get_adv_version( gnutls_session session) { * * Check gnutls.h for the available handshake descriptions. **/ -gnutls_handshake_description gnutls_handshake_get_last_in( gnutls_session session) +gnutls_handshake_description gnutls_handshake_get_last_in(gnutls_session + session) { - return session->internals.last_handshake_in; + return session->internals.last_handshake_in; } /** @@ -2588,8 +2620,8 @@ gnutls_handshake_description gnutls_handshake_get_last_in( gnutls_session sessio * Check gnutls.h for the available handshake descriptions. * **/ -gnutls_handshake_description gnutls_handshake_get_last_out( gnutls_session session) +gnutls_handshake_description gnutls_handshake_get_last_out(gnutls_session + session) { - return session->internals.last_handshake_out; + return session->internals.last_handshake_out; } - diff --git a/lib/gnutls_handshake.h b/lib/gnutls_handshake.h index 5a86c9be74..52bb61dc9d 100644 --- a/lib/gnutls_handshake.h +++ b/lib/gnutls_handshake.h @@ -20,24 +20,32 @@ typedef enum Optional { OPTIONAL_PACKET, MANDATORY_PACKET } Optional; -int _gnutls_send_handshake( gnutls_session session, void* i_data, uint32 i_datasize, HandshakeType type); -int gnutls_send_hello_request( gnutls_session session); -int _gnutls_recv_hello_request( gnutls_session session, void* data, uint32 data_size); -int _gnutls_send_hello( gnutls_session session, int again); -int _gnutls_recv_hello( gnutls_session session, opaque* data, int datalen); -int gnutls_handshake( gnutls_session session); -int _gnutls_recv_handshake( gnutls_session session, uint8**, int*, HandshakeType, Optional optional); -int _gnutls_generate_session_id( opaque* session_id, uint8* len); -int _gnutls_handshake_common( gnutls_session session); -int _gnutls_handshake_client( gnutls_session session); -int _gnutls_handshake_server( gnutls_session session); -void _gnutls_set_server_random( gnutls_session session, uint8* random); -void _gnutls_set_client_random( gnutls_session session, uint8* random); -int _gnutls_tls_create_random( opaque* dst); -int _gnutls_remove_unwanted_ciphersuites( gnutls_session session, cipher_suite_st ** cipherSuites, int numCipherSuites, gnutls_pk_algorithm); -void gnutls_handshake_set_max_packet_length( gnutls_session session, int max); -int _gnutls_find_pk_algos_in_ciphersuites( opaque* data, int datalen); -int _gnutls_server_select_suite(gnutls_session session, opaque *data, int datalen); +int _gnutls_send_handshake(gnutls_session session, void *i_data, + uint32 i_datasize, HandshakeType type); +int gnutls_send_hello_request(gnutls_session session); +int _gnutls_recv_hello_request(gnutls_session session, void *data, + uint32 data_size); +int _gnutls_send_hello(gnutls_session session, int again); +int _gnutls_recv_hello(gnutls_session session, opaque * data, int datalen); +int gnutls_handshake(gnutls_session session); +int _gnutls_recv_handshake(gnutls_session session, uint8 **, int *, + HandshakeType, Optional optional); +int _gnutls_generate_session_id(opaque * session_id, uint8 * len); +int _gnutls_handshake_common(gnutls_session session); +int _gnutls_handshake_client(gnutls_session session); +int _gnutls_handshake_server(gnutls_session session); +void _gnutls_set_server_random(gnutls_session session, uint8 * random); +void _gnutls_set_client_random(gnutls_session session, uint8 * random); +int _gnutls_tls_create_random(opaque * dst); +int _gnutls_remove_unwanted_ciphersuites(gnutls_session session, + cipher_suite_st ** cipherSuites, + int numCipherSuites, + gnutls_pk_algorithm); +void gnutls_handshake_set_max_packet_length(gnutls_session session, + int max); +int _gnutls_find_pk_algos_in_ciphersuites(opaque * data, int datalen); +int _gnutls_server_select_suite(gnutls_session session, opaque * data, + int datalen); #define STATE session->internals.handshake_state /* This returns true if we have got there diff --git a/lib/gnutls_hash_int.c b/lib/gnutls_hash_int.c index 7cecfa705c..af09e431e1 100644 --- a/lib/gnutls_hash_int.c +++ b/lib/gnutls_hash_int.c @@ -31,360 +31,365 @@ GNUTLS_HASH_HANDLE _gnutls_hash_init(gnutls_mac_algorithm algorithm) { - mac_hd_t ret; - gcry_error_t result; - - ret = gnutls_malloc(sizeof(mac_hd_t_INT)); - if (ret == NULL) { - gnutls_assert(); - return GNUTLS_HASH_FAILED; - } - - ret->algorithm = algorithm; - - switch (algorithm) { - case GNUTLS_MAC_SHA: - result = gcry_md_open( &ret->handle, GCRY_MD_SHA1, 0); - break; - case GNUTLS_MAC_MD5: - result = gcry_md_open( &ret->handle, GCRY_MD_MD5, 0); - break; - case GNUTLS_MAC_RMD160: - result = gcry_md_open( &ret->handle, GCRY_MD_RMD160, 0); - break; - default: - gnutls_assert(); - result = -1; - } - - if (result) { - gnutls_assert(); - gnutls_free(ret); - ret = GNUTLS_HASH_FAILED; - } - - return ret; + mac_hd_t ret; + gcry_error_t result; + + ret = gnutls_malloc(sizeof(mac_hd_t_INT)); + if (ret == NULL) { + gnutls_assert(); + return GNUTLS_HASH_FAILED; + } + + ret->algorithm = algorithm; + + switch (algorithm) { + case GNUTLS_MAC_SHA: + result = gcry_md_open(&ret->handle, GCRY_MD_SHA1, 0); + break; + case GNUTLS_MAC_MD5: + result = gcry_md_open(&ret->handle, GCRY_MD_MD5, 0); + break; + case GNUTLS_MAC_RMD160: + result = gcry_md_open(&ret->handle, GCRY_MD_RMD160, 0); + break; + default: + gnutls_assert(); + result = -1; + } + + if (result) { + gnutls_assert(); + gnutls_free(ret); + ret = GNUTLS_HASH_FAILED; + } + + return ret; } int _gnutls_hash_get_algo_len(gnutls_mac_algorithm algorithm) { - int ret; - - switch (algorithm) { - case GNUTLS_MAC_SHA: - ret = gcry_md_get_algo_dlen(GCRY_MD_SHA1); - break; - case GNUTLS_MAC_MD5: - ret = gcry_md_get_algo_dlen(GCRY_MD_MD5); - break; - case GNUTLS_MAC_RMD160: - ret = gcry_md_get_algo_dlen(GCRY_MD_RMD160); - break; - default: - ret = 0; break; - } - - return ret; + int ret; + + switch (algorithm) { + case GNUTLS_MAC_SHA: + ret = gcry_md_get_algo_dlen(GCRY_MD_SHA1); + break; + case GNUTLS_MAC_MD5: + ret = gcry_md_get_algo_dlen(GCRY_MD_MD5); + break; + case GNUTLS_MAC_RMD160: + ret = gcry_md_get_algo_dlen(GCRY_MD_RMD160); + break; + default: + ret = 0; + break; + } + + return ret; } -int _gnutls_hash(GNUTLS_HASH_HANDLE handle, const void *text, size_t textlen) +int _gnutls_hash(GNUTLS_HASH_HANDLE handle, const void *text, + size_t textlen) { - if (textlen > 0) - gcry_md_write(handle->handle, text, textlen); - return 0; + if (textlen > 0) + gcry_md_write(handle->handle, text, textlen); + return 0; } GNUTLS_HASH_HANDLE _gnutls_hash_copy(GNUTLS_HASH_HANDLE handle) { - GNUTLS_HASH_HANDLE ret; - gcry_error_t result; + GNUTLS_HASH_HANDLE ret; + gcry_error_t result; - ret = gnutls_malloc(sizeof(mac_hd_t_INT)); + ret = gnutls_malloc(sizeof(mac_hd_t_INT)); - if (ret == NULL) - return GNUTLS_HASH_FAILED; + if (ret == NULL) + return GNUTLS_HASH_FAILED; - ret->algorithm = handle->algorithm; - ret->key = NULL; /* it's a hash anyway */ - ret->keysize = 0; + ret->algorithm = handle->algorithm; + ret->key = NULL; /* it's a hash anyway */ + ret->keysize = 0; - result = gcry_md_copy( &ret->handle, handle->handle); + result = gcry_md_copy(&ret->handle, handle->handle); - if (result) { - gnutls_free(ret); - return GNUTLS_HASH_FAILED; - } + if (result) { + gnutls_free(ret); + return GNUTLS_HASH_FAILED; + } - return ret; + return ret; } void _gnutls_hash_deinit(GNUTLS_HASH_HANDLE handle, void *digest) { - opaque *mac; - int maclen; + opaque *mac; + int maclen; - maclen = _gnutls_hash_get_algo_len( handle->algorithm); + maclen = _gnutls_hash_get_algo_len(handle->algorithm); - gcry_md_final(handle->handle); - mac = gcry_md_read(handle->handle, 0); - if (digest != NULL) - memcpy(digest, mac, maclen); + gcry_md_final(handle->handle); + mac = gcry_md_read(handle->handle, 0); + if (digest != NULL) + memcpy(digest, mac, maclen); - gcry_md_close(handle->handle); + gcry_md_close(handle->handle); - gnutls_free(handle); + gnutls_free(handle); } mac_hd_t _gnutls_hmac_init(gnutls_mac_algorithm algorithm, - const void *key, int keylen) + const void *key, int keylen) { - mac_hd_t ret; - gcry_error_t result; - - ret = gnutls_malloc(sizeof(mac_hd_t_INT)); - if (ret == NULL) - return GNUTLS_MAC_FAILED; - - switch (algorithm) { - case GNUTLS_MAC_SHA: - result = gcry_md_open(&ret->handle, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); - break; - case GNUTLS_MAC_MD5: - result = gcry_md_open(&ret->handle, GCRY_MD_MD5, GCRY_MD_FLAG_HMAC); - break; - case GNUTLS_MAC_RMD160: - result = gcry_md_open(&ret->handle, GCRY_MD_RMD160, GCRY_MD_FLAG_HMAC); - break; - default: - result = -1; - } - - if (result) { - gnutls_free(ret); - ret = GNUTLS_MAC_FAILED; - } - - if (ret != GNUTLS_MAC_FAILED) { - gcry_md_setkey(ret->handle, key, keylen); + mac_hd_t ret; + gcry_error_t result; + + ret = gnutls_malloc(sizeof(mac_hd_t_INT)); + if (ret == NULL) + return GNUTLS_MAC_FAILED; + + switch (algorithm) { + case GNUTLS_MAC_SHA: + result = + gcry_md_open(&ret->handle, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); + break; + case GNUTLS_MAC_MD5: + result = + gcry_md_open(&ret->handle, GCRY_MD_MD5, GCRY_MD_FLAG_HMAC); + break; + case GNUTLS_MAC_RMD160: + result = + gcry_md_open(&ret->handle, GCRY_MD_RMD160, GCRY_MD_FLAG_HMAC); + break; + default: + result = -1; + } + + if (result) { + gnutls_free(ret); + ret = GNUTLS_MAC_FAILED; + } + + if (ret != GNUTLS_MAC_FAILED) { + gcry_md_setkey(ret->handle, key, keylen); - ret->algorithm = algorithm; - ret->key = key; - ret->keysize = keylen; - } + ret->algorithm = algorithm; + ret->key = key; + ret->keysize = keylen; + } - return ret; + return ret; } void _gnutls_hmac_deinit(mac_hd_t handle, void *digest) { - opaque *mac; - int maclen; + opaque *mac; + int maclen; - maclen = _gnutls_hash_get_algo_len( handle->algorithm); + maclen = _gnutls_hash_get_algo_len(handle->algorithm); - gcry_md_final(handle->handle); - mac = gcry_md_read(handle->handle, 0); + gcry_md_final(handle->handle); + mac = gcry_md_read(handle->handle, 0); - if (digest != NULL) - memcpy(digest, mac, maclen); + if (digest != NULL) + memcpy(digest, mac, maclen); - gcry_md_close(handle->handle); + gcry_md_close(handle->handle); - gnutls_free(handle); + gnutls_free(handle); } -inline static int get_padsize( gnutls_mac_algorithm algorithm) +inline static int get_padsize(gnutls_mac_algorithm algorithm) { - switch (algorithm) { - case GNUTLS_MAC_MD5: - return 48; - case GNUTLS_MAC_SHA: - return 40; - default: - return 0; - } + switch (algorithm) { + case GNUTLS_MAC_MD5: + return 48; + case GNUTLS_MAC_SHA: + return 40; + default: + return 0; + } } mac_hd_t _gnutls_mac_init_ssl3(gnutls_mac_algorithm algorithm, void *key, - int keylen) + int keylen) { - mac_hd_t ret; - opaque ipad[48]; - int padsize; - - padsize = get_padsize( algorithm); - if (padsize == 0) { - gnutls_assert(); - return GNUTLS_MAC_FAILED; - } + mac_hd_t ret; + opaque ipad[48]; + int padsize; - memset(ipad, 0x36, padsize); + padsize = get_padsize(algorithm); + if (padsize == 0) { + gnutls_assert(); + return GNUTLS_MAC_FAILED; + } - ret = _gnutls_hash_init(algorithm); - if (ret != GNUTLS_HASH_FAILED) { - ret->key = key; - ret->keysize = keylen; + memset(ipad, 0x36, padsize); - if (keylen > 0) - _gnutls_hash(ret, key, keylen); - _gnutls_hash(ret, ipad, padsize); - } + ret = _gnutls_hash_init(algorithm); + if (ret != GNUTLS_HASH_FAILED) { + ret->key = key; + ret->keysize = keylen; - return ret; + if (keylen > 0) + _gnutls_hash(ret, key, keylen); + _gnutls_hash(ret, ipad, padsize); + } + + return ret; } void _gnutls_mac_deinit_ssl3(mac_hd_t handle, void *digest) { - opaque ret[MAX_HASH_SIZE]; - mac_hd_t td; - opaque opad[48]; - int padsize; - int block; - - padsize = get_padsize( handle->algorithm); - if (padsize == 0) { - gnutls_assert(); - return; - } - - memset(opad, 0x5C, padsize); - - td = _gnutls_hash_init(handle->algorithm); - if (td != GNUTLS_MAC_FAILED) { - if (handle->keysize > 0) - _gnutls_hash(td, handle->key, handle->keysize); + opaque ret[MAX_HASH_SIZE]; + mac_hd_t td; + opaque opad[48]; + int padsize; + int block; + + padsize = get_padsize(handle->algorithm); + if (padsize == 0) { + gnutls_assert(); + return; + } + + memset(opad, 0x5C, padsize); + + td = _gnutls_hash_init(handle->algorithm); + if (td != GNUTLS_MAC_FAILED) { + if (handle->keysize > 0) + _gnutls_hash(td, handle->key, handle->keysize); + + _gnutls_hash(td, opad, padsize); + block = _gnutls_hmac_get_algo_len(handle->algorithm); + _gnutls_hash_deinit(handle, ret); /* get the previous hash */ + _gnutls_hash(td, ret, block); - _gnutls_hash(td, opad, padsize); - block = _gnutls_hmac_get_algo_len(handle->algorithm); - _gnutls_hash_deinit(handle, ret); /* get the previous hash */ - _gnutls_hash(td, ret, block); - - _gnutls_hash_deinit(td, digest); - } + _gnutls_hash_deinit(td, digest); + } } void _gnutls_mac_deinit_ssl3_handshake(mac_hd_t handle, void *digest, opaque * key, uint32 key_size) { - opaque ret[MAX_HASH_SIZE]; - mac_hd_t td; - opaque opad[48]; - opaque ipad[48]; - int padsize; - int block; - - padsize = get_padsize( handle->algorithm); - if (padsize == 0) { - gnutls_assert(); - return; - } + opaque ret[MAX_HASH_SIZE]; + mac_hd_t td; + opaque opad[48]; + opaque ipad[48]; + int padsize; + int block; - memset(opad, 0x5C, padsize); - memset(ipad, 0x36, padsize); + padsize = get_padsize(handle->algorithm); + if (padsize == 0) { + gnutls_assert(); + return; + } - td = _gnutls_hash_init(handle->algorithm); - if (td != GNUTLS_HASH_FAILED) { - if (key_size > 0) - _gnutls_hash(td, key, key_size); + memset(opad, 0x5C, padsize); + memset(ipad, 0x36, padsize); - _gnutls_hash(td, opad, padsize); - block = _gnutls_hmac_get_algo_len(handle->algorithm); + td = _gnutls_hash_init(handle->algorithm); + if (td != GNUTLS_HASH_FAILED) { + if (key_size > 0) + _gnutls_hash(td, key, key_size); - if (key_size > 0) - _gnutls_hash(handle, key, key_size); - _gnutls_hash(handle, ipad, padsize); - _gnutls_hash_deinit(handle, ret); /* get the previous hash */ + _gnutls_hash(td, opad, padsize); + block = _gnutls_hmac_get_algo_len(handle->algorithm); - _gnutls_hash(td, ret, block); + if (key_size > 0) + _gnutls_hash(handle, key, key_size); + _gnutls_hash(handle, ipad, padsize); + _gnutls_hash_deinit(handle, ret); /* get the previous hash */ - _gnutls_hash_deinit(td, digest); - } + _gnutls_hash(td, ret, block); + + _gnutls_hash_deinit(td, digest); + } } -static int ssl3_sha(int i, opaque *secret, int secret_len, opaque *random, - int random_len, void *digest) +static int ssl3_sha(int i, opaque * secret, int secret_len, + opaque * random, int random_len, void *digest) { - int j; - opaque text1[26]; + int j; + opaque text1[26]; - GNUTLS_HASH_HANDLE td; + GNUTLS_HASH_HANDLE td; - for (j = 0; j < i + 1; j++) { - text1[j] = 65 + i; /* A==65 */ - } + for (j = 0; j < i + 1; j++) { + text1[j] = 65 + i; /* A==65 */ + } - td = _gnutls_hash_init(GNUTLS_MAC_SHA); - if (td == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } + td = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (td == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - _gnutls_hash(td, text1, i + 1); - _gnutls_hash(td, secret, secret_len); - _gnutls_hash(td, random, random_len); + _gnutls_hash(td, text1, i + 1); + _gnutls_hash(td, secret, secret_len); + _gnutls_hash(td, random, random_len); - _gnutls_hash_deinit(td, digest); - return 0; + _gnutls_hash_deinit(td, digest); + return 0; } -static int ssl3_md5(int i, opaque *secret, int secret_len, opaque *random, - int random_len, void *digest) +static int ssl3_md5(int i, opaque * secret, int secret_len, + opaque * random, int random_len, void *digest) { - opaque tmp[MAX_HASH_SIZE]; - mac_hd_t td; - int ret; - - td = _gnutls_hash_init(GNUTLS_MAC_MD5); - if (td == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } + opaque tmp[MAX_HASH_SIZE]; + mac_hd_t td; + int ret; - _gnutls_hash(td, secret, secret_len); + td = _gnutls_hash_init(GNUTLS_MAC_MD5); + if (td == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - ret = ssl3_sha(i, secret, secret_len, random, random_len, tmp); - if (ret < 0) { - gnutls_assert(); - _gnutls_hash_deinit(td, digest); - return ret; - } - - _gnutls_hash(td, tmp, _gnutls_hash_get_algo_len(GNUTLS_MAC_SHA)); + _gnutls_hash(td, secret, secret_len); + ret = ssl3_sha(i, secret, secret_len, random, random_len, tmp); + if (ret < 0) { + gnutls_assert(); _gnutls_hash_deinit(td, digest); - return 0; + return ret; + } + + _gnutls_hash(td, tmp, _gnutls_hash_get_algo_len(GNUTLS_MAC_SHA)); + + _gnutls_hash_deinit(td, digest); + return 0; } int _gnutls_ssl3_hash_md5(void *first, int first_len, void *second, int second_len, int ret_len, opaque * ret) { - opaque digest[MAX_HASH_SIZE]; - mac_hd_t td; - int block = _gnutls_hash_get_algo_len(GNUTLS_MAC_MD5); - - td = _gnutls_hash_init(GNUTLS_MAC_MD5); - if (td == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } + opaque digest[MAX_HASH_SIZE]; + mac_hd_t td; + int block = _gnutls_hash_get_algo_len(GNUTLS_MAC_MD5); - _gnutls_hash(td, first, first_len); - _gnutls_hash(td, second, second_len); + td = _gnutls_hash_init(GNUTLS_MAC_MD5); + if (td == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - _gnutls_hash_deinit(td, digest); + _gnutls_hash(td, first, first_len); + _gnutls_hash(td, second, second_len); - if (ret_len > block) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + _gnutls_hash_deinit(td, digest); - memcpy(ret, digest, ret_len); + if (ret_len > block) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - return 0; + memcpy(ret, digest, ret_len); + + return 0; } @@ -392,37 +397,35 @@ int _gnutls_ssl3_generate_random(void *secret, int secret_len, void *random, int random_len, int ret_bytes, opaque * ret) { - int i = 0, copy, output_bytes; - opaque digest[MAX_HASH_SIZE]; - int block = _gnutls_hash_get_algo_len(GNUTLS_MAC_MD5); - int result, times; - - output_bytes = 0; - do { - output_bytes += block; - } while (output_bytes < ret_bytes); - - times = output_bytes / block; - - for (i = 0; i < times; i++) { - - result = - ssl3_md5(i, secret, secret_len, random, random_len, - digest); - if (result < 0) { - gnutls_assert(); - return result; - } - - if ((1 + i) * block < ret_bytes) { - copy = block; - } else { - copy = ret_bytes - (i) * block; - } - - memcpy(&ret[i * block], digest, copy); + int i = 0, copy, output_bytes; + opaque digest[MAX_HASH_SIZE]; + int block = _gnutls_hash_get_algo_len(GNUTLS_MAC_MD5); + int result, times; + + output_bytes = 0; + do { + output_bytes += block; + } while (output_bytes < ret_bytes); + + times = output_bytes / block; + + for (i = 0; i < times; i++) { + + result = + ssl3_md5(i, secret, secret_len, random, random_len, digest); + if (result < 0) { + gnutls_assert(); + return result; } - return 0; -} + if ((1 + i) * block < ret_bytes) { + copy = block; + } else { + copy = ret_bytes - (i) * block; + } + memcpy(&ret[i * block], digest, copy); + } + + return 0; +} diff --git a/lib/gnutls_hash_int.h b/lib/gnutls_hash_int.h index 15c7e19514..2e626c9f8e 100644 --- a/lib/gnutls_hash_int.h +++ b/lib/gnutls_hash_int.h @@ -26,36 +26,42 @@ /* for message digests */ typedef struct { - gcry_md_hd_t handle; - gnutls_mac_algorithm algorithm; - const void* key; - int keysize; + gcry_md_hd_t handle; + gnutls_mac_algorithm algorithm; + const void *key; + int keysize; } mac_hd_t_INT; -typedef mac_hd_t_INT* mac_hd_t; +typedef mac_hd_t_INT *mac_hd_t; typedef mac_hd_t GNUTLS_HASH_HANDLE; #define GNUTLS_HASH_FAILED NULL #define GNUTLS_MAC_FAILED NULL -mac_hd_t _gnutls_hmac_init( gnutls_mac_algorithm algorithm, const void* key, int keylen); +mac_hd_t _gnutls_hmac_init(gnutls_mac_algorithm algorithm, const void *key, + int keylen); #define _gnutls_hmac_get_algo_len _gnutls_hash_get_algo_len #define _gnutls_hmac _gnutls_hash -void _gnutls_hmac_deinit( mac_hd_t handle, void* digest); +void _gnutls_hmac_deinit(mac_hd_t handle, void *digest); -mac_hd_t _gnutls_mac_init_ssl3( gnutls_mac_algorithm algorithm, void* key, int keylen); -void _gnutls_mac_deinit_ssl3( mac_hd_t handle, void* digest); +mac_hd_t _gnutls_mac_init_ssl3(gnutls_mac_algorithm algorithm, void *key, + int keylen); +void _gnutls_mac_deinit_ssl3(mac_hd_t handle, void *digest); GNUTLS_HASH_HANDLE _gnutls_hash_init(gnutls_mac_algorithm algorithm); int _gnutls_hash_get_algo_len(gnutls_mac_algorithm algorithm); -int _gnutls_hash(GNUTLS_HASH_HANDLE handle, const void* text, size_t textlen); -void _gnutls_hash_deinit(GNUTLS_HASH_HANDLE handle, void* digest); +int _gnutls_hash(GNUTLS_HASH_HANDLE handle, const void *text, + size_t textlen); +void _gnutls_hash_deinit(GNUTLS_HASH_HANDLE handle, void *digest); -int _gnutls_ssl3_generate_random(void *secret, int secret_len, void *random, int random_len, int bytes, opaque* ret); -int _gnutls_ssl3_hash_md5(void *first, int first_len, - void *second, int second_len, int ret_len, opaque* ret); +int _gnutls_ssl3_generate_random(void *secret, int secret_len, + void *random, int random_len, int bytes, + opaque * ret); +int _gnutls_ssl3_hash_md5(void *first, int first_len, void *second, + int second_len, int ret_len, opaque * ret); -void _gnutls_mac_deinit_ssl3_handshake(mac_hd_t handle, void* digest, opaque* key, uint32 key_size); +void _gnutls_mac_deinit_ssl3_handshake(mac_hd_t handle, void *digest, + opaque * key, uint32 key_size); GNUTLS_HASH_HANDLE _gnutls_hash_copy(GNUTLS_HASH_HANDLE handle); -#endif /* GNUTLS_HASH_INT_H */ +#endif /* GNUTLS_HASH_INT_H */ diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index b9415b9c12..8f7e13dbc5 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -41,7 +41,7 @@ /* It might be a good idea to replace int with void* * here. */ -typedef void * gnutls_transport_ptr; +typedef void *gnutls_transport_ptr; #define MAX32 4294967295 #define MAX24 16777215 @@ -60,7 +60,7 @@ typedef void * gnutls_transport_ptr; */ #define MAX_HASH_SIZE 20 -#define MAX_LOG_SIZE 1024 /* maximum size of log message */ +#define MAX_LOG_SIZE 1024 /* maximum size of log message */ #define MAX_SRP_USERNAME 128 #define MAX_SERVER_NAME_SIZE 128 @@ -100,49 +100,60 @@ typedef void * gnutls_transport_ptr; #define DECR_LENGTH_COM(len, x, COM) do { len-=x; if (len<0) {gnutls_assert(); COM;} } while (0) typedef unsigned char opaque; -typedef struct { opaque pint[3]; } uint24; +typedef struct { + opaque pint[3]; +} uint24; typedef struct { - opaque * data; - unsigned int size; + opaque *data; + unsigned int size; } gnutls_datum; #include <gnutls_mpi.h> -typedef enum ChangeCipherSpecType { GNUTLS_TYPE_CHANGE_CIPHER_SPEC=1 } ChangeCipherSpecType; +typedef enum ChangeCipherSpecType { GNUTLS_TYPE_CHANGE_CIPHER_SPEC = + 1 } ChangeCipherSpecType; -typedef enum gnutls_certificate_status { - GNUTLS_CERT_INVALID=2, /* will be set if the certificate - * was not verified. - */ - GNUTLS_CERT_REVOKED=32, /* in X.509 this will be set only if CRLs are checked +typedef enum gnutls_certificate_status { + GNUTLS_CERT_INVALID = 2, /* will be set if the certificate + * was not verified. + */ + GNUTLS_CERT_REVOKED = 32, /* in X.509 this will be set only if CRLs are checked */ - /* Those are extra information about the verification - * process. Will be set only if the certificate was - * not verified. - */ - GNUTLS_CERT_SIGNER_NOT_FOUND=64, - GNUTLS_CERT_SIGNER_NOT_CA=128 + /* Those are extra information about the verification + * process. Will be set only if the certificate was + * not verified. + */ + GNUTLS_CERT_SIGNER_NOT_FOUND = 64, + GNUTLS_CERT_SIGNER_NOT_CA = 128 } gnutls_certificate_status; -typedef enum gnutls_certificate_request { GNUTLS_CERT_IGNORE, GNUTLS_CERT_REQUEST=1, GNUTLS_CERT_REQUIRE } gnutls_certificate_request; +typedef enum gnutls_certificate_request { GNUTLS_CERT_IGNORE, + GNUTLS_CERT_REQUEST = + 1, GNUTLS_CERT_REQUIRE } gnutls_certificate_request; -typedef enum gnutls_openpgp_key_status { GNUTLS_OPENPGP_KEY, - GNUTLS_OPENPGP_KEY_FINGERPRINT +typedef enum gnutls_openpgp_key_status { GNUTLS_OPENPGP_KEY, + GNUTLS_OPENPGP_KEY_FINGERPRINT } gnutls_openpgp_key_status; -typedef enum gnutls_close_request { GNUTLS_SHUT_RDWR=0, GNUTLS_SHUT_WR=1 } gnutls_close_request; +typedef enum gnutls_close_request { + GNUTLS_SHUT_RDWR = 0, GNUTLS_SHUT_WR = 1 +} gnutls_close_request; -typedef enum HandshakeState { STATE0=0, STATE1, STATE2, STATE3, STATE4, STATE5, - STATE6, STATE7, STATE8, STATE9, STATE20=20, STATE21, - STATE30=30, STATE31, STATE50=50, STATE60=60, STATE61, STATE62 } HandshakeState; +typedef enum HandshakeState { STATE0 = 0, STATE1, STATE2, + STATE3, STATE4, STATE5, + STATE6, STATE7, STATE8, STATE9, STATE20 = 20, STATE21, + STATE30 = 30, STATE31, STATE50 = 50, STATE60 = 60, STATE61, STATE62 +} HandshakeState; -typedef enum HandshakeType { GNUTLS_HELLO_REQUEST, GNUTLS_CLIENT_HELLO, GNUTLS_SERVER_HELLO, - GNUTLS_CERTIFICATE_PKT=11, GNUTLS_SERVER_KEY_EXCHANGE, - GNUTLS_CERTIFICATE_REQUEST, GNUTLS_SERVER_HELLO_DONE, - GNUTLS_CERTIFICATE_VERIFY, GNUTLS_CLIENT_KEY_EXCHANGE, - GNUTLS_FINISHED=20 } HandshakeType; +typedef enum HandshakeType { GNUTLS_HELLO_REQUEST, + GNUTLS_CLIENT_HELLO, GNUTLS_SERVER_HELLO, + GNUTLS_CERTIFICATE_PKT = 11, GNUTLS_SERVER_KEY_EXCHANGE, + GNUTLS_CERTIFICATE_REQUEST, GNUTLS_SERVER_HELLO_DONE, + GNUTLS_CERTIFICATE_VERIFY, GNUTLS_CLIENT_KEY_EXCHANGE, + GNUTLS_FINISHED = 20 +} HandshakeType; typedef HandshakeType gnutls_handshake_description; @@ -157,41 +168,49 @@ typedef HandshakeType gnutls_handshake_description; /* STATE */ -typedef enum gnutls_cipher_algorithm { GNUTLS_CIPHER_NULL=1, - GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_ARCFOUR_40, - - GNUTLS_CIPHER_RC2_40_CBC=90, GNUTLS_CIPHER_DES_CBC +typedef enum gnutls_cipher_algorithm { GNUTLS_CIPHER_NULL = 1, + GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_3DES_CBC, + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_CIPHER_ARCFOUR_40, + GNUTLS_CIPHER_RC2_40_CBC = 90, GNUTLS_CIPHER_DES_CBC } gnutls_cipher_algorithm; -typedef enum gnutls_kx_algorithm { GNUTLS_KX_RSA=1, GNUTLS_KX_DHE_DSS, - GNUTLS_KX_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP, - GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS +typedef enum gnutls_kx_algorithm { GNUTLS_KX_RSA = 1, GNUTLS_KX_DHE_DSS, + GNUTLS_KX_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP, + GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS } gnutls_kx_algorithm; -typedef enum gnutls_params_type { GNUTLS_PARAMS_RSA_EXPORT=1, - GNUTLS_PARAMS_DH +typedef enum gnutls_params_type { GNUTLS_PARAMS_RSA_EXPORT = 1, + GNUTLS_PARAMS_DH } gnutls_params_type; -typedef enum gnutls_mac_algorithm { GNUTLS_MAC_UNKNOWN=0, GNUTLS_MAC_NULL=1, -GNUTLS_MAC_MD5, GNUTLS_MAC_SHA, GNUTLS_MAC_RMD160 +typedef enum gnutls_mac_algorithm { GNUTLS_MAC_UNKNOWN = 0, + GNUTLS_MAC_NULL = 1, GNUTLS_MAC_MD5, GNUTLS_MAC_SHA, + GNUTLS_MAC_RMD160 } gnutls_mac_algorithm; typedef gnutls_mac_algorithm gnutls_digest_algorithm; -typedef enum gnutls_compression_method { GNUTLS_COMP_NULL=1, GNUTLS_COMP_DEFLATE, - GNUTLS_COMP_LZO +typedef enum gnutls_compression_method { + GNUTLS_COMP_NULL = 1, GNUTLS_COMP_DEFLATE, + GNUTLS_COMP_LZO } gnutls_compression_method; -typedef enum gnutls_connection_end { GNUTLS_SERVER=1, GNUTLS_CLIENT } gnutls_connection_end; +typedef enum gnutls_connection_end { + GNUTLS_SERVER = 1, GNUTLS_CLIENT +} gnutls_connection_end; -typedef enum extensions_t { GNUTLS_EXTENSION_SERVER_NAME=0, - GNUTLS_EXTENSION_MAX_RECORD_SIZE=1, GNUTLS_EXTENSION_SRP=6, - GNUTLS_EXTENSION_CERT_TYPE=7 +typedef enum extensions_t { GNUTLS_EXTENSION_SERVER_NAME = 0, + GNUTLS_EXTENSION_MAX_RECORD_SIZE = 1, GNUTLS_EXTENSION_SRP = 6, + GNUTLS_EXTENSION_CERT_TYPE = 7 } extensions_t; -typedef enum gnutls_credentials_type { GNUTLS_CRD_CERTIFICATE=1, GNUTLS_CRD_ANON, GNUTLS_CRD_SRP } gnutls_credentials_type; +typedef enum gnutls_credentials_type { + GNUTLS_CRD_CERTIFICATE = 1, GNUTLS_CRD_ANON, + GNUTLS_CRD_SRP +} gnutls_credentials_type; -typedef enum gnutls_certificate_type { GNUTLS_CRT_X509=1, GNUTLS_CRT_OPENPGP +typedef enum gnutls_certificate_type { + GNUTLS_CRT_X509 = 1, GNUTLS_CRT_OPENPGP } gnutls_certificate_type; typedef enum { CIPHER_STREAM, CIPHER_BLOCK } cipher_type_t; @@ -200,94 +219,102 @@ typedef enum valid_session_t { VALID_TRUE, VALID_FALSE } valid_session_t; typedef enum resumable_session_t { RESUME_TRUE, RESUME_FALSE } resumable_session_t; /* Record Protocol */ -typedef enum content_type_t { GNUTLS_CHANGE_CIPHER_SPEC=20, GNUTLS_ALERT, - GNUTLS_HANDSHAKE, GNUTLS_APPLICATION_DATA +typedef enum content_type_t { + GNUTLS_CHANGE_CIPHER_SPEC = 20, GNUTLS_ALERT, + GNUTLS_HANDSHAKE, GNUTLS_APPLICATION_DATA } content_type_t; -typedef enum gnutls_x509_crt_fmt { GNUTLS_X509_FMT_DER, - GNUTLS_X509_FMT_PEM } gnutls_x509_crt_fmt; +typedef enum gnutls_x509_crt_fmt { + GNUTLS_X509_FMT_DER, + GNUTLS_X509_FMT_PEM +} gnutls_x509_crt_fmt; -typedef enum gnutls_pk_algorithm { GNUTLS_PK_RSA = 1, GNUTLS_PK_DSA, - GNUTLS_PK_UNKNOWN = 0xff +typedef enum gnutls_pk_algorithm { + GNUTLS_PK_RSA = 1, GNUTLS_PK_DSA, + GNUTLS_PK_UNKNOWN = 0xff } gnutls_pk_algorithm; + #define GNUTLS_PK_ANY (gnutls_pk_algorithm)-1 #define GNUTLS_PK_NONE (gnutls_pk_algorithm)0 -typedef enum gnutls_sign_algorithm { GNUTLS_SIGN_RSA_SHA = 1, GNUTLS_SIGN_DSA_SHA, - GNUTLS_SIGN_RSA_MD5, GNUTLS_SIGN_RSA_MD2, - GNUTLS_SIGN_UNKNOWN = 0xff +typedef enum gnutls_sign_algorithm { + GNUTLS_SIGN_RSA_SHA = 1, GNUTLS_SIGN_DSA_SHA, + GNUTLS_SIGN_RSA_MD5, GNUTLS_SIGN_RSA_MD2, + GNUTLS_SIGN_UNKNOWN = 0xff } gnutls_sign_algorithm; /* STATE (stop) */ -typedef void (*LOG_FUNC)( int, const char*); +typedef void (*LOG_FUNC) (int, const char *); /* Pull & Push functions defines: */ -typedef ssize_t (*gnutls_pull_func)(gnutls_transport_ptr, void*, size_t); -typedef ssize_t (*gnutls_push_func)(gnutls_transport_ptr, const void*, size_t); +typedef ssize_t(*gnutls_pull_func) (gnutls_transport_ptr, void *, size_t); +typedef ssize_t(*gnutls_push_func) (gnutls_transport_ptr, const void *, + size_t); /* Store & Retrieve functions defines: */ -typedef int (*gnutls_db_store_func)(void*, gnutls_datum key, gnutls_datum data); -typedef int (*gnutls_db_remove_func)(void*, gnutls_datum key); -typedef gnutls_datum (*gnutls_db_retr_func)(void*, gnutls_datum key); +typedef int (*gnutls_db_store_func) (void *, gnutls_datum key, + gnutls_datum data); +typedef int (*gnutls_db_remove_func) (void *, gnutls_datum key); +typedef gnutls_datum(*gnutls_db_retr_func) (void *, gnutls_datum key); typedef struct auth_cred_st { - gnutls_credentials_type algorithm; + gnutls_credentials_type algorithm; - /* the type of credentials depends on algorithm - */ - void* credentials; - struct auth_cred_st* next; + /* the type of credentials depends on algorithm + */ + void *credentials; + struct auth_cred_st *next; } auth_cred_st; struct gnutls_key_st { - /* For DH KX */ - gnutls_datum key; - mpi_t KEY; - mpi_t client_Y; - mpi_t client_g; - mpi_t client_p; - mpi_t dh_secret; - /* for SRP */ - mpi_t A; - mpi_t B; - mpi_t u; - mpi_t b; - mpi_t a; - mpi_t x; - /* RSA: e, m - */ - mpi_t rsa[2]; - - /* this is used to hold the peers authentication data - */ - /* auth_info_t structures SHOULD NOT contain malloced - * elements. Check gnutls_session_pack.c, and gnutls_auth.c. - * Rememember that this should be calloced! - */ - void* auth_info; - gnutls_credentials_type auth_info_type; - int auth_info_size; /* needed in order to store to db for restoring - */ - uint8 crypt_algo; - - auth_cred_st* cred; /* used to specify keys/certificates etc */ - - int certificate_requested; - /* some ciphersuites use this - * to provide client authentication. - * 1 if client auth was requested - * by the peer, 0 otherwise - *** In case of a server this - * holds 1 if we should wait - * for a client certificate verify - */ + /* For DH KX */ + gnutls_datum key; + mpi_t KEY; + mpi_t client_Y; + mpi_t client_g; + mpi_t client_p; + mpi_t dh_secret; + /* for SRP */ + mpi_t A; + mpi_t B; + mpi_t u; + mpi_t b; + mpi_t a; + mpi_t x; + /* RSA: e, m + */ + mpi_t rsa[2]; + + /* this is used to hold the peers authentication data + */ + /* auth_info_t structures SHOULD NOT contain malloced + * elements. Check gnutls_session_pack.c, and gnutls_auth.c. + * Rememember that this should be calloced! + */ + void *auth_info; + gnutls_credentials_type auth_info_type; + int auth_info_size; /* needed in order to store to db for restoring + */ + uint8 crypt_algo; + + auth_cred_st *cred; /* used to specify keys/certificates etc */ + + int certificate_requested; + /* some ciphersuites use this + * to provide client authentication. + * 1 if client auth was requested + * by the peer, 0 otherwise + *** In case of a server this + * holds 1 if we should wait + * for a client certificate verify + */ }; -typedef struct gnutls_key_st* gnutls_key_st; +typedef struct gnutls_key_st *gnutls_key_st; /* STATE (cont) */ @@ -298,44 +325,45 @@ typedef struct gnutls_key_st* gnutls_key_st; #include <gnutls_cert.h> typedef struct { - uint8 suite[2]; + uint8 suite[2]; } cipher_suite_st; /* Versions should be in order of the oldest * (eg. SSL3 is before TLS1) */ #define GNUTLS_TLS1 GNUTLS_TLS1_0 -typedef enum gnutls_protocol_version { GNUTLS_SSL3=1, GNUTLS_TLS1_0, - GNUTLS_TLS1_1, GNUTLS_VERSION_UNKNOWN=0xff } -gnutls_protocol_version; +typedef enum gnutls_protocol_version { + GNUTLS_SSL3 = 1, GNUTLS_TLS1_0, + GNUTLS_TLS1_1, GNUTLS_VERSION_UNKNOWN = 0xff +} gnutls_protocol_version; /* This structure holds parameters got from TLS extension * mechanism. (some extensions may hold parameters in auth_info_t * structures also - see SRP). */ -typedef enum gnutls_server_name_type { GNUTLS_NAME_DNS=1 +typedef enum gnutls_server_name_type { GNUTLS_NAME_DNS = 1 } gnutls_server_name_type; typedef struct { - opaque name[MAX_SERVER_NAME_SIZE]; - uint name_length; - gnutls_server_name_type type; + opaque name[MAX_SERVER_NAME_SIZE]; + uint name_length; + gnutls_server_name_type type; } server_name_st; #define MAX_SERVER_NAME_EXTENSIONS 3 typedef struct { - server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS]; - /* limit server_name extensions */ - uint server_names_size; - opaque srp_username[MAX_SRP_USERNAME]; + server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS]; + /* limit server_name extensions */ + uint server_names_size; + opaque srp_username[MAX_SRP_USERNAME]; } tls_ext_st; /* auth_info_t structures now MAY contain malloced * elements. */ - + /* This structure and auth_info_t, are stored in the resume database, * and are restored, in case of resume. * Holds all the required parameters to resume the current @@ -351,82 +379,82 @@ typedef struct { * the handshake is in progress is the cipher suite value. */ typedef struct { - gnutls_connection_end entity; - gnutls_kx_algorithm kx_algorithm; - /* we've got separate write/read bulk/macs because - * there is a time in handshake where the peer has - * null cipher and we don't - */ - gnutls_cipher_algorithm read_bulk_cipher_algorithm; - gnutls_mac_algorithm read_mac_algorithm; - gnutls_compression_method read_compression_algorithm; - - gnutls_cipher_algorithm write_bulk_cipher_algorithm; - gnutls_mac_algorithm write_mac_algorithm; - gnutls_compression_method write_compression_algorithm; - - /* this is the ciphersuite we are going to use - * moved here from internals in order to be restored - * on resume; - */ - cipher_suite_st current_cipher_suite; - opaque master_secret[TLS_MASTER_SIZE]; - opaque client_random[TLS_RANDOM_SIZE]; - opaque server_random[TLS_RANDOM_SIZE]; - opaque session_id[TLS_MAX_SESSION_ID_SIZE]; - uint8 session_id_size; - time_t timestamp; - tls_ext_st extensions; - - /* The send size is the one requested by the programmer. - * The recv size is the one negotiated with the peer. - */ - uint16 max_record_send_size; - uint16 max_record_recv_size; - /* holds the negotiated certificate type */ - gnutls_certificate_type cert_type; - gnutls_protocol_version version; /* moved here */ + gnutls_connection_end entity; + gnutls_kx_algorithm kx_algorithm; + /* we've got separate write/read bulk/macs because + * there is a time in handshake where the peer has + * null cipher and we don't + */ + gnutls_cipher_algorithm read_bulk_cipher_algorithm; + gnutls_mac_algorithm read_mac_algorithm; + gnutls_compression_method read_compression_algorithm; + + gnutls_cipher_algorithm write_bulk_cipher_algorithm; + gnutls_mac_algorithm write_mac_algorithm; + gnutls_compression_method write_compression_algorithm; + + /* this is the ciphersuite we are going to use + * moved here from internals in order to be restored + * on resume; + */ + cipher_suite_st current_cipher_suite; + opaque master_secret[TLS_MASTER_SIZE]; + opaque client_random[TLS_RANDOM_SIZE]; + opaque server_random[TLS_RANDOM_SIZE]; + opaque session_id[TLS_MAX_SESSION_ID_SIZE]; + uint8 session_id_size; + time_t timestamp; + tls_ext_st extensions; + + /* The send size is the one requested by the programmer. + * The recv size is the one negotiated with the peer. + */ + uint16 max_record_send_size; + uint16 max_record_recv_size; + /* holds the negotiated certificate type */ + gnutls_certificate_type cert_type; + gnutls_protocol_version version; /* moved here */ } security_parameters_st; /* This structure holds the generated keys */ typedef struct { - gnutls_datum server_write_mac_secret; - gnutls_datum client_write_mac_secret; - gnutls_datum server_write_IV; - gnutls_datum client_write_IV; - gnutls_datum server_write_key; - gnutls_datum client_write_key; - int generated_keys; /* zero if keys have not - * been generated. Non zero - * otherwise. - */ + gnutls_datum server_write_mac_secret; + gnutls_datum client_write_mac_secret; + gnutls_datum server_write_IV; + gnutls_datum client_write_IV; + gnutls_datum server_write_key; + gnutls_datum client_write_key; + int generated_keys; /* zero if keys have not + * been generated. Non zero + * otherwise. + */ } cipher_specs_st; typedef struct { - cipher_hd_t write_cipher_state; - cipher_hd_t read_cipher_state; - comp_hd_t read_compression_state; - comp_hd_t write_compression_state; - gnutls_datum read_mac_secret; - gnutls_datum write_mac_secret; - uint64 read_sequence_number; - uint64 write_sequence_number; + cipher_hd_t write_cipher_state; + cipher_hd_t read_cipher_state; + comp_hd_t read_compression_state; + comp_hd_t write_compression_state; + gnutls_datum read_mac_secret; + gnutls_datum write_mac_secret; + uint64 read_sequence_number; + uint64 write_sequence_number; } conn_stat_st; typedef struct { - unsigned int priority[MAX_ALGOS]; - unsigned int algorithms; + unsigned int priority[MAX_ALGOS]; + unsigned int algorithms; } priority_st; /* DH and RSA parameters types. */ typedef struct { - /* [0] is the prime, [1] is the generator. - */ - mpi_t params[2]; + /* [0] is the prime, [1] is the generator. + */ + mpi_t params[2]; } dh_params_st; #define gnutls_dh_params dh_params_st* @@ -434,253 +462,255 @@ typedef struct { #define gnutls_rsa_params gnutls_x509_privkey typedef struct { - gnutls_dh_params anon_dh_params; - int free_anon_dh_params; - gnutls_dh_params cert_dh_params; - int free_cert_dh_params; - gnutls_rsa_params rsa_params; - int free_rsa_params; + gnutls_dh_params anon_dh_params; + int free_anon_dh_params; + gnutls_dh_params cert_dh_params; + int free_cert_dh_params; + gnutls_rsa_params rsa_params; + int free_rsa_params; } internal_params_st; typedef struct gnutls_params_st { - gnutls_params_type type; - union params { - gnutls_dh_params dh; - gnutls_rsa_params rsa_export; - } params; - int deinit; + gnutls_params_type type; + union params { + gnutls_dh_params dh; + gnutls_rsa_params rsa_export; + } params; + int deinit; } gnutls_params_st; typedef struct { - opaque header[HANDSHAKE_HEADER_SIZE]; - /* this holds the number of bytes in the handshake_header[] */ - size_t header_size; - /* this holds the length of the handshake packet */ - size_t packet_length; - HandshakeType recv_type; + opaque header[HANDSHAKE_HEADER_SIZE]; + /* this holds the number of bytes in the handshake_header[] */ + size_t header_size; + /* this holds the length of the handshake packet */ + size_t packet_length; + HandshakeType recv_type; } handshake_header_buffer_st; /* Openpgp key retrieval callback */ -typedef int (*gnutls_openpgp_recv_key_func)(struct gnutls_session_int*, - const unsigned char *keyfpr, unsigned int keyfpr_length, gnutls_datum *); +typedef int (*gnutls_openpgp_recv_key_func) (struct gnutls_session_int *, + const unsigned char *keyfpr, + unsigned int keyfpr_length, + gnutls_datum *); typedef struct { - gnutls_buffer application_data_buffer; /* holds data to be delivered to application layer */ - gnutls_buffer handshake_hash_buffer; /* used to keep the last received handshake - * message */ - mac_hd_t handshake_mac_handle_sha; /* hash of the handshake messages */ - mac_hd_t handshake_mac_handle_md5; /* hash of the handshake messages */ - - gnutls_buffer handshake_data_buffer; /* this is a buffer that holds the current handshake message */ - resumable_session_t resumable; /* TRUE or FALSE - if we can resume that session */ - HandshakeState handshake_state; /* holds - * a number which indicates where - * the handshake procedure has been - * interrupted. If it is 0 then - * no interruption has happened. - */ - - valid_session_t valid_connection; /* true or FALSE - if this session is valid */ - - int may_not_read; /* if it's 0 then we can read/write, otherwise it's forbiden to read/write - */ - int may_not_write; - int read_eof; /* non-zero if we have received a closure alert. */ - - int last_alert; /* last alert received */ - - /* The last handshake messages sent or received. - */ - int last_handshake_in; - int last_handshake_out; - - /* this is the compression method we are going to use */ - gnutls_compression_method compression_method; - /* priorities */ - priority_st cipher_algorithm_priority; - priority_st mac_algorithm_priority; - priority_st kx_algorithm_priority; - priority_st compression_method_priority; - priority_st protocol_priority; - priority_st cert_type_priority; - - /* resumed session */ - resumable_session_t resumed; /* RESUME_TRUE or FALSE - if we are resuming a session */ - security_parameters_st resumed_security_parameters; - - /* sockets internals */ - int lowat; - - /* These buffers are used in the handshake - * protocol only. freed using _gnutls_handshake_io_buffer_clear(); - */ - gnutls_buffer handshake_send_buffer; - size_t handshake_send_buffer_prev_size; - content_type_t handshake_send_buffer_type; - HandshakeType handshake_send_buffer_htype; - content_type_t handshake_recv_buffer_type; - HandshakeType handshake_recv_buffer_htype; - gnutls_buffer handshake_recv_buffer; - - /* this buffer holds a record packet -mostly used for - * non blocking IO. + gnutls_buffer application_data_buffer; /* holds data to be delivered to application layer */ + gnutls_buffer handshake_hash_buffer; /* used to keep the last received handshake + * message */ + mac_hd_t handshake_mac_handle_sha; /* hash of the handshake messages */ + mac_hd_t handshake_mac_handle_md5; /* hash of the handshake messages */ + + gnutls_buffer handshake_data_buffer; /* this is a buffer that holds the current handshake message */ + resumable_session_t resumable; /* TRUE or FALSE - if we can resume that session */ + HandshakeState handshake_state; /* holds + * a number which indicates where + * the handshake procedure has been + * interrupted. If it is 0 then + * no interruption has happened. */ - gnutls_buffer record_recv_buffer; - gnutls_buffer record_send_buffer; /* holds cached data - * for the gnutls_io_write_buffered() - * function. - */ - size_t record_send_buffer_prev_size; /* holds the - * data written in the previous runs. - */ - size_t record_send_buffer_user_size; /* holds the - * size of the user specified data to - * send. - */ - - /* 0 if no peeked data was kept, 1 otherwise. + + valid_session_t valid_connection; /* true or FALSE - if this session is valid */ + + int may_not_read; /* if it's 0 then we can read/write, otherwise it's forbiden to read/write + */ + int may_not_write; + int read_eof; /* non-zero if we have received a closure alert. */ + + int last_alert; /* last alert received */ + + /* The last handshake messages sent or received. + */ + int last_handshake_in; + int last_handshake_out; + + /* this is the compression method we are going to use */ + gnutls_compression_method compression_method; + /* priorities */ + priority_st cipher_algorithm_priority; + priority_st mac_algorithm_priority; + priority_st kx_algorithm_priority; + priority_st compression_method_priority; + priority_st protocol_priority; + priority_st cert_type_priority; + + /* resumed session */ + resumable_session_t resumed; /* RESUME_TRUE or FALSE - if we are resuming a session */ + security_parameters_st resumed_security_parameters; + + /* sockets internals */ + int lowat; + + /* These buffers are used in the handshake + * protocol only. freed using _gnutls_handshake_io_buffer_clear(); + */ + gnutls_buffer handshake_send_buffer; + size_t handshake_send_buffer_prev_size; + content_type_t handshake_send_buffer_type; + HandshakeType handshake_send_buffer_htype; + content_type_t handshake_recv_buffer_type; + HandshakeType handshake_recv_buffer_htype; + gnutls_buffer handshake_recv_buffer; + + /* this buffer holds a record packet -mostly used for + * non blocking IO. + */ + gnutls_buffer record_recv_buffer; + gnutls_buffer record_send_buffer; /* holds cached data + * for the gnutls_io_write_buffered() + * function. */ - int have_peeked_data; - - int expire_time; /* after expire_time seconds this session will expire */ - struct mod_auth_st_int* auth_struct; /* used in handshake packets and KX algorithms */ - int v2_hello; /* 0 if the client hello is v3+. - * non-zero if we got a v2 hello. - */ - /* keeps the headers of the handshake packet - */ - handshake_header_buffer_st handshake_header_buffer; - - /* this is the highest version available - * to the peer. (advertized version). - * This is obtained by the Handshake Client Hello - * message. (some implementations read the Record version) - */ - uint8 adv_version_major; - uint8 adv_version_minor; - - /* if this is non zero a certificate request message - * will be sent to the client. - only if the ciphersuite - * supports it. - */ - int send_cert_req; - - /* bits to use for DHE and DHA - * use _gnutls_dh_get_prime_bits() and gnutls_dh_set_prime_bits() - * to access it. - */ - uint16 dh_prime_bits; - - size_t max_handshake_data_buffer_size; - - /* PUSH & PULL functions. - */ - gnutls_pull_func _gnutls_pull_func; - gnutls_push_func _gnutls_push_func; - /* Holds the first argument of PUSH and PULL - * functions; - */ - gnutls_transport_ptr transport_recv_ptr; - gnutls_transport_ptr transport_send_ptr; - - /* STORE & RETRIEVE functions. Only used if other - * backend than gdbm is used. - */ - gnutls_db_store_func db_store_func; - gnutls_db_retr_func db_retrieve_func; - gnutls_db_remove_func db_remove_func; - void* db_ptr; - - /* Holds the record size requested by the - * user. - */ - uint16 proposed_record_size; - - /* holds the selected certificate and key. - * use _gnutls_selected_certs_deinit() and _gnutls_selected_certs_set() - * to change them. - */ - gnutls_cert* selected_cert_list; - int selected_cert_list_length; - gnutls_privkey* selected_key; - int selected_need_free; - - /* holds the extensions we sent to the peer - * (in case of a client) - */ - uint16 extensions_sent[MAX_EXT_TYPES]; - uint16 extensions_sent_size; - - /* is 0 if we are to send the whole PGP key, or non zero - * if the fingerprint is to be sent. - */ - int pgp_fingerprint; - - /* This holds the default version that our first - * record packet will have. */ - opaque default_record_version[2]; - - int cbc_protection_hack; - - void* user_ptr; - - int enable_private;/* non zero to - * enable cipher suites - * which have 0xFF status. - */ - - /* Holds 0 if the last called function was interrupted while - * receiving, and non zero otherwise. - */ - int direction; - - /* This callback will be used (if set) to receive an - * openpgp key. (if the peer sends a fingerprint) - */ - gnutls_openpgp_recv_key_func openpgp_recv_key_func; - - /* If non zero the server will not advertize the CA's he - * trusts (do not send an RDN sequence). - */ - int ignore_rdn_sequence; - - /* This is used to set an arbitary version in the RSA - * PMS secret. Can be used by clients to test whether the - * server checks that version. (** only used in gnutls-cli-debug) - */ - opaque rsa_pms_version[2]; - - char* srp_username; - char* srp_password; - - /* This is only set in SRP, when the handshake is - * restarted if an username is not found. - */ - int handshake_restarted; - - /* Here we cache the DH or RSA parameters got from the - * credentials structure, or from a callback. That is to - * minimize external calls. - */ - internal_params_st params; - - /* This buffer is used by the record recv functions, - * as a temporary store buffer. - */ - gnutls_datum recv_buffer; - - /* If you add anything here, check _gnutls_handshake_internal_state_clear(). - */ + size_t record_send_buffer_prev_size; /* holds the + * data written in the previous runs. + */ + size_t record_send_buffer_user_size; /* holds the + * size of the user specified data to + * send. + */ + + /* 0 if no peeked data was kept, 1 otherwise. + */ + int have_peeked_data; + + int expire_time; /* after expire_time seconds this session will expire */ + struct mod_auth_st_int *auth_struct; /* used in handshake packets and KX algorithms */ + int v2_hello; /* 0 if the client hello is v3+. + * non-zero if we got a v2 hello. + */ + /* keeps the headers of the handshake packet + */ + handshake_header_buffer_st handshake_header_buffer; + + /* this is the highest version available + * to the peer. (advertized version). + * This is obtained by the Handshake Client Hello + * message. (some implementations read the Record version) + */ + uint8 adv_version_major; + uint8 adv_version_minor; + + /* if this is non zero a certificate request message + * will be sent to the client. - only if the ciphersuite + * supports it. + */ + int send_cert_req; + + /* bits to use for DHE and DHA + * use _gnutls_dh_get_prime_bits() and gnutls_dh_set_prime_bits() + * to access it. + */ + uint16 dh_prime_bits; + + size_t max_handshake_data_buffer_size; + + /* PUSH & PULL functions. + */ + gnutls_pull_func _gnutls_pull_func; + gnutls_push_func _gnutls_push_func; + /* Holds the first argument of PUSH and PULL + * functions; + */ + gnutls_transport_ptr transport_recv_ptr; + gnutls_transport_ptr transport_send_ptr; + + /* STORE & RETRIEVE functions. Only used if other + * backend than gdbm is used. + */ + gnutls_db_store_func db_store_func; + gnutls_db_retr_func db_retrieve_func; + gnutls_db_remove_func db_remove_func; + void *db_ptr; + + /* Holds the record size requested by the + * user. + */ + uint16 proposed_record_size; + + /* holds the selected certificate and key. + * use _gnutls_selected_certs_deinit() and _gnutls_selected_certs_set() + * to change them. + */ + gnutls_cert *selected_cert_list; + int selected_cert_list_length; + gnutls_privkey *selected_key; + int selected_need_free; + + /* holds the extensions we sent to the peer + * (in case of a client) + */ + uint16 extensions_sent[MAX_EXT_TYPES]; + uint16 extensions_sent_size; + + /* is 0 if we are to send the whole PGP key, or non zero + * if the fingerprint is to be sent. + */ + int pgp_fingerprint; + + /* This holds the default version that our first + * record packet will have. */ + opaque default_record_version[2]; + + int cbc_protection_hack; + + void *user_ptr; + + int enable_private; /* non zero to + * enable cipher suites + * which have 0xFF status. + */ + + /* Holds 0 if the last called function was interrupted while + * receiving, and non zero otherwise. + */ + int direction; + + /* This callback will be used (if set) to receive an + * openpgp key. (if the peer sends a fingerprint) + */ + gnutls_openpgp_recv_key_func openpgp_recv_key_func; + + /* If non zero the server will not advertize the CA's he + * trusts (do not send an RDN sequence). + */ + int ignore_rdn_sequence; + + /* This is used to set an arbitary version in the RSA + * PMS secret. Can be used by clients to test whether the + * server checks that version. (** only used in gnutls-cli-debug) + */ + opaque rsa_pms_version[2]; + + char *srp_username; + char *srp_password; + + /* This is only set in SRP, when the handshake is + * restarted if an username is not found. + */ + int handshake_restarted; + + /* Here we cache the DH or RSA parameters got from the + * credentials structure, or from a callback. That is to + * minimize external calls. + */ + internal_params_st params; + + /* This buffer is used by the record recv functions, + * as a temporary store buffer. + */ + gnutls_datum recv_buffer; + + /* If you add anything here, check _gnutls_handshake_internal_state_clear(). + */ } internals_st; struct gnutls_session_int { - security_parameters_st security_parameters; - cipher_specs_st cipher_specs; - conn_stat_st connection_state; - internals_st internals; - gnutls_key_st key; + security_parameters_st security_parameters; + cipher_specs_st cipher_specs; + conn_stat_st connection_state; + internals_st internals; + gnutls_key_st key; }; typedef struct gnutls_session_int *gnutls_session; @@ -689,9 +719,11 @@ typedef struct gnutls_session_int *gnutls_session; /* functions */ -void _gnutls_set_current_version(gnutls_session session, gnutls_protocol_version version); -gnutls_protocol_version gnutls_protocol_get_version(gnutls_session session); -void _gnutls_free_auth_info( gnutls_session session); +void _gnutls_set_current_version(gnutls_session session, + gnutls_protocol_version version); +gnutls_protocol_version gnutls_protocol_get_version(gnutls_session + session); +void _gnutls_free_auth_info(gnutls_session session); /* These two macros return the advertized TLS version of * the peer. @@ -706,13 +738,14 @@ void _gnutls_free_auth_info( gnutls_session session); session->internals.adv_version_major = major; \ session->internals.adv_version_minor = minor -void _gnutls_set_adv_version( gnutls_session, gnutls_protocol_version); -gnutls_protocol_version _gnutls_get_adv_version( gnutls_session); +void _gnutls_set_adv_version(gnutls_session, gnutls_protocol_version); +gnutls_protocol_version _gnutls_get_adv_version(gnutls_session); -int gnutls_fingerprint(gnutls_digest_algorithm algo, const gnutls_datum* data, - void* result, size_t* result_size); +int gnutls_fingerprint(gnutls_digest_algorithm algo, + const gnutls_datum * data, void *result, + size_t * result_size); typedef int gnutls_params_function(gnutls_session, gnutls_params_type, - gnutls_params_st*); + gnutls_params_st *); -#endif /* GNUTLS_INT_H */ +#endif /* GNUTLS_INT_H */ diff --git a/lib/gnutls_int_compat.c b/lib/gnutls_int_compat.c index ffb367a6b3..39ee08c2cd 100644 --- a/lib/gnutls_int_compat.c +++ b/lib/gnutls_int_compat.c @@ -3,10 +3,10 @@ /* This file contains functions needed only for binary compatibility * with previous versions. */ -#define GNUTLS_BACKWARDS_COMPATIBLE +#define GNUTLS_BACKWARDS_COMPATIBLE #ifdef GNUTLS_BACKWARDS_COMPATIBLE /* removed everything for 0.9.0 release */ -#endif /* GNUTLS_BACKWARDS_COMPATIBLE */ +#endif /* GNUTLS_BACKWARDS_COMPATIBLE */ diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c index 59ae665333..0de4eaff99 100644 --- a/lib/gnutls_kx.c +++ b/lib/gnutls_kx.c @@ -41,52 +41,68 @@ */ #define MASTER_SECRET "master secret" -static int generate_normal_master( gnutls_session session, int); +static int generate_normal_master(gnutls_session session, int); -int _gnutls_generate_master( gnutls_session session, int keep_premaster) +int _gnutls_generate_master(gnutls_session session, int keep_premaster) { - if (session->internals.resumed==RESUME_FALSE) - return generate_normal_master(session, keep_premaster); - return 0; + if (session->internals.resumed == RESUME_FALSE) + return generate_normal_master(session, keep_premaster); + return 0; } /* here we generate the TLS Master secret. */ #define PREMASTER session->key->key -static int generate_normal_master( gnutls_session session, int keep_premaster) +static int generate_normal_master(gnutls_session session, + int keep_premaster) { -int ret = 0; -opaque random[2*TLS_RANDOM_SIZE]; -char buf[64]; - - memcpy(random, session->security_parameters.client_random, TLS_RANDOM_SIZE); - memcpy(&random[TLS_RANDOM_SIZE], session->security_parameters.server_random, TLS_RANDOM_SIZE); - - _gnutls_hard_log( "INT: PREMASTER SECRET[%d]: %s\n", PREMASTER.size, _gnutls_bin2hex(PREMASTER.data, PREMASTER.size, buf, sizeof(buf))); - _gnutls_hard_log( "INT: CLIENT RANDOM[%d]: %s\n", 32, _gnutls_bin2hex(session->security_parameters.client_random,32, buf, sizeof(buf))); - _gnutls_hard_log( "INT: SERVER RANDOM[%d]: %s\n", 32, _gnutls_bin2hex(session->security_parameters.server_random,32, buf, sizeof(buf))); - - if ( gnutls_protocol_get_version( session) == GNUTLS_SSL3) { - ret = - _gnutls_ssl3_generate_random( PREMASTER.data, PREMASTER.size, - random, 2*TLS_RANDOM_SIZE, TLS_MASTER_SIZE, - session->security_parameters.master_secret); - - } else { - ret = - _gnutls_PRF( PREMASTER.data, PREMASTER.size, - MASTER_SECRET, strlen(MASTER_SECRET), - random, 2*TLS_RANDOM_SIZE, TLS_MASTER_SIZE, - session->security_parameters.master_secret); - } - - if (!keep_premaster) _gnutls_free_datum(&PREMASTER); - - if (ret<0) return ret; + int ret = 0; + opaque random[2 * TLS_RANDOM_SIZE]; + char buf[64]; + + memcpy(random, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + memcpy(&random[TLS_RANDOM_SIZE], + session->security_parameters.server_random, TLS_RANDOM_SIZE); + + _gnutls_hard_log("INT: PREMASTER SECRET[%d]: %s\n", PREMASTER.size, + _gnutls_bin2hex(PREMASTER.data, PREMASTER.size, buf, + sizeof(buf))); + _gnutls_hard_log("INT: CLIENT RANDOM[%d]: %s\n", 32, + _gnutls_bin2hex(session->security_parameters. + client_random, 32, buf, sizeof(buf))); + _gnutls_hard_log("INT: SERVER RANDOM[%d]: %s\n", 32, + _gnutls_bin2hex(session->security_parameters. + server_random, 32, buf, sizeof(buf))); + + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3) { + ret = + _gnutls_ssl3_generate_random(PREMASTER.data, PREMASTER.size, + random, 2 * TLS_RANDOM_SIZE, + TLS_MASTER_SIZE, + session->security_parameters. + master_secret); + + } else { + ret = + _gnutls_PRF(PREMASTER.data, PREMASTER.size, + MASTER_SECRET, strlen(MASTER_SECRET), + random, 2 * TLS_RANDOM_SIZE, TLS_MASTER_SIZE, + session->security_parameters.master_secret); + } - _gnutls_hard_log( "INT: MASTER SECRET: %s\n", _gnutls_bin2hex(session->security_parameters.master_secret, TLS_MASTER_SIZE, buf, sizeof(buf))); + if (!keep_premaster) + _gnutls_free_datum(&PREMASTER); + if (ret < 0) return ret; + + _gnutls_hard_log("INT: MASTER SECRET: %s\n", + _gnutls_bin2hex(session->security_parameters. + master_secret, TLS_MASTER_SIZE, buf, + sizeof(buf))); + + return ret; } @@ -94,483 +110,537 @@ char buf[64]; * server. It does nothing if this type of message is not required * by the selected ciphersuite. */ -int _gnutls_send_server_kx_message( gnutls_session session, int again) +int _gnutls_send_server_kx_message(gnutls_session session, int again) { - uint8 *data = NULL; - int data_size = 0; - int ret = 0; + uint8 *data = NULL; + int data_size = 0; + int ret = 0; - if (session->internals.auth_struct->gnutls_generate_server_kx==NULL) - return 0; + if (session->internals.auth_struct->gnutls_generate_server_kx == NULL) + return 0; - data = NULL; - data_size = 0; - - if (again == 0) { - data_size = session->internals.auth_struct->gnutls_generate_server_kx( session, &data); - - if (data_size == GNUTLS_E_INT_RET_0) { - gnutls_assert(); - return 0; - } - - if (data_size < 0) { - gnutls_assert(); - return data_size; - } + data = NULL; + data_size = 0; + + if (again == 0) { + data_size = + session->internals.auth_struct-> + gnutls_generate_server_kx(session, &data); + + if (data_size == GNUTLS_E_INT_RET_0) { + gnutls_assert(); + return 0; } - - ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_SERVER_KEY_EXCHANGE); - gnutls_free(data); - if (ret < 0) { - gnutls_assert(); - return ret; + if (data_size < 0) { + gnutls_assert(); + return data_size; } - return data_size; + } + + ret = + _gnutls_send_handshake(session, data, data_size, + GNUTLS_SERVER_KEY_EXCHANGE); + gnutls_free(data); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + return data_size; } /* This function sends a certificate request message to the * client. */ -int _gnutls_send_server_certificate_request( gnutls_session session, int again) +int _gnutls_send_server_certificate_request(gnutls_session session, + int again) { - uint8 *data = NULL; - int data_size = 0; - int ret = 0; + uint8 *data = NULL; + int data_size = 0; + int ret = 0; - if (session->internals.auth_struct->gnutls_generate_server_certificate_request==NULL) - return 0; + if (session->internals.auth_struct-> + gnutls_generate_server_certificate_request == NULL) + return 0; - if (session->internals.send_cert_req <= 0) - return 0; - - data = NULL; - data_size = 0; + if (session->internals.send_cert_req <= 0) + return 0; - if (again == 0) { - data_size = session->internals.auth_struct->gnutls_generate_server_certificate_request( session, &data); + data = NULL; + data_size = 0; - if (data_size < 0) { - gnutls_assert(); - return data_size; - } - } - ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_CERTIFICATE_REQUEST); - gnutls_free(data); + if (again == 0) { + data_size = + session->internals.auth_struct-> + gnutls_generate_server_certificate_request(session, &data); - if (ret < 0) { - gnutls_assert(); - return ret; + if (data_size < 0) { + gnutls_assert(); + return data_size; } - return data_size; + } + ret = + _gnutls_send_handshake(session, data, data_size, + GNUTLS_CERTIFICATE_REQUEST); + gnutls_free(data); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + return data_size; } /* This is the function for the client to send the key * exchange message */ -int _gnutls_send_client_kx_message( gnutls_session session, int again) +int _gnutls_send_client_kx_message(gnutls_session session, int again) { - uint8 *data; - int data_size; - int ret = 0; - - if (session->internals.auth_struct->gnutls_generate_client_kx==NULL) - return 0; + uint8 *data; + int data_size; + int ret = 0; + if (session->internals.auth_struct->gnutls_generate_client_kx == NULL) + return 0; - data = NULL; - data_size = 0; - if (again == 0) { - data_size = session->internals.auth_struct->gnutls_generate_client_kx( session, &data); - if (data_size < 0) { - gnutls_assert(); - return data_size; - } - } - ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_CLIENT_KEY_EXCHANGE); - gnutls_free(data); + data = NULL; + data_size = 0; - if (ret<0) { - gnutls_assert(); - return ret; + if (again == 0) { + data_size = + session->internals.auth_struct-> + gnutls_generate_client_kx(session, &data); + if (data_size < 0) { + gnutls_assert(); + return data_size; } - + } + ret = + _gnutls_send_handshake(session, data, data_size, + GNUTLS_CLIENT_KEY_EXCHANGE); + gnutls_free(data); + + if (ret < 0) { + gnutls_assert(); return ret; + } + + return ret; } /* This is the function for the client to send the certificate * verify message */ -int _gnutls_send_client_certificate_verify( gnutls_session session, int again) +int _gnutls_send_client_certificate_verify(gnutls_session session, + int again) { - uint8 *data; - int ret = 0; - int data_size; + uint8 *data; + int ret = 0; + int data_size; - /* This is a packet that is only sent by the client - */ - if (session->security_parameters.entity==GNUTLS_SERVER) return 0; - - /* if certificate verify is not needed just exit - */ - if (session->key->certificate_requested==0) - return 0; + /* This is a packet that is only sent by the client + */ + if (session->security_parameters.entity == GNUTLS_SERVER) + return 0; - if (session->internals.auth_struct->gnutls_generate_client_cert_vrfy==NULL) { - gnutls_assert(); - return 0; /* this algorithm does not support cli_cert_vrfy - */ - } - - data = NULL; - data_size = 0; - - if (again == 0) { - data_size = session->internals.auth_struct->gnutls_generate_client_cert_vrfy( session, &data); - if (data_size < 0) { - gnutls_assert(); - return data_size; - } - if (data_size == 0) - return 0; + /* if certificate verify is not needed just exit + */ + if (session->key->certificate_requested == 0) + return 0; + if (session->internals.auth_struct->gnutls_generate_client_cert_vrfy == + NULL) { + gnutls_assert(); + return 0; /* this algorithm does not support cli_cert_vrfy + */ + } + + data = NULL; + data_size = 0; + + if (again == 0) { + data_size = + session->internals.auth_struct-> + gnutls_generate_client_cert_vrfy(session, &data); + if (data_size < 0) { + gnutls_assert(); + return data_size; } - ret = - _gnutls_send_handshake( session, data, - data_size, - GNUTLS_CERTIFICATE_VERIFY); - gnutls_free(data); + if (data_size == 0) + return 0; - return ret; + } + ret = + _gnutls_send_handshake(session, data, + data_size, GNUTLS_CERTIFICATE_VERIFY); + gnutls_free(data); + + return ret; } -int _gnutls_recv_server_kx_message( gnutls_session session) +int _gnutls_recv_server_kx_message(gnutls_session session) { - uint8 *data = NULL; - int datasize; - int ret = 0; + uint8 *data = NULL; + int datasize; + int ret = 0; - if (session->internals.auth_struct->gnutls_process_server_kx!=NULL) { + if (session->internals.auth_struct->gnutls_process_server_kx != NULL) { - /* EXCEPTION FOR RSA_EXPORT cipher suite - */ - if ( _gnutls_session_is_export( session) != 0 && - _gnutls_peers_cert_less_512(session) != 0) { - gnutls_assert(); - return 0; - } - - ret = - _gnutls_recv_handshake( session, &data, + /* EXCEPTION FOR RSA_EXPORT cipher suite + */ + if (_gnutls_session_is_export(session) != 0 && + _gnutls_peers_cert_less_512(session) != 0) { + gnutls_assert(); + return 0; + } + + ret = + _gnutls_recv_handshake(session, &data, &datasize, - GNUTLS_SERVER_KEY_EXCHANGE, MANDATORY_PACKET); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = session->internals.auth_struct->gnutls_process_server_kx( session, data, datasize); - gnutls_free(data); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - + GNUTLS_SERVER_KEY_EXCHANGE, + MANDATORY_PACKET); + if (ret < 0) { + gnutls_assert(); + return ret; } - return ret; + + ret = + session->internals.auth_struct-> + gnutls_process_server_kx(session, data, datasize); + gnutls_free(data); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + } + return ret; } -int _gnutls_recv_server_certificate_request( gnutls_session session) +int _gnutls_recv_server_certificate_request(gnutls_session session) { - uint8 *data; - int datasize; - int ret = 0; + uint8 *data; + int datasize; + int ret = 0; - if (session->internals.auth_struct->gnutls_process_server_certificate_request!=NULL) { + if (session->internals.auth_struct-> + gnutls_process_server_certificate_request != NULL) { - ret = - _gnutls_recv_handshake( session, &data, + ret = + _gnutls_recv_handshake(session, &data, &datasize, - GNUTLS_CERTIFICATE_REQUEST, OPTIONAL_PACKET); - if (ret < 0) - return ret; - - if (ret==0 && datasize == 0) - return 0; /* ignored */ - - ret = session->internals.auth_struct->gnutls_process_server_certificate_request( session, data, datasize); - gnutls_free(data); - if (ret < 0) - return ret; - - } - return ret; + GNUTLS_CERTIFICATE_REQUEST, + OPTIONAL_PACKET); + if (ret < 0) + return ret; + + if (ret == 0 && datasize == 0) + return 0; /* ignored */ + + ret = + session->internals.auth_struct-> + gnutls_process_server_certificate_request(session, data, + datasize); + gnutls_free(data); + if (ret < 0) + return ret; + + } + return ret; } -int _gnutls_recv_client_kx_message( gnutls_session session) +int _gnutls_recv_client_kx_message(gnutls_session session) { - uint8 *data; - int datasize; - int ret = 0; + uint8 *data; + int datasize; + int ret = 0; - /* Do key exchange only if the algorithm permits it */ - if (session->internals.auth_struct->gnutls_process_client_kx != NULL) { + /* Do key exchange only if the algorithm permits it */ + if (session->internals.auth_struct->gnutls_process_client_kx != NULL) { - ret = - _gnutls_recv_handshake( session, &data, - &datasize, - GNUTLS_CLIENT_KEY_EXCHANGE, MANDATORY_PACKET); - if (ret < 0) - return ret; + ret = + _gnutls_recv_handshake(session, &data, + &datasize, + GNUTLS_CLIENT_KEY_EXCHANGE, + MANDATORY_PACKET); + if (ret < 0) + return ret; - ret = session->internals.auth_struct->gnutls_process_client_kx( session, data, datasize); - gnutls_free(data); - if (ret < 0) - return ret; + ret = + session->internals.auth_struct-> + gnutls_process_client_kx(session, data, datasize); + gnutls_free(data); + if (ret < 0) + return ret; - } + } - return ret; + return ret; } /* This is called when we want send our certificate */ -int _gnutls_send_client_certificate( gnutls_session session, int again) +int _gnutls_send_client_certificate(gnutls_session session, int again) { - uint8 *data = NULL; - int data_size = 0; - int ret = 0; + uint8 *data = NULL; + int data_size = 0; + int ret = 0; - if (session->key->certificate_requested == 0) - return 0; + if (session->key->certificate_requested == 0) + return 0; - if (session->internals.auth_struct->gnutls_generate_client_certificate==NULL) - return 0; + if (session->internals.auth_struct-> + gnutls_generate_client_certificate == NULL) + return 0; - data = NULL; - data_size = 0; - - if (again == 0) { - if (gnutls_protocol_get_version( session) != GNUTLS_SSL3 || - session->internals.selected_cert_list_length > 0) { - /* TLS 1.0 or SSL 3.0 with a valid certificate - */ - data_size = session->internals.auth_struct->gnutls_generate_client_certificate( session, &data); - - if (data_size < 0) { - gnutls_assert(); - return data_size; - } - } - } + data = NULL; + data_size = 0; - /* In the SSL 3.0 protocol we need to send a - * no certificate alert instead of an - * empty certificate. - */ - if (gnutls_protocol_get_version( session) == GNUTLS_SSL3 && - session->internals.selected_cert_list_length == 0) - { - ret = gnutls_alert_send( session, GNUTLS_AL_WARNING, GNUTLS_A_SSL3_NO_CERTIFICATE); - - } else { /* TLS 1.0 or SSL 3.0 with a valid certificate - */ - ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_CERTIFICATE_PKT); - gnutls_free(data); - } + if (again == 0) { + if (gnutls_protocol_get_version(session) != GNUTLS_SSL3 || + session->internals.selected_cert_list_length > 0) { + /* TLS 1.0 or SSL 3.0 with a valid certificate + */ + data_size = + session->internals.auth_struct-> + gnutls_generate_client_certificate(session, &data); - if (ret < 0) { + if (data_size < 0) { gnutls_assert(); - return ret; + return data_size; + } } + } + + /* In the SSL 3.0 protocol we need to send a + * no certificate alert instead of an + * empty certificate. + */ + if (gnutls_protocol_get_version(session) == GNUTLS_SSL3 && + session->internals.selected_cert_list_length == 0) { + ret = + gnutls_alert_send(session, GNUTLS_AL_WARNING, + GNUTLS_A_SSL3_NO_CERTIFICATE); + + } else { /* TLS 1.0 or SSL 3.0 with a valid certificate + */ + ret = + _gnutls_send_handshake(session, data, data_size, + GNUTLS_CERTIFICATE_PKT); + gnutls_free(data); + } + + if (ret < 0) { + gnutls_assert(); + return ret; + } - return data_size; + return data_size; } /* This is called when we want send our certificate */ -int _gnutls_send_server_certificate( gnutls_session session, int again) +int _gnutls_send_server_certificate(gnutls_session session, int again) { - uint8 *data = NULL; - int data_size = 0; - int ret = 0; + uint8 *data = NULL; + int data_size = 0; + int ret = 0; - if (session->internals.auth_struct->gnutls_generate_server_certificate==NULL) - return 0; + if (session->internals.auth_struct-> + gnutls_generate_server_certificate == NULL) + return 0; - data = NULL; - data_size = 0; + data = NULL; + data_size = 0; - if (again == 0) { - data_size = session->internals.auth_struct->gnutls_generate_server_certificate( session, &data); + if (again == 0) { + data_size = + session->internals.auth_struct-> + gnutls_generate_server_certificate(session, &data); - if (data_size < 0) { - gnutls_assert(); - return data_size; - } - } - ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_CERTIFICATE_PKT); - gnutls_free(data); - - if (ret < 0) { - gnutls_assert(); - return ret; + if (data_size < 0) { + gnutls_assert(); + return data_size; } + } + ret = + _gnutls_send_handshake(session, data, data_size, + GNUTLS_CERTIFICATE_PKT); + gnutls_free(data); + + if (ret < 0) { + gnutls_assert(); + return ret; + } - return data_size; + return data_size; } -int _gnutls_recv_client_certificate( gnutls_session session) +int _gnutls_recv_client_certificate(gnutls_session session) { - int datasize; - opaque * data; - int ret = 0; - int optional; + int datasize; + opaque *data; + int ret = 0; + int optional; - if (session->internals.auth_struct->gnutls_process_client_certificate!=NULL) { + if (session->internals.auth_struct-> + gnutls_process_client_certificate != NULL) { - /* if we have not requested a certificate then just return - */ - if ( session->internals.send_cert_req == 0) { - return 0; - } - - if ( session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) - optional = MANDATORY_PACKET; - else - optional = OPTIONAL_PACKET; - - ret = - _gnutls_recv_handshake( session, &data, - &datasize, - GNUTLS_CERTIFICATE_PKT, optional); - if (ret < 0) { - if (optional == OPTIONAL_PACKET && - ret==GNUTLS_E_WARNING_ALERT_RECEIVED && - gnutls_protocol_get_version(session) == GNUTLS_SSL3 && - gnutls_alert_get(session)==GNUTLS_A_SSL3_NO_CERTIFICATE) { - - /* SSL3 does not send an empty certificate, - * but this alert. So we just ignore it. - */ - gnutls_assert(); - return 0; - } - /* certificate was required */ - if (optional==MANDATORY_PACKET) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - return ret; - } - - if (ret == 0 && datasize == 0 && optional == OPTIONAL_PACKET) { - /* Client has not sent the certificate message. - * well I'm not sure we should accept this - * behaviour. - */ - gnutls_assert(); - return 0; - } - - - ret = session->internals.auth_struct->gnutls_process_client_certificate( session, data, datasize); - gnutls_free(data); - if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND) { - gnutls_assert(); - return ret; - } - - /* ok we should expect a certificate verify message now + /* if we have not requested a certificate then just return + */ + if (session->internals.send_cert_req == 0) { + return 0; + } + + if (session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) + optional = MANDATORY_PACKET; + else + optional = OPTIONAL_PACKET; + + ret = + _gnutls_recv_handshake(session, &data, + &datasize, + GNUTLS_CERTIFICATE_PKT, optional); + if (ret < 0) { + if (optional == OPTIONAL_PACKET && + ret == GNUTLS_E_WARNING_ALERT_RECEIVED && + gnutls_protocol_get_version(session) == GNUTLS_SSL3 && + gnutls_alert_get(session) == + GNUTLS_A_SSL3_NO_CERTIFICATE) { + + /* SSL3 does not send an empty certificate, + * but this alert. So we just ignore it. */ - if (ret==GNUTLS_E_NO_CERTIFICATE_FOUND && optional == OPTIONAL_PACKET) - ret = 0; - else - session->key->certificate_requested = 1; + gnutls_assert(); + return 0; + } + /* certificate was required */ + if (optional == MANDATORY_PACKET) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + return ret; } - return ret; + if (ret == 0 && datasize == 0 && optional == OPTIONAL_PACKET) { + /* Client has not sent the certificate message. + * well I'm not sure we should accept this + * behaviour. + */ + gnutls_assert(); + return 0; + } + + + ret = + session->internals.auth_struct-> + gnutls_process_client_certificate(session, data, datasize); + gnutls_free(data); + if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND) { + gnutls_assert(); + return ret; + } + + /* ok we should expect a certificate verify message now + */ + if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND + && optional == OPTIONAL_PACKET) + ret = 0; + else + session->key->certificate_requested = 1; + + } + + return ret; } -int _gnutls_recv_server_certificate( gnutls_session session) +int _gnutls_recv_server_certificate(gnutls_session session) { - int datasize; - opaque * data; - int ret = 0; - - if (session->internals.auth_struct->gnutls_process_server_certificate!=NULL) { - - ret = - _gnutls_recv_handshake( session, &data, - &datasize, - GNUTLS_CERTIFICATE_PKT, MANDATORY_PACKET); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = session->internals.auth_struct->gnutls_process_server_certificate( session, data, datasize); - gnutls_free(data); - if (ret < 0) { - gnutls_assert(); - return ret; - } + int datasize; + opaque *data; + int ret = 0; + + if (session->internals.auth_struct-> + gnutls_process_server_certificate != NULL) { + + ret = + _gnutls_recv_handshake(session, &data, + &datasize, + GNUTLS_CERTIFICATE_PKT, + MANDATORY_PACKET); + if (ret < 0) { + gnutls_assert(); + return ret; } - return ret; + ret = + session->internals.auth_struct-> + gnutls_process_server_certificate(session, data, datasize); + gnutls_free(data); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } + + return ret; } /* Recv the client certificate verify. This packet may not * arrive if the peer did not send us a certificate. */ -int _gnutls_recv_client_certificate_verify_message( gnutls_session session) +int _gnutls_recv_client_certificate_verify_message(gnutls_session session) { - uint8 *data; - int datasize; - int ret = 0; - - - if (session->internals.auth_struct->gnutls_process_client_cert_vrfy != NULL) { - - if ( session->internals.send_cert_req == 0 || - session->key->certificate_requested == 0) { - return 0; - } - - ret = - _gnutls_recv_handshake( session, &data, - &datasize, - GNUTLS_CERTIFICATE_VERIFY, OPTIONAL_PACKET); - if (ret < 0) - return ret; - - if (ret==0 && datasize == 0 && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) { - /* certificate was required */ - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - ret = session->internals.auth_struct->gnutls_process_client_cert_vrfy( session, data, datasize); - gnutls_free(data); - if (ret < 0) - return ret; + uint8 *data; + int datasize; + int ret = 0; + + if (session->internals.auth_struct->gnutls_process_client_cert_vrfy != + NULL) { + + if (session->internals.send_cert_req == 0 || + session->key->certificate_requested == 0) { + return 0; } - return ret; + ret = + _gnutls_recv_handshake(session, &data, + &datasize, + GNUTLS_CERTIFICATE_VERIFY, + OPTIONAL_PACKET); + if (ret < 0) + return ret; + + if (ret == 0 && datasize == 0 + && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) { + /* certificate was required */ + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + ret = + session->internals.auth_struct-> + gnutls_process_client_cert_vrfy(session, data, datasize); + gnutls_free(data); + if (ret < 0) + return ret; + + } + + return ret; } diff --git a/lib/gnutls_kx.h b/lib/gnutls_kx.h index a2d8eea197..41f9ad4506 100644 --- a/lib/gnutls_kx.h +++ b/lib/gnutls_kx.h @@ -18,17 +18,18 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -int _gnutls_send_server_kx_message( gnutls_session session, int again); -int _gnutls_send_client_kx_message( gnutls_session session, int again); -int _gnutls_recv_server_kx_message( gnutls_session session); -int _gnutls_recv_client_kx_message( gnutls_session session); -int _gnutls_send_client_certificate_verify( gnutls_session session, int again); -int _gnutls_send_server_certificate( gnutls_session session, int again); -int _gnutls_generate_master( gnutls_session session, int keep_premaster); -int _gnutls_recv_client_certificate( gnutls_session session); -int _gnutls_recv_server_certificate( gnutls_session session); -int _gnutls_send_client_certificate( gnutls_session session, int again); -int _gnutls_recv_server_certificate_request( gnutls_session session); -int _gnutls_send_server_certificate_request( gnutls_session session, int again); -int _gnutls_recv_client_certificate_verify_message( gnutls_session session); - +int _gnutls_send_server_kx_message(gnutls_session session, int again); +int _gnutls_send_client_kx_message(gnutls_session session, int again); +int _gnutls_recv_server_kx_message(gnutls_session session); +int _gnutls_recv_client_kx_message(gnutls_session session); +int _gnutls_send_client_certificate_verify(gnutls_session session, + int again); +int _gnutls_send_server_certificate(gnutls_session session, int again); +int _gnutls_generate_master(gnutls_session session, int keep_premaster); +int _gnutls_recv_client_certificate(gnutls_session session); +int _gnutls_recv_server_certificate(gnutls_session session); +int _gnutls_send_client_certificate(gnutls_session session, int again); +int _gnutls_recv_server_certificate_request(gnutls_session session); +int _gnutls_send_server_certificate_request(gnutls_session session, + int again); +int _gnutls_recv_client_certificate_verify_message(gnutls_session session); diff --git a/lib/gnutls_mem.c b/lib/gnutls_mem.c index 0762c6f1ae..2202e75e54 100644 --- a/lib/gnutls_mem.c +++ b/lib/gnutls_mem.c @@ -29,56 +29,65 @@ gnutls_alloc_function gnutls_malloc = malloc; gnutls_free_function gnutls_free = free; gnutls_realloc_function gnutls_realloc = realloc; -void* (*gnutls_calloc)(size_t, size_t) = calloc; -char* (*gnutls_strdup)(const char*) = _gnutls_strdup; +void *(*gnutls_calloc) (size_t, size_t) = calloc; +char *(*gnutls_strdup) (const char *) = _gnutls_strdup; -int _gnutls_is_secure_mem_null( const void* ign) { return 0; } +int _gnutls_is_secure_mem_null(const void *ign) +{ + return 0; +} -int (*_gnutls_is_secure_memory)(const void*) = _gnutls_is_secure_mem_null; +int (*_gnutls_is_secure_memory) (const void *) = + _gnutls_is_secure_mem_null; void *_gnutls_calloc(size_t nmemb, size_t size) { - void *ret; - size *= nmemb; - ret = gnutls_malloc(size); - if (ret != NULL) memset(ret, 0, size); - return ret; + void *ret; + size *= nmemb; + ret = gnutls_malloc(size); + if (ret != NULL) + memset(ret, 0, size); + return ret; } svoid *gnutls_secure_calloc(size_t nmemb, size_t size) { - svoid *ret; - size *= nmemb; - ret = gnutls_secure_malloc(size); - if (ret != NULL) memset(ret, 0, size); - return ret; + svoid *ret; + size *= nmemb; + ret = gnutls_secure_malloc(size); + if (ret != NULL) + memset(ret, 0, size); + return ret; } /* This realloc will free ptr in case realloc * fails. */ -void* gnutls_realloc_fast( void* ptr, size_t size) +void *gnutls_realloc_fast(void *ptr, size_t size) { -void *ret; + void *ret; - if (size == 0) return ptr; + if (size == 0) + return ptr; - ret = gnutls_realloc( ptr, size); - if ( ret == NULL) { - gnutls_free( ptr); - } + ret = gnutls_realloc(ptr, size); + if (ret == NULL) { + gnutls_free(ptr); + } - return ret; + return ret; } -char* _gnutls_strdup( const char* str) { -size_t siz = strlen( str) + 1; -char* ret; +char *_gnutls_strdup(const char *str) +{ + size_t siz = strlen(str) + 1; + char *ret; - ret = gnutls_malloc( siz); - if (ret != NULL) memcpy( ret, str, siz); - return ret; + ret = gnutls_malloc(siz); + if (ret != NULL) + memcpy(ret, str, siz); + return ret; } @@ -96,7 +105,7 @@ char* ret; * The allocation function used is the one set by gnutls_global_set_mem_functions(). * **/ -void* gnutls_malloc( size_t s) +void *gnutls_malloc(size_t s) { } @@ -109,9 +118,8 @@ void* gnutls_malloc( size_t s) * The deallocation function used is the one set by gnutls_global_set_mem_functions(). * **/ -void gnutls_free( void* ptr) +void gnutls_free(void *ptr) { } #endif - diff --git a/lib/gnutls_mem.h b/lib/gnutls_mem.h index 959757a27f..06bb2167e3 100644 --- a/lib/gnutls_mem.h +++ b/lib/gnutls_mem.h @@ -5,7 +5,7 @@ # include <dmalloc.h> #endif -typedef void svoid; /* for functions that allocate using gnutls_secure_malloc */ +typedef void svoid; /* for functions that allocate using gnutls_secure_malloc */ /* Use gnutls_afree() when calling alloca, or * memory leaks may occur in systems which do not @@ -29,30 +29,30 @@ typedef void svoid; /* for functions that allocate using gnutls_secure_malloc */ # define gnutls_alloca gnutls_malloc # define gnutls_afree gnutls_free # endif -#endif /* HAVE_ALLOCA */ +#endif /* HAVE_ALLOCA */ -typedef void* (*gnutls_alloc_function)(size_t); -typedef void (*gnutls_free_function)(void*); -typedef void* (*gnutls_realloc_function)(void*, size_t); +typedef void *(*gnutls_alloc_function) (size_t); +typedef void (*gnutls_free_function) (void *); +typedef void *(*gnutls_realloc_function) (void *, size_t); extern gnutls_alloc_function gnutls_secure_malloc; extern gnutls_alloc_function gnutls_malloc; extern gnutls_free_function gnutls_free; -extern int (*_gnutls_is_secure_memory)(const void*); +extern int (*_gnutls_is_secure_memory) (const void *); extern gnutls_realloc_function gnutls_realloc; -extern void* (*gnutls_calloc)(size_t, size_t); -extern char* (*gnutls_strdup)( const char*); +extern void *(*gnutls_calloc) (size_t, size_t); +extern char *(*gnutls_strdup) (const char *); /* this realloc function will return ptr if size==0, and * will free the ptr if the new allocation failed. */ -void* gnutls_realloc_fast( void* ptr, size_t size); +void *gnutls_realloc_fast(void *ptr, size_t size); -svoid* gnutls_secure_calloc( size_t nmemb, size_t size); -void* _gnutls_calloc( size_t nmemb, size_t size); +svoid *gnutls_secure_calloc(size_t nmemb, size_t size); +void *_gnutls_calloc(size_t nmemb, size_t size); -char* _gnutls_strdup( const char*); +char *_gnutls_strdup(const char *); -#endif /* GNUTLS_MEM_H */ +#endif /* GNUTLS_MEM_H */ diff --git a/lib/gnutls_mpi.c b/lib/gnutls_mpi.c index 9d135ae092..2ba9ac7713 100644 --- a/lib/gnutls_mpi.c +++ b/lib/gnutls_mpi.c @@ -31,97 +31,109 @@ /* Functions that refer to the libgcrypt library. */ - -void _gnutls_mpi_release( mpi_t* x) { - if (*x==NULL) return; - gcry_mpi_release(*x); - *x=NULL; + +void _gnutls_mpi_release(mpi_t * x) +{ + if (*x == NULL) + return; + gcry_mpi_release(*x); + *x = NULL; } /* returns zero on success */ -int _gnutls_mpi_scan( mpi_t *ret_mpi, const opaque *buffer, size_t *nbytes ) { - int ret; - - ret = gcry_mpi_scan( ret_mpi, GCRYMPI_FMT_USG, buffer, *nbytes, nbytes); - if (ret) return GNUTLS_E_MPI_SCAN_FAILED; - - /* MPIs with 0 bits are illegal - */ - if (_gnutls_mpi_get_nbits( *ret_mpi) == 0) { - _gnutls_mpi_release( ret_mpi); - return GNUTLS_E_MPI_SCAN_FAILED; - } +int _gnutls_mpi_scan(mpi_t * ret_mpi, const opaque * buffer, + size_t * nbytes) +{ + int ret; - return 0; -} + ret = gcry_mpi_scan(ret_mpi, GCRYMPI_FMT_USG, buffer, *nbytes, nbytes); + if (ret) + return GNUTLS_E_MPI_SCAN_FAILED; -int _gnutls_mpi_scan_pgp( mpi_t *ret_mpi, const opaque *buffer, size_t *nbytes) -{ -int ret; - ret = gcry_mpi_scan( ret_mpi, GCRYMPI_FMT_PGP, buffer, *nbytes, nbytes); - if (ret) return GNUTLS_E_MPI_SCAN_FAILED; + /* MPIs with 0 bits are illegal + */ + if (_gnutls_mpi_get_nbits(*ret_mpi) == 0) { + _gnutls_mpi_release(ret_mpi); + return GNUTLS_E_MPI_SCAN_FAILED; + } - /* MPIs with 0 bits are illegal - */ - if (_gnutls_mpi_get_nbits( *ret_mpi) == 0) { - _gnutls_mpi_release( ret_mpi); - return GNUTLS_E_MPI_SCAN_FAILED; - } + return 0; +} - return 0; +int _gnutls_mpi_scan_pgp(mpi_t * ret_mpi, const opaque * buffer, + size_t * nbytes) +{ + int ret; + ret = gcry_mpi_scan(ret_mpi, GCRYMPI_FMT_PGP, buffer, *nbytes, nbytes); + if (ret) + return GNUTLS_E_MPI_SCAN_FAILED; + + /* MPIs with 0 bits are illegal + */ + if (_gnutls_mpi_get_nbits(*ret_mpi) == 0) { + _gnutls_mpi_release(ret_mpi); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + return 0; } -int _gnutls_mpi_print( void *buffer, size_t *nbytes, const mpi_t a ) +int _gnutls_mpi_print(void *buffer, size_t * nbytes, const mpi_t a) { -int ret; + int ret; - if (nbytes == NULL || a == NULL) return GNUTLS_E_INVALID_REQUEST; + if (nbytes == NULL || a == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = gcry_mpi_print( GCRYMPI_FMT_USG, buffer, *nbytes, nbytes, a); - if (!ret) return 0; - - return GNUTLS_E_MPI_PRINT_FAILED; + ret = gcry_mpi_print(GCRYMPI_FMT_USG, buffer, *nbytes, nbytes, a); + if (!ret) + return 0; + + return GNUTLS_E_MPI_PRINT_FAILED; } /* Always has the first bit zero */ -int _gnutls_mpi_print_lz( void *buffer, size_t *nbytes, const mpi_t a ) +int _gnutls_mpi_print_lz(void *buffer, size_t * nbytes, const mpi_t a) { -int ret; + int ret; - if (nbytes == NULL || a == NULL) return GNUTLS_E_INVALID_REQUEST; + if (nbytes == NULL || a == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = gcry_mpi_print( GCRYMPI_FMT_STD, buffer, *nbytes, nbytes, a); - if (!ret) return 0; - - return GNUTLS_E_MPI_PRINT_FAILED; + ret = gcry_mpi_print(GCRYMPI_FMT_STD, buffer, *nbytes, nbytes, a); + if (!ret) + return 0; + + return GNUTLS_E_MPI_PRINT_FAILED; } /* Always has the first bit zero */ -int _gnutls_mpi_dprint_lz( gnutls_datum* dest, const mpi_t a ) +int _gnutls_mpi_dprint_lz(gnutls_datum * dest, const mpi_t a) { -int ret; -opaque* buf = NULL; -size_t bytes = 0; - - if (dest == NULL || a == NULL) return GNUTLS_E_INVALID_REQUEST; - - gcry_mpi_print( GCRYMPI_FMT_STD, NULL, 0, &bytes, a); - - if (bytes != 0) - buf = gnutls_malloc( bytes); - if (buf == NULL) - return GNUTLS_E_MEMORY_ERROR; - - ret = gcry_mpi_print( GCRYMPI_FMT_STD, buf, bytes, &bytes, a); - if (!ret) { - dest->data = buf; - dest->size = bytes; - return 0; - } - - gnutls_free(buf); - return GNUTLS_E_MPI_PRINT_FAILED; + int ret; + opaque *buf = NULL; + size_t bytes = 0; + + if (dest == NULL || a == NULL) + return GNUTLS_E_INVALID_REQUEST; + + gcry_mpi_print(GCRYMPI_FMT_STD, NULL, 0, &bytes, a); + + if (bytes != 0) + buf = gnutls_malloc(bytes); + if (buf == NULL) + return GNUTLS_E_MEMORY_ERROR; + + ret = gcry_mpi_print(GCRYMPI_FMT_STD, buf, bytes, &bytes, a); + if (!ret) { + dest->data = buf; + dest->size = bytes; + return 0; + } + + gnutls_free(buf); + return GNUTLS_E_MPI_PRINT_FAILED; } @@ -129,82 +141,86 @@ size_t bytes = 0; * from asn1 structs. Combines the read and mpi_scan * steps. */ -int _gnutls_x509_read_int( ASN1_TYPE node, const char* value, - mpi_t* ret_mpi) +int _gnutls_x509_read_int(ASN1_TYPE node, const char *value, + mpi_t * ret_mpi) { -int result; -size_t s_len; -opaque* tmpstr = NULL; -int tmpstr_size; - - tmpstr_size = 0; - result = asn1_read_value( node, value, NULL, &tmpstr_size); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - tmpstr = gnutls_alloca( tmpstr_size); - if (tmpstr == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - result = asn1_read_value( node, value, tmpstr, &tmpstr_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_afree( tmpstr); - return _gnutls_asn2err(result); - } - - s_len = tmpstr_size; - if (_gnutls_mpi_scan( ret_mpi, tmpstr, &s_len) != 0) { - gnutls_assert(); - gnutls_afree( tmpstr); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - gnutls_afree( tmpstr); - - return 0; + int result; + size_t s_len; + opaque *tmpstr = NULL; + int tmpstr_size; + + tmpstr_size = 0; + result = asn1_read_value(node, value, NULL, &tmpstr_size); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + tmpstr = gnutls_alloca(tmpstr_size); + if (tmpstr == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_read_value(node, value, tmpstr, &tmpstr_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_afree(tmpstr); + return _gnutls_asn2err(result); + } + + s_len = tmpstr_size; + if (_gnutls_mpi_scan(ret_mpi, tmpstr, &s_len) != 0) { + gnutls_assert(); + gnutls_afree(tmpstr); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + gnutls_afree(tmpstr); + + return 0; } /* Writes the specified integer into the specified node. */ -int _gnutls_x509_write_int( ASN1_TYPE node, const char* value, mpi_t mpi, int lz) +int _gnutls_x509_write_int(ASN1_TYPE node, const char *value, mpi_t mpi, + int lz) { -opaque *tmpstr; -size_t s_len; -int result; - - s_len = 0; - if (lz) result = _gnutls_mpi_print_lz( NULL, &s_len, mpi); - else result = _gnutls_mpi_print( NULL, &s_len, mpi); - - tmpstr = gnutls_alloca( s_len); - if (tmpstr == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - if (lz) result = _gnutls_mpi_print_lz( tmpstr, &s_len, mpi); - else result = _gnutls_mpi_print( tmpstr, &s_len, mpi); - - if (result != 0) { - gnutls_assert(); - gnutls_afree( tmpstr); - return GNUTLS_E_MPI_PRINT_FAILED; - } - - result = asn1_write_value( node, value, tmpstr, s_len); - - gnutls_afree( tmpstr); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + opaque *tmpstr; + size_t s_len; + int result; + + s_len = 0; + if (lz) + result = _gnutls_mpi_print_lz(NULL, &s_len, mpi); + else + result = _gnutls_mpi_print(NULL, &s_len, mpi); + + tmpstr = gnutls_alloca(s_len); + if (tmpstr == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + if (lz) + result = _gnutls_mpi_print_lz(tmpstr, &s_len, mpi); + else + result = _gnutls_mpi_print(tmpstr, &s_len, mpi); + + if (result != 0) { + gnutls_assert(); + gnutls_afree(tmpstr); + return GNUTLS_E_MPI_PRINT_FAILED; + } - return 0; -} + result = asn1_write_value(node, value, tmpstr, s_len); + gnutls_afree(tmpstr); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; +} diff --git a/lib/gnutls_mpi.h b/lib/gnutls_mpi.h index 350226691d..41a05bf7ee 100644 --- a/lib/gnutls_mpi.h +++ b/lib/gnutls_mpi.h @@ -31,18 +31,20 @@ typedef mpi_t GNUTLS_MPI; #define _gnutls_prime_check gcry_prime_check #define _gnutls_mpi_div gcry_mpi_div -# define _gnutls_mpi_alloc_like(x) _gnutls_mpi_new(_gnutls_mpi_get_nbits(x)) -# define _gnutls_mpi_salloc_like(x) _gnutls_mpi_snew(_gnutls_mpi_get_nbits(x)) +# define _gnutls_mpi_alloc_like(x) _gnutls_mpi_new(_gnutls_mpi_get_nbits(x)) +# define _gnutls_mpi_salloc_like(x) _gnutls_mpi_snew(_gnutls_mpi_get_nbits(x)) -void _gnutls_mpi_release( mpi_t* x); +void _gnutls_mpi_release(mpi_t * x); -int _gnutls_mpi_scan( mpi_t *ret_mpi, const opaque *buffer, size_t *nbytes ); -int _gnutls_mpi_scan_pgp( mpi_t *ret_mpi, const opaque *buffer, size_t *nbytes ); +int _gnutls_mpi_scan(mpi_t * ret_mpi, const opaque * buffer, + size_t * nbytes); +int _gnutls_mpi_scan_pgp(mpi_t * ret_mpi, const opaque * buffer, + size_t * nbytes); -int _gnutls_mpi_print( void *buffer, size_t *nbytes, const mpi_t a ); -int _gnutls_mpi_print_lz( void *buffer, size_t *nbytes, const mpi_t a ); +int _gnutls_mpi_print(void *buffer, size_t * nbytes, const mpi_t a); +int _gnutls_mpi_print_lz(void *buffer, size_t * nbytes, const mpi_t a); -int _gnutls_mpi_dprint_lz( gnutls_datum* dest, const mpi_t a ); +int _gnutls_mpi_dprint_lz(gnutls_datum * dest, const mpi_t a); #define _gnutls_mpi_dprint _gnutls_mpi_dprint_lz #endif diff --git a/lib/gnutls_num.c b/lib/gnutls_num.c index 8d9ed1c8c4..259e230f20 100644 --- a/lib/gnutls_num.c +++ b/lib/gnutls_num.c @@ -32,130 +32,144 @@ * Returns 0 on success, or -1 if the uint64 max limit * has been reached. */ -int _gnutls_uint64pp( uint64 *x) { -register int i, y=0; - - for (i=7;i>=0;i--) { - y = 0; - if ( x->i[i] == 0xff) { - x->i[i] = 0; - y = 1; - } else x->i[i]++; - - if (y==0) break; - } - if (y != 0) return -1; /* over 64 bits! WOW */ - - return 0; +int _gnutls_uint64pp(uint64 * x) +{ + register int i, y = 0; + + for (i = 7; i >= 0; i--) { + y = 0; + if (x->i[i] == 0xff) { + x->i[i] = 0; + y = 1; + } else + x->i[i]++; + + if (y == 0) + break; + } + if (y != 0) + return -1; /* over 64 bits! WOW */ + + return 0; } -uint32 _gnutls_uint24touint32( uint24 num) { -uint32 ret=0; +uint32 _gnutls_uint24touint32(uint24 num) +{ + uint32 ret = 0; - ((uint8*)&ret)[1] = num.pint[0]; - ((uint8*)&ret)[2] = num.pint[1]; - ((uint8*)&ret)[3] = num.pint[2]; - return ret; + ((uint8 *) & ret)[1] = num.pint[0]; + ((uint8 *) & ret)[2] = num.pint[1]; + ((uint8 *) & ret)[3] = num.pint[2]; + return ret; } -uint24 _gnutls_uint32touint24( uint32 num) { -uint24 ret; +uint24 _gnutls_uint32touint24(uint32 num) +{ + uint24 ret; - ret.pint[0] = ((uint8*)&num)[1]; - ret.pint[1] = ((uint8*)&num)[2]; - ret.pint[2] = ((uint8*)&num)[3]; - return ret; + ret.pint[0] = ((uint8 *) & num)[1]; + ret.pint[1] = ((uint8 *) & num)[2]; + ret.pint[2] = ((uint8 *) & num)[3]; + return ret; } /* data should be at least 3 bytes */ -uint32 _gnutls_read_uint24( const opaque* data) { -uint32 res; -uint24 num; - - num.pint[0] = data[0]; - num.pint[1] = data[1]; - num.pint[2] = data[2]; - - res = _gnutls_uint24touint32( num); +uint32 _gnutls_read_uint24(const opaque * data) +{ + uint32 res; + uint24 num; + + num.pint[0] = data[0]; + num.pint[1] = data[1]; + num.pint[2] = data[2]; + + res = _gnutls_uint24touint32(num); #ifndef WORDS_BIGENDIAN - res = byteswap32( res); + res = byteswap32(res); #endif -return res; + return res; } -void _gnutls_write_uint24( uint32 num, opaque* data) { -uint24 tmp; - +void _gnutls_write_uint24(uint32 num, opaque * data) +{ + uint24 tmp; + #ifndef WORDS_BIGENDIAN - num = byteswap32( num); + num = byteswap32(num); #endif - tmp = _gnutls_uint32touint24( num); + tmp = _gnutls_uint32touint24(num); - data[0] = tmp.pint[0]; - data[1] = tmp.pint[1]; - data[2] = tmp.pint[2]; + data[0] = tmp.pint[0]; + data[1] = tmp.pint[1]; + data[2] = tmp.pint[2]; } -uint32 _gnutls_read_uint32( const opaque* data) { -uint32 res; +uint32 _gnutls_read_uint32(const opaque * data) +{ + uint32 res; - memcpy( &res, data, sizeof(uint32)); + memcpy(&res, data, sizeof(uint32)); #ifndef WORDS_BIGENDIAN - res = byteswap32( res); + res = byteswap32(res); #endif -return res; + return res; } -void _gnutls_write_uint32( uint32 num, opaque* data) { +void _gnutls_write_uint32(uint32 num, opaque * data) +{ #ifndef WORDS_BIGENDIAN - num = byteswap32( num); + num = byteswap32(num); #endif - memcpy( data, &num, sizeof(uint32)); + memcpy(data, &num, sizeof(uint32)); } -uint16 _gnutls_read_uint16( const opaque* data) { -uint16 res; - memcpy( &res, data, sizeof(uint16)); +uint16 _gnutls_read_uint16(const opaque * data) +{ + uint16 res; + memcpy(&res, data, sizeof(uint16)); #ifndef WORDS_BIGENDIAN - res = byteswap16( res); + res = byteswap16(res); #endif -return res; + return res; } -void _gnutls_write_uint16( uint16 num, opaque* data) { +void _gnutls_write_uint16(uint16 num, opaque * data) +{ #ifndef WORDS_BIGENDIAN - num = byteswap16( num); + num = byteswap16(num); #endif - memcpy( data, &num, sizeof(uint16)); + memcpy(data, &num, sizeof(uint16)); } -uint32 _gnutls_conv_uint32( uint32 data) { +uint32 _gnutls_conv_uint32(uint32 data) +{ #ifndef WORDS_BIGENDIAN - return byteswap32( data); + return byteswap32(data); #else - return data; + return data; #endif } -uint16 _gnutls_conv_uint16( uint16 data) { +uint16 _gnutls_conv_uint16(uint16 data) +{ #ifndef WORDS_BIGENDIAN - return byteswap16( data); + return byteswap16(data); #else - return data; + return data; #endif } -uint32 _gnutls_uint64touint32( const uint64* num) { -uint32 ret; +uint32 _gnutls_uint64touint32(const uint64 * num) +{ + uint32 ret; - memcpy( &ret, &num->i[4], 4); + memcpy(&ret, &num->i[4], 4); #ifndef WORDS_BIGENDIAN - ret = byteswap32(ret); + ret = byteswap32(ret); #endif - return ret; + return ret; } - diff --git a/lib/gnutls_num.h b/lib/gnutls_num.h index 91a54a4073..2c49ddb50f 100644 --- a/lib/gnutls_num.h +++ b/lib/gnutls_num.h @@ -31,18 +31,18 @@ #define byteswap16(x) ((rotl16(x, 8) & 0x00ff) | (rotr16(x, 8) & 0xff00)) #define byteswap32(x) ((rotl32(x, 8) & 0x00ff00ffUL) | (rotr32(x, 8) & 0xff00ff00UL)) -uint32 _gnutls_uint24touint32( uint24 num); -uint24 _gnutls_uint32touint24( uint32 num); -uint32 _gnutls_read_uint32( const opaque* data); -uint16 _gnutls_read_uint16( const opaque* data); -uint32 _gnutls_conv_uint32( uint32 data); -uint16 _gnutls_conv_uint16( uint16 data); -uint32 _gnutls_read_uint24( const opaque* data); -void _gnutls_write_uint24( uint32 num, opaque* data); -void _gnutls_write_uint32( uint32 num, opaque* data); -void _gnutls_write_uint16( uint16 num, opaque* data); -uint32 _gnutls_uint64touint32( const uint64*); +uint32 _gnutls_uint24touint32(uint24 num); +uint24 _gnutls_uint32touint24(uint32 num); +uint32 _gnutls_read_uint32(const opaque * data); +uint16 _gnutls_read_uint16(const opaque * data); +uint32 _gnutls_conv_uint32(uint32 data); +uint16 _gnutls_conv_uint16(uint16 data); +uint32 _gnutls_read_uint24(const opaque * data); +void _gnutls_write_uint24(uint32 num, opaque * data); +void _gnutls_write_uint32(uint32 num, opaque * data); +void _gnutls_write_uint16(uint16 num, opaque * data); +uint32 _gnutls_uint64touint32(const uint64 *); -int _gnutls_uint64pp( uint64 *); +int _gnutls_uint64pp(uint64 *); # define _gnutls_uint64zero(x) x.i[0] = x.i[1] = x.i[2] = x.i[3] = x.i[4] = x.i[5] = x.i[6] = x.i[7] = 0 # define UINT64DATA(x) x.i diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c index fa49381d96..fce507b6de 100644 --- a/lib/gnutls_pk.c +++ b/lib/gnutls_pk.c @@ -36,162 +36,173 @@ #include <x509/mpi.h> #include <x509/common.h> -static int _gnutls_pk_encrypt(int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey, int pkey_len); -static int _gnutls_pk_sign(int algo, mpi_t* data, mpi_t hash, mpi_t * pkey, int); -static int _gnutls_pk_verify(int algo, mpi_t hash, mpi_t* data, mpi_t *pkey, int); -static int _gnutls_pk_decrypt(int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey, int); +static int _gnutls_pk_encrypt(int algo, mpi_t * resarr, mpi_t data, + mpi_t * pkey, int pkey_len); +static int _gnutls_pk_sign(int algo, mpi_t * data, mpi_t hash, + mpi_t * pkey, int); +static int _gnutls_pk_verify(int algo, mpi_t hash, mpi_t * data, + mpi_t * pkey, int); +static int _gnutls_pk_decrypt(int algo, mpi_t * resarr, mpi_t data, + mpi_t * pkey, int); /* Do PKCS-1 RSA encryption. * params is modulus, public exp. */ int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, - const gnutls_datum *plaintext, mpi_t* params, - uint params_len, - uint btype) + const gnutls_datum * plaintext, + mpi_t * params, uint params_len, uint btype) { - unsigned int i, pad; - int ret; - mpi_t m, res; - opaque *edata, *ps; - size_t k, psize; - size_t mod_bits; - - mod_bits = _gnutls_mpi_get_nbits(params[0]); - k = mod_bits / 8; - if ( mod_bits % 8 != 0) k++; - - if (plaintext->size > k - 11) { - gnutls_assert(); - return GNUTLS_E_PK_ENCRYPTION_FAILED; - } - - edata = gnutls_alloca(k); - if (edata == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - /* EB = 00||BT||PS||00||D - * (use block type 'btype') - */ - - edata[0] = 0; - edata[1] = btype; - psize = k - 3 - plaintext->size; - - ps = &edata[2]; - switch (btype) { - case 2: - /* using public key */ - if (params_len < RSA_PUBLIC_PARAMS) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_INTERNAL_ERROR; - } - - if ( (ret=_gnutls_get_random(ps, psize, GNUTLS_STRONG_RANDOM)) < 0) { - gnutls_assert(); - gnutls_afree(edata); - return ret; - } - for (i = 0; i < psize; i++) { - opaque rnd[3]; - - /* Read three random bytes that will be - * used to replace the zeros. - */ - if ( (ret=_gnutls_get_random( rnd, 3, GNUTLS_STRONG_RANDOM)) < 0) { - gnutls_assert(); - gnutls_afree(edata); - return ret; - } - /* use non zero values for - * the first two. - */ - if (rnd[0]==0) rnd[0] = 0xaf; - if (rnd[1]==0) rnd[1] = 0xae; - - if (ps[i] == 0) { - /* If the first one is zero then set it to rnd[0]. - * If the second one is zero then set it to rnd[1]. - * Otherwise add (mod 256) the two previous ones plus rnd[3], or use - * rnd[1] if the value == 0. - */ - if (i<2) ps[i] = rnd[i]; - else ps[i] = GMAX( rnd[3] + ps[i-1] + ps[i-2], rnd[1]); - } - } - break; - case 1: - /* using private key */ - - if (params_len < RSA_PRIVATE_PARAMS) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_INTERNAL_ERROR; - } - - for (i = 0; i < psize; i++) - ps[i] = 0xff; - break; - default: - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_INTERNAL_ERROR; - } - - ps[psize] = 0; - memcpy(&ps[psize + 1], plaintext->data, plaintext->size); - - if (_gnutls_mpi_scan(&m, edata, &k) != 0) { + unsigned int i, pad; + int ret; + mpi_t m, res; + opaque *edata, *ps; + size_t k, psize; + size_t mod_bits; + + mod_bits = _gnutls_mpi_get_nbits(params[0]); + k = mod_bits / 8; + if (mod_bits % 8 != 0) + k++; + + if (plaintext->size > k - 11) { + gnutls_assert(); + return GNUTLS_E_PK_ENCRYPTION_FAILED; + } + + edata = gnutls_alloca(k); + if (edata == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + /* EB = 00||BT||PS||00||D + * (use block type 'btype') + */ + + edata[0] = 0; + edata[1] = btype; + psize = k - 3 - plaintext->size; + + ps = &edata[2]; + switch (btype) { + case 2: + /* using public key */ + if (params_len < RSA_PUBLIC_PARAMS) { + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_INTERNAL_ERROR; + } + + if ((ret = + _gnutls_get_random(ps, psize, GNUTLS_STRONG_RANDOM)) < 0) { + gnutls_assert(); + gnutls_afree(edata); + return ret; + } + for (i = 0; i < psize; i++) { + opaque rnd[3]; + + /* Read three random bytes that will be + * used to replace the zeros. + */ + if ((ret = + _gnutls_get_random(rnd, 3, GNUTLS_STRONG_RANDOM)) < 0) { gnutls_assert(); gnutls_afree(edata); - return GNUTLS_E_MPI_SCAN_FAILED; - } - gnutls_afree(edata); - - if (btype==2) /* encrypt */ - ret = _gnutls_pk_encrypt(GCRY_PK_RSA, &res, m, params, params_len); - else /* sign */ - ret = _gnutls_pk_sign(GCRY_PK_RSA, &res, m, params, params_len); - - _gnutls_mpi_release(&m); - - if (ret < 0) { - gnutls_assert(); return ret; - } + } + /* use non zero values for + * the first two. + */ + if (rnd[0] == 0) + rnd[0] = 0xaf; + if (rnd[1] == 0) + rnd[1] = 0xae; + + if (ps[i] == 0) { + /* If the first one is zero then set it to rnd[0]. + * If the second one is zero then set it to rnd[1]. + * Otherwise add (mod 256) the two previous ones plus rnd[3], or use + * rnd[1] if the value == 0. + */ + if (i < 2) + ps[i] = rnd[i]; + else + ps[i] = GMAX(rnd[3] + ps[i - 1] + ps[i - 2], rnd[1]); + } + } + break; + case 1: + /* using private key */ + + if (params_len < RSA_PRIVATE_PARAMS) { + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_INTERNAL_ERROR; + } + + for (i = 0; i < psize; i++) + ps[i] = 0xff; + break; + default: + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_INTERNAL_ERROR; + } - _gnutls_mpi_print(NULL, &psize, res); + ps[psize] = 0; + memcpy(&ps[psize + 1], plaintext->data, plaintext->size); - if (psize < k) { - /* padding psize */ - pad = k - psize; - psize = k; - } else if (psize==k) { - pad = 0; - } else { /* psize > k !!! */ - /* This is an impossible situation */ - gnutls_assert(); - _gnutls_mpi_release(&res); - return GNUTLS_E_INTERNAL_ERROR; - } + if (_gnutls_mpi_scan(&m, edata, &k) != 0) { + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_MPI_SCAN_FAILED; + } + gnutls_afree(edata); + + if (btype == 2) /* encrypt */ + ret = _gnutls_pk_encrypt(GCRY_PK_RSA, &res, m, params, params_len); + else /* sign */ + ret = _gnutls_pk_sign(GCRY_PK_RSA, &res, m, params, params_len); + + _gnutls_mpi_release(&m); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + _gnutls_mpi_print(NULL, &psize, res); + + if (psize < k) { + /* padding psize */ + pad = k - psize; + psize = k; + } else if (psize == k) { + pad = 0; + } else { /* psize > k !!! */ + /* This is an impossible situation */ + gnutls_assert(); + _gnutls_mpi_release(&res); + return GNUTLS_E_INTERNAL_ERROR; + } - ciphertext->data = gnutls_malloc(psize); - if (ciphertext->data == NULL) { - gnutls_assert(); - _gnutls_mpi_release(&res); - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_mpi_print( &ciphertext->data[pad], &psize, res); - for (i=0;i<pad;i++) ciphertext->data[i] = 0; + ciphertext->data = gnutls_malloc(psize); + if (ciphertext->data == NULL) { + gnutls_assert(); + _gnutls_mpi_release(&res); + return GNUTLS_E_MEMORY_ERROR; + } + _gnutls_mpi_print(&ciphertext->data[pad], &psize, res); + for (i = 0; i < pad; i++) + ciphertext->data[i] = 0; - ciphertext->size = k; + ciphertext->size = k; - _gnutls_mpi_release(&res); + _gnutls_mpi_release(&res); - return 0; + return 0; } @@ -200,309 +211,322 @@ int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, * Can decrypt block type 1 and type 2 packets. */ int _gnutls_pkcs1_rsa_decrypt(gnutls_datum * plaintext, - const gnutls_datum *ciphertext, mpi_t* params, uint params_len, - uint btype) + const gnutls_datum * ciphertext, + mpi_t * params, uint params_len, uint btype) { - uint k, i; - int ret; - mpi_t c, res; - opaque *edata; - size_t esize, mod_bits; - - mod_bits = _gnutls_mpi_get_nbits(params[0]); - k = mod_bits / 8; - if ( mod_bits % 8 != 0) k++; - - esize = ciphertext->size; - - if (esize != k) { - gnutls_assert(); - return GNUTLS_E_PK_DECRYPTION_FAILED; - } - - if (_gnutls_mpi_scan(&c, ciphertext->data, &esize) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - /* we can use btype to see if the private key is - * available. - */ - if (btype==2) - ret = _gnutls_pk_decrypt(GCRY_PK_RSA, &res, c, params, params_len); - else { - ret = _gnutls_pk_encrypt(GCRY_PK_RSA, &res, c, params, params_len); - } - _gnutls_mpi_release(&c); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - - _gnutls_mpi_print(NULL, &esize, res); - edata = gnutls_alloca(esize + 1); - if (edata == NULL) { - gnutls_assert(); - _gnutls_mpi_release(&res); - return GNUTLS_E_MEMORY_ERROR; - } - _gnutls_mpi_print(&edata[1], &esize, res); - + uint k, i; + int ret; + mpi_t c, res; + opaque *edata; + size_t esize, mod_bits; + + mod_bits = _gnutls_mpi_get_nbits(params[0]); + k = mod_bits / 8; + if (mod_bits % 8 != 0) + k++; + + esize = ciphertext->size; + + if (esize != k) { + gnutls_assert(); + return GNUTLS_E_PK_DECRYPTION_FAILED; + } + + if (_gnutls_mpi_scan(&c, ciphertext->data, &esize) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + /* we can use btype to see if the private key is + * available. + */ + if (btype == 2) + ret = _gnutls_pk_decrypt(GCRY_PK_RSA, &res, c, params, params_len); + else { + ret = _gnutls_pk_encrypt(GCRY_PK_RSA, &res, c, params, params_len); + } + _gnutls_mpi_release(&c); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + _gnutls_mpi_print(NULL, &esize, res); + edata = gnutls_alloca(esize + 1); + if (edata == NULL) { + gnutls_assert(); _gnutls_mpi_release(&res); + return GNUTLS_E_MEMORY_ERROR; + } + _gnutls_mpi_print(&edata[1], &esize, res); - /* EB = 00||BT||PS||00||D - * (use block type 'btype') - */ + _gnutls_mpi_release(&res); + /* EB = 00||BT||PS||00||D + * (use block type 'btype') + */ - edata[0] = 0; - esize++; - if (edata[0] != 0 || edata[1] != btype) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_DECRYPTION_FAILED; - } + edata[0] = 0; + esize++; - ret = GNUTLS_E_DECRYPTION_FAILED; - switch (btype) { - case 2: - for (i = 2; i < esize; i++) { - if (edata[i] == 0) { - ret = 0; - break; - } - } - break; - case 1: - for (i = 2; i < esize; i++) { - if (edata[i] == 0 && i > 2) { - ret = 0; - break; - } - if (edata[i] != 0xff) { - _gnutls_handshake_log("PKCS #1 padding error"); - ret = GNUTLS_E_PKCS1_WRONG_PAD; - break; - } - } + if (edata[0] != 0 || edata[1] != btype) { + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_DECRYPTION_FAILED; + } + + ret = GNUTLS_E_DECRYPTION_FAILED; + switch (btype) { + case 2: + for (i = 2; i < esize; i++) { + if (edata[i] == 0) { + ret = 0; break; - default: - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_INTERNAL_ERROR; + } } - i++; - - if (ret < 0) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_DECRYPTION_FAILED; + break; + case 1: + for (i = 2; i < esize; i++) { + if (edata[i] == 0 && i > 2) { + ret = 0; + break; + } + if (edata[i] != 0xff) { + _gnutls_handshake_log("PKCS #1 padding error"); + ret = GNUTLS_E_PKCS1_WRONG_PAD; + break; + } } + break; + default: + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_INTERNAL_ERROR; + } + i++; - if (_gnutls_sset_datum(plaintext, &edata[i], esize - i) < 0) { - gnutls_assert(); - gnutls_afree(edata); - return GNUTLS_E_MEMORY_ERROR; - } + if (ret < 0) { + gnutls_assert(); + gnutls_afree(edata); + return GNUTLS_E_DECRYPTION_FAILED; + } + if (_gnutls_sset_datum(plaintext, &edata[i], esize - i) < 0) { + gnutls_assert(); gnutls_afree(edata); + return GNUTLS_E_MEMORY_ERROR; + } + + gnutls_afree(edata); - return 0; + return 0; } -int _gnutls_rsa_verify( const gnutls_datum* vdata, const gnutls_datum *ciphertext, - mpi_t *params, int params_len, int btype) { +int _gnutls_rsa_verify(const gnutls_datum * vdata, + const gnutls_datum * ciphertext, mpi_t * params, + int params_len, int btype) +{ - gnutls_datum plain; - int ret; + gnutls_datum plain; + int ret; - /* decrypt signature */ - if ( (ret=_gnutls_pkcs1_rsa_decrypt( &plain, ciphertext, params, params_len, btype)) < 0) { - gnutls_assert(); - return ret; - } + /* decrypt signature */ + if ((ret = + _gnutls_pkcs1_rsa_decrypt(&plain, ciphertext, params, params_len, + btype)) < 0) { + gnutls_assert(); + return ret; + } - if (plain.size != vdata->size) { - gnutls_assert(); - _gnutls_free_datum( &plain); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; - } + if (plain.size != vdata->size) { + gnutls_assert(); + _gnutls_free_datum(&plain); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; + } - if ( memcmp(plain.data, vdata->data, plain.size)!=0) { - gnutls_assert(); - _gnutls_free_datum( &plain); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; - } + if (memcmp(plain.data, vdata->data, plain.size) != 0) { + gnutls_assert(); + _gnutls_free_datum(&plain); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; + } - _gnutls_free_datum( &plain); + _gnutls_free_datum(&plain); - return 0; /* ok */ + return 0; /* ok */ } /* encodes the Dss-Sig-Value structure */ -static int encode_ber_rs( gnutls_datum* sig_value, mpi_t r, mpi_t s) { -ASN1_TYPE sig; -int result, tot_len; - - if ((result=asn1_create_element( _gnutls_get_gnutls_asn(), "GNUTLS.DSASignatureValue", - &sig))!=ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } +static int encode_ber_rs(gnutls_datum * sig_value, mpi_t r, mpi_t s) +{ + ASN1_TYPE sig; + int result, tot_len; + + if ((result = + asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.DSASignatureValue", + &sig)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_write_int(sig, "r", r, 1); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&sig); + return result; + } - result = _gnutls_x509_write_int( sig, "r", r, 1); - if ( result < 0) { - gnutls_assert(); - asn1_delete_structure(&sig); - return result; - } + result = _gnutls_x509_write_int(sig, "s", s, 1); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&sig); + return result; + } - result = _gnutls_x509_write_int( sig, "s", s, 1); - if (result < 0) { - gnutls_assert(); - asn1_delete_structure(&sig); - return result; - } + tot_len = 0; - tot_len = 0; - - result = _gnutls_x509_der_encode( sig, "", sig_value, 0); + result = _gnutls_x509_der_encode(sig, "", sig_value, 0); - asn1_delete_structure(&sig); + asn1_delete_structure(&sig); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /* Do DSA signature calculation. params is p, q, g, y, x in that order. */ -int _gnutls_dsa_sign(gnutls_datum * signature, const gnutls_datum *hash, +int _gnutls_dsa_sign(gnutls_datum * signature, const gnutls_datum * hash, mpi_t * params, uint params_len) { - mpi_t rs[2], mdata; - int ret; - size_t k; - - k = hash->size; - if (k!=20) { /* SHA only */ - gnutls_assert(); - return GNUTLS_E_PK_SIGN_FAILED; - } - - if (_gnutls_mpi_scan(&mdata, hash->data, &k) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - ret = _gnutls_pk_sign(GCRY_PK_DSA, rs, mdata, params, params_len); - /* rs[0], rs[1] now hold r,s */ - _gnutls_mpi_release(&mdata); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = encode_ber_rs( signature, rs[0], rs[1]); - - /* free r,s */ - _gnutls_mpi_release(&rs[0]); - _gnutls_mpi_release(&rs[1]); - - if (ret!=0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - return 0; + mpi_t rs[2], mdata; + int ret; + size_t k; + + k = hash->size; + if (k != 20) { /* SHA only */ + gnutls_assert(); + return GNUTLS_E_PK_SIGN_FAILED; + } + + if (_gnutls_mpi_scan(&mdata, hash->data, &k) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + ret = _gnutls_pk_sign(GCRY_PK_DSA, rs, mdata, params, params_len); + /* rs[0], rs[1] now hold r,s */ + _gnutls_mpi_release(&mdata); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = encode_ber_rs(signature, rs[0], rs[1]); + + /* free r,s */ + _gnutls_mpi_release(&rs[0]); + _gnutls_mpi_release(&rs[1]); + + if (ret != 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + return 0; } /* decodes the Dss-Sig-Value structure */ -static int decode_ber_rs( const gnutls_datum* sig_value, mpi_t* r, mpi_t* s) { -ASN1_TYPE sig; -int result; +static int decode_ber_rs(const gnutls_datum * sig_value, mpi_t * r, + mpi_t * s) +{ + ASN1_TYPE sig; + int result; + + if ((result = + asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.DSASignatureValue", + &sig)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding(&sig, sig_value->data, sig_value->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&sig); + return _gnutls_asn2err(result); + } - if ((result=asn1_create_element( _gnutls_get_gnutls_asn(), "GNUTLS.DSASignatureValue", &sig))!=ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = _gnutls_x509_read_int(sig, "r", r); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&sig); + return result; + } - result = asn1_der_decoding( &sig, sig_value->data, sig_value->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&sig); - return _gnutls_asn2err(result); - } - - result = - _gnutls_x509_read_int( sig, "r", r); - if (result < 0) { - gnutls_assert(); - asn1_delete_structure(&sig); - return result; - } + result = _gnutls_x509_read_int(sig, "s", s); + if (result < 0) { + gnutls_assert(); + _gnutls_mpi_release(s); + asn1_delete_structure(&sig); + return result; + } - result = - _gnutls_x509_read_int( sig, "s", s); - if (result < 0) { - gnutls_assert(); - _gnutls_mpi_release( s); - asn1_delete_structure(&sig); - return result; - } + asn1_delete_structure(&sig); - asn1_delete_structure(&sig); - - return 0; + return 0; } /* params is p, q, g, y in that order */ -int _gnutls_dsa_verify( const gnutls_datum* vdata, const gnutls_datum *sig_value, - mpi_t * params, int params_len) { - - mpi_t mdata; - int ret; - size_t k; - mpi_t rs[2]; - - if (vdata->size != 20) { /* sha-1 only */ - gnutls_assert(); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; - } - - if (decode_ber_rs( sig_value, &rs[0], &rs[1])!=0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - k = vdata->size; - if (_gnutls_mpi_scan(&mdata, vdata->data, &k) != 0) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - /* decrypt signature */ - ret=_gnutls_pk_verify( GCRY_PK_DSA, mdata, rs, params, - params_len); - _gnutls_mpi_release(&mdata); - - if (ret < 0) { - gnutls_assert(); - return ret; - } +int _gnutls_dsa_verify(const gnutls_datum * vdata, + const gnutls_datum * sig_value, mpi_t * params, + int params_len) +{ - return 0; /* ok */ + mpi_t mdata; + int ret; + size_t k; + mpi_t rs[2]; + + if (vdata->size != 20) { /* sha-1 only */ + gnutls_assert(); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; + } + + if (decode_ber_rs(sig_value, &rs[0], &rs[1]) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + k = vdata->size; + if (_gnutls_mpi_scan(&mdata, vdata->data, &k) != 0) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; + } + + /* decrypt signature */ + ret = _gnutls_pk_verify(GCRY_PK_DSA, mdata, rs, params, params_len); + _gnutls_mpi_release(&mdata); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; /* ok */ } @@ -513,295 +537,298 @@ int _gnutls_dsa_verify( const gnutls_datum* vdata, const gnutls_datum *sig_value * Emulate our old PK interface here - sometime in the future we might * change the internal design to directly fit to libgcrypt. */ -static int _gnutls_pk_encrypt(int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey, int pkey_len) +static int _gnutls_pk_encrypt(int algo, mpi_t * resarr, mpi_t data, + mpi_t * pkey, int pkey_len) { - gcry_sexp_t s_ciph, s_data, s_pkey; - int rc=-1; - - /* make a sexp from pkey */ - switch (algo) { - case GCRY_PK_RSA: - if (pkey_len >= 2) - rc = gcry_sexp_build(&s_pkey, NULL, - "(public-key(rsa(n%m)(e%m)))", - pkey[0], pkey[1]); - break; + gcry_sexp_t s_ciph, s_data, s_pkey; + int rc = -1; + + /* make a sexp from pkey */ + switch (algo) { + case GCRY_PK_RSA: + if (pkey_len >= 2) + rc = gcry_sexp_build(&s_pkey, NULL, + "(public-key(rsa(n%m)(e%m)))", + pkey[0], pkey[1]); + break; + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* put the data into a simple list */ + if (gcry_sexp_build(&s_data, NULL, "%m", data)) { + gnutls_assert(); + gcry_sexp_release(s_pkey); + return GNUTLS_E_INTERNAL_ERROR; + } - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + /* pass it to libgcrypt */ + rc = gcry_pk_encrypt(&s_ciph, s_data, s_pkey); + gcry_sexp_release(s_data); + gcry_sexp_release(s_pkey); - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_PK_ENCRYPTION_FAILED; - /* put the data into a simple list */ - if (gcry_sexp_build(&s_data, NULL, "%m", data)) { - gnutls_assert(); - gcry_sexp_release(s_pkey); - return GNUTLS_E_INTERNAL_ERROR; + } else { /* add better error handling or make gnupg use S-Exp directly */ + gcry_sexp_t list = gcry_sexp_find_token(s_ciph, "a", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(s_ciph); + return GNUTLS_E_INTERNAL_ERROR; } - /* pass it to libgcrypt */ - rc = gcry_pk_encrypt(&s_ciph, s_data, s_pkey); - gcry_sexp_release(s_data); - gcry_sexp_release(s_pkey); + resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_PK_ENCRYPTION_FAILED; - - } else { /* add better error handling or make gnupg use S-Exp directly */ - gcry_sexp_t list = gcry_sexp_find_token(s_ciph, "a", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(s_ciph); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - if (resarr[0] == NULL) { - gnutls_assert(); - gcry_sexp_release(s_ciph); - return GNUTLS_E_INTERNAL_ERROR; - } + if (resarr[0] == NULL) { + gnutls_assert(); + gcry_sexp_release(s_ciph); + return GNUTLS_E_INTERNAL_ERROR; } + } - gcry_sexp_release(s_ciph); - return rc; + gcry_sexp_release(s_ciph); + return rc; } -static -int _gnutls_pk_decrypt(int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey, int pkey_len) +static +int _gnutls_pk_decrypt(int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey, + int pkey_len) { - gcry_sexp_t s_plain, s_data, s_pkey; - int rc=-1; - - /* make a sexp from pkey */ - switch (algo) { - case GCRY_PK_RSA: - if (pkey_len >=6) - rc = gcry_sexp_build(&s_pkey, NULL, - "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))", - pkey[0], pkey[1], pkey[2], pkey[3], pkey[4], pkey[5]); - - break; - - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* put the data into a simple list */ - if (gcry_sexp_build(&s_data, NULL, "(enc-val(rsa(a%m)))", data)) { - gnutls_assert(); - gcry_sexp_release(s_pkey); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* pass it to libgcrypt */ - rc = gcry_pk_decrypt(&s_plain, s_data, s_pkey); - gcry_sexp_release(s_data); + gcry_sexp_t s_plain, s_data, s_pkey; + int rc = -1; + + /* make a sexp from pkey */ + switch (algo) { + case GCRY_PK_RSA: + if (pkey_len >= 6) + rc = gcry_sexp_build(&s_pkey, NULL, + "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))", + pkey[0], pkey[1], pkey[2], pkey[3], + pkey[4], pkey[5]); + + break; + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* put the data into a simple list */ + if (gcry_sexp_build(&s_data, NULL, "(enc-val(rsa(a%m)))", data)) { + gnutls_assert(); gcry_sexp_release(s_pkey); + return GNUTLS_E_INTERNAL_ERROR; + } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_PK_DECRYPTION_FAILED; + /* pass it to libgcrypt */ + rc = gcry_pk_decrypt(&s_plain, s_data, s_pkey); + gcry_sexp_release(s_data); + gcry_sexp_release(s_pkey); - } else { /* add better error handling or make gnupg use S-Exp directly */ - resarr[0] = gcry_sexp_nth_mpi(s_plain, 0, 0); + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_PK_DECRYPTION_FAILED; - if (resarr[0] == NULL) { - gnutls_assert(); - gcry_sexp_release(s_plain); - return GNUTLS_E_INTERNAL_ERROR; - } + } else { /* add better error handling or make gnupg use S-Exp directly */ + resarr[0] = gcry_sexp_nth_mpi(s_plain, 0, 0); + + if (resarr[0] == NULL) { + gnutls_assert(); + gcry_sexp_release(s_plain); + return GNUTLS_E_INTERNAL_ERROR; } + } - gcry_sexp_release(s_plain); - return rc; + gcry_sexp_release(s_plain); + return rc; } /* in case of DSA puts into data, r,s */ -static -int _gnutls_pk_sign(int algo, mpi_t* data, mpi_t hash, mpi_t * pkey, int pkey_len) +static +int _gnutls_pk_sign(int algo, mpi_t * data, mpi_t hash, mpi_t * pkey, + int pkey_len) { - gcry_sexp_t s_hash, s_key, s_sig; - int rc=-1; - - /* make a sexp from pkey */ - switch (algo) { - case GCRY_PK_DSA: - if (pkey_len >= 5) - rc = gcry_sexp_build(&s_key, NULL, - "(private-key(dsa(p%m)(q%m)(g%m)(y%m)(x%m)))", - pkey[0], pkey[1], pkey[2], - pkey[3], pkey[4]); - else { - gnutls_assert(); - } - - break; - case GCRY_PK_RSA: - if (pkey_len >=6) - rc = gcry_sexp_build(&s_key, NULL, - "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))", - pkey[0], pkey[1], pkey[2], pkey[3], pkey[4], pkey[5]); - else { - gnutls_assert(); - } - break; - - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + gcry_sexp_t s_hash, s_key, s_sig; + int rc = -1; + + /* make a sexp from pkey */ + switch (algo) { + case GCRY_PK_DSA: + if (pkey_len >= 5) + rc = gcry_sexp_build(&s_key, NULL, + "(private-key(dsa(p%m)(q%m)(g%m)(y%m)(x%m)))", + pkey[0], pkey[1], pkey[2], + pkey[3], pkey[4]); + else { + gnutls_assert(); } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + break; + case GCRY_PK_RSA: + if (pkey_len >= 6) + rc = gcry_sexp_build(&s_key, NULL, + "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))", + pkey[0], pkey[1], pkey[2], pkey[3], + pkey[4], pkey[5]); + else { + gnutls_assert(); } + break; - /* put the data into a simple list */ - if (gcry_sexp_build(&s_hash, NULL, "%m", hash)) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - /* pass it to libgcrypt */ - rc = gcry_pk_sign(&s_sig, s_hash, s_key); - gcry_sexp_release(s_hash); - gcry_sexp_release(s_key); + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_PK_SIGN_FAILED; - - } else { - gcry_sexp_t list; - - if (algo==GCRY_PK_DSA) { - list = gcry_sexp_find_token( s_sig, "r" , 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(s_sig); - return GNUTLS_E_INTERNAL_ERROR; - } - - data[0] = gcry_sexp_nth_mpi( list, 1, 0 ); - gcry_sexp_release (list); - - list = gcry_sexp_find_token( s_sig, "s" , 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(s_sig); - return GNUTLS_E_INTERNAL_ERROR; - } - - data[1] = gcry_sexp_nth_mpi( list, 1, 0 ); - gcry_sexp_release (list); - } else { /* GCRY_PK_RSA */ - list = gcry_sexp_find_token( s_sig, "s" , 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release(s_sig); - return GNUTLS_E_INTERNAL_ERROR; - } - - data[0] = gcry_sexp_nth_mpi( list, 1, 0 ); - gcry_sexp_release (list); - } - } + /* put the data into a simple list */ + if (gcry_sexp_build(&s_hash, NULL, "%m", hash)) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - gcry_sexp_release(s_sig); - return 0; -} + /* pass it to libgcrypt */ + rc = gcry_pk_sign(&s_sig, s_hash, s_key); + gcry_sexp_release(s_hash); + gcry_sexp_release(s_key); + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_PK_SIGN_FAILED; -static int _gnutls_pk_verify(int algo, mpi_t hash, mpi_t* data, mpi_t *pkey, int pkey_len) -{ - gcry_sexp_t s_sig, s_hash, s_pkey; - int rc=-1; - - /* make a sexp from pkey */ - switch (algo) { - case GCRY_PK_DSA: - if (pkey_len >= 4) - rc = gcry_sexp_build(&s_pkey, NULL, - "(public-key(dsa(p%m)(q%m)(g%m)(y%m)))", - pkey[0], pkey[1], pkey[2], pkey[3]); - break; - case GCRY_PK_RSA: - if (pkey_len >= 2) - rc = gcry_sexp_build(&s_pkey, NULL, - "(public-key(rsa(n%m)(e%m)))", - pkey[0], pkey[1]); - break; + } else { + gcry_sexp_t list; - default: + if (algo == GCRY_PK_DSA) { + list = gcry_sexp_find_token(s_sig, "r", 0); + if (list == NULL) { gnutls_assert(); + gcry_sexp_release(s_sig); return GNUTLS_E_INTERNAL_ERROR; - } + } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + data[0] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); - /* put the data into a simple list */ - if (gcry_sexp_build(&s_hash, NULL, "%m", hash)) { + list = gcry_sexp_find_token(s_sig, "s", 0); + if (list == NULL) { gnutls_assert(); - gcry_sexp_release(s_pkey); + gcry_sexp_release(s_sig); return GNUTLS_E_INTERNAL_ERROR; - } + } - switch (algo) { - case GCRY_PK_DSA: - rc = gcry_sexp_build(&s_sig, NULL, - "(sig-val(dsa(r%m)(s%m)))", - data[0], data[1]); - break; - case GCRY_PK_RSA: - rc = gcry_sexp_build(&s_sig, NULL, - "(sig-val(rsa(s%m)))", - data[0]); - break; - - default: + data[1] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + } else { /* GCRY_PK_RSA */ + list = gcry_sexp_find_token(s_sig, "s", 0); + if (list == NULL) { gnutls_assert(); - gcry_sexp_release(s_pkey); - gcry_sexp_release(s_hash); + gcry_sexp_release(s_sig); return GNUTLS_E_INTERNAL_ERROR; - } + } - if (rc != 0) { - gnutls_assert(); - gcry_sexp_release(s_pkey); - gcry_sexp_release(s_hash); - return GNUTLS_E_INTERNAL_ERROR; + data[0] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); } + } - rc = gcry_pk_verify( s_sig, s_hash, s_pkey); - - gcry_sexp_release(s_sig); + gcry_sexp_release(s_sig); + return 0; +} + + +static int _gnutls_pk_verify(int algo, mpi_t hash, mpi_t * data, + mpi_t * pkey, int pkey_len) +{ + gcry_sexp_t s_sig, s_hash, s_pkey; + int rc = -1; + + /* make a sexp from pkey */ + switch (algo) { + case GCRY_PK_DSA: + if (pkey_len >= 4) + rc = gcry_sexp_build(&s_pkey, NULL, + "(public-key(dsa(p%m)(q%m)(g%m)(y%m)))", + pkey[0], pkey[1], pkey[2], pkey[3]); + break; + case GCRY_PK_RSA: + if (pkey_len >= 2) + rc = gcry_sexp_build(&s_pkey, NULL, + "(public-key(rsa(n%m)(e%m)))", + pkey[0], pkey[1]); + break; + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* put the data into a simple list */ + if (gcry_sexp_build(&s_hash, NULL, "%m", hash)) { + gnutls_assert(); + gcry_sexp_release(s_pkey); + return GNUTLS_E_INTERNAL_ERROR; + } + + switch (algo) { + case GCRY_PK_DSA: + rc = gcry_sexp_build(&s_sig, NULL, + "(sig-val(dsa(r%m)(s%m)))", data[0], data[1]); + break; + case GCRY_PK_RSA: + rc = gcry_sexp_build(&s_sig, NULL, "(sig-val(rsa(s%m)))", data[0]); + break; + + default: + gnutls_assert(); + gcry_sexp_release(s_pkey); gcry_sexp_release(s_hash); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (rc != 0) { + gnutls_assert(); gcry_sexp_release(s_pkey); + gcry_sexp_release(s_hash); + return GNUTLS_E_INTERNAL_ERROR; + } - if (rc != 0) { - gnutls_assert(); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; - } + rc = gcry_pk_verify(s_sig, s_hash, s_pkey); + + gcry_sexp_release(s_sig); + gcry_sexp_release(s_hash); + gcry_sexp_release(s_pkey); + + if (rc != 0) { + gnutls_assert(); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; + } - return 0; + return 0; } diff --git a/lib/gnutls_pk.h b/lib/gnutls_pk.h index 9838d6589b..9378706af0 100644 --- a/lib/gnutls_pk.h +++ b/lib/gnutls_pk.h @@ -1,15 +1,20 @@ #ifndef GNUTLS_PK_H # define GNUTLS_PK_H -int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, const gnutls_datum *plaintext, - mpi_t * params, uint params_len, uint btype); -int _gnutls_dsa_sign(gnutls_datum * signature, const gnutls_datum *plaintext, - mpi_t *params, uint params_len); -int _gnutls_pkcs1_rsa_decrypt(gnutls_datum * plaintext, const gnutls_datum* ciphertext, - mpi_t * params, uint params_len, uint btype); -int _gnutls_rsa_verify( const gnutls_datum* vdata, const gnutls_datum *ciphertext, - mpi_t* params, int params_len, int btype); -int _gnutls_dsa_verify( const gnutls_datum* vdata, const gnutls_datum *sig_value, - mpi_t * params, int params_len); +int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, + const gnutls_datum * plaintext, + mpi_t * params, uint params_len, uint btype); +int _gnutls_dsa_sign(gnutls_datum * signature, + const gnutls_datum * plaintext, mpi_t * params, + uint params_len); +int _gnutls_pkcs1_rsa_decrypt(gnutls_datum * plaintext, + const gnutls_datum * ciphertext, + mpi_t * params, uint params_len, uint btype); +int _gnutls_rsa_verify(const gnutls_datum * vdata, + const gnutls_datum * ciphertext, mpi_t * params, + int params_len, int btype); +int _gnutls_dsa_verify(const gnutls_datum * vdata, + const gnutls_datum * sig_value, mpi_t * params, + int params_len); -#endif /* GNUTLS_PK_H */ +#endif /* GNUTLS_PK_H */ diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index 7a39b827a1..e3fa10e409 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -42,18 +42,19 @@ **/ int gnutls_cipher_set_priority(gnutls_session session, const int *list) { - int num = 0, i; + int num = 0, i; - while (list[num] != 0) num++; - if (num > MAX_ALGOS) num = MAX_ALGOS; - session->internals.cipher_algorithm_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.cipher_algorithm_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.cipher_algorithm_priority.priority[i] = - list[i]; - } + for (i = 0; i < num; i++) { + session->internals.cipher_algorithm_priority.priority[i] = list[i]; + } - return 0; + return 0; } /** @@ -70,18 +71,19 @@ int gnutls_cipher_set_priority(gnutls_session session, const int *list) **/ int gnutls_kx_set_priority(gnutls_session session, const int *list) { - int num = 0, i; + int num = 0, i; - while (list[num] != 0) num++; - if (num > MAX_ALGOS) num = MAX_ALGOS; - session->internals.kx_algorithm_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.kx_algorithm_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.kx_algorithm_priority.priority[i] = - list[i]; - } + for (i = 0; i < num; i++) { + session->internals.kx_algorithm_priority.priority[i] = list[i]; + } - return 0; + return 0; } /** @@ -98,18 +100,19 @@ int gnutls_kx_set_priority(gnutls_session session, const int *list) **/ int gnutls_mac_set_priority(gnutls_session session, const int *list) { - int num = 0, i; + int num = 0, i; - while (list[num] != 0) num++; - if (num > MAX_ALGOS) num = MAX_ALGOS; - session->internals.mac_algorithm_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.mac_algorithm_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.mac_algorithm_priority.priority[i] = - list[i]; - } + for (i = 0; i < num; i++) { + session->internals.mac_algorithm_priority.priority[i] = list[i]; + } - return 0; + return 0; } /** @@ -132,17 +135,19 @@ int gnutls_mac_set_priority(gnutls_session session, const int *list) int gnutls_compression_set_priority(gnutls_session session, const int *list) { - int num = 0, i; - - while (list[num] != 0) num++; - if (num > MAX_ALGOS) num = MAX_ALGOS; - session->internals.compression_method_priority.algorithms = num; - - for (i = 0; i < num; i++) { - session->internals.compression_method_priority. - priority[i] = list[i]; - } - return 0; + int num = 0, i; + + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.compression_method_priority.algorithms = num; + + for (i = 0; i < num; i++) { + session->internals.compression_method_priority. + priority[i] = list[i]; + } + return 0; } /** @@ -157,23 +162,25 @@ int gnutls_compression_set_priority(gnutls_session session, **/ int gnutls_protocol_set_priority(gnutls_session session, const int *list) { - int num = 0, i; + int num = 0, i; - while (list[num] != 0) num++; - if (num > MAX_ALGOS) num = MAX_ALGOS; - session->internals.protocol_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.protocol_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.protocol_priority.priority[i] = list[i]; - } + for (i = 0; i < num; i++) { + session->internals.protocol_priority.priority[i] = list[i]; + } - /* set the current version to the first in the chain. - * This will be overridden later. - */ - if (num > 0) - _gnutls_set_current_version(session, list[0]); + /* set the current version to the first in the chain. + * This will be overridden later. + */ + if (num > 0) + _gnutls_set_current_version(session, list[0]); - return 0; + return 0; } /** @@ -193,22 +200,23 @@ int gnutls_certificate_type_set_priority(gnutls_session session, { #ifdef USE_OPENPGP - int num = 0, i; + int num = 0, i; - while (list[num] != 0) num++; - if (num > MAX_ALGOS) num = MAX_ALGOS; - session->internals.cert_type_priority.algorithms = num; + while (list[num] != 0) + num++; + if (num > MAX_ALGOS) + num = MAX_ALGOS; + session->internals.cert_type_priority.algorithms = num; - for (i = 0; i < num; i++) { - session->internals.cert_type_priority.priority[i] = - list[i]; - } + for (i = 0; i < num; i++) { + session->internals.cert_type_priority.priority[i] = list[i]; + } - return 0; + return 0; #else - return GNUTLS_E_UNIMPLEMENTED_FEATURE; + return GNUTLS_E_UNIMPLEMENTED_FEATURE; #endif } @@ -231,25 +239,24 @@ int gnutls_certificate_type_set_priority(gnutls_session session, **/ int gnutls_set_default_priority(gnutls_session session) { - static const int protocol_priority[] = - { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; - static const int kx_priority[] = - { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, 0 }; - static const int cipher_priority[] = { - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, 0 - }; - static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; - static const int mac_priority[] = - { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; - - gnutls_cipher_set_priority(session, cipher_priority); - gnutls_compression_set_priority(session, comp_priority); - gnutls_kx_set_priority(session, kx_priority); - gnutls_protocol_set_priority(session, protocol_priority); - gnutls_mac_set_priority(session, mac_priority); - - return 0; + static const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; + static const int kx_priority[] = + { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, 0 }; + static const int cipher_priority[] = { + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, 0 + }; + static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; + static const int mac_priority[] = + { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; + + gnutls_cipher_set_priority(session, cipher_priority); + gnutls_compression_set_priority(session, comp_priority); + gnutls_kx_set_priority(session, kx_priority); + gnutls_protocol_set_priority(session, protocol_priority); + gnutls_mac_set_priority(session, mac_priority); + + return 0; } /** @@ -268,27 +275,27 @@ int gnutls_set_default_priority(gnutls_session session) **/ int gnutls_set_default_export_priority(gnutls_session session) { - static const int protocol_priority[] = { - GNUTLS_TLS1, GNUTLS_SSL3, 0 - }; - static const int kx_priority[] = { - GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, - GNUTLS_KX_RSA_EXPORT, 0 - }; - static const int cipher_priority[] = { - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_CIPHER_ARCFOUR_40, 0 - }; - static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; - static const int mac_priority[] = - { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; - - gnutls_cipher_set_priority(session, cipher_priority); - gnutls_compression_set_priority(session, comp_priority); - gnutls_kx_set_priority(session, kx_priority); - gnutls_protocol_set_priority(session, protocol_priority); - gnutls_mac_set_priority(session, mac_priority); - - return 0; + static const int protocol_priority[] = { + GNUTLS_TLS1, GNUTLS_SSL3, 0 + }; + static const int kx_priority[] = { + GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, + GNUTLS_KX_RSA_EXPORT, 0 + }; + static const int cipher_priority[] = { + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_CIPHER_ARCFOUR_40, 0 + }; + static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; + static const int mac_priority[] = + { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 }; + + gnutls_cipher_set_priority(session, cipher_priority); + gnutls_compression_set_priority(session, comp_priority); + gnutls_kx_set_priority(session, kx_priority); + gnutls_protocol_set_priority(session, protocol_priority); + gnutls_mac_set_priority(session, mac_priority); + + return 0; } diff --git a/lib/gnutls_priority.h b/lib/gnutls_priority.h index 43cee47ea9..45b84c35d1 100644 --- a/lib/gnutls_priority.h +++ b/lib/gnutls_priority.h @@ -18,9 +18,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -int gnutls_cipher_set_priority( gnutls_session session, const int*); -int gnutls_kx_set_priority( gnutls_session session, const int*); -int gnutls_mac_set_priority( gnutls_session session, const int*); -int gnutls_compression_set_priority( gnutls_session session, const int*); -int gnutls_protocol_set_priority( gnutls_session session, const int*); -int gnutls_certificate_type_set_priority( gnutls_session session, const int*); +int gnutls_cipher_set_priority(gnutls_session session, const int *); +int gnutls_kx_set_priority(gnutls_session session, const int *); +int gnutls_mac_set_priority(gnutls_session session, const int *); +int gnutls_compression_set_priority(gnutls_session session, const int *); +int gnutls_protocol_set_priority(gnutls_session session, const int *); +int gnutls_certificate_type_set_priority(gnutls_session session, + const int *); diff --git a/lib/gnutls_random.c b/lib/gnutls_random.c index 01e61d4c54..d8360e8e66 100644 --- a/lib/gnutls_random.c +++ b/lib/gnutls_random.c @@ -33,11 +33,11 @@ int _gnutls_get_random(opaque * res, int bytes, int level) { if (level == GNUTLS_WEAK_RANDOM) { - gcry_create_nonce( res, bytes); - return 0; + gcry_create_nonce(res, bytes); + return 0; } - gcry_randomize( res, bytes, level); + gcry_randomize(res, bytes, level); return 0; } diff --git a/lib/gnutls_random.h b/lib/gnutls_random.h index 790ed7d2c9..2cbde3cbf6 100644 --- a/lib/gnutls_random.h +++ b/lib/gnutls_random.h @@ -4,4 +4,4 @@ #define GNUTLS_STRONG_RANDOM GCRY_STRONG_RANDOM #define GNUTLS_VERY_STRONG_RANDOM GCRY_VERY_STRONG_RANDOM -int _gnutls_get_random(opaque* res, int bytes, int); +int _gnutls_get_random(opaque * res, int bytes, int); diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index f90d01a683..9cf774dfa4 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c @@ -51,14 +51,15 @@ * Returns the version of the currently used protocol. * **/ -gnutls_protocol_version gnutls_protocol_get_version(gnutls_session session) +gnutls_protocol_version gnutls_protocol_get_version(gnutls_session session) { - return session->security_parameters.version; + return session->security_parameters.version; } -void _gnutls_set_current_version(gnutls_session session, gnutls_protocol_version version) +void _gnutls_set_current_version(gnutls_session session, + gnutls_protocol_version version) { - session->security_parameters.version = version; + session->security_parameters.version = version; } /** @@ -74,9 +75,9 @@ void _gnutls_set_current_version(gnutls_session session, gnutls_protocol_version * Otherwise it must be called and set lowat to zero. * **/ -void gnutls_transport_set_lowat(gnutls_session session, int num) +void gnutls_transport_set_lowat(gnutls_session session, int num) { - session->internals.lowat = num; + session->internals.lowat = num; } /** @@ -89,10 +90,11 @@ void gnutls_transport_set_lowat(gnutls_session session, int num) * handle. * **/ -void gnutls_transport_set_ptr(gnutls_session session, gnutls_transport_ptr ptr) +void gnutls_transport_set_ptr(gnutls_session session, + gnutls_transport_ptr ptr) { - session->internals.transport_recv_ptr = ptr; - session->internals.transport_send_ptr = ptr; + session->internals.transport_recv_ptr = ptr; + session->internals.transport_send_ptr = ptr; } @@ -108,11 +110,12 @@ void gnutls_transport_set_ptr(gnutls_session session, gnutls_transport_ptr ptr) * receiving and sending. * **/ -void gnutls_transport_set_ptr2(gnutls_session session, gnutls_transport_ptr recv_ptr, - gnutls_transport_ptr send_ptr) +void gnutls_transport_set_ptr2(gnutls_session session, + gnutls_transport_ptr recv_ptr, + gnutls_transport_ptr send_ptr) { - session->internals.transport_send_ptr = send_ptr; - session->internals.transport_recv_ptr = recv_ptr; + session->internals.transport_send_ptr = send_ptr; + session->internals.transport_recv_ptr = recv_ptr; } /** @@ -123,9 +126,9 @@ void gnutls_transport_set_ptr2(gnutls_session session, gnutls_transport_ptr recv * PULL). This must have been set using gnutls_transport_set_ptr(). * **/ -gnutls_transport_ptr gnutls_transport_get_ptr(gnutls_session session) +gnutls_transport_ptr gnutls_transport_get_ptr(gnutls_session session) { - return session->internals.transport_recv_ptr; + return session->internals.transport_recv_ptr; } /** @@ -139,12 +142,12 @@ gnutls_transport_ptr gnutls_transport_get_ptr(gnutls_session session) * **/ void gnutls_transport_get_ptr2(gnutls_session session, - gnutls_transport_ptr *recv_ptr, - gnutls_transport_ptr *send_ptr) + gnutls_transport_ptr * recv_ptr, + gnutls_transport_ptr * send_ptr) { - - *recv_ptr = session->internals.transport_recv_ptr; - *send_ptr = session->internals.transport_send_ptr; + + *recv_ptr = session->internals.transport_recv_ptr; + *send_ptr = session->internals.transport_send_ptr; } /** @@ -171,92 +174,94 @@ void gnutls_transport_get_ptr2(gnutls_session session, * gnutls_record_get_direction(). * **/ -int gnutls_bye( gnutls_session session, gnutls_close_request how) +int gnutls_bye(gnutls_session session, gnutls_close_request how) { - int ret = 0; - - switch (STATE) { - case STATE0: - case STATE60: - ret = _gnutls_io_write_flush( session); - STATE = STATE60; - if (ret < 0) { - gnutls_assert(); - return ret; - } - - case STATE61: - ret = gnutls_alert_send( session, GNUTLS_AL_WARNING, GNUTLS_A_CLOSE_NOTIFY); - STATE = STATE61; - if (ret < 0) { - gnutls_assert(); - return ret; - } - - case STATE62: - if ( how == GNUTLS_SHUT_RDWR) { - ret = _gnutls_recv_int( session, GNUTLS_ALERT, -1, NULL, 0); - if (ret >= 0) session->internals.may_not_read = 1; - } - STATE = STATE62; - - if (ret < 0) { - gnutls_assert(); - return ret; - } - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + int ret = 0; + + switch (STATE) { + case STATE0: + case STATE60: + ret = _gnutls_io_write_flush(session); + STATE = STATE60; + if (ret < 0) { + gnutls_assert(); + return ret; } - STATE = STATE0; - - session->internals.may_not_write = 1; - return 0; + case STATE61: + ret = + gnutls_alert_send(session, GNUTLS_AL_WARNING, + GNUTLS_A_CLOSE_NOTIFY); + STATE = STATE61; + if (ret < 0) { + gnutls_assert(); + return ret; + } + + case STATE62: + if (how == GNUTLS_SHUT_RDWR) { + ret = _gnutls_recv_int(session, GNUTLS_ALERT, -1, NULL, 0); + if (ret >= 0) + session->internals.may_not_read = 1; + } + STATE = STATE62; + + if (ret < 0) { + gnutls_assert(); + return ret; + } + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + STATE = STATE0; + + session->internals.may_not_write = 1; + return 0; } -inline -static void session_invalidate( gnutls_session session) +inline static void session_invalidate(gnutls_session session) { - session->internals.valid_connection = VALID_FALSE; + session->internals.valid_connection = VALID_FALSE; } -inline -static void session_unresumable( gnutls_session session) +inline static void session_unresumable(gnutls_session session) { - session->internals.resumable = RESUME_FALSE; + session->internals.resumable = RESUME_FALSE; } /* returns 0 if session is valid */ -inline -static int session_is_valid( gnutls_session session) { - if (session->internals.valid_connection==VALID_FALSE) - return GNUTLS_E_INVALID_SESSION; - - return 0; +inline static int session_is_valid(gnutls_session session) +{ + if (session->internals.valid_connection == VALID_FALSE) + return GNUTLS_E_INVALID_SESSION; + + return 0; } /* Copies the record version into the headers. The * version must have 2 bytes at least. */ -inline static -void copy_record_version( gnutls_session session, HandshakeType htype, - opaque version[2]) +inline static +void copy_record_version(gnutls_session session, HandshakeType htype, + opaque version[2]) { -gnutls_protocol_version lver; - - if (htype != GNUTLS_CLIENT_HELLO || session->internals.default_record_version[0] == 0) { - lver = gnutls_protocol_get_version( session); - - version[0] = _gnutls_version_get_major( lver); - version[1] = _gnutls_version_get_minor( lver); - } else { - version[0] = session->internals.default_record_version[0]; - version[1] = session->internals.default_record_version[1]; - } + gnutls_protocol_version lver; + + if (htype != GNUTLS_CLIENT_HELLO + || session->internals.default_record_version[0] == 0) { + lver = gnutls_protocol_get_version(session); + + version[0] = _gnutls_version_get_major(lver); + version[1] = _gnutls_version_get_minor(lver); + } else { + version[0] = session->internals.default_record_version[0]; + version[1] = session->internals.default_record_version[1]; + } } /* This function behaves exactly like write(). The only difference is @@ -273,157 +278,174 @@ gnutls_protocol_version lver; * and only if the previous send was interrupted for some reason. * */ -ssize_t _gnutls_send_int( gnutls_session session, content_type_t type, - HandshakeType htype, const void *_data, size_t sizeofdata) +ssize_t _gnutls_send_int(gnutls_session session, content_type_t type, + HandshakeType htype, const void *_data, + size_t sizeofdata) { - uint8 *cipher; - int cipher_size; - int retval, ret; - int data2send_size; - uint8 headers[5]; - const uint8 *data=_data; - int erecord_size = 0; - opaque* erecord = NULL; - - /* Do not allow null pointer if the send buffer is empty. - * If the previous send was interrupted then a null pointer is - * ok, and means to resume. - */ - if (session->internals.record_send_buffer.length == 0 && - (sizeofdata == 0 || _data==NULL)) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + uint8 *cipher; + int cipher_size; + int retval, ret; + int data2send_size; + uint8 headers[5]; + const uint8 *data = _data; + int erecord_size = 0; + opaque *erecord = NULL; + + /* Do not allow null pointer if the send buffer is empty. + * If the previous send was interrupted then a null pointer is + * ok, and means to resume. + */ + if (session->internals.record_send_buffer.length == 0 && + (sizeofdata == 0 || _data == NULL)) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (type != GNUTLS_ALERT) /* alert messages are sent anyway */ + if (session_is_valid(session) + || session->internals.may_not_write != 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; } - if (type!=GNUTLS_ALERT) /* alert messages are sent anyway */ - if ( session_is_valid( session) || session->internals.may_not_write != 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } + headers[0] = type; - headers[0] = type; - - /* Use the default record version, if it is - * set. - */ - copy_record_version( session, htype, &headers[1]); + /* Use the default record version, if it is + * set. + */ + copy_record_version(session, htype, &headers[1]); - _gnutls_record_log( "REC[%x]: Sending Packet[%d] %s(%d) with length: %d\n", - session, (int) _gnutls_uint64touint32(&session->connection_state.write_sequence_number), _gnutls_packet2str(type), type, sizeofdata); + _gnutls_record_log + ("REC[%x]: Sending Packet[%d] %s(%d) with length: %d\n", session, + (int) _gnutls_uint64touint32(&session->connection_state. + write_sequence_number), + _gnutls_packet2str(type), type, sizeofdata); - if ( sizeofdata > MAX_RECORD_SEND_SIZE) - data2send_size = MAX_RECORD_SEND_SIZE; - else - data2send_size = sizeofdata; + if (sizeofdata > MAX_RECORD_SEND_SIZE) + data2send_size = MAX_RECORD_SEND_SIZE; + else + data2send_size = sizeofdata; - /* Only encrypt if we don't have data to send - * from the previous run. - probably interrupted. - */ - if (session->internals.record_send_buffer.length > 0) { - ret = _gnutls_io_write_flush( session); - if (ret > 0) cipher_size = ret; - else cipher_size = 0; - - cipher = NULL; + /* Only encrypt if we don't have data to send + * from the previous run. - probably interrupted. + */ + if (session->internals.record_send_buffer.length > 0) { + ret = _gnutls_io_write_flush(session); + if (ret > 0) + cipher_size = ret; + else + cipher_size = 0; - retval = session->internals.record_send_buffer_user_size; - } else { + cipher = NULL; - /* now proceed to packet encryption - */ - cipher_size = data2send_size + MAX_RECORD_OVERHEAD; - cipher = gnutls_malloc( cipher_size); - if (cipher==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + retval = session->internals.record_send_buffer_user_size; + } else { - cipher_size = _gnutls_encrypt( session, headers, RECORD_HEADER_SIZE, data, data2send_size, cipher, - cipher_size, type, 1); - if (cipher_size <= 0) { - gnutls_assert(); - if (cipher_size==0) cipher_size = GNUTLS_E_ENCRYPTION_FAILED; - gnutls_afree( erecord); - gnutls_free( cipher); - return cipher_size; /* error */ - } + /* now proceed to packet encryption + */ + cipher_size = data2send_size + MAX_RECORD_OVERHEAD; + cipher = gnutls_malloc(cipher_size); + if (cipher == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - retval = data2send_size; - session->internals.record_send_buffer_user_size = data2send_size; + cipher_size = + _gnutls_encrypt(session, headers, RECORD_HEADER_SIZE, data, + data2send_size, cipher, cipher_size, type, 1); + if (cipher_size <= 0) { + gnutls_assert(); + if (cipher_size == 0) + cipher_size = GNUTLS_E_ENCRYPTION_FAILED; + gnutls_afree(erecord); + gnutls_free(cipher); + return cipher_size; /* error */ + } - /* increase sequence number - */ - if (_gnutls_uint64pp( &session->connection_state.write_sequence_number) != 0) { - session_invalidate( session); - gnutls_assert(); - gnutls_afree( erecord); - gnutls_free( cipher); - return GNUTLS_E_RECORD_LIMIT_REACHED; - } + retval = data2send_size; + session->internals.record_send_buffer_user_size = data2send_size; - ret = _gnutls_io_write_buffered2( session, erecord, erecord_size, cipher, cipher_size); - gnutls_afree( erecord); - gnutls_free( cipher); + /* increase sequence number + */ + if (_gnutls_uint64pp + (&session->connection_state.write_sequence_number) != 0) { + session_invalidate(session); + gnutls_assert(); + gnutls_afree(erecord); + gnutls_free(cipher); + return GNUTLS_E_RECORD_LIMIT_REACHED; } - if ( ret != cipher_size + erecord_size) { - if ( ret < 0 && gnutls_error_is_fatal(ret)==0) { - /* If we have sent any data then just return - * the error value. Do not invalidate the session. - */ - gnutls_assert(); - return ret; - } - - if (ret > 0) { - gnutls_assert(); - ret = GNUTLS_E_INTERNAL_ERROR; - } - session_unresumable( session); - session_invalidate( session); - gnutls_assert(); - return ret; + ret = + _gnutls_io_write_buffered2(session, erecord, erecord_size, + cipher, cipher_size); + gnutls_afree(erecord); + gnutls_free(cipher); + } + + if (ret != cipher_size + erecord_size) { + if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { + /* If we have sent any data then just return + * the error value. Do not invalidate the session. + */ + gnutls_assert(); + return ret; + } + + if (ret > 0) { + gnutls_assert(); + ret = GNUTLS_E_INTERNAL_ERROR; } + session_unresumable(session); + session_invalidate(session); + gnutls_assert(); + return ret; + } - session->internals.record_send_buffer_user_size = 0; + session->internals.record_send_buffer_user_size = 0; - _gnutls_record_log( "REC[%x]: Sent Packet[%d] %s(%d) with length: %d\n", - session, (int) _gnutls_uint64touint32(&session->connection_state.write_sequence_number), _gnutls_packet2str(type), type, cipher_size); + _gnutls_record_log("REC[%x]: Sent Packet[%d] %s(%d) with length: %d\n", + session, + (int) _gnutls_uint64touint32(&session-> + connection_state. + write_sequence_number), + _gnutls_packet2str(type), type, cipher_size); - return retval; + return retval; } /* This function is to be called if the handshake was successfully * completed. This sends a Change Cipher Spec packet to the peer. */ -ssize_t _gnutls_send_change_cipher_spec( gnutls_session session, int again) +ssize_t _gnutls_send_change_cipher_spec(gnutls_session session, int again) { - static const opaque data[1] = { GNUTLS_TYPE_CHANGE_CIPHER_SPEC }; + static const opaque data[1] = { GNUTLS_TYPE_CHANGE_CIPHER_SPEC }; - _gnutls_handshake_log( "REC[%x]: Sent ChangeCipherSpec\n", session); + _gnutls_handshake_log("REC[%x]: Sent ChangeCipherSpec\n", session); - if (again==0) - return _gnutls_send_int( session, GNUTLS_CHANGE_CIPHER_SPEC, -1, data, 1); - else { - return _gnutls_io_write_flush( session); - } + if (again == 0) + return _gnutls_send_int(session, GNUTLS_CHANGE_CIPHER_SPEC, -1, + data, 1); + else { + return _gnutls_io_write_flush(session); + } } -static int check_recv_type( content_type_t recv_type) +static int check_recv_type(content_type_t recv_type) { - switch( recv_type) { - case GNUTLS_CHANGE_CIPHER_SPEC: - case GNUTLS_ALERT: - case GNUTLS_HANDSHAKE: - case GNUTLS_APPLICATION_DATA: - return 0; - default: - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; - } + switch (recv_type) { + case GNUTLS_CHANGE_CIPHER_SPEC: + case GNUTLS_ALERT: + case GNUTLS_HANDSHAKE: + case GNUTLS_APPLICATION_DATA: + return 0; + default: + gnutls_assert(); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + } } @@ -431,28 +453,30 @@ static int check_recv_type( content_type_t recv_type) /* Checks if there are pending data in the record buffers. If there are * then it copies the data. */ -static int check_buffers( gnutls_session session, content_type_t type, opaque* data, int sizeofdata) +static int check_buffers(gnutls_session session, content_type_t type, + opaque * data, int sizeofdata) { - if ( (type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE) && _gnutls_record_buffer_get_size(type, session) > 0) { - int ret, ret2; - ret = _gnutls_record_buffer_get(type, session, data, sizeofdata); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* if the buffer just got empty */ - if (_gnutls_record_buffer_get_size(type, session)==0) { - if ( (ret2=_gnutls_io_clear_peeked_data( session)) < 0) { - gnutls_assert(); - return ret2; - } - } + if ((type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE) + && _gnutls_record_buffer_get_size(type, session) > 0) { + int ret, ret2; + ret = _gnutls_record_buffer_get(type, session, data, sizeofdata); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return ret; + /* if the buffer just got empty */ + if (_gnutls_record_buffer_get_size(type, session) == 0) { + if ((ret2 = _gnutls_io_clear_peeked_data(session)) < 0) { + gnutls_assert(); + return ret2; + } } - - return 0; + + return ret; + } + + return 0; } @@ -461,50 +485,56 @@ static int check_buffers( gnutls_session session, content_type_t type, opaque* d /* Checks the record headers and returns the length, version and * content type. */ -static -int record_check_headers( gnutls_session session, uint8 headers[RECORD_HEADER_SIZE], content_type_t type, - HandshakeType htype, /*output*/ content_type_t *recv_type, opaque version[2], uint16 *length, uint16* header_size) +static +int record_check_headers(gnutls_session session, + uint8 headers[RECORD_HEADER_SIZE], + content_type_t type, HandshakeType htype, + /*output */ content_type_t * recv_type, + opaque version[2], uint16 * length, + uint16 * header_size) { - /* Read the first two bytes to determine if this is a - * version 2 message + /* Read the first two bytes to determine if this is a + * version 2 message + */ + + if (htype == GNUTLS_CLIENT_HELLO && type == GNUTLS_HANDSHAKE + && headers[0] > 127) { + + /* if msb set and expecting handshake message + * it should be SSL 2 hello */ + version[0] = 3; /* assume SSL 3.0 */ + version[1] = 0; - if ( htype == GNUTLS_CLIENT_HELLO && type==GNUTLS_HANDSHAKE && headers[0] > 127) { + *length = (((headers[0] & 0x7f) << 8)) | headers[1]; - /* if msb set and expecting handshake message - * it should be SSL 2 hello - */ - version[0] = 3; /* assume SSL 3.0 */ - version[1] = 0; - - *length = (((headers[0] & 0x7f) << 8)) | headers[1]; - - /* SSL 2.0 headers */ - *header_size = 2; - *recv_type = GNUTLS_HANDSHAKE; /* we accept only v2 client hello - */ - - /* in order to assist the handshake protocol. - * V2 compatibility is a mess. - */ - session->internals.v2_hello = *length; + /* SSL 2.0 headers */ + *header_size = 2; + *recv_type = GNUTLS_HANDSHAKE; /* we accept only v2 client hello + */ - _gnutls_record_log( "REC[%x]: V2 packet received. Length: %d\n", session, *length); + /* in order to assist the handshake protocol. + * V2 compatibility is a mess. + */ + session->internals.v2_hello = *length; - } else { - /* version 3.x - */ - *recv_type = headers[0]; - version[0] = headers[1]; - version[1] = headers[2]; + _gnutls_record_log("REC[%x]: V2 packet received. Length: %d\n", + session, *length); - /* No DECR_LEN, since headers has enough size. - */ - *length = _gnutls_read_uint16( &headers[3]); - } + } else { + /* version 3.x + */ + *recv_type = headers[0]; + version[0] = headers[1]; + version[1] = headers[2]; - return 0; + /* No DECR_LEN, since headers has enough size. + */ + *length = _gnutls_read_uint16(&headers[3]); + } + + return 0; } /* Here we check if the advertized version is the one we @@ -512,19 +542,21 @@ int record_check_headers( gnutls_session session, uint8 headers[RECORD_HEADER_SI */ #ifdef CHECK_RECORD_VERSION inline -static int record_check_version( gnutls_session session, HandshakeType htype, opaque version[2]) + static int record_check_version(gnutls_session session, + HandshakeType htype, opaque version[2]) { - if ( (htype!=GNUTLS_CLIENT_HELLO && htype!=GNUTLS_SERVER_HELLO) && - gnutls_protocol_get_version(session) != _gnutls_version_get( version[0], version[1])) { + if ((htype != GNUTLS_CLIENT_HELLO && htype != GNUTLS_SERVER_HELLO) && + gnutls_protocol_get_version(session) != + _gnutls_version_get(version[0], version[1])) { - gnutls_assert(); - _gnutls_record_log( "REC[%x]: INVALID VERSION PACKET: (%d) %d.%d\n", - session, htype, version[0], version[1]); + gnutls_assert(); + _gnutls_record_log("REC[%x]: INVALID VERSION PACKET: (%d) %d.%d\n", + session, htype, version[0], version[1]); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; - } + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + } - return 0; + return 0; } #else # define record_check_version(x,y,z) 0 @@ -533,104 +565,114 @@ static int record_check_version( gnutls_session session, HandshakeType htype, op /* This function will check if the received record type is * the one we actually expect. */ -static int record_check_type( gnutls_session session, content_type_t recv_type, - content_type_t type, HandshakeType htype, opaque* data, int data_size) +static int record_check_type(gnutls_session session, + content_type_t recv_type, content_type_t type, + HandshakeType htype, opaque * data, + int data_size) { - - int ret; - - if ( (recv_type == type) && (type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE)) { - _gnutls_record_buffer_put(type, session, (void *) data, data_size); - } else { - switch (recv_type) { - case GNUTLS_ALERT: - - _gnutls_record_log( "REC[%x]: Alert[%d|%d] - %s - was received\n", - session, data[0], data[1], gnutls_alert_get_name((int)data[1])); - - session->internals.last_alert = data[1]; - - /* if close notify is received and - * the alert is not fatal - */ - if (data[1] == GNUTLS_A_CLOSE_NOTIFY && data[0] != GNUTLS_AL_FATAL) { - /* If we have been expecting for an alert do - */ - session->internals.read_eof = 1; - return GNUTLS_E_INT_RET_0; /* EOF */ - } else { - - /* if the alert is FATAL or WARNING - * return the apropriate message - */ - - gnutls_assert(); - ret = GNUTLS_E_WARNING_ALERT_RECEIVED; - if (data[0] == GNUTLS_AL_FATAL) { - session_unresumable( session); - session_invalidate( session); - ret = GNUTLS_E_FATAL_ALERT_RECEIVED; - } - - return ret; - } - break; - - case GNUTLS_CHANGE_CIPHER_SPEC: - /* this packet is now handled in the recv_int() - * function - */ - gnutls_assert(); - - return GNUTLS_E_UNEXPECTED_PACKET; - - case GNUTLS_APPLICATION_DATA: - /* even if data is unexpected put it into the buffer */ - if ( (ret=_gnutls_record_buffer_put(recv_type, session, (void *) data, data_size)) < 0) { - gnutls_assert(); - return ret; - } - - gnutls_assert(); - - /* the got_application data is only returned - * if expecting client hello (for rehandshake - * reasons). Otherwise it is an unexpected packet - */ - if (htype == GNUTLS_CLIENT_HELLO && type==GNUTLS_HANDSHAKE) - return GNUTLS_E_GOT_APPLICATION_DATA; - else return GNUTLS_E_UNEXPECTED_PACKET; - - break; - case GNUTLS_HANDSHAKE: - /* This is legal if HELLO_REQUEST is received - and we are a client. - * If we are a server, a client may initiate a renegotiation at any time. - */ - if ( session->security_parameters.entity==GNUTLS_SERVER) { - gnutls_assert(); - return GNUTLS_E_REHANDSHAKE; - } - - /* If we are already in a handshake then a Hello - * Request is illegal. But here we don't really care - * since this message will never make it up here. - */ - - /* So we accept it */ - return _gnutls_recv_hello_request( session, data, data_size); - - break; - default: - - _gnutls_record_log( "REC[%x]: Received Unknown packet %d expecting %d\n", - session, recv_type, type); - - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + + int ret; + + if ((recv_type == type) + && (type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE)) { + _gnutls_record_buffer_put(type, session, (void *) data, data_size); + } else { + switch (recv_type) { + case GNUTLS_ALERT: + + _gnutls_record_log + ("REC[%x]: Alert[%d|%d] - %s - was received\n", session, + data[0], data[1], gnutls_alert_get_name((int) data[1])); + + session->internals.last_alert = data[1]; + + /* if close notify is received and + * the alert is not fatal + */ + if (data[1] == GNUTLS_A_CLOSE_NOTIFY + && data[0] != GNUTLS_AL_FATAL) { + /* If we have been expecting for an alert do + */ + session->internals.read_eof = 1; + return GNUTLS_E_INT_RET_0; /* EOF */ + } else { + + /* if the alert is FATAL or WARNING + * return the apropriate message + */ + + gnutls_assert(); + ret = GNUTLS_E_WARNING_ALERT_RECEIVED; + if (data[0] == GNUTLS_AL_FATAL) { + session_unresumable(session); + session_invalidate(session); + ret = GNUTLS_E_FATAL_ALERT_RECEIVED; } + + return ret; + } + break; + + case GNUTLS_CHANGE_CIPHER_SPEC: + /* this packet is now handled in the recv_int() + * function + */ + gnutls_assert(); + + return GNUTLS_E_UNEXPECTED_PACKET; + + case GNUTLS_APPLICATION_DATA: + /* even if data is unexpected put it into the buffer */ + if ((ret = + _gnutls_record_buffer_put(recv_type, session, + (void *) data, + data_size)) < 0) { + gnutls_assert(); + return ret; + } + + gnutls_assert(); + + /* the got_application data is only returned + * if expecting client hello (for rehandshake + * reasons). Otherwise it is an unexpected packet + */ + if (htype == GNUTLS_CLIENT_HELLO && type == GNUTLS_HANDSHAKE) + return GNUTLS_E_GOT_APPLICATION_DATA; + else + return GNUTLS_E_UNEXPECTED_PACKET; + + break; + case GNUTLS_HANDSHAKE: + /* This is legal if HELLO_REQUEST is received - and we are a client. + * If we are a server, a client may initiate a renegotiation at any time. + */ + if (session->security_parameters.entity == GNUTLS_SERVER) { + gnutls_assert(); + return GNUTLS_E_REHANDSHAKE; + } + + /* If we are already in a handshake then a Hello + * Request is illegal. But here we don't really care + * since this message will never make it up here. + */ + + /* So we accept it */ + return _gnutls_recv_hello_request(session, data, data_size); + + break; + default: + + _gnutls_record_log + ("REC[%x]: Received Unknown packet %d expecting %d\n", + session, recv_type, type); + + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - - return 0; + } + + return 0; } @@ -639,35 +681,37 @@ static int record_check_type( gnutls_session session, content_type_t recv_type, * recv buffer. If the buffer was not initialized before it will * also initialize it. */ -inline -static int get_temp_recv_buffer( gnutls_session session, gnutls_datum* tmp) +inline + static int get_temp_recv_buffer(gnutls_session session, + gnutls_datum * tmp) { - /* We allocate MAX_RECORD_RECV_SIZE length - * because we cannot predict the output data by the record - * packet length (due to compression). - */ + /* We allocate MAX_RECORD_RECV_SIZE length + * because we cannot predict the output data by the record + * packet length (due to compression). + */ - if (MAX_RECORD_RECV_SIZE > session->internals.recv_buffer.size || - session->internals.recv_buffer.data == NULL) { - - /* Initialize the internal buffer. - */ - session->internals.recv_buffer.data = gnutls_realloc( - session->internals.recv_buffer.data, MAX_RECORD_RECV_SIZE); + if (MAX_RECORD_RECV_SIZE > session->internals.recv_buffer.size || + session->internals.recv_buffer.data == NULL) { - if (session->internals.recv_buffer.data==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - session->internals.recv_buffer.size = MAX_RECORD_RECV_SIZE; + /* Initialize the internal buffer. + */ + session->internals.recv_buffer.data = + gnutls_realloc(session->internals.recv_buffer.data, + MAX_RECORD_RECV_SIZE); + + if (session->internals.recv_buffer.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } - tmp->data = session->internals.recv_buffer.data; - tmp->size = session->internals.recv_buffer.size; - - return 0; + session->internals.recv_buffer.size = MAX_RECORD_RECV_SIZE; + } + + tmp->data = session->internals.recv_buffer.data; + tmp->size = session->internals.recv_buffer.size; + + return 0; } @@ -680,195 +724,226 @@ static int get_temp_recv_buffer( gnutls_session session, gnutls_datum* tmp) * * The HandshakeType was introduced to support SSL V2.0 client hellos. */ -ssize_t _gnutls_recv_int( gnutls_session session, content_type_t type, - HandshakeType htype, opaque *data, size_t sizeofdata) +ssize_t _gnutls_recv_int(gnutls_session session, content_type_t type, + HandshakeType htype, opaque * data, + size_t sizeofdata) { - gnutls_datum tmp; - int decrypted_length; - opaque version[2]; - uint8 *headers; - content_type_t recv_type; - uint16 length; - uint8 *ciphertext; - uint8 *recv_data; - int ret, ret2; - uint16 header_size; - int empty_packet = 0; - - if (type != GNUTLS_ALERT && (sizeofdata == 0 || data == NULL)) { - return GNUTLS_E_INVALID_REQUEST; - } + gnutls_datum tmp; + int decrypted_length; + opaque version[2]; + uint8 *headers; + content_type_t recv_type; + uint16 length; + uint8 *ciphertext; + uint8 *recv_data; + int ret, ret2; + uint16 header_size; + int empty_packet = 0; + + if (type != GNUTLS_ALERT && (sizeofdata == 0 || data == NULL)) { + return GNUTLS_E_INVALID_REQUEST; + } + + begin: + + if (empty_packet > MAX_EMPTY_PACKETS_SEQUENCE) { + gnutls_assert(); + return GNUTLS_E_TOO_MANY_EMPTY_PACKETS; + } + + if (session->internals.read_eof != 0) { + /* if we have already read an EOF + */ + return 0; + } else if (session_is_valid(session) != 0 + || session->internals.may_not_read != 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_SESSION; + } - begin: - - if (empty_packet > MAX_EMPTY_PACKETS_SEQUENCE) { - gnutls_assert(); - return GNUTLS_E_TOO_MANY_EMPTY_PACKETS; - } - - if (session->internals.read_eof != 0) { - /* if we have already read an EOF - */ - return 0; - } else if ( session_is_valid(session)!=0 || session->internals.may_not_read!=0) { - gnutls_assert(); - return GNUTLS_E_INVALID_SESSION; - } - /* If we have enough data in the cache do not bother receiving * a new packet. (in order to flush the cache) */ - ret = check_buffers( session, type, data, sizeofdata); - if (ret != 0) - return ret; + ret = check_buffers(session, type, data, sizeofdata); + if (ret != 0) + return ret; /* default headers for TLS 1.0 */ - header_size = RECORD_HEADER_SIZE; - - if ( (ret = _gnutls_io_read_buffered( session, &headers, header_size, -1)) != header_size) { - if (ret < 0 && gnutls_error_is_fatal(ret)==0) return ret; - - session_invalidate( session); - if (type==GNUTLS_ALERT) { - gnutls_assert(); - return 0; /* we were expecting close notify */ - } - session_unresumable( session); - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - - if ( (ret=record_check_headers( session, headers, type, htype, &recv_type, version, &length, &header_size)) < 0) { - gnutls_assert(); - return ret; + header_size = RECORD_HEADER_SIZE; + + if ((ret = + _gnutls_io_read_buffered(session, &headers, header_size, + -1)) != header_size) { + if (ret < 0 && gnutls_error_is_fatal(ret) == 0) + return ret; + + session_invalidate(session); + if (type == GNUTLS_ALERT) { + gnutls_assert(); + return 0; /* we were expecting close notify */ } + session_unresumable(session); + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + if ((ret = + record_check_headers(session, headers, type, htype, &recv_type, + version, &length, &header_size)) < 0) { + gnutls_assert(); + return ret; + } /* Here we check if the Type of the received packet is * ok. */ - if ( (ret = check_recv_type( recv_type)) < 0) { - - gnutls_assert(); - return ret; - } + if ((ret = check_recv_type(recv_type)) < 0) { + + gnutls_assert(); + return ret; + } /* Here we check if the advertized version is the one we * negotiated in the handshake. */ - if ( (ret=record_check_version( session, htype, version)) < 0) { - gnutls_assert(); - session_invalidate( session); - return ret; - } - - _gnutls_record_log( "REC[%x]: Expected Packet[%d] %s(%d) with length: %d\n", - session, (int) _gnutls_uint64touint32(&session->connection_state.read_sequence_number), _gnutls_packet2str(type), type, sizeofdata); - _gnutls_record_log( "REC[%x]: Received Packet[%d] %s(%d) with length: %d\n", - session, (int) _gnutls_uint64touint32(&session->connection_state.read_sequence_number), _gnutls_packet2str(recv_type), recv_type, length); - - if (length > MAX_RECV_SIZE) { - - _gnutls_record_log( "REC[%x]: FATAL ERROR: Received packet with length: %d\n", session, length); - - session_unresumable( session); - session_invalidate( session); - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + if ((ret = record_check_version(session, htype, version)) < 0) { + gnutls_assert(); + session_invalidate(session); + return ret; + } + + _gnutls_record_log + ("REC[%x]: Expected Packet[%d] %s(%d) with length: %d\n", session, + (int) _gnutls_uint64touint32(&session->connection_state. + read_sequence_number), + _gnutls_packet2str(type), type, sizeofdata); + _gnutls_record_log + ("REC[%x]: Received Packet[%d] %s(%d) with length: %d\n", session, + (int) _gnutls_uint64touint32(&session->connection_state. + read_sequence_number), + _gnutls_packet2str(recv_type), recv_type, length); + + if (length > MAX_RECV_SIZE) { + + _gnutls_record_log + ("REC[%x]: FATAL ERROR: Received packet with length: %d\n", + session, length); + + session_unresumable(session); + session_invalidate(session); + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } /* check if we have that data into buffer. */ - if ( (ret = _gnutls_io_read_buffered( session, &recv_data, header_size+length, recv_type)) != header_size+length) { - if (ret<0 && gnutls_error_is_fatal(ret)==0) return ret; + if ((ret = + _gnutls_io_read_buffered(session, &recv_data, + header_size + length, + recv_type)) != header_size + length) { + if (ret < 0 && gnutls_error_is_fatal(ret) == 0) + return ret; + + session_unresumable(session); + session_invalidate(session); + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } - session_unresumable( session); - session_invalidate( session); - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - /* ok now we are sure that we can read all the data - so * move on ! */ - _gnutls_io_clear_read_buffer( session); - ciphertext = &recv_data[header_size]; - - ret = get_temp_recv_buffer( session, &tmp); - if (ret < 0) { - gnutls_assert(); - return ret; - } + _gnutls_io_clear_read_buffer(session); + ciphertext = &recv_data[header_size]; + + ret = get_temp_recv_buffer(session, &tmp); + if (ret < 0) { + gnutls_assert(); + return ret; + } /* decrypt the data we got. */ - ret = _gnutls_decrypt( session, ciphertext, length, tmp.data, tmp.size, recv_type); - if (ret < 0) { - session_unresumable( session); - session_invalidate( session); - gnutls_assert(); - return ret; - } - decrypted_length = ret; + ret = + _gnutls_decrypt(session, ciphertext, length, tmp.data, tmp.size, + recv_type); + if (ret < 0) { + session_unresumable(session); + session_invalidate(session); + gnutls_assert(); + return ret; + } + decrypted_length = ret; /* Check if this is a CHANGE_CIPHER_SPEC */ - if (type == GNUTLS_CHANGE_CIPHER_SPEC && recv_type == GNUTLS_CHANGE_CIPHER_SPEC) { - - _gnutls_record_log( "REC[%x]: ChangeCipherSpec Packet was received\n", session); + if (type == GNUTLS_CHANGE_CIPHER_SPEC + && recv_type == GNUTLS_CHANGE_CIPHER_SPEC) { - if ((size_t)ret!=sizeofdata) { /* sizeofdata should be 1 */ - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - memcpy( data, tmp.data, sizeofdata); + _gnutls_record_log + ("REC[%x]: ChangeCipherSpec Packet was received\n", session); - return ret; + if ((size_t) ret != sizeofdata) { /* sizeofdata should be 1 */ + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } + memcpy(data, tmp.data, sizeofdata); + + return ret; + } - _gnutls_record_log( "REC[%x]: Decrypted Packet[%d] %s(%d) with length: %d\n", - session, (int) _gnutls_uint64touint32(&session->connection_state.read_sequence_number), _gnutls_packet2str(recv_type), recv_type, decrypted_length); + _gnutls_record_log + ("REC[%x]: Decrypted Packet[%d] %s(%d) with length: %d\n", session, + (int) _gnutls_uint64touint32(&session->connection_state. + read_sequence_number), + _gnutls_packet2str(recv_type), recv_type, decrypted_length); /* increase sequence number */ - if (_gnutls_uint64pp( &session->connection_state.read_sequence_number)!=0) { - session_invalidate( session); - gnutls_assert(); - return GNUTLS_E_RECORD_LIMIT_REACHED; - } - - ret= record_check_type( session, recv_type, type, htype, tmp.data, decrypted_length); - if (ret < 0) { - if (ret==GNUTLS_E_INT_RET_0) return 0; - gnutls_assert(); - return ret; - } + if (_gnutls_uint64pp(&session->connection_state.read_sequence_number) + != 0) { + session_invalidate(session); + gnutls_assert(); + return GNUTLS_E_RECORD_LIMIT_REACHED; + } + + ret = + record_check_type(session, recv_type, type, htype, tmp.data, + decrypted_length); + if (ret < 0) { + if (ret == GNUTLS_E_INT_RET_0) + return 0; + gnutls_assert(); + return ret; + } /* Get Application data from buffer */ - if ((type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE) && (recv_type == type)) { + if ((type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE) + && (recv_type == type)) { - ret = _gnutls_record_buffer_get(type, session, data, sizeofdata); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_record_buffer_get(type, session, data, sizeofdata); + if (ret < 0) { + gnutls_assert(); + return ret; + } /* if the buffer just got empty - */ - if (_gnutls_record_buffer_get_size(type, session)==0) { - if ( (ret2 = _gnutls_io_clear_peeked_data( session)) < 0) { - gnutls_assert(); - return ret2; - } - } - } else { + */ + if (_gnutls_record_buffer_get_size(type, session) == 0) { + if ((ret2 = _gnutls_io_clear_peeked_data(session)) < 0) { gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET; + return ret2; + } + } + } else { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET; /* we didn't get what we wanted to */ - } + } /* (originally for) TLS 1.0 CBC protection. * Actually this code is called if we just received @@ -877,12 +952,12 @@ ssize_t _gnutls_recv_int( gnutls_session session, content_type_t type, * In that case we go to the beginning and start reading * the next packet. */ - if (ret==0) { - empty_packet++; - goto begin; - } - - return ret; + if (ret == 0) { + empty_packet++; + goto begin; + } + + return ret; } @@ -910,9 +985,11 @@ ssize_t _gnutls_recv_int( gnutls_session session, content_type_t type, * maximum record size. * **/ -ssize_t gnutls_record_send( gnutls_session session, const void *data, size_t sizeofdata) +ssize_t gnutls_record_send(gnutls_session session, const void *data, + size_t sizeofdata) { - return _gnutls_send_int( session, GNUTLS_APPLICATION_DATA, -1, data, sizeofdata); + return _gnutls_send_int(session, GNUTLS_APPLICATION_DATA, -1, data, + sizeofdata); } /** @@ -937,9 +1014,11 @@ ssize_t gnutls_record_send( gnutls_session session, const void *data, size_t siz * A negative error code is returned in case of an error. * **/ -ssize_t gnutls_record_recv( gnutls_session session, void *data, size_t sizeofdata) +ssize_t gnutls_record_recv(gnutls_session session, void *data, + size_t sizeofdata) { - return _gnutls_recv_int( session, GNUTLS_APPLICATION_DATA, -1, data, sizeofdata); + return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, -1, data, + sizeofdata); } /** @@ -951,12 +1030,12 @@ ssize_t gnutls_record_recv( gnutls_session session, void *data, size_t sizeofdat * first handshake message. * **/ -size_t gnutls_record_get_max_size( gnutls_session session) +size_t gnutls_record_get_max_size(gnutls_session session) { - /* Recv will hold the negotiated max record size - * always. - */ - return session->security_parameters.max_record_recv_size; + /* Recv will hold the negotiated max record size + * always. + */ + return session->security_parameters.max_record_recv_size; } @@ -978,23 +1057,23 @@ size_t gnutls_record_get_max_size( gnutls_session session) * Not all TLS implementations use or even understand this extension. * **/ -ssize_t gnutls_record_set_max_size( gnutls_session session, size_t size) +ssize_t gnutls_record_set_max_size(gnutls_session session, size_t size) { -ssize_t new_size; + ssize_t new_size; - if (session->security_parameters.entity==GNUTLS_SERVER) - return GNUTLS_E_INVALID_REQUEST; + if (session->security_parameters.entity == GNUTLS_SERVER) + return GNUTLS_E_INVALID_REQUEST; - new_size = _gnutls_mre_record2num( size); + new_size = _gnutls_mre_record2num(size); - if (new_size < 0) { - gnutls_assert(); - return new_size; - } - - session->security_parameters.max_record_send_size = size; + if (new_size < 0) { + gnutls_assert(); + return new_size; + } - session->internals.proposed_record_size = size; + session->security_parameters.max_record_send_size = size; - return 0; + session->internals.proposed_record_size = size; + + return 0; } diff --git a/lib/gnutls_record.h b/lib/gnutls_record.h index 2b4f5e4f92..1952f487da 100644 --- a/lib/gnutls_record.h +++ b/lib/gnutls_record.h @@ -1,6 +1,7 @@ -ssize_t _gnutls_send_int( gnutls_session session, content_type_t type, - HandshakeType htype, const void* data, size_t sizeofdata); -ssize_t _gnutls_recv_int( gnutls_session session, content_type_t type, - HandshakeType, opaque* data, size_t sizeofdata); -ssize_t _gnutls_send_change_cipher_spec( gnutls_session session, int again); +ssize_t _gnutls_send_int(gnutls_session session, content_type_t type, + HandshakeType htype, const void *data, + size_t sizeofdata); +ssize_t _gnutls_recv_int(gnutls_session session, content_type_t type, + HandshakeType, opaque * data, size_t sizeofdata); +ssize_t _gnutls_send_change_cipher_spec(gnutls_session session, int again); void gnutls_transport_set_lowat(gnutls_session session, int num); diff --git a/lib/gnutls_rsa_export.c b/lib/gnutls_rsa_export.c index 597a45145a..84d25436d9 100644 --- a/lib/gnutls_rsa_export.c +++ b/lib/gnutls_rsa_export.c @@ -23,7 +23,7 @@ /* This file contains code for RSA temporary keys. These keys are * only used in export cipher suites. */ - + #include <gnutls_int.h> #include <gnutls_errors.h> #include <gnutls_datum.h> @@ -42,114 +42,114 @@ /* returns e and m, depends on the requested bits. * We only support limited key sizes. */ -const mpi_t* _gnutls_get_rsa_params(gnutls_rsa_params rsa_params) +const mpi_t *_gnutls_get_rsa_params(gnutls_rsa_params rsa_params) { - if (rsa_params == NULL) { - return NULL; - } + if (rsa_params == NULL) { + return NULL; + } - return rsa_params->params; + return rsa_params->params; } /* resarr will contain: modulus(0), public exponent(1), private exponent(2), * prime1 - p (3), prime2 - q(4), u (5). */ -int _gnutls_rsa_generate_params(mpi_t* resarr, int* resarr_len, int bits) +int _gnutls_rsa_generate_params(mpi_t * resarr, int *resarr_len, int bits) { - int ret; - gcry_sexp_t parms, key, list; - - ret = gcry_sexp_build( &parms, NULL, "(genkey(rsa(nbits %d)))", bits); - if (ret != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* generate the RSA key */ - ret = gcry_pk_genkey( &key, parms); - gcry_sexp_release( parms); - - if (ret != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - list = gcry_sexp_find_token( key, "n", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - list = gcry_sexp_find_token( key, "e", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[1] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - list = gcry_sexp_find_token( key, "d", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[2] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - list = gcry_sexp_find_token( key, "p", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[3] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - - list = gcry_sexp_find_token( key, "q", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[4] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - - list = gcry_sexp_find_token( key, "u", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[5] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + int ret; + gcry_sexp_t parms, key, list; + + ret = gcry_sexp_build(&parms, NULL, "(genkey(rsa(nbits %d)))", bits); + if (ret != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* generate the RSA key */ + ret = gcry_pk_genkey(&key, parms); + gcry_sexp_release(parms); + + if (ret != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + list = gcry_sexp_find_token(key, "n", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + list = gcry_sexp_find_token(key, "e", 0); + if (list == NULL) { + gnutls_assert(); gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } - _gnutls_dump_mpi( "n: ", resarr[0]); - _gnutls_dump_mpi( "e: ", resarr[1]); - _gnutls_dump_mpi( "d: ", resarr[2]); - _gnutls_dump_mpi( "p: ", resarr[3]); - _gnutls_dump_mpi( "q: ", resarr[4]); - _gnutls_dump_mpi( "u: ", resarr[5]); - - *resarr_len = 6; + resarr[1] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); - return 0; + list = gcry_sexp_find_token(key, "d", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[2] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + + list = gcry_sexp_find_token(key, "p", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[3] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + + + list = gcry_sexp_find_token(key, "q", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[4] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + + + list = gcry_sexp_find_token(key, "u", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[5] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + + gcry_sexp_release(key); + + _gnutls_dump_mpi("n: ", resarr[0]); + _gnutls_dump_mpi("e: ", resarr[1]); + _gnutls_dump_mpi("d: ", resarr[2]); + _gnutls_dump_mpi("p: ", resarr[3]); + _gnutls_dump_mpi("q: ", resarr[4]); + _gnutls_dump_mpi("u: ", resarr[5]); + + *resarr_len = 6; + + return 0; } @@ -168,13 +168,16 @@ int _gnutls_rsa_generate_params(mpi_t* resarr, int* resarr_len, int bits) * The new parameters should be stored in the appropriate gnutls_datum. * **/ -int gnutls_rsa_params_import_raw(gnutls_rsa_params rsa_params, - const gnutls_datum *m, const gnutls_datum *e, - const gnutls_datum *d, const gnutls_datum *p, - const gnutls_datum *q, const gnutls_datum *u) +int gnutls_rsa_params_import_raw(gnutls_rsa_params rsa_params, + const gnutls_datum * m, + const gnutls_datum * e, + const gnutls_datum * d, + const gnutls_datum * p, + const gnutls_datum * q, + const gnutls_datum * u) { - return gnutls_x509_privkey_import_rsa_raw( rsa_params, - m, e, d, p, q, u); + return gnutls_x509_privkey_import_rsa_raw(rsa_params, + m, e, d, p, q, u); } /** @@ -186,17 +189,17 @@ int gnutls_rsa_params_import_raw(gnutls_rsa_params rsa_params, **/ int gnutls_rsa_params_init(gnutls_rsa_params * rsa_params) { -int ret; - - ret = gnutls_x509_privkey_init( rsa_params); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - (*rsa_params)->crippled = 1; - - return 0; + int ret; + + ret = gnutls_x509_privkey_init(rsa_params); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + (*rsa_params)->crippled = 1; + + return 0; } /** @@ -208,7 +211,7 @@ int ret; **/ void gnutls_rsa_params_deinit(gnutls_rsa_params rsa_params) { - gnutls_x509_privkey_deinit(rsa_params); + gnutls_x509_privkey_deinit(rsa_params); } /** @@ -222,7 +225,7 @@ void gnutls_rsa_params_deinit(gnutls_rsa_params rsa_params) **/ int gnutls_rsa_params_cpy(gnutls_rsa_params dst, gnutls_rsa_params src) { - return gnutls_x509_privkey_cpy( dst, src); + return gnutls_x509_privkey_cpy(dst, src); } /** @@ -240,9 +243,10 @@ int gnutls_rsa_params_cpy(gnutls_rsa_params dst, gnutls_rsa_params src) * no use calling this in client side. * **/ -int gnutls_rsa_params_generate2(gnutls_rsa_params params, unsigned int bits) +int gnutls_rsa_params_generate2(gnutls_rsa_params params, + unsigned int bits) { - return gnutls_x509_privkey_generate( params, GNUTLS_PK_RSA, bits, 0); + return gnutls_x509_privkey_generate(params, GNUTLS_PK_RSA, bits, 0); } /** @@ -261,11 +265,11 @@ int gnutls_rsa_params_generate2(gnutls_rsa_params params, unsigned int bits) * 0 on success. * **/ -int gnutls_rsa_params_import_pkcs1(gnutls_rsa_params params, - const gnutls_datum * pkcs1_params, gnutls_x509_crt_fmt format) +int gnutls_rsa_params_import_pkcs1(gnutls_rsa_params params, + const gnutls_datum * pkcs1_params, + gnutls_x509_crt_fmt format) { - return gnutls_x509_privkey_import( params, pkcs1_params, - format); + return gnutls_x509_privkey_import(params, pkcs1_params, format); } @@ -287,12 +291,13 @@ int gnutls_rsa_params_import_pkcs1(gnutls_rsa_params params, * 0 on success. * **/ -int gnutls_rsa_params_export_pkcs1( gnutls_rsa_params params, - gnutls_x509_crt_fmt format, unsigned char* params_data, - size_t* params_data_size) +int gnutls_rsa_params_export_pkcs1(gnutls_rsa_params params, + gnutls_x509_crt_fmt format, + unsigned char *params_data, + size_t * params_data_size) { - return gnutls_x509_privkey_export( params, format, - params_data, params_data_size); + return gnutls_x509_privkey_export(params, format, + params_data, params_data_size); } @@ -313,21 +318,22 @@ int gnutls_rsa_params_export_pkcs1( gnutls_rsa_params params, * **/ int gnutls_rsa_params_export_raw(gnutls_rsa_params params, - gnutls_datum * m, gnutls_datum *e, - gnutls_datum *d, gnutls_datum *p, gnutls_datum* q, - gnutls_datum* u, unsigned int *bits) + gnutls_datum * m, gnutls_datum * e, + gnutls_datum * d, gnutls_datum * p, + gnutls_datum * q, gnutls_datum * u, + unsigned int *bits) { -int ret; + int ret; - ret = gnutls_x509_privkey_export_rsa_raw( params, m, e, d, p, q, u); - if ( ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_x509_privkey_export_rsa_raw(params, m, e, d, p, q, u); + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (bits) - *bits = _gnutls_mpi_get_nbits(params->params[3]); + if (bits) + *bits = _gnutls_mpi_get_nbits(params->params[3]); - return 0; + return 0; } diff --git a/lib/gnutls_rsa_export.h b/lib/gnutls_rsa_export.h index ce2c70e4f0..0d18464982 100644 --- a/lib/gnutls_rsa_export.h +++ b/lib/gnutls_rsa_export.h @@ -18,8 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -const mpi_t* _gnutls_get_rsa_params(gnutls_rsa_params); -int _gnutls_peers_cert_less_512( gnutls_session session); -int _gnutls_rsa_generate_params(mpi_t* resarr, int* resarr_len, int bits); +const mpi_t *_gnutls_get_rsa_params(gnutls_rsa_params); +int _gnutls_peers_cert_less_512(gnutls_session session); +int _gnutls_rsa_generate_params(mpi_t * resarr, int *resarr_len, int bits); void gnutls_rsa_params_deinit(gnutls_rsa_params rsa_params); - diff --git a/lib/gnutls_session.c b/lib/gnutls_session.c index ca043c5b21..9eabfa043f 100644 --- a/lib/gnutls_session.c +++ b/lib/gnutls_session.c @@ -39,34 +39,35 @@ * * Resuming sessions is really useful and speedups connections after a succesful one. **/ -int gnutls_session_get_data( gnutls_session session, - void* session_data, size_t *session_data_size) +int gnutls_session_get_data(gnutls_session session, + void *session_data, size_t * session_data_size) { - gnutls_datum psession; - int ret; - - if (*session_data_size < SESSION_SIZE || session_data==NULL) { - *session_data_size = SESSION_SIZE; - session_data = NULL; /* return with the new session_data_size value */ - } - - if (session->internals.resumable==RESUME_FALSE) return GNUTLS_E_INVALID_SESSION; - /* just return the session size */ - if (session_data==NULL) { - return 0; - } - - psession.data = session_data; - - ret = _gnutls_session_pack( session, &psession); - if (ret< 0) { - gnutls_assert(); - return ret; - } - *session_data_size = psession.size; + gnutls_datum psession; + int ret; + if (*session_data_size < SESSION_SIZE || session_data == NULL) { + *session_data_size = SESSION_SIZE; + session_data = NULL; /* return with the new session_data_size value */ + } + + if (session->internals.resumable == RESUME_FALSE) + return GNUTLS_E_INVALID_SESSION; + /* just return the session size */ + if (session_data == NULL) { return 0; + } + + psession.data = session_data; + + ret = _gnutls_session_pack(session, &psession); + if (ret < 0) { + gnutls_assert(); + return ret; + } + *session_data_size = psession.size; + + return 0; } @@ -84,19 +85,20 @@ int gnutls_session_get_data( gnutls_session session, * Session id is some data set by the server, that identify the current session. * In TLS 1.0 and SSL 3.0 session id is always less than 32 bytes. **/ -int gnutls_session_get_id( gnutls_session session, - void* session_id, size_t *session_id_size) +int gnutls_session_get_id(gnutls_session session, + void *session_id, size_t * session_id_size) { - *session_id_size = session->security_parameters.session_id_size; - - /* just return the session size */ - if (session_id==NULL) { - return 0; - } - memcpy( session_id, &session->security_parameters.session_id, *session_id_size); - + *session_id_size = session->security_parameters.session_id_size; + + /* just return the session size */ + if (session_id == NULL) { return 0; + } + memcpy(session_id, &session->security_parameters.session_id, + *session_id_size); + + return 0; } /** @@ -116,24 +118,25 @@ int gnutls_session_get_id( gnutls_session session, * Returns a negative value on error. * **/ -int gnutls_session_set_data( gnutls_session session, const void* session_data, - size_t session_data_size) +int gnutls_session_set_data(gnutls_session session, + const void *session_data, + size_t session_data_size) { - int ret; - gnutls_datum psession; - - psession.data = (opaque*)session_data; - psession.size = session_data_size; - - if (session_data==NULL || session_data_size == 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - ret = _gnutls_session_unpack( session, &psession); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - return 0; + int ret; + gnutls_datum psession; + + psession.data = (opaque *) session_data; + psession.size = session_data_size; + + if (session_data == NULL || session_data_size == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + ret = _gnutls_session_unpack(session, &psession); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } diff --git a/lib/gnutls_session.h b/lib/gnutls_session.h index c9c25b4fa4..882d56fed0 100644 --- a/lib/gnutls_session.h +++ b/lib/gnutls_session.h @@ -18,5 +18,8 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -int gnutls_session_set_data( gnutls_session session, const opaque* session_data, int session_data_size); -int gnutls_session_get_data( gnutls_session session, opaque* session_data, int *session_data_size); +int gnutls_session_set_data(gnutls_session session, + const opaque * session_data, + int session_data_size); +int gnutls_session_get_data(gnutls_session session, opaque * session_data, + int *session_data_size); diff --git a/lib/gnutls_session_pack.c b/lib/gnutls_session_pack.c index 3fff4977fb..ff0c990621 100644 --- a/lib/gnutls_session_pack.c +++ b/lib/gnutls_session_pack.c @@ -19,7 +19,7 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * */ - + /* Contains functions that are supposed to pack and unpack session data, * before and after they are sent to the database backend. */ @@ -35,382 +35,391 @@ #include <gnutls_num.h> #define PACK_HEADER_SIZE 1 -int _gnutls_pack_certificate_auth_info( cert_auth_info_t info, - gnutls_datum * packed_session); +int _gnutls_pack_certificate_auth_info(cert_auth_info_t info, + gnutls_datum * packed_session); int _gnutls_unpack_certificate_auth_info(cert_auth_info_t info, - const gnutls_datum * packed_session); -static int _gnutls_pack_certificate_auth_info_size( cert_auth_info_t info); + const gnutls_datum * + packed_session); +static int _gnutls_pack_certificate_auth_info_size(cert_auth_info_t info); /* Since auth_info structures contain malloced data, this function * is required in order to pack these structures in a vector in * order to store them to the DB. */ -int _gnutls_session_pack(gnutls_session session, gnutls_datum * packed_session) +int _gnutls_session_pack(gnutls_session session, + gnutls_datum * packed_session) { - uint32 pack_size; - int ret; + uint32 pack_size; + int ret; - if (packed_session==NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (packed_session == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - switch (gnutls_auth_get_type(session)) { + switch (gnutls_auth_get_type(session)) { #ifdef ENABLE_SRP - case GNUTLS_CRD_SRP:{ - srp_server_auth_info_t info = - _gnutls_get_auth_info(session); - - - if (info == NULL && session->key->auth_info_size!=0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - pack_size = session->key->auth_info_size; - packed_session->size = - PACK_HEADER_SIZE + pack_size + sizeof(uint32); - - packed_session->data[0] = GNUTLS_CRD_SRP; - _gnutls_write_uint32(pack_size, - &packed_session-> - data[PACK_HEADER_SIZE]); - - if (session->key->auth_info_size > 0) - memcpy(&packed_session-> - data[PACK_HEADER_SIZE + sizeof(uint32)], - info, session->key->auth_info_size); + case GNUTLS_CRD_SRP:{ + srp_server_auth_info_t info = _gnutls_get_auth_info(session); - } - break; -#endif - case GNUTLS_CRD_ANON:{ - anon_client_auth_info_t info = - _gnutls_get_auth_info(session); - if (info == NULL && session->key->auth_info_size!=0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - packed_session->size = - PACK_HEADER_SIZE + session->key->auth_info_size + sizeof(uint32); - - packed_session->data[0] = GNUTLS_CRD_ANON; - _gnutls_write_uint32(session->key->auth_info_size, - &packed_session-> - data[PACK_HEADER_SIZE]); - - if (session->key->auth_info_size > 0) - memcpy(&packed_session-> - data[PACK_HEADER_SIZE + sizeof(uint32)], - info, session->key->auth_info_size); - - } - break; - case GNUTLS_CRD_CERTIFICATE:{ - cert_auth_info_t info = - _gnutls_get_auth_info(session); - if (info == NULL && session->key->auth_info_size!=0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = - _gnutls_pack_certificate_auth_info(info, - packed_session); - if (ret < 0) { - gnutls_assert(); - return ret; - } - } - break; - default: - return GNUTLS_E_INTERNAL_ERROR; + if (info == NULL && session->key->auth_info_size != 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + pack_size = session->key->auth_info_size; + packed_session->size = + PACK_HEADER_SIZE + pack_size + sizeof(uint32); + + packed_session->data[0] = GNUTLS_CRD_SRP; + _gnutls_write_uint32(pack_size, + &packed_session->data[PACK_HEADER_SIZE]); + + if (session->key->auth_info_size > 0) + memcpy(&packed_session-> + data[PACK_HEADER_SIZE + sizeof(uint32)], + info, session->key->auth_info_size); } - /* Auth_info structures copied. Now copy security_parameters_st. - */ - packed_session->size += sizeof(security_parameters_st)+sizeof(uint32); + break; +#endif + case GNUTLS_CRD_ANON:{ + anon_client_auth_info_t info = _gnutls_get_auth_info(session); + if (info == NULL && session->key->auth_info_size != 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + packed_session->size = + PACK_HEADER_SIZE + session->key->auth_info_size + + sizeof(uint32); + + packed_session->data[0] = GNUTLS_CRD_ANON; + _gnutls_write_uint32(session->key->auth_info_size, + &packed_session->data[PACK_HEADER_SIZE]); + + if (session->key->auth_info_size > 0) + memcpy(&packed_session-> + data[PACK_HEADER_SIZE + sizeof(uint32)], + info, session->key->auth_info_size); - _gnutls_write_uint32( sizeof(security_parameters_st), &packed_session->data[packed_session->size - sizeof(security_parameters_st) - sizeof(uint32)]); - memcpy(&packed_session-> - data[packed_session->size - sizeof(security_parameters_st)], - &session->security_parameters, sizeof(security_parameters_st)); + } + break; + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info = _gnutls_get_auth_info(session); + if (info == NULL && session->key->auth_info_size != 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return 0; + ret = _gnutls_pack_certificate_auth_info(info, packed_session); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } + break; + default: + return GNUTLS_E_INTERNAL_ERROR; + + } + + /* Auth_info structures copied. Now copy security_parameters_st. + */ + packed_session->size += + sizeof(security_parameters_st) + sizeof(uint32); + + _gnutls_write_uint32(sizeof(security_parameters_st), + &packed_session->data[packed_session->size - + sizeof + (security_parameters_st) - + sizeof(uint32)]); + memcpy(&packed_session-> + data[packed_session->size - sizeof(security_parameters_st)], + &session->security_parameters, sizeof(security_parameters_st)); + + return 0; } /* Returns the size needed to hold the current session. */ -uint _gnutls_session_size( gnutls_session session) +uint _gnutls_session_size(gnutls_session session) { - uint32 pack_size; + uint32 pack_size; - pack_size = PACK_HEADER_SIZE + sizeof(uint32); + pack_size = PACK_HEADER_SIZE + sizeof(uint32); - switch ( gnutls_auth_get_type(session)) { - case GNUTLS_CRD_SRP: - case GNUTLS_CRD_ANON: - pack_size += session->key->auth_info_size; - break; - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info = - _gnutls_get_auth_info(session); - - pack_size += _gnutls_pack_certificate_auth_info_size( info); - } - break; + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_SRP: + case GNUTLS_CRD_ANON: + pack_size += session->key->auth_info_size; + break; + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info = _gnutls_get_auth_info(session); + + pack_size += _gnutls_pack_certificate_auth_info_size(info); } + break; + } - /* Auth_info structures copied. Now copy security_parameters_st. - */ - pack_size += sizeof(security_parameters_st) + sizeof(uint32); + /* Auth_info structures copied. Now copy security_parameters_st. + */ + pack_size += sizeof(security_parameters_st) + sizeof(uint32); - return pack_size; + return pack_size; } int _gnutls_session_unpack(gnutls_session session, const gnutls_datum * packed_session) { - uint32 pack_size; - int ret; - time_t timestamp = time(0); - security_parameters_st sp; + uint32 pack_size; + int ret; + time_t timestamp = time(0); + security_parameters_st sp; - if (packed_session==NULL || packed_session->size == 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (packed_session == NULL || packed_session->size == 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - if (session->key->auth_info != NULL) { - _gnutls_free_auth_info( session); - } - - switch ( packed_session->data[0]) { + if (session->key->auth_info != NULL) { + _gnutls_free_auth_info(session); + } + + switch (packed_session->data[0]) { #ifdef ENABLE_SRP - case GNUTLS_CRD_SRP:{ - - pack_size = - _gnutls_read_uint32(&packed_session-> - data[PACK_HEADER_SIZE]); - - if (pack_size == 0) break; - if (pack_size != sizeof(srp_server_auth_info_st)) { - gnutls_assert(); - return GNUTLS_E_DB_ERROR; - } - - session->key->auth_info = - gnutls_malloc( pack_size); - - if (session->key->auth_info == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - session->key->auth_info_size = - sizeof(srp_server_auth_info_st); - - - memcpy(session->key->auth_info, - &packed_session->data[PACK_HEADER_SIZE + - sizeof(uint32)], - pack_size); - } - break; -#endif - case GNUTLS_CRD_ANON:{ - pack_size = - _gnutls_read_uint32(&packed_session-> - data[PACK_HEADER_SIZE]); - - if (pack_size == 0) break; - - if (pack_size != sizeof(anon_client_auth_info_st)) { - gnutls_assert(); - return GNUTLS_E_DB_ERROR; - } - - session->key->auth_info = - gnutls_malloc( pack_size); - - if (session->key->auth_info == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - session->key->auth_info_size = pack_size; - - memcpy(session->key->auth_info, - &packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], - pack_size); - } - break; - case GNUTLS_CRD_CERTIFICATE:{ - pack_size = - _gnutls_read_uint32(&packed_session-> - data[PACK_HEADER_SIZE]); - - if (pack_size == 0) { - session->key->auth_info = NULL; - session->key->auth_info_size = 0; - break; - } - if (pack_size < sizeof(cert_auth_info_st)) { - gnutls_assert(); - return GNUTLS_E_DB_ERROR; - } - - session->key->auth_info = - gnutls_malloc( sizeof(cert_auth_info_st)); - - if (session->key->auth_info == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - session->key->auth_info_size = - sizeof(cert_auth_info_st); - - ret = - _gnutls_unpack_certificate_auth_info(session-> - key-> - auth_info, - packed_session); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - } + case GNUTLS_CRD_SRP:{ + + pack_size = + _gnutls_read_uint32(&packed_session-> + data[PACK_HEADER_SIZE]); + + if (pack_size == 0) break; - default: + if (pack_size != sizeof(srp_server_auth_info_st)) { gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + return GNUTLS_E_DB_ERROR; + } - } + session->key->auth_info = gnutls_malloc(pack_size); - session->key->auth_info_type = packed_session->data[0]; + if (session->key->auth_info == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + session->key->auth_info_size = sizeof(srp_server_auth_info_st); - /* Auth_info structures copied. Now copy security_parameters_st. - */ - ret = - _gnutls_read_uint32(&packed_session-> - data[PACK_HEADER_SIZE + sizeof(uint32) + - pack_size]); - if (ret != sizeof(security_parameters_st)) { - gnutls_assert(); - return GNUTLS_E_DB_ERROR; + memcpy(session->key->auth_info, + &packed_session->data[PACK_HEADER_SIZE + + sizeof(uint32)], pack_size); } - memcpy(&sp, &packed_session->data[PACK_HEADER_SIZE + - 2 * sizeof(uint32) + pack_size], - sizeof(security_parameters_st)); + break; +#endif + case GNUTLS_CRD_ANON:{ + pack_size = + _gnutls_read_uint32(&packed_session-> + data[PACK_HEADER_SIZE]); - if ( timestamp - sp.timestamp <= session->internals.expire_time - && sp.timestamp <= timestamp) { + if (pack_size == 0) + break; - memcpy( &session->internals.resumed_security_parameters, &sp, sizeof(security_parameters_st)); - } else { - _gnutls_free_auth_info( session); + if (pack_size != sizeof(anon_client_auth_info_st)) { gnutls_assert(); - return GNUTLS_E_EXPIRED; - } + return GNUTLS_E_DB_ERROR; + } + session->key->auth_info = gnutls_malloc(pack_size); - return 0; -} + if (session->key->auth_info == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + session->key->auth_info_size = pack_size; -int _gnutls_pack_certificate_auth_info( cert_auth_info_t info, - gnutls_datum * packed_session) -{ - unsigned int pos, i; - int info_size; + memcpy(session->key->auth_info, + &packed_session->data[PACK_HEADER_SIZE + + sizeof(uint32)], pack_size); + } + break; + case GNUTLS_CRD_CERTIFICATE:{ + pack_size = + _gnutls_read_uint32(&packed_session-> + data[PACK_HEADER_SIZE]); - packed_session->size = _gnutls_pack_certificate_auth_info_size( info); + if (pack_size == 0) { + session->key->auth_info = NULL; + session->key->auth_info_size = 0; + break; + } + if (pack_size < sizeof(cert_auth_info_st)) { + gnutls_assert(); + return GNUTLS_E_DB_ERROR; + } - if (info==NULL) info_size = 0; - else info_size = sizeof(cert_auth_info_st); + session->key->auth_info = + gnutls_malloc(sizeof(cert_auth_info_st)); - packed_session->data[0] = GNUTLS_CRD_CERTIFICATE; - _gnutls_write_uint32( packed_session->size-PACK_HEADER_SIZE-sizeof(uint32), &packed_session->data[PACK_HEADER_SIZE]); + if (session->key->auth_info == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + session->key->auth_info_size = sizeof(cert_auth_info_st); + + ret = + _gnutls_unpack_certificate_auth_info(session-> + key-> + auth_info, + packed_session); + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (info!=NULL) { - memcpy(&packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], - info, sizeof(cert_auth_info_st)); } + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + + } + + session->key->auth_info_type = packed_session->data[0]; + + /* Auth_info structures copied. Now copy security_parameters_st. + */ + ret = + _gnutls_read_uint32(&packed_session-> + data[PACK_HEADER_SIZE + sizeof(uint32) + + pack_size]); + + if (ret != sizeof(security_parameters_st)) { + gnutls_assert(); + return GNUTLS_E_DB_ERROR; + } + memcpy(&sp, &packed_session->data[PACK_HEADER_SIZE + + 2 * sizeof(uint32) + pack_size], + sizeof(security_parameters_st)); + + if (timestamp - sp.timestamp <= session->internals.expire_time + && sp.timestamp <= timestamp) { + + memcpy(&session->internals.resumed_security_parameters, &sp, + sizeof(security_parameters_st)); + } else { + _gnutls_free_auth_info(session); + gnutls_assert(); + return GNUTLS_E_EXPIRED; + } + + + return 0; +} - pos = PACK_HEADER_SIZE + sizeof(uint32) + info_size; - - if (info!=NULL) { - for (i=0;i<info->ncerts;i++) { - _gnutls_write_uint32( info->raw_certificate_list[i].size, &packed_session->data[pos]); - pos += sizeof(uint32); - - memcpy(&packed_session->data[pos], info->raw_certificate_list[i].data, info->raw_certificate_list[i].size); - pos += info->raw_certificate_list[i].size; - } +int _gnutls_pack_certificate_auth_info(cert_auth_info_t info, + gnutls_datum * packed_session) +{ + unsigned int pos, i; + int info_size; + + packed_session->size = _gnutls_pack_certificate_auth_info_size(info); + + if (info == NULL) + info_size = 0; + else + info_size = sizeof(cert_auth_info_st); + + packed_session->data[0] = GNUTLS_CRD_CERTIFICATE; + _gnutls_write_uint32(packed_session->size - PACK_HEADER_SIZE - + sizeof(uint32), + &packed_session->data[PACK_HEADER_SIZE]); + + if (info != NULL) { + memcpy(&packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], + info, sizeof(cert_auth_info_st)); + } + + pos = PACK_HEADER_SIZE + sizeof(uint32) + info_size; + + if (info != NULL) { + for (i = 0; i < info->ncerts; i++) { + _gnutls_write_uint32(info->raw_certificate_list[i].size, + &packed_session->data[pos]); + pos += sizeof(uint32); + + memcpy(&packed_session->data[pos], + info->raw_certificate_list[i].data, + info->raw_certificate_list[i].size); + pos += info->raw_certificate_list[i].size; } - - return 0; + } + + return 0; } -static int _gnutls_pack_certificate_auth_info_size( cert_auth_info_t info) +static int _gnutls_pack_certificate_auth_info_size(cert_auth_info_t info) { - uint32 pack_size = sizeof(cert_auth_info_st); - unsigned int i; + uint32 pack_size = sizeof(cert_auth_info_st); + unsigned int i; - if (info == NULL) - return sizeof(uint32) + PACK_HEADER_SIZE; + if (info == NULL) + return sizeof(uint32) + PACK_HEADER_SIZE; - for (i=0;i<info->ncerts;i++) { - pack_size += sizeof(uint32) + info->raw_certificate_list[i].size; - } + for (i = 0; i < info->ncerts; i++) { + pack_size += sizeof(uint32) + info->raw_certificate_list[i].size; + } - return pack_size + PACK_HEADER_SIZE + sizeof(uint32); + return pack_size + PACK_HEADER_SIZE + sizeof(uint32); } int _gnutls_unpack_certificate_auth_info(cert_auth_info_t info, - const gnutls_datum * packed_session) + const gnutls_datum * + packed_session) { -unsigned int i,j, pos; -int ret; -uint32 size; - - memcpy(info, - &packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], - sizeof(cert_auth_info_st)); - - pos = PACK_HEADER_SIZE + sizeof(uint32) + sizeof(cert_auth_info_st); - if (info->ncerts > 0) { - info->raw_certificate_list = gnutls_calloc( 1, info->ncerts * sizeof( gnutls_datum)); - if (info->raw_certificate_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - for (i=0;i<info->ncerts;i++) { - size = _gnutls_read_uint32( &packed_session->data[ pos]); - pos += sizeof(uint32); - - ret = _gnutls_set_datum( &info->raw_certificate_list[i], &packed_session->data[ pos], size); - pos += size; - - if (ret < 0) { - gnutls_assert(); - goto clear; - } - } + unsigned int i, j, pos; + int ret; + uint32 size; + + memcpy(info, + &packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)], + sizeof(cert_auth_info_st)); + + pos = PACK_HEADER_SIZE + sizeof(uint32) + sizeof(cert_auth_info_st); + if (info->ncerts > 0) { + info->raw_certificate_list = + gnutls_calloc(1, info->ncerts * sizeof(gnutls_datum)); + if (info->raw_certificate_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } - return 0; - - clear: - for (j=0;j<i;j++) - _gnutls_free_datum( &info->raw_certificate_list[j]); - gnutls_free( info->raw_certificate_list); - return GNUTLS_E_MEMORY_ERROR; - + for (i = 0; i < info->ncerts; i++) { + size = _gnutls_read_uint32(&packed_session->data[pos]); + pos += sizeof(uint32); + + ret = + _gnutls_set_datum(&info->raw_certificate_list[i], + &packed_session->data[pos], size); + pos += size; + + if (ret < 0) { + gnutls_assert(); + goto clear; + } + } + } + return 0; + + clear: + for (j = 0; j < i; j++) + _gnutls_free_datum(&info->raw_certificate_list[j]); + + gnutls_free(info->raw_certificate_list); + return GNUTLS_E_MEMORY_ERROR; + } diff --git a/lib/gnutls_session_pack.h b/lib/gnutls_session_pack.h index 8602d9f976..0956beb758 100644 --- a/lib/gnutls_session_pack.h +++ b/lib/gnutls_session_pack.h @@ -1,3 +1,5 @@ -int _gnutls_session_pack( gnutls_session session, gnutls_datum* packed_session); -int _gnutls_session_unpack( gnutls_session session, const gnutls_datum* packed_session); +int _gnutls_session_pack(gnutls_session session, + gnutls_datum * packed_session); +int _gnutls_session_unpack(gnutls_session session, + const gnutls_datum * packed_session); uint _gnutls_session_size(gnutls_session session); diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c index 045f2f33f7..e84508b3a9 100644 --- a/lib/gnutls_sig.c +++ b/lib/gnutls_sig.c @@ -36,129 +36,145 @@ #include <gnutls_kx.h> static -int _gnutls_tls_sign( gnutls_cert* cert, gnutls_privkey* pkey, const gnutls_datum* hash_concat, gnutls_datum *signature); +int _gnutls_tls_sign(gnutls_cert * cert, gnutls_privkey * pkey, + const gnutls_datum * hash_concat, + gnutls_datum * signature); /* Generates a signature of all the previous sent packets in the * handshake procedure. (20040227: now it works for SSL 3.0 as well) */ -int _gnutls_tls_sign_hdata( gnutls_session session, - gnutls_cert* cert, gnutls_privkey* pkey, gnutls_datum *signature) +int _gnutls_tls_sign_hdata(gnutls_session session, + gnutls_cert * cert, gnutls_privkey * pkey, + gnutls_datum * signature) { -gnutls_datum dconcat; -int ret; -opaque concat[36]; -mac_hd_t td_md5; -mac_hd_t td_sha; -gnutls_protocol_version ver = gnutls_protocol_get_version( session); - - td_sha = _gnutls_hash_copy( session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + gnutls_datum dconcat; + int ret; + opaque concat[36]; + mac_hd_t td_md5; + mac_hd_t td_sha; + gnutls_protocol_version ver = gnutls_protocol_get_version(session); + + td_sha = + _gnutls_hash_copy(session->internals.handshake_mac_handle_sha); + if (td_sha == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + if (ver == GNUTLS_SSL3) { + ret = _gnutls_generate_master(session, 1); + if (ret < 0) { + gnutls_assert(); + return ret; } - if (ver == GNUTLS_SSL3) { - ret = _gnutls_generate_master( session, 1); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - _gnutls_mac_deinit_ssl3_handshake( td_sha, &concat[16], session->security_parameters.master_secret, TLS_MASTER_SIZE); - } else - _gnutls_hash_deinit(td_sha, &concat[16]); - - switch (cert->subject_pk_algorithm) { - case GNUTLS_PK_RSA: - td_md5 = _gnutls_hash_copy( session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - if (ver == GNUTLS_SSL3) - _gnutls_mac_deinit_ssl3_handshake( td_md5, concat, session->security_parameters.master_secret, TLS_MASTER_SIZE); - else - _gnutls_hash_deinit(td_md5, concat); - - dconcat.data = concat; - dconcat.size = 36; - break; - case GNUTLS_PK_DSA: - dconcat.data = &concat[16]; - dconcat.size = 20; - break; - - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - ret = _gnutls_tls_sign( cert, pkey, &dconcat, signature); - if (ret < 0) { - gnutls_assert(); + _gnutls_mac_deinit_ssl3_handshake(td_sha, &concat[16], + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + } else + _gnutls_hash_deinit(td_sha, &concat[16]); + + switch (cert->subject_pk_algorithm) { + case GNUTLS_PK_RSA: + td_md5 = + _gnutls_hash_copy(session->internals.handshake_mac_handle_md5); + if (td_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; } - - return ret; + + if (ver == GNUTLS_SSL3) + _gnutls_mac_deinit_ssl3_handshake(td_md5, concat, + session->security_parameters. + master_secret, + TLS_MASTER_SIZE); + else + _gnutls_hash_deinit(td_md5, concat); + + dconcat.data = concat; + dconcat.size = 36; + break; + case GNUTLS_PK_DSA: + dconcat.data = &concat[16]; + dconcat.size = 20; + break; + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + ret = _gnutls_tls_sign(cert, pkey, &dconcat, signature); + if (ret < 0) { + gnutls_assert(); + } + + return ret; } /* Generates a signature of all the random data and the parameters. * Used in DHE_* ciphersuites. */ -int _gnutls_tls_sign_params( gnutls_session session, gnutls_cert* cert, gnutls_privkey* pkey, gnutls_datum* params, gnutls_datum *signature) +int _gnutls_tls_sign_params(gnutls_session session, gnutls_cert * cert, + gnutls_privkey * pkey, gnutls_datum * params, + gnutls_datum * signature) { -gnutls_datum dconcat; -int ret; -mac_hd_t td_md5; -mac_hd_t td_sha; -opaque concat[36]; - - - td_sha = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (td_sha == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; + gnutls_datum dconcat; + int ret; + mac_hd_t td_md5; + mac_hd_t td_sha; + opaque concat[36]; + + + td_sha = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (td_sha == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + _gnutls_hash(td_sha, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_sha, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_sha, params->data, params->size); + + _gnutls_hash_deinit(td_sha, &concat[16]); + + switch (cert->subject_pk_algorithm) { + case GNUTLS_PK_RSA: + td_md5 = _gnutls_hash_init(GNUTLS_MAC_MD5); + if (td_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; } - _gnutls_hash( td_sha, session->security_parameters.client_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_sha, session->security_parameters.server_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_sha, params->data, params->size); + _gnutls_hash(td_md5, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_md5, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_md5, params->data, params->size); - _gnutls_hash_deinit(td_sha, &concat[16]); + _gnutls_hash_deinit(td_md5, concat); - switch (cert->subject_pk_algorithm) { - case GNUTLS_PK_RSA: - td_md5 = _gnutls_hash_init( GNUTLS_MAC_MD5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - _gnutls_hash( td_md5, session->security_parameters.client_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_md5, session->security_parameters.server_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_md5, params->data, params->size); - - _gnutls_hash_deinit(td_md5, concat); - - dconcat.data = concat; - dconcat.size = 36; - break; - case GNUTLS_PK_DSA: - dconcat.data = &concat[16]; - dconcat.size = 20; - break; - - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - ret = _gnutls_tls_sign( cert, pkey, &dconcat, signature); - if (ret < 0) { - gnutls_assert(); - } - - return ret; + dconcat.data = concat; + dconcat.size = 36; + break; + case GNUTLS_PK_DSA: + dconcat.data = &concat[16]; + dconcat.size = 20; + break; + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + ret = _gnutls_tls_sign(cert, pkey, &dconcat, signature); + if (ret < 0) { + gnutls_assert(); + } + + return ret; } @@ -166,36 +182,36 @@ opaque concat[36]; /* This will create a PKCS1 or DSA signature, using the given parameters, and the * given data. The output will be allocated and be put in signature. */ -int _gnutls_sign( gnutls_pk_algorithm algo, mpi_t* params, int params_size, - const gnutls_datum* data, gnutls_datum *signature) +int _gnutls_sign(gnutls_pk_algorithm algo, mpi_t * params, int params_size, + const gnutls_datum * data, gnutls_datum * signature) { -int ret; - - switch(algo) { - case GNUTLS_PK_RSA: - /* encrypt */ - if ((ret=_gnutls_pkcs1_rsa_encrypt( signature, data, params, - params_size, 1)) < 0) { - gnutls_assert(); - return ret; - } - - break; - case GNUTLS_PK_DSA: - /* sign */ - if ((ret=_gnutls_dsa_sign( signature, data, params, - params_size)) < 0) { - gnutls_assert(); - return ret; - } - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - break; + int ret; + + switch (algo) { + case GNUTLS_PK_RSA: + /* encrypt */ + if ((ret = _gnutls_pkcs1_rsa_encrypt(signature, data, params, + params_size, 1)) < 0) { + gnutls_assert(); + return ret; } - return 0; + break; + case GNUTLS_PK_DSA: + /* sign */ + if ((ret = _gnutls_dsa_sign(signature, data, params, + params_size)) < 0) { + gnutls_assert(); + return ret; + } + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + break; + } + + return 0; } /* This will create a PKCS1 or DSA signature, as defined in the TLS protocol. @@ -203,185 +219,199 @@ int ret; * it supports signing. */ static -int _gnutls_tls_sign( gnutls_cert* cert, gnutls_privkey* pkey, - const gnutls_datum* hash_concat, gnutls_datum *signature) +int _gnutls_tls_sign(gnutls_cert * cert, gnutls_privkey * pkey, + const gnutls_datum * hash_concat, + gnutls_datum * signature) { - /* If our certificate supports signing - */ + /* If our certificate supports signing + */ + + if (cert != NULL) + if (cert->keyUsage != 0) + if (!(cert->keyUsage & KEY_DIGITAL_SIGNATURE)) { + gnutls_assert(); + return GNUTLS_E_KEY_USAGE_VIOLATION; + } - if ( cert != NULL) - if ( cert->keyUsage != 0) - if ( !(cert->keyUsage & KEY_DIGITAL_SIGNATURE)) { - gnutls_assert(); - return GNUTLS_E_KEY_USAGE_VIOLATION; - } + return _gnutls_sign(pkey->pk_algorithm, pkey->params, + pkey->params_size, hash_concat, signature); - return _gnutls_sign( pkey->pk_algorithm, pkey->params, pkey->params_size, - hash_concat, signature); - } static -int _gnutls_pkcs1_rsa_verify_sig( gnutls_cert *cert, const gnutls_datum *hash_concat, - gnutls_datum *signature) +int _gnutls_pkcs1_rsa_verify_sig(gnutls_cert * cert, + const gnutls_datum * hash_concat, + gnutls_datum * signature) { - int ret; - gnutls_datum vdata; - - if (cert->version == 0 || cert==NULL) { /* this is the only way to check - * if it is initialized - */ + int ret; + gnutls_datum vdata; + + if (cert->version == 0 || cert == NULL) { /* this is the only way to check + * if it is initialized + */ + gnutls_assert(); + return GNUTLS_E_CERTIFICATE_ERROR; + } + + /* If the certificate supports signing continue. + */ + if (cert != NULL) + if (cert->keyUsage != 0) + if (!(cert->keyUsage & KEY_DIGITAL_SIGNATURE)) { gnutls_assert(); - return GNUTLS_E_CERTIFICATE_ERROR; + return GNUTLS_E_KEY_USAGE_VIOLATION; + } + + switch (cert->subject_pk_algorithm) { + case GNUTLS_PK_RSA: + + vdata.data = hash_concat->data; + vdata.size = hash_concat->size; + + /* verify signature */ + if ((ret = _gnutls_rsa_verify(&vdata, signature, cert->params, + cert->params_size, 1)) < 0) { + gnutls_assert(); + return ret; } - /* If the certificate supports signing continue. - */ - if ( cert != NULL) - if ( cert->keyUsage != 0) - if ( !(cert->keyUsage & KEY_DIGITAL_SIGNATURE)) { - gnutls_assert(); - return GNUTLS_E_KEY_USAGE_VIOLATION; - } - - switch(cert->subject_pk_algorithm) { - case GNUTLS_PK_RSA: - - vdata.data = hash_concat->data; - vdata.size = hash_concat->size; - - /* verify signature */ - if ( (ret=_gnutls_rsa_verify( &vdata, signature, cert->params, - cert->params_size, 1)) < 0) { - gnutls_assert(); - return ret; - } - - break; - case GNUTLS_PK_DSA: - - vdata.data = &hash_concat->data[16]; - vdata.size = 20; /* sha1 */ - - /* verify signature */ - if ( (ret=_gnutls_dsa_verify( &vdata, signature, cert->params, - cert->params_size)) < 0) { - gnutls_assert(); - return ret; - } - - break; - - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + break; + case GNUTLS_PK_DSA: + + vdata.data = &hash_concat->data[16]; + vdata.size = 20; /* sha1 */ + + /* verify signature */ + if ((ret = _gnutls_dsa_verify(&vdata, signature, cert->params, + cert->params_size)) < 0) { + gnutls_assert(); + return ret; } - + + break; + + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + - return 0; + return 0; } /* Verifies a TLS signature (like the one in the client certificate * verify message). */ -int _gnutls_verify_sig_hdata( gnutls_session session, gnutls_cert *cert, gnutls_datum* signature) +int _gnutls_verify_sig_hdata(gnutls_session session, gnutls_cert * cert, + gnutls_datum * signature) { -int ret; -opaque concat[36]; -mac_hd_t td_md5; -mac_hd_t td_sha; -gnutls_datum dconcat; -gnutls_protocol_version ver = gnutls_protocol_get_version( session); - - td_md5 = _gnutls_hash_copy( session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - td_sha = _gnutls_hash_copy( session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) { - gnutls_assert(); - _gnutls_hash_deinit( td_md5, NULL); - return GNUTLS_E_HASH_FAILED; - } - - if (ver == GNUTLS_SSL3) { - ret = _gnutls_generate_master( session, 1); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - _gnutls_mac_deinit_ssl3_handshake( td_md5, concat, session->security_parameters.master_secret, TLS_MASTER_SIZE); - _gnutls_mac_deinit_ssl3_handshake( td_sha, &concat[16], session->security_parameters.master_secret, TLS_MASTER_SIZE); - } else { - _gnutls_hash_deinit(td_md5, concat); - _gnutls_hash_deinit(td_sha, &concat[16]); + int ret; + opaque concat[36]; + mac_hd_t td_md5; + mac_hd_t td_sha; + gnutls_datum dconcat; + gnutls_protocol_version ver = gnutls_protocol_get_version(session); + + td_md5 = + _gnutls_hash_copy(session->internals.handshake_mac_handle_md5); + if (td_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + td_sha = + _gnutls_hash_copy(session->internals.handshake_mac_handle_sha); + if (td_sha == NULL) { + gnutls_assert(); + _gnutls_hash_deinit(td_md5, NULL); + return GNUTLS_E_HASH_FAILED; + } + + if (ver == GNUTLS_SSL3) { + ret = _gnutls_generate_master(session, 1); + if (ret < 0) { + gnutls_assert(); + return ret; } - dconcat.data = concat; - dconcat.size = 20+16; /* md5+ sha */ + _gnutls_mac_deinit_ssl3_handshake(td_md5, concat, + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + _gnutls_mac_deinit_ssl3_handshake(td_sha, &concat[16], + session->security_parameters. + master_secret, TLS_MASTER_SIZE); + } else { + _gnutls_hash_deinit(td_md5, concat); + _gnutls_hash_deinit(td_sha, &concat[16]); + } - ret = _gnutls_pkcs1_rsa_verify_sig( cert, &dconcat, signature); - if (ret < 0) { - gnutls_assert(); - return ret; - } + dconcat.data = concat; + dconcat.size = 20 + 16; /* md5+ sha */ + ret = _gnutls_pkcs1_rsa_verify_sig(cert, &dconcat, signature); + if (ret < 0) { + gnutls_assert(); return ret; + } + + return ret; } /* Generates a signature of all the random data and the parameters. * Used in DHE_* ciphersuites. */ -int _gnutls_verify_sig_params( gnutls_session session, gnutls_cert *cert, const gnutls_datum* params, gnutls_datum *signature) +int _gnutls_verify_sig_params(gnutls_session session, gnutls_cert * cert, + const gnutls_datum * params, + gnutls_datum * signature) { -gnutls_datum dconcat; -int ret; -mac_hd_t td_md5; -mac_hd_t td_sha; -opaque concat[36]; - - td_md5 = _gnutls_hash_init( GNUTLS_MAC_MD5); - if (td_md5 == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - td_sha = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (td_sha == NULL) { - gnutls_assert(); - _gnutls_hash_deinit( td_md5, NULL); - return GNUTLS_E_HASH_FAILED; - } - - _gnutls_hash( td_md5, session->security_parameters.client_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_md5, session->security_parameters.server_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_md5, params->data, params->size); - - _gnutls_hash( td_sha, session->security_parameters.client_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_sha, session->security_parameters.server_random, TLS_RANDOM_SIZE); - _gnutls_hash( td_sha, params->data, params->size); - - _gnutls_hash_deinit(td_md5, concat); - _gnutls_hash_deinit(td_sha, &concat[16]); - - dconcat.data = concat; - dconcat.size = 36; - - ret = _gnutls_pkcs1_rsa_verify_sig( cert, &dconcat, signature); - if (ret < 0) { - gnutls_assert(); - return ret; - } - + gnutls_datum dconcat; + int ret; + mac_hd_t td_md5; + mac_hd_t td_sha; + opaque concat[36]; + + td_md5 = _gnutls_hash_init(GNUTLS_MAC_MD5); + if (td_md5 == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + td_sha = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (td_sha == NULL) { + gnutls_assert(); + _gnutls_hash_deinit(td_md5, NULL); + return GNUTLS_E_HASH_FAILED; + } + + _gnutls_hash(td_md5, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_md5, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_md5, params->data, params->size); + + _gnutls_hash(td_sha, session->security_parameters.client_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_sha, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + _gnutls_hash(td_sha, params->data, params->size); + + _gnutls_hash_deinit(td_md5, concat); + _gnutls_hash_deinit(td_sha, &concat[16]); + + dconcat.data = concat; + dconcat.size = 36; + + ret = _gnutls_pkcs1_rsa_verify_sig(cert, &dconcat, signature); + if (ret < 0) { + gnutls_assert(); return ret; + } -} + return ret; +} diff --git a/lib/gnutls_sig.h b/lib/gnutls_sig.h index eb832e30e9..4cc217fb77 100644 --- a/lib/gnutls_sig.h +++ b/lib/gnutls_sig.h @@ -2,12 +2,21 @@ # define GNUTLS_SIG_H # include <auth_cert.h> -gnutls_certificate_status gnutls_x509_verify_signature(gnutls_cert* cert, gnutls_cert* issuer); -int _gnutls_tls_sign_hdata( gnutls_session session, gnutls_cert* cert, gnutls_privkey *pkey, gnutls_datum *signature); -int _gnutls_tls_sign_params( gnutls_session session, gnutls_cert* cert, gnutls_privkey *pkey, gnutls_datum* params, gnutls_datum *signature); -int _gnutls_verify_sig_hdata( gnutls_session session, gnutls_cert *cert, gnutls_datum* signature); -int _gnutls_verify_sig_params( gnutls_session session, gnutls_cert *cert, const gnutls_datum* params, gnutls_datum* signature); -int _gnutls_sign( gnutls_pk_algorithm algo, mpi_t* params, int params_size, - const gnutls_datum* data, gnutls_datum *signature); +gnutls_certificate_status gnutls_x509_verify_signature(gnutls_cert * cert, + gnutls_cert * + issuer); +int _gnutls_tls_sign_hdata(gnutls_session session, gnutls_cert * cert, + gnutls_privkey * pkey, + gnutls_datum * signature); +int _gnutls_tls_sign_params(gnutls_session session, gnutls_cert * cert, + gnutls_privkey * pkey, gnutls_datum * params, + gnutls_datum * signature); +int _gnutls_verify_sig_hdata(gnutls_session session, gnutls_cert * cert, + gnutls_datum * signature); +int _gnutls_verify_sig_params(gnutls_session session, gnutls_cert * cert, + const gnutls_datum * params, + gnutls_datum * signature); +int _gnutls_sign(gnutls_pk_algorithm algo, mpi_t * params, int params_size, + const gnutls_datum * data, gnutls_datum * signature); #endif diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c index 7f3d89bf5a..65e8848a2a 100644 --- a/lib/gnutls_state.c +++ b/lib/gnutls_state.c @@ -47,9 +47,10 @@ return ret; \ } -void _gnutls_session_cert_type_set( gnutls_session session, gnutls_certificate_type ct) +void _gnutls_session_cert_type_set(gnutls_session session, + gnutls_certificate_type ct) { - session->security_parameters.cert_type = ct; + session->security_parameters.cert_type = ct; } /** @@ -58,8 +59,9 @@ void _gnutls_session_cert_type_set( gnutls_session session, gnutls_certificate_t * * Returns the currently used cipher. **/ -gnutls_cipher_algorithm gnutls_cipher_get( gnutls_session session) { - return session->security_parameters.read_bulk_cipher_algorithm; +gnutls_cipher_algorithm gnutls_cipher_get(gnutls_session session) +{ + return session->security_parameters.read_bulk_cipher_algorithm; } /** @@ -70,9 +72,9 @@ gnutls_cipher_algorithm gnutls_cipher_get( gnutls_session session) { * is by default X.509, unless it is negotiated as a TLS extension. * **/ -gnutls_certificate_type gnutls_certificate_type_get( gnutls_session session) +gnutls_certificate_type gnutls_certificate_type_get(gnutls_session session) { - return session->security_parameters.cert_type; + return session->security_parameters.cert_type; } /** @@ -81,9 +83,9 @@ gnutls_certificate_type gnutls_certificate_type_get( gnutls_session session) * * Returns the key exchange algorithm used in the last handshake. **/ -gnutls_kx_algorithm gnutls_kx_get( gnutls_session session) +gnutls_kx_algorithm gnutls_kx_get(gnutls_session session) { - return session->security_parameters.kx_algorithm; + return session->security_parameters.kx_algorithm; } /** @@ -92,9 +94,9 @@ gnutls_kx_algorithm gnutls_kx_get( gnutls_session session) * * Returns the currently used mac algorithm. **/ -gnutls_mac_algorithm gnutls_mac_get( gnutls_session session) +gnutls_mac_algorithm gnutls_mac_get(gnutls_session session) { - return session->security_parameters.read_mac_algorithm; + return session->security_parameters.read_mac_algorithm; } /** @@ -103,104 +105,105 @@ gnutls_mac_algorithm gnutls_mac_get( gnutls_session session) * * Returns the currently used compression method. **/ -gnutls_compression_method gnutls_compression_get( gnutls_session session) +gnutls_compression_method gnutls_compression_get(gnutls_session session) { - return session->security_parameters.read_compression_algorithm; + return session->security_parameters.read_compression_algorithm; } /* Check if the given certificate type is supported. * This means that it is enabled by the priority functions, * and a matching certificate exists. */ -int _gnutls_session_cert_type_supported( gnutls_session session, - gnutls_certificate_type cert_type) -{ -uint i; -uint cert_found = 0; -const gnutls_certificate_credentials cred; - - if (session->security_parameters.entity==GNUTLS_SERVER) { - cred = - _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - - if (cred == NULL) - return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; - - for (i = 0; i < cred->ncerts; i++) { - if (cred->cert_list[i][0].cert_type == cert_type) { - cert_found = 1; - break; - } - } - if (cert_found == 0) - /* no certificate is of that type. - */ - return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; +int _gnutls_session_cert_type_supported(gnutls_session session, + gnutls_certificate_type cert_type) +{ + uint i; + uint cert_found = 0; + const gnutls_certificate_credentials cred; + + if (session->security_parameters.entity == GNUTLS_SERVER) { + cred = + _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + + if (cred == NULL) + return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + + for (i = 0; i < cred->ncerts; i++) { + if (cred->cert_list[i][0].cert_type == cert_type) { + cert_found = 1; + break; + } } - + if (cert_found == 0) + /* no certificate is of that type. + */ + return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + } - if (session->internals.cert_type_priority.algorithms==0 && cert_type == - DEFAULT_CERT_TYPE) return 0; - for (i=0;i<session->internals.cert_type_priority.algorithms;i++) { - if (session->internals.cert_type_priority.priority[i] - == cert_type) { - return 0; /* ok */ - } + if (session->internals.cert_type_priority.algorithms == 0 + && cert_type == DEFAULT_CERT_TYPE) + return 0; + + for (i = 0; i < session->internals.cert_type_priority.algorithms; i++) { + if (session->internals.cert_type_priority.priority[i] + == cert_type) { + return 0; /* ok */ } + } - return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; } /* this function deinitializes all the internal parameters stored * in a session struct. */ -inline -static void deinit_internal_params( gnutls_session session) +inline static void deinit_internal_params(gnutls_session session) { - if (session->internals.params.free_anon_dh_params) - gnutls_dh_params_deinit( session->internals.params.anon_dh_params); + if (session->internals.params.free_anon_dh_params) + gnutls_dh_params_deinit(session->internals.params.anon_dh_params); + + if (session->internals.params.free_cert_dh_params) + gnutls_dh_params_deinit(session->internals.params.cert_dh_params); - if (session->internals.params.free_cert_dh_params) - gnutls_dh_params_deinit( session->internals.params.cert_dh_params); + if (session->internals.params.free_rsa_params) + gnutls_rsa_params_deinit(session->internals.params.rsa_params); - if (session->internals.params.free_rsa_params) - gnutls_rsa_params_deinit( session->internals.params.rsa_params); - - memset( &session->internals.params, 0, sizeof( session->internals.params)); + memset(&session->internals.params, 0, + sizeof(session->internals.params)); } /* This function will clear all the variables in internals * structure within the session, which depend on the current handshake. * This is used to allow further handshakes. */ -void _gnutls_handshake_internal_state_clear( gnutls_session session) +void _gnutls_handshake_internal_state_clear(gnutls_session session) { - session->internals.extensions_sent_size = 0; + session->internals.extensions_sent_size = 0; - /* by default no selected certificate */ - session->internals.proposed_record_size = DEFAULT_MAX_RECORD_SIZE; - session->internals.adv_version_major = 0; - session->internals.adv_version_minor = 0; - session->internals.v2_hello = 0; - memset( &session->internals.handshake_header_buffer, 0, - sizeof(handshake_header_buffer_st)); - session->internals.adv_version_minor = 0; - session->internals.adv_version_minor = 0; - session->internals.direction = 0; + /* by default no selected certificate */ + session->internals.proposed_record_size = DEFAULT_MAX_RECORD_SIZE; + session->internals.adv_version_major = 0; + session->internals.adv_version_minor = 0; + session->internals.v2_hello = 0; + memset(&session->internals.handshake_header_buffer, 0, + sizeof(handshake_header_buffer_st)); + session->internals.adv_version_minor = 0; + session->internals.adv_version_minor = 0; + session->internals.direction = 0; - /* use out of band data for the last - * handshake messages received. - */ - session->internals.last_handshake_in = -1; - session->internals.last_handshake_out = -1; + /* use out of band data for the last + * handshake messages received. + */ + session->internals.last_handshake_in = -1; + session->internals.last_handshake_out = -1; - session->internals.handshake_restarted = 0; + session->internals.handshake_restarted = 0; - session->internals.resumable = RESUME_TRUE; - _gnutls_free_datum( &session->internals.recv_buffer); + session->internals.resumable = RESUME_TRUE; + _gnutls_free_datum(&session->internals.recv_buffer); - deinit_internal_params( session); + deinit_internal_params(session); } @@ -218,86 +221,96 @@ void _gnutls_handshake_internal_state_clear( gnutls_session session) **/ int gnutls_init(gnutls_session * session, gnutls_connection_end con_end) { - *session = gnutls_calloc(1, sizeof(struct gnutls_session_int)); - if (*session==NULL) return GNUTLS_E_MEMORY_ERROR; - - (*session)->security_parameters.entity = con_end; + *session = gnutls_calloc(1, sizeof(struct gnutls_session_int)); + if (*session == NULL) + return GNUTLS_E_MEMORY_ERROR; - /* the default certificate type for TLS */ - (*session)->security_parameters.cert_type = DEFAULT_CERT_TYPE; + (*session)->security_parameters.entity = con_end; + + /* the default certificate type for TLS */ + (*session)->security_parameters.cert_type = DEFAULT_CERT_TYPE; /* Set the defaults for initial handshake */ - (*session)->security_parameters.read_bulk_cipher_algorithm = - (*session)->security_parameters.write_bulk_cipher_algorithm = GNUTLS_CIPHER_NULL; + (*session)->security_parameters.read_bulk_cipher_algorithm = + (*session)->security_parameters.write_bulk_cipher_algorithm = + GNUTLS_CIPHER_NULL; - (*session)->security_parameters.read_mac_algorithm = - (*session)->security_parameters.write_mac_algorithm = GNUTLS_MAC_NULL; + (*session)->security_parameters.read_mac_algorithm = + (*session)->security_parameters.write_mac_algorithm = + GNUTLS_MAC_NULL; - (*session)->security_parameters.read_compression_algorithm = GNUTLS_COMP_NULL; - (*session)->security_parameters.write_compression_algorithm = GNUTLS_COMP_NULL; + (*session)->security_parameters.read_compression_algorithm = + GNUTLS_COMP_NULL; + (*session)->security_parameters.write_compression_algorithm = + GNUTLS_COMP_NULL; - (*session)->internals.enable_private = 0; - - /* Initialize buffers */ - _gnutls_buffer_init( &(*session)->internals.application_data_buffer); - _gnutls_buffer_init( &(*session)->internals.handshake_data_buffer); - _gnutls_buffer_init( &(*session)->internals.handshake_hash_buffer); + (*session)->internals.enable_private = 0; - _gnutls_buffer_init( &(*session)->internals.record_send_buffer); - _gnutls_buffer_init( &(*session)->internals.record_recv_buffer); + /* Initialize buffers */ + _gnutls_buffer_init(&(*session)->internals.application_data_buffer); + _gnutls_buffer_init(&(*session)->internals.handshake_data_buffer); + _gnutls_buffer_init(&(*session)->internals.handshake_hash_buffer); - _gnutls_buffer_init( &(*session)->internals.handshake_send_buffer); - _gnutls_buffer_init( &(*session)->internals.handshake_recv_buffer); + _gnutls_buffer_init(&(*session)->internals.record_send_buffer); + _gnutls_buffer_init(&(*session)->internals.record_recv_buffer); - (*session)->key = gnutls_calloc(1, sizeof(struct gnutls_key_st)); - if ( (*session)->key == NULL) { - cleanup_session: - gnutls_free( *session); *session = NULL; - return GNUTLS_E_MEMORY_ERROR; - } + _gnutls_buffer_init(&(*session)->internals.handshake_send_buffer); + _gnutls_buffer_init(&(*session)->internals.handshake_recv_buffer); - (*session)->internals.expire_time = DEFAULT_EXPIRE_TIME; /* one hour default */ + (*session)->key = gnutls_calloc(1, sizeof(struct gnutls_key_st)); + if ((*session)->key == NULL) { + cleanup_session: + gnutls_free(*session); + *session = NULL; + return GNUTLS_E_MEMORY_ERROR; + } - gnutls_dh_set_prime_bits( (*session), MIN_DH_BITS); + (*session)->internals.expire_time = DEFAULT_EXPIRE_TIME; /* one hour default */ - gnutls_transport_set_lowat((*session), DEFAULT_LOWAT); /* the default for tcp */ + gnutls_dh_set_prime_bits((*session), MIN_DH_BITS); - gnutls_handshake_set_max_packet_length( (*session), MAX_HANDSHAKE_PACKET_SIZE); + gnutls_transport_set_lowat((*session), DEFAULT_LOWAT); /* the default for tcp */ - /* Allocate a minimum size for recv_data - * This is allocated in order to avoid small messages, making - * the receive procedure slow. - */ - (*session)->internals.record_recv_buffer.data = gnutls_malloc(INITIAL_RECV_BUFFER_SIZE); - if ( (*session)->internals.record_recv_buffer.data == NULL) { - gnutls_free((*session)->key); - goto cleanup_session; - } + gnutls_handshake_set_max_packet_length((*session), + MAX_HANDSHAKE_PACKET_SIZE); - /* set the socket pointers to -1; - */ - (*session)->internals.transport_recv_ptr = (gnutls_transport_ptr)-1; - (*session)->internals.transport_send_ptr = (gnutls_transport_ptr)-1; - - /* set the default maximum record size for TLS - */ - (*session)->security_parameters.max_record_recv_size = DEFAULT_MAX_RECORD_SIZE; - (*session)->security_parameters.max_record_send_size = DEFAULT_MAX_RECORD_SIZE; + /* Allocate a minimum size for recv_data + * This is allocated in order to avoid small messages, making + * the receive procedure slow. + */ + (*session)->internals.record_recv_buffer.data = + gnutls_malloc(INITIAL_RECV_BUFFER_SIZE); + if ((*session)->internals.record_recv_buffer.data == NULL) { + gnutls_free((*session)->key); + goto cleanup_session; + } - /* everything else not initialized here is initialized - * as NULL or 0. This is why calloc is used. - */ + /* set the socket pointers to -1; + */ + (*session)->internals.transport_recv_ptr = (gnutls_transport_ptr) - 1; + (*session)->internals.transport_send_ptr = (gnutls_transport_ptr) - 1; - _gnutls_handshake_internal_state_clear( *session); + /* set the default maximum record size for TLS + */ + (*session)->security_parameters.max_record_recv_size = + DEFAULT_MAX_RECORD_SIZE; + (*session)->security_parameters.max_record_send_size = + DEFAULT_MAX_RECORD_SIZE; - return 0; + /* everything else not initialized here is initialized + * as NULL or 0. This is why calloc is used. + */ + + _gnutls_handshake_internal_state_clear(*session); + + return 0; } /* returns RESUME_FALSE or RESUME_TRUE. */ -int _gnutls_session_is_resumable( gnutls_session session) +int _gnutls_session_is_resumable(gnutls_session session) { - return session->internals.resumable; + return session->internals.resumable; } @@ -313,238 +326,248 @@ int _gnutls_session_is_resumable( gnutls_session session) void gnutls_deinit(gnutls_session session) { - if (session==NULL) return; + if (session == NULL) + return; - /* remove auth info firstly */ - _gnutls_free_auth_info(session ); + /* remove auth info firstly */ + _gnutls_free_auth_info(session); - _gnutls_handshake_internal_state_clear( session); - _gnutls_handshake_io_buffer_clear( session); + _gnutls_handshake_internal_state_clear(session); + _gnutls_handshake_io_buffer_clear(session); - _gnutls_free_datum(&session->connection_state.read_mac_secret); - _gnutls_free_datum(&session->connection_state.write_mac_secret); + _gnutls_free_datum(&session->connection_state.read_mac_secret); + _gnutls_free_datum(&session->connection_state.write_mac_secret); - _gnutls_buffer_clear( &session->internals.handshake_hash_buffer); - _gnutls_buffer_clear( &session->internals.handshake_data_buffer); - _gnutls_buffer_clear( &session->internals.application_data_buffer); - _gnutls_buffer_clear( &session->internals.record_recv_buffer); - _gnutls_buffer_clear( &session->internals.record_send_buffer); + _gnutls_buffer_clear(&session->internals.handshake_hash_buffer); + _gnutls_buffer_clear(&session->internals.handshake_data_buffer); + _gnutls_buffer_clear(&session->internals.application_data_buffer); + _gnutls_buffer_clear(&session->internals.record_recv_buffer); + _gnutls_buffer_clear(&session->internals.record_send_buffer); - gnutls_credentials_clear( session); - _gnutls_selected_certs_deinit( session); + gnutls_credentials_clear(session); + _gnutls_selected_certs_deinit(session); - if (session->connection_state.read_cipher_state != NULL) - _gnutls_cipher_deinit(session->connection_state.read_cipher_state); - if (session->connection_state.write_cipher_state != NULL) - _gnutls_cipher_deinit(session->connection_state.write_cipher_state); + if (session->connection_state.read_cipher_state != NULL) + _gnutls_cipher_deinit(session->connection_state.read_cipher_state); + if (session->connection_state.write_cipher_state != NULL) + _gnutls_cipher_deinit(session->connection_state. + write_cipher_state); - if (session->connection_state.read_compression_state != NULL) - _gnutls_comp_deinit(session->connection_state.read_compression_state, 1); - if (session->connection_state.write_compression_state != NULL) - _gnutls_comp_deinit(session->connection_state.write_compression_state, 0); + if (session->connection_state.read_compression_state != NULL) + _gnutls_comp_deinit(session->connection_state. + read_compression_state, 1); + if (session->connection_state.write_compression_state != NULL) + _gnutls_comp_deinit(session->connection_state. + write_compression_state, 0); - _gnutls_free_datum( &session->cipher_specs.server_write_mac_secret); - _gnutls_free_datum( &session->cipher_specs.client_write_mac_secret); - _gnutls_free_datum( &session->cipher_specs.server_write_IV); - _gnutls_free_datum( &session->cipher_specs.client_write_IV); - _gnutls_free_datum( &session->cipher_specs.server_write_key); - _gnutls_free_datum( &session->cipher_specs.client_write_key); + _gnutls_free_datum(&session->cipher_specs.server_write_mac_secret); + _gnutls_free_datum(&session->cipher_specs.client_write_mac_secret); + _gnutls_free_datum(&session->cipher_specs.server_write_IV); + _gnutls_free_datum(&session->cipher_specs.client_write_IV); + _gnutls_free_datum(&session->cipher_specs.server_write_key); + _gnutls_free_datum(&session->cipher_specs.client_write_key); - if (session->key != NULL) { - _gnutls_mpi_release(&session->key->KEY); - _gnutls_mpi_release(&session->key->client_Y); - _gnutls_mpi_release(&session->key->client_p); - _gnutls_mpi_release(&session->key->client_g); + if (session->key != NULL) { + _gnutls_mpi_release(&session->key->KEY); + _gnutls_mpi_release(&session->key->client_Y); + _gnutls_mpi_release(&session->key->client_p); + _gnutls_mpi_release(&session->key->client_g); - _gnutls_mpi_release(&session->key->u); - _gnutls_mpi_release(&session->key->a); - _gnutls_mpi_release(&session->key->x); - _gnutls_mpi_release(&session->key->A); - _gnutls_mpi_release(&session->key->B); - _gnutls_mpi_release(&session->key->b); + _gnutls_mpi_release(&session->key->u); + _gnutls_mpi_release(&session->key->a); + _gnutls_mpi_release(&session->key->x); + _gnutls_mpi_release(&session->key->A); + _gnutls_mpi_release(&session->key->B); + _gnutls_mpi_release(&session->key->b); - /* RSA */ - _gnutls_mpi_release(&session->key->rsa[0]); - _gnutls_mpi_release(&session->key->rsa[1]); + /* RSA */ + _gnutls_mpi_release(&session->key->rsa[0]); + _gnutls_mpi_release(&session->key->rsa[1]); - _gnutls_mpi_release(&session->key->dh_secret); - gnutls_free(session->key); + _gnutls_mpi_release(&session->key->dh_secret); + gnutls_free(session->key); - session->key = NULL; - } + session->key = NULL; + } - gnutls_free( session->internals.srp_username); + gnutls_free(session->internals.srp_username); - if (session->internals.srp_password) { - memset( session->internals.srp_password, 0, - strlen(session->internals.srp_password)); - gnutls_free( session->internals.srp_password); - } + if (session->internals.srp_password) { + memset(session->internals.srp_password, 0, + strlen(session->internals.srp_password)); + gnutls_free(session->internals.srp_password); + } - memset( session, 0, sizeof(struct gnutls_session_int)); - gnutls_free(session); + memset(session, 0, sizeof(struct gnutls_session_int)); + gnutls_free(session); } /* Returns the minimum prime bits that are acceptable. */ -int _gnutls_dh_get_allowed_prime_bits( gnutls_session session) +int _gnutls_dh_get_allowed_prime_bits(gnutls_session session) { - return session->internals.dh_prime_bits; + return session->internals.dh_prime_bits; } -int _gnutls_dh_set_peer_public( gnutls_session session, mpi_t public) +int _gnutls_dh_set_peer_public(gnutls_session session, mpi_t public) { -dh_info_t * dh; -int ret; - - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_server_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + dh_info_t *dh; + int ret; + + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_server_auth_info_t info; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - dh = &info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info; + dh = &info->dh; + break; + } + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - dh = &info->dh; - break; - } - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + dh = &info->dh; + break; } + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - dh->public_key_size = sizeof( dh->public_key); - ret = _gnutls_mpi_print_lz( dh->public_key, &dh->public_key_size, public); - if (ret < 0) { - gnutls_assert(); - dh->public_key_size = 0; - return ret; - } + dh->public_key_size = sizeof(dh->public_key); + ret = + _gnutls_mpi_print_lz(dh->public_key, &dh->public_key_size, public); + if (ret < 0) { + gnutls_assert(); + dh->public_key_size = 0; + return ret; + } - return 0; + return 0; } -int _gnutls_dh_set_secret_bits( gnutls_session session, uint bits) -{ - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_server_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - info->dh.secret_bits = bits; - break; - } - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - info->dh.secret_bits = bits; - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } +int _gnutls_dh_set_secret_bits(gnutls_session session, uint bits) +{ + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_server_auth_info_t info; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + info->dh.secret_bits = bits; + break; } + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info; - return 0; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + info->dh.secret_bits = bits; + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + } + + return 0; } /* This function will set in the auth info structure the * RSA exponent and the modulus. */ -int _gnutls_rsa_export_set_pubkey( gnutls_session session, mpi_t exp, mpi_t mod) +int _gnutls_rsa_export_set_pubkey(gnutls_session session, mpi_t exp, + mpi_t mod) { - cert_auth_info_t info; - int ret; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + cert_auth_info_t info; + int ret; - info->rsa_export.modulus_size = sizeof( info->rsa_export.modulus); + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - ret = _gnutls_mpi_print_lz( info->rsa_export.modulus, &info->rsa_export.modulus_size, mod); - if (ret < 0) { - gnutls_assert(); - info->rsa_export.modulus_size = 0; - return ret; - } + info->rsa_export.modulus_size = sizeof(info->rsa_export.modulus); - info->rsa_export.exponent_size = sizeof( info->rsa_export.exponent); - ret = _gnutls_mpi_print_lz( info->rsa_export.exponent, &info->rsa_export.exponent_size, exp); - if (ret < 0) { - gnutls_assert(); - info->rsa_export.exponent_size = 0; - return ret; - } + ret = + _gnutls_mpi_print_lz(info->rsa_export.modulus, + &info->rsa_export.modulus_size, mod); + if (ret < 0) { + gnutls_assert(); + info->rsa_export.modulus_size = 0; + return ret; + } - return 0; + info->rsa_export.exponent_size = sizeof(info->rsa_export.exponent); + ret = + _gnutls_mpi_print_lz(info->rsa_export.exponent, + &info->rsa_export.exponent_size, exp); + if (ret < 0) { + gnutls_assert(); + info->rsa_export.exponent_size = 0; + return ret; + } + + return 0; } /* Sets the prime and the generator in the auth info structure. */ -int _gnutls_dh_set_group( gnutls_session session, mpi_t gen, mpi_t prime) -{ -dh_info_t* dh; -int ret; - - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_server_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - dh = &info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - dh = &info->dh; - break; - } - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } +int _gnutls_dh_set_group(gnutls_session session, mpi_t gen, mpi_t prime) +{ + dh_info_t *dh; + int ret; + + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_server_auth_info_t info; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - dh->prime_size = sizeof( dh->prime); - ret = _gnutls_mpi_print_lz( dh->prime, &dh->prime_size, prime); - if (ret < 0) { - gnutls_assert(); - dh->prime_size = 0; - return ret; + dh = &info->dh; + break; } + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info; - dh->generator_size = sizeof( dh->generator); - ret = _gnutls_mpi_print_lz( dh->generator, &dh->generator_size, gen); - if (ret < 0) { - gnutls_assert(); - dh->generator_size = 0; - return ret; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + dh = &info->dh; + break; } + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - - return 0; + dh->prime_size = sizeof(dh->prime); + ret = _gnutls_mpi_print_lz(dh->prime, &dh->prime_size, prime); + if (ret < 0) { + gnutls_assert(); + dh->prime_size = 0; + return ret; + } + + dh->generator_size = sizeof(dh->generator); + ret = _gnutls_mpi_print_lz(dh->generator, &dh->generator_size, gen); + if (ret < 0) { + gnutls_assert(); + dh->generator_size = 0; + return ret; + } + + + return 0; } /** @@ -558,9 +581,10 @@ int ret; * server can obtain the client's key. * **/ -void gnutls_openpgp_send_key(gnutls_session session, gnutls_openpgp_key_status status) +void gnutls_openpgp_send_key(gnutls_session session, + gnutls_openpgp_key_status status) { - session->internals.pgp_fingerprint = status; + session->internals.pgp_fingerprint = status; } /** @@ -577,14 +601,15 @@ void gnutls_openpgp_send_key(gnutls_session session, gnutls_openpgp_key_status s * certificate with X.509 certificates. * **/ -void gnutls_certificate_send_x509_rdn_sequence(gnutls_session session, int status) +void gnutls_certificate_send_x509_rdn_sequence(gnutls_session session, + int status) { - session->internals.ignore_rdn_sequence = status; + session->internals.ignore_rdn_sequence = status; } -int _gnutls_openpgp_send_fingerprint(gnutls_session session) +int _gnutls_openpgp_send_fingerprint(gnutls_session session) { - return session->internals.pgp_fingerprint; + return session->internals.pgp_fingerprint; } /*- @@ -599,10 +624,11 @@ int _gnutls_openpgp_send_fingerprint(gnutls_session session) * -*/ void _gnutls_record_set_default_version(gnutls_session session, - unsigned char major, unsigned char minor) + unsigned char major, + unsigned char minor) { - session->internals.default_record_version[0] = major; - session->internals.default_record_version[1] = minor; + session->internals.default_record_version[0] = major; + session->internals.default_record_version[1] = minor; } /** @@ -623,26 +649,30 @@ void _gnutls_record_set_default_version(gnutls_session session, * servers and clients may cause interoperability problems. * **/ -void gnutls_handshake_set_private_extensions(gnutls_session session, int allow) +void gnutls_handshake_set_private_extensions(gnutls_session session, + int allow) { - session->internals.enable_private = allow; + session->internals.enable_private = allow; } inline -static int _gnutls_cal_PRF_A( gnutls_mac_algorithm algorithm, const void *secret, int secret_size, const void *seed, int seed_size, void* result) + static int _gnutls_cal_PRF_A(gnutls_mac_algorithm algorithm, + const void *secret, int secret_size, + const void *seed, int seed_size, + void *result) { - mac_hd_t td1; + mac_hd_t td1; - td1 = _gnutls_hmac_init(algorithm, secret, secret_size); - if (td1 == GNUTLS_MAC_FAILED) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + td1 = _gnutls_hmac_init(algorithm, secret, secret_size); + if (td1 == GNUTLS_MAC_FAILED) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - _gnutls_hmac(td1, seed, seed_size); - _gnutls_hmac_deinit(td1, result); - - return 0; + _gnutls_hmac(td1, seed, seed_size); + _gnutls_hmac_deinit(td1, result); + + return 0; } #define MAX_SEED_SIZE 200 @@ -650,75 +680,81 @@ static int _gnutls_cal_PRF_A( gnutls_mac_algorithm algorithm, const void *secret /* Produces "total_bytes" bytes using the hash algorithm specified. * (used in the PRF function) */ -static int _gnutls_P_hash( gnutls_mac_algorithm algorithm, const opaque * secret, int secret_size, const opaque * seed, int seed_size, int total_bytes, opaque* ret) +static int _gnutls_P_hash(gnutls_mac_algorithm algorithm, + const opaque * secret, int secret_size, + const opaque * seed, int seed_size, + int total_bytes, opaque * ret) { - mac_hd_t td2; - int i, times, how, blocksize, A_size; - opaque final[20], Atmp[MAX_SEED_SIZE]; - int output_bytes, result; + mac_hd_t td2; + int i, times, how, blocksize, A_size; + opaque final[20], Atmp[MAX_SEED_SIZE]; + int output_bytes, result; - if (seed_size > MAX_SEED_SIZE || total_bytes<=0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + if (seed_size > MAX_SEED_SIZE || total_bytes <= 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + blocksize = _gnutls_hmac_get_algo_len(algorithm); + + output_bytes = 0; + do { + output_bytes += blocksize; + } while (output_bytes < total_bytes); + + /* calculate A(0) */ + + memcpy(Atmp, seed, seed_size); + A_size = seed_size; + + times = output_bytes / blocksize; + + for (i = 0; i < times; i++) { + td2 = _gnutls_hmac_init(algorithm, secret, secret_size); + if (td2 == GNUTLS_MAC_FAILED) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - - blocksize = _gnutls_hmac_get_algo_len(algorithm); - - output_bytes = 0; - do { - output_bytes += blocksize; - } while (output_bytes < total_bytes); - - /* calculate A(0) */ - - memcpy( Atmp, seed, seed_size); - A_size = seed_size; - - times = output_bytes / blocksize; - - for (i = 0; i < times; i++) { - td2 = _gnutls_hmac_init(algorithm, secret, secret_size); - if (td2 == GNUTLS_MAC_FAILED) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* here we calculate A(i+1) */ - if ((result=_gnutls_cal_PRF_A( algorithm, secret, secret_size, Atmp, A_size, Atmp)) < 0) { - gnutls_assert(); - _gnutls_hmac_deinit(td2, final); - return result; - } - - A_size = blocksize; - - _gnutls_hmac(td2, Atmp, A_size); - _gnutls_hmac(td2, seed, seed_size); - _gnutls_hmac_deinit(td2, final); - - if ( (1+i) * blocksize < total_bytes) { - how = blocksize; - } else { - how = total_bytes - (i) * blocksize; - } - - if (how > 0) { - memcpy(&ret[i * blocksize], final, how); - } + + /* here we calculate A(i+1) */ + if ((result = + _gnutls_cal_PRF_A(algorithm, secret, secret_size, Atmp, + A_size, Atmp)) < 0) { + gnutls_assert(); + _gnutls_hmac_deinit(td2, final); + return result; } - - return 0; + + A_size = blocksize; + + _gnutls_hmac(td2, Atmp, A_size); + _gnutls_hmac(td2, seed, seed_size); + _gnutls_hmac_deinit(td2, final); + + if ((1 + i) * blocksize < total_bytes) { + how = blocksize; + } else { + how = total_bytes - (i) * blocksize; + } + + if (how > 0) { + memcpy(&ret[i * blocksize], final, how); + } + } + + return 0; } /* Xor's two buffers and puts the output in the first one. */ inline static -void _gnutls_xor(opaque* o1, opaque* o2, int length) { -int i; - for (i = 0; i < length; i++) { - o1[i] ^= o2[i]; - } +void _gnutls_xor(opaque * o1, opaque * o2, int length) +{ + int i; + for (i = 0; i < length; i++) { + o1[i] ^= o2[i]; + } } @@ -729,56 +765,61 @@ int i; * needed by the TLS specification. ret must have a least total_bytes * available. */ -int _gnutls_PRF( const opaque * secret, int secret_size, const char * label, int label_size, - opaque * seed, int seed_size, int total_bytes, void* ret) +int _gnutls_PRF(const opaque * secret, int secret_size, const char *label, + int label_size, opaque * seed, int seed_size, + int total_bytes, void *ret) { - int l_s, s_seed_size; - const opaque *s1, *s2; - opaque s_seed[MAX_SEED_SIZE]; - opaque o1[MAX_PRF_BYTES], o2[MAX_PRF_BYTES]; - int result; + int l_s, s_seed_size; + const opaque *s1, *s2; + opaque s_seed[MAX_SEED_SIZE]; + opaque o1[MAX_PRF_BYTES], o2[MAX_PRF_BYTES]; + int result; - if (total_bytes > MAX_PRF_BYTES) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - /* label+seed = s_seed */ - s_seed_size = seed_size + label_size; + if (total_bytes > MAX_PRF_BYTES) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + /* label+seed = s_seed */ + s_seed_size = seed_size + label_size; - if (s_seed_size > MAX_SEED_SIZE) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (s_seed_size > MAX_SEED_SIZE) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - memcpy(s_seed, label, label_size); - memcpy(&s_seed[label_size], seed, seed_size); + memcpy(s_seed, label, label_size); + memcpy(&s_seed[label_size], seed, seed_size); - l_s = secret_size / 2; - - s1 = &secret[0]; - s2 = &secret[l_s]; + l_s = secret_size / 2; - if (secret_size % 2 != 0) { - l_s++; - } + s1 = &secret[0]; + s2 = &secret[l_s]; - result = _gnutls_P_hash( GNUTLS_MAC_MD5, s1, l_s, s_seed, s_seed_size, total_bytes, o1); - if (result<0) { - gnutls_assert(); - return result; - } + if (secret_size % 2 != 0) { + l_s++; + } - result = _gnutls_P_hash( GNUTLS_MAC_SHA, s2, l_s, s_seed, s_seed_size, total_bytes, o2); - if (result<0) { - gnutls_assert(); - return result; - } + result = + _gnutls_P_hash(GNUTLS_MAC_MD5, s1, l_s, s_seed, s_seed_size, + total_bytes, o1); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_P_hash(GNUTLS_MAC_SHA, s2, l_s, s_seed, s_seed_size, + total_bytes, o2); + if (result < 0) { + gnutls_assert(); + return result; + } - _gnutls_xor(o1, o2, total_bytes); + _gnutls_xor(o1, o2, total_bytes); - memcpy( ret, o1, total_bytes); + memcpy(ret, o1, total_bytes); - return 0; /* ok */ + return 0; /* ok */ } @@ -792,17 +833,18 @@ int _gnutls_PRF( const opaque * secret, int secret_size, const char * label, int **/ int gnutls_session_is_resumed(gnutls_session session) { - if (session->security_parameters.entity==GNUTLS_CLIENT) { - if (memcmp( session->security_parameters.session_id, - session->internals.resumed_security_parameters.session_id, - session->security_parameters.session_id_size)==0) - return 1; - } else { - if (session->internals.resumed==RESUME_TRUE) - return 1; - } + if (session->security_parameters.entity == GNUTLS_CLIENT) { + if (memcmp(session->security_parameters.session_id, + session->internals.resumed_security_parameters. + session_id, + session->security_parameters.session_id_size) == 0) + return 1; + } else { + if (session->internals.resumed == RESUME_TRUE) + return 1; + } - return 0; + return 0; } /*- @@ -814,14 +856,16 @@ int gnutls_session_is_resumed(gnutls_session session) -*/ int _gnutls_session_is_export(gnutls_session session) { - gnutls_cipher_algorithm cipher; - - cipher = _gnutls_cipher_suite_get_cipher_algo( &session->security_parameters.current_cipher_suite); - - if (_gnutls_cipher_get_export_flag( cipher) != 0) - return 1; + gnutls_cipher_algorithm cipher; - return 0; + cipher = + _gnutls_cipher_suite_get_cipher_algo(&session->security_parameters. + current_cipher_suite); + + if (_gnutls_cipher_get_export_flag(cipher) != 0) + return 1; + + return 0; } /** @@ -832,9 +876,9 @@ int _gnutls_session_is_export(gnutls_session session) * This is the pointer set with gnutls_session_set_ptr(). * **/ -void* gnutls_session_get_ptr(gnutls_session session) +void *gnutls_session_get_ptr(gnutls_session session) { - return session->internals.user_ptr; + return session->internals.user_ptr; } /** @@ -846,9 +890,9 @@ void* gnutls_session_get_ptr(gnutls_session session) * This is pointer can be accessed with gnutls_session_get_ptr(). * **/ -void gnutls_session_set_ptr(gnutls_session session, void* ptr) +void gnutls_session_set_ptr(gnutls_session session, void *ptr) { - session->internals.user_ptr = ptr; + session->internals.user_ptr = ptr; } @@ -867,8 +911,9 @@ void gnutls_session_set_ptr(gnutls_session session, void* ptr) * write data. * **/ -int gnutls_record_get_direction(gnutls_session session) { - return session->internals.direction; +int gnutls_record_get_direction(gnutls_session session) +{ + return session->internals.direction; } /*- @@ -882,9 +927,9 @@ int gnutls_record_get_direction(gnutls_session session) { * test server's capabilities. * -*/ -void _gnutls_rsa_pms_set_version(gnutls_session session, unsigned char major, - unsigned char minor) +void _gnutls_rsa_pms_set_version(gnutls_session session, + unsigned char major, unsigned char minor) { - session->internals.rsa_pms_version[0] = major; - session->internals.rsa_pms_version[1] = minor; + session->internals.rsa_pms_version[0] = major; + session->internals.rsa_pms_version[1] = minor; } diff --git a/lib/gnutls_state.h b/lib/gnutls_state.h index 41b8b178ad..19433fef05 100644 --- a/lib/gnutls_state.h +++ b/lib/gnutls_state.h @@ -3,10 +3,12 @@ #include <gnutls_int.h> -void _gnutls_session_cert_type_set( gnutls_session session, gnutls_certificate_type); -gnutls_kx_algorithm gnutls_kx_get( gnutls_session session); -gnutls_cipher_algorithm gnutls_cipher_get( gnutls_session session); -gnutls_certificate_type gnutls_certificate_type_get( gnutls_session session); +void _gnutls_session_cert_type_set(gnutls_session session, + gnutls_certificate_type); +gnutls_kx_algorithm gnutls_kx_get(gnutls_session session); +gnutls_cipher_algorithm gnutls_cipher_get(gnutls_session session); +gnutls_certificate_type gnutls_certificate_type_get(gnutls_session + session); #include <gnutls_auth_int.h> @@ -17,25 +19,28 @@ gnutls_certificate_type gnutls_certificate_type_get( gnutls_session session); #endif -int _gnutls_session_cert_type_supported( gnutls_session, gnutls_certificate_type); +int _gnutls_session_cert_type_supported(gnutls_session, + gnutls_certificate_type); -int _gnutls_dh_set_secret_bits( gnutls_session session, uint bits); +int _gnutls_dh_set_secret_bits(gnutls_session session, uint bits); -int _gnutls_dh_set_peer_public( gnutls_session session, mpi_t public); -int _gnutls_dh_set_group( gnutls_session session, mpi_t gen, mpi_t prime); +int _gnutls_dh_set_peer_public(gnutls_session session, mpi_t public); +int _gnutls_dh_set_group(gnutls_session session, mpi_t gen, mpi_t prime); -int _gnutls_dh_get_allowed_prime_bits( gnutls_session session); -void gnutls_dh_set_prime_bits( gnutls_session session, unsigned int bits); -void _gnutls_handshake_internal_state_clear( gnutls_session); +int _gnutls_dh_get_allowed_prime_bits(gnutls_session session); +void gnutls_dh_set_prime_bits(gnutls_session session, unsigned int bits); +void _gnutls_handshake_internal_state_clear(gnutls_session); -int _gnutls_rsa_export_set_pubkey( gnutls_session session, mpi_t exp, mpi_t mod); +int _gnutls_rsa_export_set_pubkey(gnutls_session session, mpi_t exp, + mpi_t mod); -int _gnutls_session_is_resumable( gnutls_session session); -int _gnutls_session_is_export( gnutls_session session); +int _gnutls_session_is_resumable(gnutls_session session); +int _gnutls_session_is_export(gnutls_session session); -int _gnutls_openpgp_send_fingerprint( gnutls_session session); +int _gnutls_openpgp_send_fingerprint(gnutls_session session); -int _gnutls_PRF( const opaque * secret, int secret_size, const char * label, - int label_size, opaque * seed, int seed_size, int total_bytes, void* ret); +int _gnutls_PRF(const opaque * secret, int secret_size, const char *label, + int label_size, opaque * seed, int seed_size, + int total_bytes, void *ret); #define DEFAULT_CERT_TYPE GNUTLS_CRT_X509 diff --git a/lib/gnutls_str.c b/lib/gnutls_str.c index 10911bedfd..0e55c35d9a 100644 --- a/lib/gnutls_str.c +++ b/lib/gnutls_str.c @@ -31,157 +31,166 @@ * * They should be used only with null terminated strings. */ -void _gnutls_str_cat( char* dest, size_t dest_tot_size, const char* src) { -size_t str_size = strlen(src); -size_t dest_size = strlen(dest); - - if ( dest_tot_size - dest_size > str_size) { - strcat( dest, src); - } else { - if ( dest_tot_size - dest_size > 0) { - strncat( dest, src, (dest_tot_size - dest_size) -1); - dest[dest_tot_size-1] = 0; - } +void _gnutls_str_cat(char *dest, size_t dest_tot_size, const char *src) +{ + size_t str_size = strlen(src); + size_t dest_size = strlen(dest); + + if (dest_tot_size - dest_size > str_size) { + strcat(dest, src); + } else { + if (dest_tot_size - dest_size > 0) { + strncat(dest, src, (dest_tot_size - dest_size) - 1); + dest[dest_tot_size - 1] = 0; } + } } -void _gnutls_str_cpy( char* dest, size_t dest_tot_size, const char* src) { -size_t str_size = strlen(src); - - if ( dest_tot_size > str_size) { - strcpy( dest, src); - } else { - if ( dest_tot_size > 0) { - strncpy( dest, src, (dest_tot_size) -1); - dest[dest_tot_size-1] = 0; - } +void _gnutls_str_cpy(char *dest, size_t dest_tot_size, const char *src) +{ + size_t str_size = strlen(src); + + if (dest_tot_size > str_size) { + strcpy(dest, src); + } else { + if (dest_tot_size > 0) { + strncpy(dest, src, (dest_tot_size) - 1); + dest[dest_tot_size - 1] = 0; } + } } -void _gnutls_mem_cpy( char* dest, size_t dest_tot_size, const char* src, size_t src_size) +void _gnutls_mem_cpy(char *dest, size_t dest_tot_size, const char *src, + size_t src_size) { - if ( dest_tot_size >= src_size) { - memcpy( dest, src, src_size); - } else { - if ( dest_tot_size > 0) { - memcpy( dest, src, dest_tot_size); - } + if (dest_tot_size >= src_size) { + memcpy(dest, src, src_size); + } else { + if (dest_tot_size > 0) { + memcpy(dest, src, dest_tot_size); } + } } -void _gnutls_string_init( gnutls_string* str, gnutls_alloc_function alloc_func, - gnutls_realloc_function realloc_func, - gnutls_free_function free_func) +void _gnutls_string_init(gnutls_string * str, + gnutls_alloc_function alloc_func, + gnutls_realloc_function realloc_func, + gnutls_free_function free_func) { - str->data = NULL; - str->max_length = 0; - str->length = 0; - - str->alloc_func = alloc_func; - str->free_func = free_func; - str->realloc_func = realloc_func; + str->data = NULL; + str->max_length = 0; + str->length = 0; + + str->alloc_func = alloc_func; + str->free_func = free_func; + str->realloc_func = realloc_func; } -void _gnutls_string_clear( gnutls_string* str) +void _gnutls_string_clear(gnutls_string * str) { - if (str==NULL || str->data == NULL) return; - str->free_func( str->data); - - str->data = NULL; - str->max_length = 0; - str->length = 0; + if (str == NULL || str->data == NULL) + return; + str->free_func(str->data); + + str->data = NULL; + str->max_length = 0; + str->length = 0; } /* This one does not copy the string. */ -gnutls_datum _gnutls_string2datum( gnutls_string* str) +gnutls_datum _gnutls_string2datum(gnutls_string * str) { - gnutls_datum ret; - - ret.data = str->data; - ret.size = str->length; - - return ret; + gnutls_datum ret; + + ret.data = str->data; + ret.size = str->length; + + return ret; } #define MIN_CHUNK 256 -int _gnutls_string_copy_str( gnutls_string* dest, const char * src) +int _gnutls_string_copy_str(gnutls_string * dest, const char *src) { - size_t src_len = strlen( src); - - if (dest->max_length >= src_len) { - memcpy( dest->data, src, src_len); - dest->length = src_len; - - return src_len; - } else { - dest->data = dest->realloc_func( dest->data, GMAX(src_len, MIN_CHUNK)); - if (dest->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - dest->max_length = GMAX( MIN_CHUNK, src_len); - - memcpy( dest->data, src, src_len); - dest->length = src_len; - - return src_len; + size_t src_len = strlen(src); + + if (dest->max_length >= src_len) { + memcpy(dest->data, src, src_len); + dest->length = src_len; + + return src_len; + } else { + dest->data = + dest->realloc_func(dest->data, GMAX(src_len, MIN_CHUNK)); + if (dest->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + dest->max_length = GMAX(MIN_CHUNK, src_len); + + memcpy(dest->data, src, src_len); + dest->length = src_len; + + return src_len; + } } -int _gnutls_string_append_str( gnutls_string* dest, const char * src) +int _gnutls_string_append_str(gnutls_string * dest, const char *src) { - size_t src_len = strlen( src); - size_t tot_len = src_len + dest->length; - - if (dest->max_length >= tot_len) { - memcpy( &dest->data[dest->length], src, src_len); - dest->length = tot_len; - - return tot_len; - } else { - size_t new_len = GMAX( src_len, MIN_CHUNK) + GMAX( dest->max_length, MIN_CHUNK); - - dest->data = dest->realloc_func( dest->data, new_len); - if (dest->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - dest->max_length = new_len; - - memcpy( &dest->data[dest->length], src, src_len); - dest->length = tot_len; - - return tot_len; + size_t src_len = strlen(src); + size_t tot_len = src_len + dest->length; + + if (dest->max_length >= tot_len) { + memcpy(&dest->data[dest->length], src, src_len); + dest->length = tot_len; + + return tot_len; + } else { + size_t new_len = + GMAX(src_len, MIN_CHUNK) + GMAX(dest->max_length, MIN_CHUNK); + + dest->data = dest->realloc_func(dest->data, new_len); + if (dest->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + dest->max_length = new_len; + + memcpy(&dest->data[dest->length], src, src_len); + dest->length = tot_len; + + return tot_len; + } } -int _gnutls_string_append_data( gnutls_string* dest, const void * data, size_t data_size) +int _gnutls_string_append_data(gnutls_string * dest, const void *data, + size_t data_size) { - size_t tot_len = data_size + dest->length; - - if (dest->max_length >= tot_len) { - memcpy( &dest->data[dest->length], data, data_size); - dest->length = tot_len; - - return tot_len; - } else { - size_t new_len = GMAX( data_size, MIN_CHUNK) + GMAX(dest->max_length, MIN_CHUNK); - - dest->data = dest->realloc_func( dest->data, new_len); - if (dest->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - dest->max_length = new_len; - - memcpy( &dest->data[dest->length], data, data_size); - dest->length = tot_len; - - return tot_len; + size_t tot_len = data_size + dest->length; + + if (dest->max_length >= tot_len) { + memcpy(&dest->data[dest->length], data, data_size); + dest->length = tot_len; + + return tot_len; + } else { + size_t new_len = + GMAX(data_size, MIN_CHUNK) + GMAX(dest->max_length, MIN_CHUNK); + + dest->data = dest->realloc_func(dest->data, new_len); + if (dest->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } + dest->max_length = new_len; + + memcpy(&dest->data[dest->length], data, data_size); + dest->length = tot_len; + + return tot_len; + } } /* Converts the given string (old) to hex. A buffer must be provided @@ -190,18 +199,19 @@ int _gnutls_string_append_data( gnutls_string* dest, const void * data, size_t d * NULL. */ char *_gnutls_bin2hex(const void *_old, size_t oldlen, - char *buffer, size_t buffer_size) + char *buffer, size_t buffer_size) { - unsigned int i, j; - const opaque *old = _old; + unsigned int i, j; + const opaque *old = _old; - if ((oldlen * 2) + 1 > buffer_size) return NULL; + if ((oldlen * 2) + 1 > buffer_size) + return NULL; - for (i = j = 0; i < oldlen; j+=2) { - sprintf(&buffer[j], "%.2x", old[i]); - i++; - } - buffer[j] = '\0'; + for (i = j = 0; i < oldlen; j += 2) { + sprintf(&buffer[j], "%.2x", old[i]); + i++; + } + buffer[j] = '\0'; - return buffer; + return buffer; } diff --git a/lib/gnutls_str.h b/lib/gnutls_str.h index 97007fffa6..ec94878593 100644 --- a/lib/gnutls_str.h +++ b/lib/gnutls_str.h @@ -3,32 +3,35 @@ #include <gnutls_int.h> -void _gnutls_str_cpy( char* dest, size_t dest_tot_size, const char* src); -void _gnutls_mem_cpy( char* dest, size_t dest_tot_size, const char* src, size_t src_size); -void _gnutls_str_cat( char* dest, size_t dest_tot_size, const char* src); +void _gnutls_str_cpy(char *dest, size_t dest_tot_size, const char *src); +void _gnutls_mem_cpy(char *dest, size_t dest_tot_size, const char *src, + size_t src_size); +void _gnutls_str_cat(char *dest, size_t dest_tot_size, const char *src); typedef struct { - opaque * data; - size_t max_length; - size_t length; - gnutls_realloc_function realloc_func; - gnutls_alloc_function alloc_func; - gnutls_free_function free_func; + opaque *data; + size_t max_length; + size_t length; + gnutls_realloc_function realloc_func; + gnutls_alloc_function alloc_func; + gnutls_free_function free_func; } gnutls_string; -void _gnutls_string_init( gnutls_string*, gnutls_alloc_function, gnutls_realloc_function, gnutls_free_function); -void _gnutls_string_clear( gnutls_string*); +void _gnutls_string_init(gnutls_string *, gnutls_alloc_function, + gnutls_realloc_function, gnutls_free_function); +void _gnutls_string_clear(gnutls_string *); /* Beware, do not clear the string, after calling this * function */ -gnutls_datum _gnutls_string2datum( gnutls_string* str); +gnutls_datum _gnutls_string2datum(gnutls_string * str); -int _gnutls_string_copy_str( gnutls_string* dest, const char* src); -int _gnutls_string_append_str( gnutls_string*, const char* str); -int _gnutls_string_append_data( gnutls_string*, const void* data, size_t data_size); +int _gnutls_string_copy_str(gnutls_string * dest, const char *src); +int _gnutls_string_append_str(gnutls_string *, const char *str); +int _gnutls_string_append_data(gnutls_string *, const void *data, + size_t data_size); -char * _gnutls_bin2hex(const void *old, size_t oldlen, char* buffer, - size_t buffer_size); +char *_gnutls_bin2hex(const void *old, size_t oldlen, char *buffer, + size_t buffer_size); #endif diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index 6871f38f5c..462aec6de3 100644 --- a/lib/gnutls_ui.c +++ b/lib/gnutls_ui.c @@ -53,7 +53,7 @@ **/ void gnutls_dh_set_prime_bits(gnutls_session session, unsigned int bits) { - session->internals.dh_prime_bits = bits; + session->internals.dh_prime_bits = bits; } @@ -71,46 +71,46 @@ void gnutls_dh_set_prime_bits(gnutls_session session, unsigned int bits) * Returns a negative value in case of an error. * **/ -int gnutls_dh_get_group(gnutls_session session, - gnutls_datum* raw_gen, gnutls_datum* raw_prime) +int gnutls_dh_get_group(gnutls_session session, + gnutls_datum * raw_gen, gnutls_datum * raw_prime) { -dh_info_t *dh; -int ret; -anon_server_auth_info_t anon_info; -cert_auth_info_t cert_info; - - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: - anon_info = _gnutls_get_auth_info(session); - if (anon_info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &anon_info->dh; - break; - case GNUTLS_CRD_CERTIFICATE: - cert_info = _gnutls_get_auth_info(session); - if (cert_info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &cert_info->dh; - break; - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_set_datum( raw_prime, dh->prime, dh->prime_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = _gnutls_set_datum( raw_gen, dh->generator, dh->generator_size); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum( raw_prime); - return ret; - } - - return 0; + dh_info_t *dh; + int ret; + anon_server_auth_info_t anon_info; + cert_auth_info_t cert_info; + + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON: + anon_info = _gnutls_get_auth_info(session); + if (anon_info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &anon_info->dh; + break; + case GNUTLS_CRD_CERTIFICATE: + cert_info = _gnutls_get_auth_info(session); + if (cert_info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &cert_info->dh; + break; + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_set_datum(raw_prime, dh->prime, dh->prime_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = _gnutls_set_datum(raw_gen, dh->generator, dh->generator_size); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(raw_prime); + return ret; + } + + return 0; } /** @@ -125,34 +125,34 @@ cert_auth_info_t cert_info; * Returns a negative value in case of an error. * **/ -int gnutls_dh_get_pubkey(gnutls_session session, gnutls_datum* raw_key) +int gnutls_dh_get_pubkey(gnutls_session session, gnutls_datum * raw_key) { -dh_info_t* dh; -anon_server_auth_info_t anon_info; -cert_auth_info_t cert_info; - - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_info = _gnutls_get_auth_info(session); - if (anon_info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &anon_info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE: { - - cert_info = _gnutls_get_auth_info(session); - if (cert_info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &cert_info->dh; - break; - } - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + dh_info_t *dh; + anon_server_auth_info_t anon_info; + cert_auth_info_t cert_info; + + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_info = _gnutls_get_auth_info(session); + if (anon_info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &anon_info->dh; + break; + } + case GNUTLS_CRD_CERTIFICATE:{ + + cert_info = _gnutls_get_auth_info(session); + if (cert_info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &cert_info->dh; + break; } + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_set_datum( raw_key, dh->public_key, dh->public_key_size); + return _gnutls_set_datum(raw_key, dh->public_key, dh->public_key_size); } /** @@ -167,35 +167,36 @@ cert_auth_info_t cert_info; * Returns a negative value in case of an error. * **/ -int gnutls_rsa_export_get_pubkey(gnutls_session session, gnutls_datum* exp, gnutls_datum* mod) +int gnutls_rsa_export_get_pubkey(gnutls_session session, + gnutls_datum * exp, gnutls_datum * mod) { -cert_auth_info_t info; -int ret; - - if ( gnutls_auth_get_type( session) == GNUTLS_CRD_CERTIFICATE) { - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - ret = _gnutls_set_datum( mod, info->rsa_export.modulus, - info->rsa_export.modulus_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = _gnutls_set_datum( exp, info->rsa_export.exponent, - info->rsa_export.exponent_size); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum( mod); - return ret; - } - - return 0; + cert_auth_info_t info; + int ret; + + if (gnutls_auth_get_type(session) == GNUTLS_CRD_CERTIFICATE) { + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + ret = _gnutls_set_datum(mod, info->rsa_export.modulus, + info->rsa_export.modulus_size); + if (ret < 0) { + gnutls_assert(); + return ret; } - return GNUTLS_E_INVALID_REQUEST; + ret = _gnutls_set_datum(exp, info->rsa_export.exponent, + info->rsa_export.exponent_size); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(mod); + return ret; + } + + return 0; + } + + return GNUTLS_E_INVALID_REQUEST; } @@ -210,28 +211,28 @@ int ret; **/ int gnutls_dh_get_secret_bits(gnutls_session session) { - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_server_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - return info->dh.secret_bits; - } - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - return info->dh.secret_bits; - } - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_server_auth_info_t info; + + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + return info->dh.secret_bits; + } + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info; + + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + return info->dh.secret_bits; } + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } } @@ -246,34 +247,34 @@ int gnutls_dh_get_secret_bits(gnutls_session session) **/ int gnutls_dh_get_prime_bits(gnutls_session session) { -dh_info_t *dh; - - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_server_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - dh = &info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - dh = &info->dh; - break; - } - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + dh_info_t *dh; + + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_server_auth_info_t info; + + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + dh = &info->dh; + break; } + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info; - return (dh->prime_size)*8; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + dh = &info->dh; + break; + } + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return (dh->prime_size) * 8; } @@ -288,13 +289,13 @@ dh_info_t *dh; **/ int gnutls_rsa_export_get_modulus_bits(gnutls_session session) { -cert_auth_info_t info; + cert_auth_info_t info; - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; - return info->rsa_export.modulus_size*8; + return info->rsa_export.modulus_size * 8; } /** @@ -308,35 +309,35 @@ cert_auth_info_t info; **/ int gnutls_dh_get_peers_public_bits(gnutls_session session) { -dh_info_t * dh; - - switch( gnutls_auth_get_type( session)) { - case GNUTLS_CRD_ANON: { - anon_server_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - dh = &info->dh; - break; - } - case GNUTLS_CRD_CERTIFICATE: { - cert_auth_info_t info; - - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - - dh = &info->dh; - break; - } - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + dh_info_t *dh; + + switch (gnutls_auth_get_type(session)) { + case GNUTLS_CRD_ANON:{ + anon_server_auth_info_t info; + + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + dh = &info->dh; + break; } + case GNUTLS_CRD_CERTIFICATE:{ + cert_auth_info_t info; - return dh->public_key_size*8; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + dh = &info->dh; + break; + } + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return dh->public_key_size * 8; } @@ -355,20 +356,20 @@ dh_info_t * dh; **/ const gnutls_datum *gnutls_certificate_get_ours(gnutls_session session) { - const gnutls_certificate_credentials cred; + const gnutls_certificate_credentials cred; - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL); + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL); - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL || cred->cert_list == NULL) { - gnutls_assert(); - return NULL; - } + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL || cred->cert_list == NULL) { + gnutls_assert(); + return NULL; + } - if (session->internals.selected_cert_list == NULL) - return NULL; + if (session->internals.selected_cert_list == NULL) + return NULL; - return &session->internals.selected_cert_list[0].raw; + return &session->internals.selected_cert_list[0].raw; } /** @@ -385,19 +386,19 @@ const gnutls_datum *gnutls_certificate_get_ours(gnutls_session session) * Returns NULL in case of an error, or if no certificate was sent. * **/ -const gnutls_datum *gnutls_certificate_get_peers(gnutls_session session, - unsigned int *list_size) +const gnutls_datum *gnutls_certificate_get_peers(gnutls_session session, + unsigned int *list_size) { - cert_auth_info_t info; + cert_auth_info_t info; - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL); + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL); - info = _gnutls_get_auth_info(session); - if (info == NULL) - return NULL; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return NULL; - *list_size = info->ncerts; - return info->raw_certificate_list; + *list_size = info->ncerts; + return info->raw_certificate_list; } @@ -412,14 +413,14 @@ const gnutls_datum *gnutls_certificate_get_peers(gnutls_session session, **/ int gnutls_certificate_client_get_request_status(gnutls_session session) { - cert_auth_info_t info; + cert_auth_info_t info; - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, 0); + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, 0); - info = _gnutls_get_auth_info(session); - if (info == NULL) - return GNUTLS_E_INTERNAL_ERROR; - return info->certificate_requested; + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INTERNAL_ERROR; + return info->certificate_requested; } /** @@ -442,30 +443,30 @@ int gnutls_certificate_client_get_request_status(gnutls_session session) * Returns a negative value in case of an error. * **/ -int gnutls_fingerprint(gnutls_digest_algorithm algo, const gnutls_datum* data, - void* result, size_t* result_size) +int gnutls_fingerprint(gnutls_digest_algorithm algo, + const gnutls_datum * data, void *result, + size_t * result_size) { - GNUTLS_HASH_HANDLE td; - int hash_len = _gnutls_hash_get_algo_len(algo); - - if (hash_len < 0 || (uint)hash_len > *result_size || - result==NULL) - { - *result_size = hash_len; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } + GNUTLS_HASH_HANDLE td; + int hash_len = _gnutls_hash_get_algo_len(algo); + + if (hash_len < 0 || (uint) hash_len > *result_size || result == NULL) { *result_size = hash_len; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + *result_size = hash_len; - if (result) { - td = _gnutls_hash_init( algo); - if (td==NULL) return GNUTLS_E_HASH_FAILED; - - _gnutls_hash( td, data->data, data->size); - - _gnutls_hash_deinit( td, result); - } - - return 0; + if (result) { + td = _gnutls_hash_init(algo); + if (td == NULL) + return GNUTLS_E_HASH_FAILED; + + _gnutls_hash(td, data->data, data->size); + + _gnutls_hash_deinit(td, result); + } + + return 0; } /** @@ -478,9 +479,10 @@ int gnutls_fingerprint(gnutls_digest_algorithm algo, const gnutls_datum* data, * cipher suites. * **/ -void gnutls_anon_set_server_dh_params( gnutls_anon_server_credentials res, gnutls_dh_params dh_params) +void gnutls_anon_set_server_dh_params(gnutls_anon_server_credentials res, + gnutls_dh_params dh_params) { - res->dh_params = dh_params; + res->dh_params = dh_params; } /** @@ -493,9 +495,10 @@ void gnutls_anon_set_server_dh_params( gnutls_anon_server_credentials res, gnutl * cipher suites. * **/ -void gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_dh_params dh_params) +void gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, + gnutls_dh_params dh_params) { - res->dh_params = dh_params; + res->dh_params = dh_params; } /** @@ -508,10 +511,11 @@ void gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls * should return zero on success. * **/ -void gnutls_certificate_set_params_function(gnutls_certificate_credentials res, - gnutls_params_function* func) +void gnutls_certificate_set_params_function(gnutls_certificate_credentials + res, + gnutls_params_function * func) { - res->params_func = func; + res->params_func = func; } /** @@ -524,10 +528,10 @@ void gnutls_certificate_set_params_function(gnutls_certificate_credentials res, * return zero on success. * **/ -void gnutls_anon_set_params_function(gnutls_anon_server_credentials res, - gnutls_params_function* func) +void gnutls_anon_set_params_function(gnutls_anon_server_credentials res, + gnutls_params_function * func) { - res->params_func = func; + res->params_func = func; } @@ -540,9 +544,10 @@ void gnutls_anon_set_params_function(gnutls_anon_server_credentials res, * Flags must be OR of the gnutls_certificate_verify_flags enumerations. * **/ -void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials res, unsigned int flags) +void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials + res, unsigned int flags) { - res->verify_flags = flags; + res->verify_flags = flags; } /** @@ -555,7 +560,9 @@ void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials res, uns * cipher suites. * **/ -void gnutls_certificate_set_rsa_export_params(gnutls_certificate_credentials res, gnutls_rsa_params rsa_params) +void +gnutls_certificate_set_rsa_export_params(gnutls_certificate_credentials + res, gnutls_rsa_params rsa_params) { - res->rsa_params = rsa_params; + res->rsa_params = rsa_params; } diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h index 29093fa989..29f6baa8b3 100644 --- a/lib/gnutls_ui.h +++ b/lib/gnutls_ui.h @@ -2,8 +2,8 @@ # define GNUTLS_UI_H typedef enum gnutls_x509_subject_alt_name { - GNUTLS_SAN_DNSNAME = 1, GNUTLS_SAN_RFC822NAME, - GNUTLS_SAN_URI, GNUTLS_SAN_IPADDRESS + GNUTLS_SAN_DNSNAME = 1, GNUTLS_SAN_RFC822NAME, + GNUTLS_SAN_URI, GNUTLS_SAN_IPADDRESS } gnutls_x509_subject_alt_name; # ifdef LIBGNUTLS_VERSION /* These are defined only in gnutls.h */ @@ -15,35 +15,43 @@ struct gnutls_openpgp_privkey_int; typedef struct gnutls_openpgp_privkey_int *gnutls_openpgp_privkey; typedef struct gnutls_retr_st { - gnutls_certificate_type type; - union cert { - gnutls_x509_crt *x509; - gnutls_openpgp_key pgp; - } cert; - unsigned int ncerts; /* one for pgp keys */ - - union key { - gnutls_x509_privkey x509; - gnutls_openpgp_privkey pgp; - } key; - - unsigned int deinit_all; /* if non zero all keys will be deinited */ + gnutls_certificate_type type; + union cert { + gnutls_x509_crt *x509; + gnutls_openpgp_key pgp; + } cert; + unsigned int ncerts; /* one for pgp keys */ + + union key { + gnutls_x509_privkey x509; + gnutls_openpgp_privkey pgp; + } key; + + unsigned int deinit_all; /* if non zero all keys will be deinited */ } gnutls_retr_st; typedef int gnutls_certificate_client_retrieve_function(gnutls_session, - const gnutls_datum* req_ca_rdn, int nreqs, - const gnutls_pk_algorithm* pk_algos, int pk_algos_length, - gnutls_retr_st *); + const gnutls_datum + * req_ca_rdn, + int nreqs, + const + gnutls_pk_algorithm + * pk_algos, + int + pk_algos_length, + gnutls_retr_st *); typedef int gnutls_certificate_server_retrieve_function(gnutls_session, - gnutls_retr_st *); + gnutls_retr_st *); /* Functions that allow auth_info_t structures handling */ gnutls_credentials_type gnutls_auth_get_type(gnutls_session session); -gnutls_credentials_type gnutls_auth_server_get_type(gnutls_session session); -gnutls_credentials_type gnutls_auth_client_get_type(gnutls_session session); +gnutls_credentials_type gnutls_auth_server_get_type(gnutls_session + session); +gnutls_credentials_type gnutls_auth_client_get_type(gnutls_session + session); /* DH */ @@ -52,39 +60,49 @@ int gnutls_dh_get_secret_bits(gnutls_session); int gnutls_dh_get_peers_public_bits(gnutls_session); int gnutls_dh_get_prime_bits(gnutls_session); -int gnutls_dh_get_group(gnutls_session, gnutls_datum* gen, gnutls_datum* prime); -int gnutls_dh_get_pubkey(gnutls_session, gnutls_datum* pub); +int gnutls_dh_get_group(gnutls_session, gnutls_datum * gen, + gnutls_datum * prime); +int gnutls_dh_get_pubkey(gnutls_session, gnutls_datum * pub); /* RSA */ -int gnutls_rsa_export_get_pubkey(gnutls_session session, gnutls_datum* exp, gnutls_datum* mod); +int gnutls_rsa_export_get_pubkey(gnutls_session session, + gnutls_datum * exp, gnutls_datum * mod); int gnutls_rsa_export_get_modulus_bits(gnutls_session session); /* X509PKI */ /* These are set on the credentials structure. */ -void gnutls_certificate_client_set_retrieve_function(gnutls_certificate_client_credentials, - gnutls_certificate_client_retrieve_function *); -void gnutls_certificate_server_set_retrieve_function(gnutls_certificate_server_credentials, - gnutls_certificate_server_retrieve_function *); +void +gnutls_certificate_client_set_retrieve_function +(gnutls_certificate_client_credentials, +gnutls_certificate_client_retrieve_function *); +void +gnutls_certificate_server_set_retrieve_function +(gnutls_certificate_server_credentials, +gnutls_certificate_server_retrieve_function *); void gnutls_certificate_server_set_request(gnutls_session, - gnutls_certificate_request); + gnutls_certificate_request); /* X.509 certificate handling functions */ int gnutls_pkcs3_extract_dh_params(const gnutls_datum * params, - gnutls_x509_crt_fmt format, gnutls_datum * prime, - gnutls_datum * generator, int *prime_bits); + gnutls_x509_crt_fmt format, + gnutls_datum * prime, + gnutls_datum * generator, + int *prime_bits); int gnutls_pkcs3_export_dh_params(const gnutls_datum * prime, - const gnutls_datum * generator, gnutls_x509_crt_fmt format, - unsigned char *params_data, int *params_data_size); + const gnutls_datum * generator, + gnutls_x509_crt_fmt format, + unsigned char *params_data, + int *params_data_size); /* get data from the session */ const gnutls_datum *gnutls_certificate_get_peers(gnutls_session, - unsigned int *list_size); + unsigned int *list_size); const gnutls_datum *gnutls_certificate_get_ours(gnutls_session session); time_t gnutls_certificate_activation_time_peers(gnutls_session session); @@ -94,15 +112,17 @@ int gnutls_certificate_client_get_request_status(gnutls_session); int gnutls_certificate_verify_peers(gnutls_session); int gnutls_pem_base64_encode(const char *header, const gnutls_datum * data, - char *result, size_t * result_size); + char *result, size_t * result_size); int gnutls_pem_base64_decode(const char *header, - const gnutls_datum * b64_data, - unsigned char *result, size_t * result_size); + const gnutls_datum * b64_data, + unsigned char *result, size_t * result_size); int gnutls_pem_base64_encode_alloc(const char *header, - const gnutls_datum * data, gnutls_datum * result); + const gnutls_datum * data, + gnutls_datum * result); int gnutls_pem_base64_decode_alloc(const char *header, - const gnutls_datum * b64_data, gnutls_datum * result); + const gnutls_datum * b64_data, + gnutls_datum * result); /* key_usage will be an OR of the following values: */ @@ -121,21 +141,22 @@ int gnutls_pem_base64_decode_alloc(const char *header, #define GNUTLS_KEY_DECIPHER_ONLY 32768 typedef struct gnutls_params_st { - gnutls_params_type type; - union params { - gnutls_dh_params dh; - gnutls_rsa_params rsa_export; - } params; - int deinit; + gnutls_params_type type; + union params { + gnutls_dh_params dh; + gnutls_rsa_params rsa_export; + } params; + int deinit; } gnutls_params_st; typedef int gnutls_params_function(gnutls_session, gnutls_params_type, - gnutls_params_st*); + gnutls_params_st *); -void gnutls_certificate_set_params_function(gnutls_certificate_credentials res, - gnutls_params_function* func); -void gnutls_anon_set_params_function(gnutls_certificate_credentials res, - gnutls_params_function* func); +void gnutls_certificate_set_params_function(gnutls_certificate_credentials + res, + gnutls_params_function * func); +void gnutls_anon_set_params_function(gnutls_certificate_credentials res, + gnutls_params_function * func); diff --git a/lib/gnutls_v2_compat.c b/lib/gnutls_v2_compat.c index 7e19848582..0cda405a00 100644 --- a/lib/gnutls_v2_compat.c +++ b/lib/gnutls_v2_compat.c @@ -41,38 +41,40 @@ #include "gnutls_auth_int.h" /* This selects the best supported ciphersuite from the ones provided */ -static int _gnutls_handshake_select_v2_suite(gnutls_session session, opaque *data, int datalen) +static int _gnutls_handshake_select_v2_suite(gnutls_session session, + opaque * data, int datalen) { - int i, j, ret; - opaque* _data; - int _datalen; - - _gnutls_handshake_log( "HSK[%x]: Parsing a version 2.0 client hello.\n", session); - - _data = gnutls_malloc( datalen); - if (_data==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + int i, j, ret; + opaque *_data; + int _datalen; + + _gnutls_handshake_log("HSK[%x]: Parsing a version 2.0 client hello.\n", + session); + + _data = gnutls_malloc(datalen); + if (_data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + if (datalen % 3 != 0) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + i = _datalen = 0; + for (j = 0; j < datalen; j += 3) { + if (data[j] == 0) { + memcpy(&_data[i], &data[j + 1], 2); + i += 2; + _datalen += 2; } + } - if (datalen % 3 != 0) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - - i = _datalen = 0; - for (j = 0; j < datalen; j += 3) { - if (data[j] == 0) { - memcpy( &_data[i], &data[j+1], 2); - i+=2; - _datalen+=2; - } - } + ret = _gnutls_server_select_suite(session, _data, _datalen); + gnutls_free(_data); - ret = _gnutls_server_select_suite( session, _data, _datalen); - gnutls_free(_data); - - return ret; + return ret; } @@ -81,152 +83,162 @@ static int _gnutls_handshake_select_v2_suite(gnutls_session session, opaque *dat * However they set their version to 3.0 or 3.1. */ int _gnutls_read_client_hello_v2(gnutls_session session, opaque * data, - int datalen) + int datalen) { - uint16 session_id_len = 0; - int pos = 0; - int ret = 0; - uint16 sizeOfSuites; - gnutls_protocol_version version; - opaque random[TLS_RANDOM_SIZE]; - int len = datalen; - int err; - uint16 challenge; - opaque session_id[TLS_MAX_SESSION_ID_SIZE]; - gnutls_protocol_version ver; - - /* we only want to get here once - only in client hello */ - session->internals.v2_hello = 0; - - DECR_LEN(len, 2); - - _gnutls_handshake_log( "HSK[%x]: SSL 2.0 Hello: Client's version: %d.%d\n", - session, data[pos], data[pos + 1]); - - set_adv_version( session, data[pos], data[pos+1]); - - version = _gnutls_version_get(data[pos], data[pos + 1]); - - /* if we do not support that version - */ - if (_gnutls_version_is_supported(session, version) == 0) { - ver = _gnutls_version_lowest( session); - } else { - ver = version; - } - - _gnutls_set_current_version(session, ver); - - pos += 2; - - - /* Read uint16 cipher_spec_length */ - DECR_LEN(len, 2); - sizeOfSuites = _gnutls_read_uint16( &data[pos]); - pos += 2; - - /* read session id length */ - DECR_LEN(len, 2); - session_id_len = _gnutls_read_uint16( &data[pos]); - pos += 2; + uint16 session_id_len = 0; + int pos = 0; + int ret = 0; + uint16 sizeOfSuites; + gnutls_protocol_version version; + opaque random[TLS_RANDOM_SIZE]; + int len = datalen; + int err; + uint16 challenge; + opaque session_id[TLS_MAX_SESSION_ID_SIZE]; + gnutls_protocol_version ver; + + /* we only want to get here once - only in client hello */ + session->internals.v2_hello = 0; + + DECR_LEN(len, 2); + + _gnutls_handshake_log + ("HSK[%x]: SSL 2.0 Hello: Client's version: %d.%d\n", session, + data[pos], data[pos + 1]); + + set_adv_version(session, data[pos], data[pos + 1]); + + version = _gnutls_version_get(data[pos], data[pos + 1]); + + /* if we do not support that version + */ + if (_gnutls_version_is_supported(session, version) == 0) { + ver = _gnutls_version_lowest(session); + } else { + ver = version; + } + + _gnutls_set_current_version(session, ver); + + pos += 2; + + + /* Read uint16 cipher_spec_length */ + DECR_LEN(len, 2); + sizeOfSuites = _gnutls_read_uint16(&data[pos]); + pos += 2; + + /* read session id length */ + DECR_LEN(len, 2); + session_id_len = _gnutls_read_uint16(&data[pos]); + pos += 2; + + if (session_id_len > TLS_MAX_SESSION_ID_SIZE) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + /* read challenge length */ + DECR_LEN(len, 2); + challenge = _gnutls_read_uint16(&data[pos]); + pos += 2; + + if (challenge < 16 || challenge > TLS_RANDOM_SIZE) { + gnutls_assert(); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + } + + /* find an appropriate cipher suite */ + + DECR_LEN(len, sizeOfSuites); + ret = + _gnutls_handshake_select_v2_suite(session, &data[pos], + sizeOfSuites); + + pos += sizeOfSuites; + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (session_id_len > TLS_MAX_SESSION_ID_SIZE) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } + /* check if the credentials (username, public key etc.) are ok + */ + if (_gnutls_get_kx_cred + (session, + _gnutls_cipher_suite_get_kx_algo(&session->security_parameters. + current_cipher_suite), + &err) == NULL && err != 0) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } - /* read challenge length */ - DECR_LEN(len, 2); - challenge = _gnutls_read_uint16( &data[pos]); - pos += 2; + /* set the mod_auth_st to the appropriate struct + * according to the KX algorithm. This is needed since all the + * handshake functions are read from there; + */ + session->internals.auth_struct = + _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo + (&session->security_parameters. + current_cipher_suite)); + if (session->internals.auth_struct == NULL) { - if ( challenge < 16 || challenge > TLS_RANDOM_SIZE) { - gnutls_assert(); - return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; - } + _gnutls_handshake_log + ("HSK[%x]: SSL 2.0 Hello: Cannot find the appropriate handler for the KX algorithm\n", + session); - /* find an appropriate cipher suite */ + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - DECR_LEN(len, sizeOfSuites); - ret = _gnutls_handshake_select_v2_suite(session, &data[pos], sizeOfSuites); - pos += sizeOfSuites; - if (ret < 0) { - gnutls_assert(); - return ret; - } - /* check if the credentials (username, public key etc.) are ok - */ - if (_gnutls_get_kx_cred( session, _gnutls_cipher_suite_get_kx_algo( - &session->security_parameters.current_cipher_suite), &err) == NULL && err != 0) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + /* read random new values -skip session id for now */ + DECR_LEN(len, session_id_len); /* skip session id for now */ + memcpy(session_id, &data[pos], session_id_len); + pos += session_id_len; - /* set the mod_auth_st to the appropriate struct - * according to the KX algorithm. This is needed since all the - * handshake functions are read from there; - */ - session->internals.auth_struct = - _gnutls_kx_auth_struct(_gnutls_cipher_suite_get_kx_algo - (&session->security_parameters. - current_cipher_suite)); - if (session->internals.auth_struct == NULL) { - - _gnutls_handshake_log( - "HSK[%x]: SSL 2.0 Hello: Cannot find the appropriate handler for the KX algorithm\n", - session); - - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + DECR_LEN(len, challenge); + memset(random, 0, TLS_RANDOM_SIZE); - + memcpy(&random[TLS_RANDOM_SIZE - challenge], &data[pos], challenge); - /* read random new values -skip session id for now */ - DECR_LEN(len, session_id_len); /* skip session id for now */ - memcpy( session_id, &data[pos], session_id_len); - pos += session_id_len; - - DECR_LEN(len, challenge); - memset( random, 0, TLS_RANDOM_SIZE); - - memcpy( &random[TLS_RANDOM_SIZE-challenge], &data[pos], challenge); + _gnutls_set_client_random(session, random); - _gnutls_set_client_random( session, random); + /* generate server random value */ - /* generate server random value */ + _gnutls_tls_create_random(random); + _gnutls_set_server_random(session, random); - _gnutls_tls_create_random( random); - _gnutls_set_server_random( session, random); - - session->security_parameters.timestamp = time(NULL); + session->security_parameters.timestamp = time(NULL); - /* RESUME SESSION */ + /* RESUME SESSION */ - DECR_LEN(len, session_id_len); - ret = _gnutls_server_restore_session(session, session_id, session_id_len); + DECR_LEN(len, session_id_len); + ret = + _gnutls_server_restore_session(session, session_id, + session_id_len); - if (ret == 0) { /* resumed! */ - /* get the new random values */ - memcpy(session->internals.resumed_security_parameters.server_random, - session->security_parameters.server_random, TLS_RANDOM_SIZE); - memcpy(session->internals.resumed_security_parameters.client_random, - session->security_parameters.client_random, TLS_RANDOM_SIZE); + if (ret == 0) { /* resumed! */ + /* get the new random values */ + memcpy(session->internals.resumed_security_parameters. + server_random, session->security_parameters.server_random, + TLS_RANDOM_SIZE); + memcpy(session->internals.resumed_security_parameters. + client_random, session->security_parameters.client_random, + TLS_RANDOM_SIZE); - session->internals.resumed = RESUME_TRUE; - return 0; - } else { - _gnutls_generate_session_id(session->security_parameters. - session_id, - &session->security_parameters. - session_id_size); - session->internals.resumed = RESUME_FALSE; - } + session->internals.resumed = RESUME_TRUE; + return 0; + } else { + _gnutls_generate_session_id(session->security_parameters. + session_id, + &session->security_parameters. + session_id_size); + session->internals.resumed = RESUME_FALSE; + } - session->internals.compression_method = GNUTLS_COMP_NULL; + session->internals.compression_method = GNUTLS_COMP_NULL; - return 0; + return 0; } diff --git a/lib/gnutls_v2_compat.h b/lib/gnutls_v2_compat.h index 77297cac3d..ce935d5782 100644 --- a/lib/gnutls_v2_compat.h +++ b/lib/gnutls_v2_compat.h @@ -1 +1,2 @@ -int _gnutls_read_client_hello_v2(gnutls_session session, opaque * data, int datalen); +int _gnutls_read_client_hello_v2(gnutls_session session, opaque * data, + int datalen); diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index 705b56a230..6e6ca037c5 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c @@ -71,78 +71,79 @@ -*/ int _gnutls_x509_cert_verify_peers(gnutls_session session) { - cert_auth_info_t info; - const gnutls_certificate_credentials cred; - unsigned int verify; - gnutls_x509_crt *peer_certificate_list; - int peer_certificate_list_size, i, x, ret; - - CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(session); - if (info == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) { - gnutls_assert(); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) - return GNUTLS_E_NO_CERTIFICATE_FOUND; - - /* generate a list of gnutls_certs based on the auth info - * raw certs. - */ - peer_certificate_list_size = info->ncerts; - peer_certificate_list = - gnutls_calloc(1, - peer_certificate_list_size * - sizeof(gnutls_x509_crt)); - if (peer_certificate_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + cert_auth_info_t info; + const gnutls_certificate_credentials cred; + unsigned int verify; + gnutls_x509_crt *peer_certificate_list; + int peer_certificate_list_size, i, x, ret; + + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(session); + if (info == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; + + /* generate a list of gnutls_certs based on the auth info + * raw certs. + */ + peer_certificate_list_size = info->ncerts; + peer_certificate_list = + gnutls_calloc(1, + peer_certificate_list_size * + sizeof(gnutls_x509_crt)); + if (peer_certificate_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + for (i = 0; i < peer_certificate_list_size; i++) { + ret = gnutls_x509_crt_init(&peer_certificate_list[i]); + if (ret < 0) { + gnutls_assert(); + CLEAR_CERTS; + return ret; } - for (i = 0; i < peer_certificate_list_size; i++) { - ret = gnutls_x509_crt_init( &peer_certificate_list[i]); - if (ret < 0) { - gnutls_assert(); - CLEAR_CERTS; - return ret; - } - - ret = - gnutls_x509_crt_import(peer_certificate_list[i], - &info-> - raw_certificate_list[i], GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - CLEAR_CERTS; - return ret; - } + ret = + gnutls_x509_crt_import(peer_certificate_list[i], + &info-> + raw_certificate_list[i], + GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + CLEAR_CERTS; + return ret; } + } - /* Verify certificate - */ - ret = - gnutls_x509_crt_list_verify(peer_certificate_list, - peer_certificate_list_size, - cred->x509_ca_list, cred->x509_ncas, - cred->x509_crl_list, cred->x509_ncrls, - cred->verify_flags, &verify); + /* Verify certificate + */ + ret = + gnutls_x509_crt_list_verify(peer_certificate_list, + peer_certificate_list_size, + cred->x509_ca_list, cred->x509_ncas, + cred->x509_crl_list, cred->x509_ncrls, + cred->verify_flags, &verify); - CLEAR_CERTS; + CLEAR_CERTS; - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - return verify; + return verify; } /* @@ -152,118 +153,123 @@ int _gnutls_x509_cert_verify_peers(gnutls_session session) /* returns error if the certificate has different algorithm than * the given key parameters. */ -static int _gnutls_check_key_cert_match( gnutls_certificate_credentials res) +static int _gnutls_check_key_cert_match(gnutls_certificate_credentials res) { -gnutls_datum cid; -gnutls_datum kid; -uint pk = res->cert_list[res->ncerts-1][0].subject_pk_algorithm; - - if (res->pkey[res->ncerts-1].pk_algorithm != pk) - { - gnutls_assert(); - return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; - } - - if (pk == GNUTLS_PK_RSA) { - _gnutls_x509_write_rsa_params( res->pkey[res->ncerts-1].params, - res->pkey[res->ncerts-1].params_size, &kid); - - - _gnutls_x509_write_rsa_params( res->cert_list[res->ncerts-1][0].params, - res->cert_list[res->ncerts-1][0].params_size, &cid); - } else if ( pk == GNUTLS_PK_DSA) { - - _gnutls_x509_write_dsa_params( res->pkey[res->ncerts-1].params, - res->pkey[res->ncerts-1].params_size, &kid); - - _gnutls_x509_write_dsa_params( res->cert_list[res->ncerts-1][0].params, - res->cert_list[res->ncerts-1][0].params_size, &cid); - } - - if (cid.size != kid.size) { - gnutls_assert(); - _gnutls_free_datum( &kid); - _gnutls_free_datum( &cid); - return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; - } - - if (memcmp( kid.data, cid.data, kid.size) != 0) { - gnutls_assert(); - _gnutls_free_datum( &kid); - _gnutls_free_datum( &cid); - return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; - } - - _gnutls_free_datum( &kid); - _gnutls_free_datum( &cid); - return 0; + gnutls_datum cid; + gnutls_datum kid; + uint pk = res->cert_list[res->ncerts - 1][0].subject_pk_algorithm; + + if (res->pkey[res->ncerts - 1].pk_algorithm != pk) { + gnutls_assert(); + return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; + } + + if (pk == GNUTLS_PK_RSA) { + _gnutls_x509_write_rsa_params(res->pkey[res->ncerts - 1].params, + res->pkey[res->ncerts - + 1].params_size, &kid); + + + _gnutls_x509_write_rsa_params(res->cert_list[res->ncerts - 1][0]. + params, + res->cert_list[res->ncerts - + 1][0].params_size, + &cid); + } else if (pk == GNUTLS_PK_DSA) { + + _gnutls_x509_write_dsa_params(res->pkey[res->ncerts - 1].params, + res->pkey[res->ncerts - + 1].params_size, &kid); + + _gnutls_x509_write_dsa_params(res->cert_list[res->ncerts - 1][0]. + params, + res->cert_list[res->ncerts - + 1][0].params_size, + &cid); + } + + if (cid.size != kid.size) { + gnutls_assert(); + _gnutls_free_datum(&kid); + _gnutls_free_datum(&cid); + return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; + } + + if (memcmp(kid.data, cid.data, kid.size) != 0) { + gnutls_assert(); + _gnutls_free_datum(&kid); + _gnutls_free_datum(&cid); + return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; + } + + _gnutls_free_datum(&kid); + _gnutls_free_datum(&cid); + return 0; } /* Reads a DER encoded certificate list from memory and stores it to * a gnutls_cert structure. This is only called if PKCS7 read fails. * returns the number of certificates parsed (1) */ -static int parse_crt_mem( gnutls_cert** cert_list, uint* ncerts, - gnutls_x509_crt cert) +static int parse_crt_mem(gnutls_cert ** cert_list, uint * ncerts, + gnutls_x509_crt cert) { - int i; - int ret; + int i; + int ret; - i = *ncerts + 1; + i = *ncerts + 1; - *cert_list = - (gnutls_cert *) gnutls_realloc_fast( *cert_list, - i * - sizeof(gnutls_cert)); + *cert_list = + (gnutls_cert *) gnutls_realloc_fast(*cert_list, + i * sizeof(gnutls_cert)); - if ( *cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (*cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - ret = _gnutls_x509_crt_to_gcert( - &cert_list[0][i-1], cert, 0); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - - *ncerts = i; + ret = _gnutls_x509_crt_to_gcert(&cert_list[0][i - 1], cert, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 1; /* one certificate parsed */ + *ncerts = i; + + return 1; /* one certificate parsed */ } /* Reads a DER encoded certificate list from memory and stores it to * a gnutls_cert structure. This is only called if PKCS7 read fails. * returns the number of certificates parsed (1) */ -static int parse_der_cert_mem( gnutls_cert** cert_list, uint* ncerts, - const void *input_cert, int input_cert_size) +static int parse_der_cert_mem(gnutls_cert ** cert_list, uint * ncerts, + const void *input_cert, int input_cert_size) { - gnutls_datum tmp; - gnutls_x509_crt cert; - int ret; - - ret = gnutls_x509_crt_init( &cert); - if ( ret < 0) { - gnutls_assert(); - return ret; - } + gnutls_datum tmp; + gnutls_x509_crt cert; + int ret; - tmp.data = (opaque*)input_cert; - tmp.size = input_cert_size; + ret = gnutls_x509_crt_init(&cert); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_x509_crt_import( cert, &tmp, GNUTLS_X509_FMT_DER); - if ( ret < 0) { - gnutls_assert(); - gnutls_x509_crt_deinit( cert); - return ret; - } + tmp.data = (opaque *) input_cert; + tmp.size = input_cert_size; - ret = parse_crt_mem( cert_list, ncerts, cert); - gnutls_x509_crt_deinit( cert); - + ret = gnutls_x509_crt_import(cert, &tmp, GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_crt_deinit(cert); return ret; + } + + ret = parse_crt_mem(cert_list, ncerts, cert); + gnutls_x509_crt_deinit(cert); + + return ret; } #define CERT_PEM 1 @@ -273,350 +279,369 @@ static int parse_der_cert_mem( gnutls_cert** cert_list, uint* ncerts, * a gnutls_cert structure. * returns the number of certificate parsed */ -static int parse_pkcs7_cert_mem( gnutls_cert** cert_list, uint* ncerts, const - void *input_cert, int input_cert_size, int flags) +static int parse_pkcs7_cert_mem(gnutls_cert ** cert_list, uint * ncerts, const + void *input_cert, int input_cert_size, + int flags) { #ifdef ENABLE_PKI - int i, j, count; - gnutls_datum tmp, tmp2; - int ret; - opaque *pcert = NULL; - size_t pcert_size; - gnutls_pkcs7 pkcs7; - - ret = gnutls_pkcs7_init( &pkcs7); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - if (flags & CERT_PEM) - ret = gnutls_pkcs7_import( pkcs7, &tmp, GNUTLS_X509_FMT_PEM); - else - ret = gnutls_pkcs7_import( pkcs7, &tmp, GNUTLS_X509_FMT_DER); - if (ret < 0) { - /* if we failed to read the structure, - * then just try to decode a plain DER - * certificate. - */ - gnutls_assert(); - gnutls_pkcs7_deinit(pkcs7); + int i, j, count; + gnutls_datum tmp, tmp2; + int ret; + opaque *pcert = NULL; + size_t pcert_size; + gnutls_pkcs7 pkcs7; + + ret = gnutls_pkcs7_init(&pkcs7); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + if (flags & CERT_PEM) + ret = gnutls_pkcs7_import(pkcs7, &tmp, GNUTLS_X509_FMT_PEM); + else + ret = gnutls_pkcs7_import(pkcs7, &tmp, GNUTLS_X509_FMT_DER); + if (ret < 0) { + /* if we failed to read the structure, + * then just try to decode a plain DER + * certificate. + */ + gnutls_assert(); + gnutls_pkcs7_deinit(pkcs7); #endif - return parse_der_cert_mem( cert_list, ncerts, - input_cert, input_cert_size); + return parse_der_cert_mem(cert_list, ncerts, + input_cert, input_cert_size); #ifdef ENABLE_PKI + } + + i = *ncerts + 1; + + /* tmp now contains the decoded certificate list */ + tmp.data = (opaque *) input_cert; + tmp.size = input_cert_size; + + ret = gnutls_pkcs7_get_crt_count(pkcs7); + + if (ret < 0) { + gnutls_assert(); + gnutls_pkcs7_deinit(pkcs7); + return ret; + } + count = ret; + + j = count - 1; + do { + pcert_size = 0; + ret = gnutls_pkcs7_get_crt_raw(pkcs7, j, NULL, &pcert_size); + if (ret != GNUTLS_E_MEMORY_ERROR) { + count--; + continue; + } + + pcert = gnutls_malloc(pcert_size); + if (ret == GNUTLS_E_MEMORY_ERROR) { + gnutls_assert(); + count--; + continue; } - i = *ncerts + 1; + /* read the certificate + */ + ret = gnutls_pkcs7_get_crt_raw(pkcs7, j, pcert, &pcert_size); - /* tmp now contains the decoded certificate list */ - tmp.data = (opaque*)input_cert; - tmp.size = input_cert_size; + j--; - ret = gnutls_pkcs7_get_crt_count( pkcs7); + if (ret >= 0) { + *cert_list = + (gnutls_cert *) gnutls_realloc_fast(*cert_list, + i * + sizeof(gnutls_cert)); - if (ret < 0) { + if (*cert_list == NULL) { + gnutls_assert(); + gnutls_free(pcert); + return GNUTLS_E_MEMORY_ERROR; + } + + tmp2.data = pcert; + tmp2.size = pcert_size; + + ret = + _gnutls_x509_raw_cert_to_gcert(&cert_list[0][i - 1], &tmp2, + 0); + + if (ret < 0) { gnutls_assert(); gnutls_pkcs7_deinit(pkcs7); + gnutls_free(pcert); return ret; + } + + i++; } - count = ret; - - j = count - 1; - do { - pcert_size = 0; - ret = gnutls_pkcs7_get_crt_raw( pkcs7, j, NULL, &pcert_size); - if (ret!=GNUTLS_E_MEMORY_ERROR) { - count--; - continue; - } - - pcert = gnutls_malloc( pcert_size); - if (ret==GNUTLS_E_MEMORY_ERROR) { - gnutls_assert(); - count--; - continue; - } - /* read the certificate - */ - ret = gnutls_pkcs7_get_crt_raw( pkcs7, j, pcert, &pcert_size); - - j--; - - if (ret >= 0) { - *cert_list = - (gnutls_cert *) gnutls_realloc_fast( *cert_list, - i * sizeof(gnutls_cert)); - - if ( *cert_list == NULL) { - gnutls_assert(); - gnutls_free( pcert); - return GNUTLS_E_MEMORY_ERROR; - } - - tmp2.data = pcert; - tmp2.size = pcert_size; - - ret = _gnutls_x509_raw_cert_to_gcert( - &cert_list[0][i - 1], &tmp2, 0); - - if ( ret < 0) { - gnutls_assert(); - gnutls_pkcs7_deinit(pkcs7); - gnutls_free( pcert); - return ret; - } - - i++; - } - - gnutls_free( pcert); + gnutls_free(pcert); - } while (ret >= 0 && j >= 0); + } while (ret >= 0 && j >= 0); - *ncerts = i - 1; + *ncerts = i - 1; - gnutls_pkcs7_deinit(pkcs7); - return count; + gnutls_pkcs7_deinit(pkcs7); + return count; #endif } /* Reads a base64 encoded certificate list from memory and stores it to * a gnutls_cert structure. Returns the number of certificate parsed. */ -static int parse_pem_cert_mem( gnutls_cert** cert_list, uint* ncerts, - const char *input_cert, int input_cert_size) +static int parse_pem_cert_mem(gnutls_cert ** cert_list, uint * ncerts, + const char *input_cert, int input_cert_size) { - int size, siz2, i; - const char *ptr; - opaque *ptr2; - gnutls_datum tmp; - int ret, count; + int size, siz2, i; + const char *ptr; + opaque *ptr2; + gnutls_datum tmp; + int ret, count; #ifdef ENABLE_PKI - if ( (ptr = strnstr( input_cert, PEM_PKCS7_SEP, input_cert_size)) != NULL) - { - size = strlen( ptr); + if ((ptr = + strnstr(input_cert, PEM_PKCS7_SEP, input_cert_size)) != NULL) { + size = strlen(ptr); - ret = parse_pkcs7_cert_mem( cert_list, ncerts, ptr, - size, CERT_PEM); + ret = parse_pkcs7_cert_mem(cert_list, ncerts, ptr, size, CERT_PEM); - return ret; - } + return ret; + } #endif - /* move to the certificate - */ - ptr = strnstr( input_cert, PEM_CERT_SEP, input_cert_size); - if (ptr == NULL) ptr = strnstr( input_cert, PEM_CERT_SEP2, input_cert_size); + /* move to the certificate + */ + ptr = strnstr(input_cert, PEM_CERT_SEP, input_cert_size); + if (ptr == NULL) + ptr = strnstr(input_cert, PEM_CERT_SEP2, input_cert_size); - if (ptr == NULL) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; + if (ptr == NULL) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + size = input_cert_size - (ptr - input_cert); + + i = *ncerts + 1; + count = 0; + + do { + + siz2 = _gnutls_fbase64_decode(NULL, ptr, size, &ptr2); + + if (siz2 < 0) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; } - size = input_cert_size - (ptr - input_cert); - i = *ncerts + 1; - count = 0; + *cert_list = + (gnutls_cert *) gnutls_realloc_fast(*cert_list, + i * sizeof(gnutls_cert)); - do { + if (*cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - siz2 = _gnutls_fbase64_decode(NULL, ptr, size, &ptr2); + tmp.data = ptr2; + tmp.size = siz2; - if (siz2 < 0) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } + ret = + _gnutls_x509_raw_cert_to_gcert(&cert_list[0][i - 1], &tmp, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - *cert_list = - (gnutls_cert *) gnutls_realloc_fast( *cert_list, - i * - sizeof(gnutls_cert)); + /* now we move ptr after the pem header + */ + ptr++; + /* find the next certificate (if any) + */ + size = input_cert_size - (ptr - input_cert); - if ( *cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (size > 0) { + char *ptr2; - tmp.data = ptr2; - tmp.size = siz2; + ptr2 = strnstr(ptr, PEM_CERT_SEP, size); + if (ptr2 == NULL) + ptr2 = strnstr(ptr, PEM_CERT_SEP2, size); - ret = _gnutls_x509_raw_cert_to_gcert( - &cert_list[0][i - 1], &tmp, 0); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - - /* now we move ptr after the pem header - */ - ptr++; - /* find the next certificate (if any) - */ - size = input_cert_size - (ptr - input_cert); - - if (size > 0) { - char* ptr2; - - ptr2 = strnstr(ptr, PEM_CERT_SEP, size); - if (ptr2 == NULL) ptr2 = strnstr( ptr, PEM_CERT_SEP2, size); - - ptr = ptr2; - } else ptr = NULL; + ptr = ptr2; + } else + ptr = NULL; - i++; - count++; + i++; + count++; - } while ( ptr != NULL); + } while (ptr != NULL); - *ncerts = i - 1; + *ncerts = i - 1; - return count; + return count; } /* Reads a DER or PEM certificate from memory */ -static -int read_cert_mem(gnutls_certificate_credentials res, const void *cert, int cert_size, - gnutls_x509_crt_fmt type) +static +int read_cert_mem(gnutls_certificate_credentials res, const void *cert, + int cert_size, gnutls_x509_crt_fmt type) { - int ret; - - /* allocate space for the certificate to add - */ - res->cert_list = gnutls_realloc_fast( res->cert_list, - (1+ res->ncerts)*sizeof(gnutls_cert*)); - if ( res->cert_list==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - res->cert_list_length = gnutls_realloc_fast( res->cert_list_length, - (1+ res->ncerts)*sizeof(int)); - if (res->cert_list_length==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - res->cert_list[res->ncerts] = NULL; /* for realloc */ - res->cert_list_length[res->ncerts] = 0; - - if (type==GNUTLS_X509_FMT_DER) - ret = parse_pkcs7_cert_mem( &res->cert_list[res->ncerts], - &res->cert_list_length[res->ncerts], cert, cert_size, 0); - else - ret = parse_pem_cert_mem( &res->cert_list[res->ncerts], &res->cert_list_length[res->ncerts], - cert, cert_size); - - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret; + + /* allocate space for the certificate to add + */ + res->cert_list = gnutls_realloc_fast(res->cert_list, + (1 + + res->ncerts) * + sizeof(gnutls_cert *)); + if (res->cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + res->cert_list_length = gnutls_realloc_fast(res->cert_list_length, + (1 + + res->ncerts) * + sizeof(int)); + if (res->cert_list_length == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + res->cert_list[res->ncerts] = NULL; /* for realloc */ + res->cert_list_length[res->ncerts] = 0; + + if (type == GNUTLS_X509_FMT_DER) + ret = parse_pkcs7_cert_mem(&res->cert_list[res->ncerts], + &res->cert_list_length[res->ncerts], + cert, cert_size, 0); + else + ret = + parse_pem_cert_mem(&res->cert_list[res->ncerts], + &res->cert_list_length[res->ncerts], cert, + cert_size); + if (ret < 0) { + gnutls_assert(); return ret; + } + + return ret; } -int _gnutls_x509_privkey_to_gkey( gnutls_privkey* dest, gnutls_x509_privkey src) +int _gnutls_x509_privkey_to_gkey(gnutls_privkey * dest, + gnutls_x509_privkey src) { -int i, ret; + int i, ret; - memset( dest, 0, sizeof(gnutls_privkey)); + memset(dest, 0, sizeof(gnutls_privkey)); - for(i=0;i<src->params_size;i++) { - dest->params[i] = _gnutls_mpi_copy( src->params[i]); - if (dest->params[i] == NULL) { - gnutls_assert(); - ret = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } + for (i = 0; i < src->params_size; i++) { + dest->params[i] = _gnutls_mpi_copy(src->params[i]); + if (dest->params[i] == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; } + } - dest->pk_algorithm = src->pk_algorithm; - dest->params_size = src->params_size; + dest->pk_algorithm = src->pk_algorithm; + dest->params_size = src->params_size; - return 0; + return 0; - cleanup: - - for (i=0;i<src->params_size;i++) { - _gnutls_mpi_release( &dest->params[i]); - } - return ret; + cleanup: + + for (i = 0; i < src->params_size; i++) { + _gnutls_mpi_release(&dest->params[i]); + } + return ret; } -void _gnutls_gkey_deinit(gnutls_privkey *key) +void _gnutls_gkey_deinit(gnutls_privkey * key) { -int i; - if (key == NULL) return; + int i; + if (key == NULL) + return; - for (i = 0; i < key->params_size; i++) { - _gnutls_mpi_release( &key->params[i]); - } + for (i = 0; i < key->params_size; i++) { + _gnutls_mpi_release(&key->params[i]); + } } -int _gnutls_x509_raw_privkey_to_gkey( gnutls_privkey* privkey, const gnutls_datum* raw_key, - gnutls_x509_crt_fmt type) +int _gnutls_x509_raw_privkey_to_gkey(gnutls_privkey * privkey, + const gnutls_datum * raw_key, + gnutls_x509_crt_fmt type) { -gnutls_x509_privkey tmpkey; -int ret; + gnutls_x509_privkey tmpkey; + int ret; - ret = gnutls_x509_privkey_init( &tmpkey); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_x509_privkey_init(&tmpkey); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_x509_privkey_import( tmpkey, raw_key, type); - if (ret < 0) { - gnutls_assert(); - gnutls_x509_privkey_deinit( tmpkey); - return ret; - } + ret = gnutls_x509_privkey_import(tmpkey, raw_key, type); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_privkey_deinit(tmpkey); + return ret; + } - ret = _gnutls_x509_privkey_to_gkey( privkey, tmpkey); - if (ret < 0) { - gnutls_assert(); - gnutls_x509_privkey_deinit( tmpkey); - return ret; - } + ret = _gnutls_x509_privkey_to_gkey(privkey, tmpkey); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_privkey_deinit(tmpkey); + return ret; + } + + gnutls_x509_privkey_deinit(tmpkey); - gnutls_x509_privkey_deinit( tmpkey); - - return 0; + return 0; } /* Reads a PEM encoded PKCS-1 RSA private key from memory * 2002-01-26: Added ability to read DSA keys. * type indicates the certificate format. */ -static int read_key_mem(gnutls_certificate_credentials res, const void *key, int key_size, - gnutls_x509_crt_fmt type) +static int read_key_mem(gnutls_certificate_credentials res, + const void *key, int key_size, + gnutls_x509_crt_fmt type) { - int ret; - gnutls_datum tmp; - - /* allocate space for the pkey list - */ - res->pkey = gnutls_realloc_fast( res->pkey, (res->ncerts+1)*sizeof(gnutls_privkey)); - if (res->pkey==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - tmp.data = (opaque*)key; - tmp.size = key_size; - - ret = _gnutls_x509_raw_privkey_to_gkey( &res->pkey[res->ncerts], &tmp, type); - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret; + gnutls_datum tmp; + + /* allocate space for the pkey list + */ + res->pkey = + gnutls_realloc_fast(res->pkey, + (res->ncerts + 1) * sizeof(gnutls_privkey)); + if (res->pkey == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + tmp.data = (opaque *) key; + tmp.size = key_size; + + ret = + _gnutls_x509_raw_privkey_to_gkey(&res->pkey[res->ncerts], &tmp, + type); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /* Opens a file reads its contents and stores it @@ -634,113 +659,115 @@ static int read_key_mem(gnutls_certificate_credentials res, const void *key, int #include <strfile.h> -void _gnutls_strfile_free( strfile *x) +void _gnutls_strfile_free(strfile * x) { #ifdef HAVE_MMAP - if (x->mmaped) { - munmap( x->data, x->size); - return; - } + if (x->mmaped) { + munmap(x->data, x->size); + return; + } #endif - gnutls_free( x->data); - x->data = NULL; + gnutls_free(x->data); + x->data = NULL; } -strfile _gnutls_file_to_str( const char * file) +strfile _gnutls_file_to_str(const char *file) { - int fd1 = -1; - struct stat stat_st; - size_t tot_size; - size_t left; - opaque* tmp; - ssize_t i = 0; - strfile null = { NULL, 0, 0 }; - strfile ret = { NULL, 0, 0 }; - - fd1 = open( file, 0); - if (fd1==-1) { - gnutls_assert(); - return null; - } - - if (fstat( fd1, &stat_st) == -1) { - gnutls_assert(); - goto error; - } - - tot_size = stat_st.st_size; - if (tot_size == 0) { - gnutls_assert(); - goto error; - } - + int fd1 = -1; + struct stat stat_st; + size_t tot_size; + size_t left; + opaque *tmp; + ssize_t i = 0; + strfile null = { NULL, 0, 0 }; + strfile ret = { NULL, 0, 0 }; + + fd1 = open(file, 0); + if (fd1 == -1) { + gnutls_assert(); + return null; + } + + if (fstat(fd1, &stat_st) == -1) { + gnutls_assert(); + goto error; + } + + tot_size = stat_st.st_size; + if (tot_size == 0) { + gnutls_assert(); + goto error; + } #ifdef HAVE_MMAP - if ((tmp=mmap( NULL, tot_size, PROT_READ, MAP_SHARED, fd1, 0)) != MAP_FAILED) { - ret.mmaped = 1; - ret.data = tmp; - ret.size = tot_size; - - close(fd1); - return ret; - } + if ((tmp = + mmap(NULL, tot_size, PROT_READ, MAP_SHARED, fd1, + 0)) != MAP_FAILED) { + ret.mmaped = 1; + ret.data = tmp; + ret.size = tot_size; + + close(fd1); + return ret; + } #endif - ret.data = gnutls_malloc( tot_size); - if (ret.data == NULL) { + ret.data = gnutls_malloc(tot_size); + if (ret.data == NULL) { + gnutls_assert(); + goto error; + } + + left = tot_size; + while (left > 0) { + i = read(fd1, &ret.data[tot_size - left], left); + if (i == -1) { + if (errno == EAGAIN || errno == EINTR) + continue; + else { gnutls_assert(); goto error; - } - - left = tot_size; - while (left > 0) { - i = read( fd1, &ret.data[tot_size - left], left); - if (i == -1) { - if (errno == EAGAIN || errno == EINTR) - continue; - else { - gnutls_assert(); - goto error; - } - } else if (i==0) break; - - left -= i; - } + } + } else if (i == 0) + break; - ret.size = tot_size - left; + left -= i; + } - ret.mmaped = 0; + ret.size = tot_size - left; - close(fd1); + ret.mmaped = 0; - return ret; - - error: - - if (!ret.mmaped) - gnutls_free( ret.data); - close(fd1); - return null; + close(fd1); + + return ret; + + error: + + if (!ret.mmaped) + gnutls_free(ret.data); + close(fd1); + return null; } /* Reads a certificate file */ -static int read_cert_file(gnutls_certificate_credentials res, const char *certfile, - gnutls_x509_crt_fmt type) +static int read_cert_file(gnutls_certificate_credentials res, + const char *certfile, gnutls_x509_crt_fmt type) { - int ret; - strfile x; + int ret; + strfile x; - x = _gnutls_file_to_str( certfile); - if (x.data == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; - } + x = _gnutls_file_to_str(certfile); + if (x.data == NULL) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } - ret = read_cert_mem( res, x.data, x.size, type); - _gnutls_strfile_free(&x); - - return ret; + ret = read_cert_mem(res, x.data, x.size, type); + _gnutls_strfile_free(&x); + + return ret; } @@ -749,22 +776,22 @@ static int read_cert_file(gnutls_certificate_credentials res, const char *certfi /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl * stores it). */ -static int read_key_file(gnutls_certificate_credentials res, const char *keyfile, - gnutls_x509_crt_fmt type) +static int read_key_file(gnutls_certificate_credentials res, + const char *keyfile, gnutls_x509_crt_fmt type) { - int ret; - strfile x; + int ret; + strfile x; - x = _gnutls_file_to_str( keyfile); - if (x.data == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; - } + x = _gnutls_file_to_str(keyfile); + if (x.data == NULL) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } - ret = read_key_mem( res, x.data, x.size, type); - _gnutls_strfile_free(&x); - - return ret; + ret = read_key_mem(res, x.data, x.size, type); + _gnutls_strfile_free(&x); + + return ret; } /** @@ -793,27 +820,29 @@ static int read_key_file(gnutls_certificate_credentials res, const char *keyfile * then the strings that hold their values must be null terminated. * **/ -int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials res, const gnutls_datum* cert, - const gnutls_datum* key, gnutls_x509_crt_fmt type) +int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials res, + const gnutls_datum * cert, + const gnutls_datum * key, + gnutls_x509_crt_fmt type) { - int ret; + int ret; - /* this should be first - */ - if ((ret = read_key_mem( res, key->data, key->size, type)) < 0) - return ret; + /* this should be first + */ + if ((ret = read_key_mem(res, key->data, key->size, type)) < 0) + return ret; - if ((ret = read_cert_mem( res, cert->data, cert->size, type)) < 0) - return ret; + if ((ret = read_cert_mem(res, cert->data, cert->size, type)) < 0) + return ret; - res->ncerts++; + res->ncerts++; - if ((ret=_gnutls_check_key_cert_match( res)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_check_key_cert_match(res)) < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -829,61 +858,69 @@ int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials res, cons * server). * **/ -int gnutls_certificate_set_x509_key(gnutls_certificate_credentials res, - gnutls_x509_crt *cert_list, int cert_list_size, - gnutls_x509_privkey key) +int gnutls_certificate_set_x509_key(gnutls_certificate_credentials res, + gnutls_x509_crt * cert_list, + int cert_list_size, + gnutls_x509_privkey key) { - int ret, i; - - /* this should be first - */ - - res->pkey = gnutls_realloc_fast( res->pkey, (res->ncerts+1)*sizeof(gnutls_privkey)); - if (res->pkey==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = _gnutls_x509_privkey_to_gkey( &res->pkey[res->ncerts], key); + int ret, i; + + /* this should be first + */ + + res->pkey = + gnutls_realloc_fast(res->pkey, + (res->ncerts + 1) * sizeof(gnutls_privkey)); + if (res->pkey == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = _gnutls_x509_privkey_to_gkey(&res->pkey[res->ncerts], key); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + res->cert_list = gnutls_realloc_fast(res->cert_list, + (1 + + res->ncerts) * + sizeof(gnutls_cert *)); + if (res->cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + res->cert_list_length = gnutls_realloc_fast(res->cert_list_length, + (1 + + res->ncerts) * + sizeof(int)); + if (res->cert_list_length == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + res->cert_list[res->ncerts] = NULL; /* for realloc */ + res->cert_list_length[res->ncerts] = 0; + + + for (i = 0; i < cert_list_size; i++) { + ret = parse_crt_mem(&res->cert_list[res->ncerts], + &res->cert_list_length[res->ncerts], + cert_list[i]); if (ret < 0) { - gnutls_assert(); - return ret; - } - - res->cert_list = gnutls_realloc_fast( res->cert_list, - (1+ res->ncerts)*sizeof(gnutls_cert*)); - if ( res->cert_list==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - res->cert_list_length = gnutls_realloc_fast( res->cert_list_length, - (1+ res->ncerts)*sizeof(int)); - if (res->cert_list_length==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - res->cert_list[res->ncerts] = NULL; /* for realloc */ - res->cert_list_length[res->ncerts] = 0; - - - for (i=0;i<cert_list_size;i++) { - ret = parse_crt_mem( &res->cert_list[res->ncerts], - &res->cert_list_length[res->ncerts], cert_list[i]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } + gnutls_assert(); + return ret; } - res->ncerts++; + } + res->ncerts++; - if ((ret=_gnutls_check_key_cert_match( res)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_check_key_cert_match(res)) < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -903,87 +940,91 @@ int gnutls_certificate_set_x509_key(gnutls_certificate_credentials res, * this function. * **/ -int gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials res, const char *CERTFILE, - const char *KEYFILE, gnutls_x509_crt_fmt type) +int gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials + res, const char *CERTFILE, + const char *KEYFILE, + gnutls_x509_crt_fmt type) { - int ret; + int ret; - /* this should be first - */ - if ((ret = read_key_file(res, KEYFILE, type)) < 0) - return ret; + /* this should be first + */ + if ((ret = read_key_file(res, KEYFILE, type)) < 0) + return ret; - if ((ret = read_cert_file(res, CERTFILE, type)) < 0) - return ret; + if ((ret = read_cert_file(res, CERTFILE, type)) < 0) + return ret; - res->ncerts++; + res->ncerts++; - if ((ret=_gnutls_check_key_cert_match( res)) < 0) { - gnutls_assert(); - return ret; - } + if ((ret = _gnutls_check_key_cert_match(res)) < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } -static int generate_rdn_seq( gnutls_certificate_credentials res) +static int generate_rdn_seq(gnutls_certificate_credentials res) { -gnutls_datum tmp; -gnutls_datum _tmp; -int ret; -uint size, i; -opaque *pdata; - - /* Generate the RDN sequence - * This will be sent to clients when a certificate - * request message is sent. - */ - - /* FIXME: in case of a client it is not needed - * to do that. This would save time and memory. - * However we don't have that information available - * here. - */ - - size = 0; - for (i = 0; i < res->x509_ncas; i++) { - if ((ret = _gnutls_x509_crt_get_raw_issuer_dn( - res->x509_ca_list[i], &tmp)) < 0) { - gnutls_assert(); - return ret; - } - size += (2 + tmp.size); - } - - if (res->x509_rdn_sequence.data != NULL) - gnutls_free( res->x509_rdn_sequence.data); - - res->x509_rdn_sequence.data = gnutls_malloc(size); - if (res->x509_rdn_sequence.data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - res->x509_rdn_sequence.size = size; - - pdata = res->x509_rdn_sequence.data; - - for (i = 0; i < res->x509_ncas; i++) { - if ((ret = _gnutls_x509_crt_get_raw_issuer_dn( - res->x509_ca_list[i], &tmp)) < 0) { - gnutls_free(res->x509_rdn_sequence.data); - res->x509_rdn_sequence.size = 0; - res->x509_rdn_sequence.data = NULL; - gnutls_assert(); - return ret; - } - - _tmp.data = (opaque*) tmp.data; - _tmp.size = tmp.size; - _gnutls_write_datum16(pdata, _tmp); - pdata += (2 + tmp.size); - } - - return 0; + gnutls_datum tmp; + gnutls_datum _tmp; + int ret; + uint size, i; + opaque *pdata; + + /* Generate the RDN sequence + * This will be sent to clients when a certificate + * request message is sent. + */ + + /* FIXME: in case of a client it is not needed + * to do that. This would save time and memory. + * However we don't have that information available + * here. + */ + + size = 0; + for (i = 0; i < res->x509_ncas; i++) { + if ((ret = + _gnutls_x509_crt_get_raw_issuer_dn(res->x509_ca_list[i], + &tmp)) < 0) { + gnutls_assert(); + return ret; + } + size += (2 + tmp.size); + } + + if (res->x509_rdn_sequence.data != NULL) + gnutls_free(res->x509_rdn_sequence.data); + + res->x509_rdn_sequence.data = gnutls_malloc(size); + if (res->x509_rdn_sequence.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + res->x509_rdn_sequence.size = size; + + pdata = res->x509_rdn_sequence.data; + + for (i = 0; i < res->x509_ncas; i++) { + if ((ret = + _gnutls_x509_crt_get_raw_issuer_dn(res->x509_ca_list[i], + &tmp)) < 0) { + gnutls_free(res->x509_rdn_sequence.data); + res->x509_rdn_sequence.size = 0; + res->x509_rdn_sequence.data = NULL; + gnutls_assert(); + return ret; + } + + _tmp.data = (opaque *) tmp.data; + _tmp.size = tmp.size; + _gnutls_write_datum16(pdata, _tmp); + pdata += (2 + tmp.size); + } + + return 0; } @@ -992,180 +1033,179 @@ opaque *pdata; /* Returns 0 if it's ok to use the gnutls_kx_algorithm with this * certificate (uses the KeyUsage field). */ -int _gnutls_check_key_usage( const gnutls_cert* cert, - gnutls_kx_algorithm alg) +int _gnutls_check_key_usage(const gnutls_cert * cert, + gnutls_kx_algorithm alg) { - unsigned int keyUsage = 0; - int encipher_type; + unsigned int keyUsage = 0; + int encipher_type; - if ( cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - if (_gnutls_map_kx_get_cred(alg, 1) == GNUTLS_CRD_CERTIFICATE || - _gnutls_map_kx_get_cred(alg, 0) == GNUTLS_CRD_CERTIFICATE) - { - - keyUsage = cert->keyUsage; - - encipher_type = _gnutls_kx_encipher_type( alg); - - if (keyUsage != 0 && encipher_type != CIPHER_IGN) { - /* If keyUsage has been set in the certificate - */ - - if ( encipher_type == CIPHER_ENCRYPT) { - /* If the key exchange method requires an encipher - * type algorithm, and key's usage does not permit - * encipherment, then fail. - */ - if (!(keyUsage & KEY_KEY_ENCIPHERMENT)) { - gnutls_assert(); - return - GNUTLS_E_KEY_USAGE_VIOLATION; - } - } - - if ( encipher_type == CIPHER_SIGN) { - /* The same as above, but for sign only keys - */ - if (!(keyUsage & KEY_DIGITAL_SIGNATURE)) { - gnutls_assert(); - return - GNUTLS_E_KEY_USAGE_VIOLATION; - } - } + if (_gnutls_map_kx_get_cred(alg, 1) == GNUTLS_CRD_CERTIFICATE || + _gnutls_map_kx_get_cred(alg, 0) == GNUTLS_CRD_CERTIFICATE) { + + keyUsage = cert->keyUsage; + + encipher_type = _gnutls_kx_encipher_type(alg); + + if (keyUsage != 0 && encipher_type != CIPHER_IGN) { + /* If keyUsage has been set in the certificate + */ + + if (encipher_type == CIPHER_ENCRYPT) { + /* If the key exchange method requires an encipher + * type algorithm, and key's usage does not permit + * encipherment, then fail. + */ + if (!(keyUsage & KEY_KEY_ENCIPHERMENT)) { + gnutls_assert(); + return GNUTLS_E_KEY_USAGE_VIOLATION; } + } + + if (encipher_type == CIPHER_SIGN) { + /* The same as above, but for sign only keys + */ + if (!(keyUsage & KEY_DIGITAL_SIGNATURE)) { + gnutls_assert(); + return GNUTLS_E_KEY_USAGE_VIOLATION; + } + } } - return 0; + } + return 0; } -static int parse_pem_ca_mem( gnutls_x509_crt** cert_list, uint* ncerts, - const opaque *input_cert, int input_cert_size) +static int parse_pem_ca_mem(gnutls_x509_crt ** cert_list, uint * ncerts, + const opaque * input_cert, int input_cert_size) { - int i, size; - const opaque *ptr; - gnutls_datum tmp; - int ret, count; + int i, size; + const opaque *ptr; + gnutls_datum tmp; + int ret, count; - /* move to the certificate - */ - ptr = strnstr( input_cert, PEM_CERT_SEP, input_cert_size); - if (ptr == NULL) ptr = strnstr( input_cert, PEM_CERT_SEP2, input_cert_size); + /* move to the certificate + */ + ptr = strnstr(input_cert, PEM_CERT_SEP, input_cert_size); + if (ptr == NULL) + ptr = strnstr(input_cert, PEM_CERT_SEP2, input_cert_size); - if (ptr == NULL) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; + if (ptr == NULL) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + size = input_cert_size - (ptr - input_cert); + + i = *ncerts + 1; + count = 0; + + do { + + *cert_list = + (gnutls_x509_crt *) gnutls_realloc_fast(*cert_list, + i * + sizeof + (gnutls_x509_crt)); + + if (*cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = gnutls_x509_crt_init(&cert_list[0][i - 1]); + if (ret < 0) { + gnutls_assert(); + return ret; } - size = input_cert_size - (ptr - input_cert); - i = *ncerts + 1; - count = 0; + tmp.data = (opaque *) ptr; + tmp.size = size; - do { + ret = + gnutls_x509_crt_import(cert_list[0][i - 1], + &tmp, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + gnutls_assert(); + return ret; + } - *cert_list = - (gnutls_x509_crt *) gnutls_realloc_fast( *cert_list, - i * - sizeof(gnutls_x509_crt)); + /* now we move ptr after the pem header + */ + ptr++; + /* find the next certificate (if any) + */ - if ( *cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + size = input_cert_size - (ptr - input_cert); - ret = gnutls_x509_crt_init( &cert_list[0][i - 1]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - - tmp.data = (opaque*)ptr; - tmp.size = size; - - ret = - gnutls_x509_crt_import( - cert_list[0][i - 1], - &tmp, GNUTLS_X509_FMT_PEM); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (size > 0) { + char *ptr2; - /* now we move ptr after the pem header - */ - ptr++; - /* find the next certificate (if any) - */ + ptr2 = strnstr(ptr, PEM_CERT_SEP, size); + if (ptr2 == NULL) + ptr = strnstr(ptr, PEM_CERT_SEP2, size); - size = input_cert_size - (ptr - input_cert); - - if (size > 0) { - char* ptr2; - - ptr2 = strnstr(ptr, PEM_CERT_SEP, size); - if (ptr2 == NULL) ptr = strnstr( ptr, PEM_CERT_SEP2, size); - - ptr = ptr2; - } else ptr = NULL; + ptr = ptr2; + } else + ptr = NULL; - i++; - count++; + i++; + count++; - } while ( ptr != NULL); + } while (ptr != NULL); - *ncerts = i - 1; + *ncerts = i - 1; - return count; + return count; } /* Reads a DER encoded certificate list from memory and stores it to * a gnutls_cert structure. This is only called if PKCS7 read fails. * returns the number of certificates parsed (1) */ -static int parse_der_ca_mem( gnutls_x509_crt** cert_list, uint* ncerts, - const void *input_cert, int input_cert_size) +static int parse_der_ca_mem(gnutls_x509_crt ** cert_list, uint * ncerts, + const void *input_cert, int input_cert_size) { - int i; - gnutls_datum tmp; - int ret; + int i; + gnutls_datum tmp; + int ret; - i = *ncerts + 1; + i = *ncerts + 1; - *cert_list = - (gnutls_x509_crt *) gnutls_realloc_fast( *cert_list, - i * - sizeof(gnutls_x509_crt)); + *cert_list = + (gnutls_x509_crt *) gnutls_realloc_fast(*cert_list, + i * + sizeof(gnutls_x509_crt)); - if ( *cert_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (*cert_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - tmp.data = (opaque*)input_cert; - tmp.size = input_cert_size; + tmp.data = (opaque *) input_cert; + tmp.size = input_cert_size; - ret = gnutls_x509_crt_init( &cert_list[0][i - 1]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - - ret = - gnutls_x509_crt_import( - cert_list[0][i - 1], - &tmp, GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - *ncerts = i; + ret = gnutls_x509_crt_init(&cert_list[0][i - 1]); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 1; /* one certificate parsed */ + ret = + gnutls_x509_crt_import(cert_list[0][i - 1], + &tmp, GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + *ncerts = i; + + return 1; /* one certificate parsed */ } /** @@ -1188,22 +1228,23 @@ static int parse_der_ca_mem( gnutls_x509_crt** cert_list, uint* ncerts, * value on error. * **/ -int gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials res, - const gnutls_datum *ca, gnutls_x509_crt_fmt type) +int gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials + res, const gnutls_datum * ca, + gnutls_x509_crt_fmt type) { - int ret, ret2; + int ret, ret2; - if (type==GNUTLS_X509_FMT_DER) - return parse_der_ca_mem( &res->x509_ca_list, &res->x509_ncas, - ca->data, ca->size); - else - return parse_pem_ca_mem( &res->x509_ca_list, &res->x509_ncas, - ca->data, ca->size); + if (type == GNUTLS_X509_FMT_DER) + return parse_der_ca_mem(&res->x509_ca_list, &res->x509_ncas, + ca->data, ca->size); + else + return parse_pem_ca_mem(&res->x509_ca_list, &res->x509_ncas, + ca->data, ca->size); - if ((ret2 = generate_rdn_seq(res)) < 0) - return ret2; + if ((ret2 = generate_rdn_seq(res)) < 0) + return ret2; - return ret; + return ret; } /** @@ -1225,32 +1266,35 @@ int gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials res, * Returns 0 on success. * **/ -int gnutls_certificate_set_x509_trust(gnutls_certificate_credentials res, - gnutls_x509_crt * ca_list, int ca_list_size) +int gnutls_certificate_set_x509_trust(gnutls_certificate_credentials res, + gnutls_x509_crt * ca_list, + int ca_list_size) { - int ret, i, ret2; - - res->x509_ca_list = gnutls_realloc_fast( res->x509_ca_list, - (ca_list_size + res->x509_ncas)*sizeof(gnutls_x509_crt)); - if ( res->x509_ca_list==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - for (i=0;i<ca_list_size;i++) { - ret = _gnutls_x509_crt_cpy( res->x509_ca_list[i+res->x509_ncas], - ca_list[i]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - res->x509_ncas++; + int ret, i, ret2; + + res->x509_ca_list = gnutls_realloc_fast(res->x509_ca_list, + (ca_list_size + + res->x509_ncas) * + sizeof(gnutls_x509_crt)); + if (res->x509_ca_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + for (i = 0; i < ca_list_size; i++) { + ret = _gnutls_x509_crt_cpy(res->x509_ca_list[i + res->x509_ncas], + ca_list[i]); + if (ret < 0) { + gnutls_assert(); + return ret; } + res->x509_ncas++; + } - if ((ret2 = generate_rdn_seq(res)) < 0) - return ret2; + if ((ret2 = generate_rdn_seq(res)) < 0) + return ret2; - return 0; + return 0; } /** @@ -1273,189 +1317,192 @@ int gnutls_certificate_set_x509_trust(gnutls_certificate_credentials res, * value on error. * **/ -int gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials res, - const char *cafile, gnutls_x509_crt_fmt type) +int gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials + res, const char *cafile, + gnutls_x509_crt_fmt type) { - int ret, ret2; - strfile x; - - x = _gnutls_file_to_str( cafile); - if (x.data == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; - } - - if (type==GNUTLS_X509_FMT_DER) - ret = parse_der_ca_mem( &res->x509_ca_list, &res->x509_ncas, - x.data, x.size); - else - ret = parse_pem_ca_mem( &res->x509_ca_list, &res->x509_ncas, - x.data, x.size); - - _gnutls_strfile_free(&x); - - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret, ret2; + strfile x; + + x = _gnutls_file_to_str(cafile); + if (x.data == NULL) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } + + if (type == GNUTLS_X509_FMT_DER) + ret = parse_der_ca_mem(&res->x509_ca_list, &res->x509_ncas, + x.data, x.size); + else + ret = parse_pem_ca_mem(&res->x509_ca_list, &res->x509_ncas, + x.data, x.size); + + _gnutls_strfile_free(&x); + + if (ret < 0) { + gnutls_assert(); + return ret; + } - if ((ret2 = generate_rdn_seq(res)) < 0) - return ret2; + if ((ret2 = generate_rdn_seq(res)) < 0) + return ret2; - return ret; + return ret; } #ifdef ENABLE_PKI -static int parse_pem_crl_mem( gnutls_x509_crl** crl_list, uint* ncrls, - const opaque *input_crl, int input_crl_size) +static int parse_pem_crl_mem(gnutls_x509_crl ** crl_list, uint * ncrls, + const opaque * input_crl, int input_crl_size) { - int size, i; - const opaque *ptr; - gnutls_datum tmp; - int ret, count; + int size, i; + const opaque *ptr; + gnutls_datum tmp; + int ret, count; - /* move to the certificate - */ - ptr = strnstr( input_crl, PEM_CRL_SEP, input_crl_size); - if (ptr == NULL) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } + /* move to the certificate + */ + ptr = strnstr(input_crl, PEM_CRL_SEP, input_crl_size); + if (ptr == NULL) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } - size = input_crl_size - (ptr - input_crl); + size = input_crl_size - (ptr - input_crl); - i = *ncrls + 1; - count = 0; + i = *ncrls + 1; + count = 0; - do { + do { - *crl_list = - (gnutls_x509_crl *) gnutls_realloc_fast( *crl_list, - i * - sizeof(gnutls_x509_crl)); + *crl_list = + (gnutls_x509_crl *) gnutls_realloc_fast(*crl_list, + i * + sizeof + (gnutls_x509_crl)); - if ( *crl_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (*crl_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - ret = gnutls_x509_crl_init( &crl_list[0][i - 1]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - - tmp.data = (char*)ptr; - tmp.size = size; - - ret = - gnutls_x509_crl_import( - crl_list[0][i - 1], - &tmp, GNUTLS_X509_FMT_PEM); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_x509_crl_init(&crl_list[0][i - 1]); + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* now we move ptr after the pem header - */ - ptr++; - /* find the next certificate (if any) - */ + tmp.data = (char *) ptr; + tmp.size = size; - size = input_crl_size - (ptr - input_crl); + ret = + gnutls_x509_crl_import(crl_list[0][i - 1], + &tmp, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* now we move ptr after the pem header + */ + ptr++; + /* find the next certificate (if any) + */ + + size = input_crl_size - (ptr - input_crl); - if (size > 0) - ptr = strnstr(ptr, PEM_CRL_SEP, size); - else ptr = NULL; - i++; - count++; + if (size > 0) + ptr = strnstr(ptr, PEM_CRL_SEP, size); + else + ptr = NULL; + i++; + count++; - } while ( ptr != NULL); + } while (ptr != NULL); - *ncrls = i - 1; + *ncrls = i - 1; - return count; + return count; } /* Reads a DER encoded certificate list from memory and stores it to * a gnutls_cert structure. This is only called if PKCS7 read fails. * returns the number of certificates parsed (1) */ -static int parse_der_crl_mem( gnutls_x509_crl** crl_list, uint* ncrls, - const void *input_crl, int input_crl_size) +static int parse_der_crl_mem(gnutls_x509_crl ** crl_list, uint * ncrls, + const void *input_crl, int input_crl_size) { - int i; - gnutls_datum tmp; - int ret; + int i; + gnutls_datum tmp; + int ret; - i = *ncrls + 1; + i = *ncrls + 1; - *crl_list = - (gnutls_x509_crl *) gnutls_realloc_fast( *crl_list, - i * - sizeof(gnutls_x509_crl)); + *crl_list = + (gnutls_x509_crl *) gnutls_realloc_fast(*crl_list, + i * + sizeof(gnutls_x509_crl)); - if ( *crl_list == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (*crl_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - tmp.data = (opaque*)input_crl; - tmp.size = input_crl_size; + tmp.data = (opaque *) input_crl; + tmp.size = input_crl_size; - ret = gnutls_x509_crl_init( &crl_list[0][i - 1]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - - ret = - gnutls_x509_crl_import( - crl_list[0][i - 1], - &tmp, GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - *ncrls = i; + ret = gnutls_x509_crl_init(&crl_list[0][i - 1]); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + gnutls_x509_crl_import(crl_list[0][i - 1], + &tmp, GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + *ncrls = i; - return 1; /* one certificate parsed */ + return 1; /* one certificate parsed */ } /* Reads a DER or PEM CRL from memory */ -static -int read_crl_mem(gnutls_certificate_credentials res, const void *crl, int crl_size, - gnutls_x509_crt_fmt type) +static +int read_crl_mem(gnutls_certificate_credentials res, const void *crl, + int crl_size, gnutls_x509_crt_fmt type) { - int ret; - - /* allocate space for the certificate to add - */ - res->x509_crl_list = gnutls_realloc_fast( res->x509_crl_list, - (1+ res->x509_ncrls)*sizeof(gnutls_x509_crl)); - if ( res->x509_crl_list==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - if (type==GNUTLS_X509_FMT_DER) - ret = parse_der_crl_mem( &res->x509_crl_list, - &res->x509_ncrls, crl, crl_size); - else - ret = parse_pem_crl_mem( &res->x509_crl_list, - &res->x509_ncrls, crl, crl_size); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - + int ret; + + /* allocate space for the certificate to add + */ + res->x509_crl_list = gnutls_realloc_fast(res->x509_crl_list, + (1 + + res->x509_ncrls) * + sizeof(gnutls_x509_crl)); + if (res->x509_crl_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + if (type == GNUTLS_X509_FMT_DER) + ret = parse_der_crl_mem(&res->x509_crl_list, + &res->x509_ncrls, crl, crl_size); + else + ret = parse_pem_crl_mem(&res->x509_crl_list, + &res->x509_ncrls, crl, crl_size); + + if (ret < 0) { + gnutls_assert(); return ret; + } + + return ret; } /** @@ -1474,15 +1521,16 @@ int read_crl_mem(gnutls_certificate_credentials res, const void *crl, int crl_si * on error. * **/ -int gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials res, - const gnutls_datum *CRL, gnutls_x509_crt_fmt type) +int gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials res, + const gnutls_datum * CRL, + gnutls_x509_crt_fmt type) { - int ret; - - if ((ret = read_crl_mem(res, CRL->data, CRL->size, type)) < 0) - return ret; + int ret; + if ((ret = read_crl_mem(res, CRL->data, CRL->size, type)) < 0) return ret; + + return ret; } /** @@ -1500,29 +1548,32 @@ int gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials res, * Returns 0 on success. * **/ -int gnutls_certificate_set_x509_crl(gnutls_certificate_credentials res, - gnutls_x509_crl* crl_list, int crl_list_size) +int gnutls_certificate_set_x509_crl(gnutls_certificate_credentials res, + gnutls_x509_crl * crl_list, + int crl_list_size) { - int ret, i; - - res->x509_crl_list = gnutls_realloc_fast( res->x509_crl_list, - (crl_list_size + res->x509_ncrls)*sizeof(gnutls_x509_crl)); - if ( res->x509_crl_list==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - for (i=0;i<crl_list_size;i++) { - ret = _gnutls_x509_crl_cpy( res->x509_crl_list[i+res->x509_ncrls], - crl_list[i]); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - res->x509_ncrls++; + int ret, i; + + res->x509_crl_list = gnutls_realloc_fast(res->x509_crl_list, + (crl_list_size + + res->x509_ncrls) * + sizeof(gnutls_x509_crl)); + if (res->x509_crl_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + for (i = 0; i < crl_list_size; i++) { + ret = _gnutls_x509_crl_cpy(res->x509_crl_list[i + res->x509_ncrls], + crl_list[i]); + if (ret < 0) { + gnutls_assert(); + return ret; } + res->x509_ncrls++; + } - return 0; + return 0; } /** @@ -1541,33 +1592,34 @@ int gnutls_certificate_set_x509_crl(gnutls_certificate_credentials res, * on error. * **/ -int gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials res, - const char *crlfile, gnutls_x509_crt_fmt type) +int gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials + res, const char *crlfile, + gnutls_x509_crt_fmt type) { - int ret; - strfile x; - - x = _gnutls_file_to_str( crlfile); - if (x.data == NULL) { - gnutls_assert(); - return GNUTLS_E_FILE_ERROR; - } - - if (type==GNUTLS_X509_FMT_DER) - ret = parse_der_crl_mem( &res->x509_crl_list, &res->x509_ncrls, - x.data, x.size); - else - ret = parse_pem_crl_mem( &res->x509_crl_list, &res->x509_ncrls, - x.data, x.size); - - _gnutls_strfile_free(&x); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - + int ret; + strfile x; + + x = _gnutls_file_to_str(crlfile); + if (x.data == NULL) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } + + if (type == GNUTLS_X509_FMT_DER) + ret = parse_der_crl_mem(&res->x509_crl_list, &res->x509_ncrls, + x.data, x.size); + else + ret = parse_pem_crl_mem(&res->x509_crl_list, &res->x509_ncrls, + x.data, x.size); + + _gnutls_strfile_free(&x); + + if (ret < 0) { + gnutls_assert(); return ret; + } + + return ret; } @@ -1581,16 +1633,16 @@ int gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials res, **/ void gnutls_certificate_free_crls(gnutls_certificate_credentials sc) { - uint j; + uint j; + + for (j = 0; j < sc->x509_ncrls; j++) { + gnutls_x509_crl_deinit(sc->x509_crl_list[j]); + } - for (j = 0; j < sc->x509_ncrls; j++) { - gnutls_x509_crl_deinit( sc->x509_crl_list[j]); - } - - sc->x509_ncrls = 0; + sc->x509_ncrls = 0; - gnutls_free( sc->x509_crl_list); - sc->x509_crl_list = NULL; + gnutls_free(sc->x509_crl_list); + sc->x509_crl_list = NULL; } #endif diff --git a/lib/gnutls_x509.h b/lib/gnutls_x509.h index f6ff1e32ac..ed29e3534a 100644 --- a/lib/gnutls_x509.h +++ b/lib/gnutls_x509.h @@ -11,11 +11,16 @@ int _gnutls_x509_cert_verify_peers(gnutls_session session); #define PEM_KEY_RSA_SEP "-----BEGIN RSA" #define PEM_KEY_DSA_SEP "-----BEGIN DSA" -int _gnutls_check_key_usage( const gnutls_cert* cert, gnutls_kx_algorithm alg); +int _gnutls_check_key_usage(const gnutls_cert * cert, + gnutls_kx_algorithm alg); -int _gnutls_x509_read_rsa_params(opaque * der, int dersize, mpi_t * params); -int _gnutls_x509_read_dsa_pubkey(opaque * der, int dersize, mpi_t * params); +int _gnutls_x509_read_rsa_params(opaque * der, int dersize, + mpi_t * params); +int _gnutls_x509_read_dsa_pubkey(opaque * der, int dersize, + mpi_t * params); -int _gnutls_x509_raw_privkey_to_gkey( gnutls_privkey* privkey, const gnutls_datum* raw_key, - gnutls_x509_crt_fmt type); -int _gnutls_x509_privkey_to_gkey( gnutls_privkey* privkey, gnutls_x509_privkey); +int _gnutls_x509_raw_privkey_to_gkey(gnutls_privkey * privkey, + const gnutls_datum * raw_key, + gnutls_x509_crt_fmt type); +int _gnutls_x509_privkey_to_gkey(gnutls_privkey * privkey, + gnutls_x509_privkey); diff --git a/lib/io_debug.h b/lib/io_debug.h index 2c3e2ff8ab..85c499fcd1 100644 --- a/lib/io_debug.h +++ b/lib/io_debug.h @@ -15,7 +15,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ - + /* This debug file was contributed by * Paul Sheer <psheer@icon.co.za>. Some changes were made by nmav. * Its purpose is to debug non blocking behaviour of gnutls. The included @@ -27,7 +27,7 @@ #include <gnutls_int.h> -#define EDUNNO EAGAIN /* EAGAIN */ +#define EDUNNO EAGAIN /* EAGAIN */ extern int errno; static int initialized_rand = 0; @@ -36,32 +36,32 @@ static int initialized_rand = 0; srand(time(0)); \ initialized_rand = 1; \ } -static int recv_debug (int fd, char *buf, int len, int flags) +static int recv_debug(int fd, char *buf, int len, int flags) { INITIALIZE_RAND; - + if (!(rand() % IO_DEBUG)) { errno = EDUNNO; return -1; } if (len > 1) len = 1; - return recv (fd, buf, len, flags); + return recv(fd, buf, len, flags); } #define recv recv_debug -static int send_debug (int fd, const char *buf, int len, int flags) +static int send_debug(int fd, const char *buf, int len, int flags) { INITIALIZE_RAND; - + if (!(rand() % IO_DEBUG)) { errno = EDUNNO; return -1; } if (len > 10) len = 10; - return send (fd, buf, len, flags); + return send(fd, buf, len, flags); } #define send send_debug diff --git a/lib/pkix_asn1_tab.c b/lib/pkix_asn1_tab.c index c31c516258..0e2ec9bba7 100644 --- a/lib/pkix_asn1_tab.c +++ b/lib/pkix_asn1_tab.c @@ -1,1095 +1,1103 @@ #include "libtasn1.h" -const ASN1_ARRAY_TYPE pkix_asn1_tab[]={ - {"PKIX1",536875024,0}, - {0,1073741836,0}, - {"id-ce",1879048204,0}, - {"joint-iso-ccitt",1073741825,"2"}, - {"ds",1073741825,"5"}, - {0,1,"29"}, - {"id-ce-authorityKeyIdentifier",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"35"}, - {"AuthorityKeyIdentifier",1610612741,0}, - {"keyIdentifier",1610637314,"KeyIdentifier"}, - {0,4104,"0"}, - {"authorityCertIssuer",1610637314,"GeneralNames"}, - {0,4104,"1"}, - {"authorityCertSerialNumber",536895490,"CertificateSerialNumber"}, - {0,4104,"2"}, - {"KeyIdentifier",1073741831,0}, - {"id-ce-subjectKeyIdentifier",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"14"}, - {"SubjectKeyIdentifier",1073741826,"KeyIdentifier"}, - {"id-ce-keyUsage",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"15"}, - {"KeyUsage",1610874886,0}, - {"digitalSignature",1073741825,"0"}, - {"nonRepudiation",1073741825,"1"}, - {"keyEncipherment",1073741825,"2"}, - {"dataEncipherment",1073741825,"3"}, - {"keyAgreement",1073741825,"4"}, - {"keyCertSign",1073741825,"5"}, - {"cRLSign",1073741825,"6"}, - {"encipherOnly",1073741825,"7"}, - {"decipherOnly",1,"8"}, - {"id-ce-privateKeyUsagePeriod",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"16"}, - {"PrivateKeyUsagePeriod",1610612741,0}, - {"notBefore",1619025937,0}, - {0,4104,"0"}, - {"notAfter",545284113,0}, - {0,4104,"1"}, - {"id-ce-certificatePolicies",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"32"}, - {"CertificatePolicies",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"PolicyInformation"}, - {"PolicyInformation",1610612741,0}, - {"policyIdentifier",1073741826,"CertPolicyId"}, - {"policyQualifiers",538984459,0}, - {"MAX",1074266122,"1"}, - {0,2,"PolicyQualifierInfo"}, - {"CertPolicyId",1073741836,0}, - {"PolicyQualifierInfo",1610612741,0}, - {"policyQualifierId",1073741826,"PolicyQualifierId"}, - {"qualifier",541065229,0}, - {"policyQualifierId",1,0}, - {"PolicyQualifierId",1073741836,0}, - {"CPSuri",1073741826,"IA5String"}, - {"UserNotice",1610612741,0}, - {"noticeRef",1073758210,"NoticeReference"}, - {"explicitText",16386,"DisplayText"}, - {"NoticeReference",1610612741,0}, - {"organization",1073741826,"DisplayText"}, - {"noticeNumbers",536870923,0}, - {0,3,0}, - {"DisplayText",1610612754,0}, - {"visibleString",1612709890,"VisibleString"}, - {"200",524298,"1"}, - {"bmpString",1612709890,"BMPString"}, - {"200",524298,"1"}, - {"utf8String",538968066,"UTF8String"}, - {"200",524298,"1"}, - {"id-ce-policyMappings",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"33"}, - {"PolicyMappings",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,536870917,0}, - {"issuerDomainPolicy",1073741826,"CertPolicyId"}, - {"subjectDomainPolicy",2,"CertPolicyId"}, - {"DirectoryString",1610612754,0}, - {"teletexString",1612709890,"TeletexString"}, - {"MAX",524298,"1"}, - {"printableString",1612709890,"PrintableString"}, - {"MAX",524298,"1"}, - {"universalString",1612709890,"UniversalString"}, - {"MAX",524298,"1"}, - {"utf8String",1612709890,"UTF8String"}, - {"MAX",524298,"1"}, - {"bmpString",538968066,"BMPString"}, - {"MAX",524298,"1"}, - {"id-ce-subjectAltName",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"17"}, - {"SubjectAltName",1073741826,"GeneralNames"}, - {"GeneralNames",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"GeneralName"}, - {"GeneralName",1610612754,0}, - {"otherName",1610620930,"AnotherName"}, - {0,4104,"0"}, - {"rfc822Name",1610620930,"IA5String"}, - {0,4104,"1"}, - {"dNSName",1610620930,"IA5String"}, - {0,4104,"2"}, - {"x400Address",1610620930,"ORAddress"}, - {0,4104,"3"}, - {"directoryName",1610620930,"Name"}, - {0,4104,"4"}, - {"ediPartyName",1610620930,"EDIPartyName"}, - {0,4104,"5"}, - {"uniformResourceIdentifier",1610620930,"IA5String"}, - {0,4104,"6"}, - {"iPAddress",1610620935,0}, - {0,4104,"7"}, - {"registeredID",536879116,0}, - {0,4104,"8"}, - {"AnotherName",1610612741,0}, - {"type-id",1073741836,0}, - {"value",541073421,0}, - {0,1073743880,"0"}, - {"type-id",1,0}, - {"EDIPartyName",1610612741,0}, - {"nameAssigner",1610637314,"DirectoryString"}, - {0,4104,"0"}, - {"partyName",536879106,"DirectoryString"}, - {0,4104,"1"}, - {"id-ce-issuerAltName",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"18"}, - {"IssuerAltName",1073741826,"GeneralNames"}, - {"id-ce-subjectDirectoryAttributes",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"9"}, - {"SubjectDirectoryAttributes",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"Attribute"}, - {"id-ce-basicConstraints",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"19"}, - {"BasicConstraints",1610612741,0}, - {"cA",1610645508,0}, - {0,131081,0}, - {"pathLenConstraint",537411587,0}, - {"0",10,"MAX"}, - {"id-ce-nameConstraints",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"30"}, - {"NameConstraints",1610612741,0}, - {"permittedSubtrees",1610637314,"GeneralSubtrees"}, - {0,4104,"0"}, - {"excludedSubtrees",536895490,"GeneralSubtrees"}, - {0,4104,"1"}, - {"GeneralSubtrees",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"GeneralSubtree"}, - {"GeneralSubtree",1610612741,0}, - {"base",1073741826,"GeneralName"}, - {"minimum",1610653698,"BaseDistance"}, - {0,1073741833,"0"}, - {0,4104,"0"}, - {"maximum",536895490,"BaseDistance"}, - {0,4104,"1"}, - {"BaseDistance",1611137027,0}, - {"0",10,"MAX"}, - {"id-ce-policyConstraints",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"36"}, - {"PolicyConstraints",1610612741,0}, - {"requireExplicitPolicy",1610637314,"SkipCerts"}, - {0,4104,"0"}, - {"inhibitPolicyMapping",536895490,"SkipCerts"}, - {0,4104,"1"}, - {"SkipCerts",1611137027,0}, - {"0",10,"MAX"}, - {"id-ce-cRLDistributionPoints",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"31"}, - {"CRLDistributionPoints",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"DistributionPoint"}, - {"DistributionPoint",1610612741,0}, - {"distributionPoint",1610637314,"DistributionPointName"}, - {0,2056,"0"}, - {"reasons",1610637314,"ReasonFlags"}, - {0,4104,"1"}, - {"cRLIssuer",536895490,"GeneralNames"}, - {0,4104,"2"}, - {"DistributionPointName",1610612754,0}, - {"fullName",1610620930,"GeneralNames"}, - {0,4104,"0"}, - {"nameRelativeToCRLIssuer",536879106,"RelativeDistinguishedName"}, - {0,4104,"1"}, - {"ReasonFlags",1610874886,0}, - {"unused",1073741825,"0"}, - {"keyCompromise",1073741825,"1"}, - {"cACompromise",1073741825,"2"}, - {"affiliationChanged",1073741825,"3"}, - {"superseded",1073741825,"4"}, - {"cessationOfOperation",1073741825,"5"}, - {"certificateHold",1073741825,"6"}, - {"privilegeWithdrawn",1073741825,"7"}, - {"aACompromise",1,"8"}, - {"id-ce-extKeyUsage",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"37"}, - {"ExtKeyUsageSyntax",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"KeyPurposeId"}, - {"KeyPurposeId",1073741836,0}, - {"id-kp-serverAuth",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"1"}, - {"id-kp-clientAuth",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"2"}, - {"id-kp-codeSigning",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"3"}, - {"id-kp-emailProtection",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"4"}, - {"id-kp-ipsecEndSystem",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"5"}, - {"id-kp-ipsecTunnel",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"6"}, - {"id-kp-ipsecUser",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"7"}, - {"id-kp-timeStamping",1879048204,0}, - {0,1073741825,"id-kp"}, - {0,1,"8"}, - {"id-pe-authorityInfoAccess",1879048204,0}, - {0,1073741825,"id-pe"}, - {0,1,"1"}, - {"AuthorityInfoAccessSyntax",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"AccessDescription"}, - {"AccessDescription",1610612741,0}, - {"accessMethod",1073741836,0}, - {"accessLocation",2,"GeneralName"}, - {"id-ce-cRLNumber",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"20"}, - {"CRLNumber",1611137027,0}, - {"0",10,"MAX"}, - {"id-ce-issuingDistributionPoint",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"28"}, - {"IssuingDistributionPoint",1610612741,0}, - {"distributionPoint",1610637314,"DistributionPointName"}, - {0,4104,"0"}, - {"onlyContainsUserCerts",1610653700,0}, - {0,1073872905,0}, - {0,4104,"1"}, - {"onlyContainsCACerts",1610653700,0}, - {0,1073872905,0}, - {0,4104,"2"}, - {"onlySomeReasons",1610637314,"ReasonFlags"}, - {0,4104,"3"}, - {"indirectCRL",536911876,0}, - {0,1073872905,0}, - {0,4104,"4"}, - {"id-ce-deltaCRLIndicator",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"27"}, - {"BaseCRLNumber",1073741826,"CRLNumber"}, - {"id-ce-cRLReasons",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"21"}, - {"CRLReason",1610874901,0}, - {"unspecified",1073741825,"0"}, - {"keyCompromise",1073741825,"1"}, - {"cACompromise",1073741825,"2"}, - {"affiliationChanged",1073741825,"3"}, - {"superseded",1073741825,"4"}, - {"cessationOfOperation",1073741825,"5"}, - {"certificateHold",1073741825,"6"}, - {"removeFromCRL",1,"8"}, - {"id-ce-certificateIssuer",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"29"}, - {"CertificateIssuer",1073741826,"GeneralNames"}, - {"id-ce-holdInstructionCode",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"23"}, - {"HoldInstructionCode",1073741836,0}, - {"holdInstruction",1879048204,0}, - {"joint-iso-itu-t",1073741825,"2"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"x9cm",1073741825,"10040"}, - {0,1,"2"}, - {"id-holdinstruction-none",1879048204,0}, - {0,1073741825,"holdInstruction"}, - {0,1,"1"}, - {"id-holdinstruction-callissuer",1879048204,0}, - {0,1073741825,"holdInstruction"}, - {0,1,"2"}, - {"id-holdinstruction-reject",1879048204,0}, - {0,1073741825,"holdInstruction"}, - {0,1,"3"}, - {"id-ce-invalidityDate",1879048204,0}, - {0,1073741825,"id-ce"}, - {0,1,"24"}, - {"InvalidityDate",1082130449,0}, - {"VisibleString",1610620935,0}, - {0,4360,"26"}, - {"NumericString",1610620935,0}, - {0,4360,"18"}, - {"IA5String",1610620935,0}, - {0,4360,"22"}, - {"TeletexString",1610620935,0}, - {0,4360,"20"}, - {"PrintableString",1610620935,0}, - {0,4360,"19"}, - {"UniversalString",1610620935,0}, - {0,4360,"28"}, - {"BMPString",1610620935,0}, - {0,4360,"30"}, - {"UTF8String",1610620935,0}, - {0,4360,"12"}, - {"id-pkix",1879048204,0}, - {"iso",1073741825,"1"}, - {"identified-organization",1073741825,"3"}, - {"dod",1073741825,"6"}, - {"internet",1073741825,"1"}, - {"security",1073741825,"5"}, - {"mechanisms",1073741825,"5"}, - {"pkix",1,"7"}, - {"id-pe",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"1"}, - {"id-qt",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"2"}, - {"id-kp",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"3"}, - {"id-ad",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"48"}, - {"id-qt-cps",1879048204,0}, - {0,1073741825,"id-qt"}, - {0,1,"1"}, - {"id-qt-unotice",1879048204,0}, - {0,1073741825,"id-qt"}, - {0,1,"2"}, - {"id-ad-ocsp",1879048204,0}, - {0,1073741825,"id-ad"}, - {0,1,"1"}, - {"id-ad-caIssuers",1879048204,0}, - {0,1073741825,"id-ad"}, - {0,1,"2"}, - {"Attribute",1610612741,0}, - {"type",1073741826,"AttributeType"}, - {"values",536870927,0}, - {0,2,"AttributeValue"}, - {"AttributeType",1073741836,0}, - {"AttributeValue",1614807053,0}, - {"type",1,0}, - {"AttributeTypeAndValue",1610612741,0}, - {"type",1073741826,"AttributeType"}, - {"value",2,"AttributeValue"}, - {"id-at",1879048204,0}, - {"joint-iso-ccitt",1073741825,"2"}, - {"ds",1073741825,"5"}, - {0,1,"4"}, - {"id-at-initials",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"43"}, - {"X520initials",1073741826,"DirectoryString"}, - {"id-at-generationQualifier",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"44"}, - {"X520generationQualifier",1073741826,"DirectoryString"}, - {"id-at-surname",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"4"}, - {"X520surName",1073741826,"DirectoryString"}, - {"id-at-givenName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"42"}, - {"X520givenName",1073741826,"DirectoryString"}, - {"id-at-name",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"41"}, - {"X520name",1073741826,"DirectoryString"}, - {"id-at-commonName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"3"}, - {"X520CommonName",1073741826,"DirectoryString"}, - {"id-at-localityName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"7"}, - {"X520LocalityName",1073741826,"DirectoryString"}, - {"id-at-stateOrProvinceName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"8"}, - {"X520StateOrProvinceName",1073741826,"DirectoryString"}, - {"id-at-organizationName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"10"}, - {"X520OrganizationName",1073741826,"DirectoryString"}, - {"id-at-organizationalUnitName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"11"}, - {"X520OrganizationalUnitName",1073741826,"DirectoryString"}, - {"id-at-title",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"12"}, - {"X520Title",1073741826,"DirectoryString"}, - {"id-at-description",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"13"}, - {"X520Description",1073741826,"DirectoryString"}, - {"id-at-dnQualifier",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"46"}, - {"X520dnQualifier",1073741826,"PrintableString"}, - {"id-at-countryName",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"6"}, - {"X520countryName",1612709890,"PrintableString"}, - {0,1048586,"2"}, - {"id-at-serialNumber",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"5"}, - {"X520serialNumber",1073741826,"PrintableString"}, - {"id-at-telephoneNumber",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"20"}, - {"X520telephoneNumber",1073741826,"PrintableString"}, - {"id-at-facsimileTelephoneNumber",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"23"}, - {"X520facsimileTelephoneNumber",1073741826,"PrintableString"}, - {"id-at-pseudonym",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"65"}, - {"X520pseudonym",1073741826,"DirectoryString"}, - {"id-at-name",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"41"}, - {"X520name",1073741826,"DirectoryString"}, - {"id-at-streetAddress",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"9"}, - {"X520streetAddress",1073741826,"DirectoryString"}, - {"id-at-postalAddress",1880096780,"AttributeType"}, - {0,1073741825,"id-at"}, - {0,1,"16"}, - {"X520postalAddress",1073741826,"PostalAddress"}, - {"PostalAddress",1610612747,0}, - {0,2,"DirectoryString"}, - {"pkcs",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"rsadsi",1073741825,"113549"}, - {"pkcs",1,"1"}, - {"pkcs-9",1879048204,0}, - {0,1073741825,"pkcs"}, - {0,1,"9"}, - {"emailAddress",1880096780,"AttributeType"}, - {0,1073741825,"pkcs-9"}, - {0,1,"1"}, - {"Pkcs9email",1612709890,"IA5String"}, - {"ub-emailaddress-length",524298,"1"}, - {"Name",1610612754,0}, - {"rdnSequence",2,"RDNSequence"}, - {"RDNSequence",1610612747,0}, - {0,2,"RelativeDistinguishedName"}, - {"DistinguishedName",1073741826,"RDNSequence"}, - {"RelativeDistinguishedName",1612709903,0}, - {"MAX",1074266122,"1"}, - {0,2,"AttributeTypeAndValue"}, - {"Certificate",1610612741,0}, - {"tbsCertificate",1073741826,"TBSCertificate"}, - {"signatureAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"signature",6,0}, - {"TBSCertificate",1610612741,0}, - {"version",1610653698,"Version"}, - {0,1073741833,"v1"}, - {0,2056,"0"}, - {"serialNumber",1073741826,"CertificateSerialNumber"}, - {"signature",1073741826,"AlgorithmIdentifier"}, - {"issuer",1073741826,"Name"}, - {"validity",1073741826,"Validity"}, - {"subject",1073741826,"Name"}, - {"subjectPublicKeyInfo",1073741826,"SubjectPublicKeyInfo"}, - {"issuerUniqueID",1610637314,"UniqueIdentifier"}, - {0,4104,"1"}, - {"subjectUniqueID",1610637314,"UniqueIdentifier"}, - {0,4104,"2"}, - {"extensions",536895490,"Extensions"}, - {0,2056,"3"}, - {"Version",1610874883,0}, - {"v1",1073741825,"0"}, - {"v2",1073741825,"1"}, - {"v3",1,"2"}, - {"CertificateSerialNumber",1073741827,0}, - {"Validity",1610612741,0}, - {"notBefore",1073741826,"Time"}, - {"notAfter",2,"Time"}, - {"Time",1610612754,0}, - {"utcTime",1090519057,0}, - {"generalTime",8388625,0}, - {"UniqueIdentifier",1073741830,0}, - {"SubjectPublicKeyInfo",1610612741,0}, - {"algorithm",1073741826,"AlgorithmIdentifier"}, - {"subjectPublicKey",6,0}, - {"Extensions",1612709899,0}, - {"MAX",1074266122,"1"}, - {0,2,"Extension"}, - {"Extension",1610612741,0}, - {"extnID",1073741836,0}, - {"critical",1610645508,0}, - {0,131081,0}, - {"extnValue",7,0}, - {"CertificateList",1610612741,0}, - {"tbsCertList",1073741826,"TBSCertList"}, - {"signatureAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"signature",6,0}, - {"TBSCertList",1610612741,0}, - {"version",1073758210,"Version"}, - {"signature",1073741826,"AlgorithmIdentifier"}, - {"issuer",1073741826,"Name"}, - {"thisUpdate",1073741826,"Time"}, - {"nextUpdate",1073758210,"Time"}, - {"revokedCertificates",1610629131,0}, - {0,536870917,0}, - {"userCertificate",1073741826,"CertificateSerialNumber"}, - {"revocationDate",1073741826,"Time"}, - {"crlEntryExtensions",16386,"Extensions"}, - {"crlExtensions",536895490,"Extensions"}, - {0,2056,"0"}, - {"AlgorithmIdentifier",1610612741,0}, - {"algorithm",1073741836,0}, - {"parameters",541081613,0}, - {"algorithm",1,0}, - {"pkcs-1",1879048204,0}, - {0,1073741825,"pkcs"}, - {0,1,"1"}, - {"rsaEncryption",1879048204,0}, - {0,1073741825,"pkcs-1"}, - {0,1,"1"}, - {"md2WithRSAEncryption",1879048204,0}, - {0,1073741825,"pkcs-1"}, - {0,1,"2"}, - {"md5WithRSAEncryption",1879048204,0}, - {0,1073741825,"pkcs-1"}, - {0,1,"4"}, - {"sha1WithRSAEncryption",1879048204,0}, - {0,1073741825,"pkcs-1"}, - {0,1,"5"}, - {"id-dsa-with-sha1",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"x9-57",1073741825,"10040"}, - {"x9algorithm",1073741825,"4"}, - {0,1,"3"}, - {"Dss-Sig-Value",1610612741,0}, - {"r",1073741827,0}, - {"s",3,0}, - {"dhpublicnumber",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"ansi-x942",1073741825,"10046"}, - {"number-type",1073741825,"2"}, - {0,1,"1"}, - {"DomainParameters",1610612741,0}, - {"p",1073741827,0}, - {"g",1073741827,0}, - {"q",1073741827,0}, - {"j",1073758211,0}, - {"validationParms",16386,"ValidationParms"}, - {"ValidationParms",1610612741,0}, - {"seed",1073741830,0}, - {"pgenCounter",3,0}, - {"id-dsa",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"x9-57",1073741825,"10040"}, - {"x9algorithm",1073741825,"4"}, - {0,1,"1"}, - {"Dss-Parms",1610612741,0}, - {"p",1073741827,0}, - {"q",1073741827,0}, - {"g",3,0}, - {"ORAddress",1610612741,0}, - {"built-in-standard-attributes",1073741826,"BuiltInStandardAttributes"}, - {"built-in-domain-defined-attributes",1073758210,"BuiltInDomainDefinedAttributes"}, - {"extension-attributes",16386,"ExtensionAttributes"}, - {"BuiltInStandardAttributes",1610612741,0}, - {"country-name",1073758210,"CountryName"}, - {"administration-domain-name",1073758210,"AdministrationDomainName"}, - {"network-address",1610637314,"NetworkAddress"}, - {0,2056,"0"}, - {"terminal-identifier",1610637314,"TerminalIdentifier"}, - {0,2056,"1"}, - {"private-domain-name",1610637314,"PrivateDomainName"}, - {0,2056,"2"}, - {"organization-name",1610637314,"OrganizationName"}, - {0,2056,"3"}, - {"numeric-user-identifier",1610637314,"NumericUserIdentifier"}, - {0,2056,"4"}, - {"personal-name",1610637314,"PersonalName"}, - {0,2056,"5"}, - {"organizational-unit-names",536895490,"OrganizationalUnitNames"}, - {0,2056,"6"}, - {"CountryName",1610620946,0}, - {0,1073746952,"1"}, - {"x121-dcc-code",1612709890,"NumericString"}, - {0,1048586,"ub-country-name-numeric-length"}, - {"iso-3166-alpha2-code",538968066,"PrintableString"}, - {0,1048586,"ub-country-name-alpha-length"}, - {"AdministrationDomainName",1610620946,0}, - {0,1073744904,"2"}, - {"numeric",1612709890,"NumericString"}, - {"ub-domain-name-length",524298,"0"}, - {"printable",538968066,"PrintableString"}, - {"ub-domain-name-length",524298,"0"}, - {"NetworkAddress",1073741826,"X121Address"}, - {"X121Address",1612709890,"NumericString"}, - {"ub-x121-address-length",524298,"1"}, - {"TerminalIdentifier",1612709890,"PrintableString"}, - {"ub-terminal-id-length",524298,"1"}, - {"PrivateDomainName",1610612754,0}, - {"numeric",1612709890,"NumericString"}, - {"ub-domain-name-length",524298,"1"}, - {"printable",538968066,"PrintableString"}, - {"ub-domain-name-length",524298,"1"}, - {"OrganizationName",1612709890,"PrintableString"}, - {"ub-organization-name-length",524298,"1"}, - {"NumericUserIdentifier",1612709890,"NumericString"}, - {"ub-numeric-user-id-length",524298,"1"}, - {"PersonalName",1610612750,0}, - {"surname",1814044674,"PrintableString"}, - {0,1073745928,"0"}, - {"ub-surname-length",524298,"1"}, - {"given-name",1814061058,"PrintableString"}, - {0,1073745928,"1"}, - {"ub-given-name-length",524298,"1"}, - {"initials",1814061058,"PrintableString"}, - {0,1073745928,"2"}, - {"ub-initials-length",524298,"1"}, - {"generation-qualifier",740319234,"PrintableString"}, - {0,1073745928,"3"}, - {"ub-generation-qualifier-length",524298,"1"}, - {"OrganizationalUnitNames",1612709899,0}, - {"ub-organizational-units",1074266122,"1"}, - {0,2,"OrganizationalUnitName"}, - {"OrganizationalUnitName",1612709890,"PrintableString"}, - {"ub-organizational-unit-name-length",524298,"1"}, - {"BuiltInDomainDefinedAttributes",1612709899,0}, - {"ub-domain-defined-attributes",1074266122,"1"}, - {0,2,"BuiltInDomainDefinedAttribute"}, - {"BuiltInDomainDefinedAttribute",1610612741,0}, - {"type",1612709890,"PrintableString"}, - {"ub-domain-defined-attribute-type-length",524298,"1"}, - {"value",538968066,"PrintableString"}, - {"ub-domain-defined-attribute-value-length",524298,"1"}, - {"ExtensionAttributes",1612709903,0}, - {"ub-extension-attributes",1074266122,"1"}, - {0,2,"ExtensionAttribute"}, - {"ExtensionAttribute",1610612741,0}, - {"extension-attribute-type",1611145219,0}, - {0,1073743880,"0"}, - {"0",10,"ub-extension-attributes"}, - {"extension-attribute-value",541073421,0}, - {0,1073743880,"1"}, - {"extension-attribute-type",1,0}, - {"common-name",1342177283,"1"}, - {"CommonName",1612709890,"PrintableString"}, - {"ub-common-name-length",524298,"1"}, - {"teletex-common-name",1342177283,"2"}, - {"TeletexCommonName",1612709890,"TeletexString"}, - {"ub-common-name-length",524298,"1"}, - {"teletex-organization-name",1342177283,"3"}, - {"TeletexOrganizationName",1612709890,"TeletexString"}, - {"ub-organization-name-length",524298,"1"}, - {"teletex-personal-name",1342177283,"4"}, - {"TeletexPersonalName",1610612750,0}, - {"surname",1814044674,"TeletexString"}, - {0,1073743880,"0"}, - {"ub-surname-length",524298,"1"}, - {"given-name",1814061058,"TeletexString"}, - {0,1073743880,"1"}, - {"ub-given-name-length",524298,"1"}, - {"initials",1814061058,"TeletexString"}, - {0,1073743880,"2"}, - {"ub-initials-length",524298,"1"}, - {"generation-qualifier",740319234,"TeletexString"}, - {0,1073743880,"3"}, - {"ub-generation-qualifier-length",524298,"1"}, - {"teletex-organizational-unit-names",1342177283,"5"}, - {"TeletexOrganizationalUnitNames",1612709899,0}, - {"ub-organizational-units",1074266122,"1"}, - {0,2,"TeletexOrganizationalUnitName"}, - {"TeletexOrganizationalUnitName",1612709890,"TeletexString"}, - {"ub-organizational-unit-name-length",524298,"1"}, - {"pds-name",1342177283,"7"}, - {"PDSName",1612709890,"PrintableString"}, - {"ub-pds-name-length",524298,"1"}, - {"physical-delivery-country-name",1342177283,"8"}, - {"PhysicalDeliveryCountryName",1610612754,0}, - {"x121-dcc-code",1612709890,"NumericString"}, - {0,1048586,"ub-country-name-numeric-length"}, - {"iso-3166-alpha2-code",538968066,"PrintableString"}, - {0,1048586,"ub-country-name-alpha-length"}, - {"postal-code",1342177283,"9"}, - {"PostalCode",1610612754,0}, - {"numeric-code",1612709890,"NumericString"}, - {"ub-postal-code-length",524298,"1"}, - {"printable-code",538968066,"PrintableString"}, - {"ub-postal-code-length",524298,"1"}, - {"physical-delivery-office-name",1342177283,"10"}, - {"PhysicalDeliveryOfficeName",1073741826,"PDSParameter"}, - {"physical-delivery-office-number",1342177283,"11"}, - {"PhysicalDeliveryOfficeNumber",1073741826,"PDSParameter"}, - {"extension-OR-address-components",1342177283,"12"}, - {"ExtensionORAddressComponents",1073741826,"PDSParameter"}, - {"physical-delivery-personal-name",1342177283,"13"}, - {"PhysicalDeliveryPersonalName",1073741826,"PDSParameter"}, - {"physical-delivery-organization-name",1342177283,"14"}, - {"PhysicalDeliveryOrganizationName",1073741826,"PDSParameter"}, - {"extension-physical-delivery-address-components",1342177283,"15"}, - {"ExtensionPhysicalDeliveryAddressComponents",1073741826,"PDSParameter"}, - {"unformatted-postal-address",1342177283,"16"}, - {"UnformattedPostalAddress",1610612750,0}, - {"printable-address",1814052875,0}, - {"ub-pds-physical-address-lines",1074266122,"1"}, - {0,538968066,"PrintableString"}, - {"ub-pds-parameter-length",524298,"1"}, - {"teletex-string",740311042,"TeletexString"}, - {"ub-unformatted-address-length",524298,"1"}, - {"street-address",1342177283,"17"}, - {"StreetAddress",1073741826,"PDSParameter"}, - {"post-office-box-address",1342177283,"18"}, - {"PostOfficeBoxAddress",1073741826,"PDSParameter"}, - {"poste-restante-address",1342177283,"19"}, - {"PosteRestanteAddress",1073741826,"PDSParameter"}, - {"unique-postal-name",1342177283,"20"}, - {"UniquePostalName",1073741826,"PDSParameter"}, - {"local-postal-attributes",1342177283,"21"}, - {"LocalPostalAttributes",1073741826,"PDSParameter"}, - {"PDSParameter",1610612750,0}, - {"printable-string",1814052866,"PrintableString"}, - {"ub-pds-parameter-length",524298,"1"}, - {"teletex-string",740311042,"TeletexString"}, - {"ub-pds-parameter-length",524298,"1"}, - {"extended-network-address",1342177283,"22"}, - {"ExtendedNetworkAddress",1610612754,0}, - {"e163-4-address",1610612741,0}, - {"number",1612718082,"NumericString"}, - {0,1073743880,"0"}, - {"ub-e163-4-number-length",524298,"1"}, - {"sub-address",538992642,"NumericString"}, - {0,1073743880,"1"}, - {"ub-e163-4-sub-address-length",524298,"1"}, - {"psap-address",536879106,"PresentationAddress"}, - {0,2056,"0"}, - {"PresentationAddress",1610612741,0}, - {"pSelector",1610637319,0}, - {0,2056,"0"}, - {"sSelector",1610637319,0}, - {0,2056,"1"}, - {"tSelector",1610637319,0}, - {0,2056,"2"}, - {"nAddresses",538976271,0}, - {0,1073743880,"3"}, - {"MAX",1074266122,"1"}, - {0,7,0}, - {"terminal-type",1342177283,"23"}, - {"TerminalType",1610874883,0}, - {"telex",1073741825,"3"}, - {"teletex",1073741825,"4"}, - {"g3-facsimile",1073741825,"5"}, - {"g4-facsimile",1073741825,"6"}, - {"ia5-terminal",1073741825,"7"}, - {"videotex",1,"8"}, - {"teletex-domain-defined-attributes",1342177283,"6"}, - {"TeletexDomainDefinedAttributes",1612709899,0}, - {"ub-domain-defined-attributes",1074266122,"1"}, - {0,2,"TeletexDomainDefinedAttribute"}, - {"TeletexDomainDefinedAttribute",1610612741,0}, - {"type",1612709890,"TeletexString"}, - {"ub-domain-defined-attribute-type-length",524298,"1"}, - {"value",538968066,"TeletexString"}, - {"ub-domain-defined-attribute-value-length",524298,"1"}, - {"ub-name",1342177283,"32768"}, - {"ub-common-name",1342177283,"64"}, - {"ub-locality-name",1342177283,"128"}, - {"ub-state-name",1342177283,"128"}, - {"ub-organization-name",1342177283,"64"}, - {"ub-organizational-unit-name",1342177283,"64"}, - {"ub-title",1342177283,"64"}, - {"ub-match",1342177283,"128"}, - {"ub-emailaddress-length",1342177283,"128"}, - {"ub-common-name-length",1342177283,"64"}, - {"ub-country-name-alpha-length",1342177283,"2"}, - {"ub-country-name-numeric-length",1342177283,"3"}, - {"ub-domain-defined-attributes",1342177283,"4"}, - {"ub-domain-defined-attribute-type-length",1342177283,"8"}, - {"ub-domain-defined-attribute-value-length",1342177283,"128"}, - {"ub-domain-name-length",1342177283,"16"}, - {"ub-extension-attributes",1342177283,"256"}, - {"ub-e163-4-number-length",1342177283,"15"}, - {"ub-e163-4-sub-address-length",1342177283,"40"}, - {"ub-generation-qualifier-length",1342177283,"3"}, - {"ub-given-name-length",1342177283,"16"}, - {"ub-initials-length",1342177283,"5"}, - {"ub-integer-options",1342177283,"256"}, - {"ub-numeric-user-id-length",1342177283,"32"}, - {"ub-organization-name-length",1342177283,"64"}, - {"ub-organizational-unit-name-length",1342177283,"32"}, - {"ub-organizational-units",1342177283,"4"}, - {"ub-pds-name-length",1342177283,"16"}, - {"ub-pds-parameter-length",1342177283,"30"}, - {"ub-pds-physical-address-lines",1342177283,"6"}, - {"ub-postal-code-length",1342177283,"16"}, - {"ub-surname-length",1342177283,"40"}, - {"ub-terminal-id-length",1342177283,"24"}, - {"ub-unformatted-address-length",1342177283,"180"}, - {"ub-x121-address-length",1342177283,"16"}, - {"pkcs-7-ContentInfo",1610612741,0}, - {"contentType",1073741826,"pkcs-7-ContentType"}, - {"content",541073421,0}, - {0,1073743880,"0"}, - {"contentType",1,0}, - {"pkcs-7-DigestInfo",1610612741,0}, - {"digestAlgorithm",1073741826,"pkcs-7-DigestAlgorithmIdentifier"}, - {"digest",2,"pkcs-7-Digest"}, - {"pkcs-7-Digest",1073741831,0}, - {"pkcs-7-ContentType",1073741836,0}, - {"pkcs-7-SignedData",1610612741,0}, - {"version",1073741826,"pkcs-7-CMSVersion"}, - {"digestAlgorithms",1073741826,"pkcs-7-DigestAlgorithmIdentifiers"}, - {"encapContentInfo",1073741826,"pkcs-7-EncapsulatedContentInfo"}, - {"certificates",1610637314,"pkcs-7-CertificateSet"}, - {0,4104,"0"}, - {"crls",1610637314,"pkcs-7-CertificateRevocationLists"}, - {0,4104,"1"}, - {"signerInfos",2,"pkcs-7-SignerInfos"}, - {"pkcs-7-CMSVersion",1610874883,0}, - {"v0",1073741825,"0"}, - {"v1",1073741825,"1"}, - {"v2",1073741825,"2"}, - {"v3",1073741825,"3"}, - {"v4",1,"4"}, - {"pkcs-7-DigestAlgorithmIdentifiers",1610612751,0}, - {0,2,"pkcs-7-DigestAlgorithmIdentifier"}, - {"pkcs-7-DigestAlgorithmIdentifier",1073741826,"AlgorithmIdentifier"}, - {"pkcs-7-EncapsulatedContentInfo",1610612741,0}, - {"eContentType",1073741826,"pkcs-7-ContentType"}, - {"eContent",536895495,0}, - {0,2056,"0"}, - {"pkcs-7-CertificateRevocationLists",1610612751,0}, - {0,13,0}, - {"pkcs-7-CertificateChoices",1610612754,0}, - {"certificate",13,0}, - {"pkcs-7-CertificateSet",1610612751,0}, - {0,2,"pkcs-7-CertificateChoices"}, - {"pkcs-7-SignerInfos",1610612751,0}, - {0,13,0}, - {"pkcs-10-CertificationRequestInfo",1610612741,0}, - {"version",1610874883,0}, - {"v1",1,"0"}, - {"subject",1073741826,"Name"}, - {"subjectPKInfo",1073741826,"SubjectPublicKeyInfo"}, - {"attributes",536879106,"Attributes"}, - {0,4104,"0"}, - {"Attributes",1610612751,0}, - {0,2,"Attribute"}, - {"pkcs-10-CertificationRequest",1610612741,0}, - {"certificationRequestInfo",1073741826,"pkcs-10-CertificationRequestInfo"}, - {"signatureAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"signature",6,0}, - {"pkcs-9-ub-challengePassword",1342177283,"255"}, - {"pkcs-9-certTypes",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"22"}, - {"pkcs-9-crlTypes",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"23"}, - {"pkcs-9-at-challengePassword",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"7"}, - {"pkcs-9-challengePassword",1610612754,0}, - {"printableString",1612709890,"PrintableString"}, - {"pkcs-9-ub-challengePassword",524298,"1"}, - {"utf8String",538968066,"UTF8String"}, - {"pkcs-9-ub-challengePassword",524298,"1"}, - {"pkcs-9-at-localKeyId",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"21"}, - {"pkcs-9-localKeyId",1073741831,0}, - {"pkcs-9-at-friendlyName",1879048204,0}, - {0,1073741825,"pkcs-9"}, - {0,1,"20"}, - {"pkcs-9-friendlyName",1612709890,"BMPString"}, - {"255",524298,"1"}, - {"pkcs-8-PrivateKeyInfo",1610612741,0}, - {"version",1073741826,"pkcs-8-Version"}, - {"privateKeyAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"privateKey",1073741826,"pkcs-8-PrivateKey"}, - {"attributes",536895490,"Attributes"}, - {0,4104,"0"}, - {"pkcs-8-Version",1610874883,0}, - {"v1",1,"0"}, - {"pkcs-8-PrivateKey",1073741831,0}, - {"pkcs-8-Attributes",1610612751,0}, - {0,2,"Attribute"}, - {"pkcs-8-EncryptedPrivateKeyInfo",1610612741,0}, - {"encryptionAlgorithm",1073741826,"AlgorithmIdentifier"}, - {"encryptedData",2,"pkcs-8-EncryptedData"}, - {"pkcs-8-EncryptedData",1073741831,0}, - {"pkcs-5",1879048204,0}, - {0,1073741825,"pkcs"}, - {0,1,"5"}, - {"pkcs-5-encryptionAlgorithm",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"rsadsi",1073741825,"113549"}, - {0,1,"3"}, - {"pkcs-5-des-EDE3-CBC",1879048204,0}, - {0,1073741825,"pkcs-5-encryptionAlgorithm"}, - {0,1,"7"}, - {"pkcs-5-des-EDE3-CBC-params",1612709895,0}, - {0,1048586,"8"}, - {"pkcs-5-id-PBES2",1879048204,0}, - {0,1073741825,"pkcs-5"}, - {0,1,"13"}, - {"pkcs-5-PBES2-params",1610612741,0}, - {"keyDerivationFunc",1073741826,"AlgorithmIdentifier"}, - {"encryptionScheme",2,"AlgorithmIdentifier"}, - {"pkcs-5-id-PBKDF2",1879048204,0}, - {0,1073741825,"pkcs-5"}, - {0,1,"12"}, - {"pkcs-5-PBKDF2-params",1610612741,0}, - {"salt",1610612754,0}, - {"specified",1073741831,0}, - {"otherSource",2,"AlgorithmIdentifier"}, - {"iterationCount",1611137027,0}, - {"1",10,"MAX"}, - {"keyLength",1611153411,0}, - {"1",10,"MAX"}, - {"prf",16386,"AlgorithmIdentifier"}, - {"pkcs-12",1879048204,0}, - {0,1073741825,"pkcs"}, - {0,1,"12"}, - {"pkcs-12-PFX",1610612741,0}, - {"version",1610874883,0}, - {"v3",1,"3"}, - {"authSafe",1073741826,"pkcs-7-ContentInfo"}, - {"macData",16386,"pkcs-12-MacData"}, - {"pkcs-12-PbeParams",1610612741,0}, - {"salt",1073741831,0}, - {"iterations",3,0}, - {"pkcs-12-MacData",1610612741,0}, - {"mac",1073741826,"pkcs-7-DigestInfo"}, - {"macSalt",1073741831,0}, - {"iterations",536903683,0}, - {0,9,"1"}, - {"pkcs-12-AuthenticatedSafe",1610612747,0}, - {0,2,"pkcs-7-ContentInfo"}, - {"pkcs-12-SafeContents",1610612747,0}, - {0,2,"pkcs-12-SafeBag"}, - {"pkcs-12-SafeBag",1610612741,0}, - {"bagId",1073741836,0}, - {"bagValue",1614815245,0}, - {0,1073743880,"0"}, - {"badId",1,0}, - {"bagAttributes",536887311,0}, - {0,2,"pkcs-12-PKCS12Attribute"}, - {"pkcs-12-bagtypes",1879048204,0}, - {0,1073741825,"pkcs-12"}, - {0,1073741825,"10"}, - {0,1,"1"}, - {"pkcs-12-keyBag",1879048204,0}, - {0,1073741825,"pkcs-12-bagtypes"}, - {0,1,"1"}, - {"pkcs-12-pkcs8ShroudedKeyBag",1879048204,0}, - {0,1073741825,"pkcs-12-bagtypes"}, - {0,1,"2"}, - {"pkcs-12-certBag",1879048204,0}, - {0,1073741825,"pkcs-12-bagtypes"}, - {0,1,"3"}, - {"pkcs-12-crlBag",1879048204,0}, - {0,1073741825,"pkcs-12-bagtypes"}, - {0,1,"4"}, - {"pkcs-12-KeyBag",1073741826,"pkcs-8-PrivateKeyInfo"}, - {"pkcs-12-PKCS8ShroudedKeyBag",1073741826,"pkcs-8-EncryptedPrivateKeyInfo"}, - {"pkcs-12-CertBag",1610612741,0}, - {"certId",1073741836,0}, - {"certValue",541073421,0}, - {0,1073743880,"0"}, - {"certId",1,0}, - {"pkcs-12-CRLBag",1610612741,0}, - {"crlId",1073741836,0}, - {"crlValue",541073421,0}, - {0,1073743880,"0"}, - {"crlId",1,0}, - {"pkcs-12-PKCS12Attribute",1073741826,"Attribute"}, - {"pkcs-7-data",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"rsadsi",1073741825,"113549"}, - {"pkcs",1073741825,"1"}, - {"pkcs7",1073741825,"7"}, - {0,1,"1"}, - {"pkcs-7-encryptedData",1879048204,0}, - {"iso",1073741825,"1"}, - {"member-body",1073741825,"2"}, - {"us",1073741825,"840"}, - {"rsadsi",1073741825,"113549"}, - {"pkcs",1073741825,"1"}, - {"pkcs7",1073741825,"7"}, - {0,1,"6"}, - {"pkcs-7-Data",1073741831,0}, - {"pkcs-7-EncryptedData",1610612741,0}, - {"version",1073741826,"pkcs-7-CMSVersion"}, - {"encryptedContentInfo",1073741826,"pkcs-7-EncryptedContentInfo"}, - {"unprotectedAttrs",536895490,"pkcs-7-UnprotectedAttributes"}, - {0,4104,"1"}, - {"pkcs-7-EncryptedContentInfo",1610612741,0}, - {"contentType",1073741826,"pkcs-7-ContentType"}, - {"contentEncryptionAlgorithm",1073741826,"pkcs-7-ContentEncryptionAlgorithmIdentifier"}, - {"encryptedContent",536895490,"pkcs-7-EncryptedContent"}, - {0,4104,"0"}, - {"pkcs-7-ContentEncryptionAlgorithmIdentifier",1073741826,"AlgorithmIdentifier"}, - {"pkcs-7-EncryptedContent",1073741831,0}, - {"pkcs-7-UnprotectedAttributes",1612709903,0}, - {"MAX",1074266122,"1"}, - {0,2,"Attribute"}, - {"id-at-ldap-DC",1880096780,"AttributeType"}, - {0,1073741825,"0"}, - {0,1073741825,"9"}, - {0,1073741825,"2342"}, - {0,1073741825,"19200300"}, - {0,1073741825,"100"}, - {0,1073741825,"1"}, - {0,1,"25"}, - {"ldap-DC",1073741826,"IA5String"}, - {"id-at-ldap-UID",1880096780,"AttributeType"}, - {0,1073741825,"0"}, - {0,1073741825,"9"}, - {0,1073741825,"2342"}, - {0,1073741825,"19200300"}, - {0,1073741825,"100"}, - {0,1073741825,"1"}, - {0,1,"1"}, - {"ldap-UID",1073741826,"IA5String"}, - {"id-pda",1879048204,0}, - {0,1073741825,"id-pkix"}, - {0,1,"9"}, - {"id-pda-dateOfBirth",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"1"}, - {"DateOfBirth",1082130449,0}, - {"id-pda-placeOfBirth",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"2"}, - {"PlaceOfBirth",1073741826,"DirectoryString"}, - {"id-pda-gender",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"3"}, - {"Gender",1612709890,"PrintableString"}, - {0,1048586,"1"}, - {"id-pda-countryOfCitizenship",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"4"}, - {"CountryOfCitizenship",1612709890,"PrintableString"}, - {0,1048586,"2"}, - {"id-pda-countryOfResidence",1880096780,"AttributeType"}, - {0,1073741825,"id-pda"}, - {0,1,"5"}, - {"CountryOfResidence",538968066,"PrintableString"}, - {0,1048586,"2"}, - {0,0,0} +const ASN1_ARRAY_TYPE pkix_asn1_tab[] = { + {"PKIX1", 536875024, 0}, + {0, 1073741836, 0}, + {"id-ce", 1879048204, 0}, + {"joint-iso-ccitt", 1073741825, "2"}, + {"ds", 1073741825, "5"}, + {0, 1, "29"}, + {"id-ce-authorityKeyIdentifier", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "35"}, + {"AuthorityKeyIdentifier", 1610612741, 0}, + {"keyIdentifier", 1610637314, "KeyIdentifier"}, + {0, 4104, "0"}, + {"authorityCertIssuer", 1610637314, "GeneralNames"}, + {0, 4104, "1"}, + {"authorityCertSerialNumber", 536895490, "CertificateSerialNumber"}, + {0, 4104, "2"}, + {"KeyIdentifier", 1073741831, 0}, + {"id-ce-subjectKeyIdentifier", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "14"}, + {"SubjectKeyIdentifier", 1073741826, "KeyIdentifier"}, + {"id-ce-keyUsage", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "15"}, + {"KeyUsage", 1610874886, 0}, + {"digitalSignature", 1073741825, "0"}, + {"nonRepudiation", 1073741825, "1"}, + {"keyEncipherment", 1073741825, "2"}, + {"dataEncipherment", 1073741825, "3"}, + {"keyAgreement", 1073741825, "4"}, + {"keyCertSign", 1073741825, "5"}, + {"cRLSign", 1073741825, "6"}, + {"encipherOnly", 1073741825, "7"}, + {"decipherOnly", 1, "8"}, + {"id-ce-privateKeyUsagePeriod", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "16"}, + {"PrivateKeyUsagePeriod", 1610612741, 0}, + {"notBefore", 1619025937, 0}, + {0, 4104, "0"}, + {"notAfter", 545284113, 0}, + {0, 4104, "1"}, + {"id-ce-certificatePolicies", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "32"}, + {"CertificatePolicies", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "PolicyInformation"}, + {"PolicyInformation", 1610612741, 0}, + {"policyIdentifier", 1073741826, "CertPolicyId"}, + {"policyQualifiers", 538984459, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "PolicyQualifierInfo"}, + {"CertPolicyId", 1073741836, 0}, + {"PolicyQualifierInfo", 1610612741, 0}, + {"policyQualifierId", 1073741826, "PolicyQualifierId"}, + {"qualifier", 541065229, 0}, + {"policyQualifierId", 1, 0}, + {"PolicyQualifierId", 1073741836, 0}, + {"CPSuri", 1073741826, "IA5String"}, + {"UserNotice", 1610612741, 0}, + {"noticeRef", 1073758210, "NoticeReference"}, + {"explicitText", 16386, "DisplayText"}, + {"NoticeReference", 1610612741, 0}, + {"organization", 1073741826, "DisplayText"}, + {"noticeNumbers", 536870923, 0}, + {0, 3, 0}, + {"DisplayText", 1610612754, 0}, + {"visibleString", 1612709890, "VisibleString"}, + {"200", 524298, "1"}, + {"bmpString", 1612709890, "BMPString"}, + {"200", 524298, "1"}, + {"utf8String", 538968066, "UTF8String"}, + {"200", 524298, "1"}, + {"id-ce-policyMappings", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "33"}, + {"PolicyMappings", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 536870917, 0}, + {"issuerDomainPolicy", 1073741826, "CertPolicyId"}, + {"subjectDomainPolicy", 2, "CertPolicyId"}, + {"DirectoryString", 1610612754, 0}, + {"teletexString", 1612709890, "TeletexString"}, + {"MAX", 524298, "1"}, + {"printableString", 1612709890, "PrintableString"}, + {"MAX", 524298, "1"}, + {"universalString", 1612709890, "UniversalString"}, + {"MAX", 524298, "1"}, + {"utf8String", 1612709890, "UTF8String"}, + {"MAX", 524298, "1"}, + {"bmpString", 538968066, "BMPString"}, + {"MAX", 524298, "1"}, + {"id-ce-subjectAltName", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "17"}, + {"SubjectAltName", 1073741826, "GeneralNames"}, + {"GeneralNames", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "GeneralName"}, + {"GeneralName", 1610612754, 0}, + {"otherName", 1610620930, "AnotherName"}, + {0, 4104, "0"}, + {"rfc822Name", 1610620930, "IA5String"}, + {0, 4104, "1"}, + {"dNSName", 1610620930, "IA5String"}, + {0, 4104, "2"}, + {"x400Address", 1610620930, "ORAddress"}, + {0, 4104, "3"}, + {"directoryName", 1610620930, "Name"}, + {0, 4104, "4"}, + {"ediPartyName", 1610620930, "EDIPartyName"}, + {0, 4104, "5"}, + {"uniformResourceIdentifier", 1610620930, "IA5String"}, + {0, 4104, "6"}, + {"iPAddress", 1610620935, 0}, + {0, 4104, "7"}, + {"registeredID", 536879116, 0}, + {0, 4104, "8"}, + {"AnotherName", 1610612741, 0}, + {"type-id", 1073741836, 0}, + {"value", 541073421, 0}, + {0, 1073743880, "0"}, + {"type-id", 1, 0}, + {"EDIPartyName", 1610612741, 0}, + {"nameAssigner", 1610637314, "DirectoryString"}, + {0, 4104, "0"}, + {"partyName", 536879106, "DirectoryString"}, + {0, 4104, "1"}, + {"id-ce-issuerAltName", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "18"}, + {"IssuerAltName", 1073741826, "GeneralNames"}, + {"id-ce-subjectDirectoryAttributes", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "9"}, + {"SubjectDirectoryAttributes", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "Attribute"}, + {"id-ce-basicConstraints", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "19"}, + {"BasicConstraints", 1610612741, 0}, + {"cA", 1610645508, 0}, + {0, 131081, 0}, + {"pathLenConstraint", 537411587, 0}, + {"0", 10, "MAX"}, + {"id-ce-nameConstraints", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "30"}, + {"NameConstraints", 1610612741, 0}, + {"permittedSubtrees", 1610637314, "GeneralSubtrees"}, + {0, 4104, "0"}, + {"excludedSubtrees", 536895490, "GeneralSubtrees"}, + {0, 4104, "1"}, + {"GeneralSubtrees", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "GeneralSubtree"}, + {"GeneralSubtree", 1610612741, 0}, + {"base", 1073741826, "GeneralName"}, + {"minimum", 1610653698, "BaseDistance"}, + {0, 1073741833, "0"}, + {0, 4104, "0"}, + {"maximum", 536895490, "BaseDistance"}, + {0, 4104, "1"}, + {"BaseDistance", 1611137027, 0}, + {"0", 10, "MAX"}, + {"id-ce-policyConstraints", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "36"}, + {"PolicyConstraints", 1610612741, 0}, + {"requireExplicitPolicy", 1610637314, "SkipCerts"}, + {0, 4104, "0"}, + {"inhibitPolicyMapping", 536895490, "SkipCerts"}, + {0, 4104, "1"}, + {"SkipCerts", 1611137027, 0}, + {"0", 10, "MAX"}, + {"id-ce-cRLDistributionPoints", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "31"}, + {"CRLDistributionPoints", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "DistributionPoint"}, + {"DistributionPoint", 1610612741, 0}, + {"distributionPoint", 1610637314, "DistributionPointName"}, + {0, 2056, "0"}, + {"reasons", 1610637314, "ReasonFlags"}, + {0, 4104, "1"}, + {"cRLIssuer", 536895490, "GeneralNames"}, + {0, 4104, "2"}, + {"DistributionPointName", 1610612754, 0}, + {"fullName", 1610620930, "GeneralNames"}, + {0, 4104, "0"}, + {"nameRelativeToCRLIssuer", 536879106, "RelativeDistinguishedName"}, + {0, 4104, "1"}, + {"ReasonFlags", 1610874886, 0}, + {"unused", 1073741825, "0"}, + {"keyCompromise", 1073741825, "1"}, + {"cACompromise", 1073741825, "2"}, + {"affiliationChanged", 1073741825, "3"}, + {"superseded", 1073741825, "4"}, + {"cessationOfOperation", 1073741825, "5"}, + {"certificateHold", 1073741825, "6"}, + {"privilegeWithdrawn", 1073741825, "7"}, + {"aACompromise", 1, "8"}, + {"id-ce-extKeyUsage", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "37"}, + {"ExtKeyUsageSyntax", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "KeyPurposeId"}, + {"KeyPurposeId", 1073741836, 0}, + {"id-kp-serverAuth", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "1"}, + {"id-kp-clientAuth", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "2"}, + {"id-kp-codeSigning", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "3"}, + {"id-kp-emailProtection", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "4"}, + {"id-kp-ipsecEndSystem", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "5"}, + {"id-kp-ipsecTunnel", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "6"}, + {"id-kp-ipsecUser", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "7"}, + {"id-kp-timeStamping", 1879048204, 0}, + {0, 1073741825, "id-kp"}, + {0, 1, "8"}, + {"id-pe-authorityInfoAccess", 1879048204, 0}, + {0, 1073741825, "id-pe"}, + {0, 1, "1"}, + {"AuthorityInfoAccessSyntax", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "AccessDescription"}, + {"AccessDescription", 1610612741, 0}, + {"accessMethod", 1073741836, 0}, + {"accessLocation", 2, "GeneralName"}, + {"id-ce-cRLNumber", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "20"}, + {"CRLNumber", 1611137027, 0}, + {"0", 10, "MAX"}, + {"id-ce-issuingDistributionPoint", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "28"}, + {"IssuingDistributionPoint", 1610612741, 0}, + {"distributionPoint", 1610637314, "DistributionPointName"}, + {0, 4104, "0"}, + {"onlyContainsUserCerts", 1610653700, 0}, + {0, 1073872905, 0}, + {0, 4104, "1"}, + {"onlyContainsCACerts", 1610653700, 0}, + {0, 1073872905, 0}, + {0, 4104, "2"}, + {"onlySomeReasons", 1610637314, "ReasonFlags"}, + {0, 4104, "3"}, + {"indirectCRL", 536911876, 0}, + {0, 1073872905, 0}, + {0, 4104, "4"}, + {"id-ce-deltaCRLIndicator", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "27"}, + {"BaseCRLNumber", 1073741826, "CRLNumber"}, + {"id-ce-cRLReasons", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "21"}, + {"CRLReason", 1610874901, 0}, + {"unspecified", 1073741825, "0"}, + {"keyCompromise", 1073741825, "1"}, + {"cACompromise", 1073741825, "2"}, + {"affiliationChanged", 1073741825, "3"}, + {"superseded", 1073741825, "4"}, + {"cessationOfOperation", 1073741825, "5"}, + {"certificateHold", 1073741825, "6"}, + {"removeFromCRL", 1, "8"}, + {"id-ce-certificateIssuer", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "29"}, + {"CertificateIssuer", 1073741826, "GeneralNames"}, + {"id-ce-holdInstructionCode", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "23"}, + {"HoldInstructionCode", 1073741836, 0}, + {"holdInstruction", 1879048204, 0}, + {"joint-iso-itu-t", 1073741825, "2"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"x9cm", 1073741825, "10040"}, + {0, 1, "2"}, + {"id-holdinstruction-none", 1879048204, 0}, + {0, 1073741825, "holdInstruction"}, + {0, 1, "1"}, + {"id-holdinstruction-callissuer", 1879048204, 0}, + {0, 1073741825, "holdInstruction"}, + {0, 1, "2"}, + {"id-holdinstruction-reject", 1879048204, 0}, + {0, 1073741825, "holdInstruction"}, + {0, 1, "3"}, + {"id-ce-invalidityDate", 1879048204, 0}, + {0, 1073741825, "id-ce"}, + {0, 1, "24"}, + {"InvalidityDate", 1082130449, 0}, + {"VisibleString", 1610620935, 0}, + {0, 4360, "26"}, + {"NumericString", 1610620935, 0}, + {0, 4360, "18"}, + {"IA5String", 1610620935, 0}, + {0, 4360, "22"}, + {"TeletexString", 1610620935, 0}, + {0, 4360, "20"}, + {"PrintableString", 1610620935, 0}, + {0, 4360, "19"}, + {"UniversalString", 1610620935, 0}, + {0, 4360, "28"}, + {"BMPString", 1610620935, 0}, + {0, 4360, "30"}, + {"UTF8String", 1610620935, 0}, + {0, 4360, "12"}, + {"id-pkix", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"identified-organization", 1073741825, "3"}, + {"dod", 1073741825, "6"}, + {"internet", 1073741825, "1"}, + {"security", 1073741825, "5"}, + {"mechanisms", 1073741825, "5"}, + {"pkix", 1, "7"}, + {"id-pe", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "1"}, + {"id-qt", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "2"}, + {"id-kp", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "3"}, + {"id-ad", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "48"}, + {"id-qt-cps", 1879048204, 0}, + {0, 1073741825, "id-qt"}, + {0, 1, "1"}, + {"id-qt-unotice", 1879048204, 0}, + {0, 1073741825, "id-qt"}, + {0, 1, "2"}, + {"id-ad-ocsp", 1879048204, 0}, + {0, 1073741825, "id-ad"}, + {0, 1, "1"}, + {"id-ad-caIssuers", 1879048204, 0}, + {0, 1073741825, "id-ad"}, + {0, 1, "2"}, + {"Attribute", 1610612741, 0}, + {"type", 1073741826, "AttributeType"}, + {"values", 536870927, 0}, + {0, 2, "AttributeValue"}, + {"AttributeType", 1073741836, 0}, + {"AttributeValue", 1614807053, 0}, + {"type", 1, 0}, + {"AttributeTypeAndValue", 1610612741, 0}, + {"type", 1073741826, "AttributeType"}, + {"value", 2, "AttributeValue"}, + {"id-at", 1879048204, 0}, + {"joint-iso-ccitt", 1073741825, "2"}, + {"ds", 1073741825, "5"}, + {0, 1, "4"}, + {"id-at-initials", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "43"}, + {"X520initials", 1073741826, "DirectoryString"}, + {"id-at-generationQualifier", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "44"}, + {"X520generationQualifier", 1073741826, "DirectoryString"}, + {"id-at-surname", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "4"}, + {"X520surName", 1073741826, "DirectoryString"}, + {"id-at-givenName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "42"}, + {"X520givenName", 1073741826, "DirectoryString"}, + {"id-at-name", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "41"}, + {"X520name", 1073741826, "DirectoryString"}, + {"id-at-commonName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "3"}, + {"X520CommonName", 1073741826, "DirectoryString"}, + {"id-at-localityName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "7"}, + {"X520LocalityName", 1073741826, "DirectoryString"}, + {"id-at-stateOrProvinceName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "8"}, + {"X520StateOrProvinceName", 1073741826, "DirectoryString"}, + {"id-at-organizationName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "10"}, + {"X520OrganizationName", 1073741826, "DirectoryString"}, + {"id-at-organizationalUnitName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "11"}, + {"X520OrganizationalUnitName", 1073741826, "DirectoryString"}, + {"id-at-title", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "12"}, + {"X520Title", 1073741826, "DirectoryString"}, + {"id-at-description", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "13"}, + {"X520Description", 1073741826, "DirectoryString"}, + {"id-at-dnQualifier", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "46"}, + {"X520dnQualifier", 1073741826, "PrintableString"}, + {"id-at-countryName", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "6"}, + {"X520countryName", 1612709890, "PrintableString"}, + {0, 1048586, "2"}, + {"id-at-serialNumber", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "5"}, + {"X520serialNumber", 1073741826, "PrintableString"}, + {"id-at-telephoneNumber", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "20"}, + {"X520telephoneNumber", 1073741826, "PrintableString"}, + {"id-at-facsimileTelephoneNumber", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "23"}, + {"X520facsimileTelephoneNumber", 1073741826, "PrintableString"}, + {"id-at-pseudonym", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "65"}, + {"X520pseudonym", 1073741826, "DirectoryString"}, + {"id-at-name", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "41"}, + {"X520name", 1073741826, "DirectoryString"}, + {"id-at-streetAddress", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "9"}, + {"X520streetAddress", 1073741826, "DirectoryString"}, + {"id-at-postalAddress", 1880096780, "AttributeType"}, + {0, 1073741825, "id-at"}, + {0, 1, "16"}, + {"X520postalAddress", 1073741826, "PostalAddress"}, + {"PostalAddress", 1610612747, 0}, + {0, 2, "DirectoryString"}, + {"pkcs", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"rsadsi", 1073741825, "113549"}, + {"pkcs", 1, "1"}, + {"pkcs-9", 1879048204, 0}, + {0, 1073741825, "pkcs"}, + {0, 1, "9"}, + {"emailAddress", 1880096780, "AttributeType"}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "1"}, + {"Pkcs9email", 1612709890, "IA5String"}, + {"ub-emailaddress-length", 524298, "1"}, + {"Name", 1610612754, 0}, + {"rdnSequence", 2, "RDNSequence"}, + {"RDNSequence", 1610612747, 0}, + {0, 2, "RelativeDistinguishedName"}, + {"DistinguishedName", 1073741826, "RDNSequence"}, + {"RelativeDistinguishedName", 1612709903, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "AttributeTypeAndValue"}, + {"Certificate", 1610612741, 0}, + {"tbsCertificate", 1073741826, "TBSCertificate"}, + {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"signature", 6, 0}, + {"TBSCertificate", 1610612741, 0}, + {"version", 1610653698, "Version"}, + {0, 1073741833, "v1"}, + {0, 2056, "0"}, + {"serialNumber", 1073741826, "CertificateSerialNumber"}, + {"signature", 1073741826, "AlgorithmIdentifier"}, + {"issuer", 1073741826, "Name"}, + {"validity", 1073741826, "Validity"}, + {"subject", 1073741826, "Name"}, + {"subjectPublicKeyInfo", 1073741826, "SubjectPublicKeyInfo"}, + {"issuerUniqueID", 1610637314, "UniqueIdentifier"}, + {0, 4104, "1"}, + {"subjectUniqueID", 1610637314, "UniqueIdentifier"}, + {0, 4104, "2"}, + {"extensions", 536895490, "Extensions"}, + {0, 2056, "3"}, + {"Version", 1610874883, 0}, + {"v1", 1073741825, "0"}, + {"v2", 1073741825, "1"}, + {"v3", 1, "2"}, + {"CertificateSerialNumber", 1073741827, 0}, + {"Validity", 1610612741, 0}, + {"notBefore", 1073741826, "Time"}, + {"notAfter", 2, "Time"}, + {"Time", 1610612754, 0}, + {"utcTime", 1090519057, 0}, + {"generalTime", 8388625, 0}, + {"UniqueIdentifier", 1073741830, 0}, + {"SubjectPublicKeyInfo", 1610612741, 0}, + {"algorithm", 1073741826, "AlgorithmIdentifier"}, + {"subjectPublicKey", 6, 0}, + {"Extensions", 1612709899, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "Extension"}, + {"Extension", 1610612741, 0}, + {"extnID", 1073741836, 0}, + {"critical", 1610645508, 0}, + {0, 131081, 0}, + {"extnValue", 7, 0}, + {"CertificateList", 1610612741, 0}, + {"tbsCertList", 1073741826, "TBSCertList"}, + {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"signature", 6, 0}, + {"TBSCertList", 1610612741, 0}, + {"version", 1073758210, "Version"}, + {"signature", 1073741826, "AlgorithmIdentifier"}, + {"issuer", 1073741826, "Name"}, + {"thisUpdate", 1073741826, "Time"}, + {"nextUpdate", 1073758210, "Time"}, + {"revokedCertificates", 1610629131, 0}, + {0, 536870917, 0}, + {"userCertificate", 1073741826, "CertificateSerialNumber"}, + {"revocationDate", 1073741826, "Time"}, + {"crlEntryExtensions", 16386, "Extensions"}, + {"crlExtensions", 536895490, "Extensions"}, + {0, 2056, "0"}, + {"AlgorithmIdentifier", 1610612741, 0}, + {"algorithm", 1073741836, 0}, + {"parameters", 541081613, 0}, + {"algorithm", 1, 0}, + {"pkcs-1", 1879048204, 0}, + {0, 1073741825, "pkcs"}, + {0, 1, "1"}, + {"rsaEncryption", 1879048204, 0}, + {0, 1073741825, "pkcs-1"}, + {0, 1, "1"}, + {"md2WithRSAEncryption", 1879048204, 0}, + {0, 1073741825, "pkcs-1"}, + {0, 1, "2"}, + {"md5WithRSAEncryption", 1879048204, 0}, + {0, 1073741825, "pkcs-1"}, + {0, 1, "4"}, + {"sha1WithRSAEncryption", 1879048204, 0}, + {0, 1073741825, "pkcs-1"}, + {0, 1, "5"}, + {"id-dsa-with-sha1", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"x9-57", 1073741825, "10040"}, + {"x9algorithm", 1073741825, "4"}, + {0, 1, "3"}, + {"Dss-Sig-Value", 1610612741, 0}, + {"r", 1073741827, 0}, + {"s", 3, 0}, + {"dhpublicnumber", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"ansi-x942", 1073741825, "10046"}, + {"number-type", 1073741825, "2"}, + {0, 1, "1"}, + {"DomainParameters", 1610612741, 0}, + {"p", 1073741827, 0}, + {"g", 1073741827, 0}, + {"q", 1073741827, 0}, + {"j", 1073758211, 0}, + {"validationParms", 16386, "ValidationParms"}, + {"ValidationParms", 1610612741, 0}, + {"seed", 1073741830, 0}, + {"pgenCounter", 3, 0}, + {"id-dsa", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"x9-57", 1073741825, "10040"}, + {"x9algorithm", 1073741825, "4"}, + {0, 1, "1"}, + {"Dss-Parms", 1610612741, 0}, + {"p", 1073741827, 0}, + {"q", 1073741827, 0}, + {"g", 3, 0}, + {"ORAddress", 1610612741, 0}, + {"built-in-standard-attributes", 1073741826, + "BuiltInStandardAttributes"}, + {"built-in-domain-defined-attributes", 1073758210, + "BuiltInDomainDefinedAttributes"}, + {"extension-attributes", 16386, "ExtensionAttributes"}, + {"BuiltInStandardAttributes", 1610612741, 0}, + {"country-name", 1073758210, "CountryName"}, + {"administration-domain-name", 1073758210, "AdministrationDomainName"}, + {"network-address", 1610637314, "NetworkAddress"}, + {0, 2056, "0"}, + {"terminal-identifier", 1610637314, "TerminalIdentifier"}, + {0, 2056, "1"}, + {"private-domain-name", 1610637314, "PrivateDomainName"}, + {0, 2056, "2"}, + {"organization-name", 1610637314, "OrganizationName"}, + {0, 2056, "3"}, + {"numeric-user-identifier", 1610637314, "NumericUserIdentifier"}, + {0, 2056, "4"}, + {"personal-name", 1610637314, "PersonalName"}, + {0, 2056, "5"}, + {"organizational-unit-names", 536895490, "OrganizationalUnitNames"}, + {0, 2056, "6"}, + {"CountryName", 1610620946, 0}, + {0, 1073746952, "1"}, + {"x121-dcc-code", 1612709890, "NumericString"}, + {0, 1048586, "ub-country-name-numeric-length"}, + {"iso-3166-alpha2-code", 538968066, "PrintableString"}, + {0, 1048586, "ub-country-name-alpha-length"}, + {"AdministrationDomainName", 1610620946, 0}, + {0, 1073744904, "2"}, + {"numeric", 1612709890, "NumericString"}, + {"ub-domain-name-length", 524298, "0"}, + {"printable", 538968066, "PrintableString"}, + {"ub-domain-name-length", 524298, "0"}, + {"NetworkAddress", 1073741826, "X121Address"}, + {"X121Address", 1612709890, "NumericString"}, + {"ub-x121-address-length", 524298, "1"}, + {"TerminalIdentifier", 1612709890, "PrintableString"}, + {"ub-terminal-id-length", 524298, "1"}, + {"PrivateDomainName", 1610612754, 0}, + {"numeric", 1612709890, "NumericString"}, + {"ub-domain-name-length", 524298, "1"}, + {"printable", 538968066, "PrintableString"}, + {"ub-domain-name-length", 524298, "1"}, + {"OrganizationName", 1612709890, "PrintableString"}, + {"ub-organization-name-length", 524298, "1"}, + {"NumericUserIdentifier", 1612709890, "NumericString"}, + {"ub-numeric-user-id-length", 524298, "1"}, + {"PersonalName", 1610612750, 0}, + {"surname", 1814044674, "PrintableString"}, + {0, 1073745928, "0"}, + {"ub-surname-length", 524298, "1"}, + {"given-name", 1814061058, "PrintableString"}, + {0, 1073745928, "1"}, + {"ub-given-name-length", 524298, "1"}, + {"initials", 1814061058, "PrintableString"}, + {0, 1073745928, "2"}, + {"ub-initials-length", 524298, "1"}, + {"generation-qualifier", 740319234, "PrintableString"}, + {0, 1073745928, "3"}, + {"ub-generation-qualifier-length", 524298, "1"}, + {"OrganizationalUnitNames", 1612709899, 0}, + {"ub-organizational-units", 1074266122, "1"}, + {0, 2, "OrganizationalUnitName"}, + {"OrganizationalUnitName", 1612709890, "PrintableString"}, + {"ub-organizational-unit-name-length", 524298, "1"}, + {"BuiltInDomainDefinedAttributes", 1612709899, 0}, + {"ub-domain-defined-attributes", 1074266122, "1"}, + {0, 2, "BuiltInDomainDefinedAttribute"}, + {"BuiltInDomainDefinedAttribute", 1610612741, 0}, + {"type", 1612709890, "PrintableString"}, + {"ub-domain-defined-attribute-type-length", 524298, "1"}, + {"value", 538968066, "PrintableString"}, + {"ub-domain-defined-attribute-value-length", 524298, "1"}, + {"ExtensionAttributes", 1612709903, 0}, + {"ub-extension-attributes", 1074266122, "1"}, + {0, 2, "ExtensionAttribute"}, + {"ExtensionAttribute", 1610612741, 0}, + {"extension-attribute-type", 1611145219, 0}, + {0, 1073743880, "0"}, + {"0", 10, "ub-extension-attributes"}, + {"extension-attribute-value", 541073421, 0}, + {0, 1073743880, "1"}, + {"extension-attribute-type", 1, 0}, + {"common-name", 1342177283, "1"}, + {"CommonName", 1612709890, "PrintableString"}, + {"ub-common-name-length", 524298, "1"}, + {"teletex-common-name", 1342177283, "2"}, + {"TeletexCommonName", 1612709890, "TeletexString"}, + {"ub-common-name-length", 524298, "1"}, + {"teletex-organization-name", 1342177283, "3"}, + {"TeletexOrganizationName", 1612709890, "TeletexString"}, + {"ub-organization-name-length", 524298, "1"}, + {"teletex-personal-name", 1342177283, "4"}, + {"TeletexPersonalName", 1610612750, 0}, + {"surname", 1814044674, "TeletexString"}, + {0, 1073743880, "0"}, + {"ub-surname-length", 524298, "1"}, + {"given-name", 1814061058, "TeletexString"}, + {0, 1073743880, "1"}, + {"ub-given-name-length", 524298, "1"}, + {"initials", 1814061058, "TeletexString"}, + {0, 1073743880, "2"}, + {"ub-initials-length", 524298, "1"}, + {"generation-qualifier", 740319234, "TeletexString"}, + {0, 1073743880, "3"}, + {"ub-generation-qualifier-length", 524298, "1"}, + {"teletex-organizational-unit-names", 1342177283, "5"}, + {"TeletexOrganizationalUnitNames", 1612709899, 0}, + {"ub-organizational-units", 1074266122, "1"}, + {0, 2, "TeletexOrganizationalUnitName"}, + {"TeletexOrganizationalUnitName", 1612709890, "TeletexString"}, + {"ub-organizational-unit-name-length", 524298, "1"}, + {"pds-name", 1342177283, "7"}, + {"PDSName", 1612709890, "PrintableString"}, + {"ub-pds-name-length", 524298, "1"}, + {"physical-delivery-country-name", 1342177283, "8"}, + {"PhysicalDeliveryCountryName", 1610612754, 0}, + {"x121-dcc-code", 1612709890, "NumericString"}, + {0, 1048586, "ub-country-name-numeric-length"}, + {"iso-3166-alpha2-code", 538968066, "PrintableString"}, + {0, 1048586, "ub-country-name-alpha-length"}, + {"postal-code", 1342177283, "9"}, + {"PostalCode", 1610612754, 0}, + {"numeric-code", 1612709890, "NumericString"}, + {"ub-postal-code-length", 524298, "1"}, + {"printable-code", 538968066, "PrintableString"}, + {"ub-postal-code-length", 524298, "1"}, + {"physical-delivery-office-name", 1342177283, "10"}, + {"PhysicalDeliveryOfficeName", 1073741826, "PDSParameter"}, + {"physical-delivery-office-number", 1342177283, "11"}, + {"PhysicalDeliveryOfficeNumber", 1073741826, "PDSParameter"}, + {"extension-OR-address-components", 1342177283, "12"}, + {"ExtensionORAddressComponents", 1073741826, "PDSParameter"}, + {"physical-delivery-personal-name", 1342177283, "13"}, + {"PhysicalDeliveryPersonalName", 1073741826, "PDSParameter"}, + {"physical-delivery-organization-name", 1342177283, "14"}, + {"PhysicalDeliveryOrganizationName", 1073741826, "PDSParameter"}, + {"extension-physical-delivery-address-components", 1342177283, "15"}, + {"ExtensionPhysicalDeliveryAddressComponents", 1073741826, + "PDSParameter"}, + {"unformatted-postal-address", 1342177283, "16"}, + {"UnformattedPostalAddress", 1610612750, 0}, + {"printable-address", 1814052875, 0}, + {"ub-pds-physical-address-lines", 1074266122, "1"}, + {0, 538968066, "PrintableString"}, + {"ub-pds-parameter-length", 524298, "1"}, + {"teletex-string", 740311042, "TeletexString"}, + {"ub-unformatted-address-length", 524298, "1"}, + {"street-address", 1342177283, "17"}, + {"StreetAddress", 1073741826, "PDSParameter"}, + {"post-office-box-address", 1342177283, "18"}, + {"PostOfficeBoxAddress", 1073741826, "PDSParameter"}, + {"poste-restante-address", 1342177283, "19"}, + {"PosteRestanteAddress", 1073741826, "PDSParameter"}, + {"unique-postal-name", 1342177283, "20"}, + {"UniquePostalName", 1073741826, "PDSParameter"}, + {"local-postal-attributes", 1342177283, "21"}, + {"LocalPostalAttributes", 1073741826, "PDSParameter"}, + {"PDSParameter", 1610612750, 0}, + {"printable-string", 1814052866, "PrintableString"}, + {"ub-pds-parameter-length", 524298, "1"}, + {"teletex-string", 740311042, "TeletexString"}, + {"ub-pds-parameter-length", 524298, "1"}, + {"extended-network-address", 1342177283, "22"}, + {"ExtendedNetworkAddress", 1610612754, 0}, + {"e163-4-address", 1610612741, 0}, + {"number", 1612718082, "NumericString"}, + {0, 1073743880, "0"}, + {"ub-e163-4-number-length", 524298, "1"}, + {"sub-address", 538992642, "NumericString"}, + {0, 1073743880, "1"}, + {"ub-e163-4-sub-address-length", 524298, "1"}, + {"psap-address", 536879106, "PresentationAddress"}, + {0, 2056, "0"}, + {"PresentationAddress", 1610612741, 0}, + {"pSelector", 1610637319, 0}, + {0, 2056, "0"}, + {"sSelector", 1610637319, 0}, + {0, 2056, "1"}, + {"tSelector", 1610637319, 0}, + {0, 2056, "2"}, + {"nAddresses", 538976271, 0}, + {0, 1073743880, "3"}, + {"MAX", 1074266122, "1"}, + {0, 7, 0}, + {"terminal-type", 1342177283, "23"}, + {"TerminalType", 1610874883, 0}, + {"telex", 1073741825, "3"}, + {"teletex", 1073741825, "4"}, + {"g3-facsimile", 1073741825, "5"}, + {"g4-facsimile", 1073741825, "6"}, + {"ia5-terminal", 1073741825, "7"}, + {"videotex", 1, "8"}, + {"teletex-domain-defined-attributes", 1342177283, "6"}, + {"TeletexDomainDefinedAttributes", 1612709899, 0}, + {"ub-domain-defined-attributes", 1074266122, "1"}, + {0, 2, "TeletexDomainDefinedAttribute"}, + {"TeletexDomainDefinedAttribute", 1610612741, 0}, + {"type", 1612709890, "TeletexString"}, + {"ub-domain-defined-attribute-type-length", 524298, "1"}, + {"value", 538968066, "TeletexString"}, + {"ub-domain-defined-attribute-value-length", 524298, "1"}, + {"ub-name", 1342177283, "32768"}, + {"ub-common-name", 1342177283, "64"}, + {"ub-locality-name", 1342177283, "128"}, + {"ub-state-name", 1342177283, "128"}, + {"ub-organization-name", 1342177283, "64"}, + {"ub-organizational-unit-name", 1342177283, "64"}, + {"ub-title", 1342177283, "64"}, + {"ub-match", 1342177283, "128"}, + {"ub-emailaddress-length", 1342177283, "128"}, + {"ub-common-name-length", 1342177283, "64"}, + {"ub-country-name-alpha-length", 1342177283, "2"}, + {"ub-country-name-numeric-length", 1342177283, "3"}, + {"ub-domain-defined-attributes", 1342177283, "4"}, + {"ub-domain-defined-attribute-type-length", 1342177283, "8"}, + {"ub-domain-defined-attribute-value-length", 1342177283, "128"}, + {"ub-domain-name-length", 1342177283, "16"}, + {"ub-extension-attributes", 1342177283, "256"}, + {"ub-e163-4-number-length", 1342177283, "15"}, + {"ub-e163-4-sub-address-length", 1342177283, "40"}, + {"ub-generation-qualifier-length", 1342177283, "3"}, + {"ub-given-name-length", 1342177283, "16"}, + {"ub-initials-length", 1342177283, "5"}, + {"ub-integer-options", 1342177283, "256"}, + {"ub-numeric-user-id-length", 1342177283, "32"}, + {"ub-organization-name-length", 1342177283, "64"}, + {"ub-organizational-unit-name-length", 1342177283, "32"}, + {"ub-organizational-units", 1342177283, "4"}, + {"ub-pds-name-length", 1342177283, "16"}, + {"ub-pds-parameter-length", 1342177283, "30"}, + {"ub-pds-physical-address-lines", 1342177283, "6"}, + {"ub-postal-code-length", 1342177283, "16"}, + {"ub-surname-length", 1342177283, "40"}, + {"ub-terminal-id-length", 1342177283, "24"}, + {"ub-unformatted-address-length", 1342177283, "180"}, + {"ub-x121-address-length", 1342177283, "16"}, + {"pkcs-7-ContentInfo", 1610612741, 0}, + {"contentType", 1073741826, "pkcs-7-ContentType"}, + {"content", 541073421, 0}, + {0, 1073743880, "0"}, + {"contentType", 1, 0}, + {"pkcs-7-DigestInfo", 1610612741, 0}, + {"digestAlgorithm", 1073741826, "pkcs-7-DigestAlgorithmIdentifier"}, + {"digest", 2, "pkcs-7-Digest"}, + {"pkcs-7-Digest", 1073741831, 0}, + {"pkcs-7-ContentType", 1073741836, 0}, + {"pkcs-7-SignedData", 1610612741, 0}, + {"version", 1073741826, "pkcs-7-CMSVersion"}, + {"digestAlgorithms", 1073741826, "pkcs-7-DigestAlgorithmIdentifiers"}, + {"encapContentInfo", 1073741826, "pkcs-7-EncapsulatedContentInfo"}, + {"certificates", 1610637314, "pkcs-7-CertificateSet"}, + {0, 4104, "0"}, + {"crls", 1610637314, "pkcs-7-CertificateRevocationLists"}, + {0, 4104, "1"}, + {"signerInfos", 2, "pkcs-7-SignerInfos"}, + {"pkcs-7-CMSVersion", 1610874883, 0}, + {"v0", 1073741825, "0"}, + {"v1", 1073741825, "1"}, + {"v2", 1073741825, "2"}, + {"v3", 1073741825, "3"}, + {"v4", 1, "4"}, + {"pkcs-7-DigestAlgorithmIdentifiers", 1610612751, 0}, + {0, 2, "pkcs-7-DigestAlgorithmIdentifier"}, + {"pkcs-7-DigestAlgorithmIdentifier", 1073741826, + "AlgorithmIdentifier"}, + {"pkcs-7-EncapsulatedContentInfo", 1610612741, 0}, + {"eContentType", 1073741826, "pkcs-7-ContentType"}, + {"eContent", 536895495, 0}, + {0, 2056, "0"}, + {"pkcs-7-CertificateRevocationLists", 1610612751, 0}, + {0, 13, 0}, + {"pkcs-7-CertificateChoices", 1610612754, 0}, + {"certificate", 13, 0}, + {"pkcs-7-CertificateSet", 1610612751, 0}, + {0, 2, "pkcs-7-CertificateChoices"}, + {"pkcs-7-SignerInfos", 1610612751, 0}, + {0, 13, 0}, + {"pkcs-10-CertificationRequestInfo", 1610612741, 0}, + {"version", 1610874883, 0}, + {"v1", 1, "0"}, + {"subject", 1073741826, "Name"}, + {"subjectPKInfo", 1073741826, "SubjectPublicKeyInfo"}, + {"attributes", 536879106, "Attributes"}, + {0, 4104, "0"}, + {"Attributes", 1610612751, 0}, + {0, 2, "Attribute"}, + {"pkcs-10-CertificationRequest", 1610612741, 0}, + {"certificationRequestInfo", 1073741826, + "pkcs-10-CertificationRequestInfo"}, + {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"signature", 6, 0}, + {"pkcs-9-ub-challengePassword", 1342177283, "255"}, + {"pkcs-9-certTypes", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "22"}, + {"pkcs-9-crlTypes", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "23"}, + {"pkcs-9-at-challengePassword", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "7"}, + {"pkcs-9-challengePassword", 1610612754, 0}, + {"printableString", 1612709890, "PrintableString"}, + {"pkcs-9-ub-challengePassword", 524298, "1"}, + {"utf8String", 538968066, "UTF8String"}, + {"pkcs-9-ub-challengePassword", 524298, "1"}, + {"pkcs-9-at-localKeyId", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "21"}, + {"pkcs-9-localKeyId", 1073741831, 0}, + {"pkcs-9-at-friendlyName", 1879048204, 0}, + {0, 1073741825, "pkcs-9"}, + {0, 1, "20"}, + {"pkcs-9-friendlyName", 1612709890, "BMPString"}, + {"255", 524298, "1"}, + {"pkcs-8-PrivateKeyInfo", 1610612741, 0}, + {"version", 1073741826, "pkcs-8-Version"}, + {"privateKeyAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"privateKey", 1073741826, "pkcs-8-PrivateKey"}, + {"attributes", 536895490, "Attributes"}, + {0, 4104, "0"}, + {"pkcs-8-Version", 1610874883, 0}, + {"v1", 1, "0"}, + {"pkcs-8-PrivateKey", 1073741831, 0}, + {"pkcs-8-Attributes", 1610612751, 0}, + {0, 2, "Attribute"}, + {"pkcs-8-EncryptedPrivateKeyInfo", 1610612741, 0}, + {"encryptionAlgorithm", 1073741826, "AlgorithmIdentifier"}, + {"encryptedData", 2, "pkcs-8-EncryptedData"}, + {"pkcs-8-EncryptedData", 1073741831, 0}, + {"pkcs-5", 1879048204, 0}, + {0, 1073741825, "pkcs"}, + {0, 1, "5"}, + {"pkcs-5-encryptionAlgorithm", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"rsadsi", 1073741825, "113549"}, + {0, 1, "3"}, + {"pkcs-5-des-EDE3-CBC", 1879048204, 0}, + {0, 1073741825, "pkcs-5-encryptionAlgorithm"}, + {0, 1, "7"}, + {"pkcs-5-des-EDE3-CBC-params", 1612709895, 0}, + {0, 1048586, "8"}, + {"pkcs-5-id-PBES2", 1879048204, 0}, + {0, 1073741825, "pkcs-5"}, + {0, 1, "13"}, + {"pkcs-5-PBES2-params", 1610612741, 0}, + {"keyDerivationFunc", 1073741826, "AlgorithmIdentifier"}, + {"encryptionScheme", 2, "AlgorithmIdentifier"}, + {"pkcs-5-id-PBKDF2", 1879048204, 0}, + {0, 1073741825, "pkcs-5"}, + {0, 1, "12"}, + {"pkcs-5-PBKDF2-params", 1610612741, 0}, + {"salt", 1610612754, 0}, + {"specified", 1073741831, 0}, + {"otherSource", 2, "AlgorithmIdentifier"}, + {"iterationCount", 1611137027, 0}, + {"1", 10, "MAX"}, + {"keyLength", 1611153411, 0}, + {"1", 10, "MAX"}, + {"prf", 16386, "AlgorithmIdentifier"}, + {"pkcs-12", 1879048204, 0}, + {0, 1073741825, "pkcs"}, + {0, 1, "12"}, + {"pkcs-12-PFX", 1610612741, 0}, + {"version", 1610874883, 0}, + {"v3", 1, "3"}, + {"authSafe", 1073741826, "pkcs-7-ContentInfo"}, + {"macData", 16386, "pkcs-12-MacData"}, + {"pkcs-12-PbeParams", 1610612741, 0}, + {"salt", 1073741831, 0}, + {"iterations", 3, 0}, + {"pkcs-12-MacData", 1610612741, 0}, + {"mac", 1073741826, "pkcs-7-DigestInfo"}, + {"macSalt", 1073741831, 0}, + {"iterations", 536903683, 0}, + {0, 9, "1"}, + {"pkcs-12-AuthenticatedSafe", 1610612747, 0}, + {0, 2, "pkcs-7-ContentInfo"}, + {"pkcs-12-SafeContents", 1610612747, 0}, + {0, 2, "pkcs-12-SafeBag"}, + {"pkcs-12-SafeBag", 1610612741, 0}, + {"bagId", 1073741836, 0}, + {"bagValue", 1614815245, 0}, + {0, 1073743880, "0"}, + {"badId", 1, 0}, + {"bagAttributes", 536887311, 0}, + {0, 2, "pkcs-12-PKCS12Attribute"}, + {"pkcs-12-bagtypes", 1879048204, 0}, + {0, 1073741825, "pkcs-12"}, + {0, 1073741825, "10"}, + {0, 1, "1"}, + {"pkcs-12-keyBag", 1879048204, 0}, + {0, 1073741825, "pkcs-12-bagtypes"}, + {0, 1, "1"}, + {"pkcs-12-pkcs8ShroudedKeyBag", 1879048204, 0}, + {0, 1073741825, "pkcs-12-bagtypes"}, + {0, 1, "2"}, + {"pkcs-12-certBag", 1879048204, 0}, + {0, 1073741825, "pkcs-12-bagtypes"}, + {0, 1, "3"}, + {"pkcs-12-crlBag", 1879048204, 0}, + {0, 1073741825, "pkcs-12-bagtypes"}, + {0, 1, "4"}, + {"pkcs-12-KeyBag", 1073741826, "pkcs-8-PrivateKeyInfo"}, + {"pkcs-12-PKCS8ShroudedKeyBag", 1073741826, + "pkcs-8-EncryptedPrivateKeyInfo"}, + {"pkcs-12-CertBag", 1610612741, 0}, + {"certId", 1073741836, 0}, + {"certValue", 541073421, 0}, + {0, 1073743880, "0"}, + {"certId", 1, 0}, + {"pkcs-12-CRLBag", 1610612741, 0}, + {"crlId", 1073741836, 0}, + {"crlValue", 541073421, 0}, + {0, 1073743880, "0"}, + {"crlId", 1, 0}, + {"pkcs-12-PKCS12Attribute", 1073741826, "Attribute"}, + {"pkcs-7-data", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"rsadsi", 1073741825, "113549"}, + {"pkcs", 1073741825, "1"}, + {"pkcs7", 1073741825, "7"}, + {0, 1, "1"}, + {"pkcs-7-encryptedData", 1879048204, 0}, + {"iso", 1073741825, "1"}, + {"member-body", 1073741825, "2"}, + {"us", 1073741825, "840"}, + {"rsadsi", 1073741825, "113549"}, + {"pkcs", 1073741825, "1"}, + {"pkcs7", 1073741825, "7"}, + {0, 1, "6"}, + {"pkcs-7-Data", 1073741831, 0}, + {"pkcs-7-EncryptedData", 1610612741, 0}, + {"version", 1073741826, "pkcs-7-CMSVersion"}, + {"encryptedContentInfo", 1073741826, "pkcs-7-EncryptedContentInfo"}, + {"unprotectedAttrs", 536895490, "pkcs-7-UnprotectedAttributes"}, + {0, 4104, "1"}, + {"pkcs-7-EncryptedContentInfo", 1610612741, 0}, + {"contentType", 1073741826, "pkcs-7-ContentType"}, + {"contentEncryptionAlgorithm", 1073741826, + "pkcs-7-ContentEncryptionAlgorithmIdentifier"}, + {"encryptedContent", 536895490, "pkcs-7-EncryptedContent"}, + {0, 4104, "0"}, + {"pkcs-7-ContentEncryptionAlgorithmIdentifier", 1073741826, + "AlgorithmIdentifier"}, + {"pkcs-7-EncryptedContent", 1073741831, 0}, + {"pkcs-7-UnprotectedAttributes", 1612709903, 0}, + {"MAX", 1074266122, "1"}, + {0, 2, "Attribute"}, + {"id-at-ldap-DC", 1880096780, "AttributeType"}, + {0, 1073741825, "0"}, + {0, 1073741825, "9"}, + {0, 1073741825, "2342"}, + {0, 1073741825, "19200300"}, + {0, 1073741825, "100"}, + {0, 1073741825, "1"}, + {0, 1, "25"}, + {"ldap-DC", 1073741826, "IA5String"}, + {"id-at-ldap-UID", 1880096780, "AttributeType"}, + {0, 1073741825, "0"}, + {0, 1073741825, "9"}, + {0, 1073741825, "2342"}, + {0, 1073741825, "19200300"}, + {0, 1073741825, "100"}, + {0, 1073741825, "1"}, + {0, 1, "1"}, + {"ldap-UID", 1073741826, "IA5String"}, + {"id-pda", 1879048204, 0}, + {0, 1073741825, "id-pkix"}, + {0, 1, "9"}, + {"id-pda-dateOfBirth", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "1"}, + {"DateOfBirth", 1082130449, 0}, + {"id-pda-placeOfBirth", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "2"}, + {"PlaceOfBirth", 1073741826, "DirectoryString"}, + {"id-pda-gender", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "3"}, + {"Gender", 1612709890, "PrintableString"}, + {0, 1048586, "1"}, + {"id-pda-countryOfCitizenship", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "4"}, + {"CountryOfCitizenship", 1612709890, "PrintableString"}, + {0, 1048586, "2"}, + {"id-pda-countryOfResidence", 1880096780, "AttributeType"}, + {0, 1073741825, "id-pda"}, + {0, 1, "5"}, + {"CountryOfResidence", 538968066, "PrintableString"}, + {0, 1048586, "2"}, + {0, 0, 0} }; diff --git a/lib/strfile.h b/lib/strfile.h index 56ed41fed1..8afa7efcfe 100644 --- a/lib/strfile.h +++ b/lib/strfile.h @@ -1,8 +1,8 @@ typedef struct { - opaque * data; - size_t size; - int mmaped; + opaque *data; + size_t size; + int mmaped; } strfile; -void _gnutls_strfile_free( strfile *x); -strfile _gnutls_file_to_str( const char * file); +void _gnutls_strfile_free(strfile * x); +strfile _gnutls_file_to_str(const char *file); diff --git a/lib/strnstr.c b/lib/strnstr.c index 7eaa9d0dac..d664384ee7 100644 --- a/lib/strnstr.c +++ b/lib/strnstr.c @@ -26,23 +26,25 @@ char *strnstr(const char *haystack, const char *needle, size_t haystacklen) { - char *p; - ssize_t plen; - ssize_t len = strlen(needle); + char *p; + ssize_t plen; + ssize_t len = strlen(needle); - if (*needle == '\0') /* everything matches empty string */ - return (char*) haystack; + if (*needle == '\0') /* everything matches empty string */ + return (char *) haystack; - plen = haystacklen; - for (p = (char*) haystack; p != NULL; p = memchr(p + 1, *needle, plen-1)) { - plen = haystacklen - (p - haystack); + plen = haystacklen; + for (p = (char *) haystack; p != NULL; + p = memchr(p + 1, *needle, plen - 1)) { + plen = haystacklen - (p - haystack); - if (plen < len) return NULL; + if (plen < len) + return NULL; - if (strncmp(p, needle, len) == 0) - return (p); - } - return NULL; + if (strncmp(p, needle, len) == 0) + return (p); + } + return NULL; } #endif diff --git a/lib/x509/common.c b/lib/x509/common.c index 2cd9149917..9b281dfe4d 100644 --- a/lib/x509/common.c +++ b/lib/x509/common.c @@ -34,64 +34,65 @@ #include <time.h> typedef struct _oid2string { - const char * oid; - const char * ldap_desc; - int choice; /* of type DirectoryString */ - int printable; + const char *oid; + const char *ldap_desc; + int choice; /* of type DirectoryString */ + int printable; } oid2string; /* This list contains all the OIDs that may be * contained in a rdnSequence and are printable. */ static const oid2string _oid2str[] = { - /* PKIX - */ - {"1.3.6.1.5.5.7.9.1", "dateOfBirth", 0, 1}, - {"1.3.6.1.5.5.7.9.2", "placeOfBirth", 0, 1}, - {"1.3.6.1.5.5.7.9.3", "gender", 0, 1}, - {"1.3.6.1.5.5.7.9.4", "countryOfCitizenship", 0, 1}, - {"1.3.6.1.5.5.7.9.5", "countryOfResidence", 0, 1}, - - {"2.5.4.6", "C", 0, 1}, - {"2.5.4.9", "STREET", 1, 1}, - {"2.5.4.12", "T", 1, 1}, - {"2.5.4.10", "O", 1, 1}, - {"2.5.4.11", "OU", 1, 1}, - {"2.5.4.3", "CN", 1, 1}, - {"2.5.4.7", "L", 1, 1}, - {"2.5.4.8", "ST", 1, 1}, - - {"2.5.4.5", "serialNumber", 0, 1}, - {"2.5.4.20", "telephoneNumber", 0, 1}, - {"2.5.4.4", "surName", 1, 1}, - {"2.5.4.43", "initials", 1, 1}, - {"2.5.4.44", "generationQualifier", 1, 1}, - {"2.5.4.42", "givenName", 1, 1}, - {"2.5.4.65", "pseudonym", 1, 1}, - {"2.5.4.46", "dnQualifier", 0, 1}, - - {"0.9.2342.19200300.100.1.25", "DC", 0, 1}, - {"0.9.2342.19200300.100.1.1", "UID", 0, 1}, - {"1.2.840.113549.1.9.1", "EMAIL", 0, 1}, - {"1.2.840.113549.1.9.7", NULL, 1, 1}, - - /* friendly name */ - {"1.2.840.113549.1.9.20", NULL, 0, 1}, - {NULL, NULL, 0, 0} + /* PKIX + */ + {"1.3.6.1.5.5.7.9.1", "dateOfBirth", 0, 1}, + {"1.3.6.1.5.5.7.9.2", "placeOfBirth", 0, 1}, + {"1.3.6.1.5.5.7.9.3", "gender", 0, 1}, + {"1.3.6.1.5.5.7.9.4", "countryOfCitizenship", 0, 1}, + {"1.3.6.1.5.5.7.9.5", "countryOfResidence", 0, 1}, + + {"2.5.4.6", "C", 0, 1}, + {"2.5.4.9", "STREET", 1, 1}, + {"2.5.4.12", "T", 1, 1}, + {"2.5.4.10", "O", 1, 1}, + {"2.5.4.11", "OU", 1, 1}, + {"2.5.4.3", "CN", 1, 1}, + {"2.5.4.7", "L", 1, 1}, + {"2.5.4.8", "ST", 1, 1}, + + {"2.5.4.5", "serialNumber", 0, 1}, + {"2.5.4.20", "telephoneNumber", 0, 1}, + {"2.5.4.4", "surName", 1, 1}, + {"2.5.4.43", "initials", 1, 1}, + {"2.5.4.44", "generationQualifier", 1, 1}, + {"2.5.4.42", "givenName", 1, 1}, + {"2.5.4.65", "pseudonym", 1, 1}, + {"2.5.4.46", "dnQualifier", 0, 1}, + + {"0.9.2342.19200300.100.1.25", "DC", 0, 1}, + {"0.9.2342.19200300.100.1.1", "UID", 0, 1}, + {"1.2.840.113549.1.9.1", "EMAIL", 0, 1}, + {"1.2.840.113549.1.9.7", NULL, 1, 1}, + + /* friendly name */ + {"1.2.840.113549.1.9.20", NULL, 0, 1}, + {NULL, NULL, 0, 0} }; /* Returns 1 if the data defined by the OID are printable. */ -int _gnutls_x509_oid_data_printable( const char* oid) { -int i = 0; +int _gnutls_x509_oid_data_printable(const char *oid) +{ + int i = 0; - do { - if ( strcmp(_oid2str[i].oid, oid)==0) - return _oid2str[i].printable; - i++; - } while( _oid2str[i].oid != NULL); + do { + if (strcmp(_oid2str[i].oid, oid) == 0) + return _oid2str[i].printable; + i++; + } while (_oid2str[i].oid != NULL); - return 0; + return 0; } /** @@ -108,44 +109,46 @@ int i = 0; * Returns 1 on known OIDs and 0 otherwise. * **/ -int gnutls_x509_dn_oid_known( const char* oid) +int gnutls_x509_dn_oid_known(const char *oid) { -int i = 0; + int i = 0; - do { - if ( strcmp(_oid2str[i].oid, oid)==0) - return 1; - i++; - } while( _oid2str[i].oid != NULL); + do { + if (strcmp(_oid2str[i].oid, oid) == 0) + return 1; + i++; + } while (_oid2str[i].oid != NULL); - return 0; + return 0; } /* Returns 1 if the data defined by the OID are of a choice * type. */ -int _gnutls_x509_oid_data_choice( const char* oid) { -int i = 0; +int _gnutls_x509_oid_data_choice(const char *oid) +{ + int i = 0; - do { - if ( strcmp(_oid2str[i].oid, oid)==0) - return _oid2str[i].choice; - i++; - } while( _oid2str[i].oid != NULL); + do { + if (strcmp(_oid2str[i].oid, oid) == 0) + return _oid2str[i].choice; + i++; + } while (_oid2str[i].oid != NULL); - return 0; + return 0; } -const char* _gnutls_x509_oid2ldap_string( const char* oid) { -int i = 0; +const char *_gnutls_x509_oid2ldap_string(const char *oid) +{ + int i = 0; - do { - if ( strcmp(_oid2str[i].oid, oid)==0) - return _oid2str[i].ldap_desc; - i++; - } while( _oid2str[i].oid != NULL); + do { + if (strcmp(_oid2str[i].oid, oid) == 0) + return _oid2str[i].ldap_desc; + i++; + } while (_oid2str[i].oid != NULL); - return NULL; + return NULL; } /* This function will convert an attribute value, specified by the OID, @@ -154,84 +157,87 @@ int i = 0; * res may be null. This will just return the res_size, needed to * hold the string. */ -int _gnutls_x509_oid_data2string( const char* oid, void* value, - int value_size, char * res, size_t *res_size) +int _gnutls_x509_oid_data2string(const char *oid, void *value, + int value_size, char *res, + size_t * res_size) { -char str[1024], tmpname[128]; -const char* ANAME = NULL; -int CHOICE = -1, len = -1, result; -ASN1_TYPE tmpasn = ASN1_TYPE_EMPTY; - - if (value==NULL || value_size <=0 || res_size == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if ( _gnutls_x509_oid_data_printable( oid) == 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - ANAME = asn1_find_structure_from_oid( _gnutls_get_pkix(), oid); - CHOICE = _gnutls_x509_oid_data_choice( oid); + char str[1024], tmpname[128]; + const char *ANAME = NULL; + int CHOICE = -1, len = -1, result; + ASN1_TYPE tmpasn = ASN1_TYPE_EMPTY; + + if (value == NULL || value_size <= 0 || res_size == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (_gnutls_x509_oid_data_printable(oid) == 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + ANAME = asn1_find_structure_from_oid(_gnutls_get_pkix(), oid); + CHOICE = _gnutls_x509_oid_data_choice(oid); + + if (ANAME == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + _gnutls_str_cpy(str, sizeof(str), "PKIX1."); + _gnutls_str_cat(str, sizeof(str), ANAME); + + if ((result = + asn1_create_element(_gnutls_get_pkix(), str, + &tmpasn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if ((result = + asn1_der_decoding(&tmpasn, value, value_size, + NULL)) != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&tmpasn); + return _gnutls_asn2err(result); + } + + /* If this is a choice then we read the choice. Otherwise it + * is the value; + */ + len = sizeof(str) - 1; + if ((result = asn1_read_value(tmpasn, "", str, &len)) != ASN1_SUCCESS) { /* CHOICE */ + gnutls_assert(); + asn1_delete_structure(&tmpasn); + return _gnutls_asn2err(result); + } - if (ANAME==NULL) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } + if (CHOICE == 0) { + str[len] = 0; + if (res) + _gnutls_str_cpy(res, *res_size, str); + *res_size = len; - _gnutls_str_cpy(str, sizeof(str), "PKIX1."); - _gnutls_str_cat(str, sizeof(str), ANAME); + } else { /* CHOICE */ + str[len] = 0; + _gnutls_str_cpy(tmpname, sizeof(tmpname), str); + len = sizeof(str) - 1; if ((result = - asn1_create_element(_gnutls_get_pkix(), str, - &tmpasn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if ((result = asn1_der_decoding(&tmpasn, value, value_size, NULL)) != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&tmpasn); - return _gnutls_asn2err(result); + asn1_read_value(tmpasn, tmpname, str, + &len)) != ASN1_SUCCESS) { + asn1_delete_structure(&tmpasn); + return _gnutls_asn2err(result); } + str[len] = 0; - /* If this is a choice then we read the choice. Otherwise it - * is the value; - */ - len = sizeof( str) - 1; - if ((result = asn1_read_value(tmpasn, "", str, &len)) != ASN1_SUCCESS) { /* CHOICE */ - gnutls_assert(); - asn1_delete_structure(&tmpasn); - return _gnutls_asn2err(result); - } + if (res) + _gnutls_str_cpy(res, *res_size, str); + *res_size = len; + } + asn1_delete_structure(&tmpasn); - if (CHOICE == 0) { - str[len] = 0; - if (res) - _gnutls_str_cpy(res, *res_size, str); - *res_size = len; - - } else { /* CHOICE */ - str[len] = 0; - _gnutls_str_cpy( tmpname, sizeof(tmpname), str); - - len = sizeof(str) - 1; - if ((result = - asn1_read_value(tmpasn, tmpname, str, - &len)) != ASN1_SUCCESS) { - asn1_delete_structure(&tmpasn); - return _gnutls_asn2err(result); - } - str[len] = 0; - - if (res) - _gnutls_str_cpy(res, *res_size, str); - *res_size = len; - } - asn1_delete_structure(&tmpasn); - - return 0; + return 0; } @@ -242,92 +248,105 @@ ASN1_TYPE tmpasn = ASN1_TYPE_EMPTY; */ void _gnutls_int2str(unsigned int k, char *data) { - if (k > 999) - sprintf(data, "%d", 999); - else - sprintf(data, "%d", k); + if (k > 999) + sprintf(data, "%d", 999); + else + sprintf(data, "%d", k); } -gnutls_pk_algorithm _gnutls_x509_oid2pk_algorithm( const char* oid) +gnutls_pk_algorithm _gnutls_x509_oid2pk_algorithm(const char *oid) { - if (strcmp( oid, PKIX1_RSA_OID) == 0) /* pkix-1 1 - RSA */ - return GNUTLS_PK_RSA; - else if (strcmp( oid, DSA_OID) == 0) - return GNUTLS_PK_DSA; + if (strcmp(oid, PKIX1_RSA_OID) == 0) /* pkix-1 1 - RSA */ + return GNUTLS_PK_RSA; + else if (strcmp(oid, DSA_OID) == 0) + return GNUTLS_PK_DSA; - _gnutls_x509_log("Unknown PK OID: '%s'\n", oid); + _gnutls_x509_log("Unknown PK OID: '%s'\n", oid); - return GNUTLS_PK_UNKNOWN; + return GNUTLS_PK_UNKNOWN; } -gnutls_sign_algorithm _gnutls_x509_oid2sign_algorithm( const char* oid) +gnutls_sign_algorithm _gnutls_x509_oid2sign_algorithm(const char *oid) { - if (strcmp( oid, RSA_MD5_OID) == 0) { - return GNUTLS_SIGN_RSA_MD5; - } else if (strcmp( oid, RSA_SHA1_OID) == 0) { - return GNUTLS_SIGN_RSA_SHA; - } else if (strcmp( oid, RSA_MD2_OID) == 0) { - return GNUTLS_SIGN_RSA_MD2; - } else if (strcmp( oid, DSA_SHA1_OID) == 0) { - return GNUTLS_SIGN_DSA_SHA; - } - - _gnutls_x509_log("Unknown SIGN OID: '%s'\n", oid); - - return GNUTLS_SIGN_UNKNOWN; + if (strcmp(oid, RSA_MD5_OID) == 0) { + return GNUTLS_SIGN_RSA_MD5; + } else if (strcmp(oid, RSA_SHA1_OID) == 0) { + return GNUTLS_SIGN_RSA_SHA; + } else if (strcmp(oid, RSA_MD2_OID) == 0) { + return GNUTLS_SIGN_RSA_MD2; + } else if (strcmp(oid, DSA_SHA1_OID) == 0) { + return GNUTLS_SIGN_DSA_SHA; + } + + _gnutls_x509_log("Unknown SIGN OID: '%s'\n", oid); + + return GNUTLS_SIGN_UNKNOWN; } /* returns -1 on error */ -gnutls_mac_algorithm _gnutls_x509_oid2mac_algorithm( const char* oid) +gnutls_mac_algorithm _gnutls_x509_oid2mac_algorithm(const char *oid) { - if (strcmp( oid, OID_SHA1) == 0) - return GNUTLS_MAC_SHA; - else if (strcmp( oid, OID_MD5) == 0) - return GNUTLS_MAC_MD5; + if (strcmp(oid, OID_SHA1) == 0) + return GNUTLS_MAC_SHA; + else if (strcmp(oid, OID_MD5) == 0) + return GNUTLS_MAC_MD5; - return GNUTLS_MAC_UNKNOWN; + return GNUTLS_MAC_UNKNOWN; } -const char* _gnutls_x509_mac_to_oid( gnutls_mac_algorithm mac) +const char *_gnutls_x509_mac_to_oid(gnutls_mac_algorithm mac) { - if (mac == GNUTLS_MAC_SHA) return OID_SHA1; - else if (mac == GNUTLS_MAC_MD5) return OID_MD5; - else return NULL; + if (mac == GNUTLS_MAC_SHA) + return OID_SHA1; + else if (mac == GNUTLS_MAC_MD5) + return OID_MD5; + else + return NULL; } -const char* _gnutls_x509_pk_to_oid( gnutls_pk_algorithm pk) +const char *_gnutls_x509_pk_to_oid(gnutls_pk_algorithm pk) { - if (pk == GNUTLS_PK_RSA) return PKIX1_RSA_OID; - else if (pk == GNUTLS_PK_DSA) return DSA_OID; - else return NULL; + if (pk == GNUTLS_PK_RSA) + return PKIX1_RSA_OID; + else if (pk == GNUTLS_PK_DSA) + return DSA_OID; + else + return NULL; } -gnutls_sign_algorithm _gnutls_x509_pk_to_sign( - gnutls_pk_algorithm pk, gnutls_mac_algorithm mac) +gnutls_sign_algorithm _gnutls_x509_pk_to_sign(gnutls_pk_algorithm pk, + gnutls_mac_algorithm mac) { - if (pk == GNUTLS_PK_RSA) { - if (mac == GNUTLS_MAC_SHA) return GNUTLS_SIGN_RSA_SHA; - else if (mac == GNUTLS_MAC_MD5) return GNUTLS_SIGN_RSA_MD5; - } else if (pk == GNUTLS_PK_DSA) { - if (mac == GNUTLS_MAC_SHA) return GNUTLS_SIGN_DSA_SHA; - } - return GNUTLS_SIGN_UNKNOWN; + if (pk == GNUTLS_PK_RSA) { + if (mac == GNUTLS_MAC_SHA) + return GNUTLS_SIGN_RSA_SHA; + else if (mac == GNUTLS_MAC_MD5) + return GNUTLS_SIGN_RSA_MD5; + } else if (pk == GNUTLS_PK_DSA) { + if (mac == GNUTLS_MAC_SHA) + return GNUTLS_SIGN_DSA_SHA; + } + return GNUTLS_SIGN_UNKNOWN; } -const char* _gnutls_x509_sign_to_oid( gnutls_pk_algorithm pk, gnutls_mac_algorithm mac) +const char *_gnutls_x509_sign_to_oid(gnutls_pk_algorithm pk, + gnutls_mac_algorithm mac) { -gnutls_sign_algorithm sign; + gnutls_sign_algorithm sign; - sign = _gnutls_x509_pk_to_sign( pk, mac); + sign = _gnutls_x509_pk_to_sign(pk, mac); - if (sign == GNUTLS_SIGN_RSA_SHA) return RSA_SHA1_OID; - else if (sign == GNUTLS_SIGN_RSA_MD5) return RSA_MD5_OID; - else if (sign == GNUTLS_SIGN_DSA_SHA) return DSA_SHA1_OID; - - return NULL; + if (sign == GNUTLS_SIGN_RSA_SHA) + return RSA_SHA1_OID; + else if (sign == GNUTLS_SIGN_RSA_MD5) + return RSA_MD5_OID; + else if (sign == GNUTLS_SIGN_DSA_SHA) + return DSA_SHA1_OID; + + return NULL; } @@ -341,22 +360,22 @@ gnutls_sign_algorithm sign; * depend on the libc structure. */ typedef struct fake_tm { - int tm_mon; - int tm_year; /* FULL year - ie 1971 */ - int tm_mday; - int tm_hour; - int tm_min; - int tm_sec; + int tm_mon; + int tm_year; /* FULL year - ie 1971 */ + int tm_mday; + int tm_hour; + int tm_min; + int tm_sec; } fake_tm; /* The mktime_utc function is due to Russ Allbery (rra@stanford.edu), * who placed it under public domain: */ - + /* The number of days in each month. */ static const int MONTHDAYS[] = { - 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 + 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 }; /* Whether a given year is a leap year. */ @@ -371,29 +390,29 @@ static const int MONTHDAYS[] = { */ static time_t mktime_utc(const struct fake_tm *tm) { - time_t result = 0; - int i; + time_t result = 0; + int i; /* We do allow some ill-formed dates, but we don't do anything special * with them and our callers really shouldn't pass them to us. Do * explicitly disallow the ones that would cause invalid array accesses * or other algorithm problems. */ - if (tm->tm_mon < 0 || tm->tm_mon > 11 || tm->tm_year < 1970) - return (time_t) - 1; + if (tm->tm_mon < 0 || tm->tm_mon > 11 || tm->tm_year < 1970) + return (time_t) - 1; /* Convert to a time_t. */ - for (i = 1970; i < tm->tm_year; i++) - result += 365 + ISLEAP(i); - for (i = 0; i < tm->tm_mon; i++) - result += MONTHDAYS[i]; - if (tm->tm_mon > 1 && ISLEAP(tm->tm_year)) - result++; - result = 24 * (result + tm->tm_mday - 1) + tm->tm_hour; - result = 60 * result + tm->tm_min; - result = 60 * result + tm->tm_sec; - return result; + for (i = 1970; i < tm->tm_year; i++) + result += 365 + ISLEAP(i); + for (i = 0; i < tm->tm_mon; i++) + result += MONTHDAYS[i]; + if (tm->tm_mon > 1 && ISLEAP(tm->tm_year)) + result++; + result = 24 * (result + tm->tm_mday - 1) + tm->tm_hour; + result = 60 * result + tm->tm_min; + result = 60 * result + tm->tm_sec; + return result; } @@ -403,54 +422,54 @@ static time_t mktime_utc(const struct fake_tm *tm) */ time_t _gnutls_x509_time2gtime(const char *ttime, int year) { - char xx[3]; - struct fake_tm etime; - time_t ret; + char xx[3]; + struct fake_tm etime; + time_t ret; - if (strlen( ttime) < 8) { - gnutls_assert(); - return (time_t) -1; - } + if (strlen(ttime) < 8) { + gnutls_assert(); + return (time_t) - 1; + } - etime.tm_year = year; + etime.tm_year = year; - /* In order to work with 32 bit - * time_t. - */ - if (sizeof (time_t) <= 4 && etime.tm_year >= 2038) - return (time_t)2145914603; /* 2037-12-31 23:23:23 */ + /* In order to work with 32 bit + * time_t. + */ + if (sizeof(time_t) <= 4 && etime.tm_year >= 2038) + return (time_t) 2145914603; /* 2037-12-31 23:23:23 */ - xx[2] = 0; + xx[2] = 0; /* get the month */ - memcpy(xx, ttime, 2); /* month */ - etime.tm_mon = atoi(xx) - 1; - ttime += 2; + memcpy(xx, ttime, 2); /* month */ + etime.tm_mon = atoi(xx) - 1; + ttime += 2; /* get the day */ - memcpy(xx, ttime, 2); /* day */ - etime.tm_mday = atoi(xx); - ttime += 2; + memcpy(xx, ttime, 2); /* day */ + etime.tm_mday = atoi(xx); + ttime += 2; /* get the hour */ - memcpy(xx, ttime, 2); /* hour */ - etime.tm_hour = atoi(xx); - ttime += 2; + memcpy(xx, ttime, 2); /* hour */ + etime.tm_hour = atoi(xx); + ttime += 2; /* get the minutes */ - memcpy(xx, ttime, 2); /* minutes */ - etime.tm_min = atoi(xx); - ttime += 2; + memcpy(xx, ttime, 2); /* minutes */ + etime.tm_min = atoi(xx); + ttime += 2; - etime.tm_sec = 0; + etime.tm_sec = 0; - ret = mktime_utc(&etime); + ret = mktime_utc(&etime); - return ret; + return ret; } @@ -460,57 +479,58 @@ time_t _gnutls_x509_time2gtime(const char *ttime, int year) */ time_t _gnutls_x509_utcTime2gtime(const char *ttime) { - char xx[3]; - int year; - - if (strlen( ttime) < 10) { - gnutls_assert(); - return (time_t) -1; - } - xx[2] = 0; + char xx[3]; + int year; + + if (strlen(ttime) < 10) { + gnutls_assert(); + return (time_t) - 1; + } + xx[2] = 0; /* get the year */ - memcpy(xx, ttime, 2); /* year */ - year = atoi(xx); - ttime += 2; + memcpy(xx, ttime, 2); /* year */ + year = atoi(xx); + ttime += 2; - if (year > 49) - year += 1900; - else - year += 2000; + if (year > 49) + year += 1900; + else + year += 2000; - return _gnutls_x509_time2gtime( ttime, year); + return _gnutls_x509_time2gtime(ttime, year); } /* returns a time value that contains the given time. * The given time is expressed as: * YEAR(2)|MONTH(2)|DAY(2)|HOUR(2)|MIN(2) */ -int _gnutls_x509_gtime2utcTime(time_t gtime, char *str_time, int str_time_size) +int _gnutls_x509_gtime2utcTime(time_t gtime, char *str_time, + int str_time_size) { -size_t ret; + size_t ret; #ifdef HAVE_GMTIME_R -struct tm _tm; + struct tm _tm; - gmtime_r( >ime, &_tm); + gmtime_r(>ime, &_tm); - ret = strftime( str_time, str_time_size, "%y%m%d%H%M00Z", &_tm); + ret = strftime(str_time, str_time_size, "%y%m%d%H%M00Z", &_tm); #else -struct tm* _tm; - - _tm = gmtime( >ime); - - ret = strftime( str_time, str_time_size, "%y%m%d%H%M00Z", _tm); + struct tm *_tm; + + _tm = gmtime(>ime); + + ret = strftime(str_time, str_time_size, "%y%m%d%H%M00Z", _tm); #endif - - if (!ret) { - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - return 0; - + + if (!ret) { + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + return 0; + } /* returns a time_t value that contains the given time. @@ -519,29 +539,29 @@ struct tm* _tm; */ time_t _gnutls_x509_generalTime2gtime(const char *ttime) { - char xx[5]; - int year; + char xx[5]; + int year; - if (strlen( ttime) < 12) { - gnutls_assert(); - return (time_t) -1; - } + if (strlen(ttime) < 12) { + gnutls_assert(); + return (time_t) - 1; + } - if (strchr(ttime, 'Z') == 0) { - gnutls_assert(); - /* sorry we don't support it yet - */ - return (time_t)-1; - } - xx[4] = 0; + if (strchr(ttime, 'Z') == 0) { + gnutls_assert(); + /* sorry we don't support it yet + */ + return (time_t) - 1; + } + xx[4] = 0; /* get the year */ - memcpy(xx, ttime, 4); /* year */ - year = atoi(xx); - ttime += 4; + memcpy(xx, ttime, 4); /* year */ + year = atoi(xx); + ttime += 4; - return _gnutls_x509_time2gtime( ttime, year); + return _gnutls_x509_time2gtime(ttime, year); } @@ -551,45 +571,45 @@ time_t _gnutls_x509_generalTime2gtime(const char *ttime) #define MAX_TIME 1024 time_t _gnutls_x509_get_time(ASN1_TYPE c2, const char *when) { - char ttime[MAX_TIME]; - char name[1024]; - time_t ctime = (time_t)-1; - int len, result; + char ttime[MAX_TIME]; + char name[1024]; + time_t ctime = (time_t) - 1; + int len, result; - _gnutls_str_cpy(name, sizeof(name), when); + _gnutls_str_cpy(name, sizeof(name), when); - len = sizeof(ttime) - 1; - if ((result = asn1_read_value(c2, name, ttime, &len)) < 0) { - gnutls_assert(); - return (time_t) (-1); - } + len = sizeof(ttime) - 1; + if ((result = asn1_read_value(c2, name, ttime, &len)) < 0) { + gnutls_assert(); + return (time_t) (-1); + } - /* CHOICE */ - if (strcmp(ttime, "GeneralizedTime") == 0) { - - _gnutls_str_cat(name, sizeof(name), ".generalTime"); - len = sizeof(ttime) - 1; - result = asn1_read_value(c2, name, ttime, &len); - if (result == ASN1_SUCCESS) - ctime = _gnutls_x509_generalTime2gtime(ttime); - } else { /* UTCTIME */ - - _gnutls_str_cat(name, sizeof(name), ".utcTime"); - len = sizeof(ttime) - 1; - result = asn1_read_value(c2, name, ttime, &len); - if (result == ASN1_SUCCESS) - ctime = _gnutls_x509_utcTime2gtime(ttime); - } + /* CHOICE */ + if (strcmp(ttime, "GeneralizedTime") == 0) { - /* We cannot handle dates after 2031 in 32 bit machines. - * a time_t of 64bits has to be used. - */ - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return (time_t) (-1); - } - return ctime; + _gnutls_str_cat(name, sizeof(name), ".generalTime"); + len = sizeof(ttime) - 1; + result = asn1_read_value(c2, name, ttime, &len); + if (result == ASN1_SUCCESS) + ctime = _gnutls_x509_generalTime2gtime(ttime); + } else { /* UTCTIME */ + + _gnutls_str_cat(name, sizeof(name), ".utcTime"); + len = sizeof(ttime) - 1; + result = asn1_read_value(c2, name, ttime, &len); + if (result == ASN1_SUCCESS) + ctime = _gnutls_x509_utcTime2gtime(ttime); + } + + /* We cannot handle dates after 2031 in 32 bit machines. + * a time_t of 64bits has to be used. + */ + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return (time_t) (-1); + } + return ctime; } /* Sets the time in time_t in the ASN1_TYPE given. Where should @@ -597,129 +617,138 @@ time_t _gnutls_x509_get_time(ASN1_TYPE c2, const char *when) */ int _gnutls_x509_set_time(ASN1_TYPE c2, const char *where, time_t tim) { - char str_time[MAX_TIME]; - char name[1024]; - int result, len; + char str_time[MAX_TIME]; + char name[1024]; + int result, len; - _gnutls_str_cpy(name, sizeof(name), where); + _gnutls_str_cpy(name, sizeof(name), where); - if ((result = asn1_write_value(c2, name, "utcTime", 1)) < 0) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if ((result = asn1_write_value(c2, name, "utcTime", 1)) < 0) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = _gnutls_x509_gtime2utcTime( tim, str_time, sizeof(str_time)); - if (result < 0) { - gnutls_assert(); - return result; - } + result = _gnutls_x509_gtime2utcTime(tim, str_time, sizeof(str_time)); + if (result < 0) { + gnutls_assert(); + return result; + } - _gnutls_str_cat(name, sizeof(name), ".utcTime"); + _gnutls_str_cat(name, sizeof(name), ".utcTime"); - result = asn1_write_value(c2, name, str_time, len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = asn1_write_value(c2, name, str_time, len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } -gnutls_x509_subject_alt_name _gnutls_x509_san_find_type( char* str_type) +gnutls_x509_subject_alt_name _gnutls_x509_san_find_type(char *str_type) { - if (strcmp( str_type, "dNSName")==0) return GNUTLS_SAN_DNSNAME; - if (strcmp( str_type, "rfc822Name")==0) return GNUTLS_SAN_RFC822NAME; - if (strcmp( str_type, "uniformResourceIdentifier")==0) return GNUTLS_SAN_URI; - if (strcmp( str_type, "iPAddress")==0) return GNUTLS_SAN_IPADDRESS; - return (gnutls_x509_subject_alt_name)-1; + if (strcmp(str_type, "dNSName") == 0) + return GNUTLS_SAN_DNSNAME; + if (strcmp(str_type, "rfc822Name") == 0) + return GNUTLS_SAN_RFC822NAME; + if (strcmp(str_type, "uniformResourceIdentifier") == 0) + return GNUTLS_SAN_URI; + if (strcmp(str_type, "iPAddress") == 0) + return GNUTLS_SAN_IPADDRESS; + return (gnutls_x509_subject_alt_name) - 1; } /* A generic export function. Will export the given ASN.1 encoded data * to PEM or DER raw data. */ -int _gnutls_x509_export_int( ASN1_TYPE asn1_data, - gnutls_x509_crt_fmt format, char* pem_header, - int tmp_buf_size, unsigned char* output_data, size_t* output_data_size) +int _gnutls_x509_export_int(ASN1_TYPE asn1_data, + gnutls_x509_crt_fmt format, char *pem_header, + int tmp_buf_size, unsigned char *output_data, + size_t * output_data_size) { - int result, len; - if (tmp_buf_size == 0) tmp_buf_size = 16*1024; - - if (format == GNUTLS_X509_FMT_DER) { - - if (output_data == NULL) *output_data_size = 0; - - len = *output_data_size; - - if ((result=asn1_der_coding( asn1_data, "", output_data, &len, NULL)) != ASN1_SUCCESS) - { - *output_data_size = len; - if (result == ASN1_MEM_ERROR) { - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - gnutls_assert(); - return _gnutls_asn2err(result); - } - - *output_data_size = len; - - } else { /* PEM */ - opaque *tmp; - opaque *out; - - len = tmp_buf_size; - - tmp = gnutls_alloca( len); - if (tmp == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - if ((result=asn1_der_coding( asn1_data, "", tmp, &len, NULL)) != ASN1_SUCCESS) { - gnutls_assert(); - if (result == ASN1_MEM_ERROR) { - *output_data_size = B64FSIZE(strlen(pem_header),len) + 1; - } - gnutls_afree(tmp); - return _gnutls_asn2err(result); - } - - result = _gnutls_fbase64_encode( pem_header, - tmp, len, &out); - - gnutls_afree(tmp); - - if (result < 0) { - gnutls_assert(); - return result; - } - - if (result == 0) { /* oooops */ - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - if ((uint)result > *output_data_size) { - gnutls_assert(); - gnutls_free(out); - *output_data_size = result; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - *output_data_size = result; - - if (output_data) { - memcpy( output_data, out, result); - - /* do not include the null character into output size. - */ - *output_data_size = result - 1; - } - gnutls_free( out); - + int result, len; + if (tmp_buf_size == 0) + tmp_buf_size = 16 * 1024; + + if (format == GNUTLS_X509_FMT_DER) { + + if (output_data == NULL) + *output_data_size = 0; + + len = *output_data_size; + + if ((result = + asn1_der_coding(asn1_data, "", output_data, &len, + NULL)) != ASN1_SUCCESS) { + *output_data_size = len; + if (result == ASN1_MEM_ERROR) { + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + gnutls_assert(); + return _gnutls_asn2err(result); + } + + *output_data_size = len; + + } else { /* PEM */ + opaque *tmp; + opaque *out; + + len = tmp_buf_size; + + tmp = gnutls_alloca(len); + if (tmp == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + if ((result = + asn1_der_coding(asn1_data, "", tmp, &len, + NULL)) != ASN1_SUCCESS) { + gnutls_assert(); + if (result == ASN1_MEM_ERROR) { + *output_data_size = B64FSIZE(strlen(pem_header), len) + 1; + } + gnutls_afree(tmp); + return _gnutls_asn2err(result); + } + + result = _gnutls_fbase64_encode(pem_header, tmp, len, &out); + + gnutls_afree(tmp); + + if (result < 0) { + gnutls_assert(); + return result; + } + + if (result == 0) { /* oooops */ + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; } - return 0; + if ((uint) result > *output_data_size) { + gnutls_assert(); + gnutls_free(out); + *output_data_size = result; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + *output_data_size = result; + + if (output_data) { + memcpy(output_data, out, result); + + /* do not include the null character into output size. + */ + *output_data_size = result - 1; + } + gnutls_free(out); + + } + + return 0; } @@ -728,71 +757,74 @@ int _gnutls_x509_export_int( ASN1_TYPE asn1_data, * If str is non zero, then the output will be treated as * an octet string. */ -int _gnutls_x509_read_value( ASN1_TYPE c, const char* root, gnutls_datum *ret, int str) +int _gnutls_x509_read_value(ASN1_TYPE c, const char *root, + gnutls_datum * ret, int str) { -int len = 0, result; -opaque* tmp = NULL; -ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - result = asn1_read_value(c, root, NULL, &len); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - return result; + int len = 0, result; + opaque *tmp = NULL; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + result = asn1_read_value(c, root, NULL, &len); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + return result; + } + + tmp = gnutls_malloc(len); + if (tmp == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + result = asn1_read_value(c, root, tmp, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Extract the OCTET STRING. + */ + + if (str) { + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - tmp = gnutls_malloc(len); - if (tmp == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - result = asn1_read_value(c, root, tmp, &len); + result = asn1_der_decoding(&c2, tmp, len, NULL); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - /* Extract the OCTET STRING. - */ - - if (str) { - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - result = asn1_der_decoding(&c2, tmp, len, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + result = asn1_read_value(c2, "", tmp, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + } - result = asn1_read_value(c2, "", tmp, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + ret->data = tmp; + ret->size = len; - } - - ret->data = tmp; - ret->size = len; - - return 0; + return 0; - cleanup: - if (c2) asn1_delete_structure(&c2); - gnutls_free(tmp); - return result; + cleanup: + if (c2) + asn1_delete_structure(&c2); + gnutls_free(tmp); + return result; } @@ -800,78 +832,80 @@ ASN1_TYPE c2 = ASN1_TYPE_EMPTY; * the given datum. If str is non null then the data are encoded as * an OCTET STRING. */ -int _gnutls_x509_der_encode( ASN1_TYPE src, const char* src_name, - gnutls_datum *res, int str) +int _gnutls_x509_der_encode(ASN1_TYPE src, const char *src_name, + gnutls_datum * res, int str) { -int size, result; -int asize; -opaque *data = NULL; -ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - size = 0; - result = asn1_der_coding( src, src_name, NULL, &size, NULL); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + int size, result; + int asize; + opaque *data = NULL; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + size = 0; + result = asn1_der_coding(src, src_name, NULL, &size, NULL); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* allocate data for the der + */ + + if (str) + size += 16; /* for later to include the octet tags */ + asize = size; + + data = gnutls_malloc(size); + if (data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + result = asn1_der_coding(src, src_name, data, &size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (str) { + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - /* allocate data for the der - */ - - if (str) size += 16; /* for later to include the octet tags */ - asize = size; - - data = gnutls_malloc( size); - if (data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + result = asn1_write_value(c2, "", data, size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - result = asn1_der_coding( src, src_name, data, &size, NULL); + result = asn1_der_coding(c2, "", data, &asize, NULL); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - if (str) { - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value(c2, "", data, size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_der_coding(c2, "", data, &asize, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - size = asize; - - asn1_delete_structure( &c2); - } + size = asize; + + asn1_delete_structure(&c2); + } - res->data = data; - res->size = size; - return 0; + res->data = data; + res->size = size; + return 0; - cleanup: - gnutls_free(data); - asn1_delete_structure( &c2); - return result; + cleanup: + gnutls_free(data); + asn1_delete_structure(&c2); + return result; } @@ -880,431 +914,438 @@ ASN1_TYPE c2 = ASN1_TYPE_EMPTY; * as OCTET. If str is non null then the data are encoded as * an OCTET STRING. */ -int _gnutls_x509_der_encode_and_copy( ASN1_TYPE src, const char* src_name, - ASN1_TYPE dest, const char* dest_name, int str) +int _gnutls_x509_der_encode_and_copy(ASN1_TYPE src, const char *src_name, + ASN1_TYPE dest, const char *dest_name, + int str) { -int result; -gnutls_datum encoded; + int result; + gnutls_datum encoded; - result = _gnutls_x509_der_encode( src, src_name, &encoded, str); + result = _gnutls_x509_der_encode(src, src_name, &encoded, str); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - /* Write the data. - */ - result = asn1_write_value( dest, dest_name, encoded.data, encoded.size); + /* Write the data. + */ + result = asn1_write_value(dest, dest_name, encoded.data, encoded.size); - _gnutls_free_datum(&encoded); + _gnutls_free_datum(&encoded); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /* Writes the value of the datum in the given ASN1_TYPE. If str is non * zero it encodes it as OCTET STRING. */ -int _gnutls_x509_write_value( ASN1_TYPE c, const char* root, - const gnutls_datum *data, int str) +int _gnutls_x509_write_value(ASN1_TYPE c, const char *root, + const gnutls_datum * data, int str) { -int result; -int asize; -ASN1_TYPE c2 = ASN1_TYPE_EMPTY; -gnutls_datum val; - - asize = data->size + 16; - - val.data = gnutls_malloc( asize); - if (val.data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; + int result; + int asize; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + gnutls_datum val; + + asize = data->size + 16; + + val.data = gnutls_malloc(asize); + if (val.data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + if (str) { + /* Convert it to OCTET STRING + */ + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - if (str) { - /* Convert it to OCTET STRING - */ - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value(c2, "", data->data, data->size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = _gnutls_x509_der_encode( c2, "", &val, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - } else { - val.data = data->data; - val.size = data->size; + result = asn1_write_value(c2, "", data->data, data->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - /* Write the data. - */ - result = asn1_write_value( c, root, val.data, val.size); + result = _gnutls_x509_der_encode(c2, "", &val, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - if (val.data != data->data) - _gnutls_free_datum(&val); + } else { + val.data = data->data; + val.size = data->size; + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + /* Write the data. + */ + result = asn1_write_value(c, root, val.data, val.size); - return 0; - - cleanup: - if (val.data != data->data) _gnutls_free_datum( &val); - return result; + if (val.data != data->data) + _gnutls_free_datum(&val); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; + + cleanup: + if (val.data != data->data) + _gnutls_free_datum(&val); + return result; } /* Encodes and copies the private key parameters into a * subjectPublicKeyInfo structure. * */ -int _gnutls_x509_encode_and_copy_PKI_params( ASN1_TYPE dst, const char* dst_name, - gnutls_pk_algorithm pk_algorithm, mpi_t* params, int params_size) +int _gnutls_x509_encode_and_copy_PKI_params(ASN1_TYPE dst, + const char *dst_name, + gnutls_pk_algorithm + pk_algorithm, mpi_t * params, + int params_size) { -const char* pk; -gnutls_datum der = {NULL, 0}; -int result; -char name[128]; - - pk = _gnutls_x509_pk_to_oid( pk_algorithm); - if (pk == NULL) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_PK_ALGORITHM; - } - - /* write the OID + const char *pk; + gnutls_datum der = { NULL, 0 }; + int result; + char name[128]; + + pk = _gnutls_x509_pk_to_oid(pk_algorithm); + if (pk == NULL) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_PK_ALGORITHM; + } + + /* write the OID + */ + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".algorithm.algorithm"); + result = asn1_write_value(dst, name, pk, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (pk_algorithm == GNUTLS_PK_RSA) { + /* disable parameters, which are not used in RSA. */ - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".algorithm.algorithm"); - result = asn1_write_value( dst, name, pk, 1); + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".algorithm.parameters"); + result = asn1_write_value(dst, name, NULL, 0); if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + gnutls_assert(); + return _gnutls_asn2err(result); } - if (pk_algorithm == GNUTLS_PK_RSA) { - /* disable parameters, which are not used in RSA. - */ - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".algorithm.parameters"); - result = asn1_write_value( dst, name, NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_write_rsa_params( params, params_size, &der); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Write the DER parameters. (in bits) - */ - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".subjectPublicKey"); - result = asn1_write_value( dst, name, der.data, der.size*8); - - _gnutls_free_datum(&der); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - } else if (pk_algorithm == GNUTLS_PK_DSA) { - - result = _gnutls_x509_write_dsa_params( params, params_size, &der); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Write the DER parameters. - */ - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".algorithm.parameters"); - result = asn1_write_value( dst, name, der.data, der.size); - - _gnutls_free_datum(&der); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_write_dsa_public_key( params, params_size, &der); - if (result < 0) { - gnutls_assert(); - return result; - } - - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".subjectPublicKey"); - result = asn1_write_value( dst, name, der.data, der.size*8); - - _gnutls_free_datum(&der); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - } else return GNUTLS_E_UNIMPLEMENTED_FEATURE; - - return 0; -} + result = _gnutls_x509_write_rsa_params(params, params_size, &der); + if (result < 0) { + gnutls_assert(); + return result; + } -/* Reads and returns the PK algorithm of the given certificate-like - * ASN.1 structure. src_name should be something like "tbsCertificate.subjectPublicKeyInfo". - */ -int _gnutls_x509_get_pk_algorithm( ASN1_TYPE src, const char* src_name, unsigned int* bits) -{ -int result; -opaque *str = NULL; -int algo; -char oid[64]; -int len; -mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; -char name[128]; - - _gnutls_str_cpy( name, sizeof(name), src_name); - _gnutls_str_cat( name, sizeof(name), ".algorithm.algorithm"); - - len = sizeof(oid); - result = - asn1_read_value(src, name, oid, &len); + /* Write the DER parameters. (in bits) + */ + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".subjectPublicKey"); + result = asn1_write_value(dst, name, der.data, der.size * 8); + + _gnutls_free_datum(&der); if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + gnutls_assert(); + return _gnutls_asn2err(result); } + } else if (pk_algorithm == GNUTLS_PK_DSA) { - algo = _gnutls_x509_oid2pk_algorithm( oid); - - if ( bits==NULL) { - gnutls_free(str); - return algo; + result = _gnutls_x509_write_dsa_params(params, params_size, &der); + if (result < 0) { + gnutls_assert(); + return result; } - /* Now read the parameters' bits + /* Write the DER parameters. */ - _gnutls_str_cpy( name, sizeof(name), src_name); - _gnutls_str_cat( name, sizeof(name), ".subjectPublicKey"); - - len = 0; - result = asn1_read_value( src, name, NULL, &len); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".algorithm.parameters"); + result = asn1_write_value(dst, name, der.data, der.size); - if (len % 8 != 0) { - gnutls_assert(); - return GNUTLS_E_CERTIFICATE_ERROR; + _gnutls_free_datum(&der); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); } - - len /= 8; - - str = gnutls_malloc( len); - if (str == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + + result = + _gnutls_x509_write_dsa_public_key(params, params_size, &der); + if (result < 0) { + gnutls_assert(); + return result; } - _gnutls_str_cpy( name, sizeof(name), src_name); - _gnutls_str_cat( name, sizeof(name), ".subjectPublicKey"); + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".subjectPublicKey"); + result = asn1_write_value(dst, name, der.data, der.size * 8); + + _gnutls_free_datum(&der); - result = asn1_read_value(src, name, str, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free(str); - return _gnutls_asn2err(result); + gnutls_assert(); + return _gnutls_asn2err(result); } - len /= 8; + } else + return GNUTLS_E_UNIMPLEMENTED_FEATURE; - if (algo==GNUTLS_PK_RSA) { - if ((result=_gnutls_x509_read_rsa_params( str, len, params)) < 0) { - gnutls_assert(); - return result; - } + return 0; +} - bits[0] = _gnutls_mpi_get_nbits( params[0]); - - _gnutls_mpi_release( ¶ms[0]); - _gnutls_mpi_release( ¶ms[1]); - } +/* Reads and returns the PK algorithm of the given certificate-like + * ASN.1 structure. src_name should be something like "tbsCertificate.subjectPublicKeyInfo". + */ +int _gnutls_x509_get_pk_algorithm(ASN1_TYPE src, const char *src_name, + unsigned int *bits) +{ + int result; + opaque *str = NULL; + int algo; + char oid[64]; + int len; + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + char name[128]; - if (algo==GNUTLS_PK_DSA) { + _gnutls_str_cpy(name, sizeof(name), src_name); + _gnutls_str_cat(name, sizeof(name), ".algorithm.algorithm"); - if ((result = - _gnutls_x509_read_dsa_pubkey(str, len, params)) < 0) { - gnutls_assert(); - return result; - } + len = sizeof(oid); + result = asn1_read_value(src, name, oid, &len); - bits[0] = _gnutls_mpi_get_nbits( params[3]); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - _gnutls_mpi_release( ¶ms[3]); - } + algo = _gnutls_x509_oid2pk_algorithm(oid); + if (bits == NULL) { gnutls_free(str); return algo; -} + } -ASN1_TYPE _asn1_find_node(ASN1_TYPE pointer,const char *name); + /* Now read the parameters' bits + */ + _gnutls_str_cpy(name, sizeof(name), src_name); + _gnutls_str_cat(name, sizeof(name), ".subjectPublicKey"); -int _gnutls_asn1_copy_node( ASN1_TYPE *dst, const char* dst_name, - ASN1_TYPE src, const char* src_name) -{ + len = 0; + result = asn1_read_value(src, name, NULL, &len); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - int result; - gnutls_datum der; - ASN1_TYPE dst_node; + if (len % 8 != 0) { + gnutls_assert(); + return GNUTLS_E_CERTIFICATE_ERROR; + } - result = _gnutls_x509_der_encode( src, src_name, &der, 0); - if (result < 0) { - gnutls_assert(); - return result; + len /= 8; + + str = gnutls_malloc(len); + if (str == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + _gnutls_str_cpy(name, sizeof(name), src_name); + _gnutls_str_cat(name, sizeof(name), ".subjectPublicKey"); + + result = asn1_read_value(src, name, str, &len); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(str); + return _gnutls_asn2err(result); + } + + len /= 8; + + if (algo == GNUTLS_PK_RSA) { + if ((result = _gnutls_x509_read_rsa_params(str, len, params)) < 0) { + gnutls_assert(); + return result; } - dst_node=_asn1_find_node(*dst, dst_name); - if(dst_node==NULL) { - gnutls_assert(); - return _gnutls_asn2err(ASN1_ELEMENT_NOT_FOUND); + bits[0] = _gnutls_mpi_get_nbits(params[0]); + + _gnutls_mpi_release(¶ms[0]); + _gnutls_mpi_release(¶ms[1]); + } + + if (algo == GNUTLS_PK_DSA) { + + if ((result = _gnutls_x509_read_dsa_pubkey(str, len, params)) < 0) { + gnutls_assert(); + return result; } - result = asn1_der_decoding( &dst_node, der.data, der.size, NULL); - + bits[0] = _gnutls_mpi_get_nbits(params[3]); + + _gnutls_mpi_release(¶ms[3]); + } + + gnutls_free(str); + return algo; +} + +ASN1_TYPE _asn1_find_node(ASN1_TYPE pointer, const char *name); + +int _gnutls_asn1_copy_node(ASN1_TYPE * dst, const char *dst_name, + ASN1_TYPE src, const char *src_name) +{ + + int result; + gnutls_datum der; + ASN1_TYPE dst_node; + + result = _gnutls_x509_der_encode(src, src_name, &der, 0); + if (result < 0) { + gnutls_assert(); + return result; + } + + dst_node = _asn1_find_node(*dst, dst_name); + if (dst_node == NULL) { + gnutls_assert(); + return _gnutls_asn2err(ASN1_ELEMENT_NOT_FOUND); + } + + result = asn1_der_decoding(&dst_node, der.data, der.size, NULL); + #if 0 - result = asn1_der_decoding_element( dst, dst_name, der.data, - der.size, NULL); + result = asn1_der_decoding_element(dst, dst_name, der.data, + der.size, NULL); #endif - _gnutls_free_datum( &der); + _gnutls_free_datum(&der); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - return 0; + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /* Reads the DER signed data from the certificate and allocates space and * returns them into signed_data. */ -int _gnutls_x509_get_signed_data( ASN1_TYPE src, const char* src_name, gnutls_datum * signed_data) +int _gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name, + gnutls_datum * signed_data) { -gnutls_datum der; -int start, end, result; + gnutls_datum der; + int start, end, result; - result = _gnutls_x509_der_encode( src, "", &der, 0); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Get the signed data - */ - result = asn1_der_decoding_startEnd( src, der.data, der.size, - src_name, &start, - &end); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; - } + result = _gnutls_x509_der_encode(src, "", &der, 0); + if (result < 0) { + gnutls_assert(); + return result; + } - result = - _gnutls_set_datum( signed_data, &der.data[start], end - start + 1); + /* Get the signed data + */ + result = asn1_der_decoding_startEnd(src, der.data, der.size, + src_name, &start, &end); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + result = + _gnutls_set_datum(signed_data, &der.data[start], end - start + 1); - result = 0; + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - cleanup: - _gnutls_free_datum(&der); + result = 0; - return result; -} + cleanup: + _gnutls_free_datum(&der); + + return result; +} /* Reads the DER signature from the certificate and allocates space and * returns them into signed_data. */ -int _gnutls_x509_get_signature( ASN1_TYPE src, const char* src_name, gnutls_datum * signature) +int _gnutls_x509_get_signature(ASN1_TYPE src, const char *src_name, + gnutls_datum * signature) { -int bits, result, len; - - signature->data = NULL; - signature->size = 0; - - /* Read the signature - */ - bits = 0; - result = asn1_read_value( src, src_name, NULL, &bits); - - if (result != ASN1_MEM_ERROR) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; - } - - if (bits % 8 != 0) { - gnutls_assert(); - result = GNUTLS_E_CERTIFICATE_ERROR; - goto cleanup; - } + int bits, result, len; + + signature->data = NULL; + signature->size = 0; + + /* Read the signature + */ + bits = 0; + result = asn1_read_value(src, src_name, NULL, &bits); + + if (result != ASN1_MEM_ERROR) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + if (bits % 8 != 0) { + gnutls_assert(); + result = GNUTLS_E_CERTIFICATE_ERROR; + goto cleanup; + } + + len = bits / 8; + + signature->data = gnutls_malloc(len); + if (signature->data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + return result; + } - len = bits/8; + /* read the bit string of the signature + */ + bits = len; + result = asn1_read_value(src, src_name, signature->data, &bits); - signature->data = gnutls_malloc( len); - if (signature->data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - return result; - } - - /* read the bit string of the signature - */ - bits = len; - result = asn1_read_value( src, src_name, signature->data, - &bits); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; - } - - signature->size = len; + signature->size = len; - return 0; + return 0; - cleanup: - return result; + cleanup: + return result; } diff --git a/lib/x509/compat.c b/lib/x509/compat.c index 00fcd4629a..90aae9e60a 100644 --- a/lib/x509/compat.c +++ b/lib/x509/compat.c @@ -27,7 +27,7 @@ #include <gnutls_global.h> #include <gnutls_errors.h> -#include <string.h> /* memset */ +#include <string.h> /* memset */ #include <dn.h> #include <libtasn1.h> #include <gnutls/x509.h> @@ -41,27 +41,26 @@ * Returns a (time_t) -1 in case of an error. * **/ -time_t _gnutls_x509_get_raw_crt_activation_time(const - gnutls_datum * - cert) +time_t _gnutls_x509_get_raw_crt_activation_time(const gnutls_datum * cert) { - gnutls_x509_crt xcert; - time_t result; + gnutls_x509_crt xcert; + time_t result; - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_activation_time( xcert); - - gnutls_x509_crt_deinit( xcert); - + result = gnutls_x509_crt_init(&xcert); + if (result < 0) return result; + + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); + return result; + } + + result = gnutls_x509_crt_get_activation_time(xcert); + + gnutls_x509_crt_deinit(xcert); + + return result; } /** @@ -73,26 +72,24 @@ time_t _gnutls_x509_get_raw_crt_activation_time(const * Returns a (time_t) -1 in case of an error. * **/ -time_t _gnutls_x509_get_raw_crt_expiration_time(const - gnutls_datum * - cert) +time_t _gnutls_x509_get_raw_crt_expiration_time(const gnutls_datum * cert) { - gnutls_x509_crt xcert; - time_t result; + gnutls_x509_crt xcert; + time_t result; - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_expiration_time( xcert); - - gnutls_x509_crt_deinit( xcert); - + result = gnutls_x509_crt_init(&xcert); + if (result < 0) return result; -} + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); + return result; + } + + result = gnutls_x509_crt_get_expiration_time(xcert); + + gnutls_x509_crt_deinit(xcert); + + return result; +} diff --git a/lib/x509/crl.c b/lib/x509/crl.c index 3ae42dced9..3a6673b76d 100644 --- a/lib/x509/crl.c +++ b/lib/x509/crl.c @@ -48,20 +48,20 @@ **/ int gnutls_x509_crl_init(gnutls_x509_crl * crl) { - *crl = gnutls_calloc(1, sizeof(gnutls_x509_crl_int)); - - if (*crl) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.CertificateList", - &(*crl)->crl); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free( *crl); - return _gnutls_asn2err(result); - } - return 0; /* success */ + *crl = gnutls_calloc(1, sizeof(gnutls_x509_crl_int)); + + if (*crl) { + int result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.CertificateList", + &(*crl)->crl); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*crl); + return _gnutls_asn2err(result); } - return GNUTLS_E_MEMORY_ERROR; + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -73,12 +73,13 @@ int gnutls_x509_crl_init(gnutls_x509_crl * crl) **/ void gnutls_x509_crl_deinit(gnutls_x509_crl crl) { - if (!crl) return; + if (!crl) + return; - if (crl->crl) - asn1_delete_structure(&crl->crl); + if (crl->crl) + asn1_delete_structure(&crl->crl); - gnutls_free(crl); + gnutls_free(crl); } /** @@ -98,57 +99,55 @@ void gnutls_x509_crl_deinit(gnutls_x509_crl crl) int gnutls_x509_crl_import(gnutls_x509_crl crl, const gnutls_datum * data, gnutls_x509_crt_fmt format) { - int result = 0, need_free = 0; - gnutls_datum _data; - - _data.data = data->data; - _data.size = data->size; - - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int result = 0, need_free = 0; + gnutls_datum _data; - /* If the CRL is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; + _data.data = data->data; + _data.size = data->size; - result = - _gnutls_fbase64_decode(PEM_CRL, data->data, data->size, - &out); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (result <= 0) { - if (result == 0) - result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } + /* If the CRL is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; - _data.data = out; - _data.size = result; + result = + _gnutls_fbase64_decode(PEM_CRL, data->data, data->size, &out); - need_free = 1; + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert(); + return result; } + _data.data = out; + _data.size = result; - result = - asn1_der_decoding(&crl->crl, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; - } + need_free = 1; + } - if (need_free) - _gnutls_free_datum(&_data); - return 0; + result = asn1_der_decoding(&crl->crl, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } - cleanup: - if (need_free) - _gnutls_free_datum(&_data); - return result; + if (need_free) + _gnutls_free_datum(&_data); + + return 0; + + cleanup: + if (need_free) + _gnutls_free_datum(&_data); + return result; } @@ -170,16 +169,16 @@ int gnutls_x509_crl_import(gnutls_x509_crl crl, const gnutls_datum * data, * **/ int gnutls_x509_crl_get_issuer_dn(gnutls_x509_crl crl, char *buf, - size_t *sizeof_buf) + size_t * sizeof_buf) { - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_parse_dn(crl->crl, - "tbsCertList.issuer.rdnSequence", - buf, sizeof_buf); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_parse_dn(crl->crl, + "tbsCertList.issuer.rdnSequence", + buf, sizeof_buf); } /** @@ -208,17 +207,18 @@ int gnutls_x509_crl_get_issuer_dn(gnutls_x509_crl crl, char *buf, * **/ int gnutls_x509_crl_get_issuer_dn_by_oid(gnutls_x509_crl crl, - const char *oid, int indx, unsigned int raw_flag, - void *buf, size_t *sizeof_buf) + const char *oid, int indx, + unsigned int raw_flag, void *buf, + size_t * sizeof_buf) { - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_parse_dn_oid(crl->crl, - "tbsCertList.issuer.rdnSequence", - oid, indx, raw_flag, buf, sizeof_buf); + return _gnutls_x509_parse_dn_oid(crl->crl, + "tbsCertList.issuer.rdnSequence", + oid, indx, raw_flag, buf, sizeof_buf); } /** @@ -238,16 +238,17 @@ int gnutls_x509_crl_get_issuer_dn_by_oid(gnutls_x509_crl crl, * On success 0 is returned. * **/ -int gnutls_x509_crl_get_dn_oid(gnutls_x509_crl crl, - int indx, void *oid, size_t *sizeof_oid) +int gnutls_x509_crl_get_dn_oid(gnutls_x509_crl crl, + int indx, void *oid, size_t * sizeof_oid) { - if (crl==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_get_dn_oid( crl->crl, - "tbsCertList.issuer.rdnSequence", indx, oid, sizeof_oid); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_get_dn_oid(crl->crl, + "tbsCertList.issuer.rdnSequence", indx, + oid, sizeof_oid); } @@ -263,30 +264,32 @@ int gnutls_x509_crl_get_dn_oid(gnutls_x509_crl crl, **/ int gnutls_x509_crl_get_signature_algorithm(gnutls_x509_crl crl) { - int result; - gnutls_datum sa; + int result; + gnutls_datum sa; - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* Read the signature algorithm. Note that parameters are not - * read. They will be read from the issuer's certificate if needed. - */ - - result = _gnutls_x509_read_value( crl->crl, "signatureAlgorithm.algorithm", &sa, 0); - - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_oid2sign_algorithm( (const char*)sa.data); + /* Read the signature algorithm. Note that parameters are not + * read. They will be read from the issuer's certificate if needed. + */ - _gnutls_free_datum( &sa); + result = + _gnutls_x509_read_value(crl->crl, "signatureAlgorithm.algorithm", + &sa, 0); + if (result < 0) { + gnutls_assert(); return result; + } + + result = _gnutls_x509_oid2sign_algorithm((const char *) sa.data); + + _gnutls_free_datum(&sa); + + return result; } /** @@ -300,23 +303,23 @@ int gnutls_x509_crl_get_signature_algorithm(gnutls_x509_crl crl) **/ int gnutls_x509_crl_get_version(gnutls_x509_crl crl) { - opaque version[5]; - int len, result; - - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - len = sizeof(version); - if ((result = - asn1_read_value(crl->crl, "tbsCertList.version", version, - &len)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - return (int) version[0] + 1; + opaque version[5]; + int len, result; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + len = sizeof(version); + if ((result = + asn1_read_value(crl->crl, "tbsCertList.version", version, + &len)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return (int) version[0] + 1; } /** @@ -330,13 +333,12 @@ int gnutls_x509_crl_get_version(gnutls_x509_crl crl) **/ time_t gnutls_x509_crl_get_this_update(gnutls_x509_crl crl) { - if (crl == NULL) { - gnutls_assert(); - return (time_t)-1; - } + if (crl == NULL) { + gnutls_assert(); + return (time_t) - 1; + } - return _gnutls_x509_get_time(crl->crl, - "tbsCertList.thisUpdate"); + return _gnutls_x509_get_time(crl->crl, "tbsCertList.thisUpdate"); } /** @@ -352,13 +354,12 @@ time_t gnutls_x509_crl_get_this_update(gnutls_x509_crl crl) **/ time_t gnutls_x509_crl_get_next_update(gnutls_x509_crl crl) { - if (crl == NULL) { - gnutls_assert(); - return (time_t)-1; - } + if (crl == NULL) { + gnutls_assert(); + return (time_t) - 1; + } - return _gnutls_x509_get_time(crl->crl, - "tbsCertList.nextUpdate"); + return _gnutls_x509_get_time(crl->crl, "tbsCertList.nextUpdate"); } /** @@ -374,24 +375,23 @@ time_t gnutls_x509_crl_get_next_update(gnutls_x509_crl crl) int gnutls_x509_crl_get_crt_count(gnutls_x509_crl crl) { - int count, result; + int count, result; - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = - asn1_number_of_elements(crl->crl, - "tbsCertList.revokedCertificates", - &count); + result = + asn1_number_of_elements(crl->crl, + "tbsCertList.revokedCertificates", &count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return 0; /* no certificates */ - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return 0; /* no certificates */ + } - return count; + return count; } /** @@ -409,50 +409,47 @@ int gnutls_x509_crl_get_crt_count(gnutls_x509_crl crl) * **/ int gnutls_x509_crl_get_crt_serial(gnutls_x509_crl crl, int index, - unsigned char *serial, - size_t *serial_size, time_t * time) + unsigned char *serial, + size_t * serial_size, time_t * time) { - int result, _serial_size; - char str_index[MAX_INT_DIGITS]; - char serial_name[64]; - char date_name[64]; - - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - _gnutls_int2str(index + 1, str_index); - _gnutls_str_cpy(serial_name, sizeof(serial_name), - "tbsCertList.revokedCertificates.?"); - _gnutls_str_cat(serial_name, sizeof(serial_name), str_index); - _gnutls_str_cat(serial_name, sizeof(serial_name), - ".userCertificate"); - - _gnutls_str_cpy(date_name, sizeof(date_name), - "tbsCertList.revokedCertificates.?"); - _gnutls_str_cat(date_name, sizeof(date_name), str_index); - _gnutls_str_cat(date_name, sizeof(date_name), ".revocationDate"); - - _serial_size = *serial_size; - result = - asn1_read_value(crl->crl, serial_name, serial, - &_serial_size); - - *serial_size = _serial_size; - if (result != ASN1_SUCCESS) { - gnutls_assert(); - if (result == ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - return _gnutls_asn2err(result); - } - - if (time) { - *time = _gnutls_x509_get_time(crl->crl, date_name); - } - - return 0; + int result, _serial_size; + char str_index[MAX_INT_DIGITS]; + char serial_name[64]; + char date_name[64]; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + _gnutls_int2str(index + 1, str_index); + _gnutls_str_cpy(serial_name, sizeof(serial_name), + "tbsCertList.revokedCertificates.?"); + _gnutls_str_cat(serial_name, sizeof(serial_name), str_index); + _gnutls_str_cat(serial_name, sizeof(serial_name), ".userCertificate"); + + _gnutls_str_cpy(date_name, sizeof(date_name), + "tbsCertList.revokedCertificates.?"); + _gnutls_str_cat(date_name, sizeof(date_name), str_index); + _gnutls_str_cat(date_name, sizeof(date_name), ".revocationDate"); + + _serial_size = *serial_size; + result = asn1_read_value(crl->crl, serial_name, serial, &_serial_size); + + *serial_size = _serial_size; + if (result != ASN1_SUCCESS) { + gnutls_assert(); + if (result == ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + return _gnutls_asn2err(result); + } + + if (time) { + *time = _gnutls_x509_get_time(crl->crl, date_name); + } + + return 0; } /*- @@ -469,63 +466,65 @@ int gnutls_x509_crl_get_crt_serial(gnutls_x509_crl crl, int index, int _gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl crl, gnutls_datum * dn) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len1; - int start1, end1; - gnutls_datum crl_signed_data; - - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* get the issuer of 'crl' - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), "PKIX1.TBSCertList", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_get_signed_data( crl->crl, "tbsCertList", &crl_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = - asn1_der_decoding(&c2, crl_signed_data.data, - crl_signed_data.size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&c2); - result = _gnutls_asn2err(result); - goto cleanup; - } + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len1; + int start1, end1; + gnutls_datum crl_signed_data; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* get the issuer of 'crl' + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.TBSCertList", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + _gnutls_x509_get_signed_data(crl->crl, "tbsCertList", + &crl_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + asn1_der_decoding(&c2, crl_signed_data.data, + crl_signed_data.size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); + asn1_delete_structure(&c2); + result = _gnutls_asn2err(result); + goto cleanup; + } - result = - asn1_der_decoding_startEnd(c2, crl_signed_data.data, - crl_signed_data.size, "issuer", - &start1, &end1); + result = + asn1_der_decoding_startEnd(c2, crl_signed_data.data, + crl_signed_data.size, "issuer", + &start1, &end1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - len1 = end1 - start1 + 1; + len1 = end1 - start1 + 1; - _gnutls_set_datum( dn, &crl_signed_data.data[start1], len1); + _gnutls_set_datum(dn, &crl_signed_data.data[start1], len1); - result = 0; + result = 0; -cleanup: - asn1_delete_structure(&c2); - _gnutls_free_datum( &crl_signed_data); - return result; + cleanup: + asn1_delete_structure(&c2); + _gnutls_free_datum(&crl_signed_data); + return result; } /** @@ -546,16 +545,18 @@ cleanup: * Returns 0 on success, and a negative value on failure. * **/ -int gnutls_x509_crl_export( gnutls_x509_crl crl, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size) +int gnutls_x509_crl_export(gnutls_x509_crl crl, + gnutls_x509_crt_fmt format, void *output_data, + size_t * output_data_size) { - if (crl == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_export_int( crl->crl, format, PEM_CRL, *output_data_size, - output_data, output_data_size); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_export_int(crl->crl, format, PEM_CRL, + *output_data_size, output_data, + output_data_size); } /*- @@ -570,42 +571,43 @@ int gnutls_x509_crl_export( gnutls_x509_crl crl, -*/ int _gnutls_x509_crl_cpy(gnutls_x509_crl dest, gnutls_x509_crl src) { -int ret; -size_t der_size; -opaque * der; -gnutls_datum tmp; - - ret = gnutls_x509_crl_export( src, GNUTLS_X509_FMT_DER, NULL, &der_size); - if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - return ret; - } - - der = gnutls_alloca( der_size); - if (der == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + int ret; + size_t der_size; + opaque *der; + gnutls_datum tmp; + + ret = + gnutls_x509_crl_export(src, GNUTLS_X509_FMT_DER, NULL, &der_size); + if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + return ret; + } + + der = gnutls_alloca(der_size); + if (der == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - ret = gnutls_x509_crl_export( src, GNUTLS_X509_FMT_DER, der, &der_size); - if (ret < 0) { - gnutls_assert(); - gnutls_afree( der); - return ret; - } + ret = gnutls_x509_crl_export(src, GNUTLS_X509_FMT_DER, der, &der_size); + if (ret < 0) { + gnutls_assert(); + gnutls_afree(der); + return ret; + } - tmp.data = der; - tmp.size = der_size; - ret = gnutls_x509_crl_import( dest, &tmp, GNUTLS_X509_FMT_DER); + tmp.data = der; + tmp.size = der_size; + ret = gnutls_x509_crl_import(dest, &tmp, GNUTLS_X509_FMT_DER); - gnutls_afree( der); + gnutls_afree(der); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } diff --git a/lib/x509/crl_write.c b/lib/x509/crl_write.c index 7545f2c6a8..c68889cf52 100644 --- a/lib/x509/crl_write.c +++ b/lib/x509/crl_write.c @@ -41,7 +41,7 @@ #include <libtasn1.h> #include <gnutls_ui.h> -static void disable_optional_stuff( gnutls_x509_crl crl); +static void disable_optional_stuff(gnutls_x509_crl crl); /** * gnutls_x509_crl_set_version - This function will set the CRL version @@ -57,24 +57,25 @@ static void disable_optional_stuff( gnutls_x509_crl crl); **/ int gnutls_x509_crl_set_version(gnutls_x509_crl crl, unsigned int version) { -int result; -char null = version; + int result; + char null = version; - if (crl==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - null -= 1; - if (null < 0) null = 0; + null -= 1; + if (null < 0) + null = 0; - result = asn1_write_value( crl->crl, "tbsCertList.version", &null, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = asn1_write_value(crl->crl, "tbsCertList.version", &null, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /** @@ -92,28 +93,28 @@ char null = version; * Returns 0 on success. * **/ -int gnutls_x509_crl_sign(gnutls_x509_crl crl, gnutls_x509_crt issuer, - gnutls_x509_privkey issuer_key) +int gnutls_x509_crl_sign(gnutls_x509_crl crl, gnutls_x509_crt issuer, + gnutls_x509_privkey issuer_key) { -int result; - - if (crl==NULL || issuer == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* disable all the unneeded OPTIONAL fields. - */ - disable_optional_stuff( crl); - - result = _gnutls_x509_pkix_sign( crl->crl, "tbsCertList", issuer, - issuer_key); - if (result < 0) { - gnutls_assert(); - return result; - } - - return 0; + int result; + + if (crl == NULL || issuer == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* disable all the unneeded OPTIONAL fields. + */ + disable_optional_stuff(crl); + + result = _gnutls_x509_pkix_sign(crl->crl, "tbsCertList", issuer, + issuer_key); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /** @@ -128,12 +129,13 @@ int result; **/ int gnutls_x509_crl_set_this_update(gnutls_x509_crl crl, time_t act_time) { - if (crl==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_set_time( crl->crl, "tbsCertList.thisUpdate", act_time); + return _gnutls_x509_set_time(crl->crl, "tbsCertList.thisUpdate", + act_time); } /** @@ -148,11 +150,12 @@ int gnutls_x509_crl_set_this_update(gnutls_x509_crl crl, time_t act_time) **/ int gnutls_x509_crl_set_next_update(gnutls_x509_crl crl, time_t exp_time) { - if (crl==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - return _gnutls_x509_set_time( crl->crl, "tbsCertList.nextUpdate", exp_time); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + return _gnutls_x509_set_time(crl->crl, "tbsCertList.nextUpdate", + exp_time); } /** @@ -167,42 +170,53 @@ int gnutls_x509_crl_set_next_update(gnutls_x509_crl crl, time_t exp_time) * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crl_set_crt_serial(gnutls_x509_crl crl, const void* serial, - size_t serial_size, time_t revocation_time) +int gnutls_x509_crl_set_crt_serial(gnutls_x509_crl crl, const void *serial, + size_t serial_size, + time_t revocation_time) { - int ret; - - if (crl==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = asn1_write_value(crl->crl, "tbsCertList.revokedCertificates", "NEW", 1); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(ret); - } - - ret = asn1_write_value(crl->crl, "tbsCertList.revokedCertificates.?LAST.userCertificate", serial, serial_size); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(ret); - } - - ret = _gnutls_x509_set_time( crl->crl, "tbsCertList.revokedCertificates.?LAST.revocationDate", - revocation_time); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = asn1_write_value(crl->crl, "tbsCertList.revokedCertificates.?LAST.crlEntryExtensions", NULL, 0); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(ret); - } - - return 0; + int ret; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = + asn1_write_value(crl->crl, "tbsCertList.revokedCertificates", + "NEW", 1); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + ret = + asn1_write_value(crl->crl, + "tbsCertList.revokedCertificates.?LAST.userCertificate", + serial, serial_size); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + ret = + _gnutls_x509_set_time(crl->crl, + "tbsCertList.revokedCertificates.?LAST.revocationDate", + revocation_time); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + asn1_write_value(crl->crl, + "tbsCertList.revokedCertificates.?LAST.crlEntryExtensions", + NULL, 0); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + return 0; } /** @@ -217,43 +231,45 @@ int gnutls_x509_crl_set_crt_serial(gnutls_x509_crl crl, const void* serial, * **/ int gnutls_x509_crl_set_crt(gnutls_x509_crl crl, gnutls_x509_crt crt, - time_t revocation_time) + time_t revocation_time) { - int ret; - opaque serial[128]; - size_t serial_size; - - if (crl==NULL || crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - serial_size = sizeof(serial); - ret = gnutls_x509_crt_get_serial(crt, serial, &serial_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = gnutls_x509_crl_set_crt_serial( crl, serial, serial_size, revocation_time); - if (ret < 0) { - gnutls_assert(); - return _gnutls_asn2err(ret); - } - - return 0; + int ret; + opaque serial[128]; + size_t serial_size; + + if (crl == NULL || crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + serial_size = sizeof(serial); + ret = gnutls_x509_crt_get_serial(crt, serial, &serial_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + gnutls_x509_crl_set_crt_serial(crl, serial, serial_size, + revocation_time); + if (ret < 0) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + return 0; } /* If OPTIONAL fields have not been initialized then * disable them. */ -static void disable_optional_stuff( gnutls_x509_crl crl) +static void disable_optional_stuff(gnutls_x509_crl crl) { - asn1_write_value( crl->crl, "tbsCertList.crlExtensions", NULL, 0); + asn1_write_value(crl->crl, "tbsCertList.crlExtensions", NULL, 0); - return; + return; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/crq.c b/lib/x509/crq.c index e6d4d1669c..0bbf0b903b 100644 --- a/lib/x509/crq.c +++ b/lib/x509/crq.c @@ -52,20 +52,20 @@ **/ int gnutls_x509_crq_init(gnutls_x509_crq * crq) { - *crq = gnutls_calloc( 1, sizeof(gnutls_x509_crq_int)); - - if (*crq) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-10-CertificationRequest", - &((*crq)->crq)); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free( *crq); - return _gnutls_asn2err(result); - } - return 0; /* success */ + *crq = gnutls_calloc(1, sizeof(gnutls_x509_crq_int)); + + if (*crq) { + int result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-10-CertificationRequest", + &((*crq)->crq)); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*crq); + return _gnutls_asn2err(result); } - return GNUTLS_E_MEMORY_ERROR; + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -77,12 +77,13 @@ int gnutls_x509_crq_init(gnutls_x509_crq * crq) **/ void gnutls_x509_crq_deinit(gnutls_x509_crq crq) { - if (!crq) return; + if (!crq) + return; - if (crq->crq) - asn1_delete_structure(&crq->crq); + if (crq->crq) + asn1_delete_structure(&crq->crq); - gnutls_free(crq); + gnutls_free(crq); } #define PEM_CRQ "NEW CERTIFICATE REQUEST" @@ -103,56 +104,59 @@ void gnutls_x509_crq_deinit(gnutls_x509_crq crq) * **/ int gnutls_x509_crq_import(gnutls_x509_crq crq, const gnutls_datum * data, - gnutls_x509_crt_fmt format) + gnutls_x509_crt_fmt format) { - int result = 0, need_free = 0; - gnutls_datum _data; + int result = 0, need_free = 0; + gnutls_datum _data; - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + _data.data = data->data; + _data.size = data->size; + + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; + + /* Try the first header */ + result = _gnutls_fbase64_decode(PEM_CRQ, data->data, data->size, + &out); + + if (result <= 0) /* Go for the second header */ + result = + _gnutls_fbase64_decode(PEM_CRQ2, data->data, data->size, + &out); + + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert(); + return result; } - - _data.data = data->data; - _data.size = data->size; - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - /* Try the first header */ - result = _gnutls_fbase64_decode(PEM_CRQ, data->data, data->size, - &out); - - if (result <= 0) /* Go for the second header */ - result = _gnutls_fbase64_decode(PEM_CRQ2, data->data, data->size, - &out); - - if (result <= 0) { - if (result==0) result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - - _data.data = out; - _data.size = result; - - need_free = 1; - } + _data.data = out; + _data.size = result; - result = asn1_der_decoding(&crq->crq, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; - } + need_free = 1; + } - result = 0; + result = asn1_der_decoding(&crq->crq, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } - cleanup: - if (need_free) _gnutls_free_datum( &_data); - return result; + result = 0; + + cleanup: + if (need_free) + _gnutls_free_datum(&_data); + return result; } @@ -175,15 +179,16 @@ int gnutls_x509_crq_import(gnutls_x509_crq crq, const gnutls_datum * data, * **/ int gnutls_x509_crq_get_dn(gnutls_x509_crq crq, char *buf, - size_t *sizeof_buf) + size_t * sizeof_buf) { - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_parse_dn( crq->crq, "certificationRequestInfo.subject.rdnSequence", - buf, sizeof_buf); + return _gnutls_x509_parse_dn(crq->crq, + "certificationRequestInfo.subject.rdnSequence", + buf, sizeof_buf); } /** @@ -211,16 +216,18 @@ int gnutls_x509_crq_get_dn(gnutls_x509_crq crq, char *buf, * On success 0 is returned. * **/ -int gnutls_x509_crq_get_dn_by_oid(gnutls_x509_crq crq, const char* oid, - int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf) +int gnutls_x509_crq_get_dn_by_oid(gnutls_x509_crq crq, const char *oid, + int indx, unsigned int raw_flag, + void *buf, size_t * sizeof_buf) { - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_parse_dn_oid( crq->crq, "certificationRequestInfo.subject.rdnSequence", - oid, indx, raw_flag, buf, sizeof_buf); + return _gnutls_x509_parse_dn_oid(crq->crq, + "certificationRequestInfo.subject.rdnSequence", + oid, indx, raw_flag, buf, sizeof_buf); } /** @@ -241,15 +248,16 @@ int gnutls_x509_crq_get_dn_by_oid(gnutls_x509_crq crq, const char* oid, * **/ int gnutls_x509_crq_get_dn_oid(gnutls_x509_crq crq, - int indx, void *oid, size_t *sizeof_oid) + int indx, void *oid, size_t * sizeof_oid) { - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_get_dn_oid( crq->crq, "certificationRequestInfo.subject.rdnSequence", - indx, oid, sizeof_oid); + return _gnutls_x509_get_dn_oid(crq->crq, + "certificationRequestInfo.subject.rdnSequence", + indx, oid, sizeof_oid); } /* Parses an Attribute list in the asn1_struct, and searches for the @@ -261,134 +269,117 @@ int gnutls_x509_crq_get_dn_oid(gnutls_x509_crq crq, * */ static int parse_attribute(ASN1_TYPE asn1_struct, - const char *attr_name, - const char *given_oid, int indx, - char *buf, size_t *sizeof_buf) + const char *attr_name, + const char *given_oid, int indx, + char *buf, size_t * sizeof_buf) { - int k1, result; - char tmpbuffer1[64]; - char tmpbuffer3[64]; - char counter[MAX_INT_DIGITS]; - char value[200]; - char oid[128]; - int len, printable; - - if (*sizeof_buf == 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + int k1, result; + char tmpbuffer1[64]; + char tmpbuffer3[64]; + char counter[MAX_INT_DIGITS]; + char value[200]; + char oid[128]; + int len, printable; + + if (*sizeof_buf == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + buf[0] = 0; + + k1 = 0; + do { + + k1++; + /* create a string like "attribute.?1" + */ + _gnutls_int2str(k1, counter); + _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), attr_name); + + if (strlen(tmpbuffer1) > 0) + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); + + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; } - buf[0] = 0; + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - k1 = 0; - do { + /* Move to the attibute type and values + */ + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer1); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".type"); + + len = sizeof(oid) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer3, oid, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - k1++; - /* create a string like "attribute.?1" - */ - _gnutls_int2str(k1, counter); - _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), - attr_name); + if (strcmp(oid, given_oid) == 0) { /* Found the OID */ - if (strlen( tmpbuffer1) > 0) - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); + /* Read the Value + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer1); - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + _gnutls_int2str(indx + 1, counter); + + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".values.?"); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), counter); + + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer3, value, &len); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + printable = _gnutls_x509_oid_data_printable(oid); + + if (printable == 1) { + if ((result = + _gnutls_x509_oid_data2string + (oid, value, len, buf, sizeof_buf)) < 0) { + gnutls_assert(); + goto cleanup; } - /* Move to the attibute type and values - */ - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), - tmpbuffer1); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), - ".type"); - - len = sizeof(oid) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer3, oid, - &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (strcmp(oid, given_oid) == 0) { /* Found the OID */ - - /* Read the Value - */ - _gnutls_str_cpy(tmpbuffer3, - sizeof(tmpbuffer3), - tmpbuffer1); - - _gnutls_int2str(indx + 1, counter); - - _gnutls_str_cat(tmpbuffer3, - sizeof(tmpbuffer3), - ".values.?"); - _gnutls_str_cat(tmpbuffer3, - sizeof(tmpbuffer3), - counter); - - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, - tmpbuffer3, value, - &len); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - - printable = - _gnutls_x509_oid_data_printable(oid); - - if (printable == 1) { - if ((result = - _gnutls_x509_oid_data2string - (oid, value, len, buf, - sizeof_buf)) < 0) { - gnutls_assert(); - goto cleanup; - } - - return 0; - } else { - gnutls_assert(); - return GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE; - } - } - - } while (1); + return 0; + } else { + gnutls_assert(); + return GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE; + } + } - gnutls_assert(); + } while (1); - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + gnutls_assert(); - cleanup: - return result; + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + + cleanup: + return result; } /** @@ -403,16 +394,17 @@ static int parse_attribute(ASN1_TYPE asn1_struct, * Returns 0 on success. * **/ -int gnutls_x509_crq_get_challenge_password(gnutls_x509_crq crq, - char* pass, size_t* sizeof_pass) +int gnutls_x509_crq_get_challenge_password(gnutls_x509_crq crq, + char *pass, + size_t * sizeof_pass) { - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return parse_attribute( crq->crq, "certificationRequestInfo.attributes", - "1.2.840.113549.1.9.7", 0, pass, sizeof_pass); + return parse_attribute(crq->crq, "certificationRequestInfo.attributes", + "1.2.840.113549.1.9.7", 0, pass, sizeof_pass); } /** @@ -435,15 +427,17 @@ int gnutls_x509_crq_get_challenge_password(gnutls_x509_crq crq, * Returns 0 on success. * **/ -int gnutls_x509_crq_set_dn_by_oid(gnutls_x509_crq crq, const char* oid, - unsigned int raw_flag, const void *data, unsigned int sizeof_data) +int gnutls_x509_crq_set_dn_by_oid(gnutls_x509_crq crq, const char *oid, + unsigned int raw_flag, const void *data, + unsigned int sizeof_data) { - if (sizeof_data == 0 || data == NULL || crq == NULL) { - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_set_dn_oid( crq->crq, "certificationRequestInfo.subject", - oid, raw_flag, data, sizeof_data); + if (sizeof_data == 0 || data == NULL || crq == NULL) { + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_set_dn_oid(crq->crq, + "certificationRequestInfo.subject", oid, + raw_flag, data, sizeof_data); } /** @@ -459,23 +453,26 @@ int gnutls_x509_crq_set_dn_by_oid(gnutls_x509_crq crq, const char* oid, **/ int gnutls_x509_crq_set_version(gnutls_x509_crq crq, unsigned int version) { -int result; -unsigned char null = version; + int result; + unsigned char null = version; - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (null > 0) null--; - - result = asn1_write_value( crq->crq, "certificationRequestInfo.version", &null, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (null > 0) + null--; + + result = + asn1_write_value(crq->crq, "certificationRequestInfo.version", + &null, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /** @@ -489,24 +486,26 @@ unsigned char null = version; **/ int gnutls_x509_crq_get_version(gnutls_x509_crq crq) { - opaque version[5]; - int len, result; + opaque version[5]; + int len, result; - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - len = sizeof(version); - if ((result = asn1_read_value(crq->crq, "certificationRequestInfo.version", version, &len)) != - ASN1_SUCCESS) { - - if (result == ASN1_ELEMENT_NOT_FOUND) return 1; /* the DEFAULT version */ - gnutls_assert(); - return _gnutls_asn2err(result); - } + len = sizeof(version); + if ((result = + asn1_read_value(crq->crq, "certificationRequestInfo.version", + version, &len)) != ASN1_SUCCESS) { + + if (result == ASN1_ELEMENT_NOT_FOUND) + return 1; /* the DEFAULT version */ + gnutls_assert(); + return _gnutls_asn2err(result); + } - return (int) version[0] + 1; + return (int) version[0] + 1; } /** @@ -522,23 +521,25 @@ int gnutls_x509_crq_get_version(gnutls_x509_crq crq) **/ int gnutls_x509_crq_set_key(gnutls_x509_crq crq, gnutls_x509_privkey key) { -int result; + int result; - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_encode_and_copy_PKI_params( crq->crq, - "certificationRequestInfo.subjectPKInfo", key->pk_algorithm, - key->params, key->params_size); + result = _gnutls_x509_encode_and_copy_PKI_params(crq->crq, + "certificationRequestInfo.subjectPKInfo", + key->pk_algorithm, + key->params, + key->params_size); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /** @@ -551,32 +552,38 @@ int result; * Returns 0 on success. * **/ -int gnutls_x509_crq_set_challenge_password(gnutls_x509_crq crq, const char* pass) +int gnutls_x509_crq_set_challenge_password(gnutls_x509_crq crq, + const char *pass) { -int result; - - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int result; - /* Add the attribute. - */ - result = asn1_write_value( crq->crq, "certificationRequestInfo.attributes", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Add the attribute. + */ + result = + asn1_write_value(crq->crq, "certificationRequestInfo.attributes", + "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = _gnutls_x509_encode_and_write_attribute( "1.2.840.113549.1.9.7", crq->crq, - "certificationRequestInfo.attributes.?LAST", pass, strlen(pass), 1); + result = + _gnutls_x509_encode_and_write_attribute("1.2.840.113549.1.9.7", + crq->crq, + "certificationRequestInfo.attributes.?LAST", + pass, strlen(pass), 1); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /** @@ -596,45 +603,49 @@ int result; **/ int gnutls_x509_crq_sign(gnutls_x509_crq crq, gnutls_x509_privkey key) { -int result; -gnutls_datum signature; + int result; + gnutls_datum signature; - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* Step 1. Self sign the request. - */ - result = _gnutls_x509_sign_tbs( crq->crq, "certificationRequestInfo", GNUTLS_MAC_SHA, - key, &signature); - - if (result < 0) { - gnutls_assert(); - return result; - } + /* Step 1. Self sign the request. + */ + result = + _gnutls_x509_sign_tbs(crq->crq, "certificationRequestInfo", + GNUTLS_MAC_SHA, key, &signature); - /* Step 2. write the signature (bits) - */ - result = asn1_write_value( crq->crq, "signature", signature.data, signature.size*8); + if (result < 0) { + gnutls_assert(); + return result; + } - _gnutls_free_datum( &signature); + /* Step 2. write the signature (bits) + */ + result = + asn1_write_value(crq->crq, "signature", signature.data, + signature.size * 8); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + _gnutls_free_datum(&signature); - /* Step 3. Write the signatureAlgorithm field. - */ - result = _gnutls_x509_write_sig_params( crq->crq, "signatureAlgorithm", - key->pk_algorithm, key->params, key->params_size); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Step 3. Write the signatureAlgorithm field. + */ + result = _gnutls_x509_write_sig_params(crq->crq, "signatureAlgorithm", + key->pk_algorithm, key->params, + key->params_size); + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /** @@ -656,16 +667,18 @@ gnutls_datum signature; * 0 on success. * **/ -int gnutls_x509_crq_export( gnutls_x509_crq crq, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size) +int gnutls_x509_crq_export(gnutls_x509_crq crq, + gnutls_x509_crt_fmt format, void *output_data, + size_t * output_data_size) { - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_export_int( crq->crq, format, PEM_CRQ, *output_data_size, - output_data, output_data_size); + return _gnutls_x509_export_int(crq->crq, format, PEM_CRQ, + *output_data_size, output_data, + output_data_size); } /** @@ -685,22 +698,25 @@ int gnutls_x509_crq_export( gnutls_x509_crq crq, * or a negative value on error. * **/ -int gnutls_x509_crq_get_pk_algorithm( gnutls_x509_crq crq, unsigned int* bits) +int gnutls_x509_crq_get_pk_algorithm(gnutls_x509_crq crq, + unsigned int *bits) { -int result; + int result; - if (crq==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = + _gnutls_x509_get_pk_algorithm(crq->crq, + "certificationRequestInfo.subjectPKInfo", + bits); + if (result < 0) { + gnutls_assert(); + } - result = _gnutls_x509_get_pk_algorithm( crq->crq, "certificationRequestInfo.subjectPKInfo", - bits); - if (result < 0) { - gnutls_assert(); - } - - return result; + return result; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/dn.c b/lib/x509/dn.c index ef0e6401cc..aa626c8a4a 100644 --- a/lib/x509/dn.c +++ b/lib/x509/dn.c @@ -39,40 +39,40 @@ */ static const char *oid2ldap_string(const char *oid) { - const char *ret; + const char *ret; - ret = _gnutls_x509_oid2ldap_string(oid); - if (ret) - return ret; + ret = _gnutls_x509_oid2ldap_string(oid); + if (ret) + return ret; - /* else return the OID in dotted format */ - return oid; + /* else return the OID in dotted format */ + return oid; } /* Escapes a string following the rules from RFC2253. */ static char *str_escape(char *str, char *buffer, unsigned int buffer_size) { - int str_length, j, i; + int str_length, j, i; - if (str == NULL || buffer == NULL) - return NULL; + if (str == NULL || buffer == NULL) + return NULL; - str_length = GMIN(strlen(str), buffer_size - 1); + str_length = GMIN(strlen(str), buffer_size - 1); - for (i = j = 0; i < str_length; i++) { - if (str[i] == ',' || str[i] == '+' || str[i] == '"' - || str[i] == '\\' || str[i] == '<' || str[i] == '>' - || str[i] == ';') - buffer[j++] = '\\'; + for (i = j = 0; i < str_length; i++) { + if (str[i] == ',' || str[i] == '+' || str[i] == '"' + || str[i] == '\\' || str[i] == '<' || str[i] == '>' + || str[i] == ';') + buffer[j++] = '\\'; - buffer[j++] = str[i]; - } + buffer[j++] = str[i]; + } - /* null terminate the string */ - buffer[j] = 0; + /* null terminate the string */ + buffer[j] = 0; - return buffer; + return buffer; } /* Parses an X509 DN in the asn1_struct, and puts the output into @@ -85,251 +85,233 @@ int _gnutls_x509_parse_dn(ASN1_TYPE asn1_struct, const char *asn1_rdn_name, char *buf, size_t * sizeof_buf) { - gnutls_string out_str; - int k2, k1, result; - char tmpbuffer1[64]; - char tmpbuffer2[64]; - char tmpbuffer3[64]; - char counter[MAX_INT_DIGITS]; - opaque value[256], *value2 = NULL; - char *escaped = NULL; - const char *ldap_desc; - char oid[128]; - int len, printable; - char* string = NULL; - size_t sizeof_string ,sizeof_escaped; - - if (sizeof_buf == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_string out_str; + int k2, k1, result; + char tmpbuffer1[64]; + char tmpbuffer2[64]; + char tmpbuffer3[64]; + char counter[MAX_INT_DIGITS]; + opaque value[256], *value2 = NULL; + char *escaped = NULL; + const char *ldap_desc; + char oid[128]; + int len, printable; + char *string = NULL; + size_t sizeof_string, sizeof_escaped; + + if (sizeof_buf == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (buf) + buf[0] = 0; + else + *sizeof_buf = 0; + + _gnutls_string_init(&out_str, gnutls_malloc, gnutls_realloc, + gnutls_free); + + k1 = 0; + do { + + k1++; + /* create a string like "tbsCertList.issuer.rdnSequence.?1" + */ + _gnutls_int2str(k1, counter); + _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), asn1_rdn_name); + if (strlen(tmpbuffer1) > 0) + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); + + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; } - if (buf) - buf[0] = 0; - else - *sizeof_buf = 0; + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - _gnutls_string_init(&out_str, gnutls_malloc, gnutls_realloc, - gnutls_free); + k2 = 0; - k1 = 0; - do { + do { /* Move to the attibute type and values + */ + k2++; - k1++; - /* create a string like "tbsCertList.issuer.rdnSequence.?1" - */ - _gnutls_int2str(k1, counter); - _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), - asn1_rdn_name); - if (strlen(tmpbuffer1) > 0) - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), - "."); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); - - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + _gnutls_int2str(k2, counter); + _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), tmpbuffer1); + if (strlen(tmpbuffer2) > 0) + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "."); + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "?"); + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), counter); - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; - } + /* Try to read the RelativeDistinguishedName attributes. + */ - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer2, value, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - k2 = 0; + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".type"); - do { /* Move to the attibute type and values - */ - k2++; - - _gnutls_int2str(k2, counter); - _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), - tmpbuffer1); - if (strlen(tmpbuffer2) > 0) - _gnutls_str_cat(tmpbuffer2, - sizeof(tmpbuffer2), "."); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), - "?"); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), - counter); - - /* Try to read the RelativeDistinguishedName attributes. - */ - - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer2, value, - &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + len = sizeof(oid) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer3, oid, &len); - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), - tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), - ".type"); + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - len = sizeof(oid) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer3, oid, - &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + /* Read the Value + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".value"); - /* Read the Value - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), - tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), - ".value"); + len = 0; + result = asn1_read_value(asn1_struct, tmpbuffer3, NULL, &len); - len = 0; - result = - asn1_read_value(asn1_struct, tmpbuffer3, NULL, - &len); - - value2 = gnutls_malloc( len); - if (value2 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } + value2 = gnutls_malloc(len); + if (value2 == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } - result = - asn1_read_value(asn1_struct, tmpbuffer3, value2, - &len); + result = + asn1_read_value(asn1_struct, tmpbuffer3, value2, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } #define STR_APPEND(y) if ((result=_gnutls_string_append_str( &out_str, y)) < 0) { \ gnutls_assert(); \ goto cleanup; \ } - /* The encodings of adjoining RelativeDistinguishedNames are separated - * by a comma character (',' ASCII 44). - */ - - /* Where there is a multi-valued RDN, the outputs from adjoining - * AttributeTypeAndValues are separated by a plus ('+' ASCII 43) - * character. - */ - if (k1 != 1) { /* the first time do not append a comma */ - if (k2 != 1) { /* adjoining multi-value RDN */ - STR_APPEND("+"); - } else { - STR_APPEND(","); - } - } + /* The encodings of adjoining RelativeDistinguishedNames are separated + * by a comma character (',' ASCII 44). + */ + + /* Where there is a multi-valued RDN, the outputs from adjoining + * AttributeTypeAndValues are separated by a plus ('+' ASCII 43) + * character. + */ + if (k1 != 1) { /* the first time do not append a comma */ + if (k2 != 1) { /* adjoining multi-value RDN */ + STR_APPEND("+"); + } else { + STR_APPEND(","); + } + } - ldap_desc = oid2ldap_string(oid); - printable = _gnutls_x509_oid_data_printable(oid); + ldap_desc = oid2ldap_string(oid); + printable = _gnutls_x509_oid_data_printable(oid); - sizeof_escaped = 2*len + 1; + sizeof_escaped = 2 * len + 1; - escaped = gnutls_malloc( sizeof_escaped); - if (escaped == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } + escaped = gnutls_malloc(sizeof_escaped); + if (escaped == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } - if (printable == 1) { - sizeof_string = len; - - string = gnutls_malloc( sizeof_string); - if (string == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - - STR_APPEND(ldap_desc); - STR_APPEND("="); - result = - _gnutls_x509_oid_data2string(oid, - value2, - len, - string, - &sizeof_string); - - if (result < 0) { - gnutls_assert(); - _gnutls_x509_log - ("Found OID: '%s' with value '%s'\n", - oid, _gnutls_bin2hex(value2, - len, - escaped, - sizeof_escaped)); - goto cleanup; - } - STR_APPEND(str_escape(string, escaped, sizeof_escaped)); - gnutls_free(string); string = NULL; - } else { - char *res; - - res = - _gnutls_bin2hex(value2, len, escaped, - sizeof_escaped); - - STR_APPEND(ldap_desc); - STR_APPEND("=#"); - if (res) { - STR_APPEND(res); - } else { - STR_APPEND("(null)"); - } - } - - gnutls_free( escaped); escaped = NULL; - gnutls_free( value2); value2 = NULL; + if (printable == 1) { + sizeof_string = len; - } while (1); + string = gnutls_malloc(sizeof_string); + if (string == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } - } while (1); - if (out_str.length >= (unsigned int) *sizeof_buf) { - gnutls_assert(); - *sizeof_buf = out_str.length; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto cleanup; - } + STR_APPEND(ldap_desc); + STR_APPEND("="); + result = + _gnutls_x509_oid_data2string(oid, + value2, + len, + string, &sizeof_string); + + if (result < 0) { + gnutls_assert(); + _gnutls_x509_log + ("Found OID: '%s' with value '%s'\n", + oid, _gnutls_bin2hex(value2, + len, + escaped, sizeof_escaped)); + goto cleanup; + } + STR_APPEND(str_escape(string, escaped, sizeof_escaped)); + gnutls_free(string); + string = NULL; + } else { + char *res; + + res = + _gnutls_bin2hex(value2, len, escaped, sizeof_escaped); + + STR_APPEND(ldap_desc); + STR_APPEND("=#"); + if (res) { + STR_APPEND(res); + } else { + STR_APPEND("(null)"); + } + } - if (buf) { - memcpy(buf, out_str.data, out_str.length); - buf[out_str.length] = 0; - } - *sizeof_buf = out_str.length; + gnutls_free(escaped); + escaped = NULL; + gnutls_free(value2); + value2 = NULL; + + } while (1); - result = 0; + } while (1); - cleanup: - gnutls_free( value2); - gnutls_free( string); - gnutls_free( escaped); - _gnutls_string_clear(&out_str); - return result; + if (out_str.length >= (unsigned int) *sizeof_buf) { + gnutls_assert(); + *sizeof_buf = out_str.length; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto cleanup; + } + + if (buf) { + memcpy(buf, out_str.data, out_str.length); + buf[out_str.length] = 0; + } + *sizeof_buf = out_str.length; + + result = 0; + + cleanup: + gnutls_free(value2); + gnutls_free(string); + gnutls_free(escaped); + _gnutls_string_clear(&out_str); + return result; } /* Parses an X509 DN in the asn1_struct, and searches for the @@ -346,210 +328,177 @@ int _gnutls_x509_parse_dn(ASN1_TYPE asn1_struct, */ int _gnutls_x509_parse_dn_oid(ASN1_TYPE asn1_struct, const char *asn1_rdn_name, - const char *given_oid, int indx, + const char *given_oid, int indx, unsigned int raw_flag, void *buf, size_t * sizeof_buf) { - int k2, k1, result; - char tmpbuffer1[64]; - char tmpbuffer2[64]; - char tmpbuffer3[64]; - char counter[MAX_INT_DIGITS]; - opaque value[256]; - char escaped[256]; - char oid[128]; - int len, printable; - int i = 0; - char * cbuf = buf; - - if (cbuf == NULL) - *sizeof_buf = 0; - else - cbuf[0] = 0; - - k1 = 0; - do { - - k1++; - /* create a string like "tbsCertList.issuer.rdnSequence.?1" - */ - _gnutls_int2str(k1, counter); - _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), - asn1_rdn_name); + int k2, k1, result; + char tmpbuffer1[64]; + char tmpbuffer2[64]; + char tmpbuffer3[64]; + char counter[MAX_INT_DIGITS]; + opaque value[256]; + char escaped[256]; + char oid[128]; + int len, printable; + int i = 0; + char *cbuf = buf; + + if (cbuf == NULL) + *sizeof_buf = 0; + else + cbuf[0] = 0; + + k1 = 0; + do { + + k1++; + /* create a string like "tbsCertList.issuer.rdnSequence.?1" + */ + _gnutls_int2str(k1, counter); + _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), asn1_rdn_name); - if (strlen(tmpbuffer1) > 0) - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), - "."); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); + if (strlen(tmpbuffer1) > 0) + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer1, value, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - k2 = 0; + k2 = 0; - do { /* Move to the attibute type and values + do { /* Move to the attibute type and values */ - k2++; + k2++; - _gnutls_int2str(k2, counter); - _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), - tmpbuffer1); + _gnutls_int2str(k2, counter); + _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), tmpbuffer1); - if (strlen(tmpbuffer2) > 0) - _gnutls_str_cat(tmpbuffer2, - sizeof(tmpbuffer2), "."); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), - "?"); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), - counter); + if (strlen(tmpbuffer2) > 0) + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "."); + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "?"); + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), counter); - /* Try to read the RelativeDistinguishedName attributes. - */ + /* Try to read the RelativeDistinguishedName attributes. + */ - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer2, value, - &len); + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer2, value, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; - } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), - tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), - ".type"); + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".type"); - len = sizeof(oid) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer3, oid, - &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + len = sizeof(oid) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer3, oid, &len); - if (strcmp(oid, given_oid) == 0 && indx == i++) { /* Found the OID */ + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - /* Read the Value - */ - _gnutls_str_cpy(tmpbuffer3, - sizeof(tmpbuffer3), - tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, - sizeof(tmpbuffer3), - ".value"); - - len = *sizeof_buf; - result = - asn1_read_value(asn1_struct, - tmpbuffer3, buf, - &len); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (raw_flag != 0) { - if ((uint)len > *sizeof_buf) { - *sizeof_buf = len; - return - GNUTLS_E_SHORT_MEMORY_BUFFER; - } - *sizeof_buf = len; - - return 0; - - } else { /* parse data. raw_flag == 0 */ - printable = - _gnutls_x509_oid_data_printable - (oid); - - if (printable == 1) { - result = - _gnutls_x509_oid_data2string - (oid, buf, len, cbuf, - sizeof_buf); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - return 0; - } else { - char *res; - - res = - _gnutls_bin2hex(cbuf, - len, - escaped, - sizeof - (escaped)); - if (res) { - unsigned int size = - strlen(res) + - 1; - if (size + 1 > - *sizeof_buf) { - *sizeof_buf - = size; - return - GNUTLS_E_SHORT_MEMORY_BUFFER; - } - *sizeof_buf = size; /* -1 for the null +1 for the '#' */ - - if (buf) { - strcpy(cbuf, - "#"); - strcat(cbuf, - res); - } - - return 0; - } else { - gnutls_assert(); - return - GNUTLS_E_INTERNAL_ERROR; - } - } - } /* raw_flag == 0 */ + if (strcmp(oid, given_oid) == 0 && indx == i++) { /* Found the OID */ + + /* Read the Value + */ + _gnutls_str_cpy(tmpbuffer3, + sizeof(tmpbuffer3), tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".value"); + + len = *sizeof_buf; + result = + asn1_read_value(asn1_struct, tmpbuffer3, buf, &len); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (raw_flag != 0) { + if ((uint) len > *sizeof_buf) { + *sizeof_buf = len; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + *sizeof_buf = len; + + return 0; + + } else { /* parse data. raw_flag == 0 */ + printable = _gnutls_x509_oid_data_printable(oid); + + if (printable == 1) { + result = + _gnutls_x509_oid_data2string + (oid, buf, len, cbuf, sizeof_buf); + if (result < 0) { + gnutls_assert(); + goto cleanup; } - } while (1); + return 0; + } else { + char *res; + + res = + _gnutls_bin2hex(cbuf, + len, escaped, sizeof(escaped)); + if (res) { + unsigned int size = strlen(res) + 1; + if (size + 1 > *sizeof_buf) { + *sizeof_buf = size; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + *sizeof_buf = size; /* -1 for the null +1 for the '#' */ + + if (buf) { + strcpy(cbuf, "#"); + strcat(cbuf, res); + } + + return 0; + } else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + } + } /* raw_flag == 0 */ + } } while (1); - gnutls_assert(); + } while (1); - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + gnutls_assert(); - cleanup: - return result; + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + + cleanup: + return result; } /* Parses an X509 DN in the asn1_struct, and returns the requested @@ -562,130 +511,117 @@ int _gnutls_x509_parse_dn_oid(ASN1_TYPE asn1_struct, * OID found, 1 the second etc. */ int _gnutls_x509_get_dn_oid(ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, - int indx, void *_oid, size_t * sizeof_oid) + const char *asn1_rdn_name, + int indx, void *_oid, size_t * sizeof_oid) { - int k2, k1, result; - char tmpbuffer1[64]; - char tmpbuffer2[64]; - char tmpbuffer3[64]; - char counter[MAX_INT_DIGITS]; - char value[256]; - char oid[128]; - int len; - int i = 0; - - k1 = 0; - do { - - k1++; - /* create a string like "tbsCertList.issuer.rdnSequence.?1" - */ - _gnutls_int2str(k1, counter); - _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), - asn1_rdn_name); + int k2, k1, result; + char tmpbuffer1[64]; + char tmpbuffer2[64]; + char tmpbuffer3[64]; + char counter[MAX_INT_DIGITS]; + char value[256]; + char oid[128]; + int len; + int i = 0; + + k1 = 0; + do { + + k1++; + /* create a string like "tbsCertList.issuer.rdnSequence.?1" + */ + _gnutls_int2str(k1, counter); + _gnutls_str_cpy(tmpbuffer1, sizeof(tmpbuffer1), asn1_rdn_name); - if (strlen(tmpbuffer1) > 0) - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), - "."); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); - _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); + if (strlen(tmpbuffer1) > 0) + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "."); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), "?"); + _gnutls_str_cat(tmpbuffer1, sizeof(tmpbuffer1), counter); - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer1, value, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - k2 = 0; + k2 = 0; - do { /* Move to the attibute type and values + do { /* Move to the attibute type and values */ - k2++; + k2++; - _gnutls_int2str(k2, counter); - _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), - tmpbuffer1); + _gnutls_int2str(k2, counter); + _gnutls_str_cpy(tmpbuffer2, sizeof(tmpbuffer2), tmpbuffer1); - if (strlen(tmpbuffer2) > 0) - _gnutls_str_cat(tmpbuffer2, - sizeof(tmpbuffer2), "."); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), - "?"); - _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), - counter); + if (strlen(tmpbuffer2) > 0) + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "."); + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), "?"); + _gnutls_str_cat(tmpbuffer2, sizeof(tmpbuffer2), counter); - /* Try to read the RelativeDistinguishedName attributes. - */ + /* Try to read the RelativeDistinguishedName attributes. + */ - len = sizeof(value) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer2, value, - &len); + len = sizeof(value) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer2, value, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; - } - if (result != ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), - tmpbuffer2); - _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), - ".type"); + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".type"); - len = sizeof(oid) - 1; - result = - asn1_read_value(asn1_struct, tmpbuffer3, oid, - &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + len = sizeof(oid) - 1; + result = asn1_read_value(asn1_struct, tmpbuffer3, oid, &len); - if ( indx == i++) { /* Found the OID */ + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - len = strlen( oid) + 1; + if (indx == i++) { /* Found the OID */ - if ( *sizeof_oid < (uint)len) { - *sizeof_oid = len; - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - memcpy( oid, _oid, len); - *sizeof_oid = len - 1; + len = strlen(oid) + 1; - return 0; - } - } while (1); + if (*sizeof_oid < (uint) len) { + *sizeof_oid = len; + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + memcpy(oid, _oid, len); + *sizeof_oid = len - 1; + + return 0; + } } while (1); - gnutls_assert(); + } while (1); - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + gnutls_assert(); - cleanup: - return result; + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + + cleanup: + return result; } /* This will encode and write the AttributeTypeAndValue field. @@ -698,108 +634,106 @@ int _gnutls_x509_encode_and_write_attribute(const char *given_oid, const void *_data, int sizeof_data, int multi) { - const char *val_name; - const opaque *data = _data; - char tmp[128]; - ASN1_TYPE c2; - int result; - - - /* Find how to encode the data. - */ - val_name = - asn1_find_structure_from_oid(_gnutls_get_pkix(), given_oid); - if (val_name == NULL) { - gnutls_assert(); - return GNUTLS_E_X509_UNSUPPORTED_OID; - } + const char *val_name; + const opaque *data = _data; + char tmp[128]; + ASN1_TYPE c2; + int result; - _gnutls_str_cpy(tmp, sizeof(tmp), "PKIX1."); - _gnutls_str_cat(tmp, sizeof(tmp), val_name); - result = asn1_create_element(_gnutls_get_pkix(), tmp, &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + /* Find how to encode the data. + */ + val_name = asn1_find_structure_from_oid(_gnutls_get_pkix(), given_oid); + if (val_name == NULL) { + gnutls_assert(); + return GNUTLS_E_X509_UNSUPPORTED_OID; + } - tmp[0] = 0; + _gnutls_str_cpy(tmp, sizeof(tmp), "PKIX1."); + _gnutls_str_cat(tmp, sizeof(tmp), val_name); - if ((result = _gnutls_x509_oid_data_choice(given_oid)) > 0) { - char *string_type; - int i; + result = asn1_create_element(_gnutls_get_pkix(), tmp, &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - string_type = "printableString"; + tmp[0] = 0; - /* Check if the data is plain ascii, and use - * the UTF8 string type if not. - */ - for (i = 0; i < sizeof_data; i++) { - if (!isascii(data[i])) { - string_type = "utf8String"; - break; - } - } + if ((result = _gnutls_x509_oid_data_choice(given_oid)) > 0) { + char *string_type; + int i; - /* if the type is a CHOICE then write the - * type we'll use. - */ - result = asn1_write_value(c2, "", string_type, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + string_type = "printableString"; - _gnutls_str_cpy(tmp, sizeof(tmp), string_type); + /* Check if the data is plain ascii, and use + * the UTF8 string type if not. + */ + for (i = 0; i < sizeof_data; i++) { + if (!isascii(data[i])) { + string_type = "utf8String"; + break; + } } - result = asn1_write_value(c2, tmp, data, sizeof_data); + /* if the type is a CHOICE then write the + * type we'll use. + */ + result = asn1_write_value(c2, "", string_type, 1); if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); } + _gnutls_str_cpy(tmp, sizeof(tmp), string_type); + } - /* write the data (value) - */ + result = asn1_write_value(c2, tmp, data, sizeof_data); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - _gnutls_str_cpy(tmp, sizeof(tmp), where); - _gnutls_str_cat(tmp, sizeof(tmp), ".value"); - if (multi != 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ - _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ + /* write the data (value) + */ - result = asn1_write_value(asn1_struct, tmp, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + _gnutls_str_cpy(tmp, sizeof(tmp), where); + _gnutls_str_cat(tmp, sizeof(tmp), ".value"); - _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); + if (multi != 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ + _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ + result = asn1_write_value(asn1_struct, tmp, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); } - result = - _gnutls_x509_der_encode_and_copy(c2, "", asn1_struct, tmp, 0); - if (result < 0) { - gnutls_assert(); - return result; - } + _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); - /* write the type - */ - _gnutls_str_cpy(tmp, sizeof(tmp), where); - _gnutls_str_cat(tmp, sizeof(tmp), ".type"); + } - result = asn1_write_value(asn1_struct, tmp, given_oid, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = _gnutls_x509_der_encode_and_copy(c2, "", asn1_struct, tmp, 0); + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + /* write the type + */ + _gnutls_str_cpy(tmp, sizeof(tmp), where); + _gnutls_str_cat(tmp, sizeof(tmp), ".type"); + + result = asn1_write_value(asn1_struct, tmp, given_oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /* This will write the AttributeTypeAndValue field. The data must be already DER encoded. @@ -811,46 +745,46 @@ int _gnutls_x509_write_attribute(const char *given_oid, const void *_data, int sizeof_data, int multi) { - char tmp[128]; - int result; + char tmp[128]; + int result; - /* write the data (value) - */ + /* write the data (value) + */ - _gnutls_str_cpy(tmp, sizeof(tmp), where); - _gnutls_str_cat(tmp, sizeof(tmp), ".value"); + _gnutls_str_cpy(tmp, sizeof(tmp), where); + _gnutls_str_cat(tmp, sizeof(tmp), ".value"); - if (multi != 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ - _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ + if (multi != 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ + _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ - result = asn1_write_value(asn1_struct, tmp, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = asn1_write_value(asn1_struct, tmp, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); + _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); - } + } - result = asn1_write_value(asn1_struct, tmp, _data, sizeof_data); - if (result < 0) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = asn1_write_value(asn1_struct, tmp, _data, sizeof_data); + if (result < 0) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - /* write the type - */ - _gnutls_str_cpy(tmp, sizeof(tmp), where); - _gnutls_str_cat(tmp, sizeof(tmp), ".type"); + /* write the type + */ + _gnutls_str_cpy(tmp, sizeof(tmp), where); + _gnutls_str_cat(tmp, sizeof(tmp), ".type"); - result = asn1_write_value(asn1_struct, tmp, given_oid, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = asn1_write_value(asn1_struct, tmp, given_oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } @@ -862,39 +796,39 @@ int _gnutls_x509_decode_and_read_attribute(ASN1_TYPE asn1_struct, int oid_size, gnutls_datum * value, int multi) { - char tmpbuffer[128]; - int len, result; + char tmpbuffer[128]; + int len, result; - /* Read the OID - */ - _gnutls_str_cpy(tmpbuffer, sizeof(tmpbuffer), where); - _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), ".type"); + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer, sizeof(tmpbuffer), where); + _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), ".type"); - len = oid_size - 1; - result = asn1_read_value(asn1_struct, tmpbuffer, oid, &len); + len = oid_size - 1; + result = asn1_read_value(asn1_struct, tmpbuffer, oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - return result; - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + return result; + } - /* Read the Value - */ + /* Read the Value + */ - _gnutls_str_cpy(tmpbuffer, sizeof(tmpbuffer), where); - _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), ".value"); + _gnutls_str_cpy(tmpbuffer, sizeof(tmpbuffer), where); + _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), ".value"); - if (multi) - _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), "s.?1"); /* .values.?1 */ + if (multi) + _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), "s.?1"); /* .values.?1 */ - result = _gnutls_x509_read_value(asn1_struct, tmpbuffer, value, 0); - if (result < 0) { - gnutls_assert(); - return result; - } + result = _gnutls_x509_read_value(asn1_struct, tmpbuffer, value, 0); + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } @@ -910,72 +844,68 @@ int _gnutls_x509_set_dn_oid(ASN1_TYPE asn1_struct, int raw_flag, const char *name, int sizeof_name) { - int result; - char tmp[64], asn1_rdn_name[64]; + int result; + char tmp[64], asn1_rdn_name[64]; - if (sizeof_name == 0 || name == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (sizeof_name == 0 || name == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* create the rdnSequence - */ - result = - asn1_write_value(asn1_struct, asn1_name, "rdnSequence", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + /* create the rdnSequence + */ + result = asn1_write_value(asn1_struct, asn1_name, "rdnSequence", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - _gnutls_str_cpy(asn1_rdn_name, sizeof(asn1_rdn_name), asn1_name); - _gnutls_str_cat(asn1_rdn_name, sizeof(asn1_rdn_name), - ".rdnSequence"); + _gnutls_str_cpy(asn1_rdn_name, sizeof(asn1_rdn_name), asn1_name); + _gnutls_str_cat(asn1_rdn_name, sizeof(asn1_rdn_name), ".rdnSequence"); - /* create a new element - */ - result = asn1_write_value(asn1_struct, asn1_rdn_name, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + /* create a new element + */ + result = asn1_write_value(asn1_struct, asn1_rdn_name, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - _gnutls_str_cpy(tmp, sizeof(tmp), asn1_rdn_name); - _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); + _gnutls_str_cpy(tmp, sizeof(tmp), asn1_rdn_name); + _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); - /* create the set with only one element - */ - result = asn1_write_value(asn1_struct, tmp, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + /* create the set with only one element + */ + result = asn1_write_value(asn1_struct, tmp, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - /* Encode and write the data - */ - _gnutls_str_cpy(tmp, sizeof(tmp), asn1_rdn_name); - _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST.?LAST"); + /* Encode and write the data + */ + _gnutls_str_cpy(tmp, sizeof(tmp), asn1_rdn_name); + _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST.?LAST"); - if (!raw_flag) { - result = - _gnutls_x509_encode_and_write_attribute(given_oid, - asn1_struct, - tmp, name, - sizeof_name, - 0); - } else { - result = - _gnutls_x509_write_attribute(given_oid, asn1_struct, - tmp, name, sizeof_name, - 0); - } + if (!raw_flag) { + result = + _gnutls_x509_encode_and_write_attribute(given_oid, + asn1_struct, + tmp, name, + sizeof_name, 0); + } else { + result = + _gnutls_x509_write_attribute(given_oid, asn1_struct, + tmp, name, sizeof_name, 0); + } - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } @@ -996,37 +926,37 @@ int _gnutls_x509_set_dn_oid(ASN1_TYPE asn1_struct, int gnutls_x509_rdn_get(const gnutls_datum * idn, char *buf, size_t * sizeof_buf) { - int result; - ASN1_TYPE dn = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; - if (sizeof_buf == 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (sizeof_buf == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (buf) - buf[0] = 0; + if (buf) + buf[0] = 0; - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Name", &dn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); + asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } - result = _gnutls_x509_parse_dn(dn, "rdnSequence", buf, sizeof_buf); + result = _gnutls_x509_parse_dn(dn, "rdnSequence", buf, sizeof_buf); - asn1_delete_structure(&dn); - return result; + asn1_delete_structure(&dn); + return result; } @@ -1048,37 +978,37 @@ int gnutls_x509_rdn_get(const gnutls_datum * idn, * **/ int gnutls_x509_rdn_get_by_oid(const gnutls_datum * idn, const char *oid, - int indx, unsigned int raw_flag, - void *buf, size_t * sizeof_buf) + int indx, unsigned int raw_flag, + void *buf, size_t * sizeof_buf) { - int result; - ASN1_TYPE dn = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; - if (sizeof_buf == 0) { - return GNUTLS_E_INVALID_REQUEST; - } + if (sizeof_buf == 0) { + return GNUTLS_E_INVALID_REQUEST; + } - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Name", &dn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); + asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } - result = - _gnutls_x509_parse_dn_oid(dn, "rdnSequence", oid, indx, - raw_flag, buf, sizeof_buf); + result = + _gnutls_x509_parse_dn_oid(dn, "rdnSequence", oid, indx, + raw_flag, buf, sizeof_buf); - asn1_delete_structure(&dn); - return result; + asn1_delete_structure(&dn); + return result; } @@ -1096,37 +1026,36 @@ int gnutls_x509_rdn_get_by_oid(const gnutls_datum * idn, const char *oid, * and 0 on success. * **/ -int gnutls_x509_rdn_get_oid(const gnutls_datum * idn, - int indx, void *buf, size_t * sizeof_buf) +int gnutls_x509_rdn_get_oid(const gnutls_datum * idn, + int indx, void *buf, size_t * sizeof_buf) { - int result; - ASN1_TYPE dn = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; - if (sizeof_buf == 0) { - return GNUTLS_E_INVALID_REQUEST; - } + if (sizeof_buf == 0) { + return GNUTLS_E_INVALID_REQUEST; + } - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Name", &dn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - gnutls_assert(); - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); + asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } - result = - _gnutls_x509_get_dn_oid(dn, "rdnSequence", indx, - buf, sizeof_buf); + result = + _gnutls_x509_get_dn_oid(dn, "rdnSequence", indx, buf, sizeof_buf); - asn1_delete_structure(&dn); - return result; + asn1_delete_structure(&dn); + return result; } @@ -1142,13 +1071,13 @@ int _gnutls_x509_compare_raw_dn(const gnutls_datum * dn1, const gnutls_datum * dn2) { - if (dn1->size != dn2->size) { - gnutls_assert(); - return 0; - } - if (memcmp(dn1->data, dn2->data, dn2->size) != 0) { - gnutls_assert(); - return 0; - } - return 1; /* they match */ + if (dn1->size != dn2->size) { + gnutls_assert(); + return 0; + } + if (memcmp(dn1->data, dn2->data, dn2->size) != 0) { + gnutls_assert(); + return 0; + } + return 1; /* they match */ } diff --git a/lib/x509/dsa.c b/lib/x509/dsa.c index 1a2d593fc0..e4ac45bb07 100644 --- a/lib/x509/dsa.c +++ b/lib/x509/dsa.c @@ -22,7 +22,7 @@ /* This file contains code for DSA keys. */ - + #include <gnutls_int.h> #include <gnutls_errors.h> #include <gnutls_datum.h> @@ -30,96 +30,95 @@ /* resarr will contain: p(0), q(1), g(2), y(3), x(4). */ -int _gnutls_dsa_generate_params(mpi_t* resarr, int* resarr_len, int bits) +int _gnutls_dsa_generate_params(mpi_t * resarr, int *resarr_len, int bits) { - int ret; - gcry_sexp_t parms, key, list; - - if (bits > 1024) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = gcry_sexp_build( &parms, NULL, "(genkey(dsa(nbits %d)))", bits); - if (ret != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* generate the DSA key - */ - ret = gcry_pk_genkey( &key, parms); - gcry_sexp_release( parms); - - if (ret != 0) { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - list = gcry_sexp_find_token( key, "p", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - list = gcry_sexp_find_token( key, "q", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[1] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - list = gcry_sexp_find_token( key, "g", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[2] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - list = gcry_sexp_find_token( key, "y", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[3] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); - - - list = gcry_sexp_find_token( key, "x", 0); - if (list == NULL) { - gnutls_assert(); - gcry_sexp_release( key); - return GNUTLS_E_INTERNAL_ERROR; - } - - resarr[4] = gcry_sexp_nth_mpi(list, 1, 0); - gcry_sexp_release(list); + int ret; + gcry_sexp_t parms, key, list; + + if (bits > 1024) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = gcry_sexp_build(&parms, NULL, "(genkey(dsa(nbits %d)))", bits); + if (ret != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* generate the DSA key + */ + ret = gcry_pk_genkey(&key, parms); + gcry_sexp_release(parms); + + if (ret != 0) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + list = gcry_sexp_find_token(key, "p", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + resarr[0] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + list = gcry_sexp_find_token(key, "q", 0); + if (list == NULL) { + gnutls_assert(); gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } - _gnutls_dump_mpi( "p: ", resarr[0]); - _gnutls_dump_mpi( "q: ", resarr[1]); - _gnutls_dump_mpi( "g: ", resarr[2]); - _gnutls_dump_mpi( "y: ", resarr[3]); - _gnutls_dump_mpi( "x: ", resarr[4]); + resarr[1] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); - *resarr_len = 5; + list = gcry_sexp_find_token(key, "g", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } - return 0; + resarr[2] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); -} + list = gcry_sexp_find_token(key, "y", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[3] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + + + list = gcry_sexp_find_token(key, "x", 0); + if (list == NULL) { + gnutls_assert(); + gcry_sexp_release(key); + return GNUTLS_E_INTERNAL_ERROR; + } + + resarr[4] = gcry_sexp_nth_mpi(list, 1, 0); + gcry_sexp_release(list); + + + gcry_sexp_release(key); + _gnutls_dump_mpi("p: ", resarr[0]); + _gnutls_dump_mpi("q: ", resarr[1]); + _gnutls_dump_mpi("g: ", resarr[2]); + _gnutls_dump_mpi("y: ", resarr[3]); + _gnutls_dump_mpi("x: ", resarr[4]); + + *resarr_len = 5; + + return 0; + +} diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c index 21bc965c3d..1d499f6abf 100644 --- a/lib/x509/extensions.c +++ b/lib/x509/extensions.c @@ -41,114 +41,117 @@ * If the extension does not exist, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will * be returned. */ -int _gnutls_x509_crt_get_extension( gnutls_x509_crt cert, const char* extension_id, - int indx, gnutls_datum* ret, unsigned int * _critical) +int _gnutls_x509_crt_get_extension(gnutls_x509_crt cert, + const char *extension_id, int indx, + gnutls_datum * ret, + unsigned int *_critical) { - int k, result, len; - char name[128], name2[128], counter[MAX_INT_DIGITS]; - char str[1024]; - char str_critical[10]; - int critical = 0; - char extnID[128]; - gnutls_datum value; - int indx_counter = 0; - - ret->data = NULL; - ret->size = 0; - - k = 0; + int k, result, len; + char name[128], name2[128], counter[MAX_INT_DIGITS]; + char str[1024]; + char str_critical[10]; + int critical = 0; + char extnID[128]; + gnutls_datum value; + int indx_counter = 0; + + ret->data = NULL; + ret->size = 0; + + k = 0; + do { + k++; + + _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); + _gnutls_int2str(k, counter); + _gnutls_str_cat(name, sizeof(name), counter); + + len = sizeof(str) - 1; + result = asn1_read_value(cert->cert, name, str, &len); + + /* move to next + */ + + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } + do { - k++; - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(k, counter); - _gnutls_str_cat(name, sizeof(name), counter); + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnID"); - len = sizeof(str) - 1; - result = asn1_read_value(cert->cert, name, str, &len); + len = sizeof(extnID) - 1; + result = asn1_read_value(cert->cert, name2, extnID, &len); - /* move to next + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Handle Extension + */ + if (strcmp(extnID, extension_id) == 0 + && indx == indx_counter++) { + /* extension was found + */ + + /* read the critical status. */ + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".critical"); + + len = sizeof(str_critical); + result = + asn1_read_value(cert->cert, name2, str_critical, &len); if (result == ASN1_ELEMENT_NOT_FOUND) { - break; + gnutls_assert(); + break; + } else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); } - do { - - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnID"); - - len = sizeof(extnID) - 1; - result = - asn1_read_value(cert->cert, name2, extnID, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* Handle Extension - */ - if ( strcmp(extnID, extension_id)==0 && indx == indx_counter++) { - /* extension was found - */ - - /* read the critical status. - */ - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".critical"); - - len = sizeof(str_critical); - result = - asn1_read_value(cert->cert, name2, str_critical, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if (str_critical[0] == 'T') - critical = 1; - else critical = 0; - - /* read the value. - */ - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnValue"); - - result = _gnutls_x509_read_value( cert->cert, name2, - &value, 0); - if (result < 0) { - gnutls_assert(); - return result; - } - - ret->data = value.data; - ret->size = value.size; - - if (_critical) - *_critical = critical; - - return 0; - } - - - } while (0); - } while (1); + if (str_critical[0] == 'T') + critical = 1; + else + critical = 0; - if (result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } else { - gnutls_assert(); - return _gnutls_asn2err(result); - } + /* read the value. + */ + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnValue"); + + result = _gnutls_x509_read_value(cert->cert, name2, + &value, 0); + if (result < 0) { + gnutls_assert(); + return result; + } + + ret->data = value.data; + ret->size = value.size; + + if (_critical) + *_critical = critical; + + return 0; + } + + + } while (0); + } while (1); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } else { + gnutls_assert(); + return _gnutls_asn2err(result); + } } /* This function will attempt to return the requested extension OID found in @@ -157,77 +160,77 @@ int _gnutls_x509_crt_get_extension( gnutls_x509_crt cert, const char* extension_ * If you have passed the last extension, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will * be returned. */ -int _gnutls_x509_crt_get_extension_oid( gnutls_x509_crt cert, - int indx, void* oid, size_t* sizeof_oid) +int _gnutls_x509_crt_get_extension_oid(gnutls_x509_crt cert, + int indx, void *oid, + size_t * sizeof_oid) { - int k, result, len; - char name[128], name2[128], counter[MAX_INT_DIGITS]; - char str[1024]; - char extnID[128]; - int indx_counter = 0; + int k, result, len; + char name[128], name2[128], counter[MAX_INT_DIGITS]; + char str[1024]; + char extnID[128]; + int indx_counter = 0; - k = 0; - do { - k++; + k = 0; + do { + k++; - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(k, counter); - _gnutls_str_cat(name, sizeof(name), counter); + _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); + _gnutls_int2str(k, counter); + _gnutls_str_cat(name, sizeof(name), counter); - len = sizeof(str) - 1; - result = asn1_read_value(cert->cert, name, str, &len); + len = sizeof(str) - 1; + result = asn1_read_value(cert->cert, name, str, &len); - /* move to next - */ + /* move to next + */ - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } - do { + do { - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnID"); + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnID"); - len = sizeof(extnID) - 1; - result = - asn1_read_value(cert->cert, name2, extnID, &len); + len = sizeof(extnID) - 1; + result = asn1_read_value(cert->cert, name2, extnID, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - /* Handle Extension - */ - if ( indx == indx_counter++) { - len = strlen( extnID) + 1; + /* Handle Extension + */ + if (indx == indx_counter++) { + len = strlen(extnID) + 1; - if ( *sizeof_oid < (uint)len) { - *sizeof_oid = len; - gnutls_assert(); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - memcpy( oid, extnID, len); - *sizeof_oid = len - 1; + if (*sizeof_oid < (uint) len) { + *sizeof_oid = len; + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - return 0; - } + memcpy(oid, extnID, len); + *sizeof_oid = len - 1; + return 0; + } - } while (0); - } while (1); - if (result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } else { - gnutls_assert(); - return _gnutls_asn2err(result); - } + } while (0); + } while (1); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } else { + gnutls_assert(); + return _gnutls_asn2err(result); + } } /* This function will attempt to set the requested extension in @@ -235,82 +238,94 @@ int _gnutls_x509_crt_get_extension_oid( gnutls_x509_crt cert, * * Critical will be either 0 or 1. */ -static int set_extension( ASN1_TYPE asn, const char* extension_id, - const gnutls_datum* ext_data, unsigned int critical) +static int set_extension(ASN1_TYPE asn, const char *extension_id, + const gnutls_datum * ext_data, + unsigned int critical) { - int result; - const char *str; - - /* Add a new extension in the list. - */ - result = asn1_write_value(asn, "tbsCertificate.extensions", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = asn1_write_value(asn, "tbsCertificate.extensions.?LAST.extnID", extension_id, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if (critical==0) str = "FALSE"; - else str = "TRUE"; - - - result = asn1_write_value(asn, "tbsCertificate.extensions.?LAST.critical", str, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + int result; + const char *str; + + /* Add a new extension in the list. + */ + result = asn1_write_value(asn, "tbsCertificate.extensions", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + asn1_write_value(asn, "tbsCertificate.extensions.?LAST.extnID", + extension_id, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (critical == 0) + str = "FALSE"; + else + str = "TRUE"; + + + result = + asn1_write_value(asn, "tbsCertificate.extensions.?LAST.critical", + str, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + _gnutls_x509_write_value(asn, + "tbsCertificate.extensions.?LAST.extnValue", + ext_data, 0); + if (result < 0) { + gnutls_assert(); + return result; + } - result = _gnutls_x509_write_value( asn, "tbsCertificate.extensions.?LAST.extnValue", - ext_data, 0); - if (result < 0) { - gnutls_assert(); - return result; - } - - return 0; + return 0; } /* Overwrite the given extension (using the index) * index here starts from one. */ -static int overwrite_extension( ASN1_TYPE asn, unsigned int indx, - const gnutls_datum *ext_data, unsigned int critical) +static int overwrite_extension(ASN1_TYPE asn, unsigned int indx, + const gnutls_datum * ext_data, + unsigned int critical) { -char name[128], name2[128], counter[MAX_INT_DIGITS]; -const char* str; -int result; - - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(indx, counter); - _gnutls_str_cat(name, sizeof(name), counter); - - if (critical==0) str = "FALSE"; - else str = "TRUE"; - - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".critical"); - - result = asn1_write_value(asn, name2, str, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnValue"); + char name[128], name2[128], counter[MAX_INT_DIGITS]; + const char *str; + int result; + + _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); + _gnutls_int2str(indx, counter); + _gnutls_str_cat(name, sizeof(name), counter); + + if (critical == 0) + str = "FALSE"; + else + str = "TRUE"; + + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".critical"); + + result = asn1_write_value(asn, name2, str, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnValue"); + + result = _gnutls_x509_write_value(asn, name2, ext_data, 0); + if (result < 0) { + gnutls_assert(); + return result; + } - result = _gnutls_x509_write_value( asn, name2, ext_data, 0); - if (result < 0) { - gnutls_assert(); - return result; - } - - return 0; + return 0; } /* This function will attempt to overwrite the requested extension with @@ -318,396 +333,412 @@ int result; * * Critical will be either 0 or 1. */ -int _gnutls_x509_crt_set_extension( gnutls_x509_crt cert, const char* ext_id, - const gnutls_datum* ext_data, unsigned int critical) +int _gnutls_x509_crt_set_extension(gnutls_x509_crt cert, + const char *ext_id, + const gnutls_datum * ext_data, + unsigned int critical) { - int result; - int k, len; - char name[128], name2[128], counter[MAX_INT_DIGITS]; - char extnID[128]; + int result; + int k, len; + char name[128], name2[128], counter[MAX_INT_DIGITS]; + char extnID[128]; - /* Find the index of the given extension. - */ - k = 0; - do { - k++; + /* Find the index of the given extension. + */ + k = 0; + do { + k++; - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(k, counter); - _gnutls_str_cat(name, sizeof(name), counter); + _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); + _gnutls_int2str(k, counter); + _gnutls_str_cat(name, sizeof(name), counter); - len = sizeof(extnID) - 1; - result = asn1_read_value(cert->cert, name, extnID, &len); + len = sizeof(extnID) - 1; + result = asn1_read_value(cert->cert, name, extnID, &len); - /* move to next - */ + /* move to next + */ - if (result == ASN1_ELEMENT_NOT_FOUND) { - break; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } - do { + do { - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnID"); + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnID"); - len = sizeof(extnID) - 1; - result = - asn1_read_value(cert->cert, name2, extnID, &len); + len = sizeof(extnID) - 1; + result = asn1_read_value(cert->cert, name2, extnID, &len); - if (result == ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - break; - } else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - /* Handle Extension - */ - if ( strcmp(extnID, ext_id)==0) { - /* extension was found - */ - return overwrite_extension( cert->cert, k, ext_data, critical); - } + /* Handle Extension + */ + if (strcmp(extnID, ext_id) == 0) { + /* extension was found + */ + return overwrite_extension(cert->cert, k, ext_data, + critical); + } - } while (0); - } while (1); + } while (0); + } while (1); - if (result == ASN1_ELEMENT_NOT_FOUND) { - return set_extension( cert->cert, ext_id, ext_data, critical); - } else { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + return set_extension(cert->cert, ext_id, ext_data, critical); + } else { + gnutls_assert(); + return _gnutls_asn2err(result); + } - - return 0; + + return 0; } /* Here we only extract the KeyUsage field, from the DER encoded * extension. */ -int _gnutls_x509_ext_extract_keyUsage(uint16 *keyUsage, opaque * extnValue, - int extnValueLen) +int _gnutls_x509_ext_extract_keyUsage(uint16 * keyUsage, + opaque * extnValue, int extnValueLen) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int len, result; - uint8 str[2]; - - str[0] = str[1] = 0; - *keyUsage = 0; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int len, result; + uint8 str[2]; - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.KeyUsage", &ext - )) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + str[0] = str[1] = 0; + *keyUsage = 0; - result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.KeyUsage", &ext)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } - - len = sizeof(str); - result = asn1_read_value(ext, "", str, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return 0; - } - - *keyUsage = str[0] | (str[1] << 8); + result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + len = sizeof(str); + result = asn1_read_value(ext, "", str, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); return 0; + } + + *keyUsage = str[0] | (str[1] << 8); + + asn1_delete_structure(&ext); + + return 0; } /* extract the basicConstraints from the DER encoded extension */ int _gnutls_x509_ext_extract_basicConstraints(int *CA, opaque * extnValue, - int extnValueLen) + int extnValueLen) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - char str[128]; - int len, result; - - *CA = 0; - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.BasicConstraints", &ext - )) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + char str[128]; + int len, result; - result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + *CA = 0; - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.BasicConstraints", + &ext)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - len = sizeof(str) - 1; - /* the default value of cA is false. - */ - result = asn1_read_value(ext, "cA", str, &len); - if (result != ASN1_SUCCESS) { - asn1_delete_structure(&ext); - return 0; - } + result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + len = sizeof(str) - 1; + /* the default value of cA is false. + */ + result = asn1_read_value(ext, "cA", str, &len); + if (result != ASN1_SUCCESS) { + asn1_delete_structure(&ext); + return 0; + } - if (strcmp(str, "TRUE") == 0) - *CA = 1; - else - *CA = 0; + asn1_delete_structure(&ext); + if (strcmp(str, "TRUE") == 0) + *CA = 1; + else + *CA = 0; - return 0; + + return 0; } /* generate the basicConstraints in a DER encoded extension * Use 0 or 1 (TRUE) for CA. */ -int _gnutls_x509_ext_gen_basicConstraints(int CA, gnutls_datum* der_ext) +int _gnutls_x509_ext_gen_basicConstraints(int CA, gnutls_datum * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - const char *str; - int result; - - if (CA == 0) str = "FALSE"; - else str = "TRUE"; - - result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.BasicConstraints", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + const char *str; + int result; + + if (CA == 0) + str = "FALSE"; + else + str = "TRUE"; + + result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.BasicConstraints", + &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(ext, "cA", str, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } - result = asn1_write_value(ext, "cA", str, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } + asn1_write_value(ext, "pathLenConstraint", NULL, 0); - asn1_write_value(ext, "pathLenConstraint", NULL, 0); - - result = _gnutls_x509_der_encode( ext, "", der_ext, 0); + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure(&ext); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /* generate the keyUsage in a DER encoded extension * Use an ORed SEQUENCE of GNUTLS_KEY_* for usage. */ -int _gnutls_x509_ext_gen_keyUsage(uint16 usage, gnutls_datum* der_ext) +int _gnutls_x509_ext_gen_keyUsage(uint16 usage, gnutls_datum * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - uint8 str[2]; - - result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.KeyUsage", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - str[0] = usage & 0xff; - str[1] = usage >> 8; - - result = asn1_write_value(ext, "", str, 9); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + uint8 str[2]; + + result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.KeyUsage", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + str[0] = usage & 0xff; + str[1] = usage >> 8; + + result = asn1_write_value(ext, "", str, 9); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } - result = _gnutls_x509_der_encode( ext, "", der_ext, 0); + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure(&ext); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } -static int write_new_general_name( ASN1_TYPE ext, const char* ext_name, - gnutls_x509_subject_alt_name type, const char* data_string) +static int write_new_general_name(ASN1_TYPE ext, const char *ext_name, + gnutls_x509_subject_alt_name type, + const char *data_string) { -const char* str; -int result; -char name[128]; - - result = asn1_write_value( ext, ext_name, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - switch(type) { - case GNUTLS_SAN_DNSNAME: - str = "dNSName"; - break; - case GNUTLS_SAN_RFC822NAME: - str = "rfc822Name"; - break; - case GNUTLS_SAN_URI: - str = "uniformResourceIdentifier"; - break; - case GNUTLS_SAN_IPADDRESS: - str = "iPAddress"; - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - if (ext_name[0] == 0) { /* no dot */ - _gnutls_str_cpy( name, sizeof(name), "?LAST"); - } else { - _gnutls_str_cpy( name, sizeof(name), ext_name); - _gnutls_str_cat( name, sizeof(name), ".?LAST"); - } - - result = asn1_write_value( ext, name, str, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - _gnutls_str_cat( name, sizeof(name), "."); - _gnutls_str_cat( name, sizeof(name), str); - - result = asn1_write_value(ext, name, data_string, strlen(data_string)); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } + const char *str; + int result; + char name[128]; + + result = asn1_write_value(ext, ext_name, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + switch (type) { + case GNUTLS_SAN_DNSNAME: + str = "dNSName"; + break; + case GNUTLS_SAN_RFC822NAME: + str = "rfc822Name"; + break; + case GNUTLS_SAN_URI: + str = "uniformResourceIdentifier"; + break; + case GNUTLS_SAN_IPADDRESS: + str = "iPAddress"; + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (ext_name[0] == 0) { /* no dot */ + _gnutls_str_cpy(name, sizeof(name), "?LAST"); + } else { + _gnutls_str_cpy(name, sizeof(name), ext_name); + _gnutls_str_cat(name, sizeof(name), ".?LAST"); + } + + result = asn1_write_value(ext, name, str, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + _gnutls_str_cat(name, sizeof(name), "."); + _gnutls_str_cat(name, sizeof(name), str); + + result = asn1_write_value(ext, name, data_string, strlen(data_string)); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /* Convert the given name to GeneralNames in a DER encoded extension. * This is the same as subject alternative name. */ -int _gnutls_x509_ext_gen_subject_alt_name(gnutls_x509_subject_alt_name type, - const char* data_string, gnutls_datum* der_ext) +int _gnutls_x509_ext_gen_subject_alt_name(gnutls_x509_subject_alt_name + type, const char *data_string, + gnutls_datum * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - - result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.GeneralNames", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = write_new_general_name(ext, "", type, data_string); - if (result < 0) { - gnutls_assert(); - asn1_delete_structure(&ext); - return result; - } + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + + result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.GeneralNames", + &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = write_new_general_name(ext, "", type, data_string); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&ext); + return result; + } - result = _gnutls_x509_der_encode( ext, "", der_ext, 0); + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure(&ext); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /* generate the SubjectKeyID in a DER encoded extension */ -int _gnutls_x509_ext_gen_key_id(const void* id, size_t id_size, gnutls_datum* der_ext) +int _gnutls_x509_ext_gen_key_id(const void *id, size_t id_size, + gnutls_datum * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - - result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.SubjectKeyIdentifier", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = asn1_write_value(ext, "", id, id_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.SubjectKeyIdentifier", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(ext, "", id, id_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } - result = _gnutls_x509_der_encode( ext, "", der_ext, 0); + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure(&ext); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /* generate the AuthorityKeyID in a DER encoded extension */ -int _gnutls_x509_ext_gen_auth_key_id(const void* id, size_t id_size, gnutls_datum* der_ext) +int _gnutls_x509_ext_gen_auth_key_id(const void *id, size_t id_size, + gnutls_datum * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - - result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.AuthorityKeyIdentifier", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = asn1_write_value(ext, "keyIdentifier", id, id_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&ext); - return _gnutls_asn2err(result); - } + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.AuthorityKeyIdentifier", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(ext, "keyIdentifier", id, id_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } - asn1_write_value(ext, "authorityCertIssuer", NULL, 0); - asn1_write_value(ext, "authorityCertSerialNumber", NULL, 0); + asn1_write_value(ext, "authorityCertIssuer", NULL, 0); + asn1_write_value(ext, "authorityCertSerialNumber", NULL, 0); - result = _gnutls_x509_der_encode( ext, "", der_ext, 0); + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); - asn1_delete_structure(&ext); + asn1_delete_structure(&ext); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } @@ -716,85 +747,93 @@ int _gnutls_x509_ext_gen_auth_key_id(const void* id, size_t id_size, gnutls_datu * reason_flags should be an or'ed sequence of GNUTLS_CRL_REASON_*. * */ -int _gnutls_x509_ext_gen_crl_dist_points(gnutls_x509_subject_alt_name type, - const void* data_string, unsigned int reason_flags, gnutls_datum* der_ext) +int _gnutls_x509_ext_gen_crl_dist_points(gnutls_x509_subject_alt_name type, + const void *data_string, + unsigned int reason_flags, + gnutls_datum * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - gnutls_datum gnames = {NULL, 0}; - int result; - uint8 reasons[2]; - - reasons[0] = reason_flags & 0xff; - reasons[1] = reason_flags >> 8; - - result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &ext); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value( ext, "", "NEW", 1); + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + gnutls_datum gnames = { NULL, 0 }; + int result; + uint8 reasons[2]; + + reasons[0] = reason_flags & 0xff; + reasons[1] = reason_flags >> 8; + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.CRLDistributionPoints", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_write_value(ext, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (reason_flags) { + result = asn1_write_value(ext, "?LAST.reasons", reasons, 9); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (reason_flags) { - result = asn1_write_value( ext, "?LAST.reasons", reasons, 9); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - } else { - result = asn1_write_value( ext, "?LAST.reasons", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - - result = asn1_write_value( ext, "?LAST.cRLIssuer", NULL, 0); + } else { + result = asn1_write_value(ext, "?LAST.reasons", NULL, 0); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + } + + result = asn1_write_value(ext, "?LAST.cRLIssuer", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } #if 0 - /* When used as type CHOICE. - */ - result = asn1_write_value( ext, "?LAST.distributionPoint", "fullName", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + /* When used as type CHOICE. + */ + result = + asn1_write_value(ext, "?LAST.distributionPoint", "fullName", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } #endif - asn1_write_value( ext, "?LAST.distributionPoint.nameRelativeToCRLIssuer", NULL, 0); + asn1_write_value(ext, + "?LAST.distributionPoint.nameRelativeToCRLIssuer", + NULL, 0); - result = write_new_general_name(ext, "?LAST.distributionPoint.fullName", type, data_string); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + result = + write_new_general_name(ext, "?LAST.distributionPoint.fullName", + type, data_string); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = _gnutls_x509_der_encode( ext, "", der_ext, 0); + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = 0; + result = 0; -cleanup: - _gnutls_free_datum( &gnames); - asn1_delete_structure(&ext); + cleanup: + _gnutls_free_datum(&gnames); + asn1_delete_structure(&ext); - return result; + return result; } diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c index 7a0604ccd3..f7ea8ac213 100644 --- a/lib/x509/mpi.c +++ b/lib/x509/mpi.c @@ -37,43 +37,42 @@ */ int _gnutls_x509_read_rsa_params(opaque * der, int dersize, mpi_t * params) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - if ((result=asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk)) - != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; - result = asn1_der_decoding(&spk, der, dersize, NULL); + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&spk); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&spk, der, dersize, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&spk); + return _gnutls_asn2err(result); + } - if ( (result=_gnutls_x509_read_int( spk, "modulus", - ¶ms[0])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } - if ( (result=_gnutls_x509_read_int( spk, "publicExponent", - ¶ms[1])) < 0) { - gnutls_assert(); - _gnutls_mpi_release(¶ms[0]); - asn1_delete_structure(&spk); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } + if ((result = _gnutls_x509_read_int(spk, "modulus", ¶ms[0])) < 0) { + gnutls_assert(); + asn1_delete_structure(&spk); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } + if ((result = _gnutls_x509_read_int(spk, "publicExponent", + ¶ms[1])) < 0) { + gnutls_assert(); + _gnutls_mpi_release(¶ms[0]); asn1_delete_structure(&spk); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } - return 0; + asn1_delete_structure(&spk); + + return 0; } @@ -84,59 +83,58 @@ int _gnutls_x509_read_rsa_params(opaque * der, int dersize, mpi_t * params) */ int _gnutls_x509_read_dsa_params(opaque * der, int dersize, mpi_t * params) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.Dss-Parms", &spk - )) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; - result = asn1_der_decoding(&spk, der, dersize, NULL); + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.Dss-Parms", &spk)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&spk); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&spk, der, dersize, NULL); - /* FIXME: If the parameters are not included in the certificate - * then the issuer's parameters should be used. This is not - * done yet. - */ + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&spk); + return _gnutls_asn2err(result); + } - /* Read p */ + /* FIXME: If the parameters are not included in the certificate + * then the issuer's parameters should be used. This is not + * done yet. + */ - if ( (result=_gnutls_x509_read_int( spk, "p", ¶ms[0])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } + /* Read p */ - /* Read q */ + if ((result = _gnutls_x509_read_int(spk, "p", ¶ms[0])) < 0) { + gnutls_assert(); + asn1_delete_structure(&spk); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } - if ( (result=_gnutls_x509_read_int( spk, "q", ¶ms[1])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - _gnutls_mpi_release(¶ms[0]); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } + /* Read q */ - /* Read g */ - - if ( (result=_gnutls_x509_read_int( spk, "g", ¶ms[2])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - _gnutls_mpi_release(¶ms[0]); - _gnutls_mpi_release(¶ms[1]); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } + if ((result = _gnutls_x509_read_int(spk, "q", ¶ms[1])) < 0) { + gnutls_assert(); + asn1_delete_structure(&spk); + _gnutls_mpi_release(¶ms[0]); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } + /* Read g */ + + if ((result = _gnutls_x509_read_int(spk, "g", ¶ms[2])) < 0) { + gnutls_assert(); asn1_delete_structure(&spk); + _gnutls_mpi_release(¶ms[0]); + _gnutls_mpi_release(¶ms[1]); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } - return 0; + asn1_delete_structure(&spk); + + return 0; } @@ -146,133 +144,132 @@ int _gnutls_x509_read_dsa_params(opaque * der, int dersize, mpi_t * params) */ int _gnutls_x509_read_dsa_pubkey(opaque * der, int dersize, mpi_t * params) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - if ( (result=asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", &spk - )) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; - result = asn1_der_decoding(&spk, der, dersize, NULL); + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", + &spk)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&spk); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&spk, der, dersize, NULL); - /* Read Y */ + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&spk); + return _gnutls_asn2err(result); + } - if ( (result=_gnutls_x509_read_int( spk, "", ¶ms[3])) < 0) { - gnutls_assert(); - asn1_delete_structure(&spk); - return _gnutls_asn2err(result); - } + /* Read Y */ + if ((result = _gnutls_x509_read_int(spk, "", ¶ms[3])) < 0) { + gnutls_assert(); asn1_delete_structure(&spk); + return _gnutls_asn2err(result); + } - return 0; + asn1_delete_structure(&spk); + + return 0; } /* Extracts DSA and RSA parameters from a certificate. */ -int _gnutls_x509_crt_get_mpis( gnutls_x509_crt cert, - mpi_t* params, int *params_size) +int _gnutls_x509_crt_get_mpis(gnutls_x509_crt cert, + mpi_t * params, int *params_size) { -int len, result; -opaque str[5*1024]; -int pk_algorithm; + int len, result; + opaque str[5 * 1024]; + int pk_algorithm; + + /* Read the algorithm's OID + */ + pk_algorithm = gnutls_x509_crt_get_pk_algorithm(cert, NULL); + + /* Read the algorithm's parameters + */ + len = sizeof(str); + result = asn1_read_value(cert->cert, + "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey", + str, &len); + len /= 8; + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + switch (pk_algorithm) { + case GNUTLS_PK_RSA: + /* params[0] is the modulus, + * params[1] is the exponent + */ + if (*params_size < RSA_PUBLIC_PARAMS) { + gnutls_assert(); + /* internal error. Increase the mpi_ts in params */ + return GNUTLS_E_INTERNAL_ERROR; + } + + if ((result = _gnutls_x509_read_rsa_params(str, len, params)) < 0) { + gnutls_assert(); + return result; + } + *params_size = RSA_PUBLIC_PARAMS; - /* Read the algorithm's OID + return 0; + break; + case GNUTLS_PK_DSA: + /* params[0] is p, + * params[1] is q, + * params[2] is q, + * params[3] is pub. */ - pk_algorithm = gnutls_x509_crt_get_pk_algorithm(cert, NULL); - /* Read the algorithm's parameters + if (*params_size < DSA_PUBLIC_PARAMS) { + gnutls_assert(); + /* internal error. Increase the mpi_ts in params */ + return GNUTLS_E_INTERNAL_ERROR; + } + + if ((result = _gnutls_x509_read_dsa_pubkey(str, len, params)) < 0) { + gnutls_assert(); + return result; + } + + /* Now read the parameters */ + len = sizeof(str); - result = asn1_read_value(cert->cert, - "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey", str, &len); - len /= 8; + result = asn1_read_value(cert->cert, + "tbsCertificate.subjectPublicKeyInfo.algorithm.parameters", + str, &len); if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + gnutls_assert(); + return _gnutls_asn2err(result); } - switch( pk_algorithm) { - case GNUTLS_PK_RSA: - /* params[0] is the modulus, - * params[1] is the exponent - */ - if ( *params_size < RSA_PUBLIC_PARAMS) { - gnutls_assert(); - /* internal error. Increase the mpi_ts in params */ - return GNUTLS_E_INTERNAL_ERROR; - } - - if ((result = - _gnutls_x509_read_rsa_params( str, len, params)) < 0) { - gnutls_assert(); - return result; - } - *params_size = RSA_PUBLIC_PARAMS; - - return 0; - break; - case GNUTLS_PK_DSA: - /* params[0] is p, - * params[1] is q, - * params[2] is q, - * params[3] is pub. - */ - - if ( *params_size < DSA_PUBLIC_PARAMS) { - gnutls_assert(); - /* internal error. Increase the mpi_ts in params */ - return GNUTLS_E_INTERNAL_ERROR; - } - - if ((result = - _gnutls_x509_read_dsa_pubkey( str, len, params)) < 0) { - gnutls_assert(); - return result; - } - - /* Now read the parameters - */ - - len = sizeof(str); - result = asn1_read_value(cert->cert, - "tbsCertificate.subjectPublicKeyInfo.algorithm.parameters", str, &len); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if ((result = - _gnutls_x509_read_dsa_params(str, len, params)) < 0) { - gnutls_assert(); - return result; - } - *params_size = DSA_PUBLIC_PARAMS; - - return 0; - break; - - default: - /* other types like DH - * currently not supported - */ - gnutls_assert(); - - return GNUTLS_E_X509_CERTIFICATE_ERROR; + if ((result = _gnutls_x509_read_dsa_params(str, len, params)) < 0) { + gnutls_assert(); + return result; } + *params_size = DSA_PUBLIC_PARAMS; + + return 0; + break; + + default: + /* other types like DH + * currently not supported + */ + gnutls_assert(); + + return GNUTLS_E_X509_CERTIFICATE_ERROR; + } } /* @@ -282,115 +279,116 @@ int pk_algorithm; * * Allocates the space used to store the DER data. */ -int _gnutls_x509_write_rsa_params( mpi_t * params, int params_size, - gnutls_datum* der) +int _gnutls_x509_write_rsa_params(mpi_t * params, int params_size, + gnutls_datum * der) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - der->data = NULL; - der->size = 0; - - if (params_size < 2) { - gnutls_assert(); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - if ((result=asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk)) - != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_write_int( spk, "modulus", params[0], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_write_int( spk, "publicExponent", params[1], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_der_encode( spk, "", der, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - asn1_delete_structure(&spk); - return 0; - -cleanup: - asn1_delete_structure(&spk); - - return result; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + + der->data = NULL; + der->size = 0; + + if (params_size < 2) { + gnutls_assert(); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_write_int(spk, "modulus", params[0], 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_write_int(spk, "publicExponent", params[1], 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_der_encode(spk, "", der, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&spk); + return 0; + + cleanup: + asn1_delete_structure(&spk); + + return result; } /* * This function writes and encodes the parameters for DSS or RSA keys. * This is the "signatureAlgorithm" fields. */ -int _gnutls_x509_write_sig_params( ASN1_TYPE dst, const char* dst_name, - gnutls_pk_algorithm pk_algorithm, mpi_t * params, int params_size) +int _gnutls_x509_write_sig_params(ASN1_TYPE dst, const char *dst_name, + gnutls_pk_algorithm pk_algorithm, + mpi_t * params, int params_size) { -gnutls_datum der; -int result; -char name[128]; -const char* pk; - - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".algorithm"); - - pk = _gnutls_x509_sign_to_oid( pk_algorithm, GNUTLS_MAC_SHA); - if (pk == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + gnutls_datum der; + int result; + char name[128]; + const char *pk; + + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".algorithm"); + + pk = _gnutls_x509_sign_to_oid(pk_algorithm, GNUTLS_MAC_SHA); + if (pk == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* write the OID. + */ + result = asn1_write_value(dst, name, pk, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".parameters"); + + if (pk_algorithm == GNUTLS_PK_DSA) { + result = _gnutls_x509_write_dsa_params(params, params_size, &der); + if (result < 0) { + gnutls_assert(); + return result; } - - /* write the OID. - */ - result = asn1_write_value( dst, name, pk, 1); + + result = asn1_write_value(dst, name, der.data, der.size); + _gnutls_free_datum(&der); + if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + gnutls_assert(); + return _gnutls_asn2err(result); } + } else { /* RSA */ + result = asn1_write_value(dst, name, NULL, 0); - - _gnutls_str_cpy( name, sizeof(name), dst_name); - _gnutls_str_cat( name, sizeof(name), ".parameters"); - - if (pk_algorithm == GNUTLS_PK_DSA) { - result = _gnutls_x509_write_dsa_params( params, params_size, &der); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = asn1_write_value( dst, name, der.data, der.size); - _gnutls_free_datum( &der); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - } else { /* RSA */ - result = asn1_write_value( dst, name, NULL, 0); - - if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { - /* Here we ignore the element not found error, since this - * may have been disabled before. - */ - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { + /* Here we ignore the element not found error, since this + * may have been disabled before. + */ + gnutls_assert(); + return _gnutls_asn2err(result); } + } - return 0; + return 0; } /* @@ -399,58 +397,58 @@ const char* pk; * * Allocates the space used to store the DER data. */ -int _gnutls_x509_write_dsa_params( mpi_t * params, int params_size, - gnutls_datum* der) +int _gnutls_x509_write_dsa_params(mpi_t * params, int params_size, + gnutls_datum * der) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - der->data = NULL; - der->size = 0; - - if (params_size < 3) { - gnutls_assert(); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - if ((result=asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DSAParameters", &spk)) - != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_write_int( spk, "p", params[0], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_write_int( spk, "q", params[1], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_write_int( spk, "g", params[2], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_der_encode( spk, "", der, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - asn1_delete_structure(&spk); - return 0; - -cleanup: - asn1_delete_structure(&spk); - return result; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + + der->data = NULL; + der->size = 0; + + if (params_size < 3) { + gnutls_assert(); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DSAParameters", &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_write_int(spk, "p", params[0], 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_write_int(spk, "q", params[1], 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_write_int(spk, "g", params[2], 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_der_encode(spk, "", der, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&spk); + return 0; + + cleanup: + asn1_delete_structure(&spk); + return result; } /* @@ -459,46 +457,46 @@ cleanup: * * Allocates the space used to store the DER data. */ -int _gnutls_x509_write_dsa_public_key( mpi_t * params, int params_size, - gnutls_datum* der) +int _gnutls_x509_write_dsa_public_key(mpi_t * params, int params_size, + gnutls_datum * der) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - der->data = NULL; - der->size = 0; - - if (params_size < 3) { - gnutls_assert(); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - if ((result=asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", &spk)) - != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_write_int( spk, "", params[3], 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_der_encode( spk, "", der, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - asn1_delete_structure(&spk); - return 0; - -cleanup: - asn1_delete_structure(&spk); - return result; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + + der->data = NULL; + der->size = 0; + + if (params_size < 3) { + gnutls_assert(); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_write_int(spk, "", params[3], 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_der_encode(spk, "", der, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&spk); + return 0; + + cleanup: + asn1_delete_structure(&spk); + return result; } @@ -506,66 +504,66 @@ cleanup: * from asn1 structs. Combines the read and the convertion * steps. */ -int _gnutls_x509_read_uint( ASN1_TYPE node, const char* value, - unsigned int* ret) +int _gnutls_x509_read_uint(ASN1_TYPE node, const char *value, + unsigned int *ret) { -int len, result; -opaque* tmpstr; - - len = 0; - result = asn1_read_value( node, value, NULL, &len); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - tmpstr = gnutls_alloca( len); - if (tmpstr==NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - result = asn1_read_value( node, value, tmpstr, &len); - - gnutls_afree( tmpstr); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if (len == 1) - *ret = tmpstr[0]; - else if (len == 2) - *ret = _gnutls_read_uint16(tmpstr); - else if (len == 3) - *ret = _gnutls_read_uint24(tmpstr); - else if (len == 4) - *ret = _gnutls_read_uint32(tmpstr); - else { - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - return 0; + int len, result; + opaque *tmpstr; + + len = 0; + result = asn1_read_value(node, value, NULL, &len); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + tmpstr = gnutls_alloca(len); + if (tmpstr == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_read_value(node, value, tmpstr, &len); + + gnutls_afree(tmpstr); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (len == 1) + *ret = tmpstr[0]; + else if (len == 2) + *ret = _gnutls_read_uint16(tmpstr); + else if (len == 3) + *ret = _gnutls_read_uint24(tmpstr); + else if (len == 4) + *ret = _gnutls_read_uint32(tmpstr); + else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + return 0; } /* Writes the specified integer into the specified node. */ -int _gnutls_x509_write_uint32( ASN1_TYPE node, const char* value, uint32 num) +int _gnutls_x509_write_uint32(ASN1_TYPE node, const char *value, + uint32 num) { -opaque tmpstr[4]; -int result; + opaque tmpstr[4]; + int result; - _gnutls_write_uint32(num, tmpstr); + _gnutls_write_uint32(num, tmpstr); - result = asn1_write_value( node, value, tmpstr, 4); + result = asn1_write_value(node, value, tmpstr, 4); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } - diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c index 0b9c0253c9..ee48262401 100644 --- a/lib/x509/pkcs12.c +++ b/lib/x509/pkcs12.c @@ -44,69 +44,73 @@ * which holds them. Returns an ASN1_TYPE of authenticatedSafe. */ static -int _decode_pkcs12_auth_safe( ASN1_TYPE pkcs12, ASN1_TYPE * authen_safe, gnutls_datum* raw) +int _decode_pkcs12_auth_safe(ASN1_TYPE pkcs12, ASN1_TYPE * authen_safe, + gnutls_datum * raw) { -char oid[128]; -ASN1_TYPE c2 = ASN1_TYPE_EMPTY; -gnutls_datum auth_safe = { NULL, 0 }; -int tmp_size, len, result; - - len = sizeof(oid) - 1; - result = asn1_read_value(pkcs12, "authSafe.contentType", oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if ( strcmp( oid, DATA_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log( "Unknown PKCS12 Content OID '%s'\n", oid); - return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; - } - - /* Step 1. Read the content data - */ - - tmp_size = 0; - result = _gnutls_x509_read_value(pkcs12, "authSafe.content", &auth_safe, 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - /* Step 2. Extract the authenticatedSafe. - */ - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-12-AuthenticatedSafe", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_der_decoding(&c2, auth_safe.data, auth_safe.size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (raw == NULL) { - _gnutls_free_datum(&auth_safe); - } else { - raw->data = auth_safe.data; - raw->size = auth_safe.size; - } - - if (authen_safe) - *authen_safe = c2; - - return 0; - - cleanup: - if (c2) asn1_delete_structure(&c2); - _gnutls_free_datum( &auth_safe); - return result; + char oid[128]; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + gnutls_datum auth_safe = { NULL, 0 }; + int tmp_size, len, result; + + len = sizeof(oid) - 1; + result = asn1_read_value(pkcs12, "authSafe.contentType", oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (strcmp(oid, DATA_OID) != 0) { + gnutls_assert(); + _gnutls_x509_log("Unknown PKCS12 Content OID '%s'\n", oid); + return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; + } + + /* Step 1. Read the content data + */ + + tmp_size = 0; + result = + _gnutls_x509_read_value(pkcs12, "authSafe.content", &auth_safe, 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* Step 2. Extract the authenticatedSafe. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-12-AuthenticatedSafe", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_der_decoding(&c2, auth_safe.data, auth_safe.size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (raw == NULL) { + _gnutls_free_datum(&auth_safe); + } else { + raw->data = auth_safe.data; + raw->size = auth_safe.size; + } + + if (authen_safe) + *authen_safe = c2; + + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + _gnutls_free_datum(&auth_safe); + return result; } /** @@ -122,20 +126,20 @@ int tmp_size, len, result; **/ int gnutls_pkcs12_init(gnutls_pkcs12 * pkcs12) { - *pkcs12 = gnutls_calloc( 1, sizeof(gnutls_pkcs12_int)); - - if (*pkcs12) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-PFX", - &(*pkcs12)->pkcs12); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free( *pkcs12); - return _gnutls_asn2err(result); - } - return 0; /* success */ + *pkcs12 = gnutls_calloc(1, sizeof(gnutls_pkcs12_int)); + + if (*pkcs12) { + int result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-PFX", + &(*pkcs12)->pkcs12); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*pkcs12); + return _gnutls_asn2err(result); } - return GNUTLS_E_MEMORY_ERROR; + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -147,12 +151,13 @@ int gnutls_pkcs12_init(gnutls_pkcs12 * pkcs12) **/ void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12) { - if (!pkcs12) return; + if (!pkcs12) + return; - if (pkcs12->pkcs12) - asn1_delete_structure(&pkcs12->pkcs12); + if (pkcs12->pkcs12) + asn1_delete_structure(&pkcs12->pkcs12); - gnutls_free(pkcs12); + gnutls_free(pkcs12); } /** @@ -171,53 +176,57 @@ void gnutls_pkcs12_deinit(gnutls_pkcs12 pkcs12) * **/ int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data, - gnutls_x509_crt_fmt format, unsigned int flags) + gnutls_x509_crt_fmt format, unsigned int flags) { - int result = 0, need_free = 0; - gnutls_datum _data; - - _data.data = data->data; - _data.size = data->size; + int result = 0, need_free = 0; + gnutls_datum _data; - if (pkcs12==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + _data.data = data->data; + _data.size = data->size; - /* If the PKCS12 is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - result = _gnutls_fbase64_decode(PEM_PKCS12, data->data, data->size, - &out); - - if (result <= 0) { - if (result==0) result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - - _data.data = out; - _data.size = result; - - need_free = 1; - } + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = asn1_der_decoding(&pkcs12->pkcs12, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; + /* If the PKCS12 is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; + + result = _gnutls_fbase64_decode(PEM_PKCS12, data->data, data->size, + &out); + + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert(); + return result; } - if (need_free) _gnutls_free_datum( &_data); + _data.data = out; + _data.size = result; - return 0; + need_free = 1; + } - cleanup: - if (need_free) _gnutls_free_datum( &_data); - return result; + result = + asn1_der_decoding(&pkcs12->pkcs12, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + if (need_free) + _gnutls_free_datum(&_data); + + return 0; + + cleanup: + if (need_free) + _gnutls_free_datum(&_data); + return result; } @@ -240,240 +249,254 @@ int gnutls_pkcs12_import(gnutls_pkcs12 pkcs12, const gnutls_datum * data, * 0 on success. * **/ -int gnutls_pkcs12_export( gnutls_pkcs12 pkcs12, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size) +int gnutls_pkcs12_export(gnutls_pkcs12 pkcs12, + gnutls_x509_crt_fmt format, void *output_data, + size_t * output_data_size) { - if (pkcs12==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_export_int( pkcs12->pkcs12, format, PEM_PKCS12, *output_data_size, - output_data, output_data_size); + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12, + *output_data_size, output_data, + output_data_size); } -static int oid2bag( const char* oid) +static int oid2bag(const char *oid) { - if (strcmp(oid, BAG_PKCS8_KEY)==0) - return GNUTLS_BAG_PKCS8_KEY; - if (strcmp(oid, BAG_PKCS8_ENCRYPTED_KEY)==0) - return GNUTLS_BAG_PKCS8_ENCRYPTED_KEY; - if (strcmp(oid, BAG_CERTIFICATE)==0) - return GNUTLS_BAG_CERTIFICATE; - if (strcmp(oid, BAG_CRL)==0) - return GNUTLS_BAG_CRL; - - return GNUTLS_BAG_UNKNOWN; + if (strcmp(oid, BAG_PKCS8_KEY) == 0) + return GNUTLS_BAG_PKCS8_KEY; + if (strcmp(oid, BAG_PKCS8_ENCRYPTED_KEY) == 0) + return GNUTLS_BAG_PKCS8_ENCRYPTED_KEY; + if (strcmp(oid, BAG_CERTIFICATE) == 0) + return GNUTLS_BAG_CERTIFICATE; + if (strcmp(oid, BAG_CRL) == 0) + return GNUTLS_BAG_CRL; + + return GNUTLS_BAG_UNKNOWN; } -static const char* bag_to_oid( int bag) +static const char *bag_to_oid(int bag) { - switch (bag) { - case GNUTLS_BAG_PKCS8_KEY: - return BAG_PKCS8_KEY; - case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: - return BAG_PKCS8_ENCRYPTED_KEY; - case GNUTLS_BAG_CERTIFICATE: - return BAG_CERTIFICATE; - case GNUTLS_BAG_CRL: - return BAG_CRL; - } - return NULL; + switch (bag) { + case GNUTLS_BAG_PKCS8_KEY: + return BAG_PKCS8_KEY; + case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: + return BAG_PKCS8_ENCRYPTED_KEY; + case GNUTLS_BAG_CERTIFICATE: + return BAG_CERTIFICATE; + case GNUTLS_BAG_CRL: + return BAG_CRL; + } + return NULL; } -static inline -char* ucs2_to_ascii( char* data, int size) { -int i; +static inline char *ucs2_to_ascii(char *data, int size) +{ + int i; + + for (i = 0; i < size / 2; i++) + data[i] = data[i * 2 + 1]; + data[i] = 0; - for (i=0;i<size/2;i++) - data[i] = data[i*2 + 1]; - data[i] = 0; - - return data; + return data; } /* Decodes the SafeContents, and puts the output in * the given bag. */ int -_pkcs12_decode_safe_contents( const gnutls_datum* content, gnutls_pkcs12_bag bag) +_pkcs12_decode_safe_contents(const gnutls_datum * content, + gnutls_pkcs12_bag bag) { -char oid[128], root[128]; -ASN1_TYPE c2 = ASN1_TYPE_EMPTY; -int len, result; -int bag_type; -gnutls_datum attr_val; -int count = 0, i, attributes, j; -char counter[MAX_INT_DIGITS]; - - /* Step 1. Extract the SEQUENCE. - */ - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-12-SafeContents", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + char oid[128], root[128]; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int len, result; + int bag_type; + gnutls_datum attr_val; + int count = 0, i, attributes, j; + char counter[MAX_INT_DIGITS]; + + /* Step 1. Extract the SEQUENCE. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-12-SafeContents", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_der_decoding(&c2, content->data, content->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Count the number of bags + */ + result = asn1_number_of_elements(c2, "", &count); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + bag->bag_elements = GMIN(MAX_BAG_ELEMENTS, count); + + for (i = 0; i < bag->bag_elements; i++) { + + _gnutls_str_cpy(root, sizeof(root), "?"); + _gnutls_int2str(i + 1, counter); + _gnutls_str_cat(root, sizeof(root), counter); + _gnutls_str_cat(root, sizeof(root), ".bagId"); + + len = sizeof(oid); + result = asn1_read_value(c2, root, oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - result = asn1_der_decoding(&c2, content->data, content->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + /* Read the Bag type + */ + bag_type = oid2bag(oid); + + if (bag_type < 0) { + gnutls_assert(); + goto cleanup; } - /* Count the number of bags + /* Read the Bag Value */ - result = asn1_number_of_elements( c2, "", &count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + + _gnutls_str_cpy(root, sizeof(root), "?"); + _gnutls_int2str(i + 1, counter); + _gnutls_str_cat(root, sizeof(root), counter); + _gnutls_str_cat(root, sizeof(root), ".bagValue"); + + result = + _gnutls_x509_read_value(c2, root, &bag->element[i].data, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; } - bag->bag_elements = GMIN(MAX_BAG_ELEMENTS, count); + if (bag_type == GNUTLS_BAG_CERTIFICATE || + bag_type == GNUTLS_BAG_CRL) { + gnutls_datum tmp = bag->element[i].data; - for (i=0;i<bag->bag_elements;i++) { + result = + _pkcs12_decode_crt_bag(bag_type, &tmp, + &bag->element[i].data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - _gnutls_str_cpy( root, sizeof(root), "?"); - _gnutls_int2str( i+1, counter); - _gnutls_str_cat( root, sizeof(root), counter); - _gnutls_str_cat( root, sizeof(root), ".bagId"); + _gnutls_free_datum(&tmp); + } - len = sizeof(oid); - result = asn1_read_value(c2, root, oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + /* read the bag attributes + */ + _gnutls_str_cpy(root, sizeof(root), "?"); + _gnutls_int2str(i + 1, counter); + _gnutls_str_cat(root, sizeof(root), counter); + _gnutls_str_cat(root, sizeof(root), ".bagAttributes"); + + result = asn1_number_of_elements(c2, root, &attributes); + if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - /* Read the Bag type - */ - bag_type = oid2bag( oid); - - if (bag_type < 0) { - gnutls_assert(); - goto cleanup; - } + if (attributes < 0) + attributes = 1; + + if (result != ASN1_ELEMENT_NOT_FOUND) + for (j = 0; j < attributes; j++) { - /* Read the Bag Value - */ + _gnutls_str_cpy(root, sizeof(root), "?"); + _gnutls_int2str(i + 1, counter); + _gnutls_str_cat(root, sizeof(root), counter); + _gnutls_str_cat(root, sizeof(root), ".bagAttributes.?"); + _gnutls_int2str(j + 1, counter); + _gnutls_str_cat(root, sizeof(root), counter); - _gnutls_str_cpy( root, sizeof(root), "?"); - _gnutls_int2str( i+1, counter); - _gnutls_str_cat( root, sizeof(root), counter); - _gnutls_str_cat( root, sizeof(root), ".bagValue"); + result = + _gnutls_x509_decode_and_read_attribute(c2, root, oid, + sizeof(oid), + &attr_val, 1); - result = _gnutls_x509_read_value( c2, root, &bag->element[i].data, 0); if (result < 0) { - gnutls_assert(); - goto cleanup; + gnutls_assert(); + goto cleanup; } - if (bag_type == GNUTLS_BAG_CERTIFICATE || - bag_type == GNUTLS_BAG_CRL) { - gnutls_datum tmp = bag->element[i].data; - - result = _pkcs12_decode_crt_bag( bag_type, &tmp, &bag->element[i].data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - _gnutls_free_datum( &tmp); - } - /* read the bag attributes - */ - _gnutls_str_cpy( root, sizeof(root), "?"); - _gnutls_int2str( i+1, counter); - _gnutls_str_cat( root, sizeof(root), counter); - _gnutls_str_cat( root, sizeof(root), ".bagAttributes"); - - result = asn1_number_of_elements( c2, root, &attributes); - if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + if (strcmp(oid, KEY_ID_OID) == 0) + bag->element[i].local_key_id = attr_val; + else if (strcmp(oid, FRIENDLY_NAME_OID) == 0) + bag->element[i].friendly_name = + ucs2_to_ascii(attr_val.data, attr_val.size); + else { + _gnutls_x509_log + ("Unknown PKCS12 Bag Attribute OID '%s'\n", oid); } + } - if (attributes < 0) attributes = 1; - - if (result != ASN1_ELEMENT_NOT_FOUND) - for (j=0;j<attributes;j++) { - - _gnutls_str_cpy( root, sizeof(root), "?"); - _gnutls_int2str( i+1, counter); - _gnutls_str_cat( root, sizeof(root), counter); - _gnutls_str_cat( root, sizeof(root), ".bagAttributes.?"); - _gnutls_int2str( j+1, counter); - _gnutls_str_cat( root, sizeof(root), counter); - - result = _gnutls_x509_decode_and_read_attribute( - c2, root, oid, sizeof(oid), &attr_val, 1); - - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - - if (strcmp( oid, KEY_ID_OID)==0) - bag->element[i].local_key_id = attr_val; - else if (strcmp( oid, FRIENDLY_NAME_OID)==0) - bag->element[i].friendly_name = ucs2_to_ascii( attr_val.data, attr_val.size); - else { - _gnutls_x509_log( "Unknown PKCS12 Bag Attribute OID '%s'\n", oid); - } - } - - bag->element[i].type = bag_type; - - } + bag->element[i].type = bag_type; - asn1_delete_structure(&c2); + } + asn1_delete_structure(&c2); - return 0; - cleanup: - if (c2) asn1_delete_structure(&c2); - return result; + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + return result; } static -int _parse_safe_contents( ASN1_TYPE sc, const char* sc_name, gnutls_pkcs12_bag bag) +int _parse_safe_contents(ASN1_TYPE sc, const char *sc_name, + gnutls_pkcs12_bag bag) { -gnutls_datum content = { NULL, 0 }; -int result; + gnutls_datum content = { NULL, 0 }; + int result; - /* Step 1. Extract the content. - */ + /* Step 1. Extract the content. + */ - result = _gnutls_x509_read_value(sc, sc_name, &content, 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + result = _gnutls_x509_read_value(sc, sc_name, &content, 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = _pkcs12_decode_safe_contents( &content, bag); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + result = _pkcs12_decode_safe_contents(&content, bag); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - _gnutls_free_datum( &content); + _gnutls_free_datum(&content); - return 0; - - cleanup: - _gnutls_free_datum( &content); - return result; + return 0; + + cleanup: + _gnutls_free_datum(&content); + return result; } @@ -490,133 +513,137 @@ int result; * will be returned. * **/ -int gnutls_pkcs12_get_bag(gnutls_pkcs12 pkcs12, - int indx, gnutls_pkcs12_bag bag) +int gnutls_pkcs12_get_bag(gnutls_pkcs12 pkcs12, + int indx, gnutls_pkcs12_bag bag) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len; - char root2[64]; - char oid[128]; - char counter[MAX_INT_DIGITS]; - gnutls_datum tmp = {NULL, 0}; - - if (pkcs12==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len; + char root2[64]; + char oid[128]; + char counter[MAX_INT_DIGITS]; + gnutls_datum tmp = { NULL, 0 }; + + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Step 1. decode the data. + */ + result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } - /* Step 1. decode the data. - */ - result = _decode_pkcs12_auth_safe( pkcs12->pkcs12, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 2. Parse the AuthenticatedSafe - */ - - _gnutls_str_cpy( root2, sizeof(root2), "?"); - _gnutls_int2str( indx+1, counter); - _gnutls_str_cat( root2, sizeof(root2), counter); - _gnutls_str_cat( root2, sizeof(root2), ".contentType"); + /* Step 2. Parse the AuthenticatedSafe + */ - len = sizeof(oid) - 1; + _gnutls_str_cpy(root2, sizeof(root2), "?"); + _gnutls_int2str(indx + 1, counter); + _gnutls_str_cat(root2, sizeof(root2), counter); + _gnutls_str_cat(root2, sizeof(root2), ".contentType"); - result = asn1_read_value(c2, root2, oid, &len); + len = sizeof(oid) - 1; - if (result == ASN1_ELEMENT_NOT_FOUND) { - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - goto cleanup; - } + result = asn1_read_value(c2, root2, oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (result == ASN1_ELEMENT_NOT_FOUND) { + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + goto cleanup; + } - /* Not encrypted Bag - */ + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - _gnutls_str_cpy( root2, sizeof(root2), "?"); - _gnutls_int2str( indx+1, counter); - _gnutls_str_cat( root2, sizeof(root2), counter); - _gnutls_str_cat( root2, sizeof(root2), ".content"); + /* Not encrypted Bag + */ - if (strcmp( oid, DATA_OID) == 0) { - result = _parse_safe_contents( c2, root2, bag); - goto cleanup; - } - - /* ENC_DATA_OID needs decryption */ + _gnutls_str_cpy(root2, sizeof(root2), "?"); + _gnutls_int2str(indx + 1, counter); + _gnutls_str_cat(root2, sizeof(root2), counter); + _gnutls_str_cat(root2, sizeof(root2), ".content"); - bag->element[0].type = GNUTLS_BAG_ENCRYPTED; - bag->bag_elements = 1; + if (strcmp(oid, DATA_OID) == 0) { + result = _parse_safe_contents(c2, root2, bag); + goto cleanup; + } - result = _gnutls_x509_read_value( c2, root2, &bag->element[0].data, 0); - if (result < 0) { - gnutls_assert(); - return result; - } + /* ENC_DATA_OID needs decryption */ - return 0; + bag->element[0].type = GNUTLS_BAG_ENCRYPTED; + bag->bag_elements = 1; + + result = _gnutls_x509_read_value(c2, root2, &bag->element[0].data, 0); + if (result < 0) { + gnutls_assert(); + return result; + } - cleanup: - _gnutls_free_datum( &tmp); - if (c2) asn1_delete_structure(&c2); - return result; + return 0; + + cleanup: + _gnutls_free_datum(&tmp); + if (c2) + asn1_delete_structure(&c2); + return result; } /* Creates an empty PFX structure for the PKCS12 structure. */ static int create_empty_pfx(ASN1_TYPE pkcs12) { - uint8 three = 3; - int result; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - /* Use version 3 - */ - result = asn1_write_value( pkcs12, "version", &three, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Write the content type of the data - */ - result = asn1_write_value(pkcs12, "authSafe.contentType", DATA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Check if the authenticatedSafe content is empty, and encode a - * null one in that case. - */ - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-12-AuthenticatedSafe", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = _gnutls_x509_der_encode_and_copy( c2, "", pkcs12, "authSafe.content", 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - asn1_delete_structure( &c2); - - return 0; - - cleanup: - asn1_delete_structure( &c2); - return result; + uint8 three = 3; + int result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + /* Use version 3 + */ + result = asn1_write_value(pkcs12, "version", &three, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Write the content type of the data + */ + result = asn1_write_value(pkcs12, "authSafe.contentType", DATA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Check if the authenticatedSafe content is empty, and encode a + * null one in that case. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-12-AuthenticatedSafe", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs12, + "authSafe.content", 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + asn1_delete_structure(&c2); + + return 0; + + cleanup: + asn1_delete_structure(&c2); + return result; } @@ -631,103 +658,112 @@ static int create_empty_pfx(ASN1_TYPE pkcs12) **/ int gnutls_pkcs12_set_bag(gnutls_pkcs12 pkcs12, gnutls_pkcs12_bag bag) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; - int result; - int enc = 0, dum = 1; - char null; - - if (pkcs12==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Step 1. Check if the pkcs12 structure is empty. In that - * case generate an empty PFX. - */ - result = asn1_read_value(pkcs12->pkcs12, "authSafe.content", &null, &dum); - if (result == ASN1_VALUE_NOT_FOUND) { - result = create_empty_pfx( pkcs12->pkcs12); - if (result < 0) { - gnutls_assert(); - return result; - } - } - - /* Step 2. decode the authenticatedSafe. - */ - result = _decode_pkcs12_auth_safe( pkcs12->pkcs12, &c2, NULL); + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; + int result; + int enc = 0, dum = 1; + char null; + + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Step 1. Check if the pkcs12 structure is empty. In that + * case generate an empty PFX. + */ + result = + asn1_read_value(pkcs12->pkcs12, "authSafe.content", &null, &dum); + if (result == ASN1_VALUE_NOT_FOUND) { + result = create_empty_pfx(pkcs12->pkcs12); if (result < 0) { - gnutls_assert(); - return result; + gnutls_assert(); + return result; } + } - /* Step 3. Encode the bag elements into a SafeContents - * structure. - */ - result = _pkcs12_encode_safe_contents( bag, &safe_cont, &enc); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 4. Insert the encoded SafeContents into the AuthenticatedSafe - * structure. + /* Step 2. decode the authenticatedSafe. + */ + result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 3. Encode the bag elements into a SafeContents + * structure. + */ + result = _pkcs12_encode_safe_contents(bag, &safe_cont, &enc); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 4. Insert the encoded SafeContents into the AuthenticatedSafe + * structure. + */ + result = asn1_write_value(c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (enc) + result = + asn1_write_value(c2, "?LAST.contentType", ENC_DATA_OID, 1); + else + result = asn1_write_value(c2, "?LAST.contentType", DATA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (enc) { + /* Encrypted packets are written directly. */ - result = asn1_write_value(c2, "", "NEW", 1); + result = + asn1_write_value(c2, "?LAST.content", + bag->element[0].data.data, + bag->element[0].data.size); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - - if (enc) - result = asn1_write_value(c2, "?LAST.contentType", ENC_DATA_OID, 1); - else - result = asn1_write_value(c2, "?LAST.contentType", DATA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + } else { + result = + _gnutls_x509_der_encode_and_copy(safe_cont, "", c2, + "?LAST.content", 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; } + } - if (enc) { - /* Encrypted packets are written directly. - */ - result = asn1_write_value( c2, "?LAST.content", bag->element[0].data.data, bag->element[0].data.size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - } else { - result = _gnutls_x509_der_encode_and_copy( safe_cont, "", c2, "?LAST.content", 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } + asn1_delete_structure(&safe_cont); - asn1_delete_structure(&safe_cont); - - /* Step 5. Reencode and copy the AuthenticatedSafe into the pkcs12 - * structure. - */ - result = _gnutls_x509_der_encode_and_copy( c2, "", pkcs12->pkcs12, "authSafe.content", 1); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + /* Step 5. Reencode and copy the AuthenticatedSafe into the pkcs12 + * structure. + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs12->pkcs12, + "authSafe.content", 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - asn1_delete_structure(&c2); + asn1_delete_structure(&c2); - return 0; + return 0; - cleanup: - asn1_delete_structure(&c2); - asn1_delete_structure(&safe_cont); - return result; + cleanup: + asn1_delete_structure(&c2); + asn1_delete_structure(&safe_cont); + return result; } /** @@ -739,102 +775,114 @@ int gnutls_pkcs12_set_bag(gnutls_pkcs12 pkcs12, gnutls_pkcs12_bag bag) * Returns 0 on success. * **/ -int gnutls_pkcs12_generate_mac(gnutls_pkcs12 pkcs12, const char* pass) +int gnutls_pkcs12_generate_mac(gnutls_pkcs12 pkcs12, const char *pass) { - opaque salt[8], key[20]; - int result; - const int iter = 1; - mac_hd_t td1 = NULL; - gnutls_datum tmp = {NULL, 0}; - opaque sha_mac[20]; - - if (pkcs12==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Generate the salt. - */ - _gnutls_get_random(salt, sizeof(salt), GNUTLS_WEAK_RANDOM); - - /* Write the salt into the structure. - */ - result = asn1_write_value(pkcs12->pkcs12, "macData.macSalt", salt, sizeof(salt)); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* write the iterations - */ - - if (iter > 1) { - result = _gnutls_x509_write_uint32( pkcs12->pkcs12, "macData.iterations", iter); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } - - /* Generate the key. - */ - result = _pkcs12_string_to_key( 3/*MAC*/, salt, sizeof(salt), - iter, pass, sizeof(key), key); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - /* Get the data to be MACed - */ - result = _decode_pkcs12_auth_safe( pkcs12->pkcs12, NULL, &tmp); + opaque salt[8], key[20]; + int result; + const int iter = 1; + mac_hd_t td1 = NULL; + gnutls_datum tmp = { NULL, 0 }; + opaque sha_mac[20]; + + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Generate the salt. + */ + _gnutls_get_random(salt, sizeof(salt), GNUTLS_WEAK_RANDOM); + + /* Write the salt into the structure. + */ + result = + asn1_write_value(pkcs12->pkcs12, "macData.macSalt", salt, + sizeof(salt)); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* write the iterations + */ + + if (iter > 1) { + result = + _gnutls_x509_write_uint32(pkcs12->pkcs12, "macData.iterations", + iter); if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - /* MAC the data - */ - td1 = _gnutls_hmac_init(GNUTLS_MAC_SHA, key, sizeof(key)); - if (td1 == GNUTLS_MAC_FAILED) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; - } - - _gnutls_hmac(td1, tmp.data, tmp.size); - _gnutls_free_datum( &tmp); - - _gnutls_hmac_deinit(td1, sha_mac); - - - result = asn1_write_value(pkcs12->pkcs12, "macData.mac.digest", sha_mac, sizeof(sha_mac)); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value(pkcs12->pkcs12, "macData.mac.digestAlgorithm.parameters", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + gnutls_assert(); + goto cleanup; } - - result = asn1_write_value(pkcs12->pkcs12, "macData.mac.digestAlgorithm.algorithm", OID_SHA1, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - return 0; - - cleanup: - _gnutls_free_datum( &tmp); - return result; + } + + /* Generate the key. + */ + result = _pkcs12_string_to_key(3 /*MAC*/, salt, sizeof(salt), + iter, pass, sizeof(key), key); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* Get the data to be MACed + */ + result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, NULL, &tmp); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* MAC the data + */ + td1 = _gnutls_hmac_init(GNUTLS_MAC_SHA, key, sizeof(key)); + if (td1 == GNUTLS_MAC_FAILED) { + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; + } + + _gnutls_hmac(td1, tmp.data, tmp.size); + _gnutls_free_datum(&tmp); + + _gnutls_hmac_deinit(td1, sha_mac); + + + result = + asn1_write_value(pkcs12->pkcs12, "macData.mac.digest", sha_mac, + sizeof(sha_mac)); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(pkcs12->pkcs12, + "macData.mac.digestAlgorithm.parameters", NULL, + 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(pkcs12->pkcs12, + "macData.mac.digestAlgorithm.algorithm", OID_SHA1, + 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + return 0; + + cleanup: + _gnutls_free_datum(&tmp); + return result; } /** @@ -846,181 +894,194 @@ int gnutls_pkcs12_generate_mac(gnutls_pkcs12 pkcs12, const char* pass) * Returns 0 on success. * **/ -int gnutls_pkcs12_verify_mac(gnutls_pkcs12 pkcs12, const char* pass) +int gnutls_pkcs12_verify_mac(gnutls_pkcs12 pkcs12, const char *pass) { - opaque key[20]; - int result; - unsigned int iter, len; - mac_hd_t td1 = NULL; - gnutls_datum tmp = {NULL, 0}, salt = {NULL, 0}; - opaque sha_mac[20]; - opaque sha_mac_orig[20]; - - if (pkcs12==NULL || pass == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* read the iterations - */ - - result = _gnutls_x509_read_uint( pkcs12->pkcs12, "macData.iterations", &iter); - if (result < 0) { - iter = 1; /* the default */ - } + opaque key[20]; + int result; + unsigned int iter, len; + mac_hd_t td1 = NULL; + gnutls_datum tmp = { NULL, 0 }, salt = { + NULL, 0}; + opaque sha_mac[20]; + opaque sha_mac_orig[20]; + + if (pkcs12 == NULL || pass == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* read the iterations + */ + + result = + _gnutls_x509_read_uint(pkcs12->pkcs12, "macData.iterations", + &iter); + if (result < 0) { + iter = 1; /* the default */ + } + + + /* Read the salt from the structure. + */ + result = + _gnutls_x509_read_value(pkcs12->pkcs12, "macData.macSalt", &salt, + 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Generate the key. + */ + result = _pkcs12_string_to_key(3 /*MAC*/, salt.data, salt.size, + iter, pass, sizeof(key), key); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + _gnutls_free_datum(&salt); + + /* Get the data to be MACed + */ + result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, NULL, &tmp); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* MAC the data + */ + td1 = _gnutls_hmac_init(GNUTLS_MAC_SHA, key, sizeof(key)); + if (td1 == GNUTLS_MAC_FAILED) { + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; + } + + _gnutls_hmac(td1, tmp.data, tmp.size); + _gnutls_free_datum(&tmp); + + _gnutls_hmac_deinit(td1, sha_mac); + + len = sizeof(sha_mac_orig); + result = + asn1_read_value(pkcs12->pkcs12, "macData.mac.digest", sha_mac_orig, + &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (memcmp(sha_mac_orig, sha_mac, sizeof(sha_mac)) != 0) { + gnutls_assert(); + return GNUTLS_E_MAC_VERIFY_FAILED; + } + + return 0; + + cleanup: + _gnutls_free_datum(&tmp); + _gnutls_free_datum(&salt); + return result; +} - /* Read the salt from the structure. +static int write_attributes(gnutls_pkcs12_bag bag, int elem, ASN1_TYPE c2, + const char *where) +{ + int result; + char root[128]; + + /* If the bag attributes are empty, then write + * nothing to the attribute field. + */ + if (bag->element[elem].friendly_name == NULL && + bag->element[elem].local_key_id.data == NULL) { + /* no attributes */ - result = _gnutls_x509_read_value(pkcs12->pkcs12, "macData.macSalt", &salt, 0); + result = asn1_write_value(c2, where, NULL, 0); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + gnutls_assert(); + return _gnutls_asn2err(result); } - /* Generate the key. + return 0; + } + + if (bag->element[elem].local_key_id.data != NULL) { + + /* Add a new Attribute */ - result = _pkcs12_string_to_key( 3/*MAC*/, salt.data, salt.size, - iter, pass, sizeof(key), key); - if (result < 0) { - gnutls_assert(); - goto cleanup; + result = asn1_write_value(c2, where, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); } - _gnutls_free_datum( &salt); + _gnutls_str_cpy(root, sizeof(root), where); + _gnutls_str_cat(root, sizeof(root), ".?LAST"); - /* Get the data to be MACed - */ - result = _decode_pkcs12_auth_safe( pkcs12->pkcs12, NULL, &tmp); + result = + _gnutls_x509_encode_and_write_attribute(KEY_ID_OID, c2, root, + bag->element[elem]. + local_key_id.data, + bag->element[elem]. + local_key_id.size, 1); if (result < 0) { - gnutls_assert(); - goto cleanup; + gnutls_assert(); + return result; } + } + + if (bag->element[elem].friendly_name != NULL) { + opaque *name; + int size, i; + const char *p; - /* MAC the data + /* Add a new Attribute */ - td1 = _gnutls_hmac_init(GNUTLS_MAC_SHA, key, sizeof(key)); - if (td1 == GNUTLS_MAC_FAILED) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; - } - - _gnutls_hmac(td1, tmp.data, tmp.size); - _gnutls_free_datum( &tmp); - - _gnutls_hmac_deinit(td1, sha_mac); - - len = sizeof(sha_mac_orig); - result = asn1_read_value(pkcs12->pkcs12, "macData.mac.digest", sha_mac_orig, &len); + result = asn1_write_value(c2, where, "NEW", 1); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (memcmp( sha_mac_orig, sha_mac, sizeof(sha_mac)) != 0) { - gnutls_assert(); - return GNUTLS_E_MAC_VERIFY_FAILED; + gnutls_assert(); + return _gnutls_asn2err(result); } - return 0; - - cleanup: - _gnutls_free_datum( &tmp); - _gnutls_free_datum( &salt); - return result; -} - - -static int write_attributes( gnutls_pkcs12_bag bag, int elem, ASN1_TYPE c2, const char* where) { -int result; -char root[128]; - - /* If the bag attributes are empty, then write - * nothing to the attribute field. + /* convert name to BMPString */ - if (bag->element[elem].friendly_name == NULL && - bag->element[elem].local_key_id.data == NULL) { - /* no attributes - */ - result = asn1_write_value(c2, where, NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + size = strlen(bag->element[elem].friendly_name) * 2; + name = gnutls_malloc(size); - return 0; + if (name == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; } - if (bag->element[elem].local_key_id.data != NULL) { - - /* Add a new Attribute - */ - result = asn1_write_value(c2, where, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - _gnutls_str_cpy( root, sizeof(root), where); - _gnutls_str_cat( root, sizeof(root), ".?LAST"); - - result = _gnutls_x509_encode_and_write_attribute( - KEY_ID_OID, c2, root, bag->element[elem].local_key_id.data, - bag->element[elem].local_key_id.size, 1); - if (result < 0) { - gnutls_assert(); - return result; - } + p = bag->element[elem].friendly_name; + for (i = 0; i < size; i += 2) { + name[i] = 0; + name[i + 1] = *p; + p++; } - if (bag->element[elem].friendly_name != NULL) { - opaque* name; - int size, i; - const char* p; - - /* Add a new Attribute - */ - result = asn1_write_value(c2, where, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* convert name to BMPString - */ - size = strlen(bag->element[elem].friendly_name)*2; - name = gnutls_malloc(size); - - if (name == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - p = bag->element[elem].friendly_name; - for (i=0;i<size;i+=2) { - name[i] = 0; - name[i+1] = *p; - p++; - } + _gnutls_str_cpy(root, sizeof(root), where); + _gnutls_str_cat(root, sizeof(root), ".?LAST"); - _gnutls_str_cpy( root, sizeof(root), where); - _gnutls_str_cat( root, sizeof(root), ".?LAST"); - - result = _gnutls_x509_encode_and_write_attribute( - FRIENDLY_NAME_OID, c2, root, name, size, 1); + result = + _gnutls_x509_encode_and_write_attribute(FRIENDLY_NAME_OID, c2, + root, name, size, 1); - gnutls_free(name); + gnutls_free(name); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; } + } - return 0; + return 0; } @@ -1028,108 +1089,114 @@ char root[128]; * the given datum. Enc is set to non zero if the data are encrypted; */ int -_pkcs12_encode_safe_contents( gnutls_pkcs12_bag bag, ASN1_TYPE* contents, int *enc) +_pkcs12_encode_safe_contents(gnutls_pkcs12_bag bag, ASN1_TYPE * contents, + int *enc) { -ASN1_TYPE c2 = ASN1_TYPE_EMPTY; -int result; -int i; -const char* oid; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + int i; + const char *oid; + + if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED && enc) { + *enc = 1; + return 0; /* ENCRYPTED BAG, do nothing. */ + } else if (enc) + *enc = 0; + + /* Step 1. Create the SEQUENCE. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-12-SafeContents", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + for (i = 0; i < bag->bag_elements; i++) { + + oid = bag_to_oid(bag->element[i].type); + if (oid == NULL) { + gnutls_assert(); + continue; + } - if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED && enc) { - *enc = 1; - return 0; /* ENCRYPTED BAG, do nothing. */ - } else if (enc) *enc = 0; + result = asn1_write_value(c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - /* Step 1. Create the SEQUENCE. + /* Copy the bag type. */ - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-12-SafeContents", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + result = asn1_write_value(c2, "?LAST.bagId", oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - for (i=0;i<bag->bag_elements;i++) { - - oid = bag_to_oid( bag->element[i].type); - if (oid==NULL) { - gnutls_assert(); - continue; - } - - result = asn1_write_value(c2, "", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + /* Set empty attributes + */ + result = write_attributes(bag, i, c2, "?LAST.bagAttributes"); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - /* Copy the bag type. - */ - result = asn1_write_value(c2, "?LAST.bagId", oid, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - /* Set empty attributes - */ - result = write_attributes(bag, i, c2, "?LAST.bagAttributes"); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + /* Copy the Bag Value + */ + if (bag->element[i].type == GNUTLS_BAG_CERTIFICATE || + bag->element[i].type == GNUTLS_BAG_CRL) { + gnutls_datum tmp; - /* Copy the Bag Value - */ + /* in that case encode it to a CertBag or + * a CrlBag. + */ - if (bag->element[i].type == GNUTLS_BAG_CERTIFICATE || - bag->element[i].type == GNUTLS_BAG_CRL) { - gnutls_datum tmp; + result = + _pkcs12_encode_crt_bag(bag->element[i].type, + &bag->element[i].data, &tmp); - /* in that case encode it to a CertBag or - * a CrlBag. - */ + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = _pkcs12_encode_crt_bag( bag->element[i].type, &bag->element[i].data, &tmp); + result = _gnutls_x509_write_value(c2, "?LAST.bagValue", + &tmp, 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + _gnutls_free_datum(&tmp); - result = _gnutls_x509_write_value( c2, "?LAST.bagValue", - &tmp, 0); - - _gnutls_free_datum( &tmp); + } else { - } else { + result = _gnutls_x509_write_value(c2, "?LAST.bagValue", + &bag->element[i].data, 0); + } - result = _gnutls_x509_write_value( c2, "?LAST.bagValue", - &bag->element[i].data, 0); - } + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + } - } - - /* Encode the data and copy them into the datum - */ - *contents = c2; + /* Encode the data and copy them into the datum + */ + *contents = c2; - return 0; + return 0; - cleanup: - if (c2) asn1_delete_structure(&c2); - return result; + cleanup: + if (c2) + asn1_delete_structure(&c2); + return result; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c index e27504bb01..352ddb279a 100644 --- a/lib/x509/pkcs12_bag.c +++ b/lib/x509/pkcs12_bag.c @@ -47,26 +47,25 @@ **/ int gnutls_pkcs12_bag_init(gnutls_pkcs12_bag * bag) { - *bag = gnutls_calloc( 1, sizeof(gnutls_pkcs12_bag_int)); + *bag = gnutls_calloc(1, sizeof(gnutls_pkcs12_bag_int)); - if (*bag) { - return 0; /* success */ - } - return GNUTLS_E_MEMORY_ERROR; + if (*bag) { + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } -static inline -void _pkcs12_bag_free_data( gnutls_pkcs12_bag bag) +static inline void _pkcs12_bag_free_data(gnutls_pkcs12_bag bag) { -int i; - - for (i=0;i<bag->bag_elements;i++) { - _gnutls_free_datum( &bag->element[i].data); - _gnutls_free_datum( &bag->element[i].local_key_id); - gnutls_free( bag->element[i].friendly_name); - bag->element[i].friendly_name = NULL; - bag->element[i].type = 0; - } + int i; + + for (i = 0; i < bag->bag_elements; i++) { + _gnutls_free_datum(&bag->element[i].data); + _gnutls_free_datum(&bag->element[i].local_key_id); + gnutls_free(bag->element[i].friendly_name); + bag->element[i].friendly_name = NULL; + bag->element[i].type = 0; + } } @@ -80,11 +79,12 @@ int i; **/ void gnutls_pkcs12_bag_deinit(gnutls_pkcs12_bag bag) { - if (!bag) return; + if (!bag) + return; - _pkcs12_bag_free_data( bag); + _pkcs12_bag_free_data(bag); - gnutls_free(bag); + gnutls_free(bag); } /** @@ -96,16 +96,17 @@ void gnutls_pkcs12_bag_deinit(gnutls_pkcs12_bag bag) * enumerations. * **/ -gnutls_pkcs12_bag_type gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag bag, int indx) +gnutls_pkcs12_bag_type gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag bag, + int indx) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (indx >= bag->bag_elements) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - return bag->element[indx].type; + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (indx >= bag->bag_elements) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + return bag->element[indx].type; } /** @@ -117,12 +118,12 @@ gnutls_pkcs12_bag_type gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag bag, int ind **/ int gnutls_pkcs12_bag_get_count(gnutls_pkcs12_bag bag) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return bag->bag_elements; + return bag->bag_elements; } /** @@ -138,151 +139,156 @@ int gnutls_pkcs12_bag_get_count(gnutls_pkcs12_bag bag) * Returns 0 on success and a negative error code on error. * **/ -int gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag bag, int indx, gnutls_datum * data) +int gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag bag, int indx, + gnutls_datum * data) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (indx >= bag->bag_elements) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (indx >= bag->bag_elements) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - data->data = bag->element[indx].data.data; - data->size = bag->element[indx].data.size; + data->data = bag->element[indx].data.data; + data->size = bag->element[indx].data.size; - return 0; + return 0; } #define X509_CERT_OID "1.2.840.113549.1.9.22.1" #define X509_CRL_OID "1.2.840.113549.1.9.23.1" -int _pkcs12_decode_crt_bag( gnutls_pkcs12_bag_type type, const gnutls_datum* in, - gnutls_datum* out) +int _pkcs12_decode_crt_bag(gnutls_pkcs12_bag_type type, + const gnutls_datum * in, gnutls_datum * out) { - int ret; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (type == GNUTLS_BAG_CERTIFICATE) { - if ((ret=asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-CertBag", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = asn1_der_decoding( &c2, in->data, in->size, NULL); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = _gnutls_x509_read_value( c2, "certValue", out, 1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - - } else { /* CRL */ - if ((ret=asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-CRLBag", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = asn1_der_decoding( &c2, in->data, in->size, NULL); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = _gnutls_x509_read_value( c2, "crlValue", out, 1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } + int ret; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (type == GNUTLS_BAG_CERTIFICATE) { + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-CertBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; } - asn1_delete_structure( &c2); + ret = asn1_der_decoding(&c2, in->data, in->size, NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } - return 0; - + ret = _gnutls_x509_read_value(c2, "certValue", out, 1); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } - cleanup: + } else { /* CRL */ + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-CRLBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } - asn1_delete_structure( &c2); - return ret; + ret = asn1_der_decoding(&c2, in->data, in->size, NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = _gnutls_x509_read_value(c2, "crlValue", out, 1); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + } + + asn1_delete_structure(&c2); + + return 0; + + + cleanup: + + asn1_delete_structure(&c2); + return ret; } -int _pkcs12_encode_crt_bag( gnutls_pkcs12_bag_type type, const gnutls_datum* raw, - gnutls_datum* out) +int _pkcs12_encode_crt_bag(gnutls_pkcs12_bag_type type, + const gnutls_datum * raw, gnutls_datum * out) { - int ret; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (type == GNUTLS_BAG_CERTIFICATE) { - if ((ret=asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-CertBag", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = asn1_write_value( c2, "certId", X509_CERT_OID, 1); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = _gnutls_x509_write_value( c2, "certValue", raw, 1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - - } else { /* CRL */ - if ((ret=asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-CRLBag", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = asn1_write_value( c2, "crlId", X509_CRL_OID, 1); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = _gnutls_x509_write_value( c2, "crlValue", raw, 1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } + int ret; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (type == GNUTLS_BAG_CERTIFICATE) { + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-CertBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; } - ret = _gnutls_x509_der_encode( c2, "", out, 0); + ret = asn1_write_value(c2, "certId", X509_CERT_OID, 1); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + ret = _gnutls_x509_write_value(c2, "certValue", raw, 1); if (ret < 0) { - gnutls_assert(); - goto cleanup; + gnutls_assert(); + goto cleanup; } - - asn1_delete_structure( &c2); - return 0; - + } else { /* CRL */ + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-CRLBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } - cleanup: + ret = asn1_write_value(c2, "crlId", X509_CRL_OID, 1); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } - asn1_delete_structure( &c2); - return ret; + ret = _gnutls_x509_write_value(c2, "crlValue", raw, 1); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + } + + ret = _gnutls_x509_der_encode(c2, "", out, 0); + + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + + cleanup: + + asn1_delete_structure(&c2); + return ret; } @@ -299,46 +305,49 @@ int _pkcs12_encode_crt_bag( gnutls_pkcs12_bag_type type, const gnutls_datum* raw * value on error. * **/ -int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag bag, gnutls_pkcs12_bag_type type, - const gnutls_datum* data) +int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag bag, + gnutls_pkcs12_bag_type type, + const gnutls_datum * data) { -int ret; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int ret; + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (bag->bag_elements == MAX_BAG_ELEMENTS - 1) { + gnutls_assert(); + /* bag is full */ + return GNUTLS_E_MEMORY_ERROR; + } - if (bag->bag_elements == MAX_BAG_ELEMENTS-1) { - gnutls_assert(); - /* bag is full */ - return GNUTLS_E_MEMORY_ERROR; - } + if (bag->bag_elements == 1) { + /* A bag with a key or an encrypted bag, must have + * only one element. + */ - if (bag->bag_elements == 1) { - /* A bag with a key or an encrypted bag, must have - * only one element. - */ - - if (bag->element[0].type == GNUTLS_BAG_PKCS8_KEY || - bag->element[0].type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY || - bag->element[0].type == GNUTLS_BAG_ENCRYPTED) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag->element[0].type == GNUTLS_BAG_PKCS8_KEY || + bag->element[0].type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY || + bag->element[0].type == GNUTLS_BAG_ENCRYPTED) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } + } - ret = _gnutls_set_datum( &bag->element[bag->bag_elements].data, data->data, data->size); + ret = + _gnutls_set_datum(&bag->element[bag->bag_elements].data, + data->data, data->size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - bag->element[bag->bag_elements].type = type; + bag->element[bag->bag_elements].type = type; - bag->bag_elements++; + bag->bag_elements++; - return bag->bag_elements-1; + return bag->bag_elements - 1; } /** @@ -355,25 +364,25 @@ int ret; **/ int gnutls_pkcs12_bag_set_crt(gnutls_pkcs12_bag bag, gnutls_x509_crt crt) { -int ret; -gnutls_datum data; + int ret; + gnutls_datum data; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = _gnutls_x509_der_encode( crt->cert, "", &data, 0); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = gnutls_pkcs12_bag_set_data( bag, GNUTLS_BAG_CERTIFICATE, &data); - - _gnutls_free_datum( &data); - + ret = _gnutls_x509_der_encode(crt->cert, "", &data, 0); + if (ret < 0) { + gnutls_assert(); return ret; + } + + ret = gnutls_pkcs12_bag_set_data(bag, GNUTLS_BAG_CERTIFICATE, &data); + + _gnutls_free_datum(&data); + + return ret; } /** @@ -390,26 +399,26 @@ gnutls_datum data; **/ int gnutls_pkcs12_bag_set_crl(gnutls_pkcs12_bag bag, gnutls_x509_crl crl) { -int ret; -gnutls_datum data; + int ret; + gnutls_datum data; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = _gnutls_x509_der_encode( crl->crl, "", &data, 0); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = gnutls_pkcs12_bag_set_data( bag, GNUTLS_BAG_CRL, &data); - - _gnutls_free_datum( &data); - + ret = _gnutls_x509_der_encode(crl->crl, "", &data, 0); + if (ret < 0) { + gnutls_assert(); return ret; + } + + ret = gnutls_pkcs12_bag_set_data(bag, GNUTLS_BAG_CRL, &data); + + _gnutls_free_datum(&data); + + return ret; } /** @@ -425,31 +434,31 @@ gnutls_datum data; * Returns 0 on success, or a negative value on error. * **/ -int gnutls_pkcs12_bag_set_key_id(gnutls_pkcs12_bag bag, int indx, - const gnutls_datum* id) +int gnutls_pkcs12_bag_set_key_id(gnutls_pkcs12_bag bag, int indx, + const gnutls_datum * id) { -int ret; + int ret; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (indx > bag->bag_elements-1) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (indx > bag->bag_elements - 1) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = _gnutls_set_datum( &bag->element[indx].local_key_id, - id->data, id->size); + ret = _gnutls_set_datum(&bag->element[indx].local_key_id, + id->data, id->size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -464,23 +473,23 @@ int ret; * Returns 0 on success, or a negative value on error. * **/ -int gnutls_pkcs12_bag_get_key_id(gnutls_pkcs12_bag bag, int indx, - gnutls_datum* id) +int gnutls_pkcs12_bag_get_key_id(gnutls_pkcs12_bag bag, int indx, + gnutls_datum * id) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (indx > bag->bag_elements-1) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (indx > bag->bag_elements - 1) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - id->data = bag->element[indx].local_key_id.data; - id->size = bag->element[indx].local_key_id.size; + id->data = bag->element[indx].local_key_id.data; + id->size = bag->element[indx].local_key_id.size; - return 0; + return 0; } /** @@ -495,22 +504,22 @@ int gnutls_pkcs12_bag_get_key_id(gnutls_pkcs12_bag bag, int indx, * Returns 0 on success, or a negative value on error. * **/ -int gnutls_pkcs12_bag_get_friendly_name(gnutls_pkcs12_bag bag, int indx, - char **name) +int gnutls_pkcs12_bag_get_friendly_name(gnutls_pkcs12_bag bag, int indx, + char **name) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (indx > bag->bag_elements-1) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (indx > bag->bag_elements - 1) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - *name = bag->element[indx].friendly_name; + *name = bag->element[indx].friendly_name; - return 0; + return 0; } @@ -527,27 +536,27 @@ int gnutls_pkcs12_bag_get_friendly_name(gnutls_pkcs12_bag bag, int indx, * Returns 0 on success, or a negative value on error. * **/ -int gnutls_pkcs12_bag_set_friendly_name(gnutls_pkcs12_bag bag, int indx, - const char* name) +int gnutls_pkcs12_bag_set_friendly_name(gnutls_pkcs12_bag bag, int indx, + const char *name) { - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (indx > bag->bag_elements-1) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (indx > bag->bag_elements - 1) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - bag->element[indx].friendly_name = gnutls_strdup(name); + bag->element[indx].friendly_name = gnutls_strdup(name); - if (name == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + if (name == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - return 0; + return 0; } @@ -559,45 +568,44 @@ int gnutls_pkcs12_bag_set_friendly_name(gnutls_pkcs12_bag bag, int indx, * This function will decrypt the given encrypted bag and return 0 on success. * **/ -int gnutls_pkcs12_bag_decrypt(gnutls_pkcs12_bag bag, const char* pass) +int gnutls_pkcs12_bag_decrypt(gnutls_pkcs12_bag bag, const char *pass) { -int ret; -gnutls_datum dec; + int ret; + gnutls_datum dec; - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (bag->element[0].type != GNUTLS_BAG_ENCRYPTED) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_pkcs7_decrypt_data( - &bag->element[0].data, pass, &dec); + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (bag->element[0].type != GNUTLS_BAG_ENCRYPTED) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_pkcs7_decrypt_data(&bag->element[0].data, pass, &dec); - /* decryption succeeded. Now decode the SafeContents - * stuff, and parse it. - */ + if (ret < 0) { + gnutls_assert(); + return ret; + } - _gnutls_free_datum( &bag->element[0].data); + /* decryption succeeded. Now decode the SafeContents + * stuff, and parse it. + */ - ret = _pkcs12_decode_safe_contents( &dec, bag); + _gnutls_free_datum(&bag->element[0].data); - _gnutls_free_datum( &dec); + ret = _pkcs12_decode_safe_contents(&dec, bag); - if (ret < 0) { - gnutls_assert(); - return ret; - } + _gnutls_free_datum(&dec); - return 0; + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } /** @@ -609,78 +617,83 @@ gnutls_datum dec; * This function will encrypt the given bag and return 0 on success. * **/ -int gnutls_pkcs12_bag_encrypt(gnutls_pkcs12_bag bag, const char* pass, unsigned int flags) +int gnutls_pkcs12_bag_encrypt(gnutls_pkcs12_bag bag, const char *pass, + unsigned int flags) { -int ret; -ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; -gnutls_datum der = {NULL, 0}; -gnutls_datum enc = {NULL, 0}; -schema_id id; - - if (bag == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Encode the whole bag to a safe contents - * structure. - */ - ret = _pkcs12_encode_safe_contents( bag, &safe_cont, NULL); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* DER encode the SafeContents. - */ - ret = _gnutls_x509_der_encode( safe_cont, "", &der, 0); - - asn1_delete_structure( &safe_cont); - - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret; + ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; + gnutls_datum der = { NULL, 0 }; + gnutls_datum enc = { NULL, 0 }; + schema_id id; + + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Encode the whole bag to a safe contents + * structure. + */ + ret = _pkcs12_encode_safe_contents(bag, &safe_cont, NULL); + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (flags & GNUTLS_PKCS_PLAIN) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) id = PKCS12_ARCFOUR_SHA1; - else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) id = PKCS12_RC2_40_SHA1; - else if (flags & GNUTLS_PKCS_USE_PBES2_3DES) id = PBES2; - else id = PKCS12_3DES_SHA1; + /* DER encode the SafeContents. + */ + ret = _gnutls_x509_der_encode(safe_cont, "", &der, 0); - /* Now encrypt them. - */ - ret = _gnutls_pkcs7_encrypt_data( id, &der, pass, &enc); + asn1_delete_structure(&safe_cont); - _gnutls_free_datum( &der); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + if (flags & GNUTLS_PKCS_PLAIN) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) + id = PKCS12_ARCFOUR_SHA1; + else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) + id = PKCS12_RC2_40_SHA1; + else if (flags & GNUTLS_PKCS_USE_PBES2_3DES) + id = PBES2; + else + id = PKCS12_3DES_SHA1; + + /* Now encrypt them. + */ + ret = _gnutls_pkcs7_encrypt_data(id, &der, pass, &enc); + + _gnutls_free_datum(&der); + + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (ret < 0) { - gnutls_assert(); - return ret; - } + /* encryption succeeded. + */ - /* encryption succeeded. - */ + _pkcs12_bag_free_data(bag); - _pkcs12_bag_free_data( bag); + bag->element[0].type = GNUTLS_BAG_ENCRYPTED; + bag->element[0].data = enc; - bag->element[0].type = GNUTLS_BAG_ENCRYPTED; - bag->element[0].data = enc; - - bag->bag_elements = 1; + bag->bag_elements = 1; - return 0; + return 0; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c index 3225fa88d6..4ea40de2c7 100644 --- a/lib/x509/pkcs12_encr.c +++ b/lib/x509/pkcs12_encr.c @@ -30,17 +30,18 @@ /* Returns 0 if the password is ok, or a negative error * code instead. */ -static int _pkcs12_check_pass( const char* pass, size_t plen) +static int _pkcs12_check_pass(const char *pass, size_t plen) { -const unsigned char* p = pass; -unsigned int i; + const unsigned char *p = pass; + unsigned int i; - for (i=0;i<plen;i++) { - if ( isascii(p[i])) continue; - return GNUTLS_E_INVALID_PASSWORD; - } - - return 0; + for (i = 0; i < plen; i++) { + if (isascii(p[i])) + continue; + return GNUTLS_E_INVALID_PASSWORD; + } + + return 0; } /* ID should be: @@ -48,103 +49,96 @@ unsigned int i; * 2 for IV * 1 for encryption key */ -int -_pkcs12_string_to_key (unsigned int id, const opaque *salt, unsigned int salt_size, - unsigned int iter, const char *pw, - unsigned int req_keylen, opaque *keybuf) +int +_pkcs12_string_to_key(unsigned int id, const opaque * salt, + unsigned int salt_size, unsigned int iter, + const char *pw, unsigned int req_keylen, + opaque * keybuf) { - int rc; - gcry_error_t err; - unsigned int i, j; - gcry_md_hd_t md; - mpi_t num_b1 = NULL; - unsigned int pwlen; - opaque hash[20], buf_b[64], buf_i[128], *p; - size_t cur_keylen; - size_t n; + int rc; + gcry_error_t err; + unsigned int i, j; + gcry_md_hd_t md; + mpi_t num_b1 = NULL; + unsigned int pwlen; + opaque hash[20], buf_b[64], buf_i[128], *p; + size_t cur_keylen; + size_t n; - cur_keylen = 0; - pwlen = strlen (pw); - if (pwlen > 63/2) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + cur_keylen = 0; + pwlen = strlen(pw); + if (pwlen > 63 / 2) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if ((rc=_pkcs12_check_pass( pw, pwlen)) < 0) { - gnutls_assert(); - return rc; - } + if ((rc = _pkcs12_check_pass(pw, pwlen)) < 0) { + gnutls_assert(); + return rc; + } - /* Store salt and password in BUF_I */ - p = buf_i; - for(i=0; i < 64; i++) - *p++ = salt [i % salt_size]; - for(i=j=0; i < 64; i += 2) - { - *p++ = 0; - *p++ = pw[j]; - if (++j > pwlen) /* Note, that we include the trailing zero */ - j = 0; + /* Store salt and password in BUF_I */ + p = buf_i; + for (i = 0; i < 64; i++) + *p++ = salt[i % salt_size]; + for (i = j = 0; i < 64; i += 2) { + *p++ = 0; + *p++ = pw[j]; + if (++j > pwlen) /* Note, that we include the trailing zero */ + j = 0; } - for (;;) - { - err = gcry_md_open (&md, GCRY_MD_SHA1, 0); - if (err) - { - gnutls_assert(); - return GNUTLS_E_DECRYPTION_FAILED; - } - for(i=0; i < 64; i++) - gcry_md_putc (md, id); - gcry_md_write (md, buf_i, 128); - memcpy (hash, gcry_md_read (md, 0), 20); - gcry_md_close (md); - for (i=1; i < iter; i++) - gcry_md_hash_buffer (GCRY_MD_SHA1, hash, hash, 20); + for (;;) { + err = gcry_md_open(&md, GCRY_MD_SHA1, 0); + if (err) { + gnutls_assert(); + return GNUTLS_E_DECRYPTION_FAILED; + } + for (i = 0; i < 64; i++) + gcry_md_putc(md, id); + gcry_md_write(md, buf_i, 128); + memcpy(hash, gcry_md_read(md, 0), 20); + gcry_md_close(md); + for (i = 1; i < iter; i++) + gcry_md_hash_buffer(GCRY_MD_SHA1, hash, hash, 20); - for (i=0; i < 20 && cur_keylen < req_keylen; i++) - keybuf[cur_keylen++] = hash[i]; - if (cur_keylen == req_keylen) - { - gcry_mpi_release (num_b1); - return 0; /* ready */ - } - - /* need more bytes. */ - for(i=0; i < 64; i++) - buf_b[i] = hash[i % 20]; - n = 64; - rc = _gnutls_mpi_scan(&num_b1, buf_b, &n); - if (rc < 0) - { - gnutls_assert(); - return rc; - } - gcry_mpi_add_ui (num_b1, num_b1, 1); - for (i=0; i < 128; i += 64) - { - mpi_t num_ij; + for (i = 0; i < 20 && cur_keylen < req_keylen; i++) + keybuf[cur_keylen++] = hash[i]; + if (cur_keylen == req_keylen) { + gcry_mpi_release(num_b1); + return 0; /* ready */ + } - n = 64; - rc = _gnutls_mpi_scan (&num_ij, buf_i + i, &n); - if (rc < 0) - { - gnutls_assert(); - return rc; - } - gcry_mpi_add (num_ij, num_ij, num_b1); - gcry_mpi_clear_highbit (num_ij, 64*8); - n = 64; - rc = _gnutls_mpi_print( buf_i + i, &n, num_ij); - if (rc < 0) - { - gnutls_assert(); - return rc; - } - gcry_mpi_release (num_ij); - } + /* need more bytes. */ + for (i = 0; i < 64; i++) + buf_b[i] = hash[i % 20]; + n = 64; + rc = _gnutls_mpi_scan(&num_b1, buf_b, &n); + if (rc < 0) { + gnutls_assert(); + return rc; + } + gcry_mpi_add_ui(num_b1, num_b1, 1); + for (i = 0; i < 128; i += 64) { + mpi_t num_ij; + + n = 64; + rc = _gnutls_mpi_scan(&num_ij, buf_i + i, &n); + if (rc < 0) { + gnutls_assert(); + return rc; + } + gcry_mpi_add(num_ij, num_ij, num_b1); + gcry_mpi_clear_highbit(num_ij, 64 * 8); + n = 64; + rc = _gnutls_mpi_print(buf_i + i, &n, num_ij); + if (rc < 0) { + gnutls_assert(); + return rc; + } + gcry_mpi_release(num_ij); + } } } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/pkcs5.c b/lib/x509/pkcs5.c index c1c745b71e..183b6fc5a2 100644 --- a/lib/x509/pkcs5.c +++ b/lib/x509/pkcs5.c @@ -55,159 +55,155 @@ #define MAX_PRF_BLOCK_LEN 80 int -_gnutls_pkcs5_pbkdf2 (int PRF, - const char *P, - size_t Plen, - const unsigned char *S, - size_t Slen, unsigned int c, unsigned int dkLen, char *DK) +_gnutls_pkcs5_pbkdf2(int PRF, + const char *P, + size_t Plen, + const unsigned char *S, + size_t Slen, unsigned int c, unsigned int dkLen, + char *DK) { - gcry_md_hd_t prf; - gcry_error_t err; - char U[MAX_PRF_BLOCK_LEN]; - char T[MAX_PRF_BLOCK_LEN]; - unsigned int u; - unsigned int hLen = gcry_md_get_algo_dlen (PRF); - unsigned int l; - unsigned int r; - int rc; - unsigned char *p; - int i; - int k; - - if (hLen == 0 || hLen > MAX_PRF_BLOCK_LEN) - return PKCS5_INVALID_PRF; - - if (c == 0) - return PKCS5_INVALID_ITERATION_COUNT; - - if (dkLen == 0) - return PKCS5_INVALID_DERIVED_KEY_LENGTH; - - /* - * - * Steps: - * - * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and - * stop. - */ - - if (dkLen > 4294967295U) - return PKCS5_DERIVED_KEY_TOO_LONG; - - /* - * 2. Let l be the number of hLen-octet blocks in the derived key, - * rounding up, and let r be the number of octets in the last - * block: - * - * l = CEIL (dkLen / hLen) , - * r = dkLen - (l - 1) * hLen . - * - * Here, CEIL (x) is the "ceiling" function, i.e. the smallest - * integer greater than, or equal to, x. - */ - - l = dkLen / hLen; - if (dkLen % hLen) - l++; - r = dkLen - (l - 1) * hLen; - - /* - * 3. For each block of the derived key apply the function F defined - * below to the password P, the salt S, the iteration count c, and - * the block index to compute the block: - * - * T_1 = F (P, S, c, 1) , - * T_2 = F (P, S, c, 2) , - * ... - * T_l = F (P, S, c, l) , - * - * where the function F is defined as the exclusive-or sum of the - * first c iterates of the underlying pseudorandom function PRF - * applied to the password P and the concatenation of the salt S - * and the block index i: - * - * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c - * - * where - * - * U_1 = PRF (P, S || INT (i)) , - * U_2 = PRF (P, U_1) , - * ... - * U_c = PRF (P, U_{c-1}) . - * - * Here, INT (i) is a four-octet encoding of the integer i, most - * significant octet first. - * - * 4. Concatenate the blocks and extract the first dkLen octets to - * produce a derived key DK: - * - * DK = T_1 || T_2 || ... || T_l<0..r-1> - * - * 5. Output the derived key DK. - * - * Note. The construction of the function F follows a "belt-and- - * suspenders" approach. The iterates U_i are computed recursively to - * remove a degree of parallelism from an opponent; they are exclusive- - * ored together to reduce concerns about the recursion degenerating - * into a small set of values. - * - */ - - err = gcry_md_open ( &prf, PRF, GCRY_MD_FLAG_HMAC); - if (err) - return PKCS5_INVALID_PRF; - - for (i = 1; (uint)i <= l; i++) - { - memset (T, 0, hLen); - - for (u = 1; u <= c; u++) - { - gcry_md_reset (prf); - - rc = gcry_md_setkey (prf, P, Plen); - if (rc) - return PKCS5_INVALID_PRF; - - if (u == 1) - { - char *tmp; - size_t tmplen = Slen + 4; - - tmp = gnutls_alloca( tmplen); - if (tmp == NULL) - return PKCS5_INVALID_PRF; - - memcpy (tmp, S, Slen); - tmp[Slen + 0] = (i & 0xff000000) >> 24; - tmp[Slen + 1] = (i & 0x00ff0000) >> 16; - tmp[Slen + 2] = (i & 0x0000ff00) >> 8; - tmp[Slen + 3] = (i & 0x000000ff) >> 0; - - gcry_md_write (prf, tmp, tmplen); - gnutls_afree(tmp); - } - else - { - gcry_md_write (prf, U, hLen); + gcry_md_hd_t prf; + gcry_error_t err; + char U[MAX_PRF_BLOCK_LEN]; + char T[MAX_PRF_BLOCK_LEN]; + unsigned int u; + unsigned int hLen = gcry_md_get_algo_dlen(PRF); + unsigned int l; + unsigned int r; + int rc; + unsigned char *p; + int i; + int k; + + if (hLen == 0 || hLen > MAX_PRF_BLOCK_LEN) + return PKCS5_INVALID_PRF; + + if (c == 0) + return PKCS5_INVALID_ITERATION_COUNT; + + if (dkLen == 0) + return PKCS5_INVALID_DERIVED_KEY_LENGTH; + + /* + * + * Steps: + * + * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and + * stop. + */ + + if (dkLen > 4294967295U) + return PKCS5_DERIVED_KEY_TOO_LONG; + + /* + * 2. Let l be the number of hLen-octet blocks in the derived key, + * rounding up, and let r be the number of octets in the last + * block: + * + * l = CEIL (dkLen / hLen) , + * r = dkLen - (l - 1) * hLen . + * + * Here, CEIL (x) is the "ceiling" function, i.e. the smallest + * integer greater than, or equal to, x. + */ + + l = dkLen / hLen; + if (dkLen % hLen) + l++; + r = dkLen - (l - 1) * hLen; + + /* + * 3. For each block of the derived key apply the function F defined + * below to the password P, the salt S, the iteration count c, and + * the block index to compute the block: + * + * T_1 = F (P, S, c, 1) , + * T_2 = F (P, S, c, 2) , + * ... + * T_l = F (P, S, c, l) , + * + * where the function F is defined as the exclusive-or sum of the + * first c iterates of the underlying pseudorandom function PRF + * applied to the password P and the concatenation of the salt S + * and the block index i: + * + * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c + * + * where + * + * U_1 = PRF (P, S || INT (i)) , + * U_2 = PRF (P, U_1) , + * ... + * U_c = PRF (P, U_{c-1}) . + * + * Here, INT (i) is a four-octet encoding of the integer i, most + * significant octet first. + * + * 4. Concatenate the blocks and extract the first dkLen octets to + * produce a derived key DK: + * + * DK = T_1 || T_2 || ... || T_l<0..r-1> + * + * 5. Output the derived key DK. + * + * Note. The construction of the function F follows a "belt-and- + * suspenders" approach. The iterates U_i are computed recursively to + * remove a degree of parallelism from an opponent; they are exclusive- + * ored together to reduce concerns about the recursion degenerating + * into a small set of values. + * + */ + + err = gcry_md_open(&prf, PRF, GCRY_MD_FLAG_HMAC); + if (err) + return PKCS5_INVALID_PRF; + + for (i = 1; (uint) i <= l; i++) { + memset(T, 0, hLen); + + for (u = 1; u <= c; u++) { + gcry_md_reset(prf); + + rc = gcry_md_setkey(prf, P, Plen); + if (rc) + return PKCS5_INVALID_PRF; + + if (u == 1) { + char *tmp; + size_t tmplen = Slen + 4; + + tmp = gnutls_alloca(tmplen); + if (tmp == NULL) + return PKCS5_INVALID_PRF; + + memcpy(tmp, S, Slen); + tmp[Slen + 0] = (i & 0xff000000) >> 24; + tmp[Slen + 1] = (i & 0x00ff0000) >> 16; + tmp[Slen + 2] = (i & 0x0000ff00) >> 8; + tmp[Slen + 3] = (i & 0x000000ff) >> 0; + + gcry_md_write(prf, tmp, tmplen); + gnutls_afree(tmp); + } else { + gcry_md_write(prf, U, hLen); } - p = gcry_md_read (prf, PRF); - if (p == NULL) - return PKCS5_INVALID_PRF; + p = gcry_md_read(prf, PRF); + if (p == NULL) + return PKCS5_INVALID_PRF; - memcpy (U, p, hLen); + memcpy(U, p, hLen); - for (k = 0; (uint)k < hLen; k++) - T[k] ^= U[k]; + for (k = 0; (uint) k < hLen; k++) + T[k] ^= U[k]; } - memcpy (DK + (i - 1) * hLen, T, (uint)i == l ? r : hLen); + memcpy(DK + (i - 1) * hLen, T, (uint) i == l ? r : hLen); } - gcry_md_close (prf); + gcry_md_close(prf); - return PKCS5_OK; + return PKCS5_OK; } #endif diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c index 3b969f32fb..ce301fda7d 100644 --- a/lib/x509/pkcs7.c +++ b/lib/x509/pkcs7.c @@ -43,86 +43,89 @@ * data are copied (they are locally allocated) there. */ static -int _decode_pkcs7_signed_data( ASN1_TYPE pkcs7, ASN1_TYPE * sdata, gnutls_datum* raw) +int _decode_pkcs7_signed_data(ASN1_TYPE pkcs7, ASN1_TYPE * sdata, + gnutls_datum * raw) { -char oid[128]; -ASN1_TYPE c2; -opaque *tmp = NULL; -int tmp_size, len, result; - - len = sizeof(oid) - 1; - result = asn1_read_value(pkcs7, "contentType", oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - if ( strcmp( oid, SIGNED_DATA_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log( "Unknown PKCS7 Content OID '%s'\n", oid); - return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; - } - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-SignedData", &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* the Signed-data has been created, so - * decode them. - */ - tmp_size = 0; - result = asn1_read_value(pkcs7, "content", NULL, &tmp_size); - if (result!=ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - tmp = gnutls_malloc(tmp_size); - if (tmp==NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - result = asn1_read_value(pkcs7, "content", tmp, &tmp_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* tmp, tmp_size hold the data and the size of the CertificateSet structure - * actually the ANY stuff. - */ - - /* Step 1. In case of a signed structure extract certificate set. - */ - - result = asn1_der_decoding(&c2, tmp, tmp_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if (raw == NULL) { - gnutls_free(tmp); - } else { - raw->data = tmp; - raw->size = tmp_size; - } - - *sdata = c2; - - return 0; - - cleanup: - if (c2) asn1_delete_structure(&c2); - gnutls_free(tmp); - return result; + char oid[128]; + ASN1_TYPE c2; + opaque *tmp = NULL; + int tmp_size, len, result; + + len = sizeof(oid) - 1; + result = asn1_read_value(pkcs7, "contentType", oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (strcmp(oid, SIGNED_DATA_OID) != 0) { + gnutls_assert(); + _gnutls_x509_log("Unknown PKCS7 Content OID '%s'\n", oid); + return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; + } + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-7-SignedData", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* the Signed-data has been created, so + * decode them. + */ + tmp_size = 0; + result = asn1_read_value(pkcs7, "content", NULL, &tmp_size); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + tmp = gnutls_malloc(tmp_size); + if (tmp == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + result = asn1_read_value(pkcs7, "content", tmp, &tmp_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* tmp, tmp_size hold the data and the size of the CertificateSet structure + * actually the ANY stuff. + */ + + /* Step 1. In case of a signed structure extract certificate set. + */ + + result = asn1_der_decoding(&c2, tmp, tmp_size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (raw == NULL) { + gnutls_free(tmp); + } else { + raw->data = tmp; + raw->size = tmp_size; + } + + *sdata = c2; + + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + gnutls_free(tmp); + return result; } /** @@ -138,20 +141,20 @@ int tmp_size, len, result; **/ int gnutls_pkcs7_init(gnutls_pkcs7 * pkcs7) { - *pkcs7 = gnutls_calloc( 1, sizeof(gnutls_pkcs7_int)); - - if (*pkcs7) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-7-ContentInfo", - &(*pkcs7)->pkcs7); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free( *pkcs7); - return _gnutls_asn2err(result); - } - return 0; /* success */ + *pkcs7 = gnutls_calloc(1, sizeof(gnutls_pkcs7_int)); + + if (*pkcs7) { + int result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-7-ContentInfo", + &(*pkcs7)->pkcs7); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*pkcs7); + return _gnutls_asn2err(result); } - return GNUTLS_E_MEMORY_ERROR; + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -163,12 +166,13 @@ int gnutls_pkcs7_init(gnutls_pkcs7 * pkcs7) **/ void gnutls_pkcs7_deinit(gnutls_pkcs7 pkcs7) { - if (!pkcs7) return; + if (!pkcs7) + return; - if (pkcs7->pkcs7) - asn1_delete_structure(&pkcs7->pkcs7); + if (pkcs7->pkcs7) + asn1_delete_structure(&pkcs7->pkcs7); - gnutls_free(pkcs7); + gnutls_free(pkcs7); } /** @@ -186,52 +190,56 @@ void gnutls_pkcs7_deinit(gnutls_pkcs7 pkcs7) * **/ int gnutls_pkcs7_import(gnutls_pkcs7 pkcs7, const gnutls_datum * data, - gnutls_x509_crt_fmt format) + gnutls_x509_crt_fmt format) { - int result = 0, need_free = 0; - gnutls_datum _data; + int result = 0, need_free = 0; + gnutls_datum _data; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - _data.data = data->data; - _data.size = data->size; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - /* If the PKCS7 is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - result = _gnutls_fbase64_decode(PEM_PKCS7, data->data, data->size, - &out); - - if (result <= 0) { - if (result==0) result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - - _data.data = out; - _data.size = result; - - need_free = 1; - } + _data.data = data->data; + _data.size = data->size; + /* If the PKCS7 is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; - result = asn1_der_decoding(&pkcs7->pkcs7, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); - gnutls_assert(); - goto cleanup; + result = _gnutls_fbase64_decode(PEM_PKCS7, data->data, data->size, + &out); + + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert(); + return result; } - if (need_free) _gnutls_free_datum( &_data); + _data.data = out; + _data.size = result; - return 0; + need_free = 1; + } - cleanup: - if (need_free) _gnutls_free_datum( &_data); - return result; + + result = + asn1_der_decoding(&pkcs7->pkcs7, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + if (need_free) + _gnutls_free_datum(&_data); + + return 0; + + cleanup: + if (need_free) + _gnutls_free_datum(&_data); + return result; } /** @@ -249,86 +257,88 @@ int gnutls_pkcs7_import(gnutls_pkcs7 pkcs7, const gnutls_datum * data, * will be returned. * **/ -int gnutls_pkcs7_get_crt_raw(gnutls_pkcs7 pkcs7, - int indx, void* certificate, size_t* certificate_size) +int gnutls_pkcs7_get_crt_raw(gnutls_pkcs7 pkcs7, + int indx, void *certificate, + size_t * certificate_size) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len; - char root2[64]; - char oid[128]; - char counter[MAX_INT_DIGITS]; - gnutls_datum tmp = {NULL, 0}; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len; + char root2[64]; + char oid[128]; + char counter[MAX_INT_DIGITS]; + gnutls_datum tmp = { NULL, 0 }; + + if (certificate_size == NULL || pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, &tmp); + if (result < 0) { + gnutls_assert(); + return result; + } - if (certificate_size == NULL || pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + /* Step 2. Parse the CertificateSet + */ - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, &tmp); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 2. Parse the CertificateSet - */ - - _gnutls_str_cpy( root2, sizeof(root2), "certificates.?"); - _gnutls_int2str( indx+1, counter); - _gnutls_str_cat( root2, sizeof(root2), counter); + _gnutls_str_cpy(root2, sizeof(root2), "certificates.?"); + _gnutls_int2str(indx + 1, counter); + _gnutls_str_cat(root2, sizeof(root2), counter); - len = sizeof(oid) - 1; + len = sizeof(oid) - 1; - result = asn1_read_value(c2, root2, oid, &len); + result = asn1_read_value(c2, root2, oid, &len); + + if (result == ASN1_VALUE_NOT_FOUND) { + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + goto cleanup; + } + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* if 'Certificate' is the choice found: + */ + if (strcmp(oid, "certificate") == 0) { + int start, end; + + result = asn1_der_decoding_startEnd(c2, tmp.data, tmp.size, + root2, &start, &end); - if (result == ASN1_VALUE_NOT_FOUND) { - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - goto cleanup; - } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; } - /* if 'Certificate' is the choice found: - */ - if (strcmp( oid, "certificate") == 0) { - int start, end; - - result = asn1_der_decoding_startEnd(c2, tmp.data, tmp.size, - root2, &start, &end); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - end = end-start+1; - - if ( (uint)end > *certificate_size) { - *certificate_size = end; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto cleanup; - } - - if (certificate) - memcpy( certificate, &tmp.data[start], end); - - *certificate_size = end; - - result = 0; - - } else { - result = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + end = end - start + 1; + + if ((uint) end > *certificate_size) { + *certificate_size = end; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto cleanup; } - cleanup: - _gnutls_free_datum( &tmp); - if (c2) asn1_delete_structure(&c2); - return result; + if (certificate) + memcpy(certificate, &tmp.data[start], end); + + *certificate_size = end; + + result = 0; + + } else { + result = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + } + + cleanup: + _gnutls_free_datum(&tmp); + if (c2) + asn1_delete_structure(&c2); + return result; } /** @@ -343,33 +353,33 @@ int gnutls_pkcs7_get_crt_raw(gnutls_pkcs7 pkcs7, **/ int gnutls_pkcs7_get_crt_count(gnutls_pkcs7 pkcs7) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, count; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, count; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; - } + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } - /* Step 2. Count the CertificateSet */ - - result = asn1_number_of_elements( c2, "certificates", &count); + /* Step 2. Count the CertificateSet */ - asn1_delete_structure(&c2); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return 0; /* no certificates */ - } + result = asn1_number_of_elements(c2, "certificates", &count); + + asn1_delete_structure(&c2); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return 0; /* no certificates */ + } + + return count; - return count; - } /** @@ -391,14 +401,16 @@ int gnutls_pkcs7_get_crt_count(gnutls_pkcs7 pkcs7) * 0 on success. * **/ -int gnutls_pkcs7_export( gnutls_pkcs7 pkcs7, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size) +int gnutls_pkcs7_export(gnutls_pkcs7 pkcs7, + gnutls_x509_crt_fmt format, void *output_data, + size_t * output_data_size) { - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - return _gnutls_x509_export_int( pkcs7->pkcs7, format, PEM_PKCS7, *output_data_size, - output_data, output_data_size); + return _gnutls_x509_export_int(pkcs7->pkcs7, format, PEM_PKCS7, + *output_data_size, output_data, + output_data_size); } /* Creates an empty signed data structure in the pkcs7 @@ -406,68 +418,72 @@ int gnutls_pkcs7_export( gnutls_pkcs7 pkcs7, */ static int create_empty_signed_data(ASN1_TYPE pkcs7, ASN1_TYPE * sdata) { - uint8 one = 1; - int result; - - *sdata = ASN1_TYPE_EMPTY; - - if ((result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.pkcs-7-SignedData", sdata)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Use version 1 - */ - result = asn1_write_value( *sdata, "version", &one, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Use no digest algorithms - */ - - /* id-data */ - result = asn1_write_value( *sdata, "encapContentInfo.eContentType", "1.2.840.113549.1.7.5", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value( *sdata, "encapContentInfo.eContent", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Add no certificates. - */ - - /* Add no crls. - */ - - /* Add no signerInfos. - */ - - /* Write the content type of the signed data - */ - result = asn1_write_value(pkcs7, "contentType", SIGNED_DATA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - return 0; - - cleanup: - asn1_delete_structure( sdata); - return result; + uint8 one = 1; + int result; + + *sdata = ASN1_TYPE_EMPTY; + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-7-SignedData", + sdata)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Use version 1 + */ + result = asn1_write_value(*sdata, "version", &one, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Use no digest algorithms + */ + + /* id-data */ + result = + asn1_write_value(*sdata, "encapContentInfo.eContentType", + "1.2.840.113549.1.7.5", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(*sdata, "encapContentInfo.eContent", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Add no certificates. + */ + + /* Add no crls. + */ + + /* Add no signerInfos. + */ + + /* Write the content type of the signed data + */ + result = asn1_write_value(pkcs7, "contentType", SIGNED_DATA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + return 0; + + cleanup: + asn1_delete_structure(sdata); + return result; } @@ -480,76 +496,80 @@ static int create_empty_signed_data(ASN1_TYPE pkcs7, ASN1_TYPE * sdata) * Returns 0 on success. * **/ -int gnutls_pkcs7_set_crt_raw(gnutls_pkcs7 pkcs7, - const gnutls_datum* crt) +int gnutls_pkcs7_set_crt_raw(gnutls_pkcs7 pkcs7, const gnutls_datum * crt) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, NULL); - if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - return result; - } - - /* If the signed data are uninitialized - * then create them. - */ - if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) { - /* The pkcs7 structure is new, so create the - * signedData. - */ - result = create_empty_signed_data( pkcs7->pkcs7, &c2); - if (result < 0) { - gnutls_assert(); - return result; - } - } - - /* Step 2. Append the new certificate. - */ + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; - result = asn1_write_value(c2, "certificates", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value(c2, "certificates.?LAST", "certificate", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - result = asn1_write_value(c2, "certificates.?LAST.certificate", crt->data, crt->size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + return result; + } - /* Step 3. Replace the old content with the new + /* If the signed data are uninitialized + * then create them. + */ + if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) { + /* The pkcs7 structure is new, so create the + * signedData. */ - result = _gnutls_x509_der_encode_and_copy( c2, "", pkcs7->pkcs7, "content", 0); + result = create_empty_signed_data(pkcs7->pkcs7, &c2); if (result < 0) { - gnutls_assert(); - goto cleanup; - } - + gnutls_assert(); + return result; + } + } + + /* Step 2. Append the new certificate. + */ + + result = asn1_write_value(c2, "certificates", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_write_value(c2, "certificates.?LAST", "certificate", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(c2, "certificates.?LAST.certificate", crt->data, + crt->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, "content", + 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + cleanup: + if (c2) asn1_delete_structure(&c2); - - return 0; - - cleanup: - if (c2) asn1_delete_structure(&c2); - return result; + return result; } /** @@ -563,31 +583,30 @@ int gnutls_pkcs7_set_crt_raw(gnutls_pkcs7 pkcs7, * Returns 0 on success. * **/ -int gnutls_pkcs7_set_crt(gnutls_pkcs7 pkcs7, - gnutls_x509_crt crt) +int gnutls_pkcs7_set_crt(gnutls_pkcs7 pkcs7, gnutls_x509_crt crt) { - int ret; - gnutls_datum data; + int ret; + gnutls_datum data; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = _gnutls_x509_der_encode( crt->cert, "", &data, 0); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = gnutls_pkcs7_set_crt_raw( pkcs7, &data); + ret = _gnutls_x509_der_encode(crt->cert, "", &data, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - _gnutls_free_datum( &data); + ret = gnutls_pkcs7_set_crt_raw(pkcs7, &data); - if (ret < 0) { - gnutls_assert(); - return ret; - } + _gnutls_free_datum(&data); - return 0; + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } @@ -602,51 +621,54 @@ int gnutls_pkcs7_set_crt(gnutls_pkcs7 pkcs7, **/ int gnutls_pkcs7_delete_crt(gnutls_pkcs7 pkcs7, int indx) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - char counter[MAX_INT_DIGITS]; - char root2[64]; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. Decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 2. Delete the certificate. - */ - - _gnutls_str_cpy( root2, sizeof(root2), "certificates.?"); - _gnutls_int2str( indx+1, counter); - _gnutls_str_cat( root2, sizeof(root2), counter); - - result = asn1_write_value(c2, root2, NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Step 3. Replace the old content with the new - */ - result = _gnutls_x509_der_encode_and_copy( c2, "", pkcs7->pkcs7, "content", 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + char counter[MAX_INT_DIGITS]; + char root2[64]; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. Decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 2. Delete the certificate. + */ + + _gnutls_str_cpy(root2, sizeof(root2), "certificates.?"); + _gnutls_int2str(indx + 1, counter); + _gnutls_str_cat(root2, sizeof(root2), counter); + + result = asn1_write_value(c2, root2, NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, "content", + 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + cleanup: + if (c2) asn1_delete_structure(&c2); - - return 0; - - cleanup: - if (c2) asn1_delete_structure(&c2); - return result; + return result; } /* Read and write CRLs @@ -667,65 +689,66 @@ int gnutls_pkcs7_delete_crt(gnutls_pkcs7 pkcs7, int indx) * will be returned. * **/ -int gnutls_pkcs7_get_crl_raw(gnutls_pkcs7 pkcs7, - int indx, void* crl, size_t* crl_size) +int gnutls_pkcs7_get_crl_raw(gnutls_pkcs7 pkcs7, + int indx, void *crl, size_t * crl_size) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - char root2[64]; - char counter[MAX_INT_DIGITS]; - gnutls_datum tmp = {NULL, 0}; - int start, end; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + char root2[64]; + char counter[MAX_INT_DIGITS]; + gnutls_datum tmp = { NULL, 0 }; + int start, end; + + if (pkcs7 == NULL || crl_size == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, &tmp); + if (result < 0) { + gnutls_assert(); + return result; + } - if (pkcs7==NULL || crl_size == NULL) - return GNUTLS_E_INVALID_REQUEST; + /* Step 2. Parse the CertificateSet + */ - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, &tmp); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 2. Parse the CertificateSet - */ - - _gnutls_str_cpy( root2, sizeof(root2), "crls.?"); - _gnutls_int2str( indx+1, counter); - _gnutls_str_cat( root2, sizeof(root2), counter); + _gnutls_str_cpy(root2, sizeof(root2), "crls.?"); + _gnutls_int2str(indx + 1, counter); + _gnutls_str_cat(root2, sizeof(root2), counter); - /* Get the raw CRL - */ - result = asn1_der_decoding_startEnd(c2, tmp.data, tmp.size, - root2, &start, &end); + /* Get the raw CRL + */ + result = asn1_der_decoding_startEnd(c2, tmp.data, tmp.size, + root2, &start, &end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - end = end-start+1; - - if ( (uint)end > *crl_size) { - *crl_size = end; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto cleanup; - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - if (crl) - memcpy( crl, &tmp.data[start], end); + end = end - start + 1; + if ((uint) end > *crl_size) { *crl_size = end; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto cleanup; + } - result = 0; + if (crl) + memcpy(crl, &tmp.data[start], end); - cleanup: - _gnutls_free_datum( &tmp); - if (c2) asn1_delete_structure(&c2); - return result; + *crl_size = end; + + result = 0; + + cleanup: + _gnutls_free_datum(&tmp); + if (c2) + asn1_delete_structure(&c2); + return result; } /** @@ -740,33 +763,33 @@ int gnutls_pkcs7_get_crl_raw(gnutls_pkcs7 pkcs7, **/ int gnutls_pkcs7_get_crl_count(gnutls_pkcs7 pkcs7) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, count; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, count; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; - } + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } - /* Step 2. Count the CertificateSet */ - - result = asn1_number_of_elements( c2, "crls", &count); + /* Step 2. Count the CertificateSet */ - asn1_delete_structure(&c2); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return 0; /* no crls */ - } + result = asn1_number_of_elements(c2, "crls", &count); + + asn1_delete_structure(&c2); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return 0; /* no crls */ + } + + return count; - return count; - } /** @@ -778,69 +801,71 @@ int gnutls_pkcs7_get_crl_count(gnutls_pkcs7 pkcs7) * Returns 0 on success. * **/ -int gnutls_pkcs7_set_crl_raw(gnutls_pkcs7 pkcs7, - const gnutls_datum* crl) +int gnutls_pkcs7_set_crl_raw(gnutls_pkcs7 pkcs7, const gnutls_datum * crl) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, NULL); - if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) { - gnutls_assert(); - return result; - } + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - /* If the signed data are uninitialized - * then create them. - */ - if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) { - /* The pkcs7 structure is new, so create the - * signedData. - */ - result = create_empty_signed_data( pkcs7->pkcs7, &c2); - if (result < 0) { - gnutls_assert(); - return result; - } - } - - /* Step 2. Append the new crl. - */ - - result = asn1_write_value(c2, "crls", "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - result = asn1_write_value(c2, "crls.?LAST", crl->data, crl->size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + return result; + } - /* Step 3. Replace the old content with the new + /* If the signed data are uninitialized + * then create them. + */ + if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) { + /* The pkcs7 structure is new, so create the + * signedData. */ - result = _gnutls_x509_der_encode_and_copy( c2, "", pkcs7->pkcs7, "content", 0); + result = create_empty_signed_data(pkcs7->pkcs7, &c2); if (result < 0) { - gnutls_assert(); - goto cleanup; - } - + gnutls_assert(); + return result; + } + } + + /* Step 2. Append the new crl. + */ + + result = asn1_write_value(c2, "crls", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_write_value(c2, "crls.?LAST", crl->data, crl->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, "content", + 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + cleanup: + if (c2) asn1_delete_structure(&c2); - - return 0; - - cleanup: - if (c2) asn1_delete_structure(&c2); - return result; + return result; } /** @@ -854,28 +879,28 @@ int gnutls_pkcs7_set_crl_raw(gnutls_pkcs7 pkcs7, **/ int gnutls_pkcs7_set_crl(gnutls_pkcs7 pkcs7, gnutls_x509_crl crl) { - int ret; - gnutls_datum data; + int ret; + gnutls_datum data; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = _gnutls_x509_der_encode( crl->crl, "", &data, 0); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_x509_der_encode(crl->crl, "", &data, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_pkcs7_set_crl_raw( pkcs7, &data); - - _gnutls_free_datum( &data); - - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = gnutls_pkcs7_set_crl_raw(pkcs7, &data); - return 0; + _gnutls_free_datum(&data); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } /** @@ -889,51 +914,54 @@ int gnutls_pkcs7_set_crl(gnutls_pkcs7 pkcs7, gnutls_x509_crl crl) **/ int gnutls_pkcs7_delete_crl(gnutls_pkcs7 pkcs7, int indx) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - char counter[MAX_INT_DIGITS]; - char root2[64]; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. Decode the signed data. - */ - result = _decode_pkcs7_signed_data( pkcs7->pkcs7, &c2, NULL); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 2. Delete the crl. - */ - - _gnutls_str_cpy( root2, sizeof(root2), "crls.?"); - _gnutls_int2str( indx+1, counter); - _gnutls_str_cat( root2, sizeof(root2), counter); - - result = asn1_write_value(c2, root2, NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Step 3. Replace the old content with the new - */ - result = _gnutls_x509_der_encode_and_copy( c2, "", pkcs7->pkcs7, "content", 0); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + char counter[MAX_INT_DIGITS]; + char root2[64]; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. Decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 2. Delete the crl. + */ + + _gnutls_str_cpy(root2, sizeof(root2), "crls.?"); + _gnutls_int2str(indx + 1, counter); + _gnutls_str_cat(root2, sizeof(root2), counter); + + result = asn1_write_value(c2, root2, NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, "content", + 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + cleanup: + if (c2) asn1_delete_structure(&c2); - - return 0; - - cleanup: - if (c2) asn1_delete_structure(&c2); - return result; + return result; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index 74a2eb23ec..73d7d69863 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -36,8 +36,8 @@ #include <dsa.h> #include <verify.h> -static int _encode_rsa( ASN1_TYPE* c2, mpi_t* params); -static int _encode_dsa( ASN1_TYPE* c2, mpi_t* params); +static int _encode_rsa(ASN1_TYPE * c2, mpi_t * params); +static int _encode_dsa(ASN1_TYPE * c2, mpi_t * params); /** * gnutls_x509_privkey_init - This function initializes a gnutls_crl structure @@ -50,15 +50,15 @@ static int _encode_dsa( ASN1_TYPE* c2, mpi_t* params); **/ int gnutls_x509_privkey_init(gnutls_x509_privkey * key) { - *key = gnutls_calloc( 1, sizeof(gnutls_x509_privkey_int)); + *key = gnutls_calloc(1, sizeof(gnutls_x509_privkey_int)); - if (*key) { - (*key)->key = ASN1_TYPE_EMPTY; - (*key)->pk_algorithm = GNUTLS_PK_UNKNOWN; - return 0; /* success */ - } + if (*key) { + (*key)->key = ASN1_TYPE_EMPTY; + (*key)->pk_algorithm = GNUTLS_PK_UNKNOWN; + return 0; /* success */ + } - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_MEMORY_ERROR; } /** @@ -70,16 +70,17 @@ int gnutls_x509_privkey_init(gnutls_x509_privkey * key) **/ void gnutls_x509_privkey_deinit(gnutls_x509_privkey key) { -int i; + int i; - if (!key) return; + if (!key) + return; - for (i = 0; i < key->params_size; i++) { - _gnutls_mpi_release( &key->params[i]); - } + for (i = 0; i < key->params_size; i++) { + _gnutls_mpi_release(&key->params[i]); + } - asn1_delete_structure(&key->key); - gnutls_free(key); + asn1_delete_structure(&key->key); + gnutls_free(key); } /** @@ -90,211 +91,216 @@ int i; * This function will copy a private key from source to destination key. * **/ -int gnutls_x509_privkey_cpy(gnutls_x509_privkey dst, gnutls_x509_privkey src) +int gnutls_x509_privkey_cpy(gnutls_x509_privkey dst, + gnutls_x509_privkey src) { -int i, ret; + int i, ret; - if (!src || !dst) return GNUTLS_E_INVALID_REQUEST; + if (!src || !dst) + return GNUTLS_E_INVALID_REQUEST; - for (i = 0; i < src->params_size; i++) { - dst->params[i] = _gnutls_mpi_copy( src->params[i]); - if (dst->params[i] == NULL) return GNUTLS_E_MEMORY_ERROR; - } + for (i = 0; i < src->params_size; i++) { + dst->params[i] = _gnutls_mpi_copy(src->params[i]); + if (dst->params[i] == NULL) + return GNUTLS_E_MEMORY_ERROR; + } - dst->params_size = src->params_size; - dst->pk_algorithm = src->pk_algorithm; - dst->crippled = src->crippled; - - if (!src->crippled) { - switch( dst->pk_algorithm) { - case GNUTLS_PK_DSA: - ret = _encode_dsa( &dst->key, dst->params); - if (ret < 0) { - gnutls_assert(); - return ret; - } - break; - case GNUTLS_PK_RSA: - ret = _encode_rsa( &dst->key, dst->params); - if (ret < 0) { - gnutls_assert(); - return ret; - } - break; - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + dst->params_size = src->params_size; + dst->pk_algorithm = src->pk_algorithm; + dst->crippled = src->crippled; + + if (!src->crippled) { + switch (dst->pk_algorithm) { + case GNUTLS_PK_DSA: + ret = _encode_dsa(&dst->key, dst->params); + if (ret < 0) { + gnutls_assert(); + return ret; + } + break; + case GNUTLS_PK_RSA: + ret = _encode_rsa(&dst->key, dst->params); + if (ret < 0) { + gnutls_assert(); + return ret; + } + break; + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } + } - return 0; + return 0; } /* Converts an RSA PKCS#1 key to * an internal structure (gnutls_private_key) */ -ASN1_TYPE _gnutls_privkey_decode_pkcs1_rsa_key( const gnutls_datum *raw_key, - gnutls_x509_privkey pkey) +ASN1_TYPE _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum * + raw_key, + gnutls_x509_privkey pkey) { - int result; - ASN1_TYPE pkey_asn; - - if ((result = - asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.RSAPrivateKey", &pkey_asn - )) != ASN1_SUCCESS) { - gnutls_assert(); - return NULL; - } - - if ((sizeof(pkey->params) / sizeof(mpi_t)) < RSA_PRIVATE_PARAMS) { - gnutls_assert(); - /* internal error. Increase the mpi_ts in params */ - return NULL; - } - - result = asn1_der_decoding(&pkey_asn, raw_key->data, raw_key->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(pkey_asn, "modulus", - &pkey->params[0])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = - _gnutls_x509_read_int(pkey_asn, "publicExponent", - &pkey->params[1])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = - _gnutls_x509_read_int(pkey_asn, "privateExponent", - &pkey->params[2])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(pkey_asn, "prime1", - &pkey->params[3])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(pkey_asn, "prime2", - &pkey->params[4])) < 0) { - gnutls_assert(); - goto error; - } - + int result; + ASN1_TYPE pkey_asn; + + if ((result = + asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.RSAPrivateKey", + &pkey_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return NULL; + } + + if ((sizeof(pkey->params) / sizeof(mpi_t)) < RSA_PRIVATE_PARAMS) { + gnutls_assert(); + /* internal error. Increase the mpi_ts in params */ + return NULL; + } + + result = + asn1_der_decoding(&pkey_asn, raw_key->data, raw_key->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(pkey_asn, "modulus", + &pkey->params[0])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = + _gnutls_x509_read_int(pkey_asn, "publicExponent", + &pkey->params[1])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = + _gnutls_x509_read_int(pkey_asn, "privateExponent", + &pkey->params[2])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(pkey_asn, "prime1", + &pkey->params[3])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(pkey_asn, "prime2", + &pkey->params[4])) < 0) { + gnutls_assert(); + goto error; + } #if 1 - /* Calculate the coefficient. This is because the gcrypt - * library is uses the p,q in the reverse order. - */ - pkey->params[5] = - _gnutls_mpi_snew(_gnutls_mpi_get_nbits(pkey->params[0])); - - if (pkey->params[5] == NULL) { - gnutls_assert(); - goto error; - } - - _gnutls_mpi_invm(pkey->params[5], pkey->params[3], pkey->params[4]); - /* p, q */ + /* Calculate the coefficient. This is because the gcrypt + * library is uses the p,q in the reverse order. + */ + pkey->params[5] = + _gnutls_mpi_snew(_gnutls_mpi_get_nbits(pkey->params[0])); + + if (pkey->params[5] == NULL) { + gnutls_assert(); + goto error; + } + + _gnutls_mpi_invm(pkey->params[5], pkey->params[3], pkey->params[4]); + /* p, q */ #else - if ( (result=_gnutls_x509_read_int( pkey_asn, "coefficient", - &pkey->params[5])) < 0) { - gnutls_assert(); - goto error; - } + if ((result = _gnutls_x509_read_int(pkey_asn, "coefficient", + &pkey->params[5])) < 0) { + gnutls_assert(); + goto error; + } #endif - pkey->params_size = 6; + pkey->params_size = 6; - return pkey_asn; + return pkey_asn; - error: - asn1_delete_structure(&pkey_asn); - _gnutls_mpi_release(&pkey->params[0]); - _gnutls_mpi_release(&pkey->params[1]); - _gnutls_mpi_release(&pkey->params[2]); - _gnutls_mpi_release(&pkey->params[3]); - _gnutls_mpi_release(&pkey->params[4]); - _gnutls_mpi_release(&pkey->params[5]); - return NULL; + error: + asn1_delete_structure(&pkey_asn); + _gnutls_mpi_release(&pkey->params[0]); + _gnutls_mpi_release(&pkey->params[1]); + _gnutls_mpi_release(&pkey->params[2]); + _gnutls_mpi_release(&pkey->params[3]); + _gnutls_mpi_release(&pkey->params[4]); + _gnutls_mpi_release(&pkey->params[5]); + return NULL; } -static ASN1_TYPE decode_dsa_key( const gnutls_datum* raw_key, - gnutls_x509_privkey pkey) +static ASN1_TYPE decode_dsa_key(const gnutls_datum * raw_key, + gnutls_x509_privkey pkey) { - int result; - ASN1_TYPE dsa_asn; - - if ((result = - asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.DSAPrivateKey", &dsa_asn - )) != ASN1_SUCCESS) { - gnutls_assert(); - return NULL; - } - - if ((sizeof(pkey->params) / sizeof(mpi_t)) < DSA_PRIVATE_PARAMS) { - gnutls_assert(); - /* internal error. Increase the mpi_ts in params */ - return NULL; - } - - result = asn1_der_decoding(&dsa_asn, raw_key->data, raw_key->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(dsa_asn, "p", - &pkey->params[0])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(dsa_asn, "q", - &pkey->params[1])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(dsa_asn, "g", - &pkey->params[2])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(dsa_asn, "Y", - &pkey->params[3])) < 0) { - gnutls_assert(); - goto error; - } - - if ((result = _gnutls_x509_read_int(dsa_asn, "priv", - &pkey->params[4])) < 0) { - gnutls_assert(); - goto error; - } - pkey->params_size = 5; - - return dsa_asn; - - error: - asn1_delete_structure(&dsa_asn); - _gnutls_mpi_release(&pkey->params[0]); - _gnutls_mpi_release(&pkey->params[1]); - _gnutls_mpi_release(&pkey->params[2]); - _gnutls_mpi_release(&pkey->params[3]); - _gnutls_mpi_release(&pkey->params[4]); - return NULL; + int result; + ASN1_TYPE dsa_asn; + + if ((result = + asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.DSAPrivateKey", + &dsa_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return NULL; + } + + if ((sizeof(pkey->params) / sizeof(mpi_t)) < DSA_PRIVATE_PARAMS) { + gnutls_assert(); + /* internal error. Increase the mpi_ts in params */ + return NULL; + } + + result = + asn1_der_decoding(&dsa_asn, raw_key->data, raw_key->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(dsa_asn, "p", + &pkey->params[0])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(dsa_asn, "q", + &pkey->params[1])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(dsa_asn, "g", + &pkey->params[2])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(dsa_asn, "Y", + &pkey->params[3])) < 0) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(dsa_asn, "priv", + &pkey->params[4])) < 0) { + gnutls_assert(); + goto error; + } + pkey->params_size = 5; + + return dsa_asn; + + error: + asn1_delete_structure(&dsa_asn); + _gnutls_mpi_release(&pkey->params[0]); + _gnutls_mpi_release(&pkey->params[1]); + _gnutls_mpi_release(&pkey->params[2]); + _gnutls_mpi_release(&pkey->params[3]); + _gnutls_mpi_release(&pkey->params[4]); + return NULL; } @@ -317,94 +323,100 @@ static ASN1_TYPE decode_dsa_key( const gnutls_datum* raw_key, * Returns 0 on success. * **/ -int gnutls_x509_privkey_import(gnutls_x509_privkey key, const gnutls_datum * data, - gnutls_x509_crt_fmt format) +int gnutls_x509_privkey_import(gnutls_x509_privkey key, + const gnutls_datum * data, + gnutls_x509_crt_fmt format) { - int result = 0, need_free = 0; - gnutls_datum _data; + int result = 0, need_free = 0; + gnutls_datum _data; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + _data.data = data->data; + _data.size = data->size; + + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; - if (key == NULL) { + /* Try the first header */ + result = + _gnutls_fbase64_decode(PEM_KEY_RSA, data->data, data->size, + &out); + key->pk_algorithm = GNUTLS_PK_RSA; + + if (result <= 0) { + /* try for the second header */ + result = + _gnutls_fbase64_decode(PEM_KEY_DSA, data->data, data->size, + &out); + key->pk_algorithm = GNUTLS_PK_DSA; + + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + return result; + } } - - _data.data = data->data; - _data.size = data->size; - key->pk_algorithm = GNUTLS_PK_UNKNOWN; + _data.data = out; + _data.size = result; - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - /* Try the first header */ - result = _gnutls_fbase64_decode(PEM_KEY_RSA, data->data, data->size, - &out); - key->pk_algorithm = GNUTLS_PK_RSA; - - if (result <= 0) { - /* try for the second header */ - result = _gnutls_fbase64_decode(PEM_KEY_DSA, data->data, data->size, - &out); - key->pk_algorithm = GNUTLS_PK_DSA; - - if (result <= 0) { - if (result==0) result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - } - - _data.data = out; - _data.size = result; - - need_free = 1; + need_free = 1; + } + + if (key->pk_algorithm == GNUTLS_PK_RSA) { + key->key = _gnutls_privkey_decode_pkcs1_rsa_key(&_data, key); + if (key->key == NULL) { + gnutls_assert(); + result = GNUTLS_E_ASN1_DER_ERROR; + goto cleanup; } + } else if (key->pk_algorithm == GNUTLS_PK_DSA) { + key->key = decode_dsa_key(&_data, key); + if (key->key == NULL) { + gnutls_assert(); + result = GNUTLS_E_ASN1_DER_ERROR; + goto cleanup; + } + } else { + /* Try decoding with both, and accept the one that + * succeeds. + */ + key->pk_algorithm = GNUTLS_PK_DSA; + key->key = decode_dsa_key(&_data, key); - if (key->pk_algorithm == GNUTLS_PK_RSA) { - key->key = _gnutls_privkey_decode_pkcs1_rsa_key( &_data, key); - if (key->key == NULL) { - gnutls_assert(); - result = GNUTLS_E_ASN1_DER_ERROR; - goto cleanup; - } - } else if (key->pk_algorithm == GNUTLS_PK_DSA) { - key->key = decode_dsa_key( &_data, key); - if (key->key == NULL) { - gnutls_assert(); - result = GNUTLS_E_ASN1_DER_ERROR; - goto cleanup; - } - } else { - /* Try decoding with both, and accept the one that - * succeeds. - */ - key->pk_algorithm = GNUTLS_PK_DSA; - key->key = decode_dsa_key( &_data, key); - - if (key->key == NULL) { - key->pk_algorithm = GNUTLS_PK_RSA; - key->key = _gnutls_privkey_decode_pkcs1_rsa_key( &_data, key); - if (key->key == NULL) { - gnutls_assert(); - result = GNUTLS_E_ASN1_DER_ERROR; - goto cleanup; - } - } + if (key->key == NULL) { + key->pk_algorithm = GNUTLS_PK_RSA; + key->key = _gnutls_privkey_decode_pkcs1_rsa_key(&_data, key); + if (key->key == NULL) { + gnutls_assert(); + result = GNUTLS_E_ASN1_DER_ERROR; + goto cleanup; + } } + } - if (need_free) _gnutls_free_datum( &_data); + if (need_free) + _gnutls_free_datum(&_data); - /* The key has now been decoded. - */ + /* The key has now been decoded. + */ - return 0; + return 0; - cleanup: - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - if (need_free) _gnutls_free_datum( &_data); - return result; + cleanup: + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + if (need_free) + _gnutls_free_datum(&_data); + return result; } #define FREE_RSA_PRIVATE_PARAMS for (i=0;i<RSA_PRIVATE_PARAMS;i++) \ @@ -426,74 +438,77 @@ int gnutls_x509_privkey_import(gnutls_x509_privkey key, const gnutls_datum * dat * to the native gnutls_x509_privkey format. The output will be stored in @key. * **/ -int gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey key, - const gnutls_datum* m, const gnutls_datum* e, - const gnutls_datum* d, const gnutls_datum* p, - const gnutls_datum* q, const gnutls_datum* u) +int gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey key, + const gnutls_datum * m, + const gnutls_datum * e, + const gnutls_datum * d, + const gnutls_datum * p, + const gnutls_datum * q, + const gnutls_datum * u) { - int i = 0, ret; - size_t siz = 0; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - siz = m->size; - if (_gnutls_mpi_scan(&key->params[0], m->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = e->size; - if (_gnutls_mpi_scan(&key->params[1], e->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = d->size; - if (_gnutls_mpi_scan(&key->params[2], d->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = p->size; - if (_gnutls_mpi_scan(&key->params[3], p->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = q->size; - if (_gnutls_mpi_scan(&key->params[4], q->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = u->size; - if (_gnutls_mpi_scan(&key->params[5], u->data, &siz)) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - if (!key->crippled) { - ret = _encode_rsa( &key->key, key->params); - if (ret < 0) { - gnutls_assert(); - FREE_RSA_PRIVATE_PARAMS; - return ret; - } + int i = 0, ret; + size_t siz = 0; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + siz = m->size; + if (_gnutls_mpi_scan(&key->params[0], m->data, &siz)) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = e->size; + if (_gnutls_mpi_scan(&key->params[1], e->data, &siz)) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = d->size; + if (_gnutls_mpi_scan(&key->params[2], d->data, &siz)) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = p->size; + if (_gnutls_mpi_scan(&key->params[3], p->data, &siz)) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = q->size; + if (_gnutls_mpi_scan(&key->params[4], q->data, &siz)) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = u->size; + if (_gnutls_mpi_scan(&key->params[5], u->data, &siz)) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + if (!key->crippled) { + ret = _encode_rsa(&key->key, key->params); + if (ret < 0) { + gnutls_assert(); + FREE_RSA_PRIVATE_PARAMS; + return ret; } + } - key->params_size = RSA_PRIVATE_PARAMS; - key->pk_algorithm = GNUTLS_PK_RSA; + key->params_size = RSA_PRIVATE_PARAMS; + key->pk_algorithm = GNUTLS_PK_RSA; - return 0; + return 0; } @@ -510,67 +525,69 @@ int gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey key, * to the native gnutls_x509_privkey format. The output will be stored in @key. * **/ -int gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey key, - const gnutls_datum* p, const gnutls_datum* q, - const gnutls_datum* g, const gnutls_datum* y, - const gnutls_datum* x) +int gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey key, + const gnutls_datum * p, + const gnutls_datum * q, + const gnutls_datum * g, + const gnutls_datum * y, + const gnutls_datum * x) { - int i = 0, ret; - size_t siz = 0; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - siz = p->size; - if (_gnutls_mpi_scan(&key->params[0], p->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = q->size; - if (_gnutls_mpi_scan(&key->params[1], q->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = g->size; - if (_gnutls_mpi_scan(&key->params[2], g->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = y->size; - if (_gnutls_mpi_scan(&key->params[3], y->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - siz = x->size; - if (_gnutls_mpi_scan(&key->params[4], x->data, &siz)) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return GNUTLS_E_MPI_SCAN_FAILED; - } - - if (!key->crippled) { - ret = _encode_dsa( &key->key, key->params); - if (ret < 0) { - gnutls_assert(); - FREE_DSA_PRIVATE_PARAMS; - return ret; - } + int i = 0, ret; + size_t siz = 0; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + siz = p->size; + if (_gnutls_mpi_scan(&key->params[0], p->data, &siz)) { + gnutls_assert(); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = q->size; + if (_gnutls_mpi_scan(&key->params[1], q->data, &siz)) { + gnutls_assert(); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = g->size; + if (_gnutls_mpi_scan(&key->params[2], g->data, &siz)) { + gnutls_assert(); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = y->size; + if (_gnutls_mpi_scan(&key->params[3], y->data, &siz)) { + gnutls_assert(); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + siz = x->size; + if (_gnutls_mpi_scan(&key->params[4], x->data, &siz)) { + gnutls_assert(); + FREE_DSA_PRIVATE_PARAMS; + return GNUTLS_E_MPI_SCAN_FAILED; + } + + if (!key->crippled) { + ret = _encode_dsa(&key->key, key->params); + if (ret < 0) { + gnutls_assert(); + FREE_DSA_PRIVATE_PARAMS; + return ret; } + } - key->params_size = DSA_PRIVATE_PARAMS; - key->pk_algorithm = GNUTLS_PK_DSA; + key->params_size = DSA_PRIVATE_PARAMS; + key->pk_algorithm = GNUTLS_PK_DSA; - return 0; + return 0; } @@ -586,14 +603,14 @@ int gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey key, * or a negative value on error. * **/ -int gnutls_x509_privkey_get_pk_algorithm( gnutls_x509_privkey key) +int gnutls_x509_privkey_get_pk_algorithm(gnutls_x509_privkey key) { - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return key->pk_algorithm; + return key->pk_algorithm; } @@ -618,48 +635,52 @@ int gnutls_x509_privkey_get_pk_algorithm( gnutls_x509_privkey key) * 0 on success. * **/ -int gnutls_x509_privkey_export( gnutls_x509_privkey key, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size) +int gnutls_x509_privkey_export(gnutls_x509_privkey key, + gnutls_x509_crt_fmt format, + void *output_data, + size_t * output_data_size) { - char * msg; - int ret; - - if (key == NULL) { + char *msg; + int ret; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (key->pk_algorithm == GNUTLS_PK_RSA) + msg = PEM_KEY_RSA; + else if (key->pk_algorithm == GNUTLS_PK_DSA) + msg = PEM_KEY_DSA; + else + msg = NULL; + + if (key->crippled) { /* encode the parameters on the fly. + */ + switch (key->pk_algorithm) { + case GNUTLS_PK_DSA: + ret = _encode_dsa(&key->key, key->params); + if (ret < 0) { gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (key->pk_algorithm == GNUTLS_PK_RSA) - msg = PEM_KEY_RSA; - else if (key->pk_algorithm == GNUTLS_PK_DSA) - msg = PEM_KEY_DSA; - else msg = NULL; - - if (key->crippled) { /* encode the parameters on the fly. - */ - switch( key->pk_algorithm) { - case GNUTLS_PK_DSA: - ret = _encode_dsa( &key->key, key->params); - if (ret < 0) { - gnutls_assert(); - return ret; - } - break; - case GNUTLS_PK_RSA: - ret = _encode_rsa( &key->key, key->params); - if (ret < 0) { - gnutls_assert(); - return ret; - } - break; - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + return ret; + } + break; + case GNUTLS_PK_RSA: + ret = _encode_rsa(&key->key, key->params); + if (ret < 0) { + gnutls_assert(); + return ret; + } + break; + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } + } - return _gnutls_x509_export_int( key->key, format, msg, *output_data_size, - output_data, output_data_size); + return _gnutls_x509_export_int(key->key, format, msg, + *output_data_size, output_data, + output_data_size); } /** @@ -678,74 +699,74 @@ int gnutls_x509_privkey_export( gnutls_x509_privkey key, * **/ int gnutls_x509_privkey_export_rsa_raw(gnutls_x509_privkey key, - gnutls_datum * m, gnutls_datum *e, - gnutls_datum *d, gnutls_datum *p, gnutls_datum* q, - gnutls_datum* u) + gnutls_datum * m, gnutls_datum * e, + gnutls_datum * d, gnutls_datum * p, + gnutls_datum * q, gnutls_datum * u) { -int ret; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_mpi_dprint(m, key->params[0]); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* E */ - ret = _gnutls_mpi_dprint(e, key->params[1]); - if (ret < 0) { - _gnutls_free_datum( m); - gnutls_assert(); - return ret; - } - - /* D */ - ret = _gnutls_mpi_dprint(d, key->params[2]); - if (ret < 0) { - _gnutls_free_datum( m); - _gnutls_free_datum( e); - gnutls_assert(); - return ret; - } - - /* P */ - ret = _gnutls_mpi_dprint(p, key->params[3]); - if (ret < 0) { - _gnutls_free_datum( m); - _gnutls_free_datum( d); - _gnutls_free_datum( e); - gnutls_assert(); - return ret; - } - - /* Q */ - ret = _gnutls_mpi_dprint(q, key->params[4]); - if (ret < 0) { - _gnutls_free_datum( m); - _gnutls_free_datum( d); - _gnutls_free_datum( e); - _gnutls_free_datum( p); - gnutls_assert(); - return ret; - } - - /* U */ - ret = _gnutls_mpi_dprint(u, key->params[5]); - if (ret < 0) { - _gnutls_free_datum( m); - _gnutls_free_datum( d); - _gnutls_free_datum( e); - _gnutls_free_datum( p); - _gnutls_free_datum( q); - gnutls_assert(); - return ret; - } - - return 0; + int ret; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_mpi_dprint(m, key->params[0]); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* E */ + ret = _gnutls_mpi_dprint(e, key->params[1]); + if (ret < 0) { + _gnutls_free_datum(m); + gnutls_assert(); + return ret; + } + + /* D */ + ret = _gnutls_mpi_dprint(d, key->params[2]); + if (ret < 0) { + _gnutls_free_datum(m); + _gnutls_free_datum(e); + gnutls_assert(); + return ret; + } + + /* P */ + ret = _gnutls_mpi_dprint(p, key->params[3]); + if (ret < 0) { + _gnutls_free_datum(m); + _gnutls_free_datum(d); + _gnutls_free_datum(e); + gnutls_assert(); + return ret; + } + + /* Q */ + ret = _gnutls_mpi_dprint(q, key->params[4]); + if (ret < 0) { + _gnutls_free_datum(m); + _gnutls_free_datum(d); + _gnutls_free_datum(e); + _gnutls_free_datum(p); + gnutls_assert(); + return ret; + } + + /* U */ + ret = _gnutls_mpi_dprint(u, key->params[5]); + if (ret < 0) { + _gnutls_free_datum(m); + _gnutls_free_datum(d); + _gnutls_free_datum(e); + _gnutls_free_datum(p); + _gnutls_free_datum(q); + gnutls_assert(); + return ret; + } + + return 0; } /** @@ -763,374 +784,373 @@ int ret; * **/ int gnutls_x509_privkey_export_dsa_raw(gnutls_x509_privkey key, - gnutls_datum * p, gnutls_datum *q, - gnutls_datum *g, gnutls_datum *y, gnutls_datum* x) + gnutls_datum * p, gnutls_datum * q, + gnutls_datum * g, gnutls_datum * y, + gnutls_datum * x) { -int ret; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* P */ - ret = _gnutls_mpi_dprint(p, key->params[0]); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* Q */ - ret = _gnutls_mpi_dprint(q, key->params[1]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - return ret; - } - - - /* G */ - ret = _gnutls_mpi_dprint(g, key->params[2]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - _gnutls_free_datum(q); - return ret; - } - - - /* Y */ - ret = _gnutls_mpi_dprint(y, key->params[3]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - _gnutls_free_datum(g); - _gnutls_free_datum(q); - return ret; - } - - /* X */ - ret = _gnutls_mpi_dprint(x, key->params[4]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(y); - _gnutls_free_datum(p); - _gnutls_free_datum(g); - _gnutls_free_datum(q); - return ret; - } - - return 0; + int ret; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* P */ + ret = _gnutls_mpi_dprint(p, key->params[0]); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* Q */ + ret = _gnutls_mpi_dprint(q, key->params[1]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + return ret; + } + + + /* G */ + ret = _gnutls_mpi_dprint(g, key->params[2]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + _gnutls_free_datum(q); + return ret; + } + + + /* Y */ + ret = _gnutls_mpi_dprint(y, key->params[3]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + _gnutls_free_datum(g); + _gnutls_free_datum(q); + return ret; + } + + /* X */ + ret = _gnutls_mpi_dprint(x, key->params[4]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(y); + _gnutls_free_datum(p); + _gnutls_free_datum(g); + _gnutls_free_datum(q); + return ret; + } + + return 0; } /* Encodes the RSA parameters into an ASN.1 RSA private key structure. */ -static int _encode_rsa( ASN1_TYPE* c2, mpi_t* params) +static int _encode_rsa(ASN1_TYPE * c2, mpi_t * params) { - int result, i; - size_t size[8], total; - opaque * m_data, *pube_data, *prie_data; - opaque* p1_data, *p2_data, *u_data, *exp1_data, *exp2_data; - opaque * all_data = NULL, *p; - mpi_t exp1 = NULL, exp2 = NULL, q1 = NULL, p1 = NULL; - opaque null = '\0'; - - /* Read all the sizes */ - total = 0; - for (i=0;i<6;i++) { - _gnutls_mpi_print_lz( NULL, &size[i], params[i]); - total += size[i]; - } - - /* Now generate exp1 and exp2 - */ - exp1 = _gnutls_mpi_salloc_like( params[0]); /* like modulus */ - if (exp1 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - exp2 = _gnutls_mpi_salloc_like( params[0]); - if (exp2 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - q1 = _gnutls_mpi_salloc_like( params[4]); - if (q1 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - p1 = _gnutls_mpi_salloc_like( params[3]); - if (p1 == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - _gnutls_mpi_add_ui( p1, params[3], -1); - _gnutls_mpi_add_ui( q1, params[4], -1); - - _gnutls_mpi_mod( exp1, params[2], p1); - _gnutls_mpi_mod( exp2, params[2], q1); - - - /* calculate exp's size */ - _gnutls_mpi_print_lz( NULL, &size[6], exp1); - total += size[6]; - - _gnutls_mpi_print_lz( NULL, &size[7], exp2); - total += size[7]; - - /* Encoding phase. - * allocate data enough to hold everything - */ - all_data = gnutls_secure_malloc( total); - if (all_data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - p = all_data; - m_data = p; p+= size[0]; - pube_data = p; p+= size[1]; - prie_data = p; p+= size[2]; - p1_data = p; p+= size[3]; - p2_data = p; p+= size[4]; - u_data = p; p+= size[5]; - exp1_data = p; p+= size[6]; - exp2_data = p; - - _gnutls_mpi_print_lz( m_data, &size[0], params[0]); - _gnutls_mpi_print_lz( pube_data, &size[1], params[1]); - _gnutls_mpi_print_lz( prie_data, &size[2], params[2]); - _gnutls_mpi_print_lz( p1_data, &size[3], params[3]); - _gnutls_mpi_print_lz( p2_data, &size[4], params[4]); - _gnutls_mpi_print_lz( u_data, &size[5], params[5]); - _gnutls_mpi_print_lz( exp1_data, &size[6], exp1); - _gnutls_mpi_print_lz( exp2_data, &size[7], exp2); - - /* Ok. Now we have the data. Create the asn1 structures - */ - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPrivateKey", c2)) - != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Write PRIME - */ - if ((result = asn1_write_value(*c2, "modulus", - m_data, size[0])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "publicExponent", - pube_data, size[1])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "privateExponent", - prie_data, size[2])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "prime1", - p1_data, size[3])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "prime2", - p2_data, size[4])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "exponent1", - exp1_data, size[6])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "exponent2", - exp2_data, size[7])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "coefficient", - u_data, size[5])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - gnutls_free(all_data); - - if ((result = asn1_write_value(*c2, "otherPrimeInfos", - NULL, 0)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "version", - &null, 1)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - return 0; - - cleanup: - _gnutls_mpi_release( &exp1); - _gnutls_mpi_release( &exp2); - _gnutls_mpi_release( &q1); - _gnutls_mpi_release( &p1); - asn1_delete_structure(c2); - gnutls_free( all_data); - - return result; + int result, i; + size_t size[8], total; + opaque *m_data, *pube_data, *prie_data; + opaque *p1_data, *p2_data, *u_data, *exp1_data, *exp2_data; + opaque *all_data = NULL, *p; + mpi_t exp1 = NULL, exp2 = NULL, q1 = NULL, p1 = NULL; + opaque null = '\0'; + + /* Read all the sizes */ + total = 0; + for (i = 0; i < 6; i++) { + _gnutls_mpi_print_lz(NULL, &size[i], params[i]); + total += size[i]; + } + + /* Now generate exp1 and exp2 + */ + exp1 = _gnutls_mpi_salloc_like(params[0]); /* like modulus */ + if (exp1 == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + exp2 = _gnutls_mpi_salloc_like(params[0]); + if (exp2 == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + q1 = _gnutls_mpi_salloc_like(params[4]); + if (q1 == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + p1 = _gnutls_mpi_salloc_like(params[3]); + if (p1 == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + _gnutls_mpi_add_ui(p1, params[3], -1); + _gnutls_mpi_add_ui(q1, params[4], -1); + + _gnutls_mpi_mod(exp1, params[2], p1); + _gnutls_mpi_mod(exp2, params[2], q1); + + + /* calculate exp's size */ + _gnutls_mpi_print_lz(NULL, &size[6], exp1); + total += size[6]; + + _gnutls_mpi_print_lz(NULL, &size[7], exp2); + total += size[7]; + + /* Encoding phase. + * allocate data enough to hold everything + */ + all_data = gnutls_secure_malloc(total); + if (all_data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + p = all_data; + m_data = p; + p += size[0]; + pube_data = p; + p += size[1]; + prie_data = p; + p += size[2]; + p1_data = p; + p += size[3]; + p2_data = p; + p += size[4]; + u_data = p; + p += size[5]; + exp1_data = p; + p += size[6]; + exp2_data = p; + + _gnutls_mpi_print_lz(m_data, &size[0], params[0]); + _gnutls_mpi_print_lz(pube_data, &size[1], params[1]); + _gnutls_mpi_print_lz(prie_data, &size[2], params[2]); + _gnutls_mpi_print_lz(p1_data, &size[3], params[3]); + _gnutls_mpi_print_lz(p2_data, &size[4], params[4]); + _gnutls_mpi_print_lz(u_data, &size[5], params[5]); + _gnutls_mpi_print_lz(exp1_data, &size[6], exp1); + _gnutls_mpi_print_lz(exp2_data, &size[7], exp2); + + /* Ok. Now we have the data. Create the asn1 structures + */ + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPrivateKey", c2)) + != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Write PRIME + */ + if ((result = asn1_write_value(*c2, "modulus", + m_data, size[0])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "publicExponent", + pube_data, size[1])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "privateExponent", + prie_data, size[2])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "prime1", + p1_data, size[3])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "prime2", + p2_data, size[4])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "exponent1", + exp1_data, size[6])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "exponent2", + exp2_data, size[7])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "coefficient", + u_data, size[5])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + gnutls_free(all_data); + + if ((result = asn1_write_value(*c2, "otherPrimeInfos", + NULL, 0)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "version", + &null, 1)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + return 0; + + cleanup: + _gnutls_mpi_release(&exp1); + _gnutls_mpi_release(&exp2); + _gnutls_mpi_release(&q1); + _gnutls_mpi_release(&p1); + asn1_delete_structure(c2); + gnutls_free(all_data); + + return result; } /* Encodes the DSA parameters into an ASN.1 DSAPrivateKey structure. */ -static int _encode_dsa( ASN1_TYPE* c2, mpi_t* params) +static int _encode_dsa(ASN1_TYPE * c2, mpi_t * params) { - int result, i; - size_t size[DSA_PRIVATE_PARAMS], total; - opaque* p_data, *q_data, *g_data, *x_data, *y_data; - opaque * all_data = NULL, *p; - opaque null = '\0'; - - /* Read all the sizes */ - total = 0; - for (i=0;i<DSA_PRIVATE_PARAMS;i++) { - _gnutls_mpi_print_lz( NULL, &size[i], params[i]); - total += size[i]; - } - - /* Encoding phase. - * allocate data enough to hold everything - */ - all_data = gnutls_secure_malloc( total); - if (all_data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - p = all_data; - p_data = p; p += size[0]; - q_data = p; p += size[1]; - g_data = p; p += size[2]; - y_data = p; p += size[3]; - x_data = p; - - _gnutls_mpi_print_lz( p_data, &size[0], params[0]); - _gnutls_mpi_print_lz( q_data, &size[1], params[1]); - _gnutls_mpi_print_lz( g_data, &size[2], params[2]); - _gnutls_mpi_print_lz( y_data, &size[3], params[3]); - _gnutls_mpi_print_lz( x_data, &size[4], params[4]); - - /* Ok. Now we have the data. Create the asn1 structures - */ - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPrivateKey", c2)) - != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - /* Write PRIME - */ - if ((result = asn1_write_value(*c2, "p", - p_data, size[0])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "q", - q_data, size[1])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "g", - g_data, size[2])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "Y", - y_data, size[3])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "priv", - x_data, size[4])) != ASN1_SUCCESS) - { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - gnutls_free(all_data); - - if ((result = asn1_write_value(*c2, "version", - &null, 1)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - return 0; - - cleanup: - asn1_delete_structure(c2); - gnutls_free( all_data); - - return result; + int result, i; + size_t size[DSA_PRIVATE_PARAMS], total; + opaque *p_data, *q_data, *g_data, *x_data, *y_data; + opaque *all_data = NULL, *p; + opaque null = '\0'; + + /* Read all the sizes */ + total = 0; + for (i = 0; i < DSA_PRIVATE_PARAMS; i++) { + _gnutls_mpi_print_lz(NULL, &size[i], params[i]); + total += size[i]; + } + + /* Encoding phase. + * allocate data enough to hold everything + */ + all_data = gnutls_secure_malloc(total); + if (all_data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + p = all_data; + p_data = p; + p += size[0]; + q_data = p; + p += size[1]; + g_data = p; + p += size[2]; + y_data = p; + p += size[3]; + x_data = p; + + _gnutls_mpi_print_lz(p_data, &size[0], params[0]); + _gnutls_mpi_print_lz(q_data, &size[1], params[1]); + _gnutls_mpi_print_lz(g_data, &size[2], params[2]); + _gnutls_mpi_print_lz(y_data, &size[3], params[3]); + _gnutls_mpi_print_lz(x_data, &size[4], params[4]); + + /* Ok. Now we have the data. Create the asn1 structures + */ + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPrivateKey", c2)) + != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Write PRIME + */ + if ((result = asn1_write_value(*c2, "p", + p_data, size[0])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "q", + q_data, size[1])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "g", + g_data, size[2])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "Y", + y_data, size[3])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "priv", + x_data, size[4])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + gnutls_free(all_data); + + if ((result = asn1_write_value(*c2, "version", + &null, 1)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + return 0; + + cleanup: + asn1_delete_structure(c2); + gnutls_free(all_data); + + return result; } @@ -1147,69 +1167,70 @@ static int _encode_dsa( ASN1_TYPE* c2, mpi_t* params) * Returns 0 on success or a negative value on error. * **/ -int gnutls_x509_privkey_generate( gnutls_x509_privkey key, gnutls_pk_algorithm algo, - unsigned int bits, unsigned int flags) +int gnutls_x509_privkey_generate(gnutls_x509_privkey key, + gnutls_pk_algorithm algo, + unsigned int bits, unsigned int flags) { -int ret, params_len; -int i; + int ret, params_len; + int i; - if (key == NULL) { + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + switch (algo) { + case GNUTLS_PK_DSA: + ret = _gnutls_dsa_generate_params(key->params, ¶ms_len, bits); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + if (!key->crippled) { + ret = _encode_dsa(&key->key, key->params); + if (ret < 0) { gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + } + key->params_size = params_len; + key->pk_algorithm = GNUTLS_PK_DSA; + + break; + case GNUTLS_PK_RSA: + ret = _gnutls_rsa_generate_params(key->params, ¶ms_len, bits); + if (ret < 0) { + gnutls_assert(); + return ret; } - switch( algo) { - case GNUTLS_PK_DSA: - ret = _gnutls_dsa_generate_params( key->params, ¶ms_len, bits); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - if (!key->crippled) { - ret = _encode_dsa( &key->key, key->params); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - } - key->params_size = params_len; - key->pk_algorithm = GNUTLS_PK_DSA; - - break; - case GNUTLS_PK_RSA: - ret = _gnutls_rsa_generate_params( key->params, ¶ms_len, bits); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - if (!key->crippled) { - ret = _encode_rsa( &key->key, key->params); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - } - - key->params_size = params_len; - key->pk_algorithm = GNUTLS_PK_RSA; - - break; - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (!key->crippled) { + ret = _encode_rsa(&key->key, key->params); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } } - - return 0; - cleanup: - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - key->params_size = 0; - for (i=0;i<params_len;i++) - _gnutls_mpi_release(&key->params[i]); + key->params_size = params_len; + key->pk_algorithm = GNUTLS_PK_RSA; - return ret; + break; + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return 0; + + cleanup: + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + key->params_size = 0; + for (i = 0; i < params_len; i++) + _gnutls_mpi_release(&key->params[i]); + + return ret; } /** @@ -1231,56 +1252,63 @@ int i; * 0 on success. * **/ -int gnutls_x509_privkey_get_key_id( gnutls_x509_privkey key, unsigned int flags, - unsigned char* output_data, size_t* output_data_size) +int gnutls_x509_privkey_get_key_id(gnutls_x509_privkey key, + unsigned int flags, + unsigned char *output_data, + size_t * output_data_size) { -int result; -GNUTLS_HASH_HANDLE hd; -gnutls_datum der = { NULL, 0 }; + int result; + GNUTLS_HASH_HANDLE hd; + gnutls_datum der = { NULL, 0 }; - if (key == NULL || key->crippled) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL || key->crippled) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (*output_data_size < 20) { - gnutls_assert(); - *output_data_size = 20; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } + if (*output_data_size < 20) { + gnutls_assert(); + *output_data_size = 20; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - if (key->pk_algorithm == GNUTLS_PK_RSA) { - result = _gnutls_x509_write_rsa_params( key->params, key->params_size, &der); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } else if (key->pk_algorithm == GNUTLS_PK_DSA) { - result = _gnutls_x509_write_dsa_public_key( key->params, key->params_size, &der); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } else return GNUTLS_E_INTERNAL_ERROR; - - hd = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (hd == GNUTLS_HASH_FAILED) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; + if (key->pk_algorithm == GNUTLS_PK_RSA) { + result = + _gnutls_x509_write_rsa_params(key->params, key->params_size, + &der); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + } else if (key->pk_algorithm == GNUTLS_PK_DSA) { + result = + _gnutls_x509_write_dsa_public_key(key->params, + key->params_size, &der); + if (result < 0) { + gnutls_assert(); + goto cleanup; } - - _gnutls_hash( hd, der.data, der.size); + } else + return GNUTLS_E_INTERNAL_ERROR; - _gnutls_hash_deinit( hd, output_data); - *output_data_size = 20; + hd = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (hd == GNUTLS_HASH_FAILED) { + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; + } - result = 0; + _gnutls_hash(hd, der.data, der.size); -cleanup: - - _gnutls_free_datum( &der); - return result; + _gnutls_hash_deinit(hd, output_data); + *output_data_size = 20; + + result = 0; + + cleanup: + + _gnutls_free_datum(&der); + return result; } #ifdef ENABLE_PKI @@ -1306,36 +1334,38 @@ cleanup: * 0 on success. * **/ -int gnutls_x509_privkey_sign_data( gnutls_x509_privkey key, gnutls_digest_algorithm digest, - unsigned int flags, const gnutls_datum* data, - void* signature, size_t* signature_size) +int gnutls_x509_privkey_sign_data(gnutls_x509_privkey key, + gnutls_digest_algorithm digest, + unsigned int flags, + const gnutls_datum * data, + void *signature, size_t * signature_size) { -int result; -gnutls_datum sig = { NULL, 0 }; + int result; + gnutls_datum sig = { NULL, 0 }; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_sign( data, digest, key, &sig); - if (result < 0) { - gnutls_assert(); - return result; - } - - if (*signature_size < sig.size) { - *signature_size = sig.size; - _gnutls_free_datum( &sig); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - + result = _gnutls_x509_sign(data, digest, key, &sig); + if (result < 0) { + gnutls_assert(); + return result; + } + + if (*signature_size < sig.size) { *signature_size = sig.size; - memcpy( signature, sig.data, sig.size); - - _gnutls_free_datum( &sig); + _gnutls_free_datum(&sig); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - return 0; + *signature_size = sig.size; + memcpy(signature, sig.data, sig.size); + + _gnutls_free_datum(&sig); + + return 0; } /** @@ -1352,24 +1382,25 @@ gnutls_datum sig = { NULL, 0 }; * 1 on success. * **/ -int gnutls_x509_privkey_verify_data( gnutls_x509_privkey key, unsigned int flags, - const gnutls_datum* data, const gnutls_datum* signature) +int gnutls_x509_privkey_verify_data(gnutls_x509_privkey key, + unsigned int flags, + const gnutls_datum * data, + const gnutls_datum * signature) { -int result; + int result; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_privkey_verify_signature( data, signature, key); - if (result < 0) { - gnutls_assert(); - return 0; - } - - return result; + result = _gnutls_x509_privkey_verify_signature(data, signature, key); + if (result < 0) { + gnutls_assert(); + return 0; + } + + return result; } #endif - diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index 894be9f1b7..c0fe3fd663 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -54,16 +54,16 @@ #define PKCS12_PBE_RC2_40_SHA1_OID "1.2.840.113549.1.12.1.6" struct pbkdf2_params { - opaque salt[32]; - int salt_size; - unsigned int iter_count; - int key_size; + opaque salt[32]; + int salt_size; + unsigned int iter_count; + int key_size; }; struct pbe_enc_params { - gnutls_cipher_algorithm cipher; - opaque iv[8]; - int iv_size; + gnutls_cipher_algorithm cipher; + opaque iv[8]; + int iv_size; }; static int generate_key(schema_id schema, const char *password, @@ -82,18 +82,20 @@ static int decrypt_data(schema_id, ASN1_TYPE pkcs8_asn, const char *root, const struct pbe_enc_params *enc_params, gnutls_datum * decrypted_data); static int decode_private_key_info(const gnutls_datum * der, - gnutls_x509_privkey pkey, ASN1_TYPE* out); -static int write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, const char* where, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params); + gnutls_x509_privkey pkey, + ASN1_TYPE * out); +static int write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, + const char *where, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params); static int encrypt_data(const gnutls_datum * plain, const struct pbe_enc_params *enc_params, gnutls_datum * key, gnutls_datum * encrypted); static int read_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - struct pbkdf2_params *params); + struct pbkdf2_params *params); static int write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - const struct pbkdf2_params *params); + const struct pbkdf2_params *params); #define PEM_PKCS8 "ENCRYPTED PRIVATE KEY" #define PEM_UNENCRYPTED_PKCS8 "PRIVATE KEY" @@ -104,21 +106,22 @@ static int write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, inline static int check_schema(const char *oid) { - if (strcmp(oid, PBES2_OID) == 0) - return PBES2; + if (strcmp(oid, PBES2_OID) == 0) + return PBES2; - if (strcmp(oid, PKCS12_PBE_3DES_SHA1_OID) == 0) - return PKCS12_3DES_SHA1; + if (strcmp(oid, PKCS12_PBE_3DES_SHA1_OID) == 0) + return PKCS12_3DES_SHA1; - if (strcmp(oid, PKCS12_PBE_ARCFOUR_SHA1_OID) == 0) - return PKCS12_ARCFOUR_SHA1; + if (strcmp(oid, PKCS12_PBE_ARCFOUR_SHA1_OID) == 0) + return PKCS12_ARCFOUR_SHA1; - if (strcmp(oid, PKCS12_PBE_RC2_40_SHA1_OID) == 0) - return PKCS12_RC2_40_SHA1; + if (strcmp(oid, PKCS12_PBE_RC2_40_SHA1_OID) == 0) + return PKCS12_RC2_40_SHA1; - _gnutls_x509_log("PKCS encryption schema OID '%s' is unsupported.\n", oid); + _gnutls_x509_log("PKCS encryption schema OID '%s' is unsupported.\n", + oid); - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; } /* @@ -130,244 +133,243 @@ static int encode_to_private_key_info(gnutls_x509_privkey pkey, gnutls_datum * der, ASN1_TYPE * pkey_info) { - int result; - size_t size; - opaque *data = NULL; - opaque null = 0; - - if (pkey->pk_algorithm != GNUTLS_PK_RSA) { - gnutls_assert(); - return GNUTLS_E_UNIMPLEMENTED_FEATURE; - } - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-PrivateKeyInfo", - pkey_info)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the version. - */ - result = asn1_write_value(*pkey_info, "version", &null, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* write the privateKeyAlgorithm - * fields. (OID+NULL data) - */ - result = - asn1_write_value(*pkey_info, "privateKeyAlgorithm.algorithm", - PKIX1_RSA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = - asn1_write_value(*pkey_info, "privateKeyAlgorithm.parameters", - NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the raw private key - */ - size = 0; - result = - gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, NULL, - &size); - if (result != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - goto error; - } - - data = gnutls_alloca(size); - if (data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - - result = - gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, data, - &size); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = asn1_write_value(*pkey_info, "privateKey", data, size); - + int result; + size_t size; + opaque *data = NULL; + opaque null = 0; + + if (pkey->pk_algorithm != GNUTLS_PK_RSA) { + gnutls_assert(); + return GNUTLS_E_UNIMPLEMENTED_FEATURE; + } + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-8-PrivateKeyInfo", + pkey_info)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Write the version. + */ + result = asn1_write_value(*pkey_info, "version", &null, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* write the privateKeyAlgorithm + * fields. (OID+NULL data) + */ + result = + asn1_write_value(*pkey_info, "privateKeyAlgorithm.algorithm", + PKIX1_RSA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = + asn1_write_value(*pkey_info, "privateKeyAlgorithm.parameters", + NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Write the raw private key + */ + size = 0; + result = + gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, NULL, &size); + if (result != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + goto error; + } + + data = gnutls_alloca(size); + if (data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + + result = + gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, data, &size); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = asn1_write_value(*pkey_info, "privateKey", data, size); + + gnutls_afree(data); + data = NULL; + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Append an empty Attributes field. + */ + result = asn1_write_value(*pkey_info, "attributes", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* DER Encode the generated private key info. + */ + size = 0; + result = asn1_der_coding(*pkey_info, "", NULL, &size, NULL); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* allocate data for the der + */ + der->size = size; + der->data = gnutls_malloc(size); + if (der->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_der_coding(*pkey_info, "", der->data, &size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + return 0; + + error: + asn1_delete_structure(pkey_info); + if (data != NULL) { gnutls_afree(data); - data = NULL; - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Append an empty Attributes field. - */ - result = asn1_write_value(*pkey_info, "attributes", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* DER Encode the generated private key info. - */ - size = 0; - result = asn1_der_coding(*pkey_info, "", NULL, &size, NULL); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* allocate data for the der - */ - der->size = size; - der->data = gnutls_malloc(size); - if (der->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - result = asn1_der_coding(*pkey_info, "", der->data, &size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - return 0; - - error: - asn1_delete_structure(pkey_info); - if (data != NULL) { - gnutls_afree(data); - } - return result; + } + return result; } /* Converts a PKCS #8 private key info to * a PKCS #8 EncryptedPrivateKeyInfo. */ -static -int encode_to_pkcs8_key( schema_id schema, const gnutls_datum * der_key, - const char *password, ASN1_TYPE* out) +static +int encode_to_pkcs8_key(schema_id schema, const gnutls_datum * der_key, + const char *password, ASN1_TYPE * out) { - int result; - gnutls_datum key = { NULL, 0 }; - gnutls_datum tmp = { NULL, 0 }; - ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the encryption schema OID - */ - switch (schema) { - case PBES2: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PBES2_OID, 1); - break; - case PKCS12_3DES_SHA1: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PKCS12_PBE_3DES_SHA1_OID, 1); - break; - case PKCS12_ARCFOUR_SHA1: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PKCS12_PBE_ARCFOUR_SHA1_OID, 1); - break; - case PKCS12_RC2_40_SHA1: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PKCS12_PBE_RC2_40_SHA1_OID, 1); - break; - - } - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Generate a symmetric key. - */ - + int result; + gnutls_datum key = { NULL, 0 }; + gnutls_datum tmp = { NULL, 0 }; + ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Write the encryption schema OID + */ + switch (schema) { + case PBES2: result = - generate_key(schema, password, &kdf_params, &enc_params, &key); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = write_schema_params(schema, pkcs8_asn, "encryptionAlgorithm.parameters", - &kdf_params, &enc_params); - if (result < 0) { - gnutls_assert(); - goto error; - } - - /* Parameters have been encoded. Now - * encrypt the Data. - */ - result = encrypt_data( der_key, &enc_params, &key, &tmp); - if (result < 0) { - gnutls_assert(); - goto error; - } - - /* write the encrypted data. - */ + asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", + PBES2_OID, 1); + break; + case PKCS12_3DES_SHA1: result = - asn1_write_value(pkcs8_asn, "encryptedData", tmp.data, - tmp.size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - _gnutls_free_datum(&tmp); - _gnutls_free_datum(&key); - - *out = pkcs8_asn; - - return 0; - - error: - _gnutls_free_datum(&key); - _gnutls_free_datum(&tmp); - asn1_delete_structure(&pkcs8_asn); - return result; + asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", + PKCS12_PBE_3DES_SHA1_OID, 1); + break; + case PKCS12_ARCFOUR_SHA1: + result = + asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", + PKCS12_PBE_ARCFOUR_SHA1_OID, 1); + break; + case PKCS12_RC2_40_SHA1: + result = + asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", + PKCS12_PBE_RC2_40_SHA1_OID, 1); + break; + + } + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Generate a symmetric key. + */ + + result = + generate_key(schema, password, &kdf_params, &enc_params, &key); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = + write_schema_params(schema, pkcs8_asn, + "encryptionAlgorithm.parameters", &kdf_params, + &enc_params); + if (result < 0) { + gnutls_assert(); + goto error; + } + + /* Parameters have been encoded. Now + * encrypt the Data. + */ + result = encrypt_data(der_key, &enc_params, &key, &tmp); + if (result < 0) { + gnutls_assert(); + goto error; + } + + /* write the encrypted data. + */ + result = + asn1_write_value(pkcs8_asn, "encryptedData", tmp.data, tmp.size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + _gnutls_free_datum(&tmp); + _gnutls_free_datum(&key); + + *out = pkcs8_asn; + + return 0; + + error: + _gnutls_free_datum(&key); + _gnutls_free_datum(&tmp); + asn1_delete_structure(&pkcs8_asn); + return result; } @@ -404,68 +406,67 @@ int gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey key, const char *password, unsigned int flags, void *output_data, - size_t *output_data_size) + size_t * output_data_size) { - ASN1_TYPE pkcs8_asn, pkey_info; - int ret; - gnutls_datum tmp; - schema_id schema; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Get the private key info - * tmp holds the DER encoding. - */ - ret = encode_to_private_key_info(key, &tmp, &pkey_info); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ASN1_TYPE pkcs8_asn, pkey_info; + int ret; + gnutls_datum tmp; + schema_id schema; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Get the private key info + * tmp holds the DER encoding. + */ + ret = encode_to_private_key_info(key, &tmp, &pkey_info); + if (ret < 0) { + gnutls_assert(); + return ret; + } - if (flags & GNUTLS_PKCS_USE_PKCS12_3DES) - schema = PKCS12_3DES_SHA1; - else if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) - schema = PKCS12_ARCFOUR_SHA1; - else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) - schema = PKCS12_RC2_40_SHA1; - else - schema = PBES2; + if (flags & GNUTLS_PKCS_USE_PKCS12_3DES) + schema = PKCS12_3DES_SHA1; + else if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) + schema = PKCS12_ARCFOUR_SHA1; + else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) + schema = PKCS12_RC2_40_SHA1; + else + schema = PBES2; - if ((flags & GNUTLS_PKCS_PLAIN) || password == NULL) - { - _gnutls_free_datum(&tmp); + if ((flags & GNUTLS_PKCS_PLAIN) || password == NULL) { + _gnutls_free_datum(&tmp); - ret = - _gnutls_x509_export_int(pkey_info, format, - PEM_UNENCRYPTED_PKCS8, - *output_data_size, output_data, - output_data_size); + ret = + _gnutls_x509_export_int(pkey_info, format, + PEM_UNENCRYPTED_PKCS8, + *output_data_size, output_data, + output_data_size); - asn1_delete_structure(&pkey_info); - } else { - asn1_delete_structure(&pkey_info); /* we don't need it */ + asn1_delete_structure(&pkey_info); + } else { + asn1_delete_structure(&pkey_info); /* we don't need it */ - ret = encode_to_pkcs8_key(schema, &tmp, password, &pkcs8_asn); - _gnutls_free_datum(&tmp); + ret = encode_to_pkcs8_key(schema, &tmp, password, &pkcs8_asn); + _gnutls_free_datum(&tmp); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = - _gnutls_x509_export_int(pkcs8_asn, format, PEM_PKCS8, - *output_data_size, output_data, - output_data_size); + ret = + _gnutls_x509_export_int(pkcs8_asn, format, PEM_PKCS8, + *output_data_size, output_data, + output_data_size); - asn1_delete_structure(&pkcs8_asn); - } + asn1_delete_structure(&pkcs8_asn); + } - return ret; + return ret; } @@ -473,333 +474,328 @@ int gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey key, * schema ID. */ static -int read_pkcs_schema_params(schema_id schema, const char* password, - const opaque * data, int data_size, +int read_pkcs_schema_params(schema_id schema, const char *password, + const opaque * data, int data_size, struct pbkdf2_params *kdf_params, struct pbe_enc_params *enc_params) { - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; - int result; - gnutls_datum tmp; - - switch (schema) { - - case PBES2: - - /* Now check the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBES2-params", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Decode the parameters. - */ - result = - asn1_der_decoding(&pbes2_asn, - data, data_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - tmp.data = (opaque*)data; - tmp.size = data_size; - - result = read_pbkdf2_params(pbes2_asn, &tmp, kdf_params); - if (result < 0) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = read_pbe_enc_params(pbes2_asn, &tmp, enc_params); - if (result < 0) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - asn1_delete_structure(&pbes2_asn); - return 0; - break; - - case PKCS12_3DES_SHA1: - case PKCS12_ARCFOUR_SHA1: - case PKCS12_RC2_40_SHA1: - - if ((schema) == PKCS12_3DES_SHA1) { - enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; - enc_params->iv_size = 8; - } else if ((schema) == PKCS12_ARCFOUR_SHA1) { - enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; - enc_params->iv_size = 0; - } else if ((schema) == PKCS12_RC2_40_SHA1) { - enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; - enc_params->iv_size = 8; - } - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-PbeParams", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Decode the parameters. - */ - result = - asn1_der_decoding(&pbes2_asn, - data, data_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = read_pkcs12_kdf_params(pbes2_asn, kdf_params); - if (result < 0) { - gnutls_assert(); - goto error; - } - - if (enc_params->iv_size) { - result = _pkcs12_string_to_key( 2/*IV*/, kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, password, enc_params->iv_size, enc_params->iv); - if (result < 0) { - gnutls_assert(); - goto error; - } - - } - - asn1_delete_structure(&pbes2_asn); - - return 0; - break; - - } /* switch */ - - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; - - error: - asn1_delete_structure(&pbes2_asn); - return result; -} + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; + int result; + gnutls_datum tmp; + switch (schema) { -/* Converts a PKCS #8 key to - * an internal structure (gnutls_private_key) - * (normally a PKCS #1 encoded RSA key) - */ -static -int decode_pkcs8_key(const gnutls_datum * raw_key, - const char *password, - gnutls_x509_privkey pkey, ASN1_TYPE* out) -{ - int result, len; - char enc_oid[64]; - gnutls_datum tmp; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs8_asn = ASN1_TYPE_EMPTY; - ASN1_TYPE ret_asn; - int params_start, params_end, params_len; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - schema_id schema; + case PBES2: + /* Now check the key derivation and the encryption + * functions. + */ if ((result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = - asn1_der_decoding(&pkcs8_asn, raw_key->data, raw_key->size, - NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Check the encryption schema OID - */ - len = sizeof(enc_oid); - result = - asn1_read_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - enc_oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; + "PKIX1.pkcs-5-PBES2-params", + &pbes2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - if ((result = check_schema(enc_oid)) < 0) { - gnutls_assert(); - goto error; - } - - schema = result; - - /* Get the DER encoding of the parameters. + /* Decode the parameters. */ - result = - asn1_der_decoding_startEnd(pkcs8_asn, raw_key->data, - raw_key->size, - "encryptionAlgorithm.parameters", - ¶ms_start, ¶ms_end); + result = asn1_der_decoding(&pbes2_asn, data, data_size, NULL); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - params_len = params_end - params_start + 1; - - result = - read_pkcs_schema_params(schema, password, - &raw_key->data[params_start], - params_len, &kdf_params, &enc_params); + tmp.data = (opaque *) data; + tmp.size = data_size; - /* Parameters have been decoded. Now - * decrypt the EncryptedData. - */ - result = - decrypt_data(schema, pkcs8_asn, "encryptedData", password, &kdf_params, - &enc_params, &tmp); + result = read_pbkdf2_params(pbes2_asn, &tmp, kdf_params); if (result < 0) { - gnutls_assert(); - goto error; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - asn1_delete_structure(&pkcs8_asn); - - result = decode_private_key_info(&tmp, pkey, &ret_asn); - _gnutls_free_datum(&tmp); - + result = read_pbe_enc_params(pbes2_asn, &tmp, enc_params); if (result < 0) { - gnutls_assert(); - goto error; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - *out = ret_asn; - - return 0; - - error: asn1_delete_structure(&pbes2_asn); - asn1_delete_structure(&pkcs8_asn); - return result; -} + return 0; + break; -static -int decode_private_key_info(const gnutls_datum * der, - gnutls_x509_privkey pkey, ASN1_TYPE* out) -{ - int result, len; - opaque oid[64], *data = NULL; - gnutls_datum tmp; - ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; - ASN1_TYPE ret_asn; - int data_size; + case PKCS12_3DES_SHA1: + case PKCS12_ARCFOUR_SHA1: + case PKCS12_RC2_40_SHA1: + if ((schema) == PKCS12_3DES_SHA1) { + enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; + enc_params->iv_size = 8; + } else if ((schema) == PKCS12_ARCFOUR_SHA1) { + enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; + enc_params->iv_size = 0; + } else if ((schema) == PKCS12_RC2_40_SHA1) { + enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; + enc_params->iv_size = 8; + } if ((result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-PrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = asn1_der_decoding(&pkcs8_asn, der->data, der->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; + "PKIX1.pkcs-12-PbeParams", + &pbes2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - /* Check the private key algorithm OID + /* Decode the parameters. */ - len = sizeof(oid); - result = - asn1_read_value(pkcs8_asn, "privateKeyAlgorithm.algorithm", - oid, &len); + result = asn1_der_decoding(&pbes2_asn, data, data_size, NULL); if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - /* we only support RSA private keys. - */ - if (strcmp(oid, PKIX1_RSA_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log - ("PKCS #8 private key OID '%s' is unsupported.\n", - oid); - result = GNUTLS_E_UNKNOWN_PK_ALGORITHM; - goto error; + result = read_pkcs12_kdf_params(pbes2_asn, kdf_params); + if (result < 0) { + gnutls_assert(); + goto error; } - /* Get the DER encoding of the actual private key. - */ - data_size = 0; - result = - asn1_read_value(pkcs8_asn, "privateKey", NULL, &data_size); - if (result != ASN1_MEM_ERROR) { + if (enc_params->iv_size) { + result = + _pkcs12_string_to_key(2 /*IV*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + enc_params->iv_size, enc_params->iv); + if (result < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto error; - } + } - data = gnutls_alloca(data_size); - if (data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto error; } - result = - asn1_read_value(pkcs8_asn, "privateKey", data, &data_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } + asn1_delete_structure(&pbes2_asn); - asn1_delete_structure(&pkcs8_asn); + return 0; + break; - tmp.data = data; - tmp.size = data_size; + } /* switch */ - pkey->pk_algorithm = GNUTLS_PK_RSA; + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; - ret_asn = _gnutls_privkey_decode_pkcs1_rsa_key(&tmp, pkey); - if (ret_asn == NULL) { - gnutls_assert(); - } + error: + asn1_delete_structure(&pbes2_asn); + return result; +} - *out = ret_asn; - return 0; +/* Converts a PKCS #8 key to + * an internal structure (gnutls_private_key) + * (normally a PKCS #1 encoded RSA key) + */ +static +int decode_pkcs8_key(const gnutls_datum * raw_key, + const char *password, + gnutls_x509_privkey pkey, ASN1_TYPE * out) +{ + int result, len; + char enc_oid[64]; + gnutls_datum tmp; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs8_asn = ASN1_TYPE_EMPTY; + ASN1_TYPE ret_asn; + int params_start, params_end, params_len; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + schema_id schema; + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = + asn1_der_decoding(&pkcs8_asn, raw_key->data, raw_key->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Check the encryption schema OID + */ + len = sizeof(enc_oid); + result = + asn1_read_value(pkcs8_asn, "encryptionAlgorithm.algorithm", + enc_oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + + if ((result = check_schema(enc_oid)) < 0) { + gnutls_assert(); + goto error; + } + + schema = result; + + /* Get the DER encoding of the parameters. + */ + result = + asn1_der_decoding_startEnd(pkcs8_asn, raw_key->data, + raw_key->size, + "encryptionAlgorithm.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + params_len = params_end - params_start + 1; + + result = + read_pkcs_schema_params(schema, password, + &raw_key->data[params_start], + params_len, &kdf_params, &enc_params); + + + /* Parameters have been decoded. Now + * decrypt the EncryptedData. + */ + result = + decrypt_data(schema, pkcs8_asn, "encryptedData", password, + &kdf_params, &enc_params, &tmp); + if (result < 0) { + gnutls_assert(); + goto error; + } + + asn1_delete_structure(&pkcs8_asn); + + result = decode_private_key_info(&tmp, pkey, &ret_asn); + _gnutls_free_datum(&tmp); + + if (result < 0) { + gnutls_assert(); + goto error; + } + + *out = ret_asn; + + return 0; + + error: + asn1_delete_structure(&pbes2_asn); + asn1_delete_structure(&pkcs8_asn); + return result; +} - error: - asn1_delete_structure(&pkcs8_asn); - if (data != NULL) { - gnutls_afree(data); - } - return result; +static +int decode_private_key_info(const gnutls_datum * der, + gnutls_x509_privkey pkey, ASN1_TYPE * out) +{ + int result, len; + opaque oid[64], *data = NULL; + gnutls_datum tmp; + ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; + ASN1_TYPE ret_asn; + int data_size; + + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-8-PrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = asn1_der_decoding(&pkcs8_asn, der->data, der->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + + /* Check the private key algorithm OID + */ + len = sizeof(oid); + result = + asn1_read_value(pkcs8_asn, "privateKeyAlgorithm.algorithm", + oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* we only support RSA private keys. + */ + if (strcmp(oid, PKIX1_RSA_OID) != 0) { + gnutls_assert(); + _gnutls_x509_log + ("PKCS #8 private key OID '%s' is unsupported.\n", oid); + result = GNUTLS_E_UNKNOWN_PK_ALGORITHM; + goto error; + } + + /* Get the DER encoding of the actual private key. + */ + data_size = 0; + result = asn1_read_value(pkcs8_asn, "privateKey", NULL, &data_size); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + data = gnutls_alloca(data_size); + if (data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + result = asn1_read_value(pkcs8_asn, "privateKey", data, &data_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + asn1_delete_structure(&pkcs8_asn); + + tmp.data = data; + tmp.size = data_size; + + pkey->pk_algorithm = GNUTLS_PK_RSA; + + ret_asn = _gnutls_privkey_decode_pkcs1_rsa_key(&tmp, pkey); + if (ret_asn == NULL) { + gnutls_assert(); + } + + *out = ret_asn; + + return 0; + + error: + asn1_delete_structure(&pkcs8_asn); + if (data != NULL) { + gnutls_afree(data); + } + return result; } @@ -832,78 +828,78 @@ int gnutls_x509_privkey_import_pkcs8(gnutls_x509_privkey key, const char *password, unsigned int flags) { - int result = 0, need_free = 0; - gnutls_datum _data; - int encrypted; + int result = 0, need_free = 0; + gnutls_datum _data; + int encrypted; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - _data.data = data->data; - _data.size = data->size; + _data.data = data->data; + _data.size = data->size; - key->pk_algorithm = GNUTLS_PK_UNKNOWN; + key->pk_algorithm = GNUTLS_PK_UNKNOWN; - /* If the Certificate is in PEM format then decode it + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; + + /* Try the first header */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - /* Try the first header - */ - result = - _gnutls_fbase64_decode(PEM_UNENCRYPTED_PKCS8, - data->data, data->size, &out); - encrypted = 0; - - if (result < 0) { /* Try the encrypted header - */ - result = - _gnutls_fbase64_decode(PEM_PKCS8, data->data, - data->size, &out); - - if (result <= 0) { - if (result == 0) - result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - - encrypted = 1; - } - - _data.data = out; - _data.size = result; - - need_free = 1; - } + result = + _gnutls_fbase64_decode(PEM_UNENCRYPTED_PKCS8, + data->data, data->size, &out); + encrypted = 0; - if (flags & GNUTLS_PKCS_PLAIN || password == NULL) { - result = decode_private_key_info(&_data, key, &key->key); - } else { /* encrypted. */ - result = decode_pkcs8_key(&_data, password, key, &key->key); - } + if (result < 0) { /* Try the encrypted header + */ + result = + _gnutls_fbase64_decode(PEM_PKCS8, data->data, + data->size, &out); - if (result < 0) { + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; gnutls_assert(); - goto cleanup; + return result; + } + + encrypted = 1; } - if (need_free) - _gnutls_free_datum(&_data); + _data.data = out; + _data.size = result; - /* The key has now been decoded. - */ + need_free = 1; + } - return 0; + if (flags & GNUTLS_PKCS_PLAIN || password == NULL) { + result = decode_private_key_info(&_data, key, &key->key); + } else { /* encrypted. */ + result = decode_pkcs8_key(&_data, password, key, &key->key); + } - cleanup: - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - if (need_free) - _gnutls_free_datum(&_data); - return result; + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + if (need_free) + _gnutls_free_datum(&_data); + + /* The key has now been decoded. + */ + + return 0; + + cleanup: + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + if (need_free) + _gnutls_free_datum(&_data); + return result; } /* Reads the PBKDF2 parameters. @@ -912,181 +908,180 @@ static int read_pbkdf2_params(ASN1_TYPE pbes2_asn, const gnutls_datum * der, struct pbkdf2_params *params) { - int params_start, params_end; - int params_len, len, result; - ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; - char oid[64]; - - memset(params, 0, sizeof(params)); - - /* Check the key derivation algorithm - */ - len = sizeof(oid); - result = - asn1_read_value(pbes2_asn, "keyDerivationFunc.algorithm", oid, - &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - _gnutls_hard_log("keyDerivationFunc.algorithm: %s\n", oid); - - if (strcmp(oid, PBKDF2_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log - ("PKCS #8 key derivation OID '%s' is unsupported.\n", - oid); - return _gnutls_asn2err(result); - } - - result = - asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, - "keyDerivationFunc.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - params_len = params_end - params_start + 1; - - /* Now check the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBKDF2-params", - &pbkdf2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = - asn1_der_decoding(&pbkdf2_asn, &der->data[params_start], - params_len, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* read the salt */ - params->salt_size = sizeof(params->salt); - result = - asn1_read_value(pbkdf2_asn, "salt.specified", params->salt, - ¶ms->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.specified.size: %d\n", params->salt_size); - - /* read the iteration count - */ - result = - _gnutls_x509_read_uint(pbkdf2_asn, "iterationCount", - ¶ms->iter_count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", params->iter_count); - - /* read the keylength, if it is set. - */ - result = - _gnutls_x509_read_uint(pbkdf2_asn, "keyLength", - ¶ms->key_size); - if (result < 0) { - params->key_size = 0; - } - _gnutls_hard_log("keyLength: %d\n", params->key_size); + int params_start, params_end; + int params_len, len, result; + ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; + char oid[64]; + + memset(params, 0, sizeof(params)); + + /* Check the key derivation algorithm + */ + len = sizeof(oid); + result = + asn1_read_value(pbes2_asn, "keyDerivationFunc.algorithm", oid, + &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + _gnutls_hard_log("keyDerivationFunc.algorithm: %s\n", oid); + + if (strcmp(oid, PBKDF2_OID) != 0) { + gnutls_assert(); + _gnutls_x509_log + ("PKCS #8 key derivation OID '%s' is unsupported.\n", oid); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, + "keyDerivationFunc.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + params_len = params_end - params_start + 1; + + /* Now check the key derivation and the encryption + * functions. + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-5-PBKDF2-params", + &pbkdf2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding(&pbkdf2_asn, &der->data[params_start], + params_len, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* read the salt */ + params->salt_size = sizeof(params->salt); + result = + asn1_read_value(pbkdf2_asn, "salt.specified", params->salt, + ¶ms->salt_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("salt.specified.size: %d\n", params->salt_size); + + /* read the iteration count + */ + result = + _gnutls_x509_read_uint(pbkdf2_asn, "iterationCount", + ¶ms->iter_count); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("iterationCount: %d\n", params->iter_count); + + /* read the keylength, if it is set. + */ + result = + _gnutls_x509_read_uint(pbkdf2_asn, "keyLength", ¶ms->key_size); + if (result < 0) { + params->key_size = 0; + } + _gnutls_hard_log("keyLength: %d\n", params->key_size); - /* We don't read the PRF. We only use the default. - */ + /* We don't read the PRF. We only use the default. + */ - return 0; + return 0; - error: - asn1_delete_structure(&pbkdf2_asn); - return result; + error: + asn1_delete_structure(&pbkdf2_asn); + return result; } /* Reads the PBE parameters from PKCS-12 schemas (*&#%*&#% RSA). */ static int read_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - struct pbkdf2_params *params) + struct pbkdf2_params *params) { - int result; - - memset(params, 0, sizeof(params)); - - /* read the salt */ - params->salt_size = sizeof(params->salt); - result = - asn1_read_value(pbes2_asn, "salt", params->salt, - ¶ms->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.size: %d\n", params->salt_size); - - /* read the iteration count - */ - result = - _gnutls_x509_read_uint(pbes2_asn, "iterations", - ¶ms->iter_count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", params->iter_count); - - params->key_size = 0; - - return 0; - - error: - return result; + int result; + + memset(params, 0, sizeof(params)); + + /* read the salt */ + params->salt_size = sizeof(params->salt); + result = + asn1_read_value(pbes2_asn, "salt", params->salt, + ¶ms->salt_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("salt.size: %d\n", params->salt_size); + + /* read the iteration count + */ + result = + _gnutls_x509_read_uint(pbes2_asn, "iterations", + ¶ms->iter_count); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("iterationCount: %d\n", params->iter_count); + + params->key_size = 0; + + return 0; + + error: + return result; } /* Writes the PBE parameters for PKCS-12 schemas. */ static int write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - const struct pbkdf2_params *kdf_params) + const struct pbkdf2_params *kdf_params) { - int result; - - /* write the salt - */ - result = - asn1_write_value(pbes2_asn, "salt", - kdf_params->salt, kdf_params->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.size: %d\n", - kdf_params->salt_size); - - /* write the iteration count - */ - result = _gnutls_x509_write_uint32( pbes2_asn, "iterations", kdf_params->iter_count); - if (result < 0) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); - - return 0; - - error: - return result; + int result; + + /* write the salt + */ + result = + asn1_write_value(pbes2_asn, "salt", + kdf_params->salt, kdf_params->salt_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("salt.size: %d\n", kdf_params->salt_size); + + /* write the iteration count + */ + result = + _gnutls_x509_write_uint32(pbes2_asn, "iterations", + kdf_params->iter_count); + if (result < 0) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); + + return 0; + + error: + return result; } @@ -1097,21 +1092,20 @@ inline static int oid2cipher(const char *oid, gnutls_cipher_algorithm * algo) { - *algo = 0; + *algo = 0; - if (strcmp(oid, DES_EDE3_CBC_OID) == 0) { - *algo = GNUTLS_CIPHER_3DES_CBC; - return 0; - } + if (strcmp(oid, DES_EDE3_CBC_OID) == 0) { + *algo = GNUTLS_CIPHER_3DES_CBC; + return 0; + } - if (strcmp(oid, DES_CBC_OID) == 0) { - *algo = GNUTLS_CIPHER_DES_CBC; - return 0; - } + if (strcmp(oid, DES_CBC_OID) == 0) { + *algo = GNUTLS_CIPHER_DES_CBC; + return 0; + } - _gnutls_x509_log("PKCS #8 encryption OID '%s' is unsupported.\n", - oid); - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + _gnutls_x509_log("PKCS #8 encryption OID '%s' is unsupported.\n", oid); + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; } @@ -1119,189 +1113,190 @@ static int read_pbe_enc_params(ASN1_TYPE pbes2_asn, const gnutls_datum * der, struct pbe_enc_params *params) { - int params_start, params_end; - int params_len, len, result; - ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; - char oid[64]; - - memset(params, 0, sizeof(params)); - - /* Check the encryption algorithm - */ - len = sizeof(oid); - result = - asn1_read_value(pbes2_asn, "encryptionScheme.algorithm", oid, - &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("encryptionScheme.algorithm: %s\n", oid); - - if ((result = oid2cipher(oid, ¶ms->cipher)) < 0) { - gnutls_assert(); - goto error; - } - - result = - asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, - "encryptionScheme.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - params_len = params_end - params_start + 1; - - /* Now check the encryption parameters. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-des-EDE3-CBC-params", - &pbe_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = - asn1_der_decoding(&pbe_asn, &der->data[params_start], - params_len, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* read the IV */ - params->iv_size = sizeof(params->iv); - result = - asn1_read_value(pbe_asn, "", params->iv, ¶ms->iv_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("IV.size: %d\n", params->iv_size); - - return 0; - - error: - asn1_delete_structure(&pbe_asn); - return result; + int params_start, params_end; + int params_len, len, result; + ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; + char oid[64]; + + memset(params, 0, sizeof(params)); + + /* Check the encryption algorithm + */ + len = sizeof(oid); + result = + asn1_read_value(pbes2_asn, "encryptionScheme.algorithm", oid, + &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("encryptionScheme.algorithm: %s\n", oid); + + if ((result = oid2cipher(oid, ¶ms->cipher)) < 0) { + gnutls_assert(); + goto error; + } + + result = + asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, + "encryptionScheme.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + params_len = params_end - params_start + 1; + + /* Now check the encryption parameters. + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-5-des-EDE3-CBC-params", + &pbe_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding(&pbe_asn, &der->data[params_start], + params_len, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* read the IV */ + params->iv_size = sizeof(params->iv); + result = asn1_read_value(pbe_asn, "", params->iv, ¶ms->iv_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("IV.size: %d\n", params->iv_size); + + return 0; + + error: + asn1_delete_structure(&pbe_asn); + return result; } -static int decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn, const char *root, - const char *password, +static int decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn, + const char *root, const char *password, const struct pbkdf2_params *kdf_params, const struct pbe_enc_params *enc_params, gnutls_datum * decrypted_data) { - int result; - int data_size; - opaque *data = NULL, *key = NULL; - gnutls_datum dkey, div; - cipher_hd_t ch = NULL; - int key_size; - - data_size = 0; - result = asn1_read_value(pkcs8_asn, root, NULL, &data_size); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + int result; + int data_size; + opaque *data = NULL, *key = NULL; + gnutls_datum dkey, div; + cipher_hd_t ch = NULL; + int key_size; + + data_size = 0; + result = asn1_read_value(pkcs8_asn, root, NULL, &data_size); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + data = gnutls_malloc(data_size); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_read_value(pkcs8_asn, root, data, &data_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + if (kdf_params->key_size == 0) { + key_size = gnutls_cipher_get_key_size(enc_params->cipher); + } else + key_size = kdf_params->key_size; + + key = gnutls_alloca(key_size); + if (key == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + /* generate the key + */ + if (schema == PBES2) { + result = + _gnutls_pkcs5_pbkdf2(PKCS5_PRF_SHA1, password, + strlen(password), kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, key_size, key); - data = gnutls_malloc(data_size); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (result != PKCS5_OK) { + gnutls_assert(); + result = GNUTLS_E_DECRYPTION_FAILED; + goto error; } + } else { + result = + _pkcs12_string_to_key(1 /*KEY*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + key_size, key); - result = asn1_read_value(pkcs8_asn, root, data, &data_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if (result < 0) { + gnutls_assert(); + goto error; } + } - if (kdf_params->key_size == 0) { - key_size = gnutls_cipher_get_key_size(enc_params->cipher); - } else - key_size = kdf_params->key_size; + /* do the decryption. + */ + dkey.data = key; + dkey.size = key_size; - key = gnutls_alloca(key_size); - if (key == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto error; - } + div.data = (opaque *) enc_params->iv; + div.size = enc_params->iv_size; + ch = _gnutls_cipher_init(enc_params->cipher, &dkey, &div); - /* generate the key - */ - if (schema == PBES2) { - result = - _gnutls_pkcs5_pbkdf2(PKCS5_PRF_SHA1, password, - strlen(password), kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, key_size, key); - - if (result != PKCS5_OK) { - gnutls_assert(); - result = GNUTLS_E_DECRYPTION_FAILED; - goto error; - } - } else { - result = - _pkcs12_string_to_key( 1/*KEY*/, kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, password, key_size, key); - - if (result < 0) { - gnutls_assert(); - goto error; - } - } + gnutls_afree(key); + key = NULL; - /* do the decryption. - */ - dkey.data = key; - dkey.size = key_size; + if (ch == NULL) { + gnutls_assert(); + result = GNUTLS_E_DECRYPTION_FAILED; + goto error; + } - div.data = (opaque *) enc_params->iv; - div.size = enc_params->iv_size; - ch = _gnutls_cipher_init(enc_params->cipher, &dkey, &div); + result = _gnutls_cipher_decrypt(ch, data, data_size); + if (result < 0) { + gnutls_assert(); + goto error; + } - gnutls_afree(key); - key = NULL; + decrypted_data->data = data; - if (ch == NULL) { - gnutls_assert(); - result = GNUTLS_E_DECRYPTION_FAILED; - goto error; - } - - result = _gnutls_cipher_decrypt(ch, data, data_size); - if (result < 0) { - gnutls_assert(); - goto error; - } + if (_gnutls_cipher_get_block_size(enc_params->cipher) != 1) + decrypted_data->size = data_size - data[data_size - 1]; + else + decrypted_data->size = data_size; - decrypted_data->data = data; + _gnutls_cipher_deinit(ch); - if ( _gnutls_cipher_get_block_size(enc_params->cipher) != 1) - decrypted_data->size = data_size - data[data_size - 1]; - else - decrypted_data->size = data_size; + return 0; + error: + gnutls_free(data); + gnutls_afree(key); + if (ch != NULL) _gnutls_cipher_deinit(ch); - - return 0; - - error: - gnutls_free(data); - gnutls_afree(key); - if (ch != NULL) - _gnutls_cipher_deinit(ch); - return result; + return result; } @@ -1310,629 +1305,634 @@ static int decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn, const char *root, static int write_pbkdf2_params(ASN1_TYPE pbes2_asn, const struct pbkdf2_params *kdf_params) { - int result; - ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; - opaque tmp[64]; - - /* Write the key derivation algorithm - */ - result = - asn1_write_value(pbes2_asn, "keyDerivationFunc.algorithm", - PBKDF2_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* Now write the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBKDF2-params", - &pbkdf2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = asn1_write_value(pbkdf2_asn, "salt", "specified", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* write the salt - */ - result = - asn1_write_value(pbkdf2_asn, "salt.specified", - kdf_params->salt, kdf_params->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.specified.size: %d\n", - kdf_params->salt_size); - - /* write the iteration count - */ - _gnutls_write_uint32(kdf_params->iter_count, tmp); - - result = asn1_write_value(pbkdf2_asn, "iterationCount", tmp, 4); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); - - /* write the keylength, if it is set. - */ - result = asn1_write_value(pbkdf2_asn, "keyLength", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* We write an emptry prf. - */ - result = asn1_write_value(pbkdf2_asn, "prf", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* now encode them an put the DER output - * in the keyDerivationFunc.parameters - */ - result = _gnutls_x509_der_encode_and_copy(pbkdf2_asn, "", - pbes2_asn, - "keyDerivationFunc.parameters", 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - - return 0; - - error: - asn1_delete_structure(&pbkdf2_asn); - return result; + int result; + ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; + opaque tmp[64]; + + /* Write the key derivation algorithm + */ + result = + asn1_write_value(pbes2_asn, "keyDerivationFunc.algorithm", + PBKDF2_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Now write the key derivation and the encryption + * functions. + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-5-PBKDF2-params", + &pbkdf2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(pbkdf2_asn, "salt", "specified", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* write the salt + */ + result = + asn1_write_value(pbkdf2_asn, "salt.specified", + kdf_params->salt, kdf_params->salt_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("salt.specified.size: %d\n", kdf_params->salt_size); + + /* write the iteration count + */ + _gnutls_write_uint32(kdf_params->iter_count, tmp); + + result = asn1_write_value(pbkdf2_asn, "iterationCount", tmp, 4); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); + + /* write the keylength, if it is set. + */ + result = asn1_write_value(pbkdf2_asn, "keyLength", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* We write an emptry prf. + */ + result = asn1_write_value(pbkdf2_asn, "prf", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* now encode them an put the DER output + * in the keyDerivationFunc.parameters + */ + result = _gnutls_x509_der_encode_and_copy(pbkdf2_asn, "", + pbes2_asn, + "keyDerivationFunc.parameters", + 0); + if (result < 0) { + gnutls_assert(); + goto error; + } + + return 0; + + error: + asn1_delete_structure(&pbkdf2_asn); + return result; } static int write_pbe_enc_params(ASN1_TYPE pbes2_asn, const struct pbe_enc_params *params) { - int result; - ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; - - /* Write the encryption algorithm - */ - result = - asn1_write_value(pbes2_asn, "encryptionScheme.algorithm", - DES_EDE3_CBC_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("encryptionScheme.algorithm: %s\n", - DES_EDE3_CBC_OID); - - /* Now check the encryption parameters. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-des-EDE3-CBC-params", - &pbe_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* read the salt */ - result = - asn1_write_value(pbe_asn, "", params->iv, params->iv_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("IV.size: %d\n", params->iv_size); - - /* now encode them an put the DER output - * in the encryptionScheme.parameters - */ - result = _gnutls_x509_der_encode_and_copy(pbe_asn, "", - pbes2_asn, - "encryptionScheme.parameters", 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - - return 0; - - error: - asn1_delete_structure(&pbe_asn); - return result; + int result; + ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; + + /* Write the encryption algorithm + */ + result = + asn1_write_value(pbes2_asn, "encryptionScheme.algorithm", + DES_EDE3_CBC_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("encryptionScheme.algorithm: %s\n", DES_EDE3_CBC_OID); + + /* Now check the encryption parameters. + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-5-des-EDE3-CBC-params", + &pbe_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* read the salt */ + result = asn1_write_value(pbe_asn, "", params->iv, params->iv_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("IV.size: %d\n", params->iv_size); + + /* now encode them an put the DER output + * in the encryptionScheme.parameters + */ + result = _gnutls_x509_der_encode_and_copy(pbe_asn, "", + pbes2_asn, + "encryptionScheme.parameters", + 0); + if (result < 0) { + gnutls_assert(); + goto error; + } + + return 0; + + error: + asn1_delete_structure(&pbe_asn); + return result; } /* Generates a key and also stores the key parameters. */ -static int generate_key( schema_id schema, - const char *password, +static int generate_key(schema_id schema, + const char *password, struct pbkdf2_params *kdf_params, struct pbe_enc_params *enc_params, gnutls_datum * key) { - opaque rnd[2]; - int ret; + opaque rnd[2]; + int ret; - /* We should use the flags here to use different - * encryption algorithms etc. - */ + /* We should use the flags here to use different + * encryption algorithms etc. + */ - if (schema == PKCS12_ARCFOUR_SHA1) - enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; - else if (schema == PKCS12_3DES_SHA1) - enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; - else if (schema == PKCS12_RC2_40_SHA1) - enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; + if (schema == PKCS12_ARCFOUR_SHA1) + enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; + else if (schema == PKCS12_3DES_SHA1) + enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; + else if (schema == PKCS12_RC2_40_SHA1) + enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; - _gnutls_get_random(rnd, 2, GNUTLS_STRONG_RANDOM); + _gnutls_get_random(rnd, 2, GNUTLS_STRONG_RANDOM); - /* generate salt */ - - if (schema==PBES2) - kdf_params->salt_size = - GMIN(sizeof(kdf_params->salt), (uint) (10 + (rnd[1] % 10))); - else - kdf_params->salt_size = 8; + /* generate salt */ - _gnutls_get_random(kdf_params->salt, kdf_params->salt_size, - GNUTLS_STRONG_RANDOM); + if (schema == PBES2) + kdf_params->salt_size = + GMIN(sizeof(kdf_params->salt), (uint) (10 + (rnd[1] % 10))); + else + kdf_params->salt_size = 8; - kdf_params->iter_count = 256 + rnd[0]; - key->size = kdf_params->key_size = - gnutls_cipher_get_key_size(enc_params->cipher); + _gnutls_get_random(kdf_params->salt, kdf_params->salt_size, + GNUTLS_STRONG_RANDOM); - enc_params->iv_size = - _gnutls_cipher_get_iv_size(enc_params->cipher); + kdf_params->iter_count = 256 + rnd[0]; + key->size = kdf_params->key_size = + gnutls_cipher_get_key_size(enc_params->cipher); - key->data = gnutls_secure_malloc(key->size); - if (key->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + enc_params->iv_size = _gnutls_cipher_get_iv_size(enc_params->cipher); - /* now generate the key. - */ + key->data = gnutls_secure_malloc(key->size); + if (key->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + /* now generate the key. + */ - if (schema == PBES2) { + if (schema == PBES2) { - ret = _gnutls_pkcs5_pbkdf2(PKCS5_PRF_SHA1, password, + ret = _gnutls_pkcs5_pbkdf2(PKCS5_PRF_SHA1, password, strlen(password), kdf_params->salt, kdf_params->salt_size, kdf_params->iter_count, kdf_params->key_size, key->data); - if (ret != PKCS5_OK) { - gnutls_assert(); - return GNUTLS_E_ENCRYPTION_FAILED; - } - - if (enc_params->iv_size) - _gnutls_get_random(enc_params->iv, enc_params->iv_size, - GNUTLS_WEAK_RANDOM); - - } else { /* PKCS12 schemas */ - ret = - _pkcs12_string_to_key( 1/*KEY*/, kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, password, kdf_params->key_size, key->data); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - /* Now generate the IV - */ - if (enc_params->iv_size) { - ret = _pkcs12_string_to_key( 2/*IV*/, kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, password, enc_params->iv_size, enc_params->iv); - if (ret < 0) { - gnutls_assert(); - return ret; - } - } - } - - - return 0; -} - - -/* Encodes the parameters to be written in the encryptionAlgorithm.parameters - * part. - */ -static int write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, - const char * where, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params) -{ - int result; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; - - if (schema == PBES2) { - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBES2-params", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = write_pbkdf2_params(pbes2_asn, kdf_params); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = write_pbe_enc_params(pbes2_asn, enc_params); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", - pkcs8_asn, - where, 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - - asn1_delete_structure(&pbes2_asn); - } else { /* PKCS12 schemas */ - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-PbeParams", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = write_pkcs12_kdf_params(pbes2_asn, kdf_params); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", - pkcs8_asn, - where, 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - - asn1_delete_structure(&pbes2_asn); - - } - - return 0; - - error: - asn1_delete_structure(&pbes2_asn); - return result; - -} - -static int encrypt_data( const gnutls_datum * plain, - const struct pbe_enc_params *enc_params, - gnutls_datum * key, gnutls_datum * encrypted) -{ - int result; - int data_size; - opaque *data = NULL; - gnutls_datum div; - cipher_hd_t ch = NULL; - opaque pad, pad_size; - - pad_size = _gnutls_cipher_get_block_size(enc_params->cipher); - - if (pad_size == 1) /* stream */ pad_size = 0; - - data = gnutls_malloc(plain->size + pad_size); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if (ret != PKCS5_OK) { + gnutls_assert(); + return GNUTLS_E_ENCRYPTION_FAILED; } - memcpy(data, plain->data, plain->size); - - if (pad_size > 0) { - pad = pad_size - (plain->size % pad_size); - if (pad == 0) - pad = pad_size; - memset(&data[plain->size], pad, pad); - } else pad = 0; + if (enc_params->iv_size) + _gnutls_get_random(enc_params->iv, enc_params->iv_size, + GNUTLS_WEAK_RANDOM); - data_size = plain->size + pad; - - div.data = (opaque *) enc_params->iv; - div.size = enc_params->iv_size; - ch = _gnutls_cipher_init(enc_params->cipher, key, &div); - - if (ch == GNUTLS_CIPHER_FAILED) { - gnutls_assert(); - result = GNUTLS_E_ENCRYPTION_FAILED; - goto error; + } else { /* PKCS12 schemas */ + ret = + _pkcs12_string_to_key(1 /*KEY*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + kdf_params->key_size, key->data); + if (ret < 0) { + gnutls_assert(); + return ret; } - result = _gnutls_cipher_encrypt(ch, data, data_size); - if (result < 0) { + /* Now generate the IV + */ + if (enc_params->iv_size) { + ret = + _pkcs12_string_to_key(2 /*IV*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + enc_params->iv_size, enc_params->iv); + if (ret < 0) { gnutls_assert(); - goto error; + return ret; + } } + } - encrypted->data = data; - encrypted->size = data_size; - - _gnutls_cipher_deinit(ch); - - return 0; - error: - gnutls_free(data); - if (ch != NULL) - _gnutls_cipher_deinit(ch); - return result; + return 0; } -/* Decrypts a PKCS #7 encryptedData. The output is allocated - * and stored in dec. + +/* Encodes the parameters to be written in the encryptionAlgorithm.parameters + * part. */ -int _gnutls_pkcs7_decrypt_data(const gnutls_datum * data, - const char *password, - gnutls_datum * dec) +static int write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, + const char *where, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params) { - int result, len; - char enc_oid[64]; - gnutls_datum tmp; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs7_asn = ASN1_TYPE_EMPTY; - int params_start, params_end, params_len; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - schema_id schema; + int result; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; + if (schema == PBES2) { if ((result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-7-EncryptedData", - &pkcs7_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + "PKIX1.pkcs-5-PBES2-params", + &pbes2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); } - result = - asn1_der_decoding(&pkcs7_asn, data->data, data->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = write_pbkdf2_params(pbes2_asn, kdf_params); + if (result < 0) { + gnutls_assert(); + goto error; } - /* Check the encryption schema OID - */ - len = sizeof(enc_oid); - result = - asn1_read_value(pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - enc_oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = write_pbe_enc_params(pbes2_asn, enc_params); + if (result < 0) { + gnutls_assert(); + goto error; } - if ((result = check_schema(enc_oid)) < 0) { - gnutls_assert(); - goto error; + result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", + pkcs8_asn, where, 0); + if (result < 0) { + gnutls_assert(); + goto error; } - schema = result; - /* Get the DER encoding of the parameters. - */ - result = - asn1_der_decoding_startEnd(pkcs7_asn, data->data, data->size, - "encryptedContentInfo.contentEncryptionAlgorithm.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - params_len = params_end - params_start + 1; + asn1_delete_structure(&pbes2_asn); + } else { /* PKCS12 schemas */ - result = - read_pkcs_schema_params(schema, password, - &data->data[params_start], - params_len, &kdf_params, &enc_params); - if (result < ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-PbeParams", + &pbes2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; } - /* Parameters have been decoded. Now - * decrypt the EncryptedData. - */ + result = write_pkcs12_kdf_params(pbes2_asn, kdf_params); + if (result < 0) { + gnutls_assert(); + goto error; + } - result = - decrypt_data(schema, pkcs7_asn, - "encryptedContentInfo.encryptedContent", password, - &kdf_params, &enc_params, &tmp); + result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", + pkcs8_asn, where, 0); if (result < 0) { - gnutls_assert(); - goto error; + gnutls_assert(); + goto error; } - asn1_delete_structure(&pkcs7_asn); + asn1_delete_structure(&pbes2_asn); - *dec = tmp; + } - return 0; + return 0; + + error: + asn1_delete_structure(&pbes2_asn); + return result; - error: - asn1_delete_structure(&pbes2_asn); - asn1_delete_structure(&pkcs7_asn); - return result; +} + +static int encrypt_data(const gnutls_datum * plain, + const struct pbe_enc_params *enc_params, + gnutls_datum * key, gnutls_datum * encrypted) +{ + int result; + int data_size; + opaque *data = NULL; + gnutls_datum div; + cipher_hd_t ch = NULL; + opaque pad, pad_size; + + pad_size = _gnutls_cipher_get_block_size(enc_params->cipher); + + if (pad_size == 1) /* stream */ + pad_size = 0; + + data = gnutls_malloc(plain->size + pad_size); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + memcpy(data, plain->data, plain->size); + + if (pad_size > 0) { + pad = pad_size - (plain->size % pad_size); + if (pad == 0) + pad = pad_size; + memset(&data[plain->size], pad, pad); + } else + pad = 0; + + data_size = plain->size + pad; + + div.data = (opaque *) enc_params->iv; + div.size = enc_params->iv_size; + ch = _gnutls_cipher_init(enc_params->cipher, key, &div); + + if (ch == GNUTLS_CIPHER_FAILED) { + gnutls_assert(); + result = GNUTLS_E_ENCRYPTION_FAILED; + goto error; + } + + result = _gnutls_cipher_encrypt(ch, data, data_size); + if (result < 0) { + gnutls_assert(); + goto error; + } + + encrypted->data = data; + encrypted->size = data_size; + + _gnutls_cipher_deinit(ch); + + return 0; + + error: + gnutls_free(data); + if (ch != NULL) + _gnutls_cipher_deinit(ch); + return result; +} + +/* Decrypts a PKCS #7 encryptedData. The output is allocated + * and stored in dec. + */ +int _gnutls_pkcs7_decrypt_data(const gnutls_datum * data, + const char *password, gnutls_datum * dec) +{ + int result, len; + char enc_oid[64]; + gnutls_datum tmp; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs7_asn = ASN1_TYPE_EMPTY; + int params_start, params_end, params_len; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + schema_id schema; + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-7-EncryptedData", + &pkcs7_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = asn1_der_decoding(&pkcs7_asn, data->data, data->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Check the encryption schema OID + */ + len = sizeof(enc_oid); + result = + asn1_read_value(pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + enc_oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + if ((result = check_schema(enc_oid)) < 0) { + gnutls_assert(); + goto error; + } + schema = result; + + /* Get the DER encoding of the parameters. + */ + result = + asn1_der_decoding_startEnd(pkcs7_asn, data->data, data->size, + "encryptedContentInfo.contentEncryptionAlgorithm.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + params_len = params_end - params_start + 1; + + result = + read_pkcs_schema_params(schema, password, + &data->data[params_start], + params_len, &kdf_params, &enc_params); + if (result < ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Parameters have been decoded. Now + * decrypt the EncryptedData. + */ + + result = + decrypt_data(schema, pkcs7_asn, + "encryptedContentInfo.encryptedContent", password, + &kdf_params, &enc_params, &tmp); + if (result < 0) { + gnutls_assert(); + goto error; + } + + asn1_delete_structure(&pkcs7_asn); + + *dec = tmp; + + return 0; + + error: + asn1_delete_structure(&pbes2_asn); + asn1_delete_structure(&pkcs7_asn); + return result; } /* Encrypts to a PKCS #7 encryptedData. The output is allocated * and stored in enc. */ int _gnutls_pkcs7_encrypt_data(schema_id schema, const gnutls_datum * data, - const char *password, - gnutls_datum * enc) + const char *password, gnutls_datum * enc) { - int result; - gnutls_datum key = { NULL, 0 }; - gnutls_datum tmp = { NULL, 0 }; - ASN1_TYPE pkcs7_asn = ASN1_TYPE_EMPTY; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-7-EncryptedData", - &pkcs7_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the encryption schema OID - */ - switch (schema) { - case PBES2: - result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PBES2_OID, 1); - break; - case PKCS12_3DES_SHA1: - result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PKCS12_PBE_3DES_SHA1_OID, 1); - break; - case PKCS12_ARCFOUR_SHA1: - result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PKCS12_PBE_ARCFOUR_SHA1_OID, 1); - break; - case PKCS12_RC2_40_SHA1: - result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PKCS12_PBE_RC2_40_SHA1_OID, 1); - break; - - } - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Generate a symmetric key. - */ - + int result; + gnutls_datum key = { NULL, 0 }; + gnutls_datum tmp = { NULL, 0 }; + ASN1_TYPE pkcs7_asn = ASN1_TYPE_EMPTY; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-7-EncryptedData", + &pkcs7_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Write the encryption schema OID + */ + switch (schema) { + case PBES2: result = - generate_key(schema, password, &kdf_params, &enc_params, &key); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = write_schema_params(schema, pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.parameters", - &kdf_params, &enc_params); - if (result < 0) { - gnutls_assert(); - goto error; - } - - /* Parameters have been encoded. Now - * encrypt the Data. - */ - result = encrypt_data( data, &enc_params, &key, &tmp); - if (result < 0) { - gnutls_assert(); - goto error; - } - - /* write the encrypted data. - */ + asn1_write_value(pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PBES2_OID, 1); + break; + case PKCS12_3DES_SHA1: result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.encryptedContent", tmp.data, - tmp.size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - _gnutls_free_datum(&tmp); - _gnutls_free_datum(&key); - - /* Now write the rest of the pkcs-7 stuff. - */ - - result = _gnutls_x509_write_uint32( pkcs7_asn, "version", 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - + asn1_write_value(pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PKCS12_PBE_3DES_SHA1_OID, 1); + break; + case PKCS12_ARCFOUR_SHA1: result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentType", DATA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - + asn1_write_value(pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PKCS12_PBE_ARCFOUR_SHA1_OID, 1); + break; + case PKCS12_RC2_40_SHA1: result = - asn1_write_value(pkcs7_asn, "unprotectedAttrs", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Now encode and copy the DER stuff. - */ - result = _gnutls_x509_der_encode( pkcs7_asn, "", enc, 0); - - asn1_delete_structure(&pkcs7_asn); - - if (result < 0) { - gnutls_assert(); - goto error; - } - - - error: - _gnutls_free_datum(&key); - _gnutls_free_datum(&tmp); - asn1_delete_structure(&pkcs7_asn); - return result; + asn1_write_value(pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PKCS12_PBE_RC2_40_SHA1_OID, 1); + break; + + } + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Generate a symmetric key. + */ + + result = + generate_key(schema, password, &kdf_params, &enc_params, &key); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = write_schema_params(schema, pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.parameters", + &kdf_params, &enc_params); + if (result < 0) { + gnutls_assert(); + goto error; + } + + /* Parameters have been encoded. Now + * encrypt the Data. + */ + result = encrypt_data(data, &enc_params, &key, &tmp); + if (result < 0) { + gnutls_assert(); + goto error; + } + + /* write the encrypted data. + */ + result = + asn1_write_value(pkcs7_asn, + "encryptedContentInfo.encryptedContent", tmp.data, + tmp.size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + _gnutls_free_datum(&tmp); + _gnutls_free_datum(&key); + + /* Now write the rest of the pkcs-7 stuff. + */ + + result = _gnutls_x509_write_uint32(pkcs7_asn, "version", 0); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = + asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentType", + DATA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = asn1_write_value(pkcs7_asn, "unprotectedAttrs", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Now encode and copy the DER stuff. + */ + result = _gnutls_x509_der_encode(pkcs7_asn, "", enc, 0); + + asn1_delete_structure(&pkcs7_asn); + + if (result < 0) { + gnutls_assert(); + goto error; + } + + + error: + _gnutls_free_datum(&key); + _gnutls_free_datum(&tmp); + asn1_delete_structure(&pkcs7_asn); + return result; } diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c index b6229719c2..a1a7e1b82d 100644 --- a/lib/x509/rfc2818_hostname.c +++ b/lib/x509/rfc2818_hostname.c @@ -34,36 +34,36 @@ */ int _gnutls_hostname_compare(const char *certname, const char *hostname) { - const char *cmpstr1, *cmpstr2; + const char *cmpstr1, *cmpstr2; - if (strlen(certname) == 0 || strlen(hostname) == 0) - return 0; + if (strlen(certname) == 0 || strlen(hostname) == 0) + return 0; - if (strlen(certname) > 2 && strncmp(certname, "*.", 2) == 0) { - /* a wildcard certificate */ + if (strlen(certname) > 2 && strncmp(certname, "*.", 2) == 0) { + /* a wildcard certificate */ - cmpstr1 = certname + 1; + cmpstr1 = certname + 1; - /* find the first dot in hostname, compare from there on */ - cmpstr2 = strchr(hostname, '.'); + /* find the first dot in hostname, compare from there on */ + cmpstr2 = strchr(hostname, '.'); - if (cmpstr2 == NULL) { - /* error, the hostname we're connecting to is only a local part */ - return 0; - } + if (cmpstr2 == NULL) { + /* error, the hostname we're connecting to is only a local part */ + return 0; + } - if (strcasecmp(cmpstr1, cmpstr2) == 0) { - return 1; - } + if (strcasecmp(cmpstr1, cmpstr2) == 0) { + return 1; + } - return 0; - } + return 0; + } - if (strcasecmp(certname, hostname) == 0) { - return 1; - } + if (strcasecmp(certname, hostname) == 0) { + return 1; + } - return 0; + return 0; } /** @@ -80,63 +80,63 @@ int _gnutls_hostname_compare(const char *certname, const char *hostname) * **/ int gnutls_x509_crt_check_hostname(gnutls_x509_crt cert, - const char *hostname) + const char *hostname) { - char dnsname[MAX_CN]; - size_t dnsnamesize; - int found_dnsname = 0; - int ret = 0; - int i = 0; - - /* try matching against: - * 1) a DNS name as an alternative name (subjectAltName) extension - * in the certificate - * 2) the common name (CN) in the certificate - * - * either of these may be of the form: *.domain.tld - * - * only try (2) if there is no subjectAltName extension of - * type dNSName - */ - - /* Check through all included subjectAltName extensions, comparing - * against all those of type dNSName. - */ - for (i = 0; !(ret < 0); i++) { - - dnsnamesize = sizeof(dnsname); - ret = - gnutls_x509_crt_get_subject_alt_name(cert, i, - dnsname, &dnsnamesize, NULL); - - if (ret == GNUTLS_SAN_DNSNAME) { - found_dnsname = 1; - if (_gnutls_hostname_compare(dnsname, hostname)) { - return 1; - } - } - - } - - if (!found_dnsname) { - /* not got the necessary extension, use CN instead - */ - dnsnamesize = sizeof(dnsname); - if (gnutls_x509_crt_get_dn_by_oid(cert, OID_X520_COMMON_NAME, 0, - 0, dnsname, &dnsnamesize) < 0) { - /* got an error, can't find a name - */ - return 1; - } - - if (_gnutls_hostname_compare(dnsname, hostname)) { - return 1; - } - } - - /* not found a matching name - */ - return 0; + char dnsname[MAX_CN]; + size_t dnsnamesize; + int found_dnsname = 0; + int ret = 0; + int i = 0; + + /* try matching against: + * 1) a DNS name as an alternative name (subjectAltName) extension + * in the certificate + * 2) the common name (CN) in the certificate + * + * either of these may be of the form: *.domain.tld + * + * only try (2) if there is no subjectAltName extension of + * type dNSName + */ + + /* Check through all included subjectAltName extensions, comparing + * against all those of type dNSName. + */ + for (i = 0; !(ret < 0); i++) { + + dnsnamesize = sizeof(dnsname); + ret = + gnutls_x509_crt_get_subject_alt_name(cert, i, + dnsname, &dnsnamesize, + NULL); + + if (ret == GNUTLS_SAN_DNSNAME) { + found_dnsname = 1; + if (_gnutls_hostname_compare(dnsname, hostname)) { + return 1; + } + } + + } + + if (!found_dnsname) { + /* not got the necessary extension, use CN instead + */ + dnsnamesize = sizeof(dnsname); + if (gnutls_x509_crt_get_dn_by_oid(cert, OID_X520_COMMON_NAME, 0, + 0, dnsname, &dnsnamesize) < 0) { + /* got an error, can't find a name + */ + return 1; + } + + if (_gnutls_hostname_compare(dnsname, hostname)) { + return 1; + } + } + + /* not found a matching name + */ + return 0; } - diff --git a/lib/x509/sign.c b/lib/x509/sign.c index 35e8ba8fa3..8586bd86b7 100644 --- a/lib/x509/sign.c +++ b/lib/x509/sign.c @@ -46,69 +46,69 @@ /* Writes the digest information and the digest in a DER encoded * structure. The digest info is allocated and stored into the info structure. */ -static int encode_ber_digest_info( gnutls_mac_algorithm hash, - const gnutls_datum* digest, gnutls_datum *info) +static int encode_ber_digest_info(gnutls_mac_algorithm hash, + const gnutls_datum * digest, + gnutls_datum * info) { -ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; -int result; -const char* algo; - - algo = _gnutls_x509_mac_to_oid( hash); - if (algo == NULL) { - gnutls_assert(); - return GNUTLS_E_UNKNOWN_PK_ALGORITHM; - } + ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; + int result; + const char *algo; + + algo = _gnutls_x509_mac_to_oid(hash); + if (algo == NULL) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_PK_ALGORITHM; + } + + if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.DigestInfo", + &dinfo)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(dinfo, "digestAlgorithm.algorithm", algo, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } - if ((result=asn1_create_element( _gnutls_get_gnutls_asn(), - "GNUTLS.DigestInfo", &dinfo))!=ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = - asn1_write_value( dinfo, "digestAlgorithm.algorithm", algo, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } + result = + asn1_write_value(dinfo, "digestAlgorithm.parameters", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } - result = - asn1_write_value( dinfo, "digestAlgorithm.parameters", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } + result = asn1_write_value(dinfo, "digest", digest->data, digest->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } - result = - asn1_write_value( dinfo, "digest", digest->data, digest->size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } + info->size = 0; + asn1_der_coding(dinfo, "", NULL, &info->size, NULL); - info->size = 0; - asn1_der_coding( dinfo, "", NULL, &info->size, NULL); + info->data = gnutls_malloc(info->size); + if (info->data == NULL) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return GNUTLS_E_MEMORY_ERROR; + } - info->data = gnutls_malloc( info->size); - if (info->data == NULL) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return GNUTLS_E_MEMORY_ERROR; - } + result = asn1_der_coding(dinfo, "", info->data, &info->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } - result = asn1_der_coding( dinfo, "", info->data, &info->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } + asn1_delete_structure(&dinfo); - asn1_delete_structure(&dinfo); - - return 0; + return 0; } /* if hash==MD5 then we do RSA-MD5 @@ -117,71 +117,75 @@ const char* algo; * params[1] is public key */ static int -pkcs1_rsa_sign( gnutls_mac_algorithm hash, const gnutls_datum* text, - mpi_t *params, int params_len, gnutls_datum* signature) +pkcs1_rsa_sign(gnutls_mac_algorithm hash, const gnutls_datum * text, + mpi_t * params, int params_len, gnutls_datum * signature) { - int ret; - opaque _digest[MAX_HASH_SIZE]; - GNUTLS_HASH_HANDLE hd; - gnutls_datum digest, info; - - hd = _gnutls_hash_init( hash); - if (hd == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - _gnutls_hash( hd, text->data, text->size); - _gnutls_hash_deinit( hd, _digest); - - digest.data = _digest; - digest.size = _gnutls_hash_get_algo_len(hash); - - /* Encode the digest as a DigestInfo - */ - if ( (ret = encode_ber_digest_info( hash, &digest, &info)) != 0) { - gnutls_assert(); - return ret; - } - - if ( (ret=_gnutls_sign( GNUTLS_PK_RSA, params, params_len, &info, signature)) < 0) { - gnutls_assert(); - _gnutls_free_datum( &info); - return ret; - } - - _gnutls_free_datum( &info); - - return 0; + int ret; + opaque _digest[MAX_HASH_SIZE]; + GNUTLS_HASH_HANDLE hd; + gnutls_datum digest, info; + + hd = _gnutls_hash_init(hash); + if (hd == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + _gnutls_hash(hd, text->data, text->size); + _gnutls_hash_deinit(hd, _digest); + + digest.data = _digest; + digest.size = _gnutls_hash_get_algo_len(hash); + + /* Encode the digest as a DigestInfo + */ + if ((ret = encode_ber_digest_info(hash, &digest, &info)) != 0) { + gnutls_assert(); + return ret; + } + + if ((ret = + _gnutls_sign(GNUTLS_PK_RSA, params, params_len, &info, + signature)) < 0) { + gnutls_assert(); + _gnutls_free_datum(&info); + return ret; + } + + _gnutls_free_datum(&info); + + return 0; } static int -dsa_sign( const gnutls_datum* text, - mpi_t *params, int params_len, gnutls_datum* signature) +dsa_sign(const gnutls_datum * text, + mpi_t * params, int params_len, gnutls_datum * signature) { - int ret; - opaque _digest[MAX_HASH_SIZE]; - GNUTLS_HASH_HANDLE hd; - gnutls_datum digest; - - hd = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (hd == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - _gnutls_hash( hd, text->data, text->size); - _gnutls_hash_deinit( hd, _digest); - - digest.data = _digest; - digest.size = 20; - - if ( (ret=_gnutls_sign( GNUTLS_PK_DSA, params, params_len, &digest, signature)) < 0) { - gnutls_assert(); - return ret; - } - - return 0; + int ret; + opaque _digest[MAX_HASH_SIZE]; + GNUTLS_HASH_HANDLE hd; + gnutls_datum digest; + + hd = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (hd == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + _gnutls_hash(hd, text->data, text->size); + _gnutls_hash_deinit(hd, _digest); + + digest.data = _digest; + digest.size = 20; + + if ((ret = + _gnutls_sign(GNUTLS_PK_DSA, params, params_len, &digest, + signature)) < 0) { + gnutls_assert(); + return ret; + } + + return 0; } /* Signs the given data using the parameters from the signer's @@ -193,74 +197,77 @@ dsa_sign( const gnutls_datum* text, * 'signature' will hold the signature! * 'hash' is only used in PKCS1 RSA signing. */ -int _gnutls_x509_sign( const gnutls_datum* tbs, gnutls_mac_algorithm hash, - gnutls_x509_privkey signer, gnutls_datum* signature) +int _gnutls_x509_sign(const gnutls_datum * tbs, gnutls_mac_algorithm hash, + gnutls_x509_privkey signer, gnutls_datum * signature) { -int ret; - - switch( signer->pk_algorithm) - { - case GNUTLS_PK_RSA: - ret = pkcs1_rsa_sign( hash, tbs, signer->params, signer->params_size, - signature); - if (ret < 0) { - gnutls_assert(); - return ret; - } - return 0; - break; - case GNUTLS_PK_DSA: - ret = dsa_sign( tbs, signer->params, signer->params_size, signature); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - return 0; - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + int ret; + + switch (signer->pk_algorithm) { + case GNUTLS_PK_RSA: + ret = + pkcs1_rsa_sign(hash, tbs, signer->params, signer->params_size, + signature); + if (ret < 0) { + gnutls_assert(); + return ret; + } + return 0; + break; + case GNUTLS_PK_DSA: + ret = + dsa_sign(tbs, signer->params, signer->params_size, signature); + if (ret < 0) { + gnutls_assert(); + return ret; } + return 0; + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + } /* This is the same as the _gnutls_x509_sign, but this one will decode * the ASN1_TYPE given, and sign the DER data. Actually used to get the DER * of the TBS and sign it on the fly. */ -int _gnutls_x509_sign_tbs( ASN1_TYPE cert, const char* tbs_name, - gnutls_mac_algorithm hash, gnutls_x509_privkey signer, gnutls_datum* signature) +int _gnutls_x509_sign_tbs(ASN1_TYPE cert, const char *tbs_name, + gnutls_mac_algorithm hash, + gnutls_x509_privkey signer, + gnutls_datum * signature) { -int result; -opaque *buf; -int buf_size; -gnutls_datum tbs; - - buf_size = 0; - asn1_der_coding( cert, tbs_name, NULL, &buf_size, NULL); - - buf = gnutls_alloca( buf_size); - if (buf == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + int result; + opaque *buf; + int buf_size; + gnutls_datum tbs; - result = asn1_der_coding( cert, tbs_name, buf, &buf_size, NULL); + buf_size = 0; + asn1_der_coding(cert, tbs_name, NULL, &buf_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_afree(buf); - return _gnutls_asn2err(result); - } + buf = gnutls_alloca(buf_size); + if (buf == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_der_coding(cert, tbs_name, buf, &buf_size, NULL); - tbs.data = buf; - tbs.size = buf_size; - - result = _gnutls_x509_sign( &tbs, hash, signer, signature); + if (result != ASN1_SUCCESS) { + gnutls_assert(); gnutls_afree(buf); - - return result; + return _gnutls_asn2err(result); + } + + tbs.data = buf; + tbs.size = buf_size; + + result = _gnutls_x509_sign(&tbs, hash, signer, signature); + gnutls_afree(buf); + + return result; } /*- @@ -275,70 +282,78 @@ gnutls_datum tbs; * Returns 0 on success. * -*/ -int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char* src_name, - gnutls_x509_crt issuer, gnutls_x509_privkey issuer_key) +int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, + gnutls_x509_crt issuer, + gnutls_x509_privkey issuer_key) { -int result; -gnutls_datum signature; -char name[128]; - - /* Step 1. Copy the issuer's name into the certificate. - */ - _gnutls_str_cpy( name, sizeof(name), src_name); - _gnutls_str_cat( name, sizeof(name), ".issuer"); - - result = _gnutls_asn1_copy_node( &src, name, - issuer->cert, "tbsCertificate.subject"); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 1.5. Write the signature stuff in the tbsCertificate. - */ - _gnutls_str_cpy( name, sizeof(name), src_name); - _gnutls_str_cat( name, sizeof(name), ".signature"); - - result = _gnutls_x509_write_sig_params( src, name, - issuer_key->pk_algorithm, issuer_key->params, issuer_key->params_size); - if (result < 0) { - gnutls_assert(); - return result; - } - - /* Step 2. Sign the certificate. - */ - result = _gnutls_x509_sign_tbs( src, src_name, GNUTLS_MAC_SHA, - issuer_key, &signature); - - if (result < 0) { - gnutls_assert(); - return result; - } - - /* write the signature (bits) - */ - result = asn1_write_value( src, "signature", signature.data, signature.size*8); - - _gnutls_free_datum( &signature); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + int result; + gnutls_datum signature; + char name[128]; + + /* Step 1. Copy the issuer's name into the certificate. + */ + _gnutls_str_cpy(name, sizeof(name), src_name); + _gnutls_str_cat(name, sizeof(name), ".issuer"); + + result = _gnutls_asn1_copy_node(&src, name, + issuer->cert, + "tbsCertificate.subject"); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 1.5. Write the signature stuff in the tbsCertificate. + */ + _gnutls_str_cpy(name, sizeof(name), src_name); + _gnutls_str_cat(name, sizeof(name), ".signature"); + + result = _gnutls_x509_write_sig_params(src, name, + issuer_key->pk_algorithm, + issuer_key->params, + issuer_key->params_size); + if (result < 0) { + gnutls_assert(); + return result; + } - /* Step 3. Move up and write the AlgorithmIdentifier, which is also - * the same. - */ + /* Step 2. Sign the certificate. + */ + result = _gnutls_x509_sign_tbs(src, src_name, GNUTLS_MAC_SHA, + issuer_key, &signature); - result = _gnutls_x509_write_sig_params( src, "signatureAlgorithm", - issuer_key->pk_algorithm, issuer_key->params, issuer_key->params_size); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } + + /* write the signature (bits) + */ + result = + asn1_write_value(src, "signature", signature.data, + signature.size * 8); + + _gnutls_free_datum(&signature); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Step 3. Move up and write the AlgorithmIdentifier, which is also + * the same. + */ + + result = _gnutls_x509_write_sig_params(src, "signatureAlgorithm", + issuer_key->pk_algorithm, + issuer_key->params, + issuer_key->params_size); + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } #endif diff --git a/lib/x509/verify.c b/lib/x509/verify.c index f5d1a910d4..15bb97bf58 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -40,15 +40,18 @@ #include <verify.h> static int _gnutls_verify_certificate2(gnutls_x509_crt cert, - gnutls_x509_crt *trusted_cas, int tcas_size, - unsigned int flags, unsigned int* output); -int _gnutls_x509_verify_signature(const gnutls_datum* signed_data, - const gnutls_datum* signature, gnutls_x509_crt issuer); + gnutls_x509_crt * trusted_cas, + int tcas_size, unsigned int flags, + unsigned int *output); +int _gnutls_x509_verify_signature(const gnutls_datum * signed_data, + const gnutls_datum * signature, + gnutls_x509_crt issuer); static int is_crl_issuer(gnutls_x509_crl crl, gnutls_x509_crt issuer_cert); static int _gnutls_verify_crl2(gnutls_x509_crl crl, - gnutls_x509_crt *trusted_cas, int tcas_size, - unsigned int flags, unsigned int *output); + gnutls_x509_crt * trusted_cas, + int tcas_size, unsigned int flags, + unsigned int *output); /* Checks if the issuer of a certificate is a @@ -60,67 +63,74 @@ static int _gnutls_verify_crl2(gnutls_x509_crl crl, */ static int check_if_ca(gnutls_x509_crt cert, gnutls_x509_crt issuer) { -gnutls_datum cert_signed_data = { NULL, 0 }; -gnutls_datum issuer_signed_data = { NULL, 0 }; -gnutls_datum cert_signature = { NULL, 0 }; -gnutls_datum issuer_signature = { NULL, 0 }; -int result; - - /* Check if the issuer is the same with the - * certificate. This is added in order for trusted - * certificates to be able to verify themselves. - */ - - result = _gnutls_x509_get_signed_data( issuer->cert, "tbsCertificate", &issuer_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_get_signed_data( cert->cert, "tbsCertificate", &cert_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_get_signature( issuer->cert, "signature", &issuer_signature); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_get_signature( cert->cert, "signature", &cert_signature); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + gnutls_datum cert_signed_data = { NULL, 0 }; + gnutls_datum issuer_signed_data = { NULL, 0 }; + gnutls_datum cert_signature = { NULL, 0 }; + gnutls_datum issuer_signature = { NULL, 0 }; + int result; + + /* Check if the issuer is the same with the + * certificate. This is added in order for trusted + * certificates to be able to verify themselves. + */ + + result = + _gnutls_x509_get_signed_data(issuer->cert, "tbsCertificate", + &issuer_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - if (cert_signed_data.size == issuer_signed_data.size) { - if ( - (memcmp(cert_signed_data.data, issuer_signed_data.data, - cert_signed_data.size) == 0) && - (cert_signature.size == issuer_signature.size) && - (memcmp(cert_signature.data, issuer_signature.data, - cert_signature.size) == 0)) + result = + _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate", + &cert_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = 1; - goto cleanup; - } + result = + _gnutls_x509_get_signature(issuer->cert, "signature", + &issuer_signature); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - if (gnutls_x509_crt_get_ca_status(issuer, NULL) == 1) { - result = 1; - goto cleanup; - } else - gnutls_assert(); + result = + _gnutls_x509_get_signature(cert->cert, "signature", + &cert_signature); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + if (cert_signed_data.size == issuer_signed_data.size) { + if ((memcmp(cert_signed_data.data, issuer_signed_data.data, + cert_signed_data.size) == 0) && + (cert_signature.size == issuer_signature.size) && + (memcmp(cert_signature.data, issuer_signature.data, + cert_signature.size) == 0)) + + result = 1; + goto cleanup; + } + + if (gnutls_x509_crt_get_ca_status(issuer, NULL) == 1) { + result = 1; + goto cleanup; + } else + gnutls_assert(); - result = 0; + result = 0; -cleanup: - _gnutls_free_datum( &cert_signed_data); - _gnutls_free_datum( &issuer_signed_data); - _gnutls_free_datum( &cert_signature); - _gnutls_free_datum( &issuer_signature); - return result; + cleanup: + _gnutls_free_datum(&cert_signed_data); + _gnutls_free_datum(&issuer_signed_data); + _gnutls_free_datum(&cert_signature); + _gnutls_free_datum(&issuer_signature); + return result; } @@ -134,47 +144,49 @@ cleanup: static int is_issuer(gnutls_x509_crt cert, gnutls_x509_crt issuer_cert) { - gnutls_datum dn1 = {NULL, 0}, dn2 = { NULL, 0 }; - int ret; + gnutls_datum dn1 = { NULL, 0 }, dn2 = { + NULL, 0}; + int ret; - ret = _gnutls_x509_crt_get_raw_issuer_dn( cert, &dn1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } + ret = _gnutls_x509_crt_get_raw_issuer_dn(cert, &dn1); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } - ret = _gnutls_x509_crt_get_raw_dn( issuer_cert, &dn2); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } + ret = _gnutls_x509_crt_get_raw_dn(issuer_cert, &dn2); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } - ret = _gnutls_x509_compare_raw_dn( &dn1, &dn2); - -cleanup: - _gnutls_free_datum(&dn1); - _gnutls_free_datum(&dn2); - return ret; + ret = _gnutls_x509_compare_raw_dn(&dn1, &dn2); + + cleanup: + _gnutls_free_datum(&dn1); + _gnutls_free_datum(&dn2); + return ret; } static inline -gnutls_x509_crt find_issuer(gnutls_x509_crt cert, - gnutls_x509_crt * trusted_cas, int tcas_size) + gnutls_x509_crt find_issuer(gnutls_x509_crt cert, + gnutls_x509_crt * trusted_cas, + int tcas_size) { - int i; + int i; - /* this is serial search. - */ + /* this is serial search. + */ - for (i = 0; i < tcas_size; i++) { - if (is_issuer(cert, trusted_cas[i]) == 1) - return trusted_cas[i]; - } + for (i = 0; i < tcas_size; i++) { + if (is_issuer(cert, trusted_cas[i]) == 1) + return trusted_cas[i]; + } - gnutls_assert(); - return NULL; + gnutls_assert(); + return NULL; } @@ -189,78 +201,91 @@ gnutls_x509_crt find_issuer(gnutls_x509_crt cert, * procedure. */ static int _gnutls_verify_certificate2(gnutls_x509_crt cert, - gnutls_x509_crt *trusted_cas, int tcas_size, - unsigned int flags, unsigned int *output) + gnutls_x509_crt * trusted_cas, + int tcas_size, unsigned int flags, + unsigned int *output) { -gnutls_datum cert_signed_data = { NULL, 0 }; -gnutls_datum cert_signature = { NULL, 0 }; -gnutls_x509_crt issuer; -int ret, issuer_version, result; - - if (output) *output = 0; - - if (tcas_size >= 1) - issuer = find_issuer(cert, trusted_cas, tcas_size); - else { - gnutls_assert(); - if (output) *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - return 0; - } + gnutls_datum cert_signed_data = { NULL, 0 }; + gnutls_datum cert_signature = { NULL, 0 }; + gnutls_x509_crt issuer; + int ret, issuer_version, result; - /* issuer is not in trusted certificate - * authorities. - */ - if (issuer == NULL) { - if (output) *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - gnutls_assert(); - return 0; - } + if (output) + *output = 0; - issuer_version = gnutls_x509_crt_get_version( issuer); - if (issuer_version < 0) { - gnutls_assert(); - return issuer_version; - } + if (tcas_size >= 1) + issuer = find_issuer(cert, trusted_cas, tcas_size); + else { + gnutls_assert(); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; + return 0; + } + + /* issuer is not in trusted certificate + * authorities. + */ + if (issuer == NULL) { + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; + gnutls_assert(); + return 0; + } - if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && - !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1)) { - if (check_if_ca(cert, issuer)==0) { - gnutls_assert(); - if (output) *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; - return 0; - } + issuer_version = gnutls_x509_crt_get_version(issuer); + if (issuer_version < 0) { + gnutls_assert(); + return issuer_version; + } + + if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && + !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) + && issuer_version == 1)) { + if (check_if_ca(cert, issuer) == 0) { + gnutls_assert(); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; + return 0; } + } - result = _gnutls_x509_get_signed_data( cert->cert, "tbsCertificate", &cert_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + result = + _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate", + &cert_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = _gnutls_x509_get_signature( cert->cert, "signature", &cert_signature); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + result = + _gnutls_x509_get_signature(cert->cert, "signature", + &cert_signature); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - ret = _gnutls_x509_verify_signature(&cert_signed_data, &cert_signature, issuer); - if (ret < 0) { - gnutls_assert(); - } else if (ret == 0) { - gnutls_assert(); - /* error. ignore it */ - if (output) *output |= GNUTLS_CERT_INVALID; - ret = 0; - } + ret = + _gnutls_x509_verify_signature(&cert_signed_data, &cert_signature, + issuer); + if (ret < 0) { + gnutls_assert(); + } else if (ret == 0) { + gnutls_assert(); + /* error. ignore it */ + if (output) + *output |= GNUTLS_CERT_INVALID; + ret = 0; + } + + result = ret; - result = ret; - -cleanup: - _gnutls_free_datum( &cert_signed_data); - _gnutls_free_datum( &cert_signature); - - return result; + cleanup: + _gnutls_free_datum(&cert_signed_data); + _gnutls_free_datum(&cert_signature); + + return result; } @@ -278,72 +303,75 @@ cleanup: * lead to a trusted CA in order to be trusted. */ static -unsigned int _gnutls_x509_verify_certificate(gnutls_x509_crt * certificate_list, - int clist_size, - gnutls_x509_crt * trusted_cas, - int tcas_size, gnutls_x509_crl *CRLs, - int crls_size, unsigned int flags) +unsigned int _gnutls_x509_verify_certificate(gnutls_x509_crt * + certificate_list, + int clist_size, + gnutls_x509_crt * trusted_cas, + int tcas_size, + gnutls_x509_crl * CRLs, + int crls_size, + unsigned int flags) { - int i = 0, ret; - unsigned int status = 0, output; + int i = 0, ret; + unsigned int status = 0, output; - /* Check for revoked certificates in the chain - */ + /* Check for revoked certificates in the chain + */ #ifdef ENABLE_PKI - for (i = 0; i < clist_size; i++) { - ret = gnutls_x509_crt_check_revocation( certificate_list[i], - CRLs, crls_size); - if (ret == 1) { /* revoked */ - status |= GNUTLS_CERT_REVOKED; - } + for (i = 0; i < clist_size; i++) { + ret = gnutls_x509_crt_check_revocation(certificate_list[i], + CRLs, crls_size); + if (ret == 1) { /* revoked */ + status |= GNUTLS_CERT_REVOKED; } + } #endif - /* Verify the certificate path - */ - for (i = 0; i < clist_size; i++) { - if (i + 1 >= clist_size) - break; - - if ((ret = - _gnutls_verify_certificate2(certificate_list[i], - &certificate_list[i + 1], 1, flags, NULL)) != 1) - { - status |= GNUTLS_CERT_INVALID; - } - } + /* Verify the certificate path + */ + for (i = 0; i < clist_size; i++) { + if (i + 1 >= clist_size) + break; - if (status != 0) { - /* If there is any problem in the - * certificate chain then mark as not trusted - * and return immediately. - */ - gnutls_assert(); - return (0 | GNUTLS_CERT_INVALID); + if ((ret = + _gnutls_verify_certificate2(certificate_list[i], + &certificate_list[i + 1], 1, + flags, NULL)) != 1) { + status |= GNUTLS_CERT_INVALID; } - - /* Now verify the last certificate in the certificate path - * against the trusted CA certificate list. - * - * If no CAs are present returns NOT_TRUSTED. Thus works - * in self signed etc certificates. + } + + if (status != 0) { + /* If there is any problem in the + * certificate chain then mark as not trusted + * and return immediately. */ - ret = - _gnutls_verify_certificate2(certificate_list[i], trusted_cas, - tcas_size, flags, &output); - - if (ret == 0) { - /* if the last certificate in the certificate - * list is invalid, then the certificate is not - * trusted. - */ - gnutls_assert(); - status |= output; - - status |= GNUTLS_CERT_INVALID; - } + gnutls_assert(); + return (0 | GNUTLS_CERT_INVALID); + } + + /* Now verify the last certificate in the certificate path + * against the trusted CA certificate list. + * + * If no CAs are present returns NOT_TRUSTED. Thus works + * in self signed etc certificates. + */ + ret = + _gnutls_verify_certificate2(certificate_list[i], trusted_cas, + tcas_size, flags, &output); + + if (ret == 0) { + /* if the last certificate in the certificate + * list is invalid, then the certificate is not + * trusted. + */ + gnutls_assert(); + status |= output; - return status; + status |= GNUTLS_CERT_INVALID; + } + + return status; } @@ -351,58 +379,59 @@ unsigned int _gnutls_x509_verify_certificate(gnutls_x509_crt * certificate_list, * we use DER here, although we should use BER. It works fine * anyway. */ -static int decode_ber_digest_info( const gnutls_datum *info, gnutls_mac_algorithm *hash, - opaque* digest, int *digest_size) +static int decode_ber_digest_info(const gnutls_datum * info, + gnutls_mac_algorithm * hash, + opaque * digest, int *digest_size) { -ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; -int result; -char str[1024]; -int len; - - if ((result=asn1_create_element( _gnutls_get_gnutls_asn(), - "GNUTLS.DigestInfo", &dinfo))!=ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; + int result; + char str[1024]; + int len; + + if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.DigestInfo", + &dinfo)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding( &dinfo, info->data, info->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } - - len = sizeof(str)-1; - result = - asn1_read_value( dinfo, "digestAlgorithm.algorithm", str, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } + result = asn1_der_decoding(&dinfo, info->data, info->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } - *hash = _gnutls_x509_oid2mac_algorithm( str); + len = sizeof(str) - 1; + result = + asn1_read_value(dinfo, "digestAlgorithm.algorithm", str, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } - if (*hash==GNUTLS_MAC_UNKNOWN) { + *hash = _gnutls_x509_oid2mac_algorithm(str); - _gnutls_x509_log( "verify.c: HASH OID: %s\n", str); + if (*hash == GNUTLS_MAC_UNKNOWN) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return GNUTLS_E_UNKNOWN_HASH_ALGORITHM; - } - - result = - asn1_read_value( dinfo, "digest", digest, digest_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&dinfo); - return _gnutls_asn2err(result); - } + _gnutls_x509_log("verify.c: HASH OID: %s\n", str); + gnutls_assert(); asn1_delete_structure(&dinfo); - - return 0; + return GNUTLS_E_UNKNOWN_HASH_ALGORITHM; + } + + result = asn1_read_value(dinfo, "digest", digest, digest_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&dinfo); + return _gnutls_asn2err(result); + } + + asn1_delete_structure(&dinfo); + + return 0; } /* if hash==MD5 then we do RSA-MD5 @@ -411,116 +440,124 @@ int len; * params[1] is public key */ static int -_pkcs1_rsa_verify_sig( const gnutls_datum* text, const gnutls_datum* signature, - mpi_t *params, int params_len) +_pkcs1_rsa_verify_sig(const gnutls_datum * text, + const gnutls_datum * signature, mpi_t * params, + int params_len) { - gnutls_mac_algorithm hash; - int ret; - opaque digest[MAX_HASH_SIZE], md[MAX_HASH_SIZE]; - int digest_size; - GNUTLS_HASH_HANDLE hd; - gnutls_datum decrypted; - - ret=_gnutls_pkcs1_rsa_decrypt( &decrypted, signature, params, params_len, 1); - if (ret < 0) { - gnutls_assert(); - return ret; - } + gnutls_mac_algorithm hash; + int ret; + opaque digest[MAX_HASH_SIZE], md[MAX_HASH_SIZE]; + int digest_size; + GNUTLS_HASH_HANDLE hd; + gnutls_datum decrypted; + + ret = + _gnutls_pkcs1_rsa_decrypt(&decrypted, signature, params, + params_len, 1); + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* decrypted is a BER encoded data of type DigestInfo - */ + /* decrypted is a BER encoded data of type DigestInfo + */ - digest_size = sizeof(digest); - if ( (ret = decode_ber_digest_info( &decrypted, &hash, digest, &digest_size)) != 0) { - gnutls_assert(); - _gnutls_free_datum( &decrypted); - return ret; - } + digest_size = sizeof(digest); + if ((ret = + decode_ber_digest_info(&decrypted, &hash, digest, + &digest_size)) != 0) { + gnutls_assert(); + _gnutls_free_datum(&decrypted); + return ret; + } - _gnutls_free_datum( &decrypted); + _gnutls_free_datum(&decrypted); - if (digest_size != _gnutls_hash_get_algo_len(hash)) { - gnutls_assert(); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } + if (digest_size != _gnutls_hash_get_algo_len(hash)) { + gnutls_assert(); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } - hd = _gnutls_hash_init( hash); - if (hd == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } + hd = _gnutls_hash_init(hash); + if (hd == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - _gnutls_hash( hd, text->data, text->size); - _gnutls_hash_deinit( hd, md); + _gnutls_hash(hd, text->data, text->size); + _gnutls_hash_deinit(hd, md); - if (memcmp( md, digest, digest_size)!=0) { - gnutls_assert(); - return GNUTLS_E_PK_SIG_VERIFY_FAILED; - } + if (memcmp(md, digest, digest_size) != 0) { + gnutls_assert(); + return GNUTLS_E_PK_SIG_VERIFY_FAILED; + } - return 0; + return 0; } /* Hashes input data and verifies a DSA signature. */ static int -dsa_verify_sig( const gnutls_datum* text, const gnutls_datum* signature, - mpi_t *params, int params_len) +dsa_verify_sig(const gnutls_datum * text, const gnutls_datum * signature, + mpi_t * params, int params_len) { - int ret; - opaque _digest[MAX_HASH_SIZE]; - gnutls_datum digest; - GNUTLS_HASH_HANDLE hd; - - hd = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (hd == NULL) { - gnutls_assert(); - return GNUTLS_E_HASH_FAILED; - } - - _gnutls_hash( hd, text->data, text->size); - _gnutls_hash_deinit( hd, _digest); + int ret; + opaque _digest[MAX_HASH_SIZE]; + gnutls_datum digest; + GNUTLS_HASH_HANDLE hd; - digest.data = _digest; - digest.size = 20; + hd = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (hd == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } - ret = _gnutls_dsa_verify( &digest, signature, params, params_len); + _gnutls_hash(hd, text->data, text->size); + _gnutls_hash_deinit(hd, _digest); - return ret; + digest.data = _digest; + digest.size = 20; + + ret = _gnutls_dsa_verify(&digest, signature, params, params_len); + + return ret; } /* Verifies the signature data, and returns 0 if not verified, * or 1 otherwise. */ -static int verify_sig( const gnutls_datum* tbs, const gnutls_datum* signature, - gnutls_pk_algorithm pk, mpi_t* issuer_params, int issuer_params_size) +static int verify_sig(const gnutls_datum * tbs, + const gnutls_datum * signature, + gnutls_pk_algorithm pk, mpi_t * issuer_params, + int issuer_params_size) { - switch( pk ) - { - case GNUTLS_PK_RSA: + switch (pk) { + case GNUTLS_PK_RSA: - if (_pkcs1_rsa_verify_sig( tbs, signature, issuer_params, issuer_params_size)!=0) { - gnutls_assert(); - return 0; - } + if (_pkcs1_rsa_verify_sig + (tbs, signature, issuer_params, issuer_params_size) != 0) { + gnutls_assert(); + return 0; + } - return 1; - break; + return 1; + break; - case GNUTLS_PK_DSA: - if (dsa_verify_sig( tbs, signature, issuer_params, issuer_params_size)!=0) { - gnutls_assert(); - return 0; - } + case GNUTLS_PK_DSA: + if (dsa_verify_sig + (tbs, signature, issuer_params, issuer_params_size) != 0) { + gnutls_assert(); + return 0; + } - return 1; - break; - default: - gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; + return 1; + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; - } + } } /* verifies if the certificate is properly signed. @@ -529,34 +566,39 @@ static int verify_sig( const gnutls_datum* tbs, const gnutls_datum* signature, * 'tbs' is the signed data * 'signature' is the signature! */ -int _gnutls_x509_verify_signature( const gnutls_datum* tbs, - const gnutls_datum* signature, gnutls_x509_crt issuer) +int _gnutls_x509_verify_signature(const gnutls_datum * tbs, + const gnutls_datum * signature, + gnutls_x509_crt issuer) { -mpi_t issuer_params[MAX_PUBLIC_PARAMS_SIZE]; -int ret, issuer_params_size, i; - - /* Read the MPI parameters from the issuer's certificate. - */ - issuer_params_size = MAX_PUBLIC_PARAMS_SIZE; - ret = _gnutls_x509_crt_get_mpis(issuer, issuer_params, &issuer_params_size); - if ( ret < 0) { - gnutls_assert(); - return ret; - } + mpi_t issuer_params[MAX_PUBLIC_PARAMS_SIZE]; + int ret, issuer_params_size, i; + + /* Read the MPI parameters from the issuer's certificate. + */ + issuer_params_size = MAX_PUBLIC_PARAMS_SIZE; + ret = + _gnutls_x509_crt_get_mpis(issuer, issuer_params, + &issuer_params_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = verify_sig( tbs, signature, gnutls_x509_crt_get_pk_algorithm(issuer, NULL), - issuer_params, issuer_params_size); - if ( ret < 0) { - gnutls_assert(); - } + ret = + verify_sig(tbs, signature, + gnutls_x509_crt_get_pk_algorithm(issuer, NULL), + issuer_params, issuer_params_size); + if (ret < 0) { + gnutls_assert(); + } - /* release all allocated MPIs - */ - for (i = 0; i < issuer_params_size; i++) { - _gnutls_mpi_release( &issuer_params[i]); - } + /* release all allocated MPIs + */ + for (i = 0; i < issuer_params_size; i++) { + _gnutls_mpi_release(&issuer_params[i]); + } - return ret; + return ret; } /* verifies if the certificate is properly signed. @@ -565,18 +607,19 @@ int ret, issuer_params_size, i; * 'tbs' is the signed data * 'signature' is the signature! */ -int _gnutls_x509_privkey_verify_signature( const gnutls_datum* tbs, - const gnutls_datum* signature, gnutls_x509_privkey issuer) +int _gnutls_x509_privkey_verify_signature(const gnutls_datum * tbs, + const gnutls_datum * signature, + gnutls_x509_privkey issuer) { - int ret; - - ret = verify_sig( tbs, signature, issuer->pk_algorithm, - issuer->params, issuer->params_size); - if ( ret < 0) { - gnutls_assert(); - } + int ret; - return ret; + ret = verify_sig(tbs, signature, issuer->pk_algorithm, + issuer->params, issuer->params_size); + if (ret < 0) { + gnutls_assert(); + } + + return ret; } /** @@ -613,21 +656,25 @@ int _gnutls_x509_privkey_verify_signature( const gnutls_datum* tbs, * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_list_verify( gnutls_x509_crt* cert_list, int cert_list_length, - gnutls_x509_crt * CA_list, int CA_list_length, - gnutls_x509_crl* CRL_list, int CRL_list_length, - unsigned int flags, unsigned int *verify) +int gnutls_x509_crt_list_verify(gnutls_x509_crt * cert_list, + int cert_list_length, + gnutls_x509_crt * CA_list, + int CA_list_length, + gnutls_x509_crl * CRL_list, + int CRL_list_length, unsigned int flags, + unsigned int *verify) { - if (cert_list == NULL || cert_list_length == 0) - return GNUTLS_E_NO_CERTIFICATE_FOUND; + if (cert_list == NULL || cert_list_length == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; - /* Verify certificate - */ - *verify = - _gnutls_x509_verify_certificate( cert_list, cert_list_length, - CA_list, CA_list_length, CRL_list, CRL_list_length, flags); + /* Verify certificate + */ + *verify = + _gnutls_x509_verify_certificate(cert_list, cert_list_length, + CA_list, CA_list_length, CRL_list, + CRL_list_length, flags); - return 0; + return 0; } /** @@ -644,20 +691,22 @@ int gnutls_x509_crt_list_verify( gnutls_x509_crt* cert_list, int cert_list_lengt * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_verify( gnutls_x509_crt cert, - gnutls_x509_crt *CA_list, int CA_list_length, - unsigned int flags, unsigned int *verify) +int gnutls_x509_crt_verify(gnutls_x509_crt cert, + gnutls_x509_crt * CA_list, int CA_list_length, + unsigned int flags, unsigned int *verify) { -int ret; - /* Verify certificate - */ - ret = _gnutls_verify_certificate2( cert, CA_list, CA_list_length, flags, verify); - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret; + /* Verify certificate + */ + ret = + _gnutls_verify_certificate2(cert, CA_list, CA_list_length, flags, + verify); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -672,10 +721,10 @@ int ret; * A negative value is returned in case of an error. * **/ -int gnutls_x509_crt_check_issuer( gnutls_x509_crt cert, - gnutls_x509_crt issuer) +int gnutls_x509_crt_check_issuer(gnutls_x509_crt cert, + gnutls_x509_crt issuer) { - return is_issuer(cert, issuer); + return is_issuer(cert, issuer); } @@ -693,10 +742,10 @@ int gnutls_x509_crt_check_issuer( gnutls_x509_crt cert, * A negative value is returned in case of an error. * **/ -int gnutls_x509_crl_check_issuer( gnutls_x509_crl cert, - gnutls_x509_crt issuer) +int gnutls_x509_crl_check_issuer(gnutls_x509_crl cert, + gnutls_x509_crt issuer) { - return is_crl_issuer(cert, issuer); + return is_crl_issuer(cert, issuer); } /** @@ -714,20 +763,20 @@ int gnutls_x509_crl_check_issuer( gnutls_x509_crl cert, * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crl_verify( gnutls_x509_crl crl, - gnutls_x509_crt *CA_list, int CA_list_length, - unsigned int flags, unsigned int *verify) +int gnutls_x509_crl_verify(gnutls_x509_crl crl, + gnutls_x509_crt * CA_list, int CA_list_length, + unsigned int flags, unsigned int *verify) { -int ret; - /* Verify crl - */ - ret = _gnutls_verify_crl2( crl, CA_list, CA_list_length, flags, verify); - if (ret < 0) { - gnutls_assert(); - return ret; - } + int ret; + /* Verify crl + */ + ret = _gnutls_verify_crl2(crl, CA_list, CA_list_length, flags, verify); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } @@ -736,46 +785,48 @@ int ret; static int is_crl_issuer(gnutls_x509_crl crl, gnutls_x509_crt issuer_cert) { - gnutls_datum dn1 = {NULL, 0}, dn2 = {NULL, 0}; - int ret; + gnutls_datum dn1 = { NULL, 0 }, dn2 = { + NULL, 0}; + int ret; - ret = _gnutls_x509_crl_get_raw_issuer_dn( crl, &dn1); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - - ret = _gnutls_x509_crt_get_raw_dn( issuer_cert, &dn2); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_x509_crl_get_raw_issuer_dn(crl, &dn1); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } - ret = _gnutls_x509_compare_raw_dn( &dn1, &dn2); - -cleanup: - _gnutls_free_datum( &dn1); - _gnutls_free_datum( &dn2); - + ret = _gnutls_x509_crt_get_raw_dn(issuer_cert, &dn2); + if (ret < 0) { + gnutls_assert(); return ret; + } + + ret = _gnutls_x509_compare_raw_dn(&dn1, &dn2); + + cleanup: + _gnutls_free_datum(&dn1); + _gnutls_free_datum(&dn2); + + return ret; } static inline -gnutls_x509_crt find_crl_issuer(gnutls_x509_crl crl, - gnutls_x509_crt * trusted_cas, int tcas_size) + gnutls_x509_crt find_crl_issuer(gnutls_x509_crl crl, + gnutls_x509_crt * trusted_cas, + int tcas_size) { - int i; + int i; - /* this is serial search. - */ + /* this is serial search. + */ - for (i = 0; i < tcas_size; i++) { - if (is_crl_issuer(crl, trusted_cas[i]) == 1) - return trusted_cas[i]; - } + for (i = 0; i < tcas_size; i++) { + if (is_crl_issuer(crl, trusted_cas[i]) == 1) + return trusted_cas[i]; + } - gnutls_assert(); - return NULL; + gnutls_assert(); + return NULL; } /* @@ -788,72 +839,82 @@ gnutls_x509_crt find_crl_issuer(gnutls_x509_crl crl, * procedure. */ static int _gnutls_verify_crl2(gnutls_x509_crl crl, - gnutls_x509_crt *trusted_cas, int tcas_size, - unsigned int flags, unsigned int* output) + gnutls_x509_crt * trusted_cas, + int tcas_size, unsigned int flags, + unsigned int *output) { /* CRL is ignored for now */ -gnutls_datum crl_signed_data = { NULL, 0 }; -gnutls_datum crl_signature = { NULL, 0 }; -gnutls_x509_crt issuer; -int ret, result; - - if (output) *output = 0; - - if (tcas_size >= 1) - issuer = find_crl_issuer(crl, trusted_cas, tcas_size); - else { - gnutls_assert(); - if (output) *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - return 0; - } + gnutls_datum crl_signed_data = { NULL, 0 }; + gnutls_datum crl_signature = { NULL, 0 }; + gnutls_x509_crt issuer; + int ret, result; - /* issuer is not in trusted certificate - * authorities. - */ - if (issuer == NULL) { - gnutls_assert(); - if (output) *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - return 0; - } + if (output) + *output = 0; - if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN)) { - if (gnutls_x509_crt_get_ca_status(issuer, NULL) != 1) - { - gnutls_assert(); - if (output) *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; - return 0; - } - } + if (tcas_size >= 1) + issuer = find_crl_issuer(crl, trusted_cas, tcas_size); + else { + gnutls_assert(); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; + return 0; + } - result = _gnutls_x509_get_signed_data( crl->crl, "tbsCertList", &crl_signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + /* issuer is not in trusted certificate + * authorities. + */ + if (issuer == NULL) { + gnutls_assert(); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; + return 0; + } - result = _gnutls_x509_get_signature( crl->crl, "signature", &crl_signature); - if (result < 0) { - gnutls_assert(); - goto cleanup; + if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN)) { + if (gnutls_x509_crt_get_ca_status(issuer, NULL) != 1) { + gnutls_assert(); + if (output) + *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; + return 0; } + } - ret = _gnutls_x509_verify_signature(&crl_signed_data, &crl_signature, issuer); - if (ret < 0) { - gnutls_assert(); - } else if (ret == 0) { - gnutls_assert(); - /* error. ignore it */ - if (output) *output |= GNUTLS_CERT_INVALID; - ret = 0; - } + result = + _gnutls_x509_get_signed_data(crl->crl, "tbsCertList", + &crl_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + _gnutls_x509_get_signature(crl->crl, "signature", &crl_signature); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = + _gnutls_x509_verify_signature(&crl_signed_data, &crl_signature, + issuer); + if (ret < 0) { + gnutls_assert(); + } else if (ret == 0) { + gnutls_assert(); + /* error. ignore it */ + if (output) + *output |= GNUTLS_CERT_INVALID; + ret = 0; + } + + result = ret; + + cleanup: + _gnutls_free_datum(&crl_signed_data); + _gnutls_free_datum(&crl_signature); - result = ret; - -cleanup: - _gnutls_free_datum( &crl_signed_data); - _gnutls_free_datum( &crl_signature); - - return result; + return result; } #endif diff --git a/lib/x509/x509.c b/lib/x509/x509.c index 1692d3b2c5..afdadaf398 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -50,20 +50,20 @@ **/ int gnutls_x509_crt_init(gnutls_x509_crt * cert) { - *cert = gnutls_calloc( 1, sizeof(gnutls_x509_crt_int)); - - if (*cert) { - int result = asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Certificate", - &(*cert)->cert); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_free( *cert); - return _gnutls_asn2err(result); - } - return 0; /* success */ + *cert = gnutls_calloc(1, sizeof(gnutls_x509_crt_int)); + + if (*cert) { + int result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Certificate", + &(*cert)->cert); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*cert); + return _gnutls_asn2err(result); } - return GNUTLS_E_MEMORY_ERROR; + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /*- @@ -78,42 +78,43 @@ int gnutls_x509_crt_init(gnutls_x509_crt * cert) -*/ int _gnutls_x509_crt_cpy(gnutls_x509_crt dest, gnutls_x509_crt src) { -int ret; -size_t der_size; -opaque * der; -gnutls_datum tmp; - - ret = gnutls_x509_crt_export( src, GNUTLS_X509_FMT_DER, NULL, &der_size); - if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - return ret; - } + int ret; + size_t der_size; + opaque *der; + gnutls_datum tmp; + + ret = + gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, NULL, &der_size); + if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + return ret; + } - der = gnutls_alloca( der_size); - if (der == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + der = gnutls_alloca(der_size); + if (der == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - ret = gnutls_x509_crt_export( src, GNUTLS_X509_FMT_DER, der, &der_size); - if (ret < 0) { - gnutls_assert(); - gnutls_afree( der); - return ret; - } + ret = gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, der, &der_size); + if (ret < 0) { + gnutls_assert(); + gnutls_afree(der); + return ret; + } - tmp.data = der; - tmp.size = der_size; - ret = gnutls_x509_crt_import( dest, &tmp, GNUTLS_X509_FMT_DER); + tmp.data = der; + tmp.size = der_size; + ret = gnutls_x509_crt_import(dest, &tmp, GNUTLS_X509_FMT_DER); - gnutls_afree( der); + gnutls_afree(der); - if (ret < 0) { - gnutls_assert(); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } @@ -126,12 +127,13 @@ gnutls_datum tmp; **/ void gnutls_x509_crt_deinit(gnutls_x509_crt cert) { - if (!cert) return; + if (!cert) + return; - if (cert->cert) - asn1_delete_structure(&cert->cert); + if (cert->cert) + asn1_delete_structure(&cert->cert); - gnutls_free(cert); + gnutls_free(cert); } /** @@ -150,65 +152,70 @@ void gnutls_x509_crt_deinit(gnutls_x509_crt cert) * **/ int gnutls_x509_crt_import(gnutls_x509_crt cert, const gnutls_datum * data, - gnutls_x509_crt_fmt format) + gnutls_x509_crt_fmt format) { - int result = 0, need_free = 0; - gnutls_datum _data; - opaque *signature = NULL; + int result = 0, need_free = 0; + gnutls_datum _data; + opaque *signature = NULL; - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - _data.data = data->data; - _data.size = data->size; + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; - - /* Try the first header */ - result = _gnutls_fbase64_decode(PEM_X509_CERT2, data->data, data->size, - &out); - - if (result <= 0) { - /* try for the second header */ - result = _gnutls_fbase64_decode(PEM_X509_CERT, data->data, data->size, - &out); - - if (result <= 0) { - if (result==0) result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; - } - } - - _data.data = out; - _data.size = result; - - need_free = 1; - } + _data.data = data->data; + _data.size = data->size; - result = asn1_der_decoding(&cert->cert, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) { - result = _gnutls_asn2err(result); + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; + + /* Try the first header */ + result = + _gnutls_fbase64_decode(PEM_X509_CERT2, data->data, data->size, + &out); + + if (result <= 0) { + /* try for the second header */ + result = + _gnutls_fbase64_decode(PEM_X509_CERT, data->data, + data->size, &out); + + if (result <= 0) { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; gnutls_assert(); - goto cleanup; + return result; + } } - /* Since we do not want to disable any extension - */ - cert->use_extensions = 1; - if (need_free) _gnutls_free_datum( &_data); + _data.data = out; + _data.size = result; - return 0; + need_free = 1; + } - cleanup: - gnutls_free( signature); - if (need_free) _gnutls_free_datum( &_data); - return result; + result = asn1_der_decoding(&cert->cert, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + /* Since we do not want to disable any extension + */ + cert->use_extensions = 1; + if (need_free) + _gnutls_free_datum(&_data); + + return 0; + + cleanup: + gnutls_free(signature); + if (need_free) + _gnutls_free_datum(&_data); + return result; } @@ -230,15 +237,16 @@ int gnutls_x509_crt_import(gnutls_x509_crt cert, const gnutls_datum * data, * **/ int gnutls_x509_crt_get_issuer_dn(gnutls_x509_crt cert, char *buf, - size_t *sizeof_buf) + size_t * sizeof_buf) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_parse_dn( cert->cert, "tbsCertificate.issuer.rdnSequence", - buf, sizeof_buf); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_parse_dn(cert->cert, + "tbsCertificate.issuer.rdnSequence", buf, + sizeof_buf); } /** @@ -266,16 +274,19 @@ int gnutls_x509_crt_get_issuer_dn(gnutls_x509_crt cert, char *buf, * On success 0 is returned. * **/ -int gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt cert, const char* oid, - int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf) +int gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt cert, + const char *oid, int indx, + unsigned int raw_flag, void *buf, + size_t * sizeof_buf) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_parse_dn_oid( cert->cert, "tbsCertificate.issuer.rdnSequence", oid, - indx, raw_flag, buf, sizeof_buf); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_parse_dn_oid(cert->cert, + "tbsCertificate.issuer.rdnSequence", + oid, indx, raw_flag, buf, sizeof_buf); } /** @@ -295,16 +306,18 @@ int gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt cert, const char* oid, * On success 0 is returned. * **/ -int gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt cert, - int indx, void *oid, size_t *sizeof_oid) +int gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt cert, + int indx, void *oid, + size_t * sizeof_oid) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_get_dn_oid( cert->cert, "tbsCertificate.issuer.rdnSequence", - indx, oid, sizeof_oid); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_get_dn_oid(cert->cert, + "tbsCertificate.issuer.rdnSequence", + indx, oid, sizeof_oid); } /** @@ -325,15 +338,16 @@ int gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt cert, * **/ int gnutls_x509_crt_get_dn(gnutls_x509_crt cert, char *buf, - size_t *sizeof_buf) + size_t * sizeof_buf) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_parse_dn( cert->cert, "tbsCertificate.subject.rdnSequence", - buf, sizeof_buf); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_parse_dn(cert->cert, + "tbsCertificate.subject.rdnSequence", buf, + sizeof_buf); } /** @@ -361,16 +375,18 @@ int gnutls_x509_crt_get_dn(gnutls_x509_crt cert, char *buf, * On success 0 is returned. * **/ -int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt cert, const char* oid, - int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf) +int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt cert, const char *oid, + int indx, unsigned int raw_flag, + void *buf, size_t * sizeof_buf) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_parse_dn_oid( cert->cert, "tbsCertificate.subject.rdnSequence", oid, - indx, raw_flag, buf, sizeof_buf); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_parse_dn_oid(cert->cert, + "tbsCertificate.subject.rdnSequence", + oid, indx, raw_flag, buf, sizeof_buf); } /** @@ -390,16 +406,17 @@ int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt cert, const char* oid, * On success 0 is returned. * **/ -int gnutls_x509_crt_get_dn_oid(gnutls_x509_crt cert, - int indx, void *oid, size_t *sizeof_oid) +int gnutls_x509_crt_get_dn_oid(gnutls_x509_crt cert, + int indx, void *oid, size_t * sizeof_oid) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_get_dn_oid( cert->cert, "tbsCertificate.subject.rdnSequence", - indx, oid, sizeof_oid); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_get_dn_oid(cert->cert, + "tbsCertificate.subject.rdnSequence", + indx, oid, sizeof_oid); } /** @@ -414,29 +431,31 @@ int gnutls_x509_crt_get_dn_oid(gnutls_x509_crt cert, **/ int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt cert) { - int result; - gnutls_datum sa; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Read the signature algorithm. Note that parameters are not - * read. They will be read from the issuer's certificate if needed. - */ - result = _gnutls_x509_read_value( cert->cert, "signatureAlgorithm.algorithm", &sa, 0); + int result; + gnutls_datum sa; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Read the signature algorithm. Note that parameters are not + * read. They will be read from the issuer's certificate if needed. + */ + result = + _gnutls_x509_read_value(cert->cert, "signatureAlgorithm.algorithm", + &sa, 0); + + if (result < 0) { + gnutls_assert(); + return result; + } - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_oid2sign_algorithm( sa.data); + result = _gnutls_x509_oid2sign_algorithm(sa.data); - _gnutls_free_datum( &sa); + _gnutls_free_datum(&sa); - return result; + return result; } /** @@ -450,24 +469,26 @@ int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt cert) **/ int gnutls_x509_crt_get_version(gnutls_x509_crt cert) { - opaque version[5]; - int len, result; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - len = sizeof(version); - if ((result = asn1_read_value(cert->cert, "tbsCertificate.version", version, &len)) != - ASN1_SUCCESS) { - - if (result == ASN1_ELEMENT_NOT_FOUND) return 1; /* the DEFAULT version */ - gnutls_assert(); - return _gnutls_asn2err(result); - } - - return (int) version[0] + 1; + opaque version[5]; + int len, result; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + len = sizeof(version); + if ((result = + asn1_read_value(cert->cert, "tbsCertificate.version", version, + &len)) != ASN1_SUCCESS) { + + if (result == ASN1_ELEMENT_NOT_FOUND) + return 1; /* the DEFAULT version */ + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return (int) version[0] + 1; } /** @@ -481,12 +502,13 @@ int gnutls_x509_crt_get_version(gnutls_x509_crt cert) **/ time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt cert) { - if (cert==NULL) { - gnutls_assert(); - return (time_t)-1; - } + if (cert == NULL) { + gnutls_assert(); + return (time_t) - 1; + } - return _gnutls_x509_get_time( cert->cert, "tbsCertificate.validity.notBefore"); + return _gnutls_x509_get_time(cert->cert, + "tbsCertificate.validity.notBefore"); } /** @@ -500,12 +522,13 @@ time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt cert) **/ time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt cert) { - if (cert==NULL) { - gnutls_assert(); - return (time_t)-1; - } + if (cert == NULL) { + gnutls_assert(); + return (time_t) - 1; + } - return _gnutls_x509_get_time( cert->cert, "tbsCertificate.validity.notAfter"); + return _gnutls_x509_get_time(cert->cert, + "tbsCertificate.validity.notAfter"); } /** @@ -523,22 +546,24 @@ time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt cert) * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_get_serial(gnutls_x509_crt cert, void* result, - size_t* result_size) +int gnutls_x509_crt_get_serial(gnutls_x509_crt cert, void *result, + size_t * result_size) { - int ret; + int ret; - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if ((ret = asn1_read_value(cert->cert, "tbsCertificate.serialNumber", result, result_size)) < 0) { - gnutls_assert(); - return _gnutls_asn2err(ret); - } + if ((ret = + asn1_read_value(cert->cert, "tbsCertificate.serialNumber", result, + result_size)) < 0) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } - return 0; + return 0; } /** @@ -555,66 +580,69 @@ int gnutls_x509_crt_get_serial(gnutls_x509_crt cert, void* result, * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt cert, void* ret, - size_t* ret_size, unsigned int* critical) +int gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt cert, void *ret, + size_t * ret_size, + unsigned int *critical) { - int result, len; - gnutls_datum id; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - - if (ret) memset(ret, 0, *ret_size); - else *ret_size = 0; - - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.14", 0, &id, critical)) < 0) { - return result; - } + int result, len; + gnutls_datum id; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - if (id.size == 0 || id.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.SubjectKeyIdentifier", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum( &id); - return _gnutls_asn2err(result); - } - result = asn1_der_decoding(&c2, id.data, id.size, NULL); - _gnutls_free_datum( &id); + if (ret) + memset(ret, 0, *ret_size); + else + *ret_size = 0; - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.14", 0, &id, + critical)) < 0) { + return result; + } + + if (id.size == 0 || id.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.SubjectKeyIdentifier", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&id); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, id.data, id.size, NULL); + _gnutls_free_datum(&id); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - len = *ret_size; - result = - asn1_read_value(c2, "", ret, &len); + len = *ret_size; + result = asn1_read_value(c2, "", ret, &len); - *ret_size = len; - asn1_delete_structure(&c2); + *ret_size = len; + asn1_delete_structure(&c2); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /** @@ -632,66 +660,69 @@ int gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt cert, void* ret, * Returns 0 on success and a negative value in case of an error. * **/ -int gnutls_x509_crt_get_authority_key_id(gnutls_x509_crt cert, void* ret, - size_t* ret_size, unsigned int* critical) +int gnutls_x509_crt_get_authority_key_id(gnutls_x509_crt cert, void *ret, + size_t * ret_size, + unsigned int *critical) { - int result, len; - gnutls_datum id; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int result, len; + gnutls_datum id; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (ret) memset(ret, 0, *ret_size); - else *ret_size = 0; - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.35", 0, &id, critical)) < 0) { - return result; - } + if (ret) + memset(ret, 0, *ret_size); + else + *ret_size = 0; - if (id.size == 0 || id.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.AuthorityKeyIdentifier", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum( &id); - return _gnutls_asn2err(result); - } + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.35", 0, &id, + critical)) < 0) { + return result; + } + + if (id.size == 0 || id.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.AuthorityKeyIdentifier", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&id); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, id.data, id.size, NULL); + _gnutls_free_datum(&id); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding(&c2, id.data, id.size, NULL); - _gnutls_free_datum( &id); + len = *ret_size; + result = asn1_read_value(c2, "keyIdentifier", ret, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + *ret_size = len; + asn1_delete_structure(&c2); - len = *ret_size; - result = - asn1_read_value(c2, "keyIdentifier", ret, &len); - - *ret_size = len; - asn1_delete_structure(&c2); + if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - return 0; + return 0; } /** @@ -711,85 +742,87 @@ int gnutls_x509_crt_get_authority_key_id(gnutls_x509_crt cert, void* ret, * or a negative value on error. * **/ -int gnutls_x509_crt_get_pk_algorithm( gnutls_x509_crt cert, unsigned int* bits) +int gnutls_x509_crt_get_pk_algorithm(gnutls_x509_crt cert, + unsigned int *bits) { - int result; + int result; - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_get_pk_algorithm( cert->cert, "tbsCertificate.subjectPublicKeyInfo", - bits); - - if (result < 0) { - gnutls_assert(); - return result; - } + result = + _gnutls_x509_get_pk_algorithm(cert->cert, + "tbsCertificate.subjectPublicKeyInfo", + bits); + if (result < 0) { + gnutls_assert(); return result; + } + + return result; } /* returns the type and the name. */ -static int parse_general_name( ASN1_TYPE src, const char* src_name, - int seq, void* name, size_t *name_size) +static int parse_general_name(ASN1_TYPE src, const char *src_name, + int seq, void *name, size_t * name_size) { -int len; -char num[MAX_INT_DIGITS]; -char nptr[128]; -int result; -opaque choice_type[128]; -gnutls_x509_subject_alt_name type; + int len; + char num[MAX_INT_DIGITS]; + char nptr[128]; + int result; + opaque choice_type[128]; + gnutls_x509_subject_alt_name type; - seq++; /* 0->1, 1->2 etc */ - _gnutls_int2str( seq, num); + seq++; /* 0->1, 1->2 etc */ + _gnutls_int2str(seq, num); - _gnutls_str_cpy( nptr, sizeof(nptr), src_name); - if (src_name[0] != 0) _gnutls_str_cat( nptr, sizeof(nptr), "."); + _gnutls_str_cpy(nptr, sizeof(nptr), src_name); + if (src_name[0] != 0) + _gnutls_str_cat(nptr, sizeof(nptr), "."); - _gnutls_str_cat( nptr, sizeof(nptr), "?"); - _gnutls_str_cat( nptr, sizeof(nptr), num); + _gnutls_str_cat(nptr, sizeof(nptr), "?"); + _gnutls_str_cat(nptr, sizeof(nptr), num); - len = sizeof(choice_type); - result = - asn1_read_value(src, nptr, choice_type, &len); + len = sizeof(choice_type); + result = asn1_read_value(src, nptr, choice_type, &len); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - type = _gnutls_x509_san_find_type( choice_type); - if (type == (gnutls_x509_subject_alt_name)-1) { - gnutls_assert(); - return GNUTLS_E_X509_UNKNOWN_SAN; - } + type = _gnutls_x509_san_find_type(choice_type); + if (type == (gnutls_x509_subject_alt_name) - 1) { + gnutls_assert(); + return GNUTLS_E_X509_UNKNOWN_SAN; + } - _gnutls_str_cat( nptr, sizeof(nptr), "."); - _gnutls_str_cat( nptr, sizeof(nptr), choice_type); + _gnutls_str_cat(nptr, sizeof(nptr), "."); + _gnutls_str_cat(nptr, sizeof(nptr), choice_type); - len = *name_size; - result = - asn1_read_value(src, nptr, name, &len); - *name_size = len; + len = *name_size; + result = asn1_read_value(src, nptr, name, &len); + *name_size = len; - if (result==ASN1_MEM_ERROR) - return GNUTLS_E_SHORT_MEMORY_BUFFER; - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result == ASN1_MEM_ERROR) + return GNUTLS_E_SHORT_MEMORY_BUFFER; + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return type; + return type; } /** @@ -815,60 +848,65 @@ gnutls_x509_subject_alt_name type; * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; * **/ -int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt cert, - unsigned int seq, void *ret, size_t *ret_size, unsigned int *critical) +int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt cert, + unsigned int seq, void *ret, + size_t * ret_size, + unsigned int *critical) { - int result; - gnutls_datum dnsname; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - gnutls_x509_subject_alt_name type; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (ret) memset(ret, 0, *ret_size); - else *ret_size = 0; - - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.17", 0, &dnsname, critical)) < 0) { - return result; - } - - if (dnsname.size == 0 || dnsname.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.SubjectAltName", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum( &dnsname); - return _gnutls_asn2err(result); - } - - result = asn1_der_decoding(&c2, dnsname.data, dnsname.size, NULL); - _gnutls_free_datum( &dnsname); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + int result; + gnutls_datum dnsname; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + gnutls_x509_subject_alt_name type; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (ret) + memset(ret, 0, *ret_size); + else + *ret_size = 0; + + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.17", 0, &dnsname, + critical)) < 0) { + return result; + } + + if (dnsname.size == 0 || dnsname.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.SubjectAltName", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&dnsname); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, dnsname.data, dnsname.size, NULL); + _gnutls_free_datum(&dnsname); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - result = parse_general_name( c2, "", seq, ret, ret_size); + result = parse_general_name(c2, "", seq, ret, ret_size); - asn1_delete_structure(&c2); + asn1_delete_structure(&c2); - if (result < 0) { - return result; - } + if (result < 0) { + return result; + } - type = result; + type = result; - return type; + return type; } /** @@ -886,38 +924,43 @@ int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt cert, * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. * **/ -int gnutls_x509_crt_get_ca_status(gnutls_x509_crt cert, unsigned int* critical) +int gnutls_x509_crt_get_ca_status(gnutls_x509_crt cert, + unsigned int *critical) { - int result; - gnutls_datum basicConstraints; - int ca; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int result; + gnutls_datum basicConstraints; + int ca; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.19", 0, + &basicConstraints, + critical)) < 0) { + gnutls_assert(); + return result; + } - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.19", 0, &basicConstraints, critical)) < 0) { - gnutls_assert(); - return result; - } + if (basicConstraints.size == 0 || basicConstraints.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if (basicConstraints.size == 0 || basicConstraints.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - result = _gnutls_x509_ext_extract_basicConstraints( &ca, basicConstraints.data, - basicConstraints.size); - _gnutls_free_datum( &basicConstraints); + result = + _gnutls_x509_ext_extract_basicConstraints(&ca, + basicConstraints.data, + basicConstraints.size); + _gnutls_free_datum(&basicConstraints); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return ca; + return ca; } /** @@ -939,40 +982,42 @@ int gnutls_x509_crt_get_ca_status(gnutls_x509_crt cert, unsigned int* critical) * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. * **/ -int gnutls_x509_crt_get_key_usage(gnutls_x509_crt cert, unsigned int *key_usage, - unsigned int *critical) +int gnutls_x509_crt_get_key_usage(gnutls_x509_crt cert, + unsigned int *key_usage, + unsigned int *critical) { - int result; - gnutls_datum keyUsage; - uint16 _usage; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int result; + gnutls_datum keyUsage; + uint16 _usage; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.15", 0, &keyUsage, + critical)) < 0) { + return result; + } - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.15", 0, &keyUsage, critical)) < 0) { - return result; - } + if (keyUsage.size == 0 || keyUsage.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if (keyUsage.size == 0 || keyUsage.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + result = _gnutls_x509_ext_extract_keyUsage(&_usage, keyUsage.data, + keyUsage.size); + _gnutls_free_datum(&keyUsage); - result = _gnutls_x509_ext_extract_keyUsage( &_usage, keyUsage.data, - keyUsage.size); - _gnutls_free_datum( &keyUsage); - - *key_usage = _usage; + *key_usage = _usage; - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /** @@ -993,43 +1038,46 @@ int gnutls_x509_crt_get_key_usage(gnutls_x509_crt cert, unsigned int *key_usage, * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. * **/ -int gnutls_x509_crt_get_extension_by_oid(gnutls_x509_crt cert, const char* oid, - int indx, void* buf, size_t * sizeof_buf, unsigned int * critical) +int gnutls_x509_crt_get_extension_by_oid(gnutls_x509_crt cert, + const char *oid, int indx, + void *buf, size_t * sizeof_buf, + unsigned int *critical) { - int result; - gnutls_datum output; + int result; + gnutls_datum output; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if ((result = + _gnutls_x509_crt_get_extension(cert, oid, indx, &output, + critical)) < 0) { + gnutls_assert(); + return result; + } - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (output.size == 0 || output.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if ((result = - _gnutls_x509_crt_get_extension(cert, oid, indx, &output, critical)) < 0) { - gnutls_assert(); - return result; - } + if (output.size > (unsigned int) *sizeof_buf) { + *sizeof_buf = output.size; + _gnutls_free_datum(&output); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - if (output.size == 0 || output.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + *sizeof_buf = output.size; - if (output.size > (unsigned int)*sizeof_buf) { - *sizeof_buf = output.size; - _gnutls_free_datum( &output); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } + if (buf) + memcpy(buf, output.data, output.size); - *sizeof_buf = output.size; - - if (buf) - memcpy( buf, output.data, output.size); + _gnutls_free_datum(&output); + + return 0; - _gnutls_free_datum( &output); - - return 0; - } /** @@ -1047,79 +1095,82 @@ int gnutls_x509_crt_get_extension_by_oid(gnutls_x509_crt cert, const char* oid, * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. * **/ -int gnutls_x509_crt_get_extension_oid(gnutls_x509_crt cert, int indx, - void* oid, size_t * sizeof_oid) +int gnutls_x509_crt_get_extension_oid(gnutls_x509_crt cert, int indx, + void *oid, size_t * sizeof_oid) { - int result; + int result; - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = - _gnutls_x509_crt_get_extension_oid(cert, indx, oid, sizeof_oid); - if (result < 0) { - return result; - } + result = + _gnutls_x509_crt_get_extension_oid(cert, indx, oid, sizeof_oid); + if (result < 0) { + return result; + } + + return 0; - return 0; - } static -int _gnutls_x509_crt_get_raw_dn2( gnutls_x509_crt cert, - const char* whom, gnutls_datum* start) +int _gnutls_x509_crt_get_raw_dn2(gnutls_x509_crt cert, + const char *whom, gnutls_datum * start) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len1; - int start1, end1; - gnutls_datum signed_data; - - /* get the issuer of 'cert' - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), "PKIX1.TBSCertificate", - &c2)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_x509_get_signed_data( cert->cert, "tbsCertificate", &signed_data); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len1; + int start1, end1; + gnutls_datum signed_data; + + /* get the issuer of 'cert' + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.TBSCertificate", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate", + &signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + asn1_der_decoding(&c2, signed_data.data, signed_data.size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + result = _gnutls_asn2err(result); + goto cleanup; + } - result = asn1_der_decoding(&c2, signed_data.data, signed_data.size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - result = _gnutls_asn2err(result); - goto cleanup; - } + result = + asn1_der_decoding_startEnd(c2, signed_data.data, signed_data.size, + whom, &start1, &end1); - result = - asn1_der_decoding_startEnd(c2, signed_data.data, signed_data.size, - whom, &start1, &end1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; - } - - len1 = end1 - start1 + 1; + len1 = end1 - start1 + 1; - _gnutls_set_datum( start, &signed_data.data[start1], len1); + _gnutls_set_datum(start, &signed_data.data[start1], len1); - result = 0; + result = 0; -cleanup: - asn1_delete_structure(&c2); - _gnutls_free_datum( &signed_data); - return result; + cleanup: + asn1_delete_structure(&c2); + _gnutls_free_datum(&signed_data); + return result; } /*- @@ -1133,10 +1184,10 @@ cleanup: * Returns 0 on success or a negative value on error. * -*/ -int _gnutls_x509_crt_get_raw_issuer_dn( gnutls_x509_crt cert, - gnutls_datum* start) +int _gnutls_x509_crt_get_raw_issuer_dn(gnutls_x509_crt cert, + gnutls_datum * start) { - return _gnutls_x509_crt_get_raw_dn2( cert, "issuer", start); + return _gnutls_x509_crt_get_raw_dn2(cert, "issuer", start); } /*- @@ -1150,10 +1201,9 @@ int _gnutls_x509_crt_get_raw_issuer_dn( gnutls_x509_crt cert, * Returns 0 on success, or a negative value on error. * -*/ -int _gnutls_x509_crt_get_raw_dn( gnutls_x509_crt cert, - gnutls_datum * start) +int _gnutls_x509_crt_get_raw_dn(gnutls_x509_crt cert, gnutls_datum * start) { - return _gnutls_x509_crt_get_raw_dn2( cert, "subject", start); + return _gnutls_x509_crt_get_raw_dn2(cert, "subject", start); } @@ -1174,44 +1224,44 @@ int _gnutls_x509_crt_get_raw_dn( gnutls_x509_crt cert, * On success 0 is returned. * **/ -int gnutls_x509_crt_get_fingerprint(gnutls_x509_crt cert, - gnutls_digest_algorithm algo, void *buf, - size_t *sizeof_buf) +int gnutls_x509_crt_get_fingerprint(gnutls_x509_crt cert, + gnutls_digest_algorithm algo, + void *buf, size_t * sizeof_buf) { -opaque *cert_buf; -int cert_buf_size; -int result; -gnutls_datum tmp; + opaque *cert_buf; + int cert_buf_size; + int result; + gnutls_datum tmp; - if (sizeof_buf == 0 || cert == NULL) { - return GNUTLS_E_INVALID_REQUEST; - } + if (sizeof_buf == 0 || cert == NULL) { + return GNUTLS_E_INVALID_REQUEST; + } - cert_buf_size = 0; - asn1_der_coding( cert->cert, "", NULL, &cert_buf_size, NULL); + cert_buf_size = 0; + asn1_der_coding(cert->cert, "", NULL, &cert_buf_size, NULL); - cert_buf = gnutls_alloca( cert_buf_size); - if (cert_buf == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + cert_buf = gnutls_alloca(cert_buf_size); + if (cert_buf == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - result = asn1_der_coding( cert->cert, "", - cert_buf, &cert_buf_size, NULL); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - gnutls_afree( cert_buf); - return _gnutls_asn2err(result); - } - - tmp.data = cert_buf; - tmp.size = cert_buf_size; + result = asn1_der_coding(cert->cert, "", + cert_buf, &cert_buf_size, NULL); - result = gnutls_fingerprint( algo, &tmp, buf, sizeof_buf); - gnutls_afree( cert_buf); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_afree(cert_buf); + return _gnutls_asn2err(result); + } - return result; + tmp.data = cert_buf; + tmp.size = cert_buf_size; + + result = gnutls_fingerprint(algo, &tmp, buf, sizeof_buf); + gnutls_afree(cert_buf); + + return result; } /** @@ -1233,16 +1283,18 @@ gnutls_datum tmp; * 0 on success. * **/ -int gnutls_x509_crt_export( gnutls_x509_crt cert, - gnutls_x509_crt_fmt format, void* output_data, size_t* output_data_size) +int gnutls_x509_crt_export(gnutls_x509_crt cert, + gnutls_x509_crt_fmt format, void *output_data, + size_t * output_data_size) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_export_int( cert->cert, format, "CERTIFICATE", *output_data_size, - output_data, output_data_size); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_export_int(cert->cert, format, "CERTIFICATE", + *output_data_size, output_data, + output_data_size); } @@ -1265,78 +1317,81 @@ int gnutls_x509_crt_export( gnutls_x509_crt cert, * 0 on success. * **/ -int gnutls_x509_crt_get_key_id( gnutls_x509_crt crt, unsigned int flags, - unsigned char* output_data, size_t* output_data_size) +int gnutls_x509_crt_get_key_id(gnutls_x509_crt crt, unsigned int flags, + unsigned char *output_data, + size_t * output_data_size) { -mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; -int params_size = MAX_PUBLIC_PARAMS_SIZE; -int i, pk, result = 0; -gnutls_datum der = { NULL, 0 }; -GNUTLS_HASH_HANDLE hd; + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + int params_size = MAX_PUBLIC_PARAMS_SIZE; + int i, pk, result = 0; + gnutls_datum der = { NULL, 0 }; + GNUTLS_HASH_HANDLE hd; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (*output_data_size < 20) { + gnutls_assert(); + *output_data_size = 20; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + pk = gnutls_x509_crt_get_pk_algorithm(crt, NULL); - if (*output_data_size < 20) { - gnutls_assert(); - *output_data_size = 20; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } + if (pk < 0) { + gnutls_assert(); + return pk; + } - pk = gnutls_x509_crt_get_pk_algorithm( crt, NULL); - - if ( pk < 0) { - gnutls_assert(); - return pk; - } + result = _gnutls_x509_crt_get_mpis(crt, params, ¶ms_size); - result = _gnutls_x509_crt_get_mpis( crt, params, ¶ms_size); - + if (result < 0) { + gnutls_assert(); + return result; + } + + if (pk == GNUTLS_PK_RSA) { + result = _gnutls_x509_write_rsa_params(params, params_size, &der); if (result < 0) { - gnutls_assert(); - return result; + gnutls_assert(); + goto cleanup; } - - if (pk == GNUTLS_PK_RSA) { - result = _gnutls_x509_write_rsa_params( params, params_size, &der); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } else if (pk == GNUTLS_PK_DSA) { - result = _gnutls_x509_write_dsa_public_key( params, params_size, &der); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - } else return GNUTLS_E_INTERNAL_ERROR; - - hd = _gnutls_hash_init( GNUTLS_MAC_SHA); - if (hd == GNUTLS_HASH_FAILED) { - gnutls_assert(); - result = GNUTLS_E_INTERNAL_ERROR; - goto cleanup; + } else if (pk == GNUTLS_PK_DSA) { + result = + _gnutls_x509_write_dsa_public_key(params, params_size, &der); + if (result < 0) { + gnutls_assert(); + goto cleanup; } - - _gnutls_hash( hd, der.data, der.size); + } else + return GNUTLS_E_INTERNAL_ERROR; - _gnutls_hash_deinit( hd, output_data); - *output_data_size = 20; + hd = _gnutls_hash_init(GNUTLS_MAC_SHA); + if (hd == GNUTLS_HASH_FAILED) { + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + goto cleanup; + } - result = 0; + _gnutls_hash(hd, der.data, der.size); - cleanup: - - _gnutls_free_datum( &der); + _gnutls_hash_deinit(hd, output_data); + *output_data_size = 20; - /* release all allocated MPIs - */ - for (i = 0; i < params_size; i++) { - _gnutls_mpi_release( ¶ms[i]); - } - return result; + result = 0; + + cleanup: + + _gnutls_free_datum(&der); + + /* release all allocated MPIs + */ + for (i = 0; i < params_size; i++) { + _gnutls_mpi_release(¶ms[i]); + } + return result; } @@ -1356,90 +1411,86 @@ GNUTLS_HASH_HANDLE hd; * **/ int gnutls_x509_crt_check_revocation(gnutls_x509_crt cert, - gnutls_x509_crl * crl_list, - int crl_list_length) + gnutls_x509_crl * crl_list, + int crl_list_length) { - opaque serial[64]; - opaque cert_serial[64]; - size_t serial_size, cert_serial_size; - int ncerts, ret, i, j; - gnutls_datum dn1, dn2; + opaque serial[64]; + opaque cert_serial[64]; + size_t serial_size, cert_serial_size; + int ncerts, ret, i, j; + gnutls_datum dn1, dn2; - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + for (j = 0; j < crl_list_length; j++) { /* do for all the crls */ + + /* Step 1. check if issuer's DN match + */ + ret = _gnutls_x509_crl_get_raw_issuer_dn(crl_list[j], &dn1); + if (ret < 0) { + gnutls_assert(); + return ret; } - for (j = 0; j < crl_list_length; j++) { /* do for all the crls */ + ret = _gnutls_x509_crt_get_raw_issuer_dn(cert, &dn2); + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* Step 1. check if issuer's DN match - */ - ret = _gnutls_x509_crl_get_raw_issuer_dn(crl_list[j], &dn1); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ret = _gnutls_x509_compare_raw_dn(&dn1, &dn2); + if (ret == 0) { + /* issuers do not match so don't even + * bother checking. + */ + continue; + } - ret = - _gnutls_x509_crt_get_raw_issuer_dn(cert, &dn2); - if (ret < 0) { - gnutls_assert(); - return ret; - } + /* Step 2. Read the certificate's serial number + */ + cert_serial_size = sizeof(cert_serial); + ret = + gnutls_x509_crt_get_serial(cert, cert_serial, + &cert_serial_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = _gnutls_x509_compare_raw_dn(&dn1, &dn2); - if (ret == 0) { - /* issuers do not match so don't even - * bother checking. - */ - continue; - } + /* Step 3. cycle through the CRL serials and compare with + * certificate serial we have. + */ - /* Step 2. Read the certificate's serial number - */ - cert_serial_size = sizeof(cert_serial); - ret = - gnutls_x509_crt_get_serial(cert, cert_serial, - &cert_serial_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } + ncerts = gnutls_x509_crl_get_crt_count(crl_list[j]); + if (ncerts < 0) { + gnutls_assert(); + return ncerts; + } - /* Step 3. cycle through the CRL serials and compare with - * certificate serial we have. - */ + for (i = 0; i < ncerts; i++) { + serial_size = sizeof(serial); + ret = + gnutls_x509_crl_get_crt_serial(crl_list[j], i, serial, + &serial_size, NULL); - ncerts = gnutls_x509_crl_get_crt_count(crl_list[j]); - if (ncerts < 0) { - gnutls_assert(); - return ncerts; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - for (i = 0; i < ncerts; i++) { - serial_size = sizeof(serial); - ret = - gnutls_x509_crl_get_crt_serial(crl_list[j], i, serial, - &serial_size, - NULL); - - if (ret < 0) { - gnutls_assert(); - return ret; - } - - if (serial_size == cert_serial_size) { - if (memcmp - (serial, cert_serial, - serial_size) == 0) { - /* serials match */ - return 1; /* revoked! */ - } - } + if (serial_size == cert_serial_size) { + if (memcmp(serial, cert_serial, serial_size) == 0) { + /* serials match */ + return 1; /* revoked! */ } - + } } - return 0; /* not revoked. */ + + } + return 0; /* not revoked. */ } /** @@ -1456,23 +1507,24 @@ int gnutls_x509_crt_check_revocation(gnutls_x509_crt cert, * 1 on success. * **/ -int gnutls_x509_crt_verify_data( gnutls_x509_crt crt, unsigned int flags, - const gnutls_datum* data, const gnutls_datum* signature) +int gnutls_x509_crt_verify_data(gnutls_x509_crt crt, unsigned int flags, + const gnutls_datum * data, + const gnutls_datum * signature) { -int result; + int result; - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_verify_signature( data, signature, crt); - if (result < 0) { - gnutls_assert(); - return 0; - } - - return result; + result = _gnutls_x509_verify_signature(data, signature, crt); + if (result < 0) { + gnutls_assert(); + return 0; + } + + return result; } /** @@ -1505,92 +1557,98 @@ int result; * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; * **/ -int gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt cert, - unsigned int seq, void *ret, size_t *ret_size, - unsigned int* reason_flags, unsigned int *critical) +int gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt cert, + unsigned int seq, void *ret, + size_t * ret_size, + unsigned int *reason_flags, + unsigned int *critical) { - int result; - gnutls_datum dist_points = {NULL, 0}; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - char name[128]; - int len; - char num[MAX_INT_DIGITS]; - gnutls_x509_subject_alt_name type; - uint8 reasons[2]; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + int result; + gnutls_datum dist_points = { NULL, 0 }; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + char name[128]; + int len; + char num[MAX_INT_DIGITS]; + gnutls_x509_subject_alt_name type; + uint8 reasons[2]; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (ret) + memset(ret, 0, *ret_size); + else + *ret_size = 0; + + if (reason_flags) + *reason_flags = 0; + + result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.31", 0, &dist_points, + critical); + if (result < 0) { + return result; + } + + if (dist_points.size == 0 || dist_points.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&dist_points); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding(&c2, dist_points.data, dist_points.size, NULL); + _gnutls_free_datum(&dist_points); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - if (ret) memset(ret, 0, *ret_size); - else *ret_size = 0; - - if (reason_flags) *reason_flags = 0; + /* Return the different names from the first CRLDistr. point. + * The whole thing is a mess. + */ + _gnutls_str_cpy(name, sizeof(name), "?1.distributionPoint.fullName"); - result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.31", 0, &dist_points, critical); - if (result < 0) { - return result; - } - - if (dist_points.size == 0 || dist_points.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + result = parse_general_name(c2, name, seq, ret, ret_size); + if (result < 0) { + asn1_delete_structure(&c2); + return result; + } - result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum( &dist_points); - return _gnutls_asn2err(result); - } + type = result; - result = asn1_der_decoding(&c2, dist_points.data, dist_points.size, NULL); - _gnutls_free_datum( &dist_points); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + /* Read the CRL reasons. + */ + if (reason_flags) { + _gnutls_str_cpy(name, sizeof(name), "?"); + _gnutls_str_cat(name, sizeof(name), num); + _gnutls_str_cat(name, sizeof(name), ".reasons"); - /* Return the different names from the first CRLDistr. point. - * The whole thing is a mess. - */ - _gnutls_str_cpy( name, sizeof(name), "?1.distributionPoint.fullName"); + len = sizeof(reasons); + result = asn1_read_value(c2, name, reasons, &len); - result = parse_general_name( c2, name, seq, ret, ret_size); - if (result < 0) { - asn1_delete_structure(&c2); - return result; + if (result != ASN1_VALUE_NOT_FOUND && result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); } - - type = result; - - /* Read the CRL reasons. - */ - if (reason_flags) { - _gnutls_str_cpy( name, sizeof(name), "?"); - _gnutls_str_cat( name, sizeof(name), num); - _gnutls_str_cat( name, sizeof(name), ".reasons"); - - len = sizeof(reasons); - result = - asn1_read_value(c2, name, reasons, &len); - - if (result != ASN1_VALUE_NOT_FOUND && result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } - - *reason_flags = reasons[0] | (reasons[1] << 8); - } + *reason_flags = reasons[0] | (reasons[1] << 8); + } - return type; + return type; } /** @@ -1611,74 +1669,78 @@ int gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt cert, * On success 0 is returned. * **/ -int gnutls_x509_crt_get_key_purpose_oid(gnutls_x509_crt cert, - int indx, void *oid, size_t *sizeof_oid, unsigned int* critical) +int gnutls_x509_crt_get_key_purpose_oid(gnutls_x509_crt cert, + int indx, void *oid, + size_t * sizeof_oid, + unsigned int *critical) { - char counter[MAX_INT_DIGITS]; - char tmpstr[64]; - int result, len; - gnutls_datum id; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (oid) memset(oid, 0, *sizeof_oid); - else *sizeof_oid = 0; - - if ((result = - _gnutls_x509_crt_get_extension(cert, "2.5.29.37", 0, &id, critical)) < 0) { - return result; - } - - if (id.size == 0 || id.data==NULL) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - _gnutls_free_datum( &id); - return _gnutls_asn2err(result); - } - - result = asn1_der_decoding(&c2, id.data, id.size, NULL); - _gnutls_free_datum( &id); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + char counter[MAX_INT_DIGITS]; + char tmpstr[64]; + int result, len; + gnutls_datum id; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (oid) + memset(oid, 0, *sizeof_oid); + else + *sizeof_oid = 0; + + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.37", 0, &id, + critical)) < 0) { + return result; + } + + if (id.size == 0 || id.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&id); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, id.data, id.size, NULL); + _gnutls_free_datum(&id); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - indx++; - /* create a string like "?1" - */ - _gnutls_int2str(indx, counter); - _gnutls_str_cpy(tmpstr, sizeof(tmpstr), "?"); - _gnutls_str_cat(tmpstr, sizeof(tmpstr), counter); + indx++; + /* create a string like "?1" + */ + _gnutls_int2str(indx, counter); + _gnutls_str_cpy(tmpstr, sizeof(tmpstr), "?"); + _gnutls_str_cat(tmpstr, sizeof(tmpstr), counter); - len = *sizeof_oid; - result = - asn1_read_value(c2, tmpstr, oid, &len); + len = *sizeof_oid; + result = asn1_read_value(c2, tmpstr, oid, &len); - *sizeof_oid = len; - asn1_delete_structure(&c2); + *sizeof_oid = len; + asn1_delete_structure(&c2); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } @@ -1694,44 +1756,50 @@ int gnutls_x509_crt_get_key_purpose_oid(gnutls_x509_crt cert, * **/ int gnutls_x509_crt_get_pk_rsa_raw(gnutls_x509_crt crt, - gnutls_datum * m, gnutls_datum *e) + gnutls_datum * m, gnutls_datum * e) { -int ret; -mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; -int params_size = MAX_PUBLIC_PARAMS_SIZE; -int i; - - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_x509_crt_get_mpis( crt, params, ¶ms_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - ret = _gnutls_mpi_dprint(m, params[0]); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - - ret = _gnutls_mpi_dprint(e, params[1]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(m); - goto cleanup; - } - - ret = 0; - -cleanup: - for (i = 0; i < params_size; i++) { - _gnutls_mpi_release( ¶ms[i]); - } + int ret; + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + int params_size = MAX_PUBLIC_PARAMS_SIZE; + int i; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = gnutls_x509_crt_get_pk_algorithm(crt, NULL); + if (ret != GNUTLS_PK_RSA) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_x509_crt_get_mpis(crt, params, ¶ms_size); + if (ret < 0) { + gnutls_assert(); return ret; + } + + ret = _gnutls_mpi_dprint(m, params[0]); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = _gnutls_mpi_dprint(e, params[1]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(m); + goto cleanup; + } + + ret = 0; + + cleanup: + for (i = 0; i < params_size; i++) { + _gnutls_mpi_release(¶ms[i]); + } + return ret; } /** @@ -1748,69 +1816,75 @@ cleanup: * **/ int gnutls_x509_crt_get_pk_dsa_raw(gnutls_x509_crt crt, - gnutls_datum * p, gnutls_datum *q, - gnutls_datum *g, gnutls_datum *y) + gnutls_datum * p, gnutls_datum * q, + gnutls_datum * g, gnutls_datum * y) { -int ret; -mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; -int params_size = MAX_PUBLIC_PARAMS_SIZE; -int i; - - if (crt == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_x509_crt_get_mpis( crt, params, ¶ms_size); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - - /* P */ - ret = _gnutls_mpi_dprint(p, params[0]); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - - /* Q */ - ret = _gnutls_mpi_dprint(q, params[1]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - goto cleanup; - } - - - /* G */ - ret = _gnutls_mpi_dprint(g, params[2]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - _gnutls_free_datum(q); - goto cleanup; - } - - - /* Y */ - ret = _gnutls_mpi_dprint(y, params[3]); - if (ret < 0) { - gnutls_assert(); - _gnutls_free_datum(p); - _gnutls_free_datum(g); - _gnutls_free_datum(q); - goto cleanup; - } - - ret = 0; - -cleanup: - for (i = 0; i < params_size; i++) { - _gnutls_mpi_release( ¶ms[i]); - } + int ret; + mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; + int params_size = MAX_PUBLIC_PARAMS_SIZE; + int i; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = gnutls_x509_crt_get_pk_algorithm(crt, NULL); + if (ret != GNUTLS_PK_DSA) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_x509_crt_get_mpis(crt, params, ¶ms_size); + if (ret < 0) { + gnutls_assert(); return ret; + } + + + /* P */ + ret = _gnutls_mpi_dprint(p, params[0]); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + /* Q */ + ret = _gnutls_mpi_dprint(q, params[1]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + goto cleanup; + } + + + /* G */ + ret = _gnutls_mpi_dprint(g, params[2]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + _gnutls_free_datum(q); + goto cleanup; + } + + + /* Y */ + ret = _gnutls_mpi_dprint(y, params[3]); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + _gnutls_free_datum(g); + _gnutls_free_datum(q); + goto cleanup; + } + + ret = 0; + + cleanup: + for (i = 0; i < params_size; i++) { + _gnutls_mpi_release(¶ms[i]); + } + return ret; } diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c index 32f5ea3001..0fbe906c19 100644 --- a/lib/x509/x509_write.c +++ b/lib/x509/x509_write.c @@ -41,7 +41,7 @@ #include <libtasn1.h> #include <gnutls_ui.h> -static void disable_optional_stuff( gnutls_x509_crt cert); +static void disable_optional_stuff(gnutls_x509_crt cert); /** * gnutls_x509_crt_set_dn_by_oid - This function will set the Certificate request subject's distinguished name @@ -63,15 +63,16 @@ static void disable_optional_stuff( gnutls_x509_crt cert); * Returns 0 on success. * **/ -int gnutls_x509_crt_set_dn_by_oid(gnutls_x509_crt crt, const char* oid, - unsigned int raw_flag, const void *name, unsigned int sizeof_name) +int gnutls_x509_crt_set_dn_by_oid(gnutls_x509_crt crt, const char *oid, + unsigned int raw_flag, const void *name, + unsigned int sizeof_name) { - if (sizeof_name == 0 || name == NULL || crt == NULL) { - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_set_dn_oid( crt->cert, "tbsCertificate.subject", oid, - raw_flag, name, sizeof_name); + if (sizeof_name == 0 || name == NULL || crt == NULL) { + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_set_dn_oid(crt->cert, "tbsCertificate.subject", + oid, raw_flag, name, sizeof_name); } /** @@ -97,15 +98,18 @@ int gnutls_x509_crt_set_dn_by_oid(gnutls_x509_crt crt, const char* oid, * Returns 0 on success. * **/ -int gnutls_x509_crt_set_issuer_dn_by_oid(gnutls_x509_crt crt, const char* oid, - unsigned int raw_flag, const void *name, unsigned int sizeof_name) +int gnutls_x509_crt_set_issuer_dn_by_oid(gnutls_x509_crt crt, + const char *oid, + unsigned int raw_flag, + const void *name, + unsigned int sizeof_name) { - if (sizeof_name == 0 || name == NULL || crt == NULL) { - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_set_dn_oid( crt->cert, "tbsCertificate.issuer", oid, - raw_flag, name, sizeof_name); + if (sizeof_name == 0 || name == NULL || crt == NULL) { + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_set_dn_oid(crt->cert, "tbsCertificate.issuer", oid, + raw_flag, name, sizeof_name); } /** @@ -122,23 +126,25 @@ int gnutls_x509_crt_set_issuer_dn_by_oid(gnutls_x509_crt crt, const char* oid, **/ int gnutls_x509_crt_set_version(gnutls_x509_crt crt, unsigned int version) { -int result; -unsigned char null = version; + int result; + unsigned char null = version; - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (null > 0) null--; + if (null > 0) + null--; - result = asn1_write_value( crt->cert, "tbsCertificate.version", &null, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = + asn1_write_value(crt->cert, "tbsCertificate.version", &null, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /** @@ -154,23 +160,25 @@ unsigned char null = version; **/ int gnutls_x509_crt_set_key(gnutls_x509_crt crt, gnutls_x509_privkey key) { -int result; + int result; - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_encode_and_copy_PKI_params( crt->cert, - "tbsCertificate.subjectPublicKeyInfo", key->pk_algorithm, - key->params, key->params_size); + result = _gnutls_x509_encode_and_copy_PKI_params(crt->cert, + "tbsCertificate.subjectPublicKeyInfo", + key->pk_algorithm, + key->params, + key->params_size); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /** @@ -186,31 +194,35 @@ int result; **/ int gnutls_x509_crt_set_crq(gnutls_x509_crt crt, gnutls_x509_crq crq) { -int result; -int pk_algorithm; - - if (crt==NULL || crq == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - pk_algorithm = gnutls_x509_crq_get_pk_algorithm( crq, NULL); - - result = _gnutls_asn1_copy_node( &crt->cert, "tbsCertificate.subject", - crq->crq, "certificationRequestInfo.subject"); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_asn1_copy_node( &crt->cert, "tbsCertificate.subjectPublicKeyInfo", - crq->crq, "certificationRequestInfo.subjectPKInfo"); - if (result < 0) { - gnutls_assert(); - return result; - } - - return 0; + int result; + int pk_algorithm; + + if (crt == NULL || crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + pk_algorithm = gnutls_x509_crq_get_pk_algorithm(crq, NULL); + + result = _gnutls_asn1_copy_node(&crt->cert, "tbsCertificate.subject", + crq->crq, + "certificationRequestInfo.subject"); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_asn1_copy_node(&crt->cert, + "tbsCertificate.subjectPublicKeyInfo", + crq->crq, + "certificationRequestInfo.subjectPKInfo"); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } @@ -226,34 +238,35 @@ int pk_algorithm; **/ int gnutls_x509_crt_set_ca_status(gnutls_x509_crt crt, unsigned int ca) { -int result; -gnutls_datum der_data; + int result; + gnutls_datum der_data; - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_basicConstraints( ca, &der_data); - if (result < 0) { - gnutls_assert(); - return result; - } + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_basicConstraints(ca, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } - result = _gnutls_x509_crt_set_extension( crt, "2.5.29.19", &der_data, 1); + result = + _gnutls_x509_crt_set_extension(crt, "2.5.29.19", &der_data, 1); - _gnutls_free_datum( &der_data); + _gnutls_free_datum(&der_data); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - crt->use_extensions = 1; + crt->use_extensions = 1; - return 0; + return 0; } /** @@ -268,34 +281,35 @@ gnutls_datum der_data; **/ int gnutls_x509_crt_set_key_usage(gnutls_x509_crt crt, unsigned int usage) { -int result; -gnutls_datum der_data; + int result; + gnutls_datum der_data; - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_keyUsage( (uint16)usage, &der_data); - if (result < 0) { - gnutls_assert(); - return result; - } + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_keyUsage((uint16) usage, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } - result = _gnutls_x509_crt_set_extension( crt, "2.5.29.15", &der_data, 1); + result = + _gnutls_x509_crt_set_extension(crt, "2.5.29.15", &der_data, 1); - _gnutls_free_datum( &der_data); + _gnutls_free_datum(&der_data); - if (result < 0) { - gnutls_assert(); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - crt->use_extensions = 1; + crt->use_extensions = 1; - return 0; + return 0; } /** @@ -309,49 +323,57 @@ gnutls_datum der_data; * Returns 0 on success. * **/ -int gnutls_x509_crt_set_subject_alternative_name(gnutls_x509_crt crt, gnutls_x509_subject_alt_name type, - const char* data_string) +int gnutls_x509_crt_set_subject_alternative_name(gnutls_x509_crt crt, + gnutls_x509_subject_alt_name + type, + const char *data_string) { -int result; -gnutls_datum der_data; -gnutls_datum dnsname; -unsigned int critical; - - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = _gnutls_x509_crt_get_extension(crt, "2.5.29.17", 0, &dnsname, &critical); - - if (result >= 0) _gnutls_free_datum( &dnsname); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_subject_alt_name( type, data_string, &der_data); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_crt_set_extension( crt, "2.5.29.17", &der_data, 0); - - _gnutls_free_datum( &der_data); - - if (result < 0) { - gnutls_assert(); - return result; - } - - crt->use_extensions = 1; - - return 0; + int result; + gnutls_datum der_data; + gnutls_datum dnsname; + unsigned int critical; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(crt, "2.5.29.17", 0, &dnsname, + &critical); + + if (result >= 0) + _gnutls_free_datum(&dnsname); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = + _gnutls_x509_ext_gen_subject_alt_name(type, data_string, + &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(crt, "2.5.29.17", &der_data, 0); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + crt->use_extensions = 1; + + return 0; } /** @@ -369,28 +391,28 @@ unsigned int critical; * Returns 0 on success. * **/ -int gnutls_x509_crt_sign(gnutls_x509_crt crt, gnutls_x509_crt issuer, - gnutls_x509_privkey issuer_key) +int gnutls_x509_crt_sign(gnutls_x509_crt crt, gnutls_x509_crt issuer, + gnutls_x509_privkey issuer_key) { -int result; + int result; - if (crt==NULL || issuer == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL || issuer == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* disable all the unneeded OPTIONAL fields. - */ - disable_optional_stuff( crt); + /* disable all the unneeded OPTIONAL fields. + */ + disable_optional_stuff(crt); - result = _gnutls_x509_pkix_sign( crt->cert, "tbsCertificate", issuer, - issuer_key); - if (result < 0) { - gnutls_assert(); - return result; - } - - return 0; + result = _gnutls_x509_pkix_sign(crt->cert, "tbsCertificate", issuer, + issuer_key); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /** @@ -403,14 +425,17 @@ int result; * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_activation_time(gnutls_x509_crt cert, time_t act_time) +int gnutls_x509_crt_set_activation_time(gnutls_x509_crt cert, + time_t act_time) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_set_time( cert->cert, "tbsCertificate.validity.notBefore", act_time); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_set_time(cert->cert, + "tbsCertificate.validity.notBefore", + act_time); } /** @@ -423,13 +448,16 @@ int gnutls_x509_crt_set_activation_time(gnutls_x509_crt cert, time_t act_time) * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_expiration_time(gnutls_x509_crt cert, time_t exp_time) +int gnutls_x509_crt_set_expiration_time(gnutls_x509_crt cert, + time_t exp_time) { - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - return _gnutls_x509_set_time( cert->cert, "tbsCertificate.validity.notAfter", exp_time); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + return _gnutls_x509_set_time(cert->cert, + "tbsCertificate.validity.notAfter", + exp_time); } /** @@ -446,42 +474,45 @@ int gnutls_x509_crt_set_expiration_time(gnutls_x509_crt cert, time_t exp_time) * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_serial(gnutls_x509_crt cert, const void* serial, - size_t serial_size) +int gnutls_x509_crt_set_serial(gnutls_x509_crt cert, const void *serial, + size_t serial_size) { - int ret; + int ret; - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = asn1_write_value(cert->cert, "tbsCertificate.serialNumber", serial, serial_size); - if (ret != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(ret); - } + ret = + asn1_write_value(cert->cert, "tbsCertificate.serialNumber", serial, + serial_size); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } - return 0; + return 0; } /* If OPTIONAL fields have not been initialized then * disable them. */ -static void disable_optional_stuff( gnutls_x509_crt cert) +static void disable_optional_stuff(gnutls_x509_crt cert) { - asn1_write_value( cert->cert, "tbsCertificate.issuerUniqueID", NULL, 0); + asn1_write_value(cert->cert, "tbsCertificate.issuerUniqueID", NULL, 0); - asn1_write_value( cert->cert, "tbsCertificate.subjectUniqueID", NULL, 0); + asn1_write_value(cert->cert, "tbsCertificate.subjectUniqueID", NULL, + 0); - if (cert->use_extensions == 0) { - _gnutls_x509_log( "Disabling X.509 extensions.\n"); - asn1_write_value( cert->cert, "tbsCertificate.extensions", NULL, 0); - } + if (cert->use_extensions == 0) { + _gnutls_x509_log("Disabling X.509 extensions.\n"); + asn1_write_value(cert->cert, "tbsCertificate.extensions", NULL, 0); + } - return; + return; } /** @@ -496,49 +527,57 @@ static void disable_optional_stuff( gnutls_x509_crt cert) * Returns 0 on success. * **/ -int gnutls_x509_crt_set_crl_dist_points(gnutls_x509_crt crt, gnutls_x509_subject_alt_name type, - const void* data_string, unsigned int reason_flags) +int gnutls_x509_crt_set_crl_dist_points(gnutls_x509_crt crt, + gnutls_x509_subject_alt_name type, + const void *data_string, + unsigned int reason_flags) { -int result; -gnutls_datum der_data; -gnutls_datum oldname; -unsigned int critical; - - if (crt==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = _gnutls_x509_crt_get_extension(crt, "2.5.29.31", 0, &oldname, &critical); - - if (result >= 0) _gnutls_free_datum( &oldname); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_crl_dist_points( type, data_string, reason_flags, &der_data); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_crt_set_extension( crt, "2.5.29.31", &der_data, 0); - - _gnutls_free_datum( &der_data); - - if (result < 0) { - gnutls_assert(); - return result; - } - - crt->use_extensions = 1; - - return 0; + int result; + gnutls_datum der_data; + gnutls_datum oldname; + unsigned int critical; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(crt, "2.5.29.31", 0, &oldname, + &critical); + + if (result >= 0) + _gnutls_free_datum(&oldname); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = + _gnutls_x509_ext_gen_crl_dist_points(type, data_string, + reason_flags, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(crt, "2.5.29.31", &der_data, 0); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + crt->use_extensions = 1; + + return 0; } /** @@ -553,37 +592,41 @@ unsigned int critical; * Returns 0 on success. * **/ -int gnutls_x509_crt_cpy_crl_dist_points(gnutls_x509_crt dst, - gnutls_x509_crt src) +int gnutls_x509_crt_cpy_crl_dist_points(gnutls_x509_crt dst, + gnutls_x509_crt src) { -int result; -gnutls_datum der_data; -unsigned int critical; - - if (dst==NULL || src == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = _gnutls_x509_crt_get_extension(src, "2.5.29.31", 0, &der_data, &critical); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_crt_set_extension( dst, "2.5.29.31", &der_data, critical); - _gnutls_free_datum( &der_data); - - if (result < 0) { - gnutls_assert(); - return result; - } - - dst->use_extensions = 1; - - return 0; + int result; + gnutls_datum der_data; + unsigned int critical; + + if (dst == NULL || src == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(src, "2.5.29.31", 0, &der_data, + &critical); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(dst, "2.5.29.31", &der_data, + critical); + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + dst->use_extensions = 1; + + return 0; } /** @@ -597,48 +640,52 @@ unsigned int critical; * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_subject_key_id(gnutls_x509_crt cert, const void* id, - size_t id_size) +int gnutls_x509_crt_set_subject_key_id(gnutls_x509_crt cert, + const void *id, size_t id_size) { - int result; - gnutls_datum old_id, der_data; - unsigned int critical; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = _gnutls_x509_crt_get_extension(cert, "2.5.29.14", 0, &old_id, &critical); - - if (result >= 0) _gnutls_free_datum( &old_id); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_key_id( id, id_size, &der_data); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_crt_set_extension( cert, "2.5.29.14", &der_data, 0); - - _gnutls_free_datum( &der_data); - - if (result < 0) { - gnutls_assert(); - return result; - } - - cert->use_extensions = 1; - - return 0; + int result; + gnutls_datum old_id, der_data; + unsigned int critical; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.14", 0, &old_id, + &critical); + + if (result >= 0) + _gnutls_free_datum(&old_id); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_key_id(id, id_size, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(cert, "2.5.29.14", &der_data, 0); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + cert->use_extensions = 1; + + return 0; } /** @@ -653,48 +700,52 @@ int gnutls_x509_crt_set_subject_key_id(gnutls_x509_crt cert, const void* id, * Returns 0 on success, or a negative value in case of an error. * **/ -int gnutls_x509_crt_set_authority_key_id(gnutls_x509_crt cert, const void* id, - size_t id_size) +int gnutls_x509_crt_set_authority_key_id(gnutls_x509_crt cert, + const void *id, size_t id_size) { - int result; - gnutls_datum old_id, der_data; - unsigned int critical; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = _gnutls_x509_crt_get_extension(cert, "2.5.29.35", 0, &old_id, &critical); - - if (result >= 0) _gnutls_free_datum( &old_id); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_auth_key_id( id, id_size, &der_data); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = _gnutls_x509_crt_set_extension( cert, "2.5.29.35", &der_data, 0); - - _gnutls_free_datum( &der_data); - - if (result < 0) { - gnutls_assert(); - return result; - } - - cert->use_extensions = 1; - - return 0; + int result; + gnutls_datum old_id, der_data; + unsigned int critical; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.35", 0, &old_id, + &critical); + + if (result >= 0) + _gnutls_free_datum(&old_id); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_auth_key_id(id, id_size, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(cert, "2.5.29.35", &der_data, 0); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + cert->use_extensions = 1; + + return 0; } /** @@ -712,85 +763,88 @@ int gnutls_x509_crt_set_authority_key_id(gnutls_x509_crt cert, const void* id, * On success 0 is returned. * **/ -int gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt cert, - const void *oid, unsigned int critical) +int gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt cert, + const void *oid, + unsigned int critical) { - int result; - gnutls_datum old_id, der_data; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert==NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - result=asn1_create_element - (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* Check if the extension already exists. + int result; + gnutls_datum old_id, der_data; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.37", 0, &old_id, + NULL); + + if (result >= 0) { + /* decode it. */ - result = _gnutls_x509_crt_get_extension(cert, "2.5.29.37", 0, &old_id, NULL); - - if (result >= 0) { - /* decode it. - */ - result = asn1_der_decoding(&c2, old_id.data, old_id.size, NULL); - _gnutls_free_datum( &old_id); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } - - } + result = asn1_der_decoding(&c2, old_id.data, old_id.size, NULL); + _gnutls_free_datum(&old_id); - /* generate the extension. - */ - /* 1. create a new element. - */ - result = asn1_write_value( c2, "", "NEW", 1); if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); } - /* 2. Add the OID. - */ - result = asn1_write_value(c2, "?LAST", oid, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - asn1_delete_structure(&c2); - return _gnutls_asn2err(result); - } + } - result = _gnutls_x509_der_encode( c2, "", &der_data, 0); + /* generate the extension. + */ + /* 1. create a new element. + */ + result = asn1_write_value(c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + /* 2. Add the OID. + */ + result = asn1_write_value(c2, "?LAST", oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + result = _gnutls_x509_der_encode(c2, "", &der_data, 0); + asn1_delete_structure(&c2); - result = _gnutls_x509_crt_set_extension( cert, "2.5.29.37", - &der_data, critical); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - _gnutls_free_datum( &der_data); + result = _gnutls_x509_crt_set_extension(cert, "2.5.29.37", + &der_data, critical); - if (result < 0) { - gnutls_assert(); - return result; - } + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } - cert->use_extensions = 1; + cert->use_extensions = 1; - return 0; + return 0; } -#endif /* ENABLE_PKI */ +#endif /* ENABLE_PKI */ diff --git a/lib/x509/xml.c b/lib/x509/xml.c index 4cac03abe4..e5b1350f34 100644 --- a/lib/x509/xml.c +++ b/lib/x509/xml.c @@ -33,10 +33,10 @@ #include <structure.h> #include <parser_aux.h> #include <der.h> -#define LIBASN1_H /* we use this since this file uses - * libtasn1 internals, and we don't want the - * exported API. - */ +#define LIBASN1_H /* we use this since this file uses + * libtasn1 internals, and we don't want the + * exported API. + */ #include <gnutls_int.h> #include <gnutls_datum.h> #include <gnutls_global.h> @@ -46,58 +46,58 @@ #include <x509.h> #include <common.h> -const char* asn1_find_structure_from_oid(ASN1_TYPE definitions, - const char *oidValue); +const char *asn1_find_structure_from_oid(ASN1_TYPE definitions, + const char *oidValue); -static int _gnutls_x509_expand_extensions(ASN1_TYPE* rasn); +static int _gnutls_x509_expand_extensions(ASN1_TYPE * rasn); static const void *find_default_value(ASN1_TYPE x) { - ASN1_TYPE p = x; - - if (x->value == NULL && x->type & CONST_DEFAULT) { - if (x->down) { - x = x->down; - do { - if (type_field(x->type) == TYPE_DEFAULT) { - if (type_field(p->type) == - TYPE_BOOLEAN) { - if (x->type & CONST_TRUE) - return "TRUE"; - else - return "FALSE"; - } else - return x->value; - } - x = x->right; - } while (x != NULL); - + ASN1_TYPE p = x; + + if (x->value == NULL && x->type & CONST_DEFAULT) { + if (x->down) { + x = x->down; + do { + if (type_field(x->type) == TYPE_DEFAULT) { + if (type_field(p->type) == TYPE_BOOLEAN) { + if (x->type & CONST_TRUE) + return "TRUE"; + else + return "FALSE"; + } else + return x->value; } + x = x->right; + } while (x != NULL); + } - return NULL; + } + return NULL; } static int is_node_printable(ASN1_TYPE x) { - switch (type_field(x->type)) { - case TYPE_TAG: - case TYPE_SIZE: - case TYPE_DEFAULT: + switch (type_field(x->type)) { + case TYPE_TAG: + case TYPE_SIZE: + case TYPE_DEFAULT: + return 0; + case TYPE_CONSTANT:{ + ASN1_TYPE up = _asn1_find_up(x); + + if (up != NULL && type_field(up->type) != TYPE_ANY && + up->value != NULL) return 0; - case TYPE_CONSTANT: { - ASN1_TYPE up = _asn1_find_up( x); - - if (up!=NULL && type_field(up->type)!= TYPE_ANY && - up->value!=NULL) return 0; - } - return 1; } - if (x->name == NULL && _asn1_find_up( x) != NULL) - return 0; - if (x->value == NULL && x->down == NULL) - return 0; return 1; + } + if (x->name == NULL && _asn1_find_up(x) != NULL) + return 0; + if (x->value == NULL && x->down == NULL) + return 0; + return 1; } /* returns true if the node is the only one printable in @@ -105,24 +105,24 @@ static int is_node_printable(ASN1_TYPE x) */ static int is_leaf(ASN1_TYPE p) { - ASN1_TYPE x; + ASN1_TYPE x; - if (p == NULL) - return 1; - if (p->down == NULL) - return 1; + if (p == NULL) + return 1; + if (p->down == NULL) + return 1; - x = p->down; + x = p->down; - while (x != NULL) { - if (is_node_printable(x)) - return 0; - if (is_leaf(x) == 0) - return 0; - x = x->right; - } + while (x != NULL) { + if (is_node_printable(x)) + return 0; + if (is_leaf(x) == 0) + return 0; + x = x->right; + } - return 1; + return 1; } @@ -141,52 +141,57 @@ static int is_leaf(ASN1_TYPE p) #define ROOT "certificate" /* This function removes the '?' character from ASN.1 names */ -static int normalize_name( ASN1_TYPE p, char* output, int output_size) +static int normalize_name(ASN1_TYPE p, char *output, int output_size) { -const char* name; - - if (output_size > 0) - output[0] = 0; - else return GNUTLS_E_INTERNAL_ERROR; - - if (p==NULL) return GNUTLS_E_INTERNAL_ERROR; - - name = p->name; - if (name == NULL) name = ROOT; - - if ( type_field(p->type)==TYPE_CONSTANT) { - ASN1_TYPE up = _asn1_find_up(p); - const char * tmp; - - if ( up && type_field(up->type)==TYPE_ANY && - up->left && up->left->value && - up->type & CONST_DEFINED_BY && - type_field(up->left->type)==TYPE_OBJECT_ID) { - - tmp = asn1_find_structure_from_oid( _gnutls_get_pkix(), up->left->value); - if ( tmp != NULL) - _gnutls_str_cpy( output, output_size, tmp); - else { - _gnutls_str_cpy( output, output_size, "DEFINED_BY_"); - _gnutls_str_cat( output, output_size, name); - } - } else { - _gnutls_str_cpy( output, output_size, "DEFINED_BY_"); - _gnutls_str_cat( output, output_size, name); - } - - - return 0; - } - - if ( name[0]=='?') { - _gnutls_str_cpy( output, output_size, UNNAMED); - if (strlen(name) > 1) - _gnutls_str_cat( output, output_size, &name[1]); + const char *name; + + if (output_size > 0) + output[0] = 0; + else + return GNUTLS_E_INTERNAL_ERROR; + + if (p == NULL) + return GNUTLS_E_INTERNAL_ERROR; + + name = p->name; + if (name == NULL) + name = ROOT; + + if (type_field(p->type) == TYPE_CONSTANT) { + ASN1_TYPE up = _asn1_find_up(p); + const char *tmp; + + if (up && type_field(up->type) == TYPE_ANY && + up->left && up->left->value && + up->type & CONST_DEFINED_BY && + type_field(up->left->type) == TYPE_OBJECT_ID) { + + tmp = + asn1_find_structure_from_oid(_gnutls_get_pkix(), + up->left->value); + if (tmp != NULL) + _gnutls_str_cpy(output, output_size, tmp); + else { + _gnutls_str_cpy(output, output_size, "DEFINED_BY_"); + _gnutls_str_cat(output, output_size, name); + } } else { - _gnutls_str_cpy( output, output_size, name); + _gnutls_str_cpy(output, output_size, "DEFINED_BY_"); + _gnutls_str_cat(output, output_size, name); } + + return 0; + } + + if (name[0] == '?') { + _gnutls_str_cpy(output, output_size, UNNAMED); + if (strlen(name) > 1) + _gnutls_str_cat(output, output_size, &name[1]); + } else { + _gnutls_str_cpy(output, output_size, name); + } + return 0; } #define XML_HEADER "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n" \ @@ -195,406 +200,388 @@ const char* name; #define XML_FOOTER "</gnutls:x509:certificate>\n" static int -_gnutls_asn1_get_structure_xml(ASN1_TYPE structure, - gnutls_datum * res, int detail) +_gnutls_asn1_get_structure_xml(ASN1_TYPE structure, + gnutls_datum * res, int detail) { - node_asn *p, *root; - int k, indent = 0, len, len2, len3; - opaque tmp[1024]; - char nname[256]; - int ret; - gnutls_string str; - - if (res == NULL || structure == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + node_asn *p, *root; + int k, indent = 0, len, len2, len3; + opaque tmp[1024]; + char nname[256]; + int ret; + gnutls_string str; + + if (res == NULL || structure == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + _gnutls_string_init(&str, malloc, realloc, free); + + STR_APPEND(XML_HEADER); + indent = 1; + + root = _asn1_find_node(structure, ""); + + if (root == NULL) { + gnutls_assert(); + _gnutls_string_clear(&str); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (detail == GNUTLS_XML_SHOW_ALL) + ret = asn1_expand_any_defined_by(_gnutls_get_pkix(), &structure); + /* we don't need to check the error value + * here. + */ + + if (detail == GNUTLS_XML_SHOW_ALL) { + ret = _gnutls_x509_expand_extensions(&structure); + if (ret < 0) { + gnutls_assert(); + return ret; } - - _gnutls_string_init( &str, malloc, realloc, free); + } - STR_APPEND(XML_HEADER); - indent = 1; + p = root; + while (p) { + if (is_node_printable(p)) { + for (k = 0; k < indent; k++) + APPEND(" ", 1); - root = _asn1_find_node(structure, ""); - - if (root == NULL) { + if ((ret = normalize_name(p, nname, sizeof(nname))) < 0) { + _gnutls_string_clear(&str); gnutls_assert(); - _gnutls_string_clear( &str); - return GNUTLS_E_INTERNAL_ERROR; - } + return ret; + } - if (detail == GNUTLS_XML_SHOW_ALL) - ret = asn1_expand_any_defined_by( _gnutls_get_pkix(), - &structure); - /* we don't need to check the error value - * here. - */ - - if (detail == GNUTLS_XML_SHOW_ALL) { - ret = _gnutls_x509_expand_extensions( &structure); - if (ret < 0) { - gnutls_assert(); - return ret; - } + APPEND("<", 1); + STR_APPEND(nname); } - p = root; - while (p) { - if (is_node_printable(p)) { - for (k = 0; k < indent; k++) - APPEND(" ", 1); + if (is_node_printable(p)) { + switch (type_field(p->type)) { + case TYPE_DEFAULT: + STR_APPEND(" type=\"DEFAULT\""); + break; + case TYPE_NULL: + STR_APPEND(" type=\"NULL\""); + break; + case TYPE_IDENTIFIER: + STR_APPEND(" type=\"IDENTIFIER\""); + break; + case TYPE_INTEGER: + STR_APPEND(" type=\"INTEGER\""); + STR_APPEND(" encoding=\"HEX\""); + break; + case TYPE_ENUMERATED: + STR_APPEND(" type=\"ENUMERATED\""); + STR_APPEND(" encoding=\"HEX\""); + break; + case TYPE_TIME: + STR_APPEND(" type=\"TIME\""); + break; + case TYPE_BOOLEAN: + STR_APPEND(" type=\"BOOLEAN\""); + break; + case TYPE_SEQUENCE: + STR_APPEND(" type=\"SEQUENCE\""); + break; + case TYPE_BIT_STRING: + STR_APPEND(" type=\"BIT STRING\""); + STR_APPEND(" encoding=\"HEX\""); + break; + case TYPE_OCTET_STRING: + STR_APPEND(" type=\"OCTET STRING\""); + STR_APPEND(" encoding=\"HEX\""); + break; + case TYPE_SEQUENCE_OF: + STR_APPEND(" type=\"SEQUENCE OF\""); + break; + case TYPE_OBJECT_ID: + STR_APPEND(" type=\"OBJECT ID\""); + break; + case TYPE_ANY: + STR_APPEND(" type=\"ANY\""); + if (!p->down) + STR_APPEND(" encoding=\"HEX\""); + break; + case TYPE_CONSTANT:{ + ASN1_TYPE up = _asn1_find_up(p); + + if (up && type_field(up->type) == TYPE_ANY && + up->left && up->left->value && + up->type & CONST_DEFINED_BY && + type_field(up->left->type) == TYPE_OBJECT_ID) { - if ((ret=normalize_name( p, nname, sizeof(nname))) < 0) { - _gnutls_string_clear( &str); - gnutls_assert(); - return ret; + if (_gnutls_x509_oid_data_printable + (up->left->value) == 0) { + STR_APPEND(" encoding=\"HEX\""); } - APPEND("<", 1); - STR_APPEND(nname); + } } + break; + case TYPE_SET: + STR_APPEND(" type=\"SET\""); + break; + case TYPE_SET_OF: + STR_APPEND(" type=\"SET OF\""); + break; + case TYPE_CHOICE: + STR_APPEND(" type=\"CHOICE\""); + break; + case TYPE_DEFINITIONS: + STR_APPEND(" type=\"DEFINITIONS\""); + break; + default: + break; + } + } - if (is_node_printable(p)) { - switch (type_field(p->type)) { - case TYPE_DEFAULT: - STR_APPEND(" type=\"DEFAULT\""); - break; - case TYPE_NULL: - STR_APPEND(" type=\"NULL\""); - break; - case TYPE_IDENTIFIER: - STR_APPEND(" type=\"IDENTIFIER\""); - break; - case TYPE_INTEGER: - STR_APPEND(" type=\"INTEGER\""); - STR_APPEND(" encoding=\"HEX\""); - break; - case TYPE_ENUMERATED: - STR_APPEND(" type=\"ENUMERATED\""); - STR_APPEND(" encoding=\"HEX\""); - break; - case TYPE_TIME: - STR_APPEND(" type=\"TIME\""); - break; - case TYPE_BOOLEAN: - STR_APPEND(" type=\"BOOLEAN\""); - break; - case TYPE_SEQUENCE: - STR_APPEND(" type=\"SEQUENCE\""); - break; - case TYPE_BIT_STRING: - STR_APPEND(" type=\"BIT STRING\""); - STR_APPEND(" encoding=\"HEX\""); - break; - case TYPE_OCTET_STRING: - STR_APPEND(" type=\"OCTET STRING\""); - STR_APPEND(" encoding=\"HEX\""); - break; - case TYPE_SEQUENCE_OF: - STR_APPEND(" type=\"SEQUENCE OF\""); - break; - case TYPE_OBJECT_ID: - STR_APPEND(" type=\"OBJECT ID\""); - break; - case TYPE_ANY: - STR_APPEND(" type=\"ANY\""); - if (!p->down) STR_APPEND(" encoding=\"HEX\""); - break; - case TYPE_CONSTANT: { - ASN1_TYPE up = _asn1_find_up(p); - - if ( up && type_field(up->type)==TYPE_ANY && - up->left && up->left->value && - up->type & CONST_DEFINED_BY && - type_field(up->left->type)==TYPE_OBJECT_ID) { - - if (_gnutls_x509_oid_data_printable( up->left->value)==0) { - STR_APPEND(" encoding=\"HEX\""); - } - - } - } - break; - case TYPE_SET: - STR_APPEND(" type=\"SET\""); - break; - case TYPE_SET_OF: - STR_APPEND(" type=\"SET OF\""); - break; - case TYPE_CHOICE: - STR_APPEND(" type=\"CHOICE\""); - break; - case TYPE_DEFINITIONS: - STR_APPEND(" type=\"DEFINITIONS\""); - break; - default: - break; - } - } + if (p->type == TYPE_BIT_STRING) { + len2 = -1; + len = _asn1_get_length_der(p->value, &len2); + snprintf(tmp, sizeof(tmp), " length=\"%i\"", + (len - 1) * 8 - (p->value[len2])); + STR_APPEND(tmp); + } - if (p->type == TYPE_BIT_STRING) { - len2 = -1; - len = _asn1_get_length_der(p->value, &len2); - snprintf(tmp, sizeof(tmp), " length=\"%i\"", - (len - 1) * 8 - (p->value[len2])); + if (is_node_printable(p)) + STR_APPEND(">"); + + if (is_node_printable(p)) { + const unsigned char *value; + + if (p->value == NULL) + value = find_default_value(p); + else + value = p->value; + + switch (type_field(p->type)) { + + case TYPE_DEFAULT: + if (value) + STR_APPEND(value); + break; + case TYPE_IDENTIFIER: + if (value) + STR_APPEND(value); + break; + case TYPE_INTEGER: + if (value) { + len2 = -1; + len = _asn1_get_length_der(value, &len2); + + for (k = 0; k < len; k++) { + snprintf(tmp, sizeof(tmp), + "%02X", (value)[k + len2]); STR_APPEND(tmp); - } + } - if (is_node_printable(p)) - STR_APPEND( ">"); + } + break; + case TYPE_ENUMERATED: + if (value) { + len2 = -1; + len = _asn1_get_length_der(value, &len2); + + for (k = 0; k < len; k++) { + snprintf(tmp, sizeof(tmp), + "%02X", (value)[k + len2]); + STR_APPEND(tmp); + } + } + break; + case TYPE_TIME: + if (value) + STR_APPEND(value); + break; + case TYPE_BOOLEAN: + if (value) { + if (value[0] == 'T') { + STR_APPEND("TRUE"); + } else if (value[0] == 'F') { + STR_APPEND("FALSE"); + } + } + break; + case TYPE_BIT_STRING: + if (value) { + len2 = -1; + len = _asn1_get_length_der(value, &len2); + + for (k = 1; k < len; k++) { + snprintf(tmp, sizeof(tmp), + "%02X", (value)[k + len2]); + STR_APPEND(tmp); + } + } + break; + case TYPE_OCTET_STRING: + if (value) { + len2 = -1; + len = _asn1_get_length_der(value, &len2); + for (k = 0; k < len; k++) { + snprintf(tmp, sizeof(tmp), + "%02X", (value)[k + len2]); + STR_APPEND(tmp); + } + } + break; + case TYPE_OBJECT_ID: + if (value) + STR_APPEND(value); + break; + case TYPE_ANY: + if (!p->down) { + if (value) { + len3 = -1; + len2 = _asn1_get_length_der(value, &len3); + for (k = 0; k < len2; k++) { + snprintf(tmp, sizeof(tmp), + "%02X", (value)[k + len3]); + STR_APPEND(tmp); + } + } + } + break; + case TYPE_CONSTANT:{ + ASN1_TYPE up = _asn1_find_up(p); - if (is_node_printable(p)) { - const unsigned char *value; + if (up && type_field(up->type) == TYPE_ANY && + up->left && up->left->value && + up->type & CONST_DEFINED_BY && + type_field(up->left->type) == TYPE_OBJECT_ID) { + + len2 = _asn1_get_length_der(up->value, &len3); + + if (len2 > 0 && strcmp(p->name, "type") == 0) { + int len = sizeof(tmp); + ret = + _gnutls_x509_oid_data2string(up->left-> + value, + up->value + + len3, len2, + tmp, &len); + + if (ret >= 0) { + STR_APPEND(tmp); + } + } else { + for (k = 0; k < len2; k++) { + snprintf(tmp, sizeof(tmp), + "%02X", (up->value)[k + len3]); + STR_APPEND(tmp); + } - if (p->value == NULL) - value = find_default_value(p); - else - value = p->value; - - switch (type_field(p->type)) { - - case TYPE_DEFAULT: - if (value) - STR_APPEND(value); - break; - case TYPE_IDENTIFIER: - if (value) - STR_APPEND(value); - break; - case TYPE_INTEGER: - if (value) { - len2 = -1; - len = - _asn1_get_length_der(value, - &len2); - - for (k = 0; k < len; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", - (value)[k + - len2]); - STR_APPEND(tmp); - } - - } - break; - case TYPE_ENUMERATED: - if (value) { - len2 = -1; - len = - _asn1_get_length_der(value, - &len2); - - for (k = 0; k < len; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", - (value)[k + - len2]); - STR_APPEND(tmp); - } - } - break; - case TYPE_TIME: - if (value) - STR_APPEND(value); - break; - case TYPE_BOOLEAN: - if (value) { - if (value[0] == 'T') { - STR_APPEND("TRUE"); - } else if (value[0] == 'F') { - STR_APPEND("FALSE"); - } - } - break; - case TYPE_BIT_STRING: - if (value) { - len2 = -1; - len = - _asn1_get_length_der(value, - &len2); - - for (k = 1; k < len; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", - (value)[k + - len2]); - STR_APPEND(tmp); - } - } - break; - case TYPE_OCTET_STRING: - if (value) { - len2 = -1; - len = - _asn1_get_length_der(value, - &len2); - for (k = 0; k < len; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", - (value)[k + - len2]); - STR_APPEND(tmp); - } - } - break; - case TYPE_OBJECT_ID: - if (value) - STR_APPEND(value); - break; - case TYPE_ANY: - if (!p->down) { - if (value) { - len3 = -1; - len2 = - _asn1_get_length_der(value, - &len3); - for (k = 0; k < len2; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", - (value)[k + - len3]); - STR_APPEND(tmp); - } - } - } - break; - case TYPE_CONSTANT: { - ASN1_TYPE up = _asn1_find_up(p); - - if ( up && type_field(up->type)==TYPE_ANY && - up->left && up->left->value && - up->type & CONST_DEFINED_BY && - type_field(up->left->type)==TYPE_OBJECT_ID) { - - len2 = - _asn1_get_length_der(up->value, - &len3); - - if (len2 > 0 && strcmp( p->name, "type")==0) { - int len = sizeof(tmp); - ret = _gnutls_x509_oid_data2string( up->left->value, up->value+len3, len2, tmp, &len); - - if (ret >= 0) { - STR_APPEND( tmp); - } - } else { - for (k = 0; k < len2; k++) { - snprintf(tmp, sizeof(tmp), - "%02X", - (up->value)[k + - len3]); - STR_APPEND(tmp); - } - - } - } else { - if (value) - STR_APPEND(value); - } - - } - break; - case TYPE_SET: - case TYPE_SET_OF: - case TYPE_CHOICE: - case TYPE_DEFINITIONS: - case TYPE_SEQUENCE_OF: - case TYPE_SEQUENCE: - case TYPE_NULL: - break; - default: - break; } + } else { + if (value) + STR_APPEND(value); + } + } + break; + case TYPE_SET: + case TYPE_SET_OF: + case TYPE_CHOICE: + case TYPE_DEFINITIONS: + case TYPE_SEQUENCE_OF: + case TYPE_SEQUENCE: + case TYPE_NULL: + break; + default: + break; + } + } - if (p->down && is_node_printable(p)) { - ASN1_TYPE x; - p = p->down; - indent += 2; - x = p; - do { - if (is_node_printable(x)) { - STR_APPEND("\n"); - break; - } - x = x->right; - } while (x != NULL); - } else if (p == root) { - if (is_node_printable(p)) { - if ((ret=normalize_name( p, nname, sizeof(nname))) < 0) { - _gnutls_string_clear( &str); - gnutls_assert(); - return ret; - } - - APPEND("</", 2); - STR_APPEND(nname); - APPEND(">\n", 2); + if (p->down && is_node_printable(p)) { + ASN1_TYPE x; + p = p->down; + indent += 2; + x = p; + do { + if (is_node_printable(x)) { + STR_APPEND("\n"); + break; + } + x = x->right; + } while (x != NULL); + } else if (p == root) { + if (is_node_printable(p)) { + if ((ret = normalize_name(p, nname, sizeof(nname))) < 0) { + _gnutls_string_clear(&str); + gnutls_assert(); + return ret; + } + + APPEND("</", 2); + STR_APPEND(nname); + APPEND(">\n", 2); + } + p = NULL; + break; + } else { + if (is_node_printable(p)) { + if ((ret = normalize_name(p, nname, sizeof(nname))) < 0) { + _gnutls_string_clear(&str); + gnutls_assert(); + return ret; + } + + APPEND("</", 2); + STR_APPEND(nname); + APPEND(">\n", 2); + } + if (p->right) + p = p->right; + else { + while (1) { + ASN1_TYPE old_p; + + old_p = p; + + p = _asn1_find_up(p); + indent -= 2; + if (is_node_printable(p)) { + if (!is_leaf(p)) /* XXX */ + for (k = 0; k < indent; k++) + STR_APPEND(" "); + + if ((ret = + normalize_name(p, nname, + sizeof(nname))) < 0) { + _gnutls_string_clear(&str); + gnutls_assert(); + return ret; } + + APPEND("</", 2); + STR_APPEND(nname); + APPEND(">\n", 2); + } + if (p == root) { p = NULL; break; - } else { - if (is_node_printable(p)) { - if ((ret=normalize_name( p, nname, sizeof(nname))) < 0) { - _gnutls_string_clear( &str); - gnutls_assert(); - return ret; - } - - APPEND("</", 2); - STR_APPEND(nname); - APPEND(">\n", 2); - } - if (p->right) - p = p->right; - else { - while (1) { - ASN1_TYPE old_p; - - old_p = p; - - p = _asn1_find_up(p); - indent -= 2; - if (is_node_printable(p)) { - if (!is_leaf(p)) /* XXX */ - for (k = 0; - k < indent; - k++) - STR_APPEND(" "); - - if ((ret=normalize_name( p, nname, sizeof(nname))) < 0) { - _gnutls_string_clear( &str); - gnutls_assert(); - return ret; - } - - APPEND("</", 2); - STR_APPEND(nname); - APPEND(">\n", 2); - } - if (p == root) { - p = NULL; - break; - } - - if (p->right) { - p = p->right; - break; - } - } - } + } + + if (p->right) { + p = p->right; + break; + } } + } } - - STR_APPEND(XML_FOOTER); - APPEND( "\n\0", 2); + } - *res = _gnutls_string2datum( &str); - res->size -= 1; /* null is not included in size */ - - return 0; + STR_APPEND(XML_FOOTER); + APPEND("\n\0", 2); + + *res = _gnutls_string2datum(&str); + res->size -= 1; /* null is not included in size */ + + return 0; } /** @@ -608,20 +595,21 @@ _gnutls_asn1_get_structure_xml(ASN1_TYPE structure, * Returns a negative error code in case of an error. * **/ -int gnutls_x509_crt_to_xml(gnutls_x509_crt cert, gnutls_datum* res, int detail) +int gnutls_x509_crt_to_xml(gnutls_x509_crt cert, gnutls_datum * res, + int detail) { - int result; + int result; - res->data = NULL; - res->size = 0; - - result = _gnutls_asn1_get_structure_xml( cert->cert, res, detail); - if (result < 0) { - gnutls_assert(); - return result; - } + res->data = NULL; + res->size = 0; - return 0; + result = _gnutls_asn1_get_structure_xml(cert->cert, res, detail); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /* This function will attempt to parse Extensions in @@ -630,45 +618,45 @@ int gnutls_x509_crt_to_xml(gnutls_x509_crt cert, gnutls_datum* res, int detail) * If no_critical_ext is non zero, then unsupported critical extensions * do not lead into a fatal error. */ -static int _gnutls_x509_expand_extensions(ASN1_TYPE* rasn) +static int _gnutls_x509_expand_extensions(ASN1_TYPE * rasn) { - int k, result, len; - char name[128], name2[128], counter[MAX_INT_DIGITS]; - char name1[128]; - char extnID[128]; + int k, result, len; + char name[128], name2[128], counter[MAX_INT_DIGITS]; + char name1[128]; + char extnID[128]; - k = 0; - do { - k++; + k = 0; + do { + k++; - _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); - _gnutls_int2str(k, counter); - _gnutls_str_cat(name, sizeof(name), counter); + _gnutls_str_cpy(name, sizeof(name), "tbsCertificate.extensions.?"); + _gnutls_int2str(k, counter); + _gnutls_str_cat(name, sizeof(name), counter); - _gnutls_str_cpy(name2, sizeof(name2), name); - _gnutls_str_cat(name2, sizeof(name2), ".extnID"); + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnID"); - _gnutls_str_cpy(name1, sizeof(name1), name); - _gnutls_str_cat(name1, sizeof(name1), ".extnValue"); + _gnutls_str_cpy(name1, sizeof(name1), name); + _gnutls_str_cat(name1, sizeof(name1), ".extnValue"); - len = sizeof(extnID) - 1; + len = sizeof(extnID) - 1; - result = asn1_expand_octet_string( _gnutls_get_pkix(), - rasn, name1, name2); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - } while (1); + result = asn1_expand_octet_string(_gnutls_get_pkix(), + rasn, name1, name2); if (result == ASN1_ELEMENT_NOT_FOUND) - return 0; - else - return _gnutls_asn2err(result); + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + } while (1); + + if (result == ASN1_ELEMENT_NOT_FOUND) + return 0; + else + return _gnutls_asn2err(result); } #endif diff --git a/lib/x509_b64.c b/lib/x509_b64.c index 234ca13c1a..dcdb9dbade 100644 --- a/lib/x509_b64.c +++ b/lib/x509_b64.c @@ -32,71 +32,69 @@ static const uint8 b64table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; static const uint8 asciitable[128] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0x3e, 0xff, 0xff, 0xff, 0x3f, - 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, - 0x3a, 0x3b, 0x3c, 0x3d, 0xff, 0xff, - 0xff, 0xf1, 0xff, 0xff, 0xff, 0x00, /* 0xf1 for '=' */ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, - 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, - 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, - 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, - 0x19, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, - 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, - 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, - 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, - 0x31, 0x32, 0x33, 0xff, 0xff, 0xff, - 0xff, 0xff + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0x3e, 0xff, 0xff, 0xff, 0x3f, + 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, + 0x3a, 0x3b, 0x3c, 0x3d, 0xff, 0xff, + 0xff, 0xf1, 0xff, 0xff, 0xff, 0x00, /* 0xf1 for '=' */ + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, + 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, + 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, + 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, + 0x19, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, + 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, + 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, + 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, + 0x31, 0x32, 0x33, 0xff, 0xff, 0xff, + 0xff, 0xff }; -inline static int encode(char * result, const uint8 * data, int left) +inline static int encode(char *result, const uint8 * data, int left) { - int data_len; - - if (left > 3) - data_len = 3; - else - data_len = left; - - switch (data_len) { - case 3: - result[0] = b64table[(data[0] >> 2)]; - result[1] = - b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | - (data[1] >> 4))]; - result[2] = - b64table[((((data[1] & 0x0f) << 2) & 0xff) | - (data[2] >> 6))]; - result[3] = b64table[(((data[2] << 2) & 0xff) >> 2)]; - break; - case 2: - result[0] = b64table[(data[0] >> 2)]; - result[1] = - b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | - (data[1] >> 4))]; - result[2] = b64table[(((data[1] << 4) & 0xff) >> 2)]; - result[3] = '='; - break; - case 1: - result[0] = b64table[(data[0] >> 2)]; - result[1] = - b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff))]; - result[2] = '='; - result[3] = '='; - break; - default: - return -1; - } - - return 4; + int data_len; + + if (left > 3) + data_len = 3; + else + data_len = left; + + switch (data_len) { + case 3: + result[0] = b64table[(data[0] >> 2)]; + result[1] = + b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | + (data[1] >> 4))]; + result[2] = + b64table[((((data[1] & 0x0f) << 2) & 0xff) | (data[2] >> 6))]; + result[3] = b64table[(((data[2] << 2) & 0xff) >> 2)]; + break; + case 2: + result[0] = b64table[(data[0] >> 2)]; + result[1] = + b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) | + (data[1] >> 4))]; + result[2] = b64table[(((data[1] << 4) & 0xff) >> 2)]; + result[3] = '='; + break; + case 1: + result[0] = b64table[(data[0] >> 2)]; + result[1] = b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff))]; + result[2] = '='; + result[3] = '='; + break; + default: + return -1; + } + + return 4; } @@ -106,61 +104,62 @@ inline static int encode(char * result, const uint8 * data, int left) #define TOASCII(c) (c < 127 ? asciitable[c] : 0xff) inline static int decode(uint8 * result, const opaque * data) { - uint8 a1, a2; - int ret = 3; - - a1 = TOASCII(data[0]); - a2 = TOASCII(data[1]); - if (a1 == 0xff || a2 == 0xff) - return -1; - result[0] = ((a1 << 2) & 0xff) | ((a2 >> 4) & 0xff); - - a1 = a2; - a2 = TOASCII(data[2]); - if (a2 == 0xff) - return -1; - result[1] = ((a1 << 4) & 0xff) | ((a2 >> 2) & 0xff); - - a1 = a2; - a2 = TOASCII(data[3]); - if (a2 == 0xff) - return -1; - result[2] = ((a1 << 6) & 0xff) | (a2 & 0xff); - - if (data[2] == '=') - ret--; - - if (data[3] == '=') - ret--; - return ret; + uint8 a1, a2; + int ret = 3; + + a1 = TOASCII(data[0]); + a2 = TOASCII(data[1]); + if (a1 == 0xff || a2 == 0xff) + return -1; + result[0] = ((a1 << 2) & 0xff) | ((a2 >> 4) & 0xff); + + a1 = a2; + a2 = TOASCII(data[2]); + if (a2 == 0xff) + return -1; + result[1] = ((a1 << 4) & 0xff) | ((a2 >> 2) & 0xff); + + a1 = a2; + a2 = TOASCII(data[3]); + if (a2 == 0xff) + return -1; + result[2] = ((a1 << 6) & 0xff) | (a2 & 0xff); + + if (data[2] == '=') + ret--; + + if (data[3] == '=') + ret--; + return ret; } /* encodes data and puts the result into result (locally allocated) * The result_size is the return value */ -int _gnutls_base64_encode(const uint8 * data, size_t data_size, uint8 ** result) +int _gnutls_base64_encode(const uint8 * data, size_t data_size, + uint8 ** result) { - unsigned int i, j; - int ret, tmp; - char tmpres[4]; - - ret = B64SIZE( data_size); - - (*result) = gnutls_malloc(ret + 1); - if ((*result) == NULL) - return GNUTLS_E_MEMORY_ERROR; - - for (i = j = 0; i < data_size; i += 3, j += 4) { - tmp = encode(tmpres, &data[i], data_size - i); - if (tmp == -1) { - gnutls_free( (*result)); - return GNUTLS_E_MEMORY_ERROR; - } - memcpy(&(*result)[j], tmpres, tmp); + unsigned int i, j; + int ret, tmp; + char tmpres[4]; + + ret = B64SIZE(data_size); + + (*result) = gnutls_malloc(ret + 1); + if ((*result) == NULL) + return GNUTLS_E_MEMORY_ERROR; + + for (i = j = 0; i < data_size; i += 3, j += 4) { + tmp = encode(tmpres, &data[i], data_size - i); + if (tmp == -1) { + gnutls_free((*result)); + return GNUTLS_E_MEMORY_ERROR; } - (*result)[ret] = 0; /* null terminated */ + memcpy(&(*result)[j], tmpres, tmp); + } + (*result)[ret] = 0; /* null terminated */ - return ret; + return ret; } #define INCR(what, size) \ @@ -171,102 +170,103 @@ int _gnutls_base64_encode(const uint8 * data, size_t data_size, uint8 ** result) gnutls_free( (*result)); *result = NULL; \ return GNUTLS_E_INTERNAL_ERROR; \ } \ - } while(0) + } while(0) /* encodes data and puts the result into result (locally allocated) * The result_size (including the null terminator) is the return value. */ -int _gnutls_fbase64_encode(const char *msg, const uint8 * data, int data_size, - uint8 ** result) +int _gnutls_fbase64_encode(const char *msg, const uint8 * data, + int data_size, uint8 ** result) { - int i, ret, tmp, j; - char tmpres[4]; - uint8 *ptr; - uint8 top[80]; - uint8 bottom[80]; - int pos, bytes, top_len, bottom_len; - size_t msglen = strlen(msg); - - if (msglen > 50) { - gnutls_assert(); - return GNUTLS_E_BASE64_ENCODING_ERROR; + int i, ret, tmp, j; + char tmpres[4]; + uint8 *ptr; + uint8 top[80]; + uint8 bottom[80]; + int pos, bytes, top_len, bottom_len; + size_t msglen = strlen(msg); + + if (msglen > 50) { + gnutls_assert(); + return GNUTLS_E_BASE64_ENCODING_ERROR; + } + + memset(bottom, 0, sizeof(bottom)); + memset(top, 0, sizeof(top)); + + strcat(top, "-----BEGIN "); /* Flawfinder: ignore */ + strcat(top, msg); /* Flawfinder: ignore */ + strcat(top, "-----"); /* Flawfinder: ignore */ + + strcat(bottom, "\n-----END "); /* Flawfinder: ignore */ + strcat(bottom, msg); /* Flawfinder: ignore */ + strcat(bottom, "-----\n"); /* Flawfinder: ignore */ + + top_len = strlen(top); + bottom_len = strlen(bottom); + + ret = B64FSIZE(msglen, data_size); + + (*result) = gnutls_calloc(1, ret + 1); + if ((*result) == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + bytes = pos = 0; + INCR(bytes, top_len); + pos = top_len; + + strcpy(*result, top); /* Flawfinder: ignore */ + + for (i = j = 0; i < data_size; i += 3, j += 4) { + + tmp = encode(tmpres, &data[i], data_size - i); + if (tmp == -1) { + gnutls_assert(); + gnutls_free((*result)); + *result = NULL; + return GNUTLS_E_BASE64_ENCODING_ERROR; } - memset(bottom, 0, sizeof(bottom)); - memset(top, 0, sizeof(top)); + INCR(bytes, 4); + ptr = &(*result)[j + pos]; - strcat(top, "-----BEGIN "); /* Flawfinder: ignore */ - strcat(top, msg); /* Flawfinder: ignore */ - strcat(top, "-----"); /* Flawfinder: ignore */ - - strcat(bottom, "\n-----END "); /* Flawfinder: ignore */ - strcat(bottom, msg); /* Flawfinder: ignore */ - strcat(bottom, "-----\n"); /* Flawfinder: ignore */ - - top_len = strlen(top); - bottom_len = strlen(bottom); + if ((j) % 64 == 0) { + INCR(bytes, 1); + pos++; + *ptr++ = '\n'; + } + *ptr++ = tmpres[0]; - ret = B64FSIZE( msglen, data_size); + if ((j + 1) % 64 == 0) { + INCR(bytes, 1); + pos++; + *ptr++ = '\n'; + } + *ptr++ = tmpres[1]; - (*result) = gnutls_calloc(1, ret + 1); - if ((*result) == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + if ((j + 2) % 64 == 0) { + INCR(bytes, 1); + pos++; + *ptr++ = '\n'; } + *ptr++ = tmpres[2]; - bytes = pos = 0; - INCR( bytes, top_len); - pos = top_len; - - strcpy(*result, top); /* Flawfinder: ignore */ - - for (i = j = 0; i < data_size; i += 3, j += 4) { - - tmp = encode(tmpres, &data[i], data_size - i); - if (tmp == -1) { - gnutls_assert(); - gnutls_free( (*result)); *result = NULL; - return GNUTLS_E_BASE64_ENCODING_ERROR; - } - - INCR(bytes, 4); - ptr = &(*result)[j + pos]; - - if ((j) % 64 == 0) { - INCR(bytes, 1); - pos++; - *ptr++ = '\n'; - } - *ptr++ = tmpres[0]; - - if ((j + 1) % 64 == 0) { - INCR(bytes, 1); - pos++; - *ptr++ = '\n'; - } - *ptr++ = tmpres[1]; - - if ((j + 2) % 64 == 0) { - INCR(bytes, 1); - pos++; - *ptr++ = '\n'; - } - *ptr++ = tmpres[2]; - - if ((j + 3) % 64 == 0) { - INCR(bytes, 1); - pos++; - *ptr++ = '\n'; - } - *ptr++ = tmpres[3]; + if ((j + 3) % 64 == 0) { + INCR(bytes, 1); + pos++; + *ptr++ = '\n'; } + *ptr++ = tmpres[3]; + } - INCR( bytes, bottom_len); + INCR(bytes, bottom_len); - memcpy( &(*result)[ bytes-bottom_len], bottom, bottom_len); - (*result)[ bytes] = 0; + memcpy(&(*result)[bytes - bottom_len], bottom, bottom_len); + (*result)[bytes] = 0; - return ret + 1; + return ret + 1; } /** @@ -284,26 +284,27 @@ int _gnutls_fbase64_encode(const char *msg, const uint8 * data, int data_size, * the terminating null. * **/ -int gnutls_pem_base64_encode( const char* msg, const gnutls_datum *data, char* result, - size_t* result_size) { -opaque* ret; -int size; - - size = _gnutls_fbase64_encode( msg, data->data, data->size, &ret); - if (size < 0) - return size; - - if (result==NULL || *result_size < (uint)size) { - gnutls_free(ret); - *result_size = size; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } else { - memcpy( result, ret, size); - gnutls_free(ret); - *result_size = size - 1; - } - - return 0; +int gnutls_pem_base64_encode(const char *msg, const gnutls_datum * data, + char *result, size_t * result_size) +{ + opaque *ret; + int size; + + size = _gnutls_fbase64_encode(msg, data->data, data->size, &ret); + if (size < 0) + return size; + + if (result == NULL || *result_size < (uint) size) { + gnutls_free(ret); + *result_size = size; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } else { + memcpy(result, ret, size); + gnutls_free(ret); + *result_size = size - 1; + } + + return 0; } /** @@ -319,69 +320,74 @@ int size; * You should use gnutls_free() to free the returned data. * **/ -int gnutls_pem_base64_encode_alloc( const char* msg, const gnutls_datum *data, - gnutls_datum* result) +int gnutls_pem_base64_encode_alloc(const char *msg, + const gnutls_datum * data, + gnutls_datum * result) { -opaque* ret; -int size; + opaque *ret; + int size; - if (result==NULL) return GNUTLS_E_INVALID_REQUEST; + if (result == NULL) + return GNUTLS_E_INVALID_REQUEST; - size = _gnutls_fbase64_encode( msg, data->data, data->size, &ret); - if (size < 0) - return size; + size = _gnutls_fbase64_encode(msg, data->data, data->size, &ret); + if (size < 0) + return size; - result->data = ret; - result->size = size - 1; - return 0; + result->data = ret; + result->size = size - 1; + return 0; } /* decodes data and puts the result into result (locally allocated) * The result_size is the return value */ -int _gnutls_base64_decode(const uint8 * data, size_t data_size, uint8 ** result) +int _gnutls_base64_decode(const uint8 * data, size_t data_size, + uint8 ** result) { - unsigned int i, j; - int ret, tmp, est; - uint8 tmpres[3]; - - est = ((data_size * 3) / 4) + 1; - (*result) = gnutls_malloc(est); - if ((*result) == NULL) - return GNUTLS_E_MEMORY_ERROR; - - ret = 0; - for (i = j = 0; i < data_size; i += 4, j += 3) { - tmp = decode(tmpres, &data[i]); - if (tmp < 0) { - gnutls_free( *result); *result = NULL; - return tmp; - } - memcpy(&(*result)[j], tmpres, tmp); - ret += tmp; + unsigned int i, j; + int ret, tmp, est; + uint8 tmpres[3]; + + est = ((data_size * 3) / 4) + 1; + (*result) = gnutls_malloc(est); + if ((*result) == NULL) + return GNUTLS_E_MEMORY_ERROR; + + ret = 0; + for (i = j = 0; i < data_size; i += 4, j += 3) { + tmp = decode(tmpres, &data[i]); + if (tmp < 0) { + gnutls_free(*result); + *result = NULL; + return tmp; } - return ret; + memcpy(&(*result)[j], tmpres, tmp); + ret += tmp; + } + return ret; } /* copies data to result but removes newlines and <CR> * returns the size of the data copied. */ -inline static int cpydata(const uint8 * data, int data_size, uint8 ** result) +inline static int cpydata(const uint8 * data, int data_size, + uint8 ** result) { - int i, j; - - (*result) = gnutls_malloc(data_size); - if (*result == NULL) - return GNUTLS_E_MEMORY_ERROR; - - for (j = i = 0; i < data_size; i++) { - if (data[i] == '\n' || data[i] == '\r') - continue; - (*result)[j] = data[i]; - j++; - } - return j; + int i, j; + + (*result) = gnutls_malloc(data_size); + if (*result == NULL) + return GNUTLS_E_MEMORY_ERROR; + + for (j = i = 0; i < data_size; i++) { + if (data[i] == '\n' || data[i] == '\r') + continue; + (*result)[j] = data[i]; + j++; + } + return j; } /* Searches the given string for ONE PEM encoded certificate, and @@ -391,90 +397,91 @@ inline static int cpydata(const uint8 * data, int data_size, uint8 ** result) */ #define ENDSTR "-----\n" #define ENDSTR2 "-----\r" -int _gnutls_fbase64_decode( const char* header, const opaque * data, size_t data_size, - uint8 ** result) +int _gnutls_fbase64_decode(const char *header, const opaque * data, + size_t data_size, uint8 ** result) { - int ret; - static const char top[] = "-----BEGIN "; - static const char bottom[] = "\n-----END "; - uint8 *rdata; - int rdata_size; - uint8 *kdata; - int kdata_size; - char pem_header[128]; - - _gnutls_str_cpy( pem_header, sizeof(pem_header), top); - if (header != NULL) - _gnutls_str_cat( pem_header, sizeof(pem_header), header); - - rdata = strnstr( data, pem_header, data_size); - - if (rdata==NULL) { - gnutls_assert(); - _gnutls_debug_log( "Could not find '%s'\n", pem_header); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - - data_size -= (unsigned long int)rdata-(unsigned long int)data; - - if (data_size < 4 + strlen(bottom)) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - - kdata = strnstr( rdata, ENDSTR, data_size); - /* allow CR as well. - */ - if (kdata==NULL) kdata = strnstr( rdata, ENDSTR2, data_size); - - if (kdata==NULL) { - gnutls_assert(); - _gnutls_x509_log( "Could not find '%s'\n", ENDSTR); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - data_size -= strlen(ENDSTR); - data_size -= (unsigned long int)kdata-(unsigned long int)rdata; - - rdata = kdata + strlen(ENDSTR); - - /* position is now after the ---BEGIN--- headers */ - - kdata = strnstr( rdata, bottom, data_size); - if (kdata==NULL) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - - /* position of kdata is before the ----END--- footer - */ - rdata_size = (unsigned long int)kdata-(unsigned long int)rdata; - - if (rdata_size < 4) { - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - - kdata_size = cpydata(rdata, rdata_size, &kdata); - - if (kdata_size < 0) { - gnutls_assert(); - return kdata_size; - } - - if (kdata_size < 4) { - gnutls_assert(); - gnutls_free(kdata); - return GNUTLS_E_BASE64_DECODING_ERROR; - } + int ret; + static const char top[] = "-----BEGIN "; + static const char bottom[] = "\n-----END "; + uint8 *rdata; + int rdata_size; + uint8 *kdata; + int kdata_size; + char pem_header[128]; + + _gnutls_str_cpy(pem_header, sizeof(pem_header), top); + if (header != NULL) + _gnutls_str_cat(pem_header, sizeof(pem_header), header); + + rdata = strnstr(data, pem_header, data_size); + + if (rdata == NULL) { + gnutls_assert(); + _gnutls_debug_log("Could not find '%s'\n", pem_header); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + + data_size -= (unsigned long int) rdata - (unsigned long int) data; + + if (data_size < 4 + strlen(bottom)) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + + kdata = strnstr(rdata, ENDSTR, data_size); + /* allow CR as well. + */ + if (kdata == NULL) + kdata = strnstr(rdata, ENDSTR2, data_size); + + if (kdata == NULL) { + gnutls_assert(); + _gnutls_x509_log("Could not find '%s'\n", ENDSTR); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + data_size -= strlen(ENDSTR); + data_size -= (unsigned long int) kdata - (unsigned long int) rdata; + + rdata = kdata + strlen(ENDSTR); + + /* position is now after the ---BEGIN--- headers */ + + kdata = strnstr(rdata, bottom, data_size); + if (kdata == NULL) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + + /* position of kdata is before the ----END--- footer + */ + rdata_size = (unsigned long int) kdata - (unsigned long int) rdata; + + if (rdata_size < 4) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + + kdata_size = cpydata(rdata, rdata_size, &kdata); + + if (kdata_size < 0) { + gnutls_assert(); + return kdata_size; + } + + if (kdata_size < 4) { + gnutls_assert(); + gnutls_free(kdata); + return GNUTLS_E_BASE64_DECODING_ERROR; + } - if ((ret = _gnutls_base64_decode( kdata, kdata_size, result)) < 0) { - gnutls_free(kdata); - gnutls_assert(); - return GNUTLS_E_BASE64_DECODING_ERROR; - } + if ((ret = _gnutls_base64_decode(kdata, kdata_size, result)) < 0) { gnutls_free(kdata); - - return ret; + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + gnutls_free(kdata); + + return ret; } /** @@ -491,27 +498,30 @@ int _gnutls_fbase64_decode( const char* header, const opaque * data, size_t data * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the buffer given is not long enough, * or 0 on success. **/ -int gnutls_pem_base64_decode( const char* header, const gnutls_datum *b64_data, - unsigned char* result, size_t* result_size) +int gnutls_pem_base64_decode(const char *header, + const gnutls_datum * b64_data, + unsigned char *result, size_t * result_size) { -opaque* ret; -int size; - - size = _gnutls_fbase64_decode( header, b64_data->data, b64_data->size, &ret); - if (size < 0) - return size; - - if (result==NULL || *result_size < (uint)size) { - gnutls_free(ret); - *result_size = size; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } else { - memcpy( result, ret, size); - gnutls_free(ret); - *result_size = size; - } - - return 0; + opaque *ret; + int size; + + size = + _gnutls_fbase64_decode(header, b64_data->data, b64_data->size, + &ret); + if (size < 0) + return size; + + if (result == NULL || *result_size < (uint) size) { + gnutls_free(ret); + *result_size = size; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } else { + memcpy(result, ret, size); + gnutls_free(ret); + *result_size = size; + } + + return 0; } /** @@ -529,19 +539,23 @@ int size; * You should use gnutls_free() to free the returned data. * **/ -int gnutls_pem_base64_decode_alloc( const char* header, const gnutls_datum *b64_data, - gnutls_datum* result) +int gnutls_pem_base64_decode_alloc(const char *header, + const gnutls_datum * b64_data, + gnutls_datum * result) { -opaque* ret; -int size; + opaque *ret; + int size; - if (result==NULL) return GNUTLS_E_INVALID_REQUEST; + if (result == NULL) + return GNUTLS_E_INVALID_REQUEST; - size = _gnutls_fbase64_decode( header, b64_data->data, b64_data->size, &ret); - if (size < 0) - return size; + size = + _gnutls_fbase64_decode(header, b64_data->data, b64_data->size, + &ret); + if (size < 0) + return size; - result->data = ret; - result->size = size; - return 0; + result->data = ret; + result->size = size; + return 0; } diff --git a/lib/x509_b64.h b/lib/x509_b64.h index ada3333742..11ce26eeb0 100644 --- a/lib/x509_b64.h +++ b/lib/x509_b64.h @@ -1,15 +1,17 @@ -int _gnutls_base64_encode(const uint8 * data, size_t data_size, uint8 ** result); -int _gnutls_fbase64_encode(const char *msg, const uint8 * data, int data_size, - uint8 ** result); -int _gnutls_base64_decode(const uint8 * data, size_t data_size, uint8 ** result); -int _gnutls_fbase64_decode( const char* header, const uint8 * data, size_t data_size, - uint8 ** result); +int _gnutls_base64_encode(const uint8 * data, size_t data_size, + uint8 ** result); +int _gnutls_fbase64_encode(const char *msg, const uint8 * data, + int data_size, uint8 ** result); +int _gnutls_base64_decode(const uint8 * data, size_t data_size, + uint8 ** result); +int _gnutls_fbase64_decode(const char *header, const uint8 * data, + size_t data_size, uint8 ** result); #define B64SIZE( data_size) ((data_size%3==0)?((data_size*4)/3):(4+((data_size/3)*4))) /* The size for B64 encoding + newlines plus header */ - + #define HEADSIZE( hsize) \ sizeof("-----BEGIN ")-1+sizeof("-----")-1+ \ sizeof("\n-----END ")-1+sizeof("-----\n")-1+hsize+hsize @@ -17,4 +19,3 @@ int _gnutls_fbase64_decode( const char* header, const uint8 * data, size_t data_ #define B64FSIZE( hsize, dsize) \ (B64SIZE(dsize) + HEADSIZE(hsize) + /*newlines*/ \ B64SIZE(dsize)/64 + (((B64SIZE(dsize) % 64) > 0) ? 1 : 0)) - |