diff options
Diffstat (limited to 'lib/gnutls_cert.c')
-rw-r--r-- | lib/gnutls_cert.c | 129 |
1 files changed, 11 insertions, 118 deletions
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 74372f69b2..b97f69a789 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -47,11 +47,11 @@ typedef struct { /* This table maps the Key exchange algorithms to * the certificate algorithms. Eg. if we have * RSA algorithm in the certificate then we can - * use GNUTLS_KX_RSA or GNUTLS_KX_DHE_RSA. + * use GNUTLS_KX_X509PKI_RSA or GNUTLS_KX_X509PKI_DHE_RSA. */ static const gnutls_pk_map pk_mappings[] = { - {GNUTLS_KX_RSA, GNUTLS_PK_RSA}, - {GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA}, + {GNUTLS_KX_X509PKI_RSA, GNUTLS_PK_RSA}, + {GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_PK_RSA}, {0} }; @@ -510,102 +510,7 @@ int gnutls_x509pki_set_trust_file(GNUTLS_X509PKI_CREDENTIALS res, char *CAFILE, } /** - * gnutls_x509pki_set_key_mem - Used to set keys in a GNUTLS_X509PKI_CREDENTIALS structure - * @res: is an &GNUTLS_X509PKI_CREDENTIALS structure. - * @CERT: contains a PEM encoded certificate list (path) for - * the specified private key - * @KEY: is a PEM encoded private key - * - * This function sets a certificate/private key pair in the - * GNUTLS_X509PKI_CREDENTIALS structure. This function may be called - * more than once (in case multiple keys/certificates exist for the - * server). - * - * Currently only PKCS-1 PEM encoded RSA private keys are accepted by - * this function. - * - **/ -int gnutls_x509pki_set_key_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum* CERT, - const gnutls_datum* KEY) -{ - int ret; - - /* this should be first - */ - if ((ret = read_key_mem( res, KEY->data, KEY->size)) < 0) - return ret; - - if ((ret = read_cert_mem( res, CERT->data, CERT->size)) < 0) - return ret; - - return 0; -} - -/** - * gnutls_x509pki_set_trust_mem - Used to set trusted CAs in a GNUTLS_X509PKI_CREDENTIALS structure - * @res: is an &GNUTLS_X509PKI_CREDENTIALS structure. - * @CA: is a PEM encoded list of trusted CAs - * @CRL: is a PEM encoded list of CRLs (ignored for now) - * - * This function sets the trusted CAs in order to verify client - * certificates. - **/ -int gnutls_x509pki_set_trust_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum *CA, - const gnutls_datum *CRL) -{ - int ret, size, i; - opaque *pdata; - gnutls_datum tmp; - - if ((ret = read_ca_mem(res, CA->data, CA->size)) < 0) - return ret; - - /* Generate the RDN sequence - * This will be sent to clients when a certificate - * request message is sent. - */ - - /* FIXME: in case of a client it is not needed - * to do that. This would save time and memory. - * However we don't have that information available - * here. - */ - - size = 0; - for (i = 0; i < res->ncas; i++) { - if ((ret = _gnutls_find_dn(&tmp, &res->ca_list[i])) < 0) { - gnutls_assert(); - return ret; - } - size += (2 + tmp.size); - } - - res->rdn_sequence.data = gnutls_malloc(size); - if (res->rdn_sequence.data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - res->rdn_sequence.size = size; - - pdata = res->rdn_sequence.data; - - for (i = 0; i < res->ncas; i++) { - if ((ret = _gnutls_find_dn(&tmp, &res->ca_list[i])) < 0) { - gnutls_free(res->rdn_sequence.data); - res->rdn_sequence.size = 0; - res->rdn_sequence.data = NULL; - gnutls_assert(); - return ret; - } - WRITEdatum16(pdata, tmp); - pdata += (2 + tmp.size); - } - - return 0; -} - -/** - * gnutls_dh_set_dhe_bits - Used to set the bits for a DHE_* ciphersuite + * gnutls_x509pki_set_dh_bits - Used to set the bits for a DHE_* ciphersuite * @state: is a &GNUTLS_STATE structure. * @bits: is the number of bits * @@ -613,17 +518,11 @@ int gnutls_x509pki_set_trust_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_da * This value will only be used in case of DHE ciphersuite. * **/ -void gnutls_dh_set_dhe_bits(GNUTLS_STATE state, int bits) +void gnutls_x509pki_set_dh_bits(GNUTLS_STATE state, int bits) { - state->gnutls_internals.dhe_bits = bits; + state->gnutls_internals.x509pki_dhe_bits = bits; } -#ifdef DEBUG -# warning REMOVE THIS ON LIBRARY VERSION CHANGE -#endif -void gnutls_x509pki_set_dh_bits(GNUTLS_STATE state, int bits) { - gnutls_dh_set_dhe_bits( state, bits); -} static int _read_rsa_params(opaque * der, int dersize, MPI * params) { @@ -1102,7 +1001,7 @@ int _gnutls_check_x509pki_key_usage(const gnutls_cert * cert, { if (_gnutls_map_kx_get_cred(alg) == GNUTLS_X509PKI) { switch (alg) { - case GNUTLS_KX_RSA: + case GNUTLS_KX_X509PKI_RSA: if (cert->keyUsage != 0) { if (! (cert-> @@ -1113,8 +1012,7 @@ int _gnutls_check_x509pki_key_usage(const gnutls_cert * cert, return 0; } return 0; - case GNUTLS_KX_DHE_RSA: - case GNUTLS_KX_DHE_DSS: + case GNUTLS_KX_X509PKI_DHE_RSA: if (cert->keyUsage != 0) { if (! (cert-> @@ -1135,7 +1033,7 @@ int _gnutls_check_x509pki_key_usage(const gnutls_cert * cert, /* returns the KX algorithms that are supported by a * certificate. (Eg a certificate with RSA params, supports - * GNUTLS_KX_RSA algorithm). + * GNUTLS_KX_X509PKI_RSA algorithm). * This function also uses the KeyUsage field of the certificate * extensions in order to disable unneded algorithms. */ @@ -1145,10 +1043,10 @@ int _gnutls_cert_supported_kx(const gnutls_cert * cert, KXAlgorithm ** alg, KXAlgorithm kx; int i; PKAlgorithm pk; - KXAlgorithm kxlist[MAX_KX_ALGOS]; + KXAlgorithm kxlist[255]; i = 0; - for (kx = 0; kx < MAX_KX_ALGOS; kx++) { + for (kx = 0; kx < 255; kx++) { pk = _gnutls_map_pk_get_pk(kx); if (pk == cert->subject_pk_algorithm) { if (_gnutls_check_x509pki_key_usage(cert, kx) == 0) { @@ -1158,11 +1056,6 @@ int _gnutls_cert_supported_kx(const gnutls_cert * cert, KXAlgorithm ** alg, } } - if (i==0) { - gnutls_assert(); - return GNUTLS_E_INVALID_PARAMETERS; - } - *alg = gnutls_calloc(1, sizeof(KXAlgorithm) * i); if (*alg == NULL) return GNUTLS_E_MEMORY_ERROR; |