
commit 3b9bb09488b3d5d03a9517c810539f5b9e985d96
parent e81f372ed145575566e03120bc759360b66b1ffe
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sun, 16 Nov 2008 04:33:30 +0000

more dce

Diffstat:
Msrc/daemon/https/x509/Makefile.am | 1-
Dsrc/daemon/https/x509/rfc2818.h | 26--------------------------
Dsrc/daemon/https/x509/rfc2818_hostname.c | 161-------------------------------------------------------------------------------
Msrc/daemon/https/x509/verify.h | 3---
Msrc/daemon/https/x509/x509.h | 78------------------------------------------------------------------------------
Msrc/daemon/https/x509/x509_verify.c | 64+++-------------------------------------------------------------
6 files changed, 3 insertions(+), 330 deletions(-)

diff --git a/src/daemon/https/x509/Makefile.am b/src/daemon/https/x509/Makefile.am
@@ -23,7 +23,6 @@ extensions.c extensions.h \
 mpi.c mpi.h \
 pkcs12.h \
 x509_privkey.c privkey.h \
-rfc2818_hostname.c rfc2818.h \
 x509_verify.c verify.h \
 x509.c x509.h
diff --git a/src/daemon/https/x509/rfc2818.h b/src/daemon/https/x509/rfc2818.h
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2003, 2004, 2005 Free Software Foundation
- *
- * Author: Nikos Mavrogiannopoulos
- *
- * This file is part of GNUTLS.
- *
- * The GNUTLS library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA
- *
- */
-
-int MHD__gnutls_hostname_compare (const char *certname, const char *hostname);
-#define MAX_CN 256
diff --git a/src/daemon/https/x509/rfc2818_hostname.c b/src/daemon/https/x509/rfc2818_hostname.c
@@ -1,161 +0,0 @@
-/*
- * Copyright (C) 2003, 2004, 2005, 2007 Free Software Foundation
- * Copyright (C) 2002 Andrew McDonald
- *
- * This file is part of GNUTLS.
- *
- * The GNUTLS library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA
- *
- */
-
-#include <gnutls_int.h>
-#include <x509.h>
-#include <dn.h>
-#include <common.h>
-#include <rfc2818.h>
-#include <gnutls_errors.h>
-
-/* compare hostname against certificate, taking account of wildcards
- * return 1 on success or 0 on error
- */
-int
-MHD__gnutls_hostname_compare (const char *certname, const char *hostname)
-{
- const char *cmpstr1, *cmpstr2;
-
- if (strlen (certname) == 0 || strlen (hostname) == 0)
- return 0;
-
- if (strlen (certname) > 2 && strncmp (certname, "*.", 2) == 0)
- {
- /* a wildcard certificate */
-
- cmpstr1 = certname + 1;
-
- /* find the first dot in hostname, compare from there on */
- cmpstr2 = strchr (hostname, '.');
-
- if (cmpstr2 == NULL)
- {
- /* error, the hostname we're connecting to is only a local part */
- return 0;
- }
-
- if (strcasecmp (cmpstr1, cmpstr2) == 0)
- {
- return 1;
- }
-
- return 0;
- }
-
- if (strcasecmp (certname, hostname) == 0)
- {
- return 1;
- }
-
- return 0;
-}
-
-/**
- * MHD_gnutls_x509_crt_check_hostname - This function compares the given hostname with the hostname in the certificate
- * @cert: should contain an MHD_gnutls_x509_crt_t structure
- * @hostname: A null terminated string that contains a DNS name
- *
- * This function will check if the given certificate's subject
- * matches the given hostname. This is a basic implementation of the
- * matching described in RFC2818 (HTTPS), which takes into account
- * wildcards, and the DNSName/IPAddress subject alternative name PKIX
- * extension.
- *
- * Returns non zero for a successful match, and zero on failure.
- **/
-int
-MHD_gnutls_x509_crt_check_hostname (MHD_gnutls_x509_crt_t cert,
- const char *hostname)
-{
-
- char dnsname[MAX_CN];
- size_t dnsnamesize;
- int found_dnsname = 0;
- int ret = 0;
- int i = 0;
-
- /* try matching against:
- * 1) a DNS name as an alternative name (subjectAltName) extension
- * in the certificate
- * 2) the common name (CN) in the certificate
- *
- * either of these may be of the form: *.domain.tld
- *
- * only try (2) if there is no subjectAltName extension of
- * type dNSName
- */
-
- /* Check through all included subjectAltName extensions, comparing
- * against all those of type dNSName.
- */
- for (i = 0; !(ret < 0); i++)
- {
-
- dnsnamesize = sizeof (dnsname);
- ret = MHD_gnutls_x509_crt_get_subject_alt_name (cert, i,
- dnsname, &dnsnamesize,
- NULL);
-
- if (ret == GNUTLS_SAN_DNSNAME)
- {
- found_dnsname = 1;
- if (MHD__gnutls_hostname_compare (dnsname, hostname))
- {
- return 1;
- }
- }
- else if (ret == GNUTLS_SAN_IPADDRESS)
- {
- found_dnsname = 1; /* RFC 2818 is unclear whether the CN
- should be compared for IP addresses
- too, but we won't do it. */
- if (MHD__gnutls_hostname_compare (dnsname, hostname))
- {
- return 1;
- }
- }
- }
-
- if (!found_dnsname)
- {
- /* not got the necessary extension, use CN instead
- */
- dnsnamesize = sizeof (dnsname);
- if (MHD_gnutls_x509_crt_get_dn_by_oid (cert, OID_X520_COMMON_NAME, 0,
- 0, dnsname, &dnsnamesize) < 0)
- {
- /* got an error, can't find a name
- */
- return 0;
- }
-
- if (MHD__gnutls_hostname_compare (dnsname, hostname))
- {
- return 1;
- }
- }
-
- /* not found a matching name
- */
- return 0;
-}
diff --git a/src/daemon/https/x509/verify.h b/src/daemon/https/x509/verify.h
@@ -26,9 +26,6 @@ int MHD_gnutls_x509_crt_is_issuer (MHD_gnutls_x509_crt_t cert,
 MHD_gnutls_x509_crt_t issuer);
-int MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * tbs,
- const MHD_gnutls_datum_t * signature,
- MHD_gnutls_x509_crt_t issuer);
 int MHD__gnutls_x509_privkey_verify_signature (const MHD_gnutls_datum_t * tbs, const MHD_gnutls_datum_t * signature,
diff --git a/src/daemon/https/x509/x509.h b/src/daemon/https/x509/x509.h
@@ -97,9 +97,6 @@ extern "C"
 MHD_gnutls_x509_crt_fmt_t format, void *output_data, size_t * output_data_size);
- int MHD_gnutls_x509_crt_check_hostname (MHD_gnutls_x509_crt_t cert,
- const char *hostname);
- int MHD_gnutls_x509_crt_get_signature_algorithm (MHD_gnutls_x509_crt_t cert);
 int MHD_gnutls_x509_crt_get_signature (MHD_gnutls_x509_crt_t cert,
@@ -214,10 +211,6 @@ extern "C"
 int MHD_gnutls_x509_crt_print (MHD_gnutls_x509_crt_t cert, MHD_gnutls_certificate_print_formats_t format, MHD_gnutls_datum_t * out);
- int MHD_gnutls_x509_crl_print (MHD_gnutls_x509_crl_t crl,
- MHD_gnutls_certificate_print_formats_t
- format, MHD_gnutls_datum_t * out);
- /* Access to internal Certificate fields. */
 int MHD_gnutls_x509_crt_get_raw_issuer_dn (MHD_gnutls_x509_crt_t cert,
@@ -236,51 +229,6 @@ extern "C"
 int MHD_gnutls_x509_crt_get_subject (MHD_gnutls_x509_crt_t cert, MHD_gnutls_x509_dn_t * dn);
-/* CRL handling functions.
- */
- int MHD_gnutls_x509_crl_init (MHD_gnutls_x509_crl_t * crl);
- void MHD_gnutls_x509_crl_deinit (MHD_gnutls_x509_crl_t crl);
-
- int MHD_gnutls_x509_crl_get_signature_algorithm (MHD_gnutls_x509_crl_t crl);
- int MHD_gnutls_x509_crl_get_signature (MHD_gnutls_x509_crl_t crl,
- char *sig, size_t * sizeof_sig);
- int MHD_gnutls_x509_crl_get_crt_count (MHD_gnutls_x509_crl_t crl);
- int MHD_gnutls_x509_crl_get_crt_serial (MHD_gnutls_x509_crl_t crl,
- int indx,
- unsigned char *serial,
- size_t * serial_size, time_t * t);
-#define MHD_gnutls_x509_crl_get_certificate_count MHD_gnutls_x509_crl_get_crt_count
-#define MHD_gnutls_x509_crl_get_certificate MHD_gnutls_x509_crl_get_crt_serial
-
- int MHD_gnutls_x509_crl_check_issuer (MHD_gnutls_x509_crl_t crl,
- MHD_gnutls_x509_crt_t issuer);
-
-/* CRL writing.
- */
- int MHD_gnutls_x509_crl_set_version (MHD_gnutls_x509_crl_t crl,
- unsigned int version);
- int MHD_gnutls_x509_crl_sign (MHD_gnutls_x509_crl_t crl,
- MHD_gnutls_x509_crt_t issuer,
- MHD_gnutls_x509_privkey_t issuer_key);
- int MHD_gnutls_x509_crl_sign2 (MHD_gnutls_x509_crl_t crl,
- MHD_gnutls_x509_crt_t issuer,
- MHD_gnutls_x509_privkey_t issuer_key,
- enum MHD_GNUTLS_HashAlgorithm,
- unsigned int flags);
- int MHD_gnutls_x509_crl_set_this_update (MHD_gnutls_x509_crl_t crl,
- time_t act_time);
- int MHD_gnutls_x509_crl_set_next_update (MHD_gnutls_x509_crl_t crl,
- time_t exp_time);
- int MHD_gnutls_x509_crl_set_crt_serial (MHD_gnutls_x509_crl_t crl,
- const void *serial,
- size_t serial_size,
- time_t revocation_time);
- int MHD_gnutls_x509_crl_set_crt (MHD_gnutls_x509_crl_t crl,
- MHD_gnutls_x509_crt_t crt,
- time_t revocation_time);
-
-/* PKCS7 structures handling
- */
 struct MHD_gnutls_pkcs7_int;
 typedef struct MHD_gnutls_pkcs7_int *MHD_gnutls_pkcs7_t;
@@ -352,9 +300,6 @@ extern "C"
 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32 } MHD_gnutls_certificate_verify_flags;
- int MHD_gnutls_x509_crt_check_issuer (MHD_gnutls_x509_crt_t cert,
- MHD_gnutls_x509_crt_t issuer);
- int MHD_gnutls_x509_crt_list_verify (const MHD_gnutls_x509_crt_t * cert_list, int cert_list_length, const MHD_gnutls_x509_crt_t * CA_list,
@@ -364,15 +309,6 @@ extern "C"
 unsigned int flags, unsigned int *verify);
- int MHD_gnutls_x509_crt_verify (MHD_gnutls_x509_crt_t cert,
- const MHD_gnutls_x509_crt_t * CA_list,
- int CA_list_length,
- unsigned int flags, unsigned int *verify);
- int MHD_gnutls_x509_crl_verify (MHD_gnutls_x509_crl_t crl,
- const MHD_gnutls_x509_crt_t * CA_list,
- int CA_list_length,
- unsigned int flags, unsigned int *verify);
- int MHD_gnutls_x509_crt_check_revocation (MHD_gnutls_x509_crt_t cert, const MHD_gnutls_x509_crl_t * crl_list, int crl_list_length);
@@ -555,20 +491,6 @@ int MHD_gnutls_x509_crt_check_revocation (MHD_gnutls_x509_crt_t cert,
 const MHD_gnutls_x509_crl_t * crl_list, int crl_list_length);
-int MHD__gnutls_x509_crl_get_raw_issuer_dn (MHD_gnutls_x509_crl_t crl,
- MHD_gnutls_datum_t * dn);
-int MHD_gnutls_x509_crl_get_crt_count (MHD_gnutls_x509_crl_t crl);
-int MHD_gnutls_x509_crl_get_crt_serial (MHD_gnutls_x509_crl_t crl,
- int indx,
- unsigned char *serial,
- size_t * serial_size, time_t * t);
-
-void MHD_gnutls_x509_crl_deinit (MHD_gnutls_x509_crl_t crl);
-int MHD_gnutls_x509_crl_init (MHD_gnutls_x509_crl_t * crl);
-int MHD_gnutls_x509_crl_import (MHD_gnutls_x509_crl_t crl,
- const MHD_gnutls_datum_t * data,
- MHD_gnutls_x509_crt_fmt_t format);
- int MHD_gnutls_x509_crt_init (MHD_gnutls_x509_crt_t * cert);
 void MHD_gnutls_x509_crt_deinit (MHD_gnutls_x509_crt_t cert);
 int MHD_gnutls_x509_crt_import (MHD_gnutls_x509_crt_t cert,
diff --git a/src/daemon/https/x509/x509_verify.c b/src/daemon/https/x509/x509_verify.c
@@ -46,7 +46,7 @@ static int MHD__gnutls_verify_certificate2 (MHD_gnutls_x509_crt_t cert,
 trusted_cas, int tcas_size, unsigned int flags, unsigned int *output);
-int MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * signed_data,
+static int MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * signed_data,
 const MHD_gnutls_datum_t * signature, MHD_gnutls_x509_crt_t issuer);
@@ -351,7 +351,7 @@ cleanup:MHD__gnutls_free_datum (&cert_signed_data);
 * A negative value is returned in case of an error.
 *
 **/
-int
+static int
 MHD_gnutls_x509_crt_check_issuer (MHD_gnutls_x509_crt_t cert,
 MHD_gnutls_x509_crt_t issuer)
 {
@@ -618,7 +618,7 @@ verify_sig (const MHD_gnutls_datum_t * tbs,
 * 'tbs' is the signed data
 * 'signature' is the signature!
 */
-int
+static int
 MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * tbs,
 const MHD_gnutls_datum_t * signature,
 MHD_gnutls_x509_crt_t issuer)
@@ -657,30 +657,6 @@ MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * tbs,
 return ret;
 }
-/* verifies if the certificate is properly signed.
- * returns 0 on failure and 1 on success.
- *
- * 'tbs' is the signed data
- * 'signature' is the signature!
- */
-int
-MHD__gnutls_x509_privkey_verify_signature (const MHD_gnutls_datum_t * tbs,
- const MHD_gnutls_datum_t *
- signature,
- MHD_gnutls_x509_privkey_t issuer)
-{
- int ret;
-
- ret = verify_sig (tbs, signature, issuer->pk_algorithm, issuer->params,
- issuer->params_size);
- if (ret < 0)
- {
- MHD_gnutls_assert ();
- }
-
- return ret;
-}
- /** - * MHD_gnutls_x509_crt_list_verify - This function verifies the given certificate list - * @cert_list: is the certificate list to be verified
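Review bot: `MHD_gnutls_x509_crt_check_issuer` becomes `static` in the `@@ -351` hunk but keeps its `/** ... **/` API-style doc block (the closing `**/` is context in the hunk) and its exported-looking `MHD_gnutls_` prefix, so the file still reads as though the function were part of the public surface. Since this same commit removes its prototype from x509.h, a short line in that doc comment would record the new status for the next reader, e.g. ` * Internal to x509_verify.c; no longer declared in x509.h.` The body of the function lies outside the hunk.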
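Review bot: The definition of `MHD__gnutls_x509_privkey_verify_signature` is deleted in the `@@ -657` hunk, yet its prototype survives as context in this commit's verify.h hunk (`int MHD__gnutls_x509_privkey_verify_signature (const MHD_gnutls_datum_t * tbs, ...`), so the header now declares a function no translation unit defines. A remaining caller would compile cleanly and only fail at link time, which is harder to attribute than the compile error the rest of this removal produces; the declaration should be dropped from verify.h in the same change, or this definition kept if a caller still exists (not determinable from this diff). The context after `-}` at the end of the hunk appears mangled in this rendering, so the trailing `MHD_gnutls_x509_crt_list_verify` comment could not be checked against the new file.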
@@ -737,37 +713,3 @@ MHD_gnutls_x509_crt_list_verify (const MHD_gnutls_x509_crt_t * cert_list,
 return 0;
 }
-/**
- * MHD_gnutls_x509_crt_verify - This function verifies the given certificate against a given trusted one
- * @cert: is the certificate to be verified
- * @CA_list: is one certificate that is considered to be trusted one
- * @CA_list_length: holds the number of CA certificate in CA_list
- * @flags: Flags that may be used to change the verification algorithm. Use OR of the MHD_gnutls_certificate_verify_flags enumerations.
- * @verify: will hold the certificate verification output.
- *
- * This function will try to verify the given certificate and return its status.
- * The verification output in this functions cannot be GNUTLS_CERT_NOT_VALID.
- *
- * Returns 0 on success and a negative value in case of an error.
- *
- **/
-int
-MHD_gnutls_x509_crt_verify (MHD_gnutls_x509_crt_t cert,
- const MHD_gnutls_x509_crt_t * CA_list,
- int CA_list_length,
- unsigned int flags, unsigned int *verify)
-{
- int ret;
- /* Verify certificate
- */
- ret = MHD__gnutls_verify_certificate2 (cert, CA_list, CA_list_length, flags,
- verify);
- if (ret < 0)
- {
- MHD_gnutls_assert ();
- return ret;
- }
-
- return 0;
-}
-