more dce

author: Christian Grothoff <christian@grothoff.org> 2008-11-16 04:33:30 +0000
committer: Christian Grothoff <christian@grothoff.org> 2008-11-16 04:33:30 +0000
commit: 3b9bb09488b3d5d03a9517c810539f5b9e985d96 (patch)
tree: daf27219d3a7bb26020541acf22942cadfd960f7
parent: e81f372ed145575566e03120bc759360b66b1ffe (diff)
download: libmicrohttpd-3b9bb09488b3d5d03a9517c810539f5b9e985d96.tar.gz
libmicrohttpd-3b9bb09488b3d5d03a9517c810539f5b9e985d96.zip
6 files changed, 3 insertions, 330 deletions
diff --git a/src/daemon/https/x509/Makefile.am b/src/daemon/https/x509/Makefile.am
index d1305b47..54982372 100644
--- a/src/daemon/https/x509/Makefile.am
+++ b/src/daemon/https/x509/Makefile.am
@@ -23,7 +23,6 @@ extensions.c extensions.h \
 mpi.c mpi.h \
 pkcs12.h \
 x509_privkey.c privkey.h \
-rfc2818_hostname.c rfc2818.h \
 x509_verify.c verify.h \
 x509.c x509.h
diff --git a/src/daemon/https/x509/rfc2818.h b/src/daemon/https/x509/rfc2818.h
deleted file mode 100644
index c38bd8a9..00000000
--- a/src/daemon/https/x509/rfc2818.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2003, 2004, 2005 Free Software Foundation
- *
- * Author: Nikos Mavrogiannopoulos
- *
- * This file is part of GNUTLS.
- *
- * The GNUTLS library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA
- *
- */
-int MHD__gnutls_hostname_compare (const char *certname, const char *hostname);
-#define MAX_CN 256
diff --git a/src/daemon/https/x509/rfc2818_hostname.c b/src/daemon/https/x509/rfc2818_hostname.c
deleted file mode 100644
index be49a778..00000000
--- a/src/daemon/https/x509/rfc2818_hostname.c
+++ /dev/null
@@ -1,161 +0,0 @@
-/*
- * Copyright (C) 2003, 2004, 2005, 2007 Free Software Foundation
- * Copyright (C) 2002 Andrew McDonald
- *
- * This file is part of GNUTLS.
- *
- * The GNUTLS library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA
- *
- */
-#include <gnutls_int.h>
-#include <x509.h>
-#include <dn.h>
-#include <common.h>
-#include <rfc2818.h>
-#include <gnutls_errors.h>
-/* compare hostname against certificate, taking account of wildcards
- * return 1 on success or 0 on error
- */
-int
-MHD__gnutls_hostname_compare (const char *certname, const char *hostname)
-{
-  const char *cmpstr1, *cmpstr2;
-  if (strlen (certname) == 0 || strlen (hostname) == 0)
-    return 0;
-  if (strlen (certname) > 2 && strncmp (certname, "*.", 2) == 0)
-    {
-      /* a wildcard certificate */
-      cmpstr1 = certname + 1;
-      /* find the first dot in hostname, compare from there on */
-      cmpstr2 = strchr (hostname, '.');
-      if (cmpstr2 == NULL)
-        {
-          /* error, the hostname we're connecting to is only a local part */
-          return 0;
-        }
-      if (strcasecmp (cmpstr1, cmpstr2) == 0)
-        {
-          return 1;
-        }
-      return 0;
-    }
-  if (strcasecmp (certname, hostname) == 0)
-    {
-      return 1;
-    }
-  return 0;
-}
-/**
-  * MHD_gnutls_x509_crt_check_hostname - This function compares the given hostname with the hostname in the certificate
-  * @cert: should contain an MHD_gnutls_x509_crt_t structure
-  * @hostname: A null terminated string that contains a DNS name
-  *
-  * This function will check if the given certificate's subject
-  * matches the given hostname.  This is a basic implementation of the
-  * matching described in RFC2818 (HTTPS), which takes into account
-  * wildcards, and the DNSName/IPAddress subject alternative name PKIX
-  * extension.
-  *
-  * Returns non zero for a successful match, and zero on failure.
-  **/
-int
-MHD_gnutls_x509_crt_check_hostname (MHD_gnutls_x509_crt_t cert,
-                                    const char *hostname)
-{
-  char dnsname[MAX_CN];
-  size_t dnsnamesize;
-  int found_dnsname = 0;
-  int ret = 0;
-  int i = 0;
-  /* try matching against:
-   *  1) a DNS name as an alternative name (subjectAltName) extension
-   *     in the certificate
-   *  2) the common name (CN) in the certificate
-   *
-   *  either of these may be of the form: *.domain.tld
-   *
-   *  only try (2) if there is no subjectAltName extension of
-   *  type dNSName
-   */
-  /* Check through all included subjectAltName extensions, comparing
-   * against all those of type dNSName.
-   */
-  for (i = 0; !(ret < 0); i++)
-    {
-      dnsnamesize = sizeof (dnsname);
-      ret = MHD_gnutls_x509_crt_get_subject_alt_name (cert, i,
-                                                      dnsname, &dnsnamesize,
-                                                      NULL);
-      if (ret == GNUTLS_SAN_DNSNAME)
-        {
-          found_dnsname = 1;
-          if (MHD__gnutls_hostname_compare (dnsname, hostname))
-            {
-              return 1;
-            }
-        }
-      else if (ret == GNUTLS_SAN_IPADDRESS)
-        {
-          found_dnsname = 1;    /* RFC 2818 is unclear whether the CN
-                                   should be compared for IP addresses
-                                   too, but we won't do it.  */
-          if (MHD__gnutls_hostname_compare (dnsname, hostname))
-            {
-              return 1;
-            }
-        }
-    }
-  if (!found_dnsname)
-    {
-      /* not got the necessary extension, use CN instead
-       */
-      dnsnamesize = sizeof (dnsname);
-      if (MHD_gnutls_x509_crt_get_dn_by_oid (cert, OID_X520_COMMON_NAME, 0,
-                                             0, dnsname, &dnsnamesize) < 0)
-        {
-          /* got an error, can't find a name
-           */
-          return 0;
-        }
-      if (MHD__gnutls_hostname_compare (dnsname, hostname))
-        {
-          return 1;
-        }
-    }
-  /* not found a matching name
-   */
-  return 0;
-}
diff --git a/src/daemon/https/x509/verify.h b/src/daemon/https/x509/verify.h
index bd9978e3..8949d0b6 100644
--- a/src/daemon/https/x509/verify.h
+++ b/src/daemon/https/x509/verify.h
@@ -26,9 +26,6 @@
 int MHD_gnutls_x509_crt_is_issuer (MHD_gnutls_x509_crt_t cert,
                                   MHD_gnutls_x509_crt_t issuer);
-int MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * tbs,
-                                       const MHD_gnutls_datum_t * signature,
-                                       MHD_gnutls_x509_crt_t issuer);
 int MHD__gnutls_x509_privkey_verify_signature (const MHD_gnutls_datum_t * tbs,
                                               const MHD_gnutls_datum_t *
                                               signature,
diff --git a/src/daemon/https/x509/x509.h b/src/daemon/https/x509/x509.h
index 624c7cb6..f48a7d69 100644
--- a/src/daemon/https/x509/x509.h
+++ b/src/daemon/https/x509/x509.h
@@ -97,9 +97,6 @@ extern "C"
                                  MHD_gnutls_x509_crt_fmt_t format,
                                  void *output_data,
                                  size_t * output_data_size);
-  int MHD_gnutls_x509_crt_check_hostname (MHD_gnutls_x509_crt_t cert,
-                                          const char *hostname);
  int MHD_gnutls_x509_crt_get_signature_algorithm (MHD_gnutls_x509_crt_t
                                                   cert);
  int MHD_gnutls_x509_crt_get_signature (MHD_gnutls_x509_crt_t cert,
@@ -214,10 +211,6 @@ extern "C"
  int MHD_gnutls_x509_crt_print (MHD_gnutls_x509_crt_t cert,
                                 MHD_gnutls_certificate_print_formats_t
                                 format, MHD_gnutls_datum_t * out);
-  int MHD_gnutls_x509_crl_print (MHD_gnutls_x509_crl_t crl,
-                                 MHD_gnutls_certificate_print_formats_t
-                                 format, MHD_gnutls_datum_t * out);
 /* Access to internal Certificate fields.
 */
  int MHD_gnutls_x509_crt_get_raw_issuer_dn (MHD_gnutls_x509_crt_t cert,
@@ -236,51 +229,6 @@ extern "C"
  int MHD_gnutls_x509_crt_get_subject (MHD_gnutls_x509_crt_t cert,
                                       MHD_gnutls_x509_dn_t * dn);
-/* CRL handling functions.
- */
-  int MHD_gnutls_x509_crl_init (MHD_gnutls_x509_crl_t * crl);
-  void MHD_gnutls_x509_crl_deinit (MHD_gnutls_x509_crl_t crl);
-  int MHD_gnutls_x509_crl_get_signature_algorithm (MHD_gnutls_x509_crl_t crl);
-  int MHD_gnutls_x509_crl_get_signature (MHD_gnutls_x509_crl_t crl,
-                                         char *sig, size_t * sizeof_sig);
-  int MHD_gnutls_x509_crl_get_crt_count (MHD_gnutls_x509_crl_t crl);
-  int MHD_gnutls_x509_crl_get_crt_serial (MHD_gnutls_x509_crl_t crl,
-                                          int indx,
-                                          unsigned char *serial,
-                                          size_t * serial_size, time_t * t);
-#define MHD_gnutls_x509_crl_get_certificate_count MHD_gnutls_x509_crl_get_crt_count
-#define MHD_gnutls_x509_crl_get_certificate MHD_gnutls_x509_crl_get_crt_serial
-  int MHD_gnutls_x509_crl_check_issuer (MHD_gnutls_x509_crl_t crl,
-                                        MHD_gnutls_x509_crt_t issuer);
-/* CRL writing.
- */
-  int MHD_gnutls_x509_crl_set_version (MHD_gnutls_x509_crl_t crl,
-                                       unsigned int version);
-  int MHD_gnutls_x509_crl_sign (MHD_gnutls_x509_crl_t crl,
-                                MHD_gnutls_x509_crt_t issuer,
-                                MHD_gnutls_x509_privkey_t issuer_key);
-  int MHD_gnutls_x509_crl_sign2 (MHD_gnutls_x509_crl_t crl,
-                                 MHD_gnutls_x509_crt_t issuer,
-                                 MHD_gnutls_x509_privkey_t issuer_key,
-                                 enum MHD_GNUTLS_HashAlgorithm,
-                                 unsigned int flags);
-  int MHD_gnutls_x509_crl_set_this_update (MHD_gnutls_x509_crl_t crl,
-                                           time_t act_time);
-  int MHD_gnutls_x509_crl_set_next_update (MHD_gnutls_x509_crl_t crl,
-                                           time_t exp_time);
-  int MHD_gnutls_x509_crl_set_crt_serial (MHD_gnutls_x509_crl_t crl,
-                                          const void *serial,
-                                          size_t serial_size,
-                                          time_t revocation_time);
-  int MHD_gnutls_x509_crl_set_crt (MHD_gnutls_x509_crl_t crl,
-                                   MHD_gnutls_x509_crt_t crt,
-                                   time_t revocation_time);
-/* PKCS7 structures handling
- */
  struct MHD_gnutls_pkcs7_int;
  typedef struct MHD_gnutls_pkcs7_int *MHD_gnutls_pkcs7_t;
@@ -352,9 +300,6 @@ extern "C"
    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
  } MHD_gnutls_certificate_verify_flags;
-  int MHD_gnutls_x509_crt_check_issuer (MHD_gnutls_x509_crt_t cert,
-                                        MHD_gnutls_x509_crt_t issuer);
  int MHD_gnutls_x509_crt_list_verify (const MHD_gnutls_x509_crt_t *
                                       cert_list, int cert_list_length,
                                       const MHD_gnutls_x509_crt_t * CA_list,
@@ -364,15 +309,6 @@ extern "C"
                                       unsigned int flags,
                                       unsigned int *verify);
-  int MHD_gnutls_x509_crt_verify (MHD_gnutls_x509_crt_t cert,
-                                  const MHD_gnutls_x509_crt_t * CA_list,
-                                  int CA_list_length,
-                                  unsigned int flags, unsigned int *verify);
-  int MHD_gnutls_x509_crl_verify (MHD_gnutls_x509_crl_t crl,
-                                  const MHD_gnutls_x509_crt_t * CA_list,
-                                  int CA_list_length,
-                                  unsigned int flags, unsigned int *verify);
  int MHD_gnutls_x509_crt_check_revocation (MHD_gnutls_x509_crt_t cert,
                                            const MHD_gnutls_x509_crl_t *
                                            crl_list, int crl_list_length);
@@ -555,20 +491,6 @@ int MHD_gnutls_x509_crt_check_revocation (MHD_gnutls_x509_crt_t cert,
                                          const MHD_gnutls_x509_crl_t *
                                          crl_list, int crl_list_length);
-int MHD__gnutls_x509_crl_get_raw_issuer_dn (MHD_gnutls_x509_crl_t crl,
-                                            MHD_gnutls_datum_t * dn);
-int MHD_gnutls_x509_crl_get_crt_count (MHD_gnutls_x509_crl_t crl);
-int MHD_gnutls_x509_crl_get_crt_serial (MHD_gnutls_x509_crl_t crl,
-                                        int indx,
-                                        unsigned char *serial,
-                                        size_t * serial_size, time_t * t);
-void MHD_gnutls_x509_crl_deinit (MHD_gnutls_x509_crl_t crl);
-int MHD_gnutls_x509_crl_init (MHD_gnutls_x509_crl_t * crl);
-int MHD_gnutls_x509_crl_import (MHD_gnutls_x509_crl_t crl,
-                                const MHD_gnutls_datum_t * data,
-                                MHD_gnutls_x509_crt_fmt_t format);
 int MHD_gnutls_x509_crt_init (MHD_gnutls_x509_crt_t * cert);
 void MHD_gnutls_x509_crt_deinit (MHD_gnutls_x509_crt_t cert);
 int MHD_gnutls_x509_crt_import (MHD_gnutls_x509_crt_t cert,
diff --git a/src/daemon/https/x509/x509_verify.c b/src/daemon/https/x509/x509_verify.c
index 3dc4c9f7..a3eea5e7 100644
--- a/src/daemon/https/x509/x509_verify.c
+++ b/src/daemon/https/x509/x509_verify.c
@@ -46,7 +46,7 @@ static int MHD__gnutls_verify_certificate2 (MHD_gnutls_x509_crt_t cert,
                                            trusted_cas, int tcas_size,
                                            unsigned int flags,
                                            unsigned int *output);
-int MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * signed_data,
+static int MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * signed_data,
                                       const MHD_gnutls_datum_t * signature,
                                       MHD_gnutls_x509_crt_t issuer);
@@ -351,7 +351,7 @@ cleanup:MHD__gnutls_free_datum (&cert_signed_data);
 * A negative value is returned in case of an error.
 *
 **/
-int
+static int
 MHD_gnutls_x509_crt_check_issuer (MHD_gnutls_x509_crt_t cert,
                                  MHD_gnutls_x509_crt_t issuer)
 {
@@ -618,7 +618,7 @@ verify_sig (const MHD_gnutls_datum_t * tbs,
 * 'tbs' is the signed data
 * 'signature' is the signature!
 */
-int
+static int
 MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * tbs,
                                   const MHD_gnutls_datum_t * signature,
                                   MHD_gnutls_x509_crt_t issuer)
@@ -657,30 +657,6 @@ MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * tbs,
  return ret;
 }
-/* verifies if the certificate is properly signed.
- * returns 0 on failure and 1 on success.
- *
- * 'tbs' is the signed data
- * 'signature' is the signature!
- */
-int
-MHD__gnutls_x509_privkey_verify_signature (const MHD_gnutls_datum_t * tbs,
-                                           const MHD_gnutls_datum_t *
-                                           signature,
-                                           MHD_gnutls_x509_privkey_t issuer)
-{
-  int ret;
-  ret = verify_sig (tbs, signature, issuer->pk_algorithm, issuer->params,
-                    issuer->params_size);
-  if (ret < 0)
-    {
-      MHD_gnutls_assert ();
-    }
-  return ret;
-}
 /**
 * MHD_gnutls_x509_crt_list_verify - This function verifies the given certificate list
 * @cert_list: is the certificate list to be verified
@@ -737,37 +713,3 @@ MHD_gnutls_x509_crt_list_verify (const MHD_gnutls_x509_crt_t * cert_list,
  return 0;
 }
-/**
- * MHD_gnutls_x509_crt_verify - This function verifies the given certificate against a given trusted one
- * @cert: is the certificate to be verified
- * @CA_list: is one certificate that is considered to be trusted one
- * @CA_list_length: holds the number of CA certificate in CA_list
- * @flags: Flags that may be used to change the verification algorithm. Use OR of the MHD_gnutls_certificate_verify_flags enumerations.
- * @verify: will hold the certificate verification output.
- *
- * This function will try to verify the given certificate and return its status.
- * The verification output in this functions cannot be GNUTLS_CERT_NOT_VALID.
- *
- * Returns 0 on success and a negative value in case of an error.
- *
- **/
-int
-MHD_gnutls_x509_crt_verify (MHD_gnutls_x509_crt_t cert,
-                            const MHD_gnutls_x509_crt_t * CA_list,
-                            int CA_list_length,
-                            unsigned int flags, unsigned int *verify)
-{
-  int ret;
-  /* Verify certificate
-   */
-  ret = MHD__gnutls_verify_certificate2 (cert, CA_list, CA_list_length, flags,
-                                         verify);
-  if (ret < 0)
-    {
-      MHD_gnutls_assert ();
-      return ret;
-    }
-  return 0;
-}
author	Christian Grothoff <christian@grothoff.org>	2008-11-16 04:33:30 +0000
committer	Christian Grothoff <christian@grothoff.org>	2008-11-16 04:33:30 +0000
commit	3b9bb09488b3d5d03a9517c810539f5b9e985d96 (patch)
tree	daf27219d3a7bb26020541acf22942cadfd960f7
parent	e81f372ed145575566e03120bc759360b66b1ffe (diff)
download	libmicrohttpd-3b9bb09488b3d5d03a9517c810539f5b9e985d96.tar.gz libmicrohttpd-3b9bb09488b3d5d03a9517c810539f5b9e985d96.zip

diff --git a/src/daemon/https/x509/Makefile.am b/src/daemon/https/x509/Makefile.am index d1305b47..54982372 100644 --- a/src/daemon/https/x509/Makefile.am +++ b/src/daemon/https/x509/Makefile.am
@@ -23,7 +23,6 @@ extensions.c extensions.h \
23	mpi.c mpi.h \	23	mpi.c mpi.h \
24	pkcs12.h \	24	pkcs12.h \
25	x509_privkey.c privkey.h \	25	x509_privkey.c privkey.h \
26	rfc2818_hostname.c rfc2818.h \
27	x509_verify.c verify.h \	26	x509_verify.c verify.h \
28	x509.c x509.h	27	x509.c x509.h
29		28


diff --git a/src/daemon/https/x509/rfc2818.h b/src/daemon/https/x509/rfc2818.h deleted file mode 100644 index c38bd8a9..00000000 --- a/src/daemon/https/x509/rfc2818.h +++ /dev/null
@@ -1,26 +0,0 @@
1	/*
2	* Copyright (C) 2003, 2004, 2005 Free Software Foundation
3	*
4	* Author: Nikos Mavrogiannopoulos
5	*
6	* This file is part of GNUTLS.
7	*
8	* The GNUTLS library is free software; you can redistribute it and/or
9	* modify it under the terms of the GNU Lesser General Public License
10	* as published by the Free Software Foundation; either version 2.1 of
11	* the License, or (at your option) any later version.
12	*
13	* This library is distributed in the hope that it will be useful, but
14	* WITHOUT ANY WARRANTY; without even the implied warranty of
15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16	* Lesser General Public License for more details.
17	*
18	* You should have received a copy of the GNU Lesser General Public
19	* License along with this library; if not, write to the Free Software
20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21	* USA
22	*
23	*/
24
25	int MHD__gnutls_hostname_compare (const char certname, const char hostname);
26	#define MAX_CN 256


diff --git a/src/daemon/https/x509/rfc2818_hostname.c b/src/daemon/https/x509/rfc2818_hostname.c deleted file mode 100644 index be49a778..00000000 --- a/src/daemon/https/x509/rfc2818_hostname.c +++ /dev/null
@@ -1,161 +0,0 @@
1	/*
2	* Copyright (C) 2003, 2004, 2005, 2007 Free Software Foundation
3	* Copyright (C) 2002 Andrew McDonald
4	*
5	* This file is part of GNUTLS.
6	*
7	* The GNUTLS library is free software; you can redistribute it and/or
8	* modify it under the terms of the GNU Lesser General Public License
9	* as published by the Free Software Foundation; either version 2.1 of
10	* the License, or (at your option) any later version.
11	*
12	* This library is distributed in the hope that it will be useful, but
13	* WITHOUT ANY WARRANTY; without even the implied warranty of
14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15	* Lesser General Public License for more details.
16	*
17	* You should have received a copy of the GNU Lesser General Public
18	* License along with this library; if not, write to the Free Software
19	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
20	* USA
21	*
22	*/
23
24	#include <gnutls_int.h>
25	#include <x509.h>
26	#include <dn.h>
27	#include <common.h>
28	#include <rfc2818.h>
29	#include <gnutls_errors.h>
30
31	/* compare hostname against certificate, taking account of wildcards
32	* return 1 on success or 0 on error
33	*/
34	int
35	MHD__gnutls_hostname_compare (const char certname, const char hostname)
36	{
37	const char cmpstr1, cmpstr2;
38
39	if (strlen (certname) == 0 \|\| strlen (hostname) == 0)
40	return 0;
41
42	if (strlen (certname) > 2 && strncmp (certname, "*.", 2) == 0)
43	{
44	/* a wildcard certificate */
45
46	cmpstr1 = certname + 1;
47
48	/* find the first dot in hostname, compare from there on */
49	cmpstr2 = strchr (hostname, '.');
50
51	if (cmpstr2 == NULL)
52	{
53	/* error, the hostname we're connecting to is only a local part */
54	return 0;
55	}
56
57	if (strcasecmp (cmpstr1, cmpstr2) == 0)
58	{
59	return 1;
60	}
61
62	return 0;
63	}
64
65	if (strcasecmp (certname, hostname) == 0)
66	{
67	return 1;
68	}
69
70	return 0;
71	}
72
73	/**
74	* MHD_gnutls_x509_crt_check_hostname - This function compares the given hostname with the hostname in the certificate
75	* @cert: should contain an MHD_gnutls_x509_crt_t structure
76	* @hostname: A null terminated string that contains a DNS name
77	*
78	* This function will check if the given certificate's subject
79	* matches the given hostname. This is a basic implementation of the
80	* matching described in RFC2818 (HTTPS), which takes into account
81	* wildcards, and the DNSName/IPAddress subject alternative name PKIX
82	* extension.
83	*
84	* Returns non zero for a successful match, and zero on failure.
85	**/
86	int
87	MHD_gnutls_x509_crt_check_hostname (MHD_gnutls_x509_crt_t cert,
88	const char *hostname)
89	{
90
91	char dnsname[MAX_CN];
92	size_t dnsnamesize;
93	int found_dnsname = 0;
94	int ret = 0;
95	int i = 0;
96
97	/* try matching against:
98	* 1) a DNS name as an alternative name (subjectAltName) extension
99	* in the certificate
100	* 2) the common name (CN) in the certificate
101	*
102	* either of these may be of the form: *.domain.tld
103	*
104	* only try (2) if there is no subjectAltName extension of
105	* type dNSName
106	*/
107
108	/* Check through all included subjectAltName extensions, comparing
109	* against all those of type dNSName.
110	*/
111	for (i = 0; !(ret < 0); i++)
112	{
113
114	dnsnamesize = sizeof (dnsname);
115	ret = MHD_gnutls_x509_crt_get_subject_alt_name (cert, i,
116	dnsname, &dnsnamesize,
117	NULL);
118
119	if (ret == GNUTLS_SAN_DNSNAME)
120	{
121	found_dnsname = 1;
122	if (MHD__gnutls_hostname_compare (dnsname, hostname))
123	{
124	return 1;
125	}
126	}
127	else if (ret == GNUTLS_SAN_IPADDRESS)
128	{
129	found_dnsname = 1; /* RFC 2818 is unclear whether the CN
130	should be compared for IP addresses
131	too, but we won't do it. */
132	if (MHD__gnutls_hostname_compare (dnsname, hostname))
133	{
134	return 1;
135	}
136	}
137	}
138
139	if (!found_dnsname)
140	{
141	/* not got the necessary extension, use CN instead
142	*/
143	dnsnamesize = sizeof (dnsname);
144	if (MHD_gnutls_x509_crt_get_dn_by_oid (cert, OID_X520_COMMON_NAME, 0,
145	0, dnsname, &dnsnamesize) < 0)
146	{
147	/* got an error, can't find a name
148	*/
149	return 0;
150	}
151
152	if (MHD__gnutls_hostname_compare (dnsname, hostname))
153	{
154	return 1;
155	}
156	}
157
158	/* not found a matching name
159	*/
160	return 0;
161	}


diff --git a/src/daemon/https/x509/verify.h b/src/daemon/https/x509/verify.h index bd9978e3..8949d0b6 100644 --- a/src/daemon/https/x509/verify.h +++ b/src/daemon/https/x509/verify.h
@@ -26,9 +26,6 @@
26		26
27	int MHD_gnutls_x509_crt_is_issuer (MHD_gnutls_x509_crt_t cert,	27	int MHD_gnutls_x509_crt_is_issuer (MHD_gnutls_x509_crt_t cert,
28	MHD_gnutls_x509_crt_t issuer);	28	MHD_gnutls_x509_crt_t issuer);
29	int MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * tbs,
30	const MHD_gnutls_datum_t * signature,
31	MHD_gnutls_x509_crt_t issuer);
32	int MHD__gnutls_x509_privkey_verify_signature (const MHD_gnutls_datum_t * tbs,	29	int MHD__gnutls_x509_privkey_verify_signature (const MHD_gnutls_datum_t * tbs,
33	const MHD_gnutls_datum_t *	30	const MHD_gnutls_datum_t *
34	signature,	31	signature,


diff --git a/src/daemon/https/x509/x509.h b/src/daemon/https/x509/x509.h index 624c7cb6..f48a7d69 100644 --- a/src/daemon/https/x509/x509.h +++ b/src/daemon/https/x509/x509.h
@@ -97,9 +97,6 @@ extern "C"
97	MHD_gnutls_x509_crt_fmt_t format,	97	MHD_gnutls_x509_crt_fmt_t format,
98	void *output_data,	98	void *output_data,
99	size_t * output_data_size);	99	size_t * output_data_size);
100	int MHD_gnutls_x509_crt_check_hostname (MHD_gnutls_x509_crt_t cert,
101	const char *hostname);
102
103	int MHD_gnutls_x509_crt_get_signature_algorithm (MHD_gnutls_x509_crt_t	100	int MHD_gnutls_x509_crt_get_signature_algorithm (MHD_gnutls_x509_crt_t
104	cert);	101	cert);
105	int MHD_gnutls_x509_crt_get_signature (MHD_gnutls_x509_crt_t cert,	102	int MHD_gnutls_x509_crt_get_signature (MHD_gnutls_x509_crt_t cert,
@@ -214,10 +211,6 @@ extern "C"
214	int MHD_gnutls_x509_crt_print (MHD_gnutls_x509_crt_t cert,	211	int MHD_gnutls_x509_crt_print (MHD_gnutls_x509_crt_t cert,
215	MHD_gnutls_certificate_print_formats_t	212	MHD_gnutls_certificate_print_formats_t
216	format, MHD_gnutls_datum_t * out);	213	format, MHD_gnutls_datum_t * out);
217	int MHD_gnutls_x509_crl_print (MHD_gnutls_x509_crl_t crl,
218	MHD_gnutls_certificate_print_formats_t
219	format, MHD_gnutls_datum_t * out);
220
221	/* Access to internal Certificate fields.	214	/* Access to internal Certificate fields.
222	*/	215	*/
223	int MHD_gnutls_x509_crt_get_raw_issuer_dn (MHD_gnutls_x509_crt_t cert,	216	int MHD_gnutls_x509_crt_get_raw_issuer_dn (MHD_gnutls_x509_crt_t cert,
@@ -236,51 +229,6 @@ extern "C"
236		229
237	int MHD_gnutls_x509_crt_get_subject (MHD_gnutls_x509_crt_t cert,	230	int MHD_gnutls_x509_crt_get_subject (MHD_gnutls_x509_crt_t cert,
238	MHD_gnutls_x509_dn_t * dn);	231	MHD_gnutls_x509_dn_t * dn);
239	/* CRL handling functions.
240	*/
241	int MHD_gnutls_x509_crl_init (MHD_gnutls_x509_crl_t * crl);
242	void MHD_gnutls_x509_crl_deinit (MHD_gnutls_x509_crl_t crl);
243
244	int MHD_gnutls_x509_crl_get_signature_algorithm (MHD_gnutls_x509_crl_t crl);
245	int MHD_gnutls_x509_crl_get_signature (MHD_gnutls_x509_crl_t crl,
246	char sig, size_t sizeof_sig);
247	int MHD_gnutls_x509_crl_get_crt_count (MHD_gnutls_x509_crl_t crl);
248	int MHD_gnutls_x509_crl_get_crt_serial (MHD_gnutls_x509_crl_t crl,
249	int indx,
250	unsigned char *serial,
251	size_t * serial_size, time_t * t);
252	#define MHD_gnutls_x509_crl_get_certificate_count MHD_gnutls_x509_crl_get_crt_count
253	#define MHD_gnutls_x509_crl_get_certificate MHD_gnutls_x509_crl_get_crt_serial
254
255	int MHD_gnutls_x509_crl_check_issuer (MHD_gnutls_x509_crl_t crl,
256	MHD_gnutls_x509_crt_t issuer);
257
258	/* CRL writing.
259	*/
260	int MHD_gnutls_x509_crl_set_version (MHD_gnutls_x509_crl_t crl,
261	unsigned int version);
262	int MHD_gnutls_x509_crl_sign (MHD_gnutls_x509_crl_t crl,
263	MHD_gnutls_x509_crt_t issuer,
264	MHD_gnutls_x509_privkey_t issuer_key);
265	int MHD_gnutls_x509_crl_sign2 (MHD_gnutls_x509_crl_t crl,
266	MHD_gnutls_x509_crt_t issuer,
267	MHD_gnutls_x509_privkey_t issuer_key,
268	enum MHD_GNUTLS_HashAlgorithm,
269	unsigned int flags);
270	int MHD_gnutls_x509_crl_set_this_update (MHD_gnutls_x509_crl_t crl,
271	time_t act_time);
272	int MHD_gnutls_x509_crl_set_next_update (MHD_gnutls_x509_crl_t crl,
273	time_t exp_time);
274	int MHD_gnutls_x509_crl_set_crt_serial (MHD_gnutls_x509_crl_t crl,
275	const void *serial,
276	size_t serial_size,
277	time_t revocation_time);
278	int MHD_gnutls_x509_crl_set_crt (MHD_gnutls_x509_crl_t crl,
279	MHD_gnutls_x509_crt_t crt,
280	time_t revocation_time);
281
282	/* PKCS7 structures handling
283	*/
284	struct MHD_gnutls_pkcs7_int;	232	struct MHD_gnutls_pkcs7_int;
285	typedef struct MHD_gnutls_pkcs7_int *MHD_gnutls_pkcs7_t;	233	typedef struct MHD_gnutls_pkcs7_int *MHD_gnutls_pkcs7_t;
286		234
@@ -352,9 +300,6 @@ extern "C"
352	GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32	300	GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
353	} MHD_gnutls_certificate_verify_flags;	301	} MHD_gnutls_certificate_verify_flags;
354		302
355	int MHD_gnutls_x509_crt_check_issuer (MHD_gnutls_x509_crt_t cert,
356	MHD_gnutls_x509_crt_t issuer);
357
358	int MHD_gnutls_x509_crt_list_verify (const MHD_gnutls_x509_crt_t *	303	int MHD_gnutls_x509_crt_list_verify (const MHD_gnutls_x509_crt_t *
359	cert_list, int cert_list_length,	304	cert_list, int cert_list_length,
360	const MHD_gnutls_x509_crt_t * CA_list,	305	const MHD_gnutls_x509_crt_t * CA_list,
@@ -364,15 +309,6 @@ extern "C"
364	unsigned int flags,	309	unsigned int flags,
365	unsigned int *verify);	310	unsigned int *verify);
366		311
367	int MHD_gnutls_x509_crt_verify (MHD_gnutls_x509_crt_t cert,
368	const MHD_gnutls_x509_crt_t * CA_list,
369	int CA_list_length,
370	unsigned int flags, unsigned int *verify);
371	int MHD_gnutls_x509_crl_verify (MHD_gnutls_x509_crl_t crl,
372	const MHD_gnutls_x509_crt_t * CA_list,
373	int CA_list_length,
374	unsigned int flags, unsigned int *verify);
375
376	int MHD_gnutls_x509_crt_check_revocation (MHD_gnutls_x509_crt_t cert,	312	int MHD_gnutls_x509_crt_check_revocation (MHD_gnutls_x509_crt_t cert,
377	const MHD_gnutls_x509_crl_t *	313	const MHD_gnutls_x509_crl_t *
378	crl_list, int crl_list_length);	314	crl_list, int crl_list_length);
@@ -555,20 +491,6 @@ int MHD_gnutls_x509_crt_check_revocation (MHD_gnutls_x509_crt_t cert,
555	const MHD_gnutls_x509_crl_t *	491	const MHD_gnutls_x509_crl_t *
556	crl_list, int crl_list_length);	492	crl_list, int crl_list_length);
557		493
558	int MHD__gnutls_x509_crl_get_raw_issuer_dn (MHD_gnutls_x509_crl_t crl,
559	MHD_gnutls_datum_t * dn);
560	int MHD_gnutls_x509_crl_get_crt_count (MHD_gnutls_x509_crl_t crl);
561	int MHD_gnutls_x509_crl_get_crt_serial (MHD_gnutls_x509_crl_t crl,
562	int indx,
563	unsigned char *serial,
564	size_t * serial_size, time_t * t);
565
566	void MHD_gnutls_x509_crl_deinit (MHD_gnutls_x509_crl_t crl);
567	int MHD_gnutls_x509_crl_init (MHD_gnutls_x509_crl_t * crl);
568	int MHD_gnutls_x509_crl_import (MHD_gnutls_x509_crl_t crl,
569	const MHD_gnutls_datum_t * data,
570	MHD_gnutls_x509_crt_fmt_t format);
571
572	int MHD_gnutls_x509_crt_init (MHD_gnutls_x509_crt_t * cert);	494	int MHD_gnutls_x509_crt_init (MHD_gnutls_x509_crt_t * cert);
573	void MHD_gnutls_x509_crt_deinit (MHD_gnutls_x509_crt_t cert);	495	void MHD_gnutls_x509_crt_deinit (MHD_gnutls_x509_crt_t cert);
574	int MHD_gnutls_x509_crt_import (MHD_gnutls_x509_crt_t cert,	496	int MHD_gnutls_x509_crt_import (MHD_gnutls_x509_crt_t cert,


diff --git a/src/daemon/https/x509/x509_verify.c b/src/daemon/https/x509/x509_verify.c index 3dc4c9f7..a3eea5e7 100644 --- a/src/daemon/https/x509/x509_verify.c +++ b/src/daemon/https/x509/x509_verify.c
@@ -46,7 +46,7 @@ static int MHD__gnutls_verify_certificate2 (MHD_gnutls_x509_crt_t cert,
46	trusted_cas, int tcas_size,	46	trusted_cas, int tcas_size,
47	unsigned int flags,	47	unsigned int flags,
48	unsigned int *output);	48	unsigned int *output);
49	int MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * signed_data,	49	static int MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * signed_data,
50	const MHD_gnutls_datum_t * signature,	50	const MHD_gnutls_datum_t * signature,
51	MHD_gnutls_x509_crt_t issuer);	51	MHD_gnutls_x509_crt_t issuer);
52		52
@@ -351,7 +351,7 @@ cleanup:MHD__gnutls_free_datum (&cert_signed_data);
351	* A negative value is returned in case of an error.	351	* A negative value is returned in case of an error.
352	*	352	*
353	**/	353	**/
354	int	354	static int
355	MHD_gnutls_x509_crt_check_issuer (MHD_gnutls_x509_crt_t cert,	355	MHD_gnutls_x509_crt_check_issuer (MHD_gnutls_x509_crt_t cert,
356	MHD_gnutls_x509_crt_t issuer)	356	MHD_gnutls_x509_crt_t issuer)
357	{	357	{
@@ -618,7 +618,7 @@ verify_sig (const MHD_gnutls_datum_t * tbs,
618	* 'tbs' is the signed data	618	* 'tbs' is the signed data
619	* 'signature' is the signature!	619	* 'signature' is the signature!
620	*/	620	*/
621	int	621	static int
622	MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * tbs,	622	MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * tbs,
623	const MHD_gnutls_datum_t * signature,	623	const MHD_gnutls_datum_t * signature,
624	MHD_gnutls_x509_crt_t issuer)	624	MHD_gnutls_x509_crt_t issuer)
@@ -657,30 +657,6 @@ MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * tbs,
657	return ret;	657	return ret;
658	}	658	}
659		659
660	/* verifies if the certificate is properly signed.
661	* returns 0 on failure and 1 on success.
662	*
663	* 'tbs' is the signed data
664	* 'signature' is the signature!
665	*/
666	int
667	MHD__gnutls_x509_privkey_verify_signature (const MHD_gnutls_datum_t * tbs,
668	const MHD_gnutls_datum_t *
669	signature,
670	MHD_gnutls_x509_privkey_t issuer)
671	{
672	int ret;
673
674	ret = verify_sig (tbs, signature, issuer->pk_algorithm, issuer->params,
675	issuer->params_size);
676	if (ret < 0)
677	{
678	MHD_gnutls_assert ();
679	}
680
681	return ret;
682	}
683
684	/**	660	/**
685	* MHD_gnutls_x509_crt_list_verify - This function verifies the given certificate list	661	* MHD_gnutls_x509_crt_list_verify - This function verifies the given certificate list
686	* @cert_list: is the certificate list to be verified	662	* @cert_list: is the certificate list to be verified
@@ -737,37 +713,3 @@ MHD_gnutls_x509_crt_list_verify (const MHD_gnutls_x509_crt_t * cert_list,
737	return 0;	713	return 0;
738	}	714	}
739		715
740	/**
741	* MHD_gnutls_x509_crt_verify - This function verifies the given certificate against a given trusted one
742	* @cert: is the certificate to be verified
743	* @CA_list: is one certificate that is considered to be trusted one
744	* @CA_list_length: holds the number of CA certificate in CA_list
745	* @flags: Flags that may be used to change the verification algorithm. Use OR of the MHD_gnutls_certificate_verify_flags enumerations.
746	* @verify: will hold the certificate verification output.
747	*
748	* This function will try to verify the given certificate and return its status.
749	* The verification output in this functions cannot be GNUTLS_CERT_NOT_VALID.
750	*
751	* Returns 0 on success and a negative value in case of an error.
752	*
753	**/
754	int
755	MHD_gnutls_x509_crt_verify (MHD_gnutls_x509_crt_t cert,
756	const MHD_gnutls_x509_crt_t * CA_list,
757	int CA_list_length,
758	unsigned int flags, unsigned int *verify)
759	{
760	int ret;
761	/* Verify certificate
762	*/
763	ret = MHD__gnutls_verify_certificate2 (cert, CA_list, CA_list_length, flags,
764	verify);
765	if (ret < 0)
766	{
767	MHD_gnutls_assert ();
768	return ret;
769	}
770
771	return 0;
772	}
773