aboutsummaryrefslogtreecommitdiff
path: root/src/daemon
diff options
context:
space:
mode:
authorChristian Grothoff <christian@grothoff.org>2010-07-24 15:24:50 +0000
committerChristian Grothoff <christian@grothoff.org>2010-07-24 15:24:50 +0000
commit58d06b22557a9d06dfeff5975c8241def4f88680 (patch)
treea524c1984b580911d614ee84cc35872beaa34c7e /src/daemon
parent29529aefd1a38449647a3cea724635e87d01d3ea (diff)
downloadlibmicrohttpd-58d06b22557a9d06dfeff5975c8241def4f88680.tar.gz
libmicrohttpd-58d06b22557a9d06dfeff5975c8241def4f88680.zip
towards using libgnutls directly
Diffstat (limited to 'src/daemon')
-rw-r--r--src/daemon/Makefile.am14
-rw-r--r--src/daemon/connection.c14
-rw-r--r--src/daemon/connection_https.c39
-rw-r--r--src/daemon/daemon.c84
-rw-r--r--src/daemon/https/Makefile.am3
-rw-r--r--src/daemon/https/gnutls.h697
-rw-r--r--src/daemon/https/lgl/Makefile.am13
-rw-r--r--src/daemon/https/lgl/gc-libgcrypt.c407
-rw-r--r--src/daemon/https/lgl/gc.h172
-rw-r--r--src/daemon/https/minitasn1/Makefile.am18
-rw-r--r--src/daemon/https/minitasn1/README3
-rw-r--r--src/daemon/https/minitasn1/coding.c1211
-rw-r--r--src/daemon/https/minitasn1/decoding.c1673
-rw-r--r--src/daemon/https/minitasn1/element.c902
-rw-r--r--src/daemon/https/minitasn1/element.h14
-rw-r--r--src/daemon/https/minitasn1/gstr.c68
-rw-r--r--src/daemon/https/minitasn1/gstr.h5
-rw-r--r--src/daemon/https/minitasn1/int.h112
-rw-r--r--src/daemon/https/minitasn1/libtasn1.h216
-rw-r--r--src/daemon/https/minitasn1/mem.h25
-rw-r--r--src/daemon/https/minitasn1/parser_aux.c774
-rw-r--r--src/daemon/https/minitasn1/parser_aux.h37
-rw-r--r--src/daemon/https/minitasn1/structure.c585
-rw-r--r--src/daemon/https/minitasn1/structure.h18
-rw-r--r--src/daemon/https/tls/Makefile.am100
-rw-r--r--src/daemon/https/tls/auth_cert.c1329
-rw-r--r--src/daemon/https/tls/auth_cert.h159
-rw-r--r--src/daemon/https/tls/auth_dh_common.c327
-rw-r--r--src/daemon/https/tls/auth_dh_common.h48
-rw-r--r--src/daemon/https/tls/auth_dhe.c274
-rw-r--r--src/daemon/https/tls/auth_rsa.c415
-rw-r--r--src/daemon/https/tls/auth_rsa_export.c323
-rw-r--r--src/daemon/https/tls/debug.c95
-rw-r--r--src/daemon/https/tls/debug.h27
-rw-r--r--src/daemon/https/tls/defines.h66
-rw-r--r--src/daemon/https/tls/ext_cert_type.c246
-rw-r--r--src/daemon/https/tls/ext_cert_type.h31
-rw-r--r--src/daemon/https/tls/ext_max_record.c198
-rw-r--r--src/daemon/https/tls/ext_max_record.h33
-rw-r--r--src/daemon/https/tls/ext_server_name.c223
-rw-r--r--src/daemon/https/tls/ext_server_name.h28
-rw-r--r--src/daemon/https/tls/gnutls.asn93
-rw-r--r--src/daemon/https/tls/gnutls.pc23
-rw-r--r--src/daemon/https/tls/gnutls_alert.c296
-rw-r--r--src/daemon/https/tls/gnutls_algorithms.c1340
-rw-r--r--src/daemon/https/tls/gnutls_algorithms.h148
-rw-r--r--src/daemon/https/tls/gnutls_asn1_tab.c63
-rw-r--r--src/daemon/https/tls/gnutls_auth.c361
-rw-r--r--src/daemon/https/tls/gnutls_auth.h51
-rw-r--r--src/daemon/https/tls/gnutls_auth_int.h33
-rw-r--r--src/daemon/https/tls/gnutls_buffers.c1111
-rw-r--r--src/daemon/https/tls/gnutls_buffers.h64
-rw-r--r--src/daemon/https/tls/gnutls_cert.c441
-rw-r--r--src/daemon/https/tls/gnutls_cert.h127
-rw-r--r--src/daemon/https/tls/gnutls_cipher.c499
-rw-r--r--src/daemon/https/tls/gnutls_cipher.h41
-rw-r--r--src/daemon/https/tls/gnutls_cipher_int.c109
-rw-r--r--src/daemon/https/tls/gnutls_cipher_int.h43
-rw-r--r--src/daemon/https/tls/gnutls_constate.c999
-rw-r--r--src/daemon/https/tls/gnutls_constate.h41
-rw-r--r--src/daemon/https/tls/gnutls_datum.c82
-rw-r--r--src/daemon/https/tls/gnutls_datum.h38
-rw-r--r--src/daemon/https/tls/gnutls_dh.c162
-rw-r--r--src/daemon/https/tls/gnutls_dh.h38
-rw-r--r--src/daemon/https/tls/gnutls_dh_primes.c214
-rw-r--r--src/daemon/https/tls/gnutls_errors.c404
-rw-r--r--src/daemon/https/tls/gnutls_errors.h71
-rw-r--r--src/daemon/https/tls/gnutls_extensions.c301
-rw-r--r--src/daemon/https/tls/gnutls_extensions.h47
-rw-r--r--src/daemon/https/tls/gnutls_global.c298
-rw-r--r--src/daemon/https/tls/gnutls_global.h54
-rw-r--r--src/daemon/https/tls/gnutls_handshake.c2804
-rw-r--r--src/daemon/https/tls/gnutls_handshake.h47
-rw-r--r--src/daemon/https/tls/gnutls_hash_int.c448
-rw-r--r--src/daemon/https/tls/gnutls_hash_int.h72
-rw-r--r--src/daemon/https/tls/gnutls_int.h642
-rw-r--r--src/daemon/https/tls/gnutls_kx.c726
-rw-r--r--src/daemon/https/tls/gnutls_kx.h40
-rw-r--r--src/daemon/https/tls/gnutls_mem.c65
-rw-r--r--src/daemon/https/tls/gnutls_mem.h61
-rw-r--r--src/daemon/https/tls/gnutls_mpi.c267
-rw-r--r--src/daemon/https/tls/gnutls_mpi.h55
-rw-r--r--src/daemon/https/tls/gnutls_num.c192
-rw-r--r--src/daemon/https/tls/gnutls_num.h49
-rw-r--r--src/daemon/https/tls/gnutls_pk.c636
-rw-r--r--src/daemon/https/tls/gnutls_pk.h40
-rw-r--r--src/daemon/https/tls/gnutls_priority.c242
-rw-r--r--src/daemon/https/tls/gnutls_record.c1087
-rw-r--r--src/daemon/https/tls/gnutls_record.h33
-rw-r--r--src/daemon/https/tls/gnutls_rsa_export.c63
-rw-r--r--src/daemon/https/tls/gnutls_rsa_export.h26
-rw-r--r--src/daemon/https/tls/gnutls_sig.c476
-rw-r--r--src/daemon/https/tls/gnutls_sig.h49
-rw-r--r--src/daemon/https/tls/gnutls_state.c804
-rw-r--r--src/daemon/https/tls/gnutls_state.h77
-rw-r--r--src/daemon/https/tls/gnutls_str.c157
-rw-r--r--src/daemon/https/tls/gnutls_str.h53
-rw-r--r--src/daemon/https/tls/gnutls_supplemental.c199
-rw-r--r--src/daemon/https/tls/gnutls_supplemental.h30
-rw-r--r--src/daemon/https/tls/gnutls_ui.c58
-rw-r--r--src/daemon/https/tls/gnutls_x509.c604
-rw-r--r--src/daemon/https/tls/gnutls_x509.h50
-rw-r--r--src/daemon/https/tls/libgnutls-config104
-rw-r--r--src/daemon/https/tls/libgnutls.m4160
-rw-r--r--src/daemon/https/tls/libgnutls.vers27
-rw-r--r--src/daemon/https/tls/memmem.c78
-rw-r--r--src/daemon/https/tls/pkix.asn1241
-rw-r--r--src/daemon/https/tls/pkix_asn1_tab.c1130
-rw-r--r--src/daemon/https/tls/str-two-way.h429
-rw-r--r--src/daemon/https/tls/x509_b64.c413
-rw-r--r--src/daemon/https/tls/x509_b64.h43
-rw-r--r--src/daemon/https/x509/Makefile.am24
-rw-r--r--src/daemon/https/x509/common.c447
-rw-r--r--src/daemon/https/x509/common.h84
-rw-r--r--src/daemon/https/x509/extensions.c218
-rw-r--r--src/daemon/https/x509/extensions.h35
-rw-r--r--src/daemon/https/x509/mpi.c212
-rw-r--r--src/daemon/https/x509/mpi.h37
-rw-r--r--src/daemon/https/x509/privkey.h32
-rw-r--r--src/daemon/https/x509/x509.c364
-rw-r--r--src/daemon/https/x509/x509.h409
-rw-r--r--src/daemon/https/x509/x509_privkey.c289
-rw-r--r--src/daemon/internal.h26
123 files changed, 74 insertions, 34498 deletions
diff --git a/src/daemon/Makefile.am b/src/daemon/Makefile.am
index de5152f2..bea883d8 100644
--- a/src/daemon/Makefile.am
+++ b/src/daemon/Makefile.am
@@ -1,12 +1,8 @@
1AM_CPPFLAGS = \ 1AM_CPPFLAGS = \
2 -I$(top_srcdir)/src/include \ 2 -I$(top_srcdir)/src/include \
3 -I$(top_srcdir)/src/daemon \ 3 -I$(top_srcdir)/src/daemon \
4 -I$(top_srcdir)/src/daemon/https/lgl \ 4 @LIBGCRYPT_CFLAGS@ \
5 -I$(top_srcdir)/src/daemon/https/x509 \ 5 @LIBGNUTLS_CFLAGS@
6 -I$(top_srcdir)/src/daemon/https/minitasn1 \
7 -I$(top_srcdir)/src/daemon/https/tls \
8 -I$(top_srcdir)/src/daemon/https \
9 @LIBGCRYPT_CFLAGS@
10 6
11EXTRA_DIST = EXPORT.sym 7EXTRA_DIST = EXPORT.sym
12 8
@@ -31,14 +27,10 @@ endif
31 27
32 28
33if ENABLE_HTTPS 29if ENABLE_HTTPS
34SUBDIRS = https .
35libmicrohttpd_la_SOURCES += \ 30libmicrohttpd_la_SOURCES += \
36 connection_https.c connection_https.h 31 connection_https.c connection_https.h
37libmicrohttpd_la_LIBADD = \ 32libmicrohttpd_la_LIBADD = \
38 https/lgl/liblgl.la \ 33 $(LIBGNUTLS_LIBS)
39 https/x509/libx509.la \
40 https/tls/libtls.la \
41 https/minitasn1/libasn1.la
42endif 34endif
43 35
44check_PROGRAMS = \ 36check_PROGRAMS = \
diff --git a/src/daemon/connection.c b/src/daemon/connection.c
index 5a4b6f71..3eb2d1a3 100644
--- a/src/daemon/connection.c
+++ b/src/daemon/connection.c
@@ -1793,7 +1793,7 @@ MHD_connection_handle_write (struct MHD_Connection *connection)
1793#if HTTPS_SUPPORT 1793#if HTTPS_SUPPORT
1794 if (connection->daemon->options & MHD_USE_SSL) 1794 if (connection->daemon->options & MHD_USE_SSL)
1795 { 1795 {
1796 ret = MHD__gnutls_record_send (connection->tls_session, 1796 ret = gnutls_record_send (connection->tls_session,
1797 &connection->response->data 1797 &connection->response->data
1798 [connection-> 1798 [connection->
1799 response_write_position - 1799 response_write_position -
@@ -2245,10 +2245,6 @@ MHD_set_http_calbacks (struct MHD_Connection *connection)
2245 connection->idle_handler = &MHD_connection_handle_idle; 2245 connection->idle_handler = &MHD_connection_handle_idle;
2246} 2246}
2247 2247
2248#if HTTPS_SUPPORT
2249#include "gnutls_int.h"
2250#include "gnutls_record.h"
2251#endif
2252 2248
2253/** 2249/**
2254 * Obtain information about the given connection. 2250 * Obtain information about the given connection.
@@ -2269,13 +2265,13 @@ MHD_get_connection_info (struct MHD_Connection *connection,
2269 case MHD_CONNECTION_INFO_CIPHER_ALGO: 2265 case MHD_CONNECTION_INFO_CIPHER_ALGO:
2270 if (connection->tls_session == NULL) 2266 if (connection->tls_session == NULL)
2271 return NULL; 2267 return NULL;
2272 return (const union MHD_ConnectionInfo *) &connection-> 2268 connection->cipher = gnutls_cipher_get (connection->tls_session);
2273 tls_session->security_parameters.read_bulk_cipher_algorithm; 2269 return (const union MHD_ConnectionInfo *) &connection->cipher;
2274 case MHD_CONNECTION_INFO_PROTOCOL: 2270 case MHD_CONNECTION_INFO_PROTOCOL:
2275 if (connection->tls_session == NULL) 2271 if (connection->tls_session == NULL)
2276 return NULL; 2272 return NULL;
2277 return (const union MHD_ConnectionInfo *) &connection-> 2273 connection->protocol = gnutls_protocol_get_version (connection->tls_session);
2278 tls_session->security_parameters.version; 2274 return (const union MHD_ConnectionInfo *) &connection->protocol;
2279#endif 2275#endif
2280 case MHD_CONNECTION_INFO_CLIENT_ADDRESS: 2276 case MHD_CONNECTION_INFO_CLIENT_ADDRESS:
2281 return (const union MHD_ConnectionInfo *) &connection->addr; 2277 return (const union MHD_ConnectionInfo *) &connection->addr;
diff --git a/src/daemon/connection_https.c b/src/daemon/connection_https.c
index b5b1a4ba..ac8a9268 100644
--- a/src/daemon/connection_https.c
+++ b/src/daemon/connection_https.c
@@ -1,6 +1,6 @@
1/* 1/*
2 This file is part of libmicrohttpd 2 This file is part of libmicrohttpd
3 (C) 2007, 2008 Daniel Pittman and Christian Grothoff 3 (C) 2007, 2008, 2010 Daniel Pittman and Christian Grothoff
4 4
5 This library is free software; you can redistribute it and/or 5 This library is free software; you can redistribute it and/or
6 modify it under the terms of the GNU Lesser General Public 6 modify it under the terms of the GNU Lesser General Public
@@ -19,7 +19,7 @@
19*/ 19*/
20 20
21/** 21/**
22 * @file connection.c 22 * @file connection_https.c
23 * @brief Methods for managing SSL/TLS connections. This file is only 23 * @brief Methods for managing SSL/TLS connections. This file is only
24 * compiled if ENABLE_HTTPS is set. 24 * compiled if ENABLE_HTTPS is set.
25 * @author Sagie Amir 25 * @author Sagie Amir
@@ -31,13 +31,7 @@
31#include "memorypool.h" 31#include "memorypool.h"
32#include "response.h" 32#include "response.h"
33#include "reason_phrase.h" 33#include "reason_phrase.h"
34 34#include <gnutls/gnutls.h>
35/* get opaque type */
36#include "gnutls_int.h"
37#include "gnutls_record.h"
38
39/* TODO #include rm "gnutls_errors.h" */
40#include "gnutls_errors.h"
41 35
42/** 36/**
43 * This function is called once a secure connection has been marked 37 * This function is called once a secure connection has been marked
@@ -53,8 +47,8 @@ static void
53MHD_tls_connection_close (struct MHD_Connection *connection, 47MHD_tls_connection_close (struct MHD_Connection *connection,
54 enum MHD_RequestTerminationCode termination_code) 48 enum MHD_RequestTerminationCode termination_code)
55{ 49{
56 MHD__gnutls_bye (connection->tls_session, GNUTLS_SHUT_WR); 50 gnutls_bye (connection->tls_session, GNUTLS_SHUT_WR);
57 connection->tls_session->internals.read_eof = 1; 51 /* connection->tls_session->internals.read_eof = 1; // FIXME_GHM: needed? */
58 MHD_connection_close (connection, termination_code); 52 MHD_connection_close (connection, termination_code);
59} 53}
60 54
@@ -107,6 +101,16 @@ MHD_tls_connection_handle_idle (struct MHD_Connection *connection)
107 return MHD_YES; 101 return MHD_YES;
108} 102}
109 103
104/* FIXME_GHM: this is digging into gnutls/SSL internals
105 that is likely wrong... */
106/* Record Protocol */
107typedef enum content_type_t
108{
109 GNUTLS_CHANGE_CIPHER_SPEC = 20, GNUTLS_ALERT,
110 GNUTLS_HANDSHAKE, GNUTLS_APPLICATION_DATA,
111 GNUTLS_INNER_APPLICATION = 24
112} content_type_t;
113
110/** 114/**
111 * This function handles a particular SSL/TLS connection when 115 * This function handles a particular SSL/TLS connection when
112 * it has been determined that there is data to be read off a 116 * it has been determined that there is data to be read off a
@@ -157,7 +161,7 @@ MHD_tls_connection_handle_read (struct MHD_Connection *connection)
157 if (connection->state == MHD_TLS_CONNECTION_INIT || 161 if (connection->state == MHD_TLS_CONNECTION_INIT ||
158 connection->state == MHD_TLS_HELLO_REQUEST) 162 connection->state == MHD_TLS_HELLO_REQUEST)
159 { 163 {
160 ret = MHD__gnutls_handshake (connection->tls_session); 164 ret = gnutls_handshake (connection->tls_session);
161 if (ret == 0) 165 if (ret == 0)
162 { 166 {
163 /* set connection state to enable HTTP processing */ 167 /* set connection state to enable HTTP processing */
@@ -194,13 +198,13 @@ MHD_tls_connection_handle_read (struct MHD_Connection *connection)
194 return MHD_NO; 198 return MHD_NO;
195 199
196 case GNUTLS_ALERT: 200 case GNUTLS_ALERT:
201#if FIXME_GHM
197 /* 202 /*
198 * this call of MHD_gtls_recv_int expects 0 bytes read. 203 * this call of MHD_gtls_recv_int expects 0 bytes read.
199 * done to decrypt alert message 204 * done to decrypt alert message
200 */ 205 */
201 MHD_gtls_recv_int (connection->tls_session, GNUTLS_ALERT, 206 gnutls_recv_int (connection->tls_session, GNUTLS_ALERT,
202 GNUTLS_HANDSHAKE_FINISHED, 0, 0); 207 GNUTLS_HANDSHAKE_FINISHED, 0, 0);
203
204 /* CLOSE_NOTIFY */ 208 /* CLOSE_NOTIFY */
205 if (connection->tls_session->internals.last_alert == 209 if (connection->tls_session->internals.last_alert ==
206 GNUTLS_A_CLOSE_NOTIFY) 210 GNUTLS_A_CLOSE_NOTIFY)
@@ -209,7 +213,8 @@ MHD_tls_connection_handle_read (struct MHD_Connection *connection)
209 return MHD_YES; 213 return MHD_YES;
210 } 214 }
211 /* non FATAL or WARNING */ 215 /* non FATAL or WARNING */
212 else if (connection->tls_session->internals.last_alert_level != 216 else
217 if (connection->tls_session->internals.last_alert_level !=
213 GNUTLS_AL_FATAL) 218 GNUTLS_AL_FATAL)
214 { 219 {
215#if HAVE_MESSAGES 220#if HAVE_MESSAGES
@@ -239,12 +244,12 @@ MHD_tls_connection_handle_read (struct MHD_Connection *connection)
239#endif 244#endif
240 return MHD_NO; 245 return MHD_NO;
241 } 246 }
247#endif
242 248
243 249
244 /* forward application level content to MHD */ 250 /* forward application level content to MHD */
245 case GNUTLS_APPLICATION_DATA: 251 case GNUTLS_APPLICATION_DATA:
246 return MHD_connection_handle_read (connection); 252 return MHD_connection_handle_read (connection);
247
248 case GNUTLS_INNER_APPLICATION: 253 case GNUTLS_INNER_APPLICATION:
249 break; 254 break;
250 default: 255 default:
diff --git a/src/daemon/daemon.c b/src/daemon/daemon.c
index 74d20233..67eb5196 100644
--- a/src/daemon/daemon.c
+++ b/src/daemon/daemon.c
@@ -32,8 +32,7 @@
32 32
33#if HTTPS_SUPPORT 33#if HTTPS_SUPPORT
34#include "connection_https.h" 34#include "connection_https.h"
35#include "gnutls_int.h" 35#include <gnutls/gnutls.h>
36#include "gnutls_global.h"
37#endif 36#endif
38 37
39#ifdef HAVE_POLL_H 38#ifdef HAVE_POLL_H
@@ -331,27 +330,7 @@ MHD_ip_limit_del(struct MHD_Daemon *daemon,
331} 330}
332 331
333#if HTTPS_SUPPORT 332#if HTTPS_SUPPORT
334pthread_mutex_t MHD_gnutls_init_mutex; 333static pthread_mutex_t MHD_gnutls_init_mutex;
335
336/**
337 * Note: code duplication with code in MHD_gnutls_priority.c
338 *
339 * @return 0
340 */
341static int
342_set_priority (MHD_gtls_priority_st * st, const int *list)
343{
344 int num = 0;
345
346 if (list == NULL)
347 return 0;
348 while ((list[num] != 0) && (num < MAX_ALGOS))
349 num++;
350 st->num_algorithms = num;
351 memcpy (st->priority, list, num * sizeof (int));
352 return 0;
353}
354
355 334
356/** 335/**
357 * Callback for receiving data from the socket. 336 * Callback for receiving data from the socket.
@@ -364,7 +343,7 @@ _set_priority (MHD_gtls_priority_st * st, const int *list)
364static ssize_t 343static ssize_t
365recv_tls_adapter (struct MHD_Connection *connection, void *other, size_t i) 344recv_tls_adapter (struct MHD_Connection *connection, void *other, size_t i)
366{ 345{
367 return MHD__gnutls_record_recv (connection->tls_session, other, i); 346 return gnutls_record_recv (connection->tls_session, other, i);
368} 347}
369 348
370/** 349/**
@@ -379,7 +358,7 @@ static ssize_t
379send_tls_adapter (struct MHD_Connection *connection, 358send_tls_adapter (struct MHD_Connection *connection,
380 const void *other, size_t i) 359 const void *other, size_t i)
381{ 360{
382 return MHD__gnutls_record_send (connection->tls_session, other, i); 361 return gnutls_record_send (connection->tls_session, other, i);
383} 362}
384 363
385 364
@@ -391,8 +370,8 @@ send_tls_adapter (struct MHD_Connection *connection,
391static int 370static int
392MHD_init_daemon_certificate (struct MHD_Daemon *daemon) 371MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
393{ 372{
394 MHD_gnutls_datum_t key; 373 gnutls_datum_t key;
395 MHD_gnutls_datum_t cert; 374 gnutls_datum_t cert;
396 375
397 /* certificate & key loaded from memory */ 376 /* certificate & key loaded from memory */
398 if (daemon->https_mem_cert && daemon->https_mem_key) 377 if (daemon->https_mem_cert && daemon->https_mem_key)
@@ -402,7 +381,7 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
402 cert.data = (unsigned char *) daemon->https_mem_cert; 381 cert.data = (unsigned char *) daemon->https_mem_cert;
403 cert.size = strlen (daemon->https_mem_cert); 382 cert.size = strlen (daemon->https_mem_cert);
404 383
405 return MHD__gnutls_certificate_set_x509_key_mem (daemon->x509_cred, 384 return gnutls_certificate_set_x509_key_mem (daemon->x509_cred,
406 &cert, &key, 385 &cert, &key,
407 GNUTLS_X509_FMT_PEM); 386 GNUTLS_X509_FMT_PEM);
408 } 387 }
@@ -422,9 +401,9 @@ MHD_TLS_init (struct MHD_Daemon *daemon)
422{ 401{
423 switch (daemon->cred_type) 402 switch (daemon->cred_type)
424 { 403 {
425 case MHD_GNUTLS_CRD_CERTIFICATE: 404 case GNUTLS_CRD_CERTIFICATE:
426 if (0 != 405 if (0 !=
427 MHD__gnutls_certificate_allocate_credentials (&daemon->x509_cred)) 406 gnutls_certificate_allocate_credentials (&daemon->x509_cred))
428 return GNUTLS_E_MEMORY_ERROR; 407 return GNUTLS_E_MEMORY_ERROR;
429 return MHD_init_daemon_certificate (daemon); 408 return MHD_init_daemon_certificate (daemon);
430 default: 409 default:
@@ -785,15 +764,13 @@ MHD_accept_connection (struct MHD_Daemon *daemon)
785 connection->send_cls = &send_tls_adapter; 764 connection->send_cls = &send_tls_adapter;
786 connection->state = MHD_TLS_CONNECTION_INIT; 765 connection->state = MHD_TLS_CONNECTION_INIT;
787 MHD_set_https_calbacks (connection); 766 MHD_set_https_calbacks (connection);
788 MHD__gnutls_init (&connection->tls_session, GNUTLS_SERVER); 767 gnutls_init (&connection->tls_session, GNUTLS_SERVER);
789 MHD__gnutls_priority_set (connection->tls_session,
790 connection->daemon->priority_cache);
791 switch (connection->daemon->cred_type) 768 switch (connection->daemon->cred_type)
792 { 769 {
793 /* set needed credentials for certificate authentication. */ 770 /* set needed credentials for certificate authentication. */
794 case MHD_GNUTLS_CRD_CERTIFICATE: 771 case GNUTLS_CRD_CERTIFICATE:
795 MHD__gnutls_credentials_set (connection->tls_session, 772 gnutls_credentials_set (connection->tls_session,
796 MHD_GNUTLS_CRD_CERTIFICATE, 773 GNUTLS_CRD_CERTIFICATE,
797 connection->daemon->x509_cred); 774 connection->daemon->x509_cred);
798 break; 775 break;
799 default: 776 default:
@@ -816,13 +793,13 @@ MHD_accept_connection (struct MHD_Daemon *daemon)
816 ); 793 );
817 return MHD_NO; 794 return MHD_NO;
818 } 795 }
819 MHD__gnutls_transport_set_ptr (connection->tls_session, 796 gnutls_transport_set_ptr (connection->tls_session,
820 (MHD_gnutls_transport_ptr_t) connection); 797 (gnutls_transport_ptr_t) connection);
821 MHD__gnutls_transport_set_pull_function (connection->tls_session, 798 gnutls_transport_set_pull_function (connection->tls_session,
822 (MHD_gtls_pull_func) & 799 (gnutls_pull_func) &
823 recv_param_adapter); 800 recv_param_adapter);
824 MHD__gnutls_transport_set_push_function (connection->tls_session, 801 gnutls_transport_set_push_function (connection->tls_session,
825 (MHD_gtls_push_func) & 802 (gnutls_push_func) &
826 send_param_adapter); 803 send_param_adapter);
827 } 804 }
828#endif 805#endif
@@ -893,7 +870,7 @@ MHD_cleanup_connections (struct MHD_Daemon *daemon)
893 MHD_pool_destroy (pos->pool); 870 MHD_pool_destroy (pos->pool);
894#if HTTPS_SUPPORT 871#if HTTPS_SUPPORT
895 if (pos->tls_session != NULL) 872 if (pos->tls_session != NULL)
896 MHD__gnutls_deinit (pos->tls_session); 873 gnutls_deinit (pos->tls_session);
897#endif 874#endif
898 MHD_ip_limit_del (daemon, (struct sockaddr*)pos->addr, pos->addr_len); 875 MHD_ip_limit_del (daemon, (struct sockaddr*)pos->addr, pos->addr_len);
899 free (pos->addr); 876 free (pos->addr);
@@ -1265,9 +1242,8 @@ parse_options_va (struct MHD_Daemon *daemon,
1265 break; 1242 break;
1266#if HTTPS_SUPPORT 1243#if HTTPS_SUPPORT
1267 case MHD_OPTION_PROTOCOL_VERSION: 1244 case MHD_OPTION_PROTOCOL_VERSION:
1268 if (daemon->options & MHD_USE_SSL) 1245 FPRINTF (stderr,
1269 _set_priority (&daemon->priority_cache->protocol, 1246 "Protocol version setting currently not supported.\n");
1270 va_arg (ap, const int *));
1271#if HAVE_MESSAGES 1247#if HAVE_MESSAGES
1272 else 1248 else
1273 FPRINTF (stderr, 1249 FPRINTF (stderr,
@@ -1296,9 +1272,8 @@ parse_options_va (struct MHD_Daemon *daemon,
1296#endif 1272#endif
1297 break; 1273 break;
1298 case MHD_OPTION_CIPHER_ALGORITHM: 1274 case MHD_OPTION_CIPHER_ALGORITHM:
1299 if (daemon->options & MHD_USE_SSL) 1275 FPRINTF (stderr,
1300 _set_priority (&daemon->priority_cache->cipher, 1276 "CIPHER setting currently not supported\n");
1301 va_arg (ap, const int *));
1302#if HAVE_MESSAGES 1277#if HAVE_MESSAGES
1303 else 1278 else
1304 FPRINTF (stderr, 1279 FPRINTF (stderr,
@@ -1478,9 +1453,7 @@ MHD_start_daemon_va (unsigned int options,
1478#endif 1453#endif
1479 mhd_panic (mhd_panic_cls, __FILE__, __LINE__, NULL); 1454 mhd_panic (mhd_panic_cls, __FILE__, __LINE__, NULL);
1480 } 1455 }
1481 /* set default priorities */ 1456 retVal->cred_type = GNUTLS_CRD_CERTIFICATE;
1482 MHD_tls_set_default_priority (&retVal->priority_cache, "", NULL);
1483 retVal->cred_type = MHD_GNUTLS_CRD_CERTIFICATE;
1484 } 1457 }
1485#endif 1458#endif
1486 1459
@@ -1874,9 +1847,8 @@ MHD_stop_daemon (struct MHD_Daemon *daemon)
1874#if HTTPS_SUPPORT 1847#if HTTPS_SUPPORT
1875 if (daemon->options & MHD_USE_SSL) 1848 if (daemon->options & MHD_USE_SSL)
1876 { 1849 {
1877 MHD__gnutls_priority_deinit (daemon->priority_cache);
1878 if (daemon->x509_cred) 1850 if (daemon->x509_cred)
1879 MHD__gnutls_certificate_free_credentials (daemon->x509_cred); 1851 gnutls_certificate_free_credentials (daemon->x509_cred);
1880 /* lock MHD_gnutls_global mutex since it uses reference counting */ 1852 /* lock MHD_gnutls_global mutex since it uses reference counting */
1881 if (0 != pthread_mutex_lock (&MHD_gnutls_init_mutex)) 1853 if (0 != pthread_mutex_lock (&MHD_gnutls_init_mutex))
1882 { 1854 {
@@ -1993,7 +1965,7 @@ void ATTRIBUTE_CONSTRUCTOR MHD_init ()
1993 plibc_init ("GNU", "libmicrohttpd"); 1965 plibc_init ("GNU", "libmicrohttpd");
1994#endif 1966#endif
1995#if HTTPS_SUPPORT 1967#if HTTPS_SUPPORT
1996 MHD__gnutls_global_init (); 1968 gnutls_global_init ();
1997 if (0 != pthread_mutex_init(&MHD_gnutls_init_mutex, NULL)) 1969 if (0 != pthread_mutex_init(&MHD_gnutls_init_mutex, NULL))
1998 abort(); 1970 abort();
1999#endif 1971#endif
@@ -2002,7 +1974,7 @@ void ATTRIBUTE_CONSTRUCTOR MHD_init ()
2002void ATTRIBUTE_DESTRUCTOR MHD_fini () 1974void ATTRIBUTE_DESTRUCTOR MHD_fini ()
2003{ 1975{
2004#if HTTPS_SUPPORT 1976#if HTTPS_SUPPORT
2005 MHD__gnutls_global_deinit (); 1977 gnutls_global_deinit ();
2006 if (0 != pthread_mutex_destroy(&MHD_gnutls_init_mutex)) 1978 if (0 != pthread_mutex_destroy(&MHD_gnutls_init_mutex))
2007 mhd_panic (mhd_panic_cls, __FILE__, __LINE__, NULL); 1979 mhd_panic (mhd_panic_cls, __FILE__, __LINE__, NULL);
2008#endif 1980#endif
diff --git a/src/daemon/https/Makefile.am b/src/daemon/https/Makefile.am
deleted file mode 100644
index 8b4c1aa1..00000000
--- a/src/daemon/https/Makefile.am
+++ /dev/null
@@ -1,3 +0,0 @@
1EXTRA_DIST = gnutls.h
2
3SUBDIRS = minitasn1 lgl x509 tls .
diff --git a/src/daemon/https/gnutls.h b/src/daemon/https/gnutls.h
deleted file mode 100644
index f2f6f069..00000000
--- a/src/daemon/https/gnutls.h
+++ /dev/null
@@ -1,697 +0,0 @@
1/* -*- c -*-
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavroyanopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
21 * USA
22 *
23 */
24
25/* This file contains the types and prototypes for all the
26 * high level functionality of gnutls main library. For the
27 * extra functionality (which is under the GNU GPL license) check
28 * the gnutls/extra.h header. The openssl compatibility layer is
29 * in gnutls/openssl.h.
30 *
31 * The low level cipher functionality is in libgcrypt. Check
32 * gcrypt.h
33 */
34
35#ifndef GNUTLS_H
36#define GNUTLS_H
37
38#ifdef __cplusplus
39extern "C"
40{
41#if 0 /* keep Emacsens' auto-indent happy */
42}
43#endif
44#endif
45
46
47/**
48 * List of key exchange algorithms.
49 * Note that not all listed algorithms are necessarily
50 * supported by all builds of MHD.
51 */
52enum MHD_GNUTLS_KeyExchangeAlgorithm
53{
54 MHD_GNUTLS_KX_UNKNOWN = 0,
55 MHD_GNUTLS_KX_RSA = 1,
56};
57
58/**
59 * Server credentials type (note that not all types
60 * maybe supported by all MHD builds).
61 */
62enum MHD_GNUTLS_CredentialsType
63{
64 /**
65 * We have a x.509 certificate.
66 */
67 MHD_GNUTLS_CRD_CERTIFICATE = 1,
68
69};
70
71/**
72 * Enumeration of possible cryptographic
73 * hash functions (for MAC and Digest operations).
74 * Note that not all listed algorithms are necessarily
75 * supported by all builds of MHD.
76 */
77enum MHD_GNUTLS_HashAlgorithm
78{
79 MHD_GNUTLS_MAC_UNKNOWN = 0,
80 MHD_GNUTLS_MAC_NULL = 1,
81 MHD_GNUTLS_MAC_MD5,
82 MHD_GNUTLS_MAC_SHA1,
83 MHD_GNUTLS_MAC_SHA256
84};
85
86/**
87 * List of compression methods.
88 * Note that not all listed algorithms are necessarily
89 * supported by all builds of MHD.
90 */
91enum MHD_GNUTLS_CompressionMethod
92{
93 MHD_GNUTLS_COMP_UNKNOWN = 0,
94
95 /**
96 * No compression.
97 */
98 MHD_GNUTLS_COMP_NULL = 1,
99
100};
101/**
102 * Types of certificates.
103 */
104enum MHD_GNUTLS_CertificateType
105{
106 MHD_GNUTLS_CRT_UNKNOWN = 0,
107 MHD_GNUTLS_CRT_X509 = 1
108};
109
110/**
111 * List of public key algorithms.
112 * Note that not all listed algorithms are necessarily
113 * supported by all builds of MHD.
114 */
115enum MHD_GNUTLS_PublicKeyAlgorithm
116{
117 MHD_GNUTLS_PK_UNKNOWN = 0,
118 MHD_GNUTLS_PK_RSA = 1,
119 MHD_GNUTLS_KX_RSA_EXPORT
120};
121
122
123
124#define LIBGNUTLS_VERSION "2.2.3"
125
126/* Get size_t. */
127#include <stddef.h>
128
129#define GNUTLS_CIPHER_RIJNDAEL_128_CBC GNUTLS_CIPHER_AES_128_CBC
130#define GNUTLS_CIPHER_RIJNDAEL_256_CBC GNUTLS_CIPHER_AES_256_CBC
131#define GNUTLS_CIPHER_RIJNDAEL_CBC GNUTLS_CIPHER_AES_128_CBC
132#define GNUTLS_CIPHER_ARCFOUR GNUTLS_CIPHER_ARCFOUR_128
133
134#define GNUTLS_MAX_SESSION_ID 32
135#define TLS_MASTER_SIZE 48
136#define TLS_RANDOM_SIZE 32
137
138#include "platform.h"
139#include "microhttpd.h"
140
141typedef enum
142{
143 GNUTLS_PARAMS_RSA_EXPORT = 1,
144 GNUTLS_PARAMS_DH
145} MHD_gnutls_params_type_t;
146
147 /* exported for other gnutls headers. This is the maximum number of
148 * algorithms (ciphers, kx or macs).
149 */
150#define GNUTLS_MAX_ALGORITHM_NUM 16
151#define GNUTLS_COMP_ZLIB GNUTLS_COMP_DEFLATE
152
153typedef enum
154{
155 GNUTLS_SERVER = 1,
156 GNUTLS_CLIENT
157} MHD_gnutls_connection_end_t;
158
159typedef enum
160{
161 GNUTLS_AL_WARNING = 1,
162 GNUTLS_AL_FATAL
163} MHD_gnutls_alert_level_t;
164
165typedef enum
166{
167 GNUTLS_A_CLOSE_NOTIFY,
168 GNUTLS_A_UNEXPECTED_MESSAGE = 10,
169 GNUTLS_A_BAD_RECORD_MAC = 20,
170 GNUTLS_A_DECRYPTION_FAILED,
171 GNUTLS_A_RECORD_OVERFLOW,
172 GNUTLS_A_DECOMPRESSION_FAILURE = 30,
173 GNUTLS_A_HANDSHAKE_FAILURE = 40,
174 GNUTLS_A_SSL3_NO_CERTIFICATE = 41,
175 GNUTLS_A_BAD_CERTIFICATE = 42,
176 GNUTLS_A_UNSUPPORTED_CERTIFICATE,
177 GNUTLS_A_CERTIFICATE_REVOKED,
178 GNUTLS_A_CERTIFICATE_EXPIRED,
179 GNUTLS_A_CERTIFICATE_UNKNOWN,
180 GNUTLS_A_ILLEGAL_PARAMETER,
181 GNUTLS_A_UNKNOWN_CA,
182 GNUTLS_A_ACCESS_DENIED,
183 GNUTLS_A_DECODE_ERROR = 50,
184 GNUTLS_A_DECRYPT_ERROR,
185 GNUTLS_A_EXPORT_RESTRICTION = 60,
186 GNUTLS_A_PROTOCOL_VERSION = 70,
187 GNUTLS_A_INSUFFICIENT_SECURITY,
188 GNUTLS_A_INTERNAL_ERROR = 80,
189 GNUTLS_A_USER_CANCELED = 90,
190 GNUTLS_A_NO_RENEGOTIATION = 100,
191 GNUTLS_A_UNSUPPORTED_EXTENSION = 110,
192 GNUTLS_A_CERTIFICATE_UNOBTAINABLE = 111,
193 GNUTLS_A_UNRECOGNIZED_NAME = 112,
194 GNUTLS_A_UNKNOWN_PSK_IDENTITY = 115,
195} MHD_gnutls_alert_description_t;
196
197typedef enum
198{ GNUTLS_HANDSHAKE_HELLO_REQUEST = 0,
199 GNUTLS_HANDSHAKE_CLIENT_HELLO = 1,
200 GNUTLS_HANDSHAKE_SERVER_HELLO = 2,
201 GNUTLS_HANDSHAKE_CERTIFICATE_PKT = 11,
202 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE = 12,
203 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST = 13,
204 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE = 14,
205 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY = 15,
206 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE = 16,
207 GNUTLS_HANDSHAKE_FINISHED = 20,
208 GNUTLS_HANDSHAKE_SUPPLEMENTAL = 23
209} MHD_gnutls_handshake_description_t;
210
211typedef enum
212{
213 GNUTLS_CERT_INVALID = 2, /* will be set if the certificate
214 * was not verified.
215 */
216 GNUTLS_CERT_REVOKED = 32, /* in X.509 this will be set only if CRLs are checked
217 */
218
219 /* Those are extra information about the verification
220 * process. Will be set only if the certificate was
221 * not verified.
222 */
223 GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
224 GNUTLS_CERT_SIGNER_NOT_CA = 128,
225 GNUTLS_CERT_INSECURE_ALGORITHM = 256
226} MHD_gnutls_certificate_status_t;
227
228typedef enum
229{
230 GNUTLS_CERT_IGNORE,
231 GNUTLS_CERT_REQUEST = 1,
232 GNUTLS_CERT_REQUIRE
233} MHD_gnutls_certificate_request_t;
234
235typedef enum
236{
237 GNUTLS_SHUT_RDWR = 0,
238 GNUTLS_SHUT_WR = 1
239} MHD_gnutls_close_request_t;
240
241typedef enum
242{
243 GNUTLS_X509_FMT_DER,
244 GNUTLS_X509_FMT_PEM
245} MHD_gnutls_x509_crt_fmt_t;
246
247typedef enum
248{
249 GNUTLS_SIGN_UNKNOWN = 0,
250 GNUTLS_SIGN_RSA_SHA1 = 1,
251 GNUTLS_SIGN_DSA_SHA1,
252 GNUTLS_SIGN_RSA_MD5,
253 GNUTLS_SIGN_RSA_MD2,
254 GNUTLS_SIGN_RSA_RMD160,
255 GNUTLS_SIGN_RSA_SHA256,
256 GNUTLS_SIGN_RSA_SHA384,
257 GNUTLS_SIGN_RSA_SHA512
258} MHD_gnutls_sign_algorithm_t;
259
260/* If you want to change this, then also change the define in
261 * MHD_gnutls_int.h, and recompile.
262 */
263typedef void *MHD_gnutls_transport_ptr_t;
264
265struct MHD_gtls_session_int;
266typedef struct MHD_gtls_session_int *MHD_gtls_session_t;
267
268struct MHD_gtls_dh_params_int;
269typedef struct MHD_gtls_dh_params_int *MHD_gtls_dh_params_t;
270
271struct MHD_gtls_x509_privkey_int; /* XXX ugly. */
272typedef struct MHD_gtls_x509_privkey_int *MHD_gtls_rsa_params_t; /* XXX ugly. */
273
274struct MHD_gtls_priority_st;
275typedef struct MHD_gtls_priority_st *MHD_gnutls_priority_t;
276
277typedef struct
278{
279 unsigned char *data;
280 unsigned int size;
281} MHD_gnutls_datum_t;
282
283
284typedef struct MHD_gnutls_params_st
285{
286 MHD_gnutls_params_type_t type;
287 union params
288 {
289 MHD_gtls_dh_params_t dh;
290 MHD_gtls_rsa_params_t rsa_export;
291 } params;
292 int deinit;
293} MHD_gnutls_params_st;
294
295typedef int MHD_gnutls_params_function (MHD_gtls_session_t,
296 MHD_gnutls_params_type_t,
297 MHD_gnutls_params_st *);
298
299/* internal functions */
300int MHD__gnutls_global_init (void);
301void MHD__gnutls_global_deinit (void);
302
303int MHD__gnutls_init (MHD_gtls_session_t * session,
304 MHD_gnutls_connection_end_t con_end);
305void MHD__gnutls_deinit (MHD_gtls_session_t session);
306
307int MHD__gnutls_bye (MHD_gtls_session_t session,
308 MHD_gnutls_close_request_t how);
309int MHD__gnutls_handshake (MHD_gtls_session_t session);
310int MHD__gnutls_rehandshake (MHD_gtls_session_t session);
311
312MHD_gnutls_alert_description_t MHD_gnutls_alert_get (MHD_gtls_session_t
313 session);
314int MHD__gnutls_alert_send (MHD_gtls_session_t session,
315 MHD_gnutls_alert_level_t level,
316 MHD_gnutls_alert_description_t desc);
317int MHD__gnutls_alert_send_appropriate (MHD_gtls_session_t session, int err);
318const char *MHD__gnutls_alert_get_name (MHD_gnutls_alert_description_t alert);
319
320size_t MHD__gnutls_cipher_get_key_size (enum MHD_GNUTLS_CipherAlgorithm
321 algorithm);
322
323 /* error functions */
324int MHD_gtls_error_is_fatal (int error);
325int MHD_gtls_error_to_alert (int err, int *level);
326void MHD_gtls_perror (int error);
327const char *MHD_gtls_strerror (int error);
328
329/*
330 * Record layer functions.
331 */
332ssize_t MHD__gnutls_record_send (MHD_gtls_session_t session,
333 const void *data, size_t sizeofdata);
334ssize_t MHD__gnutls_record_recv (MHD_gtls_session_t session, void *data,
335 size_t sizeofdata);
336
337 /* provides extra compatibility */
338int MHD__gnutls_record_get_direction (MHD_gtls_session_t session);
339
340/*
341 * TLS Extensions
342 */
343typedef enum
344{
345 GNUTLS_NAME_DNS = 1
346} MHD_gnutls_server_name_type_t;
347
348 /* Supplemental data, RFC 4680. */
349typedef enum
350{
351 GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA = 0
352} MHD_gnutls_supplemental_data_format_type_t;
353
354
355int MHD_tls_set_default_priority (MHD_gnutls_priority_t *,
356 const char *priority, const char **err_pos);
357void MHD__gnutls_priority_deinit (MHD_gnutls_priority_t);
358
359int MHD__gnutls_priority_set (MHD_gtls_session_t session,
360 MHD_gnutls_priority_t);
361int MHD__gnutls_priority_set_direct (MHD_gtls_session_t session,
362 const char *priority,
363 const char **err_pos);
364
365/* get the currently used protocol version */
366enum MHD_GNUTLS_Protocol
367MHD__gnutls_protocol_get_version (MHD_gtls_session_t session);
368
369typedef
370 int (*MHD_gnutls_handshake_post_client_hello_func) (MHD_gtls_session_t);
371void MHD__gnutls_handshake_set_max_packet_length (MHD_gtls_session_t
372 session, size_t max);
373
374/*
375 * Functions for setting/clearing credentials
376 */
377void MHD__gnutls_credentials_clear (MHD_gtls_session_t session);
378
379/*
380 * cred is a structure defined by the kx algorithm
381 */
382int MHD__gnutls_credentials_set (MHD_gtls_session_t session,
383 enum MHD_GNUTLS_CredentialsType type,
384 void *cred);
385
386/* Credential structures - used in MHD__gnutls_credentials_set(); */
387struct MHD_gtls_certificate_credentials_st;
388typedef struct MHD_gtls_certificate_credentials_st
389 *MHD_gtls_cert_credentials_t;
390typedef MHD_gtls_cert_credentials_t MHD_gtls_cert_server_credentials;
391typedef MHD_gtls_cert_credentials_t MHD_gtls_cert_client_credentials;
392
393void MHD__gnutls_certificate_free_credentials (MHD_gtls_cert_credentials_t
394 sc);
395int
396MHD__gnutls_certificate_allocate_credentials (MHD_gtls_cert_credentials_t
397 * res);
398
399void MHD__gnutls_certificate_free_keys (MHD_gtls_cert_credentials_t sc);
400void MHD__gnutls_certificate_free_cas (MHD_gtls_cert_credentials_t sc);
401void MHD__gnutls_certificate_free_ca_names (MHD_gtls_cert_credentials_t sc);
402
403int MHD__gnutls_certificate_set_x509_key_mem (MHD_gtls_cert_credentials_t
404 res,
405 const MHD_gnutls_datum_t *
406 CERT,
407 const MHD_gnutls_datum_t *
408 KEY,
409 MHD_gnutls_x509_crt_fmt_t type);
410
411void MHD__gnutls_certificate_send_x509_rdn_sequence (MHD_gtls_session_t
412 session, int status);
413
414/*
415 * New functions to allow setting already parsed X.509 stuff.
416 */
417struct MHD_gtls_x509_privkey_int;
418typedef struct MHD_gtls_x509_privkey_int *MHD_gnutls_x509_privkey_t;
419
420struct MHD_gnutls_x509_crl_int;
421typedef struct MHD_gnutls_x509_crl_int *MHD_gnutls_x509_crl_t;
422
423struct MHD_gnutls_x509_crt_int;
424typedef struct MHD_gnutls_x509_crt_int *MHD_gnutls_x509_crt_t;
425
426/* global state functions
427 */
428
429
430typedef void *(*MHD_gnutls_alloc_function) (size_t);
431typedef int (*MHD_gnutls_is_secure_function) (const void *);
432typedef void *(*MHD_gnutls_calloc_function) (size_t, size_t);
433typedef void (*MHD_gnutls_free_function) (void *);
434typedef void *(*MHD_gnutls_realloc_function) (void *, size_t);
435
436/* For use in callbacks */
437extern MHD_gnutls_alloc_function MHD_gnutls_malloc;
438extern MHD_gnutls_alloc_function MHD_gnutls_secure_malloc;
439extern MHD_gnutls_realloc_function MHD_gnutls_realloc;
440extern MHD_gnutls_calloc_function MHD_gnutls_calloc;
441extern MHD_gnutls_free_function MHD_gnutls_free;
442
443typedef void (*MHD_gnutls_log_func) (int, const char *);
444void MHD_gtls_global_set_log_function (MHD_gnutls_log_func log_func);
445void MHD_gtls_global_set_log_level (int level);
446
447/*
448 * Diffie Hellman parameter handling.
449 */
450int MHD__gnutls_dh_params_init (MHD_gtls_dh_params_t * dh_params);
451void MHD__gnutls_dh_params_deinit (MHD_gtls_dh_params_t dh_params);
452
453
454/* RSA params */
455int MHD__gnutls_rsa_params_init (MHD_gtls_rsa_params_t * rsa_params);
456void MHD__gnutls_rsa_params_deinit (MHD_gtls_rsa_params_t rsa_params);
457int MHD__gnutls_rsa_params_generate2 (MHD_gtls_rsa_params_t params,
458 unsigned int bits);
459
460
461/*
462 * Session stuff
463 */
464typedef ssize_t (*MHD_gtls_pull_func) (MHD_gnutls_transport_ptr_t, void *,
465 size_t);
466typedef ssize_t (*MHD_gtls_push_func) (MHD_gnutls_transport_ptr_t,
467 const void *, size_t);
468void MHD__gnutls_transport_set_ptr (MHD_gtls_session_t session,
469 MHD_gnutls_transport_ptr_t ptr);
470void MHD__gnutls_transport_set_lowat (MHD_gtls_session_t session, int num);
471
472
473void MHD__gnutls_transport_set_push_function (MHD_gtls_session_t session,
474 MHD_gtls_push_func push_func);
475void MHD__gnutls_transport_set_pull_function (MHD_gtls_session_t session,
476 MHD_gtls_pull_func pull_func);
477
478typedef enum MHD_gnutls_x509_subject_alt_name_t
479{
480 GNUTLS_SAN_DNSNAME = 1,
481 GNUTLS_SAN_RFC822NAME,
482 GNUTLS_SAN_URI,
483 GNUTLS_SAN_IPADDRESS,
484 GNUTLS_SAN_OTHERNAME,
485 GNUTLS_SAN_DN,
486 /* The following are "virtual" subject alternative name types, in
487 that they are represented by an otherName value and an OID.
488 Used by MHD_gnutls_x509_crt_get_subject_alt_othername_oid(). */
489 GNUTLS_SAN_OTHERNAME_XMPP = 1000
490} MHD_gnutls_x509_subject_alt_name_t;
491
492typedef struct MHD_gnutls_retr_st
493{
494 enum MHD_GNUTLS_CertificateType type;
495 union cert
496 {
497 MHD_gnutls_x509_crt_t *x509;
498 } cert;
499 unsigned int ncerts;
500
501 union key
502 {
503 MHD_gnutls_x509_privkey_t x509;
504 } key;
505
506 unsigned int deinit_all; /* if non zero all keys will be deinited */
507} MHD_gnutls_retr_st;
508
509typedef int
510MHD_gnutls_certificate_client_retrieve_function (MHD_gtls_session_t,
511 const MHD_gnutls_datum_t
512 * req_ca_rdn, int nreqs,
513 const enum
514 MHD_GNUTLS_PublicKeyAlgorithm
515 *pk_algos,
516 int pk_algos_length,
517 MHD_gnutls_retr_st *);
518
519typedef int
520MHD_gnutls_certificate_server_retrieve_function (MHD_gtls_session_t,
521 MHD_gnutls_retr_st *);
522
523 /*
524 * Functions that allow auth_info_t structures handling
525 */
526enum MHD_GNUTLS_CredentialsType MHD_gtls_auth_get_type (MHD_gtls_session_t
527 session);
528 /*
529 * DH
530 */
531void MHD__gnutls_dh_set_prime_bits (MHD_gtls_session_t session,
532 unsigned int bits);
533
534 /* External signing callback. Experimental. */
535typedef int (*MHD_gnutls_sign_func) (MHD_gtls_session_t session,
536 void *userdata,
537 enum MHD_GNUTLS_CertificateType
538 cert_type,
539 const MHD_gnutls_datum_t * cert,
540 const MHD_gnutls_datum_t * hash,
541 MHD_gnutls_datum_t * signature);
542
543 /* key_usage will be an OR of the following values: */
544 /* when the key is to be used for signing: */
545#define GNUTLS_KEY_DIGITAL_SIGNATURE 128
546#define GNUTLS_KEY_NON_REPUDIATION 64
547 /* when the key is to be used for encryption: */
548#define GNUTLS_KEY_KEY_ENCIPHERMENT 32
549#define GNUTLS_KEY_DATA_ENCIPHERMENT 16
550#define GNUTLS_KEY_KEY_AGREEMENT 8
551#define GNUTLS_KEY_KEY_CERT_SIGN 4
552#define GNUTLS_KEY_CRL_SIGN 2
553#define GNUTLS_KEY_ENCIPHER_ONLY 1
554#define GNUTLS_KEY_DECIPHER_ONLY 32768
555
556 /*
557 * Error codes. TLS alert mapping shown in comments.
558 */
559#define GNUTLS_E_SUCCESS 0
560#define GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM -3
561#define GNUTLS_E_UNKNOWN_CIPHER_TYPE -6
562#define GNUTLS_E_LARGE_PACKET -7
563#define GNUTLS_E_UNSUPPORTED_VERSION_PACKET -8 /* GNUTLS_A_PROTOCOL_VERSION */
564#define GNUTLS_E_UNEXPECTED_PACKET_LENGTH -9 /* GNUTLS_A_RECORD_OVERFLOW */
565#define GNUTLS_E_INVALID_SESSION -10
566#define GNUTLS_E_FATAL_ALERT_RECEIVED -12
567#define GNUTLS_E_UNEXPECTED_PACKET -15 /* GNUTLS_A_UNEXPECTED_MESSAGE */
568#define GNUTLS_E_WARNING_ALERT_RECEIVED -16
569#define GNUTLS_E_ERROR_IN_FINISHED_PACKET -18
570#define GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET -19
571#define GNUTLS_E_UNKNOWN_CIPHER_SUITE -21 /* GNUTLS_A_HANDSHAKE_FAILURE */
572#define GNUTLS_E_UNWANTED_ALGORITHM -22
573#define GNUTLS_E_MPI_SCAN_FAILED -23
574#define GNUTLS_E_DECRYPTION_FAILED -24 /* GNUTLS_A_DECRYPTION_FAILED, GNUTLS_A_BAD_RECORD_MAC */
575#define GNUTLS_E_MEMORY_ERROR -25
576#define GNUTLS_E_DECOMPRESSION_FAILED -26 /* GNUTLS_A_DECOMPRESSION_FAILURE */
577#define GNUTLS_E_COMPRESSION_FAILED -27
578#define GNUTLS_E_AGAIN -28
579#define GNUTLS_E_EXPIRED -29
580#define GNUTLS_E_DB_ERROR -30
581#define GNUTLS_E_SRP_PWD_ERROR -31
582#define GNUTLS_E_INSUFFICIENT_CREDENTIALS -32
583#define GNUTLS_E_INSUFICIENT_CREDENTIALS GNUTLS_E_INSUFFICIENT_CREDENTIALS /* for backwards compatibility only */
584#define GNUTLS_E_INSUFFICIENT_CRED GNUTLS_E_INSUFFICIENT_CREDENTIALS
585#define GNUTLS_E_INSUFICIENT_CRED GNUTLS_E_INSUFFICIENT_CREDENTIALS /* for backwards compatibility only */
586
587#define GNUTLS_E_HASH_FAILED -33
588#define GNUTLS_E_BASE64_DECODING_ERROR -34
589
590#define GNUTLS_E_MPI_PRINT_FAILED -35
591#define GNUTLS_E_REHANDSHAKE -37 /* GNUTLS_A_NO_RENEGOTIATION */
592#define GNUTLS_E_GOT_APPLICATION_DATA -38
593#define GNUTLS_E_RECORD_LIMIT_REACHED -39
594#define GNUTLS_E_ENCRYPTION_FAILED -40
595
596#define GNUTLS_E_PK_ENCRYPTION_FAILED -44
597#define GNUTLS_E_PK_DECRYPTION_FAILED -45
598#define GNUTLS_E_PK_SIGN_FAILED -46
599#define GNUTLS_E_X509_UNSUPPORTED_CRITICAL_EXTENSION -47
600#define GNUTLS_E_KEY_USAGE_VIOLATION -48
601#define GNUTLS_E_NO_CERTIFICATE_FOUND -49 /* GNUTLS_A_BAD_CERTIFICATE */
602#define GNUTLS_E_INVALID_REQUEST -50
603#define GNUTLS_E_SHORT_MEMORY_BUFFER -51
604#define GNUTLS_E_INTERRUPTED -52
605#define GNUTLS_E_PUSH_ERROR -53
606#define GNUTLS_E_PULL_ERROR -54
607#define GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER -55 /* GNUTLS_A_ILLEGAL_PARAMETER */
608#define GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE -56
609#define GNUTLS_E_PKCS1_WRONG_PAD -57
610#define GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION -58
611#define GNUTLS_E_INTERNAL_ERROR -59
612#define GNUTLS_E_DH_PRIME_UNACCEPTABLE -63
613#define GNUTLS_E_FILE_ERROR -64
614#define GNUTLS_E_TOO_MANY_EMPTY_PACKETS -78
615#define GNUTLS_E_UNKNOWN_PK_ALGORITHM -80
616
617
618 /* returned if libextra functionality was requested but
619 * MHD_gnutls_global_init_extra() was not called.
620 */
621#define GNUTLS_E_INIT_LIBEXTRA -82
622#define GNUTLS_E_LIBRARY_VERSION_MISMATCH -83
623
624
625 /* returned if you need to generate temporary RSA
626 * parameters. These are needed for export cipher suites.
627 */
628#define GNUTLS_E_NO_TEMPORARY_RSA_PARAMS -84
629
630#define GNUTLS_E_LZO_INIT_FAILED -85
631#define GNUTLS_E_NO_COMPRESSION_ALGORITHMS -86
632#define GNUTLS_E_NO_CIPHER_SUITES -87
633
634#define GNUTLS_E_PK_SIG_VERIFY_FAILED -89
635
636#define GNUTLS_E_ILLEGAL_SRP_USERNAME -90
637#define GNUTLS_E_SRP_PWD_PARSING_ERROR -91
638#define GNUTLS_E_NO_TEMPORARY_DH_PARAMS -93
639
640 /* For certificate and key stuff
641 */
642#define GNUTLS_E_ASN1_ELEMENT_NOT_FOUND -67
643#define GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND -68
644#define GNUTLS_E_ASN1_DER_ERROR -69
645#define GNUTLS_E_ASN1_VALUE_NOT_FOUND -70
646#define GNUTLS_E_ASN1_GENERIC_ERROR -71
647#define GNUTLS_E_ASN1_VALUE_NOT_VALID -72
648#define GNUTLS_E_ASN1_TAG_ERROR -73
649#define GNUTLS_E_ASN1_TAG_IMPLICIT -74
650#define GNUTLS_E_ASN1_TYPE_ANY_ERROR -75
651#define GNUTLS_E_ASN1_SYNTAX_ERROR -76
652#define GNUTLS_E_ASN1_DER_OVERFLOW -77
653#define GNUTLS_E_CERTIFICATE_ERROR -43
654#define GNUTLS_E_X509_CERTIFICATE_ERROR GNUTLS_E_CERTIFICATE_ERROR
655#define GNUTLS_E_CERTIFICATE_KEY_MISMATCH -60
656#define GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE -61 /* GNUTLS_A_UNSUPPORTED_CERTIFICATE */
657#define GNUTLS_E_X509_UNKNOWN_SAN -62
658#define GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE -95
659#define GNUTLS_E_UNKNOWN_HASH_ALGORITHM -96
660#define GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE -97
661#define GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE -98
662#define GNUTLS_E_INVALID_PASSWORD -99
663#define GNUTLS_E_MAC_VERIFY_FAILED -100 /* for PKCS #12 MAC */
664#define GNUTLS_E_CONSTRAINT_ERROR -101
665
666#define GNUTLS_E_WARNING_IA_IPHF_RECEIVED -102
667#define GNUTLS_E_WARNING_IA_FPHF_RECEIVED -103
668
669#define GNUTLS_E_IA_VERIFY_FAILED -104
670
671#define GNUTLS_E_UNKNOWN_ALGORITHM -105
672
673#define GNUTLS_E_BASE64_ENCODING_ERROR -201
674#define GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY -202 /* obsolete */
675#define GNUTLS_E_INCOMPATIBLE_CRYPTO_LIBRARY -202
676#define GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY -203
677
678#define GNUTLS_E_X509_UNSUPPORTED_OID -205
679
680#define GNUTLS_E_RANDOM_FAILED -206
681#define GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR -207
682
683
684#define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
685
686#define GNUTLS_E_APPLICATION_ERROR_MAX -65000
687#define GNUTLS_E_APPLICATION_ERROR_MIN -65500
688
689
690#if 0 /* keep Emacsens' auto-indent happy */
691{
692#endif
693#ifdef __cplusplus
694}
695#endif
696
697#endif /* GNUTLS_H */
diff --git a/src/daemon/https/lgl/Makefile.am b/src/daemon/https/lgl/Makefile.am
deleted file mode 100644
index 5659d5c5..00000000
--- a/src/daemon/https/lgl/Makefile.am
+++ /dev/null
@@ -1,13 +0,0 @@
1AM_CPPFLAGS = \
2 -I$(top_srcdir)/src/include @LIBGCRYPT_CFLAGS@
3
4if USE_COVERAGE
5 AM_CFLAGS = -fprofile-arcs -ftest-coverage
6endif
7
8noinst_LTLIBRARIES = liblgl.la
9
10liblgl_la_SOURCES = \
11 gc-libgcrypt.c \
12 gc.h
13liblgl_la_LIBADD = @LIBGCRYPT_LIBS@
diff --git a/src/daemon/https/lgl/gc-libgcrypt.c b/src/daemon/https/lgl/gc-libgcrypt.c
deleted file mode 100644
index 09957405..00000000
--- a/src/daemon/https/lgl/gc-libgcrypt.c
+++ /dev/null
@@ -1,407 +0,0 @@
1/* gc-libgcrypt.c --- Crypto wrappers around Libgcrypt for GC.
2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007 Simon Josefsson
3 *
4 * This file is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU Lesser General Public License as published
6 * by the Free Software Foundation; either version 2.1, or (at your
7 * option) any later version.
8 *
9 * This file is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public License
15 * along with this file; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 *
19 */
20
21/* Note: This file is only built if GC uses Libgcrypt. */
22
23#include "MHD_config.h"
24
25/* Get prototype. */
26#include "gc.h"
27
28#include <stdlib.h>
29#include <string.h>
30
31/* Get libgcrypt API. */
32#include <gcrypt.h>
33
34#include <assert.h>
35
36/* Initialization. */
37
38Gc_rc
39MHD_gc_init (void)
40{
41 gcry_error_t err;
42
43 err = gcry_control (GCRYCTL_ANY_INITIALIZATION_P);
44 if (err == GPG_ERR_NO_ERROR)
45 {
46 if (gcry_check_version (GCRYPT_VERSION) == NULL)
47 return GC_INIT_ERROR;
48
49 err = gcry_control (GCRYCTL_INITIALIZATION_FINISHED, NULL, 0);
50 if (err != GPG_ERR_NO_ERROR)
51 return GC_INIT_ERROR;
52 }
53 return GC_OK;
54}
55
56void
57MHD_gc_done (void)
58{
59 return;
60}
61
62#ifdef GNULIB_GC_RANDOM
63
64/* Randomness. */
65
66Gc_rc
67MHD_gc_nonce (char *data, size_t datalen)
68{
69 gcry_create_nonce ((unsigned char *) data, datalen);
70 return GC_OK;
71}
72
73Gc_rc
74MHD_gc_pseudo_random (char *data, size_t datalen)
75{
76 gcry_randomize ((unsigned char *) data, datalen, GCRY_STRONG_RANDOM);
77 return GC_OK;
78}
79
80#endif
81
82/* Memory allocation. */
83
84/* Ciphers. */
85
86Gc_rc
87MHD_gc_cipher_open (Gc_cipher alg,
88 Gc_cipher_mode mode, MHD_gc_cipher_handle * outhandle)
89{
90 int gcryalg, gcrymode;
91 gcry_error_t err;
92
93 switch (alg)
94 {
95 case GC_AES128:
96 gcryalg = GCRY_CIPHER_RIJNDAEL;
97 break;
98
99 case GC_AES192:
100 gcryalg = GCRY_CIPHER_RIJNDAEL;
101 break;
102
103 case GC_AES256:
104 gcryalg = GCRY_CIPHER_RIJNDAEL256;
105 break;
106
107 case GC_3DES:
108 gcryalg = GCRY_CIPHER_3DES;
109 break;
110
111 case GC_DES:
112 gcryalg = GCRY_CIPHER_DES;
113 break;
114
115 case GC_ARCFOUR128:
116 case GC_ARCFOUR40:
117 gcryalg = GCRY_CIPHER_ARCFOUR;
118 break;
119
120 case GC_ARCTWO40:
121 gcryalg = GCRY_CIPHER_RFC2268_40;
122 break;
123
124 default:
125 return GC_INVALID_CIPHER;
126 }
127
128 switch (mode)
129 {
130 case GC_ECB:
131 gcrymode = GCRY_CIPHER_MODE_ECB;
132 break;
133
134 case GC_CBC:
135 gcrymode = GCRY_CIPHER_MODE_CBC;
136 break;
137
138 case GC_STREAM:
139 gcrymode = GCRY_CIPHER_MODE_STREAM;
140 break;
141
142 default:
143 return GC_INVALID_CIPHER;
144 }
145
146 err =
147 gcry_cipher_open ((gcry_cipher_hd_t *) outhandle, gcryalg, gcrymode, 0);
148 if (gcry_err_code (err))
149 return GC_INVALID_CIPHER;
150
151 return GC_OK;
152}
153
154Gc_rc
155MHD_gc_cipher_setkey (MHD_gc_cipher_handle handle, size_t keylen,
156 const char *key)
157{
158 gcry_error_t err;
159
160 err = gcry_cipher_setkey ((gcry_cipher_hd_t) handle, key, keylen);
161 if (gcry_err_code (err))
162 return GC_INVALID_CIPHER;
163
164 return GC_OK;
165}
166
167Gc_rc
168MHD_gc_cipher_setiv (MHD_gc_cipher_handle handle, size_t ivlen,
169 const char *iv)
170{
171 gcry_error_t err;
172
173 err = gcry_cipher_setiv ((gcry_cipher_hd_t) handle, iv, ivlen);
174 if (gcry_err_code (err))
175 return GC_INVALID_CIPHER;
176
177 return GC_OK;
178}
179
180Gc_rc
181MHD_gc_cipher_encrypt_inline (MHD_gc_cipher_handle handle, size_t len,
182 char *data)
183{
184 if (gcry_cipher_encrypt ((gcry_cipher_hd_t) handle, data, len, NULL, len) !=
185 0)
186 return GC_INVALID_CIPHER;
187
188 return GC_OK;
189}
190
191Gc_rc
192MHD_gc_cipher_decrypt_inline (MHD_gc_cipher_handle handle, size_t len,
193 char *data)
194{
195 if (gcry_cipher_decrypt ((gcry_cipher_hd_t) handle, data, len, NULL, len) !=
196 0)
197 return GC_INVALID_CIPHER;
198
199 return GC_OK;
200}
201
202Gc_rc
203MHD_gc_cipher_close (MHD_gc_cipher_handle handle)
204{
205 gcry_cipher_close (handle);
206
207 return GC_OK;
208}
209
210/* Hashes. */
211
212typedef struct _MHD_gc_hash_ctx
213{
214 Gc_hash alg;
215 Gc_hash_mode mode;
216 gcry_md_hd_t gch;
217} _MHD_gc_hash_ctx;
218
219Gc_rc
220MHD_gc_hash_open (Gc_hash hash, Gc_hash_mode mode,
221 MHD_gc_hash_handle * outhandle)
222{
223 _MHD_gc_hash_ctx *ctx;
224 int gcryalg = 0, gcrymode = 0;
225 gcry_error_t err;
226 Gc_rc rc = GC_OK;
227
228 ctx = calloc (sizeof (*ctx), 1);
229 if (!ctx)
230 return GC_MALLOC_ERROR;
231
232 ctx->alg = hash;
233 ctx->mode = mode;
234
235 switch (hash)
236 {
237 case GC_MD2:
238 gcryalg = GCRY_MD_NONE;
239 break;
240
241 case GC_MD4:
242 gcryalg = GCRY_MD_MD4;
243 break;
244
245 case GC_MD5:
246 gcryalg = GCRY_MD_MD5;
247 break;
248
249 case GC_SHA1:
250 gcryalg = GCRY_MD_SHA1;
251 break;
252
253 case GC_SHA256:
254 gcryalg = GCRY_MD_SHA256;
255 break;
256
257 case GC_SHA384:
258 gcryalg = GCRY_MD_SHA384;
259 break;
260
261 case GC_SHA512:
262 gcryalg = GCRY_MD_SHA512;
263 break;
264
265 case GC_RMD160:
266 gcryalg = GCRY_MD_RMD160;
267 break;
268
269 default:
270 rc = GC_INVALID_HASH;
271 }
272
273 switch (mode)
274 {
275 case 0:
276 gcrymode = 0;
277 break;
278
279 case GC_HMAC:
280 gcrymode = GCRY_MD_FLAG_HMAC;
281 break;
282
283 default:
284 rc = GC_INVALID_HASH;
285 }
286
287 if (rc == GC_OK && gcryalg != GCRY_MD_NONE)
288 {
289 err = gcry_md_open (&ctx->gch, gcryalg, gcrymode);
290 if (gcry_err_code (err))
291 rc = GC_INVALID_HASH;
292 }
293
294 if (rc == GC_OK)
295 *outhandle = ctx;
296 else
297 free (ctx);
298
299 return rc;
300}
301
302Gc_rc
303MHD_gc_hash_clone (MHD_gc_hash_handle handle, MHD_gc_hash_handle * outhandle)
304{
305 _MHD_gc_hash_ctx *in = handle;
306 _MHD_gc_hash_ctx *out;
307 int err;
308
309 *outhandle = out = calloc (sizeof (*out), 1);
310 if (!out)
311 return GC_MALLOC_ERROR;
312
313 memcpy (out, in, sizeof (*out));
314
315 err = gcry_md_copy (&out->gch, in->gch);
316 if (err)
317 {
318 free (out);
319 return GC_INVALID_HASH;
320 }
321
322 return GC_OK;
323}
324
325size_t
326MHD_gc_hash_digest_length (Gc_hash hash)
327{
328 size_t len;
329
330 switch (hash)
331 {
332 case GC_MD2:
333 len = GC_MD2_DIGEST_SIZE;
334 break;
335
336 case GC_MD4:
337 len = GC_MD4_DIGEST_SIZE;
338 break;
339
340 case GC_MD5:
341 len = GC_MD5_DIGEST_SIZE;
342 break;
343
344 case GC_RMD160:
345 len = GC_RMD160_DIGEST_SIZE;
346 break;
347
348 case GC_SHA1:
349 len = GC_SHA1_DIGEST_SIZE;
350 break;
351
352 case GC_SHA256:
353 len = GC_SHA256_DIGEST_SIZE;
354 break;
355
356 case GC_SHA384:
357 len = GC_SHA384_DIGEST_SIZE;
358 break;
359
360 case GC_SHA512:
361 len = GC_SHA512_DIGEST_SIZE;
362 break;
363
364 default:
365 return 0;
366 }
367
368 return len;
369}
370
371void
372MHD_gc_hash_MHD_hmac_setkey (MHD_gc_hash_handle handle, size_t len,
373 const char *key)
374{
375 _MHD_gc_hash_ctx *ctx = handle;
376 gcry_md_setkey (ctx->gch, key, len);
377}
378
379void
380MHD_gc_hash_write (MHD_gc_hash_handle handle, size_t len, const char *data)
381{
382 _MHD_gc_hash_ctx *ctx = handle;
383 gcry_md_write (ctx->gch, data, len);
384}
385
386const char *
387MHD_gc_hash_read (MHD_gc_hash_handle handle)
388{
389 _MHD_gc_hash_ctx *ctx = handle;
390 const char *digest;
391 {
392 gcry_md_final (ctx->gch);
393 digest = (const char *) gcry_md_read (ctx->gch, 0);
394 }
395
396 return digest;
397}
398
399void
400MHD_gc_hash_close (MHD_gc_hash_handle handle)
401{
402 _MHD_gc_hash_ctx *ctx = handle;
403
404 gcry_md_close (ctx->gch);
405
406 free (ctx);
407}
diff --git a/src/daemon/https/lgl/gc.h b/src/daemon/https/lgl/gc.h
deleted file mode 100644
index 30c4e45b..00000000
--- a/src/daemon/https/lgl/gc.h
+++ /dev/null
@@ -1,172 +0,0 @@
1/* gc.h --- Header file for implementation agnostic crypto wrapper API.
2 * Copyright (C) 2002, 2003, 2004, 2005, 2007 Simon Josefsson
3 *
4 * This file is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU Lesser General Public License as published
6 * by the Free Software Foundation; either version 2.1, or (at your
7 * option) any later version.
8 *
9 * This file is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public License
15 * along with this file; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 *
19 */
20
21#ifndef GC_H
22#define GC_H
23
24/* Get size_t. */
25# include <stddef.h>
26
27enum Gc_rc
28{
29 GC_OK = 0,
30 GC_MALLOC_ERROR,
31 GC_INIT_ERROR,
32 GC_RANDOM_ERROR,
33 GC_INVALID_CIPHER,
34 GC_INVALID_HASH,
35 GC_PKCS5_INVALID_ITERATION_COUNT,
36 GC_PKCS5_INVALID_DERIVED_KEY_LENGTH,
37 GC_PKCS5_DERIVED_KEY_TOO_LONG
38};
39typedef enum Gc_rc Gc_rc;
40
41/* Hash types. */
42enum Gc_hash
43{
44 GC_MD4,
45 GC_MD5,
46 GC_SHA1,
47 GC_MD2,
48 GC_RMD160,
49 GC_SHA256,
50 GC_SHA384,
51 GC_SHA512
52};
53typedef enum Gc_hash Gc_hash;
54
55enum Gc_hash_mode
56{
57 GC_HMAC = 1
58};
59typedef enum Gc_hash_mode Gc_hash_mode;
60
61typedef void *MHD_gc_hash_handle;
62
63#define GC_MD2_DIGEST_SIZE 16
64#define GC_MD4_DIGEST_SIZE 16
65#define GC_MD5_DIGEST_SIZE 16
66#define GC_RMD160_DIGEST_SIZE 20
67#define GC_SHA1_DIGEST_SIZE 20
68#define GC_SHA256_DIGEST_SIZE 32
69#define GC_SHA384_DIGEST_SIZE 48
70#define GC_SHA512_DIGEST_SIZE 64
71
72/* Cipher types. */
73enum Gc_cipher
74{
75 GC_AES128,
76 GC_AES192,
77 GC_AES256,
78 GC_3DES,
79 GC_DES,
80 GC_ARCFOUR128,
81 GC_ARCFOUR40,
82 GC_ARCTWO40,
83 GC_CAMELLIA128,
84 GC_CAMELLIA256
85};
86typedef enum Gc_cipher Gc_cipher;
87
88enum Gc_cipher_mode
89{
90 GC_ECB,
91 GC_CBC,
92 GC_STREAM
93};
94typedef enum Gc_cipher_mode Gc_cipher_mode;
95
96typedef void *MHD_gc_cipher_handle;
97
98/* Call before respectively after any other functions. */
99Gc_rc MHD_gc_init (void);
100void MHD_gc_done (void);
101
102/* Memory allocation (avoid). */
103typedef void *(*MHD_gc_malloc_t) (size_t n);
104typedef int (*MHD_gc_secure_check_t) (const void *);
105typedef void *(*MHD_gc_realloc_t) (void *p, size_t n);
106typedef void (*MHD_gc_free_t) (void *);
107/* Randomness. */
108Gc_rc MHD_gc_nonce (char *data, size_t datalen);
109Gc_rc MHD_gc_pseudo_random (char *data, size_t datalen);
110
111/* Ciphers. */
112Gc_rc MHD_gc_cipher_open (Gc_cipher cipher,
113 Gc_cipher_mode mode,
114 MHD_gc_cipher_handle * outhandle);
115Gc_rc MHD_gc_cipher_setkey (MHD_gc_cipher_handle handle, size_t keylen,
116 const char *key);
117Gc_rc MHD_gc_cipher_setiv (MHD_gc_cipher_handle handle, size_t ivlen,
118 const char *iv);
119Gc_rc MHD_gc_cipher_encrypt_inline (MHD_gc_cipher_handle handle, size_t len,
120 char *data);
121Gc_rc MHD_gc_cipher_decrypt_inline (MHD_gc_cipher_handle handle, size_t len,
122 char *data);
123Gc_rc MHD_gc_cipher_close (MHD_gc_cipher_handle handle);
124
125/* Hashes. */
126
127Gc_rc MHD_gc_hash_open (Gc_hash hash,
128 Gc_hash_mode mode, MHD_gc_hash_handle * outhandle);
129Gc_rc MHD_gc_hash_clone (MHD_gc_hash_handle handle,
130 MHD_gc_hash_handle * outhandle);
131size_t MHD_gc_hash_digest_length (Gc_hash hash);
132void MHD_gc_hash_MHD_hmac_setkey (MHD_gc_hash_handle handle, size_t len,
133 const char *key);
134void MHD_gc_hash_write (MHD_gc_hash_handle handle, size_t len,
135 const char *data);
136const char *MHD_gc_hash_read (MHD_gc_hash_handle handle);
137void MHD_gc_hash_close (MHD_gc_hash_handle handle);
138
139/* Compute a hash value over buffer IN of INLEN bytes size using the
140 algorithm HASH, placing the result in the pre-allocated buffer OUT.
141 The required size of OUT depends on HASH, and is generally
142 GC_<HASH>_DIGEST_SIZE. For example, for GC_MD5 the output buffer
143 must be 16 bytes. The return value is 0 (GC_OK) on success, or
144 another Gc_rc error code. */
145Gc_rc MHD_gc_hash_buffer (Gc_hash hash, const void *in, size_t inlen,
146 char *out);
147
148/* One-call interface. */
149Gc_rc MHD_gc_md2 (const void *in, size_t inlen, void *resbuf);
150Gc_rc MHD_gc_md4 (const void *in, size_t inlen, void *resbuf);
151Gc_rc MHD_gc_md5 (const void *in, size_t inlen, void *resbuf);
152Gc_rc MHD_gc_sha1 (const void *in, size_t inlen, void *resbuf);
153Gc_rc MHD_gc_MHD_hmac_md5 (const void *key,
154 size_t keylen, const void *in, size_t inlen,
155 char *resbuf);
156Gc_rc MHD_gc_MHD_hmac_sha1 (const void *key, size_t keylen, const void *in,
157 size_t inlen, char *resbuf);
158
159/* Derive cryptographic keys from a password P of length PLEN, with
160 salt S of length SLEN, placing the result in pre-allocated buffer
161 DK of length DKLEN. An iteration count is specified in C, where a
162 larger value means this function take more time (typical iteration
163 counts are 1000-20000). This function "stretches" the key to be
164 exactly dkLen bytes long. GC_OK is returned on success, otherwise
165 an Gc_rc error code is returned. */
166Gc_rc MHD_gc_pbkdf2_sha1 (const char *P,
167 size_t Plen,
168 const char *S,
169 size_t Slen, unsigned int c, char *DK,
170 size_t dkLen);
171
172#endif /* GC_H */
diff --git a/src/daemon/https/minitasn1/Makefile.am b/src/daemon/https/minitasn1/Makefile.am
deleted file mode 100644
index 1d5c68d9..00000000
--- a/src/daemon/https/minitasn1/Makefile.am
+++ /dev/null
@@ -1,18 +0,0 @@
1AM_CPPFLAGS = \
2 -I$(top_srcdir)/src/include \
3 -I$(top_srcdir)/src/daemon/https/lgl \
4 -I$(top_srcdir)/src/daemon/https/tls
5
6if USE_COVERAGE
7 AM_CFLAGS = -fprofile-arcs -ftest-coverage
8endif
9
10noinst_LTLIBRARIES = libasn1.la
11
12libasn1_la_SOURCES = \
13libtasn1.h \
14mem.h \
15gstr.h \
16int.h \
17parser_aux.h structure.h element.h decoding.c gstr.c \
18parser_aux.c structure.c element.c coding.c
diff --git a/src/daemon/https/minitasn1/README b/src/daemon/https/minitasn1/README
deleted file mode 100644
index 9d484dfc..00000000
--- a/src/daemon/https/minitasn1/README
+++ /dev/null
@@ -1,3 +0,0 @@
1This is just a mirror of the files in the libtasn1's
2lib/ directory.
3
diff --git a/src/daemon/https/minitasn1/coding.c b/src/daemon/https/minitasn1/coding.c
deleted file mode 100644
index 02d04683..00000000
--- a/src/daemon/https/minitasn1/coding.c
+++ /dev/null
@@ -1,1211 +0,0 @@
1/*
2 * Copyright (C) 2004, 2006 Free Software Foundation
3 * Copyright (C) 2002 Fabio Fiorina
4 *
5 * This file is part of LIBTASN1.
6 *
7 * The LIBTASN1 library is free software; you can redistribute it
8 * and/or modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 * 02110-1301, USA
21 */
22
23
24/*****************************************************/
25/* File: coding.c */
26/* Description: Functions to create a DER coding of */
27/* an ASN1 type. */
28/*****************************************************/
29
30#include <int.h>
31#include "parser_aux.h"
32#include <gstr.h>
33#include "element.h"
34#include <structure.h>
35
36#define MAX_TAG_LEN 16
37
38/******************************************************/
39/* Function : MHD__asn1_error_description_value_not_found */
40/* Description: creates the ErrorDescription string */
41/* for the ASN1_VALUE_NOT_FOUND error. */
42/* Parameters: */
43/* node: node of the tree where the value is NULL. */
44/* ErrorDescription: string returned. */
45/* Return: */
46/******************************************************/
47static void
48MHD__asn1_error_description_value_not_found (node_asn * node,
49 char *ErrorDescription)
50{
51
52 if (ErrorDescription == NULL)
53 return;
54
55 Estrcpy (ErrorDescription, ":: value of element '");
56 MHD__asn1_hierarchical_name (node,
57 ErrorDescription + strlen (ErrorDescription),
58 MAX_ERROR_DESCRIPTION_SIZE - 40);
59 Estrcat (ErrorDescription, "' not found");
60
61}
62
63/**
64 * MHD__asn1_length_der:
65 * @len: value to convert.
66 * @ans: string returned.
67 * @ans_len: number of meaningful bytes of ANS (ans[0]..ans[ans_len-1]).
68 *
69 * Creates the DER coding for the LEN parameter (only the length).
70 * The @ans buffer is pre-allocated and must have room for the output.
71 **/
72void
73MHD__asn1_length_der (unsigned long int len, unsigned char *ans, int *ans_len)
74{
75 int k;
76 unsigned char temp[SIZEOF_UNSIGNED_LONG_INT];
77
78 if (len < 128)
79 {
80 /* short form */
81 if (ans != NULL)
82 ans[0] = (unsigned char) len;
83 *ans_len = 1;
84 }
85 else
86 {
87 /* Long form */
88 k = 0;
89 while (len)
90 {
91 temp[k++] = len & 0xFF;
92 len = len >> 8;
93 }
94 *ans_len = k + 1;
95 if (ans != NULL)
96 {
97 ans[0] = ((unsigned char) k & 0x7F) + 128;
98 while (k--)
99 ans[*ans_len - 1 - k] = temp[k];
100 }
101 }
102}
103
104/******************************************************/
105/* Function : MHD__asn1_tag_der */
106/* Description: creates the DER coding for the CLASS */
107/* and TAG parameters. */
108/* Parameters: */
109/* class: value to convert. */
110/* tag_value: value to convert. */
111/* ans: string returned. */
112/* ans_len: number of meaningful bytes of ANS */
113/* (ans[0]..ans[ans_len-1]). */
114/* Return: */
115/******************************************************/
116static void
117MHD__asn1_tag_der (unsigned char class, unsigned int tag_value,
118 unsigned char *ans, int *ans_len)
119{
120 int k;
121 unsigned char temp[SIZEOF_UNSIGNED_INT];
122
123 if (tag_value < 31)
124 {
125 /* short form */
126 ans[0] = (class & 0xE0) + ((unsigned char) (tag_value & 0x1F));
127 *ans_len = 1;
128 }
129 else
130 {
131 /* Long form */
132 ans[0] = (class & 0xE0) + 31;
133 k = 0;
134 while (tag_value)
135 {
136 temp[k++] = tag_value & 0x7F;
137 tag_value = tag_value >> 7;
138 }
139 *ans_len = k + 1;
140 while (k--)
141 ans[*ans_len - 1 - k] = temp[k] + 128;
142 ans[*ans_len - 1] -= 128;
143 }
144}
145
146/**
147 * MHD__asn1_octet_der:
148 * @str: OCTET string.
149 * @str_len: STR length (str[0]..str[str_len-1]).
150 * @der: string returned.
151 * @der_len: number of meaningful bytes of DER (der[0]..der[ans_len-1]).
152 *
153 * Creates the DER coding for an OCTET type (length included).
154 **/
155void
156MHD__asn1_octet_der (const unsigned char *str, int str_len,
157 unsigned char *der, int *der_len)
158{
159 int len_len;
160
161 if (der == NULL || str_len < 0)
162 return;
163 MHD__asn1_length_der (str_len, der, &len_len);
164 memcpy (der + len_len, str, str_len);
165 *der_len = str_len + len_len;
166}
167
168/******************************************************/
169/* Function : MHD__asn1_time_der */
170/* Description: creates the DER coding for a TIME */
171/* type (length included). */
172/* Parameters: */
173/* str: TIME null-terminated string. */
174/* der: string returned. */
175/* der_len: number of meaningful bytes of DER */
176/* (der[0]..der[ans_len-1]). Initially it */
177/* if must store the lenght of DER. */
178/* Return: */
179/* ASN1_MEM_ERROR when DER isn't big enough */
180/* ASN1_SUCCESS otherwise */
181/******************************************************/
182static MHD__asn1_retCode
183MHD__asn1_time_der (unsigned char *str, unsigned char *der, int *der_len)
184{
185 int len_len;
186 int max_len;
187
188 max_len = *der_len;
189
190 MHD__asn1_length_der (strlen ((const char *) str),
191 (max_len > 0) ? der : NULL, &len_len);
192
193 if ((len_len + (int) strlen ((const char *) str)) <= max_len)
194 memcpy (der + len_len, str, strlen ((const char *) str));
195 *der_len = len_len + strlen ((const char *) str);
196
197 if ((*der_len) > max_len)
198 return ASN1_MEM_ERROR;
199
200 return ASN1_SUCCESS;
201}
202
203/******************************************************/
204/* Function : MHD__asn1_objectid_der */
205/* Description: creates the DER coding for an */
206/* OBJECT IDENTIFIER type (length included). */
207/* Parameters: */
208/* str: OBJECT IDENTIFIER null-terminated string. */
209/* der: string returned. */
210/* der_len: number of meaningful bytes of DER */
211/* (der[0]..der[ans_len-1]). Initially it */
212/* must store the length of DER. */
213/* Return: */
214/* ASN1_MEM_ERROR when DER isn't big enough */
215/* ASN1_SUCCESS otherwise */
216/******************************************************/
217static MHD__asn1_retCode
218MHD__asn1_objectid_der (unsigned char *str, unsigned char *der, int *der_len)
219{
220 int len_len, counter, k, first, max_len;
221 char *temp, *n_end, *n_start;
222 unsigned char bit7;
223 unsigned long val, val1 = 0;
224
225 max_len = *der_len;
226
227 temp = (char *) MHD__asn1_alloca (strlen ((const char *) str) + 2);
228 if (temp == NULL)
229 return ASN1_MEM_ALLOC_ERROR;
230
231 strcpy (temp, (const char *) str);
232 strcat (temp, ".");
233
234 counter = 0;
235 n_start = temp;
236 while ((n_end = strchr (n_start, '.')))
237 {
238 *n_end = 0;
239 val = strtoul (n_start, NULL, 10);
240 counter++;
241
242 if (counter == 1)
243 val1 = val;
244 else if (counter == 2)
245 {
246 if (max_len > 0)
247 der[0] = 40 * val1 + val;
248 *der_len = 1;
249 }
250 else
251 {
252 first = 0;
253 for (k = 4; k >= 0; k--)
254 {
255 bit7 = (val >> (k * 7)) & 0x7F;
256 if (bit7 || first || !k)
257 {
258 if (k)
259 bit7 |= 0x80;
260 if (max_len > (*der_len))
261 der[*der_len] = bit7;
262 (*der_len)++;
263 first = 1;
264 }
265 }
266
267 }
268 n_start = n_end + 1;
269 }
270
271 MHD__asn1_length_der (*der_len, NULL, &len_len);
272 if (max_len >= (*der_len + len_len))
273 {
274 memmove (der + len_len, der, *der_len);
275 MHD__asn1_length_der (*der_len, der, &len_len);
276 }
277 *der_len += len_len;
278
279 MHD__asn1_afree (temp);
280
281 if (max_len < (*der_len))
282 return ASN1_MEM_ERROR;
283
284 return ASN1_SUCCESS;
285}
286
287
288const char MHD_bit_mask[] =
289 { 0xFF, 0xFE, 0xFC, 0xF8, 0xF0, 0xE0, 0xC0, 0x80 };
290
291/**
292 * MHD__asn1_bit_der:
293 * @str: BIT string.
294 * @bit_len: number of meaningful bits in STR.
295 * @der: string returned.
296 * @der_len: number of meaningful bytes of DER
297 * (der[0]..der[ans_len-1]).
298 *
299 * Creates the DER coding for a BIT STRING type (length and pad
300 * included).
301 **/
302void
303MHD__asn1_bit_der (const unsigned char *str, int bit_len,
304 unsigned char *der, int *der_len)
305{
306 int len_len, len_byte, len_pad;
307
308 if (der == NULL)
309 return;
310 len_byte = bit_len >> 3;
311 len_pad = 8 - (bit_len & 7);
312 if (len_pad == 8)
313 len_pad = 0;
314 else
315 len_byte++;
316 MHD__asn1_length_der (len_byte + 1, der, &len_len);
317 der[len_len] = len_pad;
318 memcpy (der + len_len + 1, str, len_byte);
319 der[len_len + len_byte] &= MHD_bit_mask[len_pad];
320 *der_len = len_byte + len_len + 1;
321}
322
323
324/******************************************************/
325/* Function : MHD__asn1_complete_explicit_tag */
326/* Description: add the length coding to the EXPLICIT */
327/* tags. */
328/* Parameters: */
329/* node: pointer to the tree element. */
330/* der: string with the DER coding of the whole tree*/
331/* counter: number of meaningful bytes of DER */
332/* (der[0]..der[*counter-1]). */
333/* max_len: size of der vector */
334/* Return: */
335/* ASN1_MEM_ERROR if der vector isn't big enough, */
336/* otherwise ASN1_SUCCESS. */
337/******************************************************/
338static MHD__asn1_retCode
339MHD__asn1_complete_explicit_tag (node_asn * node, unsigned char *der,
340 int *counter, int *max_len)
341{
342 node_asn *p;
343 int is_tag_implicit, len2, len3;
344 unsigned char temp[SIZEOF_UNSIGNED_INT];
345
346 is_tag_implicit = 0;
347
348 if (node->type & CONST_TAG)
349 {
350 p = node->down;
351 /* When there are nested tags we must complete them reverse to
352 the order they were created. This is because completing a tag
353 modifies all data within it, including the incomplete tags
354 which store buffer positions -- simon@josefsson.org 2002-09-06
355 */
356 while (p->right)
357 p = p->right;
358 while (p && p != node->down->left)
359 {
360 if (type_field (p->type) == TYPE_TAG)
361 {
362 if (p->type & CONST_EXPLICIT)
363 {
364 len2 = strtol (p->name, NULL, 10);
365 MHD__asn1_set_name (p, NULL);
366 MHD__asn1_length_der (*counter - len2, temp, &len3);
367 if (len3 <= (*max_len))
368 {
369 memmove (der + len2 + len3, der + len2,
370 *counter - len2);
371 memcpy (der + len2, temp, len3);
372 }
373 *max_len -= len3;
374 *counter += len3;
375 is_tag_implicit = 0;
376 }
377 else
378 { /* CONST_IMPLICIT */
379 if (!is_tag_implicit)
380 {
381 is_tag_implicit = 1;
382 }
383 }
384 }
385 p = p->left;
386 }
387 }
388
389 if (*max_len < 0)
390 return ASN1_MEM_ERROR;
391
392 return ASN1_SUCCESS;
393}
394
395
396/******************************************************/
397/* Function : MHD__asn1_insert_tag_der */
398/* Description: creates the DER coding of tags of one */
399/* NODE. */
400/* Parameters: */
401/* node: pointer to the tree element. */
402/* der: string returned */
403/* counter: number of meaningful bytes of DER */
404/* (counter[0]..der[*counter-1]). */
405/* max_len: size of der vector */
406/* Return: */
407/* ASN1_GENERIC_ERROR if the type is unknown, */
408/* ASN1_MEM_ERROR if der vector isn't big enough, */
409/* otherwise ASN1_SUCCESS. */
410/******************************************************/
411static MHD__asn1_retCode
412MHD__asn1_insert_tag_der (node_asn * node, unsigned char *der, int *counter,
413 int *max_len)
414{
415 node_asn *p;
416 int tag_len, is_tag_implicit;
417 unsigned char class, class_implicit = 0, temp[SIZEOF_UNSIGNED_INT * 3 + 1];
418 unsigned long tag_implicit = 0;
419 char tag_der[MAX_TAG_LEN];
420
421 is_tag_implicit = 0;
422
423 if (node->type & CONST_TAG)
424 {
425 p = node->down;
426 while (p)
427 {
428 if (type_field (p->type) == TYPE_TAG)
429 {
430 if (p->type & CONST_APPLICATION)
431 class = ASN1_CLASS_APPLICATION;
432 else if (p->type & CONST_UNIVERSAL)
433 class = ASN1_CLASS_UNIVERSAL;
434 else if (p->type & CONST_PRIVATE)
435 class = ASN1_CLASS_PRIVATE;
436 else
437 class = ASN1_CLASS_CONTEXT_SPECIFIC;
438
439 if (p->type & CONST_EXPLICIT)
440 {
441 if (is_tag_implicit)
442 MHD__asn1_tag_der (class_implicit, tag_implicit,
443 (unsigned char *) tag_der, &tag_len);
444 else
445 MHD__asn1_tag_der (class | ASN1_CLASS_STRUCTURED,
446 strtoul ((const char *) p->value, NULL,
447 10),
448 (unsigned char *) tag_der, &tag_len);
449
450 *max_len -= tag_len;
451 if (*max_len >= 0)
452 memcpy (der + *counter, tag_der, tag_len);
453 *counter += tag_len;
454
455 MHD__asn1_ltostr (*counter, (char *) temp);
456 MHD__asn1_set_name (p, (const char *) temp);
457
458 is_tag_implicit = 0;
459 }
460 else
461 { /* CONST_IMPLICIT */
462 if (!is_tag_implicit)
463 {
464 if ((type_field (node->type) == TYPE_SEQUENCE) ||
465 (type_field (node->type) == TYPE_SEQUENCE_OF) ||
466 (type_field (node->type) == TYPE_SET) ||
467 (type_field (node->type) == TYPE_SET_OF))
468 class |= ASN1_CLASS_STRUCTURED;
469 class_implicit = class;
470 tag_implicit =
471 strtoul ((const char *) p->value, NULL, 10);
472 is_tag_implicit = 1;
473 }
474 }
475 }
476 p = p->right;
477 }
478 }
479
480 if (is_tag_implicit)
481 {
482 MHD__asn1_tag_der (class_implicit, tag_implicit,
483 (unsigned char *) tag_der, &tag_len);
484 }
485 else
486 {
487 switch (type_field (node->type))
488 {
489 case TYPE_NULL:
490 MHD__asn1_tag_der (ASN1_CLASS_UNIVERSAL, ASN1_TAG_NULL,
491 (unsigned char *) tag_der, &tag_len);
492 break;
493 case TYPE_BOOLEAN:
494 MHD__asn1_tag_der (ASN1_CLASS_UNIVERSAL, ASN1_TAG_BOOLEAN,
495 (unsigned char *) tag_der, &tag_len);
496 break;
497 case TYPE_INTEGER:
498 MHD__asn1_tag_der (ASN1_CLASS_UNIVERSAL, ASN1_TAG_INTEGER,
499 (unsigned char *) tag_der, &tag_len);
500 break;
501 case TYPE_ENUMERATED:
502 MHD__asn1_tag_der (ASN1_CLASS_UNIVERSAL, ASN1_TAG_ENUMERATED,
503 (unsigned char *) tag_der, &tag_len);
504 break;
505 case TYPE_OBJECT_ID:
506 MHD__asn1_tag_der (ASN1_CLASS_UNIVERSAL, ASN1_TAG_OBJECT_ID,
507 (unsigned char *) tag_der, &tag_len);
508 break;
509 case TYPE_TIME:
510 if (node->type & CONST_UTC)
511 {
512 MHD__asn1_tag_der (ASN1_CLASS_UNIVERSAL, ASN1_TAG_UTCTime,
513 (unsigned char *) tag_der, &tag_len);
514 }
515 else
516 MHD__asn1_tag_der (ASN1_CLASS_UNIVERSAL, ASN1_TAG_GENERALIZEDTime,
517 (unsigned char *) tag_der, &tag_len);
518 break;
519 case TYPE_OCTET_STRING:
520 MHD__asn1_tag_der (ASN1_CLASS_UNIVERSAL, ASN1_TAG_OCTET_STRING,
521 (unsigned char *) tag_der, &tag_len);
522 break;
523 case TYPE_GENERALSTRING:
524 MHD__asn1_tag_der (ASN1_CLASS_UNIVERSAL, ASN1_TAG_GENERALSTRING,
525 (unsigned char *) tag_der, &tag_len);
526 break;
527 case TYPE_BIT_STRING:
528 MHD__asn1_tag_der (ASN1_CLASS_UNIVERSAL, ASN1_TAG_BIT_STRING,
529 (unsigned char *) tag_der, &tag_len);
530 break;
531 case TYPE_SEQUENCE:
532 case TYPE_SEQUENCE_OF:
533 MHD__asn1_tag_der (ASN1_CLASS_UNIVERSAL | ASN1_CLASS_STRUCTURED,
534 ASN1_TAG_SEQUENCE, (unsigned char *) tag_der,
535 &tag_len);
536 break;
537 case TYPE_SET:
538 case TYPE_SET_OF:
539 MHD__asn1_tag_der (ASN1_CLASS_UNIVERSAL | ASN1_CLASS_STRUCTURED,
540 ASN1_TAG_SET, (unsigned char *) tag_der,
541 &tag_len);
542 break;
543 case TYPE_TAG:
544 tag_len = 0;
545 break;
546 case TYPE_CHOICE:
547 tag_len = 0;
548 break;
549 case TYPE_ANY:
550 tag_len = 0;
551 break;
552 default:
553 return ASN1_GENERIC_ERROR;
554 }
555 }
556
557 *max_len -= tag_len;
558 if (*max_len >= 0)
559 memcpy (der + *counter, tag_der, tag_len);
560 *counter += tag_len;
561
562 if (*max_len < 0)
563 return ASN1_MEM_ERROR;
564
565 return ASN1_SUCCESS;
566}
567
568/******************************************************/
569/* Function : MHD__asn1_ordering_set */
570/* Description: puts the elements of a SET type in */
571/* the correct order according to DER rules. */
572/* Parameters: */
573/* der: string with the DER coding. */
574/* node: pointer to the SET element. */
575/* Return: */
576/******************************************************/
577static void
578MHD__asn1_ordering_set (unsigned char *der, int der_len, node_asn * node)
579{
580 struct vet
581 {
582 int end;
583 uint32_t value;
584 struct vet *next, *prev;
585 };
586
587 int counter, len, len2;
588 struct vet *first, *last, *p_vet, *p2_vet;
589 node_asn *p;
590 unsigned char class, *temp;
591 unsigned long tag;
592
593 counter = 0;
594
595 if (type_field (node->type) != TYPE_SET)
596 return;
597
598 p = node->down;
599 while ((p != NULL) &&
600 ((type_field (p->type) == TYPE_TAG)
601 || (type_field (p->type) == TYPE_SIZE)))
602 p = p->right;
603
604 if ((p == NULL) || (p->right == NULL))
605 return;
606
607 first = last = NULL;
608 while (p)
609 {
610 p_vet = (struct vet *) MHD__asn1_alloca (sizeof (struct vet));
611 if (p_vet == NULL)
612 return;
613
614 p_vet->next = NULL;
615 p_vet->prev = last;
616 if (first == NULL)
617 first = p_vet;
618 else
619 last->next = p_vet;
620 last = p_vet;
621
622 /* tag value calculation */
623 if (MHD__asn1_get_tag_der
624 (der + counter, der_len - counter, &class, &len2,
625 &tag) != ASN1_SUCCESS)
626 return;
627 p_vet->value = (class << 24) | tag;
628 counter += len2;
629
630 /* extraction and length */
631 len2 =
632 MHD__asn1_get_length_der (der + counter, der_len - counter, &len);
633 if (len2 < 0)
634 return;
635 counter += len + len2;
636
637 p_vet->end = counter;
638 p = p->right;
639 }
640
641 p_vet = first;
642
643 while (p_vet)
644 {
645 p2_vet = p_vet->next;
646 counter = 0;
647 while (p2_vet)
648 {
649 if (p_vet->value > p2_vet->value)
650 {
651 /* change position */
652 temp =
653 (unsigned char *) MHD__asn1_alloca (p_vet->end - counter);
654 if (temp == NULL)
655 return;
656
657 memcpy (temp, der + counter, p_vet->end - counter);
658 memcpy (der + counter, der + p_vet->end,
659 p2_vet->end - p_vet->end);
660 memcpy (der + counter + p2_vet->end - p_vet->end, temp,
661 p_vet->end - counter);
662 MHD__asn1_afree (temp);
663
664 tag = p_vet->value;
665 p_vet->value = p2_vet->value;
666 p2_vet->value = tag;
667
668 p_vet->end = counter + (p2_vet->end - p_vet->end);
669 }
670 counter = p_vet->end;
671
672 p2_vet = p2_vet->next;
673 p_vet = p_vet->next;
674 }
675
676 if (p_vet != first)
677 p_vet->prev->next = NULL;
678 else
679 first = NULL;
680 MHD__asn1_afree (p_vet);
681 p_vet = first;
682 }
683}
684
685/******************************************************/
686/* Function : MHD__asn1_ordering_set_of */
687/* Description: puts the elements of a SET OF type in */
688/* the correct order according to DER rules. */
689/* Parameters: */
690/* der: string with the DER coding. */
691/* node: pointer to the SET OF element. */
692/* Return: */
693/******************************************************/
694static void
695MHD__asn1_ordering_set_of (unsigned char *der, int der_len, node_asn * node)
696{
697 struct vet
698 {
699 int end;
700 struct vet *next, *prev;
701 };
702
703 int counter, len, len2, change;
704 struct vet *first, *last, *p_vet, *p2_vet;
705 node_asn *p;
706 unsigned char *temp, class;
707 unsigned long k, max;
708
709 counter = 0;
710
711 if (type_field (node->type) != TYPE_SET_OF)
712 return;
713
714 p = node->down;
715 while ((type_field (p->type) == TYPE_TAG)
716 || (type_field (p->type) == TYPE_SIZE))
717 p = p->right;
718 p = p->right;
719
720 if ((p == NULL) || (p->right == NULL))
721 return;
722
723 first = last = NULL;
724 while (p)
725 {
726 p_vet = (struct vet *) MHD__asn1_alloca (sizeof (struct vet));
727 if (p_vet == NULL)
728 return;
729
730 p_vet->next = NULL;
731 p_vet->prev = last;
732 if (first == NULL)
733 first = p_vet;
734 else
735 last->next = p_vet;
736 last = p_vet;
737
738 /* extraction of tag and length */
739 if (der_len - counter > 0)
740 {
741
742 if (MHD__asn1_get_tag_der
743 (der + counter, der_len - counter, &class, &len,
744 NULL) != ASN1_SUCCESS)
745 return;
746 counter += len;
747
748 len2 =
749 MHD__asn1_get_length_der (der + counter, der_len - counter, &len);
750 if (len2 < 0)
751 return;
752 counter += len + len2;
753 }
754
755 p_vet->end = counter;
756 p = p->right;
757 }
758
759 p_vet = first;
760
761 while (p_vet)
762 {
763 p2_vet = p_vet->next;
764 counter = 0;
765 while (p2_vet)
766 {
767 if ((p_vet->end - counter) > (p2_vet->end - p_vet->end))
768 max = p_vet->end - counter;
769 else
770 max = p2_vet->end - p_vet->end;
771
772 change = -1;
773 for (k = 0; k < max; k++)
774 if (der[counter + k] > der[p_vet->end + k])
775 {
776 change = 1;
777 break;
778 }
779 else if (der[counter + k] < der[p_vet->end + k])
780 {
781 change = 0;
782 break;
783 }
784
785 if ((change == -1)
786 && ((p_vet->end - counter) > (p2_vet->end - p_vet->end)))
787 change = 1;
788
789 if (change == 1)
790 {
791 /* change position */
792 temp =
793 (unsigned char *) MHD__asn1_alloca (p_vet->end - counter);
794 if (temp == NULL)
795 return;
796
797 memcpy (temp, der + counter, (p_vet->end) - counter);
798 memcpy (der + counter, der + (p_vet->end),
799 (p2_vet->end) - (p_vet->end));
800 memcpy (der + counter + (p2_vet->end) - (p_vet->end), temp,
801 (p_vet->end) - counter);
802 MHD__asn1_afree (temp);
803
804 p_vet->end = counter + (p2_vet->end - p_vet->end);
805 }
806 counter = p_vet->end;
807
808 p2_vet = p2_vet->next;
809 p_vet = p_vet->next;
810 }
811
812 if (p_vet != first)
813 p_vet->prev->next = NULL;
814 else
815 first = NULL;
816 MHD__asn1_afree (p_vet);
817 p_vet = first;
818 }
819}
820
821/**
822 * MHD__asn1_der_coding - Creates the DER encoding for the NAME structure
823 * @element: pointer to an ASN1 element
824 * @name: the name of the structure you want to encode (it must be
825 * inside *POINTER).
826 * @ider: vector that will contain the DER encoding. DER must be a
827 * pointer to memory cells already allocated.
828 * @len: number of bytes of *@ider: @ider[0]..@ider[len-1], Initialy
829 * holds the sizeof of der vector.
830 * @errorDescription : return the error description or an empty
831 * string if success.
832 *
833 * Creates the DER encoding for the NAME structure (inside *POINTER
834 * structure).
835 *
836 * Returns:
837 *
838 * ASN1_SUCCESS: DER encoding OK.
839 *
840 * ASN1_ELEMENT_NOT_FOUND: NAME is not a valid element.
841 *
842 * ASN1_VALUE_NOT_FOUND: There is an element without a value.
843 *
844 * ASN1_MEM_ERROR: @ider vector isn't big enough. Also in this case
845 * LEN will contain the length needed.
846 *
847 **/
848MHD__asn1_retCode
849MHD__asn1_der_coding (ASN1_TYPE element, const char *name, void *ider,
850 int *len, char *ErrorDescription)
851{
852 node_asn *node, *p, *p2;
853 char temp[SIZEOF_UNSIGNED_LONG_INT * 3 + 1];
854 int counter, counter_old, len2, len3, tlen, move, max_len, max_len_old;
855 MHD__asn1_retCode err;
856 unsigned char *der = ider;
857
858 node = MHD__asn1_find_node (element, name);
859 if (node == NULL)
860 return ASN1_ELEMENT_NOT_FOUND;
861
862 /* Node is now a locally allocated variable.
863 * That is because in some point we modify the
864 * structure, and I don't know why! --nmav
865 */
866 node = MHD__asn1_copy_structure3 (node);
867 if (node == NULL)
868 return ASN1_ELEMENT_NOT_FOUND;
869
870 max_len = *len;
871
872 counter = 0;
873 move = DOWN;
874 p = node;
875 while (1)
876 {
877
878 counter_old = counter;
879 max_len_old = max_len;
880 if (move != UP)
881 {
882 err = MHD__asn1_insert_tag_der (p, der, &counter, &max_len);
883 if (err != ASN1_SUCCESS && err != ASN1_MEM_ERROR)
884 goto error;
885 }
886 switch (type_field (p->type))
887 {
888 case TYPE_NULL:
889 max_len--;
890 if (max_len >= 0)
891 der[counter] = 0;
892 counter++;
893 move = RIGHT;
894 break;
895 case TYPE_BOOLEAN:
896 if ((p->type & CONST_DEFAULT) && (p->value == NULL))
897 {
898 counter = counter_old;
899 max_len = max_len_old;
900 }
901 else
902 {
903 if (p->value == NULL)
904 {
905 MHD__asn1_error_description_value_not_found (p,
906 ErrorDescription);
907 err = ASN1_VALUE_NOT_FOUND;
908 goto error;
909 }
910 max_len -= 2;
911 if (max_len >= 0)
912 {
913 der[counter++] = 1;
914 if (p->value[0] == 'F')
915 der[counter++] = 0;
916 else
917 der[counter++] = 0xFF;
918 }
919 else
920 counter += 2;
921 }
922 move = RIGHT;
923 break;
924 case TYPE_INTEGER:
925 case TYPE_ENUMERATED:
926 if ((p->type & CONST_DEFAULT) && (p->value == NULL))
927 {
928 counter = counter_old;
929 max_len = max_len_old;
930 }
931 else
932 {
933 if (p->value == NULL)
934 {
935 MHD__asn1_error_description_value_not_found (p,
936 ErrorDescription);
937 err = ASN1_VALUE_NOT_FOUND;
938 goto error;
939 }
940 len2 = MHD__asn1_get_length_der (p->value, p->value_len, &len3);
941 if (len2 < 0)
942 {
943 err = ASN1_DER_ERROR;
944 goto error;
945 }
946 max_len -= len2 + len3;
947 if (max_len >= 0)
948 memcpy (der + counter, p->value, len3 + len2);
949 counter += len3 + len2;
950 }
951 move = RIGHT;
952 break;
953 case TYPE_OBJECT_ID:
954 if ((p->type & CONST_DEFAULT) && (p->value == NULL))
955 {
956 counter = counter_old;
957 max_len = max_len_old;
958 }
959 else
960 {
961 if (p->value == NULL)
962 {
963 MHD__asn1_error_description_value_not_found (p,
964 ErrorDescription);
965 err = ASN1_VALUE_NOT_FOUND;
966 goto error;
967 }
968 len2 = max_len;
969 err = MHD__asn1_objectid_der (p->value, der + counter, &len2);
970 if (err != ASN1_SUCCESS && err != ASN1_MEM_ERROR)
971 goto error;
972
973 max_len -= len2;
974 counter += len2;
975 }
976 move = RIGHT;
977 break;
978 case TYPE_TIME:
979 if (p->value == NULL)
980 {
981 MHD__asn1_error_description_value_not_found (p,
982 ErrorDescription);
983 err = ASN1_VALUE_NOT_FOUND;
984 goto error;
985 }
986 len2 = max_len;
987 err = MHD__asn1_time_der (p->value, der + counter, &len2);
988 if (err != ASN1_SUCCESS && err != ASN1_MEM_ERROR)
989 goto error;
990
991 max_len -= len2;
992 counter += len2;
993 move = RIGHT;
994 break;
995 case TYPE_OCTET_STRING:
996 if (p->value == NULL)
997 {
998 MHD__asn1_error_description_value_not_found (p,
999 ErrorDescription);
1000 err = ASN1_VALUE_NOT_FOUND;
1001 goto error;
1002 }
1003 len2 = MHD__asn1_get_length_der (p->value, p->value_len, &len3);
1004 if (len2 < 0)
1005 {
1006 err = ASN1_DER_ERROR;
1007 goto error;
1008 }
1009 max_len -= len2 + len3;
1010 if (max_len >= 0)
1011 memcpy (der + counter, p->value, len3 + len2);
1012 counter += len3 + len2;
1013 move = RIGHT;
1014 break;
1015 case TYPE_GENERALSTRING:
1016 if (p->value == NULL)
1017 {
1018 MHD__asn1_error_description_value_not_found (p,
1019 ErrorDescription);
1020 err = ASN1_VALUE_NOT_FOUND;
1021 goto error;
1022 }
1023 len2 = MHD__asn1_get_length_der (p->value, p->value_len, &len3);
1024 if (len2 < 0)
1025 {
1026 err = ASN1_DER_ERROR;
1027 goto error;
1028 }
1029 max_len -= len2 + len3;
1030 if (max_len >= 0)
1031 memcpy (der + counter, p->value, len3 + len2);
1032 counter += len3 + len2;
1033 move = RIGHT;
1034 break;
1035 case TYPE_BIT_STRING:
1036 if (p->value == NULL)
1037 {
1038 MHD__asn1_error_description_value_not_found (p,
1039 ErrorDescription);
1040 err = ASN1_VALUE_NOT_FOUND;
1041 goto error;
1042 }
1043 len2 = MHD__asn1_get_length_der (p->value, p->value_len, &len3);
1044 if (len2 < 0)
1045 {
1046 err = ASN1_DER_ERROR;
1047 goto error;
1048 }
1049 max_len -= len2 + len3;
1050 if (max_len >= 0)
1051 memcpy (der + counter, p->value, len3 + len2);
1052 counter += len3 + len2;
1053 move = RIGHT;
1054 break;
1055 case TYPE_SEQUENCE:
1056 case TYPE_SET:
1057 if (move != UP)
1058 {
1059 MHD__asn1_ltostr (counter, temp);
1060 tlen = strlen (temp);
1061 if (tlen > 0)
1062 MHD__asn1_set_value (p, temp, tlen + 1);
1063 if (p->down == NULL)
1064 {
1065 move = UP;
1066 continue;
1067 }
1068 else
1069 {
1070 p2 = p->down;
1071 while (p2 && (type_field (p2->type) == TYPE_TAG))
1072 p2 = p2->right;
1073 if (p2)
1074 {
1075 p = p2;
1076 move = RIGHT;
1077 continue;
1078 }
1079 move = UP;
1080 continue;
1081 }
1082 }
1083 else
1084 { /* move==UP */
1085 len2 = strtol ((const char *) p->value, NULL, 10);
1086 MHD__asn1_set_value (p, NULL, 0);
1087 if ((type_field (p->type) == TYPE_SET) && (max_len >= 0))
1088 MHD__asn1_ordering_set (der + len2, max_len - len2, p);
1089 MHD__asn1_length_der (counter - len2, (unsigned char *) temp,
1090 &len3);
1091 max_len -= len3;
1092 if (max_len >= 0)
1093 {
1094 memmove (der + len2 + len3, der + len2, counter - len2);
1095 memcpy (der + len2, temp, len3);
1096 }
1097 counter += len3;
1098 move = RIGHT;
1099 }
1100 break;
1101 case TYPE_SEQUENCE_OF:
1102 case TYPE_SET_OF:
1103 if (move != UP)
1104 {
1105 MHD__asn1_ltostr (counter, temp);
1106 tlen = strlen (temp);
1107
1108 if (tlen > 0)
1109 MHD__asn1_set_value (p, temp, tlen + 1);
1110 p = p->down;
1111 while ((type_field (p->type) == TYPE_TAG)
1112 || (type_field (p->type) == TYPE_SIZE))
1113 p = p->right;
1114 if (p->right)
1115 {
1116 p = p->right;
1117 move = RIGHT;
1118 continue;
1119 }
1120 else
1121 p = MHD__asn1_find_up (p);
1122 move = UP;
1123 }
1124 if (move == UP)
1125 {
1126 len2 = strtol ((const char *) p->value, NULL, 10);
1127 MHD__asn1_set_value (p, NULL, 0);
1128 if ((type_field (p->type) == TYPE_SET_OF)
1129 && (max_len - len2 > 0))
1130 {
1131 MHD__asn1_ordering_set_of (der + len2, max_len - len2, p);
1132 }
1133 MHD__asn1_length_der (counter - len2, (unsigned char *) temp,
1134 &len3);
1135 max_len -= len3;
1136 if (max_len >= 0)
1137 {
1138 memmove (der + len2 + len3, der + len2, counter - len2);
1139 memcpy (der + len2, temp, len3);
1140 }
1141 counter += len3;
1142 move = RIGHT;
1143 }
1144 break;
1145 case TYPE_ANY:
1146 if (p->value == NULL)
1147 {
1148 MHD__asn1_error_description_value_not_found (p,
1149 ErrorDescription);
1150 err = ASN1_VALUE_NOT_FOUND;
1151 goto error;
1152 }
1153 len2 = MHD__asn1_get_length_der (p->value, p->value_len, &len3);
1154 if (len2 < 0)
1155 {
1156 err = ASN1_DER_ERROR;
1157 goto error;
1158 }
1159 max_len -= len2;
1160 if (max_len >= 0)
1161 memcpy (der + counter, p->value + len3, len2);
1162 counter += len2;
1163 move = RIGHT;
1164 break;
1165 default:
1166 move = (move == UP) ? RIGHT : DOWN;
1167 break;
1168 }
1169
1170 if ((move != DOWN) && (counter != counter_old))
1171 {
1172 err = MHD__asn1_complete_explicit_tag (p, der, &counter, &max_len);
1173 if (err != ASN1_SUCCESS && err != ASN1_MEM_ERROR)
1174 goto error;
1175 }
1176
1177 if (p == node && move != DOWN)
1178 break;
1179
1180 if (move == DOWN)
1181 {
1182 if (p->down)
1183 p = p->down;
1184 else
1185 move = RIGHT;
1186 }
1187 if (move == RIGHT)
1188 {
1189 if (p->right)
1190 p = p->right;
1191 else
1192 move = UP;
1193 }
1194 if (move == UP)
1195 p = MHD__asn1_find_up (p);
1196 }
1197
1198 *len = counter;
1199
1200 if (max_len < 0)
1201 {
1202 err = ASN1_MEM_ERROR;
1203 goto error;
1204 }
1205
1206 err = ASN1_SUCCESS;
1207
1208error:
1209 MHD__asn1_delete_structure (&node);
1210 return err;
1211}
diff --git a/src/daemon/https/minitasn1/decoding.c b/src/daemon/https/minitasn1/decoding.c
deleted file mode 100644
index 9a4e23a3..00000000
--- a/src/daemon/https/minitasn1/decoding.c
+++ /dev/null
@@ -1,1673 +0,0 @@
1/*
2 * Copyright (C) 2004, 2006 Free Software Foundation
3 * Copyright (C) 2002 Fabio Fiorina
4 *
5 * This file is part of LIBTASN1.
6 *
7 * The LIBTASN1 library is free software; you can redistribute it
8 * and/or modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 * 02110-1301, USA
21 */
22
23
24/*****************************************************/
25/* File: decoding.c */
26/* Description: Functions to manage DER decoding */
27/*****************************************************/
28
29#include <int.h>
30#include "parser_aux.h"
31#include <gstr.h>
32#include "structure.h"
33#include "element.h"
34
35
36static void
37MHD__asn1_error_description_tag_error (node_asn * node,
38 char *ErrorDescription)
39{
40
41 Estrcpy (ErrorDescription, ":: tag error near element '");
42 MHD__asn1_hierarchical_name (node,
43 ErrorDescription + strlen (ErrorDescription),
44 MAX_ERROR_DESCRIPTION_SIZE - 40);
45 Estrcat (ErrorDescription, "'");
46
47}
48
49/**
50 * MHD__asn1_get_length_der:
51 * @der: DER data to decode.
52 * @der_len: Length of DER data to decode.
53 * @len: Output variable containing the length of the DER length field.
54 *
55 * Extract a length field from DER data.
56 *
57 * Return value: Return the decoded length value, or -1 on indefinite
58 * length, or -2 when the value was too big.
59 **/
60signed long
61MHD__asn1_get_length_der (const unsigned char *der, int der_len, int *len)
62{
63 unsigned long ans;
64 int k, punt;
65
66 *len = 0;
67 if (der_len <= 0)
68 return 0;
69
70 if (!(der[0] & 128))
71 {
72 /* short form */
73 *len = 1;
74 return der[0];
75 }
76 else
77 {
78 /* Long form */
79 k = der[0] & 0x7F;
80 punt = 1;
81 if (k)
82 { /* definite length method */
83 ans = 0;
84 while (punt <= k && punt < der_len)
85 {
86 unsigned long last = ans;
87
88 ans = ans * 256 + der[punt++];
89 if (ans < last)
90 /* we wrapped around, no bignum support... */
91 return -2;
92 }
93 }
94 else
95 { /* indefinite length method */
96 ans = -1;
97 }
98
99 *len = punt;
100 return ans;
101 }
102}
103
104
105
106
107/**
108 * MHD__asn1_get_tag_der:
109 * @der: DER data to decode.
110 * @der_len: Length of DER data to decode.
111 * @cls: Output variable containing decoded class.
112 * @len: Output variable containing the length of the DER TAG data.
113 * @tag: Output variable containing the decoded tag.
114 *
115 * Decode the class and TAG from DER code.
116 *
117 * Return value: Returns ASN1_SUCCESS on success, or an error.
118 **/
119int
120MHD__asn1_get_tag_der (const unsigned char *der, int der_len,
121 unsigned char *cls, int *len, unsigned long *tag)
122{
123 int punt, ris;
124
125 if (der == NULL || der_len <= 0 || len == NULL)
126 return ASN1_DER_ERROR;
127
128 *cls = der[0] & 0xE0;
129 if ((der[0] & 0x1F) != 0x1F)
130 {
131 /* short form */
132 *len = 1;
133 ris = der[0] & 0x1F;
134 }
135 else
136 {
137 /* Long form */
138 punt = 1;
139 ris = 0;
140 while (punt <= der_len && der[punt] & 128)
141 {
142 int last = ris;
143 ris = ris * 128 + (der[punt++] & 0x7F);
144 if (ris < last)
145 /* wrapper around, and no bignums... */
146 return ASN1_DER_ERROR;
147 }
148 if (punt >= der_len)
149 return ASN1_DER_ERROR;
150 {
151 int last = ris;
152 ris = ris * 128 + (der[punt++] & 0x7F);
153 if (ris < last)
154 /* wrapper around, and no bignums... */
155 return ASN1_DER_ERROR;
156 }
157 *len = punt;
158 }
159 if (tag)
160 *tag = ris;
161 return ASN1_SUCCESS;
162}
163
164
165
166
167/**
168 * MHD__asn1_get_octet_der:
169 * @der: DER data to decode containing the OCTET SEQUENCE.
170 * @der_len: Length of DER data to decode.
171 * @ret_len: Output variable containing the length of the DER data.
172 * @str: Pre-allocated output buffer to put decoded OCTET SEQUENCE in.
173 * @str_size: Length of pre-allocated output buffer.
174 * @str_len: Output variable containing the length of the OCTET SEQUENCE.
175 *
176 * Extract an OCTET SEQUENCE from DER data.
177 *
178 * Return value: Returns ASN1_SUCCESS on success, or an error.
179 **/
180int
181MHD__asn1_get_octet_der (const unsigned char *der, int der_len,
182 int *ret_len, unsigned char *str, int str_size,
183 int *str_len)
184{
185 int len_len;
186
187 if (der_len <= 0)
188 return ASN1_GENERIC_ERROR;
189
190 /* if(str==NULL) return ASN1_SUCCESS; */
191 *str_len = MHD__asn1_get_length_der (der, der_len, &len_len);
192
193 if (*str_len < 0)
194 return ASN1_DER_ERROR;
195
196 *ret_len = *str_len + len_len;
197 if (str_size >= *str_len)
198 memcpy (str, der + len_len, *str_len);
199 else
200 {
201 return ASN1_MEM_ERROR;
202 }
203
204 return ASN1_SUCCESS;
205}
206
207
208
209/* Returns ASN1_SUCCESS on success or an error code on error.
210 */
211static int
212MHD__asn1_get_time_der (const unsigned char *der, int der_len, int *ret_len,
213 char *str, int str_size)
214{
215 int len_len, str_len;
216
217 if (der_len <= 0 || str == NULL)
218 return ASN1_DER_ERROR;
219 str_len = MHD__asn1_get_length_der (der, der_len, &len_len);
220 if (str_len < 0 || str_size < str_len)
221 return ASN1_DER_ERROR;
222 memcpy (str, der + len_len, str_len);
223 str[str_len] = 0;
224 *ret_len = str_len + len_len;
225
226 return ASN1_SUCCESS;
227}
228
229
230
231static void
232MHD__asn1_get_objectid_der (const unsigned char *der, int der_len,
233 int *ret_len, char *str, int str_size)
234{
235 int len_len, len, k;
236 char temp[20];
237 unsigned long val, val1;
238
239 *ret_len = 0;
240 if (str && str_size > 0)
241 str[0] = 0; /* no oid */
242
243 if (str == NULL || der_len <= 0)
244 return;
245 len = MHD__asn1_get_length_der (der, der_len, &len_len);
246
247 if (len < 0 || len > der_len || len_len > der_len)
248 return;
249
250 val1 = der[len_len] / 40;
251 val = der[len_len] - val1 * 40;
252
253 MHD__asn1_str_cpy (str, str_size, MHD__asn1_ltostr (val1, temp));
254 MHD__asn1_str_cat (str, str_size, ".");
255 MHD__asn1_str_cat (str, str_size, MHD__asn1_ltostr (val, temp));
256
257 val = 0;
258 for (k = 1; k < len; k++)
259 {
260 val = val << 7;
261 val |= der[len_len + k] & 0x7F;
262 if (!(der[len_len + k] & 0x80))
263 {
264 MHD__asn1_str_cat (str, str_size, ".");
265 MHD__asn1_str_cat (str, str_size, MHD__asn1_ltostr (val, temp));
266 val = 0;
267 }
268 }
269 *ret_len = len + len_len;
270}
271
272
273
274
275/**
276 * MHD__asn1_get_bit_der:
277 * @der: DER data to decode containing the BIT SEQUENCE.
278 * @der_len: Length of DER data to decode.
279 * @ret_len: Output variable containing the length of the DER data.
280 * @str: Pre-allocated output buffer to put decoded BIT SEQUENCE in.
281 * @str_size: Length of pre-allocated output buffer.
282 * @bit_len: Output variable containing the size of the BIT SEQUENCE.
283 *
284 * Extract a BIT SEQUENCE from DER data.
285 *
286 * Return value: Return ASN1_SUCCESS on success, or an error.
287 **/
288int
289MHD__asn1_get_bit_der (const unsigned char *der, int der_len,
290 int *ret_len, unsigned char *str, int str_size,
291 int *bit_len)
292{
293 int len_len, len_byte;
294
295 if (der_len <= 0)
296 return ASN1_GENERIC_ERROR;
297 len_byte = MHD__asn1_get_length_der (der, der_len, &len_len) - 1;
298 if (len_byte < 0)
299 return ASN1_DER_ERROR;
300
301 *ret_len = len_byte + len_len + 1;
302 *bit_len = len_byte * 8 - der[len_len];
303
304 if (str_size >= len_byte)
305 memcpy (str, der + len_len + 1, len_byte);
306 else
307 {
308 return ASN1_MEM_ERROR;
309 }
310
311 return ASN1_SUCCESS;
312}
313
314
315
316
317static int
318MHD__asn1_extract_tag_der (node_asn * node, const unsigned char *der,
319 int der_len, int *ret_len)
320{
321 node_asn *p;
322 int counter, len2, len3, is_tag_implicit;
323 unsigned long tag, tag_implicit = 0;
324 unsigned char class, class2, class_implicit = 0;
325
326 if (der_len <= 0)
327 return ASN1_GENERIC_ERROR;
328
329 counter = is_tag_implicit = 0;
330
331 if (node->type & CONST_TAG)
332 {
333 p = node->down;
334 while (p)
335 {
336 if (type_field (p->type) == TYPE_TAG)
337 {
338 if (p->type & CONST_APPLICATION)
339 class2 = ASN1_CLASS_APPLICATION;
340 else if (p->type & CONST_UNIVERSAL)
341 class2 = ASN1_CLASS_UNIVERSAL;
342 else if (p->type & CONST_PRIVATE)
343 class2 = ASN1_CLASS_PRIVATE;
344 else
345 class2 = ASN1_CLASS_CONTEXT_SPECIFIC;
346
347 if (p->type & CONST_EXPLICIT)
348 {
349 if (MHD__asn1_get_tag_der
350 (der + counter, der_len - counter, &class, &len2,
351 &tag) != ASN1_SUCCESS)
352 return ASN1_DER_ERROR;
353 if (counter + len2 > der_len)
354 return ASN1_DER_ERROR;
355 counter += len2;
356 len3 =
357 MHD__asn1_get_length_der (der + counter,
358 der_len - counter, &len2);
359 if (len3 < 0)
360 return ASN1_DER_ERROR;
361 counter += len2;
362 if (!is_tag_implicit)
363 {
364 if ((class != (class2 | ASN1_CLASS_STRUCTURED)) ||
365 (tag != strtoul ((char *) p->value, NULL, 10)))
366 return ASN1_TAG_ERROR;
367 }
368 else
369 { /* ASN1_TAG_IMPLICIT */
370 if ((class != class_implicit) || (tag != tag_implicit))
371 return ASN1_TAG_ERROR;
372 }
373
374 is_tag_implicit = 0;
375 }
376 else
377 { /* ASN1_TAG_IMPLICIT */
378 if (!is_tag_implicit)
379 {
380 if ((type_field (node->type) == TYPE_SEQUENCE) ||
381 (type_field (node->type) == TYPE_SEQUENCE_OF) ||
382 (type_field (node->type) == TYPE_SET) ||
383 (type_field (node->type) == TYPE_SET_OF))
384 class2 |= ASN1_CLASS_STRUCTURED;
385 class_implicit = class2;
386 tag_implicit = strtoul ((char *) p->value, NULL, 10);
387 is_tag_implicit = 1;
388 }
389 }
390 }
391 p = p->right;
392 }
393 }
394
395 if (is_tag_implicit)
396 {
397 if (MHD__asn1_get_tag_der
398 (der + counter, der_len - counter, &class, &len2,
399 &tag) != ASN1_SUCCESS)
400 return ASN1_DER_ERROR;
401 if (counter + len2 > der_len)
402 return ASN1_DER_ERROR;
403
404 if ((class != class_implicit) || (tag != tag_implicit))
405 {
406 if (type_field (node->type) == TYPE_OCTET_STRING)
407 {
408 class_implicit |= ASN1_CLASS_STRUCTURED;
409 if ((class != class_implicit) || (tag != tag_implicit))
410 return ASN1_TAG_ERROR;
411 }
412 else
413 return ASN1_TAG_ERROR;
414 }
415 }
416 else
417 {
418 if (type_field (node->type) == TYPE_TAG)
419 {
420 counter = 0;
421 *ret_len = counter;
422 return ASN1_SUCCESS;
423 }
424
425 if (MHD__asn1_get_tag_der
426 (der + counter, der_len - counter, &class, &len2,
427 &tag) != ASN1_SUCCESS)
428 return ASN1_DER_ERROR;
429 if (counter + len2 > der_len)
430 return ASN1_DER_ERROR;
431
432 switch (type_field (node->type))
433 {
434 case TYPE_NULL:
435 if ((class != ASN1_CLASS_UNIVERSAL) || (tag != ASN1_TAG_NULL))
436 return ASN1_DER_ERROR;
437 break;
438 case TYPE_BOOLEAN:
439 if ((class != ASN1_CLASS_UNIVERSAL) || (tag != ASN1_TAG_BOOLEAN))
440 return ASN1_DER_ERROR;
441 break;
442 case TYPE_INTEGER:
443 if ((class != ASN1_CLASS_UNIVERSAL) || (tag != ASN1_TAG_INTEGER))
444 return ASN1_DER_ERROR;
445 break;
446 case TYPE_ENUMERATED:
447 if ((class != ASN1_CLASS_UNIVERSAL) || (tag != ASN1_TAG_ENUMERATED))
448 return ASN1_DER_ERROR;
449 break;
450 case TYPE_OBJECT_ID:
451 if ((class != ASN1_CLASS_UNIVERSAL) || (tag != ASN1_TAG_OBJECT_ID))
452 return ASN1_DER_ERROR;
453 break;
454 case TYPE_TIME:
455 if (node->type & CONST_UTC)
456 {
457 if ((class != ASN1_CLASS_UNIVERSAL)
458 || (tag != ASN1_TAG_UTCTime))
459 return ASN1_DER_ERROR;
460 }
461 else
462 {
463 if ((class != ASN1_CLASS_UNIVERSAL)
464 || (tag != ASN1_TAG_GENERALIZEDTime))
465 return ASN1_DER_ERROR;
466 }
467 break;
468 case TYPE_OCTET_STRING:
469 if (((class != ASN1_CLASS_UNIVERSAL)
470 && (class != (ASN1_CLASS_UNIVERSAL | ASN1_CLASS_STRUCTURED)))
471 || (tag != ASN1_TAG_OCTET_STRING))
472 return ASN1_DER_ERROR;
473 break;
474 case TYPE_GENERALSTRING:
475 if ((class != ASN1_CLASS_UNIVERSAL)
476 || (tag != ASN1_TAG_GENERALSTRING))
477 return ASN1_DER_ERROR;
478 break;
479 case TYPE_BIT_STRING:
480 if ((class != ASN1_CLASS_UNIVERSAL) || (tag != ASN1_TAG_BIT_STRING))
481 return ASN1_DER_ERROR;
482 break;
483 case TYPE_SEQUENCE:
484 case TYPE_SEQUENCE_OF:
485 if ((class != (ASN1_CLASS_UNIVERSAL | ASN1_CLASS_STRUCTURED))
486 || (tag != ASN1_TAG_SEQUENCE))
487 return ASN1_DER_ERROR;
488 break;
489 case TYPE_SET:
490 case TYPE_SET_OF:
491 if ((class != (ASN1_CLASS_UNIVERSAL | ASN1_CLASS_STRUCTURED))
492 || (tag != ASN1_TAG_SET))
493 return ASN1_DER_ERROR;
494 break;
495 case TYPE_ANY:
496 counter -= len2;
497 break;
498 default:
499 return ASN1_DER_ERROR;
500 break;
501 }
502 }
503
504 counter += len2;
505 *ret_len = counter;
506 return ASN1_SUCCESS;
507}
508
509
510static int
511MHD__asn1_delete_not_used (node_asn * node)
512{
513 node_asn *p, *p2;
514
515 if (node == NULL)
516 return ASN1_ELEMENT_NOT_FOUND;
517
518 p = node;
519 while (p)
520 {
521 if (p->type & CONST_NOT_USED)
522 {
523 p2 = NULL;
524 if (p != node)
525 {
526 p2 = MHD__asn1_find_left (p);
527 if (!p2)
528 p2 = MHD__asn1_find_up (p);
529 }
530 MHD__asn1_delete_structure (&p);
531 p = p2;
532 }
533
534 if (!p)
535 break; /* reach node */
536
537 if (p->down)
538 {
539 p = p->down;
540 }
541 else
542 {
543 if (p == node)
544 p = NULL;
545 else if (p->right)
546 p = p->right;
547 else
548 {
549 while (1)
550 {
551 p = MHD__asn1_find_up (p);
552 if (p == node)
553 {
554 p = NULL;
555 break;
556 }
557 if (p->right)
558 {
559 p = p->right;
560 break;
561 }
562 }
563 }
564 }
565 }
566 return ASN1_SUCCESS;
567}
568
569
570static MHD__asn1_retCode
571MHD__asn1_get_octet_string (const unsigned char *der, node_asn * node,
572 int *len)
573{
574 int len2, len3, counter, counter2, counter_end, tot_len, indefinite;
575 unsigned char *temp, *temp2;
576
577 counter = 0;
578
579 if (*(der - 1) & ASN1_CLASS_STRUCTURED)
580 {
581 tot_len = 0;
582 indefinite = MHD__asn1_get_length_der (der, *len, &len3);
583 if (indefinite < -1)
584 return ASN1_DER_ERROR;
585
586 counter += len3;
587 if (indefinite >= 0)
588 indefinite += len3;
589
590 while (1)
591 {
592 if (counter > (*len))
593 return ASN1_DER_ERROR;
594
595 if (indefinite == -1)
596 {
597 if ((der[counter] == 0) && (der[counter + 1] == 0))
598 {
599 counter += 2;
600 break;
601 }
602 }
603 else if (counter >= indefinite)
604 break;
605
606 if (der[counter] != ASN1_TAG_OCTET_STRING)
607 return ASN1_DER_ERROR;
608
609 counter++;
610
611 len2 =
612 MHD__asn1_get_length_der (der + counter, *len - counter, &len3);
613 if (len2 <= 0)
614 return ASN1_DER_ERROR;
615
616 counter += len3 + len2;
617 tot_len += len2;
618 }
619
620 /* copy */
621 if (node)
622 {
623 MHD__asn1_length_der (tot_len, NULL, &len2);
624 temp = MHD__asn1_alloca (len2 + tot_len);
625 if (temp == NULL)
626 {
627 return ASN1_MEM_ALLOC_ERROR;
628 }
629
630 MHD__asn1_length_der (tot_len, temp, &len2);
631 tot_len += len2;
632 temp2 = temp + len2;
633 len2 = MHD__asn1_get_length_der (der, *len, &len3);
634 if (len2 < -1)
635 {
636 MHD__asn1_afree (temp);
637 return ASN1_DER_ERROR;
638 }
639 counter2 = len3 + 1;
640
641 if (indefinite == -1)
642 counter_end = counter - 2;
643 else
644 counter_end = counter;
645
646 while (counter2 < counter_end)
647 {
648 len2 =
649 MHD__asn1_get_length_der (der + counter2, *len - counter,
650 &len3);
651 if (len2 < -1)
652 {
653 MHD__asn1_afree (temp);
654 return ASN1_DER_ERROR;
655 }
656
657 /* FIXME: to be checked. Is this ok? Has the
658 * size been checked before?
659 */
660 memcpy (temp2, der + counter2 + len3, len2);
661 temp2 += len2;
662 counter2 += len2 + len3 + 1;
663 }
664
665 MHD__asn1_set_value (node, temp, tot_len);
666 MHD__asn1_afree (temp);
667 }
668 }
669 else
670 { /* NOT STRUCTURED */
671 len2 = MHD__asn1_get_length_der (der, *len, &len3);
672 if (len2 < 0)
673 return ASN1_DER_ERROR;
674 if (len3 + len2 > *len)
675 return ASN1_DER_ERROR;
676 if (node)
677 MHD__asn1_set_value (node, der, len3 + len2);
678 counter = len3 + len2;
679 }
680
681 *len = counter;
682 return ASN1_SUCCESS;
683
684}
685
686
687static MHD__asn1_retCode
688MHD__asn1_get_indefinite_length_string (const unsigned char *der, int *len)
689{
690 int len2, len3, counter, indefinite;
691 unsigned long tag;
692 unsigned char class;
693
694 counter = indefinite = 0;
695
696 while (1)
697 {
698 if ((*len) < counter)
699 return ASN1_DER_ERROR;
700
701 if ((der[counter] == 0) && (der[counter + 1] == 0))
702 {
703 counter += 2;
704 indefinite--;
705 if (indefinite <= 0)
706 break;
707 else
708 continue;
709 }
710
711 if (MHD__asn1_get_tag_der
712 (der + counter, *len - counter, &class, &len2,
713 &tag) != ASN1_SUCCESS)
714 return ASN1_DER_ERROR;
715 if (counter + len2 > *len)
716 return ASN1_DER_ERROR;
717 counter += len2;
718 len2 = MHD__asn1_get_length_der (der + counter, *len - counter, &len3);
719 if (len2 < -1)
720 return ASN1_DER_ERROR;
721 if (len2 == -1)
722 {
723 indefinite++;
724 counter += 1;
725 }
726 else
727 {
728 counter += len2 + len3;
729 }
730 }
731
732 *len = counter;
733 return ASN1_SUCCESS;
734
735}
736
737
738/**
739 * MHD__asn1_der_decoding - Fill the structure *ELEMENT with values of a DER encoding string.
740 * @element: pointer to an ASN1 structure.
741 * @ider: vector that contains the DER encoding.
742 * @len: number of bytes of *@ider: @ider[0]..@ider[len-1].
743 * @errorDescription: null-terminated string contains details when an
744 * error occurred.
745 *
746 * Fill the structure *ELEMENT with values of a DER encoding
747 * string. The sructure must just be created with function
748 * 'create_stucture'. If an error occurs during the decoding
749 * procedure, the *ELEMENT is deleted and set equal to
750 * %ASN1_TYPE_EMPTY.
751 *
752 * Returns:
753 *
754 * ASN1_SUCCESS: DER encoding OK.
755 *
756 * ASN1_ELEMENT_NOT_FOUND: ELEMENT is ASN1_TYPE_EMPTY.
757 *
758 * ASN1_TAG_ERROR,ASN1_DER_ERROR: The der encoding doesn't match
759 * the structure NAME. *ELEMENT deleted.
760 **/
761
762MHD__asn1_retCode
763MHD__asn1_der_decoding (ASN1_TYPE * element, const void *ider, int len,
764 char *errorDescription)
765{
766 node_asn *node, *p, *p2, *p3;
767 char temp[128];
768 int counter, len2, len3, len4, move, ris, tlen;
769 unsigned char class, *temp2;
770 unsigned long tag;
771 int indefinite, result;
772 const unsigned char *der = ider;
773
774 node = *element;
775
776 if (node == ASN1_TYPE_EMPTY)
777 return ASN1_ELEMENT_NOT_FOUND;
778
779 if (node->type & CONST_OPTION)
780 {
781 MHD__asn1_delete_structure (element);
782 return ASN1_GENERIC_ERROR;
783 }
784
785 counter = 0;
786 move = DOWN;
787 p = node;
788 while (1)
789 {
790 ris = ASN1_SUCCESS;
791 if (move != UP)
792 {
793 if (p->type & CONST_SET)
794 {
795 p2 = MHD__asn1_find_up (p);
796 len2 = strtol ((const char *) p2->value, NULL, 10);
797 if (len2 == -1)
798 {
799 if (!der[counter] && !der[counter + 1])
800 {
801 p = p2;
802 move = UP;
803 counter += 2;
804 continue;
805 }
806 }
807 else if (counter == len2)
808 {
809 p = p2;
810 move = UP;
811 continue;
812 }
813 else if (counter > len2)
814 {
815 MHD__asn1_delete_structure (element);
816 return ASN1_DER_ERROR;
817 }
818 p2 = p2->down;
819 while (p2)
820 {
821 if ((p2->type & CONST_SET) && (p2->type & CONST_NOT_USED))
822 {
823 if (type_field (p2->type) != TYPE_CHOICE)
824 ris =
825 MHD__asn1_extract_tag_der (p2, der + counter,
826 len - counter, &len2);
827 else
828 {
829 p3 = p2->down;
830 while (p3)
831 {
832 ris =
833 MHD__asn1_extract_tag_der (p3, der + counter,
834 len - counter,
835 &len2);
836 if (ris == ASN1_SUCCESS)
837 break;
838 p3 = p3->right;
839 }
840 }
841 if (ris == ASN1_SUCCESS)
842 {
843 p2->type &= ~CONST_NOT_USED;
844 p = p2;
845 break;
846 }
847 }
848 p2 = p2->right;
849 }
850 if (p2 == NULL)
851 {
852 MHD__asn1_delete_structure (element);
853 return ASN1_DER_ERROR;
854 }
855 }
856
857 if ((p->type & CONST_OPTION) || (p->type & CONST_DEFAULT))
858 {
859 p2 = MHD__asn1_find_up (p);
860 len2 = strtol ((const char *) p2->value, NULL, 10);
861 if (counter == len2)
862 {
863 if (p->right)
864 {
865 p2 = p->right;
866 move = RIGHT;
867 }
868 else
869 move = UP;
870
871 if (p->type & CONST_OPTION)
872 MHD__asn1_delete_structure (&p);
873
874 p = p2;
875 continue;
876 }
877 }
878
879 if (type_field (p->type) == TYPE_CHOICE)
880 {
881 while (p->down)
882 {
883 if (counter < len)
884 ris =
885 MHD__asn1_extract_tag_der (p->down, der + counter,
886 len - counter, &len2);
887 else
888 ris = ASN1_DER_ERROR;
889 if (ris == ASN1_SUCCESS)
890 {
891 while (p->down->right)
892 {
893 p2 = p->down->right;
894 MHD__asn1_delete_structure (&p2);
895 }
896 break;
897 }
898 else if (ris == ASN1_ERROR_TYPE_ANY)
899 {
900 MHD__asn1_delete_structure (element);
901 return ASN1_ERROR_TYPE_ANY;
902 }
903 else
904 {
905 p2 = p->down;
906 MHD__asn1_delete_structure (&p2);
907 }
908 }
909
910 if (p->down == NULL)
911 {
912 if (!(p->type & CONST_OPTION))
913 {
914 MHD__asn1_delete_structure (element);
915 return ASN1_DER_ERROR;
916 }
917 }
918 else
919 p = p->down;
920 }
921
922 if ((p->type & CONST_OPTION) || (p->type & CONST_DEFAULT))
923 {
924 p2 = MHD__asn1_find_up (p);
925 len2 = strtol ((const char *) p2->value, NULL, 10);
926 if ((len2 != -1) && (counter > len2))
927 ris = ASN1_TAG_ERROR;
928 }
929
930 if (ris == ASN1_SUCCESS)
931 ris =
932 MHD__asn1_extract_tag_der (p, der + counter, len - counter,
933 &len2);
934 if (ris != ASN1_SUCCESS)
935 {
936 if (p->type & CONST_OPTION)
937 {
938 p->type |= CONST_NOT_USED;
939 move = RIGHT;
940 }
941 else if (p->type & CONST_DEFAULT)
942 {
943 MHD__asn1_set_value (p, NULL, 0);
944 move = RIGHT;
945 }
946 else
947 {
948 if (errorDescription != NULL)
949 MHD__asn1_error_description_tag_error (p,
950 errorDescription);
951
952 MHD__asn1_delete_structure (element);
953 return ASN1_TAG_ERROR;
954 }
955 }
956 else
957 counter += len2;
958 }
959
960 if (ris == ASN1_SUCCESS)
961 {
962 switch (type_field (p->type))
963 {
964 case TYPE_NULL:
965 if (der[counter])
966 {
967 MHD__asn1_delete_structure (element);
968 return ASN1_DER_ERROR;
969 }
970 counter++;
971 move = RIGHT;
972 break;
973 case TYPE_BOOLEAN:
974 if (der[counter++] != 1)
975 {
976 MHD__asn1_delete_structure (element);
977 return ASN1_DER_ERROR;
978 }
979 if (der[counter++] == 0)
980 MHD__asn1_set_value (p, "F", 1);
981 else
982 MHD__asn1_set_value (p, "T", 1);
983 move = RIGHT;
984 break;
985 case TYPE_INTEGER:
986 case TYPE_ENUMERATED:
987 len2 =
988 MHD__asn1_get_length_der (der + counter, len - counter,
989 &len3);
990 if (len2 < 0)
991 return ASN1_DER_ERROR;
992 if (len2 + len3 > len - counter)
993 return ASN1_DER_ERROR;
994 MHD__asn1_set_value (p, der + counter, len3 + len2);
995 counter += len3 + len2;
996 move = RIGHT;
997 break;
998 case TYPE_OBJECT_ID:
999 MHD__asn1_get_objectid_der (der + counter, len - counter, &len2,
1000 temp, sizeof (temp));
1001 tlen = strlen (temp);
1002 if (tlen > 0)
1003 MHD__asn1_set_value (p, temp, tlen + 1);
1004 counter += len2;
1005 move = RIGHT;
1006 break;
1007 case TYPE_TIME:
1008 result =
1009 MHD__asn1_get_time_der (der + counter, len - counter, &len2,
1010 temp, sizeof (temp) - 1);
1011 if (result != ASN1_SUCCESS)
1012 {
1013 MHD__asn1_delete_structure (element);
1014 return result;
1015 }
1016 tlen = strlen (temp);
1017 if (tlen > 0)
1018 MHD__asn1_set_value (p, temp, tlen + 1);
1019 counter += len2;
1020 move = RIGHT;
1021 break;
1022 case TYPE_OCTET_STRING:
1023 len3 = len - counter;
1024 ris = MHD__asn1_get_octet_string (der + counter, p, &len3);
1025 if (ris != ASN1_SUCCESS)
1026 return ris;
1027 counter += len3;
1028 move = RIGHT;
1029 break;
1030 case TYPE_GENERALSTRING:
1031 len2 =
1032 MHD__asn1_get_length_der (der + counter, len - counter,
1033 &len3);
1034 if (len2 < 0)
1035 return ASN1_DER_ERROR;
1036 if (len3 + len2 > len - counter)
1037 return ASN1_DER_ERROR;
1038 MHD__asn1_set_value (p, der + counter, len3 + len2);
1039 counter += len3 + len2;
1040 move = RIGHT;
1041 break;
1042 case TYPE_BIT_STRING:
1043 len2 =
1044 MHD__asn1_get_length_der (der + counter, len - counter,
1045 &len3);
1046 if (len2 < 0)
1047 return ASN1_DER_ERROR;
1048 if (len3 + len2 > len - counter)
1049 return ASN1_DER_ERROR;
1050 MHD__asn1_set_value (p, der + counter, len3 + len2);
1051 counter += len3 + len2;
1052 move = RIGHT;
1053 break;
1054 case TYPE_SEQUENCE:
1055 case TYPE_SET:
1056 if (move == UP)
1057 {
1058 len2 = strtol ((const char *) p->value, NULL, 10);
1059 MHD__asn1_set_value (p, NULL, 0);
1060 if (len2 == -1)
1061 { /* indefinite length method */
1062 if (len - counter + 1 > 0)
1063 {
1064 if ((der[counter]) || der[counter + 1])
1065 {
1066 MHD__asn1_delete_structure (element);
1067 return ASN1_DER_ERROR;
1068 }
1069 }
1070 else
1071 return ASN1_DER_ERROR;
1072 counter += 2;
1073 }
1074 else
1075 { /* definite length method */
1076 if (len2 != counter)
1077 {
1078 MHD__asn1_delete_structure (element);
1079 return ASN1_DER_ERROR;
1080 }
1081 }
1082 move = RIGHT;
1083 }
1084 else
1085 { /* move==DOWN || move==RIGHT */
1086 len3 =
1087 MHD__asn1_get_length_der (der + counter, len - counter,
1088 &len2);
1089 if (len3 < -1)
1090 return ASN1_DER_ERROR;
1091 counter += len2;
1092 if (len3 > 0)
1093 {
1094 MHD__asn1_ltostr (counter + len3, temp);
1095 tlen = strlen (temp);
1096 if (tlen > 0)
1097 MHD__asn1_set_value (p, temp, tlen + 1);
1098 move = DOWN;
1099 }
1100 else if (len3 == 0)
1101 {
1102 p2 = p->down;
1103 while (p2)
1104 {
1105 if (type_field (p2->type) != TYPE_TAG)
1106 {
1107 p3 = p2->right;
1108 MHD__asn1_delete_structure (&p2);
1109 p2 = p3;
1110 }
1111 else
1112 p2 = p2->right;
1113 }
1114 move = RIGHT;
1115 }
1116 else
1117 { /* indefinite length method */
1118 MHD__asn1_set_value (p, "-1", 3);
1119 move = DOWN;
1120 }
1121 }
1122 break;
1123 case TYPE_SEQUENCE_OF:
1124 case TYPE_SET_OF:
1125 if (move == UP)
1126 {
1127 len2 = strtol ((const char *) p->value, NULL, 10);
1128 if (len2 == -1)
1129 { /* indefinite length method */
1130 if ((counter + 2) > len)
1131 return ASN1_DER_ERROR;
1132 if ((der[counter]) || der[counter + 1])
1133 {
1134 MHD__asn1_append_sequence_set (p);
1135 p = p->down;
1136 while (p->right)
1137 p = p->right;
1138 move = RIGHT;
1139 continue;
1140 }
1141 MHD__asn1_set_value (p, NULL, 0);
1142 counter += 2;
1143 }
1144 else
1145 { /* definite length method */
1146 if (len2 > counter)
1147 {
1148 MHD__asn1_append_sequence_set (p);
1149 p = p->down;
1150 while (p->right)
1151 p = p->right;
1152 move = RIGHT;
1153 continue;
1154 }
1155 MHD__asn1_set_value (p, NULL, 0);
1156 if (len2 != counter)
1157 {
1158 MHD__asn1_delete_structure (element);
1159 return ASN1_DER_ERROR;
1160 }
1161 }
1162 }
1163 else
1164 { /* move==DOWN || move==RIGHT */
1165 len3 =
1166 MHD__asn1_get_length_der (der + counter, len - counter,
1167 &len2);
1168 if (len3 < -1)
1169 return ASN1_DER_ERROR;
1170 counter += len2;
1171 if (len3)
1172 {
1173 if (len3 > 0)
1174 { /* definite length method */
1175 MHD__asn1_ltostr (counter + len3, temp);
1176 tlen = strlen (temp);
1177
1178 if (tlen > 0)
1179 MHD__asn1_set_value (p, temp, tlen + 1);
1180 }
1181 else
1182 { /* indefinite length method */
1183 MHD__asn1_set_value (p, "-1", 3);
1184 }
1185 p2 = p->down;
1186 while ((type_field (p2->type) == TYPE_TAG)
1187 || (type_field (p2->type) == TYPE_SIZE))
1188 p2 = p2->right;
1189 if (p2->right == NULL)
1190 MHD__asn1_append_sequence_set (p);
1191 p = p2;
1192 }
1193 }
1194 move = RIGHT;
1195 break;
1196 case TYPE_ANY:
1197 if (MHD__asn1_get_tag_der
1198 (der + counter, len - counter, &class, &len2,
1199 &tag) != ASN1_SUCCESS)
1200 return ASN1_DER_ERROR;
1201 if (counter + len2 > len)
1202 return ASN1_DER_ERROR;
1203 len4 =
1204 MHD__asn1_get_length_der (der + counter + len2,
1205 len - counter - len2, &len3);
1206 if (len4 < -1)
1207 return ASN1_DER_ERROR;
1208 if (len4 > len - counter + len2 + len3)
1209 return ASN1_DER_ERROR;
1210 if (len4 != -1)
1211 {
1212 len2 += len4;
1213 MHD__asn1_length_der (len2 + len3, NULL, &len4);
1214 temp2 =
1215 (unsigned char *) MHD__asn1_alloca (len2 + len3 + len4);
1216 if (temp2 == NULL)
1217 {
1218 MHD__asn1_delete_structure (element);
1219 return ASN1_MEM_ALLOC_ERROR;
1220 }
1221
1222 MHD__asn1_octet_der (der + counter, len2 + len3, temp2,
1223 &len4);
1224 MHD__asn1_set_value (p, temp2, len4);
1225 MHD__asn1_afree (temp2);
1226 counter += len2 + len3;
1227 }
1228 else
1229 { /* indefinite length */
1230 /* Check indefinite lenth method in an EXPLICIT TAG */
1231 if ((p->type & CONST_TAG) && (der[counter - 1] == 0x80))
1232 indefinite = 1;
1233 else
1234 indefinite = 0;
1235
1236 len2 = len - counter;
1237 ris =
1238 MHD__asn1_get_indefinite_length_string (der + counter,
1239 &len2);
1240 if (ris != ASN1_SUCCESS)
1241 {
1242 MHD__asn1_delete_structure (element);
1243 return ris;
1244 }
1245 MHD__asn1_length_der (len2, NULL, &len4);
1246 temp2 = (unsigned char *) MHD__asn1_alloca (len2 + len4);
1247 if (temp2 == NULL)
1248 {
1249 MHD__asn1_delete_structure (element);
1250 return ASN1_MEM_ALLOC_ERROR;
1251 }
1252
1253 MHD__asn1_octet_der (der + counter, len2, temp2, &len4);
1254 MHD__asn1_set_value (p, temp2, len4);
1255 MHD__asn1_afree (temp2);
1256 counter += len2;
1257
1258 /* Check if a couple of 0x00 are present due to an EXPLICIT TAG with
1259 an indefinite length method. */
1260 if (indefinite)
1261 {
1262 if (!der[counter] && !der[counter + 1])
1263 {
1264 counter += 2;
1265 }
1266 else
1267 {
1268 MHD__asn1_delete_structure (element);
1269 return ASN1_DER_ERROR;
1270 }
1271 }
1272 }
1273 move = RIGHT;
1274 break;
1275 default:
1276 move = (move == UP) ? RIGHT : DOWN;
1277 break;
1278 }
1279 }
1280
1281 if (p == node && move != DOWN)
1282 break;
1283
1284 if (move == DOWN)
1285 {
1286 if (p->down)
1287 p = p->down;
1288 else
1289 move = RIGHT;
1290 }
1291 if ((move == RIGHT) && !(p->type & CONST_SET))
1292 {
1293 if (p->right)
1294 p = p->right;
1295 else
1296 move = UP;
1297 }
1298 if (move == UP)
1299 p = MHD__asn1_find_up (p);
1300 }
1301
1302 MHD__asn1_delete_not_used (*element);
1303
1304 if (counter != len)
1305 {
1306 MHD__asn1_delete_structure (element);
1307 return ASN1_DER_ERROR;
1308 }
1309
1310 return ASN1_SUCCESS;
1311}
1312
1313
1314/**
1315 * MHD__asn1_der_decoding_startEnd - Find the start and end point of an element in a DER encoding string.
1316 * @element: pointer to an ASN1 element
1317 * @ider: vector that contains the DER encoding.
1318 * @len: number of bytes of *@ider: @ider[0]..@ider[len-1]
1319 * @name_element: an element of NAME structure.
1320 * @start: the position of the first byte of NAME_ELEMENT decoding
1321 * (@ider[*start])
1322 * @end: the position of the last byte of NAME_ELEMENT decoding
1323 * (@ider[*end])
1324 *
1325 * Find the start and end point of an element in a DER encoding
1326 * string. I mean that if you have a der encoding and you have
1327 * already used the function "MHD__asn1_der_decoding" to fill a structure,
1328 * it may happen that you want to find the piece of string concerning
1329 * an element of the structure.
1330 *
1331 * Example: the sequence "tbsCertificate" inside an X509 certificate.
1332 *
1333 * Returns:
1334 *
1335 * ASN1_SUCCESS: DER encoding OK.
1336 *
1337 * ASN1_ELEMENT_NOT_FOUND: ELEMENT is ASN1_TYPE EMPTY or
1338 * NAME_ELEMENT is not a valid element.
1339 *
1340 * ASN1_TAG_ERROR,ASN1_DER_ERROR: the der encoding doesn't match
1341 * the structure ELEMENT.
1342 *
1343 **/
1344MHD__asn1_retCode
1345MHD__asn1_der_decoding_startEnd (ASN1_TYPE element, const void *ider, int len,
1346 const char *name_element, int *start,
1347 int *end)
1348{
1349 node_asn *node, *node_to_find, *p, *p2, *p3;
1350 int counter, len2, len3, len4, move, ris;
1351 unsigned char class;
1352 unsigned long tag;
1353 int indefinite;
1354 const unsigned char *der = ider;
1355
1356 node = element;
1357
1358 if (node == ASN1_TYPE_EMPTY)
1359 return ASN1_ELEMENT_NOT_FOUND;
1360
1361 node_to_find = MHD__asn1_find_node (node, name_element);
1362
1363 if (node_to_find == NULL)
1364 return ASN1_ELEMENT_NOT_FOUND;
1365
1366 if (node_to_find == node)
1367 {
1368 *start = 0;
1369 *end = len - 1;
1370 return ASN1_SUCCESS;
1371 }
1372
1373 if (node->type & CONST_OPTION)
1374 return ASN1_GENERIC_ERROR;
1375
1376 counter = 0;
1377 move = DOWN;
1378 p = node;
1379 while (1)
1380 {
1381 ris = ASN1_SUCCESS;
1382
1383 if (move != UP)
1384 {
1385 if (p->type & CONST_SET)
1386 {
1387 p2 = MHD__asn1_find_up (p);
1388 len2 = strtol ((const char *) p2->value, NULL, 10);
1389 if (len2 == -1)
1390 {
1391 if (!der[counter] && !der[counter + 1])
1392 {
1393 p = p2;
1394 move = UP;
1395 counter += 2;
1396 continue;
1397 }
1398 }
1399 else if (counter == len2)
1400 {
1401 p = p2;
1402 move = UP;
1403 continue;
1404 }
1405 else if (counter > len2)
1406 return ASN1_DER_ERROR;
1407 p2 = p2->down;
1408 while (p2)
1409 {
1410 if ((p2->type & CONST_SET) && (p2->type & CONST_NOT_USED))
1411 { /* CONTROLLARE */
1412 if (type_field (p2->type) != TYPE_CHOICE)
1413 ris =
1414 MHD__asn1_extract_tag_der (p2, der + counter,
1415 len - counter, &len2);
1416 else
1417 {
1418 p3 = p2->down;
1419 ris =
1420 MHD__asn1_extract_tag_der (p3, der + counter,
1421 len - counter, &len2);
1422 }
1423 if (ris == ASN1_SUCCESS)
1424 {
1425 p2->type &= ~CONST_NOT_USED;
1426 p = p2;
1427 break;
1428 }
1429 }
1430 p2 = p2->right;
1431 }
1432 if (p2 == NULL)
1433 return ASN1_DER_ERROR;
1434 }
1435
1436 if (p == node_to_find)
1437 *start = counter;
1438
1439 if (type_field (p->type) == TYPE_CHOICE)
1440 {
1441 p = p->down;
1442 ris =
1443 MHD__asn1_extract_tag_der (p, der + counter, len - counter,
1444 &len2);
1445 if (p == node_to_find)
1446 *start = counter;
1447 }
1448
1449 if (ris == ASN1_SUCCESS)
1450 ris =
1451 MHD__asn1_extract_tag_der (p, der + counter, len - counter,
1452 &len2);
1453 if (ris != ASN1_SUCCESS)
1454 {
1455 if (p->type & CONST_OPTION)
1456 {
1457 p->type |= CONST_NOT_USED;
1458 move = RIGHT;
1459 }
1460 else if (p->type & CONST_DEFAULT)
1461 {
1462 move = RIGHT;
1463 }
1464 else
1465 {
1466 return ASN1_TAG_ERROR;
1467 }
1468 }
1469 else
1470 counter += len2;
1471 }
1472
1473 if (ris == ASN1_SUCCESS)
1474 {
1475 switch (type_field (p->type))
1476 {
1477 case TYPE_NULL:
1478 if (der[counter])
1479 return ASN1_DER_ERROR;
1480 counter++;
1481 move = RIGHT;
1482 break;
1483 case TYPE_BOOLEAN:
1484 if (der[counter++] != 1)
1485 return ASN1_DER_ERROR;
1486 counter++;
1487 move = RIGHT;
1488 break;
1489 case TYPE_INTEGER:
1490 case TYPE_ENUMERATED:
1491 len2 =
1492 MHD__asn1_get_length_der (der + counter, len - counter,
1493 &len3);
1494 if (len2 < 0)
1495 return ASN1_DER_ERROR;
1496 counter += len3 + len2;
1497 move = RIGHT;
1498 break;
1499 case TYPE_OBJECT_ID:
1500 len2 =
1501 MHD__asn1_get_length_der (der + counter, len - counter,
1502 &len3);
1503 if (len2 < 0)
1504 return ASN1_DER_ERROR;
1505 counter += len2 + len3;
1506 move = RIGHT;
1507 break;
1508 case TYPE_TIME:
1509 len2 =
1510 MHD__asn1_get_length_der (der + counter, len - counter,
1511 &len3);
1512 if (len2 < 0)
1513 return ASN1_DER_ERROR;
1514 counter += len2 + len3;
1515 move = RIGHT;
1516 break;
1517 case TYPE_OCTET_STRING:
1518 len3 = len - counter;
1519 ris = MHD__asn1_get_octet_string (der + counter, NULL, &len3);
1520 if (ris != ASN1_SUCCESS)
1521 return ris;
1522 counter += len3;
1523 move = RIGHT;
1524 break;
1525 case TYPE_GENERALSTRING:
1526 len2 =
1527 MHD__asn1_get_length_der (der + counter, len - counter,
1528 &len3);
1529 if (len2 < 0)
1530 return ASN1_DER_ERROR;
1531 counter += len3 + len2;
1532 move = RIGHT;
1533 break;
1534 case TYPE_BIT_STRING:
1535 len2 =
1536 MHD__asn1_get_length_der (der + counter, len - counter,
1537 &len3);
1538 if (len2 < 0)
1539 return ASN1_DER_ERROR;
1540 counter += len3 + len2;
1541 move = RIGHT;
1542 break;
1543 case TYPE_SEQUENCE:
1544 case TYPE_SET:
1545 if (move != UP)
1546 {
1547 len3 =
1548 MHD__asn1_get_length_der (der + counter, len - counter,
1549 &len2);
1550 if (len3 < -1)
1551 return ASN1_DER_ERROR;
1552 counter += len2;
1553 if (len3 == 0)
1554 move = RIGHT;
1555 else
1556 move = DOWN;
1557 }
1558 else
1559 {
1560 if (!der[counter] && !der[counter + 1]) /* indefinite length method */
1561 counter += 2;
1562 move = RIGHT;
1563 }
1564 break;
1565 case TYPE_SEQUENCE_OF:
1566 case TYPE_SET_OF:
1567 if (move != UP)
1568 {
1569 len3 =
1570 MHD__asn1_get_length_der (der + counter, len - counter,
1571 &len2);
1572 if (len3 < -1)
1573 return ASN1_DER_ERROR;
1574 counter += len2;
1575 if ((len3 == -1) && !der[counter] && !der[counter + 1])
1576 counter += 2;
1577 else if (len3)
1578 {
1579 p2 = p->down;
1580 while ((type_field (p2->type) == TYPE_TAG) ||
1581 (type_field (p2->type) == TYPE_SIZE))
1582 p2 = p2->right;
1583 p = p2;
1584 }
1585 }
1586 else
1587 {
1588 if (!der[counter] && !der[counter + 1]) /* indefinite length method */
1589 counter += 2;
1590 }
1591 move = RIGHT;
1592 break;
1593 case TYPE_ANY:
1594 if (MHD__asn1_get_tag_der
1595 (der + counter, len - counter, &class, &len2,
1596 &tag) != ASN1_SUCCESS)
1597 return ASN1_DER_ERROR;
1598 if (counter + len2 > len)
1599 return ASN1_DER_ERROR;
1600
1601 len4 =
1602 MHD__asn1_get_length_der (der + counter + len2,
1603 len - counter - len2, &len3);
1604 if (len4 < -1)
1605 return ASN1_DER_ERROR;
1606
1607 if (len4 != -1)
1608 {
1609 counter += len2 + len4 + len3;
1610 }
1611 else
1612 { /* indefinite length */
1613 /* Check indefinite lenth method in an EXPLICIT TAG */
1614 if ((p->type & CONST_TAG) && (der[counter - 1] == 0x80))
1615 indefinite = 1;
1616 else
1617 indefinite = 0;
1618
1619 len2 = len - counter;
1620 ris =
1621 MHD__asn1_get_indefinite_length_string (der + counter,
1622 &len2);
1623 if (ris != ASN1_SUCCESS)
1624 return ris;
1625 counter += len2;
1626
1627 /* Check if a couple of 0x00 are present due to an EXPLICIT TAG with
1628 an indefinite length method. */
1629 if (indefinite)
1630 {
1631 if (!der[counter] && !der[counter + 1])
1632 counter += 2;
1633 else
1634 return ASN1_DER_ERROR;
1635 }
1636 }
1637 move = RIGHT;
1638 break;
1639 default:
1640 move = (move == UP) ? RIGHT : DOWN;
1641 break;
1642 }
1643 }
1644
1645 if ((p == node_to_find) && (move == RIGHT))
1646 {
1647 *end = counter - 1;
1648 return ASN1_SUCCESS;
1649 }
1650
1651 if (p == node && move != DOWN)
1652 break;
1653
1654 if (move == DOWN)
1655 {
1656 if (p->down)
1657 p = p->down;
1658 else
1659 move = RIGHT;
1660 }
1661 if ((move == RIGHT) && !(p->type & CONST_SET))
1662 {
1663 if (p->right)
1664 p = p->right;
1665 else
1666 move = UP;
1667 }
1668 if (move == UP)
1669 p = MHD__asn1_find_up (p);
1670 }
1671
1672 return ASN1_ELEMENT_NOT_FOUND;
1673}
diff --git a/src/daemon/https/minitasn1/element.c b/src/daemon/https/minitasn1/element.c
deleted file mode 100644
index bd84e71c..00000000
--- a/src/daemon/https/minitasn1/element.c
+++ /dev/null
@@ -1,902 +0,0 @@
1/*
2 * Copyright (C) 2004, 2006 Free Software Foundation
3 * Copyright (C) 2000, 2001, 2002, 2003 Fabio Fiorina
4 *
5 * This file is part of LIBTASN1.
6 *
7 * The LIBTASN1 library is free software; you can redistribute it
8 * and/or modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 * 02110-1301, USA
21 */
22
23/*****************************************************/
24/* File: element.c */
25/* Description: Functions with the read and write */
26/* functions. */
27/*****************************************************/
28
29
30#include <int.h>
31#include "parser_aux.h"
32#include <gstr.h>
33#include "structure.h"
34
35void
36MHD__asn1_hierarchical_name (node_asn * node, char *name, int name_size)
37{
38 node_asn *p;
39 char tmp_name[64];
40
41 p = node;
42
43 name[0] = 0;
44
45 while (p != NULL)
46 {
47 if (p->name != NULL)
48 {
49 MHD__asn1_str_cpy (tmp_name, sizeof (tmp_name), name),
50 MHD__asn1_str_cpy (name, name_size, p->name);
51 MHD__asn1_str_cat (name, name_size, ".");
52 MHD__asn1_str_cat (name, name_size, tmp_name);
53 }
54 p = MHD__asn1_find_up (p);
55 }
56
57 if (name[0] == 0)
58 MHD__asn1_str_cpy (name, name_size, "ROOT");
59}
60
61
62/******************************************************************/
63/* Function : MHD__asn1_convert_integer */
64/* Description: converts an integer from a null terminated string */
65/* to der decoding. The convertion from a null */
66/* terminated string to an integer is made with */
67/* the 'strtol' function. */
68/* Parameters: */
69/* value: null terminated string to convert. */
70/* value_out: convertion result (memory must be already */
71/* allocated). */
72/* value_out_size: number of bytes of value_out. */
73/* len: number of significant byte of value_out. */
74/* Return: ASN1_MEM_ERROR or ASN1_SUCCESS */
75/******************************************************************/
76MHD__asn1_retCode
77MHD__asn1_convert_integer (const char *value, unsigned char *value_out,
78 int value_out_size, int *len)
79{
80 char negative;
81 unsigned char val[SIZEOF_UNSIGNED_LONG_INT];
82 long valtmp;
83 int k, k2;
84
85 valtmp = strtol (value, NULL, 10);
86
87 for (k = 0; k < SIZEOF_UNSIGNED_LONG_INT; k++)
88 {
89 val[SIZEOF_UNSIGNED_LONG_INT - k - 1] = (valtmp >> (8 * k)) & 0xFF;
90 }
91
92 if (val[0] & 0x80)
93 negative = 1;
94 else
95 negative = 0;
96
97 for (k = 0; k < SIZEOF_UNSIGNED_LONG_INT - 1; k++)
98 {
99 if (negative && (val[k] != 0xFF))
100 break;
101 else if (!negative && val[k])
102 break;
103 }
104
105 if ((negative && !(val[k] & 0x80)) || (!negative && (val[k] & 0x80)))
106 k--;
107
108 *len = SIZEOF_UNSIGNED_LONG_INT - k;
109
110 if (SIZEOF_UNSIGNED_LONG_INT - k > value_out_size)
111 /* VALUE_OUT is too short to contain the value conversion */
112 return ASN1_MEM_ERROR;
113
114 for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
115 value_out[k2 - k] = val[k2];
116
117 return ASN1_SUCCESS;
118}
119
120
121int
122MHD__asn1_append_sequence_set (node_asn * node)
123{
124 node_asn *p, *p2;
125 char temp[10];
126 long n;
127
128 if (!node || !(node->down))
129 return ASN1_GENERIC_ERROR;
130
131 p = node->down;
132 while ((type_field (p->type) == TYPE_TAG)
133 || (type_field (p->type) == TYPE_SIZE))
134 p = p->right;
135 p2 = MHD__asn1_copy_structure3 (p);
136 while (p->right)
137 p = p->right;
138 MHD__asn1_set_right (p, p2);
139
140 if (p->name == NULL)
141 MHD__asn1_str_cpy (temp, sizeof (temp), "?1");
142 else
143 {
144 n = strtol (p->name + 1, NULL, 0);
145 n++;
146 temp[0] = '?';
147 MHD__asn1_ltostr (n, temp + 1);
148 }
149 MHD__asn1_set_name (p2, temp);
150 /* p2->type |= CONST_OPTION; */
151
152 return ASN1_SUCCESS;
153}
154
155
156/**
157 * MHD__asn1_write_value - Set the value of one element inside a structure.
158 * @node_root: pointer to a structure
159 * @name: the name of the element inside the structure that you want to set.
160 * @ivalue: vector used to specify the value to set. If len is >0,
161 * VALUE must be a two's complement form integer. if len=0 *VALUE
162 * must be a null terminated string with an integer value.
163 * @len: number of bytes of *value to use to set the value:
164 * value[0]..value[len-1] or 0 if value is a null terminated string
165 *
166 * Set the value of one element inside a structure.
167 *
168 * If an element is OPTIONAL and you want to delete it, you must use
169 * the value=NULL and len=0. Using "pkix.asn":
170 *
171 * result=MHD__asn1_write_value(cert, "tbsCertificate.issuerUniqueID",
172 * NULL, 0);
173 *
174 * Description for each type:
175 *
176 * INTEGER: VALUE must contain a two's complement form integer.
177 *
178 * value[0]=0xFF , len=1 -> integer=-1.
179 * value[0]=0xFF value[1]=0xFF , len=2 -> integer=-1.
180 * value[0]=0x01 , len=1 -> integer= 1.
181 * value[0]=0x00 value[1]=0x01 , len=2 -> integer= 1.
182 * value="123" , len=0 -> integer= 123.
183 *
184 * ENUMERATED: As INTEGER (but only with not negative numbers).
185 *
186 * BOOLEAN: VALUE must be the null terminated string "TRUE" or
187 * "FALSE" and LEN != 0.
188 *
189 * value="TRUE" , len=1 -> boolean=TRUE.
190 * value="FALSE" , len=1 -> boolean=FALSE.
191 *
192 * OBJECT IDENTIFIER: VALUE must be a null terminated string with
193 * each number separated by a dot (e.g. "1.2.3.543.1"). LEN != 0.
194 *
195 * value="1 2 840 10040 4 3" , len=1 -> OID=dsa-with-sha.
196 *
197 * UTCTime: VALUE must be a null terminated string in one of these
198 * formats: "YYMMDDhhmmssZ", "YYMMDDhhmmssZ",
199 * "YYMMDDhhmmss+hh'mm'", "YYMMDDhhmmss-hh'mm'",
200 * "YYMMDDhhmm+hh'mm'", or "YYMMDDhhmm-hh'mm'". LEN != 0.
201 *
202 * value="9801011200Z" , len=1 -> time=Jannuary 1st, 1998
203 * at 12h 00m Greenwich Mean Time
204 *
205 * GeneralizedTime: VALUE must be in one of this format:
206 * "YYYYMMDDhhmmss.sZ", "YYYYMMDDhhmmss.sZ",
207 * "YYYYMMDDhhmmss.s+hh'mm'", "YYYYMMDDhhmmss.s-hh'mm'",
208 * "YYYYMMDDhhmm+hh'mm'", or "YYYYMMDDhhmm-hh'mm'" where ss.s
209 * indicates the seconds with any precision like "10.1" or "01.02".
210 * LEN != 0
211 *
212 * value="2001010112001.12-0700" , len=1 -> time=Jannuary
213 * 1st, 2001 at 12h 00m 01.12s Pacific Daylight Time
214 *
215 * OCTET STRING: VALUE contains the octet string and LEN is the
216 * number of octets.
217 *
218 * value="$\backslash$x01$\backslash$x02$\backslash$x03" ,
219 * len=3 -> three bytes octet string
220 *
221 * GeneralString: VALUE contains the generalstring and LEN is the
222 * number of octets.
223 *
224 * value="$\backslash$x01$\backslash$x02$\backslash$x03" ,
225 * len=3 -> three bytes generalstring
226 *
227 * BIT STRING: VALUE contains the bit string organized by bytes and
228 * LEN is the number of bits.
229 *
230 * value="$\backslash$xCF" , len=6 -> bit string="110011" (six
231 * bits)
232 *
233 * CHOICE: if NAME indicates a choice type, VALUE must specify one of
234 * the alternatives with a null terminated string. LEN != 0. Using
235 * "pkix.asn"\:
236 *
237 * result=MHD__asn1_write_value(cert,
238 * "certificate1.tbsCertificate.subject", "rdnSequence",
239 * 1);
240 *
241 * ANY: VALUE indicates the der encoding of a structure. LEN != 0.
242 *
243 * SEQUENCE OF: VALUE must be the null terminated string "NEW" and
244 * LEN != 0. With this instruction another element is appended in
245 * the sequence. The name of this element will be "?1" if it's the
246 * first one, "?2" for the second and so on.
247 *
248 * Using "pkix.asn"\:
249 *
250 * result=MHD__asn1_write_value(cert,
251 * "certificate1.tbsCertificate.subject.rdnSequence", "NEW", 1);
252 *
253 * SET OF: the same as SEQUENCE OF. Using "pkix.asn":
254 *
255 * result=MHD__asn1_write_value(cert,
256 * "tbsCertificate.subject.rdnSequence.?LAST", "NEW", 1);
257 *
258 * Returns:
259 *
260 * ASN1_SUCCESS: Set value OK.
261 *
262 * ASN1_ELEMENT_NOT_FOUND: NAME is not a valid element.
263 *
264 * ASN1_VALUE_NOT_VALID: VALUE has a wrong format.
265 *
266 **/
267MHD__asn1_retCode
268MHD__asn1_write_value (ASN1_TYPE node_root, const char *name,
269 const void *ivalue, int len)
270{
271 node_asn *node, *p, *p2;
272 unsigned char *temp, *value_temp = NULL, *default_temp = NULL;
273 int len2, k, k2, negative;
274 const char *value = ivalue;
275
276 node = MHD__asn1_find_node (node_root, name);
277 if (node == NULL)
278 return ASN1_ELEMENT_NOT_FOUND;
279
280 if ((node->type & CONST_OPTION) && (value == NULL) && (len == 0))
281 {
282 MHD__asn1_delete_structure (&node);
283 return ASN1_SUCCESS;
284 }
285
286 if ((type_field (node->type) == TYPE_SEQUENCE_OF) && (value == NULL)
287 && (len == 0))
288 {
289 p = node->down;
290 while ((type_field (p->type) == TYPE_TAG)
291 || (type_field (p->type) == TYPE_SIZE))
292 p = p->right;
293
294 while (p->right)
295 MHD__asn1_delete_structure (&p->right);
296
297 return ASN1_SUCCESS;
298 }
299
300 switch (type_field (node->type))
301 {
302 case TYPE_BOOLEAN:
303 if (!strcmp (value, "TRUE"))
304 {
305 if (node->type & CONST_DEFAULT)
306 {
307 p = node->down;
308 while (type_field (p->type) != TYPE_DEFAULT)
309 p = p->right;
310 if (p->type & CONST_TRUE)
311 MHD__asn1_set_value (node, NULL, 0);
312 else
313 MHD__asn1_set_value (node, "T", 1);
314 }
315 else
316 MHD__asn1_set_value (node, "T", 1);
317 }
318 else if (!strcmp (value, "FALSE"))
319 {
320 if (node->type & CONST_DEFAULT)
321 {
322 p = node->down;
323 while (type_field (p->type) != TYPE_DEFAULT)
324 p = p->right;
325 if (p->type & CONST_FALSE)
326 MHD__asn1_set_value (node, NULL, 0);
327 else
328 MHD__asn1_set_value (node, "F", 1);
329 }
330 else
331 MHD__asn1_set_value (node, "F", 1);
332 }
333 else
334 return ASN1_VALUE_NOT_VALID;
335 break;
336 case TYPE_INTEGER:
337 case TYPE_ENUMERATED:
338 if (len == 0)
339 {
340 if ((isdigit ((unsigned char) value[0])) || (value[0] == '-'))
341 {
342 value_temp =
343 (unsigned char *) MHD__asn1_alloca (SIZEOF_UNSIGNED_LONG_INT);
344 if (value_temp == NULL)
345 return ASN1_MEM_ALLOC_ERROR;
346
347 MHD__asn1_convert_integer (value, value_temp,
348 SIZEOF_UNSIGNED_LONG_INT, &len);
349 }
350 else
351 { /* is an identifier like v1 */
352 if (!(node->type & CONST_LIST))
353 return ASN1_VALUE_NOT_VALID;
354 p = node->down;
355 while (p)
356 {
357 if (type_field (p->type) == TYPE_CONSTANT)
358 {
359 if ((p->name) && (!strcmp (p->name, value)))
360 {
361 value_temp =
362 (unsigned char *)
363 MHD__asn1_alloca (SIZEOF_UNSIGNED_LONG_INT);
364 if (value_temp == NULL)
365 return ASN1_MEM_ALLOC_ERROR;
366
367 MHD__asn1_convert_integer ((const char *) p->value,
368 value_temp,
369 SIZEOF_UNSIGNED_LONG_INT,
370 &len);
371 break;
372 }
373 }
374 p = p->right;
375 }
376 if (p == NULL)
377 return ASN1_VALUE_NOT_VALID;
378 }
379 }
380 else
381 { /* len != 0 */
382 value_temp = (unsigned char *) MHD__asn1_alloca (len);
383 if (value_temp == NULL)
384 return ASN1_MEM_ALLOC_ERROR;
385 memcpy (value_temp, value, len);
386 }
387
388
389 if (value_temp[0] & 0x80)
390 negative = 1;
391 else
392 negative = 0;
393
394 if (negative && (type_field (node->type) == TYPE_ENUMERATED))
395 {
396 MHD__asn1_afree (value_temp);
397 return ASN1_VALUE_NOT_VALID;
398 }
399
400 for (k = 0; k < len - 1; k++)
401 if (negative && (value_temp[k] != 0xFF))
402 break;
403 else if (!negative && value_temp[k])
404 break;
405
406 if ((negative && !(value_temp[k] & 0x80)) ||
407 (!negative && (value_temp[k] & 0x80)))
408 k--;
409
410 MHD__asn1_length_der (len - k, NULL, &len2);
411 temp = (unsigned char *) MHD__asn1_alloca (len - k + len2);
412 if (temp == NULL)
413 {
414 MHD__asn1_afree (value_temp);
415 return ASN1_MEM_ALLOC_ERROR;
416 }
417
418 MHD__asn1_octet_der (value_temp + k, len - k, temp, &len2);
419 MHD__asn1_set_value (node, temp, len2);
420
421 MHD__asn1_afree (temp);
422
423
424 if (node->type & CONST_DEFAULT)
425 {
426 p = node->down;
427 while (type_field (p->type) != TYPE_DEFAULT)
428 p = p->right;
429 if ((isdigit ((unsigned char) p->value[0])) || (p->value[0] == '-'))
430 {
431 default_temp =
432 (unsigned char *) MHD__asn1_alloca (SIZEOF_UNSIGNED_LONG_INT);
433 if (default_temp == NULL)
434 {
435 MHD__asn1_afree (value_temp);
436 return ASN1_MEM_ALLOC_ERROR;
437 }
438
439 MHD__asn1_convert_integer ((const char *) p->value,
440 default_temp,
441 SIZEOF_UNSIGNED_LONG_INT, &len2);
442 }
443 else
444 { /* is an identifier like v1 */
445 if (!(node->type & CONST_LIST))
446 {
447 MHD__asn1_afree (value_temp);
448 return ASN1_VALUE_NOT_VALID;
449 }
450 p2 = node->down;
451 while (p2)
452 {
453 if (type_field (p2->type) == TYPE_CONSTANT)
454 {
455 if ((p2->name)
456 && (!strcmp (p2->name, (const char *) p->value)))
457 {
458 default_temp =
459 (unsigned char *)
460 MHD__asn1_alloca (SIZEOF_UNSIGNED_LONG_INT);
461 if (default_temp == NULL)
462 {
463 MHD__asn1_afree (value_temp);
464 return ASN1_MEM_ALLOC_ERROR;
465 }
466
467 MHD__asn1_convert_integer ((const char *) p2->value,
468 default_temp,
469 SIZEOF_UNSIGNED_LONG_INT,
470 &len2);
471 break;
472 }
473 }
474 p2 = p2->right;
475 }
476 if (p2 == NULL)
477 {
478 MHD__asn1_afree (value_temp);
479 return ASN1_VALUE_NOT_VALID;
480 }
481 }
482
483
484 if ((len - k) == len2)
485 {
486 for (k2 = 0; k2 < len2; k2++)
487 if (value_temp[k + k2] != default_temp[k2])
488 {
489 break;
490 }
491 if (k2 == len2)
492 MHD__asn1_set_value (node, NULL, 0);
493 }
494 MHD__asn1_afree (default_temp);
495 }
496 MHD__asn1_afree (value_temp);
497 break;
498 case TYPE_OBJECT_ID:
499 for (k = 0; k < strlen (value); k++)
500 if ((!isdigit ((unsigned char) value[k])) && (value[k] != '.') && (value[k] != '+'))
501 return ASN1_VALUE_NOT_VALID;
502 if (node->type & CONST_DEFAULT)
503 {
504 p = node->down;
505 while (type_field (p->type) != TYPE_DEFAULT)
506 p = p->right;
507 if (!strcmp (value, (const char *) p->value))
508 {
509 MHD__asn1_set_value (node, NULL, 0);
510 break;
511 }
512 }
513 MHD__asn1_set_value (node, value, strlen (value) + 1);
514 break;
515 case TYPE_TIME:
516 if (node->type & CONST_UTC)
517 {
518 if (strlen (value) < 11)
519 return ASN1_VALUE_NOT_VALID;
520 for (k = 0; k < 10; k++)
521 if (!isdigit ( (unsigned char) value[k]))
522 return ASN1_VALUE_NOT_VALID;
523 switch (strlen (value))
524 {
525 case 11:
526 if (value[10] != 'Z')
527 return ASN1_VALUE_NOT_VALID;
528 break;
529 case 13:
530 if ((!isdigit ( (unsigned char) value[10])) || (!isdigit ( (unsigned char) value[11])) ||
531 (value[12] != 'Z'))
532 return ASN1_VALUE_NOT_VALID;
533 break;
534 case 15:
535 if ((value[10] != '+') && (value[10] != '-'))
536 return ASN1_VALUE_NOT_VALID;
537 for (k = 11; k < 15; k++)
538 if (!isdigit ( (unsigned char) value[k]))
539 return ASN1_VALUE_NOT_VALID;
540 break;
541 case 17:
542 if ((!isdigit ( (unsigned char) value[10])) || (!isdigit ( (unsigned char) value[11])))
543 return ASN1_VALUE_NOT_VALID;
544 if ((value[12] != '+') && (value[12] != '-'))
545 return ASN1_VALUE_NOT_VALID;
546 for (k = 13; k < 17; k++)
547 if (!isdigit ( (unsigned char) value[k]))
548 return ASN1_VALUE_NOT_VALID;
549 break;
550 default:
551 return ASN1_VALUE_NOT_FOUND;
552 }
553 MHD__asn1_set_value (node, value, strlen (value) + 1);
554 }
555 else
556 { /* GENERALIZED TIME */
557 if (value)
558 MHD__asn1_set_value (node, value, strlen (value) + 1);
559 }
560 break;
561 case TYPE_OCTET_STRING:
562 if (len == 0)
563 len = strlen (value);
564 MHD__asn1_length_der (len, NULL, &len2);
565 temp = (unsigned char *) MHD__asn1_alloca (len + len2);
566 if (temp == NULL)
567 return ASN1_MEM_ALLOC_ERROR;
568
569 MHD__asn1_octet_der ((const unsigned char *) value, len, temp, &len2);
570 MHD__asn1_set_value (node, temp, len2);
571 MHD__asn1_afree (temp);
572 break;
573 case TYPE_GENERALSTRING:
574 if (len == 0)
575 len = strlen (value);
576 MHD__asn1_length_der (len, NULL, &len2);
577 temp = (unsigned char *) MHD__asn1_alloca (len + len2);
578 if (temp == NULL)
579 return ASN1_MEM_ALLOC_ERROR;
580
581 MHD__asn1_octet_der ((const unsigned char *) value, len, temp, &len2);
582 MHD__asn1_set_value (node, temp, len2);
583 MHD__asn1_afree (temp);
584 break;
585 case TYPE_BIT_STRING:
586 if (len == 0)
587 len = strlen (value);
588 MHD__asn1_length_der ((len >> 3) + 2, NULL, &len2);
589 temp = (unsigned char *) MHD__asn1_alloca ((len >> 3) + 2 + len2);
590 if (temp == NULL)
591 return ASN1_MEM_ALLOC_ERROR;
592
593 MHD__asn1_bit_der ((const unsigned char *) value, len, temp, &len2);
594 MHD__asn1_set_value (node, temp, len2);
595 MHD__asn1_afree (temp);
596 break;
597 case TYPE_CHOICE:
598 p = node->down;
599 while (p)
600 {
601 if (!strcmp (p->name, value))
602 {
603 p2 = node->down;
604 while (p2)
605 {
606 if (p2 != p)
607 {
608 MHD__asn1_delete_structure (&p2);
609 p2 = node->down;
610 }
611 else
612 p2 = p2->right;
613 }
614 break;
615 }
616 p = p->right;
617 }
618 if (!p)
619 return ASN1_ELEMENT_NOT_FOUND;
620 break;
621 case TYPE_ANY:
622 MHD__asn1_length_der (len, NULL, &len2);
623 temp = (unsigned char *) MHD__asn1_alloca (len + len2);
624 if (temp == NULL)
625 return ASN1_MEM_ALLOC_ERROR;
626
627 MHD__asn1_octet_der ((const unsigned char *) value, len, temp, &len2);
628 MHD__asn1_set_value (node, temp, len2);
629 MHD__asn1_afree (temp);
630 break;
631 case TYPE_SEQUENCE_OF:
632 case TYPE_SET_OF:
633 if (strcmp (value, "NEW"))
634 return ASN1_VALUE_NOT_VALID;
635 MHD__asn1_append_sequence_set (node);
636 break;
637 default:
638 return ASN1_ELEMENT_NOT_FOUND;
639 break;
640 }
641
642 return ASN1_SUCCESS;
643}
644
645
646#define PUT_VALUE( ptr, ptr_size, data, data_size) \
647 *len = data_size; \
648 if (ptr_size < data_size) { \
649 return ASN1_MEM_ERROR; \
650 } else { \
651 memcpy( ptr, data, data_size); \
652 }
653
654#define PUT_STR_VALUE( ptr, ptr_size, data) \
655 *len = strlen(data) + 1; \
656 if (ptr_size < *len) { \
657 return ASN1_MEM_ERROR; \
658 } else { \
659 /* this strcpy is checked */ \
660 strcpy(ptr, data); \
661 }
662
663#define ADD_STR_VALUE( ptr, ptr_size, data) \
664 *len = strlen(data) + 1; \
665 if (ptr_size < strlen(ptr)+(*len)) { \
666 return ASN1_MEM_ERROR; \
667 } else { \
668 /* this strcat is checked */ \
669 strcat(ptr, data); \
670 }
671
672/**
673 * MHD__asn1_read_value - Returns the value of one element inside a structure
674 * @root: pointer to a structure.
675 * @name: the name of the element inside a structure that you want to read.
676 * @ivalue: vector that will contain the element's content, must be a
677 * pointer to memory cells already allocated.
678 * @len: number of bytes of *value: value[0]..value[len-1]. Initialy
679 * holds the sizeof value.
680 *
681 * Returns the value of one element inside a structure.
682 *
683 * If an element is OPTIONAL and the function "read_value" returns
684 * %ASN1_ELEMENT_NOT_FOUND, it means that this element wasn't present
685 * in the der encoding that created the structure. The first element
686 * of a SEQUENCE_OF or SET_OF is named "?1". The second one "?2" and
687 * so on.
688 *
689 * INTEGER: VALUE will contain a two's complement form integer.
690 *
691 * integer=-1 -> value[0]=0xFF , len=1.
692 * integer=1 -> value[0]=0x01 , len=1.
693 *
694 * ENUMERATED: As INTEGER (but only with not negative numbers).
695 *
696 * BOOLEAN: VALUE will be the null terminated string "TRUE" or
697 * "FALSE" and LEN=5 or LEN=6.
698 *
699 * OBJECT IDENTIFIER: VALUE will be a null terminated string with
700 * each number separated by a dot (i.e. "1.2.3.543.1").
701 *
702 * LEN = strlen(VALUE)+1
703 *
704 * UTCTime: VALUE will be a null terminated string in one of these
705 * formats: "YYMMDDhhmmss+hh'mm'" or "YYMMDDhhmmss-hh'mm'".
706 * LEN=strlen(VALUE)+1.
707 *
708 * GeneralizedTime: VALUE will be a null terminated string in the
709 * same format used to set the value.
710 *
711 * OCTET STRING: VALUE will contain the octet string and LEN will be
712 * the number of octets.
713 *
714 * GeneralString: VALUE will contain the generalstring and LEN will
715 * be the number of octets.
716 *
717 * BIT STRING: VALUE will contain the bit string organized by bytes
718 * and LEN will be the number of bits.
719 *
720 * CHOICE: If NAME indicates a choice type, VALUE will specify the
721 * alternative selected.
722 *
723 * ANY: If NAME indicates an any type, VALUE will indicate the DER
724 * encoding of the structure actually used.
725 *
726 * Returns:
727 *
728 * ASN1_SUCCESS: Set value OK.
729 *
730 * ASN1_ELEMENT_NOT_FOUND: NAME is not a valid element.
731 *
732 * ASN1_VALUE_NOT_FOUND: There isn't any value for the element selected.
733 *
734 * ASN1_MEM_ERROR: The value vector isn't big enough to store the result.
735 * In this case LEN will contain the number of bytes needed.
736 *
737 **/
738MHD__asn1_retCode
739MHD__asn1_read_value (ASN1_TYPE root, const char *name, void *ivalue,
740 int *len)
741{
742 node_asn *node, *p, *p2;
743 int len2, len3;
744 int value_size = *len;
745 char *value = ivalue;
746
747 node = MHD__asn1_find_node (root, name);
748 if (node == NULL)
749 return ASN1_ELEMENT_NOT_FOUND;
750
751 if ((type_field (node->type) != TYPE_NULL) &&
752 (type_field (node->type) != TYPE_CHOICE) &&
753 !(node->type & CONST_DEFAULT) && !(node->type & CONST_ASSIGN) &&
754 (node->value == NULL))
755 return ASN1_VALUE_NOT_FOUND;
756
757 switch (type_field (node->type))
758 {
759 case TYPE_NULL:
760 PUT_STR_VALUE (value, value_size, "NULL");
761 break;
762 case TYPE_BOOLEAN:
763 if ((node->type & CONST_DEFAULT) && (node->value == NULL))
764 {
765 p = node->down;
766 while (type_field (p->type) != TYPE_DEFAULT)
767 p = p->right;
768 if (p->type & CONST_TRUE)
769 {
770 PUT_STR_VALUE (value, value_size, "TRUE");
771 }
772 else
773 {
774 PUT_STR_VALUE (value, value_size, "FALSE");
775 }
776 }
777 else if (node->value[0] == 'T')
778 {
779 PUT_STR_VALUE (value, value_size, "TRUE");
780 }
781 else
782 {
783 PUT_STR_VALUE (value, value_size, "FALSE");
784 }
785 break;
786 case TYPE_INTEGER:
787 case TYPE_ENUMERATED:
788 if ((node->type & CONST_DEFAULT) && (node->value == NULL))
789 {
790 p = node->down;
791 while (type_field (p->type) != TYPE_DEFAULT)
792 p = p->right;
793 if ((isdigit ( (unsigned char) p->value[0])) || (p->value[0] == '-')
794 || (p->value[0] == '+'))
795 {
796 if (MHD__asn1_convert_integer
797 ((const char *) p->value, (unsigned char *) value,
798 value_size, len) != ASN1_SUCCESS)
799 return ASN1_MEM_ERROR;
800 }
801 else
802 { /* is an identifier like v1 */
803 p2 = node->down;
804 while (p2)
805 {
806 if (type_field (p2->type) == TYPE_CONSTANT)
807 {
808 if ((p2->name)
809 && (!strcmp (p2->name, (const char *) p->value)))
810 {
811 if (MHD__asn1_convert_integer
812 ((const char *) p2->value,
813 (unsigned char *) value, value_size,
814 len) != ASN1_SUCCESS)
815 return ASN1_MEM_ERROR;
816 break;
817 }
818 }
819 p2 = p2->right;
820 }
821 }
822 }
823 else
824 {
825 len2 = -1;
826 if (MHD__asn1_get_octet_der
827 (node->value, node->value_len, &len2, (unsigned char *) value,
828 value_size, len) != ASN1_SUCCESS)
829 return ASN1_MEM_ERROR;
830 }
831 break;
832 case TYPE_OBJECT_ID:
833 if (node->type & CONST_ASSIGN)
834 {
835 value[0] = 0;
836 p = node->down;
837 while (p)
838 {
839 if (type_field (p->type) == TYPE_CONSTANT)
840 {
841 ADD_STR_VALUE (value, value_size, (const char *) p->value);
842 if (p->right)
843 {
844 ADD_STR_VALUE (value, value_size, ".");
845 }
846 }
847 p = p->right;
848 }
849 *len = strlen (value) + 1;
850 }
851 else if ((node->type & CONST_DEFAULT) && (node->value == NULL))
852 {
853 p = node->down;
854 while (type_field (p->type) != TYPE_DEFAULT)
855 p = p->right;
856 PUT_STR_VALUE (value, value_size, (const char *) p->value);
857 }
858 else
859 {
860 PUT_STR_VALUE (value, value_size, (const char *) node->value);
861 }
862 break;
863 case TYPE_TIME:
864 PUT_STR_VALUE (value, value_size, (const char *) node->value);
865 break;
866 case TYPE_OCTET_STRING:
867 len2 = -1;
868 if (MHD__asn1_get_octet_der
869 (node->value, node->value_len, &len2, (unsigned char *) value,
870 value_size, len) != ASN1_SUCCESS)
871 return ASN1_MEM_ERROR;
872 break;
873 case TYPE_GENERALSTRING:
874 len2 = -1;
875 if (MHD__asn1_get_octet_der
876 (node->value, node->value_len, &len2, (unsigned char *) value,
877 value_size, len) != ASN1_SUCCESS)
878 return ASN1_MEM_ERROR;
879 break;
880 case TYPE_BIT_STRING:
881 len2 = -1;
882 if (MHD__asn1_get_bit_der
883 (node->value, node->value_len, &len2, (unsigned char *) value,
884 value_size, len) != ASN1_SUCCESS)
885 return ASN1_MEM_ERROR;
886 break;
887 case TYPE_CHOICE:
888 PUT_STR_VALUE (value, value_size, node->down->name);
889 break;
890 case TYPE_ANY:
891 len3 = -1;
892 len2 = MHD__asn1_get_length_der (node->value, node->value_len, &len3);
893 if (len2 < 0)
894 return ASN1_DER_ERROR;
895 PUT_VALUE (value, value_size, node->value + len3, len2);
896 break;
897 default:
898 return ASN1_ELEMENT_NOT_FOUND;
899 break;
900 }
901 return ASN1_SUCCESS;
902}
diff --git a/src/daemon/https/minitasn1/element.h b/src/daemon/https/minitasn1/element.h
deleted file mode 100644
index e4484925..00000000
--- a/src/daemon/https/minitasn1/element.h
+++ /dev/null
@@ -1,14 +0,0 @@
1
2#ifndef _ELEMENT_H
3#define _ELEMENT_H
4
5
6MHD__asn1_retCode MHD__asn1_append_sequence_set (node_asn * node);
7
8MHD__asn1_retCode MHD__asn1_convert_integer (const char *value,
9 unsigned char *value_out,
10 int value_out_size, int *len);
11
12void MHD__asn1_hierarchical_name (node_asn * node, char *name, int name_size);
13
14#endif
diff --git a/src/daemon/https/minitasn1/gstr.c b/src/daemon/https/minitasn1/gstr.c
deleted file mode 100644
index 7068db51..00000000
--- a/src/daemon/https/minitasn1/gstr.c
+++ /dev/null
@@ -1,68 +0,0 @@
1/*
2 * Copyright (C) 2006 Free Software Foundation
3 * Copyright (C) 2002 Nikos Mavroyanopoulos
4 *
5 * This file is part of LIBTASN1.
6 *
7 * The LIBTASN1 library is free software; you can redistribute it
8 * and/or modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 * 02110-1301, USA
21 */
22
23#include <int.h>
24
25/* These function are like strcat, strcpy. They only
26 * do bounds checking (they shouldn't cause buffer overruns),
27 * and they always produce null terminated strings.
28 *
29 * They should be used only with null terminated strings.
30 */
31void
32MHD__asn1_str_cat (char *dest, size_t dest_tot_size, const char *src)
33{
34 size_t str_size = strlen (src);
35 size_t dest_size = strlen (dest);
36
37 if (dest_tot_size - dest_size > str_size)
38 {
39 strcat (dest, src);
40 }
41 else
42 {
43 if (dest_tot_size - dest_size > 0)
44 {
45 strncat (dest, src, (dest_tot_size - dest_size) - 1);
46 dest[dest_tot_size - 1] = 0;
47 }
48 }
49}
50
51void
52MHD__asn1_str_cpy (char *dest, size_t dest_tot_size, const char *src)
53{
54 size_t str_size = strlen (src);
55
56 if (dest_tot_size > str_size)
57 {
58 strcpy (dest, src);
59 }
60 else
61 {
62 if (dest_tot_size > 0)
63 {
64 strncpy (dest, src, (dest_tot_size) - 1);
65 dest[dest_tot_size - 1] = 0;
66 }
67 }
68}
diff --git a/src/daemon/https/minitasn1/gstr.h b/src/daemon/https/minitasn1/gstr.h
deleted file mode 100644
index e0cda357..00000000
--- a/src/daemon/https/minitasn1/gstr.h
+++ /dev/null
@@ -1,5 +0,0 @@
1void MHD__asn1_str_cpy (char *dest, size_t dest_tot_size, const char *src);
2void MHD__asn1_str_cat (char *dest, size_t dest_tot_size, const char *src);
3
4#define Estrcpy(x,y) MHD__asn1_str_cpy(x,MAX_ERROR_DESCRIPTION_SIZE,y)
5#define Estrcat(x,y) MHD__asn1_str_cat(x,MAX_ERROR_DESCRIPTION_SIZE,y)
diff --git a/src/daemon/https/minitasn1/int.h b/src/daemon/https/minitasn1/int.h
deleted file mode 100644
index a99fb6db..00000000
--- a/src/daemon/https/minitasn1/int.h
+++ /dev/null
@@ -1,112 +0,0 @@
1/*
2 * Copyright (C) 2004, 2006 Free Software Foundation, Inc.
3 * Copyright (C) 2002 Fabio Fiorina
4 *
5 * This file is part of LIBTASN1.
6 *
7 * The LIBTASN1 library is free software; you can redistribute it
8 * and/or modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 * 02110-1301, USA
21 */
22
23#ifndef INT_H
24#define INT_H
25
26#include <libtasn1.h>
27#include <defines.h>
28
29/*
30#define LIBTASN1_DEBUG
31#define LIBTASN1_DEBUG_PARSER
32#define LIBTASN1_DEBUG_INTEGER
33*/
34
35#include <mem.h>
36
37#define MAX_LOG_SIZE 1024 /* maximum number of characters of a log message */
38
39/* Define used for visiting trees. */
40#define UP 1
41#define RIGHT 2
42#define DOWN 3
43
44/****************************************/
45/* Returns the first 8 bits. */
46/* Used with the field type of node_asn */
47/****************************************/
48#define type_field(x) (x&0xFF)
49
50/* List of constants for field type of typedef node_asn */
51#define TYPE_CONSTANT 1
52#define TYPE_IDENTIFIER 2
53#define TYPE_INTEGER 3
54#define TYPE_BOOLEAN 4
55#define TYPE_SEQUENCE 5
56#define TYPE_BIT_STRING 6
57#define TYPE_OCTET_STRING 7
58#define TYPE_TAG 8
59#define TYPE_DEFAULT 9
60#define TYPE_SIZE 10
61#define TYPE_SEQUENCE_OF 11
62#define TYPE_OBJECT_ID 12
63#define TYPE_ANY 13
64#define TYPE_SET 14
65#define TYPE_SET_OF 15
66#define TYPE_DEFINITIONS 16
67#define TYPE_TIME 17
68#define TYPE_CHOICE 18
69#define TYPE_IMPORTS 19
70#define TYPE_NULL 20
71#define TYPE_ENUMERATED 21
72#define TYPE_GENERALSTRING 27
73
74
75/***********************************************************************/
76/* List of constants to better specify the type of typedef node_asn. */
77/***********************************************************************/
78/* Used with TYPE_TAG */
79#define CONST_UNIVERSAL (1<<8)
80#define CONST_PRIVATE (1<<9)
81#define CONST_APPLICATION (1<<10)
82#define CONST_EXPLICIT (1<<11)
83#define CONST_IMPLICIT (1<<12)
84
85#define CONST_TAG (1<<13) /* Used in ASN.1 assignement */
86#define CONST_OPTION (1<<14)
87#define CONST_DEFAULT (1<<15)
88#define CONST_TRUE (1<<16)
89#define CONST_FALSE (1<<17)
90
91#define CONST_LIST (1<<18) /* Used with TYPE_INTEGER and TYPE_BIT_STRING */
92#define CONST_MIN_MAX (1<<19)
93
94#define CONST_1_PARAM (1<<20)
95
96#define CONST_SIZE (1<<21)
97
98#define CONST_DEFINED_BY (1<<22)
99
100#define CONST_GENERALIZED (1<<23)
101#define CONST_UTC (1<<24)
102
103/* #define CONST_IMPORTS (1<<25) */
104
105#define CONST_NOT_USED (1<<26)
106#define CONST_SET (1<<27)
107#define CONST_ASSIGN (1<<28)
108
109#define CONST_DOWN (1<<29)
110#define CONST_RIGHT (1<<30)
111
112#endif /* INT_H */
diff --git a/src/daemon/https/minitasn1/libtasn1.h b/src/daemon/https/minitasn1/libtasn1.h
deleted file mode 100644
index f478d0b7..00000000
--- a/src/daemon/https/minitasn1/libtasn1.h
+++ /dev/null
@@ -1,216 +0,0 @@
1/*
2 * Copyright (C) 2004, 2005, 2006 Free Software Foundation
3 * Copyright (C) 2002 Fabio Fiorina
4 *
5 * This file is part of LIBTASN1.
6 *
7 * LIBTASN1 is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU Lesser General Public License as
9 * published by the Free Software Foundation; either version 2.1 of
10 * the License, or (at your option) any later version.
11 *
12 * LIBTASN1 is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with LIBTASN1; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 * 02110-1301, USA
21 *
22 */
23
24#ifndef LIBTASN1_H
25# define LIBTASN1_H
26
27#include <stdio.h> /* for FILE* */
28
29#ifdef __cplusplus
30extern "C"
31{
32#endif
33
34#define LIBTASN1_VERSION "1.2"
35
36#include <sys/types.h>
37#include <time.h>
38
39#define MAX_NAME_SIZE 128 /* maximum number of characters of a name */
40 /* inside a file with ASN1 definitons */
41#define MAX_ERROR_DESCRIPTION_SIZE 128 /* maximum number of characters */
42 /* of a description message */
43 /* (null character included) */
44
45
46 typedef int MHD__asn1_retCode; /* type returned by libtasn1 functions */
47
48 /*****************************************/
49 /* Errors returned by libtasn1 functions */
50 /*****************************************/
51#define ASN1_SUCCESS 0
52#define ASN1_FILE_NOT_FOUND 1
53#define ASN1_ELEMENT_NOT_FOUND 2
54#define ASN1_IDENTIFIER_NOT_FOUND 3
55#define ASN1_DER_ERROR 4
56#define ASN1_VALUE_NOT_FOUND 5
57#define ASN1_GENERIC_ERROR 6
58#define ASN1_VALUE_NOT_VALID 7
59#define ASN1_TAG_ERROR 8
60#define ASN1_TAG_IMPLICIT 9
61#define ASN1_ERROR_TYPE_ANY 10
62#define ASN1_SYNTAX_ERROR 11
63#define ASN1_MEM_ERROR 12
64#define ASN1_MEM_ALLOC_ERROR 13
65#define ASN1_DER_OVERFLOW 14
66#define ASN1_NAME_TOO_LONG 15
67#define ASN1_ARRAY_ERROR 16
68#define ASN1_ELEMENT_NOT_EMPTY 17
69
70/*************************************/
71/* Constants used in MHD__asn1_visit_tree */
72/*************************************/
73#define ASN1_PRINT_NAME 1
74#define ASN1_PRINT_NAME_TYPE 2
75#define ASN1_PRINT_NAME_TYPE_VALUE 3
76#define ASN1_PRINT_ALL 4
77
78/*****************************************/
79/* Constants returned by MHD__asn1_read_tag */
80/*****************************************/
81#define ASN1_CLASS_UNIVERSAL 0x00 /* old: 1 */
82#define ASN1_CLASS_APPLICATION 0x40 /* old: 2 */
83#define ASN1_CLASS_CONTEXT_SPECIFIC 0x80 /* old: 3 */
84#define ASN1_CLASS_PRIVATE 0xC0 /* old: 4 */
85#define ASN1_CLASS_STRUCTURED 0x20
86
87/*****************************************/
88/* Constants returned by MHD__asn1_read_tag */
89/*****************************************/
90#define ASN1_TAG_BOOLEAN 0x01
91#define ASN1_TAG_INTEGER 0x02
92#define ASN1_TAG_SEQUENCE 0x10
93#define ASN1_TAG_SET 0x11
94#define ASN1_TAG_OCTET_STRING 0x04
95#define ASN1_TAG_BIT_STRING 0x03
96#define ASN1_TAG_UTCTime 0x17
97#define ASN1_TAG_GENERALIZEDTime 0x18
98#define ASN1_TAG_OBJECT_ID 0x06
99#define ASN1_TAG_ENUMERATED 0x0A
100#define ASN1_TAG_NULL 0x05
101#define ASN1_TAG_GENERALSTRING 0x1B
102
103/******************************************************/
104/* Structure definition used for the node of the tree */
105/* that represent an ASN.1 DEFINITION. */
106/******************************************************/
107
108 struct node_asn_struct
109 {
110 char *name; /* Node name */
111 unsigned int type; /* Node type */
112 unsigned char *value; /* Node value */
113 int value_len;
114 struct node_asn_struct *down; /* Pointer to the son node */
115 struct node_asn_struct *right; /* Pointer to the brother node */
116 struct node_asn_struct *left; /* Pointer to the next list element */
117 };
118
119 typedef struct node_asn_struct node_asn;
120
121 typedef node_asn *ASN1_TYPE;
122
123#define ASN1_TYPE_EMPTY NULL
124
125 struct static_struct_asn
126 {
127 const char *name; /* Node name */
128 unsigned int type; /* Node type */
129 const void *value; /* Node value */
130 };
131
132 typedef struct static_struct_asn ASN1_ARRAY_TYPE;
133
134
135
136 /***********************************/
137 /* Functions definitions */
138 /***********************************/
139
140 MHD__asn1_retCode MHD__asn1_parser2tree (const char *file_name,
141 ASN1_TYPE * definitions,
142 char *errorDescription);
143
144 MHD__asn1_retCode MHD__asn1_parser2array (const char *inputFileName,
145 const char *outputFileName,
146 const char *vectorName,
147 char *errorDescription);
148
149 MHD__asn1_retCode MHD__asn1_array2tree (const ASN1_ARRAY_TYPE * array,
150 ASN1_TYPE * definitions,
151 char *errorDescription);
152
153 MHD__asn1_retCode MHD__asn1_create_element (ASN1_TYPE definitions,
154 const char *source_name,
155 ASN1_TYPE * element);
156
157 MHD__asn1_retCode MHD__asn1_delete_structure (ASN1_TYPE * structure);
158
159 MHD__asn1_retCode MHD__asn1_write_value (ASN1_TYPE node_root,
160 const char *name,
161 const void *ivalue, int len);
162
163 MHD__asn1_retCode MHD__asn1_read_value (ASN1_TYPE root, const char *name,
164 void *ivalue, int *len);
165
166 MHD__asn1_retCode MHD__asn1_der_coding (ASN1_TYPE element, const char *name,
167 void *ider, int *len,
168 char *ErrorDescription);
169
170 MHD__asn1_retCode MHD__asn1_der_decoding (ASN1_TYPE * element,
171 const void *ider, int len,
172 char *errorDescription);
173
174 MHD__asn1_retCode MHD__asn1_der_decoding_startEnd (ASN1_TYPE element,
175 const void *ider,
176 int len,
177 const char *name_element,
178 int *start, int *end);
179
180 /* DER utility functions. */
181
182 int MHD__asn1_get_tag_der (const unsigned char *der, int der_len,
183 unsigned char *cls, int *len,
184 unsigned long *tag);
185
186 void MHD__asn1_octet_der (const unsigned char *str, int str_len,
187 unsigned char *der, int *der_len);
188
189 MHD__asn1_retCode MHD__asn1_get_octet_der (const unsigned char *der,
190 int der_len, int *ret_len,
191 unsigned char *str, int str_size,
192 int *str_len);
193
194 void MHD__asn1_bit_der (const unsigned char *str, int bit_len,
195 unsigned char *der, int *der_len);
196
197 MHD__asn1_retCode MHD__asn1_get_bit_der (const unsigned char *der,
198 int der_len, int *ret_len,
199 unsigned char *str, int str_size,
200 int *bit_len);
201
202 signed long MHD__asn1_get_length_der (const unsigned char *der, int der_len,
203 int *len);
204
205 void MHD__asn1_length_der (unsigned long int len, unsigned char *ans,
206 int *ans_len);
207
208 /* Other utility functions. */
209
210 ASN1_TYPE MHD__asn1_find_node (ASN1_TYPE pointer, const char *name);
211
212#ifdef __cplusplus
213}
214#endif
215
216#endif /* LIBTASN1_H */
diff --git a/src/daemon/https/minitasn1/mem.h b/src/daemon/https/minitasn1/mem.h
deleted file mode 100644
index 76139df0..00000000
--- a/src/daemon/https/minitasn1/mem.h
+++ /dev/null
@@ -1,25 +0,0 @@
1#ifndef MEM_H
2# define MEM_H
3
4/* Use MHD__asn1_afree() when calling alloca, or
5 * memory leaks may occur in systems which do not
6 * support alloca.
7 */
8#ifdef HAVE_ALLOCA
9# ifdef HAVE_ALLOCA_H
10# include <alloca.h>
11# endif
12# define MHD__asn1_alloca alloca
13# define MHD__asn1_afree(x)
14#else
15# define MHD__asn1_alloca MHD__asn1_malloc
16# define MHD__asn1_afree MHD__asn1_free
17#endif /* HAVE_ALLOCA */
18
19#define MHD__asn1_malloc malloc
20#define MHD__asn1_free free
21#define MHD__asn1_calloc calloc
22#define MHD__asn1_realloc realloc
23#define MHD__asn1_strdup strdup
24
25#endif /* MEM_H */
diff --git a/src/daemon/https/minitasn1/parser_aux.c b/src/daemon/https/minitasn1/parser_aux.c
deleted file mode 100644
index 0643ff4c..00000000
--- a/src/daemon/https/minitasn1/parser_aux.c
+++ /dev/null
@@ -1,774 +0,0 @@
1/*
2 * Copyright (C) 2004, 2006, 2007 Free Software Foundation
3 * Copyright (C) 2000,2001 Fabio Fiorina
4 *
5 * This file is part of LIBTASN1.
6 *
7 * The LIBTASN1 library is free software; you can redistribute it
8 * and/or modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 * 02110-1301, USA
21 */
22
23#include <int.h>
24#include "parser_aux.h"
25#include "gstr.h"
26#include "structure.h"
27#include "element.h"
28
29
30
31char MHD__asn1_identifierMissing[MAX_NAME_SIZE + 1]; /* identifier name not found */
32
33/***********************************************/
34/* Type: list_type */
35/* Description: type used in the list during */
36/* the structure creation. */
37/***********************************************/
38typedef struct list_struct
39{
40 node_asn *node;
41 struct list_struct *next;
42} list_type;
43
44
45/* Pointer to the first element of the list */
46list_type *MHD_firstElement = NULL;
47
48/******************************************************/
49/* Function : MHD__asn1_add_node */
50/* Description: creates a new NODE_ASN element and */
51/* puts it in the list pointed by MHD_firstElement. */
52/* Parameters: */
53/* type: type of the new element (see TYPE_ */
54/* and CONST_ constants). */
55/* Return: pointer to the new element. */
56/******************************************************/
57node_asn *
58MHD__asn1_add_node (unsigned int type)
59{
60 list_type *listElement;
61 node_asn *punt;
62
63 punt = (node_asn *) MHD__asn1_calloc (1, sizeof (node_asn));
64 if (punt == NULL)
65 return NULL;
66
67 listElement = (list_type *) MHD__asn1_malloc (sizeof (list_type));
68 if (listElement == NULL)
69 {
70 MHD__asn1_free (punt);
71 return NULL;
72 }
73
74 listElement->node = punt;
75 listElement->next = MHD_firstElement;
76 MHD_firstElement = listElement;
77
78 punt->type = type;
79
80 return punt;
81}
82
83/**
84 * MHD__asn1_find_node:
85 * @pointer: NODE_ASN element pointer.
86 * @name: null terminated string with the element's name to find.
87 *
88 * Searches for an element called NAME starting from POINTER. The
89 * name is composed by differents identifiers separated by dots. When
90 * *POINTER has a name, the first identifier must be the name of
91 * *POINTER, otherwise it must be the name of one child of *POINTER.
92 *
93 * Return value: the searching result. NULL if not found.
94 **/
95ASN1_TYPE
96MHD__asn1_find_node (ASN1_TYPE pointer, const char *name)
97{
98 node_asn *p;
99 char *n_end, n[MAX_NAME_SIZE + 1];
100 const char *n_start;
101
102 if (pointer == NULL)
103 return NULL;
104
105 if (name == NULL)
106 return NULL;
107
108 p = pointer;
109 n_start = name;
110
111 if (p->name != NULL)
112 { /* has *pointer got a name ? */
113 n_end = strchr (n_start, '.'); /* search the first dot */
114 if (n_end)
115 {
116 memcpy (n, n_start, n_end - n_start);
117 n[n_end - n_start] = 0;
118 n_start = n_end;
119 n_start++;
120 }
121 else
122 {
123 MHD__asn1_str_cpy (n, sizeof (n), n_start);
124 n_start = NULL;
125 }
126
127 while (p)
128 {
129 if ((p->name) && (!strcmp (p->name, n)))
130 break;
131 else
132 p = p->right;
133 } /* while */
134
135 if (p == NULL)
136 return NULL;
137 }
138 else
139 { /* *pointer doesn't have a name */
140 if (n_start[0] == 0)
141 return p;
142 }
143
144 while (n_start)
145 { /* Has the end of NAME been reached? */
146 n_end = strchr (n_start, '.'); /* search the next dot */
147 if (n_end)
148 {
149 memcpy (n, n_start, n_end - n_start);
150 n[n_end - n_start] = 0;
151 n_start = n_end;
152 n_start++;
153 }
154 else
155 {
156 MHD__asn1_str_cpy (n, sizeof (n), n_start);
157 n_start = NULL;
158 }
159
160 if (p->down == NULL)
161 return NULL;
162
163 p = p->down;
164
165 /* The identifier "?LAST" indicates the last element
166 in the right chain. */
167 if (!strcmp (n, "?LAST"))
168 {
169 if (p == NULL)
170 return NULL;
171 while (p->right)
172 p = p->right;
173 }
174 else
175 { /* no "?LAST" */
176 while (p)
177 {
178 if ((p->name) && (!strcmp (p->name, n)))
179 break;
180 else
181 p = p->right;
182 }
183 if (p == NULL)
184 return NULL;
185 }
186 } /* while */
187
188 return p;
189}
190
191
192/******************************************************************/
193/* Function : MHD__asn1_set_value */
194/* Description: sets the field VALUE in a NODE_ASN element. The */
195/* previous value (if exist) will be lost */
196/* Parameters: */
197/* node: element pointer. */
198/* value: pointer to the value that you want to set. */
199/* len: character number of value. */
200/* Return: pointer to the NODE_ASN element. */
201/******************************************************************/
202node_asn *
203MHD__asn1_set_value (node_asn * node, const void *_value, unsigned int len)
204{
205 const unsigned char *value = _value;
206
207 if (node == NULL)
208 return node;
209 if (node->value)
210 {
211 MHD__asn1_free (node->value);
212 node->value = NULL;
213 node->value_len = 0;
214 }
215 if (!len)
216 return node;
217 node->value = (unsigned char *) MHD__asn1_malloc (len);
218 if (node->value == NULL)
219 return NULL;
220 node->value_len = len;
221
222 memcpy (node->value, value, len);
223 return node;
224}
225
226/******************************************************************/
227/* Function : MHD__asn1_set_name */
228/* Description: sets the field NAME in a NODE_ASN element. The */
229/* previous value (if exist) will be lost */
230/* Parameters: */
231/* node: element pointer. */
232/* name: a null terminated string with the name that you want */
233/* to set. */
234/* Return: pointer to the NODE_ASN element. */
235/******************************************************************/
236node_asn *
237MHD__asn1_set_name (node_asn * node, const char *name)
238{
239 if (node == NULL)
240 return node;
241
242 if (node->name)
243 {
244 MHD__asn1_free (node->name);
245 node->name = NULL;
246 }
247
248 if (name == NULL)
249 return node;
250
251 if (strlen (name))
252 {
253 node->name = (char *) MHD__asn1_strdup (name);
254 if (node->name == NULL)
255 return NULL;
256 }
257 else
258 node->name = NULL;
259 return node;
260}
261
262/******************************************************************/
263/* Function : MHD__asn1_set_right */
264/* Description: sets the field RIGHT in a NODE_ASN element. */
265/* Parameters: */
266/* node: element pointer. */
267/* right: pointer to a NODE_ASN element that you want be pointed*/
268/* by NODE. */
269/* Return: pointer to *NODE. */
270/******************************************************************/
271node_asn *
272MHD__asn1_set_right (node_asn * node, node_asn * right)
273{
274 if (node == NULL)
275 return node;
276 node->right = right;
277 if (right)
278 right->left = node;
279 return node;
280}
281
282/******************************************************************/
283/* Function : MHD__asn1_set_down */
284/* Description: sets the field DOWN in a NODE_ASN element. */
285/* Parameters: */
286/* node: element pointer. */
287/* down: pointer to a NODE_ASN element that you want be pointed */
288/* by NODE. */
289/* Return: pointer to *NODE. */
290/******************************************************************/
291node_asn *
292MHD__asn1_set_down (node_asn * node, node_asn * down)
293{
294 if (node == NULL)
295 return node;
296 node->down = down;
297 if (down)
298 down->left = node;
299 return node;
300}
301
302/******************************************************************/
303/* Function : MHD__asn1_remove_node */
304/* Description: gets free the memory allocated for an NODE_ASN */
305/* element (not the elements pointed by it). */
306/* Parameters: */
307/* node: NODE_ASN element pointer. */
308/******************************************************************/
309void
310MHD__asn1_remove_node (node_asn * node)
311{
312 if (node == NULL)
313 return;
314
315 if (node->name != NULL)
316 MHD__asn1_free (node->name);
317 if (node->value != NULL)
318 MHD__asn1_free (node->value);
319 MHD__asn1_free (node);
320}
321
322/******************************************************************/
323/* Function : MHD__asn1_find_up */
324/* Description: return the father of the NODE_ASN element. */
325/* Parameters: */
326/* node: NODE_ASN element pointer. */
327/* Return: Null if not found. */
328/******************************************************************/
329node_asn *
330MHD__asn1_find_up (node_asn * node)
331{
332 node_asn *p;
333
334 if (node == NULL)
335 return NULL;
336
337 p = node;
338
339 while ((p->left != NULL) && (p->left->right == p))
340 p = p->left;
341
342 return p->left;
343}
344
345/******************************************************************/
346/* Function : MHD__asn1_delete_list */
347/* Description: deletes the list elements (not the elements */
348/* pointed by them). */
349/******************************************************************/
350void
351MHD__asn1_delete_list (void)
352{
353 list_type *listElement;
354
355 while (MHD_firstElement)
356 {
357 listElement = MHD_firstElement;
358 MHD_firstElement = MHD_firstElement->next;
359 MHD__asn1_free (listElement);
360 }
361}
362
363/******************************************************************/
364/* Function : MHD__asn1_delete_list_and nodes */
365/* Description: deletes the list elements and the elements */
366/* pointed by them. */
367/******************************************************************/
368void
369MHD__asn1_delete_list_and_nodes (void)
370{
371 list_type *listElement;
372
373 while (MHD_firstElement)
374 {
375 listElement = MHD_firstElement;
376 MHD_firstElement = MHD_firstElement->next;
377 MHD__asn1_remove_node (listElement->node);
378 MHD__asn1_free (listElement);
379 }
380}
381
382
383char *
384MHD__asn1_ltostr (long v, char *str)
385{
386 long d, r;
387 char temp[20];
388 int count, k, start;
389
390 if (v < 0)
391 {
392 str[0] = '-';
393 start = 1;
394 v = -v;
395 }
396 else
397 start = 0;
398
399 count = 0;
400 do
401 {
402 d = v / 10;
403 r = v - d * 10;
404 temp[start + count] = '0' + (char) r;
405 count++;
406 v = d;
407 }
408 while (v);
409
410 for (k = 0; k < count; k++)
411 str[k + start] = temp[start + count - k - 1];
412 str[count + start] = 0;
413 return str;
414}
415
416
417/******************************************************************/
418/* Function : MHD__asn1_change_integer_value */
419/* Description: converts into DER coding the value assign to an */
420/* INTEGER constant. */
421/* Parameters: */
422/* node: root of an ASN1element. */
423/* Return: */
424/* ASN1_ELEMENT_NOT_FOUND if NODE is NULL, */
425/* otherwise ASN1_SUCCESS */
426/******************************************************************/
427MHD__asn1_retCode
428MHD__asn1_change_integer_value (ASN1_TYPE node)
429{
430 node_asn *p;
431 unsigned char val[SIZEOF_UNSIGNED_LONG_INT];
432 unsigned char val2[SIZEOF_UNSIGNED_LONG_INT + 1];
433 int len;
434
435 if (node == NULL)
436 return ASN1_ELEMENT_NOT_FOUND;
437
438 p = node;
439 while (p)
440 {
441 if ((type_field (p->type) == TYPE_INTEGER) && (p->type & CONST_ASSIGN))
442 {
443 if (p->value)
444 {
445 MHD__asn1_convert_integer ((const char *) p->value, val,
446 sizeof (val), &len);
447 MHD__asn1_octet_der (val, len, val2, &len);
448 MHD__asn1_set_value (p, val2, len);
449 }
450 }
451
452 if (p->down)
453 {
454 p = p->down;
455 }
456 else
457 {
458 if (p == node)
459 p = NULL;
460 else if (p->right)
461 p = p->right;
462 else
463 {
464 while (1)
465 {
466 p = MHD__asn1_find_up (p);
467 if (p == node)
468 {
469 p = NULL;
470 break;
471 }
472 if (p->right)
473 {
474 p = p->right;
475 break;
476 }
477 }
478 }
479 }
480 }
481
482 return ASN1_SUCCESS;
483}
484
485
486/******************************************************************/
487/* Function : MHD__asn1_expand_object_id */
488/* Description: expand the IDs of an OBJECT IDENTIFIER constant. */
489/* Parameters: */
490/* node: root of an ASN1 element. */
491/* Return: */
492/* ASN1_ELEMENT_NOT_FOUND if NODE is NULL, */
493/* otherwise ASN1_SUCCESS */
494/******************************************************************/
495MHD__asn1_retCode
496MHD__asn1_expand_object_id (ASN1_TYPE node)
497{
498 node_asn *p, *p2, *p3, *p4, *p5;
499 char name_root[MAX_NAME_SIZE], name2[2 * MAX_NAME_SIZE + 1];
500 int move, tlen;
501
502 if (node == NULL)
503 return ASN1_ELEMENT_NOT_FOUND;
504
505 MHD__asn1_str_cpy (name_root, sizeof (name_root), node->name);
506
507 p = node;
508 move = DOWN;
509
510 while (!((p == node) && (move == UP)))
511 {
512 if (move != UP)
513 {
514 if ((type_field (p->type) == TYPE_OBJECT_ID)
515 && (p->type & CONST_ASSIGN))
516 {
517 p2 = p->down;
518 if (p2 && (type_field (p2->type) == TYPE_CONSTANT))
519 {
520 if (p2->value && !isdigit (p2->value[0]))
521 {
522 MHD__asn1_str_cpy (name2, sizeof (name2), name_root);
523 MHD__asn1_str_cat (name2, sizeof (name2), ".");
524 MHD__asn1_str_cat (name2, sizeof (name2),
525 (const char *) p2->value);
526 p3 = MHD__asn1_find_node (node, name2);
527 if (!p3 || (type_field (p3->type) != TYPE_OBJECT_ID) ||
528 !(p3->type & CONST_ASSIGN))
529 return ASN1_ELEMENT_NOT_FOUND;
530 MHD__asn1_set_down (p, p2->right);
531 MHD__asn1_remove_node (p2);
532 p2 = p;
533 p4 = p3->down;
534 while (p4)
535 {
536 if (type_field (p4->type) == TYPE_CONSTANT)
537 {
538 p5 = MHD__asn1_add_node_only (TYPE_CONSTANT);
539 MHD__asn1_set_name (p5, p4->name);
540 tlen = strlen ((const char *) p4->value);
541 if (tlen > 0)
542 MHD__asn1_set_value (p5, p4->value, tlen + 1);
543 if (p2 == p)
544 {
545 MHD__asn1_set_right (p5, p->down);
546 MHD__asn1_set_down (p, p5);
547 }
548 else
549 {
550 MHD__asn1_set_right (p5, p2->right);
551 MHD__asn1_set_right (p2, p5);
552 }
553 p2 = p5;
554 }
555 p4 = p4->right;
556 }
557 move = DOWN;
558 continue;
559 }
560 }
561 }
562 move = DOWN;
563 }
564 else
565 move = RIGHT;
566
567 if (move == DOWN)
568 {
569 if (p->down)
570 p = p->down;
571 else
572 move = RIGHT;
573 }
574
575 if (p == node)
576 {
577 move = UP;
578 continue;
579 }
580
581 if (move == RIGHT)
582 {
583 if (p->right)
584 p = p->right;
585 else
586 move = UP;
587 }
588 if (move == UP)
589 p = MHD__asn1_find_up (p);
590 }
591
592
593 /*******************************/
594 /* expand DEFAULT */
595 /*******************************/
596 p = node;
597 move = DOWN;
598
599 while (!((p == node) && (move == UP)))
600 {
601 if (move != UP)
602 {
603 if ((type_field (p->type) == TYPE_OBJECT_ID) &&
604 (p->type & CONST_DEFAULT))
605 {
606 p2 = p->down;
607 if (p2 && (type_field (p2->type) == TYPE_DEFAULT))
608 {
609 MHD__asn1_str_cpy (name2, sizeof (name2), name_root);
610 MHD__asn1_str_cat (name2, sizeof (name2), ".");
611 MHD__asn1_str_cat (name2, sizeof (name2),
612 (const char *) p2->value);
613 p3 = MHD__asn1_find_node (node, name2);
614 if (!p3 || (type_field (p3->type) != TYPE_OBJECT_ID) ||
615 !(p3->type & CONST_ASSIGN))
616 return ASN1_ELEMENT_NOT_FOUND;
617 p4 = p3->down;
618 name2[0] = 0;
619 while (p4)
620 {
621 if (type_field (p4->type) == TYPE_CONSTANT)
622 {
623 if (name2[0])
624 MHD__asn1_str_cat (name2, sizeof (name2), ".");
625 MHD__asn1_str_cat (name2, sizeof (name2),
626 (const char *) p4->value);
627 }
628 p4 = p4->right;
629 }
630 tlen = strlen (name2);
631 if (tlen > 0)
632 MHD__asn1_set_value (p2, name2, tlen + 1);
633 }
634 }
635 move = DOWN;
636 }
637 else
638 move = RIGHT;
639
640 if (move == DOWN)
641 {
642 if (p->down)
643 p = p->down;
644 else
645 move = RIGHT;
646 }
647
648 if (p == node)
649 {
650 move = UP;
651 continue;
652 }
653
654 if (move == RIGHT)
655 {
656 if (p->right)
657 p = p->right;
658 else
659 move = UP;
660 }
661 if (move == UP)
662 p = MHD__asn1_find_up (p);
663 }
664
665 return ASN1_SUCCESS;
666}
667
668/******************************************************************/
669/* Function : MHD__asn1_check_identifier */
670/* Description: checks the definitions of all the identifiers */
671/* and the first element of an OBJECT_ID (e.g. {pkix 0 4}). */
672/* The MHD__asn1_identifierMissing global variable is filled if */
673/* necessary. */
674/* Parameters: */
675/* node: root of an ASN1 element. */
676/* Return: */
677/* ASN1_ELEMENT_NOT_FOUND if NODE is NULL, */
678/* ASN1_IDENTIFIER_NOT_FOUND if an identifier is not defined, */
679/* otherwise ASN1_SUCCESS */
680/******************************************************************/
681MHD__asn1_retCode
682MHD__asn1_check_identifier (ASN1_TYPE node)
683{
684 node_asn *p, *p2;
685 char name2[MAX_NAME_SIZE * 2 + 2];
686
687 if (node == NULL)
688 return ASN1_ELEMENT_NOT_FOUND;
689
690 p = node;
691 while (p)
692 {
693 if (type_field (p->type) == TYPE_IDENTIFIER)
694 {
695 MHD__asn1_str_cpy (name2, sizeof (name2), node->name);
696 MHD__asn1_str_cat (name2, sizeof (name2), ".");
697 MHD__asn1_str_cat (name2, sizeof (name2), (const char *) p->value);
698 p2 = MHD__asn1_find_node (node, name2);
699 if (p2 == NULL)
700 {
701 strcpy (MHD__asn1_identifierMissing, (const char *) p->value);
702 return ASN1_IDENTIFIER_NOT_FOUND;
703 }
704 }
705 else if ((type_field (p->type) == TYPE_OBJECT_ID) &&
706 (p->type & CONST_DEFAULT))
707 {
708 p2 = p->down;
709 if (p2 && (type_field (p2->type) == TYPE_DEFAULT))
710 {
711 MHD__asn1_str_cpy (name2, sizeof (name2), node->name);
712 MHD__asn1_str_cat (name2, sizeof (name2), ".");
713 MHD__asn1_str_cat (name2, sizeof (name2),
714 (const char *) p2->value);
715 strcpy (MHD__asn1_identifierMissing, (const char *) p2->value);
716 p2 = MHD__asn1_find_node (node, name2);
717 if (!p2 || (type_field (p2->type) != TYPE_OBJECT_ID) ||
718 !(p2->type & CONST_ASSIGN))
719 return ASN1_IDENTIFIER_NOT_FOUND;
720 else
721 MHD__asn1_identifierMissing[0] = 0;
722 }
723 }
724 else if ((type_field (p->type) == TYPE_OBJECT_ID) &&
725 (p->type & CONST_ASSIGN))
726 {
727 p2 = p->down;
728 if (p2 && (type_field (p2->type) == TYPE_CONSTANT))
729 {
730 if (p2->value && !isdigit (p2->value[0]))
731 {
732 MHD__asn1_str_cpy (name2, sizeof (name2), node->name);
733 MHD__asn1_str_cat (name2, sizeof (name2), ".");
734 MHD__asn1_str_cat (name2, sizeof (name2),
735 (const char *) p2->value);
736 strcpy (MHD__asn1_identifierMissing,
737 (const char *) p2->value);
738 p2 = MHD__asn1_find_node (node, name2);
739 if (!p2 || (type_field (p2->type) != TYPE_OBJECT_ID) ||
740 !(p2->type & CONST_ASSIGN))
741 return ASN1_IDENTIFIER_NOT_FOUND;
742 else
743 MHD__asn1_identifierMissing[0] = 0;
744 }
745 }
746 }
747
748 if (p->down)
749 {
750 p = p->down;
751 }
752 else if (p->right)
753 p = p->right;
754 else
755 {
756 while (1)
757 {
758 p = MHD__asn1_find_up (p);
759 if (p == node)
760 {
761 p = NULL;
762 break;
763 }
764 if (p->right)
765 {
766 p = p->right;
767 break;
768 }
769 }
770 }
771 }
772
773 return ASN1_SUCCESS;
774}
diff --git a/src/daemon/https/minitasn1/parser_aux.h b/src/daemon/https/minitasn1/parser_aux.h
deleted file mode 100644
index 4437fb19..00000000
--- a/src/daemon/https/minitasn1/parser_aux.h
+++ /dev/null
@@ -1,37 +0,0 @@
1
2#ifndef _PARSER_AUX_H
3#define _PARSER_AUX_H
4
5
6/***************************************/
7/* Functions used by ASN.1 parser */
8/***************************************/
9node_asn *MHD__asn1_add_node (unsigned int type);
10
11node_asn *MHD__asn1_set_value (node_asn * node, const void *value,
12 unsigned int len);
13
14node_asn *MHD__asn1_set_name (node_asn * node, const char *name);
15
16node_asn *MHD__asn1_set_right (node_asn * node, node_asn * right);
17
18node_asn *MHD__asn1_set_down (node_asn * node, node_asn * down);
19
20void MHD__asn1_remove_node (node_asn * node);
21
22void MHD__asn1_delete_list (void);
23
24void MHD__asn1_delete_list_and_nodes (void);
25
26char *MHD__asn1_ltostr (long v, char *str);
27
28node_asn *MHD__asn1_find_up (node_asn * node);
29
30MHD__asn1_retCode MHD__asn1_change_integer_value (ASN1_TYPE node);
31
32MHD__asn1_retCode MHD__asn1_expand_object_id (ASN1_TYPE node);
33
34MHD__asn1_retCode MHD__asn1_check_identifier (ASN1_TYPE node);
35
36
37#endif
diff --git a/src/daemon/https/minitasn1/structure.c b/src/daemon/https/minitasn1/structure.c
deleted file mode 100644
index fdaeea47..00000000
--- a/src/daemon/https/minitasn1/structure.c
+++ /dev/null
@@ -1,585 +0,0 @@
1/*
2 * Copyright (C) 2004, 2006, 2007 Free Software Foundation
3 * Copyright (C) 2002 Fabio Fiorina
4 *
5 * This file is part of LIBTASN1.
6 *
7 * The LIBTASN1 library is free software; you can redistribute it
8 * and/or modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 * 02110-1301, USA
21 */
22
23
24/*****************************************************/
25/* File: structure.c */
26/* Description: Functions to create and delete an */
27/* ASN1 tree. */
28/*****************************************************/
29
30
31#include <int.h>
32#include <structure.h>
33#include "parser_aux.h"
34#include <gstr.h>
35
36
37extern char MHD__asn1_identifierMissing[];
38
39static node_asn *MHD__asn1_copy_structure2 (node_asn * root,
40 const char *source_name);
41
42
43
44/******************************************************/
45/* Function : MHD__asn1_add_node_only */
46/* Description: creates a new NODE_ASN element. */
47/* Parameters: */
48/* type: type of the new element (see TYPE_ */
49/* and CONST_ constants). */
50/* Return: pointer to the new element. */
51/******************************************************/
52node_asn *
53MHD__asn1_add_node_only (unsigned int type)
54{
55 node_asn *punt;
56
57 punt = (node_asn *) MHD__asn1_calloc (1, sizeof (node_asn));
58 if (punt == NULL)
59 return NULL;
60
61 punt->type = type;
62
63 return punt;
64}
65
66
67/******************************************************************/
68/* Function : MHD__asn1_find_left */
69/* Description: returns the NODE_ASN element with RIGHT field that*/
70/* points the element NODE. */
71/* Parameters: */
72/* node: NODE_ASN element pointer. */
73/* Return: NULL if not found. */
74/******************************************************************/
75node_asn *
76MHD__asn1_find_left (node_asn * node)
77{
78 if ((node == NULL) || (node->left == NULL) || (node->left->down == node))
79 return NULL;
80
81 return node->left;
82}
83
84
85
86/**
87 * MHD__asn1_array2tree - Creates the structures needed to manage the ASN1 definitions.
88 * @array: specify the array that contains ASN.1 declarations
89 * @definitions: return the pointer to the structure created by
90 * *ARRAY ASN.1 declarations
91 * @errorDescription: return the error description.
92 *
93 * Creates the structures needed to manage the ASN.1 definitions.
94 * @array is a vector created by MHD__asn1_parser2array().
95 *
96 * Returns:
97 *
98 * ASN1_SUCCESS: Structure created correctly.
99 *
100 * ASN1_ELEMENT_NOT_EMPTY: *@definitions not ASN1_TYPE_EMPTY.
101 *
102 * ASN1_IDENTIFIER_NOT_FOUND: In the file there is an identifier that
103 * is not defined (see @errorDescription for more information).
104 *
105 * ASN1_ARRAY_ERROR: The array pointed by @array is wrong.
106 **/
107MHD__asn1_retCode
108MHD__asn1_array2tree (const ASN1_ARRAY_TYPE * array, ASN1_TYPE * definitions,
109 char *errorDescription)
110{
111 node_asn *p, *p_last = NULL;
112 unsigned long k;
113 int move;
114 MHD__asn1_retCode result;
115
116
117 if (*definitions != ASN1_TYPE_EMPTY)
118 return ASN1_ELEMENT_NOT_EMPTY;
119
120 move = UP;
121
122 k = 0;
123 while (array[k].value || array[k].type || array[k].name)
124 {
125 p = MHD__asn1_add_node (array[k].type & (~CONST_DOWN));
126 if (array[k].name)
127 MHD__asn1_set_name (p, array[k].name);
128 if (array[k].value)
129 MHD__asn1_set_value (p, array[k].value, strlen (array[k].value) + 1);
130
131 if (*definitions == NULL)
132 *definitions = p;
133
134 if (move == DOWN)
135 MHD__asn1_set_down (p_last, p);
136 else if (move == RIGHT)
137 MHD__asn1_set_right (p_last, p);
138
139 p_last = p;
140
141 if (array[k].type & CONST_DOWN)
142 move = DOWN;
143 else if (array[k].type & CONST_RIGHT)
144 move = RIGHT;
145 else
146 {
147 while (1)
148 {
149 if (p_last == *definitions)
150 break;
151
152 p_last = MHD__asn1_find_up (p_last);
153
154 if (p_last == NULL)
155 break;
156
157 if (p_last->type & CONST_RIGHT)
158 {
159 p_last->type &= ~CONST_RIGHT;
160 move = RIGHT;
161 break;
162 }
163 } /* while */
164 }
165 k++;
166 } /* while */
167
168 if (p_last == *definitions)
169 {
170 result = MHD__asn1_check_identifier (*definitions);
171 if (result == ASN1_SUCCESS)
172 {
173 MHD__asn1_change_integer_value (*definitions);
174 MHD__asn1_expand_object_id (*definitions);
175 }
176 }
177 else
178 {
179 result = ASN1_ARRAY_ERROR;
180 }
181
182 if (errorDescription != NULL)
183 {
184 if (result == ASN1_IDENTIFIER_NOT_FOUND)
185 {
186 Estrcpy (errorDescription, ":: identifier '");
187 Estrcat (errorDescription, MHD__asn1_identifierMissing);
188 Estrcat (errorDescription, "' not found");
189 }
190 else
191 errorDescription[0] = 0;
192 }
193
194 if (result != ASN1_SUCCESS)
195 {
196 MHD__asn1_delete_list_and_nodes ();
197 *definitions = ASN1_TYPE_EMPTY;
198 }
199 else
200 MHD__asn1_delete_list ();
201
202 return result;
203}
204
205/**
206 * MHD__asn1_delete_structure - Deletes the structure pointed by *ROOT.
207 * @structure: pointer to the structure that you want to delete.
208 *
209 * Deletes the structure *@structure. At the end, *@structure is set
210 * to ASN1_TYPE_EMPTY.
211 *
212 * Returns:
213 *
214 * ASN1_SUCCESS: Everything OK.
215 *
216 * ASN1_ELEMENT_NOT_FOUND: *@structure was ASN1_TYPE_EMPTY.
217 *
218 **/
219MHD__asn1_retCode
220MHD__asn1_delete_structure (ASN1_TYPE * structure)
221{
222 node_asn *p, *p2, *p3;
223
224 if (*structure == ASN1_TYPE_EMPTY)
225 return ASN1_ELEMENT_NOT_FOUND;
226
227 p = *structure;
228 while (p)
229 {
230 if (p->down)
231 {
232 p = p->down;
233 }
234 else
235 { /* no down */
236 p2 = p->right;
237 if (p != *structure)
238 {
239 p3 = MHD__asn1_find_up (p);
240 MHD__asn1_set_down (p3, p2);
241 MHD__asn1_remove_node (p);
242 p = p3;
243 }
244 else
245 { /* p==root */
246 p3 = MHD__asn1_find_left (p);
247 if (!p3)
248 {
249 p3 = MHD__asn1_find_up (p);
250 if (p3)
251 MHD__asn1_set_down (p3, p2);
252 else
253 {
254 if (p->right)
255 p->right->left = NULL;
256 }
257 }
258 else
259 MHD__asn1_set_right (p3, p2);
260 MHD__asn1_remove_node (p);
261 p = NULL;
262 }
263 }
264 }
265
266 *structure = ASN1_TYPE_EMPTY;
267 return ASN1_SUCCESS;
268}
269
270node_asn *
271MHD__asn1_copy_structure3 (node_asn * source_node)
272{
273 node_asn *dest_node, *p_s, *p_d, *p_d_prev;
274 int move;
275
276 if (source_node == NULL)
277 return NULL;
278
279 dest_node = MHD__asn1_add_node_only (source_node->type);
280
281 p_s = source_node;
282 p_d = dest_node;
283
284 move = DOWN;
285
286 do
287 {
288 if (move != UP)
289 {
290 if (p_s->name)
291 MHD__asn1_set_name (p_d, p_s->name);
292 if (p_s->value)
293 MHD__asn1_set_value (p_d, p_s->value, p_s->value_len);
294 move = DOWN;
295 }
296 else
297 move = RIGHT;
298
299 if (move == DOWN)
300 {
301 if (p_s->down)
302 {
303 p_s = p_s->down;
304 p_d_prev = p_d;
305 p_d = MHD__asn1_add_node_only (p_s->type);
306 MHD__asn1_set_down (p_d_prev, p_d);
307 }
308 else
309 move = RIGHT;
310 }
311
312 if (p_s == source_node)
313 break;
314
315 if (move == RIGHT)
316 {
317 if (p_s->right)
318 {
319 p_s = p_s->right;
320 p_d_prev = p_d;
321 p_d = MHD__asn1_add_node_only (p_s->type);
322 MHD__asn1_set_right (p_d_prev, p_d);
323 }
324 else
325 move = UP;
326 }
327 if (move == UP)
328 {
329 p_s = MHD__asn1_find_up (p_s);
330 p_d = MHD__asn1_find_up (p_d);
331 }
332 }
333 while (p_s != source_node);
334
335 return dest_node;
336}
337
338
339static node_asn *
340MHD__asn1_copy_structure2 (node_asn * root, const char *source_name)
341{
342 node_asn *source_node;
343
344 source_node = MHD__asn1_find_node (root, source_name);
345
346 return MHD__asn1_copy_structure3 (source_node);
347
348}
349
350
351static MHD__asn1_retCode
352MHD__asn1_type_choice_config (node_asn * node)
353{
354 node_asn *p, *p2, *p3, *p4;
355 int move, tlen;
356
357 if (node == NULL)
358 return ASN1_ELEMENT_NOT_FOUND;
359
360 p = node;
361 move = DOWN;
362
363 while (!((p == node) && (move == UP)))
364 {
365 if (move != UP)
366 {
367 if ((type_field (p->type) == TYPE_CHOICE) && (p->type & CONST_TAG))
368 {
369 p2 = p->down;
370 while (p2)
371 {
372 if (type_field (p2->type) != TYPE_TAG)
373 {
374 p2->type |= CONST_TAG;
375 p3 = MHD__asn1_find_left (p2);
376 while (p3)
377 {
378 if (type_field (p3->type) == TYPE_TAG)
379 {
380 p4 = MHD__asn1_add_node_only (p3->type);
381 tlen = strlen ((const char *) p3->value);
382 if (tlen > 0)
383 MHD__asn1_set_value (p4, p3->value, tlen + 1);
384 MHD__asn1_set_right (p4, p2->down);
385 MHD__asn1_set_down (p2, p4);
386 }
387 p3 = MHD__asn1_find_left (p3);
388 }
389 }
390 p2 = p2->right;
391 }
392 p->type &= ~(CONST_TAG);
393 p2 = p->down;
394 while (p2)
395 {
396 p3 = p2->right;
397 if (type_field (p2->type) == TYPE_TAG)
398 MHD__asn1_delete_structure (&p2);
399 p2 = p3;
400 }
401 }
402 move = DOWN;
403 }
404 else
405 move = RIGHT;
406
407 if (move == DOWN)
408 {
409 if (p->down)
410 p = p->down;
411 else
412 move = RIGHT;
413 }
414
415 if (p == node)
416 {
417 move = UP;
418 continue;
419 }
420
421 if (move == RIGHT)
422 {
423 if (p->right)
424 p = p->right;
425 else
426 move = UP;
427 }
428 if (move == UP)
429 p = MHD__asn1_find_up (p);
430 }
431
432 return ASN1_SUCCESS;
433}
434
435
436static MHD__asn1_retCode
437MHD__asn1_expand_identifier (node_asn ** node, node_asn * root)
438{
439 node_asn *p, *p2, *p3;
440 char name2[MAX_NAME_SIZE + 2];
441 int move;
442
443 if (node == NULL)
444 return ASN1_ELEMENT_NOT_FOUND;
445
446 p = *node;
447 move = DOWN;
448
449 while (!((p == *node) && (move == UP)))
450 {
451 if (move != UP)
452 {
453 if (type_field (p->type) == TYPE_IDENTIFIER)
454 {
455 MHD__asn1_str_cpy (name2, sizeof (name2), root->name);
456 MHD__asn1_str_cat (name2, sizeof (name2), ".");
457 MHD__asn1_str_cat (name2, sizeof (name2),
458 (const char *) p->value);
459 p2 = MHD__asn1_copy_structure2 (root, name2);
460 if (p2 == NULL)
461 {
462 return ASN1_IDENTIFIER_NOT_FOUND;
463 }
464 MHD__asn1_set_name (p2, p->name);
465 p2->right = p->right;
466 p2->left = p->left;
467 if (p->right)
468 p->right->left = p2;
469 p3 = p->down;
470 if (p3)
471 {
472 while (p3->right)
473 p3 = p3->right;
474 MHD__asn1_set_right (p3, p2->down);
475 MHD__asn1_set_down (p2, p->down);
476 }
477
478 p3 = MHD__asn1_find_left (p);
479 if (p3)
480 MHD__asn1_set_right (p3, p2);
481 else
482 {
483 p3 = MHD__asn1_find_up (p);
484 if (p3)
485 MHD__asn1_set_down (p3, p2);
486 else
487 {
488 p2->left = NULL;
489 }
490 }
491
492 if (p->type & CONST_SIZE)
493 p2->type |= CONST_SIZE;
494 if (p->type & CONST_TAG)
495 p2->type |= CONST_TAG;
496 if (p->type & CONST_OPTION)
497 p2->type |= CONST_OPTION;
498 if (p->type & CONST_DEFAULT)
499 p2->type |= CONST_DEFAULT;
500 if (p->type & CONST_SET)
501 p2->type |= CONST_SET;
502 if (p->type & CONST_NOT_USED)
503 p2->type |= CONST_NOT_USED;
504
505 if (p == *node)
506 *node = p2;
507 MHD__asn1_remove_node (p);
508 p = p2;
509 move = DOWN;
510 continue;
511 }
512 move = DOWN;
513 }
514 else
515 move = RIGHT;
516
517 if (move == DOWN)
518 {
519 if (p->down)
520 p = p->down;
521 else
522 move = RIGHT;
523 }
524
525 if (p == *node)
526 {
527 move = UP;
528 continue;
529 }
530
531 if (move == RIGHT)
532 {
533 if (p->right)
534 p = p->right;
535 else
536 move = UP;
537 }
538 if (move == UP)
539 p = MHD__asn1_find_up (p);
540 }
541
542 return ASN1_SUCCESS;
543}
544
545
546/**
547 * MHD__asn1_create_element - Creates a structure of type SOURCE_NAME.
548 * @definitions: pointer to the structure returned by "parser_asn1" function
549 * @source_name: the name of the type of the new structure (must be
550 * inside p_structure).
551 * @element: pointer to the structure created.
552 *
553 * Creates a structure of type @source_name. Example using
554 * "pkix.asn":
555 *
556 * rc = MHD__asn1_create_structure(cert_def, "PKIX1.Certificate",
557 * certptr);
558 *
559 * Returns:
560 *
561 * ASN1_SUCCESS: Creation OK.
562 *
563 * ASN1_ELEMENT_NOT_FOUND: SOURCE_NAME isn't known
564 **/
565MHD__asn1_retCode
566MHD__asn1_create_element (ASN1_TYPE definitions, const char *source_name,
567 ASN1_TYPE * element)
568{
569 node_asn *dest_node;
570 int res;
571
572 dest_node = MHD__asn1_copy_structure2 (definitions, source_name);
573
574 if (dest_node == NULL)
575 return ASN1_ELEMENT_NOT_FOUND;
576
577 MHD__asn1_set_name (dest_node, "");
578
579 res = MHD__asn1_expand_identifier (&dest_node, definitions);
580 MHD__asn1_type_choice_config (dest_node);
581
582 *element = dest_node;
583
584 return res;
585}
diff --git a/src/daemon/https/minitasn1/structure.h b/src/daemon/https/minitasn1/structure.h
deleted file mode 100644
index c447fc92..00000000
--- a/src/daemon/https/minitasn1/structure.h
+++ /dev/null
@@ -1,18 +0,0 @@
1
2/*************************************************/
3/* File: structure.h */
4/* Description: list of exported object by */
5/* "structure.c" */
6/*************************************************/
7
8#ifndef _STRUCTURE_H
9#define _STRUCTURE_H
10
11node_asn *MHD__asn1_copy_structure3 (node_asn * source_node);
12
13
14node_asn *MHD__asn1_add_node_only (unsigned int type);
15
16node_asn *MHD__asn1_find_left (node_asn * node);
17
18#endif
diff --git a/src/daemon/https/tls/Makefile.am b/src/daemon/https/tls/Makefile.am
deleted file mode 100644
index d6bb8307..00000000
--- a/src/daemon/https/tls/Makefile.am
+++ /dev/null
@@ -1,100 +0,0 @@
1AM_CPPFLAGS = \
2-I$(top_srcdir)/src/include \
3-I$(top_srcdir)/src/daemon/ \
4-I$(top_srcdir)/src/daemon/https \
5-I$(top_srcdir)/src/daemon/https/tls \
6-I$(top_srcdir)/src/daemon/https/lgl \
7-I$(top_srcdir)/src/daemon/https/minitasn1 \
8-I$(top_srcdir)/src/daemon/https/x509 \
9 @LIBGCRYPT_CFLAGS@
10
11if USE_COVERAGE
12 AM_CFLAGS = -fprofile-arcs -ftest-coverage
13endif
14
15noinst_LTLIBRARIES = libtls.la
16
17libtls_la_SOURCES = \
18auth_cert.c \
19auth_dhe.c \
20auth_dh_common.c \
21auth_rsa.c \
22auth_rsa_export.c \
23debug.c \
24defines.h \
25ext_cert_type.c \
26ext_max_record.c \
27ext_server_name.c \
28gnutls_alert.c \
29gnutls_algorithms.c \
30gnutls_asn1_tab.c \
31gnutls_auth.c \
32gnutls_buffers.c \
33gnutls_cert.c \
34gnutls_cipher.c \
35gnutls_cipher_int.c \
36gnutls_constate.c \
37gnutls_datum.c \
38gnutls_dh.c \
39gnutls_dh_primes.c \
40gnutls_errors.c \
41gnutls_extensions.c \
42gnutls_global.c \
43gnutls_handshake.c \
44gnutls_hash_int.c \
45gnutls_kx.c \
46gnutls_mem.c \
47gnutls_mpi.c \
48gnutls_num.c \
49gnutls_pk.c \
50gnutls_priority.c \
51gnutls_record.c \
52gnutls_rsa_export.c \
53gnutls_sig.c \
54gnutls_state.c \
55gnutls_str.c \
56gnutls_supplemental.c \
57gnutls_ui.c \
58gnutls_x509.c \
59pkix_asn1_tab.c \
60x509_b64.c \
61auth_cert.h \
62auth_dh_common.h \
63debug.h \
64defines.h \
65ext_cert_type.h \
66ext_max_record.h \
67ext_server_name.h \
68gnutls_algorithms.h \
69gnutls_auth.h \
70gnutls_auth_int.h \
71gnutls_buffers.h \
72gnutls_cert.h \
73gnutls_cipher.h \
74gnutls_cipher_int.h \
75gnutls_constate.h \
76gnutls_datum.h \
77gnutls_dh.h \
78gnutls_errors.h \
79gnutls_extensions.h \
80gnutls_global.h \
81gnutls_handshake.h \
82gnutls_hash_int.h \
83gnutls_int.h \
84gnutls_kx.h \
85gnutls_mem.h \
86gnutls_mpi.h \
87gnutls_num.h \
88gnutls_pk.h \
89gnutls_record.h \
90gnutls_rsa_export.h \
91gnutls_sig.h \
92gnutls_state.h \
93gnutls_str.h \
94gnutls_supplemental.h \
95gnutls_x509.h \
96x509_b64.h \
97memmem.c \
98str-two-way.h
99libtls_la_LIBADD = @LIBGCRYPT_LIBS@
100
diff --git a/src/daemon/https/tls/auth_cert.c b/src/daemon/https/tls/auth_cert.c
deleted file mode 100644
index f4a784b5..00000000
--- a/src/daemon/https/tls/auth_cert.c
+++ /dev/null
@@ -1,1329 +0,0 @@
1/*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* The certificate authentication functions which are needed in the handshake,
26 * and are common to RSA and DHE key exchange, are in this file.
27 */
28
29#include <gnutls_int.h>
30#include "gnutls_auth_int.h"
31#include "gnutls_errors.h"
32#include <gnutls_cert.h>
33#include <auth_cert.h>
34#include "gnutls_dh.h"
35#include "gnutls_num.h"
36#include "libtasn1.h"
37#include "gnutls_datum.h"
38#include <gnutls_pk.h>
39#include <gnutls_algorithms.h>
40#include <gnutls_global.h>
41#include <gnutls_record.h>
42#include <gnutls_sig.h>
43#include <gnutls_state.h>
44#include <gnutls_pk.h>
45#include <gnutls_x509.h>
46#include "debug.h"
47
48static MHD_gnutls_cert *alloc_and_load_x509_certs (MHD_gnutls_x509_crt_t *
49 certs, unsigned);
50static MHD_gnutls_privkey *alloc_and_load_x509_key (MHD_gnutls_x509_privkey_t
51 key);
52
53
54/* Copies data from a internal certificate struct (MHD_gnutls_cert) to
55 * exported certificate struct (cert_auth_info_t)
56 */
57static int
58MHD__gnutls_copy_certificate_auth_info (cert_auth_info_t info,
59 MHD_gnutls_cert * cert, int ncerts)
60{
61 /* Copy peer's information to auth_info_t
62 */
63 int ret, i, j;
64
65 if (ncerts == 0)
66 {
67 info->raw_certificate_list = NULL;
68 info->ncerts = 0;
69 return 0;
70 }
71
72 info->raw_certificate_list =
73 MHD_gnutls_calloc (1, sizeof (MHD_gnutls_datum_t) * ncerts);
74 if (info->raw_certificate_list == NULL)
75 {
76 MHD_gnutls_assert ();
77 return GNUTLS_E_MEMORY_ERROR;
78 }
79
80 for (i = 0; i < ncerts; i++)
81 {
82 if (cert->raw.size > 0)
83 {
84 ret =
85 MHD__gnutls_set_datum (&info->raw_certificate_list[i],
86 cert[i].raw.data, cert[i].raw.size);
87 if (ret < 0)
88 {
89 MHD_gnutls_assert ();
90 goto clear;
91 }
92 }
93 }
94 info->ncerts = ncerts;
95
96 return 0;
97
98clear:
99
100 for (j = 0; j < i; j++)
101 MHD__gnutls_free_datum (&info->raw_certificate_list[j]);
102
103 MHD_gnutls_free (info->raw_certificate_list);
104 info->raw_certificate_list = NULL;
105
106 return ret;
107}
108
109
110
111
112/* returns 0 if the algo_to-check exists in the pk_algos list,
113 * -1 otherwise.
114 */
115inline static int
116MHD__gnutls_check_pk_algo_in_list (const enum MHD_GNUTLS_PublicKeyAlgorithm
117 *pk_algos, int pk_algos_length,
118 enum MHD_GNUTLS_PublicKeyAlgorithm
119 algo_to_check)
120{
121 int i;
122 for (i = 0; i < pk_algos_length; i++)
123 {
124 if (algo_to_check == pk_algos[i])
125 {
126 return 0;
127 }
128 }
129 return -1;
130}
131
132
133/* Returns the issuer's Distinguished name in odn, of the certificate
134 * specified in cert.
135 */
136static int
137MHD__gnutls_cert_get_issuer_dn (MHD_gnutls_cert * cert,
138 MHD_gnutls_datum_t * odn)
139{
140 ASN1_TYPE dn;
141 int len, result;
142 int start, end;
143
144 if ((result = MHD__asn1_create_element
145 (MHD__gnutls_get_pkix (), "PKIX1.Certificate", &dn)) != ASN1_SUCCESS)
146 {
147 MHD_gnutls_assert ();
148 return MHD_gtls_asn2err (result);
149 }
150
151 result = MHD__asn1_der_decoding (&dn, cert->raw.data, cert->raw.size, NULL);
152 if (result != ASN1_SUCCESS)
153 {
154 /* couldn't decode DER */
155 MHD_gnutls_assert ();
156 MHD__asn1_delete_structure (&dn);
157 return MHD_gtls_asn2err (result);
158 }
159
160 result =
161 MHD__asn1_der_decoding_startEnd (dn, cert->raw.data, cert->raw.size,
162 "tbsCertificate.issuer", &start, &end);
163
164 if (result != ASN1_SUCCESS)
165 {
166 /* couldn't decode DER */
167 MHD_gnutls_assert ();
168 MHD__asn1_delete_structure (&dn);
169 return MHD_gtls_asn2err (result);
170 }
171 MHD__asn1_delete_structure (&dn);
172
173 len = end - start + 1;
174
175 odn->size = len;
176 odn->data = &cert->raw.data[start];
177
178 return 0;
179}
180
181
182/* Locates the most appropriate x509 certificate using the
183 * given DN. If indx == -1 then no certificate was found.
184 *
185 * That is to guess which certificate to use, based on the
186 * CAs and sign algorithms supported by the peer server.
187 */
188static int
189_find_x509_cert (const MHD_gtls_cert_credentials_t cred,
190 opaque * _data, size_t _data_size,
191 const enum MHD_GNUTLS_PublicKeyAlgorithm *pk_algos,
192 int pk_algos_length, int *indx)
193{
194 unsigned size;
195 MHD_gnutls_datum_t odn;
196 opaque *data = _data;
197 ssize_t data_size = _data_size;
198 unsigned i, j;
199 int result, cert_pk;
200
201 *indx = -1;
202 odn.size = 0;
203 odn.data = NULL;
204 do
205 {
206
207 DECR_LENGTH_RET (data_size, 2, 0);
208 size = MHD_gtls_read_uint16 (data);
209 DECR_LENGTH_RET (data_size, size, 0);
210 data += 2;
211
212 for (i = 0; i < cred->ncerts; i++)
213 {
214 for (j = 0; j < cred->cert_list_length[i]; j++)
215 {
216 if ((result =
217 MHD__gnutls_cert_get_issuer_dn (&cred->cert_list[i][j],
218 &odn)) != 0)
219 {
220 MHD_gnutls_assert ();
221 return result;
222 }
223
224 if (odn.size != size)
225 continue;
226
227 /* If the DN matches and
228 * the *_SIGN algorithm matches
229 * the cert is our cert!
230 */
231 cert_pk = cred->cert_list[i][0].subject_pk_algorithm;
232
233 if ((memcmp (odn.data, data, size) == 0) &&
234 (MHD__gnutls_check_pk_algo_in_list
235 (pk_algos, pk_algos_length, cert_pk) == 0))
236 {
237 *indx = i;
238 break;
239 }
240 }
241 if (*indx != -1)
242 break;
243 }
244
245 if (*indx != -1)
246 break;
247
248 /* move to next record */
249 data += size;
250
251 }
252 while (1);
253
254 return 0;
255
256}
257
258/* Returns the number of issuers in the server's
259 * certificate request packet.
260 */
261static int
262get_issuers_num (MHD_gtls_session_t session, opaque * data, ssize_t data_size)
263{
264 int issuers_dn_len = 0, result;
265 unsigned size;
266
267 /* Count the number of the given issuers;
268 * This is used to allocate the issuers_dn without
269 * using realloc().
270 */
271
272 if (data_size == 0 || data == NULL)
273 return 0;
274
275 if (data_size > 0)
276 do
277 {
278 /* This works like DECR_LEN()
279 */
280 result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
281 DECR_LENGTH_COM (data_size, 2, goto error);
282 size = MHD_gtls_read_uint16 (data);
283
284 result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
285 DECR_LENGTH_COM (data_size, size, goto error);
286
287 data += 2;
288
289 if (size > 0)
290 {
291 issuers_dn_len++;
292 data += size;
293 }
294
295 if (data_size == 0)
296 break;
297
298 }
299 while (1);
300
301 return issuers_dn_len;
302
303error:
304 return result;
305}
306
307/* Returns the issuers in the server's certificate request
308 * packet.
309 */
310static int
311get_issuers (MHD_gtls_session_t session,
312 MHD_gnutls_datum_t * issuers_dn, int issuers_len,
313 opaque * data, size_t data_size)
314{
315 int i;
316 unsigned size;
317
318 if (MHD_gnutls_certificate_type_get (session) != MHD_GNUTLS_CRT_X509)
319 return 0;
320
321 /* put the requested DNs to req_dn, only in case
322 * of X509 certificates.
323 */
324 if (issuers_len > 0)
325 {
326
327 for (i = 0; i < issuers_len; i++)
328 {
329 /* The checks here for the buffer boundaries
330 * are not needed since the buffer has been
331 * parsed above.
332 */
333 data_size -= 2;
334
335 size = MHD_gtls_read_uint16 (data);
336
337 data += 2;
338
339 issuers_dn[i].data = data;
340 issuers_dn[i].size = size;
341
342 data += size;
343 }
344 }
345
346 return 0;
347}
348
349/* Calls the client get callback.
350 */
351static int
352call_get_cert_callback (MHD_gtls_session_t session,
353 MHD_gnutls_datum_t * issuers_dn,
354 int issuers_dn_length,
355 enum MHD_GNUTLS_PublicKeyAlgorithm *pk_algos,
356 int pk_algos_length)
357{
358 unsigned i;
359 MHD_gnutls_cert *local_certs = NULL;
360 MHD_gnutls_privkey *local_key = NULL;
361 MHD_gnutls_retr_st st;
362 int ret;
363 enum MHD_GNUTLS_CertificateType type =
364 MHD_gnutls_certificate_type_get (session);
365 MHD_gtls_cert_credentials_t cred;
366
367 cred = (MHD_gtls_cert_credentials_t)
368 MHD_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
369 if (cred == NULL)
370 {
371 MHD_gnutls_assert ();
372 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
373 }
374
375 memset (&st, 0, sizeof (st));
376
377 if (session->security_parameters.entity == GNUTLS_SERVER)
378 {
379 ret = cred->server_get_cert_callback (session, &st);
380 }
381 else
382 { /* CLIENT */
383 ret =
384 cred->client_get_cert_callback (session,
385 issuers_dn, issuers_dn_length,
386 pk_algos, pk_algos_length, &st);
387 }
388
389 if (ret < 0)
390 {
391 MHD_gnutls_assert ();
392 return GNUTLS_E_INTERNAL_ERROR;
393 }
394
395 if (st.ncerts == 0)
396 return 0; /* no certificate was selected */
397
398 if (type != st.type)
399 {
400 MHD_gnutls_assert ();
401 ret = GNUTLS_E_INVALID_REQUEST;
402 goto cleanup;
403 }
404
405 if (type == MHD_GNUTLS_CRT_X509)
406 {
407 local_certs = alloc_and_load_x509_certs (st.cert.x509, st.ncerts);
408 if (local_certs != NULL)
409 local_key = alloc_and_load_x509_key (st.key.x509);
410
411 }
412 else
413 { /* PGP */
414 MHD_gnutls_assert ();
415 ret = GNUTLS_E_INVALID_REQUEST;
416 goto cleanup;
417 }
418
419 MHD_gtls_selected_certs_set (session, local_certs,
420 (local_certs != NULL) ? st.ncerts : 0,
421 local_key, 1);
422
423 ret = 0;
424
425cleanup:
426
427 if (st.type == MHD_GNUTLS_CRT_X509)
428 {
429 if (st.deinit_all)
430 {
431 for (i = 0; i < st.ncerts; i++)
432 {
433 MHD_gnutls_x509_crt_deinit (st.cert.x509[i]);
434 }
435 MHD_gnutls_free (st.cert.x509);
436 MHD_gnutls_x509_privkey_deinit (st.key.x509);
437 }
438 }
439 return ret;
440}
441
442/* Finds the appropriate certificate depending on the cA Distinguished name
443 * advertized by the server. If none matches then returns 0 and -1 as index.
444 * In case of an error a negative value, is returned.
445 *
446 * 20020128: added ability to select a certificate depending on the SIGN
447 * algorithm (only in automatic mode).
448 */
449static int
450_select_client_cert (MHD_gtls_session_t session,
451 opaque * _data, size_t _data_size,
452 enum MHD_GNUTLS_PublicKeyAlgorithm *pk_algos,
453 int pk_algos_length)
454{
455 int result;
456 int indx = -1;
457 MHD_gtls_cert_credentials_t cred;
458 opaque *data = _data;
459 ssize_t data_size = _data_size;
460 int issuers_dn_length;
461 MHD_gnutls_datum_t *issuers_dn = NULL;
462
463 cred = (MHD_gtls_cert_credentials_t)
464 MHD_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
465 if (cred == NULL)
466 {
467 MHD_gnutls_assert ();
468 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
469 }
470
471 if (cred->client_get_cert_callback != NULL)
472 {
473
474 /* use a callback to get certificate
475 */
476 if (session->security_parameters.cert_type != MHD_GNUTLS_CRT_X509)
477 issuers_dn_length = 0;
478 else
479 {
480 issuers_dn_length = get_issuers_num (session, data, data_size);
481 if (issuers_dn_length < 0)
482 {
483 MHD_gnutls_assert ();
484 return issuers_dn_length;
485 }
486
487 if (issuers_dn_length > 0)
488 {
489 issuers_dn =
490 MHD_gnutls_malloc (sizeof (MHD_gnutls_datum_t) *
491 issuers_dn_length);
492 if (issuers_dn == NULL)
493 {
494 MHD_gnutls_assert ();
495 return GNUTLS_E_MEMORY_ERROR;
496 }
497
498 result =
499 get_issuers (session, issuers_dn, issuers_dn_length,
500 data, data_size);
501 if (result < 0)
502 {
503 MHD_gnutls_assert ();
504 goto cleanup;
505 }
506 }
507 }
508
509 result =
510 call_get_cert_callback (session, issuers_dn, issuers_dn_length,
511 pk_algos, pk_algos_length);
512 goto cleanup;
513
514 }
515 else
516 {
517 /* If we have no callbacks, try to guess.
518 */
519 result = 0;
520
521 if (session->security_parameters.cert_type == MHD_GNUTLS_CRT_X509)
522 result =
523 _find_x509_cert (cred, _data, _data_size,
524 pk_algos, pk_algos_length, &indx);
525 if (result < 0)
526 {
527 MHD_gnutls_assert ();
528 return result;
529 }
530
531 if (indx >= 0)
532 {
533 MHD_gtls_selected_certs_set (session,
534 &cred->cert_list[indx][0],
535 cred->cert_list_length[indx],
536 &cred->pkey[indx], 0);
537 }
538 else
539 {
540 MHD_gtls_selected_certs_set (session, NULL, 0, NULL, 0);
541 }
542
543 result = 0;
544 }
545
546cleanup:
547 MHD_gnutls_free (issuers_dn);
548 return result;
549
550}
551
552/* Generate client certificate
553 */
554static int
555MHD_gtls_gen_x509_crt (MHD_gtls_session_t session, opaque ** data)
556{
557 int ret, i;
558 opaque *pdata;
559 MHD_gnutls_cert *apr_cert_list;
560 MHD_gnutls_privkey *apr_pkey;
561 int apr_cert_list_length;
562
563 /* find the appropriate certificate
564 */
565 if ((ret =
566 MHD_gtls_get_selected_cert (session, &apr_cert_list,
567 &apr_cert_list_length, &apr_pkey)) < 0)
568 {
569 MHD_gnutls_assert ();
570 return ret;
571 }
572
573 ret = 3;
574 for (i = 0; i < apr_cert_list_length; i++)
575 {
576 ret += apr_cert_list[i].raw.size + 3;
577 /* hold size
578 * for uint24 */
579 }
580
581 /* if no certificates were found then send:
582 * 0B 00 00 03 00 00 00 // Certificate with no certs
583 * instead of:
584 * 0B 00 00 00 // empty certificate handshake
585 *
586 * ( the above is the whole handshake message, not
587 * the one produced here )
588 */
589
590 (*data) = MHD_gnutls_malloc (ret);
591 pdata = (*data);
592
593 if (pdata == NULL)
594 {
595 MHD_gnutls_assert ();
596 return GNUTLS_E_MEMORY_ERROR;
597 }
598 MHD_gtls_write_uint24 (ret - 3, pdata);
599 pdata += 3;
600 for (i = 0; i < apr_cert_list_length; i++)
601 {
602 MHD_gtls_write_datum24 (pdata, apr_cert_list[i].raw);
603 pdata += (3 + apr_cert_list[i].raw.size);
604 }
605
606 return ret;
607}
608
609int
610MHD_gtls_gen_cert_client_certificate (MHD_gtls_session_t session,
611 opaque ** data)
612{
613 switch (session->security_parameters.cert_type)
614 {
615 case MHD_GNUTLS_CRT_X509:
616 return MHD_gtls_gen_x509_crt (session, data);
617
618 default:
619 MHD_gnutls_assert ();
620 return GNUTLS_E_INTERNAL_ERROR;
621 }
622}
623
624int
625MHD_gtls_gen_cert_server_certificate (MHD_gtls_session_t session,
626 opaque ** data)
627{
628 switch (session->security_parameters.cert_type)
629 {
630 case MHD_GNUTLS_CRT_X509:
631 return MHD_gtls_gen_x509_crt (session, data);
632 default:
633 MHD_gnutls_assert ();
634 return GNUTLS_E_INTERNAL_ERROR;
635 }
636}
637
638/* Process server certificate
639 */
640
641#define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) MHD_gtls_gcert_deinit(&peer_certificate_list[x])
642static int
643MHD_gtls_proc_x509_server_certificate (MHD_gtls_session_t session,
644 opaque * data, size_t data_size)
645{
646 int size, len, ret;
647 opaque *p = data;
648 cert_auth_info_t info;
649 MHD_gtls_cert_credentials_t cred;
650 ssize_t dsize = data_size;
651 int i, j, x;
652 MHD_gnutls_cert *peer_certificate_list;
653 int peer_certificate_list_size = 0;
654 MHD_gnutls_datum_t tmp;
655
656 cred = (MHD_gtls_cert_credentials_t)
657 MHD_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
658 if (cred == NULL)
659 {
660 MHD_gnutls_assert ();
661 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
662 }
663
664
665 if ((ret =
666 MHD_gtls_auth_info_set (session, MHD_GNUTLS_CRD_CERTIFICATE,
667 sizeof (cert_auth_info_st), 1)) < 0)
668 {
669 MHD_gnutls_assert ();
670 return ret;
671 }
672
673 info = MHD_gtls_get_auth_info (session);
674
675 if (data == NULL || data_size == 0)
676 {
677 MHD_gnutls_assert ();
678 /* no certificate was sent */
679 return GNUTLS_E_NO_CERTIFICATE_FOUND;
680 }
681
682 DECR_LEN (dsize, 3);
683 size = MHD_gtls_read_uint24 (p);
684 p += 3;
685
686 /* some implementations send 0B 00 00 06 00 00 03 00 00 00
687 * instead of just 0B 00 00 03 00 00 00 as an empty certificate message.
688 */
689 if (size == 0 || size == 3)
690 {
691 MHD_gnutls_assert ();
692 /* no certificate was sent */
693 return GNUTLS_E_NO_CERTIFICATE_FOUND;
694 }
695
696 i = dsize;
697 while (i > 0)
698 {
699 DECR_LEN (dsize, 3);
700 len = MHD_gtls_read_uint24 (p);
701 p += 3;
702 DECR_LEN (dsize, len);
703 peer_certificate_list_size++;
704 p += len;
705 i -= len + 3;
706 }
707
708 if (peer_certificate_list_size == 0)
709 {
710 MHD_gnutls_assert ();
711 return GNUTLS_E_NO_CERTIFICATE_FOUND;
712 }
713
714 /* Ok we now allocate the memory to hold the
715 * certificate list
716 */
717
718 peer_certificate_list =
719 MHD_gnutls_malloc (sizeof (MHD_gnutls_cert) *
720 (peer_certificate_list_size));
721
722 if (peer_certificate_list == NULL)
723 {
724 MHD_gnutls_assert ();
725 return GNUTLS_E_MEMORY_ERROR;
726 }
727 memset (peer_certificate_list, 0, sizeof (MHD_gnutls_cert) *
728 peer_certificate_list_size);
729
730 p = data + 3;
731
732 /* Now we start parsing the list (again).
733 * We don't use DECR_LEN since the list has
734 * been parsed before.
735 */
736
737 for (j = 0; j < peer_certificate_list_size; j++)
738 {
739 len = MHD_gtls_read_uint24 (p);
740 p += 3;
741
742 tmp.size = len;
743 tmp.data = p;
744
745 if ((ret =
746 MHD_gtls_x509_raw_cert_to_gcert (&peer_certificate_list
747 [j], &tmp,
748 CERT_ONLY_EXTENSIONS)) < 0)
749 {
750 MHD_gnutls_assert ();
751 goto cleanup;
752 }
753
754 p += len;
755 }
756
757
758 if ((ret =
759 MHD__gnutls_copy_certificate_auth_info (info,
760 peer_certificate_list,
761 peer_certificate_list_size)) <
762 0)
763 {
764 MHD_gnutls_assert ();
765 goto cleanup;
766 }
767
768 if ((ret =
769 MHD__gnutls_check_key_usage (&peer_certificate_list[0],
770 MHD_gnutls_kx_get (session))) < 0)
771 {
772 MHD_gnutls_assert ();
773 goto cleanup;
774 }
775
776 ret = 0;
777
778cleanup:
779 CLEAR_CERTS;
780 MHD_gnutls_free (peer_certificate_list);
781 return ret;
782
783}
784
785#define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) MHD_gtls_gcert_deinit(&peer_certificate_list[x])
786
787int
788MHD_gtls_proc_cert_server_certificate (MHD_gtls_session_t session,
789 opaque * data, size_t data_size)
790{
791 switch (session->security_parameters.cert_type)
792 {
793 case MHD_GNUTLS_CRT_X509:
794 return MHD_gtls_proc_x509_server_certificate (session, data, data_size);
795 default:
796 MHD_gnutls_assert ();
797 return GNUTLS_E_INTERNAL_ERROR;
798 }
799}
800
801#define MAX_SIGN_ALGOS 2
802typedef enum CertificateSigType
803{ RSA_SIGN = 1, DSA_SIGN
804} CertificateSigType;
805
806/* Checks if we support the given signature algorithm
807 * (RSA or DSA). Returns the corresponding enum MHD_GNUTLS_PublicKeyAlgorithm
808 * if true;
809 */
810inline static int
811MHD__gnutls_check_supported_sign_algo (CertificateSigType algo)
812{
813 switch (algo)
814 {
815 case RSA_SIGN:
816 return MHD_GNUTLS_PK_RSA;
817 default:
818 return -1;
819 }
820}
821
822int
823MHD_gtls_proc_cert_cert_req (MHD_gtls_session_t session, opaque * data,
824 size_t data_size)
825{
826 int size, ret;
827 opaque *p;
828 MHD_gtls_cert_credentials_t cred;
829 ssize_t dsize;
830 int i, j;
831 enum MHD_GNUTLS_PublicKeyAlgorithm pk_algos[MAX_SIGN_ALGOS];
832 int pk_algos_length;
833 enum MHD_GNUTLS_Protocol ver = MHD__gnutls_protocol_get_version (session);
834
835 cred = (MHD_gtls_cert_credentials_t)
836 MHD_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
837 if (cred == NULL)
838 {
839 MHD_gnutls_assert ();
840 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
841 }
842
843 if ((ret =
844 MHD_gtls_auth_info_set (session, MHD_GNUTLS_CRD_CERTIFICATE,
845 sizeof (cert_auth_info_st), 0)) < 0)
846 {
847 MHD_gnutls_assert ();
848 return ret;
849 }
850
851 p = data;
852 dsize = data_size;
853
854 DECR_LEN (dsize, 1);
855 size = p[0];
856 p++;
857 /* check if the sign algorithm is supported.
858 */
859 pk_algos_length = j = 0;
860 for (i = 0; i < size; i++, p++)
861 {
862 DECR_LEN (dsize, 1);
863 if ((ret = MHD__gnutls_check_supported_sign_algo (*p)) > 0)
864 {
865 if (j < MAX_SIGN_ALGOS)
866 {
867 pk_algos[j++] = ret;
868 pk_algos_length++;
869 }
870 }
871 }
872
873 if (pk_algos_length == 0)
874 {
875 MHD_gnutls_assert ();
876 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
877 }
878
879 if (ver == MHD_GNUTLS_PROTOCOL_TLS1_2)
880 {
881 /* read supported hashes */
882 int hash_num;
883 DECR_LEN (dsize, 1);
884
885 hash_num = p[0] & 0xFF;
886 p++;
887
888 DECR_LEN (dsize, hash_num);
889 p += hash_num;
890 }
891
892 /* read the certificate authorities */
893 DECR_LEN (dsize, 2);
894 size = MHD_gtls_read_uint16 (p);
895 p += 2;
896
897 DECR_LEN (dsize, size);
898
899 /* now we ask the user to tell which one
900 * he wants to use.
901 */
902 if ((ret =
903 _select_client_cert (session, p, size, pk_algos, pk_algos_length)) < 0)
904 {
905 MHD_gnutls_assert ();
906 return ret;
907 }
908
909 /* We should reply with a certificate message,
910 * even if we have no certificate to send.
911 */
912 session->key->certificate_requested = 1;
913
914 return 0;
915}
916
917int
918MHD_gtls_gen_cert_client_cert_vrfy (MHD_gtls_session_t session,
919 opaque ** data)
920{
921 int ret;
922 MHD_gnutls_cert *apr_cert_list;
923 MHD_gnutls_privkey *apr_pkey;
924 int apr_cert_list_length, size;
925 MHD_gnutls_datum_t signature;
926
927 *data = NULL;
928
929 /* find the appropriate certificate */
930 if ((ret =
931 MHD_gtls_get_selected_cert (session, &apr_cert_list,
932 &apr_cert_list_length, &apr_pkey)) < 0)
933 {
934 MHD_gnutls_assert ();
935 return ret;
936 }
937
938 if (apr_cert_list_length > 0)
939 {
940 if ((ret =
941 MHD_gtls_tls_sign_hdata (session,
942 &apr_cert_list[0],
943 apr_pkey, &signature)) < 0)
944 {
945 MHD_gnutls_assert ();
946 return ret;
947 }
948 }
949 else
950 {
951 return 0;
952 }
953
954 *data = MHD_gnutls_malloc (signature.size + 2);
955 if (*data == NULL)
956 {
957 MHD__gnutls_free_datum (&signature);
958 return GNUTLS_E_MEMORY_ERROR;
959 }
960 size = signature.size;
961 MHD_gtls_write_uint16 (size, *data);
962
963 memcpy (&(*data)[2], signature.data, size);
964
965 MHD__gnutls_free_datum (&signature);
966
967 return size + 2;
968}
969
970int
971MHD_gtls_proc_cert_client_cert_vrfy (MHD_gtls_session_t session,
972 opaque * data, size_t data_size)
973{
974 int size, ret;
975 ssize_t dsize = data_size;
976 opaque *pdata = data;
977 MHD_gnutls_datum_t sig;
978 cert_auth_info_t info = MHD_gtls_get_auth_info (session);
979 MHD_gnutls_cert peer_cert;
980
981 if (info == NULL || info->ncerts == 0)
982 {
983 MHD_gnutls_assert ();
984 /* we need this in order to get peer's certificate */
985 return GNUTLS_E_INTERNAL_ERROR;
986 }
987
988 DECR_LEN (dsize, 2);
989 size = MHD_gtls_read_uint16 (pdata);
990 pdata += 2;
991
992 DECR_LEN (dsize, size);
993
994 sig.data = pdata;
995 sig.size = size;
996
997 ret = MHD_gtls_raw_cert_to_gcert (&peer_cert,
998 session->security_parameters.cert_type,
999 &info->raw_certificate_list[0],
1000 CERT_NO_COPY);
1001
1002 if (ret < 0)
1003 {
1004 MHD_gnutls_assert ();
1005 return ret;
1006 }
1007
1008 if ((ret = MHD_gtls_verify_sig_hdata (session, &peer_cert, &sig)) < 0)
1009 {
1010 MHD_gnutls_assert ();
1011 MHD_gtls_gcert_deinit (&peer_cert);
1012 return ret;
1013 }
1014 MHD_gtls_gcert_deinit (&peer_cert);
1015
1016 return 0;
1017}
1018
1019#define CERTTYPE_SIZE 3
1020int
1021MHD_gtls_gen_cert_server_cert_req (MHD_gtls_session_t session, opaque ** data)
1022{
1023 MHD_gtls_cert_credentials_t cred;
1024 int size;
1025 opaque *pdata;
1026 enum MHD_GNUTLS_Protocol ver = MHD__gnutls_protocol_get_version (session);
1027
1028 /* Now we need to generate the RDN sequence. This is
1029 * already in the CERTIFICATE_CRED structure, to improve
1030 * performance.
1031 */
1032
1033 cred = (MHD_gtls_cert_credentials_t)
1034 MHD_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
1035 if (cred == NULL)
1036 {
1037 MHD_gnutls_assert ();
1038 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1039 }
1040
1041 size = CERTTYPE_SIZE + 2; /* 2 for enum MHD_GNUTLS_CertificateType + 2 for size of rdn_seq
1042 */
1043
1044 if (session->security_parameters.cert_type == MHD_GNUTLS_CRT_X509 &&
1045 session->internals.ignore_rdn_sequence == 0)
1046 size += cred->x509_rdn_sequence.size;
1047
1048 if (ver == MHD_GNUTLS_PROTOCOL_TLS1_2)
1049 /* Need at least one byte to announce the number of supported hash
1050 functions (see below). */
1051 size += 1;
1052
1053 (*data) = MHD_gnutls_malloc (size);
1054 pdata = (*data);
1055
1056 if (pdata == NULL)
1057 {
1058 MHD_gnutls_assert ();
1059 return GNUTLS_E_MEMORY_ERROR;
1060 }
1061
1062 pdata[0] = CERTTYPE_SIZE - 1;
1063
1064 pdata[1] = RSA_SIGN;
1065 pdata[2] = DSA_SIGN; /* only these for now */
1066 pdata += CERTTYPE_SIZE;
1067
1068 if (ver == MHD_GNUTLS_PROTOCOL_TLS1_2)
1069 {
1070 /* Supported hashes (nothing for now -- FIXME). */
1071 *pdata = 0;
1072 pdata++;
1073 }
1074
1075 if (session->security_parameters.cert_type == MHD_GNUTLS_CRT_X509 &&
1076 session->internals.ignore_rdn_sequence == 0)
1077 {
1078 MHD_gtls_write_datum16 (pdata, cred->x509_rdn_sequence);
1079 /* pdata += cred->x509_rdn_sequence.size + 2; */
1080 }
1081 else
1082 {
1083 MHD_gtls_write_uint16 (0, pdata);
1084 /* pdata+=2; */
1085 }
1086
1087 return size;
1088}
1089
1090
1091/* This function will return the appropriate certificate to use.
1092 * Fills in the apr_cert_list, apr_cert_list_length and apr_pkey.
1093 * The return value is a negative value on error.
1094 *
1095 * It is normal to return 0 with no certificates in client side.
1096 *
1097 */
1098int
1099MHD_gtls_get_selected_cert (MHD_gtls_session_t session,
1100 MHD_gnutls_cert ** apr_cert_list,
1101 int *apr_cert_list_length,
1102 MHD_gnutls_privkey ** apr_pkey)
1103{
1104 if (session->security_parameters.entity == GNUTLS_SERVER)
1105 {
1106
1107 /* select_client_cert() has been called before.
1108 */
1109
1110 *apr_cert_list = session->internals.selected_cert_list;
1111 *apr_pkey = session->internals.selected_key;
1112 *apr_cert_list_length = session->internals.selected_cert_list_length;
1113
1114 if (*apr_cert_list_length == 0 || *apr_cert_list == NULL)
1115 {
1116 MHD_gnutls_assert ();
1117 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1118 }
1119
1120 }
1121 else
1122 { /* CLIENT SIDE
1123 */
1124
1125 /* we have already decided which certificate
1126 * to send.
1127 */
1128 *apr_cert_list = session->internals.selected_cert_list;
1129 *apr_cert_list_length = session->internals.selected_cert_list_length;
1130 *apr_pkey = session->internals.selected_key;
1131
1132 }
1133
1134 return 0;
1135}
1136
1137/* converts the given x509 certificate to MHD_gnutls_cert* and allocates
1138 * space for them.
1139 */
1140static MHD_gnutls_cert *
1141alloc_and_load_x509_certs (MHD_gnutls_x509_crt_t * certs, unsigned ncerts)
1142{
1143 MHD_gnutls_cert *local_certs;
1144 int ret = 0;
1145 unsigned i, j;
1146
1147 if (certs == NULL)
1148 return NULL;
1149
1150 local_certs = MHD_gnutls_malloc (sizeof (MHD_gnutls_cert) * ncerts);
1151 if (local_certs == NULL)
1152 {
1153 MHD_gnutls_assert ();
1154 return NULL;
1155 }
1156
1157 for (i = 0; i < ncerts; i++)
1158 {
1159 ret = MHD_gtls_x509_crt_to_gcert (&local_certs[i], certs[i], 0);
1160 if (ret < 0)
1161 break;
1162 }
1163
1164 if (ret < 0)
1165 {
1166 MHD_gnutls_assert ();
1167 for (j = 0; j < i; j++)
1168 {
1169 MHD_gtls_gcert_deinit (&local_certs[j]);
1170 }
1171 MHD_gnutls_free (local_certs);
1172 return NULL;
1173 }
1174
1175 return local_certs;
1176}
1177
1178/* converts the given x509 key to MHD_gnutls_privkey* and allocates
1179 * space for it.
1180 */
1181static MHD_gnutls_privkey *
1182alloc_and_load_x509_key (MHD_gnutls_x509_privkey_t key)
1183{
1184 MHD_gnutls_privkey *local_key;
1185 int ret = 0;
1186
1187 if (key == NULL)
1188 return NULL;
1189
1190 local_key = MHD_gnutls_malloc (sizeof (MHD_gnutls_privkey));
1191 if (local_key == NULL)
1192 {
1193 MHD_gnutls_assert ();
1194 return NULL;
1195 }
1196
1197 ret = MHD__gnutls_x509_privkey_to_gkey (local_key, key);
1198 if (ret < 0)
1199 {
1200 MHD_gnutls_assert ();
1201 return NULL;
1202 }
1203
1204 return local_key;
1205}
1206
1207void
1208MHD_gtls_selected_certs_deinit (MHD_gtls_session_t session)
1209{
1210 if (session->internals.selected_need_free != 0)
1211 {
1212 int i;
1213
1214 for (i = 0; i < session->internals.selected_cert_list_length; i++)
1215 {
1216 MHD_gtls_gcert_deinit (&session->internals.selected_cert_list[i]);
1217 }
1218 MHD_gnutls_free (session->internals.selected_cert_list);
1219 session->internals.selected_cert_list = NULL;
1220 session->internals.selected_cert_list_length = 0;
1221
1222 MHD_gtls_gkey_deinit (session->internals.selected_key);
1223 if (session->internals.selected_key)
1224 {
1225 MHD_gnutls_free (session->internals.selected_key);
1226 session->internals.selected_key = NULL;
1227 }
1228 }
1229
1230 return;
1231}
1232
1233void
1234MHD_gtls_selected_certs_set (MHD_gtls_session_t session,
1235 MHD_gnutls_cert * certs, int ncerts,
1236 MHD_gnutls_privkey * key, int need_free)
1237{
1238 MHD_gtls_selected_certs_deinit (session);
1239
1240 session->internals.selected_cert_list = certs;
1241 session->internals.selected_cert_list_length = ncerts;
1242 session->internals.selected_key = key;
1243 session->internals.selected_need_free = need_free;
1244
1245}
1246
1247
1248/* finds the most appropriate certificate in the cert list.
1249 * The 'appropriate' is defined by the user.
1250 *
1251 * requested_algo holds the parameters required by the peer (RSA, DSA
1252 * or -1 for any).
1253 *
1254 * Returns 0 on success and a negative value on error. The
1255 * selected certificate will be in session->internals.selected_*.
1256 *
1257 */
1258int
1259MHD_gtls_server_select_cert (MHD_gtls_session_t session,
1260 enum MHD_GNUTLS_PublicKeyAlgorithm
1261 requested_algo)
1262{
1263 unsigned i;
1264 int idx, ret;
1265 MHD_gtls_cert_credentials_t cred;
1266
1267 cred = (MHD_gtls_cert_credentials_t)
1268 MHD_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
1269 if (cred == NULL)
1270 {
1271 MHD_gnutls_assert ();
1272 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1273 }
1274
1275 /* If the callback which retrieves certificate has been set,
1276 * use it and leave.
1277 */
1278 if (cred->server_get_cert_callback != NULL)
1279 return call_get_cert_callback (session, NULL, 0, NULL, 0);
1280
1281 /* Otherwise... */
1282
1283 ret = 0;
1284 idx = -1; /* default is use no certificate */
1285
1286
1287 for (i = 0; i < cred->ncerts; i++)
1288 {
1289 /* find one compatible certificate
1290 */
1291 if (requested_algo == GNUTLS_PK_ANY ||
1292 requested_algo == cred->cert_list[i][0].subject_pk_algorithm)
1293 {
1294 /* if cert type matches
1295 */
1296 if (session->security_parameters.cert_type ==
1297 cred->cert_list[i][0].cert_type)
1298 {
1299 idx = i;
1300 break;
1301 }
1302 }
1303 }
1304
1305 /* store the certificate pointer for future use, in the handshake.
1306 * (This will allow not calling this callback again.)
1307 */
1308 if (idx >= 0 && ret == 0)
1309 {
1310 MHD_gtls_selected_certs_set (session,
1311 &cred->cert_list[idx][0],
1312 cred->cert_list_length[idx],
1313 &cred->pkey[idx], 0);
1314 }
1315 else
1316 /* Certificate does not support REQUESTED_ALGO. */
1317 ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1318
1319 return ret;
1320}
1321
1322/* Frees the MHD_gtls_rsa_info_st structure.
1323 */
1324void
1325MHD_gtls_free_rsa_info (rsa_info_st * rsa)
1326{
1327 MHD__gnutls_free_datum (&rsa->modulus);
1328 MHD__gnutls_free_datum (&rsa->exponent);
1329}
diff --git a/src/daemon/https/tls/auth_cert.h b/src/daemon/https/tls/auth_cert.h
deleted file mode 100644
index 395fdd29..00000000
--- a/src/daemon/https/tls/auth_cert.h
+++ /dev/null
@@ -1,159 +0,0 @@
1/*
2 * Copyright (C) 2002, 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef AUTH_CERT_H
26#define AUTH_CERT_H
27
28#include "gnutls_cert.h"
29#include "gnutls_auth.h"
30#include "auth_dh_common.h"
31#include "x509.h"
32
33/* This structure may be complex, but it's the only way to
34 * support a server that has multiple certificates
35 */
36
37typedef struct MHD_gtls_certificate_credentials_st
38{
39 MHD_gtls_dh_params_t dh_params;
40 MHD_gtls_rsa_params_t rsa_params;
41 /* this callback is used to retrieve the DH or RSA
42 * parameters.
43 */
44 MHD_gnutls_params_function *params_func;
45
46 MHD_gnutls_cert **cert_list;
47 /* contains a list of a list of certificates.
48 * eg (X509): [0] certificate1, certificate11, certificate111
49 * (if more than one, one certificate certifies the one before)
50 * [1] certificate2, certificate22, ...
51 */
52 unsigned *cert_list_length;
53 /* contains the number of the certificates in a
54 * row (should be 1 for OpenPGP keys).
55 */
56 unsigned ncerts; /* contains the number of columns in cert_list.
57 * This is the same with the number of pkeys.
58 */
59
60 MHD_gnutls_privkey *pkey;
61 /* private keys. It contains ncerts private
62 * keys. pkey[i] corresponds to certificate in
63 * cert_list[i][0].
64 */
65
66 /* OpenPGP specific stuff */
67
68#ifndef KEYRING_HACK
69 MHD_gnutls_openpgp_keyring_t keyring;
70#else
71 MHD_gnutls_datum_t keyring;
72 int keyring_format;
73#endif
74
75 /* X509 specific stuff */
76
77 MHD_gnutls_x509_crt_t *x509_ca_list;
78 unsigned x509_ncas; /* number of CAs in the ca_list
79 */
80
81 MHD_gnutls_x509_crl_t *x509_crl_list;
82 unsigned x509_ncrls; /* number of CRLs in the crl_list
83 */
84
85 unsigned int verify_flags; /* flags to be used at
86 * certificate verification.
87 */
88 unsigned int verify_depth;
89 unsigned int verify_bits;
90
91 /* holds a sequence of the
92 * RDNs of the CAs above.
93 * This is better than
94 * generating on every handshake.
95 */
96 MHD_gnutls_datum_t x509_rdn_sequence;
97
98 MHD_gnutls_certificate_client_retrieve_function *client_get_cert_callback;
99 MHD_gnutls_certificate_server_retrieve_function *server_get_cert_callback;
100} MHD_gtls_cert_credentials_st;
101
102typedef struct MHD_gtls_rsa_info_st
103{
104 MHD_gnutls_datum_t modulus;
105 MHD_gnutls_datum_t exponent;
106} rsa_info_st;
107
108typedef struct MHD_gtls_cert_auth_info_st
109{
110 int certificate_requested; /* if the peer requested certificate
111 * this is non zero;
112 */
113
114 /* These (dh/rsa) are just copies from the credentials_t structure.
115 * They must be freed.
116 */
117 MHD_gtls_dh_info_st dh;
118 rsa_info_st rsa_export;
119
120 MHD_gnutls_datum_t *raw_certificate_list; /* holds the raw certificate of the
121 * peer.
122 */
123 unsigned int ncerts; /* holds the size of the list above */
124} *cert_auth_info_t;
125
126typedef struct MHD_gtls_cert_auth_info_st cert_auth_info_st;
127
128void MHD_gtls_free_rsa_info (rsa_info_st * rsa);
129
130/* AUTH X509 functions */
131int MHD_gtls_gen_cert_server_certificate (MHD_gtls_session_t, opaque **);
132int MHD_gtls_gen_cert_client_certificate (MHD_gtls_session_t, opaque **);
133int MHD_gtls_gen_cert_client_cert_vrfy (MHD_gtls_session_t, opaque **);
134int MHD_gtls_gen_cert_server_cert_req (MHD_gtls_session_t, opaque **);
135int MHD_gtls_proc_cert_cert_req (MHD_gtls_session_t, opaque *, size_t);
136int MHD_gtls_proc_cert_client_cert_vrfy (MHD_gtls_session_t, opaque *,
137 size_t);
138int MHD_gtls_proc_cert_server_certificate (MHD_gtls_session_t, opaque *,
139 size_t);
140int MHD_gtls_get_selected_cert (MHD_gtls_session_t session,
141 MHD_gnutls_cert ** apr_cert_list,
142 int *apr_cert_list_length,
143 MHD_gnutls_privkey ** apr_pkey);
144
145int MHD_gtls_server_select_cert (struct MHD_gtls_session_int *,
146 enum MHD_GNUTLS_PublicKeyAlgorithm);
147void MHD_gtls_selected_certs_deinit (MHD_gtls_session_t session);
148void MHD_gtls_selected_certs_set (MHD_gtls_session_t session,
149 MHD_gnutls_cert * certs, int ncerts,
150 MHD_gnutls_privkey * key, int need_free);
151
152#define MHD__gnutls_proc_cert_client_certificate MHD_gtls_proc_cert_server_certificate
153
154MHD_gtls_rsa_params_t
155MHD_gtls_certificate_get_rsa_params (MHD_gtls_rsa_params_t rsa_params,
156 MHD_gnutls_params_function * func,
157 MHD_gtls_session_t);
158
159#endif
diff --git a/src/daemon/https/tls/auth_dh_common.c b/src/daemon/https/tls/auth_dh_common.c
deleted file mode 100644
index 8fc6e391..00000000
--- a/src/daemon/https/tls/auth_dh_common.c
+++ /dev/null
@@ -1,327 +0,0 @@
1/*
2 * Copyright (C) 2002, 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file contains common stuff in Ephemeral Diffie Hellman (DHE) and
26 * Anonymous DH key exchange(DHA). These are used in the handshake procedure
27 * of the certificate and anoymous authentication.
28 */
29
30#include "gnutls_int.h"
31#include "gnutls_auth_int.h"
32#include "gnutls_errors.h"
33#include "gnutls_dh.h"
34#include "gnutls_num.h"
35#include "gnutls_sig.h"
36#include <gnutls_datum.h>
37#include <gnutls_x509.h>
38#include <gnutls_state.h>
39#include <auth_dh_common.h>
40#include <gnutls_algorithms.h>
41
42/* Frees the MHD_gtls_dh_info_st structure.
43 */
44void
45MHD_gtls_free_dh_info (MHD_gtls_dh_info_st * dh)
46{
47 dh->secret_bits = 0;
48 MHD__gnutls_free_datum (&dh->prime);
49 MHD__gnutls_free_datum (&dh->generator);
50 MHD__gnutls_free_datum (&dh->public_key);
51}
52
53int
54MHD_gtls_proc_dh_common_client_kx (MHD_gtls_session_t session,
55 opaque * data, size_t _data_size,
56 mpi_t g, mpi_t p)
57{
58 uint16_t n_Y;
59 size_t _n_Y;
60 int ret;
61 ssize_t data_size = _data_size;
62
63
64 DECR_LEN (data_size, 2);
65 n_Y = MHD_gtls_read_uint16 (&data[0]);
66 _n_Y = n_Y;
67
68 DECR_LEN (data_size, n_Y);
69 if (MHD_gtls_mpi_scan_nz (&session->key->client_Y, &data[2], &_n_Y))
70 {
71 MHD_gnutls_assert ();
72 return GNUTLS_E_MPI_SCAN_FAILED;
73 }
74
75 MHD_gtls_dh_set_peer_public (session, session->key->client_Y);
76
77 session->key->KEY =
78 MHD_gtls_calc_dh_key (session->key->client_Y, session->key->dh_secret, p);
79
80 if (session->key->KEY == NULL)
81 {
82 MHD_gnutls_assert ();
83 return GNUTLS_E_MEMORY_ERROR;
84 }
85
86 MHD_gtls_mpi_release (&session->key->client_Y);
87 MHD_gtls_mpi_release (&session->key->dh_secret);
88
89 ret = MHD_gtls_mpi_dprint (&session->key->key, session->key->KEY);
90
91 MHD_gtls_mpi_release (&session->key->KEY);
92
93 if (ret < 0)
94 {
95 return ret;
96 }
97
98 return 0;
99}
100
101int
102MHD_gtls_gen_dh_common_client_kx (MHD_gtls_session_t session, opaque ** data)
103{
104 mpi_t x = NULL, X = NULL;
105 size_t n_X;
106 int ret;
107
108 *data = NULL;
109
110 X = MHD_gtls_calc_dh_secret (&x, session->key->client_g,
111 session->key->client_p);
112 if (X == NULL || x == NULL)
113 {
114 MHD_gnutls_assert ();
115 ret = GNUTLS_E_MEMORY_ERROR;
116 goto error;
117 }
118
119 MHD_gtls_dh_set_secret_bits (session, MHD__gnutls_mpi_get_nbits (x));
120
121 MHD_gtls_mpi_print (NULL, &n_X, X);
122 (*data) = MHD_gnutls_malloc (n_X + 2);
123 if (*data == NULL)
124 {
125 ret = GNUTLS_E_MEMORY_ERROR;
126 goto error;
127 }
128
129 MHD_gtls_mpi_print (&(*data)[2], &n_X, X);
130 MHD_gtls_mpi_release (&X);
131
132 MHD_gtls_write_uint16 (n_X, &(*data)[0]);
133
134 /* calculate the key after calculating the message */
135 session->key->KEY =
136 MHD_gtls_calc_dh_key (session->key->client_Y, x, session->key->client_p);
137
138 MHD_gtls_mpi_release (&x);
139 if (session->key->KEY == NULL)
140 {
141 MHD_gnutls_assert ();
142 ret = GNUTLS_E_MEMORY_ERROR;
143 goto error;
144 }
145
146 /* THESE SHOULD BE DISCARDED */
147 MHD_gtls_mpi_release (&session->key->client_Y);
148 MHD_gtls_mpi_release (&session->key->client_p);
149 MHD_gtls_mpi_release (&session->key->client_g);
150
151 ret = MHD_gtls_mpi_dprint (&session->key->key, session->key->KEY);
152
153 MHD_gtls_mpi_release (&session->key->KEY);
154
155 if (ret < 0)
156 {
157 MHD_gnutls_assert ();
158 goto error;
159 }
160
161 return n_X + 2;
162
163error:
164 MHD_gtls_mpi_release (&x);
165 MHD_gtls_mpi_release (&X);
166 MHD_gnutls_free (*data);
167 *data = NULL;
168 return ret;
169}
170
171int
172MHD_gtls_proc_dh_common_server_kx (MHD_gtls_session_t session,
173 opaque * data, size_t _data_size, int psk)
174{
175 uint16_t n_Y, n_g, n_p;
176 size_t _n_Y, _n_g, _n_p;
177 uint8_t *data_p;
178 uint8_t *data_g;
179 uint8_t *data_Y;
180 int i, bits, psk_size, ret;
181 ssize_t data_size = _data_size;
182
183 i = 0;
184
185 if (psk != 0)
186 {
187 DECR_LEN (data_size, 2);
188 psk_size = MHD_gtls_read_uint16 (&data[i]);
189 DECR_LEN (data_size, psk_size);
190 i += 2 + psk_size;
191 }
192
193 DECR_LEN (data_size, 2);
194 n_p = MHD_gtls_read_uint16 (&data[i]);
195 i += 2;
196
197 DECR_LEN (data_size, n_p);
198 data_p = &data[i];
199 i += n_p;
200
201 DECR_LEN (data_size, 2);
202 n_g = MHD_gtls_read_uint16 (&data[i]);
203 i += 2;
204
205 DECR_LEN (data_size, n_g);
206 data_g = &data[i];
207 i += n_g;
208
209 DECR_LEN (data_size, 2);
210 n_Y = MHD_gtls_read_uint16 (&data[i]);
211 i += 2;
212
213 DECR_LEN (data_size, n_Y);
214 data_Y = &data[i];
215 i += n_Y;
216
217 _n_Y = n_Y;
218 _n_g = n_g;
219 _n_p = n_p;
220
221 if (MHD_gtls_mpi_scan_nz (&session->key->client_Y, data_Y, &_n_Y) != 0)
222 {
223 MHD_gnutls_assert ();
224 return GNUTLS_E_MPI_SCAN_FAILED;
225 }
226
227 if (MHD_gtls_mpi_scan_nz (&session->key->client_g, data_g, &_n_g) != 0)
228 {
229 MHD_gnutls_assert ();
230 return GNUTLS_E_MPI_SCAN_FAILED;
231 }
232 if (MHD_gtls_mpi_scan_nz (&session->key->client_p, data_p, &_n_p) != 0)
233 {
234 MHD_gnutls_assert ();
235 return GNUTLS_E_MPI_SCAN_FAILED;
236 }
237
238 bits = MHD_gtls_dh_get_allowed_prime_bits (session);
239 if (bits < 0)
240 {
241 MHD_gnutls_assert ();
242 return bits;
243 }
244
245 if (MHD__gnutls_mpi_get_nbits (session->key->client_p) < (size_t) bits)
246 {
247 /* the prime used by the peer is not acceptable
248 */
249 MHD_gnutls_assert ();
250 return GNUTLS_E_DH_PRIME_UNACCEPTABLE;
251 }
252
253 MHD_gtls_dh_set_group (session, session->key->client_g,
254 session->key->client_p);
255 MHD_gtls_dh_set_peer_public (session, session->key->client_Y);
256
257 ret = n_Y + n_p + n_g + 6;
258 if (psk != 0)
259 ret += 2;
260
261 return ret;
262}
263
264/* If the psk flag is set, then an empty psk_identity_hint will
265 * be inserted */
266int
267MHD_gtls_dh_common_print_server_kx (MHD_gtls_session_t session,
268 mpi_t g, mpi_t p, opaque ** data, int psk)
269{
270 mpi_t x, X;
271 size_t n_X, n_g, n_p;
272 int ret, data_size, pos;
273 uint8_t *pdata;
274
275 X = MHD_gtls_calc_dh_secret (&x, g, p);
276 if (X == NULL || x == NULL)
277 {
278 MHD_gnutls_assert ();
279 return GNUTLS_E_MEMORY_ERROR;
280 }
281
282 session->key->dh_secret = x;
283 MHD_gtls_dh_set_secret_bits (session, MHD__gnutls_mpi_get_nbits (x));
284
285 MHD_gtls_mpi_print (NULL, &n_g, g);
286 MHD_gtls_mpi_print (NULL, &n_p, p);
287 MHD_gtls_mpi_print (NULL, &n_X, X);
288
289 data_size = n_g + n_p + n_X + 6;
290 if (psk != 0)
291 data_size += 2;
292
293 (*data) = MHD_gnutls_malloc (data_size);
294 if (*data == NULL)
295 {
296 MHD_gtls_mpi_release (&X);
297 return GNUTLS_E_MEMORY_ERROR;
298 }
299
300 pos = 0;
301 pdata = *data;
302
303 if (psk != 0)
304 {
305 MHD_gtls_write_uint16 (0, &pdata[pos]);
306 pos += 2;
307 }
308
309 MHD_gtls_mpi_print (&pdata[pos + 2], &n_p, p);
310 MHD_gtls_write_uint16 (n_p, &pdata[pos]);
311
312 pos += n_p + 2;
313
314 MHD_gtls_mpi_print (&pdata[pos + 2], &n_g, g);
315 MHD_gtls_write_uint16 (n_g, &pdata[pos]);
316
317 pos += n_g + 2;
318
319 MHD_gtls_mpi_print (&pdata[pos + 2], &n_X, X);
320 MHD_gtls_mpi_release (&X);
321
322 MHD_gtls_write_uint16 (n_X, &pdata[pos]);
323
324 ret = data_size;
325
326 return ret;
327}
diff --git a/src/daemon/https/tls/auth_dh_common.h b/src/daemon/https/tls/auth_dh_common.h
deleted file mode 100644
index f09ce6dc..00000000
--- a/src/daemon/https/tls/auth_dh_common.h
+++ /dev/null
@@ -1,48 +0,0 @@
1/*
2 * Copyright (C) 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef AUTH_DH_COMMON
26# define AUTH_DH_COMMON
27
28typedef struct
29{
30 int secret_bits;
31
32 MHD_gnutls_datum_t prime;
33 MHD_gnutls_datum_t generator;
34 MHD_gnutls_datum_t public_key;
35} MHD_gtls_dh_info_st;
36
37void MHD_gtls_free_dh_info (MHD_gtls_dh_info_st * dh);
38int MHD_gtls_gen_dh_common_client_kx (MHD_gtls_session_t, opaque **);
39int MHD_gtls_proc_dh_common_client_kx (MHD_gtls_session_t session,
40 opaque * data, size_t _data_size,
41 mpi_t p, mpi_t g);
42int MHD_gtls_dh_common_print_server_kx (MHD_gtls_session_t, mpi_t g, mpi_t p,
43 opaque ** data, int psk);
44int MHD_gtls_proc_dh_common_server_kx (MHD_gtls_session_t session,
45 opaque * data, size_t _data_size,
46 int psk);
47
48#endif
diff --git a/src/daemon/https/tls/auth_dhe.c b/src/daemon/https/tls/auth_dhe.c
deleted file mode 100644
index 38407f9d..00000000
--- a/src/daemon/https/tls/auth_dhe.c
+++ /dev/null
@@ -1,274 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file contains everything for the Ephemeral Diffie Hellman (DHE)
26 * key exchange. This is used in the handshake procedure of the certificate
27 * authentication.
28 */
29
30#include "gnutls_int.h"
31#include "gnutls_auth_int.h"
32#include "gnutls_errors.h"
33#include "gnutls_dh.h"
34#include "gnutls_num.h"
35#include "gnutls_sig.h"
36#include <gnutls_datum.h>
37#include <auth_cert.h>
38#include <gnutls_x509.h>
39#include <gnutls_state.h>
40#include <auth_dh_common.h>
41
42static int gen_dhe_server_kx (MHD_gtls_session_t, opaque **);
43static int proc_dhe_server_kx (MHD_gtls_session_t, opaque *, size_t);
44static int proc_dhe_client_kx (MHD_gtls_session_t, opaque *, size_t);
45
46const MHD_gtls_mod_auth_st MHD_gtls_dhe_rsa_auth_struct = {
47 "DHE_RSA",
48 MHD_gtls_gen_cert_server_certificate,
49 MHD_gtls_gen_cert_client_certificate,
50 gen_dhe_server_kx,
51 MHD_gtls_gen_dh_common_client_kx,
52 MHD_gtls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */
53 MHD_gtls_gen_cert_server_cert_req, /* server cert request */
54
55 MHD_gtls_proc_cert_server_certificate,
56 MHD__gnutls_proc_cert_client_certificate,
57 proc_dhe_server_kx,
58 proc_dhe_client_kx,
59 MHD_gtls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */
60 MHD_gtls_proc_cert_cert_req /* proc server cert request */
61};
62
63const MHD_gtls_mod_auth_st MHD_gtls_dhe_dss_auth_struct = {
64 "DHE_DSS",
65 MHD_gtls_gen_cert_server_certificate,
66 MHD_gtls_gen_cert_client_certificate,
67 gen_dhe_server_kx,
68 MHD_gtls_gen_dh_common_client_kx,
69 MHD_gtls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */
70 MHD_gtls_gen_cert_server_cert_req, /* server cert request */
71
72 MHD_gtls_proc_cert_server_certificate,
73 MHD__gnutls_proc_cert_client_certificate,
74 proc_dhe_server_kx,
75 proc_dhe_client_kx,
76 MHD_gtls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */
77 MHD_gtls_proc_cert_cert_req /* proc server cert request */
78};
79
80
81static int
82gen_dhe_server_kx (MHD_gtls_session_t session, opaque ** data)
83{
84 mpi_t g, p;
85 const mpi_t *mpis;
86 int ret = 0, data_size;
87 MHD_gnutls_cert *apr_cert_list;
88 MHD_gnutls_privkey *apr_pkey;
89 int apr_cert_list_length;
90 MHD_gnutls_datum_t signature, ddata;
91 MHD_gtls_cert_credentials_t cred;
92 MHD_gtls_dh_params_t dh_params;
93
94 cred = (MHD_gtls_cert_credentials_t)
95 MHD_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
96 if (cred == NULL)
97 {
98 MHD_gnutls_assert ();
99 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
100 }
101
102 /* find the appropriate certificate */
103 if ((ret =
104 MHD_gtls_get_selected_cert (session, &apr_cert_list,
105 &apr_cert_list_length, &apr_pkey)) < 0)
106 {
107 MHD_gnutls_assert ();
108 return ret;
109 }
110
111 dh_params =
112 MHD_gtls_get_dh_params (cred->dh_params, cred->params_func, session);
113 mpis = MHD_gtls_dh_params_to_mpi (dh_params);
114 if (mpis == NULL)
115 {
116 MHD_gnutls_assert ();
117 return GNUTLS_E_NO_TEMPORARY_DH_PARAMS;
118 }
119
120 p = mpis[0];
121 g = mpis[1];
122
123 if ((ret = MHD_gtls_auth_info_set (session, MHD_GNUTLS_CRD_CERTIFICATE,
124 sizeof (cert_auth_info_st), 0)) < 0)
125 {
126 MHD_gnutls_assert ();
127 return ret;
128 }
129
130 MHD_gtls_dh_set_group (session, g, p);
131
132 ret = MHD_gtls_dh_common_print_server_kx (session, g, p, data, 0);
133 if (ret < 0)
134 {
135 MHD_gnutls_assert ();
136 return ret;
137 }
138 data_size = ret;
139
140 /* Generate the signature. */
141
142 ddata.data = *data;
143 ddata.size = data_size;
144
145 if (apr_cert_list_length > 0)
146 {
147 if ((ret =
148 MHD_gtls_tls_sign_params (session, &apr_cert_list[0],
149 apr_pkey, &ddata, &signature)) < 0)
150 {
151 MHD_gnutls_assert ();
152 MHD_gnutls_free (*data);
153 return ret;
154 }
155 }
156 else
157 {
158 MHD_gnutls_assert ();
159 return data_size; /* do not put a signature - ILLEGAL! */
160 }
161
162 *data = MHD_gtls_realloc_fast (*data, data_size + signature.size + 2);
163 if (*data == NULL)
164 {
165 MHD__gnutls_free_datum (&signature);
166 MHD_gnutls_assert ();
167 return GNUTLS_E_MEMORY_ERROR;
168 }
169
170 MHD_gtls_write_datum16 (&(*data)[data_size], signature);
171 data_size += signature.size + 2;
172
173 MHD__gnutls_free_datum (&signature);
174
175 return data_size;
176}
177
178static int
179proc_dhe_server_kx (MHD_gtls_session_t session, opaque * data,
180 size_t _data_size)
181{
182 int sigsize;
183 MHD_gnutls_datum_t vparams, signature;
184 int ret;
185 cert_auth_info_t info = MHD_gtls_get_auth_info (session);
186 ssize_t data_size = _data_size;
187 MHD_gnutls_cert peer_cert;
188
189 if (info == NULL || info->ncerts == 0)
190 {
191 MHD_gnutls_assert ();
192 /* we need this in order to get peer's certificate */
193 return GNUTLS_E_INTERNAL_ERROR;
194 }
195
196 ret = MHD_gtls_proc_dh_common_server_kx (session, data, _data_size, 0);
197 if (ret < 0)
198 {
199 MHD_gnutls_assert ();
200 return ret;
201 }
202
203 /* VERIFY SIGNATURE */
204
205 vparams.size = ret;
206 vparams.data = data;
207
208 DECR_LEN (data_size, 2);
209 sigsize = MHD_gtls_read_uint16 (&data[vparams.size]);
210
211 DECR_LEN (data_size, sigsize);
212 signature.data = &data[vparams.size + 2];
213 signature.size = sigsize;
214
215 if ((ret =
216 MHD_gtls_raw_cert_to_gcert (&peer_cert,
217 session->security_parameters.cert_type,
218 &info->raw_certificate_list[0],
219 CERT_NO_COPY)) < 0)
220 {
221 MHD_gnutls_assert ();
222 return ret;
223 }
224
225 ret =
226 MHD_gtls_verify_sig_params (session, &peer_cert, &vparams, &signature);
227
228 MHD_gtls_gcert_deinit (&peer_cert);
229 if (ret < 0)
230 {
231 MHD_gnutls_assert ();
232 return ret;
233 }
234
235 return ret;
236}
237
238
239
240static int
241proc_dhe_client_kx (MHD_gtls_session_t session, opaque * data,
242 size_t _data_size)
243{
244 MHD_gtls_cert_credentials_t cred;
245 int ret;
246 mpi_t p, g;
247 const mpi_t *mpis;
248 MHD_gtls_dh_params_t dh_params;
249
250 cred = (MHD_gtls_cert_credentials_t)
251 MHD_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
252 if (cred == NULL)
253 {
254 MHD_gnutls_assert ();
255 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
256 }
257
258 dh_params =
259 MHD_gtls_get_dh_params (cred->dh_params, cred->params_func, session);
260 mpis = MHD_gtls_dh_params_to_mpi (dh_params);
261 if (mpis == NULL)
262 {
263 MHD_gnutls_assert ();
264 return GNUTLS_E_NO_TEMPORARY_DH_PARAMS;
265 }
266
267 p = mpis[0];
268 g = mpis[1];
269
270 ret = MHD_gtls_proc_dh_common_client_kx (session, data, _data_size, g, p);
271
272 return ret;
273
274}
diff --git a/src/daemon/https/tls/auth_rsa.c b/src/daemon/https/tls/auth_rsa.c
deleted file mode 100644
index 9548a8f1..00000000
--- a/src/daemon/https/tls/auth_rsa.c
+++ /dev/null
@@ -1,415 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file contains the RSA key exchange part of the certificate
26 * authentication.
27 */
28
29#include "gnutls_int.h"
30#include "gnutls_auth_int.h"
31#include "gnutls_errors.h"
32#include "gnutls_dh.h"
33#include "gnutls_num.h"
34#include "gnutls_datum.h"
35#include "auth_cert.h"
36#include <gnutls_pk.h>
37#include <gnutls_algorithms.h>
38#include <gnutls_global.h>
39#include "debug.h"
40#include <gnutls_sig.h>
41#include <gnutls_x509.h>
42#include <gc.h>
43
44int MHD__gnutls_gen_rsa_client_kx (MHD_gtls_session_t, opaque **);
45int MHD__gnutls_proc_rsa_client_kx (MHD_gtls_session_t, opaque *, size_t);
46
47const MHD_gtls_mod_auth_st MHD_gtls_rsa_auth_struct = {
48 "RSA",
49 MHD_gtls_gen_cert_server_certificate,
50 MHD_gtls_gen_cert_client_certificate,
51 NULL, /* gen server kx */
52 MHD__gnutls_gen_rsa_client_kx,
53 MHD_gtls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */
54 MHD_gtls_gen_cert_server_cert_req, /* server cert request */
55
56 MHD_gtls_proc_cert_server_certificate,
57 MHD__gnutls_proc_cert_client_certificate,
58 NULL, /* proc server kx */
59 MHD__gnutls_proc_rsa_client_kx, /* proc client kx */
60 MHD_gtls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */
61 MHD_gtls_proc_cert_cert_req /* proc server cert request */
62};
63
64/* This function reads the RSA parameters from peer's certificate;
65 */
66int
67MHD__gnutls_get_public_rsa_params (MHD_gtls_session_t session,
68 mpi_t params[MAX_PUBLIC_PARAMS_SIZE],
69 int *params_len)
70{
71 int ret;
72 cert_auth_info_t info;
73 MHD_gnutls_cert peer_cert;
74 int i;
75
76 /* normal non export case */
77
78 info = MHD_gtls_get_auth_info (session);
79
80 if (info == NULL || info->ncerts == 0)
81 {
82 MHD_gnutls_assert ();
83 return GNUTLS_E_INTERNAL_ERROR;
84 }
85
86 ret =
87 MHD_gtls_raw_cert_to_gcert (&peer_cert,
88 session->security_parameters.cert_type,
89 &info->raw_certificate_list[0],
90 CERT_ONLY_PUBKEY | CERT_NO_COPY);
91
92 if (ret < 0)
93 {
94 MHD_gnutls_assert ();
95 return ret;
96 }
97
98
99 /* EXPORT case: */
100 if (MHD_gtls_cipher_suite_get_kx_algo
101 (&session->security_parameters.current_cipher_suite)
102 == MHD_GNUTLS_KX_RSA_EXPORT
103 && MHD__gnutls_mpi_get_nbits (peer_cert.params[0]) > 512)
104 {
105
106 MHD_gtls_gcert_deinit (&peer_cert);
107
108 if (session->key->rsa[0] == NULL || session->key->rsa[1] == NULL)
109 {
110 MHD_gnutls_assert ();
111 return GNUTLS_E_INTERNAL_ERROR;
112 }
113
114 if (*params_len < 2)
115 {
116 MHD_gnutls_assert ();
117 return GNUTLS_E_INTERNAL_ERROR;
118 }
119 *params_len = 2;
120 for (i = 0; i < *params_len; i++)
121 {
122 params[i] = MHD__gnutls_mpi_copy (session->key->rsa[i]);
123 }
124
125 return 0;
126 }
127
128 /* end of export case */
129
130 if (*params_len < peer_cert.params_size)
131 {
132 MHD_gnutls_assert ();
133 return GNUTLS_E_INTERNAL_ERROR;
134 }
135 *params_len = peer_cert.params_size;
136
137 for (i = 0; i < *params_len; i++)
138 {
139 params[i] = MHD__gnutls_mpi_copy (peer_cert.params[i]);
140 }
141 MHD_gtls_gcert_deinit (&peer_cert);
142
143 return 0;
144}
145
146/* This function reads the RSA parameters from the private key
147 */
148int
149MHD__gnutls_get_private_rsa_params (MHD_gtls_session_t session,
150 mpi_t ** params, int *params_size)
151{
152 int bits;
153 MHD_gtls_cert_credentials_t cred;
154 MHD_gtls_rsa_params_t rsa_params;
155
156 cred = (MHD_gtls_cert_credentials_t)
157 MHD_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
158 if (cred == NULL)
159 {
160 MHD_gnutls_assert ();
161 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
162 }
163
164 if (session->internals.selected_cert_list == NULL)
165 {
166 MHD_gnutls_assert ();
167 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
168 }
169
170 bits =
171 MHD__gnutls_mpi_get_nbits (session->internals.selected_cert_list[0].
172 params[0]);
173
174 if (MHD_gtls_cipher_suite_get_kx_algo
175 (&session->security_parameters.current_cipher_suite)
176 == MHD_GNUTLS_KX_RSA_EXPORT && bits > 512)
177 {
178
179 rsa_params =
180 MHD_gtls_certificate_get_rsa_params (cred->rsa_params,
181 cred->params_func, session);
182 /* EXPORT case: */
183 if (rsa_params == NULL)
184 {
185 MHD_gnutls_assert ();
186 return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS;
187 }
188
189 /* In the export case, we do use temporary RSA params
190 * of 512 bits size. The params in the certificate are
191 * used to sign this temporary stuff.
192 */
193 *params_size = RSA_PRIVATE_PARAMS;
194 *params = rsa_params->params;
195
196 return 0;
197 }
198
199 /* non export cipher suites. */
200
201 *params_size = session->internals.selected_key->params_size;
202 *params = session->internals.selected_key->params;
203
204 return 0;
205}
206
207int
208MHD__gnutls_proc_rsa_client_kx (MHD_gtls_session_t session, opaque * data,
209 size_t _data_size)
210{
211 MHD_gnutls_datum_t plaintext;
212 MHD_gnutls_datum_t ciphertext;
213 int ret, dsize;
214 mpi_t *params;
215 int params_len;
216 int randomize_key = 0;
217 ssize_t data_size = _data_size;
218
219 if (MHD__gnutls_protocol_get_version (session) == MHD_GNUTLS_PROTOCOL_SSL3)
220 {
221 /* SSL 3.0
222 */
223 ciphertext.data = data;
224 ciphertext.size = data_size;
225 }
226 else
227 {
228 /* TLS 1.0
229 */
230 DECR_LEN (data_size, 2);
231 ciphertext.data = &data[2];
232 dsize = MHD_gtls_read_uint16 (data);
233
234 if (dsize != data_size)
235 {
236 MHD_gnutls_assert ();
237 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
238 }
239 ciphertext.size = dsize;
240 }
241
242 ret = MHD__gnutls_get_private_rsa_params (session, &params, &params_len);
243 if (ret < 0)
244 {
245 MHD_gnutls_assert ();
246 return ret;
247 }
248
249 ret = MHD_gtls_pkcs1_rsa_decrypt (&plaintext, &ciphertext, params, params_len, 2); /* btype==2 */
250
251 if (ret < 0 || plaintext.size != TLS_MASTER_SIZE)
252 {
253 /* In case decryption fails then don't inform
254 * the peer. Just use a random key. (in order to avoid
255 * attack against pkcs-1 formating).
256 */
257 MHD_gnutls_assert ();
258 MHD__gnutls_x509_log ("auth_rsa: Possible PKCS #1 format attack\n");
259 randomize_key = 1;
260 }
261 else
262 {
263 /* If the secret was properly formatted, then
264 * check the version number.
265 */
266 if (MHD__gnutls_get_adv_version_major (session) != plaintext.data[0]
267 || MHD__gnutls_get_adv_version_minor (session) != plaintext.data[1])
268 {
269 /* No error is returned here, if the version number check
270 * fails. We proceed normally.
271 * That is to defend against the attack described in the paper
272 * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
273 * Ondej Pokorny and Tomas Rosa.
274 */
275 MHD_gnutls_assert ();
276 MHD__gnutls_x509_log
277 ("auth_rsa: Possible PKCS #1 version check format attack\n");
278 }
279 }
280
281 if (randomize_key != 0)
282 {
283 session->key->key.size = TLS_MASTER_SIZE;
284 session->key->key.data = MHD_gnutls_malloc (session->key->key.size);
285 if (session->key->key.data == NULL)
286 {
287 MHD_gnutls_assert ();
288 return GNUTLS_E_MEMORY_ERROR;
289 }
290
291 /* we do not need strong random numbers here.
292 */
293 if (MHD_gc_nonce
294 ((char *) session->key->key.data, session->key->key.size) != GC_OK)
295 {
296 MHD_gnutls_assert ();
297 return GNUTLS_E_RANDOM_FAILED;
298 }
299
300 }
301 else
302 {
303 session->key->key.data = plaintext.data;
304 session->key->key.size = plaintext.size;
305 }
306
307 /* This is here to avoid the version check attack
308 * discussed above.
309 */
310 session->key->key.data[0] = MHD__gnutls_get_adv_version_major (session);
311 session->key->key.data[1] = MHD__gnutls_get_adv_version_minor (session);
312
313 return 0;
314}
315
316
317
318/* return RSA(random) using the peers public key
319 */
320int
321MHD__gnutls_gen_rsa_client_kx (MHD_gtls_session_t session, opaque ** data)
322{
323 cert_auth_info_t auth;
324 MHD_gnutls_datum_t sdata; /* data to send */
325 mpi_t params[MAX_PUBLIC_PARAMS_SIZE];
326 int params_len = MAX_PUBLIC_PARAMS_SIZE;
327 int ret, i;
328 enum MHD_GNUTLS_Protocol ver;
329
330 if (session->key == NULL)
331 {
332 MHD_gnutls_assert ();
333 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
334 }
335
336 auth = session->key->auth_info;
337 if (auth == NULL)
338 {
339 /* this shouldn't have happened. The proc_certificate
340 * function should have detected that.
341 */
342 MHD_gnutls_assert ();
343 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
344 }
345
346 session->key->key.size = TLS_MASTER_SIZE;
347 session->key->key.data = MHD_gnutls_secure_malloc (session->key->key.size);
348
349 if (session->key->key.data == NULL)
350 {
351 MHD_gnutls_assert ();
352 return GNUTLS_E_MEMORY_ERROR;
353 }
354
355 if (MHD_gc_pseudo_random ((char *) session->key->key.data,
356 session->key->key.size) != GC_OK)
357 {
358 MHD_gnutls_assert ();
359 return GNUTLS_E_RANDOM_FAILED;
360 }
361
362 ver = MHD_gtls_get_adv_version (session);
363
364 if (session->internals.rsa_pms_version[0] == 0)
365 {
366 session->key->key.data[0] = MHD_gtls_version_get_major (ver);
367 session->key->key.data[1] = MHD_gtls_version_get_minor (ver);
368 }
369 else
370 { /* use the version provided */
371 session->key->key.data[0] = session->internals.rsa_pms_version[0];
372 session->key->key.data[1] = session->internals.rsa_pms_version[1];
373 }
374
375 /* move RSA parameters to key (session).
376 */
377 if ((ret =
378 MHD__gnutls_get_public_rsa_params (session, params, &params_len)) < 0)
379 {
380 MHD_gnutls_assert ();
381 return ret;
382 }
383
384 if ((ret =
385 MHD_gtls_pkcs1_rsa_encrypt (&sdata, &session->key->key,
386 params, params_len, 2)) < 0)
387 {
388 MHD_gnutls_assert ();
389 return ret;
390 }
391
392 for (i = 0; i < params_len; i++)
393 MHD_gtls_mpi_release (&params[i]);
394
395 if (MHD__gnutls_protocol_get_version (session) == MHD_GNUTLS_PROTOCOL_SSL3)
396 {
397 /* SSL 3.0 */
398 *data = sdata.data;
399 return sdata.size;
400 }
401 else
402 { /* TLS 1 */
403 *data = MHD_gnutls_malloc (sdata.size + 2);
404 if (*data == NULL)
405 {
406 MHD__gnutls_free_datum (&sdata);
407 return GNUTLS_E_MEMORY_ERROR;
408 }
409 MHD_gtls_write_datum16 (*data, sdata);
410 ret = sdata.size + 2;
411 MHD__gnutls_free_datum (&sdata);
412 return ret;
413 }
414
415}
diff --git a/src/daemon/https/tls/auth_rsa_export.c b/src/daemon/https/tls/auth_rsa_export.c
deleted file mode 100644
index 575a2b72..00000000
--- a/src/daemon/https/tls/auth_rsa_export.c
+++ /dev/null
@@ -1,323 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file contains the RSA key exchange part of the certificate
26 * authentication.
27 */
28
29#include "gnutls_int.h"
30#include "gnutls_auth_int.h"
31#include "gnutls_errors.h"
32#include "gnutls_dh.h"
33#include "gnutls_num.h"
34#include "gnutls_datum.h"
35#include "auth_cert.h"
36#include <gnutls_pk.h>
37#include <gnutls_algorithms.h>
38#include <gnutls_global.h>
39#include "debug.h"
40#include <gnutls_sig.h>
41#include <gnutls_x509.h>
42#include <gnutls_rsa_export.h>
43#include <gnutls_state.h>
44
45int MHD__gnutls_gen_rsa_client_kx (MHD_gtls_session_t, opaque **);
46int MHD__gnutls_proc_rsa_client_kx (MHD_gtls_session_t, opaque *, size_t);
47static int gen_rsa_export_server_kx (MHD_gtls_session_t, opaque **);
48static int proc_rsa_export_server_kx (MHD_gtls_session_t, opaque *, size_t);
49
50const MHD_gtls_mod_auth_st MHD_rsa_export_auth_struct = {
51 "RSA EXPORT",
52 MHD_gtls_gen_cert_server_certificate,
53 MHD_gtls_gen_cert_client_certificate,
54 gen_rsa_export_server_kx,
55 MHD__gnutls_gen_rsa_client_kx,
56 MHD_gtls_gen_cert_client_cert_vrfy, /* gen client cert vrfy */
57 MHD_gtls_gen_cert_server_cert_req, /* server cert request */
58
59 MHD_gtls_proc_cert_server_certificate,
60 MHD__gnutls_proc_cert_client_certificate,
61 proc_rsa_export_server_kx,
62 MHD__gnutls_proc_rsa_client_kx, /* proc client kx */
63 MHD_gtls_proc_cert_client_cert_vrfy, /* proc client cert vrfy */
64 MHD_gtls_proc_cert_cert_req /* proc server cert request */
65};
66
67static int
68gen_rsa_export_server_kx (MHD_gtls_session_t session, opaque ** data)
69{
70 MHD_gtls_rsa_params_t rsa_params;
71 const mpi_t *rsa_mpis;
72 size_t n_e, n_m;
73 uint8_t *data_e, *data_m;
74 int ret = 0, data_size;
75 MHD_gnutls_cert *apr_cert_list;
76 MHD_gnutls_privkey *apr_pkey;
77 int apr_cert_list_length;
78 MHD_gnutls_datum_t signature, ddata;
79 MHD_gtls_cert_credentials_t cred;
80
81 cred = (MHD_gtls_cert_credentials_t)
82 MHD_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
83 if (cred == NULL)
84 {
85 MHD_gnutls_assert ();
86 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
87 }
88
89 /* find the appropriate certificate */
90 if ((ret =
91 MHD_gtls_get_selected_cert (session, &apr_cert_list,
92 &apr_cert_list_length, &apr_pkey)) < 0)
93 {
94 MHD_gnutls_assert ();
95 return ret;
96 }
97
98 /* abort sending this message if we have a certificate
99 * of 512 bits or less.
100 */
101 if (apr_pkey && MHD__gnutls_mpi_get_nbits (apr_pkey->params[0]) <= 512)
102 {
103 MHD_gnutls_assert ();
104 return GNUTLS_E_INT_RET_0;
105 }
106
107 rsa_params =
108 MHD_gtls_certificate_get_rsa_params (cred->rsa_params, cred->params_func,
109 session);
110 rsa_mpis = MHD__gnutls_rsa_params_to_mpi (rsa_params);
111 if (rsa_mpis == NULL)
112 {
113 MHD_gnutls_assert ();
114 return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS;
115 }
116
117 if ((ret = MHD_gtls_auth_info_set (session, MHD_GNUTLS_CRD_CERTIFICATE,
118 sizeof (cert_auth_info_st), 0)) < 0)
119 {
120 MHD_gnutls_assert ();
121 return ret;
122 }
123
124 MHD_gtls_rsa_export_set_pubkey (session, rsa_mpis[1], rsa_mpis[0]);
125
126 MHD_gtls_mpi_print (NULL, &n_m, rsa_mpis[0]);
127 MHD_gtls_mpi_print (NULL, &n_e, rsa_mpis[1]);
128
129 (*data) = MHD_gnutls_malloc (n_e + n_m + 4);
130 if (*data == NULL)
131 {
132 return GNUTLS_E_MEMORY_ERROR;
133 }
134
135 data_m = &(*data)[0];
136 MHD_gtls_mpi_print (&data_m[2], &n_m, rsa_mpis[0]);
137
138 MHD_gtls_write_uint16 (n_m, data_m);
139
140 data_e = &data_m[2 + n_m];
141 MHD_gtls_mpi_print (&data_e[2], &n_e, rsa_mpis[1]);
142
143 MHD_gtls_write_uint16 (n_e, data_e);
144
145 data_size = n_m + n_e + 4;
146
147
148 /* Generate the signature. */
149
150 ddata.data = *data;
151 ddata.size = data_size;
152
153 if (apr_cert_list_length > 0)
154 {
155 if ((ret =
156 MHD_gtls_tls_sign_params (session, &apr_cert_list[0],
157 apr_pkey, &ddata, &signature)) < 0)
158 {
159 MHD_gnutls_assert ();
160 MHD_gnutls_free (*data);
161 *data = NULL;
162 return ret;
163 }
164 }
165 else
166 {
167 MHD_gnutls_assert ();
168 return data_size; /* do not put a signature - ILLEGAL! */
169 }
170
171 *data = MHD_gtls_realloc_fast (*data, data_size + signature.size + 2);
172 if (*data == NULL)
173 {
174 MHD__gnutls_free_datum (&signature);
175 MHD_gnutls_assert ();
176 return GNUTLS_E_MEMORY_ERROR;
177 }
178
179 MHD_gtls_write_datum16 (&((*data)[data_size]), signature);
180 data_size += signature.size + 2;
181
182 MHD__gnutls_free_datum (&signature);
183
184 return data_size;
185}
186
187/* if the peer's certificate is of 512 bits or less, returns non zero.
188 */
189int
190MHD__gnutls_peers_cert_less_512 (MHD_gtls_session_t session)
191{
192 MHD_gnutls_cert peer_cert;
193 int ret;
194 cert_auth_info_t info = MHD_gtls_get_auth_info (session);
195
196 if (info == NULL || info->ncerts == 0)
197 {
198 MHD_gnutls_assert ();
199 /* we need this in order to get peer's certificate */
200 return 0;
201 }
202
203 if ((ret =
204 MHD_gtls_raw_cert_to_gcert (&peer_cert,
205 session->security_parameters.cert_type,
206 &info->raw_certificate_list[0],
207 CERT_NO_COPY)) < 0)
208 {
209 MHD_gnutls_assert ();
210 return 0;
211 }
212
213 if (peer_cert.subject_pk_algorithm != MHD_GNUTLS_PK_RSA)
214 {
215 MHD_gnutls_assert ();
216 MHD_gtls_gcert_deinit (&peer_cert);
217 return 0;
218 }
219
220 if (MHD__gnutls_mpi_get_nbits (peer_cert.params[0]) <= 512)
221 {
222 MHD_gtls_gcert_deinit (&peer_cert);
223 return 1;
224 }
225
226 MHD_gtls_gcert_deinit (&peer_cert);
227
228 return 0;
229}
230
231static int
232proc_rsa_export_server_kx (MHD_gtls_session_t session,
233 opaque * data, size_t _data_size)
234{
235 uint16_t n_m, n_e;
236 size_t _n_m, _n_e;
237 uint8_t *data_m;
238 uint8_t *data_e;
239 int i, sigsize;
240 MHD_gnutls_datum_t vparams, signature;
241 int ret;
242 ssize_t data_size = _data_size;
243 cert_auth_info_t info;
244 MHD_gnutls_cert peer_cert;
245
246 info = MHD_gtls_get_auth_info (session);
247 if (info == NULL || info->ncerts == 0)
248 {
249 MHD_gnutls_assert ();
250 /* we need this in order to get peer's certificate */
251 return GNUTLS_E_INTERNAL_ERROR;
252 }
253
254
255 i = 0;
256
257 DECR_LEN (data_size, 2);
258 n_m = MHD_gtls_read_uint16 (&data[i]);
259 i += 2;
260
261 DECR_LEN (data_size, n_m);
262 data_m = &data[i];
263 i += n_m;
264
265 DECR_LEN (data_size, 2);
266 n_e = MHD_gtls_read_uint16 (&data[i]);
267 i += 2;
268
269 DECR_LEN (data_size, n_e);
270 data_e = &data[i];
271 i += n_e;
272
273 _n_e = n_e;
274 _n_m = n_m;
275
276 if (MHD_gtls_mpi_scan_nz (&session->key->rsa[0], data_m, &_n_m) != 0)
277 {
278 MHD_gnutls_assert ();
279 return GNUTLS_E_MPI_SCAN_FAILED;
280 }
281
282 if (MHD_gtls_mpi_scan_nz (&session->key->rsa[1], data_e, &_n_e) != 0)
283 {
284 MHD_gnutls_assert ();
285 return GNUTLS_E_MPI_SCAN_FAILED;
286 }
287
288 MHD_gtls_rsa_export_set_pubkey (session, session->key->rsa[1],
289 session->key->rsa[0]);
290
291 /* VERIFY SIGNATURE */
292
293 vparams.size = n_m + n_e + 4;
294 vparams.data = data;
295
296 DECR_LEN (data_size, 2);
297 sigsize = MHD_gtls_read_uint16 (&data[vparams.size]);
298
299 DECR_LEN (data_size, sigsize);
300 signature.data = &data[vparams.size + 2];
301 signature.size = sigsize;
302
303 if ((ret =
304 MHD_gtls_raw_cert_to_gcert (&peer_cert,
305 session->security_parameters.cert_type,
306 &info->raw_certificate_list[0],
307 CERT_NO_COPY)) < 0)
308 {
309 MHD_gnutls_assert ();
310 return ret;
311 }
312
313 ret =
314 MHD_gtls_verify_sig_params (session, &peer_cert, &vparams, &signature);
315
316 MHD_gtls_gcert_deinit (&peer_cert);
317 if (ret < 0)
318 {
319 MHD_gnutls_assert ();
320 }
321
322 return ret;
323}
diff --git a/src/daemon/https/tls/debug.c b/src/daemon/https/tls/debug.c
deleted file mode 100644
index e7e41d0b..00000000
--- a/src/daemon/https/tls/debug.c
+++ /dev/null
@@ -1,95 +0,0 @@
1/*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include "gnutls_int.h"
26#include "gnutls_errors.h"
27#include <stdio.h>
28#include <stdlib.h>
29#include <gcrypt.h>
30
31const char *
32MHD__gnutls_packet2str (content_type_t packet)
33{
34 switch (packet)
35 {
36 case GNUTLS_CHANGE_CIPHER_SPEC:
37 return "Change Cipher Spec";
38 case GNUTLS_ALERT:
39 return "Alert";
40 case GNUTLS_HANDSHAKE:
41 return "Handshake";
42 case GNUTLS_APPLICATION_DATA:
43 return "Application Data";
44 case GNUTLS_INNER_APPLICATION:
45 return "Inner Application";
46
47 default:
48 return "Unknown Packet";
49 }
50}
51
52const char *
53MHD__gnutls_handshake2str (MHD_gnutls_handshake_description_t handshake)
54{
55
56 switch (handshake)
57 {
58 case GNUTLS_HANDSHAKE_HELLO_REQUEST:
59 return "HELLO REQUEST";
60 break;
61 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
62 return "CLIENT HELLO";
63 break;
64 case GNUTLS_HANDSHAKE_SERVER_HELLO:
65 return "SERVER HELLO";
66 break;
67 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
68 return "CERTIFICATE";
69 break;
70 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
71 return "SERVER KEY EXCHANGE";
72 break;
73 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
74 return "CERTIFICATE REQUEST";
75 break;
76 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
77 return "SERVER HELLO DONE";
78 break;
79 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
80 return "CERTIFICATE VERIFY";
81 break;
82 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
83 return "CLIENT KEY EXCHANGE";
84 break;
85 case GNUTLS_HANDSHAKE_FINISHED:
86 return "FINISHED";
87 break;
88 case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
89 return "SUPPLEMENTAL";
90 break;
91 default:
92 return "Unknown Handshake packet";
93
94 }
95}
diff --git a/src/daemon/https/tls/debug.h b/src/daemon/https/tls/debug.h
deleted file mode 100644
index ba1f1006..00000000
--- a/src/daemon/https/tls/debug.h
+++ /dev/null
@@ -1,27 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25const char *MHD__gnutls_packet2str (content_type_t packet);
26const char *MHD__gnutls_handshake2str (MHD_gnutls_handshake_description_t
27 handshake);
diff --git a/src/daemon/https/tls/defines.h b/src/daemon/https/tls/defines.h
deleted file mode 100644
index 9a636360..00000000
--- a/src/daemon/https/tls/defines.h
+++ /dev/null
@@ -1,66 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef DEFINES_H
26# define DEFINES_H
27
28#ifdef HAVE_CONFIG_H
29# include "MHD_config.h"
30#endif
31
32#include <stddef.h>
33#include <string.h>
34#include <stdlib.h>
35#include <stdio.h>
36#include <ctype.h>
37#include <limits.h>
38#include <stdint.h>
39
40#ifdef NO_SSIZE_T
41# define HAVE_SSIZE_T
42typedef int ssize_t;
43#endif
44
45#include <sys/types.h>
46#include <unistd.h>
47#include <sys/stat.h>
48#ifndef MINGW
49#include <sys/socket.h>
50#endif
51#include <time.h>
52
53/* TODO check if these should go into config.h */
54#define SIZEOF_UNSIGNED_INT 4
55#define SIZEOF_UNSIGNED_LONG 8
56#define SIZEOF_UNSIGNED_LONG_INT SIZEOF_UNSIGNED_LONG
57
58/* some systems had problems with long long int, thus,
59 * it is not used.
60 */
61typedef struct
62{
63 unsigned char i[8];
64} uint64;
65
66#endif /* defines_h */
diff --git a/src/daemon/https/tls/ext_cert_type.c b/src/daemon/https/tls/ext_cert_type.c
deleted file mode 100644
index 1e7966f4..00000000
--- a/src/daemon/https/tls/ext_cert_type.c
+++ /dev/null
@@ -1,246 +0,0 @@
1/*
2 * Copyright (C) 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file contains the code the Certificate Type TLS extension.
26 * This extension is currently gnutls specific.
27 */
28
29#include "gnutls_int.h"
30#include "gnutls_errors.h"
31#include "gnutls_num.h"
32#include "ext_cert_type.h"
33#include "gnutls_state.h"
34#include "gnutls_num.h"
35
36inline static int MHD__gnutls_num2cert_type (int num);
37inline static int MHD__gnutls_cert_type2num (int record_size);
38
39/*
40 * In case of a server: if a CERT_TYPE extension type is received then it stores
41 * into the session security parameters the new value. The server may use MHD_gnutls_session_certificate_type_get(),
42 * to access it.
43 *
44 * In case of a client: If a cert_types have been specified then we send the extension.
45 *
46 */
47
48int
49MHD_gtls_cert_type_recv_params (MHD_gtls_session_t session,
50 const opaque * data, size_t _data_size)
51{
52 int new_type = -1, ret, i;
53 ssize_t data_size = _data_size;
54
55#if MHD_DEBUG_TLS
56 if (session->security_parameters.entity == GNUTLS_CLIENT)
57 {
58 if (data_size > 0)
59 {
60 if (data_size != 1)
61 {
62 MHD_gnutls_assert ();
63 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
64 }
65
66 new_type = MHD__gnutls_num2cert_type (data[0]);
67
68 if (new_type < 0)
69 {
70 MHD_gnutls_assert ();
71 return new_type;
72 }
73
74 /* Check if we support this cert_type */
75 if ((ret =
76 MHD_gtls_session_cert_type_supported (session, new_type)) < 0)
77 {
78 MHD_gnutls_assert ();
79 return ret;
80 }
81
82 MHD__gnutls_session_cert_type_set (session, new_type);
83 }
84 }
85 else
86#endif
87
88 { /* SERVER SIDE - we must check if the sent cert type is the right one
89 */
90 if (data_size > 1)
91 {
92 uint8_t len;
93
94 len = data[0];
95 DECR_LEN (data_size, len);
96
97 for (i = 0; i < len; i++)
98 {
99 new_type = MHD__gnutls_num2cert_type (data[i + 1]);
100
101 if (new_type < 0)
102 continue;
103
104 /* Check if we support this cert_type */
105 if ((ret =
106 MHD_gtls_session_cert_type_supported (session,
107 new_type)) < 0)
108 {
109 MHD_gnutls_assert ();
110 continue;
111 }
112 else
113 break;
114 /* new_type is ok */
115 }
116
117 if (new_type < 0)
118 {
119 MHD_gnutls_assert ();
120 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
121 }
122
123 if ((ret =
124 MHD_gtls_session_cert_type_supported (session, new_type)) < 0)
125 {
126 MHD_gnutls_assert ();
127 /* The peer has requested unsupported certificate
128 * types. Instead of failing, procceed normally.
129 * (the ciphersuite selection would fail, or a
130 * non certificate ciphersuite will be selected).
131 */
132 return 0;
133 }
134
135 MHD__gnutls_session_cert_type_set (session, new_type);
136 }
137
138
139 }
140
141 return 0;
142}
143
144/* returns data_size or a negative number on failure
145 */
146int
147MHD_gtls_cert_type_send_params (MHD_gtls_session_t session, opaque * data,
148 size_t data_size)
149{
150 unsigned int len;
151
152 /* this function sends the client extension data (dnsname) */
153#if MHD_DEBUG_TLS
154 unsigned int i;
155 if (session->security_parameters.entity == GNUTLS_CLIENT)
156 {
157
158 if (session->internals.priorities.cert_type.num_algorithms > 0)
159 {
160
161 len = session->internals.priorities.cert_type.num_algorithms;
162
163 if (len == 1 &&
164 session->internals.priorities.cert_type.priority[0] ==
165 MHD_GNUTLS_CRT_X509)
166 {
167 /* We don't use this extension if X.509 certificates
168 * are used.
169 */
170 return 0;
171 }
172
173 if (data_size < len + 1)
174 {
175 MHD_gnutls_assert ();
176 return GNUTLS_E_SHORT_MEMORY_BUFFER;
177 }
178
179 /* this is a vector!
180 */
181 data[0] = (uint8_t) len;
182
183 for (i = 0; i < len; i++)
184 {
185 data[i + 1] =
186 MHD__gnutls_cert_type2num (session->internals.
187 priorities.cert_type.priority[i]);
188 }
189 return len + 1;
190 }
191
192 }
193 else
194#endif
195 { /* server side */
196 if (session->security_parameters.cert_type != DEFAULT_CERT_TYPE)
197 {
198 len = 1;
199 if (data_size < len)
200 {
201 MHD_gnutls_assert ();
202 return GNUTLS_E_SHORT_MEMORY_BUFFER;
203 }
204
205 data[0] =
206 MHD__gnutls_cert_type2num (session->
207 security_parameters.cert_type);
208 return len;
209 }
210
211
212 }
213
214 return 0;
215}
216
217/* Maps numbers to record sizes according to the
218 * extensions draft.
219 */
220inline static int
221MHD__gnutls_num2cert_type (int num)
222{
223 switch (num)
224 {
225 case 0:
226 return MHD_GNUTLS_CRT_X509;
227 default:
228 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
229 }
230}
231
232/* Maps record size to numbers according to the
233 * extensions draft.
234 */
235inline static int
236MHD__gnutls_cert_type2num (int cert_type)
237{
238 switch (cert_type)
239 {
240 case MHD_GNUTLS_CRT_X509:
241 return 0;
242 default:
243 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
244 }
245
246}
diff --git a/src/daemon/https/tls/ext_cert_type.h b/src/daemon/https/tls/ext_cert_type.h
deleted file mode 100644
index f80f7ba8..00000000
--- a/src/daemon/https/tls/ext_cert_type.h
+++ /dev/null
@@ -1,31 +0,0 @@
1/*
2 * Copyright (C) 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* Maps record size to numbers according to the
26 * extensions draft.
27 */
28int MHD_gtls_cert_type_recv_params (MHD_gtls_session_t session,
29 const opaque * data, size_t data_size);
30int MHD_gtls_cert_type_send_params (MHD_gtls_session_t session, opaque * data,
31 size_t);
diff --git a/src/daemon/https/tls/ext_max_record.c b/src/daemon/https/tls/ext_max_record.c
deleted file mode 100644
index 421a1739..00000000
--- a/src/daemon/https/tls/ext_max_record.c
+++ /dev/null
@@ -1,198 +0,0 @@
1/*
2 * Copyright (C) 2001, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file contains the code for the Max Record Size TLS extension.
26 */
27
28#include "gnutls_int.h"
29#include "gnutls_errors.h"
30#include "gnutls_num.h"
31#include <ext_max_record.h>
32
33/*
34 * In case of a server: if a MAX_RECORD_SIZE extension type is received then it stores
35 * into the session the new value. The server may use MHD_gnutls_get_max_record_size(),
36 * in order to access it.
37 *
38 * In case of a client: If a different max record size (than the default) has
39 * been specified then it sends the extension.
40 *
41 */
42
43int
44MHD_gtls_max_record_recv_params (MHD_gtls_session_t session,
45 const opaque * data, size_t _data_size)
46{
47 ssize_t new_size;
48 ssize_t data_size = _data_size;
49
50 if (session->security_parameters.entity == GNUTLS_SERVER)
51 {
52 if (data_size > 0)
53 {
54 DECR_LEN (data_size, 1);
55
56 new_size = MHD_gtls_mre_num2record (data[0]);
57
58 if (new_size < 0)
59 {
60 MHD_gnutls_assert ();
61 return new_size;
62 }
63
64 session->security_parameters.max_record_send_size = new_size;
65 session->security_parameters.max_record_recv_size = new_size;
66 }
67 }
68 else
69 { /* CLIENT SIDE - we must check if the sent record size is the right one
70 */
71 if (data_size > 0)
72 {
73
74 if (data_size != 1)
75 {
76 MHD_gnutls_assert ();
77 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
78 }
79
80 new_size = MHD_gtls_mre_num2record (data[0]);
81
82 if (new_size < 0
83 || new_size != session->internals.proposed_record_size)
84 {
85 MHD_gnutls_assert ();
86 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
87 }
88 else
89 {
90 session->security_parameters.max_record_recv_size =
91 session->internals.proposed_record_size;
92 }
93
94 }
95
96
97 }
98
99 return 0;
100}
101
102/* returns data_size or a negative number on failure
103 */
104int
105MHD_gtls_max_record_send_params (MHD_gtls_session_t session, opaque * data,
106 size_t data_size)
107{
108 uint16_t len;
109 /* this function sends the client extension data (dnsname) */
110#if MHD_DEBUG_TLS
111 if (session->security_parameters.entity == GNUTLS_CLIENT)
112 {
113
114 if (session->internals.proposed_record_size != DEFAULT_MAX_RECORD_SIZE)
115 {
116 len = 1;
117 if (data_size < len)
118 {
119 MHD_gnutls_assert ();
120 return GNUTLS_E_SHORT_MEMORY_BUFFER;
121 }
122
123 data[0] =
124 (uint8_t) MHD_gtls_mre_record2num (session->internals.
125 proposed_record_size);
126 return len;
127 }
128
129 }
130 else
131#endif
132 { /* server side */
133
134 if (session->security_parameters.max_record_recv_size !=
135 DEFAULT_MAX_RECORD_SIZE)
136 {
137 len = 1;
138 if (data_size < len)
139 {
140 MHD_gnutls_assert ();
141 return GNUTLS_E_SHORT_MEMORY_BUFFER;
142 }
143
144 data[0] =
145 (uint8_t)
146 MHD_gtls_mre_record2num
147 (session->security_parameters.max_record_recv_size);
148 return len;
149 }
150
151
152 }
153
154 return 0;
155}
156
157/* Maps numbers to record sizes according to the
158 * extensions draft.
159 */
160int
161MHD_gtls_mre_num2record (int num)
162{
163 switch (num)
164 {
165 case 1:
166 return 512;
167 case 2:
168 return 1024;
169 case 3:
170 return 2048;
171 case 4:
172 return 4096;
173 default:
174 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
175 }
176}
177
178/* Maps record size to numbers according to the
179 * extensions draft.
180 */
181int
182MHD_gtls_mre_record2num (uint16_t record_size)
183{
184 switch (record_size)
185 {
186 case 512:
187 return 1;
188 case 1024:
189 return 2;
190 case 2048:
191 return 3;
192 case 4096:
193 return 4;
194 default:
195 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
196 }
197
198}
diff --git a/src/daemon/https/tls/ext_max_record.h b/src/daemon/https/tls/ext_max_record.h
deleted file mode 100644
index 14686253..00000000
--- a/src/daemon/https/tls/ext_max_record.h
+++ /dev/null
@@ -1,33 +0,0 @@
1/*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* Maps record size to numbers according to the
26 * extensions draft.
27 */
28int MHD_gtls_mre_num2record (int num);
29int MHD_gtls_mre_record2num (uint16_t record_size);
30int MHD_gtls_max_record_recv_params (MHD_gtls_session_t session,
31 const opaque * data, size_t data_size);
32int MHD_gtls_max_record_send_params (MHD_gtls_session_t session,
33 opaque * data, size_t);
diff --git a/src/daemon/https/tls/ext_server_name.c b/src/daemon/https/tls/ext_server_name.c
deleted file mode 100644
index 911bd530..00000000
--- a/src/daemon/https/tls/ext_server_name.c
+++ /dev/null
@@ -1,223 +0,0 @@
1/*
2 * Copyright (C) 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include "gnutls_int.h"
26#include "gnutls_auth_int.h"
27#include "gnutls_errors.h"
28#include "gnutls_num.h"
29#include <ext_server_name.h>
30
31/*
32 * In case of a server: if a NAME_DNS extension type is received then it stores
33 * into the session the value of NAME_DNS. The server may use MHD_gnutls_ext_get_server_name(),
34 * in order to access it.
35 *
36 * In case of a client: If a proper NAME_DNS extension type is found in the session then
37 * it sends the extension to the peer.
38 *
39 */
40
41int
42MHD_gtls_server_name_recv_params (MHD_gtls_session_t session,
43 const opaque * data, size_t _data_size)
44{
45 int i;
46 const unsigned char *p;
47 uint16_t len, type;
48 ssize_t data_size = _data_size;
49 int server_names = 0;
50
51 DECR_LENGTH_RET (data_size, 2, 0);
52 len = MHD_gtls_read_uint16 (data);
53
54 if (len != data_size)
55 {
56 /* This is unexpected packet length, but
57 * just ignore it, for now.
58 */
59 MHD_gnutls_assert ();
60 return 0;
61 }
62
63 p = data + 2;
64
65 /* Count all server_names in the packet. */
66 while (data_size > 0)
67 {
68 DECR_LENGTH_RET (data_size, 1, 0);
69 p++;
70
71 DECR_LEN (data_size, 2);
72 len = MHD_gtls_read_uint16 (p);
73 p += 2;
74
75 /* make sure supplied server name is not empty */
76 if (len > 0)
77 {
78 DECR_LENGTH_RET (data_size, len, 0);
79 server_names++;
80 p += len;
81 }
82 else
83 {
84#if HAVE_MESSAGES
85 MHD__gnutls_handshake_log
86 ("HSK[%x]: Received zero size server name (under attack?)\n",
87 session);
88#endif
89 }
90 }
91
92 /* we cannot accept more server names. */
93 if (server_names > MAX_SERVER_NAME_EXTENSIONS)
94 {
95#if HAVE_MESSAGES
96 MHD__gnutls_handshake_log
97 ("HSK[%x]: Too many server names received (under attack?)\n",
98 session);
99#endif
100 server_names = MAX_SERVER_NAME_EXTENSIONS;
101 }
102
103 session->security_parameters.extensions.server_names_size = server_names;
104 if (server_names == 0)
105 return 0; /* no names found */
106
107 p = data + 2;
108 for (i = 0; i < server_names; i++)
109 {
110 type = *p;
111 p++;
112
113 len = MHD_gtls_read_uint16 (p);
114 p += 2;
115
116 switch (type)
117 {
118 case 0: /* NAME_DNS */
119 if (len <= MAX_SERVER_NAME_SIZE)
120 {
121 memcpy (session->security_parameters.extensions.
122 server_names[i].name, p, len);
123 session->security_parameters.extensions.server_names[i].
124 name_length = len;
125 session->security_parameters.extensions.server_names[i].type =
126 GNUTLS_NAME_DNS;
127 break;
128 }
129 }
130
131 /* move to next record */
132 p += len;
133 }
134 return 0;
135}
136
137/* returns data_size or a negative number on failure
138 */
139int
140MHD_gtls_server_name_send_params (MHD_gtls_session_t session,
141 opaque * data, size_t _data_size)
142{
143 int total_size = 0;
144#if MHD_DEBUG_TLS
145 uint16_t len;
146 opaque *p;
147 unsigned i;
148 ssize_t data_size = _data_size;
149
150 /* this function sends the client extension data (dnsname) */
151 if (session->security_parameters.entity == GNUTLS_CLIENT)
152 {
153
154 if (session->security_parameters.extensions.server_names_size == 0)
155 return 0;
156
157 /* uint16_t
158 */
159 total_size = 2;
160 for (i = 0;
161 i < session->security_parameters.extensions.server_names_size; i++)
162 {
163 /* count the total size
164 */
165 len =
166 session->security_parameters.extensions.server_names[i].
167 name_length;
168
169 /* uint8_t + uint16_t + size
170 */
171 total_size += 1 + 2 + len;
172 }
173
174 p = data;
175
176 /* UINT16: write total size of all names
177 */
178 DECR_LENGTH_RET (data_size, 2, GNUTLS_E_SHORT_MEMORY_BUFFER);
179 MHD_gtls_write_uint16 (total_size - 2, p);
180 p += 2;
181
182 for (i = 0;
183 i < session->security_parameters.extensions.server_names_size; i++)
184 {
185
186 switch (session->security_parameters.extensions.
187 server_names[i].type)
188 {
189 case GNUTLS_NAME_DNS:
190
191 len =
192 session->security_parameters.extensions.
193 server_names[i].name_length;
194 if (len == 0)
195 break;
196
197 /* UINT8: type of this extension
198 * UINT16: size of the first name
199 * LEN: the actual server name.
200 */
201 DECR_LENGTH_RET (data_size, len + 3,
202 GNUTLS_E_SHORT_MEMORY_BUFFER);
203
204 *p = 0; /* NAME_DNS type */
205 p++;
206
207 MHD_gtls_write_uint16 (len, p);
208 p += 2;
209
210 memcpy (p,
211 session->security_parameters.extensions.
212 server_names[0].name, len);
213 p += len;
214 break;
215 default:
216 MHD_gnutls_assert ();
217 return GNUTLS_E_INTERNAL_ERROR;
218 }
219 }
220 }
221#endif
222 return total_size;
223}
diff --git a/src/daemon/https/tls/ext_server_name.h b/src/daemon/https/tls/ext_server_name.h
deleted file mode 100644
index f74ce191..00000000
--- a/src/daemon/https/tls/ext_server_name.h
+++ /dev/null
@@ -1,28 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25int MHD_gtls_server_name_recv_params (MHD_gtls_session_t session,
26 const opaque * data, size_t data_size);
27int MHD_gtls_server_name_send_params (MHD_gtls_session_t session,
28 opaque * data, size_t);
diff --git a/src/daemon/https/tls/gnutls.asn b/src/daemon/https/tls/gnutls.asn
deleted file mode 100644
index 0cb98414..00000000
--- a/src/daemon/https/tls/gnutls.asn
+++ /dev/null
@@ -1,93 +0,0 @@
1GNUTLS { }
2
3DEFINITIONS EXPLICIT TAGS ::=
4
5BEGIN
6
7-- This file contains parts of PKCS-1 structures and some stuff
8-- required for DSA keys.
9
10RSAPublicKey ::= SEQUENCE {
11 modulus INTEGER, -- n
12 publicExponent INTEGER -- e
13}
14
15--
16-- Representation of RSA private key with information for the
17-- CRT algorithm.
18--
19RSAPrivateKey ::= SEQUENCE {
20 version Version,
21 modulus INTEGER, -- (Usually large) n
22 publicExponent INTEGER, -- (Usually small) e
23 privateExponent INTEGER, -- (Usually large) d
24 prime1 INTEGER, -- (Usually large) p
25 prime2 INTEGER, -- (Usually large) q
26 exponent1 INTEGER, -- (Usually large) d mod (p-1)
27 exponent2 INTEGER, -- (Usually large) d mod (q-1)
28 coefficient INTEGER, -- (Usually large) (inverse of q) mod p
29 otherPrimeInfos OtherPrimeInfos OPTIONAL
30}
31
32Version ::= INTEGER { two-prime(0), multi(1) }
33-- (CONSTRAINED BY { version must be multi if otherPrimeInfos present }) --
34
35OtherPrimeInfos ::= SEQUENCE SIZE(1..MAX) OF OtherPrimeInfo
36
37OtherPrimeInfo ::= SEQUENCE {
38 prime INTEGER, -- ri
39 exponent INTEGER, -- di
40 coefficient INTEGER -- ti
41}
42
43-- for signature calculation
44-- added by nmav
45
46AlgorithmIdentifier ::= SEQUENCE {
47 algorithm OBJECT IDENTIFIER,
48 parameters ANY DEFINED BY algorithm OPTIONAL
49}
50 -- contains a value of the type
51 -- registered for use with the
52 -- algorithm object identifier value
53
54DigestInfo ::= SEQUENCE {
55 digestAlgorithm DigestAlgorithmIdentifier,
56 digest Digest
57}
58
59DigestAlgorithmIdentifier ::= AlgorithmIdentifier
60
61Digest ::= OCTET STRING
62
63DSAPublicKey ::= INTEGER
64
65DSAParameters ::= SEQUENCE {
66 p INTEGER,
67 q INTEGER,
68 g INTEGER
69}
70
71DSASignatureValue ::= SEQUENCE {
72 r INTEGER,
73 s INTEGER
74}
75
76DSAPrivateKey ::= SEQUENCE {
77 version INTEGER, -- should be zero
78 p INTEGER,
79 q INTEGER,
80 g INTEGER,
81 Y INTEGER, -- public
82 priv INTEGER
83}
84
85-- from PKCS#3
86DHParameter ::= SEQUENCE {
87 prime INTEGER, -- p
88 base INTEGER, -- g
89 privateValueLength INTEGER OPTIONAL
90}
91
92
93END
diff --git a/src/daemon/https/tls/gnutls.pc b/src/daemon/https/tls/gnutls.pc
deleted file mode 100644
index 544428cb..00000000
--- a/src/daemon/https/tls/gnutls.pc
+++ /dev/null
@@ -1,23 +0,0 @@
1# Process this file with autoconf to produce a pkg-config metadata file.
2# Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3# Author: Simon Josefsson
4#
5# This file is free software; as a special exception the author gives
6# unlimited permission to copy and/or distribute it, with or without
7# modifications, as long as this notice is preserved.
8#
9# This file is distributed in the hope that it will be useful, but
10# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
11# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
12
13prefix=/home/lama/workbench/programming/c/gnunet/gnutls-2.2.3/build
14exec_prefix=${prefix}
15libdir=${exec_prefix}/lib
16includedir=${prefix}/include
17
18Name: GnuTLS
19Description: Transport Security Layer implementation for the GNU system
20Version: 2.2.3
21Libs: -L${libdir} -lgnutls
22Libs.private: -L${exec_prefix}/lib -lgnutls -L/usr/lib -ltasn1 -lgcrypt
23Cflags: -I${includedir}
diff --git a/src/daemon/https/tls/gnutls_alert.c b/src/daemon/https/tls/gnutls_alert.c
deleted file mode 100644
index 4925f6e7..00000000
--- a/src/daemon/https/tls/gnutls_alert.c
+++ /dev/null
@@ -1,296 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include <gnutls_errors.h>
27#include <gnutls_record.h>
28#include <debug.h>
29
30typedef struct
31{
32 MHD_gnutls_alert_description_t alert;
33 const char *desc;
34} MHD_gnutls_alert_entry;
35
36static const MHD_gnutls_alert_entry MHD_gtls_sup_alerts[] = {
37 {GNUTLS_A_CLOSE_NOTIFY, "Close notify"},
38 {GNUTLS_A_UNEXPECTED_MESSAGE, "Unexpected message"},
39 {GNUTLS_A_BAD_RECORD_MAC, "Bad record MAC"},
40 {GNUTLS_A_DECRYPTION_FAILED, "Decryption failed"},
41 {GNUTLS_A_RECORD_OVERFLOW, "Record overflow"},
42 {GNUTLS_A_DECOMPRESSION_FAILURE, "Decompression failed"},
43 {GNUTLS_A_HANDSHAKE_FAILURE, "Handshake failed"},
44 {GNUTLS_A_BAD_CERTIFICATE, "Certificate is bad"},
45 {GNUTLS_A_UNSUPPORTED_CERTIFICATE, "Certificate is not supported"},
46 {GNUTLS_A_CERTIFICATE_REVOKED, "Certificate was revoked"},
47 {GNUTLS_A_CERTIFICATE_EXPIRED, "Certificate is expired"},
48 {GNUTLS_A_CERTIFICATE_UNKNOWN, "Unknown certificate"},
49 {GNUTLS_A_ILLEGAL_PARAMETER, "Illegal parameter"},
50 {GNUTLS_A_UNKNOWN_CA, "CA is unknown"},
51 {GNUTLS_A_ACCESS_DENIED, "Access was denied"},
52 {GNUTLS_A_DECODE_ERROR, "Decode error"},
53 {GNUTLS_A_DECRYPT_ERROR, "Decrypt error"},
54 {GNUTLS_A_EXPORT_RESTRICTION, "Export restriction"},
55 {GNUTLS_A_PROTOCOL_VERSION, "Error in protocol version"},
56 {GNUTLS_A_INSUFFICIENT_SECURITY, "Insufficient security"},
57 {GNUTLS_A_USER_CANCELED, "User canceled"},
58 {GNUTLS_A_INTERNAL_ERROR, "Internal error"},
59 {GNUTLS_A_NO_RENEGOTIATION, "No renegotiation is allowed"},
60 {GNUTLS_A_CERTIFICATE_UNOBTAINABLE,
61 "Could not retrieve the specified certificate"},
62 {GNUTLS_A_UNSUPPORTED_EXTENSION, "An unsupported extension was sent"},
63 {GNUTLS_A_UNRECOGNIZED_NAME,
64 "The server name sent was not recognized"},
65 {GNUTLS_A_UNKNOWN_PSK_IDENTITY,
66 "The SRP/PSK username is missing or not known"},
67};
68
69#define GNUTLS_ALERT_LOOP(b) \
70 const MHD_gnutls_alert_entry *p; \
71 for(p = MHD_gtls_sup_alerts; p->desc != NULL; p++) { b ; }
72
73#define GNUTLS_ALERT_ID_LOOP(a) \
74 GNUTLS_ALERT_LOOP( if(p->alert == alert) { a; break; })
75
76
77/**
78 * MHD__gnutls_alert_get_name - Returns a string describing the alert number given
79 * @alert: is an alert number #MHD_gtls_session_t structure.
80 *
81 * This function will return a string that describes the given alert
82 * number or NULL. See MHD_gnutls_alert_get().
83 *
84 **/
85const char *
86MHD__gnutls_alert_get_name (MHD_gnutls_alert_description_t alert)
87{
88 const char *ret = NULL;
89
90 GNUTLS_ALERT_ID_LOOP (ret = p->desc);
91
92 return ret;
93}
94
95/**
96 * MHD__gnutls_alert_send - This function sends an alert message to the peer
97 * @session: is a #MHD_gtls_session_t structure.
98 * @level: is the level of the alert
99 * @desc: is the alert description
100 *
101 * This function will send an alert to the peer in order to inform
102 * him of something important (eg. his Certificate could not be verified).
103 * If the alert level is Fatal then the peer is expected to close the
104 * connection, otherwise he may ignore the alert and continue.
105 *
106 * The error code of the underlying record send function will be returned,
107 * so you may also receive GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN as well.
108 *
109 * Returns 0 on success.
110 *
111 **/
112int
113MHD__gnutls_alert_send (MHD_gtls_session_t session,
114 MHD_gnutls_alert_level_t level,
115 MHD_gnutls_alert_description_t desc)
116{
117 uint8_t data[2];
118 int ret;
119 const char *name;
120
121 data[0] = (uint8_t) level;
122 data[1] = (uint8_t) desc;
123
124 name = MHD__gnutls_alert_get_name ((int) data[1]);
125 if (name == NULL)
126 name = "(unknown)";
127 MHD__gnutls_record_log ("REC: Sending Alert[%d|%d] - %s\n", data[0],
128 data[1], name);
129
130 if ((ret = MHD_gtls_send_int (session, GNUTLS_ALERT, -1, data, 2)) >= 0)
131 return 0;
132 else
133 return ret;
134}
135
136/**
137 * MHD_gtls_error_to_alert - This function returns an alert code based on the given error code
138 * @err: is a negative integer
139 * @level: the alert level will be stored there
140 *
141 * Returns an alert depending on the error code returned by a gnutls
142 * function. All alerts sent by this function should be considered fatal.
143 * The only exception is when err == GNUTLS_E_REHANDSHAKE, where a warning
144 * alert should be sent to the peer indicating that no renegotiation will
145 * be performed.
146 *
147 * If there is no mapping to a valid alert the alert to indicate internal error
148 * is returned.
149 *
150 **/
151int
152MHD_gtls_error_to_alert (int err, int *level)
153{
154 int ret, _level = -1;
155
156 switch (err)
157 { /* send appropriate alert */
158 case GNUTLS_E_DECRYPTION_FAILED:
159 /* GNUTLS_A_DECRYPTION_FAILED is not sent, because
160 * it is not defined in SSL3. Note that we must
161 * not distinguish Decryption failures from mac
162 * check failures, due to the possibility of some
163 * attacks.
164 */
165 ret = GNUTLS_A_BAD_RECORD_MAC;
166 _level = GNUTLS_AL_FATAL;
167 break;
168 case GNUTLS_E_DECOMPRESSION_FAILED:
169 ret = GNUTLS_A_DECOMPRESSION_FAILURE;
170 _level = GNUTLS_AL_FATAL;
171 break;
172 case GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER:
173 case GNUTLS_E_ILLEGAL_SRP_USERNAME:
174 ret = GNUTLS_A_ILLEGAL_PARAMETER;
175 _level = GNUTLS_AL_FATAL;
176 break;
177 case GNUTLS_E_ASN1_ELEMENT_NOT_FOUND:
178 case GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND:
179 case GNUTLS_E_ASN1_DER_ERROR:
180 case GNUTLS_E_ASN1_VALUE_NOT_FOUND:
181 case GNUTLS_E_ASN1_GENERIC_ERROR:
182 case GNUTLS_E_ASN1_VALUE_NOT_VALID:
183 case GNUTLS_E_ASN1_TAG_ERROR:
184 case GNUTLS_E_ASN1_TAG_IMPLICIT:
185 case GNUTLS_E_ASN1_TYPE_ANY_ERROR:
186 case GNUTLS_E_ASN1_SYNTAX_ERROR:
187 case GNUTLS_E_ASN1_DER_OVERFLOW:
188 ret = GNUTLS_A_BAD_CERTIFICATE;
189 _level = GNUTLS_AL_FATAL;
190 break;
191 case GNUTLS_E_UNKNOWN_CIPHER_SUITE:
192 case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM:
193 case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
194 case GNUTLS_E_NO_CIPHER_SUITES:
195 case GNUTLS_E_NO_COMPRESSION_ALGORITHMS:
196 ret = GNUTLS_A_HANDSHAKE_FAILURE;
197 _level = GNUTLS_AL_FATAL;
198 break;
199 case GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION:
200 ret = GNUTLS_A_UNSUPPORTED_EXTENSION;
201 _level = GNUTLS_AL_FATAL;
202 break;
203 case GNUTLS_E_UNEXPECTED_PACKET:
204 case GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET:
205 ret = GNUTLS_A_UNEXPECTED_MESSAGE;
206 _level = GNUTLS_AL_FATAL;
207 break;
208 case GNUTLS_E_REHANDSHAKE:
209 ret = GNUTLS_A_NO_RENEGOTIATION;
210 _level = GNUTLS_AL_WARNING;
211 break;
212 case GNUTLS_E_UNSUPPORTED_VERSION_PACKET:
213 ret = GNUTLS_A_PROTOCOL_VERSION;
214 _level = GNUTLS_AL_FATAL;
215 break;
216 case GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE:
217 ret = GNUTLS_A_UNSUPPORTED_CERTIFICATE;
218 _level = GNUTLS_AL_FATAL;
219 break;
220 case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
221 ret = GNUTLS_A_RECORD_OVERFLOW;
222 _level = GNUTLS_AL_FATAL;
223 break;
224 case GNUTLS_E_INTERNAL_ERROR:
225 case GNUTLS_E_NO_TEMPORARY_DH_PARAMS:
226 case GNUTLS_E_NO_TEMPORARY_RSA_PARAMS:
227 ret = GNUTLS_A_INTERNAL_ERROR;
228 _level = GNUTLS_AL_FATAL;
229 break;
230 case GNUTLS_E_DH_PRIME_UNACCEPTABLE:
231 case GNUTLS_E_NO_CERTIFICATE_FOUND:
232 ret = GNUTLS_A_INSUFFICIENT_SECURITY;
233 _level = GNUTLS_AL_FATAL;
234 break;
235 default:
236 ret = GNUTLS_A_INTERNAL_ERROR;
237 _level = GNUTLS_AL_FATAL;
238 break;
239 }
240
241 if (level != NULL)
242 *level = _level;
243
244 return ret;
245}
246
247
248/**
249 * MHD__gnutls_alert_send_appropriate - This function sends an alert to the peer depending on the error code
250 * @session: is a #MHD_gtls_session_t structure.
251 * @err: is an integer
252 *
253 * Sends an alert to the peer depending on the error code returned by a gnutls
254 * function. This function will call MHD_gtls_error_to_alert() to determine
255 * the appropriate alert to send.
256 *
257 * This function may also return GNUTLS_E_AGAIN, or GNUTLS_E_INTERRUPTED.
258 *
259 * If the return value is GNUTLS_E_INVALID_REQUEST, then no alert has
260 * been sent to the peer.
261 *
262 * Returns zero on success.
263 */
264int
265MHD__gnutls_alert_send_appropriate (MHD_gtls_session_t session, int err)
266{
267 int alert;
268 int level;
269
270 alert = MHD_gtls_error_to_alert (err, &level);
271 if (alert < 0)
272 {
273 return alert;
274 }
275
276 return MHD__gnutls_alert_send (session, level, alert);
277}
278
279/**
280 * MHD_gnutls_alert_get - Returns the last alert number received.
281 * @session: is a #MHD_gtls_session_t structure.
282 *
283 * This function will return the last alert number received. This
284 * function should be called if GNUTLS_E_WARNING_ALERT_RECEIVED or
285 * GNUTLS_E_FATAL_ALERT_RECEIVED has been returned by a gnutls
286 * function. The peer may send alerts if he thinks some things were
287 * not right. Check gnutls.h for the available alert descriptions.
288 *
289 * If no alert has been received the returned value is undefined.
290 *
291 **/
292MHD_gnutls_alert_description_t
293MHD_gnutls_alert_get (MHD_gtls_session_t session)
294{
295 return session->internals.last_alert;
296}
diff --git a/src/daemon/https/tls/gnutls_algorithms.c b/src/daemon/https/tls/gnutls_algorithms.c
deleted file mode 100644
index f65ccbac..00000000
--- a/src/daemon/https/tls/gnutls_algorithms.c
+++ /dev/null
@@ -1,1340 +0,0 @@
1/*
2 * Copyright (C) 2000, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include "gnutls_int.h"
26#include "gnutls_algorithms.h"
27#include "gnutls_errors.h"
28#include "gnutls_cert.h"
29/* x509 */
30#include "common.h"
31
32/* Cred type mappings to KX algorithms
33 * FIXME: The mappings are not 1-1. Some KX such as SRP_RSA require
34 * more than one credentials type.
35 */
36typedef struct
37{
38 enum MHD_GNUTLS_KeyExchangeAlgorithm algorithm;
39 enum MHD_GNUTLS_CredentialsType client_type;
40 enum MHD_GNUTLS_CredentialsType server_type; /* The type of credentials a server
41 * needs to set */
42} MHD_gnutls_cred_map;
43
44static const MHD_gnutls_cred_map MHD_gtls_cred_mappings[] = {
45 {MHD_GNUTLS_KX_RSA,
46 MHD_GNUTLS_CRD_CERTIFICATE,
47 MHD_GNUTLS_CRD_CERTIFICATE},
48 {MHD_GNUTLS_KX_RSA_EXPORT,
49 MHD_GNUTLS_CRD_CERTIFICATE,
50 MHD_GNUTLS_CRD_CERTIFICATE},
51 {0,
52 0,
53 0}
54};
55
56#define GNUTLS_KX_MAP_LOOP(b) \
57 const MHD_gnutls_cred_map *p; \
58 for(p = MHD_gtls_cred_mappings; p->algorithm != 0; p++) { b ; }
59
60#define GNUTLS_KX_MAP_ALG_LOOP_SERVER(a) \
61 GNUTLS_KX_MAP_LOOP( if(p->server_type == type) { a; break; })
62
63#define GNUTLS_KX_MAP_ALG_LOOP_CLIENT(a) \
64 GNUTLS_KX_MAP_LOOP( if(p->client_type == type) { a; break; })
65
66/* KX mappings to PK algorithms */
67typedef struct
68{
69 enum MHD_GNUTLS_KeyExchangeAlgorithm kx_algorithm;
70 enum MHD_GNUTLS_PublicKeyAlgorithm pk_algorithm;
71 enum encipher_type encipher_type; /* CIPHER_ENCRYPT if this algorithm is to be used
72 * for encryption, CIPHER_SIGN if signature only,
73 * CIPHER_IGN if this does not apply at all.
74 *
75 * This is useful to certificate cipher suites, which check
76 * against the certificate key usage bits.
77 */
78} MHD_gnutls_pk_map;
79
80/* This table maps the Key exchange algorithms to
81 * the certificate algorithms. Eg. if we have
82 * RSA algorithm in the certificate then we can
83 * use GNUTLS_KX_RSA or GNUTLS_KX_DHE_RSA.
84 */
85static const MHD_gnutls_pk_map MHD_gtls_pk_mappings[] = {
86 {MHD_GNUTLS_KX_RSA,
87 MHD_GNUTLS_PK_RSA,
88 CIPHER_ENCRYPT},
89 {MHD_GNUTLS_KX_RSA_EXPORT,
90 MHD_GNUTLS_PK_RSA,
91 CIPHER_SIGN},
92 {0,
93 0,
94 0}
95};
96
97#define GNUTLS_PK_MAP_LOOP(b) \
98 const MHD_gnutls_pk_map *p; \
99 for(p = MHD_gtls_pk_mappings; p->kx_algorithm != 0; p++) { b }
100
101#define GNUTLS_PK_MAP_ALG_LOOP(a) \
102 GNUTLS_PK_MAP_LOOP( if(p->kx_algorithm == kx_algorithm) { a; break; })
103
104/* TLS Versions */
105
106typedef struct
107{
108 const char *name;
109 enum MHD_GNUTLS_Protocol id; /* gnutls internal version number */
110 int major; /* defined by the protocol */
111 int minor; /* defined by the protocol */
112 int supported; /* 0 not supported, > 0 is supported */
113} MHD_gnutls_version_entry;
114
115static const MHD_gnutls_version_entry MHD_gtls_sup_versions[] = {
116 {"SSL3.0",
117 MHD_GNUTLS_PROTOCOL_SSL3,
118 3,
119 0,
120 1},
121 {"TLS1.0",
122 MHD_GNUTLS_PROTOCOL_TLS1_0,
123 3,
124 1,
125 1},
126 {"TLS1.1",
127 MHD_GNUTLS_PROTOCOL_TLS1_1,
128 3,
129 2,
130 1},
131 {"TLS1.2",
132 MHD_GNUTLS_PROTOCOL_TLS1_2,
133 3,
134 3,
135 1},
136 {0,
137 0,
138 0,
139 0,
140 0}
141};
142
143/* Keep the contents of this struct the same as the previous one. */
144static const enum MHD_GNUTLS_Protocol MHD_gtls_supported_protocols[] =
145{ MHD_GNUTLS_PROTOCOL_SSL3,
146 MHD_GNUTLS_PROTOCOL_TLS1_0,
147 MHD_GNUTLS_PROTOCOL_TLS1_1,
148 MHD_GNUTLS_PROTOCOL_TLS1_2,
149 0
150};
151
152#define GNUTLS_VERSION_LOOP(b) \
153 const MHD_gnutls_version_entry *p; \
154 for(p = MHD_gtls_sup_versions; p->name != NULL; p++) { b ; }
155
156#define GNUTLS_VERSION_ALG_LOOP(a) \
157 GNUTLS_VERSION_LOOP( if(p->id == version) { a; break; })
158
159struct MHD_gnutls_cipher_entry
160{
161 const char *name;
162 enum MHD_GNUTLS_CipherAlgorithm id;
163 uint16_t blocksize;
164 uint16_t keysize;
165 cipher_type_t block;
166 uint16_t iv;
167 int export_flag; /* 0 non export */
168};
169typedef struct MHD_gnutls_cipher_entry MHD_gnutls_cipher_entry;
170
171/* Note that all algorithms are in CBC or STREAM modes.
172 * Do not add any algorithms in other modes (avoid modified algorithms).
173 * View first: "The order of encryption and authentication for
174 * protecting communications" by Hugo Krawczyk - CRYPTO 2001
175 */
176static const MHD_gnutls_cipher_entry MHD_gtls_algorithms[] = {
177 {"AES-256-CBC",
178 MHD_GNUTLS_CIPHER_AES_256_CBC,
179 16,
180 32,
181 CIPHER_BLOCK,
182 16,
183 0},
184 {"AES-128-CBC",
185 MHD_GNUTLS_CIPHER_AES_128_CBC,
186 16,
187 16,
188 CIPHER_BLOCK,
189 16,
190 0},
191 {"3DES-CBC",
192 MHD_GNUTLS_CIPHER_3DES_CBC,
193 8,
194 24,
195 CIPHER_BLOCK,
196 8,
197 0},
198 {"ARCFOUR-128",
199 MHD_GNUTLS_CIPHER_ARCFOUR_128,
200 1,
201 16,
202 CIPHER_STREAM,
203 0,
204 0},
205 {"NULL",
206 MHD_GNUTLS_CIPHER_NULL,
207 1,
208 0,
209 CIPHER_STREAM,
210 0,
211 0},
212 {0,
213 0,
214 0,
215 0,
216 0,
217 0,
218 0}
219};
220
221/* Keep the contents of this struct the same as the previous one. */
222static const enum MHD_GNUTLS_CipherAlgorithm MHD_gtls_supported_ciphers[] =
223{ MHD_GNUTLS_CIPHER_AES_256_CBC,
224 MHD_GNUTLS_CIPHER_AES_128_CBC,
225 MHD_GNUTLS_CIPHER_3DES_CBC,
226 MHD_GNUTLS_CIPHER_ARCFOUR_128,
227 MHD_GNUTLS_CIPHER_NULL,
228 0
229};
230
231#define GNUTLS_LOOP(b) \
232 const MHD_gnutls_cipher_entry *p; \
233 for(p = MHD_gtls_algorithms; p->name != NULL; p++) { b ; }
234
235#define GNUTLS_ALG_LOOP(a) \
236 GNUTLS_LOOP( if(p->id == algorithm) { a; break; } )
237
238struct MHD_gnutls_hash_entry
239{
240 const char *name;
241 const char *oid;
242 enum MHD_GNUTLS_HashAlgorithm id;
243 size_t key_size; /* in case of mac */
244};
245typedef struct MHD_gnutls_hash_entry MHD_gnutls_hash_entry;
246
247static const MHD_gnutls_hash_entry MHD_gtls_hash_algorithms[] = {
248 {"SHA1",
249 HASH_OID_SHA1,
250 MHD_GNUTLS_MAC_SHA1,
251 20},
252 {"MD5",
253 HASH_OID_MD5,
254 MHD_GNUTLS_MAC_MD5,
255 16},
256 {"SHA256",
257 HASH_OID_SHA256,
258 MHD_GNUTLS_MAC_SHA256,
259 32},
260 {"NULL",
261 NULL,
262 MHD_GNUTLS_MAC_NULL,
263 0},
264 {0,
265 0,
266 0,
267 0}
268};
269
270/* Keep the contents of this struct the same as the previous one. */
271static const enum MHD_GNUTLS_HashAlgorithm MHD_gtls_supported_macs[] =
272{ MHD_GNUTLS_MAC_SHA1,
273 MHD_GNUTLS_MAC_MD5,
274 MHD_GNUTLS_MAC_SHA256,
275 MHD_GNUTLS_MAC_NULL,
276 0
277};
278
279#define GNUTLS_HASH_LOOP(b) \
280 const MHD_gnutls_hash_entry *p; \
281 for(p = MHD_gtls_hash_algorithms; p->name != NULL; p++) { b ; }
282
283#define GNUTLS_HASH_ALG_LOOP(a) \
284 GNUTLS_HASH_LOOP( if(p->id == algorithm) { a; break; } )
285
286/* Compression Section */
287#define GNUTLS_COMPRESSION_ENTRY(name, id, wb, ml, cl) \
288 { #name, name, id, wb, ml, cl}
289
290#define MAX_COMP_METHODS 5
291const int MHD__gnutls_comp_algorithms_size = MAX_COMP_METHODS;
292
293/* the compression entry is defined in MHD_gnutls_algorithms.h */
294
295MHD_gnutls_compression_entry
296 MHD__gnutls_compression_algorithms[MAX_COMP_METHODS] =
297{
298 GNUTLS_COMPRESSION_ENTRY (MHD_GNUTLS_COMP_NULL, 0x00, 0, 0, 0),
299 {
300 0, 0, 0, 0, 0, 0}
301};
302
303static const enum MHD_GNUTLS_CompressionMethod
304 MHD_gtls_supported_compressions[] =
305{
306 MHD_GNUTLS_COMP_NULL,
307 0
308};
309
310#define GNUTLS_COMPRESSION_LOOP(b) \
311 const MHD_gnutls_compression_entry *p; \
312 for(p = MHD__gnutls_compression_algorithms; p->name != NULL; p++) { b ; }
313#define GNUTLS_COMPRESSION_ALG_LOOP(a) \
314 GNUTLS_COMPRESSION_LOOP( if(p->id == algorithm) { a; break; } )
315#define GNUTLS_COMPRESSION_ALG_LOOP_NUM(a) \
316 GNUTLS_COMPRESSION_LOOP( if(p->num == num) { a; break; } )
317
318/* Key Exchange Section */
319extern MHD_gtls_mod_auth_st MHD_gtls_rsa_auth_struct;
320extern MHD_gtls_mod_auth_st MHD_rsa_export_auth_struct;
321extern MHD_gtls_mod_auth_st MHD_gtls_dhe_rsa_auth_struct;
322extern MHD_gtls_mod_auth_st MHD_gtls_dhe_dss_auth_struct;
323extern MHD_gtls_mod_auth_st srp_auth_struct;
324extern MHD_gtls_mod_auth_st psk_auth_struct;
325extern MHD_gtls_mod_auth_st dhe_psk_auth_struct;
326extern MHD_gtls_mod_auth_st srp_rsa_auth_struct;
327extern MHD_gtls_mod_auth_st srp_dss_auth_struct;
328
329typedef struct MHD_gtls_kx_algo_entry
330{
331 const char *name;
332 enum MHD_GNUTLS_KeyExchangeAlgorithm algorithm;
333 MHD_gtls_mod_auth_st *auth_struct;
334 int needs_dh_params;
335 int needs_rsa_params;
336} MHD_gtls_kx_algo_entry_t;
337
338static const MHD_gtls_kx_algo_entry_t MHD_gtls_kx_algorithms[] = {
339 {"RSA",
340 MHD_GNUTLS_KX_RSA,
341 &MHD_gtls_rsa_auth_struct,
342 0,
343 0},
344 {"RSA-EXPORT",
345 MHD_GNUTLS_KX_RSA_EXPORT,
346 &MHD_rsa_export_auth_struct,
347 0,
348 1 /* needs RSA params */ },
349 {0,
350 0,
351 0,
352 0,
353 0}
354};
355
356/* Keep the contents of this struct the same as the previous one. */
357static const enum MHD_GNUTLS_KeyExchangeAlgorithm MHD_gtls_supported_kxs[] =
358{
359 MHD_GNUTLS_KX_RSA,
360 MHD_GNUTLS_KX_RSA_EXPORT,
361 0
362};
363
364#define GNUTLS_KX_LOOP(b) \
365 const MHD_gtls_kx_algo_entry_t *p; \
366 for(p = MHD_gtls_kx_algorithms; p->name != NULL; p++) { b ; }
367
368#define GNUTLS_KX_ALG_LOOP(a) \
369 GNUTLS_KX_LOOP( if(p->algorithm == algorithm) { a; break; } )
370
371/* Cipher SUITES */
372#define GNUTLS_CIPHER_SUITE_ENTRY( name, block_algorithm, kx_algorithm, mac_algorithm, version ) \
373 { #name, {name}, block_algorithm, kx_algorithm, mac_algorithm, version }
374
375typedef struct
376{
377 const char *name;
378 cipher_suite_st id;
379 enum MHD_GNUTLS_CipherAlgorithm block_algorithm;
380 enum MHD_GNUTLS_KeyExchangeAlgorithm kx_algorithm;
381 enum MHD_GNUTLS_HashAlgorithm mac_algorithm;
382 enum MHD_GNUTLS_Protocol version; /* this cipher suite is supported
383 * from 'version' and above;
384 */
385} MHD_gtls_cipher_suite_entry;
386
387/* RSA with NULL cipher and MD5 MAC
388 * for test purposes.
389 */
390#define GNUTLS_RSA_NULL_MD5 { 0x00, 0x01 }
391
392/* PSK (not in TLS 1.0)
393 * draft-ietf-tls-psk:
394 */
395#define GNUTLS_PSK_SHA_ARCFOUR_SHA1 { 0x00, 0x8A }
396#define GNUTLS_PSK_SHA_3DES_EDE_CBC_SHA1 { 0x00, 0x8B }
397#define GNUTLS_PSK_SHA_AES_128_CBC_SHA1 { 0x00, 0x8C }
398#define GNUTLS_PSK_SHA_AES_256_CBC_SHA1 { 0x00, 0x8D }
399
400#define GNUTLS_DHE_PSK_SHA_ARCFOUR_SHA1 { 0x00, 0x8E }
401#define GNUTLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 { 0x00, 0x8F }
402#define GNUTLS_DHE_PSK_SHA_AES_128_CBC_SHA1 { 0x00, 0x90 }
403#define GNUTLS_DHE_PSK_SHA_AES_256_CBC_SHA1 { 0x00, 0x91 }
404
405/* SRP (rfc5054)
406 */
407#define GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA1 { 0xC0, 0x1A }
408#define GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 { 0xC0, 0x1B }
409#define GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 { 0xC0, 0x1C }
410
411#define GNUTLS_SRP_SHA_AES_128_CBC_SHA1 { 0xC0, 0x1D }
412#define GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA1 { 0xC0, 0x1E }
413#define GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA1 { 0xC0, 0x1F }
414
415#define GNUTLS_SRP_SHA_AES_256_CBC_SHA1 { 0xC0, 0x20 }
416#define GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA1 { 0xC0, 0x21 }
417#define GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA1 { 0xC0, 0x22 }
418
419/* RSA
420 */
421#define GNUTLS_RSA_ARCFOUR_SHA1 { 0x00, 0x05 }
422#define GNUTLS_RSA_ARCFOUR_MD5 { 0x00, 0x04 }
423#define GNUTLS_RSA_3DES_EDE_CBC_SHA1 { 0x00, 0x0A }
424
425/* rfc3268:
426 */
427#define GNUTLS_RSA_AES_128_CBC_SHA1 { 0x00, 0x2F }
428#define GNUTLS_RSA_AES_256_CBC_SHA1 { 0x00, 0x35 }
429
430/* rfc4132 */
431#define GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 { 0x00,0x41 }
432#define GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 { 0x00,0x84 }
433
434/* DHE DSS
435 */
436
437#define GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA1 { 0x00, 0x13 }
438
439/* draft-ietf-tls-56-bit-ciphersuites-01:
440 */
441#define GNUTLS_DHE_DSS_ARCFOUR_SHA1 { 0x00, 0x66 }
442
443/* rfc3268:
444 */
445#define GNUTLS_DHE_DSS_AES_256_CBC_SHA1 { 0x00, 0x38 }
446#define GNUTLS_DHE_DSS_AES_128_CBC_SHA1 { 0x00, 0x32 }
447
448/* rfc4132 */
449#define GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 { 0x00,0x44 }
450#define GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 { 0x00,0x87 }
451
452/* DHE RSA
453 */
454#define GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 { 0x00, 0x16 }
455
456/* rfc3268:
457 */
458#define GNUTLS_DHE_RSA_AES_128_CBC_SHA1 { 0x00, 0x33 }
459#define GNUTLS_DHE_RSA_AES_256_CBC_SHA1 { 0x00, 0x39 }
460
461/* rfc4132 */
462#define GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 { 0x00,0x45 }
463#define GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 { 0x00,0x88 }
464
465#define CIPHER_SUITES_COUNT sizeof(MHD_gtls_cs_algorithms)/sizeof(MHD_gtls_cipher_suite_entry)-1
466
467static const MHD_gtls_cipher_suite_entry MHD_gtls_cs_algorithms[] = {
468 /* RSA */
469 GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_NULL_MD5,
470 MHD_GNUTLS_CIPHER_NULL,
471 MHD_GNUTLS_KX_RSA, MHD_GNUTLS_MAC_MD5,
472 MHD_GNUTLS_PROTOCOL_SSL3),
473 GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_ARCFOUR_SHA1,
474 MHD_GNUTLS_CIPHER_ARCFOUR_128,
475 MHD_GNUTLS_KX_RSA, MHD_GNUTLS_MAC_SHA1,
476 MHD_GNUTLS_PROTOCOL_SSL3),
477 GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_ARCFOUR_MD5,
478 MHD_GNUTLS_CIPHER_ARCFOUR_128,
479 MHD_GNUTLS_KX_RSA, MHD_GNUTLS_MAC_MD5,
480 MHD_GNUTLS_PROTOCOL_SSL3),
481 GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_3DES_EDE_CBC_SHA1,
482 MHD_GNUTLS_CIPHER_3DES_CBC,
483 MHD_GNUTLS_KX_RSA, MHD_GNUTLS_MAC_SHA1,
484 MHD_GNUTLS_PROTOCOL_SSL3),
485 GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_AES_128_CBC_SHA1,
486 MHD_GNUTLS_CIPHER_AES_128_CBC, MHD_GNUTLS_KX_RSA,
487 MHD_GNUTLS_MAC_SHA1, MHD_GNUTLS_PROTOCOL_SSL3),
488 GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RSA_AES_256_CBC_SHA1,
489 MHD_GNUTLS_CIPHER_AES_256_CBC, MHD_GNUTLS_KX_RSA,
490 MHD_GNUTLS_MAC_SHA1, MHD_GNUTLS_PROTOCOL_SSL3),
491 {0,
492 {
493 {0,
494 0}},
495 0,
496 0,
497 0,
498 0}
499};
500
501#define GNUTLS_CIPHER_SUITE_LOOP(b) \
502 const MHD_gtls_cipher_suite_entry *p; \
503 for(p = MHD_gtls_cs_algorithms; p->name != NULL; p++) { b ; }
504
505#define GNUTLS_CIPHER_SUITE_ALG_LOOP(a) \
506 GNUTLS_CIPHER_SUITE_LOOP( if( (p->id.suite[0] == suite->suite[0]) && (p->id.suite[1] == suite->suite[1])) { a; break; } )
507
508/* Generic Functions */
509
510int
511MHD_gtls_mac_priority (MHD_gtls_session_t session,
512 enum MHD_GNUTLS_HashAlgorithm algorithm)
513{ /* actually returns the priority */
514 unsigned int i;
515 for (i = 0; i < session->internals.priorities.mac.num_algorithms; i++)
516 {
517 if (session->internals.priorities.mac.priority[i] == algorithm)
518 return i;
519 }
520 return -1;
521}
522
523
524int
525MHD_gnutls_mac_is_ok (enum MHD_GNUTLS_HashAlgorithm algorithm)
526{
527 ssize_t ret = -1;
528 GNUTLS_HASH_ALG_LOOP (ret = p->id);
529 if (ret >= 0)
530 ret = 0;
531 else
532 ret = 1;
533 return ret;
534}
535
536
537/**
538 * MHD__gnutls_compression_get_name - Returns a string with the name of the specified compression algorithm
539 * @algorithm: is a Compression algorithm
540 *
541 * Returns: a pointer to a string that contains the name of the
542 * specified compression algorithm, or %NULL.
543 **/
544const char *
545MHD_gtls_compression_get_name (enum MHD_GNUTLS_CompressionMethod algorithm)
546{
547 const char *ret = NULL;
548
549 /* avoid prefix */
550 GNUTLS_COMPRESSION_ALG_LOOP (ret = p->name + sizeof ("GNUTLS_COMP_") - 1);
551
552 return ret;
553}
554
555/**
556 * MHD_gtls_compression_get_id - Returns the gnutls id of the specified in string algorithm
557 * @algorithm: is a compression method name
558 *
559 * The names are compared in a case insensitive way.
560 *
561 * Returns: an id of the specified in a string compression method, or
562 * %GNUTLS_COMP_UNKNOWN on error.
563 *
564 **/
565enum MHD_GNUTLS_CompressionMethod
566MHD_gtls_compression_get_id (const char *name)
567{
568 enum MHD_GNUTLS_CompressionMethod ret = MHD_GNUTLS_COMP_UNKNOWN;
569
570 GNUTLS_COMPRESSION_LOOP (if
571 (strcasecmp
572 (p->name + sizeof ("GNUTLS_COMP_") - 1,
573 name) == 0) ret = p->id)
574 ;
575
576 return ret;
577}
578
579
580/* return the tls number of the specified algorithm */
581int
582MHD_gtls_compression_get_num (enum MHD_GNUTLS_CompressionMethod algorithm)
583{
584 int ret = -1;
585
586 /* avoid prefix */
587 GNUTLS_COMPRESSION_ALG_LOOP (ret = p->num);
588
589 return ret;
590}
591
592int
593MHD_gtls_compression_get_wbits (enum MHD_GNUTLS_CompressionMethod algorithm)
594{
595 int ret = -1;
596 /* avoid prefix */
597 GNUTLS_COMPRESSION_ALG_LOOP (ret = p->window_bits);
598 return ret;
599}
600
601int
602MHD_gtls_compression_get_mem_level (enum MHD_GNUTLS_CompressionMethod
603 algorithm)
604{
605 int ret = -1;
606 /* avoid prefix */
607 GNUTLS_COMPRESSION_ALG_LOOP (ret = p->mem_level);
608 return ret;
609}
610
611int
612MHD_gtls_compression_get_comp_level (enum MHD_GNUTLS_CompressionMethod
613 algorithm)
614{
615 int ret = -1;
616 /* avoid prefix */
617 GNUTLS_COMPRESSION_ALG_LOOP (ret = p->comp_level);
618 return ret;
619}
620
621/* returns the gnutls internal ID of the TLS compression
622 * method num
623 */
624enum MHD_GNUTLS_CompressionMethod
625MHD_gtls_compression_get_id_from_int (int num)
626{
627 enum MHD_GNUTLS_CompressionMethod ret = -1;
628
629 /* avoid prefix */
630 GNUTLS_COMPRESSION_ALG_LOOP_NUM (ret = p->id);
631
632 return ret;
633}
634
635int
636MHD_gtls_compression_is_ok (enum MHD_GNUTLS_CompressionMethod algorithm)
637{
638 ssize_t ret = -1;
639 GNUTLS_COMPRESSION_ALG_LOOP (ret = p->id);
640 if (ret >= 0)
641 ret = 0;
642 else
643 ret = 1;
644 return ret;
645}
646
647/* CIPHER functions */
648int
649MHD_gtls_cipher_get_block_size (enum MHD_GNUTLS_CipherAlgorithm algorithm)
650{
651 size_t ret = 0;
652 GNUTLS_ALG_LOOP (ret = p->blocksize);
653 return ret;
654
655}
656
657/* returns the priority */
658int
659MHD_gtls_cipher_priority (MHD_gtls_session_t session,
660 enum MHD_GNUTLS_CipherAlgorithm algorithm)
661{
662 unsigned int i;
663 for (i = 0; i < session->internals.priorities.cipher.num_algorithms; i++)
664 {
665 if (session->internals.priorities.cipher.priority[i] == algorithm)
666 return i;
667 }
668 return -1;
669}
670
671int
672MHD_gtls_cipher_is_block (enum MHD_GNUTLS_CipherAlgorithm algorithm)
673{
674 size_t ret = 0;
675
676 GNUTLS_ALG_LOOP (ret = p->block);
677 return ret;
678
679}
680
681/**
682 * MHD__gnutls_cipher_get_key_size - Returns the length of the cipher's key size
683 * @algorithm: is an encryption algorithm
684 *
685 * Returns: length (in bytes) of the given cipher's key size, o 0 if
686 * the given cipher is invalid.
687 **/
688size_t
689MHD__gnutls_cipher_get_key_size (enum MHD_GNUTLS_CipherAlgorithm algorithm)
690{ /* In bytes */
691 size_t ret = 0;
692 GNUTLS_ALG_LOOP (ret = p->keysize);
693 return ret;
694
695}
696
697int
698MHD_gtls_cipher_get_iv_size (enum MHD_GNUTLS_CipherAlgorithm algorithm)
699{ /* In bytes */
700 size_t ret = 0;
701 GNUTLS_ALG_LOOP (ret = p->iv);
702 return ret;
703
704}
705
706int
707MHD_gtls_cipher_get_export_flag (enum MHD_GNUTLS_CipherAlgorithm algorithm)
708{ /* In bytes */
709 size_t ret = 0;
710 GNUTLS_ALG_LOOP (ret = p->export_flag);
711 return ret;
712
713}
714
715
716int
717MHD_gtls_cipher_is_ok (enum MHD_GNUTLS_CipherAlgorithm algorithm)
718{
719 ssize_t ret = -1;
720 GNUTLS_ALG_LOOP (ret = p->id);
721 if (ret >= 0)
722 ret = 0;
723 else
724 ret = 1;
725 return ret;
726}
727
728/* Key EXCHANGE functions */
729MHD_gtls_mod_auth_st *
730MHD_gtls_kx_auth_struct (enum MHD_GNUTLS_KeyExchangeAlgorithm algorithm)
731{
732 MHD_gtls_mod_auth_st *ret = NULL;
733 GNUTLS_KX_ALG_LOOP (ret = p->auth_struct);
734 return ret;
735
736}
737
738int
739MHD_gtls_kx_priority (MHD_gtls_session_t session,
740 enum MHD_GNUTLS_KeyExchangeAlgorithm algorithm)
741{
742 unsigned int i;
743 for (i = 0; i < session->internals.priorities.kx.num_algorithms; i++)
744 {
745 if (session->internals.priorities.kx.priority[i] == algorithm)
746 return i;
747 }
748 return -1;
749}
750
751
752int
753MHD_gtls_kx_is_ok (enum MHD_GNUTLS_KeyExchangeAlgorithm algorithm)
754{
755 ssize_t ret = -1;
756 GNUTLS_KX_ALG_LOOP (ret = p->algorithm);
757 if (ret >= 0)
758 ret = 0;
759 else
760 ret = 1;
761 return ret;
762}
763
764int
765MHD_gtls_kx_needs_rsa_params (enum MHD_GNUTLS_KeyExchangeAlgorithm algorithm)
766{
767 ssize_t ret = 0;
768 GNUTLS_KX_ALG_LOOP (ret = p->needs_rsa_params);
769 return ret;
770}
771
772int
773MHD_gtls_kx_needs_dh_params (enum MHD_GNUTLS_KeyExchangeAlgorithm algorithm)
774{
775 ssize_t ret = 0;
776 GNUTLS_KX_ALG_LOOP (ret = p->needs_dh_params);
777 return ret;
778}
779
780/* Version */
781int
782MHD_gtls_version_priority (MHD_gtls_session_t session,
783 enum MHD_GNUTLS_Protocol version)
784{ /* actually returns the priority */
785 unsigned int i;
786
787 if (session->internals.priorities.protocol.priority == NULL)
788 {
789 MHD_gnutls_assert ();
790 return -1;
791 }
792
793 for (i = 0; i < session->internals.priorities.protocol.num_algorithms; i++)
794 {
795 if (session->internals.priorities.protocol.priority[i] == version)
796 return i;
797 }
798 return -1;
799}
800
801
802enum MHD_GNUTLS_Protocol
803MHD_gtls_version_max (MHD_gtls_session_t session)
804{ /* returns the maximum version supported */
805 unsigned int i, max = 0x00;
806
807 if (session->internals.priorities.protocol.priority == NULL)
808 {
809 return MHD_GNUTLS_PROTOCOL_VERSION_UNKNOWN;
810 }
811 else
812 for (i = 0; i < session->internals.priorities.protocol.num_algorithms;
813 i++)
814 {
815 if (session->internals.priorities.protocol.priority[i] > max)
816 max = session->internals.priorities.protocol.priority[i];
817 }
818
819 if (max == 0x00)
820 return MHD_GNUTLS_PROTOCOL_VERSION_UNKNOWN; /* unknown version */
821
822 return max;
823}
824
825int
826MHD_gtls_version_get_minor (enum MHD_GNUTLS_Protocol version)
827{
828 int ret = -1;
829
830 GNUTLS_VERSION_ALG_LOOP (ret = p->minor);
831 return ret;
832}
833
834enum MHD_GNUTLS_Protocol
835MHD_gtls_version_get (int major, int minor)
836{
837 int ret = -1;
838
839 GNUTLS_VERSION_LOOP (if ((p->major == major) && (p->minor == minor))
840 ret = p->id)
841 ;
842 return ret;
843}
844
845int
846MHD_gtls_version_get_major (enum MHD_GNUTLS_Protocol version)
847{
848 int ret = -1;
849
850 GNUTLS_VERSION_ALG_LOOP (ret = p->major);
851 return ret;
852}
853
854/* Version Functions */
855
856int
857MHD_gtls_version_is_supported (MHD_gtls_session_t session,
858 const enum MHD_GNUTLS_Protocol version)
859{
860 int ret = 0;
861
862 GNUTLS_VERSION_ALG_LOOP (ret = p->supported);
863 if (ret == 0)
864 return 0;
865
866 if (MHD_gtls_version_priority (session, version) < 0)
867 return 0; /* disabled by the user */
868 else
869 return 1;
870}
871
872enum MHD_GNUTLS_CredentialsType
873MHD_gtls_map_kx_get_cred (enum MHD_GNUTLS_KeyExchangeAlgorithm algorithm,
874 int server)
875{
876 enum MHD_GNUTLS_CredentialsType ret = -1;
877 if (server)
878 {
879 GNUTLS_KX_MAP_LOOP (if (p->algorithm == algorithm) ret = p->server_type)
880 ;
881 }
882 else
883 {
884 GNUTLS_KX_MAP_LOOP (if (p->algorithm == algorithm) ret = p->client_type)
885 ;
886 }
887
888 return ret;
889}
890
891/* Cipher Suite's functions */
892enum MHD_GNUTLS_CipherAlgorithm
893MHD_gtls_cipher_suite_get_cipher_algo (const cipher_suite_st * suite)
894{
895 int ret = 0;
896 GNUTLS_CIPHER_SUITE_ALG_LOOP (ret = p->block_algorithm);
897 return ret;
898}
899
900enum MHD_GNUTLS_Protocol
901MHD_gtls_cipher_suite_get_version (const cipher_suite_st * suite)
902{
903 int ret = 0;
904 GNUTLS_CIPHER_SUITE_ALG_LOOP (ret = p->version);
905 return ret;
906}
907
908enum MHD_GNUTLS_KeyExchangeAlgorithm
909MHD_gtls_cipher_suite_get_kx_algo (const cipher_suite_st * suite)
910{
911 int ret = 0;
912
913 GNUTLS_CIPHER_SUITE_ALG_LOOP (ret = p->kx_algorithm);
914 return ret;
915
916}
917
918enum MHD_GNUTLS_HashAlgorithm
919MHD_gtls_cipher_suite_get_mac_algo (const cipher_suite_st * suite)
920{ /* In bytes */
921 int ret = 0;
922 GNUTLS_CIPHER_SUITE_ALG_LOOP (ret = p->mac_algorithm);
923 return ret;
924
925}
926
927const char *
928MHD_gtls_cipher_suite_get_name (cipher_suite_st * suite)
929{
930 const char *ret = NULL;
931
932 /* avoid prefix */
933 GNUTLS_CIPHER_SUITE_ALG_LOOP (ret = p->name + sizeof ("GNUTLS_") - 1);
934
935 return ret;
936}
937
938static inline int
939MHD__gnutls_cipher_suite_is_ok (cipher_suite_st * suite)
940{
941 size_t ret;
942 const char *name = NULL;
943
944 GNUTLS_CIPHER_SUITE_ALG_LOOP (name = p->name);
945 if (name != NULL)
946 ret = 0;
947 else
948 ret = 1;
949 return ret;
950
951}
952
953#define SWAP(x, y) memcpy(tmp,x,size); \
954 memcpy(x,y,size); \
955 memcpy(y,tmp,size);
956
957#define MAX_ELEM_SIZE 4
958static inline int
959MHD__gnutls_partition (MHD_gtls_session_t session,
960 void *_base,
961 size_t nmemb,
962 size_t size,
963 int (*compar) (MHD_gtls_session_t,
964 const void *, const void *))
965{
966 uint8_t *base = _base;
967 uint8_t tmp[MAX_ELEM_SIZE];
968 uint8_t ptmp[MAX_ELEM_SIZE];
969 unsigned int pivot;
970 unsigned int i, j;
971 unsigned int full;
972
973 i = pivot = 0;
974 j = full = (nmemb - 1) * size;
975
976 memcpy (ptmp, &base[0], size); /* set pivot item */
977
978 while (i < j)
979 {
980 while ((compar (session, &base[i], ptmp) <= 0) && (i < full))
981 {
982 i += size;
983 }
984 while ((compar (session, &base[j], ptmp) >= 0) && (j > 0))
985 j -= size;
986
987 if (i < j)
988 {
989 SWAP (&base[j], &base[i]);
990 }
991 }
992
993 if (j > pivot)
994 {
995 SWAP (&base[pivot], &base[j]);
996 pivot = j;
997 }
998 else if (i < pivot)
999 {
1000 SWAP (&base[pivot], &base[i]);
1001 pivot = i;
1002 }
1003 return pivot / size;
1004}
1005
1006static void
1007MHD__gnutls_qsort (MHD_gtls_session_t session,
1008 void *_base,
1009 size_t nmemb,
1010 size_t size,
1011 int (*compar) (MHD_gtls_session_t, const void *,
1012 const void *))
1013{
1014 unsigned int pivot;
1015 char *base = _base;
1016 size_t snmemb = nmemb;
1017
1018 if (snmemb <= 1)
1019 return;
1020 pivot = MHD__gnutls_partition (session, _base, nmemb, size, compar);
1021
1022 MHD__gnutls_qsort (session, base, pivot < nmemb ? pivot + 1
1023 : pivot, size, compar);
1024 MHD__gnutls_qsort (session, &base[(pivot + 1) * size], nmemb - pivot - 1,
1025 size, compar);
1026}
1027
1028/* a compare function for KX algorithms (using priorities).
1029 * For use with qsort
1030 */
1031static int
1032MHD__gnutls_compare_algo (MHD_gtls_session_t session,
1033 const void *i_A1, const void *i_A2)
1034{
1035 enum MHD_GNUTLS_KeyExchangeAlgorithm kA1 =
1036 MHD_gtls_cipher_suite_get_kx_algo ((const cipher_suite_st *) i_A1);
1037 enum MHD_GNUTLS_KeyExchangeAlgorithm kA2 =
1038 MHD_gtls_cipher_suite_get_kx_algo ((const cipher_suite_st *) i_A2);
1039 enum MHD_GNUTLS_CipherAlgorithm cA1 =
1040 MHD_gtls_cipher_suite_get_cipher_algo ((const cipher_suite_st *) i_A1);
1041 enum MHD_GNUTLS_CipherAlgorithm cA2 =
1042 MHD_gtls_cipher_suite_get_cipher_algo ((const cipher_suite_st *) i_A2);
1043 enum MHD_GNUTLS_HashAlgorithm mA1 =
1044 MHD_gtls_cipher_suite_get_mac_algo ((const cipher_suite_st *) i_A1);
1045 enum MHD_GNUTLS_HashAlgorithm mA2 =
1046 MHD_gtls_cipher_suite_get_mac_algo ((const cipher_suite_st *) i_A2);
1047
1048 int p1 = (MHD_gtls_kx_priority (session, kA1) + 1) * 64;
1049 int p2 = (MHD_gtls_kx_priority (session, kA2) + 1) * 64;
1050 p1 += (MHD_gtls_cipher_priority (session, cA1) + 1) * 8;
1051 p2 += (MHD_gtls_cipher_priority (session, cA2) + 1) * 8;
1052 p1 += MHD_gtls_mac_priority (session, mA1);
1053 p2 += MHD_gtls_mac_priority (session, mA2);
1054
1055 if (p1 > p2)
1056 {
1057 return 1;
1058 }
1059 else
1060 {
1061 if (p1 == p2)
1062 {
1063 return 0;
1064 }
1065 return -1;
1066 }
1067}
1068
1069int
1070MHD_gtls_supported_ciphersuites_sorted (MHD_gtls_session_t session,
1071 cipher_suite_st ** ciphers)
1072{
1073
1074 int count;
1075
1076 count = MHD_gtls_supported_ciphersuites (session, ciphers);
1077 if (count <= 0)
1078 {
1079 MHD_gnutls_assert ();
1080 return count;
1081 }
1082 MHD__gnutls_qsort (session, *ciphers, count, sizeof (cipher_suite_st),
1083 MHD__gnutls_compare_algo);
1084
1085 return count;
1086}
1087
1088int
1089MHD_gtls_supported_ciphersuites (MHD_gtls_session_t session,
1090 cipher_suite_st ** _ciphers)
1091{
1092
1093 unsigned int i, ret_count, j;
1094 unsigned int count = CIPHER_SUITES_COUNT;
1095 cipher_suite_st *tmp_ciphers;
1096 cipher_suite_st *ciphers;
1097 enum MHD_GNUTLS_Protocol version;
1098
1099 if (count == 0)
1100 {
1101 return 0;
1102 }
1103
1104 tmp_ciphers = MHD_gnutls_alloca (count * sizeof (cipher_suite_st));
1105 if (tmp_ciphers == NULL)
1106 return GNUTLS_E_MEMORY_ERROR;
1107
1108 ciphers = MHD_gnutls_malloc (count * sizeof (cipher_suite_st));
1109 if (ciphers == NULL)
1110 {
1111 MHD_gnutls_afree (tmp_ciphers);
1112 return GNUTLS_E_MEMORY_ERROR;
1113 }
1114
1115 version = MHD__gnutls_protocol_get_version (session);
1116
1117 for (i = 0; i < count; i++)
1118 {
1119 memcpy (&tmp_ciphers[i], &MHD_gtls_cs_algorithms[i].id,
1120 sizeof (cipher_suite_st));
1121 }
1122
1123 for (i = j = 0; i < count; i++)
1124 {
1125 /* remove private cipher suites, if requested.
1126 */
1127 if (tmp_ciphers[i].suite[0] == 0xFF)
1128 continue;
1129
1130 /* remove cipher suites which do not support the
1131 * protocol version used.
1132 */
1133 if (MHD_gtls_cipher_suite_get_version (&tmp_ciphers[i]) > version)
1134 continue;
1135
1136 if (MHD_gtls_kx_priority (session,
1137 MHD_gtls_cipher_suite_get_kx_algo
1138 (&tmp_ciphers[i])) < 0)
1139 continue;
1140 if (MHD_gtls_mac_priority (session,
1141 MHD_gtls_cipher_suite_get_mac_algo
1142 (&tmp_ciphers[i])) < 0)
1143 continue;
1144 if (MHD_gtls_cipher_priority (session,
1145 MHD_gtls_cipher_suite_get_cipher_algo
1146 (&tmp_ciphers[i])) < 0)
1147 continue;
1148
1149 memcpy (&ciphers[j], &tmp_ciphers[i], sizeof (cipher_suite_st));
1150 j++;
1151 }
1152
1153 ret_count = j;
1154
1155 MHD_gnutls_afree (tmp_ciphers);
1156
1157 /* This function can no longer return 0 cipher suites.
1158 * It returns an error code instead.
1159 */
1160 if (ret_count == 0)
1161 {
1162 MHD_gnutls_assert ();
1163 MHD_gnutls_free (ciphers);
1164 return GNUTLS_E_NO_CIPHER_SUITES;
1165 }
1166 *_ciphers = ciphers;
1167 return ret_count;
1168}
1169
1170/* For compression */
1171
1172#define MIN_PRIVATE_COMP_ALGO 0xEF
1173
1174/* returns the TLS numbers of the compression methods we support
1175 */
1176#define SUPPORTED_COMPRESSION_METHODS session->internals.priorities.compression.num_algorithms
1177int
1178MHD_gtls_supported_compression_methods (MHD_gtls_session_t session,
1179 uint8_t ** comp)
1180{
1181 unsigned int i, j;
1182
1183 *comp =
1184 MHD_gnutls_malloc (sizeof (uint8_t) * SUPPORTED_COMPRESSION_METHODS);
1185 if (*comp == NULL)
1186 return GNUTLS_E_MEMORY_ERROR;
1187
1188 for (i = j = 0; i < SUPPORTED_COMPRESSION_METHODS; i++)
1189 {
1190 int tmp =
1191 MHD_gtls_compression_get_num (session->internals.priorities.
1192 compression.priority[i]);
1193
1194 /* remove private compression algorithms, if requested.
1195 */
1196 if (tmp == -1 || (tmp >= MIN_PRIVATE_COMP_ALGO))
1197 {
1198 MHD_gnutls_assert ();
1199 continue;
1200 }
1201
1202 (*comp)[j] = (uint8_t) tmp;
1203 j++;
1204 }
1205
1206 if (j == 0)
1207 {
1208 MHD_gnutls_assert ();
1209 MHD_gnutls_free (*comp);
1210 *comp = NULL;
1211 return GNUTLS_E_NO_COMPRESSION_ALGORITHMS;
1212 }
1213 return j;
1214}
1215
1216static const enum MHD_GNUTLS_CertificateType
1217 MHD_gtls_supported_certificate_types[] =
1218{ MHD_GNUTLS_CRT_X509,
1219 0
1220};
1221
1222
1223/* returns the enum MHD_GNUTLS_PublicKeyAlgorithm which is compatible with
1224 * the given enum MHD_GNUTLS_KeyExchangeAlgorithm.
1225 */
1226enum MHD_GNUTLS_PublicKeyAlgorithm
1227MHD_gtls_map_pk_get_pk (enum MHD_GNUTLS_KeyExchangeAlgorithm kx_algorithm)
1228{
1229 enum MHD_GNUTLS_PublicKeyAlgorithm ret = -1;
1230
1231 GNUTLS_PK_MAP_ALG_LOOP (ret = p->pk_algorithm) return ret;
1232}
1233
1234/* Returns the encipher type for the given key exchange algorithm.
1235 * That one of CIPHER_ENCRYPT, CIPHER_SIGN, CIPHER_IGN.
1236 *
1237 * ex. GNUTLS_KX_RSA requires a certificate able to encrypt... so returns CIPHER_ENCRYPT.
1238 */
1239enum encipher_type
1240MHD_gtls_kx_encipher_type (enum MHD_GNUTLS_KeyExchangeAlgorithm kx_algorithm)
1241{
1242 int ret = CIPHER_IGN;
1243 GNUTLS_PK_MAP_ALG_LOOP (ret = p->encipher_type) return ret;
1244
1245}
1246
1247/* signature algorithms;
1248 */
1249struct MHD_gnutls_sign_entry
1250{
1251 const char *name;
1252 const char *oid;
1253 MHD_gnutls_sign_algorithm_t id;
1254 enum MHD_GNUTLS_PublicKeyAlgorithm pk;
1255 enum MHD_GNUTLS_HashAlgorithm mac;
1256};
1257typedef struct MHD_gnutls_sign_entry MHD_gnutls_sign_entry;
1258
1259static const MHD_gnutls_sign_entry MHD_gtls_sign_algorithms[] = {
1260 {"RSA-SHA",
1261 SIG_RSA_SHA1_OID,
1262 GNUTLS_SIGN_RSA_SHA1,
1263 MHD_GNUTLS_PK_RSA,
1264 MHD_GNUTLS_MAC_SHA1},
1265 {"RSA-SHA256",
1266 SIG_RSA_SHA256_OID,
1267 GNUTLS_SIGN_RSA_SHA256,
1268 MHD_GNUTLS_PK_RSA,
1269 MHD_GNUTLS_MAC_SHA256},
1270 {"RSA-MD5",
1271 SIG_RSA_MD5_OID,
1272 GNUTLS_SIGN_RSA_MD5,
1273 MHD_GNUTLS_PK_RSA,
1274 MHD_GNUTLS_MAC_MD5},
1275 {"GOST R 34.10-2001",
1276 SIG_GOST_R3410_2001_OID,
1277 0,
1278 0,
1279 0},
1280 {"GOST R 34.10-94",
1281 SIG_GOST_R3410_94_OID,
1282 0,
1283 0,
1284 0},
1285 {0,
1286 0,
1287 0,
1288 0,
1289 0}
1290};
1291
1292#define GNUTLS_SIGN_LOOP(b) \
1293 do { \
1294 const MHD_gnutls_sign_entry *p; \
1295 for(p = MHD_gtls_sign_algorithms; p->name != NULL; p++) { b ; } \
1296 } while (0)
1297
1298#define GNUTLS_SIGN_ALG_LOOP(a) \
1299 GNUTLS_SIGN_LOOP( if(p->id && p->id == sign) { a; break; } )
1300
1301/* pk algorithms;
1302 */
1303struct MHD_gnutls_pk_entry
1304{
1305 const char *name;
1306 const char *oid;
1307 enum MHD_GNUTLS_PublicKeyAlgorithm id;
1308};
1309typedef struct MHD_gnutls_pk_entry MHD_gnutls_pk_entry;
1310
1311static const MHD_gnutls_pk_entry MHD_gtls_pk_algorithms[] = {
1312 {"RSA",
1313 PK_PKIX1_RSA_OID,
1314 MHD_GNUTLS_PK_RSA},
1315 {"GOST R 34.10-2001",
1316 PK_GOST_R3410_2001_OID,
1317 0},
1318 {"GOST R 34.10-94",
1319 PK_GOST_R3410_94_OID,
1320 0},
1321 {0,
1322 0,
1323 0}
1324};
1325
1326enum MHD_GNUTLS_PublicKeyAlgorithm
1327MHD_gtls_x509_oid2pk_algorithm (const char *oid)
1328{
1329 enum MHD_GNUTLS_PublicKeyAlgorithm ret = MHD_GNUTLS_PK_UNKNOWN;
1330 const MHD_gnutls_pk_entry *p;
1331
1332 for (p = MHD_gtls_pk_algorithms; p->name != NULL; p++)
1333 if (strcmp (p->oid, oid) == 0)
1334 {
1335 ret = p->id;
1336 break;
1337 }
1338
1339 return ret;
1340}
diff --git a/src/daemon/https/tls/gnutls_algorithms.h b/src/daemon/https/tls/gnutls_algorithms.h
deleted file mode 100644
index 6a4021c7..00000000
--- a/src/daemon/https/tls/gnutls_algorithms.h
+++ /dev/null
@@ -1,148 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef ALGORITHMS_H
26#define ALGORITHMS_H
27
28#include "gnutls_auth.h"
29
30/* Functions for version handling. */
31enum MHD_GNUTLS_Protocol MHD_gtls_version_max (MHD_gtls_session_t session);
32int MHD_gtls_version_priority (MHD_gtls_session_t session,
33 enum MHD_GNUTLS_Protocol version);
34int MHD_gtls_version_is_supported (MHD_gtls_session_t session,
35 const enum MHD_GNUTLS_Protocol version);
36int MHD_gtls_version_get_major (enum MHD_GNUTLS_Protocol ver);
37int MHD_gtls_version_get_minor (enum MHD_GNUTLS_Protocol ver);
38enum MHD_GNUTLS_Protocol MHD_gtls_version_get (int major, int minor);
39
40/* Functions for MACs. */
41int MHD_gnutls_mac_is_ok (enum MHD_GNUTLS_HashAlgorithm algorithm);
42/* Functions for cipher suites. */
43int MHD_gtls_supported_ciphersuites (MHD_gtls_session_t session,
44 cipher_suite_st ** ciphers);
45int MHD_gtls_supported_ciphersuites_sorted (MHD_gtls_session_t session,
46 cipher_suite_st ** ciphers);
47int MHD_gtls_supported_compression_methods (MHD_gtls_session_t session,
48 uint8_t ** comp);
49const char *MHD_gtls_cipher_suite_get_name (cipher_suite_st * algorithm);
50enum MHD_GNUTLS_CipherAlgorithm MHD_gtls_cipher_suite_get_cipher_algo (const
51 cipher_suite_st
52 *
53 algorithm);
54enum MHD_GNUTLS_KeyExchangeAlgorithm MHD_gtls_cipher_suite_get_kx_algo (const
55 cipher_suite_st
56 *
57 algorithm);
58enum MHD_GNUTLS_HashAlgorithm MHD_gtls_cipher_suite_get_mac_algo (const
59 cipher_suite_st
60 *
61 algorithm);
62enum MHD_GNUTLS_Protocol MHD_gtls_cipher_suite_get_version (const
63 cipher_suite_st *
64 algorithm);
65cipher_suite_st MHD_gtls_cipher_suite_get_suite_name (cipher_suite_st *
66 algorithm);
67
68/* Functions for ciphers. */
69int MHD_gtls_cipher_get_block_size (enum MHD_GNUTLS_CipherAlgorithm
70 algorithm);
71int MHD_gtls_cipher_is_block (enum MHD_GNUTLS_CipherAlgorithm algorithm);
72int MHD_gtls_cipher_is_ok (enum MHD_GNUTLS_CipherAlgorithm algorithm);
73int MHD_gtls_cipher_get_iv_size (enum MHD_GNUTLS_CipherAlgorithm algorithm);
74int MHD_gtls_cipher_get_export_flag (enum MHD_GNUTLS_CipherAlgorithm
75 algorithm);
76
77/* Functions for key exchange. */
78int MHD_gtls_kx_needs_dh_params (enum MHD_GNUTLS_KeyExchangeAlgorithm
79 algorithm);
80int MHD_gtls_kx_needs_rsa_params (enum MHD_GNUTLS_KeyExchangeAlgorithm
81 algorithm);
82MHD_gtls_mod_auth_st *MHD_gtls_kx_auth_struct (enum
83 MHD_GNUTLS_KeyExchangeAlgorithm
84 algorithm);
85int MHD_gtls_kx_is_ok (enum MHD_GNUTLS_KeyExchangeAlgorithm algorithm);
86
87/* Functions for compression. */
88int MHD_gtls_compression_is_ok (enum MHD_GNUTLS_CompressionMethod algorithm);
89int MHD_gtls_compression_get_num (enum MHD_GNUTLS_CompressionMethod
90 algorithm);
91enum MHD_GNUTLS_CompressionMethod MHD_gtls_compression_get_id_from_int (int
92 num);
93int MHD_gtls_compression_get_mem_level (enum MHD_GNUTLS_CompressionMethod
94 algorithm);
95int MHD_gtls_compression_get_comp_level (enum MHD_GNUTLS_CompressionMethod
96 algorithm);
97int MHD_gtls_compression_get_wbits (enum MHD_GNUTLS_CompressionMethod
98 algorithm);
99
100/* Type to KX mappings. */
101enum MHD_GNUTLS_CredentialsType MHD_gtls_map_kx_get_cred (enum
102 MHD_GNUTLS_KeyExchangeAlgorithm
103 algorithm,
104 int server);
105
106/* KX to PK mapping. */
107enum MHD_GNUTLS_PublicKeyAlgorithm MHD_gtls_map_pk_get_pk (enum
108 MHD_GNUTLS_KeyExchangeAlgorithm
109 kx_algorithm);
110enum MHD_GNUTLS_PublicKeyAlgorithm MHD_gtls_x509_oid2pk_algorithm (const char
111 *oid);
112enum encipher_type
113{ CIPHER_ENCRYPT = 0, CIPHER_SIGN = 1, CIPHER_IGN };
114
115enum encipher_type MHD_gtls_kx_encipher_type (enum
116 MHD_GNUTLS_KeyExchangeAlgorithm
117 algorithm);
118
119struct MHD_gtls_compression_entry
120{
121 const char *name;
122 enum MHD_GNUTLS_CompressionMethod id;
123 int num; /* the number reserved in TLS for the specific compression method */
124
125 /* used in zlib compressor */
126 int window_bits;
127 int mem_level;
128 int comp_level;
129};
130typedef struct MHD_gtls_compression_entry MHD_gnutls_compression_entry;
131
132/* Functions for sign algorithms. */
133
134int MHD_gtls_mac_priority (MHD_gtls_session_t session,
135 enum MHD_GNUTLS_HashAlgorithm algorithm);
136int MHD_gtls_cipher_priority (MHD_gtls_session_t session,
137 enum MHD_GNUTLS_CipherAlgorithm algorithm);
138int MHD_gtls_kx_priority (MHD_gtls_session_t session,
139 enum MHD_GNUTLS_KeyExchangeAlgorithm algorithm);
140
141enum MHD_GNUTLS_HashAlgorithm MHD_gtls_mac_get_id (const char *name);
142enum MHD_GNUTLS_CipherAlgorithm MHD_gtls_cipher_get_id (const char *name);
143enum MHD_GNUTLS_KeyExchangeAlgorithm MHD_gtls_kx_get_id (const char *name);
144enum MHD_GNUTLS_Protocol MHD_gtls_protocol_get_id (const char *name);
145enum MHD_GNUTLS_CertificateType MHD_gtls_certificate_type_get_id (const char
146 *name);
147
148#endif
diff --git a/src/daemon/https/tls/gnutls_asn1_tab.c b/src/daemon/https/tls/gnutls_asn1_tab.c
deleted file mode 100644
index 9b511521..00000000
--- a/src/daemon/https/tls/gnutls_asn1_tab.c
+++ /dev/null
@@ -1,63 +0,0 @@
1#if HAVE_CONFIG_H
2#include "MHD_config.h"
3#endif
4
5#include <libtasn1.h>
6
7const ASN1_ARRAY_TYPE MHD_gnutlsMHD__asn1_tab[] = {
8 {"GNUTLS", 536872976, 0},
9 {0, 1073741836, 0},
10 {"RSAPublicKey", 1610612741, 0},
11 {"modulus", 1073741827, 0},
12 {"publicExponent", 3, 0},
13 {"RSAPrivateKey", 1610612741, 0},
14 {"version", 1073741826, "Version"},
15 {"modulus", 1073741827, 0},
16 {"publicExponent", 1073741827, 0},
17 {"privateExponent", 1073741827, 0},
18 {"prime1", 1073741827, 0},
19 {"prime2", 1073741827, 0},
20 {"exponent1", 1073741827, 0},
21 {"exponent2", 1073741827, 0},
22 {"coefficient", 1073741827, 0},
23 {"otherPrimeInfos", 16386, "OtherPrimeInfos"},
24 {"Version", 1610874883, 0},
25 {"two-prime", 1073741825, "0"},
26 {"multi", 1, "1"},
27 {"OtherPrimeInfos", 1612709899, 0},
28 {"MAX", 1074266122, "1"},
29 {0, 2, "OtherPrimeInfo"},
30 {"OtherPrimeInfo", 1610612741, 0},
31 {"prime", 1073741827, 0},
32 {"exponent", 1073741827, 0},
33 {"coefficient", 3, 0},
34 {"AlgorithmIdentifier", 1610612741, 0},
35 {"algorithm", 1073741836, 0},
36 {"parameters", 541081613, 0},
37 {"algorithm", 1, 0},
38 {"DigestInfo", 1610612741, 0},
39 {"digestAlgorithm", 1073741826, "DigestAlgorithmIdentifier"},
40 {"digest", 2, "Digest"},
41 {"DigestAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"},
42 {"Digest", 1073741831, 0},
43 {"DSAPublicKey", 1073741827, 0},
44 {"DSAParameters", 1610612741, 0},
45 {"p", 1073741827, 0},
46 {"q", 1073741827, 0},
47 {"g", 3, 0},
48 {"DSASignatureValue", 1610612741, 0},
49 {"r", 1073741827, 0},
50 {"s", 3, 0},
51 {"DSAPrivateKey", 1610612741, 0},
52 {"version", 1073741827, 0},
53 {"p", 1073741827, 0},
54 {"q", 1073741827, 0},
55 {"g", 1073741827, 0},
56 {"Y", 1073741827, 0},
57 {"priv", 3, 0},
58 {"DHParameter", 536870917, 0},
59 {"prime", 1073741827, 0},
60 {"base", 1073741827, 0},
61 {"privateValueLength", 16387, 0},
62 {0, 0, 0}
63};
diff --git a/src/daemon/https/tls/gnutls_auth.c b/src/daemon/https/tls/gnutls_auth.c
deleted file mode 100644
index 7c820c4e..00000000
--- a/src/daemon/https/tls/gnutls_auth.c
+++ /dev/null
@@ -1,361 +0,0 @@
1/*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include "gnutls_int.h"
26#include "gnutls_errors.h"
27#include "gnutls_auth.h"
28#include "gnutls_auth_int.h"
29#include "gnutls_algorithms.h"
30#include "auth_cert.h"
31#include <gnutls_datum.h>
32
33/* The functions here are used in order for authentication algorithms
34 * to be able to retrieve the needed credentials eg public and private
35 * key etc.
36 */
37
38/**
39 * MHD__gnutls_credentials_clear - Clears all the credentials previously set
40 * @session: is a #MHD_gtls_session_t structure.
41 *
42 * Clears all the credentials previously set in this session.
43 *
44 **/
45void
46MHD__gnutls_credentials_clear (MHD_gtls_session_t session)
47{
48 if (session->key && session->key->cred)
49 { /* beginning of the list */
50 auth_cred_st *ccred, *ncred;
51 ccred = session->key->cred;
52 while (ccred != NULL)
53 {
54 ncred = ccred->next;
55 MHD_gnutls_free (ccred);
56 ccred = ncred;
57 }
58 session->key->cred = NULL;
59 }
60}
61
62/*
63 * This creates a linked list of the form:
64 * { algorithm, credentials, pointer to next }
65 */
66/**
67 * MHD__gnutls_credentials_set - Sets the needed credentials for the specified authentication algorithm.
68 * @session: is a #MHD_gtls_session_t structure.
69 * @type: is the type of the credentials
70 * @cred: is a pointer to a structure.
71 *
72 * Sets the needed credentials for the specified type.
73 * Eg username, password - or public and private keys etc.
74 * The (void* cred) parameter is a structure that depends on the
75 * specified type and on the current session (client or server).
76 * [ In order to minimize memory usage, and share credentials between
77 * several threads gnutls keeps a pointer to cred, and not the whole cred
78 * structure. Thus you will have to keep the structure allocated until
79 * you call MHD__gnutls_deinit(). ]
80 *
81 * For GNUTLS_CRD_SRP cred should be MHD_gnutls_srp_client_credentials_t
82 * in case of a client, and MHD_gnutls_srp_server_credentials_t, in case
83 * of a server.
84 *
85 * For GNUTLS_CRD_CERTIFICATE cred should be MHD_gtls_cert_credentials_t.
86 *
87 **/
88int
89MHD__gnutls_credentials_set (MHD_gtls_session_t session,
90 enum MHD_GNUTLS_CredentialsType type, void *cred)
91{
92 auth_cred_st *ccred = NULL, *pcred = NULL;
93 int exists = 0;
94
95 if (session->key->cred == NULL)
96 { /* beginning of the list */
97
98 session->key->cred = MHD_gnutls_malloc (sizeof (auth_cred_st));
99 if (session->key->cred == NULL)
100 return GNUTLS_E_MEMORY_ERROR;
101
102 /* copy credentials locally */
103 session->key->cred->credentials = cred;
104
105 session->key->cred->next = NULL;
106 session->key->cred->algorithm = type;
107 }
108 else
109 {
110 ccred = session->key->cred;
111 while (ccred != NULL)
112 {
113 if (ccred->algorithm == type)
114 {
115 exists = 1;
116 break;
117 }
118 pcred = ccred;
119 ccred = ccred->next;
120 }
121 /* After this, pcred is not null.
122 */
123
124 if (exists == 0)
125 { /* new entry */
126 pcred->next = MHD_gnutls_malloc (sizeof (auth_cred_st));
127 if (pcred->next == NULL)
128 return GNUTLS_E_MEMORY_ERROR;
129
130 ccred = pcred->next;
131
132 /* copy credentials locally */
133 ccred->credentials = cred;
134
135 ccred->next = NULL;
136 ccred->algorithm = type;
137 }
138 else
139 { /* modify existing entry */
140 MHD_gnutls_free (ccred->credentials);
141 ccred->credentials = cred;
142 }
143 }
144
145 return 0;
146}
147
148/**
149 * MHD_gtls_auth_get_type - Returns the type of credentials for the current authentication schema.
150 * @session: is a #MHD_gtls_session_t structure.
151 *
152 * Returns type of credentials for the current authentication schema.
153 * The returned information is to be used to distinguish the function used
154 * to access authentication data.
155 *
156 * Eg. for CERTIFICATE ciphersuites (key exchange algorithms: KX_RSA, KX_DHE_RSA),
157 * the same function are to be used to access the authentication data.
158 **/
159enum MHD_GNUTLS_CredentialsType
160MHD_gtls_auth_get_type (MHD_gtls_session_t session)
161{
162/* This is not the credentials we must set, but the authentication data
163 * we get by the peer, so it should be reversed.
164 */
165 int server = session->security_parameters.entity == GNUTLS_SERVER ? 0 : 1;
166
167 return
168 MHD_gtls_map_kx_get_cred (MHD_gtls_cipher_suite_get_kx_algo
169 (&session->security_parameters.
170 current_cipher_suite), server);
171}
172
173/*
174 * This returns a pointer to the linked list. Don't
175 * free that!!!
176 */
177const void *
178MHD_gtls_get_kx_cred (MHD_gtls_session_t session,
179 enum MHD_GNUTLS_KeyExchangeAlgorithm algo, int *err)
180{
181 int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0;
182
183 return MHD_gtls_get_cred (session->key,
184 MHD_gtls_map_kx_get_cred (algo, server), err);
185}
186
187const void *
188MHD_gtls_get_cred (MHD_gtls_key_st key, enum MHD_GNUTLS_CredentialsType type,
189 int *err)
190{
191 const void *retval = NULL;
192 int _err = -1;
193 auth_cred_st *ccred;
194
195 if (key == NULL)
196 goto out;
197
198 ccred = key->cred;
199 while (ccred != NULL)
200 {
201 if (ccred->algorithm == type)
202 {
203 break;
204 }
205 ccred = ccred->next;
206 }
207 if (ccred == NULL)
208 goto out;
209
210 _err = 0;
211 retval = ccred->credentials;
212
213out:
214 if (err != NULL)
215 *err = _err;
216 return retval;
217}
218
219/*-
220 * MHD_gtls_get_auth_info - Returns a pointer to authentication information.
221 * @session: is a #MHD_gtls_session_t structure.
222 *
223 * This function must be called after a succesful MHD__gnutls_handshake().
224 * Returns a pointer to authentication information. That information
225 * is data obtained by the handshake protocol, the key exchange algorithm,
226 * and the TLS extensions messages.
227 *
228 * In case of GNUTLS_CRD_CERTIFICATE returns a type of &cert_auth_info_t;
229 * In case of GNUTLS_CRD_SRP returns a type of &srp_(server/client)_auth_info_t;
230 -*/
231void *
232MHD_gtls_get_auth_info (MHD_gtls_session_t session)
233{
234 return session->key->auth_info;
235}
236
237/*-
238 * MHD_gtls_free_auth_info - Frees the auth info structure
239 * @session: is a #MHD_gtls_session_t structure.
240 *
241 * This function frees the auth info structure and sets it to
242 * null. It must be called since some structures contain malloced
243 * elements.
244 -*/
245void
246MHD_gtls_free_auth_info (MHD_gtls_session_t session)
247{
248 MHD_gtls_dh_info_st *dh_info;
249 rsa_info_st *rsa_info;
250
251 if (session == NULL || session->key == NULL)
252 {
253 MHD_gnutls_assert ();
254 return;
255 }
256
257 switch (session->key->auth_info_type)
258 {
259 case MHD_GNUTLS_CRD_CERTIFICATE:
260 {
261 unsigned int i;
262 cert_auth_info_t info = MHD_gtls_get_auth_info (session);
263
264 if (info == NULL)
265 break;
266
267 dh_info = &info->dh;
268 rsa_info = &info->rsa_export;
269 for (i = 0; i < info->ncerts; i++)
270 {
271 MHD__gnutls_free_datum (&info->raw_certificate_list[i]);
272 }
273
274 MHD_gnutls_free (info->raw_certificate_list);
275 info->raw_certificate_list = NULL;
276 info->ncerts = 0;
277
278 MHD_gtls_free_dh_info (dh_info);
279 MHD_gtls_free_rsa_info (rsa_info);
280 }
281
282
283 break;
284 default:
285 return;
286
287 }
288
289 MHD_gnutls_free (session->key->auth_info);
290 session->key->auth_info = NULL;
291 session->key->auth_info_size = 0;
292 session->key->auth_info_type = 0;
293
294}
295
296/* This function will set the auth info structure in the key
297 * structure.
298 * If allow change is !=0 then this will allow changing the auth
299 * info structure to a different type.
300 */
301int
302MHD_gtls_auth_info_set (MHD_gtls_session_t session,
303 enum MHD_GNUTLS_CredentialsType type, int size,
304 int allow_change)
305{
306 if (session->key->auth_info == NULL)
307 {
308 session->key->auth_info = MHD_gnutls_calloc (1, size);
309 if (session->key->auth_info == NULL)
310 {
311 MHD_gnutls_assert ();
312 return GNUTLS_E_MEMORY_ERROR;
313 }
314 session->key->auth_info_type = type;
315 session->key->auth_info_size = size;
316 }
317 else
318 {
319 if (allow_change == 0)
320 {
321 /* If the credentials for the current authentication scheme,
322 * are not the one we want to set, then it's an error.
323 * This may happen if a rehandshake is performed an the
324 * ciphersuite which is negotiated has different authentication
325 * schema.
326 */
327 if (MHD_gtls_auth_get_type (session) !=
328 session->key->auth_info_type)
329 {
330 MHD_gnutls_assert ();
331 return GNUTLS_E_INVALID_REQUEST;
332 }
333 }
334 else
335 {
336 /* The new behaviour: Here we reallocate the auth info structure
337 * in order to be able to negotiate different authentication
338 * types. Ie. perform an auth_anon and then authenticate again using a
339 * certificate (in order to prevent revealing the certificate's contents,
340 * to passive eavesdropers.
341 */
342 if (MHD_gtls_auth_get_type (session) !=
343 session->key->auth_info_type)
344 {
345
346 MHD_gtls_free_auth_info (session);
347
348 session->key->auth_info = calloc (1, size);
349 if (session->key->auth_info == NULL)
350 {
351 MHD_gnutls_assert ();
352 return GNUTLS_E_MEMORY_ERROR;
353 }
354
355 session->key->auth_info_type = type;
356 session->key->auth_info_size = size;
357 }
358 }
359 }
360 return 0;
361}
diff --git a/src/daemon/https/tls/gnutls_auth.h b/src/daemon/https/tls/gnutls_auth.h
deleted file mode 100644
index 4956268c..00000000
--- a/src/daemon/https/tls/gnutls_auth.h
+++ /dev/null
@@ -1,51 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef GNUTLS_AUTH_H
26#define GNUTLS_AUTH_H
27
28typedef struct MHD_gtls_mod_auth_st_int
29{
30 const char *name; /* null terminated */
31 int (*MHD_gtls_gen_server_certificate) (MHD_gtls_session_t, opaque **);
32 int (*MHD_gtls_gen_client_certificate) (MHD_gtls_session_t, opaque **);
33 int (*MHD_gtls_gen_server_kx) (MHD_gtls_session_t, opaque **);
34 int (*MHD_gtls_gen_client_kx) (MHD_gtls_session_t, opaque **); /* used in SRP */
35 int (*MHD_gtls_gen_client_cert_vrfy) (MHD_gtls_session_t, opaque **);
36 int (*MHD_gtls_gen_server_certificate_request) (MHD_gtls_session_t,
37 opaque **);
38
39 int (*MHD_gtls_process_server_certificate) (MHD_gtls_session_t, opaque *,
40 size_t);
41 int (*MHD_gtls_process_client_certificate) (MHD_gtls_session_t, opaque *,
42 size_t);
43 int (*MHD_gtls_process_server_kx) (MHD_gtls_session_t, opaque *, size_t);
44 int (*MHD_gtls_process_client_kx) (MHD_gtls_session_t, opaque *, size_t);
45 int (*MHD_gtls_process_client_cert_vrfy) (MHD_gtls_session_t, opaque *,
46 size_t);
47 int (*MHD_gtls_process_server_certificate_request) (MHD_gtls_session_t,
48 opaque *, size_t);
49} MHD_gtls_mod_auth_st;
50
51#endif
diff --git a/src/daemon/https/tls/gnutls_auth_int.h b/src/daemon/https/tls/gnutls_auth_int.h
deleted file mode 100644
index 425dc8a3..00000000
--- a/src/daemon/https/tls/gnutls_auth_int.h
+++ /dev/null
@@ -1,33 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25const void *MHD_gtls_get_cred (MHD_gtls_key_st key,
26 enum MHD_GNUTLS_CredentialsType kx, int *err);
27const void *MHD_gtls_get_kx_cred (MHD_gtls_session_t session,
28 enum MHD_GNUTLS_KeyExchangeAlgorithm algo,
29 int *err);
30void *MHD_gtls_get_auth_info (MHD_gtls_session_t session);
31int MHD_gtls_auth_info_set (MHD_gtls_session_t session,
32 enum MHD_GNUTLS_CredentialsType type, int size,
33 int allow_change);
diff --git a/src/daemon/https/tls/gnutls_buffers.c b/src/daemon/https/tls/gnutls_buffers.c
deleted file mode 100644
index c687cb23..00000000
--- a/src/daemon/https/tls/gnutls_buffers.c
+++ /dev/null
@@ -1,1111 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This is the only file that uses the berkeley sockets API.
26 *
27 * Also holds all the buffering code used in gnutls.
28 * The buffering code works as:
29 *
30 * RECORD LAYER:
31 * 1. uses a buffer to hold data (application/handshake),
32 * we got but they were not requested, yet.
33 * (see MHD_gnutls_record_buffer_put(), MHD_gnutls_record_buffer_get_size() etc.)
34 *
35 * 2. uses a buffer to hold data that were incomplete (ie the read/write
36 * was interrupted)
37 * (see MHD_gtls_io_read_buffered(), MHD_gtls_io_write_buffered() etc.)
38 *
39 * HANDSHAKE LAYER:
40 * 1. Uses a buffer to hold data that was not sent or received
41 * complete. (E.g. sent 10 bytes of a handshake packet that is 20 bytes
42 * long).
43 * (see MHD__gnutls_handshake_send_int(), MHD__gnutls_handshake_recv_int())
44 *
45 * 2. Uses buffer to hold the last received handshake message.
46 * (see MHD_gtls_handshake_buffer_put() etc.)
47 *
48 */
49
50#include <gnutls_int.h>
51#include <gnutls_errors.h>
52#include <gnutls_num.h>
53#include <gnutls_record.h>
54#include <gnutls_buffers.h>
55
56#include <errno.h>
57
58#ifdef _WIN32
59# include <winsock2.h>
60#endif
61
62#ifndef EAGAIN
63# define EAGAIN EWOULDBLOCK
64#endif
65
66/* Buffers received packets of type APPLICATION DATA and
67 * HANDSHAKE DATA.
68 */
69int
70MHD_gnutls_record_buffer_put (content_type_t type,
71 MHD_gtls_session_t session, opaque * data,
72 size_t length)
73{
74 MHD_gtls_buffer *buf;
75
76 if (length == 0)
77 return 0;
78
79 switch (type)
80 {
81 case GNUTLS_APPLICATION_DATA:
82 buf = &session->internals.application_data_buffer;
83 MHD__gnutls_buffers_log ("BUF[REC]: Inserted %d bytes of Data(%d)\n",
84 length, type);
85 break;
86
87 case GNUTLS_HANDSHAKE:
88 buf = &session->internals.handshake_data_buffer;
89 MHD__gnutls_buffers_log ("BUF[HSK]: Inserted %d bytes of Data(%d)\n",
90 length, type);
91 break;
92
93 case GNUTLS_INNER_APPLICATION:
94 buf = &session->internals.ia_data_buffer;
95 MHD__gnutls_buffers_log ("BUF[IA]: Inserted %d bytes of Data(%d)\n",
96 length, type);
97 break;
98
99 default:
100 MHD_gnutls_assert ();
101 return GNUTLS_E_INVALID_REQUEST;
102 }
103
104 if (MHD_gtls_buffer_append (buf, data, length) < 0)
105 {
106 MHD_gnutls_assert ();
107 return GNUTLS_E_MEMORY_ERROR;
108 }
109
110 return 0;
111}
112
113int
114MHD_gnutls_record_buffer_get_size (content_type_t type,
115 MHD_gtls_session_t session)
116{
117 switch (type)
118 {
119 case GNUTLS_APPLICATION_DATA:
120 return session->internals.application_data_buffer.length;
121
122 case GNUTLS_HANDSHAKE:
123 return session->internals.handshake_data_buffer.length;
124
125 case GNUTLS_INNER_APPLICATION:
126 return session->internals.ia_data_buffer.length;
127
128 default:
129 return GNUTLS_E_INVALID_REQUEST;
130 }
131}
132
133int
134MHD_gtls_record_buffer_get (content_type_t type, MHD_gtls_session_t session,
135 opaque * data, size_t length)
136{
137 if (length == 0 || data == NULL)
138 {
139 MHD_gnutls_assert ();
140 return GNUTLS_E_INVALID_REQUEST;
141 }
142
143 switch (type)
144 {
145 case GNUTLS_APPLICATION_DATA:
146
147 if (length > session->internals.application_data_buffer.length)
148 {
149 length = session->internals.application_data_buffer.length;
150 }
151
152 MHD__gnutls_buffers_log ("BUFFER[REC][AD]: Read %d bytes of Data(%d)\n",
153 length, type);
154
155 session->internals.application_data_buffer.length -= length;
156 memcpy (data, session->internals.application_data_buffer.data, length);
157
158 /* overwrite buffer */
159 memmove (session->internals.application_data_buffer.data,
160 &session->internals.application_data_buffer.data[length],
161 session->internals.application_data_buffer.length);
162
163 /* we do no longer realloc the application_data_buffer.data,
164 * since it serves no practical reason. It also decreases
165 * performance.
166 */
167 break;
168
169 case GNUTLS_HANDSHAKE:
170 if (length > session->internals.handshake_data_buffer.length)
171 {
172 length = session->internals.handshake_data_buffer.length;
173 }
174
175 MHD__gnutls_buffers_log ("BUF[REC][HD]: Read %d bytes of Data(%d)\n",
176 length, type);
177
178 session->internals.handshake_data_buffer.length -= length;
179 memcpy (data, session->internals.handshake_data_buffer.data, length);
180
181 /* overwrite buffer */
182 memmove (session->internals.handshake_data_buffer.data,
183 &session->internals.handshake_data_buffer.data[length],
184 session->internals.handshake_data_buffer.length);
185
186 break;
187
188 case GNUTLS_INNER_APPLICATION:
189 if (length > session->internals.ia_data_buffer.length)
190 length = session->internals.ia_data_buffer.length;
191
192 MHD__gnutls_buffers_log ("BUF[REC][IA]: Read %d bytes of Data(%d)\n",
193 length, type);
194
195 session->internals.ia_data_buffer.length -= length;
196 memcpy (data, session->internals.ia_data_buffer.data, length);
197
198 /* overwrite buffer */
199 memmove (session->internals.ia_data_buffer.data,
200 &session->internals.ia_data_buffer.data[length],
201 session->internals.ia_data_buffer.length);
202
203 break;
204
205 default:
206 MHD_gnutls_assert ();
207 return GNUTLS_E_INVALID_REQUEST;
208 }
209
210 return length;
211}
212
213/* This function is like read. But it does not return -1 on error.
214 * It does return MHD_gnutls_errno instead.
215 *
216 * Flags are only used if the default recv() function is being used.
217 */
218static ssize_t
219MHD__gnutls_read (MHD_gtls_session_t session, void *iptr,
220 size_t sizeOfPtr, int flags)
221{
222 size_t left;
223 ssize_t i = 0;
224 char *ptr = iptr;
225 MHD_gnutls_transport_ptr_t fd = session->internals.transport_recv_ptr;
226
227 session->internals.direction = 0;
228
229 left = sizeOfPtr;
230 while (left > 0)
231 {
232 session->internals.errnum = 0;
233 if (session->internals.MHD__gnutls_pull_func == NULL)
234 {
235 i =
236 recv (GNUTLS_POINTER_TO_INT (fd), &ptr[sizeOfPtr - left], left,
237 flags);
238#if HAVE_WINSOCK
239 if (i < 0)
240 {
241 int tmperr = WSAGetLastError ();
242 switch (tmperr)
243 {
244 case WSAEWOULDBLOCK:
245 session->internals.errnum = EAGAIN;
246 break;
247
248 case WSAEINTR:
249 session->internals.errnum = EINTR;
250 break;
251
252 default:
253 session->internals.errnum = EIO;
254 break;
255 }
256 WSASetLastError (tmperr);
257 }
258#endif
259 }
260 else
261 i = session->internals.MHD__gnutls_pull_func (fd,
262 &ptr[sizeOfPtr - left],
263 left);
264 if (i < 0)
265 {
266 int err = session->internals.errnum ? session->internals.errnum
267 : errno;
268 if ( (err == EAGAIN) || (err == EINTR) )
269 {
270 if (sizeOfPtr - left > 0)
271 goto finish;
272 MHD_gnutls_assert ();
273 if (err == EAGAIN)
274 return GNUTLS_E_AGAIN;
275 return GNUTLS_E_INTERRUPTED;
276 }
277 else
278 {
279 MHD_gnutls_assert ();
280 return GNUTLS_E_PULL_ERROR;
281 }
282 }
283 else
284 {
285 if (i == 0)
286 break; /* EOF */
287 }
288 left -= i;
289 }
290
291finish:
292 return (sizeOfPtr - left);
293}
294
295#define RCVLOWAT session->internals.lowat
296
297/* This function is only used with berkeley style sockets.
298 * Clears the peeked data (read with MSG_PEEK).
299 */
300int
301MHD_gtls_io_clear_peeked_data (MHD_gtls_session_t session)
302{
303 char *peekdata;
304 int ret, sum;
305
306 if (session->internals.have_peeked_data == 0 || RCVLOWAT == 0)
307 return 0;
308
309 peekdata = MHD_gnutls_alloca (RCVLOWAT);
310 if (peekdata == NULL)
311 {
312 MHD_gnutls_assert ();
313 return GNUTLS_E_MEMORY_ERROR;
314 }
315
316 /* this was already read by using MSG_PEEK - so it shouldn't fail */
317 sum = 0;
318 do
319 { /* we need this to finish now */
320 ret = MHD__gnutls_read (session, peekdata, RCVLOWAT - sum, 0);
321 if (ret > 0)
322 sum += ret;
323 }
324 while ( (ret == GNUTLS_E_INTERRUPTED) ||
325 (ret == GNUTLS_E_AGAIN) ||
326 (sum < RCVLOWAT) );
327
328 MHD_gnutls_afree (peekdata);
329
330 if (ret < 0)
331 {
332 MHD_gnutls_assert ();
333 return ret;
334 }
335
336 session->internals.have_peeked_data = 0;
337
338 return 0;
339}
340
341void
342MHD_gtls_io_clear_read_buffer (MHD_gtls_session_t session)
343{
344 session->internals.record_recv_buffer.length = 0;
345}
346
347/* This function is like recv(with MSG_PEEK). But it does not return -1 on error.
348 * It does return MHD_gnutls_errno instead.
349 * This function reads data from the socket and keeps them in a buffer, of up to
350 * MAX_RECV_SIZE.
351 *
352 * This is not a general purpose function. It returns EXACTLY the data requested,
353 * which are stored in a local (in the session) buffer. A pointer (iptr) to this buffer is returned.
354 *
355 */
356ssize_t
357MHD_gtls_io_read_buffered (MHD_gtls_session_t session, opaque ** iptr,
358 size_t sizeOfPtr, content_type_t recv_type)
359{
360 ssize_t ret = 0, ret2 = 0;
361 size_t min;
362 int buf_pos;
363 opaque *buf;
364 int recvlowat;
365 int recvdata, alloc_size;
366
367 *iptr = session->internals.record_recv_buffer.data;
368
369 if (sizeOfPtr > MAX_RECV_SIZE || sizeOfPtr == 0)
370 {
371 MHD_gnutls_assert (); /* internal error */
372 return GNUTLS_E_INVALID_REQUEST;
373 }
374
375 /* If an external pull function is used, then do not leave
376 * any data into the kernel buffer.
377 */
378 if (session->internals.MHD__gnutls_pull_func != NULL)
379 {
380 recvlowat = 0;
381 }
382 else
383 {
384 /* leave peeked data to the kernel space only if application data
385 * is received and we don't have any peeked
386 * data in gnutls session.
387 */
388 if (recv_type != GNUTLS_APPLICATION_DATA
389 && session->internals.have_peeked_data == 0)
390 recvlowat = 0;
391 else
392 recvlowat = RCVLOWAT;
393 }
394
395 /* calculate the actual size, ie. get the minimum of the
396 * buffered data and the requested data.
397 */
398 min = MIN (session->internals.record_recv_buffer.length, sizeOfPtr);
399 if (min > 0)
400 {
401 /* if we have enough buffered data
402 * then just return them.
403 */
404 if (min == sizeOfPtr)
405 {
406 return min;
407 }
408 }
409
410 /* min is over zero. recvdata is the data we must
411 * receive in order to return the requested data.
412 */
413 recvdata = sizeOfPtr - min;
414
415 /* Check if the previously read data plus the new data to
416 * receive are longer than the maximum receive buffer size.
417 */
418 if ((session->internals.record_recv_buffer.length + recvdata)
419 > MAX_RECV_SIZE)
420 {
421 MHD_gnutls_assert (); /* internal error */
422 return GNUTLS_E_INVALID_REQUEST;
423 }
424
425 /* Allocate the data required to store the new packet.
426 */
427 alloc_size = recvdata + session->internals.record_recv_buffer.length;
428 session->internals.record_recv_buffer.data =
429 MHD_gtls_realloc_fast (session->internals.record_recv_buffer.data,
430 alloc_size);
431 if (session->internals.record_recv_buffer.data == NULL)
432 {
433 MHD_gnutls_assert ();
434 return GNUTLS_E_MEMORY_ERROR;
435 }
436
437 buf_pos = session->internals.record_recv_buffer.length;
438 buf = session->internals.record_recv_buffer.data;
439 *iptr = buf;
440
441 /* READ DATA - but leave RCVLOWAT bytes in the kernel buffer. */
442 if (recvdata - recvlowat > 0)
443 {
444 ret =
445 MHD__gnutls_read (session, &buf[buf_pos], recvdata - recvlowat, 0);
446
447 /* return immediately if we got an interrupt or eagain
448 * error.
449 */
450 if (ret < 0 && MHD_gtls_error_is_fatal (ret) == 0)
451 {
452 return ret;
453 }
454 }
455
456 /* copy fresh data to our buffer.
457 */
458 if (ret > 0)
459 {
460 MHD__gnutls_read_log
461 ("RB: Have %d bytes into buffer. Adding %d bytes.\n",
462 session->internals.record_recv_buffer.length, ret);
463 MHD__gnutls_read_log ("RB: Requested %d bytes\n", sizeOfPtr);
464 session->internals.record_recv_buffer.length += ret;
465 }
466
467 buf_pos = session->internals.record_recv_buffer.length;
468
469 /* This is a hack placed in order for select to work. Just leave recvlowat data,
470 * into the kernel buffer (using a read with MSG_PEEK), thus making
471 * select think, that the socket is ready for reading.
472 * MSG_PEEK is only used with berkeley style sockets.
473 */
474 if (ret == (recvdata - recvlowat) && recvlowat > 0)
475 {
476 ret2 = MHD__gnutls_read (session, &buf[buf_pos], recvlowat, MSG_PEEK);
477
478 if (ret2 < 0 && MHD_gtls_error_is_fatal (ret2) == 0)
479 {
480 return ret2;
481 }
482
483 if (ret2 > 0)
484 {
485 MHD__gnutls_read_log ("RB-PEEK: Read %d bytes in PEEK MODE.\n",
486 ret2);
487 MHD__gnutls_read_log
488 ("RB-PEEK: Have %d bytes into buffer. Adding %d bytes.\nRB: Requested %d bytes\n",
489 session->internals.record_recv_buffer.length, ret2, sizeOfPtr);
490 session->internals.have_peeked_data = 1;
491 session->internals.record_recv_buffer.length += ret2;
492
493 }
494 }
495
496 if (ret < 0 || ret2 < 0)
497 {
498 MHD_gnutls_assert ();
499 /* that's because they are initialized to 0 */
500 return MIN (ret, ret2);
501 }
502
503 ret += ret2;
504
505 if (ret > 0 && ret < recvlowat)
506 {
507 MHD_gnutls_assert ();
508 return GNUTLS_E_AGAIN;
509 }
510
511 if (ret == 0)
512 { /* EOF */
513 MHD_gnutls_assert ();
514 return 0;
515 }
516
517 ret = session->internals.record_recv_buffer.length;
518
519 if ((ret > 0) && ((size_t) ret < sizeOfPtr))
520 {
521 /* Short Read */
522 MHD_gnutls_assert ();
523 return GNUTLS_E_AGAIN;
524 }
525 else
526 {
527 return ret;
528 }
529}
530
531/* These two functions are used to insert data to the send buffer of the handshake or
532 * record protocol. The send buffer is kept if a send is interrupted and we need to keep
533 * the data left to sent, in order to send them later.
534 */
535
536#define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y))
537
538inline static int
539MHD__gnutls_buffer_insert (MHD_gtls_buffer * buffer,
540 const opaque * _data, size_t data_size)
541{
542
543 if ((MEMSUB (_data, buffer->data) >= 0)
544 && (MEMSUB (_data, buffer->data) < (ssize_t) buffer->length))
545 {
546 /* the given _data is part of the buffer.
547 */
548 if (data_size > buffer->length)
549 {
550 MHD_gnutls_assert ();
551 /* this shouldn't have happened */
552 return GNUTLS_E_INTERNAL_ERROR;
553 }
554
555 if (_data == buffer->data)
556 { /* then don't even memmove */
557 buffer->length = data_size;
558 return 0;
559 }
560
561 memmove (buffer->data, _data, data_size);
562 buffer->length = data_size;
563
564 return 0;
565
566 }
567
568 if (MHD_gtls_buffer_append (buffer, _data, data_size) < 0)
569 {
570 MHD_gnutls_assert ();
571 return GNUTLS_E_MEMORY_ERROR;
572 }
573
574 return 0;
575}
576
577inline static int
578MHD__gnutls_buffer_get (MHD_gtls_buffer * buffer,
579 const opaque ** ptr, size_t * ptr_size)
580{
581 *ptr_size = buffer->length;
582 *ptr = buffer->data;
583
584 return 0;
585}
586
587/* This function is like write. But it does not return -1 on error.
588 * It does return MHD_gnutls_errno instead.
589 *
590 * In case of E_AGAIN and E_INTERRUPTED errors, you must call MHD_gnutls_write_flush(),
591 * until it returns ok (0).
592 *
593 * We need to push exactly the data in n, since we cannot send less
594 * data. In TLS the peer must receive the whole packet in order
595 * to decrypt and verify the integrity.
596 *
597 */
598ssize_t
599MHD_gtls_io_write_buffered (MHD_gtls_session_t session,
600 const void *iptr, size_t n)
601{
602 size_t left;
603 unsigned j, x, sum = 0;
604 ssize_t retval, i;
605 const opaque *ptr;
606 int ret;
607 MHD_gnutls_transport_ptr_t fd = session->internals.transport_send_ptr;
608
609 /* to know where the procedure was interrupted.
610 */
611 session->internals.direction = 1;
612
613 ptr = iptr;
614
615 /* In case the previous write was interrupted, check if the
616 * iptr != NULL and we have data in the buffer.
617 * If this is true then return an error.
618 */
619 if (session->internals.record_send_buffer.length > 0 && iptr != NULL)
620 {
621 MHD_gnutls_assert ();
622 return GNUTLS_E_INVALID_REQUEST;
623 }
624
625 /* If data in the buffer exist
626 */
627 if (iptr == NULL)
628 {
629 /* checking is handled above */
630 ret =
631 MHD__gnutls_buffer_get (&session->internals.record_send_buffer, &ptr,
632 &n);
633 if (ret < 0)
634 {
635 MHD_gnutls_assert ();
636 return ret;
637 }
638
639 MHD__gnutls_write_log
640 ("WRITE: Restoring old write. (%d bytes to send)\n", n);
641 }
642
643 MHD__gnutls_write_log ("WRITE: Will write %d bytes to %d.\n", n, fd);
644
645 i = 0;
646 left = n;
647 while (left > 0)
648 {
649
650 session->internals.errnum = 0;
651
652 if (session->internals.MHD__gnutls_push_func == NULL)
653 {
654 i = send (GNUTLS_POINTER_TO_INT (fd), &ptr[n - left], left, 0);
655#if HAVE_WINSOCK
656 if (i < 0)
657 {
658 int tmperr = WSAGetLastError ();
659 switch (tmperr)
660 {
661 case WSAEWOULDBLOCK:
662 session->internals.errnum = EAGAIN;
663 break;
664
665 case WSAEINTR:
666 session->internals.errnum = EINTR;
667 break;
668
669 default:
670 session->internals.errnum = EIO;
671 break;
672 }
673 WSASetLastError (tmperr);
674 }
675#endif
676 }
677 else
678 i = session->internals.MHD__gnutls_push_func (fd, &ptr[n - left], left);
679 if (i == -1)
680 {
681 int err = session->internals.errnum ? session->internals.errnum
682 : errno;
683
684 if ( (err == EAGAIN) || (err == EINTR) )
685 {
686 session->internals.record_send_buffer_prev_size += n - left;
687
688 retval =
689 MHD__gnutls_buffer_insert (&session->
690 internals.record_send_buffer,
691 &ptr[n - left], left);
692 if (retval < 0)
693 {
694 MHD_gnutls_assert ();
695 return retval;
696 }
697 if (err == EAGAIN)
698 return GNUTLS_E_AGAIN;
699 return GNUTLS_E_INTERRUPTED;
700 }
701 else
702 {
703 MHD_gnutls_assert ();
704 return GNUTLS_E_PUSH_ERROR;
705 }
706 }
707 left -= i;
708
709 if (MHD__gnutls_log_level >= 7)
710 {
711 char line[128];
712 char tmp[16];
713
714 MHD__gnutls_write_log
715 ("WRITE: wrote %d bytes to %d. Left %d bytes. Total %d bytes.\n",
716 i, fd, left, n);
717 for (x = 0; x < (unsigned) ((i) / 16) + 1; x++)
718 {
719 line[0] = 0;
720
721 if (sum > n - left)
722 break;
723
724 sprintf (tmp, "%.4x - ", x);
725 MHD_gtls_str_cat (line, sizeof (line), tmp);
726
727 for (j = 0; j < 16; j++)
728 {
729 if (sum < n - left)
730 {
731 sprintf (tmp, "%.2x ", ((unsigned char *) ptr)[sum++]);
732 MHD_gtls_str_cat (line, sizeof (line), tmp);
733 }
734 else
735 break;
736 }
737 MHD__gnutls_write_log ("%s\n", line);
738 }
739 }
740 }
741
742 retval = n + session->internals.record_send_buffer_prev_size;
743
744 session->internals.record_send_buffer.length = 0;
745 session->internals.record_send_buffer_prev_size = 0;
746
747 return retval;
748
749}
750
751/* This function writes the data that are left in the
752 * TLS write buffer (ie. because the previous write was
753 * interrupted.
754 */
755ssize_t
756MHD_gtls_io_write_flush (MHD_gtls_session_t session)
757{
758 ssize_t ret;
759
760 if (session->internals.record_send_buffer.length == 0)
761 return 0; /* done */
762
763 ret = MHD_gtls_io_write_buffered (session, NULL, 0);
764 MHD__gnutls_write_log ("WRITE FLUSH: %d [buffer: %d]\n", ret,
765 session->internals.record_send_buffer.length);
766
767 return ret;
768}
769
770/* This function writes the data that are left in the
771 * Handshake write buffer (ie. because the previous write was
772 * interrupted.
773 */
774ssize_t
775MHD_gtls_handshake_io_write_flush (MHD_gtls_session_t session)
776{
777 ssize_t ret;
778 ret = MHD_gtls_handshake_io_send_int (session, 0, 0, NULL, 0);
779 if (ret < 0)
780 {
781 MHD_gnutls_assert ();
782 return ret;
783 }
784
785 MHD__gnutls_write_log ("HANDSHAKE_FLUSH: written[1] %d bytes\n", ret);
786
787 if (session->internals.handshake_send_buffer.length == 0)
788 {
789 ret = session->internals.handshake_send_buffer_prev_size; /* done */
790 session->internals.handshake_send_buffer_prev_size = 0;
791 }
792
793 return ret;
794}
795
796/* This is a send function for the gnutls handshake
797 * protocol. Just makes sure that all data have been sent.
798 */
799ssize_t
800MHD_gtls_handshake_io_send_int (MHD_gtls_session_t session,
801 content_type_t type,
802 MHD_gnutls_handshake_description_t htype,
803 const void *iptr, size_t n)
804{
805 size_t left;
806 ssize_t ret = 0;
807 const opaque *ptr;
808 ssize_t retval = 0;
809
810 ptr = iptr;
811
812 if (session->internals.handshake_send_buffer.length > 0 && ptr == NULL && n
813 == 0)
814 {
815 /* resuming previously interrupted write
816 */
817 MHD_gnutls_assert ();
818 ret = MHD__gnutls_buffer_get (&session->internals.handshake_send_buffer,
819 &ptr, &n);
820 if (ret < 0)
821 {
822 MHD_gnutls_assert ();
823 return retval;
824 }
825
826 type = session->internals.handshake_send_buffer_type;
827 htype = session->internals.handshake_send_buffer_htype;
828
829 }
830 else if (session->internals.handshake_send_buffer.length > 0)
831 {
832 MHD_gnutls_assert ();
833 return GNUTLS_E_INTERNAL_ERROR;
834 }
835#ifdef WRITE_DEBUG
836 else
837 {
838 size_t sum = 0, x, j;
839
840 MHD__gnutls_write_log ("HWRITE: will write %d bytes to %d.\n", n,
841 MHD_gnutls_transport_get_ptr (session));
842 for (x = 0; x < ((n) / 16) + 1; x++)
843 {
844 if (sum > n)
845 break;
846
847 MHD__gnutls_write_log ("%.4x - ", x);
848 for (j = 0; j < 16; j++)
849 {
850 if (sum < n)
851 {
852 MHD__gnutls_write_log ("%.2x ",
853 ((unsigned char *) ptr)[sum++]);
854 }
855 else
856 break;
857 }
858 MHD__gnutls_write_log ("\n");
859 }
860 MHD__gnutls_write_log ("\n");
861 }
862#endif
863
864 if (n == 0)
865 { /* if we have no data to send */
866 MHD_gnutls_assert ();
867 return 0;
868 }
869 else if (ptr == NULL)
870 {
871 MHD_gnutls_assert ();
872 return GNUTLS_E_INTERNAL_ERROR;
873 }
874
875 left = n;
876 while (left > 0)
877 {
878 ret = MHD_gtls_send_int (session, type, htype, &ptr[n - left], left);
879
880 if (ret <= 0)
881 {
882 if (ret == 0)
883 {
884 MHD_gnutls_assert ();
885 ret = GNUTLS_E_INTERNAL_ERROR;
886 }
887
888 if (left > 0 && (ret == GNUTLS_E_INTERRUPTED || ret
889 == GNUTLS_E_AGAIN))
890 {
891 MHD_gnutls_assert ();
892
893 retval =
894 MHD__gnutls_buffer_insert (&session->internals.
895 handshake_send_buffer,
896 &ptr[n - left], left);
897 if (retval < 0)
898 {
899 MHD_gnutls_assert ();
900 return retval;
901 }
902
903 session->internals.handshake_send_buffer_prev_size += n - left;
904
905 session->internals.handshake_send_buffer_type = type;
906 session->internals.handshake_send_buffer_htype = htype;
907
908 }
909 else
910 {
911 session->internals.handshake_send_buffer_prev_size = 0;
912 session->internals.handshake_send_buffer.length = 0;
913 }
914
915 MHD_gnutls_assert ();
916 return ret;
917 }
918 left -= ret;
919 }
920
921 retval = n + session->internals.handshake_send_buffer_prev_size;
922
923 session->internals.handshake_send_buffer.length = 0;
924 session->internals.handshake_send_buffer_prev_size = 0;
925
926 return retval;
927
928}
929
930/* This is a receive function for the gnutls handshake
931 * protocol. Makes sure that we have received all data.
932 */
933ssize_t
934MHD_gtls_handshake_io_recv_int (MHD_gtls_session_t session,
935 content_type_t type,
936 MHD_gnutls_handshake_description_t htype,
937 void *iptr, size_t sizeOfPtr)
938{
939 size_t left;
940 ssize_t i;
941 opaque *ptr;
942 size_t dsize;
943
944 ptr = iptr;
945 left = sizeOfPtr;
946
947 if (sizeOfPtr == 0 || iptr == NULL)
948 {
949 MHD_gnutls_assert ();
950 return GNUTLS_E_INVALID_REQUEST;
951 }
952
953 if (session->internals.handshake_recv_buffer.length > 0)
954 {
955 /* if we have already received some data */
956 if (sizeOfPtr <= session->internals.handshake_recv_buffer.length)
957 {
958 /* if requested less data then return it.
959 */
960 MHD_gnutls_assert ();
961 memcpy (iptr, session->internals.handshake_recv_buffer.data,
962 sizeOfPtr);
963
964 session->internals.handshake_recv_buffer.length -= sizeOfPtr;
965
966 memmove (session->internals.handshake_recv_buffer.data,
967 &session->internals.handshake_recv_buffer.data[sizeOfPtr],
968 session->internals.handshake_recv_buffer.length);
969
970 return sizeOfPtr;
971 }
972 MHD_gnutls_assert ();
973 memcpy (iptr, session->internals.handshake_recv_buffer.data,
974 session->internals.handshake_recv_buffer.length);
975
976 htype = session->internals.handshake_recv_buffer_htype;
977 type = session->internals.handshake_recv_buffer_type;
978
979 left -= session->internals.handshake_recv_buffer.length;
980
981 session->internals.handshake_recv_buffer.length = 0;
982 }
983
984 while (left > 0)
985 {
986 dsize = sizeOfPtr - left;
987 i = MHD_gtls_recv_int (session, type, htype, &ptr[dsize], left);
988 if (i < 0)
989 {
990
991 if (dsize > 0 && (i == GNUTLS_E_INTERRUPTED || i == GNUTLS_E_AGAIN))
992 {
993 MHD_gnutls_assert ();
994
995 session->internals.handshake_recv_buffer.data
996 =
997 MHD_gtls_realloc_fast (session->internals.
998 handshake_recv_buffer.data, dsize);
999 if (session->internals.handshake_recv_buffer.data == NULL)
1000 {
1001 MHD_gnutls_assert ();
1002 return GNUTLS_E_MEMORY_ERROR;
1003 }
1004
1005 memcpy (session->internals.handshake_recv_buffer.data, iptr,
1006 dsize);
1007
1008 session->internals.handshake_recv_buffer_htype = htype;
1009 session->internals.handshake_recv_buffer_type = type;
1010
1011 session->internals.handshake_recv_buffer.length = dsize;
1012 }
1013 else
1014 session->internals.handshake_recv_buffer.length = 0;
1015
1016 MHD_gnutls_assert ();
1017
1018 return i;
1019 }
1020 else
1021 {
1022 if (i == 0)
1023 break; /* EOF */
1024 }
1025
1026 left -= i;
1027
1028 }
1029
1030 session->internals.handshake_recv_buffer.length = 0;
1031
1032 return sizeOfPtr - left;
1033}
1034
1035/* Buffer for handshake packets. Keeps the packets in order
1036 * for finished messages to use them. Used in HMAC calculation
1037 * and finished messages.
1038 */
1039int
1040MHD_gtls_handshake_buffer_put (MHD_gtls_session_t session, opaque * data,
1041 size_t length)
1042{
1043
1044 if (length == 0)
1045 return 0;
1046
1047 if ((session->internals.max_handshake_data_buffer_size > 0) && ((length
1048 +
1049 session->
1050 internals.
1051 handshake_hash_buffer.
1052 length) >
1053 session->
1054 internals.
1055 max_handshake_data_buffer_size))
1056 {
1057 MHD_gnutls_assert ();
1058 return GNUTLS_E_MEMORY_ERROR;
1059 }
1060
1061 MHD__gnutls_buffers_log ("BUF[HSK]: Inserted %d bytes of Data\n", length);
1062
1063 if (MHD_gtls_buffer_append (&session->internals.handshake_hash_buffer, data,
1064 length) < 0)
1065 {
1066 MHD_gnutls_assert ();
1067 return GNUTLS_E_MEMORY_ERROR;
1068 }
1069
1070 return 0;
1071}
1072
1073/* this function does not touch the buffer
1074 * and returns data from it (peek mode!)
1075 */
1076int
1077MHD_gtls_handshake_buffer_get_ptr (MHD_gtls_session_t session,
1078 opaque ** data_ptr, size_t * length)
1079{
1080 if (length != NULL)
1081 *length = session->internals.handshake_hash_buffer.length;
1082
1083 MHD__gnutls_buffers_log ("BUF[HSK]: Peeked %d bytes of Data\n",
1084 session->internals.handshake_hash_buffer.length);
1085
1086 if (data_ptr != NULL)
1087 *data_ptr = session->internals.handshake_hash_buffer.data;
1088
1089 return 0;
1090}
1091
1092/* Does not free the buffer
1093 */
1094int
1095MHD_gtls_handshake_buffer_empty (MHD_gtls_session_t session)
1096{
1097
1098 MHD__gnutls_buffers_log ("BUF[HSK]: Emptied buffer\n");
1099
1100 session->internals.handshake_hash_buffer.length = 0;
1101
1102 return 0;
1103}
1104
1105int
1106MHD_gtls_handshake_buffer_clear (MHD_gtls_session_t session)
1107{
1108 MHD__gnutls_buffers_log ("BUF[HSK]: Cleared Data from buffer\n");
1109 MHD_gtls_buffer_clear (&session->internals.handshake_hash_buffer);
1110 return 0;
1111}
diff --git a/src/daemon/https/tls/gnutls_buffers.h b/src/daemon/https/tls/gnutls_buffers.h
deleted file mode 100644
index e09506ac..00000000
--- a/src/daemon/https/tls/gnutls_buffers.h
+++ /dev/null
@@ -1,64 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25int MHD_gnutls_record_buffer_put (content_type_t type,
26 MHD_gtls_session_t session, opaque * data,
27 size_t length);
28int MHD_gnutls_record_buffer_get_size (content_type_t type,
29 MHD_gtls_session_t session);
30int MHD_gtls_record_buffer_get (content_type_t type,
31 MHD_gtls_session_t session, opaque * data,
32 size_t length);
33ssize_t MHD_gtls_io_read_buffered (MHD_gtls_session_t, opaque ** iptr,
34 size_t n, content_type_t);
35void MHD_gtls_io_clear_read_buffer (MHD_gtls_session_t);
36int MHD_gtls_io_clear_peeked_data (MHD_gtls_session_t session);
37
38ssize_t MHD_gtls_io_write_buffered (MHD_gtls_session_t, const void *iptr,
39 size_t n);
40ssize_t MHD_gtls_io_write_buffered2 (MHD_gtls_session_t, const void *iptr,
41 size_t n, const void *iptr2, size_t n2);
42
43int MHD_gtls_handshake_buffer_put (MHD_gtls_session_t session, opaque * data,
44 size_t length);
45int MHD_gtls_handshake_buffer_clear (MHD_gtls_session_t session);
46int MHD_gtls_handshake_buffer_empty (MHD_gtls_session_t session);
47int MHD_gtls_handshake_buffer_get_ptr (MHD_gtls_session_t session,
48 opaque ** data_ptr, size_t * length);
49
50#define MHD__gnutls_handshake_io_buffer_clear( session) \
51 MHD_gtls_buffer_clear( &session->internals.handshake_send_buffer); \
52 MHD_gtls_buffer_clear( &session->internals.handshake_recv_buffer); \
53 session->internals.handshake_send_buffer_prev_size = 0
54
55ssize_t MHD_gtls_handshake_io_recv_int (MHD_gtls_session_t, content_type_t,
56 MHD_gnutls_handshake_description_t,
57 void *, size_t);
58ssize_t MHD_gtls_handshake_io_send_int (MHD_gtls_session_t, content_type_t,
59 MHD_gnutls_handshake_description_t,
60 const void *, size_t);
61ssize_t MHD_gtls_io_write_flush (MHD_gtls_session_t session);
62ssize_t MHD_gtls_handshake_io_write_flush (MHD_gtls_session_t session);
63
64size_t MHD_gtls_record_check_pending (MHD_gtls_session_t session);
diff --git a/src/daemon/https/tls/gnutls_cert.c b/src/daemon/https/tls/gnutls_cert.c
deleted file mode 100644
index c546b607..00000000
--- a/src/daemon/https/tls/gnutls_cert.c
+++ /dev/null
@@ -1,441 +0,0 @@
1/*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* Some of the stuff needed for Certificate authentication is contained
26 * in this file.
27 */
28
29#include <gnutls_int.h>
30#include <gnutls_errors.h>
31#include <auth_cert.h>
32#include <gnutls_cert.h>
33#include <gnutls_datum.h>
34#include <gnutls_mpi.h>
35#include <gnutls_global.h>
36#include <gnutls_algorithms.h>
37#include <gnutls_dh.h>
38#include <gnutls_str.h>
39#include <gnutls_state.h>
40#include <gnutls_auth_int.h>
41#include <gnutls_x509.h>
42/* x509 */
43#include "x509.h"
44#include "mpi.h"
45
46/**
47 * MHD__gnutls_certificate_free_keys - Used to free all the keys from a MHD_gtls_cert_credentials_t structure
48 * @sc: is an #MHD_gtls_cert_credentials_t structure.
49 *
50 * This function will delete all the keys and the certificates associated
51 * with the given credentials. This function must not be called when a
52 * TLS negotiation that uses the credentials is in progress.
53 *
54 **/
55void
56MHD__gnutls_certificate_free_keys (MHD_gtls_cert_credentials_t sc)
57{
58 unsigned i, j;
59
60 for (i = 0; i < sc->ncerts; i++)
61 {
62 for (j = 0; j < sc->cert_list_length[i]; j++)
63 {
64 MHD_gtls_gcert_deinit (&sc->cert_list[i][j]);
65 }
66 MHD_gnutls_free (sc->cert_list[i]);
67 }
68
69 MHD_gnutls_free (sc->cert_list_length);
70 sc->cert_list_length = NULL;
71
72 MHD_gnutls_free (sc->cert_list);
73 sc->cert_list = NULL;
74
75 for (i = 0; i < sc->ncerts; i++)
76 {
77 MHD_gtls_gkey_deinit (&sc->pkey[i]);
78 }
79
80 MHD_gnutls_free (sc->pkey);
81 sc->pkey = NULL;
82
83 sc->ncerts = 0;
84
85}
86
87/**
88 * MHD__gnutls_certificate_free_cas - Used to free all the CAs from a MHD_gtls_cert_credentials_t structure
89 * @sc: is an #MHD_gtls_cert_credentials_t structure.
90 *
91 * This function will delete all the CAs associated
92 * with the given credentials. Servers that do not use
93 * MHD_gtls_certificate_verify_peers2() may call this to
94 * save some memory.
95 *
96 **/
97void
98MHD__gnutls_certificate_free_cas (MHD_gtls_cert_credentials_t sc)
99{
100 unsigned j;
101
102 for (j = 0; j < sc->x509_ncas; j++)
103 {
104 MHD_gnutls_x509_crt_deinit (sc->x509_ca_list[j]);
105 }
106
107 sc->x509_ncas = 0;
108
109 MHD_gnutls_free (sc->x509_ca_list);
110 sc->x509_ca_list = NULL;
111
112}
113
114/**
115 * MHD__gnutls_certificate_free_ca_names - Used to free all the CA names from a MHD_gtls_cert_credentials_t structure
116 * @sc: is an #MHD_gtls_cert_credentials_t structure.
117 *
118 * This function will delete all the CA name in the
119 * given credentials. Clients may call this to save some memory
120 * since in client side the CA names are not used.
121 *
122 * CA names are used by servers to advertize the CAs they
123 * support to clients.
124 *
125 **/
126void
127MHD__gnutls_certificate_free_ca_names (MHD_gtls_cert_credentials_t sc)
128{
129 MHD__gnutls_free_datum (&sc->x509_rdn_sequence);
130}
131
132/*-
133 * MHD_gtls_certificate_get_rsa_params - Returns the RSA parameters pointer
134 * @rsa_params: holds the RSA parameters or NULL.
135 * @func: function to retrieve the parameters or NULL.
136 * @session: The session.
137 *
138 * This function will return the rsa parameters pointer.
139 *
140 -*/
141MHD_gtls_rsa_params_t
142MHD_gtls_certificate_get_rsa_params (MHD_gtls_rsa_params_t rsa_params,
143 MHD_gnutls_params_function * func,
144 MHD_gtls_session_t session)
145{
146 MHD_gnutls_params_st params;
147 int ret;
148
149 if (session->internals.params.rsa_params)
150 {
151 return session->internals.params.rsa_params;
152 }
153
154 if (rsa_params)
155 {
156 session->internals.params.rsa_params = rsa_params;
157 }
158 else if (func)
159 {
160 ret = func (session, GNUTLS_PARAMS_RSA_EXPORT, &params);
161 if (ret == 0 && params.type == GNUTLS_PARAMS_RSA_EXPORT)
162 {
163 session->internals.params.rsa_params = params.params.rsa_export;
164 session->internals.params.free_rsa_params = params.deinit;
165 }
166 }
167
168 return session->internals.params.rsa_params;
169}
170
171
172/**
173 * MHD__gnutls_certificate_free_credentials - Used to free an allocated MHD_gtls_cert_credentials_t structure
174 * @sc: is an #MHD_gtls_cert_credentials_t structure.
175 *
176 * This structure is complex enough to manipulate directly thus
177 * this helper function is provided in order to free (deallocate) it.
178 *
179 * This function does not free any temporary parameters associated
180 * with this structure (ie RSA and DH parameters are not freed by
181 * this function).
182 **/
183void
184MHD__gnutls_certificate_free_credentials (MHD_gtls_cert_credentials_t sc)
185{
186 MHD__gnutls_certificate_free_keys (sc);
187 MHD__gnutls_certificate_free_cas (sc);
188 MHD__gnutls_certificate_free_ca_names (sc);
189#ifdef KEYRING_HACK
190 MHD__gnutls_free_datum (&sc->keyring);
191#endif
192
193 MHD_gnutls_free (sc);
194}
195
196
197/**
198 * MHD__gnutls_certificate_allocate_credentials - Used to allocate a MHD_gtls_cert_credentials_t structure
199 * @res: is a pointer to an #MHD_gtls_cert_credentials_t structure.
200 *
201 * This structure is complex enough to manipulate directly thus this
202 * helper function is provided in order to allocate it.
203 *
204 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
205 **/
206int
207MHD__gnutls_certificate_allocate_credentials (MHD_gtls_cert_credentials_t *
208 res)
209{
210 *res = MHD_gnutls_calloc (1, sizeof (MHD_gtls_cert_credentials_st));
211
212 if (*res == NULL)
213 return GNUTLS_E_MEMORY_ERROR;
214
215 (*res)->verify_bits = DEFAULT_VERIFY_BITS;
216 (*res)->verify_depth = DEFAULT_VERIFY_DEPTH;
217
218 return 0;
219}
220
221
222/* returns the KX algorithms that are supported by a
223 * certificate. (Eg a certificate with RSA params, supports
224 * GNUTLS_KX_RSA algorithm).
225 * This function also uses the KeyUsage field of the certificate
226 * extensions in order to disable unneded algorithms.
227 */
228int
229MHD_gtls_selected_cert_supported_kx (MHD_gtls_session_t session,
230 enum MHD_GNUTLS_KeyExchangeAlgorithm
231 **alg, int *alg_size)
232{
233 enum MHD_GNUTLS_KeyExchangeAlgorithm kx;
234 enum MHD_GNUTLS_PublicKeyAlgorithm pk;
235 enum MHD_GNUTLS_KeyExchangeAlgorithm kxlist[MAX_ALGOS];
236 MHD_gnutls_cert *cert;
237 int i;
238
239 if (session->internals.selected_cert_list_length == 0)
240 {
241 *alg_size = 0;
242 *alg = NULL;
243 return 0;
244 }
245
246 cert = &session->internals.selected_cert_list[0];
247 i = 0;
248
249 for (kx = 0; kx < MAX_ALGOS; kx++)
250 {
251 pk = MHD_gtls_map_pk_get_pk (kx);
252 if (pk == cert->subject_pk_algorithm)
253 {
254 /* then check key usage */
255 if (MHD__gnutls_check_key_usage (cert, kx) == 0)
256 {
257 kxlist[i] = kx;
258 i++;
259 }
260 }
261 }
262
263 if (i == 0)
264 {
265 MHD_gnutls_assert ();
266 return GNUTLS_E_INVALID_REQUEST;
267 }
268
269 *alg =
270 MHD_gnutls_calloc (1, sizeof (enum MHD_GNUTLS_KeyExchangeAlgorithm) * i);
271 if (*alg == NULL)
272 return GNUTLS_E_MEMORY_ERROR;
273
274 *alg_size = i;
275
276 memcpy (*alg, kxlist, i * sizeof (enum MHD_GNUTLS_KeyExchangeAlgorithm));
277
278 return 0;
279}
280
281
282
283int
284MHD_gtls_raw_cert_to_gcert (MHD_gnutls_cert * gcert,
285 enum MHD_GNUTLS_CertificateType type,
286 const MHD_gnutls_datum_t * raw_cert,
287 int flags /* OR of ConvFlags */ )
288{
289 switch (type)
290 {
291 case MHD_GNUTLS_CRT_X509:
292 return MHD_gtls_x509_raw_cert_to_gcert (gcert, raw_cert, flags);
293 default:
294 MHD_gnutls_assert ();
295 return GNUTLS_E_INTERNAL_ERROR;
296 }
297}
298
299/* This function will convert a der certificate to a format
300 * (structure) that gnutls can understand and use. Actually the
301 * important thing on this function is that it extracts the
302 * certificate's (public key) parameters.
303 *
304 * The noext flag is used to complete the handshake even if the
305 * extensions found in the certificate are unsupported and critical.
306 * The critical extensions will be catched by the verification functions.
307 */
308int
309MHD_gtls_x509_raw_cert_to_gcert (MHD_gnutls_cert * gcert,
310 const MHD_gnutls_datum_t * derCert,
311 int flags /* OR of ConvFlags */ )
312{
313 int ret;
314 MHD_gnutls_x509_crt_t cert;
315
316 ret = MHD_gnutls_x509_crt_init (&cert);
317 if (ret < 0)
318 {
319 MHD_gnutls_assert ();
320 return ret;
321 }
322
323 ret = MHD_gnutls_x509_crt_import (cert, derCert, GNUTLS_X509_FMT_DER);
324 if (ret < 0)
325 {
326 MHD_gnutls_assert ();
327 MHD_gnutls_x509_crt_deinit (cert);
328 return ret;
329 }
330
331 ret = MHD_gtls_x509_crt_to_gcert (gcert, cert, flags);
332 MHD_gnutls_x509_crt_deinit (cert);
333
334 return ret;
335}
336
337/* Like above but it accepts a parsed certificate instead.
338 */
339int
340MHD_gtls_x509_crt_to_gcert (MHD_gnutls_cert * gcert,
341 MHD_gnutls_x509_crt_t cert, unsigned int flags)
342{
343 int ret = 0;
344
345 memset (gcert, 0, sizeof (MHD_gnutls_cert));
346 gcert->cert_type = MHD_GNUTLS_CRT_X509;
347
348 if (!(flags & CERT_NO_COPY))
349 {
350#define SMALL_DER 512
351 opaque *der;
352 size_t der_size = SMALL_DER;
353
354 /* initially allocate a bogus size, just in case the certificate
355 * fits in it. That way we minimize the DER encodings performed.
356 */
357 der = MHD_gnutls_malloc (SMALL_DER);
358 if (der == NULL)
359 {
360 MHD_gnutls_assert ();
361 return GNUTLS_E_MEMORY_ERROR;
362 }
363
364 ret =
365 MHD_gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_DER, der,
366 &der_size);
367 if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
368 {
369 MHD_gnutls_assert ();
370 MHD_gnutls_free (der);
371 return ret;
372 }
373
374 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
375 {
376 der = MHD_gnutls_realloc (der, der_size);
377 if (der == NULL)
378 {
379 MHD_gnutls_assert ();
380 return GNUTLS_E_MEMORY_ERROR;
381 }
382
383 ret =
384 MHD_gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_DER, der,
385 &der_size);
386 if (ret < 0)
387 {
388 MHD_gnutls_assert ();
389 MHD_gnutls_free (der);
390 return ret;
391 }
392 }
393
394 gcert->raw.data = der;
395 gcert->raw.size = der_size;
396 }
397 else
398 /* now we have 0 or a bitwise or of things to decode */
399 flags ^= CERT_NO_COPY;
400
401
402 if (flags & CERT_ONLY_EXTENSIONS || flags == 0)
403 {
404 MHD_gnutls_x509_crt_get_key_usage (cert, &gcert->key_usage, NULL);
405 gcert->version = MHD_gnutls_x509_crt_get_version (cert);
406 }
407 gcert->subject_pk_algorithm =
408 MHD_gnutls_x509_crt_get_pk_algorithm (cert, NULL);
409
410 if (flags & CERT_ONLY_PUBKEY || flags == 0)
411 {
412 gcert->params_size = MAX_PUBLIC_PARAMS_SIZE;
413 ret =
414 MHD__gnutls_x509_crt_get_mpis (cert, gcert->params,
415 &gcert->params_size);
416 if (ret < 0)
417 {
418 MHD_gnutls_assert ();
419 return ret;
420 }
421 }
422
423 return 0;
424
425}
426
427void
428MHD_gtls_gcert_deinit (MHD_gnutls_cert * cert)
429{
430 int i;
431
432 if (cert == NULL)
433 return;
434
435 for (i = 0; i < cert->params_size; i++)
436 {
437 MHD_gtls_mpi_release (&cert->params[i]);
438 }
439
440 MHD__gnutls_free_datum (&cert->raw);
441}
diff --git a/src/daemon/https/tls/gnutls_cert.h b/src/daemon/https/tls/gnutls_cert.h
deleted file mode 100644
index 124ac963..00000000
--- a/src/daemon/https/tls/gnutls_cert.h
+++ /dev/null
@@ -1,127 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef GNUTLS_CERT_H
26# define GNUTLS_CERT_H
27
28#include <gnutls_pk.h>
29#include "x509.h"
30
31#define MAX_PUBLIC_PARAMS_SIZE 4 /* ok for RSA and DSA */
32
33/* parameters should not be larger than this limit */
34#define DSA_PUBLIC_PARAMS 4
35#define RSA_PUBLIC_PARAMS 2
36
37/* For key Usage, test as:
38 * if (st.key_usage & KEY_DIGITAL_SIGNATURE) ...
39 */
40#define KEY_DIGITAL_SIGNATURE 128
41#define KEY_NON_REPUDIATION 64
42#define KEY_KEY_ENCIPHERMENT 32
43#define KEY_DATA_ENCIPHERMENT 16
44#define KEY_KEY_AGREEMENT 8
45#define KEY_KEY_CERT_SIGN 4
46#define KEY_CRL_SIGN 2
47#define KEY_ENCIPHER_ONLY 1
48#define KEY_DECIPHER_ONLY 32768
49
50typedef struct MHD_gnutls_cert
51{
52 mpi_t params[MAX_PUBLIC_PARAMS_SIZE]; /* the size of params depends on the public
53 * key algorithm
54 * RSA: [0] is modulus
55 * [1] is public exponent
56 * DSA: [0] is p
57 * [1] is q
58 * [2] is g
59 * [3] is public key
60 */
61 int params_size; /* holds the size of MPI params */
62
63 enum MHD_GNUTLS_PublicKeyAlgorithm subject_pk_algorithm;
64
65 unsigned int key_usage; /* bits from KEY_*
66 */
67
68 unsigned int version;
69 /* holds the type (PGP, X509)
70 */
71 enum MHD_GNUTLS_CertificateType cert_type;
72
73 MHD_gnutls_datum_t raw;
74
75} MHD_gnutls_cert;
76
77typedef struct MHD_gnutls_privkey_int
78{
79 mpi_t params[MAX_PRIV_PARAMS_SIZE]; /* the size of params depends on the public
80 * key algorithm
81 */
82 /*
83 * RSA: [0] is modulus
84 * [1] is public exponent
85 * [2] is private exponent
86 * [3] is prime1 (p)
87 * [4] is prime2 (q)
88 * [5] is coefficient (u == inverse of p mod q)
89 * DSA: [0] is p
90 * [1] is q
91 * [2] is g
92 * [3] is y (public key)
93 * [4] is x (private key)
94 */
95 int params_size; /* holds the number of params */
96
97 enum MHD_GNUTLS_PublicKeyAlgorithm pk_algorithm;
98} MHD_gnutls_privkey;
99
100struct MHD_gtls_session_int; /* because MHD_gtls_session_t is not defined when this file is included */
101
102typedef enum ConvFlags
103{
104 CERT_NO_COPY = 2,
105 CERT_ONLY_PUBKEY = 4,
106 CERT_ONLY_EXTENSIONS = 16
107} ConvFlags;
108
109int MHD_gtls_x509_raw_cert_to_gcert (MHD_gnutls_cert * gcert,
110 const MHD_gnutls_datum_t * derCert,
111 int flags);
112int MHD_gtls_x509_crt_to_gcert (MHD_gnutls_cert * gcert,
113 MHD_gnutls_x509_crt_t cert,
114 unsigned int flags);
115
116void MHD_gtls_gkey_deinit (MHD_gnutls_privkey * key);
117void MHD_gtls_gcert_deinit (MHD_gnutls_cert * cert);
118
119int MHD_gtls_selected_cert_supported_kx (struct MHD_gtls_session_int *session,
120 enum MHD_GNUTLS_KeyExchangeAlgorithm
121 **alg, int *alg_size);
122
123int MHD_gtls_raw_cert_to_gcert (MHD_gnutls_cert * gcert,
124 enum MHD_GNUTLS_CertificateType type,
125 const MHD_gnutls_datum_t * raw_cert,
126 int flags /* OR of ConvFlags */ );
127#endif
diff --git a/src/daemon/https/tls/gnutls_cipher.c b/src/daemon/https/tls/gnutls_cipher.c
deleted file mode 100644
index 5004d13c..00000000
--- a/src/daemon/https/tls/gnutls_cipher.c
+++ /dev/null
@@ -1,499 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* Some high level functions to be used in the record encryption are
26 * included here.
27 */
28
29#include "gnutls_int.h"
30#include "gnutls_errors.h"
31#include "gnutls_cipher.h"
32#include "gnutls_algorithms.h"
33#include "gnutls_hash_int.h"
34#include "gnutls_cipher_int.h"
35#include "debug.h"
36#include "gnutls_num.h"
37#include "gnutls_datum.h"
38#include "gnutls_kx.h"
39#include "gnutls_record.h"
40#include "gnutls_constate.h"
41#include <gc.h>
42
43/* returns ciphertext which contains the headers too. This also
44 * calculates the size in the header field.
45 *
46 * If random pad != 0 then the random pad data will be appended.
47 */
48int
49MHD_gtls_encrypt (MHD_gtls_session_t session, const opaque * headers,
50 size_t headers_size, const opaque * data,
51 size_t data_size, opaque * ciphertext,
52 size_t ciphertext_size, content_type_t type, int random_pad)
53{
54 MHD_gnutls_datum_t plain;
55 MHD_gnutls_datum_t comp;
56 int ret;
57 int free_comp = 1;
58
59 plain.data = (opaque *) data;
60 plain.size = data_size;
61
62 comp = plain;
63 free_comp = 0;
64 ret = MHD_gtls_compressed2ciphertext (session, &ciphertext[headers_size],
65 ciphertext_size - headers_size,
66 comp, type, random_pad);
67
68 if (free_comp)
69 MHD__gnutls_free_datum (&comp);
70
71 if (ret < 0)
72 {
73 MHD_gnutls_assert ();
74 return ret;
75 }
76
77
78 /* copy the headers */
79 memcpy (ciphertext, headers, headers_size);
80 MHD_gtls_write_uint16 (ret, &ciphertext[3]);
81
82 return ret + headers_size;
83}
84
85/* Decrypts the given data.
86 * Returns the decrypted data length.
87 */
88int
89MHD_gtls_decrypt (MHD_gtls_session_t session, opaque * ciphertext,
90 size_t ciphertext_size, uint8_t * data,
91 size_t max_data_size, content_type_t type)
92{
93 MHD_gnutls_datum_t gcipher;
94
95 if (ciphertext_size == 0)
96 return 0;
97
98 gcipher.size = ciphertext_size;
99 gcipher.data = ciphertext;
100
101 return
102 MHD_gtls_ciphertext2compressed (session, data, max_data_size,
103 gcipher, type);
104}
105
106inline static mac_hd_t
107mac_init (enum MHD_GNUTLS_HashAlgorithm mac, opaque * secret, int secret_size,
108 int ver)
109{
110 mac_hd_t td;
111
112 if (mac == MHD_GNUTLS_MAC_NULL)
113 return GNUTLS_MAC_FAILED;
114
115 if (ver == MHD_GNUTLS_PROTOCOL_SSL3)
116 { /* SSL 3.0 */
117 td = MHD_gnutls_mac_init_ssl3 (mac, secret, secret_size);
118 }
119 else
120 { /* TLS 1.x */
121 td = MHD_gtls_MHD_hmac_init (mac, secret, secret_size);
122 }
123
124 return td;
125}
126
127inline static void
128mac_deinit (mac_hd_t td, opaque * res, int ver)
129{
130 if (ver == MHD_GNUTLS_PROTOCOL_SSL3)
131 { /* SSL 3.0 */
132 MHD_gnutls_mac_deinit_ssl3 (td, res);
133 }
134 else
135 {
136 MHD_gnutls_MHD_hmac_deinit (td, res);
137 }
138}
139
140inline static int
141calc_enc_length (MHD_gtls_session_t session, int data_size,
142 int hash_size, uint8_t * pad, int random_pad,
143 cipher_type_t block_algo, uint16_t blocksize)
144{
145 uint8_t rnd;
146 int length;
147
148 *pad = 0;
149
150 switch (block_algo)
151 {
152 case CIPHER_STREAM:
153 length = data_size + hash_size;
154
155 break;
156 case CIPHER_BLOCK:
157 if (MHD_gc_nonce ((char *) &rnd, 1) != GC_OK)
158 {
159 MHD_gnutls_assert ();
160 return GNUTLS_E_RANDOM_FAILED;
161 }
162
163 /* make rnd a multiple of blocksize */
164 if (session->security_parameters.version == MHD_GNUTLS_PROTOCOL_SSL3 ||
165 random_pad == 0)
166 {
167 rnd = 0;
168 }
169 else
170 {
171 rnd = (rnd / blocksize) * blocksize;
172 /* added to avoid the case of pad calculated 0
173 * seen below for pad calculation.
174 */
175 if (rnd > blocksize)
176 rnd -= blocksize;
177 }
178
179 length = data_size + hash_size;
180
181 *pad = (uint8_t) (blocksize - (length % blocksize)) + rnd;
182
183 length += *pad;
184 if (session->security_parameters.version >= MHD_GNUTLS_PROTOCOL_TLS1_1)
185 length += blocksize; /* for the IV */
186
187 break;
188 default:
189 MHD_gnutls_assert ();
190 return GNUTLS_E_INTERNAL_ERROR;
191 }
192
193 return length;
194}
195
196/* This is the actual encryption
197 * Encrypts the given compressed datum, and puts the result to cipher_data,
198 * which has cipher_size size.
199 * return the actual encrypted data length.
200 */
201int
202MHD_gtls_compressed2ciphertext (MHD_gtls_session_t session,
203 opaque * cipher_data, int cipher_size,
204 MHD_gnutls_datum_t compressed,
205 content_type_t _type, int random_pad)
206{
207 uint8_t MAC[MAX_HASH_SIZE];
208 uint16_t c_length;
209 uint8_t pad;
210 int length, ret;
211 mac_hd_t td;
212 uint8_t type = _type;
213 uint8_t major, minor;
214 int hash_size =
215 MHD_gnutls_hash_get_algo_len (session->security_parameters.
216 write_mac_algorithm);
217 enum MHD_GNUTLS_Protocol ver;
218 int blocksize =
219 MHD_gtls_cipher_get_block_size (session->security_parameters.
220 write_bulk_cipher_algorithm);
221 cipher_type_t block_algo =
222 MHD_gtls_cipher_is_block (session->security_parameters.
223 write_bulk_cipher_algorithm);
224 opaque *data_ptr;
225
226
227 ver = MHD__gnutls_protocol_get_version (session);
228 minor = MHD_gtls_version_get_minor (ver);
229 major = MHD_gtls_version_get_major (ver);
230
231
232 /* Initialize MAC */
233 td = mac_init (session->security_parameters.write_mac_algorithm,
234 session->connection_state.write_mac_secret.data,
235 session->connection_state.write_mac_secret.size, ver);
236
237 if (td == GNUTLS_MAC_FAILED
238 && session->security_parameters.write_mac_algorithm !=
239 MHD_GNUTLS_MAC_NULL)
240 {
241 MHD_gnutls_assert ();
242 return GNUTLS_E_INTERNAL_ERROR;
243 }
244
245 c_length = MHD_gtls_conv_uint16 (compressed.size);
246
247 if (td != GNUTLS_MAC_FAILED)
248 { /* actually when the algorithm in not the NULL one */
249 MHD_gnutls_hash (td,
250 UINT64DATA (session->connection_state.
251 write_sequence_number), 8);
252
253 MHD_gnutls_hash (td, &type, 1);
254 if (ver >= MHD_GNUTLS_PROTOCOL_TLS1_0)
255 { /* TLS 1.0 or higher */
256 MHD_gnutls_hash (td, &major, 1);
257 MHD_gnutls_hash (td, &minor, 1);
258 }
259 MHD_gnutls_hash (td, &c_length, 2);
260 MHD_gnutls_hash (td, compressed.data, compressed.size);
261 mac_deinit (td, MAC, ver);
262 }
263
264
265 /* Calculate the encrypted length (padding etc.)
266 */
267 length =
268 calc_enc_length (session, compressed.size, hash_size, &pad,
269 random_pad, block_algo, blocksize);
270 if (length < 0)
271 {
272 MHD_gnutls_assert ();
273 return length;
274 }
275
276 /* copy the encrypted data to cipher_data.
277 */
278 if (cipher_size < length)
279 {
280 MHD_gnutls_assert ();
281 return GNUTLS_E_MEMORY_ERROR;
282 }
283
284 data_ptr = cipher_data;
285 if (block_algo == CIPHER_BLOCK &&
286 session->security_parameters.version >= MHD_GNUTLS_PROTOCOL_TLS1_1)
287 {
288 /* copy the random IV.
289 */
290 if (MHD_gc_nonce ((char *) data_ptr, blocksize) != GC_OK)
291 {
292 MHD_gnutls_assert ();
293 return GNUTLS_E_RANDOM_FAILED;
294 }
295 data_ptr += blocksize;
296 }
297
298 memcpy (data_ptr, compressed.data, compressed.size);
299 data_ptr += compressed.size;
300
301 if (hash_size > 0)
302 {
303 memcpy (data_ptr, MAC, hash_size);
304 data_ptr += hash_size;
305 }
306 if (block_algo == CIPHER_BLOCK && pad > 0)
307 {
308 memset (data_ptr, pad - 1, pad);
309 }
310
311
312 /* Actual encryption (inplace).
313 */
314 ret =
315 MHD_gtls_cipher_encrypt (session->connection_state.write_cipher_state,
316 cipher_data, length);
317 if (ret < 0)
318 {
319 MHD_gnutls_assert ();
320 return ret;
321 }
322
323 return length;
324}
325
326/* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
327 * Returns the actual compressed packet size.
328 */
329int
330MHD_gtls_ciphertext2compressed (MHD_gtls_session_t session,
331 opaque * compress_data,
332 int compress_size,
333 MHD_gnutls_datum_t ciphertext, uint8_t type)
334{
335 uint8_t MAC[MAX_HASH_SIZE];
336 uint16_t c_length;
337 uint8_t pad;
338 int length;
339 mac_hd_t td;
340 uint16_t blocksize;
341 int ret, i, pad_failed = 0;
342 uint8_t major, minor;
343 enum MHD_GNUTLS_Protocol ver;
344 int hash_size =
345 MHD_gnutls_hash_get_algo_len (session->security_parameters.
346 read_mac_algorithm);
347
348 ver = MHD__gnutls_protocol_get_version (session);
349 minor = MHD_gtls_version_get_minor (ver);
350 major = MHD_gtls_version_get_major (ver);
351
352 blocksize =
353 MHD_gtls_cipher_get_block_size (session->security_parameters.
354 read_bulk_cipher_algorithm);
355
356 /* initialize MAC
357 */
358 td = mac_init (session->security_parameters.read_mac_algorithm,
359 session->connection_state.read_mac_secret.data,
360 session->connection_state.read_mac_secret.size, ver);
361
362 if (td == GNUTLS_MAC_FAILED
363 && session->security_parameters.read_mac_algorithm !=
364 MHD_GNUTLS_MAC_NULL)
365 {
366 MHD_gnutls_assert ();
367 return GNUTLS_E_INTERNAL_ERROR;
368 }
369
370
371 /* actual decryption (inplace)
372 */
373 switch (MHD_gtls_cipher_is_block
374 (session->security_parameters.read_bulk_cipher_algorithm))
375 {
376 case CIPHER_STREAM:
377 if ((ret =
378 MHD_gtls_cipher_decrypt (session->connection_state.
379 read_cipher_state, ciphertext.data,
380 ciphertext.size)) < 0)
381 {
382 MHD_gnutls_assert ();
383 return ret;
384 }
385
386 length = ciphertext.size - hash_size;
387
388 break;
389 case CIPHER_BLOCK:
390 if ((ciphertext.size < blocksize) || (ciphertext.size % blocksize != 0))
391 {
392 MHD_gnutls_assert ();
393 return GNUTLS_E_DECRYPTION_FAILED;
394 }
395
396 if ((ret =
397 MHD_gtls_cipher_decrypt (session->connection_state.
398 read_cipher_state, ciphertext.data,
399 ciphertext.size)) < 0)
400 {
401 MHD_gnutls_assert ();
402 return ret;
403 }
404
405 /* ignore the IV in TLS 1.1.
406 */
407 if (session->security_parameters.version >= MHD_GNUTLS_PROTOCOL_TLS1_1)
408 {
409 ciphertext.size -= blocksize;
410 ciphertext.data += blocksize;
411
412 if (ciphertext.size == 0)
413 {
414 MHD_gnutls_assert ();
415 return GNUTLS_E_DECRYPTION_FAILED;
416 }
417 }
418
419 pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
420
421 length = ciphertext.size - hash_size - pad;
422
423 if (pad > ciphertext.size - hash_size)
424 {
425 MHD_gnutls_assert ();
426 /* We do not fail here. We check below for the
427 * the pad_failed. If zero means success.
428 */
429 pad_failed = GNUTLS_E_DECRYPTION_FAILED;
430 }
431
432 /* Check the pading bytes (TLS 1.x)
433 */
434 if (ver >= MHD_GNUTLS_PROTOCOL_TLS1_0 && pad_failed == 0)
435 for (i = 2; i < pad; i++)
436 {
437 if (ciphertext.data[ciphertext.size - i] !=
438 ciphertext.data[ciphertext.size - 1])
439 pad_failed = GNUTLS_E_DECRYPTION_FAILED;
440 }
441 break;
442 default:
443 MHD_gnutls_assert ();
444 return GNUTLS_E_INTERNAL_ERROR;
445 }
446
447 if (length < 0)
448 length = 0;
449 c_length = MHD_gtls_conv_uint16 ((uint16_t) length);
450
451 /* Pass the type, version, length and compressed through
452 * MAC.
453 */
454 if (td != GNUTLS_MAC_FAILED)
455 {
456 MHD_gnutls_hash (td,
457 UINT64DATA (session->connection_state.
458 read_sequence_number), 8);
459
460 MHD_gnutls_hash (td, &type, 1);
461 if (ver >= MHD_GNUTLS_PROTOCOL_TLS1_0)
462 { /* TLS 1.x */
463 MHD_gnutls_hash (td, &major, 1);
464 MHD_gnutls_hash (td, &minor, 1);
465 }
466 MHD_gnutls_hash (td, &c_length, 2);
467
468 if (length > 0)
469 MHD_gnutls_hash (td, ciphertext.data, length);
470
471 mac_deinit (td, MAC, ver);
472 }
473
474 /* This one was introduced to avoid a timing attack against the TLS
475 * 1.0 protocol.
476 */
477 if (pad_failed != 0)
478 return pad_failed;
479
480 /* HMAC was not the same.
481 */
482 if ( (td != GNUTLS_MAC_FAILED) &&
483 (memcmp (MAC, &ciphertext.data[length], hash_size) != 0) )
484 {
485 MHD_gnutls_assert ();
486 return GNUTLS_E_DECRYPTION_FAILED;
487 }
488
489 /* copy the decrypted stuff to compress_data.
490 */
491 if (compress_size < length)
492 {
493 MHD_gnutls_assert ();
494 return GNUTLS_E_DECOMPRESSION_FAILED;
495 }
496 memcpy (compress_data, ciphertext.data, length);
497
498 return length;
499}
diff --git a/src/daemon/https/tls/gnutls_cipher.h b/src/daemon/https/tls/gnutls_cipher.h
deleted file mode 100644
index b8dc0070..00000000
--- a/src/daemon/https/tls/gnutls_cipher.h
+++ /dev/null
@@ -1,41 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25int MHD_gtls_encrypt (MHD_gtls_session_t session, const opaque * headers,
26 size_t headers_size, const opaque * data,
27 size_t data_size, opaque * ciphertext,
28 size_t ciphertext_size, content_type_t type,
29 int random_pad);
30
31int MHD_gtls_decrypt (MHD_gtls_session_t session, opaque * ciphertext,
32 size_t ciphertext_size, uint8_t * data,
33 size_t data_size, content_type_t type);
34int MHD_gtls_compressed2ciphertext (MHD_gtls_session_t session,
35 opaque * cipher_data, int cipher_size,
36 MHD_gnutls_datum_t compressed,
37 content_type_t _type, int random_pad);
38int MHD_gtls_ciphertext2compressed (MHD_gtls_session_t session,
39 opaque * compress_data, int compress_size,
40 MHD_gnutls_datum_t ciphertext,
41 uint8_t type);
diff --git a/src/daemon/https/tls/gnutls_cipher_int.c b/src/daemon/https/tls/gnutls_cipher_int.c
deleted file mode 100644
index 7349436a..00000000
--- a/src/daemon/https/tls/gnutls_cipher_int.c
+++ /dev/null
@@ -1,109 +0,0 @@
1/*
2 * Copyright (C) 2000, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include <gnutls_errors.h>
27#include <gnutls_cipher_int.h>
28#include <gnutls_datum.h>
29
30cipher_hd_t
31MHD_gtls_cipher_init (enum MHD_GNUTLS_CipherAlgorithm cipher,
32 const MHD_gnutls_datum_t * key,
33 const MHD_gnutls_datum_t * iv)
34{
35 cipher_hd_t ret = NULL;
36 int err = GC_INVALID_CIPHER; /* doesn't matter */
37
38 switch (cipher)
39 {
40 case MHD_GNUTLS_CIPHER_AES_128_CBC:
41 err = MHD_gc_cipher_open (GC_AES128, GC_CBC, &ret);
42 break;
43 case MHD_GNUTLS_CIPHER_AES_256_CBC:
44 err = MHD_gc_cipher_open (GC_AES256, GC_CBC, &ret);
45 break;
46 case MHD_GNUTLS_CIPHER_3DES_CBC:
47 err = MHD_gc_cipher_open (GC_3DES, GC_CBC, &ret);
48 break;
49 case MHD_GNUTLS_CIPHER_ARCFOUR_128:
50 err = MHD_gc_cipher_open (GC_ARCFOUR128, GC_STREAM, &ret);
51 break;
52 default:
53 return NULL;
54 }
55
56 if (err == 0)
57 {
58 MHD_gc_cipher_setkey (ret, key->size, (const char *) key->data);
59 if (iv->data != NULL && iv->size > 0)
60 MHD_gc_cipher_setiv (ret, iv->size, (const char *) iv->data);
61 }
62 else if (cipher != MHD_GNUTLS_CIPHER_NULL)
63 {
64 MHD_gnutls_assert ();
65 MHD__gnutls_x509_log ("Crypto cipher[%d] error: %d\n", cipher, err);
66 /* FIXME: MHD_gc_strerror */
67 }
68
69 return ret;
70}
71
72int
73MHD_gtls_cipher_encrypt (cipher_hd_t handle, void *text, int textlen)
74{
75 if (handle != GNUTLS_CIPHER_FAILED)
76 {
77 if (MHD_gc_cipher_encrypt_inline (handle, textlen, text) != 0)
78 {
79 MHD_gnutls_assert ();
80 return GNUTLS_E_INTERNAL_ERROR;
81 }
82 }
83 return 0;
84}
85
86int
87MHD_gtls_cipher_decrypt (cipher_hd_t handle, void *ciphertext,
88 int ciphertextlen)
89{
90 if (handle != GNUTLS_CIPHER_FAILED)
91 {
92 if (MHD_gc_cipher_decrypt_inline (handle, ciphertextlen, ciphertext) !=
93 0)
94 {
95 MHD_gnutls_assert ();
96 return GNUTLS_E_INTERNAL_ERROR;
97 }
98 }
99 return 0;
100}
101
102void
103MHD_gnutls_cipher_deinit (cipher_hd_t handle)
104{
105 if (handle != GNUTLS_CIPHER_FAILED)
106 {
107 MHD_gc_cipher_close (handle);
108 }
109}
diff --git a/src/daemon/https/tls/gnutls_cipher_int.h b/src/daemon/https/tls/gnutls_cipher_int.h
deleted file mode 100644
index f00f945f..00000000
--- a/src/daemon/https/tls/gnutls_cipher_int.h
+++ /dev/null
@@ -1,43 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef GNUTLS_CIPHER_INT
26# define GNUTLS_CIPHER_INT
27
28#define cipher_hd_t MHD_gc_cipher_handle
29#define GNUTLS_CIPHER_FAILED NULL
30
31// TODO MHD_gc_cipher_handle -> void * x3
32void *MHD_gtls_cipher_init (enum MHD_GNUTLS_CipherAlgorithm cipher,
33 const MHD_gnutls_datum_t * key,
34 const MHD_gnutls_datum_t * iv);
35
36int MHD_gtls_cipher_encrypt (void *handle, void *text, int textlen);
37
38int MHD_gtls_cipher_decrypt (void *handle,
39 void *ciphertext, int ciphertextlen);
40
41void MHD_gnutls_cipher_deinit (void *handle);
42
43#endif /* GNUTLS_CIPHER_INT */
diff --git a/src/daemon/https/tls/gnutls_constate.c b/src/daemon/https/tls/gnutls_constate.c
deleted file mode 100644
index 845abfe9..00000000
--- a/src/daemon/https/tls/gnutls_constate.c
+++ /dev/null
@@ -1,999 +0,0 @@
1/*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* Functions that are supposed to run after the handshake procedure is
26 * finished. These functions activate the established security parameters.
27 */
28
29#include "MHD_config.h"
30#include <gnutls_int.h>
31#include <gnutls_constate.h>
32#include <gnutls_errors.h>
33#include <gnutls_kx.h>
34#include <gnutls_algorithms.h>
35#include <gnutls_num.h>
36#include <gnutls_datum.h>
37#include <gnutls_state.h>
38
39static const char keyexp[] = "key expansion";
40static const int keyexp_length = sizeof (keyexp) - 1;
41
42static const char ivblock[] = "IV block";
43static const int ivblock_length = sizeof (ivblock) - 1;
44
45static const char cliwrite[] = "client write key";
46static const int cliwrite_length = sizeof (cliwrite) - 1;
47
48static const char servwrite[] = "server write key";
49static const int servwrite_length = sizeof (servwrite) - 1;
50
51#define EXPORT_FINAL_KEY_SIZE 16
52
53/* This function is to be called after handshake, when master_secret,
54 * client_random and server_random have been initialized.
55 * This function creates the keys and stores them into pending session.
56 * (session->cipher_specs)
57 */
58int
59MHD__gnutls_set_keys (MHD_gtls_session_t session, int hash_size, int IV_size,
60 int key_size, int export_flag)
61{
62 opaque *key_block;
63 opaque rnd[2 * TLS_RANDOM_SIZE];
64 opaque rrnd[2 * TLS_RANDOM_SIZE];
65 int pos, ret;
66 int block_size;
67 char buf[65];
68
69 if (session->cipher_specs.generated_keys != 0)
70 {
71 /* keys have already been generated.
72 * reset generated_keys and exit normally.
73 */
74 session->cipher_specs.generated_keys = 0;
75 return 0;
76 }
77
78 block_size = 2 * hash_size + 2 * key_size;
79 if (export_flag == 0)
80 block_size += 2 * IV_size;
81
82 key_block = MHD_gnutls_secure_malloc (block_size);
83 if (key_block == NULL)
84 {
85 MHD_gnutls_assert ();
86 return GNUTLS_E_MEMORY_ERROR;
87 }
88
89 memcpy (rnd, session->security_parameters.server_random, TLS_RANDOM_SIZE);
90 memcpy (&rnd[TLS_RANDOM_SIZE],
91 session->security_parameters.client_random, TLS_RANDOM_SIZE);
92
93 memcpy (rrnd, session->security_parameters.client_random, TLS_RANDOM_SIZE);
94 memcpy (&rrnd[TLS_RANDOM_SIZE],
95 session->security_parameters.server_random, TLS_RANDOM_SIZE);
96
97 if (session->security_parameters.version == MHD_GNUTLS_PROTOCOL_SSL3)
98 { /* SSL 3 */
99 ret =
100 MHD_gnutls_ssl3_generate_random
101 (session->security_parameters.master_secret, TLS_MASTER_SIZE, rnd,
102 2 * TLS_RANDOM_SIZE, block_size, key_block);
103 }
104 else
105 { /* TLS 1.0 */
106 ret =
107 MHD_gtls_PRF (session,
108 (const unsigned char *) session->
109 security_parameters.master_secret, TLS_MASTER_SIZE,
110 keyexp, keyexp_length, rnd, 2 * TLS_RANDOM_SIZE,
111 block_size, key_block);
112 }
113
114 if (ret < 0)
115 {
116 MHD_gnutls_assert ();
117 MHD_gnutls_free (key_block);
118 return ret;
119 }
120
121 MHD__gnutls_hard_log ("INT: KEY BLOCK[%d]: %s\n", block_size,
122 MHD_gtls_bin2hex (key_block, block_size, buf,
123 sizeof (buf)));
124
125 pos = 0;
126 if (hash_size > 0)
127 {
128 if (MHD__gnutls_sset_datum
129 (&session->cipher_specs.client_write_mac_secret,
130 &key_block[pos], hash_size) < 0)
131 {
132 MHD_gnutls_free (key_block);
133 return GNUTLS_E_MEMORY_ERROR;
134 }
135 pos += hash_size;
136
137 if (MHD__gnutls_sset_datum
138 (&session->cipher_specs.server_write_mac_secret,
139 &key_block[pos], hash_size) < 0)
140 {
141 MHD_gnutls_free (key_block);
142 return GNUTLS_E_MEMORY_ERROR;
143 }
144 pos += hash_size;
145 }
146
147 if (key_size > 0)
148 {
149 opaque *client_write_key, *server_write_key;
150 int client_write_key_size, server_write_key_size;
151 int free_keys = 0;
152
153 if (export_flag == 0)
154 {
155 client_write_key = &key_block[pos];
156 client_write_key_size = key_size;
157
158 pos += key_size;
159
160 server_write_key = &key_block[pos];
161 server_write_key_size = key_size;
162
163 pos += key_size;
164
165 }
166 else
167 { /* export */
168 free_keys = 1;
169
170 client_write_key = MHD_gnutls_secure_malloc (EXPORT_FINAL_KEY_SIZE);
171 if (client_write_key == NULL)
172 {
173 MHD_gnutls_assert ();
174 MHD_gnutls_free (key_block);
175 return GNUTLS_E_MEMORY_ERROR;
176 }
177
178 server_write_key = MHD_gnutls_secure_malloc (EXPORT_FINAL_KEY_SIZE);
179 if (server_write_key == NULL)
180 {
181 MHD_gnutls_assert ();
182 MHD_gnutls_free (key_block);
183 MHD_gnutls_free (client_write_key);
184 return GNUTLS_E_MEMORY_ERROR;
185 }
186
187 /* generate the final keys */
188
189 if (session->security_parameters.version ==
190 MHD_GNUTLS_PROTOCOL_SSL3)
191 { /* SSL 3 */
192 ret =
193 MHD_gnutls_ssl3_hash_md5 (&key_block[pos],
194 key_size, rrnd,
195 2 * TLS_RANDOM_SIZE,
196 EXPORT_FINAL_KEY_SIZE,
197 client_write_key);
198
199 }
200 else
201 { /* TLS 1.0 */
202 ret =
203 MHD_gtls_PRF (session, &key_block[pos], key_size,
204 cliwrite, cliwrite_length,
205 rrnd,
206 2 * TLS_RANDOM_SIZE,
207 EXPORT_FINAL_KEY_SIZE, client_write_key);
208 }
209
210 if (ret < 0)
211 {
212 MHD_gnutls_assert ();
213 MHD_gnutls_free (key_block);
214 MHD_gnutls_free (server_write_key);
215 MHD_gnutls_free (client_write_key);
216 return ret;
217 }
218
219 client_write_key_size = EXPORT_FINAL_KEY_SIZE;
220 pos += key_size;
221
222 if (session->security_parameters.version ==
223 MHD_GNUTLS_PROTOCOL_SSL3)
224 { /* SSL 3 */
225 ret =
226 MHD_gnutls_ssl3_hash_md5 (&key_block[pos], key_size,
227 rnd, 2 * TLS_RANDOM_SIZE,
228 EXPORT_FINAL_KEY_SIZE,
229 server_write_key);
230 }
231 else
232 { /* TLS 1.0 */
233 ret =
234 MHD_gtls_PRF (session, &key_block[pos], key_size,
235 servwrite, servwrite_length,
236 rrnd, 2 * TLS_RANDOM_SIZE,
237 EXPORT_FINAL_KEY_SIZE, server_write_key);
238 }
239
240 if (ret < 0)
241 {
242 MHD_gnutls_assert ();
243 MHD_gnutls_free (key_block);
244 MHD_gnutls_free (server_write_key);
245 MHD_gnutls_free (client_write_key);
246 return ret;
247 }
248
249 server_write_key_size = EXPORT_FINAL_KEY_SIZE;
250 pos += key_size;
251 }
252
253 if (MHD__gnutls_sset_datum
254 (&session->cipher_specs.client_write_key,
255 client_write_key, client_write_key_size) < 0)
256 {
257 MHD_gnutls_free (key_block);
258 MHD_gnutls_free (server_write_key);
259 MHD_gnutls_free (client_write_key);
260 return GNUTLS_E_MEMORY_ERROR;
261 }
262 MHD__gnutls_hard_log ("INT: CLIENT WRITE KEY [%d]: %s\n",
263 client_write_key_size,
264 MHD_gtls_bin2hex (client_write_key,
265 client_write_key_size, buf,
266 sizeof (buf)));
267
268 if (MHD__gnutls_sset_datum
269 (&session->cipher_specs.server_write_key,
270 server_write_key, server_write_key_size) < 0)
271 {
272 MHD_gnutls_free (key_block);
273 MHD_gnutls_free (server_write_key);
274 MHD_gnutls_free (client_write_key);
275 return GNUTLS_E_MEMORY_ERROR;
276 }
277
278 MHD__gnutls_hard_log ("INT: SERVER WRITE KEY [%d]: %s\n",
279 server_write_key_size,
280 MHD_gtls_bin2hex (server_write_key,
281 server_write_key_size, buf,
282 sizeof (buf)));
283
284 if (free_keys != 0)
285 {
286 MHD_gnutls_free (server_write_key);
287 MHD_gnutls_free (client_write_key);
288 }
289 }
290
291
292 /* IV generation in export and non export ciphers.
293 */
294 if (IV_size > 0 && export_flag == 0)
295 {
296 if (MHD__gnutls_sset_datum
297 (&session->cipher_specs.client_write_IV, &key_block[pos],
298 IV_size) < 0)
299 {
300 MHD_gnutls_free (key_block);
301 return GNUTLS_E_MEMORY_ERROR;
302 }
303 pos += IV_size;
304
305 if (MHD__gnutls_sset_datum
306 (&session->cipher_specs.server_write_IV, &key_block[pos],
307 IV_size) < 0)
308 {
309 MHD_gnutls_free (key_block);
310 return GNUTLS_E_MEMORY_ERROR;
311 }
312 pos += IV_size;
313
314 }
315 else if (IV_size > 0 && export_flag != 0)
316 {
317 opaque *iv_block = MHD_gnutls_alloca (IV_size * 2);
318 if (iv_block == NULL)
319 {
320 MHD_gnutls_assert ();
321 MHD_gnutls_free (key_block);
322 return GNUTLS_E_MEMORY_ERROR;
323 }
324
325 if (session->security_parameters.version == MHD_GNUTLS_PROTOCOL_SSL3)
326 { /* SSL 3 */
327 ret = MHD_gnutls_ssl3_hash_md5 ("", 0,
328 rrnd, TLS_RANDOM_SIZE * 2,
329 IV_size, iv_block);
330
331 if (ret < 0)
332 {
333 MHD_gnutls_assert ();
334 MHD_gnutls_free (key_block);
335 MHD_gnutls_afree (iv_block);
336 return ret;
337 }
338
339 ret = MHD_gnutls_ssl3_hash_md5 ("", 0, rnd,
340 TLS_RANDOM_SIZE * 2,
341 IV_size, &iv_block[IV_size]);
342
343 }
344 else
345 { /* TLS 1.0 */
346 ret = MHD_gtls_PRF (session, (const unsigned char *) "", 0,
347 ivblock, ivblock_length, rrnd,
348 2 * TLS_RANDOM_SIZE, IV_size * 2, iv_block);
349 }
350
351 if (ret < 0)
352 {
353 MHD_gnutls_assert ();
354 MHD_gnutls_afree (iv_block);
355 MHD_gnutls_free (key_block);
356 return ret;
357 }
358
359 if (MHD__gnutls_sset_datum
360 (&session->cipher_specs.client_write_IV, iv_block, IV_size) < 0)
361 {
362 MHD_gnutls_afree (iv_block);
363 MHD_gnutls_free (key_block);
364 return GNUTLS_E_MEMORY_ERROR;
365 }
366
367 if (MHD__gnutls_sset_datum
368 (&session->cipher_specs.server_write_IV,
369 &iv_block[IV_size], IV_size) < 0)
370 {
371 MHD_gnutls_afree (iv_block);
372 MHD_gnutls_free (key_block);
373 return GNUTLS_E_MEMORY_ERROR;
374 }
375
376 MHD_gnutls_afree (iv_block);
377 }
378
379 MHD_gnutls_free (key_block);
380
381 session->cipher_specs.generated_keys = 1;
382
383 return 0;
384}
385
386int
387MHD__gnutls_set_read_keys (MHD_gtls_session_t session)
388{
389 int hash_size;
390 int IV_size;
391 int key_size, export_flag;
392 enum MHD_GNUTLS_CipherAlgorithm algo;
393 enum MHD_GNUTLS_HashAlgorithm mac_algo;
394
395 mac_algo = session->security_parameters.read_mac_algorithm;
396 algo = session->security_parameters.read_bulk_cipher_algorithm;
397
398 hash_size = MHD_gnutls_hash_get_algo_len (mac_algo);
399 IV_size = MHD_gtls_cipher_get_iv_size (algo);
400 key_size = MHD__gnutls_cipher_get_key_size (algo);
401 export_flag = MHD_gtls_cipher_get_export_flag (algo);
402
403 return MHD__gnutls_set_keys (session, hash_size, IV_size, key_size,
404 export_flag);
405}
406
407int
408MHD__gnutls_set_write_keys (MHD_gtls_session_t session)
409{
410 int hash_size;
411 int IV_size;
412 int key_size, export_flag;
413 enum MHD_GNUTLS_CipherAlgorithm algo;
414 enum MHD_GNUTLS_HashAlgorithm mac_algo;
415
416 mac_algo = session->security_parameters.write_mac_algorithm;
417 algo = session->security_parameters.write_bulk_cipher_algorithm;
418
419 hash_size = MHD_gnutls_hash_get_algo_len (mac_algo);
420 IV_size = MHD_gtls_cipher_get_iv_size (algo);
421 key_size = MHD__gnutls_cipher_get_key_size (algo);
422 export_flag = MHD_gtls_cipher_get_export_flag (algo);
423
424 return MHD__gnutls_set_keys (session, hash_size, IV_size, key_size,
425 export_flag);
426}
427
428#define CPY_COMMON dst->entity = src->entity; \
429 dst->kx_algorithm = src->kx_algorithm; \
430 memcpy( &dst->current_cipher_suite, &src->current_cipher_suite, sizeof(cipher_suite_st)); \
431 memcpy( dst->master_secret, src->master_secret, TLS_MASTER_SIZE); \
432 memcpy( dst->client_random, src->client_random, TLS_RANDOM_SIZE); \
433 memcpy( dst->server_random, src->server_random, TLS_RANDOM_SIZE); \
434 memcpy( dst->session_id, src->session_id, TLS_MAX_SESSION_ID_SIZE); \
435 dst->session_id_size = src->session_id_size; \
436 dst->cert_type = src->cert_type; \
437 dst->timestamp = src->timestamp; \
438 dst->max_record_recv_size = src->max_record_recv_size; \
439 dst->max_record_send_size = src->max_record_send_size; \
440 dst->version = src->version; \
441 memcpy( &dst->extensions, &src->extensions, sizeof(MHD_gtls_ext_st)); \
442 memcpy( &dst->inner_secret, &src->inner_secret, TLS_MASTER_SIZE);
443
444static void
445MHD__gnutls_cpy_read_security_parameters (MHD_gtls_security_param_st *
446 dst,
447 MHD_gtls_security_param_st * src)
448{
449 CPY_COMMON;
450
451 dst->read_bulk_cipher_algorithm = src->read_bulk_cipher_algorithm;
452 dst->read_mac_algorithm = src->read_mac_algorithm;
453 dst->read_compression_algorithm = src->read_compression_algorithm;
454}
455
456static void
457MHD__gnutls_cpy_write_security_parameters (MHD_gtls_security_param_st *
458 dst,
459 MHD_gtls_security_param_st * src)
460{
461 CPY_COMMON;
462
463 dst->write_bulk_cipher_algorithm = src->write_bulk_cipher_algorithm;
464 dst->write_mac_algorithm = src->write_mac_algorithm;
465 dst->write_compression_algorithm = src->write_compression_algorithm;
466}
467
468/* Sets the current connection session to conform with the
469 * Security parameters(pending session), and initializes encryption.
470 * Actually it initializes and starts encryption ( so it needs
471 * secrets and random numbers to have been negotiated)
472 * This is to be called after sending the Change Cipher Spec packet.
473 */
474int
475MHD_gtls_connection_state_init (MHD_gtls_session_t session)
476{
477 int ret;
478
479/* Setup the master secret
480 */
481 if ((ret = MHD_gtls_generate_master (session, 0), 0) < 0)
482 {
483 MHD_gnutls_assert ();
484 return ret;
485 }
486
487
488 return 0;
489}
490
491
492/* Initializes the read connection session
493 * (read encrypted data)
494 */
495int
496MHD_gtls_read_connection_state_init (MHD_gtls_session_t session)
497{
498 int mac_size;
499 int rc;
500
501 MHD__gnutls_uint64zero (session->connection_state.read_sequence_number);
502
503/* Update internals from CipherSuite selected.
504 * If we are resuming just copy the connection session
505 */
506 if (session->internals.resumed == RESUME_FALSE)
507 {
508 rc = MHD_gtls_set_read_cipher (session,
509 MHD_gtls_cipher_suite_get_cipher_algo
510 (&session->security_parameters.
511 current_cipher_suite));
512 if (rc < 0)
513 return rc;
514 rc = MHD_gtls_set_read_mac (session,
515 MHD_gtls_cipher_suite_get_mac_algo
516 (&session->security_parameters.
517 current_cipher_suite));
518 if (rc < 0)
519 return rc;
520
521 rc = MHD_gtls_set_kx (session,
522 MHD_gtls_cipher_suite_get_kx_algo
523 (&session->security_parameters.
524 current_cipher_suite));
525 if (rc < 0)
526 return rc;
527
528 rc = MHD_gtls_set_read_compression (session,
529 session->internals.
530 compression_method);
531 if (rc < 0)
532 return rc;
533 }
534 else
535 { /* RESUME_TRUE */
536 MHD__gnutls_cpy_read_security_parameters (&session->security_parameters,
537 &session->internals.
538 resumed_security_parameters);
539 }
540
541
542 rc = MHD__gnutls_set_read_keys (session);
543 if (rc < 0)
544 return rc;
545
546 MHD__gnutls_handshake_log ("HSK[%x]: Cipher Suite: %s\n",
547 session,
548 MHD_gtls_cipher_suite_get_name
549 (&session->security_parameters.
550 current_cipher_suite));
551
552 if (MHD_gtls_compression_is_ok
553 (session->security_parameters.read_compression_algorithm) != 0)
554 {
555 MHD_gnutls_assert ();
556 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
557 }
558
559 if (MHD_gnutls_mac_is_ok
560 (session->security_parameters.read_mac_algorithm) != 0)
561 {
562 MHD_gnutls_assert ();
563 return GNUTLS_E_INTERNAL_ERROR;
564 }
565
566 /* Free all the previous keys/ sessions etc.
567 */
568 if (session->connection_state.read_mac_secret.data != NULL)
569 MHD__gnutls_free_datum (&session->connection_state.read_mac_secret);
570
571 if (session->connection_state.read_cipher_state != NULL)
572 MHD_gnutls_cipher_deinit (session->connection_state.read_cipher_state);
573
574 mac_size =
575 MHD_gnutls_hash_get_algo_len (session->security_parameters.
576 read_mac_algorithm);
577
578 MHD__gnutls_handshake_log
579 ("HSK[%x]: Initializing internal [read] cipher sessions\n", session);
580
581 switch (session->security_parameters.entity)
582 {
583 case GNUTLS_SERVER:
584 /* initialize cipher session
585 */
586 session->connection_state.read_cipher_state =
587 MHD_gtls_cipher_init (session->security_parameters.
588 read_bulk_cipher_algorithm,
589 &session->cipher_specs.client_write_key,
590 &session->cipher_specs.client_write_IV);
591 if (session->connection_state.read_cipher_state == GNUTLS_CIPHER_FAILED
592 && session->security_parameters.read_bulk_cipher_algorithm !=
593 MHD_GNUTLS_CIPHER_NULL)
594 {
595 MHD_gnutls_assert ();
596 return GNUTLS_E_INTERNAL_ERROR;
597 }
598
599 /* copy mac secrets from cipherspecs, to connection
600 * session.
601 */
602 if (mac_size > 0)
603 {
604 if (MHD__gnutls_sset_datum
605 (&session->connection_state.read_mac_secret,
606 session->cipher_specs.client_write_mac_secret.data,
607 session->cipher_specs.client_write_mac_secret.size) < 0)
608 {
609 MHD_gnutls_assert ();
610 return GNUTLS_E_MEMORY_ERROR;
611 }
612
613 }
614
615 break;
616#if MHD_DEBUG_TLS
617 case GNUTLS_CLIENT:
618 session->connection_state.read_cipher_state =
619 MHD_gtls_cipher_init (session->security_parameters.
620 read_bulk_cipher_algorithm,
621 &session->cipher_specs.server_write_key,
622 &session->cipher_specs.server_write_IV);
623
624 if (session->connection_state.read_cipher_state ==
625 GNUTLS_CIPHER_FAILED
626 && session->security_parameters.read_bulk_cipher_algorithm !=
627 MHD_GNUTLS_CIPHER_NULL)
628 {
629 MHD_gnutls_assert ();
630 return GNUTLS_E_INTERNAL_ERROR;
631 }
632
633
634 /* copy mac secret to connection session
635 */
636 if (mac_size > 0)
637 {
638 if (MHD__gnutls_sset_datum
639 (&session->connection_state.read_mac_secret,
640 session->cipher_specs.server_write_mac_secret.data,
641 session->cipher_specs.server_write_mac_secret.size) < 0)
642 {
643 MHD_gnutls_assert ();
644 return GNUTLS_E_MEMORY_ERROR;
645 }
646 }
647
648 break;
649#endif
650 default: /* this check is useless */
651 MHD_gnutls_assert ();
652 return GNUTLS_E_INTERNAL_ERROR;
653 }
654
655 return 0;
656}
657
658
659
660/* Initializes the write connection session
661 * (write encrypted data)
662 */
663int
664MHD_gtls_write_connection_state_init (MHD_gtls_session_t session)
665{
666 int mac_size;
667 int rc;
668
669 MHD__gnutls_uint64zero (session->connection_state.write_sequence_number);
670
671/* Update internals from CipherSuite selected.
672 * If we are resuming just copy the connection session
673 */
674 if (session->internals.resumed == RESUME_FALSE)
675 {
676 rc = MHD_gtls_set_write_cipher (session,
677 MHD_gtls_cipher_suite_get_cipher_algo
678 (&session->security_parameters.
679 current_cipher_suite));
680 if (rc < 0)
681 return rc;
682 rc = MHD_gtls_set_write_mac (session,
683 MHD_gtls_cipher_suite_get_mac_algo
684 (&session->security_parameters.
685 current_cipher_suite));
686 if (rc < 0)
687 return rc;
688
689 rc = MHD_gtls_set_kx (session,
690 MHD_gtls_cipher_suite_get_kx_algo
691 (&session->security_parameters.
692 current_cipher_suite));
693 if (rc < 0)
694 return rc;
695
696 rc = MHD_gtls_set_write_compression (session,
697 session->internals.
698 compression_method);
699 if (rc < 0)
700 return rc;
701 }
702 else
703 { /* RESUME_TRUE */
704 MHD__gnutls_cpy_write_security_parameters
705 (&session->security_parameters,
706 &session->internals.resumed_security_parameters);
707 }
708
709 rc = MHD__gnutls_set_write_keys (session);
710 if (rc < 0)
711 return rc;
712
713 MHD__gnutls_handshake_log ("HSK[%x]: Cipher Suite: %s\n", session,
714 MHD_gtls_cipher_suite_get_name
715 (&session->security_parameters.
716 current_cipher_suite));
717
718 if (MHD_gtls_compression_is_ok
719 (session->security_parameters.write_compression_algorithm) != 0)
720 {
721 MHD_gnutls_assert ();
722 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
723 }
724
725 if (MHD_gnutls_mac_is_ok
726 (session->security_parameters.write_mac_algorithm) != 0)
727 {
728 MHD_gnutls_assert ();
729 return GNUTLS_E_INTERNAL_ERROR;
730 }
731
732
733
734 /* Free all the previous keys/ sessions etc.
735 */
736 if (session->connection_state.write_mac_secret.data != NULL)
737 MHD__gnutls_free_datum (&session->connection_state.write_mac_secret);
738
739 if (session->connection_state.write_cipher_state != NULL)
740 MHD_gnutls_cipher_deinit (session->connection_state.write_cipher_state);
741
742 mac_size =
743 MHD_gnutls_hash_get_algo_len (session->security_parameters.
744 write_mac_algorithm);
745
746 MHD__gnutls_handshake_log
747 ("HSK[%x]: Initializing internal [write] cipher sessions\n", session);
748
749 switch (session->security_parameters.entity)
750 {
751 case GNUTLS_SERVER:
752 /* initialize cipher session
753 */
754 session->connection_state.write_cipher_state =
755 MHD_gtls_cipher_init (session->security_parameters.
756 write_bulk_cipher_algorithm,
757 &session->cipher_specs.server_write_key,
758 &session->cipher_specs.server_write_IV);
759
760 if (session->connection_state.write_cipher_state ==
761 GNUTLS_CIPHER_FAILED
762 && session->security_parameters.write_bulk_cipher_algorithm !=
763 MHD_GNUTLS_CIPHER_NULL)
764 {
765 MHD_gnutls_assert ();
766 return GNUTLS_E_INTERNAL_ERROR;
767 }
768
769
770 /* copy mac secrets from cipherspecs, to connection
771 * session.
772 */
773 if (mac_size > 0)
774 {
775 if (MHD__gnutls_sset_datum
776 (&session->connection_state.write_mac_secret,
777 session->cipher_specs.server_write_mac_secret.data,
778 session->cipher_specs.server_write_mac_secret.size) < 0)
779 {
780 MHD_gnutls_assert ();
781 return GNUTLS_E_MEMORY_ERROR;
782 }
783
784 }
785
786
787 break;
788#if MHD_DEBUG_TLS
789 case GNUTLS_CLIENT:
790 session->connection_state.write_cipher_state =
791 MHD_gtls_cipher_init (session->security_parameters.
792 write_bulk_cipher_algorithm,
793 &session->cipher_specs.client_write_key,
794 &session->cipher_specs.client_write_IV);
795
796 if (session->connection_state.write_cipher_state ==
797 GNUTLS_CIPHER_FAILED
798 && session->security_parameters.write_bulk_cipher_algorithm !=
799 MHD_GNUTLS_CIPHER_NULL)
800 {
801 MHD_gnutls_assert ();
802 return GNUTLS_E_INTERNAL_ERROR;
803 }
804
805 /* copy mac secret to connection session
806 */
807 if (mac_size > 0)
808 {
809 if (MHD__gnutls_sset_datum
810 (&session->connection_state.write_mac_secret,
811 session->cipher_specs.client_write_mac_secret.data,
812 session->cipher_specs.client_write_mac_secret.size) < 0)
813 {
814 MHD_gnutls_assert ();
815 return GNUTLS_E_MEMORY_ERROR;
816 }
817 }
818
819 break;
820#endif
821 default:
822 MHD_gnutls_assert ();
823 return GNUTLS_E_INTERNAL_ERROR;
824 }
825
826
827 return 0;
828}
829
830/* Sets the specified cipher into the pending session
831 */
832int
833MHD_gtls_set_read_cipher (MHD_gtls_session_t session,
834 enum MHD_GNUTLS_CipherAlgorithm algo)
835{
836
837 if (MHD_gtls_cipher_is_ok (algo) == 0)
838 {
839 if (MHD_gtls_cipher_priority (session, algo) < 0)
840 {
841 MHD_gnutls_assert ();
842 return GNUTLS_E_UNWANTED_ALGORITHM;
843 }
844
845 session->security_parameters.read_bulk_cipher_algorithm = algo;
846
847 }
848 else
849 {
850 MHD_gnutls_assert ();
851 return GNUTLS_E_INTERNAL_ERROR;
852 }
853
854 return 0;
855
856}
857
858int
859MHD_gtls_set_write_cipher (MHD_gtls_session_t session,
860 enum MHD_GNUTLS_CipherAlgorithm algo)
861{
862
863 if (MHD_gtls_cipher_is_ok (algo) == 0)
864 {
865 if (MHD_gtls_cipher_priority (session, algo) < 0)
866 {
867 MHD_gnutls_assert ();
868 return GNUTLS_E_UNWANTED_ALGORITHM;
869 }
870
871 session->security_parameters.write_bulk_cipher_algorithm = algo;
872
873 }
874 else
875 {
876 MHD_gnutls_assert ();
877 return GNUTLS_E_INTERNAL_ERROR;
878 }
879
880 return 0;
881
882}
883
884
885/* Sets the specified algorithm into pending compression session
886 */
887int
888MHD_gtls_set_read_compression (MHD_gtls_session_t session,
889 enum MHD_GNUTLS_CompressionMethod algo)
890{
891
892 if (MHD_gtls_compression_is_ok (algo) == 0)
893 {
894 session->security_parameters.read_compression_algorithm = algo;
895 }
896 else
897 {
898 MHD_gnutls_assert ();
899 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
900 }
901 return 0;
902
903}
904
905int
906MHD_gtls_set_write_compression (MHD_gtls_session_t session,
907 enum MHD_GNUTLS_CompressionMethod algo)
908{
909
910 if (MHD_gtls_compression_is_ok (algo) == 0)
911 {
912 session->security_parameters.write_compression_algorithm = algo;
913 }
914 else
915 {
916 MHD_gnutls_assert ();
917 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
918 }
919 return 0;
920
921}
922
923/* Sets the specified kx algorithm into pending session
924 */
925int
926MHD_gtls_set_kx (MHD_gtls_session_t session,
927 enum MHD_GNUTLS_KeyExchangeAlgorithm algo)
928{
929
930 if (MHD_gtls_kx_is_ok (algo) == 0)
931 {
932 session->security_parameters.kx_algorithm = algo;
933 }
934 else
935 {
936 MHD_gnutls_assert ();
937 return GNUTLS_E_INTERNAL_ERROR;
938 }
939 if (MHD_gtls_kx_priority (session, algo) < 0)
940 {
941 MHD_gnutls_assert ();
942 /* we shouldn't get here */
943 return GNUTLS_E_UNWANTED_ALGORITHM;
944 }
945
946 return 0;
947
948}
949
950/* Sets the specified mac algorithm into pending session */
951int
952MHD_gtls_set_read_mac (MHD_gtls_session_t session,
953 enum MHD_GNUTLS_HashAlgorithm algo)
954{
955
956 if (MHD_gnutls_mac_is_ok (algo) == 0)
957 {
958 session->security_parameters.read_mac_algorithm = algo;
959 }
960 else
961 {
962 MHD_gnutls_assert ();
963 return GNUTLS_E_INTERNAL_ERROR;
964 }
965 if (MHD_gtls_mac_priority (session, algo) < 0)
966 {
967 MHD_gnutls_assert ();
968 return GNUTLS_E_UNWANTED_ALGORITHM;
969 }
970
971
972 return 0;
973
974}
975
976int
977MHD_gtls_set_write_mac (MHD_gtls_session_t session,
978 enum MHD_GNUTLS_HashAlgorithm algo)
979{
980
981 if (MHD_gnutls_mac_is_ok (algo) == 0)
982 {
983 session->security_parameters.write_mac_algorithm = algo;
984 }
985 else
986 {
987 MHD_gnutls_assert ();
988 return GNUTLS_E_INTERNAL_ERROR;
989 }
990 if (MHD_gtls_mac_priority (session, algo) < 0)
991 {
992 MHD_gnutls_assert ();
993 return GNUTLS_E_UNWANTED_ALGORITHM;
994 }
995
996
997 return 0;
998
999}
diff --git a/src/daemon/https/tls/gnutls_constate.h b/src/daemon/https/tls/gnutls_constate.h
deleted file mode 100644
index 59b67249..00000000
--- a/src/daemon/https/tls/gnutls_constate.h
+++ /dev/null
@@ -1,41 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25int MHD_gtls_connection_state_init (MHD_gtls_session_t session);
26int MHD_gtls_read_connection_state_init (MHD_gtls_session_t session);
27int MHD_gtls_write_connection_state_init (MHD_gtls_session_t session);
28int MHD_gtls_set_write_cipher (MHD_gtls_session_t session,
29 enum MHD_GNUTLS_CipherAlgorithm algo);
30int MHD_gtls_set_write_mac (MHD_gtls_session_t session,
31 enum MHD_GNUTLS_HashAlgorithm algo);
32int MHD_gtls_set_read_cipher (MHD_gtls_session_t session,
33 enum MHD_GNUTLS_CipherAlgorithm algo);
34int MHD_gtls_set_read_mac (MHD_gtls_session_t session,
35 enum MHD_GNUTLS_HashAlgorithm algo);
36int MHD_gtls_set_read_compression (MHD_gtls_session_t session,
37 enum MHD_GNUTLS_CompressionMethod algo);
38int MHD_gtls_set_write_compression (MHD_gtls_session_t session,
39 enum MHD_GNUTLS_CompressionMethod algo);
40int MHD_gtls_set_kx (MHD_gtls_session_t session,
41 enum MHD_GNUTLS_KeyExchangeAlgorithm algo);
diff --git a/src/daemon/https/tls/gnutls_datum.c b/src/daemon/https/tls/gnutls_datum.c
deleted file mode 100644
index 2f03da3b..00000000
--- a/src/daemon/https/tls/gnutls_datum.c
+++ /dev/null
@@ -1,82 +0,0 @@
1/*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* contains functions that make it easier to
26 * write vectors of <size|data>. The destination size
27 * should be preallocated (datum.size+(bits/8))
28 */
29
30#include <gnutls_int.h>
31#include <gnutls_num.h>
32#include <gnutls_datum.h>
33#include <gnutls_errors.h>
34
35
36void
37MHD_gtls_write_datum16 (opaque * dest, MHD_gnutls_datum_t dat)
38{
39 MHD_gtls_write_uint16 (dat.size, dest);
40 if (dat.data != NULL)
41 memcpy (&dest[2], dat.data, dat.size);
42}
43
44void
45MHD_gtls_write_datum24 (opaque * dest, MHD_gnutls_datum_t dat)
46{
47 MHD_gtls_write_uint24 (dat.size, dest);
48 if (dat.data != NULL)
49 memcpy (&dest[3], dat.data, dat.size);
50}
51
52int
53MHD_gtls_set_datum_m (MHD_gnutls_datum_t * dat, const void *data,
54 size_t data_size, MHD_gnutls_alloc_function galloc_func)
55{
56 if (data_size == 0 || data == NULL)
57 {
58 dat->data = NULL;
59 dat->size = 0;
60 return 0;
61 }
62
63 dat->data = galloc_func (data_size);
64 if (dat->data == NULL)
65 return GNUTLS_E_MEMORY_ERROR;
66
67 dat->size = data_size;
68 memcpy (dat->data, data, data_size);
69
70 return 0;
71}
72
73void
74MHD_gtls_free_datum_m (MHD_gnutls_datum_t * dat,
75 MHD_gnutls_free_function gfree_func)
76{
77 if (dat->data != NULL)
78 gfree_func (dat->data);
79
80 dat->data = NULL;
81 dat->size = 0;
82}
diff --git a/src/daemon/https/tls/gnutls_datum.h b/src/daemon/https/tls/gnutls_datum.h
deleted file mode 100644
index c6813216..00000000
--- a/src/daemon/https/tls/gnutls_datum.h
+++ /dev/null
@@ -1,38 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24#include "gnutls_int.h"
25
26void MHD_gtls_write_datum16 (opaque * dest, MHD_gnutls_datum_t dat);
27void MHD_gtls_write_datum24 (opaque * dest, MHD_gnutls_datum_t dat);
28
29int MHD_gtls_set_datum_m (MHD_gnutls_datum_t * dat, const void *data,
30 size_t data_size, MHD_gnutls_alloc_function);
31#define MHD__gnutls_set_datum( x, y, z) MHD_gtls_set_datum_m(x,y,z, MHD_gnutls_malloc)
32#define MHD__gnutls_sset_datum( x, y, z) MHD_gtls_set_datum_m(x,y,z, MHD_gnutls_secure_malloc)
33
34#define MHD__gnutls_datum_append(x,y,z) MHD_gtls_datum_append_m(x,y,z, MHD_gnutls_realloc)
35
36void MHD_gtls_free_datum_m (MHD_gnutls_datum_t * dat,
37 MHD_gnutls_free_function);
38#define MHD__gnutls_free_datum(x) MHD_gtls_free_datum_m(x, MHD_gnutls_free)
diff --git a/src/daemon/https/tls/gnutls_dh.c b/src/daemon/https/tls/gnutls_dh.c
deleted file mode 100644
index d9dd4344..00000000
--- a/src/daemon/https/tls/gnutls_dh.c
+++ /dev/null
@@ -1,162 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include <gnutls_errors.h>
27
28
29/*
30 --Example--
31 you: X = g ^ x mod p;
32 peer:Y = g ^ y mod p;
33
34 your_key = Y ^ x mod p;
35 his_key = X ^ y mod p;
36
37// generate our secret and the public value (X) for it
38 X = MHD_gtls_calc_dh_secret(&x, g, p);
39// now we can calculate the shared secret
40 key = MHD_gtls_calc_dh_key(Y, x, g, p);
41 MHD_gtls_mpi_release(x);
42 MHD_gtls_mpi_release(g);
43*/
44
45#define MAX_BITS 18000
46
47/* returns the public value (X), and the secret (ret_x).
48 */
49mpi_t
50MHD_gtls_calc_dh_secret (mpi_t * ret_x, mpi_t g, mpi_t prime)
51{
52 mpi_t e, x;
53 int x_size = MHD__gnutls_mpi_get_nbits (prime) - 1;
54 /* The size of the secret key is less than
55 * prime/2
56 */
57
58 if (x_size > MAX_BITS || x_size <= 0)
59 {
60 MHD_gnutls_assert ();
61 return NULL;
62 }
63
64 x = MHD__gnutls_mpi_new (x_size);
65 if (x == NULL)
66 {
67 MHD_gnutls_assert ();
68 if (ret_x)
69 *ret_x = NULL;
70
71 return NULL;
72 }
73
74 /* FIXME: (x_size/8)*8 is there to overcome a bug in libgcrypt
75 * which does not really check the bits given but the bytes.
76 */
77 do
78 {
79 MHD__gnutls_mpi_randomize (x, (x_size / 8) * 8, GCRY_STRONG_RANDOM);
80 /* Check whether x is zero.
81 */
82 }
83 while (MHD__gnutls_mpi_cmp_ui (x, 0) == 0);
84
85 e = MHD__gnutls_mpi_alloc_like (prime);
86 if (e == NULL)
87 {
88 MHD_gnutls_assert ();
89 if (ret_x)
90 *ret_x = NULL;
91
92 MHD_gtls_mpi_release (&x);
93 return NULL;
94 }
95
96 MHD__gnutls_mpi_powm (e, g, x, prime);
97
98 if (ret_x)
99 *ret_x = x;
100 else
101 MHD_gtls_mpi_release (&x);
102 return e;
103}
104
105
106mpi_t
107MHD_gtls_calc_dh_key (mpi_t f, mpi_t x, mpi_t prime)
108{
109 mpi_t k;
110 int bits;
111
112 bits = MHD__gnutls_mpi_get_nbits (prime);
113 if (bits <= 0 || bits > MAX_BITS)
114 {
115 MHD_gnutls_assert ();
116 return NULL;
117 }
118
119 k = MHD__gnutls_mpi_alloc_like (prime);
120 if (k == NULL)
121 return NULL;
122 MHD__gnutls_mpi_powm (k, f, x, prime);
123 return k;
124}
125
126/*-
127 * MHD_gtls_get_dh_params - Returns the DH parameters pointer
128 * @dh_params: is an DH parameters structure, or NULL.
129 * @func: is a callback function to receive the parameters or NULL.
130 * @session: a gnutls session.
131 *
132 * This function will return the dh parameters pointer.
133 *
134 -*/
135MHD_gtls_dh_params_t
136MHD_gtls_get_dh_params (MHD_gtls_dh_params_t dh_params,
137 MHD_gnutls_params_function * func,
138 MHD_gtls_session_t session)
139{
140 MHD_gnutls_params_st params;
141 int ret;
142
143 /* if cached return the cached */
144 if (session->internals.params.dh_params)
145 return session->internals.params.dh_params;
146
147 if (dh_params)
148 {
149 session->internals.params.dh_params = dh_params;
150 }
151 else if (func)
152 {
153 ret = func (session, GNUTLS_PARAMS_DH, &params);
154 if (ret == 0 && params.type == GNUTLS_PARAMS_DH)
155 {
156 session->internals.params.dh_params = params.params.dh;
157 session->internals.params.free_dh_params = params.deinit;
158 }
159 }
160
161 return session->internals.params.dh_params;
162}
diff --git a/src/daemon/https/tls/gnutls_dh.h b/src/daemon/https/tls/gnutls_dh.h
deleted file mode 100644
index 5d7341fc..00000000
--- a/src/daemon/https/tls/gnutls_dh.h
+++ /dev/null
@@ -1,38 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef GNUTLS_DH_H
26# define GNUTLS_DH_H
27
28const mpi_t *MHD_gtls_dh_params_to_mpi (MHD_gtls_dh_params_t);
29mpi_t MHD_gtls_calc_dh_secret (mpi_t * ret_x, mpi_t g, mpi_t prime);
30mpi_t MHD_gtls_calc_dh_key (mpi_t f, mpi_t x, mpi_t prime);
31int MHD_gtls_dh_generate_prime (mpi_t * ret_g, mpi_t * ret_n, unsigned bits);
32
33MHD_gtls_dh_params_t
34MHD_gtls_get_dh_params (MHD_gtls_dh_params_t dh_params,
35 MHD_gnutls_params_function * func,
36 MHD_gtls_session_t session);
37
38#endif
diff --git a/src/daemon/https/tls/gnutls_dh_primes.c b/src/daemon/https/tls/gnutls_dh_primes.c
deleted file mode 100644
index a25759b0..00000000
--- a/src/daemon/https/tls/gnutls_dh_primes.c
+++ /dev/null
@@ -1,214 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include <gnutls_errors.h>
27#include <gnutls_datum.h>
28#include <x509_b64.h> /* for PKCS3 PEM decoding */
29#include <gnutls_global.h>
30#include <gnutls_dh.h>
31#include "debug.h"
32/* x509 */
33#include "mpi.h"
34
35
36/* returns the prime and the generator of DH params.
37 */
38const mpi_t *
39MHD_gtls_dh_params_to_mpi (MHD_gtls_dh_params_t dh_primes)
40{
41 if (dh_primes == NULL || dh_primes->params[1] == NULL
42 || dh_primes->params[0] == NULL)
43 {
44 return NULL;
45 }
46
47 return dh_primes->params;
48}
49
50int
51MHD_gtls_dh_generate_prime (mpi_t * ret_g, mpi_t * ret_n, unsigned int bits)
52{
53 mpi_t g = NULL, prime = NULL;
54 gcry_error_t err;
55 int result, times = 0, qbits;
56 mpi_t *factors = NULL;
57
58 /* Calculate the size of a prime factor of (prime-1)/2.
59 * This is an emulation of the values in "Selecting Cryptographic Key Sizes" paper.
60 */
61 if (bits < 256)
62 qbits = bits / 2;
63 else
64 {
65 qbits = (bits / 40) + 105;
66 }
67
68 if (qbits & 1) /* better have an even number */
69 qbits++;
70
71 /* find a prime number of size bits.
72 */
73 do
74 {
75
76 if (times)
77 {
78 MHD_gtls_mpi_release (&prime);
79 gcry_prime_release_factors (factors);
80 }
81
82 err = gcry_prime_generate (&prime, bits, qbits, &factors, NULL, NULL,
83 GCRY_STRONG_RANDOM,
84 GCRY_PRIME_FLAG_SPECIAL_FACTOR);
85
86 if (err != 0)
87 {
88 MHD_gnutls_assert ();
89 result = GNUTLS_E_INTERNAL_ERROR;
90 goto cleanup;
91 }
92
93 err = gcry_prime_check (prime, 0);
94
95 times++;
96 }
97 while (err != 0 && times < 10);
98
99 if (err != 0)
100 {
101 MHD_gnutls_assert ();
102 result = GNUTLS_E_INTERNAL_ERROR;
103 goto cleanup;
104 }
105
106 /* generate the group generator.
107 */
108 err = gcry_prime_group_generator (&g, prime, factors, NULL);
109 if (err != 0)
110 {
111 MHD_gnutls_assert ();
112 result = GNUTLS_E_INTERNAL_ERROR;
113 goto cleanup;
114 }
115
116 gcry_prime_release_factors (factors);
117 factors = NULL;
118
119 if (ret_g)
120 *ret_g = g;
121 else
122 MHD_gtls_mpi_release (&g);
123 if (ret_n)
124 *ret_n = prime;
125 else
126 MHD_gtls_mpi_release (&prime);
127
128 return 0;
129
130cleanup:gcry_prime_release_factors (factors);
131 MHD_gtls_mpi_release (&g);
132 MHD_gtls_mpi_release (&prime);
133
134 return result;
135
136}
137
138/* Replaces the prime in the static DH parameters, with a randomly
139 * generated one.
140 */
141/**
142 * MHD__gnutls_dh_params_init - This function will initialize the DH parameters
143 * @dh_params: Is a structure that will hold the prime numbers
144 *
145 * This function will initialize the DH parameters structure.
146 *
147 **/
148int
149MHD__gnutls_dh_params_init (MHD_gtls_dh_params_t * dh_params)
150{
151
152 (*dh_params) = MHD_gnutls_calloc (1, sizeof (MHD_gtls_dh_params_st));
153 if (*dh_params == NULL)
154 {
155 MHD_gnutls_assert ();
156 return GNUTLS_E_MEMORY_ERROR;
157 }
158
159 return 0;
160
161}
162
163/**
164 * MHD__gnutls_dh_params_deinit - This function will deinitialize the DH parameters
165 * @dh_params: Is a structure that holds the prime numbers
166 *
167 * This function will deinitialize the DH parameters structure.
168 *
169 **/
170void
171MHD__gnutls_dh_params_deinit (MHD_gtls_dh_params_t dh_params)
172{
173 if (dh_params == NULL)
174 return;
175
176 MHD_gtls_mpi_release (&dh_params->params[0]);
177 MHD_gtls_mpi_release (&dh_params->params[1]);
178
179 MHD_gnutls_free (dh_params);
180
181}
182
183/**
184 * MHD__gnutls_dh_params_generate2 - This function will generate new DH parameters
185 * @params: Is the structure that the DH parameters will be stored
186 * @bits: is the prime's number of bits
187 *
188 * This function will generate a new pair of prime and generator for use in
189 * the Diffie-Hellman key exchange. The new parameters will be allocated using
190 * MHD_gnutls_malloc() and will be stored in the appropriate datum.
191 * This function is normally slow.
192 *
193 * Note that the bits value should be one of 768, 1024, 2048, 3072 or 4096.
194 * Also note that the DH parameters are only useful to servers.
195 * Since clients use the parameters sent by the server, it's of
196 * no use to call this in client side.
197 *
198 **/
199int
200MHD__gnutls_dh_params_generate2 (MHD_gtls_dh_params_t params,
201 unsigned int bits)
202{
203 int ret;
204
205 ret =
206 MHD_gtls_dh_generate_prime (&params->params[1], &params->params[0], bits);
207 if (ret < 0)
208 {
209 MHD_gnutls_assert ();
210 return ret;
211 }
212
213 return 0;
214}
diff --git a/src/daemon/https/tls/gnutls_errors.c b/src/daemon/https/tls/gnutls_errors.c
deleted file mode 100644
index 48b8a562..00000000
--- a/src/daemon/https/tls/gnutls_errors.c
+++ /dev/null
@@ -1,404 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include "gnutls_errors.h"
27#include <libtasn1.h>
28#ifdef STDC_HEADERS
29# include <stdarg.h>
30#endif
31
32/* I18n of error codes. */
33#define _(String) (String)
34#define N_(String) (String)
35
36extern LOG_FUNC MHD__gnutls_log_func;
37
38#define ERROR_ENTRY(desc, name, fatal) \
39 { desc, #name, name, fatal}
40
41struct MHD_gnutls_error_entry
42{
43 const char *desc;
44 const char *_name;
45 int number;
46 int fatal;
47};
48typedef struct MHD_gnutls_error_entry MHD_gnutls_error_entry;
49
50static const MHD_gnutls_error_entry MHD_gtls_error_algorithms[] = {
51 /* "Short Description", Error code define, critical (0,1) -- 1 in most cases */
52 ERROR_ENTRY (N_("Success."), GNUTLS_E_SUCCESS, 0),
53 ERROR_ENTRY (N_("Could not negotiate a supported cipher suite."),
54 GNUTLS_E_UNKNOWN_CIPHER_SUITE, 1),
55 ERROR_ENTRY (N_("The cipher type is unsupported."),
56 GNUTLS_E_UNKNOWN_CIPHER_TYPE, 1),
57 ERROR_ENTRY (N_("The certificate and the given key do not match."),
58 GNUTLS_E_CERTIFICATE_KEY_MISMATCH, 1),
59 ERROR_ENTRY (N_("Could not negotiate a supported compression method."),
60 GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM, 1),
61 ERROR_ENTRY (N_("An unknown public key algorithm was encountered."),
62 GNUTLS_E_UNKNOWN_PK_ALGORITHM, 1),
63
64 ERROR_ENTRY (N_("An algorithm that is not enabled was negotiated."),
65 GNUTLS_E_UNWANTED_ALGORITHM, 1),
66 ERROR_ENTRY (N_("A large TLS record packet was received."),
67 GNUTLS_E_LARGE_PACKET, 1),
68 ERROR_ENTRY (N_("A record packet with illegal version was received."),
69 GNUTLS_E_UNSUPPORTED_VERSION_PACKET, 1),
70 ERROR_ENTRY (N_
71 ("The Diffie Hellman prime sent by the server is not acceptable (not long enough)."),
72 GNUTLS_E_DH_PRIME_UNACCEPTABLE, 1),
73 ERROR_ENTRY (N_("A TLS packet with unexpected length was received."),
74 GNUTLS_E_UNEXPECTED_PACKET_LENGTH, 1),
75 ERROR_ENTRY (N_
76 ("The specified session has been invalidated for some reason."),
77 GNUTLS_E_INVALID_SESSION, 1),
78
79 ERROR_ENTRY (N_("GnuTLS internal error."), GNUTLS_E_INTERNAL_ERROR, 1),
80 ERROR_ENTRY (N_("An illegal TLS extension was received."),
81 GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION, 1),
82 ERROR_ENTRY (N_("A TLS fatal alert has been received."),
83 GNUTLS_E_FATAL_ALERT_RECEIVED, 1),
84 ERROR_ENTRY (N_("An unexpected TLS packet was received."),
85 GNUTLS_E_UNEXPECTED_PACKET, 1),
86 ERROR_ENTRY (N_("A TLS warning alert has been received."),
87 GNUTLS_E_WARNING_ALERT_RECEIVED, 0),
88 ERROR_ENTRY (N_
89 ("An error was encountered at the TLS Finished packet calculation."),
90 GNUTLS_E_ERROR_IN_FINISHED_PACKET, 1),
91 ERROR_ENTRY (N_("The peer did not send any certificate."),
92 GNUTLS_E_NO_CERTIFICATE_FOUND, 1),
93
94 ERROR_ENTRY (N_("No temporary RSA parameters were found."),
95 GNUTLS_E_NO_TEMPORARY_RSA_PARAMS, 1),
96 ERROR_ENTRY (N_("No temporary DH parameters were found."),
97 GNUTLS_E_NO_TEMPORARY_DH_PARAMS, 1),
98 ERROR_ENTRY (N_("An unexpected TLS handshake packet was received."),
99 GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET, 1),
100 ERROR_ENTRY (N_("The scanning of a large integer has failed."),
101 GNUTLS_E_MPI_SCAN_FAILED, 1),
102 ERROR_ENTRY (N_("Could not export a large integer."),
103 GNUTLS_E_MPI_PRINT_FAILED, 1),
104 ERROR_ENTRY (N_("Decryption has failed."), GNUTLS_E_DECRYPTION_FAILED, 1),
105 ERROR_ENTRY (N_("Encryption has failed."), GNUTLS_E_ENCRYPTION_FAILED, 1),
106 ERROR_ENTRY (N_("Public key decryption has failed."),
107 GNUTLS_E_PK_DECRYPTION_FAILED, 1),
108 ERROR_ENTRY (N_("Public key encryption has failed."),
109 GNUTLS_E_PK_ENCRYPTION_FAILED, 1),
110 ERROR_ENTRY (N_("Public key signing has failed."), GNUTLS_E_PK_SIGN_FAILED,
111 1),
112 ERROR_ENTRY (N_("Public key signature verification has failed."),
113 GNUTLS_E_PK_SIG_VERIFY_FAILED, 1),
114 ERROR_ENTRY (N_("Decompression of the TLS record packet has failed."),
115 GNUTLS_E_DECOMPRESSION_FAILED, 1),
116 ERROR_ENTRY (N_("Compression of the TLS record packet has failed."),
117 GNUTLS_E_COMPRESSION_FAILED, 1),
118
119 ERROR_ENTRY (N_("Internal error in memory allocation."),
120 GNUTLS_E_MEMORY_ERROR, 1),
121 ERROR_ENTRY (N_("An unimplemented or disabled feature has been requested."),
122 GNUTLS_E_UNIMPLEMENTED_FEATURE, 1),
123 ERROR_ENTRY (N_("Insufficient credentials for that request."),
124 GNUTLS_E_INSUFFICIENT_CREDENTIALS, 1),
125 ERROR_ENTRY (N_("Error in password file."), GNUTLS_E_SRP_PWD_ERROR, 1),
126 ERROR_ENTRY (N_("Wrong padding in PKCS1 packet."), GNUTLS_E_PKCS1_WRONG_PAD,
127 1),
128 ERROR_ENTRY (N_("The requested session has expired."), GNUTLS_E_EXPIRED, 1),
129 ERROR_ENTRY (N_("Hashing has failed."), GNUTLS_E_HASH_FAILED, 1),
130 ERROR_ENTRY (N_("Base64 decoding error."), GNUTLS_E_BASE64_DECODING_ERROR,
131 1),
132 ERROR_ENTRY (N_("Base64 unexpected header error."),
133 GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR,
134 1),
135 ERROR_ENTRY (N_("Base64 encoding error."), GNUTLS_E_BASE64_ENCODING_ERROR,
136 1),
137 ERROR_ENTRY (N_("Parsing error in password file."),
138 GNUTLS_E_SRP_PWD_PARSING_ERROR, 1),
139 ERROR_ENTRY (N_("The requested data were not available."),
140 GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, 0),
141 ERROR_ENTRY (N_("Error in the pull function."), GNUTLS_E_PULL_ERROR, 1),
142 ERROR_ENTRY (N_("Error in the push function."), GNUTLS_E_PUSH_ERROR, 1),
143 ERROR_ENTRY (N_
144 ("The upper limit of record packet sequence numbers has been reached. Wow!"),
145 GNUTLS_E_RECORD_LIMIT_REACHED, 1),
146 ERROR_ENTRY (N_("Error in the certificate."), GNUTLS_E_CERTIFICATE_ERROR,
147 1),
148 ERROR_ENTRY (N_("Unknown Subject Alternative name in X.509 certificate."),
149 GNUTLS_E_X509_UNKNOWN_SAN, 1),
150
151 ERROR_ENTRY (N_("Unsupported critical extension in X.509 certificate."),
152 GNUTLS_E_X509_UNSUPPORTED_CRITICAL_EXTENSION, 1),
153 ERROR_ENTRY (N_("Key usage violation in certificate has been detected."),
154 GNUTLS_E_KEY_USAGE_VIOLATION, 1),
155 ERROR_ENTRY (N_("Function was interrupted."), GNUTLS_E_AGAIN, 0),
156 ERROR_ENTRY (N_("Function was interrupted."), GNUTLS_E_INTERRUPTED, 0),
157 ERROR_ENTRY (N_("Rehandshake was requested by the peer."),
158 GNUTLS_E_REHANDSHAKE, 0),
159 ERROR_ENTRY (N_
160 ("TLS Application data were received, while expecting handshake data."),
161 GNUTLS_E_GOT_APPLICATION_DATA, 1),
162 ERROR_ENTRY (N_("Error in Database backend."), GNUTLS_E_DB_ERROR, 1),
163 ERROR_ENTRY (N_("The certificate type is not supported."),
164 GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE, 1),
165 ERROR_ENTRY (N_("The given memory buffer is too short to hold parameters."),
166 GNUTLS_E_SHORT_MEMORY_BUFFER, 1),
167 ERROR_ENTRY (N_("The request is invalid."), GNUTLS_E_INVALID_REQUEST, 1),
168 ERROR_ENTRY (N_("An illegal parameter has been received."),
169 GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1),
170 ERROR_ENTRY (N_("Error while reading file."), GNUTLS_E_FILE_ERROR, 1),
171
172 ERROR_ENTRY (N_("ASN1 parser: Element was not found."),
173 GNUTLS_E_ASN1_ELEMENT_NOT_FOUND, 1),
174 ERROR_ENTRY (N_("ASN1 parser: Identifier was not found"),
175 GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND, 1),
176 ERROR_ENTRY (N_("ASN1 parser: Error in DER parsing."),
177 GNUTLS_E_ASN1_DER_ERROR, 1),
178 ERROR_ENTRY (N_("ASN1 parser: Value was not found."),
179 GNUTLS_E_ASN1_VALUE_NOT_FOUND, 1),
180 ERROR_ENTRY (N_("ASN1 parser: Generic parsing error."),
181 GNUTLS_E_ASN1_GENERIC_ERROR, 1),
182 ERROR_ENTRY (N_("ASN1 parser: Value is not valid."),
183 GNUTLS_E_ASN1_VALUE_NOT_VALID, 1),
184 ERROR_ENTRY (N_("ASN1 parser: Error in TAG."), GNUTLS_E_ASN1_TAG_ERROR, 1),
185 ERROR_ENTRY (N_("ASN1 parser: error in implicit tag"),
186 GNUTLS_E_ASN1_TAG_IMPLICIT, 1),
187 ERROR_ENTRY (N_("ASN1 parser: Error in type 'ANY'."),
188 GNUTLS_E_ASN1_TYPE_ANY_ERROR, 1),
189 ERROR_ENTRY (N_("ASN1 parser: Syntax error."), GNUTLS_E_ASN1_SYNTAX_ERROR,
190 1),
191 ERROR_ENTRY (N_("ASN1 parser: Overflow in DER parsing."),
192 GNUTLS_E_ASN1_DER_OVERFLOW, 1),
193
194 ERROR_ENTRY (N_("Too many empty record packets have been received."),
195 GNUTLS_E_TOO_MANY_EMPTY_PACKETS, 1),
196 ERROR_ENTRY (N_("The initialization of GnuTLS-extra has failed."),
197 GNUTLS_E_INIT_LIBEXTRA, 1),
198 ERROR_ENTRY (N_
199 ("The GnuTLS library version does not match the GnuTLS-extra library version."),
200 GNUTLS_E_LIBRARY_VERSION_MISMATCH, 1),
201 ERROR_ENTRY (N_("The gcrypt library version is too old."),
202 GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY, 1),
203
204 ERROR_ENTRY (N_("The tasn1 library version is too old."),
205 GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY, 1),
206
207 ERROR_ENTRY (N_("The initialization of LZO has failed."),
208 GNUTLS_E_LZO_INIT_FAILED, 1),
209 ERROR_ENTRY (N_("No supported compression algorithms have been found."),
210 GNUTLS_E_NO_COMPRESSION_ALGORITHMS, 1),
211 ERROR_ENTRY (N_("No supported cipher suites have been found."),
212 GNUTLS_E_NO_CIPHER_SUITES, 1),
213 ERROR_ENTRY (N_("The SRP username supplied is illegal."),
214 GNUTLS_E_ILLEGAL_SRP_USERNAME, 1),
215
216 ERROR_ENTRY (N_("The certificate has unsupported attributes."),
217 GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE, 1),
218 ERROR_ENTRY (N_("The OID is not supported."), GNUTLS_E_X509_UNSUPPORTED_OID,
219 1),
220 ERROR_ENTRY (N_("The hash algorithm is unknown."),
221 GNUTLS_E_UNKNOWN_HASH_ALGORITHM, 1),
222 ERROR_ENTRY (N_("The PKCS structure's content type is unknown."),
223 GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE, 1),
224 ERROR_ENTRY (N_("The PKCS structure's bag type is unknown."),
225 GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE, 1),
226 ERROR_ENTRY (N_("The given password contains invalid characters."),
227 GNUTLS_E_INVALID_PASSWORD, 1),
228 ERROR_ENTRY (N_("The Message Authentication Code verification failed."),
229 GNUTLS_E_MAC_VERIFY_FAILED, 1),
230 ERROR_ENTRY (N_("Some constraint limits were reached."),
231 GNUTLS_E_CONSTRAINT_ERROR, 1),
232 ERROR_ENTRY (N_("Failed to acquire random data."), GNUTLS_E_RANDOM_FAILED,
233 1),
234
235 ERROR_ENTRY (N_("Received a TLS/IA Intermediate Phase Finished message"),
236 GNUTLS_E_WARNING_IA_IPHF_RECEIVED, 0),
237 ERROR_ENTRY (N_("Received a TLS/IA Final Phase Finished message"),
238 GNUTLS_E_WARNING_IA_FPHF_RECEIVED, 0),
239 ERROR_ENTRY (N_("Verifying TLS/IA phase checksum failed"),
240 GNUTLS_E_IA_VERIFY_FAILED, 1),
241
242 ERROR_ENTRY (N_("The specified algorithm or protocol is unknown."),
243 GNUTLS_E_UNKNOWN_ALGORITHM, 1),
244
245 {NULL, NULL, 0, 0}
246};
247
248#define GNUTLS_ERROR_LOOP(b) \
249 const MHD_gnutls_error_entry *p; \
250 for(p = MHD_gtls_error_algorithms; p->desc != NULL; p++) { b ; }
251
252#define GNUTLS_ERROR_ALG_LOOP(a) \
253 GNUTLS_ERROR_LOOP( if(p->number == error) { a; break; } )
254
255
256
257/**
258 * MHD_gtls_error_is_fatal - Returns non-zero in case of a fatal error
259 * @error: is an error returned by a gnutls function. Error should be a negative value.
260 *
261 * If a function returns a negative value you may feed that value
262 * to this function to see if it is fatal. Returns 1 for a fatal
263 * error 0 otherwise. However you may want to check the
264 * error code manually, since some non-fatal errors to the protocol
265 * may be fatal for you (your program).
266 *
267 * This is only useful if you are dealing with errors from the
268 * record layer or the handshake layer.
269 *
270 * For positive @error values, 0 is returned.
271 *
272 **/
273int
274MHD_gtls_error_is_fatal (int error)
275{
276 int ret = 1;
277
278 /* Input sanitzation. Positive values are not errors at all, and
279 definitely not fatal. */
280 if (error > 0)
281 return 0;
282
283 GNUTLS_ERROR_ALG_LOOP (ret = p->fatal);
284
285 return ret;
286}
287
288/**
289 * MHD_gtls_perror - prints a string to stderr with a description of an error
290 * @error: is an error returned by a gnutls function. Error is always a negative value.
291 *
292 * This function is like perror(). The only difference is that it accepts an
293 * error number returned by a gnutls function.
294 **/
295void
296MHD_gtls_perror (int error)
297{
298 const char *ret = NULL;
299
300 /* avoid prefix */
301 GNUTLS_ERROR_ALG_LOOP (ret = p->desc);
302 if (ret == NULL)
303 ret = "(unknown)";
304 fprintf (stderr, "GNUTLS ERROR: %s\n", _(ret));
305}
306
307
308/**
309 * MHD_gtls_strerror - Returns a string with a description of an error
310 * @error: is an error returned by a gnutls function. Error is always a negative value.
311 *
312 * This function is similar to strerror(). Differences: it accepts an error
313 * number returned by a gnutls function; In case of an unknown error
314 * a descriptive string is sent instead of NULL.
315 **/
316const char *
317MHD_gtls_strerror (int error)
318{
319 const char *ret = NULL;
320
321 /* avoid prefix */
322 GNUTLS_ERROR_ALG_LOOP (ret = p->desc);
323 if (ret == NULL)
324 return "(unknown error code)";
325 return _(ret);
326}
327
328/* This will print the actual define of the
329 * given error code.
330 */
331const char *
332MHD__gnutls_strerror (int error)
333{
334 const char *ret = NULL;
335
336 /* avoid prefix */
337 GNUTLS_ERROR_ALG_LOOP (ret = p->_name);
338
339 return _(ret);
340}
341
342int
343MHD_gtls_asn2err (int asn_err)
344{
345 switch (asn_err)
346 {
347 case ASN1_FILE_NOT_FOUND:
348 return GNUTLS_E_FILE_ERROR;
349 case ASN1_ELEMENT_NOT_FOUND:
350 return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND;
351 case ASN1_IDENTIFIER_NOT_FOUND:
352 return GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND;
353 case ASN1_DER_ERROR:
354 return GNUTLS_E_ASN1_DER_ERROR;
355 case ASN1_VALUE_NOT_FOUND:
356 return GNUTLS_E_ASN1_VALUE_NOT_FOUND;
357 case ASN1_GENERIC_ERROR:
358 return GNUTLS_E_ASN1_GENERIC_ERROR;
359 case ASN1_VALUE_NOT_VALID:
360 return GNUTLS_E_ASN1_VALUE_NOT_VALID;
361 case ASN1_TAG_ERROR:
362 return GNUTLS_E_ASN1_TAG_ERROR;
363 case ASN1_TAG_IMPLICIT:
364 return GNUTLS_E_ASN1_TAG_IMPLICIT;
365 case ASN1_ERROR_TYPE_ANY:
366 return GNUTLS_E_ASN1_TYPE_ANY_ERROR;
367 case ASN1_SYNTAX_ERROR:
368 return GNUTLS_E_ASN1_SYNTAX_ERROR;
369 case ASN1_MEM_ERROR:
370 return GNUTLS_E_SHORT_MEMORY_BUFFER;
371 case ASN1_MEM_ALLOC_ERROR:
372 return GNUTLS_E_MEMORY_ERROR;
373 case ASN1_DER_OVERFLOW:
374 return GNUTLS_E_ASN1_DER_OVERFLOW;
375 default:
376 return GNUTLS_E_ASN1_GENERIC_ERROR;
377 }
378}
379
380
381/* this function will output a message using the
382 * caller provided function
383 */
384void
385MHD_gtls_log (int level, const char *fmt, ...)
386{
387 va_list args;
388 char str[MAX_LOG_SIZE];
389 void (*log_func) (int, const char *) = MHD__gnutls_log_func;
390
391 if (MHD__gnutls_log_func == NULL)
392 return;
393
394 va_start (args, fmt);
395 vsnprintf (str, MAX_LOG_SIZE - 1, fmt, args); /* Flawfinder: ignore */
396 va_end (args);
397
398 log_func (level, str);
399}
400
401void
402MHD__gnutls_null_log (void *n, ...)
403{
404}
diff --git a/src/daemon/https/tls/gnutls_errors.h b/src/daemon/https/tls/gnutls_errors.h
deleted file mode 100644
index ecde580b..00000000
--- a/src/daemon/https/tls/gnutls_errors.h
+++ /dev/null
@@ -1,71 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <defines.h>
26
27#define GNUTLS_E_INT_RET_0 -1251
28
29#ifdef __FILE__
30# ifdef __LINE__
31# define MHD_gnutls_assert() MHD__gnutls_debug_log( "ASSERT: %s:%d\n", __FILE__,__LINE__);
32# else
33# define MHD_gnutls_assert()
34# endif
35#else /* __FILE__ not defined */
36# define MHD_gnutls_assert()
37#endif
38
39int MHD_gtls_asn2err (int asn_err);
40void MHD_gtls_log (int, const char *fmt, ...);
41
42extern int MHD__gnutls_log_level;
43
44#ifdef C99_MACROS
45#define LEVEL(l, ...) if (MHD__gnutls_log_level >= l || MHD__gnutls_log_level > 9) \
46 MHD_gtls_log( l, __VA_ARGS__)
47
48#define LEVEL_EQ(l, ...) if (MHD__gnutls_log_level == l || MHD__gnutls_log_level > 9) \
49 MHD_gtls_log( l, __VA_ARGS__)
50
51# define MHD__gnutls_debug_log(...) LEVEL(2, __VA_ARGS__)
52# define MHD__gnutls_handshake_log(...) LEVEL(3, __VA_ARGS__)
53# define MHD__gnutls_buffers_log(...) LEVEL_EQ(6, __VA_ARGS__)
54# define MHD__gnutls_hard_log(...) LEVEL(9, __VA_ARGS__)
55# define MHD__gnutls_record_log(...) LEVEL(4, __VA_ARGS__)
56# define MHD__gnutls_read_log(...) LEVEL_EQ(7, __VA_ARGS__)
57# define MHD__gnutls_write_log(...) LEVEL_EQ(7, __VA_ARGS__)
58# define MHD__gnutls_x509_log(...) LEVEL(1, __VA_ARGS__)
59#else
60# define MHD__gnutls_debug_log MHD__gnutls_null_log
61# define MHD__gnutls_handshake_log MHD__gnutls_null_log
62# define MHD__gnutls_buffers_log MHD__gnutls_null_log
63# define MHD__gnutls_hard_log MHD__gnutls_null_log
64# define MHD__gnutls_record_log MHD__gnutls_null_log
65# define MHD__gnutls_read_log MHD__gnutls_null_log
66# define MHD__gnutls_write_log MHD__gnutls_null_log
67# define MHD__gnutls_x509_log MHD__gnutls_null_log
68
69void MHD__gnutls_null_log (void *, ...);
70
71#endif /* C99_MACROS */
diff --git a/src/daemon/https/tls/gnutls_extensions.c b/src/daemon/https/tls/gnutls_extensions.c
deleted file mode 100644
index 8ee96c65..00000000
--- a/src/daemon/https/tls/gnutls_extensions.c
+++ /dev/null
@@ -1,301 +0,0 @@
1/*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* Functions that relate to the TLS hello extension parsing.
26 * Hello extensions are packets appended in the TLS hello packet, and
27 * allow for extra functionality.
28 */
29
30#include "MHD_config.h"
31#include "gnutls_int.h"
32#include "gnutls_extensions.h"
33#include "gnutls_errors.h"
34#include "ext_max_record.h"
35#include <ext_cert_type.h>
36#include <ext_server_name.h>
37#include <gnutls_num.h>
38
39/* Key Exchange Section */
40#define GNUTLS_EXTENSION_ENTRY(type, parse_type, ext_func_recv, ext_func_send) \
41 { #type, type, parse_type, ext_func_recv, ext_func_send }
42
43
44#define MAX_EXT_SIZE 10
45const int MHD_gtls_extensions_size = MAX_EXT_SIZE;
46
47MHD_gtls_extension_entry MHD_gtls_extensions[MAX_EXT_SIZE] = {
48 GNUTLS_EXTENSION_ENTRY (GNUTLS_EXTENSION_MAX_RECORD_SIZE,
49 EXTENSION_TLS,
50 MHD_gtls_max_record_recv_params,
51 MHD_gtls_max_record_send_params),
52 GNUTLS_EXTENSION_ENTRY (GNUTLS_EXTENSION_CERT_TYPE,
53 EXTENSION_TLS,
54 MHD_gtls_cert_type_recv_params,
55 MHD_gtls_cert_type_send_params),
56 GNUTLS_EXTENSION_ENTRY (GNUTLS_EXTENSION_SERVER_NAME,
57 EXTENSION_APPLICATION,
58 MHD_gtls_server_name_recv_params,
59 MHD_gtls_server_name_send_params),
60 {0, 0, 0, 0}
61};
62
63#define GNUTLS_EXTENSION_LOOP2(b) \
64 MHD_gtls_extension_entry *p; \
65 for(p = MHD_gtls_extensions; p->name != NULL; p++) { b ; }
66
67#define GNUTLS_EXTENSION_LOOP(a) \
68 GNUTLS_EXTENSION_LOOP2( if(p->type == type) { a; break; } )
69
70
71/* EXTENSION functions */
72
73MHD_gtls_ext_recv_func
74MHD_gtls_ext_func_recv (uint16_t type, MHD_gtls_ext_parse_type_t parse_type)
75{
76 MHD_gtls_ext_recv_func ret = NULL;
77 GNUTLS_EXTENSION_LOOP (if
78 (parse_type == EXTENSION_ANY
79 || p->parse_type == parse_type) ret =
80 p->MHD_gnutls_ext_func_recv);
81 return ret;
82
83}
84
85MHD_gtls_ext_send_func
86MHD_gtls_ext_func_send (uint16_t type)
87{
88 MHD_gtls_ext_send_func ret = NULL;
89 GNUTLS_EXTENSION_LOOP (ret = p->MHD_gnutls_ext_func_send);
90 return ret;
91
92}
93
94const char *
95MHD_gtls_extension_get_name (uint16_t type)
96{
97 const char *ret = NULL;
98
99 /* avoid prefix */
100 GNUTLS_EXTENSION_LOOP (ret = p->name + sizeof ("GNUTLS_EXTENSION_") - 1);
101
102 return ret;
103}
104
105/* Checks if the extension we just received is one of the
106 * requested ones. Otherwise it's a fatal error.
107 */
108static int
109MHD__gnutls_extension_list_check (MHD_gtls_session_t session, uint16_t type)
110{
111#if MHD_DEBUG_TLS
112 if (session->security_parameters.entity == GNUTLS_CLIENT)
113 {
114 int i;
115 for (i = 0; i < session->internals.extensions_sent_size; i++)
116 {
117 if (type == session->internals.extensions_sent[i])
118 return 0; /* ok found */
119 }
120 return GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION;
121 }
122#endif
123 return 0;
124}
125
126int
127MHD_gtls_parse_extensions (MHD_gtls_session_t session,
128 MHD_gtls_ext_parse_type_t parse_type,
129 const opaque * data, int data_size)
130{
131 int next, ret;
132 int pos = 0;
133 uint16_t type;
134 const opaque *sdata;
135 MHD_gtls_ext_recv_func ext_recv;
136 uint16_t size;
137
138#if MHD_DEBUG_TLS
139 int i;
140 if (session->security_parameters.entity == GNUTLS_CLIENT)
141 for (i = 0; i < session->internals.extensions_sent_size; i++)
142 {
143 MHD__gnutls_debug_log ("EXT[%d]: expecting extension '%s'\n",
144 session,
145 MHD_gtls_extension_get_name
146 (session->internals.extensions_sent[i]));
147 }
148#endif
149
150 DECR_LENGTH_RET (data_size, 2, 0);
151 next = MHD_gtls_read_uint16 (data);
152 pos += 2;
153
154 DECR_LENGTH_RET (data_size, next, 0);
155
156 do
157 {
158 DECR_LENGTH_RET (next, 2, 0);
159 type = MHD_gtls_read_uint16 (&data[pos]);
160 pos += 2;
161
162 MHD__gnutls_debug_log ("EXT[%x]: Received extension '%s/%d'\n", session,
163 MHD_gtls_extension_get_name (type), type);
164
165 if ((ret = MHD__gnutls_extension_list_check (session, type)) < 0)
166 {
167 MHD_gnutls_assert ();
168 return ret;
169 }
170
171 DECR_LENGTH_RET (next, 2, 0);
172 size = MHD_gtls_read_uint16 (&data[pos]);
173 pos += 2;
174
175 DECR_LENGTH_RET (next, size, 0);
176 sdata = &data[pos];
177 pos += size;
178
179 ext_recv = MHD_gtls_ext_func_recv (type, parse_type);
180 if (ext_recv == NULL)
181 continue;
182 if ((ret = ext_recv (session, sdata, size)) < 0)
183 {
184 MHD_gnutls_assert ();
185 return ret;
186 }
187
188 }
189 while (next > 2);
190
191 return 0;
192
193}
194
195/* Adds the extension we want to send in the extensions list.
196 * This list is used to check whether the (later) received
197 * extensions are the ones we requested.
198 */
199static void
200MHD__gnutls_extension_list_add (MHD_gtls_session_t session, uint16_t type)
201{
202#if MHD_DEBUG_TLS
203 if (session->security_parameters.entity == GNUTLS_CLIENT)
204 {
205 if (session->internals.extensions_sent_size < MAX_EXT_TYPES)
206 {
207 session->internals.extensions_sent[session->internals.
208 extensions_sent_size] = type;
209 session->internals.extensions_sent_size++;
210 }
211 else
212 {
213 MHD__gnutls_debug_log ("extensions: Increase MAX_EXT_TYPES\n");
214 }
215 }
216#endif
217}
218
219int
220MHD_gtls_gen_extensions (MHD_gtls_session_t session, opaque * data,
221 size_t data_size)
222{
223 int size;
224 uint16_t pos = 0;
225 opaque *sdata;
226 int sdata_size;
227 MHD_gtls_ext_send_func ext_send;
228 MHD_gtls_extension_entry *p;
229
230 if (data_size < 2)
231 {
232 MHD_gnutls_assert ();
233 return GNUTLS_E_INTERNAL_ERROR;
234 }
235
236 /* allocate enough data for each extension.
237 */
238 sdata_size = data_size;
239 sdata = MHD_gnutls_malloc (sdata_size);
240 if (sdata == NULL)
241 {
242 MHD_gnutls_assert ();
243 return GNUTLS_E_MEMORY_ERROR;
244 }
245
246 pos += 2;
247 for (p = MHD_gtls_extensions; p->name != NULL; p++)
248 {
249 ext_send = MHD_gtls_ext_func_send (p->type);
250 if (ext_send == NULL)
251 continue;
252 size = ext_send (session, sdata, sdata_size);
253 if (size > 0)
254 {
255 if (data_size < pos + (size_t) size + 4)
256 {
257 MHD_gnutls_assert ();
258 MHD_gnutls_free (sdata);
259 return GNUTLS_E_INTERNAL_ERROR;
260 }
261
262 /* write extension type */
263 MHD_gtls_write_uint16 (p->type, &data[pos]);
264 pos += 2;
265
266 /* write size */
267 MHD_gtls_write_uint16 (size, &data[pos]);
268 pos += 2;
269
270 memcpy (&data[pos], sdata, size);
271 pos += size;
272
273 /* add this extension to the extension list
274 */
275 MHD__gnutls_extension_list_add (session, p->type);
276
277 MHD__gnutls_debug_log ("EXT[%x]: Sending extension %s\n", session,
278 MHD_gtls_extension_get_name (p->type));
279 }
280 else if (size < 0)
281 {
282 MHD_gnutls_assert ();
283 MHD_gnutls_free (sdata);
284 return size;
285 }
286 }
287
288 size = pos;
289 pos -= 2; /* remove the size of the size header! */
290
291 MHD_gtls_write_uint16 (pos, data);
292
293 if (size == 2)
294 { /* empty */
295 size = 0;
296 }
297
298 MHD_gnutls_free (sdata);
299 return size;
300
301}
diff --git a/src/daemon/https/tls/gnutls_extensions.h b/src/daemon/https/tls/gnutls_extensions.h
deleted file mode 100644
index 9623b39b..00000000
--- a/src/daemon/https/tls/gnutls_extensions.h
+++ /dev/null
@@ -1,47 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26
27const char *MHD_gtls_extension_get_name (uint16_t type);
28int MHD_gtls_parse_extensions (MHD_gtls_session_t, MHD_gtls_ext_parse_type_t,
29 const opaque *, int);
30int MHD_gtls_gen_extensions (MHD_gtls_session_t session, opaque * data,
31 size_t data_size);
32
33typedef int (*MHD_gtls_ext_recv_func) (MHD_gtls_session_t, const opaque *, size_t); /* recv data */
34typedef int (*MHD_gtls_ext_send_func) (MHD_gtls_session_t, opaque *, size_t); /* send data */
35
36MHD_gtls_ext_send_func MHD_gtls_ext_func_send (uint16_t type);
37MHD_gtls_ext_recv_func MHD_gtls_ext_func_recv (uint16_t type,
38 MHD_gtls_ext_parse_type_t);
39
40typedef struct
41{
42 const char *name;
43 uint16_t type;
44 MHD_gtls_ext_parse_type_t parse_type;
45 MHD_gtls_ext_recv_func MHD_gnutls_ext_func_recv;
46 MHD_gtls_ext_send_func MHD_gnutls_ext_func_send;
47} MHD_gtls_extension_entry;
diff --git a/src/daemon/https/tls/gnutls_global.c b/src/daemon/https/tls/gnutls_global.c
deleted file mode 100644
index 818a92a1..00000000
--- a/src/daemon/https/tls/gnutls_global.c
+++ /dev/null
@@ -1,298 +0,0 @@
1/*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include <gnutls_errors.h>
27#include <libtasn1.h>
28#include <gnutls_dh.h>
29
30/* this is used in order to make the multi-threaded initialization call to libgcrypt */
31#include <pthread.h>
32#include <gcrypt.h>
33
34/* used to set the MHD_tls logging function */
35#include "internal.h"
36
37/* TODO fix : needed by GCRY_THREAD_OPTION_PTHREAD_IMPL but missing otherwise */
38#define ENOMEM 12 /* Out of memory */
39
40#ifdef HAVE_WINSOCK
41# include <winsock2.h>
42#endif
43
44
45GCRY_THREAD_OPTION_PTHREAD_IMPL;
46
47#define MHD_gnutls_log_func LOG_FUNC
48
49/* created by asn1c */
50extern const ASN1_ARRAY_TYPE MHD_gnutlsMHD__asn1_tab[];
51extern const ASN1_ARRAY_TYPE MHD_pkix_asn1_tab[];
52
53LOG_FUNC MHD__gnutls_log_func;
54int MHD__gnutls_log_level = 0; /* default log level */
55
56ASN1_TYPE MHD__gnutls_pkix1_asn;
57ASN1_TYPE MHD__gnutlsMHD__gnutls_asn;
58
59/**
60 * MHD_gtls_global_set_log_function - This function sets the logging function
61 * @log_func: it's a log function
62 *
63 * This is the function where you set the logging function gnutls
64 * is going to use. This function only accepts a character array.
65 * Normally you may not use this function since it is only used
66 * for debugging purposes.
67 *
68 * MHD_gnutls_log_func is of the form,
69 * void (*MHD_gnutls_log_func)( int level, const char*);
70 **/
71void
72MHD_gtls_global_set_log_function (MHD_gnutls_log_func log_func)
73{
74 MHD__gnutls_log_func = log_func;
75}
76
77/**
78 * MHD_gtls_global_set_log_level - This function sets the logging level
79 * @level: it's an integer from 0 to 9.
80 *
81 * This is the function that allows you to set the log level.
82 * The level is an integer between 0 and 9. Higher values mean
83 * more verbosity. The default value is 0. Larger values should
84 * only be used with care, since they may reveal sensitive information.
85 *
86 * Use a log level over 10 to enable all debugging options.
87 *
88 **/
89void
90MHD_gtls_global_set_log_level (int level)
91{
92 MHD__gnutls_log_level = level;
93}
94
95int MHD__gnutls_is_secure_mem_null (const void *);
96
97static int MHD__gnutls_init_level = 0;
98
99/**
100 * MHD__gnutls_global_init - This function initializes the global data to defaults.
101 *
102 * This function initializes the global data to defaults.
103 * Every gnutls application has a global data which holds common parameters
104 * shared by gnutls session structures.
105 * You must call MHD__gnutls_global_deinit() when gnutls usage is no longer needed
106 * Returns zero on success.
107 *
108 * Note that this function will also initialize libgcrypt, if it has not
109 * been initialized before. Thus if you want to manually initialize libgcrypt
110 * you must do it before calling this function. This is useful in cases you
111 * want to disable libgcrypt's internal lockings etc.
112 *
113 * This function increment a global counter, so that
114 * MHD__gnutls_global_deinit() only releases resources when it has been
115 * called as many times as MHD__gnutls_global_init(). This is useful when
116 * GnuTLS is used by more than one library in an application. This
117 * function can be called many times, but will only do something the
118 * first time.
119 *
120 * Note! This function is not thread safe. If two threads call this
121 * function simultaneously, they can cause a race between checking
122 * the global counter and incrementing it, causing both threads to
123 * execute the library initialization code. That would lead to a
124 * memory leak. To handle this, your application could invoke this
125 * function after aquiring a thread mutex. To ignore the potential
126 * memory leak is also an option.
127 *
128 **/
129int
130MHD__gnutls_global_init ()
131{
132 int result = 0;
133 int res;
134
135 if (MHD__gnutls_init_level++)
136 return 0;
137
138#if HAVE_WINSOCK
139 {
140 WORD requested;
141 WSADATA data;
142 int err;
143
144 requested = MAKEWORD (1, 1);
145 err = WSAStartup (requested, &data);
146 if (err != 0)
147 {
148 MHD__gnutls_debug_log ("WSAStartup failed: %d.\n", err);
149 return GNUTLS_E_LIBRARY_VERSION_MISMATCH;
150 }
151
152 if (data.wVersion < requested)
153 {
154 MHD__gnutls_debug_log ("WSAStartup version check failed (%d < %d).\n",
155 data.wVersion, requested);
156 WSACleanup ();
157 return GNUTLS_E_LIBRARY_VERSION_MISMATCH;
158 }
159 }
160#endif
161
162 /* bindtextdomain("mhd", "./"); */
163
164 if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P) == 0)
165 {
166 const char *p;
167
168 /* to enable multi-threading this call must precede any other call made to libgcrypt */
169 gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
170
171 /* set p to point at the required version of gcrypt */
172 p = strchr (MHD_GCRYPT_VERSION, ':');
173 if (p == NULL)
174 p = MHD_GCRYPT_VERSION;
175 else
176 p++;
177
178 /* this call initializes libgcrypt */
179 if (gcry_check_version (p) == NULL)
180 {
181 MHD_gnutls_assert ();
182 MHD__gnutls_debug_log ("Checking for libgcrypt failed '%s'\n", p);
183 return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY;
184 }
185
186 /* for gcrypt in order to be able to allocate memory */
187 gcry_set_allocation_handler (MHD_gnutls_malloc,
188 MHD_gnutls_secure_malloc,
189 MHD__gnutls_is_secure_memory,
190 MHD_gnutls_realloc, MHD_gnutls_free);
191
192 /* gcry_control (GCRYCTL_DISABLE_INTERNAL_LOCKING, NULL, 0); */
193
194 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, NULL, 0);
195
196 }
197
198 if (MHD_gc_init () != GC_OK)
199 {
200 MHD_gnutls_assert ();
201 MHD__gnutls_debug_log ("Initializing crypto backend failed\n");
202 return GNUTLS_E_INCOMPATIBLE_CRYPTO_LIBRARY;
203 }
204
205 /* initialize parser
206 * This should not deal with files in the final
207 * version.
208 */
209 res =
210 MHD__asn1_array2tree (MHD_pkix_asn1_tab, &MHD__gnutls_pkix1_asn, NULL);
211 if (res != ASN1_SUCCESS)
212 {
213 result = MHD_gtls_asn2err (res);
214 return result;
215 }
216
217 res =
218 MHD__asn1_array2tree (MHD_gnutlsMHD__asn1_tab,
219 &MHD__gnutlsMHD__gnutls_asn, NULL);
220 if (res != ASN1_SUCCESS)
221 {
222 MHD__asn1_delete_structure (&MHD__gnutls_pkix1_asn);
223 result = MHD_gtls_asn2err (res);
224 return result;
225 }
226
227 return result;
228}
229
230/**
231 * MHD__gnutls_global_deinit - This function deinitializes the global data
232 *
233 * This function deinitializes the global data, that were initialized
234 * using MHD__gnutls_global_init().
235 *
236 * Note! This function is not thread safe. See the discussion for
237 * MHD__gnutls_global_init() for more information.
238 *
239 **/
240void
241MHD__gnutls_global_deinit ()
242{
243 if (MHD__gnutls_init_level == 1)
244 {
245#if HAVE_WINSOCK
246 WSACleanup ();
247#endif
248 MHD__asn1_delete_structure (&MHD__gnutlsMHD__gnutls_asn);
249 MHD__asn1_delete_structure (&MHD__gnutls_pkix1_asn);
250 MHD_gc_done ();
251 }
252 MHD__gnutls_init_level--;
253}
254
255/* These functions should be elsewere. Kept here for
256 * historical reasons.
257 */
258
259/**
260 * MHD__gnutls_transport_set_pull_function - This function sets a read like function
261 * @pull_func: a callback function similar to read()
262 * @session: gnutls session
263 *
264 * This is the function where you set a function for gnutls
265 * to receive data. Normally, if you use berkeley style sockets,
266 * do not need to use this function since the default (recv(2)) will
267 * probably be ok.
268 *
269 * PULL_FUNC is of the form,
270 * ssize_t (*MHD_gtls_pull_func)(MHD_gnutls_transport_ptr_t, void*, size_t);
271 **/
272void
273MHD__gnutls_transport_set_pull_function (MHD_gtls_session_t session,
274 MHD_gtls_pull_func pull_func)
275{
276 session->internals.MHD__gnutls_pull_func = pull_func;
277}
278
279/**
280 * MHD__gnutls_transport_set_push_function - This function sets the function to send data
281 * @push_func: a callback function similar to write()
282 * @session: gnutls session
283 *
284 * This is the function where you set a push function for gnutls
285 * to use in order to send data. If you are going to use berkeley style
286 * sockets, you do not need to use this function since
287 * the default (send(2)) will probably be ok. Otherwise you should
288 * specify this function for gnutls to be able to send data.
289 *
290 * PUSH_FUNC is of the form,
291 * ssize_t (*MHD_gtls_push_func)(MHD_gnutls_transport_ptr_t, const void*, size_t);
292 **/
293void
294MHD__gnutls_transport_set_push_function (MHD_gtls_session_t session,
295 MHD_gtls_push_func push_func)
296{
297 session->internals.MHD__gnutls_push_func = push_func;
298}
diff --git a/src/daemon/https/tls/gnutls_global.h b/src/daemon/https/tls/gnutls_global.h
deleted file mode 100644
index 50d6131c..00000000
--- a/src/daemon/https/tls/gnutls_global.h
+++ /dev/null
@@ -1,54 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef GNUTLS_GLOBAL_H
26#define GNUTLS_GLOBAL_H
27
28#include "MHD_config.h"
29#include <libtasn1.h>
30#undef HAVE_CONFIG_H
31#include <pthread.h>
32#define HAVE_CONFIG_H 1
33
34/* this mutex is used to synchronize threads attempting to call MHD__gnutls_global_init / MHD__gnutls_global_deinit */
35extern pthread_mutex_t MHD_gnutls_init_mutex;
36
37int MHD_gnutls_is_secure_memory (const void *mem);
38
39extern ASN1_TYPE MHD__gnutls_pkix1_asn;
40extern ASN1_TYPE MHD__gnutlsMHD__gnutls_asn;
41
42#if !HAVE_MEMMEM
43extern void *memmem (void const *__haystack, size_t __haystack_len,
44 void const *__needle, size_t __needle_len);
45#endif
46
47/* removed const from node_asn* to
48 * prevent warnings, since libtasn1 doesn't
49 * use the const keywork in its functions.
50 */
51#define MHD__gnutls_getMHD__gnutls_asn() ((node_asn*) MHD__gnutlsMHD__gnutls_asn)
52#define MHD__gnutls_get_pkix() ((node_asn*) MHD__gnutls_pkix1_asn)
53
54#endif
diff --git a/src/daemon/https/tls/gnutls_handshake.c b/src/daemon/https/tls/gnutls_handshake.c
deleted file mode 100644
index f12f4015..00000000
--- a/src/daemon/https/tls/gnutls_handshake.c
+++ /dev/null
@@ -1,2804 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* Functions that relate to the TLS handshake procedure.
26 */
27
28#include "MHD_config.h"
29#include "gnutls_int.h"
30#include "gnutls_errors.h"
31#include "gnutls_dh.h"
32#include "debug.h"
33#include "gnutls_algorithms.h"
34#include "gnutls_cipher.h"
35#include "gnutls_buffers.h"
36#include "gnutls_kx.h"
37#include "gnutls_handshake.h"
38#include "gnutls_num.h"
39#include "gnutls_hash_int.h"
40#include "gnutls_extensions.h"
41#include "gnutls_supplemental.h"
42#include "gnutls_auth_int.h"
43#include "auth_cert.h"
44#include "gnutls_cert.h"
45#include "gnutls_constate.h"
46#include "gnutls_record.h"
47#include "gnutls_state.h"
48#include "gnutls_rsa_export.h" /* for MHD_gnutls_get_rsa_params() */
49#include "gc.h"
50
51#ifdef HANDSHAKE_DEBUG
52#define ERR(x, y) MHD__gnutls_handshake_log( "HSK[%x]: %s (%d)\n", session, x,y)
53#else
54#define ERR(x, y)
55#endif
56
57#define TRUE 1
58#define FALSE 0
59
60
61/* This should be sufficient by now. It should hold all the extensions
62 * plus the headers in a hello message.
63 */
64#define MAX_EXT_DATA_LENGTH 1024
65
66
67static int MHD_gtls_remove_unwanted_ciphersuites (MHD_gtls_session_t session,
68 cipher_suite_st **
69 cipherSuites,
70 int numCipherSuites,
71 enum
72 MHD_GNUTLS_PublicKeyAlgorithm);
73static int MHD_gtls_server_select_suite (MHD_gtls_session_t session,
74 opaque * data, int datalen);
75
76static int MHD_gtls_generate_session_id (opaque * session_id, uint8_t * len);
77
78static int MHD_gtls_handshake_common (MHD_gtls_session_t session);
79
80static int MHD_gtls_handshake_server (MHD_gtls_session_t session);
81
82#if MHD_DEBUG_TLS
83static int MHD_gtls_handshake_client (MHD_gtls_session_t session);
84#endif
85
86
87static int MHD__gnutls_server_select_comp_method (MHD_gtls_session_t session,
88 opaque * data, int datalen);
89
90
91/* Clears the handshake hash buffers and handles.
92 */
93static void
94MHD__gnutls_handshake_hash_buffers_clear (MHD_gtls_session_t session)
95{
96 MHD_gnutls_hash_deinit (session->internals.handshake_mac_handle_md5, NULL);
97 MHD_gnutls_hash_deinit (session->internals.handshake_mac_handle_sha, NULL);
98 session->internals.handshake_mac_handle_md5 = NULL;
99 session->internals.handshake_mac_handle_sha = NULL;
100 MHD_gtls_handshake_buffer_clear (session);
101}
102
103/**
104 * gnutls_handshake_set_max_packet_length - This function will set the maximum length of a handshake message
105 * @session: is a #gnutls_session_t structure.
106 * @max: is the maximum number.
107 *
108 * This function will set the maximum size of a handshake message.
109 * Handshake messages over this size are rejected.
110 * The default value is 16kb which is large enough. Set this to 0 if you do not want
111 * to set an upper limit.
112 *
113 **/
114void
115MHD__gnutls_handshake_set_max_packet_length (MHD_gtls_session_t session,
116 size_t max)
117{
118 session->internals.max_handshake_data_buffer_size = max;
119}
120
121
122static void
123MHD_gtls_set_server_random (MHD_gtls_session_t session, uint8_t * rnd)
124{
125 memcpy (session->security_parameters.server_random, rnd, TLS_RANDOM_SIZE);
126}
127
128static void
129MHD_gtls_set_client_random (MHD_gtls_session_t session, uint8_t * rnd)
130{
131 memcpy (session->security_parameters.client_random, rnd, TLS_RANDOM_SIZE);
132}
133
134/* Calculate The SSL3 Finished message */
135#define SSL3_CLIENT_MSG "CLNT"
136#define SSL3_SERVER_MSG "SRVR"
137#define SSL_MSG_LEN 4
138static int
139MHD__gnutls_ssl3_finished (MHD_gtls_session_t session, int type, opaque * ret)
140{
141 const int siz = SSL_MSG_LEN;
142 mac_hd_t td_md5;
143 mac_hd_t td_sha;
144 const char *mesg;
145
146 td_md5 = MHD_gnutls_hash_copy (session->internals.handshake_mac_handle_md5);
147 if (td_md5 == NULL)
148 {
149 MHD_gnutls_assert ();
150 return GNUTLS_E_HASH_FAILED;
151 }
152
153 td_sha = MHD_gnutls_hash_copy (session->internals.handshake_mac_handle_sha);
154 if (td_sha == NULL)
155 {
156 MHD_gnutls_assert ();
157 MHD_gnutls_hash_deinit (td_md5, NULL);
158 return GNUTLS_E_HASH_FAILED;
159 }
160
161 if (type == GNUTLS_SERVER)
162 {
163 mesg = SSL3_SERVER_MSG;
164 }
165 else
166 {
167 mesg = SSL3_CLIENT_MSG;
168 }
169
170 MHD_gnutls_hash (td_md5, mesg, siz);
171 MHD_gnutls_hash (td_sha, mesg, siz);
172
173 MHD_gnutls_mac_deinit_ssl3_handshake (td_md5, ret,
174 session->security_parameters.
175 master_secret, TLS_MASTER_SIZE);
176 MHD_gnutls_mac_deinit_ssl3_handshake (td_sha, &ret[16],
177 session->security_parameters.
178 master_secret, TLS_MASTER_SIZE);
179
180 return 0;
181}
182
183/* Hash the handshake messages as required by TLS 1.0 */
184#define SERVER_MSG "server finished"
185#define CLIENT_MSG "client finished"
186#define TLS_MSG_LEN 15
187static int
188MHD__gnutls_finished (MHD_gtls_session_t session, int type, void *ret)
189{
190 const int siz = TLS_MSG_LEN;
191 opaque concat[36];
192 size_t len;
193 const char *mesg;
194 mac_hd_t td_md5 = NULL;
195 mac_hd_t td_sha;
196 enum MHD_GNUTLS_Protocol ver = MHD__gnutls_protocol_get_version (session);
197
198 if (ver < MHD_GNUTLS_PROTOCOL_TLS1_2)
199 {
200 td_md5 =
201 MHD_gnutls_hash_copy (session->internals.handshake_mac_handle_md5);
202 if (td_md5 == NULL)
203 {
204 MHD_gnutls_assert ();
205 return GNUTLS_E_HASH_FAILED;
206 }
207 }
208
209 td_sha = MHD_gnutls_hash_copy (session->internals.handshake_mac_handle_sha);
210 if (td_sha == NULL)
211 {
212 MHD_gnutls_assert ();
213 if (td_md5 != NULL)
214 MHD_gnutls_hash_deinit (td_md5, NULL);
215 return GNUTLS_E_HASH_FAILED;
216 }
217
218 if (ver < MHD_GNUTLS_PROTOCOL_TLS1_2)
219 {
220 MHD_gnutls_hash_deinit (td_md5, concat);
221 MHD_gnutls_hash_deinit (td_sha, &concat[16]);
222 len = 20 + 16;
223 }
224 else
225 {
226 MHD_gnutls_hash_deinit (td_sha, concat);
227 len = 20;
228 }
229
230 if (type == GNUTLS_SERVER)
231 {
232 mesg = SERVER_MSG;
233 }
234 else
235 {
236 mesg = CLIENT_MSG;
237 }
238
239 return MHD_gtls_PRF (session, session->security_parameters.master_secret,
240 TLS_MASTER_SIZE, mesg, siz, concat, len, 12, ret);
241}
242
243/* this function will produce TLS_RANDOM_SIZE==32 bytes of random data
244 * and put it to dst.
245 */
246static int
247MHD_gtls_tls_create_random (opaque * dst)
248{
249 uint32_t tim;
250
251 /* Use weak random numbers for the most of the
252 * buffer except for the first 4 that are the
253 * system's time.
254 */
255
256 tim = time (NULL);
257 /* generate server random value */
258 MHD_gtls_write_uint32 (tim, dst);
259
260 if (MHD_gc_nonce ((char *) &dst[4], TLS_RANDOM_SIZE - 4) != GC_OK)
261 {
262 MHD_gnutls_assert ();
263 return GNUTLS_E_RANDOM_FAILED;
264 }
265
266 return 0;
267}
268
269/* returns the 0 on success or a negative value.
270 */
271static int
272MHD_gtls_negotiate_version (MHD_gtls_session_t session,
273 enum MHD_GNUTLS_Protocol adv_version)
274{
275 int ret;
276
277 /* if we do not support that version */
278 if (MHD_gtls_version_is_supported (session, adv_version) == 0)
279 {
280 /* If he requested something we do not support
281 * then we send him the highest we support.
282 */
283 ret = MHD_gtls_version_max (session);
284 }
285 else
286 {
287 ret = adv_version;
288 }
289 MHD_gtls_set_current_version (session, ret);
290
291 return ret;
292}
293
294/* Read a client hello packet.
295 * A client hello must be a known version client hello
296 * or version 2.0 client hello (only for compatibility
297 * since SSL version 2.0 is not supported).
298 */
299static int
300MHD__gnutls_read_client_hello (MHD_gtls_session_t session, opaque * data,
301 int datalen)
302{
303 uint8_t session_id_len;
304 int pos = 0, ret = 0;
305 uint16_t suite_size, comp_size;
306 enum MHD_GNUTLS_Protocol adv_version;
307 int neg_version;
308 int len = datalen;
309 opaque rnd[TLS_RANDOM_SIZE], *suite_ptr, *comp_ptr;
310
311 DECR_LEN (len, 2);
312
313 MHD__gnutls_handshake_log ("HSK[%x]: Client's version: %d.%d\n", session,
314 data[pos], data[pos + 1]);
315
316 adv_version = MHD_gtls_version_get (data[pos], data[pos + 1]);
317 set_adv_version (session, data[pos], data[pos + 1]);
318 pos += 2;
319
320 neg_version = MHD_gtls_negotiate_version (session, adv_version);
321 if (neg_version < 0)
322 {
323 MHD_gnutls_assert ();
324 return ret;
325 }
326
327 /* Read client random value.
328 */
329 DECR_LEN (len, TLS_RANDOM_SIZE);
330 MHD_gtls_set_client_random (session, &data[pos]);
331 pos += TLS_RANDOM_SIZE;
332
333 MHD_gtls_tls_create_random (rnd);
334 MHD_gtls_set_server_random (session, rnd);
335
336 session->security_parameters.timestamp = time (NULL);
337
338 DECR_LEN (len, 1);
339 session_id_len = data[pos++];
340
341 /* RESUME SESSION */
342 if (session_id_len > TLS_MAX_SESSION_ID_SIZE)
343 {
344 MHD_gnutls_assert ();
345 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
346 }
347 DECR_LEN (len, session_id_len);
348
349 pos += session_id_len;
350
351 MHD_gtls_generate_session_id (session->security_parameters.session_id,
352 &session->security_parameters.
353 session_id_size);
354
355 session->internals.resumed = RESUME_FALSE;
356 /* Remember ciphersuites for later
357 */
358 DECR_LEN (len, 2);
359 suite_size = MHD_gtls_read_uint16 (&data[pos]);
360 pos += 2;
361
362 DECR_LEN (len, suite_size);
363 suite_ptr = &data[pos];
364 pos += suite_size;
365
366 /* Point to the compression methods
367 */
368 DECR_LEN (len, 1);
369 comp_size = data[pos++]; /* z is the number of compression methods */
370
371 DECR_LEN (len, comp_size);
372 comp_ptr = &data[pos];
373 pos += comp_size;
374
375 /* Parse the extensions (if any)
376 */
377 if (neg_version >= MHD_GNUTLS_PROTOCOL_TLS1_0)
378 {
379 ret = MHD_gtls_parse_extensions (session, EXTENSION_APPLICATION, &data[pos], len); /* len is the rest of the parsed length */
380 if (ret < 0)
381 {
382 MHD_gnutls_assert ();
383 return ret;
384 }
385 }
386
387 if (neg_version >= MHD_GNUTLS_PROTOCOL_TLS1_0)
388 {
389 ret = MHD_gtls_parse_extensions (session, EXTENSION_TLS, &data[pos], len); /* len is the rest of the parsed length */
390 if (ret < 0)
391 {
392 MHD_gnutls_assert ();
393 return ret;
394 }
395 }
396
397 /* select an appropriate cipher suite
398 */
399 ret = MHD_gtls_server_select_suite (session, suite_ptr, suite_size);
400 if (ret < 0)
401 {
402 MHD_gnutls_assert ();
403 return ret;
404 }
405
406 /* select appropriate compression method */
407 ret = MHD__gnutls_server_select_comp_method (session, comp_ptr, comp_size);
408 if (ret < 0)
409 {
410 MHD_gnutls_assert ();
411 return ret;
412 }
413
414 return 0;
415}
416
417/* here we hash all pending data.
418 */
419static int
420MHD__gnutls_handshake_hash_pending (MHD_gtls_session_t session)
421{
422 size_t siz;
423 int ret;
424 opaque *data;
425
426 if (session->internals.handshake_mac_handle_sha == NULL ||
427 session->internals.handshake_mac_handle_md5 == NULL)
428 {
429 MHD_gnutls_assert ();
430 return GNUTLS_E_INTERNAL_ERROR;
431 }
432
433 /* We check if there are pending data to hash.
434 */
435 if ((ret = MHD_gtls_handshake_buffer_get_ptr (session, &data, &siz)) < 0)
436 {
437 MHD_gnutls_assert ();
438 return ret;
439 }
440
441 if (siz > 0)
442 {
443 MHD_gnutls_hash (session->internals.handshake_mac_handle_sha, data,
444 siz);
445 MHD_gnutls_hash (session->internals.handshake_mac_handle_md5, data,
446 siz);
447 }
448
449 MHD_gtls_handshake_buffer_empty (session);
450
451 return 0;
452}
453
454
455/* This is to be called after sending CHANGE CIPHER SPEC packet
456 * and initializing encryption. This is the first encrypted message
457 * we send.
458 */
459static int
460MHD__gnutls_send_finished (MHD_gtls_session_t session, int again)
461{
462 uint8_t data[36];
463 int ret;
464 int data_size = 0;
465
466
467 if (again == 0)
468 {
469
470 /* This is needed in order to hash all the required
471 * messages.
472 */
473 if ((ret = MHD__gnutls_handshake_hash_pending (session)) < 0)
474 {
475 MHD_gnutls_assert ();
476 return ret;
477 }
478
479 if (MHD__gnutls_protocol_get_version (session) ==
480 MHD_GNUTLS_PROTOCOL_SSL3)
481 {
482 ret =
483 MHD__gnutls_ssl3_finished (session,
484 session->security_parameters.entity,
485 data);
486 data_size = 36;
487 }
488 else
489 { /* TLS 1.0 */
490 ret =
491 MHD__gnutls_finished (session,
492 session->security_parameters.entity, data);
493 data_size = 12;
494 }
495
496 if (ret < 0)
497 {
498 MHD_gnutls_assert ();
499 return ret;
500 }
501
502 }
503
504 ret =
505 MHD_gtls_send_handshake (session, data, data_size,
506 GNUTLS_HANDSHAKE_FINISHED);
507
508 return ret;
509}
510
511/* This is to be called after sending our finished message. If everything
512 * went fine we have negotiated a secure connection
513 */
514static int
515MHD__gnutls_recv_finished (MHD_gtls_session_t session)
516{
517 uint8_t data[36], *vrfy;
518 int data_size;
519 int ret;
520 int vrfysize;
521
522 ret =
523 MHD_gtls_recv_handshake (session, &vrfy, &vrfysize,
524 GNUTLS_HANDSHAKE_FINISHED, MANDATORY_PACKET);
525 if (ret < 0)
526 {
527 ERR ("recv finished int", ret);
528 MHD_gnutls_assert ();
529 return ret;
530 }
531
532
533 if (MHD__gnutls_protocol_get_version (session) == MHD_GNUTLS_PROTOCOL_SSL3)
534 {
535 data_size = 36;
536 }
537 else
538 {
539 data_size = 12;
540 }
541
542 if (vrfysize != data_size)
543 {
544 MHD_gnutls_assert ();
545 MHD_gnutls_free (vrfy);
546 return GNUTLS_E_ERROR_IN_FINISHED_PACKET;
547 }
548
549 if (MHD__gnutls_protocol_get_version (session) == MHD_GNUTLS_PROTOCOL_SSL3)
550 {
551 ret =
552 MHD__gnutls_ssl3_finished (session,
553 (session->security_parameters.entity +
554 1) % 2, data);
555 }
556 else
557 { /* TLS 1.0 */
558 ret =
559 MHD__gnutls_finished (session,
560 (session->security_parameters.entity +
561 1) % 2, data);
562 }
563
564 if (ret < 0)
565 {
566 MHD_gnutls_assert ();
567 MHD_gnutls_free (vrfy);
568 return ret;
569 }
570
571 if (memcmp (vrfy, data, data_size) != 0)
572 {
573 MHD_gnutls_assert ();
574 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
575 }
576 MHD_gnutls_free (vrfy);
577
578 return ret;
579}
580
581/* returns PK_RSA if the given cipher suite list only supports,
582 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
583 */
584static int
585MHD__gnutls_server_find_pk_algos_in_ciphersuites (const opaque *
586 data, int datalen)
587{
588 int j;
589 enum MHD_GNUTLS_PublicKeyAlgorithm algo = GNUTLS_PK_NONE, prev_algo = 0;
590 enum MHD_GNUTLS_KeyExchangeAlgorithm kx;
591 cipher_suite_st cs;
592
593 if (datalen % 2 != 0)
594 {
595 MHD_gnutls_assert ();
596 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
597 }
598
599 for (j = 0; j < datalen; j += 2)
600 {
601 memcpy (&cs.suite, &data[j], 2);
602 kx = MHD_gtls_cipher_suite_get_kx_algo (&cs);
603
604 if (MHD_gtls_map_kx_get_cred (kx, 1) == MHD_GNUTLS_CRD_CERTIFICATE)
605 {
606 algo = MHD_gtls_map_pk_get_pk (kx);
607
608 if (algo != prev_algo && prev_algo != 0)
609 return GNUTLS_PK_ANY;
610 prev_algo = algo;
611 }
612 }
613
614 return algo;
615}
616
617
618/* This selects the best supported ciphersuite from the given ones. Then
619 * it adds the suite to the session and performs some checks.
620 */
621static int
622MHD_gtls_server_select_suite (MHD_gtls_session_t session, opaque * data,
623 int datalen)
624{
625 int x, i, j;
626 cipher_suite_st *ciphers, cs;
627 int retval, err;
628 enum MHD_GNUTLS_PublicKeyAlgorithm pk_algo; /* will hold the pk algorithms
629 * supported by the peer.
630 */
631
632 pk_algo = MHD__gnutls_server_find_pk_algos_in_ciphersuites (data, datalen);
633
634 x = MHD_gtls_supported_ciphersuites (session, &ciphers);
635 if (x < 0)
636 { /* the case x==0 is handled within the function. */
637 MHD_gnutls_assert ();
638 return x;
639 }
640
641 /* Here we remove any ciphersuite that does not conform
642 * the certificate requested, or to the
643 * authentication requested (e.g. SRP).
644 */
645 x = MHD_gtls_remove_unwanted_ciphersuites (session, &ciphers, x, pk_algo);
646 if (x <= 0)
647 {
648 MHD_gnutls_assert ();
649 MHD_gnutls_free (ciphers);
650 if (x < 0)
651 return x;
652 else
653 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
654 }
655
656 /* Data length should be zero mod 2 since
657 * every ciphersuite is 2 bytes. (this check is needed
658 * see below).
659 */
660 if (datalen % 2 != 0)
661 {
662 MHD_gnutls_assert ();
663 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
664 }
665 memset (session->security_parameters.current_cipher_suite.suite, '\0', 2);
666
667 retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE;
668
669 for (j = 0; j < datalen; j += 2)
670 {
671 for (i = 0; i < x; i++)
672 {
673 if (memcmp (ciphers[i].suite, &data[j], 2) == 0)
674 {
675 memcpy (&cs.suite, &data[j], 2);
676
677 MHD__gnutls_handshake_log
678 ("HSK[%x]: Selected cipher suite: %s\n", session,
679 MHD_gtls_cipher_suite_get_name (&cs));
680 memcpy (session->security_parameters.current_cipher_suite.suite,
681 ciphers[i].suite, 2);
682 retval = 0;
683 goto finish;
684 }
685 }
686 }
687
688finish:
689 MHD_gnutls_free (ciphers);
690
691 if (retval != 0)
692 {
693 MHD_gnutls_assert ();
694 return retval;
695 }
696
697 /* check if the credentials (username, public key etc.) are ok
698 */
699 if (MHD_gtls_get_kx_cred
700 (session,
701 MHD_gtls_cipher_suite_get_kx_algo (&session->security_parameters.
702 current_cipher_suite), &err) == NULL
703 && err != 0)
704 {
705 MHD_gnutls_assert ();
706 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
707 }
708
709
710 /* set the MHD_gtls_mod_auth_st to the appropriate struct
711 * according to the KX algorithm. This is needed since all the
712 * handshake functions are read from there;
713 */
714 session->internals.auth_struct =
715 MHD_gtls_kx_auth_struct (MHD_gtls_cipher_suite_get_kx_algo
716 (&session->security_parameters.
717 current_cipher_suite));
718 if (session->internals.auth_struct == NULL)
719 {
720
721 MHD__gnutls_handshake_log
722 ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n",
723 session);
724 MHD_gnutls_assert ();
725 return GNUTLS_E_INTERNAL_ERROR;
726 }
727
728 return 0;
729
730}
731
732
733/* This selects the best supported compression method from the ones provided
734 */
735static int
736MHD__gnutls_server_select_comp_method (MHD_gtls_session_t session,
737 opaque * data, int datalen)
738{
739 int x, i, j;
740 uint8_t *comps;
741
742 x = MHD_gtls_supported_compression_methods (session, &comps);
743 if (x < 0)
744 {
745 MHD_gnutls_assert ();
746 return x;
747 }
748
749 memset (&session->internals.compression_method, 0,
750 sizeof (enum MHD_GNUTLS_CompressionMethod));
751
752 for (j = 0; j < datalen; j++)
753 {
754 for (i = 0; i < x; i++)
755 {
756 if (comps[i] == data[j])
757 {
758 enum MHD_GNUTLS_CompressionMethod method =
759 MHD_gtls_compression_get_id_from_int (comps[i]);
760
761 session->internals.compression_method = method;
762 MHD_gnutls_free (comps);
763 return 0;
764 }
765 }
766 }
767
768 /* we were not able to find a compatible compression
769 * algorithm
770 */
771 MHD_gnutls_free (comps);
772 MHD_gnutls_assert ();
773 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
774
775}
776
777/* This function sends an empty handshake packet. (like hello request).
778 * If the previous MHD__gnutls_send_empty_handshake() returned
779 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
780 * (until it returns ok), with NULL parameters.
781 */
782static int
783MHD__gnutls_send_empty_handshake (MHD_gtls_session_t session,
784 MHD_gnutls_handshake_description_t type,
785 int again)
786{
787 opaque data = 0;
788 opaque *ptr;
789
790 if (again == 0)
791 ptr = &data;
792 else
793 ptr = NULL;
794
795 return MHD_gtls_send_handshake (session, ptr, 0, type);
796}
797
798
799/* This function will hash the handshake message we sent. */
800static int
801MHD__gnutls_handshake_hash_add_sent (MHD_gtls_session_t session,
802 MHD_gnutls_handshake_description_t type,
803 opaque * dataptr, uint32_t datalen)
804{
805 int ret;
806
807 if ((ret = MHD__gnutls_handshake_hash_pending (session)) < 0)
808 {
809 MHD_gnutls_assert ();
810 return ret;
811 }
812
813 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
814 {
815 MHD_gnutls_hash (session->internals.handshake_mac_handle_sha, dataptr,
816 datalen);
817 MHD_gnutls_hash (session->internals.handshake_mac_handle_md5, dataptr,
818 datalen);
819 }
820
821 return 0;
822}
823
824
825/* This function sends a handshake message of type 'type' containing the
826 * data specified here. If the previous MHD_gtls_send_handshake() returned
827 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
828 * (until it returns ok), with NULL parameters.
829 */
830int
831MHD_gtls_send_handshake (MHD_gtls_session_t session, void *i_data,
832 uint32_t i_datasize,
833 MHD_gnutls_handshake_description_t type)
834{
835 int ret;
836 uint8_t *data;
837 uint32_t datasize;
838 int pos = 0;
839
840 if (i_data == NULL && i_datasize == 0)
841 {
842 /* we are resuming a previously interrupted
843 * send.
844 */
845 ret = MHD_gtls_handshake_io_write_flush (session);
846 return ret;
847
848 }
849
850 if (i_data == NULL && i_datasize > 0)
851 {
852 MHD_gnutls_assert ();
853 return GNUTLS_E_INVALID_REQUEST;
854 }
855
856 /* first run */
857 datasize = i_datasize + HANDSHAKE_HEADER_SIZE;
858 data = MHD_gnutls_alloca (datasize);
859 if (data == NULL)
860 {
861 MHD_gnutls_assert ();
862 return GNUTLS_E_MEMORY_ERROR;
863 }
864
865 data[pos++] = (uint8_t) type;
866 MHD_gtls_write_uint24 (i_datasize, &data[pos]);
867 pos += 3;
868
869 if (i_datasize > 0)
870 memcpy (&data[pos], i_data, i_datasize);
871
872 /* Here we keep the handshake messages in order to hash them...
873 */
874 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
875 if ((ret =
876 MHD__gnutls_handshake_hash_add_sent (session, type, data,
877 datasize)) < 0)
878 {
879 MHD_gnutls_assert ();
880 MHD_gnutls_afree (data);
881 return ret;
882 }
883
884 session->internals.last_handshake_out = type;
885
886 ret =
887 MHD_gtls_handshake_io_send_int (session, GNUTLS_HANDSHAKE, type,
888 data, datasize);
889
890 MHD__gnutls_handshake_log ("HSK[%x]: %s was sent [%ld bytes]\n",
891 session, MHD__gnutls_handshake2str (type),
892 (long) datasize);
893
894 MHD_gnutls_afree (data);
895
896 return ret;
897}
898
899/* This function will read the handshake header and return it to the caller. If the
900 * received handshake packet is not the one expected then it buffers the header, and
901 * returns UNEXPECTED_HANDSHAKE_PACKET.
902 *
903 * FIXME: This function is complex.
904 */
905#define SSL2_HEADERS 1
906static int
907MHD__gnutls_recv_handshake_header (MHD_gtls_session_t session,
908 MHD_gnutls_handshake_description_t type,
909 MHD_gnutls_handshake_description_t *
910 recv_type)
911{
912 int ret;
913 uint32_t length32 = 0;
914 uint8_t *dataptr = NULL; /* for realloc */
915 size_t handshake_header_size = HANDSHAKE_HEADER_SIZE;
916
917 /* if we have data into the buffer then return them, do not read the next packet.
918 * In order to return we need a full TLS handshake header, or in case of a version 2
919 * packet, then we return the first byte.
920 */
921 if (session->internals.handshake_header_buffer.header_size ==
922 handshake_header_size || (session->internals.v2_hello != 0
923 && type == GNUTLS_HANDSHAKE_CLIENT_HELLO
924 && session->internals.
925 handshake_header_buffer.packet_length > 0))
926 {
927
928 *recv_type = session->internals.handshake_header_buffer.recv_type;
929
930 return session->internals.handshake_header_buffer.packet_length;
931 }
932
933 /* Note: SSL2_HEADERS == 1 */
934
935 dataptr = session->internals.handshake_header_buffer.header;
936
937 /* If we haven't already read the handshake headers.
938 */
939 if (session->internals.handshake_header_buffer.header_size < SSL2_HEADERS)
940 {
941 ret =
942 MHD_gtls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
943 type, dataptr, SSL2_HEADERS);
944
945 if (ret < 0)
946 {
947 MHD_gnutls_assert ();
948 return ret;
949 }
950
951 /* The case ret==0 is caught here.
952 */
953 if (ret != SSL2_HEADERS)
954 {
955 MHD_gnutls_assert ();
956 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
957 }
958 session->internals.handshake_header_buffer.header_size = SSL2_HEADERS;
959 }
960
961 if (session->internals.v2_hello == 0
962 || type != GNUTLS_HANDSHAKE_CLIENT_HELLO)
963 {
964 ret =
965 MHD_gtls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
966 type,
967 &dataptr
968 [session->internals.
969 handshake_header_buffer.header_size],
970 HANDSHAKE_HEADER_SIZE -
971 session->internals.
972 handshake_header_buffer.header_size);
973 if (ret <= 0)
974 {
975 MHD_gnutls_assert ();
976 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
977 }
978 if ((size_t) ret !=
979 HANDSHAKE_HEADER_SIZE -
980 session->internals.handshake_header_buffer.header_size)
981 {
982 MHD_gnutls_assert ();
983 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
984 }
985 *recv_type = dataptr[0];
986
987 /* we do not use DECR_LEN because we know
988 * that the packet has enough data.
989 */
990 length32 = MHD_gtls_read_uint24 (&dataptr[1]);
991 handshake_header_size = HANDSHAKE_HEADER_SIZE;
992
993 MHD__gnutls_handshake_log ("HSK[%x]: %s was received [%ld bytes]\n",
994 session,
995 MHD__gnutls_handshake2str (dataptr[0]),
996 length32 + HANDSHAKE_HEADER_SIZE);
997
998 }
999 else
1000 { /* v2 hello */
1001 length32 = session->internals.v2_hello - SSL2_HEADERS; /* we've read the first byte */
1002
1003 handshake_header_size = SSL2_HEADERS; /* we've already read one byte */
1004
1005 *recv_type = dataptr[0];
1006
1007 MHD__gnutls_handshake_log ("HSK[%x]: %s(v2) was received [%ld bytes]\n",
1008 session,
1009 MHD__gnutls_handshake2str (*recv_type),
1010 length32 + handshake_header_size);
1011
1012 if (*recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO)
1013 { /* it should be one or nothing */
1014 MHD_gnutls_assert ();
1015 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1016 }
1017 }
1018
1019 /* put the packet into the buffer */
1020 session->internals.handshake_header_buffer.header_size =
1021 handshake_header_size;
1022 session->internals.handshake_header_buffer.packet_length = length32;
1023 session->internals.handshake_header_buffer.recv_type = *recv_type;
1024
1025 if (*recv_type != type)
1026 {
1027 MHD_gnutls_assert ();
1028 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1029 }
1030
1031 return length32;
1032}
1033
1034#define MHD__gnutls_handshake_header_buffer_clear( session) session->internals.handshake_header_buffer.header_size = 0
1035
1036/* This function will hash the handshake headers and the
1037 * handshake data.
1038 */
1039static int
1040MHD__gnutls_handshake_hash_add_recvd (MHD_gtls_session_t session,
1041 MHD_gnutls_handshake_description_t
1042 recv_type, opaque * header,
1043 uint16_t header_size, opaque * dataptr,
1044 uint32_t datalen)
1045{
1046 int ret;
1047
1048 /* The idea here is to hash the previous message we received,
1049 * and add the one we just received into the handshake_hash_buffer.
1050 */
1051
1052 if ((ret = MHD__gnutls_handshake_hash_pending (session)) < 0)
1053 {
1054 MHD_gnutls_assert ();
1055 return ret;
1056 }
1057
1058 /* here we buffer the handshake messages - needed at Finished message */
1059 if (recv_type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1060 {
1061
1062 if ((ret =
1063 MHD_gtls_handshake_buffer_put (session, header, header_size)) < 0)
1064 {
1065 MHD_gnutls_assert ();
1066 return ret;
1067 }
1068
1069 if (datalen > 0)
1070 {
1071 if ((ret =
1072 MHD_gtls_handshake_buffer_put (session, dataptr, datalen)) < 0)
1073 {
1074 MHD_gnutls_assert ();
1075 return ret;
1076 }
1077 }
1078 }
1079
1080 return 0;
1081}
1082
1083/* This function will receive handshake messages of the given types,
1084 * and will pass the message to the right place in order to be processed.
1085 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1086 * passed to MHD_gtls_recv_hello().
1087 */
1088int
1089MHD_gtls_recv_handshake (MHD_gtls_session_t session, uint8_t ** data,
1090 int *datalen,
1091 MHD_gnutls_handshake_description_t type,
1092 Optional optional)
1093{
1094 int ret;
1095 uint32_t length32 = 0;
1096 opaque *dataptr = NULL;
1097 MHD_gnutls_handshake_description_t recv_type;
1098
1099 ret = MHD__gnutls_recv_handshake_header (session, type, &recv_type);
1100 if (ret < 0)
1101 {
1102
1103 if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
1104 && optional == OPTIONAL_PACKET)
1105 {
1106 if (datalen != NULL)
1107 *datalen = 0;
1108 if (data != NULL)
1109 *data = NULL;
1110 return 0; /* ok just ignore the packet */
1111 }
1112
1113 return ret;
1114 }
1115
1116 session->internals.last_handshake_in = recv_type;
1117
1118 length32 = ret;
1119
1120 if (length32 > 0)
1121 dataptr = MHD_gnutls_malloc (length32);
1122 else if (recv_type != GNUTLS_HANDSHAKE_SERVER_HELLO_DONE)
1123 {
1124 MHD_gnutls_assert ();
1125 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1126 }
1127
1128 if (dataptr == NULL && length32 > 0)
1129 {
1130 MHD_gnutls_assert ();
1131 return GNUTLS_E_MEMORY_ERROR;
1132 }
1133
1134 if (datalen != NULL)
1135 *datalen = length32;
1136
1137 if (length32 > 0)
1138 {
1139 ret =
1140 MHD_gtls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
1141 type, dataptr, length32);
1142 if (ret <= 0)
1143 {
1144 MHD_gnutls_assert ();
1145 MHD_gnutls_free (dataptr);
1146 return (ret == 0) ? GNUTLS_E_UNEXPECTED_PACKET_LENGTH : ret;
1147 }
1148 }
1149
1150 if (data != NULL && length32 > 0)
1151 *data = dataptr;
1152
1153
1154 ret = MHD__gnutls_handshake_hash_add_recvd (session, recv_type,
1155 session->internals.
1156 handshake_header_buffer.header,
1157 session->internals.
1158 handshake_header_buffer.header_size,
1159 dataptr, length32);
1160 if (ret < 0)
1161 {
1162 MHD_gnutls_assert ();
1163 MHD__gnutls_handshake_header_buffer_clear (session);
1164 return ret;
1165 }
1166
1167 /* If we fail before this then we will reuse the handshake header
1168 * have have received above. if we get here the we clear the handshake
1169 * header we received.
1170 */
1171 MHD__gnutls_handshake_header_buffer_clear (session);
1172
1173 switch (recv_type)
1174 {
1175 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1176 case GNUTLS_HANDSHAKE_SERVER_HELLO:
1177 ret = MHD_gtls_recv_hello (session, dataptr, length32);
1178 /* dataptr is freed because the caller does not
1179 * need it */
1180 MHD_gnutls_free (dataptr);
1181 if (data != NULL)
1182 *data = NULL;
1183 break;
1184 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
1185 if (length32 == 0)
1186 ret = 0;
1187 else
1188 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1189 break;
1190 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1191 case GNUTLS_HANDSHAKE_FINISHED:
1192 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
1193 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1194 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
1195 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1196 case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
1197 ret = length32;
1198 break;
1199 default:
1200 MHD_gnutls_assert ();
1201 MHD_gnutls_free (dataptr);
1202 if (data != NULL)
1203 *data = NULL;
1204 ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1205 }
1206
1207 return ret;
1208}
1209
1210#if MHD_DEBUG_TLS
1211/* This function checks if the given cipher suite is supported, and sets it
1212 * to the session;
1213 */
1214static int
1215MHD__gnutls_client_set_ciphersuite (MHD_gtls_session_t session,
1216 opaque suite[2])
1217{
1218 uint8_t z;
1219 cipher_suite_st *cipher_suites;
1220 int cipher_suite_num;
1221 int i, err;
1222
1223 z = 1;
1224 cipher_suite_num =
1225 MHD_gtls_supported_ciphersuites (session, &cipher_suites);
1226 if (cipher_suite_num < 0)
1227 {
1228 MHD_gnutls_assert ();
1229 return cipher_suite_num;
1230 }
1231
1232 for (i = 0; i < cipher_suite_num; i++)
1233 {
1234 if (memcmp (&cipher_suites[i], suite, 2) == 0)
1235 {
1236 z = 0;
1237 break;
1238 }
1239 }
1240
1241 MHD_gnutls_free (cipher_suites);
1242
1243 if (z != 0)
1244 {
1245 MHD_gnutls_assert ();
1246 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
1247 }
1248
1249 memcpy (session->security_parameters.current_cipher_suite.suite, suite, 2);
1250
1251 MHD__gnutls_handshake_log ("HSK[%x]: Selected cipher suite: %s\n", session,
1252 MHD_gtls_cipher_suite_get_name
1253 (&session->security_parameters.
1254 current_cipher_suite));
1255
1256
1257 /* check if the credentials (username, public key etc.) are ok.
1258 * Actually checks if they exist.
1259 */
1260 if (MHD_gtls_get_kx_cred
1261 (session,
1262 MHD_gtls_cipher_suite_get_kx_algo
1263 (&session->security_parameters.current_cipher_suite), &err) == NULL
1264 && err != 0)
1265 {
1266 MHD_gnutls_assert ();
1267 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1268 }
1269
1270
1271 /* set the MHD_gtls_mod_auth_st to the appropriate struct
1272 * according to the KX algorithm. This is needed since all the
1273 * handshake functions are read from there;
1274 */
1275 session->internals.auth_struct =
1276 MHD_gtls_kx_auth_struct (MHD_gtls_cipher_suite_get_kx_algo
1277 (&session->security_parameters.
1278 current_cipher_suite));
1279
1280 if (session->internals.auth_struct == NULL)
1281 {
1282
1283 MHD__gnutls_handshake_log
1284 ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n",
1285 session);
1286 MHD_gnutls_assert ();
1287 return GNUTLS_E_INTERNAL_ERROR;
1288 }
1289
1290
1291 return 0;
1292}
1293
1294
1295/* This function sets the given comp method to the session.
1296 */
1297static int
1298MHD__gnutls_client_set_comp_method (MHD_gtls_session_t session,
1299 opaque comp_method)
1300{
1301 int comp_methods_num;
1302 uint8_t *compression_methods;
1303 int i;
1304
1305 comp_methods_num = MHD_gtls_supported_compression_methods (session,
1306 &compression_methods);
1307 if (comp_methods_num < 0)
1308 {
1309 MHD_gnutls_assert ();
1310 return comp_methods_num;
1311 }
1312
1313 for (i = 0; i < comp_methods_num; i++)
1314 {
1315 if (compression_methods[i] == comp_method)
1316 {
1317 comp_methods_num = 0;
1318 break;
1319 }
1320 }
1321
1322 MHD_gnutls_free (compression_methods);
1323
1324 if (comp_methods_num != 0)
1325 {
1326 MHD_gnutls_assert ();
1327 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1328 }
1329
1330 session->internals.compression_method =
1331 MHD_gtls_compression_get_id_from_int (comp_method);
1332
1333
1334 return 0;
1335}
1336
1337/* This function returns 0 if we are resuming a session or -1 otherwise.
1338 * This also sets the variables in the session. Used only while reading a server
1339 * hello.
1340 */
1341static int
1342MHD__gnutls_client_check_if_resuming (MHD_gtls_session_t session,
1343 opaque * session_id, int session_id_len)
1344{
1345 opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1346
1347 MHD__gnutls_handshake_log ("HSK[%x]: SessionID length: %d\n", session,
1348 session_id_len);
1349 MHD__gnutls_handshake_log ("HSK[%x]: SessionID: %s\n", session,
1350 MHD_gtls_bin2hex (session_id, session_id_len,
1351 (char *) buf, sizeof (buf)));
1352
1353 if (session_id_len > 0 &&
1354 session->internals.resumed_security_parameters.session_id_size ==
1355 session_id_len
1356 && memcmp (session_id,
1357 session->internals.resumed_security_parameters.session_id,
1358 session_id_len) == 0)
1359 {
1360 /* resume session */
1361 memcpy (session->internals.resumed_security_parameters.server_random,
1362 session->security_parameters.server_random, TLS_RANDOM_SIZE);
1363 memcpy (session->internals.resumed_security_parameters.client_random,
1364 session->security_parameters.client_random, TLS_RANDOM_SIZE);
1365 session->internals.resumed = RESUME_TRUE; /* we are resuming */
1366
1367 return 0;
1368 }
1369 else
1370 {
1371 /* keep the new session id */
1372 session->internals.resumed = RESUME_FALSE; /* we are not resuming */
1373 session->security_parameters.session_id_size = session_id_len;
1374 memcpy (session->security_parameters.session_id,
1375 session_id, session_id_len);
1376
1377 return -1;
1378 }
1379}
1380
1381/* This function reads and parses the server hello handshake message.
1382 * This function also restores resumed parameters if we are resuming a
1383 * session.
1384 */
1385static int
1386MHD__gnutls_read_server_hello (MHD_gtls_session_t session,
1387 opaque * data, int datalen)
1388{
1389 uint8_t session_id_len = 0;
1390 int pos = 0;
1391 int ret = 0;
1392 enum MHD_GNUTLS_Protocol version;
1393 int len = datalen;
1394
1395 if (datalen < 38)
1396 {
1397 MHD_gnutls_assert ();
1398 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1399 }
1400
1401 MHD__gnutls_handshake_log ("HSK[%x]: Server's version: %d.%d\n",
1402 session, data[pos], data[pos + 1]);
1403
1404 DECR_LEN (len, 2);
1405 version = MHD_gtls_version_get (data[pos], data[pos + 1]);
1406 if (MHD_gtls_version_is_supported (session, version) == 0)
1407 {
1408 MHD_gnutls_assert ();
1409 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1410 }
1411 else
1412 {
1413 MHD_gtls_set_current_version (session, version);
1414 }
1415
1416 pos += 2;
1417
1418 DECR_LEN (len, TLS_RANDOM_SIZE);
1419 MHD_gtls_set_server_random (session, &data[pos]);
1420 pos += TLS_RANDOM_SIZE;
1421
1422
1423 /* Read session ID
1424 */
1425 DECR_LEN (len, 1);
1426 session_id_len = data[pos++];
1427
1428 if (len < session_id_len)
1429 {
1430 MHD_gnutls_assert ();
1431 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1432 }
1433 DECR_LEN (len, session_id_len);
1434
1435
1436 /* check if we are resuming and set the appropriate
1437 * values;
1438 */
1439 if (MHD__gnutls_client_check_if_resuming
1440 (session, &data[pos], session_id_len) == 0)
1441 return 0;
1442 pos += session_id_len;
1443
1444
1445 /* Check if the given cipher suite is supported and copy
1446 * it to the session.
1447 */
1448
1449 DECR_LEN (len, 2);
1450 ret = MHD__gnutls_client_set_ciphersuite (session, &data[pos]);
1451 if (ret < 0)
1452 {
1453 MHD_gnutls_assert ();
1454 return ret;
1455 }
1456 pos += 2;
1457
1458
1459
1460 /* move to compression */
1461 DECR_LEN (len, 1);
1462
1463 ret = MHD__gnutls_client_set_comp_method (session, data[pos++]);
1464 if (ret < 0)
1465 {
1466 MHD_gnutls_assert ();
1467 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1468 }
1469
1470 /* Parse extensions.
1471 */
1472 if (version >= MHD_GNUTLS_PROTOCOL_TLS1_0)
1473 {
1474 ret = MHD_gtls_parse_extensions (session, EXTENSION_ANY, &data[pos], len); /* len is the rest of the parsed length */
1475 if (ret < 0)
1476 {
1477 MHD_gnutls_assert ();
1478 return ret;
1479 }
1480 }
1481 return ret;
1482}
1483
1484
1485/* This function copies the appropriate ciphersuites to a locally allocated buffer
1486 * Needed in client hello messages. Returns the new data length.
1487 */
1488int
1489MHD__gnutls_copy_ciphersuites (MHD_gtls_session_t session,
1490 opaque * ret_data, size_t ret_data_size)
1491{
1492 int ret, i;
1493 cipher_suite_st *cipher_suites;
1494 uint16_t cipher_num;
1495 int datalen, pos;
1496
1497 ret = MHD_gtls_supported_ciphersuites_sorted (session, &cipher_suites);
1498 if (ret < 0)
1499 {
1500 MHD_gnutls_assert ();
1501 return ret;
1502 }
1503
1504 /* Here we remove any ciphersuite that does not conform
1505 * the certificate requested, or to the
1506 * authentication requested (eg SRP).
1507 */
1508 ret =
1509 MHD_gtls_remove_unwanted_ciphersuites (session, &cipher_suites, ret, -1);
1510 if (ret < 0)
1511 {
1512 MHD_gnutls_assert ();
1513 MHD_gnutls_free (cipher_suites);
1514 return ret;
1515 }
1516
1517 /* If no cipher suites were enabled.
1518 */
1519 if (ret == 0)
1520 {
1521 MHD_gnutls_assert ();
1522 MHD_gnutls_free (cipher_suites);
1523 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1524 }
1525
1526 cipher_num = ret;
1527
1528 cipher_num *= sizeof (uint16_t); /* in order to get bytes */
1529
1530 datalen = pos = 0;
1531
1532 datalen += sizeof (uint16_t) + cipher_num;
1533
1534 if ((size_t) datalen > ret_data_size)
1535 {
1536 MHD_gnutls_assert ();
1537 return GNUTLS_E_INTERNAL_ERROR;
1538 }
1539
1540 MHD_gtls_write_uint16 (cipher_num, ret_data);
1541 pos += 2;
1542
1543 for (i = 0; i < (cipher_num / 2); i++)
1544 {
1545 memcpy (&ret_data[pos], cipher_suites[i].suite, 2);
1546 pos += 2;
1547 }
1548 MHD_gnutls_free (cipher_suites);
1549
1550 return datalen;
1551}
1552
1553/* This function copies the appropriate compression methods, to a locally allocated buffer
1554 * Needed in hello messages. Returns the new data length.
1555 */
1556static int
1557MHD__gnutls_copy_comp_methods (MHD_gtls_session_t session,
1558 opaque * ret_data, size_t ret_data_size)
1559{
1560 int ret, i;
1561 uint8_t *compression_methods, comp_num;
1562 int datalen, pos;
1563
1564 ret =
1565 MHD_gtls_supported_compression_methods (session, &compression_methods);
1566 if (ret < 0)
1567 {
1568 MHD_gnutls_assert ();
1569 return ret;
1570 }
1571
1572 comp_num = ret;
1573
1574 datalen = pos = 0;
1575 datalen += comp_num + 1;
1576
1577 if ((size_t) datalen > ret_data_size)
1578 {
1579 MHD_gnutls_assert ();
1580 return GNUTLS_E_INTERNAL_ERROR;
1581 }
1582
1583 ret_data[pos++] = comp_num; /* put the number of compression methods */
1584
1585 for (i = 0; i < comp_num; i++)
1586 {
1587 ret_data[pos++] = compression_methods[i];
1588 }
1589
1590 MHD_gnutls_free (compression_methods);
1591
1592 return datalen;
1593}
1594
1595static void
1596MHD_gtls_set_adv_version (MHD_gtls_session_t session,
1597 enum MHD_GNUTLS_Protocol ver)
1598{
1599 set_adv_version (session, MHD_gtls_version_get_major (ver),
1600 MHD_gtls_version_get_minor (ver));
1601}
1602
1603/* This function sends the client hello handshake message.
1604 */
1605static int
1606MHD__gnutls_send_client_hello (MHD_gtls_session_t session, int again)
1607{
1608 opaque *data = NULL;
1609 int extdatalen;
1610 int pos = 0;
1611 int datalen = 0, ret = 0;
1612 opaque rnd[TLS_RANDOM_SIZE];
1613 enum MHD_GNUTLS_Protocol hver;
1614 opaque extdata[MAX_EXT_DATA_LENGTH];
1615
1616 opaque *SessionID =
1617 session->internals.resumed_security_parameters.session_id;
1618 uint8_t session_id_len =
1619 session->internals.resumed_security_parameters.session_id_size;
1620
1621 if (SessionID == NULL)
1622 session_id_len = 0;
1623 else if (session_id_len == 0)
1624 SessionID = NULL;
1625
1626 if (again == 0)
1627 {
1628
1629 datalen = 2 + (session_id_len + 1) + TLS_RANDOM_SIZE;
1630 /* 2 for version, (4 for unix time + 28 for random bytes==TLS_RANDOM_SIZE)
1631 */
1632
1633 data = MHD_gnutls_malloc (datalen);
1634 if (data == NULL)
1635 {
1636 MHD_gnutls_assert ();
1637 return GNUTLS_E_MEMORY_ERROR;
1638 }
1639
1640 /* if we are resuming a session then we set the
1641 * version number to the previously established.
1642 */
1643 if (SessionID == NULL)
1644 hver = MHD_gtls_version_max (session);
1645 else
1646 { /* we are resuming a session */
1647 hver = session->internals.resumed_security_parameters.version;
1648 }
1649
1650 if (hver == MHD_GNUTLS_PROTOCOL_VERSION_UNKNOWN || hver == 0)
1651 {
1652 MHD_gnutls_assert ();
1653 MHD_gnutls_free (data);
1654 return GNUTLS_E_INTERNAL_ERROR;
1655 }
1656
1657 data[pos++] = MHD_gtls_version_get_major (hver);
1658 data[pos++] = MHD_gtls_version_get_minor (hver);
1659
1660 /* Set the version we advertized as maximum
1661 * (RSA uses it).
1662 */
1663 MHD_gtls_set_adv_version (session, hver);
1664
1665 /* Some old implementations do not interoperate if we send a
1666 * different version in the record layer.
1667 * It seems they prefer to read the record's version
1668 * as the one we actually requested.
1669 * The proper behaviour is to use the one in the client hello
1670 * handshake packet and ignore the one in the packet's record
1671 * header.
1672 */
1673 MHD_gtls_set_current_version (session, hver);
1674
1675 /* In order to know when this session was initiated.
1676 */
1677 session->security_parameters.timestamp = time (NULL);
1678
1679 /* Generate random data
1680 */
1681 MHD_gtls_tls_create_random (rnd);
1682 MHD_gtls_set_client_random (session, rnd);
1683
1684 memcpy (&data[pos], rnd, TLS_RANDOM_SIZE);
1685 pos += TLS_RANDOM_SIZE;
1686
1687 /* Copy the Session ID */
1688 data[pos++] = session_id_len;
1689
1690 if (session_id_len > 0)
1691 {
1692 memcpy (&data[pos], SessionID, session_id_len);
1693 pos += session_id_len;
1694 }
1695
1696
1697 /* Copy the ciphersuites.
1698 */
1699 extdatalen =
1700 MHD__gnutls_copy_ciphersuites (session, extdata, sizeof (extdata));
1701 if (extdatalen > 0)
1702 {
1703 datalen += extdatalen;
1704 data = MHD_gtls_realloc_fast (data, datalen);
1705 if (data == NULL)
1706 {
1707 MHD_gnutls_assert ();
1708 return GNUTLS_E_MEMORY_ERROR;
1709 }
1710
1711 memcpy (&data[pos], extdata, extdatalen);
1712 pos += extdatalen;
1713
1714 }
1715 else
1716 {
1717 if (extdatalen == 0)
1718 extdatalen = GNUTLS_E_INTERNAL_ERROR;
1719 MHD_gnutls_free (data);
1720 MHD_gnutls_assert ();
1721 return extdatalen;
1722 }
1723
1724
1725 /* Copy the compression methods.
1726 */
1727 extdatalen =
1728 MHD__gnutls_copy_comp_methods (session, extdata, sizeof (extdata));
1729 if (extdatalen > 0)
1730 {
1731 datalen += extdatalen;
1732 data = MHD_gtls_realloc_fast (data, datalen);
1733 if (data == NULL)
1734 {
1735 MHD_gnutls_assert ();
1736 return GNUTLS_E_MEMORY_ERROR;
1737 }
1738
1739 memcpy (&data[pos], extdata, extdatalen);
1740 pos += extdatalen;
1741
1742 }
1743 else
1744 {
1745 if (extdatalen == 0)
1746 extdatalen = GNUTLS_E_INTERNAL_ERROR;
1747 MHD_gnutls_free (data);
1748 MHD_gnutls_assert ();
1749 return extdatalen;
1750 }
1751
1752 /* Generate and copy TLS extensions.
1753 */
1754 if (hver >= MHD_GNUTLS_PROTOCOL_TLS1_0)
1755 {
1756 extdatalen =
1757 MHD_gtls_gen_extensions (session, extdata, sizeof (extdata));
1758
1759 if (extdatalen > 0)
1760 {
1761 datalen += extdatalen;
1762 data = MHD_gtls_realloc_fast (data, datalen);
1763 if (data == NULL)
1764 {
1765 MHD_gnutls_assert ();
1766 return GNUTLS_E_MEMORY_ERROR;
1767 }
1768
1769 memcpy (&data[pos], extdata, extdatalen);
1770 }
1771 else if (extdatalen < 0)
1772 {
1773 MHD_gnutls_assert ();
1774 MHD_gnutls_free (data);
1775 return extdatalen;
1776 }
1777 }
1778 }
1779
1780 ret =
1781 MHD_gtls_send_handshake (session, data, datalen,
1782 GNUTLS_HANDSHAKE_CLIENT_HELLO);
1783 MHD_gnutls_free (data);
1784
1785 return ret;
1786}
1787#endif
1788
1789static int
1790MHD__gnutls_send_server_hello (MHD_gtls_session_t session, int again)
1791{
1792 opaque *data = NULL;
1793 opaque extdata[MAX_EXT_DATA_LENGTH];
1794 int extdatalen;
1795 int pos = 0;
1796 int datalen, ret = 0;
1797 uint8_t comp;
1798 opaque *SessionID = session->security_parameters.session_id;
1799 uint8_t session_id_len = session->security_parameters.session_id_size;
1800 opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1801
1802 if (SessionID == NULL)
1803 session_id_len = 0;
1804
1805 datalen = 0;
1806
1807 if (again == 0)
1808 {
1809 datalen = 2 + session_id_len + 1 + TLS_RANDOM_SIZE + 3;
1810 extdatalen =
1811 MHD_gtls_gen_extensions (session, extdata, sizeof (extdata));
1812
1813 if (extdatalen < 0)
1814 {
1815 MHD_gnutls_assert ();
1816 return extdatalen;
1817 }
1818
1819 data = MHD_gnutls_alloca (datalen + extdatalen);
1820 if (data == NULL)
1821 {
1822 MHD_gnutls_assert ();
1823 return GNUTLS_E_MEMORY_ERROR;
1824 }
1825
1826 data[pos++] =
1827 MHD_gtls_version_get_major (session->security_parameters.version);
1828 data[pos++] =
1829 MHD_gtls_version_get_minor (session->security_parameters.version);
1830
1831 memcpy (&data[pos],
1832 session->security_parameters.server_random, TLS_RANDOM_SIZE);
1833 pos += TLS_RANDOM_SIZE;
1834
1835 data[pos++] = session_id_len;
1836 if (session_id_len > 0)
1837 {
1838 memcpy (&data[pos], SessionID, session_id_len);
1839 }
1840 pos += session_id_len;
1841
1842 MHD__gnutls_handshake_log ("HSK[%x]: SessionID: %s\n", session,
1843 MHD_gtls_bin2hex (SessionID, session_id_len,
1844 (char *) buf,
1845 sizeof (buf)));
1846
1847 memcpy (&data[pos],
1848 session->security_parameters.current_cipher_suite.suite, 2);
1849 pos += 2;
1850
1851 comp =
1852 (uint8_t) MHD_gtls_compression_get_num (session->
1853 internals.compression_method);
1854 data[pos++] = comp;
1855
1856
1857 if (extdatalen > 0)
1858 {
1859 datalen += extdatalen;
1860
1861 memcpy (&data[pos], extdata, extdatalen);
1862 }
1863 }
1864
1865 ret =
1866 MHD_gtls_send_handshake (session, data, datalen,
1867 GNUTLS_HANDSHAKE_SERVER_HELLO);
1868 MHD_gnutls_afree (data);
1869
1870 return ret;
1871}
1872
1873int
1874MHD_gtls_send_hello (MHD_gtls_session_t session, int again)
1875{
1876 int ret;
1877#if MHD_DEBUG_TLS
1878 if (session->security_parameters.entity == GNUTLS_CLIENT)
1879 {
1880 ret = MHD__gnutls_send_client_hello (session, again);
1881
1882 }
1883 else
1884#endif
1885 { /* SERVER */
1886 ret = MHD__gnutls_send_server_hello (session, again);
1887 }
1888
1889 return ret;
1890}
1891
1892/* RECEIVE A HELLO MESSAGE. This should be called from MHD_gnutls_recv_handshake_int only if a
1893 * hello message is expected. It uses the security_parameters.current_cipher_suite
1894 * and internals.compression_method.
1895 */
1896int
1897MHD_gtls_recv_hello (MHD_gtls_session_t session, opaque * data, int datalen)
1898{
1899 int ret;
1900#if MHD_DEBUG_TLS
1901 if (session->security_parameters.entity == GNUTLS_CLIENT)
1902 {
1903 ret = MHD__gnutls_read_server_hello (session, data, datalen);
1904 if (ret < 0)
1905 {
1906 MHD_gnutls_assert ();
1907 return ret;
1908 }
1909 }
1910 else
1911#endif
1912 { /* Server side reading a client hello */
1913
1914 ret = MHD__gnutls_read_client_hello (session, data, datalen);
1915 if (ret < 0)
1916 {
1917 MHD_gnutls_assert ();
1918 return ret;
1919 }
1920 }
1921
1922 return ret;
1923}
1924
1925/* The packets in MHD__gnutls_handshake (it's more broad than original TLS handshake)
1926 *
1927 * Client Server
1928 *
1929 * ClientHello -------->
1930 * <-------- ServerHello
1931 *
1932 * Certificate*
1933 * ServerKeyExchange*
1934 * <-------- CertificateRequest*
1935 *
1936 * <-------- ServerHelloDone
1937 * Certificate*
1938 * ClientKeyExchange
1939 * CertificateVerify*
1940 * [ChangeCipherSpec]
1941 * Finished -------->
1942 * [ChangeCipherSpec]
1943 * <-------- Finished
1944 *
1945 * (*): means optional packet.
1946 */
1947
1948/**
1949 * MHD__gnutls_rehandshake - This function will renegotiate security parameters
1950 * @session: is a #MHD_gtls_session_t structure.
1951 *
1952 * This function will renegotiate security parameters with the
1953 * client. This should only be called in case of a server.
1954 *
1955 * This message informs the peer that we want to renegotiate
1956 * parameters (perform a handshake).
1957 *
1958 * If this function succeeds (returns 0), you must call the
1959 * MHD__gnutls_handshake() function in order to negotiate the new
1960 * parameters.
1961 *
1962 * If the client does not wish to renegotiate parameters he will
1963 * should with an alert message, thus the return code will be
1964 * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
1965 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
1966 * this message.
1967 *
1968 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
1969 *
1970 **/
1971int
1972MHD__gnutls_rehandshake (MHD_gtls_session_t session)
1973{
1974 int ret;
1975
1976 ret =
1977 MHD__gnutls_send_empty_handshake (session, GNUTLS_HANDSHAKE_HELLO_REQUEST,
1978 AGAIN (STATE50));
1979 STATE = STATE50;
1980
1981 if (ret < 0)
1982 {
1983 MHD_gnutls_assert ();
1984 return ret;
1985 }
1986 STATE = STATE0;
1987
1988 return 0;
1989}
1990
1991inline static int
1992MHD__gnutls_abort_handshake (MHD_gtls_session_t session, int ret)
1993{
1994 if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
1995 (MHD_gnutls_alert_get (session) == GNUTLS_A_NO_RENEGOTIATION))
1996 || ret == GNUTLS_E_GOT_APPLICATION_DATA)
1997 return 0;
1998
1999 /* this doesn't matter */
2000 return GNUTLS_E_INTERNAL_ERROR;
2001}
2002
2003/* This function initialized the handshake hash session.
2004 * required for finished messages.
2005 */
2006inline static int
2007MHD__gnutls_handshake_hash_init (MHD_gtls_session_t session)
2008{
2009
2010 if (session->internals.handshake_mac_handle_md5 == NULL)
2011 {
2012 session->internals.handshake_mac_handle_md5 =
2013 MHD_gtls_hash_init (MHD_GNUTLS_MAC_MD5);
2014
2015 if (session->internals.handshake_mac_handle_md5 == GNUTLS_HASH_FAILED)
2016 {
2017 MHD_gnutls_assert ();
2018 return GNUTLS_E_MEMORY_ERROR;
2019 }
2020 }
2021
2022 if (session->internals.handshake_mac_handle_sha == NULL)
2023 {
2024 session->internals.handshake_mac_handle_sha =
2025 MHD_gtls_hash_init (MHD_GNUTLS_MAC_SHA1);
2026 if (session->internals.handshake_mac_handle_sha == GNUTLS_HASH_FAILED)
2027 {
2028 MHD_gnutls_assert ();
2029 return GNUTLS_E_MEMORY_ERROR;
2030 }
2031 }
2032
2033 return 0;
2034}
2035
2036static int
2037MHD__gnutls_send_supplemental (MHD_gtls_session_t session, int again)
2038{
2039 int ret = 0;
2040
2041 MHD__gnutls_debug_log ("EXT[%x]: Sending supplemental data\n", session);
2042
2043 if (again)
2044 ret = MHD_gtls_send_handshake (session, NULL, 0,
2045 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2046 else
2047 {
2048 MHD_gtls_buffer buf;
2049 MHD_gtls_buffer_init (&buf);
2050
2051 ret = MHD__gnutls_gen_supplemental (session, &buf);
2052 if (ret < 0)
2053 {
2054 MHD_gnutls_assert ();
2055 return ret;
2056 }
2057
2058 ret = MHD_gtls_send_handshake (session, buf.data, buf.length,
2059 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2060 MHD_gtls_buffer_clear (&buf);
2061 }
2062
2063 return ret;
2064}
2065
2066static int
2067MHD__gnutls_recv_supplemental (MHD_gtls_session_t session)
2068{
2069 uint8_t *data = NULL;
2070 int datalen = 0;
2071 int ret;
2072
2073 MHD__gnutls_debug_log ("EXT[%x]: Expecting supplemental data\n", session);
2074
2075 ret = MHD_gtls_recv_handshake (session, &data, &datalen,
2076 GNUTLS_HANDSHAKE_SUPPLEMENTAL,
2077 OPTIONAL_PACKET);
2078 if (ret < 0)
2079 {
2080 MHD_gnutls_assert ();
2081 return ret;
2082 }
2083
2084 ret = MHD__gnutls_parse_supplemental (session, data, datalen);
2085 if (ret < 0)
2086 {
2087 MHD_gnutls_assert ();
2088 return ret;
2089 }
2090
2091 MHD_gnutls_free (data);
2092
2093 return ret;
2094}
2095
2096/**
2097 * MHD__gnutls_handshake - This is the main function in the handshake protocol.
2098 * @session: is a #MHD_gtls_session_t structure.
2099 *
2100 * This function does the handshake of the TLS/SSL protocol, and
2101 * initializes the TLS connection.
2102 *
2103 * This function will fail if any problem is encountered, and will
2104 * return a negative error code. In case of a client, if the client
2105 * has asked to resume a session, but the server couldn't, then a
2106 * full handshake will be performed.
2107 *
2108 * The non-fatal errors such as %GNUTLS_E_AGAIN and
2109 * %GNUTLS_E_INTERRUPTED interrupt the handshake procedure, which
2110 * should be later be resumed. Call this function again, until it
2111 * returns 0; cf. MHD__gnutls_record_get_direction() and
2112 * MHD_gtls_error_is_fatal().
2113 *
2114 * If this function is called by a server after a rehandshake request
2115 * then %GNUTLS_E_GOT_APPLICATION_DATA or
2116 * %GNUTLS_E_WARNING_ALERT_RECEIVED may be returned. Note that these
2117 * are non fatal errors, only in the specific case of a rehandshake.
2118 * Their meaning is that the client rejected the rehandshake request.
2119 *
2120 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
2121 *
2122 **/
2123int
2124MHD__gnutls_handshake (MHD_gtls_session_t session)
2125{
2126 int ret;
2127
2128 if ((ret = MHD__gnutls_handshake_hash_init (session)) < 0)
2129 {
2130 MHD_gnutls_assert ();
2131 return ret;
2132 }
2133#if MHD_DEBUG_TLS
2134 if (session->security_parameters.entity == GNUTLS_CLIENT)
2135 {
2136 ret = MHD_gtls_handshake_client (session);
2137 }
2138 else
2139#endif
2140 {
2141 ret = MHD_gtls_handshake_server (session);
2142 }
2143
2144 if (ret < 0)
2145 {
2146 /* In the case of a rehandshake abort
2147 * we should reset the handshake's internal state.
2148 */
2149 if (MHD__gnutls_abort_handshake (session, ret) == 0)
2150 STATE = STATE0;
2151
2152 return ret;
2153 }
2154
2155 ret = MHD_gtls_handshake_common (session);
2156
2157 if (ret < 0)
2158 {
2159 if (MHD__gnutls_abort_handshake (session, ret) == 0)
2160 STATE = STATE0;
2161
2162 return ret;
2163 }
2164
2165 STATE = STATE0;
2166
2167 MHD__gnutls_handshake_io_buffer_clear (session);
2168 MHD_gtls_handshake_internal_state_clear (session);
2169
2170 return 0;
2171}
2172
2173#define IMED_RET( str, ret) do { \
2174 if (ret < 0) { \
2175 if (MHD_gtls_error_is_fatal(ret)==0) return ret; \
2176 MHD_gnutls_assert(); \
2177 ERR( str, ret); \
2178 MHD__gnutls_handshake_hash_buffers_clear(session); \
2179 return ret; \
2180 } } while (0)
2181
2182
2183#if MHD_DEBUG_TLS
2184/*
2185 * MHD_gtls_handshake_client
2186 * This function performs the client side of the handshake of the TLS/SSL protocol.
2187 */
2188static int
2189MHD_gtls_handshake_client (MHD_gtls_session_t session)
2190{
2191 int ret = 0;
2192
2193 switch (STATE)
2194 {
2195 case STATE0:
2196 case STATE1:
2197 ret = MHD_gtls_send_hello (session, AGAIN (STATE1));
2198 STATE = STATE1;
2199 IMED_RET ("send hello", ret);
2200
2201 case STATE2:
2202 /* receive the server hello */
2203 ret =
2204 MHD_gtls_recv_handshake (session, NULL, NULL,
2205 GNUTLS_HANDSHAKE_SERVER_HELLO,
2206 MANDATORY_PACKET);
2207 STATE = STATE2;
2208 IMED_RET ("recv hello", ret);
2209
2210 case STATE70:
2211 if (session->security_parameters.extensions.do_recv_supplemental)
2212 {
2213 ret = MHD__gnutls_recv_supplemental (session);
2214 STATE = STATE70;
2215 IMED_RET ("recv supplemental", ret);
2216 }
2217
2218 case STATE3:
2219 /* RECV CERTIFICATE */
2220 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2221 ret = MHD_gtls_recv_server_certificate (session);
2222 STATE = STATE3;
2223 IMED_RET ("recv server certificate", ret);
2224
2225 case STATE4:
2226 /* receive the server key exchange */
2227 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2228 ret = MHD_gtls_recv_server_kx_message (session);
2229 STATE = STATE4;
2230 IMED_RET ("recv server kx message", ret);
2231
2232 case STATE5:
2233 /* receive the server certificate request - if any
2234 */
2235
2236 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2237 ret = MHD_gtls_recv_server_certificate_request (session);
2238 STATE = STATE5;
2239 IMED_RET ("recv server certificate request message", ret);
2240
2241 case STATE6:
2242 /* receive the server hello done */
2243 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2244 ret =
2245 MHD_gtls_recv_handshake (session, NULL, NULL,
2246 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2247 MANDATORY_PACKET);
2248 STATE = STATE6;
2249 IMED_RET ("recv server hello done", ret);
2250
2251 case STATE71:
2252 if (session->security_parameters.extensions.do_send_supplemental)
2253 {
2254 ret = MHD__gnutls_send_supplemental (session, AGAIN (STATE71));
2255 STATE = STATE71;
2256 IMED_RET ("send supplemental", ret);
2257 }
2258
2259 case STATE7:
2260 /* send our certificate - if any and if requested
2261 */
2262 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2263 ret = MHD_gtls_send_client_certificate (session, AGAIN (STATE7));
2264 STATE = STATE7;
2265 IMED_RET ("send client certificate", ret);
2266
2267 case STATE8:
2268 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2269 ret = MHD_gtls_send_client_kx_message (session, AGAIN (STATE8));
2270 STATE = STATE8;
2271 IMED_RET ("send client kx", ret);
2272
2273 case STATE9:
2274 /* send client certificate verify */
2275 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2276 ret =
2277 MHD_gtls_send_client_certificate_verify (session, AGAIN (STATE9));
2278 STATE = STATE9;
2279 IMED_RET ("send client certificate verify", ret);
2280
2281 STATE = STATE0;
2282 default:
2283 break;
2284 }
2285
2286
2287 return 0;
2288}
2289#endif
2290
2291/* This function sends the final handshake packets and initializes connection
2292 */
2293static int
2294MHD__gnutls_send_handshake_final (MHD_gtls_session_t session, int init)
2295{
2296 int ret = 0;
2297
2298 /* Send the CHANGE CIPHER SPEC PACKET */
2299
2300 switch (STATE)
2301 {
2302 case STATE0:
2303 case STATE20:
2304 ret = MHD_gtls_send_change_cipher_spec (session, AGAIN (STATE20));
2305 STATE = STATE20;
2306 if (ret < 0)
2307 {
2308 ERR ("send ChangeCipherSpec", ret);
2309 MHD_gnutls_assert ();
2310 return ret;
2311 }
2312
2313 /* Initialize the connection session (start encryption) - in case of client
2314 */
2315 if (init == TRUE)
2316 {
2317 ret = MHD_gtls_connection_state_init (session);
2318 if (ret < 0)
2319 {
2320 MHD_gnutls_assert ();
2321 return ret;
2322 }
2323 }
2324
2325 ret = MHD_gtls_write_connection_state_init (session);
2326 if (ret < 0)
2327 {
2328 MHD_gnutls_assert ();
2329 return ret;
2330 }
2331
2332 case STATE21:
2333 /* send the finished message */
2334 ret = MHD__gnutls_send_finished (session, AGAIN (STATE21));
2335 STATE = STATE21;
2336 if (ret < 0)
2337 {
2338 ERR ("send Finished", ret);
2339 MHD_gnutls_assert ();
2340 return ret;
2341 }
2342
2343 STATE = STATE0;
2344 default:
2345 break;
2346 }
2347
2348 return 0;
2349}
2350
2351/* This function receives the final handshake packets
2352 * And executes the appropriate function to initialize the
2353 * read session.
2354 */
2355static int
2356MHD__gnutls_recv_handshake_final (MHD_gtls_session_t session, int init)
2357{
2358 int ret = 0;
2359 uint8_t ch;
2360
2361 switch (STATE)
2362 {
2363 case STATE0:
2364 case STATE30:
2365 ret =
2366 MHD_gtls_recv_int (session, GNUTLS_CHANGE_CIPHER_SPEC, -1, &ch, 1);
2367 STATE = STATE30;
2368 if (ret <= 0)
2369 {
2370 ERR ("recv ChangeCipherSpec", ret);
2371 MHD_gnutls_assert ();
2372 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2373 }
2374
2375 /* Initialize the connection session (start encryption) - in case of server */
2376 if (init == TRUE)
2377 {
2378 ret = MHD_gtls_connection_state_init (session);
2379 if (ret < 0)
2380 {
2381 MHD_gnutls_assert ();
2382 return ret;
2383 }
2384 }
2385
2386 ret = MHD_gtls_read_connection_state_init (session);
2387 if (ret < 0)
2388 {
2389 MHD_gnutls_assert ();
2390 return ret;
2391 }
2392
2393 case STATE31:
2394 ret = MHD__gnutls_recv_finished (session);
2395 STATE = STATE31;
2396 if (ret < 0)
2397 {
2398 ERR ("recv finished", ret);
2399 MHD_gnutls_assert ();
2400 return ret;
2401 }
2402 STATE = STATE0;
2403 default:
2404 break;
2405 }
2406
2407
2408 return 0;
2409}
2410
2411 /*
2412 * MHD_gtls_handshake_server
2413 * This function does the server stuff of the handshake protocol.
2414 */
2415
2416static int
2417MHD_gtls_handshake_server (MHD_gtls_session_t session)
2418{
2419 int ret = 0;
2420
2421 switch (STATE)
2422 {
2423 case STATE0:
2424 case STATE1:
2425 ret =
2426 MHD_gtls_recv_handshake (session, NULL, NULL,
2427 GNUTLS_HANDSHAKE_CLIENT_HELLO,
2428 MANDATORY_PACKET);
2429 STATE = STATE1;
2430 IMED_RET ("recv hello", ret);
2431
2432 case STATE2:
2433 ret = MHD_gtls_send_hello (session, AGAIN (STATE2));
2434 STATE = STATE2;
2435 IMED_RET ("send hello", ret);
2436
2437 case STATE70:
2438 if (session->security_parameters.extensions.do_send_supplemental)
2439 {
2440 ret = MHD__gnutls_send_supplemental (session, AGAIN (STATE70));
2441 STATE = STATE70;
2442 IMED_RET ("send supplemental data", ret);
2443 }
2444
2445 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
2446 case STATE3:
2447 /* NOTE: these should not be send if we are resuming */
2448
2449 if (session->internals.resumed == RESUME_FALSE)
2450 ret = MHD_gtls_send_server_certificate (session, AGAIN (STATE3));
2451 STATE = STATE3;
2452 IMED_RET ("send server certificate", ret);
2453
2454 case STATE4:
2455 /* send server key exchange (A) */
2456 if (session->internals.resumed == RESUME_FALSE)
2457 ret = MHD_gtls_send_server_kx_message (session, AGAIN (STATE4));
2458 STATE = STATE4;
2459 IMED_RET ("send server kx", ret);
2460
2461 case STATE5:
2462 /* Send certificate request - if requested to */
2463 if (session->internals.resumed == RESUME_FALSE)
2464 ret =
2465 MHD_gtls_send_server_certificate_request (session, AGAIN (STATE5));
2466 STATE = STATE5;
2467 IMED_RET ("send server cert request", ret);
2468
2469 case STATE6:
2470 /* send the server hello done */
2471 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2472 ret =
2473 MHD__gnutls_send_empty_handshake (session,
2474 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2475 AGAIN (STATE6));
2476 STATE = STATE6;
2477 IMED_RET ("send server hello done", ret);
2478
2479 case STATE71:
2480 if (session->security_parameters.extensions.do_recv_supplemental)
2481 {
2482 ret = MHD__gnutls_recv_supplemental (session);
2483 STATE = STATE71;
2484 IMED_RET ("recv client supplemental", ret);
2485 }
2486
2487 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
2488 case STATE7:
2489 /* receive the client certificate message */
2490 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2491 ret = MHD_gtls_recv_client_certificate (session);
2492 STATE = STATE7;
2493 IMED_RET ("recv client certificate", ret);
2494
2495 case STATE8:
2496 /* receive the client key exchange message */
2497 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2498 ret = MHD_gtls_recv_client_kx_message (session);
2499 STATE = STATE8;
2500 IMED_RET ("recv client kx", ret);
2501
2502 case STATE9:
2503 /* receive the client certificate verify message */
2504 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2505 ret = MHD_gtls_recv_client_certificate_verify_message (session);
2506 STATE = STATE9;
2507 IMED_RET ("recv client certificate verify", ret);
2508
2509 STATE = STATE0; /* finished thus clear session */
2510 default:
2511 break;
2512 }
2513
2514 return 0;
2515}
2516
2517static int
2518MHD_gtls_handshake_common (MHD_gtls_session_t session)
2519{
2520 int ret = 0;
2521
2522 /* send and recv the change cipher spec and finished messages */
2523 if ((session->internals.resumed == RESUME_TRUE
2524 && session->security_parameters.entity == GNUTLS_CLIENT)
2525 || (session->internals.resumed == RESUME_FALSE
2526 && session->security_parameters.entity == GNUTLS_SERVER))
2527 {
2528 /* if we are a client resuming - or we are a server not resuming */
2529
2530 ret = MHD__gnutls_recv_handshake_final (session, TRUE);
2531 IMED_RET ("recv handshake final", ret);
2532
2533 ret = MHD__gnutls_send_handshake_final (session, FALSE);
2534 IMED_RET ("send handshake final", ret);
2535 }
2536 else
2537 { /* if we are a client not resuming - or we are a server resuming */
2538
2539 ret = MHD__gnutls_send_handshake_final (session, TRUE);
2540 IMED_RET ("send handshake final 2", ret);
2541
2542 ret = MHD__gnutls_recv_handshake_final (session, FALSE);
2543 IMED_RET ("recv handshake final 2", ret);
2544 }
2545
2546 /* clear handshake buffer */
2547 MHD__gnutls_handshake_hash_buffers_clear (session);
2548 return ret;
2549
2550}
2551
2552static int
2553MHD_gtls_generate_session_id (opaque * session_id, uint8_t * len)
2554{
2555 *len = TLS_MAX_SESSION_ID_SIZE;
2556
2557 if (MHD_gc_nonce ((char *) session_id, *len) != GC_OK)
2558 {
2559 MHD_gnutls_assert ();
2560 return GNUTLS_E_RANDOM_FAILED;
2561 }
2562
2563 return 0;
2564}
2565
2566int
2567MHD_gtls_recv_hello_request (MHD_gtls_session_t session, void *data,
2568 uint32_t data_size)
2569{
2570 uint8_t type;
2571
2572 if (session->security_parameters.entity == GNUTLS_SERVER)
2573 {
2574 MHD_gnutls_assert ();
2575 return GNUTLS_E_UNEXPECTED_PACKET;
2576 }
2577 if (data_size < 1)
2578 {
2579 MHD_gnutls_assert ();
2580 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2581 }
2582 type = ((uint8_t *) data)[0];
2583 if (type == GNUTLS_HANDSHAKE_HELLO_REQUEST)
2584 return GNUTLS_E_REHANDSHAKE;
2585 else
2586 {
2587 MHD_gnutls_assert ();
2588 return GNUTLS_E_UNEXPECTED_PACKET;
2589 }
2590}
2591
2592/* Returns 1 if the given KX has not the corresponding parameters
2593 * (DH or RSA) set up. Otherwise returns 0.
2594 */
2595inline static int
2596check_server_params (MHD_gtls_session_t session,
2597 enum MHD_GNUTLS_KeyExchangeAlgorithm kx,
2598 enum MHD_GNUTLS_KeyExchangeAlgorithm *alg, int alg_size)
2599{
2600 int cred_type;
2601 MHD_gtls_dh_params_t dh_params = NULL;
2602 MHD_gtls_rsa_params_t rsa_params = NULL;
2603 int j;
2604
2605 cred_type = MHD_gtls_map_kx_get_cred (kx, 1);
2606
2607 /* Read the Diffie Hellman parameters, if any.
2608 */
2609 if (cred_type == MHD_GNUTLS_CRD_CERTIFICATE)
2610 {
2611 int delete;
2612 MHD_gtls_cert_credentials_t x509_cred =
2613 (MHD_gtls_cert_credentials_t) MHD_gtls_get_cred (session->key,
2614 cred_type, NULL);
2615
2616 if (x509_cred != NULL)
2617 {
2618 dh_params =
2619 MHD_gtls_get_dh_params (x509_cred->dh_params,
2620 x509_cred->params_func, session);
2621 rsa_params =
2622 MHD_gtls_certificate_get_rsa_params (x509_cred->rsa_params,
2623 x509_cred->params_func,
2624 session);
2625 }
2626
2627 /* Check also if the certificate supports the
2628 * KX method.
2629 */
2630 delete = 1;
2631 for (j = 0; j < alg_size; j++)
2632 {
2633 if (alg[j] == kx)
2634 {
2635 delete = 0;
2636 break;
2637 }
2638 }
2639
2640 if (delete == 1)
2641 return 1;
2642
2643 }
2644 else
2645 return 0; /* no need for params */
2646
2647
2648 /* If the key exchange method needs RSA or DH params,
2649 * but they are not set then remove it.
2650 */
2651 if (MHD_gtls_kx_needs_rsa_params (kx) != 0)
2652 {
2653 /* needs rsa params. */
2654 if (MHD__gnutls_rsa_params_to_mpi (rsa_params) == NULL)
2655 {
2656 MHD_gnutls_assert ();
2657 return 1;
2658 }
2659 }
2660
2661 if (MHD_gtls_kx_needs_dh_params (kx) != 0)
2662 {
2663 /* needs DH params. */
2664 if (MHD_gtls_dh_params_to_mpi (dh_params) == NULL)
2665 {
2666 MHD_gnutls_assert ();
2667 return 1;
2668 }
2669 }
2670
2671 return 0;
2672}
2673
2674/* This function will remove algorithms that are not supported by
2675 * the requested authentication method. We remove an algorithm if
2676 * we have a certificate with keyUsage bits set.
2677 *
2678 * This does a more high level check than MHD_gnutls_supported_ciphersuites(),
2679 * by checking certificates etc.
2680 */
2681static int
2682MHD_gtls_remove_unwanted_ciphersuites (MHD_gtls_session_t session,
2683 cipher_suite_st ** cipherSuites,
2684 int numCipherSuites,
2685 enum MHD_GNUTLS_PublicKeyAlgorithm
2686 requested_pk_algo)
2687{
2688
2689 int ret = 0;
2690 cipher_suite_st *newSuite, cs;
2691 int newSuiteSize = 0, i;
2692 MHD_gtls_cert_credentials_t cert_cred;
2693 enum MHD_GNUTLS_KeyExchangeAlgorithm kx;
2694 int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0;
2695 enum MHD_GNUTLS_KeyExchangeAlgorithm *alg = NULL;
2696 int alg_size = 0;
2697
2698 /* if we should use a specific certificate,
2699 * we should remove all algorithms that are not supported
2700 * by that certificate and are on the same authentication
2701 * method (CERTIFICATE).
2702 */
2703
2704 cert_cred =
2705 (MHD_gtls_cert_credentials_t) MHD_gtls_get_cred (session->key,
2706 MHD_GNUTLS_CRD_CERTIFICATE,
2707 NULL);
2708
2709 /* If there are certificate credentials, find an appropriate certificate
2710 * or disable them;
2711 */
2712 if (session->security_parameters.entity == GNUTLS_SERVER
2713 && cert_cred != NULL)
2714 {
2715 ret = MHD_gtls_server_select_cert (session, requested_pk_algo);
2716 if (ret < 0)
2717 {
2718 MHD_gnutls_assert ();
2719 MHD__gnutls_x509_log
2720 ("Could not find an appropriate certificate: %s\n",
2721 MHD_gtls_strerror (ret));
2722 cert_cred = NULL;
2723 }
2724 }
2725
2726 /* get all the key exchange algorithms that are
2727 * supported by the X509 certificate parameters.
2728 */
2729 if ((ret =
2730 MHD_gtls_selected_cert_supported_kx (session, &alg, &alg_size)) < 0)
2731 {
2732 MHD_gnutls_assert ();
2733 return ret;
2734 }
2735
2736 newSuite = MHD_gnutls_malloc (numCipherSuites * sizeof (cipher_suite_st));
2737 if (newSuite == NULL)
2738 {
2739 MHD_gnutls_assert ();
2740 MHD_gnutls_free (alg);
2741 return GNUTLS_E_MEMORY_ERROR;
2742 }
2743
2744 /* now removes ciphersuites based on the KX algorithm
2745 */
2746 for (i = 0; i < numCipherSuites; i++)
2747 {
2748 int delete = 0;
2749
2750 /* finds the key exchange algorithm in
2751 * the ciphersuite
2752 */
2753 kx = MHD_gtls_cipher_suite_get_kx_algo (&(*cipherSuites)[i]);
2754
2755 /* if it is defined but had no credentials
2756 */
2757 if (MHD_gtls_get_kx_cred (session, kx, NULL) == NULL)
2758 {
2759 delete = 1;
2760 }
2761 else
2762 {
2763 delete = 0;
2764
2765 if (server)
2766 delete = check_server_params (session, kx, alg, alg_size);
2767 }
2768 memcpy (&cs.suite, &(*cipherSuites)[i].suite, 2);
2769
2770 if (delete == 0)
2771 {
2772
2773 MHD__gnutls_handshake_log ("HSK[%x]: Keeping ciphersuite: %s\n",
2774 session,
2775 MHD_gtls_cipher_suite_get_name (&cs));
2776
2777 memcpy (newSuite[newSuiteSize].suite, (*cipherSuites)[i].suite, 2);
2778 newSuiteSize++;
2779 }
2780 else
2781 {
2782 MHD__gnutls_handshake_log ("HSK[%x]: Removing ciphersuite: %s\n",
2783 session,
2784 MHD_gtls_cipher_suite_get_name (&cs));
2785
2786 }
2787 }
2788
2789 MHD_gnutls_free (alg);
2790 MHD_gnutls_free (*cipherSuites);
2791 *cipherSuites = newSuite;
2792
2793 ret = newSuiteSize;
2794
2795 return ret;
2796
2797}
2798
2799enum MHD_GNUTLS_Protocol
2800MHD_gtls_get_adv_version (MHD_gtls_session_t session)
2801{
2802 return MHD_gtls_version_get (MHD__gnutls_get_adv_version_major (session),
2803 MHD__gnutls_get_adv_version_minor (session));
2804}
diff --git a/src/daemon/https/tls/gnutls_handshake.h b/src/daemon/https/tls/gnutls_handshake.h
deleted file mode 100644
index 58c95a84..00000000
--- a/src/daemon/https/tls/gnutls_handshake.h
+++ /dev/null
@@ -1,47 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25typedef enum Optional
26{ OPTIONAL_PACKET, MANDATORY_PACKET } Optional;
27
28int MHD_gtls_send_handshake (MHD_gtls_session_t session, void *i_data,
29 uint32_t i_datasize,
30 MHD_gnutls_handshake_description_t type);
31int MHD_gtls_recv_hello_request (MHD_gtls_session_t session, void *data,
32 uint32_t data_size);
33int MHD_gtls_send_hello (MHD_gtls_session_t session, int again);
34int MHD_gtls_recv_hello (MHD_gtls_session_t session, opaque * data,
35 int datalen);
36int MHD_gtls_recv_handshake (MHD_gtls_session_t session, uint8_t **, int *,
37 MHD_gnutls_handshake_description_t,
38 Optional optional);
39void
40MHD__gnutls_handshake_set_max_packet_length (MHD_gtls_session_t session,
41 size_t max);
42
43#define STATE session->internals.handshake_state
44/* This returns true if we have got there
45 * before (and not finished due to an interrupt).
46 */
47#define AGAIN(target) STATE==target?1:0
diff --git a/src/daemon/https/tls/gnutls_hash_int.c b/src/daemon/https/tls/gnutls_hash_int.c
deleted file mode 100644
index cc61203d..00000000
--- a/src/daemon/https/tls/gnutls_hash_int.c
+++ /dev/null
@@ -1,448 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file handles all the internal functions that cope with hashes
26 * and HMACs.
27 */
28
29#include <gnutls_int.h>
30#include <gnutls_hash_int.h>
31#include <gnutls_errors.h>
32
33static inline Gc_hash
34MHD__gnutls_mac2gc (enum MHD_GNUTLS_HashAlgorithm mac)
35{
36 switch (mac)
37 {
38 case MHD_GNUTLS_MAC_NULL:
39 return -1;
40 break;
41 case MHD_GNUTLS_MAC_SHA1:
42 return GC_SHA1;
43 break;
44 case MHD_GNUTLS_MAC_SHA256:
45 return GC_SHA256;
46 break;
47 case MHD_GNUTLS_MAC_MD5:
48 return GC_MD5;
49 break;
50 default:
51 MHD_gnutls_assert ();
52 return -1;
53 }
54 return -1;
55}
56
57GNUTLS_HASH_HANDLE
58MHD_gtls_hash_init (enum MHD_GNUTLS_HashAlgorithm algorithm)
59{
60 mac_hd_t ret;
61 int result;
62
63 ret = MHD_gnutls_malloc (sizeof (mac_hd_st));
64 if (ret == NULL)
65 {
66 MHD_gnutls_assert ();
67 return GNUTLS_HASH_FAILED;
68 }
69
70 ret->algorithm = algorithm;
71
72 result = MHD_gc_hash_open (MHD__gnutls_mac2gc (algorithm), 0, &ret->handle);
73 if (result)
74 {
75 MHD_gnutls_assert ();
76 MHD_gnutls_free (ret);
77 ret = GNUTLS_HASH_FAILED;
78 }
79
80 return ret;
81}
82
83int
84MHD_gnutls_hash_get_algo_len (enum MHD_GNUTLS_HashAlgorithm algorithm)
85{
86 int ret;
87
88 ret = MHD_gc_hash_digest_length (MHD__gnutls_mac2gc (algorithm));
89
90 return ret;
91
92}
93
94int
95MHD_gnutls_hash (GNUTLS_HASH_HANDLE handle, const void *text, size_t textlen)
96{
97 if (textlen > 0)
98 MHD_gc_hash_write (handle->handle, textlen, text);
99 return 0;
100}
101
102GNUTLS_HASH_HANDLE
103MHD_gnutls_hash_copy (GNUTLS_HASH_HANDLE handle)
104{
105 GNUTLS_HASH_HANDLE ret;
106 int result;
107
108 ret = MHD_gnutls_malloc (sizeof (mac_hd_st));
109
110 if (ret == NULL)
111 return GNUTLS_HASH_FAILED;
112
113 ret->algorithm = handle->algorithm;
114 ret->key = NULL; /* it's a hash anyway */
115 ret->keysize = 0;
116
117 result = MHD_gc_hash_clone (handle->handle, &ret->handle);
118
119 if (result)
120 {
121 MHD_gnutls_free (ret);
122 return GNUTLS_HASH_FAILED;
123 }
124
125 return ret;
126}
127
128void
129MHD_gnutls_hash_deinit (GNUTLS_HASH_HANDLE handle, void *digest)
130{
131 const opaque *mac;
132 int maclen;
133
134 maclen = MHD_gnutls_hash_get_algo_len (handle->algorithm);
135
136 mac = (unsigned char *) MHD_gc_hash_read (handle->handle);
137 if (digest != NULL)
138 memcpy (digest, mac, maclen);
139
140 MHD_gc_hash_close (handle->handle);
141
142 MHD_gnutls_free (handle);
143}
144
145
146mac_hd_t
147MHD_gtls_MHD_hmac_init (enum MHD_GNUTLS_HashAlgorithm algorithm,
148 const void *key, int keylen)
149{
150 mac_hd_t ret;
151 int result;
152
153 ret = MHD_gnutls_malloc (sizeof (mac_hd_st));
154 if (ret == NULL)
155 return GNUTLS_MAC_FAILED;
156
157 result =
158 MHD_gc_hash_open (MHD__gnutls_mac2gc (algorithm), GC_HMAC, &ret->handle);
159 if (result)
160 {
161 MHD_gnutls_free (ret);
162 return GNUTLS_MAC_FAILED;
163 }
164
165 MHD_gc_hash_MHD_hmac_setkey (ret->handle, keylen, key);
166
167 ret->algorithm = algorithm;
168 ret->key = key;
169 ret->keysize = keylen;
170
171 return ret;
172}
173
174void
175MHD_gnutls_MHD_hmac_deinit (mac_hd_t handle, void *digest)
176{
177 const opaque *mac;
178 int maclen;
179
180 maclen = MHD_gnutls_hash_get_algo_len (handle->algorithm);
181
182 mac = (unsigned char *) MHD_gc_hash_read (handle->handle);
183
184 if (digest != NULL)
185 memcpy (digest, mac, maclen);
186
187 MHD_gc_hash_close (handle->handle);
188
189 MHD_gnutls_free (handle);
190}
191
192inline static int
193get_padsize (enum MHD_GNUTLS_HashAlgorithm algorithm)
194{
195 switch (algorithm)
196 {
197 case MHD_GNUTLS_MAC_MD5:
198 return 48;
199 case MHD_GNUTLS_MAC_SHA1:
200 return 40;
201 default:
202 return 0;
203 }
204}
205
206mac_hd_t
207MHD_gnutls_mac_init_ssl3 (enum MHD_GNUTLS_HashAlgorithm algorithm, void *key,
208 int keylen)
209{
210 mac_hd_t ret;
211 opaque ipad[48];
212 int padsize;
213
214 padsize = get_padsize (algorithm);
215 if (padsize == 0)
216 {
217 MHD_gnutls_assert ();
218 return GNUTLS_MAC_FAILED;
219 }
220
221 memset (ipad, 0x36, padsize);
222
223 ret = MHD_gtls_hash_init (algorithm);
224 if (ret != GNUTLS_HASH_FAILED)
225 {
226 ret->key = key;
227 ret->keysize = keylen;
228
229 if (keylen > 0)
230 MHD_gnutls_hash (ret, key, keylen);
231 MHD_gnutls_hash (ret, ipad, padsize);
232 }
233
234 return ret;
235}
236
237void
238MHD_gnutls_mac_deinit_ssl3 (mac_hd_t handle, void *digest)
239{
240 opaque ret[MAX_HASH_SIZE];
241 mac_hd_t td;
242 opaque opad[48];
243 int padsize;
244 int block;
245
246 padsize = get_padsize (handle->algorithm);
247 if (padsize == 0)
248 {
249 MHD_gnutls_assert ();
250 return;
251 }
252
253 memset (opad, 0x5C, padsize);
254
255 td = MHD_gtls_hash_init (handle->algorithm);
256 if (td != GNUTLS_MAC_FAILED)
257 {
258 if (handle->keysize > 0)
259 MHD_gnutls_hash (td, handle->key, handle->keysize);
260
261 MHD_gnutls_hash (td, opad, padsize);
262 block = MHD_gnutls_hash_get_algo_len (handle->algorithm);
263 MHD_gnutls_hash_deinit (handle, ret); /* get the previous hash */
264 MHD_gnutls_hash (td, ret, block);
265
266 MHD_gnutls_hash_deinit (td, digest);
267 }
268}
269
270void
271MHD_gnutls_mac_deinit_ssl3_handshake (mac_hd_t handle,
272 void *digest, opaque * key,
273 uint32_t key_size)
274{
275 opaque ret[MAX_HASH_SIZE];
276 mac_hd_t td;
277 opaque opad[48];
278 opaque ipad[48];
279 int padsize;
280 int block;
281
282 padsize = get_padsize (handle->algorithm);
283 if (padsize == 0)
284 {
285 MHD_gnutls_assert ();
286 return;
287 }
288
289 memset (opad, 0x5C, padsize);
290 memset (ipad, 0x36, padsize);
291
292 td = MHD_gtls_hash_init (handle->algorithm);
293 if (td != GNUTLS_HASH_FAILED)
294 {
295 if (key_size > 0)
296 MHD_gnutls_hash (td, key, key_size);
297
298 MHD_gnutls_hash (td, opad, padsize);
299 block = MHD_gnutls_hash_get_algo_len (handle->algorithm);
300
301 if (key_size > 0)
302 MHD_gnutls_hash (handle, key, key_size);
303 MHD_gnutls_hash (handle, ipad, padsize);
304 MHD_gnutls_hash_deinit (handle, ret); /* get the previous hash */
305
306 MHD_gnutls_hash (td, ret, block);
307
308 MHD_gnutls_hash_deinit (td, digest);
309 }
310}
311
312static int
313ssl3_sha (int i, opaque * secret, int secret_len,
314 opaque * rnd, int rnd_len, void *digest)
315{
316 int j;
317 opaque text1[26];
318
319 GNUTLS_HASH_HANDLE td;
320
321 for (j = 0; j < i + 1; j++)
322 {
323 text1[j] = 65 + i; /* A==65 */
324 }
325
326 td = MHD_gtls_hash_init (MHD_GNUTLS_MAC_SHA1);
327 if (td == NULL)
328 {
329 MHD_gnutls_assert ();
330 return GNUTLS_E_HASH_FAILED;
331 }
332
333 MHD_gnutls_hash (td, text1, i + 1);
334 MHD_gnutls_hash (td, secret, secret_len);
335 MHD_gnutls_hash (td, rnd, rnd_len);
336
337 MHD_gnutls_hash_deinit (td, digest);
338 return 0;
339}
340
341static int
342ssl3_md5 (int i, opaque * secret, int secret_len,
343 opaque * rnd, int rnd_len, void *digest)
344{
345 opaque tmp[MAX_HASH_SIZE];
346 mac_hd_t td;
347 int ret;
348
349 td = MHD_gtls_hash_init (MHD_GNUTLS_MAC_MD5);
350 if (td == NULL)
351 {
352 MHD_gnutls_assert ();
353 return GNUTLS_E_HASH_FAILED;
354 }
355
356 MHD_gnutls_hash (td, secret, secret_len);
357
358 ret = ssl3_sha (i, secret, secret_len, rnd, rnd_len, tmp);
359 if (ret < 0)
360 {
361 MHD_gnutls_assert ();
362 MHD_gnutls_hash_deinit (td, digest);
363 return ret;
364 }
365
366 MHD_gnutls_hash (td, tmp,
367 MHD_gnutls_hash_get_algo_len (MHD_GNUTLS_MAC_SHA1));
368
369 MHD_gnutls_hash_deinit (td, digest);
370 return 0;
371}
372
373int
374MHD_gnutls_ssl3_hash_md5 (void *first, int first_len,
375 void *second, int second_len, int ret_len,
376 opaque * ret)
377{
378 opaque digest[MAX_HASH_SIZE];
379 mac_hd_t td;
380 int block = MHD_gnutls_hash_get_algo_len (MHD_GNUTLS_MAC_MD5);
381
382 td = MHD_gtls_hash_init (MHD_GNUTLS_MAC_MD5);
383 if (td == NULL)
384 {
385 MHD_gnutls_assert ();
386 return GNUTLS_E_HASH_FAILED;
387 }
388
389 MHD_gnutls_hash (td, first, first_len);
390 MHD_gnutls_hash (td, second, second_len);
391
392 MHD_gnutls_hash_deinit (td, digest);
393
394 if (ret_len > block)
395 {
396 MHD_gnutls_assert ();
397 return GNUTLS_E_INTERNAL_ERROR;
398 }
399
400 memcpy (ret, digest, ret_len);
401
402 return 0;
403
404}
405
406int
407MHD_gnutls_ssl3_generate_random (void *secret, int secret_len,
408 void *rnd, int rnd_len,
409 int ret_bytes, opaque * ret)
410{
411 int i = 0, copy, output_bytes;
412 opaque digest[MAX_HASH_SIZE];
413 int block = MHD_gnutls_hash_get_algo_len (MHD_GNUTLS_MAC_MD5);
414 int result, times;
415
416 output_bytes = 0;
417 do
418 {
419 output_bytes += block;
420 }
421 while (output_bytes < ret_bytes);
422
423 times = output_bytes / block;
424
425 for (i = 0; i < times; i++)
426 {
427
428 result = ssl3_md5 (i, secret, secret_len, rnd, rnd_len, digest);
429 if (result < 0)
430 {
431 MHD_gnutls_assert ();
432 return result;
433 }
434
435 if ((1 + i) * block < ret_bytes)
436 {
437 copy = block;
438 }
439 else
440 {
441 copy = ret_bytes - (i) * block;
442 }
443
444 memcpy (&ret[i * block], digest, copy);
445 }
446
447 return 0;
448}
diff --git a/src/daemon/https/tls/gnutls_hash_int.h b/src/daemon/https/tls/gnutls_hash_int.h
deleted file mode 100644
index bd3dec29..00000000
--- a/src/daemon/https/tls/gnutls_hash_int.h
+++ /dev/null
@@ -1,72 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef GNUTLS_HASH_INT_H
26# define GNUTLS_HASH_INT_H
27
28#include <gnutls_int.h>
29
30/* for message digests */
31
32typedef struct
33{
34 MHD_gc_hash_handle handle;
35 enum MHD_GNUTLS_HashAlgorithm algorithm;
36 const void *key;
37 int keysize;
38} mac_hd_st;
39typedef mac_hd_st *mac_hd_t;
40typedef mac_hd_t GNUTLS_HASH_HANDLE;
41
42#define GNUTLS_HASH_FAILED NULL
43#define GNUTLS_MAC_FAILED NULL
44
45mac_hd_t MHD_gtls_MHD_hmac_init (enum MHD_GNUTLS_HashAlgorithm algorithm,
46 const void *key, int keylen);
47
48void MHD_gnutls_MHD_hmac_deinit (mac_hd_t handle, void *digest);
49
50mac_hd_t MHD_gnutls_mac_init_ssl3 (enum MHD_GNUTLS_HashAlgorithm algorithm,
51 void *key, int keylen);
52void MHD_gnutls_mac_deinit_ssl3 (mac_hd_t handle, void *digest);
53
54GNUTLS_HASH_HANDLE MHD_gtls_hash_init (enum MHD_GNUTLS_HashAlgorithm
55 algorithm);
56int MHD_gnutls_hash_get_algo_len (enum MHD_GNUTLS_HashAlgorithm algorithm);
57int MHD_gnutls_hash (GNUTLS_HASH_HANDLE handle, const void *text,
58 size_t textlen);
59void MHD_gnutls_hash_deinit (GNUTLS_HASH_HANDLE handle, void *digest);
60
61int MHD_gnutls_ssl3_generate_random (void *secret, int secret_len,
62 void *rnd, int random_len, int bytes,
63 opaque * ret);
64int MHD_gnutls_ssl3_hash_md5 (void *first, int first_len, void *second,
65 int second_len, int ret_len, opaque * ret);
66
67void MHD_gnutls_mac_deinit_ssl3_handshake (mac_hd_t handle, void *digest,
68 opaque * key, uint32_t key_size);
69
70GNUTLS_HASH_HANDLE MHD_gnutls_hash_copy (GNUTLS_HASH_HANDLE handle);
71
72#endif /* GNUTLS_HASH_INT_H */
diff --git a/src/daemon/https/tls/gnutls_int.h b/src/daemon/https/tls/gnutls_int.h
deleted file mode 100644
index 25a861ed..00000000
--- a/src/daemon/https/tls/gnutls_int.h
+++ /dev/null
@@ -1,642 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef GNUTLS_INT_H
26#define GNUTLS_INT_H
27
28#include <defines.h>
29
30#include "gnutls.h"
31#include "microhttpd.h"
32
33#include "gnutls_mem.h"
34
35/* FIXME: delete this once opencdk has reentrant keyring functions
36 */
37#define KEYRING_HACK
38
39#ifndef MAX
40#define MAX(X,Y) ((X) > (Y) ? (X) : (Y))
41#endif
42
43#define MAX32 4294967295
44#define MAX24 16777215
45#define MAX16 65535
46
47/* The size of a handshake message should not
48 * be larger than this value.
49 */
50#define MAX_HANDSHAKE_PACKET_SIZE 48*1024
51
52#define TLS_RANDOM_SIZE 32
53#define TLS_MAX_SESSION_ID_SIZE 32
54#define TLS_MASTER_SIZE 48
55
56/* The maximum digest size of hash algorithms.
57 */
58#define MAX_HASH_SIZE 64
59
60#define MAX_LOG_SIZE 1024 /* maximum size of log message */
61#define MAX_SERVER_NAME_SIZE 128
62
63/* we can receive up to MAX_EXT_TYPES extensions.
64 */
65#define MAX_EXT_TYPES 64
66
67/* The initial size of the receive
68 * buffer size. This will grow if larger
69 * packets are received.
70 */
71#define INITIAL_RECV_BUFFER_SIZE 256
72
73/* the default for TCP */
74#define DEFAULT_LOWAT 1
75
76/* expire time for resuming sessions */
77#define DEFAULT_EXPIRE_TIME 3600
78
79/* the maximum size of encrypted packets */
80#define DEFAULT_MAX_RECORD_SIZE 16384
81#define RECORD_HEADER_SIZE 5
82#define MAX_RECORD_SEND_SIZE (size_t)session->security_parameters.max_record_send_size
83#define MAX_RECORD_RECV_SIZE (size_t)session->security_parameters.max_record_recv_size
84#define MAX_PAD_SIZE 255
85#define EXTRA_COMP_SIZE 2048
86#define MAX_RECORD_OVERHEAD MAX_PAD_SIZE+EXTRA_COMP_SIZE
87#define MAX_RECV_SIZE MAX_RECORD_OVERHEAD+MAX_RECORD_RECV_SIZE+RECORD_HEADER_SIZE
88
89#define HANDSHAKE_HEADER_SIZE 4
90
91/* defaults for verification functions
92 */
93#define DEFAULT_VERIFY_DEPTH 32
94#define DEFAULT_VERIFY_BITS 16*1024
95
96#define DECR_LEN(len, x) do { len-=x; if (len<0) {MHD_gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;} } while (0)
97#define DECR_LENGTH_RET(len, x, RET) do { len-=x; if (len<0) {MHD_gnutls_assert(); return RET;} } while (0)
98#define DECR_LENGTH_COM(len, x, COM) do { len-=x; if (len<0) {MHD_gnutls_assert(); COM;} } while (0)
99
100#define HASH2MAC(x) ((enum MHD_GNUTLS_HashAlgorithm)x)
101
102/* TODO rm */
103/* Additional cast to bring void* to a type castable to int. */
104#define GNUTLS_POINTER_TO_INT_CAST (long)
105
106#define GNUTLS_POINTER_TO_INT(_) ((int) GNUTLS_POINTER_TO_INT_CAST (_))
107#define GNUTLS_INT_TO_POINTER(_) ((void*) GNUTLS_POINTER_TO_INT_CAST (_))
108
109typedef unsigned char opaque;
110typedef struct
111{
112 opaque pint[3];
113} uint24;
114
115#include <gnutls_mpi.h>
116
117typedef enum change_cipher_spec_t
118{
119 GNUTLS_TYPE_CHANGE_CIPHER_SPEC = 1
120} change_cipher_spec_t;
121
122typedef enum handshake_state_t
123{
124 STATE0 = 0, STATE1, STATE2,
125 STATE3, STATE4, STATE5,
126 STATE6, STATE7, STATE8, STATE9, STATE20 = 20, STATE21,
127 STATE30 = 30, STATE31, STATE50 = 50, STATE60 = 60, STATE61, STATE62,
128 STATE70, STATE71
129} handshake_state_t;
130
131#include <gnutls_str.h>
132
133typedef MHD_gtls_string MHD_gtls_buffer;
134
135#define MHD_gtls_buffer_init(buf) MHD_gtls_string_init(buf, MHD_gnutls_malloc, MHD_gnutls_realloc, MHD_gnutls_free);
136#define MHD_gtls_buffer_clear MHD_gtls_string_clear
137#define MHD_gtls_buffer_append MHD_gtls_string_append_data
138
139/* This is the maximum number of algorithms (ciphers or macs etc).
140 * keep it synced with GNUTLS_MAX_ALGORITHM_NUM in gnutls.h
141 */
142#define MAX_ALGOS 16
143
144#define MAX_CIPHERSUITES 256
145
146typedef enum extensions_t
147{ GNUTLS_EXTENSION_SERVER_NAME = 0,
148 GNUTLS_EXTENSION_MAX_RECORD_SIZE = 1,
149 GNUTLS_EXTENSION_CERT_TYPE = 9,
150 GNUTLS_EXTENSION_SRP = 12,
151 GNUTLS_EXTENSION_INNER_APPLICATION = 37703
152} extensions_t;
153
154typedef enum
155{ CIPHER_STREAM, CIPHER_BLOCK } cipher_type_t;
156
157typedef enum valid_session_t
158{ VALID_TRUE, VALID_FALSE } valid_session_t;
159typedef enum resumable_session_t
160{ RESUME_TRUE,
161 RESUME_FALSE
162} resumable_session_t;
163
164/* Record Protocol */
165typedef enum content_type_t
166{
167 GNUTLS_CHANGE_CIPHER_SPEC = 20, GNUTLS_ALERT,
168 GNUTLS_HANDSHAKE, GNUTLS_APPLICATION_DATA,
169 GNUTLS_INNER_APPLICATION = 24
170} content_type_t;
171
172#define GNUTLS_PK_ANY (enum MHD_GNUTLS_PublicKeyAlgorithm)-1
173#define GNUTLS_PK_NONE (enum MHD_GNUTLS_PublicKeyAlgorithm)-2
174
175/* STATE (stop) */
176
177typedef void (*LOG_FUNC) (int, const char *);
178
179/* Store & Retrieve functions defines: */
180typedef struct MHD_gtls_auth_cred_st
181{
182 enum MHD_GNUTLS_CredentialsType algorithm;
183
184 /* the type of credentials depends on algorithm
185 */
186 void *credentials;
187 struct MHD_gtls_auth_cred_st *next;
188} auth_cred_st;
189
190struct MHD_gtls_key
191{
192 /* For DH KX */
193 MHD_gnutls_datum_t key;
194 mpi_t KEY;
195 mpi_t client_Y;
196 mpi_t client_g;
197 mpi_t client_p;
198 mpi_t dh_secret;
199 /* for SRP */
200 mpi_t A;
201 mpi_t B;
202 mpi_t u;
203 mpi_t b;
204 mpi_t a;
205 mpi_t x;
206 /* RSA: e, m
207 */
208 mpi_t rsa[2];
209
210 /* this is used to hold the peers authentication data
211 */
212 /* auth_info_t structures SHOULD NOT contain malloced
213 * elements. Check MHD_gnutls_session_pack.c, and MHD_gnutls_auth.c.
214 * Rememember that this should be calloced!
215 */
216 void *auth_info;
217 enum MHD_GNUTLS_CredentialsType auth_info_type;
218 int auth_info_size; /* needed in order to store to db for restoring
219 */
220 uint8_t crypt_algo;
221
222 auth_cred_st *cred; /* used to specify keys/certificates etc */
223
224 int certificate_requested;
225 /* some ciphersuites use this
226 * to provide client authentication.
227 * 1 if client auth was requested
228 * by the peer, 0 otherwise
229 *** In case of a server this
230 * holds 1 if we should wait
231 * for a client certificate verify
232 */
233};
234typedef struct MHD_gtls_key *MHD_gtls_key_st;
235
236/* STATE (cont) */
237#include <gnutls_hash_int.h>
238#include <gnutls_cipher_int.h>
239#include <gnutls_cert.h>
240
241typedef struct
242{
243 uint8_t suite[2];
244} cipher_suite_st;
245
246/* This structure holds parameters got from TLS extension
247 * mechanism. (some extensions may hold parameters in auth_info_t
248 * structures also - see SRP).
249 */
250typedef struct
251{
252 opaque name[MAX_SERVER_NAME_SIZE];
253 unsigned name_length;
254 MHD_gnutls_server_name_type_t type;
255} server_name_st;
256
257#define MAX_SERVER_NAME_EXTENSIONS 3
258typedef struct
259{
260 server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS];
261 /* limit server_name extensions */
262 unsigned server_names_size;
263
264 /* TLS/IA data. */
265 int MHD_gnutls_ia_enable, MHD_gnutls_ia_peer_enable;
266 int MHD_gnutls_ia_allowskip, MHD_gnutls_ia_peer_allowskip;
267
268 /* Used by extensions that enable supplemental data. */
269 int do_recv_supplemental, do_send_supplemental;
270
271} MHD_gtls_ext_st;
272
273/* This flag indicates for an extension whether
274 * it is useful to application level or TLS level only.
275 * This is used to parse the application level extensions
276 * before the user_hello callback is called.
277 */
278typedef enum tls_ext_parse_type_t
279{
280 EXTENSION_ANY,
281 EXTENSION_APPLICATION,
282 EXTENSION_TLS
283} MHD_gtls_ext_parse_type_t;
284
285/* auth_info_t structures now MAY contain malloced
286 * elements.
287 */
288
289/* This structure and auth_info_t, are stored in the resume database,
290 * and are restored, in case of resume.
291 * Holds all the required parameters to resume the current
292 * session.
293 */
294
295/* if you add anything in Security_Parameters struct, then
296 * also modify CPY_COMMON in MHD_gnutls_constate.c
297 */
298
299/* Note that the security parameters structure is set up after the
300 * handshake has finished. The only value you may depend on while
301 * the handshake is in progress is the cipher suite value.
302 */
303typedef struct
304{
305 MHD_gnutls_connection_end_t entity;
306 enum MHD_GNUTLS_KeyExchangeAlgorithm kx_algorithm;
307 /* we've got separate write/read bulk/macs because
308 * there is a time in handshake where the peer has
309 * null cipher and we don't
310 */
311 enum MHD_GNUTLS_CipherAlgorithm read_bulk_cipher_algorithm;
312 enum MHD_GNUTLS_HashAlgorithm read_mac_algorithm;
313 enum MHD_GNUTLS_CompressionMethod read_compression_algorithm;
314
315 enum MHD_GNUTLS_CipherAlgorithm write_bulk_cipher_algorithm;
316 enum MHD_GNUTLS_HashAlgorithm write_mac_algorithm;
317 enum MHD_GNUTLS_CompressionMethod write_compression_algorithm;
318
319 /* this is the ciphersuite we are going to use
320 * moved here from internals in order to be restored
321 * on resume;
322 */
323 cipher_suite_st current_cipher_suite;
324 opaque master_secret[TLS_MASTER_SIZE];
325 opaque client_random[TLS_RANDOM_SIZE];
326 opaque server_random[TLS_RANDOM_SIZE];
327 opaque session_id[TLS_MAX_SESSION_ID_SIZE];
328 uint8_t session_id_size;
329 time_t timestamp;
330 MHD_gtls_ext_st extensions;
331
332 /* The send size is the one requested by the programmer.
333 * The recv size is the one negotiated with the peer.
334 */
335 uint16_t max_record_send_size;
336 uint16_t max_record_recv_size;
337 /* holds the negotiated certificate type */
338 enum MHD_GNUTLS_CertificateType cert_type;
339 enum MHD_GNUTLS_Protocol version; /* moved here */
340 /* For TLS/IA. XXX: Move to IA credential? */
341 opaque inner_secret[TLS_MASTER_SIZE];
342} MHD_gtls_security_param_st;
343
344/* This structure holds the generated keys
345 */
346typedef struct
347{
348 MHD_gnutls_datum_t server_write_mac_secret;
349 MHD_gnutls_datum_t client_write_mac_secret;
350 MHD_gnutls_datum_t server_write_IV;
351 MHD_gnutls_datum_t client_write_IV;
352 MHD_gnutls_datum_t server_write_key;
353 MHD_gnutls_datum_t client_write_key;
354 int generated_keys; /* zero if keys have not
355 * been generated. Non zero
356 * otherwise.
357 */
358} MHD_gtls_cipher_specs_st;
359
360typedef struct
361{
362 cipher_hd_t write_cipher_state;
363 cipher_hd_t read_cipher_state;
364 MHD_gnutls_datum_t read_mac_secret;
365 MHD_gnutls_datum_t write_mac_secret;
366 uint64 read_sequence_number;
367 uint64 write_sequence_number;
368} MHD_gtls_conn_stat_st;
369
370typedef struct
371{
372 unsigned int priority[MAX_ALGOS];
373 unsigned int num_algorithms;
374} MHD_gtls_priority_st;
375
376/* For the external api */
377struct MHD_gtls_priority_st
378{
379 MHD_gtls_priority_st cipher;
380 MHD_gtls_priority_st mac;
381 MHD_gtls_priority_st kx;
382 MHD_gtls_priority_st compression;
383 MHD_gtls_priority_st protocol;
384
385 /* certificate type : x509, OpenPGP, etc. */
386 MHD_gtls_priority_st cert_type;
387
388 /* to disable record padding */
389 int no_padding;
390};
391
392/* DH and RSA parameters types.
393 */
394typedef struct MHD_gtls_dh_params_int
395{
396 /* [0] is the prime, [1] is the generator.
397 */
398 mpi_t params[2];
399} MHD_gtls_dh_params_st;
400
401typedef struct
402{
403 MHD_gtls_dh_params_t dh_params;
404 int free_dh_params;
405 MHD_gtls_rsa_params_t rsa_params;
406 int free_rsa_params;
407} MHD_gtls_internal_params_st;
408
409typedef struct
410{
411 opaque header[HANDSHAKE_HEADER_SIZE];
412 /* this holds the number of bytes in the handshake_header[] */
413 size_t header_size;
414 /* this holds the length of the handshake packet */
415 size_t packet_length;
416 MHD_gnutls_handshake_description_t recv_type;
417} MHD_gtls_handshake_header_buffer_st;
418
419typedef struct
420{
421 MHD_gtls_buffer application_data_buffer; /* holds data to be delivered to application layer */
422 MHD_gtls_buffer handshake_hash_buffer; /* used to keep the last received handshake
423 * message */
424 mac_hd_t handshake_mac_handle_sha; /* hash of the handshake messages */
425 mac_hd_t handshake_mac_handle_md5; /* hash of the handshake messages */
426
427 MHD_gtls_buffer handshake_data_buffer; /* this is a buffer that holds the current handshake message */
428 MHD_gtls_buffer ia_data_buffer; /* holds inner application data (TLS/IA) */
429 resumable_session_t resumable; /* TRUE or FALSE - if we can resume that session */
430 handshake_state_t handshake_state; /* holds
431 * a number which indicates where
432 * the handshake procedure has been
433 * interrupted. If it is 0 then
434 * no interruption has happened.
435 */
436
437 valid_session_t valid_connection; /* true or FALSE - if this session is valid */
438
439 int may_not_read; /* if it's 0 then we can read/write, otherwise it's forbiden to read/write
440 */
441 int may_not_write;
442 int read_eof; /* non-zero if we have received a closure alert. */
443
444 int last_alert; /* last alert received */
445 int last_alert_level; /* last alert level */
446
447 /* The last handshake messages sent or received.
448 */
449 int last_handshake_in;
450 int last_handshake_out;
451
452 /* this is the compression method we are going to use */
453 enum MHD_GNUTLS_CompressionMethod compression_method;
454
455 /* priorities */
456 struct MHD_gtls_priority_st priorities;
457
458 /* resumed session */
459 resumable_session_t resumed; /* RESUME_TRUE or FALSE - if we are resuming a session */
460 MHD_gtls_security_param_st resumed_security_parameters;
461
462 /* sockets internals */
463 int lowat;
464
465 /* These buffers are used in the handshake
466 * protocol only. freed using MHD__gnutls_handshake_io_buffer_clear();
467 */
468 MHD_gtls_buffer handshake_send_buffer;
469 size_t handshake_send_buffer_prev_size;
470 content_type_t handshake_send_buffer_type;
471 MHD_gnutls_handshake_description_t handshake_send_buffer_htype;
472 content_type_t handshake_recv_buffer_type;
473 MHD_gnutls_handshake_description_t handshake_recv_buffer_htype;
474 MHD_gtls_buffer handshake_recv_buffer;
475
476 /* this buffer holds a record packet -mostly used for
477 * non blocking IO.
478 */
479 MHD_gtls_buffer record_recv_buffer;
480 MHD_gtls_buffer record_send_buffer; /* holds cached data
481 * for the MHD_gnutls_io_write_buffered()
482 * function.
483 */
484 size_t record_send_buffer_prev_size; /* holds the
485 * data written in the previous runs.
486 */
487 size_t record_send_buffer_user_size; /* holds the
488 * size of the user specified data to
489 * send.
490 */
491
492 /* 0 if no peeked data was kept, 1 otherwise.
493 */
494 int have_peeked_data;
495
496 int expire_time; /* after expire_time seconds this session will expire */
497 struct MHD_gtls_mod_auth_st_int *auth_struct; /* used in handshake packets and KX algorithms */
498
499 /* TODO rm */
500 int v2_hello; /* 0 if the client hello is v3+.
501 * non-zero if we got a v2 hello.
502 */
503 /* keeps the headers of the handshake packet
504 */
505 MHD_gtls_handshake_header_buffer_st handshake_header_buffer;
506
507 /* this is the highest version available
508 * to the peer. (advertized version).
509 * This is obtained by the Handshake Client Hello
510 * message. (some implementations read the Record version)
511 */
512 uint8_t adv_version_major;
513 uint8_t adv_version_minor;
514
515 /* if this is non zero a certificate request message
516 * will be sent to the client. - only if the ciphersuite
517 * supports it.
518 */
519 int send_cert_req;
520
521 /* bits to use for DHE and DHA
522 * use MHD__gnutls_dh_get_prime_bits() and MHD__gnutls_dh_set_prime_bits()
523 * to access it.
524 */
525 uint16_t dh_prime_bits;
526
527 size_t max_handshake_data_buffer_size;
528
529 /* PUSH & PULL functions.
530 */
531 MHD_gtls_pull_func MHD__gnutls_pull_func;
532 MHD_gtls_push_func MHD__gnutls_push_func;
533 /* Holds the first argument of PUSH and PULL
534 * functions;
535 */
536 MHD_gnutls_transport_ptr_t transport_recv_ptr;
537 MHD_gnutls_transport_ptr_t transport_send_ptr;
538
539 /* Holds the record size requested by the
540 * user.
541 */
542 uint16_t proposed_record_size;
543
544 /* holds the selected certificate and key.
545 * use MHD_gtls_selected_certs_deinit() and MHD_gtls_selected_certs_set()
546 * to change them.
547 */
548 MHD_gnutls_cert *selected_cert_list;
549 int selected_cert_list_length;
550 MHD_gnutls_privkey *selected_key;
551 int selected_need_free;
552
553 /* holds the extensions we sent to the peer
554 * (in case of a client)
555 */
556 uint16_t extensions_sent[MAX_EXT_TYPES];
557 uint16_t extensions_sent_size;
558
559 /* This holds the default version that our first
560 * record packet will have. */
561 opaque default_record_version[2];
562
563 void *user_ptr;
564
565 /* Holds 0 if the last called function was interrupted while
566 * receiving, and non zero otherwise.
567 */
568 int direction;
569
570 /* If non zero the server will not advertize the CA's he
571 * trusts (do not send an RDN sequence).
572 */
573 int ignore_rdn_sequence;
574
575 /* This is used to set an arbitary version in the RSA
576 * PMS secret. Can be used by clients to test whether the
577 * server checks that version. (** only used in gnutls-cli-debug)
578 */
579 opaque rsa_pms_version[2];
580
581 /* Here we cache the DH or RSA parameters got from the
582 * credentials structure, or from a callback. That is to
583 * minimize external calls.
584 */
585 MHD_gtls_internal_params_st params;
586
587 /* This buffer is used by the record recv functions,
588 * as a temporary store buffer.
589 */
590 MHD_gnutls_datum_t recv_buffer;
591
592 /* To avoid using global variables, and especially on Windows where
593 * the application may use a different errno variable than GnuTLS,
594 * it is possible to use MHD__gnutls_transport_set_errno to set a
595 * session-specific errno variable in the user-replaceable push/pull
596 * functions. This value is used by the send/recv functions. (The
597 * strange name of this variable is because 'errno' is typically
598 * #define'd.)
599 */
600 int errnum;
601
602 /* Function used to perform public-key signing operation during
603 handshake. Used by MHD_gnutls_sig.c:MHD__gnutls_tls_sign(), see also
604 MHD_gtls_sign_callback_set(). */
605 MHD_gnutls_sign_func sign_func;
606 void *sign_func_userdata;
607
608 /* If you add anything here, check MHD_gtls_handshake_internal_state_clear().
609 */
610} MHD_gtls_internals_st;
611
612struct MHD_gtls_session_int
613{
614 MHD_gtls_security_param_st security_parameters;
615 MHD_gtls_cipher_specs_st cipher_specs;
616 MHD_gtls_conn_stat_st connection_state;
617 MHD_gtls_internals_st internals;
618 MHD_gtls_key_st key;
619};
620
621/* functions */
622void MHD_gtls_set_current_version (MHD_gtls_session_t session,
623 enum MHD_GNUTLS_Protocol version);
624
625void MHD_gtls_free_auth_info (MHD_gtls_session_t session);
626
627/* These two macros return the advertized TLS version of
628 * the peer.
629 */
630#define MHD__gnutls_get_adv_version_major( session) \
631 session->internals.adv_version_major
632
633#define MHD__gnutls_get_adv_version_minor( session) \
634 session->internals.adv_version_minor
635
636#define set_adv_version( session, major, minor) \
637 session->internals.adv_version_major = major; \
638 session->internals.adv_version_minor = minor
639
640enum MHD_GNUTLS_Protocol MHD_gtls_get_adv_version (MHD_gtls_session_t);
641
642#endif /* GNUTLS_INT_H */
diff --git a/src/daemon/https/tls/gnutls_kx.c b/src/daemon/https/tls/gnutls_kx.c
deleted file mode 100644
index a4041e39..00000000
--- a/src/daemon/https/tls/gnutls_kx.c
+++ /dev/null
@@ -1,726 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2004, 2005, 2006 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file contains functions which are wrappers for the key exchange
26 * part of TLS. They are called by the handshake functions (MHD__gnutls_handshake)
27 */
28
29#include "gnutls_int.h"
30#include "gnutls_handshake.h"
31#include "gnutls_kx.h"
32#include "gnutls_dh.h"
33#include "gnutls_errors.h"
34#include "gnutls_algorithms.h"
35#include "debug.h"
36#include "gnutls_mpi.h"
37#include <gnutls_state.h>
38#include <gnutls_datum.h>
39#include <gnutls_rsa_export.h>
40
41/* This file contains important thing for the TLS handshake procedure.
42 */
43
44#define MASTER_SECRET "master secret"
45static int generate_normal_master (MHD_gtls_session_t session, int);
46
47int
48MHD_gtls_generate_master (MHD_gtls_session_t session, int keep_premaster)
49{
50 if (session->internals.resumed == RESUME_FALSE)
51 return generate_normal_master (session, keep_premaster);
52 return 0;
53}
54
55/* here we generate the TLS Master secret.
56 */
57#define PREMASTER session->key->key
58static int
59generate_normal_master (MHD_gtls_session_t session, int keep_premaster)
60{
61 int ret = 0;
62 char buf[512];
63
64 MHD__gnutls_hard_log ("INT: PREMASTER SECRET[%d]: %s\n", PREMASTER.size,
65 MHD_gtls_bin2hex (PREMASTER.data, PREMASTER.size, buf,
66 sizeof (buf)));
67 MHD__gnutls_hard_log ("INT: CLIENT RANDOM[%d]: %s\n", 32,
68 MHD_gtls_bin2hex (session->security_parameters.
69 client_random, 32, buf,
70 sizeof (buf)));
71 MHD__gnutls_hard_log ("INT: SERVER RANDOM[%d]: %s\n", 32,
72 MHD_gtls_bin2hex (session->security_parameters.
73 server_random, 32, buf,
74 sizeof (buf)));
75
76 if (MHD__gnutls_protocol_get_version (session) == MHD_GNUTLS_PROTOCOL_SSL3)
77 {
78 opaque rnd[2 * TLS_RANDOM_SIZE + 1];
79
80 memcpy (rnd, session->security_parameters.client_random,
81 TLS_RANDOM_SIZE);
82 memcpy (&rnd[TLS_RANDOM_SIZE],
83 session->security_parameters.server_random, TLS_RANDOM_SIZE);
84
85 ret =
86 MHD_gnutls_ssl3_generate_random (PREMASTER.data, PREMASTER.size,
87 rnd, 2 * TLS_RANDOM_SIZE,
88 TLS_MASTER_SIZE,
89 session->security_parameters.
90 master_secret);
91
92 }
93 else
94 {
95 opaque rnd[2 * TLS_RANDOM_SIZE + 1];
96
97 memcpy (rnd, session->security_parameters.client_random,
98 TLS_RANDOM_SIZE);
99 memcpy (&rnd[TLS_RANDOM_SIZE],
100 session->security_parameters.server_random, TLS_RANDOM_SIZE);
101
102 ret =
103 MHD_gtls_PRF (session, PREMASTER.data, PREMASTER.size,
104 MASTER_SECRET, strlen (MASTER_SECRET),
105 rnd, 2 * TLS_RANDOM_SIZE, TLS_MASTER_SIZE,
106 session->security_parameters.master_secret);
107 }
108
109 /* TLS/IA inner secret is derived from the master secret. */
110 memcpy (session->security_parameters.inner_secret,
111 session->security_parameters.master_secret, TLS_MASTER_SIZE);
112
113 if (!keep_premaster)
114 MHD__gnutls_free_datum (&PREMASTER);
115
116 if (ret < 0)
117 return ret;
118
119 MHD__gnutls_hard_log ("INT: MASTER SECRET: %s\n",
120 MHD_gtls_bin2hex (session->security_parameters.
121 master_secret, TLS_MASTER_SIZE, buf,
122 sizeof (buf)));
123
124 return ret;
125}
126
127
128/* This is called when we want to receive the key exchange message of the
129 * server. It does nothing if this type of message is not required
130 * by the selected ciphersuite.
131 */
132int
133MHD_gtls_send_server_kx_message (MHD_gtls_session_t session, int again)
134{
135 uint8_t *data = NULL;
136 int data_size = 0;
137 int ret = 0;
138
139 if (session->internals.auth_struct->MHD_gtls_gen_server_kx == NULL)
140 return 0;
141
142 data = NULL;
143 data_size = 0;
144
145 if (again == 0)
146 {
147 data_size =
148 session->internals.auth_struct->MHD_gtls_gen_server_kx (session,
149 &data);
150
151 if (data_size == GNUTLS_E_INT_RET_0)
152 {
153 MHD_gnutls_assert ();
154 return 0;
155 }
156
157 if (data_size < 0)
158 {
159 MHD_gnutls_assert ();
160 return data_size;
161 }
162 }
163
164 ret =
165 MHD_gtls_send_handshake (session, data, data_size,
166 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE);
167 MHD_gnutls_free (data);
168
169 if (ret < 0)
170 {
171 MHD_gnutls_assert ();
172 return ret;
173 }
174 return data_size;
175}
176
177/* This function sends a certificate request message to the
178 * client.
179 */
180int
181MHD_gtls_send_server_certificate_request (MHD_gtls_session_t session,
182 int again)
183{
184 uint8_t *data = NULL;
185 int data_size = 0;
186 int ret = 0;
187
188 if (session->internals.auth_struct->
189 MHD_gtls_gen_server_certificate_request == NULL)
190 return 0;
191
192 if (session->internals.send_cert_req <= 0)
193 return 0;
194
195 data = NULL;
196 data_size = 0;
197
198 if (again == 0)
199 {
200 data_size =
201 session->internals.auth_struct->
202 MHD_gtls_gen_server_certificate_request (session, &data);
203
204 if (data_size < 0)
205 {
206 MHD_gnutls_assert ();
207 return data_size;
208 }
209 }
210 ret =
211 MHD_gtls_send_handshake (session, data, data_size,
212 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST);
213 MHD_gnutls_free (data);
214
215 if (ret < 0)
216 {
217 MHD_gnutls_assert ();
218 return ret;
219 }
220 return data_size;
221}
222
223
224/* This is the function for the client to send the key
225 * exchange message
226 */
227int
228MHD_gtls_send_client_kx_message (MHD_gtls_session_t session, int again)
229{
230 uint8_t *data;
231 int data_size;
232 int ret = 0;
233
234 if (session->internals.auth_struct->MHD_gtls_gen_client_kx == NULL)
235 return 0;
236
237
238 data = NULL;
239 data_size = 0;
240
241 if (again == 0)
242 {
243 data_size =
244 session->internals.auth_struct->MHD_gtls_gen_client_kx (session,
245 &data);
246 if (data_size < 0)
247 {
248 MHD_gnutls_assert ();
249 return data_size;
250 }
251 }
252 ret =
253 MHD_gtls_send_handshake (session, data, data_size,
254 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE);
255 MHD_gnutls_free (data);
256
257 if (ret < 0)
258 {
259 MHD_gnutls_assert ();
260 return ret;
261 }
262
263 return ret;
264}
265
266
267/* This is the function for the client to send the certificate
268 * verify message
269 */
270int
271MHD_gtls_send_client_certificate_verify (MHD_gtls_session_t session,
272 int again)
273{
274 uint8_t *data;
275 int ret = 0;
276 int data_size;
277
278 /* This is a packet that is only sent by the client
279 */
280 if (session->security_parameters.entity == GNUTLS_SERVER)
281 return 0;
282
283 /* if certificate verify is not needed just exit
284 */
285 if (session->key->certificate_requested == 0)
286 return 0;
287
288 if (session->internals.auth_struct->MHD_gtls_gen_client_cert_vrfy == NULL)
289 {
290 MHD_gnutls_assert ();
291 return 0; /* this algorithm does not support cli_cert_vrfy
292 */
293 }
294
295 data = NULL;
296 data_size = 0;
297
298 if (again == 0)
299 {
300 data_size =
301 session->internals.auth_struct->
302 MHD_gtls_gen_client_cert_vrfy (session, &data);
303 if (data_size < 0)
304 {
305 MHD_gnutls_assert ();
306 return data_size;
307 }
308 if (data_size == 0)
309 return 0;
310
311 }
312 ret =
313 MHD_gtls_send_handshake (session, data,
314 data_size, GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY);
315 MHD_gnutls_free (data);
316
317 return ret;
318}
319
320
321int
322MHD_gtls_recv_server_kx_message (MHD_gtls_session_t session)
323{
324 uint8_t *data = NULL;
325 int datasize;
326 int ret = 0;
327
328 if (session->internals.auth_struct->MHD_gtls_process_server_kx != NULL)
329 {
330
331 /* EXCEPTION FOR RSA_EXPORT cipher suite
332 */
333 if (MHD_gtls_session_is_export (session) != 0 &&
334 MHD__gnutls_peers_cert_less_512 (session) != 0)
335 {
336 MHD_gnutls_assert ();
337 return 0;
338 }
339
340 ret =
341 MHD_gtls_recv_handshake (session, &data,
342 &datasize,
343 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE,
344 MANDATORY_PACKET);
345 if (ret < 0)
346 {
347 MHD_gnutls_assert ();
348 return ret;
349 }
350
351 ret =
352 session->internals.auth_struct->MHD_gtls_process_server_kx (session,
353 data,
354 datasize);
355 MHD_gnutls_free (data);
356
357 if (ret < 0)
358 {
359 MHD_gnutls_assert ();
360 return ret;
361 }
362
363 }
364 return ret;
365}
366
367int
368MHD_gtls_recv_server_certificate_request (MHD_gtls_session_t session)
369{
370 uint8_t *data;
371 int datasize;
372 int ret = 0;
373
374 if (session->internals.auth_struct->
375 MHD_gtls_process_server_certificate_request != NULL)
376 {
377
378 ret =
379 MHD_gtls_recv_handshake (session, &data,
380 &datasize,
381 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST,
382 OPTIONAL_PACKET);
383 if (ret < 0)
384 return ret;
385
386 if (ret == 0 && datasize == 0)
387 return 0; /* ignored */
388
389 ret =
390 session->internals.auth_struct->
391 MHD_gtls_process_server_certificate_request (session, data, datasize);
392 MHD_gnutls_free (data);
393 if (ret < 0)
394 return ret;
395
396 }
397 return ret;
398}
399
400int
401MHD_gtls_recv_client_kx_message (MHD_gtls_session_t session)
402{
403 uint8_t *data;
404 int datasize;
405 int ret = 0;
406
407
408 /* Do key exchange only if the algorithm permits it */
409 if (session->internals.auth_struct->MHD_gtls_process_client_kx != NULL)
410 {
411
412 ret =
413 MHD_gtls_recv_handshake (session, &data,
414 &datasize,
415 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE,
416 MANDATORY_PACKET);
417 if (ret < 0)
418 return ret;
419
420 ret =
421 session->internals.auth_struct->MHD_gtls_process_client_kx (session,
422 data,
423 datasize);
424 MHD_gnutls_free (data);
425 if (ret < 0)
426 return ret;
427
428 }
429
430 return ret;
431}
432
433
434/* This is called when we want send our certificate
435 */
436int
437MHD_gtls_send_client_certificate (MHD_gtls_session_t session, int again)
438{
439 uint8_t *data = NULL;
440 int data_size = 0;
441 int ret = 0;
442
443
444 if (session->key->certificate_requested == 0)
445 return 0;
446
447 if (session->internals.auth_struct->MHD_gtls_gen_client_certificate == NULL)
448 return 0;
449
450 data = NULL;
451 data_size = 0;
452
453 if (again == 0)
454 {
455 if (MHD__gnutls_protocol_get_version (session) !=
456 MHD_GNUTLS_PROTOCOL_SSL3
457 || session->internals.selected_cert_list_length > 0)
458 {
459 /* TLS 1.0 or SSL 3.0 with a valid certificate
460 */
461 data_size =
462 session->internals.auth_struct->
463 MHD_gtls_gen_client_certificate (session, &data);
464
465 if (data_size < 0)
466 {
467 MHD_gnutls_assert ();
468 return data_size;
469 }
470 }
471 }
472
473 /* In the SSL 3.0 protocol we need to send a
474 * no certificate alert instead of an
475 * empty certificate.
476 */
477 if (MHD__gnutls_protocol_get_version (session) == MHD_GNUTLS_PROTOCOL_SSL3
478 && session->internals.selected_cert_list_length == 0)
479 {
480 ret =
481 MHD__gnutls_alert_send (session, GNUTLS_AL_WARNING,
482 GNUTLS_A_SSL3_NO_CERTIFICATE);
483
484 }
485 else
486 { /* TLS 1.0 or SSL 3.0 with a valid certificate
487 */
488 ret =
489 MHD_gtls_send_handshake (session, data, data_size,
490 GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
491 MHD_gnutls_free (data);
492 }
493
494 if (ret < 0)
495 {
496 MHD_gnutls_assert ();
497 return ret;
498 }
499
500 return data_size;
501}
502
503
504/* This is called when we want send our certificate
505 */
506int
507MHD_gtls_send_server_certificate (MHD_gtls_session_t session, int again)
508{
509 uint8_t *data = NULL;
510 int data_size = 0;
511 int ret = 0;
512
513
514 if (session->internals.auth_struct->MHD_gtls_gen_server_certificate == NULL)
515 return 0;
516
517 data = NULL;
518 data_size = 0;
519
520 if (again == 0)
521 {
522 data_size =
523 session->internals.auth_struct->
524 MHD_gtls_gen_server_certificate (session, &data);
525
526 if (data_size < 0)
527 {
528 MHD_gnutls_assert ();
529 return data_size;
530 }
531 }
532 ret =
533 MHD_gtls_send_handshake (session, data, data_size,
534 GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
535 MHD_gnutls_free (data);
536
537 if (ret < 0)
538 {
539 MHD_gnutls_assert ();
540 return ret;
541 }
542
543 return data_size;
544}
545
546
547int
548MHD_gtls_recv_client_certificate (MHD_gtls_session_t session)
549{
550 int datasize;
551 opaque *data;
552 int ret = 0;
553 int optional;
554
555 if (session->internals.auth_struct->MHD_gtls_process_client_certificate !=
556 NULL)
557 {
558
559 /* if we have not requested a certificate then just return
560 */
561 if (session->internals.send_cert_req == 0)
562 {
563 return 0;
564 }
565
566 if (session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
567 optional = MANDATORY_PACKET;
568 else
569 optional = OPTIONAL_PACKET;
570
571 ret =
572 MHD_gtls_recv_handshake (session, &data,
573 &datasize,
574 GNUTLS_HANDSHAKE_CERTIFICATE_PKT, optional);
575
576 if (ret < 0)
577 {
578 /* Handle the case of old SSL3 clients who send
579 * a warning alert instead of an empty certificate to indicate
580 * no certificate.
581 */
582 if (optional == OPTIONAL_PACKET &&
583 ret == GNUTLS_E_WARNING_ALERT_RECEIVED &&
584 MHD__gnutls_protocol_get_version (session) ==
585 MHD_GNUTLS_PROTOCOL_SSL3
586 && MHD_gnutls_alert_get (session) ==
587 GNUTLS_A_SSL3_NO_CERTIFICATE)
588 {
589
590 /* SSL3 does not send an empty certificate,
591 * but this alert. So we just ignore it.
592 */
593 MHD_gnutls_assert ();
594 return 0;
595 }
596
597 /* certificate was required
598 */
599 if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED
600 || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
601 && optional == MANDATORY_PACKET)
602 {
603 MHD_gnutls_assert ();
604 return GNUTLS_E_NO_CERTIFICATE_FOUND;
605 }
606
607 return ret;
608 }
609
610 if (ret == 0 && datasize == 0 && optional == OPTIONAL_PACKET)
611 {
612 /* Client has not sent the certificate message.
613 * well I'm not sure we should accept this
614 * behaviour.
615 */
616 MHD_gnutls_assert ();
617 return 0;
618 }
619 ret =
620 session->internals.auth_struct->
621 MHD_gtls_process_client_certificate (session, data, datasize);
622
623 MHD_gnutls_free (data);
624 if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND)
625 {
626 MHD_gnutls_assert ();
627 return ret;
628 }
629
630 /* ok we should expect a certificate verify message now
631 */
632 if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional == OPTIONAL_PACKET)
633 ret = 0;
634 else
635 session->key->certificate_requested = 1;
636
637 }
638
639 return ret;
640}
641
642int
643MHD_gtls_recv_server_certificate (MHD_gtls_session_t session)
644{
645 int datasize;
646 opaque *data;
647 int ret = 0;
648
649 if (session->internals.auth_struct->MHD_gtls_process_server_certificate !=
650 NULL)
651 {
652
653 ret =
654 MHD_gtls_recv_handshake (session, &data,
655 &datasize,
656 GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
657 MANDATORY_PACKET);
658 if (ret < 0)
659 {
660 MHD_gnutls_assert ();
661 return ret;
662 }
663
664 ret =
665 session->internals.auth_struct->
666 MHD_gtls_process_server_certificate (session, data, datasize);
667 MHD_gnutls_free (data);
668 if (ret < 0)
669 {
670 MHD_gnutls_assert ();
671 return ret;
672 }
673 }
674
675 return ret;
676}
677
678
679/* Recv the client certificate verify. This packet may not
680 * arrive if the peer did not send us a certificate.
681 */
682int
683MHD_gtls_recv_client_certificate_verify_message (MHD_gtls_session_t session)
684{
685 uint8_t *data;
686 int datasize;
687 int ret = 0;
688
689
690 if (session->internals.auth_struct->MHD_gtls_process_client_cert_vrfy !=
691 NULL)
692 {
693
694 if (session->internals.send_cert_req == 0 ||
695 session->key->certificate_requested == 0)
696 {
697 return 0;
698 }
699
700 ret =
701 MHD_gtls_recv_handshake (session, &data,
702 &datasize,
703 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY,
704 OPTIONAL_PACKET);
705 if (ret < 0)
706 return ret;
707
708 if (ret == 0 && datasize == 0
709 && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
710 {
711 /* certificate was required */
712 MHD_gnutls_assert ();
713 return GNUTLS_E_NO_CERTIFICATE_FOUND;
714 }
715
716 ret =
717 session->internals.auth_struct->
718 MHD_gtls_process_client_cert_vrfy (session, data, datasize);
719 MHD_gnutls_free (data);
720 if (ret < 0)
721 return ret;
722
723 }
724
725 return ret;
726}
diff --git a/src/daemon/https/tls/gnutls_kx.h b/src/daemon/https/tls/gnutls_kx.h
deleted file mode 100644
index 92144615..00000000
--- a/src/daemon/https/tls/gnutls_kx.h
+++ /dev/null
@@ -1,40 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25int MHD_gtls_send_server_kx_message (MHD_gtls_session_t session, int again);
26int MHD_gtls_send_client_kx_message (MHD_gtls_session_t session, int again);
27int MHD_gtls_recv_server_kx_message (MHD_gtls_session_t session);
28int MHD_gtls_recv_client_kx_message (MHD_gtls_session_t session);
29int MHD_gtls_send_client_certificate_verify (MHD_gtls_session_t session,
30 int again);
31int MHD_gtls_send_server_certificate (MHD_gtls_session_t session, int again);
32int MHD_gtls_generate_master (MHD_gtls_session_t session, int keep_premaster);
33int MHD_gtls_recv_client_certificate (MHD_gtls_session_t session);
34int MHD_gtls_recv_server_certificate (MHD_gtls_session_t session);
35int MHD_gtls_send_client_certificate (MHD_gtls_session_t session, int again);
36int MHD_gtls_recv_server_certificate_request (MHD_gtls_session_t session);
37int MHD_gtls_send_server_certificate_request (MHD_gtls_session_t session,
38 int again);
39int MHD_gtls_recv_client_certificate_verify_message (MHD_gtls_session_t
40 session);
diff --git a/src/daemon/https/tls/gnutls_mem.c b/src/daemon/https/tls/gnutls_mem.c
deleted file mode 100644
index 44f1ccf5..00000000
--- a/src/daemon/https/tls/gnutls_mem.c
+++ /dev/null
@@ -1,65 +0,0 @@
1/*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include <gnutls_errors.h>
27#include <gnutls_num.h>
28
29MHD_gnutls_alloc_function MHD_gnutls_secure_malloc = malloc;
30MHD_gnutls_alloc_function MHD_gnutls_malloc = malloc;
31MHD_gnutls_free_function MHD_gnutls_free = free;
32MHD_gnutls_realloc_function MHD_gnutls_realloc = realloc;
33
34void *(*MHD_gnutls_calloc) (size_t, size_t) = calloc;
35
36int
37MHD__gnutls_is_secure_mem_null (const void *ign)
38{
39 return 0;
40}
41
42int (*MHD__gnutls_is_secure_memory) (const void *) =
43 MHD__gnutls_is_secure_mem_null;
44
45
46
47/* This realloc will free ptr in case realloc
48 * fails.
49 */
50void *
51MHD_gtls_realloc_fast (void *ptr, size_t size)
52{
53 void *ret;
54
55 if (size == 0)
56 return ptr;
57
58 ret = MHD_gnutls_realloc (ptr, size);
59 if (ret == NULL)
60 {
61 MHD_gnutls_free (ptr);
62 }
63
64 return ret;
65}
diff --git a/src/daemon/https/tls/gnutls_mem.h b/src/daemon/https/tls/gnutls_mem.h
deleted file mode 100644
index 0ea84a10..00000000
--- a/src/daemon/https/tls/gnutls_mem.h
+++ /dev/null
@@ -1,61 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef GNUTLS_MEM_H
26# define GNUTLS_MEM_H
27
28#ifdef USE_DMALLOC
29# include <dmalloc.h>
30#endif
31
32typedef void svoid; /* for functions that allocate using MHD_gnutls_secure_malloc */
33
34#ifdef HAVE_ALLOCA
35# ifdef HAVE_ALLOCA_H
36# include <alloca.h>
37# endif
38# ifndef MHD_gnutls_alloca
39# define MHD_gnutls_alloca alloca
40# define MHD_gnutls_afree(x)
41# endif
42#else
43# ifndef MHD_gnutls_alloca
44# define MHD_gnutls_alloca MHD_gnutls_malloc
45# define MHD_gnutls_afree MHD_gnutls_free
46# endif
47#endif /* HAVE_ALLOCA */
48
49extern int (*MHD__gnutls_is_secure_memory) (const void *);
50
51/* this realloc function will return ptr if size==0, and
52 * will free the ptr if the new allocation failed.
53 */
54void *MHD_gtls_realloc_fast (void *ptr, size_t size);
55
56svoid *MHD_gtls_secure_calloc (size_t nmemb, size_t size);
57
58void *MHD_gtls_calloc (size_t nmemb, size_t size);
59char *MHD_gtls_strdup (const char *);
60
61#endif /* GNUTLS_MEM_H */
diff --git a/src/daemon/https/tls/gnutls_mpi.c b/src/daemon/https/tls/gnutls_mpi.c
deleted file mode 100644
index 5a4e25a4..00000000
--- a/src/daemon/https/tls/gnutls_mpi.c
+++ /dev/null
@@ -1,267 +0,0 @@
1/*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* Here lie everything that has to do with large numbers, libgcrypt and
26 * other stuff that didn't fit anywhere else.
27 */
28
29#include <gnutls_int.h>
30#include <libtasn1.h>
31#include <gnutls_errors.h>
32#include <gnutls_num.h>
33
34/* Functions that refer to the libgcrypt library.
35 */
36
37void
38MHD_gtls_mpi_release (mpi_t * x)
39{
40 if (*x == NULL)
41 return;
42 gcry_mpi_release (*x);
43 *x = NULL;
44}
45
46/* returns zero on success
47 */
48int
49MHD_gtls_mpi_scan (mpi_t * ret_mpi, const opaque * buffer, size_t * nbytes)
50{
51 int ret;
52
53 ret = gcry_mpi_scan (ret_mpi, GCRYMPI_FMT_USG, buffer, *nbytes, nbytes);
54 if (ret)
55 return GNUTLS_E_MPI_SCAN_FAILED;
56
57 return 0;
58}
59
60/* returns zero on success. Fails if the number is zero.
61 */
62int
63MHD_gtls_mpi_scan_nz (mpi_t * ret_mpi, const opaque * buffer, size_t * nbytes)
64{
65 int ret;
66
67 ret = gcry_mpi_scan (ret_mpi, GCRYMPI_FMT_USG, buffer, *nbytes, nbytes);
68 if (ret)
69 return GNUTLS_E_MPI_SCAN_FAILED;
70
71 /* MPIs with 0 bits are illegal
72 */
73 if (MHD__gnutls_mpi_get_nbits (*ret_mpi) == 0)
74 {
75 MHD_gtls_mpi_release (ret_mpi);
76 return GNUTLS_E_MPI_SCAN_FAILED;
77 }
78
79 return 0;
80}
81
82int
83MHD_gtls_mpi_print (void *buffer, size_t * nbytes, const mpi_t a)
84{
85 int ret;
86
87 if (nbytes == NULL || a == NULL)
88 return GNUTLS_E_INVALID_REQUEST;
89
90 ret = gcry_mpi_print (GCRYMPI_FMT_USG, buffer, *nbytes, nbytes, a);
91 if (!ret)
92 return 0;
93
94 return GNUTLS_E_MPI_PRINT_FAILED;
95}
96
97/* Always has the first bit zero */
98static int
99MHD_gtls_mpi_print_lz (void *buffer, size_t * nbytes, const mpi_t a)
100{
101 int ret;
102
103 if (nbytes == NULL || a == NULL)
104 return GNUTLS_E_INVALID_REQUEST;
105
106 ret = gcry_mpi_print (GCRYMPI_FMT_STD, buffer, *nbytes, nbytes, a);
107 if (!ret)
108 return 0;
109
110 return GNUTLS_E_MPI_PRINT_FAILED;
111}
112
113/* Always has the first bit zero */
114int
115MHD_gtls_mpi_dprint_lz (MHD_gnutls_datum_t * dest, const mpi_t a)
116{
117 int ret;
118 opaque *buf = NULL;
119 size_t bytes = 0;
120
121 if (dest == NULL || a == NULL)
122 return GNUTLS_E_INVALID_REQUEST;
123
124 gcry_mpi_print (GCRYMPI_FMT_STD, NULL, 0, &bytes, a);
125
126 if (bytes != 0)
127 buf = MHD_gnutls_malloc (bytes);
128 if (buf == NULL)
129 return GNUTLS_E_MEMORY_ERROR;
130
131 ret = gcry_mpi_print (GCRYMPI_FMT_STD, buf, bytes, &bytes, a);
132 if (!ret)
133 {
134 dest->data = buf;
135 dest->size = bytes;
136 return 0;
137 }
138
139 MHD_gnutls_free (buf);
140 return GNUTLS_E_MPI_PRINT_FAILED;
141}
142
143int
144MHD_gtls_mpi_dprint (MHD_gnutls_datum_t * dest, const mpi_t a)
145{
146 int ret;
147 opaque *buf = NULL;
148 size_t bytes = 0;
149
150 if (dest == NULL || a == NULL)
151 return GNUTLS_E_INVALID_REQUEST;
152
153 gcry_mpi_print (GCRYMPI_FMT_USG, NULL, 0, &bytes, a);
154
155 if (bytes != 0)
156 buf = MHD_gnutls_malloc (bytes);
157 if (buf == NULL)
158 return GNUTLS_E_MEMORY_ERROR;
159
160 ret = gcry_mpi_print (GCRYMPI_FMT_USG, buf, bytes, &bytes, a);
161 if (!ret)
162 {
163 dest->data = buf;
164 dest->size = bytes;
165 return 0;
166 }
167
168 MHD_gnutls_free (buf);
169 return GNUTLS_E_MPI_PRINT_FAILED;
170}
171
172
173/* this function reads an integer
174 * from asn1 structs. Combines the read and mpi_scan
175 * steps.
176 */
177int
178MHD__gnutls_x509_read_int (ASN1_TYPE node, const char *value, mpi_t * ret_mpi)
179{
180 int result;
181 size_t s_len;
182 opaque *tmpstr = NULL;
183 int tmpstr_size;
184
185 tmpstr_size = 0;
186 result = MHD__asn1_read_value (node, value, NULL, &tmpstr_size);
187 if (result != ASN1_MEM_ERROR)
188 {
189 MHD_gnutls_assert ();
190 return MHD_gtls_asn2err (result);
191 }
192
193 tmpstr = MHD_gnutls_alloca (tmpstr_size);
194 if (tmpstr == NULL)
195 {
196 MHD_gnutls_assert ();
197 return GNUTLS_E_MEMORY_ERROR;
198 }
199
200 result = MHD__asn1_read_value (node, value, tmpstr, &tmpstr_size);
201 if (result != ASN1_SUCCESS)
202 {
203 MHD_gnutls_assert ();
204 MHD_gnutls_afree (tmpstr);
205 return MHD_gtls_asn2err (result);
206 }
207
208 s_len = tmpstr_size;
209 if (MHD_gtls_mpi_scan (ret_mpi, tmpstr, &s_len) != 0)
210 {
211 MHD_gnutls_assert ();
212 MHD_gnutls_afree (tmpstr);
213 return GNUTLS_E_MPI_SCAN_FAILED;
214 }
215
216 MHD_gnutls_afree (tmpstr);
217
218 return 0;
219}
220
221/* Writes the specified integer into the specified node.
222 */
223int
224MHD__gnutls_x509_write_int (ASN1_TYPE node, const char *value, mpi_t mpi,
225 int lz)
226{
227 opaque *tmpstr;
228 size_t s_len;
229 int result;
230
231 s_len = 0;
232 if (lz)
233 result = MHD_gtls_mpi_print_lz (NULL, &s_len, mpi);
234 else
235 result = MHD_gtls_mpi_print (NULL, &s_len, mpi);
236
237 tmpstr = MHD_gnutls_alloca (s_len);
238 if (tmpstr == NULL)
239 {
240 MHD_gnutls_assert ();
241 return GNUTLS_E_MEMORY_ERROR;
242 }
243
244 if (lz)
245 result = MHD_gtls_mpi_print_lz (tmpstr, &s_len, mpi);
246 else
247 result = MHD_gtls_mpi_print (tmpstr, &s_len, mpi);
248
249 if (result != 0)
250 {
251 MHD_gnutls_assert ();
252 MHD_gnutls_afree (tmpstr);
253 return GNUTLS_E_MPI_PRINT_FAILED;
254 }
255
256 result = MHD__asn1_write_value (node, value, tmpstr, s_len);
257
258 MHD_gnutls_afree (tmpstr);
259
260 if (result != ASN1_SUCCESS)
261 {
262 MHD_gnutls_assert ();
263 return MHD_gtls_asn2err (result);
264 }
265
266 return 0;
267}
diff --git a/src/daemon/https/tls/gnutls_mpi.h b/src/daemon/https/tls/gnutls_mpi.h
deleted file mode 100644
index 77b7c9e4..00000000
--- a/src/daemon/https/tls/gnutls_mpi.h
+++ /dev/null
@@ -1,55 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef GNUTLS_MPI_H
26#define GNUTLS_MPI_H
27
28# include <gnutls_int.h>
29# include <gcrypt.h>
30# include "gc.h"
31
32typedef gcry_mpi_t mpi_t;
33
34#define MHD__gnutls_mpi_cmp gcry_mpi_cmp
35#define MHD__gnutls_mpi_cmp_ui gcry_mpi_cmp_ui
36#define MHD__gnutls_mpi_new gcry_mpi_new
37#define MHD__gnutls_mpi_snew gcry_mpi_snew
38#define MHD__gnutls_mpi_copy gcry_mpi_copy
39#define MHD__gnutls_mpi_randomize gcry_mpi_randomize
40#define MHD__gnutls_mpi_get_nbits gcry_mpi_get_nbits
41#define MHD__gnutls_mpi_powm gcry_mpi_powm
42#define MHD__gnutls_mpi_invm gcry_mpi_invm
43#define MHD__gnutls_mpi_alloc_like(x) MHD__gnutls_mpi_new(MHD__gnutls_mpi_get_nbits(x))
44
45void MHD_gtls_mpi_release (mpi_t * x);
46
47int MHD_gtls_mpi_scan_nz (mpi_t * ret_mpi, const opaque * buffer,
48 size_t * nbytes);
49int MHD_gtls_mpi_scan (mpi_t * ret_mpi, const opaque * buffer,
50 size_t * nbytes);
51int MHD_gtls_mpi_print (void *buffer, size_t * nbytes, const mpi_t a);
52int MHD_gtls_mpi_dprint_lz (MHD_gnutls_datum_t * dest, const mpi_t a);
53int MHD_gtls_mpi_dprint (MHD_gnutls_datum_t * dest, const mpi_t a);
54
55#endif
diff --git a/src/daemon/https/tls/gnutls_num.c b/src/daemon/https/tls/gnutls_num.c
deleted file mode 100644
index 06d2e4eb..00000000
--- a/src/daemon/https/tls/gnutls_num.c
+++ /dev/null
@@ -1,192 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file contains the functions needed for 64 bit integer support in
26 * TLS, and functions which ease the access to TLS vectors (data of given size).
27 */
28
29#include <gnutls_int.h>
30#include <gnutls_num.h>
31#include <gnutls_errors.h>
32
33/* This function will add one to uint64 x.
34 * Returns 0 on success, or -1 if the uint64 max limit
35 * has been reached.
36 */
37int
38MHD_gtls_uint64pp (uint64 * x)
39{
40 register int i, y = 0;
41
42 for (i = 7; i >= 0; i--)
43 {
44 y = 0;
45 if (x->i[i] == 0xff)
46 {
47 x->i[i] = 0;
48 y = 1;
49 }
50 else
51 x->i[i]++;
52
53 if (y == 0)
54 break;
55 }
56 if (y != 0)
57 return -1; /* over 64 bits! WOW */
58
59 return 0;
60}
61
62uint32_t
63MHD_gtls_uint24touint32 (uint24 num)
64{
65 uint32_t ret = 0;
66
67 ((uint8_t *) & ret)[1] = num.pint[0];
68 ((uint8_t *) & ret)[2] = num.pint[1];
69 ((uint8_t *) & ret)[3] = num.pint[2];
70 return ret;
71}
72
73uint24
74MHD_gtls_uint32touint24 (uint32_t num)
75{
76 uint24 ret;
77
78 ret.pint[0] = ((uint8_t *) & num)[1];
79 ret.pint[1] = ((uint8_t *) & num)[2];
80 ret.pint[2] = ((uint8_t *) & num)[3];
81 return ret;
82
83}
84
85/* data should be at least 3 bytes */
86uint32_t
87MHD_gtls_read_uint24 (const opaque * data)
88{
89 uint32_t res;
90 uint24 num;
91
92 num.pint[0] = data[0];
93 num.pint[1] = data[1];
94 num.pint[2] = data[2];
95
96 res = MHD_gtls_uint24touint32 (num);
97#ifndef WORDS_BIGENDIAN
98 res = byteswap32 (res);
99#endif
100 return res;
101}
102
103void
104MHD_gtls_write_uint24 (uint32_t num, opaque * data)
105{
106 uint24 tmp;
107
108#ifndef WORDS_BIGENDIAN
109 num = byteswap32 (num);
110#endif
111 tmp = MHD_gtls_uint32touint24 (num);
112
113 data[0] = tmp.pint[0];
114 data[1] = tmp.pint[1];
115 data[2] = tmp.pint[2];
116}
117
118uint32_t
119MHD_gtls_read_uint32 (const opaque * data)
120{
121 uint32_t res;
122
123 memcpy (&res, data, sizeof (uint32_t));
124#ifndef WORDS_BIGENDIAN
125 res = byteswap32 (res);
126#endif
127 return res;
128}
129
130void
131MHD_gtls_write_uint32 (uint32_t num, opaque * data)
132{
133
134#ifndef WORDS_BIGENDIAN
135 num = byteswap32 (num);
136#endif
137 memcpy (data, &num, sizeof (uint32_t));
138}
139
140uint16_t
141MHD_gtls_read_uint16 (const opaque * data)
142{
143 uint16_t res;
144 memcpy (&res, data, sizeof (uint16_t));
145#ifndef WORDS_BIGENDIAN
146 res = byteswap16 (res);
147#endif
148 return res;
149}
150
151void
152MHD_gtls_write_uint16 (uint16_t num, opaque * data)
153{
154
155#ifndef WORDS_BIGENDIAN
156 num = byteswap16 (num);
157#endif
158 memcpy (data, &num, sizeof (uint16_t));
159}
160
161uint32_t
162MHD_gtls_conv_uint32 (uint32_t data)
163{
164#ifndef WORDS_BIGENDIAN
165 return byteswap32 (data);
166#else
167 return data;
168#endif
169}
170
171uint16_t
172MHD_gtls_conv_uint16 (uint16_t data)
173{
174#ifndef WORDS_BIGENDIAN
175 return byteswap16 (data);
176#else
177 return data;
178#endif
179}
180
181uint32_t
182MHD_gtls_uint64touint32 (const uint64 * num)
183{
184 uint32_t ret;
185
186 memcpy (&ret, &num->i[4], 4);
187#ifndef WORDS_BIGENDIAN
188 ret = byteswap32 (ret);
189#endif
190
191 return ret;
192}
diff --git a/src/daemon/https/tls/gnutls_num.h b/src/daemon/https/tls/gnutls_num.h
deleted file mode 100644
index 3a0f1f88..00000000
--- a/src/daemon/https/tls/gnutls_num.h
+++ /dev/null
@@ -1,49 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26
27#define rotl32(x,n) (((x) << ((uint16_t)(n))) | ((x) >> (32 - (uint16_t)(n))))
28#define rotr32(x,n) (((x) >> ((uint16_t)(n))) | ((x) << (32 - (uint16_t)(n))))
29#define rotl16(x,n) (((x) << ((uint16_t)(n))) | ((x) >> (16 - (uint16_t)(n))))
30#define rotr16(x,n) (((x) >> ((uint16_t)(n))) | ((x) << (16 - (uint16_t)(n))))
31
32#define byteswap16(x) ((rotl16(x, 8) & 0x00ff) | (rotr16(x, 8) & 0xff00))
33#define byteswap32(x) ((rotl32(x, 8) & 0x00ff00ffUL) | (rotr32(x, 8) & 0xff00ff00UL))
34
35uint32_t MHD_gtls_uint24touint32 (uint24 num);
36uint24 MHD_gtls_uint32touint24 (uint32_t num);
37uint32_t MHD_gtls_read_uint32 (const opaque * data);
38uint16_t MHD_gtls_read_uint16 (const opaque * data);
39uint32_t MHD_gtls_conv_uint32 (uint32_t data);
40uint16_t MHD_gtls_conv_uint16 (uint16_t data);
41uint32_t MHD_gtls_read_uint24 (const opaque * data);
42void MHD_gtls_write_uint24 (uint32_t num, opaque * data);
43void MHD_gtls_write_uint32 (uint32_t num, opaque * data);
44void MHD_gtls_write_uint16 (uint16_t num, opaque * data);
45uint32_t MHD_gtls_uint64touint32 (const uint64 *);
46
47int MHD_gtls_uint64pp (uint64 *);
48#define MHD__gnutls_uint64zero(x) x.i[0] = x.i[1] = x.i[2] = x.i[3] = x.i[4] = x.i[5] = x.i[6] = x.i[7] = 0
49#define UINT64DATA(x) x.i
diff --git a/src/daemon/https/tls/gnutls_pk.c b/src/daemon/https/tls/gnutls_pk.c
deleted file mode 100644
index f8514cae..00000000
--- a/src/daemon/https/tls/gnutls_pk.c
+++ /dev/null
@@ -1,636 +0,0 @@
1/*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file contains the functions needed for RSA/DSA public key
26 * encryption and signatures.
27 */
28
29#include <gnutls_int.h>
30#include <gnutls_mpi.h>
31#include <gnutls_pk.h>
32#include <gnutls_errors.h>
33#include <gnutls_datum.h>
34#include <gnutls_global.h>
35#include <gnutls_num.h>
36#include "debug.h"
37#include <gc.h>
38
39/* x509 */
40#include "common.h"
41#include "mpi.h"
42
43static int MHD__gnutls_pk_encrypt (int algo, mpi_t * resarr, mpi_t data,
44 mpi_t * pkey, int pkey_len);
45static int MHD__gnutls_pk_sign (int algo, mpi_t * data, mpi_t hash,
46 mpi_t * pkey, int);
47static int MHD__gnutls_pk_decrypt (int algo, mpi_t * resarr, mpi_t data,
48 mpi_t * pkey, int);
49
50
51/* Do PKCS-1 RSA encryption.
52 * params is modulus, public exp.
53 */
54int
55MHD_gtls_pkcs1_rsa_encrypt (MHD_gnutls_datum_t * ciphertext,
56 const MHD_gnutls_datum_t * plaintext,
57 mpi_t * params, unsigned params_len,
58 unsigned btype)
59{
60 unsigned int i, pad;
61 int ret;
62 mpi_t m, res;
63 opaque *edata, *ps;
64 size_t k, psize;
65 size_t mod_bits;
66
67 mod_bits = MHD__gnutls_mpi_get_nbits (params[0]);
68 k = mod_bits / 8;
69 if (mod_bits % 8 != 0)
70 k++;
71
72 if (plaintext->size > k - 11)
73 {
74 MHD_gnutls_assert ();
75 return GNUTLS_E_PK_ENCRYPTION_FAILED;
76 }
77
78 edata = MHD_gnutls_alloca (k);
79 if (edata == NULL)
80 {
81 MHD_gnutls_assert ();
82 return GNUTLS_E_MEMORY_ERROR;
83 }
84
85 /* EB = 00||BT||PS||00||D
86 * (use block type 'btype')
87 */
88
89 edata[0] = 0;
90 edata[1] = btype;
91 psize = k - 3 - plaintext->size;
92
93 ps = &edata[2];
94 switch (btype)
95 {
96 case 2:
97 /* using public key */
98 if (params_len < RSA_PUBLIC_PARAMS)
99 {
100 MHD_gnutls_assert ();
101 MHD_gnutls_afree (edata);
102 return GNUTLS_E_INTERNAL_ERROR;
103 }
104
105 if (MHD_gc_pseudo_random ((char *) ps, psize) != GC_OK)
106 {
107 MHD_gnutls_assert ();
108 MHD_gnutls_afree (edata);
109 return GNUTLS_E_RANDOM_FAILED;
110 }
111 for (i = 0; i < psize; i++)
112 while (ps[i] == 0)
113 {
114 if (MHD_gc_pseudo_random ((char *) &ps[i], 1) != GC_OK)
115 {
116 MHD_gnutls_assert ();
117 MHD_gnutls_afree (edata);
118 return GNUTLS_E_RANDOM_FAILED;
119 }
120 }
121 break;
122 case 1:
123 /* using private key */
124
125 if (params_len < RSA_PRIVATE_PARAMS)
126 {
127 MHD_gnutls_assert ();
128 MHD_gnutls_afree (edata);
129 return GNUTLS_E_INTERNAL_ERROR;
130 }
131
132 for (i = 0; i < psize; i++)
133 ps[i] = 0xff;
134 break;
135 default:
136 MHD_gnutls_assert ();
137 MHD_gnutls_afree (edata);
138 return GNUTLS_E_INTERNAL_ERROR;
139 }
140
141 ps[psize] = 0;
142 memcpy (&ps[psize + 1], plaintext->data, plaintext->size);
143
144 if (MHD_gtls_mpi_scan_nz (&m, edata, &k) != 0)
145 {
146 MHD_gnutls_assert ();
147 MHD_gnutls_afree (edata);
148 return GNUTLS_E_MPI_SCAN_FAILED;
149 }
150 MHD_gnutls_afree (edata);
151
152 if (btype == 2) /* encrypt */
153 ret = MHD__gnutls_pk_encrypt (GCRY_PK_RSA, &res, m, params, params_len);
154 else /* sign */
155 ret = MHD__gnutls_pk_sign (GCRY_PK_RSA, &res, m, params, params_len);
156
157 MHD_gtls_mpi_release (&m);
158
159 if (ret < 0)
160 {
161 MHD_gnutls_assert ();
162 return ret;
163 }
164
165 MHD_gtls_mpi_print (NULL, &psize, res);
166
167 if (psize < k)
168 {
169 /* padding psize */
170 pad = k - psize;
171 psize = k;
172 }
173 else if (psize == k)
174 {
175 pad = 0;
176 }
177 else
178 { /* psize > k !!! */
179 /* This is an impossible situation */
180 MHD_gnutls_assert ();
181 MHD_gtls_mpi_release (&res);
182 return GNUTLS_E_INTERNAL_ERROR;
183 }
184
185 ciphertext->data = MHD_gnutls_malloc (psize);
186 if (ciphertext->data == NULL)
187 {
188 MHD_gnutls_assert ();
189 MHD_gtls_mpi_release (&res);
190 return GNUTLS_E_MEMORY_ERROR;
191 }
192 MHD_gtls_mpi_print (&ciphertext->data[pad], &psize, res);
193 for (i = 0; i < pad; i++)
194 ciphertext->data[i] = 0;
195
196 ciphertext->size = k;
197
198 MHD_gtls_mpi_release (&res);
199
200 return 0;
201}
202
203
204/* Do PKCS-1 RSA decryption.
205 * params is modulus, public exp., private key
206 * Can decrypt block type 1 and type 2 packets.
207 */
208int
209MHD_gtls_pkcs1_rsa_decrypt (MHD_gnutls_datum_t * plaintext,
210 const MHD_gnutls_datum_t * ciphertext,
211 mpi_t * params, unsigned params_len,
212 unsigned btype)
213{
214 unsigned k, i;
215 int ret;
216 mpi_t c, res;
217 opaque *edata;
218 size_t esize, mod_bits;
219
220 mod_bits = MHD__gnutls_mpi_get_nbits (params[0]);
221 k = mod_bits / 8;
222 if (mod_bits % 8 != 0)
223 k++;
224
225 esize = ciphertext->size;
226
227 if (esize != k)
228 {
229 MHD_gnutls_assert ();
230 return GNUTLS_E_PK_DECRYPTION_FAILED;
231 }
232
233 if (MHD_gtls_mpi_scan_nz (&c, ciphertext->data, &esize) != 0)
234 {
235 MHD_gnutls_assert ();
236 return GNUTLS_E_MPI_SCAN_FAILED;
237 }
238
239 /* we can use btype to see if the private key is
240 * available.
241 */
242 if (btype == 2)
243 ret = MHD__gnutls_pk_decrypt (GCRY_PK_RSA, &res, c, params, params_len);
244 else
245 {
246 ret = MHD__gnutls_pk_encrypt (GCRY_PK_RSA, &res, c, params, params_len);
247 }
248 MHD_gtls_mpi_release (&c);
249
250 if (ret < 0)
251 {
252 MHD_gnutls_assert ();
253 return ret;
254 }
255
256 MHD_gtls_mpi_print (NULL, &esize, res);
257 edata = MHD_gnutls_alloca (esize + 1);
258 if (edata == NULL)
259 {
260 MHD_gnutls_assert ();
261 MHD_gtls_mpi_release (&res);
262 return GNUTLS_E_MEMORY_ERROR;
263 }
264 MHD_gtls_mpi_print (&edata[1], &esize, res);
265
266 MHD_gtls_mpi_release (&res);
267
268 /* EB = 00||BT||PS||00||D
269 * (use block type 'btype')
270 *
271 * From now on, return GNUTLS_E_DECRYPTION_FAILED on errors, to
272 * avoid attacks similar to the one described by Bleichenbacher in:
273 * "Chosen Ciphertext Attacks against Protocols Based on RSA
274 * Encryption Standard PKCS #1".
275 */
276
277
278 edata[0] = 0;
279 esize++;
280
281 if (edata[0] != 0 || edata[1] != btype)
282 {
283 MHD_gnutls_assert ();
284 MHD_gnutls_afree (edata);
285 return GNUTLS_E_DECRYPTION_FAILED;
286 }
287
288 ret = GNUTLS_E_DECRYPTION_FAILED;
289 switch (btype)
290 {
291 case 2:
292 for (i = 2; i < esize; i++)
293 {
294 if (edata[i] == 0)
295 {
296 ret = 0;
297 break;
298 }
299 }
300 break;
301 case 1:
302 for (i = 2; i < esize; i++)
303 {
304 if (edata[i] == 0 && i > 2)
305 {
306 ret = 0;
307 break;
308 }
309 if (edata[i] != 0xff)
310 {
311 MHD__gnutls_handshake_log ("PKCS #1 padding error");
312 /* PKCS #1 padding error. Don't use
313 GNUTLS_E_PKCS1_WRONG_PAD here. */
314 break;
315 }
316 }
317 break;
318 default:
319 MHD_gnutls_assert ();
320 MHD_gnutls_afree (edata);
321 return GNUTLS_E_DECRYPTION_FAILED;
322 }
323 i++;
324
325 if (ret < 0)
326 {
327 MHD_gnutls_assert ();
328 MHD_gnutls_afree (edata);
329 return GNUTLS_E_DECRYPTION_FAILED;
330 }
331
332 if (MHD__gnutls_sset_datum (plaintext, &edata[i], esize - i) < 0)
333 {
334 MHD_gnutls_assert ();
335 MHD_gnutls_afree (edata);
336 return GNUTLS_E_MEMORY_ERROR;
337 }
338
339 MHD_gnutls_afree (edata);
340
341 return 0;
342}
343
344
345int
346MHD_gtls_rsa_verify (const MHD_gnutls_datum_t * vdata,
347 const MHD_gnutls_datum_t * ciphertext, mpi_t * params,
348 int params_len, int btype)
349{
350
351 MHD_gnutls_datum_t plain;
352 int ret;
353
354 /* decrypt signature */
355 if ((ret =
356 MHD_gtls_pkcs1_rsa_decrypt (&plain, ciphertext, params, params_len,
357 btype)) < 0)
358 {
359 MHD_gnutls_assert ();
360 return ret;
361 }
362
363 if (plain.size != vdata->size)
364 {
365 MHD_gnutls_assert ();
366 MHD__gnutls_free_datum (&plain);
367 return GNUTLS_E_PK_SIG_VERIFY_FAILED;
368 }
369
370 if (memcmp (plain.data, vdata->data, plain.size) != 0)
371 {
372 MHD_gnutls_assert ();
373 MHD__gnutls_free_datum (&plain);
374 return GNUTLS_E_PK_SIG_VERIFY_FAILED;
375 }
376
377 MHD__gnutls_free_datum (&plain);
378
379 return 0; /* ok */
380}
381
382
383/* this is taken from gnupg
384 */
385
386/****************
387 * Emulate our old PK interface here - sometime in the future we might
388 * change the internal design to directly fit to libgcrypt.
389 */
390static int
391MHD__gnutls_pk_encrypt (int algo, mpi_t * resarr, mpi_t data,
392 mpi_t * pkey, int pkey_len)
393{
394 gcry_sexp_t s_ciph, s_data, s_pkey;
395 int rc = -1;
396
397 /* make a sexp from pkey */
398 switch (algo)
399 {
400 case GCRY_PK_RSA:
401 if (pkey_len >= 2)
402 rc = gcry_sexp_build (&s_pkey, NULL,
403 "(public-key(rsa(n%m)(e%m)))",
404 pkey[0], pkey[1]);
405 break;
406
407 default:
408 MHD_gnutls_assert ();
409 return GNUTLS_E_INTERNAL_ERROR;
410 }
411
412 if (rc != 0)
413 {
414 MHD_gnutls_assert ();
415 return GNUTLS_E_INTERNAL_ERROR;
416 }
417
418 /* put the data into a simple list */
419 if (gcry_sexp_build (&s_data, NULL, "%m", data))
420 {
421 MHD_gnutls_assert ();
422 gcry_sexp_release (s_pkey);
423 return GNUTLS_E_INTERNAL_ERROR;
424 }
425
426 /* pass it to libgcrypt */
427 rc = gcry_pk_encrypt (&s_ciph, s_data, s_pkey);
428 gcry_sexp_release (s_data);
429 gcry_sexp_release (s_pkey);
430
431 if (rc != 0)
432 {
433 MHD_gnutls_assert ();
434 return GNUTLS_E_PK_ENCRYPTION_FAILED;
435
436 }
437 else
438 { /* add better error handling or make gnupg use S-Exp directly */
439 gcry_sexp_t list = gcry_sexp_find_token (s_ciph, "a", 0);
440 if (list == NULL)
441 {
442 MHD_gnutls_assert ();
443 gcry_sexp_release (s_ciph);
444 return GNUTLS_E_INTERNAL_ERROR;
445 }
446
447 resarr[0] = gcry_sexp_nth_mpi (list, 1, 0);
448 gcry_sexp_release (list);
449
450 if (resarr[0] == NULL)
451 {
452 MHD_gnutls_assert ();
453 gcry_sexp_release (s_ciph);
454 return GNUTLS_E_INTERNAL_ERROR;
455 }
456 }
457
458 gcry_sexp_release (s_ciph);
459 return rc;
460}
461
462static int
463MHD__gnutls_pk_decrypt (int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey,
464 int pkey_len)
465{
466 gcry_sexp_t s_plain, s_data, s_pkey;
467 int rc = -1;
468
469 /* make a sexp from pkey */
470 switch (algo)
471 {
472 case GCRY_PK_RSA:
473 if (pkey_len >= 6)
474 rc = gcry_sexp_build (&s_pkey, NULL,
475 "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))",
476 pkey[0], pkey[1], pkey[2], pkey[3],
477 pkey[4], pkey[5]);
478 break;
479
480 default:
481 MHD_gnutls_assert ();
482 return GNUTLS_E_INTERNAL_ERROR;
483 }
484
485 if (rc != 0)
486 {
487 MHD_gnutls_assert ();
488 return GNUTLS_E_INTERNAL_ERROR;
489 }
490
491 /* put the data into a simple list */
492 if (gcry_sexp_build (&s_data, NULL, "(enc-val(rsa(a%m)))", data))
493 {
494 MHD_gnutls_assert ();
495 gcry_sexp_release (s_pkey);
496 return GNUTLS_E_INTERNAL_ERROR;
497 }
498
499 /* pass it to libgcrypt */
500 rc = gcry_pk_decrypt (&s_plain, s_data, s_pkey);
501 gcry_sexp_release (s_data);
502 gcry_sexp_release (s_pkey);
503
504 if (rc != 0)
505 {
506 MHD_gnutls_assert ();
507 return GNUTLS_E_PK_DECRYPTION_FAILED;
508
509 }
510 else
511 { /* add better error handling or make gnupg use S-Exp directly */
512 resarr[0] = gcry_sexp_nth_mpi (s_plain, 0, 0);
513
514 if (resarr[0] == NULL)
515 {
516 MHD_gnutls_assert ();
517 gcry_sexp_release (s_plain);
518 return GNUTLS_E_INTERNAL_ERROR;
519 }
520 }
521
522 gcry_sexp_release (s_plain);
523 return rc;
524}
525
526
527/* in case of DSA puts into data, r,s
528 */
529static int
530MHD__gnutls_pk_sign (int algo, mpi_t * data, mpi_t hash, mpi_t * pkey,
531 int pkey_len)
532{
533 gcry_sexp_t s_hash, s_key, s_sig;
534 int rc = -1;
535
536 /* make a sexp from pkey */
537 switch (algo)
538 {
539 case GCRY_PK_DSA:
540 if (pkey_len >= 5)
541 rc = gcry_sexp_build (&s_key, NULL,
542 "(private-key(dsa(p%m)(q%m)(g%m)(y%m)(x%m)))",
543 pkey[0], pkey[1], pkey[2], pkey[3], pkey[4]);
544 else
545 {
546 MHD_gnutls_assert ();
547 }
548
549 break;
550 case GCRY_PK_RSA:
551 if (pkey_len >= 6)
552 rc = gcry_sexp_build (&s_key, NULL,
553 "(private-key(rsa((n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))",
554 pkey[0], pkey[1], pkey[2], pkey[3],
555 pkey[4], pkey[5]);
556 else
557 {
558 MHD_gnutls_assert ();
559 }
560 break;
561
562 default:
563 MHD_gnutls_assert ();
564 return GNUTLS_E_INTERNAL_ERROR;
565 }
566
567 if (rc != 0)
568 {
569 MHD_gnutls_assert ();
570 return GNUTLS_E_INTERNAL_ERROR;
571 }
572
573 /* put the data into a simple list */
574 if (gcry_sexp_build (&s_hash, NULL, "%m", hash))
575 {
576 MHD_gnutls_assert ();
577 return GNUTLS_E_INTERNAL_ERROR;
578 }
579
580 /* pass it to libgcrypt */
581 rc = gcry_pk_sign (&s_sig, s_hash, s_key);
582 gcry_sexp_release (s_hash);
583 gcry_sexp_release (s_key);
584
585 if (rc != 0)
586 {
587 MHD_gnutls_assert ();
588 return GNUTLS_E_PK_SIGN_FAILED;
589
590 }
591 else
592 {
593 gcry_sexp_t list;
594
595 if (algo == GCRY_PK_DSA)
596 {
597 list = gcry_sexp_find_token (s_sig, "r", 0);
598 if (list == NULL)
599 {
600 MHD_gnutls_assert ();
601 gcry_sexp_release (s_sig);
602 return GNUTLS_E_INTERNAL_ERROR;
603 }
604
605 data[0] = gcry_sexp_nth_mpi (list, 1, 0);
606 gcry_sexp_release (list);
607
608 list = gcry_sexp_find_token (s_sig, "s", 0);
609 if (list == NULL)
610 {
611 MHD_gnutls_assert ();
612 gcry_sexp_release (s_sig);
613 return GNUTLS_E_INTERNAL_ERROR;
614 }
615
616 data[1] = gcry_sexp_nth_mpi (list, 1, 0);
617 gcry_sexp_release (list);
618 }
619 else
620 { /* GCRY_PK_RSA */
621 list = gcry_sexp_find_token (s_sig, "s", 0);
622 if (list == NULL)
623 {
624 MHD_gnutls_assert ();
625 gcry_sexp_release (s_sig);
626 return GNUTLS_E_INTERNAL_ERROR;
627 }
628
629 data[0] = gcry_sexp_nth_mpi (list, 1, 0);
630 gcry_sexp_release (list);
631 }
632 }
633
634 gcry_sexp_release (s_sig);
635 return 0;
636}
diff --git a/src/daemon/https/tls/gnutls_pk.h b/src/daemon/https/tls/gnutls_pk.h
deleted file mode 100644
index 4653e76e..00000000
--- a/src/daemon/https/tls/gnutls_pk.h
+++ /dev/null
@@ -1,40 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef GNUTLS_PK_H
26#define GNUTLS_PK_H
27
28int MHD_gtls_pkcs1_rsa_encrypt (MHD_gnutls_datum_t * ciphertext,
29 const MHD_gnutls_datum_t * plaintext,
30 mpi_t * params, unsigned params_len,
31 unsigned btype);
32int MHD_gtls_pkcs1_rsa_decrypt (MHD_gnutls_datum_t * plaintext,
33 const MHD_gnutls_datum_t * ciphertext,
34 mpi_t * params, unsigned params_len,
35 unsigned btype);
36int MHD_gtls_rsa_verify (const MHD_gnutls_datum_t * vdata,
37 const MHD_gnutls_datum_t * ciphertext,
38 mpi_t * params, int params_len, int btype);
39
40#endif /* GNUTLS_PK_H */
diff --git a/src/daemon/https/tls/gnutls_priority.c b/src/daemon/https/tls/gnutls_priority.c
deleted file mode 100644
index 035c53dc..00000000
--- a/src/daemon/https/tls/gnutls_priority.c
+++ /dev/null
@@ -1,242 +0,0 @@
1/*
2 * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* Here lies the code of the MHD_gnutls_*_set_priority() functions.
26 */
27
28#include "gnutls_int.h"
29#include "gnutls_algorithms.h"
30#include "gnutls_errors.h"
31#include <gnutls_num.h>
32
33#define MAX_ELEMENTS 48
34
35static int
36_set_priority (MHD_gtls_priority_st * st, const int *list)
37{
38 int num = 0;
39
40 while ((list[num] != 0) && (num < MAX_ALGOS))
41 num++;
42 st->num_algorithms = num;
43 memcpy (st->priority, list, num * sizeof (int));
44 return 0;
45}
46
47static const int MHD_gtls_protocol_priority[] = { MHD_GNUTLS_PROTOCOL_TLS1_1,
48 MHD_GNUTLS_PROTOCOL_TLS1_0,
49 MHD_GNUTLS_PROTOCOL_SSL3,
50 0
51};
52
53static const int MHD_gtls_cipher_priority_secure256[] =
54 { MHD_GNUTLS_CIPHER_AES_256_CBC,
55 0
56};
57
58static const int MHD_gtls_kx_priority_secure[] = { MHD_GNUTLS_KX_RSA,
59 0
60};
61
62static const int MHD_gtls_mac_priority_secure[] = { MHD_GNUTLS_MAC_SHA1,
63 0
64};
65
66static int MHD_gtls_cert_type_priority[] = { MHD_GNUTLS_CRT_X509,
67 0
68};
69
70static const int MHD_gtls_comp_priority[] = { MHD_GNUTLS_COMP_NULL,
71 0
72};
73
74/**
75 * MHD__gnutls_priority_set - Sets priorities for the cipher suites supported by gnutls.
76 * @session: is a #MHD_gtls_session_t structure.
77 * @priority: is a #MHD_gnutls_priority_t structure.
78 *
79 * Sets the priorities to use on the ciphers, key exchange methods,
80 * macs and compression methods.
81 *
82 * On success 0 is returned.
83 *
84 **/
85int
86MHD__gnutls_priority_set (MHD_gtls_session_t session,
87 MHD_gnutls_priority_t priority)
88{
89 if (priority == NULL)
90 {
91 MHD_gnutls_assert ();
92 return GNUTLS_E_NO_CIPHER_SUITES;
93 }
94
95 memcpy (&session->internals.priorities, priority,
96 sizeof (struct MHD_gtls_priority_st));
97
98 return 0;
99}
100
101/**
102 * MHD_tls_set_default_priority - Sets priorities for the cipher suites supported by gnutls.
103 * @priority_cache: is a #MHD_gnutls_prioritity_t structure.
104 * @priorities: is a string describing priorities
105 * @err_pos: In case of an error this will have the position in the string the error occured
106 *
107 * Sets priorities for the ciphers, key exchange methods, macs and
108 * compression methods. This is to avoid using the
109 * MHD_gnutls_*_priority() functions.
110 *
111 * The #priorities option allows you to specify a semi-colon
112 * separated list of the cipher priorities to enable.
113 *
114 * Unless the first keyword is "NONE" the defaults are:
115 * Protocols: TLS1.1, TLS1.0, and SSL3.0.
116 * Compression: NULL.
117 * Certificate types: X.509, OpenPGP.
118 *
119 * You can also use predefined sets of ciphersuites: "PERFORMANCE"
120 * all the "secure" ciphersuites are enabled, limited to 128 bit
121 * ciphers and sorted by terms of speed performance.
122 *
123 * "NORMAL" option enables all "secure" ciphersuites. The 256-bit ciphers
124 * are included as a fallback only. The ciphers are sorted by security margin.
125 *
126 * "SECURE128" flag enables all "secure" ciphersuites with ciphers up to
127 * 128 bits, sorted by security margin.
128 *
129 * "SECURE256" flag enables all "secure" ciphersuites including the 256 bit
130 * ciphers, sorted by security margin.
131 *
132 * "EXPORT" all the ciphersuites are enabled, including the
133 * low-security 40 bit ciphers.
134 *
135 * "NONE" nothing is enabled. This disables even protocols and
136 * compression methods.
137 *
138 * Special keywords:
139 * '!' or '-' appended with an algorithm will remove this algorithm.
140 * '+' appended with an algorithm will add this algorithm.
141 * '%COMPAT' will enable compatibility features for a server.
142 *
143 * To avoid collisions in order to specify a compression algorithm in
144 * this string you have to prefix it with "COMP-", protocol versions
145 * with "VERS-" and certificate types with "CTYPE-". All other
146 * algorithms don't need a prefix.
147 *
148 * For key exchange algorithms when in NORMAL or SECURE levels the
149 * perfect forward secrecy algorithms take precendence of the other
150 * protocols. In all cases all the supported key exchange algorithms
151 * are enabled (except for the RSA-EXPORT which is only enabled in
152 * EXPORT level).
153 *
154 * Note that although one can select very long key sizes (such as 256 bits)
155 * for symmetric algorithms, to actually increase security the public key
156 * algorithms have to use longer key sizes as well.
157 *
158 * Examples: "NORMAL:!AES-128-CBC",
159 * "EXPORT:!VERS-TLS1.0:+COMP-DEFLATE:+CTYPE-OPENPGP",
160 * "NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL", "NORMAL",
161 * "NORMAL:%COMPAT".
162 *
163 * Returns: On syntax error GNUTLS_E_INVALID_REQUEST is returned and
164 * 0 on success.
165 **/
166int
167MHD_tls_set_default_priority (MHD_gnutls_priority_t * priority_cache,
168 const char *priorities, const char **err_pos)
169{
170 *priority_cache =
171 MHD_gnutls_calloc (1, sizeof (struct MHD_gtls_priority_st));
172 if (*priority_cache == NULL)
173 {
174 MHD_gnutls_assert ();
175 return GNUTLS_E_MEMORY_ERROR;
176 }
177
178 /* set mode to "SECURE256" */
179 _set_priority (&(*priority_cache)->protocol, MHD_gtls_protocol_priority);
180 _set_priority (&(*priority_cache)->cipher,
181 MHD_gtls_cipher_priority_secure256);
182 _set_priority (&(*priority_cache)->kx, MHD_gtls_kx_priority_secure);
183 _set_priority (&(*priority_cache)->mac, MHD_gtls_mac_priority_secure);
184 _set_priority (&(*priority_cache)->cert_type, MHD_gtls_cert_type_priority);
185 _set_priority (&(*priority_cache)->compression, MHD_gtls_comp_priority);
186
187 (*priority_cache)->no_padding = 0;
188 return 0;
189}
190
191/**
192 * MHD__gnutls_priority_deinit - Deinitialize the priorities cache for the cipher suites supported by gnutls.
193 * @priority_cache: is a #MHD_gnutls_prioritity_t structure.
194 *
195 * Deinitializes the priority cache.
196 *
197 **/
198void
199MHD__gnutls_priority_deinit (MHD_gnutls_priority_t priority_cache)
200{
201 MHD_gnutls_free (priority_cache);
202}
203
204/**
205 * MHD__gnutls_priority_set_direct - Sets priorities for the cipher suites supported by gnutls.
206 * @session: is a #MHD_gtls_session_t structure.
207 * @priorities: is a string describing priorities
208 * @err_pos: In case of an error this will have the position in the string the error occured
209 *
210 * Sets the priorities to use on the ciphers, key exchange methods,
211 * macs and compression methods. This function avoids keeping a
212 * priority cache and is used to directly set string priorities to a
213 * TLS session. For documentation check the MHD_tls_set_default_priority().
214 *
215 * On syntax error GNUTLS_E_INVALID_REQUEST is returned and 0 on success.
216 *
217 **/
218int
219MHD__gnutls_priority_set_direct (MHD_gtls_session_t session,
220 const char *priorities, const char **err_pos)
221{
222 MHD_gnutls_priority_t prio;
223 int ret;
224
225 ret = MHD_tls_set_default_priority (&prio, priorities, err_pos);
226 if (ret < 0)
227 {
228 MHD_gnutls_assert ();
229 return ret;
230 }
231
232 ret = MHD__gnutls_priority_set (session, prio);
233 if (ret < 0)
234 {
235 MHD_gnutls_assert ();
236 return ret;
237 }
238
239 MHD__gnutls_priority_deinit (prio);
240
241 return 0;
242}
diff --git a/src/daemon/https/tls/gnutls_record.c b/src/daemon/https/tls/gnutls_record.c
deleted file mode 100644
index 07a7b46c..00000000
--- a/src/daemon/https/tls/gnutls_record.c
+++ /dev/null
@@ -1,1087 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* Functions that are record layer specific, are included in this file.
26 */
27
28#include "gnutls_int.h"
29#include "gnutls_errors.h"
30#include "debug.h"
31#include "gnutls_cipher.h"
32#include "gnutls_buffers.h"
33#include "gnutls_handshake.h"
34#include "gnutls_hash_int.h"
35#include "gnutls_cipher_int.h"
36#include "gnutls_algorithms.h"
37#include "gnutls_auth_int.h"
38#include "gnutls_num.h"
39#include "gnutls_record.h"
40#include "gnutls_datum.h"
41#include "ext_max_record.h"
42#include <gnutls_state.h>
43#include <gnutls_dh.h>
44
45/**
46 * MHD__gnutls_protocol_get_version - Returns the version of the currently used protocol
47 * @session: is a #MHD_gtls_session_t structure.
48 *
49 * Returns: the version of the currently used protocol.
50 **/
51enum MHD_GNUTLS_Protocol
52MHD__gnutls_protocol_get_version (MHD_gtls_session_t session)
53{
54 return session->security_parameters.version;
55}
56
57void
58MHD_gtls_set_current_version (MHD_gtls_session_t session,
59 enum MHD_GNUTLS_Protocol version)
60{
61 session->security_parameters.version = version;
62}
63
64/**
65 * MHD__gnutls_transport_set_lowat - Used to set the lowat value in order for select to check for pending data.
66 * @session: is a #MHD_gtls_session_t structure.
67 * @num: is the low water value.
68 *
69 * Used to set the lowat value in order for select to check if there
70 * are pending data to socket buffer. Used only if you have changed
71 * the default low water value (default is 1). Normally you will not
72 * need that function. This function is only useful if using
73 * berkeley style sockets. Otherwise it must be called and set lowat
74 * to zero.
75 **/
76void
77MHD__gnutls_transport_set_lowat (MHD_gtls_session_t session, int num)
78{
79 session->internals.lowat = num;
80}
81
82/**
83 * MHD__gnutls_transport_set_ptr - Used to set first argument of the transport functions
84 * @session: is a #MHD_gtls_session_t structure.
85 * @ptr: is the value.
86 *
87 * Used to set the first argument of the transport function (like
88 * PUSH and PULL). In berkeley style sockets this function will set
89 * the connection handle.
90 **/
91void
92MHD__gnutls_transport_set_ptr (MHD_gtls_session_t session,
93 MHD_gnutls_transport_ptr_t ptr)
94{
95 session->internals.transport_recv_ptr = ptr;
96 session->internals.transport_send_ptr = ptr;
97}
98
99/**
100 * MHD__gnutls_bye - This function terminates the current TLS/SSL connection.
101 * @session: is a #MHD_gtls_session_t structure.
102 * @how: is an integer
103 *
104 * Terminates the current TLS/SSL connection. The connection should
105 * have been initiated using MHD__gnutls_handshake(). @how should be one
106 * of %GNUTLS_SHUT_RDWR, %GNUTLS_SHUT_WR.
107 *
108 * In case of %GNUTLS_SHUT_RDWR then the TLS connection gets
109 * terminated and further receives and sends will be disallowed. If
110 * the return value is zero you may continue using the connection.
111 * %GNUTLS_SHUT_RDWR actually sends an alert containing a close
112 * request and waits for the peer to reply with the same message.
113 *
114 * In case of %GNUTLS_SHUT_WR then the TLS connection gets terminated
115 * and further sends will be disallowed. In order to reuse the
116 * connection you should wait for an EOF from the peer.
117 * %GNUTLS_SHUT_WR sends an alert containing a close request.
118 *
119 * Note that not all implementations will properly terminate a TLS
120 * connection. Some of them, usually for performance reasons, will
121 * terminate only the underlying transport layer, thus causing a
122 * transmission error to the peer. This error cannot be
123 * distinguished from a malicious party prematurely terminating the
124 * session, thus this behavior is not recommended.
125 *
126 * This function may also return %GNUTLS_E_AGAIN or
127 * %GNUTLS_E_INTERRUPTED; cf. MHD__gnutls_record_get_direction().
128 *
129 * Returns: %GNUTLS_E_SUCCESS on success, or an error code, see
130 * function documentation for entire semantics.
131 **/
132int
133MHD__gnutls_bye (MHD_gtls_session_t session, MHD_gnutls_close_request_t how)
134{
135 int ret = 0;
136
137 switch (STATE)
138 {
139 case STATE0:
140 case STATE60:
141 ret = MHD_gtls_io_write_flush (session);
142 STATE = STATE60;
143 if (ret < 0)
144 {
145 MHD_gnutls_assert ();
146 return ret;
147 }
148
149 case STATE61:
150 ret =
151 MHD__gnutls_alert_send (session, GNUTLS_AL_WARNING,
152 GNUTLS_A_CLOSE_NOTIFY);
153 STATE = STATE61;
154 if (ret < 0)
155 {
156 MHD_gnutls_assert ();
157 return ret;
158 }
159
160 case STATE62:
161 STATE = STATE62;
162 if (how == GNUTLS_SHUT_RDWR)
163 {
164 do
165 {
166 MHD_gtls_io_clear_peeked_data (session);
167 ret = MHD_gtls_recv_int (session, GNUTLS_ALERT, -1, NULL, 0);
168 }
169 while (ret == GNUTLS_E_GOT_APPLICATION_DATA);
170
171 if (ret >= 0)
172 session->internals.may_not_read = 1;
173
174 if (ret < 0)
175 {
176 MHD_gnutls_assert ();
177 return ret;
178 }
179 }
180 STATE = STATE62;
181
182 break;
183 default:
184 MHD_gnutls_assert ();
185 return GNUTLS_E_INTERNAL_ERROR;
186 }
187
188 STATE = STATE0;
189
190 session->internals.may_not_write = 1;
191 return 0;
192}
193
194inline static void
195session_invalidate (MHD_gtls_session_t session)
196{
197 session->internals.valid_connection = VALID_FALSE;
198}
199
200inline static void
201session_unresumable (MHD_gtls_session_t session)
202{
203 session->internals.resumable = RESUME_FALSE;
204}
205
206/* returns 0 if session is valid
207 */
208inline static int
209session_is_valid (MHD_gtls_session_t session)
210{
211 if (session->internals.valid_connection == VALID_FALSE)
212 return GNUTLS_E_INVALID_SESSION;
213
214 return 0;
215}
216
217/* Copies the record version into the headers. The
218 * version must have 2 bytes at least.
219 */
220inline static void
221copy_record_version (MHD_gtls_session_t session,
222 MHD_gnutls_handshake_description_t htype,
223 opaque version[2])
224{
225 enum MHD_GNUTLS_Protocol lver;
226
227 if (htype != GNUTLS_HANDSHAKE_CLIENT_HELLO
228 || session->internals.default_record_version[0] == 0)
229 {
230 lver = MHD__gnutls_protocol_get_version (session);
231
232 version[0] = MHD_gtls_version_get_major (lver);
233 version[1] = MHD_gtls_version_get_minor (lver);
234 }
235 else
236 {
237 version[0] = session->internals.default_record_version[0];
238 version[1] = session->internals.default_record_version[1];
239 }
240}
241
242/* This function behaves exactly like write(). The only difference is
243 * that it accepts, the MHD_gtls_session_t and the content_type_t of data to
244 * send (if called by the user the Content is specific)
245 * It is intended to transfer data, under the current session.
246 *
247 * Oct 30 2001: Removed capability to send data more than MAX_RECORD_SIZE.
248 * This makes the function much easier to read, and more error resistant
249 * (there were cases were the old function could mess everything up).
250 * --nmav
251 *
252 * This function may accept a NULL pointer for data, and 0 for size, if
253 * and only if the previous send was interrupted for some reason.
254 *
255 */
256ssize_t
257MHD_gtls_send_int (MHD_gtls_session_t session,
258 content_type_t type,
259 MHD_gnutls_handshake_description_t htype,
260 const void *_data, size_t sizeofdata)
261{
262 uint8_t *cipher;
263 int cipher_size;
264 int retval, ret;
265 int data2send_size;
266 uint8_t headers[5];
267 const uint8_t *data = _data;
268
269 /* Do not allow null pointer if the send buffer is empty.
270 * If the previous send was interrupted then a null pointer is
271 * ok, and means to resume.
272 */
273 if (session->internals.record_send_buffer.length == 0 && (sizeofdata == 0
274 && _data == NULL))
275 {
276 MHD_gnutls_assert ();
277 return GNUTLS_E_INVALID_REQUEST;
278 }
279
280 if (type != GNUTLS_ALERT) /* alert messages are sent anyway */
281 if (session_is_valid (session) || session->internals.may_not_write != 0)
282 {
283 MHD_gnutls_assert ();
284 return GNUTLS_E_INVALID_SESSION;
285 }
286
287 headers[0] = type;
288
289 /* Use the default record version, if it is
290 * set.
291 */
292 copy_record_version (session, htype, &headers[1]);
293
294 MHD__gnutls_record_log
295 ("REC[%x]: Sending Packet[%d] %s(%d) with length: %d\n", session,
296 (int) MHD_gtls_uint64touint32 (&session->connection_state.
297 write_sequence_number),
298 MHD__gnutls_packet2str (type), type, sizeofdata);
299
300 if (sizeofdata > MAX_RECORD_SEND_SIZE)
301 data2send_size = MAX_RECORD_SEND_SIZE;
302 else
303 data2send_size = sizeofdata;
304
305 /* Only encrypt if we don't have data to send
306 * from the previous run. - probably interrupted.
307 */
308 if (session->internals.record_send_buffer.length > 0)
309 {
310 ret = MHD_gtls_io_write_flush (session);
311 if (ret > 0)
312 cipher_size = ret;
313 else
314 cipher_size = 0;
315
316 cipher = NULL;
317
318 retval = session->internals.record_send_buffer_user_size;
319 }
320 else
321 {
322 /* now proceed to packet encryption
323 */
324 cipher_size = data2send_size + MAX_RECORD_OVERHEAD;
325 cipher = MHD_gnutls_malloc (cipher_size);
326 if (cipher == NULL)
327 {
328 MHD_gnutls_assert ();
329 return GNUTLS_E_MEMORY_ERROR;
330 }
331
332 cipher_size =
333 MHD_gtls_encrypt (session, headers, RECORD_HEADER_SIZE, data,
334 data2send_size, cipher, cipher_size, type,
335 (session->internals.priorities.no_padding ==
336 0) ? 1 : 0);
337 if (cipher_size <= 0)
338 {
339 MHD_gnutls_assert ();
340 if (cipher_size == 0)
341 cipher_size = GNUTLS_E_ENCRYPTION_FAILED;
342 MHD_gnutls_free (cipher);
343 return cipher_size; /* error */
344 }
345
346 retval = data2send_size;
347 session->internals.record_send_buffer_user_size = data2send_size;
348
349 /* increase sequence number
350 */
351 if (MHD_gtls_uint64pp
352 (&session->connection_state.write_sequence_number) != 0)
353 {
354 session_invalidate (session);
355 MHD_gnutls_assert ();
356 MHD_gnutls_free (cipher);
357 return GNUTLS_E_RECORD_LIMIT_REACHED;
358 }
359
360 ret = MHD_gtls_io_write_buffered (session, cipher, cipher_size);
361 MHD_gnutls_free (cipher);
362 }
363
364 if (ret != cipher_size)
365 {
366 if (ret < 0 && MHD_gtls_error_is_fatal (ret) == 0)
367 {
368 /* If we have sent any data then just return
369 * the error value. Do not invalidate the session.
370 */
371 MHD_gnutls_assert ();
372 return ret;
373 }
374
375 if (ret > 0)
376 {
377 MHD_gnutls_assert ();
378 ret = GNUTLS_E_INTERNAL_ERROR;
379 }
380 session_unresumable (session);
381 session->internals.may_not_write = 1;
382 MHD_gnutls_assert ();
383 return ret;
384 }
385
386 session->internals.record_send_buffer_user_size = 0;
387
388 MHD__gnutls_record_log ("REC[%x]: Sent Packet[%d] %s(%d) with length: %d\n",
389 session,
390 (int)
391 MHD_gtls_uint64touint32
392 (&session->connection_state.write_sequence_number),
393 MHD__gnutls_packet2str (type), type, cipher_size);
394
395 return retval;
396}
397
398/* This function is to be called if the handshake was successfully
399 * completed. This sends a Change Cipher Spec packet to the peer.
400 */
401ssize_t
402MHD_gtls_send_change_cipher_spec (MHD_gtls_session_t session, int again)
403{
404 static const opaque data[1] = {
405 GNUTLS_TYPE_CHANGE_CIPHER_SPEC
406 };
407
408 MHD__gnutls_handshake_log ("REC[%x]: Sent ChangeCipherSpec\n", session);
409
410 if (again == 0)
411 return MHD_gtls_send_int (session, GNUTLS_CHANGE_CIPHER_SPEC, -1, data,
412 1);
413 else
414 {
415 return MHD_gtls_io_write_flush (session);
416 }
417}
418
419inline static int
420check_recv_type (content_type_t recv_type)
421{
422 switch (recv_type)
423 {
424 case GNUTLS_CHANGE_CIPHER_SPEC:
425 case GNUTLS_ALERT:
426 case GNUTLS_HANDSHAKE:
427 case GNUTLS_APPLICATION_DATA:
428 case GNUTLS_INNER_APPLICATION:
429 return 0;
430 default:
431 MHD_gnutls_assert ();
432 return GNUTLS_A_UNEXPECTED_MESSAGE;
433 }
434
435}
436
437/* Checks if there are pending data in the record buffers. If there are
438 * then it copies the data.
439 */
440static int
441check_buffers (MHD_gtls_session_t session,
442 content_type_t type, opaque * data, int sizeofdata)
443{
444 if ((type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE || type
445 == GNUTLS_INNER_APPLICATION)
446 && MHD_gnutls_record_buffer_get_size (type, session) > 0)
447 {
448 int ret, ret2;
449 ret = MHD_gtls_record_buffer_get (type, session, data, sizeofdata);
450 if (ret < 0)
451 {
452 MHD_gnutls_assert ();
453 return ret;
454 }
455
456 /* if the buffer just got empty */
457 if (MHD_gnutls_record_buffer_get_size (type, session) == 0)
458 {
459 if ((ret2 = MHD_gtls_io_clear_peeked_data (session)) < 0)
460 {
461 MHD_gnutls_assert ();
462 return ret2;
463 }
464 }
465
466 return ret;
467 }
468
469 return 0;
470}
471
472/* Checks the record headers and returns the length, version and
473 * content type.
474 */
475static int
476record_check_headers (MHD_gtls_session_t session,
477 uint8_t headers[RECORD_HEADER_SIZE],
478 content_type_t type,
479 MHD_gnutls_handshake_description_t htype,
480 /*output */ content_type_t * recv_type,
481 opaque version[2],
482 uint16_t * length, uint16_t * header_size)
483{
484
485 /* Read the first two bytes to determine if this is a
486 * version 2 message
487 */
488
489 if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE
490 && headers[0] > 127)
491 {
492
493 /* if msb set and expecting handshake message
494 * it should be SSL 2 hello
495 */
496 version[0] = 3; /* assume SSL 3.0 */
497 version[1] = 0;
498
499 *length = (((headers[0] & 0x7f) << 8)) | headers[1];
500
501 /* SSL 2.0 headers */
502 *header_size = 2;
503 *recv_type = GNUTLS_HANDSHAKE; /* we accept only v2 client hello
504 */
505
506 /* in order to assist the handshake protocol.
507 * V2 compatibility is a mess.
508 */
509 session->internals.v2_hello = *length;
510
511 MHD__gnutls_record_log ("REC[%x]: V2 packet received. Length: %d\n",
512 session, *length);
513
514 }
515 else
516 {
517 /* version 3.x */
518 *recv_type = headers[0];
519 version[0] = headers[1];
520 version[1] = headers[2];
521
522 /* No DECR_LEN, since headers has enough size.
523 */
524 *length = MHD_gtls_read_uint16 (&headers[3]);
525 }
526
527 return 0;
528}
529
530/* Here we check if the advertized version is the one we
531 * negotiated in the handshake.
532 */
533inline static int
534record_check_version (MHD_gtls_session_t session,
535 MHD_gnutls_handshake_description_t htype,
536 opaque version[2])
537{
538 if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO)
539 {
540 /* Reject hello packets with major version higher than 3.
541 */
542 if (version[0] > 3)
543 {
544 MHD_gnutls_assert ();
545 MHD__gnutls_record_log
546 ("REC[%x]: INVALID VERSION PACKET: (%d) %d.%d\n", session,
547 htype, version[0], version[1]);
548 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
549 }
550 }
551 else if (htype != GNUTLS_HANDSHAKE_SERVER_HELLO
552 && MHD__gnutls_protocol_get_version (session)
553 != MHD_gtls_version_get (version[0], version[1]))
554 {
555 /* Reject record packets that have a different version than the
556 * one negotiated. Note that this version is not protected by any
557 * mac. I don't really think that this check serves any purpose.
558 */
559 MHD_gnutls_assert ();
560 MHD__gnutls_record_log ("REC[%x]: INVALID VERSION PACKET: (%d) %d.%d\n",
561 session, htype, version[0], version[1]);
562
563 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
564 }
565
566 return 0;
567}
568
569/* This function will check if the received record type is
570 * the one we actually expect.
571 */
572static int
573record_check_type (MHD_gtls_session_t session,
574 content_type_t recv_type,
575 content_type_t type,
576 MHD_gnutls_handshake_description_t htype,
577 opaque * data, int data_size)
578{
579
580 int ret;
581
582 if ((recv_type == type) && (type == GNUTLS_APPLICATION_DATA || type
583 == GNUTLS_HANDSHAKE
584 || type == GNUTLS_INNER_APPLICATION))
585 {
586 MHD_gnutls_record_buffer_put (type, session, (void *) data, data_size);
587 }
588 else
589 {
590 switch (recv_type)
591 {
592 case GNUTLS_ALERT:
593
594 MHD__gnutls_record_log
595 ("REC[%x]: Alert[%d|%d] - %s - was received\n", session,
596 data[0], data[1], MHD__gnutls_alert_get_name ((int) data[1]));
597
598 session->internals.last_alert = data[1];
599 session->internals.last_alert_level = data[0];
600
601 /* if close notify is received and
602 * the alert is not fatal
603 */
604 if (data[1] == GNUTLS_A_CLOSE_NOTIFY && data[0] != GNUTLS_AL_FATAL)
605 {
606 /* If we have been expecting for an alert do
607 */
608 session->internals.read_eof = 1;
609 return GNUTLS_E_INT_RET_0; /* EOF */
610 }
611 else
612 {
613
614 /* if the alert is FATAL or WARNING
615 * return the apropriate message
616 */
617 MHD_gnutls_assert ();
618 ret = GNUTLS_E_WARNING_ALERT_RECEIVED;
619 if (data[0] == GNUTLS_AL_FATAL)
620 {
621 session_unresumable (session);
622 session_invalidate (session);
623 ret = GNUTLS_E_FATAL_ALERT_RECEIVED;
624 }
625
626 return ret;
627 }
628 break;
629
630 case GNUTLS_CHANGE_CIPHER_SPEC:
631 /* this packet is now handled in the recv_int()
632 * function
633 */
634 MHD_gnutls_assert ();
635
636 return GNUTLS_E_UNEXPECTED_PACKET;
637
638 case GNUTLS_APPLICATION_DATA:
639 /* even if data is unexpected put it into the buffer */
640 if ((ret =
641 MHD_gnutls_record_buffer_put (recv_type, session,
642 (void *) data, data_size)) < 0)
643 {
644 MHD_gnutls_assert ();
645 return ret;
646 }
647
648 /* the got_application data is only returned
649 * if expecting client hello (for rehandshake
650 * reasons). Otherwise it is an unexpected packet
651 */
652 if (type == GNUTLS_ALERT || (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO
653 && type == GNUTLS_HANDSHAKE))
654 return GNUTLS_E_GOT_APPLICATION_DATA;
655 else
656 {
657 MHD_gnutls_assert ();
658 return GNUTLS_E_UNEXPECTED_PACKET;
659 }
660
661 break;
662 case GNUTLS_HANDSHAKE:
663 /* This is legal if HELLO_REQUEST is received - and we are a client.
664 * If we are a server, a client may initiate a renegotiation at any time.
665 */
666 if (session->security_parameters.entity == GNUTLS_SERVER)
667 {
668 MHD_gnutls_assert ();
669 return GNUTLS_E_REHANDSHAKE;
670 }
671
672 /* If we are already in a handshake then a Hello
673 * Request is illegal. But here we don't really care
674 * since this message will never make it up here.
675 */
676
677 /* So we accept it */
678 return MHD_gtls_recv_hello_request (session, data, data_size);
679
680 break;
681 case GNUTLS_INNER_APPLICATION:
682 /* even if data is unexpected put it into the buffer */
683 if ((ret =
684 MHD_gnutls_record_buffer_put (recv_type, session,
685 (void *) data, data_size)) < 0)
686 {
687 MHD_gnutls_assert ();
688 return ret;
689 }
690 MHD_gnutls_assert ();
691 return GNUTLS_E_UNEXPECTED_PACKET;
692 break;
693 default:
694
695 MHD__gnutls_record_log
696 ("REC[%x]: Received Unknown packet %d expecting %d\n",
697 session, recv_type, type);
698
699 MHD_gnutls_assert ();
700 return GNUTLS_E_INTERNAL_ERROR;
701 }
702 }
703
704 return 0;
705
706}
707
708/* This function will return the internal (per session) temporary
709 * recv buffer. If the buffer was not initialized before it will
710 * also initialize it.
711 */
712inline static int
713get_temp_recv_buffer (MHD_gtls_session_t session, MHD_gnutls_datum_t * tmp)
714{
715 size_t max_record_size;
716
717 max_record_size = MAX_RECORD_RECV_SIZE;
718
719 /* We allocate MAX_RECORD_RECV_SIZE length
720 * because we cannot predict the output data by the record
721 * packet length (due to compression).
722 */
723
724 if (max_record_size > session->internals.recv_buffer.size
725 || session->internals.recv_buffer.data == NULL)
726 {
727
728 /* Initialize the internal buffer.
729 */
730 session->internals.recv_buffer.data
731 =
732 MHD_gnutls_realloc (session->internals.recv_buffer.data,
733 max_record_size);
734
735 if (session->internals.recv_buffer.data == NULL)
736 {
737 MHD_gnutls_assert ();
738 return GNUTLS_E_MEMORY_ERROR;
739 }
740
741 session->internals.recv_buffer.size = max_record_size;
742 }
743
744 tmp->data = session->internals.recv_buffer.data;
745 tmp->size = session->internals.recv_buffer.size;
746
747 return 0;
748}
749
750#define MAX_EMPTY_PACKETS_SEQUENCE 4
751
752/* This function behaves exactly like read(). The only difference is
753 * that it accepts the MHD_gtls_session_t and the content_type_t of data to
754 * receive (if called by the user the Content is Userdata only)
755 * It is intended to receive data, under the current session.
756 *
757 * The MHD_gnutls_handshake_description_t was introduced to support SSL V2.0 client hellos.
758 */
759ssize_t
760MHD_gtls_recv_int (MHD_gtls_session_t session,
761 content_type_t type,
762 MHD_gnutls_handshake_description_t htype,
763 opaque * data, size_t sizeofdata)
764{
765 MHD_gnutls_datum_t tmp;
766 int decrypted_length;
767 opaque version[2];
768 uint8_t *headers;
769 content_type_t recv_type;
770 uint16_t length;
771 uint8_t *ciphertext;
772 uint8_t *recv_data;
773 int ret, ret2;
774 uint16_t header_size;
775 int empty_packet = 0;
776
777 if (type != GNUTLS_ALERT && (sizeofdata == 0 || data == NULL))
778 {
779 return GNUTLS_E_INVALID_REQUEST;
780 }
781
782begin:
783
784 if (empty_packet > MAX_EMPTY_PACKETS_SEQUENCE)
785 {
786 MHD_gnutls_assert ();
787 return GNUTLS_E_TOO_MANY_EMPTY_PACKETS;
788 }
789
790 if (session->internals.read_eof != 0)
791 {
792 /* if we have already read an EOF
793 */
794 return 0;
795 }
796 else if (session_is_valid (session) != 0 || session->internals.may_not_read
797 != 0)
798 {
799 MHD_gnutls_assert ();
800 return GNUTLS_E_INVALID_SESSION;
801 }
802
803 /* If we have enough data in the cache do not bother receiving
804 * a new packet. (in order to flush the cache)
805 */
806 ret = check_buffers (session, type, data, sizeofdata);
807 if (ret != 0)
808 return ret;
809
810 /* default headers for TLS 1.0
811 */
812 header_size = RECORD_HEADER_SIZE;
813
814 if ((ret = MHD_gtls_io_read_buffered (session, &headers, header_size, -1))
815 != header_size)
816 {
817 if (ret < 0 && MHD_gtls_error_is_fatal (ret) == 0)
818 return ret;
819
820 session_invalidate (session);
821 if (type == GNUTLS_ALERT)
822 {
823 MHD_gnutls_assert ();
824 return 0; /* we were expecting close notify */
825 }
826 session_unresumable (session);
827 MHD_gnutls_assert ();
828 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
829 }
830
831 if ((ret = record_check_headers (session, headers, type, htype, &recv_type,
832 version, &length, &header_size)) < 0)
833 {
834 MHD_gnutls_assert ();
835 return ret;
836 }
837
838 /* Here we check if the Type of the received packet is
839 * ok.
840 */
841 if ((ret = check_recv_type (recv_type)) < 0)
842 {
843 MHD_gnutls_assert ();
844 return ret;
845 }
846
847 /* Here we check if the advertized version is the one we
848 * negotiated in the handshake.
849 */
850 if ((ret = record_check_version (session, htype, version)) < 0)
851 {
852 MHD_gnutls_assert ();
853 session_invalidate (session);
854 return ret;
855 }
856
857 MHD__gnutls_record_log
858 ("REC[%x]: Expected Packet[%d] %s(%d) with length: %d\n", session,
859 (int) MHD_gtls_uint64touint32 (&session->connection_state.
860 read_sequence_number),
861 MHD__gnutls_packet2str (type), type, sizeofdata);
862 MHD__gnutls_record_log
863 ("REC[%x]: Received Packet[%d] %s(%d) with length: %d\n", session,
864 (int) MHD_gtls_uint64touint32 (&session->connection_state.
865 read_sequence_number),
866 MHD__gnutls_packet2str (recv_type), recv_type, length);
867
868 if (length > MAX_RECV_SIZE)
869 {
870 MHD__gnutls_record_log
871 ("REC[%x]: FATAL ERROR: Received packet with length: %d\n",
872 session, length);
873
874 session_unresumable (session);
875 session_invalidate (session);
876 MHD_gnutls_assert ();
877 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
878 }
879
880 /* check if we have that data into buffer.
881 */
882 if ((ret = MHD_gtls_io_read_buffered (session, &recv_data,
883 header_size + length, recv_type))
884 != header_size + length)
885 {
886 if (ret < 0 && MHD_gtls_error_is_fatal (ret) == 0)
887 return ret;
888
889 session_unresumable (session);
890 session_invalidate (session);
891 MHD_gnutls_assert ();
892 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
893 }
894
895 /* ok now we are sure that we can read all the data - so
896 * move on !
897 */
898 MHD_gtls_io_clear_read_buffer (session);
899 ciphertext = &recv_data[header_size];
900
901 ret = get_temp_recv_buffer (session, &tmp);
902 if (ret < 0)
903 {
904 MHD_gnutls_assert ();
905 return ret;
906 }
907
908 /* decrypt the data we got. */
909 ret = MHD_gtls_decrypt (session, ciphertext, length, tmp.data, tmp.size,
910 recv_type);
911 if (ret < 0)
912 {
913 session_unresumable (session);
914 session_invalidate (session);
915 MHD_gnutls_assert ();
916 return ret;
917 }
918 decrypted_length = ret;
919
920 /* Check if this is a CHANGE_CIPHER_SPEC
921 */
922 if (type == GNUTLS_CHANGE_CIPHER_SPEC && recv_type
923 == GNUTLS_CHANGE_CIPHER_SPEC)
924 {
925
926 MHD__gnutls_record_log
927 ("REC[%x]: ChangeCipherSpec Packet was received\n", session);
928
929 if ((size_t) ret != sizeofdata)
930 { /* sizeofdata should be 1 */
931 MHD_gnutls_assert ();
932 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
933 }
934 memcpy (data, tmp.data, sizeofdata);
935
936 return ret;
937 }
938
939 MHD__gnutls_record_log
940 ("REC[%x]: Decrypted Packet[%d] %s(%d) with length: %d\n", session,
941 (int) MHD_gtls_uint64touint32 (&session->connection_state.
942 read_sequence_number),
943 MHD__gnutls_packet2str (recv_type), recv_type, decrypted_length);
944
945 /* increase sequence number
946 */
947 if (MHD_gtls_uint64pp (&session->connection_state.read_sequence_number) !=
948 0)
949 {
950 session_invalidate (session);
951 MHD_gnutls_assert ();
952 return GNUTLS_E_RECORD_LIMIT_REACHED;
953 }
954
955 /* check type - this will also invalidate sessions if a fatal alert has been received */
956 ret = record_check_type (session, recv_type, type, htype, tmp.data,
957 decrypted_length);
958 if (ret < 0)
959 {
960 if (ret == GNUTLS_E_INT_RET_0)
961 return 0;
962 MHD_gnutls_assert ();
963 return ret;
964 }
965
966 /* Get Application data from buffer
967 */
968 if ((recv_type == type) && (type == GNUTLS_APPLICATION_DATA || type
969 == GNUTLS_HANDSHAKE
970 || type == GNUTLS_INNER_APPLICATION))
971 {
972
973 ret = MHD_gtls_record_buffer_get (type, session, data, sizeofdata);
974 if (ret < 0)
975 {
976 MHD_gnutls_assert ();
977 return ret;
978 }
979
980 /* if the buffer just got empty
981 */
982 if (MHD_gnutls_record_buffer_get_size (type, session) == 0)
983 {
984 if ((ret2 = MHD_gtls_io_clear_peeked_data (session)) < 0)
985 {
986 MHD_gnutls_assert ();
987 return ret2;
988 }
989 }
990 }
991 else
992 {
993 MHD_gnutls_assert ();
994 return GNUTLS_E_UNEXPECTED_PACKET;
995 /* we didn't get what we wanted to
996 */
997 }
998
999 /* (originally for) TLS 1.0 CBC protection.
1000 * Actually this code is called if we just received
1001 * an empty packet. An empty TLS packet is usually
1002 * sent to protect some vulnerabilities in the CBC mode.
1003 * In that case we go to the beginning and start reading
1004 * the next packet.
1005 */
1006 if (ret == 0)
1007 {
1008 empty_packet++;
1009 goto begin;
1010 }
1011
1012 return ret;
1013}
1014
1015/**
1016 * MHD__gnutls_record_send - sends to the peer the specified data
1017 * @session: is a #MHD_gtls_session_t structure.
1018 * @data: contains the data to send
1019 * @sizeofdata: is the length of the data
1020 *
1021 * This function has the similar semantics with send(). The only
1022 * difference is that is accepts a GNUTLS session, and uses different
1023 * error codes.
1024 *
1025 * Note that if the send buffer is full, send() will block this
1026 * function. See the send() documentation for full information. You
1027 * can replace the default push function by using
1028 * MHD__gnutls_transport_set_ptr2() with a call to send() with a
1029 * MSG_DONTWAIT flag if blocking is a problem.
1030 *
1031 * If the EINTR is returned by the internal push function (the
1032 * default is send()} then %GNUTLS_E_INTERRUPTED will be returned. If
1033 * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must
1034 * call this function again, with the same parameters; alternatively
1035 * you could provide a %NULL pointer for data, and 0 for
1036 * size. cf. MHD__gnutls_record_get_direction().
1037 *
1038 * Returns: the number of bytes sent, or a negative error code. The
1039 * number of bytes sent might be less than @sizeofdata. The maximum
1040 * number of bytes this function can send in a single call depends on
1041 * the negotiated maximum record size.
1042 **/
1043ssize_t
1044MHD__gnutls_record_send (MHD_gtls_session_t session,
1045 const void *data, size_t sizeofdata)
1046{
1047 return MHD_gtls_send_int (session, GNUTLS_APPLICATION_DATA, -1, data,
1048 sizeofdata);
1049}
1050
1051/**
1052 * MHD__gnutls_record_recv - reads data from the TLS record protocol
1053 * @session: is a #MHD_gtls_session_t structure.
1054 * @data: the buffer that the data will be read into
1055 * @sizeofdata: the number of requested bytes
1056 *
1057 * This function has the similar semantics with recv(). The only
1058 * difference is that is accepts a GNUTLS session, and uses different
1059 * error codes.
1060 *
1061 * In the special case that a server requests a renegotiation, the
1062 * client may receive an error code of %GNUTLS_E_REHANDSHAKE. This
1063 * message may be simply ignored, replied with an alert containing
1064 * NO_RENEGOTIATION, or replied with a new handshake, depending on
1065 * the client's will.
1066 *
1067 * If %EINTR is returned by the internal push function (the default
1068 * is recv()) then %GNUTLS_E_INTERRUPTED will be returned. If
1069 * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must
1070 * call this function again to get the data. See also
1071 * MHD__gnutls_record_get_direction().
1072 *
1073 * A server may also receive %GNUTLS_E_REHANDSHAKE when a client has
1074 * initiated a handshake. In that case the server can only initiate a
1075 * handshake or terminate the connection.
1076 *
1077 * Returns: the number of bytes received and zero on EOF. A negative
1078 * error code is returned in case of an error. The number of bytes
1079 * received might be less than @sizeofdata.
1080 **/
1081ssize_t
1082MHD__gnutls_record_recv (MHD_gtls_session_t session, void *data,
1083 size_t sizeofdata)
1084{
1085 return MHD_gtls_recv_int (session, GNUTLS_APPLICATION_DATA, -1, data,
1086 sizeofdata);
1087}
diff --git a/src/daemon/https/tls/gnutls_record.h b/src/daemon/https/tls/gnutls_record.h
deleted file mode 100644
index fe7300b6..00000000
--- a/src/daemon/https/tls/gnutls_record.h
+++ /dev/null
@@ -1,33 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25ssize_t MHD_gtls_send_int (MHD_gtls_session_t session, content_type_t type,
26 MHD_gnutls_handshake_description_t htype,
27 const void *data, size_t sizeofdata);
28ssize_t MHD_gtls_recv_int (MHD_gtls_session_t session, content_type_t type,
29 MHD_gnutls_handshake_description_t, opaque * data,
30 size_t sizeofdata);
31ssize_t MHD_gtls_send_change_cipher_spec (MHD_gtls_session_t session,
32 int again);
33void MHD__gnutls_transport_set_lowat (MHD_gtls_session_t session, int num);
diff --git a/src/daemon/https/tls/gnutls_rsa_export.c b/src/daemon/https/tls/gnutls_rsa_export.c
deleted file mode 100644
index 65f97c76..00000000
--- a/src/daemon/https/tls/gnutls_rsa_export.c
+++ /dev/null
@@ -1,63 +0,0 @@
1/*
2 * Copyright (C) 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file contains code for RSA temporary keys. These keys are
26 * only used in export cipher suites.
27 */
28
29#include <gnutls_int.h>
30#include <gnutls_errors.h>
31#include <gnutls_datum.h>
32#include <gnutls_rsa_export.h>
33#include "debug.h"
34/* x509 */
35#include "x509.h"
36#include "privkey.h"
37
38/* returns e and m, depends on the requested bits.
39 * We only support limited key sizes.
40 */
41const mpi_t *
42MHD__gnutls_rsa_params_to_mpi (MHD_gtls_rsa_params_t rsa_params)
43{
44 if (rsa_params == NULL)
45 {
46 return NULL;
47 }
48 return rsa_params->params;
49}
50
51
52/**
53 * MHD__gnutls_rsa_params_deinit - This function will deinitialize the RSA parameters
54 * @rsa_params: Is a structure that holds the parameters
55 *
56 * This function will deinitialize the RSA parameters structure.
57 *
58 **/
59void
60MHD__gnutls_rsa_params_deinit (MHD_gtls_rsa_params_t rsa_params)
61{
62 MHD_gnutls_x509_privkey_deinit (rsa_params);
63}
diff --git a/src/daemon/https/tls/gnutls_rsa_export.h b/src/daemon/https/tls/gnutls_rsa_export.h
deleted file mode 100644
index a28f4297..00000000
--- a/src/daemon/https/tls/gnutls_rsa_export.h
+++ /dev/null
@@ -1,26 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25const mpi_t *MHD__gnutls_rsa_params_to_mpi (MHD_gtls_rsa_params_t);
26int MHD__gnutls_peers_cert_less_512 (MHD_gtls_session_t session);
diff --git a/src/daemon/https/tls/gnutls_sig.c b/src/daemon/https/tls/gnutls_sig.c
deleted file mode 100644
index e27c4684..00000000
--- a/src/daemon/https/tls/gnutls_sig.c
+++ /dev/null
@@ -1,476 +0,0 @@
1/*
2 * Copyright (C) 2001, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include <gnutls_errors.h>
27#include <x509_b64.h>
28#include <auth_cert.h>
29#include <gnutls_cert.h>
30#include <gnutls_datum.h>
31#include <gnutls_mpi.h>
32#include <gnutls_global.h>
33#include <gnutls_pk.h>
34#include <debug.h>
35#include <gnutls_buffers.h>
36#include <gnutls_sig.h>
37#include <gnutls_kx.h>
38
39static int MHD__gnutls_tls_sign (MHD_gtls_session_t session,
40 MHD_gnutls_cert * cert,
41 MHD_gnutls_privkey * pkey,
42 const MHD_gnutls_datum_t * hash_concat,
43 MHD_gnutls_datum_t * signature);
44
45/* Generates a signature of all the previous sent packets in the
46 * handshake procedure. (20040227: now it works for SSL 3.0 as well)
47 */
48int
49MHD_gtls_tls_sign_hdata (MHD_gtls_session_t session,
50 MHD_gnutls_cert * cert,
51 MHD_gnutls_privkey * pkey,
52 MHD_gnutls_datum_t * signature)
53{
54 MHD_gnutls_datum_t dconcat;
55 int ret;
56 opaque concat[36];
57 mac_hd_t td_md5;
58 mac_hd_t td_sha;
59 enum MHD_GNUTLS_Protocol ver = MHD__gnutls_protocol_get_version (session);
60
61 td_sha = MHD_gnutls_hash_copy (session->internals.handshake_mac_handle_sha);
62 if (td_sha == NULL)
63 {
64 MHD_gnutls_assert ();
65 return GNUTLS_E_HASH_FAILED;
66 }
67
68 if (ver == MHD_GNUTLS_PROTOCOL_SSL3)
69 {
70 ret = MHD_gtls_generate_master (session, 1);
71 if (ret < 0)
72 {
73 MHD_gnutls_assert ();
74 return ret;
75 }
76
77 MHD_gnutls_mac_deinit_ssl3_handshake (td_sha, &concat[16],
78 session->security_parameters.
79 master_secret, TLS_MASTER_SIZE);
80 }
81 else
82 MHD_gnutls_hash_deinit (td_sha, &concat[16]);
83
84 switch (cert->subject_pk_algorithm)
85 {
86 case MHD_GNUTLS_PK_RSA:
87 td_md5 =
88 MHD_gnutls_hash_copy (session->internals.handshake_mac_handle_md5);
89 if (td_md5 == NULL)
90 {
91 MHD_gnutls_assert ();
92 return GNUTLS_E_HASH_FAILED;
93 }
94
95 if (ver == MHD_GNUTLS_PROTOCOL_SSL3)
96 MHD_gnutls_mac_deinit_ssl3_handshake (td_md5, concat,
97 session->security_parameters.
98 master_secret, TLS_MASTER_SIZE);
99 else
100 MHD_gnutls_hash_deinit (td_md5, concat);
101
102 dconcat.data = concat;
103 dconcat.size = 36;
104 break;
105 default:
106 MHD_gnutls_assert ();
107 return GNUTLS_E_INTERNAL_ERROR;
108 }
109 ret = MHD__gnutls_tls_sign (session, cert, pkey, &dconcat, signature);
110 if (ret < 0)
111 {
112 MHD_gnutls_assert ();
113 }
114
115 return ret;
116}
117
118/* Generates a signature of all the random data and the parameters.
119 * Used in DHE_* ciphersuites.
120 */
121int
122MHD_gtls_tls_sign_params (MHD_gtls_session_t session,
123 MHD_gnutls_cert * cert,
124 MHD_gnutls_privkey * pkey,
125 MHD_gnutls_datum_t * params,
126 MHD_gnutls_datum_t * signature)
127{
128 MHD_gnutls_datum_t dconcat;
129 int ret;
130 mac_hd_t td_sha;
131 opaque concat[36];
132 enum MHD_GNUTLS_Protocol ver = MHD__gnutls_protocol_get_version (session);
133
134 td_sha = MHD_gtls_hash_init (MHD_GNUTLS_MAC_SHA1);
135 if (td_sha == NULL)
136 {
137 MHD_gnutls_assert ();
138 return GNUTLS_E_HASH_FAILED;
139 }
140
141 MHD_gnutls_hash (td_sha, session->security_parameters.client_random,
142 TLS_RANDOM_SIZE);
143 MHD_gnutls_hash (td_sha, session->security_parameters.server_random,
144 TLS_RANDOM_SIZE);
145 MHD_gnutls_hash (td_sha, params->data, params->size);
146
147 switch (cert->subject_pk_algorithm)
148 {
149 case MHD_GNUTLS_PK_RSA:
150 if (ver < MHD_GNUTLS_PROTOCOL_TLS1_2)
151 {
152 mac_hd_t td_md5 = MHD_gtls_hash_init (MHD_GNUTLS_MAC_MD5);
153 if (td_md5 == NULL)
154 {
155 MHD_gnutls_assert ();
156 return GNUTLS_E_HASH_FAILED;
157 }
158
159 MHD_gnutls_hash (td_md5, session->security_parameters.client_random,
160 TLS_RANDOM_SIZE);
161 MHD_gnutls_hash (td_md5, session->security_parameters.server_random,
162 TLS_RANDOM_SIZE);
163 MHD_gnutls_hash (td_md5, params->data, params->size);
164
165 MHD_gnutls_hash_deinit (td_md5, concat);
166 MHD_gnutls_hash_deinit (td_sha, &concat[16]);
167
168 dconcat.size = 36;
169 }
170 else
171 {
172#if 1
173 /* Use NULL parameters. */
174 memcpy (concat,
175 "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14",
176 15);
177 MHD_gnutls_hash_deinit (td_sha, &concat[15]);
178 dconcat.size = 35;
179#else
180 /* No parameters field. */
181 memcpy (concat,
182 "\x30\x1f\x30\x07\x06\x05\x2b\x0e\x03\x02\x1a\x04\x14", 13);
183 MHD_gnutls_hash_deinit (td_sha, &concat[13]);
184 dconcat.size = 33;
185#endif
186 }
187 dconcat.data = concat;
188 break;
189 default:
190 MHD_gnutls_assert ();
191 MHD_gnutls_hash_deinit (td_sha, NULL);
192 return GNUTLS_E_INTERNAL_ERROR;
193 }
194 ret = MHD__gnutls_tls_sign (session, cert, pkey, &dconcat, signature);
195 if (ret < 0)
196 {
197 MHD_gnutls_assert ();
198 }
199
200 return ret;
201
202}
203
204/* This will create a PKCS1 or DSA signature, using the given parameters, and the
205 * given data. The output will be allocated and be put in signature.
206 */
207static int
208MHD_gtls_sign (enum MHD_GNUTLS_PublicKeyAlgorithm algo,
209 mpi_t * params,
210 int params_size,
211 const MHD_gnutls_datum_t * data,
212 MHD_gnutls_datum_t * signature)
213{
214 int ret;
215
216 switch (algo)
217 {
218 case MHD_GNUTLS_PK_RSA:
219 /* encrypt */
220 if ((ret =
221 MHD_gtls_pkcs1_rsa_encrypt (signature, data, params, params_size,
222 1)) < 0)
223 {
224 MHD_gnutls_assert ();
225 return ret;
226 }
227
228 break;
229 default:
230 MHD_gnutls_assert ();
231 return GNUTLS_E_INTERNAL_ERROR;
232 break;
233 }
234
235 return 0;
236}
237
238/* This will create a PKCS1 or DSA signature, as defined in the TLS protocol.
239 * Cert is the certificate of the corresponding private key. It is only checked if
240 * it supports signing.
241 */
242static int
243MHD__gnutls_tls_sign (MHD_gtls_session_t session,
244 MHD_gnutls_cert * cert,
245 MHD_gnutls_privkey * pkey,
246 const MHD_gnutls_datum_t * hash_concat,
247 MHD_gnutls_datum_t * signature)
248{
249
250 /* If our certificate supports signing
251 */
252
253 if (cert != NULL)
254 if (cert->key_usage != 0)
255 if (!(cert->key_usage & KEY_DIGITAL_SIGNATURE))
256 {
257 MHD_gnutls_assert ();
258 return GNUTLS_E_KEY_USAGE_VIOLATION;
259 }
260
261 /* External signing. */
262 if (!pkey || pkey->params_size == 0)
263 {
264 if (!session->internals.sign_func)
265 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
266
267 return (*session->internals.sign_func) (session,
268 session->internals.
269 sign_func_userdata,
270 cert->cert_type, &cert->raw,
271 hash_concat, signature);
272 }
273
274 return MHD_gtls_sign (pkey->pk_algorithm, pkey->params, pkey->params_size,
275 hash_concat, signature);
276}
277
278static int
279MHD__gnutls_verify_sig (MHD_gnutls_cert * cert,
280 const MHD_gnutls_datum_t * hash_concat,
281 MHD_gnutls_datum_t * signature, size_t sha1pos)
282{
283 int ret;
284 MHD_gnutls_datum_t vdata;
285
286 if ((cert == NULL) || (cert->version == 0))
287 { /* this is the only way to check
288 * if it is initialized
289 */
290 MHD_gnutls_assert ();
291 return GNUTLS_E_CERTIFICATE_ERROR;
292 }
293
294 /* If the certificate supports signing continue.
295 */
296 if (cert != NULL)
297 if (cert->key_usage != 0)
298 if (!(cert->key_usage & KEY_DIGITAL_SIGNATURE))
299 {
300 MHD_gnutls_assert ();
301 return GNUTLS_E_KEY_USAGE_VIOLATION;
302 }
303
304 switch (cert->subject_pk_algorithm)
305 {
306 case MHD_GNUTLS_PK_RSA:
307
308 vdata.data = hash_concat->data;
309 vdata.size = hash_concat->size;
310
311 /* verify signature */
312 if ((ret = MHD_gtls_rsa_verify (&vdata, signature, cert->params,
313 cert->params_size, 1)) < 0)
314 {
315 MHD_gnutls_assert ();
316 return ret;
317 }
318
319 break;
320 default:
321 MHD_gnutls_assert ();
322 return GNUTLS_E_INTERNAL_ERROR;
323 }
324
325 return 0;
326}
327
328/* Verifies a TLS signature (like the one in the client certificate
329 * verify message).
330 */
331int
332MHD_gtls_verify_sig_hdata (MHD_gtls_session_t session,
333 MHD_gnutls_cert * cert,
334 MHD_gnutls_datum_t * signature)
335{
336 int ret;
337 opaque concat[36];
338 mac_hd_t td_md5;
339 mac_hd_t td_sha;
340 MHD_gnutls_datum_t dconcat;
341 enum MHD_GNUTLS_Protocol ver = MHD__gnutls_protocol_get_version (session);
342
343 td_md5 = MHD_gnutls_hash_copy (session->internals.handshake_mac_handle_md5);
344 if (td_md5 == NULL)
345 {
346 MHD_gnutls_assert ();
347 return GNUTLS_E_HASH_FAILED;
348 }
349
350 td_sha = MHD_gnutls_hash_copy (session->internals.handshake_mac_handle_sha);
351 if (td_sha == NULL)
352 {
353 MHD_gnutls_assert ();
354 MHD_gnutls_hash_deinit (td_md5, NULL);
355 return GNUTLS_E_HASH_FAILED;
356 }
357
358 if (ver == MHD_GNUTLS_PROTOCOL_SSL3)
359 {
360 ret = MHD_gtls_generate_master (session, 1);
361 if (ret < 0)
362 {
363 MHD_gnutls_assert ();
364 return ret;
365 }
366
367 MHD_gnutls_mac_deinit_ssl3_handshake (td_md5, concat,
368 session->security_parameters.
369 master_secret, TLS_MASTER_SIZE);
370 MHD_gnutls_mac_deinit_ssl3_handshake (td_sha, &concat[16],
371 session->security_parameters.
372 master_secret, TLS_MASTER_SIZE);
373 }
374 else
375 {
376 MHD_gnutls_hash_deinit (td_md5, concat);
377 MHD_gnutls_hash_deinit (td_sha, &concat[16]);
378 }
379
380 dconcat.data = concat;
381 dconcat.size = 20 + 16; /* md5+ sha */
382
383 ret = MHD__gnutls_verify_sig (cert, &dconcat, signature, 16);
384 if (ret < 0)
385 {
386 MHD_gnutls_assert ();
387 return ret;
388 }
389
390 return ret;
391
392}
393
394/* Generates a signature of all the random data and the parameters.
395 * Used in DHE_* ciphersuites.
396 */
397int
398MHD_gtls_verify_sig_params (MHD_gtls_session_t session,
399 MHD_gnutls_cert * cert,
400 const MHD_gnutls_datum_t * params,
401 MHD_gnutls_datum_t * signature)
402{
403 MHD_gnutls_datum_t dconcat;
404 int ret;
405 mac_hd_t td_md5 = NULL;
406 mac_hd_t td_sha;
407 opaque concat[36];
408 enum MHD_GNUTLS_Protocol ver = MHD__gnutls_protocol_get_version (session);
409
410 if (ver < MHD_GNUTLS_PROTOCOL_TLS1_2)
411 {
412 td_md5 = MHD_gtls_hash_init (MHD_GNUTLS_MAC_MD5);
413 if (td_md5 == NULL)
414 {
415 MHD_gnutls_assert ();
416 return GNUTLS_E_HASH_FAILED;
417 }
418
419 MHD_gnutls_hash (td_md5, session->security_parameters.client_random,
420 TLS_RANDOM_SIZE);
421 MHD_gnutls_hash (td_md5, session->security_parameters.server_random,
422 TLS_RANDOM_SIZE);
423 MHD_gnutls_hash (td_md5, params->data, params->size);
424 }
425
426 td_sha = MHD_gtls_hash_init (MHD_GNUTLS_MAC_SHA1);
427 if (td_sha == NULL)
428 {
429 MHD_gnutls_assert ();
430 if (td_md5)
431 MHD_gnutls_hash_deinit (td_md5, NULL);
432 return GNUTLS_E_HASH_FAILED;
433 }
434
435 MHD_gnutls_hash (td_sha, session->security_parameters.client_random,
436 TLS_RANDOM_SIZE);
437 MHD_gnutls_hash (td_sha, session->security_parameters.server_random,
438 TLS_RANDOM_SIZE);
439 MHD_gnutls_hash (td_sha, params->data, params->size);
440
441 if (ver < MHD_GNUTLS_PROTOCOL_TLS1_2)
442 {
443 MHD_gnutls_hash_deinit (td_md5, concat);
444 MHD_gnutls_hash_deinit (td_sha, &concat[16]);
445 dconcat.size = 36;
446 }
447 else
448 {
449#if 1
450 /* Use NULL parameters. */
451 memcpy (concat,
452 "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14",
453 15);
454 MHD_gnutls_hash_deinit (td_sha, &concat[15]);
455 dconcat.size = 35;
456#else
457 /* No parameters field. */
458 memcpy (concat,
459 "\x30\x1f\x30\x07\x06\x05\x2b\x0e\x03\x02\x1a\x04\x14", 13);
460 MHD_gnutls_hash_deinit (td_sha, &concat[13]);
461 dconcat.size = 33;
462#endif
463 }
464
465 dconcat.data = concat;
466
467 ret = MHD__gnutls_verify_sig (cert, &dconcat, signature, dconcat.size - 20);
468 if (ret < 0)
469 {
470 MHD_gnutls_assert ();
471 return ret;
472 }
473
474 return ret;
475
476}
diff --git a/src/daemon/https/tls/gnutls_sig.h b/src/daemon/https/tls/gnutls_sig.h
deleted file mode 100644
index 020ef489..00000000
--- a/src/daemon/https/tls/gnutls_sig.h
+++ /dev/null
@@ -1,49 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef GNUTLS_SIG_H
26# define GNUTLS_SIG_H
27
28int MHD_gtls_tls_sign_hdata (MHD_gtls_session_t session,
29 MHD_gnutls_cert * cert,
30 MHD_gnutls_privkey * pkey,
31 MHD_gnutls_datum_t * signature);
32
33int MHD_gtls_tls_sign_params (MHD_gtls_session_t session,
34 MHD_gnutls_cert * cert,
35 MHD_gnutls_privkey * pkey,
36 MHD_gnutls_datum_t * params,
37 MHD_gnutls_datum_t * signature);
38
39int MHD_gtls_verify_sig_hdata (MHD_gtls_session_t session,
40 MHD_gnutls_cert * cert,
41 MHD_gnutls_datum_t * signature);
42
43int MHD_gtls_verify_sig_params (MHD_gtls_session_t session,
44 MHD_gnutls_cert * cert,
45 const MHD_gnutls_datum_t * params,
46 MHD_gnutls_datum_t * signature);
47
48
49#endif
diff --git a/src/daemon/https/tls/gnutls_state.c b/src/daemon/https/tls/gnutls_state.c
deleted file mode 100644
index 01f51abc..00000000
--- a/src/daemon/https/tls/gnutls_state.c
+++ /dev/null
@@ -1,804 +0,0 @@
1/*
2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* Functions to manipulate the session (MHD_gnutls_int.h), and some other stuff
26 * are included here. The file's name is traditionally MHD_gnutls_state even if the
27 * state has been renamed to session.
28 */
29
30#include <gnutls_int.h>
31#include <gnutls_errors.h>
32#include <gnutls_auth_int.h>
33#include <gnutls_num.h>
34#include <gnutls_datum.h>
35#include <gnutls_record.h>
36#include <gnutls_handshake.h>
37#include <gnutls_dh.h>
38#include <gnutls_buffers.h>
39#include <gnutls_state.h>
40#include <auth_cert.h>
41#include <gnutls_algorithms.h>
42#include <gnutls_rsa_export.h>
43
44void
45MHD__gnutls_session_cert_type_set (MHD_gtls_session_t session,
46 enum MHD_GNUTLS_CertificateType ct)
47{
48 session->security_parameters.cert_type = ct;
49}
50
51/**
52 * MHD_gnutls_cipher_get - Returns the currently used cipher.
53 * @session: is a #MHD_gtls_session_t structure.
54 *
55 * Returns: the currently used cipher.
56 **/
57enum MHD_GNUTLS_CipherAlgorithm
58MHD_gnutls_cipher_get (MHD_gtls_session_t session)
59{
60 return session->security_parameters.read_bulk_cipher_algorithm;
61}
62
63/**
64 * MHD_gnutls_certificate_type_get - Returns the currently used certificate type.
65 * @session: is a #MHD_gtls_session_t structure.
66 *
67 * The certificate type is by default X.509, unless it is negotiated
68 * as a TLS extension.
69 *
70 * Returns: the currently used %enum MHD_GNUTLS_CertificateType certificate
71 * type.
72 **/
73enum MHD_GNUTLS_CertificateType
74MHD_gnutls_certificate_type_get (MHD_gtls_session_t session)
75{
76 return session->security_parameters.cert_type;
77}
78
79/**
80 * MHD_gnutls_kx_get - Returns the key exchange algorithm.
81 * @session: is a #MHD_gtls_session_t structure.
82 *
83 * Returns: the key exchange algorithm used in the last handshake.
84 **/
85enum MHD_GNUTLS_KeyExchangeAlgorithm
86MHD_gnutls_kx_get (MHD_gtls_session_t session)
87{
88 return session->security_parameters.kx_algorithm;
89}
90
91/* Check if the given certificate type is supported.
92 * This means that it is enabled by the priority functions,
93 * and a matching certificate exists.
94 */
95int
96MHD_gtls_session_cert_type_supported (MHD_gtls_session_t session,
97 enum MHD_GNUTLS_CertificateType
98 cert_type)
99{
100 unsigned i;
101 unsigned cert_found = 0;
102 MHD_gtls_cert_credentials_t cred;
103
104 if (session->security_parameters.entity == GNUTLS_SERVER)
105 {
106 cred
107 = (MHD_gtls_cert_credentials_t) MHD_gtls_get_cred (session->key,
108 MHD_GNUTLS_CRD_CERTIFICATE,
109 NULL);
110
111 if (cred == NULL)
112 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
113
114 if (cred->server_get_cert_callback == NULL)
115 {
116 for (i = 0; i < cred->ncerts; i++)
117 {
118 if (cred->cert_list[i][0].cert_type == cert_type)
119 {
120 cert_found = 1;
121 break;
122 }
123 }
124
125 if (cert_found == 0)
126 /* no certificate is of that type.
127 */
128 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
129 }
130 }
131
132 if (session->internals.priorities.cert_type.num_algorithms == 0 && cert_type
133 == DEFAULT_CERT_TYPE)
134 return 0;
135
136 for (i = 0; i < session->internals.priorities.cert_type.num_algorithms; i++)
137 {
138 if (session->internals.priorities.cert_type.priority[i] == cert_type)
139 {
140 return 0; /* ok */
141 }
142 }
143
144 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
145}
146
147/* this function deinitializes all the internal parameters stored
148 * in a session struct.
149 */
150inline static void
151deinit_internal_params (MHD_gtls_session_t session)
152{
153 if (session->internals.params.free_dh_params)
154 MHD__gnutls_dh_params_deinit (session->internals.params.dh_params);
155
156 if (session->internals.params.free_rsa_params)
157 MHD__gnutls_rsa_params_deinit (session->internals.params.rsa_params);
158
159 memset (&session->internals.params, 0, sizeof (session->internals.params));
160}
161
162/* This function will clear all the variables in internals
163 * structure within the session, which depend on the current handshake.
164 * This is used to allow further handshakes.
165 */
166void
167MHD_gtls_handshake_internal_state_clear (MHD_gtls_session_t session)
168{
169 session->internals.extensions_sent_size = 0;
170
171 /* by default no selected certificate */
172 session->internals.proposed_record_size = DEFAULT_MAX_RECORD_SIZE;
173 session->internals.adv_version_major = 0;
174 session->internals.adv_version_minor = 0;
175 session->internals.v2_hello = 0;
176 memset (&session->internals.handshake_header_buffer, 0,
177 sizeof (MHD_gtls_handshake_header_buffer_st));
178 session->internals.adv_version_minor = 0;
179 session->internals.adv_version_minor = 0;
180 session->internals.direction = 0;
181
182 /* use out of band data for the last
183 * handshake messages received.
184 */
185 session->internals.last_handshake_in = -1;
186 session->internals.last_handshake_out = -1;
187
188 session->internals.resumable = RESUME_TRUE;
189 MHD__gnutls_free_datum (&session->internals.recv_buffer);
190
191 deinit_internal_params (session);
192
193}
194
195#define MIN_DH_BITS 727
196/**
197 * MHD__gnutls_init - This function initializes the session to null (null encryption etc...).
198 * @con_end: indicate if this session is to be used for server or client.
199 * @session: is a pointer to a #MHD_gtls_session_t structure.
200 *
201 * This function initializes the current session to null. Every
202 * session must be initialized before use, so internal structures can
203 * be allocated. This function allocates structures which can only
204 * be free'd by calling MHD__gnutls_deinit(). Returns zero on success.
205 *
206 * @con_end can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER.
207 *
208 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
209 **/
210
211/* TODO rm redundent pointer ref */
212int
213MHD__gnutls_init (MHD_gtls_session_t * session,
214 MHD_gnutls_connection_end_t con_end)
215{
216 *session = MHD_gnutls_calloc (1, sizeof (struct MHD_gtls_session_int));
217 if (*session == NULL)
218 return GNUTLS_E_MEMORY_ERROR;
219
220 (*session)->security_parameters.entity = con_end;
221
222 /* the default certificate type for TLS */
223 (*session)->security_parameters.cert_type = DEFAULT_CERT_TYPE;
224
225 /* Set the defaults for initial handshake */
226 (*session)->security_parameters.read_bulk_cipher_algorithm =
227 (*session)->security_parameters.write_bulk_cipher_algorithm =
228 MHD_GNUTLS_CIPHER_NULL;
229
230 (*session)->security_parameters.read_mac_algorithm =
231 (*session)->security_parameters.write_mac_algorithm = MHD_GNUTLS_MAC_NULL;
232
233 /* Initialize buffers */
234 MHD_gtls_buffer_init (&(*session)->internals.application_data_buffer);
235 MHD_gtls_buffer_init (&(*session)->internals.handshake_data_buffer);
236 MHD_gtls_buffer_init (&(*session)->internals.handshake_hash_buffer);
237 MHD_gtls_buffer_init (&(*session)->internals.ia_data_buffer);
238
239 MHD_gtls_buffer_init (&(*session)->internals.record_send_buffer);
240 MHD_gtls_buffer_init (&(*session)->internals.record_recv_buffer);
241
242 MHD_gtls_buffer_init (&(*session)->internals.handshake_send_buffer);
243 MHD_gtls_buffer_init (&(*session)->internals.handshake_recv_buffer);
244
245 (*session)->key = MHD_gnutls_calloc (1, sizeof (struct MHD_gtls_key));
246 if ((*session)->key == NULL)
247 {
248 cleanup_session:MHD_gnutls_free (*session);
249 *session = NULL;
250 return GNUTLS_E_MEMORY_ERROR;
251 }
252
253 (*session)->internals.expire_time = DEFAULT_EXPIRE_TIME; /* one hour default */
254
255 MHD__gnutls_dh_set_prime_bits ((*session), MIN_DH_BITS);
256
257 MHD__gnutls_transport_set_lowat ((*session), DEFAULT_LOWAT); /* the default for tcp */
258
259 MHD__gnutls_handshake_set_max_packet_length ((*session),
260 MAX_HANDSHAKE_PACKET_SIZE);
261
262 /* Allocate a minimum size for recv_data
263 * This is allocated in order to avoid small messages, making
264 * the receive procedure slow.
265 */
266 (*session)->internals.record_recv_buffer.data
267 = MHD_gnutls_malloc (INITIAL_RECV_BUFFER_SIZE);
268 if ((*session)->internals.record_recv_buffer.data == NULL)
269 {
270 MHD_gnutls_free ((*session)->key);
271 goto cleanup_session;
272 }
273
274 /* set the socket pointers to -1; */
275 (*session)->internals.transport_recv_ptr = (MHD_gnutls_transport_ptr_t) - 1;
276 (*session)->internals.transport_send_ptr = (MHD_gnutls_transport_ptr_t) - 1;
277
278 /* set the default maximum record size for TLS
279 */
280 (*session)->security_parameters.max_record_recv_size
281 = DEFAULT_MAX_RECORD_SIZE;
282 (*session)->security_parameters.max_record_send_size
283 = DEFAULT_MAX_RECORD_SIZE;
284
285 /* everything else not initialized here is initialized
286 * as NULL or 0. This is why calloc is used.
287 */
288
289 MHD_gtls_handshake_internal_state_clear (*session);
290
291 return 0;
292}
293
294
295/**
296 * MHD__gnutls_deinit - This function clears all buffers associated with a session
297 * @session: is a #MHD_gtls_session_t structure.
298 *
299 * This function clears all buffers associated with the @session.
300 * This function will also remove session data from the session
301 * database if the session was terminated abnormally.
302 **/
303void
304MHD__gnutls_deinit (MHD_gtls_session_t session)
305{
306
307 if (session == NULL)
308 return;
309
310 /* remove auth info firstly */
311 MHD_gtls_free_auth_info (session);
312
313 MHD_gtls_handshake_internal_state_clear (session);
314 MHD__gnutls_handshake_io_buffer_clear (session);
315
316 MHD__gnutls_free_datum (&session->connection_state.read_mac_secret);
317 MHD__gnutls_free_datum (&session->connection_state.write_mac_secret);
318
319 MHD_gtls_buffer_clear (&session->internals.ia_data_buffer);
320 MHD_gtls_buffer_clear (&session->internals.handshake_hash_buffer);
321 MHD_gtls_buffer_clear (&session->internals.handshake_data_buffer);
322 MHD_gtls_buffer_clear (&session->internals.application_data_buffer);
323 MHD_gtls_buffer_clear (&session->internals.record_recv_buffer);
324 MHD_gtls_buffer_clear (&session->internals.record_send_buffer);
325
326 MHD__gnutls_credentials_clear (session);
327 MHD_gtls_selected_certs_deinit (session);
328
329 if (session->connection_state.read_cipher_state != NULL)
330 MHD_gnutls_cipher_deinit (session->connection_state.read_cipher_state);
331 if (session->connection_state.write_cipher_state != NULL)
332 MHD_gnutls_cipher_deinit (session->connection_state.write_cipher_state);
333
334 MHD__gnutls_free_datum (&session->cipher_specs.server_write_mac_secret);
335 MHD__gnutls_free_datum (&session->cipher_specs.client_write_mac_secret);
336 MHD__gnutls_free_datum (&session->cipher_specs.server_write_IV);
337 MHD__gnutls_free_datum (&session->cipher_specs.client_write_IV);
338 MHD__gnutls_free_datum (&session->cipher_specs.server_write_key);
339 MHD__gnutls_free_datum (&session->cipher_specs.client_write_key);
340
341 if (session->key != NULL)
342 {
343 MHD_gtls_mpi_release (&session->key->KEY);
344 MHD_gtls_mpi_release (&session->key->client_Y);
345 MHD_gtls_mpi_release (&session->key->client_p);
346 MHD_gtls_mpi_release (&session->key->client_g);
347
348 MHD_gtls_mpi_release (&session->key->u);
349 MHD_gtls_mpi_release (&session->key->a);
350 MHD_gtls_mpi_release (&session->key->x);
351 MHD_gtls_mpi_release (&session->key->A);
352 MHD_gtls_mpi_release (&session->key->B);
353 MHD_gtls_mpi_release (&session->key->b);
354
355 /* RSA */
356 MHD_gtls_mpi_release (&session->key->rsa[0]);
357 MHD_gtls_mpi_release (&session->key->rsa[1]);
358
359 MHD_gtls_mpi_release (&session->key->dh_secret);
360 MHD_gnutls_free (session->key);
361
362 session->key = NULL;
363 }
364
365 memset (session, 0, sizeof (struct MHD_gtls_session_int));
366 MHD_gnutls_free (session);
367}
368
369/* Returns the minimum prime bits that are acceptable.
370 */
371int
372MHD_gtls_dh_get_allowed_prime_bits (MHD_gtls_session_t session)
373{
374 return session->internals.dh_prime_bits;
375}
376
377int
378MHD_gtls_dh_set_peer_public (MHD_gtls_session_t session, mpi_t public)
379{
380 MHD_gtls_dh_info_st *dh;
381 int ret;
382
383 switch (MHD_gtls_auth_get_type (session))
384 {
385 case MHD_GNUTLS_CRD_CERTIFICATE:
386 {
387 cert_auth_info_t info;
388
389 info = MHD_gtls_get_auth_info (session);
390 if (info == NULL)
391 return GNUTLS_E_INTERNAL_ERROR;
392
393 dh = &info->dh;
394 break;
395 }
396 default:
397 MHD_gnutls_assert ();
398 return GNUTLS_E_INTERNAL_ERROR;
399 }
400
401 ret = MHD_gtls_mpi_dprint_lz (&dh->public_key, public);
402 if (ret < 0)
403 {
404 MHD_gnutls_assert ();
405 return ret;
406 }
407
408 return 0;
409}
410
411int
412MHD_gtls_dh_set_secret_bits (MHD_gtls_session_t session, unsigned bits)
413{
414 switch (MHD_gtls_auth_get_type (session))
415 {
416 case MHD_GNUTLS_CRD_CERTIFICATE:
417 {
418 cert_auth_info_t info;
419
420 info = MHD_gtls_get_auth_info (session);
421 if (info == NULL)
422 return GNUTLS_E_INTERNAL_ERROR;
423
424 info->dh.secret_bits = bits;
425 break;
426 default:
427 MHD_gnutls_assert ();
428 return GNUTLS_E_INTERNAL_ERROR;
429 }
430 }
431
432 return 0;
433}
434
435/* This function will set in the auth info structure the
436 * RSA exponent and the modulus.
437 */
438int
439MHD_gtls_rsa_export_set_pubkey (MHD_gtls_session_t session,
440 mpi_t exponent, mpi_t modulus)
441{
442 cert_auth_info_t info;
443 int ret;
444
445 info = MHD_gtls_get_auth_info (session);
446 if (info == NULL)
447 return GNUTLS_E_INTERNAL_ERROR;
448
449 ret = MHD_gtls_mpi_dprint_lz (&info->rsa_export.modulus, modulus);
450 if (ret < 0)
451 {
452 MHD_gnutls_assert ();
453 return ret;
454 }
455
456 ret = MHD_gtls_mpi_dprint_lz (&info->rsa_export.exponent, exponent);
457 if (ret < 0)
458 {
459 MHD_gnutls_assert ();
460 MHD__gnutls_free_datum (&info->rsa_export.modulus);
461 return ret;
462 }
463
464 return 0;
465}
466
467/* Sets the prime and the generator in the auth info structure.
468 */
469int
470MHD_gtls_dh_set_group (MHD_gtls_session_t session, mpi_t gen, mpi_t prime)
471{
472 MHD_gtls_dh_info_st *dh;
473 int ret;
474
475 switch (MHD_gtls_auth_get_type (session))
476 {
477 case MHD_GNUTLS_CRD_CERTIFICATE:
478 {
479 cert_auth_info_t info;
480
481 info = MHD_gtls_get_auth_info (session);
482 if (info == NULL)
483 return GNUTLS_E_INTERNAL_ERROR;
484
485 dh = &info->dh;
486 break;
487 }
488 default:
489 MHD_gnutls_assert ();
490 return GNUTLS_E_INTERNAL_ERROR;
491 }
492
493 /* prime
494 */
495 ret = MHD_gtls_mpi_dprint_lz (&dh->prime, prime);
496 if (ret < 0)
497 {
498 MHD_gnutls_assert ();
499 return ret;
500 }
501
502 /* generator
503 */
504 ret = MHD_gtls_mpi_dprint_lz (&dh->generator, gen);
505 if (ret < 0)
506 {
507 MHD_gnutls_assert ();
508 MHD__gnutls_free_datum (&dh->prime);
509 return ret;
510 }
511
512 return 0;
513}
514
515/**
516 * MHD__gnutls_certificate_send_x509_rdn_sequence - This function will order gnutls to send or not the x.509 rdn sequence
517 * @session: is a pointer to a #MHD_gtls_session_t structure.
518 * @status: is 0 or 1
519 *
520 * If status is non zero, this function will order gnutls not to send
521 * the rdnSequence in the certificate request message. That is the
522 * server will not advertize it's trusted CAs to the peer. If status
523 * is zero then the default behaviour will take effect, which is to
524 * advertize the server's trusted CAs.
525 *
526 * This function has no effect in clients, and in authentication
527 * methods other than certificate with X.509 certificates.
528 **/
529void
530MHD__gnutls_certificate_send_x509_rdn_sequence (MHD_gtls_session_t session,
531 int status)
532{
533 session->internals.ignore_rdn_sequence = status;
534}
535
536/*-
537 * MHD__gnutls_record_set_default_version - Used to set the default version for the first record packet
538 * @session: is a #MHD_gtls_session_t structure.
539 * @major: is a tls major version
540 * @minor: is a tls minor version
541 *
542 * This function sets the default version that we will use in the first
543 * record packet (client hello). This function is only useful to people
544 * that know TLS internals and want to debug other implementations.
545 *
546 -*/
547void
548MHD__gnutls_record_set_default_version (MHD_gtls_session_t session,
549 unsigned char major,
550 unsigned char minor)
551{
552 session->internals.default_record_version[0] = major;
553 session->internals.default_record_version[1] = minor;
554}
555
556inline static int
557MHD__gnutls_cal_PRF_A (enum MHD_GNUTLS_HashAlgorithm algorithm,
558 const void *secret,
559 int secret_size,
560 const void *seed, int seed_size, void *result)
561{
562 mac_hd_t td1;
563
564 td1 = MHD_gtls_MHD_hmac_init (algorithm, secret, secret_size);
565 if (td1 == GNUTLS_MAC_FAILED)
566 {
567 MHD_gnutls_assert ();
568 return GNUTLS_E_INTERNAL_ERROR;
569 }
570
571 MHD_gnutls_hash (td1, seed, seed_size);
572 MHD_gnutls_MHD_hmac_deinit (td1, result);
573
574 return 0;
575}
576
577#define MAX_SEED_SIZE 200
578
579/* Produces "total_bytes" bytes using the hash algorithm specified.
580 * (used in the PRF function)
581 */
582static int
583MHD__gnutls_P_hash (enum MHD_GNUTLS_HashAlgorithm algorithm,
584 const opaque * secret,
585 int secret_size,
586 const opaque * seed,
587 int seed_size, int total_bytes, opaque * ret)
588{
589
590 mac_hd_t td2;
591 int i, times, how, blocksize, A_size;
592 opaque final[20], Atmp[MAX_SEED_SIZE];
593 int output_bytes, result;
594
595 if (seed_size > MAX_SEED_SIZE || total_bytes <= 0)
596 {
597 MHD_gnutls_assert ();
598 return GNUTLS_E_INTERNAL_ERROR;
599 }
600
601 blocksize = MHD_gnutls_hash_get_algo_len (algorithm);
602
603 output_bytes = 0;
604 do
605 {
606 output_bytes += blocksize;
607 }
608 while (output_bytes < total_bytes);
609
610 /* calculate A(0) */
611
612 memcpy (Atmp, seed, seed_size);
613 A_size = seed_size;
614
615 times = output_bytes / blocksize;
616
617 for (i = 0; i < times; i++)
618 {
619 td2 = MHD_gtls_MHD_hmac_init (algorithm, secret, secret_size);
620 if (td2 == GNUTLS_MAC_FAILED)
621 {
622 MHD_gnutls_assert ();
623 return GNUTLS_E_INTERNAL_ERROR;
624 }
625
626 /* here we calculate A(i+1) */
627 if ((result =
628 MHD__gnutls_cal_PRF_A (algorithm, secret, secret_size, Atmp,
629 A_size, Atmp)) < 0)
630 {
631 MHD_gnutls_assert ();
632 MHD_gnutls_MHD_hmac_deinit (td2, final);
633 return result;
634 }
635
636 A_size = blocksize;
637
638 MHD_gnutls_hash (td2, Atmp, A_size);
639 MHD_gnutls_hash (td2, seed, seed_size);
640 MHD_gnutls_MHD_hmac_deinit (td2, final);
641
642 if ((1 + i) * blocksize < total_bytes)
643 {
644 how = blocksize;
645 }
646 else
647 {
648 how = total_bytes - (i) * blocksize;
649 }
650
651 if (how > 0)
652 {
653 memcpy (&ret[i * blocksize], final, how);
654 }
655 }
656
657 return 0;
658}
659
660/* Xor's two buffers and puts the output in the first one.
661 */
662inline static void
663MHD__gnutls_xor (opaque * o1, opaque * o2, int length)
664{
665 int i;
666 for (i = 0; i < length; i++)
667 {
668 o1[i] ^= o2[i];
669 }
670}
671
672#define MAX_PRF_BYTES 200
673
674/* The PRF function expands a given secret
675 * needed by the TLS specification. ret must have a least total_bytes
676 * available.
677 */
678int
679MHD_gtls_PRF (MHD_gtls_session_t session,
680 const opaque * secret,
681 int secret_size,
682 const char *label,
683 int label_size,
684 const opaque * seed, int seed_size, int total_bytes, void *ret)
685{
686 int l_s, s_seed_size;
687 const opaque *s1, *s2;
688 opaque s_seed[MAX_SEED_SIZE];
689 opaque o1[MAX_PRF_BYTES], o2[MAX_PRF_BYTES];
690 int result;
691 enum MHD_GNUTLS_Protocol ver = MHD__gnutls_protocol_get_version (session);
692
693 if (total_bytes > MAX_PRF_BYTES)
694 {
695 MHD_gnutls_assert ();
696 return GNUTLS_E_INTERNAL_ERROR;
697 }
698 /* label+seed = s_seed */
699 s_seed_size = seed_size + label_size;
700
701 if (s_seed_size > MAX_SEED_SIZE)
702 {
703 MHD_gnutls_assert ();
704 return GNUTLS_E_INTERNAL_ERROR;
705 }
706
707 memcpy (s_seed, label, label_size);
708 memcpy (&s_seed[label_size], seed, seed_size);
709
710 if (ver >= MHD_GNUTLS_PROTOCOL_TLS1_2)
711 {
712 result =
713 MHD__gnutls_P_hash (MHD_GNUTLS_MAC_SHA1, secret, secret_size, s_seed,
714 s_seed_size, total_bytes, ret);
715 if (result < 0)
716 {
717 MHD_gnutls_assert ();
718 return result;
719 }
720 }
721 else
722 {
723 l_s = secret_size / 2;
724
725 s1 = &secret[0];
726 s2 = &secret[l_s];
727
728 if (secret_size % 2 != 0)
729 {
730 l_s++;
731 }
732
733 result =
734 MHD__gnutls_P_hash (MHD_GNUTLS_MAC_MD5, s1, l_s, s_seed, s_seed_size,
735 total_bytes, o1);
736 if (result < 0)
737 {
738 MHD_gnutls_assert ();
739 return result;
740 }
741
742 result =
743 MHD__gnutls_P_hash (MHD_GNUTLS_MAC_SHA1, s2, l_s, s_seed, s_seed_size,
744 total_bytes, o2);
745 if (result < 0)
746 {
747 MHD_gnutls_assert ();
748 return result;
749 }
750
751 MHD__gnutls_xor (o1, o2, total_bytes);
752
753 memcpy (ret, o1, total_bytes);
754 }
755
756 return 0; /* ok */
757
758}
759
760
761/*-
762 * MHD_gtls_session_is_export - Used to check whether this session is of export grade
763 * @session: is a #MHD_gtls_session_t structure.
764 *
765 * This function will return non zero if this session is of export grade.
766 *
767 -*/
768int
769MHD_gtls_session_is_export (MHD_gtls_session_t session)
770{
771 enum MHD_GNUTLS_CipherAlgorithm cipher;
772
773 cipher =
774 MHD_gtls_cipher_suite_get_cipher_algo (&session->security_parameters.
775 current_cipher_suite);
776
777 if (MHD_gtls_cipher_get_export_flag (cipher) != 0)
778 return 1;
779
780 return 0;
781}
782
783/**
784 * MHD__gnutls_record_get_direction - This function will return the direction of the last interrupted function call
785 * @session: is a #MHD_gtls_session_t structure.
786 *
787 * This function provides information about the internals of the
788 * record protocol and is only useful if a prior gnutls function call
789 * (e.g. MHD__gnutls_handshake()) was interrupted for some reason, that
790 * is, if a function returned %GNUTLS_E_INTERRUPTED or
791 * %GNUTLS_E_AGAIN. In such a case, you might want to call select()
792 * or poll() before calling the interrupted gnutls function again.
793 * To tell you whether a file descriptor should be selected for
794 * either reading or writing, MHD__gnutls_record_get_direction() returns 0
795 * if the interrupted function was trying to read data, and 1 if it
796 * was trying to write data.
797 *
798 * Returns: 0 if trying to read data, 1 if trying to write data.
799 **/
800int
801MHD__gnutls_record_get_direction (MHD_gtls_session_t session)
802{
803 return session->internals.direction;
804}
diff --git a/src/daemon/https/tls/gnutls_state.h b/src/daemon/https/tls/gnutls_state.h
deleted file mode 100644
index a6ff5892..00000000
--- a/src/daemon/https/tls/gnutls_state.h
+++ /dev/null
@@ -1,77 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef GNUTLS_STATE_H
26# define GNUTLS_STATE_H
27
28#include <gnutls_int.h>
29
30void MHD__gnutls_session_cert_type_set (MHD_gtls_session_t session,
31 enum MHD_GNUTLS_CertificateType);
32enum MHD_GNUTLS_KeyExchangeAlgorithm MHD_gnutls_kx_get (MHD_gtls_session_t
33 session);
34enum MHD_GNUTLS_CipherAlgorithm MHD_gnutls_cipher_get (MHD_gtls_session_t
35 session);
36enum MHD_GNUTLS_CertificateType
37MHD_gnutls_certificate_type_get (MHD_gtls_session_t);
38
39#include <gnutls_auth_int.h>
40
41#define CHECK_AUTH(auth, ret) if (MHD_gtls_auth_get_type(session) != auth) { \
42 MHD_gnutls_assert(); \
43 return ret; \
44 }
45
46#endif
47
48int MHD_gtls_session_cert_type_supported (MHD_gtls_session_t,
49 enum MHD_GNUTLS_CertificateType);
50
51int MHD_gtls_dh_set_secret_bits (MHD_gtls_session_t session, unsigned bits);
52
53int MHD_gtls_dh_set_peer_public (MHD_gtls_session_t session, mpi_t public);
54int MHD_gtls_dh_set_group (MHD_gtls_session_t session, mpi_t gen,
55 mpi_t prime);
56
57int MHD_gtls_dh_get_allowed_prime_bits (MHD_gtls_session_t session);
58void MHD_gtls_handshake_internal_state_clear (MHD_gtls_session_t);
59
60int MHD_gtls_rsa_export_set_pubkey (MHD_gtls_session_t session,
61 mpi_t exponent, mpi_t modulus);
62
63int MHD_gtls_session_is_resumable (MHD_gtls_session_t session);
64int MHD_gtls_session_is_export (MHD_gtls_session_t session);
65
66int MHD_gtls_openpgp_send_fingerprint (MHD_gtls_session_t session);
67
68int MHD_gtls_PRF (MHD_gtls_session_t session,
69 const opaque * secret, int secret_size,
70 const char *label, int label_size,
71 const opaque * seed, int seed_size,
72 int total_bytes, void *ret);
73
74int MHD__gnutls_init (MHD_gtls_session_t * session,
75 MHD_gnutls_connection_end_t con_end);
76
77#define DEFAULT_CERT_TYPE MHD_GNUTLS_CRT_X509
diff --git a/src/daemon/https/tls/gnutls_str.c b/src/daemon/https/tls/gnutls_str.c
deleted file mode 100644
index c8f17c25..00000000
--- a/src/daemon/https/tls/gnutls_str.c
+++ /dev/null
@@ -1,157 +0,0 @@
1/*
2 * Copyright (C) 2002, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include <gnutls_errors.h>
27#include <gnutls_num.h>
28#include <gnutls_str.h>
29
30/* These function are like strcat, strcpy. They only
31 * do bound checking (they shouldn't cause buffer overruns),
32 * and they always produce null terminated strings.
33 *
34 * They should be used only with null terminated strings.
35 */
36void
37MHD_gtls_str_cat (char *dest, size_t dest_tot_size, const char *src)
38{
39 size_t str_size = strlen (src);
40 size_t dest_size = strlen (dest);
41
42 if (dest_tot_size - dest_size > str_size)
43 {
44 strcat (dest, src);
45 }
46 else
47 {
48 if (dest_tot_size - dest_size > 0)
49 {
50 strncat (dest, src, (dest_tot_size - dest_size) - 1);
51 dest[dest_tot_size - 1] = 0;
52 }
53 }
54}
55
56void
57MHD_gtls_str_cpy (char *dest, size_t dest_tot_size, const char *src)
58{
59 size_t str_size = strlen (src);
60
61 if (dest_tot_size > str_size)
62 {
63 strcpy (dest, src);
64 }
65 else
66 {
67 if (dest_tot_size > 0)
68 {
69 strncpy (dest, src, (dest_tot_size) - 1);
70 dest[dest_tot_size - 1] = 0;
71 }
72 }
73}
74
75void
76MHD_gtls_string_init (MHD_gtls_string * str,
77 MHD_gnutls_alloc_function alloc_func,
78 MHD_gnutls_realloc_function realloc_func,
79 MHD_gnutls_free_function free_func)
80{
81 str->data = NULL;
82 str->max_length = 0;
83 str->length = 0;
84
85 str->alloc_func = alloc_func;
86 str->free_func = free_func;
87 str->realloc_func = realloc_func;
88}
89
90void
91MHD_gtls_string_clear (MHD_gtls_string * str)
92{
93 if (str == NULL || str->data == NULL)
94 return;
95 str->free_func (str->data);
96
97 str->data = NULL;
98 str->max_length = 0;
99 str->length = 0;
100}
101
102#define MIN_CHUNK 256
103
104
105int
106MHD_gtls_string_append_data (MHD_gtls_string * dest,
107 const void *data, size_t data_size)
108{
109 size_t tot_len = data_size + dest->length;
110
111 if (dest->max_length >= tot_len)
112 {
113 memcpy (&dest->data[dest->length], data, data_size);
114 dest->length = tot_len;
115
116 return tot_len;
117 }
118 else
119 {
120 size_t new_len =
121 MAX (data_size, MIN_CHUNK) + MAX (dest->max_length, MIN_CHUNK);
122 dest->data = dest->realloc_func (dest->data, new_len);
123 if (dest->data == NULL)
124 {
125 MHD_gnutls_assert ();
126 return GNUTLS_E_MEMORY_ERROR;
127 }
128 dest->max_length = new_len;
129
130 memcpy (&dest->data[dest->length], data, data_size);
131 dest->length = tot_len;
132
133 return tot_len;
134 }
135}
136
137/* Converts the given string (old) to hex. A buffer must be provided
138 * to hold the new hex string. The new string will be null terminated.
139 * If the buffer does not have enough space to hold the string, a
140 * truncated hex string is returned (always null terminated).
141 */
142char *
143MHD_gtls_bin2hex (const void *_old,
144 size_t oldlen, char *buffer, size_t buffer_size)
145{
146 unsigned int i, j;
147 const opaque *old = _old;
148
149 for (i = j = 0; i < oldlen && j + 2 < buffer_size; j += 2)
150 {
151 sprintf (&buffer[j], "%.2x", old[i]);
152 i++;
153 }
154 buffer[j] = '\0';
155
156 return buffer;
157}
diff --git a/src/daemon/https/tls/gnutls_str.h b/src/daemon/https/tls/gnutls_str.h
deleted file mode 100644
index 51ed1bd1..00000000
--- a/src/daemon/https/tls/gnutls_str.h
+++ /dev/null
@@ -1,53 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef GNUTLS_STR_H
26#define GNUTLS_STR_H
27
28#include <gnutls_int.h>
29
30void MHD_gtls_str_cpy (char *dest, size_t dest_tot_size, const char *src);
31void MHD_gtls_str_cat (char *dest, size_t dest_tot_size, const char *src);
32
33typedef struct
34{
35 opaque *data;
36 size_t max_length;
37 size_t length;
38 MHD_gnutls_realloc_function realloc_func;
39 MHD_gnutls_alloc_function alloc_func;
40 MHD_gnutls_free_function free_func;
41} MHD_gtls_string;
42
43void MHD_gtls_string_init (MHD_gtls_string *, MHD_gnutls_alloc_function,
44 MHD_gnutls_realloc_function,
45 MHD_gnutls_free_function);
46void MHD_gtls_string_clear (MHD_gtls_string *);
47
48int MHD_gtls_string_append_data (MHD_gtls_string *, const void *data,
49 size_t data_size);
50char *MHD_gtls_bin2hex (const void *old, size_t oldlen, char *buffer,
51 size_t buffer_size);
52
53#endif
diff --git a/src/daemon/https/tls/gnutls_supplemental.c b/src/daemon/https/tls/gnutls_supplemental.c
deleted file mode 100644
index 3b9641d4..00000000
--- a/src/daemon/https/tls/gnutls_supplemental.c
+++ /dev/null
@@ -1,199 +0,0 @@
1/*
2 * Copyright (C) 2007 Free Software Foundation
3 *
4 * Author: Simon Josefsson
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file contains support functions for 'TLS Handshake Message for
26 * Supplemental Data' (RFC 4680).
27 *
28 * The idea here is simple. MHD__gnutls_handshake() in gnuts_handshake.c
29 * will call MHD__gnutls_gen_supplemental and MHD__gnutls_parse_supplemental
30 * when some extension requested that supplemental data be sent or
31 * received. Extension request this by setting the flags
32 * do_recv_supplemental or do_send_supplemental in the session.
33 *
34 * The functions in this file iterate through the MHD__gnutls_supplemental
35 * array, and calls the send/recv functions for each respective data
36 * type.
37 *
38 * The receive function of each data type is responsible for decoding
39 * its own data. If the extension did not expect to receive
40 * supplemental data, it should return GNUTLS_E_UNEXPECTED_PACKET.
41 * Otherwise, it just parse the data as normal.
42 *
43 * The send function needs to append the 2-byte data format type, and
44 * append the 2-byte length of its data, and the data. If it doesn't
45 * want to send any data, it is fine to return without doing anything.
46 */
47
48#include "gnutls_int.h"
49#include "gnutls_supplemental.h"
50#include "gnutls_errors.h"
51#include "gnutls_num.h"
52
53typedef int (*supp_recv_func) (MHD_gtls_session_t session,
54 const opaque * data, size_t data_size);
55typedef int (*supp_send_func) (MHD_gtls_session_t session,
56 MHD_gtls_buffer * buf);
57
58typedef struct
59{
60 const char *name;
61 MHD_gnutls_supplemental_data_format_type_t type;
62 supp_recv_func supp_recv_func;
63 supp_send_func supp_send_func;
64} MHD_gnutls_supplemental_entry;
65
66MHD_gnutls_supplemental_entry MHD__gnutls_supplemental[] = {
67 {0, 0, 0, 0}
68};
69
70
71static supp_recv_func
72get_supp_func_recv (MHD_gnutls_supplemental_data_format_type_t type)
73{
74 MHD_gnutls_supplemental_entry *p;
75
76 for (p = MHD__gnutls_supplemental; p->name != NULL; p++)
77 if (p->type == type)
78 return p->supp_recv_func;
79
80 return NULL;
81}
82
83int
84MHD__gnutls_gen_supplemental (MHD_gtls_session_t session,
85 MHD_gtls_buffer * buf)
86{
87 MHD_gnutls_supplemental_entry *p;
88 int ret;
89
90 /* Make room for 3 byte length field. */
91 ret = MHD_gtls_buffer_append (buf, "\0\0\0", 3);
92 if (ret < 0)
93 {
94 MHD_gnutls_assert ();
95 return ret;
96 }
97
98 for (p = MHD__gnutls_supplemental; p->name; p++)
99 {
100 supp_send_func supp_send = p->supp_send_func;
101 size_t sizepos = buf->length;
102 int ret;
103
104 /* Make room for supplement type and length byte length field. */
105 ret = MHD_gtls_buffer_append (buf, "\0\0\0\0", 4);
106 if (ret < 0)
107 {
108 MHD_gnutls_assert ();
109 return ret;
110 }
111
112 ret = supp_send (session, buf);
113 if (ret < 0)
114 {
115 MHD_gnutls_assert ();
116 return ret;
117 }
118
119 /* If data were added, store type+length, otherwise reset. */
120 if (buf->length > sizepos + 4)
121 {
122 buf->data[sizepos] = 0;
123 buf->data[sizepos + 1] = p->type;
124 buf->data[sizepos + 2] = ((buf->length - sizepos - 4) >> 8) & 0xFF;
125 buf->data[sizepos + 3] = (buf->length - sizepos - 4) & 0xFF;
126 }
127 else
128 buf->length -= 4;
129 }
130
131 buf->data[0] = ((buf->length - 3) >> 16) & 0xFF;
132 buf->data[1] = ((buf->length - 3) >> 8) & 0xFF;
133 buf->data[2] = (buf->length - 3) & 0xFF;
134
135 MHD__gnutls_debug_log ("EXT[%x]: Sending %d bytes of supplemental data\n",
136 session, buf->length);
137
138 return buf->length;
139}
140
141int
142MHD__gnutls_parse_supplemental (MHD_gtls_session_t session,
143 const uint8_t * data, int datalen)
144{
145 const opaque *p = data;
146 ssize_t dsize = datalen;
147 size_t total_size;
148
149 DECR_LEN (dsize, 3);
150 total_size = MHD_gtls_read_uint24 (p);
151 p += 3;
152
153 if (dsize != total_size)
154 {
155 MHD_gnutls_assert ();
156 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
157 }
158
159 do
160 {
161 uint16_t supp_data_type;
162 uint16_t supp_data_length;
163 supp_recv_func recv_func;
164
165 DECR_LEN (dsize, 2);
166 supp_data_type = MHD_gtls_read_uint16 (p);
167 p += 2;
168
169 DECR_LEN (dsize, 2);
170 supp_data_length = MHD_gtls_read_uint16 (p);
171 p += 2;
172
173 MHD__gnutls_debug_log
174 ("EXT[%x]: Got supplemental type=%02x length=%d\n", session,
175 supp_data_type, supp_data_length);
176
177 recv_func = get_supp_func_recv (supp_data_type);
178 if (recv_func)
179 {
180 int ret = recv_func (session, p, supp_data_length);
181 if (ret < 0)
182 {
183 MHD_gnutls_assert ();
184 return ret;
185 }
186 }
187 else
188 {
189 MHD_gnutls_assert ();
190 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
191 }
192
193 DECR_LEN (dsize, supp_data_length);
194 p += supp_data_length;
195 }
196 while (dsize > 0);
197
198 return 0;
199}
diff --git a/src/daemon/https/tls/gnutls_supplemental.h b/src/daemon/https/tls/gnutls_supplemental.h
deleted file mode 100644
index b7ad0c29..00000000
--- a/src/daemon/https/tls/gnutls_supplemental.h
+++ /dev/null
@@ -1,30 +0,0 @@
1/*
2 * Copyright (C) 2007 Free Software Foundation
3 *
4 * Author: Simon Josefsson
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26
27int MHD__gnutls_parse_supplemental (MHD_gtls_session_t session,
28 const uint8_t * data, int data_size);
29int MHD__gnutls_gen_supplemental (MHD_gtls_session_t session,
30 MHD_gtls_buffer * buf);
diff --git a/src/daemon/https/tls/gnutls_ui.c b/src/daemon/https/tls/gnutls_ui.c
deleted file mode 100644
index 5a1bfd3d..00000000
--- a/src/daemon/https/tls/gnutls_ui.c
+++ /dev/null
@@ -1,58 +0,0 @@
1/*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file contains certificate authentication functions to be exported in the
26 * API and did not fit elsewhere.
27 */
28
29#include <gnutls_int.h>
30#include <auth_cert.h>
31#include <gnutls_errors.h>
32#include <gnutls_auth_int.h>
33#include <gnutls_state.h>
34#include <gnutls_datum.h>
35
36/* ANON & DHE */
37
38/**
39 * MHD__gnutls_dh_set_prime_bits - Used to set the bits for a DH ciphersuite
40 * @session: is a #MHD_gtls_session_t structure.
41 * @bits: is the number of bits
42 *
43 * This function sets the number of bits, for use in an
44 * Diffie Hellman key exchange. This is used both in DH ephemeral and
45 * DH anonymous cipher suites. This will set the
46 * minimum size of the prime that will be used for the handshake.
47 *
48 * In the client side it sets the minimum accepted number of bits.
49 * If a server sends a prime with less bits than that
50 * GNUTLS_E_DH_PRIME_UNACCEPTABLE will be returned by the
51 * handshake.
52 *
53 **/
54void
55MHD__gnutls_dh_set_prime_bits (MHD_gtls_session_t session, unsigned int bits)
56{
57 session->internals.dh_prime_bits = bits;
58}
diff --git a/src/daemon/https/tls/gnutls_x509.c b/src/daemon/https/tls/gnutls_x509.c
deleted file mode 100644
index 685c9642..00000000
--- a/src/daemon/https/tls/gnutls_x509.c
+++ /dev/null
@@ -1,604 +0,0 @@
1/*
2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include "gnutls_auth_int.h"
27#include "gnutls_errors.h"
28#include <gnutls_cert.h>
29#include <auth_cert.h>
30#include "gnutls_dh.h"
31#include "gnutls_num.h"
32#include "gnutls_datum.h"
33#include <gnutls_pk.h>
34#include <gnutls_algorithms.h>
35#include <gnutls_global.h>
36#include <gnutls_record.h>
37#include <gnutls_sig.h>
38#include <gnutls_state.h>
39#include <gnutls_pk.h>
40#include <gnutls_str.h>
41#include <debug.h>
42#include <x509_b64.h>
43#include <gnutls_x509.h>
44#include <sys/types.h>
45#include <sys/stat.h>
46#include <fcntl.h>
47
48/* x509 */
49#include "common.h"
50#include "x509.h"
51#include "mpi.h"
52#include "privkey.h"
53
54
55/*
56 * some x509 certificate parsing functions.
57 */
58
59/* Check if the number of bits of the key in the certificate
60 * is unacceptable.
61 */
62inline static int
63check_bits (MHD_gnutls_x509_crt_t crt, unsigned int max_bits)
64{
65 int ret;
66 unsigned int bits;
67
68 ret = MHD_gnutls_x509_crt_get_pk_algorithm (crt, &bits);
69 if (ret < 0)
70 {
71 MHD_gnutls_assert ();
72 return ret;
73 }
74
75 if (bits > max_bits && max_bits > 0)
76 {
77 MHD_gnutls_assert ();
78 return GNUTLS_E_CONSTRAINT_ERROR;
79 }
80
81 return 0;
82}
83
84
85#define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
86 if (peer_certificate_list[x]) \
87 MHD_gnutls_x509_crt_deinit(peer_certificate_list[x]); \
88 } \
89 MHD_gnutls_free( peer_certificate_list)
90
91/*
92 * Read certificates and private keys, from memory etc.
93 */
94
95/* returns error if the certificate has different algorithm than
96 * the given key parameters.
97 */
98static int
99MHD__gnutls_check_key_cert_match (MHD_gtls_cert_credentials_t res)
100{
101 MHD_gnutls_datum_t cid;
102 MHD_gnutls_datum_t kid;
103 unsigned pk = res->cert_list[res->ncerts - 1][0].subject_pk_algorithm;
104
105 if (res->pkey[res->ncerts - 1].pk_algorithm != pk)
106 {
107 MHD_gnutls_assert ();
108 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
109 }
110
111 MHD__gnutls_x509_write_rsa_params (res->pkey[res->ncerts - 1].params,
112 res->pkey[res->ncerts -
113 1].params_size, &kid);
114
115
116 MHD__gnutls_x509_write_rsa_params (res->
117 cert_list[res->ncerts - 1][0].params,
118 res->cert_list[res->ncerts -
119 1][0].params_size, &cid);
120
121 if (cid.size != kid.size)
122 {
123 MHD_gnutls_assert ();
124 MHD__gnutls_free_datum (&kid);
125 MHD__gnutls_free_datum (&cid);
126 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
127 }
128
129 if (memcmp (kid.data, cid.data, kid.size) != 0)
130 {
131 MHD_gnutls_assert ();
132 MHD__gnutls_free_datum (&kid);
133 MHD__gnutls_free_datum (&cid);
134 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
135 }
136
137 MHD__gnutls_free_datum (&kid);
138 MHD__gnutls_free_datum (&cid);
139 return 0;
140}
141
142/* Reads a DER encoded certificate list from memory and stores it to
143 * a MHD_gnutls_cert structure.
144 * Returns the number of certificates parsed.
145 */
146static int
147parse_crt_mem (MHD_gnutls_cert ** cert_list, unsigned *ncerts,
148 MHD_gnutls_x509_crt_t cert)
149{
150 int i;
151 int ret;
152
153 i = *ncerts + 1;
154
155 *cert_list =
156 (MHD_gnutls_cert *) MHD_gtls_realloc_fast (*cert_list,
157 i * sizeof (MHD_gnutls_cert));
158
159 if (*cert_list == NULL)
160 {
161 MHD_gnutls_assert ();
162 return GNUTLS_E_MEMORY_ERROR;
163 }
164
165 ret = MHD_gtls_x509_crt_to_gcert (&cert_list[0][i - 1], cert, 0);
166 if (ret < 0)
167 {
168 MHD_gnutls_assert ();
169 return ret;
170 }
171
172 *ncerts = i;
173
174 return 1; /* one certificate parsed */
175}
176
177/* Reads a DER encoded certificate list from memory and stores it to
178 * a MHD_gnutls_cert structure.
179 * Returns the number of certificates parsed.
180 */
181static int
182parse_der_cert_mem (MHD_gnutls_cert ** cert_list, unsigned *ncerts,
183 const void *input_cert, int input_cert_size)
184{
185 MHD_gnutls_datum_t tmp;
186 MHD_gnutls_x509_crt_t cert;
187 int ret;
188
189 ret = MHD_gnutls_x509_crt_init (&cert);
190 if (ret < 0)
191 {
192 MHD_gnutls_assert ();
193 return ret;
194 }
195
196 tmp.data = (opaque *) input_cert;
197 tmp.size = input_cert_size;
198
199 ret = MHD_gnutls_x509_crt_import (cert, &tmp, GNUTLS_X509_FMT_DER);
200 if (ret < 0)
201 {
202 MHD_gnutls_assert ();
203 MHD_gnutls_x509_crt_deinit (cert);
204 return ret;
205 }
206
207 ret = parse_crt_mem (cert_list, ncerts, cert);
208 MHD_gnutls_x509_crt_deinit (cert);
209
210 return ret;
211}
212
213/* Reads a base64 encoded certificate list from memory and stores it to
214 * a MHD_gnutls_cert structure. Returns the number of certificate parsed.
215 */
216static int
217parse_pem_cert_mem (MHD_gnutls_cert ** cert_list, unsigned *ncerts,
218 const char *input_cert, int input_cert_size)
219{
220 int size, siz2, i;
221 const char *ptr;
222 opaque *ptr2;
223 MHD_gnutls_datum_t tmp;
224 int ret, count;
225
226 /* move to the certificate
227 */
228 ptr = memmem (input_cert, input_cert_size,
229 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
230 if (ptr == NULL)
231 ptr = memmem (input_cert, input_cert_size,
232 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
233
234 if (ptr == NULL)
235 {
236 MHD_gnutls_assert ();
237 return GNUTLS_E_BASE64_DECODING_ERROR;
238 }
239 size = input_cert_size - (ptr - input_cert);
240
241 i = *ncerts + 1;
242 count = 0;
243
244 do
245 {
246
247 siz2 =
248 MHD__gnutls_fbase64_decode (NULL, (const unsigned char *) ptr, size,
249 &ptr2);
250
251 if (siz2 < 0)
252 {
253 MHD_gnutls_assert ();
254 return GNUTLS_E_BASE64_DECODING_ERROR;
255 }
256
257 *cert_list =
258 (MHD_gnutls_cert *) MHD_gtls_realloc_fast (*cert_list,
259 i *
260 sizeof (MHD_gnutls_cert));
261
262 if (*cert_list == NULL)
263 {
264 MHD_gnutls_assert ();
265 return GNUTLS_E_MEMORY_ERROR;
266 }
267
268 tmp.data = ptr2;
269 tmp.size = siz2;
270
271 ret = MHD_gtls_x509_raw_cert_to_gcert (&cert_list[0][i - 1], &tmp, 0);
272 if (ret < 0)
273 {
274 MHD_gnutls_assert ();
275 return ret;
276 }
277 MHD__gnutls_free_datum (&tmp); /* free ptr2 */
278
279 /* now we move ptr after the pem header
280 */
281 ptr++;
282 /* find the next certificate (if any)
283 */
284 size = input_cert_size - (ptr - input_cert);
285
286 if (size > 0)
287 {
288 char *ptr3;
289
290 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
291 if (ptr3 == NULL)
292 ptr3 = memmem (ptr, size, PEM_CERT_SEP2,
293 sizeof (PEM_CERT_SEP2) - 1);
294
295 ptr = ptr3;
296 }
297 else
298 ptr = NULL;
299
300 i++;
301 count++;
302
303 }
304 while (ptr != NULL);
305
306 *ncerts = i - 1;
307
308 return count;
309}
310
311
312
313/* Reads a DER or PEM certificate from memory
314 */
315static int
316read_cert_mem (MHD_gtls_cert_credentials_t res, const void *cert,
317 int cert_size, MHD_gnutls_x509_crt_fmt_t type)
318{
319 int ret;
320
321 /* allocate space for the certificate to add
322 */
323 res->cert_list = MHD_gtls_realloc_fast (res->cert_list,
324 (1 +
325 res->ncerts) *
326 sizeof (MHD_gnutls_cert *));
327 if (res->cert_list == NULL)
328 {
329 MHD_gnutls_assert ();
330 return GNUTLS_E_MEMORY_ERROR;
331 }
332
333 res->cert_list_length = MHD_gtls_realloc_fast (res->cert_list_length,
334 (1 +
335 res->ncerts) *
336 sizeof (int));
337 if (res->cert_list_length == NULL)
338 {
339 MHD_gnutls_assert ();
340 return GNUTLS_E_MEMORY_ERROR;
341 }
342
343 res->cert_list[res->ncerts] = NULL; /* for realloc */
344 res->cert_list_length[res->ncerts] = 0;
345
346 if (type == GNUTLS_X509_FMT_DER)
347 ret = parse_der_cert_mem (&res->cert_list[res->ncerts],
348 &res->cert_list_length[res->ncerts],
349 cert, cert_size);
350 else
351 ret =
352 parse_pem_cert_mem (&res->cert_list[res->ncerts],
353 &res->cert_list_length[res->ncerts], cert,
354 cert_size);
355
356 if (ret < 0)
357 {
358 MHD_gnutls_assert ();
359 return ret;
360 }
361
362 return ret;
363}
364
365
366int
367MHD__gnutls_x509_privkey_to_gkey (MHD_gnutls_privkey * dest,
368 MHD_gnutls_x509_privkey_t src)
369{
370 int i, ret;
371
372 memset (dest, 0, sizeof (MHD_gnutls_privkey));
373
374 for (i = 0; i < src->params_size; i++)
375 {
376 dest->params[i] = MHD__gnutls_mpi_copy (src->params[i]);
377 if (dest->params[i] == NULL)
378 {
379 MHD_gnutls_assert ();
380 ret = GNUTLS_E_MEMORY_ERROR;
381 goto cleanup;
382 }
383 }
384
385 dest->pk_algorithm = src->pk_algorithm;
386 dest->params_size = src->params_size;
387
388 return 0;
389
390cleanup:
391
392 for (i = 0; i < src->params_size; i++)
393 {
394 MHD_gtls_mpi_release (&dest->params[i]);
395 }
396 return ret;
397}
398
399void
400MHD_gtls_gkey_deinit (MHD_gnutls_privkey * key)
401{
402 int i;
403 if (key == NULL)
404 return;
405
406 for (i = 0; i < key->params_size; i++)
407 {
408 MHD_gtls_mpi_release (&key->params[i]);
409 }
410}
411
412int
413MHD__gnutls_x509_raw_privkey_to_gkey (MHD_gnutls_privkey * privkey,
414 const MHD_gnutls_datum_t * raw_key,
415 MHD_gnutls_x509_crt_fmt_t type)
416{
417 MHD_gnutls_x509_privkey_t tmpkey;
418 int ret;
419
420 ret = MHD_gnutls_x509_privkey_init (&tmpkey);
421 if (ret < 0)
422 {
423 MHD_gnutls_assert ();
424 return ret;
425 }
426
427 ret = MHD_gnutls_x509_privkey_import (tmpkey, raw_key, type);
428 if (ret < 0)
429 {
430 MHD_gnutls_assert ();
431 MHD_gnutls_x509_privkey_deinit (tmpkey);
432 return ret;
433 }
434
435 ret = MHD__gnutls_x509_privkey_to_gkey (privkey, tmpkey);
436 if (ret < 0)
437 {
438 MHD_gnutls_assert ();
439 MHD_gnutls_x509_privkey_deinit (tmpkey);
440 return ret;
441 }
442
443 MHD_gnutls_x509_privkey_deinit (tmpkey);
444
445 return 0;
446}
447
448/* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
449 * indicates the certificate format. KEY can be NULL, to indicate
450 * that GnuTLS doesn't know the private key.
451 */
452static int
453read_key_mem (MHD_gtls_cert_credentials_t res,
454 const void *key, int key_size, MHD_gnutls_x509_crt_fmt_t type)
455{
456 int ret;
457 MHD_gnutls_datum_t tmp;
458
459 /* allocate space for the pkey list
460 */
461 res->pkey =
462 MHD_gtls_realloc_fast (res->pkey,
463 (res->ncerts + 1) * sizeof (MHD_gnutls_privkey));
464 if (res->pkey == NULL)
465 {
466 MHD_gnutls_assert ();
467 return GNUTLS_E_MEMORY_ERROR;
468 }
469
470 if (key)
471 {
472 tmp.data = (opaque *) key;
473 tmp.size = key_size;
474
475 ret =
476 MHD__gnutls_x509_raw_privkey_to_gkey (&res->pkey[res->ncerts], &tmp,
477 type);
478 if (ret < 0)
479 {
480 MHD_gnutls_assert ();
481 return ret;
482 }
483 }
484 else
485 memset (&res->pkey[res->ncerts], 0, sizeof (MHD_gnutls_privkey));
486
487 return 0;
488}
489
490/**
491 * MHD__gnutls_certificate_set_x509_key_mem - Used to set keys in a MHD_gtls_cert_credentials_t structure
492 * @res: is an #MHD_gtls_cert_credentials_t structure.
493 * @cert: contains a certificate list (path) for the specified private key
494 * @key: is the private key, or %NULL
495 * @type: is PEM or DER
496 *
497 * This function sets a certificate/private key pair in the
498 * MHD_gtls_cert_credentials_t structure. This function may be called
499 * more than once (in case multiple keys/certificates exist for the
500 * server).
501 *
502 * Currently are supported: RSA PKCS-1 encoded private keys,
503 * DSA private keys.
504 *
505 * DSA private keys are encoded the OpenSSL way, which is an ASN.1
506 * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv.
507 *
508 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
509 * is supported. This means that certificates intended for signing cannot
510 * be used for ciphersuites that require encryption.
511 *
512 * If the certificate and the private key are given in PEM encoding
513 * then the strings that hold their values must be null terminated.
514 *
515 * The @key may be %NULL if you are using a sign callback, see
516 * MHD_gtls_sign_callback_set().
517 *
518 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
519 **/
520int
521MHD__gnutls_certificate_set_x509_key_mem (MHD_gtls_cert_credentials_t
522 res,
523 const MHD_gnutls_datum_t * cert,
524 const MHD_gnutls_datum_t * key,
525 MHD_gnutls_x509_crt_fmt_t type)
526{
527 int ret;
528
529 /* this should be first
530 */
531 if ((ret = read_key_mem (res, key ? key->data : NULL,
532 key ? key->size : 0, type)) < 0)
533 return ret;
534
535 if ((ret = read_cert_mem (res, cert->data, cert->size, type)) < 0)
536 return ret;
537
538 res->ncerts++;
539
540 if (key && (ret = MHD__gnutls_check_key_cert_match (res)) < 0)
541 {
542 MHD_gnutls_assert ();
543 return ret;
544 }
545
546 return 0;
547}
548
549/* Returns 0 if it's ok to use the enum MHD_GNUTLS_KeyExchangeAlgorithm with this
550 * certificate (uses the KeyUsage field).
551 */
552int
553MHD__gnutls_check_key_usage (const MHD_gnutls_cert * cert,
554 enum MHD_GNUTLS_KeyExchangeAlgorithm alg)
555{
556 unsigned int key_usage = 0;
557 int encipher_type;
558
559 if (cert == NULL)
560 {
561 MHD_gnutls_assert ();
562 return GNUTLS_E_INTERNAL_ERROR;
563 }
564
565 if (MHD_gtls_map_kx_get_cred (alg, 1) == MHD_GNUTLS_CRD_CERTIFICATE ||
566 MHD_gtls_map_kx_get_cred (alg, 0) == MHD_GNUTLS_CRD_CERTIFICATE)
567 {
568
569 key_usage = cert->key_usage;
570
571 encipher_type = MHD_gtls_kx_encipher_type (alg);
572
573 if (key_usage != 0 && encipher_type != CIPHER_IGN)
574 {
575 /* If key_usage has been set in the certificate
576 */
577
578 if (encipher_type == CIPHER_ENCRYPT)
579 {
580 /* If the key exchange method requires an encipher
581 * type algorithm, and key's usage does not permit
582 * encipherment, then fail.
583 */
584 if (!(key_usage & KEY_KEY_ENCIPHERMENT))
585 {
586 MHD_gnutls_assert ();
587 return GNUTLS_E_KEY_USAGE_VIOLATION;
588 }
589 }
590
591 if (encipher_type == CIPHER_SIGN)
592 {
593 /* The same as above, but for sign only keys
594 */
595 if (!(key_usage & KEY_DIGITAL_SIGNATURE))
596 {
597 MHD_gnutls_assert ();
598 return GNUTLS_E_KEY_USAGE_VIOLATION;
599 }
600 }
601 }
602 }
603 return 0;
604}
diff --git a/src/daemon/https/tls/gnutls_x509.h b/src/daemon/https/tls/gnutls_x509.h
deleted file mode 100644
index 07269328..00000000
--- a/src/daemon/https/tls/gnutls_x509.h
+++ /dev/null
@@ -1,50 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <libtasn1.h>
26
27int MHD__gnutls_x509_cert_verify_peers (MHD_gtls_session_t session,
28 unsigned int *status);
29
30#define PEM_CERT_SEP2 "-----BEGIN X509 CERTIFICATE"
31#define PEM_CERT_SEP "-----BEGIN CERTIFICATE"
32
33#define PEM_CRL_SEP "-----BEGIN X509 CRL"
34
35#define PEM_KEY_RSA_SEP "-----BEGIN RSA"
36#define PEM_KEY_DSA_SEP "-----BEGIN DSA"
37
38int MHD__gnutls_check_key_usage (const MHD_gnutls_cert * cert,
39 enum MHD_GNUTLS_KeyExchangeAlgorithm alg);
40
41int MHD__gnutls_x509_read_rsa_params (opaque * der, int dersize,
42 mpi_t * params);
43int MHD__gnutls_x509_read_dsa_pubkey (opaque * der, int dersize,
44 mpi_t * params);
45
46int MHD__gnutls_x509_raw_privkey_to_gkey (MHD_gnutls_privkey * privkey,
47 const MHD_gnutls_datum_t * raw_key,
48 MHD_gnutls_x509_crt_fmt_t type);
49int MHD__gnutls_x509_privkey_to_gkey (MHD_gnutls_privkey * privkey,
50 MHD_gnutls_x509_privkey_t);
diff --git a/src/daemon/https/tls/libgnutls-config b/src/daemon/https/tls/libgnutls-config
deleted file mode 100644
index 80580a89..00000000
--- a/src/daemon/https/tls/libgnutls-config
+++ /dev/null
@@ -1,104 +0,0 @@
1#!/bin/sh
2
3prefix=/home/lama/workbench/programming/c/gnunet/gnutls-2.2.3/build
4exec_prefix=${prefix}
5exec_prefix_set=no
6
7gnutls_libs="-L${exec_prefix}/lib -lgnutls -L/usr/lib -ltasn1 -lgcrypt "
8gnutls_cflags=" -I/usr/include -I${prefix}/include"
9gnutls_la_file="${exec_prefix}/lib/libgnutls.la"
10
11usage()
12{
13 cat <<EOF
14Usage: libgnutls-config [OPTIONS]
15Options:
16 [--prefix[=DIR]]
17 [--exec-prefix[=DIR]]
18 [--version]
19 [--libs]
20 [--cflags]
21EOF
22 exit $1
23}
24
25if test $# -eq 0; then
26 usage 1 1>&2
27fi
28
29while test $# -gt 0; do
30 case "$1" in
31 -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
32 *) optarg= ;;
33 esac
34
35 case $1 in
36 --prefix=*)
37 prefix=$optarg
38 if test $exec_prefix_set = no ; then
39 exec_prefix=$optarg
40 fi
41 ;;
42 --prefix)
43 echo_prefix=yes
44 ;;
45 --exec-prefix=*)
46 exec_prefix=$optarg
47 exec_prefix_set=yes
48 ;;
49 --exec-prefix)
50 echo_exec_prefix=yes
51 ;;
52 --version)
53 echo "2.2.3"
54 exit 0
55 ;;
56 --cflags)
57 echo_cflags=yes
58 ;;
59 --libs)
60 echo_libs=yes
61 ;;
62 --la-file)
63 echo_la_file=yes
64 ;;
65 --help)
66 usage 0
67 ;;
68 *)
69 usage 1 1>&2
70 ;;
71 esac
72 shift
73done
74
75if test "$echo_prefix" = "yes"; then
76 echo $prefix
77fi
78
79if test "$echo_exec_prefix" = "yes"; then
80 echo $exec_prefix
81fi
82
83if test "$echo_cflags" = "yes"; then
84 if test "${prefix}/include" != "/usr/include" ; then
85 includes="-I${prefix}/include"
86 for i in $gnutls_cflags ; do
87 if test "$i" = "-I${prefix}/include" ; then
88 includes=""
89 fi
90 done
91 fi
92 echo $includes $gnutls_cflags
93fi
94
95if test "$echo_la_file" = "yes"; then
96 echo ${gnutls_la_file}
97fi
98
99if test "$echo_libs" = "yes"; then
100 echo ${gnutls_libs}
101fi
102
103
104
diff --git a/src/daemon/https/tls/libgnutls.m4 b/src/daemon/https/tls/libgnutls.m4
deleted file mode 100644
index 1851ca23..00000000
--- a/src/daemon/https/tls/libgnutls.m4
+++ /dev/null
@@ -1,160 +0,0 @@
1dnl Autoconf macros for libgnutls
2dnl $id$
3
4# Modified for LIBGNUTLS -- nmav
5# Configure paths for LIBGCRYPT
6# Shamelessly stolen from the one of XDELTA by Owen Taylor
7# Werner Koch 99-12-09
8
9dnl AM_PATH_LIBGNUTLS([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
10dnl Test for libgnutls, and define LIBGNUTLS_CFLAGS and LIBGNUTLS_LIBS
11dnl
12AC_DEFUN([AM_PATH_LIBGNUTLS],
13[dnl
14dnl Get the cflags and libraries from the libgnutls-config script
15dnl
16AC_ARG_WITH(libgnutls-prefix,
17 [ --with-libgnutls-prefix=PFX Prefix where libgnutls is installed (optional)],
18 libgnutls_config_prefix="$withval", libgnutls_config_prefix="")
19
20 if test x$libgnutls_config_prefix != x ; then
21 if test x${LIBGNUTLS_CONFIG+set} != xset ; then
22 LIBGNUTLS_CONFIG=$libgnutls_config_prefix/bin/libgnutls-config
23 fi
24 fi
25
26 AC_PATH_PROG(LIBGNUTLS_CONFIG, libgnutls-config, no)
27 min_libgnutls_version=ifelse([$1], ,0.1.0,$1)
28 AC_MSG_CHECKING(for libgnutls - version >= $min_libgnutls_version)
29 no_libgnutls=""
30 if test "$LIBGNUTLS_CONFIG" = "no" ; then
31 no_libgnutls=yes
32 else
33 LIBGNUTLS_CFLAGS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --cflags`
34 LIBGNUTLS_LIBS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --libs`
35 libgnutls_config_version=`$LIBGNUTLS_CONFIG $libgnutls_config_args --version`
36
37
38 ac_save_CFLAGS="$CFLAGS"
39 ac_save_LIBS="$LIBS"
40 CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
41 LIBS="$LIBS $LIBGNUTLS_LIBS"
42dnl
43dnl Now check if the installed libgnutls is sufficiently new. Also sanity
44dnl checks the results of libgnutls-config to some extent
45dnl
46 rm -f conf.libgnutlstest
47 AC_TRY_RUN([
48#include <stdio.h>
49#include <stdlib.h>
50#include <string.h>
51#include <gnutls.h>
52
53int
54main ()
55{
56 system ("touch conf.libgnutlstest");
57
58 if( strcmp( gnutls_check_version(NULL), "$libgnutls_config_version" ) )
59 {
60 printf("\n*** 'libgnutls-config --version' returned %s, but LIBGNUTLS (%s)\n",
61 "$libgnutls_config_version", gnutls_check_version(NULL) );
62 printf("*** was found! If libgnutls-config was correct, then it is best\n");
63 printf("*** to remove the old version of LIBGNUTLS. You may also be able to fix the error\n");
64 printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n");
65 printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n");
66 printf("*** required on your system.\n");
67 printf("*** If libgnutls-config was wrong, set the environment variable LIBGNUTLS_CONFIG\n");
68 printf("*** to point to the correct copy of libgnutls-config, and remove the file config.cache\n");
69 printf("*** before re-running configure\n");
70 }
71 else if ( strcmp(gnutls_check_version(NULL), LIBGNUTLS_VERSION ) )
72 {
73 printf("\n*** LIBGNUTLS header file (version %s) does not match\n", LIBGNUTLS_VERSION);
74 printf("*** library (version %s)\n", gnutls_check_version(NULL) );
75 }
76 else
77 {
78 if ( gnutls_check_version( "$min_libgnutls_version" ) )
79 {
80 return 0;
81 }
82 else
83 {
84 printf("no\n*** An old version of LIBGNUTLS (%s) was found.\n",
85 gnutls_check_version(NULL) );
86 printf("*** You need a version of LIBGNUTLS newer than %s. The latest version of\n",
87 "$min_libgnutls_version" );
88 printf("*** LIBGNUTLS is always available from ftp://gnutls.hellug.gr/pub/gnutls.\n");
89 printf("*** \n");
90 printf("*** If you have already installed a sufficiently new version, this error\n");
91 printf("*** probably means that the wrong copy of the libgnutls-config shell script is\n");
92 printf("*** being found. The easiest way to fix this is to remove the old version\n");
93 printf("*** of LIBGNUTLS, but you can also set the LIBGNUTLS_CONFIG environment to point to the\n");
94 printf("*** correct copy of libgnutls-config. (In this case, you will have to\n");
95 printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n");
96 printf("*** so that the correct libraries are found at run-time))\n");
97 }
98 }
99 return 1;
100}
101],, no_libgnutls=yes,[echo $ac_n "cross compiling; assumed OK... $ac_c"])
102 CFLAGS="$ac_save_CFLAGS"
103 LIBS="$ac_save_LIBS"
104 fi
105
106 if test "x$no_libgnutls" = x ; then
107 AC_MSG_RESULT(yes)
108 ifelse([$2], , :, [$2])
109 else
110 if test -f conf.libgnutlstest ; then
111 :
112 else
113 AC_MSG_RESULT(no)
114 fi
115 if test "$LIBGNUTLS_CONFIG" = "no" ; then
116 echo "*** The libgnutls-config script installed by LIBGNUTLS could not be found"
117 echo "*** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in"
118 echo "*** your path, or set the LIBGNUTLS_CONFIG environment variable to the"
119 echo "*** full path to libgnutls-config."
120 else
121 if test -f conf.libgnutlstest ; then
122 :
123 else
124 echo "*** Could not run libgnutls test program, checking why..."
125 CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
126 LIBS="$LIBS $LIBGNUTLS_LIBS"
127 AC_TRY_LINK([
128#include <stdio.h>
129#include <stdlib.h>
130#include <string.h>
131#include <gnutls.h>
132], [ return !!gnutls_check_version(NULL); ],
133 [ echo "*** The test program compiled, but did not run. This usually means"
134 echo "*** that the run-time linker is not finding LIBGNUTLS or finding the wrong"
135 echo "*** version of LIBGNUTLS. If it is not finding LIBGNUTLS, you'll need to set your"
136 echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point"
137 echo "*** to the installed location Also, make sure you have run ldconfig if that"
138 echo "*** is required on your system"
139 echo "***"
140 echo "*** If you have an old version installed, it is best to remove it, although"
141 echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH"
142 echo "***" ],
143 [ echo "*** The test program failed to compile or link. See the file config.log for the"
144 echo "*** exact error that occured. This usually means LIBGNUTLS was incorrectly installed"
145 echo "*** or that you have moved LIBGNUTLS since it was installed. In the latter case, you"
146 echo "*** may want to edit the libgnutls-config script: $LIBGNUTLS_CONFIG" ])
147 CFLAGS="$ac_save_CFLAGS"
148 LIBS="$ac_save_LIBS"
149 fi
150 fi
151 LIBGNUTLS_CFLAGS=""
152 LIBGNUTLS_LIBS=""
153 ifelse([$3], , :, [$3])
154 fi
155 rm -f conf.libgnutlstest
156 AC_SUBST(LIBGNUTLS_CFLAGS)
157 AC_SUBST(LIBGNUTLS_LIBS)
158])
159
160dnl *-*wedit:notab*-* Please keep this as the last line.
diff --git a/src/daemon/https/tls/libgnutls.vers b/src/daemon/https/tls/libgnutls.vers
deleted file mode 100644
index f793617b..00000000
--- a/src/daemon/https/tls/libgnutls.vers
+++ /dev/null
@@ -1,27 +0,0 @@
1# libgnutls.vers -- Versioning script to control what symbols to export.
2# Copyright (C) 2005, 2006, 2007 Free Software Foundation
3#
4# Author: Simon Josefsson
5#
6# This file is part of GNUTLS.
7#
8# The GNUTLS library is free software; you can redistribute it and/or
9# modify it under the terms of the GNU Lesser General Public License
10# as published by the Free Software Foundation; either version 2.1 of
11# the License, or (at your option) any later version.
12#
13# The GNUTLS library is distributed in the hope that it will be
14#useful, but WITHOUT ANY WARRANTY; without even the implied warranty
15#of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16#Lesser General Public License for more details.
17#
18# You should have received a copy of the GNU Lesser General Public
19# License along with the GNUTLS library; if not, write to the Free
20# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
21# MA 02110-1301, USA
22
23GNUTLS_1_4
24{
25 global: _gnutls*; gnutls*;
26 local: *;
27};
diff --git a/src/daemon/https/tls/memmem.c b/src/daemon/https/tls/memmem.c
deleted file mode 100644
index 77143a7e..00000000
--- a/src/daemon/https/tls/memmem.c
+++ /dev/null
@@ -1,78 +0,0 @@
1/* Copyright (C) 1991,92,93,94,96,97,98,2000,2004,2007,2008 Free Software
2 Foundation, Inc.
3 This file is part of the GNU C Library.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU Lesser General Public License as published by
7 the Free Software Foundation; either version 2.1, or (at your option)
8 any later version.
9
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU Lesser General Public License for more details.
14
15 You should have received a copy of the GNU Lesser General Public License along
16 with this program; if not, write to the Free Software Foundation,
17 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
18
19/* This particular implementation was written by Eric Blake, 2008. */
20
21/* Specification of memmem. */
22#include "gnutls_global.h"
23#include <string.h>
24
25#if !HAVE_MEMMEM
26
27#ifndef _LIBC
28# define __builtin_expect(expr, val) (expr)
29#endif
30
31#define RETURN_TYPE void *
32#define AVAILABLE(h, h_l, j, n_l) ((j) <= (h_l) - (n_l))
33#include "str-two-way.h"
34
35/* Return the first occurrence of NEEDLE in HAYSTACK. Return HAYSTACK
36 if NEEDLE_LEN is 0, otherwise NULL if NEEDLE is not found in
37 HAYSTACK. */
38void *
39memmem (const void *haystack_start, size_t haystack_len,
40 const void *needle_start, size_t needle_len)
41{
42 /* Abstract memory is considered to be an array of 'unsigned char' values,
43 not an array of 'char' values. See ISO C 99 section 6.2.6.1. */
44 const unsigned char *haystack = (const unsigned char *) haystack_start;
45 const unsigned char *needle = (const unsigned char *) needle_start;
46
47 if (needle_len == 0)
48 /* The first occurrence of the empty string is deemed to occur at
49 the beginning of the string. */
50 return (void *) haystack;
51
52 /* Sanity check, otherwise the loop might search through the whole
53 memory. */
54 if (__builtin_expect (haystack_len < needle_len, 0))
55 return NULL;
56
57 /* Use optimizations in memchr when possible, to reduce the search
58 size of haystack using a linear algorithm with a smaller
59 coefficient. However, avoid memchr for long needles, since we
60 can often achieve sublinear performance. */
61 if (needle_len < LONG_NEEDLE_THRESHOLD)
62 {
63 haystack = memchr (haystack, *needle, haystack_len);
64 if (!haystack || __builtin_expect (needle_len == 1, 0))
65 return (void *) haystack;
66 haystack_len -= haystack - (const unsigned char *) haystack_start;
67 if (haystack_len < needle_len)
68 return NULL;
69 return two_way_short_needle (haystack, haystack_len, needle,
70 needle_len);
71 }
72 else
73 return two_way_long_needle (haystack, haystack_len, needle, needle_len);
74}
75
76#undef LONG_NEEDLE_THRESHOLD
77
78#endif /* !HAVE_MEMMEM */
diff --git a/src/daemon/https/tls/pkix.asn b/src/daemon/https/tls/pkix.asn
deleted file mode 100644
index d46dfa07..00000000
--- a/src/daemon/https/tls/pkix.asn
+++ /dev/null
@@ -1,1241 +0,0 @@
1
2PKIX1 { }
3
4DEFINITIONS IMPLICIT TAGS ::=
5
6BEGIN
7
8-- This contains both PKIX1Implicit88 and RFC2630 ASN.1 modules.
9
10-- ISO arc for standard certificate and CRL extensions
11
12id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}
13
14
15-- authority key identifier OID and syntax
16
17id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
18
19AuthorityKeyIdentifier ::= SEQUENCE {
20 keyIdentifier [0] KeyIdentifier OPTIONAL,
21 authorityCertIssuer [1] GeneralNames OPTIONAL,
22 authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
23 -- authorityCertIssuer and authorityCertSerialNumber shall both
24 -- be present or both be absgent
25
26KeyIdentifier ::= OCTET STRING
27
28-- subject key identifier OID and syntax
29
30id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
31
32SubjectKeyIdentifier ::= KeyIdentifier
33
34-- key usage extension OID and syntax
35
36id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
37
38KeyUsage ::= BIT STRING {
39 digitalSignature (0),
40 nonRepudiation (1),
41 keyEncipherment (2),
42 dataEncipherment (3),
43 keyAgreement (4),
44 keyCertSign (5),
45 cRLSign (6),
46 encipherOnly (7),
47 decipherOnly (8) }
48
49-- private key usage period extension OID and syntax
50
51id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }
52
53PrivateKeyUsagePeriod ::= SEQUENCE {
54 notBefore [0] GeneralizedTime OPTIONAL,
55 notAfter [1] GeneralizedTime OPTIONAL }
56 -- either notBefore or notAfter shall be present
57
58-- certificate policies extension OID and syntax
59
60id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
61
62CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
63
64PolicyInformation ::= SEQUENCE {
65 policyIdentifier CertPolicyId,
66 policyQualifiers SEQUENCE SIZE (1..MAX) OF
67 PolicyQualifierInfo OPTIONAL }
68
69CertPolicyId ::= OBJECT IDENTIFIER
70
71PolicyQualifierInfo ::= SEQUENCE {
72 policyQualifierId PolicyQualifierId,
73 qualifier ANY DEFINED BY policyQualifierId }
74
75-- Implementations that recognize additional policy qualifiers shall
76-- augment the following definition for PolicyQualifierId
77
78PolicyQualifierId ::=
79 OBJECT IDENTIFIER -- ( id-qt-cps | id-qt-unotice )
80
81-- CPS pointer qualifier
82
83CPSuri ::= IA5String
84
85-- user notice qualifier
86
87UserNotice ::= SEQUENCE {
88 noticeRef NoticeReference OPTIONAL,
89 explicitText DisplayText OPTIONAL}
90
91NoticeReference ::= SEQUENCE {
92 organization DisplayText,
93 noticeNumbers SEQUENCE OF INTEGER }
94
95DisplayText ::= CHOICE {
96 visibleString VisibleString (SIZE (1..200)),
97 bmpString BMPString (SIZE (1..200)),
98 utf8String UTF8String (SIZE (1..200)) }
99
100-- policy mapping extension OID and syntax
101
102id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
103
104PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
105 issuerDomainPolicy CertPolicyId,
106 subjectDomainPolicy CertPolicyId }
107
108-- subject alternative name extension OID and syntax
109
110-- Directory string type --
111
112DirectoryString ::= CHOICE {
113 teletexString TeletexString (SIZE (1..MAX)),
114 printableString PrintableString (SIZE (1..MAX)),
115 universalString UniversalString (SIZE (1..MAX)),
116 utf8String UTF8String (SIZE (1..MAX)),
117 bmpString BMPString (SIZE(1..MAX)),
118 -- IA5String is added here to handle old UID encoded as ia5String --
119 -- See tests/userid/ for more information. It shouldn't be here, --
120 -- so if it causes problems, considering dropping it. --
121 ia5String IA5String (SIZE(1..MAX)) }
122
123id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
124
125SubjectAltName ::= GeneralNames
126
127GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
128
129GeneralName ::= CHOICE {
130 otherName [0] AnotherName,
131 rfc822Name [1] IA5String,
132 dNSName [2] IA5String,
133 x400Address [3] ORAddress,
134-- Changed to work with the libtasn1 parser.
135 directoryName [4] EXPLICIT RDNSequence, --Name,
136 ediPartyName [5] EDIPartyName,
137 uniformResourceIdentifier [6] IA5String,
138 iPAddress [7] OCTET STRING,
139 registeredID [8] OBJECT IDENTIFIER }
140
141-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
142-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
143
144AnotherName ::= SEQUENCE {
145 type-id OBJECT IDENTIFIER,
146 value [0] EXPLICIT ANY DEFINED BY type-id }
147
148EDIPartyName ::= SEQUENCE {
149 nameAssigner [0] DirectoryString OPTIONAL,
150 partyName [1] DirectoryString }
151
152-- issuer alternative name extension OID and syntax
153
154id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }
155
156IssuerAltName ::= GeneralNames
157
158id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }
159
160SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
161
162-- basic constraints extension OID and syntax
163
164id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
165
166BasicConstraints ::= SEQUENCE {
167 cA BOOLEAN DEFAULT FALSE,
168 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
169
170-- name constraints extension OID and syntax
171
172id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
173
174NameConstraints ::= SEQUENCE {
175 permittedSubtrees [0] GeneralSubtrees OPTIONAL,
176 excludedSubtrees [1] GeneralSubtrees OPTIONAL }
177
178GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
179
180GeneralSubtree ::= SEQUENCE {
181 base GeneralName,
182 minimum [0] BaseDistance DEFAULT 0,
183 maximum [1] BaseDistance OPTIONAL }
184
185BaseDistance ::= INTEGER (0..MAX)
186
187-- policy constraints extension OID and syntax
188
189id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
190
191PolicyConstraints ::= SEQUENCE {
192 requireExplicitPolicy [0] SkipCerts OPTIONAL,
193 inhibitPolicyMapping [1] SkipCerts OPTIONAL }
194
195SkipCerts ::= INTEGER (0..MAX)
196
197-- CRL distribution points extension OID and syntax
198
199id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
200
201CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
202
203DistributionPoint ::= SEQUENCE {
204 distributionPoint [0] EXPLICIT DistributionPointName OPTIONAL,
205 reasons [1] ReasonFlags OPTIONAL,
206 cRLIssuer [2] GeneralNames OPTIONAL
207}
208
209DistributionPointName ::= CHOICE {
210 fullName [0] GeneralNames,
211 nameRelativeToCRLIssuer [1] RelativeDistinguishedName
212}
213
214ReasonFlags ::= BIT STRING {
215 unused (0),
216 keyCompromise (1),
217 cACompromise (2),
218 affiliationChanged (3),
219 superseded (4),
220 cessationOfOperation (5),
221 certificateHold (6),
222 privilegeWithdrawn (7),
223 aACompromise (8) }
224
225-- extended key usage extension OID and syntax
226
227id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
228
229ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
230
231KeyPurposeId ::= OBJECT IDENTIFIER
232
233-- extended key purpose OIDs
234id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
235id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
236id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
237id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
238id-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-kp 5 }
239id-kp-ipsecTunnel OBJECT IDENTIFIER ::= { id-kp 6 }
240id-kp-ipsecUser OBJECT IDENTIFIER ::= { id-kp 7 }
241id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
242
243-- authority info access
244
245id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
246
247AuthorityInfoAccessSyntax ::=
248 SEQUENCE SIZE (1..MAX) OF AccessDescription
249
250AccessDescription ::= SEQUENCE {
251 accessMethod OBJECT IDENTIFIER,
252 accessLocation GeneralName }
253
254-- CRL number extension OID and syntax
255
256id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
257
258CRLNumber ::= INTEGER (0..MAX)
259
260-- issuing distribution point extension OID and syntax
261
262id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
263
264IssuingDistributionPoint ::= SEQUENCE {
265 distributionPoint [0] DistributionPointName OPTIONAL,
266 onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
267 onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
268 onlySomeReasons [3] ReasonFlags OPTIONAL,
269 indirectCRL [4] BOOLEAN DEFAULT FALSE }
270
271
272id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
273
274-- deltaCRLIndicator ::= BaseCRLNumber
275
276BaseCRLNumber ::= CRLNumber
277
278-- CRL reasons extension OID and syntax
279
280id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
281
282CRLReason ::= ENUMERATED {
283 unspecified (0),
284 keyCompromise (1),
285 cACompromise (2),
286 affiliationChanged (3),
287 superseded (4),
288 cessationOfOperation (5),
289 certificateHold (6),
290 removeFromCRL (8) }
291
292-- certificate issuer CRL entry extension OID and syntax
293
294id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
295
296CertificateIssuer ::= GeneralNames
297
298-- hold instruction extension OID and syntax
299
300id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
301
302HoldInstructionCode ::= OBJECT IDENTIFIER
303
304-- ANSI x9 holdinstructions
305
306-- ANSI x9 arc holdinstruction arc
307holdInstruction OBJECT IDENTIFIER ::=
308 {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
309
310-- ANSI X9 holdinstructions referenced by this standard
311id-holdinstruction-none OBJECT IDENTIFIER ::=
312 {holdInstruction 1} -- deprecated
313id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
314 {holdInstruction 2}
315id-holdinstruction-reject OBJECT IDENTIFIER ::=
316 {holdInstruction 3}
317
318-- invalidity date CRL entry extension OID and syntax
319
320id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
321
322InvalidityDate ::= GeneralizedTime
323
324
325-- --------------------------------------
326-- EXPLICIT
327-- --------------------------------------
328
329-- UNIVERSAL Types defined in '93 and '98 ASN.1
330-- but required by this specification
331
332VisibleString ::= [UNIVERSAL 26] IMPLICIT OCTET STRING
333
334NumericString ::= [UNIVERSAL 18] IMPLICIT OCTET STRING
335
336IA5String ::= [UNIVERSAL 22] IMPLICIT OCTET STRING
337
338TeletexString ::= [UNIVERSAL 20] IMPLICIT OCTET STRING
339
340PrintableString ::= [UNIVERSAL 19] IMPLICIT OCTET STRING
341
342UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
343 -- UniversalString is defined in ASN.1:1993
344
345BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
346 -- BMPString is the subtype of UniversalString and models
347 -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1
348
349UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
350 -- The content of this type conforms to RFC 2279.
351
352
353-- PKIX specific OIDs
354
355id-pkix OBJECT IDENTIFIER ::=
356 { iso(1) identified-organization(3) dod(6) internet(1)
357 security(5) mechanisms(5) pkix(7) }
358
359-- PKIX arcs
360
361id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
362 -- arc for private certificate extensions
363id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
364 -- arc for policy qualifier types
365id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
366 -- arc for extended key purpose OIDS
367id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
368 -- arc for access descriptors
369
370-- policyQualifierIds for Internet policy qualifiers
371
372id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
373 -- OID for CPS qualifier
374id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
375 -- OID for user notice qualifier
376
377-- access descriptor definitions
378
379id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
380id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
381
382-- attribute data types --
383
384Attribute ::= SEQUENCE {
385 type AttributeType,
386 values SET OF AttributeValue
387 -- at least one value is required --
388}
389
390AttributeType ::= OBJECT IDENTIFIER
391
392AttributeValue ::= ANY DEFINED BY type
393
394AttributeTypeAndValue ::= SEQUENCE {
395 type AttributeType,
396 value AttributeValue }
397
398-- suggested naming attributes: Definition of the following
399-- information object set may be augmented to meet local
400-- requirements. Note that deleting members of the set may
401-- prevent interoperability with conforming implementations.
402-- presented in pairs: the AttributeType followed by the
403-- type definition for the corresponding AttributeValue
404
405-- Arc for standard naming attributes
406id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}
407
408-- Attributes of type NameDirectoryString
409id-at-initials AttributeType ::= { id-at 43 }
410X520initials ::= DirectoryString
411
412id-at-generationQualifier AttributeType ::= { id-at 44 }
413X520generationQualifier ::= DirectoryString
414
415id-at-surname AttributeType ::= { id-at 4 }
416X520surName ::= DirectoryString
417
418id-at-givenName AttributeType ::= { id-at 42 }
419X520givenName ::= DirectoryString
420
421id-at-name AttributeType ::= { id-at 41 }
422X520name ::= DirectoryString
423
424id-at-commonName AttributeType ::= {id-at 3}
425X520CommonName ::= DirectoryString
426
427id-at-localityName AttributeType ::= {id-at 7}
428X520LocalityName ::= DirectoryString
429
430id-at-stateOrProvinceName AttributeType ::= {id-at 8}
431X520StateOrProvinceName ::= DirectoryString
432
433id-at-organizationName AttributeType ::= {id-at 10}
434X520OrganizationName ::= DirectoryString
435
436id-at-organizationalUnitName AttributeType ::= {id-at 11}
437X520OrganizationalUnitName ::= DirectoryString
438
439id-at-title AttributeType ::= {id-at 12}
440X520Title ::= DirectoryString
441
442id-at-description AttributeType ::= {id-at 13}
443X520Description ::= DirectoryString
444
445id-at-dnQualifier AttributeType ::= {id-at 46}
446X520dnQualifier ::= PrintableString
447
448id-at-countryName AttributeType ::= {id-at 6}
449X520countryName ::= PrintableString (SIZE (2)) -- IS 3166 codes
450
451id-at-serialNumber AttributeType ::= {id-at 5}
452X520serialNumber ::= PrintableString
453
454id-at-telephoneNumber AttributeType ::= {id-at 20}
455X520telephoneNumber ::= PrintableString
456
457id-at-facsimileTelephoneNumber AttributeType ::= {id-at 23}
458X520facsimileTelephoneNumber ::= PrintableString
459
460id-at-pseudonym AttributeType ::= {id-at 65}
461X520pseudonym ::= DirectoryString
462
463id-at-name AttributeType ::= {id-at 41}
464X520name ::= DirectoryString
465
466id-at-streetAddress AttributeType ::= {id-at 9}
467X520streetAddress ::= DirectoryString
468
469id-at-postalAddress AttributeType ::= {id-at 16}
470X520postalAddress ::= PostalAddress
471
472PostalAddress ::= SEQUENCE OF DirectoryString
473
474
475 -- Legacy attributes
476
477pkcs OBJECT IDENTIFIER ::=
478 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) }
479
480pkcs-9 OBJECT IDENTIFIER ::=
481 { pkcs 9 }
482
483
484emailAddress AttributeType ::= { pkcs-9 1 }
485
486Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))
487
488-- naming data types --
489
490Name ::= CHOICE { -- only one possibility for now --
491 rdnSequence RDNSequence }
492
493RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
494
495DistinguishedName ::= RDNSequence
496
497RelativeDistinguishedName ::=
498 SET SIZE (1 .. MAX) OF AttributeTypeAndValue
499
500
501
502-- --------------------------------------------------------
503-- certificate and CRL specific structures begin here
504-- --------------------------------------------------------
505
506Certificate ::= SEQUENCE {
507 tbsCertificate TBSCertificate,
508 signatureAlgorithm AlgorithmIdentifier,
509 signature BIT STRING }
510
511TBSCertificate ::= SEQUENCE {
512 version [0] EXPLICIT Version DEFAULT v1,
513 serialNumber CertificateSerialNumber,
514 signature AlgorithmIdentifier,
515 issuer Name,
516 validity Validity,
517 subject Name,
518 subjectPublicKeyInfo SubjectPublicKeyInfo,
519 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
520 -- If present, version shall be v2 or v3
521 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
522 -- If present, version shall be v2 or v3
523 extensions [3] EXPLICIT Extensions OPTIONAL
524 -- If present, version shall be v3 --
525}
526
527Version ::= INTEGER { v1(0), v2(1), v3(2) }
528
529CertificateSerialNumber ::= INTEGER
530
531Validity ::= SEQUENCE {
532 notBefore Time,
533 notAfter Time }
534
535Time ::= CHOICE {
536 utcTime UTCTime,
537 generalTime GeneralizedTime }
538
539UniqueIdentifier ::= BIT STRING
540
541SubjectPublicKeyInfo ::= SEQUENCE {
542 algorithm AlgorithmIdentifier,
543 subjectPublicKey BIT STRING }
544
545Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
546
547Extension ::= SEQUENCE {
548 extnID OBJECT IDENTIFIER,
549 critical BOOLEAN DEFAULT FALSE,
550 extnValue OCTET STRING }
551
552
553-- ------------------------------------------
554-- CRL structures
555-- ------------------------------------------
556
557CertificateList ::= SEQUENCE {
558 tbsCertList TBSCertList,
559 signatureAlgorithm AlgorithmIdentifier,
560 signature BIT STRING }
561
562TBSCertList ::= SEQUENCE {
563 version Version OPTIONAL,
564 -- if present, shall be v2
565 signature AlgorithmIdentifier,
566 issuer Name,
567 thisUpdate Time,
568 nextUpdate Time OPTIONAL,
569 revokedCertificates SEQUENCE OF SEQUENCE {
570 userCertificate CertificateSerialNumber,
571 revocationDate Time,
572 crlEntryExtensions Extensions OPTIONAL
573 -- if present, shall be v2
574 } OPTIONAL,
575 crlExtensions [0] EXPLICIT Extensions OPTIONAL
576 -- if present, shall be v2 --
577}
578
579-- Version, Time, CertificateSerialNumber, and Extensions were
580-- defined earlier for use in the certificate structure
581
582AlgorithmIdentifier ::= SEQUENCE {
583 algorithm OBJECT IDENTIFIER,
584 parameters ANY DEFINED BY algorithm OPTIONAL }
585 -- contains a value of the type
586 -- registered for use with the
587 -- algorithm object identifier value
588
589-- Algorithm OIDs and parameter structures
590
591pkcs-1 OBJECT IDENTIFIER ::= {
592 pkcs 1 }
593
594rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
595
596md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
597
598md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
599
600sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
601
602id-dsa-with-sha1 OBJECT IDENTIFIER ::= {
603 iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }
604
605Dss-Sig-Value ::= SEQUENCE {
606 r INTEGER,
607 s INTEGER
608}
609
610dhpublicnumber OBJECT IDENTIFIER ::= {
611 iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }
612
613DomainParameters ::= SEQUENCE {
614 p INTEGER, -- odd prime, p=jq +1
615 g INTEGER, -- generator, g
616 q INTEGER, -- factor of p-1
617 j INTEGER OPTIONAL, -- subgroup factor, j>= 2
618 validationParms ValidationParms OPTIONAL }
619
620ValidationParms ::= SEQUENCE {
621 seed BIT STRING,
622 pgenCounter INTEGER }
623
624id-dsa OBJECT IDENTIFIER ::= {
625 iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }
626
627Dss-Parms ::= SEQUENCE {
628 p INTEGER,
629 q INTEGER,
630 g INTEGER }
631
632-- x400 address syntax starts here
633-- OR Names
634
635ORAddress ::= SEQUENCE {
636 built-in-standard-attributes BuiltInStandardAttributes,
637 built-in-domain-defined-attributes
638 BuiltInDomainDefinedAttributes OPTIONAL,
639 -- see also teletex-domain-defined-attributes
640 extension-attributes ExtensionAttributes OPTIONAL }
641-- The OR-address is semantically absent from the OR-name if the
642-- built-in-standard-attribute sequence is empty and the
643-- built-in-domain-defined-attributes and extension-attributes are
644-- both omitted.
645
646-- Built-in Standard Attributes
647
648BuiltInStandardAttributes ::= SEQUENCE {
649 country-name CountryName OPTIONAL,
650 administration-domain-name AdministrationDomainName OPTIONAL,
651 network-address [0] EXPLICIT NetworkAddress OPTIONAL,
652 -- see also extended-network-address
653 terminal-identifier [1] EXPLICIT TerminalIdentifier OPTIONAL,
654 private-domain-name [2] EXPLICIT PrivateDomainName OPTIONAL,
655 organization-name [3] EXPLICIT OrganizationName OPTIONAL,
656 -- see also teletex-organization-name
657 numeric-user-identifier [4] EXPLICIT NumericUserIdentifier OPTIONAL,
658 personal-name [5] EXPLICIT PersonalName OPTIONAL,
659 -- see also teletex-personal-name
660 organizational-unit-names [6] EXPLICIT OrganizationalUnitNames OPTIONAL
661 -- see also teletex-organizational-unit-names --
662}
663
664CountryName ::= [APPLICATION 1] CHOICE {
665 x121-dcc-code NumericString
666 (SIZE (ub-country-name-numeric-length)),
667 iso-3166-alpha2-code PrintableString
668 (SIZE (ub-country-name-alpha-length)) }
669
670AdministrationDomainName ::= [APPLICATION 2] EXPLICIT CHOICE {
671 numeric NumericString (SIZE (0..ub-domain-name-length)),
672 printable PrintableString (SIZE (0..ub-domain-name-length)) }
673
674NetworkAddress ::= X121Address -- see also extended-network-address
675
676X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
677
678TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))
679
680PrivateDomainName ::= CHOICE {
681 numeric NumericString (SIZE (1..ub-domain-name-length)),
682 printable PrintableString (SIZE (1..ub-domain-name-length)) }
683
684OrganizationName ::= PrintableString
685 (SIZE (1..ub-organization-name-length))
686-- see also teletex-organization-name
687
688NumericUserIdentifier ::= NumericString
689 (SIZE (1..ub-numeric-user-id-length))
690
691PersonalName ::= SET {
692 surname [0] PrintableString (SIZE (1..ub-surname-length)),
693 given-name [1] PrintableString
694 (SIZE (1..ub-given-name-length)) OPTIONAL,
695 initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
696 generation-qualifier [3] PrintableString
697 (SIZE (1..ub-generation-qualifier-length)) OPTIONAL }
698-- see also teletex-personal-name
699
700OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
701 OF OrganizationalUnitName
702-- see also teletex-organizational-unit-names
703
704OrganizationalUnitName ::= PrintableString (SIZE
705 (1..ub-organizational-unit-name-length))
706
707-- Built-in Domain-defined Attributes
708
709BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
710 (1..ub-domain-defined-attributes) OF
711 BuiltInDomainDefinedAttribute
712
713BuiltInDomainDefinedAttribute ::= SEQUENCE {
714 type PrintableString (SIZE
715 (1..ub-domain-defined-attribute-type-length)),
716 value PrintableString (SIZE
717 (1..ub-domain-defined-attribute-value-length))}
718
719-- Extension Attributes
720
721ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
722 ExtensionAttribute
723
724ExtensionAttribute ::= SEQUENCE {
725 extension-attribute-type [0] EXPLICIT INTEGER (0..ub-extension-attributes),
726 extension-attribute-value [1] EXPLICIT
727 ANY DEFINED BY extension-attribute-type }
728
729-- Extension types and attribute values
730--
731
732common-name INTEGER ::= 1
733
734CommonName ::= PrintableString (SIZE (1..ub-common-name-length))
735
736teletex-common-name INTEGER ::= 2
737
738TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))
739
740teletex-organization-name INTEGER ::= 3
741
742TeletexOrganizationName ::=
743 TeletexString (SIZE (1..ub-organization-name-length))
744
745teletex-personal-name INTEGER ::= 4
746
747TeletexPersonalName ::= SET {
748 surname [0] EXPLICIT TeletexString (SIZE (1..ub-surname-length)),
749 given-name [1] EXPLICIT TeletexString
750 (SIZE (1..ub-given-name-length)) OPTIONAL,
751 initials [2] EXPLICIT TeletexString (SIZE (1..ub-initials-length)) OPTIONAL,
752 generation-qualifier [3] EXPLICIT TeletexString (SIZE
753 (1..ub-generation-qualifier-length)) OPTIONAL }
754
755teletex-organizational-unit-names INTEGER ::= 5
756
757TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
758 (1..ub-organizational-units) OF TeletexOrganizationalUnitName
759
760TeletexOrganizationalUnitName ::= TeletexString
761 (SIZE (1..ub-organizational-unit-name-length))
762
763pds-name INTEGER ::= 7
764
765PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))
766
767physical-delivery-country-name INTEGER ::= 8
768
769PhysicalDeliveryCountryName ::= CHOICE {
770 x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)),
771 iso-3166-alpha2-code PrintableString
772 (SIZE (ub-country-name-alpha-length)) }
773
774postal-code INTEGER ::= 9
775
776PostalCode ::= CHOICE {
777 numeric-code NumericString (SIZE (1..ub-postal-code-length)),
778 printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
779
780physical-delivery-office-name INTEGER ::= 10
781
782PhysicalDeliveryOfficeName ::= PDSParameter
783
784physical-delivery-office-number INTEGER ::= 11
785
786PhysicalDeliveryOfficeNumber ::= PDSParameter
787
788extension-OR-address-components INTEGER ::= 12
789
790ExtensionORAddressComponents ::= PDSParameter
791
792physical-delivery-personal-name INTEGER ::= 13
793
794PhysicalDeliveryPersonalName ::= PDSParameter
795
796physical-delivery-organization-name INTEGER ::= 14
797
798PhysicalDeliveryOrganizationName ::= PDSParameter
799
800extension-physical-delivery-address-components INTEGER ::= 15
801
802ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter
803
804unformatted-postal-address INTEGER ::= 16
805
806UnformattedPostalAddress ::= SET {
807 printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF
808 PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
809 teletex-string TeletexString
810 (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
811
812street-address INTEGER ::= 17
813
814StreetAddress ::= PDSParameter
815
816post-office-box-address INTEGER ::= 18
817
818PostOfficeBoxAddress ::= PDSParameter
819
820poste-restante-address INTEGER ::= 19
821
822PosteRestanteAddress ::= PDSParameter
823
824unique-postal-name INTEGER ::= 20
825
826UniquePostalName ::= PDSParameter
827
828local-postal-attributes INTEGER ::= 21
829
830LocalPostalAttributes ::= PDSParameter
831
832PDSParameter ::= SET {
833 printable-string PrintableString
834 (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
835 teletex-string TeletexString
836 (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
837
838extended-network-address INTEGER ::= 22
839
840ExtendedNetworkAddress ::= CHOICE {
841 e163-4-address SEQUENCE {
842 number [0] EXPLICIT NumericString (SIZE (1..ub-e163-4-number-length)),
843 sub-address [1] EXPLICIT NumericString
844 (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
845 psap-address [0] EXPLICIT PresentationAddress }
846
847PresentationAddress ::= SEQUENCE {
848 pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
849 sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
850 tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
851 nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
852
853terminal-type INTEGER ::= 23
854
855TerminalType ::= INTEGER {
856 telex (3),
857 teletex (4),
858 g3-facsimile (5),
859 g4-facsimile (6),
860 ia5-terminal (7),
861 videotex (8) } -- (0..ub-integer-options)
862
863-- Extension Domain-defined Attributes
864
865teletex-domain-defined-attributes INTEGER ::= 6
866
867TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
868 (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
869
870TeletexDomainDefinedAttribute ::= SEQUENCE {
871 type TeletexString
872 (SIZE (1..ub-domain-defined-attribute-type-length)),
873 value TeletexString
874 (SIZE (1..ub-domain-defined-attribute-value-length)) }
875
876-- specifications of Upper Bounds shall be regarded as mandatory
877-- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
878-- Upper Bounds
879
880-- Upper Bounds
881ub-name INTEGER ::= 32768
882ub-common-name INTEGER ::= 64
883ub-locality-name INTEGER ::= 128
884ub-state-name INTEGER ::= 128
885ub-organization-name INTEGER ::= 64
886ub-organizational-unit-name INTEGER ::= 64
887ub-title INTEGER ::= 64
888ub-match INTEGER ::= 128
889
890ub-emailaddress-length INTEGER ::= 128
891
892ub-common-name-length INTEGER ::= 64
893ub-country-name-alpha-length INTEGER ::= 2
894ub-country-name-numeric-length INTEGER ::= 3
895ub-domain-defined-attributes INTEGER ::= 4
896ub-domain-defined-attribute-type-length INTEGER ::= 8
897ub-domain-defined-attribute-value-length INTEGER ::= 128
898ub-domain-name-length INTEGER ::= 16
899ub-extension-attributes INTEGER ::= 256
900ub-e163-4-number-length INTEGER ::= 15
901ub-e163-4-sub-address-length INTEGER ::= 40
902ub-generation-qualifier-length INTEGER ::= 3
903ub-given-name-length INTEGER ::= 16
904ub-initials-length INTEGER ::= 5
905ub-integer-options INTEGER ::= 256
906ub-numeric-user-id-length INTEGER ::= 32
907ub-organization-name-length INTEGER ::= 64
908ub-organizational-unit-name-length INTEGER ::= 32
909ub-organizational-units INTEGER ::= 4
910ub-pds-name-length INTEGER ::= 16
911ub-pds-parameter-length INTEGER ::= 30
912ub-pds-physical-address-lines INTEGER ::= 6
913ub-postal-code-length INTEGER ::= 16
914ub-surname-length INTEGER ::= 40
915ub-terminal-id-length INTEGER ::= 24
916ub-unformatted-address-length INTEGER ::= 180
917ub-x121-address-length INTEGER ::= 16
918
919-- Note - upper bounds on string types, such as TeletexString, are
920-- measured in characters. Excepting PrintableString or IA5String, a
921-- significantly greater number of octets will be required to hold
922-- such a value. As a minimum, 16 octets, or twice the specified upper
923-- bound, whichever is the larger, should be allowed for TeletexString.
924-- For UTF8String or UniversalString at least four times the upper
925-- bound should be allowed.
926
927
928
929-- END of PKIX1Implicit88
930
931
932-- BEGIN of RFC2630
933
934-- Cryptographic Message Syntax
935
936pkcs-7-ContentInfo ::= SEQUENCE {
937 contentType pkcs-7-ContentType,
938 content [0] EXPLICIT ANY DEFINED BY contentType }
939
940pkcs-7-DigestInfo ::= SEQUENCE {
941 digestAlgorithm pkcs-7-DigestAlgorithmIdentifier,
942 digest pkcs-7-Digest
943}
944
945pkcs-7-Digest ::= OCTET STRING
946
947pkcs-7-ContentType ::= OBJECT IDENTIFIER
948
949pkcs-7-SignedData ::= SEQUENCE {
950 version pkcs-7-CMSVersion,
951 digestAlgorithms pkcs-7-DigestAlgorithmIdentifiers,
952 encapContentInfo pkcs-7-EncapsulatedContentInfo,
953 certificates [0] IMPLICIT pkcs-7-CertificateSet OPTIONAL,
954 crls [1] IMPLICIT pkcs-7-CertificateRevocationLists OPTIONAL,
955 signerInfos pkcs-7-SignerInfos
956}
957
958pkcs-7-CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) }
959
960pkcs-7-DigestAlgorithmIdentifiers ::= SET OF pkcs-7-DigestAlgorithmIdentifier
961
962pkcs-7-DigestAlgorithmIdentifier ::= AlgorithmIdentifier
963
964pkcs-7-EncapsulatedContentInfo ::= SEQUENCE {
965 eContentType pkcs-7-ContentType,
966 eContent [0] EXPLICIT OCTET STRING OPTIONAL }
967
968-- We don't use CertificateList here since we only want
969-- to read the raw data.
970pkcs-7-CertificateRevocationLists ::= SET OF ANY
971
972pkcs-7-CertificateChoices ::= CHOICE {
973-- Although the paper uses Certificate type, we
974-- don't use it since, we don't need to parse it.
975-- We only need to read and store it.
976 certificate ANY
977}
978
979pkcs-7-CertificateSet ::= SET OF pkcs-7-CertificateChoices
980
981pkcs-7-SignerInfos ::= SET OF ANY -- this is not correct but we don't use it
982 -- anyway
983
984
985-- BEGIN of RFC2986
986
987-- Certificate requests
988pkcs-10-CertificationRequestInfo ::= SEQUENCE {
989 version INTEGER { v1(0) },
990 subject Name,
991 subjectPKInfo SubjectPublicKeyInfo,
992 attributes [0] Attributes
993}
994
995Attributes ::= SET OF Attribute
996
997pkcs-10-CertificationRequest ::= SEQUENCE {
998 certificationRequestInfo pkcs-10-CertificationRequestInfo,
999 signatureAlgorithm AlgorithmIdentifier,
1000 signature BIT STRING
1001}
1002
1003-- stuff from PKCS#9
1004
1005pkcs-9-ub-challengePassword INTEGER ::= 255
1006
1007pkcs-9-certTypes OBJECT IDENTIFIER ::= {pkcs-9 22}
1008pkcs-9-crlTypes OBJECT IDENTIFIER ::= {pkcs-9 23}
1009
1010pkcs-9-at-challengePassword OBJECT IDENTIFIER ::= {pkcs-9 7}
1011
1012pkcs-9-challengePassword ::= CHOICE {
1013 printableString PrintableString (SIZE (1..pkcs-9-ub-challengePassword)),
1014 utf8String UTF8String (SIZE (1..pkcs-9-ub-challengePassword)) }
1015
1016pkcs-9-at-localKeyId OBJECT IDENTIFIER ::= {pkcs-9 21}
1017
1018pkcs-9-localKeyId ::= OCTET STRING
1019
1020pkcs-9-at-friendlyName OBJECT IDENTIFIER ::= {pkcs-9 20}
1021
1022pkcs-9-friendlyName ::= BMPString (SIZE (1..255))
1023
1024-- PKCS #8 stuff
1025
1026-- Private-key information syntax
1027
1028pkcs-8-PrivateKeyInfo ::= SEQUENCE {
1029 version pkcs-8-Version,
1030 privateKeyAlgorithm AlgorithmIdentifier,
1031 privateKey pkcs-8-PrivateKey,
1032 attributes [0] Attributes OPTIONAL }
1033
1034pkcs-8-Version ::= INTEGER {v1(0)}
1035
1036pkcs-8-PrivateKey ::= OCTET STRING
1037
1038pkcs-8-Attributes ::= SET OF Attribute
1039
1040-- Encrypted private-key information syntax
1041
1042pkcs-8-EncryptedPrivateKeyInfo ::= SEQUENCE {
1043 encryptionAlgorithm AlgorithmIdentifier,
1044 encryptedData pkcs-8-EncryptedData
1045}
1046
1047pkcs-8-EncryptedData ::= OCTET STRING
1048
1049-- PKCS #5 stuff
1050
1051pkcs-5 OBJECT IDENTIFIER ::=
1052 { pkcs 5 }
1053
1054pkcs-5-encryptionAlgorithm OBJECT IDENTIFIER ::=
1055 { iso(1) member-body(2) us(840) rsadsi(113549) 3 }
1056
1057pkcs-5-des-EDE3-CBC OBJECT IDENTIFIER ::= {pkcs-5-encryptionAlgorithm 7}
1058
1059pkcs-5-des-EDE3-CBC-params ::= OCTET STRING (SIZE(8))
1060
1061pkcs-5-id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}
1062
1063pkcs-5-PBES2-params ::= SEQUENCE {
1064 keyDerivationFunc AlgorithmIdentifier,
1065 encryptionScheme AlgorithmIdentifier }
1066
1067-- PBKDF2
1068
1069pkcs-5-id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}
1070
1071-- pkcs-5-id-hmacWithSHA1 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) 2 7}
1072
1073-- pkcs-5-algid-hmacWithSHA1 AlgorithmIdentifier ::=
1074-- {algorithm pkcs-5-id-hmacWithSHA1, parameters NULL : NULL}
1075
1076pkcs-5-PBKDF2-params ::= SEQUENCE {
1077 salt CHOICE {
1078 specified OCTET STRING,
1079 otherSource AlgorithmIdentifier
1080 },
1081 iterationCount INTEGER (1..MAX),
1082 keyLength INTEGER (1..MAX) OPTIONAL,
1083 prf AlgorithmIdentifier OPTIONAL -- DEFAULT pkcs-5-id-hmacWithSHA1
1084}
1085
1086-- PKCS #12 stuff
1087
1088pkcs-12 OBJECT IDENTIFIER ::= {pkcs 12}
1089
1090pkcs-12-PFX ::= SEQUENCE {
1091 version INTEGER {v3(3)},
1092 authSafe pkcs-7-ContentInfo,
1093 macData pkcs-12-MacData OPTIONAL
1094}
1095
1096pkcs-12-PbeParams ::= SEQUENCE {
1097 salt OCTET STRING,
1098 iterations INTEGER
1099}
1100
1101pkcs-12-MacData ::= SEQUENCE {
1102 mac pkcs-7-DigestInfo,
1103 macSalt OCTET STRING,
1104 iterations INTEGER DEFAULT 1
1105-- Note: The default is for historical reasons and its use is
1106-- deprecated. A higher value, like 1024 is recommended.
1107}
1108
1109pkcs-12-AuthenticatedSafe ::= SEQUENCE OF pkcs-7-ContentInfo
1110 -- Data if unencrypted
1111 -- EncryptedData if password-encrypted
1112 -- EnvelopedData if public key-encrypted
1113
1114pkcs-12-SafeContents ::= SEQUENCE OF pkcs-12-SafeBag
1115
1116pkcs-12-SafeBag ::= SEQUENCE {
1117 bagId OBJECT IDENTIFIER,
1118 bagValue [0] EXPLICIT ANY DEFINED BY badId,
1119 bagAttributes SET OF pkcs-12-PKCS12Attribute OPTIONAL
1120}
1121
1122-- Bag types
1123
1124
1125pkcs-12-bagtypes OBJECT IDENTIFIER ::= {pkcs-12 10 1}
1126
1127pkcs-12-keyBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 1}
1128pkcs-12-pkcs8ShroudedKeyBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 2}
1129pkcs-12-certBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 3}
1130pkcs-12-crlBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 4}
1131
1132pkcs-12-KeyBag ::= pkcs-8-PrivateKeyInfo
1133
1134-- Shrouded KeyBag
1135
1136pkcs-12-PKCS8ShroudedKeyBag ::= pkcs-8-EncryptedPrivateKeyInfo
1137
1138-- CertBag
1139
1140pkcs-12-CertBag ::= SEQUENCE {
1141 certId OBJECT IDENTIFIER,
1142 certValue [0] EXPLICIT ANY DEFINED BY certId
1143}
1144
1145-- x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-certTypes 1}}
1146-- DER-encoded X.509 certificate stored in OCTET STRING
1147
1148pkcs-12-CRLBag ::= SEQUENCE {
1149 crlId OBJECT IDENTIFIER,
1150 crlValue [0] EXPLICIT ANY DEFINED BY crlId
1151}
1152
1153-- x509CRL BAG-TYPE ::=
1154-- {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}}
1155-- DER-encoded X.509 CRL stored in OCTET STRING
1156
1157pkcs-12-PKCS12Attribute ::= Attribute
1158
1159-- PKCS #7 stuff (needed in PKCS 12)
1160
1161pkcs-7-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1162 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }
1163
1164pkcs-7-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1165 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }
1166
1167pkcs-7-Data ::= OCTET STRING
1168
1169pkcs-7-EncryptedData ::= SEQUENCE {
1170 version pkcs-7-CMSVersion,
1171 encryptedContentInfo pkcs-7-EncryptedContentInfo,
1172 unprotectedAttrs [1] IMPLICIT pkcs-7-UnprotectedAttributes OPTIONAL }
1173
1174pkcs-7-EncryptedContentInfo ::= SEQUENCE {
1175 contentType pkcs-7-ContentType,
1176 contentEncryptionAlgorithm pkcs-7-ContentEncryptionAlgorithmIdentifier,
1177 encryptedContent [0] IMPLICIT pkcs-7-EncryptedContent OPTIONAL }
1178
1179pkcs-7-ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1180
1181pkcs-7-EncryptedContent ::= OCTET STRING
1182
1183pkcs-7-UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute
1184
1185-- LDAP stuff
1186-- may not be correct
1187
1188id-at-ldap-DC AttributeType ::= { 0 9 2342 19200300 100 1 25 }
1189
1190ldap-DC ::= IA5String
1191
1192id-at-ldap-UID AttributeType ::= { 0 9 2342 19200300 100 1 1 }
1193
1194ldap-UID ::= DirectoryString
1195
1196-- rfc3039
1197
1198id-pda OBJECT IDENTIFIER ::= { id-pkix 9 }
1199
1200id-pda-dateOfBirth AttributeType ::= { id-pda 1 }
1201DateOfBirth ::= GeneralizedTime
1202
1203id-pda-placeOfBirth AttributeType ::= { id-pda 2 }
1204PlaceOfBirth ::= DirectoryString
1205
1206id-pda-gender AttributeType ::= { id-pda 3 }
1207Gender ::= PrintableString (SIZE(1))
1208 -- "M", "F", "m" or "f"
1209
1210id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 }
1211CountryOfCitizenship ::= PrintableString (SIZE (2))
1212 -- ISO 3166 Country Code
1213
1214id-pda-countryOfResidence AttributeType ::= { id-pda 5 }
1215CountryOfResidence ::= PrintableString (SIZE (2))
1216 -- ISO 3166 Country Code
1217
1218-- rfc3820
1219
1220id-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pe 14 }
1221
1222id-ppl-inheritAll OBJECT IDENTIFIER ::= { id-pkix 21 1 }
1223id-ppl-independent OBJECT IDENTIFIER ::= { id-pkix 21 2 }
1224
1225ProxyCertInfo ::= SEQUENCE {
1226 pCPathLenConstraint INTEGER (0..MAX) OPTIONAL,
1227 proxyPolicy ProxyPolicy }
1228
1229ProxyPolicy ::= SEQUENCE {
1230 policyLanguage OBJECT IDENTIFIER,
1231 policy OCTET STRING OPTIONAL }
1232
1233-- rfc3920 section 5.1.1
1234
1235id-on OBJECT IDENTIFIER ::= { id-pkix 8 } -- other name forms
1236
1237id-on-xmppAddr OBJECT IDENTIFIER ::= { id-on 5 }
1238
1239XmppAddr ::= UTF8String
1240
1241END
diff --git a/src/daemon/https/tls/pkix_asn1_tab.c b/src/daemon/https/tls/pkix_asn1_tab.c
deleted file mode 100644
index 30b5ddd1..00000000
--- a/src/daemon/https/tls/pkix_asn1_tab.c
+++ /dev/null
@@ -1,1130 +0,0 @@
1#if HAVE_CONFIG_H
2#include "MHD_config.h"
3#endif
4
5#include <libtasn1.h>
6
7const ASN1_ARRAY_TYPE MHD_pkix_asn1_tab[] = {
8 {"PKIX1", 536875024, 0},
9 {0, 1073741836, 0},
10 {"id-ce", 1879048204, 0},
11 {"joint-iso-ccitt", 1073741825, "2"},
12 {"ds", 1073741825, "5"},
13 {0, 1, "29"},
14 {"id-ce-authorityKeyIdentifier", 1879048204, 0},
15 {0, 1073741825, "id-ce"},
16 {0, 1, "35"},
17 {"AuthorityKeyIdentifier", 1610612741, 0},
18 {"keyIdentifier", 1610637314, "KeyIdentifier"},
19 {0, 4104, "0"},
20 {"authorityCertIssuer", 1610637314, "GeneralNames"},
21 {0, 4104, "1"},
22 {"authorityCertSerialNumber", 536895490, "CertificateSerialNumber"},
23 {0, 4104, "2"},
24 {"KeyIdentifier", 1073741831, 0},
25 {"id-ce-subjectKeyIdentifier", 1879048204, 0},
26 {0, 1073741825, "id-ce"},
27 {0, 1, "14"},
28 {"SubjectKeyIdentifier", 1073741826, "KeyIdentifier"},
29 {"id-ce-keyUsage", 1879048204, 0},
30 {0, 1073741825, "id-ce"},
31 {0, 1, "15"},
32 {"KeyUsage", 1610874886, 0},
33 {"digitalSignature", 1073741825, "0"},
34 {"nonRepudiation", 1073741825, "1"},
35 {"keyEncipherment", 1073741825, "2"},
36 {"dataEncipherment", 1073741825, "3"},
37 {"keyAgreement", 1073741825, "4"},
38 {"keyCertSign", 1073741825, "5"},
39 {"cRLSign", 1073741825, "6"},
40 {"encipherOnly", 1073741825, "7"},
41 {"decipherOnly", 1, "8"},
42 {"id-ce-privateKeyUsagePeriod", 1879048204, 0},
43 {0, 1073741825, "id-ce"},
44 {0, 1, "16"},
45 {"PrivateKeyUsagePeriod", 1610612741, 0},
46 {"notBefore", 1619025937, 0},
47 {0, 4104, "0"},
48 {"notAfter", 545284113, 0},
49 {0, 4104, "1"},
50 {"id-ce-certificatePolicies", 1879048204, 0},
51 {0, 1073741825, "id-ce"},
52 {0, 1, "32"},
53 {"CertificatePolicies", 1612709899, 0},
54 {"MAX", 1074266122, "1"},
55 {0, 2, "PolicyInformation"},
56 {"PolicyInformation", 1610612741, 0},
57 {"policyIdentifier", 1073741826, "CertPolicyId"},
58 {"policyQualifiers", 538984459, 0},
59 {"MAX", 1074266122, "1"},
60 {0, 2, "PolicyQualifierInfo"},
61 {"CertPolicyId", 1073741836, 0},
62 {"PolicyQualifierInfo", 1610612741, 0},
63 {"policyQualifierId", 1073741826, "PolicyQualifierId"},
64 {"qualifier", 541065229, 0},
65 {"policyQualifierId", 1, 0},
66 {"PolicyQualifierId", 1073741836, 0},
67 {"CPSuri", 1073741826, "IA5String"},
68 {"UserNotice", 1610612741, 0},
69 {"noticeRef", 1073758210, "NoticeReference"},
70 {"explicitText", 16386, "DisplayText"},
71 {"NoticeReference", 1610612741, 0},
72 {"organization", 1073741826, "DisplayText"},
73 {"noticeNumbers", 536870923, 0},
74 {0, 3, 0},
75 {"DisplayText", 1610612754, 0},
76 {"visibleString", 1612709890, "VisibleString"},
77 {"200", 524298, "1"},
78 {"bmpString", 1612709890, "BMPString"},
79 {"200", 524298, "1"},
80 {"utf8String", 538968066, "UTF8String"},
81 {"200", 524298, "1"},
82 {"id-ce-policyMappings", 1879048204, 0},
83 {0, 1073741825, "id-ce"},
84 {0, 1, "33"},
85 {"PolicyMappings", 1612709899, 0},
86 {"MAX", 1074266122, "1"},
87 {0, 536870917, 0},
88 {"issuerDomainPolicy", 1073741826, "CertPolicyId"},
89 {"subjectDomainPolicy", 2, "CertPolicyId"},
90 {"DirectoryString", 1610612754, 0},
91 {"teletexString", 1612709890, "TeletexString"},
92 {"MAX", 524298, "1"},
93 {"printableString", 1612709890, "PrintableString"},
94 {"MAX", 524298, "1"},
95 {"universalString", 1612709890, "UniversalString"},
96 {"MAX", 524298, "1"},
97 {"utf8String", 1612709890, "UTF8String"},
98 {"MAX", 524298, "1"},
99 {"bmpString", 1612709890, "BMPString"},
100 {"MAX", 524298, "1"},
101 {"ia5String", 538968066, "IA5String"},
102 {"MAX", 524298, "1"},
103 {"id-ce-subjectAltName", 1879048204, 0},
104 {0, 1073741825, "id-ce"},
105 {0, 1, "17"},
106 {"SubjectAltName", 1073741826, "GeneralNames"},
107 {"GeneralNames", 1612709899, 0},
108 {"MAX", 1074266122, "1"},
109 {0, 2, "GeneralName"},
110 {"GeneralName", 1610612754, 0},
111 {"otherName", 1610620930, "AnotherName"},
112 {0, 4104, "0"},
113 {"rfc822Name", 1610620930, "IA5String"},
114 {0, 4104, "1"},
115 {"dNSName", 1610620930, "IA5String"},
116 {0, 4104, "2"},
117 {"x400Address", 1610620930, "ORAddress"},
118 {0, 4104, "3"},
119 {"directoryName", 1610620930, "RDNSequence"},
120 {0, 2056, "4"},
121 {"ediPartyName", 1610620930, "EDIPartyName"},
122 {0, 4104, "5"},
123 {"uniformResourceIdentifier", 1610620930, "IA5String"},
124 {0, 4104, "6"},
125 {"iPAddress", 1610620935, 0},
126 {0, 4104, "7"},
127 {"registeredID", 536879116, 0},
128 {0, 4104, "8"},
129 {"AnotherName", 1610612741, 0},
130 {"type-id", 1073741836, 0},
131 {"value", 541073421, 0},
132 {0, 1073743880, "0"},
133 {"type-id", 1, 0},
134 {"EDIPartyName", 1610612741, 0},
135 {"nameAssigner", 1610637314, "DirectoryString"},
136 {0, 4104, "0"},
137 {"partyName", 536879106, "DirectoryString"},
138 {0, 4104, "1"},
139 {"id-ce-issuerAltName", 1879048204, 0},
140 {0, 1073741825, "id-ce"},
141 {0, 1, "18"},
142 {"IssuerAltName", 1073741826, "GeneralNames"},
143 {"id-ce-subjectDirectoryAttributes", 1879048204, 0},
144 {0, 1073741825, "id-ce"},
145 {0, 1, "9"},
146 {"SubjectDirectoryAttributes", 1612709899, 0},
147 {"MAX", 1074266122, "1"},
148 {0, 2, "Attribute"},
149 {"id-ce-basicConstraints", 1879048204, 0},
150 {0, 1073741825, "id-ce"},
151 {0, 1, "19"},
152 {"BasicConstraints", 1610612741, 0},
153 {"cA", 1610645508, 0},
154 {0, 131081, 0},
155 {"pathLenConstraint", 537411587, 0},
156 {"0", 10, "MAX"},
157 {"id-ce-nameConstraints", 1879048204, 0},
158 {0, 1073741825, "id-ce"},
159 {0, 1, "30"},
160 {"NameConstraints", 1610612741, 0},
161 {"permittedSubtrees", 1610637314, "GeneralSubtrees"},
162 {0, 4104, "0"},
163 {"excludedSubtrees", 536895490, "GeneralSubtrees"},
164 {0, 4104, "1"},
165 {"GeneralSubtrees", 1612709899, 0},
166 {"MAX", 1074266122, "1"},
167 {0, 2, "GeneralSubtree"},
168 {"GeneralSubtree", 1610612741, 0},
169 {"base", 1073741826, "GeneralName"},
170 {"minimum", 1610653698, "BaseDistance"},
171 {0, 1073741833, "0"},
172 {0, 4104, "0"},
173 {"maximum", 536895490, "BaseDistance"},
174 {0, 4104, "1"},
175 {"BaseDistance", 1611137027, 0},
176 {"0", 10, "MAX"},
177 {"id-ce-policyConstraints", 1879048204, 0},
178 {0, 1073741825, "id-ce"},
179 {0, 1, "36"},
180 {"PolicyConstraints", 1610612741, 0},
181 {"requireExplicitPolicy", 1610637314, "SkipCerts"},
182 {0, 4104, "0"},
183 {"inhibitPolicyMapping", 536895490, "SkipCerts"},
184 {0, 4104, "1"},
185 {"SkipCerts", 1611137027, 0},
186 {"0", 10, "MAX"},
187 {"id-ce-cRLDistributionPoints", 1879048204, 0},
188 {0, 1073741825, "id-ce"},
189 {0, 1, "31"},
190 {"CRLDistributionPoints", 1612709899, 0},
191 {"MAX", 1074266122, "1"},
192 {0, 2, "DistributionPoint"},
193 {"DistributionPoint", 1610612741, 0},
194 {"distributionPoint", 1610637314, "DistributionPointName"},
195 {0, 2056, "0"},
196 {"reasons", 1610637314, "ReasonFlags"},
197 {0, 4104, "1"},
198 {"cRLIssuer", 536895490, "GeneralNames"},
199 {0, 4104, "2"},
200 {"DistributionPointName", 1610612754, 0},
201 {"fullName", 1610620930, "GeneralNames"},
202 {0, 4104, "0"},
203 {"nameRelativeToCRLIssuer", 536879106, "RelativeDistinguishedName"},
204 {0, 4104, "1"},
205 {"ReasonFlags", 1610874886, 0},
206 {"unused", 1073741825, "0"},
207 {"keyCompromise", 1073741825, "1"},
208 {"cACompromise", 1073741825, "2"},
209 {"affiliationChanged", 1073741825, "3"},
210 {"superseded", 1073741825, "4"},
211 {"cessationOfOperation", 1073741825, "5"},
212 {"certificateHold", 1073741825, "6"},
213 {"privilegeWithdrawn", 1073741825, "7"},
214 {"aACompromise", 1, "8"},
215 {"id-ce-extKeyUsage", 1879048204, 0},
216 {0, 1073741825, "id-ce"},
217 {0, 1, "37"},
218 {"ExtKeyUsageSyntax", 1612709899, 0},
219 {"MAX", 1074266122, "1"},
220 {0, 2, "KeyPurposeId"},
221 {"KeyPurposeId", 1073741836, 0},
222 {"id-kp-serverAuth", 1879048204, 0},
223 {0, 1073741825, "id-kp"},
224 {0, 1, "1"},
225 {"id-kp-clientAuth", 1879048204, 0},
226 {0, 1073741825, "id-kp"},
227 {0, 1, "2"},
228 {"id-kp-codeSigning", 1879048204, 0},
229 {0, 1073741825, "id-kp"},
230 {0, 1, "3"},
231 {"id-kp-emailProtection", 1879048204, 0},
232 {0, 1073741825, "id-kp"},
233 {0, 1, "4"},
234 {"id-kp-ipsecEndSystem", 1879048204, 0},
235 {0, 1073741825, "id-kp"},
236 {0, 1, "5"},
237 {"id-kp-ipsecTunnel", 1879048204, 0},
238 {0, 1073741825, "id-kp"},
239 {0, 1, "6"},
240 {"id-kp-ipsecUser", 1879048204, 0},
241 {0, 1073741825, "id-kp"},
242 {0, 1, "7"},
243 {"id-kp-timeStamping", 1879048204, 0},
244 {0, 1073741825, "id-kp"},
245 {0, 1, "8"},
246 {"id-pe-authorityInfoAccess", 1879048204, 0},
247 {0, 1073741825, "id-pe"},
248 {0, 1, "1"},
249 {"AuthorityInfoAccessSyntax", 1612709899, 0},
250 {"MAX", 1074266122, "1"},
251 {0, 2, "AccessDescription"},
252 {"AccessDescription", 1610612741, 0},
253 {"accessMethod", 1073741836, 0},
254 {"accessLocation", 2, "GeneralName"},
255 {"id-ce-cRLNumber", 1879048204, 0},
256 {0, 1073741825, "id-ce"},
257 {0, 1, "20"},
258 {"CRLNumber", 1611137027, 0},
259 {"0", 10, "MAX"},
260 {"id-ce-issuingDistributionPoint", 1879048204, 0},
261 {0, 1073741825, "id-ce"},
262 {0, 1, "28"},
263 {"IssuingDistributionPoint", 1610612741, 0},
264 {"distributionPoint", 1610637314, "DistributionPointName"},
265 {0, 4104, "0"},
266 {"onlyContainsUserCerts", 1610653700, 0},
267 {0, 1073872905, 0},
268 {0, 4104, "1"},
269 {"onlyContainsCACerts", 1610653700, 0},
270 {0, 1073872905, 0},
271 {0, 4104, "2"},
272 {"onlySomeReasons", 1610637314, "ReasonFlags"},
273 {0, 4104, "3"},
274 {"indirectCRL", 536911876, 0},
275 {0, 1073872905, 0},
276 {0, 4104, "4"},
277 {"id-ce-deltaCRLIndicator", 1879048204, 0},
278 {0, 1073741825, "id-ce"},
279 {0, 1, "27"},
280 {"BaseCRLNumber", 1073741826, "CRLNumber"},
281 {"id-ce-cRLReasons", 1879048204, 0},
282 {0, 1073741825, "id-ce"},
283 {0, 1, "21"},
284 {"CRLReason", 1610874901, 0},
285 {"unspecified", 1073741825, "0"},
286 {"keyCompromise", 1073741825, "1"},
287 {"cACompromise", 1073741825, "2"},
288 {"affiliationChanged", 1073741825, "3"},
289 {"superseded", 1073741825, "4"},
290 {"cessationOfOperation", 1073741825, "5"},
291 {"certificateHold", 1073741825, "6"},
292 {"removeFromCRL", 1, "8"},
293 {"id-ce-certificateIssuer", 1879048204, 0},
294 {0, 1073741825, "id-ce"},
295 {0, 1, "29"},
296 {"CertificateIssuer", 1073741826, "GeneralNames"},
297 {"id-ce-holdInstructionCode", 1879048204, 0},
298 {0, 1073741825, "id-ce"},
299 {0, 1, "23"},
300 {"HoldInstructionCode", 1073741836, 0},
301 {"holdInstruction", 1879048204, 0},
302 {"joint-iso-itu-t", 1073741825, "2"},
303 {"member-body", 1073741825, "2"},
304 {"us", 1073741825, "840"},
305 {"x9cm", 1073741825, "10040"},
306 {0, 1, "2"},
307 {"id-holdinstruction-none", 1879048204, 0},
308 {0, 1073741825, "holdInstruction"},
309 {0, 1, "1"},
310 {"id-holdinstruction-callissuer", 1879048204, 0},
311 {0, 1073741825, "holdInstruction"},
312 {0, 1, "2"},
313 {"id-holdinstruction-reject", 1879048204, 0},
314 {0, 1073741825, "holdInstruction"},
315 {0, 1, "3"},
316 {"id-ce-invalidityDate", 1879048204, 0},
317 {0, 1073741825, "id-ce"},
318 {0, 1, "24"},
319 {"InvalidityDate", 1082130449, 0},
320 {"VisibleString", 1610620935, 0},
321 {0, 4360, "26"},
322 {"NumericString", 1610620935, 0},
323 {0, 4360, "18"},
324 {"IA5String", 1610620935, 0},
325 {0, 4360, "22"},
326 {"TeletexString", 1610620935, 0},
327 {0, 4360, "20"},
328 {"PrintableString", 1610620935, 0},
329 {0, 4360, "19"},
330 {"UniversalString", 1610620935, 0},
331 {0, 4360, "28"},
332 {"BMPString", 1610620935, 0},
333 {0, 4360, "30"},
334 {"UTF8String", 1610620935, 0},
335 {0, 4360, "12"},
336 {"id-pkix", 1879048204, 0},
337 {"iso", 1073741825, "1"},
338 {"identified-organization", 1073741825, "3"},
339 {"dod", 1073741825, "6"},
340 {"internet", 1073741825, "1"},
341 {"security", 1073741825, "5"},
342 {"mechanisms", 1073741825, "5"},
343 {"pkix", 1, "7"},
344 {"id-pe", 1879048204, 0},
345 {0, 1073741825, "id-pkix"},
346 {0, 1, "1"},
347 {"id-qt", 1879048204, 0},
348 {0, 1073741825, "id-pkix"},
349 {0, 1, "2"},
350 {"id-kp", 1879048204, 0},
351 {0, 1073741825, "id-pkix"},
352 {0, 1, "3"},
353 {"id-ad", 1879048204, 0},
354 {0, 1073741825, "id-pkix"},
355 {0, 1, "48"},
356 {"id-qt-cps", 1879048204, 0},
357 {0, 1073741825, "id-qt"},
358 {0, 1, "1"},
359 {"id-qt-unotice", 1879048204, 0},
360 {0, 1073741825, "id-qt"},
361 {0, 1, "2"},
362 {"id-ad-ocsp", 1879048204, 0},
363 {0, 1073741825, "id-ad"},
364 {0, 1, "1"},
365 {"id-ad-caIssuers", 1879048204, 0},
366 {0, 1073741825, "id-ad"},
367 {0, 1, "2"},
368 {"Attribute", 1610612741, 0},
369 {"type", 1073741826, "AttributeType"},
370 {"values", 536870927, 0},
371 {0, 2, "AttributeValue"},
372 {"AttributeType", 1073741836, 0},
373 {"AttributeValue", 1614807053, 0},
374 {"type", 1, 0},
375 {"AttributeTypeAndValue", 1610612741, 0},
376 {"type", 1073741826, "AttributeType"},
377 {"value", 2, "AttributeValue"},
378 {"id-at", 1879048204, 0},
379 {"joint-iso-ccitt", 1073741825, "2"},
380 {"ds", 1073741825, "5"},
381 {0, 1, "4"},
382 {"id-at-initials", 1880096780, "AttributeType"},
383 {0, 1073741825, "id-at"},
384 {0, 1, "43"},
385 {"X520initials", 1073741826, "DirectoryString"},
386 {"id-at-generationQualifier", 1880096780, "AttributeType"},
387 {0, 1073741825, "id-at"},
388 {0, 1, "44"},
389 {"X520generationQualifier", 1073741826, "DirectoryString"},
390 {"id-at-surname", 1880096780, "AttributeType"},
391 {0, 1073741825, "id-at"},
392 {0, 1, "4"},
393 {"X520surName", 1073741826, "DirectoryString"},
394 {"id-at-givenName", 1880096780, "AttributeType"},
395 {0, 1073741825, "id-at"},
396 {0, 1, "42"},
397 {"X520givenName", 1073741826, "DirectoryString"},
398 {"id-at-name", 1880096780, "AttributeType"},
399 {0, 1073741825, "id-at"},
400 {0, 1, "41"},
401 {"X520name", 1073741826, "DirectoryString"},
402 {"id-at-commonName", 1880096780, "AttributeType"},
403 {0, 1073741825, "id-at"},
404 {0, 1, "3"},
405 {"X520CommonName", 1073741826, "DirectoryString"},
406 {"id-at-localityName", 1880096780, "AttributeType"},
407 {0, 1073741825, "id-at"},
408 {0, 1, "7"},
409 {"X520LocalityName", 1073741826, "DirectoryString"},
410 {"id-at-stateOrProvinceName", 1880096780, "AttributeType"},
411 {0, 1073741825, "id-at"},
412 {0, 1, "8"},
413 {"X520StateOrProvinceName", 1073741826, "DirectoryString"},
414 {"id-at-organizationName", 1880096780, "AttributeType"},
415 {0, 1073741825, "id-at"},
416 {0, 1, "10"},
417 {"X520OrganizationName", 1073741826, "DirectoryString"},
418 {"id-at-organizationalUnitName", 1880096780, "AttributeType"},
419 {0, 1073741825, "id-at"},
420 {0, 1, "11"},
421 {"X520OrganizationalUnitName", 1073741826, "DirectoryString"},
422 {"id-at-title", 1880096780, "AttributeType"},
423 {0, 1073741825, "id-at"},
424 {0, 1, "12"},
425 {"X520Title", 1073741826, "DirectoryString"},
426 {"id-at-description", 1880096780, "AttributeType"},
427 {0, 1073741825, "id-at"},
428 {0, 1, "13"},
429 {"X520Description", 1073741826, "DirectoryString"},
430 {"id-at-dnQualifier", 1880096780, "AttributeType"},
431 {0, 1073741825, "id-at"},
432 {0, 1, "46"},
433 {"X520dnQualifier", 1073741826, "PrintableString"},
434 {"id-at-countryName", 1880096780, "AttributeType"},
435 {0, 1073741825, "id-at"},
436 {0, 1, "6"},
437 {"X520countryName", 1612709890, "PrintableString"},
438 {0, 1048586, "2"},
439 {"id-at-serialNumber", 1880096780, "AttributeType"},
440 {0, 1073741825, "id-at"},
441 {0, 1, "5"},
442 {"X520serialNumber", 1073741826, "PrintableString"},
443 {"id-at-telephoneNumber", 1880096780, "AttributeType"},
444 {0, 1073741825, "id-at"},
445 {0, 1, "20"},
446 {"X520telephoneNumber", 1073741826, "PrintableString"},
447 {"id-at-facsimileTelephoneNumber", 1880096780, "AttributeType"},
448 {0, 1073741825, "id-at"},
449 {0, 1, "23"},
450 {"X520facsimileTelephoneNumber", 1073741826, "PrintableString"},
451 {"id-at-pseudonym", 1880096780, "AttributeType"},
452 {0, 1073741825, "id-at"},
453 {0, 1, "65"},
454 {"X520pseudonym", 1073741826, "DirectoryString"},
455 {"id-at-name", 1880096780, "AttributeType"},
456 {0, 1073741825, "id-at"},
457 {0, 1, "41"},
458 {"X520name", 1073741826, "DirectoryString"},
459 {"id-at-streetAddress", 1880096780, "AttributeType"},
460 {0, 1073741825, "id-at"},
461 {0, 1, "9"},
462 {"X520streetAddress", 1073741826, "DirectoryString"},
463 {"id-at-postalAddress", 1880096780, "AttributeType"},
464 {0, 1073741825, "id-at"},
465 {0, 1, "16"},
466 {"X520postalAddress", 1073741826, "PostalAddress"},
467 {"PostalAddress", 1610612747, 0},
468 {0, 2, "DirectoryString"},
469 {"pkcs", 1879048204, 0},
470 {"iso", 1073741825, "1"},
471 {"member-body", 1073741825, "2"},
472 {"us", 1073741825, "840"},
473 {"rsadsi", 1073741825, "113549"},
474 {"pkcs", 1, "1"},
475 {"pkcs-9", 1879048204, 0},
476 {0, 1073741825, "pkcs"},
477 {0, 1, "9"},
478 {"emailAddress", 1880096780, "AttributeType"},
479 {0, 1073741825, "pkcs-9"},
480 {0, 1, "1"},
481 {"Pkcs9email", 1612709890, "IA5String"},
482 {"ub-emailaddress-length", 524298, "1"},
483 {"Name", 1610612754, 0},
484 {"rdnSequence", 2, "RDNSequence"},
485 {"RDNSequence", 1610612747, 0},
486 {0, 2, "RelativeDistinguishedName"},
487 {"DistinguishedName", 1073741826, "RDNSequence"},
488 {"RelativeDistinguishedName", 1612709903, 0},
489 {"MAX", 1074266122, "1"},
490 {0, 2, "AttributeTypeAndValue"},
491 {"Certificate", 1610612741, 0},
492 {"tbsCertificate", 1073741826, "TBSCertificate"},
493 {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
494 {"signature", 6, 0},
495 {"TBSCertificate", 1610612741, 0},
496 {"version", 1610653698, "Version"},
497 {0, 1073741833, "v1"},
498 {0, 2056, "0"},
499 {"serialNumber", 1073741826, "CertificateSerialNumber"},
500 {"signature", 1073741826, "AlgorithmIdentifier"},
501 {"issuer", 1073741826, "Name"},
502 {"validity", 1073741826, "Validity"},
503 {"subject", 1073741826, "Name"},
504 {"subjectPublicKeyInfo", 1073741826, "SubjectPublicKeyInfo"},
505 {"issuerUniqueID", 1610637314, "UniqueIdentifier"},
506 {0, 4104, "1"},
507 {"subjectUniqueID", 1610637314, "UniqueIdentifier"},
508 {0, 4104, "2"},
509 {"extensions", 536895490, "Extensions"},
510 {0, 2056, "3"},
511 {"Version", 1610874883, 0},
512 {"v1", 1073741825, "0"},
513 {"v2", 1073741825, "1"},
514 {"v3", 1, "2"},
515 {"CertificateSerialNumber", 1073741827, 0},
516 {"Validity", 1610612741, 0},
517 {"notBefore", 1073741826, "Time"},
518 {"notAfter", 2, "Time"},
519 {"Time", 1610612754, 0},
520 {"utcTime", 1090519057, 0},
521 {"generalTime", 8388625, 0},
522 {"UniqueIdentifier", 1073741830, 0},
523 {"SubjectPublicKeyInfo", 1610612741, 0},
524 {"algorithm", 1073741826, "AlgorithmIdentifier"},
525 {"subjectPublicKey", 6, 0},
526 {"Extensions", 1612709899, 0},
527 {"MAX", 1074266122, "1"},
528 {0, 2, "Extension"},
529 {"Extension", 1610612741, 0},
530 {"extnID", 1073741836, 0},
531 {"critical", 1610645508, 0},
532 {0, 131081, 0},
533 {"extnValue", 7, 0},
534 {"CertificateList", 1610612741, 0},
535 {"tbsCertList", 1073741826, "TBSCertList"},
536 {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
537 {"signature", 6, 0},
538 {"TBSCertList", 1610612741, 0},
539 {"version", 1073758210, "Version"},
540 {"signature", 1073741826, "AlgorithmIdentifier"},
541 {"issuer", 1073741826, "Name"},
542 {"thisUpdate", 1073741826, "Time"},
543 {"nextUpdate", 1073758210, "Time"},
544 {"revokedCertificates", 1610629131, 0},
545 {0, 536870917, 0},
546 {"userCertificate", 1073741826, "CertificateSerialNumber"},
547 {"revocationDate", 1073741826, "Time"},
548 {"crlEntryExtensions", 16386, "Extensions"},
549 {"crlExtensions", 536895490, "Extensions"},
550 {0, 2056, "0"},
551 {"AlgorithmIdentifier", 1610612741, 0},
552 {"algorithm", 1073741836, 0},
553 {"parameters", 541081613, 0},
554 {"algorithm", 1, 0},
555 {"pkcs-1", 1879048204, 0},
556 {0, 1073741825, "pkcs"},
557 {0, 1, "1"},
558 {"rsaEncryption", 1879048204, 0},
559 {0, 1073741825, "pkcs-1"},
560 {0, 1, "1"},
561 {"md2WithRSAEncryption", 1879048204, 0},
562 {0, 1073741825, "pkcs-1"},
563 {0, 1, "2"},
564 {"md5WithRSAEncryption", 1879048204, 0},
565 {0, 1073741825, "pkcs-1"},
566 {0, 1, "4"},
567 {"sha1WithRSAEncryption", 1879048204, 0},
568 {0, 1073741825, "pkcs-1"},
569 {0, 1, "5"},
570 {"id-dsa-with-sha1", 1879048204, 0},
571 {"iso", 1073741825, "1"},
572 {"member-body", 1073741825, "2"},
573 {"us", 1073741825, "840"},
574 {"x9-57", 1073741825, "10040"},
575 {"x9algorithm", 1073741825, "4"},
576 {0, 1, "3"},
577 {"Dss-Sig-Value", 1610612741, 0},
578 {"r", 1073741827, 0},
579 {"s", 3, 0},
580 {"dhpublicnumber", 1879048204, 0},
581 {"iso", 1073741825, "1"},
582 {"member-body", 1073741825, "2"},
583 {"us", 1073741825, "840"},
584 {"ansi-x942", 1073741825, "10046"},
585 {"number-type", 1073741825, "2"},
586 {0, 1, "1"},
587 {"DomainParameters", 1610612741, 0},
588 {"p", 1073741827, 0},
589 {"g", 1073741827, 0},
590 {"q", 1073741827, 0},
591 {"j", 1073758211, 0},
592 {"validationParms", 16386, "ValidationParms"},
593 {"ValidationParms", 1610612741, 0},
594 {"seed", 1073741830, 0},
595 {"pgenCounter", 3, 0},
596 {"id-dsa", 1879048204, 0},
597 {"iso", 1073741825, "1"},
598 {"member-body", 1073741825, "2"},
599 {"us", 1073741825, "840"},
600 {"x9-57", 1073741825, "10040"},
601 {"x9algorithm", 1073741825, "4"},
602 {0, 1, "1"},
603 {"Dss-Parms", 1610612741, 0},
604 {"p", 1073741827, 0},
605 {"q", 1073741827, 0},
606 {"g", 3, 0},
607 {"ORAddress", 1610612741, 0},
608 {"built-in-standard-attributes", 1073741826, "BuiltInStandardAttributes"},
609 {"built-in-domain-defined-attributes", 1073758210,
610 "BuiltInDomainDefinedAttributes"},
611 {"extension-attributes", 16386, "ExtensionAttributes"},
612 {"BuiltInStandardAttributes", 1610612741, 0},
613 {"country-name", 1073758210, "CountryName"},
614 {"administration-domain-name", 1073758210, "AdministrationDomainName"},
615 {"network-address", 1610637314, "NetworkAddress"},
616 {0, 2056, "0"},
617 {"terminal-identifier", 1610637314, "TerminalIdentifier"},
618 {0, 2056, "1"},
619 {"private-domain-name", 1610637314, "PrivateDomainName"},
620 {0, 2056, "2"},
621 {"organization-name", 1610637314, "OrganizationName"},
622 {0, 2056, "3"},
623 {"numeric-user-identifier", 1610637314, "NumericUserIdentifier"},
624 {0, 2056, "4"},
625 {"personal-name", 1610637314, "PersonalName"},
626 {0, 2056, "5"},
627 {"organizational-unit-names", 536895490, "OrganizationalUnitNames"},
628 {0, 2056, "6"},
629 {"CountryName", 1610620946, 0},
630 {0, 1073746952, "1"},
631 {"x121-dcc-code", 1612709890, "NumericString"},
632 {0, 1048586, "ub-country-name-numeric-length"},
633 {"iso-3166-alpha2-code", 538968066, "PrintableString"},
634 {0, 1048586, "ub-country-name-alpha-length"},
635 {"AdministrationDomainName", 1610620946, 0},
636 {0, 1073744904, "2"},
637 {"numeric", 1612709890, "NumericString"},
638 {"ub-domain-name-length", 524298, "0"},
639 {"printable", 538968066, "PrintableString"},
640 {"ub-domain-name-length", 524298, "0"},
641 {"NetworkAddress", 1073741826, "X121Address"},
642 {"X121Address", 1612709890, "NumericString"},
643 {"ub-x121-address-length", 524298, "1"},
644 {"TerminalIdentifier", 1612709890, "PrintableString"},
645 {"ub-terminal-id-length", 524298, "1"},
646 {"PrivateDomainName", 1610612754, 0},
647 {"numeric", 1612709890, "NumericString"},
648 {"ub-domain-name-length", 524298, "1"},
649 {"printable", 538968066, "PrintableString"},
650 {"ub-domain-name-length", 524298, "1"},
651 {"OrganizationName", 1612709890, "PrintableString"},
652 {"ub-organization-name-length", 524298, "1"},
653 {"NumericUserIdentifier", 1612709890, "NumericString"},
654 {"ub-numeric-user-id-length", 524298, "1"},
655 {"PersonalName", 1610612750, 0},
656 {"surname", 1814044674, "PrintableString"},
657 {0, 1073745928, "0"},
658 {"ub-surname-length", 524298, "1"},
659 {"given-name", 1814061058, "PrintableString"},
660 {0, 1073745928, "1"},
661 {"ub-given-name-length", 524298, "1"},
662 {"initials", 1814061058, "PrintableString"},
663 {0, 1073745928, "2"},
664 {"ub-initials-length", 524298, "1"},
665 {"generation-qualifier", 740319234, "PrintableString"},
666 {0, 1073745928, "3"},
667 {"ub-generation-qualifier-length", 524298, "1"},
668 {"OrganizationalUnitNames", 1612709899, 0},
669 {"ub-organizational-units", 1074266122, "1"},
670 {0, 2, "OrganizationalUnitName"},
671 {"OrganizationalUnitName", 1612709890, "PrintableString"},
672 {"ub-organizational-unit-name-length", 524298, "1"},
673 {"BuiltInDomainDefinedAttributes", 1612709899, 0},
674 {"ub-domain-defined-attributes", 1074266122, "1"},
675 {0, 2, "BuiltInDomainDefinedAttribute"},
676 {"BuiltInDomainDefinedAttribute", 1610612741, 0},
677 {"type", 1612709890, "PrintableString"},
678 {"ub-domain-defined-attribute-type-length", 524298, "1"},
679 {"value", 538968066, "PrintableString"},
680 {"ub-domain-defined-attribute-value-length", 524298, "1"},
681 {"ExtensionAttributes", 1612709903, 0},
682 {"ub-extension-attributes", 1074266122, "1"},
683 {0, 2, "ExtensionAttribute"},
684 {"ExtensionAttribute", 1610612741, 0},
685 {"extension-attribute-type", 1611145219, 0},
686 {0, 1073743880, "0"},
687 {"0", 10, "ub-extension-attributes"},
688 {"extension-attribute-value", 541073421, 0},
689 {0, 1073743880, "1"},
690 {"extension-attribute-type", 1, 0},
691 {"common-name", 1342177283, "1"},
692 {"CommonName", 1612709890, "PrintableString"},
693 {"ub-common-name-length", 524298, "1"},
694 {"teletex-common-name", 1342177283, "2"},
695 {"TeletexCommonName", 1612709890, "TeletexString"},
696 {"ub-common-name-length", 524298, "1"},
697 {"teletex-organization-name", 1342177283, "3"},
698 {"TeletexOrganizationName", 1612709890, "TeletexString"},
699 {"ub-organization-name-length", 524298, "1"},
700 {"teletex-personal-name", 1342177283, "4"},
701 {"TeletexPersonalName", 1610612750, 0},
702 {"surname", 1814044674, "TeletexString"},
703 {0, 1073743880, "0"},
704 {"ub-surname-length", 524298, "1"},
705 {"given-name", 1814061058, "TeletexString"},
706 {0, 1073743880, "1"},
707 {"ub-given-name-length", 524298, "1"},
708 {"initials", 1814061058, "TeletexString"},
709 {0, 1073743880, "2"},
710 {"ub-initials-length", 524298, "1"},
711 {"generation-qualifier", 740319234, "TeletexString"},
712 {0, 1073743880, "3"},
713 {"ub-generation-qualifier-length", 524298, "1"},
714 {"teletex-organizational-unit-names", 1342177283, "5"},
715 {"TeletexOrganizationalUnitNames", 1612709899, 0},
716 {"ub-organizational-units", 1074266122, "1"},
717 {0, 2, "TeletexOrganizationalUnitName"},
718 {"TeletexOrganizationalUnitName", 1612709890, "TeletexString"},
719 {"ub-organizational-unit-name-length", 524298, "1"},
720 {"pds-name", 1342177283, "7"},
721 {"PDSName", 1612709890, "PrintableString"},
722 {"ub-pds-name-length", 524298, "1"},
723 {"physical-delivery-country-name", 1342177283, "8"},
724 {"PhysicalDeliveryCountryName", 1610612754, 0},
725 {"x121-dcc-code", 1612709890, "NumericString"},
726 {0, 1048586, "ub-country-name-numeric-length"},
727 {"iso-3166-alpha2-code", 538968066, "PrintableString"},
728 {0, 1048586, "ub-country-name-alpha-length"},
729 {"postal-code", 1342177283, "9"},
730 {"PostalCode", 1610612754, 0},
731 {"numeric-code", 1612709890, "NumericString"},
732 {"ub-postal-code-length", 524298, "1"},
733 {"printable-code", 538968066, "PrintableString"},
734 {"ub-postal-code-length", 524298, "1"},
735 {"physical-delivery-office-name", 1342177283, "10"},
736 {"PhysicalDeliveryOfficeName", 1073741826, "PDSParameter"},
737 {"physical-delivery-office-number", 1342177283, "11"},
738 {"PhysicalDeliveryOfficeNumber", 1073741826, "PDSParameter"},
739 {"extension-OR-address-components", 1342177283, "12"},
740 {"ExtensionORAddressComponents", 1073741826, "PDSParameter"},
741 {"physical-delivery-personal-name", 1342177283, "13"},
742 {"PhysicalDeliveryPersonalName", 1073741826, "PDSParameter"},
743 {"physical-delivery-organization-name", 1342177283, "14"},
744 {"PhysicalDeliveryOrganizationName", 1073741826, "PDSParameter"},
745 {"extension-physical-delivery-address-components", 1342177283, "15"},
746 {"ExtensionPhysicalDeliveryAddressComponents", 1073741826, "PDSParameter"},
747 {"unformatted-postal-address", 1342177283, "16"},
748 {"UnformattedPostalAddress", 1610612750, 0},
749 {"printable-address", 1814052875, 0},
750 {"ub-pds-physical-address-lines", 1074266122, "1"},
751 {0, 538968066, "PrintableString"},
752 {"ub-pds-parameter-length", 524298, "1"},
753 {"teletex-string", 740311042, "TeletexString"},
754 {"ub-unformatted-address-length", 524298, "1"},
755 {"street-address", 1342177283, "17"},
756 {"StreetAddress", 1073741826, "PDSParameter"},
757 {"post-office-box-address", 1342177283, "18"},
758 {"PostOfficeBoxAddress", 1073741826, "PDSParameter"},
759 {"poste-restante-address", 1342177283, "19"},
760 {"PosteRestanteAddress", 1073741826, "PDSParameter"},
761 {"unique-postal-name", 1342177283, "20"},
762 {"UniquePostalName", 1073741826, "PDSParameter"},
763 {"local-postal-attributes", 1342177283, "21"},
764 {"LocalPostalAttributes", 1073741826, "PDSParameter"},
765 {"PDSParameter", 1610612750, 0},
766 {"printable-string", 1814052866, "PrintableString"},
767 {"ub-pds-parameter-length", 524298, "1"},
768 {"teletex-string", 740311042, "TeletexString"},
769 {"ub-pds-parameter-length", 524298, "1"},
770 {"extended-network-address", 1342177283, "22"},
771 {"ExtendedNetworkAddress", 1610612754, 0},
772 {"e163-4-address", 1610612741, 0},
773 {"number", 1612718082, "NumericString"},
774 {0, 1073743880, "0"},
775 {"ub-e163-4-number-length", 524298, "1"},
776 {"sub-address", 538992642, "NumericString"},
777 {0, 1073743880, "1"},
778 {"ub-e163-4-sub-address-length", 524298, "1"},
779 {"psap-address", 536879106, "PresentationAddress"},
780 {0, 2056, "0"},
781 {"PresentationAddress", 1610612741, 0},
782 {"pSelector", 1610637319, 0},
783 {0, 2056, "0"},
784 {"sSelector", 1610637319, 0},
785 {0, 2056, "1"},
786 {"tSelector", 1610637319, 0},
787 {0, 2056, "2"},
788 {"nAddresses", 538976271, 0},
789 {0, 1073743880, "3"},
790 {"MAX", 1074266122, "1"},
791 {0, 7, 0},
792 {"terminal-type", 1342177283, "23"},
793 {"TerminalType", 1610874883, 0},
794 {"telex", 1073741825, "3"},
795 {"teletex", 1073741825, "4"},
796 {"g3-facsimile", 1073741825, "5"},
797 {"g4-facsimile", 1073741825, "6"},
798 {"ia5-terminal", 1073741825, "7"},
799 {"videotex", 1, "8"},
800 {"teletex-domain-defined-attributes", 1342177283, "6"},
801 {"TeletexDomainDefinedAttributes", 1612709899, 0},
802 {"ub-domain-defined-attributes", 1074266122, "1"},
803 {0, 2, "TeletexDomainDefinedAttribute"},
804 {"TeletexDomainDefinedAttribute", 1610612741, 0},
805 {"type", 1612709890, "TeletexString"},
806 {"ub-domain-defined-attribute-type-length", 524298, "1"},
807 {"value", 538968066, "TeletexString"},
808 {"ub-domain-defined-attribute-value-length", 524298, "1"},
809 {"ub-name", 1342177283, "32768"},
810 {"ub-common-name", 1342177283, "64"},
811 {"ub-locality-name", 1342177283, "128"},
812 {"ub-state-name", 1342177283, "128"},
813 {"ub-organization-name", 1342177283, "64"},
814 {"ub-organizational-unit-name", 1342177283, "64"},
815 {"ub-title", 1342177283, "64"},
816 {"ub-match", 1342177283, "128"},
817 {"ub-emailaddress-length", 1342177283, "128"},
818 {"ub-common-name-length", 1342177283, "64"},
819 {"ub-country-name-alpha-length", 1342177283, "2"},
820 {"ub-country-name-numeric-length", 1342177283, "3"},
821 {"ub-domain-defined-attributes", 1342177283, "4"},
822 {"ub-domain-defined-attribute-type-length", 1342177283, "8"},
823 {"ub-domain-defined-attribute-value-length", 1342177283, "128"},
824 {"ub-domain-name-length", 1342177283, "16"},
825 {"ub-extension-attributes", 1342177283, "256"},
826 {"ub-e163-4-number-length", 1342177283, "15"},
827 {"ub-e163-4-sub-address-length", 1342177283, "40"},
828 {"ub-generation-qualifier-length", 1342177283, "3"},
829 {"ub-given-name-length", 1342177283, "16"},
830 {"ub-initials-length", 1342177283, "5"},
831 {"ub-integer-options", 1342177283, "256"},
832 {"ub-numeric-user-id-length", 1342177283, "32"},
833 {"ub-organization-name-length", 1342177283, "64"},
834 {"ub-organizational-unit-name-length", 1342177283, "32"},
835 {"ub-organizational-units", 1342177283, "4"},
836 {"ub-pds-name-length", 1342177283, "16"},
837 {"ub-pds-parameter-length", 1342177283, "30"},
838 {"ub-pds-physical-address-lines", 1342177283, "6"},
839 {"ub-postal-code-length", 1342177283, "16"},
840 {"ub-surname-length", 1342177283, "40"},
841 {"ub-terminal-id-length", 1342177283, "24"},
842 {"ub-unformatted-address-length", 1342177283, "180"},
843 {"ub-x121-address-length", 1342177283, "16"},
844 {"pkcs-7-ContentInfo", 1610612741, 0},
845 {"contentType", 1073741826, "pkcs-7-ContentType"},
846 {"content", 541073421, 0},
847 {0, 1073743880, "0"},
848 {"contentType", 1, 0},
849 {"pkcs-7-DigestInfo", 1610612741, 0},
850 {"digestAlgorithm", 1073741826, "pkcs-7-DigestAlgorithmIdentifier"},
851 {"digest", 2, "pkcs-7-Digest"},
852 {"pkcs-7-Digest", 1073741831, 0},
853 {"pkcs-7-ContentType", 1073741836, 0},
854 {"pkcs-7-SignedData", 1610612741, 0},
855 {"version", 1073741826, "pkcs-7-CMSVersion"},
856 {"digestAlgorithms", 1073741826, "pkcs-7-DigestAlgorithmIdentifiers"},
857 {"encapContentInfo", 1073741826, "pkcs-7-EncapsulatedContentInfo"},
858 {"certificates", 1610637314, "pkcs-7-CertificateSet"},
859 {0, 4104, "0"},
860 {"crls", 1610637314, "pkcs-7-CertificateRevocationLists"},
861 {0, 4104, "1"},
862 {"signerInfos", 2, "pkcs-7-SignerInfos"},
863 {"pkcs-7-CMSVersion", 1610874883, 0},
864 {"v0", 1073741825, "0"},
865 {"v1", 1073741825, "1"},
866 {"v2", 1073741825, "2"},
867 {"v3", 1073741825, "3"},
868 {"v4", 1, "4"},
869 {"pkcs-7-DigestAlgorithmIdentifiers", 1610612751, 0},
870 {0, 2, "pkcs-7-DigestAlgorithmIdentifier"},
871 {"pkcs-7-DigestAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"},
872 {"pkcs-7-EncapsulatedContentInfo", 1610612741, 0},
873 {"eContentType", 1073741826, "pkcs-7-ContentType"},
874 {"eContent", 536895495, 0},
875 {0, 2056, "0"},
876 {"pkcs-7-CertificateRevocationLists", 1610612751, 0},
877 {0, 13, 0},
878 {"pkcs-7-CertificateChoices", 1610612754, 0},
879 {"certificate", 13, 0},
880 {"pkcs-7-CertificateSet", 1610612751, 0},
881 {0, 2, "pkcs-7-CertificateChoices"},
882 {"pkcs-7-SignerInfos", 1610612751, 0},
883 {0, 13, 0},
884 {"pkcs-10-CertificationRequestInfo", 1610612741, 0},
885 {"version", 1610874883, 0},
886 {"v1", 1, "0"},
887 {"subject", 1073741826, "Name"},
888 {"subjectPKInfo", 1073741826, "SubjectPublicKeyInfo"},
889 {"attributes", 536879106, "Attributes"},
890 {0, 4104, "0"},
891 {"Attributes", 1610612751, 0},
892 {0, 2, "Attribute"},
893 {"pkcs-10-CertificationRequest", 1610612741, 0},
894 {"certificationRequestInfo", 1073741826,
895 "pkcs-10-CertificationRequestInfo"},
896 {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
897 {"signature", 6, 0},
898 {"pkcs-9-ub-challengePassword", 1342177283, "255"},
899 {"pkcs-9-certTypes", 1879048204, 0},
900 {0, 1073741825, "pkcs-9"},
901 {0, 1, "22"},
902 {"pkcs-9-crlTypes", 1879048204, 0},
903 {0, 1073741825, "pkcs-9"},
904 {0, 1, "23"},
905 {"pkcs-9-at-challengePassword", 1879048204, 0},
906 {0, 1073741825, "pkcs-9"},
907 {0, 1, "7"},
908 {"pkcs-9-challengePassword", 1610612754, 0},
909 {"printableString", 1612709890, "PrintableString"},
910 {"pkcs-9-ub-challengePassword", 524298, "1"},
911 {"utf8String", 538968066, "UTF8String"},
912 {"pkcs-9-ub-challengePassword", 524298, "1"},
913 {"pkcs-9-at-localKeyId", 1879048204, 0},
914 {0, 1073741825, "pkcs-9"},
915 {0, 1, "21"},
916 {"pkcs-9-localKeyId", 1073741831, 0},
917 {"pkcs-9-at-friendlyName", 1879048204, 0},
918 {0, 1073741825, "pkcs-9"},
919 {0, 1, "20"},
920 {"pkcs-9-friendlyName", 1612709890, "BMPString"},
921 {"255", 524298, "1"},
922 {"pkcs-8-PrivateKeyInfo", 1610612741, 0},
923 {"version", 1073741826, "pkcs-8-Version"},
924 {"privateKeyAlgorithm", 1073741826, "AlgorithmIdentifier"},
925 {"privateKey", 1073741826, "pkcs-8-PrivateKey"},
926 {"attributes", 536895490, "Attributes"},
927 {0, 4104, "0"},
928 {"pkcs-8-Version", 1610874883, 0},
929 {"v1", 1, "0"},
930 {"pkcs-8-PrivateKey", 1073741831, 0},
931 {"pkcs-8-Attributes", 1610612751, 0},
932 {0, 2, "Attribute"},
933 {"pkcs-8-EncryptedPrivateKeyInfo", 1610612741, 0},
934 {"encryptionAlgorithm", 1073741826, "AlgorithmIdentifier"},
935 {"encryptedData", 2, "pkcs-8-EncryptedData"},
936 {"pkcs-8-EncryptedData", 1073741831, 0},
937 {"pkcs-5", 1879048204, 0},
938 {0, 1073741825, "pkcs"},
939 {0, 1, "5"},
940 {"pkcs-5-encryptionAlgorithm", 1879048204, 0},
941 {"iso", 1073741825, "1"},
942 {"member-body", 1073741825, "2"},
943 {"us", 1073741825, "840"},
944 {"rsadsi", 1073741825, "113549"},
945 {0, 1, "3"},
946 {"pkcs-5-des-EDE3-CBC", 1879048204, 0},
947 {0, 1073741825, "pkcs-5-encryptionAlgorithm"},
948 {0, 1, "7"},
949 {"pkcs-5-des-EDE3-CBC-params", 1612709895, 0},
950 {0, 1048586, "8"},
951 {"pkcs-5-id-PBES2", 1879048204, 0},
952 {0, 1073741825, "pkcs-5"},
953 {0, 1, "13"},
954 {"pkcs-5-PBES2-params", 1610612741, 0},
955 {"keyDerivationFunc", 1073741826, "AlgorithmIdentifier"},
956 {"encryptionScheme", 2, "AlgorithmIdentifier"},
957 {"pkcs-5-id-PBKDF2", 1879048204, 0},
958 {0, 1073741825, "pkcs-5"},
959 {0, 1, "12"},
960 {"pkcs-5-PBKDF2-params", 1610612741, 0},
961 {"salt", 1610612754, 0},
962 {"specified", 1073741831, 0},
963 {"otherSource", 2, "AlgorithmIdentifier"},
964 {"iterationCount", 1611137027, 0},
965 {"1", 10, "MAX"},
966 {"keyLength", 1611153411, 0},
967 {"1", 10, "MAX"},
968 {"prf", 16386, "AlgorithmIdentifier"},
969 {"pkcs-12", 1879048204, 0},
970 {0, 1073741825, "pkcs"},
971 {0, 1, "12"},
972 {"pkcs-12-PFX", 1610612741, 0},
973 {"version", 1610874883, 0},
974 {"v3", 1, "3"},
975 {"authSafe", 1073741826, "pkcs-7-ContentInfo"},
976 {"macData", 16386, "pkcs-12-MacData"},
977 {"pkcs-12-PbeParams", 1610612741, 0},
978 {"salt", 1073741831, 0},
979 {"iterations", 3, 0},
980 {"pkcs-12-MacData", 1610612741, 0},
981 {"mac", 1073741826, "pkcs-7-DigestInfo"},
982 {"macSalt", 1073741831, 0},
983 {"iterations", 536903683, 0},
984 {0, 9, "1"},
985 {"pkcs-12-AuthenticatedSafe", 1610612747, 0},
986 {0, 2, "pkcs-7-ContentInfo"},
987 {"pkcs-12-SafeContents", 1610612747, 0},
988 {0, 2, "pkcs-12-SafeBag"},
989 {"pkcs-12-SafeBag", 1610612741, 0},
990 {"bagId", 1073741836, 0},
991 {"bagValue", 1614815245, 0},
992 {0, 1073743880, "0"},
993 {"badId", 1, 0},
994 {"bagAttributes", 536887311, 0},
995 {0, 2, "pkcs-12-PKCS12Attribute"},
996 {"pkcs-12-bagtypes", 1879048204, 0},
997 {0, 1073741825, "pkcs-12"},
998 {0, 1073741825, "10"},
999 {0, 1, "1"},
1000 {"pkcs-12-keyBag", 1879048204, 0},
1001 {0, 1073741825, "pkcs-12-bagtypes"},
1002 {0, 1, "1"},
1003 {"pkcs-12-pkcs8ShroudedKeyBag", 1879048204, 0},
1004 {0, 1073741825, "pkcs-12-bagtypes"},
1005 {0, 1, "2"},
1006 {"pkcs-12-certBag", 1879048204, 0},
1007 {0, 1073741825, "pkcs-12-bagtypes"},
1008 {0, 1, "3"},
1009 {"pkcs-12-crlBag", 1879048204, 0},
1010 {0, 1073741825, "pkcs-12-bagtypes"},
1011 {0, 1, "4"},
1012 {"pkcs-12-KeyBag", 1073741826, "pkcs-8-PrivateKeyInfo"},
1013 {"pkcs-12-PKCS8ShroudedKeyBag", 1073741826,
1014 "pkcs-8-EncryptedPrivateKeyInfo"},
1015 {"pkcs-12-CertBag", 1610612741, 0},
1016 {"certId", 1073741836, 0},
1017 {"certValue", 541073421, 0},
1018 {0, 1073743880, "0"},
1019 {"certId", 1, 0},
1020 {"pkcs-12-CRLBag", 1610612741, 0},
1021 {"crlId", 1073741836, 0},
1022 {"crlValue", 541073421, 0},
1023 {0, 1073743880, "0"},
1024 {"crlId", 1, 0},
1025 {"pkcs-12-PKCS12Attribute", 1073741826, "Attribute"},
1026 {"pkcs-7-data", 1879048204, 0},
1027 {"iso", 1073741825, "1"},
1028 {"member-body", 1073741825, "2"},
1029 {"us", 1073741825, "840"},
1030 {"rsadsi", 1073741825, "113549"},
1031 {"pkcs", 1073741825, "1"},
1032 {"pkcs7", 1073741825, "7"},
1033 {0, 1, "1"},
1034 {"pkcs-7-encryptedData", 1879048204, 0},
1035 {"iso", 1073741825, "1"},
1036 {"member-body", 1073741825, "2"},
1037 {"us", 1073741825, "840"},
1038 {"rsadsi", 1073741825, "113549"},
1039 {"pkcs", 1073741825, "1"},
1040 {"pkcs7", 1073741825, "7"},
1041 {0, 1, "6"},
1042 {"pkcs-7-Data", 1073741831, 0},
1043 {"pkcs-7-EncryptedData", 1610612741, 0},
1044 {"version", 1073741826, "pkcs-7-CMSVersion"},
1045 {"encryptedContentInfo", 1073741826, "pkcs-7-EncryptedContentInfo"},
1046 {"unprotectedAttrs", 536895490, "pkcs-7-UnprotectedAttributes"},
1047 {0, 4104, "1"},
1048 {"pkcs-7-EncryptedContentInfo", 1610612741, 0},
1049 {"contentType", 1073741826, "pkcs-7-ContentType"},
1050 {"contentEncryptionAlgorithm", 1073741826,
1051 "pkcs-7-ContentEncryptionAlgorithmIdentifier"},
1052 {"encryptedContent", 536895490, "pkcs-7-EncryptedContent"},
1053 {0, 4104, "0"},
1054 {"pkcs-7-ContentEncryptionAlgorithmIdentifier", 1073741826,
1055 "AlgorithmIdentifier"},
1056 {"pkcs-7-EncryptedContent", 1073741831, 0},
1057 {"pkcs-7-UnprotectedAttributes", 1612709903, 0},
1058 {"MAX", 1074266122, "1"},
1059 {0, 2, "Attribute"},
1060 {"id-at-ldap-DC", 1880096780, "AttributeType"},
1061 {0, 1073741825, "0"},
1062 {0, 1073741825, "9"},
1063 {0, 1073741825, "2342"},
1064 {0, 1073741825, "19200300"},
1065 {0, 1073741825, "100"},
1066 {0, 1073741825, "1"},
1067 {0, 1, "25"},
1068 {"ldap-DC", 1073741826, "IA5String"},
1069 {"id-at-ldap-UID", 1880096780, "AttributeType"},
1070 {0, 1073741825, "0"},
1071 {0, 1073741825, "9"},
1072 {0, 1073741825, "2342"},
1073 {0, 1073741825, "19200300"},
1074 {0, 1073741825, "100"},
1075 {0, 1073741825, "1"},
1076 {0, 1, "1"},
1077 {"ldap-UID", 1073741826, "DirectoryString"},
1078 {"id-pda", 1879048204, 0},
1079 {0, 1073741825, "id-pkix"},
1080 {0, 1, "9"},
1081 {"id-pda-dateOfBirth", 1880096780, "AttributeType"},
1082 {0, 1073741825, "id-pda"},
1083 {0, 1, "1"},
1084 {"DateOfBirth", 1082130449, 0},
1085 {"id-pda-placeOfBirth", 1880096780, "AttributeType"},
1086 {0, 1073741825, "id-pda"},
1087 {0, 1, "2"},
1088 {"PlaceOfBirth", 1073741826, "DirectoryString"},
1089 {"id-pda-gender", 1880096780, "AttributeType"},
1090 {0, 1073741825, "id-pda"},
1091 {0, 1, "3"},
1092 {"Gender", 1612709890, "PrintableString"},
1093 {0, 1048586, "1"},
1094 {"id-pda-countryOfCitizenship", 1880096780, "AttributeType"},
1095 {0, 1073741825, "id-pda"},
1096 {0, 1, "4"},
1097 {"CountryOfCitizenship", 1612709890, "PrintableString"},
1098 {0, 1048586, "2"},
1099 {"id-pda-countryOfResidence", 1880096780, "AttributeType"},
1100 {0, 1073741825, "id-pda"},
1101 {0, 1, "5"},
1102 {"CountryOfResidence", 1612709890, "PrintableString"},
1103 {0, 1048586, "2"},
1104 {"id-pe-proxyCertInfo", 1879048204, 0},
1105 {0, 1073741825, "id-pe"},
1106 {0, 1, "14"},
1107 {"id-ppl-inheritAll", 1879048204, 0},
1108 {0, 1073741825, "id-pkix"},
1109 {0, 1073741825, "21"},
1110 {0, 1, "1"},
1111 {"id-ppl-independent", 1879048204, 0},
1112 {0, 1073741825, "id-pkix"},
1113 {0, 1073741825, "21"},
1114 {0, 1, "2"},
1115 {"ProxyCertInfo", 1610612741, 0},
1116 {"pCPathLenConstraint", 1611153411, 0},
1117 {"0", 10, "MAX"},
1118 {"proxyPolicy", 2, "ProxyPolicy"},
1119 {"ProxyPolicy", 1610612741, 0},
1120 {"policyLanguage", 1073741836, 0},
1121 {"policy", 16391, 0},
1122 {"id-on", 1879048204, 0},
1123 {0, 1073741825, "id-pkix"},
1124 {0, 1, "8"},
1125 {"id-on-xmppAddr", 1879048204, 0},
1126 {0, 1073741825, "id-on"},
1127 {0, 1, "5"},
1128 {"XmppAddr", 2, "UTF8String"},
1129 {0, 0, 0}
1130};
diff --git a/src/daemon/https/tls/str-two-way.h b/src/daemon/https/tls/str-two-way.h
deleted file mode 100644
index 29bb09f6..00000000
--- a/src/daemon/https/tls/str-two-way.h
+++ /dev/null
@@ -1,429 +0,0 @@
1/* Byte-wise substring search, using the Two-Way algorithm.
2 Copyright (C) 2008 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Written by Eric Blake <ebb9@byu.net>, 2008.
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1, or (at your option)
9 any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License along
17 with this program; if not, write to the Free Software Foundation,
18 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
19
20/* Before including this file, you need to include <config.h> and
21 <string.h>, and define:
22 RESULT_TYPE A macro that expands to the return type.
23 AVAILABLE(h, h_l, j, n_l)
24 A macro that returns nonzero if there are
25 at least N_L bytes left starting at H[J].
26 H is 'unsigned char *', H_L, J, and N_L
27 are 'size_t'; H_L is an lvalue. For
28 NUL-terminated searches, H_L can be
29 modified each iteration to avoid having
30 to compute the end of H up front.
31
32 For case-insensitivity, you may optionally define:
33 CMP_FUNC(p1, p2, l) A macro that returns 0 iff the first L
34 characters of P1 and P2 are equal.
35 CANON_ELEMENT(c) A macro that canonicalizes an element right after
36 it has been fetched from one of the two strings.
37 The argument is an 'unsigned char'; the result
38 must be an 'unsigned char' as well.
39
40 This file undefines the macros documented above, and defines
41 LONG_NEEDLE_THRESHOLD.
42*/
43
44#include <limits.h>
45#include <stdint.h>
46
47/* We use the Two-Way string matching algorithm, which guarantees
48 linear complexity with constant space. Additionally, for long
49 needles, we also use a bad character shift table similar to the
50 Boyer-Moore algorithm to achieve improved (potentially sub-linear)
51 performance.
52
53 See http://www-igm.univ-mlv.fr/~lecroq/string/node26.html#SECTION00260
54 and http://en.wikipedia.org/wiki/Boyer-Moore_string_search_algorithm
55*/
56
57/* Point at which computing a bad-byte shift table is likely to be
58 worthwhile. Small needles should not compute a table, since it
59 adds (1 << CHAR_BIT) + NEEDLE_LEN computations of preparation for a
60 speedup no greater than a factor of NEEDLE_LEN. The larger the
61 needle, the better the potential performance gain. On the other
62 hand, on non-POSIX systems with CHAR_BIT larger than eight, the
63 memory required for the table is prohibitive. */
64#if CHAR_BIT < 10
65# define LONG_NEEDLE_THRESHOLD 32U
66#else
67# define LONG_NEEDLE_THRESHOLD SIZE_MAX
68#endif
69
70#ifndef MAX
71# define MAX(a, b) ((a < b) ? (b) : (a))
72#endif
73
74#ifndef CANON_ELEMENT
75# define CANON_ELEMENT(c) c
76#endif
77#ifndef CMP_FUNC
78# define CMP_FUNC memcmp
79#endif
80
81/* Perform a critical factorization of NEEDLE, of length NEEDLE_LEN.
82 Return the index of the first byte in the right half, and set
83 *PERIOD to the global period of the right half.
84
85 The global period of a string is the smallest index (possibly its
86 length) at which all remaining bytes in the string are repetitions
87 of the prefix (the last repetition may be a subset of the prefix).
88
89 When NEEDLE is factored into two halves, a local period is the
90 length of the smallest word that shares a suffix with the left half
91 and shares a prefix with the right half. All factorizations of a
92 non-empty NEEDLE have a local period of at least 1 and no greater
93 than NEEDLE_LEN.
94
95 A critical factorization has the property that the local period
96 equals the global period. All strings have at least one critical
97 factorization with the left half smaller than the global period.
98
99 Given an ordered alphabet, a critical factorization can be computed
100 in linear time, with 2 * NEEDLE_LEN comparisons, by computing the
101 larger of two ordered maximal suffixes. The ordered maximal
102 suffixes are determined by lexicographic comparison of
103 periodicity. */
104static size_t
105critical_factorization (const unsigned char *needle, size_t needle_len,
106 size_t * period)
107{
108 /* Index of last byte of left half, or SIZE_MAX. */
109 size_t max_suffix, max_suffix_rev;
110 size_t j; /* Index into NEEDLE for current candidate suffix. */
111 size_t k; /* Offset into current period. */
112 size_t p; /* Intermediate period. */
113 unsigned char a, b; /* Current comparison bytes. */
114
115 /* Invariants:
116 0 <= j < NEEDLE_LEN - 1
117 -1 <= max_suffix{,_rev} < j (treating SIZE_MAX as if it were signed)
118 min(max_suffix, max_suffix_rev) < global period of NEEDLE
119 1 <= p <= global period of NEEDLE
120 p == global period of the substring NEEDLE[max_suffix{,_rev}+1...j]
121 1 <= k <= p
122 */
123
124 /* Perform lexicographic search. */
125 max_suffix = SIZE_MAX;
126 j = 0;
127 k = p = 1;
128 while (j + k < needle_len)
129 {
130 a = CANON_ELEMENT (needle[j + k]);
131 b = CANON_ELEMENT (needle[max_suffix + k]);
132 if (a < b)
133 {
134 /* Suffix is smaller, period is entire prefix so far. */
135 j += k;
136 k = 1;
137 p = j - max_suffix;
138 }
139 else if (a == b)
140 {
141 /* Advance through repetition of the current period. */
142 if (k != p)
143 ++k;
144 else
145 {
146 j += p;
147 k = 1;
148 }
149 }
150 else /* b < a */
151 {
152 /* Suffix is larger, start over from current location. */
153 max_suffix = j++;
154 k = p = 1;
155 }
156 }
157 *period = p;
158
159 /* Perform reverse lexicographic search. */
160 max_suffix_rev = SIZE_MAX;
161 j = 0;
162 k = p = 1;
163 while (j + k < needle_len)
164 {
165 a = CANON_ELEMENT (needle[j + k]);
166 b = CANON_ELEMENT (needle[max_suffix_rev + k]);
167 if (b < a)
168 {
169 /* Suffix is smaller, period is entire prefix so far. */
170 j += k;
171 k = 1;
172 p = j - max_suffix_rev;
173 }
174 else if (a == b)
175 {
176 /* Advance through repetition of the current period. */
177 if (k != p)
178 ++k;
179 else
180 {
181 j += p;
182 k = 1;
183 }
184 }
185 else /* a < b */
186 {
187 /* Suffix is larger, start over from current location. */
188 max_suffix_rev = j++;
189 k = p = 1;
190 }
191 }
192
193 /* Choose the longer suffix. Return the first byte of the right
194 half, rather than the last byte of the left half. */
195 if (max_suffix_rev + 1 < max_suffix + 1)
196 return max_suffix + 1;
197 *period = p;
198 return max_suffix_rev + 1;
199}
200
201/* Return the first location of non-empty NEEDLE within HAYSTACK, or
202 NULL. HAYSTACK_LEN is the minimum known length of HAYSTACK. This
203 method is optimized for NEEDLE_LEN < LONG_NEEDLE_THRESHOLD.
204 Performance is guaranteed to be linear, with an initialization cost
205 of 2 * NEEDLE_LEN comparisons.
206
207 If AVAILABLE does not modify HAYSTACK_LEN (as in memmem), then at
208 most 2 * HAYSTACK_LEN - NEEDLE_LEN comparisons occur in searching.
209 If AVAILABLE modifies HAYSTACK_LEN (as in strstr), then at most 3 *
210 HAYSTACK_LEN - NEEDLE_LEN comparisons occur in searching. */
211static RETURN_TYPE
212two_way_short_needle (const unsigned char *haystack, size_t haystack_len,
213 const unsigned char *needle, size_t needle_len)
214{
215 size_t i; /* Index into current byte of NEEDLE. */
216 size_t j; /* Index into current window of HAYSTACK. */
217 size_t period; /* The period of the right half of needle. */
218 size_t suffix; /* The index of the right half of needle. */
219
220 /* Factor the needle into two halves, such that the left half is
221 smaller than the global period, and the right half is
222 periodic (with a period as large as NEEDLE_LEN - suffix). */
223 suffix = critical_factorization (needle, needle_len, &period);
224
225 /* Perform the search. Each iteration compares the right half
226 first. */
227 if (CMP_FUNC (needle, needle + period, suffix) == 0)
228 {
229 /* Entire needle is periodic; a mismatch can only advance by the
230 period, so use memory to avoid rescanning known occurrences
231 of the period. */
232 size_t memory = 0;
233 j = 0;
234 while (AVAILABLE (haystack, haystack_len, j, needle_len))
235 {
236 /* Scan for matches in right half. */
237 i = MAX (suffix, memory);
238 while (i < needle_len && (CANON_ELEMENT (needle[i])
239 == CANON_ELEMENT (haystack[i + j])))
240 ++i;
241 if (needle_len <= i)
242 {
243 /* Scan for matches in left half. */
244 i = suffix - 1;
245 while (memory < i + 1 && (CANON_ELEMENT (needle[i])
246 == CANON_ELEMENT (haystack[i + j])))
247 --i;
248 if (i + 1 < memory + 1)
249 return (RETURN_TYPE) (haystack + j);
250 /* No match, so remember how many repetitions of period
251 on the right half were scanned. */
252 j += period;
253 memory = needle_len - period;
254 }
255 else
256 {
257 j += i - suffix + 1;
258 memory = 0;
259 }
260 }
261 }
262 else
263 {
264 /* The two halves of needle are distinct; no extra memory is
265 required, and any mismatch results in a maximal shift. */
266 period = MAX (suffix, needle_len - suffix) + 1;
267 j = 0;
268 while (AVAILABLE (haystack, haystack_len, j, needle_len))
269 {
270 /* Scan for matches in right half. */
271 i = suffix;
272 while (i < needle_len && (CANON_ELEMENT (needle[i])
273 == CANON_ELEMENT (haystack[i + j])))
274 ++i;
275 if (needle_len <= i)
276 {
277 /* Scan for matches in left half. */
278 i = suffix - 1;
279 while (i != SIZE_MAX && (CANON_ELEMENT (needle[i])
280 == CANON_ELEMENT (haystack[i + j])))
281 --i;
282 if (i == SIZE_MAX)
283 return (RETURN_TYPE) (haystack + j);
284 j += period;
285 }
286 else
287 j += i - suffix + 1;
288 }
289 }
290 return NULL;
291}
292
293/* Return the first location of non-empty NEEDLE within HAYSTACK, or
294 NULL. HAYSTACK_LEN is the minimum known length of HAYSTACK. This
295 method is optimized for LONG_NEEDLE_THRESHOLD <= NEEDLE_LEN.
296 Performance is guaranteed to be linear, with an initialization cost
297 of 3 * NEEDLE_LEN + (1 << CHAR_BIT) operations.
298
299 If AVAILABLE does not modify HAYSTACK_LEN (as in memmem), then at
300 most 2 * HAYSTACK_LEN - NEEDLE_LEN comparisons occur in searching,
301 and sublinear performance O(HAYSTACK_LEN / NEEDLE_LEN) is possible.
302 If AVAILABLE modifies HAYSTACK_LEN (as in strstr), then at most 3 *
303 HAYSTACK_LEN - NEEDLE_LEN comparisons occur in searching, and
304 sublinear performance is not possible. */
305static RETURN_TYPE
306two_way_long_needle (const unsigned char *haystack, size_t haystack_len,
307 const unsigned char *needle, size_t needle_len)
308{
309 size_t i; /* Index into current byte of NEEDLE. */
310 size_t j; /* Index into current window of HAYSTACK. */
311 size_t period; /* The period of the right half of needle. */
312 size_t suffix; /* The index of the right half of needle. */
313 size_t shift_table[1U << CHAR_BIT]; /* See below. */
314
315 /* Factor the needle into two halves, such that the left half is
316 smaller than the global period, and the right half is
317 periodic (with a period as large as NEEDLE_LEN - suffix). */
318 suffix = critical_factorization (needle, needle_len, &period);
319
320 /* Populate shift_table. For each possible byte value c,
321 shift_table[c] is the distance from the last occurrence of c to
322 the end of NEEDLE, or NEEDLE_LEN if c is absent from the NEEDLE.
323 shift_table[NEEDLE[NEEDLE_LEN - 1]] contains the only 0. */
324 for (i = 0; i < 1U << CHAR_BIT; i++)
325 shift_table[i] = needle_len;
326 for (i = 0; i < needle_len; i++)
327 shift_table[CANON_ELEMENT (needle[i])] = needle_len - i - 1;
328
329 /* Perform the search. Each iteration compares the right half
330 first. */
331 if (CMP_FUNC (needle, needle + period, suffix) == 0)
332 {
333 /* Entire needle is periodic; a mismatch can only advance by the
334 period, so use memory to avoid rescanning known occurrences
335 of the period. */
336 size_t memory = 0;
337 size_t shift;
338 j = 0;
339 while (AVAILABLE (haystack, haystack_len, j, needle_len))
340 {
341 /* Check the last byte first; if it does not match, then
342 shift to the next possible match location. */
343 shift = shift_table[CANON_ELEMENT (haystack[j + needle_len - 1])];
344 if (0 < shift)
345 {
346 if (memory && shift < period)
347 {
348 /* Since needle is periodic, but the last period has
349 a byte out of place, there can be no match until
350 after the mismatch. */
351 shift = needle_len - period;
352 memory = 0;
353 }
354 j += shift;
355 continue;
356 }
357 /* Scan for matches in right half. The last byte has
358 already been matched, by virtue of the shift table. */
359 i = MAX (suffix, memory);
360 while (i < needle_len - 1 && (CANON_ELEMENT (needle[i])
361 == CANON_ELEMENT (haystack[i + j])))
362 ++i;
363 if (needle_len - 1 <= i)
364 {
365 /* Scan for matches in left half. */
366 i = suffix - 1;
367 while (memory < i + 1 && (CANON_ELEMENT (needle[i])
368 == CANON_ELEMENT (haystack[i + j])))
369 --i;
370 if (i + 1 < memory + 1)
371 return (RETURN_TYPE) (haystack + j);
372 /* No match, so remember how many repetitions of period
373 on the right half were scanned. */
374 j += period;
375 memory = needle_len - period;
376 }
377 else
378 {
379 j += i - suffix + 1;
380 memory = 0;
381 }
382 }
383 }
384 else
385 {
386 /* The two halves of needle are distinct; no extra memory is
387 required, and any mismatch results in a maximal shift. */
388 size_t shift;
389 period = MAX (suffix, needle_len - suffix) + 1;
390 j = 0;
391 while (AVAILABLE (haystack, haystack_len, j, needle_len))
392 {
393 /* Check the last byte first; if it does not match, then
394 shift to the next possible match location. */
395 shift = shift_table[CANON_ELEMENT (haystack[j + needle_len - 1])];
396 if (0 < shift)
397 {
398 j += shift;
399 continue;
400 }
401 /* Scan for matches in right half. The last byte has
402 already been matched, by virtue of the shift table. */
403 i = suffix;
404 while (i < needle_len - 1 && (CANON_ELEMENT (needle[i])
405 == CANON_ELEMENT (haystack[i + j])))
406 ++i;
407 if (needle_len - 1 <= i)
408 {
409 /* Scan for matches in left half. */
410 i = suffix - 1;
411 while (i != SIZE_MAX && (CANON_ELEMENT (needle[i])
412 == CANON_ELEMENT (haystack[i + j])))
413 --i;
414 if (i == SIZE_MAX)
415 return (RETURN_TYPE) (haystack + j);
416 j += period;
417 }
418 else
419 j += i - suffix + 1;
420 }
421 }
422 return NULL;
423}
424
425#undef AVAILABLE
426#undef CANON_ELEMENT
427#undef CMP_FUNC
428#undef MAX
429#undef RETURN_TYPE
diff --git a/src/daemon/https/tls/x509_b64.c b/src/daemon/https/tls/x509_b64.c
deleted file mode 100644
index 152f7409..00000000
--- a/src/daemon/https/tls/x509_b64.c
+++ /dev/null
@@ -1,413 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* Functions that relate to base64 encoding and decoding.
26 */
27
28#include "gnutls_int.h"
29#include "gnutls_errors.h"
30#include <gnutls_datum.h>
31#include <x509_b64.h>
32
33static const uint8_t b64table[] =
34 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
35
36static const uint8_t asciitable[128] = {
37 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
38 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
39 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
40 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
41 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
42 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
43 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
44 0xff, 0x3e, 0xff, 0xff, 0xff, 0x3f,
45 0x34, 0x35, 0x36, 0x37, 0x38, 0x39,
46 0x3a, 0x3b, 0x3c, 0x3d, 0xff, 0xff,
47 0xff, 0xf1, 0xff, 0xff, 0xff, 0x00, /* 0xf1 for '=' */
48 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
49 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
50 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12,
51 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
52 0x19, 0xff, 0xff, 0xff, 0xff, 0xff,
53 0xff, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e,
54 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24,
55 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a,
56 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30,
57 0x31, 0x32, 0x33, 0xff, 0xff, 0xff,
58 0xff, 0xff
59};
60
61#define INCR(what, size) \
62 do { \
63 what+=size; \
64 if (what > ret) { \
65 MHD_gnutls_assert(); \
66 MHD_gnutls_free( (*result)); *result = NULL; \
67 return GNUTLS_E_INTERNAL_ERROR; \
68 } \
69 } while(0)
70
71
72inline static int
73encode (char *result, const uint8_t * data, int left)
74{
75
76 int data_len;
77
78 if (left > 3)
79 data_len = 3;
80 else
81 data_len = left;
82
83 switch (data_len)
84 {
85 case 3:
86 result[0] = b64table[(data[0] >> 2)];
87 result[1] =
88 b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) |
89 (data[1] >> 4))];
90 result[2] =
91 b64table[((((data[1] & 0x0f) << 2) & 0xff) | (data[2] >> 6))];
92 result[3] = b64table[(((data[2] << 2) & 0xff) >> 2)];
93 break;
94 case 2:
95 result[0] = b64table[(data[0] >> 2)];
96 result[1] =
97 b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff) |
98 (data[1] >> 4))];
99 result[2] = b64table[(((data[1] << 4) & 0xff) >> 2)];
100 result[3] = '=';
101 break;
102 case 1:
103 result[0] = b64table[(data[0] >> 2)];
104 result[1] = b64table[(((((data[0] & 0x03) & 0xff) << 4) & 0xff))];
105 result[2] = '=';
106 result[3] = '=';
107 break;
108 default:
109 return -1;
110 }
111
112 return 4;
113
114}
115
116/* data must be 4 bytes
117 * result should be 3 bytes
118 */
119#define TOASCII(c) (c < 127 ? asciitable[c] : 0xff)
120inline static int
121decode (uint8_t * result, const opaque * data)
122{
123 uint8_t a1, a2;
124 int ret = 3;
125
126 a1 = TOASCII (data[0]);
127 a2 = TOASCII (data[1]);
128 if (a1 == 0xff || a2 == 0xff)
129 return -1;
130 result[0] = ((a1 << 2) & 0xff) | ((a2 >> 4) & 0xff);
131
132 a1 = a2;
133 a2 = TOASCII (data[2]);
134 if (a2 == 0xff)
135 return -1;
136 result[1] = ((a1 << 4) & 0xff) | ((a2 >> 2) & 0xff);
137
138 a1 = a2;
139 a2 = TOASCII (data[3]);
140 if (a2 == 0xff)
141 return -1;
142 result[2] = ((a1 << 6) & 0xff) | (a2 & 0xff);
143
144 if (data[2] == '=')
145 ret--;
146
147 if (data[3] == '=')
148 ret--;
149 return ret;
150}
151
152/* encodes data and puts the result into result (locally allocated)
153 * The result_size (including the null terminator) is the return value.
154 */
155int
156MHD__gnutls_fbase64_encode (const char *msg, const uint8_t * data,
157 int data_size, uint8_t ** result)
158{
159 int i, ret, tmp, j;
160 char tmpres[4];
161 uint8_t *ptr;
162 uint8_t top[80];
163 uint8_t bottom[80];
164 int pos, bytes, top_len, bottom_len;
165 size_t msglen = strlen (msg);
166
167 if (msglen > 50)
168 {
169 MHD_gnutls_assert ();
170 return GNUTLS_E_BASE64_ENCODING_ERROR;
171 }
172
173 memset (bottom, 0, sizeof (bottom));
174 memset (top, 0, sizeof (top));
175
176 strcat ((char *) top, "-----BEGIN "); /* Flawfinder: ignore */
177 strcat ((char *) top, msg); /* Flawfinder: ignore */
178 strcat ((char *) top, "-----"); /* Flawfinder: ignore */
179
180 strcat ((char *) bottom, "\n-----END "); /* Flawfinder: ignore */
181 strcat ((char *) bottom, msg); /* Flawfinder: ignore */
182 strcat ((char *) bottom, "-----\n"); /* Flawfinder: ignore */
183
184 top_len = strlen ((char *) top);
185 bottom_len = strlen ((char *) bottom);
186
187 ret = B64FSIZE (msglen, data_size);
188
189 (*result) = MHD_gnutls_calloc (1, ret + 1);
190 if ((*result) == NULL)
191 {
192 MHD_gnutls_assert ();
193 return GNUTLS_E_MEMORY_ERROR;
194 }
195
196 bytes = pos = 0;
197 INCR (bytes, top_len);
198 pos = top_len;
199
200 strcpy ((char *) *result, (char *) top); /* Flawfinder: ignore */
201
202 for (i = j = 0; i < data_size; i += 3, j += 4)
203 {
204
205 tmp = encode (tmpres, &data[i], data_size - i);
206 if (tmp == -1)
207 {
208 MHD_gnutls_assert ();
209 MHD_gnutls_free ((*result));
210 *result = NULL;
211 return GNUTLS_E_BASE64_ENCODING_ERROR;
212 }
213
214 INCR (bytes, 4);
215 ptr = &(*result)[j + pos];
216
217 if ((j) % 64 == 0)
218 {
219 INCR (bytes, 1);
220 pos++;
221 *ptr++ = '\n';
222 }
223 *ptr++ = tmpres[0];
224
225 if ((j + 1) % 64 == 0)
226 {
227 INCR (bytes, 1);
228 pos++;
229 *ptr++ = '\n';
230 }
231 *ptr++ = tmpres[1];
232
233 if ((j + 2) % 64 == 0)
234 {
235 INCR (bytes, 1);
236 pos++;
237 *ptr++ = '\n';
238 }
239 *ptr++ = tmpres[2];
240
241 if ((j + 3) % 64 == 0)
242 {
243 INCR (bytes, 1);
244 pos++;
245 *ptr++ = '\n';
246 }
247 *ptr++ = tmpres[3];
248 }
249
250 INCR (bytes, bottom_len);
251
252 memcpy (&(*result)[bytes - bottom_len], bottom, bottom_len);
253 (*result)[bytes] = 0;
254
255 return ret + 1;
256}
257
258/* decodes data and puts the result into result (locally allocated)
259 * The result_size is the return value
260 */
261int
262MHD__gnutls_base64_decode (const uint8_t * data, size_t data_size,
263 uint8_t ** result)
264{
265 unsigned int i, j;
266 int ret, tmp, est;
267 uint8_t tmpres[3];
268
269 est = ((data_size * 3) / 4) + 1;
270 (*result) = MHD_gnutls_malloc (est);
271 if ((*result) == NULL)
272 return GNUTLS_E_MEMORY_ERROR;
273
274 ret = 0;
275 for (i = j = 0; i < data_size; i += 4, j += 3)
276 {
277 tmp = decode (tmpres, &data[i]);
278 if (tmp < 0)
279 {
280 MHD_gnutls_free (*result);
281 *result = NULL;
282 return tmp;
283 }
284 memcpy (&(*result)[j], tmpres, tmp);
285 ret += tmp;
286 }
287 return ret;
288}
289
290/* copies data to result but removes newlines and <CR>
291 * returns the size of the data copied.
292 */
293inline static int
294cpydata (const uint8_t * data, int data_size, uint8_t ** result)
295{
296 int i, j;
297
298 (*result) = MHD_gnutls_malloc (data_size);
299 if (*result == NULL)
300 return GNUTLS_E_MEMORY_ERROR;
301
302 for (j = i = 0; i < data_size; i++)
303 {
304 if (data[i] == '\n' || data[i] == '\r')
305 continue;
306 (*result)[j] = data[i];
307 j++;
308 }
309 return j;
310}
311
312/* Searches the given string for ONE PEM encoded certificate, and
313 * stores it in the result.
314 *
315 * The result_size is the return value
316 */
317#define ENDSTR "-----\n"
318#define ENDSTR2 "-----\r"
319int
320MHD__gnutls_fbase64_decode (const char *header, const opaque * data,
321 size_t data_size, uint8_t ** result)
322{
323 int ret;
324 static const char top[] = "-----BEGIN ";
325 static const char bottom[] = "\n-----END ";
326 uint8_t *rdata;
327 int rdata_size;
328 uint8_t *kdata;
329 int kdata_size;
330 char pem_header[128];
331
332 MHD_gtls_str_cpy (pem_header, sizeof (pem_header), top);
333 if (header != NULL)
334 MHD_gtls_str_cat (pem_header, sizeof (pem_header), header);
335
336 rdata = memmem (data, data_size, pem_header, strlen (pem_header));
337
338 if (rdata == NULL)
339 {
340 MHD_gnutls_assert ();
341 MHD__gnutls_debug_log ("Could not find '%s'\n", pem_header);
342 return GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR;
343 }
344
345 data_size -= (unsigned long int) rdata - (unsigned long int) data;
346
347 if (data_size < 4 + strlen (bottom))
348 {
349 MHD_gnutls_assert ();
350 return GNUTLS_E_BASE64_DECODING_ERROR;
351 }
352
353 kdata = memmem (rdata, data_size, ENDSTR, sizeof (ENDSTR) - 1);
354 /* allow CR as well.
355 */
356 if (kdata == NULL)
357 kdata = memmem (rdata, data_size, ENDSTR2, sizeof (ENDSTR2) - 1);
358
359 if (kdata == NULL)
360 {
361 MHD_gnutls_assert ();
362 MHD__gnutls_x509_log ("Could not find '%s'\n", ENDSTR);
363 return GNUTLS_E_BASE64_DECODING_ERROR;
364 }
365 data_size -= strlen (ENDSTR);
366 data_size -= (unsigned long int) kdata - (unsigned long int) rdata;
367
368 rdata = kdata + strlen (ENDSTR);
369
370 /* position is now after the ---BEGIN--- headers */
371
372 kdata = memmem (rdata, data_size, bottom, strlen (bottom));
373 if (kdata == NULL)
374 {
375 MHD_gnutls_assert ();
376 return GNUTLS_E_BASE64_DECODING_ERROR;
377 }
378
379 /* position of kdata is before the ----END--- footer
380 */
381 rdata_size = (unsigned long int) kdata - (unsigned long int) rdata;
382
383 if (rdata_size < 4)
384 {
385 MHD_gnutls_assert ();
386 return GNUTLS_E_BASE64_DECODING_ERROR;
387 }
388
389 kdata_size = cpydata (rdata, rdata_size, &kdata);
390
391 if (kdata_size < 0)
392 {
393 MHD_gnutls_assert ();
394 return kdata_size;
395 }
396
397 if (kdata_size < 4)
398 {
399 MHD_gnutls_assert ();
400 MHD_gnutls_free (kdata);
401 return GNUTLS_E_BASE64_DECODING_ERROR;
402 }
403
404 if ((ret = MHD__gnutls_base64_decode (kdata, kdata_size, result)) < 0)
405 {
406 MHD_gnutls_free (kdata);
407 MHD_gnutls_assert ();
408 return GNUTLS_E_BASE64_DECODING_ERROR;
409 }
410 MHD_gnutls_free (kdata);
411
412 return ret;
413}
diff --git a/src/daemon/https/tls/x509_b64.h b/src/daemon/https/tls/x509_b64.h
deleted file mode 100644
index ebb48639..00000000
--- a/src/daemon/https/tls/x509_b64.h
+++ /dev/null
@@ -1,43 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25int MHD__gnutls_fbase64_encode (const char *msg, const uint8_t * data,
26 int data_size, uint8_t ** result);
27int MHD__gnutls_base64_decode (const uint8_t * data, size_t data_size,
28 uint8_t ** result);
29int MHD__gnutls_fbase64_decode (const char *header, const uint8_t * data,
30 size_t data_size, uint8_t ** result);
31
32#define B64SIZE( data_size) ((data_size%3==0)?((data_size*4)/3):(4+((data_size/3)*4)))
33
34/* The size for B64 encoding + newlines plus header
35 */
36
37#define HEADSIZE( hsize) \
38 sizeof("-----BEGIN ")-1+sizeof("-----")-1+ \
39 sizeof("\n-----END ")-1+sizeof("-----\n")-1+hsize+hsize
40
41#define B64FSIZE( hsize, dsize) \
42 (B64SIZE(dsize) + HEADSIZE(hsize) + /*newlines*/ \
43 B64SIZE(dsize)/64 + (((B64SIZE(dsize) % 64) > 0) ? 1 : 0))
diff --git a/src/daemon/https/x509/Makefile.am b/src/daemon/https/x509/Makefile.am
deleted file mode 100644
index 78844a11..00000000
--- a/src/daemon/https/x509/Makefile.am
+++ /dev/null
@@ -1,24 +0,0 @@
1AM_CPPFLAGS = \
2 -I$(top_srcdir)/src/include \
3 -I$(top_srcdir)/src/daemon/https \
4 -I$(top_srcdir)/src/daemon/https/minitasn1 \
5 -I$(top_srcdir)/src/daemon/https/lgl \
6 -I$(top_srcdir)/src/daemon/https/tls \
7 -I$(top_srcdir)/src/daemon/https/x509 \
8 @LIBGCRYPT_CFLAGS@
9
10noinst_LTLIBRARIES = libx509.la
11
12if USE_COVERAGE
13 AM_CFLAGS = -fprofile-arcs -ftest-coverage
14endif
15
16
17libx509_la_SOURCES = \
18 common.c common.h \
19 extensions.c extensions.h \
20 mpi.c mpi.h \
21 x509_privkey.c privkey.h \
22 x509.c x509.h
23libx509_la_LIBADD = @LIBGCRYPT_LIBS@
24
diff --git a/src/daemon/https/x509/common.c b/src/daemon/https/x509/common.c
deleted file mode 100644
index 0c8410d1..00000000
--- a/src/daemon/https/x509/common.c
+++ /dev/null
@@ -1,447 +0,0 @@
1/*
2 * Copyright (C) 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include <libtasn1.h>
27#include <gnutls_datum.h>
28#include <gnutls_global.h>
29#include <gnutls_errors.h>
30#include <gnutls_str.h>
31#include <gnutls_x509.h>
32#include <gnutls_num.h>
33#include <x509_b64.h>
34#include <common.h>
35#include <mpi.h>
36#include <time.h>
37
38/* A generic export function. Will export the given ASN.1 encoded data
39 * to PEM or DER raw data.
40 */
41int
42MHD__gnutls_x509_export_int (ASN1_TYPE MHD__asn1_data,
43 MHD_gnutls_x509_crt_fmt_t format,
44 char *pem_header,
45 unsigned char *output_data,
46 size_t * output_data_size)
47{
48 int result, len;
49
50 if (format == GNUTLS_X509_FMT_DER)
51 {
52
53 if (output_data == NULL)
54 *output_data_size = 0;
55
56 len = *output_data_size;
57
58 if ((result =
59 MHD__asn1_der_coding (MHD__asn1_data, "", output_data, &len,
60 NULL)) != ASN1_SUCCESS)
61 {
62 *output_data_size = len;
63 if (result == ASN1_MEM_ERROR)
64 {
65 return GNUTLS_E_SHORT_MEMORY_BUFFER;
66 }
67 MHD_gnutls_assert ();
68 return MHD_gtls_asn2err (result);
69 }
70
71 *output_data_size = len;
72
73 }
74 else
75 { /* PEM */
76 opaque *out;
77 MHD_gnutls_datum_t tmp;
78
79 result = MHD__gnutls_x509_der_encode (MHD__asn1_data, "", &tmp, 0);
80 if (result < 0)
81 {
82 MHD_gnutls_assert ();
83 return result;
84 }
85
86 result =
87 MHD__gnutls_fbase64_encode (pem_header, tmp.data, tmp.size, &out);
88
89 MHD__gnutls_free_datum (&tmp);
90
91 if (result < 0)
92 {
93 MHD_gnutls_assert ();
94 return result;
95 }
96
97 if (result == 0)
98 { /* oooops */
99 MHD_gnutls_assert ();
100 return GNUTLS_E_INTERNAL_ERROR;
101 }
102
103 if ((unsigned) result > *output_data_size)
104 {
105 MHD_gnutls_assert ();
106 MHD_gnutls_free (out);
107 *output_data_size = result;
108 return GNUTLS_E_SHORT_MEMORY_BUFFER;
109 }
110
111 *output_data_size = result;
112
113 if (output_data)
114 {
115 memcpy (output_data, out, result);
116
117 /* do not include the null character into output size.
118 */
119 *output_data_size = result - 1;
120 }
121 MHD_gnutls_free (out);
122
123 }
124
125 return 0;
126}
127
128/* Decodes an octet string. Leave string_type null for a normal
129 * octet string. Otherwise put something like BMPString, PrintableString
130 * etc.
131 */
132static int
133MHD__gnutls_x509_decode_octet_string (const char *string_type,
134 const opaque * der,
135 size_t der_size,
136 opaque * output, size_t * output_size)
137{
138 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
139 int result, tmp_output_size;
140 char strname[64];
141
142 if (string_type == NULL)
143 MHD_gtls_str_cpy (strname, sizeof (strname), "PKIX1.pkcs-7-Data");
144 else
145 {
146 MHD_gtls_str_cpy (strname, sizeof (strname), "PKIX1.");
147 MHD_gtls_str_cat (strname, sizeof (strname), string_type);
148 }
149
150 if ((result =
151 MHD__asn1_create_element (MHD__gnutls_get_pkix (), strname,
152 &c2)) != ASN1_SUCCESS)
153 {
154 MHD_gnutls_assert ();
155 result = MHD_gtls_asn2err (result);
156 goto cleanup;
157 }
158
159 result = MHD__asn1_der_decoding (&c2, der, der_size, NULL);
160 if (result != ASN1_SUCCESS)
161 {
162 MHD_gnutls_assert ();
163 result = MHD_gtls_asn2err (result);
164 goto cleanup;
165 }
166
167 tmp_output_size = *output_size;
168 result = MHD__asn1_read_value (c2, "", output, &tmp_output_size);
169 *output_size = tmp_output_size;
170
171 if (result != ASN1_SUCCESS)
172 {
173 MHD_gnutls_assert ();
174 result = MHD_gtls_asn2err (result);
175 goto cleanup;
176 }
177
178 return 0;
179
180cleanup:if (c2)
181 MHD__asn1_delete_structure (&c2);
182
183 return result;
184}
185
186/* Reads a value from an ASN1 tree, and puts the output
187 * in an allocated variable in the given datum.
188 * flags == 0 do nothing with the DER output
189 * flags == 1 parse the DER output as OCTET STRING
190 * flags == 2 the value is a BIT STRING
191 */
192int
193MHD__gnutls_x509_read_value (ASN1_TYPE c,
194 const char *root, MHD_gnutls_datum_t * ret,
195 int flags)
196{
197 int len = 0, result;
198 size_t slen;
199 opaque *tmp = NULL;
200
201 result = MHD__asn1_read_value (c, root, NULL, &len);
202 if (result != ASN1_MEM_ERROR)
203 {
204 MHD_gnutls_assert ();
205 result = MHD_gtls_asn2err (result);
206 return result;
207 }
208
209 if (flags == 2)
210 len /= 8;
211
212 tmp = MHD_gnutls_malloc (len);
213 if (tmp == NULL)
214 {
215 MHD_gnutls_assert ();
216 result = GNUTLS_E_MEMORY_ERROR;
217 goto cleanup;
218 }
219
220 result = MHD__asn1_read_value (c, root, tmp, &len);
221 if (result != ASN1_SUCCESS)
222 {
223 MHD_gnutls_assert ();
224 result = MHD_gtls_asn2err (result);
225 goto cleanup;
226 }
227
228 if (flags == 2)
229 len /= 8;
230
231 /* Extract the OCTET STRING.
232 */
233
234 if (flags == 1)
235 {
236 slen = len;
237 result =
238 MHD__gnutls_x509_decode_octet_string (NULL, tmp, slen, tmp, &slen);
239 if (result < 0)
240 {
241 MHD_gnutls_assert ();
242 goto cleanup;
243 }
244 len = slen;
245 }
246
247 ret->data = tmp;
248 ret->size = len;
249
250 return 0;
251
252cleanup:MHD_gnutls_free (tmp);
253 return result;
254
255}
256
257/* DER Encodes the src ASN1_TYPE and stores it to
258 * the given datum. If str is non null then the data are encoded as
259 * an OCTET STRING.
260 */
261int
262MHD__gnutls_x509_der_encode (ASN1_TYPE src,
263 const char *src_name, MHD_gnutls_datum_t * res,
264 int str)
265{
266 int size, result;
267 int asize;
268 opaque *data = NULL;
269 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
270
271 size = 0;
272 result = MHD__asn1_der_coding (src, src_name, NULL, &size, NULL);
273 if (result != ASN1_MEM_ERROR)
274 {
275 MHD_gnutls_assert ();
276 result = MHD_gtls_asn2err (result);
277 goto cleanup;
278 }
279
280 /* allocate data for the der
281 */
282
283 if (str)
284 size += 16; /* for later to include the octet tags */
285 asize = size;
286
287 data = MHD_gnutls_malloc (size);
288 if (data == NULL)
289 {
290 MHD_gnutls_assert ();
291 result = GNUTLS_E_MEMORY_ERROR;
292 goto cleanup;
293 }
294
295 result = MHD__asn1_der_coding (src, src_name, data, &size, NULL);
296 if (result != ASN1_SUCCESS)
297 {
298 MHD_gnutls_assert ();
299 result = MHD_gtls_asn2err (result);
300 goto cleanup;
301 }
302
303 if (str)
304 {
305 if ((result =
306 MHD__asn1_create_element (MHD__gnutls_get_pkix (),
307 "PKIX1.pkcs-7-Data",
308 &c2)) != ASN1_SUCCESS)
309 {
310 MHD_gnutls_assert ();
311 result = MHD_gtls_asn2err (result);
312 goto cleanup;
313 }
314
315 result = MHD__asn1_write_value (c2, "", data, size);
316 if (result != ASN1_SUCCESS)
317 {
318 MHD_gnutls_assert ();
319 result = MHD_gtls_asn2err (result);
320 goto cleanup;
321 }
322
323 result = MHD__asn1_der_coding (c2, "", data, &asize, NULL);
324 if (result != ASN1_SUCCESS)
325 {
326 MHD_gnutls_assert ();
327 result = MHD_gtls_asn2err (result);
328 goto cleanup;
329 }
330
331 size = asize;
332
333 MHD__asn1_delete_structure (&c2);
334 }
335
336 res->data = data;
337 res->size = size;
338 return 0;
339
340cleanup:MHD_gnutls_free (data);
341 MHD__asn1_delete_structure (&c2);
342 return result;
343
344}
345
346/* Reads and returns the PK algorithm of the given certificate-like
347 * ASN.1 structure. src_name should be something like "tbsCertificate.subjectPublicKeyInfo".
348 */
349int
350MHD__gnutls_x509_get_pk_algorithm (ASN1_TYPE src,
351 const char *src_name, unsigned int *bits)
352{
353 int result;
354 opaque *str = NULL;
355 int algo;
356 char oid[64];
357 int len;
358 mpi_t params[MAX_PUBLIC_PARAMS_SIZE];
359 char name[128];
360
361 MHD_gtls_str_cpy (name, sizeof (name), src_name);
362 MHD_gtls_str_cat (name, sizeof (name), ".algorithm.algorithm");
363
364 len = sizeof (oid);
365 result = MHD__asn1_read_value (src, name, oid, &len);
366
367 if (result != ASN1_SUCCESS)
368 {
369 MHD_gnutls_assert ();
370 return MHD_gtls_asn2err (result);
371 }
372
373 algo = MHD_gtls_x509_oid2pk_algorithm (oid);
374
375 if (bits == NULL)
376 {
377 MHD_gnutls_free (str);
378 return algo;
379 }
380
381 /* Now read the parameters' bits
382 */
383 MHD_gtls_str_cpy (name, sizeof (name), src_name);
384 MHD_gtls_str_cat (name, sizeof (name), ".subjectPublicKey");
385
386 len = 0;
387 result = MHD__asn1_read_value (src, name, NULL, &len);
388 if (result != ASN1_MEM_ERROR)
389 {
390 MHD_gnutls_assert ();
391 return MHD_gtls_asn2err (result);
392 }
393
394 if (len % 8 != 0)
395 {
396 MHD_gnutls_assert ();
397 return GNUTLS_E_CERTIFICATE_ERROR;
398 }
399
400 len /= 8;
401
402 str = MHD_gnutls_malloc (len);
403 if (str == NULL)
404 {
405 MHD_gnutls_assert ();
406 return GNUTLS_E_MEMORY_ERROR;
407 }
408
409 MHD_gtls_str_cpy (name, sizeof (name), src_name);
410 MHD_gtls_str_cat (name, sizeof (name), ".subjectPublicKey");
411
412 result = MHD__asn1_read_value (src, name, str, &len);
413
414 if (result != ASN1_SUCCESS)
415 {
416 MHD_gnutls_assert ();
417 MHD_gnutls_free (str);
418 return MHD_gtls_asn2err (result);
419 }
420
421 len /= 8;
422
423 switch (algo)
424 {
425 case MHD_GNUTLS_PK_RSA:
426 {
427 if ((result =
428 MHD__gnutls_x509_read_rsa_params (str, len, params)) < 0)
429 {
430 MHD_gnutls_assert ();
431 return result;
432 }
433
434 bits[0] = MHD__gnutls_mpi_get_nbits (params[0]);
435
436 MHD_gtls_mpi_release (&params[0]);
437 MHD_gtls_mpi_release (&params[1]);
438 }
439 break;
440 default:
441 MHD__gnutls_x509_log
442 ("MHD__gnutls_x509_get_pk_algorithm: unhandled algorithm %d\n", algo);
443 }
444
445 MHD_gnutls_free (str);
446 return algo;
447}
diff --git a/src/daemon/https/x509/common.h b/src/daemon/https/x509/common.h
deleted file mode 100644
index d78c7cc2..00000000
--- a/src/daemon/https/x509/common.h
+++ /dev/null
@@ -1,84 +0,0 @@
1/*
2 * Copyright (C) 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef COMMON_H
26# define COMMON_H
27
28#include <gnutls.h>
29#include <gnutls_algorithms.h>
30
31#define MAX_STRING_LEN 512
32
33#define GNUTLS_XML_SHOW_ALL 1
34
35#define PEM_CRL "X509 CRL"
36#define PEM_X509_CERT "X509 CERTIFICATE"
37#define PEM_X509_CERT2 "CERTIFICATE"
38#define PEM_PKCS7 "PKCS7"
39#define PEM_PKCS12 "PKCS12"
40
41/* public key algorithm's OIDs
42 */
43#define PK_PKIX1_RSA_OID "1.2.840.113549.1.1.1"
44#define PK_DSA_OID "1.2.840.10040.4.1"
45#define PK_GOST_R3410_94_OID "1.2.643.2.2.20"
46#define PK_GOST_R3410_2001_OID "1.2.643.2.2.19"
47
48/* signature OIDs
49 */
50#define SIG_DSA_SHA1_OID "1.2.840.10040.4.3"
51#define SIG_RSA_MD5_OID "1.2.840.113549.1.1.4"
52#define SIG_RSA_MD2_OID "1.2.840.113549.1.1.2"
53#define SIG_RSA_SHA1_OID "1.2.840.113549.1.1.5"
54#define SIG_RSA_SHA256_OID "1.2.840.113549.1.1.11"
55#define SIG_RSA_SHA384_OID "1.2.840.113549.1.1.12"
56#define SIG_RSA_SHA512_OID "1.2.840.113549.1.1.13"
57#define SIG_RSA_RMD160_OID "1.3.36.3.3.1.2"
58#define SIG_GOST_R3410_94_OID "1.2.643.2.2.4"
59#define SIG_GOST_R3410_2001_OID "1.2.643.2.2.3"
60
61int MHD__gnutls_x509_der_encode (ASN1_TYPE src, const char *src_name,
62 MHD_gnutls_datum_t * res, int str);
63
64int MHD__gnutls_x509_export_int (ASN1_TYPE MHD__asn1_data,
65 MHD_gnutls_x509_crt_fmt_t format,
66 char *pem_header, unsigned char *output_data,
67 size_t * output_data_size);
68
69int MHD__gnutls_x509_read_value (ASN1_TYPE c, const char *root,
70 MHD_gnutls_datum_t * ret, int str);
71
72int MHD__gnutls_x509_decode_and_read_attribute (ASN1_TYPE MHD__asn1_struct,
73 const char *where, char *oid,
74 int oid_size,
75 MHD_gnutls_datum_t * value,
76 int multi, int octet);
77
78int MHD__gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char *src_name,
79 unsigned int *bits);
80
81int MHD__gnutls_asn1_copy_node (ASN1_TYPE * dst, const char *dst_name,
82 ASN1_TYPE src, const char *src_name);
83
84#endif
diff --git a/src/daemon/https/x509/extensions.c b/src/daemon/https/x509/extensions.c
deleted file mode 100644
index 82fddc5d..00000000
--- a/src/daemon/https/x509/extensions.c
+++ /dev/null
@@ -1,218 +0,0 @@
1/*
2 * Copyright (C) 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* Functions that relate to the X.509 extension parsing.
26 */
27
28#include <gnutls_int.h>
29#include <gnutls_errors.h>
30#include <gnutls_global.h>
31#include <mpi.h>
32#include <libtasn1.h>
33#include <common.h>
34#include <x509.h>
35#include <extensions.h>
36#include <gnutls_datum.h>
37
38/* This function will attempt to return the requested extension found in
39 * the given X509v3 certificate. The return value is allocated and stored into
40 * ret.
41 *
42 * Critical will be either 0 or 1.
43 *
44 * If the extension does not exist, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will
45 * be returned.
46 */
47int
48MHD__gnutls_x509_crt_get_extension (MHD_gnutls_x509_crt_t cert,
49 const char *extension_id, int indx,
50 MHD_gnutls_datum_t * ret,
51 unsigned int *_critical)
52{
53 int k, result, len;
54 char name[MAX_NAME_SIZE], name2[MAX_NAME_SIZE];
55 char str[1024];
56 char str_critical[10];
57 int critical = 0;
58 char extnID[128];
59 MHD_gnutls_datum_t value;
60 int indx_counter = 0;
61
62 ret->data = NULL;
63 ret->size = 0;
64
65 k = 0;
66 do
67 {
68 k++;
69
70 snprintf (name, sizeof (name), "tbsCertificate.extensions.?%u", k);
71
72 len = sizeof (str) - 1;
73 result = MHD__asn1_read_value (cert->cert, name, str, &len);
74
75 /* move to next
76 */
77
78 if (result == ASN1_ELEMENT_NOT_FOUND)
79 {
80 break;
81 }
82
83 do
84 {
85
86 MHD_gtls_str_cpy (name2, sizeof (name2), name);
87 MHD_gtls_str_cat (name2, sizeof (name2), ".extnID");
88
89 len = sizeof (extnID) - 1;
90 result = MHD__asn1_read_value (cert->cert, name2, extnID, &len);
91
92 if (result == ASN1_ELEMENT_NOT_FOUND)
93 {
94 MHD_gnutls_assert ();
95 break;
96 }
97 else if (result != ASN1_SUCCESS)
98 {
99 MHD_gnutls_assert ();
100 return MHD_gtls_asn2err (result);
101 }
102
103 /* Handle Extension
104 */
105 if (strcmp (extnID, extension_id) == 0 && indx == indx_counter++)
106 {
107 /* extension was found
108 */
109
110 /* read the critical status.
111 */
112 MHD_gtls_str_cpy (name2, sizeof (name2), name);
113 MHD_gtls_str_cat (name2, sizeof (name2), ".critical");
114
115 len = sizeof (str_critical);
116 result =
117 MHD__asn1_read_value (cert->cert, name2, str_critical, &len);
118
119 if (result == ASN1_ELEMENT_NOT_FOUND)
120 {
121 MHD_gnutls_assert ();
122 break;
123 }
124 else if (result != ASN1_SUCCESS)
125 {
126 MHD_gnutls_assert ();
127 return MHD_gtls_asn2err (result);
128 }
129
130 if (str_critical[0] == 'T')
131 critical = 1;
132 else
133 critical = 0;
134
135 /* read the value.
136 */
137 MHD_gtls_str_cpy (name2, sizeof (name2), name);
138 MHD_gtls_str_cat (name2, sizeof (name2), ".extnValue");
139
140 result =
141 MHD__gnutls_x509_read_value (cert->cert, name2, &value, 0);
142 if (result < 0)
143 {
144 MHD_gnutls_assert ();
145 return result;
146 }
147
148 ret->data = value.data;
149 ret->size = value.size;
150
151 if (_critical)
152 *_critical = critical;
153
154 return 0;
155 }
156
157
158 }
159 while (0);
160 }
161 while (1);
162
163 if (result == ASN1_ELEMENT_NOT_FOUND)
164 {
165 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
166 }
167 else
168 {
169 MHD_gnutls_assert ();
170 return MHD_gtls_asn2err (result);
171 }
172}
173
174/* Here we only extract the KeyUsage field, from the DER encoded
175 * extension.
176 */
177int
178MHD__gnutls_x509_ext_extract_keyUsage (uint16_t * keyUsage,
179 opaque * extnValue, int extnValueLen)
180{
181 ASN1_TYPE ext = ASN1_TYPE_EMPTY;
182 int len, result;
183 uint8_t str[2];
184
185 str[0] = str[1] = 0;
186 *keyUsage = 0;
187
188 if ((result = MHD__asn1_create_element
189 (MHD__gnutls_get_pkix (), "PKIX1.KeyUsage", &ext)) != ASN1_SUCCESS)
190 {
191 MHD_gnutls_assert ();
192 return MHD_gtls_asn2err (result);
193 }
194
195 result = MHD__asn1_der_decoding (&ext, extnValue, extnValueLen, NULL);
196
197 if (result != ASN1_SUCCESS)
198 {
199 MHD_gnutls_assert ();
200 MHD__asn1_delete_structure (&ext);
201 return MHD_gtls_asn2err (result);
202 }
203
204 len = sizeof (str);
205 result = MHD__asn1_read_value (ext, "", str, &len);
206 if (result != ASN1_SUCCESS)
207 {
208 MHD_gnutls_assert ();
209 MHD__asn1_delete_structure (&ext);
210 return 0;
211 }
212
213 *keyUsage = str[0] | (str[1] << 8);
214
215 MHD__asn1_delete_structure (&ext);
216
217 return 0;
218}
diff --git a/src/daemon/https/x509/extensions.h b/src/daemon/https/x509/extensions.h
deleted file mode 100644
index 5a945cb1..00000000
--- a/src/daemon/https/x509/extensions.h
+++ /dev/null
@@ -1,35 +0,0 @@
1/*
2 * Copyright (C) 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25int MHD__gnutls_x509_crt_get_extension (MHD_gnutls_x509_crt_t cert,
26 const char *extension_id, int indx,
27 MHD_gnutls_datum_t * ret,
28 unsigned int *critical);
29
30int MHD__gnutls_x509_crt_get_extension_oid (MHD_gnutls_x509_crt_t cert,
31 int indx, void *ret,
32 size_t * ret_size);
33int MHD__gnutls_x509_ext_extract_keyUsage (uint16_t * keyUsage,
34 opaque * extnValue,
35 int extnValueLen);
diff --git a/src/daemon/https/x509/mpi.c b/src/daemon/https/x509/mpi.c
deleted file mode 100644
index 4a540702..00000000
--- a/src/daemon/https/x509/mpi.c
+++ /dev/null
@@ -1,212 +0,0 @@
1/*
2 * Copyright (C) 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include <gnutls_errors.h>
27#include <gnutls_global.h>
28#include <libtasn1.h>
29#include <gnutls_datum.h>
30#include "common.h"
31#include "x509.h"
32#include <gnutls_num.h>
33#include "mpi.h"
34
35/*
36 * some x509 certificate parsing functions that relate to MPI parameter
37 * extraction. This reads the BIT STRING subjectPublicKey.
38 * Returns 2 parameters (m,e).
39 */
40int
41MHD__gnutls_x509_read_rsa_params (opaque * der, int dersize, mpi_t * params)
42{
43 int result;
44 ASN1_TYPE spk = ASN1_TYPE_EMPTY;
45
46 if ((result =
47 MHD__asn1_create_element (MHD__gnutls_getMHD__gnutls_asn (),
48 "GNUTLS.RSAPublicKey",
49 &spk)) != ASN1_SUCCESS)
50 {
51 MHD_gnutls_assert ();
52 return MHD_gtls_asn2err (result);
53 }
54
55 result = MHD__asn1_der_decoding (&spk, der, dersize, NULL);
56
57 if (result != ASN1_SUCCESS)
58 {
59 MHD_gnutls_assert ();
60 MHD__asn1_delete_structure (&spk);
61 return MHD_gtls_asn2err (result);
62 }
63
64 if ((result = MHD__gnutls_x509_read_int (spk, "modulus", &params[0])) < 0)
65 {
66 MHD_gnutls_assert ();
67 MHD__asn1_delete_structure (&spk);
68 return GNUTLS_E_ASN1_GENERIC_ERROR;
69 }
70
71 if ((result =
72 MHD__gnutls_x509_read_int (spk, "publicExponent", &params[1])) < 0)
73 {
74 MHD_gnutls_assert ();
75 MHD_gtls_mpi_release (&params[0]);
76 MHD__asn1_delete_structure (&spk);
77 return GNUTLS_E_ASN1_GENERIC_ERROR;
78 }
79
80 MHD__asn1_delete_structure (&spk);
81
82 return 0;
83
84}
85
86
87/* Extracts DSA and RSA parameters from a certificate.
88 */
89int
90MHD__gnutls_x509_crt_get_mpis (MHD_gnutls_x509_crt_t cert,
91 mpi_t * params, int *params_size)
92{
93 int result;
94 int pk_algorithm;
95 MHD_gnutls_datum_t tmp = { NULL, 0 };
96
97 /* Read the algorithm's OID
98 */
99 pk_algorithm = MHD_gnutls_x509_crt_get_pk_algorithm (cert, NULL);
100
101 /* Read the algorithm's parameters
102 */
103 result
104 = MHD__gnutls_x509_read_value (cert->cert,
105 "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey",
106 &tmp, 2);
107
108 if (result < 0)
109 {
110 MHD_gnutls_assert ();
111 return result;
112 }
113
114 switch (pk_algorithm)
115 {
116 case MHD_GNUTLS_PK_RSA:
117 /* params[0] is the modulus,
118 * params[1] is the exponent
119 */
120 if (*params_size < RSA_PUBLIC_PARAMS)
121 {
122 MHD_gnutls_assert ();
123 /* internal error. Increase the mpi_ts in params */
124 result = GNUTLS_E_INTERNAL_ERROR;
125 goto error;
126 }
127
128 if ((result =
129 MHD__gnutls_x509_read_rsa_params (tmp.data, tmp.size, params)) < 0)
130 {
131 MHD_gnutls_assert ();
132 goto error;
133 }
134 *params_size = RSA_PUBLIC_PARAMS;
135
136 break;
137 default:
138 /* other types like DH
139 * currently not supported
140 */
141 MHD_gnutls_assert ();
142 result = GNUTLS_E_X509_CERTIFICATE_ERROR;
143 goto error;
144 }
145
146 result = 0;
147
148error:MHD__gnutls_free_datum (&tmp);
149 return result;
150}
151
152/*
153 * some x509 certificate functions that relate to MPI parameter
154 * setting. This writes the BIT STRING subjectPublicKey.
155 * Needs 2 parameters (m,e).
156 *
157 * Allocates the space used to store the DER data.
158 */
159int
160MHD__gnutls_x509_write_rsa_params (mpi_t * params,
161 int params_size, MHD_gnutls_datum_t * der)
162{
163 int result;
164 ASN1_TYPE spk = ASN1_TYPE_EMPTY;
165
166 der->data = NULL;
167 der->size = 0;
168
169 if (params_size < 2)
170 {
171 MHD_gnutls_assert ();
172 result = GNUTLS_E_INVALID_REQUEST;
173 goto cleanup;
174 }
175
176 if ((result =
177 MHD__asn1_create_element (MHD__gnutls_getMHD__gnutls_asn (),
178 "GNUTLS.RSAPublicKey",
179 &spk)) != ASN1_SUCCESS)
180 {
181 MHD_gnutls_assert ();
182 return MHD_gtls_asn2err (result);
183 }
184
185 result = MHD__gnutls_x509_write_int (spk, "modulus", params[0], 0);
186 if (result < 0)
187 {
188 MHD_gnutls_assert ();
189 goto cleanup;
190 }
191
192 result = MHD__gnutls_x509_write_int (spk, "publicExponent", params[1], 0);
193 if (result < 0)
194 {
195 MHD_gnutls_assert ();
196 goto cleanup;
197 }
198
199 result = MHD__gnutls_x509_der_encode (spk, "", der, 0);
200 if (result < 0)
201 {
202 MHD_gnutls_assert ();
203 goto cleanup;
204 }
205
206 MHD__asn1_delete_structure (&spk);
207 return 0;
208
209cleanup:MHD__asn1_delete_structure (&spk);
210
211 return result;
212}
diff --git a/src/daemon/https/x509/mpi.h b/src/daemon/https/x509/mpi.h
deleted file mode 100644
index ff9fdc19..00000000
--- a/src/daemon/https/x509/mpi.h
+++ /dev/null
@@ -1,37 +0,0 @@
1/*
2 * Copyright (C) 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include "x509.h"
27
28int MHD__gnutls_x509_crt_get_mpis (MHD_gnutls_x509_crt_t cert,
29 mpi_t * params, int *params_size);
30int MHD__gnutls_x509_read_rsa_params (opaque * der, int dersize,
31 mpi_t * params);
32int MHD__gnutls_x509_write_rsa_params (mpi_t * params, int params_size,
33 MHD_gnutls_datum_t * der);
34int MHD__gnutls_x509_read_int (ASN1_TYPE node, const char *value,
35 mpi_t * ret_mpi);
36int MHD__gnutls_x509_write_int (ASN1_TYPE node, const char *value, mpi_t mpi,
37 int lz);
diff --git a/src/daemon/https/x509/privkey.h b/src/daemon/https/x509/privkey.h
deleted file mode 100644
index 37c68703..00000000
--- a/src/daemon/https/x509/privkey.h
+++ /dev/null
@@ -1,32 +0,0 @@
1/*
2 * Copyright (C) 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include "x509.h"
26
27ASN1_TYPE MHD__gnutls_privkey_decode_pkcs1_rsa_key (const MHD_gnutls_datum_t *
28 raw_key,
29 MHD_gnutls_x509_privkey_t
30 pkey);
31
32int MHD__gnutls_asn1_encode_dsa (ASN1_TYPE * c2, mpi_t * params);
diff --git a/src/daemon/https/x509/x509.c b/src/daemon/https/x509/x509.c
deleted file mode 100644
index ff0d21e8..00000000
--- a/src/daemon/https/x509/x509.c
+++ /dev/null
@@ -1,364 +0,0 @@
1/*
2 * Copyright (C) 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 * Author: Nikos Mavrogiannopoulos, Simon Josefsson, Howard Chu
4 *
5 * This file is part of GNUTLS.
6 *
7 * The GNUTLS library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 2.1 of
10 * the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
20 * USA
21 *
22 */
23
24/* Functions on X.509 Certificate parsing
25 */
26
27#include <gnutls_int.h>
28#include <gnutls_datum.h>
29#include <gnutls_global.h>
30#include <gnutls_errors.h>
31#include <common.h>
32#include <gnutls_x509.h>
33#include <x509_b64.h>
34#include <x509.h>
35#include <extensions.h>
36#include <libtasn1.h>
37#include <mpi.h>
38#include <privkey.h>
39
40/**
41 * MHD_gnutls_x509_crt_init - This function initializes a MHD_gnutls_x509_crt_t structure
42 * @cert: The structure to be initialized
43 *
44 * This function will initialize an X.509 certificate structure.
45 *
46 * Returns 0 on success.
47 *
48 **/
49int
50MHD_gnutls_x509_crt_init (MHD_gnutls_x509_crt_t * cert)
51{
52 MHD_gnutls_x509_crt_t tmp =
53 MHD_gnutls_calloc (1, sizeof (MHD_gnutls_x509_crt_int));
54 int result;
55
56 if (!tmp)
57 return GNUTLS_E_MEMORY_ERROR;
58
59 result = MHD__asn1_create_element (MHD__gnutls_get_pkix (),
60 "PKIX1.Certificate", &tmp->cert);
61 if (result != ASN1_SUCCESS)
62 {
63 MHD_gnutls_assert ();
64 MHD_gnutls_free (tmp);
65 return MHD_gtls_asn2err (result);
66 }
67
68 *cert = tmp;
69
70 return 0; /* success */
71}
72
73/**
74 * MHD_gnutls_x509_crt_deinit - This function deinitializes memory used by a MHD_gnutls_x509_crt_t structure
75 * @cert: The structure to be initialized
76 *
77 * This function will deinitialize a CRL structure.
78 *
79 **/
80void
81MHD_gnutls_x509_crt_deinit (MHD_gnutls_x509_crt_t cert)
82{
83 if (!cert)
84 return;
85
86 if (cert->cert)
87 MHD__asn1_delete_structure (&cert->cert);
88
89 MHD_gnutls_free (cert);
90}
91
92/**
93 * MHD_gnutls_x509_crt_import - This function will import a DER or PEM encoded Certificate
94 * @cert: The structure to store the parsed certificate.
95 * @data: The DER or PEM encoded certificate.
96 * @format: One of DER or PEM
97 *
98 * This function will convert the given DER or PEM encoded Certificate
99 * to the native MHD_gnutls_x509_crt_t format. The output will be stored in @cert.
100 *
101 * If the Certificate is PEM encoded it should have a header of "X509 CERTIFICATE", or
102 * "CERTIFICATE".
103 *
104 * Returns 0 on success.
105 *
106 **/
107int
108MHD_gnutls_x509_crt_import (MHD_gnutls_x509_crt_t cert,
109 const MHD_gnutls_datum_t * data,
110 MHD_gnutls_x509_crt_fmt_t format)
111{
112 int result = 0, need_free = 0;
113 MHD_gnutls_datum_t _data;
114 opaque *signature = NULL;
115
116 if (cert == NULL)
117 {
118 MHD_gnutls_assert ();
119 return GNUTLS_E_INVALID_REQUEST;
120 }
121
122 _data.data = data->data;
123 _data.size = data->size;
124
125 /* If the Certificate is in PEM format then decode it
126 */
127 if (format == GNUTLS_X509_FMT_PEM)
128 {
129 opaque *out;
130
131 /* Try the first header */
132 result =
133 MHD__gnutls_fbase64_decode (PEM_X509_CERT2, data->data, data->size,
134 &out);
135
136 if (result <= 0)
137 {
138 /* try for the second header */
139 result = MHD__gnutls_fbase64_decode (PEM_X509_CERT, data->data,
140 data->size, &out);
141
142 if (result <= 0)
143 {
144 if (result == 0)
145 result = GNUTLS_E_INTERNAL_ERROR;
146 MHD_gnutls_assert ();
147 return result;
148 }
149 }
150
151 _data.data = out;
152 _data.size = result;
153
154 need_free = 1;
155 }
156
157 result = MHD__asn1_der_decoding (&cert->cert, _data.data, _data.size, NULL);
158 if (result != ASN1_SUCCESS)
159 {
160 result = MHD_gtls_asn2err (result);
161 MHD_gnutls_assert ();
162 goto cleanup;
163 }
164
165 /* Since we do not want to disable any extension
166 */
167 cert->use_extensions = 1;
168 if (need_free)
169 MHD__gnutls_free_datum (&_data);
170
171 return 0;
172
173cleanup:MHD_gnutls_free (signature);
174 if (need_free)
175 MHD__gnutls_free_datum (&_data);
176 return result;
177}
178
179/**
180 * MHD_gnutls_x509_crt_get_version - This function returns the Certificate's version number
181 * @cert: should contain a MHD_gnutls_x509_crt_t structure
182 *
183 * This function will return the version of the specified Certificate.
184 *
185 * Returns a negative value on error.
186 *
187 **/
188int
189MHD_gnutls_x509_crt_get_version (MHD_gnutls_x509_crt_t cert)
190{
191 opaque version[5];
192 int len, result;
193
194 if (cert == NULL)
195 {
196 MHD_gnutls_assert ();
197 return GNUTLS_E_INVALID_REQUEST;
198 }
199
200 len = sizeof (version);
201 if ((result =
202 MHD__asn1_read_value (cert->cert, "tbsCertificate.version", version,
203 &len)) != ASN1_SUCCESS)
204 {
205
206 if (result == ASN1_ELEMENT_NOT_FOUND)
207 return 1; /* the DEFAULT version */
208 MHD_gnutls_assert ();
209 return MHD_gtls_asn2err (result);
210 }
211
212 return (int) version[0] + 1;
213}
214
215/**
216 * MHD_gnutls_x509_crt_get_pk_algorithm - This function returns the certificate's PublicKey algorithm
217 * @cert: should contain a MHD_gnutls_x509_crt_t structure
218 * @bits: if bits is non null it will hold the size of the parameters' in bits
219 *
220 * This function will return the public key algorithm of an X.509
221 * certificate.
222 *
223 * If bits is non null, it should have enough size to hold the parameters
224 * size in bits. For RSA the bits returned is the modulus.
225 * For DSA the bits returned are of the public
226 * exponent.
227 *
228 * Returns a member of the enum MHD_GNUTLS_PublicKeyAlgorithm enumeration on success,
229 * or a negative value on error.
230 *
231 **/
232int
233MHD_gnutls_x509_crt_get_pk_algorithm (MHD_gnutls_x509_crt_t cert,
234 unsigned int *bits)
235{
236 int result;
237
238 if (cert == NULL)
239 {
240 MHD_gnutls_assert ();
241 return GNUTLS_E_INVALID_REQUEST;
242 }
243
244 result = MHD__gnutls_x509_get_pk_algorithm (cert->cert,
245 "tbsCertificate.subjectPublicKeyInfo",
246 bits);
247
248 if (result < 0)
249 {
250 MHD_gnutls_assert ();
251 return result;
252 }
253
254 return result;
255
256}
257
258inline static int
259is_type_printable (int type)
260{
261 if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME || type
262 == GNUTLS_SAN_URI)
263 return 1;
264 else
265 return 0;
266}
267
268/**
269 * MHD_gnutls_x509_crt_get_key_usage - This function returns the certificate's key usage
270 * @cert: should contain a MHD_gnutls_x509_crt_t structure
271 * @key_usage: where the key usage bits will be stored
272 * @critical: will be non zero if the extension is marked as critical
273 *
274 * This function will return certificate's key usage, by reading the
275 * keyUsage X.509 extension (2.5.29.15). The key usage value will ORed values of the:
276 * GNUTLS_KEY_DIGITAL_SIGNATURE, GNUTLS_KEY_NON_REPUDIATION,
277 * GNUTLS_KEY_KEY_ENCIPHERMENT, GNUTLS_KEY_DATA_ENCIPHERMENT,
278 * GNUTLS_KEY_KEY_AGREEMENT, GNUTLS_KEY_KEY_CERT_SIGN,
279 * GNUTLS_KEY_CRL_SIGN, GNUTLS_KEY_ENCIPHER_ONLY,
280 * GNUTLS_KEY_DECIPHER_ONLY.
281 *
282 * A negative value may be returned in case of parsing error.
283 * If the certificate does not contain the keyUsage extension
284 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
285 *
286 **/
287int
288MHD_gnutls_x509_crt_get_key_usage (MHD_gnutls_x509_crt_t cert,
289 unsigned int *key_usage,
290 unsigned int *critical)
291{
292 int result;
293 MHD_gnutls_datum_t keyUsage;
294 uint16_t _usage;
295
296 if (cert == NULL)
297 {
298 MHD_gnutls_assert ();
299 return GNUTLS_E_INVALID_REQUEST;
300 }
301
302 if ((result =
303 MHD__gnutls_x509_crt_get_extension (cert, "2.5.29.15", 0, &keyUsage,
304 critical)) < 0)
305 {
306 return result;
307 }
308
309 if (keyUsage.size == 0 || keyUsage.data == NULL)
310 {
311 MHD_gnutls_assert ();
312 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
313 }
314
315 result = MHD__gnutls_x509_ext_extract_keyUsage (&_usage, keyUsage.data,
316 keyUsage.size);
317 MHD__gnutls_free_datum (&keyUsage);
318
319 *key_usage = _usage;
320
321 if (result < 0)
322 {
323 MHD_gnutls_assert ();
324 return result;
325 }
326
327 return 0;
328}
329
330
331/**
332 * MHD_gnutls_x509_crt_export - This function will export the certificate
333 * @cert: Holds the certificate
334 * @format: the format of output params. One of PEM or DER.
335 * @output_data: will contain a certificate PEM or DER encoded
336 * @output_data_size: holds the size of output_data (and will be
337 * replaced by the actual size of parameters)
338 *
339 * This function will export the certificate to DER or PEM format.
340 *
341 * If the buffer provided is not long enough to hold the output, then
342 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
343 * be returned.
344 *
345 * If the structure is PEM encoded, it will have a header
346 * of "BEGIN CERTIFICATE".
347 *
348 * Return value: In case of failure a negative value will be
349 * returned, and 0 on success.
350 **/
351int
352MHD_gnutls_x509_crt_export (MHD_gnutls_x509_crt_t cert,
353 MHD_gnutls_x509_crt_fmt_t format,
354 void *output_data, size_t * output_data_size)
355{
356 if (cert == NULL)
357 {
358 MHD_gnutls_assert ();
359 return GNUTLS_E_INVALID_REQUEST;
360 }
361
362 return MHD__gnutls_x509_export_int (cert->cert, format, "CERTIFICATE",
363 output_data, output_data_size);
364}
diff --git a/src/daemon/https/x509/x509.h b/src/daemon/https/x509/x509.h
deleted file mode 100644
index 9a01d95b..00000000
--- a/src/daemon/https/x509/x509.h
+++ /dev/null
@@ -1,409 +0,0 @@
1/*
2 * Copyright (C) 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#ifndef X509_H
26#define X509_H
27
28#ifndef MIN
29#define MIN(X,Y) ((X) > (Y) ? (Y) : (X));
30#endif
31
32#ifdef __cplusplus
33extern "C"
34{
35#endif
36
37#include <gnutls.h>
38#include <libtasn1.h>
39#include "gnutls_mpi.h"
40
41/* Some OIDs usually found in Distinguished names, or
42 * in Subject Directory Attribute extensions.
43 */
44#define GNUTLS_OID_X520_COUNTRY_NAME "2.5.4.6"
45#define GNUTLS_OID_X520_ORGANIZATION_NAME "2.5.4.10"
46#define GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME "2.5.4.11"
47#define GNUTLS_OID_X520_COMMON_NAME "2.5.4.3"
48#define GNUTLS_OID_X520_LOCALITY_NAME "2.5.4.7"
49#define GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME "2.5.4.8"
50
51#define GNUTLS_OID_X520_INITIALS "2.5.4.43"
52#define GNUTLS_OID_X520_GENERATION_QUALIFIER "2.5.4.44"
53#define GNUTLS_OID_X520_SURNAME "2.5.4.4"
54#define GNUTLS_OID_X520_GIVEN_NAME "2.5.4.42"
55#define GNUTLS_OID_X520_TITLE "2.5.4.12"
56#define GNUTLS_OID_X520_DN_QUALIFIER "2.5.4.46"
57#define GNUTLS_OID_X520_PSEUDONYM "2.5.4.65"
58
59#define GNUTLS_OID_LDAP_DC "0.9.2342.19200300.100.1.25"
60#define GNUTLS_OID_LDAP_UID "0.9.2342.19200300.100.1.1"
61
62/* The following should not be included in DN.
63 */
64#define GNUTLS_OID_PKCS9_EMAIL "1.2.840.113549.1.9.1"
65
66#define GNUTLS_OID_PKIX_DATE_OF_BIRTH "1.3.6.1.5.5.7.9.1"
67#define GNUTLS_OID_PKIX_PLACE_OF_BIRTH "1.3.6.1.5.5.7.9.2"
68#define GNUTLS_OID_PKIX_GENDER "1.3.6.1.5.5.7.9.3"
69#define GNUTLS_OID_PKIX_COUNTRY_OF_CITIZENSHIP "1.3.6.1.5.5.7.9.4"
70#define GNUTLS_OID_PKIX_COUNTRY_OF_RESIDENCE "1.3.6.1.5.5.7.9.5"
71
72/* Key purpose Object Identifiers.
73 */
74#define GNUTLS_KP_TLS_WWW_SERVER "1.3.6.1.5.5.7.3.1"
75#define GNUTLS_KP_TLS_WWW_CLIENT "1.3.6.1.5.5.7.3.2"
76#define GNUTLS_KP_CODE_SIGNING "1.3.6.1.5.5.7.3.3"
77#define GNUTLS_KP_EMAIL_PROTECTION "1.3.6.1.5.5.7.3.4"
78#define GNUTLS_KP_TIME_STAMPING "1.3.6.1.5.5.7.3.8"
79#define GNUTLS_KP_OCSP_SIGNING "1.3.6.1.5.5.7.3.9"
80#define GNUTLS_KP_ANY "2.5.29.37.0"
81
82/* Certificate handling functions.
83 */
84 typedef enum MHD_gnutls_certificate_import_flags
85 {
86 /* Fail if the certificates in the buffer are more than the space
87 * allocated for certificates. The error code will be
88 * GNUTLS_E_SHORT_MEMORY_BUFFER.
89 */
90 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED = 1
91 } MHD_gnutls_certificate_import_flags;
92
93 int MHD_gnutls_x509_crt_init (MHD_gnutls_x509_crt_t * cert);
94 void MHD_gnutls_x509_crt_deinit (MHD_gnutls_x509_crt_t cert);
95 int MHD_gnutls_x509_crt_import (MHD_gnutls_x509_crt_t cert,
96 const MHD_gnutls_datum_t * data,
97 MHD_gnutls_x509_crt_fmt_t format);
98 int MHD_gnutls_x509_crt_export (MHD_gnutls_x509_crt_t cert,
99 MHD_gnutls_x509_crt_fmt_t format,
100 void *output_data,
101 size_t * output_data_size);
102 int MHD_gnutls_x509_crt_get_version (MHD_gnutls_x509_crt_t cert);
103
104#define GNUTLS_CRL_REASON_UNUSED 128
105#define GNUTLS_CRL_REASON_KEY_COMPROMISE 64
106#define GNUTLS_CRL_REASON_CA_COMPROMISE 32
107#define GNUTLS_CRL_REASON_AFFILIATION_CHANGED 16
108#define GNUTLS_CRL_REASON_SUPERSEEDED 8
109#define GNUTLS_CRL_REASON_CESSATION_OF_OPERATION 4
110#define GNUTLS_CRL_REASON_CERTIFICATE_HOLD 2
111#define GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN 1
112#define GNUTLS_CRL_REASON_AA_COMPROMISE 32768
113
114 int MHD_gnutls_x509_crt_get_pk_algorithm (MHD_gnutls_x509_crt_t cert,
115 unsigned int *bits);
116 int MHD_gnutls_x509_crt_get_ca_status (MHD_gnutls_x509_crt_t cert,
117 unsigned int *critical);
118/* The key_usage flags are defined in gnutls.h. They are the
119 * GNUTLS_KEY_* definitions.
120 */
121 int MHD_gnutls_x509_crt_get_key_usage (MHD_gnutls_x509_crt_t cert,
122 unsigned int *key_usage,
123 unsigned int *critical);
124 int MHD_gnutls_x509_crt_set_key_usage (MHD_gnutls_x509_crt_t crt,
125 unsigned int usage);
126
127/* Read extensions by sequence number. */
128 int MHD_gnutls_x509_crt_set_extension_by_oid (MHD_gnutls_x509_crt_t crt,
129 const char *oid,
130 const void *buf,
131 size_t sizeof_buf,
132 unsigned int critical);
133
134/* X.509 Certificate writing.
135 */
136 int MHD_gnutls_x509_crt_set_dn_by_oid (MHD_gnutls_x509_crt_t crt,
137 const char *oid,
138 unsigned int raw_flag,
139 const void *name,
140 unsigned int sizeof_name);
141 int MHD_gnutls_x509_crt_set_issuer_dn_by_oid (MHD_gnutls_x509_crt_t crt,
142 const char *oid,
143 unsigned int raw_flag,
144 const void *name,
145 unsigned int sizeof_name);
146 int MHD_gnutls_x509_crt_set_version (MHD_gnutls_x509_crt_t crt,
147 unsigned int version);
148 int MHD_gnutls_x509_crt_set_key (MHD_gnutls_x509_crt_t crt,
149 MHD_gnutls_x509_privkey_t key);
150 int MHD_gnutls_x509_crt_set_ca_status (MHD_gnutls_x509_crt_t crt,
151 unsigned int ca);
152 int MHD_gnutls_x509_crt_set_basic_constraints (MHD_gnutls_x509_crt_t crt,
153 unsigned int ca,
154 int pathLenConstraint);
155 int MHD_gnutls_x509_crt_set_subject_alternative_name (MHD_gnutls_x509_crt_t
156 crt,
157 MHD_gnutls_x509_subject_alt_name_t
158 type,
159 const char
160 *data_string);
161 int MHD_gnutls_x509_crt_sign (MHD_gnutls_x509_crt_t crt,
162 MHD_gnutls_x509_crt_t issuer,
163 MHD_gnutls_x509_privkey_t issuer_key);
164 int MHD_gnutls_x509_crt_sign2 (MHD_gnutls_x509_crt_t crt,
165 MHD_gnutls_x509_crt_t issuer,
166 MHD_gnutls_x509_privkey_t issuer_key,
167 enum MHD_GNUTLS_HashAlgorithm,
168 unsigned int flags);
169 int MHD_gnutls_x509_crt_set_serial (MHD_gnutls_x509_crt_t cert,
170 const void *serial, size_t serial_size);
171
172 int MHD_gnutls_x509_crt_set_subject_key_id (MHD_gnutls_x509_crt_t cert,
173 const void *id, size_t id_size);
174
175 int MHD_gnutls_x509_crt_set_proxy_dn (MHD_gnutls_x509_crt_t crt,
176 MHD_gnutls_x509_crt_t eecrt,
177 unsigned int raw_flag,
178 const void *name,
179 unsigned int sizeof_name);
180 int MHD_gnutls_x509_crt_set_proxy (MHD_gnutls_x509_crt_t crt,
181 int pathLenConstraint,
182 const char *policyLanguage,
183 const char *policy,
184 size_t sizeof_policy);
185
186 typedef enum MHD_gnutls_certificate_print_formats
187 {
188 GNUTLS_X509_CRT_FULL,
189 GNUTLS_X509_CRT_ONELINE,
190 GNUTLS_X509_CRT_UNSIGNED_FULL
191 } MHD_gnutls_certificate_print_formats_t;
192
193 int MHD_gnutls_x509_crt_print (MHD_gnutls_x509_crt_t cert,
194 MHD_gnutls_certificate_print_formats_t
195 format, MHD_gnutls_datum_t * out);
196/* Access to internal Certificate fields.
197 */
198
199 typedef void *MHD_gnutls_x509_dn_t;
200
201/* X.509 Certificate verification functions.
202 */
203 typedef enum MHD_gnutls_certificate_verify_flags
204 {
205 /* If set a signer does not have to be a certificate authority. This
206 * flag should normaly be disabled, unless you know what this means.
207 */
208 GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
209
210 /* Allow only trusted CA certificates that have version 1. This is
211 * safer than GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be
212 * used instead. That way only signers in your trusted list will be
213 * allowed to have certificates of version 1.
214 */
215 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
216
217 /* If a certificate is not signed by anyone trusted but exists in
218 * the trusted CA list do not treat it as trusted.
219 */
220 GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
221
222 /* Allow CA certificates that have version 1 (both root and
223 * intermediate). This might be dangerous since those haven't the
224 * basicConstraints extension. Must be used in combination with
225 * GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.
226 */
227 GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
228
229 /* Allow certificates to be signed using the broken MD2 algorithm.
230 */
231 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
232
233 /* Allow certificates to be signed using the broken MD5 algorithm.
234 */
235 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
236 } MHD_gnutls_certificate_verify_flags;
237
238
239/* Flags for the MHD_gnutls_x509_privkey_export_pkcs8() function.
240 */
241 typedef enum MHD_gnutls_pkcs_encrypt_flags_t
242 {
243 GNUTLS_PKCS_PLAIN = 1, /* if set the private key will not
244 * be encrypted.
245 */
246 GNUTLS_PKCS_USE_PKCS12_3DES = 2,
247 GNUTLS_PKCS_USE_PKCS12_ARCFOUR = 4,
248 GNUTLS_PKCS_USE_PKCS12_RC2_40 = 8,
249 GNUTLS_PKCS_USE_PBES2_3DES = 16
250 } MHD_gnutls_pkcs_encrypt_flags_t;
251
252#define GNUTLS_PKCS8_PLAIN GNUTLS_PKCS_PLAIN
253#define GNUTLS_PKCS8_USE_PKCS12_3DES GNUTLS_PKCS_USE_PKCS12_3DES
254#define GNUTLS_PKCS8_USE_PKCS12_ARCFOUR GNUTLS_PKCS_USE_PKCS12_ARCFOUR
255#define GNUTLS_PKCS8_USE_PKCS12_RC2_40 GNUTLS_PKCS_USE_PKCS12_RC2_40
256
257 int MHD_gnutls_x509_privkey_init (MHD_gnutls_x509_privkey_t * key);
258 void MHD_gnutls_x509_privkey_deinit (MHD_gnutls_x509_privkey_t key);
259 int MHD_gnutls_x509_privkey_import (MHD_gnutls_x509_privkey_t key,
260 const MHD_gnutls_datum_t * data,
261 MHD_gnutls_x509_crt_fmt_t format);
262 int MHD_gnutls_x509_privkey_get_key_id (MHD_gnutls_x509_privkey_t key,
263 unsigned int flags,
264 unsigned char *output_data,
265 size_t * output_data_size);
266
267 int MHD_gnutls_x509_privkey_export (MHD_gnutls_x509_privkey_t key,
268 MHD_gnutls_x509_crt_fmt_t format,
269 void *output_data,
270 size_t * output_data_size);
271 int MHD_gnutls_x509_privkey_export_pkcs8 (MHD_gnutls_x509_privkey_t key,
272 MHD_gnutls_x509_crt_fmt_t format,
273 const char *password,
274 unsigned int flags,
275 void *output_data,
276 size_t * output_data_size);
277 int MHD_gnutls_x509_privkey_export_rsa_raw (MHD_gnutls_x509_privkey_t key,
278 MHD_gnutls_datum_t * m,
279 MHD_gnutls_datum_t * e,
280 MHD_gnutls_datum_t * d,
281 MHD_gnutls_datum_t * p,
282 MHD_gnutls_datum_t * q,
283 MHD_gnutls_datum_t * u);
284
285 int MHD_gnutls_x509_privkey_verify_data (MHD_gnutls_x509_privkey_t key,
286 unsigned int flags,
287 const MHD_gnutls_datum_t * data,
288 const MHD_gnutls_datum_t *
289 signature);
290
291#ifdef __cplusplus
292}
293#endif
294
295#define HASH_OID_SHA1 "1.3.14.3.2.26"
296#define HASH_OID_MD5 "1.2.840.113549.2.5"
297#define HASH_OID_MD2 "1.2.840.113549.2.2"
298#define HASH_OID_RMD160 "1.3.36.3.2.1"
299#define HASH_OID_SHA256 "2.16.840.1.101.3.4.2.1"
300#define HASH_OID_SHA384 "2.16.840.1.101.3.4.2.2"
301#define HASH_OID_SHA512 "2.16.840.1.101.3.4.2.3"
302
303typedef struct MHD_gnutls_x509_crt_int
304{
305 ASN1_TYPE cert;
306 int use_extensions;
307} MHD_gnutls_x509_crt_int;
308
309#define MAX_PRIV_PARAMS_SIZE 6 /* ok for RSA and DSA */
310
311/* parameters should not be larger than this limit */
312#define DSA_PRIVATE_PARAMS 5
313#define DSA_PUBLIC_PARAMS 4
314#define RSA_PRIVATE_PARAMS 6
315#define RSA_PUBLIC_PARAMS 2
316
317#if MAX_PRIV_PARAMS_SIZE - RSA_PRIVATE_PARAMS < 0
318# error INCREASE MAX_PRIV_PARAMS
319#endif
320
321#if MAX_PRIV_PARAMS_SIZE - DSA_PRIVATE_PARAMS < 0
322# error INCREASE MAX_PRIV_PARAMS
323#endif
324
325typedef struct MHD_gtls_x509_privkey_int
326{
327 mpi_t params[MAX_PRIV_PARAMS_SIZE]; /* the size of params depends on the public
328 * key algorithm
329 */
330 /*
331 * RSA: [0] is modulus
332 * [1] is public exponent
333 * [2] is private exponent
334 * [3] is prime1 (p)
335 * [4] is prime2 (q)
336 * [5] is coefficient (u == inverse of p mod q)
337 * note that other packages used inverse of q mod p,
338 * so we need to perform conversions.
339 * DSA: [0] is p
340 * [1] is q
341 * [2] is g
342 * [3] is y (public key)
343 * [4] is x (private key)
344 */
345 int params_size; /* holds the number of params */
346
347 enum MHD_GNUTLS_PublicKeyAlgorithm pk_algorithm;
348
349 int crippled; /* The crippled keys will not use the ASN1_TYPE key.
350 * The encoding will only be performed at the export
351 * phase, to optimize copying etc. Cannot be used with
352 * the exported API (used internally only).
353 */
354 ASN1_TYPE key;
355} MHD_gnutls_x509_privkey_int;
356
357int MHD_gnutls_x509_crt_get_pk_algorithm (MHD_gnutls_x509_crt_t cert,
358 unsigned int *bits);
359
360int MHD_gnutls_x509_crt_get_serial (MHD_gnutls_x509_crt_t cert,
361 void *result, size_t * result_size);
362
363int MHD_gnutls_x509_crt_init (MHD_gnutls_x509_crt_t * cert);
364void MHD_gnutls_x509_crt_deinit (MHD_gnutls_x509_crt_t cert);
365int MHD_gnutls_x509_crt_import (MHD_gnutls_x509_crt_t cert,
366 const MHD_gnutls_datum_t * data,
367 MHD_gnutls_x509_crt_fmt_t format);
368int MHD_gnutls_x509_crt_export (MHD_gnutls_x509_crt_t cert,
369 MHD_gnutls_x509_crt_fmt_t format,
370 void *output_data, size_t * output_data_size);
371
372int MHD_gnutls_x509_crt_get_key_usage (MHD_gnutls_x509_crt_t cert,
373 unsigned int *key_usage,
374 unsigned int *critical);
375int MHD_gnutls_x509_crt_get_version (MHD_gnutls_x509_crt_t cert);
376
377int MHD_gnutls_x509_privkey_init (MHD_gnutls_x509_privkey_t * key);
378void MHD_gnutls_x509_privkey_deinit (MHD_gnutls_x509_privkey_t key);
379
380int MHD_gnutls_x509_privkey_generate (MHD_gnutls_x509_privkey_t key,
381 enum MHD_GNUTLS_PublicKeyAlgorithm algo,
382 unsigned int bits, unsigned int flags);
383
384int MHD_gnutls_x509_privkey_import (MHD_gnutls_x509_privkey_t key,
385 const MHD_gnutls_datum_t * data,
386 MHD_gnutls_x509_crt_fmt_t format);
387int MHD_gnutls_x509_privkey_export_rsa_raw (MHD_gnutls_x509_privkey_t key,
388 MHD_gnutls_datum_t * m,
389 MHD_gnutls_datum_t * e,
390 MHD_gnutls_datum_t * d,
391 MHD_gnutls_datum_t * p,
392 MHD_gnutls_datum_t * q,
393 MHD_gnutls_datum_t * u);
394int MHD_gnutls_x509_privkey_export (MHD_gnutls_x509_privkey_t key,
395 MHD_gnutls_x509_crt_fmt_t format,
396 void *output_data,
397 size_t * output_data_size);
398
399#define GNUTLS_CRL_REASON_UNUSED 128
400#define GNUTLS_CRL_REASON_KEY_COMPROMISE 64
401#define GNUTLS_CRL_REASON_CA_COMPROMISE 32
402#define GNUTLS_CRL_REASON_AFFILIATION_CHANGED 16
403#define GNUTLS_CRL_REASON_SUPERSEEDED 8
404#define GNUTLS_CRL_REASON_CESSATION_OF_OPERATION 4
405#define GNUTLS_CRL_REASON_CERTIFICATE_HOLD 2
406#define GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN 1
407#define GNUTLS_CRL_REASON_AA_COMPROMISE 32768
408
409#endif
diff --git a/src/daemon/https/x509/x509_privkey.c b/src/daemon/https/x509/x509_privkey.c
deleted file mode 100644
index e22da040..00000000
--- a/src/daemon/https/x509/x509_privkey.c
+++ /dev/null
@@ -1,289 +0,0 @@
1/*
2 * Copyright (C) 2003, 2004, 2005, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25#include <gnutls_int.h>
26#include <gnutls_datum.h>
27#include <gnutls_global.h>
28#include <gnutls_errors.h>
29#include <gnutls_rsa_export.h>
30#include <gnutls_sig.h>
31#include <common.h>
32#include <gnutls_x509.h>
33#include <x509_b64.h>
34#include <x509.h>
35#include <mpi.h>
36#include <extensions.h>
37
38/* remove this when libgcrypt can handle the PKCS #1 coefficients from
39 * rsa keys
40 */
41#define CALC_COEFF 1
42
43/**
44 * MHD_gnutls_x509_privkey_init - This function initializes a MHD_gnutls_crl structure
45 * @key: The structure to be initialized
46 *
47 * This function will initialize an private key structure.
48 *
49 * Returns 0 on success.
50 *
51 **/
52int
53MHD_gnutls_x509_privkey_init (MHD_gnutls_x509_privkey_t * key)
54{
55 *key = MHD_gnutls_calloc (1, sizeof (MHD_gnutls_x509_privkey_int));
56
57 if (*key)
58 {
59 (*key)->key = ASN1_TYPE_EMPTY;
60 (*key)->pk_algorithm = MHD_GNUTLS_PK_UNKNOWN;
61 return 0; /* success */
62 }
63
64 return GNUTLS_E_MEMORY_ERROR;
65}
66
67/**
68 * MHD_gnutls_x509_privkey_deinit - This function deinitializes memory used by a MHD_gnutls_x509_privkey_t structure
69 * @key: The structure to be initialized
70 *
71 * This function will deinitialize a private key structure.
72 *
73 **/
74void
75MHD_gnutls_x509_privkey_deinit (MHD_gnutls_x509_privkey_t key)
76{
77 int i;
78
79 if (!key)
80 return;
81
82 for (i = 0; i < key->params_size; i++)
83 {
84 MHD_gtls_mpi_release (&key->params[i]);
85 }
86
87 MHD__asn1_delete_structure (&key->key);
88 MHD_gnutls_free (key);
89}
90
91
92/* Converts an RSA PKCS#1 key to
93 * an internal structure (MHD_gnutls_private_key)
94 */
95ASN1_TYPE
96MHD__gnutls_privkey_decode_pkcs1_rsa_key (const MHD_gnutls_datum_t * raw_key,
97 MHD_gnutls_x509_privkey_t pkey)
98{
99 int result;
100 ASN1_TYPE pkey_asn;
101
102 if ((result = MHD__asn1_create_element (MHD__gnutls_getMHD__gnutls_asn (),
103 "GNUTLS.RSAPrivateKey",
104 &pkey_asn)) != ASN1_SUCCESS)
105 {
106 MHD_gnutls_assert ();
107 return NULL;
108 }
109
110 if ((sizeof (pkey->params) / sizeof (mpi_t)) < RSA_PRIVATE_PARAMS)
111 {
112 MHD_gnutls_assert ();
113 /* internal error. Increase the mpi_ts in params */
114 return NULL;
115 }
116
117 result =
118 MHD__asn1_der_decoding (&pkey_asn, raw_key->data, raw_key->size, NULL);
119 if (result != ASN1_SUCCESS)
120 {
121 MHD_gnutls_assert ();
122 goto error;
123 }
124
125 if ((result =
126 MHD__gnutls_x509_read_int (pkey_asn, "modulus", &pkey->params[0])) < 0)
127 {
128 MHD_gnutls_assert ();
129 goto error;
130 }
131
132 if ((result = MHD__gnutls_x509_read_int (pkey_asn, "publicExponent",
133 &pkey->params[1])) < 0)
134 {
135 MHD_gnutls_assert ();
136 goto error;
137 }
138
139 if ((result = MHD__gnutls_x509_read_int (pkey_asn, "privateExponent",
140 &pkey->params[2])) < 0)
141 {
142 MHD_gnutls_assert ();
143 goto error;
144 }
145
146 if ((result =
147 MHD__gnutls_x509_read_int (pkey_asn, "prime1", &pkey->params[3])) < 0)
148 {
149 MHD_gnutls_assert ();
150 goto error;
151 }
152
153 if ((result =
154 MHD__gnutls_x509_read_int (pkey_asn, "prime2", &pkey->params[4])) < 0)
155 {
156 MHD_gnutls_assert ();
157 goto error;
158 }
159
160#ifdef CALC_COEFF
161 /* Calculate the coefficient. This is because the gcrypt
162 * library is uses the p,q in the reverse order.
163 */
164 pkey->params[5] =
165 MHD__gnutls_mpi_snew (MHD__gnutls_mpi_get_nbits (pkey->params[0]));
166
167 if (pkey->params[5] == NULL)
168 {
169 MHD_gnutls_assert ();
170 goto error;
171 }
172
173 MHD__gnutls_mpi_invm (pkey->params[5], pkey->params[3], pkey->params[4]);
174 /* p, q */
175#else
176 if ((result = MHD__gnutls_x509_read_int (pkey_asn, "coefficient",
177 &pkey->params[5])) < 0)
178 {
179 MHD_gnutls_assert ();
180 goto error;
181 }
182#endif
183 pkey->params_size = 6;
184
185 return pkey_asn;
186
187error:MHD__asn1_delete_structure (&pkey_asn);
188 MHD_gtls_mpi_release (&pkey->params[0]);
189 MHD_gtls_mpi_release (&pkey->params[1]);
190 MHD_gtls_mpi_release (&pkey->params[2]);
191 MHD_gtls_mpi_release (&pkey->params[3]);
192 MHD_gtls_mpi_release (&pkey->params[4]);
193 MHD_gtls_mpi_release (&pkey->params[5]);
194 return NULL;
195
196}
197
198#define PEM_KEY_RSA "RSA PRIVATE KEY"
199
200/**
201 * MHD_gnutls_x509_privkey_import - This function will import a DER or PEM encoded key
202 * @key: The structure to store the parsed key
203 * @data: The DER or PEM encoded certificate.
204 * @format: One of DER or PEM
205 *
206 * This function will convert the given DER or PEM encoded key
207 * to the native MHD_gnutls_x509_privkey_t format. The output will be stored in @key .
208 *
209 * If the key is PEM encoded it should have a header of "RSA PRIVATE KEY", or
210 * "DSA PRIVATE KEY".
211 *
212 * Returns 0 on success.
213 *
214 **/
215int
216MHD_gnutls_x509_privkey_import (MHD_gnutls_x509_privkey_t key,
217 const MHD_gnutls_datum_t * data,
218 MHD_gnutls_x509_crt_fmt_t format)
219{
220 int result = 0, need_free = 0;
221 MHD_gnutls_datum_t _data;
222
223 if (key == NULL)
224 {
225 MHD_gnutls_assert ();
226 return GNUTLS_E_INVALID_REQUEST;
227 }
228
229 _data.data = data->data;
230 _data.size = data->size;
231
232 key->pk_algorithm = MHD_GNUTLS_PK_UNKNOWN;
233
234 /* If the Certificate is in PEM format then decode it */
235 if (format == GNUTLS_X509_FMT_PEM)
236 {
237 opaque *out;
238
239 /* Try the first header */
240 result
241 =
242 MHD__gnutls_fbase64_decode (PEM_KEY_RSA, data->data, data->size,
243 &out);
244 key->pk_algorithm = MHD_GNUTLS_PK_RSA;
245
246 _data.data = out;
247 _data.size = result;
248
249 need_free = 1;
250 }
251
252 if (key->pk_algorithm == MHD_GNUTLS_PK_RSA)
253 {
254 key->key = MHD__gnutls_privkey_decode_pkcs1_rsa_key (&_data, key);
255 if (key->key == NULL)
256 MHD_gnutls_assert ();
257 }
258 else
259 {
260 /* Try decoding with both, and accept the one that succeeds. */
261 key->pk_algorithm = MHD_GNUTLS_PK_RSA;
262 key->key = MHD__gnutls_privkey_decode_pkcs1_rsa_key (&_data, key);
263
264 // TODO rm
265// if (key->key == NULL)
266// {
267// key->pk_algorithm = GNUTLS_PK_DSA;
268// key->key = decode_dsa_key(&_data, key);
269// if (key->key == NULL)
270// MHD_gnutls_assert();
271// }
272 }
273
274 if (key->key == NULL)
275 {
276 MHD_gnutls_assert ();
277 result = GNUTLS_E_ASN1_DER_ERROR;
278 key->pk_algorithm = MHD_GNUTLS_PK_UNKNOWN;
279 return result;
280 }
281
282 if (need_free)
283 MHD__gnutls_free_datum (&_data);
284
285 /* The key has now been decoded.
286 */
287
288 return 0;
289}
diff --git a/src/daemon/internal.h b/src/daemon/internal.h
index 71c4f7ff..805d8848 100644
--- a/src/daemon/internal.h
+++ b/src/daemon/internal.h
@@ -30,7 +30,7 @@
30#include "platform.h" 30#include "platform.h"
31#include "microhttpd.h" 31#include "microhttpd.h"
32#if HTTPS_SUPPORT 32#if HTTPS_SUPPORT
33#include "gnutls.h" 33#include <gnutls/gnutls.h>
34#endif 34#endif
35 35
36#define EXTRA_CHECKS MHD_YES 36#define EXTRA_CHECKS MHD_YES
@@ -660,7 +660,17 @@ struct MHD_Connection
660 /** 660 /**
661 * State required for HTTPS/SSL/TLS support. 661 * State required for HTTPS/SSL/TLS support.
662 */ 662 */
663 MHD_gtls_session_t tls_session; 663 gnutls_session_t tls_session;
664
665 /**
666 * Memory location to return for protocol session info.
667 */
668 int protocol;
669
670 /**
671 * Memory location to return for protocol session info.
672 */
673 int cipher;
664#endif 674#endif
665}; 675};
666 676
@@ -799,22 +809,17 @@ struct MHD_Daemon
799 * What kind of credentials are we offering 809 * What kind of credentials are we offering
800 * for SSL/TLS? 810 * for SSL/TLS?
801 */ 811 */
802 enum MHD_GNUTLS_CredentialsType cred_type; 812 gnutls_credentials_type_t cred_type;
803 813
804 /** 814 /**
805 * Server x509 credentials 815 * Server x509 credentials
806 */ 816 */
807 MHD_gtls_cert_credentials_t x509_cred; 817 gnutls_certificate_credentials_t x509_cred;
808
809 /**
810 * Cipher priority cache
811 */
812 MHD_gnutls_priority_t priority_cache;
813 818
814 /** 819 /**
815 * Diffie-Hellman parameters 820 * Diffie-Hellman parameters
816 */ 821 */
817 MHD_gtls_dh_params_t dh_params; 822 gnutls_dh_params_t dh_params;
818 823
819 /** 824 /**
820 * Pointer to our SSL/TLS key (in ASCII) in memory. 825 * Pointer to our SSL/TLS key (in ASCII) in memory.
@@ -825,6 +830,7 @@ struct MHD_Daemon
825 * Pointer to our SSL/TLS certificate (in ASCII) in memory. 830 * Pointer to our SSL/TLS certificate (in ASCII) in memory.
826 */ 831 */
827 const char *https_mem_cert; 832 const char *https_mem_cert;
833
828#endif 834#endif
829 835
830 /** 836 /**
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-25 04:49:02 +0000