diff options
Diffstat (limited to 'src/daemon/https/tls')
-rw-r--r-- | src/daemon/https/tls/Makefile.am | 1 | ||||
-rw-r--r-- | src/daemon/https/tls/auth_cert.h | 9 | ||||
-rw-r--r-- | src/daemon/https/tls/ext_cert_type.c | 4 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_alert.c | 4 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_algorithms.c | 16 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_anon_cred.c | 3 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_db.c | 386 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_db.h | 37 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_handshake.c | 13 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_int.h | 4 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_priority.c | 4 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_record.c | 33 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_session.c | 6 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_session_pack.c | 330 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_state.c | 5 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_x509.c | 33 |
16 files changed, 232 insertions, 656 deletions
diff --git a/src/daemon/https/tls/Makefile.am b/src/daemon/https/tls/Makefile.am index 40d49e08..3155e0bd 100644 --- a/src/daemon/https/tls/Makefile.am +++ b/src/daemon/https/tls/Makefile.am | |||
@@ -43,7 +43,6 @@ gnutls_compress.c \ | |||
43 | gnutls_compress_int.c \ | 43 | gnutls_compress_int.c \ |
44 | gnutls_constate.c \ | 44 | gnutls_constate.c \ |
45 | gnutls_datum.c \ | 45 | gnutls_datum.c \ |
46 | gnutls_db.c \ | ||
47 | gnutls_dh.c \ | 46 | gnutls_dh.c \ |
48 | gnutls_dh_primes.c \ | 47 | gnutls_dh_primes.c \ |
49 | gnutls_errors.c \ | 48 | gnutls_errors.c \ |
diff --git a/src/daemon/https/tls/auth_cert.h b/src/daemon/https/tls/auth_cert.h index 86e0230f..e49a6089 100644 --- a/src/daemon/https/tls/auth_cert.h +++ b/src/daemon/https/tls/auth_cert.h | |||
@@ -34,6 +34,7 @@ | |||
34 | /* This structure may be complex, but it's the only way to | 34 | /* This structure may be complex, but it's the only way to |
35 | * support a server that has multiple certificates | 35 | * support a server that has multiple certificates |
36 | */ | 36 | */ |
37 | |||
37 | typedef struct gnutls_certificate_credentials_st | 38 | typedef struct gnutls_certificate_credentials_st |
38 | { | 39 | { |
39 | gnutls_dh_params_t dh_params; | 40 | gnutls_dh_params_t dh_params; |
@@ -45,7 +46,7 @@ typedef struct gnutls_certificate_credentials_st | |||
45 | 46 | ||
46 | gnutls_cert **cert_list; | 47 | gnutls_cert **cert_list; |
47 | /* contains a list of a list of certificates. | 48 | /* contains a list of a list of certificates. |
48 | * eg (X509): [0] certificate1, certificate11, certificate111 | 49 | * eg (X509): [0] certificate1, certificate11, certificate111 |
49 | * (if more than one, one certificate certifies the one before) | 50 | * (if more than one, one certificate certifies the one before) |
50 | * [1] certificate2, certificate22, ... | 51 | * [1] certificate2, certificate22, ... |
51 | */ | 52 | */ |
@@ -75,14 +76,14 @@ typedef struct gnutls_certificate_credentials_st | |||
75 | /* X509 specific stuff */ | 76 | /* X509 specific stuff */ |
76 | 77 | ||
77 | gnutls_x509_crt_t *x509_ca_list; | 78 | gnutls_x509_crt_t *x509_ca_list; |
78 | unsigned x509_ncas; /* number of CAs in the ca_list | 79 | unsigned x509_ncas; /* number of CAs in the ca_list |
79 | */ | 80 | */ |
80 | 81 | ||
81 | gnutls_x509_crl_t *x509_crl_list; | 82 | gnutls_x509_crl_t *x509_crl_list; |
82 | unsigned x509_ncrls; /* number of CRLs in the crl_list | 83 | unsigned x509_ncrls; /* number of CRLs in the crl_list |
83 | */ | 84 | */ |
84 | 85 | ||
85 | unsigned int verify_flags; /* flags to be used at | 86 | unsigned int verify_flags; /* flags to be used at |
86 | * certificate verification. | 87 | * certificate verification. |
87 | */ | 88 | */ |
88 | unsigned int verify_depth; | 89 | unsigned int verify_depth; |
diff --git a/src/daemon/https/tls/ext_cert_type.c b/src/daemon/https/tls/ext_cert_type.c index 6f1c17bc..a1bec6a1 100644 --- a/src/daemon/https/tls/ext_cert_type.c +++ b/src/daemon/https/tls/ext_cert_type.c | |||
@@ -150,10 +150,10 @@ _gnutls_cert_type_send_params (gnutls_session_t session, opaque * data, | |||
150 | if (session->security_parameters.entity == GNUTLS_CLIENT) | 150 | if (session->security_parameters.entity == GNUTLS_CLIENT) |
151 | { | 151 | { |
152 | 152 | ||
153 | if (session->internals.priorities.cert_type.algorithms > 0) | 153 | if (session->internals.priorities.cert_type.num_algorithms > 0) |
154 | { | 154 | { |
155 | 155 | ||
156 | len = session->internals.priorities.cert_type.algorithms; | 156 | len = session->internals.priorities.cert_type.num_algorithms; |
157 | 157 | ||
158 | if (len == 1 && | 158 | if (len == 1 && |
159 | session->internals.priorities.cert_type.priority[0] == | 159 | session->internals.priorities.cert_type.priority[0] == |
diff --git a/src/daemon/https/tls/gnutls_alert.c b/src/daemon/https/tls/gnutls_alert.c index dfa35f85..29422dab 100644 --- a/src/daemon/https/tls/gnutls_alert.c +++ b/src/daemon/https/tls/gnutls_alert.c | |||
@@ -148,7 +148,7 @@ gnutls_alert_send (gnutls_session_t session, gnutls_alert_level_t level, | |||
148 | * alert should be sent to the peer indicating that no renegotiation will | 148 | * alert should be sent to the peer indicating that no renegotiation will |
149 | * be performed. | 149 | * be performed. |
150 | * | 150 | * |
151 | * If there is no mapping to a valid alert the alert to indicate internal error | 151 | * If there is no mapping to a valid alert the alert to indicate internal error |
152 | * is returned. | 152 | * is returned. |
153 | * | 153 | * |
154 | **/ | 154 | **/ |
@@ -163,7 +163,7 @@ gnutls_error_to_alert (int err, int *level) | |||
163 | /* GNUTLS_A_DECRYPTION_FAILED is not sent, because | 163 | /* GNUTLS_A_DECRYPTION_FAILED is not sent, because |
164 | * it is not defined in SSL3. Note that we must | 164 | * it is not defined in SSL3. Note that we must |
165 | * not distinguish Decryption failures from mac | 165 | * not distinguish Decryption failures from mac |
166 | * check failures, due to the possibility of some | 166 | * check failures, due to the possibility of some |
167 | * attacks. | 167 | * attacks. |
168 | */ | 168 | */ |
169 | ret = GNUTLS_A_BAD_RECORD_MAC; | 169 | ret = GNUTLS_A_BAD_RECORD_MAC; |
diff --git a/src/daemon/https/tls/gnutls_algorithms.c b/src/daemon/https/tls/gnutls_algorithms.c index 56435345..1809afda 100644 --- a/src/daemon/https/tls/gnutls_algorithms.c +++ b/src/daemon/https/tls/gnutls_algorithms.c | |||
@@ -767,7 +767,7 @@ _gnutls_mac_priority (gnutls_session_t session, | |||
767 | gnutls_mac_algorithm_t algorithm) | 767 | gnutls_mac_algorithm_t algorithm) |
768 | { /* actually returns the priority */ | 768 | { /* actually returns the priority */ |
769 | unsigned int i; | 769 | unsigned int i; |
770 | for (i = 0; i < session->internals.priorities.mac.algorithms; i++) | 770 | for (i = 0; i < session->internals.priorities.mac.num_algorithms; i++) |
771 | { | 771 | { |
772 | if (session->internals.priorities.mac.priority[i] == algorithm) | 772 | if (session->internals.priorities.mac.priority[i] == algorithm) |
773 | return i; | 773 | return i; |
@@ -893,7 +893,7 @@ _gnutls_compression_priority (gnutls_session_t session, | |||
893 | gnutls_compression_method_t algorithm) | 893 | gnutls_compression_method_t algorithm) |
894 | { /* actually returns the priority */ | 894 | { /* actually returns the priority */ |
895 | unsigned int i; | 895 | unsigned int i; |
896 | for (i = 0; i < session->internals.priorities.compression.algorithms; i++) | 896 | for (i = 0; i < session->internals.priorities.compression.num_algorithms; i++) |
897 | { | 897 | { |
898 | if (session->internals.priorities.compression.priority[i] == algorithm) | 898 | if (session->internals.priorities.compression.priority[i] == algorithm) |
899 | return i; | 899 | return i; |
@@ -1040,7 +1040,7 @@ _gnutls_cipher_priority (gnutls_session_t session, | |||
1040 | gnutls_cipher_algorithm_t algorithm) | 1040 | gnutls_cipher_algorithm_t algorithm) |
1041 | { | 1041 | { |
1042 | unsigned int i; | 1042 | unsigned int i; |
1043 | for (i = 0; i < session->internals.priorities.cipher.algorithms; i++) | 1043 | for (i = 0; i < session->internals.priorities.cipher.num_algorithms; i++) |
1044 | { | 1044 | { |
1045 | if (session->internals.priorities.cipher.priority[i] == algorithm) | 1045 | if (session->internals.priorities.cipher.priority[i] == algorithm) |
1046 | return i; | 1046 | return i; |
@@ -1176,7 +1176,7 @@ _gnutls_kx_priority (gnutls_session_t session, | |||
1176 | gnutls_kx_algorithm_t algorithm) | 1176 | gnutls_kx_algorithm_t algorithm) |
1177 | { | 1177 | { |
1178 | unsigned int i; | 1178 | unsigned int i; |
1179 | for (i = 0; i < session->internals.priorities.kx.algorithms; i++) | 1179 | for (i = 0; i < session->internals.priorities.kx.num_algorithms; i++) |
1180 | { | 1180 | { |
1181 | if (session->internals.priorities.kx.priority[i] == algorithm) | 1181 | if (session->internals.priorities.kx.priority[i] == algorithm) |
1182 | return i; | 1182 | return i; |
@@ -1276,7 +1276,7 @@ _gnutls_version_priority (gnutls_session_t session, gnutls_protocol_t version) | |||
1276 | return -1; | 1276 | return -1; |
1277 | } | 1277 | } |
1278 | 1278 | ||
1279 | for (i = 0; i < session->internals.priorities.protocol.algorithms; i++) | 1279 | for (i = 0; i < session->internals.priorities.protocol.num_algorithms; i++) |
1280 | { | 1280 | { |
1281 | if (session->internals.priorities.protocol.priority[i] == version) | 1281 | if (session->internals.priorities.protocol.priority[i] == version) |
1282 | return i; | 1282 | return i; |
@@ -1294,7 +1294,7 @@ _gnutls_version_lowest (gnutls_session_t session) | |||
1294 | return MHD_GNUTLS_VERSION_UNKNOWN; | 1294 | return MHD_GNUTLS_VERSION_UNKNOWN; |
1295 | } | 1295 | } |
1296 | else | 1296 | else |
1297 | for (i = 0; i < session->internals.priorities.protocol.algorithms; i++) | 1297 | for (i = 0; i < session->internals.priorities.protocol.num_algorithms; i++) |
1298 | { | 1298 | { |
1299 | if (session->internals.priorities.protocol.priority[i] < min) | 1299 | if (session->internals.priorities.protocol.priority[i] < min) |
1300 | min = session->internals.priorities.protocol.priority[i]; | 1300 | min = session->internals.priorities.protocol.priority[i]; |
@@ -1316,7 +1316,7 @@ _gnutls_version_max (gnutls_session_t session) | |||
1316 | return MHD_GNUTLS_VERSION_UNKNOWN; | 1316 | return MHD_GNUTLS_VERSION_UNKNOWN; |
1317 | } | 1317 | } |
1318 | else | 1318 | else |
1319 | for (i = 0; i < session->internals.priorities.protocol.algorithms; i++) | 1319 | for (i = 0; i < session->internals.priorities.protocol.num_algorithms; i++) |
1320 | { | 1320 | { |
1321 | if (session->internals.priorities.protocol.priority[i] > max) | 1321 | if (session->internals.priorities.protocol.priority[i] > max) |
1322 | max = session->internals.priorities.protocol.priority[i]; | 1322 | max = session->internals.priorities.protocol.priority[i]; |
@@ -1886,7 +1886,7 @@ _gnutls_supported_ciphersuites (gnutls_session_t session, | |||
1886 | 1886 | ||
1887 | /* returns the TLS numbers of the compression methods we support | 1887 | /* returns the TLS numbers of the compression methods we support |
1888 | */ | 1888 | */ |
1889 | #define SUPPORTED_COMPRESSION_METHODS session->internals.priorities.compression.algorithms | 1889 | #define SUPPORTED_COMPRESSION_METHODS session->internals.priorities.compression.num_algorithms |
1890 | int | 1890 | int |
1891 | _gnutls_supported_compression_methods (gnutls_session_t session, | 1891 | _gnutls_supported_compression_methods (gnutls_session_t session, |
1892 | uint8_t ** comp) | 1892 | uint8_t ** comp) |
diff --git a/src/daemon/https/tls/gnutls_anon_cred.c b/src/daemon/https/tls/gnutls_anon_cred.c index 919315ef..fd0917f8 100644 --- a/src/daemon/https/tls/gnutls_anon_cred.c +++ b/src/daemon/https/tls/gnutls_anon_cred.c | |||
@@ -62,8 +62,9 @@ int | |||
62 | gnutls_anon_allocate_server_credentials (gnutls_anon_server_credentials_t * | 62 | gnutls_anon_allocate_server_credentials (gnutls_anon_server_credentials_t * |
63 | sc) | 63 | sc) |
64 | { | 64 | { |
65 | |||
66 | *sc = gnutls_calloc (1, sizeof (anon_server_credentials_st)); | 65 | *sc = gnutls_calloc (1, sizeof (anon_server_credentials_st)); |
66 | if (*sc == NULL) | ||
67 | return GNUTLS_E_MEMORY_ERROR; | ||
67 | 68 | ||
68 | return 0; | 69 | return 0; |
69 | } | 70 | } |
diff --git a/src/daemon/https/tls/gnutls_db.c b/src/daemon/https/tls/gnutls_db.c deleted file mode 100644 index 806961c1..00000000 --- a/src/daemon/https/tls/gnutls_db.c +++ /dev/null | |||
@@ -1,386 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2000, 2002, 2003, 2004, 2005 Free Software Foundation | ||
3 | * | ||
4 | * Author: Nikos Mavrogiannopoulos | ||
5 | * | ||
6 | * This file is part of GNUTLS. | ||
7 | * | ||
8 | * The GNUTLS library is free software; you can redistribute it and/or | ||
9 | * modify it under the terms of the GNU Lesser General Public License | ||
10 | * as published by the Free Software Foundation; either version 2.1 of | ||
11 | * the License, or (at your option) any later version. | ||
12 | * | ||
13 | * This library is distributed in the hope that it will be useful, but | ||
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of | ||
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
16 | * Lesser General Public License for more details. | ||
17 | * | ||
18 | * You should have received a copy of the GNU Lesser General Public | ||
19 | * License along with this library; if not, write to the Free Software | ||
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, | ||
21 | * USA | ||
22 | * | ||
23 | */ | ||
24 | |||
25 | /* This file contains functions that manipulate a database backend | ||
26 | * for resumed sessions. | ||
27 | */ | ||
28 | |||
29 | #include "gnutls_int.h" | ||
30 | #include "gnutls_errors.h" | ||
31 | // #include "gnutls_session.h" | ||
32 | #include <gnutls_db.h> | ||
33 | #include "debug.h" | ||
34 | #include <gnutls_session_pack.h> | ||
35 | #include <gnutls_datum.h> | ||
36 | |||
37 | /** | ||
38 | * gnutls_db_set_retrieve_function - Sets the function that will be used to get data | ||
39 | * @session: is a #gnutls_session_t structure. | ||
40 | * @retr_func: is the function. | ||
41 | * | ||
42 | * Sets the function that will be used to retrieve data from the resumed | ||
43 | * sessions database. This function must return a gnutls_datum_t containing the | ||
44 | * data on success, or a gnutls_datum_t containing null and 0 on failure. | ||
45 | * | ||
46 | * The datum's data must be allocated using the function | ||
47 | * gnutls_malloc(). | ||
48 | * | ||
49 | * The first argument to retr_func() will be null unless gnutls_db_set_ptr() | ||
50 | * has been called. | ||
51 | * | ||
52 | **/ | ||
53 | void | ||
54 | gnutls_db_set_retrieve_function (gnutls_session_t session, | ||
55 | gnutls_db_retr_func retr_func) | ||
56 | { | ||
57 | session->internals.db_retrieve_func = retr_func; | ||
58 | } | ||
59 | |||
60 | /** | ||
61 | * gnutls_db_set_remove_function - Sets the function that will be used to remove data | ||
62 | * @session: is a #gnutls_session_t structure. | ||
63 | * @rem_func: is the function. | ||
64 | * | ||
65 | * Sets the function that will be used to remove data from the resumed | ||
66 | * sessions database. This function must return 0 on success. | ||
67 | * | ||
68 | * The first argument to rem_func() will be null unless gnutls_db_set_ptr() | ||
69 | * has been called. | ||
70 | * | ||
71 | **/ | ||
72 | void | ||
73 | gnutls_db_set_remove_function (gnutls_session_t session, | ||
74 | gnutls_db_remove_func rem_func) | ||
75 | { | ||
76 | session->internals.db_remove_func = rem_func; | ||
77 | } | ||
78 | |||
79 | /** | ||
80 | * gnutls_db_set_store_function - Sets the function that will be used to put data | ||
81 | * @session: is a #gnutls_session_t structure. | ||
82 | * @store_func: is the function | ||
83 | * | ||
84 | * Sets the function that will be used to store data from the resumed | ||
85 | * sessions database. This function must remove 0 on success. | ||
86 | * | ||
87 | * The first argument to store_func() will be null unless gnutls_db_set_ptr() | ||
88 | * has been called. | ||
89 | * | ||
90 | **/ | ||
91 | void | ||
92 | gnutls_db_set_store_function (gnutls_session_t session, | ||
93 | gnutls_db_store_func store_func) | ||
94 | { | ||
95 | session->internals.db_store_func = store_func; | ||
96 | } | ||
97 | |||
98 | /** | ||
99 | * gnutls_db_set_ptr - Sets a pointer to be sent to db functions | ||
100 | * @session: is a #gnutls_session_t structure. | ||
101 | * @ptr: is the pointer | ||
102 | * | ||
103 | * Sets the pointer that will be provided to db store, retrieve and delete functions, as | ||
104 | * the first argument. | ||
105 | * | ||
106 | **/ | ||
107 | void | ||
108 | gnutls_db_set_ptr (gnutls_session_t session, void *ptr) | ||
109 | { | ||
110 | session->internals.db_ptr = ptr; | ||
111 | } | ||
112 | |||
113 | /** | ||
114 | * gnutls_db_get_ptr - Returns the pointer which is sent to db functions | ||
115 | * @session: is a #gnutls_session_t structure. | ||
116 | * | ||
117 | * Returns the pointer that will be sent to db store, retrieve and delete functions, as | ||
118 | * the first argument. | ||
119 | * | ||
120 | **/ | ||
121 | void * | ||
122 | gnutls_db_get_ptr (gnutls_session_t session) | ||
123 | { | ||
124 | return session->internals.db_ptr; | ||
125 | } | ||
126 | |||
127 | /** | ||
128 | * gnutls_db_set_cache_expiration - Sets the expiration time for resumed sessions. | ||
129 | * @session: is a #gnutls_session_t structure. | ||
130 | * @seconds: is the number of seconds. | ||
131 | * | ||
132 | * Sets the expiration time for resumed sessions. The default is 3600 (one hour) | ||
133 | * at the time writing this. | ||
134 | **/ | ||
135 | void | ||
136 | gnutls_db_set_cache_expiration (gnutls_session_t session, int seconds) | ||
137 | { | ||
138 | session->internals.expire_time = seconds; | ||
139 | } | ||
140 | |||
141 | /** | ||
142 | * gnutls_db_check_entry - checks if the given db entry has expired | ||
143 | * @session: is a #gnutls_session_t structure. | ||
144 | * @session_entry: is the session data (not key) | ||
145 | * | ||
146 | * This function returns GNUTLS_E_EXPIRED, if the database entry | ||
147 | * has expired or 0 otherwise. This function is to be used when | ||
148 | * you want to clear unnesessary session which occupy space in your | ||
149 | * backend. | ||
150 | * | ||
151 | **/ | ||
152 | int | ||
153 | gnutls_db_check_entry (gnutls_session_t session, gnutls_datum_t session_entry) | ||
154 | { | ||
155 | time_t timestamp; | ||
156 | |||
157 | timestamp = time (0); | ||
158 | |||
159 | if (session_entry.data != NULL) | ||
160 | if (timestamp - | ||
161 | ((security_parameters_st *) (session_entry.data))->timestamp <= | ||
162 | session->internals.expire_time | ||
163 | || ((security_parameters_st *) (session_entry.data))-> | ||
164 | timestamp > timestamp | ||
165 | || ((security_parameters_st *) (session_entry.data))->timestamp == 0) | ||
166 | return GNUTLS_E_EXPIRED; | ||
167 | |||
168 | return 0; | ||
169 | } | ||
170 | |||
171 | /* The format of storing data is: | ||
172 | * (forget it). Check gnutls_session_pack.c | ||
173 | */ | ||
174 | int | ||
175 | _gnutls_server_register_current_session (gnutls_session_t session) | ||
176 | { | ||
177 | gnutls_datum_t key; | ||
178 | gnutls_datum_t content; | ||
179 | int ret = 0; | ||
180 | |||
181 | key.data = session->security_parameters.session_id; | ||
182 | key.size = session->security_parameters.session_id_size; | ||
183 | |||
184 | if (session->internals.resumable == RESUME_FALSE) | ||
185 | { | ||
186 | gnutls_assert (); | ||
187 | return GNUTLS_E_INVALID_SESSION; | ||
188 | } | ||
189 | |||
190 | if (session->security_parameters.session_id == NULL | ||
191 | || session->security_parameters.session_id_size == 0) | ||
192 | { | ||
193 | gnutls_assert (); | ||
194 | return GNUTLS_E_INVALID_SESSION; | ||
195 | } | ||
196 | |||
197 | /* copy data */ | ||
198 | ret = _gnutls_session_pack (session, &content); | ||
199 | if (ret < 0) | ||
200 | { | ||
201 | gnutls_assert (); | ||
202 | return ret; | ||
203 | } | ||
204 | |||
205 | ret = _gnutls_store_session (session, key, content); | ||
206 | _gnutls_free_datum (&content); | ||
207 | |||
208 | return ret; | ||
209 | } | ||
210 | |||
211 | /* Checks if both db_store and db_retrieve functions have | ||
212 | * been set up. | ||
213 | */ | ||
214 | static int | ||
215 | _gnutls_db_func_is_ok (gnutls_session_t session) | ||
216 | { | ||
217 | if (session->internals.db_store_func != NULL && | ||
218 | session->internals.db_retrieve_func != NULL && | ||
219 | session->internals.db_remove_func != NULL) | ||
220 | return 0; | ||
221 | else | ||
222 | return GNUTLS_E_DB_ERROR; | ||
223 | } | ||
224 | |||
225 | |||
226 | int | ||
227 | _gnutls_server_restore_session (gnutls_session_t session, | ||
228 | uint8_t * session_id, int session_id_size) | ||
229 | { | ||
230 | gnutls_datum_t data; | ||
231 | gnutls_datum_t key; | ||
232 | int ret; | ||
233 | |||
234 | key.data = session_id; | ||
235 | key.size = session_id_size; | ||
236 | |||
237 | if (_gnutls_db_func_is_ok (session) != 0) | ||
238 | { | ||
239 | gnutls_assert (); | ||
240 | return GNUTLS_E_INVALID_SESSION; | ||
241 | } | ||
242 | |||
243 | data = _gnutls_retrieve_session (session, key); | ||
244 | |||
245 | if (data.data == NULL) | ||
246 | { | ||
247 | gnutls_assert (); | ||
248 | return GNUTLS_E_INVALID_SESSION; | ||
249 | } | ||
250 | |||
251 | /* expiration check is performed inside */ | ||
252 | ret = gnutls_session_set_data (session, data.data, data.size); | ||
253 | if (ret < 0) | ||
254 | { | ||
255 | gnutls_assert (); | ||
256 | return ret; | ||
257 | } | ||
258 | |||
259 | gnutls_free (data.data); | ||
260 | |||
261 | return 0; | ||
262 | } | ||
263 | |||
264 | int | ||
265 | _gnutls_db_remove_session (gnutls_session_t session, uint8_t * session_id, | ||
266 | int session_id_size) | ||
267 | { | ||
268 | gnutls_datum_t key; | ||
269 | |||
270 | key.data = session_id; | ||
271 | key.size = session_id_size; | ||
272 | |||
273 | return _gnutls_remove_session (session, key); | ||
274 | } | ||
275 | |||
276 | |||
277 | /* Stores session data to the db backend. | ||
278 | */ | ||
279 | int | ||
280 | _gnutls_store_session (gnutls_session_t session, | ||
281 | gnutls_datum_t session_id, gnutls_datum_t session_data) | ||
282 | { | ||
283 | int ret = 0; | ||
284 | |||
285 | if (session->internals.resumable == RESUME_FALSE) | ||
286 | { | ||
287 | gnutls_assert (); | ||
288 | return GNUTLS_E_INVALID_SESSION; | ||
289 | } | ||
290 | |||
291 | if (_gnutls_db_func_is_ok (session) != 0) | ||
292 | { | ||
293 | return GNUTLS_E_DB_ERROR; | ||
294 | } | ||
295 | |||
296 | if (session_id.data == NULL || session_id.size == 0) | ||
297 | { | ||
298 | gnutls_assert (); | ||
299 | return GNUTLS_E_INVALID_SESSION; | ||
300 | } | ||
301 | |||
302 | if (session_data.data == NULL || session_data.size == 0) | ||
303 | { | ||
304 | gnutls_assert (); | ||
305 | return GNUTLS_E_INVALID_SESSION; | ||
306 | } | ||
307 | /* if we can't read why bother writing? */ | ||
308 | |||
309 | if (session->internals.db_store_func != NULL) | ||
310 | ret = | ||
311 | session->internals.db_store_func (session->internals.db_ptr, | ||
312 | session_id, session_data); | ||
313 | |||
314 | return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); | ||
315 | |||
316 | } | ||
317 | |||
318 | /* Retrieves session data from the db backend. | ||
319 | */ | ||
320 | gnutls_datum_t | ||
321 | _gnutls_retrieve_session (gnutls_session_t session, gnutls_datum_t session_id) | ||
322 | { | ||
323 | gnutls_datum_t ret = { NULL, 0 }; | ||
324 | |||
325 | if (session_id.data == NULL || session_id.size == 0) | ||
326 | { | ||
327 | gnutls_assert (); | ||
328 | return ret; | ||
329 | } | ||
330 | |||
331 | if (session->internals.db_retrieve_func != NULL) | ||
332 | ret = | ||
333 | session->internals.db_retrieve_func (session->internals.db_ptr, | ||
334 | session_id); | ||
335 | |||
336 | return ret; | ||
337 | |||
338 | } | ||
339 | |||
340 | /* Removes session data from the db backend. | ||
341 | */ | ||
342 | int | ||
343 | _gnutls_remove_session (gnutls_session_t session, gnutls_datum_t session_id) | ||
344 | { | ||
345 | int ret = 0; | ||
346 | |||
347 | if (_gnutls_db_func_is_ok (session) != 0) | ||
348 | { | ||
349 | return GNUTLS_E_DB_ERROR; | ||
350 | } | ||
351 | |||
352 | if (session_id.data == NULL || session_id.size == 0) | ||
353 | return GNUTLS_E_INVALID_SESSION; | ||
354 | |||
355 | /* if we can't read why bother writing? */ | ||
356 | if (session->internals.db_remove_func != NULL) | ||
357 | ret = | ||
358 | session->internals.db_remove_func (session->internals.db_ptr, | ||
359 | session_id); | ||
360 | |||
361 | return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); | ||
362 | |||
363 | } | ||
364 | |||
365 | /** | ||
366 | * gnutls_db_remove_session - This function will remove the current session data from the database | ||
367 | * @session: is a #gnutls_session_t structure. | ||
368 | * | ||
369 | * This function will remove the current session data from the session | ||
370 | * database. This will prevent future handshakes reusing these session | ||
371 | * data. This function should be called if a session was terminated | ||
372 | * abnormally, and before gnutls_deinit() is called. | ||
373 | * | ||
374 | * Normally gnutls_deinit() will remove abnormally terminated sessions. | ||
375 | * | ||
376 | **/ | ||
377 | void | ||
378 | gnutls_db_remove_session (gnutls_session_t session) | ||
379 | { | ||
380 | /* if the session has failed abnormally it has | ||
381 | * to be removed from the db | ||
382 | */ | ||
383 | _gnutls_db_remove_session (session, | ||
384 | session->security_parameters.session_id, | ||
385 | session->security_parameters.session_id_size); | ||
386 | } | ||
diff --git a/src/daemon/https/tls/gnutls_db.h b/src/daemon/https/tls/gnutls_db.h deleted file mode 100644 index 9adece4e..00000000 --- a/src/daemon/https/tls/gnutls_db.h +++ /dev/null | |||
@@ -1,37 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation | ||
3 | * | ||
4 | * Author: Nikos Mavrogiannopoulos | ||
5 | * | ||
6 | * This file is part of GNUTLS. | ||
7 | * | ||
8 | * The GNUTLS library is free software; you can redistribute it and/or | ||
9 | * modify it under the terms of the GNU Lesser General Public License | ||
10 | * as published by the Free Software Foundation; either version 2.1 of | ||
11 | * the License, or (at your option) any later version. | ||
12 | * | ||
13 | * This library is distributed in the hope that it will be useful, but | ||
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of | ||
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
16 | * Lesser General Public License for more details. | ||
17 | * | ||
18 | * You should have received a copy of the GNU Lesser General Public | ||
19 | * License along with this library; if not, write to the Free Software | ||
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, | ||
21 | * USA | ||
22 | * | ||
23 | */ | ||
24 | |||
25 | int _gnutls_server_register_current_session (gnutls_session_t session); | ||
26 | int _gnutls_server_restore_session (gnutls_session_t session, | ||
27 | uint8_t * session_id, | ||
28 | int session_id_size); | ||
29 | int _gnutls_db_remove_session (gnutls_session_t session, uint8_t * session_id, | ||
30 | int session_id_size); | ||
31 | int _gnutls_store_session (gnutls_session_t session, | ||
32 | gnutls_datum_t session_id, | ||
33 | gnutls_datum_t session_data); | ||
34 | gnutls_datum_t _gnutls_retrieve_session (gnutls_session_t session, | ||
35 | gnutls_datum_t session_id); | ||
36 | int _gnutls_remove_session (gnutls_session_t session, | ||
37 | gnutls_datum_t session_id); | ||
diff --git a/src/daemon/https/tls/gnutls_handshake.c b/src/daemon/https/tls/gnutls_handshake.c index b304bdcb..5f56822e 100644 --- a/src/daemon/https/tls/gnutls_handshake.c +++ b/src/daemon/https/tls/gnutls_handshake.c | |||
@@ -37,7 +37,6 @@ | |||
37 | #include "gnutls_handshake.h" | 37 | #include "gnutls_handshake.h" |
38 | #include "gnutls_num.h" | 38 | #include "gnutls_num.h" |
39 | #include "gnutls_hash_int.h" | 39 | #include "gnutls_hash_int.h" |
40 | #include "gnutls_db.h" | ||
41 | #include "gnutls_extensions.h" | 40 | #include "gnutls_extensions.h" |
42 | #include "gnutls_supplemental.h" | 41 | #include "gnutls_supplemental.h" |
43 | #include "gnutls_auth_int.h" | 42 | #include "gnutls_auth_int.h" |
@@ -338,7 +337,7 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data, | |||
338 | int datalen) | 337 | int datalen) |
339 | { | 338 | { |
340 | uint8_t session_id_len; | 339 | uint8_t session_id_len; |
341 | int pos = 0, ret; | 340 | int pos = 0, ret = 0; |
342 | uint16_t suite_size, comp_size; | 341 | uint16_t suite_size, comp_size; |
343 | gnutls_protocol_t adv_version; | 342 | gnutls_protocol_t adv_version; |
344 | int neg_version; | 343 | int neg_version; |
@@ -383,10 +382,10 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data, | |||
383 | } | 382 | } |
384 | DECR_LEN (len, session_id_len); | 383 | DECR_LEN (len, session_id_len); |
385 | 384 | ||
386 | ret = _gnutls_server_restore_session (session, &data[pos], session_id_len); | ||
387 | pos += session_id_len; | 385 | pos += session_id_len; |
388 | 386 | ||
389 | if (ret == 0) | 387 | /* TODO rm if support for resumed sessions won't be supported */ |
388 | if (0) | ||
390 | { /* resumed! */ | 389 | { /* resumed! */ |
391 | resume_copy_required_values (session); | 390 | resume_copy_required_values (session); |
392 | session->internals.resumed = RESUME_TRUE; | 391 | session->internals.resumed = RESUME_TRUE; |
@@ -2647,12 +2646,6 @@ _gnutls_handshake_common (gnutls_session_t session) | |||
2647 | IMED_RET ("recv handshake final 2", ret); | 2646 | IMED_RET ("recv handshake final 2", ret); |
2648 | } | 2647 | } |
2649 | 2648 | ||
2650 | if (session->security_parameters.entity == GNUTLS_SERVER) | ||
2651 | { | ||
2652 | /* in order to support session resuming */ | ||
2653 | _gnutls_server_register_current_session (session); | ||
2654 | } | ||
2655 | |||
2656 | /* clear handshake buffer */ | 2649 | /* clear handshake buffer */ |
2657 | _gnutls_handshake_hash_buffers_clear (session); | 2650 | _gnutls_handshake_hash_buffers_clear (session); |
2658 | return ret; | 2651 | return ret; |
diff --git a/src/daemon/https/tls/gnutls_int.h b/src/daemon/https/tls/gnutls_int.h index 5d30ac58..7791b554 100644 --- a/src/daemon/https/tls/gnutls_int.h +++ b/src/daemon/https/tls/gnutls_int.h | |||
@@ -380,7 +380,7 @@ typedef struct | |||
380 | typedef struct | 380 | typedef struct |
381 | { | 381 | { |
382 | unsigned int priority[MAX_ALGOS]; | 382 | unsigned int priority[MAX_ALGOS]; |
383 | unsigned int algorithms; | 383 | unsigned int num_algorithms; |
384 | } priority_st; | 384 | } priority_st; |
385 | 385 | ||
386 | /* For the external api */ | 386 | /* For the external api */ |
@@ -391,6 +391,8 @@ struct gnutls_priority_st | |||
391 | priority_st kx; | 391 | priority_st kx; |
392 | priority_st compression; | 392 | priority_st compression; |
393 | priority_st protocol; | 393 | priority_st protocol; |
394 | |||
395 | /* certificate type : x509, OpenPGP, etc. */ | ||
394 | priority_st cert_type; | 396 | priority_st cert_type; |
395 | 397 | ||
396 | /* to disable record padding */ | 398 | /* to disable record padding */ |
diff --git a/src/daemon/https/tls/gnutls_priority.c b/src/daemon/https/tls/gnutls_priority.c index 0dfb27e3..cea6446b 100644 --- a/src/daemon/https/tls/gnutls_priority.c +++ b/src/daemon/https/tls/gnutls_priority.c | |||
@@ -56,7 +56,7 @@ gnutls_cipher_set_priority (gnutls_session_t session, const int *list) | |||
56 | num++; | 56 | num++; |
57 | if (num > MAX_ALGOS) | 57 | if (num > MAX_ALGOS) |
58 | num = MAX_ALGOS; | 58 | num = MAX_ALGOS; |
59 | session->internals.priorities.cipher.algorithms = num; | 59 | session->internals.priorities.cipher.num_algorithms = num; |
60 | 60 | ||
61 | for (i = 0; i < num; i++) | 61 | for (i = 0; i < num; i++) |
62 | { | 62 | { |
@@ -75,7 +75,7 @@ _set_priority (priority_st * st, const int *list) | |||
75 | num++; | 75 | num++; |
76 | if (num > MAX_ALGOS) | 76 | if (num > MAX_ALGOS) |
77 | num = MAX_ALGOS; | 77 | num = MAX_ALGOS; |
78 | st->algorithms = num; | 78 | st->num_algorithms = num; |
79 | 79 | ||
80 | for (i = 0; i < num; i++) | 80 | for (i = 0; i < num; i++) |
81 | { | 81 | { |
diff --git a/src/daemon/https/tls/gnutls_record.c b/src/daemon/https/tls/gnutls_record.c index e52cf922..68c83330 100644 --- a/src/daemon/https/tls/gnutls_record.c +++ b/src/daemon/https/tls/gnutls_record.c | |||
@@ -35,7 +35,6 @@ | |||
35 | #include "gnutls_hash_int.h" | 35 | #include "gnutls_hash_int.h" |
36 | #include "gnutls_cipher_int.h" | 36 | #include "gnutls_cipher_int.h" |
37 | #include "gnutls_algorithms.h" | 37 | #include "gnutls_algorithms.h" |
38 | #include "gnutls_db.h" | ||
39 | #include "gnutls_auth_int.h" | 38 | #include "gnutls_auth_int.h" |
40 | #include "gnutls_num.h" | 39 | #include "gnutls_num.h" |
41 | #include "gnutls_record.h" | 40 | #include "gnutls_record.h" |
@@ -289,7 +288,7 @@ session_is_valid (gnutls_session_t session) | |||
289 | return 0; | 288 | return 0; |
290 | } | 289 | } |
291 | 290 | ||
292 | /* Copies the record version into the headers. The | 291 | /* Copies the record version into the headers. The |
293 | * version must have 2 bytes at least. | 292 | * version must have 2 bytes at least. |
294 | */ | 293 | */ |
295 | inline static void | 294 | inline static void |
@@ -316,7 +315,7 @@ copy_record_version (gnutls_session_t session, | |||
316 | /* This function behaves exactly like write(). The only difference is | 315 | /* This function behaves exactly like write(). The only difference is |
317 | * that it accepts, the gnutls_session_t and the content_type_t of data to | 316 | * that it accepts, the gnutls_session_t and the content_type_t of data to |
318 | * send (if called by the user the Content is specific) | 317 | * send (if called by the user the Content is specific) |
319 | * It is intended to transfer data, under the current session. | 318 | * It is intended to transfer data, under the current session. |
320 | * | 319 | * |
321 | * Oct 30 2001: Removed capability to send data more than MAX_RECORD_SIZE. | 320 | * Oct 30 2001: Removed capability to send data more than MAX_RECORD_SIZE. |
322 | * This makes the function much easier to read, and more error resistant | 321 | * This makes the function much easier to read, and more error resistant |
@@ -376,7 +375,7 @@ _gnutls_send_int (gnutls_session_t session, | |||
376 | else | 375 | else |
377 | data2send_size = sizeofdata; | 376 | data2send_size = sizeofdata; |
378 | 377 | ||
379 | /* Only encrypt if we don't have data to send | 378 | /* Only encrypt if we don't have data to send |
380 | * from the previous run. - probably interrupted. | 379 | * from the previous run. - probably interrupted. |
381 | */ | 380 | */ |
382 | if (session->internals.record_send_buffer.length > 0) | 381 | if (session->internals.record_send_buffer.length > 0) |
@@ -469,7 +468,7 @@ _gnutls_send_int (gnutls_session_t session, | |||
469 | return retval; | 468 | return retval; |
470 | } | 469 | } |
471 | 470 | ||
472 | /* This function is to be called if the handshake was successfully | 471 | /* This function is to be called if the handshake was successfully |
473 | * completed. This sends a Change Cipher Spec packet to the peer. | 472 | * completed. This sends a Change Cipher Spec packet to the peer. |
474 | */ | 473 | */ |
475 | ssize_t | 474 | ssize_t |
@@ -556,8 +555,8 @@ record_check_headers (gnutls_session_t session, | |||
556 | uint16_t * length, uint16_t * header_size) | 555 | uint16_t * length, uint16_t * header_size) |
557 | { | 556 | { |
558 | 557 | ||
559 | /* Read the first two bytes to determine if this is a | 558 | /* Read the first two bytes to determine if this is a |
560 | * version 2 message | 559 | * version 2 message |
561 | */ | 560 | */ |
562 | 561 | ||
563 | if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE | 562 | if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE |
@@ -565,7 +564,7 @@ record_check_headers (gnutls_session_t session, | |||
565 | { | 564 | { |
566 | 565 | ||
567 | /* if msb set and expecting handshake message | 566 | /* if msb set and expecting handshake message |
568 | * it should be SSL 2 hello | 567 | * it should be SSL 2 hello |
569 | */ | 568 | */ |
570 | version[0] = 3; /* assume SSL 3.0 */ | 569 | version[0] = 3; /* assume SSL 3.0 */ |
571 | version[1] = 0; | 570 | version[1] = 0; |
@@ -593,7 +592,7 @@ record_check_headers (gnutls_session_t session, | |||
593 | version[0] = headers[1]; | 592 | version[0] = headers[1]; |
594 | version[1] = headers[2]; | 593 | version[1] = headers[2]; |
595 | 594 | ||
596 | /* No DECR_LEN, since headers has enough size. | 595 | /* No DECR_LEN, since headers has enough size. |
597 | */ | 596 | */ |
598 | *length = _gnutls_read_uint16 (&headers[3]); | 597 | *length = _gnutls_read_uint16 (&headers[3]); |
599 | } | 598 | } |
@@ -676,7 +675,7 @@ record_check_type (gnutls_session_t session, | |||
676 | */ | 675 | */ |
677 | if (data[1] == GNUTLS_A_CLOSE_NOTIFY && data[0] != GNUTLS_AL_FATAL) | 676 | if (data[1] == GNUTLS_A_CLOSE_NOTIFY && data[0] != GNUTLS_AL_FATAL) |
678 | { | 677 | { |
679 | /* If we have been expecting for an alert do | 678 | /* If we have been expecting for an alert do |
680 | */ | 679 | */ |
681 | session->internals.read_eof = 1; | 680 | session->internals.read_eof = 1; |
682 | return GNUTLS_E_INT_RET_0; /* EOF */ | 681 | return GNUTLS_E_INT_RET_0; /* EOF */ |
@@ -911,7 +910,7 @@ begin: | |||
911 | } | 910 | } |
912 | 911 | ||
913 | /* Here we check if the Type of the received packet is | 912 | /* Here we check if the Type of the received packet is |
914 | * ok. | 913 | * ok. |
915 | */ | 914 | */ |
916 | if ((ret = check_recv_type (recv_type)) < 0) | 915 | if ((ret = check_recv_type (recv_type)) < 0) |
917 | { | 916 | { |
@@ -952,7 +951,7 @@ begin: | |||
952 | return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; | 951 | return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; |
953 | } | 952 | } |
954 | 953 | ||
955 | /* check if we have that data into buffer. | 954 | /* check if we have that data into buffer. |
956 | */ | 955 | */ |
957 | if ((ret = _gnutls_io_read_buffered (session, &recv_data, | 956 | if ((ret = _gnutls_io_read_buffered (session, &recv_data, |
958 | header_size + length, recv_type)) | 957 | header_size + length, recv_type)) |
@@ -1017,7 +1016,7 @@ begin: | |||
1017 | read_sequence_number), | 1016 | read_sequence_number), |
1018 | _gnutls_packet2str (recv_type), recv_type, decrypted_length); | 1017 | _gnutls_packet2str (recv_type), recv_type, decrypted_length); |
1019 | 1018 | ||
1020 | /* increase sequence number | 1019 | /* increase sequence number |
1021 | */ | 1020 | */ |
1022 | if (_gnutls_uint64pp (&session->connection_state.read_sequence_number) != 0) | 1021 | if (_gnutls_uint64pp (&session->connection_state.read_sequence_number) != 0) |
1023 | { | 1022 | { |
@@ -1037,7 +1036,7 @@ begin: | |||
1037 | return ret; | 1036 | return ret; |
1038 | } | 1037 | } |
1039 | 1038 | ||
1040 | /* Get Application data from buffer | 1039 | /* Get Application data from buffer |
1041 | */ | 1040 | */ |
1042 | if ((recv_type == type) && (type == GNUTLS_APPLICATION_DATA || type | 1041 | if ((recv_type == type) && (type == GNUTLS_APPLICATION_DATA || type |
1043 | == GNUTLS_HANDSHAKE | 1042 | == GNUTLS_HANDSHAKE |
@@ -1051,7 +1050,7 @@ begin: | |||
1051 | return ret; | 1050 | return ret; |
1052 | } | 1051 | } |
1053 | 1052 | ||
1054 | /* if the buffer just got empty | 1053 | /* if the buffer just got empty |
1055 | */ | 1054 | */ |
1056 | if (_gnutls_record_buffer_get_size (type, session) == 0) | 1055 | if (_gnutls_record_buffer_get_size (type, session) == 0) |
1057 | { | 1056 | { |
@@ -1066,11 +1065,11 @@ begin: | |||
1066 | { | 1065 | { |
1067 | gnutls_assert (); | 1066 | gnutls_assert (); |
1068 | return GNUTLS_E_UNEXPECTED_PACKET; | 1067 | return GNUTLS_E_UNEXPECTED_PACKET; |
1069 | /* we didn't get what we wanted to | 1068 | /* we didn't get what we wanted to |
1070 | */ | 1069 | */ |
1071 | } | 1070 | } |
1072 | 1071 | ||
1073 | /* (originally for) TLS 1.0 CBC protection. | 1072 | /* (originally for) TLS 1.0 CBC protection. |
1074 | * Actually this code is called if we just received | 1073 | * Actually this code is called if we just received |
1075 | * an empty packet. An empty TLS packet is usually | 1074 | * an empty packet. An empty TLS packet is usually |
1076 | * sent to protect some vulnerabilities in the CBC mode. | 1075 | * sent to protect some vulnerabilities in the CBC mode. |
diff --git a/src/daemon/https/tls/gnutls_session.c b/src/daemon/https/tls/gnutls_session.c index 541cc699..fb9b5e80 100644 --- a/src/daemon/https/tls/gnutls_session.c +++ b/src/daemon/https/tls/gnutls_session.c | |||
@@ -24,7 +24,7 @@ | |||
24 | #include "gnutls_int.h" | 24 | #include "gnutls_int.h" |
25 | #include "gnutls_errors.h" | 25 | #include "gnutls_errors.h" |
26 | #include "debug.h" | 26 | #include "debug.h" |
27 | #include <gnutls_session_pack.h> | 27 | #include "gnutls_session_pack.h" |
28 | #include <gnutls_datum.h> | 28 | #include <gnutls_datum.h> |
29 | 29 | ||
30 | /** | 30 | /** |
@@ -123,10 +123,10 @@ gnutls_session_get_data2 (gnutls_session_t session, gnutls_datum_t * data) | |||
123 | * | 123 | * |
124 | * Returns the current session id. This can be used if you want to check if | 124 | * Returns the current session id. This can be used if you want to check if |
125 | * the next session you tried to resume was actually resumed. | 125 | * the next session you tried to resume was actually resumed. |
126 | * This is because resumed sessions have the same sessionID with the | 126 | * This is because resumed sessions have the same sessionID with the |
127 | * original session. | 127 | * original session. |
128 | * | 128 | * |
129 | * Session id is some data set by the server, that identify the current session. | 129 | * Session id is some data set by the server, that identify the current session. |
130 | * In TLS 1.0 and SSL 3.0 session id is always less than 32 bytes. | 130 | * In TLS 1.0 and SSL 3.0 session id is always less than 32 bytes. |
131 | * | 131 | * |
132 | * Returns zero on success. | 132 | * Returns zero on success. |
diff --git a/src/daemon/https/tls/gnutls_session_pack.c b/src/daemon/https/tls/gnutls_session_pack.c index ed4945b6..3e549c4c 100644 --- a/src/daemon/https/tls/gnutls_session_pack.c +++ b/src/daemon/https/tls/gnutls_session_pack.c | |||
@@ -54,6 +54,169 @@ static int unpack_security_parameters (gnutls_session_t session, | |||
54 | static int pack_security_parameters (gnutls_session_t session, | 54 | static int pack_security_parameters (gnutls_session_t session, |
55 | gnutls_datum_t * packed_session); | 55 | gnutls_datum_t * packed_session); |
56 | 56 | ||
57 | /* Packs the ANON session authentication data. */ | ||
58 | #ifdef ENABLE_ANON | ||
59 | |||
60 | /* Format: | ||
61 | * 1 byte the credentials type | ||
62 | * 4 bytes the size of the whole structure | ||
63 | * 2 bytes the size of secret key in bits | ||
64 | * 4 bytes the size of the prime | ||
65 | * x bytes the prime | ||
66 | * 4 bytes the size of the generator | ||
67 | * x bytes the generator | ||
68 | * 4 bytes the size of the public key | ||
69 | * x bytes the public key | ||
70 | */ | ||
71 | static int | ||
72 | pack_anon_auth_info (gnutls_session_t session, gnutls_datum_t * packed_session) | ||
73 | { | ||
74 | anon_auth_info_t info = _gnutls_get_auth_info (session); | ||
75 | int pos = 0; | ||
76 | size_t pack_size; | ||
77 | |||
78 | if (info) | ||
79 | pack_size = 2 + 4 * 3 + info->dh.prime.size + | ||
80 | info->dh.generator.size + info->dh.public_key.size; | ||
81 | else | ||
82 | pack_size = 0; | ||
83 | |||
84 | packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof (uint32_t); | ||
85 | |||
86 | /* calculate the size and allocate the data. | ||
87 | */ | ||
88 | packed_session->data = | ||
89 | gnutls_malloc (packed_session->size + MAX_SEC_PARAMS); | ||
90 | |||
91 | if (packed_session->data == NULL) | ||
92 | { | ||
93 | gnutls_assert (); | ||
94 | return GNUTLS_E_MEMORY_ERROR; | ||
95 | } | ||
96 | |||
97 | packed_session->data[0] = MHD_GNUTLS_CRD_ANON; | ||
98 | _gnutls_write_uint32 (pack_size, &packed_session->data[PACK_HEADER_SIZE]); | ||
99 | pos += 4 + PACK_HEADER_SIZE; | ||
100 | |||
101 | if (pack_size > 0) | ||
102 | { | ||
103 | _gnutls_write_uint16 (info->dh.secret_bits, &packed_session->data[pos]); | ||
104 | pos += 2; | ||
105 | |||
106 | _gnutls_write_datum32 (&packed_session->data[pos], info->dh.prime); | ||
107 | pos += 4 + info->dh.prime.size; | ||
108 | _gnutls_write_datum32 (&packed_session->data[pos], info->dh.generator); | ||
109 | pos += 4 + info->dh.generator.size; | ||
110 | _gnutls_write_datum32 (&packed_session->data[pos], info->dh.public_key); | ||
111 | pos += 4 + info->dh.public_key.size; | ||
112 | |||
113 | } | ||
114 | |||
115 | return 0; | ||
116 | } | ||
117 | |||
118 | /* Format: | ||
119 | * 1 byte the credentials type | ||
120 | * 4 bytes the size of the whole structure | ||
121 | * 2 bytes the size of secret key in bits | ||
122 | * 4 bytes the size of the prime | ||
123 | * x bytes the prime | ||
124 | * 4 bytes the size of the generator | ||
125 | * x bytes the generator | ||
126 | * 4 bytes the size of the public key | ||
127 | * x bytes the public key | ||
128 | */ | ||
129 | static int | ||
130 | unpack_anon_auth_info (gnutls_session_t session, | ||
131 | const gnutls_datum_t * packed_session) | ||
132 | { | ||
133 | size_t pack_size; | ||
134 | int pos = 0, size, ret; | ||
135 | anon_auth_info_t info; | ||
136 | |||
137 | if (packed_session->data[0] != MHD_GNUTLS_CRD_ANON) | ||
138 | { | ||
139 | gnutls_assert (); | ||
140 | return GNUTLS_E_INVALID_REQUEST; | ||
141 | } | ||
142 | |||
143 | pack_size = _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]); | ||
144 | pos += PACK_HEADER_SIZE + 4; | ||
145 | |||
146 | |||
147 | if (pack_size == 0) | ||
148 | return 0; /* nothing to be done */ | ||
149 | |||
150 | /* a simple check for integrity */ | ||
151 | if (pack_size + PACK_HEADER_SIZE + 4 > packed_session->size) | ||
152 | { | ||
153 | gnutls_assert (); | ||
154 | return GNUTLS_E_INVALID_REQUEST; | ||
155 | } | ||
156 | |||
157 | /* client and serer have the same auth_info here | ||
158 | */ | ||
159 | ret = | ||
160 | _gnutls_auth_info_set (session, MHD_GNUTLS_CRD_ANON, | ||
161 | sizeof (anon_auth_info_st), 1); | ||
162 | if (ret < 0) | ||
163 | { | ||
164 | gnutls_assert (); | ||
165 | return ret; | ||
166 | } | ||
167 | |||
168 | info = _gnutls_get_auth_info (session); | ||
169 | if (info == NULL) | ||
170 | { | ||
171 | gnutls_assert (); | ||
172 | return GNUTLS_E_INTERNAL_ERROR; | ||
173 | } | ||
174 | |||
175 | info->dh.secret_bits = _gnutls_read_uint16 (&packed_session->data[pos]); | ||
176 | pos += 2; | ||
177 | |||
178 | size = _gnutls_read_uint32 (&packed_session->data[pos]); | ||
179 | pos += 4; | ||
180 | ret = _gnutls_set_datum (&info->dh.prime, &packed_session->data[pos], size); | ||
181 | if (ret < 0) | ||
182 | { | ||
183 | gnutls_assert (); | ||
184 | goto error; | ||
185 | } | ||
186 | pos += size; | ||
187 | |||
188 | size = _gnutls_read_uint32 (&packed_session->data[pos]); | ||
189 | pos += 4; | ||
190 | ret = | ||
191 | _gnutls_set_datum (&info->dh.generator, &packed_session->data[pos], size); | ||
192 | if (ret < 0) | ||
193 | { | ||
194 | gnutls_assert (); | ||
195 | goto error; | ||
196 | } | ||
197 | pos += size; | ||
198 | |||
199 | size = _gnutls_read_uint32 (&packed_session->data[pos]); | ||
200 | pos += 4; | ||
201 | ret = | ||
202 | _gnutls_set_datum (&info->dh.public_key, &packed_session->data[pos], | ||
203 | size); | ||
204 | if (ret < 0) | ||
205 | { | ||
206 | gnutls_assert (); | ||
207 | goto error; | ||
208 | } | ||
209 | pos += size; | ||
210 | |||
211 | return 0; | ||
212 | |||
213 | error: | ||
214 | _gnutls_free_datum (&info->dh.prime); | ||
215 | _gnutls_free_datum (&info->dh.generator); | ||
216 | _gnutls_free_datum (&info->dh.public_key); | ||
217 | return ret; | ||
218 | } | ||
219 | #endif /* ANON */ | ||
57 | 220 | ||
58 | /* Since auth_info structures contain malloced data, this function | 221 | /* Since auth_info structures contain malloced data, this function |
59 | * is required in order to pack these structures in a vector in | 222 | * is required in order to pack these structures in a vector in |
@@ -121,7 +284,7 @@ _gnutls_session_pack (gnutls_session_t session, | |||
121 | 284 | ||
122 | } | 285 | } |
123 | 286 | ||
124 | /* Auth_info structures copied. Now copy security_parameters_st. | 287 | /* Auth_info structures copied. Now copy security_parameters_st. |
125 | * packed_session must have allocated space for the security parameters. | 288 | * packed_session must have allocated space for the security parameters. |
126 | */ | 289 | */ |
127 | ret = pack_security_parameters (session, packed_session); | 290 | ret = pack_security_parameters (session, packed_session); |
@@ -201,7 +364,7 @@ _gnutls_session_unpack (gnutls_session_t session, | |||
201 | 364 | ||
202 | } | 365 | } |
203 | 366 | ||
204 | /* Auth_info structures copied. Now copy security_parameters_st. | 367 | /* Auth_info structures copied. Now copy security_parameters_st. |
205 | * packed_session must have allocated space for the security parameters. | 368 | * packed_session must have allocated space for the security parameters. |
206 | */ | 369 | */ |
207 | ret = unpack_security_parameters (session, packed_session); | 370 | ret = unpack_security_parameters (session, packed_session); |
@@ -477,7 +640,7 @@ error: | |||
477 | /* Packs the SRP session authentication data. | 640 | /* Packs the SRP session authentication data. |
478 | */ | 641 | */ |
479 | 642 | ||
480 | /* Format: | 643 | /* Format: |
481 | * 1 byte the credentials type | 644 | * 1 byte the credentials type |
482 | * 4 bytes the size of the SRP username (x) | 645 | * 4 bytes the size of the SRP username (x) |
483 | * x bytes the SRP username | 646 | * x bytes the SRP username |
@@ -569,167 +732,12 @@ unpack_srp_auth_info (gnutls_session_t session, | |||
569 | #endif | 732 | #endif |
570 | 733 | ||
571 | 734 | ||
572 | #ifdef ENABLE_ANON | ||
573 | /* Packs the ANON session authentication data. | ||
574 | */ | ||
575 | |||
576 | /* Format: | ||
577 | * 1 byte the credentials type | ||
578 | * 4 bytes the size of the whole structure | ||
579 | * 2 bytes the size of secret key in bits | ||
580 | * 4 bytes the size of the prime | ||
581 | * x bytes the prime | ||
582 | * 4 bytes the size of the generator | ||
583 | * x bytes the generator | ||
584 | * 4 bytes the size of the public key | ||
585 | * x bytes the public key | ||
586 | */ | ||
587 | static int | ||
588 | pack_anon_auth_info (gnutls_session_t session, | ||
589 | gnutls_datum_t * packed_session) | ||
590 | { | ||
591 | anon_auth_info_t info = _gnutls_get_auth_info (session); | ||
592 | int pos = 0; | ||
593 | size_t pack_size; | ||
594 | |||
595 | if (info) | ||
596 | pack_size = 2 + 4 * 3 + info->dh.prime.size + | ||
597 | info->dh.generator.size + info->dh.public_key.size; | ||
598 | else | ||
599 | pack_size = 0; | ||
600 | |||
601 | packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof (uint32_t); | ||
602 | |||
603 | /* calculate the size and allocate the data. | ||
604 | */ | ||
605 | packed_session->data = | ||
606 | gnutls_malloc (packed_session->size + MAX_SEC_PARAMS); | ||
607 | |||
608 | if (packed_session->data == NULL) | ||
609 | { | ||
610 | gnutls_assert (); | ||
611 | return GNUTLS_E_MEMORY_ERROR; | ||
612 | } | ||
613 | |||
614 | packed_session->data[0] = MHD_GNUTLS_CRD_ANON; | ||
615 | _gnutls_write_uint32 (pack_size, &packed_session->data[PACK_HEADER_SIZE]); | ||
616 | pos += 4 + PACK_HEADER_SIZE; | ||
617 | |||
618 | if (pack_size > 0) | ||
619 | { | ||
620 | _gnutls_write_uint16 (info->dh.secret_bits, &packed_session->data[pos]); | ||
621 | pos += 2; | ||
622 | |||
623 | _gnutls_write_datum32 (&packed_session->data[pos], info->dh.prime); | ||
624 | pos += 4 + info->dh.prime.size; | ||
625 | _gnutls_write_datum32 (&packed_session->data[pos], info->dh.generator); | ||
626 | pos += 4 + info->dh.generator.size; | ||
627 | _gnutls_write_datum32 (&packed_session->data[pos], info->dh.public_key); | ||
628 | pos += 4 + info->dh.public_key.size; | ||
629 | |||
630 | } | ||
631 | |||
632 | return 0; | ||
633 | } | ||
634 | |||
635 | |||
636 | static int | ||
637 | unpack_anon_auth_info (gnutls_session_t session, | ||
638 | const gnutls_datum_t * packed_session) | ||
639 | { | ||
640 | size_t pack_size; | ||
641 | int pos = 0, size, ret; | ||
642 | anon_auth_info_t info; | ||
643 | |||
644 | if (packed_session->data[0] != MHD_GNUTLS_CRD_ANON) | ||
645 | { | ||
646 | gnutls_assert (); | ||
647 | return GNUTLS_E_INVALID_REQUEST; | ||
648 | } | ||
649 | |||
650 | pack_size = _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]); | ||
651 | pos += PACK_HEADER_SIZE + 4; | ||
652 | |||
653 | |||
654 | if (pack_size == 0) | ||
655 | return 0; /* nothing to be done */ | ||
656 | |||
657 | /* a simple check for integrity */ | ||
658 | if (pack_size + PACK_HEADER_SIZE + 4 > packed_session->size) | ||
659 | { | ||
660 | gnutls_assert (); | ||
661 | return GNUTLS_E_INVALID_REQUEST; | ||
662 | } | ||
663 | |||
664 | /* client and serer have the same auth_info here | ||
665 | */ | ||
666 | ret = | ||
667 | _gnutls_auth_info_set (session, MHD_GNUTLS_CRD_ANON, | ||
668 | sizeof (anon_auth_info_st), 1); | ||
669 | if (ret < 0) | ||
670 | { | ||
671 | gnutls_assert (); | ||
672 | return ret; | ||
673 | } | ||
674 | |||
675 | info = _gnutls_get_auth_info (session); | ||
676 | if (info == NULL) | ||
677 | { | ||
678 | gnutls_assert (); | ||
679 | return GNUTLS_E_INTERNAL_ERROR; | ||
680 | } | ||
681 | |||
682 | info->dh.secret_bits = _gnutls_read_uint16 (&packed_session->data[pos]); | ||
683 | pos += 2; | ||
684 | |||
685 | size = _gnutls_read_uint32 (&packed_session->data[pos]); | ||
686 | pos += 4; | ||
687 | ret = _gnutls_set_datum (&info->dh.prime, &packed_session->data[pos], size); | ||
688 | if (ret < 0) | ||
689 | { | ||
690 | gnutls_assert (); | ||
691 | goto error; | ||
692 | } | ||
693 | pos += size; | ||
694 | |||
695 | size = _gnutls_read_uint32 (&packed_session->data[pos]); | ||
696 | pos += 4; | ||
697 | ret = | ||
698 | _gnutls_set_datum (&info->dh.generator, &packed_session->data[pos], size); | ||
699 | if (ret < 0) | ||
700 | { | ||
701 | gnutls_assert (); | ||
702 | goto error; | ||
703 | } | ||
704 | pos += size; | ||
705 | |||
706 | size = _gnutls_read_uint32 (&packed_session->data[pos]); | ||
707 | pos += 4; | ||
708 | ret = | ||
709 | _gnutls_set_datum (&info->dh.public_key, &packed_session->data[pos], | ||
710 | size); | ||
711 | if (ret < 0) | ||
712 | { | ||
713 | gnutls_assert (); | ||
714 | goto error; | ||
715 | } | ||
716 | pos += size; | ||
717 | |||
718 | return 0; | ||
719 | |||
720 | error: | ||
721 | _gnutls_free_datum (&info->dh.prime); | ||
722 | _gnutls_free_datum (&info->dh.generator); | ||
723 | _gnutls_free_datum (&info->dh.public_key); | ||
724 | return ret; | ||
725 | } | ||
726 | #endif /* ANON */ | ||
727 | 735 | ||
728 | #ifdef ENABLE_PSK | 736 | #ifdef ENABLE_PSK |
729 | /* Packs the PSK session authentication data. | 737 | /* Packs the PSK session authentication data. |
730 | */ | 738 | */ |
731 | 739 | ||
732 | /* Format: | 740 | /* Format: |
733 | * 1 byte the credentials type | 741 | * 1 byte the credentials type |
734 | * 4 bytes the size of the whole structure | 742 | * 4 bytes the size of the whole structure |
735 | * 4 bytes the size of the PSK username (x) | 743 | * 4 bytes the size of the PSK username (x) |
@@ -909,7 +917,7 @@ error: | |||
909 | /* Packs the security parameters. | 917 | /* Packs the security parameters. |
910 | */ | 918 | */ |
911 | 919 | ||
912 | /* Format: | 920 | /* Format: |
913 | * 4 bytes the total security data size | 921 | * 4 bytes the total security data size |
914 | * 1 byte the entity type (client/server) | 922 | * 1 byte the entity type (client/server) |
915 | * 1 byte the key exchange algorithm used | 923 | * 1 byte the key exchange algorithm used |
@@ -947,7 +955,7 @@ error: | |||
947 | * | 955 | * |
948 | * 2 bytes the number of server name extensions (up to MAX_SERVER_NAME_EXTENSIONS) | 956 | * 2 bytes the number of server name extensions (up to MAX_SERVER_NAME_EXTENSIONS) |
949 | * 1 byte the first name type | 957 | * 1 byte the first name type |
950 | * 2 bytes the size of the first name | 958 | * 2 bytes the size of the first name |
951 | * x bytes the first name (MAX_SERVER_NAME_SIZE) | 959 | * x bytes the first name (MAX_SERVER_NAME_SIZE) |
952 | * and so on... | 960 | * and so on... |
953 | * | 961 | * |
diff --git a/src/daemon/https/tls/gnutls_state.c b/src/daemon/https/tls/gnutls_state.c index 3fde3db4..3931b393 100644 --- a/src/daemon/https/tls/gnutls_state.c +++ b/src/daemon/https/tls/gnutls_state.c | |||
@@ -32,7 +32,6 @@ | |||
32 | #include <gnutls_auth_int.h> | 32 | #include <gnutls_auth_int.h> |
33 | #include <gnutls_num.h> | 33 | #include <gnutls_num.h> |
34 | #include <gnutls_datum.h> | 34 | #include <gnutls_datum.h> |
35 | #include <gnutls_db.h> | ||
36 | #include <gnutls_record.h> | 35 | #include <gnutls_record.h> |
37 | #include <gnutls_handshake.h> | 36 | #include <gnutls_handshake.h> |
38 | #include <gnutls_dh.h> | 37 | #include <gnutls_dh.h> |
@@ -154,11 +153,11 @@ _gnutls_session_cert_type_supported (gnutls_session_t session, | |||
154 | } | 153 | } |
155 | } | 154 | } |
156 | 155 | ||
157 | if (session->internals.priorities.cert_type.algorithms == 0 && cert_type | 156 | if (session->internals.priorities.cert_type.num_algorithms == 0 && cert_type |
158 | == DEFAULT_CERT_TYPE) | 157 | == DEFAULT_CERT_TYPE) |
159 | return 0; | 158 | return 0; |
160 | 159 | ||
161 | for (i = 0; i < session->internals.priorities.cert_type.algorithms; i++) | 160 | for (i = 0; i < session->internals.priorities.cert_type.num_algorithms; i++) |
162 | { | 161 | { |
163 | if (session->internals.priorities.cert_type.priority[i] == cert_type) | 162 | if (session->internals.priorities.cert_type.priority[i] == cert_type) |
164 | { | 163 | { |
diff --git a/src/daemon/https/tls/gnutls_x509.c b/src/daemon/https/tls/gnutls_x509.c index 7c84fa0a..a9b6829d 100644 --- a/src/daemon/https/tls/gnutls_x509.c +++ b/src/daemon/https/tls/gnutls_x509.c | |||
@@ -93,9 +93,9 @@ check_bits (gnutls_x509_crt_t crt, unsigned int max_bits) | |||
93 | * _gnutls_x509_cert_verify_peers - This function returns the peer's certificate status | 93 | * _gnutls_x509_cert_verify_peers - This function returns the peer's certificate status |
94 | * @session: is a gnutls session | 94 | * @session: is a gnutls session |
95 | * | 95 | * |
96 | * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.). | 96 | * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.). |
97 | * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements. | 97 | * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements. |
98 | * However you must also check the peer's name in order to check if the verified certificate belongs to the | 98 | * However you must also check the peer's name in order to check if the verified certificate belongs to the |
99 | * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent. | 99 | * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent. |
100 | * | 100 | * |
101 | -*/ | 101 | -*/ |
@@ -178,7 +178,7 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session, | |||
178 | 178 | ||
179 | } | 179 | } |
180 | 180 | ||
181 | /* Verify certificate | 181 | /* Verify certificate |
182 | */ | 182 | */ |
183 | ret = | 183 | ret = |
184 | gnutls_x509_crt_list_verify (peer_certificate_list, | 184 | gnutls_x509_crt_list_verify (peer_certificate_list, |
@@ -522,7 +522,7 @@ parse_pem_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts, | |||
522 | } | 522 | } |
523 | _gnutls_free_datum (&tmp); /* free ptr2 */ | 523 | _gnutls_free_datum (&tmp); /* free ptr2 */ |
524 | 524 | ||
525 | /* now we move ptr after the pem header | 525 | /* now we move ptr after the pem header |
526 | */ | 526 | */ |
527 | ptr++; | 527 | ptr++; |
528 | /* find the next certificate (if any) | 528 | /* find the next certificate (if any) |
@@ -794,18 +794,18 @@ read_key_file (gnutls_certificate_credentials_t res, | |||
794 | * @key: is the private key, or %NULL | 794 | * @key: is the private key, or %NULL |
795 | * @type: is PEM or DER | 795 | * @type: is PEM or DER |
796 | * | 796 | * |
797 | * This function sets a certificate/private key pair in the | 797 | * This function sets a certificate/private key pair in the |
798 | * gnutls_certificate_credentials_t structure. This function may be called | 798 | * gnutls_certificate_credentials_t structure. This function may be called |
799 | * more than once (in case multiple keys/certificates exist for the | 799 | * more than once (in case multiple keys/certificates exist for the |
800 | * server). | 800 | * server). |
801 | * | 801 | * |
802 | * Currently are supported: RSA PKCS-1 encoded private keys, | 802 | * Currently are supported: RSA PKCS-1 encoded private keys, |
803 | * DSA private keys. | 803 | * DSA private keys. |
804 | * | 804 | * |
805 | * DSA private keys are encoded the OpenSSL way, which is an ASN.1 | 805 | * DSA private keys are encoded the OpenSSL way, which is an ASN.1 |
806 | * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv. | 806 | * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv. |
807 | * | 807 | * |
808 | * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates | 808 | * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates |
809 | * is supported. This means that certificates intended for signing cannot | 809 | * is supported. This means that certificates intended for signing cannot |
810 | * be used for ciphersuites that require encryption. | 810 | * be used for ciphersuites that require encryption. |
811 | * | 811 | * |
@@ -825,7 +825,7 @@ gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t | |||
825 | { | 825 | { |
826 | int ret; | 826 | int ret; |
827 | 827 | ||
828 | /* this should be first | 828 | /* this should be first |
829 | */ | 829 | */ |
830 | if ((ret = read_key_mem (res, key ? key->data : NULL, | 830 | if ((ret = read_key_mem (res, key ? key->data : NULL, |
831 | key ? key->size : 0, type)) < 0) | 831 | key ? key->size : 0, type)) < 0) |
@@ -867,7 +867,7 @@ gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res, | |||
867 | { | 867 | { |
868 | int ret, i; | 868 | int ret, i; |
869 | 869 | ||
870 | /* this should be first | 870 | /* this should be first |
871 | */ | 871 | */ |
872 | 872 | ||
873 | res->pkey = | 873 | res->pkey = |
@@ -956,7 +956,7 @@ gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t | |||
956 | { | 956 | { |
957 | int ret; | 957 | int ret; |
958 | 958 | ||
959 | /* this should be first | 959 | /* this should be first |
960 | */ | 960 | */ |
961 | if ((ret = read_key_file (res, KEYFILE, type)) < 0) | 961 | if ((ret = read_key_file (res, KEYFILE, type)) < 0) |
962 | return ret; | 962 | return ret; |
@@ -983,7 +983,7 @@ generate_rdn_seq (gnutls_certificate_credentials_t res) | |||
983 | unsigned size, i; | 983 | unsigned size, i; |
984 | opaque *pdata; | 984 | opaque *pdata; |
985 | 985 | ||
986 | /* Generate the RDN sequence | 986 | /* Generate the RDN sequence |
987 | * This will be sent to clients when a certificate | 987 | * This will be sent to clients when a certificate |
988 | * request message is sent. | 988 | * request message is sent. |
989 | */ | 989 | */ |
@@ -1036,11 +1036,8 @@ generate_rdn_seq (gnutls_certificate_credentials_t res) | |||
1036 | return 0; | 1036 | return 0; |
1037 | } | 1037 | } |
1038 | 1038 | ||
1039 | 1039 | /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this | |
1040 | 1040 | * certificate (uses the KeyUsage field). | |
1041 | |||
1042 | /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this | ||
1043 | * certificate (uses the KeyUsage field). | ||
1044 | */ | 1041 | */ |
1045 | int | 1042 | int |
1046 | _gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg) | 1043 | _gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg) |
@@ -1158,7 +1155,7 @@ parse_pem_ca_mem (gnutls_x509_crt_t ** cert_list, unsigned *ncerts, | |||
1158 | return ret; | 1155 | return ret; |
1159 | } | 1156 | } |
1160 | 1157 | ||
1161 | /* now we move ptr after the pem header | 1158 | /* now we move ptr after the pem header |
1162 | */ | 1159 | */ |
1163 | ptr++; | 1160 | ptr++; |
1164 | size--; | 1161 | size--; |
@@ -1452,7 +1449,7 @@ parse_pem_crl_mem (gnutls_x509_crl_t ** crl_list, unsigned *ncrls, | |||
1452 | return ret; | 1449 | return ret; |
1453 | } | 1450 | } |
1454 | 1451 | ||
1455 | /* now we move ptr after the pem header | 1452 | /* now we move ptr after the pem header |
1456 | */ | 1453 | */ |
1457 | ptr++; | 1454 | ptr++; |
1458 | /* find the next certificate (if any) | 1455 | /* find the next certificate (if any) |