| blob | 6221b5e8488c97eee75eb39817f430c2091277a3 |
1 /*
2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 /* This file contains certificate authentication functions to be exported in the
24 * API which did not fit elsewhere.
25 */
27 #include <gnutls_int.h>
28 #include <auth/srp.h>
29 #include <auth/anon.h>
30 #include <auth/cert.h>
31 #include <auth/psk.h>
32 #include <gnutls_errors.h>
33 #include <gnutls_auth.h>
34 #include <gnutls_state.h>
35 #include <gnutls_datum.h>
36 #include <extras/randomart.h>
38 /**
39 * gnutls_random_art:
40 * @type: The type of the random art
41 * @key_type: The type of the key (RSA, DSA etc.)
42 * @key_size: The size of the key in bits
43 * @fpr: The fingerprint of the key
44 * @fpr_size: The size of the fingerprint
45 * @art: The returned random art
46 *
47 * This function will convert a given fingerprint to an "artistic"
48 * image. The returned image is allocated using gnutls_malloc()
49 *
50 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
51 * an error code is returned.
52 *
53 **/
58 {
69 }
71 /* ANON & DHE */
73 /**
74 * gnutls_dh_set_prime_bits:
75 * @session: is a #gnutls_session_t structure.
76 * @bits: is the number of bits
77 *
78 * This function sets the number of bits, for use in a Diffie-Hellman
79 * key exchange. This is used both in DH ephemeral and DH anonymous
80 * cipher suites. This will set the minimum size of the prime that
81 * will be used for the handshake.
82 *
83 * In the client side it sets the minimum accepted number of bits. If
84 * a server sends a prime with less bits than that
85 * %GNUTLS_E_DH_PRIME_UNACCEPTABLE will be returned by the handshake.
86 *
87 * Note that values lower than 512 bits may allow decryption of the
88 * exchanged data.
89 *
90 * This function has no effect in server side.
91 *
92 **/
93 void
95 {
96 if (bits < 512) _gnutls_audit_log(session, "Note that the security level of the Diffie-Hellman key exchange has been lowered to %u bits and this may allow decryption of the session data\n", bits);
98 }
101 /**
102 * gnutls_dh_get_group:
103 * @session: is a gnutls session
104 * @raw_gen: will hold the generator.
105 * @raw_prime: will hold the prime.
106 *
107 * This function will return the group parameters used in the last
108 * Diffie-Hellman key exchange with the peer. These are the prime and
109 * the generator used. This function should be used for both
110 * anonymous and ephemeral Diffie-Hellman. The output parameters must
111 * be freed with gnutls_free().
112 *
113 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
114 * an error code is returned.
115 **/
116 int
119 {
122 anon_auth_info_t anon_info;
123 cert_auth_info_t cert_info;
124 psk_auth_info_t psk_info;
127 {
149 }
153 {
156 }
160 {
164 }
167 }
169 /**
170 * gnutls_dh_get_pubkey:
171 * @session: is a gnutls session
172 * @raw_key: will hold the public key.
173 *
174 * This function will return the peer's public key used in the last
175 * Diffie-Hellman key exchange. This function should be used for both
176 * anonymous and ephemeral Diffie-Hellman. The output parameters must
177 * be freed with gnutls_free().
178 *
179 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
180 * an error code is returned.
181 **/
182 int
184 {
186 anon_auth_info_t anon_info;
187 cert_auth_info_t cert_info;
188 cert_auth_info_t psk_info;
191 {
193 {
199 }
201 {
207 }
209 {
216 }
220 }
224 }
226 /**
227 * gnutls_rsa_export_get_pubkey:
228 * @session: is a gnutls session
229 * @exponent: will hold the exponent.
230 * @modulus: will hold the modulus.
231 *
232 * This function will return the peer's public key exponent and
233 * modulus used in the last RSA-EXPORT authentication. The output
234 * parameters must be freed with gnutls_free().
235 *
236 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
237 * an error code is returned.
238 **/
239 int
243 {
244 cert_auth_info_t info;
248 {
256 {
259 }
264 {
268 }
271 }
274 }
277 /**
278 * gnutls_dh_get_secret_bits:
279 * @session: is a gnutls session
280 *
281 * This function will return the bits used in the last Diffie-Hellman
282 * key exchange with the peer. Should be used for both anonymous and
283 * ephemeral Diffie-Hellman.
284 *
285 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
286 * an error code is returned.
287 **/
288 int
290 {
292 {
294 {
295 anon_auth_info_t info;
301 }
303 {
304 psk_auth_info_t info;
310 }
312 {
313 cert_auth_info_t info;
320 }
324 }
325 }
327 static int
329 {
330 bigint_t mpi;
335 {
338 }
344 }
346 /**
347 * gnutls_dh_get_prime_bits:
348 * @session: is a gnutls session
349 *
350 * This function will return the bits of the prime used in the last
351 * Diffie-Hellman key exchange with the peer. Should be used for both
352 * anonymous and ephemeral Diffie-Hellman. Note that some ciphers,
353 * like RSA and DSA without DHE, do not use a Diffie-Hellman key
354 * exchange, and then this function will return 0.
355 *
356 * Returns: The Diffie-Hellman bit strength is returned, or 0 if no
357 * Diffie-Hellman key exchange was done, or a negative error code on
358 * failure.
359 **/
360 int
362 {
366 {
368 {
369 anon_auth_info_t info;
376 }
378 {
379 psk_auth_info_t info;
386 }
388 {
389 cert_auth_info_t info;
397 }
401 }
404 }
406 /**
407 * gnutls_rsa_export_get_modulus_bits:
408 * @session: is a gnutls session
409 *
410 * Get the export RSA parameter's modulus size.
411 *
412 * Returns: The bits used in the last RSA-EXPORT key exchange with the
413 * peer, or a negative error code in case of error.
414 **/
415 int
417 {
418 cert_auth_info_t info;
425 }
427 /**
428 * gnutls_dh_get_peers_public_bits:
429 * @session: is a gnutls session
430 *
431 * Get the Diffie-Hellman public key bit size. Can be used for both
432 * anonymous and ephemeral Diffie-Hellman.
433 *
434 * Returns: The public key bit size used in the last Diffie-Hellman
435 * key exchange with the peer, or a negative error code in case of error.
436 **/
437 int
439 {
443 {
445 {
446 anon_auth_info_t info;
454 }
456 {
457 psk_auth_info_t info;
465 }
467 {
468 cert_auth_info_t info;
476 }
480 }
483 }
485 /* CERTIFICATE STUFF */
487 /**
488 * gnutls_certificate_get_ours:
489 * @session: is a gnutls session
490 *
491 * Gets the certificate as sent to the peer in the last handshake.
492 * The certificate is in raw (DER) format. No certificate
493 * list is being returned. Only the first certificate.
494 *
495 * Returns: a pointer to a #gnutls_datum_t containing our
496 * certificate, or %NULL in case of an error or if no certificate
497 * was used.
498 **/
501 {
502 gnutls_certificate_credentials_t cred;
509 {
512 }
518 }
520 /**
521 * gnutls_certificate_get_peers:
522 * @session: is a gnutls session
523 * @list_size: is the length of the certificate list
524 *
525 * Get the peer's raw certificate (chain) as sent by the peer. These
526 * certificates are in raw format (DER encoded for X.509). In case of
527 * a X.509 then a certificate list may be present. The first
528 * certificate in the list is the peer's certificate, following the
529 * issuer's certificate, then the issuer's issuer etc.
530 *
531 * In case of OpenPGP keys a single key will be returned in raw
532 * format.
533 *
534 * Returns: a pointer to a #gnutls_datum_t containing our
535 * certificates, or %NULL in case of an error or if no certificate
536 * was used.
537 **/
541 {
542 cert_auth_info_t info;
552 }
555 /**
556 * gnutls_certificate_client_get_request_status:
557 * @session: is a gnutls session
558 *
559 * Get whether client certificate is requested or not.
560 *
561 * Returns: 0 if the peer (server) did not request client
562 * authentication or 1 otherwise, or a negative error code in case of
563 * error.
564 **/
565 int
567 {
569 }
571 /**
572 * gnutls_fingerprint:
573 * @algo: is a digest algorithm
574 * @data: is the data
575 * @result: is the place where the result will be copied (may be null).
576 * @result_size: should hold the size of the result. The actual size
577 * of the returned result will also be copied there.
578 *
579 * This function will calculate a fingerprint (actually a hash), of
580 * the given data. The result is not printable data. You should
581 * convert it to hex, or to something else printable.
582 *
583 * This is the usual way to calculate a fingerprint of an X.509 DER
584 * encoded certificate. Note however that the fingerprint of an
585 * OpenPGP is not just a hash and cannot be calculated with this
586 * function.
587 *
588 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
589 * an error code is returned.
590 **/
591 int
595 {
600 {
603 }
607 {
611 }
614 }
617 /**
618 * gnutls_certificate_set_dh_params:
619 * @res: is a gnutls_certificate_credentials_t structure
620 * @dh_params: is a structure that holds Diffie-Hellman parameters.
621 *
622 * This function will set the Diffie-Hellman parameters for a
623 * certificate server to use. These parameters will be used in
624 * Ephemeral Diffie-Hellman cipher suites. Note that only a pointer
625 * to the parameters are stored in the certificate handle, so if you
626 * deallocate the parameters before the certificate is deallocated,
627 * you must change the parameters stored in the certificate first.
628 *
629 **/
630 void
632 gnutls_dh_params_t dh_params)
633 {
635 }
637 /**
638 * gnutls_certificate_set_params_function:
639 * @res: is a gnutls_certificate_credentials_t structure
640 * @func: is the function to be called
641 *
642 * This function will set a callback in order for the server to get
643 * the Diffie-Hellman or RSA parameters for certificate
644 * authentication. The callback should return %GNUTLS_E_SUCCESS (0) on success.
645 **/
646 void
649 {
651 }
654 /**
655 * gnutls_certificate_set_verify_flags:
656 * @res: is a gnutls_certificate_credentials_t structure
657 * @flags: are the flags
658 *
659 * This function will set the flags to be used at verification of the
660 * certificates. Flags must be OR of the
661 * #gnutls_certificate_verify_flags enumerations.
662 *
663 **/
664 void
667 {
669 }
671 /**
672 * gnutls_certificate_set_verify_limits:
673 * @res: is a gnutls_certificate_credentials structure
674 * @max_bits: is the number of bits of an acceptable certificate (default 8200)
675 * @max_depth: is maximum depth of the verification of a certificate chain (default 5)
676 *
677 * This function will set some upper limits for the default
678 * verification function, gnutls_certificate_verify_peers2(), to avoid
679 * denial of service attacks. You can set them to zero to disable
680 * limits.
681 **/
682 void
686 {
689 }
691 /**
692 * gnutls_certificate_set_rsa_export_params:
693 * @res: is a gnutls_certificate_credentials_t structure
694 * @rsa_params: is a structure that holds temporary RSA parameters.
695 *
696 * This function will set the temporary RSA parameters for a
697 * certificate server to use. These parameters will be used in
698 * RSA-EXPORT cipher suites.
699 **/
700 void
703 {
705 }
707 /**
708 * gnutls_psk_set_params_function:
709 * @res: is a gnutls_psk_server_credentials_t structure
710 * @func: is the function to be called
711 *
712 * This function will set a callback in order for the server to get
713 * the Diffie-Hellman or RSA parameters for PSK authentication. The
714 * callback should return %GNUTLS_E_SUCCESS (0) on success.
715 **/
716 void
719 {
721 }
723 /**
724 * gnutls_anon_set_params_function:
725 * @res: is a gnutls_anon_server_credentials_t structure
726 * @func: is the function to be called
727 *
728 * This function will set a callback in order for the server to get
729 * the Diffie-Hellman or RSA parameters for anonymous authentication.
730 * The callback should return %GNUTLS_E_SUCCESS (0) on success.
731 **/
732 void
735 {
737 }