lib/crypto/gnutls_server_end_point_cb.c

   1 /*
   2  * Copyright (C) 2002-2016 Free Software Foundation, Inc.
   3  * Copyright (C) 2014-2016 Nikos Mavrogiannopoulos
   4  * Copyright (C) 2015-2018 Red Hat, Inc.
   5  *
   6  * Author: Nikos Mavrogiannopoulos
   7  *
   8  * This file is part of GnuTLS.
   9  *
  10  * The GnuTLS is free software; you can redistribute it and/or
  11  * modify it under the terms of the GNU Lesser General Public License
  12  * as published by the Free Software Foundation; either version 2.1 of
  13  * the License, or (at your option) any later version.
  14  *
  15  * This library is distributed in the hope that it will be useful, but
  16  * WITHOUT ANY WARRANTY; without even the implied warranty of
  17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  18  * Lesser General Public License for more details.
  19  *
  20  * You should have received a copy of the GNU Lesser General Public License
  21  * along with this program.  If not, see <https://www.gnu.org/licenses/>
  22  *
  23  */
  24
  25 #include "replace.h"
  26 #include "gnutls_helpers.h"
  27 #include <gnutls/gnutls.h>
  28 #include <gnutls/x509.h>
  29
  30 int legacy_gnutls_server_end_point_cb(gnutls_session_t session,
  31                                       bool is_server,
  32                                       gnutls_datum_t * cb)
  33 {
  34         /*
  35          * copied from the logic in gnutls_session_channel_binding()
  36          * introduced by gnutls commit (as LGPL 2.1+):
  37          *
  38          * commit 9ebee00c793e40e3e8c797c645577c9e025b9f1e
  39          * Author: Ruslan N. Marchenko <me@ruff.mobi>
  40          * Date:   Sat May 1 23:05:54 2021 +0200
  41          *
  42          *  Add tls-server-end-point tls channel binding implementation.
  43          *  ...
  44          */
  45         const gnutls_datum_t *ders = NULL;
  46         unsigned int num_certs = 1;
  47         int ret;
  48         size_t rlen;
  49         gnutls_x509_crt_t cert;
  50         gnutls_digest_algorithm_t algo;
  51
  52         /* Only X509 certificates are supported for this binding type */
  53         ret = gnutls_certificate_type_get(session);
  54         if (ret != GNUTLS_CRT_X509) {
  55                 return GNUTLS_E_UNIMPLEMENTED_FEATURE;
  56         }
  57
  58         if (is_server) {
  59                 ders = gnutls_certificate_get_ours(session);
  60         } else {
  61                 ders = gnutls_certificate_get_peers(session, &num_certs);
  62         }
  63
  64         /* Previous check indicated we have x509 but you never know */
  65         if (!ders || num_certs == 0) {
  66                 return GNUTLS_E_UNIMPLEMENTED_FEATURE;
  67         }
  68
  69         ret = gnutls_x509_crt_list_import(&cert,
  70                                           &num_certs,
  71                                           ders,
  72                                           GNUTLS_X509_FMT_DER,
  73                                           0);
  74         /* Again, this is not supposed to happen (normally) */
  75         if (ret < 0 || num_certs == 0) {
  76                 return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE;
  77         }
  78
  79         /* Obtain signature algorithm used by certificate */
  80         ret = gnutls_x509_crt_get_signature_algorithm(cert);
  81         if (ret < 0 || ret == GNUTLS_SIGN_UNKNOWN) {
  82                 gnutls_x509_crt_deinit(cert);
  83                 return GNUTLS_E_UNIMPLEMENTED_FEATURE;
  84         }
  85
  86         /* obtain hash function from signature and normalize it */
  87         algo = gnutls_sign_get_hash_algorithm(ret);
  88         switch (algo) {
  89         case GNUTLS_DIG_MD5:
  90         case GNUTLS_DIG_SHA1:
  91                 algo = GNUTLS_DIG_SHA256;
  92                 break;
  93         case GNUTLS_DIG_UNKNOWN:
  94         case GNUTLS_DIG_NULL:
  95         case GNUTLS_DIG_MD5_SHA1:
  96                 /* double hashing not supported either */
  97                 gnutls_x509_crt_deinit(cert);
  98                 return GNUTLS_E_UNIMPLEMENTED_FEATURE;
  99         default:
 100                 break;
 101         }
 102
 103         /* preallocate 512 bits buffer as maximum supported digest */
 104         rlen = 64;
 105         cb->data = gnutls_malloc(rlen);
 106         if (cb->data == NULL) {
 107                 gnutls_x509_crt_deinit(cert);
 108                 return GNUTLS_E_MEMORY_ERROR;
 109         }
 110
 111         ret = gnutls_x509_crt_get_fingerprint(cert,
 112                                               algo,
 113                                               cb->data,
 114                                               &rlen);
 115         if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
 116                 cb->data = gnutls_realloc(cb->data, cb->size);
 117                 if (cb->data == NULL) {
 118                         gnutls_x509_crt_deinit(cert);
 119                         return GNUTLS_E_MEMORY_ERROR;
 120                 }
 121                 ret = gnutls_x509_crt_get_fingerprint(cert,
 122                                                       algo,
 123                                                       cb->data,
 124                                                       &rlen);
 125         }
 126
 127         cb->size = rlen;
 128         gnutls_x509_crt_deinit(cert);
 129         return ret;
 130 }