2 * Copyright (C) 2002-2016 Free Software Foundation, Inc.
3 * Copyright (C) 2014-2016 Nikos Mavrogiannopoulos
4 * Copyright (C) 2015-2018 Red Hat, Inc.
6 * Author: Nikos Mavrogiannopoulos
8 * This file is part of GnuTLS.
10 * The GnuTLS is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU Lesser General Public License
12 * as published by the Free Software Foundation; either version 2.1 of
13 * the License, or (at your option) any later version.
15 * This library is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 * Lesser General Public License for more details.
20 * You should have received a copy of the GNU Lesser General Public License
21 * along with this program. If not, see <https://www.gnu.org/licenses/>
26 #include "gnutls_helpers.h"
27 #include <gnutls/gnutls.h>
28 #include <gnutls/x509.h>
30 int legacy_gnutls_server_end_point_cb(gnutls_session_t session
,
35 * copied from the logic in gnutls_session_channel_binding()
36 * introduced by gnutls commit (as LGPL 2.1+):
38 * commit 9ebee00c793e40e3e8c797c645577c9e025b9f1e
39 * Author: Ruslan N. Marchenko <me@ruff.mobi>
40 * Date: Sat May 1 23:05:54 2021 +0200
42 * Add tls-server-end-point tls channel binding implementation.
45 const gnutls_datum_t
*ders
= NULL
;
46 unsigned int num_certs
= 1;
49 gnutls_x509_crt_t cert
;
50 gnutls_digest_algorithm_t algo
;
52 /* Only X509 certificates are supported for this binding type */
53 ret
= gnutls_certificate_type_get(session
);
54 if (ret
!= GNUTLS_CRT_X509
) {
55 return GNUTLS_E_UNIMPLEMENTED_FEATURE
;
59 ders
= gnutls_certificate_get_ours(session
);
61 ders
= gnutls_certificate_get_peers(session
, &num_certs
);
64 /* Previous check indicated we have x509 but you never know */
65 if (!ders
|| num_certs
== 0) {
66 return GNUTLS_E_UNIMPLEMENTED_FEATURE
;
69 ret
= gnutls_x509_crt_list_import(&cert
,
74 /* Again, this is not supposed to happen (normally) */
75 if (ret
< 0 || num_certs
== 0) {
76 return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE
;
79 /* Obtain signature algorithm used by certificate */
80 ret
= gnutls_x509_crt_get_signature_algorithm(cert
);
81 if (ret
< 0 || ret
== GNUTLS_SIGN_UNKNOWN
) {
82 gnutls_x509_crt_deinit(cert
);
83 return GNUTLS_E_UNIMPLEMENTED_FEATURE
;
86 /* obtain hash function from signature and normalize it */
87 algo
= gnutls_sign_get_hash_algorithm(ret
);
91 algo
= GNUTLS_DIG_SHA256
;
93 case GNUTLS_DIG_UNKNOWN
:
95 case GNUTLS_DIG_MD5_SHA1
:
96 /* double hashing not supported either */
97 gnutls_x509_crt_deinit(cert
);
98 return GNUTLS_E_UNIMPLEMENTED_FEATURE
;
103 /* preallocate 512 bits buffer as maximum supported digest */
105 cb
->data
= gnutls_malloc(rlen
);
106 if (cb
->data
== NULL
) {
107 gnutls_x509_crt_deinit(cert
);
108 return GNUTLS_E_MEMORY_ERROR
;
111 ret
= gnutls_x509_crt_get_fingerprint(cert
,
115 if (ret
== GNUTLS_E_SHORT_MEMORY_BUFFER
) {
116 cb
->data
= gnutls_realloc(cb
->data
, cb
->size
);
117 if (cb
->data
== NULL
) {
118 gnutls_x509_crt_deinit(cert
);
119 return GNUTLS_E_MEMORY_ERROR
;
121 ret
= gnutls_x509_crt_get_fingerprint(cert
,
128 gnutls_x509_crt_deinit(cert
);