lib/ext_cert_type.c

   1 /*
   2  * Copyright (C) 2002, 2003, 2004, 2005, 2010 Free Software Foundation,
   3  * Inc.
   4  *
   5  * Author: Nikos Mavrogiannopoulos
   6  *
   7  * This file is part of GnuTLS.
   8  *
   9  * The GnuTLS is free software; you can redistribute it and/or
  10  * modify it under the terms of the GNU Lesser General Public License
  11  * as published by the Free Software Foundation; either version 2.1 of
  12  * the License, or (at your option) any later version.
  13  *
  14  * This library is distributed in the hope that it will be useful, but
  15  * WITHOUT ANY WARRANTY; without even the implied warranty of
  16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  17  * Lesser General Public License for more details.
  18  *
  19  * You should have received a copy of the GNU Lesser General Public
  20  * License along with this library; if not, write to the Free Software
  21  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
  22  * USA
  23  *
  24  */
  25
  26 /* This file contains the code the Certificate Type TLS extension.
  27  * This extension is currently gnutls specific.
  28  */
  29
  30 #include "gnutls_int.h"
  31 #include "gnutls_errors.h"
  32 #include "gnutls_num.h"
  33 #include "ext_cert_type.h"
  34 #include <gnutls_state.h>
  35 #include <gnutls_num.h>
  36
  37 /* Maps record size to numbers according to the
  38  * extensions draft.
  39  */
  40 inline static int _gnutls_num2cert_type (int num);
  41 inline static int _gnutls_cert_type2num (int record_size);
  42 static int _gnutls_cert_type_recv_params (gnutls_session_t session,
  43                                           const opaque * data,
  44                                           size_t data_size);
  45 static int _gnutls_cert_type_send_params (gnutls_session_t session,
  46                                           opaque * data, size_t);
  47
  48 extension_entry_st ext_mod_cert_type = {
  49   .name = "CERT TYPE",
  50   .type = GNUTLS_EXTENSION_CERT_TYPE,
  51   .parse_type = GNUTLS_EXT_TLS,
  52
  53   .recv_func = _gnutls_cert_type_recv_params,
  54   .send_func = _gnutls_cert_type_send_params,
  55   .pack_func = NULL,
  56   .unpack_func = NULL,
  57   .deinit_func = NULL
  58 };
  59
  60 /*
  61  * In case of a server: if a CERT_TYPE extension type is received then it stores
  62  * into the session security parameters the new value. The server may use gnutls_session_certificate_type_get(),
  63  * to access it.
  64  *
  65  * In case of a client: If a cert_types have been specified then we send the extension.
  66  *
  67  */
  68
  69 static int
  70 _gnutls_cert_type_recv_params (gnutls_session_t session,
  71                                const opaque * data, size_t _data_size)
  72 {
  73   int new_type = -1, ret, i;
  74   ssize_t data_size = _data_size;
  75
  76   if (session->security_parameters.entity == GNUTLS_CLIENT)
  77     {
  78       if (data_size > 0)
  79         {
  80           if (data_size != 1)
  81             {
  82               gnutls_assert ();
  83               return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
  84             }
  85
  86           new_type = _gnutls_num2cert_type (data[0]);
  87
  88           if (new_type < 0)
  89             {
  90               gnutls_assert ();
  91               return new_type;
  92             }
  93
  94           /* Check if we support this cert_type */
  95           if ((ret =
  96                _gnutls_session_cert_type_supported (session, new_type)) < 0)
  97             {
  98               gnutls_assert ();
  99               return ret;
 100             }
 101
 102           _gnutls_session_cert_type_set (session, new_type);
 103         }
 104     }
 105   else
 106     {                           /* SERVER SIDE - we must check if the sent cert type is the right one
 107                                  */
 108       if (data_size > 1)
 109         {
 110           uint8_t len;
 111
 112           DECR_LEN (data_size, 1);
 113           len = data[0];
 114           DECR_LEN (data_size, len);
 115
 116           for (i = 0; i < len; i++)
 117             {
 118               new_type = _gnutls_num2cert_type (data[i + 1]);
 119
 120               if (new_type < 0)
 121                 continue;
 122
 123               /* Check if we support this cert_type */
 124               if ((ret =
 125                    _gnutls_session_cert_type_supported (session,
 126                                                         new_type)) < 0)
 127                 {
 128                   gnutls_assert ();
 129                   continue;
 130                 }
 131               else
 132                 break;
 133               /* new_type is ok */
 134             }
 135
 136           if (new_type < 0)
 137             {
 138               gnutls_assert ();
 139               return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
 140             }
 141
 142           if ((ret =
 143                _gnutls_session_cert_type_supported (session, new_type)) < 0)
 144             {
 145               gnutls_assert ();
 146               /* The peer has requested unsupported certificate
 147                * types. Instead of failing, procceed normally.
 148                * (the ciphersuite selection would fail, or a
 149                * non certificate ciphersuite will be selected).
 150                */
 151               return 0;
 152             }
 153
 154           _gnutls_session_cert_type_set (session, new_type);
 155         }
 156
 157
 158     }
 159
 160   return 0;
 161 }
 162
 163 /* returns data_size or a negative number on failure
 164  */
 165 static int
 166 _gnutls_cert_type_send_params (gnutls_session_t session, opaque * data,
 167                                size_t data_size)
 168 {
 169   unsigned len, i;
 170
 171   /* this function sends the client extension data (dnsname) */
 172   if (session->security_parameters.entity == GNUTLS_CLIENT)
 173     {
 174
 175       if (session->internals.priorities.cert_type.algorithms > 0)
 176         {
 177
 178           len = session->internals.priorities.cert_type.algorithms;
 179
 180           if (len == 1 &&
 181               session->internals.priorities.cert_type.priority[0] ==
 182               GNUTLS_CRT_X509)
 183             {
 184               /* We don't use this extension if X.509 certificates
 185                * are used.
 186                */
 187               return 0;
 188             }
 189
 190           if (data_size < len + 1)
 191             {
 192               gnutls_assert ();
 193               return GNUTLS_E_SHORT_MEMORY_BUFFER;
 194             }
 195
 196           /* this is a vector!
 197            */
 198           data[0] = (uint8_t) len;
 199
 200           for (i = 0; i < len; i++)
 201             {
 202               data[i + 1] =
 203                 _gnutls_cert_type2num (session->internals.priorities.
 204                                        cert_type.priority[i]);
 205             }
 206           return len + 1;
 207         }
 208
 209     }
 210   else
 211     {                           /* server side */
 212       if (session->security_parameters.cert_type != DEFAULT_CERT_TYPE)
 213         {
 214           len = 1;
 215           if (data_size < len)
 216             {
 217               gnutls_assert ();
 218               return GNUTLS_E_SHORT_MEMORY_BUFFER;
 219             }
 220
 221           data[0] =
 222             _gnutls_cert_type2num (session->security_parameters.cert_type);
 223           return len;
 224         }
 225
 226
 227     }
 228
 229   return 0;
 230 }
 231
 232 /* Maps numbers to record sizes according to the
 233  * extensions draft.
 234  */
 235 inline static int
 236 _gnutls_num2cert_type (int num)
 237 {
 238   switch (num)
 239     {
 240     case 0:
 241       return GNUTLS_CRT_X509;
 242     case 1:
 243       return GNUTLS_CRT_OPENPGP;
 244     default:
 245       return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
 246     }
 247 }
 248
 249 /* Maps record size to numbers according to the
 250  * extensions draft.
 251  */
 252 inline static int
 253 _gnutls_cert_type2num (int cert_type)
 254 {
 255   switch (cert_type)
 256     {
 257     case GNUTLS_CRT_X509:
 258       return 0;
 259     case GNUTLS_CRT_OPENPGP:
 260       return 1;
 261     default:
 262       return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
 263     }
 264
 265 }