lib/ext/cert_type.c

   1 /*
   2  * Copyright (C) 2002-2012 Free Software Foundation, Inc.
   3  *
   4  * Author: Nikos Mavrogiannopoulos
   5  *
   6  * This file is part of GnuTLS.
   7  *
   8  * The GnuTLS is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public License
  10  * as published by the Free Software Foundation; either version 3 of
  11  * the License, or (at your option) any later version.
  12  *
  13  * This library is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public License
  19  * along with this program.  If not, see <http://www.gnu.org/licenses/>
  20  *
  21  */
  22
  23 /* This file contains the code the Certificate Type TLS extension.
  24  * This extension is currently gnutls specific.
  25  */
  26
  27 #include "gnutls_int.h"
  28 #include "gnutls_errors.h"
  29 #include "gnutls_num.h"
  30 #include <ext/cert_type.h>
  31 #include <gnutls_state.h>
  32 #include <gnutls_num.h>
  33
  34 /* Maps record size to numbers according to the
  35  * extensions draft.
  36  */
  37 inline static int _gnutls_num2cert_type (int num);
  38 inline static int _gnutls_cert_type2num (int record_size);
  39 static int _gnutls_cert_type_recv_params (gnutls_session_t session,
  40                                           const uint8_t * data,
  41                                           size_t data_size);
  42 static int _gnutls_cert_type_send_params (gnutls_session_t session,
  43                                           gnutls_buffer_st * extdata);
  44
  45 extension_entry_st ext_mod_cert_type = {
  46   .name = "CERT TYPE",
  47   .type = GNUTLS_EXTENSION_CERT_TYPE,
  48   .parse_type = GNUTLS_EXT_TLS,
  49
  50   .recv_func = _gnutls_cert_type_recv_params,
  51   .send_func = _gnutls_cert_type_send_params,
  52   .pack_func = NULL,
  53   .unpack_func = NULL,
  54   .deinit_func = NULL
  55 };
  56
  57 /*
  58  * In case of a server: if a CERT_TYPE extension type is received then it stores
  59  * into the session security parameters the new value. The server may use gnutls_session_certificate_type_get(),
  60  * to access it.
  61  *
  62  * In case of a client: If a cert_types have been specified then we send the extension.
  63  *
  64  */
  65
  66 static int
  67 _gnutls_cert_type_recv_params (gnutls_session_t session,
  68                                const uint8_t * data, size_t _data_size)
  69 {
  70   int new_type = -1, ret, i;
  71   ssize_t data_size = _data_size;
  72
  73   if (session->security_parameters.entity == GNUTLS_CLIENT)
  74     {
  75       if (data_size > 0)
  76         {
  77           if (data_size != 1)
  78             {
  79               gnutls_assert ();
  80               return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
  81             }
  82
  83           new_type = _gnutls_num2cert_type (data[0]);
  84
  85           if (new_type < 0)
  86             {
  87               gnutls_assert ();
  88               return new_type;
  89             }
  90
  91           /* Check if we support this cert_type */
  92           if ((ret =
  93                _gnutls_session_cert_type_supported (session, new_type)) < 0)
  94             {
  95               gnutls_assert ();
  96               return ret;
  97             }
  98
  99           _gnutls_session_cert_type_set (session, new_type);
 100         }
 101     }
 102   else
 103     {                           /* SERVER SIDE - we must check if the sent cert type is the right one
 104                                  */
 105       if (data_size > 1)
 106         {
 107           uint8_t len;
 108
 109           DECR_LEN (data_size, 1);
 110           len = data[0];
 111           DECR_LEN (data_size, len);
 112
 113           for (i = 0; i < len; i++)
 114             {
 115               new_type = _gnutls_num2cert_type (data[i + 1]);
 116
 117               if (new_type < 0)
 118                 continue;
 119
 120               /* Check if we support this cert_type */
 121               if ((ret =
 122                    _gnutls_session_cert_type_supported (session,
 123                                                         new_type)) < 0)
 124                 {
 125                   gnutls_assert ();
 126                   continue;
 127                 }
 128               else
 129                 break;
 130               /* new_type is ok */
 131             }
 132
 133           if (new_type < 0)
 134             {
 135               gnutls_assert ();
 136               return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
 137             }
 138
 139           if ((ret =
 140                _gnutls_session_cert_type_supported (session, new_type)) < 0)
 141             {
 142               gnutls_assert ();
 143               /* The peer has requested unsupported certificate
 144                * types. Instead of failing, procceed normally.
 145                * (the ciphersuite selection would fail, or a
 146                * non certificate ciphersuite will be selected).
 147                */
 148               return 0;
 149             }
 150
 151           _gnutls_session_cert_type_set (session, new_type);
 152         }
 153     }
 154
 155   return 0;
 156 }
 157
 158 /* returns data_size or a negative number on failure
 159  */
 160 static int
 161 _gnutls_cert_type_send_params (gnutls_session_t session, gnutls_buffer_st* extdata)
 162 {
 163   unsigned len, i;
 164   int ret;
 165   uint8_t p;
 166
 167   /* this function sends the client extension data (dnsname) */
 168   if (session->security_parameters.entity == GNUTLS_CLIENT)
 169     {
 170
 171       if (session->internals.priorities.cert_type.algorithms > 0)
 172         {
 173
 174           len = session->internals.priorities.cert_type.algorithms;
 175
 176           if (len == 1 &&
 177               session->internals.priorities.cert_type.priority[0] ==
 178               GNUTLS_CRT_X509)
 179             {
 180               /* We don't use this extension if X.509 certificates
 181                * are used.
 182                */
 183               return 0;
 184             }
 185
 186           /* this is a vector!
 187            */
 188           p = (uint8_t) len;
 189           ret = _gnutls_buffer_append_data(extdata, &p, 1);
 190           if (ret < 0)
 191             return gnutls_assert_val(ret);
 192
 193           for (i = 0; i < len; i++)
 194             {
 195               p =
 196                 _gnutls_cert_type2num (session->internals.priorities.
 197                                        cert_type.priority[i]);
 198               ret = _gnutls_buffer_append_data(extdata, &p, 1);
 199               if (ret < 0)
 200                 return gnutls_assert_val(ret);
 201             }
 202           return len + 1;
 203         }
 204
 205     }
 206   else
 207     {                           /* server side */
 208       if (session->security_parameters.cert_type != DEFAULT_CERT_TYPE)
 209         {
 210           len = 1;
 211
 212           p =
 213             _gnutls_cert_type2num (session->security_parameters.cert_type);
 214           ret = _gnutls_buffer_append_data(extdata, &p, 1);
 215           if (ret < 0)
 216             return gnutls_assert_val(ret);
 217
 218           return len;
 219         }
 220
 221
 222     }
 223
 224   return 0;
 225 }
 226
 227 /* Maps numbers to record sizes according to the
 228  * extensions draft.
 229  */
 230 inline static int
 231 _gnutls_num2cert_type (int num)
 232 {
 233   switch (num)
 234     {
 235     case 0:
 236       return GNUTLS_CRT_X509;
 237     case 1:
 238       return GNUTLS_CRT_OPENPGP;
 239     default:
 240       return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
 241     }
 242 }
 243
 244 /* Maps record size to numbers according to the
 245  * extensions draft.
 246  */
 247 inline static int
 248 _gnutls_cert_type2num (int cert_type)
 249 {
 250   switch (cert_type)
 251     {
 252     case GNUTLS_CRT_X509:
 253       return 0;
 254     case GNUTLS_CRT_OPENPGP:
 255       return 1;
 256     default:
 257       return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
 258     }
 259
 260 }