search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Version 2.3.13.
[gnutls.git] / lib / auth_cert.c
blob030caf8f8adb6f6d32321d3d815941e92000e81c
1 /*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25 /* The certificate authentication functions which are needed in the handshake,
26 * and are common to RSA and DHE key exchange, are in this file.
27 */
28
29 #include <gnutls_int.h>
30 #include "gnutls_auth_int.h"
31 #include "gnutls_errors.h"
32 #include <gnutls_cert.h>
33 #include <auth_cert.h>
34 #include "gnutls_dh.h"
35 #include "gnutls_num.h"
36 #include "libtasn1.h"
37 #include "gnutls_datum.h"
38 #include <gnutls_pk.h>
39 #include <gnutls_algorithms.h>
40 #include <gnutls_global.h>
41 #include <gnutls_record.h>
42 #include <gnutls_sig.h>
43 #include <gnutls_state.h>
44 #include <gnutls_pk.h>
45 #include <gnutls_x509.h>
46 #include "debug.h"
47
48 #ifdef ENABLE_OPENPGP
49 # include "openpgp/gnutls_openpgp.h"
50
51 static gnutls_privkey *
52 alloc_and_load_pgp_key (const gnutls_openpgp_privkey_t key);
53 static gnutls_cert *
54 alloc_and_load_pgp_certs (gnutls_openpgp_crt_t cert);
55
56 #endif
57
58 static gnutls_cert *alloc_and_load_x509_certs (gnutls_x509_crt_t * certs,
59 unsigned);
60 static gnutls_privkey *alloc_and_load_x509_key (gnutls_x509_privkey_t key);
61
62
63
64 /* Copies data from a internal certificate struct (gnutls_cert) to
65 * exported certificate struct (cert_auth_info_t)
66 */
67 static int
68 _gnutls_copy_certificate_auth_info (cert_auth_info_t info,
69 gnutls_cert * cert, int ncerts)
70 {
71 /* Copy peer's information to auth_info_t
72 */
73 int ret, i, j;
74
75 if (ncerts == 0)
76 {
77 info->raw_certificate_list = NULL;
78 info->ncerts = 0;
79 return 0;
80 }
81
82 info->raw_certificate_list =
83 gnutls_calloc (1, sizeof (gnutls_datum_t) * ncerts);
84 if (info->raw_certificate_list == NULL)
85 {
86 gnutls_assert ();
87 return GNUTLS_E_MEMORY_ERROR;
88 }
89
90 for (i = 0; i < ncerts; i++)
91 {
92 if (cert->raw.size > 0)
93 {
94 ret =
95 _gnutls_set_datum (&info->
96 raw_certificate_list[i],
97 cert[i].raw.data, cert[i].raw.size);
98 if (ret < 0)
99 {
100 gnutls_assert ();
101 goto clear;
102 }
103 }
104 }
105 info->ncerts = ncerts;
106
107 info->cert_type = cert[0].cert_type;
108 #ifdef ENABLE_OPENPGP
109 if (cert[0].cert_type == GNUTLS_CRT_OPENPGP)
110 {
111 info->use_subkey = cert[0].use_subkey;
112 memcpy( info->subkey_id, cert[0].subkey_id, sizeof(info->subkey_id));
113 }
114 #endif
115
116 return 0;
117
118 clear:
119
120 for (j = 0; j < i; j++)
121 _gnutls_free_datum (&info->raw_certificate_list[j]);
122
123 gnutls_free (info->raw_certificate_list);
124 info->raw_certificate_list = NULL;
125
126 return ret;
127 }
128
129
130
131
132 /* returns 0 if the algo_to-check exists in the pk_algos list,
133 * -1 otherwise.
134 */
135 inline static int
136 _gnutls_check_pk_algo_in_list (const gnutls_pk_algorithm_t *
137 pk_algos, int pk_algos_length,
138 gnutls_pk_algorithm_t algo_to_check)
139 {
140 int i;
141 for (i = 0; i < pk_algos_length; i++)
142 {
143 if (algo_to_check == pk_algos[i])
144 {
145 return 0;
146 }
147 }
148 return -1;
149 }
150
151
152 /* Returns the issuer's Distinguished name in odn, of the certificate
153 * specified in cert.
154 */
155 static int
156 _gnutls_cert_get_issuer_dn (gnutls_cert * cert, gnutls_datum_t * odn)
157 {
158 ASN1_TYPE dn;
159 int len, result;
160 int start, end;
161
162 if ((result = asn1_create_element
163 (_gnutls_get_pkix (), "PKIX1.Certificate", &dn)) != ASN1_SUCCESS)
164 {
165 gnutls_assert ();
166 return _gnutls_asn2err (result);
167 }
168
169 result = asn1_der_decoding (&dn, cert->raw.data, cert->raw.size, NULL);
170 if (result != ASN1_SUCCESS)
171 {
172 /* couldn't decode DER */
173 gnutls_assert ();
174 asn1_delete_structure (&dn);
175 return _gnutls_asn2err (result);
176 }
177
178 result = asn1_der_decoding_startEnd (dn, cert->raw.data, cert->raw.size,
179 "tbsCertificate.issuer", &start, &end);
180
181 if (result != ASN1_SUCCESS)
182 {
183 /* couldn't decode DER */
184 gnutls_assert ();
185 asn1_delete_structure (&dn);
186 return _gnutls_asn2err (result);
187 }
188 asn1_delete_structure (&dn);
189
190 len = end - start + 1;
191
192 odn->size = len;
193 odn->data = &cert->raw.data[start];
194
195 return 0;
196 }
197
198
199 /* Locates the most appropriate x509 certificate using the
200 * given DN. If indx == -1 then no certificate was found.
201 *
202 * That is to guess which certificate to use, based on the
203 * CAs and sign algorithms supported by the peer server.
204 */
205 static int
206 _find_x509_cert (const gnutls_certificate_credentials_t cred,
207 opaque * _data, size_t _data_size,
208 const gnutls_pk_algorithm_t * pk_algos,
209 int pk_algos_length, int *indx)
210 {
211 unsigned size;
212 gnutls_datum_t odn = { NULL, 0 };
213 opaque *data = _data;
214 ssize_t data_size = _data_size;
215 unsigned i, j;
216 int result, cert_pk;
217
218 *indx = -1;
219
220 do
221 {
222
223 DECR_LENGTH_RET (data_size, 2, 0);
224 size = _gnutls_read_uint16 (data);
225 DECR_LENGTH_RET (data_size, size, 0);
226 data += 2;
227
228 for (i = 0; i < cred->ncerts; i++)
229 {
230 for (j = 0; j < cred->cert_list_length[i]; j++)
231 {
232 if ((result =
233 _gnutls_cert_get_issuer_dn (&cred->
234 cert_list[i][j], &odn)) < 0)
235 {
236 gnutls_assert ();
237 return result;
238 }
239
240 if (odn.size != size)
241 continue;
242
243 /* If the DN matches and
244 * the *_SIGN algorithm matches
245 * the cert is our cert!
246 */
247 cert_pk = cred->cert_list[i][0].subject_pk_algorithm;
248
249 if ((memcmp (odn.data, data, size) == 0) &&
250 (_gnutls_check_pk_algo_in_list
251 (pk_algos, pk_algos_length, cert_pk) == 0))
252 {
253 *indx = i;
254 break;
255 }
256 }
257 if (*indx != -1)
258 break;
259 }
260
261 if (*indx != -1)
262 break;
263
264 /* move to next record */
265 data += size;
266
267 }
268 while (1);
269
270 return 0;
271
272 }
273
274 #ifdef ENABLE_OPENPGP
275 /* Locates the most appropriate openpgp cert
276 */
277 static int
278 _find_openpgp_cert (const gnutls_certificate_credentials_t cred,
279 gnutls_pk_algorithm_t * pk_algos,
280 int pk_algos_length, int *indx)
281 {
282 unsigned i, j;
283
284 *indx = -1;
285
286 for (i = 0; i < cred->ncerts; i++)
287 {
288 for (j = 0; j < cred->cert_list_length[i]; j++)
289 {
290
291 /* If the *_SIGN algorithm matches
292 * the cert is our cert!
293 */
294 if ((_gnutls_check_pk_algo_in_list
295 (pk_algos, pk_algos_length,
296 cred->cert_list[i][0].subject_pk_algorithm) == 0)
297 && (cred->cert_list[i][0].cert_type == GNUTLS_CRT_OPENPGP))
298 {
299 *indx = i;
300 break;
301 }
302 }
303 if (*indx != -1)
304 break;
305 }
306
307 return 0;
308 }
309 #endif
310
311 /* Returns the number of issuers in the server's
312 * certificate request packet.
313 */
314 static int
315 get_issuers_num (gnutls_session_t session, opaque * data, ssize_t data_size)
316 {
317 int issuers_dn_len = 0, result;
318 unsigned size;
319
320 /* Count the number of the given issuers;
321 * This is used to allocate the issuers_dn without
322 * using realloc().
323 */
324
325 if (data_size == 0 || data == NULL)
326 return 0;
327
328 if (data_size > 0)
329 do
330 {
331 /* This works like DECR_LEN()
332 */
333 result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
334 DECR_LENGTH_COM (data_size, 2, goto error);
335 size = _gnutls_read_uint16 (data);
336
337 result = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
338 DECR_LENGTH_COM (data_size, size, goto error);
339
340 data += 2;
341
342 if (size > 0)
343 {
344 issuers_dn_len++;
345 data += size;
346 }
347
348 if (data_size == 0)
349 break;
350
351 }
352 while (1);
353
354 return issuers_dn_len;
355
356 error:
357 return result;
358 }
359
360 /* Returns the issuers in the server's certificate request
361 * packet.
362 */
363 static int
364 get_issuers (gnutls_session_t session,
365 gnutls_datum_t * issuers_dn, int issuers_len,
366 opaque * data, size_t data_size)
367 {
368 int i;
369 unsigned size;
370
371 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509)
372 return 0;
373
374 /* put the requested DNs to req_dn, only in case
375 * of X509 certificates.
376 */
377 if (issuers_len > 0)
378 {
379
380 for (i = 0; i < issuers_len; i++)
381 {
382 /* The checks here for the buffer boundaries
383 * are not needed since the buffer has been
384 * parsed above.
385 */
386 data_size -= 2;
387
388 size = _gnutls_read_uint16 (data);
389
390 data += 2;
391
392 issuers_dn[i].data = data;
393 issuers_dn[i].size = size;
394
395 data += size;
396 }
397 }
398
399 return 0;
400 }
401
402 /* Calls the client get callback.
403 */
404 static int
405 call_get_cert_callback (gnutls_session_t session,
406 gnutls_datum_t * issuers_dn,
407 int issuers_dn_length,
408 gnutls_pk_algorithm_t * pk_algos, int pk_algos_length)
409 {
410 unsigned i;
411 gnutls_cert *local_certs = NULL;
412 gnutls_privkey *local_key = NULL;
413 gnutls_retr_st st;
414 int ret;
415 gnutls_certificate_type_t type = gnutls_certificate_type_get (session);
416 gnutls_certificate_credentials_t cred;
417
418 cred = (gnutls_certificate_credentials_t)
419 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
420 if (cred == NULL)
421 {
422 gnutls_assert ();
423 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
424 }
425
426 memset (&st, 0, sizeof (st));
427
428 if (session->security_parameters.entity == GNUTLS_SERVER)
429 {
430 ret = cred->server_get_cert_callback (session, &st);
431 }
432 else
433 { /* CLIENT */
434 ret =
435 cred->client_get_cert_callback (session,
436 issuers_dn, issuers_dn_length,
437 pk_algos, pk_algos_length, &st);
438 }
439
440 if (ret < 0)
441 {
442 gnutls_assert ();
443 return GNUTLS_E_INTERNAL_ERROR;
444 }
445
446 if (st.ncerts == 0)
447 return 0; /* no certificate was selected */
448
449 if (type != st.type)
450 {
451 gnutls_assert ();
452 ret = GNUTLS_E_INVALID_REQUEST;
453 goto cleanup;
454 }
455
456 if (type == GNUTLS_CRT_X509)
457 {
458 local_certs = alloc_and_load_x509_certs (st.cert.x509, st.ncerts);
459 if (local_certs != NULL && st.key.x509 != NULL)
460 {
461 local_key = alloc_and_load_x509_key (st.key.x509);
462 if (local_key == NULL)
463 {
464 gnutls_assert();
465 ret = GNUTLS_E_INTERNAL_ERROR;
466 goto cleanup;
467 }
468 }
469
470 }
471 else
472 { /* PGP */
473 if (st.ncerts > 1)
474 {
475 gnutls_assert ();
476 ret = GNUTLS_E_INVALID_REQUEST;
477 goto cleanup;
478 }
479
480 #ifdef ENABLE_OPENPGP
481 {
482 local_certs = alloc_and_load_pgp_certs (st.cert.pgp);
483 if (local_certs != NULL && st.key.pgp != NULL)
484 {
485 local_key = alloc_and_load_pgp_key (st.key.pgp);
486 if (local_key == NULL)
487 {
488 gnutls_assert();
489 ret = GNUTLS_E_INTERNAL_ERROR;
490 goto cleanup;
491 }
492 }
493 }
494 #endif
495 }
496
497 _gnutls_selected_certs_set (session, local_certs,
498 (local_certs != NULL) ? st.ncerts : 0,
499 local_key, 1);
500
501 ret = 0;
502
503 cleanup:
504
505 if (st.type == GNUTLS_CRT_X509)
506 {
507 if (st.deinit_all)
508 {
509 for (i = 0; i < st.ncerts; i++)
510 {
511 gnutls_x509_crt_deinit (st.cert.x509[i]);
512 }
513 gnutls_free (st.cert.x509);
514 gnutls_x509_privkey_deinit (st.key.x509);
515 }
516 }
517 else
518 {
519 #ifdef ENABLE_OPENPGP
520 if (st.deinit_all)
521 {
522 gnutls_openpgp_crt_deinit (st.cert.pgp);
523 gnutls_openpgp_privkey_deinit (st.key.pgp);
524 }
525 #endif
526 }
527
528 return ret;
529 }
530
531 /* Finds the appropriate certificate depending on the cA Distinguished name
532 * advertized by the server. If none matches then returns 0 and -1 as index.
533 * In case of an error a negative value, is returned.
534 *
535 * 20020128: added ability to select a certificate depending on the SIGN
536 * algorithm (only in automatic mode).
537 */
538 static int
539 _select_client_cert (gnutls_session_t session,
540 opaque * _data, size_t _data_size,
541 gnutls_pk_algorithm_t * pk_algos, int pk_algos_length)
542 {
543 int result;
544 int indx = -1;
545 gnutls_certificate_credentials_t cred;
546 opaque *data = _data;
547 ssize_t data_size = _data_size;
548 int issuers_dn_length;
549 gnutls_datum_t *issuers_dn = NULL;
550
551 cred = (gnutls_certificate_credentials_t)
552 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
553 if (cred == NULL)
554 {
555 gnutls_assert ();
556 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
557 }
558
559 if (cred->client_get_cert_callback != NULL)
560 {
561
562 /* use a callback to get certificate
563 */
564 if (session->security_parameters.cert_type != GNUTLS_CRT_X509)
565 issuers_dn_length = 0;
566 else
567 {
568 issuers_dn_length = get_issuers_num (session, data, data_size);
569 if (issuers_dn_length < 0)
570 {
571 gnutls_assert ();
572 return issuers_dn_length;
573 }
574
575 if (issuers_dn_length > 0)
576 {
577 issuers_dn =
578 gnutls_malloc (sizeof (gnutls_datum_t) * issuers_dn_length);
579 if (issuers_dn == NULL)
580 {
581 gnutls_assert ();
582 return GNUTLS_E_MEMORY_ERROR;
583 }
584
585 result =
586 get_issuers (session, issuers_dn, issuers_dn_length,
587 data, data_size);
588 if (result < 0)
589 {
590 gnutls_assert ();
591 goto cleanup;
592 }
593 }
594 }
595
596 result =
597 call_get_cert_callback (session, issuers_dn, issuers_dn_length,
598 pk_algos, pk_algos_length);
599 goto cleanup;
600
601 }
602 else
603 {
604 /* If we have no callbacks, try to guess.
605 */
606 result = 0;
607
608 if (session->security_parameters.cert_type == GNUTLS_CRT_X509)
609 result =
610 _find_x509_cert (cred, _data, _data_size,
611 pk_algos, pk_algos_length, &indx);
612
613 #ifdef ENABLE_OPENPGP
614 if (session->security_parameters.cert_type == GNUTLS_CRT_OPENPGP)
615 result = _find_openpgp_cert (cred, pk_algos, pk_algos_length, &indx);
616 #endif
617
618 if (result < 0)
619 {
620 gnutls_assert ();
621 return result;
622 }
623
624 if (indx >= 0)
625 {
626 _gnutls_selected_certs_set (session,
627 &cred->cert_list[indx][0],
628 cred->cert_list_length[indx],
629 &cred->pkey[indx], 0);
630 }
631 else
632 {
633 _gnutls_selected_certs_set (session, NULL, 0, NULL, 0);
634 }
635
636 result = 0;
637 }
638
639 cleanup:
640 gnutls_free (issuers_dn);
641 return result;
642
643 }
644
645 /* Generate client certificate
646 */
647
648 int
649 _gnutls_gen_x509_crt (gnutls_session_t session, opaque ** data)
650 {
651 int ret, i;
652 opaque *pdata;
653 gnutls_cert *apr_cert_list;
654 gnutls_privkey *apr_pkey;
655 int apr_cert_list_length;
656
657 /* find the appropriate certificate
658 */
659 if ((ret =
660 _gnutls_get_selected_cert (session, &apr_cert_list,
661 &apr_cert_list_length, &apr_pkey)) < 0)
662 {
663 gnutls_assert ();
664 return ret;
665 }
666
667 ret = 3;
668 for (i = 0; i < apr_cert_list_length; i++)
669 {
670 ret += apr_cert_list[i].raw.size + 3;
671 /* hold size
672 * for uint24 */
673 }
674
675 /* if no certificates were found then send:
676 * 0B 00 00 03 00 00 00 // Certificate with no certs
677 * instead of:
678 * 0B 00 00 00 // empty certificate handshake
679 *
680 * ( the above is the whole handshake message, not
681 * the one produced here )
682 */
683
684 (*data) = gnutls_malloc (ret);
685 pdata = (*data);
686
687 if (pdata == NULL)
688 {
689 gnutls_assert ();
690 return GNUTLS_E_MEMORY_ERROR;
691 }
692 _gnutls_write_uint24 (ret - 3, pdata);
693 pdata += 3;
694 for (i = 0; i < apr_cert_list_length; i++)
695 {
696 _gnutls_write_datum24 (pdata, apr_cert_list[i].raw);
697 pdata += (3 + apr_cert_list[i].raw.size);
698 }
699
700 return ret;
701 }
702
703 enum PGPKeyDescriptorType
704 { PGP_KEY_FINGERPRINT, PGP_KEY, PGP_KEY_SUBKEY, PGP_KEY_FINGERPRINT_SUBKEY };
705
706 #ifdef ENABLE_OPENPGP
707 int
708 _gnutls_gen_openpgp_certificate (gnutls_session_t session, opaque ** data)
709 {
710 int ret;
711 opaque *pdata;
712 gnutls_cert *apr_cert_list;
713 gnutls_privkey *apr_pkey;
714 int apr_cert_list_length;
715
716 /* find the appropriate certificate */
717 if ((ret =
718 _gnutls_get_selected_cert (session, &apr_cert_list,
719 &apr_cert_list_length, &apr_pkey)) < 0)
720 {
721 gnutls_assert ();
722 return ret;
723 }
724
725 ret = 3 + 1 + 3;
726
727
728 if (apr_cert_list_length > 0)
729 {
730 if (apr_cert_list[0].use_subkey != 0)
731 ret += 1 + sizeof(apr_cert_list[0].subkey_id); /* for the keyid */
732
733 ret += apr_cert_list[0].raw.size;
734 }
735
736 (*data) = gnutls_malloc (ret);
737 pdata = (*data);
738
739 if (pdata == NULL)
740 {
741 gnutls_assert ();
742 return GNUTLS_E_MEMORY_ERROR;
743 }
744
745 _gnutls_write_uint24 (ret - 3, pdata);
746 pdata += 3;
747
748
749 if (apr_cert_list_length > 0)
750 {
751 if (apr_cert_list[0].use_subkey != 0)
752 {
753 *pdata = PGP_KEY_SUBKEY;
754 pdata++;
755 *pdata = sizeof(apr_cert_list[0].subkey_id);
756 pdata++;
757 memcpy( pdata, apr_cert_list[0].subkey_id, sizeof(apr_cert_list[0].subkey_id));
758 pdata += sizeof(apr_cert_list[0].subkey_id);
759 }
760 else
761 {
762 *pdata = PGP_KEY;
763 pdata++;
764 }
765
766 _gnutls_write_datum24 (pdata, apr_cert_list[0].raw);
767 pdata += (3 + apr_cert_list[0].raw.size);
768 }
769 else /* empty - no certificate */
770 {
771 *pdata = PGP_KEY;
772 pdata++;
773 _gnutls_write_uint24 (0, pdata);
774 }
775
776 return ret;
777 }
778
779 int
780 _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t session, opaque ** data)
781 {
782 int ret, packet_size;
783 size_t fpr_size;
784 opaque *pdata;
785 gnutls_cert *apr_cert_list;
786 gnutls_privkey *apr_pkey;
787 int apr_cert_list_length;
788
789 /* find the appropriate certificate */
790 if ((ret =
791 _gnutls_get_selected_cert (session, &apr_cert_list,
792 &apr_cert_list_length, &apr_pkey)) < 0)
793 {
794 gnutls_assert ();
795 return ret;
796 }
797
798 packet_size = 3 + 1;
799
800 if (apr_cert_list[0].use_subkey)
801 packet_size += 1 + sizeof(apr_cert_list[0].subkey_id); /* for the keyid */
802
803 /* Only v4 fingerprints are sent
804 */
805 if (apr_cert_list_length > 0 && apr_cert_list[0].version == 4)
806 packet_size += 20 + 1;
807 else /* empty certificate case */
808 return _gnutls_gen_openpgp_certificate (session, data);
809
810 (*data) = gnutls_malloc (packet_size);
811 pdata = (*data);
812
813 if (pdata == NULL)
814 {
815 gnutls_assert ();
816 return GNUTLS_E_MEMORY_ERROR;
817 }
818
819 _gnutls_write_uint24 (packet_size - 3, pdata);
820 pdata += 3;
821
822 if (apr_cert_list[0].use_subkey)
823 {
824 *pdata = PGP_KEY_FINGERPRINT_SUBKEY;
825 pdata++;
826 *pdata = sizeof(apr_cert_list[0].subkey_id);
827 pdata++;
828 memcpy( pdata, apr_cert_list[0].subkey_id, sizeof(apr_cert_list[0].subkey_id));
829 pdata += sizeof(apr_cert_list[0].subkey_id);
830 }
831 else
832 {
833 *pdata = PGP_KEY_FINGERPRINT; /* key fingerprint */
834 pdata++;
835 }
836
837 *pdata = 20;
838 pdata++;
839
840 fpr_size = 20;
841
842 if ((ret =
843 _gnutls_openpgp_fingerprint (&apr_cert_list[0].raw, pdata,
844 &fpr_size)) < 0)
845 {
846 gnutls_assert ();
847 return ret;
848 }
849
850 return packet_size;
851 }
852 #endif
853
854
855 int
856 _gnutls_gen_cert_client_certificate (gnutls_session_t session, opaque ** data)
857 {
858 switch (session->security_parameters.cert_type)
859 {
860 #ifdef ENABLE_OPENPGP
861 case GNUTLS_CRT_OPENPGP:
862 if (_gnutls_openpgp_send_fingerprint (session) == 0)
863 return _gnutls_gen_openpgp_certificate (session, data);
864 else
865 return _gnutls_gen_openpgp_certificate_fpr (session, data);
866 #endif
867 case GNUTLS_CRT_X509:
868 return _gnutls_gen_x509_crt (session, data);
869
870 default:
871 gnutls_assert ();
872 return GNUTLS_E_INTERNAL_ERROR;
873 }
874 }
875
876 int
877 _gnutls_gen_cert_server_certificate (gnutls_session_t session, opaque ** data)
878 {
879 switch (session->security_parameters.cert_type)
880 {
881 #ifdef ENABLE_OPENPGP
882 case GNUTLS_CRT_OPENPGP:
883 return _gnutls_gen_openpgp_certificate (session, data);
884 #endif
885 case GNUTLS_CRT_X509:
886 return _gnutls_gen_x509_crt (session, data);
887 default:
888 gnutls_assert ();
889 return GNUTLS_E_INTERNAL_ERROR;
890 }
891 }
892
893 /* Process server certificate
894 */
895
896 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) _gnutls_gcert_deinit(&peer_certificate_list[x])
897 int
898 _gnutls_proc_x509_server_certificate (gnutls_session_t session,
899 opaque * data, size_t data_size)
900 {
901 int size, len, ret;
902 opaque *p = data;
903 cert_auth_info_t info;
904 gnutls_certificate_credentials_t cred;
905 ssize_t dsize = data_size;
906 int i, j, x;
907 gnutls_cert *peer_certificate_list;
908 int peer_certificate_list_size = 0;
909 gnutls_datum_t tmp;
910
911 cred = (gnutls_certificate_credentials_t)
912 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
913 if (cred == NULL)
914 {
915 gnutls_assert ();
916 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
917 }
918
919
920 if ((ret =
921 _gnutls_auth_info_set (session, GNUTLS_CRD_CERTIFICATE,
922 sizeof (cert_auth_info_st), 1)) < 0)
923 {
924 gnutls_assert ();
925 return ret;
926 }
927
928 info = _gnutls_get_auth_info (session);
929
930 if (data == NULL || data_size == 0)
931 {
932 gnutls_assert ();
933 /* no certificate was sent */
934 return GNUTLS_E_NO_CERTIFICATE_FOUND;
935 }
936
937 DECR_LEN (dsize, 3);
938 size = _gnutls_read_uint24 (p);
939 p += 3;
940
941 /* some implementations send 0B 00 00 06 00 00 03 00 00 00
942 * instead of just 0B 00 00 03 00 00 00 as an empty certificate message.
943 */
944 if (size == 0 || size == 3)
945 {
946 gnutls_assert ();
947 /* no certificate was sent */
948 return GNUTLS_E_NO_CERTIFICATE_FOUND;
949 }
950
951 i = dsize;
952 while (i > 0)
953 {
954 DECR_LEN (dsize, 3);
955 len = _gnutls_read_uint24 (p);
956 p += 3;
957 DECR_LEN (dsize, len);
958 peer_certificate_list_size++;
959 p += len;
960 i -= len + 3;
961 }
962
963 if (peer_certificate_list_size == 0)
964 {
965 gnutls_assert ();
966 return GNUTLS_E_NO_CERTIFICATE_FOUND;
967 }
968
969 /* Ok we now allocate the memory to hold the
970 * certificate list
971 */
972
973 peer_certificate_list =
974 gnutls_malloc (sizeof (gnutls_cert) * (peer_certificate_list_size));
975
976 if (peer_certificate_list == NULL)
977 {
978 gnutls_assert ();
979 return GNUTLS_E_MEMORY_ERROR;
980 }
981 memset (peer_certificate_list, 0, sizeof (gnutls_cert) *
982 peer_certificate_list_size);
983
984 p = data + 3;
985
986 /* Now we start parsing the list (again).
987 * We don't use DECR_LEN since the list has
988 * been parsed before.
989 */
990
991 for (j = 0; j < peer_certificate_list_size; j++)
992 {
993 len = _gnutls_read_uint24 (p);
994 p += 3;
995
996 tmp.size = len;
997 tmp.data = p;
998
999 if ((ret =
1000 _gnutls_x509_raw_cert_to_gcert (&peer_certificate_list
1001 [j], &tmp,
1002 CERT_ONLY_EXTENSIONS)) < 0)
1003 {
1004 gnutls_assert ();
1005 goto cleanup;
1006 }
1007
1008 p += len;
1009 }
1010
1011
1012 if ((ret =
1013 _gnutls_copy_certificate_auth_info (info,
1014 peer_certificate_list,
1015 peer_certificate_list_size)) < 0)
1016 {
1017 gnutls_assert ();
1018 goto cleanup;
1019 }
1020
1021 if ((ret =
1022 _gnutls_check_key_usage (&peer_certificate_list[0],
1023 gnutls_kx_get (session))) < 0)
1024 {
1025 gnutls_assert ();
1026 goto cleanup;
1027 }
1028
1029 ret = 0;
1030
1031 cleanup:
1032 CLEAR_CERTS;
1033 gnutls_free (peer_certificate_list);
1034 return ret;
1035
1036 }
1037
1038 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) _gnutls_gcert_deinit(&peer_certificate_list[x])
1039 #ifdef ENABLE_OPENPGP
1040 int
1041 _gnutls_proc_openpgp_server_certificate (gnutls_session_t session,
1042 opaque * data, size_t data_size)
1043 {
1044 int size, ret, len;
1045 opaque *p = data;
1046 cert_auth_info_t info;
1047 gnutls_certificate_credentials_t cred;
1048 ssize_t dsize = data_size;
1049 int i, x, key_type;
1050 gnutls_cert *peer_certificate_list = NULL;
1051 int peer_certificate_list_size = 0;
1052 gnutls_datum_t tmp, akey = { NULL, 0 };
1053 gnutls_openpgp_keyid_t subkey_id;
1054 unsigned int subkey_id_set = 0;
1055
1056 cred = (gnutls_certificate_credentials_t)
1057 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
1058 if (cred == NULL)
1059 {
1060 gnutls_assert ();
1061 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1062 }
1063
1064 if ((ret =
1065 _gnutls_auth_info_set (session, GNUTLS_CRD_CERTIFICATE,
1066 sizeof (cert_auth_info_st), 1)) < 0)
1067 {
1068 gnutls_assert ();
1069 return ret;
1070 }
1071
1072 info = _gnutls_get_auth_info (session);
1073
1074 if (data == NULL || data_size == 0)
1075 {
1076 gnutls_assert ();
1077 return GNUTLS_E_NO_CERTIFICATE_FOUND;
1078 }
1079
1080 DECR_LEN (dsize, 3);
1081 size = _gnutls_read_uint24 (p);
1082 p += 3;
1083
1084 if (size == 0)
1085 {
1086 gnutls_assert ();
1087 /* no certificate was sent */
1088 return GNUTLS_E_NO_CERTIFICATE_FOUND;
1089 }
1090 i = dsize;
1091
1092 /* Read PGPKeyDescriptor */
1093 DECR_LEN (dsize, 1);
1094 key_type = *p;
1095 p++;
1096
1097 /* Try to read the keyid if present */
1098 if (key_type == PGP_KEY_FINGERPRINT_SUBKEY || key_type == PGP_KEY_SUBKEY)
1099 {
1100 /* check size */
1101 if (*p != sizeof( subkey_id))
1102 {
1103 gnutls_assert();
1104 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
1105 }
1106
1107 DECR_LEN (dsize, 1);
1108 p++;
1109
1110 DECR_LEN (dsize, sizeof( subkey_id));
1111 memcpy( subkey_id, p, sizeof( subkey_id));
1112 p+= sizeof( subkey_id);
1113
1114 subkey_id_set = 1;
1115
1116 }
1117
1118 /* read the actual key or fingerprint */
1119 if (key_type == PGP_KEY_FINGERPRINT || key_type == PGP_KEY_FINGERPRINT_SUBKEY)
1120 { /* the fingerprint */
1121
1122 DECR_LEN (dsize, 1);
1123 len = (uint8_t) * p;
1124 p++;
1125
1126 if (len != 20)
1127 {
1128 gnutls_assert ();
1129 return GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED;
1130 }
1131
1132 DECR_LEN (dsize, 20);
1133
1134 /* request the actual key from our database, or
1135 * a key server or anything.
1136 */
1137 if ((ret =
1138 _gnutls_openpgp_request_key (session, &akey, cred, p, 20)) < 0)
1139 {
1140 gnutls_assert ();
1141 return ret;
1142 }
1143 tmp = akey;
1144 peer_certificate_list_size++;
1145
1146 }
1147 else if (key_type == PGP_KEY || key_type == PGP_KEY_SUBKEY)
1148 { /* the whole key */
1149
1150 /* Read the actual certificate */
1151 DECR_LEN (dsize, 3);
1152 len = _gnutls_read_uint24 (p);
1153 p += 3;
1154
1155 if (len == 0)
1156 {
1157 gnutls_assert ();
1158 /* no certificate was sent */
1159 return GNUTLS_E_NO_CERTIFICATE_FOUND;
1160 }
1161
1162 DECR_LEN (dsize, len);
1163 peer_certificate_list_size++;
1164
1165 tmp.size = len;
1166 tmp.data = p;
1167
1168 }
1169 else
1170 {
1171 gnutls_assert ();
1172 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
1173 }
1174
1175 /* ok we now have the peer's key in tmp datum
1176 */
1177
1178 if (peer_certificate_list_size == 0)
1179 {
1180 gnutls_assert ();
1181 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1182 }
1183
1184 peer_certificate_list =
1185 gnutls_malloc (sizeof (gnutls_cert) * (peer_certificate_list_size));
1186 if (peer_certificate_list == NULL)
1187 {
1188 gnutls_assert ();
1189 ret = GNUTLS_E_MEMORY_ERROR;
1190 goto cleanup;
1191 }
1192 memset (peer_certificate_list, 0, sizeof (gnutls_cert) *
1193 peer_certificate_list_size);
1194
1195 if ((ret =
1196 _gnutls_openpgp_raw_crt_to_gcert (&peer_certificate_list[0],
1197 &tmp, subkey_id_set?subkey_id:NULL)) < 0)
1198 {
1199 gnutls_assert ();
1200 goto cleanup;
1201 }
1202
1203 if ((ret =
1204 _gnutls_copy_certificate_auth_info (info,
1205 peer_certificate_list,
1206 peer_certificate_list_size)) < 0)
1207 {
1208 gnutls_assert ();
1209 goto cleanup;
1210 }
1211
1212 if ((ret =
1213 _gnutls_check_key_usage (&peer_certificate_list[0],
1214 gnutls_kx_get (session))) < 0)
1215 {
1216 gnutls_assert ();
1217 goto cleanup;
1218 }
1219
1220 ret = 0;
1221
1222 cleanup:
1223
1224 _gnutls_free_datum (&akey);
1225 CLEAR_CERTS;
1226 gnutls_free (peer_certificate_list);
1227 return ret;
1228
1229 }
1230 #endif
1231
1232 int
1233 _gnutls_proc_cert_server_certificate (gnutls_session_t session,
1234 opaque * data, size_t data_size)
1235 {
1236 switch (session->security_parameters.cert_type)
1237 {
1238 #ifdef ENABLE_OPENPGP
1239 case GNUTLS_CRT_OPENPGP:
1240 return _gnutls_proc_openpgp_server_certificate (session,
1241 data, data_size);
1242 #endif
1243 case GNUTLS_CRT_X509:
1244 return _gnutls_proc_x509_server_certificate (session, data, data_size);
1245 default:
1246 gnutls_assert ();
1247 return GNUTLS_E_INTERNAL_ERROR;
1248 }
1249 }
1250
1251 #define MAX_SIGN_ALGOS 2
1252 typedef enum CertificateSigType
1253 { RSA_SIGN = 1, DSA_SIGN
1254 } CertificateSigType;
1255
1256 /* Checks if we support the given signature algorithm
1257 * (RSA or DSA). Returns the corresponding gnutls_pk_algorithm_t
1258 * if true;
1259 */
1260 inline static int
1261 _gnutls_check_supported_sign_algo (CertificateSigType algo)
1262 {
1263 switch (algo)
1264 {
1265 case RSA_SIGN:
1266 return GNUTLS_PK_RSA;
1267 case DSA_SIGN:
1268 return GNUTLS_PK_DSA;
1269 }
1270
1271 return -1;
1272 }
1273
1274 int
1275 _gnutls_proc_cert_cert_req (gnutls_session_t session, opaque * data,
1276 size_t data_size)
1277 {
1278 int size, ret;
1279 opaque *p;
1280 gnutls_certificate_credentials_t cred;
1281 cert_auth_info_t info;
1282 ssize_t dsize;
1283 int i, j;
1284 gnutls_pk_algorithm_t pk_algos[MAX_SIGN_ALGOS];
1285 int pk_algos_length;
1286 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
1287
1288 cred = (gnutls_certificate_credentials_t)
1289 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
1290 if (cred == NULL)
1291 {
1292 gnutls_assert ();
1293 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1294 }
1295
1296 if ((ret =
1297 _gnutls_auth_info_set (session, GNUTLS_CRD_CERTIFICATE,
1298 sizeof (cert_auth_info_st), 0)) < 0)
1299 {
1300 gnutls_assert ();
1301 return ret;
1302 }
1303
1304 info = _gnutls_get_auth_info (session);
1305
1306 p = data;
1307 dsize = data_size;
1308
1309 DECR_LEN (dsize, 1);
1310 size = p[0];
1311 p++;
1312 /* check if the sign algorithm is supported.
1313 */
1314 pk_algos_length = j = 0;
1315 for (i = 0; i < size; i++, p++)
1316 {
1317 DECR_LEN (dsize, 1);
1318 if ((ret = _gnutls_check_supported_sign_algo (*p)) > 0)
1319 {
1320 if (j < MAX_SIGN_ALGOS)
1321 {
1322 pk_algos[j++] = ret;
1323 pk_algos_length++;
1324 }
1325 }
1326 }
1327
1328 if (pk_algos_length == 0)
1329 {
1330 gnutls_assert ();
1331 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
1332 }
1333
1334 if (ver == GNUTLS_TLS1_2)
1335 {
1336 /* read supported hashes */
1337 int hash_num;
1338 DECR_LEN (dsize, 1);
1339
1340 hash_num = p[0] & 0xFF;
1341 p++;
1342
1343 DECR_LEN (dsize, hash_num);
1344 p+=hash_num;
1345 }
1346
1347 /* read the certificate authorities */
1348 DECR_LEN (dsize, 2);
1349 size = _gnutls_read_uint16 (p);
1350 p += 2;
1351
1352 if (session->security_parameters.cert_type == GNUTLS_CRT_OPENPGP && size != 0)
1353 {
1354 gnutls_assert(); // size should be zero
1355 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1356 }
1357
1358 DECR_LEN (dsize, size);
1359
1360 /* now we ask the user to tell which one
1361 * he wants to use.
1362 */
1363 if ((ret =
1364 _select_client_cert (session, p, size, pk_algos, pk_algos_length)) < 0)
1365 {
1366 gnutls_assert ();
1367 return ret;
1368 }
1369
1370 /* We should reply with a certificate message,
1371 * even if we have no certificate to send.
1372 */
1373 session->key->certificate_requested = 1;
1374
1375 return 0;
1376 }
1377
1378 int
1379 _gnutls_gen_cert_client_cert_vrfy (gnutls_session_t session, opaque ** data)
1380 {
1381 int ret;
1382 gnutls_cert *apr_cert_list;
1383 gnutls_privkey *apr_pkey;
1384 int apr_cert_list_length, size;
1385 gnutls_datum_t signature;
1386
1387 *data = NULL;
1388
1389 /* find the appropriate certificate */
1390 if ((ret =
1391 _gnutls_get_selected_cert (session, &apr_cert_list,
1392 &apr_cert_list_length, &apr_pkey)) < 0)
1393 {
1394 gnutls_assert ();
1395 return ret;
1396 }
1397
1398 if (apr_cert_list_length > 0)
1399 {
1400 if ((ret =
1401 _gnutls_tls_sign_hdata (session,
1402 &apr_cert_list[0],
1403 apr_pkey, &signature)) < 0)
1404 {
1405 gnutls_assert ();
1406 return ret;
1407 }
1408 }
1409 else
1410 {
1411 return 0;
1412 }
1413
1414 *data = gnutls_malloc (signature.size + 2);
1415 if (*data == NULL)
1416 {
1417 _gnutls_free_datum (&signature);
1418 return GNUTLS_E_MEMORY_ERROR;
1419 }
1420 size = signature.size;
1421 _gnutls_write_uint16 (size, *data);
1422
1423 memcpy (&(*data)[2], signature.data, size);
1424
1425 _gnutls_free_datum (&signature);
1426
1427 return size + 2;
1428 }
1429
1430 int
1431 _gnutls_proc_cert_client_cert_vrfy (gnutls_session_t session,
1432 opaque * data, size_t data_size)
1433 {
1434 int size, ret;
1435 ssize_t dsize = data_size;
1436 opaque *pdata = data;
1437 gnutls_datum_t sig;
1438 cert_auth_info_t info = _gnutls_get_auth_info (session);
1439 gnutls_cert peer_cert;
1440
1441 if (info == NULL || info->ncerts == 0)
1442 {
1443 gnutls_assert ();
1444 /* we need this in order to get peer's certificate */
1445 return GNUTLS_E_INTERNAL_ERROR;
1446 }
1447
1448 DECR_LEN (dsize, 2);
1449 size = _gnutls_read_uint16 (pdata);
1450 pdata += 2;
1451
1452 DECR_LEN (dsize, size);
1453
1454 sig.data = pdata;
1455 sig.size = size;
1456
1457 ret = _gnutls_get_auth_info_gcert (&peer_cert,
1458 session->security_parameters.cert_type,
1459 info, CERT_NO_COPY);
1460
1461 if (ret < 0)
1462 {
1463 gnutls_assert ();
1464 return ret;
1465 }
1466
1467 if ((ret = _gnutls_verify_sig_hdata (session, &peer_cert, &sig)) < 0)
1468 {
1469 gnutls_assert ();
1470 _gnutls_gcert_deinit (&peer_cert);
1471 return ret;
1472 }
1473 _gnutls_gcert_deinit (&peer_cert);
1474
1475 return 0;
1476 }
1477
1478 #define CERTTYPE_SIZE 3
1479 int
1480 _gnutls_gen_cert_server_cert_req (gnutls_session_t session, opaque ** data)
1481 {
1482 gnutls_certificate_credentials_t cred;
1483 int size;
1484 opaque *pdata;
1485 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
1486
1487 /* Now we need to generate the RDN sequence. This is
1488 * already in the CERTIFICATE_CRED structure, to improve
1489 * performance.
1490 */
1491
1492 cred = (gnutls_certificate_credentials_t)
1493 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
1494 if (cred == NULL)
1495 {
1496 gnutls_assert ();
1497 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1498 }
1499
1500 size = CERTTYPE_SIZE + 2; /* 2 for gnutls_certificate_type_t + 2 for size of rdn_seq
1501 */
1502
1503 if (session->security_parameters.cert_type == GNUTLS_CRT_X509 &&
1504 session->internals.ignore_rdn_sequence == 0)
1505 size += cred->x509_rdn_sequence.size;
1506
1507 if (ver == GNUTLS_TLS1_2)
1508 /* Need at least one byte to announce the number of supported hash
1509 functions (see below). */
1510 size += 1;
1511
1512 (*data) = gnutls_malloc (size);
1513 pdata = (*data);
1514
1515 if (pdata == NULL)
1516 {
1517 gnutls_assert ();
1518 return GNUTLS_E_MEMORY_ERROR;
1519 }
1520
1521 pdata[0] = CERTTYPE_SIZE - 1;
1522
1523 pdata[1] = RSA_SIGN;
1524 pdata[2] = DSA_SIGN; /* only these for now */
1525 pdata += CERTTYPE_SIZE;
1526
1527 if (ver == GNUTLS_TLS1_2)
1528 {
1529 /* Supported hashes (nothing for now -- FIXME). */
1530 *pdata = 0;
1531 pdata++;
1532 }
1533
1534 if (session->security_parameters.cert_type == GNUTLS_CRT_X509 &&
1535 session->internals.ignore_rdn_sequence == 0)
1536 {
1537 _gnutls_write_datum16 (pdata, cred->x509_rdn_sequence);
1538 /* pdata += cred->x509_rdn_sequence.size + 2; */
1539 }
1540 else
1541 {
1542 _gnutls_write_uint16( 0, pdata);
1543 /* pdata+=2; */
1544 }
1545
1546 return size;
1547 }
1548
1549
1550 /* This function will return the appropriate certificate to use.
1551 * Fills in the apr_cert_list, apr_cert_list_length and apr_pkey.
1552 * The return value is a negative value on error.
1553 *
1554 * It is normal to return 0 with no certificates in client side.
1555 *
1556 */
1557 int
1558 _gnutls_get_selected_cert (gnutls_session_t session,
1559 gnutls_cert ** apr_cert_list,
1560 int *apr_cert_list_length,
1561 gnutls_privkey ** apr_pkey)
1562 {
1563 if (session->security_parameters.entity == GNUTLS_SERVER)
1564 {
1565
1566 /* select_client_cert() has been called before.
1567 */
1568
1569 *apr_cert_list = session->internals.selected_cert_list;
1570 *apr_pkey = session->internals.selected_key;
1571 *apr_cert_list_length = session->internals.selected_cert_list_length;
1572
1573 if (*apr_cert_list_length == 0 || *apr_cert_list == NULL)
1574 {
1575 gnutls_assert ();
1576 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1577 }
1578
1579 }
1580 else
1581 { /* CLIENT SIDE
1582 */
1583
1584 /* we have already decided which certificate
1585 * to send.
1586 */
1587 *apr_cert_list = session->internals.selected_cert_list;
1588 *apr_cert_list_length = session->internals.selected_cert_list_length;
1589 *apr_pkey = session->internals.selected_key;
1590
1591 }
1592
1593 return 0;
1594 }
1595
1596 /* converts the given x509 certificate to gnutls_cert* and allocates
1597 * space for them.
1598 */
1599 static gnutls_cert *
1600 alloc_and_load_x509_certs (gnutls_x509_crt_t * certs, unsigned ncerts)
1601 {
1602 gnutls_cert *local_certs;
1603 int ret = 0;
1604 unsigned i, j;
1605
1606 if (certs == NULL)
1607 return NULL;
1608
1609 local_certs = gnutls_malloc (sizeof (gnutls_cert) * ncerts);
1610 if (local_certs == NULL)
1611 {
1612 gnutls_assert ();
1613 return NULL;
1614 }
1615
1616 for (i = 0; i < ncerts; i++)
1617 {
1618 ret = _gnutls_x509_crt_to_gcert (&local_certs[i], certs[i], 0);
1619 if (ret < 0)
1620 break;
1621 }
1622
1623 if (ret < 0)
1624 {
1625 gnutls_assert ();
1626 for (j = 0; j < i; j++)
1627 {
1628 _gnutls_gcert_deinit (&local_certs[j]);
1629 }
1630 gnutls_free (local_certs);
1631 return NULL;
1632 }
1633
1634 return local_certs;
1635 }
1636
1637 /* converts the given x509 key to gnutls_privkey* and allocates
1638 * space for it.
1639 */
1640 static gnutls_privkey *
1641 alloc_and_load_x509_key (gnutls_x509_privkey_t key)
1642 {
1643 gnutls_privkey *local_key;
1644 int ret = 0;
1645
1646 if (key == NULL)
1647 return NULL;
1648
1649 local_key = gnutls_malloc (sizeof (gnutls_privkey));
1650 if (local_key == NULL)
1651 {
1652 gnutls_assert ();
1653 return NULL;
1654 }
1655
1656 ret = _gnutls_x509_privkey_to_gkey (local_key, key);
1657 if (ret < 0)
1658 {
1659 gnutls_assert ();
1660 return NULL;
1661 }
1662
1663 return local_key;
1664 }
1665
1666 /* converts the given pgp certificate to gnutls_cert* and allocates
1667 * space for them.
1668 */
1669 #ifdef ENABLE_OPENPGP
1670 static gnutls_cert *
1671 alloc_and_load_pgp_certs (gnutls_openpgp_crt_t cert)
1672 {
1673 gnutls_cert *local_certs;
1674 int ret = 0;
1675
1676 if (cert == NULL)
1677 return NULL;
1678
1679 local_certs = gnutls_malloc (sizeof (gnutls_cert));
1680 if (local_certs == NULL)
1681 {
1682 gnutls_assert ();
1683 return NULL;
1684 }
1685
1686 ret = _gnutls_openpgp_crt_to_gcert (local_certs, cert);
1687 if (ret < 0)
1688 {
1689 gnutls_assert ();
1690 return NULL;
1691 }
1692
1693 if (ret < 0)
1694 {
1695 gnutls_assert ();
1696 _gnutls_gcert_deinit (local_certs);
1697 gnutls_free (local_certs);
1698 return NULL;
1699 }
1700
1701 ret = gnutls_openpgp_crt_get_preferred_key_id( cert, local_certs->subkey_id);
1702 if (ret < 0)
1703 local_certs->use_subkey = 0;
1704 else
1705 local_certs->use_subkey = 1;
1706
1707 return local_certs;
1708 }
1709
1710 /* converts the given raw key to gnutls_privkey* and allocates
1711 * space for it.
1712 */
1713 static gnutls_privkey *
1714 alloc_and_load_pgp_key (const gnutls_openpgp_privkey_t key)
1715 {
1716 gnutls_privkey *local_key;
1717 int ret = 0;
1718
1719 if (key == NULL)
1720 return NULL;
1721
1722 local_key = gnutls_malloc (sizeof (gnutls_privkey));
1723 if (local_key == NULL)
1724 {
1725 gnutls_assert ();
1726 return NULL;
1727 }
1728
1729 ret = _gnutls_openpgp_privkey_to_gkey (local_key, key);
1730 if (ret < 0)
1731 {
1732 gnutls_assert ();
1733 return NULL;
1734 }
1735
1736 return local_key;
1737 }
1738 #endif
1739
1740 void
1741 _gnutls_selected_certs_deinit (gnutls_session_t session)
1742 {
1743 if (session->internals.selected_need_free != 0)
1744 {
1745 int i;
1746
1747 for (i = 0; i < session->internals.selected_cert_list_length; i++)
1748 {
1749 _gnutls_gcert_deinit (&session->internals.selected_cert_list[i]);
1750 }
1751 gnutls_free (session->internals.selected_cert_list);
1752 session->internals.selected_cert_list = NULL;
1753 session->internals.selected_cert_list_length = 0;
1754
1755 _gnutls_gkey_deinit (session->internals.selected_key);
1756 if (session->internals.selected_key)
1757 {
1758 gnutls_free (session->internals.selected_key);
1759 session->internals.selected_key = NULL;
1760 }
1761 }
1762
1763 return;
1764 }
1765
1766 void
1767 _gnutls_selected_certs_set (gnutls_session_t session,
1768 gnutls_cert * certs, int ncerts,
1769 gnutls_privkey * key, int need_free)
1770 {
1771 _gnutls_selected_certs_deinit (session);
1772
1773 session->internals.selected_cert_list = certs;
1774 session->internals.selected_cert_list_length = ncerts;
1775 session->internals.selected_key = key;
1776 session->internals.selected_need_free = need_free;
1777
1778 }
1779
1780
1781 /* finds the most appropriate certificate in the cert list.
1782 * The 'appropriate' is defined by the user.
1783 *
1784 * requested_algo holds the parameters required by the peer (RSA, DSA
1785 * or -1 for any).
1786 *
1787 * Returns 0 on success and a negative value on error. The
1788 * selected certificate will be in session->internals.selected_*.
1789 *
1790 */
1791 int
1792 _gnutls_server_select_cert (gnutls_session_t session,
1793 gnutls_pk_algorithm_t requested_algo)
1794 {
1795 unsigned i;
1796 int idx, ret;
1797 gnutls_certificate_credentials_t cred;
1798
1799 cred = (gnutls_certificate_credentials_t)
1800 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
1801 if (cred == NULL)
1802 {
1803 gnutls_assert ();
1804 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1805 }
1806
1807 /* If the callback which retrieves certificate has been set,
1808 * use it and leave.
1809 */
1810 if (cred->server_get_cert_callback != NULL)
1811 return call_get_cert_callback (session, NULL, 0, NULL, 0);
1812
1813 /* Otherwise... */
1814
1815 ret = 0;
1816 idx = -1; /* default is use no certificate */
1817
1818
1819 for (i = 0; i < cred->ncerts; i++)
1820 {
1821 /* find one compatible certificate
1822 */
1823 if (requested_algo == GNUTLS_PK_ANY ||
1824 requested_algo == cred->cert_list[i][0].subject_pk_algorithm)
1825 {
1826 /* if cert type matches
1827 */
1828 if (session->security_parameters.cert_type ==
1829 cred->cert_list[i][0].cert_type)
1830 {
1831 idx = i;
1832 break;
1833 }
1834 }
1835 }
1836
1837 /* store the certificate pointer for future use, in the handshake.
1838 * (This will allow not calling this callback again.)
1839 */
1840 if (idx >= 0 && ret == 0)
1841 {
1842 _gnutls_selected_certs_set (session,
1843 &cred->cert_list[idx][0],
1844 cred->cert_list_length[idx],
1845 &cred->pkey[idx], 0);
1846 }
1847 else
1848 /* Certificate does not support REQUESTED_ALGO. */
1849 ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1850
1851 return ret;
1852 }
1853
1854 /* Frees the rsa_info_st structure.
1855 */
1856 void
1857 _gnutls_free_rsa_info (rsa_info_st * rsa)
1858 {
1859 _gnutls_free_datum (&rsa->modulus);
1860 _gnutls_free_datum (&rsa->exponent);
1861 }
Implementation of the SSL/TLS protocol