| blob | 654810abbc4c773f8338bf1ddd1ab03a627e744c |
1 /*
2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 /* This file contains certificate authentication functions to be exported in the
24 * API which did not fit elsewhere.
25 */
27 #include <gnutls_int.h>
28 #include <auth/srp.h>
29 #include <auth/anon.h>
30 #include <auth/cert.h>
31 #include <auth/psk.h>
32 #include <gnutls_errors.h>
33 #include <gnutls_auth.h>
34 #include <gnutls_state.h>
35 #include <gnutls_datum.h>
36 #include <extras/randomart.h>
37 #include <read-file.h>
39 /**
40 * gnutls_random_art:
41 * @type: The type of the random art
42 * @key_type: The type of the key (RSA, DSA etc.)
43 * @key_size: The size of the key in bits
44 * @fpr: The fingerprint of the key
45 * @fpr_size: The size of the fingerprint
46 * @art: The returned random art
47 *
48 * This function will convert a given fingerprint to an "artistic"
49 * image. The returned image is allocated using gnutls_malloc()
50 *
51 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
52 * an error code is returned.
53 *
54 **/
59 {
70 }
72 /* ANON & DHE */
74 /**
75 * gnutls_dh_set_prime_bits:
76 * @session: is a #gnutls_session_t structure.
77 * @bits: is the number of bits
78 *
79 * This function sets the number of bits, for use in a Diffie-Hellman
80 * key exchange. This is used both in DH ephemeral and DH anonymous
81 * cipher suites. This will set the minimum size of the prime that
82 * will be used for the handshake.
83 *
84 * In the client side it sets the minimum accepted number of bits. If
85 * a server sends a prime with less bits than that
86 * %GNUTLS_E_DH_PRIME_UNACCEPTABLE will be returned by the handshake.
87 *
88 * Note that values lower than 512 bits may allow decryption of the
89 * exchanged data.
90 *
91 * This function has no effect in server side.
92 *
93 **/
94 void
96 {
97 if (bits <= 512) _gnutls_audit_log(session, "Note that the security level of the Diffie-Hellman key exchange has been lowered to %u bits and this may allow decryption of the session data\n", bits);
99 }
102 /**
103 * gnutls_dh_get_group:
104 * @session: is a gnutls session
105 * @raw_gen: will hold the generator.
106 * @raw_prime: will hold the prime.
107 *
108 * This function will return the group parameters used in the last
109 * Diffie-Hellman key exchange with the peer. These are the prime and
110 * the generator used. This function should be used for both
111 * anonymous and ephemeral Diffie-Hellman. The output parameters must
112 * be freed with gnutls_free().
113 *
114 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
115 * an error code is returned.
116 **/
117 int
120 {
123 anon_auth_info_t anon_info;
124 cert_auth_info_t cert_info;
125 psk_auth_info_t psk_info;
128 {
150 }
154 {
157 }
161 {
165 }
168 }
170 /**
171 * gnutls_dh_get_pubkey:
172 * @session: is a gnutls session
173 * @raw_key: will hold the public key.
174 *
175 * This function will return the peer's public key used in the last
176 * Diffie-Hellman key exchange. This function should be used for both
177 * anonymous and ephemeral Diffie-Hellman. The output parameters must
178 * be freed with gnutls_free().
179 *
180 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
181 * an error code is returned.
182 **/
183 int
185 {
187 anon_auth_info_t anon_info;
188 cert_auth_info_t cert_info;
189 cert_auth_info_t psk_info;
192 {
194 {
200 }
202 {
208 }
210 {
217 }
221 }
225 }
227 /**
228 * gnutls_rsa_export_get_pubkey:
229 * @session: is a gnutls session
230 * @exponent: will hold the exponent.
231 * @modulus: will hold the modulus.
232 *
233 * This function will return the peer's public key exponent and
234 * modulus used in the last RSA-EXPORT authentication. The output
235 * parameters must be freed with gnutls_free().
236 *
237 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
238 * an error code is returned.
239 **/
240 int
244 {
245 cert_auth_info_t info;
249 {
257 {
260 }
265 {
269 }
272 }
275 }
278 /**
279 * gnutls_dh_get_secret_bits:
280 * @session: is a gnutls session
281 *
282 * This function will return the bits used in the last Diffie-Hellman
283 * key exchange with the peer. Should be used for both anonymous and
284 * ephemeral Diffie-Hellman.
285 *
286 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
287 * an error code is returned.
288 **/
289 int
291 {
293 {
295 {
296 anon_auth_info_t info;
302 }
304 {
305 psk_auth_info_t info;
311 }
313 {
314 cert_auth_info_t info;
321 }
325 }
326 }
328 static int
330 {
331 bigint_t mpi;
336 {
339 }
345 }
347 /**
348 * gnutls_dh_get_prime_bits:
349 * @session: is a gnutls session
350 *
351 * This function will return the bits of the prime used in the last
352 * Diffie-Hellman key exchange with the peer. Should be used for both
353 * anonymous and ephemeral Diffie-Hellman. Note that some ciphers,
354 * like RSA and DSA without DHE, do not use a Diffie-Hellman key
355 * exchange, and then this function will return 0.
356 *
357 * Returns: The Diffie-Hellman bit strength is returned, or 0 if no
358 * Diffie-Hellman key exchange was done, or a negative error code on
359 * failure.
360 **/
361 int
363 {
367 {
369 {
370 anon_auth_info_t info;
377 }
379 {
380 psk_auth_info_t info;
387 }
389 {
390 cert_auth_info_t info;
398 }
402 }
405 }
407 /**
408 * gnutls_rsa_export_get_modulus_bits:
409 * @session: is a gnutls session
410 *
411 * Get the export RSA parameter's modulus size.
412 *
413 * Returns: The bits used in the last RSA-EXPORT key exchange with the
414 * peer, or a negative error code in case of error.
415 **/
416 int
418 {
419 cert_auth_info_t info;
426 }
428 /**
429 * gnutls_dh_get_peers_public_bits:
430 * @session: is a gnutls session
431 *
432 * Get the Diffie-Hellman public key bit size. Can be used for both
433 * anonymous and ephemeral Diffie-Hellman.
434 *
435 * Returns: The public key bit size used in the last Diffie-Hellman
436 * key exchange with the peer, or a negative error code in case of error.
437 **/
438 int
440 {
444 {
446 {
447 anon_auth_info_t info;
455 }
457 {
458 psk_auth_info_t info;
466 }
468 {
469 cert_auth_info_t info;
477 }
481 }
484 }
486 /* CERTIFICATE STUFF */
488 /**
489 * gnutls_certificate_get_ours:
490 * @session: is a gnutls session
491 *
492 * Gets the certificate as sent to the peer in the last handshake.
493 * The certificate is in raw (DER) format. No certificate
494 * list is being returned. Only the first certificate.
495 *
496 * Returns: a pointer to a #gnutls_datum_t containing our
497 * certificate, or %NULL in case of an error or if no certificate
498 * was used.
499 **/
502 {
503 gnutls_certificate_credentials_t cred;
510 {
513 }
519 }
521 /**
522 * gnutls_certificate_get_peers:
523 * @session: is a gnutls session
524 * @list_size: is the length of the certificate list
525 *
526 * Get the peer's raw certificate (chain) as sent by the peer. These
527 * certificates are in raw format (DER encoded for X.509). In case of
528 * a X.509 then a certificate list may be present. The first
529 * certificate in the list is the peer's certificate, following the
530 * issuer's certificate, then the issuer's issuer etc.
531 *
532 * In case of OpenPGP keys a single key will be returned in raw
533 * format.
534 *
535 * Returns: a pointer to a #gnutls_datum_t containing our
536 * certificates, or %NULL in case of an error or if no certificate
537 * was used.
538 **/
542 {
543 cert_auth_info_t info;
553 }
556 /**
557 * gnutls_certificate_client_get_request_status:
558 * @session: is a gnutls session
559 *
560 * Get whether client certificate is requested or not.
561 *
562 * Returns: 0 if the peer (server) did not request client
563 * authentication or 1 otherwise, or a negative error code in case of
564 * error.
565 **/
566 int
568 {
570 }
572 /**
573 * gnutls_fingerprint:
574 * @algo: is a digest algorithm
575 * @data: is the data
576 * @result: is the place where the result will be copied (may be null).
577 * @result_size: should hold the size of the result. The actual size
578 * of the returned result will also be copied there.
579 *
580 * This function will calculate a fingerprint (actually a hash), of
581 * the given data. The result is not printable data. You should
582 * convert it to hex, or to something else printable.
583 *
584 * This is the usual way to calculate a fingerprint of an X.509 DER
585 * encoded certificate. Note however that the fingerprint of an
586 * OpenPGP is not just a hash and cannot be calculated with this
587 * function.
588 *
589 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
590 * an error code is returned.
591 **/
592 int
596 {
601 {
604 }
608 {
612 }
615 }
618 /**
619 * gnutls_certificate_set_dh_params:
620 * @res: is a gnutls_certificate_credentials_t structure
621 * @dh_params: is a structure that holds Diffie-Hellman parameters.
622 *
623 * This function will set the Diffie-Hellman parameters for a
624 * certificate server to use. These parameters will be used in
625 * Ephemeral Diffie-Hellman cipher suites. Note that only a pointer
626 * to the parameters are stored in the certificate handle, so if you
627 * deallocate the parameters before the certificate is deallocated,
628 * you must change the parameters stored in the certificate first.
629 *
630 **/
631 void
633 gnutls_dh_params_t dh_params)
634 {
636 }
638 /**
639 * gnutls_certificate_set_params_function:
640 * @res: is a gnutls_certificate_credentials_t structure
641 * @func: is the function to be called
642 *
643 * This function will set a callback in order for the server to get
644 * the Diffie-Hellman or RSA parameters for certificate
645 * authentication. The callback should return %GNUTLS_E_SUCCESS (0) on success.
646 **/
647 void
650 {
652 }
655 /**
656 * gnutls_certificate_set_verify_flags:
657 * @res: is a gnutls_certificate_credentials_t structure
658 * @flags: are the flags
659 *
660 * This function will set the flags to be used at verification of the
661 * certificates. Flags must be OR of the
662 * #gnutls_certificate_verify_flags enumerations. The default
663 * for TLS sessions is GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN.
664 *
665 **/
666 void
669 {
671 }
673 /**
674 * gnutls_certificate_set_verify_limits:
675 * @res: is a gnutls_certificate_credentials structure
676 * @max_bits: is the number of bits of an acceptable certificate (default 8200)
677 * @max_depth: is maximum depth of the verification of a certificate chain (default 5)
678 *
679 * This function will set some upper limits for the default
680 * verification function, gnutls_certificate_verify_peers2(), to avoid
681 * denial of service attacks. You can set them to zero to disable
682 * limits.
683 **/
684 void
688 {
691 }
693 /**
694 * gnutls_certificate_set_rsa_export_params:
695 * @res: is a gnutls_certificate_credentials_t structure
696 * @rsa_params: is a structure that holds temporary RSA parameters.
697 *
698 * This function will set the temporary RSA parameters for a
699 * certificate server to use. These parameters will be used in
700 * RSA-EXPORT cipher suites.
701 **/
702 void
705 {
707 }
709 /**
710 * gnutls_psk_set_params_function:
711 * @res: is a gnutls_psk_server_credentials_t structure
712 * @func: is the function to be called
713 *
714 * This function will set a callback in order for the server to get
715 * the Diffie-Hellman or RSA parameters for PSK authentication. The
716 * callback should return %GNUTLS_E_SUCCESS (0) on success.
717 **/
718 void
721 {
723 }
725 /**
726 * gnutls_anon_set_params_function:
727 * @res: is a gnutls_anon_server_credentials_t structure
728 * @func: is the function to be called
729 *
730 * This function will set a callback in order for the server to get
731 * the Diffie-Hellman or RSA parameters for anonymous authentication.
732 * The callback should return %GNUTLS_E_SUCCESS (0) on success.
733 **/
734 void
737 {
739 }
741 /**
742 * gnutls_load_file:
743 * @filename: the name of the file to load
744 * @data: Where the file will be stored
745 *
746 * This function will load a file into a datum. The data are
747 * zero terminated but the terminating null is not included in length.
748 * The returned data are allocated using gnutls_malloc().
749 *
750 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
751 * an error code is returned.
752 *
753 * Since 3.1.0
754 **/
756 {
764 {
770 }
775 }
777 /**
778 * gnutls_url_is_supported:
779 * @url: A PKCS 11 url
780 *
781 * Check whether url is supported. Depending on the system libraries
782 * GnuTLS may support pkcs11 or tpmkey URLs.
783 *
784 * Returns: return non-zero if the given URL is supported, and zero if
785 * it is not known.
786 *
787 * Since: 3.1.0
788 **/
789 int
791 {
792 #ifdef ENABLE_PKCS11
795 #endif
796 #ifdef HAVE_TROUSERS
799 #endif
801 }