2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GNUTLS.
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
25 /* Some of the stuff needed for Certificate authentication is contained
29 #include <gnutls_int.h>
30 #include <gnutls_errors.h>
31 #include <auth_cert.h>
32 #include <gnutls_cert.h>
33 #include <gnutls_datum.h>
34 #include <gnutls_mpi.h>
35 #include <gnutls_global.h>
36 #include <gnutls_algorithms.h>
37 #include <gnutls_dh.h>
38 #include <gnutls_str.h>
39 #include <gnutls_state.h>
40 #include <gnutls_auth.h>
41 #include <gnutls_x509.h>
42 #include "x509/x509_int.h"
44 # include "openpgp/gnutls_openpgp.h"
48 * gnutls_certificate_free_keys - Used to free all the keys from a gnutls_certificate_credentials_t structure
49 * @sc: is a #gnutls_certificate_credentials_t structure.
51 * This function will delete all the keys and the certificates associated
52 * with the given credentials. This function must not be called when a
53 * TLS negotiation that uses the credentials is in progress.
57 gnutls_certificate_free_keys (gnutls_certificate_credentials_t sc
)
61 for (i
= 0; i
< sc
->ncerts
; i
++)
63 for (j
= 0; j
< sc
->cert_list_length
[i
]; j
++)
65 _gnutls_gcert_deinit (&sc
->cert_list
[i
][j
]);
67 gnutls_free (sc
->cert_list
[i
]);
70 gnutls_free (sc
->cert_list_length
);
71 sc
->cert_list_length
= NULL
;
73 gnutls_free (sc
->cert_list
);
76 for (i
= 0; i
< sc
->ncerts
; i
++)
78 _gnutls_gkey_deinit (&sc
->pkey
[i
]);
81 gnutls_free (sc
->pkey
);
89 * gnutls_certificate_free_cas - Used to free all the CAs from a gnutls_certificate_credentials_t structure
90 * @sc: is a #gnutls_certificate_credentials_t structure.
92 * This function will delete all the CAs associated
93 * with the given credentials. Servers that do not use
94 * gnutls_certificate_verify_peers2() may call this to
99 gnutls_certificate_free_cas (gnutls_certificate_credentials_t sc
)
103 for (j
= 0; j
< sc
->x509_ncas
; j
++)
105 gnutls_x509_crt_deinit (sc
->x509_ca_list
[j
]);
110 gnutls_free (sc
->x509_ca_list
);
111 sc
->x509_ca_list
= NULL
;
116 * gnutls_certificate_get_x509_cas - Used to export all the CAs from a gnutls_certificate_credentials_t structure
117 * @sc: is a #gnutls_certificate_credentials_t structure.
118 * @x509_ca_list: will point to the CA list. Should be treated as constant
119 * @ncas: the number of CAs
121 * This function will export all the CAs associated
122 * with the given credentials.
127 gnutls_certificate_get_x509_cas (gnutls_certificate_credentials_t sc
,
128 gnutls_x509_crt_t
** x509_ca_list
,
131 *x509_ca_list
= sc
->x509_ca_list
;
132 *ncas
= sc
->x509_ncas
;
136 * gnutls_certificate_get_x509_crls - Used to export all the CRLs from a gnutls_certificate_credentials_t structure
137 * @sc: is a #gnutls_certificate_credentials_t structure.
138 * @x509_crl_list: the exported CRL list. Should be treated as constant
139 * @ncrls: the number of exported CRLs
141 * This function will export all the CRLs associated with the given
147 gnutls_certificate_get_x509_crls (gnutls_certificate_credentials_t sc
,
148 gnutls_x509_crl_t
** x509_crl_list
,
151 *x509_crl_list
= sc
->x509_crl_list
;
152 *ncrls
= sc
->x509_ncrls
;
155 #ifdef ENABLE_OPENPGP
158 * gnutls_certificate_get_openpgp_keyring - export keyring from a #gnutls_certificate_credentials_t
159 * @sc: is a #gnutls_certificate_credentials_t structure.
160 * @keyring: the exported keyring. Should be treated as constant
162 * This function will export the OpenPGP keyring associated with the
168 gnutls_certificate_get_openpgp_keyring (gnutls_certificate_credentials_t sc
,
169 gnutls_openpgp_keyring_t
* keyring
)
171 *keyring
= sc
->keyring
;
177 * gnutls_certificate_free_ca_names - Used to free all the CA names from a gnutls_certificate_credentials_t structure
178 * @sc: is a #gnutls_certificate_credentials_t structure.
180 * This function will delete all the CA name in the
181 * given credentials. Clients may call this to save some memory
182 * since in client side the CA names are not used.
184 * CA names are used by servers to advertize the CAs they
185 * support to clients.
189 gnutls_certificate_free_ca_names (gnutls_certificate_credentials_t sc
)
191 _gnutls_free_datum (&sc
->x509_rdn_sequence
);
195 * _gnutls_certificate_get_rsa_params - Returns the RSA parameters pointer
196 * @rsa_params: holds the RSA parameters or NULL.
197 * @func: function to retrieve the parameters or NULL.
198 * @session: The session.
200 * This function will return the rsa parameters pointer.
204 _gnutls_certificate_get_rsa_params (gnutls_rsa_params_t rsa_params
,
205 gnutls_params_function
* func
,
206 gnutls_session_t session
)
208 gnutls_params_st params
;
211 if (session
->internals
.params
.rsa_params
)
213 return session
->internals
.params
.rsa_params
;
218 session
->internals
.params
.rsa_params
= rsa_params
;
222 ret
= func (session
, GNUTLS_PARAMS_RSA_EXPORT
, ¶ms
);
223 if (ret
== 0 && params
.type
== GNUTLS_PARAMS_RSA_EXPORT
)
225 session
->internals
.params
.rsa_params
= params
.params
.rsa_export
;
226 session
->internals
.params
.free_rsa_params
= params
.deinit
;
230 return session
->internals
.params
.rsa_params
;
235 * gnutls_certificate_free_credentials - Used to free an allocated gnutls_certificate_credentials_t structure
236 * @sc: is a #gnutls_certificate_credentials_t structure.
238 * This structure is complex enough to manipulate directly thus
239 * this helper function is provided in order to free (deallocate) it.
241 * This function does not free any temporary parameters associated
242 * with this structure (ie RSA and DH parameters are not freed by
246 gnutls_certificate_free_credentials (gnutls_certificate_credentials_t sc
)
248 gnutls_certificate_free_keys (sc
);
249 gnutls_certificate_free_cas (sc
);
250 gnutls_certificate_free_ca_names (sc
);
252 gnutls_certificate_free_crls (sc
);
255 #ifdef ENABLE_OPENPGP
256 gnutls_openpgp_keyring_deinit (sc
->keyring
);
264 * gnutls_certificate_allocate_credentials - Used to allocate a gnutls_certificate_credentials_t structure
265 * @res: is a pointer to a #gnutls_certificate_credentials_t structure.
267 * This structure is complex enough to manipulate directly thus this
268 * helper function is provided in order to allocate it.
270 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
273 gnutls_certificate_allocate_credentials (gnutls_certificate_credentials_t
*
276 *res
= gnutls_calloc (1, sizeof (certificate_credentials_st
));
279 return GNUTLS_E_MEMORY_ERROR
;
281 (*res
)->verify_bits
= DEFAULT_VERIFY_BITS
;
282 (*res
)->verify_depth
= DEFAULT_VERIFY_DEPTH
;
288 /* returns the KX algorithms that are supported by a
289 * certificate. (Eg a certificate with RSA params, supports
290 * GNUTLS_KX_RSA algorithm).
291 * This function also uses the KeyUsage field of the certificate
292 * extensions in order to disable unneded algorithms.
295 _gnutls_selected_cert_supported_kx (gnutls_session_t session
,
296 gnutls_kx_algorithm_t
** alg
,
299 gnutls_kx_algorithm_t kx
;
300 gnutls_pk_algorithm_t pk
;
301 gnutls_kx_algorithm_t kxlist
[MAX_ALGOS
];
305 if (session
->internals
.selected_cert_list_length
== 0)
312 cert
= &session
->internals
.selected_cert_list
[0];
315 for (kx
= 0; kx
< MAX_ALGOS
; kx
++)
317 pk
= _gnutls_map_pk_get_pk (kx
);
318 if (pk
== cert
->subject_pk_algorithm
)
320 /* then check key usage */
321 if (_gnutls_check_key_usage (cert
, kx
) == 0)
332 return GNUTLS_E_INVALID_REQUEST
;
335 *alg
= gnutls_calloc (i
, sizeof (gnutls_kx_algorithm_t
));
337 return GNUTLS_E_MEMORY_ERROR
;
341 memcpy (*alg
, kxlist
, i
* sizeof (gnutls_kx_algorithm_t
));
348 * gnutls_certificate_server_set_request - Used to set whether to request a client certificate
349 * @session: is a #gnutls_session_t structure.
350 * @req: is one of GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE
352 * This function specifies if we (in case of a server) are going
353 * to send a certificate request message to the client. If @req
354 * is GNUTLS_CERT_REQUIRE then the server will return an error if
355 * the peer does not provide a certificate. If you do not
356 * call this function then the client will not be asked to
357 * send a certificate.
360 gnutls_certificate_server_set_request (gnutls_session_t session
,
361 gnutls_certificate_request_t req
)
363 session
->internals
.send_cert_req
= req
;
367 * gnutls_certificate_client_set_retrieve_function - Used to set a callback to retrieve the certificate
368 * @cred: is a #gnutls_certificate_credentials_t structure.
369 * @func: is the callback function
371 * This function sets a callback to be called in order to retrieve the certificate
372 * to be used in the handshake.
373 * The callback's function prototype is:
374 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
375 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr_st* st);
377 * @req_ca_cert is only used in X.509 certificates.
378 * Contains a list with the CA names that the server considers trusted.
379 * Normally we should send a certificate that is signed
380 * by one of these CAs. These names are DER encoded. To get a more
381 * meaningful value use the function gnutls_x509_rdn_get().
383 * @pk_algos contains a list with server's acceptable signature algorithms.
384 * The certificate returned should support the server's given algorithms.
386 * @st should contain the certificates and private keys.
388 * If the callback function is provided then gnutls will call it, in the
389 * handshake, after the certificate request message has been received.
391 * The callback function should set the certificate list to be sent, and
392 * return 0 on success. If no certificate was selected then the number of certificates
393 * should be set to zero. The value (-1) indicates error and the handshake
394 * will be terminated.
396 void gnutls_certificate_client_set_retrieve_function
397 (gnutls_certificate_credentials_t cred
,
398 gnutls_certificate_client_retrieve_function
* func
)
400 cred
->client_get_cert_callback
= func
;
404 * gnutls_certificate_server_set_retrieve_function - Used to set a callback to retrieve the certificate
405 * @cred: is a #gnutls_certificate_credentials_t structure.
406 * @func: is the callback function
408 * This function sets a callback to be called in order to retrieve the certificate
409 * to be used in the handshake.
410 * The callback's function prototype is:
411 * int (*callback)(gnutls_session_t, gnutls_retr_st* st);
413 * @st should contain the certificates and private keys.
415 * If the callback function is provided then gnutls will call it, in the
416 * handshake, after the certificate request message has been received.
418 * The callback function should set the certificate list to be sent, and
419 * return 0 on success. The value (-1) indicates error and the handshake
420 * will be terminated.
422 void gnutls_certificate_server_set_retrieve_function
423 (gnutls_certificate_credentials_t cred
,
424 gnutls_certificate_server_retrieve_function
* func
)
426 cred
->server_get_cert_callback
= func
;
430 * _gnutls_x509_extract_certificate_activation_time - return the peer's certificate activation time
431 * @cert: should contain an X.509 DER encoded certificate
433 * This function will return the certificate's activation time in UNIX time
434 * (ie seconds since 00:00:00 UTC January 1, 1970).
436 * Returns a (time_t) -1 in case of an error.
440 _gnutls_x509_get_raw_crt_activation_time (const gnutls_datum_t
* cert
)
442 gnutls_x509_crt_t xcert
;
445 result
= gnutls_x509_crt_init (&xcert
);
449 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
452 gnutls_x509_crt_deinit (xcert
);
456 result
= gnutls_x509_crt_get_activation_time (xcert
);
458 gnutls_x509_crt_deinit (xcert
);
464 * gnutls_x509_extract_certificate_expiration_time - return the certificate's expiration time
465 * @cert: should contain an X.509 DER encoded certificate
467 * This function will return the certificate's expiration time in UNIX
468 * time (ie seconds since 00:00:00 UTC January 1, 1970). Returns a
470 * (time_t) -1 in case of an error.
474 _gnutls_x509_get_raw_crt_expiration_time (const gnutls_datum_t
* cert
)
476 gnutls_x509_crt_t xcert
;
479 result
= gnutls_x509_crt_init (&xcert
);
483 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
486 gnutls_x509_crt_deinit (xcert
);
490 result
= gnutls_x509_crt_get_expiration_time (xcert
);
492 gnutls_x509_crt_deinit (xcert
);
497 #ifdef ENABLE_OPENPGP
499 * _gnutls_openpgp_crt_verify_peers - return the peer's certificate status
500 * @session: is a gnutls session
502 * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.).
503 * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
507 _gnutls_openpgp_crt_verify_peers (gnutls_session_t session
,
508 unsigned int *status
)
510 cert_auth_info_t info
;
511 gnutls_certificate_credentials_t cred
;
512 int peer_certificate_list_size
, ret
;
514 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE
, GNUTLS_E_INVALID_REQUEST
);
516 info
= _gnutls_get_auth_info (session
);
518 return GNUTLS_E_INVALID_REQUEST
;
520 cred
= (gnutls_certificate_credentials_t
)
521 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
525 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
528 if (info
->raw_certificate_list
== NULL
|| info
->ncerts
== 0)
531 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
534 /* generate a list of gnutls_certs based on the auth info
537 peer_certificate_list_size
= info
->ncerts
;
539 if (peer_certificate_list_size
!= 1)
542 return GNUTLS_E_INTERNAL_ERROR
;
545 /* Verify certificate
548 _gnutls_openpgp_verify_key (cred
, &info
->raw_certificate_list
[0],
549 peer_certificate_list_size
, status
);
562 * gnutls_certificate_verify_peers2 - return the peer's certificate verification status
563 * @session: is a gnutls session
564 * @status: is the output of the verification
566 * This function will try to verify the peer's certificate and return
567 * its status (trusted, invalid etc.). The value of @status should
568 * be one or more of the gnutls_certificate_status_t enumerated
569 * elements bitwise or'd. To avoid denial of service attacks some
570 * default upper limits regarding the certificate key size and chain
571 * size are set. To override them use
572 * gnutls_certificate_set_verify_limits().
574 * Note that you must also check the peer's name in order to check if
575 * the verified certificate belongs to the actual peer.
577 * This function uses gnutls_x509_crt_list_verify() with the CAs in
578 * the credentials as trusted CAs.
580 * Note that some commonly used X.509 Certificate Authorities are
581 * still using Version 1 certificates. If you want to accept them,
582 * you need to call gnutls_certificate_set_verify_flags() with, e.g.,
583 * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.
585 * Returns: a negative error code on error and zero on success.
588 gnutls_certificate_verify_peers2 (gnutls_session_t session
,
589 unsigned int *status
)
591 cert_auth_info_t info
;
593 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE
, GNUTLS_E_INVALID_REQUEST
);
595 info
= _gnutls_get_auth_info (session
);
598 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
601 if (info
->raw_certificate_list
== NULL
|| info
->ncerts
== 0)
602 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
604 switch (gnutls_certificate_type_get (session
))
606 case GNUTLS_CRT_X509
:
607 return _gnutls_x509_cert_verify_peers (session
, status
);
608 #ifdef ENABLE_OPENPGP
609 case GNUTLS_CRT_OPENPGP
:
610 return _gnutls_openpgp_crt_verify_peers (session
, status
);
613 return GNUTLS_E_INVALID_REQUEST
;
618 * gnutls_certificate_verify_peers - return the peer's certificate verification status
619 * @session: is a gnutls session
621 * This function will try to verify the peer's certificate and return
622 * its status (trusted, invalid etc.). However you must also check
623 * the peer's name in order to check if the verified certificate
624 * belongs to the actual peer.
626 * This function uses gnutls_x509_crt_list_verify().
628 * Returns: one or more of the #gnutls_certificate_status_t
629 * enumerated elements bitwise or'd, or a negative value on error.
631 * Deprecated: Use gnutls_certificate_verify_peers2() instead.
634 gnutls_certificate_verify_peers (gnutls_session_t session
)
639 ret
= gnutls_certificate_verify_peers2 (session
, &status
);
651 * gnutls_certificate_expiration_time_peers - return the peer's certificate expiration time
652 * @session: is a gnutls session
654 * This function will return the peer's certificate expiration time.
656 * Returns: (time_t)-1 on error.
658 * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.
661 gnutls_certificate_expiration_time_peers (gnutls_session_t session
)
663 cert_auth_info_t info
;
665 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE
, GNUTLS_E_INVALID_REQUEST
);
667 info
= _gnutls_get_auth_info (session
);
673 if (info
->raw_certificate_list
== NULL
|| info
->ncerts
== 0)
679 switch (gnutls_certificate_type_get (session
))
681 case GNUTLS_CRT_X509
:
683 _gnutls_x509_get_raw_crt_expiration_time (&info
->raw_certificate_list
685 #ifdef ENABLE_OPENPGP
686 case GNUTLS_CRT_OPENPGP
:
688 _gnutls_openpgp_get_raw_key_expiration_time
689 (&info
->raw_certificate_list
[0]);
697 * gnutls_certificate_activation_time_peers - return the peer's certificate activation time
698 * @session: is a gnutls session
700 * This function will return the peer's certificate activation time.
701 * This is the creation time for openpgp keys.
703 * Returns: (time_t)-1 on error.
705 * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
708 gnutls_certificate_activation_time_peers (gnutls_session_t session
)
710 cert_auth_info_t info
;
712 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE
, GNUTLS_E_INVALID_REQUEST
);
714 info
= _gnutls_get_auth_info (session
);
720 if (info
->raw_certificate_list
== NULL
|| info
->ncerts
== 0)
726 switch (gnutls_certificate_type_get (session
))
728 case GNUTLS_CRT_X509
:
730 _gnutls_x509_get_raw_crt_activation_time (&info
->raw_certificate_list
732 #ifdef ENABLE_OPENPGP
733 case GNUTLS_CRT_OPENPGP
:
735 _gnutls_openpgp_get_raw_key_creation_time (&info
->raw_certificate_list
743 /* Converts the first certificate for the cert_auth_info structure
747 _gnutls_get_auth_info_gcert (gnutls_cert
* gcert
,
748 gnutls_certificate_type_t type
,
749 cert_auth_info_t info
,
750 int flags
/* OR of ConvFlags */ )
754 case GNUTLS_CRT_X509
:
755 return _gnutls_x509_raw_cert_to_gcert (gcert
,
756 &info
->raw_certificate_list
[0],
758 #ifdef ENABLE_OPENPGP
759 case GNUTLS_CRT_OPENPGP
:
760 return _gnutls_openpgp_raw_crt_to_gcert (gcert
,
761 &info
->raw_certificate_list
[0],
763 use_subkey
? info
->subkey_id
:
768 return GNUTLS_E_INTERNAL_ERROR
;
772 /* This function will convert a der certificate to a format
773 * (structure) that gnutls can understand and use. Actually the
774 * important thing on this function is that it extracts the
775 * certificate's (public key) parameters.
777 * The noext flag is used to complete the handshake even if the
778 * extensions found in the certificate are unsupported and critical.
779 * The critical extensions will be catched by the verification functions.
782 _gnutls_x509_raw_cert_to_gcert (gnutls_cert
* gcert
,
783 const gnutls_datum_t
* derCert
,
784 int flags
/* OR of ConvFlags */ )
787 gnutls_x509_crt_t cert
;
789 ret
= gnutls_x509_crt_init (&cert
);
796 ret
= gnutls_x509_crt_import (cert
, derCert
, GNUTLS_X509_FMT_DER
);
800 gnutls_x509_crt_deinit (cert
);
804 ret
= _gnutls_x509_crt_to_gcert (gcert
, cert
, flags
);
805 gnutls_x509_crt_deinit (cert
);
810 /* Like above but it accepts a parsed certificate instead.
813 _gnutls_x509_crt_to_gcert (gnutls_cert
* gcert
,
814 gnutls_x509_crt_t cert
, unsigned int flags
)
818 memset (gcert
, 0, sizeof (gnutls_cert
));
819 gcert
->cert_type
= GNUTLS_CRT_X509
;
821 if (!(flags
& CERT_NO_COPY
))
823 #define SMALL_DER 512
825 size_t der_size
= SMALL_DER
;
827 /* initially allocate a bogus size, just in case the certificate
828 * fits in it. That way we minimize the DER encodings performed.
830 der
= gnutls_malloc (SMALL_DER
);
834 return GNUTLS_E_MEMORY_ERROR
;
838 gnutls_x509_crt_export (cert
, GNUTLS_X509_FMT_DER
, der
, &der_size
);
839 if (ret
< 0 && ret
!= GNUTLS_E_SHORT_MEMORY_BUFFER
)
846 if (ret
== GNUTLS_E_SHORT_MEMORY_BUFFER
)
848 der
= gnutls_realloc (der
, der_size
);
852 return GNUTLS_E_MEMORY_ERROR
;
856 gnutls_x509_crt_export (cert
, GNUTLS_X509_FMT_DER
, der
,
866 gcert
->raw
.data
= der
;
867 gcert
->raw
.size
= der_size
;
870 /* now we have 0 or a bitwise or of things to decode */
871 flags
^= CERT_NO_COPY
;
874 if (flags
& CERT_ONLY_EXTENSIONS
|| flags
== 0)
876 gnutls_x509_crt_get_key_usage (cert
, &gcert
->key_usage
, NULL
);
877 gcert
->version
= gnutls_x509_crt_get_version (cert
);
879 gcert
->subject_pk_algorithm
= gnutls_x509_crt_get_pk_algorithm (cert
, NULL
);
881 if (flags
& CERT_ONLY_PUBKEY
|| flags
== 0)
883 gcert
->params_size
= MAX_PUBLIC_PARAMS_SIZE
;
885 _gnutls_x509_crt_get_mpis (cert
, gcert
->params
, &gcert
->params_size
);
898 _gnutls_gcert_deinit (gnutls_cert
* cert
)
905 for (i
= 0; i
< cert
->params_size
; i
++)
907 _gnutls_mpi_release (&cert
->params
[i
]);
910 _gnutls_free_datum (&cert
->raw
);
914 * gnutls_sign_callback_set:
915 * @session: is a gnutls session
916 * @sign_func: function pointer to application's sign callback.
917 * @userdata: void pointer that will be passed to sign callback.
919 * Set the callback function. The function must have this prototype:
921 * typedef int (*gnutls_sign_func) (gnutls_session_t session,
923 * gnutls_certificate_type_t cert_type,
924 * const gnutls_datum_t * cert,
925 * const gnutls_datum_t * hash,
926 * gnutls_datum_t * signature);
928 * The @userdata parameter is passed to the @sign_func verbatim, and
929 * can be used to store application-specific data needed in the
930 * callback function. See also gnutls_sign_callback_get().
933 gnutls_sign_callback_set (gnutls_session_t session
,
934 gnutls_sign_func sign_func
, void *userdata
)
936 session
->internals
.sign_func
= sign_func
;
937 session
->internals
.sign_func_userdata
= userdata
;
941 * gnutls_sign_callback_get:
942 * @session: is a gnutls session
943 * @userdata: if non-%NULL, will be set to abstract callback pointer.
945 * Retrieve the callback function, and its userdata pointer.
947 * Returns: The function pointer set by gnutls_sign_callback_set(), or
951 gnutls_sign_callback_get (gnutls_session_t session
, void **userdata
)
954 *userdata
= session
->internals
.sign_func_userdata
;
955 return session
->internals
.sign_func
;