/*
* Copyright (C) 2001-2015 Free Software Foundation, Inc.
* Copyright (C) 2015 Nikos Mavrogiannopoulos
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* The GnuTLS is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
/* This file contains certificate authentication functions to be exported in the
* API which did not fit elsewhere.
*/
#include "gnutls_int.h"
#include <auth/srp_kx.h>
#include <auth/anon.h>
#include <auth/cert.h>
#include <auth/psk.h>
#include "errors.h"
#include <auth.h>
#include <state.h>
#include <datum.h>
#include <algorithms.h>
/* CERTIFICATE STUFF */
/**
 * gnutls_certificate_get_ours:
 * @session: is a gnutls session
 *
 * Returns the certificate that was sent to the peer during the last
 * handshake, in raw (DER) form. Only the first (leaf) certificate is
 * exposed; the rest of the selected chain is not returned by this call.
 *
 * The returned pointer refers to data held inside @session and must
 * not be freed by the caller.
 *
 * Returns: a pointer to a #gnutls_datum_t containing our
 * certificate, or %NULL in case of an error, if the session does not
 * use certificate credentials, or if no certificate was selected.
 **/
const gnutls_datum_t *gnutls_certificate_get_ours(gnutls_session_t session)
{
	CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL);

	/* Certificate credentials must be attached to the session; the
	 * credential handle itself is not needed beyond this check. */
	if (_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE) == NULL) {
		gnutls_assert();
		return NULL;
	}

	/* selected_cert_list is the chain chosen for this handshake; only
	 * its first entry is reported. */
	if (session->internals.selected_cert_list != NULL)
		return &session->internals.selected_cert_list->cert;

	return NULL;
}
/**
 * gnutls_certificate_get_peers:
 * @session: is a gnutls session
 * @list_size: is the length of the certificate list (may be %NULL)
 *
 * Returns the peer's raw certificate (chain) exactly as the peer sent
 * it. The certificates are in raw format (DER encoded for X.509). For
 * X.509 a list may be present, in the order supplied by the peer: a
 * conforming server places its own certificate first, followed by the
 * issuer's certificate, then the issuer's issuer and so on. Some
 * servers violate this, so on occasion the list may be unsorted.
 *
 * In case of OpenPGP keys a single key is returned in raw format.
 *
 * This call performs no verification; the data is untrusted peer
 * input until checked, e.g. with gnutls_certificate_verify_peers2().
 * The returned data is owned by the library and must not be freed by
 * the caller. When %NULL is returned, @list_size is left unmodified.
 *
 * Returns: a pointer to a #gnutls_datum_t containing the peer's
 * certificates, or %NULL in case of an error or if no certificate
 * was used.
 **/
const gnutls_datum_t *gnutls_certificate_get_peers(gnutls_session_t session,
						   unsigned int *list_size)
{
	CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL);

	cert_auth_info_t auth =
	    _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);
	if (auth == NULL)
		return NULL;

	/* The chain length is reported only when the caller asked for it. */
	if (list_size != NULL)
		*list_size = auth->ncerts;

	return auth->raw_certificate_list;
}
/**
 * gnutls_certificate_client_get_request_status:
 * @session: is a gnutls session
 *
 * Reports whether the server asked for a client certificate during
 * the last handshake. Only the request flag is consulted; this says
 * nothing about whether a certificate was actually sent in reply.
 *
 * Returns: 0 if the peer (server) did not request client
 * authentication or 1 otherwise.
 **/
int gnutls_certificate_client_get_request_status(gnutls_session_t session)
{
	/* crt_requested is presumably set by the handshake code; it is
	 * only read here. */
	const int requested = session->internals.crt_requested;

	return requested;
}
/**
 * gnutls_certificate_set_params_function:
 * @res: is a gnutls_certificate_credentials_t type
 * @func: is the function to be called
 *
 * Installs a callback through which the server obtains the
 * Diffie-Hellman or RSA parameters used for certificate
 * authentication. The callback should return %GNUTLS_E_SUCCESS (0)
 * on success.
 *
 * Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0
 * or later. Since 3.6.0, DH parameters are negotiated
 * following RFC7919.
 *
 **/
void gnutls_certificate_set_params_function(gnutls_certificate_credentials_t res,
					    gnutls_params_function *func)
{
	/* The callback is stored only; nothing is invoked here. */
	res->params_func = func;
}
/**
 * gnutls_certificate_set_flags:
 * @res: is a gnutls_certificate_credentials_t type
 * @flags: are the flags of #gnutls_certificate_flags type
 *
 * Sets flags that tweak how the credentials structure operates. See
 * the #gnutls_certificate_flags enumerations for the available
 * flags. The previous value is replaced, not OR-ed with @flags.
 *
 * Since: 3.4.7
 **/
void gnutls_certificate_set_flags(gnutls_certificate_credentials_t res,
				  unsigned int flags)
{
	res->flags = flags;
}
/**
 * gnutls_certificate_set_verify_flags:
 * @res: is a gnutls_certificate_credentials_t type
 * @flags: are the flags
 *
 * Sets the flags used when verifying certificates, overriding any
 * defaults. @flags must be an OR of the
 * #gnutls_certificate_verify_flags enumerations. Because the
 * defaults are replaced rather than extended, flags that relax a
 * check weaken peer verification for every session using @res.
 *
 **/
void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials_t res,
					 unsigned int flags)
{
	res->verify_flags = flags;
}
/**
 * gnutls_certificate_get_verify_flags:
 * @res: is a gnutls_certificate_credentials_t type
 *
 * Reads back the verification flags previously stored with
 * gnutls_certificate_set_verify_flags().
 *
 * Returns: The certificate verification flags used by @res.
 *
 * Since: 3.4.0
 **/
unsigned int gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res)
{
	const unsigned int flags = res->verify_flags;

	return flags;
}
/**
 * gnutls_certificate_set_verify_limits:
 * @res: is a gnutls_certificate_credentials type
 * @max_bits: is the number of bits of an acceptable certificate (default 8200)
 * @max_depth: is maximum depth of the verification of a certificate chain (default 5)
 *
 * Sets upper limits honoured by the default verification function,
 * gnutls_certificate_verify_peers2(), so that a peer cannot force
 * unbounded work (denial of service). Passing zero for a value
 * disables that limit, and with it the corresponding protection.
 **/
void gnutls_certificate_set_verify_limits(gnutls_certificate_credentials_t res,
					  unsigned int max_bits,
					  unsigned int max_depth)
{
	/* The two limits are independent; both are stored as given. */
	res->verify_bits = max_bits;
	res->verify_depth = max_depth;
}