/*

 * Copyright (C) 2001-2015 Free Software Foundation, Inc.

 * Copyright (C) 2015 Nikos Mavrogiannopoulos

 *

 * Author: Nikos Mavrogiannopoulos

 *

 * This file is part of GnuTLS.

 *

 * The GnuTLS is free software; you can redistribute it and/or

 * modify it under the terms of the GNU Lesser General Public License

 * as published by the Free Software Foundation; either version 2.1 of

 * the License, or (at your option) any later version.

 *

 * This library is distributed in the hope that it will be useful, but

 * WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

 * Lesser General Public License for more details.

 *

 * You should have received a copy of the GNU Lesser General Public License

 * along with this program.  If not, see <http://www.gnu.org/licenses/>

 *

 */

/* This file contains certificate authentication functions to be exported in the

 * API which did not fit elsewhere.

 */

#include "gnutls_int.h"

#include <auth/srp_kx.h>

#include <auth/anon.h>

#include <auth/cert.h>

#include <auth/psk.h>

#include "errors.h"

#include <auth.h>

#include <state.h>

#include <datum.h>

#include <algorithms.h>

/* CERTIFICATE STUFF */

/**

 * gnutls_certificate_get_ours:

 * @session: is a gnutls session

 *

 * Gets the certificate as sent to the peer in the last handshake.

 * The certificate is in raw (DER) format.  No certificate

 * list is being returned. Only the first certificate.

 *

 * Returns: a pointer to a #gnutls_datum_t containing our

 *   certificate, or %NULL in case of an error or if no certificate

 *   was used.

 **/

const gnutls_datum_t *gnutls_certificate_get_ours(gnutls_session_t session)

{

	gnutls_certificate_credentials_t cred;

	CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL);

	cred = (gnutls_certificate_credentials_t)

	    _gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE);

	if (cred == NULL) {

		gnutls_assert();

		return NULL;

	}

	if (session->internals.selected_cert_list == NULL)

		return NULL;

	return &session->internals.selected_cert_list[0].cert;

}

/**

 * gnutls_certificate_get_peers:

 * @session: is a gnutls session

 * @list_size: is the length of the certificate list (may be %NULL)

 *

 * Get the peer's raw certificate (chain) as sent by the peer.  These

 * certificates are in raw format (DER encoded for X.509).  In case of

 * a X.509 then a certificate list may be present.  The list

 * is provided as sent by the server; the server must send as first

 * certificate in the list its own certificate, following the

 * issuer's certificate, then the issuer's issuer etc. However, there

 * are servers which violate this principle and thus on certain

 * occasions this may be an unsorted list.

 *

 * In case of OpenPGP keys a single key will be returned in raw

 * format.

 *

 * Returns: a pointer to a #gnutls_datum_t containing the peer's

 *   certificates, or %NULL in case of an error or if no certificate

 *   was used.

 **/

const gnutls_datum_t *gnutls_certificate_get_peers(gnutls_session_t

						   session,

						   unsigned int *list_size)

{

	cert_auth_info_t info;

	CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL);

	info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);

	if (info == NULL)

		return NULL;

	if (list_size)

		*list_size = info->ncerts;

	return info->raw_certificate_list;

}

/**

 * gnutls_certificate_client_get_request_status:

 * @session: is a gnutls session

 *

 * Get whether client certificate was requested on the last

 * handshake or not.

 *

 * Returns: 0 if the peer (server) did not request client

 *   authentication or 1 otherwise.

 **/

int gnutls_certificate_client_get_request_status(gnutls_session_t session)

{

	return session->internals.crt_requested;

}

/**

 * gnutls_certificate_set_params_function:

 * @res: is a gnutls_certificate_credentials_t type

 * @func: is the function to be called

 *

 * This function will set a callback in order for the server to get

 * the Diffie-Hellman or RSA parameters for certificate

 * authentication.  The callback should return %GNUTLS_E_SUCCESS (0) on success.

 *

 * Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0

 * or later. Since 3.6.0, DH parameters are negotiated

 * following RFC7919.

 *

 **/

void

gnutls_certificate_set_params_function(gnutls_certificate_credentials_t

				       res, gnutls_params_function * func)

{

	res->params_func = func;

}

/**

 * gnutls_certificate_set_flags:

 * @res: is a gnutls_certificate_credentials_t type

 * @flags: are the flags of #gnutls_certificate_flags type

 *

 * This function will set flags to tweak the operation of

 * the credentials structure. See the #gnutls_certificate_flags enumerations

 * for more information on the available flags. 

 *

 * Since: 3.4.7

 **/

void

gnutls_certificate_set_flags(gnutls_certificate_credentials_t res,

			     unsigned int flags)

{

	res->flags = flags;

}

/**

 * gnutls_certificate_set_verify_flags:

 * @res: is a gnutls_certificate_credentials_t type

 * @flags: are the flags

 *

 * This function will set the flags to be used for verification 

 * of certificates and override any defaults.  The provided flags must be an OR of the

 * #gnutls_certificate_verify_flags enumerations. 

 *

 **/

void

gnutls_certificate_set_verify_flags(gnutls_certificate_credentials_t

				    res, unsigned int flags)

{

	res->verify_flags = flags;

}

/**

 * gnutls_certificate_get_verify_flags:

 * @res: is a gnutls_certificate_credentials_t type

 *

 * Returns the verification flags set with

 * gnutls_certificate_set_verify_flags().

 *

 * Returns: The certificate verification flags used by @res.

 *

 * Since: 3.4.0

 */

unsigned int

gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res)

{

	return res->verify_flags;

}

/**

 * gnutls_certificate_set_verify_limits:

 * @res: is a gnutls_certificate_credentials type

 * @max_bits: is the number of bits of an acceptable certificate (default 8200)

 * @max_depth: is maximum depth of the verification of a certificate chain (default 5)

 *

 * This function will set some upper limits for the default

 * verification function, gnutls_certificate_verify_peers2(), to avoid

 * denial of service attacks.  You can set them to zero to disable

 * limits.

 **/

void

gnutls_certificate_set_verify_limits(gnutls_certificate_credentials_t res,

				     unsigned int max_bits,

				     unsigned int max_depth)

{

	res->verify_depth = max_depth;

	res->verify_bits = max_bits;

}