/**
* gnutls_certificate_verify_peers3:
* @session: is a gnutls session
* @hostname: is the expected name of the peer; may be %NULL
* @status: is the output of the verification
*
* This function will verify the peer's certificate and store the
* status in the @status variable as a bitwise or'd gnutls_certificate_status_t
* values or zero if the certificate is trusted. Note that value in @status
* is set only when the return value of this function is success (i.e, failure
* to trust a certificate does not imply a negative return value).
*
* If the @hostname provided is non-NULL then this function will compare
* the hostname in the certificate against the given. If they do not match
* the %GNUTLS_CERT_UNEXPECTED_OWNER status flag will be set.
*
* If available the OCSP Certificate Status extension will be
* utilized by this function.
*
* To avoid denial of service attacks some
* default upper limits regarding the certificate key size and chain
* size are set. To override them use gnutls_certificate_set_verify_limits().
*
* Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
*
* Since: 3.1.4
**/
int
gnutls_certificate_verify_peers3 (gnutls_session_t session,
const char* hostname,
unsigned int *status)
{
cert_auth_info_t info;
CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
info = _gnutls_get_auth_info (session);
if (info == NULL)
{
return GNUTLS_E_NO_CERTIFICATE_FOUND;
}
if (info->raw_certificate_list == NULL || info->ncerts == 0)
return GNUTLS_E_NO_CERTIFICATE_FOUND;
switch (gnutls_certificate_type_get (session))
{
case GNUTLS_CRT_X509:
return _gnutls_x509_cert_verify_peers (session, hostname, status);
#ifdef ENABLE_OPENPGP
case GNUTLS_CRT_OPENPGP:
return _gnutls_openpgp_crt_verify_peers (session, hostname, status);
#endif
default:
return GNUTLS_E_INVALID_REQUEST;
}
}
/**
* gnutls_certificate_activation_time_peers:
* @session: is a gnutls session
*
* This function will return the peer's certificate activation time.
* This is the creation time for openpgp keys.
*
* Returns: (time_t)-1 on error.
*
* Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
**/
time_t
gnutls_certificate_activation_time_peers (gnutls_session_t session)
{
cert_auth_info_t info;
CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
info = _gnutls_get_auth_info (session);
if (info == NULL)
{
return (time_t) - 1;
}
if (info->raw_certificate_list == NULL || info->ncerts == 0)
{
gnutls_assert ();
return (time_t) - 1;
}
switch (gnutls_certificate_type_get (session))
{
case GNUTLS_CRT_X509:
return
_gnutls_x509_get_raw_crt_activation_time (&info->raw_certificate_list
[0]);
#ifdef ENABLE_OPENPGP
case GNUTLS_CRT_OPENPGP:
return
_gnutls_openpgp_get_raw_key_creation_time (&info->raw_certificate_list
[0]);
#endif
default:
return (time_t) - 1;
}
}
/*-
* _gnutls_openpgp_crt_verify_peers - This function returns the peer's certificate status
* @session: is a gnutls session
*
* This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.).
* Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
*
-*/
int
_gnutls_openpgp_crt_verify_peers (gnutls_session_t session,
unsigned int *status)
{
cert_auth_info_t info;
gnutls_certificate_credentials_t cred;
int peer_certificate_list_size, ret;
CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
info = _gnutls_get_auth_info (session);
if (info == NULL)
return GNUTLS_E_INVALID_REQUEST;
cred = (gnutls_certificate_credentials_t)
_gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
if (cred == NULL)
{
gnutls_assert ();
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
if (info->raw_certificate_list == NULL || info->ncerts == 0)
{
gnutls_assert ();
return GNUTLS_E_NO_CERTIFICATE_FOUND;
}
/* generate a list of gnutls_certs based on the auth info
* raw certs.
*/
peer_certificate_list_size = info->ncerts;
if (peer_certificate_list_size != 1)
{
gnutls_assert ();
return GNUTLS_E_INTERNAL_ERROR;
}
/* Verify certificate
*/
if (_E_gnutls_openpgp_verify_key == NULL)
{
gnutls_assert ();
return GNUTLS_E_INIT_LIBEXTRA;
}
ret =
_E_gnutls_openpgp_verify_key (cred, &info->raw_certificate_list[0],
peer_certificate_list_size, status);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
return 0;
}
/**
* gnutls_srp_server_get_username:
* @session: is a gnutls session
*
* This function will return the username of the peer. This should
* only be called in case of SRP authentication and in case of a
* server. Returns NULL in case of an error.
*
* Returns: SRP username of the peer, or NULL in case of error.
**/
const char *gnutls_srp_server_get_username(gnutls_session_t session)
{
srp_server_auth_info_t info;
CHECK_AUTH(GNUTLS_CRD_SRP, NULL);
info = _gnutls_get_auth_info(session, GNUTLS_CRD_SRP);
if (info == NULL)
return NULL;
return info->username;
}
/**
* gnutls_certificate_get_peers:
* @session: is a gnutls session
* @list_size: is the length of the certificate list
*
* Get the peer's raw certificate (chain) as sent by the peer. These
* certificates are in raw format (DER encoded for X.509). In case of
* a X.509 then a certificate list may be present. The first
* certificate in the list is the peer's certificate, following the
* issuer's certificate, then the issuer's issuer etc.
*
* In case of OpenPGP keys a single key will be returned in raw
* format.
*
* Returns: a pointer to a #gnutls_datum_t containing our
* certificates, or %NULL in case of an error or if no certificate
* was used.
**/
const gnutls_datum_t *gnutls_certificate_get_peers(gnutls_session_t
session,
unsigned int *list_size)
{
cert_auth_info_t info;
CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL);
info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);
if (info == NULL)
return NULL;
*list_size = info->ncerts;
return info->raw_certificate_list;
}
/**
* gnutls_certificate_get_peers_subkey_id:
* @session: is a gnutls session
* @id: will contain the ID
*
* Get the peer's subkey ID when OpenPGP certificates are
* used. The returned @id should be treated as constant.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
* an error code is returned.
*
* Since: 3.1.3
**/
int gnutls_certificate_get_peers_subkey_id(gnutls_session_t session,
gnutls_datum_t * id)
{
cert_auth_info_t info;
CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);
if (info == NULL)
return GNUTLS_E_INVALID_REQUEST;
id->data = info->subkey_id;
id->size = GNUTLS_OPENPGP_KEYID_SIZE;
return 0;
}
/**
* gnutls_psk_server_get_username - return the username of the peer
* @session: is a gnutls session
*
* This should only be called in case of PSK authentication and in
* case of a server.
*
* Returns: the username of the peer, or %NULL in case of an error.
**/
const char *
gnutls_psk_server_get_username (gnutls_session_t session)
{
psk_auth_info_t info;
CHECK_AUTH (GNUTLS_CRD_PSK, NULL);
info = _gnutls_get_auth_info (session);
if (info == NULL)
return NULL;
if (info->username[0] != 0)
return info->username;
return NULL;
}
/**
* gnutls_psk_client_get_hint - return the PSK identity hint of the peer
* @session: is a gnutls session
*
* The PSK identity hint may give the client help in deciding which
* username to use. This should only be called in case of PSK
* authentication and in case of a client.
*
* Returns: the identity hint of the peer, or %NULL in case of an error.
*
* Since: 2.4.0
**/
const char *
gnutls_psk_client_get_hint (gnutls_session_t session)
{
psk_auth_info_t info;
CHECK_AUTH (GNUTLS_CRD_PSK, NULL);
info = _gnutls_get_auth_info (session);
if (info == NULL)
return NULL;
if (info->hint[0] != 0)
return info->hint;
return NULL;
}
/**
* gnutls_certificate_get_ours:
* @session: is a gnutls session
*
* Gets the certificate as sent to the peer in the last handshake.
* The certificate is in raw (DER) format. No certificate
* list is being returned. Only the first certificate.
*
* Returns: a pointer to a #gnutls_datum_t containing our
* certificate, or %NULL in case of an error or if no certificate
* was used.
**/
const gnutls_datum_t *gnutls_certificate_get_ours(gnutls_session_t session)
{
gnutls_certificate_credentials_t cred;
CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL);
cred = (gnutls_certificate_credentials_t)
_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE);
if (cred == NULL || cred->certs == NULL) {
gnutls_assert();
return NULL;
}
if (session->internals.selected_cert_list == NULL)
return NULL;
return &session->internals.selected_cert_list[0].cert;
}
void push_handler(struct evhttp_request *req, void *arg){
CHECK_AUTH();
serv->pub(req, false);
}
void psub_handler(struct evhttp_request *req, void *arg){
CHECK_AUTH();
serv->psub(req);
}
void check_handler(struct evhttp_request *req, void *arg){
CHECK_AUTH();
serv->check(req);
}
void info_handler(struct evhttp_request *req, void *arg){
CHECK_AUTH();
serv->info(req);
}
void broadcast_handler(struct evhttp_request *req, void *arg){
CHECK_AUTH();
serv->broadcast(req);
}
void sign_handler(struct evhttp_request *req, void *arg){
CHECK_AUTH();
serv->sign(req);
}
void close_handler(struct evhttp_request *req, void *arg){
CHECK_AUTH();
serv->close(req);
}
/*-
* _gnutls_x509_cert_verify_peers - return the peer's certificate status
* @session: is a gnutls session
*
* This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
* The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
* However you must also check the peer's name in order to check if the verified certificate belongs to the
* actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
-*/
int
_gnutls_x509_cert_verify_peers (gnutls_session_t session,
unsigned int *status)
{
cert_auth_info_t info;
gnutls_certificate_credentials_t cred;
gnutls_x509_crt_t *peer_certificate_list;
int peer_certificate_list_size, i, x, ret;
CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
info = _gnutls_get_auth_info (session);
if (info == NULL)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
cred = (gnutls_certificate_credentials_t)
_gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
if (cred == NULL)
{
gnutls_assert ();
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
if (info->raw_certificate_list == NULL || info->ncerts == 0)
return GNUTLS_E_NO_CERTIFICATE_FOUND;
if (info->ncerts > cred->verify_depth && cred->verify_depth > 0)
{
gnutls_assert ();
return GNUTLS_E_CONSTRAINT_ERROR;
}
/* generate a list of gnutls_certs based on the auth info
* raw certs.
*/
peer_certificate_list_size = info->ncerts;
peer_certificate_list =
gnutls_calloc (peer_certificate_list_size, sizeof (gnutls_x509_crt_t));
if (peer_certificate_list == NULL)
{
gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
for (i = 0; i < peer_certificate_list_size; i++)
{
ret = gnutls_x509_crt_init (&peer_certificate_list[i]);
if (ret < 0)
{
gnutls_assert ();
CLEAR_CERTS;
return ret;
}
ret =
gnutls_x509_crt_import (peer_certificate_list[i],
&info->raw_certificate_list[i],
GNUTLS_X509_FMT_DER);
if (ret < 0)
{
gnutls_assert ();
CLEAR_CERTS;
return ret;
}
if (ret < 0)
{
gnutls_assert ();
CLEAR_CERTS;
return ret;
}
ret = check_bits (peer_certificate_list[i], cred->verify_bits);
if (ret < 0)
{
gnutls_assert ();
CLEAR_CERTS;
return ret;
}
}
/* Verify certificate
*/
ret = gnutls_x509_crt_list_verify (peer_certificate_list,
peer_certificate_list_size,
cred->x509_ca_list, cred->x509_ncas,
cred->x509_crl_list, cred->x509_ncrls,
cred->verify_flags | session->internals.
priorities.additional_verify_flags,
status);
CLEAR_CERTS;
if (ret < 0)
{
gnutls_assert ();
return ret;
}
return 0;
}
