/** * gnutls_certificate_verify_peers3: * @session: is a gnutls session * @hostname: is the expected name of the peer; may be %NULL * @status: is the output of the verification * * This function will verify the peer's certificate and store the * status in the @status variable as a bitwise or'd gnutls_certificate_status_t * values or zero if the certificate is trusted. Note that value in @status * is set only when the return value of this function is success (i.e, failure * to trust a certificate does not imply a negative return value). * * If the @hostname provided is non-NULL then this function will compare * the hostname in the certificate against the given. If they do not match * the %GNUTLS_CERT_UNEXPECTED_OWNER status flag will be set. * * If available the OCSP Certificate Status extension will be * utilized by this function. * * To avoid denial of service attacks some * default upper limits regarding the certificate key size and chain * size are set. To override them use gnutls_certificate_set_verify_limits(). * * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success. * * Since: 3.1.4 **/ int gnutls_certificate_verify_peers3 (gnutls_session_t session, const char* hostname, unsigned int *status) { cert_auth_info_t info; CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); info = _gnutls_get_auth_info (session); if (info == NULL) { return GNUTLS_E_NO_CERTIFICATE_FOUND; } if (info->raw_certificate_list == NULL || info->ncerts == 0) return GNUTLS_E_NO_CERTIFICATE_FOUND; switch (gnutls_certificate_type_get (session)) { case GNUTLS_CRT_X509: return _gnutls_x509_cert_verify_peers (session, hostname, status); #ifdef ENABLE_OPENPGP case GNUTLS_CRT_OPENPGP: return _gnutls_openpgp_crt_verify_peers (session, hostname, status); #endif default: return GNUTLS_E_INVALID_REQUEST; } }
/** * gnutls_certificate_activation_time_peers: * @session: is a gnutls session * * This function will return the peer's certificate activation time. * This is the creation time for openpgp keys. * * Returns: (time_t)-1 on error. * * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times. **/ time_t gnutls_certificate_activation_time_peers (gnutls_session_t session) { cert_auth_info_t info; CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); info = _gnutls_get_auth_info (session); if (info == NULL) { return (time_t) - 1; } if (info->raw_certificate_list == NULL || info->ncerts == 0) { gnutls_assert (); return (time_t) - 1; } switch (gnutls_certificate_type_get (session)) { case GNUTLS_CRT_X509: return _gnutls_x509_get_raw_crt_activation_time (&info->raw_certificate_list [0]); #ifdef ENABLE_OPENPGP case GNUTLS_CRT_OPENPGP: return _gnutls_openpgp_get_raw_key_creation_time (&info->raw_certificate_list [0]); #endif default: return (time_t) - 1; } }
/*- * _gnutls_openpgp_crt_verify_peers - This function returns the peer's certificate status * @session: is a gnutls session * * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.). * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent. * -*/ int _gnutls_openpgp_crt_verify_peers (gnutls_session_t session, unsigned int *status) { cert_auth_info_t info; gnutls_certificate_credentials_t cred; int peer_certificate_list_size, ret; CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); info = _gnutls_get_auth_info (session); if (info == NULL) return GNUTLS_E_INVALID_REQUEST; cred = (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); if (cred == NULL) { gnutls_assert (); return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } if (info->raw_certificate_list == NULL || info->ncerts == 0) { gnutls_assert (); return GNUTLS_E_NO_CERTIFICATE_FOUND; } /* generate a list of gnutls_certs based on the auth info * raw certs. */ peer_certificate_list_size = info->ncerts; if (peer_certificate_list_size != 1) { gnutls_assert (); return GNUTLS_E_INTERNAL_ERROR; } /* Verify certificate */ if (_E_gnutls_openpgp_verify_key == NULL) { gnutls_assert (); return GNUTLS_E_INIT_LIBEXTRA; } ret = _E_gnutls_openpgp_verify_key (cred, &info->raw_certificate_list[0], peer_certificate_list_size, status); if (ret < 0) { gnutls_assert (); return ret; } return 0; }
/** * gnutls_srp_server_get_username: * @session: is a gnutls session * * This function will return the username of the peer. This should * only be called in case of SRP authentication and in case of a * server. Returns NULL in case of an error. * * Returns: SRP username of the peer, or NULL in case of error. **/ const char *gnutls_srp_server_get_username(gnutls_session_t session) { srp_server_auth_info_t info; CHECK_AUTH(GNUTLS_CRD_SRP, NULL); info = _gnutls_get_auth_info(session, GNUTLS_CRD_SRP); if (info == NULL) return NULL; return info->username; }
/** * gnutls_certificate_get_peers: * @session: is a gnutls session * @list_size: is the length of the certificate list * * Get the peer's raw certificate (chain) as sent by the peer. These * certificates are in raw format (DER encoded for X.509). In case of * a X.509 then a certificate list may be present. The first * certificate in the list is the peer's certificate, following the * issuer's certificate, then the issuer's issuer etc. * * In case of OpenPGP keys a single key will be returned in raw * format. * * Returns: a pointer to a #gnutls_datum_t containing our * certificates, or %NULL in case of an error or if no certificate * was used. **/ const gnutls_datum_t *gnutls_certificate_get_peers(gnutls_session_t session, unsigned int *list_size) { cert_auth_info_t info; CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL); info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); if (info == NULL) return NULL; *list_size = info->ncerts; return info->raw_certificate_list; }
/** * gnutls_certificate_get_peers_subkey_id: * @session: is a gnutls session * @id: will contain the ID * * Get the peer's subkey ID when OpenPGP certificates are * used. The returned @id should be treated as constant. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise * an error code is returned. * * Since: 3.1.3 **/ int gnutls_certificate_get_peers_subkey_id(gnutls_session_t session, gnutls_datum_t * id) { cert_auth_info_t info; CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); if (info == NULL) return GNUTLS_E_INVALID_REQUEST; id->data = info->subkey_id; id->size = GNUTLS_OPENPGP_KEYID_SIZE; return 0; }
/** * gnutls_psk_server_get_username - return the username of the peer * @session: is a gnutls session * * This should only be called in case of PSK authentication and in * case of a server. * * Returns: the username of the peer, or %NULL in case of an error. **/ const char * gnutls_psk_server_get_username (gnutls_session_t session) { psk_auth_info_t info; CHECK_AUTH (GNUTLS_CRD_PSK, NULL); info = _gnutls_get_auth_info (session); if (info == NULL) return NULL; if (info->username[0] != 0) return info->username; return NULL; }
/** * gnutls_psk_client_get_hint - return the PSK identity hint of the peer * @session: is a gnutls session * * The PSK identity hint may give the client help in deciding which * username to use. This should only be called in case of PSK * authentication and in case of a client. * * Returns: the identity hint of the peer, or %NULL in case of an error. * * Since: 2.4.0 **/ const char * gnutls_psk_client_get_hint (gnutls_session_t session) { psk_auth_info_t info; CHECK_AUTH (GNUTLS_CRD_PSK, NULL); info = _gnutls_get_auth_info (session); if (info == NULL) return NULL; if (info->hint[0] != 0) return info->hint; return NULL; }
/** * gnutls_certificate_get_ours: * @session: is a gnutls session * * Gets the certificate as sent to the peer in the last handshake. * The certificate is in raw (DER) format. No certificate * list is being returned. Only the first certificate. * * Returns: a pointer to a #gnutls_datum_t containing our * certificate, or %NULL in case of an error or if no certificate * was used. **/ const gnutls_datum_t *gnutls_certificate_get_ours(gnutls_session_t session) { gnutls_certificate_credentials_t cred; CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, NULL); cred = (gnutls_certificate_credentials_t) _gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE); if (cred == NULL || cred->certs == NULL) { gnutls_assert(); return NULL; } if (session->internals.selected_cert_list == NULL) return NULL; return &session->internals.selected_cert_list[0].cert; }
void push_handler(struct evhttp_request *req, void *arg){ CHECK_AUTH(); serv->pub(req, false); }
void psub_handler(struct evhttp_request *req, void *arg){ CHECK_AUTH(); serv->psub(req); }
void check_handler(struct evhttp_request *req, void *arg){ CHECK_AUTH(); serv->check(req); }
void info_handler(struct evhttp_request *req, void *arg){ CHECK_AUTH(); serv->info(req); }
void broadcast_handler(struct evhttp_request *req, void *arg){ CHECK_AUTH(); serv->broadcast(req); }
void sign_handler(struct evhttp_request *req, void *arg){ CHECK_AUTH(); serv->sign(req); }
void close_handler(struct evhttp_request *req, void *arg){ CHECK_AUTH(); serv->close(req); }
/*- * _gnutls_x509_cert_verify_peers - return the peer's certificate status * @session: is a gnutls session * * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.). * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements. * However you must also check the peer's name in order to check if the verified certificate belongs to the * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent. -*/ int _gnutls_x509_cert_verify_peers (gnutls_session_t session, unsigned int *status) { cert_auth_info_t info; gnutls_certificate_credentials_t cred; gnutls_x509_crt_t *peer_certificate_list; int peer_certificate_list_size, i, x, ret; CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); info = _gnutls_get_auth_info (session); if (info == NULL) { gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; } cred = (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); if (cred == NULL) { gnutls_assert (); return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } if (info->raw_certificate_list == NULL || info->ncerts == 0) return GNUTLS_E_NO_CERTIFICATE_FOUND; if (info->ncerts > cred->verify_depth && cred->verify_depth > 0) { gnutls_assert (); return GNUTLS_E_CONSTRAINT_ERROR; } /* generate a list of gnutls_certs based on the auth info * raw certs. */ peer_certificate_list_size = info->ncerts; peer_certificate_list = gnutls_calloc (peer_certificate_list_size, sizeof (gnutls_x509_crt_t)); if (peer_certificate_list == NULL) { gnutls_assert (); return GNUTLS_E_MEMORY_ERROR; } for (i = 0; i < peer_certificate_list_size; i++) { ret = gnutls_x509_crt_init (&peer_certificate_list[i]); if (ret < 0) { gnutls_assert (); CLEAR_CERTS; return ret; } ret = gnutls_x509_crt_import (peer_certificate_list[i], &info->raw_certificate_list[i], GNUTLS_X509_FMT_DER); if (ret < 0) { gnutls_assert (); CLEAR_CERTS; return ret; } if (ret < 0) { gnutls_assert (); CLEAR_CERTS; return ret; } ret = check_bits (peer_certificate_list[i], cred->verify_bits); if (ret < 0) { gnutls_assert (); CLEAR_CERTS; return ret; } } /* Verify certificate */ ret = gnutls_x509_crt_list_verify (peer_certificate_list, peer_certificate_list_size, cred->x509_ca_list, cred->x509_ncas, cred->x509_crl_list, cred->x509_ncrls, cred->verify_flags | session->internals. priorities.additional_verify_flags, status); CLEAR_CERTS; if (ret < 0) { gnutls_assert (); return ret; } return 0; }