static CRYPT_ATTRIBUTE_TYPE checkClientParameters( const SESSION_INFO *sessionInfoPtr )
{
assert( isReadPtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) );
/* Make sure that the network comms parameters are present */
if( sessionInfoPtr->transportSession == CRYPT_ERROR && \
sessionInfoPtr->networkSocket == CRYPT_ERROR && \
findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_SERVER_NAME ) == NULL )
return( CRYPT_SESSINFO_SERVER_NAME );
/* Make sure that the username + password and/or user private key are
present if required */
if( ( sessionInfoPtr->clientReqAttrFlags & SESSION_NEEDS_USERID ) && \
findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_USERNAME ) == NULL )
return( CRYPT_SESSINFO_USERNAME );
if( ( sessionInfoPtr->clientReqAttrFlags & SESSION_NEEDS_PASSWORD ) && \
findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_PASSWORD ) == NULL )
{
/* There's no password present, see if we can use a private key as
an alternative */
if( !( sessionInfoPtr->clientReqAttrFlags & \
SESSION_NEEDS_KEYORPASSWORD ) || \
sessionInfoPtr->privateKey == CRYPT_ERROR )
return( CRYPT_SESSINFO_PASSWORD );
}
if( ( sessionInfoPtr->clientReqAttrFlags & SESSION_NEEDS_PRIVATEKEY ) && \
sessionInfoPtr->privateKey == CRYPT_ERROR )
{
/* There's no private key present, see if we can use a password as
an alternative */
if( !( sessionInfoPtr->clientReqAttrFlags & \
SESSION_NEEDS_KEYORPASSWORD ) || \
findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_PASSWORD ) == NULL )
return( CRYPT_SESSINFO_PRIVATEKEY );
}
/* Make sure that request/response protocol data is present if required */
if( ( sessionInfoPtr->clientReqAttrFlags & SESSION_NEEDS_REQUEST ) && \
sessionInfoPtr->iCertRequest == CRYPT_ERROR )
return( CRYPT_SESSINFO_REQUEST );
return( CRYPT_ATTRIBUTE_NONE );
}
static int updateMacInfo( INOUT SESSION_INFO *sessionInfoPtr,
INOUT CMP_PROTOCOL_INFO *protocolInfo,
INOUT STREAM *stream,
const BOOLEAN isRevocation )
{
const ATTRIBUTE_LIST *passwordPtr = \
findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_PASSWORD );
BYTE macKey[ 64 + 8 ];
BOOLEAN decodedMacKey = FALSE;
const void *macKeyPtr;
const int streamPos = stell( stream );
int macKeyLength, status;
REQUIRES( passwordPtr != NULL );
sseek( stream, protocolInfo->macInfoPos );
if( isRevocation && protocolInfo->altMacKeySize > 0 )
{
/* If it's a revocation and we're using a distinct revocation
password (which we've already decoded into a MAC key), use
that */
macKeyPtr = protocolInfo->altMacKey;
macKeyLength = protocolInfo->altMacKeySize;
}
else
{
/* It's a standard issue (or we're using the same password/key
for the issue and revocation), use that */
if( passwordPtr->flags & ATTR_FLAG_ENCODEDVALUE )
{
/* It's an encoded value, get the decoded form */
macKeyPtr = macKey;
status = decodePKIUserValue( macKey, 64, &macKeyLength,
passwordPtr->value,
passwordPtr->valueLength );
ENSURES( cryptStatusOK( status ) );
decodedMacKey = TRUE;
}
else
{
macKeyPtr = passwordPtr->value;
macKeyLength = passwordPtr->valueLength;
}
}
status = readMacInfo( stream, protocolInfo, macKeyPtr,
macKeyLength, SESSION_ERRINFO );
if( decodedMacKey )
zeroise( macKey, 64 );
if( cryptStatusError( status ) )
return( status );
sseek( stream, streamPos );
return( CRYPT_OK );
}
static CRYPT_ATTRIBUTE_TYPE checkServerParameters( const SESSION_INFO *sessionInfoPtr )
{
assert( isReadPtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) );
/* Make sure that server key and keyset information is present if
required */
if( ( sessionInfoPtr->serverReqAttrFlags & SESSION_NEEDS_PRIVATEKEY ) && \
sessionInfoPtr->privateKey == CRYPT_ERROR )
{
/* There's no private key present, see if we can use a username +
password as an alternative */
if( !( sessionInfoPtr->serverReqAttrFlags & \
SESSION_NEEDS_KEYORPASSWORD ) || \
findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_PASSWORD ) == NULL )
return( CRYPT_SESSINFO_PRIVATEKEY );
}
if( ( sessionInfoPtr->serverReqAttrFlags & SESSION_NEEDS_KEYSET ) && \
sessionInfoPtr->cryptKeyset == CRYPT_ERROR )
return( CRYPT_SESSINFO_KEYSET );
return( CRYPT_ATTRIBUTE_NONE );
}
* *
* Utility Functions *
* *
****************************************************************************/
/* Generate/check an SSH key fingerprint. This is simply an MD5 hash of the
server's key/certificate data */
CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \
static int processKeyFingerprint( INOUT SESSION_INFO *sessionInfoPtr,
IN_BUFFER( keyDataLength ) const void *keyData,
IN_LENGTH_SHORT const int keyDataLength )
{
HASHFUNCTION_ATOMIC hashFunctionAtomic;
const ATTRIBUTE_LIST *attributeListPtr = \
findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_SERVER_FINGERPRINT );
BYTE fingerPrint[ CRYPT_MAX_HASHSIZE + 8 ];
int hashSize;
assert( isReadPtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) );
assert( isReadPtr( keyData, keyDataLength ) );
REQUIRES( keyDataLength > 0 && keyDataLength < MAX_INTLENGTH_SHORT );
getHashAtomicParameters( CRYPT_ALGO_MD5, 0, &hashFunctionAtomic,
&hashSize );
hashFunctionAtomic( fingerPrint, CRYPT_MAX_HASHSIZE,
keyData, keyDataLength );
if( attributeListPtr == NULL )
{
/* Remember the value for the caller */
static int checkPkiUserInfo( INOUT SESSION_INFO *sessionInfoPtr,
INOUT SCEP_PROTOCOL_INFO *protocolInfo )
{
const ATTRIBUTE_LIST *userNamePtr = \
findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_USERNAME );
MESSAGE_KEYMGMT_INFO getkeyInfo;
MESSAGE_DATA msgData;
BYTE keyID[ 64 + 8 ];
BYTE requestPassword[ CRYPT_MAX_TEXTSIZE + 8 ];
BYTE userPassword[ CRYPT_MAX_TEXTSIZE + 8 ];
int requestPasswordSize, userPasswordSize = DUMMY_INIT;
int keyIDsize, status;
assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) );
assert( isWritePtr( protocolInfo, sizeof( SCEP_PROTOCOL_INFO ) ) );
REQUIRES( userNamePtr != NULL );
/* Get the password from the PKCS #10 request */
setMessageData( &msgData, requestPassword, CRYPT_MAX_TEXTSIZE );
status = krnlSendMessage( sessionInfoPtr->iCertRequest,
IMESSAGE_GETATTRIBUTE_S, &msgData,
CRYPT_CERTINFO_CHALLENGEPASSWORD );
if( cryptStatusError( status ) )
{
retExt( status,
( status, SESSION_ERRINFO,
"Couldn't get challenge password from PKCS #10 request" ) );
}
requestPasswordSize = msgData.length;
/* Since it's a cryptlib encoded user ID we need to decode it before we
can look up a PKI user with it */
REQUIRES( userNamePtr->flags & ATTR_FLAG_ENCODEDVALUE );
status = decodePKIUserValue( keyID, 64, &keyIDsize,
userNamePtr->value,
userNamePtr->valueLength );
ENSURES( cryptStatusOK( status ) );
/* Get the user information for the request from the certificate
store */
setMessageKeymgmtInfo( &getkeyInfo, CRYPT_IKEYID_KEYID, keyID,
keyIDsize, NULL, 0, KEYMGMT_FLAG_NONE );
status = krnlSendMessage( sessionInfoPtr->cryptKeyset,
IMESSAGE_KEY_GETKEY, &getkeyInfo,
KEYMGMT_ITEM_PKIUSER );
if( cryptStatusError( status ) )
{
char userID[ CRYPT_MAX_TEXTSIZE + 8 ];
int userIDlen;
zeroise( requestPassword, CRYPT_MAX_TEXTSIZE );
userIDlen = min( userNamePtr->valueLength, CRYPT_MAX_TEXTSIZE );
memcpy( userID, userNamePtr->value, userIDlen );
retExtObj( status,
( status, SESSION_ERRINFO, sessionInfoPtr->cryptKeyset,
"Couldn't find PKI user information for %s",
sanitiseString( userID, CRYPT_MAX_TEXTSIZE,
userIDlen ) ) );
}
/* Get the password from the PKI user object */
setMessageData( &msgData, userPassword, CRYPT_MAX_TEXTSIZE );
status = krnlSendMessage( getkeyInfo.cryptHandle,
IMESSAGE_GETATTRIBUTE_S, &msgData,
CRYPT_CERTINFO_PKIUSER_ISSUEPASSWORD );
if( cryptStatusOK( status ) )
{
userPasswordSize = msgData.length;
status = updateSessionInfo( &sessionInfoPtr->attributeList,
CRYPT_SESSINFO_PASSWORD,
userPassword, userPasswordSize,
CRYPT_MAX_TEXTSIZE,
ATTR_FLAG_ENCODEDVALUE );
}
if( cryptStatusError( status ) )
{
zeroise( requestPassword, CRYPT_MAX_TEXTSIZE );
zeroise( userPassword, CRYPT_MAX_TEXTSIZE );
krnlSendNotifier( getkeyInfo.cryptHandle, IMESSAGE_DECREFCOUNT );
retExt( status,
( status, SESSION_ERRINFO,
"Couldn't copy read PKI user data from PKI user object "
"into session object" ) );
}
/* Make sure that the password matches the one in the request */
if( userPasswordSize != requestPasswordSize || \
!compareDataConstTime( userPassword, requestPassword,
userPasswordSize ) )
{
zeroise( requestPassword, CRYPT_MAX_TEXTSIZE );
zeroise( userPassword, CRYPT_MAX_TEXTSIZE );
krnlSendNotifier( getkeyInfo.cryptHandle, IMESSAGE_DECREFCOUNT );
retExt( status,
( status, SESSION_ERRINFO,
"Password in PKCS #10 request doesn't match PKI user "
"password" ) );
}
zeroise( userPassword, CRYPT_MAX_TEXTSIZE );
/* If the subject only knows their CN, they may send a CN-only subject DN
in the hope that we can fill it in for them. In addition there may be
other constraints that the CA wants to apply, these are handled by
applying the PKI user information to the request */
status = krnlSendMessage( sessionInfoPtr->iCertRequest,
IMESSAGE_SETATTRIBUTE, &getkeyInfo.cryptHandle,
CRYPT_IATTRIBUTE_PKIUSERINFO );
krnlSendNotifier( getkeyInfo.cryptHandle, IMESSAGE_DECREFCOUNT );
if( cryptStatusError( status ) )
{
retExt( CRYPT_ERROR_INVALID,
( CRYPT_ERROR_INVALID, SESSION_ERRINFO,
"User information in PKCS #10 request can't be "
"reconciled with stored information for the user" ) );
}
return( CRYPT_OK );
}
int initSessionNetConnectInfo( const SESSION_INFO *sessionInfoPtr,
OUT NET_CONNECT_INFO *connectInfo )
{
const ATTRIBUTE_LIST *clientNamePtr, *serverNamePtr, *portInfoPtr;
assert( isReadPtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) );
assert( isWritePtr( connectInfo, sizeof( NET_CONNECT_INFO ) ) );
initNetConnectInfo( connectInfo, sessionInfoPtr->ownerHandle,
sessionInfoPtr->readTimeout, sessionInfoPtr->connectTimeout,
( sessionInfoPtr->transportSession != CRYPT_ERROR ) ? \
NET_OPTION_TRANSPORTSESSION : \
( sessionInfoPtr->networkSocket != CRYPT_ERROR ) ? \
NET_OPTION_NETWORKSOCKET : NET_OPTION_HOSTNAME );
/* If the user has supplied the network transport information, there's
nothing further to do */
if( sessionInfoPtr->transportSession != CRYPT_ERROR )
{
connectInfo->iCryptSession = sessionInfoPtr->transportSession;
return( CRYPT_OK );
}
if( sessionInfoPtr->networkSocket != CRYPT_ERROR )
{
connectInfo->networkSocket = sessionInfoPtr->networkSocket;
return( CRYPT_OK );
}
/* If there are explicit client and/or server names set, record them.
For a client the server name is the remote system to connect to
and the client name is the optional local interface to bind to, for
the server the server name is the optional local interface to bind
to */
clientNamePtr = findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_CLIENT_NAME );
serverNamePtr = findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_SERVER_NAME );
if( isServer( sessionInfoPtr ) )
{
if( serverNamePtr != NULL )
{
connectInfo->interface = serverNamePtr->value;
connectInfo->interfaceLength = serverNamePtr->valueLength;
}
}
else
{
REQUIRES( serverNamePtr != NULL );
connectInfo->name = serverNamePtr->value;
connectInfo->nameLength = serverNamePtr->valueLength;
if( clientNamePtr != NULL )
{
connectInfo->interface = clientNamePtr->value;
connectInfo->interfaceLength = clientNamePtr->valueLength;
}
}
/* If there's an explicit port set, connect/bind to it, otherwise use the
default port for the protocol */
if( ( portInfoPtr = \
findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_SERVER_PORT ) ) != NULL )
connectInfo->port = portInfoPtr->intValue;
else
connectInfo->port = sessionInfoPtr->protocolInfo->port;
return( CRYPT_OK );
}
static int activateConnection( INOUT SESSION_INFO *sessionInfoPtr )
{
CRYPT_ATTRIBUTE_TYPE errorAttribute;
int status;
assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) );
/* Make sure that everything is set up ready to go */
errorAttribute = isServer( sessionInfoPtr ) ? \
checkServerParameters( sessionInfoPtr ) : \
checkClientParameters( sessionInfoPtr );
if( errorAttribute != CRYPT_ATTRIBUTE_NONE )
{
setErrorInfo( sessionInfoPtr, errorAttribute,
CRYPT_ERRTYPE_ATTR_ABSENT );
return( CRYPT_ERROR_NOTINITED );
}
ENSURES( isServer( sessionInfoPtr ) || \
findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_SERVER_NAME ) != NULL || \
sessionInfoPtr->networkSocket != CRYPT_ERROR );
ENSURES( findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_SERVER_PORT ) != NULL || \
sessionInfoPtr->protocolInfo->port > 0 );
/* Allocate the send and receive buffers if necessary. The send buffer
isn't used for request-response session types that use the receive
buffer for both outgoing and incoming data so we only allocate it if
it's actually required */
if( sessionInfoPtr->sendBuffer == NULL )
{
REQUIRES( sessionInfoPtr->receiveBufSize >= MIN_BUFFER_SIZE && \
sessionInfoPtr->receiveBufSize < MAX_BUFFER_SIZE );
REQUIRES( ( sessionInfoPtr->sendBufSize >= MIN_BUFFER_SIZE && \
sessionInfoPtr->sendBufSize < MAX_BUFFER_SIZE ) || \
sessionInfoPtr->sendBufSize == CRYPT_UNUSED );
if( ( sessionInfoPtr->receiveBuffer = \
clAlloc( "activateConnection", \
sessionInfoPtr->receiveBufSize + 8 ) ) == NULL )
return( CRYPT_ERROR_MEMORY );
if( sessionInfoPtr->sendBufSize != CRYPT_UNUSED )
{
/* When allocating the send buffer we use the size given for the
receive buffer since the user may have overridden the default
buffer size */
if( ( sessionInfoPtr->sendBuffer = \
clAlloc( "activateConnection", \
sessionInfoPtr->receiveBufSize + 8 ) ) == NULL )
{
clFree( "activateConnection", sessionInfoPtr->receiveBuffer );
sessionInfoPtr->receiveBuffer = NULL;
return( CRYPT_ERROR_MEMORY );
}
sessionInfoPtr->sendBufSize = sessionInfoPtr->receiveBufSize;
}
}
ENSURES( sessionInfoPtr->receiveBuffer != NULL && \
sessionInfoPtr->receiveBufSize >= MIN_BUFFER_SIZE && \
sessionInfoPtr->receiveBufSize < MAX_BUFFER_SIZE );
ENSURES( sessionInfoPtr->sendBufSize == CRYPT_UNUSED || \
sessionInfoPtr->sendBuffer != NULL );
/* Set timeouts if they're not set yet. If there's an error then we use
the default value rather than aborting the entire session because of
a minor difference in timeout values, although we also warn the
caller in debug mode */
if( sessionInfoPtr->connectTimeout == CRYPT_ERROR )
{
int timeout;
status = krnlSendMessage( sessionInfoPtr->ownerHandle,
IMESSAGE_GETATTRIBUTE, &timeout,
CRYPT_OPTION_NET_CONNECTTIMEOUT );
if( cryptStatusOK( status ) )
sessionInfoPtr->connectTimeout = timeout;
else
{
DEBUG_DIAG(( "Couldn't get connect timeout config value" ));
assert( DEBUG_WARN );
sessionInfoPtr->connectTimeout = 30;
}
}
if( sessionInfoPtr->readTimeout == CRYPT_ERROR )
{
int timeout;
status = krnlSendMessage( sessionInfoPtr->ownerHandle,
IMESSAGE_GETATTRIBUTE, &timeout,
CRYPT_OPTION_NET_READTIMEOUT );
if( cryptStatusOK( status ) )
sessionInfoPtr->readTimeout = timeout;
else
{
DEBUG_DIAG(( "Couldn't get read timeout config value" ));
assert( DEBUG_WARN );
sessionInfoPtr->readTimeout = 30;
}
}
if( sessionInfoPtr->writeTimeout == CRYPT_ERROR )
{
int timeout;
status = krnlSendMessage( sessionInfoPtr->ownerHandle,
IMESSAGE_GETATTRIBUTE, &timeout,
CRYPT_OPTION_NET_WRITETIMEOUT );
if( cryptStatusOK( status ) )
sessionInfoPtr->writeTimeout = timeout;
else
{
DEBUG_DIAG(( "Couldn't get write timeout config value" ));
assert( DEBUG_WARN );
sessionInfoPtr->writeTimeout = 30;
}
}
/* Wait for any async driver binding to complete. We can delay this
until this very late stage because no networking functionality is
used until this point */
if( !krnlWaitSemaphore( SEMAPHORE_DRIVERBIND ) )
{
/* The kernel is shutting down, bail out */
return( CRYPT_ERROR_PERMISSION );
}
/* If this is the first time that we've got here, activate the session */
if( !( sessionInfoPtr->flags & SESSION_PARTIALOPEN ) )
{
REQUIRES( !( sessionInfoPtr->flags & SESSION_ISOPEN ) )
status = sessionInfoPtr->connectFunction( sessionInfoPtr );
if( cryptStatusError( status ) )
return( status );
}
/* If it's a secure data transport session, complete the session state
setup. Note that some sessions dynamically change the protocol
information during the handshake to accommodate parameters negotiated
during the handshake so we can only access the protocol information
after the handshake has completed */
if( !sessionInfoPtr->protocolInfo->isReqResp )
{
/* Complete the session handshake to set up the secure state */
status = sessionInfoPtr->transactFunction( sessionInfoPtr );
if( cryptStatusError( status ) )
{
/* If we need feedback from the user before we can complete the
handshake (for example checking a user name and password or
certificate supplied by the other side) we remain in the
handshake state so that the user can re-activate the session
after confirming (or denying) the check */
if( status == CRYPT_ENVELOPE_RESOURCE )
sessionInfoPtr->flags |= SESSION_PARTIALOPEN;
return( status );
}
/* Notify the kernel that the session key context is attached to the
session object. Note that we increment its reference count even
though it's an internal object used only by the session because
otherwise it'll be automatically destroyed by the kernel as a
zero-reference dependent object when the session object is
destroyed (but before the session object itself since the context
is just a dependent object). This automatic cleanup could cause
problems for lower-level session management code that tries to
work with the (apparently still-valid) handle, for example
protocols that need to encrypt a close-channel message on session
shutdown */
krnlSendMessage( sessionInfoPtr->objectHandle, IMESSAGE_SETDEPENDENT,
&sessionInfoPtr->iCryptInContext,
SETDEP_OPTION_INCREF );
/* Set up the buffer management variables */
sessionInfoPtr->receiveBufPos = sessionInfoPtr->receiveBufEnd = 0;
sessionInfoPtr->sendBufPos = sessionInfoPtr->sendBufStartOfs;
/* For data transport sessions, partial reads and writes (that is,
sending and receiving partial packets in the presence of
timeouts) are permitted */
sioctlSet( &sessionInfoPtr->stream, STREAM_IOCTL_PARTIALREAD, TRUE );
sioctlSet( &sessionInfoPtr->stream, STREAM_IOCTL_PARTIALWRITE, TRUE );
}
/* The handshake has been completed, switch from the handshake timeout
to the data transfer timeout and remember that the session has been
successfully established */
sioctlSet( &sessionInfoPtr->stream, STREAM_IOCTL_HANDSHAKECOMPLETE, TRUE );
sessionInfoPtr->flags &= ~SESSION_PARTIALOPEN;
sessionInfoPtr->flags |= SESSION_ISOPEN;
return( CRYPT_OK );
}
BOOLEAN checkAttributesConsistent( INOUT SESSION_INFO *sessionInfoPtr,
IN_ATTRIBUTE const CRYPT_ATTRIBUTE_TYPE attribute )
{
static const MAP_TABLE excludedAttrTbl[] = {
{ CRYPT_SESSINFO_REQUEST,
CHECK_ATTR_REQUEST | CHECK_ATTR_PRIVKEY | CHECK_ATTR_PRIVKEYSET },
{ CRYPT_SESSINFO_PRIVATEKEY,
CHECK_ATTR_PRIVKEY | CHECK_ATTR_PRIVKEYSET },
{ CRYPT_SESSINFO_CACERTIFICATE,
CHECK_ATTR_CACERT | CHECK_ATTR_FINGERPRINT },
{ CRYPT_SESSINFO_SERVER_FINGERPRINT_SHA1,
CHECK_ATTR_FINGERPRINT | CHECK_ATTR_CACERT },
{ CRYPT_ERROR, 0 }, { CRYPT_ERROR, 0 }
};
int flags = 0, status;
assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) );
REQUIRES_B( attribute == CRYPT_SESSINFO_REQUEST || \
attribute == CRYPT_SESSINFO_PRIVATEKEY || \
attribute == CRYPT_SESSINFO_CACERTIFICATE || \
attribute == CRYPT_SESSINFO_SERVER_FINGERPRINT_SHA1 );
/* Find the excluded-attribute information for this attribute */
status = mapValue( attribute, &flags, excludedAttrTbl,
FAILSAFE_ARRAYSIZE( excludedAttrTbl, MAP_TABLE ) );
ENSURES( cryptStatusOK( status ) );
/* Make sure that none of the excluded attributes are present */
if( ( flags & CHECK_ATTR_REQUEST ) && \
sessionInfoPtr->iCertRequest != CRYPT_ERROR )
{
setErrorInfo( sessionInfoPtr, CRYPT_SESSINFO_REQUEST,
CRYPT_ERRTYPE_ATTR_PRESENT );
return( FALSE );
}
if( ( flags & CHECK_ATTR_PRIVKEYSET ) && \
sessionInfoPtr->privKeyset != CRYPT_ERROR )
{
setErrorInfo( sessionInfoPtr, CRYPT_SESSINFO_CMP_PRIVKEYSET,
CRYPT_ERRTYPE_ATTR_PRESENT );
return( FALSE );
}
if( ( flags & CHECK_ATTR_CACERT ) && \
sessionInfoPtr->iAuthInContext != CRYPT_ERROR )
{
setErrorInfo( sessionInfoPtr, CRYPT_SESSINFO_CACERTIFICATE,
CRYPT_ERRTYPE_ATTR_PRESENT );
return( FALSE );
}
if( ( flags & CHECK_ATTR_FINGERPRINT ) && \
findSessionInfo( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_SERVER_FINGERPRINT_SHA1 ) != NULL )
{
setErrorInfo( sessionInfoPtr, CRYPT_SESSINFO_SERVER_FINGERPRINT_SHA1,
CRYPT_ERRTYPE_ATTR_PRESENT );
return( FALSE );
}
return( TRUE );
}
