| blob | 9fb6c50bbbbf4dbf66a9d3c3c28b8e537a56e8b2 |
1 /*
2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 /* This file contains certificate authentication functions to be exported in the
24 * API which did not fit elsewhere.
25 */
27 #include <gnutls_int.h>
28 #include <auth/srp.h>
29 #include <auth/anon.h>
30 #include <auth/cert.h>
31 #include <auth/psk.h>
32 #include <gnutls_errors.h>
33 #include <gnutls_auth.h>
34 #include <gnutls_state.h>
35 #include <gnutls_datum.h>
36 #include <extras/randomart.h>
37 #include <read-file.h>
39 /**
40 * gnutls_random_art:
41 * @type: The type of the random art
42 * @key_type: The type of the key (RSA, DSA etc.)
43 * @key_size: The size of the key in bits
44 * @fpr: The fingerprint of the key
45 * @fpr_size: The size of the fingerprint
46 * @art: The returned random art
47 *
48 * This function will convert a given fingerprint to an "artistic"
49 * image. The returned image is allocated using gnutls_malloc()
50 *
51 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
52 * an error code is returned.
53 *
54 **/
59 {
70 }
72 /* ANON & DHE */
74 /**
75 * gnutls_dh_set_prime_bits:
76 * @session: is a #gnutls_session_t structure.
77 * @bits: is the number of bits
78 *
79 * This function sets the number of bits, for use in a Diffie-Hellman
80 * key exchange. This is used both in DH ephemeral and DH anonymous
81 * cipher suites. This will set the minimum size of the prime that
82 * will be used for the handshake.
83 *
84 * In the client side it sets the minimum accepted number of bits. If
85 * a server sends a prime with less bits than that
86 * %GNUTLS_E_DH_PRIME_UNACCEPTABLE will be returned by the handshake.
87 *
88 * Note that values lower than 512 bits may allow decryption of the
89 * exchanged data.
90 *
91 * This function has no effect in server side.
92 *
93 **/
94 void
96 {
97 if (bits <= 512) _gnutls_audit_log(session, "Note that the security level of the Diffie-Hellman key exchange has been lowered to %u bits and this may allow decryption of the session data\n", bits);
99 }
102 /**
103 * gnutls_dh_get_group:
104 * @session: is a gnutls session
105 * @raw_gen: will hold the generator.
106 * @raw_prime: will hold the prime.
107 *
108 * This function will return the group parameters used in the last
109 * Diffie-Hellman key exchange with the peer. These are the prime and
110 * the generator used. This function should be used for both
111 * anonymous and ephemeral Diffie-Hellman. The output parameters must
112 * be freed with gnutls_free().
113 *
114 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
115 * an error code is returned.
116 **/
117 int
120 {
123 anon_auth_info_t anon_info;
124 cert_auth_info_t cert_info;
125 psk_auth_info_t psk_info;
128 {
150 }
154 {
157 }
161 {
165 }
168 }
170 /**
171 * gnutls_dh_get_pubkey:
172 * @session: is a gnutls session
173 * @raw_key: will hold the public key.
174 *
175 * This function will return the peer's public key used in the last
176 * Diffie-Hellman key exchange. This function should be used for both
177 * anonymous and ephemeral Diffie-Hellman. The output parameters must
178 * be freed with gnutls_free().
179 *
180 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
181 * an error code is returned.
182 **/
183 int
185 {
187 anon_auth_info_t anon_info;
188 cert_auth_info_t cert_info;
189 cert_auth_info_t psk_info;
192 {
194 {
200 }
202 {
208 }
210 {
217 }
221 }
225 }
227 /**
228 * gnutls_rsa_export_get_pubkey:
229 * @session: is a gnutls session
230 * @exponent: will hold the exponent.
231 * @modulus: will hold the modulus.
232 *
233 * This function will return the peer's public key exponent and
234 * modulus used in the last RSA-EXPORT authentication. The output
235 * parameters must be freed with gnutls_free().
236 *
237 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
238 * an error code is returned.
239 **/
240 int
244 {
245 cert_auth_info_t info;
249 {
257 {
260 }
265 {
269 }
272 }
275 }
278 /**
279 * gnutls_dh_get_secret_bits:
280 * @session: is a gnutls session
281 *
282 * This function will return the bits used in the last Diffie-Hellman
283 * key exchange with the peer. Should be used for both anonymous and
284 * ephemeral Diffie-Hellman.
285 *
286 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
287 * an error code is returned.
288 **/
289 int
291 {
293 {
295 {
296 anon_auth_info_t info;
302 }
304 {
305 psk_auth_info_t info;
311 }
313 {
314 cert_auth_info_t info;
321 }
325 }
326 }
328 static int
330 {
331 bigint_t mpi;
336 {
339 }
345 }
347 /**
348 * gnutls_dh_get_prime_bits:
349 * @session: is a gnutls session
350 *
351 * This function will return the bits of the prime used in the last
352 * Diffie-Hellman key exchange with the peer. Should be used for both
353 * anonymous and ephemeral Diffie-Hellman. Note that some ciphers,
354 * like RSA and DSA without DHE, do not use a Diffie-Hellman key
355 * exchange, and then this function will return 0.
356 *
357 * Returns: The Diffie-Hellman bit strength is returned, or 0 if no
358 * Diffie-Hellman key exchange was done, or a negative error code on
359 * failure.
360 **/
361 int
363 {
367 {
369 {
370 anon_auth_info_t info;
377 }
379 {
380 psk_auth_info_t info;
387 }
389 {
390 cert_auth_info_t info;
398 }
402 }
405 }
407 /**
408 * gnutls_rsa_export_get_modulus_bits:
409 * @session: is a gnutls session
410 *
411 * Get the export RSA parameter's modulus size.
412 *
413 * Returns: The bits used in the last RSA-EXPORT key exchange with the
414 * peer, or a negative error code in case of error.
415 **/
416 int
418 {
419 cert_auth_info_t info;
426 }
428 /**
429 * gnutls_dh_get_peers_public_bits:
430 * @session: is a gnutls session
431 *
432 * Get the Diffie-Hellman public key bit size. Can be used for both
433 * anonymous and ephemeral Diffie-Hellman.
434 *
435 * Returns: The public key bit size used in the last Diffie-Hellman
436 * key exchange with the peer, or a negative error code in case of error.
437 **/
438 int
440 {
444 {
446 {
447 anon_auth_info_t info;
455 }
457 {
458 psk_auth_info_t info;
466 }
468 {
469 cert_auth_info_t info;
477 }
481 }
484 }
486 /* CERTIFICATE STUFF */
488 /**
489 * gnutls_certificate_get_ours:
490 * @session: is a gnutls session
491 *
492 * Gets the certificate as sent to the peer in the last handshake.
493 * The certificate is in raw (DER) format. No certificate
494 * list is being returned. Only the first certificate.
495 *
496 * Returns: a pointer to a #gnutls_datum_t containing our
497 * certificate, or %NULL in case of an error or if no certificate
498 * was used.
499 **/
502 {
503 gnutls_certificate_credentials_t cred;
510 {
513 }
519 }
521 /**
522 * gnutls_certificate_get_peers:
523 * @session: is a gnutls session
524 * @list_size: is the length of the certificate list
525 *
526 * Get the peer's raw certificate (chain) as sent by the peer. These
527 * certificates are in raw format (DER encoded for X.509). In case of
528 * a X.509 then a certificate list may be present. The first
529 * certificate in the list is the peer's certificate, following the
530 * issuer's certificate, then the issuer's issuer etc.
531 *
532 * In case of OpenPGP keys a single key will be returned in raw
533 * format.
534 *
535 * Returns: a pointer to a #gnutls_datum_t containing our
536 * certificates, or %NULL in case of an error or if no certificate
537 * was used.
538 **/
542 {
543 cert_auth_info_t info;
553 }
555 /**
556 * gnutls_certificate_get_peers_subkey_id:
557 * @session: is a gnutls session
558 * @id: will contain the ID
559 *
560 * Get the peer's subkey ID when OpenPGP certificates are
561 * used. The returned @id should be treated as constant.
562 *
563 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
564 * an error code is returned.
565 **/
568 {
569 cert_auth_info_t info;
581 }
583 /**
584 * gnutls_certificate_client_get_request_status:
585 * @session: is a gnutls session
586 *
587 * Get whether client certificate is requested or not.
588 *
589 * Returns: 0 if the peer (server) did not request client
590 * authentication or 1 otherwise, or a negative error code in case of
591 * error.
592 **/
593 int
595 {
597 }
599 /**
600 * gnutls_fingerprint:
601 * @algo: is a digest algorithm
602 * @data: is the data
603 * @result: is the place where the result will be copied (may be null).
604 * @result_size: should hold the size of the result. The actual size
605 * of the returned result will also be copied there.
606 *
607 * This function will calculate a fingerprint (actually a hash), of
608 * the given data. The result is not printable data. You should
609 * convert it to hex, or to something else printable.
610 *
611 * This is the usual way to calculate a fingerprint of an X.509 DER
612 * encoded certificate. Note however that the fingerprint of an
613 * OpenPGP is not just a hash and cannot be calculated with this
614 * function.
615 *
616 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
617 * an error code is returned.
618 **/
619 int
623 {
628 {
631 }
635 {
639 }
642 }
645 /**
646 * gnutls_certificate_set_dh_params:
647 * @res: is a gnutls_certificate_credentials_t structure
648 * @dh_params: is a structure that holds Diffie-Hellman parameters.
649 *
650 * This function will set the Diffie-Hellman parameters for a
651 * certificate server to use. These parameters will be used in
652 * Ephemeral Diffie-Hellman cipher suites. Note that only a pointer
653 * to the parameters are stored in the certificate handle, so if you
654 * deallocate the parameters before the certificate is deallocated,
655 * you must change the parameters stored in the certificate first.
656 *
657 **/
658 void
660 gnutls_dh_params_t dh_params)
661 {
663 }
665 /**
666 * gnutls_certificate_set_params_function:
667 * @res: is a gnutls_certificate_credentials_t structure
668 * @func: is the function to be called
669 *
670 * This function will set a callback in order for the server to get
671 * the Diffie-Hellman or RSA parameters for certificate
672 * authentication. The callback should return %GNUTLS_E_SUCCESS (0) on success.
673 **/
674 void
677 {
679 }
682 /**
683 * gnutls_certificate_set_verify_flags:
684 * @res: is a gnutls_certificate_credentials_t structure
685 * @flags: are the flags
686 *
687 * This function will set the flags to be used for verification
688 * of certificates and override any defaults. The provided flags must be an OR of the
689 * #gnutls_certificate_verify_flags enumerations.
690 *
691 **/
692 void
695 {
697 }
699 /**
700 * gnutls_certificate_set_verify_limits:
701 * @res: is a gnutls_certificate_credentials structure
702 * @max_bits: is the number of bits of an acceptable certificate (default 8200)
703 * @max_depth: is maximum depth of the verification of a certificate chain (default 5)
704 *
705 * This function will set some upper limits for the default
706 * verification function, gnutls_certificate_verify_peers2(), to avoid
707 * denial of service attacks. You can set them to zero to disable
708 * limits.
709 **/
710 void
714 {
717 }
719 /**
720 * gnutls_certificate_set_rsa_export_params:
721 * @res: is a gnutls_certificate_credentials_t structure
722 * @rsa_params: is a structure that holds temporary RSA parameters.
723 *
724 * This function will set the temporary RSA parameters for a
725 * certificate server to use. These parameters will be used in
726 * RSA-EXPORT cipher suites.
727 **/
728 void
731 {
733 }
735 /**
736 * gnutls_psk_set_params_function:
737 * @res: is a gnutls_psk_server_credentials_t structure
738 * @func: is the function to be called
739 *
740 * This function will set a callback in order for the server to get
741 * the Diffie-Hellman or RSA parameters for PSK authentication. The
742 * callback should return %GNUTLS_E_SUCCESS (0) on success.
743 **/
744 void
747 {
749 }
751 /**
752 * gnutls_anon_set_params_function:
753 * @res: is a gnutls_anon_server_credentials_t structure
754 * @func: is the function to be called
755 *
756 * This function will set a callback in order for the server to get
757 * the Diffie-Hellman or RSA parameters for anonymous authentication.
758 * The callback should return %GNUTLS_E_SUCCESS (0) on success.
759 **/
760 void
763 {
765 }
767 /**
768 * gnutls_load_file:
769 * @filename: the name of the file to load
770 * @data: Where the file will be stored
771 *
772 * This function will load a file into a datum. The data are
773 * zero terminated but the terminating null is not included in length.
774 * The returned data are allocated using gnutls_malloc().
775 *
776 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
777 * an error code is returned.
778 *
779 * Since 3.1.0
780 **/
782 {
790 {
796 }
801 }
803 /**
804 * gnutls_url_is_supported:
805 * @url: A PKCS 11 url
806 *
807 * Check whether url is supported. Depending on the system libraries
808 * GnuTLS may support pkcs11 or tpmkey URLs.
809 *
810 * Returns: return non-zero if the given URL is supported, and zero if
811 * it is not known.
812 *
813 * Since: 3.1.0
814 **/
815 int
817 {
818 #ifdef ENABLE_PKCS11
821 #endif
822 #ifdef HAVE_TROUSERS
825 #endif
827 }
829 /**
830 * gnutls_ocsp_status_request_is_checked:
831 * @session: is a gnutls session
832 * @flags: should be zero
833 *
834 * Check whether an OCSP status response was included in the handshake
835 * and whether it was checked and valid (not too old or superseded).
836 * This is a helper function when needing to decide whether to perform an
837 * OCSP validity check on the peer's certificate. Must be called after
838 * gnutls_certificate_verify_peers3() is called.
839 *
840 * Returns: non zero it was valid, or a zero if it wasn't sent,
841 * or sent and was invalid.
842 **/
843 int
845 {
847 }