
[SCM] GNU gnutls branch, new, updated. gnutls_2_9_10-38-g0b9c265


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, new, updated. gnutls_2_9_10-38-g0b9c265
Date: Sun, 16 May 2010 09:16:16 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=0b9c265d62e4e72fdbfa24b0bae8843a63c0f4b3

The branch, new has been updated
       via  0b9c265d62e4e72fdbfa24b0bae8843a63c0f4b3 (commit)
       via  f019bad4c364d608ede6df4a976bd45573612cba (commit)
       via  5bfa5071d7136e831fb2569f802232a887e750a0 (commit)
       via  cf96a1c38546172dfd4873f07914770dc1bfd910 (commit)
      from  9872e884158b89c5c75c9cd12b7c1f27af7a75c1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 0b9c265d62e4e72fdbfa24b0bae8843a63c0f4b3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun May 16 11:13:21 2010 +0200

    Updated self tests and examples to avoid using deprecated functions such as
    gnutls_certificate_server_set_retrieve_function and the sign callback.

commit f019bad4c364d608ede6df4a976bd45573612cba
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun May 16 11:04:23 2010 +0200

    Use the new callback function.

commit 5bfa5071d7136e831fb2569f802232a887e750a0
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun May 16 10:56:13 2010 +0200

    Added documentation for most of the new functions.

commit cf96a1c38546172dfd4873f07914770dc1bfd910
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun May 16 09:42:35 2010 +0200

    Documented that the PKCS #11 code was initially based on neon's PKCS #11
    support and that further ideas came from the pkcs11-helper library.

-----------------------------------------------------------------------

Summary of changes:
 doc/examples/ex-cert-select.c  |    9 +-
 lib/gnutls_privkey.c           |  108 ++++++++-
 lib/gnutlsxx.cpp               |   12 +-
 lib/includes/gnutls/gnutlsxx.h |    7 +-
 lib/includes/gnutls/pkcs11.h   |    1 +
 lib/includes/gnutls/privkey.h  |    2 +-
 lib/libgnutls.map              |    1 +
 lib/pkcs11.c                   |  210 ++++++++++++++---
 lib/pkcs11_int.h               |    2 +-
 lib/pkcs11_privkey.c           |   89 +++++++-
 lib/x509/privkey.c             |    2 +-
 src/tests.c                    |    6 +-
 tests/Makefile.am              |    2 +-
 tests/pkcs12_s2k.c             |    8 +-
 tests/x509dn.c                 |    4 +-
 tests/x509signself.c           |  509 ----------------------------------------
 16 files changed, 394 insertions(+), 578 deletions(-)
 delete mode 100644 tests/x509signself.c

diff --git a/doc/examples/ex-cert-select.c b/doc/examples/ex-cert-select.c
index fe38ac2..316ca77 100644
--- a/doc/examples/ex-cert-select.c
+++ b/doc/examples/ex-cert-select.c
@@ -33,7 +33,7 @@ extern void tcp_close (int sd);
 static int cert_callback (gnutls_session_t session,
                          const gnutls_datum_t * req_ca_rdn, int nreqs,
                          const gnutls_pk_algorithm_t * sign_algos,
-                         int sign_algos_length, gnutls_retr_st * st);
+                         int sign_algos_length, gnutls_retr2_st * st);
 
 gnutls_x509_crt_t crt;
 gnutls_x509_privkey_t key;
@@ -143,7 +143,7 @@ main (void)
    */
   gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
 
-  gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
+  gnutls_certificate_set_retrieve_function (xcred, cert_callback);
 
   /* Initialize TLS session 
    */
@@ -225,7 +225,7 @@ static int
 cert_callback (gnutls_session_t session,
               const gnutls_datum_t * req_ca_rdn, int nreqs,
               const gnutls_pk_algorithm_t * sign_algos,
-              int sign_algos_length, gnutls_retr_st * st)
+              int sign_algos_length, gnutls_retr2_st * st)
 {
   char issuer_dn[256];
   int i, ret;
@@ -300,11 +300,12 @@ cert_callback (gnutls_session_t session,
          return -1;
        }
 
-      st->type = type;
+      st->cert_type = type;
       st->ncerts = 1;
 
       st->cert.x509 = &crt;
       st->key.x509 = key;
+      st->key_type = GNUTLS_PRIVKEY_X509;
 
       st->deinit_all = 0;
     }
diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c
index 9917f71..852333d 100644
--- a/lib/gnutls_privkey.c
+++ b/lib/gnutls_privkey.c
@@ -48,11 +48,33 @@ struct gnutls_privkey_st {
        unsigned int flags;
 };
 
-int gnutls_privkey_get_type (gnutls_privkey_t key)
+/**
+ * gnutls_privkey_get_type:
+ * @key: should contain a #gnutls_privkey_t structure
+ *
+ * This function will return the type of the private key. This is
+ * actually the type of the subsystem used to set this private key.
+ *
+ * Returns: a member of the #gnutls_privkey_type_t enumeration on
+ *   success, or a negative value on error.
+ **/
+gnutls_privkey_type_t gnutls_privkey_get_type (gnutls_privkey_t key)
 {
        return key->type;
 }
 
+/**
+ * gnutls_privkey_get_pk_algorithm:
+ * @key: should contain a #gnutls_privkey_t structure
+ * @bits: If set will return the number of bits of the parameters (may be NULL)
+ *
+ * This function will return the public key algorithm of a private
+ * key and if possible will return a number of bits that indicates
+ * the security parameter of the key.
+ *
+ * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
+ *   success, or a negative value on error.
+ **/
 int gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key, unsigned int* bits)
 {
        switch(key->type) {
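Review bot: The new comment on gnutls_privkey_get_type promises `or a negative value on error`, yet the function now returns the gnutls_privkey_type_t enum and its whole body is an unconditional `return key->type;`, so a caller testing for `< 0` is checking a condition that can never occur. Make the contract match the signature, e.g. ` * Returns: the #gnutls_privkey_type_t of the key; this function cannot fail.` Since privkey.h in this same push changes the public prototype from int to the enum, any caller that compared the result with a negative error code should be reviewed. The gnutls_privkey_get_pk_algorithm comment in the same hunk is consistent, as that function still returns int; its body continues past the hunk.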
@@ -71,6 +93,15 @@ int gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key, 
unsigned int* bits)
 
 }
 
+/**
+ * gnutls_privkey_init:
+ * @key: The structure to be initialized
+ *
+ * This function will initialize an private key structure.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_privkey_init(gnutls_privkey_t * key)
 {
        *key = gnutls_calloc(1, sizeof(struct gnutls_privkey_st));
@@ -82,6 +113,12 @@ int gnutls_privkey_init(gnutls_privkey_t * key)
        return 0;
 }
 
+/**
+ * gnutls_privkey_deinit:
+ * @key: The structure to be deinitialized
+ *
+ * This function will deinitialize a private key structure.
+ **/
 void gnutls_privkey_deinit(gnutls_privkey_t key)
 {
        if (key->flags & GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE)
@@ -96,6 +133,18 @@ void gnutls_privkey_deinit(gnutls_privkey_t key)
        gnutls_free(key);
 }
 
+/**
+ * gnutls_privkey_import_pkcs11:
+ * @pkey: The private key
+ * @key: The private key to be imported
+ * @flags: should be zero
+ *
+ * This function will import the given private key to the abstract
+ * #gnutls_privkey_t structure.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_privkey_import_pkcs11 (gnutls_privkey_t pkey, 
gnutls_pkcs11_privkey_t key, unsigned int flags)
 {
        pkey->key.pkcs11 = key;
@@ -106,6 +155,18 @@ int gnutls_privkey_import_pkcs11 (gnutls_privkey_t pkey, 
gnutls_pkcs11_privkey_t
        return 0;
 }
 
+/**
+ * gnutls_privkey_import_x509:
+ * @pkey: The private key
+ * @key: The private key to be imported
+ * @flags: should be zero
+ *
+ * This function will import the given private key to the abstract
+ * #gnutls_privkey_t structure.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_privkey_import_x509 (gnutls_privkey_t pkey, gnutls_x509_privkey_t 
key, unsigned int flags)
 {
         pkey->key.x509 = key;
@@ -116,6 +177,18 @@ int gnutls_privkey_import_x509 (gnutls_privkey_t pkey, 
gnutls_x509_privkey_t key
        return 0;
 }
 
+/**
+ * gnutls_privkey_import_openpgp:
+ * @pkey: The private key
+ * @key: The private key to be imported
+ * @flags: should be zero
+ *
+ * This function will import the given private key to the abstract
+ * #gnutls_privkey_t structure.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_privkey_import_openpgp (gnutls_privkey_t pkey, 
gnutls_openpgp_privkey_t key, unsigned int flags)
 {
        pkey->key.openpgp = key;
@@ -139,10 +212,6 @@ int gnutls_privkey_import_openpgp (gnutls_privkey_t pkey, 
gnutls_openpgp_privkey
  * together with a hash functions.  Different hash functions may be
  * used for the RSA algorithm, but only SHA-1 for the DSA keys.
  *
- * If the buffer provided is not long enough to hold the output, then
- * address@hidden is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
- * be returned.
- *
  * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
  * negative error value.
  **/
@@ -188,9 +257,21 @@ gnutls_privkey_sign_data(gnutls_privkey_t signer,
        return 0;
 }
 
+/**
+ * gnutls_privkey_sign_hash:
+ * @key: Holds the key
+ * @data: holds the data to be signed
+ * @signature: will contain the signature allocate with gnutls_malloc()
+ *
+ * This function will sign the given data using a signature algorithm
+ * supported by the private key. 
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
 int gnutls_privkey_sign_hash (gnutls_privkey_t key,
-                                const gnutls_datum_t * hash,
-                                gnutls_datum_t * signature)
+                       const gnutls_datum_t * hash,
+                       gnutls_datum_t * signature)
 {
        switch(key->type) {
                case GNUTLS_PRIVKEY_OPENPGP:
@@ -205,6 +286,19 @@ int gnutls_privkey_sign_hash (gnutls_privkey_t key,
        }
 }
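Review bot: The new comment for gnutls_privkey_sign_hash documents a parameter `@data` that does not exist; the argument is named `hash`, so gtk-doc will report a mismatch and the reader is not told that the input must already be a digest rather than arbitrary data. Use the wording the PKCS #11 counterpart in this push uses: ` * @hash: holds the data to be signed (should be output of a hash)`, and say in the description that a pre-computed hash is signed. The hash-algorithm restrictions stated for gnutls_privkey_sign_data in the previous hunk (any supported hash for RSA, SHA-1 only for DSA) apply to the digest passed here as well and could be cross-referenced.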
 
+/**
+ * gnutls_privkey_decrypt_data:
+ * @key: Holds the key
+ * @flags: zero for now
+ * @ciphertext: holds the data to be decrypted
+ * @plaintext: will contain the decrypted data, allocated with gnutls_malloc()
+ *
+ * This function will decrypt the given data using the algorithm
+ * supported by the private key. 
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
 int gnutls_privkey_decrypt_data(gnutls_privkey_t key,
                                unsigned int flags,
                                const gnutls_datum_t * ciphertext,
diff --git a/lib/gnutlsxx.cpp b/lib/gnutlsxx.cpp
index b9f5c3e..400d87b 100644
--- a/lib/gnutlsxx.cpp
+++ b/lib/gnutlsxx.cpp
@@ -716,16 +716,10 @@ namespace gnutls
     RETWRAP (gnutls_certificate_set_x509_crl (cred, crl_list, crl_list_size));
   }
 
-  void certificate_server_credentials::
-    set_retrieve_function (gnutls_certificate_server_retrieve_function * func)
-  {
-    gnutls_certificate_server_set_retrieve_function (cred, func);
-  }
-
-  void certificate_client_credentials::
-    set_retrieve_function (gnutls_certificate_client_retrieve_function * func)
+  void certificate_credentials::
+    set_retrieve_function (gnutls_certificate_retrieve_function * func)
   {
-    gnutls_certificate_client_set_retrieve_function (cred, func);
+    gnutls_certificate_set_retrieve_function (cred, func);
   }
 
 // SRP
diff --git a/lib/includes/gnutls/gnutlsxx.h b/lib/includes/gnutls/gnutlsxx.h
index b3013d2..9f88fe8 100644
--- a/lib/includes/gnutls/gnutlsxx.h
+++ b/lib/includes/gnutls/gnutlsxx.h
@@ -310,6 +310,9 @@ namespace gnutls
                                 gnutls_x509_crt_fmt_t type,
                                 const char *password);
 
+    void set_retrieve_function (gnutls_certificate_retrieve_function *
+                               func);
+
   protected:
       gnutls_certificate_credentials_t cred;
   };
@@ -317,16 +320,12 @@ namespace gnutls
   class certificate_server_credentials:public certificate_credentials
   {
   public:
-    void set_retrieve_function (gnutls_certificate_server_retrieve_function *
-                               func);
     void set_params_function (gnutls_params_function * func);
   };
 
   class certificate_client_credentials:public certificate_credentials
   {
   public:
-    void set_retrieve_function (gnutls_certificate_client_retrieve_function *
-                               func);
   };
 
 
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index d912d32..a54b96c 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -241,6 +241,7 @@ int
 gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key,
                                unsigned int flags, const gnutls_datum_t * 
ciphertext,
                                gnutls_datum_t * plaintext);
+int gnutls_pkcs11_privkey_export_url (gnutls_pkcs11_privkey_t key, char ** 
url);
 
 /** @} */
 
diff --git a/lib/includes/gnutls/privkey.h b/lib/includes/gnutls/privkey.h
index 1f37325..c6cdef5 100644
--- a/lib/includes/gnutls/privkey.h
+++ b/lib/includes/gnutls/privkey.h
@@ -13,7 +13,7 @@ typedef struct gnutls_privkey_st* gnutls_privkey_t;
 int gnutls_privkey_init (gnutls_privkey_t * key);
 void gnutls_privkey_deinit (gnutls_privkey_t key);
 int gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key, unsigned int* bits);
-int gnutls_privkey_get_type (gnutls_privkey_t key);
+gnutls_privkey_type_t gnutls_privkey_get_type (gnutls_privkey_t key);
 
 #define GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE 1
 int gnutls_privkey_import_pkcs11 (gnutls_privkey_t pkey, 
gnutls_pkcs11_privkey_t key, unsigned int flags);
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 4ca82a8..7f9fa81 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -645,6 +645,7 @@ GNUTLS_2_11
        gnutls_privkey_sign_data;
        gnutls_privkey_sign_hash;
        gnutls_privkey_decrypt_data;
+       gnutls_pkcs11_privkey_export_url;
 
 } GNUTLS_2_10;
 
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 1b1d4f9..79c0f4e 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -4,6 +4,9 @@
  * 
  * Author: Nikos Mavrogiannopoulos
  *
+ * Inspired and some parts based on neon PKCS #11 support by Joe Orton.
+ * More ideas came from the pkcs11-helper library.
+ *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
  * License as published by the Free Software Foundation; either
@@ -76,6 +79,18 @@ unsigned long slots;
     pakchois_get_slot_list(providers[active_providers-1].module, 0, NULL, 
&slots);
 }
 
+/**
+ * gnutls_pkcs11_add_provider:
+ * @name: The filename of the module
+ * @params: should be NULL
+ *
+ * This function will load and add a PKCS 11 module to the module
+ * list used in gnutls. After this function is called the module will
+ * be used for PKCS 11 operations.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_pkcs11_add_provider (const char * name, const char * params)
 {
 
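Review bot: The comment for gnutls_pkcs11_add_provider should state that @name is loaded into the process as a shared object whose code then runs with the application's privileges; the body is outside the hunk, but the `pakchois_get_slot_list(providers[...].module, ...)` call just above shows the module ends up as a live pakchois handle. Callers must therefore only pass module paths they trust and never one derived from untrusted input, which is worth a line such as ` * The module is loaded as a shared library and executes in the caller's address space, so @name must come from a trusted source.` Also `@params: should be NULL` leaves open whether a non-NULL value is rejected or silently ignored; say which.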
@@ -121,10 +136,21 @@ fail:
 
 }
 
-/* returns strings of the PKCS#11 certificate structure.
- * Returns null terminated strings but output_size contains
+
+/**
+ * gnutls_pkcs11_crt_get_info:
+ * @crt: should contain a #gnutls_pkcs11_crt_t structure
+ * @itype: Denotes the type of information requested
+ * @output: where output will be stored
+ * @output_size: contains the maximum size of the output and will be 
overwritten with actual
+ *
+ * This function will return information about the PKCS 11 certificatesuch
+ * as the label, id as well as token information where the key is stored. When
+ * output is text it returns null terminated string although %output_size 
contains
  * the size of the actual data only.
- */
+ *
+ * Returns: zero on success or a negative value on error.
+ **/
 int gnutls_pkcs11_crt_get_info(gnutls_pkcs11_crt_t crt, 
gnutls_pkcs11_cert_info_t itype, 
     void* output, size_t* output_size)
 {
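Review bot: The rewritten comment for gnutls_pkcs11_crt_get_info has `certificatesuch` (missing space) and leaves the buffer-sizing rule ambiguous: it says text output is NUL-terminated while @output_size reports only the data length, but not whether the terminator has to fit inside the @output_size the caller passes in. If the body (outside the hunk) writes the NUL at output[len], a caller who sizes the buffer from a previous @output_size result will be one byte short, so spell it out, e.g. ` * The terminating NUL is not counted in @output_size; the caller must provide room for it` (or the converse, whichever the implementation guarantees). The same paragraph is duplicated for gnutls_pkcs11_privkey_get_info in pkcs11_privkey.c and needs the same fix.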
@@ -186,6 +212,20 @@ int pkcs11_get_info(struct pkcs11_url_info *info, 
gnutls_pkcs11_cert_info_t ityp
 
 static int init = 0;
 
+
+/**
+ * gnutls_pkcs11_init:
+ * @flags: GNUTLS_PKCS11_FLAG_MANUAL or GNUTLS_PKCS11_FLAG_AUTO
+ * @configfile: either NULL or the location of a configuration file
+ *
+ * This function will initialize the PKCS 11 subsystem in gnutls. It will
+ * read a configuration file if %GNUTLS_PKCS11_FLAG_AUTO is used or allow
+ * you to independently load PKCS 11 modules using gnutls_pkcs11_add_provider()
+ * if %GNUTLS_PKCS11_FLAG_MANUAL is specified.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_pkcs11_init(unsigned int flags, const char* configfile)
 {
     int ret;
@@ -239,6 +279,12 @@ int gnutls_pkcs11_init(unsigned int flags, const char* 
configfile)
     return 0;
 }
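Review bot: The gnutls_pkcs11_init comment does not say what a second call does; the file-scope `static int init` right above suggests the body guards against re-initialization, but whether a second call with a different @configfile is ignored or fails is outside the hunk and should be stated. It should also note that under %GNUTLS_PKCS11_FLAG_AUTO the configuration file names shared objects that get loaded into the process, so that file must be protected like any other trusted configuration. Minor: `@flags: GNUTLS_PKCS11_FLAG_MANUAL or GNUTLS_PKCS11_FLAG_AUTO` should use the `%` constant syntax the rest of the comment uses.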
 
+/**
+ * gnutls_pkcs11_deinit:
+ *
+ * This function will deinitialize the PKCS 11 subsystem in gnutls. 
+ *
+ **/
 void gnutls_pkcs11_deinit (void)
 {
     int i;
@@ -258,6 +304,17 @@ void gnutls_pkcs11_deinit (void)
     active_providers = 0;
 }
 
+/**
+ * gnutls_pkcs11_set_pin_function:
+ * @fn: The PIN callback
+ * @userdata: data to be supplied to callback
+ *
+ * This function will set a callback function to be used when a PIN
+ * is required for PKCS 11 operations.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 void gnutls_pkcs11_set_pin_function(gnutls_pkcs11_pin_callback_t fn,
                                 void *userdata)
 {
@@ -265,6 +322,17 @@ void 
gnutls_pkcs11_set_pin_function(gnutls_pkcs11_pin_callback_t fn,
     pin_data = userdata;
 }
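Review bot: The new comment for gnutls_pkcs11_set_pin_function carries a `Returns: On success, %GNUTLS_E_SUCCESS is returned ...` paragraph, but the function is declared `void` and returns nothing; drop the Returns block. The space is better spent saying that the callback and @userdata are stored in file-scope globals (`pin_data = userdata` below) and therefore apply to every subsequent PKCS #11 operation in the process, and that this callback is where the PIN enters the library, so implementations should avoid logging or retaining it. The same spurious Returns paragraph appears in gnutls_pkcs11_set_token_function next.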
 
+/**
+ * gnutls_pkcs11_set_token_function:
+ * @fn: The PIN callback
+ * @userdata: data to be supplied to callback
+ *
+ * This function will set a callback function to be used when a token
+ * needs to be inserted to continue PKCS 11 operations.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 void gnutls_pkcs11_set_token_function(gnutls_pkcs11_token_callback_t fn,
                                 void *userdata)
 {
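Review bot: `@fn: The PIN callback` in the new gnutls_pkcs11_set_token_function comment is wrong; the parameter is a gnutls_pkcs11_token_callback_t invoked when a token must be inserted, so write ` * @fn: The token-insertion callback`. As with the PIN variant, the function is `void`, so the `Returns:` paragraph must go. The assignments to the global callback variables are outside the hunk.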
@@ -451,7 +519,7 @@ cleanup:
 }
 
 
-static int pkcs11_info_to_url(const struct pkcs11_url_info* info, char** url)
+int pkcs11_info_to_url(const struct pkcs11_url_info* info, char** url)
 {
     gnutls_string str;
     int init = 0;
@@ -526,6 +594,15 @@ cleanup:
     return ret;
 }
 
+/**
+ * gnutls_pkcs11_crt_init:
+ * @crt: The structure to be initialized
+ *
+ * This function will initialize a pkcs11 certificate structure.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_pkcs11_crt_init(gnutls_pkcs11_crt_t * crt)
 {
     *crt = gnutls_calloc(1, sizeof(struct gnutls_pkcs11_crt_st));
@@ -537,6 +614,12 @@ int gnutls_pkcs11_crt_init(gnutls_pkcs11_crt_t * crt)
     return 0;
 }
 
+/**
+ * gnutls_pkcs11_crt_deinit:
+ * @key: The structure to be initialized
+ *
+ * This function will deinitialize a certificate structure.
+ **/
 void gnutls_pkcs11_crt_deinit(gnutls_pkcs11_crt_t crt)
 {
     free(crt);
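Review bot: The comment added for gnutls_pkcs11_crt_deinit documents `@key: The structure to be initialized`, but the parameter is `crt` and the function deinitializes it; this same push fixes exactly that copy-paste in gnutls_x509_privkey_deinit, so fix it here too: ` * @crt: The structure to be deinitialized`. While here, the body releases the object with plain `free(crt)` although gnutls_pkcs11_crt_init allocates it with gnutls_calloc() in the previous hunk; if the application has installed custom allocators this pairs the wrong deallocator, so `gnutls_free(crt)` is the consistent call. Whether `crt->raw` (used as a datum by gnutls_x509_crt_import_pkcs11 later) owns heap memory that also needs releasing cannot be seen from this hunk.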
@@ -785,6 +868,19 @@ cleanup:
     return ret;
 }
 
+/**
+ * gnutls_pkcs11_privkey_import_url:
+ * @cert: The structure to store the parsed certificate
+ * @url: a PKCS 11 url identifying the key
+ *
+ * This function will "import" a PKCS 11 URL identifying a certificate
+ * key to the #gnutls_pkcs11_crt_t structure. This does not involve any
+ * parsing (such as X.509 or OpenPGP) since the #gnutls_pkcs11_crt_t is
+ * format agnostic. Only data are transferred.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_pkcs11_crt_import_url (gnutls_pkcs11_crt_t cert, const char * url)
 {
     int ret;
@@ -839,6 +935,18 @@ static int find_token_num(pakchois_session_t *pks, struct 
token_info *tinfo, voi
     return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; /* non zero is enough */
 }
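Review bot: The gtk-doc block placed above gnutls_pkcs11_crt_import_url is titled `gnutls_pkcs11_privkey_import_url:`, and the documentation generator keys on that first line, so this text will be attached to the private-key function (whose real comment is added in pkcs11_privkey.c) while crt_import_url appears undocumented. Change the title to ` * gnutls_pkcs11_crt_import_url:` and describe @cert as a #gnutls_pkcs11_crt_t rather than "the structure to store the parsed certificate". The phrase "identifying a certificate key" should read "identifying a certificate". The function body continues past the hunk.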
 
+/**
+ * gnutls_pkcs11_token_get_url:
+ * @seq: sequence number starting from 0
+ * @url: will contain an allocated url
+ *
+ * This function will return the URL for each token available
+ * in system. The url has to be released using gnutls_free()
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, 
%GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
+ * if the sequence number exceeds the available tokens, otherwise a negative 
error value.
+ **/
+
 int gnutls_pkcs11_token_get_url (unsigned int seq, char** url)
 {
     int ret;
@@ -862,7 +970,18 @@ int gnutls_pkcs11_token_get_url (unsigned int seq, char** 
url)
     return 0;
 
 }
-
+/**
+ * gnutls_pkcs11_token_get_info:
+ * @url: should contain a PKCS 11 URL
+ * @itype: Denotes the type of information requested
+ * @output: where output will be stored
+ * @output_size: contains the maximum size of the output and will be 
overwritten with actual
+ *
+ * This function will return information about the PKCS 11 private key such
+ * as the label, id as well as token information where the key is stored.
+ *
+ * Returns: zero on success or a negative value on error.
+ **/
 int gnutls_pkcs11_token_get_info(const char* url, gnutls_pkcs11_token_info_t 
ttype, void* output, size_t *output_size)
 {
     const char* str;
@@ -908,7 +1027,16 @@ int gnutls_pkcs11_token_get_info(const char* url, 
gnutls_pkcs11_token_info_t tty
     return 0;
 }
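Review bot: The new comment for gnutls_pkcs11_token_get_info describes "information about the PKCS 11 private key" and documents `@itype`, but the function takes a token URL and a `ttype` of gnutls_pkcs11_token_info_t, so both the description and the parameter name were copied from the key variant. Suggest ` * @ttype: Denotes the type of token information requested` and a description along the lines of "returns information about the token identified by @url, selected by @ttype", listing only fields the gnutls_pkcs11_token_info_t enumeration actually offers (not visible here). The same NUL/size ambiguity raised for crt_get_info applies to @output_size here; the body is outside the hunk.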
 
-
+/**
+ * gnutls_pkcs11_crt_export_url:
+ * @crt: Holds the PKCS 11 certificate
+ * @url: will contain an allocated url
+ *
+ * This function will export a URL identifying the given certificate.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_pkcs11_crt_export_url (gnutls_pkcs11_crt_t cert, char ** url)
 {
 int ret;
@@ -922,6 +1050,15 @@ int ret;
     return 0;
 }
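Review bot: The comment for gnutls_pkcs11_crt_export_url says @url "will contain an allocated url" but not how to release it; gnutls_pkcs11_token_get_url in this same push says "has to be released using gnutls_free()", and since both produce the URL through pkcs11_info_to_url() the same rule applies, so add it: ` * @url: will contain an allocated url, to be released with gnutls_free()`. The local `int ret;` declared at column 0 on the next line also breaks the file's indentation.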
 
+/**
+ * gnutls_pkcs11_crt_get_type:
+ * @certificate: Holds the PKCS 11 certificate
+ *
+ * This function will return the type of the certificate being
+ * stored in the structure.
+ *
+ * Returns: The type of the certificate.
+ **/
 gnutls_certificate_type_t gnutls_pkcs11_crt_get_type (gnutls_pkcs11_crt_t 
certificate)
 {
     return certificate->type;
@@ -1286,6 +1423,19 @@ fail:
     return ret;
 }
 
+/**
+ * gnutls_pkcs11_crt_list_import_url:
+ * @p_list: An uninitialized certificate list (may be NULL)
+ * @n_list: initially should hold the maximum size of the list. Will contain 
the actual size.
+ * @url: A PKCS 11 url identifying a set of certificates
+ * @flags: Attributes of type #gnutls_pkcs11_crt_attr_t that can be used to 
limit output
+ *
+ * This function will initialize and set value to a certificate list
+ * specified by a PKCS 11 URL.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_pkcs11_crt_list_import_url (gnutls_pkcs11_crt_t * p_list, unsigned 
int *n_list, const char* url, gnutls_pkcs11_crt_attr_t flags)
 {
     int ret;
@@ -1316,6 +1466,18 @@ int gnutls_pkcs11_crt_list_import_url 
(gnutls_pkcs11_crt_t * p_list, unsigned in
     return 0;
 }
 
+/**
+ * gnutls_x509_crt_import_pkcs11_url:
+ * @crt: A certificate of type #gnutls_x509_crt_t
+ * @url: A PKCS 11 url
+ *
+ * This function will import a PKCS 11 certificate directly from a token
+ * without involving the #gnutls_pkcs11_crt_t structure. This function will
+ * fail if the certificate stored is not of X.509 type.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_x509_crt_import_pkcs11_url( gnutls_x509_crt_t crt, const char* url)
 {
     gnutls_pkcs11_crt_t pcrt;
@@ -1348,7 +1510,17 @@ cleanup:
 }
 
 
-
+/**
+ * gnutls_x509_crt_import_pkcs11:
+ * @crt: A certificate of type #gnutls_x509_crt_t
+ * @pkcs11_crt: A PKCS 11 certificate
+ *
+ * This function will import a PKCS 11 certificate to a #gnutls_x509_crt_t
+ * structure.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_x509_crt_import_pkcs11( gnutls_x509_crt_t crt, gnutls_pkcs11_crt_t 
pkcs11_crt)
 {
     return gnutls_x509_crt_import(crt, &pkcs11_crt->raw, GNUTLS_X509_FMT_DER);
@@ -1385,27 +1557,3 @@ cleanup:
     return ret;
 }
 
-
-/* To do list for PKCS#11 support:
-
-   - propagate error strings back to ne_session; use new 
-   pakchois_error() for pakchois API 0.2
-   - add API to specify a particular slot number to use for clicert
-   - add API to specify a particular cert ID for clicert
-   - find a certificate which has an issuer matching the 
-     CA dnames given by GnuTLS
-   - make sure subject name matches between pubkey and privkey
-   - check error handling & fail gracefully if the token is 
-   ejected mid-session
-   - add API to enumerate/search provided certs and allow 
-     direct choice? (or just punt)
-   - the session<->provider interface requires that 
-   one clicert is used for all sessions.  remove this limitation
-   - add API to import all CA certs as trusted
-   (CKA_CERTIFICATE_CATEGORY seems to be unused unfortunately; 
-    just add all X509 certs with CKA_TRUSTED set to true))
-   - make DSA work
-
-*/
-
-
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index 3ca93e1..c070832 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -46,6 +46,6 @@ extern gnutls_pkcs11_token_callback_t token_func;
 extern void* token_data;
 
 void pkcs11_rescan_slots(void);
-
+int pkcs11_info_to_url(const struct pkcs11_url_info* info, char** url);
 
 #endif
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index 1854a3d..60a6888 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -45,6 +45,15 @@ struct privkey_find_data_st {
 static int find_privkey_url(pakchois_session_t * pks,
                            struct token_info *info, void *input);
 
+/**
+ * gnutls_pkcs11_privkey_init:
+ * @key: The structure to be initialized
+ *
+ * This function will initialize an private key structure.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_pkcs11_privkey_init(gnutls_pkcs11_privkey_t * key)
 {
        *key = gnutls_calloc(1, sizeof(struct gnutls_pkcs11_privkey_st));
@@ -57,6 +66,12 @@ int gnutls_pkcs11_privkey_init(gnutls_pkcs11_privkey_t * key)
        return 0;
 }
 
+/**
+ * gnutls_pkcs11_privkey_deinit:
+ * @key: The structure to be initialized
+ *
+ * This function will deinitialize a private key structure.
+ **/
 void gnutls_pkcs11_privkey_deinit(gnutls_pkcs11_privkey_t key)
 {
        if (key->pks) {
@@ -65,6 +80,16 @@ void gnutls_pkcs11_privkey_deinit(gnutls_pkcs11_privkey_t 
key)
        gnutls_free(key);
 }
 
+/**
+ * gnutls_pkcs11_privkey_get_pk_algorithm:
+ * @key: should contain a #gnutls_pkcs11_privkey_t structure
+ *
+ * This function will return the public key algorithm of a private
+ * key.
+ *
+ * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
+ *   success, or a negative value on error.
+ **/
 int gnutls_pkcs11_privkey_get_pk_algorithm(gnutls_pkcs11_privkey_t key, 
unsigned int *bits)
 {
         if (bits)
@@ -72,6 +97,20 @@ int 
gnutls_pkcs11_privkey_get_pk_algorithm(gnutls_pkcs11_privkey_t key, unsigned
        return key->pk_algorithm;
 }
 
+/**
+ * gnutls_pkcs11_privkey_get_info:
+ * @key: should contain a #gnutls_pkcs11_privkey_t structure
+ * @itype: Denotes the type of information requested
+ * @output: where output will be stored
+ * @output_size: contains the maximum size of the output and will be 
overwritten with actual
+ *
+ * This function will return information about the PKCS 11 private key such
+ * as the label, id as well as token information where the key is stored. When
+ * output is text it returns null terminated string although #output_size 
contains
+ * the size of the actual data only. 
+ *
+ * Returns: zero on success or a negative value on error.
+ **/
 int gnutls_pkcs11_privkey_get_info(gnutls_pkcs11_privkey_t pkey,
                                   gnutls_pkcs11_cert_info_t itype,
                                   void *output, size_t * output_size)
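Review bot: The comment for gnutls_pkcs11_privkey_get_info documents `@key`, but the parameter is `pkey`; rename it in the comment so gtk-doc matches. `#output_size` should be `@output_size` — the `#` form is for type names. As in gnutls_pkcs11_crt_get_info, the text should state whether the terminating NUL must fit within the @output_size supplied by the caller, since the body that writes it is outside the hunk.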
@@ -160,7 +199,19 @@ gnutls_pkcs11_privkey_sign_data(gnutls_pkcs11_privkey_t 
signer,
 
 }
 
-
+/**
+ * gnutls_pkcs11_privkey_sign_hash:
+ * @key: Holds the key
+ * @hash: holds the data to be signed (should be output of a hash)
+ * @signature: will contain the signature allocated with gnutls_malloc()
+ *
+ * This function will sign the given data using a signature algorithm
+ * supported by the private key. It is assumed that the given data
+ * are the output of a hash function.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key,
                                    const gnutls_datum_t * hash,
                                    gnutls_datum_t * signature)
@@ -338,6 +389,19 @@ static int find_privkey_url(pakchois_session_t * pks,
        return ret;
 }
 
+/**
+ * gnutls_pkcs11_privkey_import_url:
+ * @pkey: The structure to store the parsed key
+ * @url: a PKCS 11 url identifying the key
+ *
+ * This function will "import" a PKCS 11 URL identifying a private
+ * key to the #gnutls_pkcs11_privkey_t structure. In reality since
+ * in most cases keys cannot be exported, the private key structure
+ * is being associated with the available operations on the token.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
                                     const char *url)
 {
@@ -435,3 +499,26 @@ gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t 
key,
 
        return 0;
 }
+
+/**
+ * gnutls_pkcs11_privkey_export_url:
+ * @key: Holds the PKCS 11 key
+ * @url: will contain an allocated url
+ *
+ * This function will export a URL identifying the given key.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
+int gnutls_pkcs11_privkey_export_url (gnutls_pkcs11_privkey_t key, char ** url)
+{
+int ret;
+
+    ret = pkcs11_info_to_url(&key->info, url);
+    if (ret < 0) {
+        gnutls_assert();
+        return ret;
+    }
+    
+    return 0;
+}
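Review bot: The new gnutls_pkcs11_privkey_export_url does not tell the caller how to release @url; gnutls_pkcs11_token_get_url in this push says "has to be released using gnutls_free()", and since both go through pkcs11_info_to_url() the same applies here, so write ` * @url: will contain an allocated url, to be released with gnutls_free()`. If the pkcs11_url_info structure can carry a PIN (not visible here), the comment should say whether it is written into the URL, since callers commonly log or display exported URLs. Minor: the local `int ret;` sits at column 0 while the surrounding file indents locals.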
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index ccdd28d..e5b03aa 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -64,7 +64,7 @@ gnutls_x509_privkey_init (gnutls_x509_privkey_t * key)
 
 /**
  * gnutls_x509_privkey_deinit:
- * @key: The structure to be initialized
+ * @key: The structure to be deinitialized
  *
  * This function will deinitialize a private key structure.
  **/
diff --git a/src/tests.c b/src/tests.c
index 3bccf4a..a6d7f76 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -975,7 +975,7 @@ static int
 cert_callback (gnutls_session_t session,
               const gnutls_datum_t * req_ca_rdn, int nreqs,
               const gnutls_pk_algorithm_t * sign_algos,
-              int sign_algos_length, gnutls_retr_st * st)
+              int sign_algos_length, gnutls_retr2_st * st)
 {
   char issuer_dn[256];
   int i, ret;
@@ -1025,10 +1025,10 @@ test_server_cas (gnutls_session_t session)
   _gnutls_priority_set_direct (session, prio_str);
 
   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
-  gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
+  gnutls_certificate_set_retrieve_function (xcred, cert_callback);
 
   ret = do_handshake (session);
-  gnutls_certificate_client_set_retrieve_function (xcred, NULL);
+  gnutls_certificate_set_retrieve_function (xcred, NULL);
 
   if (ret == TEST_FAILED)
     return ret;
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 9379fc8..9c0c5c6 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -73,7 +73,7 @@ openpgp_keyring_LDADD = $(LDADD) 
../libextra/libgnutls-extra.la
 endif
 
 if HAVE_FORK
-ctests += x509self x509signself x509dn anonself pskself dhepskself     \
+ctests += x509self x509dn anonself pskself dhepskself  \
        tlsia resume netconf-psk setcredcrash
 
 if ENABLE_OPENPGP
diff --git a/tests/pkcs12_s2k.c b/tests/pkcs12_s2k.c
index 4136f2b..1c38319 100644
--- a/tests/pkcs12_s2k.c
+++ b/tests/pkcs12_s2k.c
@@ -133,12 +133,12 @@ doit (void)
            fail ("_gnutls_pkcs12_string_to_key failed[0]: %d\n", rc);
 
          if (strcmp (_gnutls_bin2hex (key, sizeof (key),
-                                      tmp, sizeof (tmp)), values[x]) != 0)
+                                      tmp, sizeof (tmp), NULL), values[x]) != 
0)
            fail ("_gnutls_pkcs12_string_to_key failed[1]\n");
 
          if (debug)
            printf ("ij: %d.%d: %s\n", i, j,
-                   _gnutls_bin2hex (key, sizeof (key), tmp, sizeof (tmp)));
+                   _gnutls_bin2hex (key, sizeof (key), tmp, sizeof (tmp), 
NULL));
          x++;
        }
     }
@@ -154,13 +154,13 @@ doit (void)
        fail ("_gnutls_pkcs12_string_to_key failed[2]: %d\n", rc);
 
       if (memcmp (_gnutls_bin2hex (key, tv[i].keylen,
-                                  tmp, sizeof (tmp)),
+                                  tmp, sizeof (tmp), NULL),
                  tv[i].key, tv[i].keylen) != 0)
        fail ("_gnutls_pkcs12_string_to_key failed[3]\n");
 
       if (debug)
        printf ("tv[%d]: %s\n", i,
-               _gnutls_bin2hex (key, tv[i].keylen, tmp, sizeof (tmp)));
+               _gnutls_bin2hex (key, tv[i].keylen, tmp, sizeof (tmp), NULL));
     }
   if (debug)
     printf ("\n");
diff --git a/tests/x509dn.c b/tests/x509dn.c
index eabad48..a0dba67 100644
--- a/tests/x509dn.c
+++ b/tests/x509dn.c
@@ -113,7 +113,7 @@ static int
 cert_callback (gnutls_session_t session,
               const gnutls_datum_t * req_ca_rdn, int nreqs,
               const gnutls_pk_algorithm_t * sign_algos,
-              int sign_algos_length, gnutls_retr_st * st)
+              int sign_algos_length, gnutls_retr2_st * st)
 {
   int result;
   gnutls_x509_dn_t dn;
@@ -197,7 +197,7 @@ client (void)
    */
   gnutls_certificate_set_x509_trust_mem (xcred, &ca, GNUTLS_X509_FMT_PEM);
 
-  gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
+  gnutls_certificate_set_retrieve_function (xcred, cert_callback);
 
   /* Initialize TLS session
    */
diff --git a/tests/x509signself.c b/tests/x509signself.c
deleted file mode 100644
index c05ecee..0000000
--- a/tests/x509signself.c
+++ /dev/null
@@ -1,509 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
- * Foundation, Inc.
- *
- * Author: Simon Josefsson
- *
- * This file is part of GNUTLS.
- *
- * GNUTLS is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * GNUTLS is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with GNUTLS; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- */
-
-/* Parts copied from GnuTLS example programs. */
-
-#ifdef HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <sys/socket.h>
-#include <sys/wait.h>
-#include <arpa/inet.h>
-#include <unistd.h>
-#include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
-
-#include "ex-session-info.c"
-#include "ex-x509-info.c"
-#include "tcp.c"
-
-#include "utils.h"
-
-pid_t child;
-
-static void
-tls_log_func (int level, const char *str)
-{
-  fprintf (stderr, "%s |<%d>| %s", child ? "server" : "client", level, str);
-}
-
-/* A very basic TLS client, with anonymous authentication.
- */
-
-#define MAX_BUF 1024
-#define MSG "Hello TLS"
-
-static char ca_pem[] =
-  "-----BEGIN CERTIFICATE-----\n"
-  "MIIB5zCCAVKgAwIBAgIERiYdJzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
-  "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTExWhcNMDgwNDE3MTMyOTExWjAZMRcw\n"
-  "FQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA\n"
-  "vuyYeh1vfmslnuggeEKgZAVmQ5ltSdUY7H25WGSygKMUYZ0KT74v8C780qtcNt9T\n"
-  "7EPH/N6RvB4BprdssgcQLsthR3XKA84jbjjxNCcaGs33lvOz8A1nf8p3hD+cKfRi\n"
-  "kfYSW2JazLrtCC4yRCas/SPOUxu78of+3HiTfFm/oXUCAwEAAaNDMEEwDwYDVR0T\n"
-  "AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTpPBz7rZJu5gak\n"
-  "Viyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAiaIRqGfp1jPpNeVhABK60SU0KIAy\n"
-  "njuu7kHq5peUgYn8Jd9zNzExBOEp1VOipGsf6G66oQAhDFp2o8zkz7ZH71zR4HEW\n"
-  "KoX6n5Emn6DvcEH/9pAhnGxNHJAoS7czTKv/JDZJhkqHxyrE1fuLsg5Qv25DTw7+\n"
-  "PfqUpIhz5Bbm7J4=\n" "-----END CERTIFICATE-----\n";
-const gnutls_datum_t ca = { ca_pem, sizeof (ca_pem) };
-
-static char cert_pem[] =
-  "-----BEGIN CERTIFICATE-----\n"
-  "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
-  "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n"
-  "GQYDVQQDExJHbnVUTFMgdGVzdCBjbGllbnQwgZwwCwYJKoZIhvcNAQEBA4GMADCB\n"
-  "iAKBgLtmQ/Xyxde2jMzF3/WIO7HJS2oOoa0gUEAIgKFPXKPQ+GzP5jz37AR2ExeL\n"
-  "ZIkiW8DdU3w77XwEu4C5KL6Om8aOoKUSy/VXHqLnu7czSZ/ju0quak1o/8kR4jKN\n"
-  "zj2AC41179gAgY8oBAOgIo1hBAf6tjd9IQdJ0glhaZiQo1ipAgMBAAGjdjB0MAwG\n"
-  "A1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweg\n"
-  "ADAdBgNVHQ4EFgQUTLkKm/odNON+3svSBxX+odrLaJEwHwYDVR0jBBgwFoAU6Twc\n"
-  "+62SbuYGpFYsouHAUyfI8pUwCwYJKoZIhvcNAQEFA4GBALujmBJVZnvaTXr9cFRJ\n"
-  "jpfc/3X7sLUsMvumcDE01ls/cG5mIatmiyEU9qI3jbgUf82z23ON/acwJf875D3/\n"
-  "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n"
-  "dc8Siq5JojruiMizAf0pA7in\n" "-----END CERTIFICATE-----\n";
-const gnutls_datum_t cert = { cert_pem, sizeof (cert_pem) };
-
-static int
-sign_func (gnutls_session_t session,
-          void *userdata,
-          gnutls_certificate_type_t cert_type,
-          const gnutls_datum_t * cert,
-          const gnutls_datum_t * hash, gnutls_datum_t * signature)
-{
-  gnutls_x509_privkey_t key;
-  char key_pem[] =
-    "-----BEGIN RSA PRIVATE KEY-----\n"
-    "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n"
-    "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n"
-    "aP/JEeIyjc49gAuNde/YAIGPKAQDoCKNYQQH+rY3fSEHSdIJYWmYkKNYqQIDAQAB\n"
-    "AoGADpmARG5CQxS+AesNkGmpauepiCz1JBF/JwnyiX6vEzUh0Ypd39SZztwrDxvF\n"
-    "PJjQaKVljml1zkJpIDVsqvHdyVdse8M+Qn6hw4x2p5rogdvhhIL1mdWo7jWeVJTF\n"
-    "RKB7zLdMPs3ySdtcIQaF9nUAQ2KJEvldkO3m/bRJFEp54k0CQQDYy+RlTmwRD6hy\n"
-    "7UtMjR0H3CSZJeQ8svMCxHLmOluG9H1UKk55ZBYfRTsXniqUkJBZ5wuV1L+pR9EK\n"
-    "ca89a+1VAkEA3UmBelwEv2u9cAU1QjKjmwju1JgXbrjEohK+3B5y0ESEXPAwNQT9\n"
-    "TrDM1m9AyxYTWLxX93dI5QwNFJtmbtjeBQJARSCWXhsoaDRG8QZrCSjBxfzTCqZD\n"
-    "ZXtl807ymCipgJm60LiAt0JLr4LiucAsMZz6+j+quQbSakbFCACB8SLV1QJBAKZQ\n"
-    "YKf+EPNtnmta/rRKKvySsi3GQZZN+Dt3q0r094XgeTsAqrqujVNfPhTMeP4qEVBX\n"
-    "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n"
-    "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n"
-    "-----END RSA PRIVATE KEY-----\n";
-  const gnutls_datum_t key_dat = { key_pem, sizeof (key_pem) };
-  int ret;
-
-  ret = gnutls_x509_privkey_init (&key);
-  if (ret < 0)
-    return ret;
-
-  ret = gnutls_x509_privkey_import (key, &key_dat, GNUTLS_X509_FMT_PEM);
-  if (ret < 0)
-    goto done;
-
-  ret = gnutls_x509_privkey_sign_hash (key, hash, signature);
-  if (ret < 0)
-    goto done;
-
-  ret = 0;
-
-done:
-  gnutls_x509_privkey_deinit (key);
-  return ret;
-}
-
-static void
-client (void)
-{
-  int ret, sd, ii;
-  gnutls_session_t session;
-  char buffer[MAX_BUF + 1];
-  gnutls_certificate_credentials_t xcred;
-
-  gnutls_global_init ();
-
-  gnutls_global_set_log_function (tls_log_func);
-  if (debug)
-    gnutls_global_set_log_level (4711);
-
-  gnutls_certificate_allocate_credentials (&xcred);
-
-  /* sets the trusted cas file
-   */
-  gnutls_certificate_set_x509_trust_mem (xcred, &ca, GNUTLS_X509_FMT_PEM);
-  gnutls_certificate_set_x509_key_mem (xcred, &cert, NULL,
-                                      GNUTLS_X509_FMT_PEM);
-
-  /* Initialize TLS session
-   */
-  gnutls_init (&session, GNUTLS_CLIENT);
-
-  /* Set sign callback. */
-  gnutls_sign_callback_set (session, sign_func, NULL);
-
-  /* Use default priorities */
-  gnutls_set_default_priority (session);
-
-  /* put the x509 credentials to the current session
-   */
-  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
-
-  /* connect to the peer
-   */
-  sd = tcp_connect ();
-
-  gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
-
-  /* Perform the TLS handshake
-   */
-  ret = gnutls_handshake (session);
-
-  if (ret < 0)
-    {
-      fail ("client: Handshake failed\n");
-      gnutls_perror (ret);
-      goto end;
-    }
-  else
-    {
-      if (debug)
-       success ("client: Handshake was completed\n");
-    }
-
-  if (debug)
-    success ("client: TLS version is: %s\n",
-            gnutls_protocol_get_name (gnutls_protocol_get_version
-                                      (session)));
-
-  /* see the Getting peer's information example */
-  if (debug)
-    print_info (session);
-
-  gnutls_record_send (session, MSG, strlen (MSG));
-
-  ret = gnutls_record_recv (session, buffer, MAX_BUF);
-  if (ret == 0)
-    {
-      if (debug)
-       success ("client: Peer has closed the TLS connection\n");
-      goto end;
-    }
-  else if (ret < 0)
-    {
-      fail ("client: Error: %s\n", gnutls_strerror (ret));
-      goto end;
-    }
-
-  if (debug)
-    {
-      printf ("- Received %d bytes: ", ret);
-      for (ii = 0; ii < ret; ii++)
-       {
-         fputc (buffer[ii], stdout);
-       }
-      fputs ("\n", stdout);
-    }
-
-  gnutls_bye (session, GNUTLS_SHUT_RDWR);
-
-end:
-
-  tcp_close (sd);
-
-  gnutls_deinit (session);
-
-  gnutls_certificate_free_credentials (xcred);
-
-  gnutls_global_deinit ();
-}
-
-/* This is a sample TLS 1.0 echo server, using X.509 authentication.
- */
-
-#define SA struct sockaddr
-#define MAX_BUF 1024
-#define PORT 5556              /* listen to 5556 port */
-#define DH_BITS 1024
-
-/* These are global */
-gnutls_certificate_credentials_t x509_cred;
-
-static gnutls_session_t
-initialize_tls_session (void)
-{
-  gnutls_session_t session;
-
-  gnutls_init (&session, GNUTLS_SERVER);
-
-  /* avoid calling all the priority functions, since the defaults
-   * are adequate.
-   */
-  gnutls_set_default_priority (session);
-
-  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
-
-  /* request client certificate if any.
-   */
-  gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
-
-  gnutls_dh_set_prime_bits (session, DH_BITS);
-
-  return session;
-}
-
-static gnutls_dh_params_t dh_params;
-
-static int
-generate_dh_params (void)
-{
-  const gnutls_datum_t p3 = { (char *) pkcs3, strlen (pkcs3) };
-  /* Generate Diffie-Hellman parameters - for use with DHE
-   * kx algorithms. These should be discarded and regenerated
-   * once a day, once a week or once a month. Depending on the
-   * security requirements.
-   */
-  gnutls_dh_params_init (&dh_params);
-  return gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM);
-}
-
-int err, listen_sd, i;
-int sd, ret;
-struct sockaddr_in sa_serv;
-struct sockaddr_in sa_cli;
-int client_len;
-char topbuf[512];
-gnutls_session_t session;
-char buffer[MAX_BUF + 1];
-int optval = 1;
-
-static char server_cert_pem[] =
-  "-----BEGIN CERTIFICATE-----\n"
-  "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
-  "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
-  "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
-  "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
-  "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
-  "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
-  "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
-  "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
-  "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
-  "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
-  "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
-  "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
-  "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
-
-const gnutls_datum_t server_cert = { server_cert_pem,
-  sizeof (server_cert_pem)
-};
-
-static char server_key_pem[] =
-  "-----BEGIN RSA PRIVATE KEY-----\n"
-  "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
-  "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
-  "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
-  "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
-  "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
-  "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
-  "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
-  "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
-  "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
-  "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
-  "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
-  "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
-  "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
-  "-----END RSA PRIVATE KEY-----\n";
-
-const gnutls_datum_t server_key = { server_key_pem,
-  sizeof (server_key_pem)
-};
-
-static void
-server_start (void)
-{
-  /* Socket operations
-   */
-  listen_sd = socket (AF_INET, SOCK_STREAM, 0);
-  if (err == -1)
-    {
-      perror ("socket");
-      fail ("server: socket failed\n");
-      return;
-    }
-
-  memset (&sa_serv, '\0', sizeof (sa_serv));
-  sa_serv.sin_family = AF_INET;
-  sa_serv.sin_addr.s_addr = INADDR_ANY;
-  sa_serv.sin_port = htons (PORT);     /* Server Port number */
-
-  setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval,
-             sizeof (int));
-
-  err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
-  if (err == -1)
-    {
-      perror ("bind");
-      fail ("server: bind failed\n");
-      return;
-    }
-
-  err = listen (listen_sd, 1024);
-  if (err == -1)
-    {
-      perror ("listen");
-      fail ("server: listen failed\n");
-      return;
-    }
-
-  if (debug)
-    success ("server: ready. Listening to port '%d'.\n", PORT);
-}
-
-static void
-server (void)
-{
-  /* this must be called once in the program
-   */
-  gnutls_global_init ();
-
-  gnutls_global_set_log_function (tls_log_func);
-  if (debug)
-    gnutls_global_set_log_level (4711);
-
-  gnutls_certificate_allocate_credentials (&x509_cred);
-  gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
-
-  gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
-                                      GNUTLS_X509_FMT_PEM);
-
-  if (debug)
-    success ("Launched, generating DH parameters...\n");
-
-  generate_dh_params ();
-
-  gnutls_certificate_set_dh_params (x509_cred, dh_params);
-
-  client_len = sizeof (sa_cli);
-
-  session = initialize_tls_session ();
-
-  sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
-
-  if (debug)
-    success ("server: connection from %s, port %d\n",
-            inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
-                       sizeof (topbuf)), ntohs (sa_cli.sin_port));
-
-  gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
-  ret = gnutls_handshake (session);
-  if (ret < 0)
-    {
-      close (sd);
-      gnutls_deinit (session);
-      fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret));
-      return;
-    }
-  if (debug)
-    success ("server: Handshake was completed\n");
-
-  if (debug)
-    success ("server: TLS version is: %s\n",
-            gnutls_protocol_get_name (gnutls_protocol_get_version
-                                      (session)));
-
-  /* see the Getting peer's information example */
-  if (debug)
-    print_info (session);
-
-  i = 0;
-  for (;;)
-    {
-      memset (buffer, 0, MAX_BUF + 1);
-      ret = gnutls_record_recv (session, buffer, MAX_BUF);
-
-      if (ret == 0)
-       {
-         if (debug)
-           success ("server: Peer has closed the GNUTLS connection\n");
-         break;
-       }
-      else if (ret < 0)
-       {
-         fail ("server: Received corrupted data(%d). Closing...\n", ret);
-         break;
-       }
-      else if (ret > 0)
-       {
-         /* echo data back to the client
-          */
-         gnutls_record_send (session, buffer, strlen (buffer));
-       }
-    }
-  /* do not wait for the peer to close the connection.
-   */
-  gnutls_bye (session, GNUTLS_SHUT_WR);
-
-  close (sd);
-  gnutls_deinit (session);
-
-  close (listen_sd);
-
-  gnutls_certificate_free_credentials (x509_cred);
-
-  gnutls_dh_params_deinit (dh_params);
-
-  gnutls_global_deinit ();
-
-  if (debug)
-    success ("server: finished\n");
-}
-
-
-void
-doit (void)
-{
-  server_start ();
-  if (error_count)
-    return;
-
-  child = fork ();
-  if (child < 0)
-    {
-      perror ("fork");
-      fail ("fork");
-      return;
-    }
-
-  if (child)
-    {
-      int status;
-      /* parent */
-      server ();
-      wait (&status);
-    }
-  else
-    client ();
-}




