00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024
00025
00026
00027
00028
00029
00030 #include "gnutls_int.h"
00031 #include "gnutls_auth_int.h"
00032 #include "gnutls_errors.h"
00033 #include "gnutls_dh.h"
00034 #include "gnutls_num.h"
00035 #include "gnutls_sig.h"
00036 #include <gnutls_datum.h>
00037 #include <auth_cert.h>
00038 #include <gnutls_x509.h>
00039 #include <gnutls_state.h>
00040 #include <auth_dh_common.h>
00041
00042 static int gen_dhe_server_kx (MHD_gtls_session_t, opaque **);
00043 static int proc_dhe_server_kx (MHD_gtls_session_t, opaque *, size_t);
00044 static int proc_dhe_client_kx (MHD_gtls_session_t, opaque *, size_t);
00045
00046 const MHD_gtls_mod_auth_st MHD_gtls_dhe_rsa_auth_struct = {
00047 "DHE_RSA",
00048 MHD_gtls_gen_cert_server_certificate,
00049 MHD_gtls_gen_cert_client_certificate,
00050 gen_dhe_server_kx,
00051 MHD_gtls_gen_dh_common_client_kx,
00052 MHD_gtls_gen_cert_client_cert_vrfy,
00053 MHD_gtls_gen_cert_server_cert_req,
00054
00055 MHD_gtls_proc_cert_server_certificate,
00056 MHD__gnutls_proc_cert_client_certificate,
00057 proc_dhe_server_kx,
00058 proc_dhe_client_kx,
00059 MHD_gtls_proc_cert_client_cert_vrfy,
00060 MHD_gtls_proc_cert_cert_req
00061 };
00062
00063 const MHD_gtls_mod_auth_st MHD_gtls_dhe_dss_auth_struct = {
00064 "DHE_DSS",
00065 MHD_gtls_gen_cert_server_certificate,
00066 MHD_gtls_gen_cert_client_certificate,
00067 gen_dhe_server_kx,
00068 MHD_gtls_gen_dh_common_client_kx,
00069 MHD_gtls_gen_cert_client_cert_vrfy,
00070 MHD_gtls_gen_cert_server_cert_req,
00071
00072 MHD_gtls_proc_cert_server_certificate,
00073 MHD__gnutls_proc_cert_client_certificate,
00074 proc_dhe_server_kx,
00075 proc_dhe_client_kx,
00076 MHD_gtls_proc_cert_client_cert_vrfy,
00077 MHD_gtls_proc_cert_cert_req
00078 };
00079
00080
00081 static int
00082 gen_dhe_server_kx (MHD_gtls_session_t session, opaque ** data)
00083 {
00084 mpi_t g, p;
00085 const mpi_t *mpis;
00086 int ret = 0, data_size;
00087 MHD_gnutls_cert *apr_cert_list;
00088 MHD_gnutls_privkey *apr_pkey;
00089 int apr_cert_list_length;
00090 MHD_gnutls_datum_t signature, ddata;
00091 MHD_gtls_cert_credentials_t cred;
00092 MHD_gtls_dh_params_t dh_params;
00093
00094 cred = (MHD_gtls_cert_credentials_t)
00095 MHD_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
00096 if (cred == NULL)
00097 {
00098 MHD_gnutls_assert ();
00099 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
00100 }
00101
00102
00103 if ((ret =
00104 MHD_gtls_get_selected_cert (session, &apr_cert_list,
00105 &apr_cert_list_length, &apr_pkey)) < 0)
00106 {
00107 MHD_gnutls_assert ();
00108 return ret;
00109 }
00110
00111 dh_params =
00112 MHD_gtls_get_dh_params (cred->dh_params, cred->params_func, session);
00113 mpis = MHD_gtls_dh_params_to_mpi (dh_params);
00114 if (mpis == NULL)
00115 {
00116 MHD_gnutls_assert ();
00117 return GNUTLS_E_NO_TEMPORARY_DH_PARAMS;
00118 }
00119
00120 p = mpis[0];
00121 g = mpis[1];
00122
00123 if ((ret = MHD_gtls_auth_info_set (session, MHD_GNUTLS_CRD_CERTIFICATE,
00124 sizeof (cert_auth_info_st), 0)) < 0)
00125 {
00126 MHD_gnutls_assert ();
00127 return ret;
00128 }
00129
00130 MHD_gtls_dh_set_group (session, g, p);
00131
00132 ret = MHD_gtls_dh_common_print_server_kx (session, g, p, data, 0);
00133 if (ret < 0)
00134 {
00135 MHD_gnutls_assert ();
00136 return ret;
00137 }
00138 data_size = ret;
00139
00140
00141
00142 ddata.data = *data;
00143 ddata.size = data_size;
00144
00145 if (apr_cert_list_length > 0)
00146 {
00147 if ((ret =
00148 MHD_gtls_tls_sign_params (session, &apr_cert_list[0],
00149 apr_pkey, &ddata, &signature)) < 0)
00150 {
00151 MHD_gnutls_assert ();
00152 MHD_gnutls_free (*data);
00153 return ret;
00154 }
00155 }
00156 else
00157 {
00158 MHD_gnutls_assert ();
00159 return data_size;
00160 }
00161
00162 *data = MHD_gtls_realloc_fast (*data, data_size + signature.size + 2);
00163 if (*data == NULL)
00164 {
00165 MHD__gnutls_free_datum (&signature);
00166 MHD_gnutls_assert ();
00167 return GNUTLS_E_MEMORY_ERROR;
00168 }
00169
00170 MHD_gtls_write_datum16 (&(*data)[data_size], signature);
00171 data_size += signature.size + 2;
00172
00173 MHD__gnutls_free_datum (&signature);
00174
00175 return data_size;
00176 }
00177
00178 static int
00179 proc_dhe_server_kx (MHD_gtls_session_t session, opaque * data,
00180 size_t _data_size)
00181 {
00182 int sigsize;
00183 MHD_gnutls_datum_t vparams, signature;
00184 int ret;
00185 cert_auth_info_t info = MHD_gtls_get_auth_info (session);
00186 ssize_t data_size = _data_size;
00187 MHD_gnutls_cert peer_cert;
00188
00189 if (info == NULL || info->ncerts == 0)
00190 {
00191 MHD_gnutls_assert ();
00192
00193 return GNUTLS_E_INTERNAL_ERROR;
00194 }
00195
00196 ret = MHD_gtls_proc_dh_common_server_kx (session, data, _data_size, 0);
00197 if (ret < 0)
00198 {
00199 MHD_gnutls_assert ();
00200 return ret;
00201 }
00202
00203
00204
00205 vparams.size = ret;
00206 vparams.data = data;
00207
00208 DECR_LEN (data_size, 2);
00209 sigsize = MHD_gtls_read_uint16 (&data[vparams.size]);
00210
00211 DECR_LEN (data_size, sigsize);
00212 signature.data = &data[vparams.size + 2];
00213 signature.size = sigsize;
00214
00215 if ((ret =
00216 MHD_gtls_raw_cert_to_gcert (&peer_cert,
00217 session->security_parameters.cert_type,
00218 &info->raw_certificate_list[0],
00219 CERT_NO_COPY)) < 0)
00220 {
00221 MHD_gnutls_assert ();
00222 return ret;
00223 }
00224
00225 ret =
00226 MHD_gtls_verify_sig_params (session, &peer_cert, &vparams, &signature);
00227
00228 MHD_gtls_gcert_deinit (&peer_cert);
00229 if (ret < 0)
00230 {
00231 MHD_gnutls_assert ();
00232 return ret;
00233 }
00234
00235 return ret;
00236 }
00237
00238
00239
00240 static int
00241 proc_dhe_client_kx (MHD_gtls_session_t session, opaque * data,
00242 size_t _data_size)
00243 {
00244 MHD_gtls_cert_credentials_t cred;
00245 int ret;
00246 mpi_t p, g;
00247 const mpi_t *mpis;
00248 MHD_gtls_dh_params_t dh_params;
00249
00250 cred = (MHD_gtls_cert_credentials_t)
00251 MHD_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
00252 if (cred == NULL)
00253 {
00254 MHD_gnutls_assert ();
00255 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
00256 }
00257
00258 dh_params =
00259 MHD_gtls_get_dh_params (cred->dh_params, cred->params_func, session);
00260 mpis = MHD_gtls_dh_params_to_mpi (dh_params);
00261 if (mpis == NULL)
00262 {
00263 MHD_gnutls_assert ();
00264 return GNUTLS_E_NO_TEMPORARY_DH_PARAMS;
00265 }
00266
00267 p = mpis[0];
00268 g = mpis[1];
00269
00270 ret = MHD_gtls_proc_dh_common_client_kx (session, data, _data_size, g, p);
00271
00272 return ret;
00273
00274 }