]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Added simpler verification functions for clients
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 24 Aug 2015 10:00:10 +0000 (12:00 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 24 Aug 2015 11:13:39 +0000 (13:13 +0200)
The major use-case for the TLS protocol is verification of PKIX
certificates. However, certificate verification support while is
similar for almost all projects it requires around 100 lines of code
(a callback) to be duplicated to all applications. That patch
set gets rid of the callback and simplifies certificate verification
support, by introducing a very simple API; one that would accept
the session and the hostname only.

Resolves #27

lib/Makefile.am
lib/auto-verify.c [new file with mode: 0644]
lib/gnutls_int.h
lib/handshake.c
lib/includes/gnutls/gnutls.h.in
lib/libgnutls.map

index 9e60733fbca652f674f4f597b2c684e8f69a47f0..6c455b0d5b2b39458c637cb62ab704fca58b52b6 100644 (file)
@@ -75,7 +75,7 @@ COBJECTS = range.c record.c compress.c debug.c cipher.c                       \
        random.c crypto-api.c privkey.c pcert.c pubkey.c locks.c dtls.c         \
        system_override.c crypto-backend.c verify-tofu.c pin.c tpm.c fips.c     \
        safe-memfuncs.c inet_pton.c atfork.c atfork.h \
-       system-keys.h urls.c urls.h prf.c
+       system-keys.h urls.c urls.h prf.c auto-verify.c
 
 if WINDOWS
 COBJECTS += system-keys-win.c
diff --git a/lib/auto-verify.c b/lib/auto-verify.c
new file mode 100644 (file)
index 0000000..b1d3a1c
--- /dev/null
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) 2015 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#include "gnutls_int.h"
+#include "errors.h"
+#include <auth/cert.h>
+#include <gnutls/gnutls.h>
+
+/* This file implements the client certificate auto verification functionality.
+ */
+
+/* The actual verification callback. */
+static int auto_verify_cb(gnutls_session_t session)
+{
+        unsigned int status;
+        int ret;
+
+        if (session->internals.vc_elements == 0) {
+               ret = gnutls_certificate_verify_peers2(session, &status);
+       } else {
+               ret = gnutls_certificate_verify_peers(session, session->internals.vc_data,
+                                                     session->internals.vc_elements, &status);
+        }
+        if (ret < 0) {
+                return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
+        }
+
+        session->internals.vc_status = status;
+
+        if (status != 0)        /* Certificate is not trusted */
+                return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
+
+        /* notify gnutls to continue handshake normally */
+        return 0;
+}
+
+/**
+ * gnutls_session_auto_verify_cert:
+ * @session: is a gnutls session
+ * @hostname: is the expected name of the peer; may be %NULL
+ * @flags: should be zero
+ *
+ * This function instructs GnuTLS to verify the peer's certificate
+ * using the provided hostname. If the verification fails the handshake
+ * will also fail. The verification result can be obtained using
+ * gnutls_session_get_verify_cert_status().
+ *
+ * The hostname pointer provided must remain valid for the lifetime
+ * of the session. If not hostname is provided, no hostname verification
+ * will be performed.
+ *
+ * That function is intended to be used by clients.
+ *
+ * Since: 3.5.0
+ **/
+void gnutls_session_auto_verify_cert(gnutls_session_t session,
+                                    const char *hostname, unsigned flags)
+{
+       if (hostname) {
+               session->internals.vc_sdata.type = GNUTLS_DT_DNS_HOSTNAME;
+               session->internals.vc_sdata.data = (void*)hostname;
+               session->internals.vc_sdata.size = 0;
+               session->internals.vc_elements = 1;
+               session->internals.vc_data = &session->internals.vc_sdata;
+       } else {
+               session->internals.vc_elements = 0;
+       }
+
+       gnutls_session_set_verify_function(session, auto_verify_cb);
+}
+
+/**
+ * gnutls_session_auto_verify_cert2:
+ * @session: is a gnutls session
+ * @data: an array of typed data
+ * @elements: the number of data elements
+ * @flags: should be zero
+ *
+ * This function instructs GnuTLS to verify the peer's certificate
+ * using the provided typed data information. If the verification fails the handshake
+ * will also fail. The verification result can be obtained using
+ * gnutls_session_get_verify_cert_status().
+ *
+ * The acceptable typed data are the same as in gnutls_certificate_verify_peers(),
+ * and once set must remain valid for the lifetime of the session.
+ *
+ * Since: 3.5.0
+ **/
+void gnutls_session_auto_verify_cert2(gnutls_session_t session,
+                                    gnutls_typed_vdata_st * data,
+                                    unsigned elements,
+                                    unsigned flags)
+{
+       session->internals.vc_data = data;
+       session->internals.vc_elements = elements;
+       gnutls_session_set_verify_function(session, auto_verify_cb);
+}
+
+/**
+ * gnutls_session_get_verify_cert_status:
+ * @session: is a gnutls session
+ *
+ * This function returns the status of the verification when initiated
+ * via auto-verification, i.e., by gnutls_session_auto_verify_cert2() or
+ * gnutls_session_auto_verify_cert().
+ *
+ * The certificate verification status is the same as in gnutls_certificate_verify_peers().
+ *
+ * Returns: the certificate verification status.
+ *
+ * Since: 3.5.0
+ **/
+unsigned int gnutls_session_get_verify_cert_status(gnutls_session_t session)
+{
+       return session->internals.vc_status;
+}
index 6e28296737665142298db3ebb50e52ac297388c3..8c38cc85f5408885a01f7eafadb15bf36a93b009 100644 (file)
@@ -1001,6 +1001,10 @@ typedef struct {
        /* a verify callback to override the verify callback from the credentials
         * structure */
        gnutls_certificate_verify_function *verify_callback;
+       gnutls_typed_vdata_st *vc_data;
+       gnutls_typed_vdata_st vc_sdata;
+       unsigned vc_elements;
+       unsigned vc_status;
 
        /* whether this session uses non-blocking sockets */
        bool blocking;
index f31161c8bfc4bf6d66de16fad061228f9d471b69..776513b63477e45087618e679ab5fdfa4ac6283c 100644 (file)
@@ -2556,6 +2556,7 @@ int gnutls_handshake(gnutls_session_t session)
                        return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
 
                session->internals.handshake_in_progress = 1;
+               session->internals.vc_status = -1;
                gettime(&session->internals.handshake_start_time);
                if (session->internals.handshake_timeout_ms &&
                    session->internals.handshake_endtime == 0)
index bfd4ba5e751d60de0f3182d84e3830148ee11c31..370e0fddf43684eb42888f8f78fe98e4f101ed46 100644 (file)
@@ -1271,6 +1271,38 @@ char *gnutls_session_get_desc(gnutls_session_t session);
 typedef int gnutls_certificate_verify_function(gnutls_session_t);
 void gnutls_session_set_verify_function(gnutls_session_t session, gnutls_certificate_verify_function * func);
 
+/**
+ * gnutls_vdata_types_t:
+ * @GNUTLS_DT_UNKNOWN: Unknown data type.
+ * @GNUTLS_DT_DNS_HOSTNAME: The data contain a null-terminated DNS hostname.
+ * @GNUTLS_DT_RFC822NAME: The data contain a null-terminated email address.
+ * @GNUTLS_DT_KEY_PURPOSE_OID: The data contain a null-terminated key purpose OID.
+ *
+ * Enumeration of different key exchange algorithms.
+ */
+typedef enum {
+       GNUTLS_DT_UNKNOWN = 0,
+       GNUTLS_DT_DNS_HOSTNAME = 1,
+       GNUTLS_DT_KEY_PURPOSE_OID = 2,
+       GNUTLS_DT_RFC822NAME = 3
+} gnutls_vdata_types_t;
+
+typedef struct {
+       gnutls_vdata_types_t type;
+       unsigned char *data;
+       unsigned int size;
+} gnutls_typed_vdata_st;
+
+void gnutls_session_auto_verify_cert(gnutls_session_t session,
+                              const char *hostname, unsigned flags);
+
+void
+gnutls_session_auto_verify_cert2(gnutls_session_t session,
+                               gnutls_typed_vdata_st * data,
+                               unsigned elements, unsigned flags);
+
+unsigned int gnutls_session_get_verify_cert_status(gnutls_session_t);
+
 int gnutls_session_set_premaster(gnutls_session_t session,
                                 unsigned int entity,
                                 gnutls_protocol_t version,
@@ -2099,28 +2131,6 @@ int gnutls_certificate_verify_peers3(gnutls_session_t session,
                                     const char *hostname,
                                     unsigned int *status);
 
-/**
- * gnutls_vdata_types_t:
- * @GNUTLS_DT_UNKNOWN: Unknown data type.
- * @GNUTLS_DT_DNS_HOSTNAME: The data contain a null-terminated DNS hostname.
- * @GNUTLS_DT_RFC822NAME: The data contain a null-terminated email address.
- * @GNUTLS_DT_KEY_PURPOSE_OID: The data contain a null-terminated key purpose OID.
- *
- * Enumeration of different key exchange algorithms.
- */
-typedef enum {
-       GNUTLS_DT_UNKNOWN = 0,
-       GNUTLS_DT_DNS_HOSTNAME = 1,
-       GNUTLS_DT_KEY_PURPOSE_OID = 2,
-       GNUTLS_DT_RFC822NAME = 3
-} gnutls_vdata_types_t;
-
-typedef struct {
-       gnutls_vdata_types_t type;
-       unsigned char *data;
-       unsigned int size;
-} gnutls_typed_vdata_st;
-
 int
 gnutls_certificate_verify_peers(gnutls_session_t session,
                                gnutls_typed_vdata_st * data,
index dcb303f85c7d8b5c28c488e64f688ce3c5275b45..f80fc842b15ee4f36b1bf1ced1f7cce68b380f2c 100644 (file)
@@ -1053,6 +1053,9 @@ GNUTLS_3_4
        gnutls_hex_decode2;
        gnutls_hex_encode2;
        gnutls_session_set_verify_function;
+       gnutls_session_auto_verify_cert;
+       gnutls_session_auto_verify_cert2;
+       gnutls_session_get_verify_cert_status;
  local:
        *;
 };