#include <syslog.h>
#include <errno.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <arpa/inet.h>
-#include <netinet/in.h>
-
#include <gnutls/gnutls.h>
#include <gnutls/pkcs11.h>
#include <gnutls/abstract.h>
#ifdef WINDOWS_PORT
#include <winsock2.h>
+#include <ws2tcpip.h>
#else
#include <poll.h>
#include <sys/types.h>
#ifndef __MINGW64__
#include <arpa/inet.h>
#endif
+#include <netinet/in.h>
#endif
#ifdef WINDOWS_PORT
static struct credinfo cli_creds [EXPECTED_CLI_CREDCOUNT];
static int srv_credcount = 0;
static int cli_credcount = 0;
-static const char const *onthefly_p11uri = "pkcs11:manufacturer=ARPA2.net;token=TLS+Pool+internal;object=on-the-fly+signer;type=private;serial=1";
+static const char onthefly_p11uri[] = "pkcs11:manufacturer=ARPA2.net;token=TLS+Pool+internal;object=on-the-fly+signer;type=private;serial=1";
static unsigned long long onthefly_serial; //TODO: Fill with now * 1000
static gnutls_x509_crt_t onthefly_issuercrt = NULL;
static gnutls_privkey_t onthefly_issuerkey = NULL;
return GNUTLS_E_PKCS11_TOKEN_ERROR;
}
}
-
+
/*
* Implement the GnuTLS function for PIN callback. This function calls
GNUTLS_E_FILE_ERROR);
} else {
gnutls_datum_t cd = {
- .data = crt,
+ .data = (unsigned char *)(&crt[0]),
.size = len
};
fprintf (stderr, "DEBUG: gtls_errno==%d before importing onthefly_issuercrt\n", gtls_errno);
char *rolestr;
char sni [sizeof (cmd->cmd.pio_data.pioc_starttls.localid)];
size_t snilen = sizeof (sni);
- int snitype;
+ unsigned int snitype;
int ok;
uint32_t flags;
char *p11priv;
} else {
//
// For KDH-Only, the server supplies one of:
- // - an empty ticket (0 bytes long)
- // - a TGT for user-to-user mode (where considered useful)
+ // - a TGT for user-to-user mode (for p2p exchanges)
+ // - an DER NULL to waive u2u mode
//TODO// E_g2e ("MOVED: Failed to import Kerberos ticket",
//TODO// gnutls_pcert_import_krb_raw (
//TODO// *pcert,
// u2u = u2u || "shaken hands on TLS symmetry extension"
u2u = u2u && got_cc_srv; // We may simply not be able!
//
- // When not in user-to-user mode, deliver 0 bytes
+ // When not in user-to-user mode, deliver DER NULL
if (!u2u) {
- certdatum.data = "";
- certdatum.size = 0;
+ static unsigned char der_null_data[] = "\x05\x00";
+ certdatum.data = der_null_data;
+ certdatum.size = 2;
E_g2e ("Failed to withhold Kerberos server ticket",
gnutls_pcert_import_krb_raw (
*pcert,
if (status < 2) {
gtls_errno = GNUTLS_E_NO_CERTIFICATE_FOUND;
} else if (0 != krb5_copy_principal (
- krbctx_srv,
- tgt->server,
+ krbctx_srv,
+ tgt->server,
&cmd->krbid_srv)) {
gtls_errno = GNUTLS_E_NO_CERTIFICATE_FOUND;
}
//
// Return the overral error code, hopefully GNUTLS_E_SUCCESS
tlog (TLOG_TLS, LOG_DEBUG, "Returning %d / %s from clisrv_cert_retrieve()", gtls_errno, gnutls_strerror (gtls_errno));
-fprintf (stderr, "DEBUG: clisrv_cert_retrieve() sets *pcert to 0x%xl (length %d)... {pubkey = 0x%lx, cert= {data = 0x%lx, size=%ld}, type=%ld}\n", (long) *pcert, *pcert_length, (long) (*pcert)->pubkey, (long) (*pcert)->cert.data, (long) (*pcert)->cert.size, (long) (*pcert)->type);
+fprintf (stderr, "DEBUG: clisrv_cert_retrieve() sets *pcert to 0x%lx (length %d)... {pubkey = 0x%lx, cert= {data = 0x%lx, size=%ld}, type=%ld}\n", (long) *pcert, *pcert_length, (long) (*pcert)->pubkey, (long) (*pcert)->cert.data, (long) (*pcert)->cert.size, (long) (*pcert)->type);
return gtls_errno;
}
long nextlen;
// Note: Accept BER because the outside SEQUENCE is not signed
certlen = asn1_get_length_ber (
- ((char *) certdatum->data) + 1,
+ (certdatum->data) + 1,
certdatum->size,
&lenlen);
certlen += 1 + lenlen;
*chainlen = 0;
return NULL;
}
- nextdatum.data = ((char *) certdatum->data) + certlen;
- nextdatum.size = certdatum->size - certlen;
+ nextdatum.data = (certdatum->data) + certlen;
+ nextdatum.size = certdatum->size - certlen;
certdatum->size = certlen;
nextlen = asn1_get_length_ber (
- ((char *) nextdatum.data) + 1,
+ nextdatum.data + 1,
nextdatum.size,
&lenlen);
nextlen += 1 + lenlen;
/* Cleanup Kerberos resources. This must be an idempotent function, because
- * it is called when Kerberos panics as well as when
+ * it is called when Kerberos panics as well as when
*/
#ifdef HAVE_TLS_KDH
static void cleanup_starttls_kerberos (void) {
(const dercursor *) &auth,
NULL // Measure length, no output yet
);
- uint8_t *decptr = malloc (declen);
+ uint8_t *decptr = gnutls_malloc (declen);
if (decptr == NULL) {
return GNUTLS_E_MEMORY_ERROR;
}
der_pack ( auth_packer,
(const dercursor *) &auth,
decptr + declen);
+ krb5_free_keyblock_contents (krbctx_cli, &subkey);
prangefull ("cli_A", decptr, declen);
size_t rawlen;
if (0 != krb5_c_encrypt_length (krbctx_cli,
cmd->krb_key.enctype,
declen,
&rawlen)) {
- free (decptr);
+ gnutls_free (decptr);
return GNUTLS_E_ENCRYPTION_FAILED;
}
- uint8_t *rawptr = malloc (rawlen);
+ uint8_t *rawptr = gnutls_malloc (rawlen);
if (rawptr == NULL) {
- free (decptr);
+ gnutls_free (decptr);
return GNUTLS_E_MEMORY_ERROR;
}
krb5_data decdata;
NULL,
&decdata,
&rawdata)) {
- free (rawptr);
- free (decptr);
+ gnutls_free (rawptr);
+ gnutls_free (decptr);
return GNUTLS_E_ENCRYPTION_FAILED;
}
//
QDERBUF_INT32_T deretype;
QDERBUF_UINT32_T derkvno;
encrypted_data_t encdata;
+ memset (&encdata, 0, sizeof (encdata));
encdata.etype = qder2b_pack_int32 (deretype, cmd->krb_key.enctype);
//NOT// encdata.kvno = qder2b_pack_int32 (derkvno, cmd->krb_key.kvno);
encdata.cipher.derptr = rawdata.ciphertext.data;
(const dercursor *) &encdata,
NULL // Measure length, no output yet
);
- uint8_t *encptr = malloc (enclen);
+ uint8_t *encptr = gnutls_malloc (enclen);
if (encptr == NULL) {
- free (rawptr);
- free (decptr);
+ gnutls_free (rawptr);
+ gnutls_free (decptr);
return GNUTLS_E_MEMORY_ERROR;
}
der_pack ( encdata_packer,
(const dercursor *) &encdata,
encptr + enclen);
- free (rawptr);
+ gnutls_free (rawptr);
//
// Return our final verdict on the generation of the Authenticator
dec_authenticator->data = decptr;
dercursor enctransport;
enctransport.derptr = enc_authenticator->data;
enctransport.derlen = enc_authenticator->size;
+prangefull ("EncData2unpack", enctransport.derptr, enctransport.derlen);
memset (&encdata, 0, sizeof (encdata));
if (0 != der_unpack ( &enctransport,
encdata_packer,
/* valexp_I_start -- validation function for the GnuTLS backend.
* This function ensures that the remote peer provides an identity.
* TODO: We should compare the hostname as well, or compare if in remoteid
- * TODO: We may need to support more than just X509/PGP certificates
+ * TODO: We may need to support more than just X509/PGP certificates
*/
static void valexp_I_start (void *vcmd, struct valexp *ve, char pred) {
struct command *cmd = (struct command *) vcmd;
case IPPROTO_UDP:
proto = "udp";
break;
+#ifndef WINDOWS_PORT
case IPPROTO_SCTP:
proto = "sctp";
break;
+#endif
default:
goto setflagval;
}
valflag = o2vf (online_globaldir_x509 (
rid,
raw->data, raw->size));
-#ifdef GNUTLS_CRT_KRB
+#ifdef HAVE_TLS_KDH
} else if (cmd->remote_cert_type == GNUTLS_CRT_KRB) {
- // Kerberos is sufficiently "live" to always pass O
+ // Kerberos is sufficiently "live" to be pass O
valflag = 1;
goto setvalflag;
#endif
#ifdef HAVE_TLS_KDH
cmd->remote_cert_type = gnutls_certificate_type_get_peers (cmd->session);
certs = gnutls_certificate_get_peers (cmd->session, &num_certs);
+ // Note: server's certs _may_ be DER NULL due to mutual auth in Kerberos
#else
cmd->remote_cert_type = gnutls_certificate_type_get (cmd->session);
- certs = gnutls_certificate_get (cmd->session, &num_certs);
+ certs = gnutls_certificate_get_peers (cmd->session, &num_certs);
#endif
if (certs == NULL) {
num_certs = 0;
fprintf (stderr, "DEBUG: otfcert retrieval returned %d\n", gtls_errno);
return gtls_errno;
} else {
-fprintf (stderr, "DEBUG: otfcert retrieval returned GNUTLS_E_AGAIN, so skip it\n", gtls_errno);
+fprintf (stderr, "DEBUG: otfcert retrieval returned GNUTLS_E_AGAIN, so skip it\n");
gtls_errno = GNUTLS_E_SUCCESS; // Attempt failed, ignore
}
}
#endif
tlog (TLOG_DB, LOG_DEBUG, "BDB entry has flags=0x%08x, so we (%04x/%04x) %s it", flags, lidrole, LID_ROLE_MASK, ok? "store": "skip ");
if (ok) {
+ if (cmd->lids [lidtype - LID_TYPE_MIN].data != NULL) {
+ free (cmd->lids [lidtype - LID_TYPE_MIN].data);
+ }
// Move the credential into the command structure
dbt_store (&creddata,
&cmd->lids [lidtype - LID_TYPE_MIN]);
+fprintf (stderr, "DEBUG: Storing cmd->lids[%d].data %p\n", lidtype-LID_TYPE_MIN, cmd->lids [lidtype-LID_TYPE_MIN].data);
found = 1;
} else {
// Skip the credential by freeing its data structure
int gtls_errno = GNUTLS_E_SUCCESS;
char sni [sizeof (cmd->cmd.pio_data.pioc_starttls.remoteid)]; // static
size_t snilen = sizeof (sni);
- int snitype;
+ unsigned int snitype;
char *lid;
tlog (LOG_DAEMON, LOG_INFO, "Invoked %sprocessor for Client Hello, htype=%d, incoming=%d\n",
E_g2e ("Failed to reconfigure GnuTLS as a server",
configure_session (cmd,
session,
- srv_creds, srv_credcount,
+ srv_creds, srv_credcount,
cmd->anonpre & ANONPRE_SERVER));
fprintf (stderr, "DEBUG: Got gtls_errno = %d at %d\n", gtls_errno, __LINE__);
case GNUTLS_CRD_SRP:
gnutls_srp_free_server_credentials (crd->cred);
break;
+ case GNUTLS_CRD_PSK:
+ case GNUTLS_CRD_IA:
+ //TODO: not handled
+ break;
//TODO// case GNUTLS_CRD_KDH:
//TODO// gnutls_kdh_free_server_credentials (crd->cred);
//TODO// break;
case GNUTLS_CRD_SRP:
gnutls_srp_free_client_credentials (crd->cred);
break;
+ case GNUTLS_CRD_PSK:
+ case GNUTLS_CRD_IA:
+ //TODO: not handled
+ break;
//TODO// case GNUTLS_CRD_KDH:
//TODO// gnutls_kdh_free_client_credentials (crd->cred);
//TODO// break;
//
// First find the ctlkeynode_tls
ckn = (struct ctlkeynode_tls *) ctlkey_find (cmd->cmd.pio_data.pioc_starttls.ctlkey, security_tls, cmd->clientfd);
-fprintf (stderr, "DEBUG: Got ckn == 0x%0x\n", (intptr_t) ckn);
+fprintf (stderr, "DEBUG: Got ckn == %p\n", (void *) ckn);
if (ckn == NULL) {
tlog (TLOG_UNIXSOCK, LOG_ERR, "Failed to find TLS connection for renegotiation by its ctlkey");
send_error (replycmd, ESRCH, "Cannot find TLS connection for renegotiation");
// that TLS has in this respect. Maybe we'll capture it one giant loop
// at some point, but for now that does not seem to add any relief.
renegotiate:
-fprintf (stderr, "DEBUG: Renegotiating = %d, anonpost = %d, plainfd = %d, cryptfd = %d, flags = 0x%x, session = 0x%x, got_session = %d, lid = \"%s\", rid = \"%s\"\n", renegotiating, anonpost, plainfd, cryptfd, cmd->cmd.pio_data.pioc_starttls.flags, session, got_session, cmd->cmd.pio_data.pioc_starttls.localid, cmd->cmd.pio_data.pioc_starttls.remoteid);
+fprintf (stderr, "DEBUG: Renegotiating = %d, anonpost = %d, plainfd = %d, cryptfd = %d, flags = 0x%x, session = %p, got_session = %d, lid = \"%s\", rid = \"%s\"\n", renegotiating, anonpost, plainfd, cryptfd, cmd->cmd.pio_data.pioc_starttls.flags, session, got_session, cmd->cmd.pio_data.pioc_starttls.localid, cmd->cmd.pio_data.pioc_starttls.remoteid);
//
// If this is server renegotiating, send a request to that end
close (plainfd);
plainfd = -1;
}
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ckn != NULL) { /* TODO: CHECK NEEDED? */
if (ctlkey_unregister (ckn->regent.ctlkey)) {
free (ckn);
while (anonpre_regjmp > 0) {
anonpre_regjmp = anonpre_regjmp >> 1;
cmp = strncasecmp (anonpre_registry [anonpre_regidx].service,
- cmd->cmd.pio_data.pioc_starttls.service,
+ (const char *)cmd->cmd.pio_data.pioc_starttls.service,
TLSPOOL_SERVICELEN);
fprintf (stderr, "DEBUG: anonpre_determination, comparing [%d] %s to %s, found cmp==%d\n", anonpre_regidx, anonpre_registry [anonpre_regidx].service, cmd->cmd.pio_data.pioc_starttls.service, cmp);
if (cmp == 0) {
close (plainfd);
plainfd = -1;
}
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ckn != NULL) { /* TODO: CHECK NEEDED? */
if (ctlkey_unregister (ckn->regent.ctlkey)) {
free (ckn);
len++;
}
// If no usable remoteid was setup, ignore it
- if ((len + ofs > 0) && (len < 128)) {
+ if ((len > ofs) && (len < 128)) {
cmd->cmd.pio_data.pioc_starttls.remoteid [sizeof (cmd->cmd.pio_data.pioc_starttls.remoteid)-1] = '\0';
+ tlog (TLOG_TLS, LOG_DEBUG, "Sending ServerNameIndication \"%.*s\"", len - ofs, str + ofs);
E_g2e ("Client failed to setup SNI",
gnutls_server_name_set (
session,
configure_session (cmd,
session,
anonpost? NULL: cli_creds,
- anonpost? 0: cli_credcount,
+ anonpost? 0: cli_credcount,
cmd->anonpre & ANONPRE_CLIENT));
}
//
configure_session (cmd,
session,
anonpost? NULL: srv_creds,
- anonpost? 0: srv_credcount,
+ anonpost? 0: srv_credcount,
cmd->anonpre & ANONPRE_SERVER));
}
#endif
send_error (replycmd, EIO, "Failed to prepare for TLS");
}
if (got_session) {
-fprintf (stderr, "gnutls_deinit (0x%x) at %d\n", session, __LINE__);
+fprintf (stderr, "gnutls_deinit (%p) at %d\n", (void *)session, __LINE__);
gnutls_deinit (session);
got_session = 0;
}
close (plainfd);
plainfd = -1;
}
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ckn != NULL) { /* TODO: CHECK NEEDED? */
if (ctlkey_unregister (ckn->regent.ctlkey)) {
free (ckn);
(gnutls_error_is_fatal (gtls_errno) == 0));
//
// Handshake done -- initialise remote_xxx, vfystatus, got_remoteid
- E_g2e ("Failed to retrieve peer credentials",
- fetch_remote_credentials (cmd));
+ if ((gtls_errno == 0) && !(cmd->cmd.pio_data.pioc_starttls.flags & PIOF_STARTTLS_IGNORE_REMOTEID)) {
+ // We want to try to authenticate the peer
+ E_g2e ("Failed to retrieve peer credentials",
+ fetch_remote_credentials (cmd));
+ if (gtls_errno == GNUTLS_E_AUTH_ERROR) {
+ if (cmd->cmd.pio_data.pioc_starttls.flags & PIOF_STARTTLS_REQUEST_REMOTEID) {
+ // We do not _require_ authentication of the peer
+ gtls_errno = 0;
+ }
+ }
+ }
if (gtls_errno == 0) {
const gnutls_datum_t *certs;
unsigned int num_certs;
//TODO:ELSEWHERE// E_g2e ("Failed to reconfigure GnuTLS without anonymous precursor",
//TODO:ELSEWHERE// configure_session (cmd,
//TODO:ELSEWHERE// session,
- //TODO:ELSEWHERE// NULL, 0,
+ //TODO:ELSEWHERE// NULL, 0,
//TODO:ELSEWHERE// 0));
// We do not want to use ANON-DH if the flag
// ANONPRE_EXTEND_MASTER_SECRET is set for the protocol
// Setup for validation expression runthrough
cmd->valexp_result = -1;
if ((cmd->trust_valexp != NULL) && (0 != strcmp (cmd->trust_valexp, "1"))) {
-fprintf (stderr, "DEBUG: Trust valexp \"%s\" @ 0x%016x\n", cmd->trust_valexp, (uint64_t) cmd->trust_valexp);
+fprintf (stderr, "DEBUG: Trust valexp \"%s\" @ %p\n", cmd->trust_valexp, (void *) cmd->trust_valexp);
valexp_conj [valexp_conj_count++] = cmd->trust_valexp;
}
if (cmd->lids [LID_TYPE_VALEXP - LID_TYPE_MIN].data != NULL) {
&lid_valexp,
&ignored.data,
&ignored.size);
-fprintf (stderr, "DEBUG: LocalID valexp \"%s\" @ 0x%016x (ok=%d)\n", lid_valexp, (uint64_t) lid_valexp, ok);
+fprintf (stderr, "DEBUG: LocalID valexp \"%s\" @ %p (ok=%d)\n", lid_valexp, (void *) lid_valexp, ok);
if (ok && (lid_valexp != NULL)) {
valexp_conj [valexp_conj_count++] = lid_valexp;
} else {
valexp_conj,
have_starttls_validation (),
(void *) cmd);
-fprintf (stderr, "DEBUG: Registered to verun = 0x%016x\n", (uint64_t) verun);
+fprintf (stderr, "DEBUG: Registered to verun = %p\n", (void *) verun);
if (verun == NULL) {
gtls_errno = GNUTLS_E_AUTH_ERROR;
}
}
else fprintf (stderr, "DEBUG: valexp returns POSITIVE result\n");
valexp_unregister (verun);
-fprintf (stderr, "DEBUG: Unregistered verun 0x%016x\n", (uint64_t) verun);
+fprintf (stderr, "DEBUG: Unregistered verun %p\n", (void *) verun);
}
}
// Cleanup any prefetched identities
for (i=LID_TYPE_MIN; i<=LID_TYPE_MAX; i++) {
if (cmd->lids [i - LID_TYPE_MIN].data != NULL) {
+fprintf (stderr, "DEBUG: Freeing cmd->lids[%d].data %p\n", i-LID_TYPE_MIN, (void *)(cmd->lids [i-LID_TYPE_MIN].data));
free (cmd->lids [i - LID_TYPE_MIN].data);
}
}
free (preauth);
}
if (got_session) {
-fprintf (stderr, "gnutls_deinit (0x%x) at %d\n", session, __LINE__);
+fprintf (stderr, "gnutls_deinit (%p) at %d\n", (void *)session, __LINE__);
gnutls_deinit (session);
got_session = 0;
}
close (plainfd);
plainfd = -1;
}
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ckn != NULL) { /* TODO: CHECK NEEDED? */
if (ctlkey_unregister (ckn->regent.ctlkey)) {
free (ckn);
free (preauth);
}
if (got_session) {
-fprintf (stderr, "gnutls_deinit (0x%x) at %d\n", session, __LINE__);
+fprintf (stderr, "gnutls_deinit (%p) at %d\n", (void *)session, __LINE__);
gnutls_deinit (session);
got_session = 0;
}
close (cryptfd);
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ckn) { /* TODO: CHECK NEEDED? PRACTICE=>YES */
if (ctlkey_unregister (ckn->regent.ctlkey)) {
free (ckn);
free (preauth);
}
if (got_session) {
-fprintf (stderr, "gnutls_deinit (0x%x) at %d\n", session, __LINE__);
+fprintf (stderr, "gnutls_deinit (%p) at %d\n", (void *)session, __LINE__);
gnutls_deinit (session);
got_session = 0;
}
close (cryptfd);
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ckn != NULL) { /* TODO: CHECK NEEDED? */
if (ctlkey_unregister (ckn->regent.ctlkey)) {
free (ckn);
// already have been freed if the ctlfd was closed
// and the connection could not continue detached
// (such as after forking it).
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ctlkey_unregister (orig_starttls.ctlkey)) {
free (ckn);
}
close (cryptfd);
cleanup_any_remote_credentials (cmd);
if (got_session) {
-fprintf (stderr, "gnutls_deinit (0x%x) at %d\n", session, __LINE__);
+fprintf (stderr, "gnutls_deinit (%p) at %d\n", (void *)session, __LINE__);
gnutls_deinit (session);
got_session = 0;
}
/*
- * The starttls function responds to an application's request to
+ * The starttls function responds to an application's request to
* setup TLS for a given file descriptor, and return a file descriptor
* with the unencrypted view when done. The main thing done here is to
* spark off a new thread that handles the operations.
if (strlen (pf) != in1len) {
continue;
}
- if (strcmp (pf, in1) != 0) {
+ if (strcmp (pf, (const char *)in1) != 0) {
continue;
}
}
if (*prefixes == NULL) {
// RFC 5705 defines a private-use prefix "EXPERIMENTAL"
- if ((in1len <= 12) || (strncmp (in1, "EXPERIMENTAL", 12) != 0)) {
+ if ((in1len <= 12) || (strncmp ((const char *)in1, "EXPERIMENTAL", 12) != 0)) {
err = 1;
}
}
errno = 0;
E_g2e ("GnuTLS PRNG based on session master key failed",
gnutls_prf_rfc5705 (ckn->session,
- in1len, in1,
- (in2len >= 0)? in2len: 0, (in2len >= 0) ? in2: NULL,
- prnglen, prng->buffer));
+ in1len, (const char *)in1,
+ (in2len >= 0)? in2len: 0,
+ (const char *)((in2len >= 0) ? in2: NULL),
+ prnglen, (char *)prng->buffer));
err = err || (errno != 0);
//
// Wipe temporary data / buffers for security reasons
cmd->lids [LID_TYPE_X509 - LID_TYPE_MIN].data = NULL;
cmd->lids [LID_TYPE_X509 - LID_TYPE_MIN].size = 0;
}
-
+
//
// Create an empty certificate
E_g2e ("Failed to initialise on-the-fly certificate",
//TODO: gnutls_x509_crt_set_key_usage
//TODO:SKIP? gnutls_x509_crt_set_ca_status
for (i=0; i < svcusage_registry_size; i++) {
- if (strcmp (svcusage_registry [i].service, cmd->cmd.pio_data.pioc_starttls.service) == 0) {
+ if (strcmp (svcusage_registry [i].service, (const char *)(cmd->cmd.pio_data.pioc_starttls.service)) == 0) {
const char **walker;
E_g2e ("Failed to setup basic key usage during on-the-fly certificate creation",
gnutls_x509_crt_set_key_usage (otfcert, svcusage_registry [i].usage));
// This is as expected, now .size will have been set
gtls_errno = GNUTLS_E_SUCCESS;
} else {
- if (gtls_errno = GNUTLS_E_SUCCESS) {
+ if (gtls_errno == GNUTLS_E_SUCCESS) {
// Something must be wrong if we receive OK
gtls_errno = GNUTLS_E_INVALID_REQUEST;
}
cmd->lids [LID_TYPE_X509 - LID_TYPE_MIN].data = ptr;
* (uint32_t *) ptr = htonl (LID_TYPE_X509 | LID_ROLE_BOTH);
ptr += 4;
- strcpy (ptr, onthefly_p11uri);
+ strcpy ((char *)ptr, onthefly_p11uri);
ptr += strlen (onthefly_p11uri) + 1;
restsz = cmd->lids [LID_TYPE_X509 - LID_TYPE_MIN].size - 4 - strlen (onthefly_p11uri) - 1;
E_g2e ("Failed to export on-the-fly certificate as a credential",
gnutls_x509_crt_export (otfcert, GNUTLS_X509_FMT_DER, ptr, &restsz));
-char *pembuf [10000];
+char pembuf [10000];
size_t pemlen = sizeof (pembuf) - 1;
int exporterror = gnutls_x509_crt_export (otfcert, GNUTLS_X509_FMT_PEM, pembuf, &pemlen);
if (exporterror == 0) {