//
// When not in user-to-user mode, deliver DER NULL
if (!u2u) {
- certdatum.data = "\x05\x00";
+ static unsigned char der_null_data[] = "\x05\x00";
+ certdatum.data = der_null_data;
certdatum.size = 2;
E_g2e ("Failed to withhold Kerberos server ticket",
gnutls_pcert_import_krb_raw (
//
// Return the overral error code, hopefully GNUTLS_E_SUCCESS
tlog (TLOG_TLS, LOG_DEBUG, "Returning %d / %s from clisrv_cert_retrieve()", gtls_errno, gnutls_strerror (gtls_errno));
-fprintf (stderr, "DEBUG: clisrv_cert_retrieve() sets *pcert to 0x%xl (length %d)... {pubkey = 0x%lx, cert= {data = 0x%lx, size=%ld}, type=%ld}\n", (long) *pcert, *pcert_length, (long) (*pcert)->pubkey, (long) (*pcert)->cert.data, (long) (*pcert)->cert.size, (long) (*pcert)->type);
+fprintf (stderr, "DEBUG: clisrv_cert_retrieve() sets *pcert to 0x%lx (length %d)... {pubkey = 0x%lx, cert= {data = 0x%lx, size=%ld}, type=%ld}\n", (long) *pcert, *pcert_length, (long) (*pcert)->pubkey, (long) (*pcert)->cert.data, (long) (*pcert)->cert.size, (long) (*pcert)->type);
return gtls_errno;
}
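Review bot: The pointer arguments at L14 are still printed through `(long)` casts with `%lx`, whereas every other pointer print in this patch was moved to `%p` with a `(void *)` cast, so this line keeps the truncation hazard on targets where `long` is narrower than a pointer. Suggest `(void *) *pcert`, `(void *) (*pcert)->pubkey` and `(void *) (*pcert)->cert.data` with `%p`; `(long) (*pcert)->cert.size` with `%ld` is fine. The enclosing function starts outside the hunk.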
long nextlen;
// Note: Accept BER because the outside SEQUENCE is not signed
certlen = asn1_get_length_ber (
- ((char *) certdatum->data) + 1,
+ (certdatum->data) + 1,
certdatum->size,
&lenlen);
certlen += 1 + lenlen;
*chainlen = 0;
return NULL;
}
- nextdatum.data = ((char *) certdatum->data) + certlen;
- nextdatum.size = certdatum->size - certlen;
+ nextdatum.data = (certdatum->data) + certlen;
+ nextdatum.size = certdatum->size - certlen;
certdatum->size = certlen;
nextlen = asn1_get_length_ber (
- ((char *) nextdatum.data) + 1,
+ nextdatum.data + 1,
nextdatum.size,
&lenlen);
nextlen += 1 + lenlen;
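Review bot: The length bound handed to `asn1_get_length_ber` at L21–L23 (and again at L35–L37) is the full datum size although the pointer has already been advanced one byte past the tag, so the decoder is permitted to read one byte beyond the end of `certdatum->data`; the bound should be `certdatum->size - 1` and `nextdatum.size - 1`, behind a `size >= 1` check. Separately, `certlen` from L24 is used as an offset at L30–L31 and `certdatum->size - certlen` is unsigned arithmetic; if the lines between L24 and L25 (not fully in view) do not already reject a negative error return and `certlen > certdatum->size`, a malformed chain yields a pointer past the buffer and a wrapped `nextdatum.size`. The enclosing function begins before the hunk.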
// Note: server's certs _may_ be DER NULL due to mutual auth in Kerberos
#else
cmd->remote_cert_type = gnutls_certificate_type_get (cmd->session);
- certs = gnutls_certificate_get (cmd->session, &num_certs);
+ certs = gnutls_certificate_get_peers (cmd->session, &num_certs);
#endif
if (certs == NULL) {
num_certs = 0;
fprintf (stderr, "DEBUG: otfcert retrieval returned %d\n", gtls_errno);
return gtls_errno;
} else {
-fprintf (stderr, "DEBUG: otfcert retrieval returned GNUTLS_E_AGAIN, so skip it\n", gtls_errno);
+fprintf (stderr, "DEBUG: otfcert retrieval returned GNUTLS_E_AGAIN, so skip it\n");
gtls_errno = GNUTLS_E_SUCCESS; // Attempt failed, ignore
}
}
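Review bot: The list returned by `gnutls_certificate_get_peers` at L43 is owned by the GnuTLS session and must not be freed by the caller, while the alternative `#if` branch above the hunk is not in view; if that branch yields a caller-owned list, the code that later consumes `certs` now faces two ownership rules. A one-line comment at L43 would pin this down: `// certs is owned by the session: do not free; stale after deinit/renegotiation`. Note also that `gnutls_certificate_get_peers` takes `unsigned int *` for the count, and the declaration of `num_certs` is outside the hunk, so its type is worth confirming now that the call changed.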
// Move the credential into the command structure
dbt_store (&creddata,
&cmd->lids [lidtype - LID_TYPE_MIN]);
-fprintf (stderr, "DEBUG: Storing cmd->lids[%d].data 0x%016x\n", lidtype-LID_TYPE_MIN, cmd->lids [lidtype-LID_TYPE_MIN].data);
+fprintf (stderr, "DEBUG: Storing cmd->lids[%d].data %p\n", lidtype-LID_TYPE_MIN, cmd->lids [lidtype-LID_TYPE_MIN].data);
found = 1;
} else {
// Skip the credential by freeing its data structure
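Review bot: `%p` at L59 receives `cmd->lids [...].data` without the `(void *)` cast that the matching free-loop print at L180 uses; `%p` is only defined for `void *`, so for consistency make it `(void *) cmd->lids [lidtype-LID_TYPE_MIN].data`. The enclosing function continues outside the hunk.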
int gtls_errno = GNUTLS_E_SUCCESS;
char sni [sizeof (cmd->cmd.pio_data.pioc_starttls.remoteid)]; // static
size_t snilen = sizeof (sni);
- int snitype;
+ unsigned int snitype;
char *lid;
tlog (LOG_DAEMON, LOG_INFO, "Invoked %sprocessor for Client Hello, htype=%d, incoming=%d\n",
case GNUTLS_CRD_SRP:
gnutls_srp_free_server_credentials (crd->cred);
break;
+ case GNUTLS_CRD_PSK:
+ case GNUTLS_CRD_IA:
+ //TODO: not handled
+ break;
//TODO// case GNUTLS_CRD_KDH:
//TODO// gnutls_kdh_free_server_credentials (crd->cred);
//TODO// break;
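Review bot: The new `GNUTLS_CRD_PSK` / `GNUTLS_CRD_IA` cases at L73–L76 (and L83–L86 in the client-side switch) reach `break` without freeing `crd->cred`, so if a credential of either type ever arrives at this cleanup it is silently leaked. Either the comment should state that these types are never allocated by this pool, or the branch should make the gap visible, e.g. replace the TODO with `// Never allocated by this pool; if that changes, free crd->cred here` or a `tlog (TLOG_TLS, LOG_WARNING, "Unhandled credential type in cleanup");`. Both switches begin and end outside the hunks.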
case GNUTLS_CRD_SRP:
gnutls_srp_free_client_credentials (crd->cred);
break;
+ case GNUTLS_CRD_PSK:
+ case GNUTLS_CRD_IA:
+ //TODO: not handled
+ break;
//TODO// case GNUTLS_CRD_KDH:
//TODO// gnutls_kdh_free_client_credentials (crd->cred);
//TODO// break;
//
// First find the ctlkeynode_tls
ckn = (struct ctlkeynode_tls *) ctlkey_find (cmd->cmd.pio_data.pioc_starttls.ctlkey, security_tls, cmd->clientfd);
-fprintf (stderr, "DEBUG: Got ckn == 0x%0x\n", (intptr_t) ckn);
+fprintf (stderr, "DEBUG: Got ckn == %p\n", (void *) ckn);
if (ckn == NULL) {
tlog (TLOG_UNIXSOCK, LOG_ERR, "Failed to find TLS connection for renegotiation by its ctlkey");
send_error (replycmd, ESRCH, "Cannot find TLS connection for renegotiation");
// that TLS has in this respect. Maybe we'll capture it one giant loop
// at some point, but for now that does not seem to add any relief.
renegotiate:
-fprintf (stderr, "DEBUG: Renegotiating = %d, anonpost = %d, plainfd = %d, cryptfd = %d, flags = 0x%x, session = 0x%x, got_session = %d, lid = \"%s\", rid = \"%s\"\n", renegotiating, anonpost, plainfd, cryptfd, cmd->cmd.pio_data.pioc_starttls.flags, session, got_session, cmd->cmd.pio_data.pioc_starttls.localid, cmd->cmd.pio_data.pioc_starttls.remoteid);
+fprintf (stderr, "DEBUG: Renegotiating = %d, anonpost = %d, plainfd = %d, cryptfd = %d, flags = 0x%x, session = %p, got_session = %d, lid = \"%s\", rid = \"%s\"\n", renegotiating, anonpost, plainfd, cryptfd, cmd->cmd.pio_data.pioc_starttls.flags, session, got_session, cmd->cmd.pio_data.pioc_starttls.localid, cmd->cmd.pio_data.pioc_starttls.remoteid);
//
// If this is server renegotiating, send a request to that end
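Review bot: The `%s` conversions at L102 print `pioc_starttls.localid` and `pioc_starttls.remoteid`, fixed-size fields supplied by the client over the control socket (L64 shows `remoteid` is an array), so unless the pool NUL-terminates them on receipt this debug line can read past the field; `%.*s` with `(int) sizeof (cmd->cmd.pio_data.pioc_starttls.remoteid)` bounds the read. The same applies to `.service` at L119 and to the `strcmp` on `.service` at L276, which unlike the `strncasecmp` at L115 is not bounded by `TLSPOOL_SERVICELEN` — `strncmp (..., TLSPOOL_SERVICELEN)` would match the existing convention. Also `session` is handed to `%p` at L102 without the `(void *)` cast that L133 and the rest of the patch use. The enclosing function starts outside the hunk.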
close (plainfd);
plainfd = -1;
}
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ckn != NULL) { /* TODO: CHECK NEEDED? */
if (ctlkey_unregister (ckn->regent.ctlkey)) {
free (ckn);
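Review bot: The debug line at L109 is repeated verbatim at L125, L141, L196, L210, L224 and L232 (and the `gnutls_deinit` print at L133, L188, L204, L218, L240), each writing a heap address to stderr unconditionally, which both multiplies the format/argument pairing this patch is fixing and discloses allocator layout in production output. Suggest one macro routed through the existing `tlog (TLOG_TLS, LOG_DEBUG, ...)` (as at L12), which presumably honours the configured log level: `#define DEBUG_CKN(ckn) tlog (TLOG_TLS, LOG_DEBUG, "ctlkey_unregister under ckn=%p at %d", (void *) (ckn), __LINE__)`. The enclosing function starts outside the hunk.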
while (anonpre_regjmp > 0) {
anonpre_regjmp = anonpre_regjmp >> 1;
cmp = strncasecmp (anonpre_registry [anonpre_regidx].service,
- cmd->cmd.pio_data.pioc_starttls.service,
+ (const char *)cmd->cmd.pio_data.pioc_starttls.service,
TLSPOOL_SERVICELEN);
fprintf (stderr, "DEBUG: anonpre_determination, comparing [%d] %s to %s, found cmp==%d\n", anonpre_regidx, anonpre_registry [anonpre_regidx].service, cmd->cmd.pio_data.pioc_starttls.service, cmp);
if (cmp == 0) {
close (plainfd);
plainfd = -1;
}
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ckn != NULL) { /* TODO: CHECK NEEDED? */
if (ctlkey_unregister (ckn->regent.ctlkey)) {
free (ckn);
send_error (replycmd, EIO, "Failed to prepare for TLS");
}
if (got_session) {
-fprintf (stderr, "gnutls_deinit (0x%x) at %d\n", session, __LINE__);
+fprintf (stderr, "gnutls_deinit (%p) at %d\n", (void *)session, __LINE__);
gnutls_deinit (session);
got_session = 0;
}
close (plainfd);
plainfd = -1;
}
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ckn != NULL) { /* TODO: CHECK NEEDED? */
if (ctlkey_unregister (ckn->regent.ctlkey)) {
free (ckn);
// Setup for validation expression runthrough
cmd->valexp_result = -1;
if ((cmd->trust_valexp != NULL) && (0 != strcmp (cmd->trust_valexp, "1"))) {
-fprintf (stderr, "DEBUG: Trust valexp \"%s\" @ 0x%016x\n", cmd->trust_valexp, (uint64_t) cmd->trust_valexp);
+fprintf (stderr, "DEBUG: Trust valexp \"%s\" @ %p\n", cmd->trust_valexp, (void *) cmd->trust_valexp);
valexp_conj [valexp_conj_count++] = cmd->trust_valexp;
}
if (cmd->lids [LID_TYPE_VALEXP - LID_TYPE_MIN].data != NULL) {
&lid_valexp,
&ignored.data,
&ignored.size);
-fprintf (stderr, "DEBUG: LocalID valexp \"%s\" @ 0x%016x (ok=%d)\n", lid_valexp, (uint64_t) lid_valexp, ok);
+fprintf (stderr, "DEBUG: LocalID valexp \"%s\" @ %p (ok=%d)\n", lid_valexp, (void *) lid_valexp, ok);
if (ok && (lid_valexp != NULL)) {
valexp_conj [valexp_conj_count++] = lid_valexp;
} else {
valexp_conj,
have_starttls_validation (),
(void *) cmd);
-fprintf (stderr, "DEBUG: Registered to verun = 0x%016x\n", (uint64_t) verun);
+fprintf (stderr, "DEBUG: Registered to verun = %p\n", (void *) verun);
if (verun == NULL) {
gtls_errno = GNUTLS_E_AUTH_ERROR;
}
}
else fprintf (stderr, "DEBUG: valexp returns POSITIVE result\n");
valexp_unregister (verun);
-fprintf (stderr, "DEBUG: Unregistered verun 0x%016x\n", (uint64_t) verun);
+fprintf (stderr, "DEBUG: Unregistered verun %p\n", (void *) verun);
}
}
// Cleanup any prefetched identities
for (i=LID_TYPE_MIN; i<=LID_TYPE_MAX; i++) {
if (cmd->lids [i - LID_TYPE_MIN].data != NULL) {
-fprintf (stderr, "DEBUG: Freeing cmd->lids[%d].data 0x%016x\n", i-LID_TYPE_MIN, cmd->lids [i-LID_TYPE_MIN].data);
+fprintf (stderr, "DEBUG: Freeing cmd->lids[%d].data %p\n", i-LID_TYPE_MIN, (void *)(cmd->lids [i-LID_TYPE_MIN].data));
free (cmd->lids [i - LID_TYPE_MIN].data);
}
}
free (preauth);
}
if (got_session) {
-fprintf (stderr, "gnutls_deinit (0x%x) at %d\n", session, __LINE__);
+fprintf (stderr, "gnutls_deinit (%p) at %d\n", (void *)session, __LINE__);
gnutls_deinit (session);
got_session = 0;
}
close (plainfd);
plainfd = -1;
}
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ckn != NULL) { /* TODO: CHECK NEEDED? */
if (ctlkey_unregister (ckn->regent.ctlkey)) {
free (ckn);
free (preauth);
}
if (got_session) {
-fprintf (stderr, "gnutls_deinit (0x%x) at %d\n", session, __LINE__);
+fprintf (stderr, "gnutls_deinit (%p) at %d\n", (void *)session, __LINE__);
gnutls_deinit (session);
got_session = 0;
}
close (cryptfd);
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ckn) { /* TODO: CHECK NEEDED? PRACTICE=>YES */
if (ctlkey_unregister (ckn->regent.ctlkey)) {
free (ckn);
free (preauth);
}
if (got_session) {
-fprintf (stderr, "gnutls_deinit (0x%x) at %d\n", session, __LINE__);
+fprintf (stderr, "gnutls_deinit (%p) at %d\n", (void *)session, __LINE__);
gnutls_deinit (session);
got_session = 0;
}
close (cryptfd);
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ckn != NULL) { /* TODO: CHECK NEEDED? */
if (ctlkey_unregister (ckn->regent.ctlkey)) {
free (ckn);
// already have been freed if the ctlfd was closed
// and the connection could not continue detached
// (such as after forking it).
-fprintf (stderr, "ctlkey_unregister under ckn=0x%x at %d\n", ckn, __LINE__);
+fprintf (stderr, "ctlkey_unregister under ckn=%p at %d\n", (void *)ckn, __LINE__);
if (ctlkey_unregister (orig_starttls.ctlkey)) {
free (ckn);
}
close (cryptfd);
cleanup_any_remote_credentials (cmd);
if (got_session) {
-fprintf (stderr, "gnutls_deinit (0x%x) at %d\n", session, __LINE__);
+fprintf (stderr, "gnutls_deinit (%p) at %d\n", (void *)session, __LINE__);
gnutls_deinit (session);
got_session = 0;
}
if (strlen (pf) != in1len) {
continue;
}
- if (strcmp (pf, in1) != 0) {
+ if (strcmp (pf, (const char *)in1) != 0) {
continue;
}
}
if (*prefixes == NULL) {
// RFC 5705 defines a private-use prefix "EXPERIMENTAL"
- if ((in1len <= 12) || (strncmp (in1, "EXPERIMENTAL", 12) != 0)) {
+ if ((in1len <= 12) || (strncmp ((const char *)in1, "EXPERIMENTAL", 12) != 0)) {
err = 1;
}
}
errno = 0;
E_g2e ("GnuTLS PRNG based on session master key failed",
gnutls_prf_rfc5705 (ckn->session,
- in1len, in1,
- (in2len >= 0)? in2len: 0, (in2len >= 0) ? in2: NULL,
- prnglen, prng->buffer));
+ in1len, (const char *)in1,
+ (in2len >= 0)? in2len: 0,
+ (const char *)((in2len >= 0) ? in2: NULL),
+ prnglen, (char *)prng->buffer));
err = err || (errno != 0);
//
// Wipe temporary data / buffers for security reasons
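Review bot: `strcmp (pf, (const char *)in1)` at L248 relies on `in1` being NUL-terminated even though its length `in1len` is passed explicitly and was already checked equal to `strlen (pf)` at L244; `memcmp (pf, in1, in1len) != 0` compares the same bytes without that assumption. The `strncmp` at L255 is bounded and fine. The `(char *)prng->buffer` cast at L268 is harmless but unnecessary for a `void *` output parameter. The enclosing function starts outside the hunk.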
//TODO: gnutls_x509_crt_set_key_usage
//TODO:SKIP? gnutls_x509_crt_set_ca_status
for (i=0; i < svcusage_registry_size; i++) {
- if (strcmp (svcusage_registry [i].service, cmd->cmd.pio_data.pioc_starttls.service) == 0) {
+ if (strcmp (svcusage_registry [i].service, (const char *)(cmd->cmd.pio_data.pioc_starttls.service)) == 0) {
const char **walker;
E_g2e ("Failed to setup basic key usage during on-the-fly certificate creation",
gnutls_x509_crt_set_key_usage (otfcert, svcusage_registry [i].usage));
// This is as expected, now .size will have been set
gtls_errno = GNUTLS_E_SUCCESS;
} else {
- if (gtls_errno = GNUTLS_E_SUCCESS) {
+ if (gtls_errno == GNUTLS_E_SUCCESS) {
// Something must be wrong if we receive OK
gtls_errno = GNUTLS_E_INVALID_REQUEST;
}
cmd->lids [LID_TYPE_X509 - LID_TYPE_MIN].data = ptr;
* (uint32_t *) ptr = htonl (LID_TYPE_X509 | LID_ROLE_BOTH);
ptr += 4;
- strcpy (ptr, onthefly_p11uri);
+ strcpy ((char *)ptr, onthefly_p11uri);
ptr += strlen (onthefly_p11uri) + 1;
restsz = cmd->lids [LID_TYPE_X509 - LID_TYPE_MIN].size - 4 - strlen (onthefly_p11uri) - 1;
E_g2e ("Failed to export on-the-fly certificate as a credential",
gnutls_x509_crt_export (otfcert, GNUTLS_X509_FMT_DER, ptr, &restsz));
-char *pembuf [10000];
+char pembuf [10000];
size_t pemlen = sizeof (pembuf) - 1;
int exporterror = gnutls_x509_crt_export (otfcert, GNUTLS_X509_FMT_PEM, pembuf, &pemlen);
if (exporterror == 0) {
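Review bot: `strcpy ((char *)ptr, onthefly_p11uri)` at L292 writes into the credential buffer before `restsz` at L294 establishes that `4 + strlen (onthefly_p11uri) + 1` fits in `cmd->lids [...].size`, and that subtraction is unsigned, so a too-small buffer wraps `restsz` to a huge bound for the DER export at L296; unless the allocation above the hunk is sized from the URI length, compute `restsz` first, bail out when `size < 4 + strlen (onthefly_p11uri) + 1`, and then copy with `memcpy`. The `pembuf` fix at L298 is right: the old `char *pembuf [10000]` made `sizeof (pembuf)` the size of 10000 pointers and passed an array of pointers as the export buffer. The enclosing function starts outside the hunk.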