[gnutls-dev] External signing API
Simon Josefsson
simon at josefsson.org
Sat Aug 11 15:01:21 CEST 2007
"Alon Bar-Lev" <alon.barlev at gmail.com> writes:
> On 8/10/07, Simon Josefsson <simon at josefsson.org> wrote:
>> Hi! The userdata is passed to the callback, see the prototype. Do you
>> think another function is needed anyway?
>
> Yes.
> During cleanup the user data should be accessible in order to
> optionally free it.
Ah, makes sense. Added. I also added some new error codes, see patches
below.
I've git-push'ed the changes, so tomorrow's daily snapshot should
contain this stuff (I can't trigger generation of a new daily snapshot
right now).
/Simon
commit 3d5e85faf9d1dbb3cf2d58f9accfc8d2db917016
Author: Simon Josefsson <simon at josefsson.org>
Date: Sat Aug 11 14:34:15 2007 +0200
New errors GNUTLS_E_APPLICATION_ERROR_MIN..GNUTLS_E_APPLICATION_ERROR_MAX.
diff --git a/NEWS b/NEWS
index e31fcbf..f00212d 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,16 @@ for comments and testing.
See tests/x509self.c and tests/x509signself.c. The latter also tests
the new external signing callback interface.
+** New errors GNUTLS_E_APPLICATION_ERROR_MIN..GNUTLS_E_APPLICATION_ERROR_MAX.
+These two actually describe the outer limits of a range of error codes
+reserved to the application. All of the errors are treated as fatal
+by the library (it has to since it doesn't know the semantics of the
+error codes). This can be useful in callbacks, to signal some
+application-specific error condition, which will usually eventually
+cause some gnutls API to return the same error code as the callback,
+which then can be inspected by the application. Note that error codes
+are negative.
+
** gnutls_set_default_priority now disable TLS 1.2 by default.
The RFC is not released yet, and we're approaching a major release so
let's not enable it just yet.
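Review bot: The NEWS entry states that every code in GNUTLS_E_APPLICATION_ERROR_MIN..GNUTLS_E_APPLICATION_ERROR_MAX is treated as fatal by the library, but this commit only touches NEWS and the public header; no change to the error classification code is part of the diff. Please confirm that gnutls_error_is_fatal() (and gnutls_strerror()) actually recognise the whole reserved range instead of handling these values as unknown codes, otherwise the "treated as fatal" promise in this paragraph is not backed by the library.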
@@ -37,6 +47,8 @@ gnutls_sign_func: ADD, new type for sign callback.
gnutls_sign_callback_set: ADD, new function to set sign callback.
gnutls_sign_callback_get: ADD, new function to retrieve sign callback.
gnutls_x509_privkey_sign_hash: ADD, new function useful in sign callback.
+GNUTLS_E_APPLICATION_ERROR_MIN,
+GNUTLS_E_APPLICATION_ERROR_MAX: ADD, new CPP #defines for error codes.
* Version 1.7.16 (released 2007-08-07)
diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in
index 9663092..61b0b4d 100644
--- a/includes/gnutls/gnutls.h.in
+++ b/includes/gnutls/gnutls.h.in
@@ -1262,6 +1262,9 @@ extern "C"
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
+#define GNUTLS_E_APPLICATION_ERROR_MAX -65000
+#define GNUTLS_E_APPLICATION_ERROR_MIN -65500
+
#ifdef __cplusplus
}
#endif
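Review bot: Because the codes are negative, GNUTLS_E_APPLICATION_ERROR_MAX (-65000) is the value closest to zero and GNUTLS_E_APPLICATION_ERROR_MIN (-65500) the farthest, so MIN < MAX numerically, which is consistent, but a one-line comment in the header saying that application codes must lie within [GNUTLS_E_APPLICATION_ERROR_MIN, GNUTLS_E_APPLICATION_ERROR_MAX] inclusive would save readers from guessing which end is which. It is also worth noting in that comment that the range is placed well below existing codes such as GNUTLS_E_UNIMPLEMENTED_FEATURE (-1250) so future library error codes do not collide with it.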
commit cfa77b1f37a94585bea9aea81db7545a9c4fa7eb
Author: Simon Josefsson <simon at josefsson.org>
Date: Sat Aug 11 14:23:07 2007 +0200
Add gnutls_sign_callback_get.
* includes/gnutls/gnutls.h.in (gnutls_sign_callback_get): Add.
* lib/gnutls_cert.c (gnutls_sign_callback_set): Move here from
gnutls_sig.c. Doc fix.
(gnutls_sign_callback_get): New function.
* lib/gnutls_sig.c (gnutls_sign_callback_set): Removed.
diff --git a/NEWS b/NEWS
index 9f39fd1..e31fcbf 100644
--- a/NEWS
+++ b/NEWS
@@ -7,8 +7,11 @@ See the end for copying conditions.
** New functions to perform external signing.
Set the signing callback function (of the gnutls_sign_func prototype)
-using gnutls_sign_callback_set. In the callback, you may find the new
-function gnutls_x509_privkey_sign_hash useful.
+using the gnutls_sign_callback_set function. In the callback, you may
+find the new function gnutls_x509_privkey_sign_hash useful. A new
+function gnutls_sign_callback_get is also added, to retrieve the
+function pointer. Thanks to "Alon Bar-Lev" <alon.barlev at gmail.com>
+for comments and testing.
** New self test of client and server authenticated X.509 TLS sessions.
See tests/x509self.c and tests/x509signself.c. The latter also tests
@@ -32,6 +35,7 @@ Thanks to Jakub Bogusz <qboosh at pld-linux.org> and Daniel Nylander
** API and ABI modifications:
gnutls_sign_func: ADD, new type for sign callback.
gnutls_sign_callback_set: ADD, new function to set sign callback.
+gnutls_sign_callback_get: ADD, new function to retrieve sign callback.
gnutls_x509_privkey_sign_hash: ADD, new function useful in sign callback.
* Version 1.7.16 (released 2007-08-07)
diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in
index 8f1e364..9663092 100644
--- a/includes/gnutls/gnutls.h.in
+++ b/includes/gnutls/gnutls.h.in
@@ -1058,6 +1058,9 @@ extern "C"
void gnutls_sign_callback_set (gnutls_session_t session,
gnutls_sign_func sign_func,
void *userdata);
+ gnutls_sign_func
+ gnutls_sign_callback_get (gnutls_session_t session,
+ void **userdata);
/* These are set on the credentials structure.
*/
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index cc97842..23a0f3d 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -868,3 +868,50 @@ _gnutls_gcert_deinit (gnutls_cert * cert)
_gnutls_free_datum (&cert->raw);
}
+
+/**
+ * gnutls_sign_callback_set:
+ * @session: is a gnutls session
+ * @sign_func: function pointer to application's sign callback.
+ * @userdata: void pointer that will be passed to sign callback.
+ *
+ * Set the callback function. The function must have this prototype:
+ *
+ * typedef int (*gnutls_sign_func) (gnutls_session_t session,
+ * void *userdata,
+ * gnutls_certificate_type_t cert_type,
+ * gnutls_datum_t cert,
+ * const gnutls_datum_t hash,
+ * gnutls_datum_t * signature);
+ *
+ * The @userdata parameter is passed to the @sign_func verbatim, and
+ * can be used to store application-specific data needed in the
+ * callback function. See also gnutls_sign_callback_get().
+ **/
+void
+gnutls_sign_callback_set (gnutls_session_t session,
+ gnutls_sign_func sign_func,
+ void *userdata)
+{
+ session->internals.sign_func = sign_func;
+ session->internals.sign_func_userdata = userdata;
+}
+
+/**
+ * gnutls_sign_callback_get:
+ * @session: is a gnutls session
+ * @userdata: if non-%NULL, will be set to abstract callback pointer.
+ *
+ * Retrieve the callback function, and its userdata pointer.
+ *
+ * Return value: The function pointer set by
+ * gnutls_sign_callback_set(), or if not set, %NULL.
+ **/
+gnutls_sign_func
+gnutls_sign_callback_get (gnutls_session_t session,
+ void **userdata)
+{
+ if (userdata)
+ *userdata = session->internals.sign_func_userdata;
+ return session->internals.sign_func;
+}
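Review bot: The @userdata description in the gnutls_sign_callback_get() doc comment is wrong: it says the out-parameter "will be set to abstract callback pointer", but the code stores session->internals.sign_func_userdata there, i.e. the userdata pointer that was passed to gnutls_sign_callback_set(); the callback itself is the return value. Suggest "@userdata: if non-%NULL, will be set to the userdata pointer given to gnutls_sign_callback_set()." The "or if not set, %NULL" guarantee in the Return value text relies on session->internals being zero-initialised when the session is created; fine if that is the case, but worth verifying rather than assuming.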
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 31db1cf..1358b76 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -291,34 +291,6 @@ _gnutls_tls_sign (gnutls_session_t session,
pkey->params_size, hash_concat, signature);
}
-/**
- * gnutls_sign_callback_set:
- * @session:
- * @sign_func:
- * @userdata:
- *
- * Set the callback function. The function must have this prototype:
- *
- * typedef int (*gnutls_sign_func) (gnutls_session_t session,
- * void *userdata,
- * gnutls_certificate_type_t cert_type,
- * gnutls_datum_t cert,
- * const gnutls_datum_t hash,
- * gnutls_datum_t * signature);
- *
- * The @userdata parameter is passed to the @sign_func verbatim, and
- * can be used to store application-specific data needed in the
- * callback function.
- **/
-void
-gnutls_sign_callback_set (gnutls_session_t session,
- gnutls_sign_func sign_func,
- void *userdata)
-{
- session->internals.sign_func = sign_func;
- session->internals.sign_func_userdata = userdata;
-}
-
static int
_gnutls_verify_sig (gnutls_cert * cert,
const gnutls_datum_t * hash_concat,
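Review bot: With gnutls_sign_callback_set() moved to lib/gnutls_cert.c, check whether an internal header such as gnutls_sig.h still declares it next to _gnutls_tls_sign(); no internal header change is included in this patch, so a stale declaration there would be left behind. The removed doc block had empty @session, @sign_func and @userdata lines, so the copy added in gnutls_cert.c, which fills them in, is the better one to keep.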