authorNikos Mavrogiannopoulos <nmav@gnutls.org>2007-10-13 18:15:13 +0300
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2007-10-13 18:15:13 +0300
commit7af05fa5955c8a65060326d49ba6194419b28e85 (patch)
tree8b07f0a1b96ef897f2229175103931b7089cf0f4
parent9aed4c919937be769a538ca1b2c2704f4486f157 (diff)
downloadgnutls-7af05fa5955c8a65060326d49ba6194419b28e85.tar.gz
Removed all the trustdb related code. It wasn't used and trustdbs are not
specified anywhere except pgp. Now we use the standard key rings.
-rw-r--r--NEWS8
-rw-r--r--doc/gnutls.texi12
-rw-r--r--includes/gnutls/compat.h1
-rw-r--r--includes/gnutls/extra.h3
-rw-r--r--includes/gnutls/gnutls.h.in1
-rw-r--r--includes/gnutls/openpgp.h18
-rw-r--r--libextra/gnutls_openpgp.c29
-rw-r--r--libextra/openpgp/compat.c28
-rw-r--r--libextra/openpgp/extras.c74
-rw-r--r--libextra/openpgp/openpgp.h17
-rw-r--r--libextra/openpgp/pgpverify.c68
11 files changed, 14 insertions, 245 deletions
diff --git a/NEWS b/NEWS
index 037eac5b15..1af283632c 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ See the end for copying conditions.
* Version 2.1.2 (unreleased)
+** Removed all the trustdb code from openpgp authentication. We
+now use only the well-specified keyrings.
+
** The 256 bit ciphers are not enabled in the default priorities.
** Added support for DSA2 using libgcrypt 1.3.0.
@@ -30,6 +33,11 @@ For generating low security test credentials.
** API and ABI modifications:
gnutls_x509_crt_to_xml: REMOVED
gnutls_openpgp_key_to_xml: REMOVED
+gnutls_openpgp_key_verify_trustdb: REMOVED
+gnutls_openpgp_trustdb_init: REMOVED
+gnutls_openpgp_trustdb_deinit: REMOVED
+gnutls_openpgp_trustdb_import: REMOVED
+gnutls_certificate_set_openpgp_trustdb: REMOVED
gnutls_srp_set_client_credentials_function: CHANGED
gnutls_handshake_set_post_client_hello_function: ADDED
gnutls_mac_get_key_size: ADDED
diff --git a/doc/gnutls.texi b/doc/gnutls.texi
index c113ca0d0b..0bd221c4cf 100644
--- a/doc/gnutls.texi
+++ b/doc/gnutls.texi
@@ -1865,18 +1865,14 @@ complex, the assistance of external tools like @acronym{GnuPG} and
GPGME (@url{http://www.gnupg.org/related_software/gpgme/}) is
recommended.
-There are two verification functions in @acronym{GnuTLS}, The
-@ref{gnutls_openpgp_key_verify_ring} and the
-@ref{gnutls_openpgp_key_verify_trustdb}. The first one checks an
-@acronym{OpenPGP} key against a given set of public keys (keyring) and
+There is one verification function in @acronym{GnuTLS}, the
+@ref{gnutls_openpgp_key_verify_ring}.
+This checks an @acronym{OpenPGP} key against a given set of public keys (keyring) and
returns the key status. The key verification status is the same as in
@acronym{X.509} certificates, although the meaning and interpretation are
different. For example an @acronym{OpenPGP} key may be valid, if the
self signature is ok, even if no signers were found. The meaning of
-verification status is shown in the figure below. The latter function
-checks a @acronym{GnuPG} trust database for the given key. This
-function does not check the key signatures, only checks for disabled
-and revoked keys.
+verification status is shown in the figure below.
@table @code
diff --git a/includes/gnutls/compat.h b/includes/gnutls/compat.h
index eab5442262..e3df741ca2 100644
--- a/includes/gnutls/compat.h
+++ b/includes/gnutls/compat.h
@@ -31,7 +31,6 @@
#define gnutls_openpgp_key gnutls_openpgp_key_t
#define gnutls_openpgp_privkey gnutls_openpgp_privkey_t
#define gnutls_openpgp_keyring gnutls_openpgp_keyring_t
-#define gnutls_openpgp_trustdb gnutls_openpgp_trustdb_t
#define gnutls_x509_crt gnutls_x509_crt_t
#define gnutls_x509_privkey gnutls_x509_privkey_t
#define gnutls_x509_crl gnutls_x509_crl_t
diff --git a/includes/gnutls/extra.h b/includes/gnutls/extra.h
index 55e5a76317..f7c7bd998b 100644
--- a/includes/gnutls/extra.h
+++ b/includes/gnutls/extra.h
@@ -77,9 +77,6 @@ extern "C"
res, const char *keyserver,
int port);
- int gnutls_certificate_set_openpgp_trustdb (gnutls_certificate_credentials_t
- res, const char *trustdb);
-
int
gnutls_certificate_set_openpgp_keyring_mem
(gnutls_certificate_credentials_t c, const unsigned char *data,
diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in
index 01997cd1d6..34fb28bbcd 100644
--- a/includes/gnutls/gnutls.h.in
+++ b/includes/gnutls/gnutls.h.in
@@ -1257,7 +1257,6 @@ extern "C"
#define GNUTLS_E_ASN1_TYPE_ANY_ERROR -75
#define GNUTLS_E_ASN1_SYNTAX_ERROR -76
#define GNUTLS_E_ASN1_DER_OVERFLOW -77
-#define GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED -81
#define GNUTLS_E_OPENPGP_UID_REVOKED -79
#define GNUTLS_E_CERTIFICATE_ERROR -43
#define GNUTLS_E_X509_CERTIFICATE_ERROR GNUTLS_E_CERTIFICATE_ERROR
diff --git a/includes/gnutls/openpgp.h b/includes/gnutls/openpgp.h
index 5b2761068b..2393ab1967 100644
--- a/includes/gnutls/openpgp.h
+++ b/includes/gnutls/openpgp.h
@@ -115,17 +115,6 @@ extern "C"
const unsigned char keyid[8],
unsigned int flags);
-/* Trustdb functions.
- */
- struct gnutls_openpgp_trustdb_int; /* object to hold (parsed) openpgp trustdbs */
- typedef struct gnutls_openpgp_trustdb_int *gnutls_openpgp_trustdb_t;
-
- int gnutls_openpgp_trustdb_init (gnutls_openpgp_trustdb_t * trustdb);
- void gnutls_openpgp_trustdb_deinit (gnutls_openpgp_trustdb_t trustdb);
-
- int gnutls_openpgp_trustdb_import (gnutls_openpgp_trustdb_t trustdb,
- const char *file);
-
int gnutls_openpgp_key_verify_ring (gnutls_openpgp_key_t key,
gnutls_openpgp_keyring_t keyring,
@@ -136,13 +125,6 @@ extern "C"
unsigned int flags,
unsigned int *verify);
- int gnutls_openpgp_key_verify_trustdb (gnutls_openpgp_key_t key,
- gnutls_openpgp_trustdb_t trustdb,
- unsigned int flags,
- unsigned int *verify
- /* the output of the verification */
- );
-
/* certificate authentication stuff.
*/
diff --git a/libextra/gnutls_openpgp.c b/libextra/gnutls_openpgp.c
index d07df0cb78..5b3c2415ac 100644
--- a/libextra/gnutls_openpgp.c
+++ b/libextra/gnutls_openpgp.c
@@ -1062,35 +1062,6 @@ gnutls_certificate_set_openpgp_keyserver (gnutls_certificate_credentials_t
return 0;
}
-
-/**
- * gnutls_certificate_set_openpgp_trustdb - Used to set an GnuPG trustdb
- * @res: the destination context to save the data.
- * @trustdb: is the trustdb filename
- *
- * This funtion will set a GnuPG trustdb which will be used in key
- * verification functions. Only version 3 trustdb files are supported.
- *
- **/
-int
-gnutls_certificate_set_openpgp_trustdb (gnutls_certificate_credentials_t
- res, const char *trustdb)
-{
- if (!res || !trustdb)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- /* FIXME: We do not support the trustdb yet. */
- gnutls_free (res->pgp_trustdb);
- res->pgp_trustdb = gnutls_strdup (trustdb);
- if (res->pgp_trustdb == NULL)
- return GNUTLS_E_MEMORY_ERROR;
-
- return 0;
-}
-
/**
* gnutls_openpgp_set_recv_key_function - Used to set a key retrieval callback for PGP keys
* @session: a TLS session
diff --git a/libextra/openpgp/compat.c b/libextra/openpgp/compat.c
index 462eadfe86..ba4b7614bd 100644
--- a/libextra/openpgp/compat.c
+++ b/libextra/openpgp/compat.c
@@ -39,11 +39,6 @@
* Verify all signatures in the certificate list. When the key
* is not available, the signature is skipped.
*
- * When the trustdb parameter is used, the function checks the
- * ownertrust of the key before the signatures are checked. It
- * is possible that the key was disabled or the owner is not trusted
- * at all. Then we don't check the signatures because it makes no sense.
- *
* The return value is one of the CertificateStatus entries.
*
* NOTE: this function does not verify using any "web of trust". You
@@ -57,7 +52,6 @@ _gnutls_openpgp_verify_key (const gnutls_certificate_credentials_t cred,
int ret = 0;
gnutls_openpgp_key_t key = NULL;
gnutls_openpgp_keyring_t ring = NULL;
- gnutls_openpgp_trustdb_t tdb = NULL;
unsigned int verify_ring = 0, verify_db = 0, verify_self = 0;
if (!cert_list || cert_list_length != 1)
@@ -105,25 +99,6 @@ _gnutls_openpgp_verify_key (const gnutls_certificate_credentials_t cred,
}
}
- if (cred->pgp_trustdb)
- { /* Use the trustDB */
- ret = gnutls_openpgp_trustdb_init (&tdb);
- if (ret < 0)
- {
- gnutls_assert ();
- goto leave;
- }
-
- ret = gnutls_openpgp_trustdb_import_file (tdb, cred->pgp_trustdb);
- if (ret < 0)
- {
- gnutls_assert ();
- goto leave;
- }
-
- ret = gnutls_openpgp_key_verify_trustdb (key, tdb, 0, &verify_db);
- }
-
/* Now try the self signature. */
ret = gnutls_openpgp_key_verify_self (key, 0, &verify_self);
if (ret < 0)
@@ -135,14 +110,13 @@ _gnutls_openpgp_verify_key (const gnutls_certificate_credentials_t cred,
*status = verify_self | verify_ring | verify_db;
/* If we only checked the self signature. */
- if (!cred->pgp_trustdb && !cred->keyring.data)
+ if (!cred->keyring.data)
*status |= GNUTLS_CERT_SIGNER_NOT_FOUND;
ret = 0;
leave:
gnutls_openpgp_key_deinit (key);
- gnutls_openpgp_trustdb_deinit (tdb);
gnutls_openpgp_keyring_deinit (ring);
return ret;
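Review bot: `verify_db` in `*status = verify_self | verify_ring | verify_db;` is dead after this change — its only writer, the `gnutls_openpgp_key_verify_trustdb` call, is deleted in the preceding hunk, so the variable is always the 0 it was initialised to and the OR still suggests a third verification source that no longer exists. Change the line to `*status = verify_self | verify_ring;` and drop `verify_db` from the `unsigned int verify_ring = 0, verify_db = 0, verify_self = 0;` declaration shown as context in the earlier hunk. This hunk also removes the last reader of `cred->pgp_trustdb` visible here; presumably the struct field and whatever frees it in the credentials deinit path are removed as well, which is worth confirming since neither appears in this diff. `_gnutls_openpgp_verify_key` starts before this hunk.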
diff --git a/libextra/openpgp/extras.c b/libextra/openpgp/extras.c
index b3375cb589..74dda8a5e2 100644
--- a/libextra/openpgp/extras.c
+++ b/libextra/openpgp/extras.c
@@ -22,7 +22,7 @@
*
*/
-/* Functions on OpenPGP keyring and trustdb parsing
+/* Functions on OpenPGP keyring parsing
*/
#include <gnutls_int.h>
@@ -173,75 +173,3 @@ gnutls_openpgp_keyring_import (gnutls_openpgp_keyring_t keyring,
return _gnutls_map_cdk_rc (err);
}
-
-/* TrustDB stuff.
- */
-
-/**
- * gnutls_openpgp_trustdb_init - This function initializes a gnutls_openpgp_trustdb_t structure
- * @trustdb: The structure to be initialized
- *
- * This function will initialize an OpenPGP trustdb structure.
- *
- * Returns 0 on success.
- *
- **/
-int
-gnutls_openpgp_trustdb_init (gnutls_openpgp_trustdb_t * trustdb)
-{
- *trustdb = gnutls_calloc (1, sizeof (gnutls_openpgp_trustdb_int));
-
- if (*trustdb)
- return 0; /* success */
- return GNUTLS_E_MEMORY_ERROR;
-}
-
-/**
- * gnutls_openpgp_trustdb_deinit - This function deinitializes memory used by a gnutls_openpgp_trustdb_t structure
- * @trustdb: The structure to be initialized
- *
- * This function will deinitialize a CRL structure.
- *
- **/
-void
-gnutls_openpgp_trustdb_deinit (gnutls_openpgp_trustdb_t trustdb)
-{
- if (!trustdb)
- return;
-
- if (trustdb->st)
- {
- cdk_stream_close (trustdb->st);
- trustdb->st = NULL;
- }
-
- gnutls_free (trustdb);
-}
-
-/**
- * gnutls_openpgp_trustdb_import_file - This function will import a RAW or BASE64 encoded key
- * @trustdb: The structure to store the parsed key.
- * @file: The file that holds the trustdb.
- *
- * This function will convert the given RAW or Base64 encoded trustdb
- * to the native gnutls_openpgp_trustdb_t format. The output will be stored in 'trustdb'.
- *
- * Returns 0 on success.
- *
- **/
-int
-gnutls_openpgp_trustdb_import_file (gnutls_openpgp_trustdb_t trustdb,
- const char *file)
-{
- int rc;
-
- rc = cdk_stream_open (file, &trustdb->st);
- if (rc)
- {
- rc = _gnutls_map_cdk_rc (rc);
- gnutls_assert ();
- return rc;
- }
-
- return 0;
-}
diff --git a/libextra/openpgp/openpgp.h b/libextra/openpgp/openpgp.h
index 51ad60f5b0..620ebf6deb 100644
--- a/libextra/openpgp/openpgp.h
+++ b/libextra/openpgp/openpgp.h
@@ -37,13 +37,7 @@ typedef struct gnutls_openpgp_keyring_int
} gnutls_openpgp_keyring_int;
-typedef struct gnutls_openpgp_trustdb_int
-{
- cdk_stream_t st;
-} gnutls_openpgp_trustdb_int;
-
typedef struct gnutls_openpgp_keyring_int *gnutls_openpgp_keyring_t;
-typedef struct gnutls_openpgp_trustdb_int *gnutls_openpgp_trustdb_t;
int _gnutls_map_cdk_rc (int rc);
int gnutls_openpgp_key_get_name (gnutls_openpgp_key_t key,
@@ -77,20 +71,10 @@ int gnutls_openpgp_keyring_check_id (gnutls_openpgp_keyring_t ring,
const unsigned char keyid[8],
unsigned int flags);
-void gnutls_openpgp_trustdb_deinit (gnutls_openpgp_trustdb_t trustdb);
-int gnutls_openpgp_trustdb_init (gnutls_openpgp_trustdb_t * trustdb);
-int gnutls_openpgp_trustdb_import_file (gnutls_openpgp_trustdb_t trustdb,
- const char *file);
-
int gnutls_openpgp_key_verify_ring (gnutls_openpgp_key_t key,
gnutls_openpgp_keyring_t keyring,
unsigned int flags, unsigned int *verify);
-int gnutls_openpgp_key_verify_trustdb (gnutls_openpgp_key_t key,
- gnutls_openpgp_trustdb_t trustdb,
- unsigned int flags,
- unsigned int *verify);
-
int gnutls_openpgp_key_verify_self (gnutls_openpgp_key_t key,
unsigned int flags, unsigned int *verify);
@@ -104,7 +88,6 @@ void gnutls_openpgp_privkey_deinit (gnutls_openpgp_privkey_t key);
#else /* no opencdk */
typedef void *gnutls_openpgp_keyring_t;
-typedef void *gnutls_openpgp_trustdb_t;
#endif /* ENABLE_OPENPGP */
diff --git a/libextra/openpgp/pgpverify.c b/libextra/openpgp/pgpverify.c
index df22bd77aa..5d1af3f404 100644
--- a/libextra/openpgp/pgpverify.c
+++ b/libextra/openpgp/pgpverify.c
@@ -32,26 +32,6 @@
#include <openpgp.h>
#include <x509/verify.h> /* lib/x509/verify.h */
-static int
-openpgp_get_key_trust (gnutls_openpgp_trustdb_t trustdb,
- gnutls_openpgp_key_t key, unsigned int *r_trustval)
-{
- int rc;
-
- /* FIXME: This operation is not supported any longer. */
-
- if (!trustdb || !key || !r_trustval)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- *r_trustval = 0;
- rc = 0;
-
- return rc;
-}
-
/**
* gnutls_openpgp_key_verify_ring - Verify all signatures in the key
@@ -163,51 +143,3 @@ gnutls_openpgp_key_verify_self (gnutls_openpgp_key_t key,
return 0;
}
-
-/**
- * gnutls_openpgp_key_verify_trustdb - Verify all signatures in the key
- * @key: the structure that holds the key.
- * @trustdb: holds the trustdb to check against
- * @flags: unused (should be 0)
- * @verify: will hold the certificate verification output.
- *
- * Checks if the key is revoked or disabled, in the trustdb.
- * The verification output will be put in @verify and will be
- * one or more of the gnutls_certificate_status_t enumerated elements bitwise or'd.
- *
- * GNUTLS_CERT_INVALID: A signature on the key is invalid.
- *
- * GNUTLS_CERT_REVOKED: The key has been revoked.
- *
- * Note that this function does not verify using any "web of
- * trust". You may use GnuPG for that purpose, or any other external
- * PGP application.
- *
- * Returns 0 on success.
- **/
-int
-gnutls_openpgp_key_verify_trustdb (gnutls_openpgp_key_t key,
- gnutls_openpgp_trustdb_t trustdb,
- unsigned int flags, unsigned int *verify)
-{
- int rc;
-
- /* FIXME: The code currently does nothing. */
-
- if (!key)
- {
- gnutls_assert ();
- return GNUTLS_E_NO_CERTIFICATE_FOUND;
- }
-
- if (!trustdb)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- rc = openpgp_get_key_trust (trustdb, key, verify);
- if (rc)
- gnutls_assert ();
- return rc;
-}