authorSimon Josefsson <simon@josefsson.org>2007-10-25 10:44:15 +0200
committerSimon Josefsson <simon@josefsson.org>2007-10-25 10:44:15 +0200
commitb5d7d8aab964f551a6173d820315cbb47606005d (patch)
tree05da8a2822cea4a33ef79007bfdda25e98ba70d8
parent5f6dd95d2aedc731b78b5a0fe3e149e66a33326c (diff)
parent867ffe404fbc7e16a543d2314bca85d613a902ef (diff)
downloadgnutls-b5d7d8aab964f551a6173d820315cbb47606005d.tar.gz
Merge branch 'master' of ssh://git.sv.gnu.org/srv/git/gnutls
-rw-r--r--NEWS10
-rw-r--r--doc/examples/ex-client-srp.c2
-rw-r--r--doc/examples/ex-client-tlsia.c2
-rw-r--r--doc/examples/ex-serv-anon.c2
-rw-r--r--doc/examples/ex-serv-pgp.c6
-rw-r--r--doc/examples/ex-serv-srp.c2
-rw-r--r--doc/examples/ex-serv1.c2
-rw-r--r--includes/gnutls/extra.h19
-rw-r--r--includes/gnutls/gnutls.h.in9
-rw-r--r--includes/gnutls/gnutlsxx.h2
-rw-r--r--includes/gnutls/openpgp.h6
-rw-r--r--lib/auth_cert.h5
-rw-r--r--lib/gnutls_cert.c5
-rw-r--r--lib/gnutls_int.h4
-rw-r--r--lib/gnutls_priority.c55
-rw-r--r--lib/gnutlsxx.cpp5
-rw-r--r--libextra/gnutls_openpgp.c527
-rw-r--r--libextra/openpgp/compat.c33
-rw-r--r--libextra/openpgp/gnutls_openpgp.h31
-rw-r--r--libextra/openpgp/openpgp.h7
-rw-r--r--src/cli.c2
-rw-r--r--src/serv.c4
22 files changed, 311 insertions, 429 deletions
diff --git a/NEWS b/NEWS
index 5d6e644eac..9d7d6980db 100644
--- a/NEWS
+++ b/NEWS
@@ -23,7 +23,15 @@ used.
** Introduced gnutls_session_enable_compatibility_mode() to allow enabling
all supported compatibility options (like disabling padding).
+** The gnutls_certificate_set_openpgp_* functions were modified to include
+the format. This makes the interface consistent with the x509 functions.
+
+
** API and ABI modifications:
+gnutls_certificate_set_openpgp_key_mem: MODIFIED
+gnutls_certificate_set_openpgp_key_file: MODIFIED
+gnutls_certificate_set_openpgp_keyring_mem: MODIFIED
+gnutls_certificate_set_openpgp_keyring_file: MODIFIED
gnutls_set_default_priority: DEPRECATED
gnutls_set_default_priority_export: DEPRECATED
gnutls_set_default_priority2: ADDED
@@ -36,7 +44,7 @@ gnutls_kx_convert_priority: ADDED
gnutls_cipher_convert_priority: ADDED
gnutls_certificate_type_convert_priority: ADDED
gnutls_openpgp_key_t: RENAMED to gnutls_openpgp_crt_t
-gnutls_openpgp_key_status_t: RENAMEDS gnutls_openpgp_crt_status_t
+gnutls_openpgp_key_status_t: RENAMED to gnutls_openpgp_crt_status_t
gnutls_openpgp_send_key: RENAMED to gnutls_openpgp_send_cert
gnutls_openpgp_key_init: RENAMED to gnutls_openpgp_crt_init
gnutls_openpgp_key_import: RENAMED to gnutls_openpgp_crt_import
diff --git a/doc/examples/ex-client-srp.c b/doc/examples/ex-client-srp.c
index ea09c2f82e..5a2bc137ed 100644
--- a/doc/examples/ex-client-srp.c
+++ b/doc/examples/ex-client-srp.c
@@ -69,7 +69,7 @@ main (void)
/* Set the priorities.
*/
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
gnutls_kx_set_priority( session, kx_priorities);
/* put the SRP credentials to the current session
diff --git a/doc/examples/ex-client-tlsia.c b/doc/examples/ex-client-tlsia.c
index 40a5670ad6..b546c19207 100644
--- a/doc/examples/ex-client-tlsia.c
+++ b/doc/examples/ex-client-tlsia.c
@@ -79,7 +79,7 @@ main (void)
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
gnutls_kx_set_priority (session, kx_prio);
/* put the anonymous and TLS/IA credentials to the current session
diff --git a/doc/examples/ex-serv-anon.c b/doc/examples/ex-serv-anon.c
index 22ca9d2933..f2e8c06977 100644
--- a/doc/examples/ex-serv-anon.c
+++ b/doc/examples/ex-serv-anon.c
@@ -44,7 +44,7 @@ initialize_tls_session (void)
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
gnutls_kx_set_priority (session, kx_prio);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
diff --git a/doc/examples/ex-serv-pgp.c b/doc/examples/ex-serv-pgp.c
index be79e3e980..79fcca6e4f 100644
--- a/doc/examples/ex-serv-pgp.c
+++ b/doc/examples/ex-serv-pgp.c
@@ -68,7 +68,7 @@ initialize_tls_session (void)
*/
gnutls_set_default_priority (session);
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
/* request client certificate if any.
*/
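Review bot: The new `gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);` directly follows the unchanged `gnutls_set_default_priority (session);`, and the header in this same commit defines the old name as a macro for exactly that expansion, so the priorities are set twice. One of the two lines should go; for an example that readers copy, keep only the explicit `gnutls_set_default_priority2 (...)` call so the new API is what gets shown. initialize_tls_session continues outside the hunk.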
@@ -100,9 +100,9 @@ main (void)
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&cred);
- gnutls_certificate_set_openpgp_keyring_file (cred, RINGFILE);
+ gnutls_certificate_set_openpgp_keyring_file (cred, RINGFILE, GNUTLS_OPENPGP_FMT_BASE64);
- gnutls_certificate_set_openpgp_key_file (cred, CERTFILE, KEYFILE);
+ gnutls_certificate_set_openpgp_key_file (cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
generate_dh_params ();
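Review bot: Both credential loaders on the new lines discard their return value, so a keyring or key pair that fails to parse in the now-fixed BASE64 format leaves `cred` incomplete and the server starts anyway; with no keyring loaded, client-certificate verification is at best limited to the self-signature (compare the `GNUTLS_CERT_SIGNER_NOT_FOUND` handling in libextra/openpgp/compat.c in this commit). Examples get copied verbatim, so check the result: `if (gnutls_certificate_set_openpgp_keyring_file (cred, RINGFILE, GNUTLS_OPENPGP_FMT_BASE64) < 0) { fprintf (stderr, "cannot load keyring\n"); exit (1); }`, and the same for `gnutls_certificate_set_openpgp_key_file`. main continues outside the hunk.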
diff --git a/doc/examples/ex-serv-srp.c b/doc/examples/ex-serv-srp.c
index b49b965293..5458db9670 100644
--- a/doc/examples/ex-serv-srp.c
+++ b/doc/examples/ex-serv-srp.c
@@ -50,7 +50,7 @@ initialize_tls_session (void)
gnutls_init (&session, GNUTLS_SERVER);
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
gnutls_kx_set_priority (session, kx_priority);
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
diff --git a/doc/examples/ex-serv1.c b/doc/examples/ex-serv1.c
index b1ed81cd06..f4eac9ad39 100644
--- a/doc/examples/ex-serv1.c
+++ b/doc/examples/ex-serv1.c
@@ -50,7 +50,7 @@ initialize_tls_session (void)
* are adequate. Depending on the needs it could also be
* GNUTLS_PRIORITIES_PERFORMANCE.
*/
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
diff --git a/includes/gnutls/extra.h b/includes/gnutls/extra.h
index f7c7bd998b..888bd605f3 100644
--- a/includes/gnutls/extra.h
+++ b/includes/gnutls/extra.h
@@ -41,6 +41,12 @@ extern "C"
/* Openpgp certificate stuff
*/
+ typedef enum gnutls_openpgp_crt_fmt
+ { GNUTLS_OPENPGP_FMT_RAW,
+ GNUTLS_OPENPGP_FMT_BASE64
+ } gnutls_openpgp_crt_fmt_t;
+#define gnutls_openpgp_key_fmt_t gnutls_openpgp_crt_fmt_t
+
/**
* gnutls_openpgp_recv_key_func - Callback prototype to get OpenPGP keys
* @session: a TLS session
@@ -66,25 +72,20 @@ extern "C"
int
gnutls_certificate_set_openpgp_key_file (gnutls_certificate_credentials_t
res, const char *CERTFILE,
- const char *KEYFILE);
+ const char *KEYFILE, gnutls_openpgp_crt_fmt_t);
int gnutls_certificate_set_openpgp_key_mem (gnutls_certificate_credentials_t
res,
const gnutls_datum_t * CERT,
- const gnutls_datum_t * KEY);
-
- int
- gnutls_certificate_set_openpgp_keyserver (gnutls_certificate_credentials_t
- res, const char *keyserver,
- int port);
+ const gnutls_datum_t * KEY, gnutls_openpgp_crt_fmt_t);
int
gnutls_certificate_set_openpgp_keyring_mem
(gnutls_certificate_credentials_t c, const unsigned char *data,
- size_t dlen);
+ size_t dlen, gnutls_openpgp_crt_fmt_t);
int
gnutls_certificate_set_openpgp_keyring_file
- (gnutls_certificate_credentials_t c, const char *file);
+ (gnutls_certificate_credentials_t c, const char *file, gnutls_openpgp_crt_fmt_t);
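Review bot: `gnutls_certificate_set_openpgp_keyserver` is removed from the public header here, but the NEWS entry in this same commit lists only the four MODIFIED setters; an API removal needs its own `gnutls_certificate_set_openpgp_keyserver: REMOVED` line (or the prototype should stay if the symbol is still exported). The new trailing parameter is unnamed in all four prototypes; naming it, `gnutls_openpgp_crt_fmt_t format`, documents what callers pass and matches the x509 setters this change is meant to mirror.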
/* TLS/IA stuff
*/
diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in
index 30dda5a331..f282b54fbe 100644
--- a/includes/gnutls/gnutls.h.in
+++ b/includes/gnutls/gnutls.h.in
@@ -167,9 +167,10 @@ extern "C"
typedef enum
{
- GNUTLS_PRIORITIES_PERFORMANCE=1,
- GNUTLS_PRIORITIES_SECURITY=2,
- GNUTLS_PRIORITIES_EXPORT=4
+ GNUTLS_PRIORITIES_EXPORT,
+ GNUTLS_PRIORITIES_PERFORMANCE,
+ GNUTLS_PRIORITIES_SECURITY_NORMAL,
+ GNUTLS_PRIORITIES_SECURITY_HIGH
} gnutls_priority_flag_t;
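Review bot: `GNUTLS_PRIORITIES_EXPORT` now has the value 0, so a zero-initialized or defaulted flag silently selects the weakest profile, the one that enables 40-bit ARCFOUR (see `cipher_priority_export` in lib/gnutls_priority.c in this commit); the zero value of a security-level enum should be the safe choice, not the export set. The renumbering is also an ABI change, not just an API one: a binary built against the old header passes 4 for EXPORT, and 4 no longer names any level, which NEWS does not record. I would keep the old numbering (`GNUTLS_PRIORITIES_PERFORMANCE = 1`, `GNUTLS_PRIORITIES_SECURITY_NORMAL = 2`, `GNUTLS_PRIORITIES_EXPORT = 4`) and give `GNUTLS_PRIORITIES_SECURITY_HIGH` a fresh value such as 3, so that 0 is invalid and old binaries keep working.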
typedef enum
@@ -541,7 +542,7 @@ extern "C"
/* if you just want some defaults, use the following.
*/
void gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_flag_t flag);
- #define gnutls_set_default_priority(x) gnutls_set_default_priority2( x, GNUTLS_PRIORITIES_SECURITY)
+ #define gnutls_set_default_priority(x) gnutls_set_default_priority2( x, GNUTLS_PRIORITIES_SECURITY_NORMAL)
#define gnutls_set_default_export_priority(x) gnutls_set_default_priority2( x, GNUTLS_PRIORITIES_EXPORT)
/* Returns the name of a cipher suite */
diff --git a/includes/gnutls/gnutlsxx.h b/includes/gnutls/gnutlsxx.h
index be1fe5a0e3..521764f970 100644
--- a/includes/gnutls/gnutlsxx.h
+++ b/includes/gnutls/gnutlsxx.h
@@ -64,7 +64,7 @@ class rsa_params
gnutls_rsa_params_t params;
};
-enum priority_flag { ALL_CIPHERS, EXPORT_CIPHERS };
+typedef gnutls_priority_flag_t priority_flag;
class session
{
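Review bot: Replacing `enum priority_flag { ALL_CIPHERS, EXPORT_CIPHERS }` with a typedef removes the `ALL_CIPHERS` and `EXPORT_CIPHERS` enumerators that C++ callers of `session::set_default_priority` use, so existing C++ code stops compiling, and NEWS records no change to the C++ binding. Either keep the old names as aliases, `enum { ALL_CIPHERS = GNUTLS_PRIORITIES_SECURITY_NORMAL, EXPORT_CIPHERS = GNUTLS_PRIORITIES_EXPORT };`, or add the break to NEWS.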
diff --git a/includes/gnutls/openpgp.h b/includes/gnutls/openpgp.h
index 6657951aea..d1a27fbe89 100644
--- a/includes/gnutls/openpgp.h
+++ b/includes/gnutls/openpgp.h
@@ -40,12 +40,6 @@ extern "C"
/* gnutls_openpgp_cert_t should be defined in gnutls.h
*/
- typedef enum gnutls_openpgp_crt_fmt
- { GNUTLS_OPENPGP_FMT_RAW,
- GNUTLS_OPENPGP_FMT_BASE64
- } gnutls_openpgp_crt_fmt_t;
-#define gnutls_openpgp_key_fmt_t gnutls_openpgp_crt_fmt_t
-
#define gnutls_openpgp_key_init gnutls_openpgp_crt_init
#define gnutls_openpgp_key_deinit gnutls_openpgp_crt_deinit
#define gnutls_openpgp_key_import gnutls_openpgp_crt_import
diff --git a/lib/auth_cert.h b/lib/auth_cert.h
index c385822182..4d36bd19c7 100644
--- a/lib/auth_cert.h
+++ b/lib/auth_cert.h
@@ -64,7 +64,12 @@ typedef struct gnutls_certificate_credentials_st
/* OpenPGP specific stuff */
+#ifndef KEYRING_HACK
gnutls_openpgp_keyring_t keyring;
+#else
+ gnutls_datum keyring;
+ int keyring_format;
+#endif
/* X509 specific stuff */
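Review bot: Under KEYRING_HACK the field uses the old spelling `gnutls_datum` and stores the format as a bare `int`; use `gnutls_datum_t keyring;` and `gnutls_openpgp_crt_fmt_t keyring_format;` so the type the setter receives is the type stored. The layout of the credentials structure now depends on a macro defined in lib/gnutls_int.h, an internal header; every translation unit that touches the struct, including libextra/gnutls_openpgp.c and libextra/openpgp/compat.c which test the same macro, must see the same definition or the two libraries will disagree about the struct, and I cannot confirm from the diff that they all include it. A comment on the `#ifndef` naming where `KEYRING_HACK` comes from would help the next reader.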
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index cbfb4f35c8..12ec1f5e47 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -190,8 +190,13 @@ gnutls_certificate_free_credentials (gnutls_certificate_credentials_t sc)
#ifdef ENABLE_PKI
gnutls_certificate_free_crls (sc);
#endif
+
+#ifndef KEYRING_HACK
if (_E_gnutls_openpgp_keyring_deinit)
_E_gnutls_openpgp_keyring_deinit( sc->keyring);
+#else
+ _gnutls_free_datum( &sc->keyring);
+#endif
gnutls_free (sc);
}
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index fa401403fc..1d6f724e1e 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -31,6 +31,10 @@
#include <gnutls/gnutls.h>
#include <gnutls/extra.h>
+/* FIXME: delete this once opencdk has reentrant keyring functions
+ */
+#define KEYRING_HACK
+
/*
* They are not needed any more. You can simply enable
* the gnutls_log callback to get error descriptions.
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 7193f10e13..5f71df270b 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -305,19 +305,31 @@ static const int kx_priority_security[] = {
static const int cipher_priority_performance[] = {
GNUTLS_CIPHER_ARCFOUR_128,
+#ifdef ENABLE_CAMELLIA
+ GNUTLS_CIPHER_CAMELLIA_128_CBC,
+#endif
+ GNUTLS_CIPHER_AES_128_CBC,
+ GNUTLS_CIPHER_3DES_CBC,
+ /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
+ 0
+};
+
+static const int cipher_priority_security_normal[] = {
GNUTLS_CIPHER_AES_128_CBC,
#ifdef ENABLE_CAMELLIA
GNUTLS_CIPHER_CAMELLIA_128_CBC,
#endif
- GNUTLS_CIPHER_AES_256_CBC,
GNUTLS_CIPHER_3DES_CBC,
+ GNUTLS_CIPHER_ARCFOUR_128,
/* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
0
};
-
-static const int cipher_priority_security[] = {
+static const int cipher_priority_security_high[] = {
GNUTLS_CIPHER_AES_256_CBC,
+#ifdef ENABLE_CAMELLIA
+ GNUTLS_CIPHER_CAMELLIA_256_CBC,
+#endif
GNUTLS_CIPHER_AES_128_CBC,
#ifdef ENABLE_CAMELLIA
GNUTLS_CIPHER_CAMELLIA_128_CBC,
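Review bot: `GNUTLS_CIPHER_ARCFOUR_128` is added to the SECURITY_NORMAL list while the comment right below it says only the 40-bit variant is insecure and the doc comment later in this file calls everything in these lists "secure"; RC4's keystream biases are well documented, so it belongs in PERFORMANCE (where it now leads) and, if kept here at all, deserves a comment marking it as a last-resort fallback. 3DES_CBC likewise gives 112-bit effective strength despite the "128 bit ciphers" description. The comment I would put above the ARCFOUR entry: `/* ARCFOUR_128 is kept last as a compatibility fallback only; it is not in the same class as AES/Camellia. */`.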
@@ -329,13 +341,12 @@ static const int cipher_priority_security[] = {
};
static const int cipher_priority_export[] = {
- GNUTLS_CIPHER_ARCFOUR_128,
GNUTLS_CIPHER_AES_128_CBC,
#ifdef ENABLE_CAMELLIA
- GNUTLS_CIPHER_CAMELLIA_128_CBC,
+ GNUTLS_CIPHER_CAMELLIA_128_CBC,
#endif
- GNUTLS_CIPHER_AES_256_CBC,
GNUTLS_CIPHER_3DES_CBC,
+ GNUTLS_CIPHER_ARCFOUR_128,
GNUTLS_CIPHER_ARCFOUR_40,
0
};
@@ -381,11 +392,25 @@ static int cert_type_priority[] = {
* The default order is:
* Protocols: TLS 1.1, TLS 1.0, and SSL3.
* Compression: NULL.
- * Certificate types: X.509, OpenPGP
- *
- * When performance is requested the fastest ciphers and key exchange
- * methods are used, whilst in security, the most conservative options
- * are set.
+ * Certificate types: X.509, OpenPGP.
+ *
+ * In GNUTLS_PRIORITIES_PERFORMANCE all the "secure" ciphersuites are enabled,
+ * limited to 128 bit ciphers and sorted by terms of speed performance.
+ * The GNUTLS_PRIORITIES_SECURITY_NORMAL flag enables all "secure" ciphersuites
+ * limited to 128 bit ciphers and sorted by security margin.
+ * The GNUTLS_PRIORITIES_SECURITY_HIGH flag enables all "secure" ciphersuites
+ * including 256 bit ciphers and sorted by security margin.
+ * In GNUTLS_PRIORITIES_EXPORT all the ciphersuites are enabled, including
+ * the low-security 40 bit ciphers.
+ *
+ * For key exchange algorithms when in SECURITY_NORMAL or SECURITY_HIGH levels
+ * the perfect forward secrecy algorithms take precendence of the other protocols.
+ * In all cases all the supported key exchange algorithms are enabled (except for the
+ * RSA-EXPORT which is only enabled in EXPORT level).
+ *
+ * Note that although one can select very long key sizes for symmetric algorithms,
+ * to actually increase security the public key algorithms have to use longer key
+ * sizes as well.
*
* Returns 0 on success.
*
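Review bot: The new paragraph has a typo and a wrong preposition: `the perfect forward secrecy algorithms take precendence of the other protocols` should read `the perfect forward secrecy key exchange methods take precedence over the others`. The text describes PERFORMANCE and SECURITY_NORMAL with the same phrase, "secure" ciphersuites limited to 128-bit ciphers, without saying that the two differ only in order (RC4 first versus AES first); stating that is what lets a reader choose between them. The doc comment continues past the hunk.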
@@ -398,8 +423,12 @@ gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_flag_t f
gnutls_cipher_set_priority (session, cipher_priority_performance);
gnutls_kx_set_priority (session, kx_priority_performance);
gnutls_mac_set_priority (session, mac_priority_performance);
- } else if (flag == GNUTLS_PRIORITIES_SECURITY) {
- gnutls_cipher_set_priority (session, cipher_priority_security);
+ } else if (flag == GNUTLS_PRIORITIES_SECURITY_NORMAL) {
+ gnutls_cipher_set_priority (session, cipher_priority_security_normal);
+ gnutls_kx_set_priority (session, kx_priority_security);
+ gnutls_mac_set_priority (session, mac_priority_security);
+ } else if (flag == GNUTLS_PRIORITIES_SECURITY_HIGH) {
+ gnutls_cipher_set_priority (session, cipher_priority_security_high);
gnutls_kx_set_priority (session, kx_priority_security);
gnutls_mac_set_priority (session, mac_priority_security);
} else if (flag == GNUTLS_PRIORITIES_EXPORT) {
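Review bot: A flag that matches none of the four branches falls through the chain silently, and with the enum renumbered in includes/gnutls/gnutls.h.in the old EXPORT value 4 is now such a flag; the rest of the function is outside the hunk, so I cannot see what state the session is left in. The chain should end with an explicit rejection, `} else { gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; }`. Note that the doc comment above says "Returns 0 on success" while the header in this same commit declares the function `void`; one of the two needs to change before an error can be reported at all.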
diff --git a/lib/gnutlsxx.cpp b/lib/gnutlsxx.cpp
index 9680dbb452..79b629a4d1 100644
--- a/lib/gnutlsxx.cpp
+++ b/lib/gnutlsxx.cpp
@@ -189,10 +189,7 @@ void session::set_certificate_type_priority (const int *list)
*/
void session::set_default_priority(priority_flag flag)
{
- if (flag == EXPORT_CIPHERS)
- RETWRAP( gnutls_set_default_export_priority( this->s));
- else
- RETWRAP( gnutls_set_default_priority( this->s));
+ gnutls_set_default_priority2( this->s, flag);
}
gnutls_protocol_t session::get_protocol_version() const
diff --git a/libextra/gnutls_openpgp.c b/libextra/gnutls_openpgp.c
index 8151deed04..4a48114259 100644
--- a/libextra/gnutls_openpgp.c
+++ b/libextra/gnutls_openpgp.c
@@ -28,7 +28,7 @@
#include "gnutls_cert.h"
#include "gnutls_datum.h"
#include "gnutls_global.h"
-#include <openpgp/gnutls_openpgp.h>
+#include "openpgp/gnutls_openpgp.h"
#include "read-file.h"
#include <gnutls_str.h>
#include <gnutls_sig.h>
@@ -99,144 +99,6 @@ buftou32 (const uint8_t * buf)
return a;
}
-
-static int
-kbx_blob_new (keybox_blob ** r_ctx)
-{
- keybox_blob *c;
-
- if (!r_ctx)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- c = cdk_calloc (1, sizeof *c);
- if (!c)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
- *r_ctx = c;
-
- return 0;
-}
-
-
-void
-kbx_blob_release (keybox_blob * ctx)
-{
- if (!ctx)
- return;
- cdk_free (ctx->data);
- cdk_free (ctx);
-}
-
-
-cdk_keydb_hd_t
-kbx_to_keydb (keybox_blob * blob)
-{
- cdk_keydb_hd_t db;
- cdk_error_t rc;
-
- if (!blob)
- {
- gnutls_assert ();
- return NULL;
- }
-
- switch (blob->type)
- {
- case KBX_BLOB_FILE:
- rc = cdk_keydb_new_from_file (&db, 0, (const char*)blob->data);
- break;
-
- case KBX_BLOB_DATA:
- rc = cdk_keydb_new_from_mem (&db, 0, blob->data, blob->size);
- break;
-
- default:
- gnutls_assert ();
- db = NULL;
- break;
- }
-
- return db;
-}
-
-
-/* Extract a keybox blob from the given position. */
-keybox_blob *
-kbx_read_blob (const gnutls_datum_t * keyring, size_t pos)
-{
- keybox_blob *blob = NULL;
- int rc;
-
- if (!keyring || !keyring->data || pos > keyring->size)
- {
- gnutls_assert ();
- return NULL;
- }
-
- rc = kbx_blob_new (&blob);
- if (rc)
- return NULL;
-
- blob->type = keyring->data[pos];
- if (blob->type != KBX_BLOB_FILE && blob->type != KBX_BLOB_DATA)
- {
- kbx_blob_release (blob);
- return NULL;
- }
- blob->size = buftou32 (keyring->data + pos + 2);
- if (!blob->size)
- {
- kbx_blob_release (blob);
- return NULL;
- }
- blob->data = cdk_calloc (1, blob->size + 1);
- if (!blob->data)
- return NULL;
- memcpy (blob->data, keyring->data + (pos + 6), blob->size);
- blob->data[blob->size] = '\0';
-
- return blob;
-}
-
-
-/* Creates a keyring blob from raw data
- *
- * Format:
- * 1 octet type
- * 1 octet armored
- * 4 octet size of blob
- * n octets data
- */
-static uint8_t *
-kbx_data_to_keyring (int type, int enc, const char *data,
- size_t size, size_t * r_size)
-{
- uint8_t *p = NULL;
-
- if (!data)
- return NULL;
-
- p = gnutls_malloc (1 + 1 + 4 + size);
- if (!p)
- return NULL;
- p[0] = type; /* type: {keyring,name} */
- p[1] = enc; /* encoded: {plain, armored} */
- p[2] = size >> 24;
- p[3] = size >> 16;
- p[4] = size >> 8;
- p[5] = size;
- memcpy (p + 6, data, size);
- if (r_size)
- *r_size = 6 + size;
- return p;
-}
-
-
static int
openpgp_pk_to_gnutls_cert (gnutls_cert * cert, cdk_pkt_pubkey_t pk)
{
@@ -441,6 +303,85 @@ _gnutls_openpgp_raw_key_to_gcert (gnutls_cert * cert,
return rc;
}
+/**
+ * gnutls_certificate_set_openpgp_key - Used to set keys in a gnutls_certificate_credentials_t structure
+ * @res: is an #gnutls_certificate_credentials_t structure.
+ * @key: contains an openpgp public key
+ * @pkey: is an openpgp private key
+ *
+ * This function sets a certificate/private key pair in the
+ * gnutls_certificate_credentials_t structure. This function may be called
+ * more than once (in case multiple keys/certificates exist for the
+ * server).
+ *
+ **/
+int
+gnutls_certificate_set_openpgp_key (gnutls_certificate_credentials_t
+ res, gnutls_openpgp_crt_t crt,
+ gnutls_openpgp_privkey_t pkey)
+{
+ int ret;
+
+ /* this should be first */
+
+ res->pkey = gnutls_realloc_fast (res->pkey,
+ (res->ncerts + 1) *
+ sizeof (gnutls_privkey));
+ if (res->pkey == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ ret = _gnutls_openpgp_privkey_to_gkey (&res->pkey[res->ncerts], pkey);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ res->cert_list = gnutls_realloc_fast (res->cert_list,
+ (1 +
+ res->ncerts) *
+ sizeof (gnutls_cert *));
+ if (res->cert_list == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ res->cert_list_length = gnutls_realloc_fast (res->cert_list_length,
+ (1 +
+ res->ncerts) * sizeof (int));
+ if (res->cert_list_length == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ res->cert_list[res->ncerts] = gnutls_calloc (1, sizeof (gnutls_cert));
+ if (res->cert_list[res->ncerts] == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ res->cert_list_length[res->ncerts] = 1;
+
+ ret = _gnutls_openpgp_crt_to_gcert (res->cert_list[res->ncerts], crt);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ res->ncerts++;
+
+ /* FIXME: Check if the keys match. */
+
+ return 0;
+}
+
/*-
* gnutls_openpgp_get_key - Retrieve a key from the keyring.
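Review bot: The parameter was renamed from `key` to `crt` when the function moved up, but the doc comment still says `@key: contains an openpgp public key`; change it to `@crt: contains an OpenPGP public key (certificate)` and add `Returns 0 on success or a negative error code.`, which the header gives nowhere. The error returns after `_gnutls_openpgp_privkey_to_gkey` succeeds leave the converted private key in `res->pkey[res->ncerts]` (and, after the `gnutls_calloc`, the new `cert_list` entry) unreleased, and because `ncerts` is not incremented `gnutls_certificate_free_credentials` will not find them either; each of those paths should release what was converted before returning. The `/* FIXME: Check if the keys match. */` is still open, so a mismatched pair is accepted here and only fails at handshake time.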
@@ -555,148 +496,49 @@ stream_to_datum (cdk_stream_t inp, gnutls_datum_t * raw)
**/
int
gnutls_certificate_set_openpgp_key_mem (gnutls_certificate_credentials_t
- res, const gnutls_datum_t * cert,
- const gnutls_datum_t * key)
+ res, const gnutls_datum_t * icert,
+ const gnutls_datum_t * ikey,
+ gnutls_openpgp_crt_fmt_t format)
{
- gnutls_datum_t raw;
- cdk_kbnode_t knode = NULL, ctx = NULL, p;
- cdk_packet_t pkt;
- int i = 0;
- int rc = 0;
- cdk_stream_t inp = NULL;
-
- if (!res || !key || !cert)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- rc = cdk_stream_tmp_from_mem (cert->data, cert->size, &inp);
- if (rc)
- {
- rc = _gnutls_map_cdk_rc (rc);
- gnutls_assert ();
- return rc;
- }
-
- if (cdk_armor_filter_use (inp))
- cdk_stream_set_armor_flag (inp, 0);
-
- res->cert_list = gnutls_realloc_fast (res->cert_list,
- (1 + res->ncerts) *
- sizeof (gnutls_cert *));
- if (res->cert_list == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- res->cert_list_length = gnutls_realloc_fast (res->cert_list_length,
- (1 +
- res->ncerts) * sizeof (int));
- if (res->cert_list_length == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- res->cert_list[res->ncerts] = gnutls_calloc (1, sizeof (gnutls_cert));
- if (res->cert_list[res->ncerts] == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- i = 1;
- rc = cdk_keydb_get_keyblock (inp, &knode);
-
- while (knode && (p = cdk_kbnode_walk (knode, &ctx, 0)))
- {
- pkt = cdk_kbnode_get_packet (p);
- if (i > MAX_PUBLIC_PARAMS_SIZE)
- {
- gnutls_assert ();
- break;
- }
- if (pkt->pkttype == CDK_PKT_PUBLIC_KEY)
- {
- int n = res->ncerts;
-
- cdk_pkt_pubkey_t pk = pkt->pkt.public_key;
- res->cert_list_length[n] = 1;
-
- if (stream_to_datum (inp, &res->cert_list[n][0].raw))
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
- rc = openpgp_pk_to_gnutls_cert (&res->cert_list[n][0], pk);
- if (rc < 0)
- {
- gnutls_assert ();
- return rc;
- }
- i++;
- }
- }
-
- if (rc == CDK_EOF && i > 1)
- rc = 0;
-
- cdk_stream_close (inp);
-
- if (rc)
- {
- cdk_kbnode_release (knode);
- gnutls_assert ();
- rc = _gnutls_map_cdk_rc (rc);
- goto leave;
- }
-
- res->ncerts++;
- res->pkey = gnutls_realloc_fast (res->pkey,
- (res->ncerts) * sizeof (gnutls_privkey));
- if (!res->pkey)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- /* ncerts has been incremented before */
-
- rc = cdk_stream_tmp_from_mem (key->data, key->size, &inp);
- if (rc)
- {
- gnutls_assert ();
- return GNUTLS_E_INTERNAL_ERROR;
- }
-
- if (cdk_armor_filter_use (inp))
- cdk_stream_set_armor_flag (inp, 0);
+ gnutls_openpgp_privkey_t key;
+ gnutls_openpgp_crt_t cert;
+ int ret;
+
+ ret = gnutls_openpgp_privkey_init( &key);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
- memset (&raw, 0, sizeof raw);
+ ret = gnutls_openpgp_privkey_import( key, ikey, format, NULL, 0);
+ if (ret < 0) {
+ gnutls_assert();
+ gnutls_openpgp_privkey_deinit( key);
+ return ret;
+ }
- if (stream_to_datum (inp, &raw))
- {
- gnutls_assert ();
- return GNUTLS_E_INTERNAL_ERROR;
- }
- cdk_stream_close (inp);
+ ret = gnutls_openpgp_crt_init( &cert);
+ if (ret < 0) {
+ gnutls_assert();
+ gnutls_openpgp_privkey_deinit( key);
+ return ret;
+ }
- rc = _gnutls_openpgp_raw_privkey_to_gkey (&res->pkey[res->ncerts - 1],
- &raw,
- GNUTLS_OPENPGP_FMT_RAW);
- if (rc)
- {
- gnutls_assert ();
- }
+ ret = gnutls_openpgp_crt_import( cert, icert, format);
+ if (ret < 0) {
+ gnutls_assert();
+ gnutls_openpgp_privkey_deinit( key);
+ gnutls_openpgp_crt_deinit( cert);
+ return ret;
+ }
- _gnutls_free_datum (&raw);
-leave:
- cdk_kbnode_release (knode);
+ ret = gnutls_certificate_set_openpgp_key( res, cert, key);
- return rc;
+ gnutls_openpgp_privkey_deinit( key);
+ gnutls_openpgp_crt_deinit( cert);
+
+ return ret;
}
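Review bot: The rewrite dropped the argument check the old body had (`if (!res || !key || !cert)` returning `GNUTLS_E_INVALID_REQUEST`), so a NULL `icert` or `ikey` now reaches `gnutls_openpgp_privkey_import` and `gnutls_openpgp_crt_import` unchecked; restore `if (!res || !ikey || !icert) { gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; }` at the top of the body. The private key is imported with `NULL` as the password, so a passphrase-protected key cannot be loaded through this entry point; that limitation belongs in the function's doc comment, which starts above the hunk.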
@@ -713,7 +555,8 @@ leave:
int
gnutls_certificate_set_openpgp_key_file (gnutls_certificate_credentials_t
res, const char *certfile,
- const char *keyfile)
+ const char *keyfile,
+ gnutls_openpgp_crt_fmt_t format)
{
struct stat statbuf;
gnutls_datum_t key, cert;
@@ -749,7 +592,7 @@ gnutls_certificate_set_openpgp_key_file (gnutls_certificate_credentials_t
return GNUTLS_E_FILE_ERROR;
}
- rc = gnutls_certificate_set_openpgp_key_mem (res, &cert, &key);
+ rc = gnutls_certificate_set_openpgp_key_mem (res, &cert, &key, format);
free (cert.data);
free (key.data);
@@ -812,7 +655,7 @@ gnutls_openpgp_count_key_names (const gnutls_datum_t * cert)
**/
int
gnutls_certificate_set_openpgp_keyring_file
- (gnutls_certificate_credentials_t c, const char *file)
+ (gnutls_certificate_credentials_t c, const char *file, gnutls_openpgp_crt_fmt_t format)
{
gnutls_datum ring;
size_t size;
@@ -832,7 +675,7 @@ int rc;
return GNUTLS_E_FILE_ERROR;
}
- rc = gnutls_certificate_set_openpgp_keyring_mem (c, ring.data, ring.size);
+ rc = gnutls_certificate_set_openpgp_keyring_mem (c, ring.data, ring.size, format);
free( ring.data);
@@ -854,8 +697,9 @@ int rc;
int
gnutls_certificate_set_openpgp_keyring_mem (gnutls_certificate_credentials_t
c, const opaque * data,
- size_t dlen)
+ size_t dlen, gnutls_openpgp_crt_fmt_t format)
{
+#ifndef KEYRING_HACK
cdk_stream_t inp;
size_t count;
uint8_t *buf;
@@ -877,7 +721,7 @@ gnutls_certificate_set_openpgp_keyring_mem (gnutls_certificate_credentials_t
return rc;
}
- rc = gnutls_openpgp_keyring_import( c->keyring, &ddata, GNUTLS_OPENPGP_FMT_BASE64);
+ rc = gnutls_openpgp_keyring_import( c->keyring, &ddata, format);
if ( rc < 0) {
gnutls_assert();
gnutls_openpgp_keyring_deinit( c->keyring);
@@ -885,6 +729,21 @@ gnutls_certificate_set_openpgp_keyring_mem (gnutls_certificate_credentials_t
}
return 0;
+#else
+
+ c->keyring_format = format;
+
+ c->keyring.data = gnutls_malloc( dlen+1);
+ if (c->keyring.data == NULL)
+ {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+ memcpy(c->keyring.data, data, dlen);
+ c->keyring.data[dlen]=0;
+ c->keyring.size = dlen;
+
+#endif
}
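Review bot: The `#else` arm, which is the one compiled since lib/gnutls_int.h defines `KEYRING_HACK`, reaches the closing brace without a `return`, so `rc = gnutls_certificate_set_openpgp_keyring_mem (...)` in the file variant above receives an indeterminate value and its `ret < 0` checks in src/serv.c and src/cli.c are meaningless. The arm also never frees a keyring set by an earlier call before `gnutls_malloc`, and it has no NULL check on `c`/`data` (the check in the `#ifndef` arm is outside the hunk, so I am inferring its presence). Rewrite of the arm below; `_gnutls_free_datum` is already used on this datum in lib/gnutls_cert.c.
```c
#else
  if (c == NULL || data == NULL)
    {
      gnutls_assert ();
      return GNUTLS_E_INVALID_REQUEST;
    }

  /* Replace any keyring set by an earlier call instead of leaking it. */
  _gnutls_free_datum (&c->keyring);

  c->keyring_format = format;

  c->keyring.data = gnutls_malloc (dlen + 1);
  if (c->keyring.data == NULL)
    {
      gnutls_assert ();
      return GNUTLS_E_MEMORY_ERROR;
    }
  memcpy (c->keyring.data, data, dlen);
  c->keyring.data[dlen] = 0;
  c->keyring.size = dlen;

  return 0;
#endif
```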
/*-
@@ -904,6 +763,9 @@ _gnutls_openpgp_request_key (gnutls_session_t session, gnutls_datum_t * ret,
opaque * key_fpr, int key_fpr_size)
{
int rc = 0;
+#ifdef KEYRING_HACK
+ gnutls_openpgp_keyring_t kring;
+#endif
if (!ret || !cred || !key_fpr)
{
@@ -914,9 +776,27 @@ _gnutls_openpgp_request_key (gnutls_session_t session, gnutls_datum_t * ret,
if (key_fpr_size != 16 && key_fpr_size != 20)
return GNUTLS_E_HASH_FAILED; /* only MD5 and SHA1 are supported */
+#ifndef KEYRING_HACK
rc = gnutls_openpgp_get_key (ret, cred->keyring, KEY_ATTR_FPR, key_fpr);
- if (rc >= 0) /* key was found */
+#else
+ rc = gnutls_openpgp_keyring_init( &kring);
+ if ( rc < 0) {
+ gnutls_assert();
+ return rc;
+ }
+
+ rc = gnutls_openpgp_keyring_import( kring, &cred->keyring, cred->keyring_format);
+ if ( rc < 0) {
+ gnutls_assert();
+ gnutls_openpgp_keyring_deinit( kring);
return rc;
+ }
+#endif
+ if (rc >= 0) /* key was found */
+ {
+ rc = 0;
+ goto error;
+ }
else
rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
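Review bot: Under `KEYRING_HACK` the key is never looked up: once `gnutls_openpgp_keyring_import` succeeds `rc` is 0, the `if (rc >= 0) /* key was found */` branch is taken and the function returns 0 with `ret` untouched, because the `gnutls_openpgp_get_key` call exists only in the `#ifndef` arm. Add `rc = gnutls_openpgp_get_key (ret, kring, KEY_ATTR_FPR, key_fpr);` after the import succeeds, before the `#endif`. A failed import also `return`s directly and so skips the fallback that follows the `else` in the next hunk, where the `#ifndef` arm would have fallen through with a negative `rc`; letting a failed import fall through to the `else` (the `error:` label below deinitializes `kring` either way) keeps that path. The function begins above the hunk.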
@@ -929,10 +809,15 @@ _gnutls_openpgp_request_key (gnutls_session_t session, gnutls_datum_t * ret,
if (rc < 0)
{
gnutls_assert ();
- return GNUTLS_E_OPENPGP_GETKEY_FAILED;
+ rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
+ goto error;
}
}
+ error:
+#ifdef KEYRING_HACK
+ gnutls_openpgp_keyring_deinit( kring);
+#endif
return rc;
}
@@ -1040,84 +925,6 @@ _gnutls_openpgp_crt_to_gcert (gnutls_cert * gcert, gnutls_openpgp_crt_t cert)
}
-/**
- * gnutls_certificate_set_openpgp_key - Used to set keys in a gnutls_certificate_credentials_t structure
- * @res: is an #gnutls_certificate_credentials_t structure.
- * @key: contains an openpgp public key
- * @pkey: is an openpgp private key
- *
- * This function sets a certificate/private key pair in the
- * gnutls_certificate_credentials_t structure. This function may be called
- * more than once (in case multiple keys/certificates exist for the
- * server).
- *
- **/
-int
-gnutls_certificate_set_openpgp_key (gnutls_certificate_credentials_t
- res, gnutls_openpgp_crt_t key,
- gnutls_openpgp_privkey_t pkey)
-{
- int ret;
-
- /* this should be first */
-
- res->pkey = gnutls_realloc_fast (res->pkey,
- (res->ncerts + 1) *
- sizeof (gnutls_privkey));
- if (res->pkey == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- ret = _gnutls_openpgp_privkey_to_gkey (&res->pkey[res->ncerts], pkey);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- res->cert_list = gnutls_realloc_fast (res->cert_list,
- (1 +
- res->ncerts) *
- sizeof (gnutls_cert *));
- if (res->cert_list == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- res->cert_list_length = gnutls_realloc_fast (res->cert_list_length,
- (1 +
- res->ncerts) * sizeof (int));
- if (res->cert_list_length == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- res->cert_list[res->ncerts] = gnutls_calloc (1, sizeof (gnutls_cert));
- if (res->cert_list[res->ncerts] == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- res->cert_list_length[res->ncerts] = 1;
-
- ret = _gnutls_openpgp_crt_to_gcert (res->cert_list[res->ncerts], key);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- res->ncerts++;
-
- /* FIXME: Check if the keys match. */
-
- return 0;
-}
/**
* gnutls_openpgp_privkey_sign_hash - This function will sign the given data using the private key params
diff --git a/libextra/openpgp/compat.c b/libextra/openpgp/compat.c
index 4f7e784108..02385db6f9 100644
--- a/libextra/openpgp/compat.c
+++ b/libextra/openpgp/compat.c
@@ -73,6 +73,7 @@ _gnutls_openpgp_verify_key (const gnutls_certificate_credentials_t cred,
goto leave;
}
+#ifndef KEYRING_HACK
if (cred->keyring != NULL)
{
ret = gnutls_openpgp_crt_verify_ring (key, cred->keyring, 0, &verify);
@@ -82,6 +83,33 @@ _gnutls_openpgp_verify_key (const gnutls_certificate_credentials_t cred,
goto leave;
}
}
+#else
+ {
+ gnutls_openpgp_keyring_t kring;
+
+ ret = gnutls_openpgp_keyring_init( &kring);
+ if ( ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ ret = gnutls_openpgp_keyring_import( kring, &cred->keyring, cred->keyring_format);
+ if ( ret < 0) {
+ gnutls_assert();
+ gnutls_openpgp_keyring_deinit( kring);
+ return ret;
+ }
+
+ ret = gnutls_openpgp_crt_verify_ring (key, kring, 0, &verify);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ gnutls_openpgp_keyring_deinit( kring);
+ return ret;
+ }
+ gnutls_openpgp_keyring_deinit( kring);
+ }
+#endif
/* Now try the self signature. */
ret = gnutls_openpgp_crt_verify_self (key, 0, &verify_self);
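Review bot: The `#else` arm imports the keyring unconditionally where the `#ifndef` arm guards on `cred->keyring != NULL`, so a credential with no keyring (the case the later `!cred->keyring.data || !cred->keyring.size` check in this file is written for) now fails in `gnutls_openpgp_keyring_import` instead of falling back to the self-signature. Its three error paths also `return ret` directly rather than `goto leave` as the `#ifndef` arm does, which skips whatever `leave:` releases (the enclosing function, including `key`'s allocation and the label, is outside this hunk). Rewrite of the arm below, mirroring the existing branch.
```c
#else
  if (cred->keyring.data != NULL && cred->keyring.size > 0)
    {
      gnutls_openpgp_keyring_t kring;

      ret = gnutls_openpgp_keyring_init (&kring);
      if (ret < 0)
        {
          gnutls_assert ();
          goto leave;
        }

      ret = gnutls_openpgp_keyring_import (kring, &cred->keyring,
                                           cred->keyring_format);
      if (ret >= 0)
        ret = gnutls_openpgp_crt_verify_ring (key, kring, 0, &verify);
      gnutls_openpgp_keyring_deinit (kring);
      if (ret < 0)
        {
          gnutls_assert ();
          goto leave;
        }
    }
#endif
```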
@@ -93,10 +121,15 @@ _gnutls_openpgp_verify_key (const gnutls_certificate_credentials_t cred,
*status = verify_self | verify;
+#ifndef KEYRING_HACK
/* If we only checked the self signature. */
if (!cred->keyring)
+#else
+ if (!cred->keyring.data || !cred->keyring.size)
+#endif
*status |= GNUTLS_CERT_SIGNER_NOT_FOUND;
+
ret = 0;
leave:
diff --git a/libextra/openpgp/gnutls_openpgp.h b/libextra/openpgp/gnutls_openpgp.h
index 9c4124dbac..9894b084ba 100644
--- a/libextra/openpgp/gnutls_openpgp.h
+++ b/libextra/openpgp/gnutls_openpgp.h
@@ -33,23 +33,17 @@ typedef enum
int
gnutls_certificate_set_openpgp_key_file (gnutls_certificate_credentials_t
res, const char *CERTFILE,
- const char *KEYFILE);
+ const char *KEYFILE, gnutls_openpgp_crt_fmt_t);
int gnutls_openpgp_count_key_names (const gnutls_datum_t * cert);
-int gnutls_openpgp_add_keyring_mem (gnutls_datum_t * keyring,
- const void *data, size_t len);
-
-int gnutls_openpgp_add_keyring_file (gnutls_datum_t * keyring,
- const char *name);
-
int gnutls_certificate_set_openpgp_keyring_file
- (gnutls_certificate_credentials_t c, const char *file);
+ (gnutls_certificate_credentials_t c, const char *file, gnutls_openpgp_crt_fmt_t);
int
gnutls_certificate_set_openpgp_keyring_mem (gnutls_certificate_credentials_t
c, const opaque * data,
- size_t dlen);
+ size_t dlen, gnutls_openpgp_crt_fmt_t);
int gnutls_openpgp_get_key (gnutls_datum_t * key,
gnutls_openpgp_keyring_t keyring,
@@ -74,10 +68,6 @@ _gnutls_openpgp_request_key (gnutls_session_t,
const gnutls_certificate_credentials_t cred,
opaque * key_fpr, int key_fpr_size);
-keybox_blob *kbx_read_blob (const gnutls_datum_t * keyring, size_t pos);
-cdk_keydb_hd_t kbx_to_keydb (keybox_blob * blob);
-void kbx_blob_release (keybox_blob * ctx);
-
int _gnutls_openpgp_verify_key (const gnutls_certificate_credentials_t,
const gnutls_datum_t * cert_list,
int cert_list_length, unsigned int *status);
@@ -88,6 +78,21 @@ time_t _gnutls_openpgp_get_raw_key_creation_time (const gnutls_datum_t *
time_t _gnutls_openpgp_get_raw_key_expiration_time (const gnutls_datum_t *
cert);
+int
+gnutls_openpgp_privkey_init (gnutls_openpgp_privkey_t * key);
+
+int
+gnutls_openpgp_privkey_init (gnutls_openpgp_privkey_t * key);
+
+void
+gnutls_openpgp_privkey_deinit (gnutls_openpgp_privkey_t key);
+
+int
+gnutls_openpgp_privkey_import (gnutls_openpgp_privkey_t key,
+ const gnutls_datum_t * data,
+ gnutls_openpgp_crt_fmt_t format,
+ const char *pass, unsigned int flags);
+
#endif /*GNUTLS_OPENPGP_H */
#endif /*ENABLE_OPENPGP */
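Review bot: `gnutls_openpgp_privkey_init` is declared twice in the added block, the second declaration being an exact duplicate of the first; drop one. These prototypes carry the public `gnutls_` prefix but are added to an internal header; if they are public API they belong in includes/gnutls/openpgp.h next to the crt functions it already aliases, otherwise a one-line comment should say why they are declared here.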
diff --git a/libextra/openpgp/openpgp.h b/libextra/openpgp/openpgp.h
index 84a1ad7625..ecdee694cc 100644
--- a/libextra/openpgp/openpgp.h
+++ b/libextra/openpgp/openpgp.h
@@ -5,13 +5,6 @@
# include <config.h>
#endif
-/* The format the OpenPGP key is stored in. */
-typedef enum gnutls_openpgp_crt_fmt_t
-{
- GNUTLS_OPENPGP_FMT_RAW,
- GNUTLS_OPENPGP_FMT_BASE64
-} gnutls_openpgp_crt_fmt_t;
-
#ifdef ENABLE_OPENPGP
#include <opencdk.h>
diff --git a/src/cli.c b/src/cli.c
index 5640030ddb..f04a6aeee4 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -966,7 +966,7 @@ init_global_tls_stuff (void)
#ifdef ENABLE_OPENPGP
if (pgp_keyring != NULL)
{
- ret = gnutls_certificate_set_openpgp_keyring_file (xcred, pgp_keyring);
+ ret = gnutls_certificate_set_openpgp_keyring_file (xcred, pgp_keyring, GNUTLS_OPENPGP_FMT_BASE64);
if (ret < 0)
{
fprintf (stderr, "Error setting the OpenPGP keyring file\n");
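Review bot: The keyring format is hard-coded to `GNUTLS_OPENPGP_FMT_BASE64`, so a binary keyring (for example a `pubring.gpg` or an export made without `--armor`) now fails to load, and the `--pgp-keyring` user has no way to say which format the file is in. Either add a switch, or retry with `GNUTLS_OPENPGP_FMT_RAW` when the BASE64 import fails, and include the code in the message so the user learns why: `fprintf (stderr, "Error setting the OpenPGP keyring file (%d)\n", ret);`. init_global_tls_stuff continues outside the hunk.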
diff --git a/src/serv.c b/src/serv.c
index 9ab93d4755..27959d253c 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -898,7 +898,7 @@ main (int argc, char **argv)
if (pgp_keyring != NULL)
{
ret =
- gnutls_certificate_set_openpgp_keyring_file (cert_cred, pgp_keyring);
+ gnutls_certificate_set_openpgp_keyring_file (cert_cred, pgp_keyring, GNUTLS_OPENPGP_FMT_BASE64);
if (ret < 0)
{
fprintf (stderr, "Error setting the OpenPGP keyring file\n");
@@ -908,7 +908,7 @@ main (int argc, char **argv)
if (pgp_certfile != NULL)
if ((ret = gnutls_certificate_set_openpgp_key_file
- (cert_cred, pgp_certfile, pgp_keyfile)) < 0)
+ (cert_cred, pgp_certfile, pgp_keyfile, GNUTLS_OPENPGP_FMT_BASE64)) < 0)
{
fprintf (stderr,
"Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
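Review bot: The certificate and the private key file are both assumed to be BASE64 (armored) here, so a private key kept in the binary form `gpg --export-secret-keys` produces without `--armor` fails with only an error number and no hint that the format is the cause. Consider falling back to `GNUTLS_OPENPGP_FMT_RAW` when the BASE64 import fails, or a command-line switch shared with the keyring option in the previous hunk. The enclosing `main` continues outside the hunk.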