diff options
Diffstat (limited to 'lib')
-rw-r--r-- | lib/auth/cert.c | 28 | ||||
-rw-r--r-- | lib/gnutls_pubkey.c | 41 | ||||
-rw-r--r-- | lib/includes/gnutls/abstract.h | 7 | ||||
-rw-r--r-- | lib/includes/gnutls/openpgp.h | 3 | ||||
-rw-r--r-- | lib/openpgp/gnutls_openpgp.c | 2 |
5 files changed, 69 insertions, 12 deletions
diff --git a/lib/auth/cert.c b/lib/auth/cert.c index 3e10051df3..2ff0cc00ff 100644 --- a/lib/auth/cert.c +++ b/lib/auth/cert.c @@ -935,7 +935,9 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t session, { int ret, packet_size; uint8_t type, fpr[20]; - size_t fpr_size; + uint8_t id[20]; + unsigned int subkey; + size_t fpr_size, id_size; gnutls_pcert_st *apr_cert_list; gnutls_privkey_t apr_pkey; int apr_cert_list_length; @@ -949,10 +951,21 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t session, return ret; } + if (apr_cert_list_length <= 0) + return _gnutls_gen_openpgp_certificate (session, data); + + id_size = sizeof (id); + ret = + gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey, 0, id, + &id_size, &subkey); + if (ret < 0) + return gnutls_assert_val (ret); + fpr_size = sizeof (fpr); ret = - gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey, 0, fpr, - &fpr_size, NULL); + gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey, + GNUTLS_PUBKEY_GET_OPENPGP_FINGERPRINT, + fpr, &fpr_size, NULL); if (ret < 0) return gnutls_assert_val (ret); @@ -961,10 +974,7 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t session, /* Only v4 fingerprints are sent */ - if (apr_cert_list_length > 0) - packet_size += 20 + 1; - else /* empty certificate case */ - return _gnutls_gen_openpgp_certificate (session, data); + packet_size += 20 + 1; ret = _gnutls_buffer_append_prefix (data, 24, packet_size - 3); if (ret < 0) @@ -975,6 +985,10 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t session, if (ret < 0) return gnutls_assert_val (ret); + ret = _gnutls_buffer_append_data_prefix (data, 8, id, id_size); + if (ret < 0) + return gnutls_assert_val (ret); + ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size); if (ret < 0) return gnutls_assert_val (ret); diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c index 5d0270b7d0..941ac934d3 100644 --- a/lib/gnutls_pubkey.c +++ b/lib/gnutls_pubkey.c @@ -57,8 +57,13 @@ struct gnutls_pubkey_st */ gnutls_pk_params_st params; +#ifdef ENABLE_OPENPGP uint8_t openpgp_key_id[GNUTLS_OPENPGP_KEYID_SIZE]; - int openpgp_key_id_set; + unsigned int openpgp_key_id_set; + + uint8_t openpgp_key_fpr[20]; + unsigned int openpgp_key_fpr_set:1; +#endif unsigned int key_usage; /* bits from GNUTLS_KEY_* */ }; @@ -349,6 +354,13 @@ gnutls_pubkey_import_openpgp (gnutls_pubkey_t key, uint32_t kid32[2]; uint32_t *k; uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE]; + size_t len; + + len = sizeof(key->openpgp_key_fpr); + ret = gnutls_openpgp_crt_get_fingerprint(crt, key->openpgp_key_fpr, &len); + if (ret < 0) + return gnutls_assert_val(ret); + key->openpgp_key_fpr_set = 1; ret = gnutls_openpgp_crt_get_preferred_key_id (crt, keyid); if (ret == GNUTLS_E_OPENPGP_PREFERRED_KEY_ERROR) @@ -402,16 +414,19 @@ gnutls_pubkey_import_openpgp (gnutls_pubkey_t key, /** * gnutls_pubkey_get_openpgp_key_id: * @key: Holds the public key - * @flags: should be 0 for now + * @flags: should be 0 or %GNUTLS_PUBKEY_GET_OPENPGP_FINGERPRINT * @output_data: will contain the key ID * @output_data_size: holds the size of output_data (and will be * replaced by the actual size of parameters) * @subkey: Will be non zero if the key ID corresponds to a subkey * - * This function returned the OpenPGP key ID of the corresponding key. - * The key is a unique ID the depends on the public + * This function returns the OpenPGP key ID of the corresponding key. + * The key is a unique ID that depends on the public * key parameters. * + * If the flag %GNUTLS_PUBKEY_GET_OPENPGP_FINGERPRINT is specified + * this function returns the fingerprint of the master key. + * * If the buffer provided is not long enough to hold the output, then * *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will * be returned. The output is %GNUTLS_OPENPGP_KEYID_SIZE bytes long. @@ -433,6 +448,24 @@ gnutls_pubkey_get_openpgp_key_id (gnutls_pubkey_t key, unsigned int flags, return GNUTLS_E_INVALID_REQUEST; } + if (flags & GNUTLS_PUBKEY_GET_OPENPGP_FINGERPRINT) + { + if (*output_data_size < sizeof(key->openpgp_key_fpr)) + { + *output_data_size = sizeof(key->openpgp_key_fpr); + return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + } + + if (key->openpgp_key_fpr_set == 0) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + if (output_data) + memcpy(output_data, key->openpgp_key_fpr, sizeof(key->openpgp_key_fpr)); + *output_data_size = sizeof(key->openpgp_key_fpr); + + return 0; + } + if (*output_data_size < sizeof(key->openpgp_key_id)) { *output_data_size = sizeof(key->openpgp_key_id); diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h index 50c1ecac35..e9b0e0fa23 100644 --- a/lib/includes/gnutls/abstract.h +++ b/lib/includes/gnutls/abstract.h @@ -36,6 +36,12 @@ extern "C" /* Public key operations */ +#define GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA 1 +/* The following flag disables call to PIN callbacks etc. + * Only works for TPM keys. + */ +#define GNUTLS_PUBKEY_GET_OPENPGP_FINGERPRINT (1<<3) + struct gnutls_pubkey_st; typedef struct gnutls_pubkey_st *gnutls_pubkey_t; @@ -135,7 +141,6 @@ int gnutls_x509_crt_set_pubkey (gnutls_x509_crt_t crt, gnutls_pubkey_t key); int gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq, gnutls_pubkey_t key); -#define GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA 1 int gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags, const gnutls_datum_t * hash, diff --git a/lib/includes/gnutls/openpgp.h b/lib/includes/gnutls/openpgp.h index b53b165484..4c0dbf87f2 100644 --- a/lib/includes/gnutls/openpgp.h +++ b/lib/includes/gnutls/openpgp.h @@ -52,6 +52,7 @@ extern "C" } gnutls_openpgp_crt_fmt_t; #define GNUTLS_OPENPGP_KEYID_SIZE 8 +#define GNUTLS_OPENPGP_V4_FINGERPRINT_SIZE 20 typedef unsigned char gnutls_openpgp_keyid_t[GNUTLS_OPENPGP_KEYID_SIZE]; /* gnutls_openpgp_cert_t should be defined in gnutls.h @@ -302,6 +303,8 @@ extern "C" * fingerprint instead of a full key. See also * gnutls_openpgp_set_recv_key_function(). * + * The variable @key must be allocated using gnutls_malloc(). + * * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned, * otherwise an error code is returned. */ diff --git a/lib/openpgp/gnutls_openpgp.c b/lib/openpgp/gnutls_openpgp.c index 7065bf2af4..99e2c4ed43 100644 --- a/lib/openpgp/gnutls_openpgp.c +++ b/lib/openpgp/gnutls_openpgp.c @@ -681,6 +681,8 @@ error: * callback is only useful in server side, and will be used if the peer * sent a key fingerprint instead of a full key. * + * The retrieved key must be allocated using gnutls_malloc(). + * **/ void gnutls_openpgp_set_recv_key_function (gnutls_session_t session, |