commit bde481fb521f299d9c5bf654573f73a7958d461a parent 2bdfce2c5a5348faa69ca52f1721a911d527c9fa Author: Christian Grothoff <christian@grothoff.org> Date: Sun, 24 Aug 2008 15:34:34 +0000 removing more -- hopefully all -- openpgp related code Diffstat:
16 files changed, 10 insertions(+), 835 deletions(-)
diff --git a/src/daemon/https/gnutls.h b/src/daemon/https/gnutls.h
@@ -128,9 +128,6 @@ extern "C"
 GNUTLS_HANDSHAKE_SUPPLEMENTAL = 23
 } gnutls_handshake_description_t;
-/* Note that the status bits have different meanings
- * in openpgp keys and x.509 certificate verification.
- */
 typedef enum
 { GNUTLS_CERT_INVALID = 2, /* will be set if the certificate
@@ -156,11 +153,6 @@ extern "C"
 } gnutls_certificate_request_t;
 typedef enum
- { GNUTLS_OPENPGP_CERT,
- GNUTLS_OPENPGP_CERT_FINGERPRINT
- } gnutls_openpgp_crt_status_t;
-
- typedef enum
 { GNUTLS_SHUT_RDWR = 0,
 GNUTLS_SHUT_WR = 1
@@ -639,9 +631,6 @@ extern "C"
 void MHD_gnutls_session_set_ptr (mhd_gtls_session_t session, void *ptr);
 void * MHD_gtls_session_get_ptr (mhd_gtls_session_t session);
- void MHD_gtls_openpgp_send_cert (mhd_gtls_session_t session,
- gnutls_openpgp_crt_status_t status);
-
 /*
 * this function returns the hash of the given data.
 */
@@ -798,26 +787,18 @@ extern "C"
 GNUTLS_SAN_OTHERNAME_XMPP = 1000
 } gnutls_x509_subject_alt_name_t;
- struct gnutls_openpgp_crt_int;
- typedef struct gnutls_openpgp_crt_int *gnutls_openpgp_crt_t;
-
- struct gnutls_openpgp_privkey_int;
- typedef struct gnutls_openpgp_privkey_int *gnutls_openpgp_privkey_t;
-
 typedef struct gnutls_retr_st
 {
 gnutls_certificate_type_t type;
 union cert
 {
 gnutls_x509_crt_t *x509;
- gnutls_openpgp_crt_t pgp;
 } cert;
- unsigned int ncerts; /* one for pgp keys */
+ unsigned int ncerts;
 union key
 {
 gnutls_x509_privkey_t x509;
- gnutls_openpgp_privkey_t pgp;
 } key;
 unsigned int deinit_all; /* if non zero all keys will be deinited */
@@ -1026,7 +1007,6 @@ extern "C"
 #define GNUTLS_E_NO_COMPRESSION_ALGORITHMS -86
 #define GNUTLS_E_NO_CIPHER_SUITES -87
-#define GNUTLS_E_OPENPGP_GETKEY_FAILED -88
 #define GNUTLS_E_PK_SIG_VERIFY_FAILED -89
 #define GNUTLS_E_ILLEGAL_SRP_USERNAME -90
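Review bot: Deleting `#define GNUTLS_E_OPENPGP_GETKEY_FAILED -88` in the -1026 hunk (and -79, -94 and -204 in the next two hunks of this header) leaves unmarked holes in the error-number table, so a later addition could reuse one of these values with a different meaning while `MHD_gtls_error_to_alert` and the `mhd_gtls_error_algorithms[]` table are maintained separately. A one-line marker at each gap keeps the number reserved, e.g. `/* -88: formerly GNUTLS_E_OPENPGP_GETKEY_FAILED, intentionally unassigned */`. In the -798 hunk `union cert` and `union key` in `gnutls_retr_st` are left as single-member unions; presumably the union is kept so callers using `.cert.x509` / `.key.x509` still compile, which is worth saying in the comment that replaced `/* one for pgp keys */`.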
@@ -1046,13 +1026,11 @@ extern "C"
 #define GNUTLS_E_ASN1_TYPE_ANY_ERROR -75
 #define GNUTLS_E_ASN1_SYNTAX_ERROR -76
 #define GNUTLS_E_ASN1_DER_OVERFLOW -77
-#define GNUTLS_E_OPENPGP_UID_REVOKED -79
 #define GNUTLS_E_CERTIFICATE_ERROR -43
 #define GNUTLS_E_X509_CERTIFICATE_ERROR GNUTLS_E_CERTIFICATE_ERROR
 #define GNUTLS_E_CERTIFICATE_KEY_MISMATCH -60
 #define GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE -61 /* GNUTLS_A_UNSUPPORTED_CERTIFICATE */
 #define GNUTLS_E_X509_UNKNOWN_SAN -62
-#define GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED -94
 #define GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE -95
 #define GNUTLS_E_UNKNOWN_HASH_ALGORITHM -96
 #define GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE -97
@@ -1073,7 +1051,6 @@ extern "C"
 #define GNUTLS_E_INCOMPATIBLE_CRYPTO_LIBRARY -202
 #define GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY -203
-#define GNUTLS_E_OPENPGP_KEYRING_ERROR -204
 #define GNUTLS_E_X509_UNSUPPORTED_OID -205
 #define GNUTLS_E_RANDOM_FAILED -206
diff --git a/src/daemon/https/tls/Makefile.am b/src/daemon/https/tls/Makefile.am
@@ -47,7 +47,6 @@ gnutls_dh.c \
 gnutls_dh_primes.c \
 gnutls_errors.c \
 gnutls_extensions.c \
-gnutls_extra_hooks.c \
 gnutls_global.c \
 gnutls_handshake.c \
 gnutls_hash_int.c \
diff --git a/src/daemon/https/tls/auth_cert.c b/src/daemon/https/tls/auth_cert.c
@@ -43,15 +43,11 @@
 #include <gnutls_state.h>
 #include <gnutls_pk.h>
 #include <gnutls_x509.h>
-#include <gnutls_extra_hooks.h>
 #include "debug.h"
 static gnutls_cert *alloc_and_load_x509_certs (gnutls_x509_crt_t * certs,
 unsigned);
 static gnutls_privkey *alloc_and_load_x509_key (gnutls_x509_privkey_t key);
-static gnutls_cert *alloc_and_load_pgp_certs (gnutls_openpgp_crt_t cert);
-static gnutls_privkey *alloc_and_load_pgp_key (const gnutls_openpgp_privkey_t
- key);
 /* Copies data from a internal certificate struct (gnutls_cert) to
@@ -255,41 +251,6 @@ _find_x509_cert (const mhd_gtls_cert_credentials_t cred,
 }
-/* Locates the most appropriate openpgp cert
- */
-static int
-_find_openpgp_cert (const mhd_gtls_cert_credentials_t cred,
- gnutls_pk_algorithm_t * pk_algos,
- int pk_algos_length, int *indx)
-{
- unsigned i, j;
-
- *indx = -1;
-
- for (i = 0; i < cred->ncerts; i++)
- {
- for (j = 0; j < cred->cert_list_length[i]; j++)
- {
-
- /* If the *_SIGN algorithm matches
- * the cert is our cert!
- */
- if ((_gnutls_check_pk_algo_in_list
- (pk_algos, pk_algos_length,
- cred->cert_list[i][0].subject_pk_algorithm) == 0)
- && (cred->cert_list[i][0].cert_type == MHD_GNUTLS_CRT_OPENPGP))
- {
- *indx = i;
- break;
- }
- }
- if (*indx != -1)
- break;
- }
-
- return 0;
-}
-
 /* Returns the number of issuers in the server's
 * certificate request packet.
 */
@@ -444,17 +405,9 @@ call_get_cert_callback (mhd_gtls_session_t session,
 }
 else
 { /* PGP */
- if (st.ncerts > 1)
- {
- gnutls_assert ();
- ret = GNUTLS_E_INVALID_REQUEST;
- goto cleanup;
- }
-
- local_certs = alloc_and_load_pgp_certs (st.cert.pgp);
- if (local_certs != NULL)
- local_key = alloc_and_load_pgp_key (st.key.pgp);
-
+ gnutls_assert ();
+ ret = GNUTLS_E_INVALID_REQUEST;
+ goto cleanup;
 }
 mhd_gtls_selected_certs_set (session, local_certs,
@@ -477,22 +430,6 @@ cleanup:
 gnutls_x509_privkey_deinit (st.key.x509);
 }
 }
- else
- {
- if (st.deinit_all)
- {
- if (_E_gnutls_openpgp_crt_deinit == NULL ||
- _E_gnutls_openpgp_privkey_deinit == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_INIT_LIBEXTRA;
- }
-
- _E_gnutls_openpgp_crt_deinit (st.cert.pgp);
- _E_gnutls_openpgp_privkey_deinit (st.key.pgp);
- }
- }
-
 return ret;
 }
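Review bot: In the -444 hunk the `else` branch of call_get_cert_callback now fails unconditionally with GNUTLS_E_INVALID_REQUEST, but its `{ /* PGP */` label still describes the removed OpenPGP path; rename it to say what the branch means now, e.g. `{ /* not X.509: no other certificate type is supported */`. Because `local_certs` and `local_key` are no longer assigned there, the `goto cleanup` reaches the cleanup label with them untouched, which looks intended but deserves a word in that comment. The -477 hunk leaves only the X.509 members of `st` deinitialised; with MHD_GNUTLS_CRT_X509 as the sole remaining value of `gnutls_certificate_type_t` nothing else can be leaked, but a short comment stating that assumption would stop the next reader from re-adding a branch. call_get_cert_callback begins before the -444 hunk and continues past it.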
@@ -577,11 +514,6 @@ _select_client_cert (mhd_gtls_session_t session,
 result = _find_x509_cert (cred, _data, _data_size,
 pk_algos, pk_algos_length, &indx);
-
- if (session->security_parameters.cert_type == MHD_GNUTLS_CRT_OPENPGP)
- result = _find_openpgp_cert (cred, pk_algos, pk_algos_length, &indx);
-
-
 if (result < 0)
 {
 gnutls_assert ();
@@ -667,136 +599,11 @@ mhd_gtls_gen_x509_crt (mhd_gtls_session_t session, opaque ** data)
 return ret;
 }
-enum PGPKeyDescriptorType
-{ PGP_KEY_FINGERPRINT, PGP_KEY };
-
-int
-mhd_gtls_gen_openpgp_certificate (mhd_gtls_session_t session, opaque ** data)
-{
- int ret;
- opaque *pdata;
- gnutls_cert *apr_cert_list;
- gnutls_privkey *apr_pkey;
- int apr_cert_list_length;
-
- /* find the appropriate certificate */
- if ((ret =
- mhd_gtls_get_selected_cert (session, &apr_cert_list,
- &apr_cert_list_length, &apr_pkey)) < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- ret = 3 + 1 + 3;
-
- if (apr_cert_list_length > 0)
- ret += apr_cert_list[0].raw.size;
-
- (*data) = gnutls_malloc (ret);
- pdata = (*data);
-
- if (pdata == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- mhd_gtls_write_uint24 (ret - 3, pdata);
- pdata += 3;
-
- *pdata = PGP_KEY; /* whole key */
- pdata++;
-
- if (apr_cert_list_length > 0)
- {
- mhd_gtls_write_datum24 (pdata, apr_cert_list[0].raw);
- pdata += (3 + apr_cert_list[0].raw.size);
- }
- else /* empty - no certificate */
- mhd_gtls_write_uint24 (0, pdata);
-
- return ret;
-}
-
-int
-mhd_gtls_gen_openpgp_certificate_fpr (mhd_gtls_session_t session, opaque ** data)
-{
- int ret, packet_size;
- size_t fpr_size;
- opaque *pdata;
- gnutls_cert *apr_cert_list;
- gnutls_privkey *apr_pkey;
- int apr_cert_list_length;
-
- /* find the appropriate certificate */
- if ((ret =
- mhd_gtls_get_selected_cert (session, &apr_cert_list,
- &apr_cert_list_length, &apr_pkey)) < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- packet_size = 3 + 1;
-
- /* Only v4 fingerprints are sent
- */
- if (apr_cert_list_length > 0 && apr_cert_list[0].version == 4)
- packet_size += 20 + 1;
- else /* empty certificate case */
- return mhd_gtls_gen_openpgp_certificate (session, data);
-
- (*data) = gnutls_malloc (packet_size);
- pdata = (*data);
-
- if (pdata == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- mhd_gtls_write_uint24 (packet_size - 3, pdata);
- pdata += 3;
-
- *pdata = PGP_KEY_FINGERPRINT; /* key fingerprint */
- pdata++;
-
- *pdata = 20;
- pdata++;
-
- fpr_size = 20;
-
- if (_E_gnutls_openpgp_fingerprint == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_INIT_LIBEXTRA;
- }
-
- if ((ret =
- _E_gnutls_openpgp_fingerprint (&apr_cert_list[0].raw, pdata,
- &fpr_size)) < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- return packet_size;
-}
-
-
-
 int
 mhd_gtls_gen_cert_client_certificate (mhd_gtls_session_t session, opaque ** data)
 {
 switch (session->security_parameters.cert_type)
 {
- case MHD_GNUTLS_CRT_OPENPGP:
- if (mhd_gtls_openpgp_send_fingerprint (session) == 0)
- return mhd_gtls_gen_openpgp_certificate (session, data);
- else
- return mhd_gtls_gen_openpgp_certificate_fpr (session, data);
-
 case MHD_GNUTLS_CRT_X509:
 return mhd_gtls_gen_x509_crt (session, data);
@@ -811,8 +618,6 @@ mhd_gtls_gen_cert_server_certificate (mhd_gtls_session_t session, opaque ** data
 {
 switch (session->security_parameters.cert_type)
 {
- case MHD_GNUTLS_CRT_OPENPGP:
- return mhd_gtls_gen_openpgp_certificate (session, data);
 case MHD_GNUTLS_CRT_X509:
 return mhd_gtls_gen_x509_crt (session, data);
 default:
@@ -967,184 +772,6 @@ cleanup:
 }
 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) mhd_gtls_gcert_deinit(&peer_certificate_list[x])
-int
-mhd_gtls_proc_openpgp_server_certificate (mhd_gtls_session_t session,
- opaque * data, size_t data_size)
-{
- int size, ret, len;
- opaque *p = data;
- cert_auth_info_t info;
- mhd_gtls_cert_credentials_t cred;
- ssize_t dsize = data_size;
- int i, x;
- gnutls_cert *peer_certificate_list = NULL;
- int peer_certificate_list_size = 0;
- gnutls_datum_t tmp, akey = { NULL, 0 };
-
- cred = (mhd_gtls_cert_credentials_t)
- mhd_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
- if (cred == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
- }
-
- if ((ret =
- mhd_gtls_auth_info_set (session, MHD_GNUTLS_CRD_CERTIFICATE,
- sizeof (cert_auth_info_st), 1)) < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- info = mhd_gtls_get_auth_info (session);
-
- if (data == NULL || data_size == 0)
- {
- gnutls_assert ();
- return GNUTLS_E_NO_CERTIFICATE_FOUND;
- }
-
- DECR_LEN (dsize, 3);
- size = mhd_gtls_read_uint24 (p);
- p += 3;
-
- if (size == 0)
- {
- gnutls_assert ();
- /* no certificate was sent */
- return GNUTLS_E_NO_CERTIFICATE_FOUND;
- }
- i = dsize;
-
- /* Read PGPKeyDescriptor */
- DECR_LEN (dsize, 1);
- if (*p == PGP_KEY_FINGERPRINT)
- { /* the fingerprint */
- p++;
-
- DECR_LEN (dsize, 1);
- len = (uint8_t) * p;
- p++;
-
- if (len != 20)
- {
- gnutls_assert ();
- return GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED;
- }
-
- DECR_LEN (dsize, 20);
-
- /* request the actual key from our database, or
- * a key server or anything.
- */
- if (_E_gnutls_openpgp_request_key == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_INIT_LIBEXTRA;
- }
- if ((ret =
- _E_gnutls_openpgp_request_key (session, &akey, cred, p, 20)) < 0)
- {
- gnutls_assert ();
- return ret;
- }
- tmp = akey;
- peer_certificate_list_size++;
-
- }
- else if (*p == PGP_KEY)
- { /* the whole key */
-
- p++;
-
- /* Read the actual certificate */
- DECR_LEN (dsize, 3);
- len = mhd_gtls_read_uint24 (p);
- p += 3;
-
- if (len == 0)
- {
- gnutls_assert ();
- /* no certificate was sent */
- return GNUTLS_E_NO_CERTIFICATE_FOUND;
- }
-
- DECR_LEN (dsize, len);
- peer_certificate_list_size++;
-
- tmp.size = len;
- tmp.data = p;
-
- }
- else
- {
- gnutls_assert ();
- return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
- }
-
- /* ok we now have the peer's key in tmp datum
- */
-
- if (peer_certificate_list_size == 0)
- {
- gnutls_assert ();
- return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
- }
-
- peer_certificate_list =
- gnutls_alloca (sizeof (gnutls_cert) * (peer_certificate_list_size));
- if (peer_certificate_list == NULL)
- {
- gnutls_assert ();
- ret = GNUTLS_E_MEMORY_ERROR;
- goto cleanup;
- }
- memset (peer_certificate_list, 0, sizeof (gnutls_cert) *
- peer_certificate_list_size);
-
- if (_E_gnutls_openpgp_raw_key_to_gcert == NULL)
- {
- gnutls_assert ();
- ret = GNUTLS_E_INIT_LIBEXTRA;
- goto cleanup;
- }
-
- if ((ret =
- _E_gnutls_openpgp_raw_key_to_gcert (&peer_certificate_list[0],
- &tmp)) < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- if ((ret =
- _gnutls_copy_certificate_auth_info (info,
- peer_certificate_list,
- peer_certificate_list_size)) < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- if ((ret =
- _gnutls_check_key_usage (&peer_certificate_list[0],
- gnutls_kx_get (session))) < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- ret = 0;
-
-cleanup:
-
- _gnutls_free_datum (&akey);
- CLEAR_CERTS;
- gnutls_afree (peer_certificate_list);
- return ret;
-
-}
 int
 mhd_gtls_proc_cert_server_certificate (mhd_gtls_session_t session,
@@ -1152,9 +779,6 @@ mhd_gtls_proc_cert_server_certificate (mhd_gtls_session_t session,
 {
 switch (session->security_parameters.cert_type)
 {
- case MHD_GNUTLS_CRT_OPENPGP:
- return mhd_gtls_proc_openpgp_server_certificate (session,
- data, data_size);
 case MHD_GNUTLS_CRT_X509:
 return mhd_gtls_proc_x509_server_certificate (session, data, data_size);
 default:
@@ -1262,13 +886,6 @@ mhd_gtls_proc_cert_cert_req (mhd_gtls_session_t session, opaque * data,
 size = mhd_gtls_read_uint16 (p);
 p += 2;
- if (session->security_parameters.cert_type == MHD_GNUTLS_CRT_OPENPGP
- && size != 0)
- {
- gnutls_assert (); // size should be zero
- return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
- }
-
 DECR_LEN (dsize, size);
 /* now we ask the user to tell which one
@@ -1578,85 +1195,6 @@ alloc_and_load_x509_key (gnutls_x509_privkey_t key)
 return local_key;
 }
-/* converts the given pgp certificate to gnutls_cert* and allocates
- * space for them.
- */
-static gnutls_cert *
-alloc_and_load_pgp_certs (gnutls_openpgp_crt_t cert)
-{
- gnutls_cert *local_certs;
- int ret = 0;
-
- if (cert == NULL)
- return NULL;
-
- local_certs = gnutls_malloc (sizeof (gnutls_cert));
- if (local_certs == NULL)
- {
- gnutls_assert ();
- return NULL;
- }
-
- if (_E_gnutls_openpgp_crt_to_gcert == NULL)
- {
- gnutls_assert ();
- return NULL;
- }
-
- ret = _E_gnutls_openpgp_crt_to_gcert (local_certs, cert);
- if (ret < 0)
- {
- gnutls_assert ();
- return NULL;
- }
-
- if (ret < 0)
- {
- gnutls_assert ();
- mhd_gtls_gcert_deinit (local_certs);
- gnutls_free (local_certs);
- return NULL;
- }
-
- return local_certs;
-}
-
-/* converts the given raw key to gnutls_privkey* and allocates
- * space for it.
- */
-static gnutls_privkey *
-alloc_and_load_pgp_key (const gnutls_openpgp_privkey_t key)
-{
- gnutls_privkey *local_key;
- int ret = 0;
-
- if (key == NULL)
- return NULL;
-
- local_key = gnutls_malloc (sizeof (gnutls_privkey));
- if (local_key == NULL)
- {
- gnutls_assert ();
- return NULL;
- }
-
- if (_E_gnutls_openpgp_privkey_to_gkey == NULL)
- {
- gnutls_assert ();
- return NULL;
- }
-
- ret = _E_gnutls_openpgp_privkey_to_gkey (local_key, key);
- if (ret < 0)
- {
- gnutls_assert ();
- return NULL;
- }
-
- return local_key;
-}
-
-
 void
 mhd_gtls_selected_certs_deinit (mhd_gtls_session_t session)
 {
diff --git a/src/daemon/https/tls/auth_cert.h b/src/daemon/https/tls/auth_cert.h
@@ -29,8 +29,6 @@
 #include "gnutls_auth.h"
 #include "auth_dh_common.h"
 #include "x509.h"
-#include "openpgp.h"
-#include "extra.h"
 /* This structure may be complex, but it's the only way to
 * support a server that has multiple certificates
diff --git a/src/daemon/https/tls/ext_cert_type.c b/src/daemon/https/tls/ext_cert_type.c
@@ -221,8 +221,6 @@ _gnutls_num2cert_type (int num)
 {
 case 0:
 return MHD_GNUTLS_CRT_X509;
- case 1:
- return MHD_GNUTLS_CRT_OPENPGP;
 default:
 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
 }
@@ -238,8 +236,6 @@ _gnutls_cert_type2num (int cert_type)
 {
 case MHD_GNUTLS_CRT_X509:
 return 0;
- case MHD_GNUTLS_CRT_OPENPGP:
- return 1;
 default:
 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
 }
diff --git a/src/daemon/https/tls/ext_inner_application.c b/src/daemon/https/tls/ext_inner_application.c
@@ -86,7 +86,7 @@ mhd_gtls_inner_app_send_params (mhd_gtls_session_t session,
 else
 #endif
 {
- gnutls_ia_server_credentials_t cred = (gnutls_ia_server_credentials_t)
+ struct gnutls_ia_server_credentials_st * cred = (struct gnutls_ia_server_credentials_st*)
 mhd_gtls_get_cred (session->key, MHD_GNUTLS_CRD_IA, NULL);
 if (cred)
diff --git a/src/daemon/https/tls/ext_server_name.c b/src/daemon/https/tls/ext_server_name.c
@@ -127,14 +127,14 @@ int
 mhd_gtls_server_name_send_params (mhd_gtls_session_t session, opaque * data,
 size_t _data_size)
 {
+ int total_size = 0;
+#if MHD_DEBUG_TLS
 uint16_t len;
 opaque *p;
 unsigned i;
 ssize_t data_size = _data_size;
- int total_size = 0;
 /* this function sends the client extension data (dnsname) */
-#if MHD_DEBUG_TLS
 if (session->security_parameters.entity == GNUTLS_CLIENT)
 {
diff --git a/src/daemon/https/tls/gnutls_alert.c b/src/daemon/https/tls/gnutls_alert.c
@@ -231,10 +231,6 @@ MHD_gtls_error_to_alert (int err, int *level)
 ret = GNUTLS_A_INTERNAL_ERROR;
 _level = GNUTLS_AL_FATAL;
 break;
- case GNUTLS_E_OPENPGP_GETKEY_FAILED:
- ret = GNUTLS_A_CERTIFICATE_UNOBTAINABLE;
- _level = GNUTLS_AL_FATAL;
- break;
 case GNUTLS_E_DH_PRIME_UNACCEPTABLE:
 case GNUTLS_E_NO_CERTIFICATE_FOUND:
 ret = GNUTLS_A_INSUFFICIENT_SECURITY;
diff --git a/src/daemon/https/tls/gnutls_algorithms.c b/src/daemon/https/tls/gnutls_algorithms.c
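Review bot: In the ext_server_name.c hunk the declarations of `len`, `p`, `i` and `data_size` move under `#if MHD_DEBUG_TLS` while `total_size` stays outside, so in a non-debug build the only value left in scope for the return is `total_size`, initialised to 0, and `data`/`_data_size` are presumably never read; the reason for the split (silencing unused-variable warnings once the body is compiled out) is not stated anywhere. A comment on the guard would make that explicit: `#if MHD_DEBUG_TLS /* SNI send path is compiled out otherwise; locals scoped here to avoid unused-variable warnings */`. The matching `#endif` and the rest of mhd_gtls_server_name_send_params lie outside the hunk, so I cannot confirm the non-debug return value from here. In ext_cert_type.c, `_gnutls_num2cert_type` now answers GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER for the wire value 1; whether its caller skips such an entry or aborts the handshake is outside the hunk and worth checking, since a peer that offers both certificate types should still be able to negotiate X.509.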
@@ -1866,9 +1866,6 @@ MHD_gnutls_certificate_type_get_name (gnutls_certificate_type_t type)
 if (type == MHD_GNUTLS_CRT_X509)
 ret = "X.509";
- if (type == MHD_GNUTLS_CRT_OPENPGP)
- ret = "OPENPGP";
-
 return ret;
 }
@@ -1888,24 +1885,18 @@ MHD_gtls_certificate_type_get_id (const char *name)
 if (strcasecmp (name, "X.509") == 0 || strcasecmp (name, "X509") == 0)
 return MHD_GNUTLS_CRT_X509;
- if (strcasecmp (name, "OPENPGP") == 0)
- return MHD_GNUTLS_CRT_OPENPGP;
-
 return ret;
 }
 static const gnutls_certificate_type_t mhd_gtls_supported_certificate_types[] =
 { MHD_GNUTLS_CRT_X509,
- MHD_GNUTLS_CRT_OPENPGP,
 0
 };
 /**
 * MHD_gtls_certificate_type_list:
 *
- * Get a list of certificate types. Note that to be able to use
- * OpenPGP certificates, you must link to libgnutls-extra and call
- * gnutls_global_init_extra().
+ * Get a list of certificate types.
 *
 * Returns: a zero-terminated list of %gnutls_certificate_type_t
 * integers indicating the available certificate types.
diff --git a/src/daemon/https/tls/gnutls_cert.c b/src/daemon/https/tls/gnutls_cert.c
@@ -40,7 +40,6 @@
 #include <gnutls_state.h>
 #include <gnutls_auth_int.h>
 #include <gnutls_x509.h>
-#include <gnutls_extra_hooks.h>
 /* x509 */
 #include "x509.h"
 #include "mpi.h"
@@ -192,10 +191,7 @@ MHD_gnutls_certificate_free_credentials (mhd_gtls_cert_credentials_t sc)
 MHD_gnutls_certificate_free_crls (sc);
 #endif
-#ifndef KEYRING_HACK
- if (_E_gnutls_openpgp_keyring_deinit)
- _E_gnutls_openpgp_keyring_deinit (sc->keyring);
-#else
+#ifdef KEYRING_HACK
 _gnutls_free_datum (&sc->keyring);
 #endif
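Review bot: The -192 hunk of gnutls_cert.c keeps `_gnutls_free_datum (&sc->keyring)` only under `#ifdef KEYRING_HACK`; if the `keyring` member of the credentials struct is still declared in the non-KEYRING_HACK build (its definition is outside this diff), whatever it holds is no longer released by MHD_gnutls_certificate_free_credentials. Either remove the member together with the hook it served, or state why no cleanup is needed, e.g. `/* keyring is only populated when KEYRING_HACK is defined */` above the `#ifdef`. In gnutls_algorithms.c the `0` terminator of `mhd_gtls_supported_certificate_types[]` coincides with MHD_GNUTLS_CRT_UNKNOWN = 0 from microhttpd.h, which is fine but now the only sentinel; a comment `/* terminated by MHD_GNUTLS_CRT_UNKNOWN (0) */` on the array would document that dependency.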
@@ -437,74 +433,6 @@ _gnutls_x509_get_raw_crt_expiration_time (const gnutls_datum_t * cert)
 return result;
 }
-/*-
- * _gnutls_openpgp_crt_verify_peers - This function returns the peer's certificate status
- * @session: is a gnutls session
- *
- * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.).
- * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
- *
- -*/
-int
-_gnutls_openpgp_crt_verify_peers (mhd_gtls_session_t session,
- unsigned int *status)
-{
- cert_auth_info_t info;
- mhd_gtls_cert_credentials_t cred;
- int peer_certificate_list_size, ret;
-
- CHECK_AUTH (MHD_GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
-
- info = mhd_gtls_get_auth_info (session);
- if (info == NULL)
- return GNUTLS_E_INVALID_REQUEST;
-
- cred = (mhd_gtls_cert_credentials_t)
- mhd_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
- if (cred == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
- }
-
- if (info->raw_certificate_list == NULL || info->ncerts == 0)
- {
- gnutls_assert ();
- return GNUTLS_E_NO_CERTIFICATE_FOUND;
- }
-
- /* generate a list of gnutls_certs based on the auth info
- * raw certs.
- */
- peer_certificate_list_size = info->ncerts;
-
- if (peer_certificate_list_size != 1)
- {
- gnutls_assert ();
- return GNUTLS_E_INTERNAL_ERROR;
- }
-
- /* Verify certificate
- */
- if (_E_gnutls_openpgp_verify_key == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_INIT_LIBEXTRA;
- }
- ret =
- _E_gnutls_openpgp_verify_key (cred, &info->raw_certificate_list[0],
- peer_certificate_list_size, status);
-
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- return 0;
-}
-
-
 /**
 * MHD_gtls_certificate_verify_peers2 - This function returns the peer's certificate verification status
 * @session: is a gnutls session
@@ -552,8 +480,6 @@ MHD_gtls_certificate_verify_peers2 (mhd_gtls_session_t session,
 {
 case MHD_GNUTLS_CRT_X509:
 return _gnutls_x509_cert_verify_peers (session, status);
- case MHD_GNUTLS_CRT_OPENPGP:
- return _gnutls_openpgp_crt_verify_peers (session, status);
 default:
 return GNUTLS_E_INVALID_REQUEST;
 }
@@ -626,12 +552,6 @@ MHD_gtls_certificate_expiration_time_peers (mhd_gtls_session_t session)
 return _gnutls_x509_get_raw_crt_expiration_time (&info->
 raw_certificate_list
 [0]);
- case MHD_GNUTLS_CRT_OPENPGP:
- if (_E_gnutls_openpgp_get_raw_key_expiration_time == NULL)
- return (time_t) - 1;
- return _E_gnutls_openpgp_get_raw_key_expiration_time (&info->
- raw_certificate_list
- [0]);
 default:
 return (time_t) - 1;
 }
@@ -671,12 +591,6 @@ MHD_gtls_certificate_activation_time_peers (mhd_gtls_session_t session)
 return _gnutls_x509_get_raw_crt_activation_time (&info->
 raw_certificate_list
 [0]);
- case MHD_GNUTLS_CRT_OPENPGP:
- if (_E_gnutls_openpgp_get_raw_key_creation_time == NULL)
- return (time_t) - 1;
- return _E_gnutls_openpgp_get_raw_key_creation_time (&info->
- raw_certificate_list
- [0]);
 default:
 return (time_t) - 1;
 }
@@ -692,13 +606,6 @@ mhd_gtls_raw_cert_to_gcert (gnutls_cert * gcert,
 {
 case MHD_GNUTLS_CRT_X509:
 return mhd_gtls_x509_raw_cert_to_gcert (gcert, raw_cert, flags);
- case MHD_GNUTLS_CRT_OPENPGP:
- if (_E_gnutls_openpgp_raw_key_to_gcert == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_INIT_LIBEXTRA;
- }
- return _E_gnutls_openpgp_raw_key_to_gcert (gcert, raw_cert);
 default:
 gnutls_assert ();
 return GNUTLS_E_INTERNAL_ERROR;
@@ -715,17 +622,6 @@ mhd_gtls_raw_privkey_to_gkey (gnutls_privkey * key,
 {
 case MHD_GNUTLS_CRT_X509:
 return _gnutls_x509_raw_privkey_to_gkey (key, raw_key, key_enc);
-#if ENABLE_OPENPGP
- case MHD_GNUTLS_CRT_OPENPGP:
- if (_E_gnutls_openpgp_raw_privkey_to_gkey == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_INIT_LIBEXTRA;
- }
- return _E_gnutls_openpgp_raw_privkey_to_gkey (key, raw_key,
- (gnutls_openpgp_crt_fmt_t)
- key_enc);
-#endif
 default:
 gnutls_assert ();
 return GNUTLS_E_INTERNAL_ERROR;
diff --git a/src/daemon/https/tls/gnutls_errors.c b/src/daemon/https/tls/gnutls_errors.c
@@ -205,22 +205,15 @@ static const gnutls_error_entry mhd_gtls_error_algorithms[] = {
 ERROR_ENTRY (N_("The tasn1 library version is too old."),
 GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY, 1),
- ERROR_ENTRY (N_("Error loading the keyring."),
- GNUTLS_E_OPENPGP_KEYRING_ERROR, 1),
 ERROR_ENTRY (N_("The initialization of LZO has failed."),
 GNUTLS_E_LZO_INIT_FAILED, 1),
 ERROR_ENTRY (N_("No supported compression algorithms have been found."),
 GNUTLS_E_NO_COMPRESSION_ALGORITHMS, 1),
 ERROR_ENTRY (N_("No supported cipher suites have been found."),
 GNUTLS_E_NO_CIPHER_SUITES, 1),
- ERROR_ENTRY (N_("Could not get OpenPGP key."),
- GNUTLS_E_OPENPGP_GETKEY_FAILED, 1),
-
 ERROR_ENTRY (N_("The SRP username supplied is illegal."),
 GNUTLS_E_ILLEGAL_SRP_USERNAME, 1),
- ERROR_ENTRY (N_("The OpenPGP fingerprint is not supported."),
- GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1),
 ERROR_ENTRY (N_("The certificate has unsupported attributes."),
 GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE, 1),
 ERROR_ENTRY (N_("The OID is not supported."), GNUTLS_E_X509_UNSUPPORTED_OID,
diff --git a/src/daemon/https/tls/gnutls_extra_hooks.c b/src/daemon/https/tls/gnutls_extra_hooks.c
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2007 Free Software Foundation
- *
- * Author: Simon Josefsson
- *
- * This file is part of GNUTLS.
- *
- * The GNUTLS library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA
- *
- */
-
-#include <gnutls_int.h>
-#include <gnutls_extra_hooks.h>
-
-/* Variables used by libgnutls, set by
- _gnutls_add_openpgp_functions(), typically invoked by
- libgnutls_extra. */
-_gnutls_openpgp_verify_key_func _E_gnutls_openpgp_verify_key = NULL;
-_gnutls_openpgp_crt_creation_time_func
- _E_gnutls_openpgp_get_raw_key_creation_time = NULL;
-_gnutls_openpgp_crt_expiration_time_func
- _E_gnutls_openpgp_get_raw_key_expiration_time = NULL;
-_gnutls_openpgp_fingerprint_func _E_gnutls_openpgp_fingerprint = NULL;
-_gnutls_openpgp_crt_request_func _E_gnutls_openpgp_request_key = NULL;
-_gnutls_openpgp_raw_key_to_gcert_func _E_gnutls_openpgp_raw_key_to_gcert =
- NULL;
-_gnutls_openpgp_raw_privkey_to_gkey_func _E_gnutls_openpgp_raw_privkey_to_gkey
- = NULL;
-_gnutls_openpgp_crt_to_gcert_func _E_gnutls_openpgp_crt_to_gcert = NULL;
-_gnutls_openpgp_privkey_to_gkey_func _E_gnutls_openpgp_privkey_to_gkey = NULL;
-_gnutls_openpgp_crt_deinit_func _E_gnutls_openpgp_crt_deinit = NULL;
-_gnutls_openpgp_keyring_deinit_func _E_gnutls_openpgp_keyring_deinit = NULL;
-_gnutls_openpgp_privkey_deinit_func _E_gnutls_openpgp_privkey_deinit = NULL;
-
-/* Called by libgnutls_extra to set the OpenPGP functions that are
- needed by GnuTLS. */
-extern void
- _gnutls_add_openpgp_functions
- (_gnutls_openpgp_verify_key_func verify_key,
- _gnutls_openpgp_crt_creation_time_func key_creation_time,
- _gnutls_openpgp_crt_expiration_time_func key_expiration_time,
- _gnutls_openpgp_fingerprint_func fingerprint,
- _gnutls_openpgp_crt_request_func request_key,
- _gnutls_openpgp_raw_key_to_gcert_func raw_key_to_gcert,
- _gnutls_openpgp_raw_privkey_to_gkey_func raw_privkey_to_gkey,
- _gnutls_openpgp_crt_to_gcert_func key_to_gcert,
- _gnutls_openpgp_privkey_to_gkey_func privkey_to_gkey,
- _gnutls_openpgp_crt_deinit_func key_deinit,
- _gnutls_openpgp_keyring_deinit_func keyring_deinit,
- _gnutls_openpgp_privkey_deinit_func privkey_deinit)
-{
- _E_gnutls_openpgp_verify_key = verify_key;
- _E_gnutls_openpgp_get_raw_key_creation_time = key_creation_time;
- _E_gnutls_openpgp_get_raw_key_expiration_time = key_expiration_time;
- _E_gnutls_openpgp_fingerprint = fingerprint;
- _E_gnutls_openpgp_request_key = request_key;
- _E_gnutls_openpgp_raw_key_to_gcert = raw_key_to_gcert;
- _E_gnutls_openpgp_raw_privkey_to_gkey = raw_privkey_to_gkey;
- _E_gnutls_openpgp_crt_to_gcert = key_to_gcert;
- _E_gnutls_openpgp_privkey_to_gkey = privkey_to_gkey;
- _E_gnutls_openpgp_crt_deinit = key_deinit;
- _E_gnutls_openpgp_keyring_deinit = keyring_deinit;
- _E_gnutls_openpgp_privkey_deinit = privkey_deinit;
-
-}
diff --git a/src/daemon/https/tls/gnutls_extra_hooks.h b/src/daemon/https/tls/gnutls_extra_hooks.h
@@ -1,106 +0,0 @@
-/*
- * Copyright (C) 2007 Free Software Foundation
- *
- * Author: Simon Josefsson
- *
- * This file is part of GNUTLS.
- *
- * The GNUTLS library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA
- *
- */
-
-/* This file is included by libgnutls-extra, and it will call the
- _gnutls_add_openpgp_functions() function to register its OpenPGP
- functions. */
-
-#include <auth_cert.h>
-
-typedef int (*_gnutls_openpgp_verify_key_func)
-(const mhd_gtls_cert_credentials_t,
- const gnutls_datum_t *, int,
- unsigned int *);
-
-typedef time_t (*_gnutls_openpgp_crt_creation_time_func)
-(const gnutls_datum_t *);
-
-typedef time_t (*_gnutls_openpgp_crt_expiration_time_func)
-(const gnutls_datum_t *);
-
-typedef int (*_gnutls_openpgp_crt_request_func)
-(mhd_gtls_session_t, gnutls_datum_t *,
- const mhd_gtls_cert_credentials_t,
- opaque *, int);
-
-typedef int (*_gnutls_openpgp_fingerprint_func)
-(const gnutls_datum_t *,
- unsigned char *, size_t *);
-
-typedef int (*_gnutls_openpgp_raw_key_to_gcert_func)
-(gnutls_cert *,
- const gnutls_datum_t *);
-typedef int (*_gnutls_openpgp_raw_privkey_to_gkey_func)
-(gnutls_privkey *,
- const gnutls_datum_t *,
- gnutls_openpgp_crt_fmt_t);
-
-typedef int (*_gnutls_openpgp_crt_to_gcert_func)
-(gnutls_cert *, gnutls_openpgp_crt_t);
-
-typedef int (*_gnutls_openpgp_privkey_to_gkey_func)
-(gnutls_privkey *,
- gnutls_openpgp_privkey_t);
-
-typedef void (*_gnutls_openpgp_crt_deinit_func)
-(gnutls_openpgp_crt_t);
-
-typedef void (*_gnutls_openpgp_keyring_deinit_func)
-(gnutls_openpgp_keyring_t);
-
-typedef void (*_gnutls_openpgp_privkey_deinit_func)
-(gnutls_openpgp_privkey_t);
-
-/* These are defined in libgnutls, but not exported from libgnutls,
- and not intended to be used by libgnutls-extra or elsewhere. They
- are declared here, because this file is included by auth_cert.c and
- gnutls_cert.c too. */
-extern _gnutls_openpgp_verify_key_func _E_gnutls_openpgp_verify_key;
-extern _gnutls_openpgp_crt_creation_time_func
-_E_gnutls_openpgp_get_raw_key_creation_time;
-extern _gnutls_openpgp_crt_expiration_time_func
-_E_gnutls_openpgp_get_raw_key_expiration_time;
-extern _gnutls_openpgp_fingerprint_func _E_gnutls_openpgp_fingerprint;
-extern _gnutls_openpgp_crt_request_func _E_gnutls_openpgp_request_key;
-extern _gnutls_openpgp_raw_key_to_gcert_func _E_gnutls_openpgp_raw_key_to_gcert;
-extern _gnutls_openpgp_raw_privkey_to_gkey_func _E_gnutls_openpgp_raw_privkey_to_gkey;
-extern _gnutls_openpgp_crt_to_gcert_func _E_gnutls_openpgp_crt_to_gcert;
-extern _gnutls_openpgp_privkey_to_gkey_func _E_gnutls_openpgp_privkey_to_gkey;
-extern _gnutls_openpgp_crt_deinit_func _E_gnutls_openpgp_crt_deinit;
-extern _gnutls_openpgp_keyring_deinit_func _E_gnutls_openpgp_keyring_deinit;
-extern _gnutls_openpgp_privkey_deinit_func _E_gnutls_openpgp_privkey_deinit;
-
-extern void _gnutls_add_openpgp_functions
-(_gnutls_openpgp_verify_key_func verify_key,
- _gnutls_openpgp_crt_creation_time_func key_creation_time,
- _gnutls_openpgp_crt_expiration_time_func key_expiration_time,
- _gnutls_openpgp_fingerprint_func fingerprint,
- _gnutls_openpgp_crt_request_func request_key,
- _gnutls_openpgp_raw_key_to_gcert_func raw_key_to_gcert,
- _gnutls_openpgp_raw_privkey_to_gkey_func raw_privkey_to_gkey,
- _gnutls_openpgp_crt_to_gcert_func key_to_gcert,
- _gnutls_openpgp_privkey_to_gkey_func privkey_to_gkey,
- _gnutls_openpgp_crt_deinit_func key_deinit,
- _gnutls_openpgp_keyring_deinit_func keyring_deinit,
- _gnutls_openpgp_privkey_deinit_func privkey_deinit);
diff --git a/src/daemon/https/tls/gnutls_int.h b/src/daemon/https/tls/gnutls_int.h
@@ -28,7 +28,6 @@
 #include <defines.h>
 #include "gnutls.h"
-#include "extra.h"
 #include "microhttpd.h"
 #include "gnutls_mem.h"
diff --git a/src/daemon/https/tls/gnutls_state.c b/src/daemon/https/tls/gnutls_state.c
@@ -594,23 +594,6 @@ mhd_gtls_dh_set_group (mhd_gtls_session_t session, mpi_t gen, mpi_t prime)
 }
 /**
- * MHD_gtls_openpgp_send_cert - This function will order gnutls to send the openpgp fingerprint instead of the key
- * @session: is a pointer to a #mhd_gtls_session_t structure.
- * @status: is one of GNUTLS_OPENPGP_CERT, or GNUTLS_OPENPGP_CERT_FINGERPRINT
- *
- * This function will order gnutls to send the key fingerprint
- * instead of the key in the initial handshake procedure. This should
- * be used with care and only when there is indication or knowledge
- * that the server can obtain the client's key.
- **/
-void
-MHD_gtls_openpgp_send_cert (mhd_gtls_session_t session,
- gnutls_openpgp_crt_status_t status)
-{
- session->internals.pgp_fingerprint = status;
-}
-
-/**
 * MHD_gnutls_certificate_send_x509_rdn_sequence - This function will order gnutls to send or not the x.509 rdn sequence
 * @session: is a pointer to a #mhd_gtls_session_t structure.
 * @status: is 0 or 1
@@ -631,12 +614,6 @@ MHD_gnutls_certificate_send_x509_rdn_sequence (mhd_gtls_session_t session,
 session->internals.ignore_rdn_sequence = status;
 }
-int
-mhd_gtls_openpgp_send_fingerprint (mhd_gtls_session_t session)
-{
- return session->internals.pgp_fingerprint;
-}
-
 /*-
 * _gnutls_record_set_default_version - Used to set the default version for the first record packet
 * @session: is a #mhd_gtls_session_t structure.
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
@@ -1094,8 +1094,7 @@ typedef enum
 typedef enum
 {
 MHD_GNUTLS_CRT_UNKNOWN = 0,
- MHD_GNUTLS_CRT_X509 = 1,
- MHD_GNUTLS_CRT_OPENPGP
+ MHD_GNUTLS_CRT_X509 = 1
 } gnutls_certificate_type_t;
 typedef enum
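Review bot: Removing MHD_gtls_openpgp_send_cert (writer, -594 hunk) and mhd_gtls_openpgp_send_fingerprint (reader, -631 hunk) leaves `session->internals.pgp_fingerprint` with no remaining accessor in gnutls_state.c; if the member is still declared in gnutls_int.h it is now dead session state that a later reader will assume something still sets. Dropping the field in the same sweep, or marking it `/* pgp_fingerprint: no longer read or written; remove with the struct cleanup */` at its declaration, would close that loop. The declaration itself is outside this diff, so this is a question rather than a confirmed leftover.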