878
876
if (apr_cert_list_length > 0)
880
878
fpr_size = sizeof (fpr);
882
880
gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey, 0, fpr,
883
&fpr_size, &use_subkey);
885
883
return gnutls_assert_val (ret);
888
ret += 1 + fpr_size; /* for the keyid */
885
ret += 1 + fpr_size; /* for the keyid */
886
_gnutls_handshake_log("Sending PGP key ID %s (%s)\n", _gnutls_bin2hex(fpr, GNUTLS_OPENPGP_KEYID_SIZE, buf, sizeof(buf), NULL),
887
subkey?"subkey":"master");
890
889
ret += apr_cert_list[0].cert.size;
898
897
if (apr_cert_list_length > 0)
902
type = PGP_KEY_SUBKEY;
904
ret = _gnutls_buffer_append_data (data, &type, 1);
906
return gnutls_assert_val (ret);
908
ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size);
910
return gnutls_assert_val (ret);
915
ret = _gnutls_buffer_append_data (data, &type, 1);
917
return gnutls_assert_val (ret);
899
type = PGP_KEY_SUBKEY;
901
ret = _gnutls_buffer_append_data (data, &type, 1);
903
return gnutls_assert_val (ret);
905
ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size);
907
return gnutls_assert_val (ret);
921
910
_gnutls_buffer_append_data_prefix (data, 24,
954
if (apr_cert_list_length <= 0)
955
return _gnutls_gen_openpgp_certificate (session, data);
957
id_size = sizeof (id);
959
gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey, 0, id,
962
return gnutls_assert_val (ret);
964
964
fpr_size = sizeof (fpr);
966
gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey, 0, fpr,
967
&fpr_size, &use_subkey);
966
gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey,
967
GNUTLS_PUBKEY_GET_OPENPGP_FINGERPRINT,
968
fpr, &fpr_size, NULL);
969
970
return gnutls_assert_val (ret);
971
972
packet_size = 3 + 1;
974
packet_size += 1 + fpr_size; /* for the keyid */
973
packet_size += 1 + fpr_size; /* for the keyid */
976
975
/* Only v4 fingerprints are sent
978
if (apr_cert_list_length > 0)
979
packet_size += 20 + 1;
980
else /* empty certificate case */
981
return _gnutls_gen_openpgp_certificate (session, data);
977
packet_size += 20 + 1;
983
979
ret = _gnutls_buffer_append_prefix (data, 24, packet_size - 3);
985
981
return gnutls_assert_val (ret);
989
type = PGP_KEY_FINGERPRINT_SUBKEY;
990
ret = _gnutls_buffer_append_data (data, &type, 1);
992
return gnutls_assert_val (ret);
994
ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size);
996
return gnutls_assert_val (ret);
1000
type = PGP_KEY_FINGERPRINT; /* key fingerprint */
1001
ret = _gnutls_buffer_append_data (data, &type, 1);
1003
return gnutls_assert_val (ret);
1006
fpr_size = sizeof (fpr);
1008
_gnutls_openpgp_fingerprint (&apr_cert_list[0].cert, fpr,
983
type = PGP_KEY_FINGERPRINT_SUBKEY;
984
ret = _gnutls_buffer_append_data (data, &type, 1);
986
return gnutls_assert_val (ret);
988
ret = _gnutls_buffer_append_data_prefix (data, 8, id, id_size);
990
return gnutls_assert_val (ret);
1015
992
ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size);
1209
1186
#ifdef ENABLE_OPENPGP
1211
1188
_gnutls_proc_openpgp_server_crt (gnutls_session_t session,
1212
uint8_t * data, size_t data_size)
1189
uint8_t * data, size_t data_size)
1214
1191
int size, ret, len;
1215
1192
uint8_t *p = data;
1216
1193
cert_auth_info_t info;
1217
1194
gnutls_certificate_credentials_t cred;
1218
1195
ssize_t dsize = data_size;
1220
1197
gnutls_pcert_st *peer_certificate_list = NULL;
1221
int peer_certificate_list_size = 0;
1222
1198
gnutls_datum_t tmp, akey = { NULL, 0 };
1199
unsigned int compat = 0;
1223
1200
uint8_t subkey_id[GNUTLS_OPENPGP_KEYID_SIZE];
1224
unsigned int subkey_id_set = 0;
1226
1202
cred = (gnutls_certificate_credentials_t)
1227
_gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
1203
_gnutls_get_cred (session, GNUTLS_CRD_CERTIFICATE, NULL);
1228
1204
if (cred == NULL)
1230
1206
gnutls_assert ();
1327
1295
gnutls_assert ();
1328
1296
/* no certificate was sent */
1329
return GNUTLS_E_NO_CERTIFICATE_FOUND;
1297
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
1332
1300
DECR_LEN (dsize, len);
1333
peer_certificate_list_size++;
1306
else if (key_type == PGP_EMPTY_KEY)
1307
{ /* the whole key */
1309
/* Read the actual certificate */
1310
DECR_LEN (dsize, 3);
1311
len = _gnutls_read_uint24 (p);
1314
if (len == 0) /* PGP_EMPTY_KEY */
1315
return GNUTLS_E_NO_CERTIFICATE_FOUND;
1316
/* Uncomment to remove compatibility with RFC5081.
1318
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);*/
1320
DECR_LEN (dsize, len);
1365
1345
gnutls_pcert_import_openpgp_raw (&peer_certificate_list[0],
1367
1347
GNUTLS_OPENPGP_FMT_RAW,
1368
(subkey_id_set != 0) ? subkey_id : NULL,
1348
(compat==0)?subkey_id:NULL,
1372
1352
gnutls_assert ();
1358
size_t t = sizeof(subkey_id);
1359
gnutls_pubkey_get_openpgp_key_id(peer_certificate_list[0].pubkey, 0, subkey_id, &t, NULL);
1377
1363
_gnutls_copy_certificate_auth_info (info,
1378
1364
peer_certificate_list,
1379
peer_certificate_list_size,
1382
0) ? subkey_id : NULL);
1385
1368
gnutls_assert ();
1752
1727
cred = (gnutls_certificate_credentials_t)
1753
_gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
1728
_gnutls_get_cred (session, GNUTLS_CRD_CERTIFICATE, NULL);
1754
1729
if (cred == NULL)
1756
1731
gnutls_assert ();
1757
1732
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1760
size = CERTTYPE_SIZE + 2; /* 2 for gnutls_certificate_type_t + 2 for size of rdn_seq
1763
if (session->security_parameters.cert_type == GNUTLS_CRT_X509 &&
1764
session->internals.ignore_rdn_sequence == 0)
1765
size += cred->x509_rdn_sequence.size;
1767
if (_gnutls_version_has_selectable_sighash (ver))
1768
/* Need two bytes to announce the number of supported hash
1769
functions (see below). */
1770
size += MAX_SIGN_ALGO_SIZE;
1772
1735
tmp_data[0] = CERTTYPE_SIZE - 1;
1773
1736
tmp_data[1] = RSA_SIGN;
1774
1737
tmp_data[2] = DSA_SIGN;
2247
2207
_gnutls_free_datum (&rsa->modulus);
2248
2208
_gnutls_free_datum (&rsa->exponent);
2211
int _gnutls_gen_dhe_signature(gnutls_session_t session, gnutls_buffer_st* data,
2212
uint8_t* plain, unsigned plain_size)
2214
gnutls_pcert_st *apr_cert_list;
2215
gnutls_privkey_t apr_pkey;
2216
int apr_cert_list_length;
2217
gnutls_datum_t signature = { NULL, 0 }, ddata;
2218
gnutls_sign_algorithm_t sign_algo;
2219
const version_entry_st* ver = get_version (session);
2222
if (unlikely(ver == NULL))
2223
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
2226
ddata.size = plain_size;
2228
/* find the appropriate certificate */
2230
_gnutls_get_selected_cert (session, &apr_cert_list,
2231
&apr_cert_list_length, &apr_pkey)) < 0)
2237
if (apr_cert_list_length > 0)
2240
_gnutls_handshake_sign_data (session, &apr_cert_list[0],
2241
apr_pkey, &ddata, &signature,
2251
ret = 0; /* ANON-DH, do not put a signature - ILLEGAL! */
2255
if (_gnutls_version_has_selectable_sighash (ver))
2257
const sign_algorithm_st *aid;
2260
if (sign_algo == GNUTLS_SIGN_UNKNOWN)
2262
ret = GNUTLS_E_UNKNOWN_ALGORITHM;
2266
aid = _gnutls_sign_to_tls_aid (sign_algo);
2270
ret = GNUTLS_E_UNKNOWN_ALGORITHM;
2274
p[0] = aid->hash_algorithm;
2275
p[1] = aid->sign_algorithm;
2277
ret = _gnutls_buffer_append_data(data, p, 2);
2285
ret = _gnutls_buffer_append_data_prefix(data, 16, signature.data, signature.size);
2294
_gnutls_free_datum (&signature);
2299
_gnutls_proc_dhe_signature (gnutls_session_t session, uint8_t * data,
2300
size_t _data_size, gnutls_datum_t* vparams)
2303
gnutls_datum_t signature;
2305
cert_auth_info_t info = _gnutls_get_auth_info (session);
2306
ssize_t data_size = _data_size;
2307
gnutls_pcert_st peer_cert;
2308
gnutls_sign_algorithm_t sign_algo = GNUTLS_SIGN_UNKNOWN;
2309
const version_entry_st* ver = get_version (session);
2311
if (unlikely(info == NULL || info->ncerts == 0 || ver == NULL))
2314
/* we need this in order to get peer's certificate */
2315
return GNUTLS_E_INTERNAL_ERROR;
2318
/* VERIFY SIGNATURE */
2319
if (_gnutls_version_has_selectable_sighash (ver))
2321
sign_algorithm_st aid;
2323
DECR_LEN (data_size, 1);
2324
aid.hash_algorithm = *data++;
2325
DECR_LEN (data_size, 1);
2326
aid.sign_algorithm = *data++;
2327
sign_algo = _gnutls_tls_aid_to_sign (&aid);
2328
if (sign_algo == GNUTLS_SIGN_UNKNOWN)
2330
_gnutls_debug_log("unknown signature %d.%d\n", aid.sign_algorithm, aid.hash_algorithm);
2332
return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
2335
DECR_LEN (data_size, 2);
2336
sigsize = _gnutls_read_uint16 (data);
2339
DECR_LEN (data_size, sigsize);
2340
signature.data = data;
2341
signature.size = sigsize;
2344
_gnutls_get_auth_info_pcert (&peer_cert,
2345
session->security_parameters.cert_type,
2353
_gnutls_handshake_verify_data (session, &peer_cert, vparams, &signature,
2356
gnutls_pcert_deinit (&peer_cert);