| blob | 3592395803f1d6e11afa2f31ff8201f9d059ff42 |
1 /*
2 * Copyright (C) 2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 #include <gnutls_int.h>
24 #include <gnutls_errors.h>
25 #include <libtasn1.h>
26 #include <gnutls_global.h>
28 #include <gnutls_sig.h>
29 #include <gnutls_str.h>
30 #include <gnutls_datum.h>
32 #include <common.h>
33 #include <base64.h>
34 #include <gnutls/abstract.h>
35 #include <system.h>
36 #include <locks.h>
39 gnutls_tdb_store_func store;
40 gnutls_tdb_store_commitment_func cstore;
41 gnutls_tdb_verify_func verify;
42 };
51 static
54 gnutls_digest_algorithm_t hash_algo,
56 static
61 #define MAX_FILENAME 512
66 store_pubkey,
67 store_commitment,
68 verify_pubkey
69 };
72 /**
73 * gnutls_verify_stored_pubkey:
74 * @db_name: A file specifying the stored keys (use NULL for the default)
75 * @tdb: A storage structure or NULL to use the default
76 * @host: The peer's name
77 * @service: non-NULL if this key is specific to a service (e.g. http)
78 * @cert_type: The type of the certificate
79 * @cert: The raw (der) data of the certificate
80 * @flags: should be 0.
81 *
82 * This function will try to verify the provided certificate using
83 * a list of stored public keys. The @service field if non-NULL should
84 * be a port number.
85 *
86 * The @retrieve variable if non-null specifies a custom backend for
87 * the retrieval of entries. If it is NULL then the
88 * default file backend will be used. In POSIX-like systems the
89 * file backend uses the $HOME/.gnutls/known_hosts file.
90 *
91 * Note that if the custom storage backend is provided the
92 * retrieval function should return %GNUTLS_E_CERTIFICATE_KEY_MISMATCH
93 * if the host/service pair is found but key doesn't match,
94 * %GNUTLS_E_NO_CERTIFICATE_FOUND if no such host/service with
95 * the given key is found, and 0 if it was found. The storage
96 * function should return 0 on success.
97 *
98 * Returns: If no associated public key is found
99 * then %GNUTLS_E_NO_CERTIFICATE_FOUND will be returned. If a key
100 * is found but does not match %GNUTLS_E_CERTIFICATE_KEY_MISMATCH
101 * is returned. On success, %GNUTLS_E_SUCCESS (0) is returned,
102 * or a negative error value on other errors.
103 *
104 * Since: 3.0
105 **/
106 int
108 gnutls_tdb_t tdb,
111 gnutls_certificate_type_t cert_type,
113 {
122 {
127 }
134 else
138 {
141 }
147 cleanup:
150 }
157 {
163 gnutls_digest_algorithm_t hash_algo;
167 /* read host */
175 /* read service */
183 /* read expiration */
192 /* read hash algorithm */
201 /* read hash */
209 /* hash and hex encode */
228 /* key found and matches */
230 }
239 {
245 /* read version */
256 /* read host */
264 /* read service */
272 /* read expiration */
281 /* read key */
296 /* key found and matches */
298 }
300 /* Returns the base64 key if found
301 */
305 {
323 {
326 }
328 do
329 {
332 {
335 {
337 }
340 }
341 }
346 else
349 cleanup:
356 }
359 {
371 }
374 {
386 {
389 }
393 {
396 }
400 {
403 }
408 {
411 }
416 {
420 }
424 {
428 }
433 cleanup:
438 }
441 {
442 #ifdef ENABLE_OPENPGP
454 {
457 }
461 {
464 }
468 {
471 }
476 {
479 }
484 {
488 }
492 {
496 }
501 cleanup:
506 #else
508 #endif
509 }
511 static
515 {
526 {
529 }
533 {
536 }
546 cleanup:
554 }
556 static
559 gnutls_digest_algorithm_t hash_algo,
561 {
578 }
580 /**
581 * gnutls_store_pubkey:
582 * @db_name: A file specifying the stored keys (use NULL for the default)
583 * @tdb: A storage structure or NULL to use the default
584 * @host: The peer's name
585 * @service: non-NULL if this key is specific to a service (e.g. http)
586 * @cert_type: The type of the certificate
587 * @cert: The data of the certificate
588 * @expiration: The expiration time (use 0 to disable expiration)
589 * @flags: should be 0.
590 *
591 * This function will store the provided certificate to
592 * the list of stored public keys. The key will be considered valid until
593 * the provided expiration time.
594 *
595 * The @store variable if non-null specifies a custom backend for
596 * the storage of entries. If it is NULL then the
597 * default file backend will be used.
598 *
599 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
600 * negative error value.
601 *
602 * Since: 3.0
603 **/
604 int
606 gnutls_tdb_t tdb,
609 gnutls_certificate_type_t cert_type,
613 {
623 {
635 }
642 else
645 {
648 }
656 cleanup:
661 }
663 /**
664 * gnutls_store_commitment:
665 * @db_name: A file specifying the stored keys (use NULL for the default)
666 * @tdb: A storage structure or NULL to use the default
667 * @host: The peer's name
668 * @service: non-NULL if this key is specific to a service (e.g. http)
669 * @hash_algo: The hash algorithm type
670 * @hash: The raw hash
671 * @expiration: The expiration time (use 0 to disable expiration)
672 * @flags: should be 0.
673 *
674 * This function will store the provided hash commitment to
675 * the list of stored public keys. The key with the given
676 * hash will be considered valid until the provided expiration time.
677 *
678 * The @store variable if non-null specifies a custom backend for
679 * the storage of entries. If it is NULL then the
680 * default file backend will be used.
681 *
682 * Note that this function is not thread safe with the default backend.
683 *
684 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
685 * negative error value.
686 *
687 * Since: 3.0
688 **/
689 int
691 gnutls_tdb_t tdb,
694 gnutls_digest_algorithm_t hash_algo,
698 {
710 {
722 }
736 }
741 {
751 else
755 }
757 /**
758 * gnutls_tdb_init:
759 * @tdb: The structure to be initialized
760 *
761 * This function will initialize a public key trust storage structure.
762 *
763 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
764 * negative error value.
765 **/
767 {
774 }
776 /**
777 * gnutls_set_store_func:
778 * @tdb: The trust storage
779 * @store: The storage function
780 *
781 * This function will associate a storage function with the
782 * trust storage structure. The function is of the following form.
783 *
784 * gnutls_tdb_store_func(const char* db_name, const char* host,
785 * const char* service, time_t expiration,
786 * const gnutls_datum_t* pubkey);
787 *
788 **/
790 {
792 }
794 /**
795 * gnutls_set_store_commitment_func:
796 * @tdb: The trust storage
797 * @cstore: The commitment storage function
798 *
799 * This function will associate a commitment (hash) storage function with the
800 * trust storage structure. The function is of the following form.
801 *
802 * gnutls_tdb_store_commitment_func(const char* db_name, const char* host,
803 * const char* service, time_t expiration,
804 * gnutls_digest_algorithm_t, const gnutls_datum_t* hash);
805 *
806 **/
808 gnutls_tdb_store_commitment_func cstore)
809 {
811 }
813 /**
814 * gnutls_set_verify_func:
815 * @tdb: The trust storage
816 * @verify: The verification function
817 *
818 * This function will associate a retrieval function with the
819 * trust storage structure. The function is of the following form.
820 *
821 * gnutls_tdb_verify_func(const char* db_name, const char* host,
822 * const char* service, const gnutls_datum_t* pubkey);
823 *
824 **/
826 {
828 }
830 /**
831 * gnutls_tdb_deinit:
832 * @tdb: The structure to be deinitialized
833 *
834 * This function will deinitialize a public key trust storage structure.
835 **/
837 {
839 }