search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Correctly restore gnutls_record_recv() in DTLS mode if interrupted during the retrasm...
[gnutls.git] / lib / openpgp / gnutls_openpgp.c
blob7065bf2af4010736465362bf665752f2dbf52302
1 /*
2 * Copyright (C) 2002-2012 Free Software Foundation, Inc.
3 *
4 * Author: Timo Schulz, Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 #include "gnutls_int.h"
24 #include "gnutls_errors.h"
25 #include "gnutls_mpi.h"
26 #include "gnutls_num.h"
27 #include "gnutls_datum.h"
28 #include "gnutls_global.h"
29 #include "gnutls_openpgp.h"
30 #include "read-file.h"
31 #include <gnutls/abstract.h>
32 #include <gnutls_str.h>
33 #include <gnutls_sig.h>
34 #include <stdio.h>
35 #include <sys/stat.h>
36
37 /* Map an OpenCDK error type to a GnuTLS error type. */
38 int
39 _gnutls_map_cdk_rc (int rc)
40 {
41 switch (rc)
42 {
43 case CDK_Success:
44 return 0;
45 case CDK_EOF:
46 return GNUTLS_E_PARSING_ERROR;
47 case CDK_Too_Short:
48 return GNUTLS_E_SHORT_MEMORY_BUFFER;
49 case CDK_General_Error:
50 return GNUTLS_E_INTERNAL_ERROR;
51 case CDK_File_Error:
52 return GNUTLS_E_FILE_ERROR;
53 case CDK_MPI_Error:
54 return GNUTLS_E_MPI_SCAN_FAILED;
55 case CDK_Error_No_Key:
56 return GNUTLS_E_OPENPGP_GETKEY_FAILED;
57 case CDK_Armor_Error:
58 return GNUTLS_E_BASE64_DECODING_ERROR;
59 case CDK_Inv_Value:
60 return GNUTLS_E_INVALID_REQUEST;
61 default:
62 return GNUTLS_E_INTERNAL_ERROR;
63 }
64 }
65
66 /**
67 * gnutls_certificate_set_openpgp_key:
68 * @res: is a #gnutls_certificate_credentials_t structure.
69 * @crt: contains an openpgp public key
70 * @pkey: is an openpgp private key
71 *
72 * This function sets a certificate/private key pair in the
73 * gnutls_certificate_credentials_t structure. This function may be
74 * called more than once (in case multiple keys/certificates exist
75 * for the server).
76 *
77 * Note that this function requires that the preferred key ids have
78 * been set and be used. See gnutls_openpgp_crt_set_preferred_key_id().
79 * Otherwise the master key will be used.
80 *
81 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
82 * otherwise a negative error code is returned.
83 **/
84 int
85 gnutls_certificate_set_openpgp_key (gnutls_certificate_credentials_t res,
86 gnutls_openpgp_crt_t crt,
87 gnutls_openpgp_privkey_t pkey)
88 {
89 int ret, ret2, i;
90 gnutls_privkey_t privkey;
91 gnutls_pcert_st *ccert = NULL;
92 char name[MAX_CN];
93 size_t max_size;
94 gnutls_str_array_t names;
95
96 _gnutls_str_array_init(&names);
97
98 /* this should be first */
99
100 ret = gnutls_privkey_init (&privkey);
101 if (ret < 0)
102 {
103 gnutls_assert ();
104 return ret;
105 }
106
107 ret =
108 gnutls_privkey_import_openpgp (privkey, pkey,
109 GNUTLS_PRIVKEY_IMPORT_COPY);
110 if (ret < 0)
111 {
112 gnutls_assert ();
113 goto cleanup;
114 }
115
116 ccert = gnutls_calloc (1, sizeof (gnutls_pcert_st));
117 if (ccert == NULL)
118 {
119 gnutls_assert ();
120 ret = GNUTLS_E_MEMORY_ERROR;
121 goto cleanup;
122 }
123
124 max_size = sizeof(name);
125 ret = 0;
126 for (i = 0; !(ret < 0); i++)
127 {
128 ret = gnutls_openpgp_crt_get_name(crt, i, name, &max_size);
129 if (ret >= 0)
130 {
131 ret2 = _gnutls_str_array_append(&names, name, max_size);
132 if (ret2 < 0)
133 {
134 gnutls_assert();
135 ret = ret2;
136 goto cleanup;
137 }
138 }
139 }
140
141 ret = gnutls_pcert_import_openpgp (ccert, crt, 0);
142 if (ret < 0)
143 {
144 gnutls_assert ();
145 goto cleanup;
146 }
147
148 ret = certificate_credentials_append_pkey (res, privkey);
149 if (ret >= 0)
150 ret = certificate_credential_append_crt_list (res, names, ccert, 1);
151
152 if (ret < 0)
153 {
154 gnutls_assert ();
155 goto cleanup;
156 }
157
158 res->ncerts++;
159
160 /* FIXME: Check if the keys match. */
161
162 return 0;
163
164 cleanup:
165 gnutls_privkey_deinit (privkey);
166 gnutls_free (ccert);
167 _gnutls_str_array_clear(&names);
168 return ret;
169 }
170
171 /*-
172 * gnutls_openpgp_get_key:
173 * @key: the destination context to save the key.
174 * @keyring: the datum struct that contains all keyring information.
175 * @attr: The attribute (keyid, fingerprint, ...).
176 * @by: What attribute is used.
177 *
178 * This function can be used to retrieve keys by different pattern
179 * from a binary or a file keyring.
180 -*/
181 int
182 gnutls_openpgp_get_key (gnutls_datum_t * key,
183 gnutls_openpgp_keyring_t keyring, key_attr_t by,
184 uint8_t * pattern)
185 {
186 cdk_kbnode_t knode = NULL;
187 unsigned long keyid[2];
188 unsigned char *buf;
189 void *desc;
190 size_t len;
191 int rc = 0;
192 cdk_keydb_search_t st;
193
194 if (!key || !keyring || by == KEY_ATTR_NONE)
195 {
196 gnutls_assert ();
197 return GNUTLS_E_INVALID_REQUEST;
198 }
199
200 memset (key, 0, sizeof *key);
201
202 if (by == KEY_ATTR_SHORT_KEYID)
203 {
204 keyid[0] = _gnutls_read_uint32 (pattern);
205 desc = keyid;
206 }
207 else if (by == KEY_ATTR_KEYID)
208 {
209 keyid[0] = _gnutls_read_uint32 (pattern);
210 keyid[1] = _gnutls_read_uint32 (pattern + 4);
211 desc = keyid;
212 }
213 else
214 desc = pattern;
215 rc = cdk_keydb_search_start (&st, keyring->db, by, desc);
216 if (!rc)
217 rc = cdk_keydb_search (st, keyring->db, &knode);
218
219 cdk_keydb_search_release (st);
220
221 if (rc)
222 {
223 rc = _gnutls_map_cdk_rc (rc);
224 goto leave;
225 }
226
227 if (!cdk_kbnode_find (knode, CDK_PKT_PUBLIC_KEY))
228 {
229 rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
230 goto leave;
231 }
232
233 /* We let the function allocate the buffer to avoid
234 to call the function twice. */
235 rc = cdk_kbnode_write_to_mem_alloc (knode, &buf, &len);
236 if (!rc)
237 _gnutls_datum_append (key, buf, len);
238 gnutls_free (buf);
239
240 leave:
241 cdk_kbnode_release (knode);
242 return rc;
243 }
244
245 /**
246 * gnutls_certificate_set_openpgp_key_mem:
247 * @res: the destination context to save the data.
248 * @cert: the datum that contains the public key.
249 * @key: the datum that contains the secret key.
250 * @format: the format of the keys
251 *
252 * This funtion is used to load OpenPGP keys into the GnuTLS credential
253 * structure. The datum should contain at least one valid non encrypted subkey.
254 *
255 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
256 * negative error value.
257 **/
258 int
259 gnutls_certificate_set_openpgp_key_mem (gnutls_certificate_credentials_t res,
260 const gnutls_datum_t * cert,
261 const gnutls_datum_t * key,
262 gnutls_openpgp_crt_fmt_t format)
263 {
264 return gnutls_certificate_set_openpgp_key_mem2 (res, cert, key,
265 NULL, format);
266 }
267
268 /**
269 * gnutls_certificate_set_openpgp_key_file:
270 * @res: the destination context to save the data.
271 * @certfile: the file that contains the public key.
272 * @keyfile: the file that contains the secret key.
273 * @format: the format of the keys
274 *
275 * This funtion is used to load OpenPGP keys into the GnuTLS
276 * credentials structure. The file should contain at least one valid non encrypted subkey.
277 *
278 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
279 * negative error value.
280 **/
281 int
282 gnutls_certificate_set_openpgp_key_file (gnutls_certificate_credentials_t res,
283 const char *certfile,
284 const char *keyfile,
285 gnutls_openpgp_crt_fmt_t format)
286 {
287 return gnutls_certificate_set_openpgp_key_file2 (res, certfile,
288 keyfile, NULL, format);
289 }
290
291 static int
292 get_keyid (gnutls_openpgp_keyid_t keyid, const char *str)
293 {
294 size_t keyid_size = GNUTLS_OPENPGP_KEYID_SIZE;
295
296 if (strlen (str) != 16)
297 {
298 _gnutls_debug_log
299 ("The OpenPGP subkey ID has to be 16 hexadecimal characters.\n");
300 return GNUTLS_E_INVALID_REQUEST;
301 }
302
303 if (_gnutls_hex2bin (str, strlen (str), keyid, &keyid_size) < 0)
304 {
305 _gnutls_debug_log ("Error converting hex string: %s.\n", str);
306 return GNUTLS_E_INVALID_REQUEST;
307 }
308
309 return 0;
310 }
311
312 /**
313 * gnutls_certificate_set_openpgp_key_mem2:
314 * @res: the destination context to save the data.
315 * @cert: the datum that contains the public key.
316 * @key: the datum that contains the secret key.
317 * @subkey_id: a hex encoded subkey id
318 * @format: the format of the keys
319 *
320 * This funtion is used to load OpenPGP keys into the GnuTLS
321 * credentials structure. The datum should contain at least one valid non encrypted subkey.
322 *
323 * The special keyword "auto" is also accepted as @subkey_id. In that
324 * case the gnutls_openpgp_crt_get_auth_subkey() will be used to
325 * retrieve the subkey.
326 *
327 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
328 * negative error value.
329 *
330 * Since: 2.4.0
331 **/
332 int
333 gnutls_certificate_set_openpgp_key_mem2 (gnutls_certificate_credentials_t res,
334 const gnutls_datum_t * cert,
335 const gnutls_datum_t * key,
336 const char *subkey_id,
337 gnutls_openpgp_crt_fmt_t format)
338 {
339 gnutls_openpgp_privkey_t pkey;
340 gnutls_openpgp_crt_t crt;
341 int ret;
342 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
343
344 ret = gnutls_openpgp_privkey_init (&pkey);
345 if (ret < 0)
346 {
347 gnutls_assert ();
348 return ret;
349 }
350
351 ret = gnutls_openpgp_privkey_import (pkey, key, format, NULL, 0);
352 if (ret < 0)
353 {
354 gnutls_assert ();
355 gnutls_openpgp_privkey_deinit (pkey);
356 return ret;
357 }
358
359 ret = gnutls_openpgp_crt_init (&crt);
360 if (ret < 0)
361 {
362 gnutls_assert ();
363 gnutls_openpgp_privkey_deinit (pkey);
364 return ret;
365 }
366
367 ret = gnutls_openpgp_crt_import (crt, cert, format);
368 if (ret < 0)
369 {
370 gnutls_assert ();
371 gnutls_openpgp_privkey_deinit (pkey);
372 gnutls_openpgp_crt_deinit (crt);
373 return ret;
374 }
375
376 if (subkey_id != NULL)
377 {
378 if (strcasecmp (subkey_id, "auto") == 0)
379 ret = gnutls_openpgp_crt_get_auth_subkey (crt, keyid, 1);
380 else
381 ret = get_keyid (keyid, subkey_id);
382
383 if (ret < 0)
384 gnutls_assert ();
385
386 if (ret >= 0)
387 {
388 ret = gnutls_openpgp_crt_set_preferred_key_id (crt, keyid);
389 if (ret >= 0)
390 ret = gnutls_openpgp_privkey_set_preferred_key_id (pkey, keyid);
391 }
392
393 if (ret < 0)
394 {
395 gnutls_assert ();
396 gnutls_openpgp_privkey_deinit (pkey);
397 gnutls_openpgp_crt_deinit (crt);
398 return ret;
399 }
400 }
401
402 ret = gnutls_certificate_set_openpgp_key (res, crt, pkey);
403
404 gnutls_openpgp_crt_deinit (crt);
405 gnutls_openpgp_privkey_deinit (pkey);
406
407 return ret;
408 }
409
410 /**
411 * gnutls_certificate_set_openpgp_key_file2:
412 * @res: the destination context to save the data.
413 * @certfile: the file that contains the public key.
414 * @keyfile: the file that contains the secret key.
415 * @subkey_id: a hex encoded subkey id
416 * @format: the format of the keys
417 *
418 * This funtion is used to load OpenPGP keys into the GnuTLS credential
419 * structure. The file should contain at least one valid non encrypted subkey.
420 *
421 * The special keyword "auto" is also accepted as @subkey_id. In that
422 * case the gnutls_openpgp_crt_get_auth_subkey() will be used to
423 * retrieve the subkey.
424 *
425 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
426 * negative error value.
427 *
428 * Since: 2.4.0
429 **/
430 int
431 gnutls_certificate_set_openpgp_key_file2 (gnutls_certificate_credentials_t
432 res, const char *certfile,
433 const char *keyfile,
434 const char *subkey_id,
435 gnutls_openpgp_crt_fmt_t format)
436 {
437 struct stat statbuf;
438 gnutls_datum_t key, cert;
439 int rc;
440 size_t size;
441
442 if (!res || !keyfile || !certfile)
443 {
444 gnutls_assert ();
445 return GNUTLS_E_INVALID_REQUEST;
446 }
447
448 if (stat (certfile, &statbuf) || stat (keyfile, &statbuf))
449 {
450 gnutls_assert ();
451 return GNUTLS_E_FILE_ERROR;
452 }
453
454 cert.data = (void*)read_binary_file (certfile, &size);
455 cert.size = (unsigned int) size;
456 if (cert.data == NULL)
457 {
458 gnutls_assert ();
459 return GNUTLS_E_FILE_ERROR;
460 }
461
462 key.data = (void*)read_binary_file (keyfile, &size);
463 key.size = (unsigned int) size;
464 if (key.data == NULL)
465 {
466 gnutls_assert ();
467 free (cert.data);
468 return GNUTLS_E_FILE_ERROR;
469 }
470
471 rc =
472 gnutls_certificate_set_openpgp_key_mem2 (res, &cert, &key, subkey_id,
473 format);
474
475 free (cert.data);
476 free (key.data);
477
478 if (rc < 0)
479 {
480 gnutls_assert ();
481 return rc;
482 }
483
484 return 0;
485 }
486
487
488 int
489 gnutls_openpgp_count_key_names (const gnutls_datum_t * cert)
490 {
491 cdk_kbnode_t knode, p, ctx;
492 cdk_packet_t pkt;
493 int nuids;
494
495 if (cert == NULL)
496 {
497 gnutls_assert ();
498 return 0;
499 }
500
501 if (cdk_kbnode_read_from_mem (&knode, 0, cert->data, cert->size))
502 {
503 gnutls_assert ();
504 return 0;
505 }
506
507 ctx = NULL;
508 for (nuids = 0;;)
509 {
510 p = cdk_kbnode_walk (knode, &ctx, 0);
511 if (!p)
512 break;
513 pkt = cdk_kbnode_get_packet (p);
514 if (pkt->pkttype == CDK_PKT_USER_ID)
515 nuids++;
516 }
517
518 cdk_kbnode_release (knode);
519 return nuids;
520 }
521
522 /**
523 * gnutls_certificate_set_openpgp_keyring_file:
524 * @c: A certificate credentials structure
525 * @file: filename of the keyring.
526 * @format: format of keyring.
527 *
528 * The function is used to set keyrings that will be used internally
529 * by various OpenPGP functions. For example to find a key when it
530 * is needed for an operations. The keyring will also be used at the
531 * verification functions.
532 *
533 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
534 * negative error value.
535 **/
536 int
537 gnutls_certificate_set_openpgp_keyring_file (gnutls_certificate_credentials_t c,
538 const char *file,
539 gnutls_openpgp_crt_fmt_t format)
540 {
541 gnutls_datum_t ring;
542 size_t size;
543 int rc;
544
545 if (!c || !file)
546 {
547 gnutls_assert ();
548 return GNUTLS_E_INVALID_REQUEST;
549 }
550
551 ring.data = (void*)read_binary_file (file, &size);
552 ring.size = (unsigned int) size;
553 if (ring.data == NULL)
554 {
555 gnutls_assert ();
556 return GNUTLS_E_FILE_ERROR;
557 }
558
559 rc =
560 gnutls_certificate_set_openpgp_keyring_mem (c, ring.data, ring.size,
561 format);
562
563 free (ring.data);
564
565 return rc;
566 }
567
568 /**
569 * gnutls_certificate_set_openpgp_keyring_mem:
570 * @c: A certificate credentials structure
571 * @data: buffer with keyring data.
572 * @dlen: length of data buffer.
573 * @format: the format of the keyring
574 *
575 * The function is used to set keyrings that will be used internally
576 * by various OpenPGP functions. For example to find a key when it
577 * is needed for an operations. The keyring will also be used at the
578 * verification functions.
579 *
580 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
581 * negative error value.
582 **/
583 int
584 gnutls_certificate_set_openpgp_keyring_mem (gnutls_certificate_credentials_t
585 c, const uint8_t * data,
586 size_t dlen,
587 gnutls_openpgp_crt_fmt_t format)
588 {
589 gnutls_datum_t ddata;
590 int rc;
591
592 ddata.data = (void *) data;
593 ddata.size = dlen;
594
595 if (!c || !data || !dlen)
596 {
597 gnutls_assert ();
598 return GNUTLS_E_INVALID_REQUEST;
599 }
600
601 rc = gnutls_openpgp_keyring_init (&c->keyring);
602 if (rc < 0)
603 {
604 gnutls_assert ();
605 return rc;
606 }
607
608 rc = gnutls_openpgp_keyring_import (c->keyring, &ddata, format);
609 if (rc < 0)
610 {
611 gnutls_assert ();
612 gnutls_openpgp_keyring_deinit (c->keyring);
613 return rc;
614 }
615
616 return 0;
617 }
618
619 /*-
620 * _gnutls_openpgp_request_key - Receives a key from a database, key server etc
621 * @ret - a pointer to gnutls_datum_t structure.
622 * @cred - a gnutls_certificate_credentials_t structure.
623 * @key_fingerprint - The keyFingerprint
624 * @key_fingerprint_size - the size of the fingerprint
625 *
626 * Retrieves a key from a local database, keyring, or a key server. The
627 * return value is locally allocated.
628 *
629 -*/
630 int
631 _gnutls_openpgp_request_key (gnutls_session_t session, gnutls_datum_t * ret,
632 const gnutls_certificate_credentials_t cred,
633 uint8_t * key_fpr, int key_fpr_size)
634 {
635 int rc = 0;
636
637 if (!ret || !cred || !key_fpr)
638 {
639 gnutls_assert ();
640 return GNUTLS_E_INVALID_REQUEST;
641 }
642
643 if (key_fpr_size != 16 && key_fpr_size != 20)
644 return GNUTLS_E_HASH_FAILED; /* only MD5 and SHA1 are supported */
645
646 rc = gnutls_openpgp_get_key (ret, cred->keyring, KEY_ATTR_FPR, key_fpr);
647
648 if (rc >= 0) /* key was found */
649 {
650 rc = 0;
651 goto error;
652 }
653 else
654 rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
655
656 /* If the callback function was set, then try this one. */
657 if (session->internals.openpgp_recv_key_func != NULL)
658 {
659 rc = session->internals.openpgp_recv_key_func (session,
660 key_fpr,
661 key_fpr_size, ret);
662 if (rc < 0)
663 {
664 gnutls_assert ();
665 rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
666 goto error;
667 }
668 }
669
670 error:
671
672 return rc;
673 }
674
675 /**
676 * gnutls_openpgp_set_recv_key_function:
677 * @session: a TLS session
678 * @func: the callback
679 *
680 * This funtion will set a key retrieval function for OpenPGP keys. This
681 * callback is only useful in server side, and will be used if the peer
682 * sent a key fingerprint instead of a full key.
683 *
684 **/
685 void
686 gnutls_openpgp_set_recv_key_function (gnutls_session_t session,
687 gnutls_openpgp_recv_key_func func)
688 {
689 session->internals.openpgp_recv_key_func = func;
690 }
691
Implementation of the SSL/TLS protocol