removing more -- hopefully all -- openpgp related code

src/daemon/https/gnutls.h

@@ -128,9 +128,6 @@ extern "C"
     GNUTLS_HANDSHAKE_SUPPLEMENTAL = 23
   } gnutls_handshake_description_t;
 
-/* Note that the status bits have different meanings
- * in openpgp keys and x.509 certificate verification.
- */
   typedef enum
   {
     GNUTLS_CERT_INVALID = 2,    /* will be set if the certificate
@@ -155,11 +152,6 @@ extern "C"
     GNUTLS_CERT_REQUIRE
   } gnutls_certificate_request_t;
 
-  typedef enum
-  { GNUTLS_OPENPGP_CERT,
-    GNUTLS_OPENPGP_CERT_FINGERPRINT
-  } gnutls_openpgp_crt_status_t;
-
   typedef enum
   {
     GNUTLS_SHUT_RDWR = 0,
@@ -639,9 +631,6 @@ extern "C"
   void MHD_gnutls_session_set_ptr (mhd_gtls_session_t session, void *ptr);
   void * MHD_gtls_session_get_ptr (mhd_gtls_session_t session);
 
-  void MHD_gtls_openpgp_send_cert (mhd_gtls_session_t session,
-                                 gnutls_openpgp_crt_status_t status);
-
 /*
  * this function returns the hash of the given data.
  */
@@ -798,26 +787,18 @@ extern "C"
     GNUTLS_SAN_OTHERNAME_XMPP = 1000
   } gnutls_x509_subject_alt_name_t;
 
-  struct gnutls_openpgp_crt_int;
-  typedef struct gnutls_openpgp_crt_int *gnutls_openpgp_crt_t;
-
-  struct gnutls_openpgp_privkey_int;
-  typedef struct gnutls_openpgp_privkey_int *gnutls_openpgp_privkey_t;
-
   typedef struct gnutls_retr_st
   {
     gnutls_certificate_type_t type;
     union cert
     {
       gnutls_x509_crt_t *x509;
-      gnutls_openpgp_crt_t pgp;
     } cert;
-    unsigned int ncerts;        /* one for pgp keys */
+    unsigned int ncerts;
 
     union key
     {
       gnutls_x509_privkey_t x509;
-      gnutls_openpgp_privkey_t pgp;
     } key;
 
     unsigned int deinit_all;    /* if non zero all keys will be deinited */
@@ -1026,7 +1007,6 @@ extern "C"
 #define GNUTLS_E_NO_COMPRESSION_ALGORITHMS -86
 #define GNUTLS_E_NO_CIPHER_SUITES -87
 
-#define GNUTLS_E_OPENPGP_GETKEY_FAILED -88
 #define GNUTLS_E_PK_SIG_VERIFY_FAILED -89
 
 #define GNUTLS_E_ILLEGAL_SRP_USERNAME -90
@@ -1046,13 +1026,11 @@ extern "C"
 #define GNUTLS_E_ASN1_TYPE_ANY_ERROR -75
 #define GNUTLS_E_ASN1_SYNTAX_ERROR -76
 #define GNUTLS_E_ASN1_DER_OVERFLOW -77
-#define GNUTLS_E_OPENPGP_UID_REVOKED -79
 #define GNUTLS_E_CERTIFICATE_ERROR -43
 #define GNUTLS_E_X509_CERTIFICATE_ERROR GNUTLS_E_CERTIFICATE_ERROR
 #define GNUTLS_E_CERTIFICATE_KEY_MISMATCH -60
 #define GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE -61       /* GNUTLS_A_UNSUPPORTED_CERTIFICATE */
 #define GNUTLS_E_X509_UNKNOWN_SAN -62
-#define GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED -94
 #define GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE -95
 #define GNUTLS_E_UNKNOWN_HASH_ALGORITHM -96
 #define GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE -97
@@ -1073,7 +1051,6 @@ extern "C"
 #define GNUTLS_E_INCOMPATIBLE_CRYPTO_LIBRARY -202
 #define GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY -203
 
-#define GNUTLS_E_OPENPGP_KEYRING_ERROR -204
 #define GNUTLS_E_X509_UNSUPPORTED_OID -205
 
 #define GNUTLS_E_RANDOM_FAILED -206

src/daemon/https/tls/Makefile.am

@@ -47,7 +47,6 @@ gnutls_dh.c \
 gnutls_dh_primes.c \
 gnutls_errors.c \
 gnutls_extensions.c \
-gnutls_extra_hooks.c \
 gnutls_global.c \
 gnutls_handshake.c \
 gnutls_hash_int.c \

src/daemon/https/tls/auth_cert.c

@@ -43,15 +43,11 @@
 #include <gnutls_state.h>
 #include <gnutls_pk.h>
 #include <gnutls_x509.h>
-#include <gnutls_extra_hooks.h>
 #include "debug.h"
 
 static gnutls_cert *alloc_and_load_x509_certs (gnutls_x509_crt_t * certs,
                                                unsigned);
 static gnutls_privkey *alloc_and_load_x509_key (gnutls_x509_privkey_t key);
-static gnutls_cert *alloc_and_load_pgp_certs (gnutls_openpgp_crt_t cert);
-static gnutls_privkey *alloc_and_load_pgp_key (const gnutls_openpgp_privkey_t
-                                               key);
 
 
 /* Copies data from a internal certificate struct (gnutls_cert) to 
@@ -255,41 +251,6 @@ _find_x509_cert (const mhd_gtls_cert_credentials_t cred,
 
 }
 
-/* Locates the most appropriate openpgp cert
- */
-static int
-_find_openpgp_cert (const mhd_gtls_cert_credentials_t cred,
-                    gnutls_pk_algorithm_t * pk_algos,
-                    int pk_algos_length, int *indx)
-{
-  unsigned i, j;
-
-  *indx = -1;
-
-  for (i = 0; i < cred->ncerts; i++)
-    {
-      for (j = 0; j < cred->cert_list_length[i]; j++)
-        {
-
-          /* If the *_SIGN algorithm matches
-           * the cert is our cert!
-           */
-          if ((_gnutls_check_pk_algo_in_list
-               (pk_algos, pk_algos_length,
-                cred->cert_list[i][0].subject_pk_algorithm) == 0)
-              && (cred->cert_list[i][0].cert_type == MHD_GNUTLS_CRT_OPENPGP))
-            {
-              *indx = i;
-              break;
-            }
-        }
-      if (*indx != -1)
-        break;
-    }
-
-  return 0;
-}
-
 /* Returns the number of issuers in the server's
  * certificate request packet.
  */
@@ -444,17 +405,9 @@ call_get_cert_callback (mhd_gtls_session_t session,
     }
   else
     {                           /* PGP */
-      if (st.ncerts > 1)
-        {
-          gnutls_assert ();
-          ret = GNUTLS_E_INVALID_REQUEST;
-          goto cleanup;
-        }
-
-      local_certs = alloc_and_load_pgp_certs (st.cert.pgp);
-      if (local_certs != NULL)
-        local_key = alloc_and_load_pgp_key (st.key.pgp);
-
+      gnutls_assert ();
+      ret = GNUTLS_E_INVALID_REQUEST;
+      goto cleanup;
     }
 
   mhd_gtls_selected_certs_set (session, local_certs,
@@ -477,22 +430,6 @@ cleanup:
           gnutls_x509_privkey_deinit (st.key.x509);
         }
     }
-  else
-    {
-      if (st.deinit_all)
-        {
-          if (_E_gnutls_openpgp_crt_deinit == NULL ||
-              _E_gnutls_openpgp_privkey_deinit == NULL)
-            {
-              gnutls_assert ();
-              return GNUTLS_E_INIT_LIBEXTRA;
-            }
-
-          _E_gnutls_openpgp_crt_deinit (st.cert.pgp);
-          _E_gnutls_openpgp_privkey_deinit (st.key.pgp);
-        }
-    }
-
   return ret;
 }
 
@@ -577,11 +514,6 @@ _select_client_cert (mhd_gtls_session_t session,
         result =
           _find_x509_cert (cred, _data, _data_size,
                            pk_algos, pk_algos_length, &indx);
-
-      if (session->security_parameters.cert_type == MHD_GNUTLS_CRT_OPENPGP)
-        result = _find_openpgp_cert (cred, pk_algos, pk_algos_length, &indx);
-
-
       if (result < 0)
         {
           gnutls_assert ();
@@ -667,136 +599,11 @@ mhd_gtls_gen_x509_crt (mhd_gtls_session_t session, opaque ** data)
   return ret;
 }
 
-enum PGPKeyDescriptorType
-{ PGP_KEY_FINGERPRINT, PGP_KEY };
-
-int
-mhd_gtls_gen_openpgp_certificate (mhd_gtls_session_t session, opaque ** data)
-{
-  int ret;
-  opaque *pdata;
-  gnutls_cert *apr_cert_list;
-  gnutls_privkey *apr_pkey;
-  int apr_cert_list_length;
-
-  /* find the appropriate certificate */
-  if ((ret =
-       mhd_gtls_get_selected_cert (session, &apr_cert_list,
-                                  &apr_cert_list_length, &apr_pkey)) < 0)
-    {
-      gnutls_assert ();
-      return ret;
-    }
-
-  ret = 3 + 1 + 3;
-
-  if (apr_cert_list_length > 0)
-    ret += apr_cert_list[0].raw.size;
-
-  (*data) = gnutls_malloc (ret);
-  pdata = (*data);
-
-  if (pdata == NULL)
-    {
-      gnutls_assert ();
-      return GNUTLS_E_MEMORY_ERROR;
-    }
-
-  mhd_gtls_write_uint24 (ret - 3, pdata);
-  pdata += 3;
-
-  *pdata = PGP_KEY;             /* whole key */
-  pdata++;
-
-  if (apr_cert_list_length > 0)
-    {
-      mhd_gtls_write_datum24 (pdata, apr_cert_list[0].raw);
-      pdata += (3 + apr_cert_list[0].raw.size);
-    }
-  else                          /* empty - no certificate */
-    mhd_gtls_write_uint24 (0, pdata);
-
-  return ret;
-}
-
-int
-mhd_gtls_gen_openpgp_certificate_fpr (mhd_gtls_session_t session, opaque ** data)
-{
-  int ret, packet_size;
-  size_t fpr_size;
-  opaque *pdata;
-  gnutls_cert *apr_cert_list;
-  gnutls_privkey *apr_pkey;
-  int apr_cert_list_length;
-
-  /* find the appropriate certificate */
-  if ((ret =
-       mhd_gtls_get_selected_cert (session, &apr_cert_list,
-                                  &apr_cert_list_length, &apr_pkey)) < 0)
-    {
-      gnutls_assert ();
-      return ret;
-    }
-
-  packet_size = 3 + 1;
-
-  /* Only v4 fingerprints are sent 
-   */
-  if (apr_cert_list_length > 0 && apr_cert_list[0].version == 4)
-    packet_size += 20 + 1;
-  else                          /* empty certificate case */
-    return mhd_gtls_gen_openpgp_certificate (session, data);
-
-  (*data) = gnutls_malloc (packet_size);
-  pdata = (*data);
-
-  if (pdata == NULL)
-    {
-      gnutls_assert ();
-      return GNUTLS_E_MEMORY_ERROR;
-    }
-
-  mhd_gtls_write_uint24 (packet_size - 3, pdata);
-  pdata += 3;
-
-  *pdata = PGP_KEY_FINGERPRINT; /* key fingerprint */
-  pdata++;
-
-  *pdata = 20;
-  pdata++;
-
-  fpr_size = 20;
-
-  if (_E_gnutls_openpgp_fingerprint == NULL)
-    {
-      gnutls_assert ();
-      return GNUTLS_E_INIT_LIBEXTRA;
-    }
-
-  if ((ret =
-       _E_gnutls_openpgp_fingerprint (&apr_cert_list[0].raw, pdata,
-                                      &fpr_size)) < 0)
-    {
-      gnutls_assert ();
-      return ret;
-    }
-
-  return packet_size;
-}
-
-
-
 int
 mhd_gtls_gen_cert_client_certificate (mhd_gtls_session_t session, opaque ** data)
 {
   switch (session->security_parameters.cert_type)
     {
-    case MHD_GNUTLS_CRT_OPENPGP:
-      if (mhd_gtls_openpgp_send_fingerprint (session) == 0)
-        return mhd_gtls_gen_openpgp_certificate (session, data);
-      else
-        return mhd_gtls_gen_openpgp_certificate_fpr (session, data);
-
     case MHD_GNUTLS_CRT_X509:
       return mhd_gtls_gen_x509_crt (session, data);
 
@@ -811,8 +618,6 @@ mhd_gtls_gen_cert_server_certificate (mhd_gtls_session_t session, opaque ** data
 {
   switch (session->security_parameters.cert_type)
     {
-    case MHD_GNUTLS_CRT_OPENPGP:
-      return mhd_gtls_gen_openpgp_certificate (session, data);
     case MHD_GNUTLS_CRT_X509:
       return mhd_gtls_gen_x509_crt (session, data);
     default:
@@ -967,184 +772,6 @@ cleanup:
 }
 
 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) mhd_gtls_gcert_deinit(&peer_certificate_list[x])
-int
-mhd_gtls_proc_openpgp_server_certificate (mhd_gtls_session_t session,
-                                         opaque * data, size_t data_size)
-{
-  int size, ret, len;
-  opaque *p = data;
-  cert_auth_info_t info;
-  mhd_gtls_cert_credentials_t cred;
-  ssize_t dsize = data_size;
-  int i, x;
-  gnutls_cert *peer_certificate_list = NULL;
-  int peer_certificate_list_size = 0;
-  gnutls_datum_t tmp, akey = { NULL, 0 };
-
-  cred = (mhd_gtls_cert_credentials_t)
-    mhd_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
-  if (cred == NULL)
-    {
-      gnutls_assert ();
-      return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
-    }
-
-  if ((ret =
-       mhd_gtls_auth_info_set (session, MHD_GNUTLS_CRD_CERTIFICATE,
-                              sizeof (cert_auth_info_st), 1)) < 0)
-    {
-      gnutls_assert ();
-      return ret;
-    }
-
-  info = mhd_gtls_get_auth_info (session);
-
-  if (data == NULL || data_size == 0)
-    {
-      gnutls_assert ();
-      return GNUTLS_E_NO_CERTIFICATE_FOUND;
-    }
-
-  DECR_LEN (dsize, 3);
-  size = mhd_gtls_read_uint24 (p);
-  p += 3;
-
-  if (size == 0)
-    {
-      gnutls_assert ();
-      /* no certificate was sent */
-      return GNUTLS_E_NO_CERTIFICATE_FOUND;
-    }
-  i = dsize;
-
-  /* Read PGPKeyDescriptor */
-  DECR_LEN (dsize, 1);
-  if (*p == PGP_KEY_FINGERPRINT)
-    {                           /* the fingerprint */
-      p++;
-
-      DECR_LEN (dsize, 1);
-      len = (uint8_t) * p;
-      p++;
-
-      if (len != 20)
-        {
-          gnutls_assert ();
-          return GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED;
-        }
-
-      DECR_LEN (dsize, 20);
-
-      /* request the actual key from our database, or
-       * a key server or anything.
-       */
-      if (_E_gnutls_openpgp_request_key == NULL)
-        {
-          gnutls_assert ();
-          return GNUTLS_E_INIT_LIBEXTRA;
-        }
-      if ((ret =
-           _E_gnutls_openpgp_request_key (session, &akey, cred, p, 20)) < 0)
-        {
-          gnutls_assert ();
-          return ret;
-        }
-      tmp = akey;
-      peer_certificate_list_size++;
-
-    }
-  else if (*p == PGP_KEY)
-    {                           /* the whole key */
-
-      p++;
-
-      /* Read the actual certificate */
-      DECR_LEN (dsize, 3);
-      len = mhd_gtls_read_uint24 (p);
-      p += 3;
-
-      if (len == 0)
-        {
-          gnutls_assert ();
-          /* no certificate was sent */
-          return GNUTLS_E_NO_CERTIFICATE_FOUND;
-        }
-
-      DECR_LEN (dsize, len);
-      peer_certificate_list_size++;
-
-      tmp.size = len;
-      tmp.data = p;
-
-    }
-  else
-    {
-      gnutls_assert ();
-      return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
-    }
-
-  /* ok we now have the peer's key in tmp datum
-   */
-
-  if (peer_certificate_list_size == 0)
-    {
-      gnutls_assert ();
-      return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
-    }
-
-  peer_certificate_list =
-    gnutls_alloca (sizeof (gnutls_cert) * (peer_certificate_list_size));
-  if (peer_certificate_list == NULL)
-    {
-      gnutls_assert ();
-      ret = GNUTLS_E_MEMORY_ERROR;
-      goto cleanup;
-    }
-  memset (peer_certificate_list, 0, sizeof (gnutls_cert) *
-          peer_certificate_list_size);
-
-  if (_E_gnutls_openpgp_raw_key_to_gcert == NULL)
-    {
-      gnutls_assert ();
-      ret = GNUTLS_E_INIT_LIBEXTRA;
-      goto cleanup;
-    }
-
-  if ((ret =
-       _E_gnutls_openpgp_raw_key_to_gcert (&peer_certificate_list[0],
-                                           &tmp)) < 0)
-    {
-      gnutls_assert ();
-      goto cleanup;
-    }
-
-  if ((ret =
-       _gnutls_copy_certificate_auth_info (info,
-                                           peer_certificate_list,
-                                           peer_certificate_list_size)) < 0)
-    {
-      gnutls_assert ();
-      goto cleanup;
-    }
-
-  if ((ret =
-       _gnutls_check_key_usage (&peer_certificate_list[0],
-                                gnutls_kx_get (session))) < 0)
-    {
-      gnutls_assert ();
-      goto cleanup;
-    }
-
-  ret = 0;
-
-cleanup:
-
-  _gnutls_free_datum (&akey);
-  CLEAR_CERTS;
-  gnutls_afree (peer_certificate_list);
-  return ret;
-
-}
 
 int
 mhd_gtls_proc_cert_server_certificate (mhd_gtls_session_t session,
@@ -1152,9 +779,6 @@ mhd_gtls_proc_cert_server_certificate (mhd_gtls_session_t session,
 {
   switch (session->security_parameters.cert_type)
     {
-    case MHD_GNUTLS_CRT_OPENPGP:
-      return mhd_gtls_proc_openpgp_server_certificate (session,
-                                                      data, data_size);
     case MHD_GNUTLS_CRT_X509:
       return mhd_gtls_proc_x509_server_certificate (session, data, data_size);
     default:
@@ -1262,13 +886,6 @@ mhd_gtls_proc_cert_cert_req (mhd_gtls_session_t session, opaque * data,
   size = mhd_gtls_read_uint16 (p);
   p += 2;
 
-  if (session->security_parameters.cert_type == MHD_GNUTLS_CRT_OPENPGP
-      && size != 0)
-    {
-      gnutls_assert ();         // size should be zero
-      return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
-    }
-
   DECR_LEN (dsize, size);
 
   /* now we ask the user to tell which one
@@ -1578,85 +1195,6 @@ alloc_and_load_x509_key (gnutls_x509_privkey_t key)
   return local_key;
 }
 
-/* converts the given pgp certificate to gnutls_cert* and allocates
- * space for them.
- */
-static gnutls_cert *
-alloc_and_load_pgp_certs (gnutls_openpgp_crt_t cert)
-{
-  gnutls_cert *local_certs;
-  int ret = 0;
-
-  if (cert == NULL)
-    return NULL;
-
-  local_certs = gnutls_malloc (sizeof (gnutls_cert));
-  if (local_certs == NULL)
-    {
-      gnutls_assert ();
-      return NULL;
-    }
-
-  if (_E_gnutls_openpgp_crt_to_gcert == NULL)
-    {
-      gnutls_assert ();
-      return NULL;
-    }
-
-  ret = _E_gnutls_openpgp_crt_to_gcert (local_certs, cert);
-  if (ret < 0)
-    {
-      gnutls_assert ();
-      return NULL;
-    }
-
-  if (ret < 0)
-    {
-      gnutls_assert ();
-      mhd_gtls_gcert_deinit (local_certs);
-      gnutls_free (local_certs);
-      return NULL;
-    }
-
-  return local_certs;
-}
-
-/* converts the given raw key to gnutls_privkey* and allocates
- * space for it.
- */
-static gnutls_privkey *
-alloc_and_load_pgp_key (const gnutls_openpgp_privkey_t key)
-{
-  gnutls_privkey *local_key;
-  int ret = 0;
-
-  if (key == NULL)
-    return NULL;
-
-  local_key = gnutls_malloc (sizeof (gnutls_privkey));
-  if (local_key == NULL)
-    {
-      gnutls_assert ();
-      return NULL;
-    }
-
-  if (_E_gnutls_openpgp_privkey_to_gkey == NULL)
-    {
-      gnutls_assert ();
-      return NULL;
-    }
-
-  ret = _E_gnutls_openpgp_privkey_to_gkey (local_key, key);
-  if (ret < 0)
-    {
-      gnutls_assert ();
-      return NULL;
-    }
-
-  return local_key;
-}
-
-
 void
 mhd_gtls_selected_certs_deinit (mhd_gtls_session_t session)
 {

src/daemon/https/tls/auth_cert.h

@@ -29,8 +29,6 @@
 #include "gnutls_auth.h"
 #include "auth_dh_common.h"
 #include "x509.h"
-#include "openpgp.h"
-#include "extra.h"
 
 /* This structure may be complex, but it's the only way to
  * support a server that has multiple certificates

src/daemon/https/tls/ext_cert_type.c

@@ -221,8 +221,6 @@ _gnutls_num2cert_type (int num)
     {
     case 0:
       return MHD_GNUTLS_CRT_X509;
-    case 1:
-      return MHD_GNUTLS_CRT_OPENPGP;
     default:
       return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
     }
@@ -238,8 +236,6 @@ _gnutls_cert_type2num (int cert_type)
     {
     case MHD_GNUTLS_CRT_X509:
       return 0;
-    case MHD_GNUTLS_CRT_OPENPGP:
-      return 1;
     default:
       return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
     }

src/daemon/https/tls/ext_inner_application.c

@@ -86,7 +86,7 @@ mhd_gtls_inner_app_send_params (mhd_gtls_session_t session,
   else
 #endif
     {
-      gnutls_ia_server_credentials_t cred = (gnutls_ia_server_credentials_t)
+      struct gnutls_ia_server_credentials_st * cred = (struct gnutls_ia_server_credentials_st*)
         mhd_gtls_get_cred (session->key, MHD_GNUTLS_CRD_IA, NULL);
 
       if (cred)

src/daemon/https/tls/ext_server_name.c

@@ -127,14 +127,14 @@ int
 mhd_gtls_server_name_send_params (mhd_gtls_session_t session,
                                  opaque * data, size_t _data_size)
 {
+  int total_size = 0;
+#if MHD_DEBUG_TLS
   uint16_t len;
   opaque *p;
   unsigned i;
   ssize_t data_size = _data_size;
-  int total_size = 0;
 
   /* this function sends the client extension data (dnsname) */
-#if MHD_DEBUG_TLS
   if (session->security_parameters.entity == GNUTLS_CLIENT)
     {
 

src/daemon/https/tls/gnutls_alert.c

@@ -231,10 +231,6 @@ MHD_gtls_error_to_alert (int err, int *level)
       ret = GNUTLS_A_INTERNAL_ERROR;
       _level = GNUTLS_AL_FATAL;
       break;
-    case GNUTLS_E_OPENPGP_GETKEY_FAILED:
-      ret = GNUTLS_A_CERTIFICATE_UNOBTAINABLE;
-      _level = GNUTLS_AL_FATAL;
-      break;
     case GNUTLS_E_DH_PRIME_UNACCEPTABLE:
     case GNUTLS_E_NO_CERTIFICATE_FOUND:
       ret = GNUTLS_A_INSUFFICIENT_SECURITY;

src/daemon/https/tls/gnutls_algorithms.c

@@ -1866,9 +1866,6 @@ MHD_gnutls_certificate_type_get_name (gnutls_certificate_type_t type)
 
   if (type == MHD_GNUTLS_CRT_X509)
     ret = "X.509";
-  if (type == MHD_GNUTLS_CRT_OPENPGP)
-    ret = "OPENPGP";
-
   return ret;
 }
 
@@ -1888,24 +1885,18 @@ MHD_gtls_certificate_type_get_id (const char *name)
 
   if (strcasecmp (name, "X.509") == 0 || strcasecmp (name, "X509") == 0)
     return MHD_GNUTLS_CRT_X509;
-  if (strcasecmp (name, "OPENPGP") == 0)
-    return MHD_GNUTLS_CRT_OPENPGP;
-
   return ret;
 }
 
 static const gnutls_certificate_type_t mhd_gtls_supported_certificate_types[] =
   { MHD_GNUTLS_CRT_X509,
-  MHD_GNUTLS_CRT_OPENPGP,
   0
 };
 
 /**
  * MHD_gtls_certificate_type_list:
  *
- * Get a list of certificate types.  Note that to be able to use
- * OpenPGP certificates, you must link to libgnutls-extra and call
- * gnutls_global_init_extra().
+ * Get a list of certificate types.
  *
  * Returns: a zero-terminated list of %gnutls_certificate_type_t
  * integers indicating the available certificate types.

src/daemon/https/tls/gnutls_cert.c

@@ -40,7 +40,6 @@
 #include <gnutls_state.h>
 #include <gnutls_auth_int.h>
 #include <gnutls_x509.h>
-#include <gnutls_extra_hooks.h>
 /* x509 */
 #include "x509.h"
 #include "mpi.h"
@@ -192,10 +191,7 @@ MHD_gnutls_certificate_free_credentials (mhd_gtls_cert_credentials_t sc)
   MHD_gnutls_certificate_free_crls (sc);
 #endif
 
-#ifndef KEYRING_HACK
-  if (_E_gnutls_openpgp_keyring_deinit)
-    _E_gnutls_openpgp_keyring_deinit (sc->keyring);
-#else
+#ifdef KEYRING_HACK
   _gnutls_free_datum (&sc->keyring);
 #endif
 
@@ -437,74 +433,6 @@ _gnutls_x509_get_raw_crt_expiration_time (const gnutls_datum_t * cert)
   return result;
 }
 
-/*-
-  * _gnutls_openpgp_crt_verify_peers - This function returns the peer's certificate status
-  * @session: is a gnutls session
-  *
-  * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.).
-  * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
-  *
-  -*/
-int
-_gnutls_openpgp_crt_verify_peers (mhd_gtls_session_t session,
-                                  unsigned int *status)
-{
-  cert_auth_info_t info;
-  mhd_gtls_cert_credentials_t cred;
-  int peer_certificate_list_size, ret;
-
-  CHECK_AUTH (MHD_GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
-
-  info = mhd_gtls_get_auth_info (session);
-  if (info == NULL)
-    return GNUTLS_E_INVALID_REQUEST;
-
-  cred = (mhd_gtls_cert_credentials_t)
-    mhd_gtls_get_cred (session->key, MHD_GNUTLS_CRD_CERTIFICATE, NULL);
-  if (cred == NULL)
-    {
-      gnutls_assert ();
-      return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
-    }
-
-  if (info->raw_certificate_list == NULL || info->ncerts == 0)
-    {
-      gnutls_assert ();
-      return GNUTLS_E_NO_CERTIFICATE_FOUND;
-    }
-
-  /* generate a list of gnutls_certs based on the auth info
-   * raw certs.
-   */
-  peer_certificate_list_size = info->ncerts;
-
-  if (peer_certificate_list_size != 1)
-    {
-      gnutls_assert ();
-      return GNUTLS_E_INTERNAL_ERROR;
-    }
-
-  /* Verify certificate
-   */
-  if (_E_gnutls_openpgp_verify_key == NULL)
-    {
-      gnutls_assert ();
-      return GNUTLS_E_INIT_LIBEXTRA;
-    }
-  ret =
-    _E_gnutls_openpgp_verify_key (cred, &info->raw_certificate_list[0],
-                                  peer_certificate_list_size, status);
-
-  if (ret < 0)
-    {
-      gnutls_assert ();
-      return ret;
-    }
-
-  return 0;
-}
-
-
 /**
   * MHD_gtls_certificate_verify_peers2 - This function returns the peer's certificate verification status
   * @session: is a gnutls session
@@ -552,8 +480,6 @@ MHD_gtls_certificate_verify_peers2 (mhd_gtls_session_t session,
     {
     case MHD_GNUTLS_CRT_X509:
       return _gnutls_x509_cert_verify_peers (session, status);
-    case MHD_GNUTLS_CRT_OPENPGP:
-      return _gnutls_openpgp_crt_verify_peers (session, status);
     default:
       return GNUTLS_E_INVALID_REQUEST;
     }
@@ -626,12 +552,6 @@ MHD_gtls_certificate_expiration_time_peers (mhd_gtls_session_t session)
       return _gnutls_x509_get_raw_crt_expiration_time (&info->
                                                        raw_certificate_list
                                                        [0]);
-    case MHD_GNUTLS_CRT_OPENPGP:
-      if (_E_gnutls_openpgp_get_raw_key_expiration_time == NULL)
-        return (time_t) - 1;
-      return _E_gnutls_openpgp_get_raw_key_expiration_time (&info->
-                                                            raw_certificate_list
-                                                            [0]);
     default:
       return (time_t) - 1;
     }
@@ -671,12 +591,6 @@ MHD_gtls_certificate_activation_time_peers (mhd_gtls_session_t session)
       return _gnutls_x509_get_raw_crt_activation_time (&info->
                                                        raw_certificate_list
                                                        [0]);
-    case MHD_GNUTLS_CRT_OPENPGP:
-      if (_E_gnutls_openpgp_get_raw_key_creation_time == NULL)
-        return (time_t) - 1;
-      return _E_gnutls_openpgp_get_raw_key_creation_time (&info->
-                                                          raw_certificate_list
-                                                          [0]);
     default:
       return (time_t) - 1;
     }
@@ -692,13 +606,6 @@ mhd_gtls_raw_cert_to_gcert (gnutls_cert * gcert,
     {
     case MHD_GNUTLS_CRT_X509:
       return mhd_gtls_x509_raw_cert_to_gcert (gcert, raw_cert, flags);
-    case MHD_GNUTLS_CRT_OPENPGP:
-      if (_E_gnutls_openpgp_raw_key_to_gcert == NULL)
-        {
-          gnutls_assert ();
-          return GNUTLS_E_INIT_LIBEXTRA;
-        }
-      return _E_gnutls_openpgp_raw_key_to_gcert (gcert, raw_cert);
     default:
       gnutls_assert ();
       return GNUTLS_E_INTERNAL_ERROR;
@@ -715,17 +622,6 @@ mhd_gtls_raw_privkey_to_gkey (gnutls_privkey * key,
     {
     case MHD_GNUTLS_CRT_X509:
       return _gnutls_x509_raw_privkey_to_gkey (key, raw_key, key_enc);
-#if ENABLE_OPENPGP
-    case MHD_GNUTLS_CRT_OPENPGP:
-      if (_E_gnutls_openpgp_raw_privkey_to_gkey == NULL)
-        {
-          gnutls_assert ();
-          return GNUTLS_E_INIT_LIBEXTRA;
-        }
-      return _E_gnutls_openpgp_raw_privkey_to_gkey (key, raw_key,
-                                                    (gnutls_openpgp_crt_fmt_t)
-                                                    key_enc);
-#endif
     default:
       gnutls_assert ();
       return GNUTLS_E_INTERNAL_ERROR;

src/daemon/https/tls/gnutls_errors.c

@@ -205,22 +205,15 @@ static const gnutls_error_entry mhd_gtls_error_algorithms[] = {
   ERROR_ENTRY (N_("The tasn1 library version is too old."),
                GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY, 1),
 
-  ERROR_ENTRY (N_("Error loading the keyring."),
-               GNUTLS_E_OPENPGP_KEYRING_ERROR, 1),
   ERROR_ENTRY (N_("The initialization of LZO has failed."),
                GNUTLS_E_LZO_INIT_FAILED, 1),
   ERROR_ENTRY (N_("No supported compression algorithms have been found."),
                GNUTLS_E_NO_COMPRESSION_ALGORITHMS, 1),
   ERROR_ENTRY (N_("No supported cipher suites have been found."),
                GNUTLS_E_NO_CIPHER_SUITES, 1),
-  ERROR_ENTRY (N_("Could not get OpenPGP key."),
-               GNUTLS_E_OPENPGP_GETKEY_FAILED, 1),
-
   ERROR_ENTRY (N_("The SRP username supplied is illegal."),
                GNUTLS_E_ILLEGAL_SRP_USERNAME, 1),
 
-  ERROR_ENTRY (N_("The OpenPGP fingerprint is not supported."),
-               GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1),
   ERROR_ENTRY (N_("The certificate has unsupported attributes."),
                GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE, 1),
   ERROR_ENTRY (N_("The OID is not supported."), GNUTLS_E_X509_UNSUPPORTED_OID,

src/daemon/https/tls/gnutls_extra_hooks.c

@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2007 Free Software Foundation
- *
- * Author: Simon Josefsson
- *
- * This file is part of GNUTLS.
- *
- * The GNUTLS library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA
- *
- */
-
-#include <gnutls_int.h>
-#include <gnutls_extra_hooks.h>
-
-/* Variables used by libgnutls, set by
-   _gnutls_add_openpgp_functions(), typically invoked by
-   libgnutls_extra. */
-_gnutls_openpgp_verify_key_func _E_gnutls_openpgp_verify_key = NULL;
-_gnutls_openpgp_crt_creation_time_func
-  _E_gnutls_openpgp_get_raw_key_creation_time = NULL;
-_gnutls_openpgp_crt_expiration_time_func
-  _E_gnutls_openpgp_get_raw_key_expiration_time = NULL;
-_gnutls_openpgp_fingerprint_func _E_gnutls_openpgp_fingerprint = NULL;
-_gnutls_openpgp_crt_request_func _E_gnutls_openpgp_request_key = NULL;
-_gnutls_openpgp_raw_key_to_gcert_func _E_gnutls_openpgp_raw_key_to_gcert =
-  NULL;
-_gnutls_openpgp_raw_privkey_to_gkey_func _E_gnutls_openpgp_raw_privkey_to_gkey
-  = NULL;
-_gnutls_openpgp_crt_to_gcert_func _E_gnutls_openpgp_crt_to_gcert = NULL;
-_gnutls_openpgp_privkey_to_gkey_func _E_gnutls_openpgp_privkey_to_gkey = NULL;
-_gnutls_openpgp_crt_deinit_func _E_gnutls_openpgp_crt_deinit = NULL;
-_gnutls_openpgp_keyring_deinit_func _E_gnutls_openpgp_keyring_deinit = NULL;
-_gnutls_openpgp_privkey_deinit_func _E_gnutls_openpgp_privkey_deinit = NULL;
-
-/* Called by libgnutls_extra to set the OpenPGP functions that are
-   needed by GnuTLS.  */
-extern void
-  _gnutls_add_openpgp_functions
-  (_gnutls_openpgp_verify_key_func verify_key,
-   _gnutls_openpgp_crt_creation_time_func key_creation_time,
-   _gnutls_openpgp_crt_expiration_time_func key_expiration_time,
-   _gnutls_openpgp_fingerprint_func fingerprint,
-   _gnutls_openpgp_crt_request_func request_key,
-   _gnutls_openpgp_raw_key_to_gcert_func raw_key_to_gcert,
-   _gnutls_openpgp_raw_privkey_to_gkey_func raw_privkey_to_gkey,
-   _gnutls_openpgp_crt_to_gcert_func key_to_gcert,
-   _gnutls_openpgp_privkey_to_gkey_func privkey_to_gkey,
-   _gnutls_openpgp_crt_deinit_func key_deinit,
-   _gnutls_openpgp_keyring_deinit_func keyring_deinit,
-   _gnutls_openpgp_privkey_deinit_func privkey_deinit)
-{
-  _E_gnutls_openpgp_verify_key = verify_key;
-  _E_gnutls_openpgp_get_raw_key_creation_time = key_creation_time;
-  _E_gnutls_openpgp_get_raw_key_expiration_time = key_expiration_time;
-  _E_gnutls_openpgp_fingerprint = fingerprint;
-  _E_gnutls_openpgp_request_key = request_key;
-  _E_gnutls_openpgp_raw_key_to_gcert = raw_key_to_gcert;
-  _E_gnutls_openpgp_raw_privkey_to_gkey = raw_privkey_to_gkey;
-  _E_gnutls_openpgp_crt_to_gcert = key_to_gcert;
-  _E_gnutls_openpgp_privkey_to_gkey = privkey_to_gkey;
-  _E_gnutls_openpgp_crt_deinit = key_deinit;
-  _E_gnutls_openpgp_keyring_deinit = keyring_deinit;
-  _E_gnutls_openpgp_privkey_deinit = privkey_deinit;
-
-}

src/daemon/https/tls/gnutls_extra_hooks.h

@@ -1,106 +0,0 @@
-/*
- * Copyright (C) 2007 Free Software Foundation
- *
- * Author: Simon Josefsson
- *
- * This file is part of GNUTLS.
- *
- * The GNUTLS library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA
- *
- */
-
-/* This file is included by libgnutls-extra, and it will call the
-   _gnutls_add_openpgp_functions() function to register its OpenPGP
-   functions. */
-
-#include <auth_cert.h>
-
-typedef int (*_gnutls_openpgp_verify_key_func)
-(const mhd_gtls_cert_credentials_t,
- const gnutls_datum_t *, int,
- unsigned int *);
-
-typedef time_t (*_gnutls_openpgp_crt_creation_time_func)
-(const gnutls_datum_t *);
-
-typedef time_t (*_gnutls_openpgp_crt_expiration_time_func)
-(const gnutls_datum_t *);
-
-typedef int (*_gnutls_openpgp_crt_request_func)
-(mhd_gtls_session_t, gnutls_datum_t *,
- const mhd_gtls_cert_credentials_t,
- opaque *, int);
-
-typedef int (*_gnutls_openpgp_fingerprint_func)
-(const gnutls_datum_t *,
- unsigned char *, size_t *);
-
-typedef int (*_gnutls_openpgp_raw_key_to_gcert_func)
-(gnutls_cert *,
- const gnutls_datum_t *);
-typedef int (*_gnutls_openpgp_raw_privkey_to_gkey_func)
-(gnutls_privkey *,
- const gnutls_datum_t *,
- gnutls_openpgp_crt_fmt_t);
-
-typedef int (*_gnutls_openpgp_crt_to_gcert_func)
-(gnutls_cert *, gnutls_openpgp_crt_t);
-
-typedef int (*_gnutls_openpgp_privkey_to_gkey_func)
-(gnutls_privkey *,
- gnutls_openpgp_privkey_t);
-
-typedef void (*_gnutls_openpgp_crt_deinit_func)
-(gnutls_openpgp_crt_t);
-
-typedef void (*_gnutls_openpgp_keyring_deinit_func)
-(gnutls_openpgp_keyring_t);
-
-typedef void (*_gnutls_openpgp_privkey_deinit_func)
-(gnutls_openpgp_privkey_t);
-
-/* These are defined in libgnutls, but not exported from libgnutls,
-   and not intended to be used by libgnutls-extra or elsewhere.  They
-   are declared here, because this file is included by auth_cert.c and
-   gnutls_cert.c too.  */
-extern _gnutls_openpgp_verify_key_func _E_gnutls_openpgp_verify_key;
-extern _gnutls_openpgp_crt_creation_time_func
-_E_gnutls_openpgp_get_raw_key_creation_time;
-extern _gnutls_openpgp_crt_expiration_time_func
-_E_gnutls_openpgp_get_raw_key_expiration_time;
-extern _gnutls_openpgp_fingerprint_func _E_gnutls_openpgp_fingerprint;
-extern _gnutls_openpgp_crt_request_func _E_gnutls_openpgp_request_key;
-extern _gnutls_openpgp_raw_key_to_gcert_func _E_gnutls_openpgp_raw_key_to_gcert;
-extern _gnutls_openpgp_raw_privkey_to_gkey_func _E_gnutls_openpgp_raw_privkey_to_gkey;
-extern _gnutls_openpgp_crt_to_gcert_func _E_gnutls_openpgp_crt_to_gcert;
-extern _gnutls_openpgp_privkey_to_gkey_func _E_gnutls_openpgp_privkey_to_gkey;
-extern _gnutls_openpgp_crt_deinit_func _E_gnutls_openpgp_crt_deinit;
-extern _gnutls_openpgp_keyring_deinit_func _E_gnutls_openpgp_keyring_deinit;
-extern _gnutls_openpgp_privkey_deinit_func _E_gnutls_openpgp_privkey_deinit;
-
-extern void _gnutls_add_openpgp_functions
-(_gnutls_openpgp_verify_key_func verify_key,
- _gnutls_openpgp_crt_creation_time_func key_creation_time,
- _gnutls_openpgp_crt_expiration_time_func key_expiration_time,
- _gnutls_openpgp_fingerprint_func fingerprint,
- _gnutls_openpgp_crt_request_func request_key,
- _gnutls_openpgp_raw_key_to_gcert_func raw_key_to_gcert,
- _gnutls_openpgp_raw_privkey_to_gkey_func raw_privkey_to_gkey,
- _gnutls_openpgp_crt_to_gcert_func key_to_gcert,
- _gnutls_openpgp_privkey_to_gkey_func privkey_to_gkey,
- _gnutls_openpgp_crt_deinit_func key_deinit,
- _gnutls_openpgp_keyring_deinit_func keyring_deinit,
- _gnutls_openpgp_privkey_deinit_func privkey_deinit);

src/daemon/https/tls/gnutls_int.h

@@ -28,7 +28,6 @@
 #include <defines.h>
 
 #include "gnutls.h"
-#include "extra.h"
 #include "microhttpd.h"
 
 #include "gnutls_mem.h"

src/daemon/https/tls/gnutls_state.c

@@ -593,23 +593,6 @@ mhd_gtls_dh_set_group (mhd_gtls_session_t session, mpi_t gen, mpi_t prime)
   return 0;
 }
 
-/**
- * MHD_gtls_openpgp_send_cert - This function will order gnutls to send the openpgp fingerprint instead of the key
- * @session: is a pointer to a #mhd_gtls_session_t structure.
- * @status: is one of GNUTLS_OPENPGP_CERT, or GNUTLS_OPENPGP_CERT_FINGERPRINT
- *
- * This function will order gnutls to send the key fingerprint
- * instead of the key in the initial handshake procedure. This should
- * be used with care and only when there is indication or knowledge
- * that the server can obtain the client's key.
- **/
-void
-MHD_gtls_openpgp_send_cert (mhd_gtls_session_t session,
-                          gnutls_openpgp_crt_status_t status)
-{
-  session->internals.pgp_fingerprint = status;
-}
-
 /**
  * MHD_gnutls_certificate_send_x509_rdn_sequence - This function will order gnutls to send or not the x.509 rdn sequence
  * @session: is a pointer to a #mhd_gtls_session_t structure.
@@ -631,12 +614,6 @@ MHD_gnutls_certificate_send_x509_rdn_sequence (mhd_gtls_session_t session,
   session->internals.ignore_rdn_sequence = status;
 }
 
-int
-mhd_gtls_openpgp_send_fingerprint (mhd_gtls_session_t session)
-{
-  return session->internals.pgp_fingerprint;
-}
-
 /*-
  * _gnutls_record_set_default_version - Used to set the default version for the first record packet
  * @session: is a #mhd_gtls_session_t structure.

src/include/microhttpd.h

@@ -1094,8 +1094,7 @@ typedef enum
 typedef enum
 {
   MHD_GNUTLS_CRT_UNKNOWN = 0,
-  MHD_GNUTLS_CRT_X509 = 1,
-  MHD_GNUTLS_CRT_OPENPGP
+  MHD_GNUTLS_CRT_X509 = 1
 } gnutls_certificate_type_t;
 
 typedef enum