The hash in gnutls_store_commitment() is specified in raw format.

author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2012-02-15 08:54:54 +0100
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2012-02-15 08:54:54 +0100
commit: 1f245ddb9ab672a0b253b711e58c186dd6d1ae4f (patch)
tree: f6cce0df88ae3090190c96c31107c8139ecd8cd3
parent: 0b215d3f27f52808ca7bf2b5a8192fe61ae9203f (diff)
download: gnutls-1f245ddb9ab672a0b253b711e58c186dd6d1ae4f.tar.gz
4 files changed, 15 insertions, 10 deletions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index b27b268706..2068f5c05a 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -282,6 +282,7 @@ consult @xcite{RFC2818} and section @ref{ex:verify} for an example.
 @cindex verifying certificate paths
 @cindex SSH-style authentication
 @cindex Trust on first use
+@cindex Key pinning
 @tindex gnutls_certificate_verify_flags
 
 It is possible to use a trust on first use (similar to SSH) authentication 
@@ -318,7 +319,7 @@ of those functions is shown below.
                                              const char* service,
                                              time_t expiration,
                                              gnutls_digest_algorithm_t halgo,
-                                             const char* hash);  
+                                             const gnutls_datum_t* hash);
 
   typedef int (*gnutls_trust_db_retr_func) (const char* db_name, 
                                             const char* host,
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 820f09062d..4b3179581a 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -74,7 +74,7 @@ COBJECTS = gnutls_record.c gnutls_compress.c debug.c gnutls_cipher.c	\
 	gnutls_rsa_export.c gnutls_helper.c gnutls_supplemental.c	\
 	random.c crypto-api.c gnutls_privkey.c gnutls_pcert.c		\
 	gnutls_pubkey.c locks.c hash.c gnutls_dtls.c system_override.c	\
-	crypto-backend.c verify-ssh.c
+	crypto-backend.c verify-tofu.c
 
 if ENABLE_PKCS11
 COBJECTS += pkcs11.c pkcs11_privkey.c pkcs11_write.c pkcs11_secret.c
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 0c26301e7f..dc4d716bab 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1671,7 +1671,7 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session);
                                              const char* service,
                                              time_t expiration,
                                              gnutls_digest_algorithm_t hash_algo,
-                                             const char* hash);
+                                             const gnutls_datum_t* hash);
   
   /* searches for the provided host/service pair that match the
    * provided public key in the database. */
@@ -1698,7 +1698,7 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session);
                     const char* host,
                     const char* service,
                     gnutls_digest_algorithm_t hash_algo,
-                    const char* hash,
+                    const gnutls_datum_t* hash,
                     time_t expiration,
                     unsigned int flags);
 
diff --git a/lib/verify-ssh.c b/lib/verify-tofu.c
index f11e3205de..d4461eeca4 100644
--- a/lib/verify-ssh.c
+++ b/lib/verify-tofu.c
@@ -46,7 +46,7 @@ static
 int store_commitment(const char* db_name, const char* host,
                  const char* service, time_t expiration, 
                  gnutls_digest_algorithm_t hash_algo,
-                 const char* hash);
+                 const gnutls_datum_t* hash);
 static 
 int store_pubkey(const char* db_name, const char* host,
                  const char* service, time_t expiration, const gnutls_datum_t* pubkey);
@@ -536,9 +536,10 @@ static
 int store_commitment(const char* db_name, const char* host,
                  const char* service, time_t expiration, 
                  gnutls_digest_algorithm_t hash_algo,
-                 const char* hash)
+                 const gnutls_datum_t* hash)
 {
 FILE* fd;
+char buffer[MAX_HASH_SIZE*2+1];
 
   fd = fopen(db_name, "ab+");
   if (fd == NULL)
@@ -548,7 +549,7 @@ FILE* fd;
   if (host == NULL) host = "*";
 
   fprintf(fd, "|c0|%s|%s|%lu|%u|%s\n", host, service, (unsigned long)expiration, 
-          (unsigned)hash_algo, hash);
+          (unsigned)hash_algo, _gnutls_bin2hex(hash->data, hash->size, buffer, sizeof(buffer), NULL));
   
   fclose(fd);
   
@@ -647,7 +648,7 @@ cleanup:
  * @host: The peer's name
  * @service: non-NULL if this key is specific to a service (e.g. http)
  * @hash_algo: The hash algorithm type
- * @hash: The hex-encoded hash
+ * @hash: The raw hash
  * @expiration: The expiration time (use 0 to disable expiration)
  * @flags: should be 0.
  *
@@ -672,7 +673,7 @@ gnutls_store_commitment(const char* db_name,
                     const char* host,
                     const char* service,
                     gnutls_digest_algorithm_t hash_algo,
-                    const char* hash,
+                    const gnutls_datum_t* hash,
                     time_t expiration,
                     unsigned int flags)
 {
@@ -682,7 +683,10 @@ char local_file[MAX_FILENAME];
 
   if (hash_algo == GNUTLS_DIG_MD5 || hash_algo == GNUTLS_DIG_MD2)
     return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
-  
+    
+  if (_gnutls_hash_get_algo_len(hash_algo) != hash->size)
+    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
   if (db_name == NULL && tdb == NULL)
     {
       ret = _gnutls_find_config_path(local_file, sizeof(local_file));
author	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2012-02-15 08:54:54 +0100
committer	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2012-02-15 08:54:54 +0100
commit	1f245ddb9ab672a0b253b711e58c186dd6d1ae4f (patch)
tree	f6cce0df88ae3090190c96c31107c8139ecd8cd3
parent	0b215d3f27f52808ca7bf2b5a8192fe61ae9203f (diff)
download	gnutls-1f245ddb9ab672a0b253b711e58c186dd6d1ae4f.tar.gz