author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-10-30 18:51:50 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-10-30 18:51:50 +0100 |
commit | c8008cae74231ac83b08a2dc995415f2fea497fc (patch) | |
tree | ef204ab9eb6d77216f5d06e1a5a1b2fad56ed0bb /lib/openpgp | |
parent | 1566caaa8063a5b4cd544c97a60cbfedcf6c7a5c (diff) | |
download | gnutls-c8008cae74231ac83b08a2dc995415f2fea497fc.tar.gz |
Simplified certificate verification by adding gnutls_certificate_verify_peers3().
This function combines the RFC2818 hostname check with the certificate chain verification.
Diffstat (limited to 'lib/openpgp')
-rw-r--r-- | lib/openpgp/compat.c | 9 | ||||
-rw-r--r-- | lib/openpgp/gnutls_openpgp.h | 1 | ||||
-rw-r--r-- | lib/openpgp/pgp.c | 2 |
3 files changed, 11 insertions, 1 deletions
diff --git a/lib/openpgp/compat.c b/lib/openpgp/compat.c
index 7612d3f4c6..ebcb3afb82 100644
--- a/lib/openpgp/compat.c
+++ b/lib/openpgp/compat.c
@@ -30,6 +30,7 @@
 /*-
  * gnutls_openpgp_verify_key:
+ * @hostname: the name of the certificate holder
  * @cert_list: the structure that holds the certificates.
  * @cert_list_lenght: the items in the cert_list.
  * @status: the output of the verification function
@@ -44,6 +45,7 @@
 -*/
 int
 _gnutls_openpgp_verify_key (const gnutls_certificate_credentials_t cred,
+ const char* hostname,
 const gnutls_datum_t * cert_list,
 int cert_list_length, unsigned int *status)
 {
@@ -95,6 +97,13 @@ _gnutls_openpgp_verify_key (const gnutls_certificate_credentials_t cred,
 /* If we only checked the self signature. */
 if (!cred->keyring)
 *status |= GNUTLS_CERT_SIGNER_NOT_FOUND;
+
+ if (hostname)
+ {
+ ret = gnutls_openpgp_crt_check_hostname(key, hostname);
+ if (ret == 0)
+ *status |= GNUTLS_CERT_UNEXPECTED_OWNER;
+ }
 ret = 0;
diff --git a/lib/openpgp/gnutls_openpgp.h b/lib/openpgp/gnutls_openpgp.h
index 8af869b9a7..4949624fa6 100644
--- a/lib/openpgp/gnutls_openpgp.h
+++ b/lib/openpgp/gnutls_openpgp.h
@@ -57,6 +57,7 @@ _gnutls_openpgp_request_key (gnutls_session_t, uint8_t * key_fpr,
 int key_fpr_size);
 int _gnutls_openpgp_verify_key (const gnutls_certificate_credentials_t,
+ const char* hostname,
 const gnutls_datum_t * cert_list,
 int cert_list_length, unsigned int *status);
 int _gnutls_openpgp_fingerprint (const gnutls_datum_t * cert,
diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c
index 9dc9cc7631..e100155f3e 100644
--- a/lib/openpgp/pgp.c
+++ b/lib/openpgp/pgp.c
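Review bot: The owner check added at the end of `_gnutls_openpgp_verify_key` is skipped entirely when `hostname` is NULL, and the new `@hostname` line in the first hunk does not state that contract, so a caller cannot tell from the docs that NULL means "no hostname check"; I would write ` * @hostname: the name of the certificate holder, or %NULL to skip the owner check`. A mismatch is reported only through `*status` (`GNUTLS_CERT_UNEXPECTED_OWNER`), because `ret` is overwritten by `ret = 0;` immediately afterwards, which the `@status` line could also mention so that callers know to inspect the flag rather than the return value. As a point of style, `gnutls_openpgp_crt_check_hostname(key, hostname)` drops the space before the parenthesis that the surrounding code uses (`_gnutls_openpgp_verify_key (`). The function body between the signature hunk and this hunk is outside the diff, so which certificate `key` refers to at this point cannot be confirmed here.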
@@ -603,7 +603,7 @@ gnutls_openpgp_crt_get_revoked_status (gnutls_openpgp_crt_t key)
 * given hostname. This is a basic implementation of the matching
 * described in RFC2818 (HTTPS), which takes into account wildcards.
 *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ * Returns: non-zero for a successful match, and zero on failure.
 **/
 int
 gnutls_openpgp_crt_check_hostname (gnutls_openpgp_crt_t key, |