
[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_11_7-41-gf8dc8


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_11_7-41-gf8dc8a6
Date: Wed, 23 Mar 2011 19:03:58 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=f8dc8a6d74bd5c7e3172ec7633ab6e0be52fa4af

The branch, gnutls_2_12_x has been updated
       via  f8dc8a6d74bd5c7e3172ec7633ab6e0be52fa4af (commit)
       via  364e5ad140763763bdaf626c8b7dcc650956c97b (commit)
       via  de85e5b92df0ef74157a38a84b252315bdefe9a7 (commit)
       via  f43869f2f0ce4838661c8a08a4511099a7ed3228 (commit)
      from  2386cf6ffab8c4de19c910e0fa2aefbb0a3e2026 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f8dc8a6d74bd5c7e3172ec7633ab6e0be52fa4af
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Mar 23 20:03:47 2011 +0100

    documentation fixes.

commit 364e5ad140763763bdaf626c8b7dcc650956c97b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Mar 23 19:48:43 2011 +0100

    documented fix

commit de85e5b92df0ef74157a38a84b252315bdefe9a7
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Mar 23 19:44:52 2011 +0100

    Added DSA tests for client certificates as well.

commit f43869f2f0ce4838661c8a08a4511099a7ed3228
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Mar 23 19:44:32 2011 +0100

    Simplified signature algorithm selection.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                            |    3 +
 lib/ext_signature.c             |   40 +++++++++++--
 lib/ext_signature.h             |    8 +-
 lib/gnutls_handshake.c          |    1 -
 lib/gnutls_sig.c                |  126 ++++++++++++++-------------------------
 lib/includes/gnutls/abstract.h  |   15 +++--
 lib/includes/gnutls/gnutls.h.in |    4 +-
 lib/includes/gnutls/pkcs11.h    |   25 ++++----
 lib/includes/gnutls/x509.h      |    4 +-
 lib/pkcs11.c                    |   18 +++---
 lib/x509/crl.c                  |    2 +-
 lib/x509/verify.c               |    2 +-
 tests/dsa/testdsa               |   62 +++++++++++++++----
 13 files changed, 175 insertions(+), 135 deletions(-)

diff --git a/NEWS b/NEWS
index 1e8368a..ad041bb 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,9 @@ See the end for copying conditions.
 ** certtool: Warns on generation of DSA keys of over 1024 bits, about
 the incompatibility with TLS other than 1.2.
 
+** libgnutls: Modified signature algorithm selection in client
+certificate request, to avoid failures in DSA certificates.
+
 ** libgnutls: Instead of failing with internal error, return 
 GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL if an incompatible DSA
 key with the negotiated protocol is encountered.
diff --git a/lib/ext_signature.c b/lib/ext_signature.c
index 5e62f5c..edfb386 100644
--- a/lib/ext_signature.c
+++ b/lib/ext_signature.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2002, 2003, 2004, 2005, 2009, 2010 Free Software
+ * Copyright (C) 2002,2003,2004,2005,2009,2010,2011 Free Software
  * Foundation, Inc.
  *
  * Author: Nikos Mavrogiannopoulos
@@ -34,6 +34,8 @@
 #include <gnutls_state.h>
 #include <gnutls_num.h>
 #include <gnutls_algorithms.h>
+#include <x509/common.h> /* dsa_q_to_hash */
+#include <gnutls_cert.h>
 
 static int _gnutls_signature_algorithm_recv_params (gnutls_session_t session,
                                                     const opaque * data,
@@ -244,13 +246,36 @@ _gnutls_signature_algorithm_send_params (gnutls_session_t 
session,
   return 0;
 }
 
+int cert_compatible_with_sig(gnutls_cert* cert, gnutls_protocol_t ver, 
+  gnutls_sign_algorithm_t sign)
+{
+  if (cert->subject_pk_algorithm == GNUTLS_PK_DSA)
+    { /* override */
+      int hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
+
+      /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
+      if (!_gnutls_version_has_selectable_sighash (ver))
+        {
+          if (hash_algo != GNUTLS_DIG_SHA1)
+            return 
gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
+        }
+      else
+        {
+          if (_gnutls_sign_get_hash_algorithm(sign) != hash_algo)
+            return GNUTLS_E_UNWANTED_ALGORITHM;
+        }
+        
+    }
+
+  return 0;
+}
+
 /* Returns a requested by the peer signature algorithm that
  * matches the given public key algorithm. Index can be increased
  * to return the second choice etc.
  */
 gnutls_sign_algorithm_t
-_gnutls_session_get_sign_algo (gnutls_session_t session,
-                               gnutls_pk_algorithm_t pk)
+_gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_cert* cert)
 {
   unsigned i;
   int ret;
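Review bot: cert_compatible_with_sig returns 0 for every non-DSA certificate without looking at `sign`, so it never establishes that the signature algorithm's public-key type matches the key in the certificate. _gnutls_session_get_sign_algo compares the two before calling it, but the call added to _gnutls_handshake_verify_data in lib/gnutls_sig.c hands in `algo` directly and no such comparison is visible in that hunk. A first check such as `if (_gnutls_sign_get_pk_algorithm (sign) != cert->subject_pk_algorithm) return GNUTLS_E_UNWANTED_ALGORITHM;` would make the helper self-contained. `cert->params[1]` is also read with no visible check that the parameter is present; presumably the certificate import guarantees it, but a comment saying so would help. The body of _gnutls_session_get_sign_algo continues outside the hunk.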
@@ -266,15 +291,18 @@ _gnutls_session_get_sign_algo (gnutls_session_t session,
 
   if (ret < 0 || !_gnutls_version_has_selectable_sighash (ver)
       || priv->sign_algorithms_size == 0)
-    /* none set, allow all */
+    /* none set, allow SHA-1 only */
     {
-      return _gnutls_x509_pk_to_sign (pk, GNUTLS_DIG_SHA1);
+      return _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, 
GNUTLS_DIG_SHA1);
     }
 
   for (i = 0; i < priv->sign_algorithms_size; i++)
     {
-      if (_gnutls_sign_get_pk_algorithm (priv->sign_algorithms[i]) == pk)
+      if (_gnutls_sign_get_pk_algorithm (priv->sign_algorithms[i]) == 
cert->subject_pk_algorithm)
         {
+          if (cert_compatible_with_sig(cert, ver, priv->sign_algorithms[i]) < 
0)
+            continue;
+
           return priv->sign_algorithms[i];
         }
     }
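Review bot: The fallback return for sessions without selectable signature hashes does not call cert_compatible_with_sig, and the loop that does call it is only reached when `_gnutls_version_has_selectable_sighash (ver)` is true, so the helper's pre-TLS 1.2 branch (the GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL return) is not reached from any caller visible in this push. _gnutls_handshake_sign_data in lib/gnutls_sig.c lost the equivalent check when get_hash_algo was removed, so a DSA key that needs more than SHA-1 appears to be refused on that path only if a lower layer rejects it. Consider checking in the fallback, e.g. `sign = _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, GNUTLS_DIG_SHA1);` followed by `if (cert_compatible_with_sig (cert, ver, sign) < 0) return GNUTLS_SIGN_UNKNOWN;`, accepting that callers then report GNUTLS_E_UNKNOWN_PK_ALGORITHM rather than the specific code. The function starts and ends outside this hunk.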
diff --git a/lib/ext_signature.h b/lib/ext_signature.h
index b56c772..0288ff1 100644
--- a/lib/ext_signature.h
+++ b/lib/ext_signature.h
@@ -34,15 +34,15 @@ extern extension_entry_st ext_mod_sig;
 
 int _gnutls_session_sign_algo_requested (gnutls_session_t session,
                                          gnutls_sign_algorithm_t sig);
-gnutls_sign_algorithm_t _gnutls_session_get_sign_algo (gnutls_session_t
-                                                       session,
-                                                       gnutls_pk_algorithm_t
-                                                       pk);
+gnutls_sign_algorithm_t
+_gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_cert* cert);
 int _gnutls_sign_algorithm_parse_data (gnutls_session_t session,
                                        const opaque * data, size_t data_size);
 int _gnutls_sign_algorithm_write_params (gnutls_session_t session,
                                          opaque * data, size_t max_data_size);
 int _gnutls_session_sign_algo_enabled (gnutls_session_t session,
                                        gnutls_sign_algorithm_t sig);
+int cert_compatible_with_sig(gnutls_cert* cert, gnutls_protocol_t ver, 
+  gnutls_sign_algorithm_t sign);
 
 #endif
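Review bot: `cert_compatible_with_sig` is declared with external linkage but without the `_gnutls_` prefix that the neighbouring function declarations in this header carry, which puts a generic name into the namespace of anything that links the library statically. Renaming it to something like `_gnutls_cert_compatible_with_sig` here and at its uses in lib/ext_signature.c and lib/gnutls_sig.c would keep it consistent. A one-line comment such as `/* returns 0 if cert may be used with sign under ver, a negative error code otherwise */` would also state the contract, which the declaration alone does not.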
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index f427a0d..a4a3aeb 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -2491,7 +2491,6 @@ _gnutls_handshake_hash_init (gnutls_session_t session)
         session->security_parameters.handshake_mac_handle_type =
           HANDSHAKE_MAC_TYPE_10;
 
-
       if (session->security_parameters.handshake_mac_handle_type ==
           HANDSHAKE_MAC_TYPE_10)
         {
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 3e72a68..1fa2750 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -55,37 +55,6 @@ sign_tls_hash (gnutls_session_t session, 
gnutls_digest_algorithm_t hash_algo,
  */
 #define MAX_SIG_SIZE 19 + MAX_HASH_SIZE
 
-static int 
-get_hash_algo(gnutls_session_t session, int version,
-  gnutls_cert* cert, 
-  gnutls_sign_algorithm_t sign_algo,
-  gnutls_digest_algorithm_t *hash_algo)
-{
-int ret;
-
-  if (cert->subject_pk_algorithm == GNUTLS_PK_DSA)
-    { /* override */
-      *hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
-
-      /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
-      if (!_gnutls_version_has_selectable_sighash (version) && *hash_algo != 
GNUTLS_DIG_SHA1)
-        return gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
-
-      ret = _gnutls_session_sign_algo_requested(session, 
_gnutls_x509_pk_to_sign (GNUTLS_PK_DSA, *hash_algo));
-      if (ret < 0)
-        return gnutls_assert_val(ret);
-    }
-  else
-    {
-      if (sign_algo == GNUTLS_SIGN_UNKNOWN)
-        *hash_algo = GNUTLS_DIG_SHA1;
-      else
-        *hash_algo = _gnutls_sign_get_hash_algorithm (sign_algo);
-    }
-
-  return 0;
-}
-
 /* Generates a signature of all the random data and the parameters.
  * Used in DHE_* ciphersuites.
  */
@@ -103,16 +72,17 @@ _gnutls_handshake_sign_data (gnutls_session_t session, 
gnutls_cert * cert,
   gnutls_digest_algorithm_t hash_algo;
 
   *sign_algo =
-    _gnutls_session_get_sign_algo (session, cert->subject_pk_algorithm);
+    _gnutls_session_get_sign_algo (session, cert);
   if (*sign_algo == GNUTLS_SIGN_UNKNOWN)
     {
       gnutls_assert ();
       return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
     }
 
-  ret = get_hash_algo(session, ver, cert, *sign_algo, &hash_algo);
-  if (ret < 0)
-    return gnutls_assert_val(ret);
+  hash_algo = _gnutls_sign_get_hash_algorithm (*sign_algo);
+
+  _gnutls_handshake_log ("HSK[%p]: signing handshake data: using %s\n",
+                    session, gnutls_sign_algorithm_get_name (*sign_algo));
 
   ret = _gnutls_hash_init (&td_sha, hash_algo);
   if (ret < 0)
@@ -366,14 +336,22 @@ _gnutls_handshake_verify_data (gnutls_session_t session, 
gnutls_cert * cert,
   gnutls_protocol_t ver = gnutls_protocol_get_version (session);
   gnutls_digest_algorithm_t hash_algo;
 
-  ret = _gnutls_session_sign_algo_enabled (session, algo);
-  if (ret < 0)
+  if (_gnutls_version_has_selectable_sighash (ver))
     {
-      gnutls_assert ();
-      return ret;
-    }
+      _gnutls_handshake_log ("HSK[%p]: verify handshake data: using %s\n",
+                    session, gnutls_sign_algorithm_get_name (algo));
 
-  if (!_gnutls_version_has_selectable_sighash (ver))
+      ret = cert_compatible_with_sig(cert, ver, algo);
+      if (ret < 0)
+        return gnutls_assert_val(ret);
+
+      ret = _gnutls_session_sign_algo_enabled (session, algo);
+      if (ret < 0)
+        return gnutls_assert_val(ret);
+
+      hash_algo = _gnutls_sign_get_hash_algorithm (algo);
+    }
+  else
     {
       ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
       if (ret < 0)
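Review bot: The new `_gnutls_handshake_log` call formats `gnutls_sign_algorithm_get_name (algo)` with `%s` before `algo` has been validated, and that function returns NULL for an algorithm it does not recognise; `algo` here is presumably taken from the peer's message. Passing NULL to `%s` is undefined behaviour, so either move the log after the `_gnutls_session_sign_algo_enabled` check or guard the name. The log added at the top of _gnutls_handshake_verify_cert_vrfy further down has the same problem and is unconditional, so it likely sees GNUTLS_SIGN_UNKNOWN on sessions older than TLS 1.2. The function body continues outside the hunk.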
@@ -387,11 +365,9 @@ _gnutls_handshake_verify_data (gnutls_session_t session, 
gnutls_cert * cert,
       _gnutls_hash (&td_md5, session->security_parameters.server_random,
                     GNUTLS_RANDOM_SIZE);
       _gnutls_hash (&td_md5, params->data, params->size);
-    }
 
-  ret = get_hash_algo(session, ver, cert, algo, &hash_algo);
-  if (ret < 0)
-    return gnutls_assert_val(ret);
+      hash_algo = GNUTLS_DIG_SHA1;
+    }
 
   ret = _gnutls_hash_init (&td_sha, hash_algo);
   if (ret < 0)
@@ -516,6 +492,9 @@ _gnutls_handshake_verify_cert_vrfy (gnutls_session_t 
session,
   gnutls_datum_t dconcat;
   gnutls_protocol_t ver = gnutls_protocol_get_version (session);
 
+  _gnutls_handshake_log ("HSK[%p]: verify cert vrfy: using %s\n",
+                    session, gnutls_sign_algorithm_get_name (sign_algo));
+
   if (session->security_parameters.handshake_mac_handle_type ==
       HANDSHAKE_MAC_TYPE_12)
     {
@@ -603,44 +582,27 @@ _gnutls_handshake_sign_cert_vrfy12 (gnutls_session_t 
session,
   gnutls_digest_algorithm_t hash_algo;
   digest_hd_st *handshake_td;
 
-  handshake_td = &session->internals.handshake_mac_handle.tls12.sha1;
-  hash_algo = handshake_td->algorithm;
-  sign_algo = _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
-
-  /* The idea here is to try signing with the one of the algorithms
-   * that have been initiated at handshake (SHA1, SHA256). If they
-   * are not requested by peer... tough luck
-   */
-  ret = _gnutls_session_sign_algo_requested (session, sign_algo);
-  if (sign_algo == GNUTLS_SIGN_UNKNOWN || ret < 0)
+  sign_algo =
+    _gnutls_session_get_sign_algo (session, cert);
+  if (sign_algo == GNUTLS_SIGN_UNKNOWN)
     {
-      handshake_td = &session->internals.handshake_mac_handle.tls12.sha256;
-      hash_algo = handshake_td->algorithm;
-      sign_algo =
-        _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
-      if (sign_algo == GNUTLS_SIGN_UNKNOWN)
-        {
-          gnutls_assert ();
-          return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
-        }
-
-      ret = _gnutls_session_sign_algo_requested (session, sign_algo);
-      if (ret < 0)
-        {
-          gnutls_assert ();
-          _gnutls_x509_log
-            ("Server did not allow either '%s' or '%s' for signing\n",
-             gnutls_mac_get_name (hash_algo),
-             gnutls_mac_get_name (session->internals.handshake_mac_handle.
-                                  tls12.sha1.algorithm));
-          return ret;
-        }
+      gnutls_assert ();
+      return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
     }
 
-  _gnutls_x509_log ("sign handshake cert vrfy: picked %s with %s\n",
+  hash_algo = _gnutls_sign_get_hash_algorithm (sign_algo);
+
+  _gnutls_debug_log ("sign handshake cert vrfy: picked %s with %s\n",
                     gnutls_sign_algorithm_get_name (sign_algo),
                     gnutls_mac_get_name (hash_algo));
 
+  if (hash_algo == 
session->internals.handshake_mac_handle.tls12.sha1.algorithm)
+    handshake_td = &session->internals.handshake_mac_handle.tls12.sha1;
+  else if (hash_algo == 
session->internals.handshake_mac_handle.tls12.sha256.algorithm)
+    handshake_td = &session->internals.handshake_mac_handle.tls12.sha256;
+  else
+    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); /* too bad we only 
support SHA1 and SHA256 */
+
   ret = _gnutls_hash_copy (&td, handshake_td);
   if (ret < 0)
     {
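Review bot: When the algorithm returned by `_gnutls_session_get_sign_algo` uses a hash other than the two running handshake digests, this now fails with GNUTLS_E_INTERNAL_ERROR even though the peer may have listed an acceptable SHA-1 or SHA-256 algorithm further down. The selection in lib/ext_signature.c returns the first compatible entry for the key type, so a peer that lists a larger hash first would break client authentication, whereas the removed code tried SHA-1 and then SHA-256 explicitly. Either the selection should skip algorithms with no matching handshake digest, or this branch should return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM (the code the old path used) so the failure is diagnosable. The function begins and ends outside the hunk.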
@@ -678,7 +640,7 @@ _gnutls_handshake_sign_cert_vrfy (gnutls_session_t session,
                                   gnutls_datum_t * signature)
 {
   gnutls_datum_t dconcat;
-  int ret;
+  int ret, hash_algo;
   opaque concat[MAX_SIG_SIZE];
   digest_hd_st td_md5;
   digest_hd_st td_sha;
@@ -748,13 +710,17 @@ _gnutls_handshake_sign_cert_vrfy (gnutls_session_t 
session,
       dconcat.size = 36;
       break;
     case GNUTLS_PK_DSA:
+      /* ensure 1024 bit DSA keys are used */
+      hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
+      if (!_gnutls_version_has_selectable_sighash (ver) && hash_algo != 
GNUTLS_DIG_SHA1)
+        return gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
+
       dconcat.data = &concat[16];
       dconcat.size = 20;
       break;
 
     default:
-      gnutls_assert ();
-      return GNUTLS_E_INTERNAL_ERROR;
+      return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     }
   ret = sign_tls_hash (session, GNUTLS_DIG_NULL, cert, pkey, &dconcat, 
signature);
   if (ret < 0)
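Review bot: The comment `/* ensure 1024 bit DSA keys are used */` does not describe the test, which rejects keys whose q maps to a hash other than SHA-1 on protocol versions without selectable signature hashes. Something like `/* before TLS 1.2 only SHA-1 is available, so reject DSA keys whose q requires a larger hash */` would be accurate. The condition also repeats the first branch of cert_compatible_with_sig in lib/ext_signature.c; calling that helper here would keep the two from drifting, provided its `sign` argument can be supplied sensibly on this path. The switch sits inside a function that extends beyond the hunk.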
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index 8bc46c6..73266df 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -19,7 +19,7 @@ int gnutls_pubkey_init (gnutls_pubkey_t * key);
 void gnutls_pubkey_deinit (gnutls_pubkey_t key);
 int gnutls_pubkey_get_pk_algorithm (gnutls_pubkey_t key, unsigned int *bits);
 
-int gnutls_pubkey_import_x509 (gnutls_pubkey_t pkey, gnutls_x509_crt_t crt,
+int gnutls_pubkey_import_x509 (gnutls_pubkey_t key, gnutls_x509_crt_t crt,
                                unsigned int flags);
 int gnutls_pubkey_import_pkcs11 (gnutls_pubkey_t pkey,
                                  gnutls_pkcs11_obj_t crt, unsigned int flags);
@@ -35,9 +35,9 @@ int gnutls_pubkey_get_preferred_hash_algorithm 
(gnutls_pubkey_t key,
                                                 gnutls_digest_algorithm_t *
                                                 hash, unsigned int *mand);
 
-int gnutls_pubkey_get_pk_rsa_raw (gnutls_pubkey_t crt,
+int gnutls_pubkey_get_pk_rsa_raw (gnutls_pubkey_t key,
                                   gnutls_datum_t * m, gnutls_datum_t * e);
-int gnutls_pubkey_get_pk_dsa_raw (gnutls_pubkey_t crt,
+int gnutls_pubkey_get_pk_dsa_raw (gnutls_pubkey_t key,
                                   gnutls_datum_t * p, gnutls_datum_t * q,
                                   gnutls_datum_t * g, gnutls_datum_t * y);
 
@@ -65,7 +65,7 @@ int gnutls_pubkey_import_dsa_raw (gnutls_pubkey_t key,
                                   const gnutls_datum_t * q,
                                   const gnutls_datum_t * g,
                                   const gnutls_datum_t * y);
-int gnutls_pubkey_import_rsa_raw (gnutls_pubkey_t pubkey,
+int gnutls_pubkey_import_rsa_raw (gnutls_pubkey_t key,
                                   const gnutls_datum_t * m,
                                   const gnutls_datum_t * e);
 
@@ -93,6 +93,11 @@ int gnutls_privkey_init (gnutls_privkey_t * key);
 void gnutls_privkey_deinit (gnutls_privkey_t key);
 int gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key,
                                      unsigned int *bits);
+
+int
+gnutls_privkey_get_preferred_hash_algorithm (gnutls_privkey_t key,
+                                            gnutls_digest_algorithm_t *
+                                            hash, unsigned int *mand);
 gnutls_privkey_type_t gnutls_privkey_get_type (gnutls_privkey_t key);
 
 
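Review bot: `gnutls_privkey_get_preferred_hash_algorithm` is added to a public header, but the diffstat for this push lists no source file in which a definition is added, and the commits are described as documentation fixes and signature-selection changes. If the definition is not already in the tree, applications that call it will fail at link time; please confirm that it exists and is exported, or drop the prototype from this change.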
@@ -119,7 +124,7 @@ int gnutls_privkey_sign_hash (gnutls_privkey_t signer,
                              const gnutls_datum_t * hash_data,
                              gnutls_datum_t * signature);
 
-int gnutls_privkey_decrypt_data (gnutls_privkey_t signer,
+int gnutls_privkey_decrypt_data (gnutls_privkey_t key,
                                  unsigned int flags,
                                  const gnutls_datum_t * ciphertext,
                                  gnutls_datum_t * plaintext);
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index ee5da9e..be7b161 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1107,8 +1107,8 @@ extern "C"
   typedef int (*mutex_unlock_func) (void **mutex);
   typedef int (*mutex_deinit_func) (void **mutex);
 
-  void gnutls_global_set_mutex (mutex_init_func init, mutex_deinit_func,
-                                mutex_lock_func, mutex_unlock_func);
+  void gnutls_global_set_mutex (mutex_init_func init, mutex_deinit_func deinit,
+                                mutex_lock_func lock, mutex_unlock_func 
unlock);
 
   typedef void *(*gnutls_alloc_function) (size_t);
   typedef void *(*gnutls_calloc_function) (size_t, size_t);
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 0b9b2f2..4f2cefd 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -59,10 +59,11 @@ int gnutls_pkcs11_init (unsigned int flags, const char 
*configfile);
 void gnutls_pkcs11_deinit (void);
 void gnutls_pkcs11_set_token_function (gnutls_pkcs11_token_callback_t fn,
                                        void *userdata);
-void gnutls_pkcs11_set_pin_function (gnutls_pkcs11_pin_callback_t callback,
-                                     void *data);
+
+void gnutls_pkcs11_set_pin_function (gnutls_pkcs11_pin_callback_t fn,
+                                     void *userdata);
 int gnutls_pkcs11_add_provider (const char *name, const char *params);
-int gnutls_pkcs11_obj_init (gnutls_pkcs11_obj_t * certificate);
+int gnutls_pkcs11_obj_init (gnutls_pkcs11_obj_t * obj);
 
 #define GNUTLS_PKCS11_OBJ_FLAG_LOGIN (1<<0)     /* force login in the token 
for the operation */
 #define GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED (1<<1)      /* object marked as 
trusted */
@@ -86,10 +87,10 @@ typedef enum
 int gnutls_pkcs11_obj_import_url (gnutls_pkcs11_obj_t, const char *url,
                                   unsigned int flags
                                   /* GNUTLS_PKCS11_OBJ_FLAG_* */ );
-int gnutls_pkcs11_obj_export_url (gnutls_pkcs11_obj_t,
+int gnutls_pkcs11_obj_export_url (gnutls_pkcs11_obj_t obj,
                                   gnutls_pkcs11_url_type_t detailed,
                                   char **url);
-void gnutls_pkcs11_obj_deinit (gnutls_pkcs11_obj_t);
+void gnutls_pkcs11_obj_deinit (gnutls_pkcs11_obj_t obj);
 
 int gnutls_pkcs11_obj_export (gnutls_pkcs11_obj_t obj,
                               void *output_data, size_t * output_data_size);
@@ -98,8 +99,8 @@ int gnutls_pkcs11_obj_export (gnutls_pkcs11_obj_t obj,
 int gnutls_pkcs11_copy_x509_crt (const char *token_url, gnutls_x509_crt_t crt,
                                  const char *label, unsigned int flags
                                  /* GNUTLS_PKCS11_OBJ_FLAG_* */ );
-int gnutls_pkcs11_copy_x509_privkey (const char *token_url, 
gnutls_x509_privkey_t crt, const char *label, unsigned int key_usage        
/*GNUTLS_KEY_* */
-                                     , unsigned int flags
+int gnutls_pkcs11_copy_x509_privkey (const char *token_url, 
gnutls_x509_privkey_t key, 
+  const char *label, unsigned int key_usage /*GNUTLS_KEY_* */, unsigned int 
flags
                                      /* GNUTLS_PKCS11_OBJ_FLAG_* */ );
 int gnutls_pkcs11_delete_url (const char *object_url, unsigned int flags
                               /* GNUTLS_PKCS11_OBJ_FLAG_* */ );
@@ -217,7 +218,7 @@ int gnutls_pkcs11_token_set_pin (const char *token_url, 
const char *oldpin, cons
 int gnutls_pkcs11_token_get_url (unsigned int seq,
                                  gnutls_pkcs11_url_type_t detailed,
                                  char **url);
-int gnutls_pkcs11_token_get_info (const char *url, gnutls_pkcs11_token_info_t,
+int gnutls_pkcs11_token_get_info (const char *url, gnutls_pkcs11_token_info_t 
ttype,
                                   void *output, size_t * output_size);
 
 #define GNUTLS_PKCS11_TOKEN_HW 1
@@ -240,8 +241,8 @@ gnutls_pkcs11_obj_type_t gnutls_pkcs11_obj_get_type 
(gnutls_pkcs11_obj_t
                                                      certificate);
 const char *gnutls_pkcs11_type_get_name (gnutls_pkcs11_obj_type_t);
 
-int gnutls_x509_crt_list_import_pkcs11 (gnutls_x509_crt_t * certs, unsigned 
int cert_max, gnutls_pkcs11_obj_t * const pkcs11_certs, unsigned int flags  /* 
must be zero */
-  );
+int gnutls_x509_crt_list_import_pkcs11 (gnutls_x509_crt_t * certs, unsigned 
int cert_max, 
+  gnutls_pkcs11_obj_t * const objs, unsigned int flags  /* must be zero */);
 
 
 /* private key functions...*/
@@ -249,11 +250,11 @@ int gnutls_pkcs11_privkey_init (gnutls_pkcs11_privkey_t * 
key);
 void gnutls_pkcs11_privkey_deinit (gnutls_pkcs11_privkey_t key);
 int gnutls_pkcs11_privkey_get_pk_algorithm (gnutls_pkcs11_privkey_t key,
                                             unsigned int *bits);
-int gnutls_pkcs11_privkey_get_info (gnutls_pkcs11_privkey_t crt,
+int gnutls_pkcs11_privkey_get_info (gnutls_pkcs11_privkey_t pkey,
                                     gnutls_pkcs11_obj_info_t itype,
                                     void *output, size_t * output_size);
 
-int gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t key,
+int gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t pkey,
                                       const char *url, unsigned int flags);
 
 int gnutls_pkcs11_privkey_export_url (gnutls_pkcs11_privkey_t key,
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index b40cae1..3a25d25 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -646,8 +646,8 @@ extern "C"
                                            const gnutls_datum_t * p,
                                            const gnutls_datum_t * q,
                                            const gnutls_datum_t * u,
-                                           const gnutls_datum_t * exp1,
-                                           const gnutls_datum_t * exp2);
+                                           const gnutls_datum_t * e1,
+                                           const gnutls_datum_t * e2);
   int gnutls_x509_privkey_fix (gnutls_x509_privkey_t key);
 
   int gnutls_x509_privkey_export_dsa_raw (gnutls_x509_privkey_t key,
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index bec2d16..3b7bdee 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -496,7 +496,7 @@ gnutls_pkcs11_set_pin_function 
(gnutls_pkcs11_pin_callback_t fn,
 
 /**
  * gnutls_pkcs11_set_token_function:
- * @fn: The PIN callback
+ * @fn: The token callback
  * @userdata: data to be supplied to callback
  *
  * This function will set a callback function to be used when a token
@@ -918,7 +918,7 @@ cleanup:
 
 /**
  * gnutls_pkcs11_obj_init:
- * @crt: The structure to be initialized
+ * @obj: The structure to be initialized
  *
  * This function will initialize a pkcs11 certificate structure.
  *
@@ -926,10 +926,10 @@ cleanup:
  *   negative error value.
  **/
 int
-gnutls_pkcs11_obj_init (gnutls_pkcs11_obj_t * crt)
+gnutls_pkcs11_obj_init (gnutls_pkcs11_obj_t * obj)
 {
-  *crt = gnutls_calloc (1, sizeof (struct gnutls_pkcs11_obj_st));
-  if (*crt == NULL)
+  *obj = gnutls_calloc (1, sizeof (struct gnutls_pkcs11_obj_st));
+  if (*obj == NULL)
     {
       gnutls_assert ();
       return GNUTLS_E_MEMORY_ERROR;
@@ -953,7 +953,7 @@ gnutls_pkcs11_obj_deinit (gnutls_pkcs11_obj_t obj)
 
 /**
  * gnutls_pkcs11_obj_export:
- * @key: Holds the object
+ * @obj: Holds the object
  * @output_data: will contain a certificate PEM or DER encoded
  * @output_data_size: holds the size of output_data (and will be
  *   replaced by the actual size of parameters)
@@ -1983,7 +1983,7 @@ gnutls_pkcs11_token_get_info (const char *url,
 
 /**
  * gnutls_pkcs11_obj_export_url:
- * @crt: Holds the PKCS 11 certificate
+ * @obj: Holds the PKCS 11 certificate
  * @detailed: non zero if a detailed URL is required
  * @url: will contain an allocated url
  *
@@ -1993,12 +1993,12 @@ gnutls_pkcs11_token_get_info (const char *url,
  *   negative error value.
  **/
 int
-gnutls_pkcs11_obj_export_url (gnutls_pkcs11_obj_t cert,
+gnutls_pkcs11_obj_export_url (gnutls_pkcs11_obj_t obj,
                               gnutls_pkcs11_url_type_t detailed, char **url)
 {
   int ret;
 
-  ret = pkcs11_info_to_url (&cert->info, detailed, url);
+  ret = pkcs11_info_to_url (&obj->info, detailed, url);
   if (ret < 0)
     {
       gnutls_assert ();
diff --git a/lib/x509/crl.c b/lib/x509/crl.c
index c55e0d0..2092697 100644
--- a/lib/x509/crl.c
+++ b/lib/x509/crl.c
@@ -540,7 +540,7 @@ gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl, int 
indx,
  * This function will return a pointer to the DER encoded DN structure
  * and the length.
  *
- * Returns a negative value on error, and zero on success.
+ * Returns: a negative value on error, and zero on success.
  *
  * Since: 2.12.0
  **/
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 4d1c782..ff732f8 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -800,13 +800,13 @@ dsa_verify_sig (const gnutls_datum_t * text,
   gnutls_digest_algorithm_t algo;
 
   algo = _gnutls_dsa_q_to_hash (params[1]);
-
   if (hash)
     {
       /* SHA1 or better allowed */
       if (!hash->data || hash->size != _gnutls_hash_get_algo_len(algo))
         {
           gnutls_assert();
+          _gnutls_debug_log("Hash size (%d) does not correspond to hash %s", 
(int)hash->size, gnutls_mac_get_name(algo));
           return GNUTLS_E_INVALID_REQUEST;
         }
       digest = *hash;
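Review bot: The added `_gnutls_debug_log` format string has no trailing `\n`, unlike the other log calls added in this push, so the message will run into the next log line. It is also emitted when `hash->data` is NULL, in which case the size it reports may not be the reason for the failure. Consider `"Hash size (%d) does not correspond to hash %s\n"` and logging only in the size-mismatch case. dsa_verify_sig continues outside the hunk.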
diff --git a/tests/dsa/testdsa b/tests/dsa/testdsa
index 94ad95e..bbd0802 100755
--- a/tests/dsa/testdsa
+++ b/tests/dsa/testdsa
@@ -24,6 +24,7 @@ srcdir="${srcdir:-.}"
 SERV="${SERV:-../../src/gnutls-serv} -q"
 CLI="${CLI:-../../src/gnutls-cli}"
 PORT="${PORT:-5559}"
+DEBUG=""
 unset RETCODE
 
 fail() {
@@ -37,14 +38,32 @@ echo "Checking various DSA key sizes"
 
 echo "Checking DSA-1024 with TLS 1.0"
 
-$SERV -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile 
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem >/dev/null 2>&1 &
+$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem 
>/dev/null 2>&1 &
 
 # give the server a chance to initialize
 sleep 2
 
-$CLI -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
   fail "Failed connection to a server with DSA 1024 key and TLS 1.0!"
 
+echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.0"
+
+#try with client key of 1024 bits (should succeed) 
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem </dev/null 
>/dev/null || \
+  fail "Failed connection to a server with DSA 1024 key and TLS 1.0!"
+
+echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.0"
+
+#try with client key of 2048 bits (should fail) 
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem </dev/null 
>/dev/null 2>&1 && \
+  fail "Succeeded connection to a server with a client DSA 2048 key and TLS 
1.0!"
+
+echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.0"
+
+#try with client key of 3072 bits (should fail) 
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem </dev/null 
>/dev/null 2>&1 && \
+  fail "Succeeded connection to a server with a client DSA 3072 key and TLS 
1.0!"
+
 kill %1
 wait
 
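Review bot: The two negative checks (`... >/dev/null 2>&1 && fail "Succeeded connection ..."`) pass whenever the client exits non-zero, so a server that has not finished starting after the `sleep 2`, or any unrelated handshake error, is indistinguishable from the intended rejection of a DSA client key that is too large for TLS 1.0. Capturing the client's stderr and checking it for the expected error would make these cases assert the behaviour the library change introduces. The failure message of the DSA-1024 client case repeats the server-only text `Failed connection to a server with DSA 1024 key and TLS 1.0!`, which makes the two cases hard to tell apart in a log; the TLS 1.2 hunk that follows repeats its message in the same way.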
@@ -52,14 +71,33 @@ wait
 
 echo "Checking DSA-1024 with TLS 1.2"
 
-$SERV -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" --x509certfile 
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem >/dev/null 2>&1 &
+$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem 
>/dev/null 2>&1 &
 
 # give the server a chance to initialize
 sleep 2
 
-$CLI -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
   fail "Failed connection to a server with DSA 1024 key and TLS 1.2!"
 
+echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.2"
+
+#try with client key of 1024 bits (should succeed) 
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem </dev/null 
>/dev/null || \
+  fail "Failed connection to a server with DSA 1024 key and TLS 1.2!"
+
+echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.2"
+
+#try with client key of 2048 bits (should succeed) 
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem </dev/null 
>/dev/null || \
+  fail "Failed connection to a server with a client DSA 2048 key and TLS 1.2!"
+
+echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.2"
+
+#try with client key of 3072 bits (should succeed) 
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem </dev/null 
>/dev/null || \
+  fail "Failed connection to a server with a client DSA 3072 key and TLS 1.2!"
+
+
 kill %1
 wait
 
@@ -67,12 +105,12 @@ wait
 
 echo "Checking DSA-2048 with TLS 1.0"
 
-$SERV -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile 
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem >/dev/null 2>&1 &
+$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem 
>/dev/null 2>&1 &
 
 # give the server a chance to initialize
 sleep 2
 
-$CLI -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 2>&1 && \
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 2>&1 && \
   fail "Succeeded connection to a server with DSA 2048 key and TLS 1.0. Should 
have failed!"
 
 kill %1
@@ -82,12 +120,12 @@ wait
 
 echo "Checking DSA-2048 with TLS 1.2"
 
-$SERV -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" --x509certfile 
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem >/dev/null 2>&1 &
+$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem 
>/dev/null 2>&1 &
 
 # give the server a chance to initialize
 sleep 2
 
-$CLI -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
   fail "Failed connection to a server with DSA 2048 key and TLS 1.2!"
 
 kill %1
@@ -97,12 +135,12 @@ wait
 
 echo "Checking DSA-3072 with TLS 1.0"
 
-$SERV -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile 
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem >/dev/null 2>&1 &
+$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem 
>/dev/null 2>&1 &
 
 # give the server a chance to initialize
 sleep 2
 
-$CLI -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 2>&1 && \
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 2>&1 && \
   fail "Succeeded connection to a server with DSA 2048 key and TLS 1.0. Should 
have failed!"
 
 kill %1
@@ -112,12 +150,12 @@ wait
 
 echo "Checking DSA-3072 with TLS 1.2"
 
-$SERV -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" --x509certfile 
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem >/dev/null 2>&1 &
+$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem 
>/dev/null 2>&1 &
 
 # give the server a chance to initialize
 sleep 2
 
-$CLI -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
   fail "Failed connection to a server with DSA 3072 key and TLS 1.2!"
 
 kill %1


hooks/post-receive
-- 
GNU gnutls


