[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_7

gnutls-commit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_7_a-11-g6d8

From:	Nikos Mavrogiannopoulos
Subject:	[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_7_a-11-g6d80344
Date:	Sun, 31 Jul 2011 15:55:50 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=6d80344f35d1b6331a4338609aba5c7b4b897c27

The branch, gnutls_2_12_x has been updated
       via  6d80344f35d1b6331a4338609aba5c7b4b897c27 (commit)
       via  5c0711523df8f108ecc1707dcd0cc4134003343e (commit)
      from  7544a585429668e0b5b4eccc463a9cd3ac247bad (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6d80344f35d1b6331a4338609aba5c7b4b897c27
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Jul 31 17:55:47 2011 +0200

    bumped version to 2.12.8

commit 5c0711523df8f108ecc1707dcd0cc4134003343e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Jul 31 17:47:42 2011 +0200

    Added GNUTLS_E_CERTIFICATE_LIST_UNSORTED.
    If a certificate list is loaded then verify
    that it is sorted with order to starts with
    the subject and finished with the trusted
    root. That way we make sure we don't send
    data that violate the TLS protocol.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                            |    7 ++++
 configure.ac                    |    2 +-
 lib/configure.ac                |    2 +-
 lib/gnutls_errors.c             |    2 +
 lib/gnutls_x509.c               |   67 +++++++++++++++++++++++++++++++++++++++
 lib/includes/gnutls/gnutls.h.in |    1 +
 libextra/configure.ac           |    2 +-
 7 files changed, 80 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index b5850db..bc8b829 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,13 @@ See the end for copying conditions.
 ** libgnutls: gcrypt: replaced occurences of gcry_sexp_nth_mpi (..., 0)
 with gcry_sexp_nth_mpi (..., GCRYMPI_FMT_USG) to fix errors with 1.5.0.
 
+** libgnutls: Verify that a certificate liste specified
+using gnutls_certificate_set_x509_key*(), is sorted
+according to TLS specification (from subject to issuer).
+
+** API and ABI modifications:
+No changes since last version.
+
 ** libgnutls: writev_emu: stop on the first incomplete write. Patch by
 Sjoerd Simons.
 
diff --git a/configure.ac b/configure.ac
index 683a267..3ed57ea 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,7 @@ dnl Process this file with autoconf to produce a configure 
script.
 # USA
 
 AC_PREREQ(2.61)
-AC_INIT([GnuTLS], [2.12.7], address@hidden)
+AC_INIT([GnuTLS], [2.12.8], address@hidden)
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])
 
diff --git a/lib/configure.ac b/lib/configure.ac
index e9813d7..8d873a2 100644
--- a/lib/configure.ac
+++ b/lib/configure.ac
@@ -22,7 +22,7 @@ dnl Process this file with autoconf to produce a configure 
script.
 # MA 02110-1301, USA
 
 AC_PREREQ(2.61)
-AC_INIT([libgnutls], [2.12.7], address@hidden)
+AC_INIT([libgnutls], [2.12.8], address@hidden)
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])
 
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 137a590..37e5b1e 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -321,6 +321,8 @@ static const gnutls_error_entry error_algorithms[] = {
                GNUTLS_E_PKCS11_TOKEN_ERROR, 1),
   ERROR_ENTRY (N_("PKCS #11 user error"),
                GNUTLS_E_PKCS11_USER_ERROR, 1),
+  ERROR_ENTRY (N_("The provided X.509 certificate list is not sorted (in 
subject to issuer order)"),
+               GNUTLS_E_CERTIFICATE_LIST_UNSORTED, 1),
   {NULL, NULL, 0, 0}
 };
 
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index ee5872f..3dbc763 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -808,10 +808,77 @@ gnutls_certificate_set_x509_key_mem 
(gnutls_certificate_credentials_t res,
   return 0;
 }
 
+static int check_if_sorted(gnutls_pcert_st * crt, int nr)
+{
+gnutls_x509_crt_t x509;
+char prev_dn[MAX_CN];
+char dn[MAX_CN];
+size_t prev_dn_size, dn_size;
+int i, ret;
+
+  /* check if the X.509 list is ordered */
+  if (nr > 1 && crt[0].type == GNUTLS_CRT_X509)
+    {
+
+      for (i=0;i<nr;i++)
+        {
+          ret = gnutls_x509_crt_init(&x509);
+          if (ret < 0)
+            return gnutls_assert_val(ret);
+          
+          ret = gnutls_x509_crt_import(x509, &crt[i].cert, 
GNUTLS_X509_FMT_DER);
+          if (ret < 0)
+            {
+              ret = gnutls_assert_val(ret);
+              goto cleanup;
+            }
+          
+          if (i>0)
+            {
+              dn_size = sizeof(dn);
+              ret = gnutls_x509_crt_get_dn(x509, dn, &dn_size);
+              if (ret < 0)
+                {
+                  ret = gnutls_assert_val(ret);
+                  goto cleanup;
+                }
+              
+              if (dn_size != prev_dn_size || memcmp(dn, prev_dn, dn_size) != 0)
+                {
+                  ret = gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
+                  goto cleanup;
+                }
+            }
+
+          prev_dn_size = sizeof(prev_dn);
+          ret = gnutls_x509_crt_get_issuer_dn(x509, prev_dn, &prev_dn_size);
+          if (ret < 0)
+            {
+              ret = gnutls_assert_val(ret);
+              goto cleanup;
+            }
+
+          gnutls_x509_crt_deinit(x509);
+        }
+    }
+
+  return 0;
+
+cleanup:
+  gnutls_x509_crt_deinit(x509);
+  return ret;
+}
+
 int
 certificate_credential_append_crt_list (gnutls_certificate_credentials_t res,
                                         gnutls_cert * crt, int nr)
 {
+int ret;
+
+  ret = check_if_sorted(crt, nr);
+  if (ret < 0)
+    return gnutls_assert_val(ret);
+
   res->cert_list = gnutls_realloc_fast (res->cert_list,
                                         (1 +
                                          res->ncerts) *
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 9512ece..b7bd126 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1759,6 +1759,7 @@ extern "C"
 #define GNUTLS_E_PKCS11_USER_ERROR -317
 
 #define GNUTLS_E_CRYPTO_INIT_FAILED -318
+#define GNUTLS_E_CERTIFICATE_LIST_UNSORTED -324
 
 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
 
diff --git a/libextra/configure.ac b/libextra/configure.ac
index 4009557..a9dbe0e 100644
--- a/libextra/configure.ac
+++ b/libextra/configure.ac
@@ -22,7 +22,7 @@ dnl Process this file with autoconf to produce a configure 
script.
 # 02110-1301, USA.
 
 AC_PREREQ(2.61)
-AC_INIT([libgnutls-extra], [2.12.7], address@hidden)
+AC_INIT([libgnutls-extra], [2.12.8], address@hidden)
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])
 


hooks/post-receive
-- 
GNU gnutls

[Prev in Thread]

Current Thread

[Next in Thread]

[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_7_a-11-g6d80344, Nikos Mavrogiannopoulos <=

Prev by Date: [SCM] GNU gnutls branch, gnutls_3_0_x, updated. gnutls_3_0_0-2-g3b11ee0
Next by Date: [SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_7_a-13-gd6248f4
Previous by thread: [SCM] GNU gnutls branch, gnutls_3_0_x, updated. gnutls_3_0_0-2-g3b11ee0
Next by thread: [SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_7_a-13-gd6248f4
Index(es):
- Date
- Thread