[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_7-95-g026d6fd
|
From: |
Simon Josefsson |
|
Subject: |
[SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_7-95-g026d6fd |
|
Date: |
Sat, 12 Nov 2011 11:04:28 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=026d6fd40e82e0530bb76168da2b39667ac9c3a6
The branch, ocsp has been updated
via 026d6fd40e82e0530bb76168da2b39667ac9c3a6 (commit)
via 7f98dee7078495bd90c54b6f25fa5a2643bf97e5 (commit)
via 5441fe23d07ba6af1fb86c4395d93ec133b20740 (commit)
via 0bc58b2bb637c30331133f713dd2f4d5da719f05 (commit)
via 6877c6f746a7db88407f53646c290e8c44563bf4 (commit)
via 971dcd3e4a9ec2dea780f1e9987eaf0d6f57eba3 (commit)
via c04ec01838437072859a4354953e1a47639356d5 (commit)
via 2017b24fec56f9f6ad19b73b0c758fa0dc48fd6c (commit)
via e0ce54b38ba3060bbee8f3314138fba45ce816e7 (commit)
via fa9760a72f3e840e0960837b12b693160a48e972 (commit)
via 8886a2f6029f5e7929162145970abaf1a5bcd224 (commit)
via 12a28f4fa86e8420bdaeafba0fddfbd028a446ee (commit)
via 60004868649f8731603ed2803b1fb1336e5f42b1 (commit)
via 970b984597ee43d3bba830bf377a2b27e858c061 (commit)
via 8c32e9111e4ea6b704712d98ee1c2b36c2310724 (commit)
via f2302e7902a5bf93b6f8c4d45bd1f116fac6594b (commit)
via edf0dd60490a40cc2335cfaf18cc86258a25ea13 (commit)
via 9711cc6e9925d09e1c955c2038d302d784f8b39f (commit)
via fe2212f20d438b0704c7b0c08c22f145727cd44a (commit)
via ba054cb89336cf4fd2b238860111f3d5104132a5 (commit)
via 0144bc53e999d20bfe8eeb395c1377f1f4eb06b3 (commit)
via af1aa950a2ac21851eed9cbe4fe4da8d55407b17 (commit)
via 20ae8dcfab88dcf5d82c5569541c5c407cfc4962 (commit)
via 2b91222a89d0fca3e8e00c012c973055358a3a26 (commit)
via 8b5b5f8c07a735e160efd2fa619f2d5b2ee7ea6b (commit)
via 2c4c2351f7c39ee61b3e4eebdb848db9445a6e38 (commit)
via ed4a698e12478e1c70f48de7ecf7f1e0e135e600 (commit)
via 9348de433ee9fe249d88c446303c074c26a51f23 (commit)
via b5f6c58ae2d6b4bcbeea5d25888fedb4a93849f8 (commit)
from 63ac40632a4eaae661e2c43584d68be22c2dc43a (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 026d6fd40e82e0530bb76168da2b39667ac9c3a6
Merge: 63ac406 7f98dee
Author: Simon Josefsson <address@hidden>
Date: Sat Nov 12 12:03:56 2011 +0100
Merge branch 'master' into ocsp
-----------------------------------------------------------------------
Summary of changes:
.gitignore | 1 +
NEWS | 14 ++
cfg.mk | 2 +
configure.ac | 50 +++---
doc/cha-cert-auth.texi | 77 +++++++-
doc/scripts/mytexi2latex | 4 +-
lib/crypto-backend.h | 27 +++
lib/gnutls_cipher.c | 10 +-
lib/gnutls_ecc.c | 12 +-
lib/gnutls_errors.c | 2 +
lib/gnutls_errors.h | 4 +-
lib/gnutls_int.h | 19 ++-
lib/gnutls_pk.c | 35 ----
lib/gnutls_pk.h | 3 +-
lib/gnutls_pubkey.c | 10 +-
lib/gnutls_record.c | 14 +-
lib/gnutls_state.c | 4 -
lib/includes/gnutls/gnutls.h.in | 1 +
lib/includes/gnutls/x509.h | 1 +
lib/libgnutls.map | 1 +
lib/nettle/pk.c | 257 ++++++++++++++++++++---
lib/pkcs11_write.c | 2 +-
lib/x509/crl_write.c | 8 +-
lib/x509/key_decode.c | 4 +-
lib/x509/key_encode.c | 6 +-
lib/x509/privkey.c | 46 +++-
m4/hooks.m4 | 6 +-
src/certtool-cfg.c | 3 +-
src/certtool-common.c | 3 +-
src/certtool.c | 27 ++-
src/psk.c | 2 +-
src/srptool.c | 3 +-
src/tests.c | 3 +-
src/tls_test.c | 3 +-
tests/Makefile.am | 6 +-
tests/{pathlen => ecdsa}/Makefile.am | 6 +-
tests/ecdsa/bad-key.pem | 25 +++
tests/{sha2/sha2-dsa => ecdsa/ecdsa} | 42 +++--
tests/{safe-renegotiation => slow}/Makefile.am | 8 +-
tests/slow/README | 1 +
tests/{ => slow}/gendh.c | 0
tests/slow/keygen.c | 106 ++++++++++
tests/suite/chain | 2 +-
43 files changed, 659 insertions(+), 201 deletions(-)
copy tests/{pathlen => ecdsa}/Makefile.am (90%)
create mode 100644 tests/ecdsa/bad-key.pem
copy tests/{sha2/sha2-dsa => ecdsa/ecdsa} (56%)
copy tests/{safe-renegotiation => slow}/Makefile.am (88%)
create mode 100644 tests/slow/README
rename tests/{ => slow}/gendh.c (100%)
create mode 100644 tests/slow/keygen.c
diff --git a/.gitignore b/.gitignore
index 02caaed..ca42668 100644
--- a/.gitignore
+++ b/.gitignore
@@ -534,3 +534,4 @@ tests/x509paths/
tests/x509self
tests/x509sign-verify
tests/x509signself
+tests/keygen
diff --git a/NEWS b/NEWS
index 9f136bc..72d1636 100644
--- a/NEWS
+++ b/NEWS
@@ -4,11 +4,25 @@ See the end for copying conditions.
* Version 3.0.8 (unreleased)
+** certtool: Certtool -e returns error code on verification
+failure.
+
+** certtool: Verifies parameters of generated keys.
+
+** libgnutls: Corrected ECC key generation (introduced in 3.0.6)
+
+** libgnutls: Provide less timing information when decoding
+TLS/DTLS record packets.
+
** doc: man pages for API functions were removed.
The reason was that the code that auto-generated the man pages missed
many APIs and we couldn't fix it (volunteers welcome). See the info
manual or the GTK-DOC manual instead.
+** API and ABI modifications:
+gnutls_x509_privkey_verify_params: Added
+
+
* Version 3.0.7 (released 2011-11-08)
** libgnutls: Corrected fix in gnutls_session_get_data()
diff --git a/cfg.mk b/cfg.mk
index 5c87889..156296a 100644
--- a/cfg.mk
+++ b/cfg.mk
@@ -72,6 +72,8 @@ update-po: refresh-po
bootstrap: autoreconf
./configure $(CFGFLAGS)
+# The only non-lgpl modules used are: gettime progname timespec. Those
+# are not used (and must not be used) in the library)
glimport:
gnulib-tool --add-import
diff --git a/configure.ac b/configure.ac
index b92f7f8..87eaf55 100644
--- a/configure.ac
+++ b/configure.ac
@@ -21,7 +21,7 @@ dnl Process this file with autoconf to produce a configure
script.
# USA
AC_PREREQ(2.61)
-AC_INIT([GnuTLS], [3.0.7], address@hidden)
+AC_INIT([GnuTLS], [3.0.8], address@hidden)
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_MACRO_DIR([m4])
@@ -444,55 +444,57 @@ AC_CONFIG_FILES([
doc/credentials/srp/Makefile
doc/credentials/x509/Makefile
doc/cyclo/Makefile
- doc/latex/Makefile
doc/doxygen/Doxyfile
doc/examples/Makefile
+ doc/latex/Makefile
doc/manpages/Makefile
doc/reference/Makefile
doc/reference/version.xml
doc/scripts/Makefile
+ extra/Makefile
+ extra/includes/Makefile
gl/Makefile
gl/tests/Makefile
guile/Makefile
guile/modules/Makefile
guile/src/Makefile
guile/tests/Makefile
+ lib/Makefile
+ lib/accelerated/Makefile
+ lib/accelerated/x86/Makefile
+ lib/algorithms/Makefile
+ lib/auth/Makefile
+ lib/ext/Makefile
+ lib/gnutls.pc
+ lib/includes/Makefile
+ lib/includes/gnutls/gnutls.h
+ lib/minitasn1/Makefile
+ lib/nettle/Makefile
+ lib/opencdk/Makefile
+ lib/openpgp/Makefile
+ lib/x509/Makefile
+ po/Makefile.in
src/Makefile
- src/crywrap/Makefile
src/cfg/Makefile
src/cfg/platon/Makefile
src/cfg/platon/str/Makefile
+ src/crywrap/Makefile
tests/Makefile
- tests/key-id/Makefile
tests/dsa/Makefile
- tests/scripts/Makefile
+ tests/ecdsa/Makefile
+ tests/key-id/Makefile
tests/openpgp-certs/Makefile
- tests/safe-renegotiation/Makefile
tests/pathlen/Makefile
tests/pkcs1-padding/Makefile
tests/pkcs12-decode/Makefile
tests/pkcs8-decode/Makefile
tests/rsa-md5-collision/Makefile
+ tests/safe-renegotiation/Makefile
+ tests/scripts/Makefile
tests/sha2/Makefile
- tests/userid/Makefile
- extra/Makefile
- extra/includes/Makefile
- lib/Makefile
- lib/gnutls.pc
- lib/includes/Makefile
- lib/includes/gnutls/gnutls.h
- lib/minitasn1/Makefile
- lib/opencdk/Makefile
- lib/openpgp/Makefile
- po/Makefile.in
- lib/x509/Makefile
- lib/nettle/Makefile
+ tests/slow/Makefile
tests/suite/Makefile
- lib/accelerated/Makefile
- lib/accelerated/x86/Makefile
- lib/ext/Makefile
- lib/algorithms/Makefile
- lib/auth/Makefile
+ tests/userid/Makefile
])
AC_OUTPUT
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 96e37c4..e369117 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -35,6 +35,7 @@ acceptable. The framework is illustrated on @ref{fig:x509}.
* Verifying a certificate in the context of TLS session::
* Certificate status::
* Certificate requests::
+* Certificate revocation lists::
* PKCS 12 structures::
@end menu
@@ -56,6 +57,9 @@ The field that indicates the version of the certificate.
@item serialNumber @tab
This field holds a unique serial number per certificate.
address@hidden signature @tab
+The issuing authority's signature.
+
@item issuer @tab
Holds the issuer's distinguished name.
@@ -419,6 +423,77 @@ which should return a signed certificate.
@anchor{ex:crq}
@verbatiminclude examples/ex-crq.c
address@hidden Certificate revocation lists
address@hidden Certificate revocation lists
address@hidden certificate revocation lists
address@hidden CRL
+
+A certificate revocation list (CRL) is a structure issued by an authority
+periodically containing a list of revoked certificates serial numbers.
+The CRL structure is signed with the issuing authorities' keys. A typical
+CRL contains the fields as shown in @ref{tab:crl}.
+Certificate revocation lists are used to complement the expiration date of a
certificate,
+in order to account for other reasons of revocation, such as compromised keys,
etc.
+
address@hidden,gnutls_x509_crl_deinit}
address@hidden,gnutls_x509_crl_export}
+
+A certificate request can be generated by
+associating it with a private key, setting the
+subject's information and finally self signing it.
+The last step ensures that the requester is in
+possession of the private key. Each CRL is valid for limited amount of
+time and is required to provide, except for the current issuing time, also
+the issuing time of the next update.
+
address@hidden Table,tab:crl
address@hidden @columnfractions .2 .7
+
address@hidden Field @tab Description
+
address@hidden version @tab
+The field that indicates the version of the CRL structure.
+
address@hidden signature @tab
+A signature by the issuing authority.
+
address@hidden issuer @tab
+Holds the issuer's distinguished name.
+
address@hidden thisUpdate @tab
+The issuing time of the revocation list.
+
address@hidden nextUpdate @tab
+The issuing time of the revocation list that will update that one.
+
address@hidden revokedCertificates @tab
+List of revoked certificates serial numbers.
+
address@hidden extensions @tab
+Optional CRL structure extensions.
+
address@hidden multitable
address@hidden revocation list fields.}
address@hidden float
+
+
address@hidden
address@hidden
+
address@hidden,gnutls_x509_crl_set_next_update,gnutls_x509_crl_set_this_update}
+
+The @funcref{gnutls_x509_crl_sign2} and @funcref{gnutls_x509_crl_privkey_sign}
+functions sign the revocation list with a private key. The latter function
+can be used to sign with a key residing in a PKCS #11 token.
+
address@hidden
address@hidden
+
+Few extensions on the CRL structure are supported, including the
+CRL number extension and the authority key identifier.
+
address@hidden,gnutls_x509_crl_set_authority_key_id}
+
@node PKCS 12 structures
@subsection @acronym{PKCS} #12 structures
@cindex PKCS #12
@@ -725,7 +800,7 @@ gnutls_privkey_t abs_key;
/* sign the certificate to be signed */
gnutls_x509_crt_privkey_sign(to_be_signed, ca_cert, ca_key,
- GNUTLS_DIG_SHA1, 0);
+ GNUTLS_DIG_SHA256, 0);
@}
@end example
diff --git a/doc/scripts/mytexi2latex b/doc/scripts/mytexi2latex
index 4b9518e..db333a0 100755
--- a/doc/scripts/mytexi2latex
+++ b/doc/scripts/mytexi2latex
@@ -262,12 +262,12 @@ multitable:
$mode = ITEMIZE;
push(@stack, NORMAL);
}
- if ($line =~ s/address@hidden
Figure\,(.*)/\\begin{figure}[htp]\n\\centering/g) {
+ if ($line =~ s/address@hidden
Figure\,(.*)/\\begin{figure}[htbp]\n\\centering/g) {
$label = $1;
push(@stack, NORMAL);
$mode = FLOAT;
}
- if ($line =~ s/address@hidden
Table\,(.*)/\\begin{table}[thp]\n\\centering/g) {
+ if ($line =~ s/address@hidden
Table\,(.*)/\\begin{table}[htbp]\n\\centering/g) {
$label = $1;
push(@stack, NORMAL);
$mode = FLOAT_TABLE;
diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
index 0a20025..ed89deb 100644
--- a/lib/crypto-backend.h
+++ b/lib/crypto-backend.h
@@ -245,6 +245,31 @@
* [8] is k (private key)
*/
+#define ECC_PRIME 0
+#define ECC_ORDER 1
+#define ECC_A 2
+#define ECC_B 3
+#define ECC_GX 4
+#define ECC_GY 5
+#define ECC_X 6
+#define ECC_Y 7
+#define ECC_K 8
+
+#define DSA_P 0
+#define DSA_Q 1
+#define DSA_G 2
+#define DSA_Y 3
+#define DSA_X 4
+
+#define RSA_MODULUS 0
+#define RSA_PUB 1
+#define RSA_PRIV 2
+#define RSA_PRIME1 3
+#define RSA_PRIME2 4
+#define RSA_COEF 5
+#define RSA_E1 6
+#define RSA_E2 7
+
/**
* gnutls_direction_t:
* @GNUTLS_IMPORT: Import direction.
@@ -276,6 +301,8 @@
int (*verify) (gnutls_pk_algorithm_t, const gnutls_datum_t * data,
const gnutls_datum_t * signature,
const gnutls_pk_params_st * pub);
+ int (*verify_params) (gnutls_pk_algorithm_t,
+ const gnutls_pk_params_st * pub);
int (*generate) (gnutls_pk_algorithm_t, unsigned int nbits,
gnutls_pk_params_st *);
/* this function should convert params to ones suitable
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 716b7c9..ed4ac8b 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -533,7 +533,7 @@ ciphertext_to_compressed (gnutls_session_t session,
return gnutls_assert_val(ret);
pad = ciphertext->data[ciphertext->size - 1] + 1; /* pad */
-
+
if ((int) pad > (int) ciphertext->size - tag_size)
{
gnutls_assert ();
@@ -544,13 +544,14 @@ ciphertext_to_compressed (gnutls_session_t session,
* the pad_failed. If zero means success.
*/
pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+ pad %= blocksize;
}
length = ciphertext->size - tag_size - pad;
/* Check the pading bytes (TLS 1.x)
*/
- if (ver != GNUTLS_SSL3 && pad_failed == 0)
+ if (ver != GNUTLS_SSL3)
for (i = 2; i < pad; i++)
{
if (ciphertext->data[ciphertext->size - i] !=
@@ -582,12 +583,9 @@ ciphertext_to_compressed (gnutls_session_t session,
/* This one was introduced to avoid a timing attack against the TLS
* 1.0 protocol.
*/
- if (pad_failed != 0)
- return gnutls_assert_val(pad_failed);
-
/* HMAC was not the same.
*/
- if (memcmp (tag, &ciphertext->data[length], tag_size) != 0)
+ if (memcmp (tag, &ciphertext->data[length], tag_size) != 0 || pad_failed !=
0)
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
/* copy the decrypted stuff to compress_data.
diff --git a/lib/gnutls_ecc.c b/lib/gnutls_ecc.c
index 4d85f9f..9c5a97a 100644
--- a/lib/gnutls_ecc.c
+++ b/lib/gnutls_ecc.c
@@ -122,7 +122,7 @@ int ret;
goto cleanup;
}
- ret = _gnutls_mpi_scan_nz(¶ms->params[0], val, val_size);
+ ret = _gnutls_mpi_scan_nz(¶ms->params[ECC_PRIME], val, val_size);
if (ret < 0)
{
gnutls_assert();
@@ -138,7 +138,7 @@ int ret;
goto cleanup;
}
- ret = _gnutls_mpi_scan_nz(¶ms->params[1], val, val_size);
+ ret = _gnutls_mpi_scan_nz(¶ms->params[ECC_ORDER], val, val_size);
if (ret < 0)
{
gnutls_assert();
@@ -154,7 +154,7 @@ int ret;
goto cleanup;
}
- ret = _gnutls_mpi_scan_nz(¶ms->params[2], val, val_size);
+ ret = _gnutls_mpi_scan_nz(¶ms->params[ECC_A], val, val_size);
if (ret < 0)
{
gnutls_assert();
@@ -170,7 +170,7 @@ int ret;
goto cleanup;
}
- ret = _gnutls_mpi_scan_nz(¶ms->params[3], val, val_size);
+ ret = _gnutls_mpi_scan_nz(¶ms->params[ECC_B], val, val_size);
if (ret < 0)
{
gnutls_assert();
@@ -186,7 +186,7 @@ int ret;
goto cleanup;
}
- ret = _gnutls_mpi_scan_nz(¶ms->params[4], val, val_size);
+ ret = _gnutls_mpi_scan_nz(¶ms->params[ECC_GX], val, val_size);
if (ret < 0)
{
gnutls_assert();
@@ -202,7 +202,7 @@ int ret;
goto cleanup;
}
- ret = _gnutls_mpi_scan_nz(¶ms->params[5], val, val_size);
+ ret = _gnutls_mpi_scan_nz(¶ms->params[ECC_GY], val, val_size);
if (ret < 0)
{
gnutls_assert();
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 0084a88..b978d1d 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -176,6 +176,8 @@ static const gnutls_error_entry error_algorithms[] = {
ERROR_ENTRY (N_("The cookie was bad."), GNUTLS_E_BAD_COOKIE, 1),
ERROR_ENTRY (N_("An illegal parameter has been received."),
GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1),
+ ERROR_ENTRY (N_("An illegal parameter was found."),
+ GNUTLS_E_ILLEGAL_PARAMETER, 1),
ERROR_ENTRY (N_("Error while reading file."), GNUTLS_E_FILE_ERROR, 1),
ERROR_ENTRY (N_("ASN1 parser: Element was not found."),
diff --git a/lib/gnutls_errors.h b/lib/gnutls_errors.h
index 8f1c05d..9907c63 100644
--- a/lib/gnutls_errors.h
+++ b/lib/gnutls_errors.h
@@ -58,10 +58,10 @@ _gnutls_audit_log (gnutls_session_t, const char *fmt, ...)
void _gnutls_mpi_log (const char *prefix, bigint_t a);
#ifdef C99_MACROS
-#define LEVEL(l, ...) do { if (_gnutls_log_level >= l || _gnutls_log_level >
9) \
+#define LEVEL(l, ...) do { if (unlikely(_gnutls_log_level >= l ||
_gnutls_log_level > 9)) \
_gnutls_log( l, __VA_ARGS__); } while(0)
-#define LEVEL_EQ(l, ...) do { if (_gnutls_log_level == l || _gnutls_log_level
> 9) \
+#define LEVEL_EQ(l, ...) do { if (unlikely(_gnutls_log_level == l ||
_gnutls_log_level > 9)) \
_gnutls_log( l, __VA_ARGS__); } while(0)
#define _gnutls_debug_log(...) LEVEL(2, __VA_ARGS__)
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 3c888fa..92acdd2 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -58,6 +58,21 @@ typedef int ssize_t;
# define memxor gl_memxor
#endif
+#ifdef __GNUC__
+# ifndef _GNUTLS_GCC_VERSION
+# define _GNUTLS_GCC_VERSION (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 +
__GNUC_PATCHLEVEL__)
+# endif
+# if _GNUTLS_GCC_VERSION >= 30100
+# define likely(x) __builtin_expect((x), 1)
+# define unlikely(x) __builtin_expect((x), 0)
+# endif
+#endif
+
+#ifndef likely
+# define likely
+# define unlikely
+#endif
+
/* some systems had problems with long long int, thus,
* it is not used.
*/
@@ -141,9 +156,6 @@ typedef struct
/* expire time for resuming sessions */
#define DEFAULT_EXPIRE_TIME 3600
-/* printing period of messages */
-#define PRINT_MESSAGE_PERIOD 30
-
typedef enum transport_t
{
GNUTLS_STREAM,
@@ -628,7 +640,6 @@ typedef struct
/* last retransmission triggered by record layer */
time_t last_retransmit;
unsigned int packets_dropped;
- time_t last_print;
} dtls_st;
diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c
index e80c380..59eb947 100644
--- a/lib/gnutls_pk.c
+++ b/lib/gnutls_pk.c
@@ -489,41 +489,6 @@ gnutls_pk_params_release (gnutls_pk_params_st * p)
}
int
-_gnutls_calc_rsa_exp (gnutls_pk_params_st* params)
-{
- bigint_t tmp = _gnutls_mpi_alloc_like (params->params[0]);
-
- if (params->params_nr < RSA_PRIVATE_PARAMS - 2)
- {
- gnutls_assert ();
- return GNUTLS_E_INTERNAL_ERROR;
- }
-
- if (tmp == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- /* [6] = d % p-1, [7] = d % q-1 */
- _gnutls_mpi_sub_ui (tmp, params->params[3], 1);
- params->params[6] = _gnutls_mpi_mod (params->params[2] /*d */ , tmp);
-
- _gnutls_mpi_sub_ui (tmp, params->params[4], 1);
- params->params[7] = _gnutls_mpi_mod (params->params[2] /*d */ , tmp);
-
- _gnutls_mpi_release (&tmp);
-
- if (params->params[7] == NULL || params->params[6] == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- return 0;
-}
-
-int
_gnutls_pk_get_hash_algorithm (gnutls_pk_algorithm_t pk,
gnutls_pk_params_st* params,
gnutls_digest_algorithm_t * dig,
diff --git a/lib/gnutls_pk.h b/lib/gnutls_pk.h
index 6c192da..26a91ac 100644
--- a/lib/gnutls_pk.h
+++ b/lib/gnutls_pk.h
@@ -30,6 +30,7 @@ extern gnutls_crypto_pk_st _gnutls_pk_ops;
#define _gnutls_pk_decrypt( algo, ciphertext, plaintext, params)
_gnutls_pk_ops.decrypt( algo, ciphertext, plaintext, params)
#define _gnutls_pk_sign( algo, sig, data, params) _gnutls_pk_ops.sign( algo,
sig, data, params)
#define _gnutls_pk_verify( algo, data, sig, params) _gnutls_pk_ops.verify(
algo, data, sig, params)
+#define _gnutls_pk_verify_params( algo, params) _gnutls_pk_ops.verify_params(
algo, params)
#define _gnutls_pk_derive( algo, out, pub, priv) _gnutls_pk_ops.derive( algo,
out, pub, priv)
#define _gnutls_pk_generate( algo, bits, priv) _gnutls_pk_ops.generate( algo,
bits, priv)
@@ -65,8 +66,6 @@ int
_gnutls_decode_ber_rs (const gnutls_datum_t * sig_value, bigint_t * r,
bigint_t * s);
-int _gnutls_calc_rsa_exp (gnutls_pk_params_st*);
-
int _gnutls_pk_get_hash_algorithm (gnutls_pk_algorithm_t pk,
gnutls_pk_params_st*,
gnutls_digest_algorithm_t * dig,
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index fbbaa57..f9d8d2f 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -740,7 +740,7 @@ gnutls_pubkey_get_pk_ecc_raw (gnutls_pubkey_t key,
gnutls_ecc_curve_t *curve,
*curve = key->params.flags;
/* X */
- ret = _gnutls_mpi_dprint_lz (key->params.params[6], x);
+ ret = _gnutls_mpi_dprint_lz (key->params.params[ECC_X], x);
if (ret < 0)
{
gnutls_assert ();
@@ -748,7 +748,7 @@ gnutls_pubkey_get_pk_ecc_raw (gnutls_pubkey_t key,
gnutls_ecc_curve_t *curve,
}
/* Y */
- ret = _gnutls_mpi_dprint_lz (key->params.params[7], y);
+ ret = _gnutls_mpi_dprint_lz (key->params.params[ECC_Y], y);
if (ret < 0)
{
gnutls_assert ();
@@ -1137,7 +1137,7 @@ gnutls_pubkey_import_ecc_raw (gnutls_pubkey_t key,
if (ret < 0)
return gnutls_assert_val(ret);
- if (_gnutls_mpi_scan_nz (&key->params.params[6], x->data, x->size))
+ if (_gnutls_mpi_scan_nz (&key->params.params[ECC_X], x->data, x->size))
{
gnutls_assert ();
ret = GNUTLS_E_MPI_SCAN_FAILED;
@@ -1145,7 +1145,7 @@ gnutls_pubkey_import_ecc_raw (gnutls_pubkey_t key,
}
key->params.params_nr++;
- if (_gnutls_mpi_scan_nz (&key->params.params[7], y->data, y->size))
+ if (_gnutls_mpi_scan_nz (&key->params.params[ECC_Y], y->data, y->size))
{
gnutls_assert ();
ret = GNUTLS_E_MPI_SCAN_FAILED;
@@ -1199,7 +1199,7 @@ gnutls_pubkey_import_ecc_x962 (gnutls_pubkey_t key,
}
ret = _gnutls_ecc_ansi_x963_import(ecpoint->data, ecpoint->size,
- &key->params.params[6], &key->params.params[7]);
+ &key->params.params[ECC_X], &key->params.params[ECC_Y]);
if (ret < 0)
{
gnutls_assert ();
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index 3b89c35..4ff2951 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -1020,7 +1020,8 @@ begin:
ret = _dtls_record_check(session, packet_sequence);
if (ret < 0)
{
- gnutls_assert();
+ _gnutls_audit_log(session, "Discarded duplicate message[%u]\n",
+ (unsigned int) _gnutls_uint64touint32 (packet_sequence));
goto sanity_check_error;
}
}
@@ -1087,15 +1088,8 @@ discard:
sanity_check_error:
if (IS_DTLS(session))
{
- time_t now = time(0);
- session->internals.dtls.packets_dropped++;
-
- if (now - session->internals.dtls.last_print < PRINT_MESSAGE_PERIOD)
- {
- session->internals.dtls.last_print = now;
- _gnutls_audit_log(session, "Discarded %u messages (duplicates or
invalid decryption)\n",
- (unsigned int)session->internals.dtls.packets_dropped);
- }
+ _gnutls_audit_log(session, "Discarded message[%u] due to invalid
decryption\n",
+ (unsigned int)_gnutls_uint64touint32 (packet_sequence));
ret = gnutls_assert_val(GNUTLS_E_AGAIN);
goto cleanup;
}
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 43602cc..3c12508 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -425,10 +425,6 @@ gnutls_deinit (gnutls_session_t session)
if (session == NULL)
return;
- if (IS_DTLS(session) && session->internals.dtls.packets_dropped > 0)
- _gnutls_audit_log(session, "Discarded %u messages (duplicates or invalid
decryption)\n",
- (unsigned int)session->internals.dtls.packets_dropped);
-
/* remove auth info firstly */
_gnutls_free_auth_info (session);
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 77dd47e..f6395e2 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1793,6 +1793,7 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t
session);
#define GNUTLS_E_ECC_UNSUPPORTED_CURVE -322
#define GNUTLS_E_PKCS11_REQUESTED_OBJECT_NOT_AVAILBLE -323
#define GNUTLS_E_CERTIFICATE_LIST_UNSORTED -324
+#define GNUTLS_E_ILLEGAL_PARAMETER -325
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 55fdd31..2ade033 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -735,6 +735,7 @@ extern "C"
int gnutls_x509_privkey_generate (gnutls_x509_privkey_t key,
gnutls_pk_algorithm_t algo,
unsigned int bits, unsigned int flags);
+ int gnutls_x509_privkey_verify_params (gnutls_x509_privkey_t key);
int gnutls_x509_privkey_export (gnutls_x509_privkey_t key,
gnutls_x509_crt_fmt_t format,
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 322045a..eeee9b2 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -755,6 +755,7 @@ GNUTLS_3_0_0 {
gnutls_srp_3072_group_prime;
gnutls_srp_4096_group_generator;
gnutls_srp_4096_group_prime;
+ gnutls_x509_privkey_verify_params;
} GNUTLS_2_12;
GNUTLS_PRIVATE {
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 826c27b..5221aa6 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -86,15 +86,15 @@ _ecc_params_to_privkey(const gnutls_pk_params_st *
pk_params,
ecc_key * priv)
{
priv->type = PK_PRIVATE;
- memcpy(&priv->prime, pk_params->params[0], sizeof(mpz_t));
- memcpy(&priv->order, pk_params->params[1], sizeof(mpz_t));
- memcpy(&priv->A, pk_params->params[2], sizeof(mpz_t));
- memcpy(&priv->B, pk_params->params[3], sizeof(mpz_t));
- memcpy(&priv->Gx, pk_params->params[4], sizeof(mpz_t));
- memcpy(&priv->Gy, pk_params->params[5], sizeof(mpz_t));
- memcpy(&priv->pubkey.x, pk_params->params[6], sizeof(mpz_t));
- memcpy(&priv->pubkey.y, pk_params->params[7], sizeof(mpz_t));
- memcpy(&priv->k, pk_params->params[8], sizeof(mpz_t));
+ memcpy(&priv->prime, pk_params->params[ECC_PRIME], sizeof(mpz_t));
+ memcpy(&priv->order, pk_params->params[ECC_ORDER], sizeof(mpz_t));
+ memcpy(&priv->A, pk_params->params[ECC_A], sizeof(mpz_t));
+ memcpy(&priv->B, pk_params->params[ECC_B], sizeof(mpz_t));
+ memcpy(&priv->Gx, pk_params->params[ECC_GX], sizeof(mpz_t));
+ memcpy(&priv->Gy, pk_params->params[ECC_GY], sizeof(mpz_t));
+ memcpy(&priv->pubkey.x, pk_params->params[ECC_X], sizeof(mpz_t));
+ memcpy(&priv->pubkey.y, pk_params->params[ECC_Y], sizeof(mpz_t));
+ memcpy(&priv->k, pk_params->params[ECC_K], sizeof(mpz_t));
mpz_init_set_ui(priv->pubkey.z, 1);
}
@@ -108,14 +108,14 @@ _ecc_params_to_pubkey(const gnutls_pk_params_st *
pk_params,
ecc_key * pub)
{
pub->type = PK_PUBLIC;
- memcpy(&pub->prime, pk_params->params[0], sizeof(mpz_t));
- memcpy(&pub->order, pk_params->params[1], sizeof(mpz_t));
- memcpy(&pub->A, pk_params->params[2], sizeof(mpz_t));
- memcpy(&pub->B, pk_params->params[3], sizeof(mpz_t));
- memcpy(&pub->Gx, pk_params->params[4], sizeof(mpz_t));
- memcpy(&pub->Gy, pk_params->params[5], sizeof(mpz_t));
- memcpy(&pub->pubkey.x, pk_params->params[6], sizeof(mpz_t));
- memcpy(&pub->pubkey.y, pk_params->params[7], sizeof(mpz_t));
+ memcpy(&pub->prime, pk_params->params[ECC_PRIME], sizeof(mpz_t));
+ memcpy(&pub->order, pk_params->params[ECC_ORDER], sizeof(mpz_t));
+ memcpy(&pub->A, pk_params->params[ECC_A], sizeof(mpz_t));
+ memcpy(&pub->B, pk_params->params[ECC_B], sizeof(mpz_t));
+ memcpy(&pub->Gx, pk_params->params[ECC_GX], sizeof(mpz_t));
+ memcpy(&pub->Gy, pk_params->params[ECC_GY], sizeof(mpz_t));
+ memcpy(&pub->pubkey.x, pk_params->params[ECC_X], sizeof(mpz_t));
+ memcpy(&pub->pubkey.y, pk_params->params[ECC_Y], sizeof(mpz_t));
mpz_init_set_ui(pub->pubkey.z, 1);
}
@@ -136,12 +136,12 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t
algo, gnutls_datum_t * o
out->data = NULL;
if (is_supported_curve(curve) == 0)
- return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES);
+ return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
_ecc_params_to_pubkey(pub, &ecc_pub);
_ecc_params_to_privkey(priv, &ecc_priv);
- if (ecc_projective_check_point(&ecc_pub.pubkey, pub->params[3],
pub->params[0]) != 0)
+ if (ecc_projective_check_point(&ecc_pub.pubkey, pub->params[ECC_B],
pub->params[ECC_PRIME]) != 0)
{
ret = gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
goto ecc_cleanup;
@@ -792,7 +792,7 @@ rsa_fail:
st = _gnutls_ecc_curve_get_params(level);
if (st == NULL)
- return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES);
+ return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
tls_ecc_set.size = st->size;
tls_ecc_set.prime = st->prime;
@@ -819,15 +819,15 @@ rsa_fail:
}
params->flags = level;
- mpz_set(TOMPZ(params->params[0]), key.prime);
- mpz_set(TOMPZ(params->params[1]), key.order);
- mpz_set(TOMPZ(params->params[2]), key.A);
- mpz_set(TOMPZ(params->params[3]), key.B);
- mpz_set(TOMPZ(params->params[4]), key.Gx);
- mpz_set(TOMPZ(params->params[5]), key.Gy);
- mpz_set(TOMPZ(params->params[6]), key.pubkey.x);
- mpz_set(TOMPZ(params->params[7]), key.pubkey.y);
- mpz_set(TOMPZ(params->params[8]), key.k);
+ mpz_set(TOMPZ(params->params[ECC_PRIME]), key.prime);
+ mpz_set(TOMPZ(params->params[ECC_ORDER]), key.order);
+ mpz_set(TOMPZ(params->params[ECC_A]), key.A);
+ mpz_set(TOMPZ(params->params[ECC_B]), key.B);
+ mpz_set(TOMPZ(params->params[ECC_GX]), key.Gx);
+ mpz_set(TOMPZ(params->params[ECC_GY]), key.Gy);
+ mpz_set(TOMPZ(params->params[ECC_X]), key.pubkey.x);
+ mpz_set(TOMPZ(params->params[ECC_Y]), key.pubkey.y);
+ mpz_set(TOMPZ(params->params[ECC_K]), key.k);
ecc_fail:
ecc_free(&key);
@@ -855,6 +855,194 @@ fail:
return ret;
}
+static int
+wrap_nettle_pk_verify_params (gnutls_pk_algorithm_t algo,
+ const gnutls_pk_params_st * params)
+{
+ int ret;
+
+ switch (algo)
+ {
+ case GNUTLS_PK_RSA:
+ {
+ bigint_t t1 = NULL, t2 = NULL;
+
+ if (params->params_nr != RSA_PRIVATE_PARAMS)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+ t1 = _gnutls_mpi_new (256);
+ if (t1 == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ _gnutls_mpi_mulm (t1, params->params[RSA_PRIME1],
params->params[RSA_PRIME2], params->params[RSA_MODULUS]);
+ if (_gnutls_mpi_cmp_ui(t1, 0) != 0)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto rsa_cleanup;
+ }
+
+ mpz_invert (TOMPZ(t1), TOMPZ (params->params[RSA_PRIME2]), TOMPZ
(params->params[RSA_PRIME1]));
+ if (_gnutls_mpi_cmp(t1, params->params[RSA_COEF]) != 0)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto rsa_cleanup;
+ }
+
+ /* [RSA_PRIME1] = d % p-1, [RSA_PRIME2] = d % q-1 */
+ _gnutls_mpi_sub_ui (t1, params->params[RSA_PRIME1], 1);
+ t2 = _gnutls_mpi_mod (params->params[RSA_PRIV], t1);
+ if (t2 == NULL)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ goto rsa_cleanup;
+ }
+
+ if (_gnutls_mpi_cmp(params->params[RSA_E1], t2) != 0)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto rsa_cleanup;
+ }
+
+ _gnutls_mpi_sub_ui (t1, params->params[RSA_PRIME2], 1);
+ _gnutls_mpi_release(&t2);
+
+ t2 = _gnutls_mpi_mod (params->params[RSA_PRIV], t1);
+ if (t2 == NULL)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ goto rsa_cleanup;
+ }
+
+ if (_gnutls_mpi_cmp(params->params[RSA_E2], t2) != 0)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto rsa_cleanup;
+ }
+
+ ret = 0;
+
+rsa_cleanup:
+ _gnutls_mpi_release(&t1);
+ _gnutls_mpi_release(&t2);
+ }
+
+ break;
+ case GNUTLS_PK_DSA:
+ {
+ bigint_t t1 = NULL;
+
+ if (params->params_nr != DSA_PRIVATE_PARAMS)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+ t1 = _gnutls_mpi_new (256);
+ if (t1 == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ _gnutls_mpi_powm (t1, params->params[DSA_G], params->params[DSA_X],
params->params[DSA_P]);
+
+ if (_gnutls_mpi_cmp(t1, params->params[DSA_Y]) != 0)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto dsa_cleanup;
+ }
+
+ ret = 0;
+
+dsa_cleanup:
+ _gnutls_mpi_release(&t1);
+ }
+
+ break;
+ case GNUTLS_PK_ECC:
+ {
+ int curve = params->flags;
+ ecc_key ecc_priv;
+ ecc_point *R;
+ ecc_point zero;
+
+ if (params->params_nr != ECC_PRIVATE_PARAMS)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+ if (is_supported_curve(curve) == 0)
+ return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
+
+ _ecc_params_to_privkey(params, &ecc_priv);
+ R = ecc_new_point();
+
+ /* verify that x,y lie on the curve */
+ ret = ecc_projective_check_point(&ecc_priv.pubkey,
TOMPZ(params->params[ECC_B]), params->params[ECC_PRIME]);
+ if (ret != 0)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto ecc_cleanup;
+ }
+
+ memcpy(&zero.x, ecc_priv.Gx, sizeof(mpz_t));
+ memcpy(&zero.y, ecc_priv.Gy, sizeof(mpz_t));
+ memcpy(&zero.z, ecc_priv.pubkey.z, sizeof(mpz_t)); /* z = 1 */
+
+ /* verify that k*(Gx,Gy)=(x,y) */
+ ret = ecc_mulmod(ecc_priv.k, &zero, R, TOMPZ(params->params[ECC_A]),
TOMPZ(params->params[ECC_PRIME]), 1);
+ if (ret != 0)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto ecc_cleanup;
+ }
+
+ if (mpz_cmp(ecc_priv.pubkey.x, R->x) != 0 ||
mpz_cmp(ecc_priv.pubkey.y, R->y) != 0)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ goto ecc_cleanup;
+ }
+
+ ret = 0;
+
+ecc_cleanup:
+ _ecc_params_clear(&ecc_priv);
+ ecc_del_point(R);
+ }
+ break;
+ default:
+ ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+
+ return ret;
+}
+
+static int calc_rsa_exp (gnutls_pk_params_st* params)
+{
+ bigint_t tmp = _gnutls_mpi_alloc_like (params->params[0]);
+
+ if (params->params_nr < RSA_PRIVATE_PARAMS - 2)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+ if (tmp == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ /* [6] = d % p-1, [7] = d % q-1 */
+ _gnutls_mpi_sub_ui (tmp, params->params[3], 1);
+ params->params[6] = _gnutls_mpi_mod (params->params[2] /*d */ , tmp);
+
+ _gnutls_mpi_sub_ui (tmp, params->params[4], 1);
+ params->params[7] = _gnutls_mpi_mod (params->params[2] /*d */ , tmp);
+
+ _gnutls_mpi_release (&tmp);
+
+ if (params->params[7] == NULL || params->params[6] == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ return 0;
+}
+
static int
wrap_nettle_pk_fixup (gnutls_pk_algorithm_t algo,
@@ -870,14 +1058,14 @@ wrap_nettle_pk_fixup (gnutls_pk_algorithm_t algo,
* old but it seemed some of the shipped example private
* keys were as old.
*/
- mpz_invert (TOMPZ (params->params[5]),
- TOMPZ (params->params[4]), TOMPZ (params->params[3]));
+ mpz_invert (TOMPZ (params->params[RSA_COEF]),
+ TOMPZ (params->params[RSA_PRIME2]), TOMPZ
(params->params[RSA_PRIME1]));
/* calculate exp1 [6] and exp2 [7] */
- _gnutls_mpi_release (¶ms->params[6]);
- _gnutls_mpi_release (¶ms->params[7]);
+ _gnutls_mpi_release (¶ms->params[RSA_E1]);
+ _gnutls_mpi_release (¶ms->params[RSA_E2]);
- result = _gnutls_calc_rsa_exp (params);
+ result = calc_rsa_exp (params);
if (result < 0)
{
gnutls_assert ();
@@ -896,6 +1084,7 @@ gnutls_crypto_pk_st _gnutls_pk_ops = {
.decrypt = _wrap_nettle_pk_decrypt,
.sign = _wrap_nettle_pk_sign,
.verify = _wrap_nettle_pk_verify,
+ .verify_params = wrap_nettle_pk_verify_params,
.generate = wrap_nettle_pk_generate_params,
.pk_fixup_private_params = wrap_nettle_pk_fixup,
.derive = _wrap_nettle_pk_derive,
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 8d867fb..005b92d 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -447,7 +447,7 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url,
goto cleanup;
}
- ret = _gnutls_mpi_dprint_lz(&key->params.params[8], &x);
+ ret = _gnutls_mpi_dprint_lz(&key->params.params[ECC_K], &x);
if (ret < 0)
{
gnutls_assert ();
diff --git a/lib/x509/crl_write.c b/lib/x509/crl_write.c
index 8a38071..8fd9f18 100644
--- a/lib/x509/crl_write.c
+++ b/lib/x509/crl_write.c
@@ -335,7 +335,9 @@ disable_optional_stuff (gnutls_x509_crl_t crl)
* @id_size: Holds the size of the serial field.
*
* This function will set the CRL's authority key ID extension. Only
- * the keyIdentifier field can be set with this function.
+ * the keyIdentifier field can be set with this function. This may
+ * be used by an authority that holds multiple private keys, to distinguish
+ * the used key.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
@@ -399,7 +401,9 @@ gnutls_x509_crl_set_authority_key_id (gnutls_x509_crl_t crl,
* @nr: The CRL number
* @nr_size: Holds the size of the nr field.
*
- * This function will set the CRL's number extension.
+ * This function will set the CRL's number extension. This
+ * is to be used as a unique and monotonic number assigned to
+ * the CRL by the authority.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
diff --git a/lib/x509/key_decode.c b/lib/x509/key_decode.c
index 7d430e8..8383a94 100644
--- a/lib/x509/key_decode.c
+++ b/lib/x509/key_decode.c
@@ -102,8 +102,8 @@ _gnutls_x509_read_ecc_pubkey (opaque * der, int dersize,
gnutls_pk_params_st * p
/* Eventhough RFC5480 defines the public key to be an ECPoint (i.e. OCTET
STRING),
* it is actually copied in raw there. Why do they use ASN.1 anyway?
*/
- return _gnutls_ecc_ansi_x963_import (der, dersize, ¶ms->params[6],
- ¶ms->params[7]);
+ return _gnutls_ecc_ansi_x963_import (der, dersize, ¶ms->params[ECC_X],
+ ¶ms->params[ECC_Y]);
}
diff --git a/lib/x509/key_encode.c b/lib/x509/key_encode.c
index 1caf721..926148a 100644
--- a/lib/x509/key_encode.c
+++ b/lib/x509/key_encode.c
@@ -118,7 +118,7 @@ _gnutls_x509_write_ecc_pubkey (gnutls_pk_params_st * params,
if (params->params_nr < ECC_PUBLIC_PARAMS)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- result = _gnutls_ecc_ansi_x963_export(params->flags, params->params[6],
params->params[7], /*&out*/der);
+ result = _gnutls_ecc_ansi_x963_export(params->flags, params->params[ECC_X],
params->params[ECC_Y], /*&out*/der);
if (result < 0)
return gnutls_assert_val(result);
@@ -580,7 +580,7 @@ _gnutls_asn1_encode_ecc (ASN1_TYPE * c2,
gnutls_pk_params_st * params)
if (params->params_nr != ECC_PRIVATE_PARAMS || oid == NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- ret = _gnutls_ecc_ansi_x963_export(params->flags, params->params[6],
params->params[7], &pubkey);
+ ret = _gnutls_ecc_ansi_x963_export(params->flags, params->params[ECC_X],
params->params[ECC_Y], &pubkey);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -610,7 +610,7 @@ _gnutls_asn1_encode_ecc (ASN1_TYPE * c2,
gnutls_pk_params_st * params)
goto cleanup;
}
- ret = _gnutls_x509_write_int (*c2, "privateKey", params->params[7], 1);
+ ret = _gnutls_x509_write_int (*c2, "privateKey", params->params[ECC_K], 1);
if (ret < 0)
{
gnutls_assert ();
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index f7d7f3d..8e42dd4 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -307,8 +307,8 @@ _gnutls_privkey_decode_ecc_key (const gnutls_datum_t *
raw_key,
goto error;
}
- ret = _gnutls_ecc_ansi_x963_import (out.data, out.size,
&pkey->params.params[6],
- &pkey->params.params[7]);
+ ret = _gnutls_ecc_ansi_x963_import (out.data, out.size,
&pkey->params.params[ECC_X],
+ &pkey->params.params[ECC_Y]);
_gnutls_free_datum(&out);
if (ret < 0)
@@ -319,7 +319,7 @@ _gnutls_privkey_decode_ecc_key (const gnutls_datum_t *
raw_key,
pkey->params.params_nr += 2;
/* read the private key */
- ret = _gnutls_x509_read_int (pkey_asn, "privateKey",
&pkey->params.params[8]);
+ ret = _gnutls_x509_read_int (pkey_asn, "privateKey",
&pkey->params.params[ECC_K]);
if (ret < 0)
{
gnutls_assert();
@@ -860,7 +860,7 @@ gnutls_x509_privkey_import_ecc_raw (gnutls_x509_privkey_t
key,
if (ret < 0)
return gnutls_assert_val(ret);
- if (_gnutls_mpi_scan_nz (&key->params.params[6], x->data, x->size))
+ if (_gnutls_mpi_scan_nz (&key->params.params[ECC_X], x->data, x->size))
{
gnutls_assert ();
ret = GNUTLS_E_MPI_SCAN_FAILED;
@@ -868,7 +868,7 @@ gnutls_x509_privkey_import_ecc_raw (gnutls_x509_privkey_t
key,
}
key->params.params_nr++;
- if (_gnutls_mpi_scan_nz (&key->params.params[7], y->data, y->size))
+ if (_gnutls_mpi_scan_nz (&key->params.params[ECC_Y], y->data, y->size))
{
gnutls_assert ();
ret = GNUTLS_E_MPI_SCAN_FAILED;
@@ -876,7 +876,7 @@ gnutls_x509_privkey_import_ecc_raw (gnutls_x509_privkey_t
key,
}
key->params.params_nr++;
- if (_gnutls_mpi_scan_nz (&key->params.params[8], k->data, k->size))
+ if (_gnutls_mpi_scan_nz (&key->params.params[ECC_K], k->data, k->size))
{
gnutls_assert ();
ret = GNUTLS_E_MPI_SCAN_FAILED;
@@ -1022,7 +1022,7 @@ int gnutls_x509_privkey_export_ecc_raw
(gnutls_x509_privkey_t key,
*curve = key->params.flags;
/* X */
- ret = _gnutls_mpi_dprint_lz (key->params.params[6], x);
+ ret = _gnutls_mpi_dprint_lz (key->params.params[ECC_X], x);
if (ret < 0)
{
gnutls_assert ();
@@ -1030,7 +1030,7 @@ int gnutls_x509_privkey_export_ecc_raw
(gnutls_x509_privkey_t key,
}
/* Y */
- ret = _gnutls_mpi_dprint_lz (key->params.params[7], y);
+ ret = _gnutls_mpi_dprint_lz (key->params.params[ECC_Y], y);
if (ret < 0)
{
gnutls_assert ();
@@ -1040,7 +1040,7 @@ int gnutls_x509_privkey_export_ecc_raw
(gnutls_x509_privkey_t key,
/* K */
- ret = _gnutls_mpi_dprint_lz (key->params.params[8], k);
+ ret = _gnutls_mpi_dprint_lz (key->params.params[ECC_K], k);
if (ret < 0)
{
gnutls_assert ();
@@ -1306,12 +1306,10 @@ gnutls_x509_privkey_export_dsa_raw
(gnutls_x509_privkey_t key,
return 0;
}
-
-
/**
* gnutls_x509_privkey_generate:
* @key: should contain a #gnutls_x509_privkey_t structure
- * @algo: is one of RSA or DSA.
+ * @algo: is one of the algorithms in #gnutls_pk_algorithm_t.
* @bits: the size of the modulus
* @flags: unused for now. Must be 0.
*
@@ -1366,6 +1364,30 @@ cleanup:
}
/**
+ * gnutls_x509_privkey_verify_params:
+ * @key: should contain a #gnutls_x509_privkey_t structure
+ *
+ * This function will verify the private key parameters.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_x509_privkey_verify_params (gnutls_x509_privkey_t key)
+{
+ int ret;
+
+ ret = _gnutls_pk_verify_params (key->pk_algorithm, &key->params);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ return 0;
+}
+
+/**
* gnutls_x509_privkey_get_key_id:
* @key: Holds the key
* @flags: should be 0 for now
diff --git a/m4/hooks.m4 b/m4/hooks.m4
index 4d6e9c7..f8621de 100644
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -40,9 +40,9 @@ AC_DEFUN([LIBGNUTLS_HOOKS],
# Interfaces changed/added/removed: CURRENT++ REVISION=0
# Interfaces added: AGE++
# Interfaces removed: AGE=0
- AC_SUBST(LT_CURRENT, 30)
- AC_SUBST(LT_REVISION, 3)
- AC_SUBST(LT_AGE, 2)
+ AC_SUBST(LT_CURRENT, 31)
+ AC_SUBST(LT_REVISION, 0)
+ AC_SUBST(LT_AGE, 3)
AC_SUBST(LT_SSL_CURRENT, 27)
AC_SUBST(LT_SSL_REVISION, 1)
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index eda7391..f194e32 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -1,6 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
- * Software Foundation, Inc.
+ * Copyright (C) 2004-2011 Free Software Foundation, Inc.
*
* This file is part of GnuTLS.
*
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 9f87ae8..e8f806a 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -1,6 +1,5 @@
/*
- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
- * 2011 Free Software Foundation, Inc.
+ * Copyright (C) 2003-2011 Free Software Foundation, Inc.
*
* This file is part of GnuTLS.
*
diff --git a/src/certtool.c b/src/certtool.c
index 824165a..1988aff 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1,6 +1,5 @@
/*
- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
- * 2011 Free Software Foundation, Inc.
+ * Copyright (C) 2003-2011 Free Software Foundation, Inc.
*
* This file is part of GnuTLS.
*
@@ -223,6 +222,10 @@ generate_private_key_int (void)
if (ret < 0)
error (EXIT_FAILURE, 0, "privkey_generate: %s", gnutls_strerror (ret));
+ ret = gnutls_x509_privkey_verify_params (key);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "privkey_verify_params: %s", gnutls_strerror
(ret));
+
return key;
}
@@ -1561,6 +1564,16 @@ print_crq_info (gnutls_x509_crq_t crq, FILE * out)
gnutls_free (cinfo.data);
}
+
+ ret = gnutls_x509_crq_verify(crq, 0);
+ if (ret < 0)
+ {
+ fprintf(out, "Self signature: FAILED\n\n");
+ }
+ else
+ {
+ fprintf(out, "Self signature: verified\n\n");
+ }
size = buffer_size;
ret = gnutls_x509_crq_export (crq, info.outcert_format, buffer, &size);
@@ -1728,9 +1741,12 @@ privkey_info (void)
if (ret < 0)
error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
-
privkey_info_int (key);
+ ret = gnutls_x509_privkey_verify_params (key);
+ if (ret < 0)
+ fprintf (outfile, "\n** Private key parameters validation failed **\n\n");
+
if (info.fix_key != 0)
{
ret = gnutls_x509_privkey_fix (key);
@@ -1935,7 +1951,6 @@ static int detailed_verification(gnutls_x509_crt_t cert,
size_t issuer_name_size;
int ret;
-
issuer_name_size = sizeof (issuer_name);
ret =
gnutls_x509_crt_get_issuer_dn (cert, issuer_name, &issuer_name_size);
@@ -2090,8 +2105,8 @@ _verify_x509_mem (const void *cert, int cert_size, const
void* ca, int ca_size)
gnutls_free(x509_cert_list);
gnutls_x509_trust_list_deinit(list, 1);
- if (ret < 0)
- error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret));
+ if (output != 0)
+ exit(EXIT_FAILURE);
return 0;
}
diff --git a/src/psk.c b/src/psk.c
index 85011be..f981577 100644
--- a/src/psk.c
+++ b/src/psk.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2007, 2008, 2009, 2010 Free Software Foundation, Inc.
+ * Copyright (C) 2005-2011 Free Software Foundation, Inc.
*
* This file is part of GnuTLS.
*
diff --git a/src/srptool.c b/src/srptool.c
index 8575046..c7128c8 100644
--- a/src/srptool.c
+++ b/src/srptool.c
@@ -1,6 +1,5 @@
/*
- * Copyright (C) 2001, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
- * Free Software Foundation, Inc.
+ * Copyright (C) 2001-2011 Free Software Foundation, Inc.
*
* This file is part of GnuTLS.
*
diff --git a/src/tests.c b/src/tests.c
index 616053d..087ea82 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -1,6 +1,5 @@
/*
- * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2006, 2007, 2008, 2009,
- * 2010 Free Software Foundation, Inc.
+ * Copyright (C) 2000-2011 Free Software Foundation, Inc.
*
* This file is part of GnuTLS.
*
diff --git a/src/tls_test.c b/src/tls_test.c
index 0c9cfd7..8bd8eb2 100644
--- a/src/tls_test.c
+++ b/src/tls_test.c
@@ -1,6 +1,5 @@
/*
- * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
- * 2009, 2010 Free Software Foundation, Inc.
+ * Copyright (C) 2000-2011 Free Software Foundation, Inc.
*
* This file is part of GnuTLS.
*
diff --git a/tests/Makefile.am b/tests/Makefile.am
index aed9ab0..33baf59 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -20,7 +20,8 @@
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode pkcs12-decode \
- userid pathlen key-id sha2 safe-renegotiation dsa scripts
+ userid pathlen key-id sha2 safe-renegotiation dsa scripts ecdsa \
+ slow
if ENABLE_OPENPGP
SUBDIRS += openpgp-certs
@@ -64,8 +65,7 @@ ctests = mini-deflate simple gc set_pkcs12_cred certder
certuniqueid \
crq_apis init_roundtrip pkcs12_s2k_pem dn2 mini-eagain \
nul-in-x509-names x509_altname pkcs12_encode mini-x509 \
mini-x509-rehandshake rng-fork mini-eagain-dtls cipher-test \
- x509cert x509cert-tl infoaccess #gendh
-#gendh is out because it is too slow in valgrind
+ x509cert x509cert-tl infoaccess
if ENABLE_OCSP
ctests += ocsp
diff --git a/tests/pathlen/Makefile.am b/tests/ecdsa/Makefile.am
similarity index 90%
copy from tests/pathlen/Makefile.am
copy to tests/ecdsa/Makefile.am
index bf1cd07..7970555 100644
--- a/tests/pathlen/Makefile.am
+++ b/tests/ecdsa/Makefile.am
@@ -19,10 +19,10 @@
# along with this file; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-EXTRA_DIST = ca-no-pathlen.pem no-ca-or-pathlen.pem
+EXTRA_DIST = bad-key.pem
-dist_check_SCRIPTS = pathlen
+dist_check_SCRIPTS = ecdsa
-TESTS = pathlen
+TESTS = ecdsa
TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT)
diff --git a/tests/ecdsa/bad-key.pem b/tests/ecdsa/bad-key.pem
new file mode 100644
index 0000000..6dfb622
--- /dev/null
+++ b/tests/ecdsa/bad-key.pem
@@ -0,0 +1,25 @@
+Public Key Info:
+ Public Key Algorithm: ECC
+ Key Security Level: High
+
+curve: SECP256R1
+private key:
+ 00:f4:fa:5f:3e:48:39:dd:4c:d1:24:3f:a1:f5:51:
+ 49:36:74:c3:2c:ae:ad:d9:96:91:93:da:ec:03:25:
+ 1f:aa:0b:
+x:
+ 56:d1:7e:b2:c4:f6:bb:02:e2:4a:76:63:14:8c:1a:
+ c1:eb:12:56:bd:3d:08:66:2f:dc:eb:e5:b9:32:15:
+ 1e:e7:
+y:
+ 00:88:27:c8:52:8f:a5:9a:3a:bb:20:e6:54:ef:a8:
+ 7c:50:39:db:af:cf:e4:5e:69:7a:25:20:6d:63:60:
+ af:29:d5:
+
+Public Key ID: 5A:37:9C:B2:B2:BA:33:AC:8E:87:7B:63:18:15:99:3F:DF:3A:F3:A3
+
+-----BEGIN EC PRIVATE KEY-----
+MHgCAQEEIQCIJ8hSj6WaOrsg5lTvqHxQOduvz+ReaXolIG1jYK8p1aAKBggqhkjO
+PQMBB6FEA0IABFbRfrLE9rsC4kp2YxSMGsHrEla9PQhmL9zr5bkyFR7niCfIUo+l
+mjq7IOZU76h8UDnbr8/kXml6JSBtY2CvKdU=
+-----END EC PRIVATE KEY-----
diff --git a/tests/sha2/sha2-dsa b/tests/ecdsa/ecdsa
similarity index 56%
copy from tests/sha2/sha2-dsa
copy to tests/ecdsa/ecdsa
index c62e6a2..5ac716a 100755
--- a/tests/sha2/sha2-dsa
+++ b/tests/ecdsa/ecdsa
@@ -1,8 +1,8 @@
#!/bin/sh
-# Copyright (C) 2006, 2007, 2008, 2010 Free Software Foundation, Inc.
+# Copyright (C) 2011 Free Software Foundation, Inc.
#
-# Author: Simon Josefsson
+# Author: Nikos Mavrogiannopoulos
#
# This file is part of GnuTLS.
#
@@ -26,11 +26,13 @@ srcdir=${srcdir:-.}
CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT}
echo ca > template
-echo cn = "SHA 256 CA" >> template
+echo cn = "ECDSA SHA 256 CA" >> template
+
+$CERTTOOL --generate-privkey --ecc > key-ca-ecdsa.pem 2>/dev/null
$CERTTOOL -d 2 --generate-self-signed --template template \
- --load-privkey $srcdir/key-ca-dsa.pem \
- --outfile new-ca-dsa.pem \
+ --load-privkey key-ca-ecdsa.pem \
+ --outfile new-ca-ecdsa.pem \
--hash sha256 >out 2>&1
if [ $? != 0 ];then
@@ -39,13 +41,14 @@ if [ $? != 0 ];then
fi
echo ca > template
-echo cn = "SHA 224 Mid CA" >> template
+$CERTTOOL --generate-privkey --ecc > key-subca-ecdsa.pem 2>/dev/null
+echo cn = "ECDSA SHA 224 Mid CA" >> template
$CERTTOOL -d 2 --generate-certificate --template template \
- --load-ca-privkey $srcdir/key-ca-dsa.pem \
- --load-ca-certificate new-ca-dsa.pem \
- --load-privkey $srcdir/key-subca-dsa.pem \
- --outfile new-subca-dsa.pem \
+ --load-ca-privkey key-ca-ecdsa.pem \
+ --load-ca-certificate new-ca-ecdsa.pem \
+ --load-privkey key-subca-ecdsa.pem \
+ --outfile new-subca-ecdsa.pem \
--hash sha224 >out 2>&1
if [ $? != 0 ];then
@@ -55,10 +58,12 @@ fi
echo cn = "End-user" > template
+$CERTTOOL --generate-privkey --ecc > key-ecdsa.pem 2>/dev/null
+
$CERTTOOL -d 2 --generate-certificate --template template \
- --load-ca-privkey $srcdir/key-subca-dsa.pem \
- --load-ca-certificate new-subca-dsa.pem \
- --load-privkey $srcdir/key-dsa.pem \
+ --load-ca-privkey key-subca-ecdsa.pem \
+ --load-ca-certificate new-subca-ecdsa.pem \
+ --load-privkey key-ecdsa.pem \
--outfile new-user.pem >out 2>&1
if [ $? != 0 ];then
@@ -66,7 +71,7 @@ if [ $? != 0 ];then
exit 1
fi
-cat new-user.pem new-subca-dsa.pem new-ca-dsa.pem > out
+cat new-user.pem new-subca-ecdsa.pem new-ca-ecdsa.pem > out
$CERTTOOL --verify-chain <out > verify
if [ $? != 0 ];then
@@ -74,6 +79,13 @@ if [ $? != 0 ];then
exit 1
fi
-rm -f verify new-user.pem new-ca-dsa.pem new-subca-dsa.pem template out
+rm -f verify new-user.pem new-ca-ecdsa.pem new-subca-ecdsa.pem template out
+rm -f key-subca-ecdsa.pem key-ca-ecdsa.pem key-ecdsa.pem
+
+$CERTTOOL -k <bad-key.pem | grep "validation failed" >/dev/null 2>&1
+if [ $? != 0 ];then
+ echo "certtool didn't detect a bad ECDSA key."
+ exit 1
+fi
exit 0
diff --git a/tests/safe-renegotiation/Makefile.am b/tests/slow/Makefile.am
similarity index 88%
copy from tests/safe-renegotiation/Makefile.am
copy to tests/slow/Makefile.am
index 17d4684..fda6f33 100644
--- a/tests/safe-renegotiation/Makefile.am
+++ b/tests/slow/Makefile.am
@@ -20,16 +20,16 @@
AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
AM_CPPFLAGS = \
-I$(top_srcdir)/lib/includes \
- -I$(top_builddir)/lib/includes
+ -I$(top_builddir)/lib/includes \
+ -I$(top_srcdir)/tests/
AM_LDFLAGS = -no-install
LDADD = ../libutils.la \
../../lib/libgnutls.la $(LTLIBGCRYPT) $(LIBSOCKET)
-ctests = srn0 srn1 srn2 srn3 srn4 srn5
+ctests = gendh keygen
check_PROGRAMS = $(ctests)
TESTS = $(ctests)
-TESTS_ENVIRONMENT = $(VALGRIND)
-EXTRA_DIST = README suppressions.valgrind
+EXTRA_DIST = README
diff --git a/tests/slow/README b/tests/slow/README
new file mode 100644
index 0000000..0f1982c
--- /dev/null
+++ b/tests/slow/README
@@ -0,0 +1 @@
+Those tests are here because they are very slow when run under valgrind.
diff --git a/tests/gendh.c b/tests/slow/gendh.c
similarity index 100%
rename from tests/gendh.c
rename to tests/slow/gendh.c
diff --git a/tests/slow/keygen.c b/tests/slow/keygen.c
new file mode 100644
index 0000000..3b95479
--- /dev/null
+++ b/tests/slow/keygen.c
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2008, 2009, 2010, 2011 Free Software Foundation, Inc.
+ *
+ * Author: David MarÃn Carreño
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+
+#include "utils.h"
+
+#define MAX_TRIES 2
+
+static int sec_param[MAX_TRIES] = {GNUTLS_SEC_PARAM_WEAK,
GNUTLS_SEC_PARAM_NORMAL};
+
+static void
+tls_log_func (int level, const char *str)
+{
+ fprintf (stderr, "%s |<%d>| %s", "crq_key_id", level, str);
+}
+
+void
+doit (void)
+{
+ gnutls_x509_privkey_t pkey;
+ int ret, algorithm, i;
+
+ ret = gnutls_global_init ();
+ if (ret < 0)
+ fail ("gnutls_global_init: %d\n", ret);
+
+ gnutls_global_set_log_function (tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level (4711);
+
+ for (i = 0; i < MAX_TRIES; i++)
+ {
+ for (algorithm = GNUTLS_PK_RSA; algorithm <= GNUTLS_PK_ECC;
+ algorithm++)
+ {
+ if (algorithm == GNUTLS_PK_DH)
+ continue;
+
+ ret = gnutls_x509_privkey_init (&pkey);
+ if (ret < 0)
+ {
+ fail ("gnutls_x509_privkey_init: %d\n", ret);
+ }
+
+ ret =
+ gnutls_x509_privkey_generate (pkey, algorithm,
+ gnutls_sec_param_to_pk_bits
+ (algorithm,
+ sec_param[i]),
+ 0);
+ if (ret < 0)
+ {
+ fail ("gnutls_x509_privkey_generate (%s): %s (%d)\n",
+ gnutls_pk_algorithm_get_name (algorithm),
+ gnutls_strerror (ret), ret);
+ }
+ else if (debug)
+ {
+ success ("Key[%s] generation ok: %d\n",
+ gnutls_pk_algorithm_get_name (algorithm),
+ ret);
+ }
+
+ ret = gnutls_x509_privkey_verify_params (pkey);
+ if (ret < 0)
+ {
+ fail ("gnutls_x509_privkey_generate (%s): %s (%d)\n",
+ gnutls_pk_algorithm_get_name (algorithm),
+ gnutls_strerror (ret), ret);
+ }
+
+ gnutls_x509_privkey_deinit (pkey);
+ }
+ }
+
+ gnutls_global_deinit ();
+}
diff --git a/tests/suite/chain b/tests/suite/chain
index ca3468d..99b62e5 100755
--- a/tests/suite/chain
+++ b/tests/suite/chain
@@ -43,7 +43,7 @@ while test -d X509tests/test$i; do
find X509tests/test$i -name T*.crt -print0 |sort -r -z|xargs -n1 --null
$CERTTOOL --certificate-info --inder --infile >> chains/chain$i.pem 2>/dev/null
$CERTTOOL -e --infile chains/chain$i.pem > out 2>&1
rc=$?
- if test $rc != 0; then
+ if test $rc != 0 -a $rc != 1; then
echo "Chain $i FATAL failure."
RET=1
else
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_7-95-g026d6fd,
Simon Josefsson <=