[SCM] GNU gnutls branch, gnutls_3_0_x-2, updated. gnutls_3_0_24-2-g7b9d0
From: |
Nikos Mavrogiannopoulos |
Subject: |
[SCM] GNU gnutls branch, gnutls_3_0_x-2, updated. gnutls_3_0_24-2-g7b9d015 |
Date: |
Sun, 30 Sep 2012 16:10:40 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7b9d0158f022b8468ea7cd362ef9142889f4ff29
The branch, gnutls_3_0_x-2 has been updated
via 7b9d0158f022b8468ea7cd362ef9142889f4ff29 (commit)
from 52f373cdf26d50e05f5dd49e4ecc8b29fc742535 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 7b9d0158f022b8468ea7cd362ef9142889f4ff29
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Sep 30 18:09:46 2012 +0200
Added gnutls_ocsp_resp_check_crt() to check whether the OCSP
response corresponds to the given certificate.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 5 ++-
lib/gnutls_errors.c | 2 +
lib/includes/gnutls/gnutls.h.in | 2 +
lib/includes/gnutls/ocsp.h | 4 ++
lib/libgnutls.map | 1 +
lib/x509/ocsp.c | 97 +++++++++++++++++++++++++++++++++++++++
6 files changed, 110 insertions(+), 1 deletions(-)
diff --git a/NEWS b/NEWS
index 345148d..e92b0d3 100644
--- a/NEWS
+++ b/NEWS
@@ -7,8 +7,11 @@ See the end for copying conditions.
** libgnutls: Fixed the receipt of session tickets during session resumption.
Reported by danblack at http://savannah.gnu.org/support/?108146
+** libgnutls: Added gnutls_ocsp_resp_check_crt() to check whether the OCSP
+response corresponds to the given certificate.
+
** API and ABI modifications:
-No changes since last version.
+gnutls_ocsp_resp_check_crt: Added
* Version 3.0.24 (released 2012-09-26)
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 71b6e6a..5e8df24 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -334,6 +334,8 @@ static const gnutls_error_entry error_algorithms[] = {
GNUTLS_E_PKCS11_REQUESTED_OBJECT_NOT_AVAILBLE, 1),
ERROR_ENTRY (N_("The provided X.509 certificate list is not sorted (in
subject to issuer order)"),
GNUTLS_E_CERTIFICATE_LIST_UNSORTED, 1),
+ ERROR_ENTRY (N_("The OCSP response is invalid"),
+ GNUTLS_E_OCSP_RESPONSE_ERROR, 1),
{NULL, NULL, 0, 0}
};
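Review bot: The message `The OCSP response is invalid` is also what callers get when the response is well-formed but simply describes a different certificate — the new gnutls_ocsp_resp_check_crt() in this same commit returns GNUTLS_E_OCSP_RESPONSE_ERROR for a serial or issuer-name-hash mismatch — so anyone logging gnutls_strerror() output will read a matching failure as a malformed response. Consider `The OCSP response is invalid or does not correspond to the certificate`, or introduce a second dedicated code for the mismatch case so callers can distinguish "malformed" from "not about this certificate".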
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 773834c..355621a 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1905,6 +1905,8 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t
session);
#define GNUTLS_E_X509_UNSUPPORTED_EXTENSION -327
#define GNUTLS_E_SESSION_EOF -328
+#define GNUTLS_E_OCSP_RESPONSE_ERROR -341
+
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
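Review bot: The new line `#define GNUTLS_E_OCSP_RESPONSE_ERROR -341` leaves -329 to -340 unassigned with no explanation, which invites a later backport on this stable branch to fill the gap and collide with whatever -341 was chosen to agree with — presumably the same constant on a newer branch, though that is not visible here. A one-line comment above the define, e.g. `/* -329..-340 are reserved; -341 is kept in sync with newer branches */` (adjusted to the actual reason), would record the constraint where the next maintainer will see it.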
diff --git a/lib/includes/gnutls/ocsp.h b/lib/includes/gnutls/ocsp.h
index db16b70..70343a2 100644
--- a/lib/includes/gnutls/ocsp.h
+++ b/lib/includes/gnutls/ocsp.h
@@ -249,6 +249,10 @@ extern "C"
unsigned int *verify,
unsigned int flags);
+int
+gnutls_ocsp_resp_check_crt (gnutls_ocsp_resp_t resp,
+ gnutls_x509_crt_t crt);
+
#ifdef __cplusplus
}
#endif
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 1078a07..f164733 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -790,6 +790,7 @@ GNUTLS_3_0_0 {
gnutls_pk_to_sign;
gnutls_certificate_set_x509_system_trust;
gnutls_session_set_premaster;
+ gnutls_ocsp_resp_check_crt;
} GNUTLS_2_12;
GNUTLS_PRIVATE {
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index 0857e33..3aca0f5 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -1275,6 +1275,103 @@ gnutls_ocsp_resp_get_produced (gnutls_ocsp_resp_t resp)
}
/**
+ * gnutls_ocsp_resp_check_crt:
+ * @resp: should contain a #gnutls_ocsp_resp_t structure
+ * @crt: The certificate to check
+ *
+ * This function will check whether the OCSP response
+ * is about the provided certificate.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error code is returned.
+ **/
+int
+gnutls_ocsp_resp_check_crt (gnutls_ocsp_resp_t resp,
+ gnutls_x509_crt_t crt)
+{
+int ret;
+gnutls_digest_algorithm_t digest;
+gnutls_datum_t rdn_hash = {NULL, 0}, rserial = {NULL, 0};
+gnutls_datum_t cserial = {NULL, 0};
+gnutls_datum_t dn = {NULL, 0};
+uint8_t cdn_hash[MAX_HASH_SIZE];
+size_t t, hash_len;
+
+ ret = gnutls_ocsp_resp_get_single (resp, 0, &digest, &rdn_hash, NULL,
+ &rserial, NULL, NULL, NULL, NULL, NULL);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ if (rserial.size == 0 || digest == GNUTLS_DIG_UNKNOWN)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_OCSP_RESPONSE_ERROR);
+ goto cleanup;
+ }
+
+ hash_len = _gnutls_hash_get_algo_len(digest);
+ if (hash_len != rdn_hash.size)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_OCSP_RESPONSE_ERROR);
+ goto cleanup;
+ }
+
+ cserial.size = rserial.size;
+ cserial.data = gnutls_malloc(cserial.size);
+ if (cserial.data == NULL)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ goto cleanup;
+ }
+
+ t = cserial.size;
+ ret = gnutls_x509_crt_get_serial(crt, cserial.data, &t);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ if (rserial.size != cserial.size || memcmp(cserial.data, rserial.data,
rserial.size) != 0)
+ {
+ ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &dn);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ ret = _gnutls_hash_fast( digest, dn.data, dn.size, cdn_hash);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ if (memcmp(cdn_hash, rdn_hash.data, hash_len) != 0)
+ {
+ ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ gnutls_free(rdn_hash.data);
+ gnutls_free(rserial.data);
+ gnutls_free(cserial.data);
+ gnutls_free(dn.data);
+
+ return ret;
+}
+
+
+/**
* gnutls_ocsp_resp_get_single:
* @resp: should contain a #gnutls_ocsp_resp_t structure
* @indx: Specifies which extension OID to get. Use (0) to get the first one.
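Review bot: The serial comparison `if (rserial.size != cserial.size || memcmp(cserial.data, rserial.data, rserial.size) != 0)` reads bytes that gnutls_x509_crt_get_serial() never wrote: cserial.size is preset to rserial.size and the length returned in `t` is discarded, so the left-hand size test is always false and a certificate whose serial is shorter than the response's is compared against uninitialized malloc() tail bytes. Add `cserial.size = t;` immediately after the successful gnutls_x509_crt_get_serial() call so both the length check and the memcmp use the real serial length. Separately, the docstring should state the scope of the check: only the first single response (index 0) is examined, only the issuer-name hash and serial are matched (the argument passed as NULL — presumably the issuer key hash — is not compared, since no issuer certificate is available), and the response's signature is not verified here, so callers still need the verify functions declared in ocsp.h before trusting the status.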