[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_3-65-g160abd4
From: |
Nikos Mavrogiannopoulos |
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_3-65-g160abd4 |
Date: |
Fri, 02 Nov 2012 12:58:52 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=160abd45cee67e4c5043dd0fc47509863bd5ba4c
The branch, master has been updated
via 160abd45cee67e4c5043dd0fc47509863bd5ba4c (commit)
via 2be2aecf9ec3dc662b2df27494862121f9b0ee0b (commit)
via 1aa734d74ddad776de76807954b3ba5e4647d82d (commit)
via b4e5fc68d54be696581dd4c7c3bb21591481727f (commit)
via 9ea5adce307f8bdfeff096e924f25957a5e1c63f (commit)
via 5b4bd9afeac9eaf9b2caa235196517bf0720ec5d (commit)
via e966f37a986d51de2e7116a3a5b1086726c55529 (commit)
via 115e7a0801179d5d931399448d89831d41fe8a01 (commit)
via 0a8d6e37937ad92856e69367b2a22887fcf33ef3 (commit)
via 1491f0392fa904b1fd16a39d8aad084b43457892 (commit)
from 4ee52510ba8a6362afb3540645eccfac79bf3748 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 160abd45cee67e4c5043dd0fc47509863bd5ba4c
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Nov 2 13:55:56 2012 +0100
removed gnutls_certificate_update_verify_flags
commit 2be2aecf9ec3dc662b2df27494862121f9b0ee0b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Nov 2 13:46:25 2012 +0100
check pathlen constraints.
commit 1aa734d74ddad776de76807954b3ba5e4647d82d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Nov 2 13:23:49 2012 +0100
updated test
commit b4e5fc68d54be696581dd4c7c3bb21591481727f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Nov 2 13:18:13 2012 +0100
files to ignore
commit 9ea5adce307f8bdfeff096e924f25957a5e1c63f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Nov 2 13:11:46 2012 +0100
Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN
The default is now GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN, and
removed gnutls_certificate_update_verify_flags().
commit 5b4bd9afeac9eaf9b2caa235196517bf0720ec5d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Nov 2 13:01:08 2012 +0100
small optimization in CRL check
commit e966f37a986d51de2e7116a3a5b1086726c55529
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Nov 2 10:38:28 2012 +0100
Check the key usage bits during certificate verification.
commit 115e7a0801179d5d931399448d89831d41fe8a01
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Nov 2 10:24:16 2012 +0100
CRL verification includes the time checks.
commit 0a8d6e37937ad92856e69367b2a22887fcf33ef3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Nov 2 00:16:17 2012 +0100
doc update
commit 1491f0392fa904b1fd16a39d8aad084b43457892
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Nov 2 00:08:58 2012 +0100
documented update
-----------------------------------------------------------------------
Summary of changes:
.gitignore | 2 +
NEWS | 17 +++++-
doc/cha-cert-auth.texi | 3 +-
doc/cha-cert-auth2.texi | 2 -
doc/cha-gtls-app.texi | 1 -
doc/cha-intro-tls.texi | 4 +
lib/gnutls_cert.c | 33 +++++----
lib/gnutls_int.h | 1 +
lib/gnutls_ui.c | 19 -----
lib/includes/gnutls/gnutls.h.in | 29 +++++----
lib/includes/gnutls/x509.h | 28 +++++---
lib/libgnutls.map | 1 -
lib/x509/verify-high.c | 2 +-
lib/x509/verify.c | 100 ++++++++++++++++++++-------
src/certtool.c | 106 ++++++----------------------
tests/chainverify-unsorted.c | 3 +-
tests/rsa-md5-collision/rsa-md5-collision | 4 +-
tests/suite/chain | 6 +-
tests/suite/x509paths/README | 8 +--
19 files changed, 184 insertions(+), 185 deletions(-)
diff --git a/.gitignore b/.gitignore
index fbef9ce..5ef01a8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -602,3 +602,5 @@ libdane/gnutls-dane.pc
doc/latex/dane-api.tex
src/libcmd-danetool.la
src/danetool
+tests/key-openssl
+tests/mini-dtls-srtp
diff --git a/NEWS b/NEWS
index c68e4ce..79a07b3 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,10 @@ See the end for copying conditions.
** libgnutls: gnutls_certificate_verify_peers2() will set flags depending on
the available revocation data validity.
+** libgnutls: Added gnutls_certificate_verification_status_print(),
+a function to print the verification status code in human
+readable text.
+
** libgnutls: Added priority string %VERIFY_DISABLE_CRL_CHECKS.
** libgnutls: Simplified certificate verification by adding
@@ -15,6 +19,16 @@ gnutls_certificate_verify_peers3().
** libgnutls: Added support for extension to establish keys
for SRTP.
+** libgnutls: The X.509 verification functions check the key
+usage bits and pathlen constraints and on failure output
+GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE.
+
+** libgnutls: gnutls_x509_crl_verify() includes the time
+checks.
+
+** libgnutls: Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN
+and made GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN the default.
+
** gnutls-cli: Added --local-dns option.
** danetool: Corrected bug that prevented loading PEM files.
@@ -26,7 +40,6 @@ a site's DANE data.
** API and ABI modifications:
gnutls_session_get_id2: Added
-gnutls_certificate_update_verify_flags: Added
gnutls_certificate_verify_peers3: Added
gnutls_certificate_verification_status_print: Added
gnutls_srtp_set_profile: Added
@@ -34,6 +47,7 @@ gnutls_srtp_set_profile_direct: Added
gnutls_srtp_get_selected_profile: Added
gnutls_srtp_get_profile_name: Added
gnutls_srtp_get_profile_id: Added
+gnutls_srtp_get_keys: Added
gnutls_srtp_profile_t: Added
dane_cert_type_name: Added
dane_match_type_name: Added
@@ -42,6 +56,7 @@ dane_verification_status_print: Added
GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added
GNUTLS_CERT_REVOCATION_DATA_INVALID: Added
GNUTLS_CERT_UNEXPECTED_OWNER: Added
+GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN: Added
* Version 3.1.3 (released 2012-10-12)
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 3f66b61..e379e69 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -574,7 +574,6 @@ of the signature.
If you are using @funcref{gnutls_certificate_verify_peers3} to verify the
certificate chain, you can call
address@hidden or
@funcref{gnutls_certificate_set_verify_flags} with the flags:
@itemize
@item @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2}
@@ -583,7 +582,7 @@ certificate chain, you can call
as in the following example:
@example
- gnutls_certificate_update_verify_flags (x509cred,
+ gnutls_certificate_set_verify_flags (x509cred,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
@end example
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index da00a40..088ec1b 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -359,8 +359,6 @@ functions below.
@showfuncdesc{gnutls_pkcs12_simple_parse}
@showfuncC{gnutls_pkcs12_bag_get_data,gnutls_pkcs12_bag_get_key_id,gnutls_pkcs12_bag_get_friendly_name}
address@hidden
-
The functions below are used to generate a PKCS #12 structure. An example
of their usage is also shown.
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index c853398..85c758a 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1049,7 +1049,6 @@ Finally the ciphersuites enabled by any priority string
can be
listed using the @code{gnutls-cli} application (see @ref{gnutls-cli
Invocation}),
or by using the priority functions as in @ref{Listing the ciphersuites in a
priority string}.
address@hidden
Example priority strings are:
@example
The default priority without the HMAC-MD5:
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index d72ae2b..b2b46de 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -607,6 +607,10 @@ To enable use the following functions.
@showfuncB{gnutls_srtp_set_profile,gnutls_srtp_set_profile_direct}
+To obtain the negotiated keys use the function below.
+
address@hidden
+
Other helper functions are listed below.
@showfuncC{gnutls_srtp_get_selected_profile,gnutls_srtp_get_profile_name,gnutls_srtp_get_profile_id}
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 9e73d91..f784cc5 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -234,7 +234,6 @@ int ret;
}
(*res)->verify_bits = DEFAULT_MAX_VERIFY_BITS;
(*res)->verify_depth = DEFAULT_MAX_VERIFY_DEPTH;
- (*res)->verify_flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
return 0;
}
@@ -935,46 +934,52 @@ gnutls_certificate_verification_status_print (unsigned
int status,
_gnutls_buffer_init (&str);
if (status == 0)
- _gnutls_buffer_append_str (&str, _("Peer's certificate is trusted. "));
+ _gnutls_buffer_append_str (&str, _("The certificate is trusted. "));
else
- _gnutls_buffer_append_str (&str, _("Peer's certificate is NOT trusted. "));
+ _gnutls_buffer_append_str (&str, _("The certificate is NOT trusted. "));
if (type == GNUTLS_CRT_X509)
{
if (status & GNUTLS_CERT_REVOKED)
- _gnutls_buffer_append_str (&str, _("Peer's certificate chain revoked.
"));
+ _gnutls_buffer_append_str (&str, _("The certificate chain revoked. "));
if (status & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD)
- _gnutls_buffer_append_str (&str, _("The revocation data provided by
the peer are too old. "));
+ _gnutls_buffer_append_str (&str, _("The revocation data are too old.
"));
if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID)
- _gnutls_buffer_append_str (&str, _("The revocation data provided by
the peer are invalid. "));
+ _gnutls_buffer_append_str (&str, _("The revocation data are invalid.
"));
+
+ if (status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)
+ _gnutls_buffer_append_str (&str, _("The revocation data are issued
with a future date. "));
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- _gnutls_buffer_append_str (&str, _("Peer's certificate issuer is
unknown. "));
+ _gnutls_buffer_append_str (&str, _("The certificate issuer is
unknown. "));
if (status & GNUTLS_CERT_SIGNER_NOT_CA)
- _gnutls_buffer_append_str (&str, _("Peer's certificate issuer is not
a CA. "));
+ _gnutls_buffer_append_str (&str, _("The certificate issuer is not a
CA. "));
}
else if (type == GNUTLS_CRT_OPENPGP)
{
- _gnutls_buffer_append_str (&str, _("Peer's certificate is not trusted.
"));
+ _gnutls_buffer_append_str (&str, _("The certificate is not trusted.
"));
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- _gnutls_buffer_append_str (&str, _("Could not find a signer of the
peer's certificate. "));
+ _gnutls_buffer_append_str (&str, _("Could not find a signer of the
certificate. "));
if (status & GNUTLS_CERT_REVOKED)
- _gnutls_buffer_append_str (&str, _("Peer's certificate is revoked.
"));
+ _gnutls_buffer_append_str (&str, _("The certificate is revoked. "));
}
if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
- _gnutls_buffer_append_str (&str, _("Peer's certificate chain uses insecure
algorithm. "));
+ _gnutls_buffer_append_str (&str, _("The certificate chain uses insecure
algorithm. "));
+
+ if (status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE)
+ _gnutls_buffer_append_str (&str, _("The certificate chain violates the
signer's constraints. "));
if (status & GNUTLS_CERT_NOT_ACTIVATED)
- _gnutls_buffer_append_str (&str, _("Peer's certificate chain uses not yet
valid certificate. "));
+ _gnutls_buffer_append_str (&str, _("The certificate chain uses not yet
valid certificate. "));
if (status & GNUTLS_CERT_EXPIRED)
- _gnutls_buffer_append_str (&str, _("Peer's certificate chain uses expired
certificate. "));
+ _gnutls_buffer_append_str (&str, _("The certificate chain uses expired
certificate. "));
if (status & GNUTLS_CERT_SIGNATURE_FAILURE)
_gnutls_buffer_append_str (&str, _("The signature in the certificate is
invalid. "));
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 68a176e..1081135 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -202,6 +202,7 @@ typedef enum transport_t
*/
#define DEFAULT_MAX_VERIFY_DEPTH 16
#define DEFAULT_MAX_VERIFY_BITS 16*1024
+#define MAX_VERIFY_DEPTH 4096
#include <gnutls_mem.h>
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 71888d4..110ebae 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -697,25 +697,6 @@ gnutls_certificate_set_verify_flags
(gnutls_certificate_credentials_t
}
/**
- * gnutls_certificate_update_verify_flags:
- * @res: is a gnutls_certificate_credentials_t structure
- * @flags: are the new flags
- *
- * This function will update the default flags to be used for verification
- * of certificates. The provided flags must be an OR of the
- * #gnutls_certificate_verify_flags enumerations. The default
- * for TLS sessions is GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN.
- *
- * Since: 3.1.4
- **/
-void
-gnutls_certificate_update_verify_flags (gnutls_certificate_credentials_t
- res, unsigned int flags)
-{
- res->verify_flags |= flags;
-}
-
-/**
* gnutls_certificate_set_verify_limits:
* @res: is a gnutls_certificate_credentials structure
* @max_bits: is the number of bits of an acceptable certificate (default 8200)
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index a64db31..505b992 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -440,6 +440,8 @@ extern "C"
* @GNUTLS_CERT_SIGNER_NOT_CA: The certificate's signer was not a CA. This
* may happen if this was a version 1 certificate, which is common with
* some CAs, or a version 3 certificate without the basic constrains
extension.
+ * @GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE: The certificate's signer
constraints were
+ * violated.
* @GNUTLS_CERT_INSECURE_ALGORITHM: The certificate was signed using an
insecure
* algorithm such as MD2 or MD5. These algorithms have been broken and
* should not be trusted.
@@ -447,6 +449,7 @@ extern "C"
* @GNUTLS_CERT_EXPIRED: The certificate has expired.
* @GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: The OCSP revocation data are too old.
* @GNUTLS_CERT_REVOCATION_DATA_INVALID: The OCSP revocation data are invalid.
+ * @GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: The revocation data have a
future issue date.
* @GNUTLS_CERT_UNEXPECTED_OWNER: The owner is not the expected one.
*
* Enumeration of certificate status codes. Note that the status
@@ -455,17 +458,19 @@ extern "C"
*/
typedef enum
{
- GNUTLS_CERT_INVALID = 2,
- GNUTLS_CERT_REVOKED = 32,
- GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
- GNUTLS_CERT_SIGNER_NOT_CA = 128,
- GNUTLS_CERT_INSECURE_ALGORITHM = 256,
- GNUTLS_CERT_NOT_ACTIVATED = 512,
- GNUTLS_CERT_EXPIRED = 1024,
- GNUTLS_CERT_SIGNATURE_FAILURE = 2048,
- GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 4096,
- GNUTLS_CERT_REVOCATION_DATA_INVALID = 8192,
- GNUTLS_CERT_UNEXPECTED_OWNER = 16384,
+ GNUTLS_CERT_INVALID = 1<<1,
+ GNUTLS_CERT_REVOKED = 1<<5,
+ GNUTLS_CERT_SIGNER_NOT_FOUND = 1<<6,
+ GNUTLS_CERT_SIGNER_NOT_CA = 1<<7,
+ GNUTLS_CERT_INSECURE_ALGORITHM = 1<<8,
+ GNUTLS_CERT_NOT_ACTIVATED = 1<<9,
+ GNUTLS_CERT_EXPIRED = 1<<10,
+ GNUTLS_CERT_SIGNATURE_FAILURE = 1<<11,
+ GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 1<<12,
+ GNUTLS_CERT_REVOCATION_DATA_INVALID = 1<<13,
+ GNUTLS_CERT_UNEXPECTED_OWNER = 1<<14,
+ GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE = 1<<15,
+ GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE = 1<<16,
} gnutls_certificate_status_t;
/**
@@ -1192,8 +1197,6 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t
session);
gnutls_dh_params_t dh_params);
void gnutls_certificate_set_verify_flags (gnutls_certificate_credentials_t
res, unsigned int flags);
- void gnutls_certificate_update_verify_flags (gnutls_certificate_credentials_t
- res, unsigned int flags);
void gnutls_certificate_set_verify_limits (gnutls_certificate_credentials_t
res, unsigned int max_bits,
unsigned int max_depth);
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 8fd32eb..a3cf725 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -632,7 +632,10 @@ extern "C"
* anyone trusted but exists in the trusted CA list do not treat it
* as trusted.
* @GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN: A certificate chain is tolerated
- * if unsorted (the case with many TLS servers out there).
+ * if unsorted (the case with many TLS servers out there). This is the
+ * default since GnuTLS 3.1.4.
+ * @GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN: Do not tolerate an unsorted
+ * certificate chain.
* @GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT: Allow CA certificates that
* have version 1 (both root and intermediate). This might be
* dangerous since those haven't the basicConstraints
@@ -652,17 +655,18 @@ extern "C"
*/
typedef enum gnutls_certificate_verify_flags
{
- GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
- GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
- GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
- GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
- GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
- GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
- GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256,
- GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 512,
- GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1024,
+ GNUTLS_VERIFY_DISABLE_CA_SIGN = 1<<0,
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 1<<1,
+ GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 1<<2,
+ GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 1<<3,
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 1<<4,
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 1<<5,
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 1<<6,
+ GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 1<<7,
+ GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 1<<8,
+ GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 1<<9,
+ GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1<<10,
+ GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN = 1<<11,
} gnutls_certificate_verify_flags;
int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 2843f26..33a9762 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -858,7 +858,6 @@ GNUTLS_3_1_0 {
gnutls_pubkey_import_x509_raw;
gnutls_certificate_get_peers_subkey_id;
gnutls_session_get_id2;
- gnutls_certificate_update_verify_flags;
gnutls_certificate_verify_peers3;
gnutls_certificate_verification_status_print;
gnutls_srtp_get_profile_id;
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index cf603a2..ffc9730 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -553,7 +553,7 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t
list,
if (cert_list == NULL || cert_list_size < 1)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- if (flags & GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN)
+ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN))
cert_list = sort_clist(sorted, cert_list, &cert_list_size);
cert_list_size = shorten_clist(list, cert_list, cert_list_size);
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 7f39fd8..7cbbb63 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -113,13 +113,15 @@ cleanup:
*/
static int
check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ unsigned int *max_path,
unsigned int flags)
{
gnutls_datum_t cert_signed_data = { NULL, 0 };
gnutls_datum_t issuer_signed_data = { NULL, 0 };
gnutls_datum_t cert_signature = { NULL, 0 };
gnutls_datum_t issuer_signature = { NULL, 0 };
- int result;
+ int pathlen, result;
+ unsigned int ca_status;
/* Check if the issuer is the same with the
* certificate. This is added in order for trusted
@@ -176,9 +178,21 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t
issuer,
goto cleanup;
}
}
+
+ result = gnutls_x509_crt_get_basic_constraints( issuer, NULL, &ca_status,
&pathlen);
+ if (result < 0)
+ {
+ ca_status = 0;
+ pathlen = -1;
+ }
+
+ if (ca_status != 0 && pathlen != -1)
+ {
+ if ((unsigned)pathlen < *max_path)
+ *max_path = pathlen;
+ }
- result = gnutls_x509_crt_get_ca_status (issuer, NULL);
- if (result == 1)
+ if (ca_status != 0)
{
result = 1;
goto cleanup;
@@ -392,28 +406,31 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
unsigned int *output,
gnutls_x509_crt_t * _issuer,
time_t now,
+ unsigned int *max_path,
gnutls_verify_output_function func)
{
gnutls_datum_t cert_signed_data = { NULL, 0 };
gnutls_datum_t cert_signature = { NULL, 0 };
gnutls_x509_crt_t issuer = NULL;
int issuer_version, result, hash_algo;
- unsigned int out = 0;
+ unsigned int out = 0, usage;
if (output)
*output = 0;
-
- if (tcas_size >= 1)
- issuer = find_issuer (cert, trusted_cas, tcas_size);
- else
+
+ if (*max_path == 0)
{
- gnutls_assert ();
- out = GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID;
+ out = GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE | GNUTLS_CERT_INVALID;
if (output)
*output |= out;
+ gnutls_assert ();
result = 0;
goto cleanup;
}
+ (*max_path)--;
+
+ if (tcas_size >= 1)
+ issuer = find_issuer (cert, trusted_cas, tcas_size);
/* issuer is not in trusted certificate
* authorities.
@@ -437,12 +454,12 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
gnutls_assert ();
return issuer_version;
}
-
+
if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT)
|| issuer_version != 1))
{
- if (check_if_ca (cert, issuer, flags) == 0)
+ if (check_if_ca (cert, issuer, max_path, flags) == 0)
{
gnutls_assert ();
out = GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID;
@@ -451,6 +468,20 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
result = 0;
goto cleanup;
}
+
+ result = gnutls_x509_crt_get_key_usage(issuer, &usage, NULL);
+ if (result >= 0)
+ {
+ if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN))
+ {
+ gnutls_assert();
+ out = GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE |
GNUTLS_CERT_INVALID;
+ if (output)
+ *output |= out;
+ result = 0;
+ goto cleanup;
+ }
+ }
}
result =
@@ -589,6 +620,7 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t *
certificate_list,
unsigned int status = 0, output;
time_t now = gnutls_time (0);
gnutls_x509_crt_t issuer = NULL;
+ unsigned int max_path;
if (clist_size > 1)
{
@@ -662,9 +694,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t *
certificate_list,
* in self signed etc certificates.
*/
output = 0;
+ max_path = MAX_VERIFY_DEPTH;
ret = _gnutls_verify_certificate2 (certificate_list[clist_size - 1],
trusted_cas, tcas_size, flags, &output,
- &issuer, now, func);
+ &issuer, now, &max_path, func);
if (ret == 0)
{
/* if the last certificate in the certificate
@@ -693,7 +726,7 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t *
certificate_list,
if ((ret =
_gnutls_verify_certificate2 (certificate_list[i - 1],
&certificate_list[i], 1, flags,
- &output, NULL, now, func)) == 0)
+ &output, NULL, now, &max_path, func))
== 0)
{
status |= output;
status |= GNUTLS_CERT_INVALID;
@@ -880,7 +913,8 @@ gnutls_x509_crl_check_issuer (gnutls_x509_crl_t crl,
*
* This function will try to verify the given crl and return its status.
* See gnutls_x509_crt_list_verify() for a detailed description of
- * return values.
+ * return values. Note that since GnuTLS 3.1.4 this function includes
+ * the time checks.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
@@ -974,21 +1008,16 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
/* CRL is ignored for now */
gnutls_datum_t crl_signed_data = { NULL, 0 };
gnutls_datum_t crl_signature = { NULL, 0 };
- gnutls_x509_crt_t issuer;
+ gnutls_x509_crt_t issuer = NULL;
int result, hash_algo;
+ time_t now = gnutls_time(0);
+ unsigned int usage;
if (output)
*output = 0;
if (tcas_size >= 1)
issuer = find_crl_issuer (crl, trusted_cas, tcas_size);
- else
- {
- gnutls_assert ();
- if (output)
- *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID;
- return 0;
- }
/* issuer is not in trusted certificate
* authorities.
@@ -1010,6 +1039,18 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
*output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID;
return 0;
}
+
+ result = gnutls_x509_crt_get_key_usage(issuer, &usage, NULL);
+ if (result >= 0)
+ {
+ if (!(usage & GNUTLS_KEY_CRL_SIGN))
+ {
+ gnutls_assert();
+ if (output)
+ *output |= GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE |
GNUTLS_CERT_INVALID;
+ return 0;
+ }
+ }
}
result =
@@ -1044,7 +1085,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
gnutls_assert ();
/* error. ignore it */
if (output)
- *output |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNATURE_FAILURE;
+ *output |= GNUTLS_CERT_SIGNATURE_FAILURE;
result = 0;
}
else if (result < 0)
@@ -1064,12 +1105,21 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)))
{
if (output)
- *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
+ *output |= GNUTLS_CERT_INSECURE_ALGORITHM;
result = 0;
}
}
+
+ if (gnutls_x509_crl_get_this_update (crl) > now)
+ *output |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE;
+
+ if (gnutls_x509_crl_get_next_update (crl) < now)
+ *output |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
+
cleanup:
+ if (*output) *output |= GNUTLS_CERT_INVALID;
+
_gnutls_free_datum (&crl_signed_data);
_gnutls_free_datum (&crl_signature);
diff --git a/src/certtool.c b/src/certtool.c
index 81ec142..c9506a1 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1982,7 +1982,7 @@ static int detailed_verification(gnutls_x509_crt_t cert,
fprintf (outfile, "\tOutput: ");
print_verification_res(outfile, verification_output);
- fputs(".\n\n", outfile);
+ fputs("\n\n", outfile);
return 0;
}
@@ -2075,7 +2075,7 @@ _verify_x509_mem (const void *cert, int cert_size, const
void* ca, int ca_size)
fprintf (outfile, "Chain verification output: ");
print_verification_res(outfile, output);
- fprintf (outfile, ".\n\n");
+ fprintf (outfile, "\n\n");
gnutls_free(x509_cert_list);
gnutls_x509_trust_list_deinit(list, 1);
@@ -2089,58 +2089,27 @@ _verify_x509_mem (const void *cert, int cert_size,
const void* ca, int ca_size)
static void
print_verification_res (FILE* outfile, unsigned int output)
{
- int comma = 0;
+ gnutls_datum_t pout;
+ int ret;
- if (output & GNUTLS_CERT_INVALID)
+ if (output)
{
- fprintf (outfile, "Not verified");
- comma = 1;
+ fprintf (outfile, "Not verified.");
}
else
{
- fprintf (outfile, "Verified");
- comma = 1;
- }
-
- if (output & GNUTLS_CERT_SIGNER_NOT_CA)
- {
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Issuer is not a CA");
- comma = 1;
- }
-
- if (output & GNUTLS_CERT_INSECURE_ALGORITHM)
- {
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Insecure algorithm");
- comma = 1;
+ fprintf (outfile, "Verified.");
}
- if (output & GNUTLS_CERT_NOT_ACTIVATED)
- {
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Not activated");
- comma = 1;
- }
-
- if (output & GNUTLS_CERT_EXPIRED)
+ ret = gnutls_certificate_verification_status_print( output, GNUTLS_CRT_X509,
&pout, 0);
+ if (ret < 0)
{
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Expired");
- comma = 1;
+ fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
+ exit(EXIT_FAILURE);
}
- if (output & GNUTLS_CERT_REVOKED)
- {
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Revoked");
- comma = 1;
- }
+ fprintf (outfile, " %s", pout.data);
+ gnutls_free(pout.data);
}
static void
@@ -2194,11 +2163,9 @@ verify_crl (common_info_st * cinfo)
size_t size, dn_size;
char dn[128];
unsigned int output;
- int comma = 0;
int ret;
- gnutls_datum_t pem;
+ gnutls_datum_t pem, pout;
gnutls_x509_crl_t crl;
- time_t now = time (0);
gnutls_x509_crt_t issuer;
issuer = load_ca_cert (cinfo);
@@ -2231,51 +2198,24 @@ verify_crl (common_info_st * cinfo)
if (ret < 0)
error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret));
- if (output & GNUTLS_CERT_INVALID)
+ if (output)
{
- fprintf (outfile, "Not verified");
- comma = 1;
+ fprintf (outfile, "Not verified. ");
}
else
{
- fprintf (outfile, "Verified");
- comma = 1;
- }
-
- if (output & GNUTLS_CERT_SIGNER_NOT_CA)
- {
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Issuer is not a CA");
- comma = 1;
- }
-
- if (output & GNUTLS_CERT_INSECURE_ALGORITHM)
- {
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Insecure algorithm");
- comma = 1;
+ fprintf (outfile, "Verified.");
}
- /* Check expiration dates.
- */
-
- if (gnutls_x509_crl_get_this_update (crl) > now)
+ ret = gnutls_certificate_verification_status_print( output, GNUTLS_CRT_X509,
&pout, 0);
+ if (ret < 0)
{
- if (comma)
- fprintf (outfile, ", ");
- comma = 1;
- fprintf (outfile, "Issued in the future!");
+ fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
+ exit(EXIT_FAILURE);
}
- if (gnutls_x509_crl_get_next_update (crl) < now)
- {
- if (comma)
- fprintf (outfile, ", ");
- comma = 1;
- fprintf (outfile, "CRL is not up to date");
- }
+ fprintf (outfile, " %s", pout.data);
+ gnutls_free(pout.data);
fprintf (outfile, "\n");
}
diff --git a/tests/chainverify-unsorted.c b/tests/chainverify-unsorted.c
index 716fbd2..354c16b 100644
--- a/tests/chainverify-unsorted.c
+++ b/tests/chainverify-unsorted.c
@@ -614,6 +614,7 @@ doit (void)
unsigned int crts_size, i;
gnutls_x509_trust_list_t tl;
unsigned int status, flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
+ unsigned int not_flags = GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN;
/* this must be called once in the program
*/
@@ -728,7 +729,7 @@ doit (void)
exit(1);
}
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status,
NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, not_flags,
&status, NULL);
if (ret < 0 || status == 0)
{
fail("gnutls_x509_trust_list_verify_crt - 5\n");
diff --git a/tests/rsa-md5-collision/rsa-md5-collision
b/tests/rsa-md5-collision/rsa-md5-collision
index 527fd9e..7f3361d 100755
--- a/tests/rsa-md5-collision/rsa-md5-collision
+++ b/tests/rsa-md5-collision/rsa-md5-collision
@@ -36,9 +36,9 @@ cat client1.pem ca.pem > chain1.pem
cat client2.pem ca.pem > chain2.pem
$CERTTOOL --verify-chain < chain1.pem | \
- grep 'Not verified, Insecure algorithm.'
+ grep 'Not verified.' | grep 'insecure algorithm' >/dev/null
$CERTTOOL --verify-chain < chain2.pem | \
- grep 'Not verified, Insecure algorithm.'
+ grep 'Not verified.' | grep 'insecure algorithm' >/dev/null
rm -f ca.pem client1.pem client2.pem \
chain1.pem chain2.pem \
diff --git a/tests/suite/chain b/tests/suite/chain
index effb686..f1967c9 100755
--- a/tests/suite/chain
+++ b/tests/suite/chain
@@ -24,7 +24,7 @@ CERTTOOL=../../../src/certtool
SUCCESS=" 1 4 7 12 15 16 17 18 24 26 27 30 33 56 57 62 63 "
FAILURE=" 2 3 5 6 8 9 10 11 13 14 19 20 21 22 23 25 28 29 31 32 54 55 58 59 60
61 "
-KNOWN_BUGS=" 15 16 17 18 19 28 29 31 32 54 55 58 59 60 61 "
+KNOWN_BUGS=" 15 16 17 18 19 31 32 "
cd x509paths
@@ -49,14 +49,14 @@ while test -d X509tests/test$i; do
if echo "$KNOWN_BUGS" | grep " $i " > /dev/null 2>&1; then
echo "Chain $i verification was skipped due to known bug."
elif echo "$SUCCESS" | grep " $i " > /dev/null 2>&1; then
- if grep 'Chain verification output:' out | grep -v 'Chain
verification output: Verified\.$' > /dev/null 2>&1; then
+ if grep 'Chain verification output:' out | grep -v 'Chain
verification output: Verified\.' > /dev/null 2>&1; then
echo "Chain $i verification failure UNEXPECTED."
RET=1
else
echo "Chain $i verification success as expected."
fi
elif echo "$FAILURE" | grep " $i " >/dev/null 2>&1; then
- if grep 'Chain verification output:' out | grep -v 'Chain
verification output: Verified\.$' > /dev/null 2>&1; then
+ if grep 'Chain verification output:' out | grep -v 'Chain
verification output: Verified\.' > /dev/null 2>&1; then
echo "Chain $i verification failure as expected."
else
echo "Chain $i verification success UNEXPECTED. "
diff --git a/tests/suite/x509paths/README b/tests/suite/x509paths/README
index 46450a0..d56032d 100644
--- a/tests/suite/x509paths/README
+++ b/tests/suite/x509paths/README
@@ -20,12 +20,10 @@ Chain 19: This requires advanced verification that we don't
support
yet. It requires to check that this path contains no revocation data.
We shouldn't make these tests.
-Chain 28-29: We fail to check keyCertSign (non-)critical key usage in
-intermediate certificates. XXX
-
Chain 31-32: The CRL is issued by a issuer without CRLSign
(non-)critical keyCertSign. We don't check the CRL, so this is not a
real problem. This is easier to be supported now with the trust_list
-that can verify CRLs on addition.
+that can verify CRLs on addition. (there is an issue there since the
+CRLs that are being added are typically of an intermediate CA which
+is not in the trust list to verify them)
-Chain 54-55,58-61: We don't check path length constraints properly. XXX
hooks/post-receive
--
GNU gnutls
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_3_1_3-65-g160abd4,
Nikos Mavrogiannopoulos <=