[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, gnutls_3_0_x-2, updated. gnutls_3_0_25-5-ga00dd
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, gnutls_3_0_x-2, updated. gnutls_3_0_25-5-ga00dded |
|
Date: |
Tue, 06 Nov 2012 21:50:25 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=a00ddedbd3d2103bd28d8077af2a5e165cb62002
The branch, gnutls_3_0_x-2 has been updated
via a00ddedbd3d2103bd28d8077af2a5e165cb62002 (commit)
via 40d67276f0b38f5b70a876808cf97f650ec0c80c (commit)
via 4651a569b1eb36fa7bbe99e861ea26fafe4442f8 (commit)
via 694c9cce395fee2ca3b999ec90a59c71c5580344 (commit)
via 37dfcf180bdc1ebed608a45d1323a50ddeea316f (commit)
from 42e7bcb968816ac95f2c204ca6b4b81b83740fa3 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit a00ddedbd3d2103bd28d8077af2a5e165cb62002
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Nov 6 22:46:26 2012 +0100
Too old -> superseded.
commit 40d67276f0b38f5b70a876808cf97f650ec0c80c
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Nov 6 22:36:33 2012 +0100
corrected checks
commit 4651a569b1eb36fa7bbe99e861ea26fafe4442f8
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Nov 6 22:22:52 2012 +0100
updated
commit 694c9cce395fee2ca3b999ec90a59c71c5580344
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Oct 10 20:12:27 2012 +0200
Increased maximum password len in PKCS #12.
commit 37dfcf180bdc1ebed608a45d1323a50ddeea316f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Nov 2 10:24:16 2012 +0100
CRL verification includes the time checks.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 12 ++++++++++++
lib/gnutls_cert.c | 1 -
lib/includes/gnutls/gnutls.h.in | 19 ++++++++++++-------
lib/x509/pkcs12_encr.c | 29 ++++++++++++++++++-----------
lib/x509/verify.c | 15 +++++++++++++--
src/certtool.c | 18 +++++++-----------
6 files changed, 62 insertions(+), 32 deletions(-)
diff --git a/NEWS b/NEWS
index b45c934..97d6240 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,18 @@ GnuTLS NEWS -- History of user-visible changes.
-*- outline -*-
Copyright (C) 2000-2012 Free Software Foundation, Inc.
See the end for copying conditions.
+* Version 3.0.26 (unreleased)
+
+** libgnutls: gnutls_x509_crl_verify() includes the time checks.
+
+** libgnutls: Increased maximum password length in the PKCS #12
+functions.
+
+** API and ABI modifications:
+GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added
+GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: Added
+
+
* Version 3.0.25 (released 2012-10-12)
** libgnutls: Fixed the receipt of session tickets during session resumption.
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 357569f..3284683 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -826,4 +826,3 @@ gnutls_sign_callback_get (gnutls_session_t session, void
**userdata)
return session->internals.sign_func;
}
-
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 355621a..c157a04 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -437,6 +437,8 @@ extern "C"
* should not be trusted.
* @GNUTLS_CERT_NOT_ACTIVATED: The certificate is not yet activated.
* @GNUTLS_CERT_EXPIRED: The certificate has expired.
+ * @GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED: The revocation data are old and
have been superseded.
+ * @GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: The revocation data have a
future issue date.
*
* Enumeration of certificate status codes. Note that the status
* bits have different meanings in OpenPGP keys and X.509
@@ -444,13 +446,16 @@ extern "C"
*/
typedef enum
{
- GNUTLS_CERT_INVALID = 2,
- GNUTLS_CERT_REVOKED = 32,
- GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
- GNUTLS_CERT_SIGNER_NOT_CA = 128,
- GNUTLS_CERT_INSECURE_ALGORITHM = 256,
- GNUTLS_CERT_NOT_ACTIVATED = 512,
- GNUTLS_CERT_EXPIRED = 1024
+ GNUTLS_CERT_INVALID = 1<<1,
+ GNUTLS_CERT_REVOKED = 1<<5,
+ GNUTLS_CERT_SIGNER_NOT_FOUND = 1<<6,
+ GNUTLS_CERT_SIGNER_NOT_CA = 1<<7,
+ GNUTLS_CERT_INSECURE_ALGORITHM = 1<<8,
+ GNUTLS_CERT_NOT_ACTIVATED = 1<<9,
+ GNUTLS_CERT_EXPIRED = 1<<10,
+ GNUTLS_CERT_SIGNATURE_FAILURE = 1<<11,
+ GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED = 1<<12,
+ GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE = 1<<15,
} gnutls_certificate_status_t;
/**
diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c
index 68b5286..34aaf11 100644
--- a/lib/x509/pkcs12_encr.c
+++ b/lib/x509/pkcs12_encr.c
@@ -43,6 +43,8 @@ _pkcs12_check_pass (const char *pass, size_t plen)
return 0;
}
+#define MAX_PASS_LEN 128
+
/* ID should be:
* 3 for MAC
* 2 for IV
@@ -60,9 +62,10 @@ _gnutls_pkcs12_string_to_key (unsigned int id, const uint8_t
* salt,
bigint_t num_b1 = NULL, num_ij = NULL;
bigint_t mpi512 = NULL;
unsigned int pwlen;
- uint8_t hash[20], buf_b[64], buf_i[128], *p;
+ uint8_t hash[20], buf_b[64], buf_i[MAX_PASS_LEN*2+64], *p;
+ uint8_t d[64];
size_t cur_keylen;
- size_t n, m;
+ size_t n, m, p_size, i_size;
const uint8_t buf_512[] = /* 2^64 */
{ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -79,7 +82,7 @@ _gnutls_pkcs12_string_to_key (unsigned int id, const uint8_t
* salt,
else
pwlen = strlen (pw);
- if (pwlen > 63 / 2)
+ if (pwlen > MAX_PASS_LEN)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
@@ -99,12 +102,17 @@ _gnutls_pkcs12_string_to_key (unsigned int id, const
uint8_t * salt,
}
/* Store salt and password in BUF_I */
+ p_size = ((pwlen/64)*64) + 64;
+
+ if (p_size > sizeof(buf_i)-64)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
p = buf_i;
for (i = 0; i < 64; i++)
*p++ = salt[i % salt_size];
if (pw)
{
- for (i = j = 0; i < 64; i += 2)
+ for (i = j = 0; i < p_size; i += 2)
{
*p++ = 0;
*p++ = pw[j];
@@ -113,7 +121,9 @@ _gnutls_pkcs12_string_to_key (unsigned int id, const
uint8_t * salt,
}
}
else
- memset (p, 0, 64);
+ memset (p, 0, p_size);
+
+ i_size = 64+p_size;
for (;;)
{
@@ -123,12 +133,9 @@ _gnutls_pkcs12_string_to_key (unsigned int id, const
uint8_t * salt,
gnutls_assert ();
goto cleanup;
}
- for (i = 0; i < 64; i++)
- {
- unsigned char lid = id & 0xFF;
- _gnutls_hash (&md, &lid, 1);
- }
- _gnutls_hash (&md, buf_i, pw ? 128 : 64);
+ memset(d, id & 0xff, 64);
+ _gnutls_hash (&md, d, 64);
+ _gnutls_hash (&md, buf_i, pw ? i_size : 64);
_gnutls_hash_deinit (&md, hash);
for (i = 1; i < iter; i++)
{
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index bcca386..f336633 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -943,7 +943,8 @@ gnutls_x509_crl_check_issuer (gnutls_x509_crl_t crl,
*
* This function will try to verify the given crl and return its status.
* See gnutls_x509_crt_list_verify() for a detailed description of
- * return values.
+ * return values. Note that since GnuTLS 3.1.4 this function includes
+ * the time checks.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
@@ -1039,6 +1040,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
gnutls_datum_t crl_signature = { NULL, 0 };
gnutls_x509_crt_t issuer;
int result, hash_algo;
+ time_t now = gnutls_time(0);
if (output)
*output = 0;
@@ -1127,12 +1129,21 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)))
{
if (output)
- *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
+ *output |= GNUTLS_CERT_INSECURE_ALGORITHM;
result = 0;
}
}
+
+ if (gnutls_x509_crl_get_this_update (crl) > now)
+ *output |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE;
+
+ if (gnutls_x509_crl_get_next_update (crl) < now)
+ *output |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED;
+
cleanup:
+ if (*output) *output |= GNUTLS_CERT_INVALID;
+
_gnutls_free_datum (&crl_signed_data);
_gnutls_free_datum (&crl_signature);
diff --git a/src/certtool.c b/src/certtool.c
index c438642..f182977 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2180,14 +2180,14 @@ print_verification_res (FILE* outfile, unsigned int
output)
{
int comma = 0;
- if (output & GNUTLS_CERT_INVALID)
+ if (output == 0)
{
- fprintf (outfile, "Not verified");
+ fprintf (outfile, "Verified");
comma = 1;
}
else
{
- fprintf (outfile, "Verified");
+ fprintf (outfile, "Not verified");
comma = 1;
}
@@ -2287,7 +2287,6 @@ verify_crl (common_info_st * cinfo)
int ret;
gnutls_datum_t pem;
gnutls_x509_crl_t crl;
- time_t now = time (0);
gnutls_x509_crt_t issuer;
issuer = load_ca_cert (cinfo);
@@ -2347,23 +2346,20 @@ verify_crl (common_info_st * cinfo)
comma = 1;
}
- /* Check expiration dates.
- */
-
- if (gnutls_x509_crl_get_this_update (crl) > now)
+ if (output & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED)
{
if (comma)
fprintf (outfile, ", ");
+ fprintf (outfile, "CRL is not up to date");
comma = 1;
- fprintf (outfile, "Issued in the future!");
}
- if (gnutls_x509_crl_get_next_update (crl) < now)
+ if (output & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)
{
if (comma)
fprintf (outfile, ", ");
+ fprintf (outfile, "Issued in the future!");
comma = 1;
- fprintf (outfile, "CRL is not up to date");
}
fprintf (outfile, "\n");
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, gnutls_3_0_x-2, updated. gnutls_3_0_25-5-ga00dded,
Nikos Mavrogiannopoulos <=