[SCM] GNU gnutls branch, master, updated. gnutls_3_1_3-94-gf48ef4c


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_3-94-gf48ef4c
Date: Wed, 07 Nov 2012 20:58:24 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=f48ef4cf9c37338f44f92cea0c3f510ea83442ff

The branch, master has been updated
       via  f48ef4cf9c37338f44f92cea0c3f510ea83442ff (commit)
       via  41c0452a41d61b849ee98dcb37471b9419c43b65 (commit)
       via  9c167df34a227c6f87a8e138b80c87b12095bd89 (commit)
       via  ba1005c5e613297c24191e36c4300a96f91c0082 (commit)
       via  e2846b70577244b83550edbf3104582300148b3c (commit)
      from  c76700178f85f3bae45c296eaafba6187fb36d4e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f48ef4cf9c37338f44f92cea0c3f510ea83442ff
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Nov 7 21:55:36 2012 +0100

    key usage violations are tolerated.

commit 41c0452a41d61b849ee98dcb37471b9419c43b65
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Nov 7 21:49:49 2012 +0100

    Removed GNUTLS_CERT_REVOCATION_DATA_INVALID and no longer fail on OCSP parsing errors.

commit 9c167df34a227c6f87a8e138b80c87b12095bd89
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Nov 7 18:55:25 2012 +0100

    doc update

commit ba1005c5e613297c24191e36c4300a96f91c0082
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Nov 7 18:30:17 2012 +0100

    gnutls-cli-debug uses server name indication.

commit e2846b70577244b83550edbf3104582300148b3c
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Nov 7 00:45:40 2012 +0100

    updated

-----------------------------------------------------------------------

Summary of changes:
 NEWS                            |    6 ++++--
 doc/cha-cert-auth.texi          |   16 ++++++++++++++++
 doc/cha-tokens.texi             |    6 ++++--
 lib/gnutls_cert.c               |    3 ---
 lib/gnutls_int.h                |    2 --
 lib/gnutls_sig.c                |   10 ++--------
 lib/gnutls_x509.c               |   21 ++++++++++++++++-----
 lib/includes/gnutls/gnutls.h.in |    2 --
 src/Makefile.am                 |    2 +-
 src/{tls_test.c => cli-debug.c} |    9 ++++++++-
 10 files changed, 51 insertions(+), 26 deletions(-)
 rename src/{tls_test.c => cli-debug.c} (97%)

diff --git a/NEWS b/NEWS
index 5fe0411..d31de89 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,9 @@ GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE.
 ** libgnutls: Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN
 and made GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN the default.
 
+** libgnutls: Always tolerate key usage violation errors from the side
+of the peer, but also notify via an audit message.
+
 ** gnutls-cli: Added --local-dns option.
 
 ** danetool: Corrected bug that prevented loading PEM files.
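Review bot: the NEWS entry understates the behaviour change. The `allow_key_usage_violation` priority bit and its `ENABLE_COMPAT` setting are deleted in lib/gnutls_int.h, so a peer whose certificate lacks the digitalSignature key usage is now accepted by every session, not only by sessions that opted in via %COMPAT, and GNUTLS_E_KEY_USAGE_VIOLATION is no longer returned from the handshake by lib/gnutls_sig.c. Say that explicitly, and add that OCSP parsing errors are now reported only through the audit log, since GNUTLS_CERT_REVOCATION_DATA_INVALID is dropped from the verification status.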
@@ -53,8 +56,7 @@ dane_cert_type_name: Added
 dane_match_type_name: Added
 dane_cert_usage_name: Added
 dane_verification_status_print: Added
-GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added
-GNUTLS_CERT_REVOCATION_DATA_INVALID: Added
+GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED: Added
 GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: Added
 GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE: Added
 GNUTLS_CERT_UNEXPECTED_OWNER: Added
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index e379e69..168b106 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -87,6 +87,7 @@ acceptable.  The framework is illustrated on @ref{fig:x509}.
 * X.509 certificate structure::
 * Importing an X.509 certificate::
 * X.509 distinguished names::
+* X.509 public and private keys::
 * Verifying X.509 certificate paths::
 * Verifying a certificate in the context of TLS session::
 @end menu
@@ -240,6 +241,21 @@ of the issuer of the certificate.
 
 
@showfuncD{gnutls_x509_crt_get_issuer_dn,gnutls_x509_crt_get_issuer_dn_by_oid,gnutls_x509_crt_get_issuer_dn_oid,gnutls_x509_crt_get_issuer}
 
address@hidden X.509 public and private keys
address@hidden Accessing public and private keys
+
+Each X.509 certificate contains a public key that corresponds to a private 
key. To
+get a unique identifier of the public key the 
@funcref{gnutls_x509_crt_get_key_id}
+function is provided. To export the public key or its parameters you may need
+to convert the X.509 structure to a @code{gnutls_pubkey_t}. See 
address@hidden public keys} for more information.
+
address@hidden
+
+The private key parameters may be directly accessed by using one of the 
following functions.
+
address@hidden,gnutls_x509_privkey_export_rsa_raw2,gnutls_x509_privkey_export_ecc_raw,gnutls_x509_privkey_export_dsa_raw,gnutls_x509_privkey_get_key_id}
+
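Review bot: the mailing-list address obfuscation has replaced the texinfo commands on the added lines (the `@node`, `@subsubsection`, `@ref{...}` and `@showfunc` lines all show as `address@hidden`), so this hunk cannot be checked from the archive copy; use the cgit link at the top of the mail. On the text itself, the section is titled "Accessing public and private keys" but a gnutls_x509_crt_t carries only the public key; the sentence "The private key parameters may be directly accessed by using one of the following functions." should say that those functions operate on a separately loaded gnutls_x509_privkey_t, otherwise the reader will look for a way to pull a private key out of the certificate.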
 @node Verifying X.509 certificate paths
 @subsection Verifying @acronym{X.509} certificate paths
 @cindex verifying certificate paths
diff --git a/doc/cha-tokens.texi b/doc/cha-tokens.texi
index ad61b15..e6d3fe4 100644
--- a/doc/cha-tokens.texi
+++ b/doc/cha-tokens.texi
@@ -69,9 +69,9 @@ sequence.
 
 
@showfuncC{gnutls_pubkey_import_x509,gnutls_pubkey_import_openpgp,gnutls_pubkey_import_pkcs11}
 
address@hidden,gnutls_pubkey_import_privkey,gnutls_pubkey_import}
address@hidden,gnutls_pubkey_import_privkey,gnutls_pubkey_import,gnutls_pubkey_export}
 
address@hidden,gnutls_pubkey_export2}
address@hidden
 
 Other helper functions that allow directly importing from raw X.509 or
 OpenPGP structures are shown below. 
@@ -90,7 +90,9 @@ key fingerprint would provide a memorable sketch.
 
 
@showfuncD{gnutls_pubkey_get_pk_algorithm,gnutls_pubkey_get_preferred_hash_algorithm,gnutls_pubkey_get_key_id,gnutls_random_art}
 
+To export the key-specific parameters, or obtain a unique key ID the following 
functions are provided.
 
address@hidden,gnutls_pubkey_get_pk_dsa_raw,gnutls_pubkey_get_pk_ecc_raw,gnutls_pubkey_get_pk_ecc_x962}
 
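Review bot: the added sentence needs a comma after "key ID" ("To export the key-specific parameters, or obtain a unique key ID, the following functions are provided."). It also promises a key-ID function, but gnutls_pubkey_get_key_id is already listed in the @showfuncD line directly above, and the function line added below names only the raw parameter exporters (gnutls_pubkey_get_pk_dsa_raw, gnutls_pubkey_get_pk_ecc_raw, gnutls_pubkey_get_pk_ecc_x962), so either drop "or obtain a unique key ID" or move gnutls_pubkey_get_key_id down to this list.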
 @node Abstract private keys
 @subsection Private keys
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index f98ecdc..a51b2ca 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -947,9 +947,6 @@ gnutls_certificate_verification_status_print (unsigned int 
status,
       if (status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED)
          _gnutls_buffer_append_str (&str, _("The revocation data are old and 
have been superseded. "));
 
-      if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID)
-         _gnutls_buffer_append_str (&str, _("The revocation data are invalid. 
"));
-
       if (status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)
          _gnutls_buffer_append_str (&str, _("The revocation data are issued 
with a future date. "));
 
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index bc03a8c..239c9b3 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -605,7 +605,6 @@ struct gnutls_priority_st
   safe_renegotiation_t sr;
   unsigned int ssl3_record_version:1;
   unsigned int server_precedence:1;
-  unsigned int allow_key_usage_violation:1;
   unsigned int allow_weak_keys:1;
   /* Whether stateless compression will be used */
   unsigned int stateless_compression:1;
@@ -615,7 +614,6 @@ struct gnutls_priority_st
 #define ENABLE_COMPAT(x) \
               (x)->no_padding = 1; \
               (x)->allow_large_records = 1; \
-              (x)->allow_key_usage_violation = 1; \
               (x)->allow_weak_keys = 1
 
 /* DH and RSA parameters types.
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index c3665c6..f2c2db3 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -184,10 +184,7 @@ sign_tls_hash (gnutls_session_t session, 
gnutls_digest_algorithm_t hash_algo,
         if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
           {
             gnutls_assert ();
-            if (session->internals.priorities.allow_key_usage_violation == 0)
-              return GNUTLS_E_KEY_USAGE_VIOLATION;
-            else
-              _gnutls_audit_log(session, "Key usage violation was detected 
(ignored).\n");
+            _gnutls_audit_log(session, "Peer's certificate does not allow 
digital signatures. Key usage violation detected (ignored).\n");
           }
 
       /* External signing. Deprecated. To be removed. */
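Review bot: the new audit message is wrong for this path. sign_tls_hash signs the handshake with the local credentials' certificate and key (the peer's certificate is what verify_tls_hash below checks), so "Peer's certificate does not allow digital signatures" blames the peer for a misconfiguration of our own certificate. Name the local certificate in the message, and consider keeping this case a hard error: signing with a key whose keyUsage forbids digitalSignature is a local deployment mistake that a single audit line will not get fixed.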
@@ -260,10 +257,7 @@ verify_tls_hash (gnutls_session_t session,
     if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
       {
         gnutls_assert ();
-        if (session->internals.priorities.allow_key_usage_violation == 0)
-          return GNUTLS_E_KEY_USAGE_VIOLATION;
-        else
-          _gnutls_audit_log(session, "Key usage violation was detected 
(ignored).\n");
+        _gnutls_audit_log(session, "Peer's certificate does not allow digital 
signatures. Key usage violation detected (ignored).\n");
       }
 
   if (pk_algo == GNUTLS_PK_UNKNOWN)
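Review bot: with both `return GNUTLS_E_KEY_USAGE_VIOLATION;` lines removed, keyUsage becomes advisory only: a peer certificate issued with keyEncipherment but without digitalSignature can sign the ServerKeyExchange of a DHE/ECDHE handshake and the handshake succeeds, with one _gnutls_audit_log line as the only trace. The extension exists so that a CA can bound what a key may be used for, and an application that cares should be able to learn about the violation programmatically; surface it as a verification-status bit or a session flag in addition to the audit log rather than only logging it.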
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 8188b79..1f6363a 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -112,12 +112,19 @@ check_ocsp_response (gnutls_session_t session, 
gnutls_x509_crt_t cert,
 
   ret = gnutls_ocsp_resp_import (resp, data);
   if (ret < 0)
-    return gnutls_assert_val(ret);
+    {
+      _gnutls_audit_log (session, "There was an error parsing the OCSP 
response: %s.\n", gnutls_strerror(ret));
+      ret = gnutls_assert_val(0);
+      check_failed = 1;
+      goto cleanup;
+    }
   
   ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
   if (ret < 0)
     {
-      _gnutls_audit_log (session, "Got OCSP response on an unrelated 
certificate.\n");
+      ret = gnutls_assert_val(0);
+      _gnutls_audit_log (session, "Got OCSP response with an unrelated 
certificate.\n");
+      check_failed = 1;
       goto cleanup;
     }
 
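Review bot: on a `gnutls_ocsp_resp_import` failure and on a response that does not match the certificate the function now returns 0 instead of the negative error, with only `check_failed = 1` and an audit line recording the problem. Since check_failed only suppresses `ocsp_check_ok`, a server that staples a malformed or mismatched OCSP response is now indistinguishable, for a caller looking at the return value, from a server that stapled nothing at all. State in the function comment that stapled-response errors degrade to "no OCSP data", and make sure the caller treats `ocsp_check_ok == 0` accordingly. Also, `ret = gnutls_assert_val(0);` is used here only to emit a debug trace for the value 0; a plain `ret = 0;` next to the audit call reads more clearly.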
@@ -129,6 +136,7 @@ check_ocsp_response (gnutls_session_t session, 
gnutls_x509_crt_t cert,
   if (status != 0)
     {
       ret = gnutls_assert_val(0);
+      check_failed = 1;
       goto cleanup;
     }
 
@@ -136,8 +144,9 @@ check_ocsp_response (gnutls_session_t session, 
gnutls_x509_crt_t cert,
         &cert_status, &vtime, &ntime, &rtime, NULL);
   if (ret < 0)
     {
+      _gnutls_audit_log (session, "There was an error parsing the OCSP 
response: %s.\n", gnutls_strerror(ret));
       ret = gnutls_assert_val(0);
-      *ostatus |= GNUTLS_CERT_REVOCATION_DATA_INVALID;
+      check_failed = 1;
       goto cleanup;
     }
   
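Review bot: removing `*ostatus |= GNUTLS_CERT_REVOCATION_DATA_INVALID;` takes away the only way the verification status handed back to the application reported an unparsable single response; after this hunk the condition is visible solely in the audit log. If the intended semantics are that malformed revocation data counts as absent revocation data, document that next to the OCSP verification status flags in gnutls.h.in; otherwise keep a status bit so applications can decide for themselves.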
@@ -159,6 +168,7 @@ check_ocsp_response (gnutls_session_t session, 
gnutls_x509_crt_t cert,
         {
           _gnutls_audit_log(session, "The OCSP response is old\n");
           check_failed = 1;
+          goto cleanup;
         }
     }
   else
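Review bot: the added `goto cleanup;` is redundant and fragile. After the if/else the code reaches cleanup anyway, and the jump now bypasses the `ret = 0;` that this patch places before the `cleanup:` label, so the return value is whatever gnutls_ocsp_resp_get_single left in `ret` (0 on success today, but nothing here enforces that). Either drop the goto or set `ret = 0;` explicitly before it; the same applies to the goto added for the "newer OCSP response" case in the next hunk.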
@@ -168,14 +178,15 @@ check_ocsp_response (gnutls_session_t session, 
gnutls_x509_crt_t cert,
         {
           _gnutls_audit_log(session, "There is a newer OCSP response but was 
not provided by the server\n");
           check_failed = 1;
+          goto cleanup;
         }
     }
   
+  ret = 0;
+cleanup:
   if (check_failed == 0)
     session->internals.ocsp_check_ok = 1;
 
-  ret = 0;
-cleanup:
   gnutls_ocsp_resp_deinit (resp);
   
   return ret;
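Review bot: moving `if (check_failed == 0) session->internals.ocsp_check_ok = 1;` below the `cleanup:` label turns the label into a success path: every error exit must now remember to set `check_failed = 1` first, or the OCSP check is recorded as passed. The import, unrelated-certificate, status and get_single exits in this patch do set it, but the invariant is easy to break with the next early `goto cleanup`. Safer is a local `ok = 0` that is set to 1 only at the single success point just before the label, and copied into `ocsp_check_ok` after it.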
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index b91f684..800323f 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -447,7 +447,6 @@ extern "C"
  *   should not be trusted.
  * @GNUTLS_CERT_NOT_ACTIVATED: The certificate is not yet activated.
  * @GNUTLS_CERT_EXPIRED: The certificate has expired.
- * @GNUTLS_CERT_REVOCATION_DATA_INVALID: The OCSP revocation data are invalid.
  * @GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED: The revocation data are old and 
have been superseded.
  * @GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: The revocation data have a 
future issue date.
  * @GNUTLS_CERT_UNEXPECTED_OWNER: The owner is not the expected one.
@@ -467,7 +466,6 @@ extern "C"
     GNUTLS_CERT_EXPIRED = 1<<10,
     GNUTLS_CERT_SIGNATURE_FAILURE = 1<<11,
     GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED = 1<<12,
-    GNUTLS_CERT_REVOCATION_DATA_INVALID = 1<<13,
     GNUTLS_CERT_UNEXPECTED_OWNER = 1<<14,
     GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE = 1<<15,
     GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE = 1<<16,
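Review bot: removing `GNUTLS_CERT_REVOCATION_DATA_INVALID = 1<<13` leaves a hole between 1<<12 and 1<<14. NEWS lists the surrounding flags as added in this unreleased cycle, so either renumber to keep the bits contiguous or add a comment reserving 1<<13, so that a later flag with a different meaning does not reuse a bit that intermediate snapshots already handed out.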
diff --git a/src/Makefile.am b/src/Makefile.am
index 9935f0d..8f5a4b1 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -116,7 +116,7 @@ noinst_LTLIBRARIES += libcmd-cli.la
 libcmd_cli_la_CFLAGS = 
 libcmd_cli_la_SOURCES = cli-args.def cli-args.c cli-args.h
 
-gnutls_cli_debug_SOURCES = tls_test.c tests.h tests.c \
+gnutls_cli_debug_SOURCES = cli-debug.c tests.h tests.c \
                socket.c socket.h common.h common.c
 gnutls_cli_debug_LDADD = ../lib/libgnutls.la libcmd-cli-debug.la 
 gnutls_cli_debug_LDADD += ../gl/libgnu.la
diff --git a/src/tls_test.c b/src/cli-debug.c
similarity index 97%
rename from src/tls_test.c
rename to src/cli-debug.c
index f4f61b1..2cd2203 100644
--- a/src/tls_test.c
+++ b/src/cli-debug.c
@@ -33,6 +33,7 @@
 #endif
 #include <tests.h>
 #include <common.h>
+#include <ctype.h>
 #include <cli-debug-args.h>
 #include <socket.h>
 
@@ -275,9 +276,15 @@ main (int argc, char **argv)
               continue;
             }
         }
-      ERR (err, "connect") gnutls_init (&state, 
GNUTLS_CLIENT|GNUTLS_NO_EXTENSIONS);
+      ERR (err, "connect");
+
+      gnutls_init (&state, GNUTLS_CLIENT|GNUTLS_NO_EXTENSIONS);
+
       gnutls_transport_set_ptr (state, (gnutls_transport_ptr_t)
                                 gl_fd_to_handle (sd));
+      if (hostname && !isdigit(hostname[0]) && strchr(hostname, ':') == 0)
+        gnutls_server_name_set (state, GNUTLS_NAME_DNS, hostname,
+                                strlen (hostname));
 
       do
         {
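Review bot: the IP-literal heuristic `!isdigit(hostname[0]) && strchr(hostname, ':') == 0` is wrong in both directions: a hostname may legitimately begin with a digit, in which case SNI is silently omitted and the debug tool no longer sees the virtual host it was asked to test, and passing a plain `char` to `isdigit` is undefined for non-ASCII bytes (cast to `unsigned char`). Recognise literals with `inet_pton(AF_INET, ...)` / `inet_pton(AF_INET6, ...)` (or getaddrinfo with AI_NUMERICHOST) and send SNI for everything else. The return values of gnutls_init and gnutls_server_name_set are also discarded; check them, since a failed gnutls_init leaves `state` unusable for the gnutls_transport_set_ptr call that follows.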


hooks/post-receive
-- 
GNU gnutls


