[SCM] GNU gnutls branch, master, updated. gnutls_3_0_0-2-gc86c2f8
From: |
Nikos Mavrogiannopoulos |
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_0-2-gc86c2f8 |
Date: |
Sun, 31 Jul 2011 15:52:17 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=c86c2f88be5644ec8c82d23138fd23bc20184842
The branch, master has been updated
via c86c2f88be5644ec8c82d23138fd23bc20184842 (commit)
via 199ef70e8d1fb87f3547f2cdb0edd20f68d4febd (commit)
from 3b0b75ab6d15cba8758248f451be0c86c28a3e22 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit c86c2f88be5644ec8c82d23138fd23bc20184842
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Jul 31 17:47:42 2011 +0200
Added GNUTLS_E_CERTIFICATE_LIST_UNSORTED.
When a certificate list is loaded, verify
that it is sorted in chain order: it must start
with the subject (end-entity) certificate and
end with the trusted root. That way we make
sure we don't send data that violates the TLS
protocol.
commit 199ef70e8d1fb87f3547f2cdb0edd20f68d4febd
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Jul 31 13:03:58 2011 +0200
documentation updates.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 10 ++++++
doc/cha-cert-auth.texi | 6 ++--
doc/latex/macros.tex | 14 --------
lib/gnutls_errors.c | 2 +
lib/gnutls_x509.c | 67 +++++++++++++++++++++++++++++++++++++++
lib/includes/gnutls/gnutls.h.in | 1 +
6 files changed, 83 insertions(+), 17 deletions(-)
diff --git a/NEWS b/NEWS
index 056d180..6c694bb 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,16 @@ Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005,
2006, 2007, 2008, 2009, 2010 Free Software Foundation, Inc.
See the end for copying conditions.
+* Version 3.0.1 (unreleased)
+
+** libgnutls: Verify that a certificate liste specified
+using gnutls_certificate_set_x509_key*(), is sorted
+according to TLS specification (from subject to issuer).
+
+** API and ABI modifications:
+No changes since last version.
+
+
* Version 3.0.0 (released 2011-07-29)
** libgnutls: writev_emu: stop on the first incomplete write. Patch by
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index ae2df5d..437c68d 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -392,7 +392,7 @@ such as @acronym{Gnome Keyring}. The objects residing on
such token can be
certificates, public keys, private keys or even plain data or secret keys. Of
those
certificates and public/private key pairs can be used with @acronym{GnuTLS}.
Its
main advantage is that it allows operations on private key objects such as
decryption
-and signing without accessing the key itself.
+and signing without exposing the key.
Moreover it can be used to allow all applications in the same operating system
to access
shared cryptographic keys and certificates in a uniform way, as in
@ref{fig:pkcs11-vision}.
@@ -404,8 +404,8 @@ shared cryptographic keys and certificates in a uniform
way, as in @ref{fig:pkcs
@subsection Initialization
To allow all the @acronym{GnuTLS} applications to access @acronym{PKCS} #11
tokens
-it is advisable to use @code{/etc/pkcs11/modules/mymodule.conf}. This file has
the following
-format:
+you can use a configuration per module, such as
@code{/etc/pkcs11/modules/mymodule.conf}.
+This file has the following format:
@smallexample
module: /usr/lib/opensc-pkcs11.so
diff --git a/doc/latex/macros.tex b/doc/latex/macros.tex
index f6ea4a3..0a53b47 100644
--- a/doc/latex/macros.tex
+++ b/doc/latex/macros.tex
@@ -63,13 +63,11 @@
}
\newcommand{\showfuncdesc}[1]{%
-%\fcolorbox{black}{light-gray}{
\begin{minipage}[l]{\linewidth}
\begin{framed}
\texttt{
\input{functions/#1}
}
-% }
\end{framed}
\vspace{0.15cm}
\end{minipage}
@@ -79,9 +77,7 @@
% \fcolorbox{black}{light-gray}{
\begin{samepage}
\begin{framed}
- \texttt{
\showfunc{#1}
- }
% }
\end{framed}
\end{samepage}
@@ -91,10 +87,8 @@
% \fcolorbox{black}{light-gray}{
\begin{samepage}
\begin{framed}
- \texttt{
\showfunc{#1}
\showfunc{#2}
- }
% }
\end{framed}
\end{samepage}
@@ -104,11 +98,9 @@
% \fcolorbox{black}{light-gray}{
\begin{samepage}
\begin{framed}
- \texttt{
\showfunc{#1}
\showfunc{#2}
\showfunc{#3}
- }
% }
\end{framed}
\end{samepage}
@@ -118,12 +110,10 @@
% \fcolorbox{black}{light-gray}{
\begin{samepage}
\begin{framed}
- \texttt{
\showfunc{#1}
\showfunc{#2}
\showfunc{#3}
\showfunc{#4}
- }
% }
\end{framed}
\end{samepage}
@@ -133,13 +123,11 @@
% \fcolorbox{black}{light-gray}{
\begin{samepage}
\begin{framed}
- \texttt{
\showfunc{#1}
\showfunc{#2}
\showfunc{#3}
\showfunc{#4}
\showfunc{#5}
- }
% }
\end{framed}
\end{samepage}
@@ -149,14 +137,12 @@
% \fcolorbox{black}{light-gray}{
\begin{samepage}
\begin{framed}
- \texttt{
\showfunc{#1}
\showfunc{#2}
\showfunc{#3}
\showfunc{#4}
\showfunc{#5}
\showfunc{#6}
- }
% }
\end{framed}
\end{samepage}
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index fa70609..ed99d1f 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -331,6 +331,8 @@ static const gnutls_error_entry error_algorithms[] = {
GNUTLS_E_ECC_UNSUPPORTED_CURVE, 1),
ERROR_ENTRY (N_("The requested PKCS #11 object is not available"),
GNUTLS_E_PKCS11_REQUESTED_OBJECT_NOT_AVAILBLE, 1),
+ ERROR_ENTRY (N_("The provided X.509 certificate list is not sorted (in
subject to issuer order)"),
+ GNUTLS_E_CERTIFICATE_LIST_UNSORTED, 1),
{NULL, NULL, 0, 0}
};
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 37ba539..fd3537b 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -792,10 +792,77 @@ gnutls_certificate_set_x509_key_mem
(gnutls_certificate_credentials_t res,
return 0;
}
+static int check_if_sorted(gnutls_pcert_st * crt, int nr)
+{
+gnutls_x509_crt_t x509;
+char prev_dn[MAX_CN];
+char dn[MAX_CN];
+size_t prev_dn_size, dn_size;
+int i, ret;
+
+ /* check if the X.509 list is ordered */
+ if (nr > 1 && crt[0].type == GNUTLS_CRT_X509)
+ {
+
+ for (i=0;i<nr;i++)
+ {
+ ret = gnutls_x509_crt_init(&x509);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = gnutls_x509_crt_import(x509, &crt[i].cert,
GNUTLS_X509_FMT_DER);
+ if (ret < 0)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+
+ if (i>0)
+ {
+ dn_size = sizeof(dn);
+ ret = gnutls_x509_crt_get_dn(x509, dn, &dn_size);
+ if (ret < 0)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+
+ if (dn_size != prev_dn_size || memcmp(dn, prev_dn, dn_size) != 0)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
+ goto cleanup;
+ }
+ }
+
+ prev_dn_size = sizeof(prev_dn);
+ ret = gnutls_x509_crt_get_issuer_dn(x509, prev_dn, &prev_dn_size);
+ if (ret < 0)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+
+ gnutls_x509_crt_deinit(x509);
+ }
+ }
+
+ return 0;
+
+cleanup:
+ gnutls_x509_crt_deinit(x509);
+ return ret;
+}
+
int
certificate_credential_append_crt_list (gnutls_certificate_credentials_t res,
gnutls_pcert_st * crt, int nr)
{
+int ret;
+
+ ret = check_if_sorted(crt, nr);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
res->cert_list = gnutls_realloc_fast (res->cert_list,
(1 +
res->ncerts) *
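Review bot: In check_if_sorted the subject and issuer names are rendered into fixed MAX_CN-byte stack buffers (`char prev_dn[MAX_CN]; char dn[MAX_CN];`), so any chain whose string DN exceeds MAX_CN makes gnutls_x509_crt_get_dn fail with GNUTLS_E_SHORT_MEMORY_BUFFER and the whole credential load is rejected with an unrelated error even though the list is correctly ordered; long organisational DNs are not rare. The printable DN is also a lossy rendering, whereas the TLS requirement (RFC 5246 7.4.2, each certificate directly certifies the preceding one) is most faithfully approximated by comparing the DER issuer of one certificate with the DER subject of the next, so the check should use gnutls_x509_crt_get_raw_dn/gnutls_x509_crt_get_raw_issuer_dn (assuming they are available in this tree; confirm whether they return an allocated datum, the sketch below assumes they do) and compare the datums byte-for-byte, freeing them on every path. Note also that prev_dn_size is only assigned at the end of the first iteration, which some compilers flag as maybe-uninitialized, and that the function has no header comment; I would add `/* Verify an X.509 list is in TLS chain order (each cert's issuer is the next cert's subject). Name chaining only: signatures are not verified and the last cert is not checked against a trust store. */` above it, since the commit message's "finished with the trusted root" overstates what is checked. The rewritten function is below; certificate_credential_append_crt_list continues past the end of this hunk.
```c
static int check_if_sorted(gnutls_pcert_st * crt, int nr)
{
gnutls_x509_crt_t x509 = NULL;
gnutls_datum_t prev_issuer = { NULL, 0 };
gnutls_datum_t subject = { NULL, 0 };
int i, ret;

  if (nr <= 1 || crt[0].type != GNUTLS_CRT_X509)
    return 0;

  for (i = 0; i < nr; i++)
    {
      /* … unchanged: gnutls_x509_crt_init / gnutls_x509_crt_import, failures goto cleanup … */

      if (i > 0)
        {
          /* DER names: no fixed-size buffer to truncate or reject a long DN */
          ret = gnutls_x509_crt_get_raw_dn (x509, &subject);
          if (ret < 0)
            {
              ret = gnutls_assert_val (ret);
              goto cleanup;
            }
          if (subject.size != prev_issuer.size
              || memcmp (subject.data, prev_issuer.data, subject.size) != 0)
            {
              ret = gnutls_assert_val (GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
              goto cleanup;
            }
          gnutls_free (subject.data);
          subject.data = NULL;
        }

      gnutls_free (prev_issuer.data);
      prev_issuer.data = NULL;
      ret = gnutls_x509_crt_get_raw_issuer_dn (x509, &prev_issuer);
      if (ret < 0)
        {
          ret = gnutls_assert_val (ret);
          goto cleanup;
        }

      gnutls_x509_crt_deinit (x509);
      x509 = NULL;
    }

  ret = 0;

cleanup:
  /* x509 is NULL on the success path and when crt_init itself failed */
  if (x509 != NULL)
    gnutls_x509_crt_deinit (x509);
  gnutls_free (subject.data);
  gnutls_free (prev_issuer.data);
  return ret;
}
```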
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 1d6b5e1..912da27 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1808,6 +1808,7 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t
session);
#define GNUTLS_E_ECC_NO_SUPPORTED_CURVES -321
#define GNUTLS_E_ECC_UNSUPPORTED_CURVE -322
#define GNUTLS_E_PKCS11_REQUESTED_OBJECT_NOT_AVAILBLE -323
+#define GNUTLS_E_CERTIFICATE_LIST_UNSORTED -324
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
hooks/post-receive
--
GNU gnutls