[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_2_9_9-166-g982e81d
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_9_9-166-g982e81d |
|
Date: |
Tue, 16 Mar 2010 22:46:33 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=982e81d30114da4bda95e28f522eb06b20a1481b
The branch, master has been updated
via 982e81d30114da4bda95e28f522eb06b20a1481b (commit)
via df861cb8ae97288177c6a8188afbeed5b770cbfc (commit)
via 65f77ad16aa4fbc3db0ef50c01eec467592711d6 (commit)
via 8a5918561dea2e7f831b1515294fa2ab0b7ddab3 (commit)
via 6edc24318bbba76ca16ac3aa89ec6a0e1d68bdaa (commit)
via de9bc9b3dc1ec01d39a7a53502066ff93a56d7a9 (commit)
from de209286f0fb07ffbc4429d4896f852dd6d7259f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 982e81d30114da4bda95e28f522eb06b20a1481b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Mar 16 22:35:44 2010 +0100
Added missing prototype.
commit df861cb8ae97288177c6a8188afbeed5b770cbfc
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Mar 16 23:07:13 2010 +0100
made SAFE_RENEGOTIATION flags explicit.
commit 65f77ad16aa4fbc3db0ef50c01eec467592711d6
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Mar 16 23:07:46 2010 +0100
gnutls_x509_crt_verify() and gnutls_x509_crt_list_verify() behave
identically.
That means that gnutls_x509_crt_verify() will now check dates as well.
Certool --verify-chain will use the GNUTLS_VERIFY_DO_NOT_ALLOW_SAME flag to
gnutls_x509_crt_verify() to force verification even if certificates are the
same.
The only exception is at the final certificate (self-checking) where the
extra
flag GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is specified to allow for v1 CA
certificates.
commit 8a5918561dea2e7f831b1515294fa2ab0b7ddab3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Mar 16 23:26:30 2010 +0100
Handle dates before 1-1-1970 (handle as being equal to 1-1-1970).
commit 6edc24318bbba76ca16ac3aa89ec6a0e1d68bdaa
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Mar 16 22:12:58 2010 +0100
Fail if required programs are not found.
commit de9bc9b3dc1ec01d39a7a53502066ff93a56d7a9
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Mon Mar 15 22:51:43 2010 +0100
Safe renegotiation is not enabled by default in client side.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 8 +++++---
doc/manpages/gnutls-cli.1 | 5 +++--
doc/manpages/gnutls-serv.1 | 5 +++--
lib/ext_safe_renegotiation.c | 13 +++++++++++++
lib/gnutls_priority.c | 10 +++++++++-
lib/gnutls_record.c | 4 ++++
lib/includes/gnutls/gnutls.h.in | 2 ++
lib/x509/common.c | 3 +++
lib/x509/verify.c | 17 +++++------------
src/certtool.c | 26 ++++++++++++--------------
tests/pkcs1-padding/pkcs1-pad | 3 ++-
tests/safe-renegotiation/testsrn | 10 +++++-----
12 files changed, 66 insertions(+), 40 deletions(-)
diff --git a/NEWS b/NEWS
index 5729551..ff08da9 100644
--- a/NEWS
+++ b/NEWS
@@ -12,9 +12,10 @@ unless GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS flag is
specified.
Solves the issue discussed in:
<http://www.ietf.org/mail-archive/web/tls/current/msg03928.html> and
<http://www.ietf.org/mail-archive/web/tls/current/msg03948.html>.
-Note that the TLS client implemented here will reject any connections
-to unsafe servers unless the priority string %UNSAFE_RENEGOTIATION is
-specified.
+Note that to allow connecting to unpatched servers the full protection
+is only enabled if the priority string %SAFE_RENEGOTIATION is
+specified. You can check whether protection is in place by querying
+gnutls_safe_renegotiation_status().
** libgnutls: When checking openpgp self signature also check the signatures
** of all subkeys.
@@ -56,6 +57,7 @@ Daniel Nylander, Tao Wei, and Aron Xu.
** doc: The GTK-DOC manual is significantly improved.
** API and ABI modifications:
+gnutls_safe_renegotiation_status: Added
gnutls_cipher_decrypt: Added
gnutls_cipher_deinit: Added
gnutls_cipher_encrypt: Added
diff --git a/doc/manpages/gnutls-cli.1 b/doc/manpages/gnutls-cli.1
index 6ca8da4..4e1f483 100644
--- a/doc/manpages/gnutls-cli.1
+++ b/doc/manpages/gnutls-cli.1
@@ -78,8 +78,9 @@ Special keywords:
"%SSL3_RECORD_VERSION" force SSL3.0 record version in the first client
hello. This is to avoid buggy servers from terminating connection.
.IP
-"%UNSAFE_RENEGOTIATION" will enable unsafe renegotiation (default
-behaviour at 2.8.5 and earlier releases)
+"%UNSAFE_RENEGOTIATION" will enable unsafe renegotiation (default)
+.IP
+"%SAFE_RENEGOTIATION" will enable safe renegotiation.
.IP
To avoid collisions in order to specify a compression algorithm in
this string you have to prefix it with "COMP-", protocol versions
diff --git a/doc/manpages/gnutls-serv.1 b/doc/manpages/gnutls-serv.1
index b056583..710dfc3 100644
--- a/doc/manpages/gnutls-serv.1
+++ b/doc/manpages/gnutls-serv.1
@@ -75,8 +75,9 @@ Special keywords:
.IP
"%COMPAT" will enable compatibility features for a server.
.IP
-"%UNSAFE_RENEGOTIATION" will enable unsafe renegotiation (default
-behaviour at 2.8.5 and earlier releases)
+"%UNSAFE_RENEGOTIATION" will enable unsafe renegotiation (default).
+.IP
+"%SAFE_RENEGOTIATION" will enable safe renegotiation.
.IP
"%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if
renegotiation wasn't requested.
diff --git a/lib/ext_safe_renegotiation.c b/lib/ext_safe_renegotiation.c
index 492e9be..51c98d9 100644
--- a/lib/ext_safe_renegotiation.c
+++ b/lib/ext_safe_renegotiation.c
@@ -151,3 +151,16 @@ gnutls_safe_renegotiation_set (gnutls_session_t session,
int value)
{
session->internals.priorities.unsafe_renegotiation = 1-value;
}
+
+/**
+ * gnutls_safe_renegotiation_status:
+ * @session: is a #gnutls_session_t structure.
+ *
+ * Can be used to check whether safe renegotiation is being used
+ * in the current session. Returns 0 when not and non zero when
+ * used.
+ **/
+int gnutls_safe_renegotiation_status (gnutls_session_t session)
+{
+ return session->internals.connection_using_safe_renegotiation;
+}
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 869c525..36bdc63 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -522,7 +522,11 @@ gnutls_priority_set (gnutls_session_t session,
gnutls_priority_t priority)
*
* "%COMPAT" will enable compatibility features for a server.
*
- * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation.
+ * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now
+ * the default, but will change once more servers support the safe
renegotiation
+ * TLS fix).
+ *
+ * "%SAFE_RENEGOTIATION" will allow safe renegotiation only.
*
* "%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if
* renegotiation wasn't requested. Only valid for server side.
@@ -571,6 +575,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
+ (*priority_cache)->unsafe_renegotiation = 1;
if (priorities == NULL)
priorities = "NORMAL";
@@ -723,6 +728,9 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
"UNSAFE_RENEGOTIATION") == 0)
(*priority_cache)->unsafe_renegotiation = 1;
else if (strcasecmp (&broken_list[i][1],
+ "SAFE_RENEGOTIATION") == 0)
+ (*priority_cache)->unsafe_renegotiation = 0;
+ else if (strcasecmp (&broken_list[i][1],
"INITIAL_SAFE_RENEGOTIATION") == 0)
(*priority_cache)->initial_safe_renegotiation = 1;
else if (strcasecmp (&broken_list[i][1],
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index f1cf2ac..1ea5c2d 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -904,9 +904,13 @@ begin:
_gnutls_io_read_buffered (session, &headers, header_size,
-1)) != header_size)
{
+ _gnutls_handshake_log ("XXX[]: ret: %d %s\n", ret, gnutls_strerror(ret));
+
if (ret < 0 && gnutls_error_is_fatal (ret) == 0)
return ret;
+ _gnutls_handshake_log ("XXX2[]: ret: %d %s\n", ret, gnutls_strerror(ret));
+
session_invalidate (session);
if (type == GNUTLS_ALERT)
{
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 236c651..ffe5a79 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -813,6 +813,8 @@ extern "C" {
void gnutls_safe_renegotiation_set (gnutls_session_t session, int value);
+ int gnutls_safe_renegotiation_status (gnutls_session_t session);
+
/* Opaque PRF Input
* http://tools.ietf.org/id/draft-rescorla-tls-opaque-prf-input-00.txt
*/
diff --git a/lib/x509/common.c b/lib/x509/common.c
index f85e0ee..f8fee2f 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -458,6 +458,9 @@ _gnutls_x509_time2gtime (const char *ttime, int year)
if (sizeof (time_t) <= 4 && etime.tm_year >= 2038)
return (time_t) 2145914603; /* 2037-12-31 23:23:23 */
+ if (etime.tm_year < 1970)
+ return (time_t) 0;
+
xx[2] = 0;
/* get the month
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 5bb20bc..88b6911 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1035,8 +1035,7 @@ gnutls_x509_crt_list_verify (const gnutls_x509_crt_t *
cert_list,
* @verify: will hold the certificate verification output.
*
* This function will try to verify the given certificate and return
- * its status. The verification output in this functions cannot be
- * GNUTLS_CERT_NOT_VALID.
+ * its status.
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
@@ -1047,18 +1046,12 @@ gnutls_x509_crt_verify (gnutls_x509_crt_t cert,
int CA_list_length, unsigned int flags,
unsigned int *verify)
{
- int ret;
/* Verify certificate
*/
- ret =
- _gnutls_verify_certificate2 (cert, CA_list, CA_list_length, flags,
- verify, NULL);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
+ *verify =
+ _gnutls_x509_verify_certificate (&cert, 1,
+ CA_list, CA_list_length, NULL,
+ 0, flags);
return 0;
}
diff --git a/src/certtool.c b/src/certtool.c
index 96e2642..78445ed 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2006,7 +2006,7 @@ generate_request (void)
static void print_verification_res (gnutls_x509_crt_t crt,
gnutls_x509_crt_t issuer,
gnutls_x509_crl_t * crl_list,
- int crl_list_size);
+ int crl_list_size, unsigned int flags);
#define CERT_SEP "-----BEGIN CERT"
#define CRL_SEP "-----BEGIN X509 CRL"
@@ -2150,7 +2150,7 @@ _verify_x509_mem (const void *cert, int cert_size)
fprintf (outfile, "\tVerification output: ");
print_verification_res (x509_cert_list[i - 2],
x509_cert_list[i - 1], x509_crl_list,
- x509_ncrls);
+ x509_ncrls, GNUTLS_VERIFY_DO_NOT_ALLOW_SAME);
fprintf (outfile, ".\n\n");
}
@@ -2196,7 +2196,9 @@ _verify_x509_mem (const void *cert, int cert_size)
fprintf (outfile, "\tVerification output: ");
print_verification_res (x509_cert_list[x509_ncerts - 1],
x509_cert_list[x509_ncerts - 1], x509_crl_list,
- x509_ncrls);
+ /* we add GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT since it
is
+ * self signed. */
+ x509_ncrls,
GNUTLS_VERIFY_DO_NOT_ALLOW_SAME|GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
fprintf (outfile, ".\n\n");
@@ -2208,7 +2210,7 @@ _verify_x509_mem (const void *cert, int cert_size)
&x509_cert_list[x509_ncerts - 1], 1,
x509_crl_list,
x509_ncrls,
- GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT|GNUTLS_VERIFY_DO_NOT_ALLOW_SAME,
&verify_status);
if (ret < 0)
error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify: %s",
@@ -2258,14 +2260,13 @@ _verify_x509_mem (const void *cert, int cert_size)
static void
print_verification_res (gnutls_x509_crt_t crt,
gnutls_x509_crt_t issuer,
- gnutls_x509_crl_t * crl_list, int crl_list_size)
+ gnutls_x509_crl_t * crl_list, int crl_list_size,
unsigned int flags)
{
unsigned int output;
int comma = 0;
int ret;
- time_t now = time (0);
- ret = gnutls_x509_crt_verify (crt, &issuer, 1, 0, &output);
+ ret = gnutls_x509_crt_verify (crt, &issuer, 1, flags , &output);
if (ret < 0)
error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret));
@@ -2296,23 +2297,20 @@ print_verification_res (gnutls_x509_crt_t crt,
comma = 1;
}
- /* Check expiration dates.
- */
-
- if (gnutls_x509_crt_get_activation_time (crt) > now)
+ if (output & GNUTLS_CERT_NOT_ACTIVATED)
{
if (comma)
fprintf (outfile, ", ");
- comma = 1;
fprintf (outfile, "Not activated");
+ comma = 1;
}
- if (gnutls_x509_crt_get_expiration_time (crt) < now)
+ if (output & GNUTLS_CERT_EXPIRED)
{
if (comma)
fprintf (outfile, ", ");
- comma = 1;
fprintf (outfile, "Expired");
+ comma = 1;
}
ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size);
diff --git a/tests/pkcs1-padding/pkcs1-pad b/tests/pkcs1-padding/pkcs1-pad
index ce61fe9..2926fe6 100755
--- a/tests/pkcs1-padding/pkcs1-pad
+++ b/tests/pkcs1-padding/pkcs1-pad
@@ -28,7 +28,7 @@ CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT}
TSTAMP=`datefudge "2006-09-23" date -u +%s`
if test "$TSTAMP" != "1158962400"; then
echo "Cannot fake timestamps, please install datefudge..."
- exit 77
+ exit 1
fi
# Test 1, PKCS#1 pad digestAlgorithm.parameters
@@ -82,6 +82,7 @@ echo "PKCS1-PAD2 OK"
# Test 3, forged Starfield certificate,
# by Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann.
+
EXPECT3=12
datefudge "2006-09-23" $CERTTOOL --verify-chain --infile
$srcdir/pkcs1-pad-broken3.pem | tee out1
diff --git a/tests/safe-renegotiation/testsrn b/tests/safe-renegotiation/testsrn
index 1ffd64a..42176d7 100755
--- a/tests/safe-renegotiation/testsrn
+++ b/tests/safe-renegotiation/testsrn
@@ -33,16 +33,16 @@ fail() {
echo "Checking Safe renegotiation"
-$SERV -p $PORT --echo --priority NORMAL:+ANON-DH --dhparams $srcdir/params.dh
>/dev/null 2>&1 &
+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION
--dhparams $srcdir/params.dh >/dev/null 2>&1 &
pid=$!
# give the server a chance to initialize
sleep 2
-$CLI -p $PORT 127.0.0.1 --rehandshake --priority
NONE:+AES-128-CBC:+MD5:+SHA1:+VERS-SSL3.0:+ANON-DH:+COMP-NULL </dev/null
>/dev/null 2>&1 || \
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority
NONE:+AES-128-CBC:+MD5:+SHA1:+VERS-SSL3.0:+ANON-DH:+COMP-NULL:%SAFE_RENEGOTIATION
</dev/null >/dev/null 2>&1 || \
fail "0. Renegotiation should have succeeded!"
-$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH </dev/null
>/dev/null 2>&1 || \
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority
NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
fail "1. Safe rehandshake should have succeeded!"
$CLI -p $PORT 127.0.0.1 --rehandshake --priority
NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
@@ -64,7 +64,7 @@ pid=$!
# give the server a chance to initialize
sleep 2
-$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH </dev/null
>/dev/null 2>&1 || \
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority
NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
fail "5. Safe rehandshake should have succeeded!"
$CLI -p $PORT 127.0.0.1 --rehandshake --priority
NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
@@ -85,7 +85,7 @@ pid=$!
# give the server a chance to initialize
sleep 2
-$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH </dev/null >/dev/null 2>&1
&& \
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION
</dev/null >/dev/null 2>&1 && \
fail "9. Initial connection should have failed!"
$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION
</dev/null >/dev/null 2>&1 || \
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_2_9_9-166-g982e81d,
Nikos Mavrogiannopoulos <=