
[SCM] GNU gnutls branch, master, updated. gnutls_2_9_9-171-g6e803c7


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_9_9-171-g6e803c7
Date: Wed, 17 Mar 2010 16:54:09 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=6e803c7631829a527497fef23084532fd83980c4

The branch, master has been updated
       via  6e803c7631829a527497fef23084532fd83980c4 (commit)
       via  fe279dc234c04712086b810567f5586b2696f79c (commit)
      from  aa9b56ffb468fbe7066062dc46a145cf4898d8cd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6e803c7631829a527497fef23084532fd83980c4
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Mar 17 17:52:36 2010 +0100

    Added gnutls_certificate_set_verify_function() to allow checking (verifying)
    certificate before the handshake is completed.

commit fe279dc234c04712086b810567f5586b2696f79c
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Mar 17 17:48:31 2010 +0100

    Use the flags for expiration instead of getting the time of each 
certificate.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                            |    5 +++++
 doc/examples/ex-rfc2818.c       |   18 +++++-------------
 doc/examples/ex-verify.c        |   30 +++++++++---------------------
 lib/auth_cert.c                 |   26 +++++++++++++++++++++++---
 lib/auth_cert.h                 |    1 +
 lib/gnutls_alert.c              |    1 +
 lib/gnutls_cert.c               |   28 ++++++++++++++++++++++++++++
 lib/includes/gnutls/gnutls.h.in |    5 +++++
 lib/libgnutls.map               |    1 +
 src/cli.c                       |   31 ++++++++++++++++++-------------
 10 files changed, 96 insertions(+), 50 deletions(-)

diff --git a/NEWS b/NEWS
index ff08da9..99f3e98 100644
--- a/NEWS
+++ b/NEWS
@@ -27,6 +27,10 @@ Tested with http://www.logix.cz/michal/devel/cryptodev/.  
Added
 benchmark utility for AES.  Exported API to access encryption and hash
 algorithms.
 
+** libgnutls: Added gnutls_certificate_set_verify_function() to allow
+verification of certificate upon receipt rather than waiting until the
+end of the handshake.
+
 ** certtool: Corrected two issues that affected certificate request generation.
 (1) Null padding is added on integers (found thanks to Wilankar Trupti),
 (2) In optional SignatureAlgorithm parameters field for DSA keys the DSA
@@ -57,6 +61,7 @@ Daniel Nylander, Tao Wei, and Aron Xu.
 ** doc: The GTK-DOC manual is significantly improved.
 
 ** API and ABI modifications:
+gnutls_certificate_set_verify_function: Added
 gnutls_safe_renegotiation_status: Added
 gnutls_cipher_decrypt: Added
 gnutls_cipher_deinit: Added
diff --git a/doc/examples/ex-rfc2818.c b/doc/examples/ex-rfc2818.c
index 73a3d1b..1df60a8 100644
--- a/doc/examples/ex-rfc2818.c
+++ b/doc/examples/ex-rfc2818.c
@@ -43,6 +43,11 @@ verify_certificate (gnutls_session_t session, const char 
*hostname)
   if (status & GNUTLS_CERT_REVOKED)
     printf ("The certificate has been revoked.\n");
 
+  if (status & GNUTLS_CERT_EXPIRED)
+    printf ("The certificate has expired\n");
+
+  if (status & GNUTLS_CERT_NOT_ACTIVATED)
+    printf ("The certificate is not yet activated\n");
 
   /* Up to here the process is the same for X.509 certificates and
    * OpenPGP keys. From now on X.509 certificates are assumed. This can
@@ -73,19 +78,6 @@ verify_certificate (gnutls_session_t session, const char 
*hostname)
       return;
     }
 
-  /* Beware here we do not check for errors.
-   */
-  if (gnutls_x509_crt_get_expiration_time (cert) < time (0))
-    {
-      printf ("The certificate has expired\n");
-      return;
-    }
-
-  if (gnutls_x509_crt_get_activation_time (cert) > time (0))
-    {
-      printf ("The certificate is not yet activated\n");
-      return;
-    }
 
   if (!gnutls_x509_crt_check_hostname (cert, hostname))
     {
diff --git a/doc/examples/ex-verify.c b/doc/examples/ex-verify.c
index 9c89d51..3daabed 100644
--- a/doc/examples/ex-verify.c
+++ b/doc/examples/ex-verify.c
@@ -103,7 +103,6 @@ verify_cert2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t 
issuer,
 {
   unsigned int output;
   int ret;
-  time_t now = time (0);
   size_t name_size;
   char name[64];
 
@@ -139,21 +138,16 @@ verify_cert2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t 
issuer,
        fprintf (stderr, ": no issuer was found");
       if (output & GNUTLS_CERT_SIGNER_NOT_CA)
        fprintf (stderr, ": issuer is not a CA");
+      if (output & GNUTLS_CERT_NOT_ACTIVATED)
+        fprintf (stderr, ": not yet activated\n");
+      if (output & GNUTLS_CERT_EXPIRED)
+        fprintf (stderr, ": expired\n");
 
       fprintf (stderr, "\n");
     }
   else
     fprintf (stderr, "Trusted\n");
 
-
-  /* Now check the expiration dates.
-   */
-  if (gnutls_x509_crt_get_activation_time (crt) > now)
-    fprintf (stderr, "Not yet activated\n");
-
-  if (gnutls_x509_crt_get_expiration_time (crt) < now)
-    fprintf (stderr, "Expired\n");
-
   /* Check if the certificate is revoked.
    */
   ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size);
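Review bot: The two added fprintf calls, `": not yet activated\n"` and `": expired\n"`, terminate the line, unlike the sibling messages `": no issuer was found"` and `": issuer is not a CA"` and unlike the unconditional `fprintf (stderr, "\n")` that follows them, so an expired or not-yet-activated certificate now prints a stray blank line after the reason. Drop the `\n` from the two new strings: `fprintf (stderr, ": not yet activated");` and `fprintf (stderr, ": expired");`. The verify_last_cert hunk below has the same problem, where the new unconditional `fprintf (stderr, "\n")` doubles the terminator already present in `": Issuer is not a CA\n"` and in the two new strings. Note also that the flag checks now sit inside the not-trusted branch, so the expiry reason is only ever reported if the verify call sets GNUTLS_CERT_INVALID together with GNUTLS_CERT_EXPIRED / GNUTLS_CERT_NOT_ACTIVATED; I would confirm that before relying on it in place of the explicit time checks the commit removes.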
@@ -174,7 +168,6 @@ verify_last_cert (gnutls_x509_crt_t crt,
 {
   unsigned int output;
   int ret;
-  time_t now = time (0);
   size_t name_size;
   char name[64];
 
@@ -202,21 +195,16 @@ verify_last_cert (gnutls_x509_crt_t crt,
 
       if (output & GNUTLS_CERT_SIGNER_NOT_CA)
        fprintf (stderr, ": Issuer is not a CA\n");
-      else
-       fprintf (stderr, "\n");
+      if (output & GNUTLS_CERT_NOT_ACTIVATED)
+        fprintf (stderr, ": Not yet activated\n");
+      if (output & GNUTLS_CERT_EXPIRED)
+        fprintf (stderr, ": Expired\n");
+      fprintf (stderr, "\n");
     }
   else
     fprintf (stderr, "Trusted\n");
 
 
-  /* Now check the expiration dates.
-   */
-  if (gnutls_x509_crt_get_activation_time (crt) > now)
-    fprintf (stderr, "Not yet activated\n");
-
-  if (gnutls_x509_crt_get_expiration_time (crt) < now)
-    fprintf (stderr, "Expired\n");
-
   /* Check if the certificate is revoked.
    */
   ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size);
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index 8e4f4aa..d8abec6 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -1251,7 +1251,7 @@ _gnutls_proc_openpgp_server_certificate (gnutls_session_t 
session,
       gnutls_assert ();
       goto cleanup;
     }
-
+    
   ret = 0;
 
 cleanup:
@@ -1268,19 +1268,39 @@ int
 _gnutls_proc_cert_server_certificate (gnutls_session_t session,
                                      opaque * data, size_t data_size)
 {
+int ret;
+gnutls_certificate_credentials_t cred;
+
+    cred = (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key, 
GNUTLS_CRD_CERTIFICATE, NULL);
+    if (cred == NULL)
+      {
+        gnutls_assert();
+        return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+      }
+
   switch (session->security_parameters.cert_type)
     {
 #ifdef ENABLE_OPENPGP
     case GNUTLS_CRT_OPENPGP:
-      return _gnutls_proc_openpgp_server_certificate (session,
+      ret = _gnutls_proc_openpgp_server_certificate (session,
                                                      data, data_size);
+      break;
 #endif
     case GNUTLS_CRT_X509:
-      return _gnutls_proc_x509_server_certificate (session, data, data_size);
+      ret = _gnutls_proc_x509_server_certificate (session, data, data_size);
+      break;
     default:
       gnutls_assert ();
       return GNUTLS_E_INTERNAL_ERROR;
     }
+
+  if (ret == 0 && cred->verify_callback != NULL)
+    {
+      ret = cred->verify_callback (session);
+      if (ret != 0) ret = GNUTLS_E_CERTIFICATE_ERROR;
+    }
+
+  return ret;
 }
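Review bot: The verify callback is only invoked from _gnutls_proc_cert_server_certificate, i.e. when a client processes the server's Certificate message, while the gtk-doc text added in gnutls_cert.c describes it as running whenever the "peer's certificate has been received"; if there is a corresponding server-side path for a client certificate it is not hooked here, so either wire it up too or document the client-only scope. The callback's own return value is discarded and replaced by GNUTLS_E_CERTIFICATE_ERROR at `if (ret != 0) ret = GNUTLS_E_CERTIFICATE_ERROR;`, which matches the documented 0/non-zero contract but is worth stating in the API comment so callers do not expect their own error code to surface. As a style point, the new declarations `int ret;` and `gnutls_certificate_credentials_t cred;` sit at column 0 inside the function body and should carry the same two-space indent as the rest of the function.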
 
 #define MAX_SIGN_ALGOS 2
diff --git a/lib/auth_cert.h b/lib/auth_cert.h
index f7f752e..40c2ce8 100644
--- a/lib/auth_cert.h
+++ b/lib/auth_cert.h
@@ -93,6 +93,7 @@ typedef struct gnutls_certificate_credentials_st
 
   gnutls_certificate_client_retrieve_function *client_get_cert_callback;
   gnutls_certificate_server_retrieve_function *server_get_cert_callback;
+  gnutls_certificate_verify_function *verify_callback;
 } certificate_credentials_st;
 
 typedef struct rsa_info_st
diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c
index 71aae45..21e9017 100644
--- a/lib/gnutls_alert.c
+++ b/lib/gnutls_alert.c
@@ -196,6 +196,7 @@ gnutls_error_to_alert (int err, int *level)
     case GNUTLS_E_ASN1_TYPE_ANY_ERROR:
     case GNUTLS_E_ASN1_SYNTAX_ERROR:
     case GNUTLS_E_ASN1_DER_OVERFLOW:
+    case GNUTLS_E_CERTIFICATE_ERROR:
       ret = GNUTLS_A_BAD_CERTIFICATE;
       _level = GNUTLS_AL_FATAL;
       break;
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index a74ccf0..9f1d1b1 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -425,6 +425,34 @@ void gnutls_certificate_server_set_retrieve_function
   cred->server_get_cert_callback = func;
 }
 
+/**
+ * gnutls_certificate_set_verify_function:
+ * @cred: is a #gnutls_certificate_credentials_t structure.
+ * @func: is the callback function
+ *
+ * This function sets a callback to be called when peer's certificate
+ * has been received in order to verify it on receipt rather than
+ * doing after the handshake is completed.
+ *
+ * The callback's function prototype is:
+ * int (*callback)(gnutls_session_t);
+ *
+ * If the callback function is provided then gnutls will call it, in the
+ * handshake, just after the certificate message has been received.
+ * To verify or obtain the certificate the gnutls_certificate_verify_peers2(),
+ * gnutls_certificate_type_get(), gnutls_certificate_get_peers() functions
+ * can be used.
+ *
+ * The callback function should return 0 for the handshake to continue
+ * or non-zero to terminate.
+ **/
+void gnutls_certificate_set_verify_function
+  (gnutls_certificate_credentials_t cred,
+   gnutls_certificate_verify_function * func)
+{
+  cred->verify_callback = func;
+}
+
 /*-
  * _gnutls_x509_extract_certificate_activation_time - return the peer's 
certificate activation time
  * @cert: should contain an X.509 DER encoded certificate
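Review bot: The new gtk-doc comment should state that passing NULL for @func removes the callback, since the body is a plain assignment to cred->verify_callback and a NULL value is what _gnutls_proc_cert_server_certificate tests for; e.g. `@func: is the callback function, or NULL to remove a previously set one`. The sentence "rather than doing after the handshake is completed" reads awkwardly and could be `rather than after the handshake is completed`. It would also help to say that a non-zero return is reported to the application as GNUTLS_E_CERTIFICATE_ERROR and results in a fatal bad_certificate alert, which is what the auth_cert.c and gnutls_alert.c changes in this commit implement. Since the symbol is exported under GNUTLS_2_10 in libgnutls.map, a `Since: 2.10.0` tag would be useful if the project's other entries carry one.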
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index ffe5a79..26a979d 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1453,6 +1453,8 @@ extern "C" {
   typedef int gnutls_certificate_server_retrieve_function (gnutls_session_t,
                                                           gnutls_retr_st *);
 
+  typedef int gnutls_certificate_verify_function( gnutls_session_t);
+
 
   /* Functions that allow auth_info_t structures handling
    */
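Review bot: The new typedef `typedef int gnutls_certificate_verify_function( gnutls_session_t);` has a stray space after the opening parenthesis and, together with the added blank line, leaves two consecutive blank lines before the following comment; `typedef int gnutls_certificate_verify_function (gnutls_session_t);` with a single separating blank line would match the neighbouring retrieve-function typedefs. The prototype added in the second hunk of this file likewise breaks its parameter list differently from the adjacent declarations, which put the parameter list on indented lines below the return type.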
@@ -1507,6 +1509,9 @@ extern "C" {
     (gnutls_certificate_credentials_t cred,
      gnutls_certificate_server_retrieve_function * func);
 
+  void gnutls_certificate_set_verify_function(
+    gnutls_certificate_credentials_t cred, gnutls_certificate_verify_function 
* func);
+
   void
   gnutls_certificate_server_set_request (gnutls_session_t session,
                                         gnutls_certificate_request_t req);
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index bec2db0..a69a395 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -598,6 +598,7 @@ GNUTLS_2_10
     gnutls_hmac_fast;
     gnutls_hmac_deinit;
     gnutls_hmac_output;
+    gnutls_certificate_set_verify_function;
 } GNUTLS_2_8;
 
 GNUTLS_PRIVATE {
diff --git a/src/cli.c b/src/cli.c
index 55888af..281b7dc 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -318,7 +318,24 @@ load_keys (void)
 
 }
 
+static int cert_verify_callback( gnutls_session_t session)
+{
+int rc;
+unsigned int status;
+
+  if (!x509_cafile && !pgp_keyring)
+    return 0;
 
+  rc = gnutls_certificate_verify_peers2 (session, &status);
+  if (rc != 0 || status != 0)
+    {
+      printf ("*** Verifying server certificate failed...\n");
+      if (!insecure)
+        return -1;
+    }
+
+  return 0;
+}
 
 /* This callback should be associated with a session by calling
  * gnutls_certificate_client_set_retrieve_function( session, cert_callback),
@@ -493,6 +510,7 @@ init_tls_session (const char *hostname)
   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
 
   gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
+  gnutls_certificate_set_verify_function (xcred, cert_verify_callback);
 
   /* send the fingerprint */
 #ifdef ENABLE_OPENPGP
@@ -1018,19 +1036,6 @@ do_handshake (socket_st * socket)
       /* print some information */
       print_info (socket->session, socket->hostname, info.insecure);
 
-      if ((x509_cafile || pgp_keyring) && !insecure)
-       {
-         int rc;
-         unsigned int status;
-
-         /* abort if verification fail  */
-         rc = gnutls_certificate_verify_peers2 (socket->session, &status);
-         if (rc != 0 || status != 0)
-           {
-             printf ("*** Verifying server certificate failed...\n");
-             exit (1);
-           }
-       }
 
       socket->secure = 1;
 


hooks/post-receive
-- 
GNU gnutls



