[SCM] GNU gnutls branch, master, updated. gnutls_3_0_18-148-g19bb0b2

[Nikos Mavrogiannopoulos]

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=19bb0b223e8c05112f62aeff830b3eba75189263

The branch, master has been updated
       via  19bb0b223e8c05112f62aeff830b3eba75189263 (commit)
       via  7d172255d3b085197f49457a817edfb9af0ca7fc (commit)
       via  36983b561488ef2a22e128e136965e469662baca (commit)
       via  cda8ef8cf1572e25d8667546745b80aab753e3d9 (commit)
      from  4dd3adf7d4eccf2a5c7c16ee89610d9f0df81613 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 19bb0b223e8c05112f62aeff830b3eba75189263
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Jun 10 12:31:33 2012 +0200

    removed old news entry

commit 7d172255d3b085197f49457a817edfb9af0ca7fc
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Jun 10 12:31:23 2012 +0200

    updated TODO

commit 36983b561488ef2a22e128e136965e469662baca
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Jun 10 02:25:13 2012 +0200

    Added flag GNUTLS_PKCS12_SP_INCLUDE_SELF_SIGNED for 
gnutls_pkcs12_simple_parse().

commit cda8ef8cf1572e25d8667546745b80aab753e3d9
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Jun 10 02:15:05 2012 +0200

    deinitialize extra certs if they are empty.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                         |    4 --
 doc/TODO                     |   16 +++++----
 lib/includes/gnutls/pkcs12.h |    2 +
 lib/x509/pkcs12.c            |   76 ++++++++++++++++++++++++++----------------
 4 files changed, 58 insertions(+), 40 deletions(-)

diff --git a/NEWS b/NEWS
index 0a38d6b..132b872 100644
--- a/NEWS
+++ b/NEWS
@@ -17,10 +17,6 @@ as it has issues. Implemented by David Woodhouse.
 ** libgnutls: Use the PKCS #1 1.5 encoding provided by nettle (2.5)
 for encryption and signatures.
 
-** libgnutls: When decoding a PKCS #11 URL the pin-source field
-is assumed to be a file that stores the pin. Based on patch
-by David Smith.
-
 ** libgnutls: Added GNUTLS_CERT_SIGNATURE_FAILURE to differentiate between
 generic errors and signature verification errors in the verification
 functions.
diff --git a/doc/TODO b/doc/TODO
index 655b5cf..ce185e2 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -3,18 +3,20 @@ anything), contact the developer's mailing list 
(address@hidden),
 in order to avoid having people working on the same thing. 
 
 Current list:
-* Add DTLS 1.2 support (RFC6347)
 * Added heartbeat support 
(http://tools.ietf.org/html/draft-ietf-tls-dtls-heartbeat-04)
-* Add certificate image support (see RFC3709, RFC6170)
-* Perform signature calculation in PKCS #11 using not plain
+* When importing a PKCS #11 certificate, check for its issuers to generate a
+  chain (e.g. use the DN to retrieve possible signers).
+- Add DTLS 1.2 support (RFC6347)
+- Add certificate image support (see RFC3709, RFC6170)
+- Perform signature calculation in PKCS #11 using not plain
   RSA but rather the combination of RSA-SHA256, RSA-SHA1 etc.
   That will allow the usage of more secure tokens that do not
   allow plain RSA.
-* Support PKCS#8 DES-MD5 (tests/enc3pkcs8.pem) encrypted keys.
+- Support PKCS#8 DES-MD5 (tests/enc3pkcs8.pem) encrypted keys.
   (openssl seems to use DES-MD5 to encrypt keys by default)
-* Add support for generating empty CRLs
-* Document the format for the supported DN attributes.
-* Audit the code
+- Add support for generating empty CRLs
+- Document the format for the supported DN attributes.
+- Audit the code
 - Implement TLS-PSK with PKCS #11.
 - Allow setting a PKCS #11 module to gnutls_x509_trust_list_t, to verify 
   against, similarly to NSS way.
diff --git a/lib/includes/gnutls/pkcs12.h b/lib/includes/gnutls/pkcs12.h
index 14b45f8..09b75e9 100644
--- a/lib/includes/gnutls/pkcs12.h
+++ b/lib/includes/gnutls/pkcs12.h
@@ -57,6 +57,8 @@ extern "C"
   int gnutls_pkcs12_bag_decrypt (gnutls_pkcs12_bag_t bag, const char *pass);
   int gnutls_pkcs12_bag_encrypt (gnutls_pkcs12_bag_t bag, const char *pass,
                                  unsigned int flags);
+
+#define GNUTLS_PKCS12_SP_INCLUDE_SELF_SIGNED 1
   int gnutls_pkcs12_simple_parse (gnutls_pkcs12_t p12,
                      const char *password,
                      gnutls_x509_privkey_t * key,
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index a595488..b1240a5 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -1333,7 +1333,8 @@ cleanup:
  * and appends those in the chain.
  */
 static int make_chain(gnutls_x509_crt_t **chain, unsigned int *chain_len,
-                      gnutls_x509_crt_t **extra_certs, unsigned int 
*extra_certs_len)
+                      gnutls_x509_crt_t **extra_certs, unsigned int 
*extra_certs_len,
+                      unsigned int flags)
 {
 unsigned int i;
 
@@ -1344,24 +1345,29 @@ unsigned int i;
   while(i<*extra_certs_len)
     {
       /* if it is an issuer but not a self-signed one */
-      if (gnutls_x509_crt_check_issuer((*chain)[*chain_len - 1], 
(*extra_certs)[i]) != 0 &&
-          gnutls_x509_crt_check_issuer((*extra_certs)[i], (*extra_certs)[i]) 
== 0)
+      if (gnutls_x509_crt_check_issuer((*chain)[*chain_len - 1], 
(*extra_certs)[i]) != 0)
         {
-           *chain = gnutls_realloc (*chain, sizeof((*chain)[0]) *
+          if (!(flags & GNUTLS_PKCS12_SP_INCLUDE_SELF_SIGNED) && 
+              gnutls_x509_crt_check_issuer((*extra_certs)[i], 
(*extra_certs)[i]) != 0)
+            goto skip;
+
+          *chain = gnutls_realloc (*chain, sizeof((*chain)[0]) *
                                                      ++(*chain_len));
-           if (*chain == NULL)
-             {
-               gnutls_assert();
-               return GNUTLS_E_MEMORY_ERROR;
-             }
-           (*chain)[*chain_len - 1] = (*extra_certs)[i];
-           
-           (*extra_certs)[i] = (*extra_certs)[*extra_certs_len-1];
-           (*extra_certs_len)--;
-
-           i=0;
-           continue;
+          if (*chain == NULL)
+            {
+              gnutls_assert();
+              return GNUTLS_E_MEMORY_ERROR;
+            }
+          (*chain)[*chain_len - 1] = (*extra_certs)[i];
+          
+          (*extra_certs)[i] = (*extra_certs)[*extra_certs_len-1];
+          (*extra_certs_len)--;
+
+          i=0;
+          continue;
         }
+
+skip:
       i++;
     }
   return 0;
@@ -1379,7 +1385,7 @@ unsigned int i;
  * @extra_certs_len: will be updated with the number of additional
  *                       certs.
  * @crl: an optional structure to store the parsed CRL.
- * @flags: should be zero
+ * @flags: should be zero or one of GNUTLS_PKCS12_SP_*
  *
  * This function parses a PKCS#12 blob in @p12blob and extracts the
  * private key, the corresponding certificate chain, and any additional
@@ -1394,9 +1400,6 @@ unsigned int i;
  * only password based security, and the same password for all
  * operations, are supported.
  *
- * The private keys may be RSA PKCS#1 or DSA private keys encoded in
- * the OpenSSL way.
- *
  * PKCS#12 file may contain many keys and/or certificates, and there
  * is no way to identify which key/certificate pair you want.  You
  * should make sure the PKCS#12 file only contain one key/certificate
@@ -1410,6 +1413,11 @@ unsigned int i;
  * If the provided structure has encrypted fields but no password
  * is provided then this function returns %GNUTLS_E_DECRYPTION_FAILED.
  *
+ * Note that normally the chain constructed does not include self signed
+ * certificates, to comply with TLS' requirements. If, however, the flag 
+ * %GNUTLS_PKCS12_SP_INCLUDE_SELF_SIGNED is specified then
+ * self signed certificates will be included in the chain.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
@@ -1438,6 +1446,7 @@ gnutls_pkcs12_simple_parse (gnutls_pkcs12_t p12,
   uint8_t cert_id[20];
   uint8_t key_id[20];
   int privkey_ok = 0;
+  unsigned int i;
 
   *key = NULL;
   
@@ -1764,7 +1773,7 @@ gnutls_pkcs12_simple_parse (gnutls_pkcs12_t p12,
       goto done;
     }
 
-  ret = make_chain(&_chain, &_chain_len, &_extra_certs, &_extra_certs_len);
+  ret = make_chain(&_chain, &_chain_len, &_extra_certs, &_extra_certs_len, 
flags);
   if (ret < 0)
     {
       gnutls_assert();
@@ -1783,30 +1792,39 @@ done:
         gnutls_x509_privkey_deinit(*key);
       if (_extra_certs_len && _extra_certs != NULL)
         {
-          unsigned int i;
           for (i = 0; i < _extra_certs_len; i++)
             gnutls_x509_crt_deinit(_extra_certs[i]);
           gnutls_free(_extra_certs);
         }
       if (_chain_len && chain != NULL)
         {
-          unsigned int i;
           for (i = 0; i < _chain_len; i++)
             gnutls_x509_crt_deinit(_chain[i]);
           gnutls_free(_chain);
         }
+      
+      return ret;
     }
-  else 
+
+  if (extra_certs && _extra_certs_len > 0)
+    {
+      *extra_certs = _extra_certs;
+      *extra_certs_len = _extra_certs_len;
+    }
+  else
     {
       if (extra_certs) 
         {
-          *extra_certs = _extra_certs;
-          *extra_certs_len = _extra_certs_len;
+          *extra_certs = NULL;
+          *extra_certs_len = 0;
         }
-      
-      *chain = _chain;
-      *chain_len = _chain_len;
+      for (i = 0; i < _extra_certs_len; i++)
+        gnutls_x509_crt_deinit(_extra_certs[i]);
+      gnutls_free(_extra_certs);
     }
+      
+  *chain = _chain;
+  *chain_len = _chain_len;
 
   return ret;
 }


hooks/post-receive
-- 
GNU gnutls