[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_19-3-gb3aca
From: |
Nikos Mavrogiannopoulos |
Subject: |
[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_19-3-gb3aca84 |
Date: |
Fri, 01 Jun 2012 22:52:12 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=b3aca845c0cec7e39d98d57d06a76aa295926f5a
The branch, gnutls_2_12_x has been updated
via b3aca845c0cec7e39d98d57d06a76aa295926f5a (commit)
via 1b6cfff1c9aad0207498f11d372b8fc3d542cab2 (commit)
from 77670476814c078bbad56ce8772b192a3b5736b6 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit b3aca845c0cec7e39d98d57d06a76aa295926f5a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun May 27 13:53:35 2012 +0200
corrected data copy
commit 1b6cfff1c9aad0207498f11d372b8fc3d542cab2
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Thu May 24 18:20:32 2012 +0200
When checking for an issuer check for a match in the key identifiers.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 9 ++++++++-
lib/gnutls_session_pack.c | 8 ++++----
lib/x509/verify.c | 40 ++++++++++++++++++++++++++++++++++++----
3 files changed, 48 insertions(+), 9 deletions(-)
diff --git a/NEWS b/NEWS
index 243e14c..4c70f28 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,14 @@ Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005,
2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc.
See the end for copying conditions.
+Version 2.12.20 (unreleased)
+
+** libgnutls: Check key identifiers when checking for an issuer.
+
+** API and ABI modifications:
+No changes since last version.
+
+
Version 2.12.19 (released 2012-05-05)
** libgnutls: When decoding a PKCS #11 URL the pin-source field
@@ -15,7 +23,6 @@ SRP key exchange public keys.
** minitasn1: Upgraded to libtasn1 version 2.13 (pre-release).
** API and ABI modifications:
-
No changes since last version.
diff --git a/lib/gnutls_session_pack.c b/lib/gnutls_session_pack.c
index a305a8b..effaabe 100644
--- a/lib/gnutls_session_pack.c
+++ b/lib/gnutls_session_pack.c
@@ -827,20 +827,20 @@ unpack_security_parameters (gnutls_session_t session,
gnutls_buffer_st * ps)
BUFFER_POP_NUM (ps, session->internals.resumed_security_parameters.version);
BUFFER_POP (ps,
- &session->internals.resumed_security_parameters.master_secret,
+ session->internals.resumed_security_parameters.master_secret,
GNUTLS_MASTER_SIZE);
BUFFER_POP (ps,
- &session->internals.resumed_security_parameters.client_random,
+ session->internals.resumed_security_parameters.client_random,
GNUTLS_RANDOM_SIZE);
BUFFER_POP (ps,
- &session->internals.resumed_security_parameters.server_random,
+ session->internals.resumed_security_parameters.server_random,
GNUTLS_RANDOM_SIZE);
BUFFER_POP_NUM (ps,
session->internals.
resumed_security_parameters.session_id_size);
- BUFFER_POP (ps, &session->internals.resumed_security_parameters.session_id,
+ BUFFER_POP (ps, session->internals.resumed_security_parameters.session_id,
session->internals.resumed_security_parameters.session_id_size);
BUFFER_POP_NUM (ps,
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 97606be..2efcebf 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -227,9 +227,12 @@ cleanup:
static int
is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer_cert)
{
- gnutls_datum_t dn1 = { NULL, 0 }, dn2 =
- {
- NULL, 0};
+ gnutls_datum_t dn1 = { NULL, 0 },
+ dn2 = { NULL, 0};
+ uint8_t id1[512];
+ uint8_t id2[512];
+ size_t id1_size;
+ size_t id2_size;
int ret;
ret = gnutls_x509_crt_get_raw_issuer_dn (cert, &dn1);
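Review bot: The buffer length 512 in `uint8_t id1[512];` and `uint8_t id2[512];` is a bare magic number repeated twice, and elsewhere in this commit it is the value that decides whether an oversized key identifier gets compared or silently skipped, so it deserves a name and a short justification. Suggest a file-level `#define MAX_KEY_ID_SIZE 512` with a comment such as `/* key identifiers are normally 20-byte hashes; larger ones are not compared */`, and `uint8_t id1[MAX_KEY_ID_SIZE], id2[MAX_KEY_ID_SIZE];` here. The body of is_issuer continues past the end of this hunk.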
@@ -247,6 +250,34 @@ is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t
issuer_cert)
}
ret = _gnutls_x509_compare_raw_dn (&dn1, &dn2);
+
+ if (ret != 0)
+ {
+ /* check if the authority key identifier matches the subject key
identifier
+ * of the isser */
+ id1_size = sizeof(id1);
+
+ ret = gnutls_x509_crt_get_authority_key_id(cert, id1, &id1_size, NULL);
+ if (ret < 0)
+ {
+ ret = 1;
+ goto cleanup;
+ }
+
+ id2_size = sizeof(id2);
+ ret = gnutls_x509_crt_get_subject_key_id(issuer_cert, id2, &id2_size,
NULL);
+ if (ret < 0)
+ {
+ ret = 1;
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ if (id1_size == id2_size && memcmp(id1, id2, id1_size) == 0)
+ ret = 1;
+ else
+ ret = 0;
+ }
cleanup:
_gnutls_free_datum (&dn1);
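Review bot: The two `if (ret < 0)` branches after `gnutls_x509_crt_get_authority_key_id` and `gnutls_x509_crt_get_subject_key_id` set `ret = 1` for every failure, so a certificate whose authority key identifier cannot be read — absent, malformed, or (if the getter follows the usual gnutls convention of returning GNUTLS_E_SHORT_MEMORY_BUFFER for a too-small buffer) longer than the 512-byte `id1` — skips the new comparison entirely and is accepted on the DN match alone. That is no weaker than the pre-patch behaviour, but it makes the key-identifier check best-effort and sidesteppable by the certificate under verification rather than a hard constraint. Consider falling back to the DN match only when the extension is genuinely absent and failing closed otherwise, e.g. `ret = (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ? 1 : 0;` in both branches while keeping the `goto cleanup` (confirm the exact "not present" error code against the getters' implementation). The first branch also lacks the `gnutls_assert()` the second one has, and the comment above it misspells "issuer" as "isser".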
@@ -416,7 +447,8 @@ cleanup:
* @issuer: is the certificate of a possible issuer
*
* This function will check if the given certificate was issued by the
- * given issuer.
+ * given issuer. It checks the DN fields and the authority
+ * key identifier and subject key identifier fields match.
*
* Returns: It will return true (1) if the given certificate is issued
* by the given issuer, and false (0) if not. A negative value is
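Review bot: The new sentence `It checks the DN fields and the authority key identifier and subject key identifier fields match.` overstates the behaviour: per the is_issuer change in this commit the key-identifier comparison only runs once the DNs already match and both identifiers could be read, and a certificate without a readable authority key identifier is still accepted on the DN match alone. Suggest ` * given issuer. It checks that the DN fields match and, when both the authority key identifier of @cert and the subject key identifier of @issuer are available, that those match as well.` so callers do not assume the identifier check is mandatory. The documented function's body lies outside this hunk.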
hooks/post-receive
--
GNU gnutls