[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, gnutls_3_0_x-2, updated. gnutls_3_0_23-19-g804f
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, gnutls_3_0_x-2, updated. gnutls_3_0_23-19-g804f01c |
|
Date: |
Sun, 16 Sep 2012 21:13:14 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=804f01c627215d39d44694ecdcb2280558c72055
The branch, gnutls_3_0_x-2 has been updated
via 804f01c627215d39d44694ecdcb2280558c72055 (commit)
via 2360035b59e3b9a5d0ea6b20a3d32f5b18cdbbc7 (commit)
via 827114a45e4af37aa1986e9a444d3287fc6b7055 (commit)
via 61b4442c6871253d90ace549f700d41e0f5982d3 (commit)
via ac0f6c3e7efa242a4ccd0e55e0edbce283c97441 (commit)
via a501b7d37dda50953077b3e7083e6ec3be1157cc (commit)
via 43a4f7e4eba901e5fffaa2bbdb6d1f43fde51e10 (commit)
via dcea85107a1c9abec5cfc254bd23cb4bc26c9255 (commit)
via c0e1ab2ee4acb94c9a16070dae3850609501eee9 (commit)
via ce735c9f1a84a49092b3d3047eb90a200851f7fc (commit)
via b319a0b901167e993a297bf0cdea2249de7c1b19 (commit)
from 6220817e240ae0da6821f14e8f85b61bfa8b2ee4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 804f01c627215d39d44694ecdcb2280558c72055
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Sep 16 23:12:21 2012 +0200
fix ECDSA issues with openssl
commit 2360035b59e3b9a5d0ea6b20a3d32f5b18cdbbc7
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Sep 1 19:07:18 2012 +0200
Be tolerant is ECDSA-violating signatures.
commit 827114a45e4af37aa1986e9a444d3287fc6b7055
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Sep 16 21:31:36 2012 +0200
documented updates
commit 61b4442c6871253d90ace549f700d41e0f5982d3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Sep 16 21:30:12 2012 +0200
corrected prototype.
commit ac0f6c3e7efa242a4ccd0e55e0edbce283c97441
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Sep 16 20:48:36 2012 +0200
removed old libtasn1 requirements
commit a501b7d37dda50953077b3e7083e6ec3be1157cc
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Sep 16 20:48:18 2012 +0200
MAX_NAME_SIZE -> MAX_SERVER_NAME_SIZE
commit 43a4f7e4eba901e5fffaa2bbdb6d1f43fde51e10
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Sep 12 22:45:55 2012 +0200
Use the new asn1_read_node_value()
commit dcea85107a1c9abec5cfc254bd23cb4bc26c9255
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Sep 16 21:21:28 2012 +0200
updated minitasn1 to 2.14.
commit c0e1ab2ee4acb94c9a16070dae3850609501eee9
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Sep 16 21:20:04 2012 +0200
Use the pkg-config macro to find libtasn1.
commit ce735c9f1a84a49092b3d3047eb90a200851f7fc
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Sep 16 11:21:45 2012 +0200
use a %STATELESS_COMPRESSION priority string instead of gnutls_init() flag.
commit b319a0b901167e993a297bf0cdea2249de7c1b19
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Sep 15 20:13:39 2012 +0200
Do not ask unnecessary questions when signing a certificate (request).
-----------------------------------------------------------------------
Summary of changes:
NEWS | 2 +
doc/cha-gtls-app.texi | 5 ++++
doc/cha-intro-tls.texi | 2 +-
lib/Makefile.am | 3 +-
lib/gnutls_cipher.c | 2 +-
lib/gnutls_int.h | 4 +-
lib/gnutls_priority.c | 4 +++
lib/gnutls_pubkey.c | 13 ++++++----
lib/gnutls_sig.c | 8 +++---
lib/gnutls_state.c | 6 +----
lib/includes/gnutls/gnutls.h.in | 2 -
lib/minitasn1/coding.c | 4 +-
lib/minitasn1/decoding.c | 21 +++++++++--------
lib/minitasn1/element.c | 20 ++++++++++++++++
lib/minitasn1/errors.c | 2 +-
lib/minitasn1/gstr.c | 2 +-
lib/minitasn1/int.h | 48 +++++++++++++++++++-------------------
lib/minitasn1/libtasn1.h | 42 +++++++++++++++++++++++++++++++--
lib/minitasn1/parser_aux.c | 3 +-
lib/minitasn1/version.c | 2 +-
lib/x509/mpi.c | 3 --
lib/x509/verify-high.c | 4 +-
lib/x509/x509.c | 27 +++++++++++++++++-----
lib/x509/x509_int.h | 8 ------
m4/hooks.m4 | 6 +---
src/certtool.c | 30 +++++++++++++++---------
26 files changed, 175 insertions(+), 98 deletions(-)
diff --git a/NEWS b/NEWS
index 69ef46a..6532f04 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ key usage violation errors (they are far too common to
ignore).
which provides a tool to counter compression-related attacks where
parts of the data are controlled by the attacker.
+** libgnutls: Depends on libtasn1 2.14 or later.
+
** API and ABI modifications:
No changes since last version.
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 52f6126..2bb872c 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -948,6 +948,11 @@ will prevent the sending of any TLS extensions in client
side. Note
that TLS 1.2 requires extensions to be used, as well as safe
renegotiation thus this option must be used with care.
address@hidden %STATELESS_COMPRESSION @tab
+will disable keeping state across records when compressing. This may
+help to mitigate attacks when compression is used but an attacker
+is in control of input data.
+
@item %SERVER_PRECEDENCE @tab
The ciphersuite will be selected according to server priorities
and not the client's.
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index 8b06475..ca2a81c 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -191,7 +191,7 @@ on @xcite{RFC3749}. The supported algorithms are shown
below.
Note that compression enables attacks such as traffic analysis, or even
plaintext recovery under certain circumstances. To avoid some of these
attacks GnuTLS allows each record to be compressed independently (i.e.,
-stateless compression), by using a flag to @funcref{gnutls_init}.
+stateless compression), by using the "%STATELESS_COMPRESSION" priority string.
@node Weaknesses and countermeasures
@subsection Weaknesses and countermeasures
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 3b33651..51474ba 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -37,6 +37,7 @@ AM_CPPFLAGS = \
-I$(srcdir)/includes \
-I$(builddir)/includes \
-I$(srcdir)/x509 \
+ $(LIBTASN1_CFLAGS) \
$(P11_KIT_CFLAGS)
if ENABLE_OPENPGP
@@ -134,7 +135,7 @@ endif
if ENABLE_MINITASN1
libgnutls_la_LIBADD += minitasn1/libminitasn1.la
else
-libgnutls_la_LDFLAGS += $(LTLIBTASN1)
+libgnutls_la_LDFLAGS += $(LIBTASN1_LIBS)
endif
if ENABLE_NETTLE
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 73dc387..b49b439 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -105,7 +105,7 @@ _gnutls_encrypt (gnutls_session_t session, const uint8_t *
headers,
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
ret = _gnutls_compress(¶ms->write.compression_state, data,
data_size,
- comp.data, comp.size,
session->internals.stateless_compression);
+ comp.data, comp.size,
session->internals.priorities.stateless_compression);
if (ret < 0)
{
gnutls_free(comp.data);
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 348e3fc..fec0d3e 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -579,6 +579,8 @@ struct gnutls_priority_st
unsigned int ssl3_record_version:1;
unsigned int server_precedence:1;
unsigned int allow_key_usage_violation:1;
+ /* Whether stateless compression will be used */
+ unsigned int stateless_compression:1;
unsigned int additional_verify_flags;
};
@@ -869,8 +871,6 @@ typedef struct
/* if set it means that the master key was set using
* gnutls_session_set_master() rather than being negotiated. */
unsigned int premaster_set:1;
- /* Whether stateless compression will be used */
- unsigned int stateless_compression:1;
unsigned int cb_tls_unique_len;
unsigned char cb_tls_unique[MAX_VERIFY_DATA_SIZE];
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 6008276..6a39294 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -917,6 +917,10 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
{
(*priority_cache)->no_extensions = 1;
}
+ else if (strcasecmp (&broken_list[i][1], "STATELESS_COMPRESSION") ==
0)
+ {
+ (*priority_cache)->stateless_compression = 1;
+ }
else if (strcasecmp (&broken_list[i][1],
"VERIFY_ALLOW_SIGN_RSA_MD5") == 0)
{
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index f2be130..9b029fa 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -1532,6 +1532,7 @@ unsigned int sig_hash_size;
else if (sign != GNUTLS_SIGN_UNKNOWN)
{
sig_hash_size =
_gnutls_hash_get_algo_len(_gnutls_sign_get_hash_algorithm(sign));
+
if (sig_hash_size < hash_size)
_gnutls_audit_log(session, "The hash size used in signature (%u)
is less than the expected (%u)\n", sig_hash_size, hash_size);
}
@@ -1659,16 +1660,18 @@ _pkcs1_rsa_verify_sig (gnutls_digest_algorithm_t
hash_algo,
/* Hashes input data and verifies a signature.
*/
static int
-dsa_verify_hashed_data (const gnutls_datum_t * hash,
+dsa_verify_hashed_data (gnutls_pk_algorithm_t pk,
+ gnutls_digest_algorithm_t algo,
+ const gnutls_datum_t * hash,
const gnutls_datum_t * signature,
- gnutls_pk_algorithm_t pk,
gnutls_pk_params_st* params)
{
gnutls_datum_t digest;
- unsigned int algo;
unsigned int hash_len;
- algo = _gnutls_dsa_q_to_hash (pk, params, &hash_len);
+ if (algo == GNUTLS_DIG_UNKNOWN)
+ algo = _gnutls_dsa_q_to_hash (pk, params, &hash_len);
+ else hash_len = _gnutls_hash_get_algo_len(algo);
/* SHA1 or better allowed */
if (!hash->data || hash->size < hash_len)
@@ -1741,7 +1744,7 @@ pubkey_verify_hashed_data (gnutls_pk_algorithm_t pk,
case GNUTLS_PK_EC:
case GNUTLS_PK_DSA:
- if (dsa_verify_hashed_data(hash, signature, pk, issuer_params) != 0)
+ if (dsa_verify_hashed_data(pk, hash_algo, hash, signature,
issuer_params) != 0)
{
gnutls_assert ();
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 1838c25..7c7b64e 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -272,7 +272,7 @@ es_cleanup:
}
static int
-verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st* cert,
+verify_tls_hash (gnutls_session_t session, gnutls_protocol_t ver,
gnutls_pcert_st* cert,
const gnutls_datum_t * hash_concat,
gnutls_datum_t * signature, size_t sha1pos,
gnutls_sign_algorithm_t sign_algo,
@@ -424,7 +424,7 @@ _gnutls_handshake_verify_data (gnutls_session_t session,
gnutls_pcert_st* cert,
dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
}
- ret = verify_tls_hash (ver, cert, &dconcat, signature,
+ ret = verify_tls_hash (session, ver, cert, &dconcat, signature,
dconcat.size -
_gnutls_hash_get_algo_len (hash_algo),
sign_algo,
@@ -473,7 +473,7 @@ _gnutls_handshake_verify_crt_vrfy12 (gnutls_session_t
session,
dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
ret =
- verify_tls_hash (ver, cert, &dconcat, signature, 0, sign_algo, pk);
+ verify_tls_hash (session, ver, cert, &dconcat, signature, 0, sign_algo,
pk);
if (ret < 0)
{
gnutls_assert ();
@@ -567,7 +567,7 @@ _gnutls_handshake_verify_crt_vrfy (gnutls_session_t session,
dconcat.size = 20 + 16; /* md5+ sha */
ret =
- verify_tls_hash (ver, cert, &dconcat, signature, 16,
+ verify_tls_hash (session, ver, cert, &dconcat, signature, 16,
GNUTLS_SIGN_UNKNOWN,
gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL));
if (ret < 0)
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 428c065..eba6621 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -291,8 +291,7 @@ _gnutls_handshake_internal_state_clear (gnutls_session_t
session)
* @flags can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER. For a DTLS
* entity, the flags %GNUTLS_DATAGRAM and %GNUTLS_NONBLOCK are
* also available. The latter flag will enable a non-blocking
- * operation of the DTLS timers. The flag %GNUTLS_STATELESS_COMPRESSION
- * would disable keeping state across records when compressing.
+ * operation of the DTLS timers.
*
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
@@ -391,9 +390,6 @@ gnutls_init (gnutls_session_t * session, unsigned int flags)
else
(*session)->internals.transport = GNUTLS_STREAM;
- if (flags & GNUTLS_STATELESS_COMPRESSION)
- (*session)->internals.stateless_compression = 1;
-
if (flags & GNUTLS_NONBLOCK)
(*session)->internals.dtls.blocking = 0;
else
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 9494a3f..773834c 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -293,14 +293,12 @@ extern "C"
* @GNUTLS_CLIENT: Connection end is a client.
* @GNUTLS_DATAGRAM: Connection is datagram oriented (DTLS).
* @GNUTLS_NONBLOCK: Connection should not block (DTLS).
- * @GNUTLS_STATELESS_COMPRESSION: Compression will be applied independently
on each record.
*
*/
#define GNUTLS_SERVER 1
#define GNUTLS_CLIENT (1<<1)
#define GNUTLS_DATAGRAM (1<<2)
#define GNUTLS_NONBLOCK (1<<3)
-#define GNUTLS_STATELESS_COMPRESSION (1<<4)
/**
* gnutls_alert_level_t:
diff --git a/lib/minitasn1/coding.c b/lib/minitasn1/coding.c
index 8b72eba..307dd40 100644
--- a/lib/minitasn1/coding.c
+++ b/lib/minitasn1/coding.c
@@ -256,7 +256,7 @@ _asn1_objectid_der (unsigned char *str, unsigned char *der,
int *der_len)
char *temp, *n_end, *n_start;
unsigned char bit7;
unsigned long val, val1 = 0;
- int str_len = _asn1_strlen(str);
+ int str_len = _asn1_strlen (str);
max_len = *der_len;
@@ -266,7 +266,7 @@ _asn1_objectid_der (unsigned char *str, unsigned char *der,
int *der_len)
memcpy (temp, str, str_len);
temp[str_len] = '.';
- temp[str_len+1] = 0;
+ temp[str_len + 1] = 0;
counter = 0;
n_start = temp;
diff --git a/lib/minitasn1/decoding.c b/lib/minitasn1/decoding.c
index 1cfad35..e6cdb98 100644
--- a/lib/minitasn1/decoding.c
+++ b/lib/minitasn1/decoding.c
@@ -58,11 +58,11 @@ _asn1_error_description_tag_error (ASN1_TYPE node, char
*ErrorDescription)
* length, or -2 when the value was too big to fit in a int, or -4
* when the decoded length value plus @len would exceed @der_len.
**/
-signed long
+long
asn1_get_length_der (const unsigned char *der, int der_len, int *len)
{
unsigned int ans, sum, last;
- unsigned int k, punt;
+ int k, punt;
*len = 0;
if (der_len <= 0)
@@ -87,7 +87,7 @@ asn1_get_length_der (const unsigned char *der, int der_len,
int *len)
last = ans;
ans = (ans*256) + der[punt++];
- if (ans < last)
+ if (ans < last)
/* we wrapped around, no bignum support... */
return -2;
}
@@ -102,13 +102,13 @@ asn1_get_length_der (const unsigned char *der, int
der_len, int *len)
}
sum = ans + *len;
-
+
/* check for overflow as well INT_MAX as a maximum upper
* limit for length */
if (sum >= INT_MAX || sum < ans)
return -2;
-
- if (sum > der_len)
+
+ if (((int) sum) > der_len)
return -4;
return ans;
@@ -130,7 +130,8 @@ int
asn1_get_tag_der (const unsigned char *der, int der_len,
unsigned char *cls, int *len, unsigned long *tag)
{
- unsigned int punt, ris;
+ unsigned int ris;
+ int punt;
unsigned int last;
if (der == NULL || der_len < 2 || len == NULL)
@@ -162,10 +163,10 @@ asn1_get_tag_der (const unsigned char *der, int der_len,
return ASN1_DER_ERROR;
last = ris;
-
+
ris = (ris * 128) + (der[punt++] & 0x7F);
if (ris < last)
- return ASN1_DER_ERROR;
+ return ASN1_DER_ERROR;
*len = punt;
}
@@ -189,7 +190,7 @@ asn1_get_tag_der (const unsigned char *der, int der_len,
*
* Since: 2.0
**/
-signed long
+long
asn1_get_length_ber (const unsigned char *ber, int ber_len, int *len)
{
int ret;
diff --git a/lib/minitasn1/element.c b/lib/minitasn1/element.c
index ead899c..8e8807b 100644
--- a/lib/minitasn1/element.c
+++ b/lib/minitasn1/element.c
@@ -976,3 +976,23 @@ asn1_read_tag (ASN1_TYPE root, const char *name, int
*tagValue,
return ASN1_SUCCESS;
}
+
+/**
+ * asn1_read_node_value:
+ * @node: pointer to a node.
+ * @data: a point to a node_data_struct
+ *
+ * Returns the value a data node inside a ASN1_TYPE structure.
+ * The data returned should be handled as constant values.
+ *
+ * Returns: %ASN1_SUCCESS if the node exists.
+ **/
+asn1_retCode asn1_read_node_value (ASN1_TYPE node, ASN1_DATA_NODE* data)
+{
+ data->name = node->name;
+ data->value = node->value;
+ data->value_len = node->value_len;
+ data->type = type_field(node->type);
+
+ return ASN1_SUCCESS;
+}
diff --git a/lib/minitasn1/errors.c b/lib/minitasn1/errors.c
index 7878c50..76611d8 100644
--- a/lib/minitasn1/errors.c
+++ b/lib/minitasn1/errors.c
@@ -21,7 +21,7 @@
#include <int.h>
#ifdef STDC_HEADERS
-# include <stdarg.h>
+#include <stdarg.h>
#endif
#define LIBTASN1_ERROR_ENTRY(name) { #name, name }
diff --git a/lib/minitasn1/gstr.c b/lib/minitasn1/gstr.c
index 9590b45..4785073 100644
--- a/lib/minitasn1/gstr.c
+++ b/lib/minitasn1/gstr.c
@@ -61,7 +61,7 @@ _asn1_str_cpy (char *dest, size_t dest_tot_size, const char
*src)
{
if (dest_tot_size > 0)
{
- strncpy (dest, src, (dest_tot_size) - 1);
+ memcpy (dest, src, dest_tot_size - 1);
dest[dest_tot_size - 1] = 0;
}
}
diff --git a/lib/minitasn1/int.h b/lib/minitasn1/int.h
index fcaf0d8..aad7ba6 100644
--- a/lib/minitasn1/int.h
+++ b/lib/minitasn1/int.h
@@ -23,7 +23,7 @@
#define INT_H
#ifdef HAVE_CONFIG_H
-# include <config.h>
+#include <config.h>
#endif
#include <string.h>
@@ -33,7 +33,7 @@
#include <stdint.h>
#ifdef HAVE_SYS_TYPES_H
-# include <sys/types.h>
+#include <sys/types.h>
#endif
#include <libtasn1.h>
@@ -83,28 +83,28 @@ struct node_asn_struct
#define type_field(x) (x&0xFF)
/* List of constants for field type of typedef node_asn */
-#define TYPE_CONSTANT 1
-#define TYPE_IDENTIFIER 2
-#define TYPE_INTEGER 3
-#define TYPE_BOOLEAN 4
-#define TYPE_SEQUENCE 5
-#define TYPE_BIT_STRING 6
-#define TYPE_OCTET_STRING 7
-#define TYPE_TAG 8
-#define TYPE_DEFAULT 9
-#define TYPE_SIZE 10
-#define TYPE_SEQUENCE_OF 11
-#define TYPE_OBJECT_ID 12
-#define TYPE_ANY 13
-#define TYPE_SET 14
-#define TYPE_SET_OF 15
-#define TYPE_DEFINITIONS 16
-#define TYPE_TIME 17
-#define TYPE_CHOICE 18
-#define TYPE_IMPORTS 19
-#define TYPE_NULL 20
-#define TYPE_ENUMERATED 21
-#define TYPE_GENERALSTRING 27
+#define TYPE_CONSTANT ASN1_ETYPE_CONSTANT
+#define TYPE_IDENTIFIER ASN1_ETYPE_IDENTIFIER
+#define TYPE_INTEGER ASN1_ETYPE_INTEGER
+#define TYPE_BOOLEAN ASN1_ETYPE_BOOLEAN
+#define TYPE_SEQUENCE ASN1_ETYPE_SEQUENCE
+#define TYPE_BIT_STRING ASN1_ETYPE_BIT_STRING
+#define TYPE_OCTET_STRING ASN1_ETYPE_OCTET_STRING
+#define TYPE_TAG ASN1_ETYPE_TAG
+#define TYPE_DEFAULT ASN1_ETYPE_DEFAULT
+#define TYPE_SIZE ASN1_ETYPE_SIZE
+#define TYPE_SEQUENCE_OF ASN1_ETYPE_SEQUENCE_OF
+#define TYPE_OBJECT_ID ASN1_ETYPE_OBJECT_ID
+#define TYPE_ANY ASN1_ETYPE_ANY
+#define TYPE_SET ASN1_ETYPE_SET
+#define TYPE_SET_OF ASN1_ETYPE_SET_OF
+#define TYPE_DEFINITIONS ASN1_ETYPE_DEFINITIONS
+#define TYPE_TIME ASN1_ETYPE_TIME
+#define TYPE_CHOICE ASN1_ETYPE_CHOICE
+#define TYPE_IMPORTS ASN1_ETYPE_IMPORTS
+#define TYPE_NULL ASN1_ETYPE_NULL
+#define TYPE_ENUMERATED ASN1_ETYPE_ENUMERATED
+#define TYPE_GENERALSTRING ASN1_ETYPE_GENERALSTRING
/***********************************************************************/
diff --git a/lib/minitasn1/libtasn1.h b/lib/minitasn1/libtasn1.h
index 289fb57..e9337e2 100644
--- a/lib/minitasn1/libtasn1.h
+++ b/lib/minitasn1/libtasn1.h
@@ -44,7 +44,7 @@ extern "C"
{
#endif
-#define ASN1_VERSION "2.12"
+#define ASN1_VERSION "2.14"
typedef int asn1_retCode; /* type returned by libtasn1 functions */
@@ -141,6 +141,39 @@ extern "C"
};
typedef struct static_struct_asn ASN1_ARRAY_TYPE;
+/* List of constants for field type of typedef node_asn */
+#define ASN1_ETYPE_CONSTANT 1
+#define ASN1_ETYPE_IDENTIFIER 2
+#define ASN1_ETYPE_INTEGER 3
+#define ASN1_ETYPE_BOOLEAN 4
+#define ASN1_ETYPE_SEQUENCE 5
+#define ASN1_ETYPE_BIT_STRING 6
+#define ASN1_ETYPE_OCTET_STRING 7
+#define ASN1_ETYPE_TAG 8
+#define ASN1_ETYPE_DEFAULT 9
+#define ASN1_ETYPE_SIZE 10
+#define ASN1_ETYPE_SEQUENCE_OF 11
+#define ASN1_ETYPE_OBJECT_ID 12
+#define ASN1_ETYPE_ANY 13
+#define ASN1_ETYPE_SET 14
+#define ASN1_ETYPE_SET_OF 15
+#define ASN1_ETYPE_DEFINITIONS 16
+#define ASN1_ETYPE_TIME 17
+#define ASN1_ETYPE_CHOICE 18
+#define ASN1_ETYPE_IMPORTS 19
+#define ASN1_ETYPE_NULL 20
+#define ASN1_ETYPE_ENUMERATED 21
+#define ASN1_ETYPE_GENERALSTRING 27
+
+ struct node_data_struct
+ {
+ const char *name; /* Node name */
+ const void *value; /* Node value */
+ unsigned int value_len; /* Node value size */
+ unsigned int type; /* Node value type (ASN1_ETYPE_*) */
+ };
+ typedef struct node_data_struct ASN1_DATA_NODE;
+
/***********************************/
/* Fixed constants */
/***********************************/
@@ -193,6 +226,9 @@ extern "C"
void *ivalue, int *len);
extern ASN1_API asn1_retCode
+ asn1_read_node_value (ASN1_TYPE node, ASN1_DATA_NODE* data);
+
+ extern ASN1_API asn1_retCode
asn1_number_of_elements (ASN1_TYPE element, const char *name, int *num);
extern ASN1_API asn1_retCode
@@ -261,10 +297,10 @@ extern "C"
int *ret_len, unsigned char *str,
int str_size, int *bit_len);
- extern ASN1_API signed long
+ extern ASN1_API long
asn1_get_length_der (const unsigned char *der, int der_len, int *len);
- extern ASN1_API signed long
+ extern ASN1_API long
asn1_get_length_ber (const unsigned char *ber, int ber_len, int *len);
extern ASN1_API void
diff --git a/lib/minitasn1/parser_aux.c b/lib/minitasn1/parser_aux.c
index ce55253..2e1f7ee 100644
--- a/lib/minitasn1/parser_aux.c
+++ b/lib/minitasn1/parser_aux.c
@@ -718,7 +718,8 @@ _asn1_expand_object_id (ASN1_TYPE node)
{
_asn1_str_cpy (name2, sizeof (name2), name_root);
_asn1_str_cat (name2, sizeof (name2), ".");
- _asn1_str_cat (name2, sizeof (name2), (char *) p2->value);
+ _asn1_str_cat (name2, sizeof (name2),
+ (char *) p2->value);
p3 = asn1_find_node (node, name2);
if (!p3 || (type_field (p3->type) != TYPE_OBJECT_ID) ||
!(p3->type & CONST_ASSIGN))
diff --git a/lib/minitasn1/version.c b/lib/minitasn1/version.c
index fb17223..83d70c9 100644
--- a/lib/minitasn1/version.c
+++ b/lib/minitasn1/version.c
@@ -20,7 +20,7 @@
*/
#ifdef HAVE_CONFIG_H
-# include <config.h>
+#include <config.h>
#endif
#include <string.h> /* for strverscmp */
diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c
index baef1ee..c9d3058 100644
--- a/lib/x509/mpi.c
+++ b/lib/x509/mpi.c
@@ -229,9 +229,6 @@ _gnutls_x509_write_sig_params (ASN1_TYPE dst, const char
*dst_name,
return 0;
}
-
-
-
/* this function reads a (small) unsigned integer
* from asn1 structs. Combines the read and the convertion
* steps.
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 3b3c02c..2ec5279 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -35,7 +35,7 @@
struct named_cert_st {
gnutls_x509_crt_t cert;
- uint8_t name[MAX_NAME_SIZE];
+ uint8_t name[MAX_SERVER_NAME_SIZE];
unsigned int name_size;
};
@@ -223,7 +223,7 @@
gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list,
int ret;
uint32_t hash;
- if (name_size >= MAX_NAME_SIZE)
+ if (name_size >= MAX_SERVER_NAME_SIZE)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn);
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 4b533eb..498eb05 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -2160,10 +2160,12 @@ gnutls_x509_dn_get_rdn_ava (gnutls_x509_dn_t dn,
int irdn, int iava, gnutls_x509_ava_st * ava)
{
ASN1_TYPE rdn, elem;
+ ASN1_DATA_NODE vnode;
long len;
int lenlen, remlen, ret;
char rbuf[ASN1_MAX_NAME_SIZE];
- unsigned char cls, *ptr;
+ unsigned char cls;
+ const unsigned char *ptr;
iava++;
irdn++; /* 0->1, 1->2 etc */
@@ -2184,8 +2186,15 @@ gnutls_x509_dn_get_rdn_ava (gnutls_x509_dn_t dn,
return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND;
}
- ava->oid.data = elem->value;
- ava->oid.size = elem->value_len;
+ ret = asn1_read_node_value(elem, &vnode);
+ if (ret != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND;
+ }
+
+ ava->oid.data = (void*)vnode.value;
+ ava->oid.size = vnode.value_len;
snprintf (rbuf, sizeof (rbuf), "?%d.value", iava);
elem = asn1_find_node (rdn, rbuf);
@@ -2195,12 +2204,18 @@ gnutls_x509_dn_get_rdn_ava (gnutls_x509_dn_t dn,
return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND;
}
+ ret = asn1_read_node_value(elem, &vnode);
+ if (ret != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND;
+ }
/* The value still has the previous tag's length bytes, plus the
* current value's tag and length bytes. Decode them.
*/
- ptr = elem->value;
- remlen = elem->value_len;
+ ptr = vnode.value;
+ remlen = vnode.value_len;
len = asn1_get_length_der (ptr, remlen, &lenlen);
if (len < 0)
{
@@ -2231,7 +2246,7 @@ gnutls_x509_dn_get_rdn_ava (gnutls_x509_dn_t dn,
}
ava->value.size = tmp;
}
- ava->value.data = ptr + lenlen;
+ ava->value.data = (void*)(ptr + lenlen);
return 0;
}
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index 3cc18e4..1173f95 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -28,14 +28,6 @@
#include <libtasn1.h>
-/* Remove these when we require libtasn1 v1.6 or later. */
-#ifndef ASN1_MAX_NAME_SIZE
-#define ASN1_MAX_NAME_SIZE MAX_NAME_SIZE
-#endif
-#ifndef ASN1_MAX_ERROR_DESCRIPTION_SIZE
-#define ASN1_MAX_ERROR_DESCRIPTION_SIZE MAX_ERROR_DESCRIPTION_SIZE
-#endif
-
#define MAX_CRQ_EXTENSIONS_SIZE 8*1024
#define MAX_OID_SIZE 128
diff --git a/m4/hooks.m4 b/m4/hooks.m4
index 8485dcb..ba4163b 100644
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -99,10 +99,8 @@ fi
included_libtasn1=$withval,
included_libtasn1=no)
if test "$included_libtasn1" = "no"; then
- AC_LIB_HAVE_LINKFLAGS(tasn1,, [#include <libtasn1.h>],
- [asn1_check_version (NULL)])
- if test "$ac_cv_libtasn1" != yes; then
- included_libtasn1=yes
+ PKG_CHECK_MODULES(LIBTASN1, [libtasn1 >= 2.14], [],
[included_libtasn1=yes])
+ if test "$included_libtasn1" = yes; then
AC_MSG_WARN([[
***
*** Libtasn1 was not found. Will use the included one.
diff --git a/src/certtool.c b/src/certtool.c
index 7cc88d5..c438642 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -509,9 +509,8 @@ generate_certificate (gnutls_privkey_t * ret_key,
pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL);
- if (pk != GNUTLS_PK_DSA)
- { /* DSA keys can only sign.
- */
+ if (pk == GNUTLS_PK_RSA)
+ { /* DSA and ECDSA keys can only sign. */
result = get_sign_status (server);
if (result)
usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
@@ -1828,7 +1827,7 @@ generate_request (common_info_st * cinfo)
gnutls_x509_privkey_t xkey;
gnutls_pubkey_t pubkey;
gnutls_privkey_t pkey;
- int ret, ca_status, path_len;
+ int ret, ca_status, path_len, pk;
const char *pass;
unsigned int usage = 0;
@@ -1859,6 +1858,8 @@ generate_request (common_info_st * cinfo)
pubkey = load_public_key_or_import (1, pkey, cinfo);
+ pk = gnutls_pubkey_get_pk_algorithm (pubkey, NULL);
+
/* Set the DN.
*/
get_country_crq_set (crq);
@@ -1898,14 +1899,21 @@ generate_request (common_info_st * cinfo)
error (EXIT_FAILURE, 0, "set_basic_constraints: %s",
gnutls_strerror (ret));
- ret = get_sign_status (1);
- if (ret)
- usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+ if (pk == GNUTLS_PK_RSA)
+ {
+ ret = get_sign_status (1);
+ if (ret)
+ usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
- ret = get_encrypt_status (1);
- if (ret)
- usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
- else
+ /* Only ask for an encryption certificate
+ * if it is an RSA one */
+ ret = get_encrypt_status (1);
+ if (ret)
+ usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
+ else
+ usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+ }
+ else /* DSA and ECDSA are always signing */
usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
if (ca_status)
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, gnutls_3_0_x-2, updated. gnutls_3_0_23-19-g804f01c,
Nikos Mavrogiannopoulos <=