
[SCM] GNU gnutls branch, gnutls_3_0_x-2, updated. gnutls_3_0_24-2-g7b9d0


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, gnutls_3_0_x-2, updated. gnutls_3_0_24-2-g7b9d015
Date: Sun, 30 Sep 2012 16:10:40 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7b9d0158f022b8468ea7cd362ef9142889f4ff29

The branch, gnutls_3_0_x-2 has been updated
       via  7b9d0158f022b8468ea7cd362ef9142889f4ff29 (commit)
      from  52f373cdf26d50e05f5dd49e4ecc8b29fc742535 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 7b9d0158f022b8468ea7cd362ef9142889f4ff29
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Sep 30 18:09:46 2012 +0200

    Added gnutls_ocsp_resp_check_crt() to check whether the OCSP
    response corresponds to the given certificate.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                            |    5 ++-
 lib/gnutls_errors.c             |    2 +
 lib/includes/gnutls/gnutls.h.in |    2 +
 lib/includes/gnutls/ocsp.h      |    4 ++
 lib/libgnutls.map               |    1 +
 lib/x509/ocsp.c                 |   97 +++++++++++++++++++++++++++++++++++++++
 6 files changed, 110 insertions(+), 1 deletions(-)

diff --git a/NEWS b/NEWS
index 345148d..e92b0d3 100644
--- a/NEWS
+++ b/NEWS
@@ -7,8 +7,11 @@ See the end for copying conditions.
 ** libgnutls: Fixed the receipt of session tickets during session resumption.
 Reported by danblack at http://savannah.gnu.org/support/?108146
 
+** libgnutls: Added gnutls_ocsp_resp_check_crt() to check whether the OCSP
+response corresponds to the given certificate.
+
 ** API and ABI modifications:
-No changes since last version.
+gnutls_ocsp_resp_check_crt: Added
 
 
 * Version 3.0.24 (released 2012-09-26)
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 71b6e6a..5e8df24 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -334,6 +334,8 @@ static const gnutls_error_entry error_algorithms[] = {
                GNUTLS_E_PKCS11_REQUESTED_OBJECT_NOT_AVAILBLE, 1),
   ERROR_ENTRY (N_("The provided X.509 certificate list is not sorted (in 
subject to issuer order)"),
                GNUTLS_E_CERTIFICATE_LIST_UNSORTED, 1),
+  ERROR_ENTRY (N_("The OCSP response is invalid"),
+               GNUTLS_E_OCSP_RESPONSE_ERROR, 1),
   {NULL, NULL, 0, 0}
 };
 
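Review bot: The new message "The OCSP response is invalid" is also what callers will see for the non-matching case, since GNUTLS_E_OCSP_RESPONSE_ERROR is returned by gnutls_ocsp_resp_check_crt() both for a malformed single response and for a well-formed response that simply refers to another certificate. A wording that covers both, e.g. `ERROR_ENTRY (N_("The OCSP response is invalid or does not correspond to the certificate"),`, would keep gnutls_strerror() output from misleading a user into treating a correct response as corrupt. The error_algorithms[] table starts and ends outside the hunk.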
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 773834c..355621a 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1905,6 +1905,8 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t 
session);
 #define GNUTLS_E_X509_UNSUPPORTED_EXTENSION -327
 #define GNUTLS_E_SESSION_EOF -328
 
+#define GNUTLS_E_OCSP_RESPONSE_ERROR -341
+
 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
 
 
diff --git a/lib/includes/gnutls/ocsp.h b/lib/includes/gnutls/ocsp.h
index db16b70..70343a2 100644
--- a/lib/includes/gnutls/ocsp.h
+++ b/lib/includes/gnutls/ocsp.h
@@ -249,6 +249,10 @@ extern "C"
                               unsigned int *verify,
                               unsigned int flags);
 
+int
+gnutls_ocsp_resp_check_crt (gnutls_ocsp_resp_t resp,
+                           gnutls_x509_crt_t crt);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 1078a07..f164733 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -790,6 +790,7 @@ GNUTLS_3_0_0 {
        gnutls_pk_to_sign;
        gnutls_certificate_set_x509_system_trust;
        gnutls_session_set_premaster;
+       gnutls_ocsp_resp_check_crt;
 } GNUTLS_2_12;
 
 GNUTLS_PRIVATE {
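Review bot: gnutls_ocsp_resp_check_crt is appended to the existing GNUTLS_3_0_0 version node rather than to a node for the release that introduces it, so a program using the new symbol will satisfy its version dependency on an older 3.0.x libgnutls and only fail at symbol resolution time. If the branch's convention is to extend GNUTLS_3_0_0 within the 3.0.x series this is acceptable; otherwise a new node such as `GNUTLS_<release> { global: gnutls_ocsp_resp_check_crt; } GNUTLS_3_0_0;` (release placeholder) is the usual way to make the dependency visible to the dynamic linker. The GNUTLS_3_0_0 node starts outside the hunk.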
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index 0857e33..3aca0f5 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -1275,6 +1275,103 @@ gnutls_ocsp_resp_get_produced (gnutls_ocsp_resp_t resp)
 }
 
 /**
+ * gnutls_ocsp_resp_check_crt:
+ * @resp: should contain a #gnutls_ocsp_resp_t structure
+ * @crt: The certificate to check
+ *
+ * This function will check whether the OCSP response
+ * is about the provided certificate.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error code is returned.  
+ **/
+int
+gnutls_ocsp_resp_check_crt (gnutls_ocsp_resp_t resp,
+                           gnutls_x509_crt_t crt)
+{
+int ret;
+gnutls_digest_algorithm_t digest;
+gnutls_datum_t rdn_hash = {NULL, 0}, rserial = {NULL, 0};
+gnutls_datum_t cserial = {NULL, 0};
+gnutls_datum_t dn = {NULL, 0};
+uint8_t cdn_hash[MAX_HASH_SIZE];
+size_t t, hash_len;
+
+  ret = gnutls_ocsp_resp_get_single (resp, 0, &digest, &rdn_hash, NULL,
+                                     &rserial, NULL, NULL, NULL, NULL, NULL);
+  if (ret < 0)
+    return gnutls_assert_val(ret);
+    
+  if (rserial.size == 0 || digest == GNUTLS_DIG_UNKNOWN)
+    {
+      ret = gnutls_assert_val(GNUTLS_E_OCSP_RESPONSE_ERROR);
+      goto cleanup;
+    }
+  
+  hash_len = _gnutls_hash_get_algo_len(digest);
+  if (hash_len != rdn_hash.size)
+    {
+      ret = gnutls_assert_val(GNUTLS_E_OCSP_RESPONSE_ERROR);
+      goto cleanup;
+    }
+
+  cserial.size = rserial.size;
+  cserial.data = gnutls_malloc(cserial.size);
+  if (cserial.data == NULL)
+    {
+      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+      goto cleanup;
+    }
+  
+  t = cserial.size;
+  ret = gnutls_x509_crt_get_serial(crt, cserial.data, &t);
+  if (ret < 0)
+    {
+      gnutls_assert();
+      goto cleanup;
+    }
+
+  if (rserial.size != cserial.size || memcmp(cserial.data, rserial.data, 
rserial.size) != 0)
+    {
+      ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
+      gnutls_assert();
+      goto cleanup;
+    }
+  
+  ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &dn);
+  if (ret < 0)
+    {
+      gnutls_assert();
+      goto cleanup;
+    }
+    
+  ret = _gnutls_hash_fast( digest, dn.data, dn.size, cdn_hash);
+  if (ret < 0)
+    {
+      gnutls_assert();
+      goto cleanup;
+    }
+
+  if (memcmp(cdn_hash, rdn_hash.data, hash_len) != 0)
+    {
+      ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
+      gnutls_assert();
+      goto cleanup;
+    }
+
+  ret = 0;
+  
+cleanup:
+  gnutls_free(rdn_hash.data);
+  gnutls_free(rserial.data);
+  gnutls_free(cserial.data);
+  gnutls_free(dn.data);
+
+  return ret;
+}
+
+
+/**
  * gnutls_ocsp_resp_get_single:
  * @resp: should contain a #gnutls_ocsp_resp_t structure
  * @indx: Specifies which extension OID to get. Use (0) to get the first one.
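Review bot: The serial-length comparison in `if (rserial.size != cserial.size || memcmp(cserial.data, rserial.data, rserial.size) != 0)` can never fire, because cserial.size was assigned from rserial.size a few lines earlier, while the length gnutls_x509_crt_get_serial() actually wrote back in `t` is never examined. When the certificate's serial is shorter than the one in the response, memcmp then runs over uninitialized tail bytes of the gnutls_malloc'd buffer and the mismatch is detected only by chance; `if (t != rserial.size || memcmp(cserial.data, rserial.data, t) != 0)` makes the check deterministic. Separately, only the first single response (index 0) is compared, so a response carrying several SingleResponse entries is rejected unless the matching one comes first; the docstring should say so, e.g. `Only the first single response in @resp is examined.`, and a `Since:` tag would match the other API docs in this file.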


hooks/post-receive
-- 
GNU gnutls


