
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-22-gc9d778d


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-22-gc9d778d
Date: Sun, 30 Sep 2012 16:10:42 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=c9d778ddf36a19a427d30e501ba2b5d7ad81898a

The branch, master has been updated
       via  c9d778ddf36a19a427d30e501ba2b5d7ad81898a (commit)
       via  6174e84cdd5734aff7fc5b1b9818716c540845fd (commit)
      from  946ea95e6f3ac2a9dad38d8f64eeee2956279a47 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c9d778ddf36a19a427d30e501ba2b5d7ad81898a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Sep 30 18:10:17 2012 +0200

    gnutls_ocsp_resp_check_crt was moved to the 3.0 symbols and the documentation was updated.

commit 6174e84cdd5734aff7fc5b1b9818716c540845fd
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Sep 30 16:34:32 2012 +0200

    documented gnutls_ocsp_resp_check_crt().

-----------------------------------------------------------------------

Summary of changes:
 NEWS                          |    3 ++
 doc/cha-cert-auth2.texi       |    5 ++-
 doc/examples/ex-ocsp-client.c |   56 ++++++++++++++++-------------------------
 doc/invoke-gnutls-cli.texi    |    9 ++++++-
 doc/invoke-gnutls-serv.texi   |   11 +++++++-
 lib/libgnutls.map             |    2 +-
 6 files changed, 47 insertions(+), 39 deletions(-)

diff --git a/NEWS b/NEWS
index 1a19bad..7deecba 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,9 @@ extension.
 ** libgnutls: Fixed the receipt of session tickets during session resumption.
 Reported by danblack at http://savannah.gnu.org/support/?108146
 
+** libgnutls: Added gnutls_ocsp_resp_check_crt() to check whether the OCSP
+response corresponds to the given certificate.
+
 ** API and ABI modifications:
 gnutls_certificate_set_ocsp_status_request_function: Added
 gnutls_certificate_set_ocsp_status_request_file: Added
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index 9e4baba..fa6c55d 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -283,9 +283,10 @@ automatically parsed when an OCSP Response is imported.
 
@showfuncE{gnutls_ocsp_resp_init,gnutls_ocsp_resp_deinit,gnutls_ocsp_resp_import,gnutls_ocsp_resp_export,gnutls_ocsp_resp_print}
 
 The OCSP response needs to be verified against some set of trust
-anchors before it can be relied upon.
+anchors before it can be relied upon, and it is wise to check whether
+the OCSP response corresponds to the certificate being checked.
 
address@hidden,gnutls_ocsp_resp_verify_direct}
address@hidden,gnutls_ocsp_resp_verify_direct,gnutls_ocsp_resp_check_crt}
 
 @node Managing encrypted keys
 @section Managing encrypted keys
diff --git a/doc/examples/ex-ocsp-client.c b/doc/examples/ex-ocsp-client.c
index 9ca7100..0428574 100644
--- a/doc/examples/ex-ocsp-client.c
+++ b/doc/examples/ex-ocsp-client.c
@@ -20,10 +20,11 @@ size_t get_data (void *buffer, size_t size, size_t nmemb,
 static gnutls_x509_crt_t load_cert (const char *cert_file);
 static void _response_info (const gnutls_datum_t * data);
 static void
-_generate_request (gnutls_datum_t * rdata, const char *cert_file,
-                   const char *issuer_file);
-static int _verify_response (gnutls_datum_t * data,
-                             const char *signer_file);
+_generate_request (gnutls_datum_t * rdata, gnutls_x509_crt_t cert,
+                   gnutls_x509_crt_t issuer);
+static int
+_verify_response (gnutls_datum_t * data, gnutls_x509_crt_t cert, 
+                  gnutls_x509_crt_t signer);
 
 /* This program queries an OCSP server.
    It expects three files. argv[1] containing the certificate to
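Review bot: The new `_verify_response` prototype line `_verify_response (gnutls_datum_t * data, gnutls_x509_crt_t cert, ` carries trailing whitespace after the comma, and the same trailing space recurs on the function's definition line in the later hunk of this file, plus a whitespace-only line added just before the `gnutls_ocsp_resp_check_crt` call. Strip the trailing spaces in all three places so the diff stays clean under the project's whitespace checks. The comment block that starts at the end of this hunk continues outside it, and it should now mention that the verification step also confirms the response covers the certificate from argv[1], since that is what this commit adds.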
@@ -40,6 +41,7 @@ main (int argc, char *argv[])
     gnutls_datum_t ud, tmp;
     int ret;
     gnutls_datum_t req;
+    gnutls_x509_crt_t cert, issuer, signer;
 #ifndef NO_LIBCURL
     CURL *handle;
     struct curl_slist *headers = NULL;
@@ -55,9 +57,12 @@ main (int argc, char *argv[])
     if (argc > 4)
         hostname = argv[4];
 
+    cert = load_cert (cert_file);
+    issuer = load_cert (issuer_file);
+    signer = load_cert (signer_file);
+
     if (hostname == NULL)
       {
-          gnutls_x509_crt_t cert = load_cert (cert_file);
 
           for (seq = 0;; seq++)
             {
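Review bot: The three `load_cert ()` results added before the `hostname == NULL` branch are used without any NULL check; whether that is safe depends on `load_cert ()` exiting on failure, and its body is outside this hunk (only its closing brace is visible later in the diff). If it can return NULL, add `if (cert == NULL || issuer == NULL || signer == NULL) exit (1);` right after the three calls, otherwise a missing or unparsable file turns into a NULL dereference inside `gnutls_ocsp_req_add_cert` or `gnutls_ocsp_resp_check_crt`. The enclosing `main` starts and ends outside this hunk.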
@@ -90,7 +95,6 @@ main (int argc, char *argv[])
                 break;
             }
 
-          gnutls_x509_crt_deinit (cert);
       }
 
     /* Note that the OCSP servers hostname might be available
@@ -100,7 +104,7 @@ main (int argc, char *argv[])
     memset (&ud, 0, sizeof (ud));
     fprintf (stderr, "Connecting to %s\n", hostname);
 
-    _generate_request (&req, cert_file, issuer_file);
+    _generate_request (&req, cert, issuer);
 
 #ifndef NO_LIBCURL
     curl_global_init (CURL_GLOBAL_ALL);
@@ -132,8 +136,11 @@ main (int argc, char *argv[])
 
     _response_info (&ud);
 
-    v = _verify_response (&ud, signer_file);
+    v = _verify_response (&ud, cert, signer);
 
+    gnutls_x509_crt_deinit (cert);
+    gnutls_x509_crt_deinit (issuer);
+    gnutls_x509_crt_deinit (signer);
     gnutls_global_deinit ();
 
     return v;
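Review bot: The three `gnutls_x509_crt_deinit` calls added before `gnutls_global_deinit` make the certificate cleanup explicit, but the response buffer `ud`, filled through the curl write callback, is still not released on this path. If `get_data ()` grows `ud.data` with malloc/realloc (its body is outside the hunk), add `free (ud.data);` next to the new deinit calls. This is cosmetic at process exit, but it keeps the example leak-free when run under a sanitizer, which matters for code that users copy as a template.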
@@ -198,12 +205,11 @@ load_cert (const char *cert_file)
 }
 
 static void
-_generate_request (gnutls_datum_t * rdata, const char *cert_file,
-                   const char *issuer_file)
+_generate_request (gnutls_datum_t * rdata, gnutls_x509_crt_t cert,
+                   gnutls_x509_crt_t issuer)
 {
     gnutls_ocsp_req_t req;
     int ret;
-    gnutls_x509_crt_t issuer, cert;
     unsigned char noncebuf[23];
     gnutls_datum_t nonce = { noncebuf, sizeof (noncebuf) };
 
@@ -211,16 +217,11 @@ _generate_request (gnutls_datum_t * rdata, const char 
*cert_file,
     if (ret < 0)
         exit (1);
 
-    issuer = load_cert (issuer_file);
-    cert = load_cert (cert_file);
 
     ret = gnutls_ocsp_req_add_cert (req, GNUTLS_DIG_SHA1, issuer, cert);
     if (ret < 0)
         exit (1);
 
-    gnutls_x509_crt_deinit (issuer);
-    gnutls_x509_crt_deinit (cert);
-
     ret = gnutls_rnd (GNUTLS_RND_RANDOM, nonce.data, nonce.size);
     if (ret < 0)
         exit (1);
@@ -239,14 +240,12 @@ _generate_request (gnutls_datum_t * rdata, const char 
*cert_file,
 }
 
 static int
-_verify_response (gnutls_datum_t * data, const char *signer_file)
+_verify_response (gnutls_datum_t * data, gnutls_x509_crt_t cert, 
+                  gnutls_x509_crt_t signer)
 {
     gnutls_ocsp_resp_t resp;
     int ret;
-    size_t size;
-    gnutls_x509_crt_t signer;
     unsigned verify;
-    gnutls_datum_t dat;
 
     ret = gnutls_ocsp_resp_init (&resp);
     if (ret < 0)
@@ -255,21 +254,10 @@ _verify_response (gnutls_datum_t * data, const char 
*signer_file)
     ret = gnutls_ocsp_resp_import (resp, data);
     if (ret < 0)
         exit (1);
-
-    ret = gnutls_x509_crt_init (&signer);
-    if (ret < 0)
-        exit (1);
-
-    dat.data = (void *) read_binary_file (signer_file, &size);
-    if (dat.data == NULL)
-        exit (1);
-
-    dat.size = size;
-
-    ret = gnutls_x509_crt_import (signer, &dat, GNUTLS_X509_FMT_PEM);
-    free (dat.data);
+        
+    ret = gnutls_ocsp_resp_check_crt (resp, cert);
     if (ret < 0)
-        exit (1);
+      exit(1);
 
     ret = gnutls_ocsp_resp_verify_direct (resp, signer, &verify, 0);
     if (ret < 0)
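Review bot: The added `exit(1);` after the `gnutls_ocsp_resp_check_crt` call is indented by six spaces and written without the GNU-style space before the parenthesis, unlike the `exit (1);` two lines above it in the same function; change it to `        exit (1);` so the error paths read uniformly. Calling the check before `gnutls_ocsp_resp_verify_direct` is the right order, but a non-negative return here only establishes that the response is about `cert`; it says nothing about who signed it or whether the certificate is good, so the `verify` flags and the certificate status still have to be examined in the code that continues past the end of this hunk. A one-line comment such as `/* the response must be about our certificate before we trust its status */` above the call would make that distinction clear to readers of the example.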
diff --git a/doc/invoke-gnutls-cli.texi b/doc/invoke-gnutls-cli.texi
index f00fa04..c0191e9 100644
--- a/doc/invoke-gnutls-cli.texi
+++ b/doc/invoke-gnutls-cli.texi
@@ -7,7 +7,7 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-gnutls-cli.texi)
 # 
-# It has been AutoGen-ed  September  1, 2012 at 11:10:28 AM by AutoGen 5.16
+# It has been AutoGen-ed  September 30, 2012 at 04:41:48 PM by AutoGen 5.16
 # From the definitions    ../src/cli-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -51,6 +51,7 @@ USAGE:  gnutls-cli [ -<flag> [<val>] | 
--<name>address@hidden| @}<val>] ]... [hostname]
    -b, --heartbeat            Activate heartbeat support
    -e, --rehandshake          Establish a session and rehandshake
        --noticket             Don't accept session tickets
+       --ocsp-status-request  Enable OCSP status request
    -s, --starttls             Connect, establish a plain session and start TLS.
    -u, --udp                  Use DTLS (datagram TLS) over UDP
        --mtu=num              Set MTU for datagram TLS
@@ -138,6 +139,12 @@ Connect, establish a session, reconnect and resume.
 
 This is the ``establish a session and rehandshake'' option.
 Connect, establish a session and rehandshake immediately.
address@hidden ocsp-status-request}
address@hidden ocsp-status-request option
address@hidden gnutls-cli-ocsp-status-request
+
+This is the ``enable ocsp status request'' option.
+The client will indicate to the server in a TLS extension that it wants a OCSP 
status request.
 @anchor{gnutls-cli starttls}
 @subheading starttls option (-s)
 @cindex gnutls-cli-starttls
diff --git a/doc/invoke-gnutls-serv.texi b/doc/invoke-gnutls-serv.texi
index 57da3b7..aaa7928 100644
--- a/doc/invoke-gnutls-serv.texi
+++ b/doc/invoke-gnutls-serv.texi
@@ -7,7 +7,7 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-gnutls-serv.texi)
 # 
-# It has been AutoGen-ed  September  1, 2012 at 11:10:28 AM by AutoGen 5.16
+# It has been AutoGen-ed  September 30, 2012 at 04:41:49 PM by AutoGen 5.16
 # From the definitions    ../src/serv-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -80,6 +80,8 @@ USAGE:  gnutls-serv [ -<flag> [<val>] | 
--<name>address@hidden| @}<val>] ]...
        --pskpasswd=file       PSK password file to use
                                 - file must pre-exist
        --pskhint=str          PSK identity hint to use
+       --ocsp-response=file   The OCSP response to send to client
+                                - file must pre-exist
    -p, --port=num             The port to connect to
    -l, --list                 Print a list of the supported algorithms and 
modes
    -v, --version[=arg]        Output version information and exit
@@ -122,6 +124,13 @@ NORMAL, SECURE128, SECURE256.
 
 Check  the  GnuTLS  manual  on  section  ``Priority strings'' for more
 information on allowed keywords
address@hidden ocsp-response}
address@hidden ocsp-response option
address@hidden gnutls-serv-ocsp-response
+
+This is the ``the ocsp response to send to client'' option.
+This option takes an argument file.
+If the client requested an OCSP response, return data from this file to the 
client.
 @anchor{gnutls-serv list}
 @subheading list option (-l)
 @cindex gnutls-serv-list
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index af01488..9cfe3d3 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -790,6 +790,7 @@ GNUTLS_3_0_0 {
        gnutls_pk_to_sign;
        gnutls_certificate_set_x509_system_trust;
        gnutls_session_set_premaster;
+       gnutls_ocsp_resp_check_crt;
 } GNUTLS_2_12;
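Review bot: `gnutls_ocsp_resp_check_crt` is added to the `GNUTLS_3_0_0` version node here and removed from `GNUTLS_3_1_0` in the next hunk, while the NEWS hunk in this same commit announces it as a new function; a symbol version node normally records the release that introduced the symbol, so tagging a new symbol with an older node lets programs linked against it appear compatible with 3.0 libraries that do not export it, failing only at symbol resolution. If the function is also being backported to the 3.0 branch this is intentional and a short comment in the map or commit message saying so would help; if not, it should stay under `GNUTLS_3_1_0`.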
 
 GNUTLS_3_1_0 {
@@ -840,7 +841,6 @@ GNUTLS_3_1_0 {
        gnutls_certificate_set_ocsp_status_request_file;
        gnutls_ocsp_status_request_enable_client;
        gnutls_ocsp_status_request_get;
-       gnutls_ocsp_resp_check_crt;
 } GNUTLS_3_0_0;
 
 GNUTLS_PRIVATE {


hooks/post-receive
-- 
GNU gnutls


