
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_3-89-gc767001


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_3-89-gc767001
Date: Tue, 06 Nov 2012 22:20:56 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=c76700178f85f3bae45c296eaafba6187fb36d4e

The branch, master has been updated
       via  c76700178f85f3bae45c296eaafba6187fb36d4e (commit)
       via  30e0eed098299705dae650b120d54562dffa4280 (commit)
       via  c7c228b0619cfdc27e2f156d67e7732ee0b02829 (commit)
       via  b21ed9ee52cf8678d048075fa56ceecf6fa69241 (commit)
       via  ca109dccfc29a0afa2ab13c031e7d64a3bbe191d (commit)
       via  3f34f7ee180c4c20411daa1678a50c033011829d (commit)
      from  885e339e5542cac1266e21b710d7419fa813b8e5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c76700178f85f3bae45c296eaafba6187fb36d4e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Nov 6 23:19:50 2012 +0100

    Do not succeed if no MKI was received.
    
    The gnutls_srtp_get_mki() function succeeds only when the MKI was received by the peer.
    Also store the received MKI -if any- in the session resumption data.

commit 30e0eed098299705dae650b120d54562dffa4280
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Nov 6 23:07:12 2012 +0100

    Added gnutls_ocsp_status_request_is_checked().

commit c7c228b0619cfdc27e2f156d67e7732ee0b02829
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Nov 6 22:47:02 2012 +0100

    When verifying an OCSP response included in TLS don't fail if the response is old.
    
    That is to avoid creating more problems for a server that included an
    old response than for a server that included none.
    Also renamed: Too old -> Superseded.

commit b21ed9ee52cf8678d048075fa56ceecf6fa69241
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Nov 6 22:28:24 2012 +0100

    updated

commit ca109dccfc29a0afa2ab13c031e7d64a3bbe191d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Nov 6 22:10:10 2012 +0100

    doc update

commit 3f34f7ee180c4c20411daa1678a50c033011829d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Nov 6 21:36:35 2012 +0100

    updated doc

-----------------------------------------------------------------------

Summary of changes:
 NEWS                            |   12 ++++++------
 doc/cha-intro-tls.texi          |    2 +-
 lib/ext/srtp.c                  |   28 +++++++++++++++++++++-------
 lib/ext/srtp.h                  |    1 +
 lib/gnutls_cert.c               |   11 ++++++-----
 lib/gnutls_int.h                |    3 +++
 lib/gnutls_ui.c                 |   20 ++++++++++++++++++++
 lib/gnutls_x509.c               |   15 +++++++++++++--
 lib/includes/gnutls/gnutls.h.in |    5 +++--
 lib/libgnutls.map               |    1 +
 lib/x509/verify.c               |    2 +-
 11 files changed, 76 insertions(+), 24 deletions(-)

diff --git a/NEWS b/NEWS
index 09c8ae2..5fe0411 100644
--- a/NEWS
+++ b/NEWS
@@ -8,23 +8,20 @@ See the end for copying conditions.
 the available revocation data validity.
 
 ** libgnutls: Added gnutls_certificate_verification_status_print(),
-a function to print the verification status code in human
-readable text.
+a function to print the verification status code in human readable text.
 
 ** libgnutls: Added priority string %VERIFY_DISABLE_CRL_CHECKS.
 
 ** libgnutls: Simplified certificate verification by adding
 gnutls_certificate_verify_peers3().
 
-** libgnutls: Added support for extension to establish keys
-for SRTP.
+** libgnutls: Added support for extension to establish keys for SRTP.
 
 ** libgnutls: The X.509 verification functions check the key
 usage bits and pathlen constraints and on failure output 
 GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE.
 
-** libgnutls: gnutls_x509_crl_verify() includes the time
-checks.
+** libgnutls: gnutls_x509_crl_verify() includes the time checks.
 
 ** libgnutls: Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN
 and made GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN the default.
@@ -41,6 +38,7 @@ a site's DANE data.
 ** API and ABI modifications:
 gnutls_session_get_id2: Added
 gnutls_certificate_verify_peers3: Added
+gnutls_ocsp_status_request_is_checked: Added
 gnutls_certificate_verification_status_print: Added
 gnutls_srtp_set_profile: Added
 gnutls_srtp_set_profile_direct: Added
@@ -57,6 +55,8 @@ dane_cert_usage_name: Added
 dane_verification_status_print: Added
 GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added
 GNUTLS_CERT_REVOCATION_DATA_INVALID: Added
+GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: Added
+GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE: Added
 GNUTLS_CERT_UNEXPECTED_OWNER: Added
 GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN: Added
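Review bot: the API list in this hunk still carries `GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added` (the context line just above the two added entries) while lib/includes/gnutls/gnutls.h.in in this same push renames that enum value to `GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED`; update the NEWS entry to the new name so the changelog does not advertise an identifier that no longer exists in the header.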
 
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index 624efb9..a83c0f7 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -580,7 +580,7 @@ may periodically run @code{ocsptool} (see @ref{ocsptool 
Invocation}) to obtain
 its certificate revocation status and serve it to the clients. That
 way a client avoids an additional connection to the OCSP server.
 
address@hidden,gnutls_certificate_set_ocsp_status_request_file,gnutls_ocsp_status_request_enable_client}
address@hidden,gnutls_certificate_set_ocsp_status_request_file,gnutls_ocsp_status_request_enable_client,gnutls_ocsp_status_request_is_checked}
 
 A server is required to provide the OCSP server's response using the 
@funcref{gnutls_certificate_set_ocsp_status_request_file}.
 The response may be obtained periodically using the following command.
diff --git a/lib/ext/srtp.c b/lib/ext/srtp.c
index 0dc7cf1..f4e8681 100644
--- a/lib/ext/srtp.c
+++ b/lib/ext/srtp.c
@@ -234,6 +234,7 @@ _gnutls_srtp_recv_params (gnutls_session_t session,
     {
       DECR_LEN (data_size, priv->mki_size);
       memcpy(priv->mki, p, priv->mki_size);
+      priv->mki_received = 1;
     }
 
   return 0;
@@ -343,8 +344,8 @@ gnutls_srtp_get_selected_profile (gnutls_session_t session,
  * @mki: will hold the MKI
  *
  * This function exports the negotiated Master Key Identifier,
- * if any. The returned value in @mki should be treated as
- * constant and valid only during the session's lifetime.
+ * received by the peer if any. The returned value in @mki should be 
+ * treated as constant and valid only during the session's lifetime.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
  *   otherwise a negative error code is returned.
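Review bot: wording in the added comment lines: `received by the peer` describes the peer as the receiver, but the MKI returned by gnutls_srtp_get_mki() is the one the local side received from the peer (it is `_gnutls_srtp_recv_params` that sets `mki_received`); suggest `received from the peer, if any.`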
@@ -363,12 +364,12 @@ gnutls_srtp_get_mki (gnutls_session_t session,
     _gnutls_ext_get_session_data (session, GNUTLS_EXTENSION_SRTP,
                                   &epriv);
   if (ret < 0)
-    {
-      gnutls_assert ();
-      return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
-    }
+    return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
 
   priv = epriv.ptr;
+
+  if (priv->mki_received == 0)
+    return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
   
   mki->data = priv->mki;
   mki->size = priv->mki_size;
@@ -647,7 +648,13 @@ _gnutls_srtp_pack (extension_priv_data_t epriv, 
gnutls_buffer_st * ps)
     {
       BUFFER_APPEND_NUM (ps, priv->profiles[i]);
     }
-  BUFFER_APPEND_NUM (ps, priv->selected_profile);
+
+  BUFFER_APPEND_NUM (ps, priv->mki_received);
+  if (priv->mki_received)
+    {
+      BUFFER_APPEND_NUM (ps, priv->selected_profile);
+      BUFFER_APPEND_PFX4 (ps, priv->mki, priv->mki_size);
+    }
   return 0;
 }
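Review bot: logic problem: `BUFFER_APPEND_NUM (ps, priv->selected_profile)` has been moved inside `if (priv->mki_received)`, so the selected profile is no longer packed at all when no MKI was received, while the matching `_gnutls_srtp_unpack` still pops `selected_profile` unconditionally before it pops `mki_received`. The pack and unpack layouts disagree whenever `mki_received == 0`, so resumption data written for a session without an MKI will be misparsed on resumption. Keep the profile append unconditional and ahead of the new field, i.e. restore `BUFFER_APPEND_NUM (ps, priv->selected_profile);` before `BUFFER_APPEND_NUM (ps, priv->mki_received);` and drop the copy inside the conditional.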
 
@@ -674,6 +681,13 @@ _gnutls_srtp_unpack (gnutls_buffer_st * ps,
     }
   BUFFER_POP_NUM (ps, priv->selected_profile);
 
+  BUFFER_POP_NUM (ps, priv->mki_received);
+  if (priv->mki_received)
+    {
+      BUFFER_POP_NUM (ps, priv->mki_size);
+      BUFFER_POP (ps, priv->mki, priv->mki_size);
+    }
+
   epriv.ptr = priv;
   *_priv = epriv;
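Review bot: `BUFFER_POP_NUM (ps, priv->mki_size)` followed by `BUFFER_POP (ps, priv->mki, priv->mki_size)` copies into the fixed `uint8_t mki[256]` declared in lib/ext/srtp.h using a length taken from the resumption data; unless `BUFFER_POP` already bounds the destination, add a check such as `if (priv->mki_size > sizeof(priv->mki)) return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);` before the pop, since stored session data is not guaranteed to be well-formed. The field order here (profile number, then `mki_received`, then the MKI) must also match what `_gnutls_srtp_pack` writes.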
 
diff --git a/lib/ext/srtp.h b/lib/ext/srtp.h
index 73552f7..bb565b7 100644
--- a/lib/ext/srtp.h
+++ b/lib/ext/srtp.h
@@ -33,6 +33,7 @@ typedef struct
   gnutls_srtp_profile_t selected_profile;
   uint8_t mki[256];
   unsigned mki_size;
+  unsigned int mki_received;
 } srtp_ext_st;
 
 extern extension_entry_st ext_mod_srtp;
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index f784cc5..f98ecdc 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -692,7 +692,7 @@ gnutls_certificate_verify_peers2 (gnutls_session_t session,
 /**
  * gnutls_certificate_verify_peers3:
  * @session: is a gnutls session
- * @hostname: is the expected name of the peer
+ * @hostname: is the expected name of the peer; may be %NULL
  * @status: is the output of the verification
  *
  * This function will verify the peer's certificate and its name and 
@@ -701,8 +701,9 @@ gnutls_certificate_verify_peers2 (gnutls_session_t session,
  * bitwise or'd or zero if the certificate is trusted. Note that verification 
  * failure does not imply a negative return value. Only the @status is updated.
  *
- * In case the @hostname does not match the %GNUTLS_CERT_UNEXPECTED_OWNER
- * status flag will be set.
+ * If the @hostname provided is non-NULL then this function will compare
+ * the hostname in the certificate against the given. If they do not match 
+ * the %GNUTLS_CERT_UNEXPECTED_OWNER status flag will be set.
  *
  * If available the OCSP Certificate Status extension will be
  * utilized by this function.
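Review bot: grammar in the added comment: `against the given.` lacks its object; suggest `against the given one` or `against @hostname`.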
@@ -943,8 +944,8 @@ gnutls_certificate_verification_status_print (unsigned int 
status,
       if (status & GNUTLS_CERT_REVOKED)
         _gnutls_buffer_append_str (&str, _("The certificate chain revoked. "));
 
-      if (status & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD)
-         _gnutls_buffer_append_str (&str, _("The revocation data are too old. 
"));
+      if (status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED)
+         _gnutls_buffer_append_str (&str, _("The revocation data are old and 
have been superseded. "));
 
       if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID)
          _gnutls_buffer_append_str (&str, _("The revocation data are invalid. 
"));
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 1081135..bc03a8c 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -919,6 +919,9 @@ typedef struct
   unsigned int hb_actual_retrans_timeout_ms; /* current timeout, in 
milliseconds*/
   unsigned int hb_retrans_timeout_ms; /* the default timeout, in milliseconds*/
   unsigned int hb_total_timeout_ms; /* the total timeout, in milliseconds*/
+  
+  unsigned int ocsp_check_ok; /* will be zero if the OCSP response TLS 
extension
+                               * check failed (OCSP was old/unrelated or so). 
*/
 
   heartbeat_state_t hb_state; /* for ping */
   
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 110ebae..9fb6c50 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -825,3 +825,23 @@ gnutls_url_is_supported (const char* url)
 #endif
   return 0;
 }
+
+/**
+ * gnutls_ocsp_status_request_is_checked:
+ * @session: is a gnutls session
+ * @flags: should be zero
+ *
+ * Check whether an OCSP status response was included in the handshake
+ * and whether it was checked and valid (not too old or superseded). 
+ * This is a helper function when needing to decide whether to perform an
+ * OCSP validity check on the peer's certificate. Must be called after
+ * gnutls_certificate_verify_peers3() is called.
+ *
+ * Returns: non zero it was valid, or a zero if it wasn't sent,
+ * or sent and was invalid.
+ **/
+int
+gnutls_ocsp_status_request_is_checked (gnutls_session_t session, unsigned int 
flags)
+{
+  return session->internals.ocsp_check_ok;
+}
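Review bot: the `Returns:` line of the new doc comment reads `non zero it was valid`; it should be `non-zero if it was valid`. Also `@flags: should be zero` is documented but not enforced by the body; if the parameter is reserved for future use, consider `if (flags != 0) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` so callers passing stray values fail early instead of silently getting an answer.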
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index cf8dee5..8188b79 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -102,6 +102,7 @@ check_ocsp_response (gnutls_session_t session, 
gnutls_x509_crt_t cert,
   int ret;
   unsigned int status, cert_status;
   time_t rtime, vtime, ntime, now;
+  int check_failed;
   
   now = gnutls_time(0);
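Review bot: `int check_failed;` is declared without an initializer, and the later hunks in this file only ever assign `1` to it before testing `if (check_failed == 0)`; on the path where the stapled response is fresh, neither branch assigns it and the comparison reads an indeterminate value, so `ocsp_check_ok` is set (or not) at random. Declare it as `int check_failed = 0;`.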
 
@@ -148,11 +149,16 @@ check_ocsp_response (gnutls_session_t session, 
gnutls_x509_crt_t cert,
       goto cleanup;
     }
   
+  /* Report but do not fail on the following errors. That is
+   * because including the OCSP response in the handshake shouldn't 
+   * cause more problems that not including it.
+   */
   if (ntime == -1)
     {
       if (now - vtime > MAX_OCSP_VALIDITY_SECS)
         {
           _gnutls_audit_log(session, "The OCSP response is old\n");
+          check_failed = 1;
         }
     }
   else
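Review bot: typo in the added comment block: `more problems that not including it` should read `more problems than not including it`.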
@@ -161,11 +167,13 @@ check_ocsp_response (gnutls_session_t session, 
gnutls_x509_crt_t cert,
       if (ntime < now)
         {
           _gnutls_audit_log(session, "There is a newer OCSP response but was 
not provided by the server\n");
-         if (now-ntime > MAX_OCSP_VALIDITY_SECS)
-           *ostatus |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
+          check_failed = 1;
         }
     }
   
+  if (check_failed == 0)
+    session->internals.ocsp_check_ok = 1;
+
   ret = 0;
 cleanup:
   gnutls_ocsp_resp_deinit (resp);
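Review bot: dropping `*ostatus |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD` means a stapled response that has been superseded no longer surfaces in the verification status at all; it only reaches the application through the audit log and the new gnutls_ocsp_status_request_is_checked(). Existing callers that inspect only the `status` from gnutls_certificate_verify_peers3() will therefore treat such a response as fine, so the behaviour change should be stated in the NEWS entry and in the verify_peers3 documentation, which still says the OCSP extension `will be utilized by this function`. Setting `ocsp_check_ok = 1` before `cleanup:` correctly limits it to the success path.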
@@ -203,6 +211,9 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
   unsigned int ocsp_status = 0;
   unsigned int verify_flags;
 
+  /* No OCSP check so far */
+  session->internals.ocsp_check_ok = 0;
+
   CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
 
   info = _gnutls_get_auth_info (session);
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index d7f07f2..b91f684 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -447,8 +447,8 @@ extern "C"
  *   should not be trusted.
  * @GNUTLS_CERT_NOT_ACTIVATED: The certificate is not yet activated.
  * @GNUTLS_CERT_EXPIRED: The certificate has expired.
- * @GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: The OCSP revocation data are too old.
  * @GNUTLS_CERT_REVOCATION_DATA_INVALID: The OCSP revocation data are invalid.
+ * @GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED: The revocation data are old and 
have been superseded.
  * @GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: The revocation data have a 
future issue date.
  * @GNUTLS_CERT_UNEXPECTED_OWNER: The owner is not the expected one.
  *
@@ -466,7 +466,7 @@ extern "C"
     GNUTLS_CERT_NOT_ACTIVATED = 1<<9,
     GNUTLS_CERT_EXPIRED = 1<<10,
     GNUTLS_CERT_SIGNATURE_FAILURE = 1<<11,
-    GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 1<<12,
+    GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED = 1<<12,
     GNUTLS_CERT_REVOCATION_DATA_INVALID = 1<<13,
     GNUTLS_CERT_UNEXPECTED_OWNER = 1<<14,
     GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE = 1<<15,
@@ -1274,6 +1274,7 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t 
session);
 
   int gnutls_ocsp_status_request_get (gnutls_session_t session, gnutls_datum_t 
*response);
 
+  int gnutls_ocsp_status_request_is_checked (gnutls_session_t session, 
unsigned int flags);
 
 /* global state functions
  */
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index afc2dd4..201bdda 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -868,6 +868,7 @@ GNUTLS_3_1_0 {
        gnutls_srtp_get_keys;
        gnutls_srtp_get_mki;
        gnutls_srtp_set_mki;
+       gnutls_ocsp_status_request_is_checked;
 } GNUTLS_3_0_0;
 
 GNUTLS_PRIVATE {
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 7cbbb63..636ae0e 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1114,7 +1114,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
     *output |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE;
     
   if (gnutls_x509_crl_get_next_update (crl) < now)
-    *output |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
+    *output |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED;
 
 
 cleanup:


hooks/post-receive
-- 
GNU gnutls


