
[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_5-18-g8c772


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_5-18-g8c7728f
Date: Sat, 04 Jun 2011 20:49:01 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=8c7728fe406317b0abfd007c0fa9dc80404d07fe

The branch, gnutls_2_12_x has been updated
       via  8c7728fe406317b0abfd007c0fa9dc80404d07fe (commit)
       via  0f6e058baca642acbdcbb23f055f4b4dd71d402b (commit)
       via  0b34266779b5600e3985fdbd7a0a473bc549318f (commit)
      from  a427ebb75a2da65f2fa11c6dc5e095e49da40b7e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 8c7728fe406317b0abfd007c0fa9dc80404d07fe
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jun 4 22:18:18 2011 +0200

    preparing for release.

commit 0f6e058baca642acbdcbb23f055f4b4dd71d402b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jun 4 22:13:51 2011 +0200

    Follow http://tools.ietf.org/html/draft-mavrogiannopoulos-tls-dss-00 in DSA 
signature generation.

commit 0b34266779b5600e3985fdbd7a0a473bc549318f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Jun 1 00:04:33 2011 +0200

    updates

-----------------------------------------------------------------------

Summary of changes:
 NEWS                   |    8 +++++++-
 configure.ac           |    2 +-
 doc/cha-intro-tls.texi |    6 +++---
 lib/configure.ac       |    2 +-
 lib/ext_signature.c    |    6 ++++--
 lib/gnutls_sig.c       |   18 +-----------------
 lib/m4/hooks.m4        |    2 +-
 lib/nettle/pk.c        |   21 ++++++++++-----------
 lib/x509/common.h      |    2 +-
 lib/x509/verify.c      |   18 ++++++++++++------
 libextra/configure.ac  |    2 +-
 11 files changed, 42 insertions(+), 45 deletions(-)

diff --git a/NEWS b/NEWS
index 112f9e1..e0dda70 100644
--- a/NEWS
+++ b/NEWS
@@ -3,7 +3,13 @@ Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005,
               2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc.
 See the end for copying conditions.
 
-* Version 2.12.5 (unreleased)
+* Version 2.12.6 (released 2011-06-4)
+
+** libgnutls: Allow usage of DSA signatures with truncated hash.
+Following: http://tools.ietf.org/html/draft-mavrogiannopoulos-tls-dss-00
+
+** libgnutls: Prevent the usage of write() and friends when no data
+are to be sent.
 
 ** libgnutls: Correctly set compression method when resuming sessions.
 Reported by Dash Shendy.
diff --git a/configure.ac b/configure.ac
index a383b60..310bcf3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,7 @@ dnl Process this file with autoconf to produce a configure 
script.
 # USA
 
 AC_PREREQ(2.61)
-AC_INIT([GnuTLS], [2.12.5], address@hidden)
+AC_INIT([GnuTLS], [2.12.6], address@hidden)
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])
 
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index e081951..d3de6b3 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -355,7 +355,7 @@ To initiate the handshake.
 * Client Authentication::       Requesting a certificate from the client.
 * Resuming Sessions::           Reusing previously established keys.
 * Resuming Internals::          More information on reusing previously 
established keys.
-* Interoperability Issues::     Interoperability issues with other 
implementations.
+* Interoperability::            About interoperability with other 
implementations.
 @end menu
 
 @node TLS Cipher Suites
@@ -617,8 +617,8 @@ It might also be useful to be able to check for expired 
sessions in
 order to remove them, and save space. The function
 @ref{gnutls_db_check_entry} is provided for that reason.
 
address@hidden Interoperability Issues
address@hidden Interoperability Issues
address@hidden Interoperability
address@hidden Interoperability
 
 The @acronym{TLS} handshake is a complex procedure that negotiates all
 required parameters for a secure session. @acronym{GnuTLS} supports
diff --git a/lib/configure.ac b/lib/configure.ac
index eb63e8e..4c8eb9d 100644
--- a/lib/configure.ac
+++ b/lib/configure.ac
@@ -22,7 +22,7 @@ dnl Process this file with autoconf to produce a configure 
script.
 # MA 02110-1301, USA
 
 AC_PREREQ(2.61)
-AC_INIT([libgnutls], [2.12.5], address@hidden)
+AC_INIT([libgnutls], [2.12.6], address@hidden)
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])
 
diff --git a/lib/ext_signature.c b/lib/ext_signature.c
index edfb386..48eb535 100644
--- a/lib/ext_signature.c
+++ b/lib/ext_signature.c
@@ -249,9 +249,11 @@ _gnutls_signature_algorithm_send_params (gnutls_session_t 
session,
 int cert_compatible_with_sig(gnutls_cert* cert, gnutls_protocol_t ver, 
   gnutls_sign_algorithm_t sign)
 {
+unsigned int hash_len;
+
   if (cert->subject_pk_algorithm == GNUTLS_PK_DSA)
     { /* override */
-      int hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
+      int hash_algo = _gnutls_dsa_q_to_hash (cert->params[1], &hash_len);
 
       /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
       if (!_gnutls_version_has_selectable_sighash (ver))
@@ -261,7 +263,7 @@ int cert_compatible_with_sig(gnutls_cert* cert, 
gnutls_protocol_t ver,
         }
       else
         {
-          if (_gnutls_sign_get_hash_algorithm(sign) != hash_algo)
+          if (_gnutls_hash_get_algo_len(_gnutls_sign_get_hash_algorithm(sign)) 
< hash_len)
             return GNUTLS_E_UNWANTED_ALGORITHM;
         }
         
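Review bot: The relaxed comparison on the new `if` line accepts any signature hash at least as long as the key's q instead of exactly the one derived from q, which is what the cited draft allows, but nothing in the code records that intent and a later reader may well restore the equality test; a comment such as `/* hashes longer than q are truncated (draft-mavrogiannopoulos-tls-dss-00); only a shorter hash is refused */` above the test would fix that. The `unsigned int hash_len;` added in the previous hunk is placed at column 0 at function scope although only the DSA branch assigns and reads it; declaring it inside that branch, with the function's two-space indent, ties its lifetime to its use. cert_compatible_with_sig starts in the previous hunk and ends outside this one.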
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 82155f4..9a925c3 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -711,7 +711,7 @@ _gnutls_handshake_sign_cert_vrfy (gnutls_session_t session,
       break;
     case GNUTLS_PK_DSA:
       /* ensure 1024 bit DSA keys are used */
-      hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
+      hash_algo = _gnutls_dsa_q_to_hash (cert->params[1], NULL);
       if (!_gnutls_version_has_selectable_sighash (ver) && hash_algo != 
GNUTLS_DIG_SHA1)
         return gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
 
@@ -738,22 +738,6 @@ pk_hash_data (gnutls_pk_algorithm_t pk, 
gnutls_digest_algorithm_t hash,
 {
   int ret;
 
-  switch (pk)
-    {
-    case GNUTLS_PK_RSA:
-      break;
-    case GNUTLS_PK_DSA:
-      if (params && hash != _gnutls_dsa_q_to_hash (params[1]))
-        {
-          gnutls_assert ();
-          return GNUTLS_E_INVALID_REQUEST;
-        }
-      break;
-    default:
-      gnutls_assert ();
-      return GNUTLS_E_INVALID_REQUEST;
-    }
-
   digest->size = _gnutls_hash_get_algo_len (hash);
   digest->data = gnutls_malloc (digest->size);
   if (digest->data == NULL)
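Review bot: Removing the whole switch also removes its `default:` branch, so pk_hash_data no longer rejects a pk value other than RSA or DSA at this point, and in the part of the body visible here neither `pk` nor `params` is read any more; if the callers are now relied on to validate pk, a comment saying so would stop the next reader from re-adding the check, otherwise the rejection should stay. The DSA check itself only needed relaxing to the new minimum-length rule, not deleting: inside the old `params &&` guard, `unsigned int hash_len; _gnutls_dsa_q_to_hash (params[1], &hash_len); if (_gnutls_hash_get_algo_len (hash) < hash_len) return gnutls_assert_val (GNUTLS_E_INVALID_REQUEST);` keeps a caller from hashing with a digest too short for the key. The function's parameter list and the rest of its body lie outside the hunk.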
diff --git a/lib/m4/hooks.m4 b/lib/m4/hooks.m4
index 47834ee..6584fff 100644
--- a/lib/m4/hooks.m4
+++ b/lib/m4/hooks.m4
@@ -28,7 +28,7 @@ AC_DEFUN([LIBGNUTLS_HOOKS],
   # Interfaces removed:                           AGE=0
   AC_SUBST(LT_CURRENT, 46)
   AC_SUBST(LT_REVISION, 0)
-  AC_SUBST(LT_AGE, 20)
+  AC_SUBST(LT_AGE, 21)
 
   AC_SUBST(LT_SSL_CURRENT, 27)
   AC_SUBST(LT_SSL_REVISION, 0)
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 9af3739..505c6b4 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -276,7 +276,7 @@ _wrap_nettle_pk_sign (gnutls_pk_algorithm_t algo,
         struct dsa_public_key pub;
         struct dsa_private_key priv;
         struct dsa_signature sig;
-        int hash_len;
+        unsigned int hash_len;
 
         memset(&priv, 0, sizeof(priv));
         memset(&pub, 0, sizeof(pub));
@@ -285,13 +285,12 @@ _wrap_nettle_pk_sign (gnutls_pk_algorithm_t algo,
 
         dsa_signature_init (&sig);
 
-        hash = _gnutls_dsa_q_to_hash (pub.q);
-        hash_len = _gnutls_hash_get_algo_len (hash);
+        hash = _gnutls_dsa_q_to_hash (pub.q, &hash_len);
         if (hash_len > vdata->size)
           {
             gnutls_assert ();
-            ret = GNUTLS_E_PK_SIGN_FAILED;
-            goto dsa_fail;
+            _gnutls_debug_log("Security level of algorithm requires hash 
%s(%d) or better\n", gnutls_mac_get_name(hash), hash_len);
+            hash_len = vdata->size;
           }
 
         ret =
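Review bot: The new `_gnutls_debug_log` call prints `hash_len` with `%d` although the previous hunk changed the variable to `unsigned int`; the conversion should be `%u`, and the same mismatch is in the verify hunk below (its second `_gnutls_debug_log`). The message also reads as a refusal while the code now goes on with `hash_len = vdata->size;`, so a reader of the log cannot tell that signing proceeded with the shorter hash; wording such as `"algorithm expects hash %s(%u) or better; proceeding with the shorter hash supplied\n"` would describe what actually happens. _wrap_nettle_pk_sign continues outside the hunk, so whether the reduced `hash_len` is what the `ret =` call receives cannot be confirmed here.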
@@ -417,6 +416,7 @@ _wrap_nettle_pk_verify (gnutls_pk_algorithm_t algo,
       {
         struct dsa_public_key pub;
         struct dsa_signature sig;
+        unsigned int hash_len;
 
         ret = _gnutls_decode_ber_rs (signature, &tmp[0], &tmp[1]);
         if (ret < 0)
@@ -429,16 +429,16 @@ _wrap_nettle_pk_verify (gnutls_pk_algorithm_t algo,
         memcpy (&sig.r, tmp[0], sizeof (sig.r));
         memcpy (&sig.s, tmp[1], sizeof (sig.s));
 
-        hash = _gnutls_dsa_q_to_hash (pub.q);
+        hash = _gnutls_dsa_q_to_hash (pub.q, &hash_len);
 
-        if (vdata->size != _gnutls_hash_get_algo_len (hash))
+        if (hash_len > vdata->size)
           {
             gnutls_assert ();
-            ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
-            goto dsa_fail;
+            _gnutls_debug_log("Security level of algorithm requires hash 
%s(%d) or better\n", gnutls_mac_get_name(hash), hash_len);
+            hash_len = vdata->size;
           }
 
-        ret = _dsa_verify (&pub, vdata->size, vdata->data, &sig);
+        ret = _dsa_verify (&pub, hash_len, vdata->data, &sig);
         if (ret == 0)
           {
             gnutls_assert();
@@ -447,7 +447,6 @@ _wrap_nettle_pk_verify (gnutls_pk_algorithm_t algo,
         else
           ret = 0;
 
-      dsa_fail:
         _gnutls_mpi_release (&tmp[0]);
         _gnutls_mpi_release (&tmp[1]);
         break;
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 05526fd..5cc6a10 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -139,7 +139,7 @@ int _gnutls_x509_get_signed_data (ASN1_TYPE src, const char 
*src_name,
 int _gnutls_x509_get_signature (ASN1_TYPE src, const char *src_name,
                                 gnutls_datum_t * signature);
 
-gnutls_digest_algorithm_t _gnutls_dsa_q_to_hash (bigint_t q);
+gnutls_digest_algorithm_t _gnutls_dsa_q_to_hash (bigint_t q, unsigned int* 
hash_len);
 
 int _gnutls_get_asn_mpis (ASN1_TYPE asn, const char *root,
                           bigint_t * params, int *params_size);
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 86f7f76..97606be 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -798,16 +798,19 @@ dsa_verify_sig (const gnutls_datum_t * text,
   gnutls_datum_t digest;
   digest_hd_st hd;
   gnutls_digest_algorithm_t algo;
+  unsigned int hash_len;
 
-  algo = _gnutls_dsa_q_to_hash (params[1]);
+  algo = _gnutls_dsa_q_to_hash (params[1], &hash_len);
   if (hash)
     {
       /* SHA1 or better allowed */
-      if (!hash->data || hash->size != _gnutls_hash_get_algo_len(algo))
+      if (!hash->data || hash->size < hash_len)
         {
           gnutls_assert();
           _gnutls_debug_log("Hash size (%d) does not correspond to hash %s", 
(int)hash->size, gnutls_mac_get_name(algo));
-          return GNUTLS_E_INVALID_REQUEST;
+          
+          if (hash->size != 20)
+            return GNUTLS_E_PK_SIG_VERIFY_FAILED;
         }
       digest = *hash;
     }
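Review bot: Making the early return conditional on `hash->size != 20` leaves a hole for the `!hash->data` half of the condition: a caller passing `hash->data == NULL` with `hash->size == 20` now falls through to `digest = *hash;` with a NULL data pointer, whereas the old code returned GNUTLS_E_INVALID_REQUEST for both cases. Test the pointer on its own before the length test, matching the file's existing style: `if (!hash->data) { gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; }` and then `if (hash->size < hash_len)` for the logging branch. The literal `20` is the SHA-1 output length and the only short digest still accepted; a comment to that effect, or a named constant, would explain why a 20-byte hash passes while other short sizes fail verification. dsa_verify_sig continues outside the hunk.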
@@ -876,20 +879,23 @@ pubkey_verify_sig (const gnutls_datum_t * tbs,
 }
 
 gnutls_digest_algorithm_t
-_gnutls_dsa_q_to_hash (bigint_t q)
+_gnutls_dsa_q_to_hash (bigint_t q, unsigned int* hash_len)
 {
   int bits = _gnutls_mpi_get_nbits (q);
 
   if (bits <= 160)
     {
+      if (hash_len) *hash_len = 20;
       return GNUTLS_DIG_SHA1;
     }
   else if (bits <= 224)
     {
-      return GNUTLS_DIG_SHA224;
+      if (hash_len) *hash_len = 28;
+      return GNUTLS_DIG_SHA256;
     }
   else
     {
+      if (hash_len) *hash_len = 32;
       return GNUTLS_DIG_SHA256;
     }
 }
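Review bot: `_gnutls_dsa_q_to_hash` now has two outputs with different meanings and no comment explaining them: the return value is the digest to compute, while `*hash_len` is the number of digest bytes to pass to the DSA operation, and for a q of 161 to 224 bits the function returns GNUTLS_DIG_SHA256 yet sets `*hash_len` to 28, so the two are not interchangeable. Since callers in this commit either pass NULL or use both values together, a header comment such as `/* Returns the digest to use with a DSA key of subgroup size q. If hash_len is non-NULL it receives the number of leading digest bytes to sign or verify, which is shorter than the digest output when q is at most 224 bits. */` belongs on this definition and on the prototype in lib/x509/common.h.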
@@ -915,7 +921,7 @@ _gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * 
hash,
     case GNUTLS_PK_DSA:
 
       if (hash)
-        *hash = _gnutls_dsa_q_to_hash (issuer_params[1]);
+        *hash = _gnutls_dsa_q_to_hash (issuer_params[1], NULL);
 
       ret = 0;
       break;
diff --git a/libextra/configure.ac b/libextra/configure.ac
index 9f65dee..6c12247 100644
--- a/libextra/configure.ac
+++ b/libextra/configure.ac
@@ -22,7 +22,7 @@ dnl Process this file with autoconf to produce a configure 
script.
 # 02110-1301, USA.
 
 AC_PREREQ(2.61)
-AC_INIT([libgnutls-extra], [2.12.5], address@hidden)
+AC_INIT([libgnutls-extra], [2.12.6], address@hidden)
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])
 


hooks/post-receive
-- 
GNU gnutls


