[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, gnutls_3_0_x, updated. gnutls_3_0_1-117-g886da0
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, gnutls_3_0_x, updated. gnutls_3_0_1-117-g886da0b |
|
Date: |
Fri, 09 Sep 2011 16:53:15 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=886da0ba7dcda8ce4332a32ee71f200044ec29fe
The branch, gnutls_3_0_x has been updated
via 886da0ba7dcda8ce4332a32ee71f200044ec29fe (commit)
via e4fc905c80d0403f7c4ea3e9dc89de5fb88a6b59 (commit)
via 782332683f63e9a8c2bb815024a15710079a4112 (commit)
via a92a733316da7119cb699fbb1f19059ba16c7436 (commit)
via 6936579f1b508890e7b43d92c7b58269f0c41c9a (commit)
via 98dfaef4fd5d5a763a60c364fb0c74316d8fb6bc (commit)
via 37745b5b50d19297a01eb089da92040751d6561e (commit)
via 24ce0c3ec407144892fc21b7ddadd4ada5f96cc2 (commit)
via b62dfd371ee8e1d836a5a9418ee254f6ede6d297 (commit)
from d031152f05f85ec623cc3fa03fce9d7bc709dcdd (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 886da0ba7dcda8ce4332a32ee71f200044ec29fe
Merge: d031152 e4fc905
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Sep 9 18:53:20 2011 +0200
Merge branch 'master' into gnutls_3_0_x
commit e4fc905c80d0403f7c4ea3e9dc89de5fb88a6b59
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Sep 9 18:18:27 2011 +0200
Memory leak fixes in ECC ciphersuites and the trust_list.
commit 782332683f63e9a8c2bb815024a15710079a4112
Merge: b62dfd3 a92a733
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Sep 9 17:31:47 2011 +0200
Merge branch 'master' of ssh://git.sv.gnu.org/srv/git/gnutls
commit b62dfd371ee8e1d836a5a9418ee254f6ede6d297
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Thu Sep 8 18:10:47 2011 +0200
simplified ecb encryption.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 5 +-
lib/accelerated/intel/aes-gcm-padlock.c | 7 +-
lib/accelerated/intel/aes-padlock.c | 13 -
lib/accelerated/intel/aes-padlock.h | 2 -
lib/auth/ecdh_common.c | 6 +
lib/nettle/ecc_free.c | 2 +-
lib/nettle/pk.c | 24 ++-
lib/x509/verify-high.c | 601 ++++++++++++++++---------------
tests/x509cert-tl.c | 2 +
tests/x509cert.c | 2 +
10 files changed, 349 insertions(+), 315 deletions(-)
diff --git a/NEWS b/NEWS
index 01649bf..e6083c8 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ See the end for copying conditions.
* Version 3.0.3 (unreleased)
+** libgnutls: Memory leak fixes in ECC ciphersuites.
+
** libgnutls: Do not send an empty extension structure in server
hello. This affected old implementations that do not support extensions.
Reported by J. Cameijo Cerdeira.
@@ -19,7 +21,8 @@ PKCS #11.
to allow generating a key in a token.
** p11tool: Added generate-rsa, generate-dsa and
-generate-ecc options.
+generate-ecc options to allow generating private
+keys in the token.
** API and ABI modifications:
gnutls_pkcs11_privkey_generate: Added
diff --git a/lib/accelerated/intel/aes-gcm-padlock.c
b/lib/accelerated/intel/aes-gcm-padlock.c
index d60c0a6..28292ad 100644
--- a/lib/accelerated/intel/aes-gcm-padlock.c
+++ b/lib/accelerated/intel/aes-gcm-padlock.c
@@ -52,7 +52,12 @@ static void padlock_aes_encrypt(void *_ctx,
unsigned length, uint8_t *dst,
const uint8_t *src)
{
- padlock_aes_ecb_encrypt(_ctx, src, length, dst, length);
+ struct padlock_ctx *ctx = _ctx;
+ struct padlock_cipher_data *pce;
+
+ pce = ALIGN16(&ctx->expanded_key);
+
+ padlock_ecb_encrypt(dst, src, pce, length);
}
static void padlock_aes_set_encrypt_key(struct padlock_ctx *_ctx,
diff --git a/lib/accelerated/intel/aes-padlock.c
b/lib/accelerated/intel/aes-padlock.c
index a0bf838..a44f230 100644
--- a/lib/accelerated/intel/aes-padlock.c
+++ b/lib/accelerated/intel/aes-padlock.c
@@ -131,19 +131,6 @@ padlock_aes_encrypt(void *_ctx, const void *src, size_t
src_size,
return 0;
}
-int
-padlock_aes_ecb_encrypt(void *_ctx, const void *src, size_t src_size,
- void *dst, size_t dst_size)
-{
- struct padlock_ctx *ctx = _ctx;
- struct padlock_cipher_data *pce;
-
- pce = ALIGN16(&ctx->expanded_key);
-
- padlock_ecb_encrypt(dst, src, pce, src_size);
-
- return 0;
-}
static int
padlock_aes_decrypt(void *_ctx, const void *src, size_t src_size,
diff --git a/lib/accelerated/intel/aes-padlock.h
b/lib/accelerated/intel/aes-padlock.h
index ea3e2c6..d15a6b9 100644
--- a/lib/accelerated/intel/aes-padlock.h
+++ b/lib/accelerated/intel/aes-padlock.h
@@ -29,8 +29,6 @@ struct padlock_ctx {
extern const gnutls_crypto_cipher_st aes_gcm_padlock_struct;
int padlock_aes_cipher_setkey(void *_ctx, const void *userkey, size_t keysize);
-int padlock_aes_ecb_encrypt(void *_ctx, const void *src, size_t src_size,
- void *dst, size_t dst_size);
/* asm */
unsigned int padlock_capability(void);
diff --git a/lib/auth/ecdh_common.c b/lib/auth/ecdh_common.c
index 2903388..2b3672b 100644
--- a/lib/auth/ecdh_common.c
+++ b/lib/auth/ecdh_common.c
@@ -75,6 +75,7 @@ int ret;
ret = _gnutls_set_psk_session_key (session, psk_key, &tmp_dh_key);
_gnutls_free_datum (&tmp_dh_key);
}
+
if (ret < 0)
{
@@ -86,6 +87,11 @@ int ret;
cleanup:
_gnutls_mpi_release(&pub.params[7]);
+
+ /* no longer needed */
+ _gnutls_mpi_release (&session->key->ecdh_x);
+ _gnutls_mpi_release (&session->key->ecdh_y);
+ gnutls_pk_params_release( &session->key->ecdh_params);
return ret;
}
diff --git a/lib/nettle/ecc_free.c b/lib/nettle/ecc_free.c
index 81a9241..ab04d03 100644
--- a/lib/nettle/ecc_free.c
+++ b/lib/nettle/ecc_free.c
@@ -37,7 +37,7 @@ void
ecc_free (ecc_key * key)
{
mp_clear_multi (&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k,
- &key->prime, &key->order, &key->Gx, &key->Gy, NULL);
+ &key->prime, &key->order, &key->Gx, &key->Gy, &key->A, NULL);
}
/* $Source: /cvs/libtom/libtomcrypt/src/pk/ecc/ecc_free.c,v $ */
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 5cc7746..794a2c9 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -97,6 +97,11 @@ _ecc_params_to_privkey(const gnutls_pk_params_st * pk_params,
mpz_init_set_ui(priv->pubkey.z, 1);
}
+static void _ecc_params_clear(ecc_key * key)
+{
+ mpz_clear(key->pubkey.z);
+}
+
static void
_ecc_params_to_pubkey(const gnutls_pk_params_st * pk_params,
ecc_key * pub)
@@ -126,6 +131,8 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t
algo, gnutls_datum_t * o
int curve = priv->flags;
unsigned long sz;
+ out->data = NULL;
+
if (is_supported_curve(curve) == 0)
return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES);
@@ -135,14 +142,25 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t
algo, gnutls_datum_t * o
sz = ECC_BUF_SIZE;
out->data = gnutls_malloc(sz);
if (out->data == NULL)
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ {
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ goto ecc_cleanup;
+ }
ret = ecc_shared_secret(&ecc_priv, &ecc_pub, out->data, &sz);
if (ret != 0)
+ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+ecc_cleanup:
+ _ecc_params_clear(&ecc_pub);
+ _ecc_params_clear(&ecc_priv);
+
+ if (ret < 0)
{
gnutls_free(out->data);
- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ return ret;
}
+
out->size = sz;
break;
}
@@ -378,6 +396,7 @@ _wrap_nettle_pk_sign (gnutls_pk_algorithm_t algo,
ecdsa_fail:
dsa_signature_clear (&sig);
+ _ecc_params_clear( &priv);
if (ret < 0)
{
@@ -560,6 +579,7 @@ _wrap_nettle_pk_verify (gnutls_pk_algorithm_t algo,
_gnutls_mpi_release (&tmp[0]);
_gnutls_mpi_release (&tmp[1]);
+ _ecc_params_clear( &pub);
break;
}
case GNUTLS_PK_DSA:
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index a9e8879..17ede24 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -37,27 +37,27 @@
#define INIT_HASH 0x33a1
struct named_cert_st {
- gnutls_x509_crt_t cert;
- uint8_t name[MAX_NAME_SIZE];
- unsigned int name_size;
+ gnutls_x509_crt_t cert;
+ uint8_t name[MAX_NAME_SIZE];
+ unsigned int name_size;
};
struct node_st {
- /* The trusted certificates */
- gnutls_x509_crt_t * trusted_cas;
- unsigned int trusted_ca_size;
+ /* The trusted certificates */
+ gnutls_x509_crt_t *trusted_cas;
+ unsigned int trusted_ca_size;
- struct named_cert_st *named_certs;
- unsigned int named_cert_size;
+ struct named_cert_st *named_certs;
+ unsigned int named_cert_size;
- /* The trusted CRLs */
- gnutls_x509_crl_t * crls;
- unsigned int crl_size;
+ /* The trusted CRLs */
+ gnutls_x509_crl_t *crls;
+ unsigned int crl_size;
};
struct gnutls_x509_trust_list_st {
- int size;
- struct node_st *node;
+ int size;
+ struct node_st *node;
};
/**
@@ -73,27 +73,29 @@ struct gnutls_x509_trust_list_st {
* Since: 3.0.0
**/
int
-gnutls_x509_trust_list_init (gnutls_x509_trust_list_t * list, unsigned int
size)
+gnutls_x509_trust_list_init(gnutls_x509_trust_list_t * list,
+ unsigned int size)
{
- gnutls_x509_trust_list_t tmp = gnutls_calloc (1, sizeof (struct
gnutls_x509_trust_list_st));
-
- if (!tmp)
- return GNUTLS_E_MEMORY_ERROR;
-
- if (size == 0) size = DEFAULT_SIZE;
- tmp->size = size;
-
- tmp->node = gnutls_calloc(1, tmp->size * sizeof(tmp->node[0]));
- if (tmp->node == NULL)
- {
- gnutls_assert();
- gnutls_free(tmp);
- return GNUTLS_E_MEMORY_ERROR;
+ gnutls_x509_trust_list_t tmp =
+ gnutls_calloc(1, sizeof(struct gnutls_x509_trust_list_st));
+
+ if (!tmp)
+ return GNUTLS_E_MEMORY_ERROR;
+
+ if (size == 0)
+ size = DEFAULT_SIZE;
+ tmp->size = size;
+
+ tmp->node = gnutls_calloc(1, tmp->size * sizeof(tmp->node[0]));
+ if (tmp->node == NULL) {
+ gnutls_assert();
+ gnutls_free(tmp);
+ return GNUTLS_E_MEMORY_ERROR;
}
- *list = tmp;
+ *list = tmp;
- return 0; /* success */
+ return 0; /* success */
}
/**
@@ -106,32 +108,31 @@ gnutls_x509_trust_list_init (gnutls_x509_trust_list_t *
list, unsigned int size)
* Since: 3.0.0
**/
void
-gnutls_x509_trust_list_deinit (gnutls_x509_trust_list_t list, unsigned int all)
+gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list,
+ unsigned int all)
{
-int i, j;
-
- if (!list)
- return;
-
- if (all)
- {
- for (i=0;i<list->size;i++)
- {
- for (j=0;j<list->node[i].trusted_ca_size;j++)
- {
- gnutls_x509_crt_deinit(list->node[i].trusted_cas[j]);
+ int i, j;
+
+ if (!list)
+ return;
+
+ for (i = 0; i < list->size; i++) {
+ if (all)
+ for (j = 0; j < list->node[i].trusted_ca_size; j++) {
+ gnutls_x509_crt_deinit(list->node[i].trusted_cas[j]);
}
- gnutls_free(list->node[i].trusted_cas);
- for (j=0;j<list->node[i].crl_size;j++)
- {
- gnutls_x509_crl_deinit(list->node[i].crls[j]);
+ gnutls_free(list->node[i].trusted_cas);
+
+ if (all)
+ for (j = 0; j < list->node[i].crl_size; j++) {
+ gnutls_x509_crl_deinit(list->node[i].crls[j]);
}
- gnutls_free(list->node[i].crls);
- }
+ gnutls_free(list->node[i].crls);
+ gnutls_free(list->node[i].named_certs);
}
- gnutls_free (list->node);
- gnutls_free (list);
+ gnutls_free(list->node);
+ gnutls_free(list);
}
/**
@@ -150,39 +151,41 @@ int i, j;
* Since: 3.0.0
**/
int
-gnutls_x509_trust_list_add_cas (gnutls_x509_trust_list_t list,
- const gnutls_x509_crt_t * clist, int clist_size, unsigned int flags)
+gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list,
+ const gnutls_x509_crt_t * clist,
+ int clist_size, unsigned int flags)
{
-gnutls_datum_t dn;
-int ret, i;
-uint32_t hash;
+ gnutls_datum_t dn;
+ int ret, i;
+ uint32_t hash;
- for (i=0;i<clist_size;i++)
- {
+ for (i = 0; i < clist_size; i++) {
ret = gnutls_x509_crt_get_raw_dn(clist[i], &dn);
- if (ret < 0)
- {
+ if (ret < 0) {
gnutls_assert();
return i;
- }
+ }
hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
hash %= list->size;
_gnutls_free_datum(&dn);
-
- list->node[hash].trusted_cas = gnutls_realloc_fast(
list->node[hash].trusted_cas,
(list->node[hash].trusted_ca_size+1)*sizeof(list->node[hash].trusted_cas[0]));
- if (list->node[hash].trusted_cas == NULL)
- {
+ list->node[hash].trusted_cas =
+ gnutls_realloc_fast(list->node[hash].trusted_cas,
+ (list->node[hash].trusted_ca_size +
+ 1) *
+ sizeof(list->node[hash].trusted_cas[0]));
+ if (list->node[hash].trusted_cas == NULL) {
gnutls_assert();
return i;
- }
+ }
- list->node[hash].trusted_cas[list->node[hash].trusted_ca_size] =
clist[i];
+ list->node[hash].trusted_cas[list->node[hash].trusted_ca_size] =
+ clist[i];
list->node[hash].trusted_ca_size++;
}
- return i;
+ return i;
}
/**
@@ -211,39 +214,46 @@ uint32_t hash;
* Since: 3.0.0
**/
int
-gnutls_x509_trust_list_add_named_crt (gnutls_x509_trust_list_t list,
- gnutls_x509_crt_t cert, const void* name, size_t name_size, unsigned int
flags)
+gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list,
+ gnutls_x509_crt_t cert,
+ const void *name, size_t name_size,
+ unsigned int flags)
{
-gnutls_datum_t dn;
-int ret;
-uint32_t hash;
-
- if (name_size >= MAX_NAME_SIZE)
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-
- ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn);
- if (ret < 0)
- {
- gnutls_assert();
- return ret;
+ gnutls_datum_t dn;
+ int ret;
+ uint32_t hash;
+
+ if (name_size >= MAX_NAME_SIZE)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+ ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
}
- hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
- hash %= list->size;
+ hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
+ hash %= list->size;
- _gnutls_free_datum(&dn);
+ _gnutls_free_datum(&dn);
- list->node[hash].named_certs = gnutls_realloc_fast(
list->node[hash].named_certs,
(list->node[hash].named_cert_size+1)*sizeof(list->node[hash].named_certs[0]));
- if (list->node[hash].named_certs == NULL)
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ list->node[hash].named_certs =
+ gnutls_realloc_fast(list->node[hash].named_certs,
+ (list->node[hash].named_cert_size +
+ 1) * sizeof(list->node[hash].named_certs[0]));
+ if (list->node[hash].named_certs == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- list->node[hash].named_certs[list->node[hash].named_cert_size].cert = cert;
- memcpy(list->node[hash].named_certs[list->node[hash].named_cert_size].name,
name, name_size);
- list->node[hash].named_certs[list->node[hash].named_cert_size].name_size =
name_size;
+ list->node[hash].named_certs[list->node[hash].named_cert_size].cert =
+ cert;
+ memcpy(list->node[hash].named_certs[list->node[hash].named_cert_size].
+ name, name, name_size);
+ list->node[hash].named_certs[list->node[hash].named_cert_size].
+ name_size = name_size;
- list->node[hash].named_cert_size++;
+ list->node[hash].named_cert_size++;
- return 0;
+ return 0;
}
/**
@@ -266,58 +276,62 @@ uint32_t hash;
* Since: 3.0.0
**/
int
-gnutls_x509_trust_list_add_crls (gnutls_x509_trust_list_t list,
- const gnutls_x509_crl_t * crl_list, int crl_size, unsigned int flags,
- unsigned int verification_flags)
+gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list,
+ const gnutls_x509_crl_t * crl_list,
+ int crl_size, unsigned int flags,
+ unsigned int verification_flags)
{
-int ret, i, j = 0;
-gnutls_datum_t dn;
-unsigned int vret = 0;
-uint32_t hash;
+ int ret, i, j = 0;
+ gnutls_datum_t dn;
+ unsigned int vret = 0;
+ uint32_t hash;
- /* Probably we can optimize things such as removing duplicates
- * etc.
- */
+ /* Probably we can optimize things such as removing duplicates
+ * etc.
+ */
- if (crl_size == 0 || crl_list == NULL)
- return 0;
+ if (crl_size == 0 || crl_list == NULL)
+ return 0;
- for (i=0;i<crl_size;i++)
- {
+ for (i = 0; i < crl_size; i++) {
ret = gnutls_x509_crl_get_raw_issuer_dn(crl_list[i], &dn);
- if (ret < 0)
- {
+ if (ret < 0) {
gnutls_assert();
return i;
- }
+ }
hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
hash %= list->size;
_gnutls_free_datum(&dn);
- if (flags & GNUTLS_TL_VERIFY_CRL)
- {
+ if (flags & GNUTLS_TL_VERIFY_CRL) {
- ret = gnutls_x509_crl_verify(crl_list[i],
list->node[hash].trusted_cas,
- list->node[hash].trusted_ca_size, verification_flags, &vret);
+ ret =
+ gnutls_x509_crl_verify(crl_list[i],
+ list->node[hash].trusted_cas,
+ list->node[hash].trusted_ca_size,
+ verification_flags, &vret);
if (ret < 0 || vret != 0)
- continue;
- }
+ continue;
+ }
- list->node[hash].crls = gnutls_realloc_fast( list->node[hash].crls,
(list->node[hash].crl_size+1)*sizeof(list->node[hash].trusted_cas[0]));
- if (list->node[hash].crls == NULL)
- {
+ list->node[hash].crls =
+ gnutls_realloc_fast(list->node[hash].crls,
+ (list->node[hash].crl_size +
+ 1) *
+ sizeof(list->node[hash].trusted_cas[0]));
+ if (list->node[hash].crls == NULL) {
gnutls_assert();
return i;
- }
+ }
list->node[hash].crls[list->node[hash].crl_size] = crl_list[i];
list->node[hash].crl_size++;
j++;
}
- return j;
+ return j;
}
/* Takes a certificate list and shortens it if there are
@@ -328,64 +342,62 @@ uint32_t hash;
* Returns the new size of the list or a negative number on error.
*/
static int shorten_clist(gnutls_x509_trust_list_t list,
- gnutls_x509_crt_t* certificate_list, int clist_size)
+ gnutls_x509_crt_t * certificate_list,
+ int clist_size)
{
-int i, ret;
-uint32_t hash;
-gnutls_datum_t dn;
-
- if (clist_size > 1)
- {
- /* Check if the last certificate in the path is self signed.
- * In that case ignore it (a certificate is trusted only if it
- * leads to a trusted party by us, not the server's).
- *
- * This prevents from verifying self signed certificates against
- * themselves. This (although not bad) caused verification
- * failures on some root self signed certificates that use the
- * MD2 algorithm.
- */
- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
- certificate_list[clist_size - 1]) > 0)
- {
- clist_size--;
+ int i, ret;
+ uint32_t hash;
+ gnutls_datum_t dn;
+
+ if (clist_size > 1) {
+ /* Check if the last certificate in the path is self signed.
+ * In that case ignore it (a certificate is trusted only if it
+ * leads to a trusted party by us, not the server's).
+ *
+ * This prevents from verifying self signed certificates against
+ * themselves. This (although not bad) caused verification
+ * failures on some root self signed certificates that use the
+ * MD2 algorithm.
+ */
+ if (gnutls_x509_crt_check_issuer(certificate_list[clist_size - 1],
+ certificate_list[clist_size -
+ 1]) > 0) {
+ clist_size--;
}
}
- /* We want to shorten the chain by removing the cert that matches
- * one of the certs we trust and all the certs after that i.e. if
- * cert chain is A signed-by B signed-by C signed-by D (signed-by
- * self-signed E but already removed above), and we trust B, remove
- * B, C and D. */
- for (i=1; i < clist_size; i++)
- {
- int j;
-
- ret = gnutls_x509_crt_get_raw_issuer_dn(certificate_list[i], &dn);
- if (ret < 0)
- {
- gnutls_assert();
- return ret;
+ /* We want to shorten the chain by removing the cert that matches
+ * one of the certs we trust and all the certs after that i.e. if
+ * cert chain is A signed-by B signed-by C signed-by D (signed-by
+ * self-signed E but already removed above), and we trust B, remove
+ * B, C and D. */
+ for (i = 1; i < clist_size; i++) {
+ int j;
+
+ ret = gnutls_x509_crt_get_raw_issuer_dn(certificate_list[i], &dn);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
}
- hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
- hash %= list->size;
+ hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
+ hash %= list->size;
- _gnutls_free_datum(&dn);
+ _gnutls_free_datum(&dn);
- for (j = 0; j < list->node[hash].trusted_ca_size; j++)
- {
- if (check_if_same_cert (certificate_list[i],
list->node[hash].trusted_cas[j]) == 0)
- {
- /* cut the list at the point of first the trusted certificate */
- clist_size = i+1;
- break;
+ for (j = 0; j < list->node[hash].trusted_ca_size; j++) {
+ if (check_if_same_cert
+ (certificate_list[i],
+ list->node[hash].trusted_cas[j]) == 0) {
+ /* cut the list at the point of first the trusted certificate
*/
+ clist_size = i + 1;
+ break;
}
}
- /* clist_size may have been changed which gets out of loop */
+ /* clist_size may have been changed which gets out of loop */
}
- return clist_size;
+ return clist_size;
}
/**
@@ -404,35 +416,36 @@ gnutls_datum_t dn;
* Since: 3.0.0
**/
int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
- gnutls_x509_crt_t cert, gnutls_x509_crt_t* issuer, unsigned int flags)
+ gnutls_x509_crt_t cert,
+ gnutls_x509_crt_t * issuer,
+ unsigned int flags)
{
-gnutls_datum_t dn;
-int ret, i;
-uint32_t hash;
-
- ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn);
- if (ret < 0)
- {
- gnutls_assert();
- return ret;
+ gnutls_datum_t dn;
+ int ret, i;
+ uint32_t hash;
+
+ ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
}
- hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
- hash %= list->size;
+ hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
+ hash %= list->size;
- _gnutls_free_datum(&dn);
+ _gnutls_free_datum(&dn);
- for (i=0;i<list->node[hash].trusted_ca_size;i++)
- {
- ret = gnutls_x509_crt_check_issuer (cert,
list->node[hash].trusted_cas[i]);
- if (ret > 0)
- {
- *issuer = list->node[hash].trusted_cas[i];
- return 0;
+ for (i = 0; i < list->node[hash].trusted_ca_size; i++) {
+ ret =
+ gnutls_x509_crt_check_issuer(cert,
+ list->node[hash].trusted_cas[i]);
+ if (ret > 0) {
+ *issuer = list->node[hash].trusted_cas[i];
+ return 0;
}
}
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
/**
@@ -453,82 +466,83 @@ uint32_t hash;
* Since: 3.0.0
**/
int
-gnutls_x509_trust_list_verify_crt (
- gnutls_x509_trust_list_t list,
- gnutls_x509_crt_t *cert_list,
- unsigned int cert_list_size,
- unsigned int flags,
- unsigned int *verify,
- gnutls_verify_output_function func)
+gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
+ gnutls_x509_crt_t * cert_list,
+ unsigned int cert_list_size,
+ unsigned int flags,
+ unsigned int *verify,
+ gnutls_verify_output_function func)
{
-gnutls_datum_t dn;
-int ret, i;
-uint32_t hash;
-
- if (cert_list == NULL || cert_list_size < 1)
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-
- cert_list_size = shorten_clist(list, cert_list, cert_list_size);
- if (cert_list_size <= 0)
- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
-
- ret = gnutls_x509_crt_get_raw_issuer_dn(cert_list[cert_list_size-1], &dn);
- if (ret < 0)
- {
- gnutls_assert();
- return ret;
+ gnutls_datum_t dn;
+ int ret, i;
+ uint32_t hash;
+
+ if (cert_list == NULL || cert_list_size < 1)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+ cert_list_size = shorten_clist(list, cert_list, cert_list_size);
+ if (cert_list_size <= 0)
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+ ret =
+ gnutls_x509_crt_get_raw_issuer_dn(cert_list[cert_list_size - 1],
+ &dn);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
}
- hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
- hash %= list->size;
-
- _gnutls_free_datum(&dn);
-
- *verify = _gnutls_x509_verify_certificate(cert_list, cert_list_size,
- list->node[hash].trusted_cas, list->node[hash].trusted_ca_size,
- flags, func);
-
- if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) return 0;
-
- /* Check revocation of individual certificates.
- * start with the last one that we already have its hash
- */
- ret = _gnutls_x509_crt_check_revocation (cert_list[cert_list_size-1],
- list->node[hash].crls,
- list->node[hash].crl_size, func);
- if (ret == 1)
- { /* revoked */
- *verify |= GNUTLS_CERT_REVOKED;
- *verify |= GNUTLS_CERT_INVALID;
- return 0;
+ hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
+ hash %= list->size;
+
+ _gnutls_free_datum(&dn);
+
+ *verify = _gnutls_x509_verify_certificate(cert_list, cert_list_size,
+ list->node[hash].trusted_cas,
+ list->node[hash].
+ trusted_ca_size, flags,
+ func);
+
+ if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS))
+ return 0;
+
+ /* Check revocation of individual certificates.
+ * start with the last one that we already have its hash
+ */
+ ret = _gnutls_x509_crt_check_revocation(cert_list[cert_list_size - 1],
+ list->node[hash].crls,
+ list->node[hash].crl_size,
+ func);
+ if (ret == 1) { /* revoked */
+ *verify |= GNUTLS_CERT_REVOKED;
+ *verify |= GNUTLS_CERT_INVALID;
+ return 0;
}
- for (i=0;i<cert_list_size-1;i++)
- {
- ret = gnutls_x509_crt_get_raw_issuer_dn(cert_list[i], &dn);
- if (ret < 0)
- {
- gnutls_assert();
- return ret;
+ for (i = 0; i < cert_list_size - 1; i++) {
+ ret = gnutls_x509_crt_get_raw_issuer_dn(cert_list[i], &dn);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
}
- hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
- hash %= list->size;
+ hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
+ hash %= list->size;
- _gnutls_free_datum(&dn);
+ _gnutls_free_datum(&dn);
- ret = _gnutls_x509_crt_check_revocation (cert_list[i],
- list->node[hash].crls,
- list->node[hash].crl_size, func);
- if (ret == 1)
- { /* revoked */
- *verify |= GNUTLS_CERT_REVOKED;
- *verify |= GNUTLS_CERT_INVALID;
- return 0;
+ ret = _gnutls_x509_crt_check_revocation(cert_list[i],
+ list->node[hash].crls,
+ list->node[hash].crl_size,
+ func);
+ if (ret == 1) { /* revoked */
+ *verify |= GNUTLS_CERT_REVOKED;
+ *verify |= GNUTLS_CERT_INVALID;
+ return 0;
}
}
- return 0;
+ return 0;
}
/**
@@ -551,60 +565,57 @@ uint32_t hash;
* Since: 3.0.0
**/
int
-gnutls_x509_trust_list_verify_named_crt (
- gnutls_x509_trust_list_t list,
- gnutls_x509_crt_t cert,
- const void * name,
- size_t name_size,
- unsigned int flags,
- unsigned int *verify,
- gnutls_verify_output_function func)
+gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list,
+ gnutls_x509_crt_t cert,
+ const void *name,
+ size_t name_size,
+ unsigned int flags,
+ unsigned int *verify,
+ gnutls_verify_output_function func)
{
-gnutls_datum_t dn;
-int ret, i;
-uint32_t hash;
-
- ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn);
- if (ret < 0)
- {
- gnutls_assert();
- return ret;
+ gnutls_datum_t dn;
+ int ret, i;
+ uint32_t hash;
+
+ ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
}
- hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
- hash %= list->size;
+ hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
+ hash %= list->size;
- _gnutls_free_datum(&dn);
+ _gnutls_free_datum(&dn);
- *verify = GNUTLS_CERT_INVALID;
+ *verify = GNUTLS_CERT_INVALID;
- for (i=0;i<list->node[hash].named_cert_size;i++)
- {
- if (check_if_same_cert(cert, list->node[hash].named_certs[i].cert)==0)
- { /* check if name matches */
- if (list->node[hash].named_certs[i].name_size==name_size &&
- memcmp(list->node[hash].named_certs[i].name, name, name_size) ==
0)
- {
+ for (i = 0; i < list->node[hash].named_cert_size; i++) {
+ if (check_if_same_cert(cert, list->node[hash].named_certs[i].cert) ==
0) { /* check if name matches */
+ if (list->node[hash].named_certs[i].name_size == name_size &&
+ memcmp(list->node[hash].named_certs[i].name, name,
+ name_size) == 0) {
*verify = 0;
break;
- }
+ }
}
}
- if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) return 0;
-
- /* Check revocation of individual certificates.
- * start with the last one that we already have its hash
- */
- ret = _gnutls_x509_crt_check_revocation (cert,
- list->node[hash].crls,
- list->node[hash].crl_size, func);
- if (ret == 1)
- { /* revoked */
- *verify |= GNUTLS_CERT_REVOKED;
- *verify |= GNUTLS_CERT_INVALID;
- return 0;
+ if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS))
+ return 0;
+
+ /* Check revocation of individual certificates.
+ * start with the last one that we already have its hash
+ */
+ ret = _gnutls_x509_crt_check_revocation(cert,
+ list->node[hash].crls,
+ list->node[hash].crl_size,
+ func);
+ if (ret == 1) { /* revoked */
+ *verify |= GNUTLS_CERT_REVOKED;
+ *verify |= GNUTLS_CERT_INVALID;
+ return 0;
}
- return 0;
+ return 0;
}
diff --git a/tests/x509cert-tl.c b/tests/x509cert-tl.c
index b6ee2e6..f3936f7 100644
--- a/tests/x509cert-tl.c
+++ b/tests/x509cert-tl.c
@@ -205,5 +205,7 @@ doit (void)
gnutls_x509_crt_deinit(server_crt);
gnutls_x509_trust_list_deinit(tl, 0);
+ gnutls_global_deinit();
+
success("success");
}
diff --git a/tests/x509cert.c b/tests/x509cert.c
index 2b7c8e8..8edd711 100644
--- a/tests/x509cert.c
+++ b/tests/x509cert.c
@@ -201,5 +201,7 @@ doit (void)
gnutls_x509_crt_deinit(list[i]);
gnutls_certificate_free_credentials(x509_cred);
+ gnutls_global_deinit();
+
success("success");
}
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, gnutls_3_0_x, updated. gnutls_3_0_1-117-g886da0b,
Nikos Mavrogiannopoulos <=