[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_7-66-g63ac406
|
From: |
Simon Josefsson |
|
Subject: |
[SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_7-66-g63ac406 |
|
Date: |
Sat, 12 Nov 2011 10:42:28 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=63ac40632a4eaae661e2c43584d68be22c2dc43a
The branch, ocsp has been updated
via 63ac40632a4eaae661e2c43584d68be22c2dc43a (commit)
via 9b3d0fbe3183ab8a99ecd2a0812c2dbd580a55af (commit)
via c922eaae5145af6e09fd5bd21381c70510fd8546 (commit)
via 22e2a02f8fb2f0a6aa04c363f2abe30ca0ed8169 (commit)
from 5f944be2aea6b3ea8fd82de1d0d1d7b289c96d5b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 63ac40632a4eaae661e2c43584d68be22c2dc43a
Author: Simon Josefsson <address@hidden>
Date: Sat Nov 12 10:22:52 2011 +0100
Don't export verify-high structs internally.
commit 9b3d0fbe3183ab8a99ecd2a0812c2dbd580a55af
Author: Simon Josefsson <address@hidden>
Date: Thu Nov 10 17:07:54 2011 +0100
Improve OCSP manual.
commit c922eaae5145af6e09fd5bd21381c70510fd8546
Author: Simon Josefsson <address@hidden>
Date: Thu Nov 10 16:48:33 2011 +0100
Add gnutls_ocsp_req_randomize_nonce.
commit 22e2a02f8fb2f0a6aa04c363f2abe30ca0ed8169
Author: Simon Josefsson <address@hidden>
Date: Thu Nov 10 16:25:39 2011 +0100
Improve OCSP manual.
-----------------------------------------------------------------------
Summary of changes:
doc/cha-bib.texi | 5 +
doc/cha-cert-auth.texi | 120 +++++++++++++++++++++---
lib/includes/gnutls/ocsp.h | 10 +-
lib/libgnutls.map | 1 +
lib/x509/ocsp.c | 221 +++++++++++++++++++-------------------------
lib/x509/verify-high.c | 62 ++++++++++++-
lib/x509/verify-high.h | 47 +++++-----
tests/ocsp.c | 149 +++++++++++++++++++++++++++++
8 files changed, 445 insertions(+), 170 deletions(-)
diff --git a/doc/cha-bib.texi b/doc/cha-bib.texi
index d517289..3bde7da 100644
--- a/doc/cha-bib.texi
+++ b/doc/cha-bib.texi
@@ -176,6 +176,11 @@ John Wiley \& Sons, Inc., 2001.
M. Mathis, J. Heffner, "Packetization Layer Path MTU Discovery", March 2007,
available from @url{http://www.ietf.org/rfc/rfc4821.txt}.
address@hidden @anchor{RFC2560}[RFC2560]
+M. Myers et al, "X.509 Internet Public Key Infrastructure Online
+Certificate Status Protocol - OCSP", June 1999, Available from
address@hidden://www.ietf.org/rfc/rfc2560.txt}.
+
@item @anchor{RIVESTCRL}[RIVESTCRL]
R. L. Rivest, "Can We Eliminate Certificate Revocation Lists?",
Proceedings of Financial Cryptography '98; Springer Lecture Notes in
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index e479638..96e37c4 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -212,10 +212,10 @@ example @xcite{RIVESTCRL}.
The Online Certificate Status Protocol (@acronym{OCSP}) is widely
implemented protocol to perform certificate (revocation) status
-checking. An application that wishes to verify the identity of a peer
-will check the certificate against a set of trusted certificates and
-then also check whether the certificate is listed in a CRL and/or
-perform an OCSP check of the certificate.
+checking. @xcite{RFC2560}. An application that wish to verify the
+identity of a peer will check the certificate against a set of trusted
+certificates and then also check whether the certificate is listed in
+a CRL and/or perform an OCSP check of the certificate.
Before performing the OCSP query, the application will need to figure
out the address of the OCSP server. The OCSP server information can
@@ -229,14 +229,15 @@ information from a certificate.
@showfuncA{gnutls_x509_crt_get_authority_info_access}
There are several functions in GnuTLS for creating and manipulating
-OCSP requests and responses. The idea is that a client application
-create an OCSP request object, store some information about the
-certificate to check in the request, and then export the request in
-DER format. The request will then need to be sent to the OCSP
-responder, and normally an OCSP response is received that the
-application will need to import into an OCSP response object. The
-digital signature in the OCSP response needs to be verified before the
-information in the response can be trusted.
+OCSP requests and responses. The general idea is that a client
+application create an OCSP request object, store some information
+about the certificate to check in the request, and then export the
+request in DER format. The request will then need to be sent to the
+OCSP responder, which needs to be done by the application (GnuTLS does
+not send and receive OCSP packets). Normally an OCSP response is
+received that the application will need to import into an OCSP
+response object. The digital signature in the OCSP response needs to
+be verified before the information in the response can be trusted.
The ASN.1 structure of OCSP requests are briefly as follows. It is
useful to review the structures to get an understanding of which
@@ -278,9 +279,100 @@ a OCSP request, the first being a low-level function when
you have the
issuer name hash, issuer key hash, and certificate serial number in
binary form. The second is usually more useful if you have the
certificate (and its issuer) in a @code{gnutls_x509_crt_t} type.
+There is also a function to extract this information from an OCSP
+request.
address@hidden,
- gnutls_ocsp_req_add_cert}
address@hidden,
+ gnutls_ocsp_req_add_cert,
+ gnutls_ocsp_req_get_certid}
+
+Each OCSP request may contain a number of extensions. Extensions are
+identified by an Object Identifier (OID) and an opaque data buffer
+whose syntax and semantics is implied by the OID.
+
address@hidden,
+ gnutls_ocsp_req_set_extension}
+
+A common OCSP Request extension is the nonce extension (OID
+1.3.6.1.5.5.7.48.1.2), which is used to avoid replay attacks of
+earlier recorded OCSP responses. The nonce extension carries a value
+that is intended to be sufficiently random and unique so that an
+attacker will not be able to give a stale response for the same nonce.
+
address@hidden,
+ gnutls_ocsp_req_set_nonce,
+ gnutls_ocsp_req_randomize_nonce}
+
+The OCSP response structures is a bit more complex than the request.
+The important ASN.1 structure is as follows. In practice, all OCSP
+responses contain a Basic OCSP response sub-structure.
+
address@hidden
+OCSPResponse ::= SEQUENCE @{
+ responseStatus OCSPResponseStatus,
+ responseBytes [0] EXPLICIT ResponseBytes OPTIONAL @}
+
+OCSPResponseStatus ::= ENUMERATED @{
+ successful (0), --Response has valid confirmations
+ malformedRequest (1), --Illegal confirmation request
+ internalError (2), --Internal error in issuer
+ tryLater (3), --Try again later
+ --(4) is not used
+ sigRequired (5), --Must sign the request
+ unauthorized (6) --Request unauthorized @}
+
+ResponseBytes ::= SEQUENCE @{
+ responseType OBJECT IDENTIFIER,
+ response OCTET STRING @}
+
+id-pkix-ocsp-basic OBJECT IDENTIFIER ::= @{ id-pkix-ocsp 1 @}
+
+BasicOCSPResponse ::= SEQUENCE @{
+ tbsResponseData ResponseData,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING,
+ certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL @}
+
+ResponseData ::= SEQUENCE @{
+ version [0] EXPLICIT Version DEFAULT v1,
+ responderID ResponderID,
+ producedAt GeneralizedTime,
+ responses SEQUENCE OF SingleResponse,
+ responseExtensions [1] EXPLICIT Extensions OPTIONAL @}
+
+ResponderID ::= CHOICE @{
+ byName [1] Name,
+ byKey [2] KeyHash @}
+
+KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
+(excluding the tag and length fields)
+
+SingleResponse ::= SEQUENCE @{
+ certID CertID,
+ certStatus CertStatus,
+ thisUpdate GeneralizedTime,
+ nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
+ singleExtensions [1] EXPLICIT Extensions OPTIONAL @}
+
+CertStatus ::= CHOICE @{
+ good [0] IMPLICIT NULL,
+ revoked [1] IMPLICIT RevokedInfo,
+ unknown [2] IMPLICIT UnknownInfo @}
+
+RevokedInfo ::= SEQUENCE @{
+ revocationTime GeneralizedTime,
+ revocationReason [0] EXPLICIT CRLReason OPTIONAL @}
address@hidden example
+
+We provide basic functions for initialization, importing, exporting
+and deallocating OCSP responses. The Basic OCSP Response structure is
+automatically parsed when an OCSP Response is imported.
+
address@hidden,
+ gnutls_ocsp_resp_deinit,
+ gnutls_ocsp_resp_import,
+ gnutls_ocsp_resp_export,
+ gnutls_ocsp_resp_print}
@node Certificate requests
@subsection @acronym{PKCS} #10 certificate requests
diff --git a/lib/includes/gnutls/ocsp.h b/lib/includes/gnutls/ocsp.h
index 4031ca5..af37303 100644
--- a/lib/includes/gnutls/ocsp.h
+++ b/lib/includes/gnutls/ocsp.h
@@ -139,6 +139,7 @@ extern "C"
gnutls_datum_t * out);
int gnutls_ocsp_req_get_version (gnutls_ocsp_req_t req);
+
int gnutls_ocsp_req_get_certid (gnutls_ocsp_req_t req,
unsigned indx,
gnutls_digest_algorithm_t *digest,
@@ -160,17 +161,18 @@ extern "C"
gnutls_datum_t *oid,
unsigned int *critical,
gnutls_datum_t *data);
- int gnutls_ocsp_req_get_nonce (gnutls_ocsp_req_t req,
- unsigned int *critical,
- gnutls_datum_t *nonce);
-
int gnutls_ocsp_req_set_extension (gnutls_ocsp_req_t req,
const char *oid,
unsigned int critical,
const gnutls_datum_t *data);
+
+ int gnutls_ocsp_req_get_nonce (gnutls_ocsp_req_t req,
+ unsigned int *critical,
+ gnutls_datum_t *nonce);
int gnutls_ocsp_req_set_nonce (gnutls_ocsp_req_t req,
unsigned int critical,
const gnutls_datum_t *nonce);
+ int gnutls_ocsp_req_randomize_nonce (gnutls_ocsp_req_t req);
struct gnutls_ocsp_resp_int;
typedef struct gnutls_ocsp_resp_int *gnutls_ocsp_resp_t;
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index d5bee1b..322045a 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -748,6 +748,7 @@ GNUTLS_3_0_0 {
gnutls_ocsp_resp_get_nonce;
gnutls_ocsp_req_set_nonce;
gnutls_ocsp_resp_verify;
+ gnutls_ocsp_req_randomize_nonce;
gnutls_privkey_import_ext;
gnutls_certificate_set_key;
gnutls_srp_3072_group_generator;
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index a50fa93..d1cee34 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -741,65 +741,6 @@ gnutls_ocsp_req_add_cert (gnutls_ocsp_req_t req,
}
/**
- * gnutls_ocsp_req_get_nonce:
- * @req: should contain a #gnutls_ocsp_req_t structure
- * @critical: whether nonce extension is marked critical
- * @nonce: will hold newly allocated buffer with nonce data
- *
- * This function will return the OCSP request nonce extension data.
- *
- * The caller needs to deallocate memory by calling gnutls_free() on
- * @nonce->data.
- *
- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
- * negative error code is returned.
- **/
-int
-gnutls_ocsp_req_get_nonce (gnutls_ocsp_req_t req,
- unsigned int *critical,
- gnutls_datum_t *nonce)
-{
- int ret;
- size_t l = 0;
- gnutls_datum_t tmp;
-
- ret = get_extension (req->req, "tbsRequest.requestExtensions",
- GNUTLS_OCSP_NONCE, 0,
- &tmp, critical);
- if (ret != GNUTLS_E_SUCCESS)
- {
- gnutls_assert ();
- return ret;
- }
-
- ret = _gnutls_x509_decode_octet_string (NULL, tmp.data, (size_t) tmp.size,
- NULL, &l);
- if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
- {
- gnutls_assert ();
- return ret;
- }
-
- nonce->data = gnutls_malloc (l);
- if (nonce->data == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- ret = _gnutls_x509_decode_octet_string (NULL, tmp.data, (size_t) tmp.size,
- nonce->data, &l);
- if (ret != GNUTLS_E_SUCCESS)
- {
- gnutls_assert ();
- return ret;
- }
- nonce->size = l;
-
- return GNUTLS_E_SUCCESS;
-}
-
-/**
* gnutls_ocsp_req_get_extension:
* @req: should contain a #gnutls_ocsp_req_t structure
* @indx: Specifies which extension OID to get. Use (0) to get the first one.
@@ -914,6 +855,65 @@ gnutls_ocsp_req_set_extension (gnutls_ocsp_req_t req,
}
/**
+ * gnutls_ocsp_req_get_nonce:
+ * @req: should contain a #gnutls_ocsp_req_t structure
+ * @critical: whether nonce extension is marked critical
+ * @nonce: will hold newly allocated buffer with nonce data
+ *
+ * This function will return the OCSP request nonce extension data.
+ *
+ * The caller needs to deallocate memory by calling gnutls_free() on
+ * @nonce->data.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error code is returned.
+ **/
+int
+gnutls_ocsp_req_get_nonce (gnutls_ocsp_req_t req,
+ unsigned int *critical,
+ gnutls_datum_t *nonce)
+{
+ int ret;
+ size_t l = 0;
+ gnutls_datum_t tmp;
+
+ ret = get_extension (req->req, "tbsRequest.requestExtensions",
+ GNUTLS_OCSP_NONCE, 0,
+ &tmp, critical);
+ if (ret != GNUTLS_E_SUCCESS)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ ret = _gnutls_x509_decode_octet_string (NULL, tmp.data, (size_t) tmp.size,
+ NULL, &l);
+ if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ nonce->data = gnutls_malloc (l);
+ if (nonce->data == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ ret = _gnutls_x509_decode_octet_string (NULL, tmp.data, (size_t) tmp.size,
+ nonce->data, &l);
+ if (ret != GNUTLS_E_SUCCESS)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+ nonce->size = l;
+
+ return GNUTLS_E_SUCCESS;
+}
+
+/**
* gnutls_ocsp_req_set_nonce:
* @req: should contain a #gnutls_ocsp_req_t structure
* @critical: critical flag, normally false.
@@ -963,6 +963,40 @@ gnutls_ocsp_req_set_nonce (gnutls_ocsp_req_t req,
}
/**
+ * gnutls_ocsp_req_randomize_nonce:
+ * @req: should contain a #gnutls_ocsp_req_t structure
+ *
+ * This function will add or update an nonce extension to the OCSP
+ * request with a newly generated random value.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error code is returned.
+ **/
+int
+gnutls_ocsp_req_randomize_nonce (gnutls_ocsp_req_t req)
+{
+ int ret;
+ char rndbuf[23];
+ gnutls_datum_t nonce = { rndbuf, sizeof (rndbuf) };
+
+ ret = gnutls_rnd (GNUTLS_RND_NONCE, rndbuf, sizeof (rndbuf));
+ if (ret != GNUTLS_E_SUCCESS)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ ret = gnutls_ocsp_req_set_nonce (req, 0, &nonce);
+ if (ret != GNUTLS_E_SUCCESS)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ return GNUTLS_E_SUCCESS;
+}
+
+/**
* gnutls_ocsp_resp_get_status:
* @resp: should contain a #gnutls_ocsp_resp_t structure
*
@@ -1809,73 +1843,6 @@ find_signercert (gnutls_ocsp_resp_t resp)
return signercert;
}
-static int
-same_cert_p (gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2)
-{
- gnutls_datum_t cert1bin, cert2bin;
- int result;
-
- result = _gnutls_x509_der_encode (cert1->cert, "", &cert1bin, 0);
- if (result < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- result = _gnutls_x509_der_encode (cert2->cert, "", &cert2bin, 0);
- if (result < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- if ((cert1bin.size == cert2bin.size) &&
- (memcmp (cert1bin.data, cert2bin.data, cert1bin.size) == 0))
- result = 1;
- else
- result = 0;
-
- cleanup:
- _gnutls_free_datum (&cert1bin);
- _gnutls_free_datum (&cert2bin);
- return result;
-}
-
-static int
-inlist_p (gnutls_x509_trust_list_t list, gnutls_x509_crt_t cert)
-{
- gnutls_datum_t dn;
- int ret, i;
- uint32_t hash;
-
- ret = gnutls_x509_crt_get_raw_dn (cert, &dn);
- if (ret < 0)
- {
- gnutls_assert();
- return ret;
- }
-
- hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
- hash %= list->size;
-
- _gnutls_free_datum (&dn);
-
- for (i = 0; i < list->node[hash].trusted_ca_size; i++)
- {
- ret = same_cert_p (cert, list->node[hash].trusted_cas[i]);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- if (ret == 1)
- return 1;
- }
-
- return 0;
-}
-
/**
* gnutls_ocsp_resp_verify:
* @resp: should contain a #gnutls_ocsp_resp_t structure
@@ -1948,7 +1915,7 @@ gnutls_ocsp_resp_verify (gnutls_ocsp_resp_t resp,
directly signed by something we trust, and has proper OCSP
extkeyusage. */
- rc = inlist_p (trustlist, signercert);
+ rc = _gnutls_trustlist_inlist_p (trustlist, signercert);
if (rc < 0)
{
gnutls_assert ();
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index b0efe32..31eb1c0 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -20,7 +20,6 @@
*
*/
-
#include <gnutls_int.h>
#include <gnutls_errors.h>
#include <libtasn1.h>
@@ -34,6 +33,31 @@
#include <common.h>
#include "verify-high.h"
+struct named_cert_st {
+ gnutls_x509_crt_t cert;
+ uint8_t name[MAX_NAME_SIZE];
+ unsigned int name_size;
+};
+
+struct node_st {
+ /* The trusted certificates */
+ gnutls_x509_crt_t *trusted_cas;
+ unsigned int trusted_ca_size;
+
+ struct named_cert_st *named_certs;
+ unsigned int named_cert_size;
+
+ /* The trusted CRLs */
+ gnutls_x509_crl_t *crls;
+ unsigned int crl_size;
+};
+
+struct gnutls_x509_trust_list_st {
+ int size;
+ struct node_st *node;
+};
+
+#define INIT_HASH 0x33a1
#define DEFAULT_SIZE 503
/**
@@ -595,3 +619,39 @@
gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list,
return 0;
}
+
+int
+_gnutls_trustlist_inlist_p (gnutls_x509_trust_list_t list,
+ gnutls_x509_crt_t cert)
+{
+ gnutls_datum_t dn;
+ int ret, i;
+ uint32_t hash;
+
+ ret = gnutls_x509_crt_get_raw_dn (cert, &dn);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ return ret;
+ }
+
+ hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
+ hash %= list->size;
+
+ _gnutls_free_datum (&dn);
+
+ for (i = 0; i < list->node[hash].trusted_ca_size; i++)
+ {
+ ret = check_if_same_cert (cert, list->node[hash].trusted_cas[i]);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ if (ret == 1)
+ return 1;
+ }
+
+ return 0;
+}
diff --git a/lib/x509/verify-high.h b/lib/x509/verify-high.h
index c241b08..5272806 100644
--- a/lib/x509/verify-high.h
+++ b/lib/x509/verify-high.h
@@ -1,25 +1,24 @@
-struct named_cert_st {
- gnutls_x509_crt_t cert;
- uint8_t name[MAX_NAME_SIZE];
- unsigned int name_size;
-};
+/*
+ * Copyright (C) 2011 Free Software Foundation, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 3 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
-struct node_st {
- /* The trusted certificates */
- gnutls_x509_crt_t *trusted_cas;
- unsigned int trusted_ca_size;
-
- struct named_cert_st *named_certs;
- unsigned int named_cert_size;
-
- /* The trusted CRLs */
- gnutls_x509_crl_t *crls;
- unsigned int crl_size;
-};
-
-struct gnutls_x509_trust_list_st {
- int size;
- struct node_st *node;
-};
-
-#define INIT_HASH 0x33a1
+int _gnutls_trustlist_inlist_p (gnutls_x509_trust_list_t list,
+ gnutls_x509_crt_t cert);
diff --git a/tests/ocsp.c b/tests/ocsp.c
index 088acc6..2492eba 100644
--- a/tests/ocsp.c
+++ b/tests/ocsp.c
@@ -162,6 +162,36 @@ req_parse (void)
exit (1);
}
+ /* check nonce */
+ {
+ gnutls_datum_t expect =
+ { (unsigned char*) REQ1NONCE + 2, sizeof (REQ1NONCE) - 3 };
+ gnutls_datum_t got;
+ unsigned int critical;
+
+ ret = gnutls_ocsp_req_get_nonce (req, &critical, &got);
+ if (ret != 0)
+ {
+ fail ("gnutls_ocsp_req_get_nonce %d\n", ret);
+ exit (1);
+ }
+
+ if (critical != 0)
+ {
+ fail ("unexpected critical %d\n", critical);
+ exit (1);
+ }
+
+ if (expect.size != got.size ||
+ memcmp (expect.data, got.data, got.size) != 0)
+ {
+ fail ("ocsp request nonce memcmp failed\n");
+ exit (1);
+ }
+
+ gnutls_free (got.data);
+ }
+
/* print request */
ret = gnutls_ocsp_req_print (req, GNUTLS_OCSP_PRINT_FULL, &d);
@@ -197,6 +227,125 @@ req_parse (void)
}
gnutls_free (d.data);
+ /* test setting nonce */
+ {
+ gnutls_datum_t n1 = { (unsigned char *) "foo", 3 };
+ gnutls_datum_t n2 = { (unsigned char *) "foobar", 6 };
+ gnutls_datum_t got;
+ unsigned critical;
+
+ ret = gnutls_ocsp_req_set_nonce (req, 0, &n1);
+ if (ret != 0)
+ {
+ fail ("gnutls_ocsp_req_set_nonce %d\n", ret);
+ exit (1);
+ }
+
+ ret = gnutls_ocsp_req_get_nonce (req, &critical, &got);
+ if (ret != 0)
+ {
+ fail ("gnutls_ocsp_req_get_nonce %d\n", ret);
+ exit (1);
+ }
+
+ if (critical != 0)
+ {
+ fail ("unexpected critical %d\n", critical);
+ exit (1);
+ }
+
+ if (n1.size != got.size ||
+ memcmp (n1.data, got.data, got.size) != 0)
+ {
+ fail ("ocsp request parse nonce memcmp failed\n");
+ exit (1);
+ }
+
+ gnutls_free (got.data);
+
+ /* set another time */
+
+ ret = gnutls_ocsp_req_set_nonce (req, 1, &n2);
+ if (ret != 0)
+ {
+ fail ("gnutls_ocsp_req_set_nonce %d\n", ret);
+ exit (1);
+ }
+
+ ret = gnutls_ocsp_req_get_nonce (req, &critical, &got);
+ if (ret != 0)
+ {
+ fail ("gnutls_ocsp_req_get_nonce %d\n", ret);
+ exit (1);
+ }
+
+ if (critical != 1)
+ {
+ fail ("unexpected critical %d\n", critical);
+ exit (1);
+ }
+
+ if (n2.size != got.size ||
+ memcmp (n2.data, got.data, got.size) != 0)
+ {
+ fail ("ocsp request parse2 nonce memcmp failed\n");
+ exit (1);
+ }
+
+ gnutls_free (got.data);
+
+ /* randomize nonce */
+
+ ret = gnutls_ocsp_req_randomize_nonce (req);
+ if (ret != 0)
+ {
+ fail ("gnutls_ocsp_req_randomize_nonce %d\n", ret);
+ exit (1);
+ }
+
+ ret = gnutls_ocsp_req_get_nonce (req, &critical, &n1);
+ if (ret != 0)
+ {
+ fail ("gnutls_ocsp_req_get_nonce %d\n", ret);
+ exit (1);
+ }
+
+ if (critical != 0)
+ {
+ fail ("unexpected random critical %d\n", critical);
+ exit (1);
+ }
+
+ ret = gnutls_ocsp_req_randomize_nonce (req);
+ if (ret != 0)
+ {
+ fail ("gnutls_ocsp_req_randomize_nonce %d\n", ret);
+ exit (1);
+ }
+
+ ret = gnutls_ocsp_req_get_nonce (req, &critical, &n2);
+ if (ret != 0)
+ {
+ fail ("gnutls_ocsp_req_get_nonce %d\n", ret);
+ exit (1);
+ }
+
+ if (critical != 0)
+ {
+ fail ("unexpected random critical %d\n", critical);
+ exit (1);
+ }
+
+ if (n2.size == got.size && memcmp (n1.data, n2.data, n1.size) == 0)
+ {
+ fail ("ocsp request random nonce memcmp failed\n");
+ exit (1);
+ }
+
+ gnutls_free (n1.data);
+ gnutls_free (n2.data);
+ }
+
/* cleanup */
gnutls_ocsp_req_deinit (req);
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_7-66-g63ac406,
Simon Josefsson <=