[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_18-86-g7f74c56
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_18-86-g7f74c56 |
|
Date: |
Sun, 27 May 2012 09:12:02 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7f74c56e76b97f34de90e5e659251063d3898916
The branch, master has been updated
via 7f74c56e76b97f34de90e5e659251063d3898916 (commit)
via 4966324c088d7cdaa581e1b1c04928f16ff8ab90 (commit)
via 1f7dd895ed3949f0f3998e021cea9ba6f28281aa (commit)
via bd0c48a106d54f3a7929edef6eefbf0eadd68c21 (commit)
via f5c539c07bc60fcbb7748cac68fc3eebb63866e5 (commit)
via 9d67d48d9a190ba7e2033f0fb5fab8ab13e8f6ba (commit)
via ede14288c3f393ced2b984a8a5c21e803cc05c2d (commit)
via 18f06c7b32a29de36ba74127805474af62c6ff7a (commit)
via e6b3c5c6b5ed8096530fc335ca769840d019c2ad (commit)
via 16b03a96fa864e1bba5c28f1a1bd6846163ac6b2 (commit)
via d869e863c32d685d7e795616db4e6e6bf4fa1d22 (commit)
via c724a415c7b33177c259ca85930690826318e80e (commit)
via 76ef5cde8b97eb5936b232e1c67123ead6e07b29 (commit)
via 907ba9435589b79db592702ff99127f52c49458a (commit)
via c68027dfbcf833c12d7f0a745e0cc1a6f7df4c72 (commit)
via 656fca01fdb23986c37b8aedbfaff6f23de0975f (commit)
via c1ef7efb7fa4023f134be01939b13960aa4d27da (commit)
via 927e29c30ac2f7d9a79c6ad008a8f81846461214 (commit)
via 35b2c4cc8ffd5af9fed7fdb571ecadf0ffea788b (commit)
via 16206a5b3030dd85410f587730d08ac01853b37e (commit)
via 9e1d1c9302f81cf3f3c9cbb878ffa36123cc90c8 (commit)
via e2d2a9446565c4639eaef9a829851febf191a5c2 (commit)
via d9dee48fcdff0516718a19933e5be6d99090323f (commit)
via 6f9bfaac9d50c2fee5e4146ca9315f0769dd43c4 (commit)
from 2a5f15cc214793b8bdea578db02acd25361fa9ee (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 7f74c56e76b97f34de90e5e659251063d3898916
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun May 27 11:11:05 2012 +0200
MAX_ENTRIES increased to 128.
commit 4966324c088d7cdaa581e1b1c04928f16ff8ab90
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun May 27 10:51:09 2012 +0200
Updated documentation on DTLS.
commit 1f7dd895ed3949f0f3998e021cea9ba6f28281aa
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat May 26 22:47:24 2012 +0200
updated documentation
commit bd0c48a106d54f3a7929edef6eefbf0eadd68c21
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat May 26 22:47:09 2012 +0200
updated Makefile.
commit f5c539c07bc60fcbb7748cac68fc3eebb63866e5
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat May 26 13:52:23 2012 +0200
updated cross compilation makefile.
commit 9d67d48d9a190ba7e2033f0fb5fab8ab13e8f6ba
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat May 26 13:47:16 2012 +0200
Added support for windows trusted certificate store
commit ede14288c3f393ced2b984a8a5c21e803cc05c2d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat May 26 12:28:08 2012 +0200
updated cross compilation makefile
commit 18f06c7b32a29de36ba74127805474af62c6ff7a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat May 26 12:28:00 2012 +0200
bumped version
commit e6b3c5c6b5ed8096530fc335ca769840d019c2ad
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat May 26 09:52:50 2012 +0200
no need to distribute postscript
commit 16b03a96fa864e1bba5c28f1a1bd6846163ac6b2
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri May 25 23:44:15 2012 +0200
Added the notion of a default CRL file.
commit d869e863c32d685d7e795616db4e6e6bf4fa1d22
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri May 25 22:25:51 2012 +0200
updated doc
commit c724a415c7b33177c259ca85930690826318e80e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri May 25 22:25:33 2012 +0200
updated
commit 76ef5cde8b97eb5936b232e1c67123ead6e07b29
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri May 25 21:45:51 2012 +0200
Added DevPak package.
commit 907ba9435589b79db592702ff99127f52c49458a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Thu May 24 17:54:11 2012 +0200
corrected doc.
commit c68027dfbcf833c12d7f0a745e0cc1a6f7df4c72
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Thu May 24 00:19:22 2012 +0200
document nettle requirement
commit 656fca01fdb23986c37b8aedbfaff6f23de0975f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Thu May 24 00:16:48 2012 +0200
no need for netinet/ip.h
commit c1ef7efb7fa4023f134be01939b13960aa4d27da
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed May 23 20:58:11 2012 +0200
When checking for an issuer check for a match in the key identifiers.
commit 927e29c30ac2f7d9a79c6ad008a8f81846461214
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed May 23 20:57:23 2012 +0200
Added the --dh-bits option to gnutls-cli.
commit 35b2c4cc8ffd5af9fed7fdb571ecadf0ffea788b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed May 16 19:41:46 2012 +0200
Be more conservative with examples and changed semantics of
gnutls_certificate_set_x509_system_trust().
gnutls_certificate_set_x509_system_trust() returns
GNUTLS_E_UNIMPLEMENTED_FEATURE on systems that do not have a (known) default
trust store.
commit 16206a5b3030dd85410f587730d08ac01853b37e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri May 11 22:48:04 2012 +0200
documented function.
commit 9e1d1c9302f81cf3f3c9cbb878ffa36123cc90c8
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri May 11 22:05:42 2012 +0200
updated
commit e2d2a9446565c4639eaef9a829851febf191a5c2
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed May 9 20:32:42 2012 +0200
updates
commit d9dee48fcdff0516718a19933e5be6d99090323f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed May 9 20:09:38 2012 +0200
align with 3.0.x
commit 6f9bfaac9d50c2fee5e4146ca9315f0769dd43c4
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed May 9 18:02:12 2012 +0200
Use the PKCS #1 1.5 encoding provided by nettle (2.5) for encryption and
signatures.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 9 +-
configure.ac | 13 +-
cross.mk | 24 ++-
doc/Makefile.am | 6 +-
doc/cha-cert-auth.texi | 6 +-
doc/cha-cert-auth2.texi | 2 +-
doc/cha-gtls-app.texi | 43 ++++-
doc/cha-gtls-examples.texi | 32 ++--
doc/cha-shared-key.texi | 3 +-
doc/examples/ex-client-dtls.c | 3 +-
doc/examples/ex-client-resume.c | 3 +-
doc/examples/ex-client-srp.c | 5 +-
doc/examples/ex-client-x509.c | 21 +-
doc/examples/ex-serv-x509.c | 1 +
doc/invoke-gnutls-cli.texi | 10 +-
lib/Makefile.am | 4 +
lib/abstract_int.h | 10 +-
lib/algorithms.h | 2 -
lib/algorithms/sign.c | 20 ++-
lib/auth/rsa.c | 4 +-
lib/auth/rsa_export.c | 2 +-
lib/crypto-backend.h | 9 +-
lib/ext/signature.c | 3 +-
lib/gnutls_cert.c | 3 +-
lib/gnutls_pk.c | 481 ++++++++++++++-------------------------
lib/gnutls_pk.h | 24 +-
lib/gnutls_privkey.c | 22 +--
lib/gnutls_pubkey.c | 160 ++++++++------
lib/gnutls_sig.c | 240 ++------------------
lib/gnutls_sig.h | 9 -
lib/gnutls_x509.c | 48 +----
lib/includes/gnutls/abstract.h | 24 ++-
lib/includes/gnutls/gnutls.h.in | 9 +-
lib/libgnutls.map | 2 +
lib/nettle/pk.c | 361 +++++++++++++++++-------------
lib/opencdk/main.h | 4 -
lib/opencdk/pubkey.c | 24 ++-
lib/opencdk/seskey.c | 164 -------------
lib/openpgp/privkey.c | 16 +-
lib/system.c | 92 ++++++++
lib/x509/privkey.c | 7 +-
lib/x509/verify-high2.c | 39 +---
lib/x509/verify.c | 138 +++--------
lib/x509/x509.c | 33 +++-
lib/x509/x509_int.h | 4 -
src/certtool-cfg.c | 2 +-
src/cli-args.c | 386 +++++++++++++++++---------------
src/cli-args.def | 7 +
src/cli-args.h | 86 ++++----
src/cli.c | 3 +-
src/common.h | 1 -
tests/x509sign-verify.c | 29 ++-
win32/.gitignore | 10 +
win32/devcpp.tar | Bin 0 -> 30720 bytes
54 files changed, 1175 insertions(+), 1488 deletions(-)
create mode 100644 win32/.gitignore
create mode 100644 win32/devcpp.tar
diff --git a/NEWS b/NEWS
index 4afa452..235d154 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,11 @@ See the end for copying conditions.
* Version 3.1.0 (unreleased)
+** libgnutls: requires libnettle 2.5.
+
+** libgnutls: Use the PKCS #1 1.5 encoding provided by nettle (2.5)
+for encryption and signatures.
+
** libgnutls: When decoding a PKCS #11 URL the pin-source field
is assumed to be a file that stores the pin. Based on patch
by David Smith.
@@ -22,6 +27,8 @@ gnutls_x509_trust_list_add_system_trust: Added
gnutls_x509_trust_list_add_trust_file: Added
gnutls_x509_trust_list_add_trust_mem: Added
gnutls_pk_to_sign: Added
+gnutls_pubkey_verify_hash: Deprecated (use gnutls_pubkey_verify_hash2)
+gnutls_pubkey_verify_data: Deprecated (use gnutls_pubkey_verify_data2)
* Version 3.0.19 (unreleased)
@@ -39,7 +46,7 @@ with openssl.
in pkcs12 decoding tests.
** API and ABI modifications:
-No changes since last version.
+gnutls_pubkey_verify_hash2: Added
* Version 3.0.18 (released 2012-04-02)
diff --git a/configure.ac b/configure.ac
index b0fa3ae..eba91ad 100644
--- a/configure.ac
+++ b/configure.ac
@@ -21,7 +21,7 @@ dnl Process this file with autoconf to produce a configure
script.
# USA
AC_PREREQ(2.61)
-AC_INIT([GnuTLS], [3.0.18], address@hidden)
+AC_INIT([GnuTLS], [3.1.0], address@hidden)
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_MACRO_DIR([m4])
@@ -296,6 +296,10 @@ AC_ARG_WITH([default-trust-store-file],
[AS_HELP_STRING([--with-default-trust-store-file=FILE],
[use the given file default trust store])])
+AC_ARG_WITH([default-crl-file],
+ [AS_HELP_STRING([--with-default-crl-file=FILE],
+ [use the given CRL file as default])])
+
if test "x$with_default_trust_store_pkcs11" = x -a
"x$with_default_trust_store_file" = x; then
# auto detect
http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html
for i in \
@@ -315,6 +319,11 @@ if test "x$with_default_trust_store_file" != x; then
["$with_default_trust_store_file"], [use the given file default trust
store])
fi
+if test "x$with_default_crl_file" != x; then
+ AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE],
+ ["$with_default_crl_file"], [use the given CRL file])
+fi
+
dnl Guile bindings.
opt_guile_bindings=yes
AC_MSG_CHECKING([whether building Guile bindings])
@@ -548,8 +557,10 @@ if features are disabled)
SRP support: $ac_enable_srp
PSK support: $ac_enable_psk
Anon auth support:$ac_enable_anon
+
Trust store pkcs: $with_default_trust_store_pkcs11
Trust store file: $with_default_trust_store_file
+ CRL file: $with_default_crl_file
])
AC_MSG_NOTICE([Optional applications:
diff --git a/cross.mk b/cross.mk
index a5eb8fe..08f20dc 100644
--- a/cross.mk
+++ b/cross.mk
@@ -1,6 +1,6 @@
-
-GNUTLS_FILE:=gnutls-3.0.18.tar.xz
-GNUTLS_DIR:=gnutls-3.0.18
+GNUTLS_VERSION:=3.0.20
+GNUTLS_FILE:=gnutls-$(GNUTLS_VERSION).tar.xz
+GNUTLS_DIR:=gnutls-$(GNUTLS_VERSION)
GMP_FILE:=gmp-5.0.4.tar.bz2
GMP_DIR:=gmp-5.0.4
@@ -15,6 +15,7 @@ CROSS_DIR:=$(PWD)/win32
BIN_DIR:=$(CROSS_DIR)/bin
LIB_DIR:=$(CROSS_DIR)/lib
HEADERS_DIR:=$(CROSS_DIR)/include
+DEVCPP_DIR:=$(PWD)/devcpp
all: update-gpg-keys gnutls-w32
@@ -22,10 +23,19 @@ update-gpg-keys:
gpg --recv-keys 96865171 B565716F D92765AF A8F4C2FD DB899F46
$(GNUTLS_DIR)-w32.zip: $(LIB_DIR) $(BIN_DIR) $(GNUTLS_DIR)/.installed
- rm -rf $(CROSS_DIR)/etc $(CROSS_DIR)/share
+ rm -rf $(CROSS_DIR)/etc $(CROSS_DIR)/share $(CROSS_DIR)/lib/include
$(CROSS_DIR)/lib/pkgconfig
cd $(CROSS_DIR) && zip -r $(PWD)/$@ *
gpg --sign --detach $(GNUTLS_DIR)-w32.zip
+gnutls-$(GNUTLS_VERSION)-1gn.DevPak: $(GNUTLS_DIR)-w32.zip devcpp.tar
+ rm -rf $(DEVCPP_DIR)
+ mkdir -p $(DEVCPP_DIR)
+ cd $(DEVCPP_DIR) && unzip ../$(GNUTLS_DIR)-w32.zip
+ cd $(DEVCPP_DIR) && tar xf ../devcpp.tar && sed -i
's/@VERSION@/$(GNUTLS_VERSION)/g' gnutls.DevPackage
+ cd $(DEVCPP_DIR) && tar -cjf ../$@ .
+
+devpak: gnutls-$(GNUTLS_VERSION)-1gn.DevPak
+
gnutls-w32: $(GNUTLS_DIR)-w32.zip
nettle: $(NETTLE_DIR)/.installed
@@ -38,7 +48,7 @@ $(BIN_DIR):
$(LIB_DIR):
mkdir -p $(LIB_DIR)
-CONFIG_FLAGS := --prefix=$(CROSS_DIR) --host=i686-w64-mingw32 --enable-shared
--disable-static --bindir=$(BIN_DIR) --libdir=$(LIB_DIR)
+CONFIG_FLAGS := --prefix=$(CROSS_DIR) --host=i686-w64-mingw32 --enable-shared
--disable-static --bindir=$(BIN_DIR) --libdir=$(LIB_DIR)
--includedir=$(HEADERS_DIR)
$(P11_KIT_DIR)/.configured:
test -f $(P11_KIT_FILE) || wget
http://p11-glue.freedesktop.org/releases/$(P11_KIT_FILE)
@@ -62,12 +72,14 @@ $(GMP_DIR)/.configured:
test -f $(GMP_FILE).sig || wget
ftp://ftp.gmplib.org/pub/$(GMP_DIR)/$(GMP_FILE).sig
gpg --verify $(GMP_FILE).sig
test -d $(GMP_DIR) || tar -xf $(GMP_FILE)
- cd $(GMP_DIR) && ./configure $(CONFIG_FLAGS) --enable-fat
--exec-prefix=$(LIB_DIR) --oldincludedir=$(HEADERS_DIR) && cd ..
+ cd $(GMP_DIR) && ./configure $(CONFIG_FLAGS) --enable-fat
--exec-prefix=$(LIB_DIR) --oldincludedir=$(HEADERS_DIR) && cd ..
touch $@
$(GMP_DIR)/.installed: $(GMP_DIR)/.configured
make -C $(GMP_DIR) -j2
make -C $(GMP_DIR) install -i
+ mv $(LIB_DIR)/include/* $(HEADERS_DIR)/
+ rmdir $(LIB_DIR)/include/
touch $@
$(NETTLE_DIR)/.configured: $(GMP_DIR)/.installed
diff --git a/doc/Makefile.am b/doc/Makefile.am
index e922ed9..31b4982 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -19,7 +19,7 @@
# along with this file; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-EXTRA_DIST = TODO certtool.cfg gnutls.ps gnutls.pdf gnutls.html \
+EXTRA_DIST = TODO certtool.cfg gnutls.pdf gnutls.html \
doxygen/Doxyfile.in doxygen/Doxyfile.orig texinfo.css \
gnutls-guile.pdf gnutls-guile.html stamp_enums stamp_functions
@@ -502,10 +502,8 @@ FUNCS += functions/gnutls_pubkey_import_ecc_raw
FUNCS += functions/gnutls_pubkey_encrypt_data
FUNCS += functions/gnutls_x509_crt_set_pubkey
FUNCS += functions/gnutls_x509_crq_set_pubkey
-FUNCS += functions/gnutls_pubkey_verify_hash
FUNCS += functions/gnutls_pubkey_verify_hash2
FUNCS += functions/gnutls_pubkey_get_verify_algorithm
-FUNCS += functions/gnutls_pubkey_verify_data
FUNCS += functions/gnutls_pubkey_verify_data2
FUNCS += functions/gnutls_privkey_init
FUNCS += functions/gnutls_privkey_deinit
@@ -529,6 +527,8 @@ FUNCS += functions/gnutls_pcert_import_openpgp
FUNCS += functions/gnutls_pcert_deinit
FUNCS += functions/gnutls_certificate_set_retrieve_function2
FUNCS += functions/gnutls_certificate_set_key
+FUNCS += functions/gnutls_pubkey_verify_data
+FUNCS += functions/gnutls_pubkey_verify_hash
FUNCS += functions/gnutls_sign_callback_set
FUNCS += functions/gnutls_sign_callback_get
FUNCS += functions/gnutls_x509_privkey_sign_hash
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 1ee95bf..946674c 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -243,7 +243,8 @@ provided.
The verification function will verify a given certificate chain against a list
of certificate
authorities and certificate revocation lists, and output
a bit-wise OR of elements of the @address@hidden@-status_t}
-enumeration shown in @ref{gnutls_certificate_status_t}.
+enumeration shown in @ref{gnutls_certificate_status_t}. The
@address@hidden@-INVALID} flag
+is always set on a verification error and more detailed flags will also be set
when appropriate.
@showenumdesc{gnutls_certificate_status_t,The @address@hidden@-status_t}
enumeration.}
@@ -263,7 +264,8 @@ authority list may also be set using:
Then it is not required to setup a trusted list as above.
The function @funcref{gnutls_certificate_verify_peers2}
-may then be used to verify the peer's certificate chain.
+may then be used to verify the peer's certificate chain. The flags
+are set similarly to the verification functions in the previous section.
There is also the possibility to pass some input to the verification
functions in the form of flags. For
@funcref{gnutls_x509_trust_list_verify_crt} the
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index 9ebb74a..0c731a3 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -616,7 +616,7 @@ The abstract key types can be used to access signing and
signature verification operations with the underlying keys.
@showfuncdesc{gnutls_pubkey_verify_data2}
address@hidden
address@hidden
@showfuncdesc{gnutls_pubkey_encrypt_data}
@showfuncdesc{gnutls_privkey_sign_data}
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 605c3ca..0aa9c9b 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -22,6 +22,7 @@
@menu
* General idea::
* Error handling::
+* Common types::
* Debugging and auditing::
* Thread safety::
* Callback functions::
@@ -94,6 +95,32 @@ a function, these error codes will be documented in the
function's
reference. See @ref{Error codes}, for a description of the available
error codes.
address@hidden Common types
address@hidden Common types
+
+Several functions in @acronym{GnuTLS} use @code{gnutls_datum_t} which is
+convenient way to combine a pointer to data and data's size. Its definition is
+shown below.
address@hidden
+ typedef struct
+ {
+ unsigned char *data;
+ unsigned int size;
+ } gnutls_datum_t;
address@hidden verbatim
+
+Other functions that require data for scattered read use a structure similar
+to @code{struct iovec} typically used by @funcintref{readv}. It is shown
+below.
address@hidden
+ typedef struct
+ {
+ void *iov_base; /* Starting address */
+ size_t iov_len; /* Number of bytes to transfer */
+ } giovec_t;
address@hidden verbatim
+
+
@node Debugging and auditing
@subsection Debugging and auditing
@@ -623,10 +650,18 @@ either before the @funcintref{select} system call, or
after a call to
@funcref{gnutls_record_recv}. @acronym{GnuTLS} does not keep a write buffer,
thus when writing no additional actions are required.
-In the DTLS, however, @acronym{GnuTLS} may block due to retransmission timers
-required by the protocol. To prevent those timers from blocking a DTLS
handshake,
-the @funcref{gnutls_init} should be called with the
address@hidden flag (see @ref{Session initialization}).
+Although in the TLS protocol implementation each call to receive or send
+function implies to restoring the same function that was interrupted, in
+the DTLS protocol this requirement isn't true.
+There are cases where a retransmission is required, which are indicated by
+a received message and thus @funcref{gnutls_record_get_direction} must be
called
+to decide which operation to restore, i.e., send or receive.
address@hidden
+
+Moreover, to prevent blocking from DTLS' retransmission timers to block a
+handshake, the @funcref{gnutls_init} function should be called with the
address@hidden flag set (see @ref{Session initialization}).
+
@node DTLS sessions
@subsection DTLS sessions
diff --git a/doc/cha-gtls-examples.texi b/doc/cha-gtls-examples.texi
index 637653c..d88e9bc 100644
--- a/doc/cha-gtls-examples.texi
+++ b/doc/cha-gtls-examples.texi
@@ -23,9 +23,9 @@ clients, using @acronym{GnuTLS}. Note that some of the
examples require function
implemented by another example.
@menu
-* Simple client example with anonymous authentication::
* Simple client example with X.509 certificate support::
* Simple client example with SSH-style certificate verification::
+* Simple client example with anonymous authentication::
* Simple Datagram TLS client example::
* Obtaining session information::
* Using a callback to select the certificate to use::
@@ -38,20 +38,6 @@ implemented by another example.
* Helper functions for UDP connections::
@end menu
address@hidden Simple client example with anonymous authentication
address@hidden Simple client example with anonymous authentication
-
-The simplest client using TLS is the one that doesn't do any
-authentication. This means no external certificates or passwords are
-needed to set up the connection. As could be expected, the connection
-is vulnerable to man-in-the-middle (active or redirection) attacks.
-However, the data are integrity protected and encrypted from
-passive eavesdroppers.
-
-Note that the server must support anonymous authentication as well.
-
address@hidden examples/ex-client-anon.c
-
@node Simple client example with X.509 certificate support
@subsection Simple client example with @acronym{X.509} certificate support
@anchor{ex:verify}
@@ -76,6 +62,22 @@ trusted.
@verbatiminclude examples/ex-verify-ssh.c
address@hidden Simple client example with anonymous authentication
address@hidden Simple client example with anonymous authentication
+
+The simplest client using TLS is the one that doesn't do any
+authentication. This means no external certificates or passwords are
+needed to set up the connection. As could be expected, the connection
+is vulnerable to man-in-the-middle (active or redirection) attacks.
+However, the data are integrity protected and encrypted from
+passive eavesdroppers.
+
+Note that due to the vulnerable nature of this method very few public
+servers support it.
+
address@hidden examples/ex-client-anon.c
+
+
@node Simple Datagram TLS client example
@subsection Simple datagram @acronym{TLS} client example
diff --git a/doc/cha-shared-key.texi b/doc/cha-shared-key.texi
index c9605de..1d3186a 100644
--- a/doc/cha-shared-key.texi
+++ b/doc/cha-shared-key.texi
@@ -132,7 +132,8 @@ with the peer. Moreover it is useful when complete
anonymity is required.
Unless in one of the above cases, do not use anonymous authentication.
The available key exchange algorithms for anonymous authentication are
-shown below.
+shown below, but note that few public servers support them. They typically
+have to be explicitly enabled.
@table @code
diff --git a/doc/examples/ex-client-dtls.c b/doc/examples/ex-client-dtls.c
index 377c42e..21e7244 100644
--- a/doc/examples/ex-client-dtls.c
+++ b/doc/examples/ex-client-dtls.c
@@ -18,6 +18,7 @@
*/
#define MAX_BUF 1024
+#define CAFILE "/etc/ssl/certs/ca-certificates.crt"
#define MSG "GET / HTTP/1.0\r\n\r\n"
extern int udp_connect (void);
@@ -39,7 +40,7 @@ main (void)
gnutls_certificate_allocate_credentials (&xcred);
/* sets the trusted cas file */
- gnutls_certificate_set_x509_system_trust(xcred);
+ gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function (xcred, verify_certificate_callback);
/* Initialize TLS session */
diff --git a/doc/examples/ex-client-resume.c b/doc/examples/ex-client-resume.c
index cfa3aad..c094950 100644
--- a/doc/examples/ex-client-resume.c
+++ b/doc/examples/ex-client-resume.c
@@ -16,6 +16,7 @@ extern int tcp_connect (void);
extern void tcp_close (int sd);
#define MAX_BUF 1024
+#define CAFILE "/etc/ssl/certs/ca-certificates.crt"
#define MSG "GET / HTTP/1.0\r\n\r\n"
int
@@ -38,7 +39,7 @@ main (void)
/* X509 stuff */
gnutls_certificate_allocate_credentials (&xcred);
- gnutls_certificate_set_x509_system_trust(xcred);
+ gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
for (t = 0; t < 2; t++)
{ /* connect 2 times to the server */
diff --git a/doc/examples/ex-client-srp.c b/doc/examples/ex-client-srp.c
index 172c152..7784075 100644
--- a/doc/examples/ex-client-srp.c
+++ b/doc/examples/ex-client-srp.c
@@ -18,6 +18,7 @@ extern void tcp_close (int sd);
#define MAX_BUF 1024
#define USERNAME "user"
#define PASSWORD "pass"
+#define CAFILE "/etc/ssl/certs/ca-certificates.crt"
#define MSG "GET / HTTP/1.0\r\n\r\n"
int
@@ -35,8 +36,8 @@ main (void)
gnutls_srp_allocate_client_credentials (&srp_cred);
gnutls_certificate_allocate_credentials (&cert_cred);
- gnutls_certificate_set_x509_system_trust(cert_cred);
-
+ gnutls_certificate_set_x509_trust_file (cert_cred, CAFILE,
+ GNUTLS_X509_FMT_PEM);
gnutls_srp_set_client_credentials (srp_cred, USERNAME, PASSWORD);
/* connects to server
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index e442886..2a78e2d 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -17,7 +17,7 @@
*/
#define MAX_BUF 1024
-/* #define CAFILE "/etc/ssl/certs/ca-certificates.crt" */
+#define CAFILE "/etc/ssl/certs/ca-certificates.crt"
#define MSG "GET / HTTP/1.0\r\n\r\n"
extern int tcp_connect (void);
@@ -37,12 +37,9 @@ int main (void)
/* X509 stuff */
gnutls_certificate_allocate_credentials (&xcred);
- /* sets the trusted cas to be the system ones
+ /* sets the trusted cas file
*/
- gnutls_certificate_set_x509_system_trust(xcred);
- /* gnutls_certificate_set_x509_trust_file (xcred, CAFILE,
GNUTLS_X509_FMT_PEM);
- */
-
+ gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function (xcred, _verify_certificate_callback);
/* If client holds a certificate it can be set using the following:
@@ -162,9 +159,6 @@ _verify_certificate_callback (gnutls_session_t session)
return GNUTLS_E_CERTIFICATE_ERROR;
}
- if (status & GNUTLS_CERT_INVALID)
- printf ("The certificate is not trusted.\n");
-
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
printf ("The certificate hasn't got a known issuer.\n");
@@ -177,6 +171,12 @@ _verify_certificate_callback (gnutls_session_t session)
if (status & GNUTLS_CERT_NOT_ACTIVATED)
printf ("The certificate is not yet activated\n");
+ if (status & GNUTLS_CERT_INVALID)
+ {
+ printf ("The certificate is not trusted.\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
/* Up to here the process is the same for X.509 certificates and
* OpenPGP keys. From now on X.509 certificates are assumed. This can
* be easily extended to work with openpgp keys as well.
@@ -197,9 +197,6 @@ _verify_certificate_callback (gnutls_session_t session)
return GNUTLS_E_CERTIFICATE_ERROR;
}
- /* This is not a real world example, since we only check the first
- * certificate in the given chain.
- */
if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
{
printf ("error parsing certificate\n");
diff --git a/doc/examples/ex-serv-x509.c b/doc/examples/ex-serv-x509.c
index dedd1a1..a8dc20e 100644
--- a/doc/examples/ex-serv-x509.c
+++ b/doc/examples/ex-serv-x509.c
@@ -84,6 +84,7 @@ main (void)
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&x509_cred);
+ /* gnutls_certificate_set_x509_system_trust(xcred); */
gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE,
GNUTLS_X509_FMT_PEM);
diff --git a/doc/invoke-gnutls-cli.texi b/doc/invoke-gnutls-cli.texi
index e2b7511..c077aec 100644
--- a/doc/invoke-gnutls-cli.texi
+++ b/doc/invoke-gnutls-cli.texi
@@ -7,7 +7,7 @@
#
# DO NOT EDIT THIS FILE (invoke-gnutls-cli.texi)
#
-# It has been AutoGen-ed May 9, 2012 at 08:06:11 PM by AutoGen 5.16
+# It has been AutoGen-ed May 25, 2012 at 10:22:22 PM by AutoGen 5.16
# From the definitions ../src/cli-args.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -63,6 +63,7 @@ USAGE: gnutls-cli [ -<flag> [<val>] |
--<name>address@hidden| @}<val>] ]... [hostname]
--recordsize=num The maximum record size to advertize
- It must be in the range:
0 to 4096
+ --dh-bits=num The minimum number of bits allowed for DH
--priority=str Priorities string
--x509cafile=str Certificate file or PKCS #11 URL to use
--x509crlfile=file CRL file to use
@@ -141,6 +142,13 @@ Connect, establish a session and rehandshake immediately.
This is the ``connect, establish a plain session and start tls.'' option.
The TLS session will be initiated when EOF or a SIGALRM is received.
address@hidden dh-bits}
address@hidden dh-bits option
address@hidden gnutls-cli-dh-bits
+
+This is the ``the minimum number of bits allowed for dh'' option.
+This option takes an argument number.
+This option sets the minimum number of bits allowed for a Diffie-Hellman key
exchange. You may want to lower the default value if the peer sends a weak
prime and you get an connection error with unacceptable prime.
@anchor{gnutls-cli priority}
@subheading priority option
@cindex gnutls-cli-priority
diff --git a/lib/Makefile.am b/lib/Makefile.am
index a1e19a1..a15abbe 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -111,6 +111,10 @@ libgnutls_la_SOURCES = $(HFILES) $(COBJECTS)
$(SRP_COBJECTS) \
libgnutls_la_LDFLAGS = -no-undefined \
-version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE)
+if WINDOWS
+libgnutls_la_LDFLAGS += -lcrypt32
+endif
+
libgnutls_la_LIBADD = ../gl/libgnu.la x509/libgnutls_x509.la \
accelerated/libaccelerated.la ext/libgnutls_ext.la \
auth/libgnutls_auth.la algorithms/libgnutls_alg.la \
diff --git a/lib/abstract_int.h b/lib/abstract_int.h
index ca2be2b..ad859e5 100644
--- a/lib/abstract_int.h
+++ b/lib/abstract_int.h
@@ -36,10 +36,12 @@ int
_gnutls_pubkey_get_mpis (gnutls_pubkey_t key,
gnutls_pk_params_st * params);
-int pubkey_verify_hashed_data (gnutls_pk_algorithm_t pk,
- const gnutls_datum_t * hash,
- const gnutls_datum_t * signature,
- gnutls_pk_params_st * issuer_params);
+int
+pubkey_verify_hashed_data (gnutls_pk_algorithm_t pk,
+ gnutls_digest_algorithm_t algo,
+ const gnutls_datum_t * hash,
+ const gnutls_datum_t * signature,
+ gnutls_pk_params_st * issuer_params);
int pubkey_verify_data (gnutls_pk_algorithm_t pk,
gnutls_digest_algorithm_t algo,
diff --git a/lib/algorithms.h b/lib/algorithms.h
index e2600c6..9fe0272 100644
--- a/lib/algorithms.h
+++ b/lib/algorithms.h
@@ -106,8 +106,6 @@ enum encipher_type _gnutls_kx_encipher_type
(gnutls_kx_algorithm_t algorithm);
/* Functions for sign algorithms. */
gnutls_sign_algorithm_t _gnutls_x509_oid2sign_algorithm (const char *oid);
-gnutls_sign_algorithm_t _gnutls_x509_pk_to_sign (gnutls_pk_algorithm_t pk,
- gnutls_digest_algorithm_t
mac);
gnutls_pk_algorithm_t _gnutls_x509_sign_to_pk (gnutls_sign_algorithm_t sign);
const char *_gnutls_x509_sign_to_oid (gnutls_pk_algorithm_t,
gnutls_digest_algorithm_t mac);
diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c
index ab81b83..b422c4c 100644
--- a/lib/algorithms/sign.c
+++ b/lib/algorithms/sign.c
@@ -134,12 +134,12 @@ static gnutls_sign_algorithm_t supported_sign[MAX_ALGOS]
= {0};
/**
* gnutls_sign_get_id:
- * @name: is a MAC algorithm name
+ * @name: is a sign algorithm name
*
* The names are compared in a case insensitive way.
*
* Returns: return a #gnutls_sign_algorithm_t value corresponding to
- * the specified cipher, or %GNUTLS_SIGN_UNKNOWN on error.
+ * the specified algorithm, or %GNUTLS_SIGN_UNKNOWN on error.
**/
gnutls_sign_algorithm_t
gnutls_sign_get_id (const char *name)
@@ -178,12 +178,22 @@ _gnutls_x509_oid2sign_algorithm (const char *oid)
return ret;
}
+/**
+ * gnutls_pk_to_sign:
+ * @pk: is a public key algorithm
+ * @hash: a hash algorithm
+ *
+ * This function maps public key and hash algorithms combinations
+ * to signature algorithms.
+ *
+ * Returns: return a #gnutls_sign_algorithm_t value, or %GNUTLS_SIGN_UNKNOWN
on error.
+ **/
gnutls_sign_algorithm_t
-_gnutls_x509_pk_to_sign (gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t
mac)
+gnutls_pk_to_sign (gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash)
{
gnutls_sign_algorithm_t ret = 0;
- GNUTLS_SIGN_LOOP (if (pk == p->pk && mac == p->mac)
+ GNUTLS_SIGN_LOOP (if (pk == p->pk && hash == p->mac)
{
ret = p->id; break;}
);
@@ -200,7 +210,7 @@ _gnutls_x509_sign_to_oid (gnutls_pk_algorithm_t pk,
gnutls_sign_algorithm_t sign;
const char *ret = NULL;
- sign = _gnutls_x509_pk_to_sign (pk, mac);
+ sign = gnutls_pk_to_sign (pk, mac);
if (sign == GNUTLS_SIGN_UNKNOWN)
return NULL;
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
index 77a61f9..f728503 100644
--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
@@ -298,8 +298,8 @@ _gnutls_gen_rsa_client_kx (gnutls_session_t session,
gnutls_buffer_st* data)
}
ret =
- _gnutls_pkcs1_rsa_encrypt (&sdata, &session->key->key,
- ¶ms, 2);
+ _gnutls_pk_encrypt (GNUTLS_PK_RSA, &sdata, &session->key->key,
+ ¶ms);
gnutls_pk_params_release(¶ms);
diff --git a/lib/auth/rsa_export.c b/lib/auth/rsa_export.c
index f93211d..df78dea 100644
--- a/lib/auth/rsa_export.c
+++ b/lib/auth/rsa_export.c
@@ -159,7 +159,7 @@ proc_rsa_export_client_kx (gnutls_session_t session,
uint8_t * data,
return ret;
}
- ret = _gnutls_pkcs1_rsa_decrypt (&plaintext, &ciphertext, params, 2); /*
btype==2 */
+ ret = _gnutls_pk_decrypt (GNUTLS_PK_RSA, &plaintext, &ciphertext, params);
if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE)
{
diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
index 1044f00..58c7530 100644
--- a/lib/crypto-backend.h
+++ b/lib/crypto-backend.h
@@ -311,8 +311,15 @@
const gnutls_datum_t * data,
const gnutls_pk_params_st * priv);
int (*verify) (gnutls_pk_algorithm_t, const gnutls_datum_t * data,
- const gnutls_datum_t * signature,
+ const gnutls_datum_t * sig,
const gnutls_pk_params_st * pub);
+ /* given a signature and the public parameters,
+ * suggest a hash algorithm */
+ int (*hash_algorithm) (gnutls_pk_algorithm_t,
+ const gnutls_datum_t * sig,
+ gnutls_pk_params_st * issuer_params,
+ gnutls_digest_algorithm_t*);
+ /* sanity checks the public key parameters */
int (*verify_params) (gnutls_pk_algorithm_t,
const gnutls_pk_params_st * pub);
int (*generate) (gnutls_pk_algorithm_t, unsigned int nbits,
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index 4fe9795..47724da 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -27,6 +27,7 @@
#include "gnutls_int.h"
#include "gnutls_errors.h"
#include "gnutls_num.h"
+#include <gnutls/gnutls.h>
#include <ext/signature.h>
#include <gnutls_state.h>
#include <gnutls_num.h>
@@ -264,7 +265,7 @@ _gnutls_session_get_sign_algo (gnutls_session_t session,
gnutls_pcert_st* cert)
|| priv->sign_algorithms_size == 0)
/* none set, allow SHA-1 only */
{
- return _gnutls_x509_pk_to_sign (cert_algo, GNUTLS_DIG_SHA1);
+ return gnutls_pk_to_sign (cert_algo, GNUTLS_DIG_SHA1);
}
for (i = 0; i < priv->sign_algorithms_size; i++)
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 4724d55..ac25051 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -335,7 +335,8 @@ gnutls_certificate_server_set_request (gnutls_session_t
session,
* @st should contain the certificates and private keys.
*
* If the callback function is provided then gnutls will call it, in the
- * handshake, after the certificate request message has been received.
+ * handshake, if a certificate is requested by the server (and after the
+ * certificate request message has been received).
*
* The callback function should set the certificate list to be sent,
* and return 0 on success. If no certificate was selected then the
diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c
index 738f1ac..8c3b9d3 100644
--- a/lib/gnutls_pk.c
+++ b/lib/gnutls_pk.c
@@ -36,318 +36,6 @@
#include <x509/common.h>
#include <random.h>
-/* Do PKCS-1 RSA encryption.
- * params is modulus, public exp.
- */
-int
-_gnutls_pkcs1_rsa_encrypt (gnutls_datum_t * ciphertext,
- const gnutls_datum_t * plaintext,
- gnutls_pk_params_st * params,
- unsigned btype)
-{
- unsigned int i, pad;
- int ret;
- uint8_t *edata, *ps;
- size_t k, psize;
- size_t mod_bits;
- gnutls_datum_t to_encrypt, encrypted;
-
- mod_bits = _gnutls_mpi_get_nbits (params->params[0]);
- k = mod_bits / 8;
- if (mod_bits % 8 != 0)
- k++;
-
- if (plaintext->size > k - 11)
- {
- gnutls_assert ();
- return GNUTLS_E_PK_ENCRYPTION_FAILED;
- }
-
- edata = gnutls_malloc (k);
- if (edata == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- /* EB = 00||BT||PS||00||D
- * (use block type 'btype')
- */
-
- edata[0] = 0;
- edata[1] = btype;
- psize = k - 3 - plaintext->size;
-
- ps = &edata[2];
- switch (btype)
- {
- case 2:
- /* using public key */
- if (params->params_nr < RSA_PUBLIC_PARAMS)
- {
- gnutls_assert ();
- gnutls_free (edata);
- return GNUTLS_E_INTERNAL_ERROR;
- }
-
- ret = _gnutls_rnd (GNUTLS_RND_RANDOM, ps, psize);
- if (ret < 0)
- {
- gnutls_assert ();
- gnutls_free (edata);
- return ret;
- }
- for (i = 0; i < psize; i++)
- while (ps[i] == 0)
- {
- ret = _gnutls_rnd (GNUTLS_RND_RANDOM, &ps[i], 1);
- if (ret < 0)
- {
- gnutls_assert ();
- gnutls_free (edata);
- return ret;
- }
- }
- break;
- case 1:
- /* using private key */
-
- if (params->params_nr < RSA_PRIVATE_PARAMS)
- {
- gnutls_assert ();
- gnutls_free (edata);
- return GNUTLS_E_INTERNAL_ERROR;
- }
-
- for (i = 0; i < psize; i++)
- ps[i] = 0xff;
- break;
- default:
- gnutls_assert ();
- gnutls_free (edata);
- return GNUTLS_E_INTERNAL_ERROR;
- }
-
- ps[psize] = 0;
- memcpy (&ps[psize + 1], plaintext->data, plaintext->size);
-
- to_encrypt.data = edata;
- to_encrypt.size = k;
-
- if (btype == 2) /* encrypt */
- ret =
- _gnutls_pk_encrypt (GNUTLS_PK_RSA, &encrypted, &to_encrypt, params);
- else /* sign */
- ret =
- _gnutls_pk_sign (GNUTLS_PK_RSA, &encrypted, &to_encrypt, params);
-
- gnutls_free (edata);
-
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- psize = encrypted.size;
- if (psize < k)
- {
- /* padding psize */
- pad = k - psize;
- psize = k;
- }
- else if (psize == k)
- {
- /* pad = 0;
- * no need to do anything else
- */
- ciphertext->data = encrypted.data;
- ciphertext->size = encrypted.size;
- return 0;
- }
- else
- { /* psize > k !!! */
- /* This is an impossible situation */
- gnutls_assert ();
- _gnutls_free_datum (&encrypted);
- return GNUTLS_E_INTERNAL_ERROR;
- }
-
- ciphertext->data = gnutls_malloc (psize);
- if (ciphertext->data == NULL)
- {
- gnutls_assert ();
- ret = GNUTLS_E_MEMORY_ERROR;
- goto cleanup;
- }
-
- memcpy (&ciphertext->data[pad], encrypted.data, encrypted.size);
- for (i = 0; i < pad; i++)
- ciphertext->data[i] = 0;
-
- ciphertext->size = k;
-
- ret = 0;
-
-cleanup:
- _gnutls_free_datum (&encrypted);
-
- return ret;
-}
-
-
-/* Do PKCS-1 RSA decryption.
- * params is modulus, public exp., private key
- * Can decrypt block type 1 and type 2 packets.
- */
-int
-_gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext,
- const gnutls_datum_t * ciphertext,
- gnutls_pk_params_st* params,
- unsigned btype)
-{
- unsigned int k, i;
- int ret;
- size_t esize, mod_bits;
-
- mod_bits = _gnutls_mpi_get_nbits (params->params[0]);
- k = mod_bits / 8;
- if (mod_bits % 8 != 0)
- k++;
-
- esize = ciphertext->size;
-
- if (esize != k)
- {
- gnutls_assert ();
- return GNUTLS_E_PK_DECRYPTION_FAILED;
- }
-
- /* we can use btype to see if the private key is
- * available.
- */
- if (btype == 2)
- {
- ret =
- _gnutls_pk_decrypt (GNUTLS_PK_RSA, plaintext, ciphertext, params);
- }
- else
- {
- ret =
- _gnutls_pk_encrypt (GNUTLS_PK_RSA, plaintext, ciphertext, params);
- }
-
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- /* EB = 00||BT||PS||00||D
- * (use block type 'btype')
- *
- * From now on, return GNUTLS_E_DECRYPTION_FAILED on errors, to
- * avoid attacks similar to the one described by Bleichenbacher in:
- * "Chosen Ciphertext Attacks against Protocols Based on RSA
- * Encryption Standard PKCS #1".
- */
- if (plaintext->data[0] != 0 || plaintext->data[1] != btype)
- {
- gnutls_assert ();
- _gnutls_free_datum (plaintext);
- return GNUTLS_E_DECRYPTION_FAILED;
- }
-
- ret = GNUTLS_E_DECRYPTION_FAILED;
- switch (btype)
- {
- case 2:
- for (i = 2; i < plaintext->size; i++)
- {
- if (plaintext->data[i] == 0)
- {
- ret = 0;
- break;
- }
- }
- break;
- case 1:
- for (i = 2; i < plaintext->size; i++)
- {
- if (plaintext->data[i] == 0 && i > 2)
- {
- ret = 0;
- break;
- }
- if (plaintext->data[i] != 0xff)
- {
- _gnutls_handshake_log ("PKCS #1 padding error");
- _gnutls_free_datum (plaintext);
- /* PKCS #1 padding error. Don't use
- GNUTLS_E_PKCS1_WRONG_PAD here. */
- break;
- }
- }
- break;
- default:
- gnutls_assert ();
- _gnutls_free_datum (plaintext);
- break;
- }
-
- if (ret < 0)
- {
- gnutls_assert ();
- _gnutls_free_datum (plaintext);
- return GNUTLS_E_DECRYPTION_FAILED;
- }
-
- i++;
- memmove (plaintext->data, &plaintext->data[i], esize - i);
- plaintext->size = esize - i;
-
- return 0;
-}
-
-
-int
-_gnutls_rsa_verify (const gnutls_datum_t * vdata,
- const gnutls_datum_t * ciphertext,
- gnutls_pk_params_st * params,
- int btype)
-{
-
- gnutls_datum_t plain;
- int ret;
-
- /* decrypt signature */
- if ((ret =
- _gnutls_pkcs1_rsa_decrypt (&plain, ciphertext, params,
- btype)) < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- if (plain.size != vdata->size)
- {
- gnutls_assert ();
- _gnutls_free_datum (&plain);
- return GNUTLS_E_PK_SIG_VERIFY_FAILED;
- }
-
- if (memcmp (plain.data, vdata->data, plain.size) != 0)
- {
- gnutls_assert ();
- _gnutls_free_datum (&plain);
- return GNUTLS_E_PK_SIG_VERIFY_FAILED;
- }
-
- _gnutls_free_datum (&plain);
-
- return 0; /* ok */
-}
-
/* encodes the Dss-Sig-Value structure
*/
int
@@ -506,3 +194,172 @@ _gnutls_pk_get_hash_algorithm (gnutls_pk_algorithm_t pk,
NULL, pk, params);
}
+
+/* Writes the digest information and the digest in a DER encoded
+ * structure. The digest info is allocated and stored into the info structure.
+ */
+int
+encode_ber_digest_info (gnutls_digest_algorithm_t hash,
+ const gnutls_datum_t * digest,
+ gnutls_datum_t * output)
+{
+ ASN1_TYPE dinfo = ASN1_TYPE_EMPTY;
+ int result;
+ const char *algo;
+ uint8_t *tmp_output;
+ int tmp_output_size;
+
+ algo = _gnutls_x509_mac_to_oid ((gnutls_mac_algorithm_t) hash);
+ if (algo == NULL)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log ("Hash algorithm: %d has no OID\n", hash);
+ return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
+ }
+
+ if ((result = asn1_create_element (_gnutls_get_gnutls_asn (),
+ "GNUTLS.DigestInfo",
+ &dinfo)) != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ return _gnutls_asn2err (result);
+ }
+
+ result = asn1_write_value (dinfo, "digestAlgorithm.algorithm", algo, 1);
+ if (result != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ asn1_delete_structure (&dinfo);
+ return _gnutls_asn2err (result);
+ }
+
+ /* Write an ASN.1 NULL in the parameters field. This matches RFC
+ 3279 and RFC 4055, although is arguable incorrect from a historic
+ perspective (see those documents for more information).
+ Regardless of what is correct, this appears to be what most
+ implementations do. */
+ result = asn1_write_value (dinfo, "digestAlgorithm.parameters",
+ ASN1_NULL, ASN1_NULL_SIZE);
+ if (result != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ asn1_delete_structure (&dinfo);
+ return _gnutls_asn2err (result);
+ }
+
+ result = asn1_write_value (dinfo, "digest", digest->data, digest->size);
+ if (result != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ asn1_delete_structure (&dinfo);
+ return _gnutls_asn2err (result);
+ }
+
+ tmp_output_size = 0;
+ asn1_der_coding (dinfo, "", NULL, &tmp_output_size, NULL);
+
+ tmp_output = gnutls_malloc (tmp_output_size);
+ if (tmp_output == NULL)
+ {
+ gnutls_assert ();
+ asn1_delete_structure (&dinfo);
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ result = asn1_der_coding (dinfo, "", tmp_output, &tmp_output_size, NULL);
+ if (result != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ asn1_delete_structure (&dinfo);
+ return _gnutls_asn2err (result);
+ }
+
+ asn1_delete_structure (&dinfo);
+
+ output->size = tmp_output_size;
+ output->data = tmp_output;
+
+ return 0;
+}
+
+/* Reads the digest information.
+ * we use DER here, although we should use BER. It works fine
+ * anyway.
+ */
+int
+decode_ber_digest_info (const gnutls_datum_t * info,
+ gnutls_digest_algorithm_t * hash,
+ uint8_t * digest, unsigned int *digest_size)
+{
+ ASN1_TYPE dinfo = ASN1_TYPE_EMPTY;
+ int result;
+ char str[1024];
+ int len;
+
+ if ((result = asn1_create_element (_gnutls_get_gnutls_asn (),
+ "GNUTLS.DigestInfo",
+ &dinfo)) != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ return _gnutls_asn2err (result);
+ }
+
+ result = asn1_der_decoding (&dinfo, info->data, info->size, NULL);
+ if (result != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ asn1_delete_structure (&dinfo);
+ return _gnutls_asn2err (result);
+ }
+
+ len = sizeof (str) - 1;
+ result = asn1_read_value (dinfo, "digestAlgorithm.algorithm", str, &len);
+ if (result != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ asn1_delete_structure (&dinfo);
+ return _gnutls_asn2err (result);
+ }
+
+ *hash = _gnutls_x509_oid_to_digest (str);
+
+ if (*hash == GNUTLS_DIG_UNKNOWN)
+ {
+
+ _gnutls_debug_log ("verify.c: HASH OID: %s\n", str);
+
+ gnutls_assert ();
+ asn1_delete_structure (&dinfo);
+ return GNUTLS_E_UNKNOWN_ALGORITHM;
+ }
+
+ len = sizeof (str) - 1;
+ result = asn1_read_value (dinfo, "digestAlgorithm.parameters", str, &len);
+ /* To avoid permitting garbage in the parameters field, either the
+ parameters field is not present, or it contains 0x05 0x00. */
+ if (!(result == ASN1_ELEMENT_NOT_FOUND ||
+ (result == ASN1_SUCCESS && len == ASN1_NULL_SIZE &&
+ memcmp (str, ASN1_NULL, ASN1_NULL_SIZE) == 0)))
+ {
+ gnutls_assert ();
+ asn1_delete_structure (&dinfo);
+ return GNUTLS_E_ASN1_GENERIC_ERROR;
+ }
+
+ len = *digest_size;
+ result = asn1_read_value (dinfo, "digest", digest, &len);
+
+ if (result != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ *digest_size = len;
+ asn1_delete_structure (&dinfo);
+ return _gnutls_asn2err (result);
+ }
+
+ *digest_size = len;
+ asn1_delete_structure (&dinfo);
+
+ return 0;
+}
+
diff --git a/lib/gnutls_pk.h b/lib/gnutls_pk.h
index 189c61c..ee2b80b 100644
--- a/lib/gnutls_pk.h
+++ b/lib/gnutls_pk.h
@@ -33,6 +33,7 @@ extern gnutls_crypto_pk_st _gnutls_pk_ops;
#define _gnutls_pk_verify_params( algo, params) _gnutls_pk_ops.verify_params(
algo, params)
#define _gnutls_pk_derive( algo, out, pub, priv) _gnutls_pk_ops.derive( algo,
out, pub, priv)
#define _gnutls_pk_generate( algo, bits, priv) _gnutls_pk_ops.generate( algo,
bits, priv)
+#define _gnutls_pk_hash_algorithm( pk, sig, params, hash)
_gnutls_pk_ops.hash_algorithm(pk, sig, params, hash)
inline static int
_gnutls_pk_fixup (gnutls_pk_algorithm_t algo, gnutls_direction_t direction,
@@ -46,19 +47,6 @@ _gnutls_pk_fixup (gnutls_pk_algorithm_t algo,
gnutls_direction_t direction,
int _gnutls_pk_params_copy (gnutls_pk_params_st * dst, const
gnutls_pk_params_st * src);
/* The internal PK interface */
-int _gnutls_pkcs1_rsa_encrypt (gnutls_datum_t * ciphertext,
- const gnutls_datum_t * plaintext,
- gnutls_pk_params_st * params,
- unsigned btype);
-int _gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext,
- const gnutls_datum_t * ciphertext,
- gnutls_pk_params_st* params,
- unsigned btype);
-int _gnutls_rsa_verify (const gnutls_datum_t * vdata,
- const gnutls_datum_t * ciphertext,
- gnutls_pk_params_st*,
- int btype);
-
int
_gnutls_encode_ber_rs (gnutls_datum_t * sig_value, bigint_t r, bigint_t s);
@@ -66,6 +54,16 @@ int
_gnutls_decode_ber_rs (const gnutls_datum_t * sig_value, bigint_t * r,
bigint_t * s);
+int
+encode_ber_digest_info (gnutls_digest_algorithm_t hash,
+ const gnutls_datum_t * digest,
+ gnutls_datum_t * output);
+
+int
+decode_ber_digest_info (const gnutls_datum_t * info,
+ gnutls_digest_algorithm_t * hash,
+ uint8_t * digest, unsigned int *digest_size);
+
int _gnutls_pk_get_hash_algorithm (gnutls_pk_algorithm_t pk,
gnutls_pk_params_st*,
gnutls_digest_algorithm_t * dig,
diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c
index 9cb820e..3b44463 100644
--- a/lib/gnutls_privkey.c
+++ b/lib/gnutls_privkey.c
@@ -562,7 +562,7 @@ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
* together with a hash functions. Different hash functions may be
* used for the RSA algorithm, but only the SHA family for the DSA keys.
*
- * Use gnutls_pubkey_get_preferred_hash_algorithm() to determine
+ * You may use gnutls_pubkey_get_preferred_hash_algorithm() to determine
* the hash algorithm.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
@@ -623,7 +623,7 @@ cleanup:
* together with a hash functions. Different hash functions may be
* used for the RSA algorithm, but only SHA-XXX for the DSA keys.
*
- * Use gnutls_pubkey_get_preferred_hash_algorithm() to determine
+ * You may use gnutls_pubkey_get_preferred_hash_algorithm() to determine
* the hash algorithm.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
@@ -701,9 +701,8 @@ _gnutls_privkey_sign_hash (gnutls_privkey_t key,
hash, signature);
#endif
case GNUTLS_PRIVKEY_X509:
- return _gnutls_soft_sign (key->key.x509->pk_algorithm,
- &key->key.x509->params,
- hash, signature);
+ return _gnutls_pk_sign (key->key.x509->pk_algorithm,
+ signature, hash, &key->key.x509->params);
case GNUTLS_PRIVKEY_EXT:
if (key->key.ext.sign_func == NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -735,23 +734,16 @@ gnutls_privkey_decrypt_data (gnutls_privkey_t key,
const gnutls_datum_t * ciphertext,
gnutls_datum_t * plaintext)
{
- if (key->pk_algorithm != GNUTLS_PK_RSA)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
switch (key->type)
{
#ifdef ENABLE_OPENPGP
case GNUTLS_PRIVKEY_OPENPGP:
return _gnutls_openpgp_privkey_decrypt_data (key->key.openpgp, flags,
- ciphertext, plaintext);
+ ciphertext, plaintext);
#endif
case GNUTLS_PRIVKEY_X509:
- return _gnutls_pkcs1_rsa_decrypt (plaintext, ciphertext,
- &key->key.x509->params,
- 2);
+ return _gnutls_pk_decrypt (key->pk_algorithm, plaintext, ciphertext,
+ &key->key.x509->params);
#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
return _gnutls_pkcs11_privkey_decrypt_data (key->key.pkcs11,
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index 6496537..aaae702 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -1,5 +1,5 @@
/*
- * GnuTLS PKCS#11 support
+ * GnuTLS public key support
* Copyright (C) 2010-2012 Free Software Foundation, Inc.
*
* Author: Nikos Mavrogiannopoulos
@@ -1305,7 +1305,9 @@ gnutls_pubkey_import_dsa_raw (gnutls_pubkey_t key,
* parameters from the certificate.
*
* Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
- * is returned, and zero or positive code on success.
+ * is returned, and zero or positive code on success.
+ *
+ * Deprecated. Use gnutls_pubkey_verify_data2() instead of this function.
*
* Since: 2.12.0
**/
@@ -1350,10 +1352,10 @@ gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey,
unsigned int flags,
**/
int
gnutls_pubkey_verify_data2 (gnutls_pubkey_t pubkey,
- gnutls_sign_algorithm_t algo,
- unsigned int flags,
- const gnutls_datum_t * data,
- const gnutls_datum_t * signature)
+ gnutls_sign_algorithm_t algo,
+ unsigned int flags,
+ const gnutls_datum_t * data,
+ const gnutls_datum_t * signature)
{
int ret;
@@ -1363,8 +1365,8 @@ gnutls_pubkey_verify_data2 (gnutls_pubkey_t pubkey,
return GNUTLS_E_INVALID_REQUEST;
}
- ret = pubkey_verify_data( pubkey->pk_algorithm,
_gnutls_sign_get_hash_algorithm(algo), data, signature,
- &pubkey->params);
+ ret = pubkey_verify_data( pubkey->pk_algorithm,
_gnutls_sign_get_hash_algorithm(algo),
+ data, signature, &pubkey->params);
if (ret < 0)
{
gnutls_assert();
@@ -1382,7 +1384,9 @@ gnutls_pubkey_verify_data2 (gnutls_pubkey_t pubkey,
* @signature: contains the signature
*
* This function will verify the given signed digest, using the
- * parameters from the public key.
+ * parameters from the public key.
+ *
+ * Deprecated. Use gnutls_pubkey_verify_hash2() instead of this function.
*
* Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
* is returned, and zero or positive code on success.
@@ -1394,6 +1398,40 @@ gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned
int flags,
const gnutls_datum_t * hash,
const gnutls_datum_t * signature)
{
+gnutls_digest_algorithm_t algo;
+int ret;
+
+ ret = gnutls_pubkey_get_verify_algorithm (key, signature, &algo);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ return gnutls_pubkey_verify_hash2(key, gnutls_pk_to_sign(key->pk_algorithm,
algo),
+ flags, hash, signature);
+}
+
+/**
+ * gnutls_pubkey_verify_hash2:
+ * @key: Holds the public key
+ * @algo: The signature algorithm used
+ * @flags: should be 0 for now
+ * @hash: holds the hash digest to be verified
+ * @signature: contains the signature
+ *
+ * This function will verify the given signed digest, using the
+ * parameters from the public key.
+ *
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
+ * is returned, and zero or positive code on success.
+ *
+ * Since: 3.0
+ **/
+int
+gnutls_pubkey_verify_hash2 (gnutls_pubkey_t key,
+ gnutls_sign_algorithm_t algo,
+ unsigned int flags,
+ const gnutls_datum_t * hash,
+ const gnutls_datum_t * signature)
+{
if (key == NULL)
{
gnutls_assert ();
@@ -1401,11 +1439,11 @@ gnutls_pubkey_verify_hash (gnutls_pubkey_t key,
unsigned int flags,
}
if (flags & GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA)
- return _gnutls_rsa_verify (hash, signature, &key->params, 1);
+ return _gnutls_pk_verify (GNUTLS_PK_RSA, hash, signature, &key->params);
else
{
- return pubkey_verify_hashed_data (key->pk_algorithm, hash, signature,
- &key->params);
+ return pubkey_verify_hashed_data (key->pk_algorithm,
_gnutls_sign_get_hash_algorithm(algo),
+ hash, signature, &key->params);
}
}
@@ -1426,18 +1464,17 @@ gnutls_pubkey_verify_hash (gnutls_pubkey_t key,
unsigned int flags,
**/
int
gnutls_pubkey_encrypt_data (gnutls_pubkey_t key, unsigned int flags,
- const gnutls_datum_t * plaintext,
- gnutls_datum_t * ciphertext)
+ const gnutls_datum_t * plaintext,
+ gnutls_datum_t * ciphertext)
{
- if (key == NULL || key->pk_algorithm != GNUTLS_PK_RSA)
+ if (key == NULL)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
- return _gnutls_pkcs1_rsa_encrypt (ciphertext, plaintext,
- &key->params,
- 2);
+ return _gnutls_pk_encrypt (key->pk_algorithm, ciphertext,
+ plaintext, &key->params);
}
/**
@@ -1535,48 +1572,24 @@ _gnutls_pubkey_get_mpis (gnutls_pubkey_t key,
* params[1] is public key
*/
static int
-_pkcs1_rsa_verify_sig (const gnutls_datum_t * text,
+_pkcs1_rsa_verify_sig (gnutls_digest_algorithm_t hash,
+ const gnutls_datum_t * text,
const gnutls_datum_t * prehash,
const gnutls_datum_t * signature,
gnutls_pk_params_st * params)
{
- gnutls_digest_algorithm_t hash = GNUTLS_DIG_UNKNOWN;
int ret;
- uint8_t digest[MAX_HASH_SIZE], md[MAX_HASH_SIZE], *cmp;
+ uint8_t md[MAX_HASH_SIZE], *cmp;
unsigned int digest_size;
+ gnutls_datum_t d, di;
digest_hd_st hd;
- gnutls_datum_t decrypted;
- ret =
- _gnutls_pkcs1_rsa_decrypt (&decrypted, signature, params, 1);
- if (ret < 0)
+ digest_size = _gnutls_hash_get_algo_len (hash);
+ if (prehash)
{
- gnutls_assert ();
- return ret;
- }
-
- /* decrypted is a BER encoded data of type DigestInfo
- */
-
- digest_size = sizeof (digest);
- if ((ret =
- decode_ber_digest_info (&decrypted, &hash, digest, &digest_size)) != 0)
- {
- gnutls_assert ();
- _gnutls_free_datum (&decrypted);
- return ret;
- }
-
- _gnutls_free_datum (&decrypted);
-
- if (digest_size != _gnutls_hash_get_algo_len (hash))
- {
- gnutls_assert ();
- return GNUTLS_E_ASN1_GENERIC_ERROR;
- }
+ if (prehash->data == NULL || prehash->size != digest_size)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- if (prehash && prehash->data && prehash->size == digest_size)
- {
cmp = prehash->data;
}
else
@@ -1599,29 +1612,39 @@ _pkcs1_rsa_verify_sig (const gnutls_datum_t * text,
cmp = md;
}
+
+ d.data = cmp;
+ d.size = digest_size;
- if (memcmp (cmp, digest, digest_size) != 0)
- {
- gnutls_assert ();
- return GNUTLS_E_PK_SIG_VERIFY_FAILED;
- }
+ /* decrypted is a BER encoded data of type DigestInfo
+ */
- return 0;
+ ret = encode_ber_digest_info (hash, &d, &di);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = _gnutls_pk_verify (GNUTLS_PK_RSA, &di, signature, params);
+
+ _gnutls_free_datum (&di);
+
+ return ret;
}
/* Hashes input data and verifies a signature.
*/
static int
-dsa_verify_hashed_data (const gnutls_datum_t * hash,
+dsa_verify_hashed_data (gnutls_pk_algorithm_t pk,
+ gnutls_digest_algorithm_t algo,
+ const gnutls_datum_t * hash,
const gnutls_datum_t * signature,
- gnutls_pk_algorithm_t pk,
gnutls_pk_params_st* params)
{
gnutls_datum_t digest;
- unsigned int algo;
unsigned int hash_len;
- algo = _gnutls_dsa_q_to_hash (pk, params, &hash_len);
+ if (algo == GNUTLS_DIG_UNKNOWN)
+ algo = _gnutls_dsa_q_to_hash (pk, params, &hash_len);
+ else hash_len = _gnutls_hash_get_algo_len(algo);
/* SHA1 or better allowed */
if (!hash->data || hash->size < hash_len)
@@ -1672,9 +1695,10 @@ dsa_verify_data (gnutls_pk_algorithm_t pk,
*/
int
pubkey_verify_hashed_data (gnutls_pk_algorithm_t pk,
- const gnutls_datum_t * hash,
- const gnutls_datum_t * signature,
- gnutls_pk_params_st * issuer_params)
+ gnutls_digest_algorithm_t hash_algo,
+ const gnutls_datum_t * hash,
+ const gnutls_datum_t * signature,
+ gnutls_pk_params_st * issuer_params)
{
switch (pk)
@@ -1682,7 +1706,7 @@ pubkey_verify_hashed_data (gnutls_pk_algorithm_t pk,
case GNUTLS_PK_RSA:
if (_pkcs1_rsa_verify_sig
- (NULL, hash, signature, issuer_params) != 0)
+ (hash_algo, NULL, hash, signature, issuer_params) != 0)
{
gnutls_assert ();
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
@@ -1693,7 +1717,7 @@ pubkey_verify_hashed_data (gnutls_pk_algorithm_t pk,
case GNUTLS_PK_EC:
case GNUTLS_PK_DSA:
- if (dsa_verify_hashed_data(hash, signature, pk, issuer_params) != 0)
+ if (dsa_verify_hashed_data(pk, hash_algo, hash, signature,
issuer_params) != 0)
{
gnutls_assert ();
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
@@ -1713,7 +1737,7 @@ pubkey_verify_hashed_data (gnutls_pk_algorithm_t pk,
*/
int
pubkey_verify_data (gnutls_pk_algorithm_t pk,
- gnutls_digest_algorithm_t algo,
+ gnutls_digest_algorithm_t hash_algo,
const gnutls_datum_t * data,
const gnutls_datum_t * signature,
gnutls_pk_params_st * issuer_params)
@@ -1724,7 +1748,7 @@ pubkey_verify_data (gnutls_pk_algorithm_t pk,
case GNUTLS_PK_RSA:
if (_pkcs1_rsa_verify_sig
- (data, NULL, signature, issuer_params) != 0)
+ (hash_algo, data, NULL, signature, issuer_params) != 0)
{
gnutls_assert ();
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
@@ -1735,7 +1759,7 @@ pubkey_verify_data (gnutls_pk_algorithm_t pk,
case GNUTLS_PK_EC:
case GNUTLS_PK_DSA:
- if (dsa_verify_data(pk, algo, data, signature, issuer_params) != 0)
+ if (dsa_verify_data(pk, hash_algo, data, signature, issuer_params) != 0)
{
gnutls_assert ();
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index afed87f..c576655 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -45,10 +45,6 @@ sign_tls_hash (gnutls_session_t session,
gnutls_digest_algorithm_t hash_algo,
const gnutls_datum_t * hash_concat,
gnutls_datum_t * signature);
-static int
-encode_ber_digest_info (gnutls_digest_algorithm_t hash,
- const gnutls_datum_t * digest,
- gnutls_datum_t * output);
/* While this is currently equal to the length of RSA/SHA512
* signature, it should also be sufficient for DSS signature and any
@@ -163,41 +159,6 @@ _gnutls_handshake_sign_data (gnutls_session_t session,
gnutls_pcert_st* cert,
}
-
-/* This will create a PKCS1 or DSA signature, using the given parameters, and
the
- * given data. The output will be allocated and be put in signature.
- */
-int
-_gnutls_soft_sign (gnutls_pk_algorithm_t algo, gnutls_pk_params_st * params,
- const gnutls_datum_t * data,
- gnutls_datum_t * signature)
-{
- int ret;
-
- switch (algo)
- {
- case GNUTLS_PK_RSA:
- /* encrypt */
- if ((ret = _gnutls_pkcs1_rsa_encrypt (signature, data, params, 1)) < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- break;
- default:
- ret = _gnutls_pk_sign( algo, signature, data, params);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
- break;
- }
-
- return 0;
-}
-
/* This will create a PKCS1 or DSA signature, as defined in the TLS protocol.
* Cert is the certificate of the corresponding private key. It is only
checked if
* it supports signing.
@@ -270,9 +231,10 @@ es_cleanup:
static int
verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st* cert,
- const gnutls_datum_t * hash_concat,
- gnutls_datum_t * signature, size_t sha1pos,
- gnutls_pk_algorithm_t pk_algo)
+ const gnutls_datum_t * hash_concat,
+ gnutls_datum_t * signature, size_t sha1pos,
+ gnutls_sign_algorithm_t sign_algo,
+ gnutls_pk_algorithm_t pk_algo)
{
int ret;
gnutls_datum_t vdata;
@@ -309,12 +271,9 @@ verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st*
cert,
flags = GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA;
else
flags = 0;
-
-
break;
case GNUTLS_PK_DSA:
case GNUTLS_PK_EC:
-
vdata.data = &hash_concat->data[sha1pos];
vdata.size = hash_concat->size - sha1pos;
@@ -326,8 +285,8 @@ verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st*
cert,
return GNUTLS_E_INTERNAL_ERROR;
}
- ret = gnutls_pubkey_verify_hash(cert->pubkey, flags, &vdata,
- signature);
+ ret = gnutls_pubkey_verify_hash2(cert->pubkey, sign_algo, flags,
+ &vdata, signature);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -344,7 +303,7 @@ int
_gnutls_handshake_verify_data (gnutls_session_t session, gnutls_pcert_st* cert,
const gnutls_datum_t * params,
gnutls_datum_t * signature,
- gnutls_sign_algorithm_t algo)
+ gnutls_sign_algorithm_t sign_algo)
{
gnutls_datum_t dconcat;
int ret;
@@ -357,17 +316,17 @@ _gnutls_handshake_verify_data (gnutls_session_t session,
gnutls_pcert_st* cert,
if (_gnutls_version_has_selectable_sighash (ver))
{
_gnutls_handshake_log ("HSK[%p]: verify handshake data: using %s\n",
- session, gnutls_sign_algorithm_get_name (algo));
+ session, gnutls_sign_algorithm_get_name (sign_algo));
- ret = _gnutls_pubkey_compatible_with_sig(cert->pubkey, ver, algo);
+ ret = _gnutls_pubkey_compatible_with_sig(cert->pubkey, ver, sign_algo);
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_session_sign_algo_enabled (session, algo);
+ ret = _gnutls_session_sign_algo_enabled (session, sign_algo);
if (ret < 0)
return gnutls_assert_val(ret);
- hash_algo = _gnutls_sign_get_hash_algorithm (algo);
+ hash_algo = _gnutls_sign_get_hash_algorithm (sign_algo);
}
else
{
@@ -420,7 +379,8 @@ _gnutls_handshake_verify_data (gnutls_session_t session,
gnutls_pcert_st* cert,
ret = verify_tls_hash (ver, cert, &dconcat, signature,
dconcat.size -
_gnutls_hash_get_algo_len (hash_algo),
- _gnutls_sign_get_pk_algorithm (algo));
+ sign_algo,
+ _gnutls_sign_get_pk_algorithm (sign_algo));
if (ret < 0)
{
gnutls_assert ();
@@ -465,7 +425,7 @@ _gnutls_handshake_verify_crt_vrfy12 (gnutls_session_t
session,
dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
ret =
- verify_tls_hash (ver, cert, &dconcat, signature, 0, pk);
+ verify_tls_hash (ver, cert, &dconcat, signature, 0, sign_algo, pk);
if (ret < 0)
{
gnutls_assert ();
@@ -498,7 +458,7 @@ _gnutls_handshake_verify_crt_vrfy (gnutls_session_t session,
if (_gnutls_version_has_selectable_sighash(ver))
return _gnutls_handshake_verify_crt_vrfy12 (session, cert, signature,
- sign_algo);
+ sign_algo);
ret =
_gnutls_hash_init (&td_md5, GNUTLS_DIG_MD5);
@@ -560,7 +520,8 @@ _gnutls_handshake_verify_crt_vrfy (gnutls_session_t session,
ret =
verify_tls_hash (ver, cert, &dconcat, signature, 16,
- gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL));
+ GNUTLS_SIGN_UNKNOWN,
+ gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL));
if (ret < 0)
{
gnutls_assert ();
@@ -788,170 +749,3 @@ pk_prepare_hash (gnutls_pk_algorithm_t pk,
return 0;
}
-/* Reads the digest information.
- * we use DER here, although we should use BER. It works fine
- * anyway.
- */
-int
-decode_ber_digest_info (const gnutls_datum_t * info,
- gnutls_digest_algorithm_t * hash,
- uint8_t * digest, unsigned int *digest_size)
-{
- ASN1_TYPE dinfo = ASN1_TYPE_EMPTY;
- int result;
- char str[1024];
- int len;
-
- if ((result = asn1_create_element (_gnutls_get_gnutls_asn (),
- "GNUTLS.DigestInfo",
- &dinfo)) != ASN1_SUCCESS)
- {
- gnutls_assert ();
- return _gnutls_asn2err (result);
- }
-
- result = asn1_der_decoding (&dinfo, info->data, info->size, NULL);
- if (result != ASN1_SUCCESS)
- {
- gnutls_assert ();
- asn1_delete_structure (&dinfo);
- return _gnutls_asn2err (result);
- }
-
- len = sizeof (str) - 1;
- result = asn1_read_value (dinfo, "digestAlgorithm.algorithm", str, &len);
- if (result != ASN1_SUCCESS)
- {
- gnutls_assert ();
- asn1_delete_structure (&dinfo);
- return _gnutls_asn2err (result);
- }
-
- *hash = _gnutls_x509_oid_to_digest (str);
-
- if (*hash == GNUTLS_DIG_UNKNOWN)
- {
-
- _gnutls_debug_log ("verify.c: HASH OID: %s\n", str);
-
- gnutls_assert ();
- asn1_delete_structure (&dinfo);
- return GNUTLS_E_UNKNOWN_ALGORITHM;
- }
-
- len = sizeof (str) - 1;
- result = asn1_read_value (dinfo, "digestAlgorithm.parameters", str, &len);
- /* To avoid permitting garbage in the parameters field, either the
- parameters field is not present, or it contains 0x05 0x00. */
- if (!(result == ASN1_ELEMENT_NOT_FOUND ||
- (result == ASN1_SUCCESS && len == ASN1_NULL_SIZE &&
- memcmp (str, ASN1_NULL, ASN1_NULL_SIZE) == 0)))
- {
- gnutls_assert ();
- asn1_delete_structure (&dinfo);
- return GNUTLS_E_ASN1_GENERIC_ERROR;
- }
-
- len = *digest_size;
- result = asn1_read_value (dinfo, "digest", digest, &len);
-
- if (result != ASN1_SUCCESS)
- {
- gnutls_assert ();
- *digest_size = len;
- asn1_delete_structure (&dinfo);
- return _gnutls_asn2err (result);
- }
-
- *digest_size = len;
- asn1_delete_structure (&dinfo);
-
- return 0;
-}
-
-/* Writes the digest information and the digest in a DER encoded
- * structure. The digest info is allocated and stored into the info structure.
- */
-static int
-encode_ber_digest_info (gnutls_digest_algorithm_t hash,
- const gnutls_datum_t * digest,
- gnutls_datum_t * output)
-{
- ASN1_TYPE dinfo = ASN1_TYPE_EMPTY;
- int result;
- const char *algo;
- uint8_t *tmp_output;
- int tmp_output_size;
-
- algo = _gnutls_x509_mac_to_oid ((gnutls_mac_algorithm_t) hash);
- if (algo == NULL)
- {
- gnutls_assert ();
- _gnutls_debug_log ("Hash algorithm: %d has no OID\n", hash);
- return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
- }
-
- if ((result = asn1_create_element (_gnutls_get_gnutls_asn (),
- "GNUTLS.DigestInfo",
- &dinfo)) != ASN1_SUCCESS)
- {
- gnutls_assert ();
- return _gnutls_asn2err (result);
- }
-
- result = asn1_write_value (dinfo, "digestAlgorithm.algorithm", algo, 1);
- if (result != ASN1_SUCCESS)
- {
- gnutls_assert ();
- asn1_delete_structure (&dinfo);
- return _gnutls_asn2err (result);
- }
-
- /* Write an ASN.1 NULL in the parameters field. This matches RFC
- 3279 and RFC 4055, although is arguable incorrect from a historic
- perspective (see those documents for more information).
- Regardless of what is correct, this appears to be what most
- implementations do. */
- result = asn1_write_value (dinfo, "digestAlgorithm.parameters",
- ASN1_NULL, ASN1_NULL_SIZE);
- if (result != ASN1_SUCCESS)
- {
- gnutls_assert ();
- asn1_delete_structure (&dinfo);
- return _gnutls_asn2err (result);
- }
-
- result = asn1_write_value (dinfo, "digest", digest->data, digest->size);
- if (result != ASN1_SUCCESS)
- {
- gnutls_assert ();
- asn1_delete_structure (&dinfo);
- return _gnutls_asn2err (result);
- }
-
- tmp_output_size = 0;
- asn1_der_coding (dinfo, "", NULL, &tmp_output_size, NULL);
-
- tmp_output = gnutls_malloc (tmp_output_size);
- if (output->data == NULL)
- {
- gnutls_assert ();
- asn1_delete_structure (&dinfo);
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- result = asn1_der_coding (dinfo, "", tmp_output, &tmp_output_size, NULL);
- if (result != ASN1_SUCCESS)
- {
- gnutls_assert ();
- asn1_delete_structure (&dinfo);
- return _gnutls_asn2err (result);
- }
-
- asn1_delete_structure (&dinfo);
-
- output->size = tmp_output_size;
- output->data = tmp_output;
-
- return 0;
-}
diff --git a/lib/gnutls_sig.h b/lib/gnutls_sig.h
index cd4981d..25ef26a 100644
--- a/lib/gnutls_sig.h
+++ b/lib/gnutls_sig.h
@@ -48,11 +48,6 @@ int _gnutls_handshake_verify_data (gnutls_session_t session,
gnutls_datum_t * signature,
gnutls_sign_algorithm_t algo);
-int _gnutls_soft_sign (gnutls_pk_algorithm_t algo,
- gnutls_pk_params_st* params,
- const gnutls_datum_t * data,
- gnutls_datum_t * signature);
-
int pk_prepare_hash (gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash,
gnutls_datum_t * output);
int pk_hash_data (gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash,
@@ -64,9 +59,5 @@ _gnutls_privkey_sign_hash (gnutls_privkey_t key,
const gnutls_datum_t * hash,
gnutls_datum_t * signature);
-int
-decode_ber_digest_info (const gnutls_datum_t * info,
- gnutls_digest_algorithm_t * hash,
- uint8_t * digest, unsigned int *digest_size);
#endif
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index b220e08..18a86f2 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -1588,36 +1588,6 @@ gnutls_certificate_set_x509_trust_file
(gnutls_certificate_credentials_t cred,
return ret;
}
-#ifdef DEFAULT_TRUST_STORE_FILE
-static int
-_gnutls_certificate_set_x509_system_trust_file
(gnutls_certificate_credentials_t cred)
-{
- int ret;
- gnutls_datum_t cas;
- size_t size;
-
- cas.data = (void*)read_binary_file (DEFAULT_TRUST_STORE_FILE, &size);
- if (cas.data == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_FILE_ERROR;
- }
-
- cas.size = size;
-
- ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM);
-
- free (cas.data);
-
- if (ret < 0)
- {
- gnutls_assert ();
- }
-
- return ret;
-}
-#endif
-
/**
* gnutls_certificate_set_x509_system_trust:
* @cred: is a #gnutls_certificate_credentials_t structure.
@@ -1625,26 +1595,18 @@ _gnutls_certificate_set_x509_system_trust_file
(gnutls_certificate_credentials_t
* This function adds the system's default trusted CAs in order to
* verify client or server certificates.
*
+ * In the case the system is currently unsupported
%GNUTLS_E_UNIMPLEMENTED_FEATURE
+ * is returned.
+ *
* Returns: the number of certificates processed or a negative error code
* on error.
*
- * Since: 3.1
+ * Since: 3.0
**/
int
gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t
cred)
{
- int ret, r = 0;
-#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
- ret = read_cas_url (cred, DEFAULT_TRUST_STORE_PKCS11);
- if (ret > 0)
- r += ret;
-#endif
-#ifdef DEFAULT_TRUST_STORE_FILE
- ret = _gnutls_certificate_set_x509_system_trust_file(cred);
- if (ret > 0)
- r += ret;
-#endif
- return r;
+ return gnutls_x509_trust_list_add_system_trust(cred->list, 0, 0);
}
static int
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index b89da86..f12e9ac 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -137,18 +137,17 @@ int gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq,
gnutls_pubkey_t key);
#define GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA 1
int
-gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
- const gnutls_datum_t * hash,
- const gnutls_datum_t * signature);
+gnutls_pubkey_verify_hash2 (gnutls_pubkey_t key,
+ gnutls_sign_algorithm_t algo,
+ unsigned int flags,
+ const gnutls_datum_t * hash,
+ const gnutls_datum_t * signature);
+
int
gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
const gnutls_datum_t * signature,
gnutls_digest_algorithm_t * hash);
-int gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey,
- unsigned int flags,
- const gnutls_datum_t * data,
- const gnutls_datum_t * signature);
int
gnutls_pubkey_verify_data2 (gnutls_pubkey_t pubkey,
gnutls_sign_algorithm_t algo,
@@ -290,6 +289,17 @@ gnutls_certificate_set_key
(gnutls_certificate_credentials_t res,
int pcert_list_size,
gnutls_privkey_t key);
+#include <gnutls/compat.h>
+
+int gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey,
+ unsigned int flags,
+ const gnutls_datum_t * data,
+ const gnutls_datum_t * signature)
_GNUTLS_GCC_ATTR_DEPRECATED;
+
+int gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
+ const gnutls_datum_t * hash,
+ const gnutls_datum_t * signature)
_GNUTLS_GCC_ATTR_DEPRECATED;
+
#ifdef __cplusplus
}
#endif
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index e9d92fd..50cc22d 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -770,10 +770,11 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t
session);
gnutls_cipher_algorithm_t gnutls_cipher_get (gnutls_session_t session);
gnutls_kx_algorithm_t gnutls_kx_get (gnutls_session_t session);
gnutls_mac_algorithm_t gnutls_mac_get (gnutls_session_t session);
- gnutls_compression_method_t
+ gnutls_compression_method_t
gnutls_compression_get (gnutls_session_t session);
- gnutls_certificate_type_t
+ gnutls_certificate_type_t
gnutls_certificate_type_get (gnutls_session_t session);
+
int gnutls_sign_algorithm_get_requested (gnutls_session_t session,
size_t indx,
gnutls_sign_algorithm_t * algo);
@@ -791,6 +792,10 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t
session);
type);
const char *gnutls_pk_get_name (gnutls_pk_algorithm_t algorithm);
const char *gnutls_sign_get_name (gnutls_sign_algorithm_t algorithm);
+
+ gnutls_sign_algorithm_t gnutls_pk_to_sign (gnutls_pk_algorithm_t pk,
+ gnutls_digest_algorithm_t d);
+
#define gnutls_sign_algorithm_get_name gnutls_sign_get_name
gnutls_mac_algorithm_t gnutls_mac_get_id (const char *name);
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index c7385ad..7ac20a4 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -786,6 +786,8 @@ GNUTLS_3_0_0 {
gnutls_x509_crt_set_private_key_usage_period;
gnutls_x509_crq_set_private_key_usage_period;
gnutls_session_get_random;
+ gnutls_pubkey_verify_hash2;
+ gnutls_pk_to_sign;
} GNUTLS_2_12;
GNUTLS_3_1_0 {
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index d7e9a05..ea46f4c 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -30,6 +30,7 @@
#include <gnutls_errors.h>
#include <gnutls_datum.h>
#include <gnutls_global.h>
+#include <gnutls_sig.h>
#include <gnutls_num.h>
#include <x509/x509_int.h>
#include <x509/common.h>
@@ -78,7 +79,16 @@ _rsa_params_to_privkey (const gnutls_pk_params_st *
pk_params,
memcpy (&priv->c, pk_params->params[5], sizeof (mpz_t));
memcpy (&priv->a, pk_params->params[6], sizeof (mpz_t));
memcpy (&priv->b, pk_params->params[7], sizeof (mpz_t));
+ priv->size =
nettle_mpz_sizeinbase_256_u(TOMPZ(pk_params->params[RSA_MODULUS]));
+}
+static void
+_rsa_params_to_pubkey (const gnutls_pk_params_st * pk_params,
+ struct rsa_public_key *pub)
+{
+ memcpy (&pub->n, pk_params->params[RSA_MODULUS], sizeof (mpz_t));
+ memcpy (&pub->e, pk_params->params[RSA_PUB], sizeof (mpz_t));
+ pub->size = nettle_mpz_sizeinbase_256_u(pub->n);
}
static void
@@ -192,25 +202,26 @@ _wrap_nettle_pk_encrypt (gnutls_pk_algorithm_t algo,
const gnutls_pk_params_st * pk_params)
{
int ret;
+ mpz_t p;
+
+ mpz_init(p);
switch (algo)
{
case GNUTLS_PK_RSA:
{
- bigint_t p;
+ struct rsa_public_key pub;
+
+ _rsa_params_to_pubkey (pk_params, &pub);
- if (_gnutls_mpi_scan_nz (&p, plaintext->data, plaintext->size) != 0)
+ ret = rsa_encrypt(&pub, NULL, rnd_func, plaintext->size,
plaintext->data, p);
+ if (ret == 0)
{
- gnutls_assert ();
- return GNUTLS_E_MPI_SCAN_FAILED;
+ ret = gnutls_assert_val(GNUTLS_E_ENCRYPTION_FAILED);
+ goto cleanup;
}
- mpz_powm (p, p, TOMPZ (pk_params->params[1]) /*e */ ,
- TOMPZ (pk_params->params[0] /*m */ ));
-
ret = _gnutls_mpi_dprint_size (p, ciphertext, plaintext->size);
- _gnutls_mpi_release (&p);
-
if (ret < 0)
{
gnutls_assert ();
@@ -229,74 +240,10 @@ _wrap_nettle_pk_encrypt (gnutls_pk_algorithm_t algo,
cleanup:
+ mpz_clear(p);
return ret;
}
-/* returns the blinded c and the inverse of a random
- * number r;
- */
-static bigint_t
-rsa_blind (bigint_t c, bigint_t e, bigint_t n, bigint_t * _ri)
-{
- bigint_t nc = NULL, r = NULL, ri = NULL;
-
- /* nc = c*(r^e)
- * ri = r^(-1)
- */
- nc = _gnutls_mpi_alloc_like (n);
- if (nc == NULL)
- {
- gnutls_assert ();
- return NULL;
- }
-
- ri = _gnutls_mpi_alloc_like (n);
- if (nc == NULL)
- {
- gnutls_assert ();
- goto fail;
- }
-
- r = _gnutls_mpi_randomize (NULL, _gnutls_mpi_get_nbits (n),
- GNUTLS_RND_NONCE);
- if (r == NULL)
- {
- gnutls_assert ();
- goto fail;
- }
-
- /* invert r */
- if (mpz_invert (ri, r, n) == 0)
- {
- gnutls_assert ();
- goto fail;
- }
-
- /* r = r^e */
-
- _gnutls_mpi_powm (r, r, e, n);
-
- _gnutls_mpi_mulm (nc, c, r, n);
-
- *_ri = ri;
-
- _gnutls_mpi_release (&r);
-
- return nc;
-fail:
- _gnutls_mpi_release (&nc);
- _gnutls_mpi_release (&r);
- return NULL;
-}
-
-/* c = c*ri mod n
- */
-static inline void
-rsa_unblind (bigint_t c, bigint_t ri, bigint_t n)
-{
- _gnutls_mpi_mulm (c, c, ri, n);
-}
-
static int
_wrap_nettle_pk_decrypt (gnutls_pk_algorithm_t algo,
gnutls_datum_t * plaintext,
@@ -305,44 +252,44 @@ _wrap_nettle_pk_decrypt (gnutls_pk_algorithm_t algo,
{
int ret;
+ plaintext->data = NULL;
+
/* make a sexp from pkey */
switch (algo)
{
case GNUTLS_PK_RSA:
{
struct rsa_private_key priv;
- bigint_t c, ri, nc;
+ struct rsa_public_key pub;
+ unsigned length;
+ bigint_t c;
+
+ memset(&priv, 0, sizeof(priv));
+ _rsa_params_to_privkey (pk_params, &priv);
+ _rsa_params_to_pubkey (pk_params, &pub);
if (_gnutls_mpi_scan_nz (&c, ciphertext->data, ciphertext->size) != 0)
{
- gnutls_assert ();
- return GNUTLS_E_MPI_SCAN_FAILED;
+ ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
+ goto cleanup;
}
- nc = rsa_blind (c, pk_params->params[1] /*e */ ,
- pk_params->params[0] /*m */ , &ri);
- _gnutls_mpi_release (&c);
- if (nc == NULL)
+ length = pub.size;
+ plaintext->data = gnutls_malloc(length);
+ if (plaintext->data == NULL)
{
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ goto cleanup;
}
+
+ ret = rsa_decrypt_tr(&pub, &priv, NULL, rnd_func, &length,
plaintext->data,
+ TOMPZ(c));
+ _gnutls_mpi_release (&c);
+ plaintext->size = length;
- memset(&priv, 0, sizeof(priv));
- _rsa_params_to_privkey (pk_params, &priv);
-
- rsa_compute_root (&priv, TOMPZ (nc), TOMPZ (nc));
-
- rsa_unblind (nc, ri, pk_params->params[0] /*m */ );
-
- ret = _gnutls_mpi_dprint_size (nc, plaintext, ciphertext->size);
-
- _gnutls_mpi_release (&nc);
- _gnutls_mpi_release (&ri);
-
- if (ret < 0)
+ if (ret == 0)
{
- gnutls_assert ();
+ ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
goto cleanup;
}
@@ -357,6 +304,8 @@ _wrap_nettle_pk_decrypt (gnutls_pk_algorithm_t algo,
ret = 0;
cleanup:
+ if (ret < 0)
+ gnutls_free(plaintext->data);
return ret;
}
@@ -460,38 +409,26 @@ _wrap_nettle_pk_sign (gnutls_pk_algorithm_t algo,
case GNUTLS_PK_RSA:
{
struct rsa_private_key priv;
- bigint_t hash, nc, ri;
-
- if (_gnutls_mpi_scan_nz (&hash, vdata->data, vdata->size) != 0)
- {
- gnutls_assert ();
- return GNUTLS_E_MPI_SCAN_FAILED;
- }
+ mpz_t s;
memset(&priv, 0, sizeof(priv));
_rsa_params_to_privkey (pk_params, &priv);
+
+ mpz_init(s);
- nc = rsa_blind (hash, pk_params->params[1] /*e */ ,
- pk_params->params[0] /*m */ , &ri);
-
- _gnutls_mpi_release (&hash);
-
- if (nc == NULL)
+/* XXX update when _tr is available */
+ ret = rsa_pkcs1_sign(&priv, vdata->size, vdata->data, s);
+ if (ret == 0)
{
- gnutls_assert ();
- ret = GNUTLS_E_MEMORY_ERROR;
+ gnutls_assert();
+ ret = GNUTLS_E_PK_SIGN_FAILED;
goto rsa_fail;
}
- rsa_compute_root (&priv, TOMPZ (nc), TOMPZ (nc));
-
- rsa_unblind (nc, ri, pk_params->params[0] /*m */ );
-
- ret = _gnutls_mpi_dprint (nc, signature);
+ ret = _gnutls_mpi_dprint (s, signature);
rsa_fail:
- _gnutls_mpi_release (&nc);
- _gnutls_mpi_release (&ri);
+ mpz_clear(s);
if (ret < 0)
{
@@ -515,35 +452,6 @@ cleanup:
}
static int
-_int_rsa_verify (const gnutls_pk_params_st * pk_params,
- bigint_t m, bigint_t s)
-{
- int res;
-
- mpz_t m1;
-
- if ((mpz_sgn (TOMPZ (s)) <= 0)
- || (mpz_cmp (TOMPZ (s), TOMPZ (pk_params->params[0])) >= 0))
- return GNUTLS_E_PK_SIG_VERIFY_FAILED;
-
- mpz_init (m1);
-
- mpz_powm (m1, TOMPZ (s), TOMPZ (pk_params->params[1]),
- TOMPZ (pk_params->params[0]));
-
- res = !mpz_cmp (TOMPZ (m), m1);
-
- mpz_clear (m1);
-
- if (res == 0)
- res = GNUTLS_E_PK_SIG_VERIFY_FAILED;
- else
- res = 0;
-
- return res;
-}
-
-static int
_wrap_nettle_pk_verify (gnutls_pk_algorithm_t algo,
const gnutls_datum_t * vdata,
const gnutls_datum_t * signature,
@@ -625,13 +533,9 @@ _wrap_nettle_pk_verify (gnutls_pk_algorithm_t algo,
}
case GNUTLS_PK_RSA:
{
- bigint_t hash;
-
- if (_gnutls_mpi_scan_nz (&hash, vdata->data, vdata->size) != 0)
- {
- gnutls_assert ();
- return GNUTLS_E_MPI_SCAN_FAILED;
- }
+ struct rsa_public_key pub;
+
+ _rsa_params_to_pubkey (pk_params, &pub);
ret = _gnutls_mpi_scan_nz (&tmp[0], signature->data, signature->size);
if (ret < 0)
@@ -640,9 +544,12 @@ _wrap_nettle_pk_verify (gnutls_pk_algorithm_t algo,
goto cleanup;
}
- ret = _int_rsa_verify (pk_params, hash, tmp[0]);
+ ret = rsa_pkcs1_verify (&pub, vdata->size, vdata->data, TOMPZ(tmp[0]));
+ if (ret == 0)
+ ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
+ else ret = 0;
+
_gnutls_mpi_release (&tmp[0]);
- _gnutls_mpi_release (&hash);
break;
}
default:
@@ -1077,9 +984,149 @@ wrap_nettle_pk_fixup (gnutls_pk_algorithm_t algo,
return 0;
}
+static int
+extract_digest_info(const struct rsa_public_key *key,
+ unsigned *length, uint8_t *digest_info,
+ const mpz_t signature)
+{
+ unsigned i;
+ int ret;
+ mpz_t m;
+ uint8_t *em;
+
+ if (key->size == 0 || *length < key->size)
+ return 0;
+
+ em = gnutls_malloc(key->size);
+ if (em == NULL)
+ return 0;
+
+ mpz_init (m);
+
+ mpz_powm(m, signature, key->e, key->n);
+
+ nettle_mpz_get_str_256(key->size, em, m);
+ mpz_clear(m);
+
+ if (em[0] != 0 || em[1] != 1)
+ {
+ ret = 0;
+ goto cleanup;
+ }
+
+ for (i = 2; i < key->size; i++)
+ {
+ if (em[i] == 0 && i > 2)
+ break;
+
+ if (em[i] != 0xff)
+ {
+ ret = 0;
+ goto cleanup;
+ }
+ }
+
+ i++;
+ memcpy(digest_info, &em[i], key->size-i);
+ *length = key->size-i;
+
+ ret = 1;
+cleanup:
+ gnutls_free(em);
+
+ return ret;
+}
+
+/* Given a signature and parameters, it should return
+ * the hash algorithm used in the signature. This is a kludge
+ * but until we deprecate gnutls_pubkey_get_verify_algorithm()
+ * we depend on it.
+ */
+static int wrap_nettle_hash_algorithm (gnutls_pk_algorithm_t pk,
+ const gnutls_datum_t * sig, gnutls_pk_params_st * issuer_params,
+ gnutls_digest_algorithm_t* hash_algo)
+{
+ uint8_t digest[MAX_HASH_SIZE];
+ uint8_t digest_info[MAX_HASH_SIZE*3];
+ gnutls_datum_t di;
+ unsigned digest_size;
+ mpz_t s;
+ struct rsa_public_key pub;
+ int ret;
+
+ mpz_init(s);
+
+ switch (pk)
+ {
+ case GNUTLS_PK_DSA:
+ case GNUTLS_PK_EC:
+
+ if (hash_algo)
+ *hash_algo = _gnutls_dsa_q_to_hash (pk, issuer_params, NULL);
+
+ ret = 0;
+ break;
+ case GNUTLS_PK_RSA:
+ if (sig == NULL)
+ { /* return a sensible algorithm */
+ if (hash_algo)
+ *hash_algo = GNUTLS_DIG_SHA256;
+ return 0;
+ }
+
+ _rsa_params_to_pubkey (issuer_params, &pub);
+
+ digest_size = sizeof(digest);
+
+ nettle_mpz_set_str_256_u(s, sig->size, sig->data);
+
+ digest_size = sizeof (digest_info);
+ ret = extract_digest_info( &pub, &digest_size, digest_info, s);
+ if (ret == 0)
+ {
+ ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
+ gnutls_assert ();
+ goto cleanup;
+ }
+
+ di.data = digest_info;
+ di.size = digest_size;
+
+ digest_size = sizeof(digest);
+ if ((ret =
+ decode_ber_digest_info (&di, hash_algo, digest,
+ &digest_size)) < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
+ }
+
+ if (digest_size != _gnutls_hash_get_algo_len (*hash_algo))
+ {
+ gnutls_assert ();
+ ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+ ret = 0;
+ break;
+
+ default:
+ gnutls_assert ();
+ ret = GNUTLS_E_INTERNAL_ERROR;
+ }
+
+cleanup:
+ mpz_clear(s);
+ return ret;
+
+}
+
+
int crypto_pk_prio = INT_MAX;
gnutls_crypto_pk_st _gnutls_pk_ops = {
+ .hash_algorithm = wrap_nettle_hash_algorithm,
.encrypt = _wrap_nettle_pk_encrypt,
.decrypt = _wrap_nettle_pk_decrypt,
.sign = _wrap_nettle_pk_sign,
diff --git a/lib/opencdk/main.h b/lib/opencdk/main.h
index e786fe6..72bf7a9 100644
--- a/lib/opencdk/main.h
+++ b/lib/opencdk/main.h
@@ -121,10 +121,6 @@ void _cdk_kbnode_add (cdk_kbnode_t root, cdk_kbnode_t
node);
void _cdk_kbnode_clone (cdk_kbnode_t node);
/*-- sesskey.c --*/
-cdk_error_t _cdk_digest_encode_pkcs1 (byte ** r_md, size_t * r_mdlen,
- int pk_algo,
- const byte * md,
- int digest_algo, unsigned nbits);
cdk_error_t _cdk_sk_unprotect_auto (cdk_ctx_t hd, cdk_pkt_seckey_t sk);
/*-- keydb.c --*/
diff --git a/lib/opencdk/pubkey.c b/lib/opencdk/pubkey.c
index ab3d47c..492a0f2 100644
--- a/lib/opencdk/pubkey.c
+++ b/lib/opencdk/pubkey.c
@@ -26,6 +26,7 @@
#include <gnutls_int.h>
#include <gnutls_datum.h>
#include <gnutls_pk.h>
+#include <gnutls_sig.h>
#include <x509/common.h>
#include "opencdk.h"
#include "main.h"
@@ -72,13 +73,12 @@ sig_to_datum (gnutls_datum_t * r_sig, cdk_pkt_signature_t
sig)
cdk_error_t
cdk_pk_verify (cdk_pubkey_t pk, cdk_pkt_signature_t sig, const byte * md)
{
- gnutls_datum_t s_sig;
+ gnutls_datum_t s_sig = { NULL, 0}, di = {NULL, 0};
byte *encmd = NULL;
size_t enclen;
cdk_error_t rc;
int ret, algo;
unsigned int i;
- gnutls_datum_t data;
gnutls_pk_params_st params;
if (!pk || !sig || !md)
@@ -104,22 +104,25 @@ cdk_pk_verify (cdk_pubkey_t pk, cdk_pkt_signature_t sig,
const byte * md)
goto leave;
}
- rc = _cdk_digest_encode_pkcs1 (&encmd, &enclen, pk->pubkey_algo, md,
- sig->digest_algo, cdk_pk_get_nbits (pk));
- if (rc)
+ rc = _gnutls_set_datum (&di, md, _gnutls_hash_get_algo_len
(sig->digest_algo));
+ if (rc < 0)
{
- gnutls_assert ();
+ rc = gnutls_assert_val(CDK_Out_Of_Core);
goto leave;
- }
+ }
- data.data = encmd;
- data.size = enclen;
+ rc = pk_prepare_hash (algo, sig->digest_algo, &di);
+ if (rc < 0)
+ {
+ rc = gnutls_assert_val(CDK_General_Error);
+ goto leave;
+ }
params.params_nr = cdk_pk_get_npkey (pk->pubkey_algo);
for (i = 0; i < params.params_nr; i++)
params.params[i] = pk->mpi[i];
params.flags = 0;
- ret = _gnutls_pk_verify (algo, &data, &s_sig, ¶ms);
+ ret = _gnutls_pk_verify (algo, &di, &s_sig, ¶ms);
if (ret < 0)
{
@@ -132,6 +135,7 @@ cdk_pk_verify (cdk_pubkey_t pk, cdk_pkt_signature_t sig,
const byte * md)
leave:
_gnutls_free_datum (&s_sig);
+ _gnutls_free_datum (&di);
cdk_free (encmd);
return rc;
}
diff --git a/lib/opencdk/seskey.c b/lib/opencdk/seskey.c
index 09863bf..8d1d929 100644
--- a/lib/opencdk/seskey.c
+++ b/lib/opencdk/seskey.c
@@ -29,170 +29,6 @@
#include "main.h"
#include "packet.h"
-
-/* We encode the MD in this way:
- *
- * 0 1 PAD(n bytes) 0 ASN(asnlen bytes) MD(len bytes)
- *
- * PAD consists of FF bytes.
- */
-static cdk_error_t
-do_encode_md (byte ** r_frame, size_t * r_flen, const byte * md, int algo,
- size_t len, unsigned nbits, const byte * asn, size_t asnlen)
-{
- byte *frame = NULL;
- size_t nframe = (nbits + 7) / 8;
- ssize_t i;
- size_t n = 0;
-
- if (!asn || !md || !r_frame || !r_flen)
- return CDK_Inv_Value;
-
- if (len + asnlen + 4 > nframe)
- return CDK_General_Error;
-
- frame = cdk_calloc (1, nframe);
- if (!frame)
- return CDK_Out_Of_Core;
- frame[n++] = 0;
- frame[n++] = 1;
- i = nframe - len - asnlen - 3;
- if (i < 0)
- {
- cdk_free (frame);
- return CDK_Inv_Value;
- }
- memset (frame + n, 0xFF, i);
- n += i;
- frame[n++] = 0;
- memcpy (frame + n, asn, asnlen);
- n += asnlen;
- memcpy (frame + n, md, len);
- n += len;
- if (n != nframe)
- {
- cdk_free (frame);
- return CDK_Inv_Value;
- }
- *r_frame = frame;
- *r_flen = n;
- return 0;
-}
-
-static const byte md5_asn[18] = /* Object ID is 1.2.840.113549.2.5 */
-{ 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48,
- 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10
-};
-
-static const byte sha1_asn[15] = /* Object ID is 1.3.14.3.2.26 */
-{ 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03,
- 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
-};
-
-static const byte sha224_asn[19] = /* Object ID is 2.16.840.1.101.3.4.2.4
*/
-{ 0x30, 0x2D, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
- 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04,
- 0x1C
-};
-
-static const byte sha256_asn[19] = /* Object ID is
2.16.840.1.101.3.4.2.1 */
-{ 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
- 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
- 0x00, 0x04, 0x20
-};
-
-static const byte sha512_asn[] = /* Object ID is 2.16.840.1.101.3.4.2.3
*/
-{
- 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
- 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
- 0x00, 0x04, 0x40
-};
-
-static const byte sha384_asn[] = /* Object ID is 2.16.840.1.101.3.4.2.2
*/
-{
- 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
- 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
- 0x00, 0x04, 0x30
-};
-
-static const byte rmd160_asn[15] = /* Object ID is 1.3.36.3.2.1 */
-{ 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x24, 0x03,
- 0x02, 0x01, 0x05, 0x00, 0x04, 0x14
-};
-
-static int
-_gnutls_get_digest_oid (gnutls_digest_algorithm_t algo, const byte ** data)
-{
- switch (algo)
- {
- case GNUTLS_DIG_MD5:
- *data = md5_asn;
- return sizeof (md5_asn);
- case GNUTLS_DIG_SHA1:
- *data = sha1_asn;
- return sizeof (sha1_asn);
- case GNUTLS_DIG_RMD160:
- *data = rmd160_asn;
- return sizeof (rmd160_asn);
- case GNUTLS_DIG_SHA256:
- *data = sha256_asn;
- return sizeof (sha256_asn);
- case GNUTLS_DIG_SHA384:
- *data = sha384_asn;
- return sizeof (sha384_asn);
- case GNUTLS_DIG_SHA512:
- *data = sha512_asn;
- return sizeof (sha512_asn);
- case GNUTLS_DIG_SHA224:
- *data = sha224_asn;
- return sizeof (sha224_asn);
- default:
- gnutls_assert ();
- return GNUTLS_E_INTERNAL_ERROR;
- }
-}
-
-
-/* Encode the given digest into a pkcs#1 compatible format. */
-cdk_error_t
-_cdk_digest_encode_pkcs1 (byte ** r_md, size_t * r_mdlen, int pk_algo,
- const byte * md, int digest_algo, unsigned nbits)
-{
- size_t dlen;
-
- if (!md || !r_md || !r_mdlen)
- return CDK_Inv_Value;
-
- dlen = _gnutls_hash_get_algo_len (digest_algo);
- if (dlen <= 0)
- return CDK_Inv_Algo;
- if (is_DSA (pk_algo))
- { /* DSS does not use a special encoding. */
- *r_md = cdk_malloc (dlen + 1);
- if (!*r_md)
- return CDK_Out_Of_Core;
- *r_mdlen = dlen;
- memcpy (*r_md, md, dlen);
- return 0;
- }
- else
- {
- const byte *asn;
- int asnlen;
- cdk_error_t rc;
-
- asnlen = _gnutls_get_digest_oid (digest_algo, &asn);
- if (asnlen < 0)
- return asnlen;
-
- rc = do_encode_md (r_md, r_mdlen, md, digest_algo, dlen,
- nbits, asn, asnlen);
- return rc;
- }
- return 0;
-}
-
-
/**
* cdk_s2k_new:
* @ret_s2k: output for the new S2K object
diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c
index 9be87b0..8870ef6 100644
--- a/lib/openpgp/privkey.c
+++ b/lib/openpgp/privkey.c
@@ -1281,7 +1281,7 @@ gnutls_openpgp_privkey_sign_hash
(gnutls_openpgp_privkey_t key,
result =
- _gnutls_soft_sign (pk_algorithm, ¶ms, hash, signature);
+ _gnutls_pk_sign (pk_algorithm, signature, hash, ¶ms);
gnutls_pk_params_release(¶ms);
@@ -1351,22 +1351,12 @@ _gnutls_openpgp_privkey_decrypt_data
(gnutls_openpgp_privkey_t key,
return result;
}
- if (pk_algorithm != GNUTLS_PK_RSA)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- result =
- _gnutls_pkcs1_rsa_decrypt (plaintext, ciphertext, ¶ms, 2);
+ result = _gnutls_pk_decrypt (pk_algorithm, plaintext, ciphertext, ¶ms);
gnutls_pk_params_release(¶ms);
if (result < 0)
- {
- gnutls_assert ();
- return result;
- }
+ return gnutls_assert_val(result);
return 0;
}
diff --git a/lib/system.c b/lib/system.c
index 679bb0a..bec2e09 100644
--- a/lib/system.c
+++ b/lib/system.c
@@ -30,6 +30,7 @@
#ifdef _WIN32
# include <windows.h>
+# include <Wincrypt.h>
#else
# ifdef HAVE_PTHREAD_LOCKS
@@ -346,3 +347,94 @@ const char *home_dir = getenv ("HOME");
return 0;
}
+
+/**
+ * gnutls_x509_trust_list_add_system_trust:
+ * @list: The structure of the list
+ * @tl_flags: GNUTLS_TL_*
+ * @tl_vflags: gnutls_certificate_verify_flags if flags specifies
GNUTLS_TL_VERIFY_CRL
+ *
+ * This function adds the system's default trusted certificate
+ * authorities to the trusted list. Note that on unsupported system
+ * this function returns %GNUTLS_E_UNIMPLEMENTED_FEATURE.
+ *
+ * Returns: The number of added elements or a negative error code on error.
+ *
+ * Since: 3.1
+ **/
+int
+gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
+ unsigned int tl_flags, unsigned int
tl_vflags)
+{
+#if !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE)
&& !defined(_WIN32)
+ return GNUTLS_E_UNIMPLEMENTED_FEATURE;
+#else
+ int ret, r = 0;
+ const char* crl_file =
+# ifdef DEFAULT_CRL_FILE
+ DEFAULT_CRL_FILE;
+# else
+ NULL;
+# endif
+
+# ifdef _WIN32
+ unsigned int i;
+
+ for (i=0;i<2;i++)
+ {
+ HCERTSTORE store;
+ const CERT_CONTEXT *cert;
+ const CRL_CONTEXT *crl;
+ gnutls_datum_t data;
+
+ if (i==0) store = CertOpenSystemStore(0, "ROOT");
+ else store = CertOpenSystemStore(0, "CA");
+
+ if (store == NULL) return GNUTLS_E_FILE_ERROR;
+
+ cert = CertEnumCertificatesInStore(store, NULL);
+ crl = CertEnumCRLsInStore(store, NULL);
+
+ while(cert != NULL)
+ {
+ if (cert->dwCertEncodingType == X509_ASN_ENCODING)
+ {
+ data.data = cert->pbCertEncoded;
+ data.size = cert->cbCertEncoded;
+ if (gnutls_x509_trust_list_add_trust_mem(list, &data, NULL,
GNUTLS_X509_FMT_DER, tl_flags, tl_vflags) > 0)
+ r++;
+ }
+ cert = CertEnumCertificatesInStore(store, cert);
+ }
+
+ while(crl != NULL)
+ {
+ if (crl->dwCertEncodingType == X509_ASN_ENCODING)
+ {
+ data.data = crl->pbCrlEncoded;
+ data.size = crl->cbCrlEncoded;
+ gnutls_x509_trust_list_add_trust_mem(list, NULL, &data,
GNUTLS_X509_FMT_DER, tl_flags, tl_vflags);
+ }
+ crl = CertEnumCRLsInStore(store, crl);
+ }
+ CertCloseStore(store, 0);
+ }
+# endif
+
+# if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
+ ret = gnutls_x509_trust_list_add_trust_file(list,
DEFAULT_TRUST_STORE_PKCS11, crl_file,
+ GNUTLS_X509_FMT_DER, tl_flags,
tl_vflags);
+ if (ret > 0)
+ r += ret;
+# endif
+
+# ifdef DEFAULT_TRUST_STORE_FILE
+ ret = gnutls_x509_trust_list_add_trust_file(list, DEFAULT_TRUST_STORE_FILE,
crl_file,
+ GNUTLS_X509_FMT_PEM, tl_flags,
tl_vflags);
+ if (ret > 0)
+ r += ret;
+# endif
+#endif
+
+ return r;
+}
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index 4d622cc..5f9496b 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -1476,8 +1476,7 @@ _gnutls_x509_privkey_sign_hash2 (gnutls_x509_privkey_t
signer,
goto cleanup;
}
- ret = _gnutls_soft_sign (signer->pk_algorithm, &signer->params,
- &digest, signature);
+ ret = _gnutls_pk_sign (signer->pk_algorithm, signature, &digest,
&signer->params);
if (ret < 0)
{
@@ -1521,8 +1520,8 @@ gnutls_x509_privkey_sign_hash (gnutls_x509_privkey_t key,
return GNUTLS_E_INVALID_REQUEST;
}
- result = _gnutls_soft_sign (key->pk_algorithm, &key->params,
- hash, signature);
+ result = _gnutls_pk_sign (key->pk_algorithm, signature, hash, &key->params);
+
if (result < 0)
{
gnutls_assert ();
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index d6c9991..d76a0f2 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -40,8 +40,8 @@
/**
* gnutls_x509_trust_list_add_trust_mem:
* @list: The structure of the list
- * @ca_file: A file containing a list of CAs (optional)
- * @crl_file: A file containing a list of CRLs (optional)
+ * @cas: A buffer containing a list of CAs (optional)
+ * @crls: A buffer containing a list of CRLs (optional)
* @type: The format of the certificates
* @tl_flags: GNUTLS_TL_*
* @tl_vflags: gnutls_certificate_verify_flags if flags specifies
GNUTLS_TL_VERIFY_CRL
@@ -215,38 +215,3 @@
gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
return ret;
}
-/**
- * gnutls_x509_trust_list_add_system_trust:
- * @list: The structure of the list
- * @tl_flags: GNUTLS_TL_*
- * @tl_vflags: gnutls_certificate_verify_flags if flags specifies
GNUTLS_TL_VERIFY_CRL
- *
- * This function adds the system's default trusted certificate
- * authorities to the trusted list.
- *
- * Returns: The number of added elements is returned.
- *
- * Since: 3.1
- **/
-int
-gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
- unsigned int tl_flags, unsigned int
tl_vflags)
-{
- int ret, r = 0;
-
-#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
- ret = gnutls_x509_trust_list_add_trust_file(list,
DEFAULT_TRUST_STORE_PKCS11, NULL,
- GNUTLS_X509_FMT_DER, tl_flags,
tl_vflags);
- if (ret > 0)
- r += ret;
-#endif
-
-#ifdef DEFAULT_TRUST_STORE_FILE
- ret = gnutls_x509_trust_list_add_trust_file(list, DEFAULT_TRUST_STORE_FILE,
NULL,
- GNUTLS_X509_FMT_PEM, tl_flags,
tl_vflags);
- if (ret > 0)
- r += ret;
-#endif
-
- return r;
-}
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 4a133d4..8c42e13 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -218,9 +218,12 @@ cleanup:
static int
is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer_cert)
{
- gnutls_datum_t dn1 = { NULL, 0 }, dn2 =
- {
- NULL, 0};
+ gnutls_datum_t dn1 = { NULL, 0 },
+ dn2 = { NULL, 0};
+ uint8_t id1[512];
+ uint8_t id2[512];
+ size_t id1_size;
+ size_t id2_size;
int ret;
ret = gnutls_x509_crt_get_raw_issuer_dn (cert, &dn1);
@@ -238,6 +241,34 @@ is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t
issuer_cert)
}
ret = _gnutls_x509_compare_raw_dn (&dn1, &dn2);
+
+ if (ret != 0)
+ {
+ /* check if the authority key identifier matches the subject key
identifier
+ * of the isser */
+ id1_size = sizeof(id1);
+
+ ret = gnutls_x509_crt_get_authority_key_id(cert, id1, &id1_size, NULL);
+ if (ret < 0)
+ {
+ ret = 1;
+ goto cleanup;
+ }
+
+ id2_size = sizeof(id2);
+ ret = gnutls_x509_crt_get_subject_key_id(issuer_cert, id2, &id2_size,
NULL);
+ if (ret < 0)
+ {
+ ret = 1;
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ if (id1_size == id2_size && memcmp(id1, id2, id1_size) == 0)
+ ret = 1;
+ else
+ ret = 0;
+ }
cleanup:
_gnutls_free_datum (&dn1);
@@ -525,7 +556,8 @@ cleanup:
* @issuer: is the certificate of a possible issuer
*
* This function will check if the given certificate was issued by the
- * given issuer.
+ * given issuer. It checks the DN fields and the authority
+ * key identifier and subject key identifier fields match.
*
* Returns: It will return true (1) if the given certificate is issued
* by the given issuer, and false (0) if not. A negative error code is
@@ -682,70 +714,7 @@ _gnutls_x509_verify_algorithm (gnutls_digest_algorithm_t *
hash,
gnutls_pk_algorithm_t pk,
gnutls_pk_params_st * issuer_params)
{
- uint8_t digest[MAX_HASH_SIZE];
- gnutls_datum_t decrypted;
- unsigned int digest_size;
- int ret;
-
- switch (pk)
- {
- case GNUTLS_PK_DSA:
- case GNUTLS_PK_EC:
-
- if (hash)
- *hash = _gnutls_dsa_q_to_hash (pk, issuer_params, NULL);
-
- ret = 0;
- break;
- case GNUTLS_PK_RSA:
- if (signature == NULL)
- { /* return a sensible algorithm */
- if (hash)
- *hash = GNUTLS_DIG_SHA256;
- return 0;
- }
-
- ret =
- _gnutls_pkcs1_rsa_decrypt (&decrypted, signature,
- issuer_params, 1);
-
-
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- digest_size = sizeof (digest);
- if ((ret =
- decode_ber_digest_info (&decrypted, hash, digest,
- &digest_size)) != 0)
- {
- gnutls_assert ();
- _gnutls_free_datum (&decrypted);
- goto cleanup;
- }
-
- _gnutls_free_datum (&decrypted);
- if (digest_size != _gnutls_hash_get_algo_len (*hash))
- {
- gnutls_assert ();
- ret = GNUTLS_E_ASN1_GENERIC_ERROR;
- goto cleanup;
- }
-
- ret = 0;
- break;
-
- default:
- gnutls_assert ();
- ret = GNUTLS_E_INTERNAL_ERROR;
- }
-
-cleanup:
-
- return ret;
-
+ return _gnutls_pk_hash_algorithm(pk, signature, issuer_params, hash);
}
/* verifies if the certificate is properly signed.
@@ -788,39 +757,6 @@ _gnutls_x509_verify_data (gnutls_digest_algorithm_t algo,
return ret;
}
-int
-_gnutls_x509_verify_hashed_data (const gnutls_datum_t * hash,
- const gnutls_datum_t * signature,
- gnutls_x509_crt_t issuer)
-{
- gnutls_pk_params_st issuer_params;
- int ret;
-
- /* Read the MPI parameters from the issuer's certificate.
- */
- ret =
- _gnutls_x509_crt_get_mpis (issuer, &issuer_params);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- ret =
- pubkey_verify_hashed_data (gnutls_x509_crt_get_pk_algorithm (issuer, NULL),
- hash, signature, &issuer_params);
- if (ret < 0)
- {
- gnutls_assert ();
- }
-
- /* release all allocated MPIs
- */
- gnutls_pk_params_release(&issuer_params);
-
- return ret;
-}
-
/**
* gnutls_x509_crt_list_verify:
* @cert_list: is the certificate list to be verified
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index e69bab6..8ebec1f 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -2693,7 +2693,7 @@ gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt,
unsigned int flags,
* This function will verify the given signed digest, using the
* parameters from the certificate.
*
- * Deprecated. Please use gnutls_pubkey_verify_data().
+ * Deprecated. Please use gnutls_pubkey_verify_data2() or
gnutls_pubkey_verify_hash2().
*
* Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
* is returned, and zero or positive code on success.
@@ -2703,7 +2703,9 @@ gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt,
unsigned int flags,
const gnutls_datum_t * hash,
const gnutls_datum_t * signature)
{
- int result;
+ gnutls_pk_params_st params;
+ gnutls_digest_algorithm_t algo;
+ int ret;
if (crt == NULL)
{
@@ -2711,14 +2713,33 @@ gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt,
unsigned int flags,
return GNUTLS_E_INVALID_REQUEST;
}
- result = _gnutls_x509_verify_hashed_data (hash, signature, crt);
- if (result < 0)
+ ret = gnutls_x509_crt_get_verify_algorithm (crt, signature, &algo);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ /* Read the MPI parameters from the issuer's certificate.
+ */
+ ret =
+ _gnutls_x509_crt_get_mpis (crt, ¶ms);
+ if (ret < 0)
{
gnutls_assert ();
- return result;
+ return ret;
}
- return result;
+ ret =
+ pubkey_verify_hashed_data (gnutls_x509_crt_get_pk_algorithm (crt, NULL),
algo,
+ hash, signature, ¶ms);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ }
+
+ /* release all allocated MPIs
+ */
+ gnutls_pk_params_release(¶ms);
+
+ return ret;
}
/**
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index 19c2c12..3cc18e4 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -151,10 +151,6 @@ int _gnutls_x509_verify_data (gnutls_digest_algorithm_t
algo,
const gnutls_datum_t * signature,
gnutls_x509_crt_t issuer);
-int _gnutls_x509_verify_hashed_data (const gnutls_datum_t * hash,
- const gnutls_datum_t * signature,
- gnutls_x509_crt_t issuer);
-
/* privkey.h */
ASN1_TYPE _gnutls_privkey_decode_pkcs1_rsa_key (const gnutls_datum_t *
raw_key,
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index d4aeefa..4538c0a 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -48,7 +48,7 @@
extern int batch;
-#define MAX_ENTRIES 16
+#define MAX_ENTRIES 128
typedef struct _cfg_ctx
{
diff --git a/src/cli-args.c b/src/cli-args.c
index 87c3052..027ef00 100644
--- a/src/cli-args.c
+++ b/src/cli-args.c
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (cli-args.c)
*
- * It has been AutoGen-ed May 9, 2012 at 08:04:46 PM by AutoGen 5.16
+ * It has been AutoGen-ed May 23, 2012 at 08:55:14 PM by AutoGen 5.16
* From the definitions cli-args.def
* and the template file options
*
@@ -67,7 +67,7 @@ extern FILE * option_usage_fp;
/*
* gnutls-cli option static const strings
*/
-static char const gnutls_cli_opt_strs[3376] =
+static char const gnutls_cli_opt_strs[3434] =
/* 0 */ "gnutls-cli @address@hidden"
"Copyright (C) 2000-2012 Free Software Foundation, all rights
reserved.\n"
"This is free software. It is licensed for use, modification and\n"
@@ -133,80 +133,83 @@ static char const gnutls_cli_opt_strs[3376] =
/* 1662 */ "The maximum record size to advertize\0"
/* 1699 */ "RECORDSIZE\0"
/* 1710 */ "recordsize\0"
-/* 1721 */ "Priorities string\0"
-/* 1739 */ "PRIORITY\0"
-/* 1748 */ "priority\0"
-/* 1757 */ "Certificate file or PKCS #11 URL to use\0"
-/* 1797 */ "X509CAFILE\0"
-/* 1808 */ "x509cafile\0"
-/* 1819 */ "CRL file to use\0"
-/* 1835 */ "X509CRLFILE\0"
-/* 1847 */ "x509crlfile\0"
-/* 1859 */ "PGP Key file to use\0"
-/* 1879 */ "PGPKEYFILE\0"
-/* 1890 */ "pgpkeyfile\0"
-/* 1901 */ "PGP Key ring file to use\0"
-/* 1926 */ "PGPKEYRING\0"
-/* 1937 */ "pgpkeyring\0"
-/* 1948 */ "PGP Public Key (certificate) file to use\0"
-/* 1989 */ "PGPCERTFILE\0"
-/* 2001 */ "pgpcertfile\0"
-/* 2013 */ "X.509 key file or PKCS #11 URL to use\0"
-/* 2051 */ "X509KEYFILE\0"
-/* 2063 */ "x509keyfile\0"
-/* 2075 */ "X.509 Certificate file or PKCS #11 URL to use\0"
-/* 2121 */ "X509CERTFILE\0"
-/* 2134 */ "x509certfile\0"
-/* 2147 */ "PGP subkey to use (hex or auto)\0"
-/* 2179 */ "PGPSUBKEY\0"
-/* 2189 */ "pgpsubkey\0"
-/* 2199 */ "SRP username to use\0"
-/* 2219 */ "SRPUSERNAME\0"
-/* 2231 */ "srpusername\0"
-/* 2243 */ "SRP password to use\0"
-/* 2263 */ "SRPPASSWD\0"
-/* 2273 */ "srppasswd\0"
-/* 2283 */ "PSK username to use\0"
-/* 2303 */ "PSKUSERNAME\0"
-/* 2315 */ "pskusername\0"
-/* 2327 */ "PSK key (in hex) to use\0"
-/* 2351 */ "PSKKEY\0"
-/* 2358 */ "pskkey\0"
-/* 2365 */ "The port or service to connect to\0"
-/* 2399 */ "PORT\0"
-/* 2404 */ "port\0"
-/* 2409 */ "Don't abort program if server certificate can't be validated\0"
-/* 2470 */ "INSECURE\0"
-/* 2479 */ "insecure\0"
-/* 2488 */ "Benchmark individual ciphers\0"
-/* 2517 */ "BENCHMARK_CIPHERS\0"
-/* 2535 */ "benchmark-ciphers\0"
-/* 2553 */ "Benchmark individual software ciphers (no hw acceleration)\0"
-/* 2612 */ "BENCHMARK_SOFT_CIPHERS\0"
-/* 2635 */ "benchmark-soft-ciphers\0"
-/* 2658 */ "Benchmark ciphers and key exchange methods in TLS\0"
-/* 2708 */ "BENCHMARK_TLS\0"
-/* 2722 */ "benchmark-tls\0"
-/* 2736 */ "Print a list of the supported algorithms and modes\0"
-/* 2787 */ "LIST\0"
-/* 2792 */ "list\0"
-/* 2797 */ "Display extended usage information and exit\0"
-/* 2841 */ "help\0"
-/* 2846 */ "Extended usage information passed thru pager\0"
-/* 2891 */ "more-help\0"
-/* 2901 */ "Output version information and exit\0"
-/* 2937 */ "version\0"
-/* 2945 */ "GNUTLS_CLI\0"
-/* 2956 */ "gnutls-cli - GnuTLS client - Ver. @address@hidden"
+/* 1721 */ "The minimum number of bits allowed for DH\0"
+/* 1763 */ "DH_BITS\0"
+/* 1771 */ "dh-bits\0"
+/* 1779 */ "Priorities string\0"
+/* 1797 */ "PRIORITY\0"
+/* 1806 */ "priority\0"
+/* 1815 */ "Certificate file or PKCS #11 URL to use\0"
+/* 1855 */ "X509CAFILE\0"
+/* 1866 */ "x509cafile\0"
+/* 1877 */ "CRL file to use\0"
+/* 1893 */ "X509CRLFILE\0"
+/* 1905 */ "x509crlfile\0"
+/* 1917 */ "PGP Key file to use\0"
+/* 1937 */ "PGPKEYFILE\0"
+/* 1948 */ "pgpkeyfile\0"
+/* 1959 */ "PGP Key ring file to use\0"
+/* 1984 */ "PGPKEYRING\0"
+/* 1995 */ "pgpkeyring\0"
+/* 2006 */ "PGP Public Key (certificate) file to use\0"
+/* 2047 */ "PGPCERTFILE\0"
+/* 2059 */ "pgpcertfile\0"
+/* 2071 */ "X.509 key file or PKCS #11 URL to use\0"
+/* 2109 */ "X509KEYFILE\0"
+/* 2121 */ "x509keyfile\0"
+/* 2133 */ "X.509 Certificate file or PKCS #11 URL to use\0"
+/* 2179 */ "X509CERTFILE\0"
+/* 2192 */ "x509certfile\0"
+/* 2205 */ "PGP subkey to use (hex or auto)\0"
+/* 2237 */ "PGPSUBKEY\0"
+/* 2247 */ "pgpsubkey\0"
+/* 2257 */ "SRP username to use\0"
+/* 2277 */ "SRPUSERNAME\0"
+/* 2289 */ "srpusername\0"
+/* 2301 */ "SRP password to use\0"
+/* 2321 */ "SRPPASSWD\0"
+/* 2331 */ "srppasswd\0"
+/* 2341 */ "PSK username to use\0"
+/* 2361 */ "PSKUSERNAME\0"
+/* 2373 */ "pskusername\0"
+/* 2385 */ "PSK key (in hex) to use\0"
+/* 2409 */ "PSKKEY\0"
+/* 2416 */ "pskkey\0"
+/* 2423 */ "The port or service to connect to\0"
+/* 2457 */ "PORT\0"
+/* 2462 */ "port\0"
+/* 2467 */ "Don't abort program if server certificate can't be validated\0"
+/* 2528 */ "INSECURE\0"
+/* 2537 */ "insecure\0"
+/* 2546 */ "Benchmark individual ciphers\0"
+/* 2575 */ "BENCHMARK_CIPHERS\0"
+/* 2593 */ "benchmark-ciphers\0"
+/* 2611 */ "Benchmark individual software ciphers (no hw acceleration)\0"
+/* 2670 */ "BENCHMARK_SOFT_CIPHERS\0"
+/* 2693 */ "benchmark-soft-ciphers\0"
+/* 2716 */ "Benchmark ciphers and key exchange methods in TLS\0"
+/* 2766 */ "BENCHMARK_TLS\0"
+/* 2780 */ "benchmark-tls\0"
+/* 2794 */ "Print a list of the supported algorithms and modes\0"
+/* 2845 */ "LIST\0"
+/* 2850 */ "list\0"
+/* 2855 */ "Display extended usage information and exit\0"
+/* 2899 */ "help\0"
+/* 2904 */ "Extended usage information passed thru pager\0"
+/* 2949 */ "more-help\0"
+/* 2959 */ "Output version information and exit\0"
+/* 2995 */ "version\0"
+/* 3003 */ "GNUTLS_CLI\0"
+/* 3014 */ "gnutls-cli - GnuTLS client - Ver. @address@hidden"
"USAGE: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...
[hostname]\n\0"
-/* 3069 */ "address@hidden"
-/* 3088 */ "\n\n\0"
-/* 3091 */ "\n"
+/* 3127 */ "address@hidden"
+/* 3146 */ "\n\n\0"
+/* 3149 */ "\n"
"Simple client program to set up a TLS connection to some other
computer. It\n"
"sets up a TLS connection and forwards data from the standard
input to the\n"
"secured socket and vice versa.\n\0"
-/* 3275 */ "gnutls-cli @address@hidden"
-/* 3296 */ "Usage: gnutls-cli [options] hostname\n"
+/* 3333 */ "gnutls-cli @address@hidden"
+/* 3354 */ "Usage: gnutls-cli [options] hostname\n"
"gnutls-cli --help for usage instructions.\n";
/*
@@ -345,179 +348,188 @@ static char const gnutls_cli_opt_strs[3376] =
| OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
/*
+ * dh-bits option description:
+ */
+#define DH_BITS_DESC (gnutls_cli_opt_strs+1721)
+#define DH_BITS_NAME (gnutls_cli_opt_strs+1763)
+#define DH_BITS_name (gnutls_cli_opt_strs+1771)
+#define DH_BITS_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
+
+/*
* priority option description:
*/
-#define PRIORITY_DESC (gnutls_cli_opt_strs+1721)
-#define PRIORITY_NAME (gnutls_cli_opt_strs+1739)
-#define PRIORITY_name (gnutls_cli_opt_strs+1748)
+#define PRIORITY_DESC (gnutls_cli_opt_strs+1779)
+#define PRIORITY_NAME (gnutls_cli_opt_strs+1797)
+#define PRIORITY_name (gnutls_cli_opt_strs+1806)
#define PRIORITY_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
* x509cafile option description:
*/
-#define X509CAFILE_DESC (gnutls_cli_opt_strs+1757)
-#define X509CAFILE_NAME (gnutls_cli_opt_strs+1797)
-#define X509CAFILE_name (gnutls_cli_opt_strs+1808)
+#define X509CAFILE_DESC (gnutls_cli_opt_strs+1815)
+#define X509CAFILE_NAME (gnutls_cli_opt_strs+1855)
+#define X509CAFILE_name (gnutls_cli_opt_strs+1866)
#define X509CAFILE_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
* x509crlfile option description:
*/
-#define X509CRLFILE_DESC (gnutls_cli_opt_strs+1819)
-#define X509CRLFILE_NAME (gnutls_cli_opt_strs+1835)
-#define X509CRLFILE_name (gnutls_cli_opt_strs+1847)
+#define X509CRLFILE_DESC (gnutls_cli_opt_strs+1877)
+#define X509CRLFILE_NAME (gnutls_cli_opt_strs+1893)
+#define X509CRLFILE_name (gnutls_cli_opt_strs+1905)
#define X509CRLFILE_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_FILE))
/*
* pgpkeyfile option description:
*/
-#define PGPKEYFILE_DESC (gnutls_cli_opt_strs+1859)
-#define PGPKEYFILE_NAME (gnutls_cli_opt_strs+1879)
-#define PGPKEYFILE_name (gnutls_cli_opt_strs+1890)
+#define PGPKEYFILE_DESC (gnutls_cli_opt_strs+1917)
+#define PGPKEYFILE_NAME (gnutls_cli_opt_strs+1937)
+#define PGPKEYFILE_name (gnutls_cli_opt_strs+1948)
#define PGPKEYFILE_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_FILE))
/*
* pgpkeyring option description:
*/
-#define PGPKEYRING_DESC (gnutls_cli_opt_strs+1901)
-#define PGPKEYRING_NAME (gnutls_cli_opt_strs+1926)
-#define PGPKEYRING_name (gnutls_cli_opt_strs+1937)
+#define PGPKEYRING_DESC (gnutls_cli_opt_strs+1959)
+#define PGPKEYRING_NAME (gnutls_cli_opt_strs+1984)
+#define PGPKEYRING_name (gnutls_cli_opt_strs+1995)
#define PGPKEYRING_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_FILE))
/*
* pgpcertfile option description:
*/
-#define PGPCERTFILE_DESC (gnutls_cli_opt_strs+1948)
-#define PGPCERTFILE_NAME (gnutls_cli_opt_strs+1989)
-#define PGPCERTFILE_name (gnutls_cli_opt_strs+2001)
+#define PGPCERTFILE_DESC (gnutls_cli_opt_strs+2006)
+#define PGPCERTFILE_NAME (gnutls_cli_opt_strs+2047)
+#define PGPCERTFILE_name (gnutls_cli_opt_strs+2059)
#define PGPCERTFILE_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_FILE))
/*
* x509keyfile option description:
*/
-#define X509KEYFILE_DESC (gnutls_cli_opt_strs+2013)
-#define X509KEYFILE_NAME (gnutls_cli_opt_strs+2051)
-#define X509KEYFILE_name (gnutls_cli_opt_strs+2063)
+#define X509KEYFILE_DESC (gnutls_cli_opt_strs+2071)
+#define X509KEYFILE_NAME (gnutls_cli_opt_strs+2109)
+#define X509KEYFILE_name (gnutls_cli_opt_strs+2121)
#define X509KEYFILE_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
* x509certfile option description:
*/
-#define X509CERTFILE_DESC (gnutls_cli_opt_strs+2075)
-#define X509CERTFILE_NAME (gnutls_cli_opt_strs+2121)
-#define X509CERTFILE_name (gnutls_cli_opt_strs+2134)
+#define X509CERTFILE_DESC (gnutls_cli_opt_strs+2133)
+#define X509CERTFILE_NAME (gnutls_cli_opt_strs+2179)
+#define X509CERTFILE_name (gnutls_cli_opt_strs+2192)
#define X509CERTFILE_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
* pgpsubkey option description:
*/
-#define PGPSUBKEY_DESC (gnutls_cli_opt_strs+2147)
-#define PGPSUBKEY_NAME (gnutls_cli_opt_strs+2179)
-#define PGPSUBKEY_name (gnutls_cli_opt_strs+2189)
+#define PGPSUBKEY_DESC (gnutls_cli_opt_strs+2205)
+#define PGPSUBKEY_NAME (gnutls_cli_opt_strs+2237)
+#define PGPSUBKEY_name (gnutls_cli_opt_strs+2247)
#define PGPSUBKEY_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
* srpusername option description:
*/
-#define SRPUSERNAME_DESC (gnutls_cli_opt_strs+2199)
-#define SRPUSERNAME_NAME (gnutls_cli_opt_strs+2219)
-#define SRPUSERNAME_name (gnutls_cli_opt_strs+2231)
+#define SRPUSERNAME_DESC (gnutls_cli_opt_strs+2257)
+#define SRPUSERNAME_NAME (gnutls_cli_opt_strs+2277)
+#define SRPUSERNAME_name (gnutls_cli_opt_strs+2289)
#define SRPUSERNAME_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
* srppasswd option description:
*/
-#define SRPPASSWD_DESC (gnutls_cli_opt_strs+2243)
-#define SRPPASSWD_NAME (gnutls_cli_opt_strs+2263)
-#define SRPPASSWD_name (gnutls_cli_opt_strs+2273)
+#define SRPPASSWD_DESC (gnutls_cli_opt_strs+2301)
+#define SRPPASSWD_NAME (gnutls_cli_opt_strs+2321)
+#define SRPPASSWD_name (gnutls_cli_opt_strs+2331)
#define SRPPASSWD_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
* pskusername option description:
*/
-#define PSKUSERNAME_DESC (gnutls_cli_opt_strs+2283)
-#define PSKUSERNAME_NAME (gnutls_cli_opt_strs+2303)
-#define PSKUSERNAME_name (gnutls_cli_opt_strs+2315)
+#define PSKUSERNAME_DESC (gnutls_cli_opt_strs+2341)
+#define PSKUSERNAME_NAME (gnutls_cli_opt_strs+2361)
+#define PSKUSERNAME_name (gnutls_cli_opt_strs+2373)
#define PSKUSERNAME_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
* pskkey option description:
*/
-#define PSKKEY_DESC (gnutls_cli_opt_strs+2327)
-#define PSKKEY_NAME (gnutls_cli_opt_strs+2351)
-#define PSKKEY_name (gnutls_cli_opt_strs+2358)
+#define PSKKEY_DESC (gnutls_cli_opt_strs+2385)
+#define PSKKEY_NAME (gnutls_cli_opt_strs+2409)
+#define PSKKEY_name (gnutls_cli_opt_strs+2416)
#define PSKKEY_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
* port option description:
*/
-#define PORT_DESC (gnutls_cli_opt_strs+2365)
-#define PORT_NAME (gnutls_cli_opt_strs+2399)
-#define PORT_name (gnutls_cli_opt_strs+2404)
+#define PORT_DESC (gnutls_cli_opt_strs+2423)
+#define PORT_NAME (gnutls_cli_opt_strs+2457)
+#define PORT_name (gnutls_cli_opt_strs+2462)
#define PORT_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
* insecure option description:
*/
-#define INSECURE_DESC (gnutls_cli_opt_strs+2409)
-#define INSECURE_NAME (gnutls_cli_opt_strs+2470)
-#define INSECURE_name (gnutls_cli_opt_strs+2479)
+#define INSECURE_DESC (gnutls_cli_opt_strs+2467)
+#define INSECURE_NAME (gnutls_cli_opt_strs+2528)
+#define INSECURE_name (gnutls_cli_opt_strs+2537)
#define INSECURE_FLAGS (OPTST_DISABLED)
/*
* benchmark-ciphers option description:
*/
-#define BENCHMARK_CIPHERS_DESC (gnutls_cli_opt_strs+2488)
-#define BENCHMARK_CIPHERS_NAME (gnutls_cli_opt_strs+2517)
-#define BENCHMARK_CIPHERS_name (gnutls_cli_opt_strs+2535)
+#define BENCHMARK_CIPHERS_DESC (gnutls_cli_opt_strs+2546)
+#define BENCHMARK_CIPHERS_NAME (gnutls_cli_opt_strs+2575)
+#define BENCHMARK_CIPHERS_name (gnutls_cli_opt_strs+2593)
#define BENCHMARK_CIPHERS_FLAGS (OPTST_DISABLED)
/*
* benchmark-soft-ciphers option description:
*/
-#define BENCHMARK_SOFT_CIPHERS_DESC (gnutls_cli_opt_strs+2553)
-#define BENCHMARK_SOFT_CIPHERS_NAME (gnutls_cli_opt_strs+2612)
-#define BENCHMARK_SOFT_CIPHERS_name (gnutls_cli_opt_strs+2635)
+#define BENCHMARK_SOFT_CIPHERS_DESC (gnutls_cli_opt_strs+2611)
+#define BENCHMARK_SOFT_CIPHERS_NAME (gnutls_cli_opt_strs+2670)
+#define BENCHMARK_SOFT_CIPHERS_name (gnutls_cli_opt_strs+2693)
#define BENCHMARK_SOFT_CIPHERS_FLAGS (OPTST_DISABLED)
/*
* benchmark-tls option description:
*/
-#define BENCHMARK_TLS_DESC (gnutls_cli_opt_strs+2658)
-#define BENCHMARK_TLS_NAME (gnutls_cli_opt_strs+2708)
-#define BENCHMARK_TLS_name (gnutls_cli_opt_strs+2722)
+#define BENCHMARK_TLS_DESC (gnutls_cli_opt_strs+2716)
+#define BENCHMARK_TLS_NAME (gnutls_cli_opt_strs+2766)
+#define BENCHMARK_TLS_name (gnutls_cli_opt_strs+2780)
#define BENCHMARK_TLS_FLAGS (OPTST_DISABLED)
/*
* list option description:
*/
-#define LIST_DESC (gnutls_cli_opt_strs+2736)
-#define LIST_NAME (gnutls_cli_opt_strs+2787)
-#define LIST_name (gnutls_cli_opt_strs+2792)
+#define LIST_DESC (gnutls_cli_opt_strs+2794)
+#define LIST_NAME (gnutls_cli_opt_strs+2845)
+#define LIST_name (gnutls_cli_opt_strs+2850)
#define LIST_FLAGS (OPTST_DISABLED)
/*
* Help/More_Help/Version option descriptions:
*/
-#define HELP_DESC (gnutls_cli_opt_strs+2797)
-#define HELP_name (gnutls_cli_opt_strs+2841)
+#define HELP_DESC (gnutls_cli_opt_strs+2855)
+#define HELP_name (gnutls_cli_opt_strs+2899)
#ifdef HAVE_WORKING_FORK
-#define MORE_HELP_DESC (gnutls_cli_opt_strs+2846)
-#define MORE_HELP_name (gnutls_cli_opt_strs+2891)
+#define MORE_HELP_DESC (gnutls_cli_opt_strs+2904)
+#define MORE_HELP_name (gnutls_cli_opt_strs+2949)
#define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT)
#else
#define MORE_HELP_DESC NULL
@@ -530,8 +542,8 @@ static char const gnutls_cli_opt_strs[3376] =
# define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \
OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT)
#endif
-#define VER_DESC (gnutls_cli_opt_strs+2901)
-#define VER_name (gnutls_cli_opt_strs+2937)
+#define VER_DESC (gnutls_cli_opt_strs+2959)
+#define VER_name (gnutls_cli_opt_strs+2995)
/*
* Declare option callback procedures
*/
@@ -744,8 +756,20 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ RECORDSIZE_DESC, RECORDSIZE_NAME, RECORDSIZE_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 16, VALUE_OPT_PRIORITY,
- /* equiv idx, value */ 16, VALUE_OPT_PRIORITY,
+ { /* entry idx, value */ 16, VALUE_OPT_DH_BITS,
+ /* equiv idx, value */ 16, VALUE_OPT_DH_BITS,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DH_BITS_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --dh-bits */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ optionNumericVal,
+ /* desc, NAME, name */ DH_BITS_DESC, DH_BITS_NAME, DH_BITS_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 17, VALUE_OPT_PRIORITY,
+ /* equiv idx, value */ 17, VALUE_OPT_PRIORITY,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ PRIORITY_FLAGS, 0,
@@ -756,8 +780,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ PRIORITY_DESC, PRIORITY_NAME, PRIORITY_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 17, VALUE_OPT_X509CAFILE,
- /* equiv idx, value */ 17, VALUE_OPT_X509CAFILE,
+ { /* entry idx, value */ 18, VALUE_OPT_X509CAFILE,
+ /* equiv idx, value */ 18, VALUE_OPT_X509CAFILE,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ X509CAFILE_FLAGS, 0,
@@ -768,8 +792,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ X509CAFILE_DESC, X509CAFILE_NAME, X509CAFILE_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 18, VALUE_OPT_X509CRLFILE,
- /* equiv idx, value */ 18, VALUE_OPT_X509CRLFILE,
+ { /* entry idx, value */ 19, VALUE_OPT_X509CRLFILE,
+ /* equiv idx, value */ 19, VALUE_OPT_X509CRLFILE,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ X509CRLFILE_FLAGS, 0,
@@ -780,8 +804,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ X509CRLFILE_DESC, X509CRLFILE_NAME,
X509CRLFILE_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 19, VALUE_OPT_PGPKEYFILE,
- /* equiv idx, value */ 19, VALUE_OPT_PGPKEYFILE,
+ { /* entry idx, value */ 20, VALUE_OPT_PGPKEYFILE,
+ /* equiv idx, value */ 20, VALUE_OPT_PGPKEYFILE,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ PGPKEYFILE_FLAGS, 0,
@@ -792,8 +816,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ PGPKEYFILE_DESC, PGPKEYFILE_NAME, PGPKEYFILE_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 20, VALUE_OPT_PGPKEYRING,
- /* equiv idx, value */ 20, VALUE_OPT_PGPKEYRING,
+ { /* entry idx, value */ 21, VALUE_OPT_PGPKEYRING,
+ /* equiv idx, value */ 21, VALUE_OPT_PGPKEYRING,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ PGPKEYRING_FLAGS, 0,
@@ -804,8 +828,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ PGPKEYRING_DESC, PGPKEYRING_NAME, PGPKEYRING_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 21, VALUE_OPT_PGPCERTFILE,
- /* equiv idx, value */ 21, VALUE_OPT_PGPCERTFILE,
+ { /* entry idx, value */ 22, VALUE_OPT_PGPCERTFILE,
+ /* equiv idx, value */ 22, VALUE_OPT_PGPCERTFILE,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ PGPCERTFILE_FLAGS, 0,
@@ -816,8 +840,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ PGPCERTFILE_DESC, PGPCERTFILE_NAME,
PGPCERTFILE_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 22, VALUE_OPT_X509KEYFILE,
- /* equiv idx, value */ 22, VALUE_OPT_X509KEYFILE,
+ { /* entry idx, value */ 23, VALUE_OPT_X509KEYFILE,
+ /* equiv idx, value */ 23, VALUE_OPT_X509KEYFILE,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ X509KEYFILE_FLAGS, 0,
@@ -828,8 +852,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ X509KEYFILE_DESC, X509KEYFILE_NAME,
X509KEYFILE_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 23, VALUE_OPT_X509CERTFILE,
- /* equiv idx, value */ 23, VALUE_OPT_X509CERTFILE,
+ { /* entry idx, value */ 24, VALUE_OPT_X509CERTFILE,
+ /* equiv idx, value */ 24, VALUE_OPT_X509CERTFILE,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ X509CERTFILE_FLAGS, 0,
@@ -840,8 +864,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ X509CERTFILE_DESC, X509CERTFILE_NAME,
X509CERTFILE_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 24, VALUE_OPT_PGPSUBKEY,
- /* equiv idx, value */ 24, VALUE_OPT_PGPSUBKEY,
+ { /* entry idx, value */ 25, VALUE_OPT_PGPSUBKEY,
+ /* equiv idx, value */ 25, VALUE_OPT_PGPSUBKEY,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ PGPSUBKEY_FLAGS, 0,
@@ -852,8 +876,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ PGPSUBKEY_DESC, PGPSUBKEY_NAME, PGPSUBKEY_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 25, VALUE_OPT_SRPUSERNAME,
- /* equiv idx, value */ 25, VALUE_OPT_SRPUSERNAME,
+ { /* entry idx, value */ 26, VALUE_OPT_SRPUSERNAME,
+ /* equiv idx, value */ 26, VALUE_OPT_SRPUSERNAME,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ SRPUSERNAME_FLAGS, 0,
@@ -864,8 +888,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ SRPUSERNAME_DESC, SRPUSERNAME_NAME,
SRPUSERNAME_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 26, VALUE_OPT_SRPPASSWD,
- /* equiv idx, value */ 26, VALUE_OPT_SRPPASSWD,
+ { /* entry idx, value */ 27, VALUE_OPT_SRPPASSWD,
+ /* equiv idx, value */ 27, VALUE_OPT_SRPPASSWD,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ SRPPASSWD_FLAGS, 0,
@@ -876,8 +900,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ SRPPASSWD_DESC, SRPPASSWD_NAME, SRPPASSWD_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 27, VALUE_OPT_PSKUSERNAME,
- /* equiv idx, value */ 27, VALUE_OPT_PSKUSERNAME,
+ { /* entry idx, value */ 28, VALUE_OPT_PSKUSERNAME,
+ /* equiv idx, value */ 28, VALUE_OPT_PSKUSERNAME,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ PSKUSERNAME_FLAGS, 0,
@@ -888,8 +912,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ PSKUSERNAME_DESC, PSKUSERNAME_NAME,
PSKUSERNAME_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 28, VALUE_OPT_PSKKEY,
- /* equiv idx, value */ 28, VALUE_OPT_PSKKEY,
+ { /* entry idx, value */ 29, VALUE_OPT_PSKKEY,
+ /* equiv idx, value */ 29, VALUE_OPT_PSKKEY,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ PSKKEY_FLAGS, 0,
@@ -900,8 +924,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ PSKKEY_DESC, PSKKEY_NAME, PSKKEY_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 29, VALUE_OPT_PORT,
- /* equiv idx, value */ 29, VALUE_OPT_PORT,
+ { /* entry idx, value */ 30, VALUE_OPT_PORT,
+ /* equiv idx, value */ 30, VALUE_OPT_PORT,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ PORT_FLAGS, 0,
@@ -912,8 +936,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ PORT_DESC, PORT_NAME, PORT_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 30, VALUE_OPT_INSECURE,
- /* equiv idx, value */ 30, VALUE_OPT_INSECURE,
+ { /* entry idx, value */ 31, VALUE_OPT_INSECURE,
+ /* equiv idx, value */ 31, VALUE_OPT_INSECURE,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ INSECURE_FLAGS, 0,
@@ -924,8 +948,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ INSECURE_DESC, INSECURE_NAME, INSECURE_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 31, VALUE_OPT_BENCHMARK_CIPHERS,
- /* equiv idx, value */ 31, VALUE_OPT_BENCHMARK_CIPHERS,
+ { /* entry idx, value */ 32, VALUE_OPT_BENCHMARK_CIPHERS,
+ /* equiv idx, value */ 32, VALUE_OPT_BENCHMARK_CIPHERS,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ BENCHMARK_CIPHERS_FLAGS, 0,
@@ -936,8 +960,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ BENCHMARK_CIPHERS_DESC, BENCHMARK_CIPHERS_NAME,
BENCHMARK_CIPHERS_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 32, VALUE_OPT_BENCHMARK_SOFT_CIPHERS,
- /* equiv idx, value */ 32, VALUE_OPT_BENCHMARK_SOFT_CIPHERS,
+ { /* entry idx, value */ 33, VALUE_OPT_BENCHMARK_SOFT_CIPHERS,
+ /* equiv idx, value */ 33, VALUE_OPT_BENCHMARK_SOFT_CIPHERS,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ BENCHMARK_SOFT_CIPHERS_FLAGS, 0,
@@ -948,8 +972,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ BENCHMARK_SOFT_CIPHERS_DESC,
BENCHMARK_SOFT_CIPHERS_NAME, BENCHMARK_SOFT_CIPHERS_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 33, VALUE_OPT_BENCHMARK_TLS,
- /* equiv idx, value */ 33, VALUE_OPT_BENCHMARK_TLS,
+ { /* entry idx, value */ 34, VALUE_OPT_BENCHMARK_TLS,
+ /* equiv idx, value */ 34, VALUE_OPT_BENCHMARK_TLS,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ BENCHMARK_TLS_FLAGS, 0,
@@ -960,8 +984,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ BENCHMARK_TLS_DESC, BENCHMARK_TLS_NAME,
BENCHMARK_TLS_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 34, VALUE_OPT_LIST,
- /* equiv idx, value */ 34, VALUE_OPT_LIST,
+ { /* entry idx, value */ 35, VALUE_OPT_LIST,
+ /* equiv idx, value */ 35, VALUE_OPT_LIST,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ LIST_FLAGS, 0,
@@ -1016,14 +1040,14 @@ static tOptDesc optDesc[OPTION_CT] = {
*
* Define the gnutls-cli Option Environment
*/
-#define zPROGNAME (gnutls_cli_opt_strs+2945)
-#define zUsageTitle (gnutls_cli_opt_strs+2956)
+#define zPROGNAME (gnutls_cli_opt_strs+3003)
+#define zUsageTitle (gnutls_cli_opt_strs+3014)
#define zRcName NULL
#define apzHomeList NULL
-#define zBugsAddr (gnutls_cli_opt_strs+3069)
-#define zExplain (gnutls_cli_opt_strs+3088)
-#define zDetail (gnutls_cli_opt_strs+3091)
-#define zFullVersion (gnutls_cli_opt_strs+3275)
+#define zBugsAddr (gnutls_cli_opt_strs+3127)
+#define zExplain (gnutls_cli_opt_strs+3146)
+#define zDetail (gnutls_cli_opt_strs+3149)
+#define zFullVersion (gnutls_cli_opt_strs+3333)
/* extracted from optcode.tlib near line 350 */
#if defined(ENABLE_NLS)
@@ -1037,7 +1061,7 @@ static tOptDesc optDesc[OPTION_CT] = {
#define gnutls_cli_full_usage (NULL)
-#define gnutls_cli_short_usage (gnutls_cli_opt_strs+3296)
+#define gnutls_cli_short_usage (gnutls_cli_opt_strs+3354)
#endif /* not defined __doxygen__ */
@@ -1315,7 +1339,7 @@ tOptions gnutls_cliOptions = {
NO_EQUIVALENT, /* '-#' option index */
NO_EQUIVALENT /* index of default opt */
},
- 38 /* full option count */, 35 /* user option count */,
+ 39 /* full option count */, 36 /* user option count */,
gnutls_cli_full_usage, gnutls_cli_short_usage,
NULL, NULL,
PKGDATADIR, gnutls_cli_packager_info
diff --git a/src/cli-args.def b/src/cli-args.def
index b032ad0..35508d8 100644
--- a/src/cli-args.def
+++ b/src/cli-args.def
@@ -110,6 +110,13 @@ flag = {
};
flag = {
+ name = dh-bits;
+ arg-type = number;
+ descrip = "The minimum number of bits allowed for DH";
+ doc = "This option sets the minimum number of bits allowed for a
Diffie-Hellman key exchange. You may want to lower the default value if the
peer sends a weak prime and you get an connection error with unacceptable
prime.";
+};
+
+flag = {
name = priority;
arg-type = string;
descrip = "Priorities string";
diff --git a/src/cli-args.h b/src/cli-args.h
index 39a62b1..86562fd 100644
--- a/src/cli-args.h
+++ b/src/cli-args.h
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (cli-args.h)
*
- * It has been AutoGen-ed May 9, 2012 at 08:04:46 PM by AutoGen 5.16
+ * It has been AutoGen-ed May 23, 2012 at 08:55:13 PM by AutoGen 5.16
* From the definitions cli-args.def
* and the template file options
*
@@ -83,31 +83,32 @@ typedef enum {
INDEX_OPT_DISABLE_EXTENSIONS = 13,
INDEX_OPT_PRINT_CERT = 14,
INDEX_OPT_RECORDSIZE = 15,
- INDEX_OPT_PRIORITY = 16,
- INDEX_OPT_X509CAFILE = 17,
- INDEX_OPT_X509CRLFILE = 18,
- INDEX_OPT_PGPKEYFILE = 19,
- INDEX_OPT_PGPKEYRING = 20,
- INDEX_OPT_PGPCERTFILE = 21,
- INDEX_OPT_X509KEYFILE = 22,
- INDEX_OPT_X509CERTFILE = 23,
- INDEX_OPT_PGPSUBKEY = 24,
- INDEX_OPT_SRPUSERNAME = 25,
- INDEX_OPT_SRPPASSWD = 26,
- INDEX_OPT_PSKUSERNAME = 27,
- INDEX_OPT_PSKKEY = 28,
- INDEX_OPT_PORT = 29,
- INDEX_OPT_INSECURE = 30,
- INDEX_OPT_BENCHMARK_CIPHERS = 31,
- INDEX_OPT_BENCHMARK_SOFT_CIPHERS = 32,
- INDEX_OPT_BENCHMARK_TLS = 33,
- INDEX_OPT_LIST = 34,
- INDEX_OPT_VERSION = 35,
- INDEX_OPT_HELP = 36,
- INDEX_OPT_MORE_HELP = 37
+ INDEX_OPT_DH_BITS = 16,
+ INDEX_OPT_PRIORITY = 17,
+ INDEX_OPT_X509CAFILE = 18,
+ INDEX_OPT_X509CRLFILE = 19,
+ INDEX_OPT_PGPKEYFILE = 20,
+ INDEX_OPT_PGPKEYRING = 21,
+ INDEX_OPT_PGPCERTFILE = 22,
+ INDEX_OPT_X509KEYFILE = 23,
+ INDEX_OPT_X509CERTFILE = 24,
+ INDEX_OPT_PGPSUBKEY = 25,
+ INDEX_OPT_SRPUSERNAME = 26,
+ INDEX_OPT_SRPPASSWD = 27,
+ INDEX_OPT_PSKUSERNAME = 28,
+ INDEX_OPT_PSKKEY = 29,
+ INDEX_OPT_PORT = 30,
+ INDEX_OPT_INSECURE = 31,
+ INDEX_OPT_BENCHMARK_CIPHERS = 32,
+ INDEX_OPT_BENCHMARK_SOFT_CIPHERS = 33,
+ INDEX_OPT_BENCHMARK_TLS = 34,
+ INDEX_OPT_LIST = 35,
+ INDEX_OPT_VERSION = 36,
+ INDEX_OPT_HELP = 37,
+ INDEX_OPT_MORE_HELP = 38
} teOptIndex;
-#define OPTION_CT 38
+#define OPTION_CT 39
#define GNUTLS_CLI_VERSION "@VERSION@"
#define GNUTLS_CLI_FULL_VERSION "gnutls-cli @VERSION@"
@@ -167,24 +168,27 @@ typedef enum {
#define VALUE_OPT_RECORDSIZE 15
#define OPT_VALUE_RECORDSIZE (DESC(RECORDSIZE).optArg.argInt)
-#define VALUE_OPT_PRIORITY 16
-#define VALUE_OPT_X509CAFILE 17
-#define VALUE_OPT_X509CRLFILE 18
-#define VALUE_OPT_PGPKEYFILE 19
-#define VALUE_OPT_PGPKEYRING 20
-#define VALUE_OPT_PGPCERTFILE 21
-#define VALUE_OPT_X509KEYFILE 22
-#define VALUE_OPT_X509CERTFILE 23
-#define VALUE_OPT_PGPSUBKEY 24
-#define VALUE_OPT_SRPUSERNAME 25
-#define VALUE_OPT_SRPPASSWD 26
-#define VALUE_OPT_PSKUSERNAME 27
-#define VALUE_OPT_PSKKEY 28
+#define VALUE_OPT_DH_BITS 16
+
+#define OPT_VALUE_DH_BITS (DESC(DH_BITS).optArg.argInt)
+#define VALUE_OPT_PRIORITY 17
+#define VALUE_OPT_X509CAFILE 18
+#define VALUE_OPT_X509CRLFILE 19
+#define VALUE_OPT_PGPKEYFILE 20
+#define VALUE_OPT_PGPKEYRING 21
+#define VALUE_OPT_PGPCERTFILE 22
+#define VALUE_OPT_X509KEYFILE 23
+#define VALUE_OPT_X509CERTFILE 24
+#define VALUE_OPT_PGPSUBKEY 25
+#define VALUE_OPT_SRPUSERNAME 26
+#define VALUE_OPT_SRPPASSWD 27
+#define VALUE_OPT_PSKUSERNAME 28
+#define VALUE_OPT_PSKKEY 29
#define VALUE_OPT_PORT 'p'
-#define VALUE_OPT_INSECURE 30
-#define VALUE_OPT_BENCHMARK_CIPHERS 31
-#define VALUE_OPT_BENCHMARK_SOFT_CIPHERS 32
-#define VALUE_OPT_BENCHMARK_TLS 129
+#define VALUE_OPT_INSECURE 31
+#define VALUE_OPT_BENCHMARK_CIPHERS 32
+#define VALUE_OPT_BENCHMARK_SOFT_CIPHERS 129
+#define VALUE_OPT_BENCHMARK_TLS 130
#define VALUE_OPT_LIST 'l'
#define VALUE_OPT_HELP 'h'
#define VALUE_OPT_MORE_HELP '!'
diff --git a/src/cli.c b/src/cli.c
index b9368dc..b66b775 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -674,7 +674,8 @@ init_tls_session (const char *hostname)
strlen (hostname));
}
- gnutls_dh_set_prime_bits (session, 512);
+ if (HAVE_OPT(DH_BITS))
+ gnutls_dh_set_prime_bits( session, OPT_VALUE_DH_BITS);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
if (srp_cred)
diff --git a/src/common.h b/src/common.h
index 0495bdb..09f1933 100644
--- a/src/common.h
+++ b/src/common.h
@@ -28,7 +28,6 @@
#include <unistd.h>
#ifndef _WIN32
# include <netinet/in.h>
-# include <netinet/ip.h>
#endif
#include <signal.h>
diff --git a/tests/x509sign-verify.c b/tests/x509sign-verify.c
index 9ac6b5d..7e0727c 100644
--- a/tests/x509sign-verify.c
+++ b/tests/x509sign-verify.c
@@ -40,6 +40,12 @@
#include "utils.h"
+static void
+tls_log_func (int level, const char *str)
+{
+ fprintf (stderr, "<%d> %s", level, str);
+}
+
/* sha1 hash of "hello" string */
const gnutls_datum_t hash_data = {
(void *)
@@ -147,6 +153,7 @@ doit (void)
gnutls_pubkey_t pubkey;
gnutls_privkey_t privkey;
gnutls_digest_algorithm_t hash_algo;
+ gnutls_sign_algorithm_t sign_algo;
gnutls_datum_t signature;
gnutls_datum_t signature2;
int ret;
@@ -154,6 +161,10 @@ doit (void)
gnutls_global_init ();
+ gnutls_global_set_log_function (tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level (6);
+
for (i = 0; i < sizeof (key_dat) / sizeof (key_dat[0]); i++)
{
if (debug)
@@ -210,7 +221,7 @@ doit (void)
ret = gnutls_pubkey_verify_hash (pubkey, 0, &hash_data, &signature);
if (ret < 0)
- fail ("gnutls_x509_privkey_verify_hash\n");
+ fail ("gnutls_x509_pubkey_verify_hash\n");
ret =
gnutls_pubkey_get_verify_algorithm (pubkey, &signature2, &hash_algo);
@@ -219,12 +230,24 @@ doit (void)
ret = gnutls_pubkey_verify_hash (pubkey, 0, &hash_data, &signature2);
if (ret < 0)
- fail ("gnutls_x509_privkey_verify_hash (hashed data)\n");
+ fail ("gnutls_x509_pubkey_verify_hash-1 (hashed data)\n");
/* should fail */
ret = gnutls_pubkey_verify_hash (pubkey, 0, &invalid_hash_data,
&signature2);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
- fail ("gnutls_x509_privkey_verify_hash (hashed data)\n");
+ fail ("gnutls_x509_pubkey_verify_hash-2 (hashed data)\n");
+
+ sign_algo = gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm(pubkey,
NULL),
+ GNUTLS_DIG_SHA1);
+
+ ret = gnutls_pubkey_verify_hash2 (pubkey, sign_algo, 0, &hash_data,
&signature2);
+ if (ret < 0)
+ fail ("gnutls_x509_pubkey_verify_hash2-1 (hashed data)\n");
+
+ /* should fail */
+ ret = gnutls_pubkey_verify_hash2 (pubkey, sign_algo, 0,
&invalid_hash_data, &signature2);
+ if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
+ fail ("gnutls_x509_pubkey_verify_hash2-2 (hashed data)\n");
gnutls_free(signature.data);
diff --git a/win32/.gitignore b/win32/.gitignore
new file mode 100644
index 0000000..692ff23
--- /dev/null
+++ b/win32/.gitignore
@@ -0,0 +1,10 @@
+*.tar.*
+*.zip
+*.sig
+*.DevPak
+gnutls-*
+nettle-*
+gmp-*
+p11-kit-*
+devcpp
+win32
diff --git a/win32/devcpp.tar b/win32/devcpp.tar
new file mode 100644
index 0000000..d8ba064
Binary files /dev/null and b/win32/devcpp.tar differ
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_3_0_18-86-g7f74c56,
Nikos Mavrogiannopoulos <=