[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_3-5-gc34a21
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_3-5-gc34a21d |
|
Date: |
Sun, 05 Dec 2010 09:24:33 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=c34a21d1b9389d3e4cd4c1c607bc65d106770309
The branch, gnutls_2_10_x has been updated
via c34a21d1b9389d3e4cd4c1c607bc65d106770309 (commit)
via e22f714d85bb3e659c4f6e357f27c94a9e784c57 (commit)
via d3a61f4ad2874f67e226bb768fecaaab31cb10f0 (commit)
from d2a4b4d57cceccaf922773ae5b64f4c5fdb293da (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit c34a21d1b9389d3e4cd4c1c607bc65d106770309
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Dec 5 10:21:55 2010 +0100
Corrected buffer overflow in gnutls-serv by Tomas Mraz.
The gnutls-serv uses fixed allocated buffer for the response which can
be pretty long if a client certificate is presented to it and the http
header is large. This causes buffer overflow and heap corruption which
then leads to random segfaults or aborts.
It was reported originally here:
https://bugzilla.redhat.com/show_bug.cgi?id=659259
The attached patch changes sprintf calls in peer_print_info() to
snprintf so the buffer is never overflowed.
commit e22f714d85bb3e659c4f6e357f27c94a9e784c57
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Nov 26 12:46:16 2010 +0100
Reverted default behavior for verification and introduced
GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT.
Thus by default V1 trusted CAs are allowed, unless the new flag is
specified.
commit d3a61f4ad2874f67e226bb768fecaaab31cb10f0
Author: Simon Josefsson <address@hidden>
Date: Tue Nov 23 22:06:34 2010 +0100
Fix dependencies, fixes parallel builds.
Tiny patch from Graham Gower <address@hidden>.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 11 ++++++++++
guile/src/Makefile.am | 2 +-
lib/gnutls_cert.c | 5 ----
lib/includes/gnutls/x509.h | 11 +++++----
lib/x509/verify.c | 4 +-
src/certtool.c | 4 +-
src/cli.c | 3 +-
src/serv.c | 46 +++++++++++++++++++------------------------
tests/chainverify.c | 12 ++++------
9 files changed, 48 insertions(+), 50 deletions(-)
diff --git a/NEWS b/NEWS
index fdda943..d19e0a1 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,17 @@ Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005,
2006, 2007, 2008, 2009, 2010 Free Software Foundation, Inc.
See the end for copying conditions.
+* Version 2.10.4 (unreleased)
+
+** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz.
+
+** libgnutls: Reverted default behavior for verification and
+introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default
+V1 trusted CAs are allowed, unless the new flag is specified.
+
+** API and ABI modifications:
+No changes since last version.
+
* Version 2.10.3 (released 2010-11-19)
** libgnutls: Correctly add leading zero to PKCS #8 encoded DSA key.
diff --git a/guile/src/Makefile.am b/guile/src/Makefile.am
index e8e81b1..2ee1297 100644
--- a/guile/src/Makefile.am
+++ b/guile/src/Makefile.am
@@ -122,7 +122,7 @@ extra-smob-types.i.c: $(srcdir)/make-smob-types.scm
snarfcppopts = $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
$(CFLAGS) $(AM_CFLAGS) $(GUILE_CFLAGS)
-.c.x:
+.c.x: $(BUILT_SOURCES)
$(guile_snarf) -o $@ $< $(snarfcppopts)
# Target used by doc/Makefile, to create all built sources necessary
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 5072c8e..633da1c 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -606,11 +606,6 @@ _gnutls_openpgp_crt_verify_peers (gnutls_session_t session,
* This function uses gnutls_x509_crt_list_verify() with the CAs in
* the credentials as trusted CAs.
*
- * Note that some commonly used X.509 Certificate Authorities are
- * still using Version 1 certificates. If you want to accept them,
- * you need to call gnutls_certificate_set_verify_flags() with, e.g.,
- * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.
- *
* Returns: a negative error code on error and zero on success.
**/
int
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index fc2381f..e3163f6 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -506,10 +506,10 @@ extern "C"
* @GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS: If set a signer in the trusted
* list is never checked for expiration or activation.
* @GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT: Allow only trusted CA
- * certificates that have version 1. This is safer than
- * %GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be used
- * instead. That way only signers in your trusted list will be
- * allowed to have certificates of version 1.
+ * certificates that have version 1. This is the default.
+ * @GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT: Do not allow trusted CA
+ * certificates that have version 1. This option is to be used
+ * to deprecate all V1 certificates.
* @GNUTLS_VERIFY_DO_NOT_ALLOW_SAME: If a certificate is not signed by
* anyone trusted but exists in the trusted CA list do not treat it
* as trusted.
@@ -537,7 +537,8 @@ extern "C"
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
- GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128
+ GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
+ GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256
} gnutls_certificate_verify_flags;
int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 393b8a5..e7fdbad 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -171,7 +171,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t
issuer,
these certs only if the appropriate flags are set. */
else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
((flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT) ||
- ((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) &&
+ (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) &&
(gnutls_x509_crt_check_issuer (issuer, issuer) == 1))))
{
gnutls_assert ();
@@ -311,7 +311,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
}
if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
- !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1))
+ ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) || issuer_version
!= 1))
{
if (check_if_ca (cert, issuer, flags) == 0)
{
diff --git a/src/certtool.c b/src/certtool.c
index 30cde61..f908d84 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2065,8 +2065,8 @@ _verify_x509_mem (const void *cert, int cert_size)
{
const char *ptr;
int ret, i;
- char name[256];
- char issuer_name[256];
+ char name[512];
+ char issuer_name[512];
size_t name_size;
size_t issuer_name_size;
gnutls_datum_t tmp;
diff --git a/src/cli.c b/src/cli.c
index 3964a93..fdc8b55 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -512,8 +512,7 @@ init_tls_session (const char *hostname)
gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
gnutls_certificate_set_verify_function (xcred, cert_verify_callback);
- gnutls_certificate_set_verify_flags (xcred,
- GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+ gnutls_certificate_set_verify_flags (xcred, 0);
/* send the fingerprint */
#ifdef ENABLE_OPENPGP
diff --git a/src/serv.c b/src/serv.c
index 0e95fcf..0307b05 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -438,7 +438,7 @@ static const char DEFAULT_DATA[] =
/* Creates html with the current session information.
*/
-#define tmp2 &http_buffer[strlen(http_buffer)]
+#define tmp2 &http_buffer[strlen(http_buffer)], len-strlen(http_buffer)
static char *
peer_print_info (gnutls_session_t session, int *ret_length,
const char *header)
@@ -448,7 +448,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
size_t i, sesid_size;
char *http_buffer;
gnutls_kx_algorithm_t kx_alg;
- size_t len = 5 * 1024 + strlen (header);
+ size_t len = 20 * 1024 + strlen (header);
char *crtinfo = NULL;
size_t ncrtinfo = 0;
@@ -512,11 +512,11 @@ peer_print_info (gnutls_session_t session, int
*ret_length,
/* print session_id */
gnutls_session_get_id (session, sesid, &sesid_size);
- sprintf (tmp2, "\n<p>Session ID: <i>");
+ snprintf (tmp2, "\n<p>Session ID: <i>");
for (i = 0; i < sesid_size; i++)
- sprintf (tmp2, "%.2X", sesid[i]);
- sprintf (tmp2, "</i></p>\n");
- sprintf (tmp2,
+ snprintf (tmp2, "%.2X", sesid[i]);
+ snprintf (tmp2, "</i></p>\n");
+ snprintf (tmp2,
"<h5>If your browser supports session resuming, then you should see
the "
"same session ID, when you press the <b>reload</b> button.</h5>\n");
@@ -530,7 +530,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
if (gnutls_server_name_get (session, dns, &dns_size, &type, 0) == 0)
{
- sprintf (tmp2, "\n<p>Server Name: %s</p>\n", dns);
+ snprintf (tmp2, "\n<p>Server Name: %s</p>\n", dns);
}
}
@@ -541,7 +541,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
#ifdef ENABLE_SRP
if (kx_alg == GNUTLS_KX_SRP)
{
- sprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
+ snprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
gnutls_srp_server_get_username (session));
}
#endif
@@ -549,7 +549,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
#ifdef ENABLE_PSK
if (kx_alg == GNUTLS_KX_PSK)
{
- sprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
+ snprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
gnutls_psk_server_get_username (session));
}
#endif
@@ -557,7 +557,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
#ifdef ENABLE_ANON
if (kx_alg == GNUTLS_KX_ANON_DH)
{
- sprintf (tmp2,
+ snprintf (tmp2,
"<p> Connect using anonymous DH (prime of %d bits)</p>\n",
gnutls_dh_get_prime_bits (session));
}
@@ -565,7 +565,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
if (kx_alg == GNUTLS_KX_DHE_RSA || kx_alg == GNUTLS_KX_DHE_DSS)
{
- sprintf (tmp2,
+ snprintf (tmp2,
"Ephemeral DH using prime of <b>%d</b> bits.<br>\n",
gnutls_dh_get_prime_bits (session));
}
@@ -576,7 +576,7 @@ peer_print_info (gnutls_session_t session, int *ret_length,
tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2,
+ snprintf (tmp2,
"<TABLE border=1><TR><TD>Protocol version:</TD><TD>%s</TD></TR>\n",
tmp);
@@ -587,50 +587,44 @@ peer_print_info (gnutls_session_t session, int
*ret_length,
(session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", tmp);
}
tmp = gnutls_kx_get_name (kx_alg);
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp);
tmp = gnutls_compression_get_name (gnutls_compression_get (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp);
tmp = gnutls_cipher_get_name (gnutls_cipher_get (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp);
tmp = gnutls_mac_get_name (gnutls_mac_get (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n", tmp);
+ snprintf (tmp2, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n", tmp);
tmp = gnutls_cipher_suite_get_name (kx_alg,
gnutls_cipher_get (session),
gnutls_mac_get (session));
if (tmp == NULL)
tmp = str_unknown;
- sprintf (tmp2, "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n",
+ snprintf (tmp2, "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n",
tmp);
if (crtinfo)
{
- strcat (http_buffer, "<hr><PRE>");
- strcat (http_buffer, crtinfo);
- strcat (http_buffer, "\n</PRE>\n");
+ snprintf(tmp2, "<hr><PRE>%s\n</PRE>\n", crtinfo);
free (crtinfo);
}
- strcat (http_buffer, "<hr><P>Your HTTP header was:<PRE>");
- strcat (http_buffer, header);
- strcat (http_buffer, "</PRE></P>");
-
- strcat (http_buffer, "\n" HTTP_END);
+ snprintf(tmp2, "<hr><P>Your HTTP header was:<PRE>%s</PRE></P>\n" HTTP_END,
header);
*ret_length = strlen (http_buffer);
diff --git a/tests/chainverify.c b/tests/chainverify.c
index 5aa4b88..2e9fd54 100644
--- a/tests/chainverify.c
+++ b/tests/chainverify.c
@@ -687,15 +687,13 @@ static struct
{ "CVE-2008-4989", cve_2008_4989_chain, &cve_2008_4989_chain[2],
0, GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID },
{ "verisign.com v1 fail", verisign_com_chain, &verisign_com_chain[3],
- 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
- { "verisign.com v1 fail2", verisign_com_chain, &verisign_com_chain[3],
- GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+ 0,
GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
{ "verisign.com v1 ok", verisign_com_chain, &verisign_com_chain[3],
GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
0 },
{ "citibank.com v1 fail", citibank_com_chain, &citibank_com_chain[2],
- 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
+ GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA |
GNUTLS_CERT_INVALID },
{ "expired self signed", pem_self_cert, &pem_self_cert[0],
0, GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
{ "self signed", pem_self_cert, &pem_self_cert[0],
@@ -706,7 +704,7 @@ static struct
{ "ca=false2", thea_chain, &thea_chain[1],
0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
{ "hbci v1 fail", hbci_chain, &hbci_chain[2],
- 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID},
+ GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA |
GNUTLS_CERT_INVALID},
{ "hbci v1 ok expired", hbci_chain, &hbci_chain[2],
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
@@ -724,7 +722,7 @@ static struct
{ "rsa-md5 ok", mayfirst_chain, &mayfirst_chain[1],
GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5, 0 },
{ "v1ca fail", v1ca, &v1ca[2],
- 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
+ GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA |
GNUTLS_CERT_INVALID },
{ "v1ca expired", v1ca, &v1ca[2],
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
@@ -851,7 +849,7 @@ doit (void)
fail ("verify_status: %d expected: %d",
verify_status, chains[i].expected_verify_result);
- if (debug)
+ if (!debug)
exit (1);
}
else if (debug)
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_3-5-gc34a21d,
Nikos Mavrogiannopoulos <=