[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_4-55-g3ec531a
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_4-55-g3ec531a |
|
Date: |
Sun, 05 Dec 2010 20:11:57 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=3ec531a07ddfaddacdef08af6d49abc0eb8d8edd
The branch, master has been updated
via 3ec531a07ddfaddacdef08af6d49abc0eb8d8edd (commit)
via 6808f0bddae9ebaa81a85f0f22bbf88afe1da9d0 (commit)
from 86ecfeed9948097dd9f34f2cefc49654521b3e69 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3ec531a07ddfaddacdef08af6d49abc0eb8d8edd
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Dec 5 17:06:24 2010 +0100
Temporarily remove gendh test. It takes extremely long time under valgrind.
commit 6808f0bddae9ebaa81a85f0f22bbf88afe1da9d0
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Dec 5 16:33:01 2010 +0100
Use ASN1_NULL when writing parameters for RSA signatures. This makes us
comply with RFC3279. Reported by Michael Rommel.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 3 +++
lib/gnutls_sig.c | 3 ++-
lib/x509/common.c | 2 +-
lib/x509/common.h | 3 +++
lib/x509/mpi.c | 5 ++++-
lib/x509/sign.c | 2 +-
lib/x509/verify.c | 4 ++--
tests/Makefile.am | 2 +-
8 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/NEWS b/NEWS
index 3bdd35c..132af9d 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ See the end for copying conditions.
* Version 2.11.6 (unreleased)
+** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures.
+This makes us comply with RFC3279. Reported by Michael Rommel.
+
** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz.
** API and ABI modifications:
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 13ad46a..165a6dc 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -40,6 +40,7 @@
#include <libtasn1.h>
#include <ext_signature.h>
#include <gnutls_state.h>
+#include <x509/common.h>
static int
_gnutls_tls_sign (gnutls_session_t session,
@@ -90,7 +91,7 @@ _gnutls_rsa_encode_sig (gnutls_mac_algorithm_t algo,
/* Use NULL parameters. */
if ((result = asn1_write_value (di, "digestAlgorithm.parameters",
- "\x05\x00", 2)) != ASN1_SUCCESS)
+ ASN1_NULL, ASN1_NULL_SIZE)) != ASN1_SUCCESS)
{
gnutls_assert ();
asn1_delete_structure (&di);
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 44b8528..c90b4e2 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1226,7 +1226,7 @@ _gnutls_x509_encode_and_copy_PKI_params (ASN1_TYPE dst,
_asnstr_append_name (name, sizeof (name), dst_name,
".algorithm.parameters");
- result = asn1_write_value (dst, name, NULL, 0);
+ result = asn1_write_value (dst, name, ASN1_NULL, ASN1_NULL_SIZE);
if (result != ASN1_SUCCESS)
{
gnutls_assert ();
diff --git a/lib/x509/common.h b/lib/x509/common.h
index c6c2406..6246824 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -64,6 +64,9 @@
#define SIG_GOST_R3410_94_OID "1.2.643.2.2.4"
#define SIG_GOST_R3410_2001_OID "1.2.643.2.2.3"
+#define ASN1_NULL "\x05\x00"
+#define ASN1_NULL_SIZE 2
+
int _gnutls_x509_set_time (ASN1_TYPE c2, const char *where, time_t tim);
int _gnutls_x509_decode_octet_string (const char *string_type,
diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c
index 2ce6a53..4b1aa16 100644
--- a/lib/x509/mpi.c
+++ b/lib/x509/mpi.c
@@ -456,7 +456,10 @@ _gnutls_x509_write_sig_params (ASN1_TYPE dst, const char
*dst_name,
_gnutls_str_cpy (name, sizeof (name), dst_name);
_gnutls_str_cat (name, sizeof (name), ".parameters");
- result = asn1_write_value (dst, name, NULL, 0);
+ if (pk_algorithm == GNUTLS_PK_RSA)
+ result = asn1_write_value (dst, name, ASN1_NULL, ASN1_NULL_SIZE);
+ else
+ result = asn1_write_value (dst, name, NULL, 0);
if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND)
{
diff --git a/lib/x509/sign.c b/lib/x509/sign.c
index cab6c04..1151300 100644
--- a/lib/x509/sign.c
+++ b/lib/x509/sign.c
@@ -86,7 +86,7 @@ encode_ber_digest_info (gnutls_digest_algorithm_t hash,
Regardless of what is correct, this appears to be what most
implementations do. */
result = asn1_write_value (dinfo, "digestAlgorithm.parameters",
- "\x05\x00", 2);
+ ASN1_NULL, ASN1_NULL_SIZE);
if (result != ASN1_SUCCESS)
{
gnutls_assert ();
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index c845e6f..e7cdc74 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -684,8 +684,8 @@ decode_ber_digest_info (const gnutls_datum_t * info,
/* To avoid permitting garbage in the parameters field, either the
parameters field is not present, or it contains 0x05 0x00. */
if (!(result == ASN1_ELEMENT_NOT_FOUND ||
- (result == ASN1_SUCCESS && len == 2 &&
- str[0] == 0x05 && str[1] == 0x00)))
+ (result == ASN1_SUCCESS && len == ASN1_NULL_SIZE &&
+ memcmp(str, ASN1_NULL, ASN1_NULL_SIZE) == 0)))
{
gnutls_assert ();
asn1_delete_structure (&dinfo);
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 57a1981..83f9426 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -60,7 +60,7 @@ ctests = simple gc set_pkcs12_cred certder certuniqueid mpi
\
crq_key_id x509sign-verify cve-2009-1415 cve-2009-1416 \
crq_apis init_roundtrip pkcs12_s2k_pem dn2 mini-eagain \
nul-in-x509-names x509_altname pkcs12_encode mini-x509 \
- mini-x509-rehandshake gendh
+ mini-x509-rehandshake #gendh
if ENABLE_OPENSSL
ctests += openssl
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_2_11_4-55-g3ec531a,
Nikos Mavrogiannopoulos <=