
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-34-g663a869


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-34-g663a869
Date: Sat, 18 Dec 2010 11:16:08 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=663a869147fb9264c3747a46da92b7878eeb4867

The branch, master has been updated
       via  663a869147fb9264c3747a46da92b7878eeb4867 (commit)
       via  aa32bcbffbba694a798a2e39f5ab0a5fb3548180 (commit)
       via  c583cb7d335ad1f0a055ebbdc0bd2e92a23a01cb (commit)
       via  32aabbb05e25e7eb3cf306590ff30be8d7e30da5 (commit)
       via  dc6c1be344ff3641b8e5c1e301a466427bd02b49 (commit)
      from  c6f19f3a0f715d2e03e11f7e21e41153e44d931f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 663a869147fb9264c3747a46da92b7878eeb4867
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Dec 18 12:14:50 2010 +0100

    Account for GNUTLS_E_PK_SIG_VERIFY_FAILED.

commit aa32bcbffbba694a798a2e39f5ab0a5fb3548180
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Dec 18 12:11:47 2010 +0100

    Corrected bug in gnutls_privkey_sign_data().

commit c583cb7d335ad1f0a055ebbdc0bd2e92a23a01cb
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Dec 18 12:09:34 2010 +0100

    some fixes in pk_prepare_hash().

commit 32aabbb05e25e7eb3cf306590ff30be8d7e30da5
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Dec 18 12:00:01 2010 +0100

    The verification functions now return a GNUTLS_E_PK_SIG_VERIFY_FAILED on 
signature verification error.

commit dc6c1be344ff3641b8e5c1e301a466427bd02b49
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Dec 18 11:54:55 2010 +0100

    The default input format for p11tool is PEM.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                    |    8 ++++++-
 lib/gnutls_privkey.c    |    2 +-
 lib/gnutls_pubkey.c     |    8 +++---
 lib/gnutls_sig.c        |    3 +-
 lib/openpgp/pgp.c       |    6 ++--
 lib/x509/privkey.c      |    6 ++--
 lib/x509/verify.c       |   54 ++++++++++++++++++++++------------------------
 lib/x509/x509.c         |   12 +++++-----
 src/p11tool-gaa.c       |    9 ++++---
 src/p11tool.gaa         |    6 ++--
 tests/cve-2009-1415.c   |    2 +-
 tests/x509sign-verify.c |   12 +++++-----
 12 files changed, 67 insertions(+), 61 deletions(-)

diff --git a/NEWS b/NEWS
index 66f6d6d..b61d12d 100644
--- a/NEWS
+++ b/NEWS
@@ -8,7 +8,13 @@ See the end for copying conditions.
 ** libgnutls: The deprecated  gnutls_x509_privkey_sign_hash() was
 replaced by gnutls_privkey_sign_hash2().
 
-** Added helper functions for signature verification:
+** libgnutls: gnutls_pubkey_verify_data, gnutls_pubkey_verify_hash,
+gnutls_openpgp_crt_verify_hash, gnutls_x509_privkey_verify_data,
+gnutls_x509_crt_verify_data, gnutls_x509_crt_verify_hash
+return the negative error code GNUTLS_E_PK_SIG_VERIFY_FAILED
+if verification fails.
+
+** libgnutls: Added helper functions for signature verification:
 gnutls_pubkey_verify_data() and gnutls_pubkey_import_privkey().
 
 ** libgnutls: Added gnutls_pkcs11_privkey_sign_hash2(), 
diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c
index a398621..fdd8b18 100644
--- a/lib/gnutls_privkey.c
+++ b/lib/gnutls_privkey.c
@@ -383,7 +383,7 @@ gnutls_privkey_sign_data (gnutls_privkey_t signer,
   int ret;
   gnutls_datum_t digest;
 
-  ret = pk_hash_data (signer->pk_algorithm, hash, NULL, data, signature);
+  ret = pk_hash_data (signer->pk_algorithm, hash, NULL, data, &digest);
   if (ret < 0)
     {
       gnutls_assert ();
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index 5142130..035553f 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -981,8 +981,8 @@ gnutls_pubkey_import_dsa_raw (gnutls_pubkey_t key,
  * This function will verify the given signed data, using the
  * parameters from the certificate.
  *
- * Returns: In case of a verification failure 0 is returned, and 1 on
- * success.
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED 
+ * is returned, and a positive code on success.
  **/
 int
 gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey, unsigned int flags,
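Review bot: The new Returns text for gnutls_pubkey_verify_data does not warn that the failure value changed from 0 to a negative, non-zero code, so a caller written against the old contract as `if (gnutls_pubkey_verify_data (...))` would now take a failed verification for success. I would add a sentence such as `Callers must test for a negative return value; other negative error codes may also be returned.` The same wording is used in the comments for gnutls_pubkey_verify_hash, gnutls_openpgp_crt_verify_hash, gnutls_x509_privkey_verify_data, gnutls_x509_crt_verify_data and gnutls_x509_crt_verify_hash and needs the same addition. The function bodies are outside these hunks, so the remark about other negative codes is inferred from the sibling hunks that now pass `ret` / `result` through unchanged.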
@@ -1018,8 +1018,8 @@ gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey, 
unsigned int flags,
  * This function will verify the given signed digest, using the
  * parameters from the certificate.
  *
- * Returns: In case of a verification failure 0 is returned, and 1 on
- * success.
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED 
+ * is returned, and a positive code on success.
  **/
 int
 gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 961203f..2bd6685 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -952,13 +952,14 @@ pk_prepare_hash (gnutls_pk_algorithm_t pk,
     case GNUTLS_PK_RSA:
       /* Encode the digest as a DigestInfo
        */
-      if ((ret = encode_ber_digest_info (hash, digest, digest)) != 0)
+      if ((ret = encode_ber_digest_info (hash, &old_digest, digest)) != 0)
         {
           gnutls_assert ();
           return ret;
         }
 
       _gnutls_free_datum (&old_digest);
+      break;
     case GNUTLS_PK_DSA:
       break;
     default:
diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c
index 4dc8af4..409711c 100644
--- a/lib/openpgp/pgp.c
+++ b/lib/openpgp/pgp.c
@@ -1698,8 +1698,8 @@ gnutls_openpgp_crt_get_auth_subkey (gnutls_openpgp_crt_t 
crt,
  * This function will verify the given signed digest, using the
  * parameters from the certificate.
  *
- * Returns: In case of a verification failure 0 is returned, and 1 on
- * success.
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED 
+ * is returned, and a positive code on success.
  **/
 int
 gnutls_openpgp_crt_verify_hash (gnutls_openpgp_crt_t crt, unsigned int flags,
@@ -1738,7 +1738,7 @@ gnutls_openpgp_crt_verify_hash (gnutls_openpgp_crt_t crt, 
unsigned int flags,
   if (ret < 0)
     {
       gnutls_assert ();
-      return 0;
+      return ret;
     }
 
   return ret;
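Review bot: After this change both the `if (ret < 0)` branch and the fall-through end in `return ret;`, so the branch exists only to call gnutls_assert (). Either say so in a comment, e.g. `/* log only; the error code is passed through unchanged */`, or reduce it to `if (ret < 0) gnutls_assert ();` followed by the single return. The same shape appears in the hunks for gnutls_x509_privkey_verify_data, gnutls_x509_crt_verify_data and gnutls_x509_crt_verify_hash. The start of the function is outside the hunk.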
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index 7d3caa3..b5ad997 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -1889,8 +1889,8 @@ gnutls_x509_privkey_sign_data (gnutls_x509_privkey_t key,
  * This function will verify the given signed data, using the
  * parameters in the private key.
  *
- * Returns: In case of a verification failure 0 is returned, and 1 on
- *   success.
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED 
+ * is returned, and a positive code on success.
  **/
 int
 gnutls_x509_privkey_verify_data (gnutls_x509_privkey_t key,
@@ -1910,7 +1910,7 @@ gnutls_x509_privkey_verify_data (gnutls_x509_privkey_t 
key,
   if (result < 0)
     {
       gnutls_assert ();
-      return 0;
+      return result;
     }
 
   return result;
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 8ced281..e830cec 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -299,7 +299,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
   gnutls_datum_t cert_signed_data = { NULL, 0 };
   gnutls_datum_t cert_signature = { NULL, 0 };
   gnutls_x509_crt_t issuer = NULL;
-  int ret, issuer_version, result;
+  int issuer_version, result;
 
   if (output)
     *output = 0;
@@ -365,20 +365,21 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
       goto cleanup;
     }
 
-  ret =
+  result =
     _gnutls_x509_verify_signature (&cert_signed_data, NULL, &cert_signature,
                                    issuer);
-  if (ret < 0)
-    {
-      gnutls_assert ();
-    }
-  else if (ret == 0)
+  if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED)
     {
       gnutls_assert ();
       /* error. ignore it */
       if (output)
         *output |= GNUTLS_CERT_INVALID;
-      ret = 0;
+      result = 0;
+    }
+  else if (result < 0)
+    {
+      gnutls_assert();
+      goto cleanup;
     }
 
   /* If the certificate is not self signed check if the algorithms
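Review bot: The new `else if (result < 0)` branch jumps to cleanup without setting GNUTLS_CERT_INVALID, so on an internal error `*output` keeps the 0 it was given at the top of the function and only the negative return value signals the problem. The callers are outside this diff; if any of them treats only a return of 0 as "not verified", or looks at `*output` alone, an error here would be read as a valid certificate. Failing closed is cheap: add `if (output) *output |= GNUTLS_CERT_INVALID;` before `goto cleanup;`. The retained comment `/* error. ignore it */` also no longer describes its branch, which now records a failed signature rather than ignoring an error. _gnutls_verify_crl2 gets the same branch later in this file.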
@@ -398,12 +399,10 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
         {
           if (output)
             *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
-          ret = 0;
+          result = 0;
         }
     }
 
-  result = ret;
-
 cleanup:
   _gnutls_free_datum (&cert_signed_data);
   _gnutls_free_datum (&cert_signature);
@@ -829,8 +828,8 @@ dsa_verify_sig (const gnutls_datum_t * text,
   return ret;
 }
 
-/* Verifies the signature data, and returns 0 if not verified,
- * or 1 otherwise.
+/* Verifies the signature data, and returns GNUTLS_E_PK_SIG_VERIFY_FAILED if 
+ * not verified, or 1 otherwise.
  */
 int
 pubkey_verify_sig (const gnutls_datum_t * tbs,
@@ -848,7 +847,7 @@ pubkey_verify_sig (const gnutls_datum_t * tbs,
           (tbs, hash, signature, issuer_params, issuer_params_size) != 0)
         {
           gnutls_assert ();
-          return 0;
+          return GNUTLS_E_PK_SIG_VERIFY_FAILED;
         }
 
       return 1;
@@ -859,7 +858,7 @@ pubkey_verify_sig (const gnutls_datum_t * tbs,
           (tbs, hash, signature, issuer_params, issuer_params_size) != 0)
         {
           gnutls_assert ();
-          return 0;
+          return GNUTLS_E_PK_SIG_VERIFY_FAILED;
         }
 
       return 1;
@@ -967,7 +966,7 @@ cleanup:
 }
 
 /* verifies if the certificate is properly signed.
- * returns 0 on failure and 1 on success.
+ * returns GNUTLS_E_PK_VERIFY_SIG_FAILED on failure and 1 on success.
  * 
  * 'tbs' is the signed data
  * 'signature' is the signature!
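Review bot: The updated comment names the constant as GNUTLS_E_PK_VERIFY_SIG_FAILED, while every code line and the NEWS entry in this commit use GNUTLS_E_PK_SIG_VERIFY_FAILED, so a search for the real identifier will miss this comment. It should read ` * returns GNUTLS_E_PK_SIG_VERIFY_FAILED on failure and 1 on success.` The second comment changed in the next hunk has the same transposition.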
@@ -1012,7 +1011,7 @@ _gnutls_x509_verify_signature (const gnutls_datum_t * tbs,
 }
 
 /* verifies if the certificate is properly signed.
- * returns 0 on failure and 1 on success.
+ * returns GNUTLS_E_PK_VERIFY_SIG_FAILED on failure and 1 on success.
  * 
  * 'tbs' is the signed data
  * 'signature' is the signature!
@@ -1244,7 +1243,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
   gnutls_datum_t crl_signed_data = { NULL, 0 };
   gnutls_datum_t crl_signature = { NULL, 0 };
   gnutls_x509_crt_t issuer;
-  int ret, result;
+  int result;
 
   if (output)
     *output = 0;
@@ -1296,20 +1295,21 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
       goto cleanup;
     }
 
-  ret =
+  result =
     _gnutls_x509_verify_signature (&crl_signed_data, NULL, &crl_signature,
                                    issuer);
-  if (ret < 0)
-    {
-      gnutls_assert ();
-    }
-  else if (ret == 0)
+  if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED)
     {
       gnutls_assert ();
       /* error. ignore it */
       if (output)
         *output |= GNUTLS_CERT_INVALID;
-      ret = 0;
+      result = 0;
+    }
+  else if (result < 0)
+    {
+      gnutls_assert ();
+      goto cleanup;
     }
 
   {
@@ -1324,12 +1324,10 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
       {
         if (output)
           *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
-        ret = 0;
+        result = 0;
       }
   }
 
-  result = ret;
-
 cleanup:
   _gnutls_free_datum (&crl_signed_data);
   _gnutls_free_datum (&crl_signature);
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index c3b9090..9aaeff8 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -2600,8 +2600,8 @@ gnutls_x509_crt_get_preferred_hash_algorithm 
(gnutls_x509_crt_t crt,
  * This function will verify the given signed data, using the
  * parameters from the certificate.
  *
- * Returns: In case of a verification failure 0 is returned, and 1 on
- * success.
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED 
+ * is returned, and a positive code on success.
  **/
 int
 gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, unsigned int flags,
@@ -2620,7 +2620,7 @@ gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, 
unsigned int flags,
   if (result < 0)
     {
       gnutls_assert ();
-      return 0;
+      return result;
     }
 
   return result;
@@ -2636,8 +2636,8 @@ gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, 
unsigned int flags,
  * This function will verify the given signed digest, using the
  * parameters from the certificate.
  *
- * Returns: In case of a verification failure 0 is returned, and 1 on
- * success.
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED 
+ * is returned, and a positive code on success.
  **/
 int
 gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt, unsigned int flags,
@@ -2656,7 +2656,7 @@ gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt, 
unsigned int flags,
   if (result < 0)
     {
       gnutls_assert ();
-      return 0;
+      return result;
     }
 
   return result;
diff --git a/src/p11tool-gaa.c b/src/p11tool-gaa.c
index 99dab2f..83976f0 100644
--- a/src/p11tool-gaa.c
+++ b/src/p11tool-gaa.c
@@ -727,14 +727,14 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo 
*gaaval, char *opt_list)
        case GAAOPTID_inraw:
        OK = 0;
 #line 69 "p11tool.gaa"
-{ gaaval->incert_format=1 ;};
+{ gaaval->incert_format=GNUTLS_X509_FMT_DER ;};
 
                return GAA_OK;
                break;
        case GAAOPTID_inder:
        OK = 0;
 #line 68 "p11tool.gaa"
-{ gaaval->incert_format=1 ;};
+{ gaaval->incert_format=GNUTLS_X509_FMT_DER ;};
 
                return GAA_OK;
                break;
@@ -940,10 +940,11 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
     {
 
 #line 85 "p11tool.gaa"
-{      gaaval->action = -1; gaaval->pkcs11_provider= NULL; gaaval->outfile = 
NULL; gaaval->pubkey = NULL; gaaval->privkey = NULL;
+{
+       gaaval->action = -1; gaaval->pkcs11_provider= NULL; gaaval->outfile = 
NULL; gaaval->pubkey = NULL; gaaval->privkey = NULL;
        gaaval->pkcs11_url = NULL; gaaval->pkcs11_type = PKCS11_TYPE_PK; 
gaaval->pubkey=NULL; gaaval->pkcs11_label = NULL; 
        gaaval->pkcs11_trusted=0; gaaval->pkcs11_login = 0; 
gaaval->pkcs11_detailed_url = GNUTLS_PKCS11_URL_LIB; 
-       gaaval->secret_key = NULL; gaaval->cert = NULL; gaaval->incert_format = 
0; ;};
+       gaaval->secret_key = NULL; gaaval->cert = NULL; gaaval->incert_format = 
GNUTLS_X509_FMT_PEM; ;};
 
     }
     inited = 1;
diff --git a/src/p11tool.gaa b/src/p11tool.gaa
index 256aad2..7c2ca91 100644
--- a/src/p11tool.gaa
+++ b/src/p11tool.gaa
@@ -65,8 +65,8 @@ option (load-certificate) STR "FILE" { $cert = $1 } 
"Certificate file to use."
 option (8, pkcs8) { $pkcs8=1 } "Use PKCS #8 format for private keys."
 
 #int incert_format;
-option (inder) { $incert_format=1 } "Use DER format for input certificates and 
private keys."
-option (inraw) { $incert_format=1 } "Use RAW/DER format for input certificates 
and private keys."
+option (inder) { $incert_format=GNUTLS_X509_FMT_DER } "Use DER format for 
input certificates and private keys."
+option (inraw) { $incert_format=GNUTLS_X509_FMT_DER } "Use RAW/DER format for 
input certificates and private keys."
 
 #char* pkcs11_provider;
 #int action;
@@ -86,4 +86,4 @@ init {
        $action = -1; $pkcs11_provider= NULL; $outfile = NULL; $pubkey = NULL; 
$privkey = NULL;
        $pkcs11_url = NULL; $pkcs11_type = PKCS11_TYPE_PK; $pubkey=NULL; 
$pkcs11_label = NULL; 
        $pkcs11_trusted=0; $pkcs11_login = 0; $pkcs11_detailed_url = 
GNUTLS_PKCS11_URL_LIB; 
-       $secret_key = NULL; $cert = NULL; $incert_format = 0; }
+       $secret_key = NULL; $cert = NULL; $incert_format = GNUTLS_X509_FMT_PEM; 
}
diff --git a/tests/cve-2009-1415.c b/tests/cve-2009-1415.c
index 2a20178..d1e23c5 100644
--- a/tests/cve-2009-1415.c
+++ b/tests/cve-2009-1415.c
@@ -92,7 +92,7 @@ main (void)
     return 1;
 
   ret = gnutls_x509_crt_verify_data (crt, 0, &data, &sig);
-  if (ret < 0)
+  if (ret < 0 && ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
     return 1;
 
   //printf ("success!\n");
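Review bot: The relaxed condition lets the test pass whether the signature verifies or is rejected, and nothing in the hunk says why both outcomes are acceptable. This keeps the old behaviour, where a return of 0 or 1 both passed, but a reader now has to work that out. A short comment above the check would help, e.g. `/* only unexpected errors fail the test; GNUTLS_E_PK_SIG_VERIFY_FAILED is an accepted outcome */`. The rest of main is outside the hunk.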
diff --git a/tests/x509sign-verify.c b/tests/x509sign-verify.c
index 0d2a36c..85e9ce7 100644
--- a/tests/x509sign-verify.c
+++ b/tests/x509sign-verify.c
@@ -195,7 +195,7 @@ doit (void)
         fail ("gnutls_x509_crt_get_verify_algorithm\n");
 
       ret = gnutls_x509_crt_verify_hash (crt, 0, &hash_data, &signature);
-      if (ret <= 0)
+      if (ret < 0)
         fail ("gnutls_x509_privkey_verify_hash\n");
 
       ret =
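Review bot: Changing `ret <= 0` to `ret < 0` makes this check accept a return of 0 as success, although the updated documentation promises a positive code on success and 0 was the old failure value. Keeping `if (ret <= 0)` costs nothing and would catch any code path that still returns 0 for a bad signature. The same applies to the second gnutls_x509_crt_verify_hash check in the next hunk and to the gnutls_pubkey_verify_data check in the last hunk of this file.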
@@ -204,12 +204,12 @@ doit (void)
         fail ("gnutls_x509_crt_get_verify_algorithm (hashed data)\n");
 
       ret = gnutls_x509_crt_verify_hash (crt, 0, &hash_data, &signature2);
-      if (ret <= 0)
+      if (ret < 0)
         fail ("gnutls_x509_privkey_verify_hash (hashed data)\n");
 
       /* should fail */
       ret = gnutls_x509_crt_verify_hash (crt, 0, &invalid_hash_data, 
&signature2);
-      if (ret < 0 || ret == 1)
+      if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
         fail ("gnutls_x509_privkey_verify_hash (hashed data)\n");
 
 
@@ -262,13 +262,13 @@ doit (void)
     fail ("gnutls_pubkey_get_verify_algorithm\n");
 
   /* should fail */
-  ret = gnutls_pubkey_verify_hash (pubkey, 0, &invalid_hash_data, &signature);
-  if (ret < 0 || ret == 1)
+  ret = gnutls_pubkey_verify_hash (pubkey, 0, &invalid_hash_data,
+  &signature); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
     fail ("gnutls_x509_privkey_verify_hash 1\n");
 
   /* should succeed */
   ret = gnutls_pubkey_verify_data (pubkey, 0, &raw_data, &signature);
-  if (ret <= 0)
+  if (ret < 0)
     fail ("gnutls_x509_privkey_verify_data\n");
 
   gnutls_x509_privkey_deinit(key);
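Review bot: The rewritten call ends with `&signature); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)` on one line, so the `if` that guards the following fail () is easy to miss when reading. Put the last argument on its own continuation line, aligned with the other arguments, and start the `if` on a new line, as the neighbouring checks do.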


hooks/post-receive
-- 
GNU gnutls


