
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_15-55-g89856c8


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_0_15-55-g89856c8
Date: Sat, 17 Mar 2012 09:09:09 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=89856c82cc0a29a3566c9362354473baa39ba9a9

The branch, master has been updated
       via  89856c82cc0a29a3566c9362354473baa39ba9a9 (commit)
       via  8af7669ec60d3f8bddeda0bd7295aff4986bd708 (commit)
       via  dbd17e9817319a4a32038f3559f7677003560fba (commit)
       via  83703564eeae6ce702444ad17969fdee17cd80ce (commit)
       via  5bc465a0bc1a5ec5d2c92cb616f704094cea17ab (commit)
       via  a762995f3fe9e68359c8cc043333fef9b92aeb6a (commit)
       via  8471d8ea878fc8c39d060a37b1f78db74c8f6fec (commit)
      from  8056a527aa2bbacdc16c99f60e6f4c539c87fbb7 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 89856c82cc0a29a3566c9362354473baa39ba9a9
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Mar 17 09:32:47 2012 +0100

    bumped version

commit 8af7669ec60d3f8bddeda0bd7295aff4986bd708
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Mar 17 09:24:00 2012 +0100

    corrected the documentation of the verification functions.

commit dbd17e9817319a4a32038f3559f7677003560fba
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Mar 16 17:30:46 2012 +0100

    released 3.0.16

commit 83703564eeae6ce702444ad17969fdee17cd80ce
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Mar 16 17:28:31 2012 +0100

    enable_local_libopts is by default no

commit 5bc465a0bc1a5ec5d2c92cb616f704094cea17ab
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Mar 16 17:23:34 2012 +0100

    bumped shared lib version

commit a762995f3fe9e68359c8cc043333fef9b92aeb6a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Mar 16 17:22:26 2012 +0100

    Added gnutls_x509_crt_set_authority_info_access.

commit 8471d8ea878fc8c39d060a37b1f78db74c8f6fec
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Mar 16 07:59:21 2012 +0100

    updated

-----------------------------------------------------------------------

Summary of changes:
 NEWS                       |   17 ++++-
 configure.ac               |    6 +-
 cross.mk                   |    4 +-
 lib/accelerated/x86/README |    5 +-
 lib/gnutls_pubkey.c        |   12 ++--
 lib/includes/gnutls/x509.h |    3 +
 lib/libgnutls.map          |    1 +
 lib/x509/crq.c             |    5 +-
 lib/x509/x509.c            |    4 +-
 lib/x509/x509_write.c      |  135 ++++++++++++++++++++++++++++++++++++++++++++
 m4/hooks.m4                |    6 +-
 src/certtool-args.def      |    6 ++
 src/certtool-cfg.c         |   58 +++++++++++++++++++
 src/certtool-cfg.h         |    2 +
 src/certtool.c             |    2 +
 15 files changed, 241 insertions(+), 25 deletions(-)

diff --git a/NEWS b/NEWS
index 45c7a63..490660d 100644
--- a/NEWS
+++ b/NEWS
@@ -2,9 +2,17 @@ GnuTLS NEWS -- History of user-visible changes.                
-*- outline -*-
 Copyright (C) 2000-2012 Free Software Foundation, Inc.
 See the end for copying conditions.
 
-* Version 3.0.16 (unreleased)
+* Version 3.0.17 (released 2012-03-17)
 
-** minitasn1: Upgraded to libtasn1 version 2.12.
+** command line apps: Always link with local libopts.
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.0.16 (released 2012-03-16)
+
+** minitasn1: Upgraded to libtasn1 version 2.12 (pre-release).
 
 ** libgnutls: Corrected SRP-RSA ciphersuites when used under TLS 1.2.
 
@@ -14,10 +22,11 @@ See the end for copying conditions.
 line option.
 
 ** certtool: The template option allows for setting the domain
-component (DC) option of the distinguished name.
+component (DC) option of the distinguished name, and the ocsp_uri
+as well as the ca_issuers_uri options.
 
 ** API and ABI modifications:
-No changes since last version.
+gnutls_x509_crt_set_authority_info_access: Added
 
 
 * Version 3.0.15 (released 2012-03-02)
diff --git a/configure.ac b/configure.ac
index 6b0ade5..83c3577 100644
--- a/configure.ac
+++ b/configure.ac
@@ -21,7 +21,7 @@ dnl Process this file with autoconf to produce a configure 
script.
 # USA
 
 AC_PREREQ(2.61)
-AC_INIT([GnuTLS], [3.0.16], address@hidden)
+AC_INIT([GnuTLS], [3.0.17], address@hidden)
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])
 
@@ -153,8 +153,8 @@ fi
 
 AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
 
-dnl Checks for programs in src/ 
-PKG_CHECK_MODULES([autoopts], autoopts >= 36.2.11,, [enable_local_libopts=yes])
+enable_local_libopts=yes
+dnl PKG_CHECK_MODULES([autoopts], autoopts >= 36.2.11,, 
[enable_local_libopts=yes])
 
 NEED_LIBOPTS_DIR=true
 LIBOPTS_CHECK([src/libopts])
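Review bot: The PKG_CHECK_MODULES line is kept as dead code behind dnl directly under the new `enable_local_libopts=yes`, so a reader cannot tell whether the system-autoopts check was disabled temporarily or for good. Delete it and state the intent in one line instead, e.g. `dnl Always build against the bundled libopts (see NEWS); the system autoopts check was dropped on purpose.` The commit message "enable_local_libopts is by default no" reads as the opposite of what this hunk does; if forcing yes is the intended behaviour, that mismatch is worth a follow-up note so nobody "restores" the check.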
diff --git a/cross.mk b/cross.mk
index 5cb4a04..006bf90 100644
--- a/cross.mk
+++ b/cross.mk
@@ -1,6 +1,6 @@
 
-GNUTLS_FILE:=gnutls-3.0.15.tar.xz
-GNUTLS_DIR:=gnutls-3.0.15
+GNUTLS_FILE:=gnutls-3.0.17.tar.xz
+GNUTLS_DIR:=gnutls-3.0.17
 
 GMP_FILE:=gmp-5.0.2.tar.bz2
 GMP_DIR:=gmp-5.0.2
diff --git a/lib/accelerated/x86/README b/lib/accelerated/x86/README
index 9325982..0dd5cb9 100644
--- a/lib/accelerated/x86/README
+++ b/lib/accelerated/x86/README
@@ -1,3 +1,4 @@
-The AES-NI and Padlock implementation by Andy Polyakov is not part of the 
GnuTLS library, but is 
-used with GnuTLS. Their license is included in license.txt.
+The AES-NI and Padlock implementation by Andy Polyakov is not part of the 
+GnuTLS library, but is used with GnuTLS. Its license is included in 
+license.txt.
 
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index ba0c2c4..d66a531 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -1304,8 +1304,8 @@ gnutls_pubkey_import_dsa_raw (gnutls_pubkey_t key,
  * This function will verify the given signed data, using the
  * parameters from the certificate.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
- *   negative error value (%GNUTLS_E_PK_SIG_VERIFY_FAILED in verification 
failure).
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED 
+ * is returned, and zero or positive code on success.
  *
  * Since: 2.12.0
  **/
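Review bot: The rewritten Returns: text names only %GNUTLS_E_PK_SIG_VERIFY_FAILED as a failure outcome and drops the statement, present in the removed lines, that other negative error codes are possible. A caller who takes the new text literally may treat `ret != GNUTLS_E_PK_SIG_VERIFY_FAILED` as success and accept a signature on an unrelated error such as a bad argument or an unsupported algorithm, which is a fail-open pattern for a verification API; the safe contract is "any negative value is a failure". Suggest ` * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED` / ` * is returned, another negative error code on other failures, and zero or` / ` * a positive code on success.` The same wording is introduced in the next two hunks of this file and in the lib/x509/crq.c hunk, and the two lib/x509/x509.c hunks carry the same gap; one consistent sentence across all of them would be best.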
@@ -1343,8 +1343,8 @@ gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey, 
unsigned int flags,
  * This function will verify the given signed data, using the
  * parameters from the certificate.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
- *   negative error value (%GNUTLS_E_PK_SIG_VERIFY_FAILED in verification 
failure).
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED 
+ * is returned, and zero or positive code on success.
  *
  * Since: 3.0
  **/
@@ -1384,8 +1384,8 @@ gnutls_pubkey_verify_data2 (gnutls_pubkey_t pubkey,
  * This function will verify the given signed digest, using the
  * parameters from the public key.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
- *   negative error value (%GNUTLS_E_PK_SIG_VERIFY_FAILED in verification 
failure).
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED 
+ * is returned, and zero or positive code on success.
  *
  * Since: 2.12.0
  **/
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index a0b11f1..ac6de53 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -295,6 +295,9 @@ extern "C"
                                      unsigned int *critical);
   int gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt,
                                      unsigned int usage);
+  int gnutls_x509_crt_set_authority_info_access (gnutls_x509_crt_t crt,
+                                                int what,
+                                                gnutls_datum_t * data);
 
   int gnutls_x509_crt_get_proxy (gnutls_x509_crt_t cert,
                                  unsigned int *critical,
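Review bot: gnutls_x509_crt_set_authority_info_access only reads @data, but the new prototype takes it as a mutable `gnutls_datum_t * data`, which forces callers holding a const datum to cast and hides the read-only contract from the header. Since the symbol is declared, defined and exported in this same commit, it can still be declared `const gnutls_datum_t * data);` with no ABI concern; the definition in lib/x509/x509_write.c would change to match.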
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 5849918..519d5fc 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -780,6 +780,7 @@ GNUTLS_3_0_0 {
        gnutls_tdb_set_store_commitment_func;
        gnutls_tdb_set_verify_func;
        gnutls_tdb_deinit;
+       gnutls_x509_crt_set_authority_info_access;
 } GNUTLS_2_12;
 
 GNUTLS_PRIVATE {
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index e21341e..4873d69 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -2422,9 +2422,8 @@ gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq, 
gnutls_privkey_t key,
  * This function will verify self signature in the certificate
  * request and return its status.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
- * %GNUTLS_E_PK_SIG_VERIFY_FAILED if verification failed, otherwise a
- * negative error value.
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED 
+ * is returned, and zero or positive code on success.
  *
  * Since 2.12.0
  **/
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index d98a2b6..fc36e89 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -2585,7 +2585,7 @@ gnutls_x509_crt_get_preferred_hash_algorithm 
(gnutls_x509_crt_t crt,
  * Deprecated. Please use gnutls_pubkey_verify_data().
  *
  * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED 
- * is returned, and a positive code on success.
+ * is returned, and zero or positive code on success.
  **/
 int
 gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, unsigned int flags,
@@ -2623,7 +2623,7 @@ gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, 
unsigned int flags,
  * Deprecated. Please use gnutls_pubkey_verify_data().
  *
  * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED 
- * is returned, and a positive code on success.
+ * is returned, and zero or positive code on success.
  **/
 int
 gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt, unsigned int flags,
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index 4e31493..e2a28c4 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -1337,3 +1337,138 @@ gnutls_x509_crt_privkey_sign (gnutls_x509_crt_t crt, 
gnutls_x509_crt_t issuer,
 
   return 0;
 }
+
+static const char* what_to_oid(int what)
+{
+  switch(what)
+    {
+      case GNUTLS_IA_OCSP_URI:
+        return GNUTLS_OID_AD_OCSP;
+      case GNUTLS_IA_CAISSUERS_URI:
+        return GNUTLS_OID_AD_CAISSUERS;
+      default:
+        return NULL;
+    }
+}
+
+/**
+ * gnutls_x509_crt_set_authority_info_access:
+ * @crt: Holds the certificate
+ * @what: what data to get, a #gnutls_info_access_what_t type.
+ * @data: output data to be freed with gnutls_free().
+ *
+ * This function sets the Authority Information Access (AIA)
+ * extension, see RFC 5280 section 4.2.2.1 for more information.  
+ *
+ * The type of data stored in @data is specified via @what which
+ * should be #gnutls_info_access_what_t values.
+ *
+ * If @what is %GNUTLS_IA_OCSP_URI, @data will hold the OCSP URI.
+ * If @what is %GNUTLS_IA_CAISSUERS_URI, @data will hold the caIssuers
+ * URI.  
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value.
+ *
+ * Since: 3.0
+ **/
+int
+gnutls_x509_crt_set_authority_info_access (gnutls_x509_crt_t crt,
+                                          int what,
+                                          gnutls_datum_t * data)
+{
+  int ret, result;
+  gnutls_datum_t aia = { NULL, 0 };
+  gnutls_datum_t der_data = { NULL, 0 };
+  ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
+  const char* oid;
+  unsigned int c;
+
+  if (crt == NULL)
+    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+  
+  oid = what_to_oid(what);
+  if (oid == NULL)
+    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+  ret = asn1_create_element (_gnutls_get_pkix (),
+                            "PKIX1.AuthorityInfoAccessSyntax", &c2);
+  if (ret != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      return _gnutls_asn2err (ret);
+    }
+
+  ret = _gnutls_x509_crt_get_extension (crt, GNUTLS_OID_AIA, 0, &aia,
+                                       &c);
+  if (ret >= 0) /* decode it */
+    {
+      ret = asn1_der_decoding (&c2, aia.data, aia.size, NULL);
+      if (ret != ASN1_SUCCESS)
+        {
+          gnutls_assert ();
+          ret = _gnutls_asn2err (ret);
+          goto cleanup;
+        }
+    }
+
+  /* generate the extension.
+   */
+  /* 1. create a new element.
+   */
+  result = asn1_write_value (c2, "", "NEW", 1);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      ret = _gnutls_asn2err (result);
+      goto cleanup;
+    }
+
+  /* 2. Add the OID.
+   */
+  result = asn1_write_value (c2, "?LAST.accessMethod", oid, 1);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      ret = _gnutls_asn2err (result);
+      goto cleanup;
+    }
+
+  /* accessLocation is a choice */
+  result = asn1_write_value (c2, "?LAST.accessLocation", 
"uniformResourceIdentifier", 1);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      ret = _gnutls_asn2err (result);
+      goto cleanup;
+    }
+
+  result = asn1_write_value (c2, 
"?LAST.accessLocation.uniformResourceIdentifier", data->data, data->size);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      ret = _gnutls_asn2err (result);
+      goto cleanup;
+    }
+
+  ret = _gnutls_x509_der_encode (c2, "", &der_data, 0);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      goto cleanup;
+    }
+
+  ret = _gnutls_x509_crt_set_extension (crt, GNUTLS_OID_AIA,
+                                        &der_data, 0);
+  if (ret < 0)
+    gnutls_assert ();
+
+  crt->use_extensions = 1;
+
+cleanup:
+  _gnutls_free_datum (&der_data);
+  _gnutls_free_datum(&aia);
+  asn1_delete_structure (&c2);
+  
+  return ret;
+}
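Review bot: @data is dereferenced (data->data, data->size) in the uniformResourceIdentifier write without a NULL check, while @crt is validated at the top, so a caller passing NULL crashes inside the library instead of getting an error; the guard should read `if (crt == NULL || data == NULL) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);`. The docstring was carried over from a getter: @what says "what data to get" and @data says "output data to be freed with gnutls_free()", but here @data is input, so suggest `@what: which access method to set, a #gnutls_info_access_what_t value.` and `@data: the URI to store for that access method; the caller retains ownership.` The "Since: 3.0" tag also disagrees with NEWS in this same commit, which lists the function under 3.0.16. Finally, any negative result from _gnutls_x509_crt_get_extension is treated as "extension absent" and a fresh AIA is written over it; if that helper distinguishes a missing extension from a decode or lookup error, only GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE should take the create-fresh path and other errors should go to cleanup.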
diff --git a/m4/hooks.m4 b/m4/hooks.m4
index cc4d67d..081380f 100644
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -39,9 +39,9 @@ AC_DEFUN([LIBGNUTLS_HOOKS],
   # Interfaces changed/added/removed:   CURRENT++       REVISION=0
   # Interfaces added:                             AGE++
   # Interfaces removed:                           AGE=0
-  AC_SUBST(LT_CURRENT, 34)
-  AC_SUBST(LT_REVISION, 2)
-  AC_SUBST(LT_AGE, 6)
+  AC_SUBST(LT_CURRENT, 35)
+  AC_SUBST(LT_REVISION, 1)
+  AC_SUBST(LT_AGE, 7)
 
   AC_SUBST(LT_SSL_CURRENT, 27)
   AC_SUBST(LT_SSL_REVISION, 2)
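Review bot: LT_REVISION is set to 1 while LT_CURRENT is incremented, but the rule stated in the comment a few lines above says a CURRENT++ bump resets REVISION to 0, so the line should read `AC_SUBST(LT_REVISION, 0)`. If a 3.0.16 tarball already shipped 35:0:7 and this is a deliberate second revision of the same interface set, a one-line comment saying so would stop the next reader from "correcting" it.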
diff --git a/src/certtool-args.def b/src/certtool-args.def
index c9726af..27d14d9 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -616,6 +616,12 @@ signing_key
 #path_len = -1
 #path_len = 2
 
+# OCSP URI
+# ocsp_uri = http://my.ocsp.server/ocsp
+
+# CA issuers URI
+# ca_issuers_uri = http://my.ca.issuer
+
 # Options for proxy certificates
 # proxy_policy_language = 1.3.6.1.5.5.7.21.1
 
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index f92a507..d47ef76 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -88,6 +88,8 @@ typedef struct _cfg_ctx
   int crl_number;
   int crq_extensions;
   char *proxy_policy_language;
+  char **ocsp_uris;
+  char **ca_issuers_uris;
 } cfg_ctx;
 
 cfg_ctx cfg;
@@ -254,6 +256,9 @@ template_parse (const char *template)
   val = optionGetValue(pov, "proxy_policy_language");
   if (val != NULL && val->valType == OPARG_TYPE_STRING)
     cfg.proxy_policy_language = strdup(val->v.strVal);
+
+  READ_MULTI_LINE("ocsp_uri", cfg.ocsp_uris);
+  READ_MULTI_LINE("ca_issuers_uri", cfg.ca_issuers_uris);
   
   READ_BOOLEAN("ca", cfg.ca);
   READ_BOOLEAN("honor_crq_extensions", cfg.crq_extensions);
@@ -704,7 +709,60 @@ get_key_purpose_set (gnutls_x509_crt_t crt)
             }
         }
     }
+}
+
+void
+get_ocsp_issuer_set (gnutls_x509_crt_t crt)
+{
+  int ret, i;
+  gnutls_datum_t uri;
+
+  if (batch)
+    {
+      if (!cfg.ocsp_uris)
+        return;
+      for (i = 0; cfg.ocsp_uris[i] != NULL; i++)
+        {
+          uri.data = cfg.ocsp_uris[i];
+          uri.size = strlen(cfg.ocsp_uris[i]);
+          ret =
+            gnutls_x509_crt_set_authority_info_access (crt, GNUTLS_IA_OCSP_URI,
+                                                       &uri);
+          if (ret < 0)
+            {
+              fprintf (stderr, "set OCSP URI (%s): %s\n",
+                       cfg.ocsp_uris[i], gnutls_strerror (ret));
+              exit (1);
+            }
+        }
+    }
+}
 
+void
+get_ca_issuers_set (gnutls_x509_crt_t crt)
+{
+  int ret, i;
+  gnutls_datum_t uri;
+
+  if (batch)
+    {
+      if (!cfg.ca_issuers_uris)
+        return;
+      for (i = 0; cfg.ca_issuers_uris[i] != NULL; i++)
+        {
+          uri.data = cfg.ca_issuers_uris[i];
+          uri.size = strlen(cfg.ca_issuers_uris[i]);
+          ret =
+            gnutls_x509_crt_set_authority_info_access (crt, 
GNUTLS_IA_CAISSUERS_URI,
+                                                       &uri);
+          if (ret < 0)
+            {
+              fprintf (stderr, "set CA ISSUERS URI (%s): %s\n",
+                       cfg.ca_issuers_uris[i], gnutls_strerror (ret));
+              exit (1);
+            }
+        }
+    }
 }
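Review bot: `uri.data = cfg.ocsp_uris[i];` assigns a `char *` to the `unsigned char *` member of gnutls_datum_t without a cast, which compilers report as an incompatible pointer assignment, and the same line recurs in get_ca_issuers_set; an explicit `(unsigned char *)` cast is needed in both places. Beyond that the two functions are identical except for the config list, the gnutls_info_access_what_t value and the error label, so they read better as one static helper with two one-line wrappers that keep the stderr messages byte for byte. get_key_purpose_set, whose closing lines open this hunk, starts outside it.
```c
/* Adds every URI in @uris to the certificate's AIA extension under the
 * access method @what; @label names the option in the error message.
 * Does nothing outside batch mode or when no URIs were configured. */
static void
set_aia_uris (gnutls_x509_crt_t crt, int what, char **uris, const char *label)
{
  int ret, i;
  gnutls_datum_t uri;

  if (!batch || uris == NULL)
    return;

  for (i = 0; uris[i] != NULL; i++)
    {
      uri.data = (unsigned char *) uris[i];
      uri.size = strlen (uris[i]);
      ret = gnutls_x509_crt_set_authority_info_access (crt, what, &uri);
      if (ret < 0)
        {
          fprintf (stderr, "set %s (%s): %s\n", label, uris[i],
                   gnutls_strerror (ret));
          exit (1);
        }
    }
}

void
get_ocsp_issuer_set (gnutls_x509_crt_t crt)
{
  set_aia_uris (crt, GNUTLS_IA_OCSP_URI, cfg.ocsp_uris, "OCSP URI");
}

void
get_ca_issuers_set (gnutls_x509_crt_t crt)
{
  set_aia_uris (crt, GNUTLS_IA_CAISSUERS_URI, cfg.ca_issuers_uris,
                "CA ISSUERS URI");
}
```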
 
 
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index 9587f86..5181425 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -70,6 +70,8 @@ void get_dns_name_set (int type, void *crt);
 void get_email_set (int type, void *crt);
 int get_ipsec_ike_status (void);
 void get_dc_set (int type, void *crt);
+void get_ca_issuers_set (gnutls_x509_crt_t crt);
+void get_ocsp_issuer_set (gnutls_x509_crt_t crt);
 
 void get_cn_crq_set (gnutls_x509_crq_t crq);
 void get_uid_crq_set (gnutls_x509_crq_t crq);
diff --git a/src/certtool.c b/src/certtool.c
index a8bd26b..df23033 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -584,6 +584,8 @@ generate_certificate (gnutls_privkey_t * ret_key,
                        gnutls_strerror (result));
             }
         }
+      get_ocsp_issuer_set(crt);
+      get_ca_issuers_set(crt);
 
       if (usage != 0)
         {


hooks/post-receive
-- 
GNU gnutls


