
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-87-g13ee3a5


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-87-g13ee3a5
Date: Fri, 12 Oct 2012 17:25:42 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=13ee3a5eecf7131a45d967985e2a2d64ab3ac0a4

The branch, master has been updated
       via  13ee3a5eecf7131a45d967985e2a2d64ab3ac0a4 (commit)
       via  a16d52f0bd0163a9064f56f109d29300cb2e3892 (commit)
       via  4f0d888361475d75d82e68d9351d809cb7f739c5 (commit)
       via  49575ac3dce9c07c5ad6d759adee1eb93253dadd (commit)
       via  b9bde0d74c0c24f2fc04b0f29ce1b553777c0af8 (commit)
       via  048f1431c3cb5e0e4dd3e2154b19f9c4854c5690 (commit)
       via  d72e97c8a4ba9a6767ba61d635dfdf0c4ab52991 (commit)
      from  8d222b51800e1070ff91b53eb2000690d07b1c35 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 13ee3a5eecf7131a45d967985e2a2d64ab3ac0a4
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Oct 12 19:11:34 2012 +0200

    call gnutls_x509_privkey_import_openssl() even without a password.

commit a16d52f0bd0163a9064f56f109d29300cb2e3892
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Oct 12 18:55:11 2012 +0200

    updated makefile

commit 4f0d888361475d75d82e68d9351d809cb7f739c5
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Oct 12 18:42:55 2012 +0200

    Added debugging.

commit 49575ac3dce9c07c5ad6d759adee1eb93253dadd
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Oct 12 18:30:40 2012 +0200

    doc fixes

commit b9bde0d74c0c24f2fc04b0f29ce1b553777c0af8
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Oct 12 17:53:21 2012 +0200

    Added debugging

commit 048f1431c3cb5e0e4dd3e2154b19f9c4854c5690
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Oct 12 17:35:49 2012 +0200

    Added danetool manpage

commit d72e97c8a4ba9a6767ba61d635dfdf0c4ab52991
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Oct 12 17:16:20 2012 +0200

    released 3.1.3

-----------------------------------------------------------------------

Summary of changes:
 NEWS                     |    2 +-
 doc/invoke-danetool.texi |    7 +++-
 doc/latex/Makefile.am    |    5 ++-
 doc/manpages/Makefile.am |    8 +++
 lib/auth/cert.c          |    8 ++-
 lib/gnutls_pubkey.c      |    4 +-
 lib/openpgp/privkey.c    |   11 +++++
 lib/x509/crq.c           |    2 +-
 lib/x509/privkey.c       |    4 +-
 lib/x509/x509.c          |    2 +-
 libdane/dane.c           |  108 ++++++++++++++++++++++++++++++++--------------
 src/danetool-args.c      |    2 +-
 src/danetool-args.def    |    5 ++
 src/danetool-args.h      |    2 +-
 14 files changed, 124 insertions(+), 46 deletions(-)

diff --git a/NEWS b/NEWS
index fe4326a..fc25f54 100644
--- a/NEWS
+++ b/NEWS
@@ -2,7 +2,7 @@ GnuTLS NEWS -- History of user-visible changes.                
-*- outline -*-
 Copyright (C) 2000-2012 Free Software Foundation, Inc.
 See the end for copying conditions.
 
-* Version 3.1.3 (unreleased)
+* Version 3.1.3 (released 2012-10-12)
 
 ** libgnutls: Added support for the OCSP Certificate Status
 extension.
diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi
index 63b90ce..64ee89b 100644
--- a/doc/invoke-danetool.texi
+++ b/doc/invoke-danetool.texi
@@ -7,7 +7,7 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-danetool.texi)
 # 
-# It has been AutoGen-ed  October 12, 2012 at 09:27:38 AM by AutoGen 5.16
+# It has been AutoGen-ed  October 12, 2012 at 05:34:36 PM by AutoGen 5.16
 # From the definitions    ../src/danetool-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -222,3 +222,8 @@ $ certtool --tlsa-rr --host www.example.com 
--load-certificate cert.pem \
   --ca
 @end example
 
+To read a server's DANE TLSA entry, using the dig tool, use:
address@hidden
+$ dig +short TYPE52 _443._tcp.www.example.com
address@hidden example
+
diff --git a/doc/latex/Makefile.am b/doc/latex/Makefile.am
index 5f7b8d6..3d8fc47 100644
--- a/doc/latex/Makefile.am
+++ b/doc/latex/Makefile.am
@@ -7,7 +7,7 @@ GEN_TEX_OBJECTS = cha-preface.tex cha-library.tex 
cha-intro-tls.tex cha-cert-aut
   cha-errors.tex alerts.tex cha-internals.tex cha-gtls-examples.tex 
cha-upgrade.tex \
   invoke-certtool.tex invoke-gnutls-cli.tex invoke-gnutls-serv.tex 
cha-tokens.tex \
   invoke-srptool.tex invoke-psktool.tex invoke-gnutls-cli-debug.tex \
-  invoke-p11tool.tex invoke-ocsptool.tex invoke-tpmtool.tex
+  invoke-p11tool.tex invoke-ocsptool.tex invoke-tpmtool.tex invoke-danetool.tex
 
 invoke-certtool.tex: ../invoke-certtool.texi
        ../scripts/mytexi2latex $< > $@
@@ -24,6 +24,9 @@ invoke-gnutls-cli.tex: ../invoke-gnutls-cli.texi
 invoke-tpmtool.tex: ../invoke-tpmtool.texi
        ../scripts/mytexi2latex $< > $@
 
+invoke-danetool.tex: ../invoke-danetool.texi
+       ../scripts/mytexi2latex $< > $@
+
 invoke-gnutls-serv.tex: ../invoke-gnutls-serv.texi
        ../scripts/mytexi2latex $< > $@
 
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index ab2566a..1ef5a79 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -27,6 +27,9 @@ dist_man_MANS = gnutls-cli.1 gnutls-cli-debug.1 gnutls-serv.1 
\
 if ENABLE_SRP
 dist_man_MANS += srptool.1
 endif
+if ENABLE_DANE
+dist_man_MANS += danetool.1
+endif
 
 # Note that our .def files depend on autogen
 # supporting the @subheading texi keyword. This
@@ -44,6 +47,11 @@ ocsptool.1: ../../src/ocsptool-args.def
        autogen -DMAN_SECTION=1 -Tagman-cmd.tpl "$<".tmp && \
        rm -f "$<".tmp
 
+danetool.1: ../../src/danetool-args.def
+       -sed 's/@subheading \(.*\)/@address@hidden@*/' $< > "$<".tmp && \
+       autogen -DMAN_SECTION=1 -Tagman-cmd.tpl "$<".tmp && \
+       rm -f "$<".tmp
+
 gnutls-cli.1: ../../src/cli-args.def
        -sed 's/@subheading \(.*\)/@address@hidden@*/' $< > "$<".tmp && \
        autogen -DMAN_SECTION=1 -Tagman-cmd.tpl "$<".tmp && \
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 937d9a2..b431b0a 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -856,8 +856,10 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t session,
   gnutls_pcert_st *apr_cert_list;
   gnutls_privkey_t apr_pkey;
   int apr_cert_list_length;
+  unsigned int subkey;
   uint8_t type;
   uint8_t fpr[20];
+  char buf[2*GNUTLS_OPENPGP_KEYID_SIZE+1];
   size_t fpr_size;
 
   /* find the appropriate certificate */
@@ -871,18 +873,18 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t session,
 
   ret = 3 + 1 + 3;
 
-
-
   if (apr_cert_list_length > 0)
     {
       fpr_size = sizeof (fpr);
       ret =
         gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey, 0, fpr,
-                                          &fpr_size, NULL);
+                                          &fpr_size, &subkey);
       if (ret < 0)
         return gnutls_assert_val (ret);
 
       ret += 1 + fpr_size;    /* for the keyid */
+      _gnutls_handshake_log("Sending PGP key ID %s (%s)\n", 
_gnutls_bin2hex(fpr, GNUTLS_OPENPGP_KEYID_SIZE, buf, sizeof(buf), NULL), 
+                        subkey?"subkey":"master");
 
       ret += apr_cert_list[0].cert.size;
     }
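Review bot: The new log call hex-dumps a fixed GNUTLS_OPENPGP_KEYID_SIZE bytes of `fpr`, while the size the call actually reported is `fpr_size` (which is what the length computation on the preceding line uses); if the two ever disagree, the dump could read uninitialised bytes of the 20-byte `fpr` array. Tie the dump to the reported size, e.g. `_gnutls_bin2hex(fpr, fpr_size < GNUTLS_OPENPGP_KEYID_SIZE ? fpr_size : GNUTLS_OPENPGP_KEYID_SIZE, buf, sizeof(buf), NULL)`, so `buf` cannot be overrun either. The trailing space after the comma on the log line should also go. _gnutls_gen_openpgp_certificate continues beyond the hunk.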
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index 253b722..e9dbcbe 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -421,7 +421,7 @@ gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,
  * @subkey: Will be non zero if the key ID corresponds to a subkey
  *
  * This function returned the OpenPGP key ID of the corresponding key.
- * The key is a unique ID the depends on the public
+ * The key is a unique ID that depends on the public
  * key parameters. 
  *
  * If the buffer provided is not long enough to hold the output, then
@@ -678,7 +678,7 @@ cleanup:
  * @output_data_size: holds the size of output_data (and will be
  *   replaced by the actual size of parameters)
  *
- * This function will return a unique ID the depends on the public
+ * This function will return a unique ID that depends on the public
  * key parameters. This ID can be used in checking whether a
  * certificate corresponds to the given public key.
  *
diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c
index 77ef7b4..93fd683 100644
--- a/lib/openpgp/privkey.c
+++ b/lib/openpgp/privkey.c
@@ -1336,6 +1336,7 @@ gnutls_openpgp_privkey_sign_hash 
(gnutls_openpgp_privkey_t key,
   gnutls_pk_params_st params;
   int pk_algorithm;
   uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
+  char buf[2*GNUTLS_OPENPGP_KEYID_SIZE+1];
 
   if (key == NULL)
     {
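Review bot: `buf` is declared at function scope in both `gnutls_openpgp_privkey_sign_hash` and `_gnutls_openpgp_privkey_decrypt_data` but is used only inside the subkey branch that logs the key ID; declaring it next to `kid` in that branch keeps the hex buffer out of the master-key path and avoids an unused-variable warning should the logging macro ever compile to nothing. The blank line added after `KEYID_IMPORT` in the following hunk carries trailing whitespace. Both functions extend beyond the hunks shown.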
@@ -1350,6 +1351,8 @@ gnutls_openpgp_privkey_sign_hash 
(gnutls_openpgp_privkey_t key,
       int idx;
 
       KEYID_IMPORT (kid, keyid);
+      
+      _gnutls_hard_log("Signing using PGP key ID %s\n", _gnutls_bin2hex(keyid, 
GNUTLS_OPENPGP_KEYID_SIZE, buf, sizeof(buf), NULL));
 
       idx = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
       pk_algorithm =
@@ -1359,6 +1362,8 @@ gnutls_openpgp_privkey_sign_hash 
(gnutls_openpgp_privkey_t key,
     }
   else
     {
+      _gnutls_hard_log("Signing using master PGP key\n");
+
       pk_algorithm = gnutls_openpgp_privkey_get_pk_algorithm (key, NULL);
       result = _gnutls_openpgp_privkey_get_mpis (key, NULL, &params);
     }
@@ -1408,6 +1413,7 @@ _gnutls_openpgp_privkey_decrypt_data 
(gnutls_openpgp_privkey_t key,
   gnutls_pk_params_st params;
   int pk_algorithm;
   uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
+  char buf[2*GNUTLS_OPENPGP_KEYID_SIZE+1];
 
   if (key == NULL)
     {
@@ -1421,6 +1427,9 @@ _gnutls_openpgp_privkey_decrypt_data 
(gnutls_openpgp_privkey_t key,
       uint32_t kid[2];
 
       KEYID_IMPORT (kid, keyid);
+
+      _gnutls_hard_log("Decrypting using PGP key ID %s\n", 
_gnutls_bin2hex(keyid, GNUTLS_OPENPGP_KEYID_SIZE, buf, sizeof(buf), NULL));
+
       result = _gnutls_openpgp_privkey_get_mpis (key, kid, &params);
 
       i = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
@@ -1429,6 +1438,8 @@ _gnutls_openpgp_privkey_decrypt_data 
(gnutls_openpgp_privkey_t key,
     }
   else
     {
+      _gnutls_hard_log("Decrypting using master PGP key\n");
+
       pk_algorithm = gnutls_openpgp_privkey_get_pk_algorithm (key, NULL);
 
       result = _gnutls_openpgp_privkey_get_mpis (key, NULL, &params);
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index 28c9d70..19a7b68 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -2359,7 +2359,7 @@ gnutls_x509_crq_set_key_purpose_oid (gnutls_x509_crq_t 
crq,
  * @output_data_size: holds the size of output_data (and will be
  *   replaced by the actual size of parameters)
  *
- * This function will return a unique ID the depends on the public key
+ * This function will return a unique ID that depends on the public key
  * parameters.  This ID can be used in checking whether a certificate
  * corresponds to the given private key.
  *
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index c5738fd..2b91e70 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -601,7 +601,7 @@ gnutls_x509_privkey_import2 (gnutls_x509_privkey_t key,
       ret = gnutls_x509_privkey_import_pkcs8(key, data, format, password, 
flags);
       if (ret < 0)
         {
-          if (format == GNUTLS_X509_FMT_PEM && password != NULL)
+          if (format == GNUTLS_X509_FMT_PEM)
             {
               int err;
               err = gnutls_x509_privkey_import_openssl(key, data, password);
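Review bot: Dropping the `password != NULL` guard means `gnutls_x509_privkey_import_openssl()` is now reached with a NULL password whenever the PKCS#8 import fails, so that importer must treat NULL as "unencrypted keys only" and fail cleanly, rather than dereference it, when the PEM carries an encryption header; the callee is not in this hunk, so that contract cannot be confirmed here. A one-line comment above the call would make the new assumption explicit: `/* password may be NULL: the OpenSSL importer must then accept only unencrypted keys */`. gnutls_x509_privkey_import2 continues beyond the hunk, including the decision of whether `ret` or `err` is finally returned.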
@@ -1537,7 +1537,7 @@ gnutls_x509_privkey_verify_params (gnutls_x509_privkey_t 
key)
  * @output_data_size: holds the size of output_data (and will be
  *   replaced by the actual size of parameters)
  *
- * This function will return a unique ID the depends on the public key
+ * This function will return a unique ID that depends on the public key
  * parameters. This ID can be used in checking whether a certificate
  * corresponds to the given key.
  *
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 308047f..1549eda 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -2415,7 +2415,7 @@ cleanup:
  * @output_data_size: holds the size of output_data (and will be
  *   replaced by the actual size of parameters)
  *
- * This function will return a unique ID the depends on the public
+ * This function will return a unique ID that depends on the public
  * key parameters. This ID can be used in checking whether a
  * certificate corresponds to the given private key.
  *
diff --git a/libdane/dane.c b/libdane/dane.c
index 0596f8e..052a0fa 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -35,6 +35,19 @@
 
 #define MAX_DATA_ENTRIES 4
 
+#ifdef DEBUG
+# define gnutls_assert() fprintf(stderr, "ASSERT: %s: %d\n", __FILE__, 
__LINE__);
+# define gnutls_assert_val(x) gnutls_assert_val_int(x, __FILE__, __LINE__)
+static int gnutls_assert_val_int (int val, const char *file, int line)
+{
+  fprintf(stderr, "ASSERT: %s: %d\n", file, line);
+  return val;
+}
+#else
+# define gnutls_assert()
+# define gnutls_assert_val(x) (x)
+#endif
+
 struct dane_state_st
 {
        struct ub_ctx* ctx;
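Review bot: The DEBUG definition of `gnutls_assert()` ends with a semicolon inside the macro, so every call site expands to `fprintf(...);;` and an unbraced `if (c) gnutls_assert(); else ...` would compile only in non-DEBUG builds. Define it without the trailing semicolon, `# define gnutls_assert() fprintf(stderr, "ASSERT: %s: %d\n", __FILE__, __LINE__)`, or wrap it in `do { ... } while (0)`, so it behaves like the empty expansion below. The names also shadow libgnutls's own `gnutls_assert` helpers; a `dane_`-prefixed name would avoid redefinition trouble if this file ever pulls in a libgnutls internal header.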
@@ -100,7 +113,7 @@ int dane_query_data(dane_query_t q, unsigned int idx,
                        unsigned int *match, gnutls_datum_t * data)
 {
        if (idx >= q->data_entries)
-               return DANE_E_REQUESTED_DATA_NOT_AVAILABLE;
+               return gnutls_assert_val(DANE_E_REQUESTED_DATA_NOT_AVAILABLE);
 
        if (usage)
                *usage = q->usage[idx];
@@ -133,10 +146,11 @@ int dane_state_init(dane_state_t* s, unsigned int flags)
 
        *s = calloc(1, sizeof(struct dane_state_st));
        if (*s == NULL)
-               return DANE_E_MEMORY_ERROR;
+               return gnutls_assert_val(DANE_E_MEMORY_ERROR);
 
        ctx = ub_ctx_create();
        if(!ctx) {
+                gnutls_assert();
                ret = DANE_E_INITIALIZATION_ERROR;
                goto cleanup;
        }
@@ -144,11 +158,13 @@ int dane_state_init(dane_state_t* s, unsigned int flags)
 
        if (!(flags & DANE_F_IGNORE_LOCAL_RESOLVER)) {
                if( (ret=ub_ctx_resolvconf(ctx, NULL)) != 0) {
+                       gnutls_assert();
                        ret = DANE_E_INITIALIZATION_ERROR;
                        goto cleanup;
                }
 
                if( (ret=ub_ctx_hosts(ctx, NULL)) != 0) {
+                       gnutls_assert();
                        ret = DANE_E_INITIALIZATION_ERROR;
                        goto cleanup;
                }
@@ -156,6 +172,7 @@ int dane_state_init(dane_state_t* s, unsigned int flags)
 
        /* read public keys for DNSSEC verification */
        if( (ret=ub_ctx_add_ta_file(ctx, (char*)UNBOUND_ROOT_KEY_FILE)) != 0) {
+               gnutls_assert();
                ret = DANE_E_INITIALIZATION_ERROR;
                goto cleanup;
        }
@@ -222,19 +239,19 @@ int dane_query_tlsa(dane_state_t s, dane_query_t *r, 
const char* host, const cha
 
        *r = calloc(1, sizeof(struct dane_query_st));
        if (*r == NULL)
-               return DANE_E_MEMORY_ERROR;
+               return gnutls_assert_val(DANE_E_MEMORY_ERROR);
 
        snprintf(ns, sizeof(ns), "_%u._%s.%s", port, proto, host);
 
        /* query for webserver */
        ret = ub_resolve(s->ctx, ns, 52, 1, &(*r)->result);
        if(ret != 0) {
-               return DANE_E_RESOLVING_ERROR;
+               return gnutls_assert_val(DANE_E_RESOLVING_ERROR);
        }
 
 /* show first result */
        if(!(*r)->result->havedata) {
-               return DANE_E_NO_DANE_DATA;
+               return gnutls_assert_val(DANE_E_NO_DANE_DATA);
        }
 
        i = 0;
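Review bot: The two early returns at the resolving-error and no-data checks still leave `*r` pointing at the struct calloc'd a few lines earlier (and, in the second case, at a live ub result), so a caller that receives an error has no safe way to release it; free it before returning, e.g. `free(*r); *r = NULL;` (after `ub_resolve_free` on the result where one exists), or route both through a cleanup label. The DANE_E_RECEIVED_CORRUPT_DATA return in the next hunk has the same problem. Separately, the `snprintf` building `ns` is unchecked: if `ns` is a fixed-size buffer (it is declared above the hunk), a long `host` silently truncates and the lookup goes to a different name, so compare the return value against `sizeof(ns)` and fail with DANE_E_INVALID_REQUEST on truncation.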
@@ -243,7 +260,7 @@ int dane_query_tlsa(dane_state_t s, dane_query_t *r, const 
char* host, const cha
                if ((*r)->result->len[i] > 3)
                        ret = DANE_E_SUCCESS;
                else {
-                       return DANE_E_RECEIVED_CORRUPT_DATA;
+                       return gnutls_assert_val(DANE_E_RECEIVED_CORRUPT_DATA);
                }
        
                (*r)->usage[i] = (*r)->result->data[i][0];
@@ -258,17 +275,21 @@ int dane_query_tlsa(dane_state_t s, dane_query_t *r, 
const char* host, const cha
 
        if (!(*r)->result->secure) {
                if ((*r)->result->bogus)
-                       ret = DANE_E_INVALID_DNSSEC_SIG;
+                       ret = gnutls_assert_val(DANE_E_INVALID_DNSSEC_SIG);
                else
-                       ret = DANE_E_NO_DNSSEC_SIG;
+                       ret = gnutls_assert_val(DANE_E_NO_DNSSEC_SIG);
        }
 
        /* show security status */
-       if ((*r)->result->secure)
+       if ((*r)->result->secure) {
                (*r)->status = DANE_QUERY_DNSSEC_VERIFIED;
-       else if ((*r)->result->bogus)
+       } else if ((*r)->result->bogus) {
+               gnutls_assert();
                (*r)->status = DANE_QUERY_BOGUS;
-       else (*r)->status = DANE_QUERY_NO_DNSSEC;
+       } else {
+               gnutls_assert();
+               (*r)->status = DANE_QUERY_NO_DNSSEC;
+        }
 
        return ret;
 }
@@ -281,40 +302,40 @@ int ret;
 
        if (match == DANE_MATCH_EXACT) {
                if (raw1->size != raw2->size)
-                       return 0;
+                       return gnutls_assert_val(0);
 
                if (memcmp(raw1->data, raw2->data, raw1->size) != 0)
-                       return 0;
+                       return gnutls_assert_val(0);
                
                return 1;
        } else if (match == DANE_MATCH_SHA2_256) {
 
                if (raw2->size != 32)
-                       return 0;
+                       return gnutls_assert_val(0);
                
                ret = gnutls_hash_fast(GNUTLS_DIG_SHA256, raw1->data, 
raw1->size, digest);
                if (ret < 0)
-                       return 0;
+                       return gnutls_assert_val(0);
 
                if (memcmp(digest, raw2->data, 32) != 0)
-                       return 0;
+                       return gnutls_assert_val(0);
                
                return 1;
        } else if (match == DANE_MATCH_SHA2_512) {
                if (raw2->size != 64)
-                       return 0;
+                       return gnutls_assert_val(0);
                
                ret = gnutls_hash_fast(GNUTLS_DIG_SHA512, raw1->data, 
raw1->size, digest);
                if (ret < 0)
-                       return 0;
+                       return gnutls_assert_val(0);
                
                if (memcmp(digest, raw2->data, 64) != 0)
-                       return 0;
+                       return gnutls_assert_val(0);
                
                return 1;
        }
        
-       return 0;
+       return gnutls_assert_val(0);
 }
 
 static int crt_to_pubkey(const gnutls_datum_t *raw_crt, gnutls_datum_t * out)
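Review bot: Wrapping every `return 0` in `matches()` with `gnutls_assert_val(0)` turns an ordinary mismatch into an "ASSERT" line on stderr in DEBUG builds, although a non-matching TLSA record is a normal outcome when a host publishes several records. Reserve the wrapper for the genuine failures, the `ret < 0` hash errors and the final unknown-match fallthrough, and keep plain `return 0;` for the size and `memcmp` mismatches. The function signature and the `digest` buffer are declared above the hunk.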
@@ -327,28 +348,32 @@ int ret;
 
        ret = gnutls_x509_crt_init(&crt);
        if (ret < 0)
-               return DANE_E_PUBKEY_ERROR;
+               return gnutls_assert_val(DANE_E_PUBKEY_ERROR);
 
        ret = gnutls_pubkey_init( &pub);
        if (ret < 0) {
+               gnutls_assert();
                ret = DANE_E_PUBKEY_ERROR;
                goto cleanup;
        }
                
        ret = gnutls_x509_crt_import(crt, raw_crt, GNUTLS_X509_FMT_DER);
        if (ret < 0) {
+               gnutls_assert();
                ret = DANE_E_PUBKEY_ERROR;
                goto cleanup;
        }
 
        ret = gnutls_pubkey_import_x509(pub, crt, 0);
        if (ret < 0) {
+               gnutls_assert();
                ret = DANE_E_PUBKEY_ERROR;
                goto cleanup;
        }
 
        ret = gnutls_pubkey_export2(pub, GNUTLS_X509_FMT_DER, out);
        if (ret < 0) {
+               gnutls_assert();
                ret = DANE_E_PUBKEY_ERROR;
                goto cleanup;
        }
@@ -377,20 +402,26 @@ gnutls_datum_t pubkey = {NULL, 0};
 int ret;
 
        if (raw_crt_size < 2)
-               return DANE_E_INVALID_REQUEST;
+               return gnutls_assert_val(DANE_E_INVALID_REQUEST);
 
        if (ctype == DANE_CERT_X509 && crt_type == GNUTLS_CRT_X509) {
        
-               if (!matches(&raw_crt[1], data, match))
+               if (!matches(&raw_crt[1], data, match)) {
+                       gnutls_assert();
                        *verify |= DANE_VERIFY_CA_CONSTRAINS_VIOLATED;
+                }
 
        } else if (ctype == DANE_CERT_PK && crt_type == GNUTLS_CRT_X509) {
                ret = crt_to_pubkey(&raw_crt[1], &pubkey);
-               if (ret < 0)
+               if (ret < 0) {
+                       gnutls_assert();
                        goto cleanup;
+                }
 
-               if (!matches(&pubkey, data, match))
+               if (!matches(&pubkey, data, match)) {
+                        gnutls_assert();
                        *verify |= DANE_VERIFY_CA_CONSTRAINS_VIOLATED;
+                }
        }
 
        ret = 0;
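Review bot: For the CA usages only `raw_crt[1]`, the immediate issuer, is compared against the TLSA data, whereas RFC 6698 usages 0 and 2 are satisfied by any CA certificate in the validated path, so a record published for a higher-level CA is reported as DANE_VERIFY_CA_CONSTRAINS_VIOLATED here. If that narrowing is intentional it deserves a comment; otherwise the match should iterate over `raw_crt[1]` through `raw_crt[raw_crt_size-1]` and flag a violation only when none matches. verify_ca's signature and cleanup path are outside the hunk.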
@@ -408,17 +439,23 @@ int ret;
 
        if (ctype == DANE_CERT_X509 && crt_type == GNUTLS_CRT_X509) {
 
-               if (!matches(raw_crt, data, match))
+               if (!matches(raw_crt, data, match)) {
+                       gnutls_assert();
                        *verify |= DANE_VERIFY_CERT_DIFFERS;
+                }
 
        } else if (ctype == DANE_CERT_PK && crt_type == GNUTLS_CRT_X509) {
 
                ret = crt_to_pubkey(raw_crt, &pubkey);
-               if (ret < 0)
+               if (ret < 0) {
+                       gnutls_assert();
                        goto cleanup;
+                }
 
-               if (!matches(&pubkey, data, match))
+               if (!matches(&pubkey, data, match)) {
+                       gnutls_assert();
                        *verify |= DANE_VERIFY_CERT_DIFFERS;
+                }
        }
 
        ret = 0;
@@ -471,13 +508,14 @@ unsigned int usage, type, match, idx;
 gnutls_datum_t data;
        
        if (chain_type != GNUTLS_CRT_X509)
-               return DANE_E_INVALID_REQUEST;
+               return gnutls_assert_val(DANE_E_INVALID_REQUEST);
        
        *verify = 0;
        
        if (s == NULL) {
                ret = dane_state_init(&_s, sflags);
                if (ret < 0) {
+                       gnutls_assert();
                        return ret;
                }
        } else
@@ -485,6 +523,7 @@ gnutls_datum_t data;
        
        ret = dane_query_tlsa(_s, &r, hostname, proto, port);
        if (ret < 0) {
+               gnutls_assert();
                goto cleanup;
        }
 
@@ -495,18 +534,23 @@ gnutls_datum_t data;
                        break;
 
                if (ret < 0) {
+                       gnutls_assert();
                        goto cleanup;
                }
        
                if (usage == DANE_CERT_USAGE_LOCAL_CA || usage == 
DANE_CERT_USAGE_CA) {
                        ret = verify_ca(chain, chain_size, chain_type, type, 
match, &data, verify);
-                       if (ret < 0)
+                       if (ret < 0) {
+                               gnutls_assert();
                                goto cleanup;
+                        }
                
                } else if (usage == DANE_CERT_USAGE_LOCAL_EE || usage == 
DANE_CERT_USAGE_EE) {
                        ret = verify_ee(&chain[0], chain_type, type, match, 
&data, verify);
-                       if (ret < 0)
+                       if (ret < 0) {
+                               gnutls_assert();
                                goto cleanup;
+                        }
                }
        } while(1);
 
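Review bot: Each TLSA record is verified independently and the failure bits are OR-ed into `*verify`, so when a host publishes several records (the normal case during a key or CA rollover) a record that does not match sets DANE_VERIFY_CERT_DIFFERS or DANE_VERIFY_CA_CONSTRAINS_VIOLATED even though another record matched; as far as the visible loop shows, verification can only succeed when every record matches. The usual DANE semantics is that one matching record suffices, so the loop should track whether any record verified cleanly and report the failure bits only when none did. dane_verify_crt continues outside the hunk, including the `break` condition that ends the loop.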
@@ -550,7 +594,7 @@ unsigned int type;
 
        cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
        if (cert_list_size == 0) {
-               return DANE_E_NO_CERT;
+               return gnutls_assert_val(DANE_E_NO_CERT);
        }
        
        type = gnutls_certificate_type_get(session);
diff --git a/src/danetool-args.c b/src/danetool-args.c
index c89443c..826691a 100644
--- a/src/danetool-args.c
+++ b/src/danetool-args.c
@@ -2,7 +2,7 @@
  *  
  *  DO NOT EDIT THIS FILE   (danetool-args.c)
  *  
- *  It has been AutoGen-ed  October 12, 2012 at 09:16:57 AM by AutoGen 5.16
+ *  It has been AutoGen-ed  October 12, 2012 at 05:34:29 PM by AutoGen 5.16
  *  From the definitions    danetool-args.def
  *  and the template file   options
  *
diff --git a/src/danetool-args.def b/src/danetool-args.def
index 0e8f74f..d13e52a 100644
--- a/src/danetool-args.def
+++ b/src/danetool-args.def
@@ -144,6 +144,11 @@ In order to create a record for the signer of your 
certificate use:
 $ certtool --tlsa-rr --host www.example.com --load-certificate cert.pem \
   --ca
 @end example
+
+To read a server's DANE TLSA entry, using the dig tool, use:
address@hidden
+$ dig +short TYPE52 _443._tcp.www.example.com
address@hidden example
 _EOT_;
 };
 
diff --git a/src/danetool-args.h b/src/danetool-args.h
index cb4ad97..cb2bf75 100644
--- a/src/danetool-args.h
+++ b/src/danetool-args.h
@@ -2,7 +2,7 @@
  *  
  *  DO NOT EDIT THIS FILE   (danetool-args.h)
  *  
- *  It has been AutoGen-ed  October 12, 2012 at 09:16:57 AM by AutoGen 5.16
+ *  It has been AutoGen-ed  October 12, 2012 at 05:34:29 PM by AutoGen 5.16
  *  From the definitions    danetool-args.def
  *  and the template file   options
  *


hooks/post-receive
-- 
GNU gnutls


