[SCM] GNU gnutls branch, master, updated. gnutls_3_1_3-9-g524b5e8
From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_3-9-g524b5e8
Date: Sat, 13 Oct 2012 21:19:43 +0000
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=524b5e837d533407dc27a4851b17ed86a57cdabf
The branch, master has been updated
via 524b5e837d533407dc27a4851b17ed86a57cdabf (commit)
via 1fb4b204e138fe0d42c4ae042d9d9c07cba03d82 (commit)
via dd77bd8f7fe31caa8bee4882e88086b2e643201a (commit)
via 515a055d1ec7a59e8a6d6de4a349a639e8f11447 (commit)
via bd8a9c7479019b8758f6cd3d062b57d25b1afe11 (commit)
from 21dce46c4c33fb29dd5784044187d180e448151d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 524b5e837d533407dc27a4851b17ed86a57cdabf
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Oct 13 23:19:33 2012 +0200
documented fix
commit 1fb4b204e138fe0d42c4ae042d9d9c07cba03d82
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Oct 13 23:17:33 2012 +0200
Added priority string %VERIFY_DISABLE_CRL_CHECKS.
commit dd77bd8f7fe31caa8bee4882e88086b2e643201a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Oct 13 23:04:36 2012 +0200
If OCSP revocation data are invalid or too old, set appropriate verification flags.
commit 515a055d1ec7a59e8a6d6de4a349a639e8f11447
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Oct 13 22:44:14 2012 +0200
doc updates
commit bd8a9c7479019b8758f6cd3d062b57d25b1afe11
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Oct 13 22:34:03 2012 +0200
removed incorrect description
-----------------------------------------------------------------------
Summary of changes:
NEWS | 10 +++++++-
doc/cha-cert-auth2.texi | 5 ++++
doc/cha-gtls-app.texi | 3 ++
doc/cha-intro-tls.texi | 14 +++++++----
doc/invoke-certtool.texi | 2 +-
doc/invoke-danetool.texi | 2 +-
lib/gnutls_priority.c | 6 ++++
lib/gnutls_x509.c | 50 +++++++++++++++++++++------------------
lib/includes/gnutls/gnutls.h.in | 8 ++++-
lib/includes/gnutls/x509.h | 2 +-
src/certtool-args.c | 6 ++--
src/certtool-args.def | 2 +-
src/certtool-args.h | 2 +-
src/common.c | 4 +++
src/danetool-args.c | 6 ++--
src/danetool-args.def | 2 +-
src/danetool-args.h | 2 +-
17 files changed, 82 insertions(+), 44 deletions(-)
diff --git a/NEWS b/NEWS
index ce32bf7..206dc0c 100644
--- a/NEWS
+++ b/NEWS
@@ -4,10 +4,18 @@ See the end for copying conditions.
* Version 3.1.4 (unreleased)
+** libgnutls: gnutls_certificate_verify_peers2() will set flags depending on
+the available revocation data validity.
+
+** libgnutls: Added priority string %VERIFY_DISABLE_CRL_CHECKS.
+
** gnutls-cli: Added --local-dns option.
+** danetool: Corrected bug that prevented loading PEM files.
+
** API and ABI modifications:
-No changes since last version.
+GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added.
+GNUTLS_CERT_REVOCATION_DATA_INVALID: Added.
* Version 3.1.3 (released 2012-10-12)
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index fe10087..e34f0a4 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -153,6 +153,11 @@ identity of a peer will verify the certificate against a
set of
trusted certificates and then check whether the certificate is listed
in a CRL and/or perform an OCSP check for the certificate.
+Note that in the context of a TLS session the server may provide an
+OCSP response that will used during the TLS certificate verification
+(see @funcref{gnutls_certificate_verify_peers2}).
+You may obtain this response using @funcref{gnutls_ocsp_status_request_get}.
+
Before performing the OCSP query, the application will need to figure
out the address of the OCSP server. The OCSP server address can be
provided by the local user in manual configuration or may be stored
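Review bot: typo in the added paragraph: "an OCSP response that will used during the TLS certificate verification" is missing a verb; suggest "that will be used during the TLS certificate verification".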
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 8bd5d92..e603866 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1033,6 +1033,9 @@ causes interoperability problems, but is required for
full protection.
@item %VERIFY_ALLOW_SIGN_RSA_MD5 @tab
will allow RSA-MD5 signatures in certificate chains.
address@hidden %VERIFY_DISABLE_CRL_CHECKS @tab
+will disable CRL or OCSP checks in the verification of the certificate chain.
+
@item %VERIFY_ALLOW_X509_V1_CA_CRT @tab
will allow V1 CAs in chains.
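Review bot: the new %VERIFY_DISABLE_CRL_CHECKS row says what the string does but not its consequence: with it set, a revoked certificate is accepted whenever the chain otherwise verifies, because both the CRL check and the stapled-OCSP check are skipped. The neighbouring verify-flag documentation in x509.h (see that hunk below) carries "Don't set this unless you understand the security implications"; suggest the same sentence here, since priority strings are often set from configuration files by people who never read x509.h.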
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index bf9f174..3329da9 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -576,13 +576,17 @@ to connect to the server's CA OCSP server and request the
status of the
certificate. This extension however, enables a TLS server to include
its CA OCSP server response in the handshake. That is an HTTPS server
may periodically run @code{ocsptool} (see @ref{ocsptool Invocation}) to obtain
-its certificate revocation status and serve it to the clients. This
-reduces the number of connections a client needs to perform to access a
-secure server.
+its certificate revocation status and serve it to the clients. That
+way a client avoids an additional connection to the OCSP server.
address@hidden,gnutls_certificate_set_ocsp_status_request_file}
address@hidden,gnutls_certificate_set_ocsp_status_request_file,gnutls_ocsp_status_request_enable_client}
address@hidden
+A server is required to provide the OCSP server's response using the
@funcref{gnutls_certificate_set_ocsp_status_request_file}.
+The response may be obtained periodically using the following command.
address@hidden example
+ocsptool --ask --load-cert server_cert.pem --load-issuer the_issuer.pem
+ --load-signer the_issuer.pem --outfile ocsp.response
address@hidden example
Since version 3.1.3 GnuTLS clients transparently support the certificate status
request.
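Review bot: "A server is required to provide the OCSP server's response using the @funcref{...}" reads as if stapling were mandatory, while the surrounding text describes an optional extension; suggest "A server that wants to provide the OCSP response does so using @funcref{gnutls_certificate_set_ocsp_status_request_file}" (which also drops the stray "the" before @funcref). "Periodically" in the next sentence could be made concrete: the client side in lib/gnutls_x509.c (MAX_OCSP_VALIDITY_SECS, three days) starts flagging a response once its nextUpdate is that far in the past, so operators should re-run the ocsptool command before nextUpdate expires.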
diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi
index 56dfb14..044c3ab 100644
--- a/doc/invoke-certtool.texi
+++ b/doc/invoke-certtool.texi
@@ -7,7 +7,7 @@
#
# DO NOT EDIT THIS FILE (invoke-certtool.texi)
#
-# It has been AutoGen-ed October 12, 2012 at 09:21:29 AM by AutoGen 5.16
+# It has been AutoGen-ed October 13, 2012 at 10:33:53 PM by AutoGen 5.16
# From the definitions ../src/certtool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi
index 3a222d9..667e6a0 100644
--- a/doc/invoke-danetool.texi
+++ b/doc/invoke-danetool.texi
@@ -7,7 +7,7 @@
#
# DO NOT EDIT THIS FILE (invoke-danetool.texi)
#
-# It has been AutoGen-ed October 12, 2012 at 07:55:39 PM by AutoGen 5.16
+# It has been AutoGen-ed October 13, 2012 at 10:33:54 PM by AutoGen 5.16
# From the definitions ../src/danetool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 9c0eed9..b6649ca 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -996,6 +996,12 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
}
else if (strcasecmp (&broken_list[i][1],
+ "VERIFY_DISABLE_CRL_CHECKS") == 0)
+ {
+ (*priority_cache)->additional_verify_flags |=
+ GNUTLS_VERIFY_DISABLE_CRL_CHECKS;
+ }
+ else if (strcasecmp (&broken_list[i][1],
"SSL3_RECORD_VERSION") == 0)
(*priority_cache)->ssl3_record_version = 1;
else if (strcasecmp (&broken_list[i][1],
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 309b267..19e6c73 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -88,15 +88,15 @@ check_bits (gnutls_session_t session, gnutls_x509_crt_t
crt, unsigned int max_bi
/* three days */
#define MAX_OCSP_VALIDITY_SECS (3*60*60*24)
-/* Returns:
- * -1: certificate is revoked
- * 1: certificate is ok
- * 0: dunno
+/* If the certificate is revoked status will be GNUTLS_CERT_REVOKED.
+ *
+ * Returns:
+ * Zero on success, a negative error code otherwise.
*/
static int
check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert,
gnutls_x509_crt_t issuer,
- gnutls_datum_t *data)
+ gnutls_datum_t *data, unsigned int * ostatus)
{
gnutls_ocsp_resp_t resp;
int ret;
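Review bot: the rewritten comment on check_ocsp_response only mentions GNUTLS_CERT_REVOKED, but the later hunks in this file also OR GNUTLS_CERT_REVOCATION_DATA_INVALID and GNUTLS_CERT_REVOCATION_DATA_TOO_OLD into *ostatus; list all three, and state that ostatus must point to an initialised value because the bits are ORed in rather than assigned.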
@@ -107,23 +107,22 @@ check_ocsp_response (gnutls_session_t session,
gnutls_x509_crt_t cert,
ret = gnutls_ocsp_resp_init (&resp);
if (ret < 0)
- return gnutls_assert_val(0);
+ return gnutls_assert_val(ret);
ret = gnutls_ocsp_resp_import (resp, data);
if (ret < 0)
- return gnutls_assert_val(0);
+ return gnutls_assert_val(ret);
ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
if (ret < 0)
{
- _gnutls_audit_log (session, "Got OCSP response on an unrelated
certificate (ignoring)\n");
- ret = 0;
+ _gnutls_audit_log (session, "Got OCSP response on an unrelated
certificate.\n");
goto cleanup;
}
ret = gnutls_ocsp_resp_verify_direct( resp, issuer, &status, 0);
if (ret < 0)
- return gnutls_assert_val(0);
+ return gnutls_assert_val(ret);
/* do not consider revocation data if response was not verified */
if (status != 0)
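Review bot: resource leak: once gnutls_ocsp_resp_init has succeeded, the `return gnutls_assert_val(ret);` after gnutls_ocsp_resp_import and the one after gnutls_ocsp_resp_verify_direct exit without calling gnutls_ocsp_resp_deinit (resp); both should `goto cleanup` with the negative ret preserved, as the unrelated-certificate branch in this same hunk now does. The leak predates this change (the old `return gnutls_assert_val(0)` had it too), but every one of those lines is being touched here, so this is the moment to fix it.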
@@ -137,13 +136,15 @@ check_ocsp_response (gnutls_session_t session,
gnutls_x509_crt_t cert,
if (ret < 0)
{
ret = gnutls_assert_val(0);
+ *ostatus |= GNUTLS_CERT_REVOCATION_DATA_INVALID;
goto cleanup;
}
if (cert_status == GNUTLS_OCSP_CERT_REVOKED)
{
_gnutls_audit_log(session, "The certificate was revoked via OCSP\n");
- ret = gnutls_assert_val(-1);
+ *ostatus |= GNUTLS_CERT_REVOKED;
+ ret = gnutls_assert_val(0);
goto cleanup;
}
@@ -160,10 +161,12 @@ check_ocsp_response (gnutls_session_t session,
gnutls_x509_crt_t cert,
if (ntime < now)
{
_gnutls_audit_log(session, "There is a newer OCSP response but was
not provided by the server\n");
+ if (now-ntime > MAX_OCSP_VALIDITY_SECS)
+ *ostatus |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
}
}
- ret = 1;
+ ret = 0;
cleanup:
gnutls_ocsp_resp_deinit (resp);
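Review bot: the audit message "There is a newer OCSP response but was not provided by the server" is logged for any response whose nextUpdate has passed, while GNUTLS_CERT_REVOCATION_DATA_TOO_OLD is set only once it is more than MAX_OCSP_VALIDITY_SECS (three days) past; a response stale by up to three days is therefore logged but reported to the caller as clean. Document that grace period next to the define, or mention it in the message, so an operator reading the audit log is not surprised that verification succeeded. Minor grammar in the message as well: "but it was not provided".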
@@ -197,6 +200,7 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
int peer_certificate_list_size, i, x, ret;
gnutls_x509_crt_t issuer;
unsigned int ocsp_status = 0;
+ unsigned int verify_flags;
CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
@@ -224,6 +228,7 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
return GNUTLS_E_CONSTRAINT_ERROR;
}
+ verify_flags = cred->verify_flags |
session->internals.priorities.additional_verify_flags;
/* generate a list of gnutls_certs based on the auth info
* raw certs.
*/
@@ -268,6 +273,9 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
}
/* Use the OCSP extension if any */
+ if (verify_flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)
+ goto skip_ocsp;
+
ret = gnutls_ocsp_status_request_get(session, &resp);
if (ret < 0)
goto skip_ocsp;
@@ -284,18 +292,19 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
}
}
- ret = check_ocsp_response(session, peer_certificate_list[0], issuer, &resp);
- if (ret < 0) /* revoked */
- ocsp_status |= GNUTLS_CERT_REVOKED;
+ ret = check_ocsp_response(session, peer_certificate_list[0], issuer, &resp,
&ocsp_status);
+ if (ret < 0)
+ {
+ CLEAR_CERTS;
+ return gnutls_assert_val(ret);
+ }
skip_ocsp:
/* Verify certificate
*/
ret = gnutls_x509_trust_list_verify_crt (cred->tlist, peer_certificate_list,
peer_certificate_list_size,
- cred->verify_flags | session->internals.
- priorities.additional_verify_flags,
- status, NULL);
+ verify_flags, status, NULL);
CLEAR_CERTS;
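Review bot: behaviour change that deserves a NEWS line: previously a stapled OCSP response that failed to import, whose verification call failed, or which belonged to an unrelated certificate was ignored (check_ocsp_response returned 0) and verification continued with the trust list; with this hunk a negative return from check_ocsp_response aborts _gnutls_x509_cert_verify_peers with that error, so a server stapling a malformed or mismatched response now fails the handshake outright instead of being reported through *status. If that is intended, say so in NEWS; if not, set GNUTLS_CERT_REVOCATION_DATA_INVALID in those cases and fall through to skip_ocsp.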
@@ -310,11 +319,6 @@ skip_ocsp:
return 0;
}
-/*
- * Read certificates and private keys, from files, memory etc.
- */
-
-
/* Returns the name of the certificate of a null name
*/
static int get_x509_name(gnutls_x509_crt_t crt, gnutls_str_array_t *names)
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 55928ce..b6cd8be 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -444,9 +444,11 @@ extern "C"
* should not be trusted.
* @GNUTLS_CERT_NOT_ACTIVATED: The certificate is not yet activated.
* @GNUTLS_CERT_EXPIRED: The certificate has expired.
+ * @GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: The OCSP revocation data are too old.
+ * @GNUTLS_CERT_REVOCATION_DATA_INVALID: The OCSP revocation data are invalid.
*
* Enumeration of certificate status codes. Note that the status
- * bits have different meanings in OpenPGP keys and X.509
+ * bits may have different meanings in OpenPGP keys and X.509
* certificate verification.
*/
typedef enum
@@ -458,7 +460,9 @@ extern "C"
GNUTLS_CERT_INSECURE_ALGORITHM = 256,
GNUTLS_CERT_NOT_ACTIVATED = 512,
GNUTLS_CERT_EXPIRED = 1024,
- GNUTLS_CERT_SIGNATURE_FAILURE = 2048
+ GNUTLS_CERT_SIGNATURE_FAILURE = 2048,
+ GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 4096,
+ GNUTLS_CERT_REVOCATION_DATA_INVALID = 8192,
} gnutls_certificate_status_t;
/**
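Review bot: the trailing comma after `GNUTLS_CERT_REVOCATION_DATA_INVALID = 8192,` is a C99/C++11 feature; this is an installed public header and pre-C99 or -pedantic C++98 builds will warn on or reject it. Drop the comma on the last enumerator, as the previous version did for GNUTLS_CERT_SIGNATURE_FAILURE.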
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 7845f22..8fd32eb 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -646,7 +646,7 @@ extern "C"
* and expiration validity periods of certificate chains. Don't set
* this unless you understand the security implications.
* @GNUTLS_VERIFY_DISABLE_CRL_CHECKS: Disable checking for validity
- * using certificate revocation lists.
+ * using certificate revocation lists or the available OCSP data.
*
* Enumeration of different certificate verify flags.
*/
diff --git a/src/certtool-args.c b/src/certtool-args.c
index b71148b..3608bbf 100644
--- a/src/certtool-args.c
+++ b/src/certtool-args.c
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (certtool-args.c)
*
- * It has been AutoGen-ed October 12, 2012 at 09:17:49 AM by AutoGen 5.16
+ * It has been AutoGen-ed October 13, 2012 at 10:33:30 PM by AutoGen 5.16
* From the definitions certtool-args.def
* and the template file options
*
@@ -67,7 +67,7 @@ extern FILE * option_usage_fp;
/*
* certtool option static const strings
*/
-static char const certtool_opt_strs[4697] =
+static char const certtool_opt_strs[4691] =
/* 0 */ "certtool @address@hidden"
"Copyright (C) 2000-2012 Free Software Foundation, all rights
reserved.\n"
"This is free software. It is licensed for use, modification and\n"
@@ -264,7 +264,7 @@ static char const certtool_opt_strs[4697] =
"It can be used interactively or non interactively by specifying
the\n"
"template command line option.\n\0"
/* 4612 */ "certtool @address@hidden"
-/* 4631 */ "certtool [options] [url]\n"
+/* 4631 */ "certtool [options]\n"
"certtool --help for usage instructions.\n";
/*
diff --git a/src/certtool-args.def b/src/certtool-args.def
index c4d8a53..23c9d4f 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -5,7 +5,7 @@ prog-desc = "Manipulate certificates and private keys.";
detail = "Tool to parse and generate X.509 certificates, requests and
private keys.
It can be used interactively or non interactively by
specifying the template command line option.";
-short-usage = "certtool [options] [url]\ncerttool --help for usage
instructions.\n";
+short-usage = "certtool [options]\ncerttool --help for usage
instructions.\n";
explain = "";
#define INFILE_OPT 1
diff --git a/src/certtool-args.h b/src/certtool-args.h
index c328d59..0339b00 100644
--- a/src/certtool-args.h
+++ b/src/certtool-args.h
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (certtool-args.h)
*
- * It has been AutoGen-ed October 12, 2012 at 09:17:49 AM by AutoGen 5.16
+ * It has been AutoGen-ed October 13, 2012 at 10:33:30 PM by AutoGen 5.16
* From the definitions certtool-args.def
* and the template file options
*
diff --git a/src/common.c b/src/common.c
index 75048c6..9ef83b6 100644
--- a/src/common.c
+++ b/src/common.c
@@ -439,6 +439,10 @@ cert_verify (gnutls_session_t session, const char*
hostname)
if (status & GNUTLS_CERT_REVOKED)
printf ("- Peer's certificate chain revoked\n");
+ if (status & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD)
+ printf ("- The revocation data provided by the peer are too
old\n");
+ if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID)
+ printf ("- The revocation data provided by the peer are
invalid\n");
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
printf ("- Peer's certificate issuer is unknown\n");
if (status & GNUTLS_CERT_SIGNER_NOT_CA)
diff --git a/src/danetool-args.c b/src/danetool-args.c
index 054ec2a..c3ce504 100644
--- a/src/danetool-args.c
+++ b/src/danetool-args.c
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (danetool-args.c)
*
- * It has been AutoGen-ed October 12, 2012 at 07:55:33 PM by AutoGen 5.16
+ * It has been AutoGen-ed October 13, 2012 at 10:33:32 PM by AutoGen 5.16
* From the definitions danetool-args.def
* and the template file options
*
@@ -67,7 +67,7 @@ extern FILE * option_usage_fp;
/*
* danetool option static const strings
*/
-static char const danetool_opt_strs[2268] =
+static char const danetool_opt_strs[2262] =
/* 0 */ "danetool @address@hidden"
"Copyright (C) 2000-2012 Free Software Foundation, all rights
reserved.\n"
"This is free software. It is licensed for use, modification and\n"
@@ -152,7 +152,7 @@ static char const danetool_opt_strs[2268] =
/* 2123 */ "\n"
"Tool generate DNS resource records for the DANE protocol.\n\0"
/* 2183 */ "danetool @address@hidden"
-/* 2202 */ "danetool [options] [url]\n"
+/* 2202 */ "danetool [options]\n"
"danetool --help for usage instructions.\n";
/*
diff --git a/src/danetool-args.def b/src/danetool-args.def
index 90017ea..d657804 100644
--- a/src/danetool-args.def
+++ b/src/danetool-args.def
@@ -3,7 +3,7 @@ prog-name = danetool;
prog-title = "GnuTLS DANE tool";
prog-desc = "Generate DANE TLSA RR entries.";
detail = "Tool generate DNS resource records for the DANE protocol.";
-short-usage = "danetool [options] [url]\ndanetool --help for usage
instructions.\n";
+short-usage = "danetool [options]\ndanetool --help for usage
instructions.\n";
explain = "";
#define INFILE_OPT 1
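Review bot: while this hunk is already editing the danetool usage strings, the unchanged detail line "Tool generate DNS resource records for the DANE protocol." is missing "to"; fixing it here in the .def would also correct the copy regenerated into danetool-args.c.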
diff --git a/src/danetool-args.h b/src/danetool-args.h
index a80066a..de3da54 100644
--- a/src/danetool-args.h
+++ b/src/danetool-args.h
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (danetool-args.h)
*
- * It has been AutoGen-ed October 12, 2012 at 07:55:33 PM by AutoGen 5.16
+ * It has been AutoGen-ed October 13, 2012 at 10:33:32 PM by AutoGen 5.16
* From the definitions danetool-args.def
* and the template file options
*
hooks/post-receive
--
GNU gnutls