diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-03-04 07:47:57 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-03-04 07:47:57 +0000 |
commit | 94b36a2b79c6216cbb502c65f08829be1a5b1989 (patch) | |
tree | c3ec781bd94f0218f2c13115bd226671696ee9df | |
parent | 9a740fdabd18b2b50097023dc72123dcfb8bb28c (diff) | |
download | gnutls-94b36a2b79c6216cbb502c65f08829be1a5b1989.tar.gz |
* Corrected a bug in 64 bit architectures, which affected the
serial number calculation in the record layer.
* Added gnutls_certificate_free_keys() which deletes all the
private keys and certificates from the credentials structure.
-rw-r--r-- | NEWS | 8 | ||||
-rw-r--r-- | configure.in | 2 | ||||
-rw-r--r-- | lib/defines.h | 7 | ||||
-rw-r--r-- | lib/gnutls.h.in.in | 2 | ||||
-rw-r--r-- | lib/gnutls_alert.c | 4 | ||||
-rw-r--r-- | lib/gnutls_cipher.c | 9 | ||||
-rw-r--r-- | lib/gnutls_constate.c | 4 | ||||
-rw-r--r-- | lib/gnutls_dh_primes.c | 1 | ||||
-rw-r--r-- | lib/gnutls_int.h | 4 | ||||
-rw-r--r-- | lib/gnutls_num.c | 39 | ||||
-rw-r--r-- | lib/gnutls_num.h | 41 | ||||
-rw-r--r-- | lib/gnutls_ui.c | 4 | ||||
-rw-r--r-- | lib/gnutls_x509.c | 38 | ||||
-rw-r--r-- | src/serv.c | 10 |
14 files changed, 81 insertions, 92 deletions
@@ -1,4 +1,10 @@ -Version 0.9.0 +Version 0.9.1 +- Corrected a bug in 64 bit architectures, which affected the + serial number calculation in the record layer. +- Added gnutls_certificate_free_keys() which deletes all the + private keys and certificates from the credentials structure. + +Version 0.9.0 (03/03/2003) - This version is not binary compatible with the previous ones. - The library notifies the application on empty and illegal SRP usernames, so that proper notification (via an alert) is sent to the peer. diff --git a/configure.in b/configure.in index c194437e3b..6faa5dd5fa 100644 --- a/configure.in +++ b/configure.in @@ -12,7 +12,7 @@ AC_DEFINE_UNQUOTED(T_OS, "$target_os", [OS name]) dnl Gnutls Version GNUTLS_MAJOR_VERSION=0 GNUTLS_MINOR_VERSION=9 -GNUTLS_MICRO_VERSION=0 +GNUTLS_MICRO_VERSION=1 GNUTLS_VERSION=$GNUTLS_MAJOR_VERSION.$GNUTLS_MINOR_VERSION.$GNUTLS_MICRO_VERSION AC_DEFINE_UNQUOTED(GNUTLS_VERSION, "$GNUTLS_VERSION", [version of gnutls]) diff --git a/lib/defines.h b/lib/defines.h index 17b3add903..8afb31450f 100644 --- a/lib/defines.h +++ b/lib/defines.h @@ -96,19 +96,12 @@ typedef signed int sint; #define SIZEOF_UNSIGNED_LONG_INT SIZEOF_UNSIGNED_LONG -#if SIZEOF_UNSIGNED_LONG == 8 -# define HAVE_UINT64 -/* only used native uint64 in 64 bit machines */ -typedef unsigned long int uint64; -#else /* some systems had problems with long long int, thus, * it is not used. */ typedef struct { unsigned char i[8]; } uint64; -#endif - #if SIZEOF_UNSIGNED_LONG == 4 typedef unsigned long int uint32; diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in index 43ad152d41..f189001741 100644 --- a/lib/gnutls.h.in.in +++ b/lib/gnutls.h.in.in @@ -301,6 +301,8 @@ int gnutls_anon_allocate_client_credentials( gnutls_anon_server_credentials *sc) void gnutls_certificate_free_credentials( gnutls_certificate_credentials sc); int gnutls_certificate_allocate_credentials( gnutls_certificate_credentials *sc); +void gnutls_certificate_free_keys(gnutls_certificate_credentials sc); + void gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_dh_params); void gnutls_certificate_set_rsa_params(gnutls_certificate_credentials res, gnutls_rsa_params rsa_params); void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials res, unsigned int flags); diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c index 8a8b7924e4..7740d121e0 100644 --- a/lib/gnutls_alert.c +++ b/lib/gnutls_alert.c @@ -94,6 +94,10 @@ const char* ret = NULL; * him of something important (eg. his Certificate could not be verified). * If the alert level is Fatal then the peer is expected to close the * connection, otherwise he may ignore the alert and continue. + * + * The error code of the underlying record send function will be returned, + * so you may also receive GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN as well. + * * Returns 0 on success. * **/ diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index c31ac04da5..120bbfff71 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -241,7 +241,6 @@ int _gnutls_compressed2ciphertext(gnutls_session session, uint8 MAC[MAX_HASH_SIZE]; uint16 c_length; uint8 pad; - uint64 seq_num; int length,ret; GNUTLS_MAC_HANDLE td; uint8 type = _type; @@ -271,11 +270,9 @@ int _gnutls_compressed2ciphertext(gnutls_session session, } c_length = _gnutls_conv_uint16(compressed.size); - seq_num = - _gnutls_conv_uint64(&session->connection_state.write_sequence_number); if (td != GNUTLS_MAC_FAILED) { /* actually when the algorithm in not the NULL one */ - _gnutls_hmac(td, UINT64DATA(seq_num), 8); + _gnutls_hmac(td, UINT64DATA(session->connection_state.write_sequence_number), 8); _gnutls_hmac(td, &type, 1); if ( ver != GNUTLS_SSL3) { /* TLS 1.0 only */ @@ -332,7 +329,6 @@ int _gnutls_ciphertext2compressed(gnutls_session session, uint8 MAC[MAX_HASH_SIZE]; uint16 c_length; uint8 pad; - uint64 seq_num; uint16 length; GNUTLS_MAC_HANDLE td; uint16 blocksize; @@ -431,13 +427,12 @@ int _gnutls_ciphertext2compressed(gnutls_session session, c_length = _gnutls_conv_uint16((uint16) length); - seq_num = _gnutls_conv_uint64( &session->connection_state.read_sequence_number); /* Pass the type, version, length and compressed through * MAC. */ if (td != GNUTLS_MAC_FAILED) { - _gnutls_hmac(td, UINT64DATA(seq_num), 8); + _gnutls_hmac(td, UINT64DATA(session->connection_state.read_sequence_number), 8); _gnutls_hmac(td, &type, 1); if ( ver != GNUTLS_SSL3) { /* TLS 1.0 only */ diff --git a/lib/gnutls_constate.c b/lib/gnutls_constate.c index 4d49af2440..fc75d27832 100644 --- a/lib/gnutls_constate.c +++ b/lib/gnutls_constate.c @@ -450,7 +450,7 @@ int _gnutls_read_connection_state_init(gnutls_session session) int mac_size; int rc; - _gnutls_uint64zero(&session->connection_state.read_sequence_number); + _gnutls_uint64zero(session->connection_state.read_sequence_number); /* Update internals from CipherSuite selected. * If we are resuming just copy the connection session @@ -632,7 +632,7 @@ int _gnutls_write_connection_state_init(gnutls_session session) int mac_size; int rc; - _gnutls_uint64zero(&session->connection_state.write_sequence_number); + _gnutls_uint64zero(session->connection_state.write_sequence_number); /* Update internals from CipherSuite selected. * If we are resuming just copy the connection session diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c index e1540bc41a..865b93d178 100644 --- a/lib/gnutls_dh_primes.c +++ b/lib/gnutls_dh_primes.c @@ -397,7 +397,6 @@ int gnutls_dh_params_export_pkcs3( gnutls_dh_params params, } if (format == GNUTLS_X509_FMT_DER) { -#warning FIX THIS if ((result=asn1_der_coding( c2, "", params_data, params_data_size, NULL)) != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&c2); diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 4fd336172f..f27e36d75f 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -34,9 +34,9 @@ #define HANDSHAKE_DEBUG // Prints some information on handshake #define X509_DEBUG #define RECORD_DEBUG -#define COMPRESSION_DEBUG*/ +#define COMPRESSION_DEBUG #define DEBUG - +*/ /* It might be a good idea to replace int with void* * here. diff --git a/lib/gnutls_num.c b/lib/gnutls_num.c index f747d4454e..8e078bb098 100644 --- a/lib/gnutls_num.c +++ b/lib/gnutls_num.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2000,2001,2002 Nikos Mavroyanopoulos + * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos * - * This file is part of GNUTLS. + * This file is part of GNUTLS. * * The GNUTLS library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -27,16 +27,8 @@ #include <gnutls_num.h> #include <gnutls_errors.h> - -#ifndef HAVE_UINT64 - /* This function will set the uint64 x to zero */ -int _gnutls_uint64zero( uint64 *x) { - - memset( x->i, 0, 8); - return 0; -} /* This function will add one to uint64 x. * Returns 0 on success, or -1 if the uint64 max limit @@ -59,8 +51,6 @@ register int i, y=0; return 0; } -#endif /* HAVE_UINT64 */ - uint32 _gnutls_uint24touint32( uint24 num) { uint32 ret=0; @@ -163,34 +153,13 @@ uint16 _gnutls_conv_uint16( uint16 data) { #endif } -uint64 _gnutls_conv_uint64( const uint64* data) { -#ifdef HAVE_UINT64 -# ifndef WORDS_BIGENDIAN - return byteswap64(*data); -# else - return *data; -# endif /* WORDS_BIGENDIAN */ -#else - uint64 ret; - - memcpy( ret.i, data->i, 8); - return ret; -#endif /* HAVE_UINT64 */ -} - uint32 _gnutls_uint64touint32( const uint64* num) { uint32 ret; -#ifdef HAVE_UINT64 - ret = (uint32) *num; - -#else /* no native uint64 */ - memcpy( &ret, &num->i[4], 4); -# ifndef WORDS_BIGENDIAN +#ifndef WORDS_BIGENDIAN ret = byteswap32(ret); -# endif -#endif /* HAVE_UINT64 */ +#endif return ret; } diff --git a/lib/gnutls_num.h b/lib/gnutls_num.h index a8f0ebae48..91a54a4073 100644 --- a/lib/gnutls_num.h +++ b/lib/gnutls_num.h @@ -1,21 +1,21 @@ /* - * Copyright (C) 2000 Nikos Mavroyanopoulos + * Copyright (C) 2000,2003 Nikos Mavroyanopoulos * - * This file is part of GNUTLS. + * This file is part of GNUTLS. * - * GNUTLS is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. + * GNUTLS is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. * - * GNUTLS is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. + * GNUTLS is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ #include <gnutls_int.h> @@ -37,25 +37,12 @@ uint32 _gnutls_read_uint32( const opaque* data); uint16 _gnutls_read_uint16( const opaque* data); uint32 _gnutls_conv_uint32( uint32 data); uint16 _gnutls_conv_uint16( uint16 data); -uint64 _gnutls_conv_uint64( const uint64 *data); uint32 _gnutls_read_uint24( const opaque* data); void _gnutls_write_uint24( uint32 num, opaque* data); void _gnutls_write_uint32( uint32 num, opaque* data); void _gnutls_write_uint16( uint16 num, opaque* data); uint32 _gnutls_uint64touint32( const uint64*); -#ifndef HAVE_UINT64 -int _gnutls_uint64zero( uint64 *); int _gnutls_uint64pp( uint64 *); +# define _gnutls_uint64zero(x) x.i[0] = x.i[1] = x.i[2] = x.i[3] = x.i[4] = x.i[5] = x.i[6] = x.i[7] = 0 # define UINT64DATA(x) x.i - -#else -# define UINT64DATA(x) &x -# define rotl64(x,n) (((x) << ((uint16)(n))) | ((x) >> (64 - (uint16)(n)))) -# define rotr64(x,n) (((x) >> ((uint16)(n))) | ((x) << (64 - (uint16)(n)))) -# define byteswap64(x) ((rotl64(x, 8) & 0x00ff00ff00ff00ffUL) | (rotr64(x, 8) & 0xff00ff00ff00ff00UL)) - -# define _gnutls_uint64pp(x) ((++(*x)==0) ? -1 : 0) -# define _gnutls_uint64zero(x) (*x) = 0 - -#endif diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index 36b21eb33b..aa5df95c06 100644 --- a/lib/gnutls_ui.c +++ b/lib/gnutls_ui.c @@ -212,7 +212,9 @@ const gnutls_datum *gnutls_certificate_get_ours(gnutls_session session) return NULL; /* no certificate */ } - return &cred->cert_list[index][0].raw; + if (cred->ncerts > index) + return &cred->cert_list[index][0].raw; + return NULL; } /** diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index 971d16e72e..5e970a7acc 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c @@ -714,12 +714,50 @@ static int read_key_file(gnutls_certificate_credentials res, const char *keyfile } ret = read_key_mem( res, x, size, type); + memset( x, 0, size); gnutls_free(x); return ret; } /** + * gnutls_certificate_free_keys - Used to free all the keys from a gnutls_certificate_credentials structure + * @sc: is an &gnutls_certificate_credentials structure. + * + * This function will delete all the keys and the certificates associated + * with the given credentials. This function must not be called when a + * TLS negotiation that uses the credentials is in progress. + * + **/ +void gnutls_certificate_free_keys(gnutls_certificate_credentials sc) +{ + uint i, j; + + for (i = 0; i < sc->ncerts; i++) { + for (j = 0; j < sc->cert_list_length[i]; j++) { + _gnutls_free_cert( &sc->cert_list[i][j]); + } + gnutls_free( sc->cert_list[i]); + } + + gnutls_free(sc->cert_list_length); + sc->cert_list_length = NULL; + + gnutls_free(sc->cert_list); + sc->cert_list = NULL; + + for (i = 0; i < sc->ncerts; i++) { + _gnutls_free_private_key(sc->pkey[i]); + } + + gnutls_free( sc->pkey); + sc->pkey = NULL; + + sc->ncerts = 0; + +} + +/** * gnutls_certificate_set_x509_key_mem - Used to set keys in a gnutls_certificate_credentials structure * @res: is an &gnutls_certificate_credentials structure. * @CERT: contains a certificate list (path) for the specified private key diff --git a/src/serv.c b/src/serv.c index e6a49d5d43..68b28b4e42 100644 --- a/src/serv.c +++ b/src/serv.c @@ -620,14 +620,8 @@ int main(int argc, char **argv) } if (generate != 0 || read_dh_params != NULL) { - if (gnutls_certificate_set_dh_params(cert_cred, dh_params) < 0) { - fprintf(stderr, "Error while setting DH parameters\n"); - exit(1); - } - if (gnutls_certificate_set_rsa_params(cert_cred, rsa_params) < 0) { - fprintf(stderr, "Error while setting RSA parameters\n"); - exit(1); - } + gnutls_certificate_set_dh_params(cert_cred, dh_params); + gnutls_certificate_set_rsa_params(cert_cred, rsa_params); } /* this is a password file (created with the included srpcrypt utility) |