diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-09-09 18:18:27 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-09-09 18:55:43 +0200 |
| commit | 4d57e71e9916543258118c05d6580b8c64127b58 (patch) | |
| tree | 8272366146ef974a5d8739c513ad8b1190007e5a | |
| parent | 85381e3cd276df73c16e61ac69d7e3f3951a5d53 (diff) | |
| download | gnutls-4d57e71e9916543258118c05d6580b8c64127b58.tar.gz | |
Memory leak fixes in ECC ciphersuites and the trust_list.
| -rw-r--r-- | NEWS | 5 | ||||
| -rw-r--r-- | lib/auth/ecdh_common.c | 6 | ||||
| -rw-r--r-- | lib/nettle/ecc_free.c | 2 | ||||
| -rw-r--r-- | lib/nettle/pk.c | 24 | ||||
| -rw-r--r-- | lib/x509/verify-high.c | 601 | ||||
| -rw-r--r-- | tests/x509cert-tl.c | 2 | ||||
| -rw-r--r-- | tests/x509cert.c | 2 |
7 files changed, 343 insertions, 299 deletions
@@ -4,6 +4,8 @@ See the end for copying conditions. * Version 3.0.3 (unreleased) +** libgnutls: Memory leak fixes in ECC ciphersuites. + ** libgnutls: Do not send an empty extension structure in server hello. This affected old implementations that do not support extensions. Reported by J. Cameijo Cerdeira. @@ -19,7 +21,8 @@ PKCS #11. to allow generating a key in a token. ** p11tool: Added generate-rsa, generate-dsa and -generate-ecc options. +generate-ecc options to allow generating private +keys in the token. ** API and ABI modifications: gnutls_pkcs11_privkey_generate: Added diff --git a/lib/auth/ecdh_common.c b/lib/auth/ecdh_common.c index 2903388fc0..2b3672b853 100644 --- a/lib/auth/ecdh_common.c +++ b/lib/auth/ecdh_common.c @@ -75,6 +75,7 @@ int ret; ret = _gnutls_set_psk_session_key (session, psk_key, &tmp_dh_key); _gnutls_free_datum (&tmp_dh_key); } + if (ret < 0) { @@ -86,6 +87,11 @@ int ret; cleanup: _gnutls_mpi_release(&pub.params[7]); + + /* no longer needed */ + _gnutls_mpi_release (&session->key->ecdh_x); + _gnutls_mpi_release (&session->key->ecdh_y); + gnutls_pk_params_release( &session->key->ecdh_params); return ret; } diff --git a/lib/nettle/ecc_free.c b/lib/nettle/ecc_free.c index 81a9241173..ab04d033db 100644 --- a/lib/nettle/ecc_free.c +++ b/lib/nettle/ecc_free.c @@ -37,7 +37,7 @@ void ecc_free (ecc_key * key) { mp_clear_multi (&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, - &key->prime, &key->order, &key->Gx, &key->Gy, NULL); + &key->prime, &key->order, &key->Gx, &key->Gy, &key->A, NULL); } /* $Source: /cvs/libtom/libtomcrypt/src/pk/ecc/ecc_free.c,v $ */ diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c index 5cc7746aaf..794a2c99be 100644 --- a/lib/nettle/pk.c +++ b/lib/nettle/pk.c @@ -97,6 +97,11 @@ _ecc_params_to_privkey(const gnutls_pk_params_st * pk_params, mpz_init_set_ui(priv->pubkey.z, 1); } +static void _ecc_params_clear(ecc_key * key) +{ + mpz_clear(key->pubkey.z); +} + static void _ecc_params_to_pubkey(const gnutls_pk_params_st * pk_params, ecc_key * pub) @@ -126,6 +131,8 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo, gnutls_datum_t * o int curve = priv->flags; unsigned long sz; + out->data = NULL; + if (is_supported_curve(curve) == 0) return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES); @@ -135,14 +142,25 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo, gnutls_datum_t * o sz = ECC_BUF_SIZE; out->data = gnutls_malloc(sz); if (out->data == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + { + ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + goto ecc_cleanup; + } ret = ecc_shared_secret(&ecc_priv, &ecc_pub, out->data, &sz); if (ret != 0) + ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + +ecc_cleanup: + _ecc_params_clear(&ecc_pub); + _ecc_params_clear(&ecc_priv); + + if (ret < 0) { gnutls_free(out->data); - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + return ret; } + out->size = sz; break; } @@ -378,6 +396,7 @@ _wrap_nettle_pk_sign (gnutls_pk_algorithm_t algo, ecdsa_fail: dsa_signature_clear (&sig); + _ecc_params_clear( &priv); if (ret < 0) { @@ -560,6 +579,7 @@ _wrap_nettle_pk_verify (gnutls_pk_algorithm_t algo, _gnutls_mpi_release (&tmp[0]); _gnutls_mpi_release (&tmp[1]); + _ecc_params_clear( &pub); break; } case GNUTLS_PK_DSA: diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index a9e887933c..17ede24565 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -37,27 +37,27 @@ #define INIT_HASH 0x33a1 struct named_cert_st { - gnutls_x509_crt_t cert; - uint8_t name[MAX_NAME_SIZE]; - unsigned int name_size; + gnutls_x509_crt_t cert; + uint8_t name[MAX_NAME_SIZE]; + unsigned int name_size; }; struct node_st { - /* The trusted certificates */ - gnutls_x509_crt_t * trusted_cas; - unsigned int trusted_ca_size; + /* The trusted certificates */ + gnutls_x509_crt_t *trusted_cas; + unsigned int trusted_ca_size; - struct named_cert_st *named_certs; - unsigned int named_cert_size; + struct named_cert_st *named_certs; + unsigned int named_cert_size; - /* The trusted CRLs */ - gnutls_x509_crl_t * crls; - unsigned int crl_size; + /* The trusted CRLs */ + gnutls_x509_crl_t *crls; + unsigned int crl_size; }; struct gnutls_x509_trust_list_st { - int size; - struct node_st *node; + int size; + struct node_st *node; }; /** @@ -73,27 +73,29 @@ struct gnutls_x509_trust_list_st { * Since: 3.0.0 **/ int -gnutls_x509_trust_list_init (gnutls_x509_trust_list_t * list, unsigned int size) +gnutls_x509_trust_list_init(gnutls_x509_trust_list_t * list, + unsigned int size) { - gnutls_x509_trust_list_t tmp = gnutls_calloc (1, sizeof (struct gnutls_x509_trust_list_st)); - - if (!tmp) - return GNUTLS_E_MEMORY_ERROR; - - if (size == 0) size = DEFAULT_SIZE; - tmp->size = size; - - tmp->node = gnutls_calloc(1, tmp->size * sizeof(tmp->node[0])); - if (tmp->node == NULL) - { - gnutls_assert(); - gnutls_free(tmp); - return GNUTLS_E_MEMORY_ERROR; + gnutls_x509_trust_list_t tmp = + gnutls_calloc(1, sizeof(struct gnutls_x509_trust_list_st)); + + if (!tmp) + return GNUTLS_E_MEMORY_ERROR; + + if (size == 0) + size = DEFAULT_SIZE; + tmp->size = size; + + tmp->node = gnutls_calloc(1, tmp->size * sizeof(tmp->node[0])); + if (tmp->node == NULL) { + gnutls_assert(); + gnutls_free(tmp); + return GNUTLS_E_MEMORY_ERROR; } - *list = tmp; + *list = tmp; - return 0; /* success */ + return 0; /* success */ } /** @@ -106,32 +108,31 @@ gnutls_x509_trust_list_init (gnutls_x509_trust_list_t * list, unsigned int size) * Since: 3.0.0 **/ void -gnutls_x509_trust_list_deinit (gnutls_x509_trust_list_t list, unsigned int all) +gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list, + unsigned int all) { -int i, j; - - if (!list) - return; - - if (all) - { - for (i=0;i<list->size;i++) - { - for (j=0;j<list->node[i].trusted_ca_size;j++) - { - gnutls_x509_crt_deinit(list->node[i].trusted_cas[j]); + int i, j; + + if (!list) + return; + + for (i = 0; i < list->size; i++) { + if (all) + for (j = 0; j < list->node[i].trusted_ca_size; j++) { + gnutls_x509_crt_deinit(list->node[i].trusted_cas[j]); } - gnutls_free(list->node[i].trusted_cas); - for (j=0;j<list->node[i].crl_size;j++) - { - gnutls_x509_crl_deinit(list->node[i].crls[j]); + gnutls_free(list->node[i].trusted_cas); + + if (all) + for (j = 0; j < list->node[i].crl_size; j++) { + gnutls_x509_crl_deinit(list->node[i].crls[j]); } - gnutls_free(list->node[i].crls); - } + gnutls_free(list->node[i].crls); + gnutls_free(list->node[i].named_certs); } - gnutls_free (list->node); - gnutls_free (list); + gnutls_free(list->node); + gnutls_free(list); } /** @@ -150,39 +151,41 @@ int i, j; * Since: 3.0.0 **/ int -gnutls_x509_trust_list_add_cas (gnutls_x509_trust_list_t list, - const gnutls_x509_crt_t * clist, int clist_size, unsigned int flags) +gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, + const gnutls_x509_crt_t * clist, + int clist_size, unsigned int flags) { -gnutls_datum_t dn; -int ret, i; -uint32_t hash; + gnutls_datum_t dn; + int ret, i; + uint32_t hash; - for (i=0;i<clist_size;i++) - { + for (i = 0; i < clist_size; i++) { ret = gnutls_x509_crt_get_raw_dn(clist[i], &dn); - if (ret < 0) - { + if (ret < 0) { gnutls_assert(); return i; - } + } hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); hash %= list->size; _gnutls_free_datum(&dn); - - list->node[hash].trusted_cas = gnutls_realloc_fast( list->node[hash].trusted_cas, (list->node[hash].trusted_ca_size+1)*sizeof(list->node[hash].trusted_cas[0])); - if (list->node[hash].trusted_cas == NULL) - { + list->node[hash].trusted_cas = + gnutls_realloc_fast(list->node[hash].trusted_cas, + (list->node[hash].trusted_ca_size + + 1) * + sizeof(list->node[hash].trusted_cas[0])); + if (list->node[hash].trusted_cas == NULL) { gnutls_assert(); return i; - } + } - list->node[hash].trusted_cas[list->node[hash].trusted_ca_size] = clist[i]; + list->node[hash].trusted_cas[list->node[hash].trusted_ca_size] = + clist[i]; list->node[hash].trusted_ca_size++; } - return i; + return i; } /** @@ -211,39 +214,46 @@ uint32_t hash; * Since: 3.0.0 **/ int -gnutls_x509_trust_list_add_named_crt (gnutls_x509_trust_list_t list, - gnutls_x509_crt_t cert, const void* name, size_t name_size, unsigned int flags) +gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert, + const void *name, size_t name_size, + unsigned int flags) { -gnutls_datum_t dn; -int ret; -uint32_t hash; - - if (name_size >= MAX_NAME_SIZE) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn); - if (ret < 0) - { - gnutls_assert(); - return ret; + gnutls_datum_t dn; + int ret; + uint32_t hash; + + if (name_size >= MAX_NAME_SIZE) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn); + if (ret < 0) { + gnutls_assert(); + return ret; } - hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); - hash %= list->size; + hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); + hash %= list->size; - _gnutls_free_datum(&dn); + _gnutls_free_datum(&dn); - list->node[hash].named_certs = gnutls_realloc_fast( list->node[hash].named_certs, (list->node[hash].named_cert_size+1)*sizeof(list->node[hash].named_certs[0])); - if (list->node[hash].named_certs == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + list->node[hash].named_certs = + gnutls_realloc_fast(list->node[hash].named_certs, + (list->node[hash].named_cert_size + + 1) * sizeof(list->node[hash].named_certs[0])); + if (list->node[hash].named_certs == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - list->node[hash].named_certs[list->node[hash].named_cert_size].cert = cert; - memcpy(list->node[hash].named_certs[list->node[hash].named_cert_size].name, name, name_size); - list->node[hash].named_certs[list->node[hash].named_cert_size].name_size = name_size; + list->node[hash].named_certs[list->node[hash].named_cert_size].cert = + cert; + memcpy(list->node[hash].named_certs[list->node[hash].named_cert_size]. + name, name, name_size); + list->node[hash].named_certs[list->node[hash].named_cert_size]. + name_size = name_size; - list->node[hash].named_cert_size++; + list->node[hash].named_cert_size++; - return 0; + return 0; } /** @@ -266,58 +276,62 @@ uint32_t hash; * Since: 3.0.0 **/ int -gnutls_x509_trust_list_add_crls (gnutls_x509_trust_list_t list, - const gnutls_x509_crl_t * crl_list, int crl_size, unsigned int flags, - unsigned int verification_flags) +gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, + const gnutls_x509_crl_t * crl_list, + int crl_size, unsigned int flags, + unsigned int verification_flags) { -int ret, i, j = 0; -gnutls_datum_t dn; -unsigned int vret = 0; -uint32_t hash; + int ret, i, j = 0; + gnutls_datum_t dn; + unsigned int vret = 0; + uint32_t hash; - /* Probably we can optimize things such as removing duplicates - * etc. - */ + /* Probably we can optimize things such as removing duplicates + * etc. + */ - if (crl_size == 0 || crl_list == NULL) - return 0; + if (crl_size == 0 || crl_list == NULL) + return 0; - for (i=0;i<crl_size;i++) - { + for (i = 0; i < crl_size; i++) { ret = gnutls_x509_crl_get_raw_issuer_dn(crl_list[i], &dn); - if (ret < 0) - { + if (ret < 0) { gnutls_assert(); return i; - } + } hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); hash %= list->size; _gnutls_free_datum(&dn); - if (flags & GNUTLS_TL_VERIFY_CRL) - { + if (flags & GNUTLS_TL_VERIFY_CRL) { - ret = gnutls_x509_crl_verify(crl_list[i], list->node[hash].trusted_cas, - list->node[hash].trusted_ca_size, verification_flags, &vret); + ret = + gnutls_x509_crl_verify(crl_list[i], + list->node[hash].trusted_cas, + list->node[hash].trusted_ca_size, + verification_flags, &vret); if (ret < 0 || vret != 0) - continue; - } + continue; + } - list->node[hash].crls = gnutls_realloc_fast( list->node[hash].crls, (list->node[hash].crl_size+1)*sizeof(list->node[hash].trusted_cas[0])); - if (list->node[hash].crls == NULL) - { + list->node[hash].crls = + gnutls_realloc_fast(list->node[hash].crls, + (list->node[hash].crl_size + + 1) * + sizeof(list->node[hash].trusted_cas[0])); + if (list->node[hash].crls == NULL) { gnutls_assert(); return i; - } + } list->node[hash].crls[list->node[hash].crl_size] = crl_list[i]; list->node[hash].crl_size++; j++; } - return j; + return j; } /* Takes a certificate list and shortens it if there are @@ -328,64 +342,62 @@ uint32_t hash; * Returns the new size of the list or a negative number on error. */ static int shorten_clist(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t* certificate_list, int clist_size) + gnutls_x509_crt_t * certificate_list, + int clist_size) { -int i, ret; -uint32_t hash; -gnutls_datum_t dn; - - if (clist_size > 1) - { - /* Check if the last certificate in the path is self signed. - * In that case ignore it (a certificate is trusted only if it - * leads to a trusted party by us, not the server's). - * - * This prevents from verifying self signed certificates against - * themselves. This (although not bad) caused verification - * failures on some root self signed certificates that use the - * MD2 algorithm. - */ - if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], - certificate_list[clist_size - 1]) > 0) - { - clist_size--; + int i, ret; + uint32_t hash; + gnutls_datum_t dn; + + if (clist_size > 1) { + /* Check if the last certificate in the path is self signed. + * In that case ignore it (a certificate is trusted only if it + * leads to a trusted party by us, not the server's). + * + * This prevents from verifying self signed certificates against + * themselves. This (although not bad) caused verification + * failures on some root self signed certificates that use the + * MD2 algorithm. + */ + if (gnutls_x509_crt_check_issuer(certificate_list[clist_size - 1], + certificate_list[clist_size - + 1]) > 0) { + clist_size--; } } - /* We want to shorten the chain by removing the cert that matches - * one of the certs we trust and all the certs after that i.e. if - * cert chain is A signed-by B signed-by C signed-by D (signed-by - * self-signed E but already removed above), and we trust B, remove - * B, C and D. */ - for (i=1; i < clist_size; i++) - { - int j; - - ret = gnutls_x509_crt_get_raw_issuer_dn(certificate_list[i], &dn); - if (ret < 0) - { - gnutls_assert(); - return ret; + /* We want to shorten the chain by removing the cert that matches + * one of the certs we trust and all the certs after that i.e. if + * cert chain is A signed-by B signed-by C signed-by D (signed-by + * self-signed E but already removed above), and we trust B, remove + * B, C and D. */ + for (i = 1; i < clist_size; i++) { + int j; + + ret = gnutls_x509_crt_get_raw_issuer_dn(certificate_list[i], &dn); + if (ret < 0) { + gnutls_assert(); + return ret; } - hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); - hash %= list->size; + hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); + hash %= list->size; - _gnutls_free_datum(&dn); + _gnutls_free_datum(&dn); - for (j = 0; j < list->node[hash].trusted_ca_size; j++) - { - if (check_if_same_cert (certificate_list[i], list->node[hash].trusted_cas[j]) == 0) - { - /* cut the list at the point of first the trusted certificate */ - clist_size = i+1; - break; + for (j = 0; j < list->node[hash].trusted_ca_size; j++) { + if (check_if_same_cert + (certificate_list[i], + list->node[hash].trusted_cas[j]) == 0) { + /* cut the list at the point of first the trusted certificate */ + clist_size = i + 1; + break; } } - /* clist_size may have been changed which gets out of loop */ + /* clist_size may have been changed which gets out of loop */ } - return clist_size; + return clist_size; } /** @@ -404,35 +416,36 @@ gnutls_datum_t dn; * Since: 3.0.0 **/ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t cert, gnutls_x509_crt_t* issuer, unsigned int flags) + gnutls_x509_crt_t cert, + gnutls_x509_crt_t * issuer, + unsigned int flags) { -gnutls_datum_t dn; -int ret, i; -uint32_t hash; - - ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn); - if (ret < 0) - { - gnutls_assert(); - return ret; + gnutls_datum_t dn; + int ret, i; + uint32_t hash; + + ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn); + if (ret < 0) { + gnutls_assert(); + return ret; } - hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); - hash %= list->size; + hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); + hash %= list->size; - _gnutls_free_datum(&dn); + _gnutls_free_datum(&dn); - for (i=0;i<list->node[hash].trusted_ca_size;i++) - { - ret = gnutls_x509_crt_check_issuer (cert, list->node[hash].trusted_cas[i]); - if (ret > 0) - { - *issuer = list->node[hash].trusted_cas[i]; - return 0; + for (i = 0; i < list->node[hash].trusted_ca_size; i++) { + ret = + gnutls_x509_crt_check_issuer(cert, + list->node[hash].trusted_cas[i]); + if (ret > 0) { + *issuer = list->node[hash].trusted_cas[i]; + return 0; } } - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } /** @@ -453,82 +466,83 @@ uint32_t hash; * Since: 3.0.0 **/ int -gnutls_x509_trust_list_verify_crt ( - gnutls_x509_trust_list_t list, - gnutls_x509_crt_t *cert_list, - unsigned int cert_list_size, - unsigned int flags, - unsigned int *verify, - gnutls_verify_output_function func) +gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t * cert_list, + unsigned int cert_list_size, + unsigned int flags, + unsigned int *verify, + gnutls_verify_output_function func) { -gnutls_datum_t dn; -int ret, i; -uint32_t hash; - - if (cert_list == NULL || cert_list_size < 1) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - cert_list_size = shorten_clist(list, cert_list, cert_list_size); - if (cert_list_size <= 0) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - - ret = gnutls_x509_crt_get_raw_issuer_dn(cert_list[cert_list_size-1], &dn); - if (ret < 0) - { - gnutls_assert(); - return ret; + gnutls_datum_t dn; + int ret, i; + uint32_t hash; + + if (cert_list == NULL || cert_list_size < 1) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + cert_list_size = shorten_clist(list, cert_list, cert_list_size); + if (cert_list_size <= 0) + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + + ret = + gnutls_x509_crt_get_raw_issuer_dn(cert_list[cert_list_size - 1], + &dn); + if (ret < 0) { + gnutls_assert(); + return ret; } - hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); - hash %= list->size; - - _gnutls_free_datum(&dn); - - *verify = _gnutls_x509_verify_certificate(cert_list, cert_list_size, - list->node[hash].trusted_cas, list->node[hash].trusted_ca_size, - flags, func); - - if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) return 0; - - /* Check revocation of individual certificates. - * start with the last one that we already have its hash - */ - ret = _gnutls_x509_crt_check_revocation (cert_list[cert_list_size-1], - list->node[hash].crls, - list->node[hash].crl_size, func); - if (ret == 1) - { /* revoked */ - *verify |= GNUTLS_CERT_REVOKED; - *verify |= GNUTLS_CERT_INVALID; - return 0; + hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); + hash %= list->size; + + _gnutls_free_datum(&dn); + + *verify = _gnutls_x509_verify_certificate(cert_list, cert_list_size, + list->node[hash].trusted_cas, + list->node[hash]. + trusted_ca_size, flags, + func); + + if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) + return 0; + + /* Check revocation of individual certificates. + * start with the last one that we already have its hash + */ + ret = _gnutls_x509_crt_check_revocation(cert_list[cert_list_size - 1], + list->node[hash].crls, + list->node[hash].crl_size, + func); + if (ret == 1) { /* revoked */ + *verify |= GNUTLS_CERT_REVOKED; + *verify |= GNUTLS_CERT_INVALID; + return 0; } - for (i=0;i<cert_list_size-1;i++) - { - ret = gnutls_x509_crt_get_raw_issuer_dn(cert_list[i], &dn); - if (ret < 0) - { - gnutls_assert(); - return ret; + for (i = 0; i < cert_list_size - 1; i++) { + ret = gnutls_x509_crt_get_raw_issuer_dn(cert_list[i], &dn); + if (ret < 0) { + gnutls_assert(); + return ret; } - hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); - hash %= list->size; + hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); + hash %= list->size; - _gnutls_free_datum(&dn); + _gnutls_free_datum(&dn); - ret = _gnutls_x509_crt_check_revocation (cert_list[i], - list->node[hash].crls, - list->node[hash].crl_size, func); - if (ret == 1) - { /* revoked */ - *verify |= GNUTLS_CERT_REVOKED; - *verify |= GNUTLS_CERT_INVALID; - return 0; + ret = _gnutls_x509_crt_check_revocation(cert_list[i], + list->node[hash].crls, + list->node[hash].crl_size, + func); + if (ret == 1) { /* revoked */ + *verify |= GNUTLS_CERT_REVOKED; + *verify |= GNUTLS_CERT_INVALID; + return 0; } } - return 0; + return 0; } /** @@ -551,60 +565,57 @@ uint32_t hash; * Since: 3.0.0 **/ int -gnutls_x509_trust_list_verify_named_crt ( - gnutls_x509_trust_list_t list, - gnutls_x509_crt_t cert, - const void * name, - size_t name_size, - unsigned int flags, - unsigned int *verify, - gnutls_verify_output_function func) +gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert, + const void *name, + size_t name_size, + unsigned int flags, + unsigned int *verify, + gnutls_verify_output_function func) { -gnutls_datum_t dn; -int ret, i; -uint32_t hash; - - ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn); - if (ret < 0) - { - gnutls_assert(); - return ret; + gnutls_datum_t dn; + int ret, i; + uint32_t hash; + + ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn); + if (ret < 0) { + gnutls_assert(); + return ret; } - hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); - hash %= list->size; + hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); + hash %= list->size; - _gnutls_free_datum(&dn); + _gnutls_free_datum(&dn); - *verify = GNUTLS_CERT_INVALID; + *verify = GNUTLS_CERT_INVALID; - for (i=0;i<list->node[hash].named_cert_size;i++) - { - if (check_if_same_cert(cert, list->node[hash].named_certs[i].cert)==0) - { /* check if name matches */ - if (list->node[hash].named_certs[i].name_size==name_size && - memcmp(list->node[hash].named_certs[i].name, name, name_size) == 0) - { + for (i = 0; i < list->node[hash].named_cert_size; i++) { + if (check_if_same_cert(cert, list->node[hash].named_certs[i].cert) == 0) { /* check if name matches */ + if (list->node[hash].named_certs[i].name_size == name_size && + memcmp(list->node[hash].named_certs[i].name, name, + name_size) == 0) { *verify = 0; break; - } + } } } - if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) return 0; - - /* Check revocation of individual certificates. - * start with the last one that we already have its hash - */ - ret = _gnutls_x509_crt_check_revocation (cert, - list->node[hash].crls, - list->node[hash].crl_size, func); - if (ret == 1) - { /* revoked */ - *verify |= GNUTLS_CERT_REVOKED; - *verify |= GNUTLS_CERT_INVALID; - return 0; + if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) + return 0; + + /* Check revocation of individual certificates. + * start with the last one that we already have its hash + */ + ret = _gnutls_x509_crt_check_revocation(cert, + list->node[hash].crls, + list->node[hash].crl_size, + func); + if (ret == 1) { /* revoked */ + *verify |= GNUTLS_CERT_REVOKED; + *verify |= GNUTLS_CERT_INVALID; + return 0; } - return 0; + return 0; } diff --git a/tests/x509cert-tl.c b/tests/x509cert-tl.c index b6ee2e662e..f3936f70be 100644 --- a/tests/x509cert-tl.c +++ b/tests/x509cert-tl.c @@ -205,5 +205,7 @@ doit (void) gnutls_x509_crt_deinit(server_crt); gnutls_x509_trust_list_deinit(tl, 0); + gnutls_global_deinit(); + success("success"); } diff --git a/tests/x509cert.c b/tests/x509cert.c index 2b7c8e8598..8edd71123f 100644 --- a/tests/x509cert.c +++ b/tests/x509cert.c @@ -201,5 +201,7 @@ doit (void) gnutls_x509_crt_deinit(list[i]); gnutls_certificate_free_credentials(x509_cred); + gnutls_global_deinit(); + success("success"); } |