diff options
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | doc/TODO | 1 | ||||
-rw-r--r-- | doc/tex/Makefile.am | 2 | ||||
-rw-r--r-- | lib/auth_cert.c | 44 | ||||
-rw-r--r-- | lib/auth_rsa_export.c | 16 | ||||
-rw-r--r-- | lib/gnutls.h.in.in | 2 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 4 | ||||
-rw-r--r-- | lib/gnutls_int.h | 2 | ||||
-rw-r--r-- | lib/gnutls_mem.h | 17 | ||||
-rw-r--r-- | lib/gnutls_mpi.c | 4 | ||||
-rw-r--r-- | lib/gnutls_mpi.h | 4 | ||||
-rw-r--r-- | lib/gnutls_x509.c | 8 | ||||
-rw-r--r-- | libextra/gnutls_openpgp.c | 4 | ||||
-rw-r--r-- | src/serv.c | 19 |
14 files changed, 77 insertions, 51 deletions
@@ -3,6 +3,7 @@ Version 0.9.99 and gnutls_server_name_get() prototypes. - Exported the gnutls_x509_privkey_sign_data(), gnutls_x509_privkey_verify_data() and gnutls_x509_crt_verify_data(). +- Some fixes in the openpgp authentication. Version 0.9.98 (16/11/2003) - The openssl compatibility layer was moved to gnutls-openssl @@ -8,6 +8,7 @@ Current list: of the certificate selection part. * Add gnutls_certificate_set_openpgp_key() and gnutls_certificate_set_openpgp_keyring() functions, similar to gnutls_certificate_set_x509_key(). +* Add gnutls_openpgp_key_get_key_usage(). * Add support for generating and handling DSA keys * Convert documentation to texinfo format * Audit the code diff --git a/doc/tex/Makefile.am b/doc/tex/Makefile.am index 513d98a663..741d8944b0 100644 --- a/doc/tex/Makefile.am +++ b/doc/tex/Makefile.am @@ -18,7 +18,7 @@ TEX_OBJECTS = gnutls.tex ../../lib/gnutls-api.tex fdl.tex ../../lib/x509/x509-ap memory.tex openpgp.tex x509.tex howto.tex openssl.tex \ appendix.tex x509cert.xml.tex pgpcert.xml.tex \ programs.tex library.tex certificate.tex record_weaknesses.tex \ - tlsintro.tex compression.tex $(EXAMPLE_OBJECTS) \ + tlsintro.tex compression.tex $(EXAMPLE_OBJECTS) preface.tex \ tls_extensions.tex srp.tex preparation.tex callbacks.tex gnutls.html: build_api_pgp build_api_lib build_api_x509 build_api_extra $(TEX_OBJECTS) diff --git a/lib/auth_cert.c b/lib/auth_cert.c index 1508ec38b7..f289026e7d 100644 --- a/lib/auth_cert.c +++ b/lib/auth_cert.c @@ -292,6 +292,8 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session, if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) { + /* Makes the issuers_dn stuff. + */ do { /* This works like DECR_LEN() */ @@ -314,12 +316,14 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session, } while (issuers_dn_len < MAX_ISSUERS); - my_certs = - gnutls_alloca(cred->ncerts * sizeof(gnutls_datum)); - if (my_certs == NULL) { - result = GNUTLS_E_MEMORY_ERROR; - gnutls_assert(); - goto error; + if (cred->ncerts != 0) { + my_certs = + gnutls_alloca(cred->ncerts * sizeof(gnutls_datum)); + if (my_certs == NULL) { + result = GNUTLS_E_MEMORY_ERROR; + gnutls_assert(); + goto error; + } } /* put the requested DNs to req_dn, only in case @@ -362,12 +366,18 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session, issuers_dn = NULL; } - /* maps j -> i */ - ij_map = gnutls_alloca(sizeof(int) * cred->ncerts); - if (ij_map == NULL) { - result = GNUTLS_E_MEMORY_ERROR; - gnutls_assert(); - goto error; + /* If not certificates are present. + */ + /* maps j -> i + */ + + if (cred->ncerts != 0) { + ij_map = gnutls_alloca(sizeof(int) * cred->ncerts); + if (ij_map == NULL) { + result = GNUTLS_E_MEMORY_ERROR; + gnutls_assert(); + goto error; + } } /* put our certificate's issuer and dn into cdn, idn @@ -405,12 +415,14 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session, * This will make it relative to the certificates * we've got. */ - if (indx != -1) + if (indx != -1 && cred->ncerts != 0) indx = ij_map[indx]; + else + indx = -1; - gnutls_afree(my_certs); - gnutls_afree(ij_map); - gnutls_afree(issuers_dn); + if (my_certs) gnutls_afree(my_certs); + if (ij_map) gnutls_afree(ij_map); + if (issuers_dn) gnutls_afree(issuers_dn); } *ind = indx; diff --git a/lib/auth_rsa_export.c b/lib/auth_rsa_export.c index 66d4f25280..3ae0096690 100644 --- a/lib/auth_rsa_export.c +++ b/lib/auth_rsa_export.c @@ -99,6 +99,7 @@ static int gen_rsa_export_server_kx(gnutls_session session, opaque ** data) * of 512 bits or less. */ if ( _gnutls_mpi_get_nbits( apr_pkey->params[0]) <= 512) { + gnutls_assert(); return GNUTLS_E_INT_RET_0; } @@ -108,7 +109,8 @@ static int gen_rsa_export_server_kx(gnutls_session session, opaque ** data) return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS; } - if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_CERTIFICATE, sizeof( CERTIFICATE_AUTH_INFO_INT), 0)) < 0) { + if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_CERTIFICATE, + sizeof( CERTIFICATE_AUTH_INFO_INT), 0)) < 0) { gnutls_assert(); return ret; } @@ -167,7 +169,7 @@ static int gen_rsa_export_server_kx(gnutls_session session, opaque ** data) return GNUTLS_E_MEMORY_ERROR; } - _gnutls_write_datum16(&(*data)[data_size], signature); + _gnutls_write_datum16(&((*data)[data_size]), signature); data_size += signature.size + 2; _gnutls_free_datum(&signature); @@ -265,10 +267,6 @@ static int proc_rsa_export_server_kx(gnutls_session session, opaque * data, DECR_LEN( data_size, n_m); data_m = &data[i]; i += n_m; - if (i > data_size) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } DECR_LEN( data_size, 2); n_e = _gnutls_read_uint16(&data[i]); @@ -277,10 +275,6 @@ static int proc_rsa_export_server_kx(gnutls_session session, opaque * data, DECR_LEN( data_size, n_e); data_e = &data[i]; i += n_e; - if (i > data_size) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } _n_e = n_e; _n_m = n_m; @@ -297,7 +291,7 @@ static int proc_rsa_export_server_kx(gnutls_session session, opaque * data, ret=_gnutls_rsa_export_set_modulus_bits( session, _gnutls_mpi_get_nbits( session->key->rsa[0])); - if (ret<0) { + if (ret < 0) { gnutls_assert(); return ret; } diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in index 5c53a61575..07b7ec4803 100644 --- a/lib/gnutls.h.in.in +++ b/lib/gnutls.h.in.in @@ -85,7 +85,7 @@ typedef enum gnutls_digest_algorithm { GNUTLS_DIG_NULL=1, GNUTLS_DIG_MD5, /* exported for other gnutls headers. This is the maximum number * of algorithms (ciphers, kx or macs). */ -#define GNUTLS_MAX_ALGORITHM_NUM 10 +#define GNUTLS_MAX_ALGORITHM_NUM 16 typedef enum gnutls_compression_method { GNUTLS_COMP_NULL=1, GNUTLS_COMP_ZLIB, diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 872e3b854b..2296914feb 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -2317,8 +2317,9 @@ int _gnutls_remove_unwanted_ciphersuites(gnutls_session session, */ cert = NULL; - if (session->security_parameters.entity == GNUTLS_SERVER) + if (session->security_parameters.entity == GNUTLS_SERVER) { cert = _gnutls_server_find_cert(session, requested_pk_algo); + } if (cert == NULL) { /* No certificate was found @@ -2371,7 +2372,6 @@ int _gnutls_remove_unwanted_ciphersuites(gnutls_session session, * is compatible with the certificate. */ for (j = 0; j < alg_size; j++) { - if (alg[j] == kx) { keep = 0; break; diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 0929dd6f11..8f7aa0dc5a 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -156,7 +156,7 @@ typedef struct { /* This is the maximum number of algorithms (ciphers or macs etc). * keep it synced with GNUTLS_MAX_ALGORITHM_NUM in gnutls.h */ -#define MAX_ALGOS 10 +#define MAX_ALGOS 16 #define MAX_CIPHERSUITES 256 diff --git a/lib/gnutls_mem.h b/lib/gnutls_mem.h index 2526ec8d58..959757a27f 100644 --- a/lib/gnutls_mem.h +++ b/lib/gnutls_mem.h @@ -11,15 +11,24 @@ typedef void svoid; /* for functions that allocate using gnutls_secure_malloc */ * memory leaks may occur in systems which do not * support alloca. */ +#ifdef USE_EFENCE +# define gnutls_alloca gnutls_malloc +# define gnutls_afree gnutls_free +#endif + #ifdef HAVE_ALLOCA # ifdef HAVE_ALLOCA_H # include <alloca.h> # endif -# define gnutls_alloca alloca -# define gnutls_afree(x) +# ifndef gnutls_alloca +# define gnutls_alloca alloca +# define gnutls_afree(x) +# endif #else -# define gnutls_alloca gnutls_malloc -# define gnutls_afree gnutls_free +# ifndef gnutls_alloca +# define gnutls_alloca gnutls_malloc +# define gnutls_afree gnutls_free +# endif #endif /* HAVE_ALLOCA */ typedef void* (*gnutls_alloc_function)(size_t); diff --git a/lib/gnutls_mpi.c b/lib/gnutls_mpi.c index c6149396f9..337f396c94 100644 --- a/lib/gnutls_mpi.c +++ b/lib/gnutls_mpi.c @@ -71,7 +71,7 @@ int ret; return 0; } -int _gnutls_mpi_print( opaque *buffer, size_t *nbytes, const GNUTLS_MPI a ) +int _gnutls_mpi_print( void *buffer, size_t *nbytes, const GNUTLS_MPI a ) { int ret; @@ -82,7 +82,7 @@ int ret; } /* Always has the first bit zero */ -int _gnutls_mpi_print_lz( opaque *buffer, size_t *nbytes, const GNUTLS_MPI a ) +int _gnutls_mpi_print_lz( void *buffer, size_t *nbytes, const GNUTLS_MPI a ) { int ret; diff --git a/lib/gnutls_mpi.h b/lib/gnutls_mpi.h index 07333349d5..2ac9eae663 100644 --- a/lib/gnutls_mpi.h +++ b/lib/gnutls_mpi.h @@ -32,8 +32,8 @@ void _gnutls_mpi_release( GNUTLS_MPI* x); int _gnutls_mpi_scan( GNUTLS_MPI *ret_mpi, const opaque *buffer, size_t *nbytes ); int _gnutls_mpi_scan_pgp( GNUTLS_MPI *ret_mpi, const opaque *buffer, size_t *nbytes ); -int _gnutls_mpi_print( opaque *buffer, size_t *nbytes, const GNUTLS_MPI a ); -int _gnutls_mpi_print_lz( opaque *buffer, size_t *nbytes, const GNUTLS_MPI a ); +int _gnutls_mpi_print( void *buffer, size_t *nbytes, const GNUTLS_MPI a ); +int _gnutls_mpi_print_lz( void *buffer, size_t *nbytes, const GNUTLS_MPI a ); #endif diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index 1bfadf9f05..b09f4df2fa 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c @@ -1003,17 +1003,21 @@ int _gnutls_check_key_usage( const gnutls_cert* cert, * type algorithm, and key's usage does not permit * encipherment, then fail. */ - if (!(keyUsage & KEY_KEY_ENCIPHERMENT)) + if (!(keyUsage & KEY_KEY_ENCIPHERMENT)) { + gnutls_assert(); return GNUTLS_E_KEY_USAGE_VIOLATION; + } } if ( encipher_type == CIPHER_SIGN) { /* The same as above, but for sign only keys */ - if (!(keyUsage & KEY_DIGITAL_SIGNATURE)) + if (!(keyUsage & KEY_DIGITAL_SIGNATURE)) { + gnutls_assert(); return GNUTLS_E_KEY_USAGE_VIOLATION; + } } } } diff --git a/libextra/gnutls_openpgp.c b/libextra/gnutls_openpgp.c index 075b8666e7..a8f5c86c57 100644 --- a/libextra/gnutls_openpgp.c +++ b/libextra/gnutls_openpgp.c @@ -261,10 +261,10 @@ openpgp_pk_to_gnutls_cert( gnutls_cert *cert, cdk_pkt_pubkey_t pk ) if( is_DSA(pk->pubkey_algo) || pk->pubkey_algo == GCRY_PK_RSA_S ) cert->keyUsage = KEY_DIGITAL_SIGNATURE; else if( pk->pubkey_algo == GCRY_PK_RSA_E ) - cert->keyUsage = KEY_ENCIPHER_ONLY; + cert->keyUsage = KEY_KEY_ENCIPHERMENT; else if( pk->pubkey_algo == GCRY_PK_RSA ) cert->keyUsage = KEY_DIGITAL_SIGNATURE - | KEY_ENCIPHER_ONLY; + | KEY_KEY_ENCIPHERMENT; cert->params_size = cdk_pk_get_npkey( pk->pubkey_algo ); for( i = 0; i < cert->params_size; i++ ) { diff --git a/src/serv.c b/src/serv.c index 0125e19c26..a3af0a0fe5 100644 --- a/src/serv.c +++ b/src/serv.c @@ -105,9 +105,9 @@ char *x509_crlfile = NULL; #define RENEGOTIATE /* These are global */ -gnutls_srp_server_credentials srp_cred; -gnutls_anon_server_credentials dh_cred; -gnutls_certificate_credentials cert_cred; +gnutls_srp_server_credentials srp_cred = NULL; +gnutls_anon_server_credentials dh_cred = NULL; +gnutls_certificate_credentials cert_cred = NULL; const int ssl_session_cache = 128; @@ -295,8 +295,12 @@ gnutls_session initialize_session(void) gnutls_certificate_type_set_priority(session, cert_type_priority); gnutls_credentials_set(session, GNUTLS_CRD_ANON, dh_cred); - gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred); - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred); + + if (srp_cred != NULL) + gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred); + + if (cert_cred != NULL) + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred); gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST); @@ -667,9 +671,9 @@ int main(int argc, char **argv) * Read README.crypt prior to using SRP. */ #ifdef ENABLE_SRP - gnutls_srp_allocate_server_credentials(&srp_cred); + if (srp_passwd != NULL) { + gnutls_srp_allocate_server_credentials(&srp_cred); - if (srp_passwd != NULL) if ((ret = gnutls_srp_set_server_credentials_file(srp_cred, srp_passwd, srp_passwd_conf)) < 0) { @@ -678,6 +682,7 @@ int main(int argc, char **argv) fprintf(stderr, "Error while setting SRP parameters\n"); GERR(ret); } + } #endif #ifdef ENABLE_ANON |