diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/alert.c | 1 | ||||
| -rw-r--r-- | lib/cert-cred.c | 14 | ||||
| -rw-r--r-- | lib/ext/session_ticket.c | 6 | ||||
| -rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 20 | ||||
| -rw-r--r-- | lib/pk.c | 4 | ||||
| -rw-r--r-- | lib/pkcs11.c | 8 | ||||
| -rw-r--r-- | lib/tls13-sig.c | 2 | ||||
| -rw-r--r-- | lib/tls13/certificate_verify.c | 2 | ||||
| -rw-r--r-- | lib/x509/common.c | 5 | ||||
| -rw-r--r-- | lib/x509/extensions.c | 3 | ||||
| -rw-r--r-- | lib/x509/name_constraints.c | 38 | ||||
| -rw-r--r-- | lib/x509/output.c | 4 | ||||
| -rw-r--r-- | lib/x509/x509.c | 9 | ||||
| -rw-r--r-- | lib/x509/x509_ext.c | 21 |
14 files changed, 83 insertions, 54 deletions
diff --git a/lib/alert.c b/lib/alert.c index 047c976d1b..cfd1205d01 100644 --- a/lib/alert.c +++ b/lib/alert.c @@ -227,6 +227,7 @@ int gnutls_error_to_alert(int err, int *level) case GNUTLS_E_PK_INVALID_PUBKEY: case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM: case GNUTLS_E_RECEIVED_DISALLOWED_NAME: + case GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY: ret = GNUTLS_A_ILLEGAL_PARAMETER; _level = GNUTLS_AL_FATAL; break; diff --git a/lib/cert-cred.c b/lib/cert-cred.c index c34d241fc1..7311737298 100644 --- a/lib/cert-cred.c +++ b/lib/cert-cred.c @@ -804,10 +804,16 @@ void gnutls_certificate_set_retrieve_function2 * or during post-handshake authentication. * * The callback's function prototype is defined in `abstract.h': - * int (*callback)(gnutls_session_t, const struct gnutls_cert_retr_st *info, - * gnutls_pcert_st **certs, unsigned int *pcert_length, - * gnutls_datum_t **ocsp, unsigned int *ocsp_length, - * gnutls_privkey_t * pkey, unsigned int *flags); + * + * int gnutls_certificate_retrieve_function3( + * gnutls_session_t, + * const struct gnutls_cert_retr_st *info, + * gnutls_pcert_st **certs, + * unsigned int *pcert_length, + * gnutls_ocsp_data_st **ocsp, + * unsigned int *ocsp_length, + * gnutls_privkey_t *privkey, + * unsigned int *flags); * * The info field of the callback contains: * @req_ca_dn which is a list with the CA names that the server considers trusted. diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c index 09e240c2d0..98db39ff88 100644 --- a/lib/ext/session_ticket.c +++ b/lib/ext/session_ticket.c @@ -136,7 +136,11 @@ pack_ticket(const struct ticket_st *ticket, gnutls_datum_t *ticket_data) _gnutls_write_uint16(ticket->encrypted_state_len, p); p += 2; - memcpy(p, ticket->encrypted_state, ticket->encrypted_state_len); + /* We use memmove instead of memcpy here because + * ticket->encrypted_state is allocated from + * ticket_data->data, and thus both memory areas may overlap. + */ + memmove(p, ticket->encrypted_state, ticket->encrypted_state_len); p += ticket->encrypted_state_len; memcpy(p, ticket->mac, TICKET_MAC_SIZE); diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 11652a8c2b..f5a5a66acb 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -103,14 +103,14 @@ extern "C" { * @GNUTLS_CIPHER_CAMELLIA_256_CBC: Camellia in CBC mode with 256-bit keys. * @GNUTLS_CIPHER_RC2_40_CBC: RC2 in CBC mode with 40-bit keys. * @GNUTLS_CIPHER_DES_CBC: DES in CBC mode (56-bit keys). - * @GNUTLS_CIPHER_AES_128_GCM: AES in GCM mode with 128-bit keys. - * @GNUTLS_CIPHER_AES_256_GCM: AES in GCM mode with 256-bit keys. - * @GNUTLS_CIPHER_AES_128_CCM: AES in CCM mode with 128-bit keys. - * @GNUTLS_CIPHER_AES_256_CCM: AES in CCM mode with 256-bit keys. - * @GNUTLS_CIPHER_AES_128_CCM_8: AES in CCM mode with 64-bit tag and 128-bit keys. - * @GNUTLS_CIPHER_AES_256_CCM_8: AES in CCM mode with 64-bit tag and 256-bit keys. - * @GNUTLS_CIPHER_CAMELLIA_128_GCM: CAMELLIA in GCM mode with 128-bit keys. - * @GNUTLS_CIPHER_CAMELLIA_256_GCM: CAMELLIA in GCM mode with 256-bit keys. + * @GNUTLS_CIPHER_AES_128_GCM: AES in GCM mode with 128-bit keys (AEAD). + * @GNUTLS_CIPHER_AES_256_GCM: AES in GCM mode with 256-bit keys (AEAD). + * @GNUTLS_CIPHER_AES_128_CCM: AES in CCM mode with 128-bit keys (AEAD). + * @GNUTLS_CIPHER_AES_256_CCM: AES in CCM mode with 256-bit keys (AEAD). + * @GNUTLS_CIPHER_AES_128_CCM_8: AES in CCM mode with 64-bit tag and 128-bit keys (AEAD). + * @GNUTLS_CIPHER_AES_256_CCM_8: AES in CCM mode with 64-bit tag and 256-bit keys (AEAD). + * @GNUTLS_CIPHER_CAMELLIA_128_GCM: CAMELLIA in GCM mode with 128-bit keys (AEAD). + * @GNUTLS_CIPHER_CAMELLIA_256_GCM: CAMELLIA in GCM mode with 256-bit keys (AEAD). * @GNUTLS_CIPHER_SALSA20_256: Salsa20 with 256-bit keys. * @GNUTLS_CIPHER_ESTREAM_SALSA20_256: Estream's Salsa20 variant with 256-bit keys. * @GNUTLS_CIPHER_CHACHA20_POLY1305: The Chacha20 cipher with the Poly1305 authenticator (AEAD). @@ -2579,6 +2579,7 @@ gnutls_psk_set_server_params_function(gnutls_psk_server_credentials_t * @GNUTLS_SAN_IPADDRESS: IP address SAN. * @GNUTLS_SAN_OTHERNAME: OtherName SAN. * @GNUTLS_SAN_DN: DN SAN. + * @GNUTLS_SAN_REGISTERED_ID: RegisteredID. * @GNUTLS_SAN_OTHERNAME_XMPP: Virtual SAN, used by certain functions for convenience. * @GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL: Virtual SAN, used by certain functions for convenience. * @@ -2591,7 +2592,8 @@ typedef enum gnutls_x509_subject_alt_name_t { GNUTLS_SAN_IPADDRESS = 4, GNUTLS_SAN_OTHERNAME = 5, GNUTLS_SAN_DN = 6, - GNUTLS_SAN_MAX = GNUTLS_SAN_DN, + GNUTLS_SAN_REGISTERED_ID = 7, + GNUTLS_SAN_MAX = GNUTLS_SAN_REGISTERED_ID, /* The following are "virtual" subject alternative name types, in that they are represented by an otherName value and an OID. Used by gnutls_x509_crt_get_subject_alt_othername_oid. */ @@ -598,6 +598,10 @@ encode_ber_digest_info(const mac_entry_st * e, uint8_t *tmp_output; int tmp_output_size; + /* prevent asn1_write_value() treating input as string */ + if (digest->size == 0) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + algo = _gnutls_x509_mac_to_oid(e); if (algo == NULL) { gnutls_assert(); diff --git a/lib/pkcs11.c b/lib/pkcs11.c index de5309b296..2ef0e3e025 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -1617,7 +1617,13 @@ _pkcs11_traverse_tokens(find_func_t find_func, void *input, info, flags); if (ret < 0) { gnutls_assert(); - return ret; + pkcs11_close_session(&sinfo); + + /* treat the error as fatal only if + * the token requires login */ + if (l_tinfo.flags & CKF_LOGIN_REQUIRED) + return ret; + continue; } ret = diff --git a/lib/tls13-sig.c b/lib/tls13-sig.c index aee15eaf87..61f9d58209 100644 --- a/lib/tls13-sig.c +++ b/lib/tls13-sig.c @@ -72,7 +72,7 @@ _gnutls13_handshake_verify_data(gnutls_session_t session, ret = _gnutls_session_sign_algo_enabled(session, se->id); if (ret < 0) - return gnutls_assert_val(ret); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); if (se->tls13_ok == 0) /* explicitly prohibited */ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); diff --git a/lib/tls13/certificate_verify.c b/lib/tls13/certificate_verify.c index 7300f88f5d..6c3617c026 100644 --- a/lib/tls13/certificate_verify.c +++ b/lib/tls13/certificate_verify.c @@ -85,7 +85,7 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) se = _gnutls_tls_aid_to_sign_entry(buf.data[0], buf.data[1], get_version(session)); if (se == NULL) { _gnutls_handshake_log("Found unsupported signature (%d.%d)\n", (int)buf.data[0], (int)buf.data[1]); - ret = gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM); + ret = gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); goto cleanup; } diff --git a/lib/x509/common.c b/lib/x509/common.c index 4669d37ad5..3f1a1776c4 100644 --- a/lib/x509/common.c +++ b/lib/x509/common.c @@ -537,6 +537,9 @@ gnutls_x509_subject_alt_name_t _gnutls_x509_san_find_type(char *str_type) return GNUTLS_SAN_OTHERNAME; if (strcmp(str_type, "directoryName") == 0) return GNUTLS_SAN_DN; + if (strcmp(str_type, "registeredID") == 0) + return GNUTLS_SAN_REGISTERED_ID; + return (gnutls_x509_subject_alt_name_t) - 1; } @@ -703,6 +706,8 @@ x509_read_value(ASN1_TYPE c, const char *root, if (result == 0 && allow_null == 0 && len == 0) { /* don't allow null strings */ return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); + } else if (result == 0 && allow_null == 0 && etype == ASN1_ETYPE_OBJECT_ID && len == 1) { + return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); } if (result != ASN1_MEM_ERROR) { diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c index 8506da2b93..c9fef21a12 100644 --- a/lib/x509/extensions.c +++ b/lib/x509/extensions.c @@ -715,6 +715,9 @@ _gnutls_write_general_name(ASN1_TYPE ext, const char *ext_name, case GNUTLS_SAN_IPADDRESS: str = "iPAddress"; break; + case GNUTLS_SAN_REGISTERED_ID: + str = "registeredID"; + break; default: gnutls_assert(); return GNUTLS_E_INTERNAL_ERROR; diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c index d5ce52ee70..dba2fd4b9f 100644 --- a/lib/x509/name_constraints.c +++ b/lib/x509/name_constraints.c @@ -116,7 +116,7 @@ int _gnutls_extract_name_constraints(ASN1_TYPE c2, const char *vstr, { int ret; char tmpstr[128]; - unsigned indx = 0; + unsigned indx; gnutls_datum_t tmp = { NULL, 0 }; unsigned int type; struct name_constraints_node_st *nc, *prev; @@ -127,8 +127,7 @@ int _gnutls_extract_name_constraints(ASN1_TYPE c2, const char *vstr, prev = prev->next; } - do { - indx++; + for (indx=1;;indx++) { snprintf(tmpstr, sizeof(tmpstr), "%s.?%u.base", vstr, indx); ret = @@ -164,7 +163,7 @@ int _gnutls_extract_name_constraints(ASN1_TYPE c2, const char *vstr, } tmp.data = NULL; - } while (ret >= 0); + } if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { gnutls_assert(); @@ -1071,13 +1070,12 @@ static unsigned check_unsupported_constraint2(gnutls_x509_crt_t cert, unsigned san_type; int ret; - idx = 0; found_one = 0; - do { + for (idx=0;;idx++) { name_size = sizeof(name); ret = gnutls_x509_crt_get_subject_alt_name2(cert, - idx++, name, &name_size, &san_type, NULL); + idx, name, &name_size, &san_type, NULL); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) break; else if (ret < 0) @@ -1088,7 +1086,7 @@ static unsigned check_unsupported_constraint2(gnutls_x509_crt_t cert, found_one = 1; break; - } while(ret >= 0); + } if (found_one != 0) return check_unsupported_constraint(nc, type); @@ -1129,11 +1127,11 @@ unsigned found_one; return 1; /* shortcut; no constraints to check */ if (type == GNUTLS_SAN_RFC822NAME) { - idx = found_one = 0; - do { + found_one = 0; + for (idx=0;;idx++) { name_size = sizeof(name); ret = gnutls_x509_crt_get_subject_alt_name2(cert, - idx++, name, &name_size, &san_type, NULL); + idx, name, &name_size, &san_type, NULL); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) break; else if (ret < 0) @@ -1149,7 +1147,7 @@ unsigned found_one; &n); if (t == 0) return gnutls_assert_val(t); - } while(ret >= 0); + } /* there is at least a single e-mail. That means that the EMAIL field will * not be used for verifying the identity of the holder. */ @@ -1190,11 +1188,11 @@ unsigned found_one; return gnutls_assert_val(1); } } else if (type == GNUTLS_SAN_DNSNAME) { - idx = found_one = 0; - do { + found_one = 0; + for (idx=0;;idx++) { name_size = sizeof(name); ret = gnutls_x509_crt_get_subject_alt_name2(cert, - idx++, name, &name_size, &san_type, NULL); + idx, name, &name_size, &san_type, NULL); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) break; else if (ret < 0) @@ -1210,7 +1208,7 @@ unsigned found_one; &n); if (t == 0) return gnutls_assert_val(t); - } while(ret >= 0); + } /* there is at least a single DNS name. That means that the CN will * not be used for verifying the identity of the holder. */ @@ -1256,11 +1254,11 @@ unsigned found_one; return gnutls_assert_val(1); } } else if (type == GNUTLS_SAN_IPADDRESS) { - idx = found_one = 0; - do { + found_one = 0; + for (idx=0;;idx++) { name_size = sizeof(name); ret = gnutls_x509_crt_get_subject_alt_name2(cert, - idx++, name, &name_size, &san_type, NULL); + idx, name, &name_size, &san_type, NULL); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) break; else if (ret < 0) @@ -1275,7 +1273,7 @@ unsigned found_one; t = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_IPADDRESS, &n); if (t == 0) return gnutls_assert_val(t); - } while(ret >= 0); + } /* there is at least a single IP address. */ diff --git a/lib/x509/output.c b/lib/x509/output.c index 6c5055cf22..40ba77b7ea 100644 --- a/lib/x509/output.c +++ b/lib/x509/output.c @@ -144,6 +144,10 @@ print_name(gnutls_buffer_st *str, const char *prefix, unsigned type, gnutls_datu addf(str, _("%sdirectoryName: %.*s\n"), prefix, name->size, NON_NULL(name->data)); break; + case GNUTLS_SAN_REGISTERED_ID: + addf(str, _("%sRegistered ID: %.*s\n"), prefix, name->size, NON_NULL(name->data)); + break; + case GNUTLS_SAN_OTHERNAME_XMPP: addf(str, _("%sXMPP Address: %.*s\n"), prefix, name->size, NON_NULL(name->data)); break; diff --git a/lib/x509/x509.c b/lib/x509/x509.c index 26055e08a3..48ab2a7526 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -1344,7 +1344,7 @@ inline static int is_type_printable(int type) { if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME || type == GNUTLS_SAN_URI || type == GNUTLS_SAN_OTHERNAME_XMPP || - type == GNUTLS_SAN_OTHERNAME) + type == GNUTLS_SAN_OTHERNAME || type == GNUTLS_SAN_REGISTERED_ID) return 1; else return 0; @@ -1657,7 +1657,6 @@ _gnutls_parse_general_name2(ASN1_TYPE src, const char *src_name, len = sizeof(choice_type); result = asn1_read_value(src, nptr, choice_type, &len); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) { return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; @@ -1739,6 +1738,12 @@ _gnutls_parse_general_name2(ASN1_TYPE src, const char *src_name, return ret; } + if (type == GNUTLS_SAN_REGISTERED_ID && tmp.size > 0) { + /* see #805; OIDs contain the null termination byte */ + assert(tmp.data[tmp.size-1] == 0); + tmp.size--; + } + /* _gnutls_x509_read_value() null terminates */ dname->size = tmp.size; dname->data = tmp.data; diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c index aa09ef85f1..6aeb159dba 100644 --- a/lib/x509/x509_ext.c +++ b/lib/x509/x509_ext.c @@ -236,8 +236,7 @@ int gnutls_x509_ext_import_subject_alt_names(const gnutls_datum_t * ext, goto cleanup; } - i = 0; - do { + for (i=0;;i++) { san.data = NULL; san.size = 0; othername_oid.data = NULL; @@ -264,9 +263,7 @@ int gnutls_x509_ext_import_subject_alt_names(const gnutls_datum_t * ext, (char *)othername_oid.data, 1); if (ret < 0) break; - - i++; - } while (ret >= 0); + } sans->size = i; if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { @@ -916,8 +913,7 @@ int gnutls_x509_ext_import_authority_key_id(const gnutls_datum_t * ext, } /* Read authorityCertIssuer */ - i = 0; - do { + for (i=0;;i++) { san.data = NULL; san.size = 0; othername_oid.data = NULL; @@ -944,9 +940,7 @@ int gnutls_x509_ext_import_authority_key_id(const gnutls_datum_t * ext, (char *)othername_oid.data, 1); if (ret < 0) break; - - i++; - } while (ret >= 0); + } aki->cert_issuer.size = i; if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE @@ -2444,8 +2438,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext, snprintf(name, sizeof(name), "?%u.distributionPoint.fullName", (unsigned)i + 1); - j = 0; - do { + for (j=0;;j++) { san.data = NULL; san.size = 0; @@ -2464,9 +2457,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext, if (ret < 0) break; san.data = NULL; /* it is now in cdp */ - - j++; - } while (ret >= 0); + } i++; } while (ret >= 0); |