From: Nikos Mavrogiannopoulos Date: Fri, 2 Nov 2012 09:24:16 +0000 (+0100) Subject: CRL verification includes the time checks. X-Git-Tag: gnutls_3_1_4~47 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=115e7a0801179d5d931399448d89831d41fe8a01;p=thirdparty%2Fgnutls.git CRL verification includes the time checks. --- diff --git a/NEWS b/NEWS index 6be3890794..d18b7e89d2 100644 --- a/NEWS +++ b/NEWS @@ -15,6 +15,9 @@ gnutls_certificate_verify_peers3(). ** libgnutls: Added support for extension to establish keys for SRTP. +** libgnutls: gnutls_x509_crl_verify() includes the time +checks. + ** gnutls-cli: Added --local-dns option. ** danetool: Corrected bug that prevented loading PEM files. diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 9e73d91942..21a3a5d860 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -945,10 +945,13 @@ gnutls_certificate_verification_status_print (unsigned int status, _gnutls_buffer_append_str (&str, _("Peer's certificate chain revoked. ")); if (status & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD) - _gnutls_buffer_append_str (&str, _("The revocation data provided by the peer are too old. ")); + _gnutls_buffer_append_str (&str, _("The revocation data are too old. ")); if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID) - _gnutls_buffer_append_str (&str, _("The revocation data provided by the peer are invalid. ")); + _gnutls_buffer_append_str (&str, _("The revocation data are invalid. ")); + + if (status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE) + _gnutls_buffer_append_str (&str, _("The revocation data are issued with a future date. ")); if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) _gnutls_buffer_append_str (&str, _("Peer's certificate issuer is unknown. ")); diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index a64db31fe3..61421b635e 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -448,6 +448,7 @@ extern "C" * @GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: The OCSP revocation data are too old. * @GNUTLS_CERT_REVOCATION_DATA_INVALID: The OCSP revocation data are invalid. * @GNUTLS_CERT_UNEXPECTED_OWNER: The owner is not the expected one. + * @GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: The revocation data have a future issue date. * * Enumeration of certificate status codes. Note that the status * bits may have different meanings in OpenPGP keys and X.509 @@ -455,17 +456,18 @@ extern "C" */ typedef enum { - GNUTLS_CERT_INVALID = 2, - GNUTLS_CERT_REVOKED = 32, - GNUTLS_CERT_SIGNER_NOT_FOUND = 64, - GNUTLS_CERT_SIGNER_NOT_CA = 128, - GNUTLS_CERT_INSECURE_ALGORITHM = 256, - GNUTLS_CERT_NOT_ACTIVATED = 512, - GNUTLS_CERT_EXPIRED = 1024, - GNUTLS_CERT_SIGNATURE_FAILURE = 2048, - GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 4096, - GNUTLS_CERT_REVOCATION_DATA_INVALID = 8192, - GNUTLS_CERT_UNEXPECTED_OWNER = 16384, + GNUTLS_CERT_INVALID = 1<<1, + GNUTLS_CERT_REVOKED = 1<<6, + GNUTLS_CERT_SIGNER_NOT_FOUND = 1<<7, + GNUTLS_CERT_SIGNER_NOT_CA = 1<<8, + GNUTLS_CERT_INSECURE_ALGORITHM = 1<<9, + GNUTLS_CERT_NOT_ACTIVATED = 1<<10, + GNUTLS_CERT_EXPIRED = 1<<11, + GNUTLS_CERT_SIGNATURE_FAILURE = 1<<12, + GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 1<<13, + GNUTLS_CERT_REVOCATION_DATA_INVALID = 1<<14, + GNUTLS_CERT_UNEXPECTED_OWNER = 1<<15, + GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE = 1<<16, } gnutls_certificate_status_t; /** diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 7f39fd8f35..6ff9258f21 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -880,7 +880,8 @@ gnutls_x509_crl_check_issuer (gnutls_x509_crl_t crl, * * This function will try to verify the given crl and return its status. * See gnutls_x509_crt_list_verify() for a detailed description of - * return values. + * return values. Note that since GnuTLS 3.1.4 this function includes + * the time checks. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. @@ -976,6 +977,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl, gnutls_datum_t crl_signature = { NULL, 0 }; gnutls_x509_crt_t issuer; int result, hash_algo; + time_t now = gnutls_time(0); if (output) *output = 0; @@ -1044,7 +1046,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl, gnutls_assert (); /* error. ignore it */ if (output) - *output |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNATURE_FAILURE; + *output |= GNUTLS_CERT_SIGNATURE_FAILURE; result = 0; } else if (result < 0) @@ -1064,12 +1066,21 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl, !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5))) { if (output) - *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID; + *output |= GNUTLS_CERT_INSECURE_ALGORITHM; result = 0; } } + + if (gnutls_x509_crl_get_this_update (crl) > now) + *output |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE; + + if (gnutls_x509_crl_get_next_update (crl) < now) + *output |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD; + cleanup: + if (*output) *output |= GNUTLS_CERT_INVALID; + _gnutls_free_datum (&crl_signed_data); _gnutls_free_datum (&crl_signature); diff --git a/src/certtool.c b/src/certtool.c index 81ec1425a2..826e879f03 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -2089,58 +2089,27 @@ _verify_x509_mem (const void *cert, int cert_size, const void* ca, int ca_size) static void print_verification_res (FILE* outfile, unsigned int output) { - int comma = 0; + gnutls_datum_t pout; + int ret; - if (output & GNUTLS_CERT_INVALID) + if (output) { - fprintf (outfile, "Not verified"); - comma = 1; + fprintf (outfile, "Not verified."); } else { fprintf (outfile, "Verified"); - comma = 1; - } - - if (output & GNUTLS_CERT_SIGNER_NOT_CA) - { - if (comma) - fprintf (outfile, ", "); - fprintf (outfile, "Issuer is not a CA"); - comma = 1; - } - - if (output & GNUTLS_CERT_INSECURE_ALGORITHM) - { - if (comma) - fprintf (outfile, ", "); - fprintf (outfile, "Insecure algorithm"); - comma = 1; - } - - if (output & GNUTLS_CERT_NOT_ACTIVATED) - { - if (comma) - fprintf (outfile, ", "); - fprintf (outfile, "Not activated"); - comma = 1; } - if (output & GNUTLS_CERT_EXPIRED) + ret = gnutls_certificate_verification_status_print( output, GNUTLS_CRT_X509, &pout, 0); + if (ret < 0) { - if (comma) - fprintf (outfile, ", "); - fprintf (outfile, "Expired"); - comma = 1; + fprintf(stderr, "error: %s\n", gnutls_strerror(ret); + exit(EXIT_FAILURE); } - if (output & GNUTLS_CERT_REVOKED) - { - if (comma) - fprintf (outfile, ", "); - fprintf (outfile, "Revoked"); - comma = 1; - } + fprintf (outfile, " %s", pout.data); + gnutls_free(pout.data); } static void @@ -2196,7 +2165,7 @@ verify_crl (common_info_st * cinfo) unsigned int output; int comma = 0; int ret; - gnutls_datum_t pem; + gnutls_datum_t pem, pout; gnutls_x509_crl_t crl; time_t now = time (0); gnutls_x509_crt_t issuer; @@ -2231,51 +2200,24 @@ verify_crl (common_info_st * cinfo) if (ret < 0) error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret)); - if (output & GNUTLS_CERT_INVALID) + if (output) { - fprintf (outfile, "Not verified"); - comma = 1; + fprintf (outfile, "Not verified. "); } else { - fprintf (outfile, "Verified"); - comma = 1; + fprintf (outfile, "Verified."); } - if (output & GNUTLS_CERT_SIGNER_NOT_CA) - { - if (comma) - fprintf (outfile, ", "); - fprintf (outfile, "Issuer is not a CA"); - comma = 1; - } - - if (output & GNUTLS_CERT_INSECURE_ALGORITHM) - { - if (comma) - fprintf (outfile, ", "); - fprintf (outfile, "Insecure algorithm"); - comma = 1; - } - - /* Check expiration dates. - */ - - if (gnutls_x509_crl_get_this_update (crl) > now) + ret = gnutls_certificate_verification_status_print( output, GNUTLS_CRT_X509, &pout, 0); + if (ret < 0) { - if (comma) - fprintf (outfile, ", "); - comma = 1; - fprintf (outfile, "Issued in the future!"); + fprintf(stderr, "error: %s\n", gnutls_strerror(ret); + exit(EXIT_FAILURE); } - if (gnutls_x509_crl_get_next_update (crl) < now) - { - if (comma) - fprintf (outfile, ", "); - comma = 1; - fprintf (outfile, "CRL is not up to date"); - } + fprintf (outfile, " %s", pout.data); + gnutls_free(pout.data); fprintf (outfile, "\n"); }