[git] KSBA - branch, master, updated. libksba-1.3.4-8-geb7833b

by Tomáš Trnka cvs at cvs.gnupg.org
Sun Jul 17 13:27:35 CEST 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "KSBA is a library to access X.509 certificates and CMS data.".

The branch, master has been updated
       via  eb7833b8720cd0831c78d42e993ca878cecf27bc (commit)
      from  ee203f948a6573809672d9e61177145a13b3987d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit eb7833b8720cd0831c78d42e993ca878cecf27bc
Author: Tomáš Trnka <tomastrnka at gmx.com>
Date:   Sun Jul 3 21:27:31 2016 +0200

    Encode OCSP nonce value as an octet string (RFC 6960)
    
    * src/ocsp.c (ksba_ocsp_set_nonce): Stop removing the sign bit.
     (write_request_extensions): Encode nonce as octet string.
     (parse_response_extensions): Decode nonce as octet string.
    --
    
    The type of nonce value was not specified back in RFC 2560, but RFC
    6960 has clarified the situation by requiring an octet string. This
    is also what OpenSSL does since 0.9.7d. Doing the same improves
    interoperability with some responders (and Wireshark packet dissectors).
    
    Signed-off-by: Tomáš Trnka <tomastrnka at gmx.com>

diff --git a/src/ocsp.c b/src/ocsp.c
index 56d2b55..4b26f8d 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -401,10 +401,6 @@ ksba_ocsp_set_nonce (ksba_ocsp_t ocsp, unsigned char *nonce, size_t noncelen)
   if (noncelen)
     {
       memcpy (ocsp->nonce, nonce, noncelen);
-      /* Reset the high bit.  We do this to make sure that we have a
-         positive integer and thus we don't need to prepend a leading
-         zero which would be needed then. */
-      ocsp->nonce[0] &= 0x7f;
     }
   ocsp->noncelen = noncelen;
   return noncelen;
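Review bot: with the `ocsp->nonce[0] &= 0x7f;` mask removed from ksba_ocsp_set_nonce, the removed comment was the only explanation in these lines of how the nonce buffer is treated, and nothing replaces it. A one-line comment at the memcpy saying that the caller's bytes are stored unmodified because the value is now encoded as an OCTET STRING would help the next reader. The summary shows only src/ocsp.c touched, so any API documentation that mentions the cleared high bit should be updated in the same change.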
@@ -492,7 +488,7 @@ write_request_extensions (ksba_ocsp_t ocsp, ksba_writer_t wout)
     err = _ksba_ber_write_tl (w1, TYPE_OCTET_STRING, CLASS_UNIVERSAL, 0,
                               2+ocsp->noncelen);
   if (!err)
-    err = _ksba_ber_write_tl (w1, TYPE_INTEGER, CLASS_UNIVERSAL, 0,
+    err = _ksba_ber_write_tl (w1, TYPE_OCTET_STRING, CLASS_UNIVERSAL, 0,
                               ocsp->noncelen);
   if (!err)
     err = ksba_writer_write (w1, ocsp->nonce, ocsp->noncelen);
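Review bot: the outer length `2+ocsp->noncelen` in write_request_extensions hard-codes a two-byte tag-and-length header for the inner element, which is only correct while noncelen fits a short-form BER length (at most 127 bytes). The inner tag change to TYPE_OCTET_STRING keeps that assumption, so it is worth either deriving the header size from the length or adding a comment here that names where noncelen is capped, so the nested OCTET STRING cannot end up with a wrong outer length if that cap ever changes.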
@@ -907,7 +903,7 @@ parse_response_extensions (ksba_ocsp_t ocsp,
         goto leave;
       if (!strcmp (oid, oidstr_ocsp_nonce))
         {
-          err = parse_integer (&data, &datalen, &ti);
+          err = parse_octet_string (&data, &datalen, &ti);
           if (err)
             goto leave;
           if (ocsp->noncelen != ti.length
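Review bot: in parse_response_extensions the nonce is now accepted only via `parse_octet_string`, so a responder that returns the nonce with the older INTEGER encoding will fail at `goto leave` with a parse error instead of reaching the length comparison. Since the commit message says the type was unspecified under RFC 2560, consider whether the INTEGER form should still be tolerated on input, or state in a comment that it is rejected deliberately and which error the caller sees in that case.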

-----------------------------------------------------------------------

Summary of changes:
 src/ocsp.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)


hooks/post-receive
-- 
KSBA is a library to access X.509 certificates and CMS data.
http://git.gnupg.org



