
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_0-46-g7c86a89


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_0-46-g7c86a89
Date: Sat, 01 Sep 2012 17:07:32 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7c86a89e78b22d18fc828643d93cbe28492b55af

The branch, master has been updated
       via  7c86a89e78b22d18fc828643d93cbe28492b55af (commit)
       via  03db18515c16a542b7b510b99cb34485ca2c1726 (commit)
      from  7121c0e832886fa72c70e02e99d0dc75b23937e3 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 7c86a89e78b22d18fc828643d93cbe28492b55af
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Sep 1 19:07:18 2012 +0200

    Be tolerant of ECDSA-violating signatures.

commit 03db18515c16a542b7b510b99cb34485ca2c1726
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Sep 1 19:06:09 2012 +0200

    Added server mode tests for the various EC curves.

-----------------------------------------------------------------------

Summary of changes:
 lib/abstract_int.h          |    4 +-
 lib/ext/signature.c         |    2 +-
 lib/gnutls_pubkey.c         |   22 ++++++++----
 lib/gnutls_sig.c            |    4 +-
 tests/suite/testcompat-main |   81 +++++++++++++++++++++++++++++++++++++++---
 5 files changed, 95 insertions(+), 18 deletions(-)

diff --git a/lib/abstract_int.h b/lib/abstract_int.h
index c01e983..9b1de33 100644
--- a/lib/abstract_int.h
+++ b/lib/abstract_int.h
@@ -79,8 +79,8 @@ int _gnutls_privkey_get_public_mpis (gnutls_privkey_t key,
                                      gnutls_pk_params_st*);
 
 int pubkey_to_bits(gnutls_pk_algorithm_t pk, gnutls_pk_params_st* params);
-int _gnutls_pubkey_compatible_with_sig(gnutls_pubkey_t pubkey, 
gnutls_protocol_t ver, 
-  gnutls_sign_algorithm_t sign);
+int _gnutls_pubkey_compatible_with_sig(gnutls_session_t, gnutls_pubkey_t 
pubkey, 
+  gnutls_protocol_t ver, gnutls_sign_algorithm_t sign);
 int _gnutls_pubkey_is_over_rsa_512(gnutls_pubkey_t pubkey);
 int
 _gnutls_pubkey_get_mpis (gnutls_pubkey_t key,
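Review bot: The new first parameter of `_gnutls_pubkey_compatible_with_sig` is declared without a name while the other three keep theirs; `int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session, gnutls_pubkey_t pubkey,` would match the definition in lib/gnutls_pubkey.c. The definition's comment says the session may be null, so a short comment on the prototype stating that, `/* session is used only for audit logging and may be NULL */`, would help callers that have no session at hand.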
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index 59e3750..d8a6bcc 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -272,7 +272,7 @@ _gnutls_session_get_sign_algo (gnutls_session_t session, 
gnutls_pcert_st* cert)
     {
       if (gnutls_sign_get_pk_algorithm (priv->sign_algorithms[i]) == cert_algo)
         {
-          if (_gnutls_pubkey_compatible_with_sig(cert->pubkey, ver, 
priv->sign_algorithms[i]) < 0)
+          if (_gnutls_pubkey_compatible_with_sig(session, cert->pubkey, ver, 
priv->sign_algorithms[i]) < 0)
             continue;
 
           if (_gnutls_session_sign_algo_enabled(session, 
priv->sign_algorithms[i]) < 0)
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index b894677..58c4139 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -1545,12 +1545,18 @@ gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
 
 }
 
-
-int _gnutls_pubkey_compatible_with_sig(gnutls_pubkey_t pubkey, 
gnutls_protocol_t ver, 
-  gnutls_sign_algorithm_t sign)
+/* Checks whether the public key given is compatible with the
+ * signature algorithm used. The session is only used for audit logging, and
+ * it may be null.
+ */
+int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session,
+                                       gnutls_pubkey_t pubkey, 
+                                       gnutls_protocol_t ver, 
+                                       gnutls_sign_algorithm_t sign)
 {
 unsigned int hash_size;
 unsigned int hash_algo;
+unsigned int sig_hash_size;
 
   if (pubkey->pk_algorithm == GNUTLS_PK_DSA)
     {
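Review bot: The new header comment does not state the return contract, and this commit changes that contract: in the later hunks of this file a signature hash shorter than the expected size is only audit-logged and no longer answered with `GNUTLS_E_UNWANTED_ALGORITHM`. I would add a line such as `* A signature hash shorter than the one expected for the key is reported through the audit log and is not treated as an error.` so that callers do not rely on a negative return as a hash-strength check. The function body continues outside this hunk.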
@@ -1564,8 +1570,9 @@ unsigned int hash_algo;
         }
       else if (sign != GNUTLS_SIGN_UNKNOWN)
         {
-          if (_gnutls_hash_get_algo_len(gnutls_sign_get_hash_algorithm(sign)) 
< hash_size)
-            return GNUTLS_E_UNWANTED_ALGORITHM;
+          sig_hash_size = 
_gnutls_hash_get_algo_len(gnutls_sign_get_hash_algorithm(sign));
+          if (sig_hash_size < hash_size)
+            _gnutls_audit_log(session, "The hash size used in signature (%u) 
is less than the expected (%u)\n", sig_hash_size, hash_size);
         }
         
     }
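Review bot: The hash-size check in this hunk loses its `return GNUTLS_E_UNWANTED_ALGORITHM` unconditionally, and the hunk appears to belong to the `GNUTLS_PK_DSA` branch opened at the top of the function, although the commit message speaks only of ECDSA. After this change the callers' `ret < 0` tests in lib/ext/signature.c and lib/gnutls_sig.c no longer filter out a signature whose hash is shorter than the key calls for, so the effective strength is bounded by the hash and the only trace is an audit-log line. If the tolerance is meant for ECDSA peers only, the DSA branch could keep rejecting after logging, `return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);`. The same relaxation in the next hunk (the `_gnutls_dsa_q_to_hash` path) would at least deserve a comment saying why the mismatch is accepted. The enclosing branch starts before this hunk, so the first arm of the `if` is not visible here.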
@@ -1574,9 +1581,10 @@ unsigned int hash_algo;
       if (_gnutls_version_has_selectable_sighash (ver) && sign != 
GNUTLS_SIGN_UNKNOWN)
         {
           hash_algo = _gnutls_dsa_q_to_hash (pubkey->pk_algorithm, 
&pubkey->params, &hash_size);
+          sig_hash_size = 
_gnutls_hash_get_algo_len(gnutls_sign_get_hash_algorithm(sign));
 
-          if (_gnutls_hash_get_algo_len(gnutls_sign_get_hash_algorithm(sign)) 
< hash_size)
-            return GNUTLS_E_UNWANTED_ALGORITHM;
+          if (sig_hash_size < hash_size)
+            _gnutls_audit_log(session, "The hash size used in signature (%u) 
is less than the expected (%u)\n", sig_hash_size, hash_size);
         }
         
     }
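Review bot: The audit message added here, and the identical one in the previous hunk, reports only two sizes, which makes the event hard to triage from logs because neither the signature algorithm nor the key type is named. Something like `_gnutls_audit_log(session, "The hash size used in signature %s (%u) is less than the expected (%u)\n", gnutls_sign_algorithm_get_name (sign), sig_hash_size, hash_size);` would identify the offending algorithm, provided the name lookup cannot return NULL for the values that reach this point. `hash_algo` is assigned in this hunk but never read within it. The function continues outside the hunk.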
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 6b5386a..256ca1c 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -320,7 +320,7 @@ _gnutls_handshake_verify_data (gnutls_session_t session, 
gnutls_pcert_st* cert,
       _gnutls_handshake_log ("HSK[%p]: verify handshake data: using %s\n",
                     session, gnutls_sign_algorithm_get_name (sign_algo));
 
-      ret = _gnutls_pubkey_compatible_with_sig(cert->pubkey, ver, sign_algo);
+      ret = _gnutls_pubkey_compatible_with_sig(session, cert->pubkey, ver, 
sign_algo);
       if (ret < 0)
         return gnutls_assert_val(ret);
 
@@ -639,7 +639,7 @@ _gnutls_handshake_sign_crt_vrfy (gnutls_session_t session,
     _gnutls_hash_deinit (&td_sha, &concat[16]);
 
   /* ensure 1024 bit DSA keys are used */
-  ret = _gnutls_pubkey_compatible_with_sig(cert->pubkey, ver, 
GNUTLS_SIGN_UNKNOWN);
+  ret = _gnutls_pubkey_compatible_with_sig(session, cert->pubkey, ver, 
GNUTLS_SIGN_UNKNOWN);
   if (ret < 0)
     return gnutls_assert_val(ret);
 
diff --git a/tests/suite/testcompat-main b/tests/suite/testcompat-main
index 06de7b7..1b1f5e6 100755
--- a/tests/suite/testcompat-main
+++ b/tests/suite/testcompat-main
@@ -59,6 +59,9 @@ CA_ECC_CERT=$srcdir/../certs/ca-cert-ecc.pem
 ECC224_CERT=$srcdir/../certs/cert-ecc.pem
 ECC224_KEY=$srcdir/../certs/ecc.pem
 
+ECC256_CERT=$srcdir/../certs/cert-ecc256.pem
+ECC256_KEY=$srcdir/../certs/ecc256.pem
+
 ECC521_CERT=$srcdir/../certs/cert-ecc521.pem
 ECC521_KEY=$srcdir/../certs/ecc521.pem
 
@@ -374,12 +377,45 @@ $OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT 
-cert $CLI_CERT -key $C
 kill $PID
 wait
 
-echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite"
-launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC_CERT --x509keyfile $ECC_KEY --x509cafile $CA_ECC_CERT & 
PID=$!
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC224_CERT 
-key $ECC224_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC256_CERT 
-key $ECC256_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC384_CERT 
-key $ECC384_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
 wait_server $PID
 
 #-cipher ECDHE-ECDSA-AES128-SHA 
-$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC_CERT -key 
$ECC_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC521_CERT 
-key $ECC521_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
   fail $PID "Failed"
 
 kill $PID
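Review bot: Each new curve case fails only when the client output contains `:error:`, so a run in which `s_client` stops for another reason, or in which the server never came up with the intended key, would still count as a pass. Checking the client's exit status in addition to the grep, and quoting `"$ECC224_CERT"` and the other certificate variables, would make the four cases here and the four TLS 1.2 cases in the next hunk assert what their echo lines claim. The `#-cipher ECDHE-ECDSA-AES128-SHA` line is copied into every case as a dead comment; either enable it or drop it.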
@@ -418,12 +454,45 @@ $OPENSSL_CLI s_client  -host localhost -tls1_2 -port 
$PORT -cert $CLI_CERT -key
 kill $PID
 wait
 
-echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite"
-launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC_CERT --x509keyfile $ECC_KEY --x509cafile $CA_ECC_CERT & 
PID=$!
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC224_CERT 
-key $ECC224_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC256_CERT 
-key $ECC256_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC384_CERT 
-key $ECC384_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
 wait_server $PID
 
 #-cipher ECDHE-ECDSA-AES128-SHA 
-$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC_CERT 
-key $ECC_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC521_CERT 
-key $ECC521_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
   fail $PID "Failed"
 
 kill $PID


hooks/post-receive
-- 
GNU gnutls


