[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, gnutls_3_0_x-2, updated. gnutls_3_0_22-19-g5bd5
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, gnutls_3_0_x-2, updated. gnutls_3_0_22-19-g5bd518d |
|
Date: |
Sat, 01 Sep 2012 17:14:54 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=5bd518deaab699d46164f9e82744f482f3dabde7
The branch, gnutls_3_0_x-2 has been updated
via 5bd518deaab699d46164f9e82744f482f3dabde7 (commit)
via 5716be97d8583209baaeaded7d15dff5ecae5305 (commit)
via a664bc7e1b3ded3caa0eeec69450308b5eb03cc8 (commit)
via e924836de7eec63a3297376db5a0eef27a76823b (commit)
from 813f46eb7afb73db5ced786ae3959855ffc56c25 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 5bd518deaab699d46164f9e82744f482f3dabde7
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Sep 1 19:07:18 2012 +0200
Be tolerant in ECDSA-violating signatures.
commit 5716be97d8583209baaeaded7d15dff5ecae5305
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Sep 1 19:06:09 2012 +0200
Added server mode tests for the various EC curves.
commit a664bc7e1b3ded3caa0eeec69450308b5eb03cc8
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Sep 1 11:27:51 2012 +0200
Added suite for ECDSA under various curves
commit e924836de7eec63a3297376db5a0eef27a76823b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Sep 1 10:33:45 2012 +0200
documented fix
-----------------------------------------------------------------------
Summary of changes:
NEWS | 6 ++
lib/abstract_int.h | 4 +-
lib/ext/signature.c | 2 +-
lib/gnutls_pubkey.c | 22 ++++--
lib/gnutls_sig.c | 4 +-
tests/certs/cert-ecc256.pem | 18 +++++
tests/certs/cert-ecc384.pem | 19 +++++
tests/certs/cert-ecc521.pem | 19 +++++
tests/certs/ecc256.pem | 37 ++++++++++
tests/certs/ecc384.pem | 41 +++++++++++
tests/certs/ecc521.pem | 45 +++++++++++++
tests/suite/testcompat-main | 154 +++++++++++++++++++++++++++++++++++++++----
12 files changed, 345 insertions(+), 26 deletions(-)
create mode 100644 tests/certs/cert-ecc256.pem
create mode 100644 tests/certs/cert-ecc384.pem
create mode 100644 tests/certs/cert-ecc521.pem
create mode 100644 tests/certs/ecc256.pem
create mode 100644 tests/certs/ecc384.pem
create mode 100644 tests/certs/ecc521.pem
diff --git a/NEWS b/NEWS
index 17f023c..a971972 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,12 @@ See the end for copying conditions.
* Version 3.0.23 (unreleased)
+** gnutls-serv: Listens on IPv6. Patch by Bernhard R. Link.
+
+** libgnutls: Be tolerant in ECDSA signature violations (e.g. using
+SHA256 with a SECP384 curve instead of SHA-384), to interoperate with
+openssl.
+
** libgnutls: Fixed DSA and ECDSA signature generation in
smart cards.
diff --git a/lib/abstract_int.h b/lib/abstract_int.h
index 429d27e..7a42b09 100644
--- a/lib/abstract_int.h
+++ b/lib/abstract_int.h
@@ -29,8 +29,8 @@ int _gnutls_privkey_get_public_mpis (gnutls_privkey_t key,
gnutls_pk_params_st*);
int pubkey_to_bits(gnutls_pk_algorithm_t pk, gnutls_pk_params_st* params);
-int _gnutls_pubkey_compatible_with_sig(gnutls_pubkey_t pubkey,
gnutls_protocol_t ver,
- gnutls_sign_algorithm_t sign);
+int _gnutls_pubkey_compatible_with_sig(gnutls_session_t, gnutls_pubkey_t
pubkey,
+ gnutls_protocol_t ver, gnutls_sign_algorithm_t sign);
int _gnutls_pubkey_is_over_rsa_512(gnutls_pubkey_t pubkey);
int
_gnutls_pubkey_get_mpis (gnutls_pubkey_t key,
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index d52091a..46dc5a6 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -271,7 +271,7 @@ _gnutls_session_get_sign_algo (gnutls_session_t session,
gnutls_pcert_st* cert)
{
if (_gnutls_sign_get_pk_algorithm (priv->sign_algorithms[i]) ==
cert_algo)
{
- if (_gnutls_pubkey_compatible_with_sig(cert->pubkey, ver,
priv->sign_algorithms[i]) < 0)
+ if (_gnutls_pubkey_compatible_with_sig(session, cert->pubkey, ver,
priv->sign_algorithms[i]) < 0)
continue;
if (_gnutls_session_sign_algo_enabled(session,
priv->sign_algorithms[i]) < 0)
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index 39246f7..f2be130 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -1506,12 +1506,18 @@ gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
}
-
-int _gnutls_pubkey_compatible_with_sig(gnutls_pubkey_t pubkey,
gnutls_protocol_t ver,
- gnutls_sign_algorithm_t sign)
+/* Checks whether the public key given is compatible with the
+ * signature algorithm used. The session is only used for audit logging, and
+ * it may be null.
+ */
+int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session,
+ gnutls_pubkey_t pubkey,
+ gnutls_protocol_t ver,
+ gnutls_sign_algorithm_t sign)
{
unsigned int hash_size;
unsigned int hash_algo;
+unsigned int sig_hash_size;
if (pubkey->pk_algorithm == GNUTLS_PK_DSA)
{
@@ -1525,8 +1531,9 @@ unsigned int hash_algo;
}
else if (sign != GNUTLS_SIGN_UNKNOWN)
{
- if (_gnutls_hash_get_algo_len(_gnutls_sign_get_hash_algorithm(sign))
< hash_size)
- return GNUTLS_E_UNWANTED_ALGORITHM;
+ sig_hash_size =
_gnutls_hash_get_algo_len(_gnutls_sign_get_hash_algorithm(sign));
+ if (sig_hash_size < hash_size)
+ _gnutls_audit_log(session, "The hash size used in signature (%u)
is less than the expected (%u)\n", sig_hash_size, hash_size);
}
}
@@ -1535,9 +1542,10 @@ unsigned int hash_algo;
if (_gnutls_version_has_selectable_sighash (ver) && sign !=
GNUTLS_SIGN_UNKNOWN)
{
hash_algo = _gnutls_dsa_q_to_hash (pubkey->pk_algorithm,
&pubkey->params, &hash_size);
+ sig_hash_size =
_gnutls_hash_get_algo_len(_gnutls_sign_get_hash_algorithm(sign));
- if (_gnutls_hash_get_algo_len(_gnutls_sign_get_hash_algorithm(sign))
< hash_size)
- return GNUTLS_E_UNWANTED_ALGORITHM;
+ if (sig_hash_size < hash_size)
+ _gnutls_audit_log(session, "The hash size used in signature (%u)
is less than the expected (%u)\n", sig_hash_size, hash_size);
}
}
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index b30dcc3..5a78e02 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -360,7 +360,7 @@ _gnutls_handshake_verify_data (gnutls_session_t session,
gnutls_pcert_st* cert,
_gnutls_handshake_log ("HSK[%p]: verify handshake data: using %s\n",
session, gnutls_sign_algorithm_get_name (sign_algo));
- ret = _gnutls_pubkey_compatible_with_sig(cert->pubkey, ver, sign_algo);
+ ret = _gnutls_pubkey_compatible_with_sig(session, cert->pubkey, ver,
sign_algo);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -677,7 +677,7 @@ _gnutls_handshake_sign_crt_vrfy (gnutls_session_t session,
_gnutls_hash_deinit (&td_sha, &concat[16]);
/* ensure 1024 bit DSA keys are used */
- ret = _gnutls_pubkey_compatible_with_sig(cert->pubkey, ver,
GNUTLS_SIGN_UNKNOWN);
+ ret = _gnutls_pubkey_compatible_with_sig(session, cert->pubkey, ver,
GNUTLS_SIGN_UNKNOWN);
if (ret < 0)
return gnutls_assert_val(ret);
diff --git a/tests/certs/cert-ecc256.pem b/tests/certs/cert-ecc256.pem
new file mode 100644
index 0000000..3f5cbc1
--- /dev/null
+++ b/tests/certs/cert-ecc256.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAoagAwIBAgIBBzAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
+A1UEChMGR251VExTMSUwIwYDVQQLExxHbnVUTFMgY2VydGlmaWNhdGUgYXV0aG9y
+aXR5MQ8wDQYDVQQIEwZMZXV2ZW4xJTAjBgNVBAMTHEdudVRMUyBjZXJ0aWZpY2F0
+ZSBhdXRob3JpdHkwIhgPMjAxMjA5MDEwOTIyMzZaGA8yMDE5MTAwNTA5MjIzNlow
+gbgxCzAJBgNVBAYTAkdSMRIwEAYDVQQKEwlLb2tvIGluYy4xFzAVBgNVBAsTDnNs
+ZWVwaW5nIGRlcHQuMQ8wDQYDVQQIEwZBdHRpa2kxFTATBgNVBAMTDENpbmR5IExh
+dXBlcjEXMBUGCgmSJomT8ixkAQETB2NsYXVwZXIxDDAKBgNVBAwTA0RyLjEPMA0G
+A1UEQRMGamFja2FsMRwwGgYJKoZIhvcNAQkBFg1ub25lQG5vbmUub3JnMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEPBVvHUg+ZFkTLG0EGjgNMFzkP1XL2RcVRnJx
+ksH4xjM9BC7IwQ/AUAR7n8lItUD6b5OCWWFeclfLgwa9zIKUwaOBtjCBszAMBgNV
+HRMBAf8EAjAAMD0GA1UdEQQ2MDSCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFu
+b25lLm9yZ4IJbG9jYWxob3N0hwTAqAEBMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8G
+A1UdDwEB/wQFAwMHgAAwHQYDVR0OBBYEFKz6R2fGG0F5Elf3rAXBUOKO0A5bMB8G
+A1UdIwQYMBaAFPC0gf6YEr+1KLlkQAPLzB9mTigDMAoGCCqGSM49BAMCA0gAMEUC
+ICgq4CTInkRQ1DaFoI8wmu2KP8445NWRXKouag2WJSFzAiEAx4KxaoZJNVfBBSc4
+bA9XTz/2OnpgAZutUohNNb/tmRE=
+-----END CERTIFICATE-----
diff --git a/tests/certs/cert-ecc384.pem b/tests/certs/cert-ecc384.pem
new file mode 100644
index 0000000..29b057b
--- /dev/null
+++ b/tests/certs/cert-ecc384.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAqOgAwIBAgIBBzAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
+A1UEChMGR251VExTMSUwIwYDVQQLExxHbnVUTFMgY2VydGlmaWNhdGUgYXV0aG9y
+aXR5MQ8wDQYDVQQIEwZMZXV2ZW4xJTAjBgNVBAMTHEdudVRMUyBjZXJ0aWZpY2F0
+ZSBhdXRob3JpdHkwIhgPMjAxMjA5MDEwOTIyMzFaGA8yMDE5MTAwNTA5MjIzMVow
+gbgxCzAJBgNVBAYTAkdSMRIwEAYDVQQKEwlLb2tvIGluYy4xFzAVBgNVBAsTDnNs
+ZWVwaW5nIGRlcHQuMQ8wDQYDVQQIEwZBdHRpa2kxFTATBgNVBAMTDENpbmR5IExh
+dXBlcjEXMBUGCgmSJomT8ixkAQETB2NsYXVwZXIxDDAKBgNVBAwTA0RyLjEPMA0G
+A1UEQRMGamFja2FsMRwwGgYJKoZIhvcNAQkBFg1ub25lQG5vbmUub3JnMHYwEAYH
+KoZIzj0CAQYFK4EEACIDYgAEBdFp7VW/awwLHqaOT6qzraO12SYSPvIXu/4R0oBA
+ygamgH1/0nuW/ZKNQYfmiPtnLickPpVGaRBvoTEyAq858FmuTCFE2Kft0/En+Dpk
+6md6yd+7EqqztcvY2Gw4zPNwo4G2MIGzMAwGA1UdEwEB/wQCMAAwPQYDVR0RBDYw
+NIIMd3d3Lm5vbmUub3JnghN3d3cubW9yZXRoYW5vbmUub3Jngglsb2NhbGhvc3SH
+BMCoAQEwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNV
+HQ4EFgQUR6LCq3Gbiil4XRkgb6gdSskwQIQwHwYDVR0jBBgwFoAU8LSB/pgSv7Uo
+uWRAA8vMH2ZOKAMwCgYIKoZIzj0EAwIDSQAwRgIhAL4FmNCgnUEnkfJAysOLApVT
+bOYXH1dnJ6j3FKxMXM+jAiEAtcWWV7yqvihzxptUdWMcg1kuZanf9VHuWmUMuUcc
+Nnk=
+-----END CERTIFICATE-----
diff --git a/tests/certs/cert-ecc521.pem b/tests/certs/cert-ecc521.pem
new file mode 100644
index 0000000..3fc1778
--- /dev/null
+++ b/tests/certs/cert-ecc521.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAsmgAwIBAgIBBzAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
+A1UEChMGR251VExTMSUwIwYDVQQLExxHbnVUTFMgY2VydGlmaWNhdGUgYXV0aG9y
+aXR5MQ8wDQYDVQQIEwZMZXV2ZW4xJTAjBgNVBAMTHEdudVRMUyBjZXJ0aWZpY2F0
+ZSBhdXRob3JpdHkwIhgPMjAxMjA5MDEwOTIyMjRaGA8yMDE5MTAwNTA5MjIyNFow
+gbgxCzAJBgNVBAYTAkdSMRIwEAYDVQQKEwlLb2tvIGluYy4xFzAVBgNVBAsTDnNs
+ZWVwaW5nIGRlcHQuMQ8wDQYDVQQIEwZBdHRpa2kxFTATBgNVBAMTDENpbmR5IExh
+dXBlcjEXMBUGCgmSJomT8ixkAQETB2NsYXVwZXIxDDAKBgNVBAwTA0RyLjEPMA0G
+A1UEQRMGamFja2FsMRwwGgYJKoZIhvcNAQkBFg1ub25lQG5vbmUub3JnMIGbMBAG
+ByqGSM49AgEGBSuBBAAjA4GGAAQAoapA9bLQHQiI8V2mIzs9sq80VR4FBB0TBOSx
+GqBOE3FSzHAejQkIKc/1pW0v0wKvapYMq/RrfhPJxPkjTPtztUsAkU//9E0/aoEW
+VC6Rqf+VX3wIhe7+RS8JXdBh9SM0+Z9MCRUiM8K9qPMtpNgB2ks7T5BGFHSMlNKm
+uLW1agWPy5CjgbYwgbMwDAYDVR0TAQH/BAIwADA9BgNVHREENjA0ggx3d3cubm9u
+ZS5vcmeCE3d3dy5tb3JldGhhbm9uZS5vcmeCCWxvY2FsaG9zdIcEwKgBATATBgNV
+HSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB4AAMB0GA1UdDgQWBBTagKMW
+kYyqTJk/RRjg++gqz6xX6zAfBgNVHSMEGDAWgBTwtIH+mBK/tSi5ZEADy8wfZk4o
+AzAKBggqhkjOPQQDAgNJADBGAiEAoj/ZB98cG/FaA7VVU+R6+TT3icF+De61rfim
+R43VMlUCIQCXjG9gRp0x+/8vCRL0/nr0a32SRPruKVDqbHnNiWchsg==
+-----END CERTIFICATE-----
diff --git a/tests/certs/ecc256.pem b/tests/certs/ecc256.pem
new file mode 100644
index 0000000..75a2cfa
--- /dev/null
+++ b/tests/certs/ecc256.pem
@@ -0,0 +1,37 @@
+Public Key Info:
+ Public Key Algorithm: EC
+ Key Security Level: High
+
+curve: SECP256R1
+private key:
+ 00:fd:2b:00:80:f3:36:5f:11:32:65:e3:8d:30:33:
+ 3b:47:f5:ce:f8:13:e5:4c:c2:cf:fd:e8:05:6a:ca:
+ c9:41:b1:
+x:
+ 3c:15:6f:1d:48:3e:64:59:13:2c:6d:04:1a:38:0d:
+ 30:5c:e4:3f:55:cb:d9:17:15:46:72:71:92:c1:f8:
+ c6:33:
+y:
+ 3d:04:2e:c8:c1:0f:c0:50:04:7b:9f:c9:48:b5:40:
+ fa:6f:93:82:59:61:5e:72:57:cb:83:06:bd:cc:82:
+ 94:c1:
+
+Public Key ID: AC:FA:47:67:C6:1B:41:79:12:57:F7:AC:05:C1:50:E2:8E:D0:0E:5B
+Public key's random art:
++--[ EC 256]----+
+| .o+==..|
+| .+o...+.|
+| o.Eo. +|
+| . *.o o |
+| S.o.. . |
+| .. * |
+| .. + o |
+| . . . |
+| .... |
++-----------------+
+
+-----BEGIN EC PRIVATE KEY-----
+MHgCAQEEIQD9KwCA8zZfETJl440wMztH9c74E+VMws/96AVqyslBsaAKBggqhkjO
+PQMBB6FEA0IABDwVbx1IPmRZEyxtBBo4DTBc5D9Vy9kXFUZycZLB+MYzPQQuyMEP
+wFAEe5/JSLVA+m+TgllhXnJXy4MGvcyClME=
+-----END EC PRIVATE KEY-----
diff --git a/tests/certs/ecc384.pem b/tests/certs/ecc384.pem
new file mode 100644
index 0000000..bfa5d9f
--- /dev/null
+++ b/tests/certs/ecc384.pem
@@ -0,0 +1,41 @@
+Public Key Info:
+ Public Key Algorithm: EC
+ Key Security Level: High
+
+curve: SECP384R1
+private key:
+ 00:ff:42:b3:6d:ca:d3:06:13:d7:a7:e4:41:27:18:
+ ff:82:15:6a:c9:35:20:dc:4e:ad:e8:e6:07:37:87:
+ d8:d2:59:e9:39:17:94:22:c0:5e:07:46:0f:aa:4a:
+ 7d:7a:ea:30:
+x:
+ 05:d1:69:ed:55:bf:6b:0c:0b:1e:a6:8e:4f:aa:b3:
+ ad:a3:b5:d9:26:12:3e:f2:17:bb:fe:11:d2:80:40:
+ ca:06:a6:80:7d:7f:d2:7b:96:fd:92:8d:41:87:e6:
+ 88:fb:67:
+y:
+ 2e:27:24:3e:95:46:69:10:6f:a1:31:32:02:af:39:
+ f0:59:ae:4c:21:44:d8:a7:ed:d3:f1:27:f8:3a:64:
+ ea:67:7a:c9:df:bb:12:aa:b3:b5:cb:d8:d8:6c:38:
+ cc:f3:70:
+
+Public Key ID: 47:A2:C2:AB:71:9B:8A:29:78:5D:19:20:6F:A8:1D:4A:C9:30:40:84
+Public key's random art:
++--[ EC 384]----+
+|*o |
+|E . . |
+|o..+ . . . |
+| +o.o .. o |
+|.+ oo .oS . |
+|o . oo . |
+|. ..o. |
+|oo.+.o |
+|+.o.o |
++-----------------+
+
+-----BEGIN EC PRIVATE KEY-----
+MIGlAgEBBDEA/0KzbcrTBhPXp+RBJxj/ghVqyTUg3E6t6OYHN4fY0lnpOReUIsBe
+B0YPqkp9euowoAcGBSuBBAAioWQDYgAEBdFp7VW/awwLHqaOT6qzraO12SYSPvIX
+u/4R0oBAygamgH1/0nuW/ZKNQYfmiPtnLickPpVGaRBvoTEyAq858FmuTCFE2Kft
+0/En+Dpk6md6yd+7EqqztcvY2Gw4zPNw
+-----END EC PRIVATE KEY-----
diff --git a/tests/certs/ecc521.pem b/tests/certs/ecc521.pem
new file mode 100644
index 0000000..136d1e2
--- /dev/null
+++ b/tests/certs/ecc521.pem
@@ -0,0 +1,45 @@
+Public Key Info:
+ Public Key Algorithm: EC
+ Key Security Level: Ultra
+
+curve: SECP521R1
+private key:
+ 01:02:2a:fc:98:41:e5:9c:78:8a:68:74:9d:bc:48:
+ 53:80:de:28:5b:21:ee:f8:88:3a:6e:8e:1f:4e:e8:
+ 4d:f7:2d:a8:8c:0d:6a:00:11:c9:7a:58:28:57:df:
+ 57:50:27:89:67:93:44:d4:14:fd:5d:39:2c:bf:f6:
+ 07:58:f9:7e:96:63:
+x:
+ 00:a1:aa:40:f5:b2:d0:1d:08:88:f1:5d:a6:23:3b:
+ 3d:b2:af:34:55:1e:05:04:1d:13:04:e4:b1:1a:a0:
+ 4e:13:71:52:cc:70:1e:8d:09:08:29:cf:f5:a5:6d:
+ 2f:d3:02:af:6a:96:0c:ab:f4:6b:7e:13:c9:c4:f9:
+ 23:4c:fb:73:b5:4b:
+y:
+ 00:91:4f:ff:f4:4d:3f:6a:81:16:54:2e:91:a9:ff:
+ 95:5f:7c:08:85:ee:fe:45:2f:09:5d:d0:61:f5:23:
+ 34:f9:9f:4c:09:15:22:33:c2:bd:a8:f3:2d:a4:d8:
+ 01:da:4b:3b:4f:90:46:14:74:8c:94:d2:a6:b8:b5:
+ b5:6a:05:8f:cb:90:
+
+Public Key ID: DA:80:A3:16:91:8C:AA:4C:99:3F:45:18:E0:FB:E8:2A:CF:AC:57:EB
+Public key's random art:
++--[ EC 528]----+
+| ... |
+|.o .o |
+|..+. . |
+|. +... |
+|.=. o.. S |
+|+ +oo. + |
+|.oo= .. . |
+|o+. o |
+|==+.E |
++-----------------+
+
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBAir8mEHlnHiKaHSdvEhTgN4oWyHu+Ig6bo4fTuhN9y2ojA1qABHJ
+elgoV99XUCeJZ5NE1BT9XTksv/YHWPl+lmOgBwYFK4EEACOhgYkDgYYABAChqkD1
+stAdCIjxXaYjOz2yrzRVHgUEHRME5LEaoE4TcVLMcB6NCQgpz/WlbS/TAq9qlgyr
+9Gt+E8nE+SNM+3O1SwCRT//0TT9qgRZULpGp/5VffAiF7v5FLwld0GH1IzT5n0wJ
+FSIzwr2o8y2k2AHaSztPkEYUdIyU0qa4tbVqBY/LkA==
+-----END EC PRIVATE KEY-----
diff --git a/tests/suite/testcompat-main b/tests/suite/testcompat-main
index e1ffb94..1b1f5e6 100755
--- a/tests/suite/testcompat-main
+++ b/tests/suite/testcompat-main
@@ -56,8 +56,17 @@ CLI_CERT=$srcdir/../../doc/credentials/x509/clicert.pem
CLI_KEY=$srcdir/../../doc/credentials/x509/clikey.pem
CA_ECC_CERT=$srcdir/../certs/ca-cert-ecc.pem
-ECC_CERT=$srcdir/../certs/cert-ecc.pem
-ECC_KEY=$srcdir/../certs/ecc.pem
+ECC224_CERT=$srcdir/../certs/cert-ecc.pem
+ECC224_KEY=$srcdir/../certs/ecc.pem
+
+ECC256_CERT=$srcdir/../certs/cert-ecc256.pem
+ECC256_KEY=$srcdir/../certs/ecc256.pem
+
+ECC521_CERT=$srcdir/../certs/cert-ecc521.pem
+ECC521_KEY=$srcdir/../certs/ecc521.pem
+
+ECC384_CERT=$srcdir/../certs/cert-ecc384.pem
+ECC384_KEY=$srcdir/../certs/ecc384.pem
SERV_CERT=$srcdir/../../doc/credentials/x509/cert-rsa.pem
SERV_KEY=$srcdir/../../doc/credentials/x509/key-rsa.pem
@@ -133,18 +142,45 @@ kill $PID
wait
#-cipher ECDHE-ECDSA-AES128-SHA
-launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem
-certform pem -tls1 -key $ECC_KEY -cert $ECC_CERT -Verify 1 -named_curve
secp224r1 -CAfile $CA_ECC_CERT &
+launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem
-certform pem -tls1 -key $ECC224_KEY -cert $ECC224_CERT -Verify 1 -named_curve
secp224r1 -CAfile $CA_ECC_CERT &
+PID=$!
+wait_server $PID
+
+# Test TLS 1.0 with ECDHE-ECDSA ciphersuite
+echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP224R1)..."
+$CLI $DEBUG -p $PORT 127.0.0.1 --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
--insecure --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY </dev/null
>/dev/null || \
+ fail $PID "Failed"
+
+kill $PID
+wait
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem
-certform pem -tls1 -key $ECC384_KEY -cert $ECC384_CERT -Verify 1 -named_curve
secp384r1 -CAfile $CA_ECC_CERT &
+PID=$!
+wait_server $PID
+
+# Test TLS 1.0 with ECDHE-ECDSA ciphersuite
+echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)..."
+$CLI $DEBUG -p $PORT 127.0.0.1 --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
--insecure --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY </dev/null
>/dev/null || \
+ fail $PID "Failed"
+
+kill $PID
+wait
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem
-certform pem -tls1 -key $ECC521_KEY -cert $ECC521_CERT -Verify 1 -named_curve
secp521r1 -CAfile $CA_ECC_CERT &
PID=$!
wait_server $PID
# Test TLS 1.0 with ECDHE-ECDSA ciphersuite
-echo "Checking TLS 1.0 with ECDHE-ECDSA..."
-$CLI $DEBUG -p $PORT 127.0.0.1 --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
--insecure --x509certfile $ECC_CERT --x509keyfile $ECC_KEY </dev/null
>/dev/null || \
+echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP521R1)..."
+$CLI $DEBUG -p $PORT 127.0.0.1 --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
--insecure --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY </dev/null
>/dev/null || \
fail $PID "Failed"
kill $PID
wait
+
if test $SV2 = 0;then
# Tests requiring openssl 1.0.1 - TLS 1.2
#-cipher
RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
@@ -172,12 +208,36 @@ kill $PID
wait
#-cipher ECDHE-ECDSA-AES128-SHA
-launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem
-certform pem -tls1_2 -key $ECC_KEY -cert $ECC_CERT -Verify 1 -named_curve
secp224r1 -CAfile $CA_ECC_CERT &
+launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem
-certform pem -tls1_2 -key $ECC224_KEY -cert $ECC224_CERT -Verify 1
-named_curve secp224r1 -CAfile $CA_ECC_CERT &
+PID=$!
+wait_server $PID
+
+echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP224R1)"
+$CLI $DEBUG -p $PORT 127.0.0.1 --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
--insecure --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY </dev/null
>/dev/null || \
+ fail $PID "Failed"
+
+kill $PID
+wait
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem
-certform pem -tls1_2 -key $ECC384_KEY -cert $ECC384_CERT -Verify 1
-named_curve secp384r1 -CAfile $CA_ECC_CERT &
+PID=$!
+wait_server $PID
+
+echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP384R1)"
+$CLI $DEBUG -p $PORT 127.0.0.1 --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
--insecure --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY </dev/null
>/dev/null || \
+ fail $PID "Failed"
+
+kill $PID
+wait
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem
-certform pem -tls1_2 -key $ECC521_KEY -cert $ECC521_CERT -Verify 1
-named_curve secp521r1 -CAfile $CA_ECC_CERT &
PID=$!
wait_server $PID
-echo "Checking TLS 1.2 with ECDHE-ECDSA..."
-$CLI $DEBUG -p $PORT 127.0.0.1 --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
--insecure --x509certfile $ECC_CERT --x509keyfile $ECC_KEY </dev/null
>/dev/null || \
+echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP521R1)"
+$CLI $DEBUG -p $PORT 127.0.0.1 --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
--insecure --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY </dev/null
>/dev/null || \
fail $PID "Failed"
kill $PID
@@ -317,12 +377,45 @@ $OPENSSL_CLI s_client -host localhost -tls1 -port $PORT
-cert $CLI_CERT -key $C
kill $PID
wait
-echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite"
-launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
--x509certfile $ECC_CERT --x509keyfile $ECC_KEY --x509cafile $CA_ECC_CERT &
PID=$!
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
--x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $ECC224_CERT
-key $ECC224_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+ fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
--x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile
$CA_ECC_CERT & PID=$!
wait_server $PID
#-cipher ECDHE-ECDSA-AES128-SHA
-$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $ECC_CERT -key
$ECC_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $ECC256_CERT
-key $ECC256_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+ fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
--x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $ECC384_CERT
-key $ECC384_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+ fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
--x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $ECC521_CERT
-key $ECC521_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
fail $PID "Failed"
kill $PID
@@ -361,12 +454,45 @@ $OPENSSL_CLI s_client -host localhost -tls1_2 -port
$PORT -cert $CLI_CERT -key
kill $PID
wait
-echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite"
-launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
--x509certfile $ECC_CERT --x509keyfile $ECC_KEY --x509cafile $CA_ECC_CERT &
PID=$!
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
--x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+$OPENSSL_CLI s_client -host localhost -tls1_2 -port $PORT -cert $ECC224_CERT
-key $ECC224_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+ fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
--x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+$OPENSSL_CLI s_client -host localhost -tls1_2 -port $PORT -cert $ECC256_CERT
-key $ECC256_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+ fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
--x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+$OPENSSL_CLI s_client -host localhost -tls1_2 -port $PORT -cert $ECC384_CERT
-key $ECC384_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+ fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
--x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile
$CA_ECC_CERT & PID=$!
wait_server $PID
#-cipher ECDHE-ECDSA-AES128-SHA
-$OPENSSL_CLI s_client -host localhost -tls1_2 -port $PORT -cert $ECC_CERT
-key $ECC_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client -host localhost -tls1_2 -port $PORT -cert $ECC521_CERT
-key $ECC521_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
fail $PID "Failed"
kill $PID
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, gnutls_3_0_x-2, updated. gnutls_3_0_22-19-g5bd518d,
Nikos Mavrogiannopoulos <=