
[SCM] GNU gnutls branch, gnutls_3_1_x, updated. gnutls_3_1_0-38-gf7ea065


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, gnutls_3_1_x, updated. gnutls_3_1_0-38-gf7ea065
Date: Sat, 01 Sep 2012 17:14:55 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=f7ea065e5e35dfe615905926293888af7af8ae8e

The branch, gnutls_3_1_x has been updated
       via  f7ea065e5e35dfe615905926293888af7af8ae8e (commit)
       via  56f982b0247219569ebe962bec68f0dbd5c19cfd (commit)
       via  d178911375a37f9ed087c624c5bc601c3f655cc6 (commit)
       via  24e2962598dac4d0c80b4dfe844969775f237eab (commit)
       via  1a690efce7624255093a031b019028ad0695d99c (commit)
       via  f33f14441d8c3a901c1e14454c26b5a7a1d4cc93 (commit)
      from  2194c56774da46de07767f167b5d3905a144d7aa (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f7ea065e5e35dfe615905926293888af7af8ae8e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Sep 1 19:10:18 2012 +0200

    documented fix

commit 56f982b0247219569ebe962bec68f0dbd5c19cfd
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Sep 1 19:07:18 2012 +0200

    Be tolerant of ECDSA-violating signatures.

commit d178911375a37f9ed087c624c5bc601c3f655cc6
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Sep 1 19:06:09 2012 +0200

    Added server mode tests for the various EC curves.

commit 24e2962598dac4d0c80b4dfe844969775f237eab
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Sep 1 11:27:51 2012 +0200

    Added suite for ECDSA under various curves

commit 1a690efce7624255093a031b019028ad0695d99c
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Sep 1 10:34:08 2012 +0200

    documented fix

commit f33f14441d8c3a901c1e14454c26b5a7a1d4cc93
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Aug 30 23:01:45 2012 +0200

    corrected ciphersuite names

-----------------------------------------------------------------------

Summary of changes:
 NEWS                          |    6 ++
 lib/abstract_int.h            |    4 +-
 lib/algorithms/ciphersuites.c |    8 +-
 lib/ext/signature.c           |    2 +-
 lib/gnutls_pubkey.c           |   22 ++++--
 lib/gnutls_sig.c              |    4 +-
 tests/certs/cert-ecc256.pem   |   18 +++++
 tests/certs/cert-ecc384.pem   |   19 +++++
 tests/certs/cert-ecc521.pem   |   19 +++++
 tests/certs/ecc256.pem        |   37 ++++++++++
 tests/certs/ecc384.pem        |   41 +++++++++++
 tests/certs/ecc521.pem        |   45 ++++++++++++
 tests/suite/testcompat-main   |  154 +++++++++++++++++++++++++++++++++++++----
 13 files changed, 349 insertions(+), 30 deletions(-)
 create mode 100644 tests/certs/cert-ecc256.pem
 create mode 100644 tests/certs/cert-ecc384.pem
 create mode 100644 tests/certs/cert-ecc521.pem
 create mode 100644 tests/certs/ecc256.pem
 create mode 100644 tests/certs/ecc384.pem
 create mode 100644 tests/certs/ecc521.pem

diff --git a/NEWS b/NEWS
index e36b2a0..9a2cd4a 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ See the end for copying conditions.
 
 * Version 3.1.1 (unreleased)
 
+** gnutls-serv: Listens on IPv6. Patch by Bernhard R. Link.
+
 ** certtool: Changes in password handling of certtool.
 Ask password when required and only if the '--password' option is not
 given. If the '--password' option is given during key generation then 
@@ -11,6 +13,10 @@ assume the PKCS #8 file format, instead of ignoring the 
password.
 
 ** tpmtool: No longer asks for key password in registered keys.
 
+** libgnutls: Be tolerant in ECDSA signature violations (e.g. using
+SHA256 with a SECP384 curve instead of SHA-384), to interoperate with
+openssl.
+
 ** libgnutls: Fixed DSA and ECDSA signature generation in smart
 cards. Thanks to Andreas Schwier from cardcontact.de for providing
 me with ECDSA capable smart cards.
diff --git a/lib/abstract_int.h b/lib/abstract_int.h
index c01e983..9b1de33 100644
--- a/lib/abstract_int.h
+++ b/lib/abstract_int.h
@@ -79,8 +79,8 @@ int _gnutls_privkey_get_public_mpis (gnutls_privkey_t key,
                                      gnutls_pk_params_st*);
 
 int pubkey_to_bits(gnutls_pk_algorithm_t pk, gnutls_pk_params_st* params);
-int _gnutls_pubkey_compatible_with_sig(gnutls_pubkey_t pubkey, 
gnutls_protocol_t ver, 
-  gnutls_sign_algorithm_t sign);
+int _gnutls_pubkey_compatible_with_sig(gnutls_session_t, gnutls_pubkey_t 
pubkey, 
+  gnutls_protocol_t ver, gnutls_sign_algorithm_t sign);
 int _gnutls_pubkey_is_over_rsa_512(gnutls_pubkey_t pubkey);
 int
 _gnutls_pubkey_get_mpis (gnutls_pubkey_t key,
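Review bot: The added `gnutls_session_t` parameter in the `_gnutls_pubkey_compatible_with_sig` prototype is unnamed, while the other three parameters keep their names and the definition in lib/gnutls_pubkey.c calls it `session`. Naming it here, `int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session, gnutls_pubkey_t pubkey,`, keeps the declaration self-describing. A one-line comment at the declaration saying that the session is used only for audit logging and may be NULL would spare callers a trip to the definition.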
diff --git a/lib/algorithms/ciphersuites.c b/lib/algorithms/ciphersuites.c
index 678812e..5e2cc79 100644
--- a/lib/algorithms/ciphersuites.c
+++ b/lib/algorithms/ciphersuites.c
@@ -167,8 +167,8 @@ typedef struct
 /* GCM-PSK */
 #define GNUTLS_PSK_AES_128_GCM_SHA256 { 0x00, 0xA8 }
 #define GNUTLS_DHE_PSK_AES_128_GCM_SHA256 { 0x00, 0xAA }
-#define GNUTLS_PSK_WITH_AES_256_GCM_SHA384 { 0x00, 0xA9 }
-#define GNUTLS_DHE_PSK_WITH_AES_256_GCM_SHA384 { 0x00, 0xAB }
+#define GNUTLS_PSK_AES_256_GCM_SHA384 { 0x00, 0xA9 }
+#define GNUTLS_DHE_PSK_AES_256_GCM_SHA384 { 0x00, 0xAB }
 
 /* PSK - SHA256 HMAC */
 #define GNUTLS_PSK_AES_128_CBC_SHA256 { 0x00, 0xAE }
@@ -611,11 +611,11 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = {
                                 GNUTLS_CIPHER_AES_256_CBC, 
GNUTLS_KX_ECDHE_ECDSA,
                                 GNUTLS_MAC_SHA384, GNUTLS_TLS1_2,
                                 GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
-  ENTRY_PRF(GNUTLS_PSK_WITH_AES_256_GCM_SHA384,
+  ENTRY_PRF(GNUTLS_PSK_AES_256_GCM_SHA384,
                                 GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_PSK,
                                 GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
                                 GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
-  ENTRY_PRF(GNUTLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
+  ENTRY_PRF(GNUTLS_DHE_PSK_AES_256_GCM_SHA384,
                                 GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_DHE_PSK,
                                 GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
                                 GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index 59e3750..d8a6bcc 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -272,7 +272,7 @@ _gnutls_session_get_sign_algo (gnutls_session_t session, 
gnutls_pcert_st* cert)
     {
       if (gnutls_sign_get_pk_algorithm (priv->sign_algorithms[i]) == cert_algo)
         {
-          if (_gnutls_pubkey_compatible_with_sig(cert->pubkey, ver, 
priv->sign_algorithms[i]) < 0)
+          if (_gnutls_pubkey_compatible_with_sig(session, cert->pubkey, ver, 
priv->sign_algorithms[i]) < 0)
             continue;
 
           if (_gnutls_session_sign_algo_enabled(session, 
priv->sign_algorithms[i]) < 0)
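Review bot: The `continue` after `_gnutls_pubkey_compatible_with_sig(session, cert->pubkey, ver, priv->sign_algorithms[i]) < 0` only skips an algorithm when the helper returns a negative value, and the lib/gnutls_pubkey.c change in this same push turns the too-short-hash case into an audit log line with no error return. If, as the name `_gnutls_session_get_sign_algo` suggests, this loop picks the algorithm used with the local certificate, the tolerance now reaches beyond accepting a peer's non-conforming signature to selecting one locally. If only verification was meant to be lenient, the size comparison should stay enforced on this path, for example through a strict variant of the helper. The loop and the function continue outside the hunk.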
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index b894677..58c4139 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -1545,12 +1545,18 @@ gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
 
 }
 
-
-int _gnutls_pubkey_compatible_with_sig(gnutls_pubkey_t pubkey, 
gnutls_protocol_t ver, 
-  gnutls_sign_algorithm_t sign)
+/* Checks whether the public key given is compatible with the
+ * signature algorithm used. The session is only used for audit logging, and
+ * it may be null.
+ */
+int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session,
+                                       gnutls_pubkey_t pubkey, 
+                                       gnutls_protocol_t ver, 
+                                       gnutls_sign_algorithm_t sign)
 {
 unsigned int hash_size;
 unsigned int hash_algo;
+unsigned int sig_hash_size;
 
   if (pubkey->pk_algorithm == GNUTLS_PK_DSA)
     {
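Review bot: The new header comment on `_gnutls_pubkey_compatible_with_sig` still describes a compatibility check, but the later hunks in this file change the short-hash case from `return GNUTLS_E_UNWANTED_ALGORITHM;` to a call to `_gnutls_audit_log`. I would add a sentence such as `A signature hash shorter than the one the key calls for is only logged, not rejected.` so that callers do not read a non-negative return as proof of a conforming hash. The function body continues outside this hunk, so the error returns that remain are not visible here and should be listed in the comment by someone with the full file.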
@@ -1564,8 +1570,9 @@ unsigned int hash_algo;
         }
       else if (sign != GNUTLS_SIGN_UNKNOWN)
         {
-          if (_gnutls_hash_get_algo_len(gnutls_sign_get_hash_algorithm(sign)) 
< hash_size)
-            return GNUTLS_E_UNWANTED_ALGORITHM;
+          sig_hash_size = 
_gnutls_hash_get_algo_len(gnutls_sign_get_hash_algorithm(sign));
+          if (sig_hash_size < hash_size)
+            _gnutls_audit_log(session, "The hash size used in signature (%u) 
is less than the expected (%u)\n", sig_hash_size, hash_size);
         }
         
     }
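Review bot: The relaxed `if (sig_hash_size < hash_size)` here appears to sit inside the `GNUTLS_PK_DSA` branch opened at the end of the previous hunk, yet the commit message and the NEWS entry speak only of ECDSA interoperability with openssl. If DSA was not meant to be loosened, keep `return GNUTLS_E_UNWANTED_ALGORITHM;` in this branch and log-and-continue only in the next hunk (-1574). In both places the tolerance has no lower bound, so any enabled hash, however short relative to the key, now passes with nothing but an audit line. A minimum size or a strict mode selectable by the application would let deployments keep the old rejection. The enclosing branch starts and ends outside the hunk.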
@@ -1574,9 +1581,10 @@ unsigned int hash_algo;
       if (_gnutls_version_has_selectable_sighash (ver) && sign != 
GNUTLS_SIGN_UNKNOWN)
         {
           hash_algo = _gnutls_dsa_q_to_hash (pubkey->pk_algorithm, 
&pubkey->params, &hash_size);
+          sig_hash_size = 
_gnutls_hash_get_algo_len(gnutls_sign_get_hash_algorithm(sign));
 
-          if (_gnutls_hash_get_algo_len(gnutls_sign_get_hash_algorithm(sign)) 
< hash_size)
-            return GNUTLS_E_UNWANTED_ALGORITHM;
+          if (sig_hash_size < hash_size)
+            _gnutls_audit_log(session, "The hash size used in signature (%u) 
is less than the expected (%u)\n", sig_hash_size, hash_size);
         }
         
     }
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 6b5386a..256ca1c 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -320,7 +320,7 @@ _gnutls_handshake_verify_data (gnutls_session_t session, 
gnutls_pcert_st* cert,
       _gnutls_handshake_log ("HSK[%p]: verify handshake data: using %s\n",
                     session, gnutls_sign_algorithm_get_name (sign_algo));
 
-      ret = _gnutls_pubkey_compatible_with_sig(cert->pubkey, ver, sign_algo);
+      ret = _gnutls_pubkey_compatible_with_sig(session, cert->pubkey, ver, 
sign_algo);
       if (ret < 0)
         return gnutls_assert_val(ret);
 
@@ -639,7 +639,7 @@ _gnutls_handshake_sign_crt_vrfy (gnutls_session_t session,
     _gnutls_hash_deinit (&td_sha, &concat[16]);
 
   /* ensure 1024 bit DSA keys are used */
-  ret = _gnutls_pubkey_compatible_with_sig(cert->pubkey, ver, 
GNUTLS_SIGN_UNKNOWN);
+  ret = _gnutls_pubkey_compatible_with_sig(session, cert->pubkey, ver, 
GNUTLS_SIGN_UNKNOWN);
   if (ret < 0)
     return gnutls_assert_val(ret);
 
diff --git a/tests/certs/cert-ecc256.pem b/tests/certs/cert-ecc256.pem
new file mode 100644
index 0000000..3f5cbc1
--- /dev/null
+++ b/tests/certs/cert-ecc256.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAoagAwIBAgIBBzAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
+A1UEChMGR251VExTMSUwIwYDVQQLExxHbnVUTFMgY2VydGlmaWNhdGUgYXV0aG9y
+aXR5MQ8wDQYDVQQIEwZMZXV2ZW4xJTAjBgNVBAMTHEdudVRMUyBjZXJ0aWZpY2F0
+ZSBhdXRob3JpdHkwIhgPMjAxMjA5MDEwOTIyMzZaGA8yMDE5MTAwNTA5MjIzNlow
+gbgxCzAJBgNVBAYTAkdSMRIwEAYDVQQKEwlLb2tvIGluYy4xFzAVBgNVBAsTDnNs
+ZWVwaW5nIGRlcHQuMQ8wDQYDVQQIEwZBdHRpa2kxFTATBgNVBAMTDENpbmR5IExh
+dXBlcjEXMBUGCgmSJomT8ixkAQETB2NsYXVwZXIxDDAKBgNVBAwTA0RyLjEPMA0G
+A1UEQRMGamFja2FsMRwwGgYJKoZIhvcNAQkBFg1ub25lQG5vbmUub3JnMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEPBVvHUg+ZFkTLG0EGjgNMFzkP1XL2RcVRnJx
+ksH4xjM9BC7IwQ/AUAR7n8lItUD6b5OCWWFeclfLgwa9zIKUwaOBtjCBszAMBgNV
+HRMBAf8EAjAAMD0GA1UdEQQ2MDSCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFu
+b25lLm9yZ4IJbG9jYWxob3N0hwTAqAEBMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8G
+A1UdDwEB/wQFAwMHgAAwHQYDVR0OBBYEFKz6R2fGG0F5Elf3rAXBUOKO0A5bMB8G
+A1UdIwQYMBaAFPC0gf6YEr+1KLlkQAPLzB9mTigDMAoGCCqGSM49BAMCA0gAMEUC
+ICgq4CTInkRQ1DaFoI8wmu2KP8445NWRXKouag2WJSFzAiEAx4KxaoZJNVfBBSc4
+bA9XTz/2OnpgAZutUohNNb/tmRE=
+-----END CERTIFICATE-----
diff --git a/tests/certs/cert-ecc384.pem b/tests/certs/cert-ecc384.pem
new file mode 100644
index 0000000..29b057b
--- /dev/null
+++ b/tests/certs/cert-ecc384.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/certs/cert-ecc521.pem b/tests/certs/cert-ecc521.pem
new file mode 100644
index 0000000..3fc1778
--- /dev/null
+++ b/tests/certs/cert-ecc521.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/certs/ecc256.pem b/tests/certs/ecc256.pem
new file mode 100644
index 0000000..75a2cfa
--- /dev/null
+++ b/tests/certs/ecc256.pem
@@ -0,0 +1,37 @@
+Public Key Info:
+       Public Key Algorithm: EC
+       Key Security Level: High
+
+curve: SECP256R1
+private key:
+       00:fd:2b:00:80:f3:36:5f:11:32:65:e3:8d:30:33:
+       3b:47:f5:ce:f8:13:e5:4c:c2:cf:fd:e8:05:6a:ca:
+       c9:41:b1:
+x:
+       3c:15:6f:1d:48:3e:64:59:13:2c:6d:04:1a:38:0d:
+       30:5c:e4:3f:55:cb:d9:17:15:46:72:71:92:c1:f8:
+       c6:33:
+y:
+       3d:04:2e:c8:c1:0f:c0:50:04:7b:9f:c9:48:b5:40:
+       fa:6f:93:82:59:61:5e:72:57:cb:83:06:bd:cc:82:
+       94:c1:
+
+Public Key ID: AC:FA:47:67:C6:1B:41:79:12:57:F7:AC:05:C1:50:E2:8E:D0:0E:5B
+Public key's random art:
++--[  EC  256]----+
+|          .o+==..|
+|         .+o...+.|
+|        o.Eo.   +|
+|       . *.o   o |
+|        S.o.. .  |
+|       .. *      |
+|      .. + o     |
+|     .  . .      |
+|    ....         |
++-----------------+
+
+-----BEGIN EC PRIVATE KEY-----
+MHgCAQEEIQD9KwCA8zZfETJl440wMztH9c74E+VMws/96AVqyslBsaAKBggqhkjO
+PQMBB6FEA0IABDwVbx1IPmRZEyxtBBo4DTBc5D9Vy9kXFUZycZLB+MYzPQQuyMEP
+wFAEe5/JSLVA+m+TgllhXnJXy4MGvcyClME=
+-----END EC PRIVATE KEY-----
diff --git a/tests/certs/ecc384.pem b/tests/certs/ecc384.pem
new file mode 100644
index 0000000..bfa5d9f
--- /dev/null
+++ b/tests/certs/ecc384.pem
@@ -0,0 +1,41 @@
+Public Key Info:
+       Public Key Algorithm: EC
+       Key Security Level: High
+
+curve: SECP384R1
+private key:
+       00:ff:42:b3:6d:ca:d3:06:13:d7:a7:e4:41:27:18:
+       ff:82:15:6a:c9:35:20:dc:4e:ad:e8:e6:07:37:87:
+       d8:d2:59:e9:39:17:94:22:c0:5e:07:46:0f:aa:4a:
+       7d:7a:ea:30:
+x:
+       05:d1:69:ed:55:bf:6b:0c:0b:1e:a6:8e:4f:aa:b3:
+       ad:a3:b5:d9:26:12:3e:f2:17:bb:fe:11:d2:80:40:
+       ca:06:a6:80:7d:7f:d2:7b:96:fd:92:8d:41:87:e6:
+       88:fb:67:
+y:
+       2e:27:24:3e:95:46:69:10:6f:a1:31:32:02:af:39:
+       f0:59:ae:4c:21:44:d8:a7:ed:d3:f1:27:f8:3a:64:
+       ea:67:7a:c9:df:bb:12:aa:b3:b5:cb:d8:d8:6c:38:
+       cc:f3:70:
+
+Public Key ID: 47:A2:C2:AB:71:9B:8A:29:78:5D:19:20:6F:A8:1D:4A:C9:30:40:84
+Public key's random art:
++--[  EC  384]----+
+|*o               |
+|E . .            |
+|o..+ .  . .      |
+| +o.o .. o       |
+|.+ oo .oS .      |
+|o .  oo  .       |
+|. ..o.           |
+|oo.+.o           |
+|+.o.o            |
++-----------------+
+
+-----BEGIN EC PRIVATE KEY-----
+MIGlAgEBBDEA/0KzbcrTBhPXp+RBJxj/ghVqyTUg3E6t6OYHN4fY0lnpOReUIsBe
+B0YPqkp9euowoAcGBSuBBAAioWQDYgAEBdFp7VW/awwLHqaOT6qzraO12SYSPvIX
+u/4R0oBAygamgH1/0nuW/ZKNQYfmiPtnLickPpVGaRBvoTEyAq858FmuTCFE2Kft
+0/En+Dpk6md6yd+7EqqztcvY2Gw4zPNw
+-----END EC PRIVATE KEY-----
diff --git a/tests/certs/ecc521.pem b/tests/certs/ecc521.pem
new file mode 100644
index 0000000..136d1e2
--- /dev/null
+++ b/tests/certs/ecc521.pem
@@ -0,0 +1,45 @@
+Public Key Info:
+       Public Key Algorithm: EC
+       Key Security Level: Ultra
+
+curve: SECP521R1
+private key:
+       01:02:2a:fc:98:41:e5:9c:78:8a:68:74:9d:bc:48:
+       53:80:de:28:5b:21:ee:f8:88:3a:6e:8e:1f:4e:e8:
+       4d:f7:2d:a8:8c:0d:6a:00:11:c9:7a:58:28:57:df:
+       57:50:27:89:67:93:44:d4:14:fd:5d:39:2c:bf:f6:
+       07:58:f9:7e:96:63:
+x:
+       00:a1:aa:40:f5:b2:d0:1d:08:88:f1:5d:a6:23:3b:
+       3d:b2:af:34:55:1e:05:04:1d:13:04:e4:b1:1a:a0:
+       4e:13:71:52:cc:70:1e:8d:09:08:29:cf:f5:a5:6d:
+       2f:d3:02:af:6a:96:0c:ab:f4:6b:7e:13:c9:c4:f9:
+       23:4c:fb:73:b5:4b:
+y:
+       00:91:4f:ff:f4:4d:3f:6a:81:16:54:2e:91:a9:ff:
+       95:5f:7c:08:85:ee:fe:45:2f:09:5d:d0:61:f5:23:
+       34:f9:9f:4c:09:15:22:33:c2:bd:a8:f3:2d:a4:d8:
+       01:da:4b:3b:4f:90:46:14:74:8c:94:d2:a6:b8:b5:
+       b5:6a:05:8f:cb:90:
+
+Public Key ID: DA:80:A3:16:91:8C:AA:4C:99:3F:45:18:E0:FB:E8:2A:CF:AC:57:EB
+Public key's random art:
++--[  EC  528]----+
+| ...             |
+|.o .o            |
+|..+. .           |
+|. +...           |
+|.=. o.. S        |
+|+ +oo. +         |
+|.oo= .. .        |
+|o+. o            |
+|==+.E            |
++-----------------+
+
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBAir8mEHlnHiKaHSdvEhTgN4oWyHu+Ig6bo4fTuhN9y2ojA1qABHJ
+elgoV99XUCeJZ5NE1BT9XTksv/YHWPl+lmOgBwYFK4EEACOhgYkDgYYABAChqkD1
+stAdCIjxXaYjOz2yrzRVHgUEHRME5LEaoE4TcVLMcB6NCQgpz/WlbS/TAq9qlgyr
+9Gt+E8nE+SNM+3O1SwCRT//0TT9qgRZULpGp/5VffAiF7v5FLwld0GH1IzT5n0wJ
+FSIzwr2o8y2k2AHaSztPkEYUdIyU0qa4tbVqBY/LkA==
+-----END EC PRIVATE KEY-----
diff --git a/tests/suite/testcompat-main b/tests/suite/testcompat-main
index e1ffb94..1b1f5e6 100755
--- a/tests/suite/testcompat-main
+++ b/tests/suite/testcompat-main
@@ -56,8 +56,17 @@ CLI_CERT=$srcdir/../../doc/credentials/x509/clicert.pem
 CLI_KEY=$srcdir/../../doc/credentials/x509/clikey.pem
 
 CA_ECC_CERT=$srcdir/../certs/ca-cert-ecc.pem
-ECC_CERT=$srcdir/../certs/cert-ecc.pem
-ECC_KEY=$srcdir/../certs/ecc.pem
+ECC224_CERT=$srcdir/../certs/cert-ecc.pem
+ECC224_KEY=$srcdir/../certs/ecc.pem
+
+ECC256_CERT=$srcdir/../certs/cert-ecc256.pem
+ECC256_KEY=$srcdir/../certs/ecc256.pem
+
+ECC521_CERT=$srcdir/../certs/cert-ecc521.pem
+ECC521_KEY=$srcdir/../certs/ecc521.pem
+
+ECC384_CERT=$srcdir/../certs/cert-ecc384.pem
+ECC384_KEY=$srcdir/../certs/ecc384.pem
 
 SERV_CERT=$srcdir/../../doc/credentials/x509/cert-rsa.pem
 SERV_KEY=$srcdir/../../doc/credentials/x509/key-rsa.pem
@@ -133,18 +142,45 @@ kill $PID
 wait
 
 #-cipher ECDHE-ECDSA-AES128-SHA
-launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem 
-certform pem -tls1 -key $ECC_KEY -cert $ECC_CERT -Verify 1 -named_curve 
secp224r1 -CAfile $CA_ECC_CERT &
+launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem 
-certform pem -tls1 -key $ECC224_KEY -cert $ECC224_CERT -Verify 1 -named_curve 
secp224r1 -CAfile $CA_ECC_CERT &
+PID=$!
+wait_server $PID
+
+# Test TLS 1.0 with ECDHE-ECDSA ciphersuite
+echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP224R1)..." 
+$CLI $DEBUG -p $PORT 127.0.0.1 --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --insecure --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY </dev/null 
>/dev/null || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem 
-certform pem -tls1 -key $ECC384_KEY -cert $ECC384_CERT -Verify 1 -named_curve 
secp384r1 -CAfile $CA_ECC_CERT &
+PID=$!
+wait_server $PID
+
+# Test TLS 1.0 with ECDHE-ECDSA ciphersuite
+echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)..." 
+$CLI $DEBUG -p $PORT 127.0.0.1 --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --insecure --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY </dev/null 
>/dev/null || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem 
-certform pem -tls1 -key $ECC521_KEY -cert $ECC521_CERT -Verify 1 -named_curve 
secp521r1 -CAfile $CA_ECC_CERT &
 PID=$!
 wait_server $PID
 
 # Test TLS 1.0 with ECDHE-ECDSA ciphersuite
-echo "Checking TLS 1.0 with ECDHE-ECDSA..." 
-$CLI $DEBUG -p $PORT 127.0.0.1 --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --insecure --x509certfile $ECC_CERT --x509keyfile $ECC_KEY </dev/null 
>/dev/null || \
+echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP521R1)..." 
+$CLI $DEBUG -p $PORT 127.0.0.1 --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --insecure --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY </dev/null 
>/dev/null || \
   fail $PID "Failed"
 
 kill $PID
 wait
 
+
 if test $SV2 = 0;then
 # Tests requiring openssl 1.0.1 - TLS 1.2
 #-cipher 
RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA 
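Review bot: The client-mode blocks added here cover SECP224R1, SECP384R1 and SECP521R1 but not SECP256R1, although `ECC256_CERT` and `ECC256_KEY` are defined in the earlier hunk and used by the server-mode tests further down. The TLS 1.2 hunk at -172 has the same gap. A fourth block using `-key $ECC256_KEY -cert $ECC256_CERT` would make both directions symmetric; note that openssl names that curve `prime256v1`, which may be why it was left out. If the omission is deliberate, a comment saying so would stop the next reader from assuming the curve is covered.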
@@ -172,12 +208,36 @@ kill $PID
 wait
 
 #-cipher ECDHE-ECDSA-AES128-SHA
-launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem 
-certform pem -tls1_2 -key $ECC_KEY -cert $ECC_CERT -Verify 1 -named_curve 
secp224r1 -CAfile $CA_ECC_CERT &
+launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem 
-certform pem -tls1_2 -key $ECC224_KEY -cert $ECC224_CERT -Verify 1 
-named_curve secp224r1 -CAfile $CA_ECC_CERT &
+PID=$!
+wait_server $PID
+
+echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP224R1)" 
+$CLI $DEBUG -p $PORT 127.0.0.1 --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --insecure --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY </dev/null 
>/dev/null || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem 
-certform pem -tls1_2 -key $ECC384_KEY -cert $ECC384_CERT -Verify 1 
-named_curve secp384r1 -CAfile $CA_ECC_CERT &
+PID=$!
+wait_server $PID
+
+echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP384R1)" 
+$CLI $DEBUG -p $PORT 127.0.0.1 --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --insecure --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY </dev/null 
>/dev/null || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem 
-certform pem -tls1_2 -key $ECC521_KEY -cert $ECC521_CERT -Verify 1 
-named_curve secp521r1 -CAfile $CA_ECC_CERT &
 PID=$!
 wait_server $PID
 
-echo "Checking TLS 1.2 with ECDHE-ECDSA..." 
-$CLI $DEBUG -p $PORT 127.0.0.1 --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --insecure --x509certfile $ECC_CERT --x509keyfile $ECC_KEY </dev/null 
>/dev/null || \
+echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP521R1)" 
+$CLI $DEBUG -p $PORT 127.0.0.1 --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --insecure --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY </dev/null 
>/dev/null || \
   fail $PID "Failed"
 
 kill $PID
@@ -317,12 +377,45 @@ $OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT 
-cert $CLI_CERT -key $C
 kill $PID
 wait
 
-echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite"
-launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC_CERT --x509keyfile $ECC_KEY --x509cafile $CA_ECC_CERT & 
PID=$!
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC224_CERT 
-key $ECC224_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
 wait_server $PID
 
 #-cipher ECDHE-ECDSA-AES128-SHA 
-$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC_CERT -key 
$ECC_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC256_CERT 
-key $ECC256_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC384_CERT 
-key $ECC384_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC521_CERT 
-key $ECC521_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
   fail $PID "Failed"
 
 kill $PID
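Review bot: Each new server-mode check passes whenever the `s_client` output lacks the string `:error:` (`... 2>&1 | grep "\:error\:" && \` followed by `fail $PID "Failed"`), so a client that fails to start or exits early without printing that string is counted as success. These tests are the interoperability evidence for the relaxed ECDSA hash check, so I would additionally require a positive marker of a completed handshake in the captured output. The TLS 1.2 hunk at -361 repeats the same pattern. The four blocks per protocol version differ only in the certificate variables and the echoed curve name, so a loop over the curve sizes would remove the copy-paste.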
@@ -361,12 +454,45 @@ $OPENSSL_CLI s_client  -host localhost -tls1_2 -port 
$PORT -cert $CLI_CERT -key
 kill $PID
 wait
 
-echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite"
-launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC_CERT --x509keyfile $ECC_KEY --x509cafile $CA_ECC_CERT & 
PID=$!
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC224_CERT 
-key $ECC224_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC256_CERT 
-key $ECC256_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC384_CERT 
-key $ECC384_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+launch_server $$  --priority 
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL"
 --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile 
$CA_ECC_CERT & PID=$!
 wait_server $PID
 
 #-cipher ECDHE-ECDSA-AES128-SHA 
-$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC_CERT 
-key $ECC_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC521_CERT 
-key $ECC521_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
   fail $PID "Failed"
 
 kill $PID


hooks/post-receive
-- 
GNU gnutls


