...
 
Commits (17)
os:
- osx
language: c
compiler:
- clang
git:
submodules: false
notifications:
email:
on_success: change
on_failure: always
before_install:
- git submodule update --init
- if [ "$TRAVIS_OS_NAME" = "osx" ]; then
brew install pkg-config autoconf automake autogen libtool nettle valgrind p11-kit libtasn1 unbound libidn gettext;
fi
script:
- PATH=/usr/local/opt/gettext/bin:$PATH make autoreconf && rm -f tests/suite/mini-eagain2.c
- PATH=/usr/local/opt/gettext/bin:$PATH ./configure --disable-valgrind-tests --disable-doc --disable-guile --without-p11-kit --disable-dependency-tracking
- make -j$(sysctl -n hw.ncpu)
- make -j$(sysctl -n hw.ncpu) check gl_public_submodule_commit=
......@@ -17,12 +17,20 @@ See the end for copying conditions.
in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct()
functions.
** libgnutls: Reverted the change which made the gnutls_certificate_set_*key*
functions return an index, to avoid affecting programs which explicitly
check success of the function as equality to zero. In order for these
functions to return an index an explicit call to gnutls_certificate_set_flags
with the GNUTLS_CERTIFICATE_API_V2 flag is required.
** certtool: --get-dh-params will output parameters from the RFC7919
groups.
** p11tool: improvements in --initialize option.
** API and ABI modifications:
GNUTLS_CERTIFICATE_API_V2: Added
GNUTLS_NO_TICKETS: Added
gnutls_pkcs7_get_embedded_data_oid: Added
gnutls_anon_set_server_known_dh_params: Added
gnutls_certificate_set_known_dh_params: Added
......
Master [![build status](https://gitlab.com/gnutls/gnutls/badges/master/build.svg)](https://gitlab.com/gnutls/gnutls/commits/master)
3.4.x [![build status](https://gitlab.com/gnutls/gnutls/badges/gnutls_3_4_x/build.svg)](https://gitlab.com/gnutls/gnutls/commits/gnutls_3_4_x)
3.3.x [![build status](https://gitlab.com/gnutls/gnutls/badges/gnutls_3_3_x/build.svg)](https://gitlab.com/gnutls/gnutls/commits/gnutls_3_3_x)
|Branch|CI system|Status|Coverage|
|:----:|:-------:|-----:|:------:|
|Master|Gitlab|[![build status](https://gitlab.com/gnutls/gnutls/badges/master/build.svg)](https://gitlab.com/gnutls/gnutls/commits/master)|[![coverage report](https://gitlab.com/gnutls/gnutls/badges/master/coverage.svg)](https://gitlab.com/gnutls/gnutls/commits/master)|
|Master|Travis|[![build status](https://travis-ci.org/gnutls/gnutls.svg?branch=master)](https://travis-ci.org/gnutls/gnutls)|N/A|
|3.4.x|Gitlab|[![build status](https://gitlab.com/gnutls/gnutls/badges/gnutls_3_4_x/build.svg)](https://gitlab.com/gnutls/gnutls/commits/gnutls_3_4_x)|N/A|
|3.3.x|Gitlab|[![build status](https://gitlab.com/gnutls/gnutls/badges/gnutls_3_3_x/build.svg)](https://gitlab.com/gnutls/gnutls/commits/gnutls_3_3_x)|N/A|
[![coverage report](https://gitlab.com/gnutls/gnutls/badges/master/coverage.svg)](https://gitlab.com/gnutls/gnutls/commits/master)
# GnuTLS -- Information for developers
......
......@@ -60,7 +60,11 @@ autoreconf:
cp $$f `echo $$f | sed 's/.in//'`; \
done
autopoint
rm -f m4/codeset.m4 m4/gettext.m4 m4/glibc21.m4 m4/glibc2.m4 m4/iconv.m4 m4/intdiv0.m4 m4/intldir.m4 m4/intl.m4 m4/intlmacosx.m4 m4/intmax.m4 m4/inttypes_h.m4 m4/inttypes-pri.m4 m4/lcmessage.m4 m4/lib-ld.m4 m4/lib-link.m4 m4/lib-prefix.m4 m4/lock.m4 m4/longlong.m4 m4/nls.m4 m4/po.m4 m4/printf-posix.m4 m4/progtest.m4 m4/size_max.m4 m4/stdint_h.m4 m4/uintmax_t.m4 m4/wchar_t.m4 m4/wint_t.m4 m4/visibility.m4 m4/xsize.m4
for i in m4/po.m4 m4/nls.m4 m4/gettext.m4 m4/codeset.m4 m4/glibc21.m4 m4/glibc2.m4 m4/iconv.m4 m4/intdiv0.m4 m4/intldir.m4 m4/intl.m4 m4/intlmacosx.m4 m4/intmax.m4 m4/inttypes_h.m4 m4/inttypes-pri.m4 m4/lcmessage.m4 m4/lib-ld.m4 m4/lib-link.m4 m4/lib-prefix.m4 m4/lock.m4 m4/longlong.m4 m4/printf-posix.m4 m4/progtest.m4 m4/size_max.m4 m4/stdint_h.m4 m4/uintmax_t.m4 m4/wchar_t.m4 m4/wint_t.m4 m4/visibility.m4 m4/xsize.m4;do \
if test -f /usr/share/aclocal/$i;then \
rm -f $i; \
fi; \
done
touch ChangeLog
test -f ./configure || AUTOPOINT=true autoreconf --install
......
......@@ -82,11 +82,23 @@ resumed one, and will share the same session ID with the previous one.
@node Error handling
@subsection Error handling
There two types of @acronym{GnuTLS} functions. One type returns
a boolean true (non-zero) or false (zero) value, which are set
to return an unsigned integer type. The other type returns a
signed integer type with zero indicating success and a negative
value indicating failure.
There two types of @acronym{GnuTLS} functions. The first type returns
a boolean value, true (non-zero) or false (zero) value; these functions
are defined to return an unsigned integer type. The other type returns a
signed integer type with zero (or a positive number) indicating
success and a negative value indicating failure. For the latter
type it is recommended to check for errors as following.
@example
ret = gnutls_function();
if (ret < 0) @{
return -1;
@}
@end example
The above example checks for a failure condition rather than
for explicit success (e.g., equality to zero). That has the advantage
that future extensions of the API can be extended to provide
additional information via positive returned values (see for example
@funcref{gnutls_certificate_set_x509_key_file}).
For certain operations such as TLS handshake and TLS packet receive
there is the notion of fatal and non-fatal error codes.
......
......@@ -63,11 +63,16 @@ int main(void)
CHECK(gnutls_certificate_set_x509_crl_file(x509_cred, CRLFILE,
GNUTLS_X509_FMT_PEM));
/* The following code sets the certificate key pair as well as,
* an OCSP response which corresponds to it. It is possible
* to set multiple key-pairs and multiple OCSP status responses
* (the latter since 3.5.6). See the manual pages of the individual
* functions for more information.
*/
CHECK(gnutls_certificate_set_x509_key_file(x509_cred, CERTFILE,
KEYFILE,
GNUTLS_X509_FMT_PEM));
/* loads an OCSP status request if available */
CHECK(gnutls_certificate_set_ocsp_status_request_file(x509_cred,
OCSP_STATUS_FILE,
0));
......@@ -75,9 +80,11 @@ int main(void)
CHECK(gnutls_priority_init(&priority_cache,
"PERFORMANCE:%SERVER_PRECEDENCE", NULL));
#if GNUTLS_VERSION_NUMBER >= 0x030506
/* only available since GnuTLS 3.5.6, on previous versions see
* gnutls_certificate_set_dh_params(). */
gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM);
#endif
/* Socket operations
*/
......
......@@ -62,7 +62,7 @@ unsigned int _gnutls_get_forkid(void)
int _gnutls_detect_fork(unsigned int forkid)
{
if (getpid() == forkid)
if ((unsigned int)getpid() == forkid)
return 0;
return 1;
}
......
......@@ -475,7 +475,8 @@ static int file_ocsp_func(gnutls_session_t session, void *ptr,
* file accesses.
*
* Note: the ability to set multiple OCSP responses per credential
* structure via @idx was added in version 3.5.5.
* structure via @idx was added in version 3.5.6 with the
* %GNUTLS_CERTIFICATE_API_V2 flag.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
* otherwise a negative error code is returned.
......
......@@ -356,6 +356,7 @@ typedef enum {
* @GNUTLS_ALLOW_ID_CHANGE: Allow the peer to replace its certificate, or change its ID during a rehandshake. This change is often used in attacks and thus prohibited by default. Since 3.5.0.
* @GNUTLS_ENABLE_FALSE_START: Enable the TLS false start on client side if the negotiated ciphersuites allow it. This will enable sending data prior to the handshake being complete, and may introduce a risk of crypto failure when combined with certain key exchanged; for that GnuTLS may not enable that option in ciphersuites that are known to be not safe for false start. Since 3.5.0.
* @GNUTLS_FORCE_CLIENT_CERT: When in client side and only a single cert is specified, send that certificate irrespective of the issuers expectated by the server. Since 3.5.0.
* @GNUTLS_NO_TICKETS: Flag to indicate that the session should not use resumption with session tickets.
*
* Enumeration of different flags for gnutls_init() function. All the flags
* can be combined except @GNUTLS_SERVER and @GNUTLS_CLIENT which are mutually
......@@ -371,7 +372,8 @@ typedef enum {
GNUTLS_NO_SIGNAL = (1<<6),
GNUTLS_ALLOW_ID_CHANGE = (1<<7),
GNUTLS_ENABLE_FALSE_START = (1<<8),
GNUTLS_FORCE_CLIENT_CERT = (1<<9)
GNUTLS_FORCE_CLIENT_CERT = (1<<9),
GNUTLS_NO_TICKETS = (1<<10)
} gnutls_init_flags_t;
/* compatibility defines (previous versions of gnutls
......@@ -384,6 +386,9 @@ typedef enum {
#define GNUTLS_NO_REPLAY_PROTECTION (1<<5)
#define GNUTLS_NO_SIGNAL (1<<6)
#define GNUTLS_ALLOW_ID_CHANGE (1<<7)
#define GNUTLS_ENABLE_FALSE_START (1<<8)
#define GNUTLS_FORCE_CLIENT_CERT (1<<9)
#define GNUTLS_NO_TICKETS (1<<10)
/**
* gnutls_alert_level_t:
......@@ -1656,11 +1661,13 @@ gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res);
/**
* gnutls_certificate_flags:
* @GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: Skip the key and certificate matching check.
* @GNUTLS_CERTIFICATE_API_V2: If set the gnutls_certificate_set_*key* functions will return an index of the added key pair instead of zero.
*
* Enumeration of different certificate credentials flags.
*/
typedef enum gnutls_certificate_flags {
GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1
GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1,
GNUTLS_CERTIFICATE_API_V2 = (1<<1)
} gnutls_certificate_flags;
void gnutls_certificate_set_flags(gnutls_certificate_credentials_t,
......
......@@ -1806,7 +1806,8 @@ _pkcs1_rsa_verify_sig(const mac_entry_st * me,
return GNUTLS_E_INVALID_REQUEST;
}
ret = _gnutls_hash_fast(me->id, text->data, text->size, md);
ret = _gnutls_hash_fast((gnutls_digest_algorithm_t)me->id,
text->data, text->size, md);
if (ret < 0) {
gnutls_assert();
return ret;
......@@ -1881,7 +1882,8 @@ dsa_verify_data(gnutls_pk_algorithm_t pk,
if (algo == NULL)
algo = _gnutls_dsa_q_to_hash(pk, params, NULL);
ret = _gnutls_hash_fast(algo->id, data->data, data->size, _digest);
ret = _gnutls_hash_fast((gnutls_digest_algorithm_t)algo->id,
data->data, data->size, _digest);
if (ret < 0)
return gnutls_assert_val(ret);
......
......@@ -322,8 +322,7 @@ char *gnutls_session_get_desc(gnutls_session_t session)
(session)),
gnutls_certificate_type_get_name(type));
gnutls_protocol_get_name(get_num_version(session)),
desc = gnutls_malloc(DESC_SIZE);
desc = gnutls_malloc(DESC_SIZE);
if (desc == NULL)
return NULL;
......
......@@ -429,7 +429,8 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
/* Enable useful extensions */
if ((flags & GNUTLS_CLIENT) && !(flags & GNUTLS_NO_EXTENSIONS)) {
#ifdef ENABLE_SESSION_TICKETS
gnutls_session_ticket_enable_client(*session);
if (!(flags & GNUTLS_NO_TICKETS))
gnutls_session_ticket_enable_client(*session);
#endif
#ifdef ENABLE_OCSP
gnutls_ocsp_status_request_enable_client(*session, NULL, 0,
......
......@@ -57,6 +57,13 @@
* some x509 certificate parsing functions.
*/
#define CRED_RET_SUCCESS(cred) \
if (cred->flags & GNUTLS_CERTIFICATE_API_V2) { \
return cred->ncerts-1; \
} else { \
return 0; \
}
/* fifteen days */
#define MAX_OCSP_VALIDITY_SECS (15*60*60*24)
#ifdef ENABLE_OCSP
......@@ -986,7 +993,12 @@ read_key_file(gnutls_certificate_credentials_t res,
* The @key may be %NULL if you are using a sign callback, see
* gnutls_sign_callback_set().
*
* Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
* Note that, this function by default returns zero on success and a negative value on error.
* Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags()
* it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
*
* Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
**/
int
gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials_t res,
......@@ -1022,7 +1034,11 @@ gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials_t res,
* The @key may be %NULL if you are using a sign callback, see
* gnutls_sign_callback_set().
*
* Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
* Note that, this function by default returns zero on success and a negative value on error.
* Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags()
* it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
*
* Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
**/
int
gnutls_certificate_set_x509_key_mem2(gnutls_certificate_credentials_t res,
......@@ -1052,8 +1068,7 @@ gnutls_certificate_set_x509_key_mem2(gnutls_certificate_credentials_t res,
return ret;
}
/* return the index of the chain */
return res->ncerts-1;
CRED_RET_SUCCESS(res);
}
int
......@@ -1115,7 +1130,11 @@ certificate_credentials_append_pkey(gnutls_certificate_credentials_t res,
* If that function fails to load the @res type is at an undefined state, it must
* not be reused to load other keys or certificates.
*
* Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
* Note that, this function by default returns zero on success and a negative value on error.
* Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags()
* it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
*
* Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
* Since: 2.4.0
**/
......@@ -1197,7 +1216,7 @@ gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
return ret;
}
return res->ncerts-1;
CRED_RET_SUCCESS(res);
cleanup:
gnutls_free(pcerts);
......@@ -1219,11 +1238,12 @@ gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
* gnutls_certificate_set_x509_key_mem2(). The returned key must be deallocated
* with gnutls_x509_privkey_deinit() when no longer needed.
*
* The @index matches the return value of gnutls_certificate_set_x509_key() and friends
* functions, when the %GNUTLS_CERTIFICATE_API_V2 flag is set.
*
* If there is no key with the given index,
* %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. If the key with the
* given index is not a X.509 key, %GNUTLS_E_INVALID_REQUEST is returned.
* The @index matches the value gnutls_certificate_set_x509_key() and friends
* functions.
*
* Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
*
......@@ -1258,8 +1278,10 @@ gnutls_certificate_get_x509_key(gnutls_certificate_credentials_t res,
* certificate list must be deallocated with gnutls_x509_crt_deinit(), and the
* list itself must be freed with gnutls_free().
*
* The @index matches the value gnutls_certificate_set_x509_key() and friends
* functions. If there is no certificate with the given index,
* The @index matches the return value of gnutls_certificate_set_x509_key() and friends
* functions, when the %GNUTLS_CERTIFICATE_API_V2 flag is set.
*
* If there is no certificate with the given index,
* %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. If the certificate
* with the given index is not a X.509 certificate, %GNUTLS_E_INVALID_REQUEST
* is returned. The returned certificates must be deinitialized after
......@@ -1329,7 +1351,11 @@ gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res,
* If that function fails to load the @res structure is at an undefined state, it must
* not be reused to load other keys or certificates.
*
* Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
* Note that, this function by default returns zero on success and a negative value on error.
* Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags()
* it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
*
* Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
* Since: 3.0
**/
......@@ -1421,7 +1447,7 @@ gnutls_certificate_set_key(gnutls_certificate_credentials_t res,
goto cleanup;
}
return res->ncerts-1;
CRED_RET_SUCCESS(res);
cleanup:
_gnutls_str_array_clear(&str_names);
......@@ -1502,7 +1528,11 @@ gnutls_certificate_get_trust_list(gnutls_certificate_credentials_t res,
* If that function fails to load the @res structure is at an undefined state, it must
* not be reused to load other keys or certificates.
*
* Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
* Note that, this function by default returns zero on success and a negative value on error.
* Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags()
* it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
*
* Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
* Since: 3.1.11
**/
......@@ -1550,7 +1580,11 @@ gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials_t res,
* If that function fails to load the @res structure is at an undefined state, it must
* not be reused to load other keys or certificates.
*
* Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
* Note that, this function by default returns zero on success and a negative value on error.
* Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags()
* it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
*
* Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
**/
int
......@@ -1580,7 +1614,7 @@ gnutls_certificate_set_x509_key_file2(gnutls_certificate_credentials_t res,
return ret;
}
return res->ncerts-1;
CRED_RET_SUCCESS(res);
}
/* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
......@@ -1972,7 +2006,11 @@ int ret;
* complexity that would make it harder to use this functionality at
* all.
*
* Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
* Note that, this function by default returns zero on success and a negative value on error.
* Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags()
* it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
*
* Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
**/
int
......@@ -2028,7 +2066,11 @@ int
* complexity that would make it harder to use this functionality at
* all.
*
* Returns: An index of the inserted certificate chain on success (greater or equal to zero), or a negative error code.
* Note that, this function by default returns zero on success and a negative value on error.
* Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags()
* it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
*
* Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
* Since: 2.8.0
**/
......@@ -2098,7 +2140,10 @@ int
}
}
ret = idx;
if (res->flags & GNUTLS_CERTIFICATE_API_V2)
ret = idx;
else
ret = 0;
done:
if (chain) {
......
This diff is collapsed. Click to expand it.
# nls.m4 serial 5 (gettext-0.18)
dnl Copyright (C) 1995-2003, 2005-2006, 2008-2014 Free Software Foundation,
dnl Inc.
dnl This file is free software; the Free Software Foundation
dnl gives unlimited permission to copy and/or distribute it,
dnl with or without modifications, as long as this notice is preserved.
dnl
dnl This file can be used in projects which are not available under
dnl the GNU General Public License or the GNU Library General Public
dnl License but which still want to provide support for the GNU gettext
dnl functionality.
dnl Please note that the actual code of the GNU gettext library is covered
dnl by the GNU Library General Public License, and the rest of the GNU
dnl gettext package is covered by the GNU General Public License.
dnl They are *not* in the public domain.
dnl Authors:
dnl Ulrich Drepper <drepper@cygnus.com>, 1995-2000.
dnl Bruno Haible <haible@clisp.cons.org>, 2000-2003.
AC_PREREQ([2.50])
AC_DEFUN([AM_NLS],
[
AC_MSG_CHECKING([whether NLS is requested])
dnl Default is enabled NLS
AC_ARG_ENABLE([nls],
[ --disable-nls do not use Native Language Support],
USE_NLS=$enableval, USE_NLS=yes)
AC_MSG_RESULT([$USE_NLS])
AC_SUBST([USE_NLS])
])
This diff is collapsed. Click to expand it.
# progtest.m4 serial 7 (gettext-0.18.2)
dnl Copyright (C) 1996-2003, 2005, 2008-2016 Free Software Foundation, Inc.
dnl This file is free software; the Free Software Foundation
dnl gives unlimited permission to copy and/or distribute it,
dnl with or without modifications, as long as this notice is preserved.
dnl
dnl This file can be used in projects which are not available under
dnl the GNU General Public License or the GNU Library General Public
dnl License but which still want to provide support for the GNU gettext
dnl functionality.
dnl Please note that the actual code of the GNU gettext library is covered
dnl by the GNU Library General Public License, and the rest of the GNU
dnl gettext package is covered by the GNU General Public License.
dnl They are *not* in the public domain.
dnl Authors:
dnl Ulrich Drepper <drepper@cygnus.com>, 1996.
AC_PREREQ([2.50])
# Search path for a program which passes the given test.
dnl AM_PATH_PROG_WITH_TEST(VARIABLE, PROG-TO-CHECK-FOR,
dnl TEST-PERFORMED-ON-FOUND_PROGRAM [, VALUE-IF-NOT-FOUND [, PATH]])
AC_DEFUN([AM_PATH_PROG_WITH_TEST],
[
# Prepare PATH_SEPARATOR.
# The user is always right.
if test "${PATH_SEPARATOR+set}" != set; then
# Determine PATH_SEPARATOR by trying to find /bin/sh in a PATH which
# contains only /bin. Note that ksh looks also at the FPATH variable,
# so we have to set that as well for the test.
PATH_SEPARATOR=:
(PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 \
&& { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 \
|| PATH_SEPARATOR=';'
}
fi
# Find out how to test for executable files. Don't use a zero-byte file,
# as systems may use methods other than mode bits to determine executability.
cat >conf$$.file <<_ASEOF
#! /bin/sh
exit 0
_ASEOF
chmod +x conf$$.file
if test -x conf$$.file >/dev/null 2>&1; then
ac_executable_p="test -x"
else
ac_executable_p="test -f"
fi
rm -f conf$$.file
# Extract the first word of "$2", so it can be a program name with args.
set dummy $2; ac_word=[$]2
AC_MSG_CHECKING([for $ac_word])
AC_CACHE_VAL([ac_cv_path_$1],
[case "[$]$1" in
[[\\/]]* | ?:[[\\/]]*)
ac_cv_path_$1="[$]$1" # Let the user override the test with a path.
;;
*)
ac_save_IFS="$IFS"; IFS=$PATH_SEPARATOR
for ac_dir in ifelse([$5], , $PATH, [$5]); do
IFS="$ac_save_IFS"
test -z "$ac_dir" && ac_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if $ac_executable_p "$ac_dir/$ac_word$ac_exec_ext"; then
echo "$as_me: trying $ac_dir/$ac_word..." >&AS_MESSAGE_LOG_FD
if [$3]; then
ac_cv_path_$1="$ac_dir/$ac_word$ac_exec_ext"
break 2
fi
fi
done
done
IFS="$ac_save_IFS"
dnl If no 4th arg is given, leave the cache variable unset,
dnl so AC_PATH_PROGS will keep looking.
ifelse([$4], , , [ test -z "[$]ac_cv_path_$1" && ac_cv_path_$1="$4"
])dnl
;;
esac])dnl
$1="$ac_cv_path_$1"
if test ifelse([$4], , [-n "[$]$1"], ["[$]$1" != "$4"]); then
AC_MSG_RESULT([$][$1])
else
AC_MSG_RESULT([no])
fi
AC_SUBST([$1])dnl
])
......@@ -115,7 +115,8 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \
set_key_utf8 set_x509_key_utf8 insecure_key handshake-large-packet \
client_dsa_key server_ecdsa_key tls-session-ext-register tls-session-supplemental \
multi-alerts naked-alerts pkcs7-cat-parse set_known_dh_params_x509 \
set_known_dh_params_anon set_known_dh_params_psk
set_known_dh_params_anon set_known_dh_params_psk session-tickets-ok \
session-tickets-missing set_x509_key_file_legacy
if HAVE_SECCOMP_TESTS
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
......@@ -181,6 +182,10 @@ pkcs11_privkey_fork_SOURCES = pkcs11/pkcs11-privkey-fork.c
pkcs11_privkey_fork_DEPENDENCIES = libpkcs11mock1.la libutils.la
pkcs11_privkey_fork_LDADD = $(LDADD) $(LIBDL)
pkcs11_privkey_export_SOURCES = pkcs11/pkcs11-privkey-export.c
pkcs11_privkey_export_DEPENDENCIES = libpkcs11mock1.la libutils.la
pkcs11_privkey_export_LDADD = $(LDADD) $(LIBDL)
pkcs11_privkey_always_auth_SOURCES = pkcs11/pkcs11-privkey-always-auth.c
pkcs11_privkey_always_auth_DEPENDENCIES = libpkcs11mock1.la libutils.la
pkcs11_privkey_always_auth_LDADD = $(LDADD) $(LIBDL)
......@@ -189,7 +194,7 @@ ctests += pkcs11-cert-import-url-exts pkcs11-get-exts pkcs11-get-raw-issuer-exts
pkcs11-cert-import-url4-exts pkcs11/pkcs11-chainverify pkcs11/pkcs11-get-issuer pkcs11/pkcs11-is-known \
pkcs11/pkcs11-combo pkcs11/pkcs11-privkey pkcs11/pkcs11-pubkey-import-rsa pkcs11/pkcs11-pubkey-import-ecdsa \
pkcs11-import-url-privkey pkcs11-privkey-fork pkcs11/pkcs11-ec-privkey-test \
pkcs11-privkey-always-auth
pkcs11-privkey-always-auth pkcs11-privkey-export
endif
......
......@@ -113,6 +113,29 @@ const char mock_pubkey[] =
"\x3f\x66\x62\x92\xfd\x41\x20\xb6\x2c\x00\xf0\x52\xca\x26\x06\x2d"
"\x7c\xcf\x7a\x50\x7d\x0f\xcb\xdd\x97\x20\xc8\x6f\xe4\xe0\x50\xf4"
"\xe3\x02\x03\x01\x00\x01";
const char mock_public_exponent[] = "\x01\x00\x01";
const char mock_modulus[] =
"\xDD\xCF\x97\xD2\xA5\x1D\x95\xDD\x86\x18\xD8\xC4\xB9\xAD\xA6\x0C"
"\xB4\x9D\xB6\xDC\xFA\xDC\x21\xE1\x3A\x62\x34\x07\xE8\x33\xB2\xE8"
"\x97\xEE\x2C\x41\xD2\x12\xF1\x5F\xED\xE4\x76\xFF\x65\x26\x1E\x0C"
"\xC7\x41\x15\x69\x5F\x0D\xF9\xAD\x89\x14\x8D\xEA\xD7\x16\x52\x9A"
"\x47\xC1\xBB\x00\x02\xE4\x88\x45\x73\x78\xA4\xAE\xDB\x38\xC3\xC6"
"\x07\xD2\x64\x0E\x87\xED\x74\x8C\x6B\xC4\xC0\x02\x50\x7C\x4E\xA6"
"\xD1\x58\xE9\xE5\x13\x09\xA9\xDB\x5A\xEA\xEB\x0F\x06\x80\x5C\x09"
"\xEF\x94\xC8\xE9\xFB\x37\x2E\x75\xE1\xAC\x93\xAD\x9B\x37\x13\x4B"
"\x66\x3A\x76\x33\xD8\xC4\xD7\x4C\xFB\x61\xC8\x92\x21\x07\xFC\xDF"
"\xA9\x88\x54\xE4\xA3\xA9\x47\xD2\x6C\xB8\xE3\x39\x89\x11\x88\x38"
"\x2D\xA2\xDC\x3E\x5E\x4A\xA9\xA4\x8E\xD5\x1F\xB2\xD0\xDD\x41\x3C"
"\xDA\x10\x68\x9E\x47\x1B\x65\x02\xA2\xC5\x28\x73\x02\x83\x03\x09"
"\xFD\xF5\x29\x7E\x97\xDC\x2A\x4E\x4B\xAA\x79\x46\x46\x70\x86\x1B"
"\x9B\xB8\xF6\x8A\xBE\x29\x87\x7D\x5F\xDA\xA5\x97\x6B\xEF\xC8\x43"
"\x09\x43\xE2\x1F\x8A\x16\x7E\x1D\x50\x5D\xF5\xDA\x02\xEE\xF2\xC3"
"\x2A\x48\xE6\x6B\x30\xEA\x02\xD7\xEF\xAC\x8B\x0C\xB8\xC1\x85\xD8"
"\xBF\x7C\x85\xA8\x1E\x83\xBE\x5C\x26\x2E\x79\x7B\x47\xF5\x4A\x3F"
"\x66\x62\x92\xFD\x41\x20\xB6\x2C\x00\xF0\x52\xCA\x26\x06\x2D\x7C"
"\xCF\x7A\x50\x7D\x0F\xCB\xDD\x97\x20\xC8\x6F\xE4\xE0\x50\xF4\xE3";
const char mock_subject[] =
"DN: C=US, O=Test Government, OU=Test Department, OU=Test Agency/serialNumber=";
CK_BBOOL pkcs11_mock_initialized = CK_FALSE;
CK_BBOOL pkcs11_mock_session_opened = CK_FALSE;
......@@ -919,6 +942,56 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetAttributeValue)(CK_SESSION_HANDLE hSession, CK_OB
pTemplate[i].ulValueLen = (CK_ULONG) sizeof(mock_pubkey)-1;
memcpy(pTemplate[i].pValue, mock_pubkey, pTemplate[i].ulValueLen);
}
else if (CKA_CLASS == pTemplate[i].type)
{
if (NULL != pTemplate[i].pValue)
{
if (pTemplate[i].ulValueLen < sizeof(hObject))
return CKR_BUFFER_TOO_SMALL;
else
memcpy(pTemplate[i].pValue, &hObject, sizeof(hObject));
}
pTemplate[i].ulValueLen = sizeof(hObject);
}
else if (CKA_PUBLIC_EXPONENT == pTemplate[i].type &&
(PKCS11_MOCK_CK_OBJECT_HANDLE_PUBLIC_KEY == hObject || PKCS11_MOCK_CK_OBJECT_HANDLE_PRIVATE_KEY == hObject))
{
if (NULL != pTemplate[i].pValue)
{
if (pTemplate[i].ulValueLen < sizeof(mock_public_exponent)-1)
return CKR_BUFFER_TOO_SMALL;
else
memcpy(pTemplate[i].pValue, mock_public_exponent, sizeof(mock_public_exponent)-1);
}
pTemplate[i].ulValueLen = sizeof(mock_public_exponent)-1;
}
else if (CKA_MODULUS == pTemplate[i].type &&
(PKCS11_MOCK_CK_OBJECT_HANDLE_PUBLIC_KEY == hObject || PKCS11_MOCK_CK_OBJECT_HANDLE_PRIVATE_KEY == hObject))
{
if (NULL != pTemplate[i].pValue)
{
if (pTemplate[i].ulValueLen < sizeof(mock_modulus)-1)
return CKR_BUFFER_TOO_SMALL;
else
memcpy(pTemplate[i].pValue, mock_modulus, sizeof(mock_modulus)-1);
}
pTemplate[i].ulValueLen = sizeof(mock_modulus)-1;
}
else if (CKA_SUBJECT == pTemplate[i].type && PKCS11_MOCK_CK_OBJECT_HANDLE_CERTIFICATE == hObject)
{
if (NULL != pTemplate[i].pValue)
{
if (pTemplate[i].ulValueLen < strlen(mock_subject))
return CKR_BUFFER_TOO_SMALL;
else
memcpy(pTemplate[i].pValue, mock_subject, strlen(mock_subject));
}
pTemplate[i].ulValueLen = strlen(mock_subject);
}
else if (CKA_LABEL == pTemplate[i].type)
{
if (NULL != pTemplate[i].pValue)
......
/*
* Copyright (C) 2016 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* GnuTLS is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuTLS is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GnuTLS; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <gnutls/abstract.h>
#include "utils.h"
/* This checks whether the public parts of RSA private and public keys
* can be properly extracted from a PKCS#11 module. */
#define PIN "1234"
#ifdef _WIN32
# define P11LIB "libpkcs11mock1.dll"
#else
# include <dlfcn.h>
# define P11LIB "libpkcs11mock1.so"
#endif
static void tls_log_func(int level, const char *str)
{
fprintf(stderr, "|<%d>| %s", level, str);
}
static
int pin_func(void* userdata, int attempt, const char* url, const char *label,
unsigned flags, char *pin, size_t pin_max)
{
if (attempt == 0) {
strcpy(pin, PIN);
return 0;
}
return -1;
}
void doit(void)
{
int ret;
const char *lib;
gnutls_privkey_t key;
gnutls_pubkey_t pub;
gnutls_datum_t m1, e1;
gnutls_datum_t m2, e2;
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
lib = getenv("P11MOCKLIB1");
if (lib == NULL)
lib = P11LIB;
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_add_provider(lib, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_privkey_init(&key);
assert(ret>=0);
ret = gnutls_pubkey_init(&pub);
assert(ret>=0);
gnutls_privkey_set_pin_function(key, pin_func, NULL);
ret = gnutls_privkey_import_url(key, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_import_privkey(pub, key, 0, 0);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_export_rsa_raw(pub, &m1, &e1);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_pubkey_deinit(pub);
gnutls_privkey_deinit(key);
/* try again using gnutls_pubkey_import_url */
ret = gnutls_pubkey_init(&pub);
assert(ret>=0);
ret = gnutls_pubkey_import_url(pub, "pkcs11:object=test;type=public", 0);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_export_rsa_raw(pub, &m2, &e2);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
assert(m1.size == m2.size);
assert(e1.size == e2.size);
assert(memcmp(e1.data, e2.data, e2.size)==0);
assert(memcmp(m1.data, m2.data, m2.size)==0);
gnutls_pubkey_deinit(pub);
gnutls_free(m1.data);
gnutls_free(e1.data);
gnutls_free(m2.data);
gnutls_free(e2.data);
gnutls_pkcs11_deinit();
gnutls_global_deinit();
}
/*
* Copyright (C) 2016 Red Hat, Inc
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* GnuTLS is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuTLS is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GnuTLS; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#if defined(_WIN32)
int main()
{
exit(77);
}
#else
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <time.h>
#include <gnutls/gnutls.h>
#include <gnutls/dtls.h>
#include <signal.h>
#include <assert.h>
#include "cert-common.h"
#include "utils.h"
static void terminate(void);
/* This program tests that handshakes do not include a session ticket
* if the flag GNUTLS_NO_TICKETS is specified.
*/
static time_t mytime(time_t * t)
{
time_t then = 1464610242;
if (t)
*t = then;
return then;
}
static void server_log_func(int level, const char *str)
{
fprintf(stderr, "server|<%d>| %s", level, str);
}
static void client_log_func(int level, const char *str)
{
fprintf(stderr, "client|<%d>| %s", level, str);
}
static int sent = 0;
static int handshake_callback(gnutls_session_t session, unsigned int htype,
unsigned post, unsigned int incoming, const gnutls_datum_t *msg)
{
if (htype != GNUTLS_HANDSHAKE_NEW_SESSION_TICKET)
return 0;
fail("sent session ticket\n");
sent = 1;
return 0;
}
#define MAX_BUF 1024
static void client(int fd)
{
int ret;
gnutls_certificate_credentials_t x509_cred;
gnutls_session_t session;
/* Need to enable anonymous KX specifically. */
gnutls_global_set_time_function(mytime);
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(7);
}
gnutls_certificate_allocate_credentials(&x509_cred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_NO_TICKETS);
/* Use default priorities */
gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA", NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret == GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM) {
/* success */
goto end;
}
if (ret < 0) {
fail("client: Handshake failed: %s\n", gnutls_strerror(ret));
terminate();
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
gnutls_bye(session, GNUTLS_SHUT_WR);
end:
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
}
/* These are global */
pid_t child;
static void terminate(void)
{
kill(child, SIGTERM);
exit(1);
}
static void server(int fd)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
gnutls_certificate_credentials_t x509_cred;
gnutls_datum_t skey;
/* this must be called once in the program
*/
global_init();
memset(buffer, 0, sizeof(buffer));
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
assert(gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
&server_key,
GNUTLS_X509_FMT_PEM)>=0);
assert(gnutls_init(&session, GNUTLS_SERVER)>=0);
assert(gnutls_session_ticket_key_generate(&skey)>=0);
assert(gnutls_session_ticket_enable_server(session, &skey) >= 0);
gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_NEW_SESSION_TICKET,
GNUTLS_HOOK_POST,
handshake_callback);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
assert(gnutls_priority_set_direct(session, "NORMAL", NULL)>=0);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
/* failure is expected here */
goto end;
}
if (debug) {
success("server: Handshake was completed\n");
}
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
if (sent != 0) {
fail("new session ticket was sent\n");
exit(1);
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
end:
close(fd);
gnutls_deinit(session);
gnutls_free(skey.data);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void ch_handler(int sig)
{
return;
}
void doit(void)
{
int fd[2];
int ret, status = 0;
signal(SIGCHLD, ch_handler);
signal(SIGPIPE, SIG_IGN);
ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
if (ret < 0) {
perror("socketpair");
exit(1);
}
child = fork();
if (child < 0) {
perror("fork");
fail("fork");
exit(1);
}
if (child) {
/* parent */
close(fd[1]);
server(fd[0]);
waitpid(child, &status, 0);
check_wait_status(status);
} else {
close(fd[0]);
client(fd[1]);
exit(0);
}
return;
}
#endif /* _WIN32 */
/*
* Copyright (C) 2016 Red Hat, Inc
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* GnuTLS is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuTLS is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GnuTLS; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#if defined(_WIN32)
int main()
{
exit(77);
}
#else
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <gnutls/gnutls.h>
#include <gnutls/dtls.h>
#include <signal.h>
#include <assert.h>
#include "cert-common.h"
#include "utils.h"
static void terminate(void);
/* This program tests that handshakes include a session ticket.
*/
static void server_log_func(int level, const char *str)
{
fprintf(stderr, "server|<%d>| %s", level, str);
}
static void client_log_func(int level, const char *str)
{
fprintf(stderr, "client|<%d>| %s", level, str);
}
static int sent = 0;
static int handshake_callback(gnutls_session_t session, unsigned int htype,
unsigned post, unsigned int incoming, const gnutls_datum_t *msg)
{
if (htype != GNUTLS_HANDSHAKE_NEW_SESSION_TICKET)
return 0;
success("sent session ticket\n");
sent = 1;
return 0;
}
#define MAX_BUF 1024
static void client(int fd)
{
int ret;
gnutls_certificate_credentials_t x509_cred;
gnutls_session_t session;
/* Need to enable anonymous KX specifically. */
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(7);
}
gnutls_certificate_allocate_credentials(&x509_cred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA", NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret == GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM) {
/* success */
goto end;
}
if (ret < 0) {
fail("client: Handshake failed: %s\n", gnutls_strerror(ret));
terminate();
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
gnutls_bye(session, GNUTLS_SHUT_WR);
end:
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
}
/* These are global */
pid_t child;
static void terminate(void)
{
kill(child, SIGTERM);
exit(1);
}
static void server(int fd)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
gnutls_certificate_credentials_t x509_cred;
gnutls_datum_t skey;
/* this must be called once in the program
*/
global_init();
memset(buffer, 0, sizeof(buffer));
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
assert(gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
&server_key,
GNUTLS_X509_FMT_PEM)>=0);
assert(gnutls_init(&session, GNUTLS_SERVER)>=0);
assert(gnutls_session_ticket_key_generate(&skey)>=0);
assert(gnutls_session_ticket_enable_server(session, &skey) >= 0);
gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_NEW_SESSION_TICKET,
GNUTLS_HOOK_POST,
handshake_callback);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
assert(gnutls_priority_set_direct(session, "NORMAL", NULL)>=0);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
/* failure is expected here */
goto end;
}
if (debug) {
success("server: Handshake was completed\n");
}
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
if (sent == 0) {
fail("client: didn't send new sessiont ticket\n");
terminate();
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
end:
close(fd);
gnutls_deinit(session);
gnutls_free(skey.data);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void ch_handler(int sig)
{
return;
}
void doit(void)
{
int fd[2];
int ret, status = 0;
signal(SIGCHLD, ch_handler);
signal(SIGPIPE, SIG_IGN);
ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
if (ret < 0) {
perror("socketpair");
exit(1);
}
child = fork();
if (child < 0) {
perror("fork");
fail("fork");
exit(1);
}
if (child) {
/* parent */
close(fd[1]);
server(fd[0]);
waitpid(child, &status, 0);
check_wait_status(status);
} else {
close(fd[0]);
client(fd[1]);
exit(0);
}
return;
}
#endif /* _WIN32 */
......@@ -134,6 +134,8 @@ static void basic(void)
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_API_V2);
ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
......
......@@ -156,6 +156,8 @@ static void basic(void)
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_API_V2);
ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
......
......@@ -21,6 +21,9 @@
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
/* This test checks the behavior of gnutls_certificate_set_x509_key_file2()
* when the GNUTLS_CERTIFICATE_API_V2 is set */
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
......@@ -136,6 +139,8 @@ void doit(void)
assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_API_V2);
ret = gnutls_certificate_set_x509_trust_mem(clicred, &subca3_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
......
/*
* Copyright (C) 2014-2016 Nikos Mavrogiannopoulos
* Copyright (C) 2016 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* GnuTLS is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuTLS is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GnuTLS; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
/* This test checks the behavior of gnutls_certificate_set_x509_key_file2()
* when the GNUTLS_CERTIFICATE_API_V2 is not set */
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include "cert-common.h"
#include "utils.h"
static time_t mytime(time_t * t)
{
time_t then = 1470002400;
if (t)
*t = then;
return then;
}
static void compare(const gnutls_datum_t *der, const void *ipem)
{
gnutls_datum_t pem = {(void*)ipem, strlen((char*)ipem)};
gnutls_datum_t new_der;
int ret;
ret = gnutls_pem_base64_decode2("CERTIFICATE", &pem, &new_der);
if (ret < 0) {
fail("error: %s\n", gnutls_strerror(ret));
}
if (der->size != new_der.size || memcmp(der->data, new_der.data, der->size) != 0) {
fail("error in %d: %s\n", __LINE__, "cert don't match");
exit(1);
}
gnutls_free(new_der.data);
return;
}
static unsigned set_cert(gnutls_certificate_credentials_t xcred, const gnutls_datum_t *key, const gnutls_datum_t *cert)
{
const char *certfile;
FILE *fp;
int ret;
certfile = get_tmpname(NULL);
fp = fopen(certfile, "w");
if (fp == NULL)
fail("error in fopen\n");
assert(fwrite(cert->data, 1, cert->size, fp)>0);
assert(fwrite(key->data, 1, key->size, fp)>0);
fclose(fp);
ret = gnutls_certificate_set_x509_key_file2(xcred, certfile, certfile,
GNUTLS_X509_FMT_PEM, NULL, 0);
if (ret < 0)
fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret));
/* return index */
return ret;
}
static void verify_written_cert(gnutls_certificate_credentials_t xcred, unsigned idx, const gnutls_datum_t *cert, unsigned ncerts)
{
int ret;
gnutls_datum_t tcert = {NULL, 0};
/* verify whether the stored certificate match the ones we have */
ret = gnutls_certificate_get_crt_raw(xcred, idx,</